From: Bodo Möller <bodo@openssl.org>
Date: Fri, 22 Sep 2000 21:39:33 +0000 (+0000)
Subject: Avoid protocol rollback.
X-Git-Tag: OpenSSL-engine-0_9_6~2^2~7
X-Git-Url: https://git.openssl.org/?p=openssl.git;a=commitdiff_plain;h=f1192b7f2e2b6683333ee99ff7def5bb413dc3d2

Avoid protocol rollback.
---

diff --git a/CHANGES b/CHANGES
index 26fb7f8a89..390c17e212 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,16 @@
 
  Changes between 0.9.5a and 0.9.6  [xx XXX 2000]
 
+  *) In ssl23_get_client_hello, generate an error message when faced
+     with an initial SSL 3.0/TLS record that is too small to contain the
+     first two bytes of the ClientHello message, i.e. client_version.
+     (Note that this is a pathologic case that probably has never happened
+     in real life.)  The previous approach was to use the version number
+     from the record header as a subsitute; but our protocol choice
+     should not depend on that one because it is not authenticated
+     by the Finished messages.
+     [Bodo Moeller]
+
   *) For compatibility reasons if the flag X509_V_FLAG_ISSUER_CHECK is
      not set then we don't setup the error code for issuer check errors
      to avoid possibly overwriting other errors which the callback does
diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
index a81544a1b6..050618235f 100644
--- a/ssl/s23_srvr.c
+++ b/ssl/s23_srvr.c
@@ -348,16 +348,21 @@ int ssl23_get_client_hello(SSL *s)
 			 * SSLv3 or tls1 header
 			 */
 			
-			v[0]=p[1]; /* major version */
+			v[0]=p[1]; /* major version (= SSL3_VERSION_MAJOR) */
 			/* We must look at client_version inside the Client Hello message
-			 * to get the correct minor version: */
-			v[1]=p[10];
-			/* However if we have only a pathologically small fragment of the
-			 * Client Hello message, we simply use the version from the
-			 * record header -- this is incorrect but unlikely to fail in
-			 * practice */
+			 * to get the correct minor version.
+			 * However if we have only a pathologically small fragment of the
+			 * Client Hello message, this would be difficult, we'd have
+			 * to read at least one additional record to find out.
+			 * This doesn't usually happen in real life, so we just complain
+			 * for now.
+			 */
 			if (p[3] == 0 && p[4] < 6)
-				v[1]=p[2];
+				{
+				SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_SMALL);
+				goto err;
+				}
+			v[1]=p[10]; /* minor version according to client_version */
 			if (v[1] >= TLS1_VERSION_MINOR)
 				{
 				if (!(s->options & SSL_OP_NO_TLSv1))
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 6ffeca4d31..fdbdc70ba7 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -1471,6 +1471,7 @@ int SSL_COMP_add_compression_method(int id,char *cm);
 #define SSL_R_READ_WRONG_PACKET_TYPE			 212
 #define SSL_R_RECORD_LENGTH_MISMATCH			 213
 #define SSL_R_RECORD_TOO_LARGE				 214
+#define SSL_R_RECORD_TOO_SMALL				 1093
 #define SSL_R_REQUIRED_CIPHER_MISSING			 215
 #define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO		 216
 #define SSL_R_REUSE_CERT_TYPE_NOT_ZERO			 217
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index 642c3f93e7..17b4caf528 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -327,6 +327,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {SSL_R_READ_WRONG_PACKET_TYPE            ,"read wrong packet type"},
 {SSL_R_RECORD_LENGTH_MISMATCH            ,"record length mismatch"},
 {SSL_R_RECORD_TOO_LARGE                  ,"record too large"},
+{SSL_R_RECORD_TOO_SMALL                  ,"record too small"},
 {SSL_R_REQUIRED_CIPHER_MISSING           ,"required cipher missing"},
 {SSL_R_REUSE_CERT_LENGTH_NOT_ZERO        ,"reuse cert length not zero"},
 {SSL_R_REUSE_CERT_TYPE_NOT_ZERO          ,"reuse cert type not zero"},