diff options
| author | Jack Lloyd <[email protected]> | 2017-09-19 12:02:32 -0400 |
|---|---|---|
| committer | Jack Lloyd <[email protected]> | 2017-09-19 12:02:32 -0400 |
| commit | 7e27023fafabec9e87b15675f6798cc98cca0427 (patch) | |
| tree | ad49ffb3efeac6c54bd86fca72feb80551444eac /src/lib/tls | |
| parent | c393f1b84ec43887b72eb93069c58676c0d444be (diff) | |
| parent | 93b361fc07733f92eb5519fa9de00ed1fa61f1ee (diff) | |
Merge GH #872 Add ability for TLS servers to prohibit renegotiation
Diffstat (limited to 'src/lib/tls')
| -rw-r--r-- | src/lib/tls/tls_policy.cpp | 1 | ||||
| -rw-r--r-- | src/lib/tls/tls_policy.h | 9 | ||||
| -rw-r--r-- | src/lib/tls/tls_server.cpp | 8 |
3 files changed, 16 insertions, 2 deletions
diff --git a/src/lib/tls/tls_policy.cpp b/src/lib/tls/tls_policy.cpp index 7432b276e..863958eaa 100644 --- a/src/lib/tls/tls_policy.cpp +++ b/src/lib/tls/tls_policy.cpp @@ -285,6 +285,7 @@ bool Policy::acceptable_ciphersuite(const Ciphersuite&) const return true; } +bool Policy::allow_client_initiated_renegotiation() const { return false; } bool Policy::allow_server_initiated_renegotiation() const { return false; } bool Policy::allow_insecure_renegotiation() const { return false; } bool Policy::allow_tls10() const { return true; } diff --git a/src/lib/tls/tls_policy.h b/src/lib/tls/tls_policy.h index d36a20aad..80dc9cbd6 100644 --- a/src/lib/tls/tls_policy.h +++ b/src/lib/tls/tls_policy.h @@ -120,7 +120,12 @@ class BOTAN_DLL Policy virtual bool include_time_in_hello_random() const; /** - * Allow servers to initiate a new handshake + * Consulted by server side. If true, allows clients to initiate a new handshake + */ + virtual bool allow_client_initiated_renegotiation() const; + + /** + * Consulted by client side. If true, allows servers to initiate a new handshake */ virtual bool allow_server_initiated_renegotiation() const; @@ -476,6 +481,8 @@ class BOTAN_DLL Text_Policy : public Policy bool include_time_in_hello_random() const override { return get_bool("include_time_in_hello_random", Policy::include_time_in_hello_random()); } + bool allow_client_initiated_renegotiation() const override + { return get_bool("allow_client_initiated_renegotiation", Policy::allow_client_initiated_renegotiation()); } bool allow_server_initiated_renegotiation() const override { return get_bool("allow_server_initiated_renegotiation", Policy::allow_server_initiated_renegotiation()); } diff --git a/src/lib/tls/tls_server.cpp b/src/lib/tls/tls_server.cpp index 434acf93d..1c9ca0b86 100644 --- a/src/lib/tls/tls_server.cpp +++ b/src/lib/tls/tls_server.cpp @@ -387,9 +387,15 @@ void Server::initiate_handshake(Handshake_State& state, void Server::process_client_hello_msg(const Handshake_State* active_state, Server_Handshake_State& pending_state, const std::vector<uint8_t>& contents) -{ + { const bool initial_handshake = !active_state; + if(initial_handshake == false && policy().allow_client_initiated_renegotiation() == false) + { + send_warning_alert(Alert::NO_RENEGOTIATION); + return; + } + if(!policy().allow_insecure_renegotiation() && !(initial_handshake || secure_renegotiation_supported())) { |