PR: 1833
Submitted By: Robin Seggelmann <seggelmann@fh-muenster.de> Fix other cases not covered by original patch.
This commit is contained in:
parent
11a36aa96f
commit
35cae95032
@ -171,7 +171,7 @@ int dtls1_connect(SSL *s)
|
||||
switch(s->state)
|
||||
{
|
||||
case SSL_ST_RENEGOTIATE:
|
||||
s->renegotiate=1;
|
||||
s->new_session=1;
|
||||
s->state=SSL_ST_CONNECT;
|
||||
s->ctx->stats.sess_connect_renegotiate++;
|
||||
/* break */
|
||||
@ -539,7 +539,6 @@ int dtls1_connect(SSL *s)
|
||||
/* else do it later in ssl3_write */
|
||||
|
||||
s->init_num=0;
|
||||
s->renegotiate=0;
|
||||
s->new_session=0;
|
||||
|
||||
ssl_update_cache(s,SSL_SESS_CACHE_CLIENT);
|
||||
|
@ -957,7 +957,6 @@ start:
|
||||
!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
|
||||
!s->s3->renegotiate)
|
||||
{
|
||||
s->new_session = 1;
|
||||
ssl3_renegotiate(s);
|
||||
if (ssl3_renegotiate_check(s))
|
||||
{
|
||||
@ -1164,7 +1163,6 @@ start:
|
||||
#else
|
||||
s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
|
||||
#endif
|
||||
s->renegotiate=1;
|
||||
s->new_session=1;
|
||||
}
|
||||
i=s->handshake_func(s);
|
||||
|
@ -177,7 +177,7 @@ int dtls1_accept(SSL *s)
|
||||
switch (s->state)
|
||||
{
|
||||
case SSL_ST_RENEGOTIATE:
|
||||
s->renegotiate=1;
|
||||
s->new_session=1;
|
||||
/* s->state=SSL_ST_ACCEPT; */
|
||||
|
||||
case SSL_ST_BEFORE:
|
||||
@ -299,7 +299,7 @@ int dtls1_accept(SSL *s)
|
||||
|
||||
case SSL3_ST_SW_SRVR_HELLO_A:
|
||||
case SSL3_ST_SW_SRVR_HELLO_B:
|
||||
s->renegotiate = 2;
|
||||
s->new_session = 2;
|
||||
dtls1_start_timer(s);
|
||||
ret=dtls1_send_server_hello(s);
|
||||
if (ret <= 0) goto end;
|
||||
@ -620,12 +620,11 @@ int dtls1_accept(SSL *s)
|
||||
|
||||
s->init_num=0;
|
||||
|
||||
if (s->renegotiate == 2) /* skipped if we just sent a HelloRequest */
|
||||
if (s->new_session == 2) /* skipped if we just sent a HelloRequest */
|
||||
{
|
||||
/* actually not necessarily a 'new' session unless
|
||||
* SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */
|
||||
|
||||
s->renegotiate=0;
|
||||
s->new_session=0;
|
||||
|
||||
ssl_update_cache(s,SSL_SESS_CACHE_SERVER);
|
||||
|
@ -207,7 +207,7 @@ int ssl3_connect(SSL *s)
|
||||
switch(s->state)
|
||||
{
|
||||
case SSL_ST_RENEGOTIATE:
|
||||
s->renegotiate=1;
|
||||
s->new_session=1;
|
||||
s->state=SSL_ST_CONNECT;
|
||||
s->ctx->stats.sess_connect_renegotiate++;
|
||||
/* break */
|
||||
@ -546,7 +546,6 @@ int ssl3_connect(SSL *s)
|
||||
/* else do it later in ssl3_write */
|
||||
|
||||
s->init_num=0;
|
||||
s->renegotiate=0;
|
||||
s->new_session=0;
|
||||
|
||||
ssl_update_cache(s,SSL_SESS_CACHE_CLIENT);
|
||||
|
@ -1280,7 +1280,6 @@ start:
|
||||
#else
|
||||
s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
|
||||
#endif
|
||||
s->renegotiate=1;
|
||||
s->new_session=1;
|
||||
}
|
||||
i=s->handshake_func(s);
|
||||
|
@ -218,7 +218,7 @@ int ssl3_accept(SSL *s)
|
||||
switch (s->state)
|
||||
{
|
||||
case SSL_ST_RENEGOTIATE:
|
||||
s->renegotiate=1;
|
||||
s->new_session=1;
|
||||
/* s->state=SSL_ST_ACCEPT; */
|
||||
|
||||
case SSL_ST_BEFORE:
|
||||
@ -316,7 +316,7 @@ int ssl3_accept(SSL *s)
|
||||
ret=ssl3_get_client_hello(s);
|
||||
if (ret <= 0) goto end;
|
||||
|
||||
s->renegotiate = 2;
|
||||
s->new_session = 2;
|
||||
s->state=SSL3_ST_SW_SRVR_HELLO_A;
|
||||
s->init_num=0;
|
||||
break;
|
||||
@ -673,12 +673,11 @@ int ssl3_accept(SSL *s)
|
||||
|
||||
s->init_num=0;
|
||||
|
||||
if (s->renegotiate == 2) /* skipped if we just sent a HelloRequest */
|
||||
if (s->new_session == 2) /* skipped if we just sent a HelloRequest */
|
||||
{
|
||||
/* actually not necessarily a 'new' session unless
|
||||
* SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */
|
||||
|
||||
s->renegotiate=0;
|
||||
s->new_session=0;
|
||||
|
||||
ssl_update_cache(s,SSL_SESS_CACHE_SERVER);
|
||||
|
15
ssl/ssl.h
15
ssl/ssl.h
@ -1007,14 +1007,12 @@ struct ssl_st
|
||||
|
||||
int server; /* are we the server side? - mostly used by SSL_clear*/
|
||||
|
||||
int new_session;/* Generate a new session or reuse an old one.
|
||||
* NB: For servers, the 'new' session may actually be a previously
|
||||
* cached session or even the previous session unless
|
||||
* SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */
|
||||
int renegotiate;/* 1 if we are renegotiating.
|
||||
* 2 if we are a server and are inside a handshake
|
||||
* (i.e. not just sending a HelloRequest) */
|
||||
|
||||
int new_session;/* 1 if we are to use a new session.
|
||||
* 2 if we are a server and are inside a handshake
|
||||
* (i.e. not just sending a HelloRequest)
|
||||
* NB: For servers, the 'new' session may actually be a previously
|
||||
* cached session or even the previous session unless
|
||||
* SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */
|
||||
int quiet_shutdown;/* don't send shutdown packets */
|
||||
int shutdown; /* we have shut things down, 0x01 sent, 0x02
|
||||
* for received */
|
||||
@ -1663,7 +1661,6 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s);
|
||||
|
||||
int SSL_do_handshake(SSL *s);
|
||||
int SSL_renegotiate(SSL *s);
|
||||
int SSL_renegotiate_abbreviated(SSL *s);
|
||||
int SSL_renegotiate_pending(SSL *s);
|
||||
int SSL_shutdown(SSL *s);
|
||||
|
||||
|
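Review bot: Dropping `int renegotiate` from `struct ssl_st` and the `SSL_renegotiate_abbreviated` prototype are API/ABI changes in an installed public header: every member after `new_session` shifts for code compiled against the old layout, and any application calling the removed function no longer links. If the removal is intended it belongs in CHANGES with the replacement usage; if not, the prototype has to stay, because with a single flag there is no longer a way to request the session-reusing variant. The merged comment also leaves the zero value undocumented even though `SSL_renegotiate_pending` now reads it, so I would begin it as `int new_session;/* 0 if no renegotiation is pending; 1 if we are to use a new session.` and keep the remaining lines as written. Both hunks sit inside declarations that start and end outside the shown lines.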
@ -202,9 +202,9 @@ int SSL_clear(SSL *s)
|
||||
* needed because SSL_clear is not called when doing renegotiation) */
|
||||
/* This is set if we are doing dynamic renegotiation so keep
|
||||
* the old cipher. It is sort of a SSL_clear_lite :-) */
|
||||
if (s->renegotiate) return(1);
|
||||
if (s->new_session) return(1);
|
||||
#else
|
||||
if (s->renegotiate)
|
||||
if (s->new_session)
|
||||
{
|
||||
SSLerr(SSL_F_SSL_CLEAR,ERR_R_INTERNAL_ERROR);
|
||||
return 0;
|
||||
@ -1008,29 +1008,18 @@ int SSL_shutdown(SSL *s)
|
||||
|
||||
int SSL_renegotiate(SSL *s)
|
||||
{
|
||||
if (s->renegotiate == 0)
|
||||
s->renegotiate=1;
|
||||
|
||||
s->new_session=1;
|
||||
|
||||
if (s->new_session == 0)
|
||||
{
|
||||
s->new_session=1;
|
||||
}
|
||||
return(s->method->ssl_renegotiate(s));
|
||||
}
|
||||
|
||||
int SSL_renegotiate_abbreviated(SSL *s)
|
||||
{
|
||||
if (s->renegotiate == 0)
|
||||
s->renegotiate=1;
|
||||
|
||||
s->new_session=0;
|
||||
|
||||
return(s->method->ssl_renegotiate(s));
|
||||
}
|
||||
|
||||
int SSL_renegotiate_pending(SSL *s)
|
||||
{
|
||||
/* becomes true when negotiation is requested;
|
||||
* false again once a handshake has finished */
|
||||
return (s->renegotiate != 0);
|
||||
return (s->new_session != 0);
|
||||
}
|
||||
|
||||
long SSL_ctrl(SSL *s,int cmd,long larg,void *parg)
|
||||
@ -1383,7 +1372,7 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
|
||||
/* If p == q, no ciphers and caller indicates an error. Otherwise
|
||||
* add SCSV if not renegotiating.
|
||||
*/
|
||||
if (p != q && !s->new_session)
|
||||
if (p != q && !s->renegotiate)
|
||||
{
|
||||
static SSL_CIPHER scsv =
|
||||
{
|
||||
@ -1430,7 +1419,7 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,
|
||||
(p[n-1] == (SSL3_CK_SCSV & 0xff)))
|
||||
{
|
||||
/* SCSV fatal if renegotiating */
|
||||
if (s->new_session)
|
||||
if (s->renegotiate)
|
||||
{
|
||||
SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
|
||||
ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
|
||||
@ -2530,7 +2519,6 @@ SSL *SSL_dup(SSL *s)
|
||||
ret->in_handshake = s->in_handshake;
|
||||
ret->handshake_func = s->handshake_func;
|
||||
ret->server = s->server;
|
||||
ret->renegotiate = s->renegotiate;
|
||||
ret->new_session = s->new_session;
|
||||
ret->quiet_shutdown = s->quiet_shutdown;
|
||||
ret->shutdown=s->shutdown;
|
||||
|
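Review bot: `SSL_renegotiate_abbreviated` is deleted in this file (its body appears only on the old side, matching the prototype removal in ssl.h), and with `renegotiate` gone a client can no longer request a renegotiation that leaves `new_session` at 0; every client-requested renegotiation now runs with the flag set, which the ssl.h comment defines as using a new session. The same single flag now also drives `SSL_clear` (early return, or `ERR_R_INTERNAL_ERROR` in the `#else` branch, when non-zero), `SSL_renegotiate_pending`, SCSV emission in `ssl_cipher_list_to_bytes` and the SCSV-fatal check in `ssl_bytes_to_cipher_list`, so any caller that sets `new_session` for a reason other than a pending renegotiation (I cannot see from these hunks whether such a path exists) would suppress SCSV and make `SSL_clear` refuse to clear. The new `if (s->new_session == 0)` block in `SSL_renegotiate` is the natural place to pin the convention: `/* new_session doubles as the renegotiation-pending flag (see SSL_renegotiate_pending); 2 means a server already inside the handshake, so leave that value alone */`. `SSL_clear`, `ssl_cipher_list_to_bytes`, `ssl_bytes_to_cipher_list` and `SSL_dup` all continue outside their hunks.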
@ -317,7 +317,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
|
||||
}
|
||||
|
||||
/* Add RI if renegotiating */
|
||||
if (s->new_session)
|
||||
if (s->renegotiate)
|
||||
{
|
||||
int el;
|
||||
|
||||
@ -969,7 +969,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
|
||||
|
||||
/* Need RI if renegotiating */
|
||||
|
||||
if (!renegotiate_seen && s->new_session &&
|
||||
if (!renegotiate_seen && s->renegotiate &&
|
||||
!(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
|
||||
{
|
||||
*al = SSL_AD_HANDSHAKE_FAILURE;
|
||||
|
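Review bot: The `!renegotiate_seen && s->new_session` test in `ssl_parse_clienthello_tlsext` is the server's RFC 5746 gate — a renegotiating ClientHello that carries no RI extension is rejected only while this flag is non-zero — so after this change the flag must be non-zero on every path that re-enters the handshake before `ssl3_get_client_hello` parses extensions, and the `s->new_session = 2` assignments must stay after that parse. The visible hunks hold to this (the `start:` hunks keep `s->new_session=1` before `handshake_func`, `ssl3_accept` sets `2` only after `ssl3_get_client_hello` returns, and `dtls1_accept` sets it in the ServerHello state, which I assume is likewise after the ClientHello), but nothing in the code says so. The client-side `if (s->new_session)` for RI here and `!s->new_session` for SCSV in `ssl_cipher_list_to_bytes` are the mirror of the same rule. Because the flag now carries two meanings, I would document the invariant at the server check: `/* new_session != 0 here means this ClientHello is a renegotiation; it is set before the handshake is re-entered and only becomes 2 after get_client_hello returns */`. Both functions start and end outside the shown hunks.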