generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

More Kerberos SSL patches from Vern Staats <staatsvr@asc.hpc.mil>.

Browse Source 
His comments are:

This patch fixes the problem of modern Kerberos using "derived keys"
to encrypt the authenticator by disabling the authenticator check
for all derived keys enctypes.

I think I've got all the bugfixes that Jeffrey and I discussed rolled
into this.  There were some problems with Jeffrey's code to convert
the authenticator's Kerberos timestring into struct tm (e.g. Z, -1900;
it helps to have an actual decryptable authenticator to play with).
So I've shamelessly pushed in my code, while stealing some bits from
Jeffrey.
This commit is contained in:
Richard Levitte
2001-07-21 09:43:43 +00:00
parent 6d3dec92fb
commit acdf4afb91
2 changed files with 117 additions and 71 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
ssl/s3_srvr.c
View File

@@ -1463,7 +1463,8 @@ static int ssl3_get_client_key_exchange(SSL *s)
EVP_CIPHER_CTX ciph_ctx;
EVP_CIPHER *enc = NULL;
unsigned char iv[EVP_MAX_IV_LENGTH];
unsigned char pms[SSL_MAX_MASTER_KEY_LENGTH];
unsigned char pms[SSL_MAX_MASTER_KEY_LENGTH
+ EVP_MAX_IV_LENGTH + 1];
int padl, outl = sizeof(pms);
krb5_timestamp authtime = 0;
krb5_ticket_times ttimes;
@@ -1537,16 +1538,31 @@ static int ssl3_get_client_key_exchange(SSL *s)
enc = kssl_map_enc(kssl_ctx->enctype);
memset(iv, 0, EVP_MAX_IV_LENGTH); /* per RFC 1510 */
EVP_DecryptInit(&ciph_ctx,enc,kssl_ctx->key,iv);
EVP_DecryptUpdate(&ciph_ctx, pms,&outl,
enc_pms.data, enc_pms.length);
if (!EVP_DecryptInit(&ciph_ctx,enc,kssl_ctx->key,iv))
{
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
SSL_R_DECRYPTION_FAILED);
goto err;
}
if (!EVP_DecryptUpdate(&ciph_ctx, pms,&outl,
enc_pms.data, enc_pms.length))
{
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
SSL_R_DECRYPTION_FAILED);
goto err;
}
if (outl > SSL_MAX_MASTER_KEY_LENGTH)
{
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
SSL_R_DATA_LENGTH_TOO_LONG);
goto err;
}
EVP_DecryptFinal(&ciph_ctx,&(pms[outl]),&padl);
if (!EVP_DecryptFinal(&ciph_ctx,&(pms[outl]),&padl))
{
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
SSL_R_DECRYPTION_FAILED);
goto err;
}
outl += padl;
if (outl > SSL_MAX_MASTER_KEY_LENGTH)
{