Google Git
Sign in
boringssl/boringssl/27a0d086f7bbf7076270dbeee5e65552eb2eab3a^!/.
commit
27a0d086f7bbf7076270dbeee5e65552eb2eab3a
[log]
author
Adam Langley <agl@google.com>
Tue Nov 03 13:34:10 2015 -0800
committer
Adam Langley <agl@google.com>
Tue Nov 03 21:58:13 2015 +0000
tree
00698a302fc48789c26acbb68fa6cf7a876f5f6f
parent
fa9eb568b07597af5ff75dd2bb8204e40fbfea78 [diff]
Add ssl_renegotiate_ignore.

This option causes clients to ignore HelloRequest messages completely.
This can be suitable in cases where a server tries to perform concurrent
application data and handshake flow, e.g. because they are trying to
“renew” symmetric keys.

Change-Id: I2779f7eff30d82163f2c34a625ec91dc34fab548
Reviewed-on: https://boringssl-review.googlesource.com/6431
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>

diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index f9e0d85..79d7205 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h

@@ -2663,6 +2663,7 @@
   ssl_renegotiate_never = 0,
   ssl_renegotiate_once,
   ssl_renegotiate_freely,
+  ssl_renegotiate_ignore,
 };
 
 /* SSL_set_renegotiate_mode configures how |ssl|, a client, reacts to
@@ -2671,8 +2672,10 @@
  *
  * The renegotiation mode defaults to |ssl_renegotiate_never|, but may be set
  * at any point in a connection's lifetime. Set it to |ssl_renegotiate_once| to
- * allow one renegotiation and |ssl_renegotiate_freely| to allow all
- * renegotiations.
+ * allow one renegotiation, |ssl_renegotiate_freely| to allow all
+ * renegotiations or |ssl_renegotiate_ignore| to ignore HelloRequest messages.
+ * Note that ignoring HelloRequest messages may cause the connection to stall
+ * if the server waits for the renegotiation to complete.
  *
  * There is no support in BoringSSL for initiating renegotiations as a client
  * or server. */

diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index c50b315..7416d0e 100644
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c

@@ -346,6 +346,8 @@
       return ssl->s3->total_renegotiations == 0;
     case ssl_renegotiate_freely:
       return 1;
+    case ssl_renegotiate_ignore:
+      return 1;
   }
 
   assert(0);
@@ -567,6 +569,10 @@
       goto err;
     }
 
+    if (s->renegotiate_mode == ssl_renegotiate_ignore) {
+      goto start;
+    }
+
     /* Renegotiation is only supported at quiescent points in the application
      * protocol, namely in HTTPS, just before reading the HTTP response. Require
      * the record-layer be idle and avoid complexities of sending a handshake

diff --git a/ssl/test/bssl_shim.cc b/ssl/test/bssl_shim.cc
index 32c572e..fe3dd6f 100644
--- a/ssl/test/bssl_shim.cc
+++ b/ssl/test/bssl_shim.cc

@@ -1205,6 +1205,9 @@
   if (config->renegotiate_freely) {
     SSL_set_renegotiate_mode(ssl.get(), ssl_renegotiate_freely);
   }
+  if (config->renegotiate_ignore) {
+    SSL_set_renegotiate_mode(ssl.get(), ssl_renegotiate_ignore);
+  }
   if (!config->check_close_notify) {
     SSL_set_quiet_shutdown(ssl.get(), 1);
   }

diff --git a/ssl/test/runner/common.go b/ssl/test/runner/common.go
index 7defec1..078c227 100644
--- a/ssl/test/runner/common.go
+++ b/ssl/test/runner/common.go

@@ -782,6 +782,11 @@
 	// connections where the client offers a non-empty session ID or session
 	// ticket.
 	FailIfSessionOffered bool
+
+	// SendHelloRequestBeforeEveryAppDataRecord, if true, causes a
+	// HelloRequest handshake message to be sent before each application
+	// data record. This only makes sense for a server.
+	SendHelloRequestBeforeEveryAppDataRecord bool
 }
 
 func (c *Config) serverInit() {

diff --git a/ssl/test/runner/conn.go b/ssl/test/runner/conn.go
index c911ad0..ab9e233 100644
--- a/ssl/test/runner/conn.go
+++ b/ssl/test/runner/conn.go

@@ -1152,6 +1152,10 @@
 		c.sendAlertLocked(alertLevelError, c.config.Bugs.SendSpuriousAlert)
 	}
 
+	if c.config.Bugs.SendHelloRequestBeforeEveryAppDataRecord {
+		c.writeRecord(recordTypeHandshake, []byte{typeHelloRequest, 0, 0, 0})
+	}
+
 	// SSL 3.0 and TLS 1.0 are susceptible to a chosen-plaintext
 	// attack when using block mode ciphers due to predictable IVs.
 	// This can be prevented by splitting each Application Data

diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 4f0f8a3..ad8e12a 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go

@@ -3920,6 +3920,28 @@
 			"-expect-total-renegotiations", "2",
 		},
 	})
+	testCases = append(testCases, testCase{
+		name: "Renegotiate-Client-NoIgnore",
+		config: Config{
+			Bugs: ProtocolBugs{
+				SendHelloRequestBeforeEveryAppDataRecord: true,
+			},
+		},
+		shouldFail:    true,
+		expectedError: ":NO_RENEGOTIATION:",
+	})
+	testCases = append(testCases, testCase{
+		name: "Renegotiate-Client-Ignore",
+		config: Config{
+			Bugs: ProtocolBugs{
+				SendHelloRequestBeforeEveryAppDataRecord: true,
+			},
+		},
+		flags: []string{
+			"-renegotiate-ignore",
+			"-expect-total-renegotiations", "0",
+		},
+	})
 }
 
 func addDTLSReplayTests() {

diff --git a/ssl/test/test_config.cc b/ssl/test/test_config.cc
index abec0e1..8b540c3 100644
--- a/ssl/test/test_config.cc
+++ b/ssl/test/test_config.cc

@@ -96,6 +96,7 @@
   { "-expect-verify-result", &TestConfig::expect_verify_result },
   { "-renegotiate-once", &TestConfig::renegotiate_once },
   { "-renegotiate-freely", &TestConfig::renegotiate_freely },
+  { "-renegotiate-ignore", &TestConfig::renegotiate_ignore },
   { "-disable-npn", &TestConfig::disable_npn },
 };
 

diff --git a/ssl/test/test_config.h b/ssl/test/test_config.h
index 23fa1f11..a72d66b 100644
--- a/ssl/test/test_config.h
+++ b/ssl/test/test_config.h

@@ -98,6 +98,7 @@
   int expect_total_renegotiations = 0;
   bool renegotiate_once = false;
   bool renegotiate_freely = false;
+  bool renegotiate_ignore = false;
   bool disable_npn = false;
 };