Fixes for the following claims:

1) Certificate Message with no certs OpenSSL implementation sends the Certificate message during SSL handshake, however as per the specification, these have been omitted. -- RFC 2712 -- CertificateRequest, and the ServerKeyExchange shown in Figure 1 will be omitted since authentication and the establishment of a master secret will be done using the client's Kerberos credentials for the TLS server. The client's certificate will be omitted for the same reason. -- RFC 2712 -- 3) Pre-master secret Protocol version The pre-master secret generated by OpenSSL does not have the correct client version. RFC 2712 says, if the Kerberos option is selected, the pre-master secret structure is the same as that used in the RSA case. TLS specification defines pre-master secret as: struct { ProtocolVersion client_version; opaque random[46]; } PreMasterSecret; where client_version is the latest protocol version supported by the client The pre-master secret generated by OpenSSL does not have the correct client version. The implementation does not update the first 2 bytes of random secret for Kerberos Cipher suites. At the server-end, the client version from the pre-master secret is not validated. PR: 1336
2006-09-28 12:22:58 +00:00 · 2006-09-28 12:22:58 +00:00 · cbb92dfaf0
commit cbb92dfaf0
parent 019bfef899
2 changed files with 28 additions and 6 deletions
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@ -1902,8 +1902,10 @@ int ssl3_send_client_key_exchange(SSL *s)
 				n+=2;
 				}
 
-			if (RAND_bytes(tmp_buf,sizeof tmp_buf) <= 0)
-			    goto err;
+			    tmp_buf[0]=s->client_version>>8;
+			    tmp_buf[1]=s->client_version&0xff;
+			    if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0)
+				goto err;

 			/*  20010420 VRS.  Tried it this way; failed.
 			**	EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL);
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@ -1,4 +1,4 @@
-/* ssl/s3_srvr.c */
+/* ssl/s3_srvr.c -*- mode:C; c-file-style: "eay" -*- */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@ -323,10 +323,11 @@ int ssl3_accept(SSL *s)

 		case SSL3_ST_SW_CERT_A:
 		case SSL3_ST_SW_CERT_B:
-			/* Check if it is anon DH or anon ECDH */
-			/* or normal PSK */
+			/* Check if it is anon DH or anon ECDH, */
+			/* normal PSK or KRB5 */
 			if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL)
-				&& !(s->s3->tmp.new_cipher->algorithms & SSL_kPSK))
+				&& !(s->s3->tmp.new_cipher->algorithms & SSL_kPSK)
+				&& !(s->s3->tmp.new_cipher->algorithms & SSL_aKRB5))
 				{
 				ret=ssl3_send_server_certificate(s);
 				if (ret <= 0) goto end;
@ -2061,6 +2062,25 @@ int ssl3_get_client_key_exchange(SSL *s)
 				SSL_R_DATA_LENGTH_TOO_LONG);
 			goto err;
 			}
+		if (!((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff))))
+		    {
+		    /* The premaster secret must contain the same version number as the
+		     * ClientHello to detect version rollback attacks (strangely, the
+		     * protocol does not offer such protection for DH ciphersuites).
+		     * However, buggy clients exist that send random bytes instead of
+		     * the protocol version.
+		     * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. 
+		     * (Perhaps we should have a separate BUG value for the Kerberos cipher)
+		     */
+		    if (!((s->options & SSL_OP_TLS_ROLLBACK_BUG) &&
+			   (p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff))))
+		        {
+			SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+			       SSL_AD_DECODE_ERROR);
+			goto err;
+			}
+		    }
+
 		EVP_CIPHER_CTX_cleanup(&ciph_ctx);

                s->session->master_key_length=