mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2024-11-27 05:21:51 +08:00
Code Issues Packages Projects Releases Wiki Activity

Remove use of the SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag

Browse Source 
This flag is never set by anything so remove it.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)
This commit is contained in:
Matt Caswell 2017-01-10 14:58:17 +00:00
parent 9799748974
commit 0386aad1ab
7 changed files with 70 additions and 58 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
include/openssl/ssl3.h
View File

@ -256,6 +256,7 @@ extern "C" {
*/
# define SSL3_CT_NUMBER 9
/* No longer used as of OpenSSL 1.1.1 */
# define SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS 0x0001
/* Removed from OpenSSL 1.1.0 */

4
ssl/record/rec_layer_d1.c
View File

@ -657,7 +657,6 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
s->msg_callback_arg);
if (SSL_is_init_finished(s) &&
!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
!s->s3->renegotiate) {
s->d1->handshake_read_seq++;
s->new_session = 1;
@ -838,8 +837,7 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
goto start;
}
if (SSL_is_init_finished(s) &&
!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) {
if (SSL_is_init_finished(s)) {
ossl_statem_set_in_init(s, 1);
s->renegotiate = 1;
s->new_session = 1;

15
ssl/record/rec_layer_s3.c
View File

@ -1390,6 +1390,7 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
/* If we are a client, check for an incoming 'Hello Request': */
if ((!s->server) &&
(s->rlayer.handshake_fragment_len >= 4) &&
!SSL_IS_TLS13(s) &&
(s->rlayer.handshake_fragment[0] == SSL3_MT_HELLO_REQUEST) &&
(s->session != NULL) && (s->session->cipher != NULL)) {
s->rlayer.handshake_fragment_len = 0;
@ -1408,7 +1409,6 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
s->msg_callback_arg);
if (SSL_is_init_finished(s) &&
!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
!s->s3->renegotiate) {
ssl3_renegotiate(s);
if (ssl3_renegotiate_check(s)) {
@ -1459,6 +1459,7 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
SSL_is_init_finished(s) &&
!s->s3->send_connection_binding &&
(s->version > SSL3_VERSION) &&
!SSL_IS_TLS13(s) &&
(s->rlayer.handshake_fragment_len >= 4) &&
(s->rlayer.handshake_fragment[0] == SSL3_MT_CLIENT_HELLO) &&
(s->session != NULL) && (s->session->cipher != NULL) &&
@ -1557,15 +1558,17 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
}
/*
* Unexpected handshake message (Client Hello, or protocol violation)
* Unexpected handshake message (Client Hello, NewSessionTicket (TLS1.3) or
* protocol violation)
*/
if ((s->rlayer.handshake_fragment_len >= 4)
&& !ossl_statem_get_in_handshake(s)) {
if (SSL_is_init_finished(s) &&
!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) {
if (SSL_is_init_finished(s)) {
ossl_statem_set_in_init(s, 1);
s->renegotiate = 1;
s->new_session = 1;
if (!SSL_IS_TLS13(s)) {
s->renegotiate = 1;
s->new_session = 1;
}
}
i = s->handshake_func(s);
if (i < 0)

3
ssl/s3_lib.c
View File

@ -3874,9 +3874,6 @@ int ssl3_renegotiate(SSL *s)
if (s->handshake_func == NULL)
return (1);
if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
return (0);
s->s3->renegotiate = 1;
return (1);
}

88
ssl/statem/statem.c
View File

@ -107,6 +107,7 @@ void ossl_statem_set_renegotiate(SSL *s)
{
s->statem.state = MSG_FLOW_RENEGOTIATE;
s->statem.in_init = 1;
s->statem.request_state = TLS_ST_SW_HELLO_REQ;
}
/*
@ -259,9 +260,12 @@ static int state_machine(SSL *s, int server)
s->ctx->stats.sess_connect_renegotiate++;
}
if (st->state == MSG_FLOW_UNINITED || st->state == MSG_FLOW_RENEGOTIATE) {
if (st->state == MSG_FLOW_UNINITED
|| st->state == MSG_FLOW_RENEGOTIATE
|| st->state == MSG_FLOW_FINISHED) {
if (st->state == MSG_FLOW_UNINITED) {
st->hand_state = TLS_ST_BEFORE;
st->request_state = TLS_ST_BEFORE;
}
s->server = server;
@ -318,54 +322,57 @@ static int state_machine(SSL *s, int server)
goto end;
}
if (!server || st->state != MSG_FLOW_RENEGOTIATE) {
if (!ssl3_init_finished_mac(s)) {
ossl_statem_set_error(s);
goto end;
if (!SSL_IS_TLS13(s)) {
if (!server || st->state != MSG_FLOW_RENEGOTIATE) {
if (!ssl3_init_finished_mac(s)) {
ossl_statem_set_error(s);
goto end;
}
}
}
if (server) {
if (st->state != MSG_FLOW_RENEGOTIATE) {
s->ctx->stats.sess_accept++;
} else if (!s->s3->send_connection_binding &&
!(s->options &
SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
/*
* Server attempting to renegotiate with client that doesn't
* support secure renegotiation.
*/
SSLerr(SSL_F_STATE_MACHINE,
SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
ossl_statem_set_error(s);
goto end;
if (server) {
if (st->state != MSG_FLOW_RENEGOTIATE) {
s->ctx->stats.sess_accept++;
} else if (!s->s3->send_connection_binding &&
!(s->options &
SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
/*
* Server attempting to renegotiate with client that doesn't
* support secure renegotiation.
*/
SSLerr(SSL_F_STATE_MACHINE,
SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
ossl_statem_set_error(s);
goto end;
} else {
/*
* st->state == MSG_FLOW_RENEGOTIATE, we will just send a
* HelloRequest
*/
s->ctx->stats.sess_accept_renegotiate++;
s->s3->tmp.cert_request = 0;
}
} else {
/*
* st->state == MSG_FLOW_RENEGOTIATE, we will just send a
* HelloRequest
*/
s->ctx->stats.sess_accept_renegotiate++;
s->ctx->stats.sess_connect++;
/* mark client_random uninitialized */
memset(s->s3->client_random, 0, sizeof(s->s3->client_random));
s->hit = 0;
s->s3->tmp.cert_req = 0;
if (SSL_IS_DTLS(s)) {
st->use_timer = 1;
}
}
s->s3->tmp.cert_request = 0;
} else {
s->ctx->stats.sess_connect++;
/* mark client_random uninitialized */
memset(s->s3->client_random, 0, sizeof(s->s3->client_random));
s->hit = 0;
s->s3->tmp.cert_req = 0;
if (SSL_IS_DTLS(s)) {
st->use_timer = 1;
}
st->read_state_first_init = 1;
}
st->state = MSG_FLOW_WRITING;
init_write_state_machine(s);
st->read_state_first_init = 1;
}
while (st->state != MSG_FLOW_FINISHED) {
@ -396,7 +403,6 @@ static int state_machine(SSL *s, int server)
}
}
st->state = MSG_FLOW_UNINITED;
ret = 1;
end:

2
ssl/statem/statem.h
View File

@ -86,6 +86,8 @@ struct ossl_statem_st {
READ_STATE read_state;
WORK_STATE read_state_work;
OSSL_HANDSHAKE_STATE hand_state;
/* The handshake state requested by an API call (e.g. HelloRequest) */
OSSL_HANDSHAKE_STATE request_state;
int in_init;
int read_state_first_init;
/* true when we are actually in SSL_accept() or SSL_connect() */

15
ssl/statem/statem_srvr.c
View File

@ -162,6 +162,7 @@ int ossl_statem_server_read_transition(SSL *s, int mt)
break;
case TLS_ST_BEFORE:
case TLS_ST_OK:
case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
if (mt == SSL3_MT_CLIENT_HELLO) {
st->hand_state = TLS_ST_SR_CLNT_HELLO;
@ -465,15 +466,19 @@ WRITE_TRAN ossl_statem_server_write_transition(SSL *s)
/* Shouldn't happen */
return WRITE_TRAN_ERROR;
case TLS_ST_OK:
if (st->request_state == TLS_ST_SW_HELLO_REQ) {
/* We must be trying to renegotiate */
st->hand_state = TLS_ST_SW_HELLO_REQ;
st->request_state = TLS_ST_BEFORE;
return WRITE_TRAN_CONTINUE;
}
/* Fall through */
case TLS_ST_BEFORE:
/* Just go straight to trying to read from the client */
return WRITE_TRAN_FINISHED;
case TLS_ST_OK:
/* We must be trying to renegotiate */
st->hand_state = TLS_ST_SW_HELLO_REQ;
return WRITE_TRAN_CONTINUE;
case TLS_ST_SW_HELLO_REQ:
st->hand_state = TLS_ST_OK;
ossl_statem_set_in_init(s, 0);