return error if Suite B mode is selected and TLS 1.2 can't be used.
authorDr. Stephen Henson <steve@openssl.org>
Wed, 26 Dec 2012 17:39:02 +0000 (17:39 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Wed, 26 Dec 2012 17:39:02 +0000 (17:39 +0000)
(backport from HEAD)

ssl/ssl.h
ssl/ssl_ciph.c
ssl/ssl_err.c

index 5a39e98..c6cc41b 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -2261,6 +2261,7 @@ void ERR_load_SSL_strings(void);
 /* Function codes. */
 #define SSL_F_AUTHZ_FIND_DATA                           330
 #define SSL_F_AUTHZ_VALIDATE                            323
+#define SSL_F_CHECK_SUITEB_CIPHER_LIST                  331
 #define SSL_F_CLIENT_CERTIFICATE                        100
 #define SSL_F_CLIENT_FINISHED                           167
 #define SSL_F_CLIENT_HELLO                              101
index e4bc184..159d010 100644 (file)
@@ -1376,6 +1376,13 @@ static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c,
                return 1;
        /* Check version */
 
+       if (meth->version != TLS1_2_VERSION)
+               {
+               SSLerr(SSL_F_CHECK_SUITEB_CIPHER_LIST,
+                               SSL_R_ONLY_TLS_1_2_ALLOWED_IN_SUITEB_MODE);
+               return 0;
+               }
+
        switch(suiteb_flags)
                {
        case SSL_CERT_FLAG_SUITEB_128_LOS:
index 2a8b4bf..e21f6e5 100644 (file)
@@ -72,6 +72,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
        {
 {ERR_FUNC(SSL_F_AUTHZ_FIND_DATA),      "AUTHZ_FIND_DATA"},
 {ERR_FUNC(SSL_F_AUTHZ_VALIDATE),       "AUTHZ_VALIDATE"},
+{ERR_FUNC(SSL_F_CHECK_SUITEB_CIPHER_LIST),     "CHECK_SUITEB_CIPHER_LIST"},
 {ERR_FUNC(SSL_F_CLIENT_CERTIFICATE),   "CLIENT_CERTIFICATE"},
 {ERR_FUNC(SSL_F_CLIENT_FINISHED),      "CLIENT_FINISHED"},
 {ERR_FUNC(SSL_F_CLIENT_HELLO), "CLIENT_HELLO"},