authorCatalin Popeanga <Catalin.Popeanga@enea.com>2014-10-15 12:38:57 +0200
committerTudor Florea <tudor.florea@enea.com>2015-07-06 20:19:35 +0200
commit5862d3229bf1722ab8d3e848ef041240f3580f74 (patch)
tree2ef29a2909284edddc3aa6588b90caa3963924bd
parent3477302ae771d4b9b23839b7ff74fcdcba417b59 (diff)
downloadpoky-5862d3229bf1722ab8d3e848ef041240f3580f74.tar.gz
Fix-CVE-2014-3566
OpenSSL 1.0.1 SSLv3 POODLE vulnerability (CVE-2014-3566). This patch is a backport from OpenSSL_1.0.1j. Signed-off-by: Catalin Popeanga <Catalin.Popeanga@enea.com>
-rw-r--r--meta/recipes-connectivity/openssl/openssl/openssl-fix-CVE-2014-3566.patch499
-rw-r--r--meta/recipes-connectivity/openssl/openssl_1.0.1g.bb1
2 files changed, 500 insertions, 0 deletions
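--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/openssl-fix-CVE-2014-3566.patch
@@ -0,0 +1,499 @@
+From 6bfe55380abbf7528e04e59f18921bd6c896af1c Mon Sep 17 00:00:00 2001
+From: Bodo Moeller <bodo@openssl.org>
+Date: Wed, 15 Oct 2014 04:05:42 +0200
+Subject: [PATCH] Support TLS_FALLBACK_SCSV.
+
+Upstream-Status: Backport
+
+Reviewed-by: Rich Salz <rsalz@openssl.org>
+---
+ CHANGES | 6 +++++
+ apps/s_client.c | 10 +++++++++
+ crypto/err/openssl.ec | 1 +
+ ssl/d1_lib.c | 10 +++++++++
+ ssl/dtls1.h | 3 ++-
+ ssl/s23_clnt.c | 3 +++
+ ssl/s23_srvr.c | 3 +++
+ ssl/s2_lib.c | 4 +++-
+ ssl/s3_enc.c | 2 +-
+ ssl/s3_lib.c | 29 +++++++++++++++++++++++-
+ ssl/ssl.h | 9 ++++++++
+ ssl/ssl3.h | 7 +++++-
+ ssl/ssl_err.c | 2 ++
+ ssl/ssl_lib.c | 60 +++++++++++++++++++++++++++++++++++++------------
+ ssl/t1_enc.c | 1 +
+ ssl/tls1.h | 15 ++++++++-----
+ 16 files changed, 140 insertions(+), 25 deletions(-)
+
+diff --git a/CHANGES b/CHANGES
+index 79477f6..c79f4d0 100644
+--- a/CHANGES
++++ b/CHANGES
+@@ -4,6 +4,12 @@
+
+ Changes between 1.0.1f and 1.0.1g [7 Apr 2014]
+
++ *) Add support for TLS_FALLBACK_SCSV.
++ Client applications doing fallback retries should call
++ SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV).
++ (CVE-2014-3566)
++ [Adam Langley, Bodo Moeller]
++
+ *) A missing bounds check in the handling of the TLS heartbeat extension
+ can be used to reveal up to 64k of memory to a connected client or
+ server.
+diff --git a/apps/s_client.c b/apps/s_client.c
+index 4625467..c2e160c 100644
+--- a/apps/s_client.c
++++ b/apps/s_client.c
+@@ -337,6 +337,7 @@ static void sc_usage(void)
+ BIO_printf(bio_err," -tls1_1 - just use TLSv1.1\n");
+ BIO_printf(bio_err," -tls1 - just use TLSv1\n");
+ BIO_printf(bio_err," -dtls1 - just use DTLSv1\n");
++ BIO_printf(bio_err," -fallback_scsv - send TLS_FALLBACK_SCSV\n");
+ BIO_printf(bio_err," -mtu - set the link layer MTU\n");
+ BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
+ BIO_printf(bio_err," -bugs - Switch on all SSL implementation bug workarounds\n");
+@@ -617,6 +618,7 @@ int MAIN(int argc, char **argv)
+ char *sess_out = NULL;
+ struct sockaddr peer;
+ int peerlen = sizeof(peer);
++ int fallback_scsv = 0;
+ int enable_timeouts = 0 ;
+ long socket_mtu = 0;
+ #ifndef OPENSSL_NO_JPAKE
+@@ -823,6 +825,10 @@ int MAIN(int argc, char **argv)
+ meth=DTLSv1_client_method();
+ socket_type=SOCK_DGRAM;
+ }
++ else if (strcmp(*argv,"-fallback_scsv") == 0)
++ {
++ fallback_scsv = 1;
++ }
+ else if (strcmp(*argv,"-timeout") == 0)
+ enable_timeouts=1;
+ else if (strcmp(*argv,"-mtu") == 0)
+@@ -1235,6 +1241,10 @@ bad:
+ SSL_set_session(con, sess);
+ SSL_SESSION_free(sess);
+ }
++
++ if (fallback_scsv)
++ SSL_set_mode(con, SSL_MODE_SEND_FALLBACK_SCSV);
++
+ #ifndef OPENSSL_NO_TLSEXT
+ if (servername != NULL)
+ {
+diff --git a/crypto/err/openssl.ec b/crypto/err/openssl.ec
+index e0554b4..34754e5 100644
+--- a/crypto/err/openssl.ec
++++ b/crypto/err/openssl.ec
+@@ -71,6 +71,7 @@ R SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION 1060
+ R SSL_R_TLSV1_ALERT_PROTOCOL_VERSION 1070
+ R SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY 1071
+ R SSL_R_TLSV1_ALERT_INTERNAL_ERROR 1080
++R SSL_R_SSLV3_ALERT_INAPPROPRIATE_FALLBACK 1086
+ R SSL_R_TLSV1_ALERT_USER_CANCELLED 1090
+ R SSL_R_TLSV1_ALERT_NO_RENEGOTIATION 1100
+ R SSL_R_TLSV1_UNSUPPORTED_EXTENSION 1110
+diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
+index 6bde16f..82ca653 100644
+--- a/ssl/d1_lib.c
++++ b/ssl/d1_lib.c
+@@ -266,6 +266,16 @@ long dtls1_ctrl(SSL *s, int cmd, long larg, void *parg)
+ case DTLS_CTRL_LISTEN:
+ ret = dtls1_listen(s, parg);
+ break;
++ case SSL_CTRL_CHECK_PROTO_VERSION:
++ /* For library-internal use; checks that the current protocol
++ * is the highest enabled version (according to s->ctx->method,
++ * as version negotiation may have changed s->method). */
++#if DTLS_MAX_VERSION != DTLS1_VERSION
++# error Code needs update for DTLS_method() support beyond DTLS1_VERSION.
++#endif
++ /* Just one protocol version is supported so far;
++ * fail closed if the version is not as expected. */
++ return s->version == DTLS_MAX_VERSION;
+
+ default:
+ ret = ssl3_ctrl(s, cmd, larg, parg);
+diff --git a/ssl/dtls1.h b/ssl/dtls1.h
+index e65d501..192c5de 100644
+--- a/ssl/dtls1.h
++++ b/ssl/dtls1.h
+@@ -84,6 +84,8 @@ extern "C" {
+ #endif
+
+ #define DTLS1_VERSION 0xFEFF
++#define DTLS_MAX_VERSION DTLS1_VERSION
++
+ #define DTLS1_BAD_VER 0x0100
+
+ #if 0
+@@ -284,4 +286,3 @@ typedef struct dtls1_record_data_st
+ }
+ #endif
+ #endif
+-
+diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c
+index 2b93c63..d4e43c3 100644
+--- a/ssl/s23_clnt.c
++++ b/ssl/s23_clnt.c
+@@ -736,6 +736,9 @@ static int ssl23_get_server_hello(SSL *s)
+ goto err;
+ }
+
++ /* ensure that TLS_MAX_VERSION is up-to-date */
++ OPENSSL_assert(s->version <= TLS_MAX_VERSION);
++
+ if (p[0] == SSL3_RT_ALERT && p[5] != SSL3_AL_WARNING)
+ {
+ /* fatal alert */
+diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
+index 2901a6b..567a6b1 100644
+--- a/ssl/s23_srvr.c
++++ b/ssl/s23_srvr.c
+@@ -421,6 +421,9 @@ int ssl23_get_client_hello(SSL *s)
+ }
+ }
+
++ /* ensure that TLS_MAX_VERSION is up-to-date */
++ OPENSSL_assert(s->version <= TLS_MAX_VERSION);
++
+ #ifdef OPENSSL_FIPS
+ if (FIPS_mode() && (s->version < TLS1_VERSION))
+ {
+diff --git a/ssl/s2_lib.c b/ssl/s2_lib.c
+index c0bdae5..c63be30 100644
+--- a/ssl/s2_lib.c
++++ b/ssl/s2_lib.c
+@@ -391,6 +391,8 @@ long ssl2_ctrl(SSL *s, int cmd, long larg, void *parg)
+ case SSL_CTRL_GET_SESSION_REUSED:
+ ret=s->hit;
+ break;
++ case SSL_CTRL_CHECK_PROTO_VERSION:
++ return ssl3_ctrl(s, SSL_CTRL_CHECK_PROTO_VERSION, larg, parg);
+ default:
+ break;
+ }
+@@ -437,7 +439,7 @@ int ssl2_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p)
+ if (p != NULL)
+ {
+ l=c->id;
+- if ((l & 0xff000000) != 0x02000000) return(0);
++ if ((l & 0xff000000) != 0x02000000 && l != SSL3_CK_FALLBACK_SCSV) return(0);
+ p[0]=((unsigned char)(l>>16L))&0xFF;
+ p[1]=((unsigned char)(l>> 8L))&0xFF;
+ p[2]=((unsigned char)(l ))&0xFF;
+diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
+index 9962677..9db45af 100644
+--- a/ssl/s3_enc.c
++++ b/ssl/s3_enc.c
+@@ -900,7 +900,7 @@ int ssl3_alert_code(int code)
+ case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: return(SSL3_AD_HANDSHAKE_FAILURE);
+ case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: return(SSL3_AD_HANDSHAKE_FAILURE);
+ case SSL_AD_UNKNOWN_PSK_IDENTITY:return(TLS1_AD_UNKNOWN_PSK_IDENTITY);
++ case SSL_AD_INAPPROPRIATE_FALLBACK:return(TLS1_AD_INAPPROPRIATE_FALLBACK);
+ default: return(-1);
+ }
+ }
+-
+diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
+index e17f126..3f17453 100644
+--- a/ssl/s3_lib.c
++++ b/ssl/s3_lib.c
+@@ -3355,6 +3355,33 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
+ #endif
+
+ #endif /* !OPENSSL_NO_TLSEXT */
++
++ case SSL_CTRL_CHECK_PROTO_VERSION:
++ /* For library-internal use; checks that the current protocol
++ * is the highest enabled version (according to s->ctx->method,
++ * as version negotiation may have changed s->method). */
++ if (s->version == s->ctx->method->version)
++ return 1;
++ /* Apparently we're using a version-flexible SSL_METHOD
++ * (not at its highest protocol version). */
++ if (s->ctx->method->version == SSLv23_method()->version)
++ {
++#if TLS_MAX_VERSION != TLS1_2_VERSION
++# error Code needs update for SSLv23_method() support beyond TLS1_2_VERSION.
++#endif
++ if (!(s->options & SSL_OP_NO_TLSv1_2))
++ return s->version == TLS1_2_VERSION;
++ if (!(s->options & SSL_OP_NO_TLSv1_1))
++ return s->version == TLS1_1_VERSION;
++ if (!(s->options & SSL_OP_NO_TLSv1))
++ return s->version == TLS1_VERSION;
++ if (!(s->options & SSL_OP_NO_SSLv3))
++ return s->version == SSL3_VERSION;
++ if (!(s->options & SSL_OP_NO_SSLv2))
++ return s->version == SSL2_VERSION;
++ }
++ return 0; /* Unexpected state; fail closed. */
++
+ default:
+ break;
+ }
+@@ -3714,6 +3741,7 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
+ break;
+ #endif
+ #endif
++
+ default:
+ return(0);
+ }
+@@ -4296,4 +4324,3 @@ long ssl_get_algorithm2(SSL *s)
+ return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256;
+ return alg2;
+ }
+-
+diff --git a/ssl/ssl.h b/ssl/ssl.h
+index b73da5e..b78a1cc 100644
+--- a/ssl/ssl.h
++++ b/ssl/ssl.h
+@@ -653,6 +653,10 @@ struct ssl_session_st
+ */
+ #define SSL_MODE_SEND_CLIENTHELLO_TIME 0x00000020L
+ #define SSL_MODE_SEND_SERVERHELLO_TIME 0x00000040L
++/* Send TLS_FALLBACK_SCSV in the ClientHello.
++ * To be set by applications that reconnect with a downgraded protocol
++ * version; see draft-ietf-tls-downgrade-scsv-00 for details. */
++#define SSL_MODE_SEND_FALLBACK_SCSV 0x00000080L
+
+ /* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,
+ * they cannot be used to clear bits. */
+@@ -1511,6 +1515,7 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
+ #define SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE
+ #define SSL_AD_BAD_CERTIFICATE_HASH_VALUE TLS1_AD_BAD_CERTIFICATE_HASH_VALUE
+ #define SSL_AD_UNKNOWN_PSK_IDENTITY TLS1_AD_UNKNOWN_PSK_IDENTITY /* fatal */
++#define SSL_AD_INAPPROPRIATE_FALLBACK TLS1_AD_INAPPROPRIATE_FALLBACK /* fatal */
+
+ #define SSL_ERROR_NONE 0
+ #define SSL_ERROR_SSL 1
+@@ -1621,6 +1626,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
+ #define SSL_CTRL_GET_EXTRA_CHAIN_CERTS 82
+ #define SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS 83
+
++#define SSL_CTRL_CHECK_PROTO_VERSION 119
++
+ #define DTLSv1_get_timeout(ssl, arg) \
+ SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg)
+ #define DTLSv1_handle_timeout(ssl) \
+@@ -2379,6 +2386,7 @@ void ERR_load_SSL_strings(void);
+ #define SSL_R_HTTPS_PROXY_REQUEST 155
+ #define SSL_R_HTTP_REQUEST 156
+ #define SSL_R_ILLEGAL_PADDING 283
++#define SSL_R_INAPPROPRIATE_FALLBACK 373
+ #define SSL_R_INCONSISTENT_COMPRESSION 340
+ #define SSL_R_INVALID_CHALLENGE_LENGTH 158
+ #define SSL_R_INVALID_COMMAND 280
+@@ -2525,6 +2533,7 @@ void ERR_load_SSL_strings(void);
+ #define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED 1021
+ #define SSL_R_TLSV1_ALERT_DECRYPT_ERROR 1051
+ #define SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION 1060
++#define SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK 1086
+ #define SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY 1071
+ #define SSL_R_TLSV1_ALERT_INTERNAL_ERROR 1080
+ #define SSL_R_TLSV1_ALERT_NO_RENEGOTIATION 1100
+diff --git a/ssl/ssl3.h b/ssl/ssl3.h
+index 37f19e3..85f1504 100644
+--- a/ssl/ssl3.h
++++ b/ssl/ssl3.h
+@@ -128,9 +128,14 @@
+ extern "C" {
+ #endif
+
+-/* Signalling cipher suite value: from draft-ietf-tls-renegotiation-03.txt */
++/* Signalling cipher suite value from RFC 5746
++ * (TLS_EMPTY_RENEGOTIATION_INFO_SCSV) */
+ #define SSL3_CK_SCSV 0x030000FF
+
++/* Signalling cipher suite value from draft-ietf-tls-downgrade-scsv-00
++ * (TLS_FALLBACK_SCSV) */
++#define SSL3_CK_FALLBACK_SCSV 0x03005600
++
+ #define SSL3_CK_RSA_NULL_MD5 0x03000001
+ #define SSL3_CK_RSA_NULL_SHA 0x03000002
+ #define SSL3_CK_RSA_RC4_40_MD5 0x03000003
+diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
+index d2f0dec..1b7eb47 100644
+--- a/ssl/ssl_err.c
++++ b/ssl/ssl_err.c
+@@ -383,6 +383,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
+ {ERR_REASON(SSL_R_HTTPS_PROXY_REQUEST) ,"https proxy request"},
+ {ERR_REASON(SSL_R_HTTP_REQUEST) ,"http request"},
+ {ERR_REASON(SSL_R_ILLEGAL_PADDING) ,"illegal padding"},
++{ERR_REASON(SSL_R_INAPPROPRIATE_FALLBACK),"inappropriate fallback"},
+ {ERR_REASON(SSL_R_INCONSISTENT_COMPRESSION),"inconsistent compression"},
+ {ERR_REASON(SSL_R_INVALID_CHALLENGE_LENGTH),"invalid challenge length"},
+ {ERR_REASON(SSL_R_INVALID_COMMAND) ,"invalid command"},
+@@ -529,6 +530,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
+ {ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPTION_FAILED),"tlsv1 alert decryption failed"},
+ {ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPT_ERROR),"tlsv1 alert decrypt error"},
+ {ERR_REASON(SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION),"tlsv1 alert export restriction"},
++{ERR_REASON(SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK),"tlsv1 alert inappropriate fallback"},
+ {ERR_REASON(SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY),"tlsv1 alert insufficient security"},
+ {ERR_REASON(SSL_R_TLSV1_ALERT_INTERNAL_ERROR),"tlsv1 alert internal error"},
+ {ERR_REASON(SSL_R_TLSV1_ALERT_NO_RENEGOTIATION),"tlsv1 alert no renegotiation"},
+diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
+index cc094e4..3f66fc0 100644
+--- a/ssl/ssl_lib.c
++++ b/ssl/ssl_lib.c
+@@ -1387,6 +1387,8 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
+
+ if (sk == NULL) return(0);
+ q=p;
++ if (put_cb == NULL)
++ put_cb = s->method->put_cipher_by_char;
+
+ for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
+ {
+@@ -1402,24 +1402,36 @@ int ssl_cipher_list_to_bytes(SSL *s,STAC
+ s->psk_client_callback == NULL)
+ continue;
+ #endif /* OPENSSL_NO_PSK */
+- j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p);
++ j = put_cb(c,p);
+ p+=j;
+ }
+- /* If p == q, no ciphers and caller indicates an error. Otherwise
++ /* If p == q, no ciphers; caller indicates an error. Otherwise
+ * add SCSV if not renegotiating.
+ */
+- if (p != q && !s->renegotiate)
++ if (p != q)
+ {
+- static SSL_CIPHER scsv =
++ if (!s->renegotiate)
+ {
+- 0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
+- };
+- j = put_cb ? put_cb(&scsv,p) : ssl_put_cipher_by_char(s,&scsv,p);
+- p+=j;
++ static SSL_CIPHER scsv =
++ {
++ 0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
++ };
++ j = put_cb(&scsv,p);
++ p+=j;
+ #ifdef OPENSSL_RI_DEBUG
+- fprintf(stderr, "SCSV sent by client\n");
++ fprintf(stderr, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV sent by client\n");
+ #endif
+- }
++ }
++ if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV)
++ {
++ static SSL_CIPHER scsv =
++ {
++ 0, NULL, SSL3_CK_FALLBACK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
++ };
++ j = put_cb(&scsv,p);
++ p+=j;
++ }
++ }
+
+ return(p-q);
+ }
+@@ -1439,11 +1453,12 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,
+ const SSL_CIPHER *c;
+ STACK_OF(SSL_CIPHER) *sk;
+ int i,n;
++
+ if (s->s3)
+ s->s3->send_connection_binding = 0;
+
+ n=ssl_put_cipher_by_char(s,NULL,NULL);
+- if ((num%n) != 0)
++ if (n == 0 || (num%n) != 0)
+ {
+ SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
+ return(NULL);
+@@ -1458,7 +1473,7 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,
+
+ for (i=0; i<num; i+=n)
+ {
+- /* Check for SCSV */
++ /* Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV */
+ if (s->s3 && (n != 3 || !p[0]) &&
+ (p[n-2] == ((SSL3_CK_SCSV >> 8) & 0xff)) &&
+ (p[n-1] == (SSL3_CK_SCSV & 0xff)))
+@@ -1478,6 +1493,23 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,
+ continue;
+ }
+
++ /* Check for TLS_FALLBACK_SCSV */
++ if ((n != 3 || !p[0]) &&
++ (p[n-2] == ((SSL3_CK_FALLBACK_SCSV >> 8) & 0xff)) &&
++ (p[n-1] == (SSL3_CK_FALLBACK_SCSV & 0xff)))
++ {
++ /* The SCSV indicates that the client previously tried a higher version.
++ * Fail if the current version is an unexpected downgrade. */
++ if (!SSL_ctrl(s, SSL_CTRL_CHECK_PROTO_VERSION, 0, NULL))
++ {
++ SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_INAPPROPRIATE_FALLBACK);
++ if (s->s3)
++ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_INAPPROPRIATE_FALLBACK);
++ goto err;
++ }
++ continue;
++ }
++
+ c=ssl_get_cipher_by_char(s,p);
+ p+=n;
+ if (c != NULL)
+diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
+index 1427484..1923cf3 100644
+--- a/ssl/t1_enc.c
++++ b/ssl/t1_enc.c
+@@ -1241,6 +1241,7 @@ int tls1_alert_code(int code)
+ case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: return(TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE);
+ case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: return(TLS1_AD_BAD_CERTIFICATE_HASH_VALUE);
+ case SSL_AD_UNKNOWN_PSK_IDENTITY:return(TLS1_AD_UNKNOWN_PSK_IDENTITY);
++ case SSL_AD_INAPPROPRIATE_FALLBACK:return(TLS1_AD_INAPPROPRIATE_FALLBACK);
+ #if 0 /* not appropriate for TLS, not used for DTLS */
+ case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE: return
+ (DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
+diff --git a/ssl/tls1.h b/ssl/tls1.h
+index c992091..6ae8876 100644
+--- a/ssl/tls1.h
++++ b/ssl/tls1.h
+@@ -159,17 +159,19 @@ extern "C" {
+
+ #define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES 0
+
++#define TLS1_VERSION 0x0301
++#define TLS1_1_VERSION 0x0302
+ #define TLS1_2_VERSION 0x0303
+-#define TLS1_2_VERSION_MAJOR 0x03
+-#define TLS1_2_VERSION_MINOR 0x03
++#define TLS_MAX_VERSION TLS1_2_VERSION
++
++#define TLS1_VERSION_MAJOR 0x03
++#define TLS1_VERSION_MINOR 0x01
+
+-#define TLS1_1_VERSION 0x0302
+ #define TLS1_1_VERSION_MAJOR 0x03
+ #define TLS1_1_VERSION_MINOR 0x02
+
+-#define TLS1_VERSION 0x0301
+-#define TLS1_VERSION_MAJOR 0x03
+-#define TLS1_VERSION_MINOR 0x01
++#define TLS1_2_VERSION_MAJOR 0x03
++#define TLS1_2_VERSION_MINOR 0x03
+
+ #define TLS1_get_version(s) \
+ ((s->version >> 8) == TLS1_VERSION_MAJOR ? s->version : 0)
+@@ -187,6 +189,7 @@ extern "C" {
+ #define TLS1_AD_PROTOCOL_VERSION 70 /* fatal */
+ #define TLS1_AD_INSUFFICIENT_SECURITY 71 /* fatal */
+ #define TLS1_AD_INTERNAL_ERROR 80 /* fatal */
++#define TLS1_AD_INAPPROPRIATE_FALLBACK 86 /* fatal */
+ #define TLS1_AD_USER_CANCELLED 90
+ #define TLS1_AD_NO_RENEGOTIATION 100
+ /* codes 110-114 are from RFC3546 */
+--
+1.7.9.5
+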
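Review bot: The file name `openssl-fix-CVE-2014-3566.patch` and the recipe commit present this as a fix for CVE-2014-3566, but the patch's own Subject (`Support TLS_FALLBACK_SCSV.`) and the ssl_lib.c hunks describe a narrower change: the client emits the fallback SCSV only when `s->mode & SSL_MODE_SEND_FALLBACK_SCSV` is set, and the server rejects a downgrade only when a peer actually sent that SCSV, so SSLv3 itself stays negotiable on both sides. I would make that explicit in the patch header, after `Upstream-Status: Backport`, with a line such as `Note: this adds TLS_FALLBACK_SCSV downgrade signalling only; SSLv3 remains enabled and clients must opt in via SSL_MODE_SEND_FALLBACK_SCSV.` The header also carries no Signed-off-by line from the person who backported it, which Yocto's patch-header conventions normally expect next to Upstream-Status; the commit message has one, the patch file does not. One small thing worth a comment in the d1_lib.c hunk: `return s->version == DTLS_MAX_VERSION;` leaves the `case` without a `break`, which is intentional here since it returns directly, but a `/* no break: returns */` comment would save the next reader a double-take.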
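--- a/meta/recipes-connectivity/openssl/openssl_1.0.1g.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.0.1g.bb
@@ -43,6 +43,7 @@ SRC_URI += "file://configure-targets.patch \
 file://0003-Make-tls_session_secret_cb-work-with-CVE-2014-0224-f.patch \
 file://0001-Fix-CVE-2014-3470.patch \
 file://run-ptest \
+file://openssl-fix-CVE-2014-3566.patch \
 "
 
 SRC_URI[md5sum] = "de62b43dfcd858e66a74bee1c834e959"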
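Review bot: Adding `file://openssl-fix-CVE-2014-3566.patch` to SRC_URI is the only recipe change, while the patch it pulls in (per its own CHANGES entry) implements TLS_FALLBACK_SCSV, a signalling mechanism that protects only connections where the client opts in with SSL_MODE_SEND_FALLBACK_SCSV; nothing in this commit disables SSLv3, so peers that do not send the SCSV are presumably still able to negotiate SSLv3 against this 1.0.1g build. If the intent is to close the POODLE exposure for every consumer of the package rather than only for cooperating clients, consider also disabling SSLv3 at configure time in this recipe (OpenSSL's `no-ssl3` configure option) or recording in a recipe comment next to the new SRC_URI entry that only the downgrade-signalling mitigation is applied. The `SRC_URI +=` assignment this hunk extends starts on the hunk header line; the rest of the list is unchanged.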