return error if Suite B mode is selected and TLS 1.2 can't be used.
authorDr. Stephen Henson <steve@openssl.org>
Wed, 26 Dec 2012 17:39:02 +0000 (17:39 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Wed, 26 Dec 2012 17:39:02 +0000 (17:39 +0000)
(backport from HEAD)

ssl/ssl.h
ssl/ssl_ciph.c
ssl/ssl_err.c

index 5a39e98bb3e399a451afd335647907eb957b7a39..c6cc41b1b2a98f0803b7d5d3b5a3e204deb1a254 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -2261,6 +2261,7 @@ void ERR_load_SSL_strings(void);
 /* Function codes. */
 #define SSL_F_AUTHZ_FIND_DATA                           330
 #define SSL_F_AUTHZ_VALIDATE                            323
+#define SSL_F_CHECK_SUITEB_CIPHER_LIST                  331
 #define SSL_F_CLIENT_CERTIFICATE                        100
 #define SSL_F_CLIENT_FINISHED                           167
 #define SSL_F_CLIENT_HELLO                              101
index e4bc18440e472dcde3efe4f45bf9fa089ebe2c5e..159d010c24f6c5729df6b1dcba62a43d45a7a0d7 100644 (file)
@@ -1376,6 +1376,13 @@ static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c,
                return 1;
        /* Check version */
 
+       if (meth->version != TLS1_2_VERSION)
+               {
+               SSLerr(SSL_F_CHECK_SUITEB_CIPHER_LIST,
+                               SSL_R_ONLY_TLS_1_2_ALLOWED_IN_SUITEB_MODE);
+               return 0;
+               }
+
        switch(suiteb_flags)
                {
        case SSL_CERT_FLAG_SUITEB_128_LOS:
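Review bot: The added guard tests only `meth->version`, a fixed field of the SSL_METHOD, so it cannot tell whether a given connection will actually end up on TLS 1.2. If a version-flexible method carries TLS1_2_VERSION in that field (not visible in this hunk), the check passes even though a lower version could still be negotiated or TLS 1.2 could be disabled by options. Suite B enforcement therefore still depends on a handshake-time check elsewhere, which should be confirmed on this backport branch. The strict `!=` also rejects any method whose version field differs from TLS1_2_VERSION but which could still carry TLS 1.2 cipher suites, which may or may not be intended. I would replace the bare `/* Check version */` with a comment recording this, e.g. `/* Suite B needs TLS 1.2: fail closed if the method cannot offer it; negotiated version is checked during the handshake */`. The body of check_suiteb_cipher_list starts and ends outside the hunk.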
index 2a8b4bf712d8ed6a8e291c7fe095ac1bee86ed44..e21f6e5cb11c7cfae7538883f8ccf04e59006110 100644 (file)
@@ -72,6 +72,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
        {
 {ERR_FUNC(SSL_F_AUTHZ_FIND_DATA),      "AUTHZ_FIND_DATA"},
 {ERR_FUNC(SSL_F_AUTHZ_VALIDATE),       "AUTHZ_VALIDATE"},
+{ERR_FUNC(SSL_F_CHECK_SUITEB_CIPHER_LIST),     "CHECK_SUITEB_CIPHER_LIST"},
 {ERR_FUNC(SSL_F_CLIENT_CERTIFICATE),   "CLIENT_CERTIFICATE"},
 {ERR_FUNC(SSL_F_CLIENT_FINISHED),      "CLIENT_FINISHED"},
 {ERR_FUNC(SSL_F_CLIENT_HELLO), "CLIENT_HELLO"},