Add ctrl and macro so we can determine if peer support secure renegotiation.

diff --git a/CHANGES b/CHANGES
index 58f695dd857d65a0380c7d7bc86337acebc8a5e9..d3596e6b05d71041fd86cd619c277704a29f2d19 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -863,6 +863,11 @@
 
  Changes between 0.9.8l (?) and 0.9.8m (?)  [xx XXX xxxx]
 
 
  Changes between 0.9.8l (?) and 0.9.8m (?)  [xx XXX xxxx]
 

+  *) Add ctrl macro SSL_get_secure_renegotiation_support() which returns 1 if
+     peer supports secure renegotiation and 0 otherwise. Print out peer
+     renegotiation support in s_client/s_server.
+     [Steve Henson]
+

   *) Replace the highly broken and deprecated SPKAC certification method with
      the updated NID creation version. This should correctly handle UTF8.
      [Steve Henson]
   *) Replace the highly broken and deprecated SPKAC certification method with
      the updated NID creation version. This should correctly handle UTF8.
      [Steve Henson]

diff --git a/apps/s_client.c b/apps/s_client.c
index 2f647b852d2439f0264d5e69bd70cff642b6a000..a52e728a16325798e3c5496b3cde2f657b6471e3 100644 (file)
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -1730,6 +1730,8 @@ static void print_stuff(BIO *bio, SSL *s, int full)
                                                         EVP_PKEY_bits(pktmp));
                EVP_PKEY_free(pktmp);
        }
                                                         EVP_PKEY_bits(pktmp));
                EVP_PKEY_free(pktmp);
        }

+       BIO_printf(bio, "Secure Renegotiation IS%s supported\n",
+                       SSL_get_secure_renegotiation_support(s) ? "" : " NOT");

 #ifndef OPENSSL_NO_COMP
        comp=SSL_get_current_compression(s);
        expansion=SSL_get_current_expansion(s);
 #ifndef OPENSSL_NO_COMP
        comp=SSL_get_current_compression(s);
        expansion=SSL_get_current_expansion(s);

diff --git a/apps/s_server.c b/apps/s_server.c
index 6f6768951908192311377f178bc5beb603aa3d33..9ec5600c7527a789e8657ba4b6c61efd16381354 100644 (file)
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -2215,6 +2215,8 @@ static int init_ssl_connection(SSL *con)
                        con->kssl_ctx->client_princ);
                }
 #endif /* OPENSSL_NO_KRB5 */
                        con->kssl_ctx->client_princ);
                }
 #endif /* OPENSSL_NO_KRB5 */

+       BIO_printf(bio_s_out, "Secure Renegotiation IS%s supported\n",
+                     SSL_get_secure_renegotiation_support(con) ? "" : " NOT");

        return(1);
        }
 
        return(1);
        }
 

diff --git a/ssl/ssl.h b/ssl/ssl.h
index e3cb2a1a02408241b3ff58ff01a98b0462f195b6..dc04b66a87abc8a55ee3af0397bd2d92ffe890c5 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -625,6 +625,8 @@ typedef struct ssl_session_st
 #define SSL_set_mtu(ssl, mtu) \
         SSL_ctrl((ssl),SSL_CTRL_SET_MTU,(mtu),NULL)
 
 #define SSL_set_mtu(ssl, mtu) \
         SSL_ctrl((ssl),SSL_CTRL_SET_MTU,(mtu),NULL)
 

+#define SSL_get_secure_renegotiation_support(ssl) \
+       SSL_ctrl((ssl), SSL_CTRL_GET_RI_SUPPORT, 0, NULL)

 
 void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
 void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
 
 void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
 void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));


@@ -1374,6 +1376,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 
 #define SSL_CTRL_SET_MAX_SEND_FRAGMENT         52
 
 
 #define SSL_CTRL_SET_MAX_SEND_FRAGMENT         52
 

+#define SSL_CTRL_GET_RI_SUPPORT                        53
+

 /* see tls1.h for macros based on these */
 #ifndef OPENSSL_NO_TLSEXT
 #define SSL_CTRL_SET_TLSEXT_SERVERNAME_CB      53
 /* see tls1.h for macros based on these */
 #ifndef OPENSSL_NO_TLSEXT
 #define SSL_CTRL_SET_TLSEXT_SERVERNAME_CB      53

diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 3583c4d0aa1c9fb3a4b60ca114da11534c776682..39bd9d7cf04bcaf304729df1812db1013f18b395 100644 (file)
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1062,6 +1062,10 @@ long SSL_ctrl(SSL *s,int cmd,long larg,void *parg)
                        return 0;
                s->max_send_fragment = larg;
                return 1;
                        return 0;
                s->max_send_fragment = larg;
                return 1;

+       case SSL_CTRL_GET_RI_SUPPORT:
+               if (s->s3)
+                       return s->s3->send_connection_binding;
+               else return 0;

        default:
                return(s->method->ssl_ctrl(s,cmd,larg,parg));
                }
        default:
                return(s->method->ssl_ctrl(s,cmd,larg,parg));
                }