Implement SSL_OP_TLS_ROLLBACK_BUG for servers.
authorBodo Möller <bodo@openssl.org>
Thu, 25 May 2000 09:50:40 +0000 (09:50 +0000)
committerBodo Möller <bodo@openssl.org>
Thu, 25 May 2000 09:50:40 +0000 (09:50 +0000)
Call dh_tmp_cb with correct 'is_export' flag.

Avoid tabs in CHANGES.

CHANGES
ssl/s3_srvr.c

diff --git a/CHANGES b/CHANGES
index bc4f221..4ae08b0 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,18 @@
 
  Changes between 0.9.5a and 0.9.6  [xx XXX 2000]
 
+  *) Implement SSL_OP_TLS_ROLLBACK_BUG: In ssl3_get_client_key_exchange, if
+     this option is set, tolerate broken clients that send the negotiated
+     protocol version number instead of the requested protocol version
+     number.
+     [Bodo Moeller]
+
+  *) Call dh_tmp_cb (set by ..._TMP_DH_CB) with correct 'is_export' flag;
+     i.e. non-zero for export ciphersuites, zero otherwise.
+     Previous versions had this flag inverted, inconsistent with
+     rsa_tmp_cb (..._TMP_RSA_CB).
+     [Bodo Moeller; problem reported by Amit Chopra]
+
   *) Add missing DSA library text string. Work around for some IIS
      key files with invalid SEQUENCE encoding.
      [Steve Henson]
@@ -19,7 +31,7 @@
      [Steve Henson]
 
   *) Eliminate non-ANSI declarations in crypto.h and stack.h.
-        [Ulf Möller]
+     [Ulf Möller]
 
   *) Fix for SSL server purpose checking. Server checking was
      rejecting certificates which had extended key usage present
 
      The new configuration file reading functions are:
 
-       NCONF_new, NCONF_free, NCONF_load, NCONF_load_fp, NCONF_load_bio,
-       NCONF_get_section, NCONF_get_string, NCONF_get_numbre
+        NCONF_new, NCONF_free, NCONF_load, NCONF_load_fp, NCONF_load_bio,
+        NCONF_get_section, NCONF_get_string, NCONF_get_numbre
 
-       NCONF_default, NCONF_WIN32
+        NCONF_default, NCONF_WIN32
 
-       NCONF_dump_fp, NCONF_dump_bio
+        NCONF_dump_fp, NCONF_dump_bio
 
      NCONF_default and NCONF_WIN32 are method (or "class") choosers,
      NCONF_new creates a new CONF object.  This works in the same way
 
      With these changes, a new set of functions and macros have appeared:
 
-       CRYPTO_set_mem_debug_functions()                [F]
-       CRYPTO_get_mem_debug_functions()                [F]
-       CRYPTO_dbg_set_options()                        [F]
-       CRYPTO_dbg_get_options()                        [F]
-       CRYPTO_malloc_debug_init()              [M]
+       CRYPTO_set_mem_debug_functions()                [F]
+       CRYPTO_get_mem_debug_functions()         [F]
+       CRYPTO_dbg_set_options()                        [F]
+       CRYPTO_dbg_get_options()                 [F]
+       CRYPTO_malloc_debug_init()               [M]
 
      The memory debug functions are NULL by default, unless the library
      is compiled with CRYPTO_MDEBUG or friends is defined.  If someone
index e23ca20..64c1d80 100644 (file)
@@ -982,7 +982,7 @@ static int ssl3_send_server_key_exchange(SSL *s)
                        dhp=cert->dh_tmp;
                        if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL))
                                dhp=s->cert->dh_tmp_cb(s,
-                                     !SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
+                                     SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
                                      SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
                        if (dhp == NULL)
                                {
@@ -1326,11 +1326,22 @@ static int ssl3_get_client_key_exchange(SSL *s)
                        goto f_err;
                        }
 
-               if ((p[0] != (s->client_version>>8)) || (p[1] != (s->client_version & 0xff)))
+               if (!((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff))))
                        {
-                       al=SSL_AD_DECODE_ERROR;
-                       SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
-                       goto f_err;
+                       /* The premaster secret must contain the same version number as the
+                        * ClientHello to detect version rollback attacks (strangely, the
+                        * protocol does not offer such protection for DH ciphersuites).
+                        * However, buggy clients exist that send the negotiated protocol
+                        * version instead if the servers does not support the requested
+                        * protocol version.
+                        * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. */
+                       if (!((s->options & SSL_OP_TLS_ROLLBACK_BUG) &&
+                               (p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff))))
+                               {
+                               al=SSL_AD_DECODE_ERROR;
+                               SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
+                               goto f_err;
+                               }
                        }
 
                s->session->master_key_length=