Whenever a handshake is initiated, the variable s->new_session is set
to indicate that a handshake is being performed. This is not the
correct context because a handshake can also be abbreviated and will
not create a new session then. This variable is also used in the right
context to determine whether or not the current Session ID is sent
with a ClientHello. The result is that renegotiations always create a
new session because the handshake state has to be set. There is no
possibility to perform an abbreviated handshake for renegotiation
conform to the TLS specification. This patch adds the variable s-
>renegotiate to indicate handshakes, so that s->new_session only
indicates if a new session should be created, that is a full handshake
should be performed. The patch also adds the function
SSL_renegotiate_abbreviated(SSL* ssl) which can be used to trigger an
abbreviated handshake. The functionality of SSL_renegotiate(SSL* ssl)
remains the same and always performs a full handshake.
--- ssl/d1_clnt.c 2008-06-04 20:35:25.000000000 +0200
+++ ssl/d1_clnt.c 2009-01-30 11:31:23.000000000 +0100
@@ -169,7 +169,7 @@
switch(s->state)
{
case SSL_ST_RENEGOTIATE:
- s->new_session=1;
+ s->renegotiate=1;
s->state=SSL_ST_CONNECT;
s->ctx->stats.sess_connect_renegotiate++;
/* break */
@@ -478,7 +478,7 @@
/* else do it later in ssl3_write */
s->init_num=0;
- s->new_session=0;
+ s->renegotiate=0;
ssl_update_cache(s,SSL_SESS_CACHE_CLIENT);
if (s->hit) s->ctx->stats.sess_hit++;
--- ssl/d1_pkt.c 2008-10-13 08:43:06.000000000 +0200
+++ ssl/d1_pkt.c 2009-01-30 11:32:30.000000000 +0100
@@ -1047,7 +1047,7 @@
#else
s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
#endif
- s->new_session=1;
+ s->renegotiate=1;
}
i=s->handshake_func(s);
if (i < 0) return(i);
--- ssl/d1_srvr.c 2008-09-14 16:02:01.000000000 +0200
+++ ssl/d1_srvr.c 2009-01-30 14:05:35.000000000 +0100
@@ -176,7 +176,7 @@
switch (s->state)
{
case SSL_ST_RENEGOTIATE:
- s->new_session=1;
+ s->renegotiate=1;
/* s->state=SSL_ST_ACCEPT; */
case SSL_ST_BEFORE:
@@ -267,7 +267,7 @@
s->shutdown=0;
ret=ssl3_get_client_hello(s);
if (ret <= 0) goto end;
- s->new_session = 2;
+ s->renegotiate = 2;
if ( s->d1->send_cookie)
s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A;
@@ -532,12 +532,12 @@
s->init_num=0;
- if (s->new_session == 2) /* skipped if we just sent a
HelloRequest
*/
+ if (s->renegotiate == 2) /* skipped if we just sent a
HelloRequest
*/
{
/* actually not necessarily a 'new' session
unless
*
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */
- s->new_session=0;
+ s->renegotiate=0;
ssl_update_cache(s,SSL_SESS_CACHE_SERVER);
--- ssl/s3_clnt.c 2009-01-07 11:48:23.000000000 +0100
+++ ssl/s3_clnt.c 2009-01-30 14:07:32.000000000 +0100
@@ -194,7 +194,7 @@
switch(s->state)
{
case SSL_ST_RENEGOTIATE:
- s->new_session=1;
+ s->renegotiate=1;
s->state=SSL_ST_CONNECT;
s->ctx->stats.sess_connect_renegotiate++;
/* break */
@@ -529,7 +529,7 @@
/* else do it later in ssl3_write */
s->init_num=0;
- s->new_session=0;
+ s->renegotiate=0;
ssl_update_cache(s,SSL_SESS_CACHE_CLIENT);
if (s->hit) s->ctx->stats.sess_hit++;
--- ssl/s3_pkt.c 2008-10-10 12:41:32.000000000 +0200
+++ ssl/s3_pkt.c 2009-01-29 14:25:53.000000000 +0100
@@ -1128,7 +1128,7 @@
#else
s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
#endif
- s->new_session=1;
+ s->renegotiate=1;
}
i=s->handshake_func(s);
if (i < 0) return(i);
--- ssl/s3_srvr.c 2009-01-07 11:48:23.000000000 +0100
+++ ssl/s3_srvr.c 2009-01-29 14:24:50.000000000 +0100
@@ -196,7 +196,7 @@
switch (s->state)
{
case SSL_ST_RENEGOTIATE:
- s->new_session=1;
+ s->renegotiate=1;
/* s->state=SSL_ST_ACCEPT; */
case SSL_ST_BEFORE:
@@ -281,7 +281,7 @@
s->shutdown=0;
ret=ssl3_get_client_hello(s);
if (ret <= 0) goto end;
- s->new_session = 2;
+ s->renegotiate = 2;
s->state=SSL3_ST_SW_SRVR_HELLO_A;
s->init_num=0;
break;
@@ -595,12 +595,12 @@
s->init_num=0;
- if (s->new_session == 2) /* skipped if we just sent a
HelloRequest
*/
+ if (s->renegotiate == 2) /* skipped if we just sent a
HelloRequest
*/
{
/* actually not necessarily a 'new' session
unless
*
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */
- s->new_session=0;
+ s->renegotiate=0;
ssl_update_cache(s,SSL_SESS_CACHE_SERVER);
@@ -784,12 +784,14 @@
i=ssl_get_prev_session(s, p, j, d + n);
if (i == 1)
{ /* previous session */
+
s->hit=1;
}
else if (i == -1)
goto err;
else /* i == 0 */
{
+
if (!ssl_get_new_session(s,1))
goto err;
}
--- ssl/ssl.h 2008-08-13 21:44:44.000000000 +0200
+++ ssl/ssl.h 2009-01-30 14:11:23.000000000 +0100
@@ -894,12 +894,14 @@
int server; /* are we the server side? - mostly used by SSL_clear*/
- int new_session;/* 1 if we are to use a new session.
- * 2 if we are a server and are inside a handshake
- * (i.e. not just sending a HelloRequest)
- * NB: For servers, the 'new' session may actually
be a previously
- * cached session or even the previous session unless
- * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is
set */
+ int renegotiate;/* 1 if we are renegotiating.
+ * 2 if we are a server and are inside
a handshake
+ * (i.e. not just sending a
HelloRequest) */
+ int new_session;/* Generate a new session or reuse an old one.
+ * NB: For servers, the 'new' session
may actually be a previously
+ * cached session or even the previous
session unless
+ *
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */
+
int quiet_shutdown;/* don't send shutdown packets */
int shutdown; /* we have shut things down, 0x01 sent, 0x02
* for received */
@@ -1495,6 +1497,7 @@
int SSL_do_handshake(SSL *s);
int SSL_renegotiate(SSL *s);
+int SSL_renegotiate_abbreviated(SSL *s);
int SSL_renegotiate_pending(SSL *s);
int SSL_shutdown(SSL *s);
--- ssl/ssl_lib.c 2008-06-16 18:56:42.000000000 +0200
+++ ssl/ssl_lib.c 2009-01-30 11:16:02.000000000 +0100
@@ -176,9 +176,9 @@
* needed because SSL_clear is not called when doing
renegotiation) */
/* This is set if we are doing dynamic renegotiation so keep
* the old cipher. It is sort of a SSL_clear_lite :-) */
- if (s->new_session) return(1);
+ if (s->renegotiate) return(1);
#else
- if (s->new_session)
+ if (s->renegotiate)
{
SSLerr(SSL_F_SSL_CLEAR,ERR_R_INTERNAL_ERROR);
return 0;
@@ -951,18 +951,29 @@
int SSL_renegotiate(SSL *s)
{
- if (s->new_session == 0)
- {
- s->new_session=1;
- }
+ if (s->renegotiate == 0)
+ s->renegotiate=1;
+
+ s->new_session=1;
+
return(s->method->ssl_renegotiate(s));
}
+int SSL_renegotiate_abbreviated(SSL *s)
+{
+ if (s->renegotiate == 0)
+ s->renegotiate=1;
+
+ s->new_session=0;
+
+ return(s->method->ssl_renegotiate(s));
+}
+
int SSL_renegotiate_pending(SSL *s)
{
/* becomes true when negotiation is requested;
* false again once a handshake has finished */
- return (s->new_session != 0);
+ return (s->renegotiate != 0);
}
long SSL_ctrl(SSL *s,int cmd,long larg,void *parg)
@@ -2282,6 +2293,7 @@
ret->in_handshake = s->in_handshake;
ret->handshake_func = s->handshake_func;
ret->server = s->server;
+ ret->renegotiate = s->renegotiate;
ret->new_session = s->new_session;
ret->quiet_shutdown = s->quiet_shutdown;
ret->shutdown=s->shutdown;
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
