Drop renego state from context if no renego support

This commit is contained in:
Manuel Pégourié-Gonnard 2015-03-10 11:54:02 +00:00
parent d2b35ec3d3
commit 69849f8595
3 changed files with 26 additions and 15 deletions

View file

@ -794,8 +794,8 @@ struct _ssl_context
*/
int state; /*!< SSL handshake: current state */
int transport; /*!< Transport: stream or datagram */
int renegotiation; /*!< Initial or renegotiation */
#if defined(POLARSSL_SSL_RENEGOTIATION)
int renegotiation; /*!< Initial or renegotiation */
int renego_records_seen; /*!< Records since renego request, or with DTLS,
number of retransmissions of request if
renego_max_records is < 0 */

View file

@ -1495,16 +1495,11 @@ read_record_header:
if( ssl->transport == SSL_TRANSPORT_DATAGRAM )
{
/*
* Copy the client's handshake message_seq on initial handshakes
* Copy the client's handshake message_seq on initial handshakes,
* check sequence number on renego.
*/
if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
{
unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) |
ssl->in_msg[5];
ssl->handshake->out_msg_seq = cli_msg_seq;
ssl->handshake->in_msg_seq = cli_msg_seq + 1;
}
else
#if defined(POLARSSL_SSL_RENEGOTIATION)
if( ssl->renegotiation == SSL_RENEGOTIATION_IN_PROGRESS )
{
/* This couldn't be done in ssl_prepare_handshake_record() */
unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) |
@ -1520,6 +1515,14 @@ read_record_header:
ssl->handshake->in_msg_seq++;
}
else
#endif
{
unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) |
ssl->in_msg[5];
ssl->handshake->out_msg_seq = cli_msg_seq;
ssl->handshake->in_msg_seq = cli_msg_seq + 1;
}
/*
* For now we don't support fragmentation, so make sure
@ -1643,8 +1646,11 @@ read_record_header:
buf + cookie_offset + 1, cookie_len );
#if defined(POLARSSL_SSL_DTLS_HELLO_VERIFY)
if( ssl->f_cookie_check != NULL &&
ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
if( ssl->f_cookie_check != NULL
#if defined(POLARSSL_SSL_RENEGOTIATION)
&& ssl->renegotiation == SSL_INITIAL_HANDSHAKE
#endif
)
{
if( ssl->f_cookie_check( ssl->p_cookie,
buf + cookie_offset + 1, cookie_len,
@ -1941,6 +1947,7 @@ read_record_header:
if( p[0] == 0 && p[1] == SSL_EMPTY_RENEGOTIATION_INFO )
{
SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
#if defined(POLARSSL_SSL_RENEGOTIATION)
if( ssl->renegotiation == SSL_RENEGOTIATION_IN_PROGRESS )
{
SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
@ -1950,6 +1957,7 @@ read_record_header:
return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
}
#endif
ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
break;
}

View file

@ -3205,9 +3205,12 @@ static int ssl_parse_record_header( ssl_context *ssl )
/* Drop unexpected ApplicationData records,
* except at the beginning of renegotiations */
if( ssl->in_msgtype == SSL_MSG_APPLICATION_DATA &&
ssl->state != SSL_HANDSHAKE_OVER &&
! ( ssl->renegotiation == SSL_RENEGOTIATION_IN_PROGRESS &&
ssl->state == SSL_SERVER_HELLO ) )
ssl->state != SSL_HANDSHAKE_OVER
#if defined(POLARSSL_SSL_RENEGOTIATION)
&& ! ( ssl->renegotiation == SSL_RENEGOTIATION_IN_PROGRESS &&
ssl->state == SSL_SERVER_HELLO )
#endif
)
{
SSL_DEBUG_MSG( 1, ( "dropping unexpected ApplicationData" ) );
return( POLARSSL_ERR_SSL_INVALID_RECORD );