Nuke SSL_OP_TLS_ROLLBACK_BUG - this is a workaround for buggy clients from

around the SSLv3/TLSv1.0 period... and buggy clients are buggy. This also helps to clean up the RSA key exchange code. ok "kill it with fire" beck@ tb@
author: jsing <> 2018-04-11 17:47:36 +0000
committer: jsing <> 2018-04-11 17:47:36 +0000
commit: 4d132fdc372189fa2be2978dc75a3654032aaec6 (patch)
tree: 9d2a5aea7b060e408a6260fb778ca983ca2780bf /src
parent: 4a86db5884fb87b302e9846edd558538a0a73215 (diff)
download: openbsd-4d132fdc372189fa2be2978dc75a3654032aaec6.tar.gz
openbsd-4d132fdc372189fa2be2978dc75a3654032aaec6.tar.bz2
openbsd-4d132fdc372189fa2be2978dc75a3654032aaec6.zip
2 files changed, 17 insertions, 36 deletions
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index 78a6787d43..143dd8a003 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.154 2018/03/20 15:28:12 tb Exp $ */
+/* $OpenBSD: ssl.h,v 1.155 2018/04/11 17:47:36 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -507,11 +507,6 @@ struct ssl_session_st {
 /* Set on servers to choose the cipher according to the server's
 * preferences */
 #define SSL_OP_CIPHER_SERVER_PREFERENCE                 0x00400000L
-/* If set, a server will allow a client to issue a SSLv3.0 version number
- * as latest version supported in the premaster secret, even when TLSv1.0
- * (version 3.1) was announced in the client hello. Normally this is
- * forbidden to prevent version rollback attacks. */
-#define SSL_OP_TLS_ROLLBACK_BUG                         0x00800000L
 #define SSL_OP_NO_TLSv1                                 0x04000000L
 #define SSL_OP_NO_TLSv1_2                               0x08000000L
@@ -545,6 +540,7 @@ struct ssl_session_st {
 #define SSL_OP_TLSEXT_PADDING                           0x0
 #define SSL_OP_TLS_BLOCK_PADDING_BUG                    0x0
 #define SSL_OP_TLS_D5_BUG                               0x0
+#define SSL_OP_TLS_ROLLBACK_BUG                         0x0
 /* Allow SSL_write(..., n) to return r with 0 < r < n (i.e. report success
 * when just a single record has been written): */
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index f1a0c9ae03..e72593e6b1 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.28 2018/01/28 09:21:34 inoguchi Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.29 2018/04/11 17:47:36 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1772,36 +1772,21 @@ ssl3_get_client_kex_rsa(SSL *s, unsigned char *p, long n)
        if ((al == -1) && !((p[0] == (s->client_version >> 8)) &&
            (p[1] == (s->client_version & 0xff)))) {
                /*
-                 * The premaster secret must contain the same version
+                 * The premaster secret must contain the same version number
-                 * number as the ClientHello to detect version rollback
+                 * as the ClientHello to detect version rollback attacks
-                 * attacks (strangely, the protocol does not offer such
+                 * (strangely, the protocol does not offer such protection for
-                 * protection for DH ciphersuites).
+                 * DH ciphersuites).
-                 * However, buggy clients exist that send the negotiated
+                 *
-                 * protocol version instead if the server does not
+                 * The Klima-Pokorny-Rosa extension of Bleichenbacher's attack
-                 * support the requested protocol version.
+                 * (http://eprint.iacr.org/2003/052/) exploits the version
-                 * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such
+                 * number check as a "bad version oracle" -- an alert would
-                 * clients.
+                 * reveal that the plaintext corresponding to some ciphertext
+                 * made up by the adversary is properly formatted except that
+                 * the version number is wrong. To avoid such attacks, we should
+                 * treat this just like any other decryption error.
                 */
-                if (!((s->internal->options & SSL_OP_TLS_ROLLBACK_BUG) &&
+                al = SSL_AD_DECODE_ERROR;
-                    (p[0] == (s->version >> 8)) &&
+                /* SSLerror(s, SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */
-                    (p[1] == (s->version & 0xff)))) {
-                        al = SSL_AD_DECODE_ERROR;
-                        /* SSLerror(s, SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */
-                        /*
-                         * The Klima-Pokorny-Rosa extension of
-                         * Bleichenbacher's attack
-                         * (http://eprint.iacr.org/2003/052/) exploits
-                         * the version number check as a "bad version
-                         * oracle" -- an alert would reveal that the
-                         * plaintext corresponding to some ciphertext
-                         * made up by the adversary is properly
-                         * formatted except that the version number is
-                         * wrong.
-                         * To avoid such attacks, we should treat this
-                         * just like any other decryption error.
-                         */
-                }
        }
        if (al != -1) {
author	jsing <>	2018-04-11 17:47:36 +0000
committer	jsing <>	2018-04-11 17:47:36 +0000
commit	4d132fdc372189fa2be2978dc75a3654032aaec6 (patch)
tree	9d2a5aea7b060e408a6260fb778ca983ca2780bf /src
parent	4a86db5884fb87b302e9846edd558538a0a73215 (diff)
download	openbsd-4d132fdc372189fa2be2978dc75a3654032aaec6.tar.gz openbsd-4d132fdc372189fa2be2978dc75a3654032aaec6.tar.bz2 openbsd-4d132fdc372189fa2be2978dc75a3654032aaec6.zip