authorNikos Mavrogiannopoulos <nmav@redhat.com>2017-09-21 09:50:10 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2017-10-10 18:09:00 +0200
commitcd5461320584ef94eaac834f05fb2e816abf71a2 (patch)
tree07e146abcf231c7fc2d7bbc140f1ab4fff31d9a5
parentff681da68e7c6a6ace2ddc80805a71ee85f68547 (diff)
downloadgnutls-cd5461320584ef94eaac834f05fb2e816abf71a2.tar.gz
ciphersuites: introduce a maximum supported TLS/DTLS version
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r--lib/algorithms/ciphersuites.c12
-rw-r--r--lib/gnutls_int.h4
2 files changed, 11 insertions, 5 deletions
diff --git a/lib/algorithms/ciphersuites.c b/lib/algorithms/ciphersuites.c
index 5605913e87..2050150582 100644
--- a/lib/algorithms/ciphersuites.c
+++ b/lib/algorithms/ciphersuites.c
@@ -38,11 +38,11 @@
/* Cipher SUITES */
#define ENTRY( name, block_algorithm, kx_algorithm, mac_algorithm, min_version, dtls_version ) \
- { #name, name, block_algorithm, kx_algorithm, mac_algorithm, min_version, dtls_version, GNUTLS_MAC_SHA256}
+ { #name, name, block_algorithm, kx_algorithm, mac_algorithm, min_version, GNUTLS_TLS1_2, dtls_version, GNUTLS_DTLS1_2, GNUTLS_MAC_SHA256}
#define ENTRY_PRF( name, block_algorithm, kx_algorithm, mac_algorithm, min_version, dtls_version, prf ) \
- { #name, name, block_algorithm, kx_algorithm, mac_algorithm, min_version, dtls_version, prf}
+ { #name, name, block_algorithm, kx_algorithm, mac_algorithm, min_version, GNUTLS_TLS1_2, dtls_version, GNUTLS_DTLS1_2, prf}
#define ENTRY_TLS13( name, block_algorithm, min_version, prf ) \
- { #name, name, block_algorithm, 0, GNUTLS_MAC_AEAD, min_version, GNUTLS_VERSION_UNKNOWN, prf}
+ { #name, name, block_algorithm, 0, GNUTLS_MAC_AEAD, min_version, GNUTLS_TLS1_3, GNUTLS_VERSION_UNKNOWN, GNUTLS_VERSION_UNKNOWN, prf}
/* TLS 1.3 ciphersuites */
#define GNUTLS_AES_128_GCM_SHA256 { 0x13, 0x01 }
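Review bot: The new max_version and max_dtls_version fields are filled with fixed values inside ENTRY and ENTRY_PRF (GNUTLS_TLS1_2 and GNUTLS_DTLS1_2), so the ceiling is invisible at each suite's definition and, unlike min_version, cannot be set per suite. A comment above the macros should state the intent, e.g. `/* suites defined via ENTRY/ENTRY_PRF are capped at TLS 1.2 / DTLS 1.2; only ENTRY_TLS13 suites may be negotiated under TLS 1.3 */`, so a reader does not assume a pre-1.3 suite can be selected under a later version. These initializers are positional, so they must stay in the same order as the fields of gnutls_cipher_suite_entry_st; that dependency is worth a one-line note at the macros. ENTRY_TLS13 sets both DTLS bounds to GNUTLS_VERSION_UNKNOWN, which reads as "not available over DTLS" — saying so explicitly would help as well.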
@@ -1395,11 +1395,13 @@ const char *gnutls_cipher_suite_info(size_t idx,
#define VERSION_CHECK(entry) \
if (is_dtls) { \
if (entry->min_dtls_version == GNUTLS_VERSION_UNKNOWN || \
- version->id < entry->min_dtls_version) \
+ version->id < entry->min_dtls_version || \
+ version->id > entry->max_dtls_version) \
continue; \
} else { \
if (entry->min_version == GNUTLS_VERSION_UNKNOWN || \
- version->id < entry->min_version) \
+ version->id < entry->min_version || \
+ version->id > entry->max_version) \
continue; \
}
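Review bot: The added `version->id > entry->max_version` and `version->id > entry->max_dtls_version` comparisons rely on the numeric values of gnutls_protocol_t increasing with protocol version within each of the TLS and DTLS families, which nothing in the hunk states; a comment such as `/* relies on gnutls_protocol_t ids being ordered by version within the TLS and DTLS families */` would make the assumption visible where the enum is next extended. The max_dtls_version of GNUTLS_VERSION_UNKNOWN that ENTRY_TLS13 assigns is only harmless because the min_dtls_version test on the preceding line short-circuits first; that evaluation order is load-bearing and deserves a note. The gnutls_cipher_suite_info context named in the hunk header lies outside the hunk; the macro itself is shown in full.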
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index 9958e6633d..3cc35e2f2b 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -514,7 +514,11 @@ typedef struct gnutls_cipher_suite_entry_st {
gnutls_protocol_t min_version; /* this cipher suite is supported
* from 'version' and above;
*/
+ gnutls_protocol_t max_version; /* this cipher suite is not supported
+ * after 'version' and above;
+ */
gnutls_protocol_t min_dtls_version; /* DTLS min version */
+ gnutls_protocol_t max_dtls_version; /* DTLS max version */
gnutls_mac_algorithm_t prf;
} gnutls_cipher_suite_entry_st;
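Review bot: The comment on the new max_version field, `this cipher suite is not supported after 'version' and above`, contradicts itself ("after" and "and above" describe the same side of the bound); it should read `/* this cipher suite is supported up to and including 'version' */`. The same precision would suit max_dtls_version, `/* DTLS max version (inclusive) */`, since VERSION_CHECK in ciphersuites.c rejects only ids strictly greater than the max. Because the ENTRY macros initialize this struct positionally, a note that field order must match those macros would help whoever next inserts a field. The struct's opening line appears only in the hunk header, outside the hunk.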