diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h index 6543d5545..09bc907f1 100644 --- a/include/polarssl/ssl.h +++ b/include/polarssl/ssl.h @@ -959,6 +959,9 @@ void ssl_set_endpoint( ssl_context *ssl, int endpoint ); * \param transport transport type: * SSL_TRANSPORT_STREAM for TLS, * SSL_TRANSPORT_DATAGRAM for DTLS. + * + * \note If DTLS is selected and max and/or min version are less + * than TLS 1.1 (DTLS 1.0) they are upped to that value. */ void ssl_set_transport( ssl_context *ssl, int transport ); @@ -1122,6 +1125,9 @@ void ssl_set_ciphersuites( ssl_context *ssl, const int *ciphersuites ); * \param minor Minor version number (SSL_MINOR_VERSION_0, * SSL_MINOR_VERSION_1 and SSL_MINOR_VERSION_2, * SSL_MINOR_VERSION_3 supported) + * + * \note With DTLS, use SSL_MINOR_VERSION_2 for DTLS 1.0 + * and SSL_MINOR_VERSION_3 for DTLS 1.2 */ void ssl_set_ciphersuites_for_version( ssl_context *ssl, const int *ciphersuites, @@ -1379,6 +1385,9 @@ const char *ssl_get_alpn_protocol( const ssl_context *ssl ); * \param minor Minor version number (SSL_MINOR_VERSION_0, * SSL_MINOR_VERSION_1 and SSL_MINOR_VERSION_2, * SSL_MINOR_VERSION_3 supported) + * + * \note With DTLS, use SSL_MINOR_VERSION_2 for DTLS 1.0 and + * SSL_MINOR_VERSION_3 for DTLS 1.2 */ void ssl_set_max_version( ssl_context *ssl, int major, int minor ); @@ -1395,6 +1404,9 @@ void ssl_set_max_version( ssl_context *ssl, int major, int minor ); * \param minor Minor version number (SSL_MINOR_VERSION_0, * SSL_MINOR_VERSION_1 and SSL_MINOR_VERSION_2, * SSL_MINOR_VERSION_3 supported) + * + * \note With DTLS, use SSL_MINOR_VERSION_2 for DTLS 1.0 and + * SSL_MINOR_VERSION_3 for DTLS 1.2 */ void ssl_set_min_version( ssl_context *ssl, int major, int minor ); diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 0b8b0d075..13b711574 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -3600,6 +3600,13 @@ void ssl_set_endpoint( ssl_context *ssl, int endpoint ) void ssl_set_transport( ssl_context *ssl, int transport ) { ssl->transport = transport; + + /* DTLS starts with TLS1.1 */ + if( ssl->min_minor_ver < SSL_MINOR_VERSION_2 ) + ssl->min_minor_ver = SSL_MINOR_VERSION_2; + + if( ssl->max_minor_ver < SSL_MINOR_VERSION_2 ) + ssl->max_minor_ver = SSL_MINOR_VERSION_2; } void ssl_set_authmode( ssl_context *ssl, int authmode ) @@ -3964,22 +3971,30 @@ const char *ssl_get_alpn_protocol( const ssl_context *ssl ) void ssl_set_max_version( ssl_context *ssl, int major, int minor ) { - if( major >= SSL_MIN_MAJOR_VERSION && major <= SSL_MAX_MAJOR_VERSION && - minor >= SSL_MIN_MINOR_VERSION && minor <= SSL_MAX_MINOR_VERSION ) + if( major < SSL_MIN_MAJOR_VERSION || major > SSL_MAX_MAJOR_VERSION || + minor < SSL_MIN_MINOR_VERSION || minor > SSL_MAX_MINOR_VERSION || + ( ssl->transport == SSL_TRANSPORT_DATAGRAM && + minor < SSL_MINOR_VERSION_2 ) ) { - ssl->max_major_ver = major; - ssl->max_minor_ver = minor; + return; } + + ssl->max_major_ver = major; + ssl->max_minor_ver = minor; } void ssl_set_min_version( ssl_context *ssl, int major, int minor ) { - if( major >= SSL_MIN_MAJOR_VERSION && major <= SSL_MAX_MAJOR_VERSION && - minor >= SSL_MIN_MINOR_VERSION && minor <= SSL_MAX_MINOR_VERSION ) + if( major < SSL_MIN_MAJOR_VERSION || major > SSL_MAX_MAJOR_VERSION || + minor < SSL_MIN_MINOR_VERSION || minor > SSL_MAX_MINOR_VERSION || + ( ssl->transport == SSL_TRANSPORT_DATAGRAM && + minor < SSL_MINOR_VERSION_2 ) ) { - ssl->min_major_ver = major; - ssl->min_minor_ver = minor; + return; } + + ssl->min_major_ver = major; + ssl->min_minor_ver = minor; } #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH) @@ -4067,6 +4082,23 @@ const char *ssl_get_ciphersuite( const ssl_context *ssl ) const char *ssl_get_version( const ssl_context *ssl ) { +#if defined(POLARSSL_SSL_PROTO_DTLS) + if( ssl->transport == SSL_TRANSPORT_DATAGRAM ) + { + switch( ssl->minor_ver ) + { + case SSL_MINOR_VERSION_2: + return( "DTLSv1.0" ); + + case SSL_MINOR_VERSION_3: + return( "DTLSv1.2" ); + + default: + return( "unknown (DTLS)" ); + } + } +#endif + switch( ssl->minor_ver ) { case SSL_MINOR_VERSION_0: @@ -4082,9 +4114,8 @@ const char *ssl_get_version( const ssl_context *ssl ) return( "TLSv1.2" ); default: - break; + return( "unknown" ); } - return( "unknown" ); } #if defined(POLARSSL_X509_CRT_PARSE_C)