diff options
| author | Ben Laurie <ben@openssl.org> | 2009-11-05 16:07:42 +0000 |
|---|---|---|
| committer | Ben Laurie <ben@openssl.org> | 2009-11-05 16:07:42 +0000 |
| commit | 0fc93c4b928552ace40ceb6e2ccce42fe1d1b60d (patch) | |
| tree | f91ff9debd0d4ac22f1eaac09c5ae8f2215913bc | |
| parent | c99c47f19e92e974675ddab862e4e2e26c82bbe7 (diff) | |
Belt and braces. Use existing code to disable renegotiation. Die if we
see a client hello.
| -rw-r--r-- | ssl/s3_lib.c | 3 | ||||
| -rw-r--r-- | ssl/s3_pkt.c | 4 | ||||
| -rw-r--r-- | ssl/s3_srvr.c | 7 | ||||
| -rw-r--r-- | ssl/ssl3.h | 9 |
4 files changed, 14 insertions, 9 deletions
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 8916a0b1b3..5aa7bb21da 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -2592,6 +2592,9 @@ int ssl3_renegotiate(SSL *s) if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) return(0); + if (!(s->s3->flags & SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) + return(0); + s->s3->renegotiate=1; return(1); } diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c index 9476dcddf6..b98b84044f 100644 --- a/ssl/s3_pkt.c +++ b/ssl/s3_pkt.c @@ -985,6 +985,7 @@ start: if (SSL_is_init_finished(s) && !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) && + (s->s3->flags & SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) && !s->s3->renegotiate) { ssl3_renegotiate(s); @@ -1117,7 +1118,8 @@ start: if ((s->s3->handshake_fragment_len >= 4) && !s->in_handshake) { if (((s->state&SSL_ST_MASK) == SSL_ST_OK) && - !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) + !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) && + (s->s3->flags & SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { #if 0 /* worked only because C operator preferences are not as expected (and * because this is not really needed for clients except for detecting diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index 6719ecf02e..79f3706c31 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -718,14 +718,13 @@ int ssl3_get_client_hello(SSL *s) #endif STACK_OF(SSL_CIPHER) *ciphers=NULL; -#ifdef OPENSSL_ENABLE_UNSAFE_LEGACY_SESSION_RENEGOTATION - if (s->new_session) + if (s->new_session + && !(s->s3->flags&SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { al=SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_RENEGOTIATION); + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); goto f_err; } -#endif /* ndef OPENSSL_ENABLE_UNSAFE_LEGACY_SESSION_RENEGOTATION */ /* We do this so that we will respond with our native type. * If we are TLSv1 and we get SSLv3, we will respond with TLSv1, diff --git a/ssl/ssl3.h b/ssl/ssl3.h index 4b1e2e9834..a1a19cbfcb 100644 --- a/ssl/ssl3.h +++ b/ssl/ssl3.h @@ -326,10 +326,11 @@ typedef struct ssl3_buffer_st #define SSL3_CT_NUMBER 7 -#define SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS 0x0001 -#define SSL3_FLAGS_DELAY_CLIENT_FINISHED 0x0002 -#define SSL3_FLAGS_POP_BUFFER 0x0004 -#define TLS1_FLAGS_TLS_PADDING_BUG 0x0008 +#define SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS 0x0001 +#define SSL3_FLAGS_DELAY_CLIENT_FINISHED 0x0002 +#define SSL3_FLAGS_POP_BUFFER 0x0004 +#define TLS1_FLAGS_TLS_PADDING_BUG 0x0008 +#define SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x0010 typedef struct ssl3_state_st { |