Always define TLSv3

amousset · amousset · commit b81f70295bdb · 2023-08-18T20:21:58.000+02:00
diff --git a/Cargo.toml b/Cargo.toml
@@ -24,7 +24,7 @@ libc = "0.2"
 tempfile = "3.1.0"
 
 [target.'cfg(target_os = "windows")'.dependencies]
-schannel = "0.1.17"
+schannel = "0.1.20"
 
 [target.'cfg(not(any(target_os = "windows", target_os = "macos", target_os = "ios")))'.dependencies]
 log = "0.4.5"
diff --git a/src/imp/openssl.rs b/src/imp/openssl.rs
@@ -23,22 +23,24 @@ fn supported_protocols(
     min: Option<Protocol>,
     max: Option<Protocol>,
     ctx: &mut SslContextBuilder,
-) -> Result<(), ErrorStack> {
+) -> Result<(), Error> {
     use self::openssl::ssl::SslVersion;
 
-    fn cvt(p: Protocol) -> SslVersion {
+    fn cvt(p: Protocol) -> Result<SslVersion, Error> {
         match p {
-            Protocol::Sslv3 => SslVersion::SSL3,
-            Protocol::Tlsv10 => SslVersion::TLS1,
-            Protocol::Tlsv11 => SslVersion::TLS1_1,
-            Protocol::Tlsv12 => SslVersion::TLS1_2,
+            Protocol::Sslv3 => Ok(SslVersion::SSL3),
+            Protocol::Tlsv10 => Ok(SslVersion::TLS1),
+            Protocol::Tlsv11 => Ok(SslVersion::TLS1_1),
+            Protocol::Tlsv12 => Ok(SslVersion::TLS1_2),
             #[cfg(have_tls13_version)]
-            Protocol::Tlsv13 => SslVersion::TLS1_3,
+            Protocol::Tlsv13 => Ok(SslVersion::TLS1_3),
+            #[cfg(not(have_tls13_version))]
+            Protocol::Tlsv13 => Err(Error::UnsupportedTls13)
         }
     }
 
-    ctx.set_min_proto_version(min.map(cvt))?;
-    ctx.set_max_proto_version(max.map(cvt))?;
+    ctx.set_min_proto_version(min.map(cvt).transpose()?)?;
+    ctx.set_max_proto_version(max.map(cvt).transpose()?)?;
 
     Ok(())
 }
@@ -117,6 +119,7 @@ pub enum Error {
     Ssl(ssl::Error, X509VerifyResult),
     EmptyChain,
     NotPkcs8,
+    UnsupportedTls13,
 }
 
 impl error::Error for Error {
@@ -126,6 +129,7 @@ impl error::Error for Error {
             Error::Ssl(ref e, _) => error::Error::source(e),
             Error::EmptyChain => None,
             Error::NotPkcs8 => None,
+            Error::UnsupportedTls13 => None,
         }
     }
 }
@@ -141,6 +145,7 @@ impl fmt::Display for Error {
                 "at least one certificate must be provided to create an identity"
             ),
             Error::NotPkcs8 => write!(fmt, "expected PKCS#8 PEM"),
+            Error::UnsupportedTls13 => write!(fmt, "TLS version 1.3 not supported"),
         }
     }
 }
diff --git a/src/imp/schannel.rs b/src/imp/schannel.rs
@@ -19,6 +19,7 @@ static PROTOCOLS: &'static [Protocol] = &[
     Protocol::Tls10,
     Protocol::Tls11,
     Protocol::Tls12,
+    Protocol::Tls13,
 ];
 
 fn convert_protocols(min: Option<::Protocol>, max: Option<::Protocol>) -> &'static [Protocol] {
diff --git a/src/imp/security_framework.rs b/src/imp/security_framework.rs
@@ -43,12 +43,14 @@ static SET_AT_EXIT: Once = Once::new();
 #[cfg(not(target_os = "ios"))]
 static TEMP_KEYCHAIN: Lazy<Mutex<Option<(SecKeychain, TempDir)>>> = Lazy::new(|| Mutex::new(None));
 
-fn convert_protocol(protocol: Protocol) -> SslProtocol {
+fn convert_protocol(protocol: Protocol) -> Result<SslProtocol, Error> {
     match protocol {
-        Protocol::Sslv3 => SslProtocol::SSL3,
-        Protocol::Tlsv10 => SslProtocol::TLS1,
-        Protocol::Tlsv11 => SslProtocol::TLS11,
-        Protocol::Tlsv12 => SslProtocol::TLS12,
+        Protocol::Sslv3 => Ok(SslProtocol::SSL3),
+        Protocol::Tlsv10 => Ok(SslProtocol::TLS1),
+        Protocol::Tlsv11 => Ok(SslProtocol::TLS11),
+        Protocol::Tlsv12 => Ok(SslProtocol::TLS12),
+        // Not supported in SecureTransport API used in security_framework
+        Protocol::Tlsv13 => Err(Error(base::Error::from("TLS 1.3 is not supported")))
     }
 }
 
diff --git a/src/lib.rs b/src/lib.rs
@@ -324,8 +324,8 @@ pub enum Protocol {
     Tlsv12,
     /// The TLS 1.3 protocol.
     ///
-    /// Requires OpenSSL 1.1.1 or LibreSSL 3.4.0 or newer.
-    #[cfg(have_tls13_version)]
+    /// Only works on Windows, or with openssl >= 1.1.1 or libressl >= 3.4.0.
+    /// It will fail at runtime when used in other situations.
     Tlsv13,
 }
 
diff --git a/src/test.rs b/src/test.rs
@@ -16,7 +16,7 @@ macro_rules! p {
     };
 }
 
-#[cfg(have_tls13_version)]
+#[cfg(any(target_os = "windows", have_tls13_version))]
 #[test]
 fn connect_google_tls13() {
     let builder = p!(

Original file line number	Diff line number	Diff line change
`@@ -23,22 +23,24 @@ fn supported_protocols(`
`23`	`23`	`min: Option<Protocol>,`
`24`	`24`	`max: Option<Protocol>,`
`25`	`25`	`ctx: &mut SslContextBuilder,`
`26`		`-) -> Result<(), ErrorStack> {`
	`26`	`+) -> Result<(), Error> {`
`27`	`27`	`use self::openssl::ssl::SslVersion;`
`28`	`28`
`29`		`- fn cvt(p: Protocol) -> SslVersion {`
	`29`	`+ fn cvt(p: Protocol) -> Result<SslVersion, Error> {`
`30`	`30`	`match p {`
`31`		`- Protocol::Sslv3 => SslVersion::SSL3,`
`32`		`- Protocol::Tlsv10 => SslVersion::TLS1,`
`33`		`- Protocol::Tlsv11 => SslVersion::TLS1_1,`
`34`		`- Protocol::Tlsv12 => SslVersion::TLS1_2,`
	`31`	`+ Protocol::Sslv3 => Ok(SslVersion::SSL3),`
	`32`	`+ Protocol::Tlsv10 => Ok(SslVersion::TLS1),`
	`33`	`+ Protocol::Tlsv11 => Ok(SslVersion::TLS1_1),`
	`34`	`+ Protocol::Tlsv12 => Ok(SslVersion::TLS1_2),`
`35`	`35`	`#[cfg(have_tls13_version)]`
`36`		`- Protocol::Tlsv13 => SslVersion::TLS1_3,`
	`36`	`+ Protocol::Tlsv13 => Ok(SslVersion::TLS1_3),`
	`37`	`+ #[cfg(not(have_tls13_version))]`
	`38`	`+ Protocol::Tlsv13 => Err(Error::UnsupportedTls13)`
`37`	`39`	`}`
`38`	`40`	`}`
`39`	`41`
`40`		`- ctx.set_min_proto_version(min.map(cvt))?;`
`41`		`- ctx.set_max_proto_version(max.map(cvt))?;`
	`42`	`+ ctx.set_min_proto_version(min.map(cvt).transpose()?)?;`
	`43`	`+ ctx.set_max_proto_version(max.map(cvt).transpose()?)?;`
`42`	`44`
`43`	`45`	`Ok(())`
`44`	`46`	`}`
`@@ -117,6 +119,7 @@ pub enum Error {`
`117`	`119`	`Ssl(ssl::Error, X509VerifyResult),`
`118`	`120`	`EmptyChain,`
`119`	`121`	`NotPkcs8,`
	`122`	`+ UnsupportedTls13,`
`120`	`123`	`}`
`121`	`124`
`122`	`125`	`impl error::Error for Error {`
`@@ -126,6 +129,7 @@ impl error::Error for Error {`
`126`	`129`	`Error::Ssl(ref e, _) => error::Error::source(e),`
`127`	`130`	`Error::EmptyChain => None,`
`128`	`131`	`Error::NotPkcs8 => None,`
	`132`	`+ Error::UnsupportedTls13 => None,`
`129`	`133`	`}`
`130`	`134`	`}`
`131`	`135`	`}`
`@@ -141,6 +145,7 @@ impl fmt::Display for Error {`
`141`	`145`	`"at least one certificate must be provided to create an identity"`
`142`	`146`	`),`
`143`	`147`	`Error::NotPkcs8 => write!(fmt, "expected PKCS#8 PEM"),`
	`148`	`+ Error::UnsupportedTls13 => write!(fmt, "TLS version 1.3 not supported"),`
`144`	`149`	`}`
`145`	`150`	`}`
`146`	`151`	`}`
Original file line number	Diff line number	Diff line change
`@@ -16,7 +16,7 @@ macro_rules! p {`
`16`	`16`	`};`
`17`	`17`	`}`
`18`	`18`
`19`		`-#[cfg(have_tls13_version)]`
	`19`	`+#[cfg(any(target_os = "windows", have_tls13_version))]`
`20`	`20`	`#[test]`
`21`	`21`	`fn connect_google_tls13() {`
`22`	`22`	`let builder = p!(`