commit 1deb41bb2de8c4c99842b2868772b1931b80d315
author David Benjamin <davidben@google.com> Tue Aug 09 19:36:38 2016 -0400
committer CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Thu Aug 11 04:57:52 2016 +0000
tree 912b4919683a0ba5cf2cf52d7c625d5b9cf88c83
parent 19d5cf86dec1aaf52b4ab5f71d0602b795932f00

Move SCSV handling out of cipher list parsing.

It's odd that a function like ssl_bytes_to_cipher_list secretly has side
effects all over the place. This removes the need for the TLS 1.3 code
to re-query the version range, and it removes the requirement that the
RI extension be first.

Change-Id: Ic9af549db3aaa8880f3c591b8a13ba9ae91d6a46
Reviewed-on: https://boringssl-review.googlesource.com/10220
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>

ssl/handshake_server.c

diff --git a/ssl/handshake_server.c b/ssl/handshake_server.c
index d10d7f5..43abf39 100644
--- a/ssl/handshake_server.c
+++ b/ssl/handshake_server.c
@@ -530,6 +530,26 @@
   return ret;
 }
 
+int ssl_client_cipher_list_contains_cipher(
+    const struct ssl_early_callback_ctx *client_hello, uint16_t id) {
+  CBS cipher_suites;
+  CBS_init(&cipher_suites, client_hello->cipher_suites,
+           client_hello->cipher_suites_len);
+
+  while (CBS_len(&cipher_suites) > 0) {
+    uint16_t got_id;
+    if (!CBS_get_u16(&cipher_suites, &got_id)) {
+      return 0;
+    }
+
+    if (got_id == id) {
+      return 1;
+    }
+  }
+
+  return 0;
+}
+
 static int ssl3_get_client_hello(SSL *ssl) {
   int al = SSL_AD_INTERNAL_ERROR, ret = -1;
   const SSL_CIPHER *c;
@@ -600,11 +620,22 @@
     if (version > max_version) {
       version = max_version;
     }
+
     if (version < min_version) {
       OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_PROTOCOL);
       al = SSL_AD_PROTOCOL_VERSION;
       goto f_err;
     }
+
+    /* Handle FALLBACK_SCSV. */
+    if (ssl_client_cipher_list_contains_cipher(
+            &client_hello, SSL3_CK_FALLBACK_SCSV & 0xffff) &&
+        version < max_version) {
+      al = SSL3_AD_INAPPROPRIATE_FALLBACK;
+      OPENSSL_PUT_ERROR(SSL, SSL_R_INAPPROPRIATE_FALLBACK);
+      goto f_err;
+    }
+
     ssl->version = ssl->method->version_to_wire(version);
     ssl->s3->enc_method = ssl3_get_enc_method(version);
     assert(ssl->s3->enc_method != NULL);
@@ -698,7 +729,7 @@
     goto f_err;
   }
 
-  ciphers = ssl_parse_client_cipher_list(ssl, &client_hello, max_version);
+  ciphers = ssl_parse_client_cipher_list(&client_hello);
   if (ciphers == NULL) {
     goto err;
   }