diff -up openssl-fips-0.9.8e/apps/s_client.c.reneg openssl-fips-0.9.8e/apps/s_client.c

--- openssl-fips-0.9.8e/apps/s_client.c.reneg	2010-02-18 15:58:31.000000000 +0100

+++ openssl-fips-0.9.8e/apps/s_client.c	2010-02-18 15:58:31.000000000 +0100

@@ -231,7 +231,7 @@ static void sc_usage(void)

 	BIO_printf(bio_err," -engine id    - Initialise and use the specified engine\n");

 #endif

 	BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);

-

+	BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");

 	}

 enum

@@ -247,7 +247,7 @@ int MAIN(int, char **);

 int MAIN(int argc, char **argv)

 	{

-	int off=0;

+	int off=0, clr = 0;

 	SSL *con=NULL,*con2=NULL;

 	X509_STORE *store = NULL;

 	int s,k,width,state=0;

@@ -461,6 +461,12 @@ int MAIN(int argc, char **argv)

 			off|=SSL_OP_NO_SSLv2;

 		else if (strcmp(*argv,"-serverpref") == 0)

 			off|=SSL_OP_CIPHER_SERVER_PREFERENCE;

+		else if (strcmp(*argv,"-legacy_renegotiation") == 0)

+			off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;

+		else if	(strcmp(*argv,"-legacy_server_connect") == 0)

+			{ off|=SSL_OP_LEGACY_SERVER_CONNECT; }

+		else if	(strcmp(*argv,"-no_legacy_server_connect") == 0)

+			{ clr|=SSL_OP_LEGACY_SERVER_CONNECT; }

 		else if	(strcmp(*argv,"-cipher") == 0)

 			{

 			if (--argc < 1) goto bad;

@@ -589,6 +595,9 @@ bad:

 		SSL_CTX_set_options(ctx,SSL_OP_ALL|off);

 	else

 		SSL_CTX_set_options(ctx,off);

+

+	if (clr)

+		SSL_CTX_clear_options(ctx, clr);

 	/* DTLS: partial reads end up discarding unread UDP bytes :-( 

 	 * Setting read ahead solves this problem.

 	 */

@@ -1290,6 +1299,8 @@ static void print_stuff(BIO *bio, SSL *s

 							 EVP_PKEY_bits(pktmp));

 		EVP_PKEY_free(pktmp);

 	}

+	BIO_printf(bio, "Secure Renegotiation IS%s supported\n",

+			SSL_get_secure_renegotiation_support(s) ? "" : " NOT");

 #ifndef OPENSSL_NO_COMP

 	comp=SSL_get_current_compression(s);

 	expansion=SSL_get_current_expansion(s);

diff -up openssl-fips-0.9.8e/apps/s_server.c.reneg openssl-fips-0.9.8e/apps/s_server.c

--- openssl-fips-0.9.8e/apps/s_server.c.reneg	2010-02-18 15:58:31.000000000 +0100

+++ openssl-fips-0.9.8e/apps/s_server.c	2010-02-18 15:58:31.000000000 +0100

@@ -371,6 +371,7 @@ static void sv_usage(void)

 #endif

 	BIO_printf(bio_err," -id_prefix arg - Generate SSL/TLS session IDs prefixed by 'arg'\n");

 	BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);

+	BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");

 	}

 static int local_argc=0;

@@ -700,6 +701,8 @@ int MAIN(int argc, char *argv[])

 			}

 		else if	(strcmp(*argv,"-serverpref") == 0)

 			{ off|=SSL_OP_CIPHER_SERVER_PREFERENCE; }

+		else if (strcmp(*argv,"-legacy_renegotiation") == 0)

+			off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;

 		else if	(strcmp(*argv,"-cipher") == 0)

 			{

 			if (--argc < 1) goto bad;

@@ -1534,6 +1537,8 @@ static int init_ssl_connection(SSL *con)

 			con->kssl_ctx->client_princ);

 		}

 #endif /* OPENSSL_NO_KRB5 */

+	BIO_printf(bio_s_out, "Secure Renegotiation IS%s supported\n",

+		      SSL_get_secure_renegotiation_support(con) ? "" : " NOT");

 	return(1);

 	}

diff -up openssl-fips-0.9.8e/doc/ssl/SSL_CTX_set_options.pod.reneg openssl-fips-0.9.8e/doc/ssl/SSL_CTX_set_options.pod

--- openssl-fips-0.9.8e/doc/ssl/SSL_CTX_set_options.pod.reneg	2005-10-11 12:16:09.000000000 +0200

+++ openssl-fips-0.9.8e/doc/ssl/SSL_CTX_set_options.pod	2010-02-18 16:10:52.000000000 +0100

@@ -2,7 +2,7 @@

 =head1 NAME

-SSL_CTX_set_options, SSL_set_options, SSL_CTX_get_options, SSL_get_options - manipulate SSL engine options

+SSL_CTX_set_options, SSL_set_options, SSL_CTX_clear_options, SSL_clear_options, SSL_CTX_get_options, SSL_get_options, SSL_get_secure_renegotiation_support - manipulate SSL options

 =head1 SYNOPSIS

@@ -11,26 +11,41 @@ SSL_CTX_set_options, SSL_set_options, SS

  long SSL_CTX_set_options(SSL_CTX *ctx, long options);

  long SSL_set_options(SSL *ssl, long options);

+ long SSL_CTX_clear_options(SSL_CTX *ctx, long options);

+ long SSL_clear_options(SSL *ssl, long options);

+

  long SSL_CTX_get_options(SSL_CTX *ctx);

  long SSL_get_options(SSL *ssl);

+ long SSL_get_secure_renegotiation_support(SSL *ssl);

+

 =head1 DESCRIPTION

+Note: all these functions are implemented using macros.

+

 SSL_CTX_set_options() adds the options set via bitmask in B<options> to B<ctx>.

 Options already set before are not cleared!

 SSL_set_options() adds the options set via bitmask in B<options> to B<ssl>.

 Options already set before are not cleared!

+SSL_CTX_clear_options() clears the options set via bitmask in B<options>

+to B<ctx>.

+

+SSL_clear_options() clears the options set via bitmask in B<options> to B<ssl>.

+

 SSL_CTX_get_options() returns the options set for B<ctx>.

 SSL_get_options() returns the options set for B<ssl>.

+SSL_get_secure_renegotiation_support() indicates whether the peer supports

+secure renegotiation.

+

 =head1 NOTES

 The behaviour of the SSL library can be changed by setting several options.

 The options are coded as bitmasks and can be combined by a logical B<or>

-operation (|). Options can only be added but can never be reset.

+operation (|).

 SSL_CTX_set_options() and SSL_set_options() affect the (external)

 protocol behaviour of the SSL library. The (internal) behaviour of

@@ -199,17 +214,109 @@ Do not use the TLSv1 protocol.

 When performing renegotiation as a server, always start a new session

 (i.e., session resumption requests are only accepted in the initial

-handshake).  This option is not needed for clients.

+handshake). This option is not needed for clients.

+

+=item SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION

+

+Allow legacy insecure renegotiation between OpenSSL and unpatched clients or

+servers. See the B<SECURE RENEGOTIATION> section for more details.

+

+=item SSL_OP_LEGACY_SERVER_CONNECT

+

+Allow legacy insecure renegotiation between OpenSSL and unpatched servers

+B<only>: this option is currently set by default. See the

+B<SECURE RENEGOTIATION> section for more details.

 =back

+=head1 SECURE RENEGOTIATION

+

+OpenSSL 0.9.8m and later always attempts to use secure renegotiation as

+described in RFC5746. This counters the prefix attack described in

+CVE-2009-3555 and elsewhere.

+

+The deprecated and highly broken SSLv2 protocol does not support

+renegotiation at all: its use is B<strongly> discouraged.

+

+This attack has far reaching consequences which application writers should be

+aware of. In the description below an implementation supporting secure

+renegotiation is referred to as I<patched>. A server not supporting secure

+renegotiation is referred to as I<unpatched>.

+

+The following sections describe the operations permitted by OpenSSL's secure

+renegotiation implementation.

+

+=head2 Patched client and server

+

+Connections and renegotiation are always permitted by OpenSSL implementations.

+

+=head2 Unpatched client and patched OpenSSL server

+

+The initial connection suceeds but client renegotiation is denied by the

+server with a B<no_renegotiation> warning alert if TLS v1.0 is used or a fatal

+B<handshake_failure> alert in SSL v3.0.

+

+If the patched OpenSSL server attempts to renegotiate a fatal

+B<handshake_failure> alert is sent. This is because the server code may be

+unaware of the unpatched nature of the client.

+

+If the option B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> is set then

+renegotiation B<always> succeeds.

+

+B<NB:> a bug in OpenSSL clients earlier than 0.9.8m (all of which are

+unpatched) will result in the connection hanging if it receives a

+B<no_renegotiation> alert. OpenSSL versions 0.9.8m and later will regard

+a B<no_renegotiation> alert as fatal and respond with a fatal

+B<handshake_failure> alert. This is because the OpenSSL API currently has

+no provision to indicate to an application that a renegotiation attempt

+was refused.

+

+=head2 Patched OpenSSL client and unpatched server.

+

+If the option B<SSL_OP_LEGACY_SERVER_CONNECT> or

+B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> is set then initial connections

+and renegotiation between patched OpenSSL clients and unpatched servers

+succeeds. If neither option is set then initial connections to unpatched

+servers will fail.

+

+The option B<SSL_OP_LEGACY_SERVER_CONNECT> is currently set by default even

+though it has security implications: otherwise it would be impossible to

+connect to unpatched servers (i.e. all of them initially) and this is clearly

+not acceptable. Renegotiation is permitted because this does not add any

+additional security issues: during an attack clients do not see any

+renegotiations anyway.

+

+As more servers become patched the option B<SSL_OP_LEGACY_SERVER_CONNECT> will

+B<not> be set by default in a future version of OpenSSL.

+

+OpenSSL client applications wishing to ensure they can connect to unpatched

+servers should always B<set> B<SSL_OP_LEGACY_SERVER_CONNECT>

+

+OpenSSL client applications that want to ensure they can B<not> connect to

+unpatched servers (and thus avoid any security issues) should always B<clear>

+B<SSL_OP_LEGACY_SERVER_CONNECT> using SSL_CTX_clear_options() or

+SSL_clear_options().

+

+The difference between the B<SSL_OP_LEGACY_SERVER_CONNECT> and

+B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> options is that

+B<SSL_OP_LEGACY_SERVER_CONNECT> enables initial connections and secure

+renegotiation between OpenSSL clients and unpatched servers B<only>, while

+B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> allows initial connections

+and renegotiation between OpenSSL and unpatched clients or servers.

+

 =head1 RETURN VALUES

 SSL_CTX_set_options() and SSL_set_options() return the new options bitmask

 after adding B<options>.

+SSL_CTX_clear_options() and SSL_clear_options() return the new options bitmask

+after clearing B<options>.

+

 SSL_CTX_get_options() and SSL_get_options() return the current bitmask.

+SSL_get_secure_renegotiation_support() returns 1 is the peer supports

+secure renegotiation and 0 if it does not.

+

 =head1 SEE ALSO

 L<ssl(3)|ssl(3)>, L<SSL_new(3)|SSL_new(3)>, L<SSL_clear(3)|SSL_clear(3)>,

@@ -232,4 +339,11 @@ Versions up to OpenSSL 0.9.6c do not inc

 can be disabled with this option (in OpenSSL 0.9.6d, it was always

 enabled).

+SSL_CTX_clear_options() and SSL_clear_options() were first added in OpenSSL

+0.9.8m.

+

+B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION>, B<SSL_OP_LEGACY_SERVER_CONNECT>

+and the function SSL_get_secure_renegotiation_support() were first added in

+OpenSSL 0.9.8m.

+

 =cut

diff -up openssl-fips-0.9.8e/ssl/d1_both.c.reneg openssl-fips-0.9.8e/ssl/d1_both.c

--- openssl-fips-0.9.8e/ssl/d1_both.c.reneg	2010-02-18 15:58:31.000000000 +0100

+++ openssl-fips-0.9.8e/ssl/d1_both.c	2010-02-18 15:58:31.000000000 +0100

@@ -750,6 +750,24 @@ int dtls1_send_finished(SSL *s, int a, i

 		p+=i;

 		l=i;

+	/* Copy the finished so we can use it for

+	 * renegotiation checks

+	 */

+	if(s->type == SSL_ST_CONNECT)

+		{

+		OPENSSL_assert(i <= EVP_MAX_MD_SIZE);

+		memcpy(s->s3->previous_client_finished, 

+		       s->s3->tmp.finish_md, i);

+		s->s3->previous_client_finished_len=i;

+		}

+	else

+		{

+		OPENSSL_assert(i <= EVP_MAX_MD_SIZE);

+		memcpy(s->s3->previous_server_finished, 

+		       s->s3->tmp.finish_md, i);

+		s->s3->previous_server_finished_len=i;

+		}

+

 #ifdef OPENSSL_SYS_WIN16

 		/* MSVC 1.5 does not clear the top bytes of the word unless

 		 * I do this.

diff -up openssl-fips-0.9.8e/ssl/d1_clnt.c.reneg openssl-fips-0.9.8e/ssl/d1_clnt.c

--- openssl-fips-0.9.8e/ssl/d1_clnt.c.reneg	2010-02-18 15:58:31.000000000 +0100

+++ openssl-fips-0.9.8e/ssl/d1_clnt.c	2010-02-18 15:58:31.000000000 +0100

@@ -621,7 +621,13 @@ int dtls1_client_hello(SSL *s)

 			*(p++)=comp->id;

 			}

 		*(p++)=0; /* Add the NULL method */

-		

+

+		if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)

+			{

+			SSLerr(SSL_F_DTLS1_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);

+			goto err;

+			}

+

 		l=(p-d);

 		d=buf;

diff -up openssl-fips-0.9.8e/ssl/d1_srvr.c.reneg openssl-fips-0.9.8e/ssl/d1_srvr.c

--- openssl-fips-0.9.8e/ssl/d1_srvr.c.reneg	2010-02-18 15:58:31.000000000 +0100

+++ openssl-fips-0.9.8e/ssl/d1_srvr.c	2010-02-18 15:58:31.000000000 +0100

@@ -267,7 +267,6 @@ int dtls1_accept(SSL *s)

 			s->shutdown=0;

 			ret=ssl3_get_client_hello(s);

 			if (ret <= 0) goto end;

-			s->new_session = 2;

 			if ( s->d1->send_cookie)

 				s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A;

@@ -293,6 +292,7 @@ int dtls1_accept(SSL *s)

 		case SSL3_ST_SW_SRVR_HELLO_A:

 		case SSL3_ST_SW_SRVR_HELLO_B:

+			s->new_session = 2;

 			ret=dtls1_send_server_hello(s);

 			if (ret <= 0) goto end;

@@ -713,6 +713,8 @@ int dtls1_send_server_hello(SSL *s)

 		p+=sl;

 		/* put the cipher */

+		if (s->s3->tmp.new_cipher == NULL)

+			return -1;

 		i=ssl3_put_cipher_by_char(s->s3->tmp.new_cipher,p);

 		p+=i;

@@ -726,13 +728,21 @@ int dtls1_send_server_hello(SSL *s)

 			*(p++)=s->s3->tmp.new_compression->id;

 #endif

+#ifndef OPENSSL_NO_TLSEXT

+		if ((p = ssl_add_serverhello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)

+			{

+			SSLerr(SSL_F_DTLS1_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR);

+			return -1;

+			}

+#endif

+

 		/* do the header */

 		l=(p-d);

 		d=buf;

 		d = dtls1_set_message_header(s, d, SSL3_MT_SERVER_HELLO, l, 0, l);

-		s->state=SSL3_ST_CW_CLNT_HELLO_B;

+		s->state=SSL3_ST_SW_SRVR_HELLO_B;

 		/* number of bytes to write */

 		s->init_num=p-buf;

 		s->init_off=0;

@@ -741,7 +751,7 @@ int dtls1_send_server_hello(SSL *s)

 		dtls1_buffer_message(s, 0);

 		}

-	/* SSL3_ST_CW_CLNT_HELLO_B */

+	/* SSL3_ST_SW_SRVR_HELLO_B */

 	return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));

 	}

@@ -765,7 +775,7 @@ int dtls1_send_server_done(SSL *s)

 		dtls1_buffer_message(s, 0);

 		}

-	/* SSL3_ST_CW_CLNT_HELLO_B */

+	/* SSL3_ST_SW_SRVR_DONE_B */

 	return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));

 	}

diff -up openssl-fips-0.9.8e/ssl/Makefile.reneg openssl-fips-0.9.8e/ssl/Makefile

--- openssl-fips-0.9.8e/ssl/Makefile.reneg	2007-08-01 13:33:16.000000000 +0200

+++ openssl-fips-0.9.8e/ssl/Makefile	2010-02-18 15:58:31.000000000 +0100

@@ -30,7 +30,7 @@ LIBSRC=	\

 	ssl_lib.c ssl_err2.c ssl_cert.c ssl_sess.c \

 	ssl_ciph.c ssl_stat.c ssl_rsa.c \

 	ssl_asn1.c ssl_txt.c ssl_algs.c \

-	bio_ssl.c ssl_err.c kssl.c

+	bio_ssl.c ssl_err.c kssl.c t1_reneg.c

 LIBOBJ= \

 	s2_meth.o  s2_srvr.o  s2_clnt.o  s2_lib.o  s2_enc.o s2_pkt.o \

 	s3_meth.o  s3_srvr.o  s3_clnt.o  s3_lib.o  s3_enc.o s3_pkt.o s3_both.o \

@@ -41,7 +41,7 @@ LIBOBJ= \

 	ssl_lib.o ssl_err2.o ssl_cert.o ssl_sess.o \

 	ssl_ciph.o ssl_stat.o ssl_rsa.o \

 	ssl_asn1.o ssl_txt.o ssl_algs.o \

-	bio_ssl.o ssl_err.o kssl.o

+	bio_ssl.o ssl_err.o kssl.o t1_reneg.o

 SRC= $(LIBSRC)

diff -up openssl-fips-0.9.8e/ssl/ssl_err.c.reneg openssl-fips-0.9.8e/ssl/ssl_err.c

--- openssl-fips-0.9.8e/ssl/ssl_err.c.reneg	2010-02-18 15:58:31.000000000 +0100

+++ openssl-fips-0.9.8e/ssl/ssl_err.c	2010-02-18 15:58:31.000000000 +0100

@@ -168,8 +168,12 @@ static ERR_STRING_DATA SSL_str_functs[]=

 {ERR_FUNC(SSL_F_SSL3_SETUP_KEY_BLOCK),	"SSL3_SETUP_KEY_BLOCK"},

 {ERR_FUNC(SSL_F_SSL3_WRITE_BYTES),	"SSL3_WRITE_BYTES"},

 {ERR_FUNC(SSL_F_SSL3_WRITE_PENDING),	"SSL3_WRITE_PENDING"},

+{ERR_FUNC(SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT),	"SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT"},

+{ERR_FUNC(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT),	"SSL_ADD_CLIENTHELLO_TLSEXT"},

 {ERR_FUNC(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK),	"SSL_add_dir_cert_subjects_to_stack"},

 {ERR_FUNC(SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK),	"SSL_add_file_cert_subjects_to_stack"},

+{ERR_FUNC(SSL_F_SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT),	"SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT"},

+{ERR_FUNC(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT),	"SSL_ADD_SERVERHELLO_TLSEXT"},

 {ERR_FUNC(SSL_F_SSL_BAD_METHOD),	"SSL_BAD_METHOD"},

 {ERR_FUNC(SSL_F_SSL_BYTES_TO_CIPHER_LIST),	"SSL_BYTES_TO_CIPHER_LIST"},

 {ERR_FUNC(SSL_F_SSL_CERT_DUP),	"SSL_CERT_DUP"},

@@ -208,6 +212,10 @@ static ERR_STRING_DATA SSL_str_functs[]=

 {ERR_FUNC(SSL_F_SSL_INIT_WBIO_BUFFER),	"SSL_INIT_WBIO_BUFFER"},

 {ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE),	"SSL_load_client_CA_file"},

 {ERR_FUNC(SSL_F_SSL_NEW),	"SSL_new"},

+{ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT),	"SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT"},

+{ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT),	"SSL_PARSE_CLIENTHELLO_TLSEXT"},

+{ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT),	"SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT"},

+{ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT),	"SSL_PARSE_SERVERHELLO_TLSEXT"},

 {ERR_FUNC(SSL_F_SSL_PEEK),	"SSL_peek"},

 {ERR_FUNC(SSL_F_SSL_READ),	"SSL_read"},

 {ERR_FUNC(SSL_F_SSL_RSA_PRIVATE_DECRYPT),	"SSL_RSA_PRIVATE_DECRYPT"},

@@ -371,6 +379,7 @@ static ERR_STRING_DATA SSL_str_reasons[]

 {ERR_REASON(SSL_R_NO_PRIVATE_KEY_ASSIGNED),"no private key assigned"},

 {ERR_REASON(SSL_R_NO_PROTOCOLS_AVAILABLE),"no protocols available"},

 {ERR_REASON(SSL_R_NO_PUBLICKEY)          ,"no publickey"},

+{ERR_REASON(SSL_R_NO_RENEGOTIATION)      ,"no renegotiation"},

 {ERR_REASON(SSL_R_NO_SHARED_CIPHER)      ,"no shared cipher"},

 {ERR_REASON(SSL_R_NO_VERIFY_CALLBACK)    ,"no verify callback"},

 {ERR_REASON(SSL_R_NULL_SSL_CTX)          ,"null ssl ctx"},

@@ -378,6 +387,7 @@ static ERR_STRING_DATA SSL_str_reasons[]

 {ERR_REASON(SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED),"old session cipher not returned"},

 {ERR_REASON(SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE),"only tls allowed in fips mode"},

 {ERR_REASON(SSL_R_PACKET_LENGTH_TOO_LONG),"packet length too long"},

+{ERR_REASON(SSL_R_PARSE_TLSEXT)          ,"parse tlsext"},

 {ERR_REASON(SSL_R_PATH_TOO_LONG)         ,"path too long"},

 {ERR_REASON(SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE),"peer did not return a certificate"},

 {ERR_REASON(SSL_R_PEER_ERROR)            ,"peer error"},

@@ -397,10 +407,14 @@ static ERR_STRING_DATA SSL_str_reasons[]

 {ERR_REASON(SSL_R_RECORD_LENGTH_MISMATCH),"record length mismatch"},

 {ERR_REASON(SSL_R_RECORD_TOO_LARGE)      ,"record too large"},

 {ERR_REASON(SSL_R_RECORD_TOO_SMALL)      ,"record too small"},

+{ERR_REASON(SSL_R_RENEGOTIATE_EXT_TOO_LONG),"renegotiate ext too long"},

+{ERR_REASON(SSL_R_RENEGOTIATION_ENCODING_ERR),"renegotiation encoding err"},

+{ERR_REASON(SSL_R_RENEGOTIATION_MISMATCH),"renegotiation mismatch"},

 {ERR_REASON(SSL_R_REQUIRED_CIPHER_MISSING),"required cipher missing"},

 {ERR_REASON(SSL_R_REUSE_CERT_LENGTH_NOT_ZERO),"reuse cert length not zero"},

 {ERR_REASON(SSL_R_REUSE_CERT_TYPE_NOT_ZERO),"reuse cert type not zero"},

 {ERR_REASON(SSL_R_REUSE_CIPHER_LIST_NOT_ZERO),"reuse cipher list not zero"},

+{ERR_REASON(SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING),"scsv received when renegotiating"},

 {ERR_REASON(SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED),"session id context uninitialized"},

 {ERR_REASON(SSL_R_SHORT_READ)            ,"short read"},

 {ERR_REASON(SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE),"signature for non signing certificate"},

@@ -466,6 +480,7 @@ static ERR_STRING_DATA SSL_str_reasons[]

 {ERR_REASON(SSL_R_UNKNOWN_REMOTE_ERROR_TYPE),"unknown remote error type"},

 {ERR_REASON(SSL_R_UNKNOWN_SSL_VERSION)   ,"unknown ssl version"},

 {ERR_REASON(SSL_R_UNKNOWN_STATE)         ,"unknown state"},

+{ERR_REASON(SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED),"unsafe legacy renegotiation disabled"},

 {ERR_REASON(SSL_R_UNSUPPORTED_CIPHER)    ,"unsupported cipher"},

 {ERR_REASON(SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM),"unsupported compression algorithm"},

 {ERR_REASON(SSL_R_UNSUPPORTED_ELLIPTIC_CURVE),"unsupported elliptic curve"},

diff -up openssl-fips-0.9.8e/ssl/ssl.h.reneg openssl-fips-0.9.8e/ssl/ssl.h

--- openssl-fips-0.9.8e/ssl/ssl.h.reneg	2010-02-18 15:58:31.000000000 +0100

+++ openssl-fips-0.9.8e/ssl/ssl.h	2010-02-18 15:58:31.000000000 +0100

@@ -480,6 +480,8 @@ typedef struct ssl_session_st

 #define SSL_OP_MICROSOFT_SESS_ID_BUG			0x00000001L

 #define SSL_OP_NETSCAPE_CHALLENGE_BUG			0x00000002L

+/* Allow initial connection to servers that don't support RI */

+#define SSL_OP_LEGACY_SERVER_CONNECT			0x00000004L

 #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG		0x00000008L /* can break some security expectations */

 #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG		0x00000010L

 #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER		0x00000020L

@@ -506,6 +508,8 @@ typedef struct ssl_session_st

 /* As server, disallow session resumption on renegotiation */

 #define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION	0x00010000L

+/* Permit unsafe legacy renegotiation */

+#define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION	0x00040000L

 /* If set, always create a new key when using tmp_ecdh parameters */

 #define SSL_OP_SINGLE_ECDH_USE				0x00080000L

 /* If set, always create a new key when using tmp_dh parameters */

@@ -554,17 +558,25 @@ typedef struct ssl_session_st

 #define SSL_CTX_set_options(ctx,op) \

 	SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,(op),NULL)

+#define SSL_CTX_clear_options(ctx,op) \

+	SSL_CTX_ctrl((ctx),SSL_CTRL_CLEAR_OPTIONS,(op),NULL)

 #define SSL_CTX_get_options(ctx) \

 	SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,0,NULL)

 #define SSL_set_options(ssl,op) \

 	SSL_ctrl((ssl),SSL_CTRL_OPTIONS,(op),NULL)

+#define SSL_clear_options(ssl,op) \

+	SSL_ctrl((ssl),SSL_CTRL_CLEAR_OPTIONS,(op),NULL)

 #define SSL_get_options(ssl) \

         SSL_ctrl((ssl),SSL_CTRL_OPTIONS,0,NULL)

 #define SSL_CTX_set_mode(ctx,op) \

 	SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,(op),NULL)

+#define SSL_CTX_clear_mode(ctx,op) \

+	SSL_CTX_ctrl((ctx),SSL_CTRL_CLEAR_MODE,(op),NULL)

 #define SSL_CTX_get_mode(ctx) \

 	SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,0,NULL)

+#define SSL_clear_mode(ssl,op) \

+	SSL_ctrl((ssl),SSL_CTRL_CLEAR_MODE,(op),NULL)

 #define SSL_set_mode(ssl,op) \

 	SSL_ctrl((ssl),SSL_CTRL_MODE,(op),NULL)

 #define SSL_get_mode(ssl) \

@@ -572,6 +584,8 @@ typedef struct ssl_session_st

 #define SSL_set_mtu(ssl, mtu) \

         SSL_ctrl((ssl),SSL_CTRL_SET_MTU,(mtu),NULL)

+#define SSL_get_secure_renegotiation_support(ssl) \

+	SSL_ctrl((ssl), SSL_CTRL_GET_RI_SUPPORT, 0, NULL)

 void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));

 void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));

@@ -1189,6 +1203,10 @@ size_t SSL_get_peer_finished(const SSL *

 #define SSL_CTRL_GET_MAX_CERT_LIST		50

 #define SSL_CTRL_SET_MAX_CERT_LIST		51

+#define SSL_CTRL_GET_RI_SUPPORT			76

+#define SSL_CTRL_CLEAR_OPTIONS			77

+#define SSL_CTRL_CLEAR_MODE			78

+

 #define SSL_session_reused(ssl) \

 	SSL_ctrl((ssl),SSL_CTRL_GET_SESSION_REUSED,0,NULL)

 #define SSL_num_renegotiations(ssl) \

@@ -1650,8 +1668,12 @@ void ERR_load_SSL_strings(void);

 #define SSL_F_SSL3_SETUP_KEY_BLOCK			 157

 #define SSL_F_SSL3_WRITE_BYTES				 158

 #define SSL_F_SSL3_WRITE_PENDING			 159

+#define SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT	 285

+#define SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT		 272

 #define SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK	 215

 #define SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK	 216

+#define SSL_F_SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT	 286

+#define SSL_F_SSL_ADD_SERVERHELLO_TLSEXT		 273

 #define SSL_F_SSL_BAD_METHOD				 160

 #define SSL_F_SSL_BYTES_TO_CIPHER_LIST			 161

 #define SSL_F_SSL_CERT_DUP				 221

@@ -1690,6 +1712,10 @@ void ERR_load_SSL_strings(void);

 #define SSL_F_SSL_INIT_WBIO_BUFFER			 184

 #define SSL_F_SSL_LOAD_CLIENT_CA_FILE			 185

 #define SSL_F_SSL_NEW					 186

+#define SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT	 287

+#define SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT		 290

+#define SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT	 289

+#define SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT		 291

 #define SSL_F_SSL_PEEK					 270

 #define SSL_F_SSL_READ					 223

 #define SSL_F_SSL_RSA_PRIVATE_DECRYPT			 187

@@ -1850,6 +1876,7 @@ void ERR_load_SSL_strings(void);

 #define SSL_R_NO_PRIVATE_KEY_ASSIGNED			 190

 #define SSL_R_NO_PROTOCOLS_AVAILABLE			 191

 #define SSL_R_NO_PUBLICKEY				 192

+#define SSL_R_NO_RENEGOTIATION				 319

 #define SSL_R_NO_SHARED_CIPHER				 193

 #define SSL_R_NO_VERIFY_CALLBACK			 194

 #define SSL_R_NULL_SSL_CTX				 195

@@ -1857,6 +1884,7 @@ void ERR_load_SSL_strings(void);

 #define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED		 197

 #define SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE		 297

 #define SSL_R_PACKET_LENGTH_TOO_LONG			 198

+#define SSL_R_PARSE_TLSEXT				 223

 #define SSL_R_PATH_TOO_LONG				 270

 #define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE		 199

 #define SSL_R_PEER_ERROR				 200

@@ -1876,10 +1904,14 @@ void ERR_load_SSL_strings(void);

 #define SSL_R_RECORD_LENGTH_MISMATCH			 213

 #define SSL_R_RECORD_TOO_LARGE				 214

 #define SSL_R_RECORD_TOO_SMALL				 298

+#define SSL_R_RENEGOTIATE_EXT_TOO_LONG			 320

+#define SSL_R_RENEGOTIATION_ENCODING_ERR		 321

+#define SSL_R_RENEGOTIATION_MISMATCH			 322

 #define SSL_R_REQUIRED_CIPHER_MISSING			 215

 #define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO		 216

 #define SSL_R_REUSE_CERT_TYPE_NOT_ZERO			 217

 #define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO		 218

+#define SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING		 324

 #define SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED		 277

 #define SSL_R_SHORT_READ				 219

 #define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE	 220

@@ -1945,6 +1977,7 @@ void ERR_load_SSL_strings(void);

 #define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE			 253

 #define SSL_R_UNKNOWN_SSL_VERSION			 254

 #define SSL_R_UNKNOWN_STATE				 255

+#define SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED	 323

 #define SSL_R_UNSUPPORTED_CIPHER			 256

 #define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM		 257

 #define SSL_R_UNSUPPORTED_ELLIPTIC_CURVE		 315

diff -up openssl-fips-0.9.8e/ssl/ssl_lib.c.reneg openssl-fips-0.9.8e/ssl/ssl_lib.c

--- openssl-fips-0.9.8e/ssl/ssl_lib.c.reneg	2010-02-18 15:58:31.000000000 +0100

+++ openssl-fips-0.9.8e/ssl/ssl_lib.c	2010-02-18 16:10:30.000000000 +0100

@@ -958,8 +958,12 @@ long SSL_ctrl(SSL *s,int cmd,long larg,v

 	case SSL_CTRL_OPTIONS:

 		return(s->options|=larg);

+	case SSL_CTRL_CLEAR_OPTIONS:

+		return(s->options&=~larg);

 	case SSL_CTRL_MODE:

 		return(s->mode|=larg);

+	case SSL_CTRL_CLEAR_MODE:

+		return(s->mode &=~larg);

 	case SSL_CTRL_GET_MAX_CERT_LIST:

 		return(s->max_cert_list);

 	case SSL_CTRL_SET_MAX_CERT_LIST:

@@ -973,6 +977,10 @@ long SSL_ctrl(SSL *s,int cmd,long larg,v

 			return larg;

 			}

 		return 0;

+	case SSL_CTRL_GET_RI_SUPPORT:

+		if (s->s3)

+			return s->s3->send_connection_binding;

+		else return 0;

 	default:

 		return(s->method->ssl_ctrl(s,cmd,larg,parg));

 		}

@@ -1059,8 +1067,12 @@ long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd,l

 		return(ctx->stats.sess_cache_full);

 	case SSL_CTRL_OPTIONS:

 		return(ctx->options|=larg);

+	case SSL_CTRL_CLEAR_OPTIONS:

+		return(ctx->options&=~larg);

 	case SSL_CTRL_MODE:

 		return(ctx->mode|=larg);

+	case SSL_CTRL_CLEAR_MODE:

+		return(ctx->mode&=~larg);

 	default:

 		return(ctx->method->ssl_ctx_ctrl(ctx,cmd,larg,parg));

 		}

@@ -1257,6 +1269,22 @@ int ssl_cipher_list_to_bytes(SSL *s,STAC

 		j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p);

 		p+=j;

 		}

+	/* If p == q, no ciphers and caller indicates an error. Otherwise

+	 * add SCSV if not renegotiating.

+	 */

+	if (p != q && !s->new_session)

+		{

+		static SSL_CIPHER scsv =

+			{

+			0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0,

+			};

+		j = put_cb ? put_cb(&scsv,p) : ssl_put_cipher_by_char(s,&scsv,p);

+		p+=j;

+#ifdef OPENSSL_RI_DEBUG

+		fprintf(stderr, "SCSV sent by client\n");

+#endif

+		}

+

 	return(p-q);

 	}

@@ -1266,6 +1294,8 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_ciphe

 	SSL_CIPHER *c;

 	STACK_OF(SSL_CIPHER) *sk;

 	int i,n;

+	if (s->s3)

+		s->s3->send_connection_binding = 0;

 	n=ssl_put_cipher_by_char(s,NULL,NULL);

 	if ((num%n) != 0)

@@ -1283,6 +1313,26 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_ciphe

 	for (i=0; i

 		{

+		/* Check for SCSV */

+		if (s->s3 && (n != 3 || !p[0]) &&

+			(p[n-2] == ((SSL3_CK_SCSV >> 8) & 0xff)) &&

+			(p[n-1] == (SSL3_CK_SCSV & 0xff)))

+			{

+			/* SCSV fatal if renegotiating */

+			if (s->new_session)

+				{

+				SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);

+				ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 

+				goto err;

+				}

+			s->s3->send_connection_binding = 1;

+			p += n;

+#ifdef OPENSSL_RI_DEBUG

+			fprintf(stderr, "SCSV received by server\n");

+#endif

+			continue;

+			}

+

 		c=ssl_get_cipher_by_char(s,p);

 		p+=n;

 		if (c != NULL)

@@ -1461,6 +1511,11 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *meth)

 	ret->extra_certs=NULL;

 	ret->comp_methods=SSL_COMP_get_compression_methods();

+	/* Default is to connect to non-RI servers. When RI is more widely

+	 * deployed might change this.

+	 */

+	ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;

+

 	return(ret);

 err:

 	SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE);

diff -up openssl-fips-0.9.8e/ssl/ssl_locl.h.reneg openssl-fips-0.9.8e/ssl/ssl_locl.h

--- openssl-fips-0.9.8e/ssl/ssl_locl.h.reneg	2010-02-18 15:58:31.000000000 +0100

+++ openssl-fips-0.9.8e/ssl/ssl_locl.h	2010-02-18 15:58:31.000000000 +0100

@@ -934,5 +934,17 @@ int check_srvr_ecc_cert_and_alg(X509 *x,

 SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n);

+unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit); 

+unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit); 

+int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);

+int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);

+int ssl_add_serverhello_renegotiate_ext(SSL *s, unsigned char *p, int *len,

+					int maxlen);

+int ssl_parse_serverhello_renegotiate_ext(SSL *s, unsigned char *d, int len,

+					  int *al);

+int ssl_add_clienthello_renegotiate_ext(SSL *s, unsigned char *p, int *len,