wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-08-02 04:04:39 +02:00
Code Issues Packages Projects Releases Wiki Activity

fix initsuites with PSK on downgrade, example server with PSK

Browse Source
This commit is contained in:
Todd A Ouska
2011-04-25 16:11:23 -07:00
parent 1ad10ffdc8
commit adaffeca6c
2 changed files with 19 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
examples/server/server.c
View File

@@ -63,17 +63,19 @@ THREAD_RETURN CYASSL_API server_test(void* args)
ctx = SSL_CTX_new(method); ctx = SSL_CTX_new(method);
#ifndef NO_PSK #ifndef NO_PSK
/* do PSK */
SSL_CTX_set_psk_server_callback(ctx, my_psk_server_cb); SSL_CTX_set_psk_server_callback(ctx, my_psk_server_cb);
SSL_CTX_use_psk_identity_hint(ctx, "cyassl server"); SSL_CTX_use_psk_identity_hint(ctx, "cyassl server");
SSL_CTX_set_cipher_list(ctx, "PSK-AES256-CBC-SHA");
#else
/* not using PSK, verify peer with certs */
SSL_CTX_set_verify(ctx,SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,0);
#endif #endif
#ifdef OPENSSL_EXTRA #ifdef OPENSSL_EXTRA
SSL_CTX_set_default_passwd_cb(ctx, PasswordCallBack); SSL_CTX_set_default_passwd_cb(ctx, PasswordCallBack);
#endif #endif
SSL_CTX_set_verify(ctx,SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,0);
#ifndef NO_FILESYSTEM #ifndef NO_FILESYSTEM
/* for client auth */ /* for client auth */
if (SSL_CTX_load_verify_locations(ctx, cliCert, 0) != SSL_SUCCESS) if (SSL_CTX_load_verify_locations(ctx, cliCert, 0) != SSL_SUCCESS)
@@ -117,7 +119,9 @@ THREAD_RETURN CYASSL_API server_test(void* args)
#endif #endif
SSL_set_fd(ssl, clientfd); SSL_set_fd(ssl, clientfd);
SetDH(ssl); #ifdef NO_PSK
SetDH(ssl); /* will repick suites with DHE, higher priority than PSK */
#endif
#ifdef NON_BLOCKING #ifdef NON_BLOCKING
tcp_set_nonblocking(&clientfd); tcp_set_nonblocking(&clientfd);

13
src/cyassl_int.c
View File

@@ -4960,6 +4960,7 @@ int SetCipherList(SSL_CTX* ctx, const char* list)
ssl->chVersion = pv; /* store */ ssl->chVersion = pv; /* store */
if (ssl->version.minor > pv.minor) { if (ssl->version.minor > pv.minor) {
byte havePSK = 0;
if (!ssl->options.downgrade) { if (!ssl->options.downgrade) {
CYASSL_MSG("Client trying to connect with lesser version"); CYASSL_MSG("Client trying to connect with lesser version");
return VERSION_ERROR; return VERSION_ERROR;
@@ -4981,7 +4982,11 @@ int SetCipherList(SSL_CTX* ctx, const char* list)
CYASSL_MSG(" downgrading to TLSv1.1"); CYASSL_MSG(" downgrading to TLSv1.1");
ssl->version.minor = TLSv1_1_MINOR; ssl->version.minor = TLSv1_1_MINOR;
} }
InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, FALSE, #ifndef NO_PSK
havePSK = ssl->options.havePSK;
#endif
InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, havePSK,
ssl->options.haveNTRU, ssl->options.haveECDSA, ssl->options.haveNTRU, ssl->options.haveECDSA,
ssl->ctx->method->side); ssl->ctx->method->side);
} }
@@ -5084,6 +5089,7 @@ int SetCipherList(SSL_CTX* ctx, const char* list)
ssl->chVersion = pv; /* store */ ssl->chVersion = pv; /* store */
i += sizeof(pv); i += sizeof(pv);
if (ssl->version.minor > pv.minor) { if (ssl->version.minor > pv.minor) {
byte havePSK = 0;
if (!ssl->options.downgrade) { if (!ssl->options.downgrade) {
CYASSL_MSG("Client trying to connect with lesser version"); CYASSL_MSG("Client trying to connect with lesser version");
return VERSION_ERROR; return VERSION_ERROR;
@@ -5105,7 +5111,10 @@ int SetCipherList(SSL_CTX* ctx, const char* list)
CYASSL_MSG(" downgrading to TLSv1.1"); CYASSL_MSG(" downgrading to TLSv1.1");
ssl->version.minor = TLSv1_1_MINOR; ssl->version.minor = TLSv1_1_MINOR;
} }
InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, FALSE, #ifndef NO_PSK
havePSK = ssl->options.havePSK;
#endif
InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, havePSK,
ssl->options.haveNTRU, ssl->options.haveECDSA, ssl->options.haveNTRU, ssl->options.haveECDSA,
ssl->ctx->method->side); ssl->ctx->method->side);
} }