diff options
| -rw-r--r-- | ssl/s3_lib.c | 15 | ||||
| -rw-r--r-- | ssl/ssl_locl.h | 3 | ||||
| -rw-r--r-- | ssl/statem/statem_lib.c | 8 |
3 files changed, 11 insertions, 15 deletions
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 3feb628809..d8cce5e63c 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -58,6 +58,14 @@ #define SSL3_NUM_CIPHERS OSSL_NELEM(ssl3_ciphers) #define SSL3_NUM_SCSVS OSSL_NELEM(ssl3_scsvs) +/* TLSv1.3 downgrade protection sentinel values */ +const unsigned char tls11downgrade[] = { + 0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00 +}; +const unsigned char tls12downgrade[] = { + 0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01 +}; + /* * The list of available ciphers, mostly organized into the following * groups: @@ -4030,13 +4038,6 @@ int ssl_fill_hello_random(SSL *s, int server, unsigned char *result, size_t len, } #ifndef OPENSSL_NO_TLS13DOWNGRADE if (ret) { - static const unsigned char tls11downgrade[] = { - 0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00 - }; - static const unsigned char tls12downgrade[] = { - 0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01 - }; - assert(sizeof(tls11downgrade) < len && sizeof(tls12downgrade) < len); if (dgrd == DOWNGRADE_TO_1_2) memcpy(result + len - sizeof(tls12downgrade), tls12downgrade, diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 4a9e599818..4378b7177d 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -1865,6 +1865,9 @@ typedef enum tlsext_index_en { /* A dummy signature value not valid for TLSv1.2 signature algs */ #define TLSEXT_signature_rsa_pss 0x0101 +/* TLSv1.3 downgrade protection sentinel values */ +extern const unsigned char tls11downgrade[8]; +extern const unsigned char tls12downgrade[8]; extern SSL3_ENC_METHOD ssl3_undef_enc_method; diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c index f098213869..bf1a5b20e0 100644 --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c @@ -1726,14 +1726,6 @@ int ssl_choose_client_version(SSL *s, int version, int checkdgrd, int *al) for (vent = table; vent->version != 0; ++vent) { const SSL_METHOD *method; int err; -#ifndef OPENSSL_NO_TLS13DOWNGRADE - static const unsigned char tls11downgrade[] = { - 0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00 - }; - static const unsigned char tls12downgrade[] = { - 0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01 - }; -#endif if (vent->cmeth == NULL) continue; |