-/* $OpenBSD: ssl_packet.c,v 1.15 2022/11/26 16:08:56 tb Exp $ */
+/* $OpenBSD: ssl_packet.c,v 1.16 2024/06/28 13:37:49 jsing Exp $ */
/*
* Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
*
#include "bytestring.h"
#include "ssl_local.h"
-static int
-ssl_is_sslv2_client_hello(CBS *header)
-{
- uint16_t record_length;
- uint8_t message_type;
- CBS cbs;
-
- CBS_dup(header, &cbs);
-
- if (!CBS_get_u16(&cbs, &record_length) ||
- !CBS_get_u8(&cbs, &message_type))
- return 0;
-
- /*
- * The SSLv2 record length field uses variable length (2 or 3 byte)
- * encoding. Given the size of a client hello, we expect/require the
- * 2-byte form which is indicated by a one in the most significant bit.
- */
- if ((record_length & 0x8000) == 0)
- return 0;
- if ((record_length & ~0x8000) < 3)
- return 0;
- if (message_type != SSL2_MT_CLIENT_HELLO)
- return 0;
-
- return 1;
-}
-
static int
ssl_is_sslv3_handshake(CBS *header)
{
return 1;
}
-static int
-ssl_convert_sslv2_client_hello(SSL *s)
-{
- CBB cbb, handshake, client_hello, cipher_suites, compression, session_id;
- CBS cbs, challenge, cipher_specs, session;
- uint16_t record_length, client_version, cipher_specs_length;
- uint16_t session_id_length, challenge_length;
- unsigned char *client_random = NULL, *data = NULL;
- size_t data_len, pad_len, len;
- uint32_t cipher_spec;
- uint8_t message_type;
- unsigned char *pad;
- int ret = -1;
- int n;
-
- memset(&cbb, 0, sizeof(cbb));
-
- CBS_init(&cbs, s->packet, SSL3_RT_HEADER_LENGTH);
-
- if (!CBS_get_u16(&cbs, &record_length) ||
- !CBS_get_u8(&cbs, &message_type) ||
- !CBS_get_u16(&cbs, &client_version))
- return -1;
-
- /*
- * The SSLv2 record length field uses variable length (2 or 3 byte)
- * encoding. Given the size of a client hello, we expect/require the
- * 2-byte form which is indicated by a one in the most significant bit.
- * Also note that the record length value does not include the bytes
- * used for the record length field.
- */
- if ((record_length & 0x8000) == 0)
- return -1;
- record_length &= ~0x8000;
- if (record_length < SSL3_RT_HEADER_LENGTH - 2)
- return -1;
- if (message_type != SSL2_MT_CLIENT_HELLO)
- return -1;
-
- if (record_length < 9) {
- SSLerror(s, SSL_R_RECORD_LENGTH_MISMATCH);
- return -1;
- }
- if (record_length > 4096) {
- SSLerror(s, SSL_R_RECORD_TOO_LARGE);
- return -1;
- }
-
- n = ssl3_packet_extend(s, record_length + 2);
- if (n != record_length + 2)
- return n;
-
- tls1_transcript_record(s, s->packet + 2,
- s->packet_length - 2);
- s->mac_packet = 0;
-
- if (s->msg_callback)
- s->msg_callback(0, SSL2_VERSION, 0,
- s->packet + 2, s->packet_length - 2, s,
- s->msg_callback_arg);
-
- /* Decode the SSLv2 record containing the client hello. */
- CBS_init(&cbs, s->packet, s->packet_length);
-
- if (!CBS_get_u16(&cbs, &record_length))
- return -1;
- if (!CBS_get_u8(&cbs, &message_type))
- return -1;
- if (!CBS_get_u16(&cbs, &client_version))
- return -1;
- if (!CBS_get_u16(&cbs, &cipher_specs_length))
- return -1;
- if (!CBS_get_u16(&cbs, &session_id_length))
- return -1;
- if (!CBS_get_u16(&cbs, &challenge_length))
- return -1;
- if (!CBS_get_bytes(&cbs, &cipher_specs, cipher_specs_length))
- return -1;
- if (!CBS_get_bytes(&cbs, &session, session_id_length))
- return -1;
- if (!CBS_get_bytes(&cbs, &challenge, challenge_length))
- return -1;
- if (CBS_len(&cbs) != 0) {
- SSLerror(s, SSL_R_RECORD_LENGTH_MISMATCH);
- return -1;
- }
-
- /*
- * Convert SSLv2 challenge to SSLv3/TLS client random, by truncating or
- * left-padding with zero bytes.
- */
- if ((client_random = malloc(SSL3_RANDOM_SIZE)) == NULL)
- goto err;
- if (!CBB_init_fixed(&cbb, client_random, SSL3_RANDOM_SIZE))
- goto err;
- if ((len = CBS_len(&challenge)) > SSL3_RANDOM_SIZE)
- len = SSL3_RANDOM_SIZE;
- pad_len = SSL3_RANDOM_SIZE - len;
- if (!CBB_add_space(&cbb, &pad, pad_len))
- goto err;
- memset(pad, 0, pad_len);
- if (!CBB_add_bytes(&cbb, CBS_data(&challenge), len))
- goto err;
- if (!CBB_finish(&cbb, NULL, NULL))
- goto err;
-
- /* Build SSLv3/TLS record with client hello. */
- if (!CBB_init(&cbb, SSL3_RT_MAX_PLAIN_LENGTH))
- goto err;
- if (!CBB_add_u8(&cbb, SSL3_RT_HANDSHAKE))
- goto err;
- if (!CBB_add_u16(&cbb, 0x0301))
- goto err;
- if (!CBB_add_u16_length_prefixed(&cbb, &handshake))
- goto err;
- if (!CBB_add_u8(&handshake, SSL3_MT_CLIENT_HELLO))
- goto err;
- if (!CBB_add_u24_length_prefixed(&handshake, &client_hello))
- goto err;
- if (!CBB_add_u16(&client_hello, client_version))
- goto err;
- if (!CBB_add_bytes(&client_hello, client_random, SSL3_RANDOM_SIZE))
- goto err;
- if (!CBB_add_u8_length_prefixed(&client_hello, &session_id))
- goto err;
- if (!CBB_add_u16_length_prefixed(&client_hello, &cipher_suites))
- goto err;
- while (CBS_len(&cipher_specs) > 0) {
- if (!CBS_get_u24(&cipher_specs, &cipher_spec))
- goto err;
- if ((cipher_spec & 0xff0000) != 0)
- continue;
- if (!CBB_add_u16(&cipher_suites, cipher_spec & 0xffff))
- goto err;
- }
- if (!CBB_add_u8_length_prefixed(&client_hello, &compression))
- goto err;
- if (!CBB_add_u8(&compression, 0))
- goto err;
- if (!CBB_finish(&cbb, &data, &data_len))
- goto err;
-
- if (data_len > s->s3->rbuf.len)
- goto err;
-
- s->packet = s->s3->rbuf.buf;
- s->packet_length = data_len;
- memcpy(s->packet, data, data_len);
- ret = 1;
-
- err:
- CBB_cleanup(&cbb);
- free(client_random);
- free(data);
-
- return (ret);
-}
-
/*
* Potentially do legacy processing on the first packet received by a TLS
* server. We return 1 if we want SSLv3/TLS record processing to continue
int
ssl_server_legacy_first_packet(SSL *s)
{
- uint16_t min_version;
const char *data;
CBS header;
if (s->method->min_tls_version == s->method->max_tls_version)
return 1;
- if (ssl_is_sslv2_client_hello(&header) == 1) {
- /* Only permit SSLv2 client hellos if TLSv1.0 is enabled. */
- if (ssl_enabled_tls_version_range(s, &min_version, NULL) != 1) {
- SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
- return -1;
- }
- if (min_version > TLS1_VERSION)
- return 1;
-
- if (ssl_convert_sslv2_client_hello(s) != 1) {
- SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
- return -1;
- }
-
- return 1;
- }
-
/* Ensure that we have SSL3_RT_HEADER_LENGTH (5 bytes) of the packet. */
if (CBS_len(&header) != SSL3_RT_HEADER_LENGTH) {
SSLerror(s, ERR_R_INTERNAL_ERROR);
projects / openbsd / commitdiff