Fixes for the following claims:

  1) Certificate Message with no certs

  OpenSSL implementation sends the Certificate message during SSL
  handshake, however as per the specification, these have been omitted.

  -- RFC 2712 --
     CertificateRequest, and the ServerKeyExchange shown in Figure 1
     will be omitted since authentication and the establishment of a
     master secret will be done using the client's Kerberos credentials
     for the TLS server.  The client's certificate will be omitted for
     the same reason.
  -- RFC 2712 --

  3) Pre-master secret Protocol version

  The pre-master secret generated by OpenSSL does not have the correct
  client version.

  RFC 2712 says, if the Kerberos option is selected, the pre-master
  secret structure is the same as that used in the RSA case.

  TLS specification defines pre-master secret as:
         struct {
             ProtocolVersion client_version;
             opaque random[46];
         } PreMasterSecret;

  where client_version is the latest protocol version supported by the
  client

  The pre-master secret generated by OpenSSL does not have the correct
  client version. The implementation does not update the first 2 bytes
  of random secret for Kerberos Cipher suites. At the server-end, the
  client version from the pre-master secret is not validated.

PR: 1336

diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 0fb959e35f91c1ee44c4cba30c2c7c3e44a51717..4a34b445ee94f2a167856c42d1e56de5d803e99e 100644 (file)
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1902,8 +1902,10 @@ int ssl3_send_client_key_exchange(SSL *s)
                                n+=2;
                                }
  
-                       if (RAND_bytes(tmp_buf,sizeof tmp_buf) <= 0)
-                           goto err;
+                           tmp_buf[0]=s->client_version>>8;
+                           tmp_buf[1]=s->client_version&0xff;
+                           if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0)
+                               goto err;
 
                        /*  20010420 VRS.  Tried it this way; failed.
                        **      EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL);

diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index db0f31e054a8db607663b0173df7d7534afffdc8..85fa6849a2a9bd66907c26786605fce7eb8028dc 100644 (file)
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* ssl/s3_srvr.c */
+/* ssl/s3_srvr.c -*- mode:C; c-file-style: "eay" -*- */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -323,10 +323,11 @@ int ssl3_accept(SSL *s)
 
                case SSL3_ST_SW_CERT_A:
                case SSL3_ST_SW_CERT_B:
-                       /* Check if it is anon DH or anon ECDH */
-                       /* or normal PSK */
+                       /* Check if it is anon DH or anon ECDH, */
+                       /* normal PSK or KRB5 */
                        if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL)
-                               && !(s->s3->tmp.new_cipher->algorithms & SSL_kPSK))
+                               && !(s->s3->tmp.new_cipher->algorithms & SSL_kPSK)
+                               && !(s->s3->tmp.new_cipher->algorithms & SSL_aKRB5))
                                {
                                ret=ssl3_send_server_certificate(s);
                                if (ret <= 0) goto end;
@@ -2061,6 +2062,25 @@ int ssl3_get_client_key_exchange(SSL *s)
                                SSL_R_DATA_LENGTH_TOO_LONG);
                        goto err;
                        }
+               if (!((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff))))
+                   {
+                   /* The premaster secret must contain the same version number as the
+                    * ClientHello to detect version rollback attacks (strangely, the
+                    * protocol does not offer such protection for DH ciphersuites).
+                    * However, buggy clients exist that send random bytes instead of
+                    * the protocol version.
+                    * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. 
+                    * (Perhaps we should have a separate BUG value for the Kerberos cipher)
+                    */
+                   if (!((s->options & SSL_OP_TLS_ROLLBACK_BUG) &&
+                          (p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff))))
+                       {
+                       SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+                              SSL_AD_DECODE_ERROR);
+                       goto err;
+                       }
+                   }
+
                EVP_CIPHER_CTX_cleanup(&ciph_ctx);
 
                 s->session->master_key_length=