Fix for "Record of death" vulnerability CVE-2010-0740.

[openssl.git] / ssl / s3_pkt.c
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c

index d795199ead0c01dda0c487a1d82ba49320dde205..b30c032b74e01c316f145a3ccab4975dde34e7c4 100644 (file)
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -337,9 +337,9 @@ fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length);
                         if (version != s->version)
                                 {
                                 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
                         if (version != s->version)
                                 {
                                 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
-                               /* Send back error using their
-                                * version number :-) */
-                               s->version=version;
+                                if ((s->version & 0xFF00) == (version & 0xFF00))
+                                       /* Send back error using their minor version number :-) */
+                                       s->version = (unsigned short)version;
                                 al=SSL_AD_PROTOCOL_VERSION;
                                 goto f_err;
                                 }
                                 al=SSL_AD_PROTOCOL_VERSION;
                                 goto f_err;
                                 }
@@ -789,8 +789,8 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
  
         if (eivlen)
                 {
  
         if (eivlen)
                 {
-               if (RAND_pseudo_bytes(p, eivlen) <= 0)
-                       goto err;
+       /*      if (RAND_pseudo_bytes(p, eivlen) <= 0)
+                       goto err; */
                 wr->length += eivlen;
                 }
  
                 wr->length += eivlen;
                 }
  
@@ -1139,7 +1139,25 @@ start:
                  * now try again to obtain the (application) data we were asked for */
                 goto start;
                 }
                  * now try again to obtain the (application) data we were asked for */
                 goto start;
                 }
-
+       /* If we are a server and get a client hello when renegotiation isn't
+        * allowed send back a no renegotiation alert and carry on.
+        * WARNING: experimental code, needs reviewing (steve)
+        */
+       if (s->server &&
+               SSL_is_init_finished(s) &&
+               !s->s3->send_connection_binding &&
+               (s->version > SSL3_VERSION) &&
+               (s->s3->handshake_fragment_len >= 4) &&
+               (s->s3->handshake_fragment[0] == SSL3_MT_CLIENT_HELLO) &&
+               (s->session != NULL) && (s->session->cipher != NULL) &&
+               !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+               
+               {
+               /*s->s3->handshake_fragment_len = 0;*/
+               rr->length = 0;
+               ssl3_send_alert(s,SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION);
+               goto start;
+               }
         if (s->s3->alert_fragment_len >= 2)
                 {
                 int alert_level = s->s3->alert_fragment[0];
         if (s->s3->alert_fragment_len >= 2)
                 {
                 int alert_level = s->s3->alert_fragment[0];
@@ -1169,6 +1187,21 @@ start:
                                 s->shutdown |= SSL_RECEIVED_SHUTDOWN;
                                 return(0);
                                 }
                                 s->shutdown |= SSL_RECEIVED_SHUTDOWN;
                                 return(0);
                                 }
+                       /* This is a warning but we receive it if we requested
+                        * renegotiation and the peer denied it. Terminate with
+                        * a fatal alert because if application tried to
+                        * renegotiatie it presumably had a good reason and
+                        * expects it to succeed.
+                        *
+                        * In future we might have a renegotiation where we
+                        * don't care if the peer refused it where we carry on.
+                        */
+                       else if (alert_descr == SSL_AD_NO_RENEGOTIATION)
+                               {
+                               al = SSL_AD_HANDSHAKE_FAILURE;
+                               SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_NO_RENEGOTIATION);
+                               goto f_err;
+                               }
                         }
                 else if (alert_level == 2) /* fatal */
                         {
                         }
                 else if (alert_level == 2) /* fatal */
                         {