Check if downgrading is allowed in SetSSL_CTX

Pkcs7 cert limit based on build
2025-07-29 18:27:29 +02:00 · 2020-12-10 15:41:12 +01:00
parent 77c730361e
commit 2dd28ec5b3
3 changed files with 29 additions and 0 deletions
--- a/src/internal.c
+++ b/src/internal.c
@ -5273,22 +5273,42 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
 #ifdef OPENSSL_EXTRA
    if (ssl->version.minor == TLSv1_3_MINOR &&
     (ssl->options.mask & SSL_OP_NO_TLSv1_3) == SSL_OP_NO_TLSv1_3) {
+        if (!ctx->method->downgrade) {
+            WOLFSSL_MSG("\tInconsistent protocol options. TLS 1.3 set but not "
+                        "allowed and downgrading disabled.");
+            return VERSION_ERROR;
+        }
        WOLFSSL_MSG("\tOption set to not allow TLSv1.3, Downgrading");
        ssl->version.minor = TLSv1_2_MINOR;
    }
    if (ssl->version.minor == TLSv1_2_MINOR &&
     (ssl->options.mask & SSL_OP_NO_TLSv1_2) == SSL_OP_NO_TLSv1_2) {
+        if (!ctx->method->downgrade) {
+            WOLFSSL_MSG("\tInconsistent protocol options. TLS 1.2 set but not "
+                        "allowed and downgrading disabled.");
+            return VERSION_ERROR;
+        }
        WOLFSSL_MSG("\tOption set to not allow TLSv1.2, Downgrading");
        ssl->version.minor = TLSv1_1_MINOR;
    }
    if (ssl->version.minor == TLSv1_1_MINOR &&
     (ssl->options.mask & SSL_OP_NO_TLSv1_1) == SSL_OP_NO_TLSv1_1) {
+        if (!ctx->method->downgrade) {
+            WOLFSSL_MSG("\tInconsistent protocol options. TLS 1.1 set but not "
+                        "allowed and downgrading disabled.");
+            return VERSION_ERROR;
+        }
        WOLFSSL_MSG("\tOption set to not allow TLSv1.1, Downgrading");
        ssl->options.tls1_1 = 0;
        ssl->version.minor = TLSv1_MINOR;
    }
    if (ssl->version.minor == TLSv1_MINOR &&
        (ssl->options.mask & SSL_OP_NO_TLSv1) == SSL_OP_NO_TLSv1) {
+        if (!ctx->method->downgrade) {
+            WOLFSSL_MSG("\tInconsistent protocol options. TLS 1 set but not "
+                        "allowed and downgrading disabled.");
+            return VERSION_ERROR;
+        }
        WOLFSSL_MSG("\tOption set to not allow TLSv1, Downgrading");
        ssl->options.tls    = 0;
        ssl->options.tls1_1 = 0;
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@ -4306,6 +4306,11 @@ struct WOLFSSL {
    StaticKeyExchangeInfo_t staticKE;
 #endif
 #ifdef OPENSSL_ALL
+    /* Added in libest port: allow applications to get the 'tls-unique' Channel
+     * Binding Type (https://tools.ietf.org/html/rfc5929#section-3). This is
+     * used in the EST protocol to bind an enrollment to a TLS session through
+     * 'proof-of-possession' (https://tools.ietf.org/html/rfc7030#section-3.4
+     * and https://tools.ietf.org/html/rfc7030#section-3.5). */
    byte clientFinished[TLS_FINISHED_SZ];
    byte serverFinished[TLS_FINISHED_SZ];
 #endif
--- a/wolfssl/wolfcrypt/pkcs7.h
+++ b/wolfssl/wolfcrypt/pkcs7.h
@ -48,7 +48,11 @@

 /* Max number of certificates that PKCS7 structure can parse */
 #ifndef MAX_PKCS7_CERTS
+#ifdef OPENSSL_ALL
    #define MAX_PKCS7_CERTS 15
+#else
+    #define MAX_PKCS7_CERTS 4
+#endif
 #endif

 #ifndef MAX_ORI_TYPE_SZ