Make wolfSSL_(get|set)_options available outside compat layer.

Also make wolfSSL_CTX_get_options available.
pull/5362/head
Hayden Roche 2022-07-14 14:53:42 -07:00
parent e3c65d86d6
commit a1b7c29309
4 changed files with 119 additions and 100 deletions


@ -6204,12 +6204,10 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
}
} /* writeDup check */
#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)
if (ctx->mask != 0 && wolfSSL_set_options(ssl, ctx->mask) == 0) {
WOLFSSL_MSG("wolfSSL_set_options error");
return BAD_FUNC_ARG;
}
#endif
#ifdef WOLFSSL_SESSION_EXPORT
#ifdef WOLFSSL_DTLS
@ -24336,12 +24334,11 @@ exit_dpk:
ret = 1;
}
#ifdef OPENSSL_EXTRA
if ((wolfSSL_get_options(ssl) & SSL_OP_NO_TLSv1_3)) {
if ((wolfSSL_get_options(ssl) & WOLFSSL_OP_NO_TLSv1_3)) {
/* option set at run time to disable TLS 1.3 */
ret = 0;
}
#endif
return ret;
#endif
}
@ -24860,31 +24857,38 @@ static int HashSkeData(WOLFSSL* ssl, enum wc_HashType hashType,
}
}
#ifdef OPENSSL_EXTRA
/* check if option is set to not allow the current version
* set from either wolfSSL_set_options or wolfSSL_CTX_set_options */
if (!ssl->options.dtls && ssl->options.downgrade &&
ssl->options.mask > 0) {
ssl->options.mask > 0) {
if (ssl->version.minor == TLSv1_2_MINOR &&
(ssl->options.mask & SSL_OP_NO_TLSv1_2) == SSL_OP_NO_TLSv1_2) {
(ssl->options.mask & WOLFSSL_OP_NO_TLSv1_2) ==
WOLFSSL_OP_NO_TLSv1_2) {
WOLFSSL_MSG("\tOption set to not allow TLSv1.2, Downgrading");
ssl->version.minor = TLSv1_1_MINOR;
}
if (ssl->version.minor == TLSv1_1_MINOR &&
(ssl->options.mask & SSL_OP_NO_TLSv1_1) == SSL_OP_NO_TLSv1_1) {
(ssl->options.mask & WOLFSSL_OP_NO_TLSv1_1) ==
WOLFSSL_OP_NO_TLSv1_1) {
WOLFSSL_MSG("\tOption set to not allow TLSv1.1, Downgrading");
ssl->options.tls1_1 = 0;
ssl->version.minor = TLSv1_MINOR;
}
if (ssl->version.minor == TLSv1_MINOR &&
(ssl->options.mask & SSL_OP_NO_TLSv1) == SSL_OP_NO_TLSv1) {
(ssl->options.mask & WOLFSSL_OP_NO_TLSv1) ==
WOLFSSL_OP_NO_TLSv1) {
WOLFSSL_MSG("\tOption set to not allow TLSv1, Downgrading");
ssl->options.tls = 0;
ssl->options.tls1_1 = 0;
ssl->version.minor = SSLv3_MINOR;
}
if (ssl->version.minor == SSLv3_MINOR &&
(ssl->options.mask & SSL_OP_NO_SSLv3) == SSL_OP_NO_SSLv3) {
(ssl->options.mask & WOLFSSL_OP_NO_SSLv3) ==
WOLFSSL_OP_NO_SSLv3) {
WOLFSSL_MSG("\tError, option set to not allow SSLv3");
return VERSION_ERROR;
}
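Review bot: The four-step WOLFSSL_OP_NO_* downgrade ladder in this hunk is repeated almost line for line in the later hunk of this file (the one whose SSLv3 branch ends in `goto out`), the only differences being the `reset = 1` bookkeeping and how VERSION_ERROR is reported; since the commit already rewrites every line of both copies, this is the moment to fold them into one static helper so the two sides cannot drift apart. A helper returning 1 when the version was lowered, 0 when untouched and VERSION_ERROR for the SSLv3 case lets this site call `if (ApplyVersionMask(ssl) == VERSION_ERROR) return VERSION_ERROR;` and the later site derive `reset` from a positive return, with the rest of each block left as is. While there, `ssl->options.mask > 0` reads as `!= 0` because `mask` is `unsigned long` in the header hunk; writing `ssl->options.mask != 0` states the intent directly. The enclosing function starts and ends outside this hunk.
```c
/* Lower ssl->version.minor until it is not excluded by ssl->options.mask.
 * Returns 1 if the version was lowered, 0 if left unchanged, or VERSION_ERROR
 * when SSLv3 would be selected but WOLFSSL_OP_NO_SSLv3 is also set. */
static int ApplyVersionMask(WOLFSSL* ssl)
{
    int lowered = 0;

    if (ssl->version.minor == TLSv1_2_MINOR &&
        (ssl->options.mask & WOLFSSL_OP_NO_TLSv1_2) == WOLFSSL_OP_NO_TLSv1_2) {
        WOLFSSL_MSG("\tOption set to not allow TLSv1.2, Downgrading");
        ssl->version.minor = TLSv1_1_MINOR;
        lowered = 1;
    }
    /* … same shape for TLSv1.1 -> TLSv1 and TLSv1 -> SSLv3, clearing
     * ssl->options.tls1_1 / ssl->options.tls as the hunk does today … */
    if (ssl->version.minor == SSLv3_MINOR &&
        (ssl->options.mask & WOLFSSL_OP_NO_SSLv3) == WOLFSSL_OP_NO_SSLv3) {
        WOLFSSL_MSG("\tError, option set to not allow SSLv3");
        return VERSION_ERROR;
    }
    return lowered;
}

/* … at this call site, replacing the inline ladder … */
    if (!ssl->options.dtls && ssl->options.downgrade &&
            ssl->options.mask != 0) {
        if (ApplyVersionMask(ssl) == VERSION_ERROR) {
            return VERSION_ERROR;
        }
        /* … unchanged: remaining checks of this block … */
```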
@ -24894,7 +24898,6 @@ static int HashSkeData(WOLFSSL* ssl, enum wc_HashType hashType,
return VERSION_ERROR;
}
}
#endif
return 0;
}
@ -25163,11 +25166,8 @@ static int HashSkeData(WOLFSSL* ssl, enum wc_HashType hashType,
else
#endif
if (ssl->ctx->method->version.major == SSLv3_MAJOR &&
ssl->ctx->method->version.minor == TLSv1_2_MINOR
#ifdef OPENSSL_EXTRA
&& (wolfSSL_get_options(ssl) & SSL_OP_NO_TLSv1_2) == 0
#endif
) {
ssl->ctx->method->version.minor == TLSv1_2_MINOR &&
(wolfSSL_get_options(ssl) & WOLFSSL_OP_NO_TLSv1_2) == 0) {
/* TLS v1.2 capable client not allowed to downgrade when
* connecting to TLS v1.2 capable server.
*/
@ -28863,11 +28863,9 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
else
#endif
if (ssl->ctx->method->version.major == SSLv3_MAJOR &&
ssl->ctx->method->version.minor == TLSv1_2_MINOR &&
#ifdef OPENSSL_EXTRA
(wolfSSL_get_options(ssl) & SSL_OP_NO_TLSv1_2) == 0 &&
#endif
!IsAtLeastTLSv1_2(ssl)) {
ssl->ctx->method->version.minor == TLSv1_2_MINOR &&
(wolfSSL_get_options(ssl) & WOLFSSL_OP_NO_TLSv1_2) == 0 &&
!IsAtLeastTLSv1_2(ssl)) {
/* TLS v1.2 capable server downgraded. */
XMEMCPY(output + idx + RAN_LEN - (TLS13_DOWNGRADE_SZ + 1),
tls13Downgrade, TLS13_DOWNGRADE_SZ);
@ -31274,35 +31272,43 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
ssl->options.side);
}
#ifdef OPENSSL_EXTRA
/* check if option is set to not allow the current version
* set from either wolfSSL_set_options or wolfSSL_CTX_set_options */
if (!ssl->options.dtls && ssl->options.downgrade &&
ssl->options.mask > 0) {
ssl->options.mask > 0) {
int reset = 0;
if (ssl->version.minor == TLSv1_2_MINOR &&
(ssl->options.mask & SSL_OP_NO_TLSv1_2) == SSL_OP_NO_TLSv1_2) {
(ssl->options.mask & WOLFSSL_OP_NO_TLSv1_2) ==
WOLFSSL_OP_NO_TLSv1_2) {
WOLFSSL_MSG("\tOption set to not allow TLSv1.2, Downgrading");
ssl->version.minor = TLSv1_1_MINOR;
reset = 1;
}
if (ssl->version.minor == TLSv1_1_MINOR &&
(ssl->options.mask & SSL_OP_NO_TLSv1_1) == SSL_OP_NO_TLSv1_1) {
(ssl->options.mask & WOLFSSL_OP_NO_TLSv1_1) ==
WOLFSSL_OP_NO_TLSv1_1) {
WOLFSSL_MSG("\tOption set to not allow TLSv1.1, Downgrading");
ssl->options.tls1_1 = 0;
ssl->version.minor = TLSv1_MINOR;
reset = 1;
}
if (ssl->version.minor == TLSv1_MINOR &&
(ssl->options.mask & SSL_OP_NO_TLSv1) == SSL_OP_NO_TLSv1) {
(ssl->options.mask & WOLFSSL_OP_NO_TLSv1) ==
WOLFSSL_OP_NO_TLSv1) {
WOLFSSL_MSG("\tOption set to not allow TLSv1, Downgrading");
ssl->options.tls = 0;
ssl->options.tls1_1 = 0;
ssl->version.minor = SSLv3_MINOR;
reset = 1;
}
if (ssl->version.minor == SSLv3_MINOR &&
(ssl->options.mask & SSL_OP_NO_SSLv3) == SSL_OP_NO_SSLv3) {
(ssl->options.mask & WOLFSSL_OP_NO_SSLv3) ==
WOLFSSL_OP_NO_SSLv3) {
WOLFSSL_MSG("\tError, option set to not allow SSLv3");
ret = VERSION_ERROR;
goto out;
@ -31337,7 +31343,6 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
ssl->options.side);
}
}
#endif
/* random */
XMEMCPY(ssl->arrays->clientRandom, input + i, RAN_LEN);


@ -15844,7 +15844,6 @@ cleanup:
}
#ifdef OPENSSL_EXTRA
void wolfSSL_CTX_set_tmp_rsa_callback(WOLFSSL_CTX* ctx,
WOLFSSL_RSA*(*f)(WOLFSSL*, int, int))
{
@ -15865,7 +15864,7 @@ cleanup:
ssl->options.sentNotify = (opt&WOLFSSL_SENT_SHUTDOWN) > 0;
ssl->options.closeNotify = (opt&WOLFSSL_RECEIVED_SHUTDOWN) > 0;
}
#endif
long wolfSSL_CTX_get_options(WOLFSSL_CTX* ctx)
{
@ -15876,8 +15875,6 @@ cleanup:
return ctx->mask;
}
#endif
static long wolf_set_options(long old_op, long op);
long wolfSSL_CTX_set_options(WOLFSSL_CTX* ctx, long opt)
{
@ -22584,7 +22581,6 @@ static long wolf_set_options(long old_op, long op)
return old_op | op;
}
#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)
long wolfSSL_set_options(WOLFSSL* ssl, long op)
{
word16 haveRSA = 1;
@ -22599,29 +22595,28 @@ long wolfSSL_set_options(WOLFSSL* ssl, long op)
ssl->options.mask = wolf_set_options(ssl->options.mask, op);
#ifdef SSL_OP_NO_TLSv1_3
if ((ssl->options.mask & SSL_OP_NO_TLSv1_3) == SSL_OP_NO_TLSv1_3) {
if ((ssl->options.mask & WOLFSSL_OP_NO_TLSv1_3) == WOLFSSL_OP_NO_TLSv1_3) {
if (ssl->version.minor == TLSv1_3_MINOR)
ssl->version.minor = TLSv1_2_MINOR;
}
#endif
if ((ssl->options.mask & SSL_OP_NO_TLSv1_2) == SSL_OP_NO_TLSv1_2) {
if ((ssl->options.mask & WOLFSSL_OP_NO_TLSv1_2) == WOLFSSL_OP_NO_TLSv1_2) {
if (ssl->version.minor == TLSv1_2_MINOR)
ssl->version.minor = TLSv1_1_MINOR;
}
if ((ssl->options.mask & SSL_OP_NO_TLSv1_1) == SSL_OP_NO_TLSv1_1) {
if ((ssl->options.mask & WOLFSSL_OP_NO_TLSv1_1) == WOLFSSL_OP_NO_TLSv1_1) {
if (ssl->version.minor == TLSv1_1_MINOR)
ssl->version.minor = TLSv1_MINOR;
}
if ((ssl->options.mask & SSL_OP_NO_TLSv1) == SSL_OP_NO_TLSv1) {
if ((ssl->options.mask & WOLFSSL_OP_NO_TLSv1) == WOLFSSL_OP_NO_TLSv1) {
if (ssl->version.minor == TLSv1_MINOR)
ssl->version.minor = SSLv3_MINOR;
}
if ((ssl->options.mask & WOLFSSL_OP_NO_COMPRESSION) == WOLFSSL_OP_NO_COMPRESSION) {
if ((ssl->options.mask & WOLFSSL_OP_NO_COMPRESSION)
== WOLFSSL_OP_NO_COMPRESSION) {
#ifdef HAVE_LIBZ
ssl->options.usingCompression = 0;
#endif
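Review bot: The guard `#ifdef SSL_OP_NO_TLSv1_3` at the top of this hunk still keys on the compat-layer spelling while the body it protects now tests `WOLFSSL_OP_NO_TLSv1_3`. If SSL_OP_NO_TLSv1_3 is only defined under OPENSSL_EXTRA (the commit does not show where either macro is defined, so this is inferred), a build that calls wolfSSL_set_options outside the compat layer will silently skip the TLS 1.3 step of the downgrade chain while the TLS 1.2, 1.1 and 1.0 steps below it still run, so the mask and the negotiated version can disagree. Either change the guard to `#ifdef WOLFSSL_OP_NO_TLSv1_3` or, if that macro is always defined, drop the guard so the step matches its siblings. wolfSSL_set_options begins in the previous hunk and ends outside this one.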
@ -22657,8 +22652,6 @@ long wolfSSL_get_options(const WOLFSSL* ssl)
return ssl->options.mask;
}
#endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */
#if defined(HAVE_SECURE_RENEGOTIATION) \
|| defined(HAVE_SERVER_RENEGOTIATION_INFO)
/* clears the counter for number of renegotiations done


@ -35483,90 +35483,112 @@ static void test_generate_cookie(void)
static void test_wolfSSL_set_options(void)
{
#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \
!defined(NO_FILESYSTEM) && !defined(NO_RSA)
SSL* ssl;
SSL_CTX* ctx;
#if !defined(NO_CERTS) && !defined(NO_FILESYSTEM) && !defined(NO_RSA)
WOLFSSL* ssl;
WOLFSSL_CTX* ctx;
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
char appData[] = "extra msg";
#endif
#ifdef OPENSSL_EXTRA
unsigned char protos[] = {
7, 't', 'l', 's', '/', '1', '.', '2',
8, 'h', 't', 't', 'p', '/', '1', '.', '1'
};
unsigned int len = sizeof(protos);
void *arg = (void *)TEST_ARG;
#endif
printf(testingFmt, "wolfSSL_set_options()");
#ifndef NO_WOLFSSL_SERVER
AssertNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method()));
AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()));
#else
AssertNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method()));
AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
#endif
AssertTrue(SSL_CTX_use_certificate_file(ctx, svrCertFile, SSL_FILETYPE_PEM));
AssertTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, SSL_FILETYPE_PEM));
AssertTrue(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile,
WOLFSSL_FILETYPE_PEM));
AssertTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile,
WOLFSSL_FILETYPE_PEM));
AssertTrue(SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1) == SSL_OP_NO_TLSv1);
AssertTrue(SSL_CTX_get_options(ctx) == SSL_OP_NO_TLSv1);
AssertTrue(wolfSSL_CTX_set_options(ctx, WOLFSSL_OP_NO_TLSv1)
== WOLFSSL_OP_NO_TLSv1);
AssertTrue(wolfSSL_CTX_get_options(ctx) == WOLFSSL_OP_NO_TLSv1);
AssertIntGT((int)SSL_CTX_set_options(ctx, (SSL_OP_COOKIE_EXCHANGE |
SSL_OP_NO_SSLv2)), 0);
AssertTrue((SSL_CTX_set_options(ctx, SSL_OP_COOKIE_EXCHANGE) &
SSL_OP_COOKIE_EXCHANGE) == SSL_OP_COOKIE_EXCHANGE);
AssertTrue((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_2) &
SSL_OP_NO_TLSv1_2) == SSL_OP_NO_TLSv1_2);
AssertTrue((SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION) &
SSL_OP_NO_COMPRESSION) == SSL_OP_NO_COMPRESSION);
AssertNull((SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION) &
SSL_OP_NO_COMPRESSION));
AssertIntGT((int)wolfSSL_CTX_set_options(ctx, (WOLFSSL_OP_COOKIE_EXCHANGE |
WOLFSSL_OP_NO_SSLv2)), 0);
AssertTrue((wolfSSL_CTX_set_options(ctx, WOLFSSL_OP_COOKIE_EXCHANGE) &
WOLFSSL_OP_COOKIE_EXCHANGE) == WOLFSSL_OP_COOKIE_EXCHANGE);
AssertTrue((wolfSSL_CTX_set_options(ctx, WOLFSSL_OP_NO_TLSv1_2) &
WOLFSSL_OP_NO_TLSv1_2) == WOLFSSL_OP_NO_TLSv1_2);
AssertTrue((wolfSSL_CTX_set_options(ctx, WOLFSSL_OP_NO_COMPRESSION) &
WOLFSSL_OP_NO_COMPRESSION) == WOLFSSL_OP_NO_COMPRESSION);
#ifdef OPENSSL_EXTRA
AssertFalse((wolfSSL_CTX_clear_options(ctx, WOLFSSL_OP_NO_COMPRESSION) &
WOLFSSL_OP_NO_COMPRESSION));
#endif
SSL_CTX_free(ctx);
wolfSSL_CTX_free(ctx);
#ifndef NO_WOLFSSL_SERVER
ctx = SSL_CTX_new(wolfSSLv23_server_method());
ctx = wolfSSL_CTX_new(wolfSSLv23_server_method());
AssertNotNull(ctx);
#else
ctx = SSL_CTX_new(wolfSSLv23_client_method());
ctx = wolfSSL_CTX_new(wolfSSLv23_client_method());
AssertNotNull(ctx);
#endif
AssertTrue(SSL_CTX_use_certificate_file(ctx, svrCertFile, SSL_FILETYPE_PEM));
AssertTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, SSL_FILETYPE_PEM));
AssertTrue(SSL_CTX_set_msg_callback(ctx, msg_cb) == SSL_SUCCESS);
AssertTrue(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile,
WOLFSSL_FILETYPE_PEM));
AssertTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile,
WOLFSSL_FILETYPE_PEM));
#ifdef OPENSSL_EXTRA
AssertTrue(wolfSSL_CTX_set_msg_callback(ctx, msg_cb) == WOLFSSL_SUCCESS);
#endif
AssertNotNull(ssl = SSL_new(ctx));
AssertNotNull(ssl = wolfSSL_new(ctx));
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
#ifdef HAVE_EX_DATA
AssertIntEQ(SSL_set_app_data(ssl, (void*)appData), SSL_SUCCESS);
AssertNotNull(SSL_get_app_data((const WOLFSSL*)ssl));
AssertIntEQ(wolfSSL_set_app_data(ssl, (void*)appData), WOLFSSL_SUCCESS);
AssertNotNull(wolfSSL_get_app_data((const WOLFSSL*)ssl));
if (ssl) {
AssertIntEQ(XMEMCMP(SSL_get_app_data((const WOLFSSL*)ssl),
AssertIntEQ(XMEMCMP(wolfSSL_get_app_data((const WOLFSSL*)ssl),
appData, sizeof(appData)), 0);
}
#else
AssertIntEQ(SSL_set_app_data(ssl, (void*)appData), SSL_FAILURE);
AssertNull(SSL_get_app_data((const WOLFSSL*)ssl));
AssertIntEQ(wolfSSL_set_app_data(ssl, (void*)appData), WOLFSSL_FAILURE);
AssertNull(wolfSSL_get_app_data((const WOLFSSL*)ssl));
#endif
#endif
AssertTrue(SSL_set_options(ssl, SSL_OP_NO_TLSv1) == SSL_OP_NO_TLSv1);
AssertTrue(SSL_get_options(ssl) == SSL_OP_NO_TLSv1);
AssertTrue(wolfSSL_set_options(ssl, WOLFSSL_OP_NO_TLSv1) ==
WOLFSSL_OP_NO_TLSv1);
AssertIntGT((int)SSL_set_options(ssl, (SSL_OP_COOKIE_EXCHANGE |
WOLFSSL_OP_NO_SSLv2)), 0);
AssertTrue((SSL_set_options(ssl, SSL_OP_COOKIE_EXCHANGE) &
SSL_OP_COOKIE_EXCHANGE) == SSL_OP_COOKIE_EXCHANGE);
AssertTrue((SSL_set_options(ssl, SSL_OP_NO_TLSv1_2) &
SSL_OP_NO_TLSv1_2) == SSL_OP_NO_TLSv1_2);
AssertTrue((SSL_set_options(ssl, SSL_OP_NO_COMPRESSION) &
SSL_OP_NO_COMPRESSION) == SSL_OP_NO_COMPRESSION);
AssertNull((SSL_clear_options(ssl, SSL_OP_NO_COMPRESSION) &
SSL_OP_NO_COMPRESSION));
AssertTrue(wolfSSL_get_options(ssl) == WOLFSSL_OP_NO_TLSv1);
AssertTrue(SSL_set_msg_callback(ssl, msg_cb) == SSL_SUCCESS);
SSL_set_msg_callback_arg(ssl, arg);
AssertIntGT((int)wolfSSL_set_options(ssl, (WOLFSSL_OP_COOKIE_EXCHANGE |
WOLFSSL_OP_NO_SSLv2)), 0);
AssertTrue((wolfSSL_set_options(ssl, WOLFSSL_OP_COOKIE_EXCHANGE) &
WOLFSSL_OP_COOKIE_EXCHANGE) == WOLFSSL_OP_COOKIE_EXCHANGE);
AssertTrue((wolfSSL_set_options(ssl, WOLFSSL_OP_NO_TLSv1_2) &
WOLFSSL_OP_NO_TLSv1_2) == WOLFSSL_OP_NO_TLSv1_2);
AssertTrue((wolfSSL_set_options(ssl, WOLFSSL_OP_NO_COMPRESSION) &
WOLFSSL_OP_NO_COMPRESSION) == WOLFSSL_OP_NO_COMPRESSION);
#ifdef OPENSSL_EXTRA
AssertNull((wolfSSL_clear_options(ssl, WOLFSSL_OP_NO_COMPRESSION) &
WOLFSSL_OP_NO_COMPRESSION));
#endif
#ifdef OPENSSL_EXTRA
AssertTrue(wolfSSL_set_msg_callback(ssl, msg_cb) == WOLFSSL_SUCCESS);
wolfSSL_set_msg_callback_arg(ssl, arg);
#ifdef WOLFSSL_ERROR_CODE_OPENSSL
AssertTrue(SSL_CTX_set_alpn_protos(ctx, protos, len) == 0);
AssertTrue(wolfSSL_CTX_set_alpn_protos(ctx, protos, len) == 0);
#else
AssertTrue(SSL_CTX_set_alpn_protos(ctx, protos, len) == SSL_SUCCESS);
AssertTrue(wolfSSL_CTX_set_alpn_protos(ctx, protos, len) == WOLFSSL_SUCCESS);
#endif
#endif
#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || \
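Review bot: The ssl-level clear check `AssertNull((wolfSSL_clear_options(ssl, WOLFSSL_OP_NO_COMPRESSION) & WOLFSSL_OP_NO_COMPRESSION));` keeps a null-pointer assertion on an integer expression, whereas the ctx-level counterpart earlier in this hunk was changed to AssertFalse; the two should match, `AssertFalse((wolfSSL_clear_options(ssl, WOLFSSL_OP_NO_COMPRESSION) & WOLFSSL_OP_NO_COMPRESSION));`. The `AssertIntGT((int)wolfSSL_CTX_set_options(ctx, (WOLFSSL_OP_COOKIE_EXCHANGE | WOLFSSL_OP_NO_SSLv2)), 0)` form and its ssl twin truncate a long mask to int before comparing with 0, so should any option bit ever land in the sign position the assertion would fail for the wrong reason; `AssertTrue(wolfSSL_CTX_set_options(ctx, ...) != 0)` checks the same thing without the cast. test_wolfSSL_set_options continues into the next hunk.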
@ -35576,20 +35598,19 @@ static void test_wolfSSL_set_options(void)
#if defined(HAVE_ALPN) && !defined(NO_BIO)
#ifdef WOLFSSL_ERROR_CODE_OPENSSL
AssertTrue(SSL_set_alpn_protos(ssl, protos, len) == 0);
AssertTrue(wolfSSL_set_alpn_protos(ssl, protos, len) == 0);
#else
AssertTrue(SSL_set_alpn_protos(ssl, protos, len) == SSL_SUCCESS);
AssertTrue(wolfSSL_set_alpn_protos(ssl, protos, len) == WOLFSSL_SUCCESS);
#endif
#endif /* HAVE_ALPN && !NO_BIO */
#endif
SSL_free(ssl);
SSL_CTX_free(ctx);
wolfSSL_free(ssl);
wolfSSL_CTX_free(ctx);
printf(resultFmt, passed);
#endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \
!defined(NO_FILESYSTEM) && !defined(NO_RSA) */
#endif /* !defined(NO_CERTS) && !defined(NO_FILESYSTEM) && !defined(NO_RSA) */
}
static void test_wolfSSL_sk_SSL_CIPHER(void)


@ -3740,8 +3740,8 @@ typedef struct Options {
#endif
void* psk_ctx;
#endif /* NO_PSK */
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || defined(WOLFSSL_WPAS_SMALL)
unsigned long mask; /* store SSL_OP_ flags */
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || defined(WOLFSSL_WPAS_SMALL)
word16 minProto:1; /* sets min to min available */
word16 maxProto:1; /* sets max to max available */
#endif
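Review bot: The comment on `unsigned long mask; /* store SSL_OP_ flags */` is now stale: after this commit the field is written and tested with the WOLFSSL_OP_ constants and no longer depends on the compat layer, so `unsigned long mask; /* store WOLFSSL_OP_ flags, see wolfSSL_set_options */` describes it. It would also help the next reader to note in the same comment that the handshake version-downgrade checks in internal.c read this field, since the guard that used to tie it to OPENSSL_EXTRA/HAVE_WEBSERVER/WOLFSSL_WPAS_SMALL is gone. The Options struct begins before this hunk.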