Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libssl/s23_srvr.c | 59 | ||||
| -rw-r--r-- | src/lib/libssl/src/ssl/s23_srvr.c | 59 |
2 files changed, 54 insertions, 64 deletions
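--- a/src/lib/libssl/s23_srvr.c
+++ b/src/lib/libssl/s23_srvr.c
@@ -261,20 +261,21 @@ end:
 int
 ssl23_get_client_hello(SSL *s)
 {
-char buf_space[11]; /* Request this many bytes in initial read.
-* We can detect SSL 3.0/TLS 1.0 Client Hellos
-* ('type == 3') correctly only when the following
-* is in a single record, which is not guaranteed by
-* the protocol specification:
-* Byte Content
-* 0 type \
-* 1/2 version > record header
-* 3/4 length /
-* 5 msg_type \
-* 6-8 length > Client Hello message
-* 9/10 client_version /
-*/
-char *buf = &(buf_space[0]);
+char buf[11];
+/*
+* sizeof(buf) == 11, because we'll need to request this many bytes in
+* the initial read.
+* We can detect SSL 3.0/TLS 1.0 Client Hellos ('type == 3') correctly
+* only when the following is in a single record, which is not
+* guaranteed by the protocol specification:
+* Byte Content
+* 0 type \
+* 1/2 version > record header
+* 3/4 length /
+* 5 msg_type \
+* 6-8 length > Client Hello message
+* 9/10 client_version /
+*/
 unsigned char *p, *d, *d_len, *dd;
 unsigned int i;
 unsigned int csl, sil, cl;
@@ -287,11 +288,11 @@ ssl23_get_client_hello(SSL *s)
 v[0] = v[1] = 0;
 
 if (!ssl3_setup_buffers(s))
-goto err;
+return -1;
 
-n = ssl23_read_bytes(s, sizeof buf_space);
-if (n != sizeof buf_space)
-return(n); /* n == -1 || n == 0 */
+n = ssl23_read_bytes(s, sizeof buf);
+if (n != sizeof buf)
+return(n);
 
 p = s->packet;
 
@@ -404,10 +405,10 @@ ssl23_get_client_hello(SSL *s)
 (strncmp("HEAD ",(char *)p, 5) == 0) ||
 (strncmp("PUT ", (char *)p, 4) == 0)) {
 SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_HTTP_REQUEST);
-goto err;
+return -1;
 } else if (strncmp("CONNECT", (char *)p, 7) == 0) {
 SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_HTTPS_PROXY_REQUEST);
-goto err;
+return -1;
 }
 }
 
@@ -423,7 +424,7 @@ ssl23_get_client_hello(SSL *s)
 n = ((p[0] & 0x7f) << 8) | p[1];
 if (n > (1024 * 4)) {
 SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_RECORD_TOO_LARGE);
-goto err;
+return -1;
 }
 
 j = ssl23_read_bytes(s, n + 2);
@@ -449,7 +450,7 @@ ssl23_get_client_hello(SSL *s)
 */
 SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,
 SSL_R_RECORD_LENGTH_MISMATCH);
-goto err;
+return -1;
 }
 
 /* record header: msg_type ... */
@@ -511,14 +512,14 @@ ssl23_get_client_hello(SSL *s)
 
 if (type == 1) {
 SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_UNSUPPORTED_PROTOCOL);
-goto err;
+return -1;
 }
 
 if ((type == 2) || (type == 3)) {
 /* we have SSLv3/TLSv1 (type 2: SSL2 style, type 3: SSL3/TLS style) */
 
 if (!ssl_init_wbio_buffer(s, 1))
-goto err;
+return -1;
 
 /* we are in this state */
 s->state = SSL3_ST_SR_CLNT_HELLO_A;
@@ -530,7 +531,7 @@ ssl23_get_client_hello(SSL *s)
 s->packet_length = n;
 if (s->s3->rbuf.buf == NULL)
 if (!ssl3_setup_read_buffer(s))
-goto err;
+return -1;
 
 s->packet = &(s->s3->rbuf.buf[0]);
 memcpy(s->packet, buf, n);
@@ -558,15 +559,9 @@ ssl23_get_client_hello(SSL *s)
 if ((type < 1) || (type > 3)) {
 /* bad, very bad */
 SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
-goto err;
+return -1;
 }
 s->init_num = 0;
 
-if (buf != buf_space)
-free(buf);
 return (SSL_accept(s));
-err:
-if (buf != buf_space)
-free(buf);
-return (-1);
 }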
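Review bot: The `memcpy(s->packet, buf, n)` at new line 537 now copies out of a fixed 11-byte stack array, yet nothing in the visible hunks ties `n` to `sizeof buf` at that point, and `n` is reassigned at new line 424 to a record length that may be as large as 4096. The branch guarding the copy lies outside the hunks, so it may already be safe, but the invariant is implicit. A check such as `if ((size_t)n > sizeof(buf)) return -1;` just ahead of the copy, or copying `sizeof buf` bytes, would rule out an over-read of `buf` by construction. Separately, the dropped `/* n == -1 || n == 0 */` comment was the only record of what `return(n);` can yield at new line 295 and is worth keeping. Both points apply equally to the identical change in src/lib/libssl/src/ssl/s23_srvr.c.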
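--- a/src/lib/libssl/src/ssl/s23_srvr.c
+++ b/src/lib/libssl/src/ssl/s23_srvr.c
@@ -261,20 +261,21 @@ end:
 int
 ssl23_get_client_hello(SSL *s)
 {
-char buf_space[11]; /* Request this many bytes in initial read.
-* We can detect SSL 3.0/TLS 1.0 Client Hellos
-* ('type == 3') correctly only when the following
-* is in a single record, which is not guaranteed by
-* the protocol specification:
-* Byte Content
-* 0 type \
-* 1/2 version > record header
-* 3/4 length /
-* 5 msg_type \
-* 6-8 length > Client Hello message
-* 9/10 client_version /
-*/
-char *buf = &(buf_space[0]);
+char buf[11];
+/*
+* sizeof(buf) == 11, because we'll need to request this many bytes in
+* the initial read.
+* We can detect SSL 3.0/TLS 1.0 Client Hellos ('type == 3') correctly
+* only when the following is in a single record, which is not
+* guaranteed by the protocol specification:
+* Byte Content
+* 0 type \
+* 1/2 version > record header
+* 3/4 length /
+* 5 msg_type \
+* 6-8 length > Client Hello message
+* 9/10 client_version /
+*/
 unsigned char *p, *d, *d_len, *dd;
 unsigned int i;
 unsigned int csl, sil, cl;
@@ -287,11 +288,11 @@ ssl23_get_client_hello(SSL *s)
 v[0] = v[1] = 0;
 
 if (!ssl3_setup_buffers(s))
-goto err;
+return -1;
 
-n = ssl23_read_bytes(s, sizeof buf_space);
-if (n != sizeof buf_space)
-return(n); /* n == -1 || n == 0 */
+n = ssl23_read_bytes(s, sizeof buf);
+if (n != sizeof buf)
+return(n);
 
 p = s->packet;
 
@@ -404,10 +405,10 @@ ssl23_get_client_hello(SSL *s)
 (strncmp("HEAD ",(char *)p, 5) == 0) ||
 (strncmp("PUT ", (char *)p, 4) == 0)) {
 SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_HTTP_REQUEST);
-goto err;
+return -1;
 } else if (strncmp("CONNECT", (char *)p, 7) == 0) {
 SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_HTTPS_PROXY_REQUEST);
-goto err;
+return -1;
 }
 }
 
@@ -423,7 +424,7 @@ ssl23_get_client_hello(SSL *s)
 n = ((p[0] & 0x7f) << 8) | p[1];
 if (n > (1024 * 4)) {
 SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_RECORD_TOO_LARGE);
-goto err;
+return -1;
 }
 
 j = ssl23_read_bytes(s, n + 2);
@@ -449,7 +450,7 @@ ssl23_get_client_hello(SSL *s)
 */
 SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,
 SSL_R_RECORD_LENGTH_MISMATCH);
-goto err;
+return -1;
 }
 
 /* record header: msg_type ... */
@@ -511,14 +512,14 @@ ssl23_get_client_hello(SSL *s)
 
 if (type == 1) {
 SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_UNSUPPORTED_PROTOCOL);
-goto err;
+return -1;
 }
 
 if ((type == 2) || (type == 3)) {
 /* we have SSLv3/TLSv1 (type 2: SSL2 style, type 3: SSL3/TLS style) */
 
 if (!ssl_init_wbio_buffer(s, 1))
-goto err;
+return -1;
 
 /* we are in this state */
 s->state = SSL3_ST_SR_CLNT_HELLO_A;
@@ -530,7 +531,7 @@ ssl23_get_client_hello(SSL *s)
 s->packet_length = n;
 if (s->s3->rbuf.buf == NULL)
 if (!ssl3_setup_read_buffer(s))
-goto err;
+return -1;
 
 s->packet = &(s->s3->rbuf.buf[0]);
 memcpy(s->packet, buf, n);
@@ -558,15 +559,9 @@ ssl23_get_client_hello(SSL *s)
 if ((type < 1) || (type > 3)) {
 /* bad, very bad */
 SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
-goto err;
+return -1;
 }
 s->init_num = 0;
 
-if (buf != buf_space)
-free(buf);
 return (SSL_accept(s));
-err:
-if (buf != buf_space)
-free(buf);
-return (-1);
 }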
