diff --git a/include/polarssl/ssl_ciphersuites.h b/include/polarssl/ssl_ciphersuites.h index c4f1ffe64..3282a2514 100644 --- a/include/polarssl/ssl_ciphersuites.h +++ b/include/polarssl/ssl_ciphersuites.h @@ -253,6 +253,7 @@ typedef struct _ssl_ciphersuite_t ssl_ciphersuite_t; #define POLARSSL_CIPHERSUITE_WEAK 0x01 /**< Weak ciphersuite flag */ #define POLARSSL_CIPHERSUITE_SHORT_TAG 0x02 /**< Short authentication tag, eg for CCM_8 */ +#define POLARSSL_CIPHERSUITE_NODTLS 0x04 /**< Can't be used with DTLS */ /** * \brief This structure is used for storing ciphersuite information diff --git a/library/ssl_ciphersuites.c b/library/ssl_ciphersuites.c index 7907980cd..0d67c701d 100644 --- a/library/ssl_ciphersuites.c +++ b/library/ssl_ciphersuites.c @@ -392,7 +392,7 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] = POLARSSL_CIPHER_ARC4_128, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3, - 0 }, + POLARSSL_CIPHERSUITE_NODTLS }, #endif /* POLARSSL_SHA1_C */ #endif /* POLARSSL_ARC4_C */ @@ -511,7 +511,7 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] = POLARSSL_CIPHER_ARC4_128, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_ECDHE_RSA, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3, - 0 }, + POLARSSL_CIPHERSUITE_NODTLS }, #endif /* POLARSSL_SHA1_C */ #endif /* POLARSSL_ARC4_C */ @@ -802,7 +802,7 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] = POLARSSL_CIPHER_ARC4_128, POLARSSL_MD_MD5, POLARSSL_KEY_EXCHANGE_RSA, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3, - 0 }, + POLARSSL_CIPHERSUITE_NODTLS }, #endif #if defined(POLARSSL_SHA1_C) 
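Review bot: The comment on `POLARSSL_CIPHERSUITE_NODTLS` does not say why a suite would be barred from DTLS, so a maintainer adding a new table entry has no rule for when to set the flag. I would state the criterion in the comment, e.g. `/**< Can't be used with DTLS (stream cipher such as RC4, see RFC 6347 4.1.2.2) */`. The structure documentation that follows the define continues outside the hunk.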
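Review bot: The NODTLS property is attached by hand to each `POLARSSL_CIPHER_ARC4_128` entry (the hunk at -392 and the nine further ones through -1513), so the DTLS exclusion holds only if every RC4 entry, present and future, carries the flag. Entries outside the hunks are not visible here, so the diff alone cannot confirm that the tagging is complete. A self-test that walks `ciphersuite_definitions[]` and checks that every ARC4 entry has `POLARSSL_CIPHERSUITE_NODTLS` set would catch a missed entry; keying the check on the cipher itself would avoid the problem altogether. If the per-entry flag stays, a short comment above the table saying that stream-cipher suites must carry it would help.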
@@ -810,7 +810,7 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] = POLARSSL_CIPHER_ARC4_128, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_RSA, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3, - 0 }, + POLARSSL_CIPHERSUITE_NODTLS }, #endif #endif /* POLARSSL_ARC4_C */ #endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED */ @@ -919,7 +919,7 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] = POLARSSL_CIPHER_ARC4_128, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_ECDH_RSA, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3, - 0 }, + POLARSSL_CIPHERSUITE_NODTLS }, #endif /* POLARSSL_SHA1_C */ #endif /* POLARSSL_ARC4_C */ @@ -1038,7 +1038,7 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] = POLARSSL_CIPHER_ARC4_128, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_ECDH_ECDSA, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3, - 0 }, + POLARSSL_CIPHERSUITE_NODTLS }, #endif /* POLARSSL_SHA1_C */ #endif /* POLARSSL_ARC4_C */ @@ -1184,7 +1184,7 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] = POLARSSL_CIPHER_ARC4_128, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_PSK, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3, - 0 }, + POLARSSL_CIPHERSUITE_NODTLS }, #endif /* POLARSSL_SHA1_C */ #endif /* POLARSSL_ARC4_C */ #endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED */ @@ -1320,7 +1320,7 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] = POLARSSL_CIPHER_ARC4_128, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_DHE_PSK, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3, - 0 }, + POLARSSL_CIPHERSUITE_NODTLS }, #endif /* POLARSSL_SHA1_C */ #endif /* POLARSSL_ARC4_C */ #endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */ 
@@ -1399,7 +1399,7 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] = POLARSSL_CIPHER_ARC4_128, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_ECDHE_PSK, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3, - 0 }, + POLARSSL_CIPHERSUITE_NODTLS }, #endif /* POLARSSL_SHA1_C */ #endif /* POLARSSL_ARC4_C */ #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ @@ -1513,7 +1513,7 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] = POLARSSL_CIPHER_ARC4_128, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_RSA_PSK, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3, - 0 }, + POLARSSL_CIPHERSUITE_NODTLS }, #endif /* POLARSSL_SHA1_C */ #endif /* POLARSSL_ARC4_C */ #endif /* POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED */ diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 27abb3efe..e1bfbc2fc 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -588,6 +588,12 @@ static int ssl_write_client_hello( ssl_context *ssl ) ciphersuite_info->max_minor_ver < ssl->min_minor_ver ) continue; +#if defined(POLARSSL_SSL_PROTO_DTLS) + if( ssl->transport == SSL_TRANSPORT_DATAGRAM && + ( ciphersuite_info->flags & POLARSSL_CIPHERSUITE_NODTLS ) ) + continue; +#endif + SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %2d", ciphersuites[i] ) ); diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 01b0aca20..49ae4a5c0 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -847,6 +847,12 @@ static int ssl_ciphersuite_match( ssl_context *ssl, int suite_id, suite_info->max_minor_ver < ssl->minor_ver ) return( 0 ); +#if defined(POLARSSL_SSL_PROTO_DTLS) + if( ssl->transport == SSL_TRANSPORT_DATAGRAM && + ( suite_info->flags & POLARSSL_CIPHERSUITE_NODTLS ) ) + return( 0 ); +#endif + #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C) if( ssl_ciphersuite_uses_ec( suite_info ) && ( ssl->handshake->curves == NULL ||
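Review bot: The filter added in `ssl_write_client_hello` only removes NODTLS suites from the list the client offers; it does not by itself stop the client from accepting such a suite if the server names one in its ServerHello. The ServerHello parsing code is outside this diff, so it should be confirmed whether it validates the chosen suite against what was actually offered or only against the configured list. If it checks only the configured list, the same test belongs there, `if( ssl->transport == SSL_TRANSPORT_DATAGRAM && ( suite_info->flags & POLARSSL_CIPHERSUITE_NODTLS ) )`, followed by a handshake failure. The function body continues outside the hunk.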
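Review bot: The new early `return( 0 )` in `ssl_ciphersuite_match` rejects the suite silently, so a DTLS handshake that fails because the peer offered only RC4 suites is hard to diagnose from the logs. A trace before the return (with braces around the body) would help, e.g. `SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: not usable with DTLS" ) );`. The predicate also duplicates the one added in ssl_cli.c; a small static inline helper next to the flag definition would keep the client and server checks in step. The function starts and ends outside the hunk.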