allow user to set minimum downgrade version with v23 methods()

This commit is contained in:
toddouska 2014-11-03 15:12:48 -08:00
parent d9f5ada772
commit 322f79f521
5 changed files with 58 additions and 2 deletions

View File

@ -1762,6 +1762,7 @@ typedef struct Options {
byte verifyNone;
byte failNoCert;
byte downgrade; /* allow downgrade of versions */
byte minDowngrade; /* minimum downgrade version */
byte sendVerify; /* false = 0, true = 1, sendBlank = 2 */
byte resuming;
byte haveSessionId; /* server may not send */

View File

@ -1020,6 +1020,7 @@ enum {
CYASSL_CHAIN_CA = 2 /* added to cache from trusted chain */
};
CYASSL_API int CyaSSL_SetMinVersion(CYASSL* ssl, int version);
CYASSL_API int CyaSSL_GetObjectSize(void); /* object size based on build */
CYASSL_API int CyaSSL_SetVersion(CYASSL* ssl, int version);
CYASSL_API int CyaSSL_KeyPemToDer(const unsigned char*, int sz, unsigned char*,

View File

@ -156,7 +156,6 @@ void echoclient_test(void* args)
#endif
ssl = SSL_new(ctx);
if (doDTLS) {
SOCKADDR_IN_T addr;

View File

@ -1610,7 +1610,8 @@ int InitSSL(CYASSL* ssl, CYASSL_CTX* ctx)
ssl->verifyCallback = ctx->verifyCallback;
ssl->verifyCbCtx = NULL;
ssl->options.side = ctx->method->side;
ssl->options.downgrade = ctx->method->downgrade;
ssl->options.downgrade = ctx->method->downgrade;
ssl->options.minDowngrade = TLSv1_MINOR; /* current default */
ssl->error = 0;
ssl->options.connReset = 0;
ssl->options.isClosed = 0;
@ -9228,6 +9229,10 @@ static void PickHashSigAlgo(CYASSL* ssl,
CYASSL_MSG(" no downgrade allowed, fatal error");
return VERSION_ERROR;
}
if (pv.minor < ssl->options.minDowngrade) {
CYASSL_MSG(" version below minimum allowed, fatal error");
return VERSION_ERROR;
}
#ifdef HAVE_SECURE_RENEGOTIATION
if (ssl->secure_renegotiation &&
@ -12321,6 +12326,10 @@ int DoSessionTicket(CYASSL* ssl,
CYASSL_MSG("Client trying to connect with lesser version");
return VERSION_ERROR;
}
if (pv.minor < ssl->options.minDowngrade) {
CYASSL_MSG(" version below minimum allowed, fatal error");
return VERSION_ERROR;
}
if (pv.minor == SSLv3_MINOR) {
/* turn off tls */
CYASSL_MSG(" downgrading to SSLv3");
@ -12479,6 +12488,10 @@ int DoSessionTicket(CYASSL* ssl,
CYASSL_MSG("Client trying to connect with lesser version");
return VERSION_ERROR;
}
if (pv.minor < ssl->options.minDowngrade) {
CYASSL_MSG(" version below minimum allowed, fatal error");
return VERSION_ERROR;
}
if (pv.minor == SSLv3_MINOR) {
/* turn off tls */

View File

@ -1533,6 +1533,48 @@ int CyaSSL_set_group_messages(CYASSL* ssl)
}
/* Set minimum downgrade version allowed, SSL_SUCCESS on ok */
int CyaSSL_SetMinVersion(CYASSL* ssl, int version)
{
CYASSL_ENTER("CyaSSL_SetMinVersion");
if (ssl == NULL) {
CYASSL_MSG("Bad function argument");
return BAD_FUNC_ARG;
}
switch (version) {
#ifndef NO_OLD_TLS
case CYASSL_SSLV3:
ssl->options.minDowngrade = SSLv3_MINOR;
break;
#endif
#ifndef NO_TLS
#ifndef NO_OLD_TLS
case CYASSL_TLSV1:
ssl->options.minDowngrade = TLSv1_MINOR;
break;
case CYASSL_TLSV1_1:
ssl->options.minDowngrade = TLSv1_1_MINOR;
break;
#endif
case CYASSL_TLSV1_2:
ssl->options.minDowngrade = TLSv1_2_MINOR;
break;
#endif
default:
CYASSL_MSG("Bad function argument");
return BAD_FUNC_ARG;
}
return SSL_SUCCESS;
}
int CyaSSL_SetVersion(CYASSL* ssl, int version)
{
byte haveRSA = 1;