PR: 1833
Submitted By: Robin Seggelmann <seggelmann@fh-muenster.de> Fix other cases not covered by original patch.
This commit is contained in:
		| @@ -171,7 +171,7 @@ int dtls1_connect(SSL *s) | |||||||
| 		switch(s->state) | 		switch(s->state) | ||||||
| 			{ | 			{ | ||||||
| 		case SSL_ST_RENEGOTIATE: | 		case SSL_ST_RENEGOTIATE: | ||||||
| 			s->renegotiate=1; | 			s->new_session=1; | ||||||
| 			s->state=SSL_ST_CONNECT; | 			s->state=SSL_ST_CONNECT; | ||||||
| 			s->ctx->stats.sess_connect_renegotiate++; | 			s->ctx->stats.sess_connect_renegotiate++; | ||||||
| 			/* break */ | 			/* break */ | ||||||
| @@ -539,7 +539,6 @@ int dtls1_connect(SSL *s) | |||||||
| 			/* else do it later in ssl3_write */ | 			/* else do it later in ssl3_write */ | ||||||
|  |  | ||||||
| 			s->init_num=0; | 			s->init_num=0; | ||||||
| 			s->renegotiate=0; |  | ||||||
| 			s->new_session=0; | 			s->new_session=0; | ||||||
|  |  | ||||||
| 			ssl_update_cache(s,SSL_SESS_CACHE_CLIENT); | 			ssl_update_cache(s,SSL_SESS_CACHE_CLIENT); | ||||||
|   | |||||||
| @@ -957,7 +957,6 @@ start: | |||||||
| 			!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) && | 			!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) && | ||||||
| 			!s->s3->renegotiate) | 			!s->s3->renegotiate) | ||||||
| 			{ | 			{ | ||||||
| 			s->new_session = 1; |  | ||||||
| 			ssl3_renegotiate(s); | 			ssl3_renegotiate(s); | ||||||
| 			if (ssl3_renegotiate_check(s)) | 			if (ssl3_renegotiate_check(s)) | ||||||
| 				{ | 				{ | ||||||
| @@ -1164,7 +1163,6 @@ start: | |||||||
| #else | #else | ||||||
| 			s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT; | 			s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT; | ||||||
| #endif | #endif | ||||||
| 			s->renegotiate=1; |  | ||||||
| 			s->new_session=1; | 			s->new_session=1; | ||||||
| 			} | 			} | ||||||
| 		i=s->handshake_func(s); | 		i=s->handshake_func(s); | ||||||
|   | |||||||
| @@ -177,7 +177,7 @@ int dtls1_accept(SSL *s) | |||||||
| 		switch (s->state) | 		switch (s->state) | ||||||
| 			{ | 			{ | ||||||
| 		case SSL_ST_RENEGOTIATE: | 		case SSL_ST_RENEGOTIATE: | ||||||
| 			s->renegotiate=1; | 			s->new_session=1; | ||||||
| 			/* s->state=SSL_ST_ACCEPT; */ | 			/* s->state=SSL_ST_ACCEPT; */ | ||||||
|  |  | ||||||
| 		case SSL_ST_BEFORE: | 		case SSL_ST_BEFORE: | ||||||
| @@ -299,7 +299,7 @@ int dtls1_accept(SSL *s) | |||||||
| 			 | 			 | ||||||
| 		case SSL3_ST_SW_SRVR_HELLO_A: | 		case SSL3_ST_SW_SRVR_HELLO_A: | ||||||
| 		case SSL3_ST_SW_SRVR_HELLO_B: | 		case SSL3_ST_SW_SRVR_HELLO_B: | ||||||
| 			s->renegotiate = 2; | 			s->new_session = 2; | ||||||
| 			dtls1_start_timer(s); | 			dtls1_start_timer(s); | ||||||
| 			ret=dtls1_send_server_hello(s); | 			ret=dtls1_send_server_hello(s); | ||||||
| 			if (ret <= 0) goto end; | 			if (ret <= 0) goto end; | ||||||
| @@ -620,12 +620,11 @@ int dtls1_accept(SSL *s) | |||||||
|  |  | ||||||
| 			s->init_num=0; | 			s->init_num=0; | ||||||
|  |  | ||||||
| 			if (s->renegotiate == 2) /* skipped if we just sent a HelloRequest */ | 			if (s->new_session == 2) /* skipped if we just sent a HelloRequest */ | ||||||
| 				{ | 				{ | ||||||
| 				/* actually not necessarily a 'new' session unless | 				/* actually not necessarily a 'new' session unless | ||||||
| 				 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */ | 				 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */ | ||||||
| 				 | 				 | ||||||
| 				s->renegotiate=0; |  | ||||||
| 				s->new_session=0; | 				s->new_session=0; | ||||||
| 				 | 				 | ||||||
| 				ssl_update_cache(s,SSL_SESS_CACHE_SERVER); | 				ssl_update_cache(s,SSL_SESS_CACHE_SERVER); | ||||||
|   | |||||||
| @@ -207,7 +207,7 @@ int ssl3_connect(SSL *s) | |||||||
| 		switch(s->state) | 		switch(s->state) | ||||||
| 			{ | 			{ | ||||||
| 		case SSL_ST_RENEGOTIATE: | 		case SSL_ST_RENEGOTIATE: | ||||||
| 			s->renegotiate=1; | 			s->new_session=1; | ||||||
| 			s->state=SSL_ST_CONNECT; | 			s->state=SSL_ST_CONNECT; | ||||||
| 			s->ctx->stats.sess_connect_renegotiate++; | 			s->ctx->stats.sess_connect_renegotiate++; | ||||||
| 			/* break */ | 			/* break */ | ||||||
| @@ -546,7 +546,6 @@ int ssl3_connect(SSL *s) | |||||||
| 			/* else do it later in ssl3_write */ | 			/* else do it later in ssl3_write */ | ||||||
|  |  | ||||||
| 			s->init_num=0; | 			s->init_num=0; | ||||||
| 			s->renegotiate=0; |  | ||||||
| 			s->new_session=0; | 			s->new_session=0; | ||||||
|  |  | ||||||
| 			ssl_update_cache(s,SSL_SESS_CACHE_CLIENT); | 			ssl_update_cache(s,SSL_SESS_CACHE_CLIENT); | ||||||
|   | |||||||
| @@ -1280,7 +1280,6 @@ start: | |||||||
| #else | #else | ||||||
| 			s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT; | 			s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT; | ||||||
| #endif | #endif | ||||||
| 			s->renegotiate=1; |  | ||||||
| 			s->new_session=1; | 			s->new_session=1; | ||||||
| 			} | 			} | ||||||
| 		i=s->handshake_func(s); | 		i=s->handshake_func(s); | ||||||
|   | |||||||
| @@ -218,7 +218,7 @@ int ssl3_accept(SSL *s) | |||||||
| 		switch (s->state) | 		switch (s->state) | ||||||
| 			{ | 			{ | ||||||
| 		case SSL_ST_RENEGOTIATE: | 		case SSL_ST_RENEGOTIATE: | ||||||
| 			s->renegotiate=1; | 			s->new_session=1; | ||||||
| 			/* s->state=SSL_ST_ACCEPT; */ | 			/* s->state=SSL_ST_ACCEPT; */ | ||||||
|  |  | ||||||
| 		case SSL_ST_BEFORE: | 		case SSL_ST_BEFORE: | ||||||
| @@ -316,7 +316,7 @@ int ssl3_accept(SSL *s) | |||||||
| 			ret=ssl3_get_client_hello(s); | 			ret=ssl3_get_client_hello(s); | ||||||
| 			if (ret <= 0) goto end; | 			if (ret <= 0) goto end; | ||||||
| 			 | 			 | ||||||
| 			s->renegotiate = 2; | 			s->new_session = 2; | ||||||
| 			s->state=SSL3_ST_SW_SRVR_HELLO_A; | 			s->state=SSL3_ST_SW_SRVR_HELLO_A; | ||||||
| 			s->init_num=0; | 			s->init_num=0; | ||||||
| 			break; | 			break; | ||||||
| @@ -673,12 +673,11 @@ int ssl3_accept(SSL *s) | |||||||
|  |  | ||||||
| 			s->init_num=0; | 			s->init_num=0; | ||||||
|  |  | ||||||
| 			if (s->renegotiate == 2) /* skipped if we just sent a HelloRequest */ | 			if (s->new_session == 2) /* skipped if we just sent a HelloRequest */ | ||||||
| 				{ | 				{ | ||||||
| 				/* actually not necessarily a 'new' session unless | 				/* actually not necessarily a 'new' session unless | ||||||
| 				 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */ | 				 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */ | ||||||
| 				 | 				 | ||||||
| 				s->renegotiate=0; |  | ||||||
| 				s->new_session=0; | 				s->new_session=0; | ||||||
| 				 | 				 | ||||||
| 				ssl_update_cache(s,SSL_SESS_CACHE_SERVER); | 				ssl_update_cache(s,SSL_SESS_CACHE_SERVER); | ||||||
|   | |||||||
| @@ -1007,14 +1007,12 @@ struct ssl_st | |||||||
|  |  | ||||||
| 	int server;	/* are we the server side? - mostly used by SSL_clear*/ | 	int server;	/* are we the server side? - mostly used by SSL_clear*/ | ||||||
|  |  | ||||||
| 	int new_session;/* Generate a new session or reuse an old one. | 	int new_session;/* 1 if we are to use a new session. | ||||||
|  | 	                 * 2 if we are a server and are inside a handshake | ||||||
|  | 	                 *   (i.e. not just sending a HelloRequest) | ||||||
| 	                 * NB: For servers, the 'new' session may actually be a previously | 	                 * NB: For servers, the 'new' session may actually be a previously | ||||||
| 	                 * cached session or even the previous session unless | 	                 * cached session or even the previous session unless | ||||||
| 	                 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */ | 	                 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */ | ||||||
| 	int renegotiate;/* 1 if we are renegotiating. |  | ||||||
| 					 * 2 if we are a server and are inside a handshake |  | ||||||
| 					 *   (i.e. not just sending a HelloRequest) */ |  | ||||||
|  |  | ||||||
| 	int quiet_shutdown;/* don't send shutdown packets */ | 	int quiet_shutdown;/* don't send shutdown packets */ | ||||||
| 	int shutdown;	/* we have shut things down, 0x01 sent, 0x02 | 	int shutdown;	/* we have shut things down, 0x01 sent, 0x02 | ||||||
| 			 * for received */ | 			 * for received */ | ||||||
| @@ -1663,7 +1661,6 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s); | |||||||
|  |  | ||||||
| int SSL_do_handshake(SSL *s); | int SSL_do_handshake(SSL *s); | ||||||
| int SSL_renegotiate(SSL *s); | int SSL_renegotiate(SSL *s); | ||||||
| int SSL_renegotiate_abbreviated(SSL *s); |  | ||||||
| int SSL_renegotiate_pending(SSL *s); | int SSL_renegotiate_pending(SSL *s); | ||||||
| int SSL_shutdown(SSL *s); | int SSL_shutdown(SSL *s); | ||||||
|  |  | ||||||
|   | |||||||
| @@ -202,9 +202,9 @@ int SSL_clear(SSL *s) | |||||||
|        * needed because SSL_clear is not called when doing renegotiation) */ |        * needed because SSL_clear is not called when doing renegotiation) */ | ||||||
| 	/* This is set if we are doing dynamic renegotiation so keep | 	/* This is set if we are doing dynamic renegotiation so keep | ||||||
| 	 * the old cipher.  It is sort of a SSL_clear_lite :-) */ | 	 * the old cipher.  It is sort of a SSL_clear_lite :-) */ | ||||||
| 	if (s->renegotiate) return(1); | 	if (s->new_session) return(1); | ||||||
| #else | #else | ||||||
| 	if (s->renegotiate) | 	if (s->new_session) | ||||||
| 		{ | 		{ | ||||||
| 		SSLerr(SSL_F_SSL_CLEAR,ERR_R_INTERNAL_ERROR); | 		SSLerr(SSL_F_SSL_CLEAR,ERR_R_INTERNAL_ERROR); | ||||||
| 		return 0; | 		return 0; | ||||||
| @@ -1008,21 +1008,10 @@ int SSL_shutdown(SSL *s) | |||||||
|  |  | ||||||
| int SSL_renegotiate(SSL *s) | int SSL_renegotiate(SSL *s) | ||||||
| 	{ | 	{ | ||||||
| 	if (s->renegotiate == 0) | 	if (s->new_session == 0) | ||||||
| 		s->renegotiate=1; |  | ||||||
|  |  | ||||||
| 	s->new_session=1; |  | ||||||
|  |  | ||||||
| 	return(s->method->ssl_renegotiate(s)); |  | ||||||
| 	} |  | ||||||
|  |  | ||||||
| int SSL_renegotiate_abbreviated(SSL *s) |  | ||||||
| 		{ | 		{ | ||||||
| 	if (s->renegotiate == 0) | 		s->new_session=1; | ||||||
| 		s->renegotiate=1; | 		} | ||||||
| 	 |  | ||||||
| 	s->new_session=0; |  | ||||||
| 	 |  | ||||||
| 	return(s->method->ssl_renegotiate(s)); | 	return(s->method->ssl_renegotiate(s)); | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
| @@ -1030,7 +1019,7 @@ int SSL_renegotiate_pending(SSL *s) | |||||||
| 	{ | 	{ | ||||||
| 	/* becomes true when negotiation is requested; | 	/* becomes true when negotiation is requested; | ||||||
| 	 * false again once a handshake has finished */ | 	 * false again once a handshake has finished */ | ||||||
| 	return (s->renegotiate != 0); | 	return (s->new_session != 0); | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
| long SSL_ctrl(SSL *s,int cmd,long larg,void *parg) | long SSL_ctrl(SSL *s,int cmd,long larg,void *parg) | ||||||
| @@ -1383,7 +1372,7 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p, | |||||||
| 	/* If p == q, no ciphers and caller indicates an error. Otherwise | 	/* If p == q, no ciphers and caller indicates an error. Otherwise | ||||||
| 	 * add SCSV if not renegotiating. | 	 * add SCSV if not renegotiating. | ||||||
| 	 */ | 	 */ | ||||||
| 	if (p != q && !s->new_session) | 	if (p != q && !s->renegotiate) | ||||||
| 		{ | 		{ | ||||||
| 		static SSL_CIPHER scsv = | 		static SSL_CIPHER scsv = | ||||||
| 			{ | 			{ | ||||||
| @@ -1430,7 +1419,7 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num, | |||||||
| 			(p[n-1] == (SSL3_CK_SCSV & 0xff))) | 			(p[n-1] == (SSL3_CK_SCSV & 0xff))) | ||||||
| 			{ | 			{ | ||||||
| 			/* SCSV fatal if renegotiating */ | 			/* SCSV fatal if renegotiating */ | ||||||
| 			if (s->new_session) | 			if (s->renegotiate) | ||||||
| 				{ | 				{ | ||||||
| 				SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING); | 				SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING); | ||||||
| 				ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);  | 				ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);  | ||||||
| @@ -2530,7 +2519,6 @@ SSL *SSL_dup(SSL *s) | |||||||
| 	ret->in_handshake = s->in_handshake; | 	ret->in_handshake = s->in_handshake; | ||||||
| 	ret->handshake_func = s->handshake_func; | 	ret->handshake_func = s->handshake_func; | ||||||
| 	ret->server = s->server; | 	ret->server = s->server; | ||||||
| 	ret->renegotiate = s->renegotiate; |  | ||||||
| 	ret->new_session = s->new_session; | 	ret->new_session = s->new_session; | ||||||
| 	ret->quiet_shutdown = s->quiet_shutdown; | 	ret->quiet_shutdown = s->quiet_shutdown; | ||||||
| 	ret->shutdown=s->shutdown; | 	ret->shutdown=s->shutdown; | ||||||
|   | |||||||
| @@ -317,7 +317,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha | |||||||
| 		} | 		} | ||||||
|  |  | ||||||
|         /* Add RI if renegotiating */ |         /* Add RI if renegotiating */ | ||||||
|         if (s->new_session) |         if (s->renegotiate) | ||||||
|           { |           { | ||||||
|           int el; |           int el; | ||||||
|            |            | ||||||
| @@ -969,7 +969,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in | |||||||
|  |  | ||||||
| 	/* Need RI if renegotiating */ | 	/* Need RI if renegotiating */ | ||||||
|  |  | ||||||
| 	if (!renegotiate_seen && s->new_session && | 	if (!renegotiate_seen && s->renegotiate && | ||||||
| 		!(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) | 		!(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) | ||||||
| 		{ | 		{ | ||||||
| 		*al = SSL_AD_HANDSHAKE_FAILURE; | 		*al = SSL_AD_HANDSHAKE_FAILURE; | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user
	 Dr. Stephen Henson
					Dr. Stephen Henson