From b79df62eff0f48399a6e8d0cf4509992524bb0bd Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Wed, 26 Dec 2012 17:39:02 +0000 Subject: [PATCH] return error if Suite B mode is selected and TLS 1.2 can't be used. (backport from HEAD) --- ssl/ssl.h | 1 + ssl/ssl_ciph.c | 7 +++++++ ssl/ssl_err.c | 1 + 3 files changed, 9 insertions(+) diff --git a/ssl/ssl.h b/ssl/ssl.h index 5a39e98bb3..c6cc41b1b2 100644 --- a/ssl/ssl.h +++ b/ssl/ssl.h @@ -2261,6 +2261,7 @@ void ERR_load_SSL_strings(void); /* Function codes. */ #define SSL_F_AUTHZ_FIND_DATA 330 #define SSL_F_AUTHZ_VALIDATE 323 +#define SSL_F_CHECK_SUITEB_CIPHER_LIST 331 #define SSL_F_CLIENT_CERTIFICATE 100 #define SSL_F_CLIENT_FINISHED 167 #define SSL_F_CLIENT_HELLO 101 diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index e4bc18440e..159d010c24 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -1376,6 +1376,13 @@ static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c, return 1; /* Check version */ + if (meth->version != TLS1_2_VERSION) + { + SSLerr(SSL_F_CHECK_SUITEB_CIPHER_LIST, + SSL_R_ONLY_TLS_1_2_ALLOWED_IN_SUITEB_MODE); + return 0; + } + switch(suiteb_flags) { case SSL_CERT_FLAG_SUITEB_128_LOS: diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c index 2a8b4bf712..e21f6e5cb1 100644 --- a/ssl/ssl_err.c +++ b/ssl/ssl_err.c @@ -72,6 +72,7 @@ static ERR_STRING_DATA SSL_str_functs[]= { {ERR_FUNC(SSL_F_AUTHZ_FIND_DATA), "AUTHZ_FIND_DATA"}, {ERR_FUNC(SSL_F_AUTHZ_VALIDATE), "AUTHZ_VALIDATE"}, +{ERR_FUNC(SSL_F_CHECK_SUITEB_CIPHER_LIST), "CHECK_SUITEB_CIPHER_LIST"}, {ERR_FUNC(SSL_F_CLIENT_CERTIFICATE), "CLIENT_CERTIFICATE"}, {ERR_FUNC(SSL_F_CLIENT_FINISHED), "CLIENT_FINISHED"}, {ERR_FUNC(SSL_F_CLIENT_HELLO), "CLIENT_HELLO"}, -- 2.25.1