首页 发现 帮助
登录
OWEALs
/
openssl
镜像自地址 git://git.openssl.org/openssl.git
2
0
派生 0
文件 工单管理 1 Wiki
浏览代码

Add Kerberos fix which was in 0.9.8-stable but never committed to HEAD and
1.0.0. Original fix was on 2007-Mar-09 and had the log message: "Fix kerberos
ciphersuite bugs introduced with PR:1336."

Dr. Stephen Henson 14 年之前
父节点
48435b2098
当前提交
c1ca9d3238
共有 3 个文件被更改,包括 15 次插入11 次删除
分列视图 显示文件统计
  1. 3 0
      apps/verify.c
  2. 10 8
      ssl/s3_clnt.c
  3. 2 3
      ssl/s3_srvr.c

+ 3 - 0
apps/verify.c
查看文件 

@@ -350,6 +350,9 @@ static int MS_CALLBACK cb(int ok, X509_STORE_CTX *ctx)
 
 			case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION:
 
 			ok = 1;
 
 
+			case X509_V_ERR_KEYUSAGE_NO_CERTSIGN:
 
+			ok = 1;
 
+
 
 			}
 
 
 		return ok;

+ 10 - 8
ssl/s3_clnt.c
查看文件 

@@ -981,7 +981,9 @@ int ssl3_get_server_certificate(SSL *s)
 
 
 	if (!ok) return((int)n);
 
 
-	if (s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE)
 
+	if ((s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) ||
 
+		((s->s3->tmp.new_cipher->algorithms & SSL_aKRB5) && 
+		(s->s3->tmp.message_type == SSL3_MT_SERVER_DONE)))
 
 		{
 
 		s->s3->tmp.reuse_message=1;
 
 		return(1);
 
@@ -2868,13 +2870,6 @@ int ssl3_check_cert_and_algorithm(SSL *s)
 
 	DH *dh;
 
 #endif
 
 
-	sc=s->session->sess_cert;
 
-	if (sc == NULL)
 
-		{
 
-		SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,ERR_R_INTERNAL_ERROR);
 
-		goto err;
 
-		}
 
-
 
 	alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
 
 	alg_a=s->s3->tmp.new_cipher->algorithm_auth;
 
 
@@ -2882,6 +2877,13 @@ int ssl3_check_cert_and_algorithm(SSL *s)
 
 	if ((alg_a & (SSL_aDH|SSL_aNULL|SSL_aKRB5)) || (alg_k & SSL_kPSK))
 
 		return(1);
 
 
+	sc=s->session->sess_cert;
 
+	if (sc == NULL)
 
+		{
 
+		SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,ERR_R_INTERNAL_ERROR);
 
+		goto err;
 
+		}
 
+
 
 #ifndef OPENSSL_NO_RSA
 
 	rsa=s->session->sess_cert->peer_rsa_tmp;
 
 #endif

+ 2 - 3
ssl/s3_srvr.c
查看文件 

@@ -2286,7 +2286,7 @@ int ssl3_get_client_key_exchange(SSL *s)
 
 				SSL_R_DATA_LENGTH_TOO_LONG);
 
 			goto err;
 
 			}
 
-		if (!((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff))))
 
+		if (!((pms[0] == (s->client_version>>8)) && (pms[1] == (s->client_version & 0xff))))
 
 		    {
 
 		    /* The premaster secret must contain the same version number as the
 
 		     * ClientHello to detect version rollback attacks (strangely, the
 
@@ -2296,8 +2296,7 @@ int ssl3_get_client_key_exchange(SSL *s)
 
 		     * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. 
 		     * (Perhaps we should have a separate BUG value for the Kerberos cipher)
 
 		     */
 
-		    if (!((s->options & SSL_OP_TLS_ROLLBACK_BUG) &&
 
-			   (p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff))))
 
+		    if (!(s->options & SSL_OP_TLS_ROLLBACK_BUG))
 
 			{
 
 			SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
 
 			       SSL_AD_DECODE_ERROR);