|
 |
1b2890 |
From fc4f4cdb8bf9981904e652abf69b892a45bddacf Mon Sep 17 00:00:00 2001
|
|
|
1b2890 |
From: David Benjamin <davidben@google.com>
|
|
|
1b2890 |
Date: Wed, 23 Jul 2014 22:32:21 +0200
|
|
|
1b2890 |
Subject: [PATCH] Fix protocol downgrade bug in case of fragmented packets
|
|
|
1b2890 |
MIME-Version: 1.0
|
|
|
1b2890 |
Content-Type: text/plain; charset=UTF-8
|
|
|
1b2890 |
Content-Transfer-Encoding: 8bit
|
|
|
1b2890 |
|
|
|
1b2890 |
CVE-2014-3511
|
|
|
1b2890 |
|
|
|
1b2890 |
Reviewed-by: Emilia Käsper <emilia@openssl.org>
|
|
|
1b2890 |
Reviewed-by: Bodo Möller <bodo@openssl.org>
|
|
|
1b2890 |
---
|
|
|
1b2890 |
ssl/s23_srvr.c | 30 +++++++++++++++++++++++-------
|
|
|
1b2890 |
1 file changed, 23 insertions(+), 7 deletions(-)
|
|
|
1b2890 |
|
|
|
1b2890 |
diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
|
|
|
1b2890 |
index 4877849..2901a6b 100644
|
|
|
1b2890 |
--- a/ssl/s23_srvr.c
|
|
|
1b2890 |
+++ b/ssl/s23_srvr.c
|
|
|
1b2890 |
@@ -348,23 +348,19 @@ int ssl23_get_client_hello(SSL *s)
|
|
|
1b2890 |
* Client Hello message, this would be difficult, and we'd have
|
|
|
1b2890 |
* to read more records to find out.
|
|
|
1b2890 |
* No known SSL 3.0 client fragments ClientHello like this,
|
|
|
1b2890 |
- * so we simply assume TLS 1.0 to avoid protocol version downgrade
|
|
|
1b2890 |
- * attacks. */
|
|
|
1b2890 |
+ * so we simply reject such connections to avoid
|
|
|
1b2890 |
+ * protocol version downgrade attacks. */
|
|
|
1b2890 |
if (p[3] == 0 && p[4] < 6)
|
|
|
1b2890 |
{
|
|
|
1b2890 |
-#if 0
|
|
|
1b2890 |
SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_SMALL);
|
|
|
1b2890 |
goto err;
|
|
|
1b2890 |
-#else
|
|
|
1b2890 |
- v[1] = TLS1_VERSION_MINOR;
|
|
|
1b2890 |
-#endif
|
|
|
1b2890 |
}
|
|
|
1b2890 |
/* if major version number > 3 set minor to a value
|
|
|
1b2890 |
* which will use the highest version 3 we support.
|
|
|
1b2890 |
* If TLS 2.0 ever appears we will need to revise
|
|
|
1b2890 |
* this....
|
|
|
1b2890 |
*/
|
|
|
1b2890 |
- else if (p[9] > SSL3_VERSION_MAJOR)
|
|
|
1b2890 |
+ if (p[9] > SSL3_VERSION_MAJOR)
|
|
|
1b2890 |
v[1]=0xff;
|
|
|
1b2890 |
else
|
|
|
1b2890 |
v[1]=p[10]; /* minor version according to client_version */
|
|
|
1b2890 |
@@ -444,14 +440,34 @@ int ssl23_get_client_hello(SSL *s)
|
|
|
1b2890 |
v[0] = p[3]; /* == SSL3_VERSION_MAJOR */
|
|
|
1b2890 |
v[1] = p[4];
|
|
|
1b2890 |
|
|
|
1b2890 |
+ /* An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2
|
|
|
1b2890 |
+ * header is sent directly on the wire, not wrapped as a TLS
|
|
|
1b2890 |
+ * record. It's format is:
|
|
|
1b2890 |
+ * Byte Content
|
|
|
1b2890 |
+ * 0-1 msg_length
|
|
|
1b2890 |
+ * 2 msg_type
|
|
|
1b2890 |
+ * 3-4 version
|
|
|
1b2890 |
+ * 5-6 cipher_spec_length
|
|
|
1b2890 |
+ * 7-8 session_id_length
|
|
|
1b2890 |
+ * 9-10 challenge_length
|
|
|
1b2890 |
+ * ... ...
|
|
|
1b2890 |
+ */
|
|
|
1b2890 |
n=((p[0]&0x7f)<<8)|p[1];
|
|
|
1b2890 |
if (n > (1024*4))
|
|
|
1b2890 |
{
|
|
|
1b2890 |
SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_LARGE);
|
|
|
1b2890 |
goto err;
|
|
|
1b2890 |
}
|
|
|
1b2890 |
+ if (n < 9)
|
|
|
1b2890 |
+ {
|
|
|
1b2890 |
+ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_LENGTH_MISMATCH);
|
|
|
1b2890 |
+ goto err;
|
|
|
1b2890 |
+ }
|
|
|
1b2890 |
|
|
|
1b2890 |
j=ssl23_read_bytes(s,n+2);
|
|
|
1b2890 |
+ /* We previously read 11 bytes, so if j > 0, we must have
|
|
|
1b2890 |
+ * j == n+2 == s->packet_length. We have at least 11 valid
|
|
|
1b2890 |
+ * packet bytes. */
|
|
|
1b2890 |
if (j <= 0) return(j);
|
|
|
1b2890 |
|
|
|
1b2890 |
ssl3_finish_mac(s, s->packet+2, s->packet_length-2);
|
|
|
1b2890 |
--
|
|
|
1b2890 |
1.8.3.1
|
|
|
1b2890 |
|