Make renego period configurable

This commit is contained in:
Manuel Pégourié-Gonnard 2014-11-05 13:58:53 +01:00
parent b445805283
commit 837f0fe831
2 changed files with 33 additions and 7 deletions

View File

@ -830,6 +830,8 @@ struct _ssl_context
#if defined(POLARSSL_SSL_RENEGOTIATION)
int disable_renegotiation; /*!< enable/disable renegotiation */
int renego_max_records; /*!< grace period for renegotiation */
unsigned char renego_period[8]; /*!< value of the record counters
that triggers renegotiation */
#endif
int allow_legacy_renegotiation; /*!< allow legacy renegotiation */
const int *ciphersuite_list[4]; /*!< allowed ciphersuites / version */
@ -1543,6 +1545,26 @@ void ssl_legacy_renegotiation( ssl_context *ssl, int allow_legacy );
* it but allow for a grace period of max_records records.
*/
void ssl_set_renegotiation_enforced( ssl_context *ssl, int max_records );
/**
* \brief Set record counter threshold for periodic renegotiation.
* (Default: 2^64 - 256.)
*
* Renegotiation is automatically triggered when a record
* counter (outgoing or ingoing) crosses the defined
* threshold. The default value is meant to prevent the
* connection from being closed when the counter is about to
* reached its maximal value (it is not allowed to wrap).
*
* Lower values can be used to enforce policies such as "keys
* must be refreshed every N packets with cipher X".
*
* \param ssl SSL context
* \param period The threshold value: a big-endian 64-bit number.
* Set to 2^64 - 1 to disable periodic renegotiation
*/
void ssl_set_renegotiation_period( ssl_context *ssl,
const unsigned char period[8] );
#endif /* POLARSSL_SSL_RENEGOTIATION */
/**

View File

@ -3404,6 +3404,8 @@ int ssl_init( ssl_context *ssl )
#if defined(POLARSSL_SSL_RENEGOTIATION)
ssl->renego_max_records = SSL_RENEGO_MAX_RECORDS_DEFAULT;
memset( ssl->renego_period, 0xFF, 7 );
ssl->renego_period[7] = 0x00;
#endif
#if defined(POLARSSL_DHM_C)
@ -4031,6 +4033,12 @@ void ssl_set_renegotiation_enforced( ssl_context *ssl, int max_records )
{
ssl->renego_max_records = max_records;
}
void ssl_set_renegotiation_period( ssl_context *ssl,
const unsigned char period[8] )
{
memcpy( ssl->renego_period, period, 8 );
}
#endif /* POLARSSL_SSL_RENEGOTIATION */
#if defined(POLARSSL_SSL_SESSION_TICKETS)
@ -4279,10 +4287,6 @@ int ssl_renegotiate( ssl_context *ssl )
*/
static int ssl_check_ctr_renegotiate( ssl_context *ssl )
{
static const unsigned char ctr_limit[8] = {
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00
};
if( ssl->state != SSL_HANDSHAKE_OVER ||
ssl->renegotiation == SSL_RENEGOTIATION_PENDING ||
ssl->disable_renegotiation == SSL_RENEGOTIATION_DISABLED )
@ -4291,13 +4295,13 @@ static int ssl_check_ctr_renegotiate( ssl_context *ssl )
}
// TODO: adapt for DTLS
if( memcmp( ssl->in_ctr, ctr_limit, 8 ) <= 0 &&
memcmp( ssl->out_ctr, ctr_limit, 8 ) <= 0 )
if( memcmp( ssl->in_ctr, ssl->renego_period, 8 ) <= 0 &&
memcmp( ssl->out_ctr, ssl->renego_period, 8 ) <= 0 )
{
return( 0 );
}
SSL_DEBUG_MSG( 2, ( "record counter about to wrap: renegotiate" ) );
SSL_DEBUG_MSG( 0, ( "record counter limit reached: renegotiate" ) );
return( ssl_renegotiate( ssl ) );
}
#endif /* POLARSSL_SSL_RENEGOTIATION */