feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

reset cipher suites after call to wolfSSL_set_options

Browse Source
This commit is contained in:
Jacob Barthelmeh
2017-07-31 16:21:39 -06:00
parent 0a3d6534c7
commit 92c9ff5f48
1 changed files with 25 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
src/internal.c
View File

@@ -22890,15 +22890,18 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
* set from either wolfSSL_set_options or wolfSSL_CTX_set_options */
if (!ssl->options.dtls && ssl->options.downgrade &&
ssl->options.mask > 0) {
byte reset = 0; /* check if suites need reset after version change*/
if (ssl->version.minor == TLSv1_2_MINOR &&
(ssl->options.mask & SSL_OP_NO_TLSv1_2) == SSL_OP_NO_TLSv1_2) {
WOLFSSL_MSG("\tOption set to not allow TLSv1.2, Downgrading");
reset = 1;
ssl->version.minor = TLSv1_1_MINOR;
}
if (ssl->version.minor == TLSv1_1_MINOR &&
(ssl->options.mask & SSL_OP_NO_TLSv1_1) == SSL_OP_NO_TLSv1_1) {
WOLFSSL_MSG("\tOption set to not allow TLSv1.1, Downgrading");
ssl->options.tls1_1 = 0;
reset = 1;
ssl->version.minor = TLSv1_MINOR;
}
if (ssl->version.minor == TLSv1_MINOR &&
@@ -22906,6 +22909,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
WOLFSSL_MSG("\tOption set to not allow TLSv1, Downgrading");
ssl->options.tls = 0;
ssl->options.tls1_1 = 0;
reset = 1;
ssl->version.minor = SSLv3_MINOR;
}
if (ssl->version.minor == SSLv3_MINOR &&
@@ -22918,6 +22922,27 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
WOLFSSL_MSG("\tversion below minimum allowed, fatal error");
return VERSION_ERROR;
}
if (reset == 1) {
word16 haveRSA = 0;
word16 havePSK = 0;
int keySz = 0;
#ifndef NO_RSA
haveRSA = 1;
#endif
#ifndef NO_PSK
havePSK = ssl->options.havePSK;
#endif
#ifndef NO_CERTS
keySz = ssl->buffers.keySz;
#endif
WOLFSSL_MSG("Reseting allowed cipher suites after downgrade");
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK,
ssl->options.haveDH, ssl->options.haveNTRU,
ssl->options.haveECDSAsig, ssl->options.haveECC,
ssl->options.haveStaticECC, ssl->options.side);
}
}
#endif