[src/trunk]: src/crypto/external/bsd/openssl/dist/ssl Disable SSL V3 session ...

[christos <christos%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/c2d21d46e91a
branches:  trunk
changeset: 749603:c2d21d46e91a
user:      christos <christos%NetBSD.org@localhost>
date:      Thu Dec 03 23:44:33 2009 +0000

description:
Disable SSL V3 session renegotiation since the protocol parameters of the
old session are not cryptographically tied to the new session ones.
NB: Applications that require session re-negotiation will fail after this
update.

diffstat:

 crypto/external/bsd/openssl/dist/ssl/s3_lib.c  |  2 ++
 crypto/external/bsd/openssl/dist/ssl/s3_pkt.c  |  8 ++++++++
 crypto/external/bsd/openssl/dist/ssl/s3_srvr.c |  7 +++++++
 3 files changed, 17 insertions(+), 0 deletions(-)

diffs (59 lines):

diff -r b86e7077efe2 -r c2d21d46e91a crypto/external/bsd/openssl/dist/ssl/s3_lib.c
--- a/crypto/external/bsd/openssl/dist/ssl/s3_lib.c     Thu Dec 03 22:18:04 2009 +0000
+++ b/crypto/external/bsd/openssl/dist/ssl/s3_lib.c     Thu Dec 03 23:44:33 2009 +0000
@@ -3297,6 +3297,8 @@
        if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
                return(0);
 
+       if (1)
+               return(0);
        s->s3->renegotiate=1;
        return(1);
        }
diff -r b86e7077efe2 -r c2d21d46e91a crypto/external/bsd/openssl/dist/ssl/s3_pkt.c
--- a/crypto/external/bsd/openssl/dist/ssl/s3_pkt.c     Thu Dec 03 22:18:04 2009 +0000
+++ b/crypto/external/bsd/openssl/dist/ssl/s3_pkt.c     Thu Dec 03 23:44:33 2009 +0000
@@ -1084,9 +1084,13 @@
                if (s->msg_callback)
                        s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->s3->handshake_fragment, 4, s, s->msg_callback_arg);
 
+#if 0
                if (SSL_is_init_finished(s) &&
                        !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
                        !s->s3->renegotiate)
+#else
+               if (0)
+#endif
                        {
                        ssl3_renegotiate(s);
                        if (ssl3_renegotiate_check(s))
@@ -1217,8 +1221,12 @@
        /* Unexpected handshake message (Client Hello, or protocol violation) */
        if ((s->s3->handshake_fragment_len >= 4) &&     !s->in_handshake)
                {
+#if 0
                if (((s->state&SSL_ST_MASK) == SSL_ST_OK) &&
                        !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS))
+#else
+               if (0)
+#endif
                        {
 #if 0 /* worked only because C operator preferences are not as expected (and
        * because this is not really needed for clients except for detecting
diff -r b86e7077efe2 -r c2d21d46e91a crypto/external/bsd/openssl/dist/ssl/s3_srvr.c
--- a/crypto/external/bsd/openssl/dist/ssl/s3_srvr.c    Thu Dec 03 22:18:04 2009 +0000
+++ b/crypto/external/bsd/openssl/dist/ssl/s3_srvr.c    Thu Dec 03 23:44:33 2009 +0000
@@ -776,6 +776,13 @@
 #endif
        STACK_OF(SSL_CIPHER) *ciphers=NULL;
 
+       if (s->new_session)
+               {
+               al=SSL_AD_HANDSHAKE_FAILURE;
+               SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
+               goto f_err;
+               }
+
        /* We do this so that we will respond with our native type.
         * If we are TLSv1 and we get SSLv3, we will respond with TLSv1,
         * This down switching should be handled by a different method.