/[smeserver]/rpms/openssl/sme8/openssl-fips-0.9.8e-fallback-scsv.patch
ViewVC logotype

Annotation of /rpms/openssl/sme8/openssl-fips-0.9.8e-fallback-scsv.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph

Revision 1.1 - (hide annotations) (download)
Sat Oct 18 10:06:56 2014 UTC (10 years ago) by vip-ire
Branch: MAIN
CVS Tags: openssl-0_9_8e-32_1_el5_sme, openssl-0_9_8e-31_1_el5_sme, openssl-0_9_8e-33_1_el5_sme, HEAD 
* Sat Oct 18 2014 Daniel Berteaud <daniel@firewall-services.com> 0.9.8e-31.1.el5.sme
- update with ca-bundle.crt from SME 9 [SME: 8208]
1 vip-ire 1.1 diff -up openssl-fips-0.9.8e/apps/s_client.c.fallback-scsv openssl-fips-0.9.8e/apps/s_client.c
2     --- openssl-fips-0.9.8e/apps/s_client.c.fallback-scsv 2014-08-08 11:54:24.000000000 +0200
3     +++ openssl-fips-0.9.8e/apps/s_client.c 2014-10-15 16:11:24.131372054 +0200
4     @@ -217,6 +217,7 @@ static void sc_usage(void)
5     BIO_printf(bio_err," -ssl3 - just use SSLv3\n");
6     BIO_printf(bio_err," -tls1 - just use TLSv1\n");
7     BIO_printf(bio_err," -dtls1 - just use DTLSv1\n");
8     + BIO_printf(bio_err," -fallback_scsv - send TLS_FALLBACK_SCSV\n");
9     BIO_printf(bio_err," -mtu - set the MTU\n");
10     BIO_printf(bio_err," -no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
11     BIO_printf(bio_err," -bugs - Switch on all SSL implementation bug workarounds\n");
12     @@ -289,6 +290,7 @@ int MAIN(int argc, char **argv)
13    
14     struct sockaddr peer;
15     int peerlen = sizeof(peer);
16     + int fallback_scsv = 0;
17     int enable_timeouts = 0 ;
18     long mtu = 0;
19    
20     @@ -422,6 +424,10 @@ int MAIN(int argc, char **argv)
21     mtu = atol(*(++argv));
22     }
23     #endif
24     + else if (strcmp(*argv,"-fallback_scsv") == 0)
25     + {
26     + fallback_scsv = 1;
27     + }
28     else if (strcmp(*argv,"-bugs") == 0)
29     bugs=1;
30     else if (strcmp(*argv,"-keyform") == 0)
31     @@ -632,6 +638,9 @@ bad:
32     X509_STORE_set_flags(store, vflags);
33    
34     con=SSL_new(ctx);
35     + if (fallback_scsv)
36     + SSL_set_mode(con, SSL_MODE_SEND_FALLBACK_SCSV);
37     +
38     #ifndef OPENSSL_NO_KRB5
39     if (con && (con->kssl_ctx = kssl_ctx_new()) != NULL)
40     {
41     diff -up openssl-fips-0.9.8e/crypto/err/openssl.ec.fallback-scsv openssl-fips-0.9.8e/crypto/err/openssl.ec
42     --- openssl-fips-0.9.8e/crypto/err/openssl.ec.fallback-scsv 2007-08-15 15:35:29.000000000 +0200
43     +++ openssl-fips-0.9.8e/crypto/err/openssl.ec 2014-10-15 16:12:41.422116927 +0200
44     @@ -66,6 +66,7 @@ R SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION
45     R SSL_R_TLSV1_ALERT_PROTOCOL_VERSION 1070
46     R SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY 1071
47     R SSL_R_TLSV1_ALERT_INTERNAL_ERROR 1080
48     +R SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK 1086
49     R SSL_R_TLSV1_ALERT_USER_CANCELLED 1090
50     R SSL_R_TLSV1_ALERT_NO_RENEGOTIATION 1100
51    
52     diff -up openssl-fips-0.9.8e/ssl/dtls1.h.fallback-scsv openssl-fips-0.9.8e/ssl/dtls1.h
53     --- openssl-fips-0.9.8e/ssl/dtls1.h.fallback-scsv 2014-08-08 11:54:24.000000000 +0200
54     +++ openssl-fips-0.9.8e/ssl/dtls1.h 2014-10-15 16:07:06.407553827 +0200
55     @@ -68,6 +68,8 @@ extern "C" {
56     #endif
57    
58     #define DTLS1_VERSION 0xFEFF
59     +#define DTLS_MAX_VERSION DTLS1_VERSION
60     +
61     #define DTLS1_BAD_VER 0x0100
62    
63     #define DTLS1_AD_MISSING_HANDSHAKE_MESSAGE 110
64     @@ -208,4 +210,3 @@ typedef struct dtls1_record_data_st
65     }
66     #endif
67     #endif
68     -
69     diff -up openssl-fips-0.9.8e/ssl/d1_lib.c.fallback-scsv openssl-fips-0.9.8e/ssl/d1_lib.c
70     --- openssl-fips-0.9.8e/ssl/d1_lib.c.fallback-scsv 2014-10-15 16:07:06.406553804 +0200
71     +++ openssl-fips-0.9.8e/ssl/d1_lib.c 2014-10-15 16:18:24.206855442 +0200
72     @@ -189,6 +189,30 @@ void dtls1_clear(SSL *s)
73     s->version=DTLS1_VERSION;
74     }
75    
76     +long dtls1_ctrl(SSL *s, int cmd, long larg, void *parg)
77     + {
78     + int ret=0;
79     +
80     + switch (cmd)
81     + {
82     + case SSL_CTRL_CHECK_PROTO_VERSION:
83     + /* For library-internal use; checks that the current protocol
84     + * is the highest enabled version (according to s->ctx->method,
85     + * as version negotiation may have changed s->method). */
86     +#if DTLS_MAX_VERSION != DTLS1_VERSION
87     +# error Code needs update for DTLS_method() support beyond DTLS1_VERSION.
88     +#endif
89     + /* Just one protocol version is supported so far;
90     + * fail closed if the version is not as expected. */
91     + return s->version == DTLS_MAX_VERSION;
92     +
93     + default:
94     + ret = ssl3_ctrl(s, cmd, larg, parg);
95     + break;
96     + }
97     + return(ret);
98     + }
99     +
100     /*
101     * As it's impossible to use stream ciphers in "datagram" mode, this
102     * simple filter is designed to disengage them in DTLS. Unfortunately
103     diff -up openssl-fips-0.9.8e/ssl/ssl_err.c.fallback-scsv openssl-fips-0.9.8e/ssl/ssl_err.c
104     --- openssl-fips-0.9.8e/ssl/ssl_err.c.fallback-scsv 2014-08-08 11:54:24.000000000 +0200
105     +++ openssl-fips-0.9.8e/ssl/ssl_err.c 2014-10-15 16:07:06.409553872 +0200
106     @@ -327,6 +327,7 @@ static ERR_STRING_DATA SSL_str_reasons[]
107     {ERR_REASON(SSL_R_HTTPS_PROXY_REQUEST) ,"https proxy request"},
108     {ERR_REASON(SSL_R_HTTP_REQUEST) ,"http request"},
109     {ERR_REASON(SSL_R_ILLEGAL_PADDING) ,"illegal padding"},
110     +{ERR_REASON(SSL_R_INAPPROPRIATE_FALLBACK),"inappropriate fallback"},
111     {ERR_REASON(SSL_R_INVALID_CHALLENGE_LENGTH),"invalid challenge length"},
112     {ERR_REASON(SSL_R_INVALID_COMMAND) ,"invalid command"},
113     {ERR_REASON(SSL_R_INVALID_PURPOSE) ,"invalid purpose"},
114     @@ -448,6 +449,7 @@ static ERR_STRING_DATA SSL_str_reasons[]
115     {ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPTION_FAILED),"tlsv1 alert decryption failed"},
116     {ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPT_ERROR),"tlsv1 alert decrypt error"},
117     {ERR_REASON(SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION),"tlsv1 alert export restriction"},
118     +{ERR_REASON(SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK),"tlsv1 alert inappropriate fallback"},
119     {ERR_REASON(SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY),"tlsv1 alert insufficient security"},
120     {ERR_REASON(SSL_R_TLSV1_ALERT_INTERNAL_ERROR),"tlsv1 alert internal error"},
121     {ERR_REASON(SSL_R_TLSV1_ALERT_NO_RENEGOTIATION),"tlsv1 alert no renegotiation"},
122     diff -up openssl-fips-0.9.8e/ssl/ssl.h.fallback-scsv openssl-fips-0.9.8e/ssl/ssl.h
123     --- openssl-fips-0.9.8e/ssl/ssl.h.fallback-scsv 2014-08-08 11:54:24.000000000 +0200
124     +++ openssl-fips-0.9.8e/ssl/ssl.h 2014-10-15 16:33:56.329898526 +0200
125     @@ -551,6 +551,10 @@ typedef struct ssl_session_st
126     #define SSL_MODE_AUTO_RETRY 0x00000004L
127     /* Don't attempt to automatically build certificate chain */
128     #define SSL_MODE_NO_AUTO_CHAIN 0x00000008L
129     +/* Send TLS_FALLBACK_SCSV in the ClientHello.
130     + * To be set by applications that reconnect with a downgraded protocol
131     + * version; see draft-ietf-tls-downgrade-scsv-00 for details. */
132     +#define SSL_MODE_SEND_FALLBACK_SCSV 0x00000080L
133    
134    
135     /* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,
136     @@ -1145,6 +1149,7 @@ size_t SSL_get_peer_finished(const SSL *
137     #define SSL_AD_INTERNAL_ERROR TLS1_AD_INTERNAL_ERROR /* fatal */
138     #define SSL_AD_USER_CANCELLED TLS1_AD_USER_CANCELLED
139     #define SSL_AD_NO_RENEGOTIATION TLS1_AD_NO_RENEGOTIATION
140     +#define SSL_AD_INAPPROPRIATE_FALLBACK TLS1_AD_INAPPROPRIATE_FALLBACK /* fatal */
141    
142     #define SSL_ERROR_NONE 0
143     #define SSL_ERROR_SSL 1
144     @@ -1207,6 +1212,8 @@ size_t SSL_get_peer_finished(const SSL *
145     #define SSL_CTRL_CLEAR_OPTIONS 77
146     #define SSL_CTRL_CLEAR_MODE 78
147    
148     +#define SSL_CTRL_CHECK_PROTO_VERSION 119
149     +
150     #define SSL_session_reused(ssl) \
151     SSL_ctrl((ssl),SSL_CTRL_GET_SESSION_REUSED,0,NULL)
152     #define SSL_num_renegotiations(ssl) \
153     @@ -1824,6 +1831,7 @@ void ERR_load_SSL_strings(void);
154     #define SSL_R_HTTPS_PROXY_REQUEST 155
155     #define SSL_R_HTTP_REQUEST 156
156     #define SSL_R_ILLEGAL_PADDING 283
157     +#define SSL_R_INAPPROPRIATE_FALLBACK 373
158     #define SSL_R_INVALID_CHALLENGE_LENGTH 158
159     #define SSL_R_INVALID_COMMAND 280
160     #define SSL_R_INVALID_PURPOSE 278
161     @@ -1945,6 +1953,7 @@ void ERR_load_SSL_strings(void);
162     #define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED 1021
163     #define SSL_R_TLSV1_ALERT_DECRYPT_ERROR 1051
164     #define SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION 1060
165     +#define SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK 1086
166     #define SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY 1071
167     #define SSL_R_TLSV1_ALERT_INTERNAL_ERROR 1080
168     #define SSL_R_TLSV1_ALERT_NO_RENEGOTIATION 1100
169     diff -up openssl-fips-0.9.8e/ssl/ssl_lib.c.fallback-scsv openssl-fips-0.9.8e/ssl/ssl_lib.c
170     --- openssl-fips-0.9.8e/ssl/ssl_lib.c.fallback-scsv 2014-08-08 11:54:24.000000000 +0200
171     +++ openssl-fips-0.9.8e/ssl/ssl_lib.c 2014-10-15 16:07:06.410553894 +0200
172     @@ -1257,6 +1257,8 @@ int ssl_cipher_list_to_bytes(SSL *s,STAC
173    
174     if (sk == NULL) return(0);
175     q=p;
176     + if (put_cb == NULL)
177     + put_cb = s->method->put_cipher_by_char;
178    
179     for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
180     {
181     @@ -1266,24 +1268,36 @@ int ssl_cipher_list_to_bytes(SSL *s,STAC
182     continue;
183     #endif /* OPENSSL_NO_KRB5 */
184    
185     - j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p);
186     + j = put_cb(c,p);
187     p+=j;
188     }
189     - /* If p == q, no ciphers and caller indicates an error. Otherwise
190     - * add SCSV if not renegotiating.
191     - */
192     - if (p != q && !s->new_session)
193     + /* If p == q, no ciphers; caller indicates an error.
194     + * Otherwise, add applicable SCSVs. */
195     + if (p != q)
196     {
197     - static SSL_CIPHER scsv =
198     + if (!s->new_session)
199     {
200     - 0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0,
201     - };
202     - j = put_cb ? put_cb(&scsv,p) : ssl_put_cipher_by_char(s,&scsv,p);
203     - p+=j;
204     + static SSL_CIPHER scsv =
205     + {
206     + 0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0,
207     + };
208     + j = put_cb(&scsv,p);
209     + p+=j;
210     #ifdef OPENSSL_RI_DEBUG
211     - fprintf(stderr, "SCSV sent by client\n");
212     + fprintf(stderr, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV sent by client\n");
213     #endif
214     - }
215     + }
216     +
217     + if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV)
218     + {
219     + static SSL_CIPHER scsv =
220     + {
221     + 0, NULL, SSL3_CK_FALLBACK_SCSV, 0, 0, 0, 0, 0, 0, 0,
222     + };
223     + j = put_cb(&scsv,p);
224     + p+=j;
225     + }
226     + }
227    
228     return(p-q);
229     }
230     @@ -1294,11 +1308,12 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_ciphe
231     SSL_CIPHER *c;
232     STACK_OF(SSL_CIPHER) *sk;
233     int i,n;
234     +
235     if (s->s3)
236     s->s3->send_connection_binding = 0;
237    
238     n=ssl_put_cipher_by_char(s,NULL,NULL);
239     - if ((num%n) != 0)
240     + if (n == 0 || (num%n) != 0)
241     {
242     SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
243     return(NULL);
244     @@ -1313,7 +1328,7 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_ciphe
245    
246     for (i=0; i<num; i+=n)
247     {
248     - /* Check for SCSV */
249     + /* Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV */
250     if (s->s3 && (n != 3 || !p[0]) &&
251     (p[n-2] == ((SSL3_CK_SCSV >> 8) & 0xff)) &&
252     (p[n-1] == (SSL3_CK_SCSV & 0xff)))
253     @@ -1333,6 +1348,23 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_ciphe
254     continue;
255     }
256    
257     + /* Check for TLS_FALLBACK_SCSV */
258     + if ((n != 3 || !p[0]) &&
259     + (p[n-2] == ((SSL3_CK_FALLBACK_SCSV >> 8) & 0xff)) &&
260     + (p[n-1] == (SSL3_CK_FALLBACK_SCSV & 0xff)))
261     + {
262     + /* The SCSV indicates that the client previously tried a higher version.
263     + * Fail if the current version is an unexpected downgrade. */
264     + if (!SSL_ctrl(s, SSL_CTRL_CHECK_PROTO_VERSION, 0, NULL))
265     + {
266     + SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_INAPPROPRIATE_FALLBACK);
267     + if (s->s3)
268     + ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_INAPPROPRIATE_FALLBACK);
269     + goto err;
270     + }
271     + continue;
272     + }
273     +
274     c=ssl_get_cipher_by_char(s,p);
275     p+=n;
276     if (c != NULL)
277     diff -up openssl-fips-0.9.8e/ssl/ssl_locl.h.fallback-scsv openssl-fips-0.9.8e/ssl/ssl_locl.h
278     --- openssl-fips-0.9.8e/ssl/ssl_locl.h.fallback-scsv 2014-08-08 11:54:24.000000000 +0200
279     +++ openssl-fips-0.9.8e/ssl/ssl_locl.h 2014-10-15 16:20:04.917129020 +0200
280     @@ -684,7 +684,7 @@ SSL_METHOD *func_name(void) \
281     dtls1_read_bytes, \
282     dtls1_write_app_data_bytes, \
283     dtls1_dispatch_alert, \
284     - ssl3_ctrl, \
285     + dtls1_ctrl, \
286     ssl3_ctx_ctrl, \
287     ssl3_get_cipher_by_char, \
288     ssl3_put_cipher_by_char, \
289     diff -up openssl-fips-0.9.8e/ssl/ssl3.h.fallback-scsv openssl-fips-0.9.8e/ssl/ssl3.h
290     --- openssl-fips-0.9.8e/ssl/ssl3.h.fallback-scsv 2014-08-08 11:54:24.000000000 +0200
291     +++ openssl-fips-0.9.8e/ssl/ssl3.h 2014-10-15 16:07:06.409553872 +0200
292     @@ -129,9 +129,14 @@
293     extern "C" {
294     #endif
295    
296     -/* Signalling cipher suite value: from draft-ietf-tls-renegotiation-03.txt */
297     +/* Signalling cipher suite value from RFC 5746
298     + * (TLS_EMPTY_RENEGOTIATION_INFO_SCSV) */
299     #define SSL3_CK_SCSV 0x030000FF
300    
301     +/* Signalling cipher suite value from draft-ietf-tls-downgrade-scsv-00
302     + * (TLS_FALLBACK_SCSV) */
303     +#define SSL3_CK_FALLBACK_SCSV 0x03005600
304     +
305     #define SSL3_CK_RSA_NULL_MD5 0x03000001
306     #define SSL3_CK_RSA_NULL_SHA 0x03000002
307     #define SSL3_CK_RSA_RC4_40_MD5 0x03000003
308     diff -up openssl-fips-0.9.8e/ssl/s2_lib.c.fallback-scsv openssl-fips-0.9.8e/ssl/s2_lib.c
309     --- openssl-fips-0.9.8e/ssl/s2_lib.c.fallback-scsv 2007-01-21 17:07:25.000000000 +0100
310     +++ openssl-fips-0.9.8e/ssl/s2_lib.c 2014-10-15 16:07:06.407553827 +0200
311     @@ -314,6 +314,8 @@ long ssl2_ctrl(SSL *s, int cmd, long lar
312     case SSL_CTRL_GET_SESSION_REUSED:
313     ret=s->hit;
314     break;
315     + case SSL_CTRL_CHECK_PROTO_VERSION:
316     + return ssl3_ctrl(s, SSL_CTRL_CHECK_PROTO_VERSION, larg, parg);
317     default:
318     break;
319     }
320     @@ -362,7 +364,7 @@ int ssl2_put_cipher_by_char(const SSL_CI
321     if (p != NULL)
322     {
323     l=c->id;
324     - if ((l & 0xff000000) != 0x02000000) return(0);
325     + if ((l & 0xff000000) != 0x02000000 && l != SSL3_CK_FALLBACK_SCSV) return(0);
326     p[0]=((unsigned char)(l>>16L))&0xFF;
327     p[1]=((unsigned char)(l>> 8L))&0xFF;
328     p[2]=((unsigned char)(l ))&0xFF;
329     diff -up openssl-fips-0.9.8e/ssl/s23_clnt.c.fallback-scsv openssl-fips-0.9.8e/ssl/s23_clnt.c
330     --- openssl-fips-0.9.8e/ssl/s23_clnt.c.fallback-scsv 2014-10-15 16:07:06.407553827 +0200
331     +++ openssl-fips-0.9.8e/ssl/s23_clnt.c 2014-10-15 16:31:03.515997177 +0200
332     @@ -553,6 +553,9 @@ static int ssl23_get_server_hello(SSL *s
333     SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
334     goto err;
335     }
336     +
337     + /* ensure that TLS_MAX_VERSION is up-to-date */
338     + OPENSSL_assert(s->version <= TLS_MAX_VERSION);
339    
340     s->handshake_func=s->method->ssl_connect;
341     }
342     diff -up openssl-fips-0.9.8e/ssl/s23_srvr.c.fallback-scsv openssl-fips-0.9.8e/ssl/s23_srvr.c
343     --- openssl-fips-0.9.8e/ssl/s23_srvr.c.fallback-scsv 2014-08-08 11:54:24.000000000 +0200
344     +++ openssl-fips-0.9.8e/ssl/s23_srvr.c 2014-10-15 16:07:06.407553827 +0200
345     @@ -402,6 +402,9 @@ int ssl23_get_client_hello(SSL *s)
346     }
347     #endif
348    
349     + /* ensure that TLS_MAX_VERSION is up-to-date */
350     + OPENSSL_assert(s->version <= TLS_MAX_VERSION);
351     +
352     if (s->state == SSL23_ST_SR_CLNT_HELLO_B)
353     {
354     /* we have SSLv3/TLSv1 in an SSLv2 header
355     diff -up openssl-fips-0.9.8e/ssl/s3_enc.c.fallback-scsv openssl-fips-0.9.8e/ssl/s3_enc.c
356     diff -up openssl-fips-0.9.8e/ssl/s3_lib.c.fallback-scsv openssl-fips-0.9.8e/ssl/s3_lib.c
357     --- openssl-fips-0.9.8e/ssl/s3_lib.c.fallback-scsv 2007-05-21 14:45:10.000000000 +0200
358     +++ openssl-fips-0.9.8e/ssl/s3_lib.c 2014-10-15 16:32:22.307775935 +0200
359     @@ -1904,6 +1904,29 @@ long ssl3_ctrl(SSL *s, int cmd, long lar
360     }
361     break;
362     #endif /* !OPENSSL_NO_ECDH */
363     +
364     + case SSL_CTRL_CHECK_PROTO_VERSION:
365     + /* For library-internal use; checks that the current protocol
366     + * is the highest enabled version (according to s->ctx->method,
367     + * as version negotiation may have changed s->method). */
368     + if (s->version == s->ctx->method->version)
369     + return 1;
370     + /* Apparently we're using a version-flexible SSL_METHOD
371     + * (not at its highest protocol version). */
372     + if (s->ctx->method->version == SSLv23_method()->version)
373     + {
374     +#if TLS_MAX_VERSION != TLS1_VERSION
375     +# error Code needs update for SSLv23_method() support beyond TLS1_VERSION.
376     +#endif
377     + if (!(s->options & SSL_OP_NO_TLSv1))
378     + return s->version == TLS1_VERSION;
379     + if (!(s->options & SSL_OP_NO_SSLv3))
380     + return s->version == SSL3_VERSION;
381     + if (!(s->options & SSL_OP_NO_SSLv2))
382     + return s->version == SSL2_VERSION;
383     + }
384     + return 0; /* Unexpected state; fail closed. */
385     +
386     default:
387     break;
388     }
389     @@ -2133,6 +2156,7 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx
390     }
391     break;
392     #endif
393     +
394     default:
395     return(0);
396     }
397     diff -up openssl-fips-0.9.8e/ssl/tls1.h.fallback-scsv openssl-fips-0.9.8e/ssl/tls1.h
398     --- openssl-fips-0.9.8e/ssl/tls1.h.fallback-scsv 2014-08-08 11:54:24.000000000 +0200
399     +++ openssl-fips-0.9.8e/ssl/tls1.h 2014-10-15 16:28:09.813075757 +0200
400     @@ -81,9 +81,24 @@ extern "C" {
401     #define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES 0
402    
403     #define TLS1_VERSION 0x0301
404     +#define TLS1_1_VERSION 0x0302
405     +#define TLS1_2_VERSION 0x0303
406     +/* TLS 1.1 and 1.2 are not supported by this version of OpenSSL, so
407     + * TLS_MAX_VERSION indicates TLS 1.0 regardless of the above
408     + * definitions. (s23_clnt.c and s23_srvr.c have an OPENSSL_assert()
409     + * check that would catch the error if TLS_MAX_VERSION was too low.)
410     + */
411     +#define TLS_MAX_VERSION TLS1_VERSION
412     +
413     #define TLS1_VERSION_MAJOR 0x03
414     #define TLS1_VERSION_MINOR 0x01
415    
416     +#define TLS1_1_VERSION_MAJOR 0x03
417     +#define TLS1_1_VERSION_MINOR 0x02
418     +
419     +#define TLS1_2_VERSION_MAJOR 0x03
420     +#define TLS1_2_VERSION_MINOR 0x03
421     +
422     #define TLS1_AD_DECRYPTION_FAILED 21
423     #define TLS1_AD_RECORD_OVERFLOW 22
424     #define TLS1_AD_UNKNOWN_CA 48 /* fatal */
425     @@ -94,6 +109,7 @@ extern "C" {
426     #define TLS1_AD_PROTOCOL_VERSION 70 /* fatal */
427     #define TLS1_AD_INSUFFICIENT_SECURITY 71 /* fatal */
428     #define TLS1_AD_INTERNAL_ERROR 80 /* fatal */
429     +#define TLS1_AD_INAPPROPRIATE_FALLBACK 86 /* fatal */
430     #define TLS1_AD_USER_CANCELLED 90
431     #define TLS1_AD_NO_RENEGOTIATION 100
432    
433     diff -up openssl-fips-0.9.8e/ssl/t1_enc.c.fallback-scsv openssl-fips-0.9.8e/ssl/t1_enc.c
434     --- openssl-fips-0.9.8e/ssl/t1_enc.c.fallback-scsv 2014-08-08 11:54:24.000000000 +0200
435     +++ openssl-fips-0.9.8e/ssl/t1_enc.c 2014-10-15 16:25:54.695025409 +0200
436     @@ -848,9 +848,9 @@ int tls1_alert_code(int code)
437     case SSL_AD_INTERNAL_ERROR: return(TLS1_AD_INTERNAL_ERROR);
438     case SSL_AD_USER_CANCELLED: return(TLS1_AD_USER_CANCELLED);
439     case SSL_AD_NO_RENEGOTIATION: return(TLS1_AD_NO_RENEGOTIATION);
440     + case SSL_AD_INAPPROPRIATE_FALLBACK:return(TLS1_AD_INAPPROPRIATE_FALLBACK);
441     case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE: return
442     (DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
443     default: return(-1);
444     }
445     }
446     -
admin@koozali.org
 ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed