Move the downgrade sentinel declarations to a header file

Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3022)
2017-03-24 09:57:21 +00:00 · 2017-03-24 09:57:21 +00:00 · 643a358042
commit 643a358042
parent b9647e34ff
3 changed files with 11 additions and 15 deletions
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@ -58,6 +58,14 @@
 #define SSL3_NUM_CIPHERS        OSSL_NELEM(ssl3_ciphers)
 #define SSL3_NUM_SCSVS          OSSL_NELEM(ssl3_scsvs)

+/* TLSv1.3 downgrade protection sentinel values */
+const unsigned char tls11downgrade[] = {
+    0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00
+};
+const unsigned char tls12downgrade[] = {
+    0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01
+};
+
 /*
 * The list of available ciphers, mostly organized into the following
 * groups:
@ -4030,13 +4038,6 @@ int ssl_fill_hello_random(SSL *s, int server, unsigned char *result, size_t len,
    }
 #ifndef OPENSSL_NO_TLS13DOWNGRADE
    if (ret) {
-        static const unsigned char tls11downgrade[] = {
-            0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00
-        };
-        static const unsigned char tls12downgrade[] = {
-            0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01
-        };
-
        assert(sizeof(tls11downgrade) < len && sizeof(tls12downgrade) < len);
        if (dgrd == DOWNGRADE_TO_1_2)
            memcpy(result + len - sizeof(tls12downgrade), tls12downgrade,
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@ -1865,6 +1865,9 @@ typedef enum tlsext_index_en {
 /* A dummy signature value not valid for TLSv1.2 signature algs */
 #define TLSEXT_signature_rsa_pss                                0x0101

+/* TLSv1.3 downgrade protection sentinel values */
+extern const unsigned char tls11downgrade[8];
+extern const unsigned char tls12downgrade[8];

 extern SSL3_ENC_METHOD ssl3_undef_enc_method;

--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@ -1726,14 +1726,6 @@ int ssl_choose_client_version(SSL *s, int version, int checkdgrd, int *al)
    for (vent = table; vent->version != 0; ++vent) {
        const SSL_METHOD *method;
        int err;
-#ifndef OPENSSL_NO_TLS13DOWNGRADE
-        static const unsigned char tls11downgrade[] = {
-            0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00
-        };
-        static const unsigned char tls12downgrade[] = {
-            0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01
-        };
-#endif

        if (vent->cmeth == NULL)
            continue;