-rw-r--r-- | lib/libssl/src/ssl/s3_enc.c | 4 | ||||
-rw-r--r-- | lib/libssl/src/ssl/ssl.h | 7 | ||||
-rw-r--r-- | lib/libssl/src/ssl/ssl3.h | 7 | ||||
-rw-r--r-- | lib/libssl/src/ssl/ssl_err.c | 4 | ||||
-rw-r--r-- | lib/libssl/src/ssl/ssl_lib.c | 62 | ||||
-rw-r--r-- | lib/libssl/src/ssl/ssl_locl.h | 3 | ||||
-rw-r--r-- | lib/libssl/src/ssl/t1_enc.c | 4 | ||||
-rw-r--r-- | lib/libssl/src/ssl/tls1.h | 3 |
8 files changed, 81 insertions, 13 deletions
diff --git a/lib/libssl/src/ssl/s3_enc.c b/lib/libssl/src/ssl/s3_enc.c index 0c7cda3c60b..7e244b6c19a 100644 --- a/lib/libssl/src/ssl/s3_enc.c +++ b/lib/libssl/src/ssl/s3_enc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_enc.c,v 1.58 2014/12/15 00:46:53 doug Exp $ */ +/* $OpenBSD: s3_enc.c,v 1.59 2015/02/22 15:54:27 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -846,6 +846,8 @@ ssl3_alert_code(int code) return (SSL3_AD_HANDSHAKE_FAILURE); case SSL_AD_UNKNOWN_PSK_IDENTITY: return (TLS1_AD_UNKNOWN_PSK_IDENTITY); + case SSL_AD_INAPPROPRIATE_FALLBACK: + return (TLS1_AD_INAPPROPRIATE_FALLBACK); default: return (-1); } diff --git a/lib/libssl/src/ssl/ssl.h b/lib/libssl/src/ssl/ssl.h index 626b967f15f..73d007400f5 100644 --- a/lib/libssl/src/ssl/ssl.h +++ b/lib/libssl/src/ssl/ssl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl.h,v 1.82 2015/02/12 03:45:25 jsing Exp $ */ +/* $OpenBSD: ssl.h,v 1.83 2015/02/22 15:54:27 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1363,7 +1363,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) #define SSL_AD_UNRECOGNIZED_NAME TLS1_AD_UNRECOGNIZED_NAME #define SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE #define SSL_AD_BAD_CERTIFICATE_HASH_VALUE TLS1_AD_BAD_CERTIFICATE_HASH_VALUE -#define SSL_AD_UNKNOWN_PSK_IDENTITY TLS1_AD_UNKNOWN_PSK_IDENTITY /* fatal */ +#define SSL_AD_UNKNOWN_PSK_IDENTITY TLS1_AD_UNKNOWN_PSK_IDENTITY /* fatal */ +#define SSL_AD_INAPPROPRIATE_FALLBACK TLS1_AD_INAPPROPRIATE_FALLBACK /* fatal */ #define SSL_ERROR_NONE 0 #define SSL_ERROR_SSL 1 @@ -2174,6 +2175,7 @@ void ERR_load_SSL_strings(void); #define SSL_R_HTTPS_PROXY_REQUEST 155 #define SSL_R_HTTP_REQUEST 156 #define SSL_R_ILLEGAL_PADDING 283 +#define SSL_R_INAPPROPRIATE_FALLBACK 373 #define SSL_R_INCONSISTENT_COMPRESSION 340 #define SSL_R_INVALID_CHALLENGE_LENGTH 158 #define SSL_R_INVALID_COMMAND 280 
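Review bot: In the s3_enc.c hunk, the new `case SSL_AD_INAPPROPRIATE_FALLBACK:` in ssl3_alert_code() returns a TLS1_AD_* value from the SSLv3 alert mapper without saying why. Most TLS-only alerts there appear to be folded into `SSL3_AD_HANDSHAKE_FAILURE`, judging by the context line above, so the next reader may take this for an oversight. An SSLv3 connection is the case where a downgrade most needs to be reported to the client, so the TLS value looks deliberate. A comment above the case would record that, for example `/* No SSLv3 equivalent; send the TLS alert so a downgraded client sees the specific reason. */`. The function body starts and ends outside the hunk.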
@@ -2319,6 +2321,7 @@ void ERR_load_SSL_strings(void); #define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED 1021 #define SSL_R_TLSV1_ALERT_DECRYPT_ERROR 1051 #define SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION 1060 +#define SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK 1086 #define SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY 1071 #define SSL_R_TLSV1_ALERT_INTERNAL_ERROR 1080 #define SSL_R_TLSV1_ALERT_NO_RENEGOTIATION 1100 diff --git a/lib/libssl/src/ssl/ssl3.h b/lib/libssl/src/ssl/ssl3.h index 644e8df16bc..61f600c55d0 100644 --- a/lib/libssl/src/ssl/ssl3.h +++ b/lib/libssl/src/ssl/ssl3.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl3.h,v 1.35 2015/02/12 03:45:25 jsing Exp $ */ +/* $OpenBSD: ssl3.h,v 1.36 2015/02/22 15:54:27 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -125,9 +125,12 @@ extern "C" { #endif -/* Signalling cipher suite value: from draft-ietf-tls-renegotiation-03.txt */ +/* TLS_EMPTY_RENEGOTIATION_INFO_SCSV from RFC 5746. */ #define SSL3_CK_SCSV 0x030000FF +/* TLS_FALLBACK_SCSV from draft-ietf-tls-downgrade-scsv-03. */ +#define SSL3_CK_FALLBACK_SCSV 0x03005600 + #define SSL3_CK_RSA_NULL_MD5 0x03000001 #define SSL3_CK_RSA_NULL_SHA 0x03000002 #define SSL3_CK_RSA_RC4_40_MD5 0x03000003 diff --git a/lib/libssl/src/ssl/ssl_err.c b/lib/libssl/src/ssl/ssl_err.c index 891d5216c26..04742b60ca2 100644 --- a/lib/libssl/src/ssl/ssl_err.c +++ b/lib/libssl/src/ssl/ssl_err.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_err.c,v 1.28 2014/12/14 15:30:50 jsing Exp $ */ +/* $OpenBSD: ssl_err.c,v 1.29 2015/02/22 15:54:27 jsing Exp $ */ /* ==================================================================== * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved. * 
@@ -385,6 +385,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= { {ERR_REASON(SSL_R_HTTPS_PROXY_REQUEST) , "https proxy request"}, {ERR_REASON(SSL_R_HTTP_REQUEST) , "http request"}, {ERR_REASON(SSL_R_ILLEGAL_PADDING) , "illegal padding"}, + {ERR_REASON(SSL_R_INAPPROPRIATE_FALLBACK), "inappropriate fallback"}, {ERR_REASON(SSL_R_INCONSISTENT_COMPRESSION), "inconsistent compression"}, {ERR_REASON(SSL_R_INVALID_CHALLENGE_LENGTH), "invalid challenge length"}, {ERR_REASON(SSL_R_INVALID_COMMAND) , "invalid command"}, @@ -530,6 +531,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= { {ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPTION_FAILED), "tlsv1 alert decryption failed"}, {ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPT_ERROR), "tlsv1 alert decrypt error"}, {ERR_REASON(SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION), "tlsv1 alert export restriction"}, + {ERR_REASON(SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK), "tlsv1 alert inappropriate fallback"}, {ERR_REASON(SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY), "tlsv1 alert insufficient security"}, {ERR_REASON(SSL_R_TLSV1_ALERT_INTERNAL_ERROR), "tlsv1 alert internal error"}, {ERR_REASON(SSL_R_TLSV1_ALERT_NO_RENEGOTIATION), "tlsv1 alert no renegotiation"}, diff --git a/lib/libssl/src/ssl/ssl_lib.c b/lib/libssl/src/ssl/ssl_lib.c index 58835931d24..d7b52835012 100644 --- a/lib/libssl/src/ssl/ssl_lib.c +++ b/lib/libssl/src/ssl/ssl_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_lib.c,v 1.100 2015/02/22 15:29:39 jsing Exp $ */ +/* $OpenBSD: ssl_lib.c,v 1.101 2015/02/22 15:54:27 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1419,7 +1419,9 @@ ssl_bytes_to_cipher_list(SSL *s, unsigned char *p, int num, const SSL_CIPHER *c; STACK_OF(SSL_CIPHER) *sk; int i; + unsigned long cipher_id; uint16_t cipher_value; + uint16_t max_version; if (s->s3) s->s3->send_connection_binding = 0; 
@@ -1440,10 +1442,13 @@ ssl_bytes_to_cipher_list(SSL *s, unsigned char *p, int num, for (i = 0; i < num; i += SSL3_CIPHER_VALUE_SIZE) { n2s(p, cipher_value); + cipher_id = SSL3_CK_ID | cipher_value; - /* Check for SCSV */ - if (s->s3 && (SSL3_CK_ID | cipher_value) == SSL3_CK_SCSV) { - /* SCSV is fatal if renegotiating. */ + if (s->s3 != NULL && cipher_id == SSL3_CK_SCSV) { + /* + * TLS_EMPTY_RENEGOTIATION_INFO_SCSV is fatal if + * renegotiating. + */ if (s->renegotiate) { SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING); @@ -1456,6 +1461,25 @@ ssl_bytes_to_cipher_list(SSL *s, unsigned char *p, int num, continue; } + if (cipher_id == SSL3_CK_FALLBACK_SCSV) { + /* + * TLS_FALLBACK_SCSV indicates that the client + * previously tried a higher protocol version. + * Fail if the current version is an unexpected + * downgrade. + */ + max_version = ssl_max_server_version(s); + if (max_version == 0 || s->version < max_version) { + SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, + SSL_R_INAPPROPRIATE_FALLBACK); + if (s->s3 != NULL) + ssl3_send_alert(s, SSL3_AL_FATAL, + SSL_AD_INAPPROPRIATE_FALLBACK); + goto err; + } + continue; + } + if ((c = ssl3_get_cipher_by_value(cipher_value)) != NULL) { if (!sk_SSL_CIPHER_push(sk, c)) { SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, 
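Review bot: The test `s->version < max_version` in the new TLS_FALLBACK_SCSV branch relies on wire version numbers increasing with protocol version, which is true for SSLv3/TLS but not for DTLS, whose version numbers count downward (DTLS 1.2 is 0xFEFD, numerically below DTLS1_VERSION). As far as this diff shows it is harmless today, because ssl_max_server_version() returns DTLS1_VERSION for every DTLS connection. The assumption should still be written down so it is not carried over when another DTLS version is added: `/* Numeric comparison is only valid for SSLv3/TLS; DTLS versions decrease. */`. The same branch also reports `SSL_R_INAPPROPRIATE_FALLBACK` when `max_version == 0`, which is a server with no protocol enabled rather than a downgrade. A short comment saying that this case is treated as a refusal on purpose would help whoever reads the error log. ssl_bytes_to_cipher_list() starts and ends outside these hunks.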
@@ -2543,6 +2567,36 @@ SSL_get_version(const SSL *s) return ssl_version_string(s->version); } +uint16_t +ssl_max_server_version(SSL *s) +{ + uint16_t max_version; + + /* + * The SSL method will be changed during version negotiation, as such + * we want to use the SSL method from the context. + */ + max_version = s->ctx->method->version; + + if (SSL_IS_DTLS(s)) + return (DTLS1_VERSION); + + if ((s->options & SSL_OP_NO_TLSv1_2) == 0 && + max_version >= TLS1_2_VERSION) + return (TLS1_2_VERSION); + if ((s->options & SSL_OP_NO_TLSv1_1) == 0 && + max_version >= TLS1_1_VERSION) + return (TLS1_1_VERSION); + if ((s->options & SSL_OP_NO_TLSv1) == 0 && + max_version >= TLS1_VERSION) + return (TLS1_VERSION); + if ((s->options & SSL_OP_NO_SSLv3) == 0 && + max_version >= SSL3_VERSION) + return (SSL3_VERSION); + + return (0); +} + SSL * SSL_dup(SSL *s) { diff --git a/lib/libssl/src/ssl/ssl_locl.h b/lib/libssl/src/ssl/ssl_locl.h index 3b7694fc949..c38aa3a90d0 100644 --- a/lib/libssl/src/ssl/ssl_locl.h +++ b/lib/libssl/src/ssl/ssl_locl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_locl.h,v 1.87 2015/02/12 03:45:25 jsing Exp $ */ +/* $OpenBSD: ssl_locl.h,v 1.88 2015/02/22 15:54:27 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -545,6 +545,7 @@ extern SSL_CIPHER ssl3_ciphers[]; SSL_METHOD *ssl_bad_method(int ver); const char *ssl_version_string(int ver); +uint16_t ssl_max_server_version(SSL *s); extern SSL3_ENC_METHOD TLSv1_enc_data; extern SSL3_ENC_METHOD TLSv1_1_enc_data; diff --git a/lib/libssl/src/ssl/t1_enc.c b/lib/libssl/src/ssl/t1_enc.c index f7c4bc8dde5..6e069edd4b6 100644 --- a/lib/libssl/src/ssl/t1_enc.c +++ b/lib/libssl/src/ssl/t1_enc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: t1_enc.c,v 1.76 2015/02/07 18:53:55 doug Exp $ */ +/* $OpenBSD: t1_enc.c,v 1.77 2015/02/22 15:54:27 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
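Review bot: ssl_max_server_version() is added in the ssl_lib.c hunk without a comment stating its contract, although the caller in ssl_bytes_to_cipher_list() depends on two non-obvious details. A return of 0 means that every version is disabled by `s->options`, and a DTLS connection always gets `DTLS1_VERSION` regardless of the options. I would put a block comment above the function saying that it returns the highest protocol version the server side of `s` is willing to negotiate, 0 if none is enabled, and that the SSL_OP_NO_* flags are not consulted for DTLS. Because the ceiling is read from `s->ctx->method`, a method set on the SSL object itself is presumably not reflected; if that is intended, the existing comment could say so. The function only reads from `s`, so `const SSL *s` (here and in the ssl_locl.h prototype) would match `SSL_get_version(const SSL *s)` just above, provided SSL_IS_DTLS() accepts a const pointer.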
@@ -1240,6 +1240,8 @@ tls1_alert_code(int code) return (TLS1_AD_BAD_CERTIFICATE_HASH_VALUE); case SSL_AD_UNKNOWN_PSK_IDENTITY: return (TLS1_AD_UNKNOWN_PSK_IDENTITY); + case SSL_AD_INAPPROPRIATE_FALLBACK: + return(TLS1_AD_INAPPROPRIATE_FALLBACK); default: return (-1); } diff --git a/lib/libssl/src/ssl/tls1.h b/lib/libssl/src/ssl/tls1.h index 6182daa837d..3dffb97b5c7 100644 --- a/lib/libssl/src/ssl/tls1.h +++ b/lib/libssl/src/ssl/tls1.h @@ -1,4 +1,4 @@ -/* $OpenBSD: tls1.h,v 1.24 2015/02/12 03:45:25 jsing Exp $ */ +/* $OpenBSD: tls1.h,v 1.25 2015/02/22 15:54:27 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -187,6 +187,7 @@ extern "C" { #define TLS1_AD_PROTOCOL_VERSION 70 /* fatal */ #define TLS1_AD_INSUFFICIENT_SECURITY 71 /* fatal */ #define TLS1_AD_INTERNAL_ERROR 80 /* fatal */ +#define TLS1_AD_INAPPROPRIATE_FALLBACK 86 /* fatal */ #define TLS1_AD_USER_CANCELLED 90 #define TLS1_AD_NO_RENEGOTIATION 100 /* Codes 110-114 are from RFC 3546. */ |
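Review bot: In the tls1_alert_code() hunk of t1_enc.c, the added line `return(TLS1_AD_INAPPROPRIATE_FALLBACK);` is missing the space after `return` that every neighbouring case uses, and that the matching line added to s3_enc.c in this same commit has. It should read `return (TLS1_AD_INAPPROPRIATE_FALLBACK);` to stay consistent with the file's style. The function body starts and ends outside the hunk.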