allow user to set minimum downgrade version with v23 methods()
This commit is contained in:
parent
d9f5ada772
commit
322f79f521
@ -1762,6 +1762,7 @@ typedef struct Options {
|
||||
byte verifyNone;
|
||||
byte failNoCert;
|
||||
byte downgrade; /* allow downgrade of versions */
|
||||
byte minDowngrade; /* minimum downgrade version */
|
||||
byte sendVerify; /* false = 0, true = 1, sendBlank = 2 */
|
||||
byte resuming;
|
||||
byte haveSessionId; /* server may not send */
|
||||
|
@ -1020,6 +1020,7 @@ enum {
|
||||
CYASSL_CHAIN_CA = 2 /* added to cache from trusted chain */
|
||||
};
|
||||
|
||||
CYASSL_API int CyaSSL_SetMinVersion(CYASSL* ssl, int version);
|
||||
CYASSL_API int CyaSSL_GetObjectSize(void); /* object size based on build */
|
||||
CYASSL_API int CyaSSL_SetVersion(CYASSL* ssl, int version);
|
||||
CYASSL_API int CyaSSL_KeyPemToDer(const unsigned char*, int sz, unsigned char*,
|
||||
|
@ -156,7 +156,6 @@ void echoclient_test(void* args)
|
||||
#endif
|
||||
|
||||
ssl = SSL_new(ctx);
|
||||
|
||||
|
||||
if (doDTLS) {
|
||||
SOCKADDR_IN_T addr;
|
||||
|
@ -1610,7 +1610,8 @@ int InitSSL(CYASSL* ssl, CYASSL_CTX* ctx)
|
||||
ssl->verifyCallback = ctx->verifyCallback;
|
||||
ssl->verifyCbCtx = NULL;
|
||||
ssl->options.side = ctx->method->side;
|
||||
ssl->options.downgrade = ctx->method->downgrade;
|
||||
ssl->options.downgrade = ctx->method->downgrade;
|
||||
ssl->options.minDowngrade = TLSv1_MINOR; /* current default */
|
||||
ssl->error = 0;
|
||||
ssl->options.connReset = 0;
|
||||
ssl->options.isClosed = 0;
|
||||
@ -9228,6 +9229,10 @@ static void PickHashSigAlgo(CYASSL* ssl,
|
||||
CYASSL_MSG(" no downgrade allowed, fatal error");
|
||||
return VERSION_ERROR;
|
||||
}
|
||||
if (pv.minor < ssl->options.minDowngrade) {
|
||||
CYASSL_MSG(" version below minimum allowed, fatal error");
|
||||
return VERSION_ERROR;
|
||||
}
|
||||
|
||||
#ifdef HAVE_SECURE_RENEGOTIATION
|
||||
if (ssl->secure_renegotiation &&
|
||||
@ -12321,6 +12326,10 @@ int DoSessionTicket(CYASSL* ssl,
|
||||
CYASSL_MSG("Client trying to connect with lesser version");
|
||||
return VERSION_ERROR;
|
||||
}
|
||||
if (pv.minor < ssl->options.minDowngrade) {
|
||||
CYASSL_MSG(" version below minimum allowed, fatal error");
|
||||
return VERSION_ERROR;
|
||||
}
|
||||
if (pv.minor == SSLv3_MINOR) {
|
||||
/* turn off tls */
|
||||
CYASSL_MSG(" downgrading to SSLv3");
|
||||
@ -12479,6 +12488,10 @@ int DoSessionTicket(CYASSL* ssl,
|
||||
CYASSL_MSG("Client trying to connect with lesser version");
|
||||
return VERSION_ERROR;
|
||||
}
|
||||
if (pv.minor < ssl->options.minDowngrade) {
|
||||
CYASSL_MSG(" version below minimum allowed, fatal error");
|
||||
return VERSION_ERROR;
|
||||
}
|
||||
|
||||
if (pv.minor == SSLv3_MINOR) {
|
||||
/* turn off tls */
|
||||
|
42
src/ssl.c
42
src/ssl.c
@ -1533,6 +1533,48 @@ int CyaSSL_set_group_messages(CYASSL* ssl)
|
||||
}
|
||||
|
||||
|
||||
/* Set minimum downgrade version allowed, SSL_SUCCESS on ok */
|
||||
int CyaSSL_SetMinVersion(CYASSL* ssl, int version)
|
||||
{
|
||||
CYASSL_ENTER("CyaSSL_SetMinVersion");
|
||||
|
||||
if (ssl == NULL) {
|
||||
CYASSL_MSG("Bad function argument");
|
||||
return BAD_FUNC_ARG;
|
||||
}
|
||||
|
||||
switch (version) {
|
||||
#ifndef NO_OLD_TLS
|
||||
case CYASSL_SSLV3:
|
||||
ssl->options.minDowngrade = SSLv3_MINOR;
|
||||
break;
|
||||
#endif
|
||||
|
||||
#ifndef NO_TLS
|
||||
#ifndef NO_OLD_TLS
|
||||
case CYASSL_TLSV1:
|
||||
ssl->options.minDowngrade = TLSv1_MINOR;
|
||||
break;
|
||||
|
||||
case CYASSL_TLSV1_1:
|
||||
ssl->options.minDowngrade = TLSv1_1_MINOR;
|
||||
break;
|
||||
#endif
|
||||
case CYASSL_TLSV1_2:
|
||||
ssl->options.minDowngrade = TLSv1_2_MINOR;
|
||||
break;
|
||||
#endif
|
||||
|
||||
default:
|
||||
CYASSL_MSG("Bad function argument");
|
||||
return BAD_FUNC_ARG;
|
||||
}
|
||||
|
||||
|
||||
return SSL_SUCCESS;
|
||||
}
|
||||
|
||||
|
||||
int CyaSSL_SetVersion(CYASSL* ssl, int version)
|
||||
{
|
||||
byte haveRSA = 1;
|
||||
|
Loading…
Reference in New Issue
Block a user