CVS commit: src/crypto/external/bsd/openssl/dist/ssl

Thu, 03 Dec 2009 15:44:37 -0800 

Module Name:    src
Committed By:   christos
Date:           Thu Dec  3 23:44:33 UTC 2009

Modified Files:
        src/crypto/external/bsd/openssl/dist/ssl: s3_lib.c s3_pkt.c s3_srvr.c

Log Message:
Disable SSL V3 session renegotiation since the protocol parameters of the
old session are not cryptographically tied to the new session ones.
NB: Applications that require session re-negotiation will fail after this
update.


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.1 -r1.2 \
    src/crypto/external/bsd/openssl/dist/ssl/s3_lib.c \
    src/crypto/external/bsd/openssl/dist/ssl/s3_srvr.c
cvs rdiff -u -r1.3 -r1.4 src/crypto/external/bsd/openssl/dist/ssl/s3_pkt.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


Modified files:

Index: src/crypto/external/bsd/openssl/dist/ssl/s3_lib.c
diff -u src/crypto/external/bsd/openssl/dist/ssl/s3_lib.c:1.1.1.1 src/crypto/external/bsd/openssl/dist/ssl/s3_lib.c:1.2
--- src/crypto/external/bsd/openssl/dist/ssl/s3_lib.c:1.1.1.1	Sun Jul 19 19:05:48 2009
+++ src/crypto/external/bsd/openssl/dist/ssl/s3_lib.c	Thu Dec  3 18:44:33 2009
@@ -3297,6 +3297,8 @@
 	if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
 		return(0);
 
+	if (1)
+		return(0);
 	s->s3->renegotiate=1;
 	return(1);
 	}
Index: src/crypto/external/bsd/openssl/dist/ssl/s3_srvr.c
diff -u src/crypto/external/bsd/openssl/dist/ssl/s3_srvr.c:1.1.1.1 src/crypto/external/bsd/openssl/dist/ssl/s3_srvr.c:1.2
--- src/crypto/external/bsd/openssl/dist/ssl/s3_srvr.c:1.1.1.1	Sun Jul 19 19:05:50 2009
+++ src/crypto/external/bsd/openssl/dist/ssl/s3_srvr.c	Thu Dec  3 18:44:33 2009
@@ -776,6 +776,13 @@
 #endif
 	STACK_OF(SSL_CIPHER) *ciphers=NULL;
 
+	if (s->new_session)
+		{
+		al=SSL_AD_HANDSHAKE_FAILURE;
+		SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
+		goto f_err;
+		}
+
 	/* We do this so that we will respond with our native type.
 	 * If we are TLSv1 and we get SSLv3, we will respond with TLSv1,
 	 * This down switching should be handled by a different method.

Index: src/crypto/external/bsd/openssl/dist/ssl/s3_pkt.c
diff -u src/crypto/external/bsd/openssl/dist/ssl/s3_pkt.c:1.3 src/crypto/external/bsd/openssl/dist/ssl/s3_pkt.c:1.4
--- src/crypto/external/bsd/openssl/dist/ssl/s3_pkt.c:1.3	Wed Aug  5 14:38:22 2009
+++ src/crypto/external/bsd/openssl/dist/ssl/s3_pkt.c	Thu Dec  3 18:44:33 2009
@@ -1084,9 +1084,13 @@
 		if (s->msg_callback)
 			s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->s3->handshake_fragment, 4, s, s->msg_callback_arg);
 
+#if 0
 		if (SSL_is_init_finished(s) &&
 			!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
 			!s->s3->renegotiate)
+#else
+		if (0)
+#endif
 			{
 			ssl3_renegotiate(s);
 			if (ssl3_renegotiate_check(s))
@@ -1217,8 +1221,12 @@
 	/* Unexpected handshake message (Client Hello, or protocol violation) */
 	if ((s->s3->handshake_fragment_len >= 4) &&	!s->in_handshake)
 		{
+#if 0
 		if (((s->state&SSL_ST_MASK) == SSL_ST_OK) &&
 			!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS))
+#else
+		if (0)
+#endif
 			{
 #if 0 /* worked only because C operator preferences are not as expected (and
        * because this is not really needed for clients except for detecting

Reply via email to