CHANGES +3 −0 @@ -4,6 +4,9 @@ Changes between 0.9.8r and 0.9.8s [xx XXX xxxx] *) Only allow one SGC handshake restart for SSL/TLS. (CVE-2011-4619) [Adam Langley (Google)] *) Prevent malformed RFC3779 data triggering an assertion failure. Thanks to Andrew Chi, BBN Technologies, for discovering the flaw and Rob Austein <sra@hactrn.net> for fixing it. (CVE-2011-4577) ssl/s3_srvr.c +10 −0 @@ -235,6 +235,7 @@ int ssl3_accept(SSL *s) } s->init_num=0; s->s3->flags &= ~SSL3_FLAGS_SGC_RESTART_DONE; if (s->state != SSL_ST_RENEGOTIATE) { @@ -697,6 +698,14 @@ int ssl3_check_client_hello(SSL *s) int ok; long n; /* We only allow the client to restart the handshake once per * negotiation. */ if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE) { SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, SSL_R_MULTIPLE_SGC_RESTARTS); return -1; } /* this function is called when we really expect a Certificate message, * so permit appropriate message length */ n=s->method->ssl_get_message(s, @@ -725,6 +734,7 @@ int ssl3_check_client_hello(SSL *s) s->s3->tmp.ecdh = NULL; } #endif s->s3->flags |= SSL3_FLAGS_SGC_RESTART_DONE; return 2; } return 1; ssl/ssl.h +2 −0 @@ -1739,6 +1739,7 @@ void ERR_load_SSL_strings(void); #define SSL_F_SSL3_CALLBACK_CTRL 233 #define SSL_F_SSL3_CHANGE_CIPHER_STATE 129 #define SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM 130 #define SSL_F_SSL3_CHECK_CLIENT_HELLO 292 #define SSL_F_SSL3_CLIENT_HELLO 131 #define SSL_F_SSL3_CONNECT 132 #define SSL_F_SSL3_CTRL 213
@@ -1974,6 +1975,7 @@ void ERR_load_SSL_strings(void); #define SSL_R_MISSING_TMP_RSA_KEY 172 #define SSL_R_MISSING_TMP_RSA_PKEY 173 #define SSL_R_MISSING_VERIFY_MESSAGE 174 #define SSL_R_MULTIPLE_SGC_RESTARTS 325 #define SSL_R_NON_SSLV2_INITIAL_PACKET 175 #define SSL_R_NO_CERTIFICATES_RETURNED 176 #define SSL_R_NO_CERTIFICATE_ASSIGNED 177 ssl/ssl3.h +11 −0 @@ -334,6 +334,17 @@ typedef struct ssl3_buffer_st #define SSL3_FLAGS_POP_BUFFER 0x0004 #define TLS1_FLAGS_TLS_PADDING_BUG 0x0008 /* SSL3_FLAGS_SGC_RESTART_DONE is set when we * restart a handshake because of MS SGC and so prevents us * from restarting the handshake in a loop. It's reset on a * renegotiation, so effectively limits the client to one restart * per negotiation. This limits the possibility of a DDoS * attack where the client handshakes in a loop using SGC to * restart. Servers which permit renegotiation can still be * effected, but we can't prevent that. */ #define SSL3_FLAGS_SGC_RESTART_DONE 0x0040 typedef struct ssl3_state_st { long flags; ssl/ssl_err.c +3 −1 /* ssl/ssl_err.c */ /* ==================================================================== * Copyright (c) 1999-2008 The OpenSSL Project. All rights reserved. * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions
@@ -137,6 +137,7 @@ static ERR_STRING_DATA SSL_str_functs[]= {ERR_FUNC(SSL_F_SSL3_CALLBACK_CTRL), "SSL3_CALLBACK_CTRL"}, {ERR_FUNC(SSL_F_SSL3_CHANGE_CIPHER_STATE), "SSL3_CHANGE_CIPHER_STATE"}, {ERR_FUNC(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM), "SSL3_CHECK_CERT_AND_ALGORITHM"}, {ERR_FUNC(SSL_F_SSL3_CHECK_CLIENT_HELLO), "SSL3_CHECK_CLIENT_HELLO"}, {ERR_FUNC(SSL_F_SSL3_CLIENT_HELLO), "SSL3_CLIENT_HELLO"}, {ERR_FUNC(SSL_F_SSL3_CONNECT), "SSL3_CONNECT"}, {ERR_FUNC(SSL_F_SSL3_CTRL), "SSL3_CTRL"}, @@ -375,6 +376,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= {ERR_REASON(SSL_R_MISSING_TMP_RSA_KEY) ,"missing tmp rsa key"}, {ERR_REASON(SSL_R_MISSING_TMP_RSA_PKEY) ,"missing tmp rsa pkey"}, {ERR_REASON(SSL_R_MISSING_VERIFY_MESSAGE),"missing verify message"}, {ERR_REASON(SSL_R_MULTIPLE_SGC_RESTARTS) ,"multiple sgc restarts"}, {ERR_REASON(SSL_R_NON_SSLV2_INITIAL_PACKET),"non sslv2 initial packet"}, {ERR_REASON(SSL_R_NO_CERTIFICATES_RETURNED),"no certificates returned"}, {ERR_REASON(SSL_R_NO_CERTIFICATE_ASSIGNED),"no certificate assigned"},
CHANGES +3 −0 @@ -4,6 +4,9 @@ Changes between 0.9.8r and 0.9.8s [xx XXX xxxx] *) Only allow one SGC handshake restart for SSL/TLS. (CVE-2011-4619) [Adam Langley (Google)] *) Prevent malformed RFC3779 data triggering an assertion failure. Thanks to Andrew Chi, BBN Technologies, for discovering the flaw and Rob Austein <sra@hactrn.net> for fixing it. (CVE-2011-4577)
ssl/s3_srvr.c +10 −0 @@ -235,6 +235,7 @@ int ssl3_accept(SSL *s) } s->init_num=0; s->s3->flags &= ~SSL3_FLAGS_SGC_RESTART_DONE; if (s->state != SSL_ST_RENEGOTIATE) { @@ -697,6 +698,14 @@ int ssl3_check_client_hello(SSL *s) int ok; long n; /* We only allow the client to restart the handshake once per * negotiation. */ if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE) { SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, SSL_R_MULTIPLE_SGC_RESTARTS); return -1; } /* this function is called when we really expect a Certificate message, * so permit appropriate message length */ n=s->method->ssl_get_message(s, @@ -725,6 +734,7 @@ int ssl3_check_client_hello(SSL *s) s->s3->tmp.ecdh = NULL; } #endif s->s3->flags |= SSL3_FLAGS_SGC_RESTART_DONE; return 2; } return 1;
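Review bot: The new `SSL3_FLAGS_SGC_RESTART_DONE` test at the top of `ssl3_check_client_hello` runs before `ssl_get_message` has read anything, so it rejects on re-entry to the function rather than on a second ClientHello. The function's own comment says it is called when a Certificate message is expected, and the flag is set just before `return 2`; if the restarted handshake reaches this function again (the caller is outside the hunk), a client that restarted once and then sends an ordinary message would get `SSL_R_MULTIPLE_SGC_RESTARTS` and `-1`. The `if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE)` block should move below the read, into the branch that has identified the message as a ClientHello and ends in `return 2`. That branch's opening lines are not visible here.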
ssl/ssl.h +2 −0 @@ -1739,6 +1739,7 @@ void ERR_load_SSL_strings(void); #define SSL_F_SSL3_CALLBACK_CTRL 233 #define SSL_F_SSL3_CHANGE_CIPHER_STATE 129 #define SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM 130 #define SSL_F_SSL3_CHECK_CLIENT_HELLO 292 #define SSL_F_SSL3_CLIENT_HELLO 131 #define SSL_F_SSL3_CONNECT 132 #define SSL_F_SSL3_CTRL 213 @@ -1974,6 +1975,7 @@ void ERR_load_SSL_strings(void); #define SSL_R_MISSING_TMP_RSA_KEY 172 #define SSL_R_MISSING_TMP_RSA_PKEY 173 #define SSL_R_MISSING_VERIFY_MESSAGE 174 #define SSL_R_MULTIPLE_SGC_RESTARTS 325 #define SSL_R_NON_SSLV2_INITIAL_PACKET 175 #define SSL_R_NO_CERTIFICATES_RETURNED 176 #define SSL_R_NO_CERTIFICATE_ASSIGNED 177
ssl/ssl3.h +11 −0 @@ -334,6 +334,17 @@ typedef struct ssl3_buffer_st #define SSL3_FLAGS_POP_BUFFER 0x0004 #define TLS1_FLAGS_TLS_PADDING_BUG 0x0008 /* SSL3_FLAGS_SGC_RESTART_DONE is set when we * restart a handshake because of MS SGC and so prevents us * from restarting the handshake in a loop. It's reset on a * renegotiation, so effectively limits the client to one restart * per negotiation. This limits the possibility of a DDoS * attack where the client handshakes in a loop using SGC to * restart. Servers which permit renegotiation can still be * effected, but we can't prevent that. */ #define SSL3_FLAGS_SGC_RESTART_DONE 0x0040 typedef struct ssl3_state_st { long flags;
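Review bot: The comment on `SSL3_FLAGS_SGC_RESTART_DONE` says the flag is "reset on a renegotiation", but the `ssl3_accept` hunk in this commit clears it right after `s->init_num=0;` and before the `SSL_ST_RENEGOTIATE` test, which suggests it is cleared at the start of every negotiation. I would reword that sentence to `It is cleared whenever a negotiation starts, including a renegotiation, so a client gets one restart per negotiation.` and fix "effected" to "affected". A single client looping on restarts is a DoS rather than a DDoS. The value `0x0040` skips `0x0010` and `0x0020`, which are not defined in the visible lines; if those bits are reserved for flags defined elsewhere, a short comment saying so would stop a later change from reusing them.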
ssl/ssl_err.c +3 −1 /* ssl/ssl_err.c */ /* ==================================================================== * Copyright (c) 1999-2008 The OpenSSL Project. All rights reserved. * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -137,6 +137,7 @@ static ERR_STRING_DATA SSL_str_functs[]= {ERR_FUNC(SSL_F_SSL3_CALLBACK_CTRL), "SSL3_CALLBACK_CTRL"}, {ERR_FUNC(SSL_F_SSL3_CHANGE_CIPHER_STATE), "SSL3_CHANGE_CIPHER_STATE"}, {ERR_FUNC(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM), "SSL3_CHECK_CERT_AND_ALGORITHM"}, {ERR_FUNC(SSL_F_SSL3_CHECK_CLIENT_HELLO), "SSL3_CHECK_CLIENT_HELLO"}, {ERR_FUNC(SSL_F_SSL3_CLIENT_HELLO), "SSL3_CLIENT_HELLO"}, {ERR_FUNC(SSL_F_SSL3_CONNECT), "SSL3_CONNECT"}, {ERR_FUNC(SSL_F_SSL3_CTRL), "SSL3_CTRL"}, @@ -375,6 +376,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= {ERR_REASON(SSL_R_MISSING_TMP_RSA_KEY) ,"missing tmp rsa key"}, {ERR_REASON(SSL_R_MISSING_TMP_RSA_PKEY) ,"missing tmp rsa pkey"}, {ERR_REASON(SSL_R_MISSING_VERIFY_MESSAGE),"missing verify message"}, {ERR_REASON(SSL_R_MULTIPLE_SGC_RESTARTS) ,"multiple sgc restarts"}, {ERR_REASON(SSL_R_NON_SSLV2_INITIAL_PACKET),"non sslv2 initial packet"}, {ERR_REASON(SSL_R_NO_CERTIFICATES_RETURNED),"no certificates returned"}, {ERR_REASON(SSL_R_NO_CERTIFICATE_ASSIGNED),"no certificate assigned"},