From 44ade654c57b3f3c64897015308911e719db248f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Tue, 19 Aug 2014 13:58:40 +0200
Subject: [PATCH] Implement (partial) renego delay on client
---
 include/polarssl/ssl.h | 25 ++++++++++++++-----------
 library/ssl_cli.c | 10 ++++++++++
 2 files changed, 24 insertions(+), 11 deletions(-)
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index 6c6cb21b4..207fc03cb 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -1493,23 +1493,26 @@ void ssl_legacy_renegotiation( ssl_context *ssl, int allow_legacy );
 /**
 * \brief Enforce server-requested renegotiation.
 * (Default: enforced, max_records = 16)
- * (No effect on client.)
 *
- * When a server requests a renegotiation, the client can
- * comply or ignore the request. This function allows the
- * server to decide if it should enforce its renegotiation
- * requests by closing the connection if the client doesn't
- * initiate a renegotiation.
+ * When we request a renegotiation, the peer can comply or
+ * ignore the request. This function allows us to decide
+ * whether to enforce our renegotiation requests by closing
+ * the connection if the peer doesn't comply.
 *
- * However, records could already be in transit from the
- * client to the server when the request is emitted. In order
- * to increase reliability, the server can accept a number of
- * records containing application data before the ClientHello
- * that was requested.
+ * However, records could already be in transit from the peer
+ * when the request is emitted. In order to increase
+ * reliability, we can accept a number of records before the
+ * expected handshake records.
 *
 * The optimal value is highly dependent on the specific usage
 * scenario.
 *
+ * \warning On client, the grace period can only happen during
+ * ssl_read(), as opposed to ssl_write() and ssl_renegotiate()
+ * which always behave as if max_record was 0. The reason is,
+ * if we receive application data from the server, we need a
+ * place to write it, which only happens during ssl_read().
+ *
 * \param ssl SSL context
 * \param max_records Use SSL_RENEGOTIATION_NOT_ENFORCED if you don't want to
 * enforce renegotiation, or a non-negative value to enforce
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 089b7c96b..38f9fe720 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
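Review bot: In include/polarssl/ssl.h the new `\warning` refers to `max_record`, while the parameter documented just below it is `max_records`; the name should match so readers can tie the warning to the argument. The `\brief` line still reads "Enforce server-requested renegotiation" although the body now describes a request made by either side, so a neutral wording such as `\brief Enforce renegotiation requests.` would agree with the rewritten text. The comment block continues past the end of this hunk.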
@@ -904,6 +904,16 @@ static int ssl_parse_server_hello( ssl_context *ssl )
 {
 if( ssl->renegotiation == SSL_RENEGOTIATION )
 {
+ ssl->renego_records_seen++;
+
+ if( ssl->renego_max_records >= 0 &&
+ ssl->renego_records_seen > ssl->renego_max_records )
+ {
+ SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
+ "but not honored by server" ) );
+ return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
+ }
+
 SSL_DEBUG_MSG( 1, ( "non-handshake message during renego" ) );
 return( POLARSSL_ERR_SSL_WAITING_SERVER_HELLO_RENEGO );
 }
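Review bot: `ssl->renego_records_seen++` runs for every non-handshake record even when enforcement is off (`renego_max_records < 0`), so against a server that never honors the request the counter grows without bound; if the field is a signed int (its declaration is not in this hunk) that eventually ends in signed overflow. Counting only while a limit is active avoids this: `if( ssl->renego_max_records >= 0 && ++ssl->renego_records_seen > ssl->renego_max_records )`. The enclosing test in ssl_parse_server_hello() lies outside the hunk, but the debug text suggests any non-handshake record type uses up the grace budget, whereas the ssl.h text speaks of application data. A short comment stating which record types are counted, and where the counter is reset before the next renegotiation, would let a reader confirm the limit holds across repeated renegotiations.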