fix initsuites with PSK on downgrade, example server with PSK

2011-04-25 16:11:23 -07:00 · 2011-04-25 16:11:23 -07:00 · adaffeca6c
commit adaffeca6c
parent 1ad10ffdc8
2 changed files with 19 additions and 6 deletions
--- a/examples/server/server.c
+++ b/examples/server/server.c
@ -63,17 +63,19 @@ THREAD_RETURN CYASSL_API server_test(void* args)
    ctx    = SSL_CTX_new(method);

 #ifndef NO_PSK
+    /* do PSK */
    SSL_CTX_set_psk_server_callback(ctx, my_psk_server_cb);
    SSL_CTX_use_psk_identity_hint(ctx, "cyassl server");
+    SSL_CTX_set_cipher_list(ctx, "PSK-AES256-CBC-SHA");
+#else
+    /* not using PSK, verify peer with certs */
+    SSL_CTX_set_verify(ctx,SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,0);
 #endif

 #ifdef OPENSSL_EXTRA
    SSL_CTX_set_default_passwd_cb(ctx, PasswordCallBack);
 #endif

-    SSL_CTX_set_verify(ctx,SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,0);
-
-
 #ifndef NO_FILESYSTEM
    /* for client auth */
    if (SSL_CTX_load_verify_locations(ctx, cliCert, 0) != SSL_SUCCESS)
@ -117,7 +119,9 @@ THREAD_RETURN CYASSL_API server_test(void* args)
 #endif

    SSL_set_fd(ssl, clientfd);
-    SetDH(ssl);
+#ifdef NO_PSK
+    SetDH(ssl);   /* will repick suites with DHE, higher priority than PSK */
+#endif

 #ifdef NON_BLOCKING
    tcp_set_nonblocking(&clientfd);
--- a/src/cyassl_int.c
+++ b/src/cyassl_int.c
@ -4960,6 +4960,7 @@ int SetCipherList(SSL_CTX* ctx, const char* list)
        ssl->chVersion = pv;  /* store */

        if (ssl->version.minor > pv.minor) {
+            byte havePSK = 0;
            if (!ssl->options.downgrade) {
                CYASSL_MSG("Client trying to connect with lesser version"); 
                return VERSION_ERROR;
@ -4981,7 +4982,11 @@ int SetCipherList(SSL_CTX* ctx, const char* list)
                CYASSL_MSG("    downgrading to TLSv1.1");
                ssl->version.minor  = TLSv1_1_MINOR;
            }
-            InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, FALSE,
+#ifndef NO_PSK
+            havePSK = ssl->options.havePSK;
+#endif
+
+            InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, havePSK,
                       ssl->options.haveNTRU, ssl->options.haveECDSA,
                       ssl->ctx->method->side);
        }
@ -5084,6 +5089,7 @@ int SetCipherList(SSL_CTX* ctx, const char* list)
        ssl->chVersion = pv;   /* store */
        i += sizeof(pv);
        if (ssl->version.minor > pv.minor) {
+            byte havePSK = 0;
            if (!ssl->options.downgrade) {
                CYASSL_MSG("Client trying to connect with lesser version"); 
                return VERSION_ERROR;
@ -5105,7 +5111,10 @@ int SetCipherList(SSL_CTX* ctx, const char* list)
                CYASSL_MSG("    downgrading to TLSv1.1");
                ssl->version.minor  = TLSv1_1_MINOR;
            }
-            InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, FALSE,
+#ifndef NO_PSK
+            havePSK = ssl->options.havePSK;
+#endif
+            InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, havePSK,
                       ssl->options.haveNTRU, ssl->options.haveECDSA,
                       ssl->ctx->method->side);
        }