From f07f421759f63fbffa1489153a63cbfc8dddf4d2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 15 Aug 2014 19:04:47 +0200 Subject: [PATCH] Fix server-initiated renego with non-blocking I/O --- ChangeLog | 2 ++ library/ssl_tls.c | 8 ++++++-- tests/ssl-opt.sh | 26 ++++++++++++++++++++++++++ 3 files changed, 34 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index f2e086297..6aab3d1d3 100644 --- a/ChangeLog +++ b/ChangeLog @@ -12,6 +12,8 @@ Bugfix * Remove non-existent file from VS projects (found by Peter Vaskovic). * ssl_read() could return non-application data records on server while renegotation was pending, and on client when a HelloRequest was received. + * Server-initiated renegotiation would fail with non-blocking I/O if the + write callback returned WANT_WRITE when requesting renegotiation. Changes * Ciphersuites using SHA-256 or SHA-384 now require TLS 1.x (there is no diff --git a/library/ssl_tls.c b/library/ssl_tls.c index e6c4efdfd..6e6f6dae5 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -4167,8 +4167,6 @@ static int ssl_write_hello_request( ssl_context *ssl ) return( ret ); } - ssl->renegotiation = SSL_RENEGOTIATION_PENDING; - SSL_DEBUG_MSG( 2, ( "<= write hello request" ) ); return( 0 ); @@ -4222,6 +4220,12 @@ int ssl_renegotiate( ssl_context *ssl ) if( ssl->state != SSL_HANDSHAKE_OVER ) return( POLARSSL_ERR_SSL_BAD_INPUT_DATA ); + ssl->renegotiation = SSL_RENEGOTIATION_PENDING; + + /* Did we already try/start sending HelloRequest? */ + if( ssl->out_left != 0 ) + return( ssl_flush_output( ssl ) ); + return( ssl_write_hello_request( ssl ) ); } #endif /* POLARSSL_SSL_SRV_C */ diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index e05019fa6..ed0f19cb0 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh 
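Review bot: The retry shortcut added to ssl_renegotiate() keys on `ssl->out_left != 0` alone, which by its name covers any unsent output rather than specifically a HelloRequest, so if an earlier write left other data queued, this call would flush it and return with `renegotiation` set to PENDING although no HelloRequest was ever written. Testing the previous state before overwriting it would restrict the shortcut to genuine retries, e.g. `if( ssl->renegotiation == SSL_RENEGOTIATION_PENDING && ssl->out_left != 0 ) return( ssl_flush_output( ssl ) );` placed ahead of the assignment, with any other leftover output flushed before ssl_write_hello_request() runs. PENDING is also now set before the write, so a hard error (anything other than WANT_WRITE) from ssl_write_hello_request() leaves the server waiting for a ClientHello it never requested; either reset the flag on such errors or say in the comment that callers must drop the session. The start of ssl_renegotiate() is outside the hunk, so an earlier guard may already cover part of this.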
@@ -709,6 +709,32 @@ run_test "Renegotiation #9 (server-initiated, client-accepted, delay 0)" \ -S "SSL - An unexpected message was received from our peer" \ -S "failed" +run_test "Renegotiation #10 (nbio, enabled, client-initiated)" \ + "$P_SRV debug_level=4 nbio=2 exchanges=2 renegotiation=1" \ + "$P_CLI debug_level=4 nbio=2 exchanges=2 renegotiation=1 renegotiate=1" \ + 0 \ + -c "client hello, adding renegotiation extension" \ + -s "received TLS_EMPTY_RENEGOTIATION_INFO" \ + -s "found renegotiation extension" \ + -s "server hello, secure renegotiation extension" \ + -c "found renegotiation extension" \ + -c "=> renegotiate" \ + -s "=> renegotiate" \ + -S "write hello request" + +run_test "Renegotiation #11 (nbio, enabled, server-initiated)" \ + "$P_SRV debug_level=4 nbio=2 exchanges=2 renegotiation=1 renegotiate=1" \ + "$P_CLI debug_level=4 nbio=2 exchanges=2 renegotiation=1" \ + 0 \ + -c "client hello, adding renegotiation extension" \ + -s "received TLS_EMPTY_RENEGOTIATION_INFO" \ + -s "found renegotiation extension" \ + -s "server hello, secure renegotiation extension" \ + -c "found renegotiation extension" \ + -c "=> renegotiate" \ + -s "=> renegotiate" \ + -s "write hello request" + # Tests for auth_mode run_test "Authentication #1 (server badcert, client required)" \
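Review bot: Renegotiation #10 and #11 omit the negative assertions that the preceding case #9 ends with, so a run that logs an error during the non-blocking renegotiation but still exits 0 would pass. Adding `-S "SSL - An unexpected message was received from our peer"` and `-S "failed"` to both cases would keep them in line with #9. In #11, `-s "write hello request"` presumably matches the entry trace as well as the `<= write hello request` exit trace, so it shows that the HelloRequest was attempted rather than fully sent; a short comment noting this would prevent the check from being read as proof of delivery.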