author | Kurt Roeckx <kurt@roeckx.be> | 2016-02-07 20:17:07 +0100 |
---|---|---|
committer | Kurt Roeckx <kurt@roeckx.be> | 2016-03-09 19:10:28 +0100 |
commit | 3eb2aff40116ecceab847c895cbf02cdb075d194 (patch) | |
tree | d35e7768a1e0d4420c4e064d86401072fa660451 /ssl/statem | |
parent | 068c358ac314032e9102b6741a0a99fdf15c5527 (diff) |
Add support for minimum and maximum protocol version supported by a cipher
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MR: #1595
Diffstat (limited to 'ssl/statem')
-rw-r--r-- | ssl/statem/statem_clnt.c | 18 | ||||
-rw-r--r-- | ssl/statem/statem_lib.c | 6 |
2 files changed, 11 insertions, 13 deletions
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 03f4a8f97e..26c4d10785 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -1143,17 +1143,15 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
         SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_UNKNOWN_CIPHER_RETURNED);
         goto f_err;
     }
-    /* Set version disabled mask now we know version */
-    if (!SSL_USE_TLS1_2_CIPHERS(s))
-        s->s3->tmp.mask_ssl = SSL_TLSV1_2;
-    else
-        s->s3->tmp.mask_ssl = 0;
-    /* Skip TLS v1.0 ciphersuites if SSLv3 */
-    if ((c->algorithm_ssl & SSL_TLSV1) && s->version == SSL3_VERSION)
-        s->s3->tmp.mask_ssl |= SSL_TLSV1;
     /*
-     * If it is a disabled cipher we didn't send it in client hello, so
-     * return an error.
+     * Now that we know the version, update the check to see if it's an allowed
+     * version.
+     */
+    s->s3->tmp.min_ver = s->version;
+    s->s3->tmp.max_ver = s->version;
+    /*
+     * If it is a disabled cipher we either didn't send it in client hello,
+     * or it's not allowed for the selected protocol. So we return an error.
      */
     if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_CHECK)) {
         al = SSL_AD_ILLEGAL_PARAMETER;
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index 6028066918..6be6e1d8a0 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -1117,13 +1117,13 @@ int ssl_get_client_min_max_version(const SSL *s, int *min_version, int *max_vers
  */
 int ssl_set_client_hello_version(SSL *s)
 {
-    int min, max, ret;
+    int ver_min, ver_max, ret;
-    ret = ssl_get_client_min_max_version(s, &min, &max);
+    ret = ssl_get_client_min_max_version(s, &ver_min, &ver_max);
     if (ret != 0)
         return ret;
-    s->client_version = s->version = max;
+    s->client_version = s->version = ver_max;
     return 0;
 }
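Review bot: The new comment above `s->s3->tmp.min_ver = s->version;` does not say what is being pinned or why both bounds are collapsed to one value, which is the part a reader needs: presumably ssl_cipher_disabled() now compares the cipher's own minimum/maximum protocol version against this range, so setting both bounds to the negotiated version makes the check reject a cipher the server selected outside the version it also selected. Suggest `/* Pin the cipher version check to the negotiated version so that ssl_cipher_disabled() rejects a cipher whose protocol range excludes it. */` in place of the "update the check" wording. Since the removed lines were the only version-aware guards here, two things are worth confirming in the callee: that ssl_cipher_disabled() handles the DTLS version numbers s->version can carry on a DTLS connection (they do not order the same way as TLS versions), and that nothing still consults the old mask_ssl field, which this path no longer resets and so could retain a value from an earlier handshake. tls_process_server_hello starts and ends outside the hunk.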