Updates to conform with draft-ietf-tls-renegotiation-03.txt:

1. Add provisional SCSV value. 2. Don't send SCSV and RI at same time. 3. Fatal error is SCSV received when renegotiating.

Updates to conform with draft-ietf-tls-renegotiation-03.txt:
1. Add provisional SCSV value. 2. Don't send SCSV and RI at same time. 3. Fatal error is SCSV received when renegotiating.
76998a71 · Dr. Stephen Henson · dd792d62 · 76998a71 · 76998a71 · 76998a71
隐藏空白更改
内联并排

Showing with 16 addition and 8 deletion

CHANGES CHANGES +1 -1

ssl/ssl.h ssl/ssl.h +1 -0

ssl/ssl3.h ssl/ssl3.h +2 -4

ssl/ssl_err.c ssl/ssl_err.c +1 -0

ssl/ssl_lib.c ssl/ssl_lib.c +11 -3

未找到文件。
--- a/CHANGES
+++ b/CHANGES
@@ -905,7 +905,7 @@
     the updated NID creation version. This should correctly handle UTF8.
     [Steve Henson]

-  *) Implement draft-ietf-tls-renegotiation. Re-enable
+  *) Implement draft-ietf-tls-renegotiation-03. Re-enable
     renegotiation but require the extension as needed. Unfortunately,
     SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION turns out to be a
     bad idea. It has been replaced by

--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -2207,6 +2207,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO		 216
 #define SSL_R_REUSE_CERT_TYPE_NOT_ZERO			 217
 #define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO		 218
+#define SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING		 345
 #define SSL_R_SERVERHELLO_TLSEXT			 275
 #define SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED		 277
 #define SSL_R_SHORT_READ				 219

--- a/ssl/ssl3.h
+++ b/ssl/ssl3.h
@@ -128,10 +128,8 @@
 extern "C" {
 #endif

-/* Magic Cipher Suite Value. NB: bogus value used for testing */
-#ifndef SSL3_CK_SCSV
-#define SSL3_CK_SCSV				0x03000FEC
-#endif
+/* Signalling cipher suite value: from draft-ietf-tls-renegotiation-03.txt */
+#define SSL3_CK_SCSV				0x030000FF

 #define SSL3_CK_RSA_NULL_MD5			0x03000001
 #define SSL3_CK_RSA_NULL_SHA			0x03000002

--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -459,6 +459,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_REUSE_CERT_LENGTH_NOT_ZERO),"reuse cert length not zero"},
 {ERR_REASON(SSL_R_REUSE_CERT_TYPE_NOT_ZERO),"reuse cert type not zero"},
 {ERR_REASON(SSL_R_REUSE_CIPHER_LIST_NOT_ZERO),"reuse cipher list not zero"},
+{ERR_REASON(SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING),"scsv received when renegotiating"},
 {ERR_REASON(SSL_R_SERVERHELLO_TLSEXT)    ,"serverhello tlsext"},
 {ERR_REASON(SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED),"session id context uninitialized"},
 {ERR_REASON(SSL_R_SHORT_READ)            ,"short read"},

--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1369,10 +1369,11 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
 		j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p);
 		p+=j;
 		}
-	/* If p == q, no ciphers and caller indicates an error, otherwise
-	 * add SCSV if not renegotiating
+	/* If p == q, no ciphers and caller indicates an error. Otherwise
+	 * add SCSV if no extensions (i.e. SSL3 is client_version)
+	 * since spec RECOMMENDS not sending both RI and SCSV.
 	 */
-	if (p != q && !s->new_session)
+	if (p != q && !s->new_session && s->client_version == SSL3_VERSION)
 		{
 		static SSL_CIPHER scsv =
 			{
@@ -1418,6 +1419,13 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,
 			(p[n-2] == ((SSL3_CK_SCSV >> 8) & 0xff)) &&
 			(p[n-1] == (SSL3_CK_SCSV & 0xff)))
 			{
+			/* SCSV fatal if renegotiating */
+			if (s->new_session)
+				{
+				SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
+				ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 
+				goto err;
+				}
 			s->s3->send_connection_binding = 1;
 			p += n;
 #ifdef OPENSSL_RI_DEBUG