summaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
Diffstat (limited to 'lib')
-rw-r--r--lib/libssl/src/ssl/s3_enc.c4
-rw-r--r--lib/libssl/src/ssl/ssl.h7
-rw-r--r--lib/libssl/src/ssl/ssl3.h7
-rw-r--r--lib/libssl/src/ssl/ssl_err.c4
-rw-r--r--lib/libssl/src/ssl/ssl_lib.c62
-rw-r--r--lib/libssl/src/ssl/ssl_locl.h3
-rw-r--r--lib/libssl/src/ssl/t1_enc.c4
-rw-r--r--lib/libssl/src/ssl/tls1.h3
8 files changed, 81 insertions, 13 deletions
diff --git a/lib/libssl/src/ssl/s3_enc.c b/lib/libssl/src/ssl/s3_enc.c
index 0c7cda3c60b..7e244b6c19a 100644
--- a/lib/libssl/src/ssl/s3_enc.c
+++ b/lib/libssl/src/ssl/s3_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_enc.c,v 1.58 2014/12/15 00:46:53 doug Exp $ */
+/* $OpenBSD: s3_enc.c,v 1.59 2015/02/22 15:54:27 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -846,6 +846,8 @@ ssl3_alert_code(int code)
return (SSL3_AD_HANDSHAKE_FAILURE);
case SSL_AD_UNKNOWN_PSK_IDENTITY:
return (TLS1_AD_UNKNOWN_PSK_IDENTITY);
+ case SSL_AD_INAPPROPRIATE_FALLBACK:
+ return (TLS1_AD_INAPPROPRIATE_FALLBACK);
default:
return (-1);
}
diff --git a/lib/libssl/src/ssl/ssl.h b/lib/libssl/src/ssl/ssl.h
index 626b967f15f..73d007400f5 100644
--- a/lib/libssl/src/ssl/ssl.h
+++ b/lib/libssl/src/ssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.82 2015/02/12 03:45:25 jsing Exp $ */
+/* $OpenBSD: ssl.h,v 1.83 2015/02/22 15:54:27 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -1363,7 +1363,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
#define SSL_AD_UNRECOGNIZED_NAME TLS1_AD_UNRECOGNIZED_NAME
#define SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE
#define SSL_AD_BAD_CERTIFICATE_HASH_VALUE TLS1_AD_BAD_CERTIFICATE_HASH_VALUE
-#define SSL_AD_UNKNOWN_PSK_IDENTITY TLS1_AD_UNKNOWN_PSK_IDENTITY /* fatal */
+#define SSL_AD_UNKNOWN_PSK_IDENTITY TLS1_AD_UNKNOWN_PSK_IDENTITY /* fatal */
+#define SSL_AD_INAPPROPRIATE_FALLBACK TLS1_AD_INAPPROPRIATE_FALLBACK /* fatal */
#define SSL_ERROR_NONE 0
#define SSL_ERROR_SSL 1
@@ -2174,6 +2175,7 @@ void ERR_load_SSL_strings(void);
#define SSL_R_HTTPS_PROXY_REQUEST 155
#define SSL_R_HTTP_REQUEST 156
#define SSL_R_ILLEGAL_PADDING 283
+#define SSL_R_INAPPROPRIATE_FALLBACK 373
#define SSL_R_INCONSISTENT_COMPRESSION 340
#define SSL_R_INVALID_CHALLENGE_LENGTH 158
#define SSL_R_INVALID_COMMAND 280
@@ -2319,6 +2321,7 @@ void ERR_load_SSL_strings(void);
#define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED 1021
#define SSL_R_TLSV1_ALERT_DECRYPT_ERROR 1051
#define SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION 1060
+#define SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK 1086
#define SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY 1071
#define SSL_R_TLSV1_ALERT_INTERNAL_ERROR 1080
#define SSL_R_TLSV1_ALERT_NO_RENEGOTIATION 1100
diff --git a/lib/libssl/src/ssl/ssl3.h b/lib/libssl/src/ssl/ssl3.h
index 644e8df16bc..61f600c55d0 100644
--- a/lib/libssl/src/ssl/ssl3.h
+++ b/lib/libssl/src/ssl/ssl3.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl3.h,v 1.35 2015/02/12 03:45:25 jsing Exp $ */
+/* $OpenBSD: ssl3.h,v 1.36 2015/02/22 15:54:27 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -125,9 +125,12 @@
extern "C" {
#endif
-/* Signalling cipher suite value: from draft-ietf-tls-renegotiation-03.txt */
+/* TLS_EMPTY_RENEGOTIATION_INFO_SCSV from RFC 5746. */
#define SSL3_CK_SCSV 0x030000FF
+/* TLS_FALLBACK_SCSV from draft-ietf-tls-downgrade-scsv-03. */
+#define SSL3_CK_FALLBACK_SCSV 0x03005600
+
#define SSL3_CK_RSA_NULL_MD5 0x03000001
#define SSL3_CK_RSA_NULL_SHA 0x03000002
#define SSL3_CK_RSA_RC4_40_MD5 0x03000003
diff --git a/lib/libssl/src/ssl/ssl_err.c b/lib/libssl/src/ssl/ssl_err.c
index 891d5216c26..04742b60ca2 100644
--- a/lib/libssl/src/ssl/ssl_err.c
+++ b/lib/libssl/src/ssl/ssl_err.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_err.c,v 1.28 2014/12/14 15:30:50 jsing Exp $ */
+/* $OpenBSD: ssl_err.c,v 1.29 2015/02/22 15:54:27 jsing Exp $ */
/* ====================================================================
* Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved.
*
@@ -385,6 +385,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= {
{ERR_REASON(SSL_R_HTTPS_PROXY_REQUEST) , "https proxy request"},
{ERR_REASON(SSL_R_HTTP_REQUEST) , "http request"},
{ERR_REASON(SSL_R_ILLEGAL_PADDING) , "illegal padding"},
+ {ERR_REASON(SSL_R_INAPPROPRIATE_FALLBACK), "inappropriate fallback"},
{ERR_REASON(SSL_R_INCONSISTENT_COMPRESSION), "inconsistent compression"},
{ERR_REASON(SSL_R_INVALID_CHALLENGE_LENGTH), "invalid challenge length"},
{ERR_REASON(SSL_R_INVALID_COMMAND) , "invalid command"},
@@ -530,6 +531,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= {
{ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPTION_FAILED), "tlsv1 alert decryption failed"},
{ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPT_ERROR), "tlsv1 alert decrypt error"},
{ERR_REASON(SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION), "tlsv1 alert export restriction"},
+ {ERR_REASON(SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK), "tlsv1 alert inappropriate fallback"},
{ERR_REASON(SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY), "tlsv1 alert insufficient security"},
{ERR_REASON(SSL_R_TLSV1_ALERT_INTERNAL_ERROR), "tlsv1 alert internal error"},
{ERR_REASON(SSL_R_TLSV1_ALERT_NO_RENEGOTIATION), "tlsv1 alert no renegotiation"},
diff --git a/lib/libssl/src/ssl/ssl_lib.c b/lib/libssl/src/ssl/ssl_lib.c
index 58835931d24..d7b52835012 100644
--- a/lib/libssl/src/ssl/ssl_lib.c
+++ b/lib/libssl/src/ssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.100 2015/02/22 15:29:39 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.101 2015/02/22 15:54:27 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -1419,7 +1419,9 @@ ssl_bytes_to_cipher_list(SSL *s, unsigned char *p, int num,
const SSL_CIPHER *c;
STACK_OF(SSL_CIPHER) *sk;
int i;
+ unsigned long cipher_id;
uint16_t cipher_value;
+ uint16_t max_version;
if (s->s3)
s->s3->send_connection_binding = 0;
@@ -1440,10 +1442,13 @@ ssl_bytes_to_cipher_list(SSL *s, unsigned char *p, int num,
for (i = 0; i < num; i += SSL3_CIPHER_VALUE_SIZE) {
n2s(p, cipher_value);
+ cipher_id = SSL3_CK_ID | cipher_value;
- /* Check for SCSV */
- if (s->s3 && (SSL3_CK_ID | cipher_value) == SSL3_CK_SCSV) {
- /* SCSV is fatal if renegotiating. */
+ if (s->s3 != NULL && cipher_id == SSL3_CK_SCSV) {
+ /*
+ * TLS_EMPTY_RENEGOTIATION_INFO_SCSV is fatal if
+ * renegotiating.
+ */
if (s->renegotiate) {
SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
@@ -1456,6 +1461,25 @@ ssl_bytes_to_cipher_list(SSL *s, unsigned char *p, int num,
continue;
}
+ if (cipher_id == SSL3_CK_FALLBACK_SCSV) {
+ /*
+ * TLS_FALLBACK_SCSV indicates that the client
+ * previously tried a higher protocol version.
+ * Fail if the current version is an unexpected
+ * downgrade.
+ */
+ max_version = ssl_max_server_version(s);
+ if (max_version == 0 || s->version < max_version) {
+ SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
+ SSL_R_INAPPROPRIATE_FALLBACK);
+ if (s->s3 != NULL)
+ ssl3_send_alert(s, SSL3_AL_FATAL,
+ SSL_AD_INAPPROPRIATE_FALLBACK);
+ goto err;
+ }
+ continue;
+ }
+
if ((c = ssl3_get_cipher_by_value(cipher_value)) != NULL) {
if (!sk_SSL_CIPHER_push(sk, c)) {
SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
@@ -2543,6 +2567,36 @@ SSL_get_version(const SSL *s)
return ssl_version_string(s->version);
}
+uint16_t
+ssl_max_server_version(SSL *s)
+{
+ uint16_t max_version;
+
+ /*
+ * The SSL method will be changed during version negotiation, as such
+ * we want to use the SSL method from the context.
+ */
+ max_version = s->ctx->method->version;
+
+ if (SSL_IS_DTLS(s))
+ return (DTLS1_VERSION);
+
+ if ((s->options & SSL_OP_NO_TLSv1_2) == 0 &&
+ max_version >= TLS1_2_VERSION)
+ return (TLS1_2_VERSION);
+ if ((s->options & SSL_OP_NO_TLSv1_1) == 0 &&
+ max_version >= TLS1_1_VERSION)
+ return (TLS1_1_VERSION);
+ if ((s->options & SSL_OP_NO_TLSv1) == 0 &&
+ max_version >= TLS1_VERSION)
+ return (TLS1_VERSION);
+ if ((s->options & SSL_OP_NO_SSLv3) == 0 &&
+ max_version >= SSL3_VERSION)
+ return (SSL3_VERSION);
+
+ return (0);
+}
+
SSL *
SSL_dup(SSL *s)
{
diff --git a/lib/libssl/src/ssl/ssl_locl.h b/lib/libssl/src/ssl/ssl_locl.h
index 3b7694fc949..c38aa3a90d0 100644
--- a/lib/libssl/src/ssl/ssl_locl.h
+++ b/lib/libssl/src/ssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.87 2015/02/12 03:45:25 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.88 2015/02/22 15:54:27 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -545,6 +545,7 @@ extern SSL_CIPHER ssl3_ciphers[];
SSL_METHOD *ssl_bad_method(int ver);
const char *ssl_version_string(int ver);
+uint16_t ssl_max_server_version(SSL *s);
extern SSL3_ENC_METHOD TLSv1_enc_data;
extern SSL3_ENC_METHOD TLSv1_1_enc_data;
diff --git a/lib/libssl/src/ssl/t1_enc.c b/lib/libssl/src/ssl/t1_enc.c
index f7c4bc8dde5..6e069edd4b6 100644
--- a/lib/libssl/src/ssl/t1_enc.c
+++ b/lib/libssl/src/ssl/t1_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_enc.c,v 1.76 2015/02/07 18:53:55 doug Exp $ */
+/* $OpenBSD: t1_enc.c,v 1.77 2015/02/22 15:54:27 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -1240,6 +1240,8 @@ tls1_alert_code(int code)
return (TLS1_AD_BAD_CERTIFICATE_HASH_VALUE);
case SSL_AD_UNKNOWN_PSK_IDENTITY:
return (TLS1_AD_UNKNOWN_PSK_IDENTITY);
+ case SSL_AD_INAPPROPRIATE_FALLBACK:
+ return(TLS1_AD_INAPPROPRIATE_FALLBACK);
default:
return (-1);
}
diff --git a/lib/libssl/src/ssl/tls1.h b/lib/libssl/src/ssl/tls1.h
index 6182daa837d..3dffb97b5c7 100644
--- a/lib/libssl/src/ssl/tls1.h
+++ b/lib/libssl/src/ssl/tls1.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls1.h,v 1.24 2015/02/12 03:45:25 jsing Exp $ */
+/* $OpenBSD: tls1.h,v 1.25 2015/02/22 15:54:27 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -187,6 +187,7 @@ extern "C" {
#define TLS1_AD_PROTOCOL_VERSION 70 /* fatal */
#define TLS1_AD_INSUFFICIENT_SECURITY 71 /* fatal */
#define TLS1_AD_INTERNAL_ERROR 80 /* fatal */
+#define TLS1_AD_INAPPROPRIATE_FALLBACK 86 /* fatal */
#define TLS1_AD_USER_CANCELLED 90
#define TLS1_AD_NO_RENEGOTIATION 100
/* Codes 110-114 are from RFC 3546. */