Ability to specify allowed ciphersuites based on the protocol version.

The ciphersuites parameter in the ssl_session structure changed from 'int *' to 'int *[4]'. The new function ssl_set_ciphersuite_for_version() sets specific entries inside this array. ssl_set_ciphersuite() sets all entries to the same value. (cherry picked from commit a62729888b) Conflicts: ChangeLog library/ssl_srv.c library/ssl_tls.c
2025-07-28 00:21:48 +03:00 · 2013-04-15 15:09:54 +02:00
parent eff2e6d414
commit 8f4ddaeea9
5 changed files with 63 additions and 20 deletions
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@ -255,6 +255,7 @@ static int ssl_write_client_hello( ssl_context *ssl )
    unsigned char *buf;
    unsigned char *p;
    time_t t;
+    const int *ciphersuites;

    SSL_DEBUG_MSG( 2, ( "=> write client hello" ) );

@ -327,7 +328,8 @@ static int ssl_write_client_hello( ssl_context *ssl )
    SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) );
    SSL_DEBUG_BUF( 3,   "client hello, session id", buf + 39, n );

-    for( n = 0; ssl->ciphersuites[n] != 0; n++ );
+    ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
+    for( n = 0; ciphersuites[n] != 0; n++ );
    if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE ) n++;
    *p++ = (unsigned char)( n >> 7 );
    *p++ = (unsigned char)( n << 1 );
@ -347,10 +349,10 @@ static int ssl_write_client_hello( ssl_context *ssl )
    for( i = 0; i < n; i++ )
    {
        SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %2d",
-                       ssl->ciphersuites[i] ) );
+                       ciphersuites[i] ) );

-        *p++ = (unsigned char)( ssl->ciphersuites[i] >> 8 );
-        *p++ = (unsigned char)( ssl->ciphersuites[i]      );
+        *p++ = (unsigned char)( ciphersuites[i] >> 8 );
+        *p++ = (unsigned char)( ciphersuites[i]      );
    }

 #if defined(POLARSSL_ZLIB_SUPPORT)
@ -571,7 +573,7 @@ static int ssl_parse_server_hello( ssl_context *ssl )
    if( ssl->transform_negotiate->ciphersuite_info == NULL )
    {
        SSL_DEBUG_MSG( 1, ( "ciphersuite info for %02x not found",
-                          ssl->ciphersuites[i] ) );
+                          ssl->ciphersuite_list[ssl->minor_ver][i] ) );
        return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
    }

@ -616,14 +618,17 @@ static int ssl_parse_server_hello( ssl_context *ssl )
    i = 0;
    while( 1 )
    {
-        if( ssl->ciphersuites[i] == 0 )
+        if( ssl->ciphersuite_list[ssl->minor_ver][i] == 0 )
        {
            SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
            return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
        }

-        if( ssl->ciphersuites[i++] == ssl->session_negotiate->ciphersuite )
+        if( ssl->ciphersuite_list[ssl->minor_ver][i++] ==
+            ssl->session_negotiate->ciphersuite )
+        {
            break;
+        }
    }

    if( comp != SSL_COMPRESS_NULL