summaryrefslogtreecommitdiffstats
path: root/ssl/ssl_conf.c
diff options
context:
space:
mode:
authorViktor Dukhovni <openssl-users@dukhovni.org>2015-12-29 03:24:17 -0500
committerViktor Dukhovni <openssl-users@dukhovni.org>2016-01-02 10:49:06 -0500
commit4fa52141b08fca89250805afcf2f112a2e0d3500 (patch)
treeab8988a8267c6032f6a8b48846d12fb907930b3b /ssl/ssl_conf.c
parent57ce7b617c602ae8513c22daa2bda31f179edb0f (diff)
Protocol version selection and negotiation rewrite
The protocol selection code is now consolidated in a few consecutive short functions in a single file and is table driven. Protocol-specific constraints that influence negotiation are moved into the flags field of the method structure. The same protocol version constraints are now applied in all code paths. It is now much easier to add new protocol versions without reworking the protocol selection logic. In the presence of "holes" in the list of enabled client protocols we no longer select client protocols below the hole based on a subset of the constraints and then fail shortly after when it is found that these don't meet the remaining constraints (suiteb, FIPS, security level, ...). Ideally, with the new min/max controls users will be less likely to create "holes" in the first place. Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Diffstat (limited to 'ssl/ssl_conf.c')
-rw-r--r--ssl/ssl_conf.c32
1 files changed, 18 insertions, 14 deletions
diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c
index 1e14a4497e..9529d30842 100644
--- a/ssl/ssl_conf.c
+++ b/ssl/ssl_conf.c
@@ -347,6 +347,22 @@ static int protocol_from_string(const char *value)
return -1;
}
+static int min_max_proto(SSL_CONF_CTX *cctx, const char *value, int *bound)
+{
+ int method_version;
+ int new_version;
+
+ if (cctx->ctx != NULL)
+ method_version = cctx->ctx->method->version;
+ else if (cctx->ssl != NULL)
+ method_version = cctx->ssl->ctx->method->version;
+ else
+ return 0;
+ if ((new_version = protocol_from_string(value)) < 0)
+ return 0;
+ return ssl_set_version_bound(method_version, new_version, bound);
+}
+
/*
* cmd_MinProtocol - Set min protocol version
* @cctx: config structure to save settings in
@@ -356,13 +372,7 @@ static int protocol_from_string(const char *value)
*/
static int cmd_MinProtocol(SSL_CONF_CTX *cctx, const char *value)
{
- int version = protocol_from_string(value);
-
- if (version < 0)
- return 0;
-
- *(cctx->min_version) = version;
- return 1;
+ return min_max_proto(cctx, value, cctx->min_version);
}
/*
@@ -374,13 +384,7 @@ static int cmd_MinProtocol(SSL_CONF_CTX *cctx, const char *value)
*/
static int cmd_MaxProtocol(SSL_CONF_CTX *cctx, const char *value)
{
- int version = protocol_from_string(value);
-
- if (version < 0)
- return 0;
-
- *(cctx->max_version) = version;
- return 1;
+ return min_max_proto(cctx, value, cctx->max_version);
}
static int cmd_Options(SSL_CONF_CTX *cctx, const char *value)