Module Name: src Committed By: tonnerre Date: Sun Jan 10 16:39:10 UTC 2010
Modified Files: src/crypto/external/bsd/openssl/dist/ssl: s3_lib.c s3_pkt.c s3_srvr.c ssl_locl.h Log Message: Instead of unconditionally disabling SSL3 renegociation, add the flag SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION which can be set by the software which needs unsafe renegociation. Patch from OpenSSL CVS. To generate a diff of this commit: cvs rdiff -u -r1.3 -r1.4 src/crypto/external/bsd/openssl/dist/ssl/s3_lib.c \ src/crypto/external/bsd/openssl/dist/ssl/s3_srvr.c cvs rdiff -u -r1.5 -r1.6 src/crypto/external/bsd/openssl/dist/ssl/s3_pkt.c cvs rdiff -u -r1.1.1.2 -r1.2 \ src/crypto/external/bsd/openssl/dist/ssl/ssl_locl.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/crypto/external/bsd/openssl/dist/ssl/s3_lib.c diff -u src/crypto/external/bsd/openssl/dist/ssl/s3_lib.c:1.3 src/crypto/external/bsd/openssl/dist/ssl/s3_lib.c:1.4 --- src/crypto/external/bsd/openssl/dist/ssl/s3_lib.c:1.3 Sun Dec 27 00:48:56 2009 +++ src/crypto/external/bsd/openssl/dist/ssl/s3_lib.c Sun Jan 10 16:39:10 2010 @@ -3298,6 +3298,9 @@ if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) return(0); + if (!(s->s3->flags & SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) + return(0); + s->s3->renegotiate=1; return(1); } Index: src/crypto/external/bsd/openssl/dist/ssl/s3_srvr.c diff -u src/crypto/external/bsd/openssl/dist/ssl/s3_srvr.c:1.3 src/crypto/external/bsd/openssl/dist/ssl/s3_srvr.c:1.4 --- src/crypto/external/bsd/openssl/dist/ssl/s3_srvr.c:1.3 Sun Dec 27 00:48:56 2009 +++ src/crypto/external/bsd/openssl/dist/ssl/s3_srvr.c Sun Jan 10 16:39:10 2010 @@ -776,6 +776,14 @@ #endif STACK_OF(SSL_CIPHER) *ciphers=NULL; + if (s->new_session + && !(s->s3->flags&SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) + { + al=SSL_AD_HANDSHAKE_FAILURE; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); + goto f_err; + } + /* We do this so that we will respond with our native type. * If we are TLSv1 and we get SSLv3, we will respond with TLSv1, * This down switching should be handled by a different method. Index: src/crypto/external/bsd/openssl/dist/ssl/s3_pkt.c diff -u src/crypto/external/bsd/openssl/dist/ssl/s3_pkt.c:1.5 src/crypto/external/bsd/openssl/dist/ssl/s3_pkt.c:1.6 --- src/crypto/external/bsd/openssl/dist/ssl/s3_pkt.c:1.5 Sun Dec 27 00:48:56 2009 +++ src/crypto/external/bsd/openssl/dist/ssl/s3_pkt.c Sun Jan 10 16:39:10 2010 @@ -1105,6 +1105,7 @@ if (SSL_is_init_finished(s) && !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) && + (s->s3->flags & SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) && !s->s3->renegotiate) { ssl3_renegotiate(s); @@ -1270,7 +1271,8 @@ if ((s->s3->handshake_fragment_len >= 4) && !s->in_handshake) { if (((s->state&SSL_ST_MASK) == SSL_ST_OK) && - !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) + !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) && + (s->s3->flags & SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { #if 0 /* worked only because C operator preferences are not as expected (and * because this is not really needed for clients except for detecting Index: src/crypto/external/bsd/openssl/dist/ssl/ssl_locl.h diff -u src/crypto/external/bsd/openssl/dist/ssl/ssl_locl.h:1.1.1.2 src/crypto/external/bsd/openssl/dist/ssl/ssl_locl.h:1.2 --- src/crypto/external/bsd/openssl/dist/ssl/ssl_locl.h:1.1.1.2 Sat Dec 26 23:34:32 2009 +++ src/crypto/external/bsd/openssl/dist/ssl/ssl_locl.h Sun Jan 10 16:39:10 2010 @@ -453,6 +453,8 @@ #define NAMED_CURVE_TYPE 3 #endif /* OPENSSL_NO_EC */ +#define SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x0010 + typedef struct cert_pkey_st { X509 *x509;