commit 8f4ddaeea9dbde232070817f0d87817cfbddd1c5
author Paul Bakker <p.j.bakker@polarssl.org> Mon Apr 15 15:09:54 2013 +0200
committer Paul Bakker <p.j.bakker@polarssl.org> Tue Apr 16 18:09:45 2013 +0200
tree 876da55ab19f6eade36c83c944ad55f4410cbef4
parent eff2e6d4146b72637fbec2ea6b8b800b3f3d9980

Ability to specify allowed ciphersuites based on the protocol version.

The ciphersuites parameter in the ssl_session structure changed from
'int *' to 'int *[4]'.

The new function ssl_set_ciphersuite_for_version() sets specific entries
inside this array. ssl_set_ciphersuite() sets all entries to the same
value.
(cherry picked from commit a62729888b9d8eafbfa952fca63a04100ed90f69)

Conflicts:
	ChangeLog
	library/ssl_srv.c
	library/ssl_tls.c

library/ssl_srv.c

diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index b94ac92..fbc86ab 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -271,6 +271,7 @@
     size_t n;
     unsigned int ciph_len, sess_len, chal_len;
     unsigned char *buf, *p;
+    const int *ciphersuites;
 
     SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );
 
@@ -431,7 +432,8 @@
         }
     }
 
-    for( i = 0; ssl->ciphersuites[i] != 0; i++ )
+    ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
+    for( i = 0; ciphersuites[i] != 0; i++ )
     {
         for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
         {
@@ -439,8 +441,8 @@
             //
             if( p[0] == 0 &&
                 p[1] == 0 &&
-                ( ( ssl->ciphersuites[i] >> 8 ) & 0xFF ) == 0 &&
-                p[2] == ( ssl->ciphersuites[i] & 0xFF ) )
+                ( ( ciphersuites[i] >> 8 ) & 0xFF ) == 0 &&
+                p[2] == ( ciphersuites[i] & 0xFF ) )
                 goto have_ciphersuite_v2;
         }
     }
@@ -450,7 +452,7 @@
     return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
 
 have_ciphersuite_v2:
-    ssl->session_negotiate->ciphersuite = ssl->ciphersuites[i];
+    ssl->session_negotiate->ciphersuite = ciphersuites[i];
     ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
 
     /*
@@ -487,6 +489,7 @@
     unsigned char *buf, *p, *ext;
     int renegotiation_info_seen = 0;
     int handshake_failure = 0;
+    const int *ciphersuites;
     const ssl_ciphersuite_t *ciphersuite_info;
 
     SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
@@ -836,20 +839,21 @@
      * Search for a matching ciphersuite
      * (At the end because we need information from the EC-based extensions)
      */
-    for( i = 0; ssl->ciphersuites[i] != 0; i++ )
+    ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
+    for( i = 0; ciphersuites[i] != 0; i++ )
     {
         for( j = 0, p = buf + 41 + sess_len; j < ciph_len;
             j += 2, p += 2 )
         {
-            if( p[0] == ( ( ssl->ciphersuites[i] >> 8 ) & 0xFF ) &&
-                p[1] == ( ( ssl->ciphersuites[i]      ) & 0xFF ) )
+            if( p[0] == ( ( ciphersuites[i] >> 8 ) & 0xFF ) &&
+                p[1] == ( ( ciphersuites[i]      ) & 0xFF ) )
             {
-                ciphersuite_info = ssl_ciphersuite_from_id( ssl->ciphersuites[i] );
+                ciphersuite_info = ssl_ciphersuite_from_id( ciphersuites[i] );
 
                 if( ciphersuite_info == NULL )
                 {
                     SSL_DEBUG_MSG( 1, ( "ciphersuite info for %02x not found",
-                                   ssl->ciphersuites[i] ) );
+                                   ciphersuites[i] ) );
                     return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
                 }
 
@@ -870,7 +874,7 @@
     return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
 
 have_ciphersuite:
-    ssl->session_negotiate->ciphersuite = ssl->ciphersuites[i];
+    ssl->session_negotiate->ciphersuite = ciphersuites[i];
     ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
     ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );