Skip to content

Commit 280b1f1

Browse files
davidbenmattcaswell
authored andcommitted
Fix protocol downgrade bug in case of fragmented packets
CVE-2014-3511 Reviewed-by: Emilia Käsper <emilia@openssl.org> Reviewed-by: Bodo Möller <bodo@openssl.org>
1 parent 4f2011d commit 280b1f1

File tree

1 file changed

+23
-7
lines changed

1 file changed

+23
-7
lines changed

Diff for: ssl/s23_srvr.c

+23-7
Original file line numberDiff line numberDiff line change
@@ -348,23 +348,19 @@ int ssl23_get_client_hello(SSL *s)
348348
* Client Hello message, this would be difficult, and we'd have
349349
* to read more records to find out.
350350
* No known SSL 3.0 client fragments ClientHello like this,
351-
* so we simply assume TLS 1.0 to avoid protocol version downgrade
352-
* attacks. */
351+
* so we simply reject such connections to avoid
352+
* protocol version downgrade attacks. */
353353
if (p[3] == 0 && p[4] < 6)
354354
{
355-
#if 0
356355
SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_SMALL);
357356
goto err;
358-
#else
359-
v[1] = TLS1_VERSION_MINOR;
360-
#endif
361357
}
362358
/* if major version number > 3 set minor to a value
363359
* which will use the highest version 3 we support.
364360
* If TLS 2.0 ever appears we will need to revise
365361
* this....
366362
*/
367-
else if (p[9] > SSL3_VERSION_MAJOR)
363+
if (p[9] > SSL3_VERSION_MAJOR)
368364
v[1]=0xff;
369365
else
370366
v[1]=p[10]; /* minor version according to client_version */
@@ -457,14 +453,34 @@ int ssl23_get_client_hello(SSL *s)
457453
v[0] = p[3]; /* == SSL3_VERSION_MAJOR */
458454
v[1] = p[4];
459455

456+
/* An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2
457+
* header is sent directly on the wire, not wrapped as a TLS
458+
* record. It's format is:
459+
* Byte Content
460+
* 0-1 msg_length
461+
* 2 msg_type
462+
* 3-4 version
463+
* 5-6 cipher_spec_length
464+
* 7-8 session_id_length
465+
* 9-10 challenge_length
466+
* ... ...
467+
*/
460468
n=((p[0]&0x7f)<<8)|p[1];
461469
if (n > (1024*4))
462470
{
463471
SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_LARGE);
464472
goto err;
465473
}
474+
if (n < 9)
475+
{
476+
SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_LENGTH_MISMATCH);
477+
goto err;
478+
}
466479

467480
j=ssl23_read_bytes(s,n+2);
481+
/* We previously read 11 bytes, so if j > 0, we must have
482+
* j == n+2 == s->packet_length. We have at least 11 valid
483+
* packet bytes. */
468484
if (j <= 0) return(j);
469485

470486
ssl3_finish_mac(s, s->packet+2, s->packet_length-2);

0 commit comments

Comments
 (0)