diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index d5f01bc0b..9cb742b3f 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -99,6 +99,7 @@ int main( int argc, char *argv[] )
 #define DFL_RENEGOTIATION SSL_RENEGOTIATION_DISABLED
 #define DFL_ALLOW_LEGACY SSL_LEGACY_NO_RENEGOTIATION
 #define DFL_RENEGOTIATE 0
+#define DFL_RENEGO_DELAY -2
 #define DFL_MIN_VERSION -1
 #define DFL_MAX_VERSION -1
 #define DFL_AUTH_MODE SSL_VERIFY_OPTIONAL
@@ -159,6 +160,7 @@ struct options
 int renegotiation; /* enable / disable renegotiation */
 int allow_legacy; /* allow legacy renegotiation */
 int renegotiate; /* attempt renegotiation? */
+ int renego_delay; /* delay before enforcing renegotiation */
 int min_version; /* minimum protocol version accepted */
 int max_version; /* maximum protocol version accepted */
 int auth_mode; /* verify mode for connection */
@@ -676,6 +678,7 @@ int main( int argc, char *argv[] )
 opt.renegotiation = DFL_RENEGOTIATION;
 opt.allow_legacy = DFL_ALLOW_LEGACY;
 opt.renegotiate = DFL_RENEGOTIATE;
+ opt.renego_delay = DFL_RENEGO_DELAY;
 opt.min_version = DFL_MIN_VERSION;
 opt.max_version = DFL_MAX_VERSION;
 opt.auth_mode = DFL_AUTH_MODE;
@@ -765,6 +768,10 @@ int main( int argc, char *argv[] )
 if( opt.renegotiate < 0 || opt.renegotiate > 1 )
 goto usage;
 }
+ else if( strcmp( p, "renego_delay" ) == 0 )
+ {
+ opt.renego_delay = atoi( q );
+ }
 else if( strcmp( p, "min_version" ) == 0 )
 {
 if( strcmp( q, "ssl3" ) == 0 )
@@ -1264,6 +1271,8 @@ int main( int argc, char *argv[] )
 ssl_set_renegotiation( &ssl, opt.renegotiation ); ssl_legacy_renegotiation( &ssl, opt.allow_legacy ); + if( opt.renego_delay != DFL_RENEGO_DELAY ) + ssl_set_renegotiation_enforced( &ssl, opt.renego_delay ); #if defined(POLARSSL_X509_CRT_PARSE_C) if( strcmp( opt.ca_path, "none" ) != 0 &&
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 6c2a92d5c..d4a41439d 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
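Review bot: The new `renego_delay` branch in the hunk at -765 stores `atoi( q )` with no range check, unlike the `renegotiate` option directly above it, which rejects out-of-range values with `goto usage`. `atoi` returns 0 for a non-numeric argument, and the tests in this commit indicate that 0 selects immediate enforcement, so a typo in the option value silently picks the strictest behaviour; a user can also type -2 and have the option ignored, because -2 doubles as the DFL_RENEGO_DELAY "unset" sentinel checked in the hunk at -1264. The tests exercise -1 (not enforced), 0 and 1, so -1 appears to be the lowest meaningful value, and I would follow the sibling option's pattern: `opt.renego_delay = atoi( q );` followed by `if( opt.renego_delay < -1 ) goto usage;`. No hunk in this diff touches the program's usage text, so the new option also appears to be undocumented there; worth confirming against the full file. The enclosing option-parsing loop begins and ends outside this hunk.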
@@ -616,9 +616,11 @@ run_test "Renegotiation #4 (client-initiated, server-rejected)" \
 -c "found renegotiation extension" \
 -c "=> renegotiate" \
 -S "=> renegotiate" \
- -S "write hello request"
+ -S "write hello request" \
+ -c "SSL - An unexpected message was received from our peer" \
+ -c "failed"
 
-run_test "Renegotiation #5 (server-initiated, client-rejected)" \
+run_test "Renegotiation #5 (server-initiated, client-rejected, default)" \
 "$P_SRV debug_level=4 renegotiation=1 renegotiate=1" \
 "$P_CLI debug_level=4 renegotiation=0" \
 0 \
@@ -633,6 +635,70 @@ run_test "Renegotiation #5 (server-initiated, client-rejected)" \
 -S "SSL - An unexpected message was received from our peer" \
 -S "failed"
 
+run_test "Renegotiation #6 (server-initiated, client-rejected, not enforced)" \
+ "$P_SRV debug_level=4 renegotiation=1 renegotiate=1 \
+ renego_delay=-1" \
+ "$P_CLI debug_level=4 renegotiation=0" \
+ 0 \
+ -C "client hello, adding renegotiation extension" \
+ -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
+ -S "found renegotiation extension" \
+ -s "server hello, secure renegotiation extension" \
+ -c "found renegotiation extension" \
+ -C "=> renegotiate" \
+ -S "=> renegotiate" \
+ -s "write hello request" \
+ -S "SSL - An unexpected message was received from our peer" \
+ -S "failed"
+
+run_test "Renegotiation #7 (server-initiated, client-rejected, delay 1)" \
+ "$P_SRV debug_level=4 renegotiation=1 renegotiate=1 \
+ renego_delay=1" \
+ "$P_CLI debug_level=4 renegotiation=0" \
+ 0 \
+ -C "client hello, adding renegotiation extension" \
+ -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
+ -S "found renegotiation extension" \
+ -s "server hello, secure renegotiation extension" \
+ -c "found renegotiation extension" \
+ -C "=> renegotiate" \
+ -S "=> renegotiate" \
+ -s "write hello request" \
+ -S "SSL - An unexpected message was received from our peer" \
+ -S "failed"
+
+run_test "Renegotiation #8 (server-initiated, client-rejected, delay 0)" \
+ "$P_SRV debug_level=4 renegotiation=1 renegotiate=1 \
+ renego_delay=0" \
+ "$P_CLI debug_level=4 renegotiation=0" \
+ 0 \
+ -C "client hello, adding renegotiation extension" \
+ -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
+ -S "found renegotiation extension" \
+ -s "server hello, secure renegotiation extension" \
+ -c "found renegotiation extension" \
+ -C "=> renegotiate" \
+ -S "=> renegotiate" \
+ -s "write hello request" \
+ -s "SSL - An unexpected message was received from our peer" \
+ -s "failed"
+
+run_test "Renegotiation #9 (server-initiated, client-accepted, delay 0)" \
+ "$P_SRV debug_level=4 renegotiation=1 renegotiate=1 \
+ renego_delay=0" \
+ "$P_CLI debug_level=4 renegotiation=1" \
+ 0 \
+ -c "client hello, adding renegotiation extension" \
+ -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
+ -s "found renegotiation extension" \
+ -s "server hello, secure renegotiation extension" \
+ -c "found renegotiation extension" \
+ -c "=> renegotiate" \
+ -s "=> renegotiate" \
+ -s "write hello request" \
+ -S "SSL - An unexpected message was received from our peer" \
+ -S "failed"
+
 # Tests for auth_mode
 
 run_test "Authentication #1 (server badcert, client required)" \
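Review bot: Test #7 (`renego_delay=1`) asserts exactly the same outcome as #6 (`renego_delay=-1`, not enforced), so it cannot distinguish "enforced after one further record" from "never enforced"; presumably the exchange in this test is too short for the delay to elapse, but nothing in the test says so. I would add a one-line comment above #7 stating why a delay of 1 is expected not to be reached in this exchange, or better add a variant that exchanges enough data for the delay to expire and asserts `-s "failed"` like #8 does. The four new tests differ only in `renego_delay`, the client's `renegotiation` value and the last two expectations, which matches the file's existing copy-per-case style, so I would not restructure them here. Taken together with the renamed #5 (default), #8 shows the default differs from `renego_delay=0`, but the actual default value is documented nowhere in this hunk.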