X-Git-Url: https://git.openssl.org/gitweb/?a=blobdiff_plain;f=ssl%2Fs3_srvr.c;h=4704dfb59867a918d817e04d5cb51b8ca479912c;hb=c5e48d8b0143e7f69c6f5bc9ca8e3ba6e4566a78;hp=90806e2d99bb6fcac411600c82429c786b407704;hpb=fbb41ae0ad1369d6fe8d6c72d2297270ad24f0e5;p=openssl.git diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index 90806e2d99..4704dfb598 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -70,6 +70,10 @@ #include #include "ssl_locl.h" +#ifndef NO_KRB5 +#include "kssl.h" +#endif /* NO_KRB5 */ + static SSL_METHOD *ssl3_get_server_method(int ver); static int ssl3_get_client_hello(SSL *s); static int ssl3_check_client_hello(SSL *s); @@ -153,7 +157,10 @@ int ssl3_accept(SSL *s) if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); if ((s->version>>8) != 3) - abort(); + { + SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_INTERNAL_ERROR); + return -1; + } s->type=SSL_ST_ACCEPT; if (s->init_buf == NULL) @@ -259,7 +266,11 @@ int ssl3_accept(SSL *s) /* clear this, it may get reset by * send_server_key_exchange */ - if (s->options & SSL_OP_EPHEMERAL_RSA) + if ((s->options & SSL_OP_EPHEMERAL_RSA) +#ifndef NO_KRB5 + && !(l & SSL_KRB5) +#endif /* NO_KRB5 */ + ) s->s3->tmp.use_rsa_tmp=1; else s->s3->tmp.use_rsa_tmp=0; @@ -982,7 +993,7 @@ static int ssl3_send_server_key_exchange(SSL *s) dhp=cert->dh_tmp; if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL)) dhp=s->cert->dh_tmp_cb(s, - !SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), + SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); if (dhp == NULL) { @@ -1254,12 +1265,15 @@ static int ssl3_get_client_key_exchange(SSL *s) BIGNUM *pub=NULL; DH *dh_srvr; #endif +#ifndef NO_KRB5 + KSSL_ERR kssl_err; +#endif /* NO_KRB5 */ n=ssl3_get_message(s, SSL3_ST_SR_KEY_EXCH_A, SSL3_ST_SR_KEY_EXCH_B, SSL3_MT_CLIENT_KEY_EXCHANGE, - 400, /* ???? */ + 2048, /* ??? */ &ok); if (!ok) return((int)n); @@ -1326,11 +1340,22 @@ static int ssl3_get_client_key_exchange(SSL *s) goto f_err; } - if ((p[0] != (s->client_version>>8)) || (p[1] != (s->client_version & 0xff))) + if (!((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff)))) { - al=SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); - goto f_err; + /* The premaster secret must contain the same version number as the + * ClientHello to detect version rollback attacks (strangely, the + * protocol does not offer such protection for DH ciphersuites). + * However, buggy clients exist that send the negotiated protocol + * version instead if the server does not support the requested + * protocol version. + * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. */ + if (!((s->options & SSL_OP_TLS_ROLLBACK_BUG) && + (p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff)))) + { + al=SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); + goto f_err; + } } s->session->master_key_length= @@ -1403,6 +1428,53 @@ static int ssl3_get_client_key_exchange(SSL *s) } else #endif +#ifndef NO_KRB5 + if (l & SSL_kKRB5) + { + krb5_error_code krb5rc; + KSSL_CTX *kssl_ctx = s->kssl_ctx; + + if (!kssl_ctx) kssl_ctx = kssl_ctx_new(); + if ((krb5rc = kssl_sget_tkt(kssl_ctx, + s->init_buf->data, s->init_buf->length, + &kssl_err)) != 0) + { +#ifdef KSSL_DEBUG + printf("kssl_sget_tkt rtn %d [%d]\n", + krb5rc, kssl_err.reason); + if (kssl_err.text) + printf("kssl_err text= %s\n", kssl_err.text); +#endif /* KSSL_DEBUG */ + SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, + kssl_err.reason); + goto err; + } + +#ifdef KSSL_DEBUG + kssl_ctx_show(kssl_ctx); +#endif /* KSSL_DEBUG */ + + /* 19991013 VRS - 3DES is kind of bogus here, + ** at least until Kerberos supports 3DES. The only + ** real secret is the 8-byte Kerberos session key; + ** the other key material (client_random, server_random) + ** could be sniffed. Nonces may help against replays though. + ** + ** Alternate code for Kerberos Purists: + ** + ** memcpy(s->session->master_key, kssl_ctx->key, kssl_ctx->length); + ** s->session->master_key_length = kssl_ctx->length; + */ + s->session->master_key_length= + s->method->ssl3_enc->generate_master_secret(s, + s->session->master_key, kssl_ctx->key, kssl_ctx->length); + /* Was doing kssl_ctx_free() here, but it caused problems for apache. + ** kssl_ctx = kssl_ctx_free(kssl_ctx); + ** if (s->kssl_ctx) s->kssl_ctx = NULL; + */ + } + else +#endif /* NO_KRB5 */ { al=SSL_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_UNKNOWN_CIPHER_TYPE); @@ -1698,6 +1770,8 @@ static int ssl3_get_client_certificate(SSL *s) if (s->session->sess_cert->cert_chain != NULL) sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free); s->session->sess_cert->cert_chain=sk; + /* Inconsistency alert: cert_chain does *not* include the + * peer's own certificate, while we do include it in s3_clnt.c */ sk=NULL; @@ -1721,7 +1795,11 @@ int ssl3_send_server_certificate(SSL *s) if (s->state == SSL3_ST_SW_CERT_A) { x=ssl_get_server_send_cert(s); - if (x == NULL) + if (x == NULL && + /* VRS: allow null cert if auth == KRB5 */ + (s->s3->tmp.new_cipher->algorithms + & (SSL_MKEY_MASK|SSL_AUTH_MASK)) + != (SSL_aKRB5|SSL_kKRB5)) { SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,SSL_R_INTERNAL_ERROR); return(0);