X-Git-Url: https://git.openssl.org/gitweb/?a=blobdiff_plain;f=ssl%2Fssl_lib.c;h=3157f20eac6d68e72824a572b3c437918b021efb;hb=f6d13ac8cf4cacf4f0150290b4aee67062bfacc7;hp=8c26e8f2205cf5873cf7347591094fa456253b8c;hpb=b52a2738d4cd20d8cf4cf88943bee2b6789eeaf1;p=openssl.git

diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 8c26e8f220..3157f20eac 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1041,8 +1041,12 @@ long SSL_ctrl(SSL *s,int cmd,long larg,void *parg)
 
 	case SSL_CTRL_OPTIONS:
 		return(s->options|=larg);
+	case SSL_CTRL_CLEAR_OPTIONS:
+		return(s->options&=~larg);
 	case SSL_CTRL_MODE:
 		return(s->mode|=larg);
+	case SSL_CTRL_CLEAR_MODE:
+		return(s->mode &=~larg);
 	case SSL_CTRL_GET_MAX_CERT_LIST:
 		return(s->max_cert_list);
 	case SSL_CTRL_SET_MAX_CERT_LIST:
@@ -1152,8 +1156,12 @@ long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd,long larg,void *parg)
 		return(ctx->stats.sess_cache_full);
 	case SSL_CTRL_OPTIONS:
 		return(ctx->options|=larg);
+	case SSL_CTRL_CLEAR_OPTIONS:
+		return(ctx->options&=~larg);
 	case SSL_CTRL_MODE:
 		return(ctx->mode|=larg);
+	case SSL_CTRL_CLEAR_MODE:
+		return(ctx->mode&=~larg);
 	case SSL_CTRL_SET_MAX_SEND_FRAGMENT:
 		if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH)
 			return 0;
@@ -1361,19 +1369,19 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
 		j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p);
 		p+=j;
 		}
-	/* If p == q, no ciphers and caller indicates an error, otherwise
-	 * add MCSV
+	/* If p == q, no ciphers and caller indicates an error. Otherwise
+	 * add SCSV if not renegotiating.
 	 */
-	if (p != q)
+	if (p != q && !s->new_session)
 		{
-		static SSL_CIPHER msvc =
+		static SSL_CIPHER scsv =
 			{
-			0, NULL, SSL3_CK_MCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
+			0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
 			};
-		j = put_cb ? put_cb(&msvc,p) : ssl_put_cipher_by_char(s,&msvc,p);
+		j = put_cb ? put_cb(&scsv,p) : ssl_put_cipher_by_char(s,&scsv,p);
 		p+=j;
 #ifdef OPENSSL_RI_DEBUG
-		fprintf(stderr, "MCSV sent by client\n");
+		fprintf(stderr, "SCSV sent by client\n");
 #endif
 		}
 
@@ -1386,8 +1394,8 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,
 	const SSL_CIPHER *c;
 	STACK_OF(SSL_CIPHER) *sk;
 	int i,n;
-
-	s->s3->send_connection_binding = 0;
+	if (s->s3)
+		s->s3->send_connection_binding = 0;
 
 	n=ssl_put_cipher_by_char(s,NULL,NULL);
 	if ((num%n) != 0)
@@ -1405,15 +1413,22 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,
 
 	for (i=0; i<num; i+=n)
 		{
-		/* Check for MCSV */
-		if ((n != 3 || !p[0]) &&
-			(p[n-2] == ((SSL3_CK_MCSV >> 8) & 0xff)) &&
-			(p[n-1] == (SSL3_CK_MCSV & 0xff)))
+		/* Check for SCSV */
+		if (s->s3 && (n != 3 || !p[0]) &&
+			(p[n-2] == ((SSL3_CK_SCSV >> 8) & 0xff)) &&
+			(p[n-1] == (SSL3_CK_SCSV & 0xff)))
 			{
+			/* SCSV fatal if renegotiating */
+			if (s->new_session)
+				{
+				SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
+				ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 
+				goto err;
+				}
 			s->s3->send_connection_binding = 1;
 			p += n;
 #ifdef OPENSSL_RI_DEBUG
-			fprintf(stderr, "MCSV received by server\n");
+			fprintf(stderr, "SCSV received by server\n");
 #endif
 			continue;
 			}
@@ -1669,6 +1684,10 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
 	}
 #endif
 #endif
+	/* Default is to connect to non-RI servers. When RI is more widely
+	 * deployed might change this.
+	 */
+	ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
 
 	return(ret);
 err: