| author | jsing <> | 2017-01-31 15:35:46 +0000 |
|---|---|---|
| committer | jsing <> | 2017-01-31 15:35:46 +0000 |
| commit | 3ad3f36472b7244bbdcd534b2487fb1c780509fa (patch) | |
| tree | 512d2ad81e2e679a30bbc15a035dc65de38f9de0 /src | |
| parent | 246deb4bbd4aa0deb89c6c0051f717622541248e (diff) | |
Provide an SSL_OP_NO_CLIENT_RENEGOTIATION option that disallows
client-initiated renegotiation. The current default behaviour remains
unchanged.
ok beck@ reyk@
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libssl/ssl.h | 4 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_pkt.c | 10 |
2 files changed, 12 insertions, 2 deletions
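--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.125 2017/01/26 07:20:57 beck Exp $ */
+/* $OpenBSD: ssl.h,v 1.126 2017/01/31 15:35:46 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -501,6 +501,8 @@ struct ssl_session_st {
 
 /* As server, disallow session resumption on renegotiation */
 #define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0x00010000L
+/* Disallow client initiated renegotiation. */
+#define SSL_OP_NO_CLIENT_RENEGOTIATION 0x00020000L
 /* If set, always create a new key when using tmp_ecdh parameters */
 #define SSL_OP_SINGLE_ECDH_USE 0x00080000L
 /* If set, always create a new key when using tmp_dh parameters */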
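Review bot: The comment on `SSL_OP_NO_CLIENT_RENEGOTIATION` (new line 504) does not say that the option only takes effect on the server side, unlike the comment on the define just above it, which opens with "As server". The check this commit adds in ssl_pkt.c is gated on `s->server`, so setting the flag on a client connection changes nothing. I would word it `/* As server, disallow client initiated renegotiation (off by default). */` so that an operator who wants to bound renegotiation load knows it is opt-in and where it applies.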
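--- a/src/lib/libssl/ssl_pkt.c
+++ b/src/lib/libssl/ssl_pkt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_pkt.c,v 1.8 2017/01/29 15:31:15 jsing Exp $ */
+/* $OpenBSD: ssl_pkt.c,v 1.9 2017/01/31 15:35:46 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1136,6 +1136,14 @@ start:
  * now try again to obtain the (application) data we were asked for */
 goto start;
 }
+/* Disallow client initiated renegotiation if configured. */
+if (s->server && SSL_is_init_finished(s) &&
+S3I(s)->handshake_fragment_len >= 4 &&
+S3I(s)->handshake_fragment[0] == SSL3_MT_CLIENT_HELLO &&
+(s->internal->options & SSL_OP_NO_CLIENT_RENEGOTIATION)) {
+al = SSL_AD_NO_RENEGOTIATION;
+goto f_err;
+}
 /* If we are a server and get a client hello when renegotiation isn't
  * allowed send back a no renegotiation alert and carry on.
  * WARNING: experimental code, needs reviewing (steve)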
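Review bot: The new branch at new lines 1140-1146 jumps to `f_err` without queueing an error first, so an application whose read fails finds nothing on the error stack saying that the peer attempted a renegotiation. If this is ssl3_read_bytes, as the `start:` label and the handshake_fragment handling suggest, adding `SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_NO_RENEGOTIATION);` before `goto f_err;` would make the refusal visible to logging and monitoring. The comment could also state that this path terminates the connection, whereas the existing block directly below sends a no_renegotiation alert and carries on. The `f_err` label and the rest of the function lie outside the hunk, so the alert level actually sent is inferred rather than visible here.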
