/[smeserver]/rpms/openssl/sme8/openssl-fips-0.9.8e-cve-2009-3555.patch

Annotation of /rpms/openssl/sme8/openssl-fips-0.9.8e-cve-2009-3555.patch



Revision 1.1 - (hide annotations) (download)
Tue Feb 18 03:03:09 2014 UTC (10 years, 8 months ago) by wellsi
Branch: MAIN
CVS Tags: openssl-0_9_8e-28_el5_sme, openssl-0_9_8e-33_1_el5_sme, openssl-0_9_8e-32_1_el5_sme, openssl-0_9_8e-27_1_el5_sme, openssl-0_9_8e-27_el5_10_1, openssl-0_9_8e-31_1_el5_sme, HEAD
Branch point for: upstream
Initial import

1 wellsi 1.1 diff -up openssl-fips-0.9.8e/apps/s_client.c.reneg openssl-fips-0.9.8e/apps/s_client.c
2     --- openssl-fips-0.9.8e/apps/s_client.c.reneg 2010-02-18 15:58:31.000000000 +0100
3     +++ openssl-fips-0.9.8e/apps/s_client.c 2010-02-18 15:58:31.000000000 +0100
4     @@ -231,7 +231,7 @@ static void sc_usage(void)
5     BIO_printf(bio_err," -engine id - Initialise and use the specified engine\n");
6     #endif
7     BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
8     -
9     + BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
10     }
11    
12     enum
13     @@ -247,7 +247,7 @@ int MAIN(int, char **);
14    
15     int MAIN(int argc, char **argv)
16     {
17     - int off=0;
18     + int off=0, clr = 0;
19     SSL *con=NULL,*con2=NULL;
20     X509_STORE *store = NULL;
21     int s,k,width,state=0;
22     @@ -461,6 +461,12 @@ int MAIN(int argc, char **argv)
23     off|=SSL_OP_NO_SSLv2;
24     else if (strcmp(*argv,"-serverpref") == 0)
25     off|=SSL_OP_CIPHER_SERVER_PREFERENCE;
26     + else if (strcmp(*argv,"-legacy_renegotiation") == 0)
27     + off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
28     + else if (strcmp(*argv,"-legacy_server_connect") == 0)
29     + { off|=SSL_OP_LEGACY_SERVER_CONNECT; }
30     + else if (strcmp(*argv,"-no_legacy_server_connect") == 0)
31     + { clr|=SSL_OP_LEGACY_SERVER_CONNECT; }
32     else if (strcmp(*argv,"-cipher") == 0)
33     {
34     if (--argc < 1) goto bad;
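Review bot: The two new branches for -legacy_server_connect and -no_legacy_server_connect are not listed in sc_usage(), which the first hunk of this file extends only with -legacy_renegotiation, so these flags cannot be discovered from the help text. Adding `BIO_printf(bio_err," -legacy_server_connect - allow initial connection to servers without secure renegotiation (default)\n");` and `BIO_printf(bio_err," -no_legacy_server_connect - refuse initial connection to servers without secure renegotiation\n");` next to the existing usage line keeps the help in step with the parser; the default comes from the SSL_CTX_new() hunk of ssl_lib.c on this page. MAIN() starts and ends outside this hunk.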
35     @@ -589,6 +595,9 @@ bad:
36     SSL_CTX_set_options(ctx,SSL_OP_ALL|off);
37     else
38     SSL_CTX_set_options(ctx,off);
39     +
40     + if (clr)
41     + SSL_CTX_clear_options(ctx, clr);
42     /* DTLS: partial reads end up discarding unread UDP bytes :-(
43     * Setting read ahead solves this problem.
44     */
45     @@ -1290,6 +1299,8 @@ static void print_stuff(BIO *bio, SSL *s
46     EVP_PKEY_bits(pktmp));
47     EVP_PKEY_free(pktmp);
48     }
49     + BIO_printf(bio, "Secure Renegotiation IS%s supported\n",
50     + SSL_get_secure_renegotiation_support(s) ? "" : " NOT");
51     #ifndef OPENSSL_NO_COMP
52     comp=SSL_get_current_compression(s);
53     expansion=SSL_get_current_expansion(s);
54     diff -up openssl-fips-0.9.8e/apps/s_server.c.reneg openssl-fips-0.9.8e/apps/s_server.c
55     --- openssl-fips-0.9.8e/apps/s_server.c.reneg 2010-02-18 15:58:31.000000000 +0100
56     +++ openssl-fips-0.9.8e/apps/s_server.c 2010-02-18 15:58:31.000000000 +0100
57     @@ -371,6 +371,7 @@ static void sv_usage(void)
58     #endif
59     BIO_printf(bio_err," -id_prefix arg - Generate SSL/TLS session IDs prefixed by 'arg'\n");
60     BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
61     + BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
62     }
63    
64     static int local_argc=0;
65     @@ -700,6 +701,8 @@ int MAIN(int argc, char *argv[])
66     }
67     else if (strcmp(*argv,"-serverpref") == 0)
68     { off|=SSL_OP_CIPHER_SERVER_PREFERENCE; }
69     + else if (strcmp(*argv,"-legacy_renegotiation") == 0)
70     + off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
71     else if (strcmp(*argv,"-cipher") == 0)
72     {
73     if (--argc < 1) goto bad;
74     @@ -1534,6 +1537,8 @@ static int init_ssl_connection(SSL *con)
75     con->kssl_ctx->client_princ);
76     }
77     #endif /* OPENSSL_NO_KRB5 */
78     + BIO_printf(bio_s_out, "Secure Renegotiation IS%s supported\n",
79     + SSL_get_secure_renegotiation_support(con) ? "" : " NOT");
80     return(1);
81     }
82    
83     diff -up openssl-fips-0.9.8e/doc/ssl/SSL_CTX_set_options.pod.reneg openssl-fips-0.9.8e/doc/ssl/SSL_CTX_set_options.pod
84     --- openssl-fips-0.9.8e/doc/ssl/SSL_CTX_set_options.pod.reneg 2005-10-11 12:16:09.000000000 +0200
85     +++ openssl-fips-0.9.8e/doc/ssl/SSL_CTX_set_options.pod 2010-02-18 16:10:52.000000000 +0100
86     @@ -2,7 +2,7 @@
87    
88     =head1 NAME
89    
90     -SSL_CTX_set_options, SSL_set_options, SSL_CTX_get_options, SSL_get_options - manipulate SSL engine options
91     +SSL_CTX_set_options, SSL_set_options, SSL_CTX_clear_options, SSL_clear_options, SSL_CTX_get_options, SSL_get_options, SSL_get_secure_renegotiation_support - manipulate SSL options
92    
93     =head1 SYNOPSIS
94    
95     @@ -11,26 +11,41 @@ SSL_CTX_set_options, SSL_set_options, SS
96     long SSL_CTX_set_options(SSL_CTX *ctx, long options);
97     long SSL_set_options(SSL *ssl, long options);
98    
99     + long SSL_CTX_clear_options(SSL_CTX *ctx, long options);
100     + long SSL_clear_options(SSL *ssl, long options);
101     +
102     long SSL_CTX_get_options(SSL_CTX *ctx);
103     long SSL_get_options(SSL *ssl);
104    
105     + long SSL_get_secure_renegotiation_support(SSL *ssl);
106     +
107     =head1 DESCRIPTION
108    
109     +Note: all these functions are implemented using macros.
110     +
111     SSL_CTX_set_options() adds the options set via bitmask in B<options> to B<ctx>.
112     Options already set before are not cleared!
113    
114     SSL_set_options() adds the options set via bitmask in B<options> to B<ssl>.
115     Options already set before are not cleared!
116    
117     +SSL_CTX_clear_options() clears the options set via bitmask in B<options>
118     +to B<ctx>.
119     +
120     +SSL_clear_options() clears the options set via bitmask in B<options> to B<ssl>.
121     +
122     SSL_CTX_get_options() returns the options set for B<ctx>.
123    
124     SSL_get_options() returns the options set for B<ssl>.
125    
126     +SSL_get_secure_renegotiation_support() indicates whether the peer supports
127     +secure renegotiation.
128     +
129     =head1 NOTES
130    
131     The behaviour of the SSL library can be changed by setting several options.
132     The options are coded as bitmasks and can be combined by a logical B<or>
133     -operation (|). Options can only be added but can never be reset.
134     +operation (|).
135    
136     SSL_CTX_set_options() and SSL_set_options() affect the (external)
137     protocol behaviour of the SSL library. The (internal) behaviour of
138     @@ -199,17 +214,109 @@ Do not use the TLSv1 protocol.
139    
140     When performing renegotiation as a server, always start a new session
141     (i.e., session resumption requests are only accepted in the initial
142     -handshake). This option is not needed for clients.
143     +handshake). This option is not needed for clients.
144     +
145     +=item SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
146     +
147     +Allow legacy insecure renegotiation between OpenSSL and unpatched clients or
148     +servers. See the B<SECURE RENEGOTIATION> section for more details.
149     +
150     +=item SSL_OP_LEGACY_SERVER_CONNECT
151     +
152     +Allow legacy insecure renegotiation between OpenSSL and unpatched servers
153     +B<only>: this option is currently set by default. See the
154     +B<SECURE RENEGOTIATION> section for more details.
155    
156     =back
157    
158     +=head1 SECURE RENEGOTIATION
159     +
160     +OpenSSL 0.9.8m and later always attempts to use secure renegotiation as
161     +described in RFC5746. This counters the prefix attack described in
162     +CVE-2009-3555 and elsewhere.
163     +
164     +The deprecated and highly broken SSLv2 protocol does not support
165     +renegotiation at all: its use is B<strongly> discouraged.
166     +
167     +This attack has far reaching consequences which application writers should be
168     +aware of. In the description below an implementation supporting secure
169     +renegotiation is referred to as I<patched>. A server not supporting secure
170     +renegotiation is referred to as I<unpatched>.
171     +
172     +The following sections describe the operations permitted by OpenSSL's secure
173     +renegotiation implementation.
174     +
175     +=head2 Patched client and server
176     +
177     +Connections and renegotiation are always permitted by OpenSSL implementations.
178     +
179     +=head2 Unpatched client and patched OpenSSL server
180     +
181     +The initial connection suceeds but client renegotiation is denied by the
182     +server with a B<no_renegotiation> warning alert if TLS v1.0 is used or a fatal
183     +B<handshake_failure> alert in SSL v3.0.
184     +
185     +If the patched OpenSSL server attempts to renegotiate a fatal
186     +B<handshake_failure> alert is sent. This is because the server code may be
187     +unaware of the unpatched nature of the client.
188     +
189     +If the option B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> is set then
190     +renegotiation B<always> succeeds.
191     +
192     +B<NB:> a bug in OpenSSL clients earlier than 0.9.8m (all of which are
193     +unpatched) will result in the connection hanging if it receives a
194     +B<no_renegotiation> alert. OpenSSL versions 0.9.8m and later will regard
195     +a B<no_renegotiation> alert as fatal and respond with a fatal
196     +B<handshake_failure> alert. This is because the OpenSSL API currently has
197     +no provision to indicate to an application that a renegotiation attempt
198     +was refused.
199     +
200     +=head2 Patched OpenSSL client and unpatched server.
201     +
202     +If the option B<SSL_OP_LEGACY_SERVER_CONNECT> or
203     +B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> is set then initial connections
204     +and renegotiation between patched OpenSSL clients and unpatched servers
205     +succeeds. If neither option is set then initial connections to unpatched
206     +servers will fail.
207     +
208     +The option B<SSL_OP_LEGACY_SERVER_CONNECT> is currently set by default even
209     +though it has security implications: otherwise it would be impossible to
210     +connect to unpatched servers (i.e. all of them initially) and this is clearly
211     +not acceptable. Renegotiation is permitted because this does not add any
212     +additional security issues: during an attack clients do not see any
213     +renegotiations anyway.
214     +
215     +As more servers become patched the option B<SSL_OP_LEGACY_SERVER_CONNECT> will
216     +B<not> be set by default in a future version of OpenSSL.
217     +
218     +OpenSSL client applications wishing to ensure they can connect to unpatched
219     +servers should always B<set> B<SSL_OP_LEGACY_SERVER_CONNECT>
220     +
221     +OpenSSL client applications that want to ensure they can B<not> connect to
222     +unpatched servers (and thus avoid any security issues) should always B<clear>
223     +B<SSL_OP_LEGACY_SERVER_CONNECT> using SSL_CTX_clear_options() or
224     +SSL_clear_options().
225     +
226     +The difference between the B<SSL_OP_LEGACY_SERVER_CONNECT> and
227     +B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> options is that
228     +B<SSL_OP_LEGACY_SERVER_CONNECT> enables initial connections and secure
229     +renegotiation between OpenSSL clients and unpatched servers B<only>, while
230     +B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> allows initial connections
231     +and renegotiation between OpenSSL and unpatched clients or servers.
232     +
233     =head1 RETURN VALUES
234    
235     SSL_CTX_set_options() and SSL_set_options() return the new options bitmask
236     after adding B<options>.
237    
238     +SSL_CTX_clear_options() and SSL_clear_options() return the new options bitmask
239     +after clearing B<options>.
240     +
241     SSL_CTX_get_options() and SSL_get_options() return the current bitmask.
242    
243     +SSL_get_secure_renegotiation_support() returns 1 is the peer supports
244     +secure renegotiation and 0 if it does not.
245     +
246     =head1 SEE ALSO
247    
248     L<ssl(3)|ssl(3)>, L<SSL_new(3)|SSL_new(3)>, L<SSL_clear(3)|SSL_clear(3)>,
249     @@ -232,4 +339,11 @@ Versions up to OpenSSL 0.9.6c do not inc
250     can be disabled with this option (in OpenSSL 0.9.6d, it was always
251     enabled).
252    
253     +SSL_CTX_clear_options() and SSL_clear_options() were first added in OpenSSL
254     +0.9.8m.
255     +
256     +B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION>, B<SSL_OP_LEGACY_SERVER_CONNECT>
257     +and the function SSL_get_secure_renegotiation_support() were first added in
258     +OpenSSL 0.9.8m.
259     +
260     =cut
261     diff -up openssl-fips-0.9.8e/ssl/d1_both.c.reneg openssl-fips-0.9.8e/ssl/d1_both.c
262     --- openssl-fips-0.9.8e/ssl/d1_both.c.reneg 2010-02-18 15:58:31.000000000 +0100
263     +++ openssl-fips-0.9.8e/ssl/d1_both.c 2010-02-18 15:58:31.000000000 +0100
264     @@ -750,6 +750,24 @@ int dtls1_send_finished(SSL *s, int a, i
265     p+=i;
266     l=i;
267    
268     + /* Copy the finished so we can use it for
269     + * renegotiation checks
270     + */
271     + if(s->type == SSL_ST_CONNECT)
272     + {
273     + OPENSSL_assert(i <= EVP_MAX_MD_SIZE);
274     + memcpy(s->s3->previous_client_finished,
275     + s->s3->tmp.finish_md, i);
276     + s->s3->previous_client_finished_len=i;
277     + }
278     + else
279     + {
280     + OPENSSL_assert(i <= EVP_MAX_MD_SIZE);
281     + memcpy(s->s3->previous_server_finished,
282     + s->s3->tmp.finish_md, i);
283     + s->s3->previous_server_finished_len=i;
284     + }
285     +
286     #ifdef OPENSSL_SYS_WIN16
287     /* MSVC 1.5 does not clear the top bytes of the word unless
288     * I do this.
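Review bot: Both branches of the new block repeat `OPENSSL_assert(i <= EVP_MAX_MD_SIZE);` immediately before their memcpy; hoisting the single assertion above `if(s->type == SSL_ST_CONNECT)` states once that the bound holds regardless of role and leaves only the choice of destination buffer in the branches. A short comment such as `/* finish_md length must fit the previous_*_finished buffers, presumably sized EVP_MAX_MD_SIZE */` would also record why an assertion rather than a recoverable error is acceptable here — as far as I can tell i is the length of the library's own computed digest, not peer-supplied data, but the hunk does not show where it comes from. dtls1_send_finished() starts and ends outside this hunk.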
289     diff -up openssl-fips-0.9.8e/ssl/d1_clnt.c.reneg openssl-fips-0.9.8e/ssl/d1_clnt.c
290     --- openssl-fips-0.9.8e/ssl/d1_clnt.c.reneg 2010-02-18 15:58:31.000000000 +0100
291     +++ openssl-fips-0.9.8e/ssl/d1_clnt.c 2010-02-18 15:58:31.000000000 +0100
292     @@ -621,7 +621,13 @@ int dtls1_client_hello(SSL *s)
293     *(p++)=comp->id;
294     }
295     *(p++)=0; /* Add the NULL method */
296     -
297     +
298     + if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
299     + {
300     + SSLerr(SSL_F_DTLS1_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
301     + goto err;
302     + }
303     +
304     l=(p-d);
305     d=buf;
306    
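Review bot: The new ssl_add_clienthello_tlsext() call in dtls1_client_hello() is unconditional, while the matching ssl_add_serverhello_tlsext() call added to dtls1_send_server_hello() in the d1_srvr.c hunk further down is wrapped in `#ifndef OPENSSL_NO_TLSEXT`. Whether that asymmetry is intended depends on whether the helpers are compiled under OPENSSL_NO_TLSEXT, which this patch does not show: if they are not, this client-side call fails to build in a no-tlsext configuration, and if they are, the DTLS server would silently omit the renegotiation extension in that configuration while the client still sends it. Either guard both call sites the same way or add a comment at this call, e.g. `/* always available: the RI extension is emitted even with OPENSSL_NO_TLSEXT */`, if that is the case. dtls1_client_hello() starts and ends outside the hunk.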
307     diff -up openssl-fips-0.9.8e/ssl/d1_srvr.c.reneg openssl-fips-0.9.8e/ssl/d1_srvr.c
308     --- openssl-fips-0.9.8e/ssl/d1_srvr.c.reneg 2010-02-18 15:58:31.000000000 +0100
309     +++ openssl-fips-0.9.8e/ssl/d1_srvr.c 2010-02-18 15:58:31.000000000 +0100
310     @@ -267,7 +267,6 @@ int dtls1_accept(SSL *s)
311     s->shutdown=0;
312     ret=ssl3_get_client_hello(s);
313     if (ret <= 0) goto end;
314     - s->new_session = 2;
315    
316     if ( s->d1->send_cookie)
317     s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A;
318     @@ -293,6 +292,7 @@ int dtls1_accept(SSL *s)
319    
320     case SSL3_ST_SW_SRVR_HELLO_A:
321     case SSL3_ST_SW_SRVR_HELLO_B:
322     + s->new_session = 2;
323     ret=dtls1_send_server_hello(s);
324     if (ret <= 0) goto end;
325    
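Review bot: Moving `s->new_session = 2;` from just after ssl3_get_client_hello() to the SSL3_ST_SW_SRVR_HELLO_A case deserves a why-comment, because the effect it controls lives in another file: the ssl_bytes_to_cipher_list() hunk in ssl_lib.c on this page treats an SCSV as a fatal handshake failure whenever s->new_session is set. With the old placement the flag was already set after the first ClientHello, so the second ClientHello that follows a HelloVerifyRequest (the `send_cookie` path visible in the first hunk) would, as far as I can tell, have had its SCSV rejected as renegotiation. Suggest `/* Set only once a ClientHello is accepted: the SCSV check in ssl_bytes_to_cipher_list() must not see a cookie-exchange retry as renegotiation */` above the assignment. dtls1_accept() starts and ends outside both hunks.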
326     @@ -713,6 +713,8 @@ int dtls1_send_server_hello(SSL *s)
327     p+=sl;
328    
329     /* put the cipher */
330     + if (s->s3->tmp.new_cipher == NULL)
331     + return -1;
332     i=ssl3_put_cipher_by_char(s->s3->tmp.new_cipher,p);
333     p+=i;
334    
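Review bot: The new NULL check on s->s3->tmp.new_cipher returns -1 without queuing an error, whereas the other early exit added to the same function in the next hunk first calls `SSLerr(SSL_F_DTLS1_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR);`, so a caller that hits this path sees a failure with an empty error queue. Adding the same SSLerr line before `return -1;` keeps the two exits consistent and makes the condition diagnosable from ERR_print_errors output. dtls1_send_server_hello() starts and ends outside this hunk.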
335     @@ -726,13 +728,21 @@ int dtls1_send_server_hello(SSL *s)
336     *(p++)=s->s3->tmp.new_compression->id;
337     #endif
338    
339     +#ifndef OPENSSL_NO_TLSEXT
340     + if ((p = ssl_add_serverhello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
341     + {
342     + SSLerr(SSL_F_DTLS1_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR);
343     + return -1;
344     + }
345     +#endif
346     +
347     /* do the header */
348     l=(p-d);
349     d=buf;
350    
351     d = dtls1_set_message_header(s, d, SSL3_MT_SERVER_HELLO, l, 0, l);
352    
353     - s->state=SSL3_ST_CW_CLNT_HELLO_B;
354     + s->state=SSL3_ST_SW_SRVR_HELLO_B;
355     /* number of bytes to write */
356     s->init_num=p-buf;
357     s->init_off=0;
358     @@ -741,7 +751,7 @@ int dtls1_send_server_hello(SSL *s)
359     dtls1_buffer_message(s, 0);
360     }
361    
362     - /* SSL3_ST_CW_CLNT_HELLO_B */
363     + /* SSL3_ST_SW_SRVR_HELLO_B */
364     return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
365     }
366    
367     @@ -765,7 +775,7 @@ int dtls1_send_server_done(SSL *s)
368     dtls1_buffer_message(s, 0);
369     }
370    
371     - /* SSL3_ST_CW_CLNT_HELLO_B */
372     + /* SSL3_ST_SW_SRVR_DONE_B */
373     return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
374     }
375    
376     diff -up openssl-fips-0.9.8e/ssl/Makefile.reneg openssl-fips-0.9.8e/ssl/Makefile
377     --- openssl-fips-0.9.8e/ssl/Makefile.reneg 2007-08-01 13:33:16.000000000 +0200
378     +++ openssl-fips-0.9.8e/ssl/Makefile 2010-02-18 15:58:31.000000000 +0100
379     @@ -30,7 +30,7 @@ LIBSRC= \
380     ssl_lib.c ssl_err2.c ssl_cert.c ssl_sess.c \
381     ssl_ciph.c ssl_stat.c ssl_rsa.c \
382     ssl_asn1.c ssl_txt.c ssl_algs.c \
383     - bio_ssl.c ssl_err.c kssl.c
384     + bio_ssl.c ssl_err.c kssl.c t1_reneg.c
385     LIBOBJ= \
386     s2_meth.o s2_srvr.o s2_clnt.o s2_lib.o s2_enc.o s2_pkt.o \
387     s3_meth.o s3_srvr.o s3_clnt.o s3_lib.o s3_enc.o s3_pkt.o s3_both.o \
388     @@ -41,7 +41,7 @@ LIBOBJ= \
389     ssl_lib.o ssl_err2.o ssl_cert.o ssl_sess.o \
390     ssl_ciph.o ssl_stat.o ssl_rsa.o \
391     ssl_asn1.o ssl_txt.o ssl_algs.o \
392     - bio_ssl.o ssl_err.o kssl.o
393     + bio_ssl.o ssl_err.o kssl.o t1_reneg.o
394    
395     SRC= $(LIBSRC)
396    
397     diff -up openssl-fips-0.9.8e/ssl/ssl_err.c.reneg openssl-fips-0.9.8e/ssl/ssl_err.c
398     --- openssl-fips-0.9.8e/ssl/ssl_err.c.reneg 2010-02-18 15:58:31.000000000 +0100
399     +++ openssl-fips-0.9.8e/ssl/ssl_err.c 2010-02-18 15:58:31.000000000 +0100
400     @@ -168,8 +168,12 @@ static ERR_STRING_DATA SSL_str_functs[]=
401     {ERR_FUNC(SSL_F_SSL3_SETUP_KEY_BLOCK), "SSL3_SETUP_KEY_BLOCK"},
402     {ERR_FUNC(SSL_F_SSL3_WRITE_BYTES), "SSL3_WRITE_BYTES"},
403     {ERR_FUNC(SSL_F_SSL3_WRITE_PENDING), "SSL3_WRITE_PENDING"},
404     +{ERR_FUNC(SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT), "SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT"},
405     +{ERR_FUNC(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT), "SSL_ADD_CLIENTHELLO_TLSEXT"},
406     {ERR_FUNC(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK), "SSL_add_dir_cert_subjects_to_stack"},
407     {ERR_FUNC(SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK), "SSL_add_file_cert_subjects_to_stack"},
408     +{ERR_FUNC(SSL_F_SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT), "SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT"},
409     +{ERR_FUNC(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT), "SSL_ADD_SERVERHELLO_TLSEXT"},
410     {ERR_FUNC(SSL_F_SSL_BAD_METHOD), "SSL_BAD_METHOD"},
411     {ERR_FUNC(SSL_F_SSL_BYTES_TO_CIPHER_LIST), "SSL_BYTES_TO_CIPHER_LIST"},
412     {ERR_FUNC(SSL_F_SSL_CERT_DUP), "SSL_CERT_DUP"},
413     @@ -208,6 +212,10 @@ static ERR_STRING_DATA SSL_str_functs[]=
414     {ERR_FUNC(SSL_F_SSL_INIT_WBIO_BUFFER), "SSL_INIT_WBIO_BUFFER"},
415     {ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE), "SSL_load_client_CA_file"},
416     {ERR_FUNC(SSL_F_SSL_NEW), "SSL_new"},
417     +{ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT), "SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT"},
418     +{ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT), "SSL_PARSE_CLIENTHELLO_TLSEXT"},
419     +{ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT), "SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT"},
420     +{ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT), "SSL_PARSE_SERVERHELLO_TLSEXT"},
421     {ERR_FUNC(SSL_F_SSL_PEEK), "SSL_peek"},
422     {ERR_FUNC(SSL_F_SSL_READ), "SSL_read"},
423     {ERR_FUNC(SSL_F_SSL_RSA_PRIVATE_DECRYPT), "SSL_RSA_PRIVATE_DECRYPT"},
424     @@ -371,6 +379,7 @@ static ERR_STRING_DATA SSL_str_reasons[]
425     {ERR_REASON(SSL_R_NO_PRIVATE_KEY_ASSIGNED),"no private key assigned"},
426     {ERR_REASON(SSL_R_NO_PROTOCOLS_AVAILABLE),"no protocols available"},
427     {ERR_REASON(SSL_R_NO_PUBLICKEY) ,"no publickey"},
428     +{ERR_REASON(SSL_R_NO_RENEGOTIATION) ,"no renegotiation"},
429     {ERR_REASON(SSL_R_NO_SHARED_CIPHER) ,"no shared cipher"},
430     {ERR_REASON(SSL_R_NO_VERIFY_CALLBACK) ,"no verify callback"},
431     {ERR_REASON(SSL_R_NULL_SSL_CTX) ,"null ssl ctx"},
432     @@ -378,6 +387,7 @@ static ERR_STRING_DATA SSL_str_reasons[]
433     {ERR_REASON(SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED),"old session cipher not returned"},
434     {ERR_REASON(SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE),"only tls allowed in fips mode"},
435     {ERR_REASON(SSL_R_PACKET_LENGTH_TOO_LONG),"packet length too long"},
436     +{ERR_REASON(SSL_R_PARSE_TLSEXT) ,"parse tlsext"},
437     {ERR_REASON(SSL_R_PATH_TOO_LONG) ,"path too long"},
438     {ERR_REASON(SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE),"peer did not return a certificate"},
439     {ERR_REASON(SSL_R_PEER_ERROR) ,"peer error"},
440     @@ -397,10 +407,14 @@ static ERR_STRING_DATA SSL_str_reasons[]
441     {ERR_REASON(SSL_R_RECORD_LENGTH_MISMATCH),"record length mismatch"},
442     {ERR_REASON(SSL_R_RECORD_TOO_LARGE) ,"record too large"},
443     {ERR_REASON(SSL_R_RECORD_TOO_SMALL) ,"record too small"},
444     +{ERR_REASON(SSL_R_RENEGOTIATE_EXT_TOO_LONG),"renegotiate ext too long"},
445     +{ERR_REASON(SSL_R_RENEGOTIATION_ENCODING_ERR),"renegotiation encoding err"},
446     +{ERR_REASON(SSL_R_RENEGOTIATION_MISMATCH),"renegotiation mismatch"},
447     {ERR_REASON(SSL_R_REQUIRED_CIPHER_MISSING),"required cipher missing"},
448     {ERR_REASON(SSL_R_REUSE_CERT_LENGTH_NOT_ZERO),"reuse cert length not zero"},
449     {ERR_REASON(SSL_R_REUSE_CERT_TYPE_NOT_ZERO),"reuse cert type not zero"},
450     {ERR_REASON(SSL_R_REUSE_CIPHER_LIST_NOT_ZERO),"reuse cipher list not zero"},
451     +{ERR_REASON(SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING),"scsv received when renegotiating"},
452     {ERR_REASON(SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED),"session id context uninitialized"},
453     {ERR_REASON(SSL_R_SHORT_READ) ,"short read"},
454     {ERR_REASON(SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE),"signature for non signing certificate"},
455     @@ -466,6 +480,7 @@ static ERR_STRING_DATA SSL_str_reasons[]
456     {ERR_REASON(SSL_R_UNKNOWN_REMOTE_ERROR_TYPE),"unknown remote error type"},
457     {ERR_REASON(SSL_R_UNKNOWN_SSL_VERSION) ,"unknown ssl version"},
458     {ERR_REASON(SSL_R_UNKNOWN_STATE) ,"unknown state"},
459     +{ERR_REASON(SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED),"unsafe legacy renegotiation disabled"},
460     {ERR_REASON(SSL_R_UNSUPPORTED_CIPHER) ,"unsupported cipher"},
461     {ERR_REASON(SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM),"unsupported compression algorithm"},
462     {ERR_REASON(SSL_R_UNSUPPORTED_ELLIPTIC_CURVE),"unsupported elliptic curve"},
463     diff -up openssl-fips-0.9.8e/ssl/ssl.h.reneg openssl-fips-0.9.8e/ssl/ssl.h
464     --- openssl-fips-0.9.8e/ssl/ssl.h.reneg 2010-02-18 15:58:31.000000000 +0100
465     +++ openssl-fips-0.9.8e/ssl/ssl.h 2010-02-18 15:58:31.000000000 +0100
466     @@ -480,6 +480,8 @@ typedef struct ssl_session_st
467    
468     #define SSL_OP_MICROSOFT_SESS_ID_BUG 0x00000001L
469     #define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x00000002L
470     +/* Allow initial connection to servers that don't support RI */
471     +#define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L
472     #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L /* can break some security expectations */
473     #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L
474     #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L
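Review bot: SSL_OP_LEGACY_SERVER_CONNECT takes the previously unused 0x00000004L bit in the low bug-workaround range; if SSL_OP_ALL in this header (outside the hunk) is a mask over these low bits, SSL_OP_ALL now implies SSL_OP_LEGACY_SERVER_CONNECT, which applications passing SSL_OP_ALL should be told. The s_client hunk on this page applies the clear after `SSL_CTX_set_options(ctx,SSL_OP_ALL|off)`, which is the right order for that case, but the header comment should state the lifecycle either way: extend it to `/* Allow initial connection to servers that don't support RI. Set by default in SSL_CTX_new(); clear with SSL_CTX_clear_options(). */`, the default being visible in the ssl_lib.c hunk on this page.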
475     @@ -506,6 +508,8 @@ typedef struct ssl_session_st
476    
477     /* As server, disallow session resumption on renegotiation */
478     #define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0x00010000L
479     +/* Permit unsafe legacy renegotiation */
480     +#define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x00040000L
481     /* If set, always create a new key when using tmp_ecdh parameters */
482     #define SSL_OP_SINGLE_ECDH_USE 0x00080000L
483     /* If set, always create a new key when using tmp_dh parameters */
484     @@ -554,17 +558,25 @@ typedef struct ssl_session_st
485    
486     #define SSL_CTX_set_options(ctx,op) \
487     SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,(op),NULL)
488     +#define SSL_CTX_clear_options(ctx,op) \
489     + SSL_CTX_ctrl((ctx),SSL_CTRL_CLEAR_OPTIONS,(op),NULL)
490     #define SSL_CTX_get_options(ctx) \
491     SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,0,NULL)
492     #define SSL_set_options(ssl,op) \
493     SSL_ctrl((ssl),SSL_CTRL_OPTIONS,(op),NULL)
494     +#define SSL_clear_options(ssl,op) \
495     + SSL_ctrl((ssl),SSL_CTRL_CLEAR_OPTIONS,(op),NULL)
496     #define SSL_get_options(ssl) \
497     SSL_ctrl((ssl),SSL_CTRL_OPTIONS,0,NULL)
498    
499     #define SSL_CTX_set_mode(ctx,op) \
500     SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,(op),NULL)
501     +#define SSL_CTX_clear_mode(ctx,op) \
502     + SSL_CTX_ctrl((ctx),SSL_CTRL_CLEAR_MODE,(op),NULL)
503     #define SSL_CTX_get_mode(ctx) \
504     SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,0,NULL)
505     +#define SSL_clear_mode(ssl,op) \
506     + SSL_ctrl((ssl),SSL_CTRL_CLEAR_MODE,(op),NULL)
507     #define SSL_set_mode(ssl,op) \
508     SSL_ctrl((ssl),SSL_CTRL_MODE,(op),NULL)
509     #define SSL_get_mode(ssl) \
510     @@ -572,6 +584,8 @@ typedef struct ssl_session_st
511     #define SSL_set_mtu(ssl, mtu) \
512     SSL_ctrl((ssl),SSL_CTRL_SET_MTU,(mtu),NULL)
513    
514     +#define SSL_get_secure_renegotiation_support(ssl) \
515     + SSL_ctrl((ssl), SSL_CTRL_GET_RI_SUPPORT, 0, NULL)
516    
517     void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
518     void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
519     @@ -1189,6 +1203,10 @@ size_t SSL_get_peer_finished(const SSL *
520     #define SSL_CTRL_GET_MAX_CERT_LIST 50
521     #define SSL_CTRL_SET_MAX_CERT_LIST 51
522    
523     +#define SSL_CTRL_GET_RI_SUPPORT 76
524     +#define SSL_CTRL_CLEAR_OPTIONS 77
525     +#define SSL_CTRL_CLEAR_MODE 78
526     +
527     #define SSL_session_reused(ssl) \
528     SSL_ctrl((ssl),SSL_CTRL_GET_SESSION_REUSED,0,NULL)
529     #define SSL_num_renegotiations(ssl) \
530     @@ -1650,8 +1668,12 @@ void ERR_load_SSL_strings(void);
531     #define SSL_F_SSL3_SETUP_KEY_BLOCK 157
532     #define SSL_F_SSL3_WRITE_BYTES 158
533     #define SSL_F_SSL3_WRITE_PENDING 159
534     +#define SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT 285
535     +#define SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT 272
536     #define SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK 215
537     #define SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK 216
538     +#define SSL_F_SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT 286
539     +#define SSL_F_SSL_ADD_SERVERHELLO_TLSEXT 273
540     #define SSL_F_SSL_BAD_METHOD 160
541     #define SSL_F_SSL_BYTES_TO_CIPHER_LIST 161
542     #define SSL_F_SSL_CERT_DUP 221
543     @@ -1690,6 +1712,10 @@ void ERR_load_SSL_strings(void);
544     #define SSL_F_SSL_INIT_WBIO_BUFFER 184
545     #define SSL_F_SSL_LOAD_CLIENT_CA_FILE 185
546     #define SSL_F_SSL_NEW 186
547     +#define SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT 287
548     +#define SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT 290
549     +#define SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT 289
550     +#define SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT 291
551     #define SSL_F_SSL_PEEK 270
552     #define SSL_F_SSL_READ 223
553     #define SSL_F_SSL_RSA_PRIVATE_DECRYPT 187
554     @@ -1850,6 +1876,7 @@ void ERR_load_SSL_strings(void);
555     #define SSL_R_NO_PRIVATE_KEY_ASSIGNED 190
556     #define SSL_R_NO_PROTOCOLS_AVAILABLE 191
557     #define SSL_R_NO_PUBLICKEY 192
558     +#define SSL_R_NO_RENEGOTIATION 319
559     #define SSL_R_NO_SHARED_CIPHER 193
560     #define SSL_R_NO_VERIFY_CALLBACK 194
561     #define SSL_R_NULL_SSL_CTX 195
562     @@ -1857,6 +1884,7 @@ void ERR_load_SSL_strings(void);
563     #define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 197
564     #define SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE 297
565     #define SSL_R_PACKET_LENGTH_TOO_LONG 198
566     +#define SSL_R_PARSE_TLSEXT 223
567     #define SSL_R_PATH_TOO_LONG 270
568     #define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE 199
569     #define SSL_R_PEER_ERROR 200
570     @@ -1876,10 +1904,14 @@ void ERR_load_SSL_strings(void);
571     #define SSL_R_RECORD_LENGTH_MISMATCH 213
572     #define SSL_R_RECORD_TOO_LARGE 214
573     #define SSL_R_RECORD_TOO_SMALL 298
574     +#define SSL_R_RENEGOTIATE_EXT_TOO_LONG 320
575     +#define SSL_R_RENEGOTIATION_ENCODING_ERR 321
576     +#define SSL_R_RENEGOTIATION_MISMATCH 322
577     #define SSL_R_REQUIRED_CIPHER_MISSING 215
578     #define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO 216
579     #define SSL_R_REUSE_CERT_TYPE_NOT_ZERO 217
580     #define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO 218
581     +#define SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING 324
582     #define SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED 277
583     #define SSL_R_SHORT_READ 219
584     #define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 220
585     @@ -1945,6 +1977,7 @@ void ERR_load_SSL_strings(void);
586     #define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE 253
587     #define SSL_R_UNKNOWN_SSL_VERSION 254
588     #define SSL_R_UNKNOWN_STATE 255
589     +#define SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED 323
590     #define SSL_R_UNSUPPORTED_CIPHER 256
591     #define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 257
592     #define SSL_R_UNSUPPORTED_ELLIPTIC_CURVE 315
593     diff -up openssl-fips-0.9.8e/ssl/ssl_lib.c.reneg openssl-fips-0.9.8e/ssl/ssl_lib.c
594     --- openssl-fips-0.9.8e/ssl/ssl_lib.c.reneg 2010-02-18 15:58:31.000000000 +0100
595     +++ openssl-fips-0.9.8e/ssl/ssl_lib.c 2010-02-18 16:10:30.000000000 +0100
596     @@ -958,8 +958,12 @@ long SSL_ctrl(SSL *s,int cmd,long larg,v
597    
598     case SSL_CTRL_OPTIONS:
599     return(s->options|=larg);
600     + case SSL_CTRL_CLEAR_OPTIONS:
601     + return(s->options&=~larg);
602     case SSL_CTRL_MODE:
603     return(s->mode|=larg);
604     + case SSL_CTRL_CLEAR_MODE:
605     + return(s->mode &=~larg);
606     case SSL_CTRL_GET_MAX_CERT_LIST:
607     return(s->max_cert_list);
608     case SSL_CTRL_SET_MAX_CERT_LIST:
609     @@ -973,6 +977,10 @@ long SSL_ctrl(SSL *s,int cmd,long larg,v
610     return larg;
611     }
612     return 0;
613     + case SSL_CTRL_GET_RI_SUPPORT:
614     + if (s->s3)
615     + return s->s3->send_connection_binding;
616     + else return 0;
617     default:
618     return(s->method->ssl_ctrl(s,cmd,larg,parg));
619     }
620     @@ -1059,8 +1067,12 @@ long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd,l
621     return(ctx->stats.sess_cache_full);
622     case SSL_CTRL_OPTIONS:
623     return(ctx->options|=larg);
624     + case SSL_CTRL_CLEAR_OPTIONS:
625     + return(ctx->options&=~larg);
626     case SSL_CTRL_MODE:
627     return(ctx->mode|=larg);
628     + case SSL_CTRL_CLEAR_MODE:
629     + return(ctx->mode&=~larg);
630     default:
631     return(ctx->method->ssl_ctx_ctrl(ctx,cmd,larg,parg));
632     }
633     @@ -1257,6 +1269,22 @@ int ssl_cipher_list_to_bytes(SSL *s,STAC
634     j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p);
635     p+=j;
636     }
637     + /* If p == q, no ciphers and caller indicates an error. Otherwise
638     + * add SCSV if not renegotiating.
639     + */
640     + if (p != q && !s->new_session)
641     + {
642     + static SSL_CIPHER scsv =
643     + {
644     + 0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0,
645     + };
646     + j = put_cb ? put_cb(&scsv,p) : ssl_put_cipher_by_char(s,&scsv,p);
647     + p+=j;
648     +#ifdef OPENSSL_RI_DEBUG
649     + fprintf(stderr, "SCSV sent by client\n");
650     +#endif
651     + }
652     +
653     return(p-q);
654     }
655    
656     @@ -1266,6 +1294,8 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_ciphe
657     SSL_CIPHER *c;
658     STACK_OF(SSL_CIPHER) *sk;
659     int i,n;
660     + if (s->s3)
661     + s->s3->send_connection_binding = 0;
662    
663     n=ssl_put_cipher_by_char(s,NULL,NULL);
664     if ((num%n) != 0)
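Review bot: The reset of `s->s3->send_connection_binding` at the top of ssl_bytes_to_cipher_list is uncommented, and nothing nearby says that a later SCSV match or a renegotiation_info extension is what sets it back to 1. A one-line comment would save the next reader a search across three files: `/* Clear RI state; set again below if the SCSV is present, or by ssl_parse_clienthello_tlsext if the extension is */`. The function continues past both edges of the hunk.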
665     @@ -1283,6 +1313,26 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_ciphe
666    
667     for (i=0; i<num; i+=n)
668     {
669     + /* Check for SCSV */
670     + if (s->s3 && (n != 3 || !p[0]) &&
671     + (p[n-2] == ((SSL3_CK_SCSV >> 8) & 0xff)) &&
672     + (p[n-1] == (SSL3_CK_SCSV & 0xff)))
673     + {
674     + /* SCSV fatal if renegotiating */
675     + if (s->new_session)
676     + {
677     + SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
678     + ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
679     + goto err;
680     + }
681     + s->s3->send_connection_binding = 1;
682     + p += n;
683     +#ifdef OPENSSL_RI_DEBUG
684     + fprintf(stderr, "SCSV received by server\n");
685     +#endif
686     + continue;
687     + }
688     +
689     c=ssl_get_cipher_by_char(s,p);
690     p+=n;
691     if (c != NULL)
692     @@ -1461,6 +1511,11 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *meth)
693     ret->extra_certs=NULL;
694     ret->comp_methods=SSL_COMP_get_compression_methods();
695    
696     + /* Default is to connect to non-RI servers. When RI is more widely
697     + * deployed might change this.
698     + */
699     + ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
700     +
701     return(ret);
702     err:
703     SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE);
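Review bot: `SSL_OP_LEGACY_SERVER_CONNECT` is set unconditionally in SSL_CTX_new, so every client context starts out accepting servers that send no renegotiation_info on the initial handshake; ssl_parse_serverhello_tlsext only enforces RI when that bit is clear. The comment gives the compatibility motive but not how an application opts into strict behaviour, which on this tree is the new SSL_CTRL_CLEAR_OPTIONS ctrl added earlier in the same file. Suggest extending the comment: `/* Applications that require RI from servers must clear this bit (SSL_CTRL_CLEAR_OPTIONS). */`. SSL_CTX_new continues outside the hunk.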
704     diff -up openssl-fips-0.9.8e/ssl/ssl_locl.h.reneg openssl-fips-0.9.8e/ssl/ssl_locl.h
705     --- openssl-fips-0.9.8e/ssl/ssl_locl.h.reneg 2010-02-18 15:58:31.000000000 +0100
706     +++ openssl-fips-0.9.8e/ssl/ssl_locl.h 2010-02-18 15:58:31.000000000 +0100
707     @@ -934,5 +934,17 @@ int check_srvr_ecc_cert_and_alg(X509 *x,
708    
709     SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n);
710    
711     +unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit);
712     +unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit);
713     +int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);
714     +int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);
715     +int ssl_add_serverhello_renegotiate_ext(SSL *s, unsigned char *p, int *len,
716     + int maxlen);
717     +int ssl_parse_serverhello_renegotiate_ext(SSL *s, unsigned char *d, int len,
718     + int *al);
719     +int ssl_add_clienthello_renegotiate_ext(SSL *s, unsigned char *p, int *len,
720     + int maxlen);
721     +int ssl_parse_clienthello_renegotiate_ext(SSL *s, unsigned char *d, int len,
722     + int *al);
723    
724     #endif
725     diff -up openssl-fips-0.9.8e/ssl/ssl3.h.reneg openssl-fips-0.9.8e/ssl/ssl3.h
726     --- openssl-fips-0.9.8e/ssl/ssl3.h.reneg 2010-02-18 15:58:31.000000000 +0100
727     +++ openssl-fips-0.9.8e/ssl/ssl3.h 2010-02-18 15:58:31.000000000 +0100
728     @@ -129,6 +129,9 @@
729     extern "C" {
730     #endif
731    
732     +/* Signalling cipher suite value: from draft-ietf-tls-renegotiation-03.txt */
733     +#define SSL3_CK_SCSV 0x030000FF
734     +
735     #define SSL3_CK_RSA_NULL_MD5 0x03000001
736     #define SSL3_CK_RSA_NULL_SHA 0x03000002
737     #define SSL3_CK_RSA_RC4_40_MD5 0x03000003
738     @@ -437,6 +440,12 @@ typedef struct ssl3_state_st
739     int cert_request;
740     } tmp;
741    
742     + /* Connection binding to prevent renegotiation attacks */
743     + unsigned char previous_client_finished[EVP_MAX_MD_SIZE];
744     + unsigned char previous_client_finished_len;
745     + unsigned char previous_server_finished[EVP_MAX_MD_SIZE];
746     + unsigned char previous_server_finished_len;
747     + int send_connection_binding; /* TODOEKR */
748     } SSL3_STATE;
749    
750    
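Review bot: The `/* TODOEKR */` placeholder on `send_connection_binding` should be replaced by a description of the field, since several other files in this patch now branch on it. Suggest `int send_connection_binding; /* nonzero once the peer has signalled RI support (SCSV or renegotiation_info) in this handshake */`. It would also help to state on the `previous_*_finished_len` fields that they hold at most EVP_MAX_MD_SIZE (asserted in s3_both.c), which is why `unsigned char` suffices; whether ssl3_clear zeroes these new fields between handshakes is not visible here and should be confirmed.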
751     diff -up openssl-fips-0.9.8e/ssl/s23_clnt.c.reneg openssl-fips-0.9.8e/ssl/s23_clnt.c
752     --- openssl-fips-0.9.8e/ssl/s23_clnt.c.reneg 2007-03-22 01:39:13.000000000 +0100
753     +++ openssl-fips-0.9.8e/ssl/s23_clnt.c 2010-02-18 16:07:51.000000000 +0100
754     @@ -368,6 +368,11 @@ static int ssl23_client_hello(SSL *s)
755     *(p++)=comp->id;
756     }
757     *(p++)=0; /* Add the NULL method */
758     + if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
759     + {
760     + SSLerr(SSL_F_SSL23_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
761     + return -1;
762     + }
763    
764     l = p-d;
765     *p = 42;
766     diff -up openssl-fips-0.9.8e/ssl/s3_both.c.reneg openssl-fips-0.9.8e/ssl/s3_both.c
767     --- openssl-fips-0.9.8e/ssl/s3_both.c.reneg 2005-04-26 18:02:39.000000000 +0200
768     +++ openssl-fips-0.9.8e/ssl/s3_both.c 2010-02-18 15:58:31.000000000 +0100
769     @@ -168,6 +168,23 @@ int ssl3_send_finished(SSL *s, int a, in
770     p+=i;
771     l=i;
772    
773     + /* Copy the finished so we can use it for
774     + renegotiation checks */
775     + if(s->type == SSL_ST_CONNECT)
776     + {
777     + OPENSSL_assert(i <= EVP_MAX_MD_SIZE);
778     + memcpy(s->s3->previous_client_finished,
779     + s->s3->tmp.finish_md, i);
780     + s->s3->previous_client_finished_len=i;
781     + }
782     + else
783     + {
784     + OPENSSL_assert(i <= EVP_MAX_MD_SIZE);
785     + memcpy(s->s3->previous_server_finished,
786     + s->s3->tmp.finish_md, i);
787     + s->s3->previous_server_finished_len=i;
788     + }
789     +
790     #ifdef OPENSSL_SYS_WIN16
791     /* MSVC 1.5 does not clear the top bytes of the word unless
792     * I do this.
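Review bot: In ssl3_send_finished the `OPENSSL_assert(i <= EVP_MAX_MD_SIZE)` is repeated in both arms of the `if`, and the same duplication appears in the ssl3_get_finished hunk below (ending at the `f_err:` context). Hoisting it above the branch — a single `OPENSSL_assert(i <= EVP_MAX_MD_SIZE);` before `if(s->type == SSL_ST_CONNECT)` — makes the bound that protects both the `memcpy` and the `unsigned char` length fields visible in one place. The comment could also say that this bound is what keeps the assignment to `previous_client_finished_len` from truncating. Both functions start outside their hunks.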
793     @@ -232,6 +249,23 @@ int ssl3_get_finished(SSL *s, int a, int
794     goto f_err;
795     }
796    
797     + /* Copy the finished so we can use it for
798     + renegotiation checks */
799     + if(s->type == SSL_ST_ACCEPT)
800     + {
801     + OPENSSL_assert(i <= EVP_MAX_MD_SIZE);
802     + memcpy(s->s3->previous_client_finished,
803     + s->s3->tmp.peer_finish_md, i);
804     + s->s3->previous_client_finished_len=i;
805     + }
806     + else
807     + {
808     + OPENSSL_assert(i <= EVP_MAX_MD_SIZE);
809     + memcpy(s->s3->previous_server_finished,
810     + s->s3->tmp.peer_finish_md, i);
811     + s->s3->previous_server_finished_len=i;
812     + }
813     +
814     return(1);
815     f_err:
816     ssl3_send_alert(s,SSL3_AL_FATAL,al);
817     diff -up openssl-fips-0.9.8e/ssl/s3_clnt.c.reneg openssl-fips-0.9.8e/ssl/s3_clnt.c
818     --- openssl-fips-0.9.8e/ssl/s3_clnt.c.reneg 2010-02-18 15:58:31.000000000 +0100
819     +++ openssl-fips-0.9.8e/ssl/s3_clnt.c 2010-02-18 15:58:31.000000000 +0100
820     @@ -601,7 +601,11 @@ int ssl3_client_hello(SSL *s)
821     }
822     #endif
823     *(p++)=0; /* Add the NULL method */
824     -
825     + if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
826     + {
827     + SSLerr(SSL_F_SSL3_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
828     + goto err;
829     + }
830     l=(p-d);
831     d=buf;
832     *(d++)=SSL3_MT_CLIENT_HELLO;
833     @@ -635,7 +639,7 @@ int ssl3_get_server_hello(SSL *s)
834     SSL3_ST_CR_SRVR_HELLO_A,
835     SSL3_ST_CR_SRVR_HELLO_B,
836     -1,
837     - 300, /* ?? */
838     + 1000, /* ?? */
839     &ok);
840    
841     if (!ok) return((int)n);
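Review bot: The maximum ServerHello message size is raised from 300 to 1000 but the `/* ?? */` comment is kept, so the reason for the new value is lost. Since this tree now parses extensions out of the ServerHello (the ssl_parse_serverhello_tlsext hunk below), the comment should say so: `1000, /* raised: ServerHello may now carry TLS extensions (renegotiation_info) */`. ssl3_get_server_hello continues outside the hunk.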
842     @@ -785,6 +789,17 @@ int ssl3_get_server_hello(SSL *s)
843     s->s3->tmp.new_compression=comp;
844     }
845     #endif
846     + /* TLS extensions - we parse renegotiate extension only */
847     + if (s->version >= SSL3_VERSION)
848     + {
849     + if (!ssl_parse_serverhello_tlsext(s,&p,d,n, &al))
850     + {
851     + /* 'al' set by ssl_parse_serverhello_tlsext */
852     + SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_PARSE_TLSEXT);
853     + goto f_err;
854     + }
855     + }
856     +
857    
858     if (p != (d+n))
859     {
860     diff -up openssl-fips-0.9.8e/ssl/s3_pkt.c.reneg openssl-fips-0.9.8e/ssl/s3_pkt.c
861     --- openssl-fips-0.9.8e/ssl/s3_pkt.c.reneg 2010-02-18 15:58:31.000000000 +0100
862     +++ openssl-fips-0.9.8e/ssl/s3_pkt.c 2010-02-18 15:58:31.000000000 +0100
863     @@ -1013,7 +1013,25 @@ start:
864     * now try again to obtain the (application) data we were asked for */
865     goto start;
866     }
867     -
868     + /* If we are a server and get a client hello when renegotiation isn't
869     + * allowed send back a no renegotiation alert and carry on.
870     + * WARNING: experimental code, needs reviewing (steve)
871     + */
872     + if (s->server &&
873     + SSL_is_init_finished(s) &&
874     + !s->s3->send_connection_binding &&
875     + (s->version > SSL3_VERSION) &&
876     + (s->s3->handshake_fragment_len >= 4) &&
877     + (s->s3->handshake_fragment[0] == SSL3_MT_CLIENT_HELLO) &&
878     + (s->session != NULL) && (s->session->cipher != NULL) &&
879     + !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
880     +
881     + {
882     + /*s->s3->handshake_fragment_len = 0;*/
883     + rr->length = 0;
884     + ssl3_send_alert(s,SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION);
885     + goto start;
886     + }
887     if (s->s3->alert_fragment_len >= 2)
888     {
889     int alert_level = s->s3->alert_fragment[0];
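Review bot: The no_renegotiation short-circuit tests `s->ctx->options` for `SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION`, whereas ssl3_accept and ssl_parse_clienthello_tlsext in this same patch test `s->options`. An application that enables the option on the SSL object rather than on the context therefore gets inconsistent behaviour: the record layer answers the renegotiation ClientHello with a warning alert and discards it, so the per-connection setting is never consulted. Use the per-connection copy here as well: `!(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))`. The commented-out `handshake_fragment_len = 0` and the "experimental code, needs reviewing" marker should be resolved rather than shipped. ssl3_read_bytes continues outside the hunk.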
890     @@ -1043,6 +1061,21 @@ start:
891     s->shutdown |= SSL_RECEIVED_SHUTDOWN;
892     return(0);
893     }
894     + /* This is a warning but we receive it if we requested
895     + * renegotiation and the peer denied it. Terminate with
896     + * a fatal alert because if application tried to
897     + * renegotiatie it presumably had a good reason and
898     + * expects it to succeed.
899     + *
900     + * In future we might have a renegotiation where we
901     + * don't care if the peer refused it where we carry on.
902     + */
903     + else if (alert_descr == SSL_AD_NO_RENEGOTIATION)
904     + {
905     + al = SSL_AD_HANDSHAKE_FAILURE;
906     + SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_NO_RENEGOTIATION);
907     + goto f_err;
908     + }
909     }
910     else if (alert_level == 2) /* fatal */
911     {
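Review bot: The explanatory comment sits between the closing brace of the preceding `if` and the new `else if`, which reads as if the chain had ended; moving it inside the `else if` block keeps it with the code it describes. The comment also has a typo, `renegotiatie`. The `if` chain this branch extends begins outside the hunk.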
912     diff -up openssl-fips-0.9.8e/ssl/s3_srvr.c.reneg openssl-fips-0.9.8e/ssl/s3_srvr.c
913     --- openssl-fips-0.9.8e/ssl/s3_srvr.c.reneg 2010-02-18 15:58:31.000000000 +0100
914     +++ openssl-fips-0.9.8e/ssl/s3_srvr.c 2010-02-18 15:58:31.000000000 +0100
915     @@ -248,6 +248,18 @@ int ssl3_accept(SSL *s)
916     s->state=SSL3_ST_SR_CLNT_HELLO_A;
917     s->ctx->stats.sess_accept++;
918     }
919     + else if (!s->s3->send_connection_binding &&
920     + !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
921     + {
922     + /* Server attempting to renegotiate with
923     + * client that doesn't support secure
924     + * renegotiation.
925     + */
926     + SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
927     + ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
928     + ret = -1;
929     + goto end;
930     + }
931     else
932     {
933     /* s->state == SSL_ST_RENEGOTIATE,
934     @@ -898,6 +910,16 @@ int ssl3_get_client_hello(SSL *s)
935     goto f_err;
936     }
937    
938     + /* TLS extensions - just parsing the renegotiation extension */
939     + if (s->version >= SSL3_VERSION)
940     + {
941     + if (!ssl_parse_clienthello_tlsext(s,&p,d,n, &al))
942     + {
943     + /* 'al' set by ssl_parse_clienthello_tlsext */
944     + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_PARSE_TLSEXT);
945     + goto f_err;
946     + }
947     + }
948     /* Worst case, we will use the NULL compression, but if we have other
949     * options, we will now look for them. We have i-1 compression
950     * algorithms from the client, starting at q. */
951     @@ -1089,20 +1111,24 @@ int ssl3_send_server_hello(SSL *s)
952     else
953     *(p++)=s->s3->tmp.new_compression->id;
954     #endif
955     -
956     + if ((p = ssl_add_serverhello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
957     + {
958     + SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR);
959     + return -1;
960     + }
961     /* do the header */
962     l=(p-d);
963     d=buf;
964     *(d++)=SSL3_MT_SERVER_HELLO;
965     l2n3(l,d);
966    
967     - s->state=SSL3_ST_CW_CLNT_HELLO_B;
968     + s->state=SSL3_ST_SW_SRVR_HELLO_B;
969     /* number of bytes to write */
970     s->init_num=p-buf;
971     s->init_off=0;
972     }
973    
974     - /* SSL3_ST_CW_CLNT_HELLO_B */
975     + /* SSL3_ST_SW_SRVR_HELLO_B */
976     return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
977     }
978    
979     @@ -1126,7 +1152,7 @@ int ssl3_send_server_done(SSL *s)
980     s->init_off=0;
981     }
982    
983     - /* SSL3_ST_CW_CLNT_HELLO_B */
984     + /* SSL3_ST_SW_SRVR_DONE_B */
985     return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
986     }
987    
988     diff -up openssl-fips-0.9.8e/ssl/tls1.h.reneg openssl-fips-0.9.8e/ssl/tls1.h
989     --- openssl-fips-0.9.8e/ssl/tls1.h.reneg 2010-02-18 15:58:31.000000000 +0100
990     +++ openssl-fips-0.9.8e/ssl/tls1.h 2010-02-18 15:58:31.000000000 +0100
991     @@ -97,6 +97,9 @@ extern "C" {
992     #define TLS1_AD_USER_CANCELLED 90
993     #define TLS1_AD_NO_RENEGOTIATION 100
994    
995     +/* Temporary extension type */
996     +#define TLSEXT_TYPE_renegotiate 0xff01
997     +
998     /* Additional TLS ciphersuites from draft-ietf-tls-56-bit-ciphersuites-00.txt
999     * (available if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES is defined, see
1000     * s3_lib.c). We actually treat them like SSL 3.0 ciphers, which we probably
1001     diff -up openssl-fips-0.9.8e/ssl/t1_lib.c.reneg openssl-fips-0.9.8e/ssl/t1_lib.c
1002     --- openssl-fips-0.9.8e/ssl/t1_lib.c.reneg 2007-01-21 17:07:25.000000000 +0100
1003     +++ openssl-fips-0.9.8e/ssl/t1_lib.c 2010-02-18 16:10:05.000000000 +0100
1004     @@ -117,3 +117,202 @@ long tls1_callback_ctrl(SSL *s, int cmd,
1005     return(0);
1006     }
1007     #endif
1008     +
1009     +unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
1010     + {
1011     + int extdatalen=0;
1012     + unsigned char *ret = p;
1013     +
1014     + /* don't add extensions for SSLv3 unless doing secure renegotiation */
1015     + if (s->client_version == SSL3_VERSION
1016     + && !s->s3->send_connection_binding)
1017     + return p;
1018     +
1019     + ret+=2;
1020     +
1021     + if (ret>=limit) return NULL; /* this really never occurs, but ... */
1022     +
1023     + /* Add RI if renegotiating */
1024     + if (s->new_session)
1025     + {
1026     + int el;
1027     +
1028     + if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
1029     + {
1030     + SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1031     + return NULL;
1032     + }
1033     +
1034     + if((limit - p - 4 - el) < 0) return NULL;
1035     +
1036     + s2n(TLSEXT_TYPE_renegotiate,ret);
1037     + s2n(el,ret);
1038     +
1039     + if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
1040     + {
1041     + SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1042     + return NULL;
1043     + }
1044     +
1045     + ret += el;
1046     + }
1047     +
1048     + if ((extdatalen = ret-p-2)== 0)
1049     + return p;
1050     +
1051     + s2n(extdatalen,p);
1052     + return ret;
1053     + }
1054     +
1055     +unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
1056     + {
1057     + int extdatalen=0;
1058     + unsigned char *ret = p;
1059     +
1060     + /* don't add extensions for SSLv3, unless doing secure renegotiation */
1061     + if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
1062     + return p;
1063     +
1064     + ret+=2;
1065     + if (ret>=limit) return NULL; /* this really never occurs, but ... */
1066     +
1067     + if(s->s3->send_connection_binding)
1068     + {
1069     + int el;
1070     +
1071     + if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
1072     + {
1073     + SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1074     + return NULL;
1075     + }
1076     +
1077     + if((limit - p - 4 - el) < 0) return NULL;
1078     +
1079     + s2n(TLSEXT_TYPE_renegotiate,ret);
1080     + s2n(el,ret);
1081     +
1082     + if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
1083     + {
1084     + SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1085     + return NULL;
1086     + }
1087     +
1088     + ret += el;
1089     + }
1090     +
1091     + if ((extdatalen = ret-p-2)== 0)
1092     + return p;
1093     +
1094     + s2n(extdatalen,p);
1095     + return ret;
1096     + }
1097     +
1098     +int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
1099     + {
1100     + unsigned short type;
1101     + unsigned short size;
1102     + unsigned short len;
1103     + unsigned char *data = *p;
1104     + int renegotiate_seen = 0;
1105     +
1106     + if (data >= (d+n-2))
1107     + goto ri_check;
1108     +
1109     + n2s(data,len);
1110     +
1111     + if (data > (d+n-len))
1112     + goto ri_check;
1113     +
1114     + while (data <= (d+n-4))
1115     + {
1116     + n2s(data,type);
1117     + n2s(data,size);
1118     +
1119     + if (data+size > (d+n))
1120     + goto ri_check;
1121     +
1122     + if (type == TLSEXT_TYPE_renegotiate)
1123     + {
1124     + if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1125     + return 0;
1126     + renegotiate_seen = 1;
1127     + }
1128     +
1129     + data+=size;
1130     + }
1131     + *p = data;
1132     +
1133     + ri_check:
1134     +
1135     + /* Need RI if renegotiating */
1136     +
1137     + if (!renegotiate_seen && s->new_session &&
1138     + !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1139     + {
1140     + *al = SSL_AD_HANDSHAKE_FAILURE;
1141     + SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
1142     + SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1143     + return 0;
1144     + }
1145     +
1146     + return 1;
1147     + }
1148     +
1149     +int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
1150     + {
1151     + unsigned short type;
1152     + unsigned short size;
1153     + unsigned short len;
1154     + unsigned char *data = *p;
1155     + int renegotiate_seen = 0;
1156     +
1157     + if (data >= (d+n-2))
1158     + goto ri_check;
1159     +
1160     + n2s(data,len);
1161     +
1162     + while(data <= (d+n-4))
1163     + {
1164     + n2s(data,type);
1165     + n2s(data,size);
1166     +
1167     + if (data+size > (d+n))
1168     + goto ri_check;
1169     + if (type == TLSEXT_TYPE_renegotiate)
1170     + {
1171     + if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
1172     + return 0;
1173     + renegotiate_seen = 1;
1174     + }
1175     + data+=size;
1176     + }
1177     +
1178     + if (data != d+n)
1179     + {
1180     + *al = SSL_AD_DECODE_ERROR;
1181     + return 0;
1182     + }
1183     +
1184     + *p = data;
1185     +
1186     + ri_check:
1187     +
1188     + /* Determine if we need to see RI. Strictly speaking if we want to
1189     + * avoid an attack we should *always* see RI even on initial server
1190     + * hello because the client doesn't see any renegotiation during an
1191     + * attack. However this would mean we could not connect to any server
1192     + * which doesn't support RI so for the immediate future tolerate RI
1193     + * absence on initial connect only.
1194     + */
1195     + if (!renegotiate_seen
1196     + && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
1197     + && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1198     + {
1199     + *al = SSL_AD_HANDSHAKE_FAILURE;
1200     + SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
1201     + SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1202     + return 0;
1203     + }
1204     +
1205     + return 1;
1206     + }
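Review bot: In both parsers the two-byte extensions length `len` is read but never used as the walk bound: ssl_parse_clienthello_tlsext only checks `data > (d+n-len)` and then loops to `d+n`, and ssl_parse_serverhello_tlsext reads `len` and ignores it entirely. A hello whose declared extensions length disagrees with the bytes present is thus accepted, and in the clienthello parser an extension whose `size` overruns the message falls through to `ri_check` without advancing `*p`, leaving trailing bytes for the caller to notice (whether ssl3_get_client_hello checks `p != d+n` afterwards is not visible here). Suggest enforcing the declared length in both functions, `if (len != (d+n) - data) { *al = SSL_AD_DECODE_ERROR; return 0; }` right after each `n2s(data,len)`, and turning the overrun `goto ri_check` into the same decode_error return. The RI enforcement at `ri_check` is unaffected by this and remains correct as written.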
1207     diff -up openssl-fips-0.9.8e/ssl/t1_reneg.c.reneg openssl-fips-0.9.8e/ssl/t1_reneg.c
1208     --- openssl-fips-0.9.8e/ssl/t1_reneg.c.reneg 2010-02-18 15:58:31.000000000 +0100
1209     +++ openssl-fips-0.9.8e/ssl/t1_reneg.c 2010-02-18 15:58:31.000000000 +0100
1210     @@ -0,0 +1,292 @@
1211     +/* ssl/t1_reneg.c */
1212     +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
1213     + * All rights reserved.
1214     + *
1215     + * This package is an SSL implementation written
1216     + * by Eric Young (eay@cryptsoft.com).
1217     + * The implementation was written so as to conform with Netscapes SSL.
1218     + *
1219     + * This library is free for commercial and non-commercial use as long as
1220     + * the following conditions are aheared to. The following conditions
1221     + * apply to all code found in this distribution, be it the RC4, RSA,
1222     + * lhash, DES, etc., code; not just the SSL code. The SSL documentation
1223     + * included with this distribution is covered by the same copyright terms
1224     + * except that the holder is Tim Hudson (tjh@cryptsoft.com).
1225     + *
1226     + * Copyright remains Eric Young's, and as such any Copyright notices in
1227     + * the code are not to be removed.
1228     + * If this package is used in a product, Eric Young should be given attribution
1229     + * as the author of the parts of the library used.
1230     + * This can be in the form of a textual message at program startup or
1231     + * in documentation (online or textual) provided with the package.
1232     + *
1233     + * Redistribution and use in source and binary forms, with or without
1234     + * modification, are permitted provided that the following conditions
1235     + * are met:
1236     + * 1. Redistributions of source code must retain the copyright
1237     + * notice, this list of conditions and the following disclaimer.
1238     + * 2. Redistributions in binary form must reproduce the above copyright
1239     + * notice, this list of conditions and the following disclaimer in the
1240     + * documentation and/or other materials provided with the distribution.
1241     + * 3. All advertising materials mentioning features or use of this software
1242     + * must display the following acknowledgement:
1243     + * "This product includes cryptographic software written by
1244     + * Eric Young (eay@cryptsoft.com)"
1245     + * The word 'cryptographic' can be left out if the rouines from the library
1246     + * being used are not cryptographic related :-).
1247     + * 4. If you include any Windows specific code (or a derivative thereof) from
1248     + * the apps directory (application code) you must include an acknowledgement:
1249     + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
1250     + *
1251     + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
1252     + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1253     + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
1254     + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
1255     + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
1256     + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
1257     + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1258     + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
1259     + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
1260     + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
1261     + * SUCH DAMAGE.
1262     + *
1263     + * The licence and distribution terms for any publically available version or
1264     + * derivative of this code cannot be changed. i.e. this code cannot simply be
1265     + * copied and put under another distribution licence
1266     + * [including the GNU Public Licence.]
1267     + */
1268     +/* ====================================================================
1269     + * Copyright (c) 1998-2009 The OpenSSL Project. All rights reserved.
1270     + *
1271     + * Redistribution and use in source and binary forms, with or without
1272     + * modification, are permitted provided that the following conditions
1273     + * are met:
1274     + *
1275     + * 1. Redistributions of source code must retain the above copyright
1276     + * notice, this list of conditions and the following disclaimer.
1277     + *
1278     + * 2. Redistributions in binary form must reproduce the above copyright
1279     + * notice, this list of conditions and the following disclaimer in
1280     + * the documentation and/or other materials provided with the
1281     + * distribution.
1282     + *
1283     + * 3. All advertising materials mentioning features or use of this
1284     + * software must display the following acknowledgment:
1285     + * "This product includes software developed by the OpenSSL Project
1286     + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
1287     + *
1288     + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
1289     + * endorse or promote products derived from this software without
1290     + * prior written permission. For written permission, please contact
1291     + * openssl-core@openssl.org.
1292     + *
1293     + * 5. Products derived from this software may not be called "OpenSSL"
1294     + * nor may "OpenSSL" appear in their names without prior written
1295     + * permission of the OpenSSL Project.
1296     + *
1297     + * 6. Redistributions of any form whatsoever must retain the following
1298     + * acknowledgment:
1299     + * "This product includes software developed by the OpenSSL Project
1300     + * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
1301     + *
1302     + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
1303     + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1304     + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
1305     + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
1306     + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
1307     + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
1308     + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
1309     + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1310     + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
1311     + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
1312     + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
1313     + * OF THE POSSIBILITY OF SUCH DAMAGE.
1314     + * ====================================================================
1315     + *
1316     + * This product includes cryptographic software written by Eric Young
1317     + * (eay@cryptsoft.com). This product includes software written by Tim
1318     + * Hudson (tjh@cryptsoft.com).
1319     + *
1320     + */
1321     +#include <stdio.h>
1322     +#include <openssl/objects.h>
1323     +#include "ssl_locl.h"
1324     +
1325     +/* Add the client's renegotiation binding */
1326     +int ssl_add_clienthello_renegotiate_ext(SSL *s, unsigned char *p, int *len,
1327     + int maxlen)
1328     + {
1329     + if(p)
1330     + {
1331     + if((s->s3->previous_client_finished_len+1) > maxlen)
1332     + {
1333     + SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATE_EXT_TOO_LONG);
1334     + return 0;
1335     + }
1336     +
1337     + /* Length byte */
1338     + *p = s->s3->previous_client_finished_len;
1339     + p++;
1340     +
1341     + memcpy(p, s->s3->previous_client_finished,
1342     + s->s3->previous_client_finished_len);
1343     +#ifdef OPENSSL_RI_DEBUG
1344     + fprintf(stderr, "%s RI extension sent by client\n",
1345     + s->s3->previous_client_finished_len ? "Non-empty" : "Empty");
1346     +#endif
1347     + }
1348     +
1349     + *len=s->s3->previous_client_finished_len + 1;
1350     +
1351     +
1352     + return 1;
1353     + }
1354     +
1355     +/* Parse the client's renegotiation binding and abort if it's not
1356     + right */
1357     +int ssl_parse_clienthello_renegotiate_ext(SSL *s, unsigned char *d, int len,
1358     + int *al)
1359     + {
1360     + int ilen;
1361     +
1362     + /* Parse the length byte */
1363     + if(len < 1)
1364     + {
1365     + SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_ENCODING_ERR);
1366     + *al=SSL_AD_ILLEGAL_PARAMETER;
1367     + return 0;
1368     + }
1369     + ilen = *d;
1370     + d++;
1371     +
1372     + /* Consistency check */
1373     + if((ilen+1) != len)
1374     + {
1375     + SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_ENCODING_ERR);
1376     + *al=SSL_AD_ILLEGAL_PARAMETER;
1377     + return 0;
1378     + }
1379     +
1380     + /* Check that the extension matches */
1381     + if(ilen != s->s3->previous_client_finished_len)
1382     + {
1383     + SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_MISMATCH);
1384     + *al=SSL_AD_HANDSHAKE_FAILURE;
1385     + return 0;
1386     + }
1387     +
1388     + if(memcmp(d, s->s3->previous_client_finished,
1389     + s->s3->previous_client_finished_len))
1390     + {
1391     + SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_MISMATCH);
1392     + *al=SSL_AD_HANDSHAKE_FAILURE;
1393     + return 0;
1394     + }
1395     +#ifdef OPENSSL_RI_DEBUG
1396     + fprintf(stderr, "%s RI extension received by server\n",
1397     + ilen ? "Non-empty" : "Empty");
1398     +#endif
1399     +
1400     + s->s3->send_connection_binding=1;
1401     +
1402     + return 1;
1403     + }
1404     +
1405     +/* Add the server's renegotiation binding */
1406     +int ssl_add_serverhello_renegotiate_ext(SSL *s, unsigned char *p, int *len,
1407     + int maxlen)
1408     + {
1409     + if(p)
1410     + {
1411     + if((s->s3->previous_client_finished_len +
1412     + s->s3->previous_server_finished_len + 1) > maxlen)
1413     + {
1414     + SSLerr(SSL_F_SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATE_EXT_TOO_LONG);
1415     + return 0;
1416     + }
1417     +
1418     + /* Length byte */
1419     + *p = s->s3->previous_client_finished_len + s->s3->previous_server_finished_len;
1420     + p++;
1421     +
1422     + memcpy(p, s->s3->previous_client_finished,
1423     + s->s3->previous_client_finished_len);
1424     + p += s->s3->previous_client_finished_len;
1425     +
1426     + memcpy(p, s->s3->previous_server_finished,
1427     + s->s3->previous_server_finished_len);
1428     +#ifdef OPENSSL_RI_DEBUG
1429     + fprintf(stderr, "%s RI extension sent by server\n",
1430     + s->s3->previous_client_finished_len ? "Non-empty" : "Empty");
1431     +#endif
1432     + }
1433     +
1434     + *len=s->s3->previous_client_finished_len
1435     + + s->s3->previous_server_finished_len + 1;
1436     +
1437     + return 1;
1438     + }
1439     +
1440     +/* Parse the server's renegotiation binding and abort if it's not
1441     + right */
1442     +int ssl_parse_serverhello_renegotiate_ext(SSL *s, unsigned char *d, int len,
1443     + int *al)
1444     + {
1445     + int expected_len=s->s3->previous_client_finished_len
1446     + + s->s3->previous_server_finished_len;
1447     + int ilen;
1448     +
1449     + /* Check for logic errors */
1450     + OPENSSL_assert(!expected_len || s->s3->previous_client_finished_len);
1451     + OPENSSL_assert(!expected_len || s->s3->previous_server_finished_len);
1452     +
1453     + /* Parse the length byte */
1454     + if(len < 1)
1455     + {
1456     + SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_ENCODING_ERR);
1457     + *al=SSL_AD_ILLEGAL_PARAMETER;
1458     + return 0;
1459     + }
1460     + ilen = *d;
1461     + d++;
1462     +
1463     + /* Consistency check */
1464     + if(ilen+1 != len)
1465     + {
1466     + SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_ENCODING_ERR);
1467     + *al=SSL_AD_ILLEGAL_PARAMETER;
1468     + return 0;
1469     + }
1470     +
1471     + /* Check that the extension matches */
1472     + if(ilen != expected_len)
1473     + {
1474     + SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_MISMATCH);
1475     + *al=SSL_AD_HANDSHAKE_FAILURE;
1476     + return 0;
1477     + }
1478     +
1479     + if(memcmp(d, s->s3->previous_client_finished,
1480     + s->s3->previous_client_finished_len))
1481     + {
1482     + SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_MISMATCH);
1483     + *al=SSL_AD_HANDSHAKE_FAILURE;
1484     + return 0;
1485     + }
1486     + d += s->s3->previous_client_finished_len;
1487     +
1488     + if(memcmp(d, s->s3->previous_server_finished,
1489     + s->s3->previous_server_finished_len))
1490     + {
1491     + SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_MISMATCH);
1492     + *al=SSL_AD_ILLEGAL_PARAMETER;
1493     + return 0;
1494     + }
1495     +#ifdef OPENSSL_RI_DEBUG
1496     + fprintf(stderr, "%s RI extension received by client\n",
1497     + ilen ? "Non-empty" : "Empty");
1498     +#endif
1499     + s->s3->send_connection_binding=1;
1500     +
1501     + return 1;
1502     + }
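Review bot: ssl_parse_serverhello_renegotiate_ext reports a mismatch on the server half of the binding with `SSL_AD_ILLEGAL_PARAMETER`, while the client-half mismatch a few lines earlier and both mismatches in ssl_parse_clienthello_renegotiate_ext use `SSL_AD_HANDSHAKE_FAILURE`; the draft cited in ssl3.h specifies handshake_failure for verify-data mismatch, so the second check should also set `*al=SSL_AD_HANDSHAKE_FAILURE;`. The function-level comments would benefit from stating the wire layout each function produces or expects (one length byte followed by client_verify, or client_verify followed by server_verify on the server side), since the `+1` and `expected_len` arithmetic depends on it. Whether plain `memcmp` on the verify data is acceptable deserves a comment as well: the values travel under the existing record protection, so a timing difference is not obviously exploitable, but a constant-time compare would remove the question.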
