Forbid renego in SSL 3.0.
We need to retain a pair of Finished messages for renegotiation_info.
SSL 3.0's is actually larger than TLS 1.2's (always 12 bytes). Take
renegotiation out in preparation for trimming them to size.
Change-Id: I2e238c48aaf9be07dd696bc2a6af75e9b0ead299
Reviewed-on: https://boringssl-review.googlesource.com/11570
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 1dd748d..491c408 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -635,8 +635,10 @@
}
static int ssl_do_renegotiate(SSL *ssl) {
- /* We do not accept renegotiations as a server. */
- if (ssl->server) {
+ /* We do not accept renegotiations as a server or SSL 3.0. SSL 3.0 will be
+ * removed entirely in the future and requires retaining more data for
+ * renegotiation_info. */
+ if (ssl->server || ssl->version == SSL3_VERSION) {
goto no_renegotiation;
}
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 95dbc0d..4599687 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -5689,6 +5689,22 @@
},
})
+ // Renegotiation is not allowed at SSL 3.0.
+ testCases = append(testCases, testCase{
+ name: "Renegotiate-Client-SSL3",
+ config: Config{
+ MaxVersion: VersionSSL30,
+ },
+ renegotiate: 1,
+ flags: []string{
+ "-renegotiate-freely",
+ "-expect-total-renegotiations", "1",
+ },
+ shouldFail: true,
+ expectedError: ":NO_RENEGOTIATION:",
+ expectedLocalError: "remote error: no renegotiation",
+ })
+
// Stray HelloRequests during the handshake are ignored in TLS 1.2.
testCases = append(testCases, testCase{
name: "StrayHelloRequest",
