allow user to set minimum downgrade version with v23 methods()
@ -1762,6 +1762,7 @@ typedef struct Options {
|
|||||||
byte verifyNone;
|
byte verifyNone;
|
||||||
byte failNoCert;
|
byte failNoCert;
|
||||||
byte downgrade; /* allow downgrade of versions */
|
byte downgrade; /* allow downgrade of versions */
|
||||||
|
byte minDowngrade; /* minimum downgrade version */
|
||||||
byte sendVerify; /* false = 0, true = 1, sendBlank = 2 */
|
byte sendVerify; /* false = 0, true = 1, sendBlank = 2 */
|
||||||
byte resuming;
|
byte resuming;
|
||||||
byte haveSessionId; /* server may not send */
|
byte haveSessionId; /* server may not send */
|
||||||
|
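Review bot: The comment on the new `minDowngrade` field does not say what the byte holds or where its default comes from, and sitting directly under the boolean `downgrade` it reads like another flag. InitSSL initialises it to `TLSv1_MINOR` and the hello handlers compare it straight against `pv.minor`, so it is a protocol minor-version number acting as a floor; suggest `byte minDowngrade; /* lowest protocol minor accepted on downgrade; default TLSv1_MINOR (InitSSL), set by CyaSSL_SetMinVersion */`. The enclosing `Options` struct starts and ends outside the hunk.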
@ -1020,6 +1020,7 @@ enum {
|
|||||||
CYASSL_CHAIN_CA = 2 /* added to cache from trusted chain */
|
CYASSL_CHAIN_CA = 2 /* added to cache from trusted chain */
|
||||||
};
|
};
|
||||||
|
|
||||||
|
CYASSL_API int CyaSSL_SetMinVersion(CYASSL* ssl, int version);
|
||||||
CYASSL_API int CyaSSL_GetObjectSize(void); /* object size based on build */
|
CYASSL_API int CyaSSL_GetObjectSize(void); /* object size based on build */
|
||||||
CYASSL_API int CyaSSL_SetVersion(CYASSL* ssl, int version);
|
CYASSL_API int CyaSSL_SetVersion(CYASSL* ssl, int version);
|
||||||
CYASSL_API int CyaSSL_KeyPemToDer(const unsigned char*, int sz, unsigned char*,
|
CYASSL_API int CyaSSL_KeyPemToDer(const unsigned char*, int sz, unsigned char*,
|
||||||
|
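Review bot: `CyaSSL_SetMinVersion` enters the public header with no comment, unlike the neighbouring `CyaSSL_GetObjectSize`, and its name suggests it changes the object's protocol version when the implementation in ssl.c only stores a floor consulted during version downgrade. The declaration should carry the contract a caller needs: accepted values are `CYASSL_SSLV3`, `CYASSL_TLSV1`, `CYASSL_TLSV1_1` and `CYASSL_TLSV1_2` as compiled in (`NO_OLD_TLS`/`NO_TLS` remove cases), it applies per CYASSL object and must be called after creation and before the handshake, and it returns `SSL_SUCCESS` or `BAD_FUNC_ARG`. A compact form: `/* floor for version downgrade (v23 methods): CYASSL_SSLV3..CYASSL_TLSV1_2; per-object, call before handshake; SSL_SUCCESS or BAD_FUNC_ARG */`.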
@ -156,7 +156,6 @@ void echoclient_test(void* args)
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
ssl = SSL_new(ctx);
|
ssl = SSL_new(ctx);
|
||||||
|
|
||||||
|
|
||||||
if (doDTLS) {
|
if (doDTLS) {
|
||||||
SOCKADDR_IN_T addr;
|
SOCKADDR_IN_T addr;
|
||||||
|
@ -1610,7 +1610,8 @@ int InitSSL(CYASSL* ssl, CYASSL_CTX* ctx)
|
|||||||
ssl->verifyCallback = ctx->verifyCallback;
|
ssl->verifyCallback = ctx->verifyCallback;
|
||||||
ssl->verifyCbCtx = NULL;
|
ssl->verifyCbCtx = NULL;
|
||||||
ssl->options.side = ctx->method->side;
|
ssl->options.side = ctx->method->side;
|
||||||
ssl->options.downgrade = ctx->method->downgrade;
|
ssl->options.downgrade = ctx->method->downgrade;
|
||||||
|
ssl->options.minDowngrade = TLSv1_MINOR; /* current default */
|
||||||
ssl->error = 0;
|
ssl->error = 0;
|
||||||
ssl->options.connReset = 0;
|
ssl->options.connReset = 0;
|
||||||
ssl->options.isClosed = 0;
|
ssl->options.isClosed = 0;
|
||||||
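Review bot: Defaulting `minDowngrade` to `TLSv1_MINOR` here silently changes behaviour for every existing user of a downgrade-capable (v23) method: a peer that only speaks SSLv3 is now refused with VERSION_ERROR unless the application explicitly calls `CyaSSL_SetMinVersion(ssl, CYASSL_SSLV3)`, because SSLv3's minor (0) sorts below TLS 1.0's (1). That is the sensible default from a security standpoint, but the commit message only speaks of letting the user set a minimum, so the message and the comment should say it outright, e.g. `/* default floor: SSLv3 is refused on downgrade unless the app lowers it */` in place of `/* current default */`. The value is also only initialised per CYASSL object from a constant, not copied from the CTX, so applications have to repeat the setter call on every connection. `InitSSL` continues outside the hunk.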
@ -9228,6 +9229,10 @@ static void PickHashSigAlgo(CYASSL* ssl,
|
|||||||
CYASSL_MSG(" no downgrade allowed, fatal error");
|
CYASSL_MSG(" no downgrade allowed, fatal error");
|
||||||
return VERSION_ERROR;
|
return VERSION_ERROR;
|
||||||
}
|
}
|
||||||
|
if (pv.minor < ssl->options.minDowngrade) {
|
||||||
|
CYASSL_MSG(" version below minimum allowed, fatal error");
|
||||||
|
return VERSION_ERROR;
|
||||||
|
}
|
||||||
|
|
||||||
#ifdef HAVE_SECURE_RENEGOTIATION
|
#ifdef HAVE_SECURE_RENEGOTIATION
|
||||||
if (ssl->secure_renegotiation &&
|
if (ssl->secure_renegotiation &&
|
||||||
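Review bot: The new floor check treats `pv.minor` as an ordinal, which is right for TLS (SSLv3 = 0, TLS 1.0 = 1, ...), but if DTLS ServerHellos are handled by this same function (the hunk does not show it, though the echoclient hunk shows DTLS is a supported mode) the comparison is meaningless there: DTLS minor numbers count downwards (DTLS 1.0 is 0xff, DTLS 1.2 is 0xfd), so `pv.minor < ssl->options.minDowngrade` is always false and the setting never constrains a DTLS downgrade. If DTLS does reach this path, either skip the check for DTLS sessions and document the floor as TLS-only, or map the DTLS minor to its TLS equivalent before comparing. The enclosing function starts and ends outside the hunk.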
@ -12321,6 +12326,10 @@ int DoSessionTicket(CYASSL* ssl,
|
|||||||
CYASSL_MSG("Client trying to connect with lesser version");
|
CYASSL_MSG("Client trying to connect with lesser version");
|
||||||
return VERSION_ERROR;
|
return VERSION_ERROR;
|
||||||
}
|
}
|
||||||
|
if (pv.minor < ssl->options.minDowngrade) {
|
||||||
|
CYASSL_MSG(" version below minimum allowed, fatal error");
|
||||||
|
return VERSION_ERROR;
|
||||||
|
}
|
||||||
if (pv.minor == SSLv3_MINOR) {
|
if (pv.minor == SSLv3_MINOR) {
|
||||||
/* turn off tls */
|
/* turn off tls */
|
||||||
CYASSL_MSG(" downgrading to SSLv3");
|
CYASSL_MSG(" downgrading to SSLv3");
|
||||||
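Review bot: This is the second verbatim copy of the four-line floor check (the client-side hello handler has the first and the next hunk adds a third), so the policy now lives in three places that can drift independently, and a future fix such as DTLS handling would have to be applied three times. A small static helper keeps one definition of the rule and one log message; each site then becomes `if (CheckMinDowngrade(ssl, pv.minor) != 0) return VERSION_ERROR;`. The enclosing function (the hunk header names `DoSessionTicket`, but the context lines look like a client-hello handler) starts and ends outside the hunk.
```c
/* Reject a peer version below the floor set by CyaSSL_SetMinVersion;
 * 0 when acceptable, VERSION_ERROR otherwise. */
static int CheckMinDowngrade(CYASSL* ssl, byte minor)
{
    if (minor < ssl->options.minDowngrade) {
        CYASSL_MSG("    version below minimum allowed, fatal error");
        return VERSION_ERROR;
    }
    return 0;
}

/* … unchanged: "Client trying to connect with lesser version" rejection … */
        if (CheckMinDowngrade(ssl, pv.minor) != 0)
            return VERSION_ERROR;
/* … unchanged: SSLv3 downgrade handling … */
```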
@ -12479,6 +12488,10 @@ int DoSessionTicket(CYASSL* ssl,
|
|||||||
CYASSL_MSG("Client trying to connect with lesser version");
|
CYASSL_MSG("Client trying to connect with lesser version");
|
||||||
return VERSION_ERROR;
|
return VERSION_ERROR;
|
||||||
}
|
}
|
||||||
|
if (pv.minor < ssl->options.minDowngrade) {
|
||||||
|
CYASSL_MSG(" version below minimum allowed, fatal error");
|
||||||
|
return VERSION_ERROR;
|
||||||
|
}
|
||||||
|
|
||||||
if (pv.minor == SSLv3_MINOR) {
|
if (pv.minor == SSLv3_MINOR) {
|
||||||
/* turn off tls */
|
/* turn off tls */
|
||||||
|
42
src/ssl.c
42
src/ssl.c
@ -1533,6 +1533,48 @@ int CyaSSL_set_group_messages(CYASSL* ssl)
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
/* Set minimum downgrade version allowed, SSL_SUCCESS on ok */
|
||||||
|
int CyaSSL_SetMinVersion(CYASSL* ssl, int version)
|
||||||
|
{
|
||||||
|
CYASSL_ENTER("CyaSSL_SetMinVersion");
|
||||||
|
|
||||||
|
if (ssl == NULL) {
|
||||||
|
CYASSL_MSG("Bad function argument");
|
||||||
|
return BAD_FUNC_ARG;
|
||||||
|
}
|
||||||
|
|
||||||
|
switch (version) {
|
||||||
|
#ifndef NO_OLD_TLS
|
||||||
|
case CYASSL_SSLV3:
|
||||||
|
ssl->options.minDowngrade = SSLv3_MINOR;
|
||||||
|
break;
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#ifndef NO_TLS
|
||||||
|
#ifndef NO_OLD_TLS
|
||||||
|
case CYASSL_TLSV1:
|
||||||
|
ssl->options.minDowngrade = TLSv1_MINOR;
|
||||||
|
break;
|
||||||
|
|
||||||
|
case CYASSL_TLSV1_1:
|
||||||
|
ssl->options.minDowngrade = TLSv1_1_MINOR;
|
||||||
|
break;
|
||||||
|
#endif
|
||||||
|
case CYASSL_TLSV1_2:
|
||||||
|
ssl->options.minDowngrade = TLSv1_2_MINOR;
|
||||||
|
break;
|
||||||
|
#endif
|
||||||
|
|
||||||
|
default:
|
||||||
|
CYASSL_MSG("Bad function argument");
|
||||||
|
return BAD_FUNC_ARG;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
return SSL_SUCCESS;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
int CyaSSL_SetVersion(CYASSL* ssl, int version)
|
int CyaSSL_SetVersion(CYASSL* ssl, int version)
|
||||||
{
|
{
|
||||||
byte haveRSA = 1;
|
byte haveRSA = 1;
|
||||||
|
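Review bot: `CyaSSL_SetMinVersion` accepts any compiled-in version without relating it to the version the CYASSL object itself negotiates from, so a floor above the method's own version (say `CYASSL_TLSV1_2` on a TLSv1_1 method) is stored silently and merely makes every downgrade fail; if the object's base version is reachable here (the hello handlers evidently compare `pv.minor` against it), rejecting a floor above it with `BAD_FUNC_ARG` would surface that misconfiguration at the call instead of as a handshake failure. The header comment `/* Set minimum downgrade version allowed, SSL_SUCCESS on ok */` also leaves out what the body actually promises: the floor is only consulted when a peer offers a version lower than the object's own, a NULL `ssl` or a version that is unknown or compiled out returns `BAD_FUNC_ARG`, and the setting is per object, because InitSSL resets it to `TLSv1_MINOR` and there is no CTX-level setter, so it must be called after `CyaSSL_new()` and before the handshake. I would expand the comment to state those four points and add a short sentence to the commit message that a CTX-level variant is intentionally left out, if that is the case.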