[CVS] OpenSSL: BRANCH_OpenSSL_0_9_8k: openssl/ssl/ s3_lib.c s3_pkt.c s...
Ben Laurie
http://cvs.openssl.org/
____________________________________________________________________________
Server: cvs.openssl.org Name: Ben Laurie
Root: /v/openssl/cvs Email: b...@openssl.org
Module: openssl Date: 05-Nov-2009 17:07:43
Branch: BRANCH_OpenSSL_0_9_8k Handle: 2009110516073903
Modified files: (Branch: BRANCH_OpenSSL_0_9_8k)
openssl/ssl s3_lib.c s3_pkt.c s3_srvr.c ssl3.h
Log:
Belt and braces. Use existing code to disable renegotiation. Die if we
see a client hello.
Summary:
Revision Changes Path
1.74.2.23.2.1+3 -0 openssl/ssl/s3_lib.c
1.57.2.4.2.1+3 -1 openssl/ssl/s3_pkt.c
1.126.2.25.2.2+3 -4 openssl/ssl/s3_srvr.c
1.30.2.5.2.1+5 -4 openssl/ssl/ssl3.h
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openssl/ssl/s3_lib.c
============================================================================
$ cvs diff -u -r1.74.2.23 -r1.74.2.23.2.1 s3_lib.c
--- openssl/ssl/s3_lib.c 16 Jun 2008 16:56:41 -0000 1.74.2.23
+++ openssl/ssl/s3_lib.c 5 Nov 2009 16:07:39 -0000 1.74.2.23.2.1
@@ -2592,6 +2592,9 @@
if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
return(0);
+ if (!(s->s3->flags & SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+ return(0);
+
s->s3->renegotiate=1;
return(1);
}
@@ .
patch -p0 <<'@@ .'
Index: openssl/ssl/s3_pkt.c
============================================================================
$ cvs diff -u -r1.57.2.4 -r1.57.2.4.2.1 s3_pkt.c
--- openssl/ssl/s3_pkt.c 10 Oct 2008 10:41:32 -0000 1.57.2.4
+++ openssl/ssl/s3_pkt.c 5 Nov 2009 16:07:39 -0000 1.57.2.4.2.1
@@ -985,6 +985,7 @@
if (SSL_is_init_finished(s) &&
!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
+ (s->s3->flags & SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) &&
!s->s3->renegotiate)
{
ssl3_renegotiate(s);
@@ -1117,7 +1118,8 @@
if ((s->s3->handshake_fragment_len >= 4) && !s->in_handshake)
{
if (((s->state&SSL_ST_MASK) == SSL_ST_OK) &&
- !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS))
+ !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
+ (s->s3->flags & SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
{
#if 0 /* worked only because C operator preferences are not as expected (and
* because this is not really needed for clients except for detecting
@@ .
patch -p0 <<'@@ .'
Index: openssl/ssl/s3_srvr.c
============================================================================
$ cvs diff -u -r1.126.2.25.2.1 -r1.126.2.25.2.2 s3_srvr.c
--- openssl/ssl/s3_srvr.c 5 Nov 2009 13:40:28 -0000 1.126.2.25.2.1
+++ openssl/ssl/s3_srvr.c 5 Nov 2009 16:07:39 -0000 1.126.2.25.2.2
@@ -718,14 +718,13 @@
#endif
STACK_OF(SSL_CIPHER) *ciphers=NULL;
-#ifdef OPENSSL_ENABLE_UNSAFE_LEGACY_SESSION_RENEGOTATION
- if (s->new_session)
+ if (s->new_session
+ && !(s->s3->flags&SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
{
al=SSL_AD_HANDSHAKE_FAILURE;
- SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_RENEGOTIATION);
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
goto f_err;
}
-#endif /* ndef OPENSSL_ENABLE_UNSAFE_LEGACY_SESSION_RENEGOTATION */
/* We do this so that we will respond with our native type.
* If we are TLSv1 and we get SSLv3, we will respond with TLSv1,
@@ .
patch -p0 <<'@@ .'
Index: openssl/ssl/ssl3.h
============================================================================
$ cvs diff -u -r1.30.2.5 -r1.30.2.5.2.1 ssl3.h
--- openssl/ssl/ssl3.h 12 Oct 2007 00:00:30 -0000 1.30.2.5
+++ openssl/ssl/ssl3.h 5 Nov 2009 16:07:42 -0000 1.30.2.5.2.1
@@ -326,10 +326,11 @@
#define SSL3_CT_NUMBER 7
-#define SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS 0x0001
-#define SSL3_FLAGS_DELAY_CLIENT_FINISHED 0x0002
-#define SSL3_FLAGS_POP_BUFFER 0x0004
-#define TLS1_FLAGS_TLS_PADDING_BUG 0x0008
+#define SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS 0x0001
+#define SSL3_FLAGS_DELAY_CLIENT_FINISHED 0x0002
+#define SSL3_FLAGS_POP_BUFFER 0x0004
+#define TLS1_FLAGS_TLS_PADDING_BUG 0x0008
+#define SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x0010
typedef struct ssl3_state_st
{
@@ .
______________________________________________________________________
OpenSSL Project http://www.openssl.org
CVS Repository Commit List opens...@openssl.org
Automated List Manager majo...@openssl.org