return error if Suite B mode is selected and TLS 1.2 can't be used. Correct error...
authorDr. Stephen Henson <steve@openssl.org>
Sat, 1 Dec 2012 18:33:21 +0000 (18:33 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Sat, 1 Dec 2012 18:33:21 +0000 (18:33 +0000)
ssl/ssl.h
ssl/ssl_ciph.c
ssl/ssl_conf.c
ssl/ssl_err.c

index 3c9ba9c..0aa675e 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -2309,6 +2309,7 @@ void ERR_load_SSL_strings(void);
 /* Function codes. */
 #define SSL_F_AUTHZ_FIND_DATA                           330
 #define SSL_F_AUTHZ_VALIDATE                            323
+#define SSL_F_CHECK_SUITEB_CIPHER_LIST                  335
 #define SSL_F_CLIENT_CERTIFICATE                        100
 #define SSL_F_CLIENT_FINISHED                           167
 #define SSL_F_CLIENT_HELLO                              101
@@ -2445,7 +2446,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_SSL_CIPHER_STRENGTH_SORT                  231
 #define SSL_F_SSL_CLEAR                                         164
 #define SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD           165
-#define SSL_F_SSL_CONF_CTX_CMD                          334
+#define SSL_F_SSL_CONF_CMD                              334
 #define SSL_F_SSL_CREATE_CIPHER_LIST                    166
 #define SSL_F_SSL_CTRL                                  232
 #define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY                         168
index 7f3e160..4d87d2d 100644 (file)
@@ -1379,6 +1379,13 @@ static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c,
                return 1;
        /* Check version */
 
+       if (meth->version != TLS1_2_VERSION)
+               {
+               SSLerr(SSL_F_CHECK_SUITEB_CIPHER_LIST,
+                               SSL_R_ONLY_TLS_1_2_ALLOWED_IN_SUITEB_MODE);
+               return 0;
+               }
+
        switch(suiteb_flags)
                {
        case SSL_CERT_FLAG_SUITEB_128_LOS:
index 0de97f8..2375473 100644 (file)
@@ -385,7 +385,7 @@ int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value)
        size_t i;
        if (cmd == NULL)
                {
-               SSLerr(SSL_F_SSL_CONF_CTX_CMD, SSL_R_INVALID_NULL_CMD_NAME);
+               SSLerr(SSL_F_SSL_CONF_CMD, SSL_R_INVALID_NULL_CMD_NAME);
                return 0;
                }
        /* If a prefix is set, check and skip */
@@ -442,7 +442,7 @@ int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value)
                        return -2;
                if (cctx->flags & SSL_CONF_FLAG_SHOW_ERRORS)
                        {
-                       SSLerr(SSL_F_SSL_CONF_CTX_CMD, SSL_R_BAD_VALUE);
+                       SSLerr(SSL_F_SSL_CONF_CMD, SSL_R_BAD_VALUE);
                        ERR_add_error_data(4, "cmd=", cmd, ", value=", value);
                        }
                return 0;
@@ -456,7 +456,7 @@ int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value)
 
        if (cctx->flags & SSL_CONF_FLAG_SHOW_ERRORS)
                {
-               SSLerr(SSL_F_SSL_CONF_CTX_CMD, SSL_R_UNKNOWN_CMD_NAME);
+               SSLerr(SSL_F_SSL_CONF_CMD, SSL_R_UNKNOWN_CMD_NAME);
                ERR_add_error_data(2, "cmd=", cmd);
                }
 
index 5654def..b978177 100644 (file)
@@ -72,6 +72,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
        {
 {ERR_FUNC(SSL_F_AUTHZ_FIND_DATA),      "AUTHZ_FIND_DATA"},
 {ERR_FUNC(SSL_F_AUTHZ_VALIDATE),       "AUTHZ_VALIDATE"},
+{ERR_FUNC(SSL_F_CHECK_SUITEB_CIPHER_LIST),     "CHECK_SUITEB_CIPHER_LIST"},
 {ERR_FUNC(SSL_F_CLIENT_CERTIFICATE),   "CLIENT_CERTIFICATE"},
 {ERR_FUNC(SSL_F_CLIENT_FINISHED),      "CLIENT_FINISHED"},
 {ERR_FUNC(SSL_F_CLIENT_HELLO), "CLIENT_HELLO"},
@@ -208,7 +209,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
 {ERR_FUNC(SSL_F_SSL_CIPHER_STRENGTH_SORT),     "SSL_CIPHER_STRENGTH_SORT"},
 {ERR_FUNC(SSL_F_SSL_CLEAR),    "SSL_clear"},
 {ERR_FUNC(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD),      "SSL_COMP_add_compression_method"},
-{ERR_FUNC(SSL_F_SSL_CONF_CTX_CMD),     "SSL_CONF_CTX_cmd"},
+{ERR_FUNC(SSL_F_SSL_CONF_CMD), "SSL_CONF_cmd"},
 {ERR_FUNC(SSL_F_SSL_CREATE_CIPHER_LIST),       "ssl_create_cipher_list"},
 {ERR_FUNC(SSL_F_SSL_CTRL),     "SSL_ctrl"},
 {ERR_FUNC(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY),    "SSL_CTX_check_private_key"},