Google Git
Sign in
flutter / third_party / openssl / db0f35dda18403accabe98e7780f3dfc516f49de^! / . / ssl / statem
commitdb0f35dda18403accabe98e7780f3dfc516f49de[log] [tgz]
authorTodd Short <tshort@akamai.com>Wed May 10 16:46:14 2017 -0400
committerMatt Caswell <matt@openssl.org>Tue Jun 06 22:39:41 2017 +0100
tree68a7b32f8f99c5624e2d0bb1089f6bf34047f01f
parent270d65fa34caa974fb27c9b161b0c9b6cd806c76 [diff]
Fix #2400 Add NO_RENEGOTIATE option

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3432)
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index 95bacdf..fe181ab 100644
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c

@@ -817,6 +817,7 @@
     if (!s->s3->send_connection_binding)
         return EXT_RETURN_NOT_SENT;
 
+    /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
             || !WPACKET_start_sub_packet_u16(pkt)
             || !WPACKET_start_sub_packet_u8(pkt)

diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index d4382e8..020589f 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c

@@ -3454,6 +3454,11 @@
         return MSG_PROCESS_ERROR;
     }
 
+    if ((s->options & SSL_OP_NO_RENEGOTIATION)) {
+        ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION);
+        return MSG_PROCESS_FINISHED_READING;
+    }
+
     /*
      * This is a historical discrepancy (not in the RFC) maintained for
      * compatibility reasons. If a TLS client receives a HelloRequest it will

diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index c2b1485..29fb9dc 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c

@@ -116,6 +116,10 @@
         }
         if (SSL_IS_FIRST_HANDSHAKE(s)) {
             s->ctx->stats.sess_accept++;
+        } else if ((s->options & SSL_OP_NO_RENEGOTIATION)) {
+            /* Renegotiation is disabled */
+            ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION);
+            return 0;
         } else if (!s->s3->send_connection_binding &&
                    !(s->options &
                      SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {

diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 02c6e56..c26c93b 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c

@@ -1246,6 +1246,10 @@
     }
     /* Check if this is actually an unexpected renegotiation ClientHello */
     if (s->renegotiate == 0 && !SSL_IS_FIRST_HANDSHAKE(s)) {
+        if ((s->options & SSL_OP_NO_RENEGOTIATION)) {
+            ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION);
+            goto err;
+        }
         s->renegotiate = 1;
         s->new_session = 1;
     }