diff options
Diffstat (limited to 'lib')
-rw-r--r-- | lib/libssl/src/ssl/s3_enc.c | 4 | ||||
-rw-r--r-- | lib/libssl/src/ssl/ssl.h | 7 | ||||
-rw-r--r-- | lib/libssl/src/ssl/ssl3.h | 7 | ||||
-rw-r--r-- | lib/libssl/src/ssl/ssl_err.c | 4 | ||||
-rw-r--r-- | lib/libssl/src/ssl/ssl_lib.c | 62 | ||||
-rw-r--r-- | lib/libssl/src/ssl/ssl_locl.h | 3 | ||||
-rw-r--r-- | lib/libssl/src/ssl/t1_enc.c | 4 | ||||
-rw-r--r-- | lib/libssl/src/ssl/tls1.h | 3 |
8 files changed, 81 insertions, 13 deletions
diff --git a/lib/libssl/src/ssl/s3_enc.c b/lib/libssl/src/ssl/s3_enc.c index 0c7cda3c60b..7e244b6c19a 100644 --- a/lib/libssl/src/ssl/s3_enc.c +++ b/lib/libssl/src/ssl/s3_enc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_enc.c,v 1.58 2014/12/15 00:46:53 doug Exp $ */ +/* $OpenBSD: s3_enc.c,v 1.59 2015/02/22 15:54:27 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -846,6 +846,8 @@ ssl3_alert_code(int code) return (SSL3_AD_HANDSHAKE_FAILURE); case SSL_AD_UNKNOWN_PSK_IDENTITY: return (TLS1_AD_UNKNOWN_PSK_IDENTITY); + case SSL_AD_INAPPROPRIATE_FALLBACK: + return (TLS1_AD_INAPPROPRIATE_FALLBACK); default: return (-1); } diff --git a/lib/libssl/src/ssl/ssl.h b/lib/libssl/src/ssl/ssl.h index 626b967f15f..73d007400f5 100644 --- a/lib/libssl/src/ssl/ssl.h +++ b/lib/libssl/src/ssl/ssl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl.h,v 1.82 2015/02/12 03:45:25 jsing Exp $ */ +/* $OpenBSD: ssl.h,v 1.83 2015/02/22 15:54:27 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1363,7 +1363,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) #define SSL_AD_UNRECOGNIZED_NAME TLS1_AD_UNRECOGNIZED_NAME #define SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE #define SSL_AD_BAD_CERTIFICATE_HASH_VALUE TLS1_AD_BAD_CERTIFICATE_HASH_VALUE -#define SSL_AD_UNKNOWN_PSK_IDENTITY TLS1_AD_UNKNOWN_PSK_IDENTITY /* fatal */ +#define SSL_AD_UNKNOWN_PSK_IDENTITY TLS1_AD_UNKNOWN_PSK_IDENTITY /* fatal */ +#define SSL_AD_INAPPROPRIATE_FALLBACK TLS1_AD_INAPPROPRIATE_FALLBACK /* fatal */ #define SSL_ERROR_NONE 0 #define SSL_ERROR_SSL 1 @@ -2174,6 +2175,7 @@ void ERR_load_SSL_strings(void); #define SSL_R_HTTPS_PROXY_REQUEST 155 #define SSL_R_HTTP_REQUEST 156 #define SSL_R_ILLEGAL_PADDING 283 +#define SSL_R_INAPPROPRIATE_FALLBACK 373 #define SSL_R_INCONSISTENT_COMPRESSION 340 #define SSL_R_INVALID_CHALLENGE_LENGTH 158 #define SSL_R_INVALID_COMMAND 280 @@ -2319,6 +2321,7 @@ void ERR_load_SSL_strings(void); #define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED 1021 #define SSL_R_TLSV1_ALERT_DECRYPT_ERROR 1051 #define SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION 1060 +#define SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK 1086 #define SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY 1071 #define SSL_R_TLSV1_ALERT_INTERNAL_ERROR 1080 #define SSL_R_TLSV1_ALERT_NO_RENEGOTIATION 1100 diff --git a/lib/libssl/src/ssl/ssl3.h b/lib/libssl/src/ssl/ssl3.h index 644e8df16bc..61f600c55d0 100644 --- a/lib/libssl/src/ssl/ssl3.h +++ b/lib/libssl/src/ssl/ssl3.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl3.h,v 1.35 2015/02/12 03:45:25 jsing Exp $ */ +/* $OpenBSD: ssl3.h,v 1.36 2015/02/22 15:54:27 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -125,9 +125,12 @@ extern "C" { #endif -/* Signalling cipher suite value: from draft-ietf-tls-renegotiation-03.txt */ +/* TLS_EMPTY_RENEGOTIATION_INFO_SCSV from RFC 5746. */ #define SSL3_CK_SCSV 0x030000FF +/* TLS_FALLBACK_SCSV from draft-ietf-tls-downgrade-scsv-03. */ +#define SSL3_CK_FALLBACK_SCSV 0x03005600 + #define SSL3_CK_RSA_NULL_MD5 0x03000001 #define SSL3_CK_RSA_NULL_SHA 0x03000002 #define SSL3_CK_RSA_RC4_40_MD5 0x03000003 diff --git a/lib/libssl/src/ssl/ssl_err.c b/lib/libssl/src/ssl/ssl_err.c index 891d5216c26..04742b60ca2 100644 --- a/lib/libssl/src/ssl/ssl_err.c +++ b/lib/libssl/src/ssl/ssl_err.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_err.c,v 1.28 2014/12/14 15:30:50 jsing Exp $ */ +/* $OpenBSD: ssl_err.c,v 1.29 2015/02/22 15:54:27 jsing Exp $ */ /* ==================================================================== * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved. * @@ -385,6 +385,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= { {ERR_REASON(SSL_R_HTTPS_PROXY_REQUEST) , "https proxy request"}, {ERR_REASON(SSL_R_HTTP_REQUEST) , "http request"}, {ERR_REASON(SSL_R_ILLEGAL_PADDING) , "illegal padding"}, + {ERR_REASON(SSL_R_INAPPROPRIATE_FALLBACK), "inappropriate fallback"}, {ERR_REASON(SSL_R_INCONSISTENT_COMPRESSION), "inconsistent compression"}, {ERR_REASON(SSL_R_INVALID_CHALLENGE_LENGTH), "invalid challenge length"}, {ERR_REASON(SSL_R_INVALID_COMMAND) , "invalid command"}, @@ -530,6 +531,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= { {ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPTION_FAILED), "tlsv1 alert decryption failed"}, {ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPT_ERROR), "tlsv1 alert decrypt error"}, {ERR_REASON(SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION), "tlsv1 alert export restriction"}, + {ERR_REASON(SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK), "tlsv1 alert inappropriate fallback"}, {ERR_REASON(SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY), "tlsv1 alert insufficient security"}, {ERR_REASON(SSL_R_TLSV1_ALERT_INTERNAL_ERROR), "tlsv1 alert internal error"}, {ERR_REASON(SSL_R_TLSV1_ALERT_NO_RENEGOTIATION), "tlsv1 alert no renegotiation"}, diff --git a/lib/libssl/src/ssl/ssl_lib.c b/lib/libssl/src/ssl/ssl_lib.c index 58835931d24..d7b52835012 100644 --- a/lib/libssl/src/ssl/ssl_lib.c +++ b/lib/libssl/src/ssl/ssl_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_lib.c,v 1.100 2015/02/22 15:29:39 jsing Exp $ */ +/* $OpenBSD: ssl_lib.c,v 1.101 2015/02/22 15:54:27 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1419,7 +1419,9 @@ ssl_bytes_to_cipher_list(SSL *s, unsigned char *p, int num, const SSL_CIPHER *c; STACK_OF(SSL_CIPHER) *sk; int i; + unsigned long cipher_id; uint16_t cipher_value; + uint16_t max_version; if (s->s3) s->s3->send_connection_binding = 0; @@ -1440,10 +1442,13 @@ ssl_bytes_to_cipher_list(SSL *s, unsigned char *p, int num, for (i = 0; i < num; i += SSL3_CIPHER_VALUE_SIZE) { n2s(p, cipher_value); + cipher_id = SSL3_CK_ID | cipher_value; - /* Check for SCSV */ - if (s->s3 && (SSL3_CK_ID | cipher_value) == SSL3_CK_SCSV) { - /* SCSV is fatal if renegotiating. */ + if (s->s3 != NULL && cipher_id == SSL3_CK_SCSV) { + /* + * TLS_EMPTY_RENEGOTIATION_INFO_SCSV is fatal if + * renegotiating. + */ if (s->renegotiate) { SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING); @@ -1456,6 +1461,25 @@ ssl_bytes_to_cipher_list(SSL *s, unsigned char *p, int num, continue; } + if (cipher_id == SSL3_CK_FALLBACK_SCSV) { + /* + * TLS_FALLBACK_SCSV indicates that the client + * previously tried a higher protocol version. + * Fail if the current version is an unexpected + * downgrade. + */ + max_version = ssl_max_server_version(s); + if (max_version == 0 || s->version < max_version) { + SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, + SSL_R_INAPPROPRIATE_FALLBACK); + if (s->s3 != NULL) + ssl3_send_alert(s, SSL3_AL_FATAL, + SSL_AD_INAPPROPRIATE_FALLBACK); + goto err; + } + continue; + } + if ((c = ssl3_get_cipher_by_value(cipher_value)) != NULL) { if (!sk_SSL_CIPHER_push(sk, c)) { SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, @@ -2543,6 +2567,36 @@ SSL_get_version(const SSL *s) return ssl_version_string(s->version); } +uint16_t +ssl_max_server_version(SSL *s) +{ + uint16_t max_version; + + /* + * The SSL method will be changed during version negotiation, as such + * we want to use the SSL method from the context. + */ + max_version = s->ctx->method->version; + + if (SSL_IS_DTLS(s)) + return (DTLS1_VERSION); + + if ((s->options & SSL_OP_NO_TLSv1_2) == 0 && + max_version >= TLS1_2_VERSION) + return (TLS1_2_VERSION); + if ((s->options & SSL_OP_NO_TLSv1_1) == 0 && + max_version >= TLS1_1_VERSION) + return (TLS1_1_VERSION); + if ((s->options & SSL_OP_NO_TLSv1) == 0 && + max_version >= TLS1_VERSION) + return (TLS1_VERSION); + if ((s->options & SSL_OP_NO_SSLv3) == 0 && + max_version >= SSL3_VERSION) + return (SSL3_VERSION); + + return (0); +} + SSL * SSL_dup(SSL *s) { diff --git a/lib/libssl/src/ssl/ssl_locl.h b/lib/libssl/src/ssl/ssl_locl.h index 3b7694fc949..c38aa3a90d0 100644 --- a/lib/libssl/src/ssl/ssl_locl.h +++ b/lib/libssl/src/ssl/ssl_locl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_locl.h,v 1.87 2015/02/12 03:45:25 jsing Exp $ */ +/* $OpenBSD: ssl_locl.h,v 1.88 2015/02/22 15:54:27 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -545,6 +545,7 @@ extern SSL_CIPHER ssl3_ciphers[]; SSL_METHOD *ssl_bad_method(int ver); const char *ssl_version_string(int ver); +uint16_t ssl_max_server_version(SSL *s); extern SSL3_ENC_METHOD TLSv1_enc_data; extern SSL3_ENC_METHOD TLSv1_1_enc_data; diff --git a/lib/libssl/src/ssl/t1_enc.c b/lib/libssl/src/ssl/t1_enc.c index f7c4bc8dde5..6e069edd4b6 100644 --- a/lib/libssl/src/ssl/t1_enc.c +++ b/lib/libssl/src/ssl/t1_enc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: t1_enc.c,v 1.76 2015/02/07 18:53:55 doug Exp $ */ +/* $OpenBSD: t1_enc.c,v 1.77 2015/02/22 15:54:27 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1240,6 +1240,8 @@ tls1_alert_code(int code) return (TLS1_AD_BAD_CERTIFICATE_HASH_VALUE); case SSL_AD_UNKNOWN_PSK_IDENTITY: return (TLS1_AD_UNKNOWN_PSK_IDENTITY); + case SSL_AD_INAPPROPRIATE_FALLBACK: + return(TLS1_AD_INAPPROPRIATE_FALLBACK); default: return (-1); } diff --git a/lib/libssl/src/ssl/tls1.h b/lib/libssl/src/ssl/tls1.h index 6182daa837d..3dffb97b5c7 100644 --- a/lib/libssl/src/ssl/tls1.h +++ b/lib/libssl/src/ssl/tls1.h @@ -1,4 +1,4 @@ -/* $OpenBSD: tls1.h,v 1.24 2015/02/12 03:45:25 jsing Exp $ */ +/* $OpenBSD: tls1.h,v 1.25 2015/02/22 15:54:27 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -187,6 +187,7 @@ extern "C" { #define TLS1_AD_PROTOCOL_VERSION 70 /* fatal */ #define TLS1_AD_INSUFFICIENT_SECURITY 71 /* fatal */ #define TLS1_AD_INTERNAL_ERROR 80 /* fatal */ +#define TLS1_AD_INAPPROPRIATE_FALLBACK 86 /* fatal */ #define TLS1_AD_USER_CANCELLED 90 #define TLS1_AD_NO_RENEGOTIATION 100 /* Codes 110-114 are from RFC 3546. */ |