authorDr. Stephen Henson <steve@openssl.org>2013-04-09 15:57:39 +0100
committerDr. Stephen Henson <steve@openssl.org>2013-04-09 16:49:13 +0100
commit4544f0a69161a37ee3edce3cc1bc34c3678a4d64 (patch)
tree3f722dd7c35b791ec0bac696804c9821c838c9c3 /ssl/s3_srvr.c
parentc56f5b8edfbcec704f924870daddd96a5f768fbb (diff)
downloadopenssl-new-4544f0a69161a37ee3edce3cc1bc34c3678a4d64.tar.gz
Suite B support for DTLS 1.2
Check for Suite B support using method flags instead of version numbers: anything supporting TLS 1.2 cipher suites will also support Suite B. Return an error if an attempt to use DTLS 1.0 is made in Suite B mode.
Diffstat (limited to 'ssl/s3_srvr.c')
-rw-r--r--ssl/s3_srvr.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index d915155e15..ea4e132d97 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -1096,6 +1096,13 @@ int ssl3_get_client_hello(SSL *s)
s->version = DTLS1_2_VERSION;
s->method = DTLSv1_2_server_method();
}
+ else if (tls1_suiteb(s))
+ {
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_ONLY_DTLS_1_2_ALLOWED_IN_SUITEB_MODE);
+ s->version = s->client_version;
+ al = SSL_AD_PROTOCOL_VERSION;
+ goto f_err;
+ }
else if (s->client_version <= DTLS1_VERSION &&
!(s->options & SSL_OP_NO_DTLSv1))
{
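Review bot: The new `else if (tls1_suiteb(s))` branch has no comment saying that its position in the chain is what enforces the policy: it blocks DTLS 1.0 only because it is tested before the `s->client_version <= DTLS1_VERSION` branch that follows it. I would add `/* Suite B requires DTLS 1.2: keep this test ahead of the DTLS 1.0 branch so it can never be selected */` above the branch, so that a later reordering does not silently allow DTLS 1.0 in Suite B mode. The condition of the preceding DTLS 1.2 branch is outside the hunk, so this path is presumably also taken when DTLS 1.2 is disabled locally rather than refused by the peer; if so, the comment should say that the error can reflect server configuration. ssl3_get_client_hello starts and ends outside the hunk.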