diff options
| author | Lutz Jänicke <jaenicke@openssl.org> | 2001-02-09 19:56:31 +0000 |
|---|---|---|
| committer | Lutz Jänicke <jaenicke@openssl.org> | 2001-02-09 19:56:31 +0000 |
| commit | 836f996010d6a5f38d9a13279c37e84a42819966 (patch) | |
| tree | e5188ce6a43977577a5efb7884da010b9805c993 /ssl/s2_clnt.c | |
| parent | 1613c4d3bff02bd2715e0e8a61356e82f9c0e147 (diff) | |
New Option SSL_OP_CIPHER_SERVER_PREFERENCE allows TLS/SSLv3 server to override
the clients choice; in SSLv2 the client uses the server's preferences.
Diffstat (limited to 'ssl/s2_clnt.c')
| -rw-r--r-- | ssl/s2_clnt.c | 32 |
1 files changed, 24 insertions, 8 deletions
diff --git a/ssl/s2_clnt.c b/ssl/s2_clnt.c index 28d6d65296..3e06286375 100644 --- a/ssl/s2_clnt.c +++ b/ssl/s2_clnt.c @@ -287,7 +287,7 @@ static int get_server_hello(SSL *s) unsigned char *buf; unsigned char *p; int i,j; - STACK_OF(SSL_CIPHER) *sk=NULL,*cl; + STACK_OF(SSL_CIPHER) *sk=NULL,*cl, *prio, *allow; buf=(unsigned char *)s->init_buf->data; p=buf; @@ -414,27 +414,43 @@ static int get_server_hello(SSL *s) sk_SSL_CIPHER_set_cmp_func(sk,ssl_cipher_ptr_id_cmp); /* get the array of ciphers we will accept */ - cl=ssl_get_ciphers_by_id(s); - + cl=SSL_get_ciphers(s); + sk_SSL_CIPHER_set_cmp_func(cl,ssl_cipher_ptr_id_cmp); + + /* + * If server preference flag set, choose the first + * (highest priority) cipher the server sends, otherwise + * client preference has priority. + */ + if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) + { + prio = sk; + allow = cl; + } + else + { + prio = cl; + allow = sk; + } /* In theory we could have ciphers sent back that we * don't want to use but that does not matter since we * will check against the list we originally sent and * for performance reasons we should not bother to match * the two lists up just to check. */ - for (i=0; i<sk_SSL_CIPHER_num(cl); i++) + for (i=0; i<sk_SSL_CIPHER_num(prio); i++) { - if (sk_SSL_CIPHER_find(sk, - sk_SSL_CIPHER_value(cl,i)) >= 0) + if (sk_SSL_CIPHER_find(allow, + sk_SSL_CIPHER_value(prio,i)) >= 0) break; } - if (i >= sk_SSL_CIPHER_num(cl)) + if (i >= sk_SSL_CIPHER_num(prio)) { ssl2_return_error(s,SSL2_PE_NO_CIPHER); SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_NO_CIPHER_MATCH); return(-1); } - s->session->cipher=sk_SSL_CIPHER_value(cl,i); + s->session->cipher=sk_SSL_CIPHER_value(prio,i); if (s->session->peer != NULL) /* can't happen*/ |