diff options
author | Peter Dettman <peter.dettman@bouncycastle.org> | 2013-12-07 07:24:41 +0400 |
---|---|---|
committer | Peter Dettman <peter.dettman@bouncycastle.org> | 2013-12-07 07:24:41 +0400 |
commit | 0d25deb0af1d2dfecb0d1b39455ba971af665faf (patch) | |
tree | dfd953055ecf9ae02b469bda15acdea30cacede6 /core/src/main/java/org/bouncycastle/crypto/tls/TlsClientProtocol.java | |
parent | 26c9bd6b3868540fdb1749cb7a455029dc0884a0 (diff) |
Add checks for ciphersuite validity vs the negotiated version
Diffstat (limited to 'core/src/main/java/org/bouncycastle/crypto/tls/TlsClientProtocol.java')
-rw-r--r-- | core/src/main/java/org/bouncycastle/crypto/tls/TlsClientProtocol.java | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsClientProtocol.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsClientProtocol.java index 5a546618..f339df27 100644 --- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsClientProtocol.java +++ b/core/src/main/java/org/bouncycastle/crypto/tls/TlsClientProtocol.java @@ -634,12 +634,13 @@ public class TlsClientProtocol /* * Find out which CipherSuite the server has chosen and check that it was one of the offered - * ones. + * ones, and is a valid selection for the negotiated version. */ int selectedCipherSuite = TlsUtils.readUint16(buf); if (!Arrays.contains(this.offeredCipherSuites, selectedCipherSuite) || selectedCipherSuite == CipherSuite.TLS_NULL_WITH_NULL_NULL - || selectedCipherSuite == CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV) + || selectedCipherSuite == CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV + || !TlsUtils.isValidCipherSuiteForVersion(selectedCipherSuite, server_version)) { throw new TlsFatalAlert(AlertDescription.illegal_parameter); } |