New function SSL_renegotiate_pending().

New option SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION.

3 files changed, 34 insertions, 4 deletions

diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index dcc1b72c9b..94da180d08 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -524,7 +524,9 @@ int ssl3_accept(SSL *s)
 			/* remove buffering on output */
 			ssl_free_wbio_buffer(s);
 
-			s->new_session=0;
+			if (s->new_session == 2)
+				s->new_session=0;
+			/* if s->new_session is still 1, we have only sent a HelloRequest */
 			s->init_num=0;
 
 			ssl_update_cache(s,SSL_SESS_CACHE_SERVER);
@@ -673,7 +675,15 @@ static int ssl3_get_client_hello(SSL *s)
 	j= *(p++);
 
 	s->hit=0;
-	if (j == 0)
+	/* Versions before 0.9.7 always allow session reuse during renegotiation
+	 * (i.e. when s->new_session is true), option
+	 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is new with 0.9.7.
+	 * Maybe this optional behaviour should always have been the default,
+	 * but we cannot safely change the default behaviour (or new applications
+	 * might be written that become totally unsecure when compiled with
+	 * an earlier library version)
+	 */
+	if (j == 0 || (s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION)))
 		{
 		if (!ssl_get_new_session(s,1))
 			goto err;
@@ -694,6 +704,11 @@ static int ssl3_get_client_hello(SSL *s)
 			}
 		}
 
+	if (s->new_session)
+		/* actually not necessarily a 'new' section unless
+		 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */
+		s->new_session = 2;
+
 	p+=j;
 	n2s(p,i);
 	if ((i == 0) && (j != 0))
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 88060ad6d8..8a8013463b 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -335,7 +335,8 @@ typedef struct ssl_session_st
 
 /* If set, always create a new key when using tmp_dh parameters */
 #define SSL_OP_SINGLE_DH_USE				0x00100000L
-/* Set to also use the tmp_rsa key when doing RSA operations. */
+/* Set to always use the tmp_rsa key when doing RSA operations,
+ * even when this violates protocol specs */
 #define SSL_OP_EPHEMERAL_RSA				0x00200000L
 /* Set on servers to choose the cipher according to the server's
  * preferences */
@@ -345,6 +346,8 @@ typedef struct ssl_session_st
  * (version 3.1) was announced in the client hello. Normally this is
  * forbidden to prevent version rollback attacks. */
 #define SSL_OP_TLS_ROLLBACK_BUG				0x00800000L
+/* As server, disallow session resumption on renegotiation */
+#define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION	0x01000000L
 
 /* The next flag deliberately changes the ciphertest, this is a check
  * for the PKCS#1 attack */
@@ -640,7 +643,11 @@ struct ssl_st
 
 	int server;	/* are we the server side? - mostly used by SSL_clear*/
 
-	int new_session;/* 1 if we are to use a new session */
+	int new_session;/* 1 if we are to use a new session,
+	                 * (sometimes 2 after a new session has in fact been assigned).
+	                 * NB: For servers, the 'new' session may actually be a previously
+	                 * cached session or even the previous session unless
+	                 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */
 	int quiet_shutdown;/* don't send shutdown packets */
 	int shutdown;	/* we have shut things down, 0x01 sent, 0x02
 			 * for received */
@@ -1157,6 +1164,7 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(SSL *s);
 
 int SSL_do_handshake(SSL *s);
 int SSL_renegotiate(SSL *s);
+int SSL_renegotiate_pending(SSL *s);
 int SSL_shutdown(SSL *s);
 
 SSL_METHOD *SSL_get_ssl_method(SSL *s);
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 89c3c2d4f4..f5512c465e 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -836,6 +836,13 @@ int SSL_renegotiate(SSL *s)
 	return(s->method->ssl_renegotiate(s));
 	}
 
+int SSL_renegotiate_pending(SSL *s)
+	{
+	/* becomes true when negotiation is requested;
+	 * false again once a handshake has finished */
+	return (s->new_session != 0);
+	}
+
 long SSL_ctrl(SSL *s,int cmd,long larg,char *parg)
 	{
 	long l;