From cc5a28ea6d2a0de9bcd56f07684bdc53cdfd10af Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Wed, 12 Mar 2025 14:03:55 +0000
Subject: Provide SSL_OP_NO_RENEGOTIATION and
 SSL_OP_ALLOW_CLIENT_RENEGOTIATION.

In January 2017 we added SSL_OP_NO_CLIENT_RENEGOTIATION, which results in a
SSL_AD_NO_RENEGOTIATION fatal alert if a ClientHello message is seen on an
active connection (client initiated renegotation). Then in May 2017 OpenSSL
added SSL_OP_NO_RENEGOTIATION, which results in a SSL_AD_NO_RENEGOTIATION
warning alert if a server receives a ClientHello on an active connection
(client initiated renegotation), or a client receives a HelloRequest
(server requested renegotation). This option also causes calls to
SSL_renegotiate() and SSL_renegotiate_abbreviated() to fail. Then in 2021,
OpenSSL also added SSL_OP_ALLOW_CLIENT_RENEGOTIATION, which trumps
SSL_OP_NO_RENEGOTIATION but only for incoming ClientHello messages
(apparently unsetting SSL_OP_NO_RENEGOTIATION is too hard).

Provide SSL_OP_NO_RENEGOTIATION and SSL_OP_ALLOW_CLIENT_RENEGOTIATION,
primarily to make life easier for ports. If SSL_OP_NO_CLIENT_RENEGOTIATION
is set it will take precedence and render SSL_OP_ALLOW_CLIENT_RENEGOTIATION
ineffective. The rest of the behaviour should match OpenSSL, with the
exception of ClientHellos triggering fatal alerts instead of warnings.

ok tb@
---
 src/lib/libssl/d1_pkt.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

(limited to 'src/lib/libssl/d1_pkt.c')

diff --git a/src/lib/libssl/d1_pkt.c b/src/lib/libssl/d1_pkt.c
index cf32ca8cd6..8ba0bb0bcf 100644
--- a/src/lib/libssl/d1_pkt.c
+++ b/src/lib/libssl/d1_pkt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_pkt.c,v 1.129 2024/07/20 04:04:23 jsing Exp $ */
+/* $OpenBSD: d1_pkt.c,v 1.130 2025/03/12 14:03:55 jsing Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -592,6 +592,12 @@ dtls1_read_handshake_unexpected(SSL *s)
 		tls_content_clear(s->s3->rcontent);
 		s->s3->rrec.length = 0;
 
+		if ((s->options & SSL_OP_NO_RENEGOTIATION) != 0) {
+			ssl3_send_alert(s, SSL3_AL_WARNING,
+			    SSL_AD_NO_RENEGOTIATION);
+			return 1;
+		}
+
 		/*
 		 * It should be impossible to hit this, but keep the safety
 		 * harness for now...
@@ -644,7 +650,9 @@ dtls1_read_handshake_unexpected(SSL *s)
 			return -1;
 		}
 
-		if ((s->options & SSL_OP_NO_CLIENT_RENEGOTIATION) != 0) {
+		if ((s->options & SSL_OP_NO_CLIENT_RENEGOTIATION) != 0 ||
+		    ((s->options & SSL_OP_NO_RENEGOTIATION) != 0 &&
+		    (s->options & SSL_OP_ALLOW_CLIENT_RENEGOTIATION) == 0)) {
 			ssl3_send_alert(s, SSL3_AL_FATAL,
 			    SSL_AD_NO_RENEGOTIATION);
 			return -1;
-- 
cgit v1.2.3-55-g6feb