diff options
| author | beck <> | 2014-04-16 18:05:55 +0000 |
|---|---|---|
| committer | beck <> | 2014-04-16 18:05:55 +0000 |
| commit | cd08fd7b7f7dd206dc05c7e18941b10aef11ab9a (patch) | |
| tree | 516681ebe1121ac72861c67f1ce12851fce7d1ac | |
| parent | 8cf170bf672c7d86b3903a219e445ba6138e7e95 (diff) | |
| download | openbsd-cd08fd7b7f7dd206dc05c7e18941b10aef11ab9a.tar.gz openbsd-cd08fd7b7f7dd206dc05c7e18941b10aef11ab9a.tar.bz2 openbsd-cd08fd7b7f7dd206dc05c7e18941b10aef11ab9a.zip | |
Thanks to the knobs in http://tools.ietf.org/html/rfc5746, we have a knob
to say "allow this connection to negotiate insecurely". de-fang the code
that respects this option to ignore it.
ok miod@
| -rw-r--r-- | src/lib/libssl/s3_srvr.c | 4 | ||||
| -rw-r--r-- | src/lib/libssl/src/ssl/s3_srvr.c | 4 | ||||
| -rw-r--r-- | src/lib/libssl/src/ssl/t1_lib.c | 6 | ||||
| -rw-r--r-- | src/lib/libssl/t1_lib.c | 6 |
4 files changed, 6 insertions, 14 deletions
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c index 93510cb58a..1a924f828e 100644 --- a/src/lib/libssl/s3_srvr.c +++ b/src/lib/libssl/s3_srvr.c | |||
| @@ -269,9 +269,7 @@ ssl3_accept(SSL *s) | |||
| 269 | ssl3_init_finished_mac(s); | 269 | ssl3_init_finished_mac(s); |
| 270 | s->state = SSL3_ST_SR_CLNT_HELLO_A; | 270 | s->state = SSL3_ST_SR_CLNT_HELLO_A; |
| 271 | s->ctx->stats.sess_accept++; | 271 | s->ctx->stats.sess_accept++; |
| 272 | } else if (!s->s3->send_connection_binding && | 272 | } else if (!s->s3->send_connection_binding) { |
| 273 | !(s->options & | ||
| 274 | SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { | ||
| 275 | /* | 273 | /* |
| 276 | * Server attempting to renegotiate with | 274 | * Server attempting to renegotiate with |
| 277 | * client that doesn't support secure | 275 | * client that doesn't support secure |
diff --git a/src/lib/libssl/src/ssl/s3_srvr.c b/src/lib/libssl/src/ssl/s3_srvr.c index 93510cb58a..1a924f828e 100644 --- a/src/lib/libssl/src/ssl/s3_srvr.c +++ b/src/lib/libssl/src/ssl/s3_srvr.c | |||
| @@ -269,9 +269,7 @@ ssl3_accept(SSL *s) | |||
| 269 | ssl3_init_finished_mac(s); | 269 | ssl3_init_finished_mac(s); |
| 270 | s->state = SSL3_ST_SR_CLNT_HELLO_A; | 270 | s->state = SSL3_ST_SR_CLNT_HELLO_A; |
| 271 | s->ctx->stats.sess_accept++; | 271 | s->ctx->stats.sess_accept++; |
| 272 | } else if (!s->s3->send_connection_binding && | 272 | } else if (!s->s3->send_connection_binding) { |
| 273 | !(s->options & | ||
| 274 | SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { | ||
| 275 | /* | 273 | /* |
| 276 | * Server attempting to renegotiate with | 274 | * Server attempting to renegotiate with |
| 277 | * client that doesn't support secure | 275 | * client that doesn't support secure |
diff --git a/src/lib/libssl/src/ssl/t1_lib.c b/src/lib/libssl/src/ssl/t1_lib.c index 417b90381b..c4eeb7a41d 100644 --- a/src/lib/libssl/src/ssl/t1_lib.c +++ b/src/lib/libssl/src/ssl/t1_lib.c | |||
| @@ -1296,8 +1296,7 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, | |||
| 1296 | 1296 | ||
| 1297 | /* Need RI if renegotiating */ | 1297 | /* Need RI if renegotiating */ |
| 1298 | 1298 | ||
| 1299 | if (!renegotiate_seen && s->renegotiate && | 1299 | if (!renegotiate_seen && s->renegotiate) { |
| 1300 | !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { | ||
| 1301 | *al = SSL_AD_HANDSHAKE_FAILURE; | 1300 | *al = SSL_AD_HANDSHAKE_FAILURE; |
| 1302 | SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, | 1301 | SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, |
| 1303 | SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); | 1302 | SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); |
| @@ -1533,8 +1532,7 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, | |||
| 1533 | * absence on initial connect only. | 1532 | * absence on initial connect only. |
| 1534 | */ | 1533 | */ |
| 1535 | if (!renegotiate_seen | 1534 | if (!renegotiate_seen |
| 1536 | && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT) | 1535 | && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)) { |
| 1537 | && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { | ||
| 1538 | *al = SSL_AD_HANDSHAKE_FAILURE; | 1536 | *al = SSL_AD_HANDSHAKE_FAILURE; |
| 1539 | SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, | 1537 | SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, |
| 1540 | SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); | 1538 | SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); |
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c index 417b90381b..c4eeb7a41d 100644 --- a/src/lib/libssl/t1_lib.c +++ b/src/lib/libssl/t1_lib.c | |||
| @@ -1296,8 +1296,7 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, | |||
| 1296 | 1296 | ||
| 1297 | /* Need RI if renegotiating */ | 1297 | /* Need RI if renegotiating */ |
| 1298 | 1298 | ||
| 1299 | if (!renegotiate_seen && s->renegotiate && | 1299 | if (!renegotiate_seen && s->renegotiate) { |
| 1300 | !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { | ||
| 1301 | *al = SSL_AD_HANDSHAKE_FAILURE; | 1300 | *al = SSL_AD_HANDSHAKE_FAILURE; |
| 1302 | SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, | 1301 | SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, |
| 1303 | SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); | 1302 | SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); |
| @@ -1533,8 +1532,7 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, | |||
| 1533 | * absence on initial connect only. | 1532 | * absence on initial connect only. |
| 1534 | */ | 1533 | */ |
| 1535 | if (!renegotiate_seen | 1534 | if (!renegotiate_seen |
| 1536 | && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT) | 1535 | && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)) { |
| 1537 | && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { | ||
| 1538 | *al = SSL_AD_HANDSHAKE_FAILURE; | 1536 | *al = SSL_AD_HANDSHAKE_FAILURE; |
| 1539 | SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, | 1537 | SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, |
| 1540 | SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); | 1538 | SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); |