-rw-r--r-- | doc/manual/tls.rst | 8 | ||||
-rw-r--r-- | src/lib/tls/tls_policy.cpp | 1 | ||||
-rw-r--r-- | src/lib/tls/tls_policy.h | 7 | ||||
-rw-r--r-- | src/lib/tls/tls_server.cpp | 8 |
4 files changed, 22 insertions, 2 deletions
diff --git a/doc/manual/tls.rst b/doc/manual/tls.rst
index 8d9a6fb12..02ed1e611 100644
--- a/doc/manual/tls.rst
+++ b/doc/manual/tls.rst
@@ -953,6 +953,14 @@ policy settings from a file.
 Default: false
+ .. cpp:function:: bool allow_client_initiated_renegotiation() const
+
+ If this function returns true, a server will accept a
+ client-initiated renegotiation attempt. Otherwise it will send
+ the client a non-fatal ``no_renegotiation`` alert.
+
+ Default: true
+
 .. cpp:function:: bool allow_server_initiated_renegotiation() const
 If this function returns true, a client will accept a
diff --git a/src/lib/tls/tls_policy.cpp b/src/lib/tls/tls_policy.cpp
index 60f8957c0..0bc2d4418 100644
--- a/src/lib/tls/tls_policy.cpp
+++ b/src/lib/tls/tls_policy.cpp
@@ -266,6 +266,7 @@ bool Policy::acceptable_ciphersuite(const Ciphersuite&) const
 return true;
 }
+bool Policy::allow_client_initiated_renegotiation() const { return true; }
 bool Policy::allow_server_initiated_renegotiation() const { return false; }
 bool Policy::allow_insecure_renegotiation() const { return false; }
 bool Policy::allow_tls10() const { return true; }
diff --git a/src/lib/tls/tls_policy.h b/src/lib/tls/tls_policy.h
index 6f617c673..b6afd7b28 100644
--- a/src/lib/tls/tls_policy.h
+++ b/src/lib/tls/tls_policy.h
@@ -119,7 +119,12 @@ class BOTAN_DLL Policy
 virtual bool include_time_in_hello_random() const;
 /**
- * Allow servers to initiate a new handshake
+ * Consulted by server side. If true, allows clients to initiate a new handshake
+ */
+ virtual bool allow_client_initiated_renegotiation() const;
+
+ /**
+ * Consulted by client side. If true, allows servers to initiate a new handshake
 */
 virtual bool allow_server_initiated_renegotiation() const;
diff --git a/src/lib/tls/tls_server.cpp b/src/lib/tls/tls_server.cpp
index f509122a8..a78a025a4 100644
--- a/src/lib/tls/tls_server.cpp
+++ b/src/lib/tls/tls_server.cpp
@@ -353,7 +353,13 @@ void Server::initiate_handshake(Handshake_State& state,
 void Server::process_client_hello_msg(const Handshake_State* active_state,
 Server_Handshake_State& pending_state,
 const std::vector<uint8_t>& contents)
-{
+ {
+ if(policy().allow_client_initiated_renegotiation() == false)
+ {
+ send_warning_alert(Alert::NO_RENEGOTIATION);
+ return;
+ }
+
 const bool initial_handshake = !active_state;
 if(!policy().allow_insecure_renegotiation() &&
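Review bot: The new policy check in process_client_hello_msg also fires on the initial handshake, because it runs before `initial_handshake` is derived from `active_state` and never consults it, so a server whose policy returns false would answer every first ClientHello with a no_renegotiation warning and never complete a handshake. The guard should apply only to a renegotiation attempt: move it below the `const bool initial_handshake = !active_state;` line and write `if(!initial_handshake && policy().allow_client_initiated_renegotiation() == false)`. The default of true added in tls_policy.cpp preserves current behaviour, so the problem only surfaces for deployments that override the policy, which is exactly where the new knob is meant to be used. The function body continues past the end of the hunk.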