Send no_renegotiation alert as required by spec.

diff --git a/CHANGES b/CHANGES
index d3596e6b05d71041fd86cd619c277704a29f2d19..24be6c51bc9a19a60c4634205e00220624eb77f2 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -863,6 +863,17 @@
 
  Changes between 0.9.8l (?) and 0.9.8m (?)  [xx XXX xxxx]
 
+  *) If client attempts to renegotiate and doesn't support RI respond with
+     a no_renegotiation alert as required by draft-ietf-tls-renegotiation.
+     Some renegotiating TLS clients will continue a connection gracefully
+     when they receive the alert. Unfortunately OpenSSL mishandled
+     this alert and would hang waiting for a server hello which it will never
+     receive. Now we treat a received no_renegotiation alert as a fatal 
+     error. This is because applications requesting a renegotiation might well
+     expect it to succeed and would have no code in place to handle the server
+     denying it so the only safe thing to do is to terminate the connection.
+     [Steve Henson]
+
   *) Add ctrl macro SSL_get_secure_renegotiation_support() which returns 1 if
      peer supports secure renegotiation and 0 otherwise. Print out peer
      renegotiation support in s_client/s_server.

diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index d795199ead0c01dda0c487a1d82ba49320dde205..808505771d3a4feffe500acf1bd7cc010566ed9c 100644 (file)
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -1139,7 +1139,25 @@ start:
                 * now try again to obtain the (application) data we were asked for */
                goto start;
                }
-
+       /* If we are a server and get a client hello when renegotiation isn't
+        * allowed send back a no renegotiation alert and carry on.
+        * WARNING: experimental code, needs reviewing (steve)
+        */
+       if (s->server &&
+               SSL_is_init_finished(s) &&
+               !s->s3->send_connection_binding &&
+               (s->version > SSL3_VERSION) &&
+               (s->s3->handshake_fragment_len >= 4) &&
+               (s->s3->handshake_fragment[0] == SSL3_MT_CLIENT_HELLO) &&
+               (s->session != NULL) && (s->session->cipher != NULL) &&
+               !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+               
+               {
+               /*s->s3->handshake_fragment_len = 0;*/
+               rr->length = 0;
+               ssl3_send_alert(s,SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION);
+               goto start;
+               }
        if (s->s3->alert_fragment_len >= 2)
                {
                int alert_level = s->s3->alert_fragment[0];
@@ -1169,6 +1187,21 @@ start:
                                s->shutdown |= SSL_RECEIVED_SHUTDOWN;
                                return(0);
                                }
+                       /* This is a warning but we receive it if we requested
+                        * renegotiation and the peer denied it. Terminate with
+                        * a fatal alert because if application tried to
+                        * renegotiatie it presumably had a good reason and
+                        * expects it to succeed.
+                        *
+                        * In future we might have a renegotiation where we
+                        * don't care if the peer refused it where we carry on.
+                        */
+                       else if (alert_descr == SSL_AD_NO_RENEGOTIATION)
+                               {
+                               al = SSL_AD_HANDSHAKE_FAILURE;
+                               SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_NO_RENEGOTIATION);
+                               goto f_err;
+                               }
                        }
                else if (alert_level == 2) /* fatal */
                        {