author | Rich Salz <rsalz@akamai.com> | 2021-05-06 12:56:35 -0400 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2021-05-17 10:53:30 +0200 |
commit | 55373bfd419ca010a15aac18c88c94827e2f3a92 (patch) | |
tree | 803860f6eae08da5688ae7c4b68e195e52851a23 /apps | |
parent | d7970dd963134534340ad00fa62cb1180daf5cb0 (diff) |
Add SSL_OP_ALLOW_CLIENT_RENEGOTIATION
Add -client_renegotiation flag support. The -client_renegotiation flag is
equivalent to SSL_OP_ALLOW_CLIENT_RENEGOTIATION. Add support to the app,
the config code, and the documentation.
Add SSL_OP_ALLOW_CLIENT_RENEGOTIATION to the SSL tests. We don't need to
always enable it, but there are so many tests that this is the easiest thing
to do.
Add a test where client tries to renegotiate and it fails as expected. Add
a test where server tries to renegotiate and it succeeds. The second test
is supported by a new flag, -immediate_renegotiation, which is ignored on
the client.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15184)
Diffstat (limited to 'apps')
-rw-r--r-- | apps/include/opt.h | 10 | ||||
-rw-r--r-- | apps/lib/s_cb.c | 8 | ||||
-rw-r--r-- | apps/s_client.c | 4 | ||||
-rw-r--r-- | apps/s_server.c | 6 |
4 files changed, 20 insertions, 8 deletions
diff --git a/apps/include/opt.h b/apps/include/opt.h
index c6ec09f882..5d85877301 100644
--- a/apps/include/opt.h
+++ b/apps/include/opt.h
@@ -155,13 +155,14 @@
 OPT_S__FIRST=3000, \
 OPT_S_NOSSL3, OPT_S_NOTLS1, OPT_S_NOTLS1_1, OPT_S_NOTLS1_2, \
 OPT_S_NOTLS1_3, OPT_S_BUGS, OPT_S_NO_COMP, OPT_S_NOTICKET, \
- OPT_S_SERVERPREF, OPT_S_LEGACYRENEG, OPT_S_LEGACYCONN, \
+ OPT_S_SERVERPREF, OPT_S_LEGACYRENEG, OPT_S_CLIENTRENEG, \
+ OPT_S_LEGACYCONN, \
 OPT_S_ONRESUMP, OPT_S_NOLEGACYCONN, OPT_S_ALLOW_NO_DHE_KEX, \
 OPT_S_PRIORITIZE_CHACHA, \
 OPT_S_STRICT, OPT_S_SIGALGS, OPT_S_CLIENTSIGALGS, OPT_S_GROUPS, \
 OPT_S_CURVES, OPT_S_NAMEDCURVE, OPT_S_CIPHER, OPT_S_CIPHERSUITES, \
 OPT_S_RECORD_PADDING, OPT_S_DEBUGBROKE, OPT_S_COMP, \
- OPT_S_MINPROTO, OPT_S_MAXPROTO, \
+ OPT_S_MINPROTO, OPT_S_MAXPROTO, OPT_S_IMMEDIATE_RENEG, \
 OPT_S_NO_RENEGOTIATION, OPT_S_NO_MIDDLEBOX, OPT_S__LAST
 
 # define OPT_S_OPTIONS \
@@ -179,6 +180,8 @@
 {"serverpref", OPT_S_SERVERPREF, '-', "Use server's cipher preferences"}, \
 {"legacy_renegotiation", OPT_S_LEGACYRENEG, '-', \
 "Enable use of legacy renegotiation (dangerous)"}, \
+ {"client_renegotiation", OPT_S_CLIENTRENEG, '-', \
+ "Allow client-initiated renegotiation" }, \
 {"no_renegotiation", OPT_S_NO_RENEGOTIATION, '-', \
 "Disable all renegotiation."}, \
 {"legacy_server_connect", OPT_S_LEGACYCONN, '-', \
@@ -208,6 +211,8 @@
 {"ciphersuites", OPT_S_CIPHERSUITES, 's', "Specify TLSv1.3 ciphersuites to be used"}, \
 {"min_protocol", OPT_S_MINPROTO, 's', "Specify the minimum protocol version to be used"}, \
 {"max_protocol", OPT_S_MAXPROTO, 's', "Specify the maximum protocol version to be used"}, \
+ {"immediate_renegotiation", OPT_S_IMMEDIATE_RENEG, '-', \
+ "Immediately attempt renegotiation"}, \
 {"record_padding", OPT_S_RECORD_PADDING, 's', \
 "Block size to pad TLS 1.3 records to."}, \
 {"debug_broken_protocol", OPT_S_DEBUGBROKE, '-', \
@@ -228,6 +233,7 @@
 case OPT_S_NOTICKET: \
 case OPT_S_SERVERPREF: \
 case OPT_S_LEGACYRENEG: \
+ case OPT_S_CLIENTRENEG: \
 case OPT_S_LEGACYCONN: \
 case OPT_S_ONRESUMP: \
 case OPT_S_NOLEGACYCONN: \
diff --git a/apps/lib/s_cb.c b/apps/lib/s_cb.c
index bdd5051ee6..e3d9ec1916 100644
--- a/apps/lib/s_cb.c
+++ b/apps/lib/s_cb.c
@@ -1233,12 +1233,10 @@ int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str,
 for (i = 0; i < sk_OPENSSL_STRING_num(str); i += 2) {
 const char *flag = sk_OPENSSL_STRING_value(str, i);
 const char *arg = sk_OPENSSL_STRING_value(str, i + 1);
+
 if (SSL_CONF_cmd(cctx, flag, arg) <= 0) {
- if (arg != NULL)
- BIO_printf(bio_err, "Error with command: \"%s %s\"\n",
- flag, arg);
- else
- BIO_printf(bio_err, "Error with command: \"%s\"\n", flag);
+ BIO_printf(bio_err, "Call to SSL_CONF_cmd(%s, %s) failed\n",
+ flag, arg == NULL ? "<NULL>" : arg);
 ERR_print_errors(bio_err);
 return 0;
 }
diff --git a/apps/s_client.c b/apps/s_client.c
index 1aa7a3b7de..1754d3e1a4 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -1047,6 +1047,9 @@ int s_client_main(int argc, char **argv)
 case OPT_BRIEF:
 c_brief = verify_args.quiet = c_quiet = 1;
 break;
+ case OPT_S_IMMEDIATE_RENEG:
+ /* Option ignored on client. */
+ break;
 case OPT_S_CASES:
 if (ssl_args == NULL)
 ssl_args = sk_OPENSSL_STRING_new_null();
@@ -2673,7 +2676,6 @@ int s_client_main(int argc, char **argv)
 tty_on = 1;
 if (in_init) {
 in_init = 0;
-
 if (c_brief) {
 BIO_puts(bio_err, "CONNECTION ESTABLISHED\n");
 print_ssl_summary(con);
diff --git a/apps/s_server.c b/apps/s_server.c
index 5d9e8cd568..51b5c9d381 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -78,6 +78,7 @@ static int accept_socket = -1;
 static int s_nbio = 0;
 static int s_nbio_test = 0;
 static int s_crlf = 0;
+static int immediate_reneg = 0;
 static SSL_CTX *ctx = NULL;
 static SSL_CTX *ctx2 = NULL;
 static int www = 0;
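Review bot: The help string for the new `client_renegotiation` row in the OPT_S_OPTIONS hunk (@@ -179) gives the operator no hint that the option is presumably off by default for a reason, whereas the neighbouring `legacy_renegotiation` row carries "(dangerous)"; since enabling it lets the peer request further full handshakes at will, the row should carry a comparable caveat, e.g. `"Allow client-initiated renegotiation (not recommended)"`. The `immediate_renegotiation` row in the @@ -208 hunk reads as a general option although s_client.c in this same commit explicitly ignores it, so `"Immediately attempt renegotiation (server only)"` would be more accurate. Minor style: `"Allow client-initiated renegotiation" }` has a space before `}` that no other row in the table has. The OPT_S_OPTIONS macro continues outside these hunks.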
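Review bot: The new `case OPT_S_IMMEDIATE_RENEG:` in s_client_main (@@ -1047) accepts the flag and drops it silently, so someone passing `-immediate_renegotiation` to s_client gets no indication that nothing will happen. A one-line message keeps the behaviour but makes it visible: `BIO_printf(bio_err, "Warning: -immediate_renegotiation is ignored by s_client\n");` in place of the comment. If the only goal is to let the shared OPT_S_OPTIONS table parse cleanly in both apps, the comment could say that rather than just "ignored". The @@ -2673 hunk only removes a blank line; s_client_main continues outside both hunks.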
@@ -1258,6 +1259,9 @@ int s_server_main(int argc, char *argv[])
 if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &crl_format))
 goto opthelp;
 break;
+ case OPT_S_IMMEDIATE_RENEG:
+ immediate_reneg = 1;
+ break;
 case OPT_S_CASES:
 case OPT_S_NUM_TICKETS:
 case OPT_ANTI_REPLAY:
@@ -2784,6 +2788,8 @@ static int init_ssl_connection(SSL *con)
 } else {
 do {
 i = SSL_accept(con);
+ if (immediate_reneg)
+ SSL_renegotiate(con);
 if (i <= 0)
 retry = is_retryable(con, i);
|
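Review bot: The flag set by `immediate_reneg = 1;` in the @@ -1258 hunk is consumed in init_ssl_connection (@@ -2784) by calling `SSL_renegotiate(con)` on every pass of the `do { i = SSL_accept(con); ... }` loop, including passes where SSL_accept returned `i <= 0`, and the call's return value is discarded; if SSL_renegotiate fails (it presumably can, e.g. when the negotiated protocol has no renegotiation), the error sits on the queue with no message and the test flag silently does nothing. Guarding on a completed handshake and reporting failure keeps the flag honest: `if (i > 0 && immediate_reneg && !SSL_renegotiate(con))` followed by `ERR_print_errors(bio_err);` in place of the two added lines. The @@ -2784 hunk appears cut off at the end of the page, so the rest of the loop is not visible, and init_ssl_connection continues outside it.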