diff options
author | Kurt Roeckx <kurt@roeckx.be> | 2016-02-07 20:17:07 +0100 |
---|---|---|
committer | Kurt Roeckx <kurt@roeckx.be> | 2016-03-09 19:10:28 +0100 |
commit | 3eb2aff40116ecceab847c895cbf02cdb075d194 (patch) | |
tree | d35e7768a1e0d4420c4e064d86401072fa660451 /ssl/t1_lib.c | |
parent | 068c358ac314032e9102b6741a0a99fdf15c5527 (diff) |
Add support for minimum and maximum protocol version supported by a cipher
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MR: #1595
Diffstat (limited to 'ssl/t1_lib.c')
-rw-r--r-- | ssl/t1_lib.c | 41 |
1 files changed, 27 insertions, 14 deletions
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 2161d155e8..8f5342b39f 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -982,24 +982,21 @@ int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s, } /* - * Get a mask of disabled algorithms: an algorithm is disabled if it isn't - * supported or doesn't appear in supported signature algorithms. Unlike - * ssl_cipher_get_disabled this applies to a specific session and not global - * settings. + * Set a mask of disabled algorithms: an algorithm is disabled if it isn't + * supported, doesn't appear in supported signature algorithms, isn't supported + * by the enabled protocol versions or by the security level. + * + * This function should only be used for checking which ciphers are supported + * by the client. + * + * Call ssl_cipher_disabled() to check that it's enabled or not. */ void ssl_set_client_disabled(SSL *s) { s->s3->tmp.mask_a = 0; s->s3->tmp.mask_k = 0; - /* Don't allow TLS 1.2 only ciphers if we don't suppport them */ - if (!SSL_CLIENT_USE_TLS1_2_CIPHERS(s)) - s->s3->tmp.mask_ssl = SSL_TLSV1_2; - else - s->s3->tmp.mask_ssl = 0; - /* Disable TLS 1.0 ciphers if using SSL v3 */ - if (s->client_version == SSL3_VERSION) - s->s3->tmp.mask_ssl |= SSL_TLSV1; ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK); + ssl_get_client_min_max_version(s, &s->s3->tmp.min_ver, &s->s3->tmp.max_ver); # ifndef OPENSSL_NO_PSK /* with PSK there must be client callback set */ if (!s->psk_client_callback) { @@ -1015,12 +1012,28 @@ void ssl_set_client_disabled(SSL *s) #endif } +/* + * ssl_cipher_disabled - check that a cipher is disabled or not + * @s: SSL connection that you want to use the cipher on + * @c: cipher to check + * @op: Security check that you want to do + * + * Returns 1 when it's disabled, 0 when enabled. + */ int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op) { - if (c->algorithm_ssl & s->s3->tmp.mask_ssl - || c->algorithm_mkey & s->s3->tmp.mask_k + if (c->algorithm_mkey & s->s3->tmp.mask_k || c->algorithm_auth & s->s3->tmp.mask_a) return 1; + if (s->s3->tmp.max_ver == 0) + return 1; + if (!SSL_IS_DTLS(s) && ((c->min_tls > s->s3->tmp.max_ver) + || (c->max_tls < s->s3->tmp.min_ver))) + return 1; + if (SSL_IS_DTLS(s) && (DTLS_VERSION_GT(c->min_dtls, s->s3->tmp.max_ver) + || DTLS_VERSION_LT(c->max_dtls, s->s3->tmp.min_ver))) + return 1; + return !ssl_security(s, op, c->strength_bits, 0, (void *)c); } |