Ability to specify allowed ciphersuites based on the protocol version.

The ciphersuites parameter in the ssl_session structure changed from 'int *' to 'int *[4]'. The new function ssl_set_ciphersuite_for_version() sets specific entries inside this array. ssl_set_ciphersuite() sets all entries to the same value. (cherry picked from commit a62729888b9d8eafbfa952fca63a04100ed90f69) Conflicts: ChangeLog library/ssl_srv.c library/ssl_tls.c
2026-02-19 00:39:46 +00:00 · 2013-04-15 15:09:54 +02:00
parent eff2e6d414
commit 8f4ddaeea9
5 changed files with 63 additions and 20 deletions
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -476,7 +476,7 @@ struct _ssl_context
    int verify_result;                  /*!<  verification result     */
    int disable_renegotiation;          /*!<  enable/disable renegotiation   */
    int allow_legacy_renegotiation;     /*!<  allow legacy renegotiation     */
-    const int *ciphersuites;            /*!<  allowed ciphersuites    */
+    const int *ciphersuite_list[4];     /*!<  allowed ciphersuites / version */

 #if defined(POLARSSL_DHM_C)
    mpi dhm_P;                          /*!<  prime modulus for DHM   */
@@ -706,12 +706,30 @@ void ssl_set_session( ssl_context *ssl, const ssl_session *session );

 /**
 * \brief               Set the list of allowed ciphersuites
+ *                      (Overrides all version specific lists)
 *
 * \param ssl           SSL context
 * \param ciphersuites  0-terminated list of allowed ciphersuites
 */
 void ssl_set_ciphersuites( ssl_context *ssl, const int *ciphersuites );

+/**
+ * \brief               Set the list of allowed ciphersuites for a specific
+ *                      version of the protocol.
+ *                      (Only useful on the server side)
+ *
+ * \param ssl           SSL context
+ * \param ciphersuites  0-terminated list of allowed ciphersuites
+ * \param major         Major version number (only SSL_MAJOR_VERSION_3
+ *                      supported)
+ * \param minor         Minor version number (SSL_MINOR_VERSION_0,
+ *                      SSL_MINOR_VERSION_1 and SSL_MINOR_VERSION_2,
+ *                      SSL_MINOR_VERSION_3 supported)
+ */
+void ssl_set_ciphersuites_for_version( ssl_context *ssl,
+                                       const int *ciphersuites,
+                                       int major, int minor );
+
 /**
 * \brief          Set the data required to verify peer certificate
 *