1 |
diff -up openssl-fips-0.9.8e/apps/s_client.c.reneg openssl-fips-0.9.8e/apps/s_client.c |
2 |
--- openssl-fips-0.9.8e/apps/s_client.c.reneg 2010-02-18 15:58:31.000000000 +0100 |
3 |
+++ openssl-fips-0.9.8e/apps/s_client.c 2010-02-18 15:58:31.000000000 +0100 |
4 |
@@ -231,7 +231,7 @@ static void sc_usage(void) |
5 |
BIO_printf(bio_err," -engine id - Initialise and use the specified engine\n"); |
6 |
#endif |
7 |
BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); |
8 |
- |
9 |
+ BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n"); |
10 |
} |
11 |
|
12 |
enum |
13 |
@@ -247,7 +247,7 @@ int MAIN(int, char **); |
14 |
|
15 |
int MAIN(int argc, char **argv) |
16 |
{ |
17 |
- int off=0; |
18 |
+ int off=0, clr = 0; |
19 |
SSL *con=NULL,*con2=NULL; |
20 |
X509_STORE *store = NULL; |
21 |
int s,k,width,state=0; |
22 |
@@ -461,6 +461,12 @@ int MAIN(int argc, char **argv) |
23 |
off|=SSL_OP_NO_SSLv2; |
24 |
else if (strcmp(*argv,"-serverpref") == 0) |
25 |
off|=SSL_OP_CIPHER_SERVER_PREFERENCE; |
26 |
+ else if (strcmp(*argv,"-legacy_renegotiation") == 0) |
27 |
+ off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION; |
28 |
+ else if (strcmp(*argv,"-legacy_server_connect") == 0) |
29 |
+ { off|=SSL_OP_LEGACY_SERVER_CONNECT; } |
30 |
+ else if (strcmp(*argv,"-no_legacy_server_connect") == 0) |
31 |
+ { clr|=SSL_OP_LEGACY_SERVER_CONNECT; } |
32 |
else if (strcmp(*argv,"-cipher") == 0) |
33 |
{ |
34 |
if (--argc < 1) goto bad; |
35 |
@@ -589,6 +595,9 @@ bad: |
36 |
SSL_CTX_set_options(ctx,SSL_OP_ALL|off); |
37 |
else |
38 |
SSL_CTX_set_options(ctx,off); |
39 |
+ |
40 |
+ if (clr) |
41 |
+ SSL_CTX_clear_options(ctx, clr); |
42 |
/* DTLS: partial reads end up discarding unread UDP bytes :-( |
43 |
* Setting read ahead solves this problem. |
44 |
*/ |
45 |
@@ -1290,6 +1299,8 @@ static void print_stuff(BIO *bio, SSL *s |
46 |
EVP_PKEY_bits(pktmp)); |
47 |
EVP_PKEY_free(pktmp); |
48 |
} |
49 |
+ BIO_printf(bio, "Secure Renegotiation IS%s supported\n", |
50 |
+ SSL_get_secure_renegotiation_support(s) ? "" : " NOT"); |
51 |
#ifndef OPENSSL_NO_COMP |
52 |
comp=SSL_get_current_compression(s); |
53 |
expansion=SSL_get_current_expansion(s); |
54 |
diff -up openssl-fips-0.9.8e/apps/s_server.c.reneg openssl-fips-0.9.8e/apps/s_server.c |
55 |
--- openssl-fips-0.9.8e/apps/s_server.c.reneg 2010-02-18 15:58:31.000000000 +0100 |
56 |
+++ openssl-fips-0.9.8e/apps/s_server.c 2010-02-18 15:58:31.000000000 +0100 |
57 |
@@ -371,6 +371,7 @@ static void sv_usage(void) |
58 |
#endif |
59 |
BIO_printf(bio_err," -id_prefix arg - Generate SSL/TLS session IDs prefixed by 'arg'\n"); |
60 |
BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); |
61 |
+ BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n"); |
62 |
} |
63 |
|
64 |
static int local_argc=0; |
65 |
@@ -700,6 +701,8 @@ int MAIN(int argc, char *argv[]) |
66 |
} |
67 |
else if (strcmp(*argv,"-serverpref") == 0) |
68 |
{ off|=SSL_OP_CIPHER_SERVER_PREFERENCE; } |
69 |
+ else if (strcmp(*argv,"-legacy_renegotiation") == 0) |
70 |
+ off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION; |
71 |
else if (strcmp(*argv,"-cipher") == 0) |
72 |
{ |
73 |
if (--argc < 1) goto bad; |
74 |
@@ -1534,6 +1537,8 @@ static int init_ssl_connection(SSL *con) |
75 |
con->kssl_ctx->client_princ); |
76 |
} |
77 |
#endif /* OPENSSL_NO_KRB5 */ |
78 |
+ BIO_printf(bio_s_out, "Secure Renegotiation IS%s supported\n", |
79 |
+ SSL_get_secure_renegotiation_support(con) ? "" : " NOT"); |
80 |
return(1); |
81 |
} |
82 |
|
83 |
diff -up openssl-fips-0.9.8e/doc/ssl/SSL_CTX_set_options.pod.reneg openssl-fips-0.9.8e/doc/ssl/SSL_CTX_set_options.pod |
84 |
--- openssl-fips-0.9.8e/doc/ssl/SSL_CTX_set_options.pod.reneg 2005-10-11 12:16:09.000000000 +0200 |
85 |
+++ openssl-fips-0.9.8e/doc/ssl/SSL_CTX_set_options.pod 2010-02-18 16:10:52.000000000 +0100 |
86 |
@@ -2,7 +2,7 @@ |
87 |
|
88 |
=head1 NAME |
89 |
|
90 |
-SSL_CTX_set_options, SSL_set_options, SSL_CTX_get_options, SSL_get_options - manipulate SSL engine options |
91 |
+SSL_CTX_set_options, SSL_set_options, SSL_CTX_clear_options, SSL_clear_options, SSL_CTX_get_options, SSL_get_options, SSL_get_secure_renegotiation_support - manipulate SSL options |
92 |
|
93 |
=head1 SYNOPSIS |
94 |
|
95 |
@@ -11,26 +11,41 @@ SSL_CTX_set_options, SSL_set_options, SS |
96 |
long SSL_CTX_set_options(SSL_CTX *ctx, long options); |
97 |
long SSL_set_options(SSL *ssl, long options); |
98 |
|
99 |
+ long SSL_CTX_clear_options(SSL_CTX *ctx, long options); |
100 |
+ long SSL_clear_options(SSL *ssl, long options); |
101 |
+ |
102 |
long SSL_CTX_get_options(SSL_CTX *ctx); |
103 |
long SSL_get_options(SSL *ssl); |
104 |
|
105 |
+ long SSL_get_secure_renegotiation_support(SSL *ssl); |
106 |
+ |
107 |
=head1 DESCRIPTION |
108 |
|
109 |
+Note: all these functions are implemented using macros. |
110 |
+ |
111 |
SSL_CTX_set_options() adds the options set via bitmask in B<options> to B<ctx>. |
112 |
Options already set before are not cleared! |
113 |
|
114 |
SSL_set_options() adds the options set via bitmask in B<options> to B<ssl>. |
115 |
Options already set before are not cleared! |
116 |
|
117 |
+SSL_CTX_clear_options() clears the options set via bitmask in B<options> |
118 |
+to B<ctx>. |
119 |
+ |
120 |
+SSL_clear_options() clears the options set via bitmask in B<options> to B<ssl>. |
121 |
+ |
122 |
SSL_CTX_get_options() returns the options set for B<ctx>. |
123 |
|
124 |
SSL_get_options() returns the options set for B<ssl>. |
125 |
|
126 |
+SSL_get_secure_renegotiation_support() indicates whether the peer supports |
127 |
+secure renegotiation. |
128 |
+ |
129 |
=head1 NOTES |
130 |
|
131 |
The behaviour of the SSL library can be changed by setting several options. |
132 |
The options are coded as bitmasks and can be combined by a logical B<or> |
133 |
-operation (|). Options can only be added but can never be reset. |
134 |
+operation (|). |
135 |
|
136 |
SSL_CTX_set_options() and SSL_set_options() affect the (external) |
137 |
protocol behaviour of the SSL library. The (internal) behaviour of |
138 |
@@ -199,17 +214,109 @@ Do not use the TLSv1 protocol. |
139 |
|
140 |
When performing renegotiation as a server, always start a new session |
141 |
(i.e., session resumption requests are only accepted in the initial |
142 |
-handshake). This option is not needed for clients. |
143 |
+handshake). This option is not needed for clients. |
144 |
+ |
145 |
+=item SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION |
146 |
+ |
147 |
+Allow legacy insecure renegotiation between OpenSSL and unpatched clients or |
148 |
+servers. See the B<SECURE RENEGOTIATION> section for more details. |
149 |
+ |
150 |
+=item SSL_OP_LEGACY_SERVER_CONNECT |
151 |
+ |
152 |
+Allow legacy insecure renegotiation between OpenSSL and unpatched servers |
153 |
+B<only>: this option is currently set by default. See the |
154 |
+B<SECURE RENEGOTIATION> section for more details. |
155 |
|
156 |
=back |
157 |
|
158 |
+=head1 SECURE RENEGOTIATION |
159 |
+ |
160 |
+OpenSSL 0.9.8m and later always attempts to use secure renegotiation as |
161 |
+described in RFC5746. This counters the prefix attack described in |
162 |
+CVE-2009-3555 and elsewhere. |
163 |
+ |
164 |
+The deprecated and highly broken SSLv2 protocol does not support |
165 |
+renegotiation at all: its use is B<strongly> discouraged. |
166 |
+ |
167 |
+This attack has far reaching consequences which application writers should be |
168 |
+aware of. In the description below an implementation supporting secure |
169 |
+renegotiation is referred to as I<patched>. A server not supporting secure |
170 |
+renegotiation is referred to as I<unpatched>. |
171 |
+ |
172 |
+The following sections describe the operations permitted by OpenSSL's secure |
173 |
+renegotiation implementation. |
174 |
+ |
175 |
+=head2 Patched client and server |
176 |
+ |
177 |
+Connections and renegotiation are always permitted by OpenSSL implementations. |
178 |
+ |
179 |
+=head2 Unpatched client and patched OpenSSL server |
180 |
+ |
181 |
+The initial connection suceeds but client renegotiation is denied by the |
182 |
+server with a B<no_renegotiation> warning alert if TLS v1.0 is used or a fatal |
183 |
+B<handshake_failure> alert in SSL v3.0. |
184 |
+ |
185 |
+If the patched OpenSSL server attempts to renegotiate a fatal |
186 |
+B<handshake_failure> alert is sent. This is because the server code may be |
187 |
+unaware of the unpatched nature of the client. |
188 |
+ |
189 |
+If the option B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> is set then |
190 |
+renegotiation B<always> succeeds. |
191 |
+ |
192 |
+B<NB:> a bug in OpenSSL clients earlier than 0.9.8m (all of which are |
193 |
+unpatched) will result in the connection hanging if it receives a |
194 |
+B<no_renegotiation> alert. OpenSSL versions 0.9.8m and later will regard |
195 |
+a B<no_renegotiation> alert as fatal and respond with a fatal |
196 |
+B<handshake_failure> alert. This is because the OpenSSL API currently has |
197 |
+no provision to indicate to an application that a renegotiation attempt |
198 |
+was refused. |
199 |
+ |
200 |
+=head2 Patched OpenSSL client and unpatched server. |
201 |
+ |
202 |
+If the option B<SSL_OP_LEGACY_SERVER_CONNECT> or |
203 |
+B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> is set then initial connections |
204 |
+and renegotiation between patched OpenSSL clients and unpatched servers |
205 |
+succeeds. If neither option is set then initial connections to unpatched |
206 |
+servers will fail. |
207 |
+ |
208 |
+The option B<SSL_OP_LEGACY_SERVER_CONNECT> is currently set by default even |
209 |
+though it has security implications: otherwise it would be impossible to |
210 |
+connect to unpatched servers (i.e. all of them initially) and this is clearly |
211 |
+not acceptable. Renegotiation is permitted because this does not add any |
212 |
+additional security issues: during an attack clients do not see any |
213 |
+renegotiations anyway. |
214 |
+ |
215 |
+As more servers become patched the option B<SSL_OP_LEGACY_SERVER_CONNECT> will |
216 |
+B<not> be set by default in a future version of OpenSSL. |
217 |
+ |
218 |
+OpenSSL client applications wishing to ensure they can connect to unpatched |
219 |
+servers should always B<set> B<SSL_OP_LEGACY_SERVER_CONNECT> |
220 |
+ |
221 |
+OpenSSL client applications that want to ensure they can B<not> connect to |
222 |
+unpatched servers (and thus avoid any security issues) should always B<clear> |
223 |
+B<SSL_OP_LEGACY_SERVER_CONNECT> using SSL_CTX_clear_options() or |
224 |
+SSL_clear_options(). |
225 |
+ |
226 |
+The difference between the B<SSL_OP_LEGACY_SERVER_CONNECT> and |
227 |
+B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> options is that |
228 |
+B<SSL_OP_LEGACY_SERVER_CONNECT> enables initial connections and secure |
229 |
+renegotiation between OpenSSL clients and unpatched servers B<only>, while |
230 |
+B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> allows initial connections |
231 |
+and renegotiation between OpenSSL and unpatched clients or servers. |
232 |
+ |
233 |
=head1 RETURN VALUES |
234 |
|
235 |
SSL_CTX_set_options() and SSL_set_options() return the new options bitmask |
236 |
after adding B<options>. |
237 |
|
238 |
+SSL_CTX_clear_options() and SSL_clear_options() return the new options bitmask |
239 |
+after clearing B<options>. |
240 |
+ |
241 |
SSL_CTX_get_options() and SSL_get_options() return the current bitmask. |
242 |
|
243 |
+SSL_get_secure_renegotiation_support() returns 1 is the peer supports |
244 |
+secure renegotiation and 0 if it does not. |
245 |
+ |
246 |
=head1 SEE ALSO |
247 |
|
248 |
L<ssl(3)|ssl(3)>, L<SSL_new(3)|SSL_new(3)>, L<SSL_clear(3)|SSL_clear(3)>, |
249 |
@@ -232,4 +339,11 @@ Versions up to OpenSSL 0.9.6c do not inc |
250 |
can be disabled with this option (in OpenSSL 0.9.6d, it was always |
251 |
enabled). |
252 |
|
253 |
+SSL_CTX_clear_options() and SSL_clear_options() were first added in OpenSSL |
254 |
+0.9.8m. |
255 |
+ |
256 |
+B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION>, B<SSL_OP_LEGACY_SERVER_CONNECT> |
257 |
+and the function SSL_get_secure_renegotiation_support() were first added in |
258 |
+OpenSSL 0.9.8m. |
259 |
+ |
260 |
=cut |
261 |
diff -up openssl-fips-0.9.8e/ssl/d1_both.c.reneg openssl-fips-0.9.8e/ssl/d1_both.c |
262 |
--- openssl-fips-0.9.8e/ssl/d1_both.c.reneg 2010-02-18 15:58:31.000000000 +0100 |
263 |
+++ openssl-fips-0.9.8e/ssl/d1_both.c 2010-02-18 15:58:31.000000000 +0100 |
264 |
@@ -750,6 +750,24 @@ int dtls1_send_finished(SSL *s, int a, i |
265 |
p+=i; |
266 |
l=i; |
267 |
|
268 |
+ /* Copy the finished so we can use it for |
269 |
+ * renegotiation checks |
270 |
+ */ |
271 |
+ if(s->type == SSL_ST_CONNECT) |
272 |
+ { |
273 |
+ OPENSSL_assert(i <= EVP_MAX_MD_SIZE); |
274 |
+ memcpy(s->s3->previous_client_finished, |
275 |
+ s->s3->tmp.finish_md, i); |
276 |
+ s->s3->previous_client_finished_len=i; |
277 |
+ } |
278 |
+ else |
279 |
+ { |
280 |
+ OPENSSL_assert(i <= EVP_MAX_MD_SIZE); |
281 |
+ memcpy(s->s3->previous_server_finished, |
282 |
+ s->s3->tmp.finish_md, i); |
283 |
+ s->s3->previous_server_finished_len=i; |
284 |
+ } |
285 |
+ |
286 |
#ifdef OPENSSL_SYS_WIN16 |
287 |
/* MSVC 1.5 does not clear the top bytes of the word unless |
288 |
* I do this. |
289 |
diff -up openssl-fips-0.9.8e/ssl/d1_clnt.c.reneg openssl-fips-0.9.8e/ssl/d1_clnt.c |
290 |
--- openssl-fips-0.9.8e/ssl/d1_clnt.c.reneg 2010-02-18 15:58:31.000000000 +0100 |
291 |
+++ openssl-fips-0.9.8e/ssl/d1_clnt.c 2010-02-18 15:58:31.000000000 +0100 |
292 |
@@ -621,7 +621,13 @@ int dtls1_client_hello(SSL *s) |
293 |
*(p++)=comp->id; |
294 |
} |
295 |
*(p++)=0; /* Add the NULL method */ |
296 |
- |
297 |
+ |
298 |
+ if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) |
299 |
+ { |
300 |
+ SSLerr(SSL_F_DTLS1_CLIENT_HELLO,ERR_R_INTERNAL_ERROR); |
301 |
+ goto err; |
302 |
+ } |
303 |
+ |
304 |
l=(p-d); |
305 |
d=buf; |
306 |
|
307 |
diff -up openssl-fips-0.9.8e/ssl/d1_srvr.c.reneg openssl-fips-0.9.8e/ssl/d1_srvr.c |
308 |
--- openssl-fips-0.9.8e/ssl/d1_srvr.c.reneg 2010-02-18 15:58:31.000000000 +0100 |
309 |
+++ openssl-fips-0.9.8e/ssl/d1_srvr.c 2010-02-18 15:58:31.000000000 +0100 |
310 |
@@ -267,7 +267,6 @@ int dtls1_accept(SSL *s) |
311 |
s->shutdown=0; |
312 |
ret=ssl3_get_client_hello(s); |
313 |
if (ret <= 0) goto end; |
314 |
- s->new_session = 2; |
315 |
|
316 |
if ( s->d1->send_cookie) |
317 |
s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A; |
318 |
@@ -293,6 +292,7 @@ int dtls1_accept(SSL *s) |
319 |
|
320 |
case SSL3_ST_SW_SRVR_HELLO_A: |
321 |
case SSL3_ST_SW_SRVR_HELLO_B: |
322 |
+ s->new_session = 2; |
323 |
ret=dtls1_send_server_hello(s); |
324 |
if (ret <= 0) goto end; |
325 |
|
326 |
@@ -713,6 +713,8 @@ int dtls1_send_server_hello(SSL *s) |
327 |
p+=sl; |
328 |
|
329 |
/* put the cipher */ |
330 |
+ if (s->s3->tmp.new_cipher == NULL) |
331 |
+ return -1; |
332 |
i=ssl3_put_cipher_by_char(s->s3->tmp.new_cipher,p); |
333 |
p+=i; |
334 |
|
335 |
@@ -726,13 +728,21 @@ int dtls1_send_server_hello(SSL *s) |
336 |
*(p++)=s->s3->tmp.new_compression->id; |
337 |
#endif |
338 |
|
339 |
+#ifndef OPENSSL_NO_TLSEXT |
340 |
+ if ((p = ssl_add_serverhello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) |
341 |
+ { |
342 |
+ SSLerr(SSL_F_DTLS1_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR); |
343 |
+ return -1; |
344 |
+ } |
345 |
+#endif |
346 |
+ |
347 |
/* do the header */ |
348 |
l=(p-d); |
349 |
d=buf; |
350 |
|
351 |
d = dtls1_set_message_header(s, d, SSL3_MT_SERVER_HELLO, l, 0, l); |
352 |
|
353 |
- s->state=SSL3_ST_CW_CLNT_HELLO_B; |
354 |
+ s->state=SSL3_ST_SW_SRVR_HELLO_B; |
355 |
/* number of bytes to write */ |
356 |
s->init_num=p-buf; |
357 |
s->init_off=0; |
358 |
@@ -741,7 +751,7 @@ int dtls1_send_server_hello(SSL *s) |
359 |
dtls1_buffer_message(s, 0); |
360 |
} |
361 |
|
362 |
- /* SSL3_ST_CW_CLNT_HELLO_B */ |
363 |
+ /* SSL3_ST_SW_SRVR_HELLO_B */ |
364 |
return(dtls1_do_write(s,SSL3_RT_HANDSHAKE)); |
365 |
} |
366 |
|
367 |
@@ -765,7 +775,7 @@ int dtls1_send_server_done(SSL *s) |
368 |
dtls1_buffer_message(s, 0); |
369 |
} |
370 |
|
371 |
- /* SSL3_ST_CW_CLNT_HELLO_B */ |
372 |
+ /* SSL3_ST_SW_SRVR_DONE_B */ |
373 |
return(dtls1_do_write(s,SSL3_RT_HANDSHAKE)); |
374 |
} |
375 |
|
376 |
diff -up openssl-fips-0.9.8e/ssl/Makefile.reneg openssl-fips-0.9.8e/ssl/Makefile |
377 |
--- openssl-fips-0.9.8e/ssl/Makefile.reneg 2007-08-01 13:33:16.000000000 +0200 |
378 |
+++ openssl-fips-0.9.8e/ssl/Makefile 2010-02-18 15:58:31.000000000 +0100 |
379 |
@@ -30,7 +30,7 @@ LIBSRC= \ |
380 |
ssl_lib.c ssl_err2.c ssl_cert.c ssl_sess.c \ |
381 |
ssl_ciph.c ssl_stat.c ssl_rsa.c \ |
382 |
ssl_asn1.c ssl_txt.c ssl_algs.c \ |
383 |
- bio_ssl.c ssl_err.c kssl.c |
384 |
+ bio_ssl.c ssl_err.c kssl.c t1_reneg.c |
385 |
LIBOBJ= \ |
386 |
s2_meth.o s2_srvr.o s2_clnt.o s2_lib.o s2_enc.o s2_pkt.o \ |
387 |
s3_meth.o s3_srvr.o s3_clnt.o s3_lib.o s3_enc.o s3_pkt.o s3_both.o \ |
388 |
@@ -41,7 +41,7 @@ LIBOBJ= \ |
389 |
ssl_lib.o ssl_err2.o ssl_cert.o ssl_sess.o \ |
390 |
ssl_ciph.o ssl_stat.o ssl_rsa.o \ |
391 |
ssl_asn1.o ssl_txt.o ssl_algs.o \ |
392 |
- bio_ssl.o ssl_err.o kssl.o |
393 |
+ bio_ssl.o ssl_err.o kssl.o t1_reneg.o |
394 |
|
395 |
SRC= $(LIBSRC) |
396 |
|
397 |
diff -up openssl-fips-0.9.8e/ssl/ssl_err.c.reneg openssl-fips-0.9.8e/ssl/ssl_err.c |
398 |
--- openssl-fips-0.9.8e/ssl/ssl_err.c.reneg 2010-02-18 15:58:31.000000000 +0100 |
399 |
+++ openssl-fips-0.9.8e/ssl/ssl_err.c 2010-02-18 15:58:31.000000000 +0100 |
400 |
@@ -168,8 +168,12 @@ static ERR_STRING_DATA SSL_str_functs[]= |
401 |
{ERR_FUNC(SSL_F_SSL3_SETUP_KEY_BLOCK), "SSL3_SETUP_KEY_BLOCK"}, |
402 |
{ERR_FUNC(SSL_F_SSL3_WRITE_BYTES), "SSL3_WRITE_BYTES"}, |
403 |
{ERR_FUNC(SSL_F_SSL3_WRITE_PENDING), "SSL3_WRITE_PENDING"}, |
404 |
+{ERR_FUNC(SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT), "SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT"}, |
405 |
+{ERR_FUNC(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT), "SSL_ADD_CLIENTHELLO_TLSEXT"}, |
406 |
{ERR_FUNC(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK), "SSL_add_dir_cert_subjects_to_stack"}, |
407 |
{ERR_FUNC(SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK), "SSL_add_file_cert_subjects_to_stack"}, |
408 |
+{ERR_FUNC(SSL_F_SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT), "SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT"}, |
409 |
+{ERR_FUNC(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT), "SSL_ADD_SERVERHELLO_TLSEXT"}, |
410 |
{ERR_FUNC(SSL_F_SSL_BAD_METHOD), "SSL_BAD_METHOD"}, |
411 |
{ERR_FUNC(SSL_F_SSL_BYTES_TO_CIPHER_LIST), "SSL_BYTES_TO_CIPHER_LIST"}, |
412 |
{ERR_FUNC(SSL_F_SSL_CERT_DUP), "SSL_CERT_DUP"}, |
413 |
@@ -208,6 +212,10 @@ static ERR_STRING_DATA SSL_str_functs[]= |
414 |
{ERR_FUNC(SSL_F_SSL_INIT_WBIO_BUFFER), "SSL_INIT_WBIO_BUFFER"}, |
415 |
{ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE), "SSL_load_client_CA_file"}, |
416 |
{ERR_FUNC(SSL_F_SSL_NEW), "SSL_new"}, |
417 |
+{ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT), "SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT"}, |
418 |
+{ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT), "SSL_PARSE_CLIENTHELLO_TLSEXT"}, |
419 |
+{ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT), "SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT"}, |
420 |
+{ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT), "SSL_PARSE_SERVERHELLO_TLSEXT"}, |
421 |
{ERR_FUNC(SSL_F_SSL_PEEK), "SSL_peek"}, |
422 |
{ERR_FUNC(SSL_F_SSL_READ), "SSL_read"}, |
423 |
{ERR_FUNC(SSL_F_SSL_RSA_PRIVATE_DECRYPT), "SSL_RSA_PRIVATE_DECRYPT"}, |
424 |
@@ -371,6 +379,7 @@ static ERR_STRING_DATA SSL_str_reasons[] |
425 |
{ERR_REASON(SSL_R_NO_PRIVATE_KEY_ASSIGNED),"no private key assigned"}, |
426 |
{ERR_REASON(SSL_R_NO_PROTOCOLS_AVAILABLE),"no protocols available"}, |
427 |
{ERR_REASON(SSL_R_NO_PUBLICKEY) ,"no publickey"}, |
428 |
+{ERR_REASON(SSL_R_NO_RENEGOTIATION) ,"no renegotiation"}, |
429 |
{ERR_REASON(SSL_R_NO_SHARED_CIPHER) ,"no shared cipher"}, |
430 |
{ERR_REASON(SSL_R_NO_VERIFY_CALLBACK) ,"no verify callback"}, |
431 |
{ERR_REASON(SSL_R_NULL_SSL_CTX) ,"null ssl ctx"}, |
432 |
@@ -378,6 +387,7 @@ static ERR_STRING_DATA SSL_str_reasons[] |
433 |
{ERR_REASON(SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED),"old session cipher not returned"}, |
434 |
{ERR_REASON(SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE),"only tls allowed in fips mode"}, |
435 |
{ERR_REASON(SSL_R_PACKET_LENGTH_TOO_LONG),"packet length too long"}, |
436 |
+{ERR_REASON(SSL_R_PARSE_TLSEXT) ,"parse tlsext"}, |
437 |
{ERR_REASON(SSL_R_PATH_TOO_LONG) ,"path too long"}, |
438 |
{ERR_REASON(SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE),"peer did not return a certificate"}, |
439 |
{ERR_REASON(SSL_R_PEER_ERROR) ,"peer error"}, |
440 |
@@ -397,10 +407,14 @@ static ERR_STRING_DATA SSL_str_reasons[] |
441 |
{ERR_REASON(SSL_R_RECORD_LENGTH_MISMATCH),"record length mismatch"}, |
442 |
{ERR_REASON(SSL_R_RECORD_TOO_LARGE) ,"record too large"}, |
443 |
{ERR_REASON(SSL_R_RECORD_TOO_SMALL) ,"record too small"}, |
444 |
+{ERR_REASON(SSL_R_RENEGOTIATE_EXT_TOO_LONG),"renegotiate ext too long"}, |
445 |
+{ERR_REASON(SSL_R_RENEGOTIATION_ENCODING_ERR),"renegotiation encoding err"}, |
446 |
+{ERR_REASON(SSL_R_RENEGOTIATION_MISMATCH),"renegotiation mismatch"}, |
447 |
{ERR_REASON(SSL_R_REQUIRED_CIPHER_MISSING),"required cipher missing"}, |
448 |
{ERR_REASON(SSL_R_REUSE_CERT_LENGTH_NOT_ZERO),"reuse cert length not zero"}, |
449 |
{ERR_REASON(SSL_R_REUSE_CERT_TYPE_NOT_ZERO),"reuse cert type not zero"}, |
450 |
{ERR_REASON(SSL_R_REUSE_CIPHER_LIST_NOT_ZERO),"reuse cipher list not zero"}, |
451 |
+{ERR_REASON(SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING),"scsv received when renegotiating"}, |
452 |
{ERR_REASON(SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED),"session id context uninitialized"}, |
453 |
{ERR_REASON(SSL_R_SHORT_READ) ,"short read"}, |
454 |
{ERR_REASON(SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE),"signature for non signing certificate"}, |
455 |
@@ -466,6 +480,7 @@ static ERR_STRING_DATA SSL_str_reasons[] |
456 |
{ERR_REASON(SSL_R_UNKNOWN_REMOTE_ERROR_TYPE),"unknown remote error type"}, |
457 |
{ERR_REASON(SSL_R_UNKNOWN_SSL_VERSION) ,"unknown ssl version"}, |
458 |
{ERR_REASON(SSL_R_UNKNOWN_STATE) ,"unknown state"}, |
459 |
+{ERR_REASON(SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED),"unsafe legacy renegotiation disabled"}, |
460 |
{ERR_REASON(SSL_R_UNSUPPORTED_CIPHER) ,"unsupported cipher"}, |
461 |
{ERR_REASON(SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM),"unsupported compression algorithm"}, |
462 |
{ERR_REASON(SSL_R_UNSUPPORTED_ELLIPTIC_CURVE),"unsupported elliptic curve"}, |
463 |
diff -up openssl-fips-0.9.8e/ssl/ssl.h.reneg openssl-fips-0.9.8e/ssl/ssl.h |
464 |
--- openssl-fips-0.9.8e/ssl/ssl.h.reneg 2010-02-18 15:58:31.000000000 +0100 |
465 |
+++ openssl-fips-0.9.8e/ssl/ssl.h 2010-02-18 15:58:31.000000000 +0100 |
466 |
@@ -480,6 +480,8 @@ typedef struct ssl_session_st |
467 |
|
468 |
#define SSL_OP_MICROSOFT_SESS_ID_BUG 0x00000001L |
469 |
#define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x00000002L |
470 |
+/* Allow initial connection to servers that don't support RI */ |
471 |
+#define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L |
472 |
#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L /* can break some security expectations */ |
473 |
#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L |
474 |
#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L |
475 |
@@ -506,6 +508,8 @@ typedef struct ssl_session_st |
476 |
|
477 |
/* As server, disallow session resumption on renegotiation */ |
478 |
#define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0x00010000L |
479 |
+/* Permit unsafe legacy renegotiation */ |
480 |
+#define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x00040000L |
481 |
/* If set, always create a new key when using tmp_ecdh parameters */ |
482 |
#define SSL_OP_SINGLE_ECDH_USE 0x00080000L |
483 |
/* If set, always create a new key when using tmp_dh parameters */ |
484 |
@@ -554,17 +558,25 @@ typedef struct ssl_session_st |
485 |
|
486 |
#define SSL_CTX_set_options(ctx,op) \ |
487 |
SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,(op),NULL) |
488 |
+#define SSL_CTX_clear_options(ctx,op) \ |
489 |
+ SSL_CTX_ctrl((ctx),SSL_CTRL_CLEAR_OPTIONS,(op),NULL) |
490 |
#define SSL_CTX_get_options(ctx) \ |
491 |
SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,0,NULL) |
492 |
#define SSL_set_options(ssl,op) \ |
493 |
SSL_ctrl((ssl),SSL_CTRL_OPTIONS,(op),NULL) |
494 |
+#define SSL_clear_options(ssl,op) \ |
495 |
+ SSL_ctrl((ssl),SSL_CTRL_CLEAR_OPTIONS,(op),NULL) |
496 |
#define SSL_get_options(ssl) \ |
497 |
SSL_ctrl((ssl),SSL_CTRL_OPTIONS,0,NULL) |
498 |
|
499 |
#define SSL_CTX_set_mode(ctx,op) \ |
500 |
SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,(op),NULL) |
501 |
+#define SSL_CTX_clear_mode(ctx,op) \ |
502 |
+ SSL_CTX_ctrl((ctx),SSL_CTRL_CLEAR_MODE,(op),NULL) |
503 |
#define SSL_CTX_get_mode(ctx) \ |
504 |
SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,0,NULL) |
505 |
+#define SSL_clear_mode(ssl,op) \ |
506 |
+ SSL_ctrl((ssl),SSL_CTRL_CLEAR_MODE,(op),NULL) |
507 |
#define SSL_set_mode(ssl,op) \ |
508 |
SSL_ctrl((ssl),SSL_CTRL_MODE,(op),NULL) |
509 |
#define SSL_get_mode(ssl) \ |
510 |
@@ -572,6 +584,8 @@ typedef struct ssl_session_st |
511 |
#define SSL_set_mtu(ssl, mtu) \ |
512 |
SSL_ctrl((ssl),SSL_CTRL_SET_MTU,(mtu),NULL) |
513 |
|
514 |
+#define SSL_get_secure_renegotiation_support(ssl) \ |
515 |
+ SSL_ctrl((ssl), SSL_CTRL_GET_RI_SUPPORT, 0, NULL) |
516 |
|
517 |
void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg)); |
518 |
void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg)); |
519 |
@@ -1189,6 +1203,10 @@ size_t SSL_get_peer_finished(const SSL * |
520 |
#define SSL_CTRL_GET_MAX_CERT_LIST 50 |
521 |
#define SSL_CTRL_SET_MAX_CERT_LIST 51 |
522 |
|
523 |
+#define SSL_CTRL_GET_RI_SUPPORT 76 |
524 |
+#define SSL_CTRL_CLEAR_OPTIONS 77 |
525 |
+#define SSL_CTRL_CLEAR_MODE 78 |
526 |
+ |
527 |
#define SSL_session_reused(ssl) \ |
528 |
SSL_ctrl((ssl),SSL_CTRL_GET_SESSION_REUSED,0,NULL) |
529 |
#define SSL_num_renegotiations(ssl) \ |
530 |
@@ -1650,8 +1668,12 @@ void ERR_load_SSL_strings(void); |
531 |
#define SSL_F_SSL3_SETUP_KEY_BLOCK 157 |
532 |
#define SSL_F_SSL3_WRITE_BYTES 158 |
533 |
#define SSL_F_SSL3_WRITE_PENDING 159 |
534 |
+#define SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT 285 |
535 |
+#define SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT 272 |
536 |
#define SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK 215 |
537 |
#define SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK 216 |
538 |
+#define SSL_F_SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT 286 |
539 |
+#define SSL_F_SSL_ADD_SERVERHELLO_TLSEXT 273 |
540 |
#define SSL_F_SSL_BAD_METHOD 160 |
541 |
#define SSL_F_SSL_BYTES_TO_CIPHER_LIST 161 |
542 |
#define SSL_F_SSL_CERT_DUP 221 |
543 |
@@ -1690,6 +1712,10 @@ void ERR_load_SSL_strings(void); |
544 |
#define SSL_F_SSL_INIT_WBIO_BUFFER 184 |
545 |
#define SSL_F_SSL_LOAD_CLIENT_CA_FILE 185 |
546 |
#define SSL_F_SSL_NEW 186 |
547 |
+#define SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT 287 |
548 |
+#define SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT 290 |
549 |
+#define SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT 289 |
550 |
+#define SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT 291 |
551 |
#define SSL_F_SSL_PEEK 270 |
552 |
#define SSL_F_SSL_READ 223 |
553 |
#define SSL_F_SSL_RSA_PRIVATE_DECRYPT 187 |
554 |
@@ -1850,6 +1876,7 @@ void ERR_load_SSL_strings(void); |
555 |
#define SSL_R_NO_PRIVATE_KEY_ASSIGNED 190 |
556 |
#define SSL_R_NO_PROTOCOLS_AVAILABLE 191 |
557 |
#define SSL_R_NO_PUBLICKEY 192 |
558 |
+#define SSL_R_NO_RENEGOTIATION 319 |
559 |
#define SSL_R_NO_SHARED_CIPHER 193 |
560 |
#define SSL_R_NO_VERIFY_CALLBACK 194 |
561 |
#define SSL_R_NULL_SSL_CTX 195 |
562 |
@@ -1857,6 +1884,7 @@ void ERR_load_SSL_strings(void); |
563 |
#define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 197 |
564 |
#define SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE 297 |
565 |
#define SSL_R_PACKET_LENGTH_TOO_LONG 198 |
566 |
+#define SSL_R_PARSE_TLSEXT 223 |
567 |
#define SSL_R_PATH_TOO_LONG 270 |
568 |
#define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE 199 |
569 |
#define SSL_R_PEER_ERROR 200 |
570 |
@@ -1876,10 +1904,14 @@ void ERR_load_SSL_strings(void); |
571 |
#define SSL_R_RECORD_LENGTH_MISMATCH 213 |
572 |
#define SSL_R_RECORD_TOO_LARGE 214 |
573 |
#define SSL_R_RECORD_TOO_SMALL 298 |
574 |
+#define SSL_R_RENEGOTIATE_EXT_TOO_LONG 320 |
575 |
+#define SSL_R_RENEGOTIATION_ENCODING_ERR 321 |
576 |
+#define SSL_R_RENEGOTIATION_MISMATCH 322 |
577 |
#define SSL_R_REQUIRED_CIPHER_MISSING 215 |
578 |
#define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO 216 |
579 |
#define SSL_R_REUSE_CERT_TYPE_NOT_ZERO 217 |
580 |
#define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO 218 |
581 |
+#define SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING 324 |
582 |
#define SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED 277 |
583 |
#define SSL_R_SHORT_READ 219 |
584 |
#define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 220 |
585 |
@@ -1945,6 +1977,7 @@ void ERR_load_SSL_strings(void); |
586 |
#define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE 253 |
587 |
#define SSL_R_UNKNOWN_SSL_VERSION 254 |
588 |
#define SSL_R_UNKNOWN_STATE 255 |
589 |
+#define SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED 323 |
590 |
#define SSL_R_UNSUPPORTED_CIPHER 256 |
591 |
#define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 257 |
592 |
#define SSL_R_UNSUPPORTED_ELLIPTIC_CURVE 315 |
593 |
diff -up openssl-fips-0.9.8e/ssl/ssl_lib.c.reneg openssl-fips-0.9.8e/ssl/ssl_lib.c |
594 |
--- openssl-fips-0.9.8e/ssl/ssl_lib.c.reneg 2010-02-18 15:58:31.000000000 +0100 |
595 |
+++ openssl-fips-0.9.8e/ssl/ssl_lib.c 2010-02-18 16:10:30.000000000 +0100 |
596 |
@@ -958,8 +958,12 @@ long SSL_ctrl(SSL *s,int cmd,long larg,v |
597 |
|
598 |
case SSL_CTRL_OPTIONS: |
599 |
return(s->options|=larg); |
600 |
+ case SSL_CTRL_CLEAR_OPTIONS: |
601 |
+ return(s->options&=~larg); |
602 |
case SSL_CTRL_MODE: |
603 |
return(s->mode|=larg); |
604 |
+ case SSL_CTRL_CLEAR_MODE: |
605 |
+ return(s->mode &=~larg); |
606 |
case SSL_CTRL_GET_MAX_CERT_LIST: |
607 |
return(s->max_cert_list); |
608 |
case SSL_CTRL_SET_MAX_CERT_LIST: |
609 |
@@ -973,6 +977,10 @@ long SSL_ctrl(SSL *s,int cmd,long larg,v |
610 |
return larg; |
611 |
} |
612 |
return 0; |
613 |
+ case SSL_CTRL_GET_RI_SUPPORT: |
614 |
+ if (s->s3) |
615 |
+ return s->s3->send_connection_binding; |
616 |
+ else return 0; |
617 |
default: |
618 |
return(s->method->ssl_ctrl(s,cmd,larg,parg)); |
619 |
} |
620 |
@@ -1059,8 +1067,12 @@ long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd,l |
621 |
return(ctx->stats.sess_cache_full); |
622 |
case SSL_CTRL_OPTIONS: |
623 |
return(ctx->options|=larg); |
624 |
+ case SSL_CTRL_CLEAR_OPTIONS: |
625 |
+ return(ctx->options&=~larg); |
626 |
case SSL_CTRL_MODE: |
627 |
return(ctx->mode|=larg); |
628 |
+ case SSL_CTRL_CLEAR_MODE: |
629 |
+ return(ctx->mode&=~larg); |
630 |
default: |
631 |
return(ctx->method->ssl_ctx_ctrl(ctx,cmd,larg,parg)); |
632 |
} |
633 |
@@ -1257,6 +1269,22 @@ int ssl_cipher_list_to_bytes(SSL *s,STAC |
634 |
j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p); |
635 |
p+=j; |
636 |
} |
637 |
+ /* If p == q, no ciphers and caller indicates an error. Otherwise |
638 |
+ * add SCSV if not renegotiating. |
639 |
+ */ |
640 |
+ if (p != q && !s->new_session) |
641 |
+ { |
642 |
+ static SSL_CIPHER scsv = |
643 |
+ { |
644 |
+ 0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, |
645 |
+ }; |
646 |
+ j = put_cb ? put_cb(&scsv,p) : ssl_put_cipher_by_char(s,&scsv,p); |
647 |
+ p+=j; |
648 |
+#ifdef OPENSSL_RI_DEBUG |
649 |
+ fprintf(stderr, "SCSV sent by client\n"); |
650 |
+#endif |
651 |
+ } |
652 |
+ |
653 |
return(p-q); |
654 |
} |
655 |
|
656 |
@@ -1266,6 +1294,8 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_ciphe |
657 |
SSL_CIPHER *c; |
658 |
STACK_OF(SSL_CIPHER) *sk; |
659 |
int i,n; |
660 |
+ if (s->s3) |
661 |
+ s->s3->send_connection_binding = 0; |
662 |
|
663 |
n=ssl_put_cipher_by_char(s,NULL,NULL); |
664 |
if ((num%n) != 0) |
665 |
@@ -1283,6 +1313,26 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_ciphe |
666 |
|
667 |
for (i=0; i<num; i+=n) |
668 |
{ |
669 |
+ /* Check for SCSV */ |
670 |
+ if (s->s3 && (n != 3 || !p[0]) && |
671 |
+ (p[n-2] == ((SSL3_CK_SCSV >> 8) & 0xff)) && |
672 |
+ (p[n-1] == (SSL3_CK_SCSV & 0xff))) |
673 |
+ { |
674 |
+ /* SCSV fatal if renegotiating */ |
675 |
+ if (s->new_session) |
676 |
+ { |
677 |
+ SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING); |
678 |
+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); |
679 |
+ goto err; |
680 |
+ } |
681 |
+ s->s3->send_connection_binding = 1; |
682 |
+ p += n; |
683 |
+#ifdef OPENSSL_RI_DEBUG |
684 |
+ fprintf(stderr, "SCSV received by server\n"); |
685 |
+#endif |
686 |
+ continue; |
687 |
+ } |
688 |
+ |
689 |
c=ssl_get_cipher_by_char(s,p); |
690 |
p+=n; |
691 |
if (c != NULL) |
692 |
@@ -1461,6 +1511,11 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *meth) |
693 |
ret->extra_certs=NULL; |
694 |
ret->comp_methods=SSL_COMP_get_compression_methods(); |
695 |
|
696 |
+ /* Default is to connect to non-RI servers. When RI is more widely |
697 |
+ * deployed might change this. |
698 |
+ */ |
699 |
+ ret->options |= SSL_OP_LEGACY_SERVER_CONNECT; |
700 |
+ |
701 |
return(ret); |
702 |
err: |
703 |
SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE); |
704 |
diff -up openssl-fips-0.9.8e/ssl/ssl_locl.h.reneg openssl-fips-0.9.8e/ssl/ssl_locl.h |
705 |
--- openssl-fips-0.9.8e/ssl/ssl_locl.h.reneg 2010-02-18 15:58:31.000000000 +0100 |
706 |
+++ openssl-fips-0.9.8e/ssl/ssl_locl.h 2010-02-18 15:58:31.000000000 +0100 |
707 |
@@ -934,5 +934,17 @@ int check_srvr_ecc_cert_and_alg(X509 *x, |
708 |
|
709 |
SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n); |
710 |
|
711 |
+unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit); |
712 |
+unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit); |
713 |
+int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al); |
714 |
+int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al); |
715 |
+int ssl_add_serverhello_renegotiate_ext(SSL *s, unsigned char *p, int *len, |
716 |
+ int maxlen); |
717 |
+int ssl_parse_serverhello_renegotiate_ext(SSL *s, unsigned char *d, int len, |
718 |
+ int *al); |
719 |
+int ssl_add_clienthello_renegotiate_ext(SSL *s, unsigned char *p, int *len, |
720 |
+ int maxlen); |
721 |
+int ssl_parse_clienthello_renegotiate_ext(SSL *s, unsigned char *d, int len, |
722 |
+ int *al); |
723 |
|
724 |
#endif |
725 |
diff -up openssl-fips-0.9.8e/ssl/ssl3.h.reneg openssl-fips-0.9.8e/ssl/ssl3.h |
726 |
--- openssl-fips-0.9.8e/ssl/ssl3.h.reneg 2010-02-18 15:58:31.000000000 +0100 |
727 |
+++ openssl-fips-0.9.8e/ssl/ssl3.h 2010-02-18 15:58:31.000000000 +0100 |
728 |
@@ -129,6 +129,9 @@ |
729 |
extern "C" { |
730 |
#endif |
731 |
|
732 |
+/* Signalling cipher suite value: from draft-ietf-tls-renegotiation-03.txt */ |
733 |
+#define SSL3_CK_SCSV 0x030000FF |
734 |
+ |
735 |
#define SSL3_CK_RSA_NULL_MD5 0x03000001 |
736 |
#define SSL3_CK_RSA_NULL_SHA 0x03000002 |
737 |
#define SSL3_CK_RSA_RC4_40_MD5 0x03000003 |
738 |
@@ -437,6 +440,12 @@ typedef struct ssl3_state_st |
739 |
int cert_request; |
740 |
} tmp; |
741 |
|
742 |
+ /* Connection binding to prevent renegotiation attacks */ |
743 |
+ unsigned char previous_client_finished[EVP_MAX_MD_SIZE]; |
744 |
+ unsigned char previous_client_finished_len; |
745 |
+ unsigned char previous_server_finished[EVP_MAX_MD_SIZE]; |
746 |
+ unsigned char previous_server_finished_len; |
747 |
+ int send_connection_binding; /* TODOEKR */ |
748 |
} SSL3_STATE; |
749 |
|
750 |
|
751 |
diff -up openssl-fips-0.9.8e/ssl/s23_clnt.c.reneg openssl-fips-0.9.8e/ssl/s23_clnt.c |
752 |
--- openssl-fips-0.9.8e/ssl/s23_clnt.c.reneg 2007-03-22 01:39:13.000000000 +0100 |
753 |
+++ openssl-fips-0.9.8e/ssl/s23_clnt.c 2010-02-18 16:07:51.000000000 +0100 |
754 |
@@ -368,6 +368,11 @@ static int ssl23_client_hello(SSL *s) |
755 |
*(p++)=comp->id; |
756 |
} |
757 |
*(p++)=0; /* Add the NULL method */ |
758 |
+ if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) |
759 |
+ { |
760 |
+ SSLerr(SSL_F_SSL23_CLIENT_HELLO,ERR_R_INTERNAL_ERROR); |
761 |
+ return -1; |
762 |
+ } |
763 |
|
764 |
l = p-d; |
765 |
*p = 42; |
766 |
diff -up openssl-fips-0.9.8e/ssl/s3_both.c.reneg openssl-fips-0.9.8e/ssl/s3_both.c |
767 |
--- openssl-fips-0.9.8e/ssl/s3_both.c.reneg 2005-04-26 18:02:39.000000000 +0200 |
768 |
+++ openssl-fips-0.9.8e/ssl/s3_both.c 2010-02-18 15:58:31.000000000 +0100 |
769 |
@@ -168,6 +168,23 @@ int ssl3_send_finished(SSL *s, int a, in |
770 |
p+=i; |
771 |
l=i; |
772 |
|
773 |
+ /* Copy the finished so we can use it for |
774 |
+ renegotiation checks */ |
775 |
+ if(s->type == SSL_ST_CONNECT) |
776 |
+ { |
777 |
+ OPENSSL_assert(i <= EVP_MAX_MD_SIZE); |
778 |
+ memcpy(s->s3->previous_client_finished, |
779 |
+ s->s3->tmp.finish_md, i); |
780 |
+ s->s3->previous_client_finished_len=i; |
781 |
+ } |
782 |
+ else |
783 |
+ { |
784 |
+ OPENSSL_assert(i <= EVP_MAX_MD_SIZE); |
785 |
+ memcpy(s->s3->previous_server_finished, |
786 |
+ s->s3->tmp.finish_md, i); |
787 |
+ s->s3->previous_server_finished_len=i; |
788 |
+ } |
789 |
+ |
790 |
#ifdef OPENSSL_SYS_WIN16 |
791 |
/* MSVC 1.5 does not clear the top bytes of the word unless |
792 |
* I do this. |
793 |
@@ -232,6 +249,23 @@ int ssl3_get_finished(SSL *s, int a, int |
794 |
goto f_err; |
795 |
} |
796 |
|
797 |
+ /* Copy the finished so we can use it for |
798 |
+ renegotiation checks */ |
799 |
+ if(s->type == SSL_ST_ACCEPT) |
800 |
+ { |
801 |
+ OPENSSL_assert(i <= EVP_MAX_MD_SIZE); |
802 |
+ memcpy(s->s3->previous_client_finished, |
803 |
+ s->s3->tmp.peer_finish_md, i); |
804 |
+ s->s3->previous_client_finished_len=i; |
805 |
+ } |
806 |
+ else |
807 |
+ { |
808 |
+ OPENSSL_assert(i <= EVP_MAX_MD_SIZE); |
809 |
+ memcpy(s->s3->previous_server_finished, |
810 |
+ s->s3->tmp.peer_finish_md, i); |
811 |
+ s->s3->previous_server_finished_len=i; |
812 |
+ } |
813 |
+ |
814 |
return(1); |
815 |
f_err: |
816 |
ssl3_send_alert(s,SSL3_AL_FATAL,al); |
817 |
diff -up openssl-fips-0.9.8e/ssl/s3_clnt.c.reneg openssl-fips-0.9.8e/ssl/s3_clnt.c |
818 |
--- openssl-fips-0.9.8e/ssl/s3_clnt.c.reneg 2010-02-18 15:58:31.000000000 +0100 |
819 |
+++ openssl-fips-0.9.8e/ssl/s3_clnt.c 2010-02-18 15:58:31.000000000 +0100 |
820 |
@@ -601,7 +601,11 @@ int ssl3_client_hello(SSL *s) |
821 |
} |
822 |
#endif |
823 |
*(p++)=0; /* Add the NULL method */ |
824 |
- |
825 |
+ if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) |
826 |
+ { |
827 |
+ SSLerr(SSL_F_SSL3_CLIENT_HELLO,ERR_R_INTERNAL_ERROR); |
828 |
+ goto err; |
829 |
+ } |
830 |
l=(p-d); |
831 |
d=buf; |
832 |
*(d++)=SSL3_MT_CLIENT_HELLO; |
833 |
@@ -635,7 +639,7 @@ int ssl3_get_server_hello(SSL *s) |
834 |
SSL3_ST_CR_SRVR_HELLO_A, |
835 |
SSL3_ST_CR_SRVR_HELLO_B, |
836 |
-1, |
837 |
- 300, /* ?? */ |
838 |
+ 1000, /* ?? */ |
839 |
&ok); |
840 |
|
841 |
if (!ok) return((int)n); |
842 |
@@ -785,6 +789,17 @@ int ssl3_get_server_hello(SSL *s) |
843 |
s->s3->tmp.new_compression=comp; |
844 |
} |
845 |
#endif |
846 |
+ /* TLS extensions - we parse renegotiate extension only */ |
847 |
+ if (s->version >= SSL3_VERSION) |
848 |
+ { |
849 |
+ if (!ssl_parse_serverhello_tlsext(s,&p,d,n, &al)) |
850 |
+ { |
851 |
+ /* 'al' set by ssl_parse_serverhello_tlsext */ |
852 |
+ SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_PARSE_TLSEXT); |
853 |
+ goto f_err; |
854 |
+ } |
855 |
+ } |
856 |
+ |
857 |
|
858 |
if (p != (d+n)) |
859 |
{ |
860 |
diff -up openssl-fips-0.9.8e/ssl/s3_pkt.c.reneg openssl-fips-0.9.8e/ssl/s3_pkt.c |
861 |
--- openssl-fips-0.9.8e/ssl/s3_pkt.c.reneg 2010-02-18 15:58:31.000000000 +0100 |
862 |
+++ openssl-fips-0.9.8e/ssl/s3_pkt.c 2010-02-18 15:58:31.000000000 +0100 |
863 |
@@ -1013,7 +1013,25 @@ start: |
864 |
* now try again to obtain the (application) data we were asked for */ |
865 |
goto start; |
866 |
} |
867 |
- |
868 |
+ /* If we are a server and get a client hello when renegotiation isn't |
869 |
+ * allowed send back a no renegotiation alert and carry on. |
870 |
+ * WARNING: experimental code, needs reviewing (steve) |
871 |
+ */ |
872 |
+ if (s->server && |
873 |
+ SSL_is_init_finished(s) && |
874 |
+ !s->s3->send_connection_binding && |
875 |
+ (s->version > SSL3_VERSION) && |
876 |
+ (s->s3->handshake_fragment_len >= 4) && |
877 |
+ (s->s3->handshake_fragment[0] == SSL3_MT_CLIENT_HELLO) && |
878 |
+ (s->session != NULL) && (s->session->cipher != NULL) && |
879 |
+ !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) |
880 |
+ |
881 |
+ { |
882 |
+ /*s->s3->handshake_fragment_len = 0;*/ |
883 |
+ rr->length = 0; |
884 |
+ ssl3_send_alert(s,SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION); |
885 |
+ goto start; |
886 |
+ } |
887 |
if (s->s3->alert_fragment_len >= 2) |
888 |
{ |
889 |
int alert_level = s->s3->alert_fragment[0]; |
890 |
@@ -1043,6 +1061,21 @@ start: |
891 |
s->shutdown |= SSL_RECEIVED_SHUTDOWN; |
892 |
return(0); |
893 |
} |
894 |
+ /* This is a warning but we receive it if we requested |
895 |
+ * renegotiation and the peer denied it. Terminate with |
896 |
+ * a fatal alert because if application tried to |
897 |
+ * renegotiatie it presumably had a good reason and |
898 |
+ * expects it to succeed. |
899 |
+ * |
900 |
+ * In future we might have a renegotiation where we |
901 |
+ * don't care if the peer refused it where we carry on. |
902 |
+ */ |
903 |
+ else if (alert_descr == SSL_AD_NO_RENEGOTIATION) |
904 |
+ { |
905 |
+ al = SSL_AD_HANDSHAKE_FAILURE; |
906 |
+ SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_NO_RENEGOTIATION); |
907 |
+ goto f_err; |
908 |
+ } |
909 |
} |
910 |
else if (alert_level == 2) /* fatal */ |
911 |
{ |
912 |
diff -up openssl-fips-0.9.8e/ssl/s3_srvr.c.reneg openssl-fips-0.9.8e/ssl/s3_srvr.c |
913 |
--- openssl-fips-0.9.8e/ssl/s3_srvr.c.reneg 2010-02-18 15:58:31.000000000 +0100 |
914 |
+++ openssl-fips-0.9.8e/ssl/s3_srvr.c 2010-02-18 15:58:31.000000000 +0100 |
915 |
@@ -248,6 +248,18 @@ int ssl3_accept(SSL *s) |
916 |
s->state=SSL3_ST_SR_CLNT_HELLO_A; |
917 |
s->ctx->stats.sess_accept++; |
918 |
} |
919 |
+ else if (!s->s3->send_connection_binding && |
920 |
+ !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) |
921 |
+ { |
922 |
+ /* Server attempting to renegotiate with |
923 |
+ * client that doesn't support secure |
924 |
+ * renegotiation. |
925 |
+ */ |
926 |
+ SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); |
927 |
+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); |
928 |
+ ret = -1; |
929 |
+ goto end; |
930 |
+ } |
931 |
else |
932 |
{ |
933 |
/* s->state == SSL_ST_RENEGOTIATE, |
934 |
@@ -898,6 +910,16 @@ int ssl3_get_client_hello(SSL *s) |
935 |
goto f_err; |
936 |
} |
937 |
|
938 |
+ /* TLS extensions - just parsing the renegotiation extension */ |
939 |
+ if (s->version >= SSL3_VERSION) |
940 |
+ { |
941 |
+ if (!ssl_parse_clienthello_tlsext(s,&p,d,n, &al)) |
942 |
+ { |
943 |
+ /* 'al' set by ssl_parse_clienthello_tlsext */ |
944 |
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_PARSE_TLSEXT); |
945 |
+ goto f_err; |
946 |
+ } |
947 |
+ } |
948 |
/* Worst case, we will use the NULL compression, but if we have other |
949 |
* options, we will now look for them. We have i-1 compression |
950 |
* algorithms from the client, starting at q. */ |
951 |
@@ -1089,20 +1111,24 @@ int ssl3_send_server_hello(SSL *s) |
952 |
else |
953 |
*(p++)=s->s3->tmp.new_compression->id; |
954 |
#endif |
955 |
- |
956 |
+ if ((p = ssl_add_serverhello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) |
957 |
+ { |
958 |
+ SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR); |
959 |
+ return -1; |
960 |
+ } |
961 |
/* do the header */ |
962 |
l=(p-d); |
963 |
d=buf; |
964 |
*(d++)=SSL3_MT_SERVER_HELLO; |
965 |
l2n3(l,d); |
966 |
|
967 |
- s->state=SSL3_ST_CW_CLNT_HELLO_B; |
968 |
+ s->state=SSL3_ST_SW_SRVR_HELLO_B; |
969 |
/* number of bytes to write */ |
970 |
s->init_num=p-buf; |
971 |
s->init_off=0; |
972 |
} |
973 |
|
974 |
- /* SSL3_ST_CW_CLNT_HELLO_B */ |
975 |
+ /* SSL3_ST_SW_SRVR_HELLO_B */ |
976 |
return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); |
977 |
} |
978 |
|
979 |
@@ -1126,7 +1152,7 @@ int ssl3_send_server_done(SSL *s) |
980 |
s->init_off=0; |
981 |
} |
982 |
|
983 |
- /* SSL3_ST_CW_CLNT_HELLO_B */ |
984 |
+ /* SSL3_ST_SW_SRVR_DONE_B */ |
985 |
return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); |
986 |
} |
987 |
|
988 |
diff -up openssl-fips-0.9.8e/ssl/tls1.h.reneg openssl-fips-0.9.8e/ssl/tls1.h |
989 |
--- openssl-fips-0.9.8e/ssl/tls1.h.reneg 2010-02-18 15:58:31.000000000 +0100 |
990 |
+++ openssl-fips-0.9.8e/ssl/tls1.h 2010-02-18 15:58:31.000000000 +0100 |
991 |
@@ -97,6 +97,9 @@ extern "C" { |
992 |
#define TLS1_AD_USER_CANCELLED 90 |
993 |
#define TLS1_AD_NO_RENEGOTIATION 100 |
994 |
|
995 |
+/* Temporary extension type */ |
996 |
+#define TLSEXT_TYPE_renegotiate 0xff01 |
997 |
+ |
998 |
/* Additional TLS ciphersuites from draft-ietf-tls-56-bit-ciphersuites-00.txt |
999 |
* (available if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES is defined, see |
1000 |
* s3_lib.c). We actually treat them like SSL 3.0 ciphers, which we probably |
1001 |
diff -up openssl-fips-0.9.8e/ssl/t1_lib.c.reneg openssl-fips-0.9.8e/ssl/t1_lib.c |
1002 |
--- openssl-fips-0.9.8e/ssl/t1_lib.c.reneg 2007-01-21 17:07:25.000000000 +0100 |
1003 |
+++ openssl-fips-0.9.8e/ssl/t1_lib.c 2010-02-18 16:10:05.000000000 +0100 |
1004 |
@@ -117,3 +117,202 @@ long tls1_callback_ctrl(SSL *s, int cmd, |
1005 |
return(0); |
1006 |
} |
1007 |
#endif |
1008 |
+ |
1009 |
+unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) |
1010 |
+ { |
1011 |
+ int extdatalen=0; |
1012 |
+ unsigned char *ret = p; |
1013 |
+ |
1014 |
+ /* don't add extensions for SSLv3 unless doing secure renegotiation */ |
1015 |
+ if (s->client_version == SSL3_VERSION |
1016 |
+ && !s->s3->send_connection_binding) |
1017 |
+ return p; |
1018 |
+ |
1019 |
+ ret+=2; |
1020 |
+ |
1021 |
+ if (ret>=limit) return NULL; /* this really never occurs, but ... */ |
1022 |
+ |
1023 |
+ /* Add RI if renegotiating */ |
1024 |
+ if (s->new_session) |
1025 |
+ { |
1026 |
+ int el; |
1027 |
+ |
1028 |
+ if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) |
1029 |
+ { |
1030 |
+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); |
1031 |
+ return NULL; |
1032 |
+ } |
1033 |
+ |
1034 |
+ if((limit - p - 4 - el) < 0) return NULL; |
1035 |
+ |
1036 |
+ s2n(TLSEXT_TYPE_renegotiate,ret); |
1037 |
+ s2n(el,ret); |
1038 |
+ |
1039 |
+ if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) |
1040 |
+ { |
1041 |
+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); |
1042 |
+ return NULL; |
1043 |
+ } |
1044 |
+ |
1045 |
+ ret += el; |
1046 |
+ } |
1047 |
+ |
1048 |
+ if ((extdatalen = ret-p-2)== 0) |
1049 |
+ return p; |
1050 |
+ |
1051 |
+ s2n(extdatalen,p); |
1052 |
+ return ret; |
1053 |
+ } |
1054 |
+ |
1055 |
+unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) |
1056 |
+ { |
1057 |
+ int extdatalen=0; |
1058 |
+ unsigned char *ret = p; |
1059 |
+ |
1060 |
+ /* don't add extensions for SSLv3, unless doing secure renegotiation */ |
1061 |
+ if (s->version == SSL3_VERSION && !s->s3->send_connection_binding) |
1062 |
+ return p; |
1063 |
+ |
1064 |
+ ret+=2; |
1065 |
+ if (ret>=limit) return NULL; /* this really never occurs, but ... */ |
1066 |
+ |
1067 |
+ if(s->s3->send_connection_binding) |
1068 |
+ { |
1069 |
+ int el; |
1070 |
+ |
1071 |
+ if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) |
1072 |
+ { |
1073 |
+ SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); |
1074 |
+ return NULL; |
1075 |
+ } |
1076 |
+ |
1077 |
+ if((limit - p - 4 - el) < 0) return NULL; |
1078 |
+ |
1079 |
+ s2n(TLSEXT_TYPE_renegotiate,ret); |
1080 |
+ s2n(el,ret); |
1081 |
+ |
1082 |
+ if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) |
1083 |
+ { |
1084 |
+ SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); |
1085 |
+ return NULL; |
1086 |
+ } |
1087 |
+ |
1088 |
+ ret += el; |
1089 |
+ } |
1090 |
+ |
1091 |
+ if ((extdatalen = ret-p-2)== 0) |
1092 |
+ return p; |
1093 |
+ |
1094 |
+ s2n(extdatalen,p); |
1095 |
+ return ret; |
1096 |
+ } |
1097 |
+ |
1098 |
+int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) |
1099 |
+ { |
1100 |
+ unsigned short type; |
1101 |
+ unsigned short size; |
1102 |
+ unsigned short len; |
1103 |
+ unsigned char *data = *p; |
1104 |
+ int renegotiate_seen = 0; |
1105 |
+ |
1106 |
+ if (data >= (d+n-2)) |
1107 |
+ goto ri_check; |
1108 |
+ |
1109 |
+ n2s(data,len); |
1110 |
+ |
1111 |
+ if (data > (d+n-len)) |
1112 |
+ goto ri_check; |
1113 |
+ |
1114 |
+ while (data <= (d+n-4)) |
1115 |
+ { |
1116 |
+ n2s(data,type); |
1117 |
+ n2s(data,size); |
1118 |
+ |
1119 |
+ if (data+size > (d+n)) |
1120 |
+ goto ri_check; |
1121 |
+ |
1122 |
+ if (type == TLSEXT_TYPE_renegotiate) |
1123 |
+ { |
1124 |
+ if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al)) |
1125 |
+ return 0; |
1126 |
+ renegotiate_seen = 1; |
1127 |
+ } |
1128 |
+ |
1129 |
+ data+=size; |
1130 |
+ } |
1131 |
+ *p = data; |
1132 |
+ |
1133 |
+ ri_check: |
1134 |
+ |
1135 |
+ /* Need RI if renegotiating */ |
1136 |
+ |
1137 |
+ if (!renegotiate_seen && s->new_session && |
1138 |
+ !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) |
1139 |
+ { |
1140 |
+ *al = SSL_AD_HANDSHAKE_FAILURE; |
1141 |
+ SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, |
1142 |
+ SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); |
1143 |
+ return 0; |
1144 |
+ } |
1145 |
+ |
1146 |
+ return 1; |
1147 |
+ } |
1148 |
+ |
1149 |
+int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) |
1150 |
+ { |
1151 |
+ unsigned short type; |
1152 |
+ unsigned short size; |
1153 |
+ unsigned short len; |
1154 |
+ unsigned char *data = *p; |
1155 |
+ int renegotiate_seen = 0; |
1156 |
+ |
1157 |
+ if (data >= (d+n-2)) |
1158 |
+ goto ri_check; |
1159 |
+ |
1160 |
+ n2s(data,len); |
1161 |
+ |
1162 |
+ while(data <= (d+n-4)) |
1163 |
+ { |
1164 |
+ n2s(data,type); |
1165 |
+ n2s(data,size); |
1166 |
+ |
1167 |
+ if (data+size > (d+n)) |
1168 |
+ goto ri_check; |
1169 |
+ if (type == TLSEXT_TYPE_renegotiate) |
1170 |
+ { |
1171 |
+ if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al)) |
1172 |
+ return 0; |
1173 |
+ renegotiate_seen = 1; |
1174 |
+ } |
1175 |
+ data+=size; |
1176 |
+ } |
1177 |
+ |
1178 |
+ if (data != d+n) |
1179 |
+ { |
1180 |
+ *al = SSL_AD_DECODE_ERROR; |
1181 |
+ return 0; |
1182 |
+ } |
1183 |
+ |
1184 |
+ *p = data; |
1185 |
+ |
1186 |
+ ri_check: |
1187 |
+ |
1188 |
+ /* Determine if we need to see RI. Strictly speaking if we want to |
1189 |
+ * avoid an attack we should *always* see RI even on initial server |
1190 |
+ * hello because the client doesn't see any renegotiation during an |
1191 |
+ * attack. However this would mean we could not connect to any server |
1192 |
+ * which doesn't support RI so for the immediate future tolerate RI |
1193 |
+ * absence on initial connect only. |
1194 |
+ */ |
1195 |
+ if (!renegotiate_seen |
1196 |
+ && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT) |
1197 |
+ && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) |
1198 |
+ { |
1199 |
+ *al = SSL_AD_HANDSHAKE_FAILURE; |
1200 |
+ SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, |
1201 |
+ SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); |
1202 |
+ return 0; |
1203 |
+ } |
1204 |
+ |
1205 |
+ return 1; |
1206 |
+ } |
1207 |
diff -up openssl-fips-0.9.8e/ssl/t1_reneg.c.reneg openssl-fips-0.9.8e/ssl/t1_reneg.c |
1208 |
--- openssl-fips-0.9.8e/ssl/t1_reneg.c.reneg 2010-02-18 15:58:31.000000000 +0100 |
1209 |
+++ openssl-fips-0.9.8e/ssl/t1_reneg.c 2010-02-18 15:58:31.000000000 +0100 |
1210 |
@@ -0,0 +1,292 @@ |
1211 |
+/* ssl/t1_reneg.c */ |
1212 |
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
1213 |
+ * All rights reserved. |
1214 |
+ * |
1215 |
+ * This package is an SSL implementation written |
1216 |
+ * by Eric Young (eay@cryptsoft.com). |
1217 |
+ * The implementation was written so as to conform with Netscapes SSL. |
1218 |
+ * |
1219 |
+ * This library is free for commercial and non-commercial use as long as |
1220 |
+ * the following conditions are aheared to. The following conditions |
1221 |
+ * apply to all code found in this distribution, be it the RC4, RSA, |
1222 |
+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation |
1223 |
+ * included with this distribution is covered by the same copyright terms |
1224 |
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com). |
1225 |
+ * |
1226 |
+ * Copyright remains Eric Young's, and as such any Copyright notices in |
1227 |
+ * the code are not to be removed. |
1228 |
+ * If this package is used in a product, Eric Young should be given attribution |
1229 |
+ * as the author of the parts of the library used. |
1230 |
+ * This can be in the form of a textual message at program startup or |
1231 |
+ * in documentation (online or textual) provided with the package. |
1232 |
+ * |
1233 |
+ * Redistribution and use in source and binary forms, with or without |
1234 |
+ * modification, are permitted provided that the following conditions |
1235 |
+ * are met: |
1236 |
+ * 1. Redistributions of source code must retain the copyright |
1237 |
+ * notice, this list of conditions and the following disclaimer. |
1238 |
+ * 2. Redistributions in binary form must reproduce the above copyright |
1239 |
+ * notice, this list of conditions and the following disclaimer in the |
1240 |
+ * documentation and/or other materials provided with the distribution. |
1241 |
+ * 3. All advertising materials mentioning features or use of this software |
1242 |
+ * must display the following acknowledgement: |
1243 |
+ * "This product includes cryptographic software written by |
1244 |
+ * Eric Young (eay@cryptsoft.com)" |
1245 |
+ * The word 'cryptographic' can be left out if the rouines from the library |
1246 |
+ * being used are not cryptographic related :-). |
1247 |
+ * 4. If you include any Windows specific code (or a derivative thereof) from |
1248 |
+ * the apps directory (application code) you must include an acknowledgement: |
1249 |
+ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" |
1250 |
+ * |
1251 |
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND |
1252 |
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
1253 |
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
1254 |
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
1255 |
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
1256 |
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
1257 |
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
1258 |
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
1259 |
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
1260 |
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
1261 |
+ * SUCH DAMAGE. |
1262 |
+ * |
1263 |
+ * The licence and distribution terms for any publically available version or |
1264 |
+ * derivative of this code cannot be changed. i.e. this code cannot simply be |
1265 |
+ * copied and put under another distribution licence |
1266 |
+ * [including the GNU Public Licence.] |
1267 |
+ */ |
1268 |
+/* ==================================================================== |
1269 |
+ * Copyright (c) 1998-2009 The OpenSSL Project. All rights reserved. |
1270 |
+ * |
1271 |
+ * Redistribution and use in source and binary forms, with or without |
1272 |
+ * modification, are permitted provided that the following conditions |
1273 |
+ * are met: |
1274 |
+ * |
1275 |
+ * 1. Redistributions of source code must retain the above copyright |
1276 |
+ * notice, this list of conditions and the following disclaimer. |
1277 |
+ * |
1278 |
+ * 2. Redistributions in binary form must reproduce the above copyright |
1279 |
+ * notice, this list of conditions and the following disclaimer in |
1280 |
+ * the documentation and/or other materials provided with the |
1281 |
+ * distribution. |
1282 |
+ * |
1283 |
+ * 3. All advertising materials mentioning features or use of this |
1284 |
+ * software must display the following acknowledgment: |
1285 |
+ * "This product includes software developed by the OpenSSL Project |
1286 |
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" |
1287 |
+ * |
1288 |
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to |
1289 |
+ * endorse or promote products derived from this software without |
1290 |
+ * prior written permission. For written permission, please contact |
1291 |
+ * openssl-core@openssl.org. |
1292 |
+ * |
1293 |
+ * 5. Products derived from this software may not be called "OpenSSL" |
1294 |
+ * nor may "OpenSSL" appear in their names without prior written |
1295 |
+ * permission of the OpenSSL Project. |
1296 |
+ * |
1297 |
+ * 6. Redistributions of any form whatsoever must retain the following |
1298 |
+ * acknowledgment: |
1299 |
+ * "This product includes software developed by the OpenSSL Project |
1300 |
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" |
1301 |
+ * |
1302 |
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY |
1303 |
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
1304 |
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
1305 |
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR |
1306 |
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
1307 |
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
1308 |
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
1309 |
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
1310 |
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, |
1311 |
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
1312 |
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED |
1313 |
+ * OF THE POSSIBILITY OF SUCH DAMAGE. |
1314 |
+ * ==================================================================== |
1315 |
+ * |
1316 |
+ * This product includes cryptographic software written by Eric Young |
1317 |
+ * (eay@cryptsoft.com). This product includes software written by Tim |
1318 |
+ * Hudson (tjh@cryptsoft.com). |
1319 |
+ * |
1320 |
+ */ |
1321 |
+#include <stdio.h> |
1322 |
+#include <openssl/objects.h> |
1323 |
+#include "ssl_locl.h" |
1324 |
+ |
1325 |
+/* Add the client's renegotiation binding */ |
1326 |
+int ssl_add_clienthello_renegotiate_ext(SSL *s, unsigned char *p, int *len, |
1327 |
+ int maxlen) |
1328 |
+ { |
1329 |
+ if(p) |
1330 |
+ { |
1331 |
+ if((s->s3->previous_client_finished_len+1) > maxlen) |
1332 |
+ { |
1333 |
+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATE_EXT_TOO_LONG); |
1334 |
+ return 0; |
1335 |
+ } |
1336 |
+ |
1337 |
+ /* Length byte */ |
1338 |
+ *p = s->s3->previous_client_finished_len; |
1339 |
+ p++; |
1340 |
+ |
1341 |
+ memcpy(p, s->s3->previous_client_finished, |
1342 |
+ s->s3->previous_client_finished_len); |
1343 |
+#ifdef OPENSSL_RI_DEBUG |
1344 |
+ fprintf(stderr, "%s RI extension sent by client\n", |
1345 |
+ s->s3->previous_client_finished_len ? "Non-empty" : "Empty"); |
1346 |
+#endif |
1347 |
+ } |
1348 |
+ |
1349 |
+ *len=s->s3->previous_client_finished_len + 1; |
1350 |
+ |
1351 |
+ |
1352 |
+ return 1; |
1353 |
+ } |
1354 |
+ |
1355 |
+/* Parse the client's renegotiation binding and abort if it's not |
1356 |
+ right */ |
1357 |
+int ssl_parse_clienthello_renegotiate_ext(SSL *s, unsigned char *d, int len, |
1358 |
+ int *al) |
1359 |
+ { |
1360 |
+ int ilen; |
1361 |
+ |
1362 |
+ /* Parse the length byte */ |
1363 |
+ if(len < 1) |
1364 |
+ { |
1365 |
+ SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_ENCODING_ERR); |
1366 |
+ *al=SSL_AD_ILLEGAL_PARAMETER; |
1367 |
+ return 0; |
1368 |
+ } |
1369 |
+ ilen = *d; |
1370 |
+ d++; |
1371 |
+ |
1372 |
+ /* Consistency check */ |
1373 |
+ if((ilen+1) != len) |
1374 |
+ { |
1375 |
+ SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_ENCODING_ERR); |
1376 |
+ *al=SSL_AD_ILLEGAL_PARAMETER; |
1377 |
+ return 0; |
1378 |
+ } |
1379 |
+ |
1380 |
+ /* Check that the extension matches */ |
1381 |
+ if(ilen != s->s3->previous_client_finished_len) |
1382 |
+ { |
1383 |
+ SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_MISMATCH); |
1384 |
+ *al=SSL_AD_HANDSHAKE_FAILURE; |
1385 |
+ return 0; |
1386 |
+ } |
1387 |
+ |
1388 |
+ if(memcmp(d, s->s3->previous_client_finished, |
1389 |
+ s->s3->previous_client_finished_len)) |
1390 |
+ { |
1391 |
+ SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_MISMATCH); |
1392 |
+ *al=SSL_AD_HANDSHAKE_FAILURE; |
1393 |
+ return 0; |
1394 |
+ } |
1395 |
+#ifdef OPENSSL_RI_DEBUG |
1396 |
+ fprintf(stderr, "%s RI extension received by server\n", |
1397 |
+ ilen ? "Non-empty" : "Empty"); |
1398 |
+#endif |
1399 |
+ |
1400 |
+ s->s3->send_connection_binding=1; |
1401 |
+ |
1402 |
+ return 1; |
1403 |
+ } |
1404 |
+ |
1405 |
+/* Add the server's renegotiation binding */ |
1406 |
+int ssl_add_serverhello_renegotiate_ext(SSL *s, unsigned char *p, int *len, |
1407 |
+ int maxlen) |
1408 |
+ { |
1409 |
+ if(p) |
1410 |
+ { |
1411 |
+ if((s->s3->previous_client_finished_len + |
1412 |
+ s->s3->previous_server_finished_len + 1) > maxlen) |
1413 |
+ { |
1414 |
+ SSLerr(SSL_F_SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATE_EXT_TOO_LONG); |
1415 |
+ return 0; |
1416 |
+ } |
1417 |
+ |
1418 |
+ /* Length byte */ |
1419 |
+ *p = s->s3->previous_client_finished_len + s->s3->previous_server_finished_len; |
1420 |
+ p++; |
1421 |
+ |
1422 |
+ memcpy(p, s->s3->previous_client_finished, |
1423 |
+ s->s3->previous_client_finished_len); |
1424 |
+ p += s->s3->previous_client_finished_len; |
1425 |
+ |
1426 |
+ memcpy(p, s->s3->previous_server_finished, |
1427 |
+ s->s3->previous_server_finished_len); |
1428 |
+#ifdef OPENSSL_RI_DEBUG |
1429 |
+ fprintf(stderr, "%s RI extension sent by server\n", |
1430 |
+ s->s3->previous_client_finished_len ? "Non-empty" : "Empty"); |
1431 |
+#endif |
1432 |
+ } |
1433 |
+ |
1434 |
+ *len=s->s3->previous_client_finished_len |
1435 |
+ + s->s3->previous_server_finished_len + 1; |
1436 |
+ |
1437 |
+ return 1; |
1438 |
+ } |
1439 |
+ |
1440 |
+/* Parse the server's renegotiation binding and abort if it's not |
1441 |
+ right */ |
1442 |
+int ssl_parse_serverhello_renegotiate_ext(SSL *s, unsigned char *d, int len, |
1443 |
+ int *al) |
1444 |
+ { |
1445 |
+ int expected_len=s->s3->previous_client_finished_len |
1446 |
+ + s->s3->previous_server_finished_len; |
1447 |
+ int ilen; |
1448 |
+ |
1449 |
+ /* Check for logic errors */ |
1450 |
+ OPENSSL_assert(!expected_len || s->s3->previous_client_finished_len); |
1451 |
+ OPENSSL_assert(!expected_len || s->s3->previous_server_finished_len); |
1452 |
+ |
1453 |
+ /* Parse the length byte */ |
1454 |
+ if(len < 1) |
1455 |
+ { |
1456 |
+ SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_ENCODING_ERR); |
1457 |
+ *al=SSL_AD_ILLEGAL_PARAMETER; |
1458 |
+ return 0; |
1459 |
+ } |
1460 |
+ ilen = *d; |
1461 |
+ d++; |
1462 |
+ |
1463 |
+ /* Consistency check */ |
1464 |
+ if(ilen+1 != len) |
1465 |
+ { |
1466 |
+ SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_ENCODING_ERR); |
1467 |
+ *al=SSL_AD_ILLEGAL_PARAMETER; |
1468 |
+ return 0; |
1469 |
+ } |
1470 |
+ |
1471 |
+ /* Check that the extension matches */ |
1472 |
+ if(ilen != expected_len) |
1473 |
+ { |
1474 |
+ SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_MISMATCH); |
1475 |
+ *al=SSL_AD_HANDSHAKE_FAILURE; |
1476 |
+ return 0; |
1477 |
+ } |
1478 |
+ |
1479 |
+ if(memcmp(d, s->s3->previous_client_finished, |
1480 |
+ s->s3->previous_client_finished_len)) |
1481 |
+ { |
1482 |
+ SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_MISMATCH); |
1483 |
+ *al=SSL_AD_HANDSHAKE_FAILURE; |
1484 |
+ return 0; |
1485 |
+ } |
1486 |
+ d += s->s3->previous_client_finished_len; |
1487 |
+ |
1488 |
+ if(memcmp(d, s->s3->previous_server_finished, |
1489 |
+ s->s3->previous_server_finished_len)) |
1490 |
+ { |
1491 |
+ SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_MISMATCH); |
1492 |
+ *al=SSL_AD_ILLEGAL_PARAMETER; |
1493 |
+ return 0; |
1494 |
+ } |
1495 |
+#ifdef OPENSSL_RI_DEBUG |
1496 |
+ fprintf(stderr, "%s RI extension received by client\n", |
1497 |
+ ilen ? "Non-empty" : "Empty"); |
1498 |
+#endif |
1499 |
+ s->s3->send_connection_binding=1; |
1500 |
+ |
1501 |
+ return 1; |
1502 |
+ } |