mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2025-01-25 17:40:58 +00:00
Implement (partial) renego delay on client
This commit is contained in:
parent
f07f421759
commit
44ade654c5
|
@ -1493,23 +1493,26 @@ void ssl_legacy_renegotiation( ssl_context *ssl, int allow_legacy );
|
||||||
/**
|
/**
|
||||||
* \brief Enforce server-requested renegotiation.
|
* \brief Enforce server-requested renegotiation.
|
||||||
* (Default: enforced, max_records = 16)
|
* (Default: enforced, max_records = 16)
|
||||||
* (No effect on client.)
|
|
||||||
*
|
*
|
||||||
* When a server requests a renegotiation, the client can
|
* When we request a renegotiation, the peer can comply or
|
||||||
* comply or ignore the request. This function allows the
|
* ignore the request. This function allows us to decide
|
||||||
* server to decide if it should enforce its renegotiation
|
* whether to enforce our renegotiation requests by closing
|
||||||
* requests by closing the connection if the client doesn't
|
* the connection if the peer doesn't comply.
|
||||||
* initiate a renegotiation.
|
|
||||||
*
|
*
|
||||||
* However, records could already be in transit from the
|
* However, records could already be in transit from the peer
|
||||||
* client to the server when the request is emitted. In order
|
* when the request is emitted. In order to increase
|
||||||
* to increase reliability, the server can accept a number of
|
* reliability, we can accept a number of records before the
|
||||||
* records containing application data before the ClientHello
|
* expected handshake records.
|
||||||
* that was requested.
|
|
||||||
*
|
*
|
||||||
* The optimal value is highly dependent on the specific usage
|
* The optimal value is highly dependent on the specific usage
|
||||||
* scenario.
|
* scenario.
|
||||||
*
|
*
|
||||||
|
* \warning On client, the grace period can only happen during
|
||||||
|
* ssl_read(), as opposed to ssl_write() and ssl_renegotiate()
|
||||||
|
* which always behave as if max_record was 0. The reason is,
|
||||||
|
* if we receive application data from the server, we need a
|
||||||
|
* place to write it, which only happens during ssl_read().
|
||||||
|
*
|
||||||
* \param ssl SSL context
|
* \param ssl SSL context
|
||||||
* \param max_records Use SSL_RENEGOTIATION_NOT_ENFORCED if you don't want to
|
* \param max_records Use SSL_RENEGOTIATION_NOT_ENFORCED if you don't want to
|
||||||
* enforce renegotiation, or a non-negative value to enforce
|
* enforce renegotiation, or a non-negative value to enforce
|
||||||
|
|
|
@ -904,6 +904,16 @@ static int ssl_parse_server_hello( ssl_context *ssl )
|
||||||
{
|
{
|
||||||
if( ssl->renegotiation == SSL_RENEGOTIATION )
|
if( ssl->renegotiation == SSL_RENEGOTIATION )
|
||||||
{
|
{
|
||||||
|
ssl->renego_records_seen++;
|
||||||
|
|
||||||
|
if( ssl->renego_max_records >= 0 &&
|
||||||
|
ssl->renego_records_seen > ssl->renego_max_records )
|
||||||
|
{
|
||||||
|
SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
|
||||||
|
"but not honored by server" ) );
|
||||||
|
return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
|
||||||
|
}
|
||||||
|
|
||||||
SSL_DEBUG_MSG( 1, ( "non-handshake message during renego" ) );
|
SSL_DEBUG_MSG( 1, ( "non-handshake message during renego" ) );
|
||||||
return( POLARSSL_ERR_SSL_WAITING_SERVER_HELLO_RENEGO );
|
return( POLARSSL_ERR_SSL_WAITING_SERVER_HELLO_RENEGO );
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue