Add code for testing server-initiated renegotiation
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index e75f9d7..cbec352 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -1565,6 +1565,8 @@
}
#endif /* POLARSSL_X509_CRT_PARSE_C */
+int ssl_write_hello_request( ssl_context *ssl );
+
#ifdef __cplusplus
}
#endif
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 7d81fc9..66ba58a 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -335,6 +335,30 @@
}
#endif /* POLARSSL_SSL_SESSION_TICKETS */
+/*
+ * Write HelloRequest to request renegotiation
+ */
+int ssl_write_hello_request( ssl_context *ssl )
+{
+ int ret;
+
+ SSL_DEBUG_MSG( 2, ( "=> write hello request" ) );
+
+ ssl->out_msglen = 4;
+ ssl->out_msgtype = SSL_MSG_HANDSHAKE;
+ ssl->out_msg[0] = SSL_HS_HELLO_REQUEST;
+
+ if( ( ret = ssl_write_record( ssl ) ) != 0 )
+ {
+ SSL_DEBUG_RET( 1, "ssl_write_record", ret );
+ return( ret );
+ }
+
+ SSL_DEBUG_MSG( 2, ( "<= write hello request" ) );
+
+ return( 0 );
+}
+
#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
/*
* Wrapper around f_sni, allowing use of ssl_set_own_cert() but
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index b8bc188..e636f9d 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1930,7 +1930,8 @@
ssl->out_msg[2] = (unsigned char)( ( len - 4 ) >> 8 );
ssl->out_msg[3] = (unsigned char)( ( len - 4 ) );
- ssl->handshake->update_checksum( ssl, ssl->out_msg, len );
+ if( ssl->out_msg[0] != SSL_HS_HELLO_REQUEST )
+ ssl->handshake->update_checksum( ssl, ssl->out_msg, len );
}
#if defined(POLARSSL_ZLIB_SUPPORT)
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 8e7ee0e..890c119 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -50,7 +50,6 @@
#endif
#define DFL_SERVER_PORT 4433
-#define DFL_REQUEST_PAGE "/"
#define DFL_DEBUG_LEVEL 0
#define DFL_CA_FILE ""
#define DFL_CA_PATH ""
@@ -84,6 +83,9 @@
"<h2>PolarSSL Test Server</h2>\r\n" \
"<p>Successful connection using: %s</p>\r\n" // LONG_RESPONSE
+/* Temporary, should become a runtime option later */
+// #define TEST_RENEGO
+
/*
* global options
*/
@@ -939,6 +941,34 @@
buf[written] = '\0';
printf( " %d bytes written in %d fragments\n\n%s\n", written, frags, (char *) buf );
+#ifdef TEST_RENEGO
+ /*
+ * Request renegotiation (this must be done when the client is still
+ * waiting for input from our side).
+ */
+ printf( " . Requestion renegotiation..." );
+ fflush( stdout );
+ while( ( ret = ssl_write_hello_request( &ssl ) ) != 0 )
+ {
+ if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
+ {
+ printf( " failed\n ! ssl_write_hello_request returned %d\n\n", ret );
+ goto exit;
+ }
+ }
+
+ if( ( ret = ssl_read( &ssl, buf, 0 ) ) != 0 )
+ {
+ if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
+ {
+ printf( " failed\n ! ssl_read returned %d\n\n", ret );
+ goto exit;
+ }
+ }
+
+ printf( " ok\n" );
+#endif
+
ret = 0;
goto reset;