generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Belt and braces. Use existing code to disable renegotiation. Die if we

Browse Source 
see a client hello.
This commit is contained in:
Ben Laurie
2009-11-05 16:07:42 +00:00
parent c99c47f19e
commit 0fc93c4b92
4 changed files with 14 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
ssl/s3_lib.c
View File

@@ -2592,6 +2592,9 @@ int ssl3_renegotiate(SSL *s)
if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
return(0); return(0);
if (!(s->s3->flags & SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
return(0);
s->s3->renegotiate=1; s->s3->renegotiate=1;
return(1); return(1);
} }

4
ssl/s3_pkt.c
View File

@@ -985,6 +985,7 @@ start:
if (SSL_is_init_finished(s) && if (SSL_is_init_finished(s) &&
!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) && !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
(s->s3->flags & SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) &&
!s->s3->renegotiate) !s->s3->renegotiate)
{ {
ssl3_renegotiate(s); ssl3_renegotiate(s);
@@ -1117,7 +1118,8 @@ start:
if ((s->s3->handshake_fragment_len >= 4) && !s->in_handshake) if ((s->s3->handshake_fragment_len >= 4) && !s->in_handshake)
{ {
if (((s->state&SSL_ST_MASK) == SSL_ST_OK) && if (((s->state&SSL_ST_MASK) == SSL_ST_OK) &&
!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
(s->s3->flags & SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
{ {
#if 0 /* worked only because C operator preferences are not as expected (and #if 0 /* worked only because C operator preferences are not as expected (and
* because this is not really needed for clients except for detecting * because this is not really needed for clients except for detecting

7
ssl/s3_srvr.c
View File

@@ -718,14 +718,13 @@ int ssl3_get_client_hello(SSL *s)
#endif #endif
STACK_OF(SSL_CIPHER) *ciphers=NULL; STACK_OF(SSL_CIPHER) *ciphers=NULL;
#ifdef OPENSSL_ENABLE_UNSAFE_LEGACY_SESSION_RENEGOTATION if (s->new_session
if (s->new_session) && !(s->s3->flags&SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
{ {
al=SSL_AD_HANDSHAKE_FAILURE; al=SSL_AD_HANDSHAKE_FAILURE;
SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_RENEGOTIATION); SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
goto f_err; goto f_err;
} }
#endif /* ndef OPENSSL_ENABLE_UNSAFE_LEGACY_SESSION_RENEGOTATION */
/* We do this so that we will respond with our native type. /* We do this so that we will respond with our native type.
* If we are TLSv1 and we get SSLv3, we will respond with TLSv1, * If we are TLSv1 and we get SSLv3, we will respond with TLSv1,

1
ssl/ssl3.h
View File

@@ -330,6 +330,7 @@ typedef struct ssl3_buffer_st
#define SSL3_FLAGS_DELAY_CLIENT_FINISHED 0x0002 #define SSL3_FLAGS_DELAY_CLIENT_FINISHED 0x0002
#define SSL3_FLAGS_POP_BUFFER 0x0004 #define SSL3_FLAGS_POP_BUFFER 0x0004
#define TLS1_FLAGS_TLS_PADDING_BUG 0x0008 #define TLS1_FLAGS_TLS_PADDING_BUG 0x0008
#define SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x0010
typedef struct ssl3_state_st typedef struct ssl3_state_st
{ {