Add Kerberos fix which was in 0.9.8-stable but never committed to HEAD and

1.0.0. Original fix was on 2007-Mar-09 and had the log message: "Fix kerberos ciphersuite bugs introduced with PR:1336."
author: Dr. Stephen Henson <steve@openssl.org> 2010-02-27 23:04:10 +0000
committer: Dr. Stephen Henson <steve@openssl.org> 2010-02-27 23:04:10 +0000
commit: fbe2c6b33ea5cefb7eef3a7057a7b2bb5050f1c8 (patch)
tree: 3ef46d53595cc100b926cdfd86bf024b78bade51 /ssl/s3_srvr.c
parent: fc11f47229371cd3878fd964434f340225c46b0d (diff)
1 files changed, 2 insertions, 3 deletions
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 297f79fc1e..92f73b6681 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -2286,7 +2286,7 @@ int ssl3_get_client_key_exchange(SSL *s)
 				SSL_R_DATA_LENGTH_TOO_LONG);
 			goto err;
 			}
-		if (!((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff))))
+		if (!((pms[0] == (s->client_version>>8)) && (pms[1] == (s->client_version & 0xff))))
 		    {
 		    /* The premaster secret must contain the same version number as the
 		     * ClientHello to detect version rollback attacks (strangely, the
@@ -2296,8 +2296,7 @@ int ssl3_get_client_key_exchange(SSL *s)
 		     * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. 
 		     * (Perhaps we should have a separate BUG value for the Kerberos cipher)
 		     */
-		    if (!((s->options & SSL_OP_TLS_ROLLBACK_BUG) &&
-			   (p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff))))
+		    if (!(s->options & SSL_OP_TLS_ROLLBACK_BUG))
 			{
 			SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
 			       SSL_AD_DECODE_ERROR);
author	Dr. Stephen Henson <steve@openssl.org>	2010-02-27 23:04:10 +0000
committer	Dr. Stephen Henson <steve@openssl.org>	2010-02-27 23:04:10 +0000
commit	fbe2c6b33ea5cefb7eef3a7057a7b2bb5050f1c8 (patch)
tree	3ef46d53595cc100b926cdfd86bf024b78bade51 /ssl/s3_srvr.c
parent	fc11f47229371cd3878fd964434f340225c46b0d (diff)