From 322f79f5219a0d6a73da49af1f687a9431c5eac4 Mon Sep 17 00:00:00 2001
From: toddouska <todd@wolfssl.com>
Date: Mon, 3 Nov 2014 15:12:48 -0800
Subject: [PATCH] allow user to set minimum downgrade version with v23
 methods()

---
 cyassl/internal.h                |  1 +
 cyassl/ssl.h                     |  1 +
 examples/echoclient/echoclient.c |  1 -
 src/internal.c                   | 15 +++++++++++-
 src/ssl.c                        | 42 ++++++++++++++++++++++++++++++++
 5 files changed, 58 insertions(+), 2 deletions(-)

diff --git a/cyassl/internal.h b/cyassl/internal.h
index c1961fb6a..180933821 100644
--- a/cyassl/internal.h
+++ b/cyassl/internal.h
@@ -1762,6 +1762,7 @@ typedef struct Options {
     byte            verifyNone;
     byte            failNoCert;
     byte            downgrade;          /* allow downgrade of versions */
+    byte            minDowngrade;       /* minimum downgrade version */
     byte            sendVerify;         /* false = 0, true = 1, sendBlank = 2 */
     byte            resuming;
     byte            haveSessionId;      /* server may not send */
diff --git a/cyassl/ssl.h b/cyassl/ssl.h
index 60eb8d54e..6279aea58 100644
--- a/cyassl/ssl.h
+++ b/cyassl/ssl.h
@@ -1020,6 +1020,7 @@ enum {
     CYASSL_CHAIN_CA = 2           /* added to cache from trusted chain */
 };
 
+CYASSL_API int CyaSSL_SetMinVersion(CYASSL* ssl, int version);
 CYASSL_API int CyaSSL_GetObjectSize(void);  /* object size based on build */
 CYASSL_API int CyaSSL_SetVersion(CYASSL* ssl, int version);
 CYASSL_API int CyaSSL_KeyPemToDer(const unsigned char*, int sz, unsigned char*,
diff --git a/examples/echoclient/echoclient.c b/examples/echoclient/echoclient.c
index 0324c3a79..cfd681779 100644
--- a/examples/echoclient/echoclient.c
+++ b/examples/echoclient/echoclient.c
@@ -156,7 +156,6 @@ void echoclient_test(void* args)
     #endif
 
     ssl = SSL_new(ctx);
-        
 
     if (doDTLS) {
         SOCKADDR_IN_T addr;
diff --git a/src/internal.c b/src/internal.c
index 58b9a9bc1..d309445be 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -1610,7 +1610,8 @@ int InitSSL(CYASSL* ssl, CYASSL_CTX* ctx)
     ssl->verifyCallback    = ctx->verifyCallback;
     ssl->verifyCbCtx       = NULL;
     ssl->options.side      = ctx->method->side;
-    ssl->options.downgrade = ctx->method->downgrade;
+    ssl->options.downgrade    = ctx->method->downgrade;
+    ssl->options.minDowngrade = TLSv1_MINOR;     /* current default */
     ssl->error = 0;
     ssl->options.connReset = 0;
     ssl->options.isClosed  = 0;
@@ -9228,6 +9229,10 @@ static void PickHashSigAlgo(CYASSL* ssl,
                 CYASSL_MSG("    no downgrade allowed, fatal error");
                 return VERSION_ERROR;
             }
+            if (pv.minor < ssl->options.minDowngrade) {
+                CYASSL_MSG("    version below minimum allowed, fatal error");
+                return VERSION_ERROR;
+            }
 
             #ifdef HAVE_SECURE_RENEGOTIATION
                 if (ssl->secure_renegotiation &&
@@ -12321,6 +12326,10 @@ int DoSessionTicket(CYASSL* ssl,
                 CYASSL_MSG("Client trying to connect with lesser version");
                 return VERSION_ERROR;
             }
+            if (pv.minor < ssl->options.minDowngrade) {
+                CYASSL_MSG("    version below minimum allowed, fatal error");
+                return VERSION_ERROR;
+            }
             if (pv.minor == SSLv3_MINOR) {
                 /* turn off tls */
                 CYASSL_MSG("    downgrading to SSLv3");
@@ -12479,6 +12488,10 @@ int DoSessionTicket(CYASSL* ssl,
                 CYASSL_MSG("Client trying to connect with lesser version");
                 return VERSION_ERROR;
             }
+            if (pv.minor < ssl->options.minDowngrade) {
+                CYASSL_MSG("    version below minimum allowed, fatal error");
+                return VERSION_ERROR;
+            }
 
             if (pv.minor == SSLv3_MINOR) {
                 /* turn off tls */
diff --git a/src/ssl.c b/src/ssl.c
index 425ca74e7..9a1138fa0 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -1533,6 +1533,48 @@ int CyaSSL_set_group_messages(CYASSL* ssl)
 }
 
 
+/* Set minimum downgrade version allowed, SSL_SUCCESS on ok */
+int CyaSSL_SetMinVersion(CYASSL* ssl, int version)
+{
+    CYASSL_ENTER("CyaSSL_SetMinVersion");
+
+    if (ssl == NULL) {
+        CYASSL_MSG("Bad function argument");
+        return BAD_FUNC_ARG;
+    }
+
+    switch (version) {
+#ifndef NO_OLD_TLS
+        case CYASSL_SSLV3:
+            ssl->options.minDowngrade = SSLv3_MINOR;
+            break;
+#endif
+
+#ifndef NO_TLS
+    #ifndef NO_OLD_TLS
+        case CYASSL_TLSV1:
+            ssl->options.minDowngrade = TLSv1_MINOR;
+            break;
+
+        case CYASSL_TLSV1_1:
+            ssl->options.minDowngrade = TLSv1_1_MINOR;
+            break;
+    #endif
+        case CYASSL_TLSV1_2:
+            ssl->options.minDowngrade = TLSv1_2_MINOR;
+            break;
+#endif
+
+        default:
+            CYASSL_MSG("Bad function argument");
+            return BAD_FUNC_ARG;
+    }
+
+
+    return SSL_SUCCESS;
+}
+
+
 int CyaSSL_SetVersion(CYASSL* ssl, int version)
 {
     byte haveRSA = 1;