diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index c8e6d18ab..6a4ba395c 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -2011,6 +2011,22 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 256, 256, }, +#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL + { + 1, + "SCSV", + SSL3_CK_SCSV, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0 + }, +#endif #ifndef OPENSSL_NO_ECDH /* Cipher C001 */ diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index 35ed940c3..8018b5f35 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -971,7 +971,10 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id, #ifdef CIPHER_DEBUG printf("\nName: %s:\nAlgo = %08lx/%08lx/%08lx/%08lx/%08lx Algo_strength = %08lx\n", cp->name, cp->algorithm_mkey, cp->algorithm_auth, cp->algorithm_enc, cp->algorithm_mac, cp->algorithm_ssl, cp->algo_strength); #endif - +#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL + if (cipher_id && cipher_id != cp->id) + continue; +#endif if (alg_mkey && !(alg_mkey & cp->algorithm_mkey)) continue; if (alg_auth && !(alg_auth & cp->algorithm_auth)) diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 1d346cffb..a64e5d0e8 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -1423,6 +1423,7 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p, SSL_CIPHER *c; CERT *ct = s->cert; unsigned char *q; + int no_scsv = s->renegotiate; /* Set disabled masks for this session */ ssl_set_client_disabled(s); @@ -1437,13 +1438,22 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p, c->algorithm_mkey & ct->mask_k || c->algorithm_auth & ct->mask_a) continue; +#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL + if (c->id == SSL3_CK_SCSV) + { + if (no_scsv) + continue; + else + no_scsv = 1; + } +#endif j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p); p+=j; } /* If p == q, no ciphers and caller indicates an error. Otherwise * add SCSV if not renegotiating. */ - if (p != q && !s->renegotiate) + if (p != q && !no_scsv) { static SSL_CIPHER scsv = {