/[smeserver]/rpms/openssl/sme8/openssl-fips-0.9.8e-cve-2009-3555.patch
ViewVC logotype

Contents of /rpms/openssl/sme8/openssl-fips-0.9.8e-cve-2009-3555.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (show annotations) (download)
Tue Feb 18 03:03:09 2014 UTC (10 years, 8 months ago) by wellsi
Branch: MAIN
CVS Tags: openssl-0_9_8e-28_el5_sme, openssl-0_9_8e-33_1_el5_sme, openssl-0_9_8e-32_1_el5_sme, openssl-0_9_8e-27_1_el5_sme, openssl-0_9_8e-27_el5_10_1, openssl-0_9_8e-31_1_el5_sme, HEAD
Branch point for: upstream
Error occurred while calculating annotation data.
Initial import

1 diff -up openssl-fips-0.9.8e/apps/s_client.c.reneg openssl-fips-0.9.8e/apps/s_client.c
2 --- openssl-fips-0.9.8e/apps/s_client.c.reneg 2010-02-18 15:58:31.000000000 +0100
3 +++ openssl-fips-0.9.8e/apps/s_client.c 2010-02-18 15:58:31.000000000 +0100
4 @@ -231,7 +231,7 @@ static void sc_usage(void)
5 BIO_printf(bio_err," -engine id - Initialise and use the specified engine\n");
6 #endif
7 BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
8 -
9 + BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
10 }
11
12 enum
13 @@ -247,7 +247,7 @@ int MAIN(int, char **);
14
15 int MAIN(int argc, char **argv)
16 {
17 - int off=0;
18 + int off=0, clr = 0;
19 SSL *con=NULL,*con2=NULL;
20 X509_STORE *store = NULL;
21 int s,k,width,state=0;
22 @@ -461,6 +461,12 @@ int MAIN(int argc, char **argv)
23 off|=SSL_OP_NO_SSLv2;
24 else if (strcmp(*argv,"-serverpref") == 0)
25 off|=SSL_OP_CIPHER_SERVER_PREFERENCE;
26 + else if (strcmp(*argv,"-legacy_renegotiation") == 0)
27 + off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
28 + else if (strcmp(*argv,"-legacy_server_connect") == 0)
29 + { off|=SSL_OP_LEGACY_SERVER_CONNECT; }
30 + else if (strcmp(*argv,"-no_legacy_server_connect") == 0)
31 + { clr|=SSL_OP_LEGACY_SERVER_CONNECT; }
32 else if (strcmp(*argv,"-cipher") == 0)
33 {
34 if (--argc < 1) goto bad;
35 @@ -589,6 +595,9 @@ bad:
36 SSL_CTX_set_options(ctx,SSL_OP_ALL|off);
37 else
38 SSL_CTX_set_options(ctx,off);
39 +
40 + if (clr)
41 + SSL_CTX_clear_options(ctx, clr);
42 /* DTLS: partial reads end up discarding unread UDP bytes :-(
43 * Setting read ahead solves this problem.
44 */
45 @@ -1290,6 +1299,8 @@ static void print_stuff(BIO *bio, SSL *s
46 EVP_PKEY_bits(pktmp));
47 EVP_PKEY_free(pktmp);
48 }
49 + BIO_printf(bio, "Secure Renegotiation IS%s supported\n",
50 + SSL_get_secure_renegotiation_support(s) ? "" : " NOT");
51 #ifndef OPENSSL_NO_COMP
52 comp=SSL_get_current_compression(s);
53 expansion=SSL_get_current_expansion(s);
54 diff -up openssl-fips-0.9.8e/apps/s_server.c.reneg openssl-fips-0.9.8e/apps/s_server.c
55 --- openssl-fips-0.9.8e/apps/s_server.c.reneg 2010-02-18 15:58:31.000000000 +0100
56 +++ openssl-fips-0.9.8e/apps/s_server.c 2010-02-18 15:58:31.000000000 +0100
57 @@ -371,6 +371,7 @@ static void sv_usage(void)
58 #endif
59 BIO_printf(bio_err," -id_prefix arg - Generate SSL/TLS session IDs prefixed by 'arg'\n");
60 BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
61 + BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
62 }
63
64 static int local_argc=0;
65 @@ -700,6 +701,8 @@ int MAIN(int argc, char *argv[])
66 }
67 else if (strcmp(*argv,"-serverpref") == 0)
68 { off|=SSL_OP_CIPHER_SERVER_PREFERENCE; }
69 + else if (strcmp(*argv,"-legacy_renegotiation") == 0)
70 + off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
71 else if (strcmp(*argv,"-cipher") == 0)
72 {
73 if (--argc < 1) goto bad;
74 @@ -1534,6 +1537,8 @@ static int init_ssl_connection(SSL *con)
75 con->kssl_ctx->client_princ);
76 }
77 #endif /* OPENSSL_NO_KRB5 */
78 + BIO_printf(bio_s_out, "Secure Renegotiation IS%s supported\n",
79 + SSL_get_secure_renegotiation_support(con) ? "" : " NOT");
80 return(1);
81 }
82
83 diff -up openssl-fips-0.9.8e/doc/ssl/SSL_CTX_set_options.pod.reneg openssl-fips-0.9.8e/doc/ssl/SSL_CTX_set_options.pod
84 --- openssl-fips-0.9.8e/doc/ssl/SSL_CTX_set_options.pod.reneg 2005-10-11 12:16:09.000000000 +0200
85 +++ openssl-fips-0.9.8e/doc/ssl/SSL_CTX_set_options.pod 2010-02-18 16:10:52.000000000 +0100
86 @@ -2,7 +2,7 @@
87
88 =head1 NAME
89
90 -SSL_CTX_set_options, SSL_set_options, SSL_CTX_get_options, SSL_get_options - manipulate SSL engine options
91 +SSL_CTX_set_options, SSL_set_options, SSL_CTX_clear_options, SSL_clear_options, SSL_CTX_get_options, SSL_get_options, SSL_get_secure_renegotiation_support - manipulate SSL options
92
93 =head1 SYNOPSIS
94
95 @@ -11,26 +11,41 @@ SSL_CTX_set_options, SSL_set_options, SS
96 long SSL_CTX_set_options(SSL_CTX *ctx, long options);
97 long SSL_set_options(SSL *ssl, long options);
98
99 + long SSL_CTX_clear_options(SSL_CTX *ctx, long options);
100 + long SSL_clear_options(SSL *ssl, long options);
101 +
102 long SSL_CTX_get_options(SSL_CTX *ctx);
103 long SSL_get_options(SSL *ssl);
104
105 + long SSL_get_secure_renegotiation_support(SSL *ssl);
106 +
107 =head1 DESCRIPTION
108
109 +Note: all these functions are implemented using macros.
110 +
111 SSL_CTX_set_options() adds the options set via bitmask in B<options> to B<ctx>.
112 Options already set before are not cleared!
113
114 SSL_set_options() adds the options set via bitmask in B<options> to B<ssl>.
115 Options already set before are not cleared!
116
117 +SSL_CTX_clear_options() clears the options set via bitmask in B<options>
118 +to B<ctx>.
119 +
120 +SSL_clear_options() clears the options set via bitmask in B<options> to B<ssl>.
121 +
122 SSL_CTX_get_options() returns the options set for B<ctx>.
123
124 SSL_get_options() returns the options set for B<ssl>.
125
126 +SSL_get_secure_renegotiation_support() indicates whether the peer supports
127 +secure renegotiation.
128 +
129 =head1 NOTES
130
131 The behaviour of the SSL library can be changed by setting several options.
132 The options are coded as bitmasks and can be combined by a logical B<or>
133 -operation (|). Options can only be added but can never be reset.
134 +operation (|).
135
136 SSL_CTX_set_options() and SSL_set_options() affect the (external)
137 protocol behaviour of the SSL library. The (internal) behaviour of
138 @@ -199,17 +214,109 @@ Do not use the TLSv1 protocol.
139
140 When performing renegotiation as a server, always start a new session
141 (i.e., session resumption requests are only accepted in the initial
142 -handshake). This option is not needed for clients.
143 +handshake). This option is not needed for clients.
144 +
145 +=item SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
146 +
147 +Allow legacy insecure renegotiation between OpenSSL and unpatched clients or
148 +servers. See the B<SECURE RENEGOTIATION> section for more details.
149 +
150 +=item SSL_OP_LEGACY_SERVER_CONNECT
151 +
152 +Allow legacy insecure renegotiation between OpenSSL and unpatched servers
153 +B<only>: this option is currently set by default. See the
154 +B<SECURE RENEGOTIATION> section for more details.
155
156 =back
157
158 +=head1 SECURE RENEGOTIATION
159 +
160 +OpenSSL 0.9.8m and later always attempts to use secure renegotiation as
161 +described in RFC5746. This counters the prefix attack described in
162 +CVE-2009-3555 and elsewhere.
163 +
164 +The deprecated and highly broken SSLv2 protocol does not support
165 +renegotiation at all: its use is B<strongly> discouraged.
166 +
167 +This attack has far reaching consequences which application writers should be
168 +aware of. In the description below an implementation supporting secure
169 +renegotiation is referred to as I<patched>. A server not supporting secure
170 +renegotiation is referred to as I<unpatched>.
171 +
172 +The following sections describe the operations permitted by OpenSSL's secure
173 +renegotiation implementation.
174 +
175 +=head2 Patched client and server
176 +
177 +Connections and renegotiation are always permitted by OpenSSL implementations.
178 +
179 +=head2 Unpatched client and patched OpenSSL server
180 +
181 +The initial connection suceeds but client renegotiation is denied by the
182 +server with a B<no_renegotiation> warning alert if TLS v1.0 is used or a fatal
183 +B<handshake_failure> alert in SSL v3.0.
184 +
185 +If the patched OpenSSL server attempts to renegotiate a fatal
186 +B<handshake_failure> alert is sent. This is because the server code may be
187 +unaware of the unpatched nature of the client.
188 +
189 +If the option B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> is set then
190 +renegotiation B<always> succeeds.
191 +
192 +B<NB:> a bug in OpenSSL clients earlier than 0.9.8m (all of which are
193 +unpatched) will result in the connection hanging if it receives a
194 +B<no_renegotiation> alert. OpenSSL versions 0.9.8m and later will regard
195 +a B<no_renegotiation> alert as fatal and respond with a fatal
196 +B<handshake_failure> alert. This is because the OpenSSL API currently has
197 +no provision to indicate to an application that a renegotiation attempt
198 +was refused.
199 +
200 +=head2 Patched OpenSSL client and unpatched server.
201 +
202 +If the option B<SSL_OP_LEGACY_SERVER_CONNECT> or
203 +B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> is set then initial connections
204 +and renegotiation between patched OpenSSL clients and unpatched servers
205 +succeeds. If neither option is set then initial connections to unpatched
206 +servers will fail.
207 +
208 +The option B<SSL_OP_LEGACY_SERVER_CONNECT> is currently set by default even
209 +though it has security implications: otherwise it would be impossible to
210 +connect to unpatched servers (i.e. all of them initially) and this is clearly
211 +not acceptable. Renegotiation is permitted because this does not add any
212 +additional security issues: during an attack clients do not see any
213 +renegotiations anyway.
214 +
215 +As more servers become patched the option B<SSL_OP_LEGACY_SERVER_CONNECT> will
216 +B<not> be set by default in a future version of OpenSSL.
217 +
218 +OpenSSL client applications wishing to ensure they can connect to unpatched
219 +servers should always B<set> B<SSL_OP_LEGACY_SERVER_CONNECT>
220 +
221 +OpenSSL client applications that want to ensure they can B<not> connect to
222 +unpatched servers (and thus avoid any security issues) should always B<clear>
223 +B<SSL_OP_LEGACY_SERVER_CONNECT> using SSL_CTX_clear_options() or
224 +SSL_clear_options().
225 +
226 +The difference between the B<SSL_OP_LEGACY_SERVER_CONNECT> and
227 +B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> options is that
228 +B<SSL_OP_LEGACY_SERVER_CONNECT> enables initial connections and secure
229 +renegotiation between OpenSSL clients and unpatched servers B<only>, while
230 +B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> allows initial connections
231 +and renegotiation between OpenSSL and unpatched clients or servers.
232 +
233 =head1 RETURN VALUES
234
235 SSL_CTX_set_options() and SSL_set_options() return the new options bitmask
236 after adding B<options>.
237
238 +SSL_CTX_clear_options() and SSL_clear_options() return the new options bitmask
239 +after clearing B<options>.
240 +
241 SSL_CTX_get_options() and SSL_get_options() return the current bitmask.
242
243 +SSL_get_secure_renegotiation_support() returns 1 is the peer supports
244 +secure renegotiation and 0 if it does not.
245 +
246 =head1 SEE ALSO
247
248 L<ssl(3)|ssl(3)>, L<SSL_new(3)|SSL_new(3)>, L<SSL_clear(3)|SSL_clear(3)>,
249 @@ -232,4 +339,11 @@ Versions up to OpenSSL 0.9.6c do not inc
250 can be disabled with this option (in OpenSSL 0.9.6d, it was always
251 enabled).
252
253 +SSL_CTX_clear_options() and SSL_clear_options() were first added in OpenSSL
254 +0.9.8m.
255 +
256 +B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION>, B<SSL_OP_LEGACY_SERVER_CONNECT>
257 +and the function SSL_get_secure_renegotiation_support() were first added in
258 +OpenSSL 0.9.8m.
259 +
260 =cut
261 diff -up openssl-fips-0.9.8e/ssl/d1_both.c.reneg openssl-fips-0.9.8e/ssl/d1_both.c
262 --- openssl-fips-0.9.8e/ssl/d1_both.c.reneg 2010-02-18 15:58:31.000000000 +0100
263 +++ openssl-fips-0.9.8e/ssl/d1_both.c 2010-02-18 15:58:31.000000000 +0100
264 @@ -750,6 +750,24 @@ int dtls1_send_finished(SSL *s, int a, i
265 p+=i;
266 l=i;
267
268 + /* Copy the finished so we can use it for
269 + * renegotiation checks
270 + */
271 + if(s->type == SSL_ST_CONNECT)
272 + {
273 + OPENSSL_assert(i <= EVP_MAX_MD_SIZE);
274 + memcpy(s->s3->previous_client_finished,
275 + s->s3->tmp.finish_md, i);
276 + s->s3->previous_client_finished_len=i;
277 + }
278 + else
279 + {
280 + OPENSSL_assert(i <= EVP_MAX_MD_SIZE);
281 + memcpy(s->s3->previous_server_finished,
282 + s->s3->tmp.finish_md, i);
283 + s->s3->previous_server_finished_len=i;
284 + }
285 +
286 #ifdef OPENSSL_SYS_WIN16
287 /* MSVC 1.5 does not clear the top bytes of the word unless
288 * I do this.
289 diff -up openssl-fips-0.9.8e/ssl/d1_clnt.c.reneg openssl-fips-0.9.8e/ssl/d1_clnt.c
290 --- openssl-fips-0.9.8e/ssl/d1_clnt.c.reneg 2010-02-18 15:58:31.000000000 +0100
291 +++ openssl-fips-0.9.8e/ssl/d1_clnt.c 2010-02-18 15:58:31.000000000 +0100
292 @@ -621,7 +621,13 @@ int dtls1_client_hello(SSL *s)
293 *(p++)=comp->id;
294 }
295 *(p++)=0; /* Add the NULL method */
296 -
297 +
298 + if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
299 + {
300 + SSLerr(SSL_F_DTLS1_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
301 + goto err;
302 + }
303 +
304 l=(p-d);
305 d=buf;
306
307 diff -up openssl-fips-0.9.8e/ssl/d1_srvr.c.reneg openssl-fips-0.9.8e/ssl/d1_srvr.c
308 --- openssl-fips-0.9.8e/ssl/d1_srvr.c.reneg 2010-02-18 15:58:31.000000000 +0100
309 +++ openssl-fips-0.9.8e/ssl/d1_srvr.c 2010-02-18 15:58:31.000000000 +0100
310 @@ -267,7 +267,6 @@ int dtls1_accept(SSL *s)
311 s->shutdown=0;
312 ret=ssl3_get_client_hello(s);
313 if (ret <= 0) goto end;
314 - s->new_session = 2;
315
316 if ( s->d1->send_cookie)
317 s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A;
318 @@ -293,6 +292,7 @@ int dtls1_accept(SSL *s)
319
320 case SSL3_ST_SW_SRVR_HELLO_A:
321 case SSL3_ST_SW_SRVR_HELLO_B:
322 + s->new_session = 2;
323 ret=dtls1_send_server_hello(s);
324 if (ret <= 0) goto end;
325
326 @@ -713,6 +713,8 @@ int dtls1_send_server_hello(SSL *s)
327 p+=sl;
328
329 /* put the cipher */
330 + if (s->s3->tmp.new_cipher == NULL)
331 + return -1;
332 i=ssl3_put_cipher_by_char(s->s3->tmp.new_cipher,p);
333 p+=i;
334
335 @@ -726,13 +728,21 @@ int dtls1_send_server_hello(SSL *s)
336 *(p++)=s->s3->tmp.new_compression->id;
337 #endif
338
339 +#ifndef OPENSSL_NO_TLSEXT
340 + if ((p = ssl_add_serverhello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
341 + {
342 + SSLerr(SSL_F_DTLS1_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR);
343 + return -1;
344 + }
345 +#endif
346 +
347 /* do the header */
348 l=(p-d);
349 d=buf;
350
351 d = dtls1_set_message_header(s, d, SSL3_MT_SERVER_HELLO, l, 0, l);
352
353 - s->state=SSL3_ST_CW_CLNT_HELLO_B;
354 + s->state=SSL3_ST_SW_SRVR_HELLO_B;
355 /* number of bytes to write */
356 s->init_num=p-buf;
357 s->init_off=0;
358 @@ -741,7 +751,7 @@ int dtls1_send_server_hello(SSL *s)
359 dtls1_buffer_message(s, 0);
360 }
361
362 - /* SSL3_ST_CW_CLNT_HELLO_B */
363 + /* SSL3_ST_SW_SRVR_HELLO_B */
364 return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
365 }
366
367 @@ -765,7 +775,7 @@ int dtls1_send_server_done(SSL *s)
368 dtls1_buffer_message(s, 0);
369 }
370
371 - /* SSL3_ST_CW_CLNT_HELLO_B */
372 + /* SSL3_ST_SW_SRVR_DONE_B */
373 return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
374 }
375
376 diff -up openssl-fips-0.9.8e/ssl/Makefile.reneg openssl-fips-0.9.8e/ssl/Makefile
377 --- openssl-fips-0.9.8e/ssl/Makefile.reneg 2007-08-01 13:33:16.000000000 +0200
378 +++ openssl-fips-0.9.8e/ssl/Makefile 2010-02-18 15:58:31.000000000 +0100
379 @@ -30,7 +30,7 @@ LIBSRC= \
380 ssl_lib.c ssl_err2.c ssl_cert.c ssl_sess.c \
381 ssl_ciph.c ssl_stat.c ssl_rsa.c \
382 ssl_asn1.c ssl_txt.c ssl_algs.c \
383 - bio_ssl.c ssl_err.c kssl.c
384 + bio_ssl.c ssl_err.c kssl.c t1_reneg.c
385 LIBOBJ= \
386 s2_meth.o s2_srvr.o s2_clnt.o s2_lib.o s2_enc.o s2_pkt.o \
387 s3_meth.o s3_srvr.o s3_clnt.o s3_lib.o s3_enc.o s3_pkt.o s3_both.o \
388 @@ -41,7 +41,7 @@ LIBOBJ= \
389 ssl_lib.o ssl_err2.o ssl_cert.o ssl_sess.o \
390 ssl_ciph.o ssl_stat.o ssl_rsa.o \
391 ssl_asn1.o ssl_txt.o ssl_algs.o \
392 - bio_ssl.o ssl_err.o kssl.o
393 + bio_ssl.o ssl_err.o kssl.o t1_reneg.o
394
395 SRC= $(LIBSRC)
396
397 diff -up openssl-fips-0.9.8e/ssl/ssl_err.c.reneg openssl-fips-0.9.8e/ssl/ssl_err.c
398 --- openssl-fips-0.9.8e/ssl/ssl_err.c.reneg 2010-02-18 15:58:31.000000000 +0100
399 +++ openssl-fips-0.9.8e/ssl/ssl_err.c 2010-02-18 15:58:31.000000000 +0100
400 @@ -168,8 +168,12 @@ static ERR_STRING_DATA SSL_str_functs[]=
401 {ERR_FUNC(SSL_F_SSL3_SETUP_KEY_BLOCK), "SSL3_SETUP_KEY_BLOCK"},
402 {ERR_FUNC(SSL_F_SSL3_WRITE_BYTES), "SSL3_WRITE_BYTES"},
403 {ERR_FUNC(SSL_F_SSL3_WRITE_PENDING), "SSL3_WRITE_PENDING"},
404 +{ERR_FUNC(SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT), "SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT"},
405 +{ERR_FUNC(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT), "SSL_ADD_CLIENTHELLO_TLSEXT"},
406 {ERR_FUNC(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK), "SSL_add_dir_cert_subjects_to_stack"},
407 {ERR_FUNC(SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK), "SSL_add_file_cert_subjects_to_stack"},
408 +{ERR_FUNC(SSL_F_SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT), "SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT"},
409 +{ERR_FUNC(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT), "SSL_ADD_SERVERHELLO_TLSEXT"},
410 {ERR_FUNC(SSL_F_SSL_BAD_METHOD), "SSL_BAD_METHOD"},
411 {ERR_FUNC(SSL_F_SSL_BYTES_TO_CIPHER_LIST), "SSL_BYTES_TO_CIPHER_LIST"},
412 {ERR_FUNC(SSL_F_SSL_CERT_DUP), "SSL_CERT_DUP"},
413 @@ -208,6 +212,10 @@ static ERR_STRING_DATA SSL_str_functs[]=
414 {ERR_FUNC(SSL_F_SSL_INIT_WBIO_BUFFER), "SSL_INIT_WBIO_BUFFER"},
415 {ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE), "SSL_load_client_CA_file"},
416 {ERR_FUNC(SSL_F_SSL_NEW), "SSL_new"},
417 +{ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT), "SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT"},
418 +{ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT), "SSL_PARSE_CLIENTHELLO_TLSEXT"},
419 +{ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT), "SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT"},
420 +{ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT), "SSL_PARSE_SERVERHELLO_TLSEXT"},
421 {ERR_FUNC(SSL_F_SSL_PEEK), "SSL_peek"},
422 {ERR_FUNC(SSL_F_SSL_READ), "SSL_read"},
423 {ERR_FUNC(SSL_F_SSL_RSA_PRIVATE_DECRYPT), "SSL_RSA_PRIVATE_DECRYPT"},
424 @@ -371,6 +379,7 @@ static ERR_STRING_DATA SSL_str_reasons[]
425 {ERR_REASON(SSL_R_NO_PRIVATE_KEY_ASSIGNED),"no private key assigned"},
426 {ERR_REASON(SSL_R_NO_PROTOCOLS_AVAILABLE),"no protocols available"},
427 {ERR_REASON(SSL_R_NO_PUBLICKEY) ,"no publickey"},
428 +{ERR_REASON(SSL_R_NO_RENEGOTIATION) ,"no renegotiation"},
429 {ERR_REASON(SSL_R_NO_SHARED_CIPHER) ,"no shared cipher"},
430 {ERR_REASON(SSL_R_NO_VERIFY_CALLBACK) ,"no verify callback"},
431 {ERR_REASON(SSL_R_NULL_SSL_CTX) ,"null ssl ctx"},
432 @@ -378,6 +387,7 @@ static ERR_STRING_DATA SSL_str_reasons[]
433 {ERR_REASON(SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED),"old session cipher not returned"},
434 {ERR_REASON(SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE),"only tls allowed in fips mode"},
435 {ERR_REASON(SSL_R_PACKET_LENGTH_TOO_LONG),"packet length too long"},
436 +{ERR_REASON(SSL_R_PARSE_TLSEXT) ,"parse tlsext"},
437 {ERR_REASON(SSL_R_PATH_TOO_LONG) ,"path too long"},
438 {ERR_REASON(SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE),"peer did not return a certificate"},
439 {ERR_REASON(SSL_R_PEER_ERROR) ,"peer error"},
440 @@ -397,10 +407,14 @@ static ERR_STRING_DATA SSL_str_reasons[]
441 {ERR_REASON(SSL_R_RECORD_LENGTH_MISMATCH),"record length mismatch"},
442 {ERR_REASON(SSL_R_RECORD_TOO_LARGE) ,"record too large"},
443 {ERR_REASON(SSL_R_RECORD_TOO_SMALL) ,"record too small"},
444 +{ERR_REASON(SSL_R_RENEGOTIATE_EXT_TOO_LONG),"renegotiate ext too long"},
445 +{ERR_REASON(SSL_R_RENEGOTIATION_ENCODING_ERR),"renegotiation encoding err"},
446 +{ERR_REASON(SSL_R_RENEGOTIATION_MISMATCH),"renegotiation mismatch"},
447 {ERR_REASON(SSL_R_REQUIRED_CIPHER_MISSING),"required cipher missing"},
448 {ERR_REASON(SSL_R_REUSE_CERT_LENGTH_NOT_ZERO),"reuse cert length not zero"},
449 {ERR_REASON(SSL_R_REUSE_CERT_TYPE_NOT_ZERO),"reuse cert type not zero"},
450 {ERR_REASON(SSL_R_REUSE_CIPHER_LIST_NOT_ZERO),"reuse cipher list not zero"},
451 +{ERR_REASON(SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING),"scsv received when renegotiating"},
452 {ERR_REASON(SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED),"session id context uninitialized"},
453 {ERR_REASON(SSL_R_SHORT_READ) ,"short read"},
454 {ERR_REASON(SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE),"signature for non signing certificate"},
455 @@ -466,6 +480,7 @@ static ERR_STRING_DATA SSL_str_reasons[]
456 {ERR_REASON(SSL_R_UNKNOWN_REMOTE_ERROR_TYPE),"unknown remote error type"},
457 {ERR_REASON(SSL_R_UNKNOWN_SSL_VERSION) ,"unknown ssl version"},
458 {ERR_REASON(SSL_R_UNKNOWN_STATE) ,"unknown state"},
459 +{ERR_REASON(SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED),"unsafe legacy renegotiation disabled"},
460 {ERR_REASON(SSL_R_UNSUPPORTED_CIPHER) ,"unsupported cipher"},
461 {ERR_REASON(SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM),"unsupported compression algorithm"},
462 {ERR_REASON(SSL_R_UNSUPPORTED_ELLIPTIC_CURVE),"unsupported elliptic curve"},
463 diff -up openssl-fips-0.9.8e/ssl/ssl.h.reneg openssl-fips-0.9.8e/ssl/ssl.h
464 --- openssl-fips-0.9.8e/ssl/ssl.h.reneg 2010-02-18 15:58:31.000000000 +0100
465 +++ openssl-fips-0.9.8e/ssl/ssl.h 2010-02-18 15:58:31.000000000 +0100
466 @@ -480,6 +480,8 @@ typedef struct ssl_session_st
467
468 #define SSL_OP_MICROSOFT_SESS_ID_BUG 0x00000001L
469 #define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x00000002L
470 +/* Allow initial connection to servers that don't support RI */
471 +#define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L
472 #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L /* can break some security expectations */
473 #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L
474 #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L
475 @@ -506,6 +508,8 @@ typedef struct ssl_session_st
476
477 /* As server, disallow session resumption on renegotiation */
478 #define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0x00010000L
479 +/* Permit unsafe legacy renegotiation */
480 +#define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x00040000L
481 /* If set, always create a new key when using tmp_ecdh parameters */
482 #define SSL_OP_SINGLE_ECDH_USE 0x00080000L
483 /* If set, always create a new key when using tmp_dh parameters */
484 @@ -554,17 +558,25 @@ typedef struct ssl_session_st
485
486 #define SSL_CTX_set_options(ctx,op) \
487 SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,(op),NULL)
488 +#define SSL_CTX_clear_options(ctx,op) \
489 + SSL_CTX_ctrl((ctx),SSL_CTRL_CLEAR_OPTIONS,(op),NULL)
490 #define SSL_CTX_get_options(ctx) \
491 SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,0,NULL)
492 #define SSL_set_options(ssl,op) \
493 SSL_ctrl((ssl),SSL_CTRL_OPTIONS,(op),NULL)
494 +#define SSL_clear_options(ssl,op) \
495 + SSL_ctrl((ssl),SSL_CTRL_CLEAR_OPTIONS,(op),NULL)
496 #define SSL_get_options(ssl) \
497 SSL_ctrl((ssl),SSL_CTRL_OPTIONS,0,NULL)
498
499 #define SSL_CTX_set_mode(ctx,op) \
500 SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,(op),NULL)
501 +#define SSL_CTX_clear_mode(ctx,op) \
502 + SSL_CTX_ctrl((ctx),SSL_CTRL_CLEAR_MODE,(op),NULL)
503 #define SSL_CTX_get_mode(ctx) \
504 SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,0,NULL)
505 +#define SSL_clear_mode(ssl,op) \
506 + SSL_ctrl((ssl),SSL_CTRL_CLEAR_MODE,(op),NULL)
507 #define SSL_set_mode(ssl,op) \
508 SSL_ctrl((ssl),SSL_CTRL_MODE,(op),NULL)
509 #define SSL_get_mode(ssl) \
510 @@ -572,6 +584,8 @@ typedef struct ssl_session_st
511 #define SSL_set_mtu(ssl, mtu) \
512 SSL_ctrl((ssl),SSL_CTRL_SET_MTU,(mtu),NULL)
513
514 +#define SSL_get_secure_renegotiation_support(ssl) \
515 + SSL_ctrl((ssl), SSL_CTRL_GET_RI_SUPPORT, 0, NULL)
516
517 void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
518 void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
519 @@ -1189,6 +1203,10 @@ size_t SSL_get_peer_finished(const SSL *
520 #define SSL_CTRL_GET_MAX_CERT_LIST 50
521 #define SSL_CTRL_SET_MAX_CERT_LIST 51
522
523 +#define SSL_CTRL_GET_RI_SUPPORT 76
524 +#define SSL_CTRL_CLEAR_OPTIONS 77
525 +#define SSL_CTRL_CLEAR_MODE 78
526 +
527 #define SSL_session_reused(ssl) \
528 SSL_ctrl((ssl),SSL_CTRL_GET_SESSION_REUSED,0,NULL)
529 #define SSL_num_renegotiations(ssl) \
530 @@ -1650,8 +1668,12 @@ void ERR_load_SSL_strings(void);
531 #define SSL_F_SSL3_SETUP_KEY_BLOCK 157
532 #define SSL_F_SSL3_WRITE_BYTES 158
533 #define SSL_F_SSL3_WRITE_PENDING 159
534 +#define SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT 285
535 +#define SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT 272
536 #define SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK 215
537 #define SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK 216
538 +#define SSL_F_SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT 286
539 +#define SSL_F_SSL_ADD_SERVERHELLO_TLSEXT 273
540 #define SSL_F_SSL_BAD_METHOD 160
541 #define SSL_F_SSL_BYTES_TO_CIPHER_LIST 161
542 #define SSL_F_SSL_CERT_DUP 221
543 @@ -1690,6 +1712,10 @@ void ERR_load_SSL_strings(void);
544 #define SSL_F_SSL_INIT_WBIO_BUFFER 184
545 #define SSL_F_SSL_LOAD_CLIENT_CA_FILE 185
546 #define SSL_F_SSL_NEW 186
547 +#define SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT 287
548 +#define SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT 290
549 +#define SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT 289
550 +#define SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT 291
551 #define SSL_F_SSL_PEEK 270
552 #define SSL_F_SSL_READ 223
553 #define SSL_F_SSL_RSA_PRIVATE_DECRYPT 187
554 @@ -1850,6 +1876,7 @@ void ERR_load_SSL_strings(void);
555 #define SSL_R_NO_PRIVATE_KEY_ASSIGNED 190
556 #define SSL_R_NO_PROTOCOLS_AVAILABLE 191
557 #define SSL_R_NO_PUBLICKEY 192
558 +#define SSL_R_NO_RENEGOTIATION 319
559 #define SSL_R_NO_SHARED_CIPHER 193
560 #define SSL_R_NO_VERIFY_CALLBACK 194
561 #define SSL_R_NULL_SSL_CTX 195
562 @@ -1857,6 +1884,7 @@ void ERR_load_SSL_strings(void);
563 #define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 197
564 #define SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE 297
565 #define SSL_R_PACKET_LENGTH_TOO_LONG 198
566 +#define SSL_R_PARSE_TLSEXT 223
567 #define SSL_R_PATH_TOO_LONG 270
568 #define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE 199
569 #define SSL_R_PEER_ERROR 200
570 @@ -1876,10 +1904,14 @@ void ERR_load_SSL_strings(void);
571 #define SSL_R_RECORD_LENGTH_MISMATCH 213
572 #define SSL_R_RECORD_TOO_LARGE 214
573 #define SSL_R_RECORD_TOO_SMALL 298
574 +#define SSL_R_RENEGOTIATE_EXT_TOO_LONG 320
575 +#define SSL_R_RENEGOTIATION_ENCODING_ERR 321
576 +#define SSL_R_RENEGOTIATION_MISMATCH 322
577 #define SSL_R_REQUIRED_CIPHER_MISSING 215
578 #define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO 216
579 #define SSL_R_REUSE_CERT_TYPE_NOT_ZERO 217
580 #define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO 218
581 +#define SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING 324
582 #define SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED 277
583 #define SSL_R_SHORT_READ 219
584 #define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 220
585 @@ -1945,6 +1977,7 @@ void ERR_load_SSL_strings(void);
586 #define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE 253
587 #define SSL_R_UNKNOWN_SSL_VERSION 254
588 #define SSL_R_UNKNOWN_STATE 255
589 +#define SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED 323
590 #define SSL_R_UNSUPPORTED_CIPHER 256
591 #define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 257
592 #define SSL_R_UNSUPPORTED_ELLIPTIC_CURVE 315
593 diff -up openssl-fips-0.9.8e/ssl/ssl_lib.c.reneg openssl-fips-0.9.8e/ssl/ssl_lib.c
594 --- openssl-fips-0.9.8e/ssl/ssl_lib.c.reneg 2010-02-18 15:58:31.000000000 +0100
595 +++ openssl-fips-0.9.8e/ssl/ssl_lib.c 2010-02-18 16:10:30.000000000 +0100
596 @@ -958,8 +958,12 @@ long SSL_ctrl(SSL *s,int cmd,long larg,v
597
598 case SSL_CTRL_OPTIONS:
599 return(s->options|=larg);
600 + case SSL_CTRL_CLEAR_OPTIONS:
601 + return(s->options&=~larg);
602 case SSL_CTRL_MODE:
603 return(s->mode|=larg);
604 + case SSL_CTRL_CLEAR_MODE:
605 + return(s->mode &=~larg);
606 case SSL_CTRL_GET_MAX_CERT_LIST:
607 return(s->max_cert_list);
608 case SSL_CTRL_SET_MAX_CERT_LIST:
609 @@ -973,6 +977,10 @@ long SSL_ctrl(SSL *s,int cmd,long larg,v
610 return larg;
611 }
612 return 0;
613 + case SSL_CTRL_GET_RI_SUPPORT:
614 + if (s->s3)
615 + return s->s3->send_connection_binding;
616 + else return 0;
617 default:
618 return(s->method->ssl_ctrl(s,cmd,larg,parg));
619 }
620 @@ -1059,8 +1067,12 @@ long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd,l
621 return(ctx->stats.sess_cache_full);
622 case SSL_CTRL_OPTIONS:
623 return(ctx->options|=larg);
624 + case SSL_CTRL_CLEAR_OPTIONS:
625 + return(ctx->options&=~larg);
626 case SSL_CTRL_MODE:
627 return(ctx->mode|=larg);
628 + case SSL_CTRL_CLEAR_MODE:
629 + return(ctx->mode&=~larg);
630 default:
631 return(ctx->method->ssl_ctx_ctrl(ctx,cmd,larg,parg));
632 }
633 @@ -1257,6 +1269,22 @@ int ssl_cipher_list_to_bytes(SSL *s,STAC
634 j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p);
635 p+=j;
636 }
637 + /* If p == q, no ciphers and caller indicates an error. Otherwise
638 + * add SCSV if not renegotiating.
639 + */
640 + if (p != q && !s->new_session)
641 + {
642 + static SSL_CIPHER scsv =
643 + {
644 + 0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0,
645 + };
646 + j = put_cb ? put_cb(&scsv,p) : ssl_put_cipher_by_char(s,&scsv,p);
647 + p+=j;
648 +#ifdef OPENSSL_RI_DEBUG
649 + fprintf(stderr, "SCSV sent by client\n");
650 +#endif
651 + }
652 +
653 return(p-q);
654 }
655
656 @@ -1266,6 +1294,8 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_ciphe
657 SSL_CIPHER *c;
658 STACK_OF(SSL_CIPHER) *sk;
659 int i,n;
660 + if (s->s3)
661 + s->s3->send_connection_binding = 0;
662
663 n=ssl_put_cipher_by_char(s,NULL,NULL);
664 if ((num%n) != 0)
665 @@ -1283,6 +1313,26 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_ciphe
666
667 for (i=0; i<num; i+=n)
668 {
669 + /* Check for SCSV */
670 + if (s->s3 && (n != 3 || !p[0]) &&
671 + (p[n-2] == ((SSL3_CK_SCSV >> 8) & 0xff)) &&
672 + (p[n-1] == (SSL3_CK_SCSV & 0xff)))
673 + {
674 + /* SCSV fatal if renegotiating */
675 + if (s->new_session)
676 + {
677 + SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
678 + ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
679 + goto err;
680 + }
681 + s->s3->send_connection_binding = 1;
682 + p += n;
683 +#ifdef OPENSSL_RI_DEBUG
684 + fprintf(stderr, "SCSV received by server\n");
685 +#endif
686 + continue;
687 + }
688 +
689 c=ssl_get_cipher_by_char(s,p);
690 p+=n;
691 if (c != NULL)
692 @@ -1461,6 +1511,11 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *meth)
693 ret->extra_certs=NULL;
694 ret->comp_methods=SSL_COMP_get_compression_methods();
695
696 + /* Default is to connect to non-RI servers. When RI is more widely
697 + * deployed might change this.
698 + */
699 + ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
700 +
701 return(ret);
702 err:
703 SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE);
704 diff -up openssl-fips-0.9.8e/ssl/ssl_locl.h.reneg openssl-fips-0.9.8e/ssl/ssl_locl.h
705 --- openssl-fips-0.9.8e/ssl/ssl_locl.h.reneg 2010-02-18 15:58:31.000000000 +0100
706 +++ openssl-fips-0.9.8e/ssl/ssl_locl.h 2010-02-18 15:58:31.000000000 +0100
707 @@ -934,5 +934,17 @@ int check_srvr_ecc_cert_and_alg(X509 *x,
708
709 SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n);
710
711 +unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit);
712 +unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit);
713 +int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);
714 +int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);
715 +int ssl_add_serverhello_renegotiate_ext(SSL *s, unsigned char *p, int *len,
716 + int maxlen);
717 +int ssl_parse_serverhello_renegotiate_ext(SSL *s, unsigned char *d, int len,
718 + int *al);
719 +int ssl_add_clienthello_renegotiate_ext(SSL *s, unsigned char *p, int *len,
720 + int maxlen);
721 +int ssl_parse_clienthello_renegotiate_ext(SSL *s, unsigned char *d, int len,
722 + int *al);
723
724 #endif
725 diff -up openssl-fips-0.9.8e/ssl/ssl3.h.reneg openssl-fips-0.9.8e/ssl/ssl3.h
726 --- openssl-fips-0.9.8e/ssl/ssl3.h.reneg 2010-02-18 15:58:31.000000000 +0100
727 +++ openssl-fips-0.9.8e/ssl/ssl3.h 2010-02-18 15:58:31.000000000 +0100
728 @@ -129,6 +129,9 @@
729 extern "C" {
730 #endif
731
732 +/* Signalling cipher suite value: from draft-ietf-tls-renegotiation-03.txt */
733 +#define SSL3_CK_SCSV 0x030000FF
734 +
735 #define SSL3_CK_RSA_NULL_MD5 0x03000001
736 #define SSL3_CK_RSA_NULL_SHA 0x03000002
737 #define SSL3_CK_RSA_RC4_40_MD5 0x03000003
738 @@ -437,6 +440,12 @@ typedef struct ssl3_state_st
739 int cert_request;
740 } tmp;
741
742 + /* Connection binding to prevent renegotiation attacks */
743 + unsigned char previous_client_finished[EVP_MAX_MD_SIZE];
744 + unsigned char previous_client_finished_len;
745 + unsigned char previous_server_finished[EVP_MAX_MD_SIZE];
746 + unsigned char previous_server_finished_len;
747 + int send_connection_binding; /* TODOEKR */
748 } SSL3_STATE;
749
750
751 diff -up openssl-fips-0.9.8e/ssl/s23_clnt.c.reneg openssl-fips-0.9.8e/ssl/s23_clnt.c
752 --- openssl-fips-0.9.8e/ssl/s23_clnt.c.reneg 2007-03-22 01:39:13.000000000 +0100
753 +++ openssl-fips-0.9.8e/ssl/s23_clnt.c 2010-02-18 16:07:51.000000000 +0100
754 @@ -368,6 +368,11 @@ static int ssl23_client_hello(SSL *s)
755 *(p++)=comp->id;
756 }
757 *(p++)=0; /* Add the NULL method */
758 + if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
759 + {
760 + SSLerr(SSL_F_SSL23_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
761 + return -1;
762 + }
763
764 l = p-d;
765 *p = 42;
766 diff -up openssl-fips-0.9.8e/ssl/s3_both.c.reneg openssl-fips-0.9.8e/ssl/s3_both.c
767 --- openssl-fips-0.9.8e/ssl/s3_both.c.reneg 2005-04-26 18:02:39.000000000 +0200
768 +++ openssl-fips-0.9.8e/ssl/s3_both.c 2010-02-18 15:58:31.000000000 +0100
769 @@ -168,6 +168,23 @@ int ssl3_send_finished(SSL *s, int a, in
770 p+=i;
771 l=i;
772
773 + /* Copy the finished so we can use it for
774 + renegotiation checks */
775 + if(s->type == SSL_ST_CONNECT)
776 + {
777 + OPENSSL_assert(i <= EVP_MAX_MD_SIZE);
778 + memcpy(s->s3->previous_client_finished,
779 + s->s3->tmp.finish_md, i);
780 + s->s3->previous_client_finished_len=i;
781 + }
782 + else
783 + {
784 + OPENSSL_assert(i <= EVP_MAX_MD_SIZE);
785 + memcpy(s->s3->previous_server_finished,
786 + s->s3->tmp.finish_md, i);
787 + s->s3->previous_server_finished_len=i;
788 + }
789 +
790 #ifdef OPENSSL_SYS_WIN16
791 /* MSVC 1.5 does not clear the top bytes of the word unless
792 * I do this.
793 @@ -232,6 +249,23 @@ int ssl3_get_finished(SSL *s, int a, int
794 goto f_err;
795 }
796
797 + /* Copy the finished so we can use it for
798 + renegotiation checks */
799 + if(s->type == SSL_ST_ACCEPT)
800 + {
801 + OPENSSL_assert(i <= EVP_MAX_MD_SIZE);
802 + memcpy(s->s3->previous_client_finished,
803 + s->s3->tmp.peer_finish_md, i);
804 + s->s3->previous_client_finished_len=i;
805 + }
806 + else
807 + {
808 + OPENSSL_assert(i <= EVP_MAX_MD_SIZE);
809 + memcpy(s->s3->previous_server_finished,
810 + s->s3->tmp.peer_finish_md, i);
811 + s->s3->previous_server_finished_len=i;
812 + }
813 +
814 return(1);
815 f_err:
816 ssl3_send_alert(s,SSL3_AL_FATAL,al);
817 diff -up openssl-fips-0.9.8e/ssl/s3_clnt.c.reneg openssl-fips-0.9.8e/ssl/s3_clnt.c
818 --- openssl-fips-0.9.8e/ssl/s3_clnt.c.reneg 2010-02-18 15:58:31.000000000 +0100
819 +++ openssl-fips-0.9.8e/ssl/s3_clnt.c 2010-02-18 15:58:31.000000000 +0100
820 @@ -601,7 +601,11 @@ int ssl3_client_hello(SSL *s)
821 }
822 #endif
823 *(p++)=0; /* Add the NULL method */
824 -
825 + if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
826 + {
827 + SSLerr(SSL_F_SSL3_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
828 + goto err;
829 + }
830 l=(p-d);
831 d=buf;
832 *(d++)=SSL3_MT_CLIENT_HELLO;
833 @@ -635,7 +639,7 @@ int ssl3_get_server_hello(SSL *s)
834 SSL3_ST_CR_SRVR_HELLO_A,
835 SSL3_ST_CR_SRVR_HELLO_B,
836 -1,
837 - 300, /* ?? */
838 + 1000, /* ?? */
839 &ok);
840
841 if (!ok) return((int)n);
842 @@ -785,6 +789,17 @@ int ssl3_get_server_hello(SSL *s)
843 s->s3->tmp.new_compression=comp;
844 }
845 #endif
846 + /* TLS extensions - we parse renegotiate extension only */
847 + if (s->version >= SSL3_VERSION)
848 + {
849 + if (!ssl_parse_serverhello_tlsext(s,&p,d,n, &al))
850 + {
851 + /* 'al' set by ssl_parse_serverhello_tlsext */
852 + SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_PARSE_TLSEXT);
853 + goto f_err;
854 + }
855 + }
856 +
857
858 if (p != (d+n))
859 {
860 diff -up openssl-fips-0.9.8e/ssl/s3_pkt.c.reneg openssl-fips-0.9.8e/ssl/s3_pkt.c
861 --- openssl-fips-0.9.8e/ssl/s3_pkt.c.reneg 2010-02-18 15:58:31.000000000 +0100
862 +++ openssl-fips-0.9.8e/ssl/s3_pkt.c 2010-02-18 15:58:31.000000000 +0100
863 @@ -1013,7 +1013,25 @@ start:
864 * now try again to obtain the (application) data we were asked for */
865 goto start;
866 }
867 -
868 + /* If we are a server and get a client hello when renegotiation isn't
869 + * allowed send back a no renegotiation alert and carry on.
870 + * WARNING: experimental code, needs reviewing (steve)
871 + */
872 + if (s->server &&
873 + SSL_is_init_finished(s) &&
874 + !s->s3->send_connection_binding &&
875 + (s->version > SSL3_VERSION) &&
876 + (s->s3->handshake_fragment_len >= 4) &&
877 + (s->s3->handshake_fragment[0] == SSL3_MT_CLIENT_HELLO) &&
878 + (s->session != NULL) && (s->session->cipher != NULL) &&
879 + !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
880 +
881 + {
882 + /*s->s3->handshake_fragment_len = 0;*/
883 + rr->length = 0;
884 + ssl3_send_alert(s,SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION);
885 + goto start;
886 + }
887 if (s->s3->alert_fragment_len >= 2)
888 {
889 int alert_level = s->s3->alert_fragment[0];
890 @@ -1043,6 +1061,21 @@ start:
891 s->shutdown |= SSL_RECEIVED_SHUTDOWN;
892 return(0);
893 }
894 + /* This is a warning but we receive it if we requested
895 + * renegotiation and the peer denied it. Terminate with
896 + * a fatal alert because if application tried to
897 + * renegotiatie it presumably had a good reason and
898 + * expects it to succeed.
899 + *
900 + * In future we might have a renegotiation where we
901 + * don't care if the peer refused it where we carry on.
902 + */
903 + else if (alert_descr == SSL_AD_NO_RENEGOTIATION)
904 + {
905 + al = SSL_AD_HANDSHAKE_FAILURE;
906 + SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_NO_RENEGOTIATION);
907 + goto f_err;
908 + }
909 }
910 else if (alert_level == 2) /* fatal */
911 {
912 diff -up openssl-fips-0.9.8e/ssl/s3_srvr.c.reneg openssl-fips-0.9.8e/ssl/s3_srvr.c
913 --- openssl-fips-0.9.8e/ssl/s3_srvr.c.reneg 2010-02-18 15:58:31.000000000 +0100
914 +++ openssl-fips-0.9.8e/ssl/s3_srvr.c 2010-02-18 15:58:31.000000000 +0100
915 @@ -248,6 +248,18 @@ int ssl3_accept(SSL *s)
916 s->state=SSL3_ST_SR_CLNT_HELLO_A;
917 s->ctx->stats.sess_accept++;
918 }
919 + else if (!s->s3->send_connection_binding &&
920 + !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
921 + {
922 + /* Server attempting to renegotiate with
923 + * client that doesn't support secure
924 + * renegotiation.
925 + */
926 + SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
927 + ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
928 + ret = -1;
929 + goto end;
930 + }
931 else
932 {
933 /* s->state == SSL_ST_RENEGOTIATE,
934 @@ -898,6 +910,16 @@ int ssl3_get_client_hello(SSL *s)
935 goto f_err;
936 }
937
938 + /* TLS extensions - just parsing the renegotiation extension */
939 + if (s->version >= SSL3_VERSION)
940 + {
941 + if (!ssl_parse_clienthello_tlsext(s,&p,d,n, &al))
942 + {
943 + /* 'al' set by ssl_parse_clienthello_tlsext */
944 + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_PARSE_TLSEXT);
945 + goto f_err;
946 + }
947 + }
948 /* Worst case, we will use the NULL compression, but if we have other
949 * options, we will now look for them. We have i-1 compression
950 * algorithms from the client, starting at q. */
951 @@ -1089,20 +1111,24 @@ int ssl3_send_server_hello(SSL *s)
952 else
953 *(p++)=s->s3->tmp.new_compression->id;
954 #endif
955 -
956 + if ((p = ssl_add_serverhello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
957 + {
958 + SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR);
959 + return -1;
960 + }
961 /* do the header */
962 l=(p-d);
963 d=buf;
964 *(d++)=SSL3_MT_SERVER_HELLO;
965 l2n3(l,d);
966
967 - s->state=SSL3_ST_CW_CLNT_HELLO_B;
968 + s->state=SSL3_ST_SW_SRVR_HELLO_B;
969 /* number of bytes to write */
970 s->init_num=p-buf;
971 s->init_off=0;
972 }
973
974 - /* SSL3_ST_CW_CLNT_HELLO_B */
975 + /* SSL3_ST_SW_SRVR_HELLO_B */
976 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
977 }
978
979 @@ -1126,7 +1152,7 @@ int ssl3_send_server_done(SSL *s)
980 s->init_off=0;
981 }
982
983 - /* SSL3_ST_CW_CLNT_HELLO_B */
984 + /* SSL3_ST_SW_SRVR_DONE_B */
985 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
986 }
987
988 diff -up openssl-fips-0.9.8e/ssl/tls1.h.reneg openssl-fips-0.9.8e/ssl/tls1.h
989 --- openssl-fips-0.9.8e/ssl/tls1.h.reneg 2010-02-18 15:58:31.000000000 +0100
990 +++ openssl-fips-0.9.8e/ssl/tls1.h 2010-02-18 15:58:31.000000000 +0100
991 @@ -97,6 +97,9 @@ extern "C" {
992 #define TLS1_AD_USER_CANCELLED 90
993 #define TLS1_AD_NO_RENEGOTIATION 100
994
995 +/* Temporary extension type */
996 +#define TLSEXT_TYPE_renegotiate 0xff01
997 +
998 /* Additional TLS ciphersuites from draft-ietf-tls-56-bit-ciphersuites-00.txt
999 * (available if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES is defined, see
1000 * s3_lib.c). We actually treat them like SSL 3.0 ciphers, which we probably
1001 diff -up openssl-fips-0.9.8e/ssl/t1_lib.c.reneg openssl-fips-0.9.8e/ssl/t1_lib.c
1002 --- openssl-fips-0.9.8e/ssl/t1_lib.c.reneg 2007-01-21 17:07:25.000000000 +0100
1003 +++ openssl-fips-0.9.8e/ssl/t1_lib.c 2010-02-18 16:10:05.000000000 +0100
1004 @@ -117,3 +117,202 @@ long tls1_callback_ctrl(SSL *s, int cmd,
1005 return(0);
1006 }
1007 #endif
1008 +
1009 +unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
1010 + {
1011 + int extdatalen=0;
1012 + unsigned char *ret = p;
1013 +
1014 + /* don't add extensions for SSLv3 unless doing secure renegotiation */
1015 + if (s->client_version == SSL3_VERSION
1016 + && !s->s3->send_connection_binding)
1017 + return p;
1018 +
1019 + ret+=2;
1020 +
1021 + if (ret>=limit) return NULL; /* this really never occurs, but ... */
1022 +
1023 + /* Add RI if renegotiating */
1024 + if (s->new_session)
1025 + {
1026 + int el;
1027 +
1028 + if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
1029 + {
1030 + SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1031 + return NULL;
1032 + }
1033 +
1034 + if((limit - p - 4 - el) < 0) return NULL;
1035 +
1036 + s2n(TLSEXT_TYPE_renegotiate,ret);
1037 + s2n(el,ret);
1038 +
1039 + if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
1040 + {
1041 + SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1042 + return NULL;
1043 + }
1044 +
1045 + ret += el;
1046 + }
1047 +
1048 + if ((extdatalen = ret-p-2)== 0)
1049 + return p;
1050 +
1051 + s2n(extdatalen,p);
1052 + return ret;
1053 + }
1054 +
1055 +unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
1056 + {
1057 + int extdatalen=0;
1058 + unsigned char *ret = p;
1059 +
1060 + /* don't add extensions for SSLv3, unless doing secure renegotiation */
1061 + if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
1062 + return p;
1063 +
1064 + ret+=2;
1065 + if (ret>=limit) return NULL; /* this really never occurs, but ... */
1066 +
1067 + if(s->s3->send_connection_binding)
1068 + {
1069 + int el;
1070 +
1071 + if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
1072 + {
1073 + SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1074 + return NULL;
1075 + }
1076 +
1077 + if((limit - p - 4 - el) < 0) return NULL;
1078 +
1079 + s2n(TLSEXT_TYPE_renegotiate,ret);
1080 + s2n(el,ret);
1081 +
1082 + if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
1083 + {
1084 + SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1085 + return NULL;
1086 + }
1087 +
1088 + ret += el;
1089 + }
1090 +
1091 + if ((extdatalen = ret-p-2)== 0)
1092 + return p;
1093 +
1094 + s2n(extdatalen,p);
1095 + return ret;
1096 + }
1097 +
1098 +int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
1099 + {
1100 + unsigned short type;
1101 + unsigned short size;
1102 + unsigned short len;
1103 + unsigned char *data = *p;
1104 + int renegotiate_seen = 0;
1105 +
1106 + if (data >= (d+n-2))
1107 + goto ri_check;
1108 +
1109 + n2s(data,len);
1110 +
1111 + if (data > (d+n-len))
1112 + goto ri_check;
1113 +
1114 + while (data <= (d+n-4))
1115 + {
1116 + n2s(data,type);
1117 + n2s(data,size);
1118 +
1119 + if (data+size > (d+n))
1120 + goto ri_check;
1121 +
1122 + if (type == TLSEXT_TYPE_renegotiate)
1123 + {
1124 + if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1125 + return 0;
1126 + renegotiate_seen = 1;
1127 + }
1128 +
1129 + data+=size;
1130 + }
1131 + *p = data;
1132 +
1133 + ri_check:
1134 +
1135 + /* Need RI if renegotiating */
1136 +
1137 + if (!renegotiate_seen && s->new_session &&
1138 + !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1139 + {
1140 + *al = SSL_AD_HANDSHAKE_FAILURE;
1141 + SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
1142 + SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1143 + return 0;
1144 + }
1145 +
1146 + return 1;
1147 + }
1148 +
1149 +int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
1150 + {
1151 + unsigned short type;
1152 + unsigned short size;
1153 + unsigned short len;
1154 + unsigned char *data = *p;
1155 + int renegotiate_seen = 0;
1156 +
1157 + if (data >= (d+n-2))
1158 + goto ri_check;
1159 +
1160 + n2s(data,len);
1161 +
1162 + while(data <= (d+n-4))
1163 + {
1164 + n2s(data,type);
1165 + n2s(data,size);
1166 +
1167 + if (data+size > (d+n))
1168 + goto ri_check;
1169 + if (type == TLSEXT_TYPE_renegotiate)
1170 + {
1171 + if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
1172 + return 0;
1173 + renegotiate_seen = 1;
1174 + }
1175 + data+=size;
1176 + }
1177 +
1178 + if (data != d+n)
1179 + {
1180 + *al = SSL_AD_DECODE_ERROR;
1181 + return 0;
1182 + }
1183 +
1184 + *p = data;
1185 +
1186 + ri_check:
1187 +
1188 + /* Determine if we need to see RI. Strictly speaking if we want to
1189 + * avoid an attack we should *always* see RI even on initial server
1190 + * hello because the client doesn't see any renegotiation during an
1191 + * attack. However this would mean we could not connect to any server
1192 + * which doesn't support RI so for the immediate future tolerate RI
1193 + * absence on initial connect only.
1194 + */
1195 + if (!renegotiate_seen
1196 + && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
1197 + && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1198 + {
1199 + *al = SSL_AD_HANDSHAKE_FAILURE;
1200 + SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
1201 + SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1202 + return 0;
1203 + }
1204 +
1205 + return 1;
1206 + }
1207 diff -up openssl-fips-0.9.8e/ssl/t1_reneg.c.reneg openssl-fips-0.9.8e/ssl/t1_reneg.c
1208 --- openssl-fips-0.9.8e/ssl/t1_reneg.c.reneg 2010-02-18 15:58:31.000000000 +0100
1209 +++ openssl-fips-0.9.8e/ssl/t1_reneg.c 2010-02-18 15:58:31.000000000 +0100
1210 @@ -0,0 +1,292 @@
1211 +/* ssl/t1_reneg.c */
1212 +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
1213 + * All rights reserved.
1214 + *
1215 + * This package is an SSL implementation written
1216 + * by Eric Young (eay@cryptsoft.com).
1217 + * The implementation was written so as to conform with Netscapes SSL.
1218 + *
1219 + * This library is free for commercial and non-commercial use as long as
1220 + * the following conditions are aheared to. The following conditions
1221 + * apply to all code found in this distribution, be it the RC4, RSA,
1222 + * lhash, DES, etc., code; not just the SSL code. The SSL documentation
1223 + * included with this distribution is covered by the same copyright terms
1224 + * except that the holder is Tim Hudson (tjh@cryptsoft.com).
1225 + *
1226 + * Copyright remains Eric Young's, and as such any Copyright notices in
1227 + * the code are not to be removed.
1228 + * If this package is used in a product, Eric Young should be given attribution
1229 + * as the author of the parts of the library used.
1230 + * This can be in the form of a textual message at program startup or
1231 + * in documentation (online or textual) provided with the package.
1232 + *
1233 + * Redistribution and use in source and binary forms, with or without
1234 + * modification, are permitted provided that the following conditions
1235 + * are met:
1236 + * 1. Redistributions of source code must retain the copyright
1237 + * notice, this list of conditions and the following disclaimer.
1238 + * 2. Redistributions in binary form must reproduce the above copyright
1239 + * notice, this list of conditions and the following disclaimer in the
1240 + * documentation and/or other materials provided with the distribution.
1241 + * 3. All advertising materials mentioning features or use of this software
1242 + * must display the following acknowledgement:
1243 + * "This product includes cryptographic software written by
1244 + * Eric Young (eay@cryptsoft.com)"
1245 + * The word 'cryptographic' can be left out if the rouines from the library
1246 + * being used are not cryptographic related :-).
1247 + * 4. If you include any Windows specific code (or a derivative thereof) from
1248 + * the apps directory (application code) you must include an acknowledgement:
1249 + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
1250 + *
1251 + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
1252 + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1253 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
1254 + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
1255 + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
1256 + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
1257 + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1258 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
1259 + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
1260 + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
1261 + * SUCH DAMAGE.
1262 + *
1263 + * The licence and distribution terms for any publically available version or
1264 + * derivative of this code cannot be changed. i.e. this code cannot simply be
1265 + * copied and put under another distribution licence
1266 + * [including the GNU Public Licence.]
1267 + */
1268 +/* ====================================================================
1269 + * Copyright (c) 1998-2009 The OpenSSL Project. All rights reserved.
1270 + *
1271 + * Redistribution and use in source and binary forms, with or without
1272 + * modification, are permitted provided that the following conditions
1273 + * are met:
1274 + *
1275 + * 1. Redistributions of source code must retain the above copyright
1276 + * notice, this list of conditions and the following disclaimer.
1277 + *
1278 + * 2. Redistributions in binary form must reproduce the above copyright
1279 + * notice, this list of conditions and the following disclaimer in
1280 + * the documentation and/or other materials provided with the
1281 + * distribution.
1282 + *
1283 + * 3. All advertising materials mentioning features or use of this
1284 + * software must display the following acknowledgment:
1285 + * "This product includes software developed by the OpenSSL Project
1286 + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
1287 + *
1288 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
1289 + * endorse or promote products derived from this software without
1290 + * prior written permission. For written permission, please contact
1291 + * openssl-core@openssl.org.
1292 + *
1293 + * 5. Products derived from this software may not be called "OpenSSL"
1294 + * nor may "OpenSSL" appear in their names without prior written
1295 + * permission of the OpenSSL Project.
1296 + *
1297 + * 6. Redistributions of any form whatsoever must retain the following
1298 + * acknowledgment:
1299 + * "This product includes software developed by the OpenSSL Project
1300 + * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
1301 + *
1302 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
1303 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1304 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
1305 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
1306 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
1307 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
1308 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
1309 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1310 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
1311 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
1312 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
1313 + * OF THE POSSIBILITY OF SUCH DAMAGE.
1314 + * ====================================================================
1315 + *
1316 + * This product includes cryptographic software written by Eric Young
1317 + * (eay@cryptsoft.com). This product includes software written by Tim
1318 + * Hudson (tjh@cryptsoft.com).
1319 + *
1320 + */
1321 +#include <stdio.h>
1322 +#include <openssl/objects.h>
1323 +#include "ssl_locl.h"
1324 +
1325 +/* Add the client's renegotiation binding */
1326 +int ssl_add_clienthello_renegotiate_ext(SSL *s, unsigned char *p, int *len,
1327 + int maxlen)
1328 + {
1329 + if(p)
1330 + {
1331 + if((s->s3->previous_client_finished_len+1) > maxlen)
1332 + {
1333 + SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATE_EXT_TOO_LONG);
1334 + return 0;
1335 + }
1336 +
1337 + /* Length byte */
1338 + *p = s->s3->previous_client_finished_len;
1339 + p++;
1340 +
1341 + memcpy(p, s->s3->previous_client_finished,
1342 + s->s3->previous_client_finished_len);
1343 +#ifdef OPENSSL_RI_DEBUG
1344 + fprintf(stderr, "%s RI extension sent by client\n",
1345 + s->s3->previous_client_finished_len ? "Non-empty" : "Empty");
1346 +#endif
1347 + }
1348 +
1349 + *len=s->s3->previous_client_finished_len + 1;
1350 +
1351 +
1352 + return 1;
1353 + }
1354 +
1355 +/* Parse the client's renegotiation binding and abort if it's not
1356 + right */
1357 +int ssl_parse_clienthello_renegotiate_ext(SSL *s, unsigned char *d, int len,
1358 + int *al)
1359 + {
1360 + int ilen;
1361 +
1362 + /* Parse the length byte */
1363 + if(len < 1)
1364 + {
1365 + SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_ENCODING_ERR);
1366 + *al=SSL_AD_ILLEGAL_PARAMETER;
1367 + return 0;
1368 + }
1369 + ilen = *d;
1370 + d++;
1371 +
1372 + /* Consistency check */
1373 + if((ilen+1) != len)
1374 + {
1375 + SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_ENCODING_ERR);
1376 + *al=SSL_AD_ILLEGAL_PARAMETER;
1377 + return 0;
1378 + }
1379 +
1380 + /* Check that the extension matches */
1381 + if(ilen != s->s3->previous_client_finished_len)
1382 + {
1383 + SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_MISMATCH);
1384 + *al=SSL_AD_HANDSHAKE_FAILURE;
1385 + return 0;
1386 + }
1387 +
1388 + if(memcmp(d, s->s3->previous_client_finished,
1389 + s->s3->previous_client_finished_len))
1390 + {
1391 + SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_MISMATCH);
1392 + *al=SSL_AD_HANDSHAKE_FAILURE;
1393 + return 0;
1394 + }
1395 +#ifdef OPENSSL_RI_DEBUG
1396 + fprintf(stderr, "%s RI extension received by server\n",
1397 + ilen ? "Non-empty" : "Empty");
1398 +#endif
1399 +
1400 + s->s3->send_connection_binding=1;
1401 +
1402 + return 1;
1403 + }
1404 +
1405 +/* Add the server's renegotiation binding */
1406 +int ssl_add_serverhello_renegotiate_ext(SSL *s, unsigned char *p, int *len,
1407 + int maxlen)
1408 + {
1409 + if(p)
1410 + {
1411 + if((s->s3->previous_client_finished_len +
1412 + s->s3->previous_server_finished_len + 1) > maxlen)
1413 + {
1414 + SSLerr(SSL_F_SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATE_EXT_TOO_LONG);
1415 + return 0;
1416 + }
1417 +
1418 + /* Length byte */
1419 + *p = s->s3->previous_client_finished_len + s->s3->previous_server_finished_len;
1420 + p++;
1421 +
1422 + memcpy(p, s->s3->previous_client_finished,
1423 + s->s3->previous_client_finished_len);
1424 + p += s->s3->previous_client_finished_len;
1425 +
1426 + memcpy(p, s->s3->previous_server_finished,
1427 + s->s3->previous_server_finished_len);
1428 +#ifdef OPENSSL_RI_DEBUG
1429 + fprintf(stderr, "%s RI extension sent by server\n",
1430 + s->s3->previous_client_finished_len ? "Non-empty" : "Empty");
1431 +#endif
1432 + }
1433 +
1434 + *len=s->s3->previous_client_finished_len
1435 + + s->s3->previous_server_finished_len + 1;
1436 +
1437 + return 1;
1438 + }
1439 +
1440 +/* Parse the server's renegotiation binding and abort if it's not
1441 + right */
1442 +int ssl_parse_serverhello_renegotiate_ext(SSL *s, unsigned char *d, int len,
1443 + int *al)
1444 + {
1445 + int expected_len=s->s3->previous_client_finished_len
1446 + + s->s3->previous_server_finished_len;
1447 + int ilen;
1448 +
1449 + /* Check for logic errors */
1450 + OPENSSL_assert(!expected_len || s->s3->previous_client_finished_len);
1451 + OPENSSL_assert(!expected_len || s->s3->previous_server_finished_len);
1452 +
1453 + /* Parse the length byte */
1454 + if(len < 1)
1455 + {
1456 + SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_ENCODING_ERR);
1457 + *al=SSL_AD_ILLEGAL_PARAMETER;
1458 + return 0;
1459 + }
1460 + ilen = *d;
1461 + d++;
1462 +
1463 + /* Consistency check */
1464 + if(ilen+1 != len)
1465 + {
1466 + SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_ENCODING_ERR);
1467 + *al=SSL_AD_ILLEGAL_PARAMETER;
1468 + return 0;
1469 + }
1470 +
1471 + /* Check that the extension matches */
1472 + if(ilen != expected_len)
1473 + {
1474 + SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_MISMATCH);
1475 + *al=SSL_AD_HANDSHAKE_FAILURE;
1476 + return 0;
1477 + }
1478 +
1479 + if(memcmp(d, s->s3->previous_client_finished,
1480 + s->s3->previous_client_finished_len))
1481 + {
1482 + SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_MISMATCH);
1483 + *al=SSL_AD_HANDSHAKE_FAILURE;
1484 + return 0;
1485 + }
1486 + d += s->s3->previous_client_finished_len;
1487 +
1488 + if(memcmp(d, s->s3->previous_server_finished,
1489 + s->s3->previous_server_finished_len))
1490 + {
1491 + SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_MISMATCH);
1492 + *al=SSL_AD_ILLEGAL_PARAMETER;
1493 + return 0;
1494 + }
1495 +#ifdef OPENSSL_RI_DEBUG
1496 + fprintf(stderr, "%s RI extension received by client\n",
1497 + ilen ? "Non-empty" : "Empty");
1498 +#endif
1499 + s->s3->send_connection_binding=1;
1500 +
1501 + return 1;
1502 + }

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed