Add support for magic cipher suite value (MCSV). Make secure renegotiation
work in SSLv3: the initial handshake has no extensions but includes MCSV; if
the server indicates RI support, renegotiation handshakes then include RI.

NB: current MCSV value is bogus for testing only, will be updated when we
have an official value.

Change mismatch alerts to handshake_failure as required by spec.

Also have some debugging fprintfs so we can clearly see what is going on
if OPENSSL_RI_DEBUG is set.
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index ce53e50..7f57636 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -275,8 +275,9 @@
 	int extdatalen=0;
 	unsigned char *ret = p;
 
-	/* don't add extensions for SSLv3 */
-	if (s->client_version == SSL3_VERSION)
+	/* don't add extensions for SSLv3 unless doing secure renegotiation */
+	if (s->client_version == SSL3_VERSION
+					&& !s->s3->send_connection_binding)
 		return p;
 
 	ret+=2;
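Review bot: The relaxed guard lets the whole extension block run for an SSLv3 ClientHello whenever `send_connection_binding` is set, not only the renegotiation extension. The rest of the function is outside the hunk, so this cannot be confirmed from here, but if the later extension writers are not individually gated, an SSLv3 renegotiation would carry extensions that SSLv3 peers never received before and may not tolerate. Consider wrapping every non-RI extension in `if (s->client_version != SSL3_VERSION)`, and likewise `if (s->version != SSL3_VERSION)` in the server-side hunk at -504, which has the same shape. The comment could also state when `send_connection_binding` is set, since the guard now depends on it.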
@@ -504,8 +505,8 @@
 	int extdatalen=0;
 	unsigned char *ret = p;
 
-	/* don't add extensions for SSLv3 */
-	if (s->version == SSL3_VERSION)
+	/* don't add extensions for SSLv3, unless doing secure renegotiation */
+	if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
 		return p;
 	
 	ret+=2;
@@ -633,7 +634,6 @@
 
 	s->servername_done = 0;
 	s->tlsext_status_type = -1;
-	s->s3->send_connection_binding = 0;
 
 	if (data >= (d+n-2))
 		{
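Review bot: With the reset of `send_connection_binding` removed from the start of extension parsing, the flag now outlives a single handshake, and nothing visible in this hunk shows where it is cleared again. That persistence looks intended, since the commit message says renegotiation handshakes include RI once support has been indicated, but it should be confirmed that the flag is reset when the connection state is cleared for reuse, and that a renegotiation ClientHello lacking RI is still rejected rather than accepted because of the stale flag. A comment here would record the intent, e.g. `/* send_connection_binding is not reset here: it must persist from the initial handshake into renegotiations */`. The enclosing function starts and ends outside the hunk.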