From 864a81fdc0e66ea037c3ecb7b5df51345cb12bdb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 10 Feb 2014 14:25:10 +0100 Subject: [PATCH] More ssl_set_XXX() functions can return BAD_INPUT --- include/polarssl/ssl.h | 14 ++++------ library/ssl_tls.c | 56 ++++++++++++++++++++++++++------------ programs/ssl/ssl_client2.c | 26 ++++++++++++++++-- programs/ssl/ssl_server2.c | 25 +++++++++++++++-- 4 files changed, 90 insertions(+), 31 deletions(-) diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h index 09bc907f1..e68714a35 100644 --- a/include/polarssl/ssl.h +++ b/include/polarssl/ssl.h @@ -959,11 +959,12 @@ void ssl_set_endpoint( ssl_context *ssl, int endpoint ); * \param transport transport type: * SSL_TRANSPORT_STREAM for TLS, * SSL_TRANSPORT_DATAGRAM for DTLS. + * \return 0 on success or POLARSSL_ERR_SSL_BAD_INPUT_DATA * * \note If DTLS is selected and max and/or min version are less * than TLS 1.1 (DTLS 1.0) they are upped to that value. */ -void ssl_set_transport( ssl_context *ssl, int transport ); +int ssl_set_transport( ssl_context *ssl, int transport ); /** * \brief Set the certificate verification mode @@ -1377,38 +1378,35 @@ const char *ssl_get_alpn_protocol( const ssl_context *ssl ); * (Default: SSL_MAX_MAJOR_VERSION, SSL_MAX_MINOR_VERSION) * * Note: This ignores ciphersuites from 'higher' versions. - * Note: Input outside of the SSL_MAX_XXXXX_VERSION and - * SSL_MIN_XXXXX_VERSION range is ignored. * * \param ssl SSL context * \param major Major version number (only SSL_MAJOR_VERSION_3 supported) * \param minor Minor version number (SSL_MINOR_VERSION_0, * SSL_MINOR_VERSION_1 and SSL_MINOR_VERSION_2, * SSL_MINOR_VERSION_3 supported) + * \return 0 on success or POLARSSL_ERR_SSL_BAD_INPUT_DATA * * \note With DTLS, use SSL_MINOR_VERSION_2 for DTLS 1.0 and * SSL_MINOR_VERSION_3 for DTLS 1.2 */ -void ssl_set_max_version( ssl_context *ssl, int major, int minor ); +int ssl_set_max_version( ssl_context *ssl, int major, int minor ); /** * \brief Set the minimum accepted SSL/TLS protocol version * (Default: SSL_MIN_MAJOR_VERSION, SSL_MIN_MINOR_VERSION) * - * Note: Input outside of the SSL_MAX_XXXXX_VERSION and - * SSL_MIN_XXXXX_VERSION range is ignored. - * * \param ssl SSL context * \param major Major version number (only SSL_MAJOR_VERSION_3 supported) * \param minor Minor version number (SSL_MINOR_VERSION_0, * SSL_MINOR_VERSION_1 and SSL_MINOR_VERSION_2, * SSL_MINOR_VERSION_3 supported) + * \return 0 on success or POLARSSL_ERR_SSL_BAD_INPUT_DATA * * \note With DTLS, use SSL_MINOR_VERSION_2 for DTLS 1.0 and * SSL_MINOR_VERSION_3 for DTLS 1.2 */ -void ssl_set_min_version( ssl_context *ssl, int major, int minor ); +int ssl_set_min_version( ssl_context *ssl, int major, int minor ); #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH) /** diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 13b711574..8d1b3b34b 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -3597,16 +3597,31 @@ void ssl_set_endpoint( ssl_context *ssl, int endpoint ) #endif } -void ssl_set_transport( ssl_context *ssl, int transport ) +int ssl_set_transport( ssl_context *ssl, int transport ) { - ssl->transport = transport; +#if defined(POLARSSL_SSL_PROTO_DTLS) + if( transport == SSL_TRANSPORT_DATAGRAM ) + { + ssl->transport = transport; - /* DTLS starts with TLS1.1 */ - if( ssl->min_minor_ver < SSL_MINOR_VERSION_2 ) - ssl->min_minor_ver = SSL_MINOR_VERSION_2; + /* DTLS starts with TLS1.1 */ + if( ssl->min_minor_ver < SSL_MINOR_VERSION_2 ) + ssl->min_minor_ver = SSL_MINOR_VERSION_2; - if( ssl->max_minor_ver < SSL_MINOR_VERSION_2 ) - ssl->max_minor_ver = SSL_MINOR_VERSION_2; + if( ssl->max_minor_ver < SSL_MINOR_VERSION_2 ) + ssl->max_minor_ver = SSL_MINOR_VERSION_2; + + return( 0 ); + } +#endif + + if( transport == SSL_TRANSPORT_STREAM ) + { + ssl->transport = transport; + return( 0 ); + } + + return( POLARSSL_ERR_SSL_BAD_INPUT_DATA ); } void ssl_set_authmode( ssl_context *ssl, int authmode ) @@ -3969,32 +3984,39 @@ const char *ssl_get_alpn_protocol( const ssl_context *ssl ) } #endif /* POLARSSL_SSL_ALPN */ -void ssl_set_max_version( ssl_context *ssl, int major, int minor ) +static int ssl_check_version( const ssl_context *ssl, int major, int minor ) { if( major < SSL_MIN_MAJOR_VERSION || major > SSL_MAX_MAJOR_VERSION || minor < SSL_MIN_MINOR_VERSION || minor > SSL_MAX_MINOR_VERSION || ( ssl->transport == SSL_TRANSPORT_DATAGRAM && minor < SSL_MINOR_VERSION_2 ) ) { - return; + return( -1 ); } + return( 0 ); +} + +int ssl_set_max_version( ssl_context *ssl, int major, int minor ) +{ + if( ssl_check_version( ssl, major, minor ) != 0 ) + return( POLARSSL_ERR_SSL_BAD_INPUT_DATA ); + ssl->max_major_ver = major; ssl->max_minor_ver = minor; + + return( 0 ); } -void ssl_set_min_version( ssl_context *ssl, int major, int minor ) +int ssl_set_min_version( ssl_context *ssl, int major, int minor ) { - if( major < SSL_MIN_MAJOR_VERSION || major > SSL_MAX_MAJOR_VERSION || - minor < SSL_MIN_MINOR_VERSION || minor > SSL_MAX_MINOR_VERSION || - ( ssl->transport == SSL_TRANSPORT_DATAGRAM && - minor < SSL_MINOR_VERSION_2 ) ) - { - return; - } + if( ssl_check_version( ssl, major, minor ) != 0 ) + return( POLARSSL_ERR_SSL_BAD_INPUT_DATA ); ssl->min_major_ver = major; ssl->min_minor_ver = minor; + + return( 0 ); } #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index d99806d0f..63c8e3822 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -876,9 +876,14 @@ int main( int argc, char *argv[] ) #endif ssl_set_endpoint( &ssl, SSL_IS_CLIENT ); - ssl_set_transport( &ssl, opt.transport ); ssl_set_authmode( &ssl, opt.auth_mode ); + if( ( ret = ssl_set_transport( &ssl, opt.transport ) ) != 0 ) + { + printf( "selected transport is not available\n" ); + goto exit; + } + #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH) if( ( ret = ssl_set_max_frag_len( &ssl, opt.mfl_code ) ) != 0 ) { @@ -963,9 +968,24 @@ int main( int argc, char *argv[] ) #endif if( opt.min_version != -1 ) - ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, opt.min_version ); + { + ret = ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, opt.min_version ); + if( ret != 0 ) + { + printf( " selected min_version is not available\n" ); + goto exit; + } + } + if( opt.max_version != -1 ) - ssl_set_max_version( &ssl, SSL_MAJOR_VERSION_3, opt.max_version ); + { + ret = ssl_set_max_version( &ssl, SSL_MAJOR_VERSION_3, opt.max_version ); + if( ret != 0 ) + { + printf( " selected max_version is not available\n" ); + goto exit; + } + } /* * 4. Handshake diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 707731aa5..36feb6f8c 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -1261,9 +1261,14 @@ int main( int argc, char *argv[] ) } ssl_set_endpoint( &ssl, SSL_IS_SERVER ); - ssl_set_transport( &ssl, opt.transport ); ssl_set_authmode( &ssl, opt.auth_mode ); + if( ( ret = ssl_set_transport( &ssl, opt.transport ) ) != 0 ) + { + printf( "selected transport is not available\n" ); + goto exit; + } + #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH) if( ( ret = ssl_set_max_frag_len( &ssl, opt.mfl_code ) ) != 0 ) { @@ -1392,10 +1397,24 @@ int main( int argc, char *argv[] ) #endif if( opt.min_version != -1 ) - ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, opt.min_version ); + { + ret = ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, opt.min_version ); + if( ret != 0 ) + { + printf( " selected min_version is not available\n" ); + goto exit; + } + } if( opt.max_version != -1 ) - ssl_set_max_version( &ssl, SSL_MAJOR_VERSION_3, opt.max_version ); + { + ret = ssl_set_max_version( &ssl, SSL_MAJOR_VERSION_3, opt.max_version ); + if( ret != 0 ) + { + printf( " selected max_version is not available\n" ); + goto exit; + } + } printf( " ok\n" );