Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/crypto/external/bsd/openssl/dist/ssl Instead of unconditiona...
details: https://anonhg.NetBSD.org/src/rev/d845225fa3b1
branches: trunk
changeset: 750681:d845225fa3b1
user: tonnerre <tonnerre%NetBSD.org@localhost>
date: Sun Jan 10 16:39:10 2010 +0000
description:
Instead of unconditionally disabling SSL3 renegociation, add the flag
SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION which can be set by the
software which needs unsafe renegociation. Patch from OpenSSL CVS.
diffstat:
crypto/external/bsd/openssl/dist/ssl/s3_lib.c | 3 +++
crypto/external/bsd/openssl/dist/ssl/s3_pkt.c | 4 +++-
crypto/external/bsd/openssl/dist/ssl/s3_srvr.c | 8 ++++++++
crypto/external/bsd/openssl/dist/ssl/ssl_locl.h | 2 ++
4 files changed, 16 insertions(+), 1 deletions(-)
diffs (64 lines):
diff -r df86e412ee49 -r d845225fa3b1 crypto/external/bsd/openssl/dist/ssl/s3_lib.c
--- a/crypto/external/bsd/openssl/dist/ssl/s3_lib.c Sun Jan 10 16:20:45 2010 +0000
+++ b/crypto/external/bsd/openssl/dist/ssl/s3_lib.c Sun Jan 10 16:39:10 2010 +0000
@@ -3298,6 +3298,9 @@
if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
return(0);
+ if (!(s->s3->flags & SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+ return(0);
+
s->s3->renegotiate=1;
return(1);
}
diff -r df86e412ee49 -r d845225fa3b1 crypto/external/bsd/openssl/dist/ssl/s3_pkt.c
--- a/crypto/external/bsd/openssl/dist/ssl/s3_pkt.c Sun Jan 10 16:20:45 2010 +0000
+++ b/crypto/external/bsd/openssl/dist/ssl/s3_pkt.c Sun Jan 10 16:39:10 2010 +0000
@@ -1105,6 +1105,7 @@
if (SSL_is_init_finished(s) &&
!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
+ (s->s3->flags & SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) &&
!s->s3->renegotiate)
{
ssl3_renegotiate(s);
@@ -1270,7 +1271,8 @@
if ((s->s3->handshake_fragment_len >= 4) && !s->in_handshake)
{
if (((s->state&SSL_ST_MASK) == SSL_ST_OK) &&
- !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS))
+ !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
+ (s->s3->flags & SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
{
#if 0 /* worked only because C operator preferences are not as expected (and
* because this is not really needed for clients except for detecting
diff -r df86e412ee49 -r d845225fa3b1 crypto/external/bsd/openssl/dist/ssl/s3_srvr.c
--- a/crypto/external/bsd/openssl/dist/ssl/s3_srvr.c Sun Jan 10 16:20:45 2010 +0000
+++ b/crypto/external/bsd/openssl/dist/ssl/s3_srvr.c Sun Jan 10 16:39:10 2010 +0000
@@ -776,6 +776,14 @@
#endif
STACK_OF(SSL_CIPHER) *ciphers=NULL;
+ if (s->new_session
+ && !(s->s3->flags&SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+ {
+ al=SSL_AD_HANDSHAKE_FAILURE;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
+ goto f_err;
+ }
+
/* We do this so that we will respond with our native type.
* If we are TLSv1 and we get SSLv3, we will respond with TLSv1,
* This down switching should be handled by a different method.
diff -r df86e412ee49 -r d845225fa3b1 crypto/external/bsd/openssl/dist/ssl/ssl_locl.h
--- a/crypto/external/bsd/openssl/dist/ssl/ssl_locl.h Sun Jan 10 16:20:45 2010 +0000
+++ b/crypto/external/bsd/openssl/dist/ssl/ssl_locl.h Sun Jan 10 16:39:10 2010 +0000
@@ -453,6 +453,8 @@
#define NAMED_CURVE_TYPE 3
#endif /* OPENSSL_NO_EC */
+#define SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x0010
+
typedef struct cert_pkey_st
{
X509 *x509;
Home |
Main Index |
Thread Index |
Old Index