Add HMAC ECC ciphersuites from RFC5289. Include SHA384 PRF support and

prohibit use of these ciphersuites for TLS < 1.2
2011-07-25 20:41:32 +00:00
parent 2667162d33
commit d09677ac45
7 changed files with 203 additions and 6 deletions
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -894,6 +894,14 @@ int ssl3_get_server_hello(SSL *s)
 		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNKNOWN_CIPHER_RETURNED);
 		goto f_err;
 		}
+	/* TLS v1.2 only ciphersuites require v1.2 or later */
+	if ((c->algorithm_ssl & SSL_TLSV1_2) && 
+		(TLS1_get_version(s) < TLS1_2_VERSION))
+		{
+		al=SSL_AD_ILLEGAL_PARAMETER;
+		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED);
+		goto f_err;
+		}
 	p+=ssl_put_cipher_by_char(s,NULL,NULL);

 	sk=ssl_get_ciphers_by_id(s);