Server: enforce renegotiation
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index 50ff986..e5ca9d5 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -202,6 +202,7 @@
#define SSL_INITIAL_HANDSHAKE 0
#define SSL_RENEGOTIATION 1 /* In progress */
#define SSL_RENEGOTIATION_DONE 2 /* Done */
+#define SSL_RENEGOTIATION_PENDING 3 /* Requested (server only) */
#define SSL_LEGACY_RENEGOTIATION 0
#define SSL_SECURE_RENEGOTIATION 1
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 94d9edf..1205947 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -3990,6 +3990,8 @@
return( ret );
}
+ ssl->renegotiation = SSL_RENEGOTIATION_PENDING;
+
SSL_DEBUG_MSG( 2, ( "<= write hello request" ) );
return( 0 );
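Review bot: The new `ssl->renegotiation = SSL_RENEGOTIATION_PENDING;` assignment has no comment saying what the state means for later reads or what clears it, and nothing in this hunk shows the transition out of it. I would add `/* HelloRequest sent: the read path will now reject application data until the client starts a handshake */` above the assignment. The state is only set after the early `return( ret );` above. If that return can also fire for a retryable write whose record is later flushed (not visible here), the request would go out without the state being recorded, so that is worth confirming. The enclosing function starts and ends outside the hunk.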
@@ -4175,6 +4177,12 @@
return( POLARSSL_ERR_NET_WANT_READ );
}
}
+ else if( ssl->renegotiation == SSL_RENEGOTIATION_PENDING )
+ {
+ SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
+ "but not honored by client" ) );
+ return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
+ }
else if( ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
{
SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
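Review bot: The new `else if( ssl->renegotiation == SSL_RENEGOTIATION_PENDING )` branch fails the connection on the first non-handshake record read after the HelloRequest, with no grace period. Application data that the client sent before it received the request would, as far as the visible lines show, hit this branch and terminate a well-behaved peer. A bounded allowance, such as a configurable number of records or a deadline, would keep the enforcement while tolerating in-flight data. Whichever policy is chosen should be stated in a comment on the branch. It is also not visible here whether a fatal alert is sent before `return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );`; if not, the client gets no indication of why the session ended. The enclosing function and the preceding branch start outside the hunk.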
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index d35ab77..2a046a7 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -967,7 +967,12 @@
if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
{
printf( " failed\n ! ssl_read returned %d\n\n", ret );
- goto exit;
+
+ /* Unexpected message probably means client didn't renegotiate */
+ if( ret == POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE )
+ goto reset;
+ else
+ goto exit;
}
}
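Review bot: The `ret == POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE` test treats every unexpected-message error as a refused renegotiation, although the library probably returns the same code for other malformed records, as the comment's "probably" concedes. The log line printed just above does not help an operator tell the cases apart, so I would print something specific before the jump, e.g. `printf( "  ! unexpected message (renegotiation possibly ignored by client), resetting\n" );`. A dedicated error code for the pending-renegotiation case would remove the ambiguity for applications. As a style point, the `else` after `goto reset;` is redundant and a plain `goto exit;` reads more simply. The surrounding loop lies outside the hunk.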