Updates to conform with draft-ietf-tls-renegotiation-03.txt:

1. Add provisional SCSV value.
2. Don't send SCSV and RI at same time.
3. Fatal error is SCSV received when renegotiating.

diff --git a/CHANGES b/CHANGES
index 2a0c98b1eb6cda40152b1f314292b308c4d7dfbd..80024ce79ae7784195303e9f1b5c90e3101626b3 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -36,7 +36,7 @@
      the updated NID creation version. This should correctly handle UTF8.
      [Steve Henson]
 
-  *) Implement draft-ietf-tls-renegotiation. Re-enable
+  *) Implement draft-ietf-tls-renegotiation-03. Re-enable
      renegotiation but require the extension as needed. Unfortunately,
      SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION turns out to be a
      bad idea. It has been replaced by

diff --git a/ssl/ssl.h b/ssl/ssl.h
index 057083faad441a9b957c8206001dd0ac8fc42463..7d4e46e9163a683b86e483466c8c762209ae6b61 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -2028,6 +2028,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO                216
 #define SSL_R_REUSE_CERT_TYPE_NOT_ZERO                  217
 #define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO                218
+#define SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING          324
 #define SSL_R_SERVERHELLO_TLSEXT                        224
 #define SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED          277
 #define SSL_R_SHORT_READ                                219

diff --git a/ssl/ssl3.h b/ssl/ssl3.h
index b5f61f02170952a9423bddb6aac6537dcf7b3a09..2f579c253bc8a2b18a4f3527ab51121b68ed6028 100644 (file)
--- a/ssl/ssl3.h
+++ b/ssl/ssl3.h
@@ -129,10 +129,8 @@
 extern "C" {
 #endif
 
-/* Magic Cipher Suite Value. NB: bogus value used for testing */
-#ifndef SSL3_CK_SCSV
-#define SSL3_CK_SCSV                           0x03000FEC
-#endif
+/* Signalling cipher suite value: from draft-ietf-tls-renegotiation-03.txt */
+#define SSL3_CK_SCSV                           0x030000FF
 
 #define SSL3_CK_RSA_NULL_MD5                   0x03000001
 #define SSL3_CK_RSA_NULL_SHA                   0x03000002

diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index fdce772fa889c0f409b13607a27bbb28d0b4548e..7eb52026e78a135ee028b90422be226cca767c3e 100644 (file)
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -429,6 +429,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_REUSE_CERT_LENGTH_NOT_ZERO),"reuse cert length not zero"},
 {ERR_REASON(SSL_R_REUSE_CERT_TYPE_NOT_ZERO),"reuse cert type not zero"},
 {ERR_REASON(SSL_R_REUSE_CIPHER_LIST_NOT_ZERO),"reuse cipher list not zero"},
+{ERR_REASON(SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING),"scsv received when renegotiating"},
 {ERR_REASON(SSL_R_SERVERHELLO_TLSEXT)    ,"serverhello tlsext"},
 {ERR_REASON(SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED),"session id context uninitialized"},
 {ERR_REASON(SSL_R_SHORT_READ)            ,"short read"},

diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index f2999ead7f4dfe4d4cb071b67533df0343eb89e2..b0bd720539d2e2e4828a40739c94d94647a3f701 100644 (file)
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1299,8 +1299,9 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
                j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p);
                p+=j;
                }
-       /* If p == q, no ciphers and caller indicates an error, otherwise
-        * add SCSV
+       /* If p == q, no ciphers and caller indicates an error. Otherwise
+        * add SCSV if no extensions (i.e. SSL3 is client_version)
+        * since spec RECOMMENDS not sending both RI and SCSV.
         */
        if (p != q)
                {
@@ -1348,6 +1349,13 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,
                        (p[n-2] == ((SSL3_CK_SCSV >> 8) & 0xff)) &&
                        (p[n-1] == (SSL3_CK_SCSV & 0xff)))
                        {
+                       /* SCSV fatal if renegotiating */
+                       if (s->new_session)
+                               {
+                               SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
+                               ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 
+                               goto err;
+                               }
                        s->s3->send_connection_binding = 1;
                        p += n;
 #ifdef OPENSSL_RI_DEBUG