diff -up openssl-fips-0.9.8e/apps/s_client.c.reneg openssl-fips-0.9.8e/apps/s_client.c
|
|
|
5820f5 |
--- openssl-fips-0.9.8e/apps/s_client.c.reneg 2010-02-18 15:58:31.000000000 +0100
|
|
|
5820f5 |
+++ openssl-fips-0.9.8e/apps/s_client.c 2010-02-18 15:58:31.000000000 +0100
|
|
|
5820f5 |
@@ -231,7 +231,7 @@ static void sc_usage(void)
|
|
|
5820f5 |
BIO_printf(bio_err," -engine id - Initialise and use the specified engine\n");
|
|
|
5820f5 |
#endif
|
|
|
5820f5 |
BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
|
|
|
5820f5 |
-
|
|
|
5820f5 |
+ BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
|
|
|
5820f5 |
}
|
|
|
5820f5 |
|
|
|
5820f5 |
enum
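Review bot: The usage text added here lists only `-legacy_renegotiation`, while the option parser in the -461 hunk of this same file also accepts `-legacy_server_connect` and `-no_legacy_server_connect`, so those two flags are invisible to users of s_client. Since `-no_legacy_server_connect` is the only way from s_client to refuse unpatched servers, it is the one most worth advertising. I would add `BIO_printf(bio_err," -legacy_server_connect - allow initial connection to servers that don't support RI (default)\n");` and `BIO_printf(bio_err," -no_legacy_server_connect - refuse initial connection to servers that don't support RI\n");` after the new line. The "(default)" wording relies on the pod text in this patch stating that SSL_OP_LEGACY_SERVER_CONNECT is currently set by default.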
|
|
|
5820f5 |
@@ -247,7 +247,7 @@ int MAIN(int, char **);
|
|
|
5820f5 |
|
|
|
5820f5 |
int MAIN(int argc, char **argv)
|
|
|
5820f5 |
{
|
|
|
5820f5 |
- int off=0;
|
|
|
5820f5 |
+ int off=0, clr = 0;
|
|
|
5820f5 |
SSL *con=NULL,*con2=NULL;
|
|
|
5820f5 |
X509_STORE *store = NULL;
|
|
|
5820f5 |
int s,k,width,state=0;
|
|
|
5820f5 |
@@ -461,6 +461,12 @@ int MAIN(int argc, char **argv)
|
|
|
5820f5 |
off|=SSL_OP_NO_SSLv2;
|
|
|
5820f5 |
else if (strcmp(*argv,"-serverpref") == 0)
|
|
|
5820f5 |
off|=SSL_OP_CIPHER_SERVER_PREFERENCE;
|
|
|
5820f5 |
+ else if (strcmp(*argv,"-legacy_renegotiation") == 0)
|
|
|
5820f5 |
+ off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
|
|
|
5820f5 |
+ else if (strcmp(*argv,"-legacy_server_connect") == 0)
|
|
|
5820f5 |
+ { off|=SSL_OP_LEGACY_SERVER_CONNECT; }
|
|
|
5820f5 |
+ else if (strcmp(*argv,"-no_legacy_server_connect") == 0)
|
|
|
5820f5 |
+ { clr|=SSL_OP_LEGACY_SERVER_CONNECT; }
|
|
|
5820f5 |
else if (strcmp(*argv,"-cipher") == 0)
|
|
|
5820f5 |
{
|
|
|
5820f5 |
if (--argc < 1) goto bad;
|
|
|
5820f5 |
@@ -589,6 +595,9 @@ bad:
|
|
|
5820f5 |
SSL_CTX_set_options(ctx,SSL_OP_ALL|off);
|
|
|
5820f5 |
else
|
|
|
5820f5 |
SSL_CTX_set_options(ctx,off);
|
|
|
5820f5 |
+
|
|
|
5820f5 |
+ if (clr)
|
|
|
5820f5 |
+ SSL_CTX_clear_options(ctx, clr);
|
|
|
5820f5 |
/* DTLS: partial reads end up discarding unread UDP bytes :-(
|
|
|
5820f5 |
* Setting read ahead solves this problem.
|
|
|
5820f5 |
*/
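Review bot: `-no_legacy_server_connect` clears only SSL_OP_LEGACY_SERVER_CONNECT, so when `-legacy_renegotiation` is also given the connection to an unpatched server still succeeds, because the pod text in this patch states that SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION on its own permits initial connections to unpatched servers. A user combining the two flags would reasonably expect the explicit "no" to win. Either clear both bits in the `-no_legacy_server_connect` branch, `clr|=SSL_OP_LEGACY_SERVER_CONNECT|SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;`, or state in the usage text that `-legacy_renegotiation` overrides it. Because `clr` is applied after the set here, argv order does not matter, which deserves a one-line comment above `if (clr)`.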
|
|
|
5820f5 |
@@ -1290,6 +1299,8 @@ static void print_stuff(BIO *bio, SSL *s
|
|
|
5820f5 |
EVP_PKEY_bits(pktmp));
|
|
|
5820f5 |
EVP_PKEY_free(pktmp);
|
|
|
5820f5 |
}
|
|
|
5820f5 |
+ BIO_printf(bio, "Secure Renegotiation IS%s supported\n",
|
|
|
5820f5 |
+ SSL_get_secure_renegotiation_support(s) ? "" : " NOT");
|
|
|
5820f5 |
#ifndef OPENSSL_NO_COMP
|
|
|
5820f5 |
comp=SSL_get_current_compression(s);
|
|
|
5820f5 |
expansion=SSL_get_current_expansion(s);
|
|
|
5820f5 |
diff -up openssl-fips-0.9.8e/apps/s_server.c.reneg openssl-fips-0.9.8e/apps/s_server.c
|
|
|
5820f5 |
--- openssl-fips-0.9.8e/apps/s_server.c.reneg 2010-02-18 15:58:31.000000000 +0100
|
|
|
5820f5 |
+++ openssl-fips-0.9.8e/apps/s_server.c 2010-02-18 15:58:31.000000000 +0100
|
|
|
5820f5 |
@@ -371,6 +371,7 @@ static void sv_usage(void)
|
|
|
5820f5 |
#endif
|
|
|
5820f5 |
BIO_printf(bio_err," -id_prefix arg - Generate SSL/TLS session IDs prefixed by 'arg'\n");
|
|
|
5820f5 |
BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
|
|
|
5820f5 |
+ BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
|
|
|
5820f5 |
}
|
|
|
5820f5 |
|
|
|
5820f5 |
static int local_argc=0;
|
|
|
5820f5 |
@@ -700,6 +701,8 @@ int MAIN(int argc, char *argv[])
|
|
|
5820f5 |
}
|
|
|
5820f5 |
else if (strcmp(*argv,"-serverpref") == 0)
|
|
|
5820f5 |
{ off|=SSL_OP_CIPHER_SERVER_PREFERENCE; }
|
|
|
5820f5 |
+ else if (strcmp(*argv,"-legacy_renegotiation") == 0)
|
|
|
5820f5 |
+ off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
|
|
|
5820f5 |
else if (strcmp(*argv,"-cipher") == 0)
|
|
|
5820f5 |
{
|
|
|
5820f5 |
if (--argc < 1) goto bad;
|
|
|
5820f5 |
@@ -1534,6 +1537,8 @@ static int init_ssl_connection(SSL *con)
|
|
|
5820f5 |
con->kssl_ctx->client_princ);
|
|
|
5820f5 |
}
|
|
|
5820f5 |
#endif /* OPENSSL_NO_KRB5 */
|
|
|
5820f5 |
+ BIO_printf(bio_s_out, "Secure Renegotiation IS%s supported\n",
|
|
|
5820f5 |
+ SSL_get_secure_renegotiation_support(con) ? "" : " NOT");
|
|
|
5820f5 |
return(1);
|
|
|
5820f5 |
}
|
|
|
5820f5 |
|
|
|
5820f5 |
diff -up openssl-fips-0.9.8e/doc/ssl/SSL_CTX_set_options.pod.reneg openssl-fips-0.9.8e/doc/ssl/SSL_CTX_set_options.pod
|
|
|
5820f5 |
--- openssl-fips-0.9.8e/doc/ssl/SSL_CTX_set_options.pod.reneg 2005-10-11 12:16:09.000000000 +0200
|
|
|
5820f5 |
+++ openssl-fips-0.9.8e/doc/ssl/SSL_CTX_set_options.pod 2010-02-18 16:10:52.000000000 +0100
|
|
|
5820f5 |
@@ -2,7 +2,7 @@
|
|
|
5820f5 |
|
|
|
5820f5 |
=head1 NAME
|
|
|
5820f5 |
|
|
|
5820f5 |
-SSL_CTX_set_options, SSL_set_options, SSL_CTX_get_options, SSL_get_options - manipulate SSL engine options
|
|
|
5820f5 |
+SSL_CTX_set_options, SSL_set_options, SSL_CTX_clear_options, SSL_clear_options, SSL_CTX_get_options, SSL_get_options, SSL_get_secure_renegotiation_support - manipulate SSL options
|
|
|
5820f5 |
|
|
|
5820f5 |
=head1 SYNOPSIS
|
|
|
5820f5 |
|
|
|
5820f5 |
@@ -11,26 +11,41 @@ SSL_CTX_set_options, SSL_set_options, SS
|
|
|
5820f5 |
long SSL_CTX_set_options(SSL_CTX *ctx, long options);
|
|
|
5820f5 |
long SSL_set_options(SSL *ssl, long options);
|
|
|
5820f5 |
|
|
|
5820f5 |
+ long SSL_CTX_clear_options(SSL_CTX *ctx, long options);
|
|
|
5820f5 |
+ long SSL_clear_options(SSL *ssl, long options);
|
|
|
5820f5 |
+
|
|
|
5820f5 |
long SSL_CTX_get_options(SSL_CTX *ctx);
|
|
|
5820f5 |
long SSL_get_options(SSL *ssl);
|
|
|
5820f5 |
|
|
|
5820f5 |
+ long SSL_get_secure_renegotiation_support(SSL *ssl);
|
|
|
5820f5 |
+
|
|
|
5820f5 |
=head1 DESCRIPTION
|
|
|
5820f5 |
|
|
|
5820f5 |
+Note: all these functions are implemented using macros.
|
|
|
5820f5 |
+
|
|
|
5820f5 |
SSL_CTX_set_options() adds the options set via bitmask in B<options> to B<ctx>.
|
|
|
5820f5 |
Options already set before are not cleared!
|
|
|
5820f5 |
|
|
|
5820f5 |
SSL_set_options() adds the options set via bitmask in B<options> to B<ssl>.
|
|
|
5820f5 |
Options already set before are not cleared!
|
|
|
5820f5 |
|
|
|
5820f5 |
+SSL_CTX_clear_options() clears the options set via bitmask in B<options>
|
|
|
5820f5 |
+to B<ctx>.
|
|
|
5820f5 |
+
|
|
|
5820f5 |
+SSL_clear_options() clears the options set via bitmask in B<options> to B<ssl>.
|
|
|
5820f5 |
+
|
|
|
5820f5 |
SSL_CTX_get_options() returns the options set for B<ctx>.
|
|
|
5820f5 |
|
|
|
5820f5 |
SSL_get_options() returns the options set for B<ssl>.
|
|
|
5820f5 |
|
|
|
5820f5 |
+SSL_get_secure_renegotiation_support() indicates whether the peer supports
|
|
|
5820f5 |
+secure renegotiation.
|
|
|
5820f5 |
+
|
|
|
5820f5 |
=head1 NOTES
|
|
|
5820f5 |
|
|
|
5820f5 |
The behaviour of the SSL library can be changed by setting several options.
|
|
|
5820f5 |
The options are coded as bitmasks and can be combined by a logical B<or>
|
|
|
5820f5 |
-operation (|). Options can only be added but can never be reset.
|
|
|
5820f5 |
+operation (|).
|
|
|
5820f5 |
|
|
|
5820f5 |
SSL_CTX_set_options() and SSL_set_options() affect the (external)
|
|
|
5820f5 |
protocol behaviour of the SSL library. The (internal) behaviour of
|
|
|
5820f5 |
@@ -199,17 +214,109 @@ Do not use the TLSv1 protocol.
|
|
|
5820f5 |
|
|
|
5820f5 |
When performing renegotiation as a server, always start a new session
|
|
|
5820f5 |
(i.e., session resumption requests are only accepted in the initial
|
|
|
5820f5 |
-handshake). This option is not needed for clients.
|
|
|
5820f5 |
+handshake). This option is not needed for clients.
|
|
|
5820f5 |
+
|
|
|
5820f5 |
+=item SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
|
|
|
5820f5 |
+
|
|
|
5820f5 |
+Allow legacy insecure renegotiation between OpenSSL and unpatched clients or
|
|
|
5820f5 |
+servers. See the B<SECURE RENEGOTIATION> section for more details.
|
|
|
5820f5 |
+
|
|
|
5820f5 |
+=item SSL_OP_LEGACY_SERVER_CONNECT
|
|
|
5820f5 |
+
|
|
|
5820f5 |
+Allow legacy insecure renegotiation between OpenSSL and unpatched servers
|
|
|
5820f5 |
+B<only>: this option is currently set by default. See the
|
|
|
5820f5 |
+B<SECURE RENEGOTIATION> section for more details.
|
|
|
5820f5 |
|
|
|
5820f5 |
=back
|
|
|
5820f5 |
|
|
|
5820f5 |
+=head1 SECURE RENEGOTIATION
|
|
|
5820f5 |
+
|
|
|
5820f5 |
+OpenSSL 0.9.8m and later always attempts to use secure renegotiation as
|
|
|
5820f5 |
+described in RFC5746. This counters the prefix attack described in
|
|
|
5820f5 |
+CVE-2009-3555 and elsewhere.
|
|
|
5820f5 |
+
|
|
|
5820f5 |
+The deprecated and highly broken SSLv2 protocol does not support
|
|
|
5820f5 |
+renegotiation at all: its use is B<strongly> discouraged.
|
|
|
5820f5 |
+
|
|
|
5820f5 |
+This attack has far reaching consequences which application writers should be
|
|
|
5820f5 |
+aware of. In the description below an implementation supporting secure
|
|
|
5820f5 |
+renegotiation is referred to as I<patched>. A server not supporting secure
|
|
|
5820f5 |
+renegotiation is referred to as I<unpatched>.
|
|
|
5820f5 |
+
|
|
|
5820f5 |
+The following sections describe the operations permitted by OpenSSL's secure
|
|
|
5820f5 |
+renegotiation implementation.
|
|
|
5820f5 |
+
|
|
|
5820f5 |
+=head2 Patched client and server
|
|
|
5820f5 |
+
|
|
|
5820f5 |
+Connections and renegotiation are always permitted by OpenSSL implementations.
|
|
|
5820f5 |
+
|
|
|
5820f5 |
+=head2 Unpatched client and patched OpenSSL server
|
|
|
5820f5 |
+
|
|
|
5820f5 |
+The initial connection suceeds but client renegotiation is denied by the
|
|
|
5820f5 |
+server with a B<no_renegotiation> warning alert if TLS v1.0 is used or a fatal
|
|
|
5820f5 |
+B<handshake_failure> alert in SSL v3.0.
|
|
|
5820f5 |
+
|
|
|
5820f5 |
+If the patched OpenSSL server attempts to renegotiate a fatal
|
|
|
5820f5 |
+B<handshake_failure> alert is sent. This is because the server code may be
|
|
|
5820f5 |
+unaware of the unpatched nature of the client.
|
|
|
5820f5 |
+
|
|
|
5820f5 |
+If the option B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> is set then
|
|
|
5820f5 |
+renegotiation B<always> succeeds.
|
|
|
5820f5 |
+
|
|
|
5820f5 |
+B<NB:> a bug in OpenSSL clients earlier than 0.9.8m (all of which are
|
|
|
5820f5 |
+unpatched) will result in the connection hanging if it receives a
|
|
|
5820f5 |
+B<no_renegotiation> alert. OpenSSL versions 0.9.8m and later will regard
|
|
|
5820f5 |
+a B<no_renegotiation> alert as fatal and respond with a fatal
|
|
|
5820f5 |
+B<handshake_failure> alert. This is because the OpenSSL API currently has
|
|
|
5820f5 |
+no provision to indicate to an application that a renegotiation attempt
|
|
|
5820f5 |
+was refused.
|
|
|
5820f5 |
+
|
|
|
5820f5 |
+=head2 Patched OpenSSL client and unpatched server.
|
|
|
5820f5 |
+
|
|
|
5820f5 |
+If the option B<SSL_OP_LEGACY_SERVER_CONNECT> or
|
|
|
5820f5 |
+B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> is set then initial connections
|
|
|
5820f5 |
+and renegotiation between patched OpenSSL clients and unpatched servers
|
|
|
5820f5 |
+succeeds. If neither option is set then initial connections to unpatched
|
|
|
5820f5 |
+servers will fail.
|
|
|
5820f5 |
+
|
|
|
5820f5 |
+The option B<SSL_OP_LEGACY_SERVER_CONNECT> is currently set by default even
|
|
|
5820f5 |
+though it has security implications: otherwise it would be impossible to
|
|
|
5820f5 |
+connect to unpatched servers (i.e. all of them initially) and this is clearly
|
|
|
5820f5 |
+not acceptable. Renegotiation is permitted because this does not add any
|
|
|
5820f5 |
+additional security issues: during an attack clients do not see any
|
|
|
5820f5 |
+renegotiations anyway.
|
|
|
5820f5 |
+
|
|
|
5820f5 |
+As more servers become patched the option B<SSL_OP_LEGACY_SERVER_CONNECT> will
|
|
|
5820f5 |
+B<not> be set by default in a future version of OpenSSL.
|
|
|
5820f5 |
+
|
|
|
5820f5 |
+OpenSSL client applications wishing to ensure they can connect to unpatched
|
|
|
5820f5 |
+servers should always B<set> B<SSL_OP_LEGACY_SERVER_CONNECT>
|
|
|
5820f5 |
+
|
|
|
5820f5 |
+OpenSSL client applications that want to ensure they can B<not> connect to
|
|
|
5820f5 |
+unpatched servers (and thus avoid any security issues) should always B<clear>
|
|
|
5820f5 |
+B<SSL_OP_LEGACY_SERVER_CONNECT> using SSL_CTX_clear_options() or
|
|
|
5820f5 |
+SSL_clear_options().
|
|
|
5820f5 |
+
|
|
|
5820f5 |
+The difference between the B<SSL_OP_LEGACY_SERVER_CONNECT> and
|
|
|
5820f5 |
+B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> options is that
|
|
|
5820f5 |
+B<SSL_OP_LEGACY_SERVER_CONNECT> enables initial connections and secure
|
|
|
5820f5 |
+renegotiation between OpenSSL clients and unpatched servers B<only>, while
|
|
|
5820f5 |
+B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> allows initial connections
|
|
|
5820f5 |
+and renegotiation between OpenSSL and unpatched clients or servers.
|
|
|
5820f5 |
+
|
|
|
5820f5 |
=head1 RETURN VALUES
|
|
|
5820f5 |
|
|
|
5820f5 |
SSL_CTX_set_options() and SSL_set_options() return the new options bitmask
|
|
|
5820f5 |
after adding B<options>.
|
|
|
5820f5 |
|
|
|
5820f5 |
+SSL_CTX_clear_options() and SSL_clear_options() return the new options bitmask
|
|
|
5820f5 |
+after clearing B<options>.
|
|
|
5820f5 |
+
|
|
|
5820f5 |
SSL_CTX_get_options() and SSL_get_options() return the current bitmask.
|
|
|
5820f5 |
|
|
|
5820f5 |
+SSL_get_secure_renegotiation_support() returns 1 is the peer supports
|
|
|
5820f5 |
+secure renegotiation and 0 if it does not.
|
|
|
5820f5 |
+
|
|
|
5820f5 |
=head1 SEE ALSO
|
|
|
5820f5 |
|
|
|
5820f5 |
L<ssl(3)|ssl(3)>, L<SSL_new(3)|SSL_new(3)>, L<SSL_clear(3)|SSL_clear(3)>,
|
|
|
5820f5 |
@@ -232,4 +339,11 @@ Versions up to OpenSSL 0.9.6c do not inc
|
|
|
5820f5 |
can be disabled with this option (in OpenSSL 0.9.6d, it was always
|
|
|
5820f5 |
enabled).
|
|
|
5820f5 |
|
|
|
5820f5 |
+SSL_CTX_clear_options() and SSL_clear_options() were first added in OpenSSL
|
|
|
5820f5 |
+0.9.8m.
|
|
|
5820f5 |
+
|
|
|
5820f5 |
+B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION>, B<SSL_OP_LEGACY_SERVER_CONNECT>
|
|
|
5820f5 |
+and the function SSL_get_secure_renegotiation_support() were first added in
|
|
|
5820f5 |
+OpenSSL 0.9.8m.
|
|
|
5820f5 |
+
|
|
|
5820f5 |
=cut
|
|
|
5820f5 |
diff -up openssl-fips-0.9.8e/ssl/d1_both.c.reneg openssl-fips-0.9.8e/ssl/d1_both.c
|
|
|
5820f5 |
--- openssl-fips-0.9.8e/ssl/d1_both.c.reneg 2010-02-18 15:58:31.000000000 +0100
|
|
|
5820f5 |
+++ openssl-fips-0.9.8e/ssl/d1_both.c 2010-02-18 15:58:31.000000000 +0100
|
|
|
5820f5 |
@@ -750,6 +750,24 @@ int dtls1_send_finished(SSL *s, int a, i
|
|
|
5820f5 |
p+=i;
|
|
|
5820f5 |
l=i;
|
|
|
5820f5 |
|
|
|
5820f5 |
+ /* Copy the finished so we can use it for
|
|
|
5820f5 |
+ * renegotiation checks
|
|
|
5820f5 |
+ */
|
|
|
5820f5 |
+ if(s->type == SSL_ST_CONNECT)
|
|
|
5820f5 |
+ {
|
|
|
5820f5 |
+ OPENSSL_assert(i <= EVP_MAX_MD_SIZE);
|
|
|
5820f5 |
+ memcpy(s->s3->previous_client_finished,
|
|
|
5820f5 |
+ s->s3->tmp.finish_md, i);
|
|
|
5820f5 |
+ s->s3->previous_client_finished_len=i;
|
|
|
5820f5 |
+ }
|
|
|
5820f5 |
+ else
|
|
|
5820f5 |
+ {
|
|
|
5820f5 |
+ OPENSSL_assert(i <= EVP_MAX_MD_SIZE);
|
|
|
5820f5 |
+ memcpy(s->s3->previous_server_finished,
|
|
|
5820f5 |
+ s->s3->tmp.finish_md, i);
|
|
|
5820f5 |
+ s->s3->previous_server_finished_len=i;
|
|
|
5820f5 |
+ }
|
|
|
5820f5 |
+
|
|
|
5820f5 |
#ifdef OPENSSL_SYS_WIN16
|
|
|
5820f5 |
/* MSVC 1.5 does not clear the top bytes of the word unless
|
|
|
5820f5 |
* I do this.
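Review bot: The `OPENSSL_assert(i <= EVP_MAX_MD_SIZE);` is repeated verbatim in both branches of the new block; hoisting it above `if(s->type == SSL_ST_CONNECT)` removes the duplication and makes the bound that protects both memcpy calls visible at a glance. The assert presumably reflects the size of `previous_client_finished`/`previous_server_finished`, which are declared outside this hunk, so a comment such as `/* previous_*_finished hold EVP_MAX_MD_SIZE bytes; i is the Finished digest length */` would make the relationship explicit. dtls1_send_finished starts before this hunk.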
|
|
|
5820f5 |
diff -up openssl-fips-0.9.8e/ssl/d1_clnt.c.reneg openssl-fips-0.9.8e/ssl/d1_clnt.c
|
|
|
5820f5 |
--- openssl-fips-0.9.8e/ssl/d1_clnt.c.reneg 2010-02-18 15:58:31.000000000 +0100
|
|
|
5820f5 |
+++ openssl-fips-0.9.8e/ssl/d1_clnt.c 2010-02-18 15:58:31.000000000 +0100
|
|
|
5820f5 |
@@ -621,7 +621,13 @@ int dtls1_client_hello(SSL *s)
|
|
|
5820f5 |
*(p++)=comp->id;
|
|
|
5820f5 |
}
|
|
|
5820f5 |
*(p++)=0; /* Add the NULL method */
|
|
|
5820f5 |
-
|
|
|
5820f5 |
+
|
|
|
5820f5 |
+ if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
|
|
|
5820f5 |
+ {
|
|
|
5820f5 |
+ SSLerr(SSL_F_DTLS1_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
|
|
|
5820f5 |
+ goto err;
|
|
|
5820f5 |
+ }
|
|
|
5820f5 |
+
|
|
|
5820f5 |
l=(p-d);
|
|
|
5820f5 |
d=buf;
|
|
|
5820f5 |
|
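Review bot: The new ssl_add_clienthello_tlsext() call is unconditional, whereas the matching ssl_add_serverhello_tlsext() call added to dtls1_send_server_hello in this same patch is wrapped in `#ifndef OPENSSL_NO_TLSEXT`; if the client-side helper is likewise only built when TLS extensions are compiled in, an OPENSSL_NO_TLSEXT build of d1_clnt.c will fail to link, and if it is always available the server-side guard is redundant — either way the two call sites should agree. The bound passed, `buf+SSL3_RT_MAX_PLAIN_LENGTH`, assumes `buf` has at least that much room, which this hunk does not show; worth confirming against the buffer set up earlier in dtls1_client_hello, which starts before this hunk.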
|
|
5820f5 |
diff -up openssl-fips-0.9.8e/ssl/d1_srvr.c.reneg openssl-fips-0.9.8e/ssl/d1_srvr.c
|
|
|
5820f5 |
--- openssl-fips-0.9.8e/ssl/d1_srvr.c.reneg 2010-02-18 15:58:31.000000000 +0100
|
|
|
5820f5 |
+++ openssl-fips-0.9.8e/ssl/d1_srvr.c 2010-02-18 15:58:31.000000000 +0100
|
|
|
5820f5 |
@@ -267,7 +267,6 @@ int dtls1_accept(SSL *s)
|
|
|
5820f5 |
s->shutdown=0;
|
|
|
5820f5 |
ret=ssl3_get_client_hello(s);
|
|
|
5820f5 |
if (ret <= 0) goto end;
|
|
|
5820f5 |
- s->new_session = 2;
|
|
|
5820f5 |
|
|
|
5820f5 |
if ( s->d1->send_cookie)
|
|
|
5820f5 |
s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A;
|
|
|
5820f5 |
@@ -293,6 +292,7 @@ int dtls1_accept(SSL *s)
|
|
|
5820f5 |
|
|
|
5820f5 |
case SSL3_ST_SW_SRVR_HELLO_A:
|
|
|
5820f5 |
case SSL3_ST_SW_SRVR_HELLO_B:
|
|
|
5820f5 |
+ s->new_session = 2;
|
|
|
5820f5 |
ret=dtls1_send_server_hello(s);
|
|
|
5820f5 |
if (ret <= 0) goto end;
|
|
|
5820f5 |
|
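Review bot: Moving `s->new_session = 2;` from just after ssl3_get_client_hello() to the SRVR_HELLO state leaves no trace of why; a reader of dtls1_accept cannot tell whether this is tied to the HelloVerifyRequest/cookie round trip that the preceding hunk shows can redirect the state machine, or to the renegotiation checks this patch introduces. A one-line comment at the new location, e.g. `/* mark a new session only once we commit to sending ServerHello (after any cookie exchange) */`, adjusted to the actual reason, would stop a future cleanup from moving it back. dtls1_accept extends well beyond this hunk.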
|
|
5820f5 |
@@ -713,6 +713,8 @@ int dtls1_send_server_hello(SSL *s)
|
|
|
5820f5 |
p+=sl;
|
|
|
5820f5 |
|
|
|
5820f5 |
/* put the cipher */
|
|
|
5820f5 |
+ if (s->s3->tmp.new_cipher == NULL)
|
|
|
5820f5 |
+ return -1;
|
|
|
5820f5 |
i=ssl3_put_cipher_by_char(s->s3->tmp.new_cipher,p);
|
|
|
5820f5 |
p+=i;
|
|
|
5820f5 |
|
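Review bot: The new `if (s->s3->tmp.new_cipher == NULL) return -1;` fails without pushing anything onto the error queue, so a caller that sees the -1 gets no SSLerr reason, unlike the ssl_add_serverhello_tlsext() failure path added a few lines further down in this function, which does report ERR_R_INTERNAL_ERROR. I would make the two consistent: `{ SSLerr(SSL_F_DTLS1_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR); return -1; }`. dtls1_send_server_hello starts before this hunk.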
|
|
5820f5 |
@@ -726,13 +728,21 @@ int dtls1_send_server_hello(SSL *s)
|
|
|
5820f5 |
*(p++)=s->s3->tmp.new_compression->id;
|
|
|
5820f5 |
#endif
|
|
|
5820f5 |
|
|
|
5820f5 |
+#ifndef OPENSSL_NO_TLSEXT
|
|
|
5820f5 |
+ if ((p = ssl_add_serverhello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
|
|
|
5820f5 |
+ {
|
|
|
5820f5 |
+ SSLerr(SSL_F_DTLS1_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR);
|
|
|
5820f5 |
+ return -1;
|
|
|
5820f5 |
+ }
|
|
|
5820f5 |
+#endif
|
|
|
5820f5 |
+
|
|
|
5820f5 |
/* do the header */
|
|
|
5820f5 |
l=(p-d);
|
|
|
5820f5 |
d=buf;
|
|
|
5820f5 |
|
|
|
5820f5 |
d = dtls1_set_message_header(s, d, SSL3_MT_SERVER_HELLO, l, 0, l);
|
|
|
5820f5 |
|
|
|
5820f5 |
- s->state=SSL3_ST_CW_CLNT_HELLO_B;
|
|
|
5820f5 |
+ s->state=SSL3_ST_SW_SRVR_HELLO_B;
|
|
|
5820f5 |
/* number of bytes to write */
|
|
|
5820f5 |
s->init_num=p-buf;
|
|
|
5820f5 |
s->init_off=0;
|
|
|
5820f5 |
@@ -741,7 +751,7 @@ int dtls1_send_server_hello(SSL *s)
|
|
|
5820f5 |
dtls1_buffer_message(s, 0);
|
|
|
5820f5 |
}
|
|
|
5820f5 |
|
|
|
5820f5 |
- /* SSL3_ST_CW_CLNT_HELLO_B */
|
|
|
5820f5 |
+ /* SSL3_ST_SW_SRVR_HELLO_B */
|
|
|
5820f5 |
return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
|
|
|
5820f5 |
}
|
|
|
5820f5 |
|
|
|
5820f5 |
@@ -765,7 +775,7 @@ int dtls1_send_server_done(SSL *s)
|
|
|
5820f5 |
dtls1_buffer_message(s, 0);
|
|
|
5820f5 |
}
|
|
|
5820f5 |
|
|
|
5820f5 |
- /* SSL3_ST_CW_CLNT_HELLO_B */
|
|
|
5820f5 |
+ /* SSL3_ST_SW_SRVR_DONE_B */
|
|
|
5820f5 |
return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
|
|
|
5820f5 |
}
|
|
|
5820f5 |
|
|
|
5820f5 |
diff -up openssl-fips-0.9.8e/ssl/Makefile.reneg openssl-fips-0.9.8e/ssl/Makefile
|
|
|
5820f5 |
--- openssl-fips-0.9.8e/ssl/Makefile.reneg 2007-08-01 13:33:16.000000000 +0200
|
|
|
5820f5 |
+++ openssl-fips-0.9.8e/ssl/Makefile 2010-02-18 15:58:31.000000000 +0100
|
|
|
5820f5 |
@@ -30,7 +30,7 @@ LIBSRC= \
|
|
|
5820f5 |
ssl_lib.c ssl_err2.c ssl_cert.c ssl_sess.c \
|
|
|
5820f5 |
ssl_ciph.c ssl_stat.c ssl_rsa.c \
|
|
|
5820f5 |
ssl_asn1.c ssl_txt.c ssl_algs.c \
|
|
|
5820f5 |
- bio_ssl.c ssl_err.c kssl.c
|
|
|
5820f5 |
+ bio_ssl.c ssl_err.c kssl.c t1_reneg.c
|
|
|
5820f5 |
LIBOBJ= \
|
|
|
5820f5 |
s2_meth.o s2_srvr.o s2_clnt.o s2_lib.o s2_enc.o s2_pkt.o \
|
|
|
5820f5 |
s3_meth.o s3_srvr.o s3_clnt.o s3_lib.o s3_enc.o s3_pkt.o s3_both.o \
|
|
|
5820f5 |
@@ -41,7 +41,7 @@ LIBOBJ= \
|
|
|
5820f5 |
ssl_lib.o ssl_err2.o ssl_cert.o ssl_sess.o \
|
|
|
5820f5 |
ssl_ciph.o ssl_stat.o ssl_rsa.o \
|
|
|
5820f5 |
ssl_asn1.o ssl_txt.o ssl_algs.o \
|
|
|
5820f5 |
- bio_ssl.o ssl_err.o kssl.o
|
|
|
5820f5 |
+ bio_ssl.o ssl_err.o kssl.o t1_reneg.o
|
|
|
5820f5 |
|
|
|
5820f5 |
SRC= $(LIBSRC)
|
|
|
5820f5 |
|
|
|
5820f5 |
diff -up openssl-fips-0.9.8e/ssl/ssl_err.c.reneg openssl-fips-0.9.8e/ssl/ssl_err.c
|
|
|
5820f5 |
--- openssl-fips-0.9.8e/ssl/ssl_err.c.reneg 2010-02-18 15:58:31.000000000 +0100
|
|
|
5820f5 |
+++ openssl-fips-0.9.8e/ssl/ssl_err.c 2010-02-18 15:58:31.000000000 +0100
|
|
|
5820f5 |
@@ -168,8 +168,12 @@ static ERR_STRING_DATA SSL_str_functs[]=
|
|
|
5820f5 |
{ERR_FUNC(SSL_F_SSL3_SETUP_KEY_BLOCK), "SSL3_SETUP_KEY_BLOCK"},
|
|
|
5820f5 |
{ERR_FUNC(SSL_F_SSL3_WRITE_BYTES), "SSL3_WRITE_BYTES"},
|
|
|
5820f5 |
{ERR_FUNC(SSL_F_SSL3_WRITE_PENDING), "SSL3_WRITE_PENDING"},
|
|
|
5820f5 |
+{ERR_FUNC(SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT), "SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT"},
|
|
|
5820f5 |
+{ERR_FUNC(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT), "SSL_ADD_CLIENTHELLO_TLSEXT"},
|
|
|
5820f5 |
{ERR_FUNC(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK), "SSL_add_dir_cert_subjects_to_stack"},
|
|
|
5820f5 |
{ERR_FUNC(SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK), "SSL_add_file_cert_subjects_to_stack"},
|
|
|
5820f5 |
+{ERR_FUNC(SSL_F_SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT), "SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT"},
|
|
|
5820f5 |
+{ERR_FUNC(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT), "SSL_ADD_SERVERHELLO_TLSEXT"},
|
|
|
5820f5 |
{ERR_FUNC(SSL_F_SSL_BAD_METHOD), "SSL_BAD_METHOD"},
|
|
|
5820f5 |
{ERR_FUNC(SSL_F_SSL_BYTES_TO_CIPHER_LIST), "SSL_BYTES_TO_CIPHER_LIST"},
|
|
|
5820f5 |
{ERR_FUNC(SSL_F_SSL_CERT_DUP), "SSL_CERT_DUP"},
|
|
|
5820f5 |
@@ -208,6 +212,10 @@ static ERR_STRING_DATA SSL_str_functs[]=
|
|
|
5820f5 |
{ERR_FUNC(SSL_F_SSL_INIT_WBIO_BUFFER), "SSL_INIT_WBIO_BUFFER"},
|
|
|
5820f5 |
{ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE), "SSL_load_client_CA_file"},
|
|
|
5820f5 |
{ERR_FUNC(SSL_F_SSL_NEW), "SSL_new"},
|
|
|
5820f5 |
+{ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT), "SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT"},
|
|
|
5820f5 |
+{ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT), "SSL_PARSE_CLIENTHELLO_TLSEXT"},
|
|
|
5820f5 |
+{ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT), "SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT"},
|
|
|
5820f5 |
+{ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT), "SSL_PARSE_SERVERHELLO_TLSEXT"},
|
|
|
5820f5 |
{ERR_FUNC(SSL_F_SSL_PEEK), "SSL_peek"},
|
|
|
5820f5 |
{ERR_FUNC(SSL_F_SSL_READ), "SSL_read"},
|
|
|
5820f5 |
{ERR_FUNC(SSL_F_SSL_RSA_PRIVATE_DECRYPT), "SSL_RSA_PRIVATE_DECRYPT"},
|
|
|
5820f5 |
@@ -371,6 +379,7 @@ static ERR_STRING_DATA SSL_str_reasons[]
|
|
|
5820f5 |
{ERR_REASON(SSL_R_NO_PRIVATE_KEY_ASSIGNED),"no private key assigned"},
|
|
|
5820f5 |
{ERR_REASON(SSL_R_NO_PROTOCOLS_AVAILABLE),"no protocols available"},
|
|
|
5820f5 |
{ERR_REASON(SSL_R_NO_PUBLICKEY) ,"no publickey"},
|
|
|
5820f5 |
+{ERR_REASON(SSL_R_NO_RENEGOTIATION) ,"no renegotiation"},
|
|
|
5820f5 |
{ERR_REASON(SSL_R_NO_SHARED_CIPHER) ,"no shared cipher"},
|
|
|
5820f5 |
{ERR_REASON(SSL_R_NO_VERIFY_CALLBACK) ,"no verify callback"},
|
|
|
5820f5 |
{ERR_REASON(SSL_R_NULL_SSL_CTX) ,"null ssl ctx"},
|
|
|
5820f5 |
@@ -378,6 +387,7 @@ static ERR_STRING_DATA SSL_str_reasons[]
|
|
|
5820f5 |
{ERR_REASON(SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED),"old session cipher not returned"},
|
|
|
5820f5 |
{ERR_REASON(SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE),"only tls allowed in fips mode"},
|
|
|
5820f5 |
{ERR_REASON(SSL_R_PACKET_LENGTH_TOO_LONG),"packet length too long"},
|
|
|
5820f5 |
+{ERR_REASON(SSL_R_PARSE_TLSEXT) ,"parse tlsext"},
|
|
|
5820f5 |
{ERR_REASON(SSL_R_PATH_TOO_LONG) ,"path too long"},
|
|
|
5820f5 |
{ERR_REASON(SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE),"peer did not return a certificate"},
|
|
|
5820f5 |
{ERR_REASON(SSL_R_PEER_ERROR) ,"peer error"},
|
|
|
5820f5 |
@@ -397,10 +407,14 @@ static ERR_STRING_DATA SSL_str_reasons[]
|
|
|
5820f5 |
{ERR_REASON(SSL_R_RECORD_LENGTH_MISMATCH),"record length mismatch"},
|
|
|
5820f5 |
{ERR_REASON(SSL_R_RECORD_TOO_LARGE) ,"record too large"},
|
|
|
5820f5 |
{ERR_REASON(SSL_R_RECORD_TOO_SMALL) ,"record too small"},
|
|
|
5820f5 |
+{ERR_REASON(SSL_R_RENEGOTIATE_EXT_TOO_LONG),"renegotiate ext too long"},
|
|
|
5820f5 |
+{ERR_REASON(SSL_R_RENEGOTIATION_ENCODING_ERR),"renegotiation encoding err"},
|
|
|
5820f5 |
+{ERR_REASON(SSL_R_RENEGOTIATION_MISMATCH),"renegotiation mismatch"},
|
|
|
5820f5 |
{ERR_REASON(SSL_R_REQUIRED_CIPHER_MISSING),"required cipher missing"},
|
|
|
5820f5 |
{ERR_REASON(SSL_R_REUSE_CERT_LENGTH_NOT_ZERO),"reuse cert length not zero"},
|
|
|
5820f5 |
{ERR_REASON(SSL_R_REUSE_CERT_TYPE_NOT_ZERO),"reuse cert type not zero"},
|
|
|
5820f5 |
{ERR_REASON(SSL_R_REUSE_CIPHER_LIST_NOT_ZERO),"reuse cipher list not zero"},
|
|
|
5820f5 |
+{ERR_REASON(SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING),"scsv received when renegotiating"},
|
|
|
5820f5 |
{ERR_REASON(SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED),"session id context uninitialized"},
|
|
|
5820f5 |
{ERR_REASON(SSL_R_SHORT_READ) ,"short read"},
|
|
|
5820f5 |
{ERR_REASON(SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE),"signature for non signing certificate"},
|
|
|
5820f5 |
@@ -466,6 +480,7 @@ static ERR_STRING_DATA SSL_str_reasons[]
|
|
|
5820f5 |
{ERR_REASON(SSL_R_UNKNOWN_REMOTE_ERROR_TYPE),"unknown remote error type"},
|
|
|
5820f5 |
{ERR_REASON(SSL_R_UNKNOWN_SSL_VERSION) ,"unknown ssl version"},
|
|
|
5820f5 |
{ERR_REASON(SSL_R_UNKNOWN_STATE) ,"unknown state"},
|
|
|
5820f5 |
+{ERR_REASON(SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED),"unsafe legacy renegotiation disabled"},
|
|
|
5820f5 |
{ERR_REASON(SSL_R_UNSUPPORTED_CIPHER) ,"unsupported cipher"},
|
|
|
5820f5 |
{ERR_REASON(SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM),"unsupported compression algorithm"},
|
|
|
5820f5 |
{ERR_REASON(SSL_R_UNSUPPORTED_ELLIPTIC_CURVE),"unsupported elliptic curve"},
|
|
|
5820f5 |
diff -up openssl-fips-0.9.8e/ssl/ssl.h.reneg openssl-fips-0.9.8e/ssl/ssl.h
|
|
|
5820f5 |
--- openssl-fips-0.9.8e/ssl/ssl.h.reneg 2010-02-18 15:58:31.000000000 +0100
|
|
|
5820f5 |
+++ openssl-fips-0.9.8e/ssl/ssl.h 2010-02-18 15:58:31.000000000 +0100
|
|
|
5820f5 |
@@ -480,6 +480,8 @@ typedef struct ssl_session_st
|
|
|
5820f5 |
|
|
|
5820f5 |
#define SSL_OP_MICROSOFT_SESS_ID_BUG 0x00000001L
|
|
|
5820f5 |
#define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x00000002L
|
|
|
5820f5 |
+/* Allow initial connection to servers that don't support RI */
|
|
|
5820f5 |
+#define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L
|
|
|
5820f5 |
#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L /* can break some security expectations */
|
|
|
5820f5 |
#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L
|
|
|
5820f5 |
#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L
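Review bot: SSL_OP_LEGACY_SERVER_CONNECT is assigned 0x00000004L, a bit in the low range that SSL_OP_ALL in this header has historically covered (the SSL_OP_ALL definition is outside this hunk). If SSL_OP_ALL includes this bit, every application using the common `SSL_CTX_set_options(ctx, SSL_OP_ALL)` idiom enables legacy server connect implicitly; that may be intended, given the pod text in this patch says the option is set by default, but it should be checked deliberately, and the opposite must hold for SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION (0x00040000L), which must never be part of SSL_OP_ALL. The comment on the new define could make the default and the way to undo it explicit: `/* Allow initial connection to servers that don't support RI (set by default; clear with SSL_CTX_clear_options) */`.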
|
|
|
5820f5 |
@@ -506,6 +508,8 @@ typedef struct ssl_session_st
|
|
|
5820f5 |
|
|
|
5820f5 |
/* As server, disallow session resumption on renegotiation */
|
|
|
5820f5 |
#define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0x00010000L
|
|
|
5820f5 |
+/* Permit unsafe legacy renegotiation */
|
|
|
5820f5 |
+#define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x00040000L
|
|
|
5820f5 |
/* If set, always create a new key when using tmp_ecdh parameters */
|
|
|
5820f5 |
#define SSL_OP_SINGLE_ECDH_USE 0x00080000L
|
|
|
5820f5 |
/* If set, always create a new key when using tmp_dh parameters */
|
|
|
5820f5 |
@@ -554,17 +558,25 @@ typedef struct ssl_session_st
|
|
|
5820f5 |
|
|
|
5820f5 |
#define SSL_CTX_set_options(ctx,op) \
|
|
|
5820f5 |
SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,(op),NULL)
|
|
|
5820f5 |
+#define SSL_CTX_clear_options(ctx,op) \
|
|
|
5820f5 |
+ SSL_CTX_ctrl((ctx),SSL_CTRL_CLEAR_OPTIONS,(op),NULL)
|
|
|
5820f5 |
#define SSL_CTX_get_options(ctx) \
|
|
|
5820f5 |
SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,0,NULL)
|
|
|
5820f5 |
#define SSL_set_options(ssl,op) \
|
|
|
5820f5 |
SSL_ctrl((ssl),SSL_CTRL_OPTIONS,(op),NULL)
|
|
|
5820f5 |
+#define SSL_clear_options(ssl,op) \
|
|
|
5820f5 |
+ SSL_ctrl((ssl),SSL_CTRL_CLEAR_OPTIONS,(op),NULL)
|
|
|
5820f5 |
#define SSL_get_options(ssl) \
|
|
|
5820f5 |
SSL_ctrl((ssl),SSL_CTRL_OPTIONS,0,NULL)
|
|
|
5820f5 |
|
|
|
5820f5 |
#define SSL_CTX_set_mode(ctx,op) \
|
|
|
5820f5 |
SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,(op),NULL)
|
|
|
5820f5 |
+#define SSL_CTX_clear_mode(ctx,op) \
|
|
|
5820f5 |
+ SSL_CTX_ctrl((ctx),SSL_CTRL_CLEAR_MODE,(op),NULL)
|
|
|
5820f5 |
#define SSL_CTX_get_mode(ctx) \
|
|
|
5820f5 |
SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,0,NULL)
|
|
|
5820f5 |
+#define SSL_clear_mode(ssl,op) \
|
|
|
5820f5 |
+ SSL_ctrl((ssl),SSL_CTRL_CLEAR_MODE,(op),NULL)
|
|
|
5820f5 |
#define SSL_set_mode(ssl,op) \
|
|
|
5820f5 |
SSL_ctrl((ssl),SSL_CTRL_MODE,(op),NULL)
|
|
|
5820f5 |
#define SSL_get_mode(ssl) \
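Review bot: SSL_CTX_clear_mode() and SSL_clear_mode() are added here next to the clear_options macros, but the pod change in this patch documents only SSL_CTX_clear_options()/SSL_clear_options(), and the ssl_lib.c hunk that should add the SSL_CTRL_CLEAR_MODE case to SSL_ctrl()/SSL_CTX_ctrl() is cut off at the end of this page, so I cannot confirm the ctrl is handled. Please confirm both SSL_ctrl and SSL_CTX_ctrl dispatch SSL_CTRL_CLEAR_MODE — an unhandled ctrl would fall through to the default return and silently clear nothing — and add a short entry for the clear_mode macros to SSL_CTX_set_mode.pod.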
|
|
|
5820f5 |
@@ -572,6 +584,8 @@ typedef struct ssl_session_st
|
|
|
5820f5 |
#define SSL_set_mtu(ssl, mtu) \
|
|
|
5820f5 |
SSL_ctrl((ssl),SSL_CTRL_SET_MTU,(mtu),NULL)
|
|
|
5820f5 |
|
|
|
5820f5 |
+#define SSL_get_secure_renegotiation_support(ssl) \
|
|
|
5820f5 |
+ SSL_ctrl((ssl), SSL_CTRL_GET_RI_SUPPORT, 0, NULL)
|
|
|
5820f5 |
|
|
|
5820f5 |
void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
|
|
|
5820f5 |
void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
|
|
|
5820f5 |
@@ -1189,6 +1203,10 @@ size_t SSL_get_peer_finished(const SSL *
|
|
|
5820f5 |
#define SSL_CTRL_GET_MAX_CERT_LIST 50
|
|
|
5820f5 |
#define SSL_CTRL_SET_MAX_CERT_LIST 51
|
|
|
5820f5 |
|
|
|
5820f5 |
+#define SSL_CTRL_GET_RI_SUPPORT 76
|
|
|
5820f5 |
+#define SSL_CTRL_CLEAR_OPTIONS 77
|
|
|
5820f5 |
+#define SSL_CTRL_CLEAR_MODE 78
|
|
|
5820f5 |
+
|
|
|
5820f5 |
#define SSL_session_reused(ssl) \
|
|
|
5820f5 |
SSL_ctrl((ssl),SSL_CTRL_GET_SESSION_REUSED,0,NULL)
|
|
|
5820f5 |
#define SSL_num_renegotiations(ssl) \
|
|
|
5820f5 |
@@ -1650,8 +1668,12 @@ void ERR_load_SSL_strings(void);
|
|
|
5820f5 |
#define SSL_F_SSL3_SETUP_KEY_BLOCK 157
|
|
|
5820f5 |
#define SSL_F_SSL3_WRITE_BYTES 158
|
|
|
5820f5 |
#define SSL_F_SSL3_WRITE_PENDING 159
|
|
|
5820f5 |
+#define SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT 285
|
|
|
5820f5 |
+#define SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT 272
|
|
|
5820f5 |
#define SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK 215
|
|
|
5820f5 |
#define SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK 216
|
|
|
5820f5 |
+#define SSL_F_SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT 286
|
|
|
5820f5 |
+#define SSL_F_SSL_ADD_SERVERHELLO_TLSEXT 273
|
|
|
5820f5 |
#define SSL_F_SSL_BAD_METHOD 160
|
|
|
5820f5 |
#define SSL_F_SSL_BYTES_TO_CIPHER_LIST 161
|
|
|
5820f5 |
#define SSL_F_SSL_CERT_DUP 221
|
|
|
5820f5 |
@@ -1690,6 +1712,10 @@ void ERR_load_SSL_strings(void);
|
|
|
5820f5 |
#define SSL_F_SSL_INIT_WBIO_BUFFER 184
|
|
|
5820f5 |
#define SSL_F_SSL_LOAD_CLIENT_CA_FILE 185
|
|
|
5820f5 |
#define SSL_F_SSL_NEW 186
|
|
|
5820f5 |
+#define SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT 287
|
|
|
5820f5 |
+#define SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT 290
|
|
|
5820f5 |
+#define SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT 289
|
|
|
5820f5 |
+#define SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT 291
|
|
|
5820f5 |
#define SSL_F_SSL_PEEK 270
|
|
|
5820f5 |
#define SSL_F_SSL_READ 223
|
|
|
5820f5 |
#define SSL_F_SSL_RSA_PRIVATE_DECRYPT 187
|
|
|
5820f5 |
@@ -1850,6 +1876,7 @@ void ERR_load_SSL_strings(void);
|
|
|
5820f5 |
#define SSL_R_NO_PRIVATE_KEY_ASSIGNED 190
|
|
|
5820f5 |
#define SSL_R_NO_PROTOCOLS_AVAILABLE 191
|
|
|
5820f5 |
#define SSL_R_NO_PUBLICKEY 192
|
|
|
5820f5 |
+#define SSL_R_NO_RENEGOTIATION 319
|
|
|
5820f5 |
#define SSL_R_NO_SHARED_CIPHER 193
|
|
|
5820f5 |
#define SSL_R_NO_VERIFY_CALLBACK 194
|
|
|
5820f5 |
#define SSL_R_NULL_SSL_CTX 195
|
|
|
5820f5 |
@@ -1857,6 +1884,7 @@ void ERR_load_SSL_strings(void);
|
|
|
5820f5 |
#define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 197
|
|
|
5820f5 |
#define SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE 297
|
|
|
5820f5 |
#define SSL_R_PACKET_LENGTH_TOO_LONG 198
|
|
|
5820f5 |
+#define SSL_R_PARSE_TLSEXT 223
|
|
|
5820f5 |
#define SSL_R_PATH_TOO_LONG 270
|
|
|
5820f5 |
#define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE 199
|
|
|
5820f5 |
#define SSL_R_PEER_ERROR 200
|
|
|
5820f5 |
@@ -1876,10 +1904,14 @@ void ERR_load_SSL_strings(void);
|
|
|
5820f5 |
#define SSL_R_RECORD_LENGTH_MISMATCH 213
|
|
|
5820f5 |
#define SSL_R_RECORD_TOO_LARGE 214
|
|
|
5820f5 |
#define SSL_R_RECORD_TOO_SMALL 298
|
|
|
5820f5 |
+#define SSL_R_RENEGOTIATE_EXT_TOO_LONG 320
|
|
|
5820f5 |
+#define SSL_R_RENEGOTIATION_ENCODING_ERR 321
|
|
|
5820f5 |
+#define SSL_R_RENEGOTIATION_MISMATCH 322
|
|
|
5820f5 |
#define SSL_R_REQUIRED_CIPHER_MISSING 215
|
|
|
5820f5 |
#define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO 216
|
|
|
5820f5 |
#define SSL_R_REUSE_CERT_TYPE_NOT_ZERO 217
|
|
|
5820f5 |
#define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO 218
|
|
|
5820f5 |
+#define SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING 324
|
|
|
5820f5 |
#define SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED 277
|
|
|
5820f5 |
#define SSL_R_SHORT_READ 219
|
|
|
5820f5 |
#define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 220
|
|
|
5820f5 |
@@ -1945,6 +1977,7 @@ void ERR_load_SSL_strings(void);
|
|
|
5820f5 |
#define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE 253
|
|
|
5820f5 |
#define SSL_R_UNKNOWN_SSL_VERSION 254
|
|
|
5820f5 |
#define SSL_R_UNKNOWN_STATE 255
|
|
|
5820f5 |
+#define SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED 323
|
|
|
5820f5 |
#define SSL_R_UNSUPPORTED_CIPHER 256
|
|
|
5820f5 |
#define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 257
|
|
|
5820f5 |
#define SSL_R_UNSUPPORTED_ELLIPTIC_CURVE 315
|
|
|
5820f5 |
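--- a/openssl-fips-0.9.8e/ssl/ssl_lib.c
+++ b/openssl-fips-0.9.8e/ssl/ssl_lib.c
@@ -958,8 +958,12 @@ long SSL_ctrl(SSL *s,int cmd,long larg,v
 
 case SSL_CTRL_OPTIONS:
 return(s->options|=larg);
+ case SSL_CTRL_CLEAR_OPTIONS:
+ return(s->options&=~larg);
 case SSL_CTRL_MODE:
 return(s->mode|=larg);
+ case SSL_CTRL_CLEAR_MODE:
+ return(s->mode &=~larg);
 case SSL_CTRL_GET_MAX_CERT_LIST:
 return(s->max_cert_list);
 case SSL_CTRL_SET_MAX_CERT_LIST:
@@ -973,6 +977,10 @@ long SSL_ctrl(SSL *s,int cmd,long larg,v
 return larg;
 }
 return 0;
+ case SSL_CTRL_GET_RI_SUPPORT:
+ if (s->s3)
+ return s->s3->send_connection_binding;
+ else return 0;
 default:
 return(s->method->ssl_ctrl(s,cmd,larg,parg));
 }
@@ -1059,8 +1067,12 @@ long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd,l
 return(ctx->stats.sess_cache_full);
 case SSL_CTRL_OPTIONS:
 return(ctx->options|=larg);
+ case SSL_CTRL_CLEAR_OPTIONS:
+ return(ctx->options&=~larg);
 case SSL_CTRL_MODE:
 return(ctx->mode|=larg);
+ case SSL_CTRL_CLEAR_MODE:
+ return(ctx->mode&=~larg);
 default:
 return(ctx->method->ssl_ctx_ctrl(ctx,cmd,larg,parg));
 }
@@ -1257,6 +1269,22 @@ int ssl_cipher_list_to_bytes(SSL *s,STAC
 j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p);
 p+=j;
 }
+ /* If p == q, no ciphers and caller indicates an error. Otherwise
+ * add SCSV if not renegotiating.
+ */
+ if (p != q && !s->new_session)
+ {
+ static SSL_CIPHER scsv =
+ {
+ 0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0,
+ };
+ j = put_cb ? put_cb(&scsv,p) : ssl_put_cipher_by_char(s,&scsv,p);
+ p+=j;
+#ifdef OPENSSL_RI_DEBUG
+ fprintf(stderr, "SCSV sent by client\n");
+#endif
+ }
+
 return(p-q);
 }
 
@@ -1266,6 +1294,8 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_ciphe
 SSL_CIPHER *c;
 STACK_OF(SSL_CIPHER) *sk;
 int i,n;
+ if (s->s3)
+ s->s3->send_connection_binding = 0;
 
 n=ssl_put_cipher_by_char(s,NULL,NULL);
 if ((num%n) != 0)
@@ -1283,6 +1313,26 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_ciphe
 
 for (i=0; i
 {
+ /* Check for SCSV */
+ if (s->s3 && (n != 3 || !p[0]) &&
+ (p[n-2] == ((SSL3_CK_SCSV >> 8) & 0xff)) &&
+ (p[n-1] == (SSL3_CK_SCSV & 0xff)))
+ {
+ /* SCSV fatal if renegotiating */
+ if (s->new_session)
+ {
+ SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
+ goto err;
+ }
+ s->s3->send_connection_binding = 1;
+ p += n;
+#ifdef OPENSSL_RI_DEBUG
+ fprintf(stderr, "SCSV received by server\n");
+#endif
+ continue;
+ }
+
 c=ssl_get_cipher_by_char(s,p);
 p+=n;
 if (c != NULL)
@@ -1461,6 +1511,11 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *meth)
 ret->extra_certs=NULL;
 ret->comp_methods=SSL_COMP_get_compression_methods();
 
+ /* Default is to connect to non-RI servers. When RI is more widely
+ * deployed might change this.
+ */
+ ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
+
 return(ret);
 err:
 SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE);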
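Review bot: The SCSV pseudo-cipher in ssl_cipher_list_to_bytes, `static SSL_CIPHER scsv = { 0, NULL, SSL3_CK_SCSV, 0, ... }`, is a positional aggregate whose meaning depends on SSL_CIPHER's field order, so a comment naming the one field that matters would help: `/* only the id field is meaningful: SSL3_CK_SCSV is a signalling value, not a negotiable suite */`. In ssl_bytes_to_cipher_list the guard `(n != 3 || !p[0])` also deserves a line, e.g. `/* 3-byte (SSLv2-format) specs only match SCSV when the leading byte is zero */`, and the leading `s->s3 &&` means the SCSV is silently ignored on a connection that has no SSLv3 state. Both functions start and end outside their hunks.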
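--- a/openssl-fips-0.9.8e/ssl/ssl_locl.h
+++ b/openssl-fips-0.9.8e/ssl/ssl_locl.h
@@ -934,5 +934,17 @@ int check_srvr_ecc_cert_and_alg(X509 *x,
 
 SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n);
 
+unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit);
+unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit);
+int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);
+int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);
+int ssl_add_serverhello_renegotiate_ext(SSL *s, unsigned char *p, int *len,
+ int maxlen);
+int ssl_parse_serverhello_renegotiate_ext(SSL *s, unsigned char *d, int len,
+ int *al);
+int ssl_add_clienthello_renegotiate_ext(SSL *s, unsigned char *p, int *len,
+ int maxlen);
+int ssl_parse_clienthello_renegotiate_ext(SSL *s, unsigned char *d, int len,
+ int *al);
 
 #endif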
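Review bot: The new prototypes carry no documentation, and the `p`/`len`/`maxlen` contract of ssl_add_clienthello_renegotiate_ext and ssl_add_serverhello_renegotiate_ext is not obvious from the signature: the t1_lib.c hunk calls each twice, first with `p` 0 and `maxlen` 0 to obtain the encoded length in `*len`, then with the real buffer and that length as `maxlen`. A comment above the two `ssl_add_*_renegotiate_ext` declarations stating that two-phase protocol, and one above the `ssl_parse_*` declarations saying that `*al` receives the alert description whenever 0 is returned, would save the next reader a trip into t1_lib.c.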
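--- a/openssl-fips-0.9.8e/ssl/ssl3.h
+++ b/openssl-fips-0.9.8e/ssl/ssl3.h
@@ -129,6 +129,9 @@
 extern "C" {
 #endif
 
+/* Signalling cipher suite value: from draft-ietf-tls-renegotiation-03.txt */
+#define SSL3_CK_SCSV 0x030000FF
+
 #define SSL3_CK_RSA_NULL_MD5 0x03000001
 #define SSL3_CK_RSA_NULL_SHA 0x03000002
 #define SSL3_CK_RSA_RC4_40_MD5 0x03000003
@@ -437,6 +440,12 @@ typedef struct ssl3_state_st
 int cert_request;
 } tmp;
 
+ /* Connection binding to prevent renegotiation attacks */
+ unsigned char previous_client_finished[EVP_MAX_MD_SIZE];
+ unsigned char previous_client_finished_len;
+ unsigned char previous_server_finished[EVP_MAX_MD_SIZE];
+ unsigned char previous_server_finished_len;
+ int send_connection_binding; /* TODOEKR */
 } SSL3_STATE;
 
 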
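Review bot: `int send_connection_binding; /* TODOEKR */` leaves a placeholder where the field's meaning belongs; the ssl_lib.c hunks clear it at the top of ssl_bytes_to_cipher_list, set it when the SCSV is seen, and expose it through SSL_CTRL_GET_RI_SUPPORT. Suggested replacement: `/* non-zero once the peer has signalled secure-renegotiation support (SCSV or renegotiation_info); reported via SSL_CTRL_GET_RI_SUPPORT */`. The `previous_*_finished_len` fields are `unsigned char` while the value stored into them in s3_both.c is an `int`, which is safe only because of the `OPENSSL_assert(i <= EVP_MAX_MD_SIZE)` there; that invariant is worth stating next to the fields.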
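--- a/openssl-fips-0.9.8e/ssl/s23_clnt.c
+++ b/openssl-fips-0.9.8e/ssl/s23_clnt.c
@@ -368,6 +368,11 @@ static int ssl23_client_hello(SSL *s)
 *(p++)=comp->id;
 }
 *(p++)=0; /* Add the NULL method */
+ if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
+ {
+ SSLerr(SSL_F_SSL23_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
+ return -1;
+ }
 
 l = p-d;
 *p = 42;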
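Review bot: The `return -1` on ssl_add_clienthello_tlsext failure leaves ssl23_client_hello directly, whereas the same failure in the s3_clnt.c hunk goes to `err`; whether ssl23_client_hello has cleanup that this skips is outside the hunk, so the choice should at least be commented. Per the t1_lib.c hunk, ssl_add_clienthello_tlsext returns `p` unchanged when there is nothing to add and NULL only on a limit overrun or an internal failure while building the renegotiation extension, so a line such as `/* NULL: extension would overrun buf+SSL3_RT_MAX_PLAIN_LENGTH, or RI data could not be built */` would make the check self-explanatory. The function starts and ends outside the hunk.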
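--- a/openssl-fips-0.9.8e/ssl/s3_both.c
+++ b/openssl-fips-0.9.8e/ssl/s3_both.c
@@ -168,6 +168,23 @@ int ssl3_send_finished(SSL *s, int a, in
 p+=i;
 l=i;
 
+ /* Copy the finished so we can use it for
+ renegotiation checks */
+ if(s->type == SSL_ST_CONNECT)
+ {
+ OPENSSL_assert(i <= EVP_MAX_MD_SIZE);
+ memcpy(s->s3->previous_client_finished,
+ s->s3->tmp.finish_md, i);
+ s->s3->previous_client_finished_len=i;
+ }
+ else
+ {
+ OPENSSL_assert(i <= EVP_MAX_MD_SIZE);
+ memcpy(s->s3->previous_server_finished,
+ s->s3->tmp.finish_md, i);
+ s->s3->previous_server_finished_len=i;
+ }
+
 #ifdef OPENSSL_SYS_WIN16
 /* MSVC 1.5 does not clear the top bytes of the word unless
 * I do this.
@@ -232,6 +249,23 @@ int ssl3_get_finished(SSL *s, int a, int
 goto f_err;
 }
 
+ /* Copy the finished so we can use it for
+ renegotiation checks */
+ if(s->type == SSL_ST_ACCEPT)
+ {
+ OPENSSL_assert(i <= EVP_MAX_MD_SIZE);
+ memcpy(s->s3->previous_client_finished,
+ s->s3->tmp.peer_finish_md, i);
+ s->s3->previous_client_finished_len=i;
+ }
+ else
+ {
+ OPENSSL_assert(i <= EVP_MAX_MD_SIZE);
+ memcpy(s->s3->previous_server_finished,
+ s->s3->tmp.peer_finish_md, i);
+ s->s3->previous_server_finished_len=i;
+ }
+
 return(1);
 f_err:
 ssl3_send_alert(s,SSL3_AL_FATAL,al);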
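Review bot: Both branches of the new `if(s->type == SSL_ST_CONNECT)` block in ssl3_send_finished repeat `OPENSSL_assert(i <= EVP_MAX_MD_SIZE);`; hoisting the assert above the `if` removes the duplication, and the same applies to the ssl3_get_finished hunk. In ssl3_get_finished the copy sits after the `goto f_err` at the top of the hunk, which presumably is the verify_data mismatch path, so only a Finished that has verified is remembered for the binding check; that ordering is deliberate and deserves a comment, e.g. `/* reached only after the peer's Finished verified; keep it for renegotiation_info */`. Both functions start and end outside the hunks.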
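--- a/openssl-fips-0.9.8e/ssl/s3_clnt.c
+++ b/openssl-fips-0.9.8e/ssl/s3_clnt.c
@@ -601,7 +601,11 @@ int ssl3_client_hello(SSL *s)
 }
 #endif
 *(p++)=0; /* Add the NULL method */
-
+ if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
+ {
+ SSLerr(SSL_F_SSL3_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
 l=(p-d);
 d=buf;
 *(d++)=SSL3_MT_CLIENT_HELLO;
@@ -635,7 +639,7 @@ int ssl3_get_server_hello(SSL *s)
 SSL3_ST_CR_SRVR_HELLO_A,
 SSL3_ST_CR_SRVR_HELLO_B,
 -1,
- 300, /* ?? */
+ 1000, /* ?? */
 &ok;;
 
 if (!ok) return((int)n);
@@ -785,6 +789,17 @@ int ssl3_get_server_hello(SSL *s)
 s->s3->tmp.new_compression=comp;
 }
 #endif
+ /* TLS extensions - we parse renegotiate extension only */
+ if (s->version >= SSL3_VERSION)
+ {
+ if (!ssl_parse_serverhello_tlsext(s,&p,d,n, &al))
+ {
+ /* 'al' set by ssl_parse_serverhello_tlsext */
+ SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_PARSE_TLSEXT);
+ goto f_err;
+ }
+ }
+
 
 if (p != (d+n))
 {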
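Review bot: `1000, /* ?? */` replaces one unexplained magic number with another; the ServerHello length bound was raised because the message can now carry extensions, and the comment should say so, e.g. `1000, /* ServerHello may now carry extensions; 300 was too small */`. The ssl_add_clienthello_tlsext failure path here uses `goto err`, while the s23_clnt.c and s3_srvr.c hunks use `return -1` for the same failure; picking one convention, or commenting why they differ, would help. ssl3_client_hello and ssl3_get_server_hello start and end outside the hunks.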
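--- a/openssl-fips-0.9.8e/ssl/s3_pkt.c
+++ b/openssl-fips-0.9.8e/ssl/s3_pkt.c
@@ -1013,7 +1013,25 @@ start:
 * now try again to obtain the (application) data we were asked for */
 goto start;
 }
-
+ /* If we are a server and get a client hello when renegotiation isn't
+ * allowed send back a no renegotiation alert and carry on.
+ * WARNING: experimental code, needs reviewing (steve)
+ */
+ if (s->server &&
+ SSL_is_init_finished(s) &&
+ !s->s3->send_connection_binding &&
+ (s->version > SSL3_VERSION) &&
+ (s->s3->handshake_fragment_len >= 4) &&
+ (s->s3->handshake_fragment[0] == SSL3_MT_CLIENT_HELLO) &&
+ (s->session != NULL) && (s->session->cipher != NULL) &&
+ !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+
+ {
+ /*s->s3->handshake_fragment_len = 0;*/
+ rr->length = 0;
+ ssl3_send_alert(s,SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION);
+ goto start;
+ }
 if (s->s3->alert_fragment_len >= 2)
 {
 int alert_level = s->s3->alert_fragment[0];
@@ -1043,6 +1061,21 @@ start:
 s->shutdown |= SSL_RECEIVED_SHUTDOWN;
 return(0);
 }
+ /* This is a warning but we receive it if we requested
+ * renegotiation and the peer denied it. Terminate with
+ * a fatal alert because if application tried to
+ * renegotiatie it presumably had a good reason and
+ * expects it to succeed.
+ *
+ * In future we might have a renegotiation where we
+ * don't care if the peer refused it where we carry on.
+ */
+ else if (alert_descr == SSL_AD_NO_RENEGOTIATION)
+ {
+ al = SSL_AD_HANDSHAKE_FAILURE;
+ SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_NO_RENEGOTIATION);
+ goto f_err;
+ }
 }
 else if (alert_level == 2) /* fatal */
 {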
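Review bot: The new server-side check in ssl3_read_bytes tests `s->ctx->options` for SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, whereas the s3_srvr.c and t1_lib.c hunks test `s->options`, and the SSL_CTRL_OPTIONS case in ssl_lib.c writes `s->options`; an option set or cleared per connection through SSL_ctrl is therefore ignored by this one check, so the term should read `!(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))`. The commented-out `/*s->s3->handshake_fragment_len = 0;*/` and the `WARNING: experimental code` line should either be resolved or replaced by a statement of why the fragment is deliberately left in place while only `rr->length` is zeroed. ssl3_read_bytes starts and ends outside the hunks.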
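--- a/openssl-fips-0.9.8e/ssl/s3_srvr.c
+++ b/openssl-fips-0.9.8e/ssl/s3_srvr.c
@@ -248,6 +248,18 @@ int ssl3_accept(SSL *s)
 s->state=SSL3_ST_SR_CLNT_HELLO_A;
 s->ctx->stats.sess_accept++;
 }
+ else if (!s->s3->send_connection_binding &&
+ !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+ {
+ /* Server attempting to renegotiate with
+ * client that doesn't support secure
+ * renegotiation.
+ */
+ SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
+ ret = -1;
+ goto end;
+ }
 else
 {
 /* s->state == SSL_ST_RENEGOTIATE,
@@ -898,6 +910,16 @@ int ssl3_get_client_hello(SSL *s)
 goto f_err;
 }
 
+ /* TLS extensions - just parsing the renegotiation extension */
+ if (s->version >= SSL3_VERSION)
+ {
+ if (!ssl_parse_clienthello_tlsext(s,&p,d,n, &al))
+ {
+ /* 'al' set by ssl_parse_clienthello_tlsext */
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_PARSE_TLSEXT);
+ goto f_err;
+ }
+ }
 /* Worst case, we will use the NULL compression, but if we have other
 * options, we will now look for them. We have i-1 compression
 * algorithms from the client, starting at q. */
@@ -1089,20 +1111,24 @@ int ssl3_send_server_hello(SSL *s)
 else
 *(p++)=s->s3->tmp.new_compression->id;
 #endif
-
+ if ((p = ssl_add_serverhello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
+ {
+ SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR);
+ return -1;
+ }
 /* do the header */
 l=(p-d);
 d=buf;
 *(d++)=SSL3_MT_SERVER_HELLO;
 l2n3(l,d);
 
- s->state=SSL3_ST_CW_CLNT_HELLO_B;
+ s->state=SSL3_ST_SW_SRVR_HELLO_B;
 /* number of bytes to write */
 s->init_num=p-buf;
 s->init_off=0;
 }
 
- /* SSL3_ST_CW_CLNT_HELLO_B */
+ /* SSL3_ST_SW_SRVR_HELLO_B */
 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
 }
 
@@ -1126,7 +1152,7 @@ int ssl3_send_server_done(SSL *s)
 s->init_off=0;
 }
 
- /* SSL3_ST_CW_CLNT_HELLO_B */
+ /* SSL3_ST_SW_SRVR_DONE_B */
 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
 }
 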
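Review bot: The rejection added to ssl3_accept appears to cover only the server-initiated renegotiation case, since the `else` that follows it is commented `s->state == SSL_ST_RENEGOTIATE` and the initial-handshake branch precedes it; the client-initiated case without RI is refused separately in ssl_parse_clienthello_tlsext (t1_lib.c hunk) and ssl3_read_bytes (s3_pkt.c hunk). The in-block comment would be clearer if it said so: `/* Server-initiated renegotiation with a client that never signalled RI support; client-initiated attempts are refused in ssl_parse_clienthello_tlsext */`. The corrected state comments `SSL3_ST_SW_SRVR_HELLO_B` and `SSL3_ST_SW_SRVR_DONE_B` fix copy-paste leftovers and need nothing further. ssl3_accept, ssl3_get_client_hello and ssl3_send_server_hello start and end outside their hunks.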
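--- a/openssl-fips-0.9.8e/ssl/tls1.h
+++ b/openssl-fips-0.9.8e/ssl/tls1.h
@@ -97,6 +97,9 @@ extern "C" {
 #define TLS1_AD_USER_CANCELLED 90
 #define TLS1_AD_NO_RENEGOTIATION 100
 
+/* Temporary extension type */
+#define TLSEXT_TYPE_renegotiate 0xff01
+
 /* Additional TLS ciphersuites from draft-ietf-tls-56-bit-ciphersuites-00.txt
 * (available if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES is defined, see
 * s3_lib.c). We actually treat them like SSL 3.0 ciphers, which we probably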
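Review bot: `/* Temporary extension type */` says neither what `TLSEXT_TYPE_renegotiate 0xff01` identifies nor where the number comes from; it is the renegotiation_info extension type from the same draft-ietf-tls-renegotiation-03 that the ssl3.h hunk cites for SSL3_CK_SCSV, and it is the value RFC 5746 later registered. Suggested comment: `/* renegotiation_info extension type (draft-ietf-tls-renegotiation-03, later RFC 5746) */`.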
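--- a/openssl-fips-0.9.8e/ssl/t1_lib.c
+++ b/openssl-fips-0.9.8e/ssl/t1_lib.c
@@ -117,3 +117,202 @@ long tls1_callback_ctrl(SSL *s, int cmd,
 return(0);
 }
 #endif
+
+unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
+ {
+ int extdatalen=0;
+ unsigned char *ret = p;
+
+ /* don't add extensions for SSLv3 unless doing secure renegotiation */
+ if (s->client_version == SSL3_VERSION
+ && !s->s3->send_connection_binding)
+ return p;
+
+ ret+=2;
+
+ if (ret>=limit) return NULL; /* this really never occurs, but ... */
+
+ /* Add RI if renegotiating */
+ if (s->new_session)
+ {
+ int el;
+
+ if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
+ {
+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+ return NULL;
+ }
+
+ if((limit - p - 4 - el) < 0) return NULL;
+
+ s2n(TLSEXT_TYPE_renegotiate,ret);
+ s2n(el,ret);
+
+ if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
+ {
+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+ return NULL;
+ }
+
+ ret += el;
+ }
+
+ if ((extdatalen = ret-p-2)== 0)
+ return p;
+
+ s2n(extdatalen,p);
+ return ret;
+ }
+
+unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
+ {
+ int extdatalen=0;
+ unsigned char *ret = p;
+
+ /* don't add extensions for SSLv3, unless doing secure renegotiation */
+ if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
+ return p;
+
+ ret+=2;
+ if (ret>=limit) return NULL; /* this really never occurs, but ... */
+
+ if(s->s3->send_connection_binding)
+ {
+ int el;
+
+ if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
+ {
+ SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+ return NULL;
+ }
+
+ if((limit - p - 4 - el) < 0) return NULL;
+
+ s2n(TLSEXT_TYPE_renegotiate,ret);
+ s2n(el,ret);
+
+ if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
+ {
+ SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+ return NULL;
+ }
+
+ ret += el;
+ }
+
+ if ((extdatalen = ret-p-2)== 0)
+ return p;
+
+ s2n(extdatalen,p);
+ return ret;
+ }
+
+int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
+ {
+ unsigned short type;
+ unsigned short size;
+ unsigned short len;
+ unsigned char *data = *p;
+ int renegotiate_seen = 0;
+
+ if (data >= (d+n-2))
+ goto ri_check;
+
+ n2s(data,len);
+
+ if (data > (d+n-len))
+ goto ri_check;
+
+ while (data <= (d+n-4))
+ {
+ n2s(data,type);
+ n2s(data,size);
+
+ if (data+size > (d+n))
+ goto ri_check;
+
+ if (type == TLSEXT_TYPE_renegotiate)
+ {
+ if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
+ return 0;
+ renegotiate_seen = 1;
+ }
+
+ data+=size;
+ }
+ *p = data;
+
+ ri_check:
+
+ /* Need RI if renegotiating */
+
+ if (!renegotiate_seen && s->new_session &&
+ !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+ {
+ *al = SSL_AD_HANDSHAKE_FAILURE;
+ SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
+ SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
+ return 0;
+ }
+
+ return 1;
+ }
+
+int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
+ {
+ unsigned short type;
+ unsigned short size;
+ unsigned short len;
+ unsigned char *data = *p;
+ int renegotiate_seen = 0;
+
+ if (data >= (d+n-2))
+ goto ri_check;
+
+ n2s(data,len);
+
+ while(data <= (d+n-4))
+ {
+ n2s(data,type);
+ n2s(data,size);
+
+ if (data+size > (d+n))
+ goto ri_check;
+ if (type == TLSEXT_TYPE_renegotiate)
+ {
+ if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
+ return 0;
+ renegotiate_seen = 1;
+ }
+ data+=size;
+ }
+
+ if (data != d+n)
+ {
+ *al = SSL_AD_DECODE_ERROR;
+ return 0;
+ }
+
+ *p = data;
+
+ ri_check:
+
+ /* Determine if we need to see RI. Strictly speaking if we want to
+ * avoid an attack we should *always* see RI even on initial server
+ * hello because the client doesn't see any renegotiation during an
+ * attack. However this would mean we could not connect to any server
+ * which doesn't support RI so for the immediate future tolerate RI
+ * absence on initial connect only.
+ */
+ if (!renegotiate_seen
+ && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
+ && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+ {
+ *al = SSL_AD_HANDSHAKE_FAILURE;
+ SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
+ SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
+ return 0;
+ }
+
+ return 1;
+ }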
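Review bot: In ssl_parse_serverhello_tlsext the comment above the `ri_check` condition says RI absence is tolerated "on initial connect only", but the condition never consults `s->new_session` (the clienthello counterpart's check is `!renegotiate_seen && s->new_session && ...`), so with SSL_OP_LEGACY_SERVER_CONNECT set — which the ssl_lib.c hunk makes the SSL_CTX_new default — a renegotiating ServerHello that omits RI is accepted unless something outside this hunk enforces its presence. If nothing does, the tolerance should be tied to the first handshake by replacing the `!(s->options & SSL_OP_LEGACY_SERVER_CONNECT)` term with `(s->new_session || !(s->options & SSL_OP_LEGACY_SERVER_CONNECT))`. Separately, both parsers read the extension-block length into `len` but bound the loop by `d+n` rather than `data+len`, so the declared length is used only for the one `data > (d+n-len)` check in the clienthello parser and not at all in the serverhello one; a comment that the hello's own length `n` is the trusted bound would stop this reading as an oversight. The hunk opens inside tls1_callback_ctrl; the four new functions are complete within it.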
diff -up openssl-fips-0.9.8e/ssl/t1_reneg.c.reneg openssl-fips-0.9.8e/ssl/t1_reneg.c
|
|
|
5820f5 |
--- openssl-fips-0.9.8e/ssl/t1_reneg.c.reneg 2010-02-18 15:58:31.000000000 +0100
|
|
|
5820f5 |
+++ openssl-fips-0.9.8e/ssl/t1_reneg.c 2010-02-18 15:58:31.000000000 +0100
|
|
|
5820f5 |
@@ -0,0 +1,292 @@
|
|
|
5820f5 |
+/* ssl/t1_reneg.c */
|
|
|
5820f5 |
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
|
|
|
5820f5 |
+ * All rights reserved.
|
|
|
5820f5 |
+ *
|
|
|
5820f5 |
+ * This package is an SSL implementation written
|
|
|
5820f5 |
+ * by Eric Young (eay@cryptsoft.com).
|
|
|
5820f5 |
+ * The implementation was written so as to conform with Netscapes SSL.
|
|
|
5820f5 |
+ *
|
|
|
5820f5 |
+ * This library is free for commercial and non-commercial use as long as
|
|
|
5820f5 |
+ * the following conditions are aheared to. The following conditions
|
|
|
5820f5 |
+ * apply to all code found in this distribution, be it the RC4, RSA,
|
|
|
5820f5 |
+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
|
|
|
5820f5 |
+ * included with this distribution is covered by the same copyright terms
|
|
|
5820f5 |
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
|
|
|
5820f5 |
+ *
|
|
|
5820f5 |
+ * Copyright remains Eric Young's, and as such any Copyright notices in
|
|
|
5820f5 |
+ * the code are not to be removed.
|
|
|
5820f5 |
+ * If this package is used in a product, Eric Young should be given attribution
|
|
|
5820f5 |
+ * as the author of the parts of the library used.
|
|
|
5820f5 |
+ * This can be in the form of a textual message at program startup or
|
|
|
5820f5 |
+ * in documentation (online or textual) provided with the package.
|
|
|
5820f5 |
+ *
|
|
|
5820f5 |
+ * Redistribution and use in source and binary forms, with or without
|
|
|
5820f5 |
+ * modification, are permitted provided that the following conditions
|
|
|
5820f5 |
+ * are met:
|
|
|
5820f5 |
+ * 1. Redistributions of source code must retain the copyright
|
|
|
5820f5 |
+ * notice, this list of conditions and the following disclaimer.
|
|
|
5820f5 |
+ * 2. Redistributions in binary form must reproduce the above copyright
|
|
|
5820f5 |
+ * notice, this list of conditions and the following disclaimer in the
|
|
|
5820f5 |
+ * documentation and/or other materials provided with the distribution.
|
|
|
5820f5 |
+ * 3. All advertising materials mentioning features or use of this software
|
|
|
5820f5 |
+ * must display the following acknowledgement:
|
|
|
5820f5 |
+ * "This product includes cryptographic software written by
|
|
|
5820f5 |
+ * Eric Young (eay@cryptsoft.com)"
|
|
|
5820f5 |
+ * The word 'cryptographic' can be left out if the rouines from the library
|
|
|
5820f5 |
+ * being used are not cryptographic related :-).
|
|
|
5820f5 |
+ * 4. If you include any Windows specific code (or a derivative thereof) from
|
|
|
5820f5 |
+ * the apps directory (application code) you must include an acknowledgement:
|
|
|
5820f5 |
+ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
|
|
|
5820f5 |
+ *
|
|
|
5820f5 |
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
|
|
|
5820f5 |
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
|
5820f5 |
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
|
5820f5 |
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
|
|
5820f5 |
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
|
5820f5 |
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
|
5820f5 |
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
|
5820f5 |
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
|
5820f5 |
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
|
5820f5 |
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
|
5820f5 |
+ * SUCH DAMAGE.
|
|
|
5820f5 |
+ *
|
|
|
5820f5 |
+ * The licence and distribution terms for any publically available version or
|
|
|
5820f5 |
+ * derivative of this code cannot be changed. i.e. this code cannot simply be
|
|
|
5820f5 |
+ * copied and put under another distribution licence
|
|
|
5820f5 |
+ * [including the GNU Public Licence.]
|
|
|
5820f5 |
+ */
|
|
|
5820f5 |
+/* ====================================================================
|
|
|
5820f5 |
+ * Copyright (c) 1998-2009 The OpenSSL Project. All rights reserved.
|
|
|
5820f5 |
+ *
|
|
|
5820f5 |
+ * Redistribution and use in source and binary forms, with or without
|
|
|
5820f5 |
+ * modification, are permitted provided that the following conditions
|
|
|
5820f5 |
+ * are met:
|
|
|
5820f5 |
+ *
|
|
|
5820f5 |
+ * 1. Redistributions of source code must retain the above copyright
|
|
|
5820f5 |
+ * notice, this list of conditions and the following disclaimer.
|
|
|
5820f5 |
+ *
|
|
|
5820f5 |
+ * 2. Redistributions in binary form must reproduce the above copyright
|
|
|
5820f5 |
+ * notice, this list of conditions and the following disclaimer in
|
|
|
5820f5 |
+ * the documentation and/or other materials provided with the
|
|
|
5820f5 |
+ * distribution.
|
|
|
5820f5 |
+ *
|
|
|
5820f5 |
+ * 3. All advertising materials mentioning features or use of this
|
|
|
5820f5 |
+ * software must display the following acknowledgment:
|
|
|
5820f5 |
+ * "This product includes software developed by the OpenSSL Project
|
|
|
5820f5 |
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
|
|
|
5820f5 |
+ *
|
|
|
5820f5 |
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
|
|
|
5820f5 |
+ * endorse or promote products derived from this software without
|
|
|
5820f5 |
+ * prior written permission. For written permission, please contact
|
|
|
5820f5 |
+ * openssl-core@openssl.org.
|
|
|
5820f5 |
+ *
|
|
|
5820f5 |
+ * 5. Products derived from this software may not be called "OpenSSL"
|
|
|
5820f5 |
+ * nor may "OpenSSL" appear in their names without prior written
|
|
|
5820f5 |
+ * permission of the OpenSSL Project.
|
|
|
5820f5 |
+ *
|
|
|
5820f5 |
+ * 6. Redistributions of any form whatsoever must retain the following
|
|
|
5820f5 |
+ * acknowledgment:
|
|
|
5820f5 |
+ * "This product includes software developed by the OpenSSL Project
|
|
|
5820f5 |
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
|
|
|
5820f5 |
+ *
|
|
|
5820f5 |
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
|
|
|
5820f5 |
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
|
5820f5 |
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
|
|
5820f5 |
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
|
|
|
5820f5 |
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
|
|
5820f5 |
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
|
|
5820f5 |
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
|
|
5820f5 |
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
|
5820f5 |
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
|
|
5820f5 |
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
|
5820f5 |
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
|
|
5820f5 |
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
5820f5 |
+ * ====================================================================
|
|
|
5820f5 |
+ *
|
|
|
5820f5 |
+ * This product includes cryptographic software written by Eric Young
|
|
|
5820f5 |
+ * (eay@cryptsoft.com). This product includes software written by Tim
|
|
|
5820f5 |
+ * Hudson (tjh@cryptsoft.com).
|
|
|
5820f5 |
+ *
|
|
|
5820f5 |
+ */
|
|
|
5820f5 |
+#include <stdio.h>
|
|
|
5820f5 |
+#include <openssl/objects.h>
|
|
|
5820f5 |
+#include "ssl_locl.h"
|
|
|
5820f5 |
+
|
|
|
5820f5 |
+/* Add the client's renegotiation binding */
|
|
|
5820f5 |
+int ssl_add_clienthello_renegotiate_ext(SSL *s, unsigned char *p, int *len,
|
|
|
5820f5 |
+ int maxlen)
|
|
|
5820f5 |
+ {
|
|
|
5820f5 |
+ if(p)
|
|
|
5820f5 |
+ {
|
|
|
5820f5 |
+ if((s->s3->previous_client_finished_len+1) > maxlen)
|
|
|
5820f5 |
+ {
|
|
|
5820f5 |
+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATE_EXT_TOO_LONG);
|
|
|
5820f5 |
+ return 0;
|
|
|
5820f5 |
+ }
|
|
|
5820f5 |
+
|
|
|
5820f5 |
+ /* Length byte */
|
|
|
5820f5 |
+ *p = s->s3->previous_client_finished_len;
|
|
|
5820f5 |
+ p++;
|
|
|
5820f5 |
+
|
|
|
5820f5 |
+ memcpy(p, s->s3->previous_client_finished,
|
|
|
5820f5 |
+ s->s3->previous_client_finished_len);
|
|
|
5820f5 |
+#ifdef OPENSSL_RI_DEBUG
|
|
|
5820f5 |
+ fprintf(stderr, "%s RI extension sent by client\n",
|
|
|
5820f5 |
+ s->s3->previous_client_finished_len ? "Non-empty" : "Empty");
|
|
|
5820f5 |
+#endif
|
|
|
5820f5 |
+ }
|
|
|
5820f5 |
+
|
|
|
5820f5 |
+ *len=s->s3->previous_client_finished_len + 1;
|
|
|
5820f5 |
+
|
|
|
5820f5 |
+
|
|
|
5820f5 |
+ return 1;
|
|
|
5820f5 |
+ }
|
|
|
5820f5 |
+
|
|
|
5820f5 |
+/* Parse the client's renegotiation binding and abort if it's not
|
|
|
5820f5 |
+ right */
|
|
|
5820f5 |
+int ssl_parse_clienthello_renegotiate_ext(SSL *s, unsigned char *d, int len,
|
|
|
5820f5 |
+ int *al)
|
|
|
5820f5 |
+ {
|
|
|
5820f5 |
+ int ilen;
|
|
|
5820f5 |
+
|
|
|
5820f5 |
+ /* Parse the length byte */
|
|
|
5820f5 |
+ if(len < 1)
|
|
|
5820f5 |
+ {
|
|
|
5820f5 |
+ SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_ENCODING_ERR);
|
|
|
5820f5 |
+ *al=SSL_AD_ILLEGAL_PARAMETER;
|
|
|
5820f5 |
+ return 0;
|
|
|
5820f5 |
+ }
|
|
|
5820f5 |
+ ilen = *d;
|
|
|
5820f5 |
+ d++;
|
|
|
5820f5 |
+
|
|
|
5820f5 |
+ /* Consistency check */
|
|
|
5820f5 |
+ if((ilen+1) != len)
|
|
|
5820f5 |
+ {
|
|
|
5820f5 |
+ SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_ENCODING_ERR);
|
|
|
5820f5 |
+ *al=SSL_AD_ILLEGAL_PARAMETER;
|
|
|
5820f5 |
+ return 0;
|
|
|
5820f5 |
+ }
|
|
|
5820f5 |
+
|
|
|
5820f5 |
+ /* Check that the extension matches */
|
|
|
5820f5 |
+ if(ilen != s->s3->previous_client_finished_len)
|
|
|
5820f5 |
+ {
|
|
|
5820f5 |
+ SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_MISMATCH);
|
|
|
5820f5 |
+ *al=SSL_AD_HANDSHAKE_FAILURE;
|
|
|
5820f5 |
+ return 0;
|
|
|
5820f5 |
+ }
|
|
|
5820f5 |
+
|
|
|
5820f5 |
+ if(memcmp(d, s->s3->previous_client_finished,
|
|
|
5820f5 |
+ s->s3->previous_client_finished_len))
|
|
|
5820f5 |
+ {
|
|
|
5820f5 |
+ SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_MISMATCH);
|
|
|
5820f5 |
+ *al=SSL_AD_HANDSHAKE_FAILURE;
|
|
|
5820f5 |
+ return 0;
|
|
|
5820f5 |
+ }
|
|
|
5820f5 |
+#ifdef OPENSSL_RI_DEBUG
|
|
|
5820f5 |
+ fprintf(stderr, "%s RI extension received by server\n",
|
|
|
5820f5 |
+ ilen ? "Non-empty" : "Empty");
|
|
|
5820f5 |
+#endif
|
|
|
5820f5 |
+
|
|
|
5820f5 |
+ s->s3->send_connection_binding=1;
|
|
|
5820f5 |
+
|
|
|
5820f5 |
+ return 1;
|
|
|
5820f5 |
+ }
|
|
|
5820f5 |
+
|
|
|
5820f5 |
+/* Add the server's renegotiation binding */
|
|
|
5820f5 |
+int ssl_add_serverhello_renegotiate_ext(SSL *s, unsigned char *p, int *len,
|
|
|
5820f5 |
+ int maxlen)
|
|
|
5820f5 |
+ {
|
|
|
5820f5 |
+ if(p)
|
|
|
5820f5 |
+ {
|
|
|
5820f5 |
+ if((s->s3->previous_client_finished_len +
|
|
|
5820f5 |
+ s->s3->previous_server_finished_len + 1) > maxlen)
|
|
|
5820f5 |
+ {
|
|
|
5820f5 |
+ SSLerr(SSL_F_SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATE_EXT_TOO_LONG);
|
|
|
5820f5 |
+ return 0;
|
|
|
5820f5 |
+ }
|
|
|
5820f5 |
+
|
|
|
5820f5 |
+ /* Length byte */
|
|
|
5820f5 |
+ *p = s->s3->previous_client_finished_len + s->s3->previous_server_finished_len;
|
|
|
5820f5 |
+ p++;
|
|
|
5820f5 |
+
|
|
|
5820f5 |
+ memcpy(p, s->s3->previous_client_finished,
|
|
|
5820f5 |
+ s->s3->previous_client_finished_len);
|
|
|
5820f5 |
+ p += s->s3->previous_client_finished_len;
|
|
|
5820f5 |
+
|
|
|
5820f5 |
+ memcpy(p, s->s3->previous_server_finished,
|
|
|
5820f5 |
+ s->s3->previous_server_finished_len);
|
|
|
5820f5 |
+#ifdef OPENSSL_RI_DEBUG
|
|
|
5820f5 |
+ fprintf(stderr, "%s RI extension sent by server\n",
|
|
|
5820f5 |
+ s->s3->previous_client_finished_len ? "Non-empty" : "Empty");
|
|
|
5820f5 |
+#endif
|
|
|
5820f5 |
+ }
|
|
|
5820f5 |
+
|
|
|
5820f5 |
+ *len=s->s3->previous_client_finished_len
|
|
|
5820f5 |
+ + s->s3->previous_server_finished_len + 1;
|
|
|
5820f5 |
+
|
|
|
5820f5 |
+ return 1;
|
|
|
5820f5 |
+ }
|
|
|
5820f5 |
+
|
|
|
5820f5 |
+/* Parse the server's renegotiation binding and abort if it's not
|
|
|
5820f5 |
+ right */
|
|
|
5820f5 |
+int ssl_parse_serverhello_renegotiate_ext(SSL *s, unsigned char *d, int len,
|
|
|
5820f5 |
+ int *al)
|
|
|
5820f5 |
+ {
|
|
|
5820f5 |
+ int expected_len=s->s3->previous_client_finished_len
|
|
|
5820f5 |
+ + s->s3->previous_server_finished_len;
|
|
|
5820f5 |
+ int ilen;
|
|
|
5820f5 |
+
|
|
|
5820f5 |
+ /* Check for logic errors */
|
|
|
5820f5 |
+ OPENSSL_assert(!expected_len || s->s3->previous_client_finished_len);
|
|
|
5820f5 |
+ OPENSSL_assert(!expected_len || s->s3->previous_server_finished_len);
|
|
|
5820f5 |
+
|
|
|
5820f5 |
+ /* Parse the length byte */
|
|
|
5820f5 |
+ if(len < 1)
|
|
|
5820f5 |
+ {
|
|
|
5820f5 |
+ SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_ENCODING_ERR);
|
|
|
5820f5 |
+ *al=SSL_AD_ILLEGAL_PARAMETER;
|
|
|
5820f5 |
+ return 0;
|
|
|
5820f5 |
+ }
|
|
|
5820f5 |
+ ilen = *d;
|
|
|
5820f5 |
+ d++;
|
|
|
5820f5 |
+
|
|
|
5820f5 |
+ /* Consistency check */
|
|
|
5820f5 |
+ if(ilen+1 != len)
|
|
|
5820f5 |
+ {
|
|
|
5820f5 |
+ SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_ENCODING_ERR);
|
|
|
5820f5 |
+ *al=SSL_AD_ILLEGAL_PARAMETER;
|
|
|
5820f5 |
+ return 0;
|
|
|
5820f5 |
+ }
|
|
|
5820f5 |
+
|
|
|
5820f5 |
+ /* Check that the extension matches */
|
|
|
5820f5 |
+ if(ilen != expected_len)
|
|
|
5820f5 |
+ {
|
|
|
5820f5 |
+ SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_MISMATCH);
|
|
|
5820f5 |
+ *al=SSL_AD_HANDSHAKE_FAILURE;
|
|
|
5820f5 |
+ return 0;
|
|
|
5820f5 |
+ }
|
|
|
5820f5 |
+
|
|
|
5820f5 |
+ if(memcmp(d, s->s3->previous_client_finished,
|
|
|
5820f5 |
+ s->s3->previous_client_finished_len))
|
|
|
5820f5 |
+ {
|
|
|
5820f5 |
+ SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_MISMATCH);
|
|
|
5820f5 |
+ *al=SSL_AD_HANDSHAKE_FAILURE;
|
|
|
5820f5 |
+ return 0;
|
|
|
5820f5 |
+ }
|
|
|
5820f5 |
+ d += s->s3->previous_client_finished_len;
|
|
|
5820f5 |
+
|
|
|
5820f5 |
+ if(memcmp(d, s->s3->previous_server_finished,
|
|
|
5820f5 |
+ s->s3->previous_server_finished_len))
|
|
|
5820f5 |
+ {
|
|
|
5820f5 |
+ SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_MISMATCH);
|
|
|
5820f5 |
+ *al=SSL_AD_ILLEGAL_PARAMETER;
|
|
|
5820f5 |
+ return 0;
|
|
|
5820f5 |
+ }
|
|
|
5820f5 |
+#ifdef OPENSSL_RI_DEBUG
|
|
|
5820f5 |
+ fprintf(stderr, "%s RI extension received by client\n",
|
|
|
5820f5 |
+ ilen ? "Non-empty" : "Empty");
|
|
|
5820f5 |
+#endif
|
|
|
5820f5 |
+ s->s3->send_connection_binding=1;
|
|
|
5820f5 |
+
|
|
|
5820f5 |
+ return 1;
|
|
|
5820f5 |
+ }
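Review bot: The server-half mismatch in `ssl_parse_serverhello_renegotiate_ext` (the second `memcmp`, just above the debug print) sets `*al=SSL_AD_ILLEGAL_PARAMETER;`, while the client-half mismatch a few lines earlier, the `ilen != expected_len` check, and both mismatch paths in `ssl_parse_clienthello_renegotiate_ext` all report the same `SSL_R_RENEGOTIATION_MISMATCH` reason with `SSL_AD_HANDSHAKE_FAILURE`; unless the different alert is deliberate, `*al=SSL_AD_HANDSHAKE_FAILURE;` keeps the four verify-data failures uniform. The two `OPENSSL_assert` calls at the top of that function abort the whole process rather than failing the handshake; they only inspect locally recorded lengths, so they do not look reachable from the peer, but a comment such as `/* both halves are recorded together; a bare assert here aborts the process, not the handshake */` would make that trade-off explicit for whoever next touches the saved-Finished bookkeeping. The `memcmp` on the verify_data is not constant-time, though since the compared value is per-connection and any mismatch aborts the handshake this does not appear exploitable here; a one-line note saying so would pre-empt the question. The four entry points would also benefit from stating the contract callers rely on: in the two `ssl_add_*` functions `p == NULL` is a length-only query and `*len` includes the leading length byte, and in the two `ssl_parse_*` functions `len` is the extension payload length and `*al` is only meaningful when 0 is returned.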
|