- Added option to add minimum accepted SSL/TLS protocol version

2025-07-30 22:43:08 +03:00 · 2012-09-28 13:28:45 +00:00
parent 5d19f86fdd
commit 1d29fb5e33
8 changed files with 142 additions and 1 deletions
--- a/library/error.c
+++ b/library/error.c
@ -303,6 +303,8 @@ void error_strerror( int ret, char *buf, size_t buflen )
            snprintf( buf, buflen, "SSL - Hardware acceleration function skipped / left alone data" );
        if( use_ret == -(POLARSSL_ERR_SSL_COMPRESSION_FAILED) )
            snprintf( buf, buflen, "SSL - Processing of the compression / decompression failed" );
+        if( use_ret == -(POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION) )
+            snprintf( buf, buflen, "SSL - Handshake protocol not within min/max boundaries" );
 #endif /* POLARSSL_SSL_TLS_C */

 #if defined(POLARSSL_X509_PARSE_C)
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@ -413,6 +413,18 @@ static int ssl_parse_server_hello( ssl_context *ssl )

    ssl->minor_ver = buf[5];

+    if( ssl->minor_ver < ssl->min_minor_ver )
+    {
+        SSL_DEBUG_MSG( 1, ( "server only supports ssl smaller than minimum"
+                            " [%d:%d] < [%d:%d]", ssl->major_ver, ssl->minor_ver,
+                            buf[4], buf[5] ) );
+
+        ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
+                                     SSL_ALERT_MSG_PROTOCOL_VERSION );
+
+        return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
+    }
+
 #if defined(POLARSSL_DEBUG_C)
    t = ( (time_t) buf[6] << 24 )
      | ( (time_t) buf[7] << 16 )
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@ -222,6 +222,18 @@ static int ssl_parse_client_hello( ssl_context *ssl )
    ssl->minor_ver = ( buf[5] <= SSL_MINOR_VERSION_3 )
                     ? buf[5]  : SSL_MINOR_VERSION_3;

+    if( ssl->minor_ver < ssl->min_minor_ver )
+    {
+        SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
+                            " [%d:%d] < [%d:%d]", ssl->major_ver, ssl->minor_ver,
+                            buf[4], buf[5] ) );
+
+        ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
+                                     SSL_ALERT_MSG_PROTOCOL_VERSION );
+
+        return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
+    }
+
    ssl->max_major_ver = buf[4];
    ssl->max_minor_ver = buf[5];

--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -2855,6 +2855,9 @@ int ssl_init( ssl_context *ssl )
    ssl->rsa_sign = ssl_rsa_sign;
    ssl->rsa_key_len = ssl_rsa_key_len;

+    ssl->min_major_ver = SSL_MAJOR_VERSION_3;
+    ssl->min_minor_ver = SSL_MINOR_VERSION_0;
+
 #if defined(POLARSSL_DHM_C)
    if( ( ret = mpi_read_string( &ssl->dhm_P, 16,
                                 POLARSSL_DHM_RFC5114_MODP_1024_P) ) != 0 ||
@ -3133,6 +3136,12 @@ void ssl_set_max_version( ssl_context *ssl, int major, int minor )
    ssl->max_minor_ver = minor;
 }

+void ssl_set_min_version( ssl_context *ssl, int major, int minor )
+{
+    ssl->min_major_ver = major;
+    ssl->min_minor_ver = minor;
+}
+
 void ssl_set_renegotiation( ssl_context *ssl, int renegotiation )
 {
    ssl->disable_renegotiation = renegotiation;