mingw-openssl/openssl-1.0.0-beta4-reneg-err.patch

Better error reporting for unsafe renegotiation.
diff -up openssl-1.0.0-beta4/ssl/ssl_err.c.reneg-err openssl-1.0.0-beta4/ssl/ssl_err.c
--- openssl-1.0.0-beta4/ssl/ssl_err.c.reneg-err	2009-11-09 19:45:42.000000000 +0100
+++ openssl-1.0.0-beta4/ssl/ssl_err.c	2009-11-20 17:56:57.000000000 +0100
@@ -226,7 +226,9 @@ static ERR_STRING_DATA SSL_str_functs[]=
 {ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE),	"SSL_load_client_CA_file"},
 {ERR_FUNC(SSL_F_SSL_NEW),	"SSL_new"},
 {ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT),	"SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT"},
+{ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT),	"SSL_PARSE_CLIENTHELLO_TLSEXT"},
 {ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT),	"SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT"},
+{ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT),	"SSL_PARSE_SERVERHELLO_TLSEXT"},
 {ERR_FUNC(SSL_F_SSL_PEEK),	"SSL_peek"},
 {ERR_FUNC(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT),	"SSL_PREPARE_CLIENTHELLO_TLSEXT"},
 {ERR_FUNC(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT),	"SSL_PREPARE_SERVERHELLO_TLSEXT"},
@@ -526,6 +528,7 @@ static ERR_STRING_DATA SSL_str_reasons[]
 {ERR_REASON(SSL_R_UNKNOWN_REMOTE_ERROR_TYPE),"unknown remote error type"},
 {ERR_REASON(SSL_R_UNKNOWN_SSL_VERSION)   ,"unknown ssl version"},
 {ERR_REASON(SSL_R_UNKNOWN_STATE)         ,"unknown state"},
+{ERR_REASON(SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED),"unsafe legacy renegotiation disabled"},
 {ERR_REASON(SSL_R_UNSUPPORTED_CIPHER)    ,"unsupported cipher"},
 {ERR_REASON(SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM),"unsupported compression algorithm"},
 {ERR_REASON(SSL_R_UNSUPPORTED_DIGEST_TYPE),"unsupported digest type"},
diff -up openssl-1.0.0-beta4/ssl/ssl.h.reneg-err openssl-1.0.0-beta4/ssl/ssl.h
--- openssl-1.0.0-beta4/ssl/ssl.h.reneg-err	2009-11-12 15:17:29.000000000 +0100
+++ openssl-1.0.0-beta4/ssl/ssl.h	2009-11-20 17:56:57.000000000 +0100
@@ -1934,7 +1934,9 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_SSL_LOAD_CLIENT_CA_FILE			 185
 #define SSL_F_SSL_NEW					 186
 #define SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT	 300
+#define SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT		 302
 #define SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT	 301
+#define SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT		 303
 #define SSL_F_SSL_PEEK					 270
 #define SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT		 281
 #define SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT		 282
@@ -2231,6 +2233,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE			 253
 #define SSL_R_UNKNOWN_SSL_VERSION			 254
 #define SSL_R_UNKNOWN_STATE				 255
+#define SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED	 338
 #define SSL_R_UNSUPPORTED_CIPHER			 256
 #define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM		 257
 #define SSL_R_UNSUPPORTED_DIGEST_TYPE			 326
diff -up openssl-1.0.0-beta4/ssl/s23_srvr.c.reneg-err openssl-1.0.0-beta4/ssl/s23_srvr.c
--- openssl-1.0.0-beta4/ssl/s23_srvr.c.reneg-err	2009-11-12 15:17:29.000000000 +0100
+++ openssl-1.0.0-beta4/ssl/s23_srvr.c	2009-11-20 17:57:23.000000000 +0100
@@ -497,6 +497,11 @@ int ssl23_get_client_hello(SSL *s)
 		SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
 		goto err;
 #else
+		if (!(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+			{
+			SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
+			goto err;
+			}
 		/* we are talking sslv2 */
 		/* we need to clean up the SSLv3/TLSv1 setup and put in the
 		 * sslv2 stuff. */
diff -up openssl-1.0.0-beta4/ssl/t1_lib.c.reneg-err openssl-1.0.0-beta4/ssl/t1_lib.c
--- openssl-1.0.0-beta4/ssl/t1_lib.c.reneg-err	2009-11-18 14:04:19.000000000 +0100
+++ openssl-1.0.0-beta4/ssl/t1_lib.c	2009-11-20 17:56:57.000000000 +0100
@@ -636,6 +636,7 @@ int ssl_parse_clienthello_tlsext(SSL *s,
 			{
 			/* We should always see one extension: the renegotiate extension */
 			*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
+			SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
 			return 0;
 			}
 		return 1;
@@ -965,6 +966,7 @@ int ssl_parse_clienthello_tlsext(SSL *s,
  	if (s->new_session && !renegotiate_seen
  		&& !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
  		{
+		SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
  		*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
  		return 0;
  		}
@@ -993,6 +995,7 @@ int ssl_parse_serverhello_tlsext(SSL *s,
 			{
 			/* We should always see one extension: the renegotiate extension */
 			*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
+			SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
 			return 0;
 			}
 #endif
@@ -1133,6 +1136,7 @@ int ssl_parse_serverhello_tlsext(SSL *s,
 		&& !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
 		{
 		*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
+		SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
 		return 0;
 		}
 #endif
- Updated to version 1.0.0 beta 4 - Merged patches from native Fedora openssl (up to 1.0.0-0.15.beta4) - Added patch to fix build with fips disabled 2009-11-22 17:44:35 +00:00			`Better error reporting for unsafe renegotiation.`
			`diff -up openssl-1.0.0-beta4/ssl/ssl_err.c.reneg-err openssl-1.0.0-beta4/ssl/ssl_err.c`
			`--- openssl-1.0.0-beta4/ssl/ssl_err.c.reneg-err 2009-11-09 19:45:42.000000000 +0100`
			`+++ openssl-1.0.0-beta4/ssl/ssl_err.c 2009-11-20 17:56:57.000000000 +0100`
			`@@ -226,7 +226,9 @@ static ERR_STRING_DATA SSL_str_functs[]=`
			`{ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE), "SSL_load_client_CA_file"},`
			`{ERR_FUNC(SSL_F_SSL_NEW), "SSL_new"},`
			`{ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT), "SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT"},`
			`+{ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT), "SSL_PARSE_CLIENTHELLO_TLSEXT"},`
			`{ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT), "SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT"},`
			`+{ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT), "SSL_PARSE_SERVERHELLO_TLSEXT"},`
			`{ERR_FUNC(SSL_F_SSL_PEEK), "SSL_peek"},`
			`{ERR_FUNC(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT), "SSL_PREPARE_CLIENTHELLO_TLSEXT"},`
			`{ERR_FUNC(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT), "SSL_PREPARE_SERVERHELLO_TLSEXT"},`
			`@@ -526,6 +528,7 @@ static ERR_STRING_DATA SSL_str_reasons[]`
			`{ERR_REASON(SSL_R_UNKNOWN_REMOTE_ERROR_TYPE),"unknown remote error type"},`
			`{ERR_REASON(SSL_R_UNKNOWN_SSL_VERSION) ,"unknown ssl version"},`
			`{ERR_REASON(SSL_R_UNKNOWN_STATE) ,"unknown state"},`
			`+{ERR_REASON(SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED),"unsafe legacy renegotiation disabled"},`
			`{ERR_REASON(SSL_R_UNSUPPORTED_CIPHER) ,"unsupported cipher"},`
			`{ERR_REASON(SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM),"unsupported compression algorithm"},`
			`{ERR_REASON(SSL_R_UNSUPPORTED_DIGEST_TYPE),"unsupported digest type"},`
			`diff -up openssl-1.0.0-beta4/ssl/ssl.h.reneg-err openssl-1.0.0-beta4/ssl/ssl.h`
			`--- openssl-1.0.0-beta4/ssl/ssl.h.reneg-err 2009-11-12 15:17:29.000000000 +0100`
			`+++ openssl-1.0.0-beta4/ssl/ssl.h 2009-11-20 17:56:57.000000000 +0100`
			`@@ -1934,7 +1934,9 @@ void ERR_load_SSL_strings(void);`
			`#define SSL_F_SSL_LOAD_CLIENT_CA_FILE 185`
			`#define SSL_F_SSL_NEW 186`
			`#define SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT 300`
			`+#define SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT 302`
			`#define SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT 301`
			`+#define SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT 303`
			`#define SSL_F_SSL_PEEK 270`
			`#define SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT 281`
			`#define SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT 282`
			`@@ -2231,6 +2233,7 @@ void ERR_load_SSL_strings(void);`
			`#define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE 253`
			`#define SSL_R_UNKNOWN_SSL_VERSION 254`
			`#define SSL_R_UNKNOWN_STATE 255`
			`+#define SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED 338`
			`#define SSL_R_UNSUPPORTED_CIPHER 256`
			`#define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 257`
			`#define SSL_R_UNSUPPORTED_DIGEST_TYPE 326`
			`diff -up openssl-1.0.0-beta4/ssl/s23_srvr.c.reneg-err openssl-1.0.0-beta4/ssl/s23_srvr.c`
			`--- openssl-1.0.0-beta4/ssl/s23_srvr.c.reneg-err 2009-11-12 15:17:29.000000000 +0100`
			`+++ openssl-1.0.0-beta4/ssl/s23_srvr.c 2009-11-20 17:57:23.000000000 +0100`
			`@@ -497,6 +497,11 @@ int ssl23_get_client_hello(SSL *s)`
			`SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);`
			`goto err;`
			`#else`
			`+ if (!(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))`
			`+ {`
			`+ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);`
			`+ goto err;`
			`+ }`
			`/* we are talking sslv2 */`
			`/* we need to clean up the SSLv3/TLSv1 setup and put in the`
			`* sslv2 stuff. */`
			`diff -up openssl-1.0.0-beta4/ssl/t1_lib.c.reneg-err openssl-1.0.0-beta4/ssl/t1_lib.c`
			`--- openssl-1.0.0-beta4/ssl/t1_lib.c.reneg-err 2009-11-18 14:04:19.000000000 +0100`
			`+++ openssl-1.0.0-beta4/ssl/t1_lib.c 2009-11-20 17:56:57.000000000 +0100`
			`@@ -636,6 +636,7 @@ int ssl_parse_clienthello_tlsext(SSL *s,`
			`{`
			`/* We should always see one extension: the renegotiate extension */`
			`al = SSL_AD_ILLEGAL_PARAMETER; / is this the right alert? */`
			`+ SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);`
			`return 0;`
			`}`
			`return 1;`
			`@@ -965,6 +966,7 @@ int ssl_parse_clienthello_tlsext(SSL *s,`
			`if (s->new_session && !renegotiate_seen`
			`&& !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))`
			`{`
			`+ SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);`
			`al = SSL_AD_ILLEGAL_PARAMETER; / is this the right alert? */`
			`return 0;`
			`}`
			`@@ -993,6 +995,7 @@ int ssl_parse_serverhello_tlsext(SSL *s,`
			`{`
			`/* We should always see one extension: the renegotiate extension */`
			`al = SSL_AD_ILLEGAL_PARAMETER; / is this the right alert? */`
			`+ SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);`
			`return 0;`
			`}`
			`#endif`
			`@@ -1133,6 +1136,7 @@ int ssl_parse_serverhello_tlsext(SSL *s,`
			`&& !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))`
			`{`
			`al = SSL_AD_ILLEGAL_PARAMETER; / is this the right alert? */`
			`+ SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);`
			`return 0;`
			`}`
			`#endif`