1
From fc4bd2f287582c5f51f9549727fd5a49e9fc3012 Mon Sep 17 00:00:00 2001
2
From: David Benjamin <davidben@google.com>
3
Date: Wed, 23 Jul 2014 22:32:21 +0200
4
Subject: [PATCH] Fix protocol downgrade bug in case of fragmented packets
6
Content-Type: text/plain; charset=utf8
7
Content-Transfer-Encoding: 8bit
11
Reviewed-by: Emilia Käsper <emilia@openssl.org>
12
Reviewed-by: Bodo Möller <bodo@openssl.org>
14
ssl/s23_srvr.c | 30 +++++++++++++++++++++++-------
15
1 file changed, 23 insertions(+), 7 deletions(-)
17
diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
18
index be05911..e544853 100644
21
@@ -328,23 +328,19 @@ int ssl23_get_client_hello(SSL *s)
22
* Client Hello message, this would be difficult, and we'd have
23
* to read more records to find out.
24
* No known SSL 3.0 client fragments ClientHello like this,
25
- * so we simply assume TLS 1.0 to avoid protocol version downgrade
27
+ * so we simply reject such connections to avoid
28
+ * protocol version downgrade attacks. */
29
if (p[3] == 0 && p[4] < 6)
32
SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_SMALL);
35
- v[1] = TLS1_VERSION_MINOR;
38
/* if major version number > 3 set minor to a value
39
* which will use the highest version 3 we support.
40
* If TLS 2.0 ever appears we will need to revise
43
- else if (p[9] > SSL3_VERSION_MAJOR)
44
+ if (p[9] > SSL3_VERSION_MAJOR)
47
v[1]=p[10]; /* minor version according to client_version */
48
@@ -412,14 +408,34 @@ int ssl23_get_client_hello(SSL *s)
49
v[0] = p[3]; /* == SSL3_VERSION_MAJOR */
52
+ /* An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2
53
+ * header is sent directly on the wire, not wrapped as a TLS
54
+ * record. It's format is:
59
+ * 5-6 cipher_spec_length
60
+ * 7-8 session_id_length
61
+ * 9-10 challenge_length
64
n=((p[0]&0x7f)<<8)|p[1];
67
SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_LARGE);
72
+ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_LENGTH_MISMATCH);
76
j=ssl23_read_bytes(s,n+2);
77
+ /* We previously read 11 bytes, so if j > 0, we must have
78
+ * j == n+2 == s->packet_length. We have at least 11 valid
80
if (j <= 0) return(j);
82
ssl3_finish_mac(s, s->packet+2, s->packet_length-2);