]> git.ipfire.org Git - thirdparty/gnutls.git/commitdiff
Here are two more patches. The first adds support for renegotiation of
authorSteve Dispensa <dispensa@phonefactor.com>
Wed, 13 Jan 2010 17:14:24 +0000 (18:14 +0100)
committerNikos Mavrogiannopoulos <nmav@gnutls.org>
Wed, 13 Jan 2010 17:24:48 +0000 (18:24 +0100)
resumption.

Also, I found a bug in my initial implementation - I was incorrectly sending
the SCSV on all connections, not only those using SSLv3, as should have been
the case.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
lib/gnutls_handshake.c

index 41a9f0e8ff0b59d13eed69e480e7158bb14dbdb1..8188b8db1d2631279bf77cf30dbc244a5a9bc3a3 100644 (file)
@@ -141,6 +141,23 @@ resume_copy_required_values (gnutls_session_t session)
          sizeof (session->security_parameters.session_id));
   session->security_parameters.session_id_size =
     session->internals.resumed_security_parameters.session_id_size;
+
+  /* safe renegotiation */
+  tls_ext_st *newext = &session->security_parameters.extensions;
+  tls_ext_st *resext = &session->internals.resumed_security_parameters.extensions;
+
+  newext->connection_using_safe_renegotiation = 
+         resext->connection_using_safe_renegotiation;
+
+  newext->initial_negotiation_completed = TRUE;
+
+  newext->client_verify_data_len = resext->client_verify_data_len;
+  memcpy (newext->client_verify_data, resext->client_verify_data, 
+         resext->client_verify_data_len);
+
+  newext->server_verify_data_len = resext->server_verify_data_len;
+  memcpy (newext->server_verify_data, resext->server_verify_data, 
+         resext->server_verify_data_len);
 }
 
 void
@@ -1677,6 +1694,23 @@ _gnutls_client_check_if_resuming (gnutls_session_t session,
              session->security_parameters.client_random, GNUTLS_RANDOM_SIZE);
       session->internals.resumed = RESUME_TRUE;        /* we are resuming */
 
+      /* safe renegotiation after resumption */
+      tls_ext_st *newext = &session->security_parameters.extensions;
+      tls_ext_st *resext = &session->internals.resumed_security_parameters.extensions;
+
+      newext->connection_using_safe_renegotiation = 
+       resext->connection_using_safe_renegotiation;
+
+      newext->initial_negotiation_completed = TRUE;
+
+      newext->client_verify_data_len = resext->client_verify_data_len;
+      memcpy (newext->client_verify_data, resext->client_verify_data, 
+             resext->client_verify_data_len);
+
+      newext->server_verify_data_len = resext->server_verify_data_len;
+      memcpy (newext->server_verify_data, resext->server_verify_data, 
+             resext->server_verify_data_len);
+
       return 0;
     }
   else
@@ -2066,7 +2100,8 @@ _gnutls_send_client_hello (gnutls_session_t session, int again)
        * handled with the RI extension below).
        */
       if(!session->security_parameters.extensions.initial_negotiation_completed &&
-        session->security_parameters.entity == GNUTLS_CLIENT)
+        session->security_parameters.entity == GNUTLS_CLIENT &&
+        gnutls_protocol_get_version (session) == GNUTLS_SSL3)
         {
          ret = _gnutls_copy_ciphersuites (session, extdata, extdatalen, TRUE);
          _gnutls_extension_list_add (session, GNUTLS_EXTENSION_SAFE_RENEGOTIATION);