Add tests for renego security enforcement
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 5b7a488..5f84546 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -83,7 +83,7 @@
#define DFL_PSK_IDENTITY "Client_identity"
#define DFL_FORCE_CIPHER 0
#define DFL_RENEGOTIATION SSL_RENEGOTIATION_DISABLED
-#define DFL_ALLOW_LEGACY SSL_LEGACY_NO_RENEGOTIATION
+#define DFL_ALLOW_LEGACY -2
#define DFL_RENEGOTIATE 0
#define DFL_EXCHANGES 1
#define DFL_MIN_VERSION -1
@@ -304,7 +304,7 @@
USAGE_PSK \
"\n" \
" renegotiation=%%d default: 1 (enabled)\n" \
- " allow_legacy=%%d default: 0 (disabled)\n" \
+ " allow_legacy=%%d default: (library default: no)\n" \
" renegotiate=%%d default: 0 (disabled)\n" \
" exchanges=%%d default: 1\n" \
" reconnect=%%d default: 0 (disabled)\n" \
@@ -481,9 +481,13 @@
}
else if( strcmp( p, "allow_legacy" ) == 0 )
{
- opt.allow_legacy = atoi( q );
- if( opt.allow_legacy < 0 || opt.allow_legacy > 1 )
- goto usage;
+ switch( atoi( q ) )
+ {
+ case -1: opt.allow_legacy = SSL_LEGACY_BREAK_HANDSHAKE; break;
+ case 0: opt.allow_legacy = SSL_LEGACY_NO_RENEGOTIATION; break;
+ case 1: opt.allow_legacy = SSL_LEGACY_ALLOW_RENEGOTIATION; break;
+ default: goto usage;
+ }
}
else if( strcmp( p, "renegotiate" ) == 0 )
{
@@ -911,7 +915,8 @@
ssl_set_ciphersuites( &ssl, opt.force_ciphersuite );
ssl_set_renegotiation( &ssl, opt.renegotiation );
- ssl_legacy_renegotiation( &ssl, opt.allow_legacy );
+ if( opt.allow_legacy != DFL_ALLOW_LEGACY )
+ ssl_legacy_renegotiation( &ssl, opt.allow_legacy );
#if defined(POLARSSL_X509_CRT_PARSE_C)
if( strcmp( opt.ca_path, "none" ) != 0 &&
