From: Dr. Stephen Henson Date: Wed, 6 Jan 2010 17:37:09 +0000 (+0000) Subject: Updates to conform with draft-ietf-tls-renegotiation-03.txt: X-Git-Tag: OpenSSL-fips-2_0-rc1~1361 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=76998a71bc3ce86d1af2bddd26c8d7f2040088df;p=oweals%2Fopenssl.git Updates to conform with draft-ietf-tls-renegotiation-03.txt: 1. Add provisional SCSV value. 2. Don't send SCSV and RI at same time. 3. Fatal error is SCSV received when renegotiating. --- diff --git a/CHANGES b/CHANGES index 9f15d3d6a1..5a67bf02c7 100644 --- a/CHANGES +++ b/CHANGES @@ -905,7 +905,7 @@ the updated NID creation version. This should correctly handle UTF8. [Steve Henson] - *) Implement draft-ietf-tls-renegotiation. Re-enable + *) Implement draft-ietf-tls-renegotiation-03. Re-enable renegotiation but require the extension as needed. Unfortunately, SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION turns out to be a bad idea. It has been replaced by diff --git a/ssl/ssl.h b/ssl/ssl.h index 4a468dead0..761c6f3c1f 100644 --- a/ssl/ssl.h +++ b/ssl/ssl.h @@ -2207,6 +2207,7 @@ void ERR_load_SSL_strings(void); #define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO 216 #define SSL_R_REUSE_CERT_TYPE_NOT_ZERO 217 #define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO 218 +#define SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING 345 #define SSL_R_SERVERHELLO_TLSEXT 275 #define SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED 277 #define SSL_R_SHORT_READ 219 diff --git a/ssl/ssl3.h b/ssl/ssl3.h index 342cd44590..baaa89e717 100644 --- a/ssl/ssl3.h +++ b/ssl/ssl3.h @@ -128,10 +128,8 @@ extern "C" { #endif -/* Magic Cipher Suite Value. NB: bogus value used for testing */ -#ifndef SSL3_CK_SCSV -#define SSL3_CK_SCSV 0x03000FEC -#endif +/* Signalling cipher suite value: from draft-ietf-tls-renegotiation-03.txt */ +#define SSL3_CK_SCSV 0x030000FF #define SSL3_CK_RSA_NULL_MD5 0x03000001 #define SSL3_CK_RSA_NULL_SHA 0x03000002 diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c index 2bd86316ca..0eed464749 100644 --- a/ssl/ssl_err.c +++ b/ssl/ssl_err.c @@ -459,6 +459,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= {ERR_REASON(SSL_R_REUSE_CERT_LENGTH_NOT_ZERO),"reuse cert length not zero"}, {ERR_REASON(SSL_R_REUSE_CERT_TYPE_NOT_ZERO),"reuse cert type not zero"}, {ERR_REASON(SSL_R_REUSE_CIPHER_LIST_NOT_ZERO),"reuse cipher list not zero"}, +{ERR_REASON(SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING),"scsv received when renegotiating"}, {ERR_REASON(SSL_R_SERVERHELLO_TLSEXT) ,"serverhello tlsext"}, {ERR_REASON(SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED),"session id context uninitialized"}, {ERR_REASON(SSL_R_SHORT_READ) ,"short read"}, diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 6683272f59..ee01a2c879 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -1369,10 +1369,11 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p, j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p); p+=j; } - /* If p == q, no ciphers and caller indicates an error, otherwise - * add SCSV if not renegotiating + /* If p == q, no ciphers and caller indicates an error. Otherwise + * add SCSV if no extensions (i.e. SSL3 is client_version) + * since spec RECOMMENDS not sending both RI and SCSV. */ - if (p != q && !s->new_session) + if (p != q && !s->new_session && s->client_version == SSL3_VERSION) { static SSL_CIPHER scsv = { @@ -1418,6 +1419,13 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num, (p[n-2] == ((SSL3_CK_SCSV >> 8) & 0xff)) && (p[n-1] == (SSL3_CK_SCSV & 0xff))) { + /* SCSV fatal if renegotiating */ + if (s->new_session) + { + SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING); + ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); + goto err; + } s->s3->send_connection_binding = 1; p += n; #ifdef OPENSSL_RI_DEBUG