- upstream fix compression handling on session resumption

- various null checks and other small fixes from upstream
- upstream changes for the renegotiation info according to the latest draft

openssl-1.0.0-beta4-backports2.patch

@@ -0,0 +1,334 @@
+diff -up openssl-1.0.0-beta4/apps/ca.c.backports2 openssl-1.0.0-beta4/apps/ca.c
+--- openssl-1.0.0-beta4/apps/ca.c.backports2	2009-10-04 18:43:21.000000000 +0200
++++ openssl-1.0.0-beta4/apps/ca.c	2010-01-07 23:16:08.000000000 +0100
+@@ -215,7 +215,6 @@ static int certify_spkac(X509 **xret, ch
+ 			 char *startdate, char *enddate, long days, char *ext_sect,
+ 			 CONF *conf, int verbose, unsigned long certopt, 
+ 			 unsigned long nameopt, int default_op, int ext_copy);
+-static int fix_data(int nid, int *type);
+ static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext);
+ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
+ 	STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial,char *subj,unsigned long chtype, int multirdn,
+@@ -2334,25 +2333,9 @@ static int certify_spkac(X509 **xret, ch
+ 			continue;
+ 			}
+ 
+-		/*
+-		if ((nid == NID_pkcs9_emailAddress) && (email_dn == 0))
+-			continue;
+-		*/
+-		
+-		j=ASN1_PRINTABLE_type((unsigned char *)buf,-1);
+-		if (fix_data(nid, &j) == 0)
+-			{
+-			BIO_printf(bio_err,
+-				"invalid characters in string %s\n",buf);
+-			goto err;
+-			}
+-
+-		if ((ne=X509_NAME_ENTRY_create_by_NID(&ne,nid,j,
+-			(unsigned char *)buf,
+-			strlen(buf))) == NULL)
++		if (!X509_NAME_add_entry_by_NID(n, nid, chtype,
++				(unsigned char *)buf, -1, -1, 0))
+ 			goto err;
+-
+-		if (!X509_NAME_add_entry(n,ne,-1, 0)) goto err;
+ 		}
+ 	if (spki == NULL)
+ 		{
+@@ -2395,21 +2378,6 @@ err:
+ 	return(ok);
+ 	}
+ 
+-static int fix_data(int nid, int *type)
+-	{
+-	if (nid == NID_pkcs9_emailAddress)
+-		*type=V_ASN1_IA5STRING;
+-	if ((nid == NID_commonName) && (*type == V_ASN1_IA5STRING))
+-		*type=V_ASN1_T61STRING;
+-	if ((nid == NID_pkcs9_challengePassword) && (*type == V_ASN1_IA5STRING))
+-		*type=V_ASN1_T61STRING;
+-	if ((nid == NID_pkcs9_unstructuredName) && (*type == V_ASN1_T61STRING))
+-		return(0);
+-	if (nid == NID_pkcs9_unstructuredName)
+-		*type=V_ASN1_IA5STRING;
+-	return(1);
+-	}
+-
+ static int check_time_format(const char *str)
+ 	{
+ 	return ASN1_TIME_set_string(NULL, str);
+diff -up openssl-1.0.0-beta4/crypto/asn1/ameth_lib.c.backports2 openssl-1.0.0-beta4/crypto/asn1/ameth_lib.c
+--- openssl-1.0.0-beta4/crypto/asn1/ameth_lib.c.backports2	2008-11-12 04:57:49.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/asn1/ameth_lib.c	2010-01-07 23:16:08.000000000 +0100
+@@ -301,6 +301,8 @@ EVP_PKEY_ASN1_METHOD* EVP_PKEY_asn1_new(
+ 		if (!ameth->info)
+ 			goto err;
+ 		}
++	else
++		ameth->info = NULL;
+ 
+ 	if (pem_str)
+ 		{
+@@ -308,6 +310,8 @@ EVP_PKEY_ASN1_METHOD* EVP_PKEY_asn1_new(
+ 		if (!ameth->pem_str)
+ 			goto err;
+ 		}
++	else
++		ameth->pem_str = NULL;
+ 
+ 	ameth->pub_decode = 0;
+ 	ameth->pub_encode = 0;
+diff -up openssl-1.0.0-beta4/crypto/bio/b_sock.c.backports2 openssl-1.0.0-beta4/crypto/bio/b_sock.c
+--- openssl-1.0.0-beta4/crypto/bio/b_sock.c.backports2	2010-01-07 23:16:08.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/bio/b_sock.c	2010-01-07 23:16:08.000000000 +0100
+@@ -595,7 +595,7 @@ int BIO_get_accept_socket(char *host, in
+ 		struct sockaddr_in6 sa_in6;
+ #endif
+ 	} server,client;
+-	int s=INVALID_SOCKET,cs;
++	int s=INVALID_SOCKET,cs,addrlen;
+ 	unsigned char ip[4];
+ 	unsigned short port;
+ 	char *str=NULL,*e;
+@@ -666,8 +666,10 @@ int BIO_get_accept_socket(char *host, in
+ 
+ 	if ((*p_getaddrinfo.f)(h,p,&hint,&res)) break;
+ 
+-	memcpy(&server, res->ai_addr,
+-		res->ai_addrlen<=sizeof(server)?res->ai_addrlen:sizeof(server));
++	addrlen = res->ai_addrlen<=sizeof(server) ?
++			res->ai_addrlen :
++			sizeof(server);
++	memcpy(&server, res->ai_addr, addrlen);
+ 
+ 	(*p_freeaddrinfo.f)(res);
+ 	goto again;
+@@ -679,6 +681,7 @@ int BIO_get_accept_socket(char *host, in
+ 	memset((char *)&server,0,sizeof(server));
+ 	server.sa_in.sin_family=AF_INET;
+ 	server.sa_in.sin_port=htons(port);
++	addrlen = sizeof(server.sa_in);
+ 
+ 	if (h == NULL || strcmp(h,"*") == 0)
+ 		server.sa_in.sin_addr.s_addr=INADDR_ANY;
+@@ -712,7 +715,7 @@ again:
+ 		bind_mode=BIO_BIND_NORMAL;
+ 		}
+ #endif
+-	if (bind(s,&server.sa,sizeof(server)) == -1)
++	if (bind(s,&server.sa,addrlen) == -1)
+ 		{
+ #ifdef SO_REUSEADDR
+ 		err_num=get_last_socket_error();
+@@ -740,7 +743,7 @@ again:
+ 			if (cs != INVALID_SOCKET)
+ 				{
+ 				int ii;
+-				ii=connect(cs,&client.sa,sizeof(client));
++				ii=connect(cs,&client.sa,addrlen);
+ 				closesocket(cs);
+ 				if (ii == INVALID_SOCKET)
+ 					{
+diff -up openssl-1.0.0-beta4/crypto/bio/bss_dgram.c.backports2 openssl-1.0.0-beta4/crypto/bio/bss_dgram.c
+--- openssl-1.0.0-beta4/crypto/bio/bss_dgram.c.backports2	2010-01-07 23:16:08.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/bio/bss_dgram.c	2010-01-07 23:16:08.000000000 +0100
+@@ -335,11 +335,21 @@ static int dgram_write(BIO *b, const cha
+ 	if ( data->connected )
+ 		ret=writesocket(b->num,in,inl);
+ 	else
++		{
++		int peerlen = sizeof(data->peer);
++
++		if (data->peer.sa.sa_family == AF_INET)
++			peerlen = sizeof(data->peer.sa_in);
++#if OPENSSL_USE_IVP6
++		else if (data->peer.sa.sa_family == AF_INET6)
++			peerlen = sizeof(data->peer.sa_in6);
++#endif
+ #if defined(NETWARE_CLIB) && defined(NETWARE_BSDSOCK)
+-		ret=sendto(b->num, (char *)in, inl, 0, &data->peer.sa, sizeof(data->peer));
++		ret=sendto(b->num, (char *)in, inl, 0, &data->peer.sa, peerlen);
+ #else
+-		ret=sendto(b->num, in, inl, 0, &data->peer.sa, sizeof(data->peer));
++		ret=sendto(b->num, in, inl, 0, &data->peer.sa, peerlen);
+ #endif
++		}
+ 
+ 	BIO_clear_retry_flags(b);
+ 	if (ret <= 0)
+diff -up openssl-1.0.0-beta4/crypto/bn/bn_mul.c.backports2 openssl-1.0.0-beta4/crypto/bn/bn_mul.c
+--- openssl-1.0.0-beta4/crypto/bn/bn_mul.c.backports2	2009-06-17 13:47:54.000000000 +0200
++++ openssl-1.0.0-beta4/crypto/bn/bn_mul.c	2010-01-07 23:16:08.000000000 +0100
+@@ -1032,15 +1032,15 @@ int BN_mul(BIGNUM *r, const BIGNUM *a, c
+ 				goto err;
+ 			if (al > j || bl > j)
+ 				{
+-				bn_wexpand(t,k*4);
+-				bn_wexpand(rr,k*4);
++				if (bn_wexpand(t,k*4) == NULL) goto err;
++				if (bn_wexpand(rr,k*4) == NULL) goto err;
+ 				bn_mul_part_recursive(rr->d,a->d,b->d,
+ 					j,al-j,bl-j,t->d);
+ 				}
+ 			else	/* al <= j || bl <= j */
+ 				{
+-				bn_wexpand(t,k*2);
+-				bn_wexpand(rr,k*2);
++				if (bn_wexpand(t,k*2) == NULL) goto err;
++				if (bn_wexpand(rr,k*2) == NULL) goto err;
+ 				bn_mul_recursive(rr->d,a->d,b->d,
+ 					j,al-j,bl-j,t->d);
+ 				}
+diff -up openssl-1.0.0-beta4/crypto/dsa/dsa_pmeth.c.backports2 openssl-1.0.0-beta4/crypto/dsa/dsa_pmeth.c
+--- openssl-1.0.0-beta4/crypto/dsa/dsa_pmeth.c.backports2	2009-09-02 17:51:28.000000000 +0200
++++ openssl-1.0.0-beta4/crypto/dsa/dsa_pmeth.c	2010-01-07 23:16:08.000000000 +0100
+@@ -132,7 +132,7 @@ static int pkey_dsa_sign(EVP_PKEY_CTX *c
+ 
+ 	ret = DSA_sign(type, tbs, tbslen, sig, &sltmp, dsa);
+ 
+-	if (ret < 0)
++	if (ret <= 0)
+ 		return ret;
+ 	*siglen = sltmp;
+ 	return 1;
+diff -up openssl-1.0.0-beta4/crypto/evp/digest.c.backports2 openssl-1.0.0-beta4/crypto/evp/digest.c
+--- openssl-1.0.0-beta4/crypto/evp/digest.c.backports2	2010-01-07 23:16:07.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/evp/digest.c	2010-01-07 23:16:08.000000000 +0100
+@@ -127,7 +127,8 @@ EVP_MD_CTX *EVP_MD_CTX_create(void)
+ 	{
+ 	EVP_MD_CTX *ctx=OPENSSL_malloc(sizeof *ctx);
+ 
+-	EVP_MD_CTX_init(ctx);
++	if (ctx)
++		EVP_MD_CTX_init(ctx);
+ 
+ 	return ctx;
+ 	}
+@@ -256,6 +257,12 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c
+ 			{
+ 			ctx->update = type->update;
+ 			ctx->md_data=OPENSSL_malloc(type->ctx_size);
++			if (ctx->md_data == NULL)
++				{
++				EVPerr(EVP_F_EVP_DIGESTINIT_EX,
++							ERR_R_MALLOC_FAILURE);
++				return 0;
++				}
+ 			}
+ 		}
+ #ifndef OPENSSL_NO_ENGINE
+@@ -346,8 +353,17 @@ int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, 
+ 
+ 	if (in->md_data && out->digest->ctx_size)
+ 		{
+-		if (tmp_buf) out->md_data = tmp_buf;
+-		else out->md_data=OPENSSL_malloc(out->digest->ctx_size);
++		if (tmp_buf)
++			out->md_data = tmp_buf;
++		else
++			{
++			out->md_data=OPENSSL_malloc(out->digest->ctx_size);
++			if (!out->md_data)
++				{
++				EVPerr(EVP_F_EVP_MD_CTX_COPY_EX,ERR_R_MALLOC_FAILURE);
++				return 0;
++				}
++			}
+ 		memcpy(out->md_data,in->md_data,out->digest->ctx_size);
+ 		}
+ 
+diff -up openssl-1.0.0-beta4/crypto/evp/evp_err.c.backports2 openssl-1.0.0-beta4/crypto/evp/evp_err.c
+--- openssl-1.0.0-beta4/crypto/evp/evp_err.c.backports2	2010-01-07 23:16:07.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/evp/evp_err.c	2010-01-07 23:16:08.000000000 +0100
+@@ -186,6 +186,8 @@ static ERR_STRING_DATA EVP_str_reasons[]
+ {ERR_REASON(EVP_R_PRIVATE_KEY_DECODE_ERROR),"private key decode error"},
+ {ERR_REASON(EVP_R_PRIVATE_KEY_ENCODE_ERROR),"private key encode error"},
+ {ERR_REASON(EVP_R_PUBLIC_KEY_NOT_RSA)    ,"public key not rsa"},
++{ERR_REASON(EVP_R_UNKNOWN_CIPHER)        ,"unknown cipher"},
++{ERR_REASON(EVP_R_UNKNOWN_DIGEST)        ,"unknown digest"},
+ {ERR_REASON(EVP_R_UNKNOWN_PBE_ALGORITHM) ,"unknown pbe algorithm"},
+ {ERR_REASON(EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS),"unsuported number of rounds"},
+ {ERR_REASON(EVP_R_UNSUPPORTED_ALGORITHM) ,"unsupported algorithm"},
+diff -up openssl-1.0.0-beta4/crypto/evp/evp.h.backports2 openssl-1.0.0-beta4/crypto/evp/evp.h
+--- openssl-1.0.0-beta4/crypto/evp/evp.h.backports2	2010-01-07 23:16:07.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/evp/evp.h	2010-01-07 23:16:08.000000000 +0100
+@@ -1275,6 +1275,8 @@ void ERR_load_EVP_strings(void);
+ #define EVP_R_PRIVATE_KEY_DECODE_ERROR			 145
+ #define EVP_R_PRIVATE_KEY_ENCODE_ERROR			 146
+ #define EVP_R_PUBLIC_KEY_NOT_RSA			 106
++#define EVP_R_UNKNOWN_CIPHER				 160
++#define EVP_R_UNKNOWN_DIGEST				 161
+ #define EVP_R_UNKNOWN_PBE_ALGORITHM			 121
+ #define EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS		 135
+ #define EVP_R_UNSUPPORTED_ALGORITHM			 156
+diff -up openssl-1.0.0-beta4/crypto/evp/evp_pbe.c.backports2 openssl-1.0.0-beta4/crypto/evp/evp_pbe.c
+--- openssl-1.0.0-beta4/crypto/evp/evp_pbe.c.backports2	2008-11-05 19:38:57.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/evp/evp_pbe.c	2010-01-07 23:17:15.000000000 +0100
+@@ -174,12 +174,26 @@ int EVP_PBE_CipherInit(ASN1_OBJECT *pbe_
+ 	if (cipher_nid == -1)
+ 		cipher = NULL;
+ 	else
++		{
+ 		cipher = EVP_get_cipherbynid(cipher_nid);
++		if (!cipher)
++			{
++			EVPerr(EVP_F_EVP_PBE_CIPHERINIT,EVP_R_UNKNOWN_CIPHER);
++			return 0;
++			}
++		}
+ 
+ 	if (md_nid == -1)
+ 		md = NULL;
+ 	else
++		{
+ 		md = EVP_get_digestbynid(md_nid);
++		if (!md)
++			{
++			EVPerr(EVP_F_EVP_PBE_CIPHERINIT,EVP_R_UNKNOWN_DIGEST);
++			return 0;
++			}
++		}
+ 
+ 	if (!keygen(ctx, pass, passlen, param, cipher, md, en_de))
+ 		{
+diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_lib.c.backports2 openssl-1.0.0-beta4/crypto/rsa/rsa_lib.c
+--- openssl-1.0.0-beta4/crypto/rsa/rsa_lib.c.backports2	2010-01-07 23:16:07.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/rsa/rsa_lib.c	2010-01-07 23:16:08.000000000 +0100
+@@ -208,7 +208,16 @@ RSA *RSA_new_method(ENGINE *engine)
+ 	ret->mt_blinding=NULL;
+ 	ret->bignum_data=NULL;
+ 	ret->flags=ret->meth->flags;
+-	CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data);
++	if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data))
++		{
++#ifndef OPENSSL_NO_ENGINE
++	if (ret->engine)
++		ENGINE_finish(ret->engine);
++#endif
++		OPENSSL_free(ret);
++		return(NULL);
++		}
++
+ 	if ((ret->meth->init != NULL) && !ret->meth->init(ret))
+ 		{
+ #ifndef OPENSSL_NO_ENGINE
+diff -up openssl-1.0.0-beta4/crypto/x509/x509_lu.c.backports2 openssl-1.0.0-beta4/crypto/x509/x509_lu.c
+--- openssl-1.0.0-beta4/crypto/x509/x509_lu.c.backports2	2009-10-18 16:42:27.000000000 +0200
++++ openssl-1.0.0-beta4/crypto/x509/x509_lu.c	2010-01-07 23:16:08.000000000 +0100
+@@ -200,7 +200,13 @@ X509_STORE *X509_STORE_new(void)
+ 	ret->lookup_crls = 0;
+ 	ret->cleanup = 0;
+ 
+-	CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE, ret, &ret->ex_data);
++	if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE, ret, &ret->ex_data))
++		{
++		sk_X509_OBJECT_free(ret->objs);
++		OPENSSL_free(ret);
++		return NULL;
++		}
++
+ 	ret->references=1;
+ 	return ret;
+ 	}

openssl-1.0.0-beta4-dtls-ipv6.patch

@@ -13,7 +13,7 @@ diff -up openssl-1.0.0-beta4/crypto/bio/b_sock.c.dtls-ipv6 openssl-1.0.0-beta4/c
  		{
 diff -up openssl-1.0.0-beta4/crypto/bio/bss_dgram.c.dtls-ipv6 openssl-1.0.0-beta4/crypto/bio/bss_dgram.c
 --- openssl-1.0.0-beta4/crypto/bio/bss_dgram.c.dtls-ipv6	2009-10-15 19:41:44.000000000 +0200
-+++ openssl-1.0.0-beta4/crypto/bio/bss_dgram.c	2009-11-23 08:50:45.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/bio/bss_dgram.c	2010-01-07 17:31:00.000000000 +0100
 @@ -108,11 +108,13 @@ static BIO_METHOD methods_dgramp=
  
  typedef struct bio_dgram_data_st
@@ -135,7 +135,7 @@ diff -up openssl-1.0.0-beta4/crypto/bio/bss_dgram.c.dtls-ipv6 openssl-1.0.0-beta
  #if 0
  			}
  #endif
-@@ -537,41 +543,60 @@ static long dgram_ctrl(BIO *b, int cmd, 
+@@ -537,41 +543,62 @@ static long dgram_ctrl(BIO *b, int cmd, 
  		if ( to != NULL)
  			{
  			data->connected = 1;
@@ -170,12 +170,12 @@ diff -up openssl-1.0.0-beta4/crypto/bio/bss_dgram.c.dtls-ipv6 openssl-1.0.0-beta
  			}
  		break;
  	case BIO_CTRL_DGRAM_GET_PEER:
- 		to = (struct sockaddr *) ptr;
+-		to = (struct sockaddr *) ptr;
 -
-+		switch (to->sa_family)
++		switch (data->peer.sa.sa_family)
 +			{
 +			case AF_INET:
-+				memcpy(to,&data->peer,(ret=sizeof(data->peer.sa_in)));
++				ret=sizeof(data->peer.sa_in);
 +				break;
  #if OPENSSL_USE_IPV6
 -		memcpy(to, &(data->peer), sizeof(struct sockaddr_storage));
@@ -185,13 +185,16 @@ diff -up openssl-1.0.0-beta4/crypto/bio/bss_dgram.c.dtls-ipv6 openssl-1.0.0-beta
 -		ret = sizeof(struct sockaddr_in);
 -#endif
 +			case AF_INET6:
-+				memcpy(to,&data->peer,(ret=sizeof(data->peer.sa_in6)));
++				ret=sizeof(data->peer.sa_in6);
 +				break;
 +#endif
 +			default:
-+				memcpy(to,&data->peer,(ret=sizeof(data->peer.sa)));
++				ret=sizeof(data->peer.sa);
 +				break;
 +			}
++		if (num==0 || num>ret)
++			num=ret;
++		memcpy(ptr,&data->peer,(ret=num));
  		break;
  	case BIO_CTRL_DGRAM_SET_PEER:
  		to = (struct sockaddr *) ptr;

openssl-1.0.0-beta4-dtls-reneg.patch

@@ -0,0 +1,571 @@
+diff -up openssl-1.0.0-beta4/ssl/d1_both.c.dtls-reneg openssl-1.0.0-beta4/ssl/d1_both.c
+--- openssl-1.0.0-beta4/ssl/d1_both.c.dtls-reneg	2009-11-02 14:37:17.000000000 +0100
++++ openssl-1.0.0-beta4/ssl/d1_both.c	2010-01-07 17:35:19.000000000 +0100
+@@ -764,6 +764,24 @@ int dtls1_send_finished(SSL *s, int a, i
+ 		p+=i;
+ 		l=i;
+ 
++	/* Copy the finished so we can use it for
++	 * renegotiation checks
++	 */
++	if(s->type == SSL_ST_CONNECT)
++		{
++		OPENSSL_assert(i <= EVP_MAX_MD_SIZE);
++		memcpy(s->s3->previous_client_finished, 
++		       s->s3->tmp.finish_md, i);
++		s->s3->previous_client_finished_len=i;
++		}
++	else
++		{
++		OPENSSL_assert(i <= EVP_MAX_MD_SIZE);
++		memcpy(s->s3->previous_server_finished, 
++		       s->s3->tmp.finish_md, i);
++		s->s3->previous_server_finished_len=i;
++		}
++
+ #ifdef OPENSSL_SYS_WIN16
+ 		/* MSVC 1.5 does not clear the top bytes of the word unless
+ 		 * I do this.
+diff -up openssl-1.0.0-beta4/ssl/d1_clnt.c.dtls-reneg openssl-1.0.0-beta4/ssl/d1_clnt.c
+--- openssl-1.0.0-beta4/ssl/d1_clnt.c.dtls-reneg	2009-07-24 13:52:32.000000000 +0200
++++ openssl-1.0.0-beta4/ssl/d1_clnt.c	2010-01-07 17:44:55.000000000 +0100
+@@ -286,16 +286,44 @@ int dtls1_connect(SSL *s)
+ 
+ 		case SSL3_ST_CR_CERT_A:
+ 		case SSL3_ST_CR_CERT_B:
++#ifndef OPENSSL_NO_TLSEXT
++			ret=ssl3_check_finished(s);
++			if (ret <= 0) goto end;
++			if (ret == 2)
++				{
++				s->hit = 1;
++				if (s->tlsext_ticket_expected)
++					s->state=SSL3_ST_CR_SESSION_TICKET_A;
++				else
++					s->state=SSL3_ST_CR_FINISHED_A;
++				s->init_num=0;
++				break;
++				}
++#endif
+ 			/* Check if it is anon DH or PSK */
+ 			if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
+ 			    !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
+ 				{
+ 				ret=ssl3_get_server_certificate(s);
+ 				if (ret <= 0) goto end;
++#ifndef OPENSSL_NO_TLSEXT
++				if (s->tlsext_status_expected)
++					s->state=SSL3_ST_CR_CERT_STATUS_A;
++				else
++					s->state=SSL3_ST_CR_KEY_EXCH_A;
++				}
++			else
++				{
++				skip = 1;
++				s->state=SSL3_ST_CR_KEY_EXCH_A;
++				}
++#else
+ 				}
+ 			else
+ 				skip=1;
++
+ 			s->state=SSL3_ST_CR_KEY_EXCH_A;
++#endif
+ 			s->init_num=0;
+ 			break;
+ 
+@@ -437,11 +465,36 @@ int dtls1_connect(SSL *s)
+ 				}
+ 			else
+ 				{
++#ifndef OPENSSL_NO_TLSEXT
++				/* Allow NewSessionTicket if ticket expected */
++				if (s->tlsext_ticket_expected)
++					s->s3->tmp.next_state=SSL3_ST_CR_SESSION_TICKET_A;
++				else
++#endif
++				
+ 				s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A;
+ 				}
+ 			s->init_num=0;
+ 			break;
+ 
++#ifndef OPENSSL_NO_TLSEXT
++		case SSL3_ST_CR_SESSION_TICKET_A:
++		case SSL3_ST_CR_SESSION_TICKET_B:
++			ret=ssl3_get_new_session_ticket(s);
++			if (ret <= 0) goto end;
++			s->state=SSL3_ST_CR_FINISHED_A;
++			s->init_num=0;
++		break;
++
++		case SSL3_ST_CR_CERT_STATUS_A:
++		case SSL3_ST_CR_CERT_STATUS_B:
++			ret=ssl3_get_cert_status(s);
++			if (ret <= 0) goto end;
++			s->state=SSL3_ST_CR_KEY_EXCH_A;
++			s->init_num=0;
++		break;
++#endif
++
+ 		case SSL3_ST_CR_FINISHED_A:
+ 		case SSL3_ST_CR_FINISHED_B:
+ 			s->d1->change_cipher_spec_ok = 1;
+@@ -554,8 +607,14 @@ int dtls1_client_hello(SSL *s)
+ 	buf=(unsigned char *)s->init_buf->data;
+ 	if (s->state == SSL3_ST_CW_CLNT_HELLO_A)
+ 		{
++		SSL_SESSION *sess = s->session;
+ 		if ((s->session == NULL) ||
+ 			(s->session->ssl_version != s->version) ||
++#ifdef OPENSSL_NO_TLSEXT
++			!sess->session_id_length ||
++#else
++			(!sess->session_id_length && !sess->tlsext_tick) ||
++#endif
+ 			(s->session->not_resumable))
+ 			{
+ 			if (!ssl_get_new_session(s,0))
+@@ -635,7 +694,15 @@ int dtls1_client_hello(SSL *s)
+ 			*(p++)=comp->id;
+ 			}
+ 		*(p++)=0; /* Add the NULL method */
+-		
++
++#ifndef OPENSSL_NO_TLSEXT
++		if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
++			{
++			SSLerr(SSL_F_SSL3_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
++			goto err;
++			}
++#endif		
++
+ 		l=(p-d);
+ 		d=buf;
+ 
+diff -up openssl-1.0.0-beta4/ssl/d1_lib.c.dtls-reneg openssl-1.0.0-beta4/ssl/d1_lib.c
+diff -up openssl-1.0.0-beta4/ssl/d1_srvr.c.dtls-reneg openssl-1.0.0-beta4/ssl/d1_srvr.c
+--- openssl-1.0.0-beta4/ssl/d1_srvr.c.dtls-reneg	2009-09-09 19:05:42.000000000 +0200
++++ openssl-1.0.0-beta4/ssl/d1_srvr.c	2010-01-07 17:44:55.000000000 +0100
+@@ -305,8 +305,18 @@ int dtls1_accept(SSL *s)
+ 			ret=dtls1_send_server_hello(s);
+ 			if (ret <= 0) goto end;
+ 
++#ifndef OPENSSL_NO_TLSEXT
+ 			if (s->hit)
+-				s->state=SSL3_ST_SW_CHANGE_A;
++				{
++				if (s->tlsext_ticket_expected)
++					s->state=SSL3_ST_SW_SESSION_TICKET_A;
++				else
++					s->state=SSL3_ST_SW_CHANGE_A;
++				}
++#else
++			if (s->hit)
++					s->state=SSL3_ST_SW_CHANGE_A;
++#endif
+ 			else
+ 				s->state=SSL3_ST_SW_CERT_A;
+ 			s->init_num=0;
+@@ -321,10 +331,24 @@ int dtls1_accept(SSL *s)
+ 				dtls1_start_timer(s);
+ 				ret=dtls1_send_server_certificate(s);
+ 				if (ret <= 0) goto end;
++#ifndef OPENSSL_NO_TLSEXT
++				if (s->tlsext_status_expected)
++					s->state=SSL3_ST_SW_CERT_STATUS_A;
++				else
++					s->state=SSL3_ST_SW_KEY_EXCH_A;
++				}
++			else
++				{
++				skip = 1;
++				s->state=SSL3_ST_SW_KEY_EXCH_A;
++				}
++#else
+ 				}
+ 			else
+ 				skip=1;
++
+ 			s->state=SSL3_ST_SW_KEY_EXCH_A;
++#endif
+ 			s->init_num=0;
+ 			break;
+ 
+@@ -519,11 +543,34 @@ int dtls1_accept(SSL *s)
+ 			dtls1_stop_timer(s);
+ 			if (s->hit)
+ 				s->state=SSL_ST_OK;
++#ifndef OPENSSL_NO_TLSEXT
++			else if (s->tlsext_ticket_expected)
++				s->state=SSL3_ST_SW_SESSION_TICKET_A;
++#endif
+ 			else
+ 				s->state=SSL3_ST_SW_CHANGE_A;
+ 			s->init_num=0;
+ 			break;
+ 
++#ifndef OPENSSL_NO_TLSEXT
++		case SSL3_ST_SW_SESSION_TICKET_A:
++		case SSL3_ST_SW_SESSION_TICKET_B:
++			ret=dtls1_send_newsession_ticket(s);
++			if (ret <= 0) goto end;
++			s->state=SSL3_ST_SW_CHANGE_A;
++			s->init_num=0;
++			break;
++
++		case SSL3_ST_SW_CERT_STATUS_A:
++		case SSL3_ST_SW_CERT_STATUS_B:
++			ret=ssl3_send_cert_status(s);
++			if (ret <= 0) goto end;
++			s->state=SSL3_ST_SW_KEY_EXCH_A;
++			s->init_num=0;
++			break;
++
++#endif
++
+ 		case SSL3_ST_SW_CHANGE_A:
+ 		case SSL3_ST_SW_CHANGE_B:
+ 
+@@ -749,6 +796,8 @@ int dtls1_send_server_hello(SSL *s)
+ 		p+=sl;
+ 
+ 		/* put the cipher */
++		if (s->s3->tmp.new_cipher == NULL)
++			return -1;
+ 		i=ssl3_put_cipher_by_char(s->s3->tmp.new_cipher,p);
+ 		p+=i;
+ 
+@@ -762,6 +811,14 @@ int dtls1_send_server_hello(SSL *s)
+ 			*(p++)=s->s3->tmp.new_compression->id;
+ #endif
+ 
++#ifndef OPENSSL_NO_TLSEXT
++		if ((p = ssl_add_serverhello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
++			{
++			SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR);
++			return -1;
++			}
++#endif
++
+ 		/* do the header */
+ 		l=(p-d);
+ 		d=buf;
+@@ -1384,3 +1441,114 @@ int dtls1_send_server_certificate(SSL *s
+ 	/* SSL3_ST_SW_CERT_B */
+ 	return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
+ 	}
++
++#ifndef OPENSSL_NO_TLSEXT
++int dtls1_send_newsession_ticket(SSL *s)
++	{
++	if (s->state == SSL3_ST_SW_SESSION_TICKET_A)
++		{
++		unsigned char *p, *senc, *macstart;
++		int len, slen;
++		unsigned int hlen, msg_len;
++		EVP_CIPHER_CTX ctx;
++		HMAC_CTX hctx;
++		SSL_CTX *tctx = s->initial_ctx;
++		unsigned char iv[EVP_MAX_IV_LENGTH];
++		unsigned char key_name[16];
++
++		/* get session encoding length */
++		slen = i2d_SSL_SESSION(s->session, NULL);
++		/* Some length values are 16 bits, so forget it if session is
++ 		 * too long
++ 		 */
++		if (slen > 0xFF00)
++			return -1;
++		/* Grow buffer if need be: the length calculation is as
++ 		 * follows 12 (DTLS handshake message header) +
++ 		 * 4 (ticket lifetime hint) + 2 (ticket length) +
++ 		 * 16 (key name) + max_iv_len (iv length) +
++ 		 * session_length + max_enc_block_size (max encrypted session
++ 		 * length) + max_md_size (HMAC).
++ 		 */
++		if (!BUF_MEM_grow(s->init_buf,
++			DTLS1_HM_HEADER_LENGTH + 22 + EVP_MAX_IV_LENGTH +
++			EVP_MAX_BLOCK_LENGTH + EVP_MAX_MD_SIZE + slen))
++			return -1;
++		senc = OPENSSL_malloc(slen);
++		if (!senc)
++			return -1;
++		p = senc;
++		i2d_SSL_SESSION(s->session, &p);
++
++		p=(unsigned char *)&(s->init_buf->data[DTLS1_HM_HEADER_LENGTH]);
++		EVP_CIPHER_CTX_init(&ctx);
++		HMAC_CTX_init(&hctx);
++		/* Initialize HMAC and cipher contexts. If callback present
++		 * it does all the work otherwise use generated values
++		 * from parent ctx.
++		 */
++		if (tctx->tlsext_ticket_key_cb)
++			{
++			if (tctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx,
++							 &hctx, 1) < 0)
++				{
++				OPENSSL_free(senc);
++				return -1;
++				}
++			}
++		else
++			{
++			RAND_pseudo_bytes(iv, 16);
++			EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
++					tctx->tlsext_tick_aes_key, iv);
++			HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
++					tlsext_tick_md(), NULL);
++			memcpy(key_name, tctx->tlsext_tick_key_name, 16);
++			}
++		l2n(s->session->tlsext_tick_lifetime_hint, p);
++		/* Skip ticket length for now */
++		p += 2;
++		/* Output key name */
++		macstart = p;
++		memcpy(p, key_name, 16);
++		p += 16;
++		/* output IV */
++		memcpy(p, iv, EVP_CIPHER_CTX_iv_length(&ctx));
++		p += EVP_CIPHER_CTX_iv_length(&ctx);
++		/* Encrypt session data */
++		EVP_EncryptUpdate(&ctx, p, &len, senc, slen);
++		p += len;
++		EVP_EncryptFinal(&ctx, p, &len);
++		p += len;
++		EVP_CIPHER_CTX_cleanup(&ctx);
++
++		HMAC_Update(&hctx, macstart, p - macstart);
++		HMAC_Final(&hctx, p, &hlen);
++		HMAC_CTX_cleanup(&hctx);
++
++		p += hlen;
++		/* Now write out lengths: p points to end of data written */
++		/* Total length */
++		len = p - (unsigned char *)&(s->init_buf->data[DTLS1_HM_HEADER_LENGTH]);
++		p=(unsigned char *)&(s->init_buf->data[DTLS1_HM_HEADER_LENGTH]) + 4;
++		s2n(len - 18, p);  /* Ticket length */
++
++		/* number of bytes to write */
++		s->init_num= len;
++		s->state=SSL3_ST_SW_SESSION_TICKET_B;
++		s->init_off=0;
++		OPENSSL_free(senc);
++
++		/* XDTLS:  set message header ? */
++		msg_len = s->init_num - DTLS1_HM_HEADER_LENGTH;
++		dtls1_set_message_header(s, (void *)s->init_buf->data,
++			SSL3_MT_NEWSESSION_TICKET, msg_len, 0, msg_len);
++
++		/* buffer the message to handle re-xmits */
++		dtls1_buffer_message(s, 0);
++		}
++
++	/* SSL3_ST_SW_SESSION_TICKET_B */
++	return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
++	}
++#endif
+diff -up openssl-1.0.0-beta4/ssl/ssl_locl.h.dtls-reneg openssl-1.0.0-beta4/ssl/ssl_locl.h
+--- openssl-1.0.0-beta4/ssl/ssl_locl.h.dtls-reneg	2009-11-23 08:36:03.000000000 +0100
++++ openssl-1.0.0-beta4/ssl/ssl_locl.h	2010-01-07 17:44:55.000000000 +0100
+@@ -933,7 +933,7 @@ void dtls1_start_timer(SSL *s);
+ void dtls1_stop_timer(SSL *s);
+ int dtls1_is_timer_expired(SSL *s);
+ void dtls1_double_timeout(SSL *s);
+-
++int dtls1_send_newsession_ticket(SSL *s);
+ 
+ /* some client-only functions */
+ int ssl3_client_hello(SSL *s);
+@@ -949,6 +949,9 @@ int ssl3_send_client_key_exchange(SSL *s
+ int ssl3_get_key_exchange(SSL *s);
+ int ssl3_get_server_certificate(SSL *s);
+ int ssl3_check_cert_and_algorithm(SSL *s);
++#ifndef OPENSSL_NO_TLSEXT
++int ssl3_check_finished(SSL *s);
++#endif
+ 
+ int dtls1_client_hello(SSL *s);
+ int dtls1_send_client_certificate(SSL *s);
+@@ -1030,6 +1033,7 @@ int ssl_prepare_clienthello_tlsext(SSL *
+ int ssl_prepare_serverhello_tlsext(SSL *s);
+ int ssl_check_clienthello_tlsext(SSL *s);
+ int ssl_check_serverhello_tlsext(SSL *s);
++
+ #ifdef OPENSSL_NO_SHA256
+ #define tlsext_tick_md	EVP_sha1
+ #else
+diff -up openssl-1.0.0-beta4/ssl/s3_clnt.c.dtls-reneg openssl-1.0.0-beta4/ssl/s3_clnt.c
+--- openssl-1.0.0-beta4/ssl/s3_clnt.c.dtls-reneg	2009-11-23 08:36:04.000000000 +0100
++++ openssl-1.0.0-beta4/ssl/s3_clnt.c	2010-01-07 17:44:55.000000000 +0100
+@@ -170,9 +170,6 @@
+ 
+ static const SSL_METHOD *ssl3_get_client_method(int ver);
+ static int ca_dn_cmp(const X509_NAME * const *a,const X509_NAME * const *b);
+-#ifndef OPENSSL_NO_TLSEXT
+-static int ssl3_check_finished(SSL *s);
+-#endif
+ 
+ static const SSL_METHOD *ssl3_get_client_method(int ver)
+ 	{
+@@ -1827,6 +1824,7 @@ int ssl3_get_new_session_ticket(SSL *s)
+ 		SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH);
+ 		goto f_err;
+ 		}
++
+ 	p=d=(unsigned char *)s->init_msg;
+ 	n2l(p, s->session->tlsext_tick_lifetime_hint);
+ 	n2s(p, ticklen);
+@@ -2991,7 +2989,7 @@ err:
+  */
+ 
+ #ifndef OPENSSL_NO_TLSEXT
+-static int ssl3_check_finished(SSL *s)
++int ssl3_check_finished(SSL *s)
+ 	{
+ 	int ok;
+ 	long n;
+diff -up openssl-1.0.0-beta4/ssl/t1_lib.c.dtls-reneg openssl-1.0.0-beta4/ssl/t1_lib.c
+--- openssl-1.0.0-beta4/ssl/t1_lib.c.dtls-reneg	2009-11-23 08:36:04.000000000 +0100
++++ openssl-1.0.0-beta4/ssl/t1_lib.c	2010-01-07 17:44:55.000000000 +0100
+@@ -340,7 +340,8 @@ unsigned char *ssl_add_clienthello_tlsex
+         }
+ 
+ #ifndef OPENSSL_NO_EC
+-	if (s->tlsext_ecpointformatlist != NULL)
++	if (s->tlsext_ecpointformatlist != NULL &&
++	    s->version != DTLS1_VERSION)
+ 		{
+ 		/* Add TLS extension ECPointFormats to the ClientHello message */
+ 		long lenmax; 
+@@ -359,7 +360,8 @@ unsigned char *ssl_add_clienthello_tlsex
+ 		memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
+ 		ret+=s->tlsext_ecpointformatlist_length;
+ 		}
+-	if (s->tlsext_ellipticcurvelist != NULL)
++	if (s->tlsext_ellipticcurvelist != NULL &&
++	    s->version != DTLS1_VERSION)
+ 		{
+ 		/* Add TLS extension EllipticCurves to the ClientHello message */
+ 		long lenmax; 
+@@ -423,7 +425,8 @@ unsigned char *ssl_add_clienthello_tlsex
+ 		skip_ext:
+ 
+ #ifdef TLSEXT_TYPE_opaque_prf_input
+-	if (s->s3->client_opaque_prf_input != NULL)
++	if (s->s3->client_opaque_prf_input != NULL &&
++	    s->version != DTLS1_VERSION)
+ 		{
+ 		size_t col = s->s3->client_opaque_prf_input_len;
+ 		
+@@ -440,7 +443,8 @@ unsigned char *ssl_add_clienthello_tlsex
+ 		}
+ #endif
+ 
+-	if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
++	if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
++	    s->version != DTLS1_VERSION)
+ 		{
+ 		int i;
+ 		long extlen, idlen, itmp;
+@@ -515,7 +519,7 @@ unsigned char *ssl_add_serverhello_tlsex
+ 		s2n(0,ret);
+ 		}
+ 
+-        if(s->s3->send_connection_binding)
++	if(s->s3->send_connection_binding)
+         {
+           int el;
+           
+@@ -540,7 +544,8 @@ unsigned char *ssl_add_serverhello_tlsex
+         }
+ 
+ #ifndef OPENSSL_NO_EC
+-	if (s->tlsext_ecpointformatlist != NULL)
++	if (s->tlsext_ecpointformatlist != NULL &&
++	    s->version != DTLS1_VERSION)
+ 		{
+ 		/* Add TLS extension ECPointFormats to the ServerHello message */
+ 		long lenmax; 
+@@ -579,7 +584,8 @@ unsigned char *ssl_add_serverhello_tlsex
+ 		}
+ 
+ #ifdef TLSEXT_TYPE_opaque_prf_input
+-	if (s->s3->server_opaque_prf_input != NULL)
++	if (s->s3->server_opaque_prf_input != NULL &&
++	    s->version != DTLS1_VERSION)
+ 		{
+ 		size_t sol = s->s3->server_opaque_prf_input_len;
+ 		
+@@ -757,7 +763,8 @@ int ssl_parse_clienthello_tlsext(SSL *s,
+ 			}
+ 
+ #ifndef OPENSSL_NO_EC
+-		else if (type == TLSEXT_TYPE_ec_point_formats)
++		else if (type == TLSEXT_TYPE_ec_point_formats &&
++	             s->version != DTLS1_VERSION)
+ 			{
+ 			unsigned char *sdata = data;
+ 			int ecpointformatlist_length = *(sdata++);
+@@ -784,7 +791,8 @@ int ssl_parse_clienthello_tlsext(SSL *s,
+ 			fprintf(stderr,"\n");
+ #endif
+ 			}
+-		else if (type == TLSEXT_TYPE_elliptic_curves)
++		else if (type == TLSEXT_TYPE_elliptic_curves &&
++	             s->version != DTLS1_VERSION)
+ 			{
+ 			unsigned char *sdata = data;
+ 			int ellipticcurvelist_length = (*(sdata++) << 8);
+@@ -814,7 +822,8 @@ int ssl_parse_clienthello_tlsext(SSL *s,
+ 			}
+ #endif /* OPENSSL_NO_EC */
+ #ifdef TLSEXT_TYPE_opaque_prf_input
+-		else if (type == TLSEXT_TYPE_opaque_prf_input)
++		else if (type == TLSEXT_TYPE_opaque_prf_input &&
++	             s->version != DTLS1_VERSION)
+ 			{
+ 			unsigned char *sdata = data;
+ 
+@@ -858,8 +867,8 @@ int ssl_parse_clienthello_tlsext(SSL *s,
+ 				return 0;
+ 			renegotiate_seen = 1;
+ 			}
+-		else if (type == TLSEXT_TYPE_status_request
+-						&& s->ctx->tlsext_status_cb)
++		else if (type == TLSEXT_TYPE_status_request &&
++		         s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb)
+ 			{
+ 		
+ 			if (size < 5) 
+@@ -1027,7 +1036,8 @@ int ssl_parse_serverhello_tlsext(SSL *s,
+ 			}
+ 
+ #ifndef OPENSSL_NO_EC
+-		else if (type == TLSEXT_TYPE_ec_point_formats)
++		else if (type == TLSEXT_TYPE_ec_point_formats &&
++	             s->version != DTLS1_VERSION)
+ 			{
+ 			unsigned char *sdata = data;
+ 			int ecpointformatlist_length = *(sdata++);
+@@ -1073,7 +1083,8 @@ int ssl_parse_serverhello_tlsext(SSL *s,
+ 			s->tlsext_ticket_expected = 1;
+ 			}
+ #ifdef TLSEXT_TYPE_opaque_prf_input
+-		else if (type == TLSEXT_TYPE_opaque_prf_input)
++		else if (type == TLSEXT_TYPE_opaque_prf_input &&
++	             s->version != DTLS1_VERSION)
+ 			{
+ 			unsigned char *sdata = data;
+ 
+@@ -1103,7 +1114,8 @@ int ssl_parse_serverhello_tlsext(SSL *s,
+ 				}
+ 			}
+ #endif
+-		else if (type == TLSEXT_TYPE_status_request)
++		else if (type == TLSEXT_TYPE_status_request &&
++		         s->version != DTLS1_VERSION)
+ 			{
+ 			/* MUST be empty and only sent if we've requested
+ 			 * a status request message.

openssl-1.0.0-beta4-reneg-scsv.patch

@@ -0,0 +1,793 @@
+diff -up openssl-1.0.0-beta4/apps/s_client.c.scsv openssl-1.0.0-beta4/apps/s_client.c
+--- openssl-1.0.0-beta4/apps/s_client.c.scsv	2010-01-07 23:37:39.000000000 +0100
++++ openssl-1.0.0-beta4/apps/s_client.c	2010-01-07 23:37:39.000000000 +0100
+@@ -382,7 +382,7 @@ int MAIN(int, char **);
+ 
+ int MAIN(int argc, char **argv)
+ 	{
+-	int off=0;
++	unsigned int off=0, clr=0;
+ 	SSL *con=NULL;
+ 	int s,k,width,state=0;
+ 	char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL;
+@@ -660,6 +660,10 @@ int MAIN(int argc, char **argv)
+ 			off|=SSL_OP_CIPHER_SERVER_PREFERENCE;
+ 		else if (strcmp(*argv,"-legacy_renegotiation") == 0)
+ 			off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
++		else if	(strcmp(*argv,"-legacy_server_connect") == 0)
++			{ off|=SSL_OP_LEGACY_SERVER_CONNECT; }
++		else if	(strcmp(*argv,"-no_legacy_server_connect") == 0)
++			{ clr|=SSL_OP_LEGACY_SERVER_CONNECT; }
+ 		else if	(strcmp(*argv,"-cipher") == 0)
+ 			{
+ 			if (--argc < 1) goto bad;
+@@ -870,6 +874,9 @@ bad:
+ 		SSL_CTX_set_options(ctx,SSL_OP_ALL|off);
+ 	else
+ 		SSL_CTX_set_options(ctx,off);
++
++	if (clr)
++		SSL_CTX_clear_options(ctx, clr);
+ 	/* DTLS: partial reads end up discarding unread UDP bytes :-( 
+ 	 * Setting read ahead solves this problem.
+ 	 */
+@@ -1725,6 +1732,8 @@ static void print_stuff(BIO *bio, SSL *s
+ 							 EVP_PKEY_bits(pktmp));
+ 		EVP_PKEY_free(pktmp);
+ 	}
++	BIO_printf(bio, "Secure Renegotiation IS%s supported\n",
++			SSL_get_secure_renegotiation_support(s) ? "" : " NOT");
+ #ifndef OPENSSL_NO_COMP
+ 	comp=SSL_get_current_compression(s);
+ 	expansion=SSL_get_current_expansion(s);
+diff -up openssl-1.0.0-beta4/apps/s_server.c.scsv openssl-1.0.0-beta4/apps/s_server.c
+--- openssl-1.0.0-beta4/apps/s_server.c.scsv	2010-01-07 23:37:39.000000000 +0100
++++ openssl-1.0.0-beta4/apps/s_server.c	2010-01-07 23:37:39.000000000 +0100
+@@ -2212,6 +2212,8 @@ static int init_ssl_connection(SSL *con)
+ 			con->kssl_ctx->client_princ);
+ 		}
+ #endif /* OPENSSL_NO_KRB5 */
++	BIO_printf(bio_s_out, "Secure Renegotiation IS%s supported\n",
++		      SSL_get_secure_renegotiation_support(con) ? "" : " NOT");
+ 	return(1);
+ 	}
+ 
+diff -up openssl-1.0.0-beta4/doc/ssl/SSL_CTX_set_options.pod.scsv openssl-1.0.0-beta4/doc/ssl/SSL_CTX_set_options.pod
+--- openssl-1.0.0-beta4/doc/ssl/SSL_CTX_set_options.pod.scsv	2007-08-24 00:49:13.000000000 +0200
++++ openssl-1.0.0-beta4/doc/ssl/SSL_CTX_set_options.pod	2010-01-07 23:37:39.000000000 +0100
+@@ -2,7 +2,7 @@
+ 
+ =head1 NAME
+ 
+-SSL_CTX_set_options, SSL_set_options, SSL_CTX_get_options, SSL_get_options - manipulate SSL engine options
++SSL_CTX_set_options, SSL_set_options, SSL_CTX_clear_options, SSL_clear_options, SSL_CTX_get_options, SSL_get_options, SSL_get_secure_renegotiation_support - manipulate SSL options
+ 
+ =head1 SYNOPSIS
+ 
+@@ -11,26 +11,41 @@ SSL_CTX_set_options, SSL_set_options, SS
+  long SSL_CTX_set_options(SSL_CTX *ctx, long options);
+  long SSL_set_options(SSL *ssl, long options);
+ 
++ long SSL_CTX_clear_options(SSL_CTX *ctx, long options);
++ long SSL_clear_options(SSL *ssl, long options);
++
+  long SSL_CTX_get_options(SSL_CTX *ctx);
+  long SSL_get_options(SSL *ssl);
+ 
++ long SSL_get_secure_renegotiation_support(SSL *ssl);
++
+ =head1 DESCRIPTION
+ 
++Note: all these functions are implemented using macros.
++
+ SSL_CTX_set_options() adds the options set via bitmask in B<options> to B<ctx>.
+ Options already set before are not cleared!
+ 
+ SSL_set_options() adds the options set via bitmask in B<options> to B<ssl>.
+ Options already set before are not cleared!
+ 
++SSL_CTX_clear_options() clears the options set via bitmask in B<options>
++to B<ctx>.
++
++SSL_clear_options() clears the options set via bitmask in B<options> to B<ssl>.
++
+ SSL_CTX_get_options() returns the options set for B<ctx>.
+ 
+ SSL_get_options() returns the options set for B<ssl>.
+ 
++SSL_get_secure_renegotiation_support() indicates whether the peer supports
++secure renegotiation.
++
+ =head1 NOTES
+ 
+ The behaviour of the SSL library can be changed by setting several options.
+ The options are coded as bitmasks and can be combined by a logical B<or>
+-operation (|). Options can only be added but can never be reset.
++operation (|).
+ 
+ SSL_CTX_set_options() and SSL_set_options() affect the (external)
+ protocol behaviour of the SSL library. The (internal) behaviour of
+@@ -199,7 +214,7 @@ Do not use the TLSv1 protocol.
+ 
+ When performing renegotiation as a server, always start a new session
+ (i.e., session resumption requests are only accepted in the initial
+-handshake).  This option is not needed for clients.
++handshake). This option is not needed for clients.
+ 
+ =item SSL_OP_NO_TICKET
+ 
+@@ -209,15 +224,63 @@ of RFC4507bis tickets for stateless sess
+ If this option is set this functionality is disabled and tickets will
+ not be used by clients or servers.
+ 
++=item SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
++
++See the B<SECURE RENEGOTIATION> section for a discussion of the purpose of
++this option
++
+ =back
+ 
++=head1 SECURE RENEGOTIATION
++
++OpenSSL 0.9.8m and later always attempts to use secure renegotiation as
++described in draft-ietf-tls-renegotiation (FIXME: replace by RFC). This
++counters a prefix attack described in the draft and elsewhere (FIXME: need full
++reference).
++
++This attack has far reaching consequences which application writers should be
++aware of. In the description below an implementation supporting secure
++renegotiation is referred to as I<patched>. A server not supporting secure
++renegotiation is referred to as I<unpatched>.
++
++If an unpatched client attempts to connect to a patched OpenSSL server then
++the attempt will succeed but renegotiation is not permitted. As required
++by the standard a B<no_renegotiation> alert is sent back to the client if
++the TLS v1.0 protocol is used. If SSLv3.0 is used then renegotiation results
++in a fatal B<handshake_failed> alert.
++
++If a patched OpenSSL client attempts to connect to an unpatched server
++then the connection will fail because it is not possible to determine
++whether an attack is taking place.
++
++If the option B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> is set then the
++above restrictions are relaxed. Renegotiation is permissible and initial
++connections to unpatched servers will succeed.
++
++This option should be used with caution because it leaves both clients and
++servers vulnerable. However unpatched servers and clients are likely to be
++around for some time and refusing to connect to unpatched servers or denying
++renegotion altogether may be unacceptable. So applications may be forced to
++tolerate unsafe renegotiation for the immediate future.
++
++The function SSL_get_secure_renegotiation_support() indicates whether the peer
++supports secure renegotiation. 
++
++The deprecated SSLv2 protocol does not support secure renegotiation at all.
++
+ =head1 RETURN VALUES
+ 
+ SSL_CTX_set_options() and SSL_set_options() return the new options bitmask
+ after adding B<options>.
+ 
++SSL_CTX_clear_options() and SSL_clear_options() return the new options bitmask
++after clearing B<options>.
++
+ SSL_CTX_get_options() and SSL_get_options() return the current bitmask.
+ 
++SSL_get_secure_renegotiation_support() returns 1 is the peer supports
++secure renegotiation and 0 if it does not.
++
+ =head1 SEE ALSO
+ 
+ L<ssl(3)|ssl(3)>, L<SSL_new(3)|SSL_new(3)>, L<SSL_clear(3)|SSL_clear(3)>,
+@@ -240,4 +303,10 @@ Versions up to OpenSSL 0.9.6c do not inc
+ can be disabled with this option (in OpenSSL 0.9.6d, it was always
+ enabled).
+ 
++SSL_CTX_clear_options() and SSL_clear_options() were first added in OpenSSL
++0.9.8m.
++
++B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> was first added in OpenSSL
++0.9.8m.
++
+ =cut
+diff -up openssl-1.0.0-beta4/ssl/d1_clnt.c.scsv openssl-1.0.0-beta4/ssl/d1_clnt.c
+--- openssl-1.0.0-beta4/ssl/d1_clnt.c.scsv	2010-01-07 23:37:39.000000000 +0100
++++ openssl-1.0.0-beta4/ssl/d1_clnt.c	2010-01-07 23:37:39.000000000 +0100
+@@ -698,7 +698,7 @@ int dtls1_client_hello(SSL *s)
+ #ifndef OPENSSL_NO_TLSEXT
+ 		if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
+ 			{
+-			SSLerr(SSL_F_SSL3_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
++			SSLerr(SSL_F_DTLS1_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
+ 			goto err;
+ 			}
+ #endif		
+diff -up openssl-1.0.0-beta4/ssl/d1_srvr.c.scsv openssl-1.0.0-beta4/ssl/d1_srvr.c
+--- openssl-1.0.0-beta4/ssl/d1_srvr.c.scsv	2010-01-07 23:37:39.000000000 +0100
++++ openssl-1.0.0-beta4/ssl/d1_srvr.c	2010-01-07 23:37:39.000000000 +0100
+@@ -814,7 +814,7 @@ int dtls1_send_server_hello(SSL *s)
+ #ifndef OPENSSL_NO_TLSEXT
+ 		if ((p = ssl_add_serverhello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
+ 			{
+-			SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR);
++			SSLerr(SSL_F_DTLS1_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR);
+ 			return -1;
+ 			}
+ #endif
+diff -up openssl-1.0.0-beta4/ssl/ssl_err.c.scsv openssl-1.0.0-beta4/ssl/ssl_err.c
+--- openssl-1.0.0-beta4/ssl/ssl_err.c.scsv	2010-01-07 23:37:39.000000000 +0100
++++ openssl-1.0.0-beta4/ssl/ssl_err.c	2010-01-07 23:37:39.000000000 +0100
+@@ -414,6 +414,7 @@ static ERR_STRING_DATA SSL_str_reasons[]
+ {ERR_REASON(SSL_R_NO_PRIVATE_KEY_ASSIGNED),"no private key assigned"},
+ {ERR_REASON(SSL_R_NO_PROTOCOLS_AVAILABLE),"no protocols available"},
+ {ERR_REASON(SSL_R_NO_PUBLICKEY)          ,"no publickey"},
++{ERR_REASON(SSL_R_NO_RENEGOTIATION)      ,"no renegotiation"},
+ {ERR_REASON(SSL_R_NO_REQUIRED_DIGEST)    ,"digest requred for handshake isn't computed"},
+ {ERR_REASON(SSL_R_NO_SHARED_CIPHER)      ,"no shared cipher"},
+ {ERR_REASON(SSL_R_NO_VERIFY_CALLBACK)    ,"no verify callback"},
+@@ -453,6 +454,7 @@ static ERR_STRING_DATA SSL_str_reasons[]
+ {ERR_REASON(SSL_R_REUSE_CERT_LENGTH_NOT_ZERO),"reuse cert length not zero"},
+ {ERR_REASON(SSL_R_REUSE_CERT_TYPE_NOT_ZERO),"reuse cert type not zero"},
+ {ERR_REASON(SSL_R_REUSE_CIPHER_LIST_NOT_ZERO),"reuse cipher list not zero"},
++{ERR_REASON(SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING),"scsv received when renegotiating"},
+ {ERR_REASON(SSL_R_SERVERHELLO_TLSEXT)    ,"serverhello tlsext"},
+ {ERR_REASON(SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED),"session id context uninitialized"},
+ {ERR_REASON(SSL_R_SHORT_READ)            ,"short read"},
+diff -up openssl-1.0.0-beta4/ssl/ssl.h.scsv openssl-1.0.0-beta4/ssl/ssl.h
+--- openssl-1.0.0-beta4/ssl/ssl.h.scsv	2010-01-07 23:37:39.000000000 +0100
++++ openssl-1.0.0-beta4/ssl/ssl.h	2010-01-07 23:37:39.000000000 +0100
+@@ -511,6 +511,8 @@ typedef struct ssl_session_st
+ 
+ #define SSL_OP_MICROSOFT_SESS_ID_BUG			0x00000001L
+ #define SSL_OP_NETSCAPE_CHALLENGE_BUG			0x00000002L
++/* Allow initial connection to servers that don't support RI */
++#define SSL_OP_LEGACY_SERVER_CONNECT			0x00000004L
+ #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG		0x00000008L /* can break some security expectations */
+ #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG		0x00000010L
+ #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER		0x00000020L
+@@ -518,7 +520,6 @@ typedef struct ssl_session_st
+ #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG			0x00000080L
+ #define SSL_OP_TLS_D5_BUG				0x00000100L
+ #define SSL_OP_TLS_BLOCK_PADDING_BUG			0x00000200L
+-#define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION	0x00000400L
+ 
+ /* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added
+  * in OpenSSL 0.9.6d.  Usually (depending on the application protocol)
+@@ -544,6 +545,8 @@ typedef struct ssl_session_st
+ #define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION	0x00010000L
+ /* Don't use compression even if supported */
+ #define SSL_OP_NO_COMPRESSION				0x00020000L
++/* Permit unsafe legacy renegotiation */
++#define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION	0x00040000L
+ /* If set, always create a new key when using tmp_ecdh parameters */
+ #define SSL_OP_SINGLE_ECDH_USE				0x00080000L
+ /* If set, always create a new key when using tmp_dh parameters */
+@@ -599,17 +602,25 @@ typedef struct ssl_session_st
+ 
+ #define SSL_CTX_set_options(ctx,op) \
+ 	SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,(op),NULL)
++#define SSL_CTX_clear_options(ctx,op) \
++	SSL_CTX_ctrl((ctx),SSL_CTRL_CLEAR_OPTIONS,(op),NULL)
+ #define SSL_CTX_get_options(ctx) \
+ 	SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,0,NULL)
+ #define SSL_set_options(ssl,op) \
+ 	SSL_ctrl((ssl),SSL_CTRL_OPTIONS,(op),NULL)
++#define SSL_clear_options(ssl,op) \
++	SSL_ctrl((ssl),SSL_CTRL_CLEAR_OPTIONS,(op),NULL)
+ #define SSL_get_options(ssl) \
+         SSL_ctrl((ssl),SSL_CTRL_OPTIONS,0,NULL)
+ 
+ #define SSL_CTX_set_mode(ctx,op) \
+ 	SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,(op),NULL)
++#define SSL_CTX_clear_mode(ctx,op) \
++	SSL_CTX_ctrl((ctx),SSL_CTRL_CLEAR_MODE,(op),NULL)
+ #define SSL_CTX_get_mode(ctx) \
+ 	SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,0,NULL)
++#define SSL_clear_mode(ssl,op) \
++	SSL_ctrl((ssl),SSL_CTRL_CLEAR_MODE,(op),NULL)
+ #define SSL_set_mode(ssl,op) \
+ 	SSL_ctrl((ssl),SSL_CTRL_MODE,(op),NULL)
+ #define SSL_get_mode(ssl) \
+@@ -617,6 +628,8 @@ typedef struct ssl_session_st
+ #define SSL_set_mtu(ssl, mtu) \
+         SSL_ctrl((ssl),SSL_CTRL_SET_MTU,(mtu),NULL)
+ 
++#define SSL_get_secure_renegotiation_support(ssl) \
++	SSL_ctrl((ssl), SSL_CTRL_GET_RI_SUPPORT, 0, NULL)
+ 
+ void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
+ void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
+@@ -1389,6 +1402,10 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
+ #define DTLS_CTRL_HANDLE_TIMEOUT	74
+ #define DTLS_CTRL_LISTEN			75
+ 
++#define SSL_CTRL_GET_RI_SUPPORT			76
++#define SSL_CTRL_CLEAR_OPTIONS			77
++#define SSL_CTRL_CLEAR_MODE			78
++
+ #define DTLSv1_get_timeout(ssl, arg) \
+ 	SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg)
+ #define DTLSv1_handle_timeout(ssl) \
+@@ -2119,6 +2136,7 @@ void ERR_load_SSL_strings(void);
+ #define SSL_R_NO_PRIVATE_KEY_ASSIGNED			 190
+ #define SSL_R_NO_PROTOCOLS_AVAILABLE			 191
+ #define SSL_R_NO_PUBLICKEY				 192
++#define SSL_R_NO_RENEGOTIATION				 339
+ #define SSL_R_NO_REQUIRED_DIGEST			 324
+ #define SSL_R_NO_SHARED_CIPHER				 193
+ #define SSL_R_NO_VERIFY_CALLBACK			 194
+@@ -2158,6 +2176,7 @@ void ERR_load_SSL_strings(void);
+ #define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO		 216
+ #define SSL_R_REUSE_CERT_TYPE_NOT_ZERO			 217
+ #define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO		 218
++#define SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING		 345
+ #define SSL_R_SERVERHELLO_TLSEXT			 275
+ #define SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED		 277
+ #define SSL_R_SHORT_READ				 219
+diff -up openssl-1.0.0-beta4/ssl/ssl_lib.c.scsv openssl-1.0.0-beta4/ssl/ssl_lib.c
+--- openssl-1.0.0-beta4/ssl/ssl_lib.c.scsv	2010-01-07 23:37:39.000000000 +0100
++++ openssl-1.0.0-beta4/ssl/ssl_lib.c	2010-01-07 23:38:08.000000000 +0100
+@@ -1041,8 +1041,12 @@ long SSL_ctrl(SSL *s,int cmd,long larg,v
+ 
+ 	case SSL_CTRL_OPTIONS:
+ 		return(s->options|=larg);
++	case SSL_CTRL_CLEAR_OPTIONS:
++		return(s->options&=~larg);
+ 	case SSL_CTRL_MODE:
+ 		return(s->mode|=larg);
++	case SSL_CTRL_CLEAR_MODE:
++		return(s->mode &=~larg);
+ 	case SSL_CTRL_GET_MAX_CERT_LIST:
+ 		return(s->max_cert_list);
+ 	case SSL_CTRL_SET_MAX_CERT_LIST:
+@@ -1062,6 +1066,10 @@ long SSL_ctrl(SSL *s,int cmd,long larg,v
+ 			return 0;
+ 		s->max_send_fragment = larg;
+ 		return 1;
++	case SSL_CTRL_GET_RI_SUPPORT:
++		if (s->s3)
++			return s->s3->send_connection_binding;
++		else return 0;
+ 	default:
+ 		return(s->method->ssl_ctrl(s,cmd,larg,parg));
+ 		}
+@@ -1148,8 +1156,12 @@ long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd,l
+ 		return(ctx->stats.sess_cache_full);
+ 	case SSL_CTRL_OPTIONS:
+ 		return(ctx->options|=larg);
++	case SSL_CTRL_CLEAR_OPTIONS:
++		return(ctx->options&=~larg);
+ 	case SSL_CTRL_MODE:
+ 		return(ctx->mode|=larg);
++	case SSL_CTRL_CLEAR_MODE:
++		return(ctx->mode&=~larg);
+ 	case SSL_CTRL_SET_MAX_SEND_FRAGMENT:
+ 		if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH)
+ 			return 0;
+@@ -1357,6 +1369,22 @@ int ssl_cipher_list_to_bytes(SSL *s,STAC
+ 		j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p);
+ 		p+=j;
+ 		}
++	/* If p == q, no ciphers and caller indicates an error. Otherwise
++	 * add SCSV if not renegotiating.
++	 */
++	if (p != q && !s->new_session)
++		{
++		static SSL_CIPHER scsv =
++			{
++			0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
++			};
++		j = put_cb ? put_cb(&scsv,p) : ssl_put_cipher_by_char(s,&scsv,p);
++		p+=j;
++#ifdef OPENSSL_RI_DEBUG
++		fprintf(stderr, "SCSV sent by client\n");
++#endif
++		}
++
+ 	return(p-q);
+ 	}
+ 
+@@ -1366,6 +1394,8 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_ciphe
+ 	const SSL_CIPHER *c;
+ 	STACK_OF(SSL_CIPHER) *sk;
+ 	int i,n;
++	if (s->s3)
++		s->s3->send_connection_binding = 0;
+ 
+ 	n=ssl_put_cipher_by_char(s,NULL,NULL);
+ 	if ((num%n) != 0)
+@@ -1383,6 +1413,26 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_ciphe
+ 
+ 	for (i=0; i<num; i+=n)
+ 		{
++		/* Check for SCSV */
++		if (s->s3 && (n != 3 || !p[0]) &&
++			(p[n-2] == ((SSL3_CK_SCSV >> 8) & 0xff)) &&
++			(p[n-1] == (SSL3_CK_SCSV & 0xff)))
++			{
++			/* SCSV fatal if renegotiating */
++			if (s->new_session)
++				{
++				SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
++				ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 
++				goto err;
++				}
++			s->s3->send_connection_binding = 1;
++			p += n;
++#ifdef OPENSSL_RI_DEBUG
++			fprintf(stderr, "SCSV received by server\n");
++#endif
++			continue;
++			}
++
+ 		c=ssl_get_cipher_by_char(s,p);
+ 		p+=n;
+ 		if (c != NULL)
+@@ -1642,6 +1692,10 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
+ 	}
+ #endif
+ #endif
++	/* Default is to connect to non-RI servers. When RI is more widely
++	 * deployed might change this.
++	 */
++	ret->options = SSL_OP_LEGACY_SERVER_CONNECT;
+ 
+ 	return(ret);
+ err:
+diff -up openssl-1.0.0-beta4/ssl/ssl3.h.scsv openssl-1.0.0-beta4/ssl/ssl3.h
+--- openssl-1.0.0-beta4/ssl/ssl3.h.scsv	2010-01-07 23:37:38.000000000 +0100
++++ openssl-1.0.0-beta4/ssl/ssl3.h	2010-01-07 23:37:39.000000000 +0100
+@@ -128,6 +128,9 @@
+ extern "C" {
+ #endif
+ 
++/* Signalling cipher suite value: from draft-ietf-tls-renegotiation-03.txt */
++#define SSL3_CK_SCSV				0x030000FF
++
+ #define SSL3_CK_RSA_NULL_MD5			0x03000001
+ #define SSL3_CK_RSA_NULL_SHA			0x03000002
+ #define SSL3_CK_RSA_RC4_40_MD5 			0x03000003
+diff -up openssl-1.0.0-beta4/ssl/s3_clnt.c.scsv openssl-1.0.0-beta4/ssl/s3_clnt.c
+--- openssl-1.0.0-beta4/ssl/s3_clnt.c.scsv	2010-01-07 23:37:39.000000000 +0100
++++ openssl-1.0.0-beta4/ssl/s3_clnt.c	2010-01-07 23:37:39.000000000 +0100
+@@ -916,7 +916,7 @@ int ssl3_get_server_hello(SSL *s)
+ 
+ #ifndef OPENSSL_NO_TLSEXT
+ 	/* TLS extensions*/
+-	if (s->version > SSL3_VERSION)
++	if (s->version >= SSL3_VERSION)
+ 		{
+ 		if (!ssl_parse_serverhello_tlsext(s,&p,d,n, &al))
+ 			{
+diff -up openssl-1.0.0-beta4/ssl/s3_pkt.c.scsv openssl-1.0.0-beta4/ssl/s3_pkt.c
+--- openssl-1.0.0-beta4/ssl/s3_pkt.c.scsv	2009-07-14 17:28:44.000000000 +0200
++++ openssl-1.0.0-beta4/ssl/s3_pkt.c	2010-01-07 23:37:39.000000000 +0100
+@@ -1120,7 +1120,25 @@ start:
+ 		 * now try again to obtain the (application) data we were asked for */
+ 		goto start;
+ 		}
+-
++	/* If we are a server and get a client hello when renegotiation isn't
++	 * allowed send back a no renegotiation alert and carry on.
++	 * WARNING: experimental code, needs reviewing (steve)
++	 */
++	if (s->server &&
++		SSL_is_init_finished(s) &&
++    		!s->s3->send_connection_binding &&
++		(s->version > SSL3_VERSION) &&
++		(s->s3->handshake_fragment_len >= 4) &&
++		(s->s3->handshake_fragment[0] == SSL3_MT_CLIENT_HELLO) &&
++		(s->session != NULL) && (s->session->cipher != NULL) &&
++		!(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
++		
++		{
++		/*s->s3->handshake_fragment_len = 0;*/
++		rr->length = 0;
++		ssl3_send_alert(s,SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION);
++		goto start;
++		}
+ 	if (s->s3->alert_fragment_len >= 2)
+ 		{
+ 		int alert_level = s->s3->alert_fragment[0];
+@@ -1150,6 +1168,21 @@ start:
+ 				s->shutdown |= SSL_RECEIVED_SHUTDOWN;
+ 				return(0);
+ 				}
++			/* This is a warning but we receive it if we requested
++			 * renegotiation and the peer denied it. Terminate with
++			 * a fatal alert because if application tried to
++			 * renegotiatie it presumably had a good reason and
++			 * expects it to succeed.
++			 *
++			 * In future we might have a renegotiation where we
++			 * don't care if the peer refused it where we carry on.
++			 */
++			else if (alert_descr == SSL_AD_NO_RENEGOTIATION)
++				{
++				al = SSL_AD_HANDSHAKE_FAILURE;
++				SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_NO_RENEGOTIATION);
++				goto f_err;
++				}
+ 			}
+ 		else if (alert_level == 2) /* fatal */
+ 			{
+diff -up openssl-1.0.0-beta4/ssl/s3_srvr.c.scsv openssl-1.0.0-beta4/ssl/s3_srvr.c
+--- openssl-1.0.0-beta4/ssl/s3_srvr.c.scsv	2010-01-07 23:37:39.000000000 +0100
++++ openssl-1.0.0-beta4/ssl/s3_srvr.c	2010-01-07 23:37:39.000000000 +0100
+@@ -1015,7 +1015,7 @@ int ssl3_get_client_hello(SSL *s)
+ 
+ #ifndef OPENSSL_NO_TLSEXT
+ 	/* TLS extensions*/
+-	if (s->version > SSL3_VERSION)
++	if (s->version >= SSL3_VERSION)
+ 		{
+ 		if (!ssl_parse_clienthello_tlsext(s,&p,d,n, &al))
+ 			{
+diff -up openssl-1.0.0-beta4/ssl/t1_lib.c.scsv openssl-1.0.0-beta4/ssl/t1_lib.c
+--- openssl-1.0.0-beta4/ssl/t1_lib.c.scsv	2010-01-07 23:37:39.000000000 +0100
++++ openssl-1.0.0-beta4/ssl/t1_lib.c	2010-01-07 23:38:08.000000000 +0100
+@@ -275,8 +275,9 @@ unsigned char *ssl_add_clienthello_tlsex
+ 	int extdatalen=0;
+ 	unsigned char *ret = p;
+ 
+-	/* don't add extensions for SSLv3 */
+-	if (s->client_version == SSL3_VERSION)
++	/* don't add extensions for SSLv3 unless doing secure renegotiation */
++	if (s->client_version == SSL3_VERSION
++					&& !s->s3->send_connection_binding)
+ 		return p;
+ 
+ 	ret+=2;
+@@ -315,8 +316,9 @@ unsigned char *ssl_add_clienthello_tlsex
+ 		ret+=size_str;
+ 		}
+ 
+-        /* Add the renegotiation option: TODOEKR switch */
+-        {
++        /* Add RI if renegotiating */
++        if (s->new_session)
++          {
+           int el;
+           
+           if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
+@@ -504,8 +506,8 @@ unsigned char *ssl_add_serverhello_tlsex
+ 	int extdatalen=0;
+ 	unsigned char *ret = p;
+ 
+-	/* don't add extensions for SSLv3 */
+-	if (s->version == SSL3_VERSION)
++	/* don't add extensions for SSLv3, unless doing secure renegotiation */
++	if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
+ 		return p;
+ 	
+ 	ret+=2;
+@@ -633,24 +635,13 @@ int ssl_parse_clienthello_tlsext(SSL *s,
+ 
+ 	s->servername_done = 0;
+ 	s->tlsext_status_type = -1;
+-	s->s3->send_connection_binding = 0;
+ 
+ 	if (data >= (d+n-2))
+-		{
+-		if (s->new_session
+-			&& !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+-			{
+-			/* We should always see one extension: the renegotiate extension */
+-			*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
+-			SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
+-			return 0;
+-			}
+-		return 1;
+-		}
++		goto ri_check;
+ 	n2s(data,len);
+ 
+ 	if (data > (d+n-len)) 
+-		return 1;
++		goto ri_check;
+ 
+ 	while (data <= (d+n-4))
+ 		{
+@@ -658,7 +649,7 @@ int ssl_parse_clienthello_tlsext(SSL *s,
+ 		n2s(data,size);
+ 
+ 		if (data+size > (d+n))
+-	   		return 1;
++	   		goto ri_check;
+ #if 0
+ 		fprintf(stderr,"Received extension type %d size %d\n",type,size);
+ #endif
+@@ -971,17 +962,22 @@ int ssl_parse_clienthello_tlsext(SSL *s,
+ 		/* session ticket processed earlier */
+ 		data+=size;
+ 		}
+-  
+- 	if (s->new_session && !renegotiate_seen
+- 		&& !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+- 		{
+-		SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
+- 		*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
+- 		return 0;
+- 		}
+- 
+ 				
+ 	*p = data;
++
++	ri_check:
++
++	/* Need RI if renegotiating */
++
++	if (!renegotiate_seen && s->new_session &&
++		!(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
++		{
++		*al = SSL_AD_HANDSHAKE_FAILURE;
++	 	SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
++				SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
++		return 0;
++		}
++
+ 	return 1;
+ 	}
+ 
+@@ -995,21 +991,7 @@ int ssl_parse_serverhello_tlsext(SSL *s,
+ 	int renegotiate_seen = 0;
+ 
+ 	if (data >= (d+n-2))
+-		{
+-#if 0
+-		/* Because the client does not see any renegotiation during an
+-		   attack, we must enforce this on all server hellos, even the
+-		   first */
+-		if (!(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+-			{
+-			/* We should always see one extension: the renegotiate extension */
+-			*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
+-			SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
+-			return 0;
+-			}
+-#endif
+-		return 1;
+-		}
++		goto ri_check;
+ 
+ 	n2s(data,len);
+ 
+@@ -1019,7 +1001,7 @@ int ssl_parse_serverhello_tlsext(SSL *s,
+ 		n2s(data,size);
+ 
+ 		if (data+size > (d+n))
+-	   		return 1;
++	   		goto ri_check;
+ 
+ 		if (s->tlsext_debug_cb)
+ 			s->tlsext_debug_cb(s, 1, type, data, size,
+@@ -1143,16 +1125,6 @@ int ssl_parse_serverhello_tlsext(SSL *s,
+ 		return 0;
+ 		}
+ 
+-#if 0
+-	if (!renegotiate_seen
+-		&& !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+-		{
+-		*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
+-		SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
+-		return 0;
+-		}
+-#endif
+-
+ 	if (!s->hit && tlsext_servername == 1)
+ 		{
+  		if (s->tlsext_hostname)
+@@ -1175,6 +1147,26 @@ int ssl_parse_serverhello_tlsext(SSL *s,
+ 		}
+ 
+ 	*p = data;
++
++	ri_check:
++
++	/* Determine if we need to see RI. Strictly speaking if we want to
++	 * avoid an attack we should *always* see RI even on initial server
++	 * hello because the client doesn't see any renegotiation during an
++	 * attack. However this would mean we could not connect to any server
++	 * which doesn't support RI so for the immediate future tolerate RI
++	 * absence on initial connect only.
++	 */
++	if (!renegotiate_seen && 
++		(s->new_session || !(s->options & SSL_OP_LEGACY_SERVER_CONNECT))
++		&& !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
++		{
++		*al = SSL_AD_HANDSHAKE_FAILURE;
++		SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
++				SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
++		return 0;
++		}
++
+ 	return 1;
+ 	}
+ 
+diff -up openssl-1.0.0-beta4/ssl/t1_reneg.c.scsv openssl-1.0.0-beta4/ssl/t1_reneg.c
+--- openssl-1.0.0-beta4/ssl/t1_reneg.c.scsv	2009-11-09 19:45:42.000000000 +0100
++++ openssl-1.0.0-beta4/ssl/t1_reneg.c	2010-01-07 23:37:39.000000000 +0100
+@@ -130,10 +130,15 @@ int ssl_add_clienthello_renegotiate_ext(
+ 
+         memcpy(p, s->s3->previous_client_finished,
+ 	       s->s3->previous_client_finished_len);
++#ifdef OPENSSL_RI_DEBUG
++    fprintf(stderr, "%s RI extension sent by client\n",
++		s->s3->previous_client_finished_len ? "Non-empty" : "Empty");
++#endif
+         }
+     
+     *len=s->s3->previous_client_finished_len + 1;
+-    
++
++ 
+     return 1;
+     }
+ 
+@@ -166,7 +171,7 @@ int ssl_parse_clienthello_renegotiate_ex
+     if(ilen != s->s3->previous_client_finished_len)
+         {
+         SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_MISMATCH);
+-        *al=SSL_AD_ILLEGAL_PARAMETER;
++        *al=SSL_AD_HANDSHAKE_FAILURE;
+         return 0;
+         }
+     
+@@ -174,9 +179,13 @@ int ssl_parse_clienthello_renegotiate_ex
+ 	      s->s3->previous_client_finished_len))
+         {
+         SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_MISMATCH);
+-        *al=SSL_AD_ILLEGAL_PARAMETER;
++        *al=SSL_AD_HANDSHAKE_FAILURE;
+         return 0;
+         }
++#ifdef OPENSSL_RI_DEBUG
++    fprintf(stderr, "%s RI extension received by server\n",
++				ilen ? "Non-empty" : "Empty");
++#endif
+ 
+     s->s3->send_connection_binding=1;
+ 
+@@ -206,6 +215,10 @@ int ssl_add_serverhello_renegotiate_ext(
+ 
+         memcpy(p, s->s3->previous_server_finished,
+ 	       s->s3->previous_server_finished_len);
++#ifdef OPENSSL_RI_DEBUG
++    fprintf(stderr, "%s RI extension sent by server\n",
++    		s->s3->previous_client_finished_len ? "Non-empty" : "Empty");
++#endif
+         }
+     
+     *len=s->s3->previous_client_finished_len
+@@ -249,7 +262,7 @@ int ssl_parse_serverhello_renegotiate_ex
+     if(ilen != expected_len)
+         {
+         SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_MISMATCH);
+-        *al=SSL_AD_ILLEGAL_PARAMETER;
++        *al=SSL_AD_HANDSHAKE_FAILURE;
+         return 0;
+         }
+ 
+@@ -257,7 +270,7 @@ int ssl_parse_serverhello_renegotiate_ex
+ 	      s->s3->previous_client_finished_len))
+         {
+         SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_MISMATCH);
+-        *al=SSL_AD_ILLEGAL_PARAMETER;
++        *al=SSL_AD_HANDSHAKE_FAILURE;
+         return 0;
+         }
+     d += s->s3->previous_client_finished_len;
+@@ -269,6 +282,11 @@ int ssl_parse_serverhello_renegotiate_ex
+         *al=SSL_AD_ILLEGAL_PARAMETER;
+         return 0;
+         }
++#ifdef OPENSSL_RI_DEBUG
++    fprintf(stderr, "%s RI extension received by client\n",
++				ilen ? "Non-empty" : "Empty");
++#endif
++    s->s3->send_connection_binding=1;
+ 
+     return 1;
+     }

openssl-1.0.0-beta4-tls-comp.patch

@@ -0,0 +1,193 @@
+diff -up openssl-1.0.0-beta4/ssl/ssl_err.c.tls-comp openssl-1.0.0-beta4/ssl/ssl_err.c
+--- openssl-1.0.0-beta4/ssl/ssl_err.c.tls-comp	2010-01-07 18:45:46.000000000 +0100
++++ openssl-1.0.0-beta4/ssl/ssl_err.c	2010-01-07 22:46:10.000000000 +0100
+@@ -329,6 +329,7 @@ static ERR_STRING_DATA SSL_str_reasons[]
+ {ERR_REASON(SSL_R_CIPHER_TABLE_SRC_ERROR),"cipher table src error"},
+ {ERR_REASON(SSL_R_CLIENTHELLO_TLSEXT)    ,"clienthello tlsext"},
+ {ERR_REASON(SSL_R_COMPRESSED_LENGTH_TOO_LONG),"compressed length too long"},
++{ERR_REASON(SSL_R_COMPRESSION_DISABLED)  ,"compression disabled"},
+ {ERR_REASON(SSL_R_COMPRESSION_FAILURE)   ,"compression failure"},
+ {ERR_REASON(SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE),"compression id not within private range"},
+ {ERR_REASON(SSL_R_COMPRESSION_LIBRARY_ERROR),"compression library error"},
+@@ -357,8 +358,10 @@ static ERR_STRING_DATA SSL_str_reasons[]
+ {ERR_REASON(SSL_R_HTTPS_PROXY_REQUEST)   ,"https proxy request"},
+ {ERR_REASON(SSL_R_HTTP_REQUEST)          ,"http request"},
+ {ERR_REASON(SSL_R_ILLEGAL_PADDING)       ,"illegal padding"},
++{ERR_REASON(SSL_R_INCONSISTENT_COMPRESSION),"inconsistent compression"},
+ {ERR_REASON(SSL_R_INVALID_CHALLENGE_LENGTH),"invalid challenge length"},
+ {ERR_REASON(SSL_R_INVALID_COMMAND)       ,"invalid command"},
++{ERR_REASON(SSL_R_INVALID_COMPRESSION_ALGORITHM),"invalid compression algorithm"},
+ {ERR_REASON(SSL_R_INVALID_PURPOSE)       ,"invalid purpose"},
+ {ERR_REASON(SSL_R_INVALID_STATUS_RESPONSE),"invalid status response"},
+ {ERR_REASON(SSL_R_INVALID_TICKET_KEYS_LENGTH),"invalid ticket keys length"},
+@@ -421,6 +424,7 @@ static ERR_STRING_DATA SSL_str_reasons[]
+ {ERR_REASON(SSL_R_NULL_SSL_CTX)          ,"null ssl ctx"},
+ {ERR_REASON(SSL_R_NULL_SSL_METHOD_PASSED),"null ssl method passed"},
+ {ERR_REASON(SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED),"old session cipher not returned"},
++{ERR_REASON(SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED),"old session compression algorithm not returned"},
+ {ERR_REASON(SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE),"only tls allowed in fips mode"},
+ {ERR_REASON(SSL_R_OPAQUE_PRF_INPUT_TOO_LONG),"opaque PRF input too long"},
+ {ERR_REASON(SSL_R_PACKET_LENGTH_TOO_LONG),"packet length too long"},
+@@ -451,6 +455,7 @@ static ERR_STRING_DATA SSL_str_reasons[]
+ {ERR_REASON(SSL_R_RENEGOTIATION_ENCODING_ERR),"renegotiation encoding err"},
+ {ERR_REASON(SSL_R_RENEGOTIATION_MISMATCH),"renegotiation mismatch"},
+ {ERR_REASON(SSL_R_REQUIRED_CIPHER_MISSING),"required cipher missing"},
++{ERR_REASON(SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING),"required compresssion algorithm missing"},
+ {ERR_REASON(SSL_R_REUSE_CERT_LENGTH_NOT_ZERO),"reuse cert length not zero"},
+ {ERR_REASON(SSL_R_REUSE_CERT_TYPE_NOT_ZERO),"reuse cert type not zero"},
+ {ERR_REASON(SSL_R_REUSE_CIPHER_LIST_NOT_ZERO),"reuse cipher list not zero"},
+diff -up openssl-1.0.0-beta4/ssl/ssl.h.tls-comp openssl-1.0.0-beta4/ssl/ssl.h
+--- openssl-1.0.0-beta4/ssl/ssl.h.tls-comp	2010-01-07 18:45:46.000000000 +0100
++++ openssl-1.0.0-beta4/ssl/ssl.h	2010-01-07 22:47:07.000000000 +0100
+@@ -485,7 +485,7 @@ typedef struct ssl_session_st
+ 	long timeout;
+ 	long time;
+ 
+-	int compress_meth;		/* Need to lookup the method */
++	unsigned int compress_meth;	/* Need to lookup the method */
+ 
+ 	const SSL_CIPHER *cipher;
+ 	unsigned long cipher_id;	/* when ASN.1 loaded, this
+@@ -2051,6 +2051,7 @@ void ERR_load_SSL_strings(void);
+ #define SSL_R_CIPHER_TABLE_SRC_ERROR			 139
+ #define SSL_R_CLIENTHELLO_TLSEXT			 226
+ #define SSL_R_COMPRESSED_LENGTH_TOO_LONG		 140
++#define SSL_R_COMPRESSION_DISABLED			 343
+ #define SSL_R_COMPRESSION_FAILURE			 141
+ #define SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE	 307
+ #define SSL_R_COMPRESSION_LIBRARY_ERROR			 142
+@@ -2079,8 +2080,10 @@ void ERR_load_SSL_strings(void);
+ #define SSL_R_HTTPS_PROXY_REQUEST			 155
+ #define SSL_R_HTTP_REQUEST				 156
+ #define SSL_R_ILLEGAL_PADDING				 283
++#define SSL_R_INCONSISTENT_COMPRESSION			 340
+ #define SSL_R_INVALID_CHALLENGE_LENGTH			 158
+ #define SSL_R_INVALID_COMMAND				 280
++#define SSL_R_INVALID_COMPRESSION_ALGORITHM		 341
+ #define SSL_R_INVALID_PURPOSE				 278
+ #define SSL_R_INVALID_STATUS_RESPONSE			 328
+ #define SSL_R_INVALID_TICKET_KEYS_LENGTH		 325
+@@ -2143,6 +2146,7 @@ void ERR_load_SSL_strings(void);
+ #define SSL_R_NULL_SSL_CTX				 195
+ #define SSL_R_NULL_SSL_METHOD_PASSED			 196
+ #define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED		 197
++#define SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED 344
+ #define SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE		 297
+ #define SSL_R_OPAQUE_PRF_INPUT_TOO_LONG			 327
+ #define SSL_R_PACKET_LENGTH_TOO_LONG			 198
+@@ -2173,6 +2177,7 @@ void ERR_load_SSL_strings(void);
+ #define SSL_R_RENEGOTIATION_ENCODING_ERR		 336
+ #define SSL_R_RENEGOTIATION_MISMATCH			 337
+ #define SSL_R_REQUIRED_CIPHER_MISSING			 215
++#define SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING	 342
+ #define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO		 216
+ #define SSL_R_REUSE_CERT_TYPE_NOT_ZERO			 217
+ #define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO		 218
+diff -up openssl-1.0.0-beta4/ssl/s3_clnt.c.tls-comp openssl-1.0.0-beta4/ssl/s3_clnt.c
+--- openssl-1.0.0-beta4/ssl/s3_clnt.c.tls-comp	2010-01-07 17:53:12.000000000 +0100
++++ openssl-1.0.0-beta4/ssl/s3_clnt.c	2010-01-07 22:47:07.000000000 +0100
+@@ -895,10 +895,31 @@ int ssl3_get_server_hello(SSL *s)
+ 		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
+ 		goto f_err;
+ 		}
++	/* If compression is disabled we'd better not try to resume a session
++	 * using compression.
++	 */
++	if (s->session->compress_meth != 0)
++		{
++		al=SSL_AD_INTERNAL_ERROR;
++		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_INCONSISTENT_COMPRESSION);
++		goto f_err;
++		}
+ #else
+ 	j= *(p++);
+-	if ((j == 0) || (s->options & SSL_OP_NO_COMPRESSION))
++	if (s->hit && j != s->session->compress_meth)
++		{
++		al=SSL_AD_ILLEGAL_PARAMETER;
++		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED);
++		goto f_err;
++		}
++	if (j == 0)
+ 		comp=NULL;
++	else if (s->options & SSL_OP_NO_COMPRESSION)
++		{
++		al=SSL_AD_ILLEGAL_PARAMETER;
++		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_COMPRESSION_DISABLED);
++		goto f_err;
++		}
+ 	else
+ 		comp=ssl3_comp_find(s->ctx->comp_methods,j);
+ 	
+diff -up openssl-1.0.0-beta4/ssl/s3_srvr.c.tls-comp openssl-1.0.0-beta4/ssl/s3_srvr.c
+--- openssl-1.0.0-beta4/ssl/s3_srvr.c.tls-comp	2010-01-07 17:53:12.000000000 +0100
++++ openssl-1.0.0-beta4/ssl/s3_srvr.c	2010-01-07 22:46:10.000000000 +0100
+@@ -1088,7 +1088,50 @@ int ssl3_get_client_hello(SSL *s)
+ 	 * algorithms from the client, starting at q. */
+ 	s->s3->tmp.new_compression=NULL;
+ #ifndef OPENSSL_NO_COMP
+-	if (!(s->options & SSL_OP_NO_COMPRESSION) && s->ctx->comp_methods)
++	/* This only happens if we have a cache hit */
++	if (s->session->compress_meth != 0)
++		{
++		int m, comp_id = s->session->compress_meth;
++		/* Perform sanity checks on resumed compression algorithm */
++		/* Can't disable compression */
++		if (s->options & SSL_OP_NO_COMPRESSION)
++			{
++			al=SSL_AD_INTERNAL_ERROR;
++			SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INCONSISTENT_COMPRESSION);
++			goto f_err;
++			}
++		/* Look for resumed compression method */
++		for (m = 0; m < sk_SSL_COMP_num(s->ctx->comp_methods); m++)
++			{
++			comp=sk_SSL_COMP_value(s->ctx->comp_methods,m);
++			if (comp_id == comp->id)
++				{
++				s->s3->tmp.new_compression=comp;
++				break;
++				}
++			}
++		if (s->s3->tmp.new_compression == NULL)
++			{
++			al=SSL_AD_INTERNAL_ERROR;
++			SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INVALID_COMPRESSION_ALGORITHM);
++			goto f_err;
++			}
++		/* Look for resumed method in compression list */
++		for (m = 0; m < i; m++)
++			{
++			if (q[m] == comp_id)
++				break;
++			}
++		if (m >= i)
++			{
++			al=SSL_AD_ILLEGAL_PARAMETER;
++			SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING);
++			goto f_err;
++			}
++		}
++	else if (s->hit)
++		comp = NULL;
++	else if (!(s->options & SSL_OP_NO_COMPRESSION) && s->ctx->comp_methods)
+ 		{ /* See if we have a match */
+ 		int m,nn,o,v,done=0;
+ 
+@@ -1112,6 +1155,16 @@ int ssl3_get_client_hello(SSL *s)
+ 		else
+ 			comp=NULL;
+ 		}
++#else
++	/* If compression is disabled we'd better not try to resume a session
++	 * using compression.
++	 */
++	if (s->session->compress_meth != 0)
++		{
++		al=SSL_AD_INTERNAL_ERROR;
++		SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INCONSISTENT_COMPRESSION);
++		goto f_err;
++		}
+ #endif
+ 
+ 	/* Given s->session->ciphers and SSL_get_ciphers, we must

openssl.spec

@@ -23,7 +23,7 @@
 Summary: A general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.0.0
-Release: 0.16.%{beta}%{?dist}
+Release: 0.17.%{beta}%{?dist}
 # We remove certain patented algorithms from the openssl source tarball
 # with the hobble-openssl script which is included below.
 Source: openssl-%{version}-%{beta}-usa.tar.bz2
@@ -68,6 +68,10 @@ Patch61: openssl-1.0.0-beta4-client-reneg.patch
 Patch62: openssl-1.0.0-beta4-backports.patch
 Patch63: openssl-1.0.0-beta4-reneg-err.patch
 Patch64: openssl-1.0.0-beta4-dtls-ipv6.patch
+Patch65: openssl-1.0.0-beta4-dtls-reneg.patch
+Patch66: openssl-1.0.0-beta4-backports2.patch
+Patch67: openssl-1.0.0-beta4-reneg-scsv.patch
+Patch68: openssl-1.0.0-beta4-tls-comp.patch
 
 License: OpenSSL
 Group: System Environment/Libraries
@@ -152,6 +156,10 @@ from other formats to the formats used by the OpenSSL toolkit.
 %patch62 -p1 -b .backports
 %patch63 -p1 -b .reneg-err
 %patch64 -p1 -b .dtls-ipv6
+%patch65 -p1 -b .dtls-reneg
+%patch66 -p1 -b .backports2
+%patch67 -p1 -b .scsv
+%patch68 -p1 -b .tls-comp
 
 # Modify the various perl scripts to reference perl in the right location.
 perl util/perlpath.pl `dirname %{__perl}`
@@ -160,7 +168,7 @@ perl util/perlpath.pl `dirname %{__perl}`
 touch Makefile
 make TABLE PERL=%{__perl}
 
-%build 
+%build
 # Figure out which flags we want to use.
 # default
 sslarch=%{_os}-%{_arch}
@@ -347,7 +355,7 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 %clean
 [ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
 
-%files 
+%files
 %defattr(-,root,root)
 %doc FAQ LICENSE CHANGES NEWS INSTALL README
 %doc doc/c-indentation.el doc/openssl.txt
@@ -400,6 +408,11 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 %postun -p /sbin/ldconfig
 
 %changelog
+* Thu Jan  7 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.17.beta4
+- upstream fix compression handling on session resumption
+- various null checks and other small fixes from upstream
+- upstream changes for the renegotiation info according to the latest draft 
+
 * Mon Nov 23 2009 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.16.beta4
 - fix non-fips mingw build (patch by Kalev Lember)
 - add IPV6 fix for DTLS
@@ -419,7 +432,7 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
   openssh and possibly other dependencies with too strict version check
 
 * Thu Nov 12 2009 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.11.beta4
-- update to new upstream version, no soname bump needed 
+- update to new upstream version, no soname bump needed
 - fix CVE-2009-3555 - note that the fix is bypassed if SSL_OP_ALL is used
   so the compatibility with unfixed clients is not broken. The
   protocol extension is also not final.