From: Robbie Harwood Date: Sat, 29 May 2021 16:05:49 +0000 (-0400) Subject: Fix k5tls module for OpenSSL 3 X-Git-Tag: krb5-1.20-beta1~78 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1196%2Fhead;p=thirdparty%2Fkrb5.git Fix k5tls module for OpenSSL 3 Starting in OpenSSL 3, connection termination without a close_notify alert causes SSL_read() to return SSL_ERROR_SSL instead of SSL_ERROR_SYSCALL. OpenSSL 3 also provides a new option SSL_OP_IGNORE_UNEXPECTED_EOF which allows an application to explicitly ignore possible truncation attacks and receive SSL_ERROR_ZERO_RETURN instead. Remove the call to SSL_CTX_get_options() since SSL_CTX_set_options() doesn't clear existing options. [ghudson@mit.edu: edited commit message and comment] --- diff --git a/src/plugins/tls/k5tls/openssl.c b/src/plugins/tls/k5tls/openssl.c index 76a43b3cd3..99fda7ffcd 100644 --- a/src/plugins/tls/k5tls/openssl.c +++ b/src/plugins/tls/k5tls/openssl.c @@ -433,7 +433,7 @@ setup(krb5_context context, SOCKET fd, const char *servername, char **anchors, k5_tls_handle *handle_out) { int e; - long options; + long options = SSL_OP_NO_SSLv2; SSL_CTX *ctx = NULL; SSL *ssl = NULL; k5_tls_handle handle = NULL; @@ -448,8 +448,19 @@ setup(krb5_context context, SOCKET fd, const char *servername, ctx = SSL_CTX_new(SSLv23_client_method()); if (ctx == NULL) goto error; - options = SSL_CTX_get_options(ctx); - SSL_CTX_set_options(ctx, options | SSL_OP_NO_SSLv2); + +#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF + /* + * For OpenSSL 3 and later, mark close_notify alerts as optional. We don't + * need to worry about truncation attacks because the protocols this module + * is used with (Kerberos and change-password) receive a single + * length-delimited message from the server. For prior versions of OpenSSL + * we check for SSL_ERROR_SYSCALL when reading instead (this error changes + * to SSL_ERROR_SSL in OpenSSL 3). + */ + options |= SSL_OP_IGNORE_UNEXPECTED_EOF; +#endif + SSL_CTX_set_options(ctx, options); SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_callback); X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), 0);