return error if Suite B mode is selected and TLS 1.2 can't be used. Correct error...

author Dr. Stephen Henson <steve@openssl.org>

Sat, 1 Dec 2012 18:33:21 +0000 (18:33 +0000)

committer Dr. Stephen Henson <steve@openssl.org>

Sat, 1 Dec 2012 18:33:21 +0000 (18:33 +0000)
author Dr. Stephen Henson <steve@openssl.org>
Sat, 1 Dec 2012 18:33:21 +0000 (18:33 +0000)
committer Dr. Stephen Henson <steve@openssl.org>
Sat, 1 Dec 2012 18:33:21 +0000 (18:33 +0000)
diff --git a/ssl/ssl.h b/ssl/ssl.h

index 3c9ba9c024c6dbd1d97ec11338e9587c1528e3c9..0aa675efce37a89f57513040499afd3ae45cb0b4 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -2309,6 +2309,7 @@ void ERR_load_SSL_strings(void);
  /* Function codes. */
  #define SSL_F_AUTHZ_FIND_DATA                           330
  #define SSL_F_AUTHZ_VALIDATE                            323
+#define SSL_F_CHECK_SUITEB_CIPHER_LIST                  335
  #define SSL_F_CLIENT_CERTIFICATE                        100
  #define SSL_F_CLIENT_FINISHED                           167
  #define SSL_F_CLIENT_HELLO                              101
@@ -2445,7 +2446,7 @@ void ERR_load_SSL_strings(void);
  #define SSL_F_SSL_CIPHER_STRENGTH_SORT                  231
  #define SSL_F_SSL_CLEAR                                         164
  #define SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD           165
-#define SSL_F_SSL_CONF_CTX_CMD                          334
+#define SSL_F_SSL_CONF_CMD                              334
  #define SSL_F_SSL_CREATE_CIPHER_LIST                    166
  #define SSL_F_SSL_CTRL                                  232
  #define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY                         168
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c

index 7f3e16080b0a4b740d9235a9c31e795c611cff60..4d87d2dbc4bf7f4b0b8a8f13c39e9cf41fe79e9b 100644 (file)
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1379,6 +1379,13 @@ static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c,
                 return 1;
         /* Check version */
  
+       if (meth->version != TLS1_2_VERSION)
+               {
+               SSLerr(SSL_F_CHECK_SUITEB_CIPHER_LIST,
+                               SSL_R_ONLY_TLS_1_2_ALLOWED_IN_SUITEB_MODE);
+               return 0;
+               }
+
         switch(suiteb_flags)
                 {
         case SSL_CERT_FLAG_SUITEB_128_LOS:
diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c

index 0de97f8a78889196e55ae1aa8f64509cc62a423c..23754739bb9720203a4eb20cf6ea58cbf9fffbf3 100644 (file)
--- a/ssl/ssl_conf.c
+++ b/ssl/ssl_conf.c
@@ -385,7 +385,7 @@ int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value)
         size_t i;
         if (cmd == NULL)
                 {
-               SSLerr(SSL_F_SSL_CONF_CTX_CMD, SSL_R_INVALID_NULL_CMD_NAME);
+               SSLerr(SSL_F_SSL_CONF_CMD, SSL_R_INVALID_NULL_CMD_NAME);
                 return 0;
                 }
         /* If a prefix is set, check and skip */
@@ -442,7 +442,7 @@ int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value)
                         return -2;
                 if (cctx->flags & SSL_CONF_FLAG_SHOW_ERRORS)
                         {
-                       SSLerr(SSL_F_SSL_CONF_CTX_CMD, SSL_R_BAD_VALUE);
+                       SSLerr(SSL_F_SSL_CONF_CMD, SSL_R_BAD_VALUE);
                         ERR_add_error_data(4, "cmd=", cmd, ", value=", value);
                         }
                 return 0;
@@ -456,7 +456,7 @@ int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value)
  
         if (cctx->flags & SSL_CONF_FLAG_SHOW_ERRORS)
                 {
-               SSLerr(SSL_F_SSL_CONF_CTX_CMD, SSL_R_UNKNOWN_CMD_NAME);
+               SSLerr(SSL_F_SSL_CONF_CMD, SSL_R_UNKNOWN_CMD_NAME);
                 ERR_add_error_data(2, "cmd=", cmd);
                 }
  
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c

index 5654def3f31e07f1b9311c7b1a1b0db7accc969d..b978177ac409adf3cb7dee7be23519ab3a83d3b6 100644 (file)
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -72,6 +72,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
         {
  {ERR_FUNC(SSL_F_AUTHZ_FIND_DATA),      "AUTHZ_FIND_DATA"},
  {ERR_FUNC(SSL_F_AUTHZ_VALIDATE),       "AUTHZ_VALIDATE"},
+{ERR_FUNC(SSL_F_CHECK_SUITEB_CIPHER_LIST),     "CHECK_SUITEB_CIPHER_LIST"},
  {ERR_FUNC(SSL_F_CLIENT_CERTIFICATE),   "CLIENT_CERTIFICATE"},
  {ERR_FUNC(SSL_F_CLIENT_FINISHED),      "CLIENT_FINISHED"},
  {ERR_FUNC(SSL_F_CLIENT_HELLO), "CLIENT_HELLO"},
@@ -208,7 +209,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
  {ERR_FUNC(SSL_F_SSL_CIPHER_STRENGTH_SORT),     "SSL_CIPHER_STRENGTH_SORT"},
  {ERR_FUNC(SSL_F_SSL_CLEAR),    "SSL_clear"},
  {ERR_FUNC(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD),      "SSL_COMP_add_compression_method"},
-{ERR_FUNC(SSL_F_SSL_CONF_CTX_CMD),     "SSL_CONF_CTX_cmd"},
+{ERR_FUNC(SSL_F_SSL_CONF_CMD), "SSL_CONF_cmd"},
  {ERR_FUNC(SSL_F_SSL_CREATE_CIPHER_LIST),       "ssl_create_cipher_list"},
  {ERR_FUNC(SSL_F_SSL_CTRL),     "SSL_ctrl"},
  {ERR_FUNC(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY),    "SSL_CTX_check_private_key"},
author	Dr. Stephen Henson <steve@openssl.org>
	Sat, 1 Dec 2012 18:33:21 +0000 (18:33 +0000)
committer	Dr. Stephen Henson <steve@openssl.org>
	Sat, 1 Dec 2012 18:33:21 +0000 (18:33 +0000)
ssl/ssl.h		patch \| blob \| history
ssl/ssl_ciph.c		patch \| blob \| history
ssl/ssl_conf.c		patch \| blob \| history
ssl/ssl_err.c		patch \| blob \| history