moparisthebest/curl
1
0
Fork 0
mirror of https://github.com/moparisthebest/curl synced 2024-12-23 08:38:49 -05:00
Code Issues Releases Wiki Activity

GnuTLS: don't allow TLS 1.3 for versions that don't support it

Browse Source 
Follow-up to 781864bedb

... as they don't understand it and will return error at us!

Closes #7014
This commit is contained in:
Daniel Stenberg 2021-05-05 23:26:01 +02:00
parent 92953dc387
commit 577f19397c
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
1 changed files with 26 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
lib/vtls/gtls.c
View File

@ -308,7 +308,9 @@ static gnutls_x509_crt_fmt_t do_file_type(const char *type)
#define GNUTLS_SRP "+SRP" #define GNUTLS_SRP "+SRP"
static CURLcode static CURLcode
set_ssl_version_min_max(const char **prioritylist, struct Curl_easy *data) set_ssl_version_min_max(struct Curl_easy *data,
const char **prioritylist,
const char *tls13support)
{ {
struct connectdata *conn = data->conn; struct connectdata *conn = data->conn;
long ssl_version = SSL_CONN_CONFIG(version); long ssl_version = SSL_CONN_CONFIG(version);
@ -319,6 +321,15 @@ set_ssl_version_min_max(const char **prioritylist, struct Curl_easy *data)
ssl_version = CURL_SSLVERSION_TLSv1_0; ssl_version = CURL_SSLVERSION_TLSv1_0;
if(ssl_version_max == CURL_SSLVERSION_MAX_NONE) if(ssl_version_max == CURL_SSLVERSION_MAX_NONE)
ssl_version_max = CURL_SSLVERSION_MAX_DEFAULT; ssl_version_max = CURL_SSLVERSION_MAX_DEFAULT;
if(!tls13support) {
/* If the running GnuTLS doesn't support TLS 1.3, we must not specify a
prioritylist involving that since it will make GnuTLS return an en
error back at us */
if((ssl_version_max == CURL_SSLVERSION_MAX_TLSv1_3) ||
(ssl_version_max == CURL_SSLVERSION_MAX_DEFAULT)) {
ssl_version_max = CURL_SSLVERSION_MAX_TLSv1_2;
}
}
switch(ssl_version | ssl_version_max) { switch(ssl_version | ssl_version_max) {
case CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_TLSv1_0: case CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_TLSv1_0:
@ -398,6 +409,7 @@ gtls_connect_step1(struct Curl_easy *data,
const char *err = NULL; const char *err = NULL;
const char * const hostname = SSL_HOST_NAME(); const char * const hostname = SSL_HOST_NAME();
long * const certverifyresult = &SSL_SET_OPTION_LVALUE(certverifyresult); long * const certverifyresult = &SSL_SET_OPTION_LVALUE(certverifyresult);
const char *tls13support;
if(connssl->state == ssl_connection_complete) if(connssl->state == ssl_connection_complete)
/* to make us tolerant against being called more than once for the /* to make us tolerant against being called more than once for the
@ -545,27 +557,34 @@ gtls_connect_step1(struct Curl_easy *data,
if(rc != GNUTLS_E_SUCCESS) if(rc != GNUTLS_E_SUCCESS)
return CURLE_SSL_CONNECT_ERROR; return CURLE_SSL_CONNECT_ERROR;
/* "In GnuTLS 3.6.5, TLS 1.3 is enabled by default" */
tls13support = gnutls_check_version("3.6.5");
/* Ensure +SRP comes at the *end* of all relevant strings so that it can be /* Ensure +SRP comes at the *end* of all relevant strings so that it can be
* removed if a run-time error indicates that SRP is not supported by this * removed if a run-time error indicates that SRP is not supported by this
* GnuTLS version */ * GnuTLS version */
switch(SSL_CONN_CONFIG(version)) { switch(SSL_CONN_CONFIG(version)) {
case CURL_SSLVERSION_TLSv1_3:
if(!tls13support) {
failf(data, "This GnuTLS installation does not support TLS 1.3");
return CURLE_SSL_CONNECT_ERROR;
}
/* FALLTHROUGH */
case CURL_SSLVERSION_DEFAULT: case CURL_SSLVERSION_DEFAULT:
case CURL_SSLVERSION_TLSv1: case CURL_SSLVERSION_TLSv1:
case CURL_SSLVERSION_TLSv1_0: case CURL_SSLVERSION_TLSv1_0:
case CURL_SSLVERSION_TLSv1_1: case CURL_SSLVERSION_TLSv1_1:
case CURL_SSLVERSION_TLSv1_2: case CURL_SSLVERSION_TLSv1_2: {
case CURL_SSLVERSION_TLSv1_3: { CURLcode result = set_ssl_version_min_max(data, &prioritylist,
CURLcode result = set_ssl_version_min_max(&prioritylist, data); tls13support);
if(result) if(result)
return result; return result;
break; break;
} }
case CURL_SSLVERSION_SSLv2: case CURL_SSLVERSION_SSLv2:
case CURL_SSLVERSION_SSLv3: case CURL_SSLVERSION_SSLv3:
failf(data, "GnuTLS does not support SSLv2 or SSLv3");
return CURLE_SSL_CONNECT_ERROR;
default: default:
failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION"); failf(data, "GnuTLS does not support SSLv2 or SSLv3");
return CURLE_SSL_CONNECT_ERROR; return CURLE_SSL_CONNECT_ERROR;
} }
@ -580,7 +599,6 @@ gtls_connect_step1(struct Curl_easy *data,
return CURLE_OUT_OF_MEMORY; return CURLE_OUT_OF_MEMORY;
strcpy(prioritysrp, prioritylist); strcpy(prioritysrp, prioritylist);
strcpy(prioritysrp + len, ":" GNUTLS_SRP); strcpy(prioritysrp + len, ":" GNUTLS_SRP);
rc = gnutls_priority_set_direct(session, prioritysrp, &err); rc = gnutls_priority_set_direct(session, prioritysrp, &err);
free(prioritysrp); free(prioritysrp);