s->s3->tmp.mask_a = 0;
s->s3->tmp.mask_k = 0;
ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);
- ssl_get_client_min_max_version(s, &s->s3->tmp.min_ver, &s->s3->tmp.max_ver);
+ ssl_get_min_max_version(s, &s->s3->tmp.min_ver, &s->s3->tmp.max_ver);
#ifndef OPENSSL_NO_PSK
/* with PSK there must be client callback set */
if (!s->psk_client_callback) {
* @s: SSL connection that you want to use the cipher on
* @c: cipher to check
* @op: Security check that you want to do
+ * @ecdhe: If set to 1 then TLSv1 ECDHE ciphers are also allowed in SSLv3
*
* Returns 1 when it's disabled, 0 when enabled.
*/
-int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op)
+int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op, int ecdhe)
{
if (c->algorithm_mkey & s->s3->tmp.mask_k
|| c->algorithm_auth & s->s3->tmp.mask_a)
return 1;
if (s->s3->tmp.max_ver == 0)
return 1;
- if (!SSL_IS_DTLS(s) && ((c->min_tls > s->s3->tmp.max_ver)
- || (c->max_tls < s->s3->tmp.min_ver)))
- return 1;
+ if (!SSL_IS_DTLS(s)) {
+ int min_tls = c->min_tls;
+
+ /*
+ * For historical reasons we will allow ECHDE to be selected by a server
+ * in SSLv3 if we are a client
+ */
+ if (min_tls == TLS1_VERSION && ecdhe
+ && (c->algorithm_mkey & (SSL_kECDHE | SSL_kECDHEPSK)) != 0)
+ min_tls = SSL3_VERSION;
+
+ if ((min_tls > s->s3->tmp.max_ver) || (c->max_tls < s->s3->tmp.min_ver))
+ return 1;
+ }
if (SSL_IS_DTLS(s) && (DTLS_VERSION_GT(c->min_dtls, s->s3->tmp.max_ver)
|| DTLS_VERSION_LT(c->max_dtls, s->s3->tmp.min_ver)))
return 1;
rv |= CERT_PKEY_CERT_TYPE;
}
- ca_dn = s->s3->tmp.ca_names;
+ ca_dn = s->s3->tmp.peer_ca_names;
if (!sk_X509_NAME_num(ca_dn))
rv |= CERT_PKEY_ISSUER_NAME;
projects / openssl.git / blobdiff