Fix max SSL version handling for client

Enable CRL when adding one to store
Juliusz Sosinowicz
2020-10-07 19:16:17 +02:00
parent 2197748a51
commit 031ca80fe7
3 changed files with 92 additions and 5 deletions


@ -703,6 +703,11 @@ int wolfSSL_X509_STORE_add_crl(WOLFSSL_X509_STORE *store, WOLFSSL_X509_CRL *newc
return WOLFSSL_FAILURE; return WOLFSSL_FAILURE;
} }
store->crl = store->cm->crl = crl; store->crl = store->cm->crl = crl;
if (wolfSSL_CertManagerEnableCRL(store->cm, WOLFSSL_CRL_CHECKALL)
!= WOLFSSL_SUCCESS) {
WOLFSSL_MSG("wolfSSL_CertManagerEnableCRL error");
return WOLFSSL_FAILURE;
}
return WOLFSSL_SUCCESS; return WOLFSSL_SUCCESS;
} }
@ -730,6 +735,12 @@ int wolfSSL_X509_STORE_add_crl(WOLFSSL_X509_STORE *store, WOLFSSL_X509_CRL *newc
wc_UnLockMutex(&crl->crlLock); wc_UnLockMutex(&crl->crlLock);
} }
if (wolfSSL_CertManagerEnableCRL(store->cm, WOLFSSL_CRL_CHECKALL)
!= WOLFSSL_SUCCESS) {
WOLFSSL_MSG("wolfSSL_CertManagerEnableCRL error");
return WOLFSSL_FAILURE;
}
WOLFSSL_LEAVE("wolfSSL_X509_STORE_add_crl", WOLFSSL_SUCCESS); WOLFSSL_LEAVE("wolfSSL_X509_STORE_add_crl", WOLFSSL_SUCCESS);
return WOLFSSL_SUCCESS; return WOLFSSL_SUCCESS;
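Review bot: In the first hunk the new wolfSSL_CertManagerEnableCRL() check runs after `store->crl = store->cm->crl = crl;`, so on failure the function reports WOLFSSL_FAILURE while the store and its cert manager already hold the CRL; if the caller treats failure as "not taken" and releases its CRL (ownership is not visible here), those pointers dangle, and if it does not, the store appears to carry a CRL that is never checked. Calling the enable function before the assignment, or clearing both pointers when it fails, keeps the store's state consistent with the return value. The second hunk at line 27 has the same late-enable pattern, and its failure path also skips the WOLFSSL_LEAVE trace that the success path emits. wolfSSL_X509_STORE_add_crl starts outside both hunks.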


@ -5266,6 +5266,44 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
ssl->ctx = ctx; /* only for passing to calls, options could change */ ssl->ctx = ctx; /* only for passing to calls, options could change */
ssl->version = ctx->method->version; ssl->version = ctx->method->version;
#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)
ssl->options.mask = ctx->mask;
#endif
#ifdef OPENSSL_EXTRA
if (ssl->version.minor == TLSv1_3_MINOR &&
(ssl->options.mask & SSL_OP_NO_TLSv1_3) == SSL_OP_NO_TLSv1_3) {
WOLFSSL_MSG("\tOption set to not allow TLSv1.3, Downgrading");
ssl->version.minor = TLSv1_2_MINOR;
}
if (ssl->version.minor == TLSv1_2_MINOR &&
(ssl->options.mask & SSL_OP_NO_TLSv1_2) == SSL_OP_NO_TLSv1_2) {
WOLFSSL_MSG("\tOption set to not allow TLSv1.2, Downgrading");
ssl->version.minor = TLSv1_1_MINOR;
}
if (ssl->version.minor == TLSv1_1_MINOR &&
(ssl->options.mask & SSL_OP_NO_TLSv1_1) == SSL_OP_NO_TLSv1_1) {
WOLFSSL_MSG("\tOption set to not allow TLSv1.1, Downgrading");
ssl->options.tls1_1 = 0;
ssl->version.minor = TLSv1_MINOR;
}
if (ssl->version.minor == TLSv1_MINOR &&
(ssl->options.mask & SSL_OP_NO_TLSv1) == SSL_OP_NO_TLSv1) {
WOLFSSL_MSG("\tOption set to not allow TLSv1, Downgrading");
ssl->options.tls = 0;
ssl->options.tls1_1 = 0;
ssl->version.minor = SSLv3_MINOR;
}
if (ssl->version.minor == SSLv3_MINOR &&
(ssl->options.mask & SSL_OP_NO_SSLv3) == SSL_OP_NO_SSLv3) {
WOLFSSL_MSG("\tError, option set to not allow SSLv3");
return VERSION_ERROR;
}
if (ssl->version.minor < ssl->options.minDowngrade) {
WOLFSSL_MSG("\tversion below minimum allowed, fatal error");
return VERSION_ERROR;
}
#endif
#ifdef HAVE_ECC #ifdef HAVE_ECC
ssl->eccTempKeySz = ctx->eccTempKeySz; ssl->eccTempKeySz = ctx->eccTempKeySz;
@ -5274,10 +5312,6 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
#if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448) #if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448)
ssl->pkCurveOID = ctx->pkCurveOID; ssl->pkCurveOID = ctx->pkCurveOID;
#endif #endif
#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)
ssl->options.mask = ctx->mask;
#endif
#ifdef OPENSSL_EXTRA #ifdef OPENSSL_EXTRA
ssl->CBIS = ctx->CBIS; ssl->CBIS = ctx->CBIS;
#endif #endif
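Review bot: The floor check at line 72 compares `ssl->version.minor` with `ssl->options.minDowngrade`, but nothing in the hunk initializes minDowngrade from the ctx first; if that copy happens later in SetSSL_CTX (the function starts and ends outside the hunk), the comparison uses the field's prior value and the downgrade chain can settle below the configured minimum — worth verifying, and if so hoist the minimum-downgrade copy above the `#ifdef OPENSSL_EXTRA` block. The TLS 1.3→1.2 and 1.2→1.1 steps change only `version.minor`, whereas the 1.1→1.0 and 1.0→SSLv3 steps also clear `options.tls1_1` / `options.tls`; if a corresponding flag exists for the higher versions it is not cleared here — confirm. A short comment above line 43 such as `/* Honour SSL_OP_NO_* from ctx->mask: step the version down until an allowed one remains */` would make the cascade's intent clear.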


@ -16230,6 +16230,41 @@ int wolfSSL_CTX_set_min_proto_version(WOLFSSL_CTX* ctx, int version)
return BAD_FUNC_ARG; return BAD_FUNC_ARG;
} }
switch (version) {
#ifdef WOLFSSL_TLS13
case TLS1_3_VERSION:
wolfSSL_CTX_set_options(ctx, WOLFSSL_OP_NO_TLSv1_2);
FALL_THROUGH;
#else
WOLFSSL_MSG("wolfSSL TLS1.3 support not compiled in");
return WOLFSSL_FAILURE;
#endif
case TLS1_2_VERSION:
wolfSSL_CTX_set_options(ctx, WOLFSSL_OP_NO_TLSv1_1);
FALL_THROUGH;
case TLS1_1_VERSION:
wolfSSL_CTX_set_options(ctx, WOLFSSL_OP_NO_TLSv1);
FALL_THROUGH;
case TLS1_VERSION:
wolfSSL_CTX_set_options(ctx, WOLFSSL_OP_NO_SSLv3);
FALL_THROUGH;
case SSL3_VERSION:
FALL_THROUGH;
case SSL2_VERSION:
/* Nothing to do here */
break;
#ifdef WOLFSSL_DTLS
#ifndef NO_OLD_TLS
case DTLS1_VERSION:
#endif
case DTLS1_2_VERSION:
break;
#endif
default:
WOLFSSL_MSG("Unrecognized protocol version");
return WOLFSSL_FAILURE;
}
return WOLFSSL_SUCCESS; return WOLFSSL_SUCCESS;
} }
@ -16237,7 +16272,7 @@ int wolfSSL_CTX_set_max_proto_version(WOLFSSL_CTX* ctx, int ver)
{ {
WOLFSSL_ENTER("wolfSSL_CTX_set_max_proto_version"); WOLFSSL_ENTER("wolfSSL_CTX_set_max_proto_version");
if (!ctx) { if (!ctx || !ctx->method) {
WOLFSSL_MSG("Bad parameter"); WOLFSSL_MSG("Bad parameter");
return WOLFSSL_FAILURE; return WOLFSSL_FAILURE;
} }
@ -16263,6 +16298,13 @@ int wolfSSL_CTX_set_max_proto_version(WOLFSSL_CTX* ctx, int ver)
/* Nothing to do here */ /* Nothing to do here */
#endif #endif
break; break;
#ifdef WOLFSSL_DTLS
#ifndef NO_OLD_TLS
case DTLS1_VERSION:
#endif
case DTLS1_2_VERSION:
break;
#endif
default: default:
WOLFSSL_MSG("Unrecognized protocol version"); WOLFSSL_MSG("Unrecognized protocol version");
return WOLFSSL_FAILURE; return WOLFSSL_FAILURE;
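Review bot: In the first hunk the `#else` branch of `#ifdef WOLFSSL_TLS13` (lines 101–102) sits inside the switch with no case label, so when TLS 1.3 is not compiled in those two statements are unreachable and a TLS1_3_VERSION request falls to `default` rather than producing the intended "not compiled in" message. Moving `case TLS1_3_VERSION:` above the `#ifdef WOLFSSL_TLS13` line makes the branch reachable. Every case only adds WOLFSSL_OP_NO_* options and none clears any, so if wolfSSL_CTX_set_options ORs into the mask (as its name suggests), a later call with a lower minimum will not re-enable versions a previous call disabled; that deserves a sentence in the function's documentation. The DTLS cases added to wolfSSL_CTX_set_max_proto_version in the last hunk are no-ops, so a DTLS maximum restricts nothing; if intentional, a comment like `/* DTLS versions are accepted here but impose no restriction */` would say so, and that function continues outside the hunk.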