diff options
| author | jsing <> | 2025-03-12 14:03:55 +0000 |
|---|---|---|
| committer | jsing <> | 2025-03-12 14:03:55 +0000 |
| commit | cc5a28ea6d2a0de9bcd56f07684bdc53cdfd10af (patch) | |
| tree | 115a09cea80866af43519a40dfdd3e9409e4cc96 /src/lib/libssl/ssl_lib.c | |
| parent | 93373bbf82b95dab0336951cf191b5fecde0597c (diff) | |
| download | openbsd-cc5a28ea6d2a0de9bcd56f07684bdc53cdfd10af.tar.gz openbsd-cc5a28ea6d2a0de9bcd56f07684bdc53cdfd10af.tar.bz2 openbsd-cc5a28ea6d2a0de9bcd56f07684bdc53cdfd10af.zip | |
Provide SSL_OP_NO_RENEGOTIATION and SSL_OP_ALLOW_CLIENT_RENEGOTIATION.
In January 2017 we added SSL_OP_NO_CLIENT_RENEGOTIATION, which results in a
SSL_AD_NO_RENEGOTIATION fatal alert if a ClientHello message is seen on an
active connection (client initiated renegotation). Then in May 2017 OpenSSL
added SSL_OP_NO_RENEGOTIATION, which results in a SSL_AD_NO_RENEGOTIATION
warning alert if a server receives a ClientHello on an active connection
(client initiated renegotation), or a client receives a HelloRequest
(server requested renegotation). This option also causes calls to
SSL_renegotiate() and SSL_renegotiate_abbreviated() to fail. Then in 2021,
OpenSSL also added SSL_OP_ALLOW_CLIENT_RENEGOTIATION, which trumps
SSL_OP_NO_RENEGOTIATION but only for incoming ClientHello messages
(apparently unsetting SSL_OP_NO_RENEGOTIATION is too hard).
Provide SSL_OP_NO_RENEGOTIATION and SSL_OP_ALLOW_CLIENT_RENEGOTIATION,
primarily to make life easier for ports. If SSL_OP_NO_CLIENT_RENEGOTIATION
is set it will take precedence and render SSL_OP_ALLOW_CLIENT_RENEGOTIATION
ineffective. The rest of the behaviour should match OpenSSL, with the
exception of ClientHellos triggering fatal alerts instead of warnings.
ok tb@
Diffstat (limited to 'src/lib/libssl/ssl_lib.c')
| -rw-r--r-- | src/lib/libssl/ssl_lib.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c index 63d72baf8e..ce68981493 100644 --- a/src/lib/libssl/ssl_lib.c +++ b/src/lib/libssl/ssl_lib.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_lib.c,v 1.330 2024/09/22 14:59:48 tb Exp $ */ | 1 | /* $OpenBSD: ssl_lib.c,v 1.331 2025/03/12 14:03:55 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1308,6 +1308,11 @@ LSSL_ALIAS(SSL_shutdown); | |||
| 1308 | int | 1308 | int |
| 1309 | SSL_renegotiate(SSL *s) | 1309 | SSL_renegotiate(SSL *s) |
| 1310 | { | 1310 | { |
| 1311 | if ((s->options & SSL_OP_NO_RENEGOTIATION) != 0) { | ||
| 1312 | SSLerror(s, SSL_R_NO_RENEGOTIATION); | ||
| 1313 | return 0; | ||
| 1314 | } | ||
| 1315 | |||
| 1311 | if (s->renegotiate == 0) | 1316 | if (s->renegotiate == 0) |
| 1312 | s->renegotiate = 1; | 1317 | s->renegotiate = 1; |
| 1313 | 1318 | ||
| @@ -1320,6 +1325,11 @@ LSSL_ALIAS(SSL_renegotiate); | |||
| 1320 | int | 1325 | int |
| 1321 | SSL_renegotiate_abbreviated(SSL *s) | 1326 | SSL_renegotiate_abbreviated(SSL *s) |
| 1322 | { | 1327 | { |
| 1328 | if ((s->options & SSL_OP_NO_RENEGOTIATION) != 0) { | ||
| 1329 | SSLerror(s, SSL_R_NO_RENEGOTIATION); | ||
| 1330 | return 0; | ||
| 1331 | } | ||
| 1332 | |||
| 1323 | if (s->renegotiate == 0) | 1333 | if (s->renegotiate == 0) |
| 1324 | s->renegotiate = 1; | 1334 | s->renegotiate = 1; |
| 1325 | 1335 | ||