From: Alex Rousskov Date: Tue, 1 Sep 2015 09:07:03 +0000 (-0700) Subject: Support splice for SSLv3 and TLSv1 sessions that start with an SSLv2 Hello X-Git-Tag: SQUID_4_0_1~78 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7e35a40d5caa43b2e1f1e448ce7fdb1c1737dce9;p=thirdparty%2Fsquid.git Support splice for SSLv3 and TLSv1 sessions that start with an SSLv2 Hello Such sessions are created, for example, by some SSL clients using OpenSSL v0.9.8 with default options. This does _not_ re-enable SSLv2 sessions. Just enacts the permitted exception for Hello messages in RFC 6176 --- diff --git a/src/ssl/bio.cc b/src/ssl/bio.cc index ff4b53c130..b00704fe54 100644 --- a/src/ssl/bio.cc +++ b/src/ssl/bio.cc @@ -24,8 +24,6 @@ #include #endif -#undef DO_SSLV23 - #if _SQUID_WINDOWS_ extern int socket_read_method(int, char *, int); extern int socket_write_method(int, const char *, int); @@ -778,15 +776,13 @@ Ssl::Bio::sslFeatures::parseMsgHead(const MemBuf &buf) helloMsgSize = (head[3] << 8) + head[4]; debugs(83, 7, "SSL Header Size: " << helloMsgSize); helloMsgSize +=5; -#if defined(DO_SSLV23) } else if ((head[0] & 0x80) && head[2] == 0x01 && head[3] == 0x03) { debugs(83, 7, "SSL version 2 handshake message with v3 support"); - sslVersion = (hello[3] << 8) | hello[4]; + sslVersion = (head[3] << 8) | head[4]; debugs(83, 7, "SSL Version :" << std::hex << std::setw(8) << std::setfill('0') << sslVersion); // The hello message size exist in 2nd byte helloMsgSize = head[1]; helloMsgSize +=2; -#endif } else { debugs(83, 7, "Not an SSL acceptable handshake message (SSLv2 message?)"); return (helloMsgSize = -1); 
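Review bot: `helloMsgSize = head[1];` in the re-enabled SSLv2-compatible branch keeps only the low byte of the record length, so a v2-format ClientHello longer than 255 bytes is mis-sized and whatever later compares the buffer against helloMsgSize works with the wrong total. In the two-byte SSLv2 record header the high bit of head[0] is the header-length flag (already tested here via `head[0] & 0x80`) and its remaining seven bits are the upper part of the length, so the line should read `helloMsgSize = ((head[0] & 0x7f) << 8) | head[1];` with the existing `helloMsgSize +=2;` still accounting for the header. parseMsgHead begins outside this hunk, so whether at least five bytes of head are guaranteed before `head[4]` is dereferenced cannot be confirmed from the hunk alone.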
@@ -851,12 +847,9 @@ Ssl::Bio::sslFeatures::get(const MemBuf &buf, bool record) } const unsigned char *msg = (const unsigned char *)buf.content(); -#if defined(DO_SSLV23) if (msg[0] & 0x80) return parseV23Hello(msg, (size_t)msgSize); - else -#endif - { + else { // Hello messages require 5 bytes header + 1 byte Msg type + 3 bytes for Msg size if (buf.contentSize() < 9) return false; @@ -1091,22 +1084,21 @@ Ssl::Bio::sslFeatures::parseV3Hello(const unsigned char *hello, size_t size) bool Ssl::Bio::sslFeatures::parseV23Hello(const unsigned char *hello, size_t size) { -#if defined(DO_SSLV23) debugs(83, 7, "Get fake features from v23 ClientHello message."); if (size < 7) return false; //Ciphers list. It is stored after the Session ID. - const int ciphersLen = (hello[5] << 8) | hello[6]; + const unsigned int ciphersLen = (hello[5] << 8) | hello[6]; const unsigned char *ciphers = hello + 11; - if (size < ciphersLen + 11 + SSL3_RANDOM_SIZE) + if (size < ciphersLen + 11) return false; if (ciphersLen) { const SSL_METHOD *method = SSLv23_method(); int cs = method->put_cipher_by_char(NULL, NULL); assert(cs > 0); - for (int i = 0; i < ciphersLen; i += cs) { + for (unsigned int i = 0; i < ciphersLen; i += cs) { // The v2 hello messages cipher has 3 bytes. // The v2 cipher has the first byte not null // Because we are going to sent only v3 message we 
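Review bot: The new guard `if (size < ciphersLen + 11) return false;` bounds the cipher list, but the loop `for (unsigned int i = 0; i < ciphersLen; i += cs)` steps in units of `cs` (the SSLv23 cipher-id width) and, if its body reads a whole cipher id at `ciphers + i`, a client-supplied ciphersLen that is not a multiple of cs makes the final iteration read past ciphersLen + 11. A one-line check after the assert, `if (ciphersLen % cs != 0) return false;`, rejects such malformed hellos before the loop. The loop body and the rest of parseV23Hello continue past the end of this hunk, so how many bytes each iteration consumes is inferred from the "cipher has 3 bytes" comment rather than visible code.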
@@ -1123,15 +1115,18 @@ Ssl::Bio::sslFeatures::parseV23Hello(const unsigned char *hello, size_t size) } debugs(83, 7, "Ciphers requested by client: " << clientRequestedCiphers); - //Get Client Random number. It starts on the position 11 of hello message - memcpy(client_random, ciphers + ciphersLen, SSL3_RANDOM_SIZE); - debugs(83, 7, "Client random: " << objToString(client_random, SSL3_RANDOM_SIZE)); + const unsigned int sessionIdLength = (hello[7] << 8) | hello[8]; + debugs(83, 7, "SessionID length: " << sessionIdLength); + // SessionID starts at: hello+11+ciphersLen + if (sessionIdLength) + sessionId.assign((const char *)(hello + 11 + ciphersLen), sessionIdLength); + + const unsigned int challengeLength = (hello[5] << 9) | hello[10]; + debugs(83, 7, "Challenge Length: " << challengeLength); + //challenge starts at: hello+11+ciphersLen+sessionIdLength compressMethod = 0; return true; -#else - return false; -#endif } void
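Review bot: `sessionId.assign((const char *)(hello + 11 + ciphersLen), sessionIdLength)` copies a client-supplied length out of `hello` with no check against `size`; the only bound established earlier in this function is `size < ciphersLen + 11`, so a CLIENT-HELLO advertising a large session_id_length reads past the buffer. Add `if (size < 11 + ciphersLen + sessionIdLength) return false;` before the assign. The challenge length is also computed from the wrong bytes: `(hello[5] << 9) | hello[10]` folds the cipher-length byte into the result, whereas the SSLv2 CLIENT-HELLO layout implied by the offsets used just above (cipher_spec_length at 5-6, session_id_length at 7-8, challenge_length at 9-10) calls for `(hello[9] << 8) | hello[10]`. parseV23Hello's body starts before this hunk.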