1 files changed, 97 insertions, 14 deletions
diff --git a/src/lib/libssl/s23_clnt.c b/src/lib/libssl/s23_clnt.c
index c4d8bf2eb3..47673e740a 100644
--- a/src/lib/libssl/s23_clnt.c
+++ b/src/lib/libssl/s23_clnt.c
@@ -129,6 +129,10 @@ static const SSL_METHOD *ssl23_get_client_method(int ver)
                return(SSLv3_client_method());
        else if (ver == TLS1_VERSION)
                return(TLSv1_client_method());
+        else if (ver == TLS1_1_VERSION)
+                return(TLSv1_1_client_method());
+        else if (ver == TLS1_2_VERSION)
+                return(TLSv1_2_client_method());
        else
                return(NULL);
        }
@@ -278,24 +282,51 @@ static int ssl23_client_hello(SSL *s)
        SSL_COMP *comp;
 #endif
        int ret;
+        unsigned long mask, options = s->options;
-        ssl2_compat = (s->options & SSL_OP_NO_SSLv2) ? 0 : 1;
+        ssl2_compat = (options & SSL_OP_NO_SSLv2) ? 0 : 1;
        if (ssl2_compat && ssl23_no_ssl2_ciphers(s))
                ssl2_compat = 0;
-        if (!(s->options & SSL_OP_NO_TLSv1))
+        /*
-                {
+         * SSL_OP_NO_X disables all protocols above X *if* there are
+         * some protocols below X enabled. This is required in order
+         * to maintain "version capability" vector contiguous. So
+         * that if application wants to disable TLS1.0 in favour of
+         * TLS1>=1, it would be insufficient to pass SSL_NO_TLSv1, the
+         * answer is SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2.
+         */
+        mask =  SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1
+#if !defined(OPENSSL_NO_SSL3)
+                |SSL_OP_NO_SSLv3
+#endif
+#if !defined(OPENSSL_NO_SSL2)
+                |(ssl2_compat?SSL_OP_NO_SSLv2:0)
+#endif
+                ;
+#if !defined(OPENSSL_NO_TLS1_2_CLIENT)
+        version = TLS1_2_VERSION;
+        if ((options & SSL_OP_NO_TLSv1_2) && (options & mask) != mask)
+                version = TLS1_1_VERSION;
+#else
+        version = TLS1_1_VERSION;
+#endif
+        mask &= ~SSL_OP_NO_TLSv1_1;
+        if ((options & SSL_OP_NO_TLSv1_1) && (options & mask) != mask)
                version = TLS1_VERSION;
-                }
+        mask &= ~SSL_OP_NO_TLSv1;
-        else if (!(s->options & SSL_OP_NO_SSLv3))
+#if !defined(OPENSSL_NO_SSL3)
-                {
+        if ((options & SSL_OP_NO_TLSv1) && (options & mask) != mask)
                version = SSL3_VERSION;
-                }
+        mask &= ~SSL_OP_NO_SSLv3;
-        else if (!(s->options & SSL_OP_NO_SSLv2))
+#endif
-                {
+#if !defined(OPENSSL_NO_SSL2)
+        if ((options & SSL_OP_NO_SSLv3) && (options & mask) != mask)
                version = SSL2_VERSION;
-                }
+#endif
 #ifndef OPENSSL_NO_TLSEXT
        if (version != SSL2_VERSION)
                {
@@ -329,11 +360,29 @@ static int ssl23_client_hello(SSL *s)
                if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
                        return -1;
-                if (version == TLS1_VERSION)
+                if (version == TLS1_2_VERSION)
+                        {
+                        version_major = TLS1_2_VERSION_MAJOR;
+                        version_minor = TLS1_2_VERSION_MINOR;
+                        }
+                else if (version == TLS1_1_VERSION)
+                        {
+                        version_major = TLS1_1_VERSION_MAJOR;
+                        version_minor = TLS1_1_VERSION_MINOR;
+                        }
+                else if (version == TLS1_VERSION)
                        {
                        version_major = TLS1_VERSION_MAJOR;
                        version_minor = TLS1_VERSION_MINOR;
                        }
+#ifdef OPENSSL_FIPS
+                else if(FIPS_mode())
+                        {
+                        SSLerr(SSL_F_SSL23_CLIENT_HELLO,
+                                        SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+                        return -1;
+                        }
+#endif
                else if (version == SSL3_VERSION)
                        {
                        version_major = SSL3_VERSION_MAJOR;
@@ -437,6 +486,15 @@ static int ssl23_client_hello(SSL *s)
                                SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
                                return -1;
                                }
+#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
+                        /* Some servers hang if client hello > 256 bytes
+                         * as hack workaround chop number of supported ciphers
+                         * to keep it well below this if we use TLS v1.2
+                         */
+                        if (TLS1_get_version(s) >= TLS1_2_VERSION
+                                && i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH)
+                                i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
+#endif
                        s2n(i,p);
                        p+=i;
@@ -491,8 +549,13 @@ static int ssl23_client_hello(SSL *s)
                        d=buf;
                        *(d++) = SSL3_RT_HANDSHAKE;
                        *(d++) = version_major;
-                        *(d++) = version_minor; /* arguably we should send the *lowest* suported version here
+                        /* Some servers hang if we use long client hellos
-                                                 * (indicating, e.g., TLS 1.0 in "SSL 3.0 format") */
+                         * and a record number > TLS 1.0.
+                         */
+                        if (TLS1_get_client_version(s) > TLS1_VERSION)
+                                *(d++) = 1;
+                        else
+                                *(d++) = version_minor;
                        s2n((int)l,d);
                        /* number of bytes to write */
@@ -608,7 +671,7 @@ static int ssl23_get_server_hello(SSL *s)
 #endif
                }
        else if (p[1] == SSL3_VERSION_MAJOR &&
-                 (p[2] == SSL3_VERSION_MINOR || p[2] == TLS1_VERSION_MINOR) &&
+                 p[2] <= TLS1_2_VERSION_MINOR &&
                 ((p[0] == SSL3_RT_HANDSHAKE && p[5] == SSL3_MT_SERVER_HELLO) ||
                  (p[0] == SSL3_RT_ALERT && p[3] == 0 && p[4] == 2)))
                {
@@ -617,6 +680,14 @@ static int ssl23_get_server_hello(SSL *s)
                if ((p[2] == SSL3_VERSION_MINOR) &&
                        !(s->options & SSL_OP_NO_SSLv3))
                        {
+#ifdef OPENSSL_FIPS
+                        if(FIPS_mode())
+                                {
+                                SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,
+                                        SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+                                goto err;
+                                }
+#endif
                        s->version=SSL3_VERSION;
                        s->method=SSLv3_client_method();
                        }
@@ -626,6 +697,18 @@ static int ssl23_get_server_hello(SSL *s)
                        s->version=TLS1_VERSION;
                        s->method=TLSv1_client_method();
                        }
+                else if ((p[2] == TLS1_1_VERSION_MINOR) &&
+                        !(s->options & SSL_OP_NO_TLSv1_1))
+                        {
+                        s->version=TLS1_1_VERSION;
+                        s->method=TLSv1_1_client_method();
+                        }
+                else if ((p[2] == TLS1_2_VERSION_MINOR) &&
+                        !(s->options & SSL_OP_NO_TLSv1_2))
+                        {
+                        s->version=TLS1_2_VERSION;
+                        s->method=TLSv1_2_client_method();
+                        }
                else
                        {
                        SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);

diff --git a/src/lib/libssl/s23_clnt.c b/src/lib/libssl/s23_clnt.c index c4d8bf2eb3..47673e740a 100644 --- a/src/lib/libssl/s23_clnt.c +++ b/src/lib/libssl/s23_clnt.c
@@ -129,6 +129,10 @@ static const SSL_METHOD *ssl23_get_client_method(int ver)
129	return(SSLv3_client_method());	129	return(SSLv3_client_method());
130	else if (ver == TLS1_VERSION)	130	else if (ver == TLS1_VERSION)
131	return(TLSv1_client_method());	131	return(TLSv1_client_method());
		132	else if (ver == TLS1_1_VERSION)
		133	return(TLSv1_1_client_method());
		134	else if (ver == TLS1_2_VERSION)
		135	return(TLSv1_2_client_method());
132	else	136	else
133	return(NULL);	137	return(NULL);
134	}	138	}
@@ -278,24 +282,51 @@ static int ssl23_client_hello(SSL *s)
278	SSL_COMP *comp;	282	SSL_COMP *comp;
279	#endif	283	#endif
280	int ret;	284	int ret;
		285	unsigned long mask, options = s->options;
281		286
282	ssl2_compat = (s->options & SSL_OP_NO_SSLv2) ? 0 : 1;	287	ssl2_compat = (options & SSL_OP_NO_SSLv2) ? 0 : 1;
283		288
284	if (ssl2_compat && ssl23_no_ssl2_ciphers(s))	289	if (ssl2_compat && ssl23_no_ssl2_ciphers(s))
285	ssl2_compat = 0;	290	ssl2_compat = 0;
286		291
287	if (!(s->options & SSL_OP_NO_TLSv1))	292	/*
288	{	293	* SSL_OP_NO_X disables all protocols above X if there are
		294	* some protocols below X enabled. This is required in order
		295	* to maintain "version capability" vector contiguous. So
		296	* that if application wants to disable TLS1.0 in favour of
		297	* TLS1>=1, it would be insufficient to pass SSL_NO_TLSv1, the
		298	* answer is SSL_OP_NO_TLSv1\|SSL_OP_NO_SSLv3\|SSL_OP_NO_SSLv2.
		299	*/
		300	mask = SSL_OP_NO_TLSv1_1\|SSL_OP_NO_TLSv1
		301	#if !defined(OPENSSL_NO_SSL3)
		302	\|SSL_OP_NO_SSLv3
		303	#endif
		304	#if !defined(OPENSSL_NO_SSL2)
		305	\|(ssl2_compat?SSL_OP_NO_SSLv2:0)
		306	#endif
		307	;
		308	#if !defined(OPENSSL_NO_TLS1_2_CLIENT)
		309	version = TLS1_2_VERSION;
		310
		311	if ((options & SSL_OP_NO_TLSv1_2) && (options & mask) != mask)
		312	version = TLS1_1_VERSION;
		313	#else
		314	version = TLS1_1_VERSION;
		315	#endif
		316	mask &= ~SSL_OP_NO_TLSv1_1;
		317	if ((options & SSL_OP_NO_TLSv1_1) && (options & mask) != mask)
289	version = TLS1_VERSION;	318	version = TLS1_VERSION;
290	}	319	mask &= ~SSL_OP_NO_TLSv1;
291	else if (!(s->options & SSL_OP_NO_SSLv3))	320	#if !defined(OPENSSL_NO_SSL3)
292	{	321	if ((options & SSL_OP_NO_TLSv1) && (options & mask) != mask)
293	version = SSL3_VERSION;	322	version = SSL3_VERSION;
294	}	323	mask &= ~SSL_OP_NO_SSLv3;
295	else if (!(s->options & SSL_OP_NO_SSLv2))	324	#endif
296	{	325	#if !defined(OPENSSL_NO_SSL2)
		326	if ((options & SSL_OP_NO_SSLv3) && (options & mask) != mask)
297	version = SSL2_VERSION;	327	version = SSL2_VERSION;
298	}	328	#endif
		329
299	#ifndef OPENSSL_NO_TLSEXT	330	#ifndef OPENSSL_NO_TLSEXT
300	if (version != SSL2_VERSION)	331	if (version != SSL2_VERSION)
301	{	332	{
@@ -329,11 +360,29 @@ static int ssl23_client_hello(SSL *s)
329	if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)	360	if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
330	return -1;	361	return -1;
331		362
332	if (version == TLS1_VERSION)	363	if (version == TLS1_2_VERSION)
		364	{
		365	version_major = TLS1_2_VERSION_MAJOR;
		366	version_minor = TLS1_2_VERSION_MINOR;
		367	}
		368	else if (version == TLS1_1_VERSION)
		369	{
		370	version_major = TLS1_1_VERSION_MAJOR;
		371	version_minor = TLS1_1_VERSION_MINOR;
		372	}
		373	else if (version == TLS1_VERSION)
333	{	374	{
334	version_major = TLS1_VERSION_MAJOR;	375	version_major = TLS1_VERSION_MAJOR;
335	version_minor = TLS1_VERSION_MINOR;	376	version_minor = TLS1_VERSION_MINOR;
336	}	377	}
		378	#ifdef OPENSSL_FIPS
		379	else if(FIPS_mode())
		380	{
		381	SSLerr(SSL_F_SSL23_CLIENT_HELLO,
		382	SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
		383	return -1;
		384	}
		385	#endif
337	else if (version == SSL3_VERSION)	386	else if (version == SSL3_VERSION)
338	{	387	{
339	version_major = SSL3_VERSION_MAJOR;	388	version_major = SSL3_VERSION_MAJOR;
@@ -437,6 +486,15 @@ static int ssl23_client_hello(SSL *s)
437	SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);	486	SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
438	return -1;	487	return -1;
439	}	488	}
		489	#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
		490	/* Some servers hang if client hello > 256 bytes
		491	* as hack workaround chop number of supported ciphers
		492	* to keep it well below this if we use TLS v1.2
		493	*/
		494	if (TLS1_get_version(s) >= TLS1_2_VERSION
		495	&& i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH)
		496	i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
		497	#endif
440	s2n(i,p);	498	s2n(i,p);
441	p+=i;	499	p+=i;
442		500
@@ -491,8 +549,13 @@ static int ssl23_client_hello(SSL *s)
491	d=buf;	549	d=buf;
492	*(d++) = SSL3_RT_HANDSHAKE;	550	*(d++) = SSL3_RT_HANDSHAKE;
493	*(d++) = version_major;	551	*(d++) = version_major;
494	(d++) = version_minor; / arguably we should send the lowest suported version here	552	/* Some servers hang if we use long client hellos
495	* (indicating, e.g., TLS 1.0 in "SSL 3.0 format") */	553	* and a record number > TLS 1.0.
		554	*/
		555	if (TLS1_get_client_version(s) > TLS1_VERSION)
		556	*(d++) = 1;
		557	else
		558	*(d++) = version_minor;
496	s2n((int)l,d);	559	s2n((int)l,d);
497		560
498	/* number of bytes to write */	561	/* number of bytes to write */
@@ -608,7 +671,7 @@ static int ssl23_get_server_hello(SSL *s)
608	#endif	671	#endif
609	}	672	}
610	else if (p[1] == SSL3_VERSION_MAJOR &&	673	else if (p[1] == SSL3_VERSION_MAJOR &&
611	(p[2] == SSL3_VERSION_MINOR \|\| p[2] == TLS1_VERSION_MINOR) &&	674	p[2] <= TLS1_2_VERSION_MINOR &&
612	((p[0] == SSL3_RT_HANDSHAKE && p[5] == SSL3_MT_SERVER_HELLO) \|\|	675	((p[0] == SSL3_RT_HANDSHAKE && p[5] == SSL3_MT_SERVER_HELLO) \|\|
613	(p[0] == SSL3_RT_ALERT && p[3] == 0 && p[4] == 2)))	676	(p[0] == SSL3_RT_ALERT && p[3] == 0 && p[4] == 2)))
614	{	677	{
@@ -617,6 +680,14 @@ static int ssl23_get_server_hello(SSL *s)
617	if ((p[2] == SSL3_VERSION_MINOR) &&	680	if ((p[2] == SSL3_VERSION_MINOR) &&
618	!(s->options & SSL_OP_NO_SSLv3))	681	!(s->options & SSL_OP_NO_SSLv3))
619	{	682	{
		683	#ifdef OPENSSL_FIPS
		684	if(FIPS_mode())
		685	{
		686	SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,
		687	SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
		688	goto err;
		689	}
		690	#endif
620	s->version=SSL3_VERSION;	691	s->version=SSL3_VERSION;
621	s->method=SSLv3_client_method();	692	s->method=SSLv3_client_method();
622	}	693	}
@@ -626,6 +697,18 @@ static int ssl23_get_server_hello(SSL *s)
626	s->version=TLS1_VERSION;	697	s->version=TLS1_VERSION;
627	s->method=TLSv1_client_method();	698	s->method=TLSv1_client_method();
628	}	699	}
		700	else if ((p[2] == TLS1_1_VERSION_MINOR) &&
		701	!(s->options & SSL_OP_NO_TLSv1_1))
		702	{
		703	s->version=TLS1_1_VERSION;
		704	s->method=TLSv1_1_client_method();
		705	}
		706	else if ((p[2] == TLS1_2_VERSION_MINOR) &&
		707	!(s->options & SSL_OP_NO_TLSv1_2))
		708	{
		709	s->version=TLS1_2_VERSION;
		710	s->method=TLSv1_2_client_method();
		711	}
629	else	712	else
630	{	713	{
631	SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);	714	SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);