From 35cae95032c71cd3523d38246401a1b7d7a74c37 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Fri, 27 Aug 2010 11:57:42 +0000 Subject: [PATCH] PR: 1833 Submitted By: Robin Seggelmann Fix other cases not covered by original patch. --- ssl/d1_clnt.c | 3 +-- ssl/d1_pkt.c | 2 -- ssl/d1_srvr.c | 7 +++---- ssl/s3_clnt.c | 3 +-- ssl/s3_pkt.c | 1 - ssl/s3_srvr.c | 7 +++---- ssl/ssl.h | 15 ++++++--------- ssl/ssl_lib.c | 30 +++++++++--------------------- ssl/t1_lib.c | 4 ++-- 9 files changed, 25 insertions(+), 47 deletions(-) diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c index 255c19d76..5bc9eb660 100644 --- a/ssl/d1_clnt.c +++ b/ssl/d1_clnt.c @@ -171,7 +171,7 @@ int dtls1_connect(SSL *s) switch(s->state) { case SSL_ST_RENEGOTIATE: - s->renegotiate=1; + s->new_session=1; s->state=SSL_ST_CONNECT; s->ctx->stats.sess_connect_renegotiate++; /* break */ @@ -539,7 +539,6 @@ int dtls1_connect(SSL *s) /* else do it later in ssl3_write */ s->init_num=0; - s->renegotiate=0; s->new_session=0; ssl_update_cache(s,SSL_SESS_CACHE_CLIENT); diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c index ee67561a8..1fd58bf59 100644 --- a/ssl/d1_pkt.c +++ b/ssl/d1_pkt.c @@ -957,7 +957,6 @@ start: !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) && !s->s3->renegotiate) { - s->new_session = 1; ssl3_renegotiate(s); if (ssl3_renegotiate_check(s)) { @@ -1164,7 +1163,6 @@ start: #else s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT; #endif - s->renegotiate=1; s->new_session=1; } i=s->handshake_func(s); diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c index ac4fbda3a..301ceda7a 100644 --- a/ssl/d1_srvr.c +++ b/ssl/d1_srvr.c @@ -177,7 +177,7 @@ int dtls1_accept(SSL *s) switch (s->state) { case SSL_ST_RENEGOTIATE: - s->renegotiate=1; + s->new_session=1; /* s->state=SSL_ST_ACCEPT; */ case SSL_ST_BEFORE: @@ -299,7 +299,7 @@ int dtls1_accept(SSL *s) case SSL3_ST_SW_SRVR_HELLO_A: case SSL3_ST_SW_SRVR_HELLO_B: - s->renegotiate = 2; + s->new_session = 2; dtls1_start_timer(s); ret=dtls1_send_server_hello(s); if (ret <= 0) goto end; @@ -620,12 +620,11 @@ int dtls1_accept(SSL *s) s->init_num=0; - if (s->renegotiate == 2) /* skipped if we just sent a HelloRequest */ + if (s->new_session == 2) /* skipped if we just sent a HelloRequest */ { /* actually not necessarily a 'new' session unless * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */ - s->renegotiate=0; s->new_session=0; ssl_update_cache(s,SSL_SESS_CACHE_SERVER); diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index 99b2f4928..41769feba 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -207,7 +207,7 @@ int ssl3_connect(SSL *s) switch(s->state) { case SSL_ST_RENEGOTIATE: - s->renegotiate=1; + s->new_session=1; s->state=SSL_ST_CONNECT; s->ctx->stats.sess_connect_renegotiate++; /* break */ @@ -546,7 +546,6 @@ int ssl3_connect(SSL *s) /* else do it later in ssl3_write */ s->init_num=0; - s->renegotiate=0; s->new_session=0; ssl_update_cache(s,SSL_SESS_CACHE_CLIENT); diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c index a1fec62df..b30c032b7 100644 --- a/ssl/s3_pkt.c +++ b/ssl/s3_pkt.c @@ -1280,7 +1280,6 @@ start: #else s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT; #endif - s->renegotiate=1; s->new_session=1; } i=s->handshake_func(s); diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index 3a62a95fa..92f73b668 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -218,7 +218,7 @@ int ssl3_accept(SSL *s) switch (s->state) { case SSL_ST_RENEGOTIATE: - s->renegotiate=1; + s->new_session=1; /* s->state=SSL_ST_ACCEPT; */ case SSL_ST_BEFORE: @@ -316,7 +316,7 @@ int ssl3_accept(SSL *s) ret=ssl3_get_client_hello(s); if (ret <= 0) goto end; - s->renegotiate = 2; + s->new_session = 2; s->state=SSL3_ST_SW_SRVR_HELLO_A; s->init_num=0; break; @@ -673,12 +673,11 @@ int ssl3_accept(SSL *s) s->init_num=0; - if (s->renegotiate == 2) /* skipped if we just sent a HelloRequest */ + if (s->new_session == 2) /* skipped if we just sent a HelloRequest */ { /* actually not necessarily a 'new' session unless * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */ - s->renegotiate=0; s->new_session=0; ssl_update_cache(s,SSL_SESS_CACHE_SERVER); diff --git a/ssl/ssl.h b/ssl/ssl.h index 6e6f27c09..e6244b001 100644 --- a/ssl/ssl.h +++ b/ssl/ssl.h @@ -1007,14 +1007,12 @@ struct ssl_st int server; /* are we the server side? - mostly used by SSL_clear*/ - int new_session;/* Generate a new session or reuse an old one. - * NB: For servers, the 'new' session may actually be a previously - * cached session or even the previous session unless - * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */ - int renegotiate;/* 1 if we are renegotiating. - * 2 if we are a server and are inside a handshake - * (i.e. not just sending a HelloRequest) */ - + int new_session;/* 1 if we are to use a new session. + * 2 if we are a server and are inside a handshake + * (i.e. not just sending a HelloRequest) + * NB: For servers, the 'new' session may actually be a previously + * cached session or even the previous session unless + * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */ int quiet_shutdown;/* don't send shutdown packets */ int shutdown; /* we have shut things down, 0x01 sent, 0x02 * for received */ @@ -1663,7 +1661,6 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s); int SSL_do_handshake(SSL *s); int SSL_renegotiate(SSL *s); -int SSL_renegotiate_abbreviated(SSL *s); int SSL_renegotiate_pending(SSL *s); int SSL_shutdown(SSL *s); diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index d4fc4aa1b..d4ca62ed2 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -202,9 +202,9 @@ int SSL_clear(SSL *s) * needed because SSL_clear is not called when doing renegotiation) */ /* This is set if we are doing dynamic renegotiation so keep * the old cipher. It is sort of a SSL_clear_lite :-) */ - if (s->renegotiate) return(1); + if (s->new_session) return(1); #else - if (s->renegotiate) + if (s->new_session) { SSLerr(SSL_F_SSL_CLEAR,ERR_R_INTERNAL_ERROR); return 0; @@ -1008,29 +1008,18 @@ int SSL_shutdown(SSL *s) int SSL_renegotiate(SSL *s) { - if (s->renegotiate == 0) - s->renegotiate=1; - - s->new_session=1; - + if (s->new_session == 0) + { + s->new_session=1; + } return(s->method->ssl_renegotiate(s)); } -int SSL_renegotiate_abbreviated(SSL *s) -{ - if (s->renegotiate == 0) - s->renegotiate=1; - - s->new_session=0; - - return(s->method->ssl_renegotiate(s)); -} - int SSL_renegotiate_pending(SSL *s) { /* becomes true when negotiation is requested; * false again once a handshake has finished */ - return (s->renegotiate != 0); + return (s->new_session != 0); } long SSL_ctrl(SSL *s,int cmd,long larg,void *parg) @@ -1383,7 +1372,7 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p, /* If p == q, no ciphers and caller indicates an error. Otherwise * add SCSV if not renegotiating. */ - if (p != q && !s->new_session) + if (p != q && !s->renegotiate) { static SSL_CIPHER scsv = { @@ -1430,7 +1419,7 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num, (p[n-1] == (SSL3_CK_SCSV & 0xff))) { /* SCSV fatal if renegotiating */ - if (s->new_session) + if (s->renegotiate) { SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING); ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); @@ -2530,7 +2519,6 @@ SSL *SSL_dup(SSL *s) ret->in_handshake = s->in_handshake; ret->handshake_func = s->handshake_func; ret->server = s->server; - ret->renegotiate = s->renegotiate; ret->new_session = s->new_session; ret->quiet_shutdown = s->quiet_shutdown; ret->shutdown=s->shutdown; diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index ef40e5e6f..521a41978 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -317,7 +317,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha } /* Add RI if renegotiating */ - if (s->new_session) + if (s->renegotiate) { int el; @@ -969,7 +969,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in /* Need RI if renegotiating */ - if (!renegotiate_seen && s->new_session && + if (!renegotiate_seen && s->renegotiate && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { *al = SSL_AD_HANDSHAKE_FAILURE;