wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-30 10:47:28 +02:00
Code Issues Packages Projects Releases Wiki Activity

Check if downgrading is allowed in SetSSL_CTX

Browse Source 
Pkcs7 cert limit based on build
This commit is contained in:
Juliusz Sosinowicz
2020-12-10 15:41:12 +01:00
parent 77c730361e
commit 2dd28ec5b3
3 changed files with 29 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
src/internal.c
View File

@ -5273,22 +5273,42 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
#ifdef OPENSSL_EXTRA #ifdef OPENSSL_EXTRA
if (ssl->version.minor == TLSv1_3_MINOR && if (ssl->version.minor == TLSv1_3_MINOR &&
(ssl->options.mask & SSL_OP_NO_TLSv1_3) == SSL_OP_NO_TLSv1_3) { (ssl->options.mask & SSL_OP_NO_TLSv1_3) == SSL_OP_NO_TLSv1_3) {
if (!ctx->method->downgrade) {
WOLFSSL_MSG("\tInconsistent protocol options. TLS 1.3 set but not "
"allowed and downgrading disabled.");
return VERSION_ERROR;
}
WOLFSSL_MSG("\tOption set to not allow TLSv1.3, Downgrading"); WOLFSSL_MSG("\tOption set to not allow TLSv1.3, Downgrading");
ssl->version.minor = TLSv1_2_MINOR; ssl->version.minor = TLSv1_2_MINOR;
} }
if (ssl->version.minor == TLSv1_2_MINOR && if (ssl->version.minor == TLSv1_2_MINOR &&
(ssl->options.mask & SSL_OP_NO_TLSv1_2) == SSL_OP_NO_TLSv1_2) { (ssl->options.mask & SSL_OP_NO_TLSv1_2) == SSL_OP_NO_TLSv1_2) {
if (!ctx->method->downgrade) {
WOLFSSL_MSG("\tInconsistent protocol options. TLS 1.2 set but not "
"allowed and downgrading disabled.");
return VERSION_ERROR;
}
WOLFSSL_MSG("\tOption set to not allow TLSv1.2, Downgrading"); WOLFSSL_MSG("\tOption set to not allow TLSv1.2, Downgrading");
ssl->version.minor = TLSv1_1_MINOR; ssl->version.minor = TLSv1_1_MINOR;
} }
if (ssl->version.minor == TLSv1_1_MINOR && if (ssl->version.minor == TLSv1_1_MINOR &&
(ssl->options.mask & SSL_OP_NO_TLSv1_1) == SSL_OP_NO_TLSv1_1) { (ssl->options.mask & SSL_OP_NO_TLSv1_1) == SSL_OP_NO_TLSv1_1) {
if (!ctx->method->downgrade) {
WOLFSSL_MSG("\tInconsistent protocol options. TLS 1.1 set but not "
"allowed and downgrading disabled.");
return VERSION_ERROR;
}
WOLFSSL_MSG("\tOption set to not allow TLSv1.1, Downgrading"); WOLFSSL_MSG("\tOption set to not allow TLSv1.1, Downgrading");
ssl->options.tls1_1 = 0; ssl->options.tls1_1 = 0;
ssl->version.minor = TLSv1_MINOR; ssl->version.minor = TLSv1_MINOR;
} }
if (ssl->version.minor == TLSv1_MINOR && if (ssl->version.minor == TLSv1_MINOR &&
(ssl->options.mask & SSL_OP_NO_TLSv1) == SSL_OP_NO_TLSv1) { (ssl->options.mask & SSL_OP_NO_TLSv1) == SSL_OP_NO_TLSv1) {
if (!ctx->method->downgrade) {
WOLFSSL_MSG("\tInconsistent protocol options. TLS 1 set but not "
"allowed and downgrading disabled.");
return VERSION_ERROR;
}
WOLFSSL_MSG("\tOption set to not allow TLSv1, Downgrading"); WOLFSSL_MSG("\tOption set to not allow TLSv1, Downgrading");
ssl->options.tls = 0; ssl->options.tls = 0;
ssl->options.tls1_1 = 0; ssl->options.tls1_1 = 0;

5
wolfssl/internal.h
View File

@ -4306,6 +4306,11 @@ struct WOLFSSL {
StaticKeyExchangeInfo_t staticKE; StaticKeyExchangeInfo_t staticKE;
#endif #endif
#ifdef OPENSSL_ALL #ifdef OPENSSL_ALL
/* Added in libest port: allow applications to get the 'tls-unique' Channel
* Binding Type (https://tools.ietf.org/html/rfc5929#section-3). This is
* used in the EST protocol to bind an enrollment to a TLS session through
* 'proof-of-possession' (https://tools.ietf.org/html/rfc7030#section-3.4
* and https://tools.ietf.org/html/rfc7030#section-3.5). */
byte clientFinished[TLS_FINISHED_SZ]; byte clientFinished[TLS_FINISHED_SZ];
byte serverFinished[TLS_FINISHED_SZ]; byte serverFinished[TLS_FINISHED_SZ];
#endif #endif

4
wolfssl/wolfcrypt/pkcs7.h
View File

@ -48,7 +48,11 @@
/* Max number of certificates that PKCS7 structure can parse */ /* Max number of certificates that PKCS7 structure can parse */
#ifndef MAX_PKCS7_CERTS #ifndef MAX_PKCS7_CERTS
#ifdef OPENSSL_ALL
#define MAX_PKCS7_CERTS 15 #define MAX_PKCS7_CERTS 15
#else
#define MAX_PKCS7_CERTS 4
#endif
#endif #endif
#ifndef MAX_ORI_TYPE_SZ #ifndef MAX_ORI_TYPE_SZ