Google Git
Sign in
boringssl/boringssl.git/39ebf53dd34a553768277ee2e0a5c681b4ac6f9e^!/./ssl
commit
39ebf53dd34a553768277ee2e0a5c681b4ac6f9e
[log]
author
David Benjamin <davidben@chromium.org>
Sun Aug 31 02:23:49 2014 -0400
committer
Adam Langley <agl@google.com>
Tue Sep 02 23:41:34 2014 +0000
tree
db22c3a5d8f59ff3551157a108e32ef6f9a199df
parent
120a674c003b2e5950d77415c464b5db20c43972 [diff]
Check the server did not use a TLS 1.2 cipher suite pre-TLS 1.2.

This check got refactored in OpenSSL 1.0.2 and broke in the process. Fix this
and add a test. Otherwise things like client auth can get slightly confused; it
will try to sign the MD5/SHA-1 hash, but the TLS 1.2 cipher suite may not use
SSL_HANDSHAKE_MAC_DEFAULT, so those digests won't be available.

Based on upstream's 226751ae4a1f3e00021c43399d7bb51a99c22c17.

Change-Id: I5b864d3a696f3187b849c53b872c24fb7df27924
Reviewed-on: https://boringssl-review.googlesource.com/1696
Reviewed-by: Adam Langley <agl@google.com>

diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 97d1107..5f8c5db 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c

@@ -798,6 +798,7 @@
 	CBS server_hello, server_random, session_id;
 	uint16_t server_version, cipher_suite;
 	uint8_t compression_method;
+	unsigned long mask_ssl;
 
 	n=s->method->ssl_get_message(s,
 		SSL3_ST_CR_SRVR_HELLO_A,
@@ -913,10 +914,16 @@
 		OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_UNKNOWN_CIPHER_RETURNED);
 		goto f_err;
 		}
+	/* ct->mask_ssl was computed from client capabilities. Now
+	 * that the final version is known, compute a new mask_ssl. */
+	if (!SSL_USE_TLS1_2_CIPHERS(s))
+		mask_ssl = SSL_TLSV1_2;
+	else
+		mask_ssl = 0;
 	/* If it is a disabled cipher we didn't send it in client hello,
 	 * so return an error.
 	 */
-	if (c->algorithm_ssl & ct->mask_ssl ||
+	if (c->algorithm_ssl & mask_ssl ||
 		c->algorithm_mkey & ct->mask_k ||
 		c->algorithm_auth & ct->mask_a)
 		{

diff --git a/ssl/test/runner/common.go b/ssl/test/runner/common.go
index fa0e6d8..f22f95a 100644
--- a/ssl/test/runner/common.go
+++ b/ssl/test/runner/common.go

@@ -445,6 +445,10 @@
 	// ClientKeyExchange message without the two-byte length
 	// prefix, as if it were SSL3.
 	SSL3RSAKeyExchange bool
+
+	// SkipCipherVersionCheck causes the server to negotiate
+	// TLS 1.2 ciphers in earlier versions of TLS.
+	SkipCipherVersionCheck bool
 }
 
 func (c *Config) serverInit() {

diff --git a/ssl/test/runner/handshake_server.go b/ssl/test/runner/handshake_server.go
index 855f992..6d61fd5 100644
--- a/ssl/test/runner/handshake_server.go
+++ b/ssl/test/runner/handshake_server.go

@@ -832,7 +832,7 @@
 			if (candidate.flags&suiteECDSA != 0) != ecdsaOk {
 				continue
 			}
-			if version < VersionTLS12 && candidate.flags&suiteTLS12 != 0 {
+			if !c.config.Bugs.SkipCipherVersionCheck && version < VersionTLS12 && candidate.flags&suiteTLS12 != 0 {
 				continue
 			}
 			if c.isDTLS && candidate.flags&suiteNoDTLS != 0 {

diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index d238e8a..9322592 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go

@@ -483,6 +483,18 @@
 		shouldFail:    true,
 		expectedError: ":HTTPS_PROXY_REQUEST:",
 	},
+	{
+		name: "SkipCipherVersionCheck",
+		config: Config{
+			CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
+			MaxVersion:   VersionTLS11,
+			Bugs: ProtocolBugs{
+				SkipCipherVersionCheck: true,
+			},
+		},
+		shouldFail:    true,
+		expectedError: ":WRONG_CIPHER_RETURNED:",
+	},
 }
 
 func doExchange(test *testCase, config *Config, conn net.Conn, messageLen int) error {