Fix kerberos ciphersuite bugs introduced with PR:1336.
snhenson committed Mar 9, 2007
1 parent 3370b69 commit 295de18
Showing 2 changed files with 11 additions and 10 deletions.
16 changes: 9 additions & 7 deletions ssl/s3_clnt.c
@@ -821,7 +821,9 @@ int ssl3_get_server_certificate(SSL *s)

if (!ok) return((int)n);

if (s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE)
if ((s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) ||
((s->s3->tmp.new_cipher->algorithms & SSL_aKRB5) &&
(s->s3->tmp.message_type == SSL3_MT_SERVER_DONE)))
{
s->s3->tmp.reuse_message=1;
return(1);
@@ -2292,18 +2294,18 @@ int ssl3_check_cert_and_algorithm(SSL *s)

sc=s->session->sess_cert;

if (sc == NULL)
{
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,ERR_R_INTERNAL_ERROR);
goto err;
}

algs=s->s3->tmp.new_cipher->algorithms;

/* we don't have a certificate */
if (algs & (SSL_aDH|SSL_aNULL|SSL_aKRB5))
return(1);

if (sc == NULL)
{
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,ERR_R_INTERNAL_ERROR);
goto err;
}

#ifndef OPENSSL_NO_RSA
rsa=s->session->sess_cert->peer_rsa_tmp;
#endif
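Review bot: The new `SSL3_MT_SERVER_DONE` arm in ssl3_get_server_certificate is gated on `SSL_aKRB5`, but nothing in the visible lines says why a missing Certificate message is acceptable there, and the `SSL3_MT_SERVER_KEY_EXCHANGE` arm beside it is not tied to any suite. As far as these hunks show, a certificate-authenticated suite that arrives without a Certificate is only stopped by the `sc == NULL` check in ssl3_check_cert_and_algorithm, which the second hunk appears to move below the `SSL_aDH|SSL_aNULL|SSL_aKRB5` early return. I would record that dependency above the condition, e.g. `/* Kerberos suites send no Certificate, so ServerHelloDone may follow directly; other suites are rejected later when sess_cert is NULL */`, and make the existing `/* we don't have a certificate */` comment say that sess_cert is deliberately not examined for those suites. Both function bodies continue outside the hunks.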
5 changes: 2 additions & 3 deletions ssl/s3_srvr.c
@@ -1997,7 +1997,7 @@ int ssl3_get_client_key_exchange(SSL *s)
SSL_R_DATA_LENGTH_TOO_LONG);
goto err;
}
if (!((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff))))
if (!((pms[0] == (s->client_version>>8)) && (pms[1] == (s->client_version & 0xff))))
{
/* The premaster secret must contain the same version number as the
* ClientHello to detect version rollback attacks (strangely, the
@@ -2007,8 +2007,7 @@ int ssl3_get_client_key_exchange(SSL *s)
* If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients.
* (Perhaps we should have a separate BUG value for the Kerberos cipher)
*/
if (!((s->options & SSL_OP_TLS_ROLLBACK_BUG) &&
(p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff))))
if (!(s->options & SSL_OP_TLS_ROLLBACK_BUG))
{
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
SSL_AD_DECODE_ERROR);
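Review bot: With `SSL_OP_TLS_ROLLBACK_BUG` set, the one-line test `if (!(s->options & SSL_OP_TLS_ROLLBACK_BUG))` in the second hunk accepts any version bytes in the Kerberos premaster secret, because the comparison against `s->version` is gone from the new side. The comment above it is partly collapsed on this page, but it appears to describe tolerating only clients that send the negotiated version, so the tolerance now looks wider than the comment promises and weakens the rollback check for anyone who enables the option. Keeping the comparison on the corrected buffer would preserve it: `if (!((s->options & SSL_OP_TLS_ROLLBACK_BUG) && (pms[0] == (s->version>>8)) && (pms[1] == (s->version & 0xff))))`. The body of ssl3_get_client_key_exchange continues outside both hunks.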
