Server: enforce renegotiation

2024-11-24 08:28:25 +00:00 · 2013-10-30 16:41:45 +01:00 · 2013-10-30 16:41:45 +01:00 · 6d8404d6ba
commit 6d8404d6ba
parent 9c1e1898b6
3 changed files with 15 additions and 1 deletions
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@ -202,6 +202,7 @@
 #define SSL_INITIAL_HANDSHAKE           0
 #define SSL_RENEGOTIATION               1   /* In progress */
 #define SSL_RENEGOTIATION_DONE          2   /* Done */
+#define SSL_RENEGOTIATION_PENDING       3   /* Requested (server only) */

 #define SSL_LEGACY_RENEGOTIATION        0
 #define SSL_SECURE_RENEGOTIATION        1
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -3990,6 +3990,8 @@ static int ssl_write_hello_request( ssl_context *ssl )
        return( ret );
    }

+    ssl->renegotiation = SSL_RENEGOTIATION_PENDING;
+
    SSL_DEBUG_MSG( 2, ( "<= write hello request" ) );

    return( 0 );
@ -4175,6 +4177,12 @@ int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
                return( POLARSSL_ERR_NET_WANT_READ );
            }
        }
+        else if( ssl->renegotiation == SSL_RENEGOTIATION_PENDING )
+        {
+            SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
+                                "but not honored by client" ) );
+            return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
+        }
        else if( ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
        {
            SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@ -967,7 +967,12 @@ reset:
        if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
        {
            printf( " failed\n  ! ssl_read returned %d\n\n", ret );
-            goto exit;
+
+            /* Unexpected message probably means client didn't renegotiate */
+            if( ret == POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE )
+                goto reset;
+            else
+                goto exit;
        }
    }