diff options
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libssl/d1_pkt.c | 12 | ||||
| -rw-r--r-- | src/lib/libssl/ssl.h | 6 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_lib.c | 12 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_pkt.c | 12 |
4 files changed, 36 insertions, 6 deletions
diff --git a/src/lib/libssl/d1_pkt.c b/src/lib/libssl/d1_pkt.c index cf32ca8cd6..8ba0bb0bcf 100644 --- a/src/lib/libssl/d1_pkt.c +++ b/src/lib/libssl/d1_pkt.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: d1_pkt.c,v 1.129 2024/07/20 04:04:23 jsing Exp $ */ | 1 | /* $OpenBSD: d1_pkt.c,v 1.130 2025/03/12 14:03:55 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * DTLS implementation written by Nagendra Modadugu | 3 | * DTLS implementation written by Nagendra Modadugu |
| 4 | * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. | 4 | * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. |
| @@ -592,6 +592,12 @@ dtls1_read_handshake_unexpected(SSL *s) | |||
| 592 | tls_content_clear(s->s3->rcontent); | 592 | tls_content_clear(s->s3->rcontent); |
| 593 | s->s3->rrec.length = 0; | 593 | s->s3->rrec.length = 0; |
| 594 | 594 | ||
| 595 | if ((s->options & SSL_OP_NO_RENEGOTIATION) != 0) { | ||
| 596 | ssl3_send_alert(s, SSL3_AL_WARNING, | ||
| 597 | SSL_AD_NO_RENEGOTIATION); | ||
| 598 | return 1; | ||
| 599 | } | ||
| 600 | |||
| 595 | /* | 601 | /* |
| 596 | * It should be impossible to hit this, but keep the safety | 602 | * It should be impossible to hit this, but keep the safety |
| 597 | * harness for now... | 603 | * harness for now... |
| @@ -644,7 +650,9 @@ dtls1_read_handshake_unexpected(SSL *s) | |||
| 644 | return -1; | 650 | return -1; |
| 645 | } | 651 | } |
| 646 | 652 | ||
| 647 | if ((s->options & SSL_OP_NO_CLIENT_RENEGOTIATION) != 0) { | 653 | if ((s->options & SSL_OP_NO_CLIENT_RENEGOTIATION) != 0 || |
| 654 | ((s->options & SSL_OP_NO_RENEGOTIATION) != 0 && | ||
| 655 | (s->options & SSL_OP_ALLOW_CLIENT_RENEGOTIATION) == 0)) { | ||
| 648 | ssl3_send_alert(s, SSL3_AL_FATAL, | 656 | ssl3_send_alert(s, SSL3_AL_FATAL, |
| 649 | SSL_AD_NO_RENEGOTIATION); | 657 | SSL_AD_NO_RENEGOTIATION); |
| 650 | return -1; | 658 | return -1; |
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h index 062c6dcbb9..a1ed22b778 100644 --- a/src/lib/libssl/ssl.h +++ b/src/lib/libssl/ssl.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl.h,v 1.246 2025/03/09 15:53:36 tb Exp $ */ | 1 | /* $OpenBSD: ssl.h,v 1.247 2025/03/12 14:03:55 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -389,6 +389,10 @@ typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len, | |||
| 389 | #define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0x00010000L | 389 | #define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0x00010000L |
| 390 | /* Disallow client initiated renegotiation. */ | 390 | /* Disallow client initiated renegotiation. */ |
| 391 | #define SSL_OP_NO_CLIENT_RENEGOTIATION 0x00020000L | 391 | #define SSL_OP_NO_CLIENT_RENEGOTIATION 0x00020000L |
| 392 | /* Disallow client and server initiated renegotiation. */ | ||
| 393 | #define SSL_OP_NO_RENEGOTIATION 0x00040000L | ||
| 394 | /* Allow client initiated renegotiation. */ | ||
| 395 | #define SSL_OP_ALLOW_CLIENT_RENEGOTIATION 0x00080000L | ||
| 392 | /* If set, always create a new key when using tmp_dh parameters */ | 396 | /* If set, always create a new key when using tmp_dh parameters */ |
| 393 | #define SSL_OP_SINGLE_DH_USE 0x00100000L | 397 | #define SSL_OP_SINGLE_DH_USE 0x00100000L |
| 394 | /* Set on servers to choose the cipher according to the server's | 398 | /* Set on servers to choose the cipher according to the server's |
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c index 63d72baf8e..ce68981493 100644 --- a/src/lib/libssl/ssl_lib.c +++ b/src/lib/libssl/ssl_lib.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_lib.c,v 1.330 2024/09/22 14:59:48 tb Exp $ */ | 1 | /* $OpenBSD: ssl_lib.c,v 1.331 2025/03/12 14:03:55 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1308,6 +1308,11 @@ LSSL_ALIAS(SSL_shutdown); | |||
| 1308 | int | 1308 | int |
| 1309 | SSL_renegotiate(SSL *s) | 1309 | SSL_renegotiate(SSL *s) |
| 1310 | { | 1310 | { |
| 1311 | if ((s->options & SSL_OP_NO_RENEGOTIATION) != 0) { | ||
| 1312 | SSLerror(s, SSL_R_NO_RENEGOTIATION); | ||
| 1313 | return 0; | ||
| 1314 | } | ||
| 1315 | |||
| 1311 | if (s->renegotiate == 0) | 1316 | if (s->renegotiate == 0) |
| 1312 | s->renegotiate = 1; | 1317 | s->renegotiate = 1; |
| 1313 | 1318 | ||
| @@ -1320,6 +1325,11 @@ LSSL_ALIAS(SSL_renegotiate); | |||
| 1320 | int | 1325 | int |
| 1321 | SSL_renegotiate_abbreviated(SSL *s) | 1326 | SSL_renegotiate_abbreviated(SSL *s) |
| 1322 | { | 1327 | { |
| 1328 | if ((s->options & SSL_OP_NO_RENEGOTIATION) != 0) { | ||
| 1329 | SSLerror(s, SSL_R_NO_RENEGOTIATION); | ||
| 1330 | return 0; | ||
| 1331 | } | ||
| 1332 | |||
| 1323 | if (s->renegotiate == 0) | 1333 | if (s->renegotiate == 0) |
| 1324 | s->renegotiate = 1; | 1334 | s->renegotiate = 1; |
| 1325 | 1335 | ||
diff --git a/src/lib/libssl/ssl_pkt.c b/src/lib/libssl/ssl_pkt.c index 740fe97192..7032175aac 100644 --- a/src/lib/libssl/ssl_pkt.c +++ b/src/lib/libssl/ssl_pkt.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_pkt.c,v 1.68 2024/07/22 14:47:15 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_pkt.c,v 1.69 2025/03/12 14:03:55 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -900,6 +900,12 @@ ssl3_read_handshake_unexpected(SSL *s) | |||
| 900 | tls_buffer_free(s->s3->handshake_fragment); | 900 | tls_buffer_free(s->s3->handshake_fragment); |
| 901 | s->s3->handshake_fragment = NULL; | 901 | s->s3->handshake_fragment = NULL; |
| 902 | 902 | ||
| 903 | if ((s->options & SSL_OP_NO_RENEGOTIATION) != 0) { | ||
| 904 | ssl3_send_alert(s, SSL3_AL_WARNING, | ||
| 905 | SSL_AD_NO_RENEGOTIATION); | ||
| 906 | return 1; | ||
| 907 | } | ||
| 908 | |||
| 903 | /* | 909 | /* |
| 904 | * It should be impossible to hit this, but keep the safety | 910 | * It should be impossible to hit this, but keep the safety |
| 905 | * harness for now... | 911 | * harness for now... |
| @@ -947,7 +953,9 @@ ssl3_read_handshake_unexpected(SSL *s) | |||
| 947 | return -1; | 953 | return -1; |
| 948 | } | 954 | } |
| 949 | 955 | ||
| 950 | if ((s->options & SSL_OP_NO_CLIENT_RENEGOTIATION) != 0) { | 956 | if ((s->options & SSL_OP_NO_CLIENT_RENEGOTIATION) != 0 || |
| 957 | ((s->options & SSL_OP_NO_RENEGOTIATION) != 0 && | ||
| 958 | (s->options & SSL_OP_ALLOW_CLIENT_RENEGOTIATION) == 0)) { | ||
| 951 | ssl3_send_alert(s, SSL3_AL_FATAL, | 959 | ssl3_send_alert(s, SSL3_AL_FATAL, |
| 952 | SSL_AD_NO_RENEGOTIATION); | 960 | SSL_AD_NO_RENEGOTIATION); |
| 953 | return -1; | 961 | return -1; |