mirror of
https://github.com/Mbed-TLS/mbedtls.git
synced 2025-07-28 00:21:48 +03:00
Merge commit 'f6080b8' into dtls
* commit 'f6080b8': Fix warning in reduced configs Adapt to "negative" switch for renego Add tests for periodic renegotiation Make renego period configurable Auto-renegotiate before sequence number wrapping Update Changelog for compile-option renegotiation Switch from an enable to a disable flag Save 48 bytes if SSLv3 is not defined Make renegotiation a compile-time option Add tests for renego security enforcement Conflicts: include/polarssl/ssl.h library/ssl_cli.c library/ssl_srv.c library/ssl_tls.c programs/ssl/ssl_server2.c tests/ssl-opt.sh
This commit is contained in:
Manuel Pégourié-Gonnard
@ -106,9 +106,10 @@ int main( int argc, char *argv[] )
|
||||
#define DFL_FORCE_CIPHER 0
|
||||
#define DFL_VERSION_SUITES NULL
|
||||
#define DFL_RENEGOTIATION SSL_RENEGOTIATION_DISABLED
|
||||
#define DFL_ALLOW_LEGACY SSL_LEGACY_NO_RENEGOTIATION
|
||||
#define DFL_ALLOW_LEGACY -2
|
||||
#define DFL_RENEGOTIATE 0
|
||||
#define DFL_RENEGO_DELAY -2
|
||||
#define DFL_RENEGO_PERIOD -1
|
||||
#define DFL_EXCHANGES 1
|
||||
#define DFL_MIN_VERSION -1
|
||||
#define DFL_MAX_VERSION -1
|
||||
@ -178,6 +179,7 @@ struct options
|
||||
int allow_legacy; /* allow legacy renegotiation */
|
||||
int renegotiate; /* attempt renegotiation? */
|
||||
int renego_delay; /* delay before enforcing renegotiation */
|
||||
int renego_period; /* period for automatic renegotiation */
|
||||
int exchanges; /* number of data exchanges */
|
||||
int min_version; /* minimum protocol version accepted */
|
||||
int max_version; /* maximum protocol version accepted */
|
||||
@ -366,6 +368,16 @@ static int my_send( void *ctx, const unsigned char *buf, size_t len )
|
||||
#define USAGE_ETM ""
|
||||
#endif
|
||||
|
||||
#if defined(POLARSSL_SSL_RENEGOTIATION)
|
||||
#define USAGE_RENEGO \
|
||||
" renegotiation=%%d default: 0 (disabled)\n" \
|
||||
" renegotiate=%%d default: 0 (disabled)\n" \
|
||||
" renego_delay=%%d default: -2 (library default)\n" \
|
||||
" renego_period=%%d default: (library default)\n"
|
||||
#else
|
||||
#define USAGE_RENEGO ""
|
||||
#endif
|
||||
|
||||
#define USAGE \
|
||||
"\n usage: ssl_server2 param=<>...\n" \
|
||||
"\n acceptable parameters:\n" \
|
||||
@ -388,10 +400,8 @@ static int my_send( void *ctx, const unsigned char *buf, size_t len )
|
||||
"\n" \
|
||||
USAGE_PSK \
|
||||
"\n" \
|
||||
" renegotiation=%%d default: 1 (enabled)\n" \
|
||||
" allow_legacy=%%d default: 0 (disabled)\n" \
|
||||
" renegotiate=%%d default: 0 (disabled)\n" \
|
||||
" renego_delay=%%d default: -2 (library default)\n" \
|
||||
" allow_legacy=%%d default: (library default: no)\n" \
|
||||
USAGE_RENEGO \
|
||||
" exchanges=%%d default: 1\n" \
|
||||
"\n" \
|
||||
USAGE_TICKETS \
|
||||
@ -681,6 +691,9 @@ int main( int argc, char *argv[] )
|
||||
entropy_context entropy;
|
||||
ctr_drbg_context ctr_drbg;
|
||||
ssl_context ssl;
|
||||
#if defined(POLARSSL_SSL_RENEGOTIATION)
|
||||
unsigned char renego_period[8] = { 0 };
|
||||
#endif
|
||||
#if defined(POLARSSL_X509_CRT_PARSE_C)
|
||||
x509_crt cacert;
|
||||
x509_crt srvcert;
|
||||
@ -786,6 +799,7 @@ int main( int argc, char *argv[] )
|
||||
opt.allow_legacy = DFL_ALLOW_LEGACY;
|
||||
opt.renegotiate = DFL_RENEGOTIATE;
|
||||
opt.renego_delay = DFL_RENEGO_DELAY;
|
||||
opt.renego_period = DFL_RENEGO_PERIOD;
|
||||
opt.exchanges = DFL_EXCHANGES;
|
||||
opt.min_version = DFL_MIN_VERSION;
|
||||
opt.max_version = DFL_MAX_VERSION;
|
||||
@ -886,9 +900,13 @@ int main( int argc, char *argv[] )
|
||||
}
|
||||
else if( strcmp( p, "allow_legacy" ) == 0 )
|
||||
{
|
||||
opt.allow_legacy = atoi( q );
|
||||
if( opt.allow_legacy < 0 || opt.allow_legacy > 1 )
|
||||
goto usage;
|
||||
switch( atoi( q ) )
|
||||
{
|
||||
case -1: opt.allow_legacy = SSL_LEGACY_BREAK_HANDSHAKE; break;
|
||||
case 0: opt.allow_legacy = SSL_LEGACY_NO_RENEGOTIATION; break;
|
||||
case 1: opt.allow_legacy = SSL_LEGACY_ALLOW_RENEGOTIATION; break;
|
||||
default: goto usage;
|
||||
}
|
||||
}
|
||||
else if( strcmp( p, "renegotiate" ) == 0 )
|
||||
{
|
||||
@ -900,6 +918,12 @@ int main( int argc, char *argv[] )
|
||||
{
|
||||
opt.renego_delay = atoi( q );
|
||||
}
|
||||
else if( strcmp( p, "renego_period" ) == 0 )
|
||||
{
|
||||
opt.renego_period = atoi( q );
|
||||
if( opt.renego_period < 2 || opt.renego_period > 255 )
|
||||
goto usage;
|
||||
}
|
||||
else if( strcmp( p, "exchanges" ) == 0 )
|
||||
{
|
||||
opt.exchanges = atoi( q );
|
||||
@ -1555,11 +1579,21 @@ int main( int argc, char *argv[] )
|
||||
SSL_MINOR_VERSION_3 );
|
||||
}
|
||||
|
||||
if( opt.allow_legacy != DFL_ALLOW_LEGACY )
|
||||
ssl_legacy_renegotiation( &ssl, opt.allow_legacy );
|
||||
#if defined(POLARSSL_SSL_RENEGOTIATION)
|
||||
ssl_set_renegotiation( &ssl, opt.renegotiation );
|
||||
ssl_legacy_renegotiation( &ssl, opt.allow_legacy );
|
||||
|
||||
if( opt.renego_delay != DFL_RENEGO_DELAY )
|
||||
ssl_set_renegotiation_enforced( &ssl, opt.renego_delay );
|
||||
|
||||
if( opt.renego_period != DFL_RENEGO_PERIOD )
|
||||
{
|
||||
renego_period[7] = opt.renego_period;
|
||||
ssl_set_renegotiation_period( &ssl, renego_period );
|
||||
}
|
||||
#endif
|
||||
|
||||
#if defined(POLARSSL_X509_CRT_PARSE_C)
|
||||
if( strcmp( opt.ca_path, "none" ) != 0 &&
|
||||
strcmp( opt.ca_file, "none" ) != 0 )
|
||||
@ -1967,6 +2001,7 @@ data_exchange:
|
||||
* 7a. Request renegotiation while client is waiting for input from us.
|
||||
* (only on the first exchange, to be able to test retransmission)
|
||||
*/
|
||||
#if defined(POLARSSL_SSL_RENEGOTIATION)
|
||||
if( opt.renegotiate && exchanges == opt.exchanges )
|
||||
{
|
||||
printf( " . Requestion renegotiation..." );
|
||||
@ -1984,6 +2019,7 @@ data_exchange:
|
||||
|
||||
printf( " ok\n" );
|
||||
}
|
||||
#endif /* POLARSSL_SSL_RENEGOTIATION */
|
||||
|
||||
/*
|
||||
* 7. Write the 200 Response
|
||||
|
||||
Reference in New Issue
Block a user