[openssl-commits] [openssl] master update

Matt Caswell matt at openssl.org
Fri Jul 29 12:09:13 UTC 2016


The branch master has been updated
       via  0647719d809abdfe6b871949f4f75ce82da6616a (commit)
      from  1a627771634adba9d4f3b5cf7be74d6bab428a5f (commit)


- Log -----------------------------------------------------------------
commit 0647719d809abdfe6b871949f4f75ce82da6616a
Author: Matt Caswell <matt at openssl.org>
Date:   Fri Jul 22 14:58:19 2016 +0100

    Make the checks for an SSLv2 style record stricter
    
    SSLv2 is no longer supported in 1.1.0, however we *do* still accept an SSLv2
    style ClientHello, as long as we then subsequently negotiate a protocol
    version >= SSLv3. The record format for SSLv2 style ClientHellos is quite
    different to SSLv3+. We only accept this format in the first record of an
    initial ClientHello. Previously we checked this by confirming
    s->first_packet is set and s->server is true. However, this really only
    tells us that we are dealing with an initial ClientHello, not that it is
    the first record (s->first_packet is badly named...it really means this is
    the first message). To check this is the first record of the initial
    ClientHello we should also check that we've not received any data yet
    (s->init_num == 0), and that we've not had any empty records.
    
    GitHub Issue #1298
    
    Reviewed-by: Emilia Käsper <emilia at openssl.org>
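To make the difference between the two guards concrete, here is an added example (not OpenSSL's code) that places the old and new conditions side by side over a constructed stand-in for the connection state; `ssl_state` and its field names are assumptions modelled on the fields the commit names, and `SSL2_MT_CLIENT_HELLO` keeps its real value of 1.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for the pieces of SSL state the check reads.
 * This is not OpenSSL's struct; field names mirror the commit message. */
typedef struct {
    int first_packet;                /* first handshake message on the connection */
    int server;                      /* we are the server side */
    size_t init_num;                 /* handshake bytes already received */
    unsigned int empty_record_count; /* empty records seen so far */
    const void *read_hash;           /* non-NULL once a MAC is in use */
    const void *enc_read_ctx;        /* non-NULL once encryption is in use */
} ssl_state;

#define SSL2_MT_CLIENT_HELLO 1   /* real OpenSSL constant */

/* Header-byte test shared by both guards: 2-byte SSLv2 header with the
 * high bit of p[0] set, and the message type byte at p[2]. */
static int sslv2_header_bytes(const unsigned char *p, size_t n)
{
    return n >= 3 && (p[0] & 0x80) && p[2] == SSL2_MT_CLIENT_HELLO;
}

/* Old guard: proves "initial ClientHello", not "first record". */
int sslv2_style_record_old(const ssl_state *s, const unsigned char *p, size_t n)
{
    return s->first_packet && s->server && !s->read_hash && !s->enc_read_ctx
        && sslv2_header_bytes(p, n);
}

/* New guard: additionally requires no data yet and no empty records. */
int sslv2_style_record_new(const ssl_state *s, const unsigned char *p, size_t n)
{
    return s->first_packet && s->server
        && s->init_num == 0
        && s->empty_record_count == 0
        && s->read_hash == NULL && s->enc_read_ctx == NULL
        && sslv2_header_bytes(p, n);
}

/* Body length carried by a 2-byte SSLv2 record header (high bit set). */
size_t sslv2_record_len(const unsigned char *p)
{
    return ((size_t)(p[0] & 0x7f) << 8) | p[1];
}
```

The constructed header bytes `80 2e 01` (SSLv2 ClientHello, body length 46) pass both guards on a fresh connection, but only the old guard still accepts them after an empty record or after handshake data has arrived.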

-----------------------------------------------------------------------

Summary of changes:
 ssl/record/ssl3_record.c | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c
index b4d8981..ad240bc 100644
--- a/ssl/record/ssl3_record.c
+++ b/ssl/record/ssl3_record.c
@@ -160,12 +160,18 @@ int ssl3_get_record(SSL *s)
 
             /*
              * Check whether this is a regular record or an SSLv2 style record.
-             * The latter is only used in an initial ClientHello for old
-             * clients. We check s->read_hash and s->enc_read_ctx to ensure this
-             * does not apply during renegotiation
+             * The latter can only be used in the first record of an initial
+             * ClientHello for old clients. Initial ClientHello means
+             * s->first_packet is set and s->server is true. The first record
+             * means we've not received any data so far (s->init_num == 0) and
+             * have had no empty records. We check s->read_hash and
+             * s->enc_read_ctx to ensure this does not apply during
+             * renegotiation.
              */
-            if (s->first_packet && s->server && !s->read_hash
-                    && !s->enc_read_ctx
+            if (s->first_packet && s->server
+                    && s->init_num == 0
+                    && RECORD_LAYER_get_empty_record_count(&s->rlayer) == 0
+                    && s->read_hash == NULL && s->enc_read_ctx == NULL
                     && (p[0] & 0x80) && (p[2] == SSL2_MT_CLIENT_HELLO)) {
                 /*
                  *  SSLv2 style record
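Review bot: no test accompanies the stricter guard (the summary lists only ssl/record/ssl3_record.c). Since the hunk adds two new state conditions, `s->init_num == 0` and `RECORD_LAYER_get_empty_record_count(&s->rlayer) == 0`, a regression test that presents an SSLv2 style record after an empty record, and one that presents it once handshake data has already been received, each expecting the SSLv2 path not to be taken, would pin down exactly the behaviour the new comment describes and guard against either condition being dropped later.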

