diff --git a/cyassl/internal.h b/cyassl/internal.h
index 5373b3c98..e3d183d3b 100644
--- a/cyassl/internal.h
+++ b/cyassl/internal.h
@@ -633,6 +633,7 @@ enum Misc {
 TLSv1_MINOR = 1, /* TLSv1 minor version number */
 TLSv1_1_MINOR = 2, /* TLSv1_1 minor version number */
 TLSv1_2_MINOR = 3, /* TLSv1_2 minor version number */
+ OLD_HELLO_ID = 0x01, /* SSLv2 Client Hello Indicator */
 INVALID_BYTE = 0xff, /* Used to initialize cipher specs values */
 NO_COMPRESSION = 0,
 ZLIB_COMPRESSION = 221, /* CyaSSL zlib compression */
diff --git a/src/internal.c b/src/internal.c
index 464d62e65..58b9a9bc1 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -6230,9 +6230,6 @@ int ProcessReply(CYASSL* ssl)
 int ret = 0, type, readSz;
 int atomicUser = 0;
 word32 startIdx = 0;
-#ifndef NO_CYASSL_SERVER
- byte b0, b1;
-#endif
 #ifdef CYASSL_DTLS
 int used;
 #endif
@@ -6276,15 +6273,32 @@ int ProcessReply(CYASSL* ssl)
 #endif
 }
-#ifndef NO_CYASSL_SERVER
+#ifdef OLD_HELLO_ALLOWED
 /* see if sending SSLv2 client hello */
 if ( ssl->options.side == CYASSL_SERVER_END && ssl->options.clientState == NULL_STATE && ssl->buffers.inputBuffer.buffer[ssl->buffers.inputBuffer.idx] != handshake) {
+ byte b0, b1;
+ ssl->options.processReply = runProcessOldClientHello;
+ /* sanity checks before getting size at front */
+ if (ssl->buffers.inputBuffer.buffer[
+ ssl->buffers.inputBuffer.idx + 2] != OLD_HELLO_ID) {
+ CYASSL_MSG("Not a valid old client hello");
+ return PARSE_ERROR;
+ }
+
+ if (ssl->buffers.inputBuffer.buffer[
+ ssl->buffers.inputBuffer.idx + 3] != SSLv3_MAJOR &&
+ ssl->buffers.inputBuffer.buffer[
+ ssl->buffers.inputBuffer.idx + 3] != DTLS_MAJOR) {
+ CYASSL_MSG("Not a valid version in old client hello");
+ return PARSE_ERROR;
+ }
+
+ /* how many bytes need ProcessOldClientHello */
 b0 = ssl->buffers.inputBuffer.buffer[ssl->buffers.inputBuffer.idx++];
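Review bot: The two new sanity checks in ProcessReply read `inputBuffer.buffer[idx + 2]` and `[idx + 3]`, but nothing in this hunk shows that at least four bytes past `idx` have been received; if the record-header read done earlier in ProcessReply (outside the hunk) already guarantees that, the reliance should be stated next to the first access, e.g. `/* header read above guarantees >= 4 bytes at idx, so idx+2 / idx+3 are in bounds */`, otherwise a comparison against `ssl->buffers.inputBuffer.length` belongs before it. The checks also run after `ssl->options.processReply = runProcessOldClientHello;`, so a rejected hello leaves the state machine already pointed at the old-hello path; moving that assignment below the second check keeps the PARSE_ERROR path free of side effects. Both checks assume the two-byte SSLv2 record header (message type at idx+2); a three-byte header form is rejected as "Not a valid old client hello", which is fine if intended but deserves a comment. The hunk appears cut off after the `b0` read and ProcessReply continues outside it.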
@@ -6329,7 +6343,7 @@ int ProcessReply(CYASSL* ssl)
 return 0;
 }
-#endif /* NO_CYASSL_SERVER */
+#endif /* OLD_HELLO_ALLOWED */
 /* get the record layer header */
 case getRecordLayerHeader:
@@ -12252,6 +12266,8 @@ int DoSessionTicket(CYASSL* ssl,
 }
+#ifdef OLD_HELLO_ALLOWED
+
 /* process old style client hello, deprecate? */
 int ProcessOldClientHello(CYASSL* ssl, const byte* input, word32* inOutIdx, word32 inSz, word16 sz)
@@ -12429,6 +12445,8 @@ int DoSessionTicket(CYASSL* ssl,
 return MatchSuite(ssl, &clSuites);
 }
+#endif /* OLD_HELLO_ALLOWED */
+
 static int DoClientHello(CYASSL* ssl, const byte* input, word32* inOutIdx, word32 helloSz)
diff --git a/src/sniffer.c b/src/sniffer.c
index d88ab985c..69c87ac26 100644
--- a/src/sniffer.c
+++ b/src/sniffer.c
@@ -2038,6 +2038,8 @@ static SnifferSession* CreateSession(IpInfo* ipInfo, TcpInfo* tcpInfo,
 }
+#ifdef OLD_HELLO_ALLOWED
+
 /* Process Old Client Hello Input */
 static int DoOldHello(SnifferSession* session, const byte* sslFrame, int* rhSize, int* sslBytes, char* error)
@@ -2074,6 +2076,8 @@ static int DoOldHello(SnifferSession* session, const byte* sslFrame,
 return 0;
 }
+#endif /* OLD_HELLO_ALLOWED */
+
 #if 0
 /* Calculate the TCP checksum, see RFC 1071 */
@@ -2510,7 +2514,9 @@ static int CheckPreRecord(IpInfo* ipInfo, TcpInfo* tcpInfo,
 *sslFrame = ssl->buffers.inputBuffer.buffer;
 *end = *sslFrame + *sslBytes;
 }
-
+#ifdef OLD_HELLO_ALLOWED
+
 if ((*session)->flags.clientHello == 0 && **sslFrame != handshake) {
 int rhSize;
 int ret = DoOldHello(*session, *sslFrame, &rhSize, sslBytes, error);
@@ -2519,6 +2525,8 @@ static int CheckPreRecord(IpInfo* ipInfo, TcpInfo* tcpInfo,
 if (*sslBytes <= 0) return 1;
 }
+
+#endif
 return 0;
 }
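Review bot: The comment `/* process old style client hello, deprecate? */` above ProcessOldClientHello is stale now that the function is only compiled under OLD_HELLO_ALLOWED; suggest `/* process SSLv2-style client hello; built only when OLD_HELLO_ALLOWED is defined */`. The prototype in the header is not part of this diff, so it presumably stays declared unconditionally, which is harmless but worth a matching one-line comment there. The function body lies outside the hunk.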
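Review bot: The closing `#endif` added at the end of CheckPreRecord carries no trailer, unlike every other guard this commit closes with `/* OLD_HELLO_ALLOWED */`; make it `#endif /* OLD_HELLO_ALLOWED */` so the pairing with the `#ifdef` in the previous hunk is readable. With the macro undefined, a session whose first byte is not `handshake` now goes straight to regular record processing instead of DoOldHello, which is presumably the intent but should be stated in a comment at the `#ifdef`. Whether the build defines OLD_HELLO_ALLOWED by default is not visible here, and that setting decides whether SSLv2-style hellos are accepted out of the box.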