[OE-core] [PATCH] OpenSSL: SSLv3 POODLE vulnerability (CVE-2014-3566)

Saul Wold sgw at linux.intel.com
Thu Oct 16 06:00:43 UTC 2014


On 10/15/2014 10:50 PM, Sona Sarmadi wrote:
>   This patch is a backport from OpenSSL_1.0.1j.
>   (From upstream: 6bfe55380abbf7528e04e59f18921bd6c896af1c)
>
>   "Unfortunately there are still ancient and broken servers in use which
>    cannot handle this technique and will fail to connect. Some servers only
>    work if TLS is turned off."
>

Sona,

Does it make more sense to update to 1.0.1j directly? I know it's late 
in the 1.7 release cycle, but there are 3 other CVEs fixed in 'j' 
along with some other fixes.  People may look more at the version that 
is part of 1.7 than at the back-ported fixes.

Please review the changes for 1.0.1j; it may be a better approach even at 
this late stage.

Sau!

> Reference:
>   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
>   https://www.openssl.org/~bodo/ssl-poodle.pdf
>
> Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
> ---
>   .../support-TLS_FALLBACK_SCSV-CVE-2014-3566.patch  | 499 +++++++++++++++++++++
>   .../recipes-connectivity/openssl/openssl_1.0.1g.bb |   1 +
>   2 files changed, 500 insertions(+)
>   create mode 100644 meta/recipes-connectivity/openssl/openssl/support-TLS_FALLBACK_SCSV-CVE-2014-3566.patch
>
> diff --git a/meta/recipes-connectivity/openssl/openssl/support-TLS_FALLBACK_SCSV-CVE-2014-3566.patch b/meta/recipes-connectivity/openssl/openssl/support-TLS_FALLBACK_SCSV-CVE-2014-3566.patch
> new file mode 100644
> index 0000000..c692b04
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssl/openssl/support-TLS_FALLBACK_SCSV-CVE-2014-3566.patch
> @@ -0,0 +1,499 @@
> +From 6bfe55380abbf7528e04e59f18921bd6c896af1c Mon Sep 17 00:00:00 2001
> +From: Bodo Moeller <bodo at openssl.org>
> +Date: Wed, 15 Oct 2014 04:05:42 +0200
> +Subject: [PATCH] Support TLS_FALLBACK_SCSV.
> +
> +Upstream-Status: Backport
> +
> +Reviewed-by: Rich Salz <rsalz at openssl.org>
> +---
> + CHANGES               |    6 +++++
> + apps/s_client.c       |   10 +++++++++
> + crypto/err/openssl.ec |    1 +
> + ssl/d1_lib.c          |   10 +++++++++
> + ssl/dtls1.h           |    3 ++-
> + ssl/s23_clnt.c        |    3 +++
> + ssl/s23_srvr.c        |    3 +++
> + ssl/s2_lib.c          |    4 +++-
> + ssl/s3_enc.c          |    2 +-
> + ssl/s3_lib.c          |   29 +++++++++++++++++++++++-
> + ssl/ssl.h             |    9 ++++++++
> + ssl/ssl3.h            |    7 +++++-
> + ssl/ssl_err.c         |    2 ++
> + ssl/ssl_lib.c         |   60 +++++++++++++++++++++++++++++++++++++------------
> + ssl/t1_enc.c          |    1 +
> + ssl/tls1.h            |   15 ++++++++-----
> + 16 files changed, 140 insertions(+), 25 deletions(-)
> +
> +diff --git a/CHANGES b/CHANGES
> +index 79477f6..c79f4d0 100644
> +--- a/CHANGES
> ++++ b/CHANGES
> +@@ -4,6 +4,12 @@
> +
> +  Changes between 1.0.1f and 1.0.1g [7 Apr 2014]
> +
> ++  *) Add support for TLS_FALLBACK_SCSV.
> ++     Client applications doing fallback retries should call
> ++     SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV).
> ++     (CVE-2014-3566)
> ++     [Adam Langley, Bodo Moeller]
> ++
> +   *) A missing bounds check in the handling of the TLS heartbeat extension
> +      can be used to reveal up to 64k of memory to a connected client or
> +      server.
> +diff --git a/apps/s_client.c b/apps/s_client.c
> +index 4625467..c2e160c 100644
> +--- a/apps/s_client.c
> ++++ b/apps/s_client.c
> +@@ -337,6 +337,7 @@ static void sc_usage(void)
> + 	BIO_printf(bio_err," -tls1_1       - just use TLSv1.1\n");
> + 	BIO_printf(bio_err," -tls1         - just use TLSv1\n");
> + 	BIO_printf(bio_err," -dtls1        - just use DTLSv1\n");
> ++	BIO_printf(bio_err," -fallback_scsv - send TLS_FALLBACK_SCSV\n");
> + 	BIO_printf(bio_err," -mtu          - set the link layer MTU\n");
> + 	BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
> + 	BIO_printf(bio_err," -bugs         - Switch on all SSL implementation bug workarounds\n");
> +@@ -617,6 +618,7 @@ int MAIN(int argc, char **argv)
> + 	char *sess_out = NULL;
> + 	struct sockaddr peer;
> + 	int peerlen = sizeof(peer);
> ++	int fallback_scsv = 0;
> + 	int enable_timeouts = 0 ;
> + 	long socket_mtu = 0;
> + #ifndef OPENSSL_NO_JPAKE
> +@@ -823,6 +825,10 @@ int MAIN(int argc, char **argv)
> + 			meth=DTLSv1_client_method();
> + 			socket_type=SOCK_DGRAM;
> + 			}
> ++		else if (strcmp(*argv,"-fallback_scsv") == 0)
> ++			{
> ++			fallback_scsv = 1;
> ++			}
> + 		else if (strcmp(*argv,"-timeout") == 0)
> + 			enable_timeouts=1;
> + 		else if (strcmp(*argv,"-mtu") == 0)
> +@@ -1235,6 +1241,10 @@ bad:
> + 		SSL_set_session(con, sess);
> + 		SSL_SESSION_free(sess);
> + 		}
> ++
> ++	if (fallback_scsv)
> ++		SSL_set_mode(con, SSL_MODE_SEND_FALLBACK_SCSV);
> ++
> + #ifndef OPENSSL_NO_TLSEXT
> + 	if (servername != NULL)
> + 		{
> +diff --git a/crypto/err/openssl.ec b/crypto/err/openssl.ec
> +index e0554b4..34754e5 100644
> +--- a/crypto/err/openssl.ec
> ++++ b/crypto/err/openssl.ec
> +@@ -71,6 +71,7 @@ R SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION		1060
> + R SSL_R_TLSV1_ALERT_PROTOCOL_VERSION		1070
> + R SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY	1071
> + R SSL_R_TLSV1_ALERT_INTERNAL_ERROR		1080
> ++R SSL_R_SSLV3_ALERT_INAPPROPRIATE_FALLBACK	1086
> + R SSL_R_TLSV1_ALERT_USER_CANCELLED		1090
> + R SSL_R_TLSV1_ALERT_NO_RENEGOTIATION		1100
> + R SSL_R_TLSV1_UNSUPPORTED_EXTENSION		1110
> +diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
> +index 6bde16f..82ca653 100644
> +--- a/ssl/d1_lib.c
> ++++ b/ssl/d1_lib.c
> +@@ -266,6 +266,16 @@ long dtls1_ctrl(SSL *s, int cmd, long larg, void *parg)
> + 	case DTLS_CTRL_LISTEN:
> + 		ret = dtls1_listen(s, parg);
> + 		break;
> ++	case SSL_CTRL_CHECK_PROTO_VERSION:
> ++		/* For library-internal use; checks that the current protocol
> ++		 * is the highest enabled version (according to s->ctx->method,
> ++		 * as version negotiation may have changed s->method). */
> ++#if DTLS_MAX_VERSION != DTLS1_VERSION
> ++#  error Code needs update for DTLS_method() support beyond DTLS1_VERSION.
> ++#endif
> ++		/* Just one protocol version is supported so far;
> ++		 * fail closed if the version is not as expected. */
> ++		return s->version == DTLS_MAX_VERSION;
> +
> + 	default:
> + 		ret = ssl3_ctrl(s, cmd, larg, parg);
> +diff --git a/ssl/dtls1.h b/ssl/dtls1.h
> +index e65d501..192c5de 100644
> +--- a/ssl/dtls1.h
> ++++ b/ssl/dtls1.h
> +@@ -84,6 +84,8 @@ extern "C" {
> + #endif
> +
> + #define DTLS1_VERSION			0xFEFF
> ++#define DTLS_MAX_VERSION		DTLS1_VERSION
> ++
> + #define DTLS1_BAD_VER			0x0100
> +
> + #if 0
> +@@ -284,4 +286,3 @@ typedef struct dtls1_record_data_st
> + }
> + #endif
> + #endif
> +-
> +diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c
> +index 2b93c63..d4e43c3 100644
> +--- a/ssl/s23_clnt.c
> ++++ b/ssl/s23_clnt.c
> +@@ -736,6 +736,9 @@ static int ssl23_get_server_hello(SSL *s)
> + 			goto err;
> + 			}
> +
> ++		/* ensure that TLS_MAX_VERSION is up-to-date */
> ++		OPENSSL_assert(s->version <= TLS_MAX_VERSION);
> ++
> + 		if (p[0] == SSL3_RT_ALERT && p[5] != SSL3_AL_WARNING)
> + 			{
> + 			/* fatal alert */
> +diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
> +index 2901a6b..567a6b1 100644
> +--- a/ssl/s23_srvr.c
> ++++ b/ssl/s23_srvr.c
> +@@ -421,6 +421,9 @@ int ssl23_get_client_hello(SSL *s)
> + 			}
> + 		}
> +
> ++	/* ensure that TLS_MAX_VERSION is up-to-date */
> ++	OPENSSL_assert(s->version <= TLS_MAX_VERSION);
> ++
> + #ifdef OPENSSL_FIPS
> + 	if (FIPS_mode() && (s->version < TLS1_VERSION))
> + 		{
> +diff --git a/ssl/s2_lib.c b/ssl/s2_lib.c
> +index c0bdae5..c63be30 100644
> +--- a/ssl/s2_lib.c
> ++++ b/ssl/s2_lib.c
> +@@ -391,6 +391,8 @@ long ssl2_ctrl(SSL *s, int cmd, long larg, void *parg)
> + 	case SSL_CTRL_GET_SESSION_REUSED:
> + 		ret=s->hit;
> + 		break;
> ++	case SSL_CTRL_CHECK_PROTO_VERSION:
> ++		return ssl3_ctrl(s, SSL_CTRL_CHECK_PROTO_VERSION, larg, parg);
> + 	default:
> + 		break;
> + 		}
> +@@ -437,7 +439,7 @@ int ssl2_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p)
> + 	if (p != NULL)
> + 		{
> + 		l=c->id;
> +-		if ((l & 0xff000000) != 0x02000000) return(0);
> ++		if ((l & 0xff000000) != 0x02000000 && l != SSL3_CK_FALLBACK_SCSV) return(0);
> + 		p[0]=((unsigned char)(l>>16L))&0xFF;
> + 		p[1]=((unsigned char)(l>> 8L))&0xFF;
> + 		p[2]=((unsigned char)(l     ))&0xFF;
> +diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
> +index 9962677..9db45af 100644
> +--- a/ssl/s3_enc.c
> ++++ b/ssl/s3_enc.c
> +@@ -900,7 +900,7 @@ int ssl3_alert_code(int code)
> + 	case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: return(SSL3_AD_HANDSHAKE_FAILURE);
> + 	case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: return(SSL3_AD_HANDSHAKE_FAILURE);
> + 	case SSL_AD_UNKNOWN_PSK_IDENTITY:return(TLS1_AD_UNKNOWN_PSK_IDENTITY);
> ++	case SSL_AD_INAPPROPRIATE_FALLBACK:return(TLS1_AD_INAPPROPRIATE_FALLBACK);
> + 	default:			return(-1);
> + 		}
> + 	}
> +-
> +diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
> +index e17f126..3f17453 100644
> +--- a/ssl/s3_lib.c
> ++++ b/ssl/s3_lib.c
> +@@ -3355,6 +3355,33 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
> + #endif
> +
> + #endif /* !OPENSSL_NO_TLSEXT */
> ++
> ++	case SSL_CTRL_CHECK_PROTO_VERSION:
> ++		/* For library-internal use; checks that the current protocol
> ++		 * is the highest enabled version (according to s->ctx->method,
> ++		 * as version negotiation may have changed s->method). */
> ++		if (s->version == s->ctx->method->version)
> ++			return 1;
> ++		/* Apparently we're using a version-flexible SSL_METHOD
> ++		 * (not at its highest protocol version). */
> ++		if (s->ctx->method->version == SSLv23_method()->version)
> ++			{
> ++#if TLS_MAX_VERSION != TLS1_2_VERSION
> ++#  error Code needs update for SSLv23_method() support beyond TLS1_2_VERSION.
> ++#endif
> ++			if (!(s->options & SSL_OP_NO_TLSv1_2))
> ++				return s->version == TLS1_2_VERSION;
> ++			if (!(s->options & SSL_OP_NO_TLSv1_1))
> ++				return s->version == TLS1_1_VERSION;
> ++			if (!(s->options & SSL_OP_NO_TLSv1))
> ++				return s->version == TLS1_VERSION;
> ++			if (!(s->options & SSL_OP_NO_SSLv3))
> ++				return s->version == SSL3_VERSION;
> ++			if (!(s->options & SSL_OP_NO_SSLv2))
> ++				return s->version == SSL2_VERSION;
> ++			}
> ++		return 0; /* Unexpected state; fail closed. */
> ++
> + 	default:
> + 		break;
> + 		}
> +@@ -3714,6 +3741,7 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
> + 		break;
> + #endif
> + #endif
> ++
> + 	default:
> + 		return(0);
> + 		}
> +@@ -4296,4 +4324,3 @@ long ssl_get_algorithm2(SSL *s)
> + 		return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256;
> + 	return alg2;
> + 	}
> +-		
> +diff --git a/ssl/ssl.h b/ssl/ssl.h
> +index b73da5e..b78a1cc 100644
> +--- a/ssl/ssl.h
> ++++ b/ssl/ssl.h
> +@@ -653,6 +653,10 @@ struct ssl_session_st
> +  */
> + #define SSL_MODE_SEND_CLIENTHELLO_TIME 0x00000020L
> + #define SSL_MODE_SEND_SERVERHELLO_TIME 0x00000040L
> ++/* Send TLS_FALLBACK_SCSV in the ClientHello.
> ++ * To be set by applications that reconnect with a downgraded protocol
> ++ * version; see draft-ietf-tls-downgrade-scsv-00 for details. */
> ++#define SSL_MODE_SEND_FALLBACK_SCSV 0x00000080L
> +
> + /* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,
> +  * they cannot be used to clear bits. */
> +@@ -1511,6 +1515,7 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
> + #define SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE
> + #define SSL_AD_BAD_CERTIFICATE_HASH_VALUE TLS1_AD_BAD_CERTIFICATE_HASH_VALUE
> + #define SSL_AD_UNKNOWN_PSK_IDENTITY     TLS1_AD_UNKNOWN_PSK_IDENTITY /* fatal */
> ++#define SSL_AD_INAPPROPRIATE_FALLBACK	TLS1_AD_INAPPROPRIATE_FALLBACK /* fatal */
> +
> + #define SSL_ERROR_NONE			0
> + #define SSL_ERROR_SSL			1
> +@@ -1621,6 +1626,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
> + #define SSL_CTRL_GET_EXTRA_CHAIN_CERTS		82
> + #define SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS	83
> +
> ++#define SSL_CTRL_CHECK_PROTO_VERSION		119
> ++
> + #define DTLSv1_get_timeout(ssl, arg) \
> + 	SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg)
> + #define DTLSv1_handle_timeout(ssl) \
> +@@ -2379,6 +2386,7 @@ void ERR_load_SSL_strings(void);
> + #define SSL_R_HTTPS_PROXY_REQUEST			 155
> + #define SSL_R_HTTP_REQUEST				 156
> + #define SSL_R_ILLEGAL_PADDING				 283
> ++#define SSL_R_INAPPROPRIATE_FALLBACK			 373
> + #define SSL_R_INCONSISTENT_COMPRESSION			 340
> + #define SSL_R_INVALID_CHALLENGE_LENGTH			 158
> + #define SSL_R_INVALID_COMMAND				 280
> +@@ -2525,6 +2533,7 @@ void ERR_load_SSL_strings(void);
> + #define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED		 1021
> + #define SSL_R_TLSV1_ALERT_DECRYPT_ERROR			 1051
> + #define SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION		 1060
> ++#define SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK	 1086
> + #define SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY		 1071
> + #define SSL_R_TLSV1_ALERT_INTERNAL_ERROR		 1080
> + #define SSL_R_TLSV1_ALERT_NO_RENEGOTIATION		 1100
> +diff --git a/ssl/ssl3.h b/ssl/ssl3.h
> +index 37f19e3..85f1504 100644
> +--- a/ssl/ssl3.h
> ++++ b/ssl/ssl3.h
> +@@ -128,9 +128,14 @@
> + extern "C" {
> + #endif
> +
> +-/* Signalling cipher suite value: from draft-ietf-tls-renegotiation-03.txt */
> ++/* Signalling cipher suite value from RFC 5746
> ++ * (TLS_EMPTY_RENEGOTIATION_INFO_SCSV) */
> + #define SSL3_CK_SCSV				0x030000FF
> +
> ++/* Signalling cipher suite value from draft-ietf-tls-downgrade-scsv-00
> ++ * (TLS_FALLBACK_SCSV) */
> ++#define SSL3_CK_FALLBACK_SCSV			0x03005600
> ++
> + #define SSL3_CK_RSA_NULL_MD5			0x03000001
> + #define SSL3_CK_RSA_NULL_SHA			0x03000002
> + #define SSL3_CK_RSA_RC4_40_MD5 			0x03000003
> +diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
> +index d2f0dec..1b7eb47 100644
> +--- a/ssl/ssl_err.c
> ++++ b/ssl/ssl_err.c
> +@@ -383,6 +383,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
> + {ERR_REASON(SSL_R_HTTPS_PROXY_REQUEST)   ,"https proxy request"},
> + {ERR_REASON(SSL_R_HTTP_REQUEST)          ,"http request"},
> + {ERR_REASON(SSL_R_ILLEGAL_PADDING)       ,"illegal padding"},
> ++{ERR_REASON(SSL_R_INAPPROPRIATE_FALLBACK),"inappropriate fallback"},
> + {ERR_REASON(SSL_R_INCONSISTENT_COMPRESSION),"inconsistent compression"},
> + {ERR_REASON(SSL_R_INVALID_CHALLENGE_LENGTH),"invalid challenge length"},
> + {ERR_REASON(SSL_R_INVALID_COMMAND)       ,"invalid command"},
> +@@ -529,6 +530,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
> + {ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPTION_FAILED),"tlsv1 alert decryption failed"},
> + {ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPT_ERROR),"tlsv1 alert decrypt error"},
> + {ERR_REASON(SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION),"tlsv1 alert export restriction"},
> ++{ERR_REASON(SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK),"tlsv1 alert inappropriate fallback"},
> + {ERR_REASON(SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY),"tlsv1 alert insufficient security"},
> + {ERR_REASON(SSL_R_TLSV1_ALERT_INTERNAL_ERROR),"tlsv1 alert internal error"},
> + {ERR_REASON(SSL_R_TLSV1_ALERT_NO_RENEGOTIATION),"tlsv1 alert no renegotiation"},
> +diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
> +index cc094e4..3f66fc0 100644
> +--- a/ssl/ssl_lib.c
> ++++ b/ssl/ssl_lib.c
> +@@ -1387,6 +1387,8 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
> +
> + 	if (sk == NULL) return(0);
> + 	q=p;
> ++	if (put_cb == NULL)
> ++		put_cb = s->method->put_cipher_by_char;
> +
> + 	for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
> + 		{
> +@@ -1402,24 +1402,36 @@ int ssl_cipher_list_to_bytes(SSL *s,STAC
> + 		    s->psk_client_callback == NULL)
> + 			continue;
> + #endif /* OPENSSL_NO_PSK */
> +-		j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p);
> ++		j = put_cb(c,p);
> + 		p+=j;
> + 		}
> +-	/* If p == q, no ciphers and caller indicates an error. Otherwise
> ++	/* If p == q, no ciphers; caller indicates an error. Otherwise
> + 	 * add SCSV if not renegotiating.
> + 	 */
> +-	if (p != q && !s->renegotiate)
> ++	if (p != q)
> + 		{
> +-		static SSL_CIPHER scsv =
> ++		 if (!s->renegotiate)
> + 			{
> +-			0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
> +-			};
> +-		j = put_cb ? put_cb(&scsv,p) : ssl_put_cipher_by_char(s,&scsv,p);
> +-		p+=j;
> ++			static SSL_CIPHER scsv =
> ++				{
> ++				0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
> ++				};
> ++			j = put_cb(&scsv,p);
> ++			p+=j;
> + #ifdef OPENSSL_RI_DEBUG
> +-		fprintf(stderr, "SCSV sent by client\n");
> ++			fprintf(stderr, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV sent by client\n");
> + #endif
> +-		}
> ++			}
> ++		if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV)
> ++			{
> ++			static SSL_CIPHER scsv =
> ++				{
> ++				0, NULL, SSL3_CK_FALLBACK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
> ++				};
> ++			j = put_cb(&scsv,p);
> ++			p+=j;
> ++			}
> ++ 		}
> +
> + 	return(p-q);
> + 	}
> +@@ -1439,11 +1453,12 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,
> + 	const SSL_CIPHER *c;
> + 	STACK_OF(SSL_CIPHER) *sk;
> + 	int i,n;
> ++
> + 	if (s->s3)
> + 		s->s3->send_connection_binding = 0;
> +
> + 	n=ssl_put_cipher_by_char(s,NULL,NULL);
> +-	if ((num%n) != 0)
> ++	if (n == 0 || (num%n) != 0)
> + 		{
> + 		SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
> + 		return(NULL);
> +@@ -1458,7 +1473,7 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,
> +
> + 	for (i=0; i<num; i+=n)
> + 		{
> +-		/* Check for SCSV */
> ++		/* Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV */
> + 		if (s->s3 && (n != 3 || !p[0]) &&
> + 			(p[n-2] == ((SSL3_CK_SCSV >> 8) & 0xff)) &&
> + 			(p[n-1] == (SSL3_CK_SCSV & 0xff)))
> +@@ -1478,6 +1493,23 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,
> + 			continue;
> + 			}
> +
> ++		/* Check for TLS_FALLBACK_SCSV */
> ++		if ((n != 3 || !p[0]) &&
> ++			(p[n-2] == ((SSL3_CK_FALLBACK_SCSV >> 8) & 0xff)) &&
> ++			(p[n-1] == (SSL3_CK_FALLBACK_SCSV & 0xff)))
> ++			{
> ++			/* The SCSV indicates that the client previously tried a higher version.
> ++			 * Fail if the current version is an unexpected downgrade. */
> ++			if (!SSL_ctrl(s, SSL_CTRL_CHECK_PROTO_VERSION, 0, NULL))
> ++				{
> ++				SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_INAPPROPRIATE_FALLBACK);
> ++				if (s->s3)
> ++					ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_INAPPROPRIATE_FALLBACK);
> ++				goto err;
> ++				}
> ++			continue;
> ++			}
> ++
> + 		c=ssl_get_cipher_by_char(s,p);
> + 		p+=n;
> + 		if (c != NULL)
> +diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
> +index 1427484..1923cf3 100644
> +--- a/ssl/t1_enc.c
> ++++ b/ssl/t1_enc.c
> +@@ -1241,6 +1241,7 @@ int tls1_alert_code(int code)
> + 	case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: return(TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE);
> + 	case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: return(TLS1_AD_BAD_CERTIFICATE_HASH_VALUE);
> + 	case SSL_AD_UNKNOWN_PSK_IDENTITY:return(TLS1_AD_UNKNOWN_PSK_IDENTITY);
> ++	case SSL_AD_INAPPROPRIATE_FALLBACK:return(TLS1_AD_INAPPROPRIATE_FALLBACK);
> + #if 0 /* not appropriate for TLS, not used for DTLS */
> + 	case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE: return
> + 					  (DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
> +diff --git a/ssl/tls1.h b/ssl/tls1.h
> +index c992091..6ae8876 100644
> +--- a/ssl/tls1.h
> ++++ b/ssl/tls1.h
> +@@ -159,17 +159,19 @@ extern "C" {
> +
> + #define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES	0
> +
> ++#define TLS1_VERSION			0x0301
> ++#define TLS1_1_VERSION			0x0302
> + #define TLS1_2_VERSION			0x0303
> +-#define TLS1_2_VERSION_MAJOR		0x03
> +-#define TLS1_2_VERSION_MINOR		0x03
> ++#define TLS_MAX_VERSION			TLS1_2_VERSION
> ++
> ++#define TLS1_VERSION_MAJOR		0x03
> ++#define TLS1_VERSION_MINOR		0x01
> +
> +-#define TLS1_1_VERSION			0x0302
> + #define TLS1_1_VERSION_MAJOR		0x03
> + #define TLS1_1_VERSION_MINOR		0x02
> +
> +-#define TLS1_VERSION			0x0301
> +-#define TLS1_VERSION_MAJOR		0x03
> +-#define TLS1_VERSION_MINOR		0x01
> ++#define TLS1_2_VERSION_MAJOR		0x03
> ++#define TLS1_2_VERSION_MINOR		0x03
> +
> + #define TLS1_get_version(s) \
> + 		((s->version >> 8) == TLS1_VERSION_MAJOR ? s->version : 0)
> +@@ -187,6 +189,7 @@ extern "C" {
> + #define TLS1_AD_PROTOCOL_VERSION	70	/* fatal */
> + #define TLS1_AD_INSUFFICIENT_SECURITY	71	/* fatal */
> + #define TLS1_AD_INTERNAL_ERROR		80	/* fatal */
> ++#define TLS1_AD_INAPPROPRIATE_FALLBACK	86	/* fatal */
> + #define TLS1_AD_USER_CANCELLED		90
> + #define TLS1_AD_NO_RENEGOTIATION	100
> + /* codes 110-114 are from RFC3546 */
> +--
> +1.7.9.5
> +
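Review bot: The backported patch file's header (the lines from `From 6bfe5538...` through `---`) carries `Upstream-Status: Backport` and upstream's `Reviewed-by:` but no `Signed-off-by:` for the person who did the backport, which OE-core normally expects inside the patch itself rather than only in the cover commit; adding `Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>` below the Upstream-Status line would fix that. The hunk's code adds only the TLS_FALLBACK_SCSV signalling (the new `SSL_MODE_SEND_FALLBACK_SCSV` client mode, the `SSL3_CK_FALLBACK_SCSV` check in `ssl_bytes_to_cipher_list`, and the `SSL_CTRL_CHECK_PROTO_VERSION` handlers), so a patched server rejects a downgraded ClientHello only from clients that send the SCSV; nothing here disables SSLv3 or changes CBC handling, so the subject line "SSLv3 POODLE vulnerability" reads as a full fix when this is a downgrade-prevention mitigation, and the recipe commit message would benefit from saying so in one sentence. The `goto err` in the new fallback branch of `ssl_bytes_to_cipher_list` relies on an `err:` label outside the quoted inner hunk, so that function's cleanup path cannot be checked from this view.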
> diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.1g.bb b/meta/recipes-connectivity/openssl/openssl_1.0.1g.bb
> index 274c69d..293c6c0 100644
> --- a/meta/recipes-connectivity/openssl/openssl_1.0.1g.bb
> +++ b/meta/recipes-connectivity/openssl/openssl_1.0.1g.bb
> @@ -40,6 +40,7 @@ SRC_URI += "file://configure-targets.patch \
>               file://openssl-1.0.1e-cve-2014-0224.patch \
>               file://openssl-1.0.1e-cve-2014-3470.patch \
>               file://openssl-CVE-2010-5298.patch \
> +            file://support-TLS_FALLBACK_SCSV-CVE-2014-3566.patch \
>              "
>
>   SRC_URI[md5sum] = "de62b43dfcd858e66a74bee1c834e959"
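Review bot: The added `file://support-TLS_FALLBACK_SCSV-CVE-2014-3566.patch \` line appears to be indented one column less than the neighbouring `file://openssl-CVE-2010-5298.patch \` entries, which is hard to be certain of through the mail quoting but would be worth aligning before merge. The SRC_URI entry itself matches the path created by the first hunk, so the recipe change is otherwise consistent.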
>


