Updates to conform with draft-ietf-tls-renegotiation-03.txt:

1. Add provisional SCSV value.
2. Don't send SCSV and RI at same time.
3. Fatal error is SCSV received when renegotiating.

1 files changed, 10 insertions, 2 deletions

diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index f2999ead7f..b0bd720539 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1299,8 +1299,9 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
 		j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p);
 		p+=j;
 		}
-	/* If p == q, no ciphers and caller indicates an error, otherwise
-	 * add SCSV
+	/* If p == q, no ciphers and caller indicates an error. Otherwise
+	 * add SCSV if no extensions (i.e. SSL3 is client_version)
+	 * since spec RECOMMENDS not sending both RI and SCSV.
 	 */
 	if (p != q)
 		{
@@ -1348,6 +1349,13 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,
 			(p[n-2] == ((SSL3_CK_SCSV >> 8) & 0xff)) &&
 			(p[n-1] == (SSL3_CK_SCSV & 0xff)))
 			{
+			/* SCSV fatal if renegotiating */
+			if (s->new_session)
+				{
+				SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
+				ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 
+				goto err;
+				}
 			s->s3->send_connection_binding = 1;
 			p += n;
 #ifdef OPENSSL_RI_DEBUG