------------------------------------------------------------
revno: 13904
revision-id: squid3@treenet.co.nz-20150901092557-520gvjurni9xv4nr
parent: squid3@treenet.co.nz-20150829202133-kfxz9l1xxdav25ye
author: Alex Rousskov
committer: Amos Jeffries
branch nick: 3.5
timestamp: Tue 2015-09-01 02:25:57 -0700
message:
  Support splice for SSLv3 and TLSv1 sessions that start with an SSLv2 Hello
  Such sessions are created, for example, by some SSL clients using OpenSSL v0.9.8 with default options.
  This does _not_ relate to SSLv2 sessions. Just enacts the permitted exception for Hello messages in RFC 6176.
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20150901092557-520gvjurni9xv4nr
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# testament_sha1: 2876792999f01c1a6eeeeb07de5ca031a8327be4
# timestamp: 2015-09-01 09:50:55 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# base_revision_id: squid3@treenet.co.nz-20150829202133-\
#   kfxz9l1xxdav25ye
#
# Begin patch
=== modified file 'src/ssl/bio.cc'
--- src/ssl/bio.cc	2015-05-22 05:05:33 +0000
+++ src/ssl/bio.cc	2015-09-01 09:25:57 +0000
@@ -25,8 +25,6 @@
 #include
 #endif
 
-#undef DO_SSLV23
-
 #if _SQUID_WINDOWS_
 extern int socket_read_method(int, char *, int);
 extern int socket_write_method(int, const char *, int);
@@ -781,15 +779,13 @@
 helloMsgSize = (head[3] << 8) + head[4];
 debugs(83, 7, "SSL Header Size: " << helloMsgSize);
 helloMsgSize +=5;
-#if defined(DO_SSLV23)
 } else if ((head[0] & 0x80) && head[2] == 0x01 && head[3] == 0x03) {
 debugs(83, 7, "SSL version 2 handshake message with v3 support");
-sslVersion = (hello[3] << 8) | hello[4];
+sslVersion = (head[3] << 8) | head[4];
 debugs(83, 7, "SSL Version :" << std::hex << std::setw(8) << std::setfill('0') << sslVersion);
 // The hello message size exist in 2nd byte
 helloMsgSize = head[1];
 helloMsgSize +=2;
-#endif
 } else {
 debugs(83, 7, "Not an SSL acceptable handshake message (SSLv2 message?)");
 return (helloMsgSize = -1);
@@ -854,12 +850,9 @@
 }
 
 const unsigned char *msg = (const unsigned char *)buf.content();
-#if defined(DO_SSLV23)
 if (msg[0] & 0x80)
 return parseV23Hello(msg, (size_t)msgSize);
-else
-#endif
-{
+else {
 // Hello messages require 5 bytes header + 1 byte Msg type + 3 bytes for Msg size
 if (buf.contentSize() < 9)
 return false;
@@ -1094,22 +1087,21 @@
 bool Ssl::Bio::sslFeatures::parseV23Hello(const unsigned char *hello, size_t size)
 {
-#if defined(DO_SSLV23)
 debugs(83, 7, "Get fake features from v23 ClientHello message.");
 if (size < 7)
 return false;
 
 //Ciphers list. It is stored after the Session ID.
-const int ciphersLen = (hello[5] << 8) | hello[6];
+const unsigned int ciphersLen = (hello[5] << 8) | hello[6];
 const unsigned char *ciphers = hello + 11;
-if (size < ciphersLen + 11 + SSL3_RANDOM_SIZE)
+if (size < ciphersLen + 11)
 return false;
 if (ciphersLen) {
 const SSL_METHOD *method = SSLv23_method();
 int cs = method->put_cipher_by_char(NULL, NULL);
 assert(cs > 0);
-for (int i = 0; i < ciphersLen; i += cs) {
+for (unsigned int i = 0; i < ciphersLen; i += cs) {
 // The v2 hello messages cipher has 3 bytes.
 // The v2 cipher has the first byte not null
 // Because we are going to sent only v3 message we
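Review bot: `helloMsgSize = head[1];` in the `(head[0] & 0x80)` branch keeps only the low byte of the SSLv2 record length, but when the high bit of head[0] is set the record header is two bytes and the length is the 15-bit value formed from both of them, so a v2-style ClientHello longer than 255 bytes (one advertising many cipher specs, for instance) is announced with a truncated size and, as far as the hunk shows, would presumably be rejected by the later length checks instead of spliced. Suggested change: `helloMsgSize = ((head[0] & 0x7f) << 8) | head[1];` with the preceding comment updated to `// The record length is the low 15 bits of the first two header bytes`. The enclosing function starts and ends outside the hunk.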
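Review bot: The `(size_t)msgSize` cast on the new `return parseV23Hello(msg, (size_t)msgSize);` path turns any negative msgSize into a very large size_t, which would satisfy every `size < ...` bound inside parseV23Hello; if the caller does not already reject `msgSize <= 0` before this point (not visible in the hunk), a guard such as `if (msgSize <= 0) return false;` ahead of the cast is needed. Separately, the `else {` kept after that `return` is redundant now that the `#if` is gone, and the v3 path would read more plainly as a guard clause at function level. The enclosing function starts and ends outside the hunk.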
@@ -1126,15 +1118,18 @@
 }
 debugs(83, 7, "Ciphers requested by client: " << clientRequestedCiphers);
 
-//Get Client Random number. It starts on the position 11 of hello message
-memcpy(client_random, ciphers + ciphersLen, SSL3_RANDOM_SIZE);
-debugs(83, 7, "Client random: " << objToString(client_random, SSL3_RANDOM_SIZE));
+const unsigned int sessionIdLength = (hello[7] << 8) | hello[8];
+debugs(83, 7, "SessionID length: " << sessionIdLength);
+// SessionID starts at: hello+11+ciphersLen
+if (sessionIdLength)
+sessionId.assign((const char *)(hello + 11 + ciphersLen), sessionIdLength);
+
+const unsigned int challengeLength = (hello[5] << 9) | hello[10];
+debugs(83, 7, "Challenge Length: " << challengeLength);
+//challenge starts at: hello+11+ciphersLen+sessionIdLength
 compressMethod = 0;
 return true;
-#else
-return false;
-#endif
 }
 
 void