summaryrefslogtreecommitdiff
path: root/lib/vtls/gskit.c
diff options
context:
space:
mode:
authorJozef Kralik <jozef.kralik@eset.sk>2016-12-13 21:10:00 +0100
committerKamil Dudka <kdudka@redhat.com>2017-03-08 15:54:07 +0100
commit6448f98c1857de521fb2dd3f9d4e5659845b5474 (patch)
tree183b4febdb062f32be9113ae170e3b57f44a4b28 /lib/vtls/gskit.c
parentb66690733642d764199eeb1b64aaaa2513c13db3 (diff)
downloadcurl-6448f98c1857de521fb2dd3f9d4e5659845b5474.tar.gz
vtls: add options to specify range of enabled TLS versions
This commit introduces the CURL_SSLVERSION_MAX_* constants as well as the --tls-max option of the curl tool. Closes https://github.com/curl/curl/pull/1166
Diffstat (limited to 'lib/vtls/gskit.c')
-rw-r--r--lib/vtls/gskit.c48
1 files changed, 39 insertions, 9 deletions
diff --git a/lib/vtls/gskit.c b/lib/vtls/gskit.c
index a0d462b70..d760b6a87 100644
--- a/lib/vtls/gskit.c
+++ b/lib/vtls/gskit.c
@@ -748,6 +748,40 @@ static ssize_t gskit_recv(struct connectdata *conn, int num, char *buf,
return (ssize_t) nread;
}
+static CURLcode
+set_ssl_version_min_max(unsigned int *protoflags, struct connectdata *conn)
+{
+ struct Curl_easy *data = conn->data;
+ long ssl_version = SSL_CONN_CONFIG(version);
+ long ssl_version_max = SSL_CONN_CONFIG(version_max);
+ long i = ssl_version;
+ switch(ssl_version_max) {
+ case CURL_SSLVERSION_MAX_NONE:
+ ssl_version_max = ssl_version;
+ break;
+ case CURL_SSLVERSION_MAX_DEFAULT:
+ ssl_version_max = CURL_SSLVERSION_TLSv1_2;
+ break;
+ }
+ for(; i <= (ssl_version_max >> 16); ++i) {
+ switch(i) {
+ case CURL_SSLVERSION_TLSv1_0:
+ *protoflags |= CURL_GSKPROTO_TLSV10_MASK;
+ break;
+ case CURL_SSLVERSION_TLSv1_1:
+ *protoflags |= CURL_GSKPROTO_TLSV11_MASK;
+ break;
+ case CURL_SSLVERSION_TLSv1_2:
+ *protoflags |= CURL_GSKPROTO_TLSV11_MASK;
+ break;
+ case CURL_SSLVERSION_TLSv1_3:
+ failf(data, "GSKit: TLS 1.3 is not yet supported");
+ return CURLE_SSL_CONNECT_ERROR;
+ }
+ }
+
+ return CURLE_OK;
+}
static CURLcode gskit_connect_step1(struct connectdata *conn, int sockindex)
{
@@ -764,7 +798,7 @@ static CURLcode gskit_connect_step1(struct connectdata *conn, int sockindex)
const char * const hostname = SSL_IS_PROXY()? conn->http_proxy.host.name:
conn->host.name;
const char *sni;
- unsigned int protoflags;
+ unsigned int protoflags = 0;
long timeout;
Qso_OverlappedIO_t commarea;
int sockpair[2];
@@ -849,17 +883,13 @@ static CURLcode gskit_connect_step1(struct connectdata *conn, int sockindex)
CURL_GSKPROTO_TLSV11_MASK | CURL_GSKPROTO_TLSV12_MASK;
break;
case CURL_SSLVERSION_TLSv1_0:
- protoflags = CURL_GSKPROTO_TLSV10_MASK;
- break;
case CURL_SSLVERSION_TLSv1_1:
- protoflags = CURL_GSKPROTO_TLSV11_MASK;
- break;
case CURL_SSLVERSION_TLSv1_2:
- protoflags = CURL_GSKPROTO_TLSV12_MASK;
- break;
case CURL_SSLVERSION_TLSv1_3:
- failf(data, "GSKit: TLS 1.3 is not yet supported");
- return CURLE_SSL_CONNECT_ERROR;
+ result = set_ssl_version_min_max(&protoflags, conn);
+ if(result != CURLE_OK)
+ return result;
+ break;
default:
failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION");
return CURLE_SSL_CONNECT_ERROR;