From: Dr. Stephen Henson
Date: Tue, 8 Dec 2009 13:47:28 +0000 (+0000)
Subject: Add ctrl and macro so we can determine if peer support secure renegotiation.
X-Git-Tag: OpenSSL_0_9_8m-beta1~39
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=59f44e810b696b7a908ab5b1958e16711a9154c2;p=oweals%2Fopenssl.git

Add ctrl and macro so we can determine if peer support secure renegotiation.
Fix SSL_CIPHER initialiser for mcsv
---
diff --git a/CHANGES b/CHANGES
index 0bee0393ea..65992b5735 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,11 @@
 Changes between 0.9.8l (?) and 0.9.8m (?) [xx XXX xxxx]
 
+  *) Add ctrl macro SSL_get_secure_renegotiation_support() which returns 1 if
+     peer supports secure renegotiation and 0 otherwise. Print out peer
+     renegotiation support in s_client/s_server.
+     [Steve Henson]
+
   *) Replace the highly broken and deprecated SPKAC certification method
      with the updated NID creation version. This should correctly handle
      UTF8.
      [Steve Henson]
diff --git a/apps/s_client.c b/apps/s_client.c
index c9c654c3c8..86b5f6e45b 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -1525,6 +1525,8 @@ static void print_stuff(BIO *bio, SSL *s, int full)
 				EVP_PKEY_bits(pktmp));
 		EVP_PKEY_free(pktmp);
 		}
+	BIO_printf(bio, "Secure Renegotiation IS%s supported\n",
+		SSL_get_secure_renegotiation_support(s) ? "" : " NOT");
 #ifndef OPENSSL_NO_COMP
 	comp=SSL_get_current_compression(s);
 	expansion=SSL_get_current_expansion(s);
diff --git a/apps/s_server.c b/apps/s_server.c
index 77bb6e8e91..88b308ca38 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -2030,6 +2030,8 @@ static int init_ssl_connection(SSL *con)
 				con->kssl_ctx->client_princ);
 		}
 #endif /* OPENSSL_NO_KRB5 */
+	BIO_printf(bio_s_out, "Secure Renegotiation IS%s supported\n",
+		SSL_get_secure_renegotiation_support(con) ? "" : " NOT");
 	return(1);
 	}
 
diff --git a/ssl/ssl.h b/ssl/ssl.h
index d7d91c8f91..a9f3d77666 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -582,6 +582,8 @@ typedef struct ssl_session_st
 
 #define SSL_set_mtu(ssl, mtu) \
 	SSL_ctrl((ssl),SSL_CTRL_SET_MTU,(mtu),NULL)
+#define SSL_get_secure_renegotiation_support(ssl) \
+	SSL_ctrl((ssl), SSL_CTRL_GET_RI_SUPPORT, 0, NULL)
 
 void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
 void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
@@ -1249,6 +1251,8 @@ size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count);
 #define SSL_CTRL_GET_MAX_CERT_LIST		50
 #define SSL_CTRL_SET_MAX_CERT_LIST		51
 
+#define SSL_CTRL_GET_RI_SUPPORT			53
+
 /* see tls1.h for macros based on these */
 #ifndef OPENSSL_NO_TLSEXT
 #define SSL_CTRL_SET_TLSEXT_SERVERNAME_CB 53
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index e0a5926192..5399d46b93 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1003,6 +1003,10 @@ long SSL_ctrl(SSL *s,int cmd,long larg,void *parg)
 			return larg;
 			}
 		return 0;
+	case SSL_CTRL_GET_RI_SUPPORT:
+		if (s->s3)
+			return s->s3->send_connection_binding;
+		else return 0;
 	default:
 		return(s->method->ssl_ctrl(s,cmd,larg,parg));
 	}
@@ -1294,7 +1298,7 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
 		{
 		static SSL_CIPHER msvc =
 			{
-			0, NULL, SSL3_CK_MCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
+			0, NULL, SSL3_CK_MCSV, 0, 0, 0, 0, 0, 0, 0,
 			};
 		j = put_cb ? put_cb(&msvc,p) : ssl_put_cipher_by_char(s,&msvc,p);
 		p+=j;
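Review bot: The new SSL_get_secure_renegotiation_support() macro carries no comment, and its 0 result is ambiguous: the SSL_ctrl() case added in the ssl_lib.c hunk returns 0 both when the peer did not signal support and when s->s3 is NULL, so a caller cannot distinguish "no SSLv3/TLS handshake state yet" from "peer lacks support". A short comment above the macro would prevent callers from reading 0 as a definitive answer before the handshake, e.g. `/* 1 if the peer signalled secure-renegotiation support during the handshake; 0 if it did not, or if no SSLv3/TLS state exists yet. */`. The CHANGES entry promises exactly 1 or 0, which only holds if send_connection_binding is kept strictly boolean; that cannot be confirmed from this hunk.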
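Review bot: SSL_CTRL_GET_RI_SUPPORT is assigned the value 53, which this same hunk shows is already used by SSL_CTRL_SET_TLSEXT_SERVERNAME_CB three lines below; since the SSL_ctrl() case added in the ssl_lib.c hunk intercepts cmd 53 before the `default:` dispatch to s->method->ssl_ctrl, any SSL_ctrl() call issued with the servername-callback ctrl would silently return the RI flag instead of reaching the method. This presumably goes unnoticed only because that ctrl is routed through a different ctrl entry point, but a duplicated ctrl number is a latent bug that will bite the next caller or the next ctrl added. Give it an unused number instead, `#define SSL_CTRL_GET_RI_SUPPORT <next unused ctrl number>` (later OpenSSL releases settled on 76 for this ctrl), and leave it outside the OPENSSL_NO_TLSEXT block as the hunk already does, since RI signalling must work without TLS extensions.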
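Review bot: The `else return 0;` on one line after an `if` whose body already returns is a style departure from the surrounding SSL_ctrl() cases, which use plain fall-through returns and bracketed branches; the `else` is redundant once the `if` returns. Suggested form: `if (s->s3)` / `return s->s3->send_connection_binding;` / `return 0;`. Because this case sits above `default:`, it answers for every method, including ones where s->s3 is never allocated, which is what makes the unconditional 0 fallback necessary rather than an error. SSL_ctrl() itself begins and ends outside this hunk.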
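Review bot: The corrected initialiser still depends on counting SSL_CIPHER's members positionally (the old line had two too many, the new one has ten), which will break again the next time the struct gains or loses a field. Since omitted trailing members of a static aggregate are zero-initialised, `0, NULL, SSL3_CK_MCSV` alone expresses the intent, and a comment would make the purpose of the entry explicit, e.g. `/* Signalling cipher-suite value: presumably only the id field matters when it is encoded below. */`. Whether only the id is consumed by put_cb / ssl_put_cipher_by_char cannot be confirmed from this hunk, so the comment is hedged accordingly. ssl_cipher_list_to_bytes() begins before this hunk.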