diff options
author | Jozef Kralik <jozef.kralik@eset.sk> | 2016-12-13 21:10:00 +0100 |
---|---|---|
committer | Kamil Dudka <kdudka@redhat.com> | 2017-03-08 15:54:07 +0100 |
commit | 6448f98c1857de521fb2dd3f9d4e5659845b5474 (patch) | |
tree | 183b4febdb062f32be9113ae170e3b57f44a4b28 /lib/vtls/gskit.c | |
parent | b66690733642d764199eeb1b64aaaa2513c13db3 (diff) | |
download | curl-6448f98c1857de521fb2dd3f9d4e5659845b5474.tar.gz |
vtls: add options to specify range of enabled TLS versions
This commit introduces the CURL_SSLVERSION_MAX_* constants as well as
the --tls-max option of the curl tool.
Closes https://github.com/curl/curl/pull/1166
Diffstat (limited to 'lib/vtls/gskit.c')
-rw-r--r-- | lib/vtls/gskit.c | 48 |
1 files changed, 39 insertions, 9 deletions
diff --git a/lib/vtls/gskit.c b/lib/vtls/gskit.c index a0d462b70..d760b6a87 100644 --- a/lib/vtls/gskit.c +++ b/lib/vtls/gskit.c @@ -748,6 +748,40 @@ static ssize_t gskit_recv(struct connectdata *conn, int num, char *buf, return (ssize_t) nread; } +static CURLcode +set_ssl_version_min_max(unsigned int *protoflags, struct connectdata *conn) +{ + struct Curl_easy *data = conn->data; + long ssl_version = SSL_CONN_CONFIG(version); + long ssl_version_max = SSL_CONN_CONFIG(version_max); + long i = ssl_version; + switch(ssl_version_max) { + case CURL_SSLVERSION_MAX_NONE: + ssl_version_max = ssl_version; + break; + case CURL_SSLVERSION_MAX_DEFAULT: + ssl_version_max = CURL_SSLVERSION_TLSv1_2; + break; + } + for(; i <= (ssl_version_max >> 16); ++i) { + switch(i) { + case CURL_SSLVERSION_TLSv1_0: + *protoflags |= CURL_GSKPROTO_TLSV10_MASK; + break; + case CURL_SSLVERSION_TLSv1_1: + *protoflags |= CURL_GSKPROTO_TLSV11_MASK; + break; + case CURL_SSLVERSION_TLSv1_2: + *protoflags |= CURL_GSKPROTO_TLSV11_MASK; + break; + case CURL_SSLVERSION_TLSv1_3: + failf(data, "GSKit: TLS 1.3 is not yet supported"); + return CURLE_SSL_CONNECT_ERROR; + } + } + + return CURLE_OK; +} static CURLcode gskit_connect_step1(struct connectdata *conn, int sockindex) { @@ -764,7 +798,7 @@ static CURLcode gskit_connect_step1(struct connectdata *conn, int sockindex) const char * const hostname = SSL_IS_PROXY()? conn->http_proxy.host.name: conn->host.name; const char *sni; - unsigned int protoflags; + unsigned int protoflags = 0; long timeout; Qso_OverlappedIO_t commarea; int sockpair[2]; @@ -849,17 +883,13 @@ static CURLcode gskit_connect_step1(struct connectdata *conn, int sockindex) CURL_GSKPROTO_TLSV11_MASK | CURL_GSKPROTO_TLSV12_MASK; break; case CURL_SSLVERSION_TLSv1_0: - protoflags = CURL_GSKPROTO_TLSV10_MASK; - break; case CURL_SSLVERSION_TLSv1_1: - protoflags = CURL_GSKPROTO_TLSV11_MASK; - break; case CURL_SSLVERSION_TLSv1_2: - protoflags = CURL_GSKPROTO_TLSV12_MASK; - break; case CURL_SSLVERSION_TLSv1_3: - failf(data, "GSKit: TLS 1.3 is not yet supported"); - return CURLE_SSL_CONNECT_ERROR; + result = set_ssl_version_min_max(&protoflags, conn); + if(result != CURLE_OK) + return result; + break; default: failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION"); return CURLE_SSL_CONNECT_ERROR; |