1 files changed, 48 insertions, 4 deletions
diff --git a/src/lib/libssl/s23_srvr.c b/src/lib/libssl/s23_srvr.c
index 836dd1f1cf..4877849013 100644
--- a/src/lib/libssl/s23_srvr.c
+++ b/src/lib/libssl/s23_srvr.c
@@ -115,6 +115,9 @@
 #include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
 static const SSL_METHOD *ssl23_get_server_method(int ver);
 int ssl23_get_client_hello(SSL *s);
@@ -128,6 +131,10 @@ static const SSL_METHOD *ssl23_get_server_method(int ver)
                return(SSLv3_server_method());
        else if (ver == TLS1_VERSION)
                return(TLSv1_server_method());
+        else if (ver == TLS1_1_VERSION)
+                return(TLSv1_1_server_method());
+        else if (ver == TLS1_2_VERSION)
+                return(TLSv1_2_server_method());
        else
                return(NULL);
        }
@@ -283,7 +290,20 @@ int ssl23_get_client_hello(SSL *s)
                                /* SSLv3/TLSv1 */
                                if (p[4] >= TLS1_VERSION_MINOR)
                                        {
-                                        if (!(s->options & SSL_OP_NO_TLSv1))
+                                        if (p[4] >= TLS1_2_VERSION_MINOR &&
+                                           !(s->options & SSL_OP_NO_TLSv1_2))
+                                                {
+                                                s->version=TLS1_2_VERSION;
+                                                s->state=SSL23_ST_SR_CLNT_HELLO_B;
+                                                }
+                                        else if (p[4] >= TLS1_1_VERSION_MINOR &&
+                                           !(s->options & SSL_OP_NO_TLSv1_1))
+                                                {
+                                                s->version=TLS1_1_VERSION;
+                                                /* type=2; */ /* done later to survive restarts */
+                                                s->state=SSL23_ST_SR_CLNT_HELLO_B;
+                                                }
+                                        else if (!(s->options & SSL_OP_NO_TLSv1))
                                                {
                                                s->version=TLS1_VERSION;
                                                /* type=2; */ /* done later to survive restarts */
@@ -350,7 +370,19 @@ int ssl23_get_client_hello(SSL *s)
                                v[1]=p[10]; /* minor version according to client_version */
                        if (v[1] >= TLS1_VERSION_MINOR)
                                {
-                                if (!(s->options & SSL_OP_NO_TLSv1))
+                                if (v[1] >= TLS1_2_VERSION_MINOR &&
+                                        !(s->options & SSL_OP_NO_TLSv1_2))
+                                        {
+                                        s->version=TLS1_2_VERSION;
+                                        type=3;
+                                        }
+                                else if (v[1] >= TLS1_1_VERSION_MINOR &&
+                                        !(s->options & SSL_OP_NO_TLSv1_1))
+                                        {
+                                        s->version=TLS1_1_VERSION;
+                                        type=3;
+                                        }
+                                else if (!(s->options & SSL_OP_NO_TLSv1))
                                        {
                                        s->version=TLS1_VERSION;
                                        type=3;
@@ -393,6 +425,15 @@ int ssl23_get_client_hello(SSL *s)
                        }
                }
+#ifdef OPENSSL_FIPS
+        if (FIPS_mode() && (s->version < TLS1_VERSION))
+                {
+                SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,
+                                        SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+                goto err;
+                }
+#endif
        if (s->state == SSL23_ST_SR_CLNT_HELLO_B)
                {
                /* we have SSLv3/TLSv1 in an SSLv2 header
@@ -567,8 +608,11 @@ int ssl23_get_client_hello(SSL *s)
                        s->s3->rbuf.left=0;
                        s->s3->rbuf.offset=0;
                        }
+                if (s->version == TLS1_2_VERSION)
-                if (s->version == TLS1_VERSION)
+                        s->method = TLSv1_2_server_method();
+                else if (s->version == TLS1_1_VERSION)
+                        s->method = TLSv1_1_server_method();
+                else if (s->version == TLS1_VERSION)
                        s->method = TLSv1_server_method();
                else
                        s->method = SSLv3_server_method();

diff --git a/src/lib/libssl/s23_srvr.c b/src/lib/libssl/s23_srvr.c index 836dd1f1cf..4877849013 100644 --- a/src/lib/libssl/s23_srvr.c +++ b/src/lib/libssl/s23_srvr.c
@@ -115,6 +115,9 @@
115	#include <openssl/rand.h>	115	#include <openssl/rand.h>
116	#include <openssl/objects.h>	116	#include <openssl/objects.h>
117	#include <openssl/evp.h>	117	#include <openssl/evp.h>
		118	#ifdef OPENSSL_FIPS
		119	#include <openssl/fips.h>
		120	#endif
118		121
119	static const SSL_METHOD *ssl23_get_server_method(int ver);	122	static const SSL_METHOD *ssl23_get_server_method(int ver);
120	int ssl23_get_client_hello(SSL *s);	123	int ssl23_get_client_hello(SSL *s);
@@ -128,6 +131,10 @@ static const SSL_METHOD *ssl23_get_server_method(int ver)
128	return(SSLv3_server_method());	131	return(SSLv3_server_method());
129	else if (ver == TLS1_VERSION)	132	else if (ver == TLS1_VERSION)
130	return(TLSv1_server_method());	133	return(TLSv1_server_method());
		134	else if (ver == TLS1_1_VERSION)
		135	return(TLSv1_1_server_method());
		136	else if (ver == TLS1_2_VERSION)
		137	return(TLSv1_2_server_method());
131	else	138	else
132	return(NULL);	139	return(NULL);
133	}	140	}
@@ -283,7 +290,20 @@ int ssl23_get_client_hello(SSL *s)
283	/* SSLv3/TLSv1 */	290	/* SSLv3/TLSv1 */
284	if (p[4] >= TLS1_VERSION_MINOR)	291	if (p[4] >= TLS1_VERSION_MINOR)
285	{	292	{
286	if (!(s->options & SSL_OP_NO_TLSv1))	293	if (p[4] >= TLS1_2_VERSION_MINOR &&
		294	!(s->options & SSL_OP_NO_TLSv1_2))
		295	{
		296	s->version=TLS1_2_VERSION;
		297	s->state=SSL23_ST_SR_CLNT_HELLO_B;
		298	}
		299	else if (p[4] >= TLS1_1_VERSION_MINOR &&
		300	!(s->options & SSL_OP_NO_TLSv1_1))
		301	{
		302	s->version=TLS1_1_VERSION;
		303	/* type=2; / / done later to survive restarts */
		304	s->state=SSL23_ST_SR_CLNT_HELLO_B;
		305	}
		306	else if (!(s->options & SSL_OP_NO_TLSv1))
287	{	307	{
288	s->version=TLS1_VERSION;	308	s->version=TLS1_VERSION;
289	/* type=2; / / done later to survive restarts */	309	/* type=2; / / done later to survive restarts */
@@ -350,7 +370,19 @@ int ssl23_get_client_hello(SSL *s)
350	v[1]=p[10]; /* minor version according to client_version */	370	v[1]=p[10]; /* minor version according to client_version */
351	if (v[1] >= TLS1_VERSION_MINOR)	371	if (v[1] >= TLS1_VERSION_MINOR)
352	{	372	{
353	if (!(s->options & SSL_OP_NO_TLSv1))	373	if (v[1] >= TLS1_2_VERSION_MINOR &&
		374	!(s->options & SSL_OP_NO_TLSv1_2))
		375	{
		376	s->version=TLS1_2_VERSION;
		377	type=3;
		378	}
		379	else if (v[1] >= TLS1_1_VERSION_MINOR &&
		380	!(s->options & SSL_OP_NO_TLSv1_1))
		381	{
		382	s->version=TLS1_1_VERSION;
		383	type=3;
		384	}
		385	else if (!(s->options & SSL_OP_NO_TLSv1))
354	{	386	{
355	s->version=TLS1_VERSION;	387	s->version=TLS1_VERSION;
356	type=3;	388	type=3;
@@ -393,6 +425,15 @@ int ssl23_get_client_hello(SSL *s)
393	}	425	}
394	}	426	}
395		427
		428	#ifdef OPENSSL_FIPS
		429	if (FIPS_mode() && (s->version < TLS1_VERSION))
		430	{
		431	SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,
		432	SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
		433	goto err;
		434	}
		435	#endif
		436
396	if (s->state == SSL23_ST_SR_CLNT_HELLO_B)	437	if (s->state == SSL23_ST_SR_CLNT_HELLO_B)
397	{	438	{
398	/* we have SSLv3/TLSv1 in an SSLv2 header	439	/* we have SSLv3/TLSv1 in an SSLv2 header
@@ -567,8 +608,11 @@ int ssl23_get_client_hello(SSL *s)
567	s->s3->rbuf.left=0;	608	s->s3->rbuf.left=0;
568	s->s3->rbuf.offset=0;	609	s->s3->rbuf.offset=0;
569	}	610	}
570		611	if (s->version == TLS1_2_VERSION)
571	if (s->version == TLS1_VERSION)	612	s->method = TLSv1_2_server_method();
		613	else if (s->version == TLS1_1_VERSION)
		614	s->method = TLSv1_1_server_method();
		615	else if (s->version == TLS1_VERSION)
572	s->method = TLSv1_server_method();	616	s->method = TLSv1_server_method();
573	else	617	else
574	s->method = SSLv3_server_method();	618	s->method = SSLv3_server_method();