#include <openssl/x509.h>
#include "ssl_locl.h"
+#ifndef NO_KRB5
+#include "kssl.h"
+#endif /* NO_KRB5 */
+
static SSL_METHOD *ssl3_get_server_method(int ver);
static int ssl3_get_client_hello(SSL *s);
static int ssl3_check_client_hello(SSL *s);
if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
if ((s->version>>8) != 3)
- abort();
+ {
+ SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_INTERNAL_ERROR);
+ return -1;
+ }
s->type=SSL_ST_ACCEPT;
if (s->init_buf == NULL)
/* clear this, it may get reset by
* send_server_key_exchange */
- if (s->options & SSL_OP_EPHEMERAL_RSA)
+ if ((s->options & SSL_OP_EPHEMERAL_RSA)
+#ifndef NO_KRB5
+ && !(l & SSL_KRB5)
+#endif /* NO_KRB5 */
+ )
s->s3->tmp.use_rsa_tmp=1;
else
s->s3->tmp.use_rsa_tmp=0;
dhp=cert->dh_tmp;
if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL))
dhp=s->cert->dh_tmp_cb(s,
- !SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
+ SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
if (dhp == NULL)
{
BIGNUM *pub=NULL;
DH *dh_srvr;
#endif
+#ifndef NO_KRB5
+ KSSL_ERR kssl_err;
+#endif /* NO_KRB5 */
n=ssl3_get_message(s,
SSL3_ST_SR_KEY_EXCH_A,
SSL3_ST_SR_KEY_EXCH_B,
SSL3_MT_CLIENT_KEY_EXCHANGE,
- 400, /* ???? */
+ 2048, /* ??? */
&ok);
if (!ok) return((int)n);
goto f_err;
}
- if ((p[0] != (s->client_version>>8)) || (p[1] != (s->client_version & 0xff)))
+ if (!((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff))))
{
- al=SSL_AD_DECODE_ERROR;
- SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
- goto f_err;
+ /* The premaster secret must contain the same version number as the
+ * ClientHello to detect version rollback attacks (strangely, the
+ * protocol does not offer such protection for DH ciphersuites).
+ * However, buggy clients exist that send the negotiated protocol
+ * version instead if the server does not support the requested
+ * protocol version.
+ * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. */
+ if (!((s->options & SSL_OP_TLS_ROLLBACK_BUG) &&
+ (p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff))))
+ {
+ al=SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
+ goto f_err;
+ }
}
s->session->master_key_length=
}
else
#endif
+#ifndef NO_KRB5
+ if (l & SSL_kKRB5)
+ {
+ krb5_error_code krb5rc;
+ KSSL_CTX *kssl_ctx = s->kssl_ctx;
+
+ if (!kssl_ctx) kssl_ctx = kssl_ctx_new();
+ if ((krb5rc = kssl_sget_tkt(kssl_ctx,
+ s->init_buf->data, s->init_buf->length,
+ &kssl_err)) != 0)
+ {
+#ifdef KSSL_DEBUG
+ printf("kssl_sget_tkt rtn %d [%d]\n",
+ krb5rc, kssl_err.reason);
+ if (kssl_err.text)
+ printf("kssl_err text= %s\n", kssl_err.text);
+#endif /* KSSL_DEBUG */
+ SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
+ kssl_err.reason);
+ goto err;
+ }
+
+#ifdef KSSL_DEBUG
+ kssl_ctx_show(kssl_ctx);
+#endif /* KSSL_DEBUG */
+
+ /* 19991013 VRS - 3DES is kind of bogus here,
+ ** at least until Kerberos supports 3DES. The only
+ ** real secret is the 8-byte Kerberos session key;
+ ** the other key material (client_random, server_random)
+ ** could be sniffed. Nonces may help against replays though.
+ **
+ ** Alternate code for Kerberos Purists:
+ **
+ ** memcpy(s->session->master_key, kssl_ctx->key, kssl_ctx->length);
+ ** s->session->master_key_length = kssl_ctx->length;
+ */
+ s->session->master_key_length=
+ s->method->ssl3_enc->generate_master_secret(s,
+ s->session->master_key, kssl_ctx->key, kssl_ctx->length);
+ /* Was doing kssl_ctx_free() here, but it caused problems for apache.
+ ** kssl_ctx = kssl_ctx_free(kssl_ctx);
+ ** if (s->kssl_ctx) s->kssl_ctx = NULL;
+ */
+ }
+ else
+#endif /* NO_KRB5 */
{
al=SSL_AD_HANDSHAKE_FAILURE;
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_UNKNOWN_CIPHER_TYPE);
if (s->state == SSL3_ST_SW_CERT_A)
{
x=ssl_get_server_send_cert(s);
- if (x == NULL)
+ if (x == NULL &&
+ /* VRS: allow null cert if auth == KRB5 */
+ (s->s3->tmp.new_cipher->algorithms
+ & (SSL_MKEY_MASK|SSL_AUTH_MASK))
+ != (SSL_aKRB5|SSL_kKRB5))
{
SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,SSL_R_INTERNAL_ERROR);
return(0);
projects / openssl.git / blobdiff