Server: enforce renegotiation
This commit is contained in:
parent
9c1e1898b6
commit
6d8404d6ba
3 changed files with 15 additions and 1 deletions
|
@ -202,6 +202,7 @@
|
||||||
#define SSL_INITIAL_HANDSHAKE 0
|
#define SSL_INITIAL_HANDSHAKE 0
|
||||||
#define SSL_RENEGOTIATION 1 /* In progress */
|
#define SSL_RENEGOTIATION 1 /* In progress */
|
||||||
#define SSL_RENEGOTIATION_DONE 2 /* Done */
|
#define SSL_RENEGOTIATION_DONE 2 /* Done */
|
||||||
|
#define SSL_RENEGOTIATION_PENDING 3 /* Requested (server only) */
|
||||||
|
|
||||||
#define SSL_LEGACY_RENEGOTIATION 0
|
#define SSL_LEGACY_RENEGOTIATION 0
|
||||||
#define SSL_SECURE_RENEGOTIATION 1
|
#define SSL_SECURE_RENEGOTIATION 1
|
||||||
|
|
|
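Review bot: The new `SSL_RENEGOTIATION_PENDING` constant changes what ssl_read will accept, so the one-word comment "Requested (server only)" under-documents it compared with the other hunks in this commit. Say who sets it and what it gates: `#define SSL_RENEGOTIATION_PENDING 3 /* Server sent HelloRequest; until the client's handshake arrives, ssl_read rejects other records with POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE */`. The values are plain `#define`s like their neighbours, so no change of form is asked for, only that the state's meaning be readable from the header alone.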
@ -3990,6 +3990,8 @@ static int ssl_write_hello_request( ssl_context *ssl )
|
||||||
return( ret );
|
return( ret );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
ssl->renegotiation = SSL_RENEGOTIATION_PENDING;
|
||||||
|
|
||||||
SSL_DEBUG_MSG( 2, ( "<= write hello request" ) );
|
SSL_DEBUG_MSG( 2, ( "<= write hello request" ) );
|
||||||
|
|
||||||
return( 0 );
|
return( 0 );
|
||||||
|
@ -4175,6 +4177,12 @@ int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
|
||||||
return( POLARSSL_ERR_NET_WANT_READ );
|
return( POLARSSL_ERR_NET_WANT_READ );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
else if( ssl->renegotiation == SSL_RENEGOTIATION_PENDING )
|
||||||
|
{
|
||||||
|
SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
|
||||||
|
"but not honored by client" ) );
|
||||||
|
return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
|
||||||
|
}
|
||||||
else if( ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
|
else if( ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
|
||||||
{
|
{
|
||||||
SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
|
SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
|
||||||
|
|
|
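Review bot: Returning `POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE` for a client that ignored the HelloRequest makes the condition indistinguishable from the other "unexpected message" failures in ssl_read (the "bad application data message" branch immediately below appears to report the same code), which is why the ssl_server2.c hunk can only say the client "probably" did not renegotiate. A dedicated code (e.g. `POLARSSL_ERR_SSL_NO_CLIENT_RENEGOTIATION`, a constructed name) would let callers separate "peer declined renegotiation" from a malformed record, and the sample program's `goto reset` would then key on that. The branch also returns without sending a fatal alert first, so the client only sees the connection drop; if the library's alert-sending helper is reachable here, emitting one before the `return` makes the refusal diagnosable from the client side. ssl_read's body begins and ends outside this hunk, and the earlier hunk in ssl_write_hello_request sets the state unconditionally, so whether a HelloRequest can be sent while a renegotiation is already in progress is not visible here.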
@ -967,7 +967,12 @@ reset:
|
||||||
if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
|
if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
|
||||||
{
|
{
|
||||||
printf( " failed\n ! ssl_read returned %d\n\n", ret );
|
printf( " failed\n ! ssl_read returned %d\n\n", ret );
|
||||||
goto exit;
|
|
||||||
|
/* Unexpected message probably means client didn't renegotiate */
|
||||||
|
if( ret == POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE )
|
||||||
|
goto reset;
|
||||||
|
else
|
||||||
|
goto exit;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
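Review bot: The `printf( " failed\n ! ssl_read returned %d\n\n", ret )` at the top of this block still runs before the new `goto reset`, so a client that simply never renegotiated is logged as a failure even though the program recovers by resetting. Print the message only on the exit path, or print a distinct line on the reset path, e.g. `if( ret == POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE ) { printf( " client did not renegotiate, resetting\n" ); goto reset; }`. The unbraced one-statement `if`/`else` bodies also depart from the braced style of the surrounding lines. The `reset:` label the jump targets is outside this hunk, so whether the reset path closes the connection cleanly before looping is not visible here.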