From 13dee95d971d6684c38510e0a5d2a85c7541c3a2 Mon Sep 17 00:00:00 2001
From: cameronrich
Date: Sat, 12 Dec 2009 04:11:56 +0000
Subject: [PATCH] Fix for ssl client renotiation SSL error

git-svn-id: svn://svn.code.sf.net/p/axtls/code/trunk@166 9a5d90b5-6617-0410-8a86-bb477d3ed2e3
---
 ssl/ssl.h | 1 +
 ssl/tls1.c | 17 +++++++++++++++--
 ssl/tls1_clnt.c | 1 +
 3 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/ssl/ssl.h b/ssl/ssl.h
index d6ed68dae..9e9d801c0 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -100,6 +100,7 @@ extern "C" {
 #define SSL_ERROR_INVALID_KEY -269
 #define SSL_ERROR_FINISHED_INVALID -271
 #define SSL_ERROR_NO_CERT_DEFINED -272
+#define SSL_ERROR_NO_CLIENT_RENOG -273
 #define SSL_ERROR_NOT_SUPPORTED -274
 #define SSL_X509_OFFSET -512
 #define SSL_X509_ERROR(A) (SSL_X509_OFFSET+A)
diff --git a/ssl/tls1.c b/ssl/tls1.c
index 9a469d7fe..5ce8c2453 100755
--- a/ssl/tls1.c
+++ b/ssl/tls1.c
@@ -1230,8 +1230,16 @@ int basic_read(SSL *ssl, uint8_t **in_data)
 switch (ssl->record_type)
 {
 case PT_HANDSHAKE_PROTOCOL:
- ssl->dc->bm_proc_index = 0;
- ret = do_handshake(ssl, buf, read_len);
+ if (ssl->dc != NULL)
+ {
+ ssl->dc->bm_proc_index = 0;
+ ret = do_handshake(ssl, buf, read_len);
+ }
+ else /* no client renogiation allowed */
+ {
+ ret = SSL_ERROR_NO_CLIENT_RENOG;
+ goto error;
+ }
 break;
 
 case PT_CHANGE_CIPHER_SPEC:
@@ -1402,6 +1410,7 @@ int send_alert(SSL *ssl, int error_code)
 
 case SSL_ERROR_INVALID_HANDSHAKE:
 case SSL_ERROR_INVALID_PROT_MSG:
+ case SSL_ERROR_NO_CLIENT_RENOG:
 alert_num = SSL_ALERT_HANDSHAKE_FAILURE;
 break;
 
@@ -1958,6 +1967,10 @@ EXP_FUNC void STDCALL ssl_display_error(int error_code)
 printf("no certificate defined");
 break;
 
+ case SSL_ERROR_NO_CLIENT_RENOG:
+ printf("client renegotiation not supported");
+ break;
+
 case SSL_ERROR_NOT_SUPPORTED:
 printf("Option not supported");
 break;
diff --git a/ssl/tls1_clnt.c b/ssl/tls1_clnt.c
index 91314333c..beb0e278b 100644
--- a/ssl/tls1_clnt.c
+++ b/ssl/tls1_clnt.c
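Review bot: The `if (ssl->dc != NULL)` test added in basic_read's PT_HANDSHAKE_PROTOCOL case treats a freed disposable context as the only evidence that the handshake already completed, and nothing at the site says so; the reader has to know that disposable_free() in the client's HS_FINISHED path (the tls1_clnt.c hunk) is what leaves dc NULL, which I assume it does but cannot see here. A comment on the condition would carry that, e.g. `/* dc is released once the handshake completes, so a handshake record arriving now is a renegotiation attempt, which this build does not support */`, and `renogiation` in the else comment (and in the tls1_clnt.c comment) should read `renegotiation`. Failing closed is the right outcome: the send_alert hunk maps the new code to SSL_ALERT_HANDSHAKE_FAILURE, so a post-handshake handshake record from the peer ends the session instead of dereferencing a NULL dc. Whether the same guard also affects a server-side SSL that never frees dc is not visible in this hunk; the `error:` label and the rest of the switch lie outside it.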
@@ -123,6 +123,7 @@ int do_clnt_handshake(SSL *ssl, int handshake_type, uint8_t *buf, int hs_len)
 case HS_FINISHED:
 ret = process_finished(ssl, hs_len);
 disposable_free(ssl); /* free up some memory */
+ /* note: client renogiation is not allowed after this */
 break;
 
 case HS_HELLO_REQUEST:
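Review bot: The comment added after disposable_free() states that renegotiation is not allowed but not what enforces it, so a maintainer who later keeps dc alive past this point would not know they were re-opening that path. Rewording it to name the mechanism would help, e.g. `/* dc is NULL from here on; basic_read() rejects any further handshake record (renegotiation unsupported) */`, assuming disposable_free() does clear ssl->dc, which this hunk does not show. The rest of do_clnt_handshake's switch lies outside the hunk.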