From 53b3e0603b592c61d9c0a49a8082feb62e253856 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 29 Oct 2013 18:16:38 +0100 Subject: [PATCH 1/8] Add code for testing client-initiated renegotiation --- programs/ssl/ssl_client2.c | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 247abbe05..6879f3e5b 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -71,6 +71,9 @@ * longer paquets (for fragmentation purposes) */ #define GET_REQUEST "GET %s HTTP/1.0\r\n" /* LONG_HEADER */ "\r\n" +/* Temporary, should become a runtime option later */ +// #define TEST_RENEGO + /* * global options */ @@ -792,6 +795,24 @@ int main( int argc, char *argv[] ) } #endif /* POLARSSL_X509_CRT_PARSE_C */ +#ifdef TEST_RENEGO + /* + * Perform renegotiation (this must be done when the server is waiting + * for input from our side). + */ + printf( " . Performing renegotiation..." ); + fflush( stdout ); + while( ( ret = ssl_renegotiate( &ssl ) ) != 0 ) + { + if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE ) + { + printf( " failed\n ! ssl_renegotiate returned %d\n\n", ret ); + goto exit; + } + } + printf( " ok\n" ); +#endif + /* * 6. Write the GET request */ From f3dc2f6a1d083349c7fcc365ae4ce34563fcc4ba Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 29 Oct 2013 18:17:41 +0100 Subject: [PATCH 2/8] Add code for testing server-initiated renegotiation --- include/polarssl/ssl.h | 2 ++ library/ssl_srv.c | 24 ++++++++++++++++++++++++ library/ssl_tls.c | 3 ++- programs/ssl/ssl_server2.c | 32 +++++++++++++++++++++++++++++++- 4 files changed, 59 insertions(+), 2 deletions(-) diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h index e75f9d7b3..cbec35216 100644 --- a/include/polarssl/ssl.h +++ b/include/polarssl/ssl.h 
@@ -1565,6 +1565,8 @@ static inline x509_crt *ssl_own_cert( ssl_context *ssl ) } #endif /* POLARSSL_X509_CRT_PARSE_C */ +int ssl_write_hello_request( ssl_context *ssl ); + #ifdef __cplusplus } #endif diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 7d81fc90c..66ba58a1a 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -335,6 +335,30 @@ static int ssl_parse_ticket( ssl_context *ssl, } #endif /* POLARSSL_SSL_SESSION_TICKETS */ +/* + * Write HelloRequest to request renegotiation + */ +int ssl_write_hello_request( ssl_context *ssl ) +{ + int ret; + + SSL_DEBUG_MSG( 2, ( "=> write hello request" ) ); + + ssl->out_msglen = 4; + ssl->out_msgtype = SSL_MSG_HANDSHAKE; + ssl->out_msg[0] = SSL_HS_HELLO_REQUEST; + + if( ( ret = ssl_write_record( ssl ) ) != 0 ) + { + SSL_DEBUG_RET( 1, "ssl_write_record", ret ); + return( ret ); + } + + SSL_DEBUG_MSG( 2, ( "<= write hello request" ) ); + + return( 0 ); +} + #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION) /* * Wrapper around f_sni, allowing use of ssl_set_own_cert() but diff --git a/library/ssl_tls.c b/library/ssl_tls.c index b8bc18831..e636f9d31 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1930,7 +1930,8 @@ int ssl_write_record( ssl_context *ssl ) ssl->out_msg[2] = (unsigned char)( ( len - 4 ) >> 8 ); ssl->out_msg[3] = (unsigned char)( ( len - 4 ) ); - ssl->handshake->update_checksum( ssl, ssl->out_msg, len ); + if( ssl->out_msg[0] != SSL_HS_HELLO_REQUEST ) + ssl->handshake->update_checksum( ssl, ssl->out_msg, len ); } #if defined(POLARSSL_ZLIB_SUPPORT) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 8e7ee0e99..890c11955 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -50,7 +50,6 @@ #endif #define DFL_SERVER_PORT 4433 -#define DFL_REQUEST_PAGE "/" #define DFL_DEBUG_LEVEL 0 #define DFL_CA_FILE "" #define DFL_CA_PATH "" @@ -84,6 +83,9 @@ "
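Review bot: The new `if( ssl->out_msg[0] != SSL_HS_HELLO_REQUEST )` guard in ssl_write_record needs a comment, because it does two things at once: it keeps HelloRequest out of the handshake hash, as RFC 5246 §7.4.1.1 requires, and it avoids a NULL dereference, since `ssl->handshake` is freed and set to NULL in ssl_handshake_wrapup (visible in the patch 4 hunk) and a HelloRequest is only ever written after the handshake is over. Suggested comment above the check: `/* HelloRequest is excluded from the handshake hash (RFC 5246 7.4.1.1); ssl->handshake is also NULL by the time one is sent */`. The enclosing ssl_write_record body starts and ends outside the hunk, so whether this branch is only reached for SSL_MSG_HANDSHAKE records cannot be confirmed from here.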

PolarSSL Test Server

\r\n" \ "

Successful connection using: %s

\r\n" // LONG_RESPONSE +/* Temporary, should become a runtime option later */ +// #define TEST_RENEGO + /* * global options */ @@ -939,6 +941,34 @@ reset: buf[written] = '\0'; printf( " %d bytes written in %d fragments\n\n%s\n", written, frags, (char *) buf ); +#ifdef TEST_RENEGO + /* + * Request renegotiation (this must be done when the client is still + * waiting for input from our side). + */ + printf( " . Requestion renegotiation..." ); + fflush( stdout ); + while( ( ret = ssl_write_hello_request( &ssl ) ) != 0 ) + { + if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE ) + { + printf( " failed\n ! ssl_write_hello_request returned %d\n\n", ret ); + goto exit; + } + } + + if( ( ret = ssl_read( &ssl, buf, 0 ) ) != 0 ) + { + if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE ) + { + printf( " failed\n ! ssl_read returned %d\n\n", ret ); + goto exit; + } + } + + printf( " ok\n" ); +#endif + ret = 0; goto reset; From e5e1bb972cc8b4f316b3eff12e9e18ae88a36262 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 30 Oct 2013 11:25:30 +0100 Subject: [PATCH 3/8] Fix misplaced initialisation --- library/ssl_tls.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index e636f9d31..6dd5cc0ac 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -3277,6 +3277,10 @@ static int ssl_handshake_init( ssl_context *ssl ) ecdh_init( &ssl->handshake->ecdh_ctx ); #endif +#if defined(POLARSSL_X509_CRT_PARSE_C) + ssl->handshake->key_cert = ssl->key_cert; +#endif + return( 0 ); } @@ -3951,10 +3955,6 @@ int ssl_handshake( ssl_context *ssl ) SSL_DEBUG_MSG( 2, ( "=> handshake" ) ); -#if defined(POLARSSL_X509_CRT_PARSE_C) - ssl->handshake->key_cert = ssl->key_cert; -#endif - while( ssl->state != SSL_HANDSHAKE_OVER ) { ret = ssl_handshake_step( ssl ); From caed0541a0646684745b19d1f4e6d4e7e2cd59d2 Mon Sep 17 00:00:00 2001 
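Review bot: `printf( " . Requestion renegotiation..." );` has a typo in the user-visible string and should read `" . Requesting renegotiation..."`; the same string survives unchanged into the ssl_server2.c hunk of patch 6. Separately, `ssl_read( &ssl, buf, 0 )` is called once rather than in a retry loop, so a renegotiation that needs more than one I/O round returns POLARSSL_ERR_NET_WANT_READ and is then reported as `ok` by the following printf; patch 6 adds a comment calling this a local-test shortcut, which is acceptable for the test program but should be stated so nobody copies the pattern into a real server. The enclosing main() continues outside the hunk.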
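Review bot: The move of `ssl->handshake->key_cert = ssl->key_cert;` into ssl_handshake_init is explained only by the subject line "Fix misplaced initialisation", and a one-line comment at the new location would spare the next reader from re-deriving the reason. Presumably the point is that ssl_handshake_init is the common setup path, so the assignment now also runs for callers that drive the handshake through ssl_handshake_step() without calling ssl_handshake(), and for the renegotiation path that calls ssl_handshake_init directly (visible in patch 4); worth confirming, then documenting as `/* Done here rather than in ssl_handshake() so ssl_handshake_step() and renegotiation see it too */`.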
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 30 Oct 2013 12:47:35 +0100 Subject: [PATCH 4/8] Allow ssl_renegotiate() to be called in a loop Previously broken if waiting for network I/O in the middle of a re-handshake initiated by the client. --- include/polarssl/ssl.h | 3 ++- library/ssl_tls.c | 21 +++++++++++++++------ 2 files changed, 17 insertions(+), 7 deletions(-) diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h index cbec35216..6808487d8 100644 --- a/include/polarssl/ssl.h +++ b/include/polarssl/ssl.h @@ -200,7 +200,8 @@ #define SSL_VERIFY_REQUIRED 2 #define SSL_INITIAL_HANDSHAKE 0 -#define SSL_RENEGOTIATION 1 +#define SSL_RENEGOTIATION 1 /* In progress */ +#define SSL_RENEGOTIATION_DONE 2 /* Done */ #define SSL_LEGACY_RENEGOTIATION 0 #define SSL_SECURE_RENEGOTIATION 1 diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 6dd5cc0ac..f6f3e109d 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -3023,6 +3023,9 @@ void ssl_handshake_wrapup( ssl_context *ssl ) polarssl_free( ssl->handshake ); ssl->handshake = NULL; + if( ssl->renegotiation == SSL_RENEGOTIATION ) + ssl->renegotiation = SSL_RENEGOTIATION_DONE; + /* * Switch in our now active transform context */ @@ -3977,14 +3980,20 @@ int ssl_renegotiate( ssl_context *ssl ) SSL_DEBUG_MSG( 2, ( "=> renegotiate" ) ); - if( ssl->state != SSL_HANDSHAKE_OVER ) - return( POLARSSL_ERR_SSL_BAD_INPUT_DATA ); + /* + * If renegotiation is already in progress, skip checks/init + */ + if( ssl->renegotiation != SSL_RENEGOTIATION ) + { + if( ssl->state != SSL_HANDSHAKE_OVER ) + return( POLARSSL_ERR_SSL_BAD_INPUT_DATA ); - ssl->state = SSL_HELLO_REQUEST; - ssl->renegotiation = SSL_RENEGOTIATION; + if( ( ret = ssl_handshake_init( ssl ) ) != 0 ) + return( ret ); - if( ( ret = ssl_handshake_init( ssl ) ) != 0 ) - return( ret ); + ssl->state = SSL_HELLO_REQUEST; + ssl->renegotiation = SSL_RENEGOTIATION; + } if( ( ret = ssl_handshake( ssl ) ) != 0 ) { 
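Review bot: Introducing `SSL_RENEGOTIATION_DONE` as a third value of `ssl->renegotiation` changes the meaning of every existing comparison against SSL_INITIAL_HANDSHAKE and SSL_RENEGOTIATION elsewhere in ssl_cli.c, ssl_srv.c and ssl_tls.c (not visible in these hunks): after a completed renegotiation those sites see a value that is neither, so each should be checked for whether it really wants `== SSL_INITIAL_HANDSHAKE` or `!= SSL_RENEGOTIATION`. The transition in ssl_handshake_wrapup is the right place for it, but the header comments `/* In progress */` and `/* Done */` would be more useful if they said who sets each value, e.g. `/* Done: set by ssl_handshake_wrapup(), cleared by the next ssl_renegotiate() */`. The "already in progress" shortcut in ssl_renegotiate relies on `ssl->renegotiation == SSL_RENEGOTIATION` meaning a re-handshake is mid-flight, which holds only because wrapup always moves the state to DONE on success; that coupling deserves a comment on the shortcut as well.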
From 214eed38c740614c0842bd90e97accca4a600b90 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 30 Oct 2013 13:06:54 +0100 Subject: [PATCH 5/8] Make ssl_renegotiate the only interface ssl_write_hello_request() is no private --- include/polarssl/ssl.h | 2 -- library/ssl_srv.c | 24 --------------------- library/ssl_tls.c | 48 ++++++++++++++++++++++++++++++++++++++---- 3 files changed, 44 insertions(+), 30 deletions(-) diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h index 6808487d8..e15efad00 100644 --- a/include/polarssl/ssl.h +++ b/include/polarssl/ssl.h @@ -1566,8 +1566,6 @@ static inline x509_crt *ssl_own_cert( ssl_context *ssl ) } #endif /* POLARSSL_X509_CRT_PARSE_C */ -int ssl_write_hello_request( ssl_context *ssl ); - #ifdef __cplusplus } #endif diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 66ba58a1a..7d81fc90c 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -335,30 +335,6 @@ static int ssl_parse_ticket( ssl_context *ssl, } #endif /* POLARSSL_SSL_SESSION_TICKETS */ -/* - * Write HelloRequest to request renegotiation - */ -int ssl_write_hello_request( ssl_context *ssl ) -{ - int ret; - - SSL_DEBUG_MSG( 2, ( "=> write hello request" ) ); - - ssl->out_msglen = 4; - ssl->out_msgtype = SSL_MSG_HANDSHAKE; - ssl->out_msg[0] = SSL_HS_HELLO_REQUEST; - - if( ( ret = ssl_write_record( ssl ) ) != 0 ) - { - SSL_DEBUG_RET( 1, "ssl_write_record", ret ); - return( ret ); - } - - SSL_DEBUG_MSG( 2, ( "<= write hello request" ) ); - - return( 0 ); -} - #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION) /* * Wrapper around f_sni, allowing use of ssl_set_own_cert() but diff --git a/library/ssl_tls.c b/library/ssl_tls.c index f6f3e109d..00372f962 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
@@ -3972,9 +3972,37 @@ int ssl_handshake( ssl_context *ssl ) } /* - * Renegotiate current connection + * Write HelloRequest to request renegotiation on server */ -int ssl_renegotiate( ssl_context *ssl ) +static int ssl_write_hello_request( ssl_context *ssl ) +{ + int ret; + + SSL_DEBUG_MSG( 2, ( "=> write hello request" ) ); + + ssl->out_msglen = 4; + ssl->out_msgtype = SSL_MSG_HANDSHAKE; + ssl->out_msg[0] = SSL_HS_HELLO_REQUEST; + + if( ( ret = ssl_write_record( ssl ) ) != 0 ) + { + SSL_DEBUG_RET( 1, "ssl_write_record", ret ); + return( ret ); + } + + SSL_DEBUG_MSG( 2, ( "<= write hello request" ) ); + + return( 0 ); +} + +/* + * Actually renegotiate current connection, triggered by either: + * - calling ssl_renegotiate() on client, + * - receiving a HelloRequestion on client during ssl_read(), + * - receiving any handshake message on server during ssl_read() after the + * initial handshake is completed + */ +static int ssl_do_renegotiate( ssl_context *ssl ) { int ret; @@ -4006,6 +4034,18 @@ int ssl_renegotiate( ssl_context *ssl ) return( 0 ); } +/* + * Renegotiate current connection on client, + * or request renegotiation on server + */ +int ssl_renegotiate( ssl_context *ssl ) +{ + if( ssl->endpoint == SSL_IS_CLIENT ) + return( ssl_do_renegotiate( ssl ) ); + else + return( ssl_write_hello_request( ssl ) ); +} + /* * Receive application data decrypted from the SSL layer */ @@ -4101,9 +4141,9 @@ int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len ) } else { - if( ( ret = ssl_renegotiate( ssl ) ) != 0 ) + if( ( ret = ssl_do_renegotiate( ssl ) ) != 0 ) { - SSL_DEBUG_RET( 1, "ssl_renegotiate", ret ); + SSL_DEBUG_RET( 1, "ssl_do_renegotiate", ret ); return( ret ); } From 9c1e1898b65427f3d2e5e4c13ed6578d61b3d6d9 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 30 Oct 2013 16:41:21 +0100 Subject: [PATCH 6/8] Move some code around, improve documentation --- include/polarssl/ssl.h | 5 ++- library/ssl_tls.c | 65 ++++++++++++++++++++++++++------------ programs/ssl/ssl_client2.c | 2 +- programs/ssl/ssl_server2.c | 11 +++++-- 4 files changed, 58 insertions(+), 25 deletions(-) diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h index e15efad00..50ff9864e 100644 --- a/include/polarssl/ssl.h +++ b/include/polarssl/ssl.h @@ -1422,7 +1422,10 @@ int ssl_handshake( ssl_context *ssl ); int ssl_handshake_step( ssl_context *ssl ); /** - * \brief Perform an SSL renegotiation on the running connection + * \brief Initiate an SSL renegotiation on the running connection. + * Client: perform the renegotiation right now. + * Server: request renegotiation, which will be performed + * during the next call to ssl_read() if honored by client. * * \param ssl SSL context * diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 00372f962..94d9edf27 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
@@ -3998,30 +3998,23 @@ static int ssl_write_hello_request( ssl_context *ssl ) /* * Actually renegotiate current connection, triggered by either: * - calling ssl_renegotiate() on client, - * - receiving a HelloRequestion on client during ssl_read(), + * - receiving a HelloRequest on client during ssl_read(), * - receiving any handshake message on server during ssl_read() after the * initial handshake is completed + * If the handshake doesn't complete due to waiting for I/O, it will continue + * during the next calls to ssl_renegotiate() or ssl_read() respectively. */ -static int ssl_do_renegotiate( ssl_context *ssl ) +static int ssl_start_renegotiation( ssl_context *ssl ) { int ret; SSL_DEBUG_MSG( 2, ( "=> renegotiate" ) ); - /* - * If renegotiation is already in progress, skip checks/init - */ - if( ssl->renegotiation != SSL_RENEGOTIATION ) - { - if( ssl->state != SSL_HANDSHAKE_OVER ) - return( POLARSSL_ERR_SSL_BAD_INPUT_DATA ); + if( ( ret = ssl_handshake_init( ssl ) ) != 0 ) + return( ret ); - if( ( ret = ssl_handshake_init( ssl ) ) != 0 ) - return( ret ); - - ssl->state = SSL_HELLO_REQUEST; - ssl->renegotiation = SSL_RENEGOTIATION; - } + ssl->state = SSL_HELLO_REQUEST; + ssl->renegotiation = SSL_RENEGOTIATION; if( ( ret = ssl_handshake( ssl ) ) != 0 ) { 
@@ -4040,10 +4033,42 @@ static int ssl_do_renegotiate( ssl_context *ssl ) */ int ssl_renegotiate( ssl_context *ssl ) { - if( ssl->endpoint == SSL_IS_CLIENT ) - return( ssl_do_renegotiate( ssl ) ); - else + int ret; + + /* On server, just send the request */ + if( ssl->endpoint == SSL_IS_SERVER ) + { + if( ssl->state != SSL_HANDSHAKE_OVER ) + return( POLARSSL_ERR_SSL_BAD_INPUT_DATA ); + return( ssl_write_hello_request( ssl ) ); + } + + /* + * On client, either start the renegotiation process or, + * if already in progress, continue the handshake + */ + if( ssl->renegotiation != SSL_RENEGOTIATION ) + { + if( ssl->state != SSL_HANDSHAKE_OVER ) + return( POLARSSL_ERR_SSL_BAD_INPUT_DATA ); + + if( ( ret = ssl_start_renegotiation( ssl ) ) != 0 ) + { + SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret ); + return( ret ); + } + } + else + { + if( ( ret = ssl_handshake( ssl ) ) != 0 ) + { + SSL_DEBUG_RET( 1, "ssl_handshake", ret ); + return( ret ); + } + } + + return( 0 ); } /* @@ -4141,9 +4166,9 @@ int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len ) } else { - if( ( ret = ssl_do_renegotiate( ssl ) ) != 0 ) + if( ( ret = ssl_start_renegotiation( ssl ) ) != 0 ) { - SSL_DEBUG_RET( 1, "ssl_do_renegotiate", ret ); + SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret ); return( ret ); } diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 6879f3e5b..e4a1426a3 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -71,7 +71,7 @@ * longer paquets (for fragmentation purposes) */ #define GET_REQUEST "GET %s HTTP/1.0\r\n" /* LONG_HEADER */ "\r\n" -/* Temporary, should become a runtime option later */ +/* Uncomment to test client-initiated renegotiation */ // #define TEST_RENEGO /* diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 890c11955..d35ab77d7 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -83,7 +83,7 @@ "
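Review bot: The server branch of ssl_renegotiate sends a HelloRequest after checking only `ssl->state != SSL_HANDSHAKE_OVER`; nothing here consults the context's renegotiation-enabled setting (ssl_set_renegotiation() / SSL_RENEGOTIATION_DISABLED, if that is the mechanism in this tree — not visible in the hunk), so a server configured to refuse renegotiation can still request one and then, presumably, reject the ClientHello it asked for. The client branch has the same gap before ssl_start_renegotiation. Either a check ahead of both branches such as `if( ssl->disable_renegotiation == SSL_RENEGOTIATION_DISABLED ) return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );`, or a sentence in the ssl.h \brief stating that the caller must have renegotiation enabled, would close it; the same observation applies to the original ssl_write_hello_request in the patch 2 ssl_srv.c hunk.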

PolarSSL Test Server

\r\n" \ "

Successful connection using: %s

\r\n" // LONG_RESPONSE -/* Temporary, should become a runtime option later */ +/* Uncomment to test server-initiated renegotiation */ // #define TEST_RENEGO /* @@ -948,15 +948,20 @@ reset: */ printf( " . Requestion renegotiation..." ); fflush( stdout ); - while( ( ret = ssl_write_hello_request( &ssl ) ) != 0 ) + while( ( ret = ssl_renegotiate( &ssl ) ) != 0 ) { if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE ) { - printf( " failed\n ! ssl_write_hello_request returned %d\n\n", ret ); + printf( " failed\n ! ssl_renegotiate returned %d\n\n", ret ); goto exit; } } + /* + * Should be a while loop, not an if, but here we're not actually + * expecting data from the client, and since we're running tests locally, + * we can just hope the handshake will finish the during the first call. + */ if( ( ret = ssl_read( &ssl, buf, 0 ) ) != 0 ) { if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE ) From 6d8404d6ba64aef87aaebf56db37779354e96acb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 30 Oct 2013 16:41:45 +0100 Subject: [PATCH 7/8] Server: enforce renegotiation --- include/polarssl/ssl.h | 1 + library/ssl_tls.c | 8 ++++++++ programs/ssl/ssl_server2.c | 7 ++++++- 3 files changed, 15 insertions(+), 1 deletion(-) diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h index 50ff9864e..e5ca9d571 100644 --- a/include/polarssl/ssl.h +++ b/include/polarssl/ssl.h @@ -202,6 +202,7 @@ #define SSL_INITIAL_HANDSHAKE 0 #define SSL_RENEGOTIATION 1 /* In progress */ #define SSL_RENEGOTIATION_DONE 2 /* Done */ +#define SSL_RENEGOTIATION_PENDING 3 /* Requested (server only) */ #define SSL_LEGACY_RENEGOTIATION 0 #define SSL_SECURE_RENEGOTIATION 1 diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 94d9edf27..1205947bb 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
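Review bot: The new comment in the ssl_server2.c test block reads `we can just hope the handshake will finish the during the first call.`, which should be `will finish during the first call.`. The same comment is the right place to spell out the consequence a reader needs: a POLARSSL_ERR_NET_WANT_READ or WANT_WRITE return from this single ssl_read() falls through to `printf( " ok\n" )` even though the renegotiation has not completed, so the `ok` is not evidence that the client honored the request. The enclosing main() continues outside the hunk.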
@@ -3990,6 +3990,8 @@ static int ssl_write_hello_request( ssl_context *ssl ) return( ret ); } + ssl->renegotiation = SSL_RENEGOTIATION_PENDING; + SSL_DEBUG_MSG( 2, ( "<= write hello request" ) ); return( 0 ); @@ -4175,6 +4177,12 @@ int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len ) return( POLARSSL_ERR_NET_WANT_READ ); } } + else if( ssl->renegotiation == SSL_RENEGOTIATION_PENDING ) + { + SSL_DEBUG_MSG( 1, ( "renegotiation requested, " + "but not honored by client" ) ); + return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE ); + } else if( ssl->in_msgtype != SSL_MSG_APPLICATION_DATA ) { SSL_DEBUG_MSG( 1, ( "bad application data message" ) ); diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index d35ab77d7..2a046a77f 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -967,7 +967,12 @@ reset: if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE ) { printf( " failed\n ! ssl_read returned %d\n\n", ret ); - goto exit; + + /* Unexpected message probably means client didn't renegotiate */ + if( ret == POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE ) + goto reset; + else + goto exit; } } From 37ce0ff185b40a7a3fa2d7d024a4a147be471902 Mon Sep 17 00:00:00 2001 From: Paul Bakker Date: Thu, 31 Oct 2013 14:32:04 +0100 Subject: [PATCH 8/8] Added defines around renegotiation code for SSL_SRV and SSL_CLI --- library/ssl_tls.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 1205947bb..4654ea62d 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -3971,6 +3971,7 @@ int ssl_handshake( ssl_context *ssl ) return( ret ); } +#if defined(POLARSSL_SSL_SRV_C) /* * Write HelloRequest to request renegotiation on server */ @@ -3996,6 +3997,7 @@ static int ssl_write_hello_request( ssl_context *ssl ) return( 0 ); } +#endif /* POLARSSL_SSL_SRV_C */ /* * Actually renegotiate current connection, triggered by either: 
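Review bot: The new `else if( ssl->renegotiation == SSL_RENEGOTIATION_PENDING )` branch in ssl_read returns POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE but leaves `ssl->renegotiation` at PENDING and, as far as the hunk shows, leaves the offending record in the input buffer, so later ssl_read() calls on the same context presumably fail the same way; that the caller is expected to tear the connection down at this point (ssl_server2.c does so with `goto reset`) should be stated, e.g. `/* Client ignored our HelloRequest: fatal, the caller must close the connection */`. RFC 5246 §7.4.1.1 lets a client that declines answer with a no_renegotiation warning alert; whether that alert is consumed earlier in ssl_read_record or reaches this branch as a non-application-data message is not visible here and deserves a test, since the `else` context above suggests this library's own client sends one when renegotiation is disabled. Also note that ssl_write_hello_request now sets PENDING only after ssl_write_record succeeds, which is correct for the WANT_WRITE retry, but a second ssl_renegotiate() call while already PENDING sends another HelloRequest with no check; if that is intended it should be documented.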
@@ -4035,8 +4037,9 @@ static int ssl_start_renegotiation( ssl_context *ssl ) */ int ssl_renegotiate( ssl_context *ssl ) { - int ret; + int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE; +#if defined(POLARSSL_SSL_SRV_C) /* On server, just send the request */ if( ssl->endpoint == SSL_IS_SERVER ) { @@ -4045,7 +4048,9 @@ int ssl_renegotiate( ssl_context *ssl ) return( ssl_write_hello_request( ssl ) ); } +#endif /* POLARSSL_SSL_SRV_C */ +#if defined(POLARSSL_SSL_CLI_C) /* * On client, either start the renegotiation process or, * if already in progress, continue the handshake @@ -4069,8 +4074,9 @@ int ssl_renegotiate( ssl_context *ssl ) return( ret ); } } +#endif /* POLARSSL_SSL_CLI_C */ - return( 0 ); + return( ret ); } /*
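Review bot: After the `#if defined(POLARSSL_SSL_SRV_C)` block, the client-side code is reached by fall-through rather than by testing `ssl->endpoint == SSL_IS_CLIENT`, so a reader must verify that the server branch always returns to know the client block is client-only; wrapping the `#if defined(POLARSSL_SSL_CLI_C)` section in `if( ssl->endpoint == SSL_IS_CLIENT ) { ... }` makes that explicit and lets the `POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE` initial value of `ret` reach the final `return( ret )` for any endpoint whose role is compiled out. As written the initial value is only observable when the client block is compiled out entirely, which is fine but worth a one-line comment next to the declaration: `/* Returned only if the endpoint's role is not compiled in */`. The middle of ssl_renegotiate lies between these hunks and is not visible here.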