Commit 2b573382 authored by Dr. Stephen Henson's avatar Dr. Stephen Henson
Browse files

Don't alow TLS v1.0 ciphersuites for SSLv3 



This disables some ciphersuites which aren't supported in SSL v3:
specifically PSK ciphersuites which use SHA256 or SHA384 for the MAC.

Thanks to the Open Crypto Audit Project for identifying this issue.

Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
parent 5e3d21fe

ssl/s3_lib.c

+3 −0
Original line number Diff line number Diff line
@@ -4841,6 +4841,9 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, 
        /* Skip TLS v1.2 only ciphersuites if not supported */

        if ((c->algorithm_ssl & SSL_TLSV1_2) && !SSL_USE_TLS1_2_CIPHERS(s))

            continue;

        /* Skip TLS v1.0 ciphersuites if SSLv3 */

        if ((c->algorithm_ssl & SSL_TLSV1) && s->version == SSL3_VERSION)

            continue;



        ssl_set_masks(s, c);

        mask_k = s->s3->tmp.mask_k;

ssl/ssl_ciph.c

+2 −0
Original line number Diff line number Diff line
@@ -1621,6 +1621,8 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) 


    if (alg_ssl & SSL_SSLV3)

        ver = "SSLv3";

    else if (alg_ssl & SSL_TLSV1)

        ver = "TLSv1.0";

    else if (alg_ssl & SSL_TLSV1_2)

        ver = "TLSv1.2";

    else

ssl/ssl_locl.h

+2 −2
Original line number Diff line number Diff line
@@ -381,8 +381,8 @@ 


/* Bits for algorithm_ssl (protocol version) */

# define SSL_SSLV3               0x00000002U

# define SSL_TLSV1               SSL_SSLV3/* for now */

# define SSL_TLSV1_2             0x00000004U

# define SSL_TLSV1               0x00000004U

# define SSL_TLSV1_2             0x00000008U



/* Bits for algorithm2 (handshake digests and other extra flags) */

ssl/statem/statem_clnt.c

+3 −0
Original line number Diff line number Diff line
@@ -1325,6 +1325,9 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) 
        s->s3->tmp.mask_ssl = SSL_TLSV1_2;

    else

        s->s3->tmp.mask_ssl = 0;

    /* Skip TLS v1.0 ciphersuites if SSLv3 */

    if ((c->algorithm_ssl & SSL_TLSV1) && s->version == SSL3_VERSION)

        s->s3->tmp.mask_ssl |= SSL_TLSV1;

    /*

     * If it is a disabled cipher we didn't send it in client hello, so

     * return an error.

ssl/t1_lib.c

+3 −0
Original line number Diff line number Diff line
@@ -1094,6 +1094,9 @@ void ssl_set_client_disabled(SSL *s) 
        s->s3->tmp.mask_ssl = SSL_TLSV1_2;

    else

        s->s3->tmp.mask_ssl = 0;

    /* Disable TLS 1.0 ciphers if using SSL v3 */

    if (s->client_version == SSL3_VERSION)

        s->s3->tmp.mask_ssl |= SSL_TLSV1;

    ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);

    /*

     * Disable static DH if we don't include any appropriate signature