New function SSL_renegotiate_pending().

New option SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION.

diff --git a/CHANGES b/CHANGES
index ad5f9464e831241c758e1e167628baccedea0628..1d2c6cf98a308c52b027b72e91066dfa180b6bed 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -12,6 +12,22 @@
          *) applies to 0.9.6a/0.9.6b/0.9.6c and 0.9.7
          +) applies to 0.9.7 only
 
          *) applies to 0.9.6a/0.9.6b/0.9.6c and 0.9.7
          +) applies to 0.9.7 only
 

+  +) New function SSL_renegotiate_pending().  This returns true once
+     renegotiation has been requested (either SSL_renegotiate() call
+     or HelloRequest/ClientHello receveived from the peer) and becomes
+     false once a handshake has been completed.
+     (For servers, SSL_renegotiate() followed by SSL_do_handshake()
+     sends a HelloRequest, but does not ensure that a handshake takes
+     place.  SSL_renegotiate_pending() is useful for checking if the
+     client has followed the request.)
+     [Bodo Moeller]
+
+  +) New SSL option SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION.
+     By default, clients may request session resumption even during
+     renegotiation (if session ID contexts permit); with this option,
+     session resumption is possible only in the first handshake.
+     [Bodo Moeller]
+

   *) Fix ssl3_accept (ssl/s3_srvr.c): Do not call ssl_init_wbio_buffer()
      when just sending a HelloRequest as this could interfere with
      application data writes (and is totally unnecessary).
   *) Fix ssl3_accept (ssl/s3_srvr.c): Do not call ssl_init_wbio_buffer()
      when just sending a HelloRequest as this could interfere with
      application data writes (and is totally unnecessary).

diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index dcc1b72c9b90cf023147b71812cde71b87d97a9d..94da180d08be65b0798f6f6efc3cb358001302b2 100644 (file)
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -524,7 +524,9 @@ int ssl3_accept(SSL *s)
                        /* remove buffering on output */
                        ssl_free_wbio_buffer(s);
 
                        /* remove buffering on output */
                        ssl_free_wbio_buffer(s);
 

-                       s->new_session=0;
+                       if (s->new_session == 2)
+                               s->new_session=0;
+                       /* if s->new_session is still 1, we have only sent a HelloRequest */

                        s->init_num=0;
 
                        ssl_update_cache(s,SSL_SESS_CACHE_SERVER);
                        s->init_num=0;
 
                        ssl_update_cache(s,SSL_SESS_CACHE_SERVER);


@@ -673,7 +675,15 @@ static int ssl3_get_client_hello(SSL *s)
        j= *(p++);
 
        s->hit=0;
        j= *(p++);
 
        s->hit=0;

-       if (j == 0)
+       /* Versions before 0.9.7 always allow session reuse during renegotiation
+        * (i.e. when s->new_session is true), option
+        * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is new with 0.9.7.
+        * Maybe this optional behaviour should always have been the default,
+        * but we cannot safely change the default behaviour (or new applications
+        * might be written that become totally unsecure when compiled with
+        * an earlier library version)
+        */
+       if (j == 0 || (s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION)))

                {
                if (!ssl_get_new_session(s,1))
                        goto err;
                {
                if (!ssl_get_new_session(s,1))
                        goto err;


@@ -694,6 +704,11 @@ static int ssl3_get_client_hello(SSL *s)
                        }
                }
 
                        }
                }
 

+       if (s->new_session)
+               /* actually not necessarily a 'new' section unless
+                * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */
+               s->new_session = 2;
+

        p+=j;
        n2s(p,i);
        if ((i == 0) && (j != 0))
        p+=j;
        n2s(p,i);
        if ((i == 0) && (j != 0))

diff --git a/ssl/ssl.h b/ssl/ssl.h
index 88060ad6d8102cbe173512c2be7e1dff3c87ca7b..8a8013463ba3024849dc202ccbed25a931de44d0 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -335,7 +335,8 @@ typedef struct ssl_session_st
 
 /* If set, always create a new key when using tmp_dh parameters */
 #define SSL_OP_SINGLE_DH_USE                           0x00100000L
 
 /* If set, always create a new key when using tmp_dh parameters */
 #define SSL_OP_SINGLE_DH_USE                           0x00100000L

-/* Set to also use the tmp_rsa key when doing RSA operations. */
+/* Set to always use the tmp_rsa key when doing RSA operations,
+ * even when this violates protocol specs */

 #define SSL_OP_EPHEMERAL_RSA                           0x00200000L
 /* Set on servers to choose the cipher according to the server's
  * preferences */
 #define SSL_OP_EPHEMERAL_RSA                           0x00200000L
 /* Set on servers to choose the cipher according to the server's
  * preferences */


@@ -345,6 +346,8 @@ typedef struct ssl_session_st
  * (version 3.1) was announced in the client hello. Normally this is
  * forbidden to prevent version rollback attacks. */
 #define SSL_OP_TLS_ROLLBACK_BUG                                0x00800000L
  * (version 3.1) was announced in the client hello. Normally this is
  * forbidden to prevent version rollback attacks. */
 #define SSL_OP_TLS_ROLLBACK_BUG                                0x00800000L

+/* As server, disallow session resumption on renegotiation */
+#define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION  0x01000000L

 
 /* The next flag deliberately changes the ciphertest, this is a check
  * for the PKCS#1 attack */
 
 /* The next flag deliberately changes the ciphertest, this is a check
  * for the PKCS#1 attack */


@@ -640,7 +643,11 @@ struct ssl_st
 
        int server;     /* are we the server side? - mostly used by SSL_clear*/
 
 
        int server;     /* are we the server side? - mostly used by SSL_clear*/
 

-       int new_session;/* 1 if we are to use a new session */
+       int new_session;/* 1 if we are to use a new session,
+                        * (sometimes 2 after a new session has in fact been assigned).
+                        * NB: For servers, the 'new' session may actually be a previously
+                        * cached session or even the previous session unless
+                        * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */

        int quiet_shutdown;/* don't send shutdown packets */
        int shutdown;   /* we have shut things down, 0x01 sent, 0x02
                         * for received */
        int quiet_shutdown;/* don't send shutdown packets */
        int shutdown;   /* we have shut things down, 0x01 sent, 0x02
                         * for received */


@@ -1157,6 +1164,7 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(SSL *s);
 
 int SSL_do_handshake(SSL *s);
 int SSL_renegotiate(SSL *s);
 
 int SSL_do_handshake(SSL *s);
 int SSL_renegotiate(SSL *s);

+int SSL_renegotiate_pending(SSL *s);

 int SSL_shutdown(SSL *s);
 
 SSL_METHOD *SSL_get_ssl_method(SSL *s);
 int SSL_shutdown(SSL *s);
 
 SSL_METHOD *SSL_get_ssl_method(SSL *s);

diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 89c3c2d4f498460ea8b625b9fdc0f229844085d0..f5512c465e42c4cf99b0dd63f2cf7e66530d5bda 100644 (file)
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -836,6 +836,13 @@ int SSL_renegotiate(SSL *s)
        return(s->method->ssl_renegotiate(s));
        }
 
        return(s->method->ssl_renegotiate(s));
        }
 

+int SSL_renegotiate_pending(SSL *s)
+       {
+       /* becomes true when negotiation is requested;
+        * false again once a handshake has finished */
+       return (s->new_session != 0);
+       }
+

 long SSL_ctrl(SSL *s,int cmd,long larg,char *parg)
        {
        long l;
 long SSL_ctrl(SSL *s,int cmd,long larg,char *parg)
        {
        long l;

diff --git a/util/ssleay.num b/util/ssleay.num
index 4090d9909238f8afbfd7ffc72f486087c5f360d7..168e6d3c59a797c336309bfe5f75acac50d8bb3d 100755 (executable)
--- a/util/ssleay.num
+++ b/util/ssleay.num
@@ -212,3 +212,4 @@ kssl_ctx_free                           261 EXIST::FUNCTION:KRB5
 kssl_krb5_free_data_contents            262    EXIST::FUNCTION:KRB5
 kssl_ctx_setstring                      263    EXIST::FUNCTION:KRB5
 SSL_CTX_set_generate_session_id         264    EXIST::FUNCTION:
 kssl_krb5_free_data_contents            262    EXIST::FUNCTION:KRB5
 kssl_ctx_setstring                      263    EXIST::FUNCTION:KRB5
 SSL_CTX_set_generate_session_id         264    EXIST::FUNCTION:

+SSL_renegotiate_pending                 265    EXIST::FUNCTION: