Don't alow TLS v1.0 ciphersuites for SSLv3

This disables some ciphersuites which aren't supported in SSL v3:
specifically PSK ciphersuites which use SHA256 or SHA384 for the MAC.

Thanks to the Open Crypto Audit Project for identifying this issue.

Reviewed-by: Matt Caswell <matt@openssl.org>

diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 13bf3187d5c399595a01144eb41788959359c070..95cc56a4137244febc22b7d30951e199ee64d1c8 100644 (file)
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -4841,6 +4841,9 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
         /* Skip TLS v1.2 only ciphersuites if not supported */
         if ((c->algorithm_ssl & SSL_TLSV1_2) && !SSL_USE_TLS1_2_CIPHERS(s))
             continue;
+        /* Skip TLS v1.0 ciphersuites if SSLv3 */
+        if ((c->algorithm_ssl & SSL_TLSV1) && s->version == SSL3_VERSION)
+            continue;
 
         ssl_set_masks(s, c);
         mask_k = s->s3->tmp.mask_k;

diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 5d0ec23607b78acef222495fbb41554a1bda297a..e386577e6520f35c880f1f72871dded64cdfe3ec 100644 (file)
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1621,6 +1621,8 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
 
     if (alg_ssl & SSL_SSLV3)
         ver = "SSLv3";
+    else if (alg_ssl & SSL_TLSV1)
+        ver = "TLSv1.0";
     else if (alg_ssl & SSL_TLSV1_2)
         ver = "TLSv1.2";
     else

diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 03bc35cc93a85749618c4eecb3047d832f444f55..1295b7bdafcbb8d01928ebaa1ac617c766e38019 100644 (file)
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -381,8 +381,8 @@
 
 /* Bits for algorithm_ssl (protocol version) */
 # define SSL_SSLV3               0x00000002U
-# define SSL_TLSV1               SSL_SSLV3/* for now */
-# define SSL_TLSV1_2             0x00000004U
+# define SSL_TLSV1               0x00000004U
+# define SSL_TLSV1_2             0x00000008U
 
 /* Bits for algorithm2 (handshake digests and other extra flags) */
 

diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 73716b5d9b5375afe7c80c1f55092e8be03a9fbb..f6b95d6d756fa1dec981b02d8e1872c4479b8e2f 100644 (file)
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -1325,6 +1325,9 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
         s->s3->tmp.mask_ssl = SSL_TLSV1_2;
     else
         s->s3->tmp.mask_ssl = 0;
+    /* Skip TLS v1.0 ciphersuites if SSLv3 */
+    if ((c->algorithm_ssl & SSL_TLSV1) && s->version == SSL3_VERSION)
+        s->s3->tmp.mask_ssl |= SSL_TLSV1;
     /*
      * If it is a disabled cipher we didn't send it in client hello, so
      * return an error.

diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 943d4733f4d5d04a2589acb2ba83dcd89bbd3519..ffc95d848b55515a3a3382080e006b02e9a6de10 100644 (file)
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1094,6 +1094,9 @@ void ssl_set_client_disabled(SSL *s)
         s->s3->tmp.mask_ssl = SSL_TLSV1_2;
     else
         s->s3->tmp.mask_ssl = 0;
+    /* Disable TLS 1.0 ciphers if using SSL v3 */
+    if (s->client_version == SSL3_VERSION)
+        s->s3->tmp.mask_ssl |= SSL_TLSV1;
     ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);
     /*
      * Disable static DH if we don't include any appropriate signature