return error if Suite B mode is selected and TLS 1.2 can't be used. Correct error coded

2025-01-30 14:01:55 +08:00 · 2012-12-01 18:33:21 +00:00 · 2012-12-01 18:33:21 +00:00 · 4842dde80c
commit 4842dde80c
parent f91926a240
4 changed files with 14 additions and 5 deletions
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@ -2309,6 +2309,7 @@ void ERR_load_SSL_strings(void);
 /* Function codes. */
 #define SSL_F_AUTHZ_FIND_DATA				 330
 #define SSL_F_AUTHZ_VALIDATE				 323
+#define SSL_F_CHECK_SUITEB_CIPHER_LIST			 335
 #define SSL_F_CLIENT_CERTIFICATE			 100
 #define SSL_F_CLIENT_FINISHED				 167
 #define SSL_F_CLIENT_HELLO				 101
@ -2445,7 +2446,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_SSL_CIPHER_STRENGTH_SORT			 231
 #define SSL_F_SSL_CLEAR					 164
 #define SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD		 165
-#define SSL_F_SSL_CONF_CTX_CMD				 334
+#define SSL_F_SSL_CONF_CMD				 334
 #define SSL_F_SSL_CREATE_CIPHER_LIST			 166
 #define SSL_F_SSL_CTRL					 232
 #define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY			 168
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@ -1379,6 +1379,13 @@ static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c,
 		return 1;
 	/* Check version */

+	if (meth->version != TLS1_2_VERSION)
+		{
+		SSLerr(SSL_F_CHECK_SUITEB_CIPHER_LIST,
+				SSL_R_ONLY_TLS_1_2_ALLOWED_IN_SUITEB_MODE);
+		return 0;
+		}
+
 	switch(suiteb_flags)
 		{
 	case SSL_CERT_FLAG_SUITEB_128_LOS:
--- a/ssl/ssl_conf.c
+++ b/ssl/ssl_conf.c
@ -385,7 +385,7 @@ int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value)
 	size_t i;
 	if (cmd == NULL)
 		{
-		SSLerr(SSL_F_SSL_CONF_CTX_CMD, SSL_R_INVALID_NULL_CMD_NAME);
+		SSLerr(SSL_F_SSL_CONF_CMD, SSL_R_INVALID_NULL_CMD_NAME);
 		return 0;
 		}
 	/* If a prefix is set, check and skip */
@ -442,7 +442,7 @@ int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value)
 			return -2;
 		if (cctx->flags & SSL_CONF_FLAG_SHOW_ERRORS)
 			{
-			SSLerr(SSL_F_SSL_CONF_CTX_CMD, SSL_R_BAD_VALUE);
+			SSLerr(SSL_F_SSL_CONF_CMD, SSL_R_BAD_VALUE);
 			ERR_add_error_data(4, "cmd=", cmd, ", value=", value);
 			}
 		return 0;
@ -456,7 +456,7 @@ int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value)

 	if (cctx->flags & SSL_CONF_FLAG_SHOW_ERRORS)
 		{
-		SSLerr(SSL_F_SSL_CONF_CTX_CMD, SSL_R_UNKNOWN_CMD_NAME);
+		SSLerr(SSL_F_SSL_CONF_CMD, SSL_R_UNKNOWN_CMD_NAME);
 		ERR_add_error_data(2, "cmd=", cmd);
 		}

--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@ -72,6 +72,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
 	{
 {ERR_FUNC(SSL_F_AUTHZ_FIND_DATA),	"AUTHZ_FIND_DATA"},
 {ERR_FUNC(SSL_F_AUTHZ_VALIDATE),	"AUTHZ_VALIDATE"},
+{ERR_FUNC(SSL_F_CHECK_SUITEB_CIPHER_LIST),	"CHECK_SUITEB_CIPHER_LIST"},
 {ERR_FUNC(SSL_F_CLIENT_CERTIFICATE),	"CLIENT_CERTIFICATE"},
 {ERR_FUNC(SSL_F_CLIENT_FINISHED),	"CLIENT_FINISHED"},
 {ERR_FUNC(SSL_F_CLIENT_HELLO),	"CLIENT_HELLO"},
@ -208,7 +209,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
 {ERR_FUNC(SSL_F_SSL_CIPHER_STRENGTH_SORT),	"SSL_CIPHER_STRENGTH_SORT"},
 {ERR_FUNC(SSL_F_SSL_CLEAR),	"SSL_clear"},
 {ERR_FUNC(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD),	"SSL_COMP_add_compression_method"},
-{ERR_FUNC(SSL_F_SSL_CONF_CTX_CMD),	"SSL_CONF_CTX_cmd"},
+{ERR_FUNC(SSL_F_SSL_CONF_CMD),	"SSL_CONF_cmd"},
 {ERR_FUNC(SSL_F_SSL_CREATE_CIPHER_LIST),	"ssl_create_cipher_list"},
 {ERR_FUNC(SSL_F_SSL_CTRL),	"SSL_ctrl"},
 {ERR_FUNC(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY),	"SSL_CTX_check_private_key"},