From: Richard Levitte Date: Thu, 28 Sep 2006 12:23:15 +0000 (+0000) Subject: Fixes for the following claims: X-Git-Tag: OpenSSL_0_9_8e~77 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=7e2bf831006fa4e0a2c1f1f929234a75b9410efa;p=openssl Fixes for the following claims: 1) Certificate Message with no certs OpenSSL implementation sends the Certificate message during SSL handshake, however as per the specification, these have been omitted. -- RFC 2712 -- CertificateRequest, and the ServerKeyExchange shown in Figure 1 will be omitted since authentication and the establishment of a master secret will be done using the client's Kerberos credentials for the TLS server. The client's certificate will be omitted for the same reason. -- RFC 2712 -- 3) Pre-master secret Protocol version The pre-master secret generated by OpenSSL does not have the correct client version. RFC 2712 says, if the Kerberos option is selected, the pre-master secret structure is the same as that used in the RSA case. TLS specification defines pre-master secret as: struct { ProtocolVersion client_version; opaque random[46]; } PreMasterSecret; where client_version is the latest protocol version supported by the client The pre-master secret generated by OpenSSL does not have the correct client version. The implementation does not update the first 2 bytes of random secret for Kerberos Cipher suites. At the server-end, the client version from the pre-master secret is not validated. PR: 1336 --- diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index 26788858d7..278be82294 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -1796,8 +1796,10 @@ int ssl3_send_client_key_exchange(SSL *s) n+=2; } - if (RAND_bytes(tmp_buf,sizeof tmp_buf) <= 0) - goto err; + tmp_buf[0]=s->client_version>>8; + tmp_buf[1]=s->client_version&0xff; + if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0) + goto err; /* 20010420 VRS. Tried it this way; failed. ** EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL); diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index 098eea13ce..9f84e3e4dc 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -300,8 +300,9 @@ int ssl3_accept(SSL *s) case SSL3_ST_SW_CERT_A: case SSL3_ST_SW_CERT_B: - /* Check if it is anon DH or anon ECDH */ - if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL)) + /* Check if it is anon DH or anon ECDH or KRB5 */ + if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL) + && !(s->s3->tmp.new_cipher->algorithms & SSL_aKRB5)) { ret=ssl3_send_server_certificate(s); if (ret <= 0) goto end; @@ -1995,6 +1996,25 @@ int ssl3_get_client_key_exchange(SSL *s) SSL_R_DATA_LENGTH_TOO_LONG); goto err; } + if (!((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff)))) + { + /* The premaster secret must contain the same version number as the + * ClientHello to detect version rollback attacks (strangely, the + * protocol does not offer such protection for DH ciphersuites). + * However, buggy clients exist that send random bytes instead of + * the protocol version. + * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. + * (Perhaps we should have a separate BUG value for the Kerberos cipher) + */ + if (!((s->options & SSL_OP_TLS_ROLLBACK_BUG) && + (p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff)))) + { + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, + SSL_AD_DECODE_ERROR); + goto err; + } + } + EVP_CIPHER_CTX_cleanup(&ciph_ctx); s->session->master_key_length=