From 4842dde80c6846518df9d1b8fe9dba6db217ffdc Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson"
Date: Sat, 1 Dec 2012 18:33:21 +0000
Subject: [PATCH] return error if Suite B mode is selected and TLS 1.2 can't be used.

Correct error coded
---
 ssl/ssl.h | 3 ++-
 ssl/ssl_ciph.c | 7 +++++++
 ssl/ssl_conf.c | 6 +++---
 ssl/ssl_err.c | 3 ++-
 4 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/ssl/ssl.h b/ssl/ssl.h
index 3c9ba9c024..0aa675efce 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -2309,6 +2309,7 @@ void ERR_load_SSL_strings(void);
 /* Function codes. */
 #define SSL_F_AUTHZ_FIND_DATA 330
 #define SSL_F_AUTHZ_VALIDATE 323
+#define SSL_F_CHECK_SUITEB_CIPHER_LIST 335
 #define SSL_F_CLIENT_CERTIFICATE 100
 #define SSL_F_CLIENT_FINISHED 167
 #define SSL_F_CLIENT_HELLO 101
@@ -2445,7 +2446,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_SSL_CIPHER_STRENGTH_SORT 231
 #define SSL_F_SSL_CLEAR 164
 #define SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD 165
-#define SSL_F_SSL_CONF_CTX_CMD 334
+#define SSL_F_SSL_CONF_CMD 334
 #define SSL_F_SSL_CREATE_CIPHER_LIST 166
 #define SSL_F_SSL_CTRL 232
 #define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY 168
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 7f3e16080b..4d87d2dbc4 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1379,6 +1379,13 @@ static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c,
 return 1;
 /* Check version */
 
+ if (meth->version != TLS1_2_VERSION)
+ {
+ SSLerr(SSL_F_CHECK_SUITEB_CIPHER_LIST,
+ SSL_R_ONLY_TLS_1_2_ALLOWED_IN_SUITEB_MODE);
+ return 0;
+ }
+
 switch(suiteb_flags)
 {
 case SSL_CERT_FLAG_SUITEB_128_LOS:
diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c
index 0de97f8a78..23754739bb 100644
--- a/ssl/ssl_conf.c
+++ b/ssl/ssl_conf.c
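Review bot: The new guard in check_suiteb_cipher_list compares `meth->version` against TLS1_2_VERSION, which only rejects methods fixed to an earlier protocol; it says nothing about what a version-flexible method will actually negotiate, so a peer that tops out at TLS 1.0/1.1 (or an SSL_OP_NO_TLSv1_2 option) could still complete a handshake below TLS 1.2 unless Suite B is also enforced at handshake time, which this hunk does not show. If that enforcement lives elsewhere, the comment here should say so rather than the bare `/* Check version */`; I would replace it with `/* Suite B is defined for TLS 1.2 only: reject methods fixed to an earlier version here; for version-flexible methods the negotiated version must still be checked during the handshake. */`. The failure is reported under the new SSL_F_CHECK_SUITEB_CIPHER_LIST code, but what the caller does with the 0 return is outside the hunk, as are the start and end of the function.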
@@ -385,7 +385,7 @@ int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value)
 size_t i;
 if (cmd == NULL)
 {
- SSLerr(SSL_F_SSL_CONF_CTX_CMD, SSL_R_INVALID_NULL_CMD_NAME);
+ SSLerr(SSL_F_SSL_CONF_CMD, SSL_R_INVALID_NULL_CMD_NAME);
 return 0;
 }
 /* If a prefix is set, check and skip */
@@ -442,7 +442,7 @@ int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value)
 return -2;
 if (cctx->flags & SSL_CONF_FLAG_SHOW_ERRORS)
 {
- SSLerr(SSL_F_SSL_CONF_CTX_CMD, SSL_R_BAD_VALUE);
+ SSLerr(SSL_F_SSL_CONF_CMD, SSL_R_BAD_VALUE);
 ERR_add_error_data(4, "cmd=", cmd, ", value=", value);
 }
 return 0;
@@ -456,7 +456,7 @@ int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value)
 
 if (cctx->flags & SSL_CONF_FLAG_SHOW_ERRORS)
 {
- SSLerr(SSL_F_SSL_CONF_CTX_CMD, SSL_R_UNKNOWN_CMD_NAME);
+ SSLerr(SSL_F_SSL_CONF_CMD, SSL_R_UNKNOWN_CMD_NAME);
 ERR_add_error_data(2, "cmd=", cmd);
 }
 
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index 5654def3f3..b978177ac4 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -72,6 +72,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
 {
 {ERR_FUNC(SSL_F_AUTHZ_FIND_DATA), "AUTHZ_FIND_DATA"},
 {ERR_FUNC(SSL_F_AUTHZ_VALIDATE), "AUTHZ_VALIDATE"},
+{ERR_FUNC(SSL_F_CHECK_SUITEB_CIPHER_LIST), "CHECK_SUITEB_CIPHER_LIST"},
 {ERR_FUNC(SSL_F_CLIENT_CERTIFICATE), "CLIENT_CERTIFICATE"},
 {ERR_FUNC(SSL_F_CLIENT_FINISHED), "CLIENT_FINISHED"},
 {ERR_FUNC(SSL_F_CLIENT_HELLO), "CLIENT_HELLO"},
@@ -208,7 +209,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
 {ERR_FUNC(SSL_F_SSL_CIPHER_STRENGTH_SORT), "SSL_CIPHER_STRENGTH_SORT"},
 {ERR_FUNC(SSL_F_SSL_CLEAR), "SSL_clear"},
 {ERR_FUNC(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD), "SSL_COMP_add_compression_method"},
-{ERR_FUNC(SSL_F_SSL_CONF_CTX_CMD), "SSL_CONF_CTX_cmd"},
+{ERR_FUNC(SSL_F_SSL_CONF_CMD), "SSL_CONF_cmd"},
 {ERR_FUNC(SSL_F_SSL_CREATE_CIPHER_LIST), "ssl_create_cipher_list"},
 {ERR_FUNC(SSL_F_SSL_CTRL), "SSL_ctrl"},
 {ERR_FUNC(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY), "SSL_CTX_check_private_key"},
-- GitLab