Update RI to match latest spec.

MCSV is now called SCSV.

Don't send SCSV if renegotiating.

Also note if RI is empty in debug messages.

diff --git a/ssl/ssl3.h b/ssl/ssl3.h
index 414ad2d58a442c1d2dfd6d0f8d3c0b5047098117..342cd44590c536f2e21539bc67403b96d847a555 100644 (file)
--- a/ssl/ssl3.h
+++ b/ssl/ssl3.h
@@ -129,8 +129,8 @@ extern "C" {
 #endif
 
 /* Magic Cipher Suite Value. NB: bogus value used for testing */
 #endif
 
 /* Magic Cipher Suite Value. NB: bogus value used for testing */

-#ifndef SSL3_CK_MCSV
-#define SSL3_CK_MCSV                           0x03000FEC
+#ifndef SSL3_CK_SCSV
+#define SSL3_CK_SCSV                           0x03000FEC

 #endif
 
 #define SSL3_CK_RSA_NULL_MD5                   0x03000001
 #endif
 
 #define SSL3_CK_RSA_NULL_MD5                   0x03000001

diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 8d37e4914a4a19b9885cef53cef3c71590b1d1c6..9733201a3aba4327d6cd82dd944bc8ec5a4a5265 100644 (file)
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1370,18 +1370,18 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
                p+=j;
                }
        /* If p == q, no ciphers and caller indicates an error, otherwise
                p+=j;
                }
        /* If p == q, no ciphers and caller indicates an error, otherwise

-        * add MCSV
+        * add SCSV if not renegotiating

         */
         */

-       if (p != q)
+       if (p != q && !s->new_session)

                {
                static SSL_CIPHER msvc =
                        {
                {
                static SSL_CIPHER msvc =
                        {

-                       0, NULL, SSL3_CK_MCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
+                       0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0

                        };
                j = put_cb ? put_cb(&msvc,p) : ssl_put_cipher_by_char(s,&msvc,p);
                p+=j;
 #ifdef OPENSSL_RI_DEBUG
                        };
                j = put_cb ? put_cb(&msvc,p) : ssl_put_cipher_by_char(s,&msvc,p);
                p+=j;
 #ifdef OPENSSL_RI_DEBUG

-               fprintf(stderr, "MCSV sent by client\n");
+               fprintf(stderr, "SCSV sent by client\n");

 #endif
                }
 
 #endif
                }
 


@@ -1413,15 +1413,15 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,
 
        for (i=0; i<num; i+=n)
                {
 
        for (i=0; i<num; i+=n)
                {

-               /* Check for MCSV */
+               /* Check for SCSV */

                if (s->s3 && (n != 3 || !p[0]) &&
                if (s->s3 && (n != 3 || !p[0]) &&

-                       (p[n-2] == ((SSL3_CK_MCSV >> 8) & 0xff)) &&
-                       (p[n-1] == (SSL3_CK_MCSV & 0xff)))
+                       (p[n-2] == ((SSL3_CK_SCSV >> 8) & 0xff)) &&
+                       (p[n-1] == (SSL3_CK_SCSV & 0xff)))

                        {
                        s->s3->send_connection_binding = 1;
                        p += n;
 #ifdef OPENSSL_RI_DEBUG
                        {
                        s->s3->send_connection_binding = 1;
                        p += n;
 #ifdef OPENSSL_RI_DEBUG

-                       fprintf(stderr, "MCSV received by server\n");
+                       fprintf(stderr, "SCSV received by server\n");

 #endif
                        continue;
                        }
 #endif
                        continue;
                        }

diff --git a/ssl/t1_reneg.c b/ssl/t1_reneg.c
index 07fd5cb570dd7e63f6548991041e94657b4b58a2..9c2cc3c712a20415a83490cfa1c112fdc49eb6c5 100644 (file)
--- a/ssl/t1_reneg.c
+++ b/ssl/t1_reneg.c
@@ -131,7 +131,8 @@ int ssl_add_clienthello_renegotiate_ext(SSL *s, unsigned char *p, int *len,
         memcpy(p, s->s3->previous_client_finished,
               s->s3->previous_client_finished_len);
 #ifdef OPENSSL_RI_DEBUG
         memcpy(p, s->s3->previous_client_finished,
               s->s3->previous_client_finished_len);
 #ifdef OPENSSL_RI_DEBUG

-    fprintf(stderr, "RI extension sent by client\n");
+    fprintf(stderr, "%s RI extension sent by client\n",
+               s->s3->previous_client_finished_len ? "Non-empty" : "Empty");

 #endif
         }
     
 #endif
         }
     


@@ -182,7 +183,8 @@ int ssl_parse_clienthello_renegotiate_ext(SSL *s, unsigned char *d, int len,
         return 0;
         }
 #ifdef OPENSSL_RI_DEBUG
         return 0;
         }
 #ifdef OPENSSL_RI_DEBUG

-    fprintf(stderr, "RI extension received by server\n");
+    fprintf(stderr, "%s RI extension received by server\n",
+                               ilen ? "Non-empty" : "Empty");

 #endif
 
     s->s3->send_connection_binding=1;
 #endif
 
     s->s3->send_connection_binding=1;


@@ -214,7 +216,8 @@ int ssl_add_serverhello_renegotiate_ext(SSL *s, unsigned char *p, int *len,
         memcpy(p, s->s3->previous_server_finished,
               s->s3->previous_server_finished_len);
 #ifdef OPENSSL_RI_DEBUG
         memcpy(p, s->s3->previous_server_finished,
               s->s3->previous_server_finished_len);
 #ifdef OPENSSL_RI_DEBUG

-    fprintf(stderr, "RI extension sent by server\n");
+    fprintf(stderr, "%s RI extension sent by server\n",
+               s->s3->previous_client_finished_len ? "Non-empty" : "Empty");

 #endif
         }
     
 #endif
         }
     


@@ -280,7 +283,8 @@ int ssl_parse_serverhello_renegotiate_ext(SSL *s, unsigned char *d, int len,
         return 0;
         }
 #ifdef OPENSSL_RI_DEBUG
         return 0;
         }
 #ifdef OPENSSL_RI_DEBUG

-    fprintf(stderr, "RI extension received by client\n");
+    fprintf(stderr, "%s RI extension received by client\n",
+                               ilen ? "Non-empty" : "Empty");

 #endif
     s->s3->send_connection_binding=1;
 
 #endif
     s->s3->send_connection_binding=1;