diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 8aee54abe..f0c4ef1d1 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -104,6 +104,7 @@ int main( int argc, char *argv[] )
 #define DFL_ALLOW_LEGACY -2
 #define DFL_RENEGOTIATE 0
 #define DFL_RENEGO_DELAY -2
+#define DFL_RENEGO_PERIOD -1
 #define DFL_EXCHANGES 1
 #define DFL_MIN_VERSION -1
 #define DFL_MAX_VERSION -1
@@ -164,6 +165,7 @@ struct options
 int allow_legacy; /* allow legacy renegotiation */
 int renegotiate; /* attempt renegotiation? */
 int renego_delay; /* delay before enforcing renegotiation */
+ int renego_period; /* period for automatic renegotiation */
 int exchanges; /* number of data exchanges */
 int min_version; /* minimum protocol version accepted */
 int max_version; /* maximum protocol version accepted */
@@ -303,7 +305,8 @@ static int my_send( void *ctx, const unsigned char *buf, size_t len )
 #define USAGE_RENEGO \
 " renegotiation=%%d default: 0 (disabled)\n" \
 " renegotiate=%%d default: 0 (disabled)\n" \
- " renego_delay=%%d default: -2 (library default)\n"
+ " renego_delay=%%d default: -2 (library default)\n" \
+ " renego_period=%%d default: (library default)\n"
 #else
 #define USAGE_RENEGO ""
 #endif
@@ -608,6 +611,9 @@ int main( int argc, char *argv[] )
 entropy_context entropy;
 ctr_drbg_context ctr_drbg;
 ssl_context ssl;
+#if defined(POLARSSL_SSL_RENEGOTIATION)
+ unsigned char renego_period[8] = { 0 };
+#endif
 #if defined(POLARSSL_X509_CRT_PARSE_C)
 x509_crt cacert;
 x509_crt srvcert;
@@ -708,6 +714,7 @@ int main( int argc, char *argv[] )
 opt.allow_legacy = DFL_ALLOW_LEGACY;
 opt.renegotiate = DFL_RENEGOTIATE;
 opt.renego_delay = DFL_RENEGO_DELAY;
+ opt.renego_period = DFL_RENEGO_PERIOD;
 opt.exchanges = DFL_EXCHANGES;
 opt.min_version = DFL_MIN_VERSION;
 opt.max_version = DFL_MAX_VERSION;
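Review bot: The new usage line `" renego_period=%%d default: (library default)\n"` in the USAGE_RENEGO hunk does not tell the user the accepted range, while the option parser added elsewhere in this commit rejects anything outside 2..255 by jumping to the usage label. Since that jump presumably prints this text, a user who passed `renego_period=1` or `renego_period=1000` gets no hint why the server refused to start; I would write the line as `" renego_period=%%d range: 2..255, default: (library default)\n"`. The field comment in the `struct options` hunk would likewise benefit from naming the unit, e.g. `/* period for automatic renegotiation (in records) */` — the new ssl-opt.sh cases grep for "record counter limit reached", which suggests the period counts records, but confirm against ssl_set_renegotiation_period() before stating it.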
@@ -806,6 +813,12 @@ int main( int argc, char *argv[] )
 {
 opt.renego_delay = atoi( q );
 }
+ else if( strcmp( p, "renego_period" ) == 0 )
+ {
+ opt.renego_period = atoi( q );
+ if( opt.renego_period < 2 || opt.renego_period > 255 ) goto usage;
+ }
 else if( strcmp( p, "exchanges" ) == 0 )
 {
 opt.exchanges = atoi( q );
@@ -1325,8 +1338,15 @@ int main( int argc, char *argv[] )
 ssl_legacy_renegotiation( &ssl, opt.allow_legacy );
 #if defined(POLARSSL_SSL_RENEGOTIATION)
 ssl_set_renegotiation( &ssl, opt.renegotiation );
+ if( opt.renego_delay != DFL_RENEGO_DELAY )
 ssl_set_renegotiation_enforced( &ssl, opt.renego_delay );
+
+ if( opt.renego_period != DFL_RENEGO_PERIOD )
+ {
+ renego_period[7] = opt.renego_period;
+ ssl_set_renegotiation_period( &ssl, renego_period );
+ }
 #endif
 #if defined(POLARSSL_X509_CRT_PARSE_C)
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index bd98bdb42..b90979975 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
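Review bot: `renego_period[7] = opt.renego_period;` in the @@ -1325 hunk stores an int into a single byte at a hard-coded index with nothing tying it to the `< 2 || > 255` check in the option-parsing hunk above, so a later widening of that range would silently truncate here. I would add above the assignment `/* renego_period is an 8-byte counter and only its last byte is set, which is why the option parser limits the value to 2..255 (presumably big-endian — confirm against ssl_set_renegotiation_period) */`. The new guard `if( opt.renego_delay != DFL_RENEGO_DELAY )` makes the -2 sentinel meaningful for the first time, and a short comment such as `/* -2: keep the library default */` would spell that out next to it. main() starts and ends outside both hunks.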
@@ -770,6 +770,70 @@ run_test "Renegotiation: server-initiated, client-accepted, delay 0" \
 -S "SSL - An unexpected message was received from our peer" \
 -S "failed"
+run_test "Renegotiation: periodic, just below period" \
+ "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3" \
+ "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
+ 0 \
+ -C "client hello, adding renegotiation extension" \
+ -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
+ -S "found renegotiation extension" \
+ -s "server hello, secure renegotiation extension" \
+ -c "found renegotiation extension" \
+ -S "record counter limit reached: renegotiate" \
+ -C "=> renegotiate" \
+ -S "=> renegotiate" \
+ -S "write hello request" \
+ -S "SSL - An unexpected message was received from our peer" \
+ -S "failed"
+
+run_test "Renegotiation: periodic, just above period" \
+ "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3" \
+ "$P_CLI debug_level=3 exchanges=3 renegotiation=1" \
+ 0 \
+ -c "client hello, adding renegotiation extension" \
+ -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
+ -s "found renegotiation extension" \
+ -s "server hello, secure renegotiation extension" \
+ -c "found renegotiation extension" \
+ -s "record counter limit reached: renegotiate" \
+ -c "=> renegotiate" \
+ -s "=> renegotiate" \
+ -s "write hello request" \
+ -S "SSL - An unexpected message was received from our peer" \
+ -S "failed"
+
+run_test "Renegotiation: periodic, two times period" \
+ "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3" \
+ "$P_CLI debug_level=3 exchanges=6 renegotiation=1" \
+ 0 \
+ -c "client hello, adding renegotiation extension" \
+ -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
+ -s "found renegotiation extension" \
+ -s "server hello, secure renegotiation extension" \
+ -c "found renegotiation extension" \
+ -s "record counter limit reached: renegotiate" \
+ -c "=> renegotiate" \
+ -s "=> renegotiate" \
+ -s "write hello request" \
+ -S "SSL - An unexpected message was received from our peer" \
+ -S "failed"
+
+run_test "Renegotiation: periodic, above period, disabled" \
+ "$P_SRV debug_level=3 exchanges=9 renegotiation=0 renego_period=3" \
+ "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
+ 0 \
+ -C "client hello, adding renegotiation extension" \
+ -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
+ -S "found renegotiation extension" \
+ -s "server hello, secure renegotiation extension" \
+ -c "found renegotiation extension" \
+ -S "record counter limit reached: renegotiate" \
+ -C "=> renegotiate" \
+ -S "=> renegotiate" \
+ -S "write hello request" \
+ -S "SSL - An unexpected message was received from our peer" \
+ -S "failed"
+
 run_test "Renegotiation: nbio, client-initiated" \
 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1" \
 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1" \
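Review bot: The four new run_test cases cover the period boundary and the renegotiation=0 path, but none exercises the argument validation the ssl_server2.c side of this commit adds, so an out-of-range `renego_period=1` or `renego_period=256` being refused is untested. A case that starts `$P_SRV ... renego_period=1` and expects a non-zero result would pin that check, if the harness can observe the server's exit status (the exact value depends on what ssl_server2 returns on its usage path — confirm). The "just below" and "just above" pair also relies on how `exchanges=2` versus `exchanges=3` maps onto the record counter compared against `renego_period=3`, which is not visible from the script; a one-line comment above the first case stating that mapping, e.g. `# assumes a fixed number of records per exchange: 2 exchanges stay below renego_period=3, 3 exchanges reach it — confirm`, would save the next reader a trip into the library.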