From 4c2bf4ea34a6c57a89ad51f4bc93e500563e67f9 Mon Sep 17 00:00:00 2001
From: toddouska
Date: Fri, 13 Mar 2015 12:20:39 -0700
Subject: [PATCH] add SetMinVersion at context level

---
 src/internal.c | 3 +-
 src/ssl.c | 78 +++++++++++++++++++++++++++++-----------------
 wolfssl/internal.h | 1 +
 wolfssl/ssl.h | 1 +
 4 files changed, 53 insertions(+), 30 deletions(-)

diff --git a/src/internal.c b/src/internal.c
index 6cdafd952..7546e6d07 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -359,6 +359,7 @@ int InitSSL_Ctx(WOLFSSL_CTX* ctx, WOLFSSL_METHOD* method)
 ctx->refCount = 1; /* so either CTX_free or SSL_free can release */
 ctx->heap = ctx; /* defaults to self */
 ctx->timeout = WOLFSSL_SESSION_TIMEOUT;
+ ctx->minDowngrade = TLSv1_MINOR; /* current default */
 
 if (InitMutex(&ctx->countMutex) < 0) {
 WOLFSSL_MSG("Mutex error on CTX init");
@@ -1488,7 +1489,7 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
 ssl->verifyCallback = ctx->verifyCallback;
 ssl->options.side = ctx->method->side;
 ssl->options.downgrade = ctx->method->downgrade;
- ssl->options.minDowngrade = TLSv1_MINOR; /* current default */
+ ssl->options.minDowngrade = ctx->minDowngrade;
 
 if (ssl->options.side == WOLFSSL_SERVER_END)
 ssl->options.haveDH = ctx->haveDH;
diff --git a/src/ssl.c b/src/ssl.c
index 231062296..62c166290 100644
--- a/src/ssl.c
+++ b/src/ssl.c
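Review bot: The seeded default `ctx->minDowngrade = TLSv1_MINOR; /* current default */` is unconditional, but the SetMinVersionHelper added in ssl.c only accepts a TLSv1 minimum when NO_OLD_TLS is undefined, so a NO_OLD_TLS build starts from a floor the public setter cannot itself express. This mirrors the removed InitSSL default, so it is inherited rather than introduced, but now that the value is configurable it is worth either wrapping the assignment in the same `#ifndef NO_OLD_TLS` split (falling back to TLSv1_2_MINOR) or saying in the comment that the default is clamped elsewhere — I cannot see from this hunk how minDowngrade is compared during the handshake. InitSSL_Ctx and InitSSL both continue outside their hunks.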
@@ -1568,6 +1568,54 @@ int wolfSSL_set_group_messages(WOLFSSL* ssl)
 }
 
 
+/* make minVersion the internal equivilant SSL version */
+static int SetMinVersionHelper(byte* minVersion, int version)
+{
+ switch (version) {
+#ifndef NO_OLD_TLS
+ case WOLFSSL_SSLV3:
+ *minVersion = SSLv3_MINOR;
+ break;
+#endif
+
+#ifndef NO_TLS
+ #ifndef NO_OLD_TLS
+ case WOLFSSL_TLSV1:
+ *minVersion = TLSv1_MINOR;
+ break;
+
+ case WOLFSSL_TLSV1_1:
+ *minVersion = TLSv1_1_MINOR;
+ break;
+ #endif
+ case WOLFSSL_TLSV1_2:
+ *minVersion = TLSv1_2_MINOR;
+ break;
+#endif
+
+ default:
+ WOLFSSL_MSG("Bad function argument");
+ return BAD_FUNC_ARG;
+ }
+
+ return SSL_SUCCESS;
+}
+
+
+/* Set minimum downgrade version allowed, SSL_SUCCESS on ok */
+int wolfSSL_CTX_SetMinVersion(WOLFSSL_CTX* ctx, int version)
+{
+ WOLFSSL_ENTER("wolfSSL_CTX_SetMinVersion");
+
+ if (ctx == NULL) {
+ WOLFSSL_MSG("Bad function argument");
+ return BAD_FUNC_ARG;
+ }
+
+ return SetMinVersionHelper(&ctx->minDowngrade, version);
+}
+
+
 /* Set minimum downgrade version allowed, SSL_SUCCESS on ok */
 int wolfSSL_SetMinVersion(WOLFSSL* ssl, int version)
 {
@@ -1578,35 +1626,7 @@ int wolfSSL_SetMinVersion(WOLFSSL* ssl, int version)
 return BAD_FUNC_ARG;
 }
 
- switch (version) {
-#ifndef NO_OLD_TLS
- case WOLFSSL_SSLV3:
- ssl->options.minDowngrade = SSLv3_MINOR;
- break;
-#endif
-
-#ifndef NO_TLS
- #ifndef NO_OLD_TLS
- case WOLFSSL_TLSV1:
- ssl->options.minDowngrade = TLSv1_MINOR;
- break;
-
- case WOLFSSL_TLSV1_1:
- ssl->options.minDowngrade = TLSv1_1_MINOR;
- break;
- #endif
- case WOLFSSL_TLSV1_2:
- ssl->options.minDowngrade = TLSv1_2_MINOR;
- break;
-#endif
-
- default:
- WOLFSSL_MSG("Bad function argument");
- return BAD_FUNC_ARG;
- }
-
-
- return SSL_SUCCESS;
+ return SetMinVersionHelper(&ssl->options.minDowngrade, version);
 }
 
 
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index 025cff2a7..e1e180eba 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
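Review bot: The new comment on wolfSSL_CTX_SetMinVersion does not say when the floor takes effect, and the helper's comment misspells "equivalent" (`/* make minVersion the internal equivilant SSL version */`). Because InitSSL copies ctx->minDowngrade into ssl->options.minDowngrade when a WOLFSSL object is created (second internal.c hunk), a later context-level call leaves already-created objects on their previous minimum, so a caller relying on this as a protocol floor needs to be told to set it before creating sessions. Suggest `/* Set minimum downgrade version allowed for WOLFSSL objects created from ctx afterwards, SSL_SUCCESS on ok */` for the CTX function and `/* map a WOLFSSL_* version constant to the internal minor version stored in *minVersion */` for the helper. The helper also does not check that the requested minimum is compatible with the method's own protocol version, so a floor above the method's version would presumably make every handshake fail rather than be rejected here — I cannot confirm from the hunk how minDowngrade is consumed, so this is a point to verify rather than a certain defect. The second hunk's wolfSSL_SetMinVersion body begins outside the hunk.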
@@ -1441,6 +1441,7 @@ struct WOLFSSL_CTX {
 byte partialWrite; /* only one msg per write call */
 byte quietShutdown; /* don't send close notify */
 byte groupMessages; /* group handshake messages before sending */
+ byte minDowngrade; /* minimum downgrade version */
 CallbackIORecv CBIORecv;
 CallbackIOSend CBIOSend;
 #ifdef WOLFSSL_DTLS
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
index 78a71d64a..02d528ed4 100644
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
@@ -1038,6 +1038,7 @@ enum {
 WOLFSSL_CHAIN_CA = 2 /* added to cache from trusted chain */
 };
 
+WOLFSSL_API int wolfSSL_CTX_SetMinVersion(WOLFSSL_CTX* ctx, int version);
 WOLFSSL_API int wolfSSL_SetMinVersion(WOLFSSL* ssl, int version);
 WOLFSSL_API int wolfSSL_GetObjectSize(void); /* object size based on build */
 WOLFSSL_API int wolfSSL_SetVersion(WOLFSSL* ssl, int version);
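Review bot: The field comment `/* minimum downgrade version */` does not say what is stored or how it is used; the internal.c hunks show it holds an internal minor-version constant (seeded with TLSv1_MINOR in InitSSL_Ctx) and is copied into ssl->options.minDowngrade by InitSSL, so it acts as a template for new WOLFSSL objects rather than a live setting for existing ones. Suggest `/* minimum downgrade version (*_MINOR), copied to new WOLFSSL */`. struct WOLFSSL_CTX begins and ends outside the hunk.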