commit 9b4c5d9f21bbd8040a0df1dae2ec4342cdb1b904
author Manuel Pégourié-Gonnard <mpg@elzevir.fr> Fri Apr 10 13:57:43 2015 +0200
committer Manuel Pégourié-Gonnard <mpg@elzevir.fr> Fri Apr 10 13:57:43 2015 +0200
tree 753d9cb831c1fbd1671e9ba1c9c4e10acb44635a
parent 9fdc58fd9efb17516c45eb98cb1dda29f5536983

Revert "Fix verion-major intolerance"

This reverts commit 6d841c2c5cad97effe1e6a0f9cc69492fc433ec2.

This commit introduced a security-critical bug in the way the client version
is validated. Let's first revert it to fix the security issue, and then fix
the version-major intolerance issue another way.

library/ssl_srv.c

diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 7afde1f..249b5a1 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -438,20 +438,15 @@
                    buf[1], buf[2] ) );
 
     /*
-     * SSLv3/TLS Client Hello
+     * SSLv3 Client Hello
      *
      * Record layer:
      *     0  .   0   message type
      *     1  .   2   protocol version
      *     3  .   4   message length
      */
-
-    /* According to RFC 5246 Appendix E.1, the version here is typically
-     * "{03,00}, the lowest version number supported by the client, [or] the
-     * value of ClientHello.client_version", so the only meaningful check here
-     * is the major version shouldn't be less than 3 */
     if( buf[0] != SSL_MSG_HANDSHAKE ||
-        buf[1] < SSL_MAJOR_VERSION_3 )
+        buf[1] != SSL_MAJOR_VERSION_3 )
     {
         SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
@@ -507,24 +502,21 @@
     /*
      * Check the handshake type and protocol version
      */
-    if( buf[0] != SSL_HS_CLIENT_HELLO )
+    if( buf[0] != SSL_HS_CLIENT_HELLO ||
+        buf[4] != SSL_MAJOR_VERSION_3 )
     {
         SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
     }
 
-    ssl->major_ver = buf[4];
-    ssl->minor_ver = buf[5];
+    ssl->major_ver = SSL_MAJOR_VERSION_3;
+    ssl->minor_ver = ( buf[5] <= SSL_MINOR_VERSION_3 )
+                     ? buf[5]  : SSL_MINOR_VERSION_3;
 
-    ssl->max_major_ver = ssl->major_ver;
-    ssl->max_minor_ver = ssl->minor_ver;
-
-    if( ssl->major_ver < ssl->min_major_ver ||
-        ssl->minor_ver < ssl->min_minor_ver )
+    if( ssl->minor_ver < ssl->min_minor_ver )
     {
         SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
-                            " [%d:%d] < [%d:%d]",
-                            ssl->major_ver, ssl->minor_ver,
+                            " [%d:%d] < [%d:%d]", ssl->major_ver, ssl->minor_ver,
                             ssl->min_major_ver, ssl->min_minor_ver ) );
 
         ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
@@ -533,13 +525,8 @@
         return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
     }
 
-    if( ssl->major_ver > ssl->max_major_ver )
-    {
-        ssl->major_ver = ssl->max_major_ver;
-        ssl->minor_ver = ssl->max_minor_ver;
-    }
-    else if( ssl->minor_ver > ssl->max_minor_ver )
-        ssl->minor_ver = ssl->max_minor_ver;
+    ssl->max_major_ver = buf[4];
+    ssl->max_minor_ver = buf[5];
 
     memcpy( ssl->handshake->randbytes, buf + 6, 32 );