Implement (partial) renego delay on client

Manuel Pégourié-Gonnard 2014-08-19 13:58:40 +02:00
parent f07f421759
commit 44ade654c5
2 changed files with 24 additions and 11 deletions


@ -1493,23 +1493,26 @@ void ssl_legacy_renegotiation( ssl_context *ssl, int allow_legacy );
/** /**
* \brief Enforce server-requested renegotiation. * \brief Enforce server-requested renegotiation.
* (Default: enforced, max_records = 16) * (Default: enforced, max_records = 16)
* (No effect on client.)
* *
* When a server requests a renegotiation, the client can * When we request a renegotiation, the peer can comply or
* comply or ignore the request. This function allows the * ignore the request. This function allows us to decide
* server to decide if it should enforce its renegotiation * whether to enforce our renegotiation requests by closing
* requests by closing the connection if the client doesn't * the connection if the peer doesn't comply.
* initiate a renegotiation.
* *
* However, records could already be in transit from the * However, records could already be in transit from the peer
* client to the server when the request is emitted. In order * when the request is emitted. In order to increase
* to increase reliability, the server can accept a number of * reliability, we can accept a number of records before the
* records containing application data before the ClientHello * expected handshake records.
* that was requested.
* *
* The optimal value is highly dependent on the specific usage * The optimal value is highly dependent on the specific usage
* scenario. * scenario.
* *
* \warning On client, the grace period can only happen during
* ssl_read(), as opposed to ssl_write() and ssl_renegotiate()
* which always behave as if max_record was 0. The reason is,
* if we receive application data from the server, we need a
* place to write it, which only happens during ssl_read().
*
* \param ssl SSL context * \param ssl SSL context
* \param max_records Use SSL_RENEGOTIATION_NOT_ENFORCED if you don't want to * \param max_records Use SSL_RENEGOTIATION_NOT_ENFORCED if you don't want to
* enforce renegotiation, or a non-negative value to enforce * enforce renegotiation, or a non-negative value to enforce
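Review bot: The new `\warning` paragraph refers to `max_record`, but the parameter documented just below it is `max_records`; the sentence should read `which always behave as if max_records was 0`. The unchanged `\brief` line still says "Enforce server-requested renegotiation" although the rewritten body now describes either endpoint ("When we request a renegotiation, the peer can comply or ignore the request"), so a peer-neutral brief such as `\brief Enforce renegotiation requests.` would match the new text. The comment block continues past the end of the hunk.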


@ -904,6 +904,16 @@ static int ssl_parse_server_hello( ssl_context *ssl )
{ {
if( ssl->renegotiation == SSL_RENEGOTIATION ) if( ssl->renegotiation == SSL_RENEGOTIATION )
{ {
ssl->renego_records_seen++;
if( ssl->renego_max_records >= 0 &&
ssl->renego_records_seen > ssl->renego_max_records )
{
SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
"but not honored by server" ) );
return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
}
SSL_DEBUG_MSG( 1, ( "non-handshake message during renego" ) ); SSL_DEBUG_MSG( 1, ( "non-handshake message during renego" ) );
return( POLARSSL_ERR_SSL_WAITING_SERVER_HELLO_RENEGO ); return( POLARSSL_ERR_SSL_WAITING_SERVER_HELLO_RENEGO );
} }
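Review bot: `ssl->renego_records_seen++` runs for every non-handshake record, including when `renego_max_records` is negative and enforcement is off, so on a long-lived connection whose server never answers the renegotiation request the counter grows without bound; if the field is a signed int (its declaration is not in this hunk) that eventually overflows. Folding the increment into the enforced branch avoids this: `if( ssl->renego_max_records >= 0 && ++ssl->renego_records_seen > ssl->renego_max_records )`. The hunk also does not show where the counter is reset once the handshake completes or a new renegotiation starts, which is worth confirming because a stale count would shorten the grace period of the next renegotiation. ssl_parse_server_hello starts and ends outside the hunk.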