authorDr. Stephen Henson <steve@openssl.org>2015-11-13 14:37:24 +0000
committerDr. Stephen Henson <steve@openssl.org>2015-11-14 00:06:32 +0000
commit2b573382f8e54aa03a1d8ffd48fa9d0a04609184 (patch)
treee509f3bb087dbdbf11ab5ef2e5d134e82e68387a /ssl
parent5e3d21fef150f020e2d33439401da8f7e311aa24 (diff)
Don't alow TLS v1.0 ciphersuites for SSLv3
This disables some ciphersuites which aren't supported in SSL v3: specifically PSK ciphersuites which use SHA256 or SHA384 for the MAC. Thanks to the Open Crypto Audit Project for identifying this issue. Reviewed-by: Matt Caswell <matt@openssl.org>
Diffstat (limited to 'ssl')
-rw-r--r--ssl/s3_lib.c3
-rw-r--r--ssl/ssl_ciph.c2
-rw-r--r--ssl/ssl_locl.h4
-rw-r--r--ssl/statem/statem_clnt.c3
-rw-r--r--ssl/t1_lib.c3
5 files changed, 13 insertions, 2 deletions
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 13bf3187d5..95cc56a413 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -4841,6 +4841,9 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
/* Skip TLS v1.2 only ciphersuites if not supported */
if ((c->algorithm_ssl & SSL_TLSV1_2) && !SSL_USE_TLS1_2_CIPHERS(s))
continue;
+ /* Skip TLS v1.0 ciphersuites if SSLv3 */
+ if ((c->algorithm_ssl & SSL_TLSV1) && s->version == SSL3_VERSION)
+ continue;
ssl_set_masks(s, c);
mask_k = s->s3->tmp.mask_k;
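Review bot: The new TLSv1 guard hard-codes `s->version == SSL3_VERSION` while the TLSv1.2 guard directly above it goes through `SSL_USE_TLS1_2_CIPHERS(s)`, and the same inline comparison is repeated in the statem_clnt.c and t1_lib.c hunks, so the rule now lives in three places. A sibling helper next to SSL_USE_TLS1_2_CIPHERS in ssl_locl.h, e.g. `# define SSL_USE_TLS1_CIPHERS(s) ((s)->version != SSL3_VERSION)` used as `if ((c->algorithm_ssl & SSL_TLSV1) && !SSL_USE_TLS1_CIPHERS(s))`, would keep the two guards parallel and give one place to adjust if the version mapping ever changes. The skip itself is the right server-side check: per the commit message these are SHA256/SHA384-MAC suites that an SSLv3 record layer cannot carry, so they must never be selected for an SSLv3 connection. The loop body of ssl3_choose_cipher continues outside the hunk.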
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 5d0ec23607..e386577e65 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1621,6 +1621,8 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
if (alg_ssl & SSL_SSLV3)
ver = "SSLv3";
+ else if (alg_ssl & SSL_TLSV1)
+ ver = "TLSv1.0";
else if (alg_ssl & SSL_TLSV1_2)
ver = "TLSv1.2";
else
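Review bot: The new label `ver = "TLSv1.0"` introduces a dotted spelling while its neighbours are "SSLv3" and "TLSv1.2", and as far as I recall other OpenSSL version strings name this protocol "TLSv1"; anything parsing `openssl ciphers -v` output now has to know a third form, so consider `ver = "TLSv1";` unless the dotted form is deliberate. The chain also now depends on branch order, since a suite carrying several protocol bits reports the first one tested; a comment above the `if (alg_ssl & SSL_SSLV3)` line such as `/* report the lowest protocol version the suite is usable with */` makes that intent explicit. The rest of SSL_CIPHER_description is outside the hunk.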
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 03bc35cc93..1295b7bdaf 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -381,8 +381,8 @@
/* Bits for algorithm_ssl (protocol version) */
# define SSL_SSLV3 0x00000002U
-# define SSL_TLSV1 SSL_SSLV3/* for now */
-# define SSL_TLSV1_2 0x00000004U
+# define SSL_TLSV1 0x00000004U
+# define SSL_TLSV1_2 0x00000008U
/* Bits for algorithm2 (handshake digests and other extra flags) */
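Review bot: Giving SSL_TLSV1 its own bit changes the meaning of every existing `SSL_TLSV1` in the algorithm_ssl field of the cipher table, not only the PSK suites the commit message names: any entry that carried SSL_TLSV1 while the old alias made it equal to SSL_SSLV3 is now silently unavailable on SSLv3 connections, and this diff contains no cipher-table change, so the table (presumably the ciphersuite array in s3_lib.c) should be audited for entries that are genuinely SSLv3-capable and expected to keep SSL_SSLV3. SSL_TLSV1_2 also moves from 0x4 to 0x8, which is safe only as long as these bits are never persisted or compared as literal values; if that is the intent, pin it with a comment on the `/* Bits for algorithm_ssl */` line: `/* ordered by minimum protocol version; values are internal and may be renumbered */`. The surrounding run of #defines is outside the hunk.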
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 73716b5d9b..f6b95d6d75 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -1325,6 +1325,9 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
s->s3->tmp.mask_ssl = SSL_TLSV1_2;
else
s->s3->tmp.mask_ssl = 0;
+ /* Skip TLS v1.0 ciphersuites if SSLv3 */
+ if ((c->algorithm_ssl & SSL_TLSV1) && s->version == SSL3_VERSION)
+ s->s3->tmp.mask_ssl |= SSL_TLSV1;
/*
* If it is a disabled cipher we didn't send it in client hello, so
* return an error.
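Review bot: The `|= SSL_TLSV1` is gated on `c->algorithm_ssl & SSL_TLSV1`, but mask_ssl describes what this connection cannot use regardless of which suite the server chose; the disabled-cipher test that follows (outside the hunk) presumably ANDs the mask against c->algorithm_ssl anyway, so the per-cipher condition is redundant and makes this mask derivation diverge from the version-only form in the t1_lib.c hunk. Simplify to `if (s->version == SSL3_VERSION) s->s3->tmp.mask_ssl |= SSL_TLSV1;` and replace the copied "Skip TLS v1.0 ciphersuites" comment, which is misleading here because nothing is skipped, with `/* TLSv1-only suites are not usable on an SSLv3 connection */`. Note also that the existing comment below says a disabled cipher "we didn't send in client hello": when the ClientHello offered a higher version and the server negotiated SSLv3, the TLSv1 suites were sent, so the rejection is still correct but for a different reason, and the error path it leads to is outside the hunk.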
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 943d4733f4..ffc95d848b 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1094,6 +1094,9 @@ void ssl_set_client_disabled(SSL *s)
s->s3->tmp.mask_ssl = SSL_TLSV1_2;
else
s->s3->tmp.mask_ssl = 0;
+ /* Disable TLS 1.0 ciphers if using SSL v3 */
+ if (s->client_version == SSL3_VERSION)
+ s->s3->tmp.mask_ssl |= SSL_TLSV1;
ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);
/*
* Disable static DH if we don't include any appropriate signature
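Review bot: This hunk tests `s->client_version` where the other three sites in the commit test `s->version`; that is presumably deliberate, since at ClientHello time client_version is the highest version being offered and the TLSv1-only suites need withholding only when even that is SSLv3, but the distinction is not recorded and the next reader may "fix" one site to match the other. Replace the added comment with one that states the reason: `/* client_version is the highest version offered; withhold TLSv1-only suites only for an SSLv3-only ClientHello */`. A matching note on the TLSv1.2 branch just above (whose condition is outside the hunk) would complete the picture. The remainder of ssl_set_client_disabled is outside the hunk.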