Updates to conform with draft-ietf-tls-renegotiation-03.txt: (76998a71) · Commits · CYBER - Cyber Security / TS 103 523 MSP / ETS / ETS OpenSSL

CHANGES

+1 −1

Original line number	Diff line number	Diff line
		@@ -905,7 +905,7 @@
		the updated NID creation version. This should correctly handle UTF8.
		[Steve Henson]

		*) Implement draft-ietf-tls-renegotiation. Re-enable
		*) Implement draft-ietf-tls-renegotiation-03. Re-enable
		renegotiation but require the extension as needed. Unfortunately,
		SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION turns out to be a
		bad idea. It has been replaced by

+1 −0

Original line number	Diff line number	Diff line
		@@ -2207,6 +2207,7 @@ void ERR_load_SSL_strings(void);
		#define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO 216
		#define SSL_R_REUSE_CERT_TYPE_NOT_ZERO 217
		#define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO 218
		#define SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING 345
		#define SSL_R_SERVERHELLO_TLSEXT 275
		#define SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED 277
		#define SSL_R_SHORT_READ 219

+2 −4

Original line number	Diff line number	Diff line
		@@ -128,10 +128,8 @@
		extern "C" {
		#endif

		/* Magic Cipher Suite Value. NB: bogus value used for testing */
		#ifndef SSL3_CK_SCSV
		#define SSL3_CK_SCSV 0x03000FEC
		#endif
		/* Signalling cipher suite value: from draft-ietf-tls-renegotiation-03.txt */
		#define SSL3_CK_SCSV 0x030000FF

		#define SSL3_CK_RSA_NULL_MD5 0x03000001
		#define SSL3_CK_RSA_NULL_SHA 0x03000002

+1 −0

Original line number	Diff line number	Diff line
		@@ -459,6 +459,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
		{ERR_REASON(SSL_R_REUSE_CERT_LENGTH_NOT_ZERO),"reuse cert length not zero"},
		{ERR_REASON(SSL_R_REUSE_CERT_TYPE_NOT_ZERO),"reuse cert type not zero"},
		{ERR_REASON(SSL_R_REUSE_CIPHER_LIST_NOT_ZERO),"reuse cipher list not zero"},
		{ERR_REASON(SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING),"scsv received when renegotiating"},
		{ERR_REASON(SSL_R_SERVERHELLO_TLSEXT) ,"serverhello tlsext"},
		{ERR_REASON(SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED),"session id context uninitialized"},
		{ERR_REASON(SSL_R_SHORT_READ) ,"short read"},

+11 −3

Original line number	Diff line number	Diff line
		@@ -1369,10 +1369,11 @@ int ssl_cipher_list_to_bytes(SSL s,STACK_OF(SSL_CIPHER) sk,unsigned char *p,
		j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p);
		p+=j;
		}
		/* If p == q, no ciphers and caller indicates an error, otherwise
		* add SCSV if not renegotiating
		/* If p == q, no ciphers and caller indicates an error. Otherwise
		* add SCSV if no extensions (i.e. SSL3 is client_version)
		* since spec RECOMMENDS not sending both RI and SCSV.
		*/
		if (p != q && !s->new_session)
		if (p != q && !s->new_session && s->client_version == SSL3_VERSION)
		{
		static SSL_CIPHER scsv =
		{
		@@ -1418,6 +1419,13 @@ STACK_OF(SSL_CIPHER) ssl_bytes_to_cipher_list(SSL s,unsigned char *p,int num,
		(p[n-2] == ((SSL3_CK_SCSV >> 8) & 0xff)) &&
		(p[n-1] == (SSL3_CK_SCSV & 0xff)))
		{
		/* SCSV fatal if renegotiating */
		if (s->new_session)
		{
		SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
		ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
		goto err;
		}
		s->s3->send_connection_binding = 1;
		p += n;
		#ifdef OPENSSL_RI_DEBUG