From 96ec4ce0d28eef62ca601aecd7eb55cdff617309 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Bodo=20M=C3=B6ller?=
Date: Thu, 25 Oct 2001 06:06:50 +0000
Subject: [PATCH] Assume TLS 1.0 if ClientHello fragment is too short.
---
 CHANGES | 9 +++++++++
 ssl/s23_clnt.c | 1 +
 ssl/s23_srvr.c | 19 ++++++++++++-------
 3 files changed, 22 insertions(+), 7 deletions(-)
diff --git a/CHANGES b/CHANGES
index 812f139f54..f04945168c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,15 @@ Changes between 0.9.6b and 0.9.6c [XX xxx XXXX]
+ *) Change ssl23_get_client_hello (ssl/s23_srvr.c) behaviour when
+ faced with a pathologically small ClientHello fragment that does
+ not contain client_version: Instead of aborting with an error,
+ simply choose the highest available protocol version (i.e.,
+ TLS 1.0 unless it is disabled). In practice, ClientHello
+ messages are never sent like this, but this change gives us
+ strictly correct behaviour at least for TLS.
+ [Bodo Moeller]
+
 *) Fix SSL handshake functions and SSL_clear() such that SSL_clear() never resets s->method to s->ctx->method when called from within one of the SSL handshake functions.
diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c
index 2d0eb4a8ff..4117c566ac 100644
--- a/ssl/s23_clnt.c
+++ b/ssl/s23_clnt.c
@@ -200,6 +200,7 @@ int ssl23_connect(SSL *s)
 }
 end:
 s->in_handshake--;
+ if (s->in_handshake)
 if (cb != NULL)
 cb(s,SSL_CB_CONNECT_EXIT,ret);
 return(ret);
diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
index a403af3671..b40bb01ab7 100644
--- a/ssl/s23_srvr.c
+++ b/ssl/s23_srvr.c
@@ -232,9 +232,9 @@ int ssl23_accept(SSL *s)
 }
 }
 end:
+ s->in_handshake--;
 if (cb != NULL)
 cb(s,SSL_CB_ACCEPT_EXIT,ret);
- s->in_handshake--;
 return(ret);
 }
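Review bot: In ssl23_connect (ssl/s23_clnt.c) the added `if (s->in_handshake)` sits unbraced in front of `if (cb != NULL)`, so the SSL_CB_CONNECT_EXIT callback now runs only when in_handshake is still non-zero after the decrement, which appears to mean only for a nested handshake call and not for the outermost exit. Nothing in the commit message or the CHANGES entry mentions this, and ssl23_accept in the same commit still calls its exit callback unconditionally, so the line looks unintended and should probably be dropped. If the condition is meant, write it as `if (s->in_handshake && cb != NULL)` with a comment saying why the outermost exit is not reported. The function body starts outside the hunk.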
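Review bot: Moving `s->in_handshake--;` ahead of the SSL_CB_ACCEPT_EXIT callback in ssl23_accept (first ssl/s23_srvr.c hunk) changes the in_handshake value an application callback observes, yet the new order has no comment and is not described in the commit message. A one-line comment such as `/* decrement before the callback, matching ssl23_connect */` would record that the order is deliberate. The function body starts outside the hunk.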
@@ -405,17 +405,22 @@ int ssl23_get_client_hello(SSL *s)
 /* We must look at client_version inside the Client Hello message
 * to get the correct minor version.
 * However if we have only a pathologically small fragment of the
- * Client Hello message, this would be difficult, we'd have
- * to read at least one additional record to find out.
- * This doesn't usually happen in real life, so we just complain
- * for now.
- */
+ * Client Hello message, this would be difficult, and we'd have
+ * to read more records to find out.
+ * No known SSL 3.0 client fragments ClientHello like this,
+ * so we simply assume TLS 1.0 to avoid protocol version downgrade
+ * attacks. */
 if (p[3] == 0 && p[4] < 6)
 {
+#if 0
 SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_SMALL);
 goto err;
+#else
+ v[1] = TLS1_VERSION_MINOR;
+#endif
 }
- v[1]=p[10]; /* minor version according to client_version */
+ else
+ v[1]=p[10]; /* minor version according to client_version */
 if (v[1] >= TLS1_VERSION_MINOR)
 {
 if (!(s->options & SSL_OP_NO_TLSv1))
-- 
2.25.1
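Review bot: The `#if 0` branch in ssl23_get_client_hello keeps the old `SSLerr`/`goto err` path in the source beside the new assignment; version control already holds that history, so the body of the `if` can be just `v[1] = TLS1_VERSION_MINOR;`. In this branch the minor version is assumed rather than read from the client, so the comment should name the later check that compares the chosen version with the real client_version once the full ClientHello is parsed; that check is not visible in this hunk and should be confirmed. The braced `if` followed by an unbraced `else` would also read more safely with braces on both arms. The function body starts and ends outside the hunk.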