Implement SSL_OP_TLS_ROLLBACK_BUG for servers.

Call dh_tmp_cb with correct 'is_export' flag. Avoid tabs in CHANGES.

Implement SSL_OP_TLS_ROLLBACK_BUG for servers.
Call dh_tmp_cb with correct 'is_export' flag. Avoid tabs in CHANGES.
2c05c494 · Bodo Möller · 2933ed4d · 2c05c494 · 2c05c494
显示空白变更内容
内联并排

Showing with 38 addition and 15 deletion

CHANGES CHANGES +22 -10

ssl/s3_srvr.c ssl/s3_srvr.c +16 -5

未找到文件。
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,18 @@

 Changes between 0.9.5a and 0.9.6  [xx XXX 2000]

+  *) Implement SSL_OP_TLS_ROLLBACK_BUG: In ssl3_get_client_key_exchange, if
+     this option is set, tolerate broken clients that send the negotiated
+     protocol version number instead of the requested protocol version
+     number.
+     [Bodo Moeller]
+
+  *) Call dh_tmp_cb (set by ..._TMP_DH_CB) with correct 'is_export' flag;
+     i.e. non-zero for export ciphersuites, zero otherwise.
+     Previous versions had this flag inverted, inconsistent with
+     rsa_tmp_cb (..._TMP_RSA_CB).
+     [Bodo Moeller; problem reported by Amit Chopra]
+
  *) Add missing DSA library text string. Work around for some IIS
     key files with invalid SEQUENCE encoding.
     [Steve Henson]

--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -982,7 +982,7 @@ static int ssl3_send_server_key_exchange(SSL *s)
 			dhp=cert->dh_tmp;
 			if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL))
 				dhp=s->cert->dh_tmp_cb(s,
-				      !SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
+				      SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
 				      SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
 			if (dhp == NULL)
 				{
@@ -1326,12 +1326,23 @@ static int ssl3_get_client_key_exchange(SSL *s)
 			goto f_err;
 			}

-		if ((p[0] != (s->client_version>>8)) || (p[1] != (s->client_version & 0xff)))
+		if (!((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff))))
+			{
+			/* The premaster secret must contain the same version number as the
+			 * ClientHello to detect version rollback attacks (strangely, the
+			 * protocol does not offer such protection for DH ciphersuites).
+			 * However, buggy clients exist that send the negotiated protocol
+			 * version instead if the servers does not support the requested
+			 * protocol version.
+			 * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. */
+			if (!((s->options & SSL_OP_TLS_ROLLBACK_BUG) &&
+				(p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff))))
 				{
 				al=SSL_AD_DECODE_ERROR;
 				SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
 				goto f_err;
 				}
+			}

 		s->session->master_key_length=
 			s->method->ssl3_enc->generate_master_secret(s,