TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 1d29fb5e338249ac38e8573997bcda25d325719f^! / . / library
commit1d29fb5e338249ac38e8573997bcda25d325719f[log] [tgz]
authorPaul Bakker <p.j.bakker@polarssl.org>Fri Sep 28 13:28:45 2012 +0000
committerPaul Bakker <p.j.bakker@polarssl.org>Fri Sep 28 13:28:45 2012 +0000
treee0a1e6af02653126caee806a87762b206f756f72
parent5d19f86fdd88cfd1b5b01351e080530b929dd545 [diff]
 - Added option to add minimum accepted SSL/TLS protocol version


diff --git a/library/error.c b/library/error.c
index d4d8500..a5eaaba 100644
--- a/library/error.c
+++ b/library/error.c

@@ -303,6 +303,8 @@
             snprintf( buf, buflen, "SSL - Hardware acceleration function skipped / left alone data" );
         if( use_ret == -(POLARSSL_ERR_SSL_COMPRESSION_FAILED) )
             snprintf( buf, buflen, "SSL - Processing of the compression / decompression failed" );
+        if( use_ret == -(POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION) )
+            snprintf( buf, buflen, "SSL - Handshake protocol not within min/max boundaries" );
 #endif /* POLARSSL_SSL_TLS_C */
 
 #if defined(POLARSSL_X509_PARSE_C)

diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 3e1b056..07b31d9 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c

@@ -413,6 +413,18 @@
 
     ssl->minor_ver = buf[5];
 
+    if( ssl->minor_ver < ssl->min_minor_ver )
+    {
+        SSL_DEBUG_MSG( 1, ( "server only supports ssl smaller than minimum"
+                            " [%d:%d] < [%d:%d]", ssl->major_ver, ssl->minor_ver,
+                            buf[4], buf[5] ) );
+
+        ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
+                                     SSL_ALERT_MSG_PROTOCOL_VERSION );
+
+        return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
+    }
+
 #if defined(POLARSSL_DEBUG_C)
     t = ( (time_t) buf[6] << 24 )
       | ( (time_t) buf[7] << 16 )

diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index da34015..408d510 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c

@@ -222,6 +222,18 @@
     ssl->minor_ver = ( buf[5] <= SSL_MINOR_VERSION_3 )
                      ? buf[5]  : SSL_MINOR_VERSION_3;
 
+    if( ssl->minor_ver < ssl->min_minor_ver )
+    {
+        SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
+                            " [%d:%d] < [%d:%d]", ssl->major_ver, ssl->minor_ver,
+                            buf[4], buf[5] ) );
+
+        ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
+                                     SSL_ALERT_MSG_PROTOCOL_VERSION );
+
+        return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
+    }
+
     ssl->max_major_ver = buf[4];
     ssl->max_minor_ver = buf[5];
 

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 5ae581f..b66e046 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c

@@ -2855,6 +2855,9 @@
     ssl->rsa_sign = ssl_rsa_sign;
     ssl->rsa_key_len = ssl_rsa_key_len;
 
+    ssl->min_major_ver = SSL_MAJOR_VERSION_3;
+    ssl->min_minor_ver = SSL_MINOR_VERSION_0;
+
 #if defined(POLARSSL_DHM_C)
     if( ( ret = mpi_read_string( &ssl->dhm_P, 16,
                                  POLARSSL_DHM_RFC5114_MODP_1024_P) ) != 0 ||
@@ -3133,6 +3136,12 @@
     ssl->max_minor_ver = minor;
 }
 
+void ssl_set_min_version( ssl_context *ssl, int major, int minor )
+{
+    ssl->min_major_ver = major;
+    ssl->min_minor_ver = minor;
+}
+
 void ssl_set_renegotiation( ssl_context *ssl, int renegotiation )
 {
     ssl->disable_renegotiation = renegotiation;