remove old client hello processing by default, can turn on with OLD_HELLO_ALLOWED, add sanity checks before size front alloc

toddouska
2014-10-31 13:23:50 -07:00
parent 1e7b579777
commit 0f641e07a2
3 changed files with 33 additions and 6 deletions


@@ -633,6 +633,7 @@ enum Misc {
TLSv1_MINOR = 1, /* TLSv1 minor version number */ TLSv1_MINOR = 1, /* TLSv1 minor version number */
TLSv1_1_MINOR = 2, /* TLSv1_1 minor version number */ TLSv1_1_MINOR = 2, /* TLSv1_1 minor version number */
TLSv1_2_MINOR = 3, /* TLSv1_2 minor version number */ TLSv1_2_MINOR = 3, /* TLSv1_2 minor version number */
OLD_HELLO_ID = 0x01, /* SSLv2 Client Hello Indicator */
INVALID_BYTE = 0xff, /* Used to initialize cipher specs values */ INVALID_BYTE = 0xff, /* Used to initialize cipher specs values */
NO_COMPRESSION = 0, NO_COMPRESSION = 0,
ZLIB_COMPRESSION = 221, /* CyaSSL zlib compression */ ZLIB_COMPRESSION = 221, /* CyaSSL zlib compression */


@@ -6230,9 +6230,6 @@ int ProcessReply(CYASSL* ssl)
int ret = 0, type, readSz; int ret = 0, type, readSz;
int atomicUser = 0; int atomicUser = 0;
word32 startIdx = 0; word32 startIdx = 0;
#ifndef NO_CYASSL_SERVER
byte b0, b1;
#endif
#ifdef CYASSL_DTLS #ifdef CYASSL_DTLS
int used; int used;
#endif #endif
@@ -6276,15 +6273,32 @@ int ProcessReply(CYASSL* ssl)
#endif #endif
} }
#ifndef NO_CYASSL_SERVER #ifdef OLD_HELLO_ALLOWED
/* see if sending SSLv2 client hello */ /* see if sending SSLv2 client hello */
if ( ssl->options.side == CYASSL_SERVER_END && if ( ssl->options.side == CYASSL_SERVER_END &&
ssl->options.clientState == NULL_STATE && ssl->options.clientState == NULL_STATE &&
ssl->buffers.inputBuffer.buffer[ssl->buffers.inputBuffer.idx] ssl->buffers.inputBuffer.buffer[ssl->buffers.inputBuffer.idx]
!= handshake) { != handshake) {
byte b0, b1;
ssl->options.processReply = runProcessOldClientHello; ssl->options.processReply = runProcessOldClientHello;
/* sanity checks before getting size at front */
if (ssl->buffers.inputBuffer.buffer[
ssl->buffers.inputBuffer.idx + 2] != OLD_HELLO_ID) {
CYASSL_MSG("Not a valid old client hello");
return PARSE_ERROR;
}
if (ssl->buffers.inputBuffer.buffer[
ssl->buffers.inputBuffer.idx + 3] != SSLv3_MAJOR &&
ssl->buffers.inputBuffer.buffer[
ssl->buffers.inputBuffer.idx + 3] != DTLS_MAJOR) {
CYASSL_MSG("Not a valid version in old client hello");
return PARSE_ERROR;
}
/* how many bytes need ProcessOldClientHello */ /* how many bytes need ProcessOldClientHello */
b0 = b0 =
ssl->buffers.inputBuffer.buffer[ssl->buffers.inputBuffer.idx++]; ssl->buffers.inputBuffer.buffer[ssl->buffers.inputBuffer.idx++];
@@ -6329,7 +6343,7 @@ int ProcessReply(CYASSL* ssl)
return 0; return 0;
} }
#endif /* NO_CYASSL_SERVER */ #endif /* OLD_HELLO_ALLOWED */
/* get the record layer header */ /* get the record layer header */
case getRecordLayerHeader: case getRecordLayerHeader:
@@ -12252,6 +12266,8 @@ int DoSessionTicket(CYASSL* ssl,
} }
#ifdef OLD_HELLO_ALLOWED
/* process old style client hello, deprecate? */ /* process old style client hello, deprecate? */
int ProcessOldClientHello(CYASSL* ssl, const byte* input, word32* inOutIdx, int ProcessOldClientHello(CYASSL* ssl, const byte* input, word32* inOutIdx,
word32 inSz, word16 sz) word32 inSz, word16 sz)
@@ -12429,6 +12445,8 @@ int DoSessionTicket(CYASSL* ssl,
return MatchSuite(ssl, &clSuites); return MatchSuite(ssl, &clSuites);
} }
#endif /* OLD_HELLO_ALLOWED */
static int DoClientHello(CYASSL* ssl, const byte* input, word32* inOutIdx, static int DoClientHello(CYASSL* ssl, const byte* input, word32* inOutIdx,
word32 helloSz) word32 helloSz)
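Review bot: The two new sanity checks in ProcessReply read `inputBuffer.buffer` at `idx + 2` and `idx + 3` with no visible check that four bytes are buffered past `idx`. Presumably the header read earlier in the function guarantees this, but that code is outside the hunk, so a short comment stating the guarantee, or an explicit guard on the number of buffered bytes, would make the bound auditable. Separately, `ssl->options.processReply = runProcessOldClientHello;` is assigned before the checks, so a rejected record still leaves the state advanced; moving that assignment below the second `return PARSE_ERROR;` block would keep the state untouched on the error path. ProcessReply's body starts and ends outside the hunks shown.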


@@ -2038,6 +2038,8 @@ static SnifferSession* CreateSession(IpInfo* ipInfo, TcpInfo* tcpInfo,
} }
#ifdef OLD_HELLO_ALLOWED
/* Process Old Client Hello Input */ /* Process Old Client Hello Input */
static int DoOldHello(SnifferSession* session, const byte* sslFrame, static int DoOldHello(SnifferSession* session, const byte* sslFrame,
int* rhSize, int* sslBytes, char* error) int* rhSize, int* sslBytes, char* error)
@@ -2074,6 +2076,8 @@ static int DoOldHello(SnifferSession* session, const byte* sslFrame,
return 0; return 0;
} }
#endif /* OLD_HELLO_ALLOWED */
#if 0 #if 0
/* Calculate the TCP checksum, see RFC 1071 */ /* Calculate the TCP checksum, see RFC 1071 */
@@ -2510,7 +2514,9 @@ static int CheckPreRecord(IpInfo* ipInfo, TcpInfo* tcpInfo,
*sslFrame = ssl->buffers.inputBuffer.buffer; *sslFrame = ssl->buffers.inputBuffer.buffer;
*end = *sslFrame + *sslBytes; *end = *sslFrame + *sslBytes;
} }
#ifdef OLD_HELLO_ALLOWED
if ((*session)->flags.clientHello == 0 && **sslFrame != handshake) { if ((*session)->flags.clientHello == 0 && **sslFrame != handshake) {
int rhSize; int rhSize;
int ret = DoOldHello(*session, *sslFrame, &rhSize, sslBytes, error); int ret = DoOldHello(*session, *sslFrame, &rhSize, sslBytes, error);
@@ -2519,6 +2525,8 @@ static int CheckPreRecord(IpInfo* ipInfo, TcpInfo* tcpInfo,
if (*sslBytes <= 0) if (*sslBytes <= 0)
return 1; return 1;
} }
#endif
return 0; return 0;
} }
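Review bot: The `#endif` closing the new guard inside CheckPreRecord has no trailing comment, unlike the other guards added in this commit; `#endif /* OLD_HELLO_ALLOWED */` would match them. With the flag undefined, a first frame whose leading byte is not `handshake` now skips DoOldHello and reaches `return 0;` like any other record. Whether later record parsing in the sniffer rejects such a frame is not visible here, so a comment at the guard saying what happens to SSLv2-style hellos in the default build would help. CheckPreRecord begins outside the hunk.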