[openssl-commits] [openssl] master update

Matt Caswell matt at openssl.org
Mon Apr 24 15:15:49 UTC 2017 

The branch master has been updated
       via  8af91fd9d08487e0dffb6ccac5f42633c964f3f0 (commit)
      from  dd94c37a5c2f783102b125c620000b9719c662d3 (commit)


- Log -----------------------------------------------------------------
commit 8af91fd9d08487e0dffb6ccac5f42633c964f3f0
Author: Matt Caswell <matt at openssl.org>
Date:   Wed Apr 12 17:02:42 2017 +0100

    Don't fail the connection in SSLv3 if server selects ECDHE
    
    ECDHE is not properly defined for SSLv3. Commit fe55c4a2 prevented ECDHE
    from being selected in that protocol. However, historically, servers do
    still select ECDHE anyway so that commit causes interoperability problems.
    Clients that previously worked when talking to an SSLv3 server could now
    fail.
    
    This commit introduces an exception which enables a client to continue in
    SSLv3 if the server selected ECDHE.
    
    [extended tests]
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/3204)

-----------------------------------------------------------------------

Summary of changes:
 ssl/ssl_lib.c            |  2 +-
 ssl/ssl_locl.h           |  2 +-
 ssl/statem/statem_clnt.c |  4 ++--
 ssl/t1_lib.c             | 20 ++++++++++++++++----
 4 files changed, 20 insertions(+), 8 deletions(-)

diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 4de2b47..c59aa84 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2229,7 +2229,7 @@ STACK_OF(SSL_CIPHER) *SSL_get1_supported_ciphers(SSL *s)
     ssl_set_client_disabled(s);
     for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
         const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i);
-        if (!ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED)) {
+        if (!ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED, 0)) {
             if (!sk)
                 sk = sk_SSL_CIPHER_new_null();
             if (!sk)
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 5ca7237..8eb6ff5 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -2394,7 +2394,7 @@ __owur int tls1_set_peer_legacy_sigalg(SSL *s, const EVP_PKEY *pkey);
 __owur size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs);
 __owur int tls12_check_peer_sigalg(SSL *s, uint16_t, EVP_PKEY *pkey);
 void ssl_set_client_disabled(SSL *s);
-__owur int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op);
+__owur int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op, int echde);
 
 __owur int ssl_handshake_hash(SSL *s, unsigned char *out, size_t outlen,
                                  size_t *hashlen);
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index a8bb566..0452729 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -1259,7 +1259,7 @@ static int set_client_ciphersuite(SSL *s, const unsigned char *cipherchars)
      * If it is a disabled cipher we either didn't send it in client hello,
      * or it's not allowed for the selected protocol. So we return an error.
      */
-    if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_CHECK)) {
+    if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_CHECK, 1)) {
         SSLerr(SSL_F_SET_CLIENT_CIPHERSUITE, SSL_R_WRONG_CIPHER_RETURNED);
         return 0;
     }
@@ -3552,7 +3552,7 @@ int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, WPACKET *pkt)
 
         c = sk_SSL_CIPHER_value(sk, i);
         /* Skip disabled ciphers */
-        if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED))
+        if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED, 0))
             continue;
 
         if (!s->method->put_cipher_by_char(c, pkt, &len)) {
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 698c25b..5007f7e 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1034,19 +1034,31 @@ void ssl_set_client_disabled(SSL *s)
  * @s: SSL connection that you want to use the cipher on
  * @c: cipher to check
  * @op: Security check that you want to do
+ * @ecdhe: If set to 1 then TLSv1 ECDHE ciphers are also allowed in SSLv3
  *
  * Returns 1 when it's disabled, 0 when enabled.
  */
-int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op)
+int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op, int ecdhe)
 {
     if (c->algorithm_mkey & s->s3->tmp.mask_k
         || c->algorithm_auth & s->s3->tmp.mask_a)
         return 1;
     if (s->s3->tmp.max_ver == 0)
         return 1;
-    if (!SSL_IS_DTLS(s) && ((c->min_tls > s->s3->tmp.max_ver)
-                            || (c->max_tls < s->s3->tmp.min_ver)))
-        return 1;
+    if (!SSL_IS_DTLS(s)) {
+        int min_tls = c->min_tls;
+
+        /*
+         * For historical reasons we will allow ECHDE to be selected by a server
+         * in SSLv3 if we are a client
+         */
+        if (min_tls == TLS1_VERSION && ecdhe
+                && (c->algorithm_mkey & (SSL_kECDHE | SSL_kECDHEPSK)) != 0)
+            min_tls = SSL3_VERSION;
+
+        if ((min_tls > s->s3->tmp.max_ver) || (c->max_tls < s->s3->tmp.min_ver))
+            return 1;
+    }
     if (SSL_IS_DTLS(s) && (DTLS_VERSION_GT(c->min_dtls, s->s3->tmp.max_ver)
                            || DTLS_VERSION_LT(c->max_dtls, s->s3->tmp.min_ver)))
         return 1;

More information about the openssl-commits mailing list