Commit 4544f0a6 authored by Dr. Stephen Henson

Suite B support for DTLS 1.2

Check for Suite B support using method flags instead of version numbers:
anything supporting TLS 1.2 cipher suites will also support Suite B.

Return an error if an attempt to use DTLS 1.0 is made in Suite B mode.
parent c56f5b8e
+1 −1
@@ -667,7 +667,7 @@ int dtls1_accept(SSL *s)
				 */
				if (!s->s3->handshake_buffer)
					{
					SSLerr(SSL_F_SSL3_ACCEPT,ERR_R_INTERNAL_ERROR);
					SSLerr(SSL_F_DTLS1_ACCEPT,ERR_R_INTERNAL_ERROR);
					return -1;
					}
				s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE;
+17 −0
@@ -701,6 +701,11 @@ int ssl3_client_hello(SSL *s)
			/* If DTLS 1.2 disabled correct the version number */
			if (options & SSL_OP_NO_DTLSv1_2)
				{
				if (tls1_suiteb(s))
					{
					SSLerr(SSL_F_SSL3_CLIENT_HELLO, SSL_R_ONLY_DTLS_1_2_ALLOWED_IN_SUITEB_MODE);
					goto err;
					}
				/* Disabling all versions is silly: return an
				 * error.
				 */
@@ -954,11 +959,23 @@ int ssl3_get_server_hello(SSL *s)
		if (hversion == DTLS1_2_VERSION
			&& !(options & SSL_OP_NO_DTLSv1_2))
			s->method = DTLSv1_2_client_method();
		else if (tls1_suiteb(s))
			{
			SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_ONLY_DTLS_1_2_ALLOWED_IN_SUITEB_MODE);
			s->version = hversion;
			al = SSL_AD_PROTOCOL_VERSION;
			goto f_err;
			}
		else if (hversion == DTLS1_VERSION
			&& !(options & SSL_OP_NO_DTLSv1))
			s->method = DTLSv1_client_method();
		else
			{
			SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_SSL_VERSION);
			s->version = hversion;
			al = SSL_AD_PROTOCOL_VERSION;
			goto f_err;
			}
		s->version = s->client_version = s->method->version;
		}
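Review bot: In ssl3_get_server_hello the new `else if (tls1_suiteb(s))` branch is only effective because it sits between the DTLS 1.2 test and the DTLS 1.0 test, and nothing in the code says so. If the branches are later reordered, or another version branch is added above it, a Suite B client would accept a DTLS 1.0 ServerHello with no obvious signal in review. A comment above the branch would pin the intent, for example `/* Suite B requires DTLS 1.2: must be tested before any fallback to an older version */`. The same ordering dependency exists in the matching branch added to ssl3_get_client_hello. The new branch also repeats the `s->version = hversion; al = SSL_AD_PROTOCOL_VERSION; goto f_err;` tail of the final else, so the two error paths can drift apart.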

+7 −0
@@ -1096,6 +1096,13 @@ int ssl3_get_client_hello(SSL *s)
				s->version = DTLS1_2_VERSION;
				s->method = DTLSv1_2_server_method();
				}
			else if (tls1_suiteb(s))
				{
				SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_ONLY_DTLS_1_2_ALLOWED_IN_SUITEB_MODE);
				s->version = s->client_version;
				al = SSL_AD_PROTOCOL_VERSION;
				goto f_err;
				}
			else if (s->client_version <= DTLS1_VERSION &&
				!(s->options & SSL_OP_NO_DTLSv1))
				{
+1 −0
@@ -2724,6 +2724,7 @@ void ERR_load_SSL_strings(void);
#define SSL_R_NULL_SSL_METHOD_PASSED			 196
#define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED		 197
#define SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED 344
#define SSL_R_ONLY_DTLS_1_2_ALLOWED_IN_SUITEB_MODE	 387
#define SSL_R_ONLY_TLS_1_2_ALLOWED_IN_SUITEB_MODE	 379
#define SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE		 297
#define SSL_R_OPAQUE_PRF_INPUT_TOO_LONG			 327
+7 −3
@@ -1377,10 +1377,14 @@ static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c,

	if (!suiteb_flags)
		return 1;
	/* Check version */
	/* Check version: if TLS 1.2 ciphers allowed we can use Suite B */

	if (meth->version != TLS1_2_VERSION)
	if (!(meth->ssl3_enc->enc_flags & SSL_ENC_FLAG_TLS1_2_CIPHERS))
		{
		if (meth->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS)
			SSLerr(SSL_F_CHECK_SUITEB_CIPHER_LIST,
				SSL_R_ONLY_DTLS_1_2_ALLOWED_IN_SUITEB_MODE);
		else
			SSLerr(SSL_F_CHECK_SUITEB_CIPHER_LIST,
				SSL_R_ONLY_TLS_1_2_ALLOWED_IN_SUITEB_MODE);
		return 0;
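Review bot: After this change the `enc_flags` test in check_suiteb_cipher_list checks what the method is capable of, not which version ends up negotiated, and the rewritten comment does not say that. A method able to negotiate several DTLS versions presumably carries SSL_ENC_FLAG_TLS1_2_CIPHERS and passes here, so rejecting DTLS 1.0 then depends on the handshake-time `tls1_suiteb(s)` checks added elsewhere in this commit. I would extend the comment to something like `/* Capability check only: the negotiated version is enforced during the handshake */`. The function body continues past the end of the hunk.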