* Put back TLS 1.0.

git-svn-id: svn://svn.code.sf.net/p/axtls/code/trunk@268 9a5d90b5-6617-0410-8a86-bb477d3ed2e3
2025-07-30 16:24:09 +03:00 · 2016-08-17 10:42:49 +00:00
parent f599ff830e
commit 29b478f3cf
3 changed files with 14 additions and 5 deletions
--- a/ssl/tls1.c
+++ b/ssl/tls1.c
@ -1145,6 +1145,7 @@ int send_packet(SSL *ssl, uint8_t protocol, const uint8_t *in, int length)
        increment_write_sequence(ssl);

        /* add the explicit IV for TLS1.1 */
+        if (ssl->version >= SSL_PROTOCOL_VERSION_TLS1_1)
        {
            uint8_t iv_size = ssl->cipher_info->iv_size;
            uint8_t *t_buf = malloc(msg_length + iv_size);
@ -1358,8 +1359,12 @@ int basic_read(SSL *ssl, uint8_t **in_data)
    if (IS_SET_SSL_FLAG(SSL_RX_ENCRYPTED))
    {
        ssl->cipher_info->decrypt(ssl->decrypt_ctx, buf, buf, read_len);
+
+        if (ssl->version >= SSL_PROTOCOL_VERSION_TLS1_1)
+        {
            buf += ssl->cipher_info->iv_size;
            read_len -= ssl->cipher_info->iv_size;
+        }

        read_len = verify_digest(ssl, 
                is_client ? SSL_CLIENT_READ : SSL_SERVER_READ, buf, read_len);
--- a/ssl/tls1.h
+++ b/ssl/tls1.h
@ -47,8 +47,9 @@ extern "C" {
 #include "crypto.h"
 #include "crypto_misc.h"

-#define SSL_PROTOCOL_MIN_VERSION    0x32   /* TLS v1.1 */
-#define SSL_PROTOCOL_VERSION_MAX    0x33   /* TLS v1.2 */
+#define SSL_PROTOCOL_MIN_VERSION    0x31   /* TLS v1.0 */
+#define SSL_PROTOCOL_VERSION_MAX    0x33   /* TLS v1.3 */
+#define SSL_PROTOCOL_VERSION_TLS1_1 0x32   /* TLS v1.1 */
 #define SSL_PROTOCOL_VERSION_TLS1_2 0x33   /* TLS v1.2 */
 #define SSL_RANDOM_SIZE             32
 #define SSL_SECRET_SIZE             48
--- a/ssl/x509.c
+++ b/ssl/x509.c
@ -74,7 +74,9 @@ int x509_new(const uint8_t *cert, int *len, X509_CTX **ctx)
    int begin_tbs, end_tbs;
    int ret = X509_NOT_OK, offset = 0, cert_size = 0;
    X509_CTX *x509_ctx;
+#ifdef CONFIG_SSL_CERT_VERIFICATION /* only care if doing verification */
    BI_CTX *bi_ctx;
+#endif

    *ctx = (X509_CTX *)calloc(1, sizeof(X509_CTX));
    x509_ctx = *ctx;
@ -117,7 +119,6 @@ int x509_new(const uint8_t *cert, int *len, X509_CTX **ctx)
        goto end_cert;
    }

-    bi_ctx = x509_ctx->rsa_ctx->bi_ctx;

    x509_ctx->fingerprint = malloc(SHA1_SIZE);
    SHA1_CTX sha_fp_ctx;
@ -126,6 +127,8 @@ int x509_new(const uint8_t *cert, int *len, X509_CTX **ctx)
    SHA1_Final(x509_ctx->fingerprint, &sha_fp_ctx);

 #ifdef CONFIG_SSL_CERT_VERIFICATION /* only care if doing verification */
+    bi_ctx = x509_ctx->rsa_ctx->bi_ctx;
+
    /* use the appropriate signature algorithm */
    switch (x509_ctx->sig_type)
    {