Forbid initiating renegotiate in DTLS.

We will not support any form of DTLS renego.

Change-Id: I6eab4ed12a131ad27fdb9b5ea7cc1f35d872cd43
Reviewed-on: https://boringssl-review.googlesource.com/3230
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index e1f1062..13fbcb2 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -2433,6 +2433,7 @@
 #define SSL_F_tls1_enc 297
 #define SSL_F_ssl3_prf 298
 #define SSL_F_dtls1_do_write 299
+#define SSL_F_SSL_renegotiate 300
 #define SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS 100
 #define SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC 101
 #define SSL_R_INVALID_NULL_CMD_NAME 102
diff --git a/ssl/ssl_error.c b/ssl/ssl_error.c
index 2ffb9e6..00b4839 100644
--- a/ssl/ssl_error.c
+++ b/ssl/ssl_error.c
@@ -51,6 +51,7 @@
   {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_new, 0), "SSL_new"},
   {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_peek, 0), "SSL_peek"},
   {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_read, 0), "SSL_read"},
+  {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_renegotiate, 0), "SSL_renegotiate"},
   {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_set_cipher_list, 0), "SSL_set_cipher_list"},
   {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_set_fd, 0), "SSL_set_fd"},
   {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_set_rfd, 0), "SSL_set_rfd"},
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 4b094bf..f090882 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1005,6 +1005,12 @@
 }
 
 int SSL_renegotiate(SSL *s) {
+  if (SSL_IS_DTLS(s)) {
+    /* Renegotiation is not supported for DTLS. */
+    OPENSSL_PUT_ERROR(SSL, SSL_renegotiate, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+    return 0;
+  }
+
   if (s->renegotiate == 0) {
     s->renegotiate = 1;
   }
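Review bot: The new `SSL_IS_DTLS(s)` guard at the top of SSL_renegotiate only refuses locally initiated renegotiation, while the commit message promises that no form of DTLS renego is supported. Nothing in this diff shows a peer-initiated attempt on an established DTLS connection being rejected, so that path should be confirmed as handled elsewhere. The comment could state the scope explicitly, e.g. `/* Renegotiation is not supported for DTLS: refuse to initiate one here; peer-initiated attempts must be rejected in the handshake code. */`. The change also comes without a test; a DTLS case asserting that SSL_renegotiate returns 0, queues an error and leaves `s->renegotiate` at 0 would keep the guard from regressing. The body of SSL_renegotiate continues past the end of the hunk.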