- Added Secure Renegotiation (RFC 5746)
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 8c0a94d..df5274a 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -50,6 +50,8 @@
#define DFL_CRT_FILE ""
#define DFL_KEY_FILE ""
#define DFL_FORCE_CIPHER 0
+#define DFL_RENEGOTIATION SSL_RENEGOTIATION_ENABLED
+#define DFL_ALLOW_LEGACY SSL_NO_LEGACY_RENEGOTIATION
#define GET_REQUEST "GET %s HTTP/1.0\r\n\r\n"
@@ -67,6 +69,8 @@
char *crt_file; /* the file with the client certificate */
char *key_file; /* the file with the client key */
int force_ciphersuite[2]; /* protocol/ciphersuite to use, or all */
+ int renegotiation; /* enable / disable renegotiation */
+ int allow_legacy; /* allow legacy renegotiation */
} opt;
void my_debug( void *ctx, int level, const char *str )
@@ -97,6 +101,8 @@
" debug_level=%%d default: 0 (disabled)\n" \
USAGE_IO \
" request_page=%%s default: \".\"\n" \
+ " renegotiation=%%d default: 1 (enabled)\n" \
+ " allow_legacy=%%d default: 0 (disabled)\n" \
" force_ciphersuite=<name> default: all enabled\n"\
" acceptable ciphersuite names:\n"
@@ -171,6 +177,8 @@
opt.crt_file = DFL_CRT_FILE;
opt.key_file = DFL_KEY_FILE;
opt.force_ciphersuite[0]= DFL_FORCE_CIPHER;
+ opt.renegotiation = DFL_RENEGOTIATION;
+ opt.allow_legacy = DFL_ALLOW_LEGACY;
for( i = 1; i < argc; i++ )
{
@@ -224,6 +232,17 @@
}
opt.force_ciphersuite[1] = 0;
}
+ else if( strcmp( p, "renegotiation" ) == 0 )
+ {
+ opt.renegotiation = (atoi( q )) ? SSL_RENEGOTIATION_ENABLED :
+ SSL_RENEGOTIATION_DISABLED;
+ }
+ else if( strcmp( p, "allow_legacy" ) == 0 )
+ {
+ opt.allow_legacy = atoi( q );
+ if( opt.allow_legacy < 0 || opt.allow_legacy > 1 )
+ goto usage;
+ }
else
goto usage;
}
@@ -367,6 +386,9 @@
else
ssl_set_ciphersuites( &ssl, opt.force_ciphersuite );
+ ssl_set_renegotiation( &ssl, opt.renegotiation );
+ ssl_legacy_renegotiation( &ssl, opt.allow_legacy );
+
ssl_set_session( &ssl, 1, 600, &ssn );
ssl_set_ca_chain( &ssl, &cacert, NULL, opt.server_name );
@@ -419,7 +441,8 @@
printf( " ok\n" );
printf( " . Peer certificate information ...\n" );
- x509parse_cert_info( (char *) buf, sizeof( buf ) - 1, " ", ssl.peer_cert );
+ x509parse_cert_info( (char *) buf, sizeof( buf ) - 1, " ",
+ ssl.session->peer_cert );
printf( "%s\n", buf );
/*
@@ -495,6 +518,7 @@
x509_free( &clicert );
x509_free( &cacert );
rsa_free( &rsa );
+ ssl_session_free( &ssn );
ssl_free( &ssl );
memset( &ssl, 0, sizeof( ssl ) );
diff --git a/programs/ssl/ssl_fork_server.c b/programs/ssl/ssl_fork_server.c
index 881a68e..416d4bf 100644
--- a/programs/ssl/ssl_fork_server.c
+++ b/programs/ssl/ssl_fork_server.c
@@ -379,7 +379,9 @@
ssl_set_ca_chain( &ssl, srvcert.next, NULL, NULL );
ssl_set_own_cert( &ssl, &srvcert, &rsa );
+#if defined(POLARSSL_DHM_C)
ssl_set_dh_param( &ssl, my_dhm_P, my_dhm_G );
+#endif
/*
* 5. Handshake
diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c
index 6bf64af..ea7068c 100644
--- a/programs/ssl/ssl_mail_client.c
+++ b/programs/ssl/ssl_mail_client.c
@@ -171,7 +171,8 @@
printf( " ok\n" );
printf( " . Peer certificate information ...\n" );
- x509parse_cert_info( (char *) buf, sizeof( buf ) - 1, " ", ssl->peer_cert );
+ x509parse_cert_info( (char *) buf, sizeof( buf ) - 1, " ",
+ ssl->session->peer_cert );
printf( "%s\n", buf );
return( 0 );
@@ -803,6 +804,7 @@
x509_free( &clicert );
x509_free( &cacert );
rsa_free( &rsa );
+ ssl_session_free( &ssn );
ssl_free( &ssl );
memset( &ssl, 0, sizeof( ssl ) );
diff --git a/programs/ssl/ssl_server.c b/programs/ssl/ssl_server.c
index 0d24787..ca1477e 100644
--- a/programs/ssl/ssl_server.c
+++ b/programs/ssl/ssl_server.c
@@ -370,7 +370,9 @@
ssl_set_ca_chain( &ssl, srvcert.next, NULL, NULL );
ssl_set_own_cert( &ssl, &srvcert, &rsa );
+#if defined(POLARSSL_DHM_C)
ssl_set_dh_param( &ssl, my_dhm_P, my_dhm_G );
+#endif
printf( " ok\n" );
@@ -484,8 +486,11 @@
len = ret;
printf( " %d bytes read\n\n%s", len, (char *) buf );
+
+ if( ret > 0 )
+ break;
}
- while( 0 );
+ while( 1 );
/*
* 7. Write the 200 Response
@@ -531,19 +536,10 @@
net_close( client_fd );
x509_free( &srvcert );
rsa_free( &rsa );
+ ssl_session_free( &ssn );
+ ssl_session_free( s_list_1st );
ssl_free( &ssl );
- cur = s_list_1st;
- while( cur != NULL )
- {
- prv = cur;
- cur = cur->next;
- memset( prv, 0, sizeof( ssl_session ) );
- free( prv );
- }
-
- memset( &ssl, 0, sizeof( ssl_context ) );
-
#if defined(_WIN32)
printf( " Press Enter to exit this program.\n" );
fflush( stdout ); getchar();
diff --git a/programs/x509/cert_app.c b/programs/x509/cert_app.c
index 08d1b9a..18c23b2 100644
--- a/programs/x509/cert_app.c
+++ b/programs/x509/cert_app.c
@@ -312,7 +312,8 @@
* 5. Print the certificate
*/
printf( " . Peer certificate information ...\n" );
- ret = x509parse_cert_info( (char *) buf, sizeof( buf ) - 1, " ", ssl.peer_cert );
+ ret = x509parse_cert_info( (char *) buf, sizeof( buf ) - 1, " ",
+ ssl.session->peer_cert );
if( ret == -1 )
{
printf( " failed\n ! x509parse_cert_info returned %d\n\n", ret );
@@ -332,10 +333,9 @@
net_close( server_fd );
x509_free( &clicert );
rsa_free( &rsa );
+ ssl_session_free( &ssn );
ssl_free( &ssl );
- memset( &ssl, 0, sizeof( ssl ) );
-
#if defined(_WIN32)
printf( " + Press Enter to exit this program.\n" );
fflush( stdout ); getchar();
