Commit 48916f9b authored by Paul Bakker's avatar Paul Bakker

- Added Secure Renegotiation (RFC 5746)

parent b5b20f19
......@@ -13,7 +13,7 @@ Features
* Added key_app_writer example application
* Added cert_req example application
* Added base Galois Counter Mode (GCM) for AES
* Added TLS 1.2 support
* Added TLS 1.2 support (RFC 5246)
* Added GCM suites to TLS 1.2 (RFC 5288)
* Added commandline error code convertor (util/strerror)
* Added support for Hardware Acceleration hooking in SSL/TLS
......@@ -24,6 +24,7 @@ Features
* Added DEFLATE compression support as per RFC3749 (requires zlib)
* Added blowfish algorithm (Generic and cipher layer)
* Added PKCS#5 PBKDF2 key derivation function
* Added Secure Renegotiation (RFC 5746)
Changes
* Removed redundant POLARSSL_DEBUG_MSG define
......
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
......@@ -50,6 +50,8 @@
#define DFL_CRT_FILE ""
#define DFL_KEY_FILE ""
#define DFL_FORCE_CIPHER 0
#define DFL_RENEGOTIATION SSL_RENEGOTIATION_ENABLED
#define DFL_ALLOW_LEGACY SSL_NO_LEGACY_RENEGOTIATION
#define GET_REQUEST "GET %s HTTP/1.0\r\n\r\n"
......@@ -67,6 +69,8 @@ struct options
char *crt_file; /* the file with the client certificate */
char *key_file; /* the file with the client key */
int force_ciphersuite[2]; /* protocol/ciphersuite to use, or all */
int renegotiation; /* enable / disable renegotiation */
int allow_legacy; /* allow legacy renegotiation */
} opt;
void my_debug( void *ctx, int level, const char *str )
......@@ -97,6 +101,8 @@ void my_debug( void *ctx, int level, const char *str )
" debug_level=%%d default: 0 (disabled)\n" \
USAGE_IO \
" request_page=%%s default: \".\"\n" \
" renegotiation=%%d default: 1 (enabled)\n" \
" allow_legacy=%%d default: 0 (disabled)\n" \
" force_ciphersuite=<name> default: all enabled\n"\
" acceptable ciphersuite names:\n"
......@@ -171,6 +177,8 @@ int main( int argc, char *argv[] )
opt.crt_file = DFL_CRT_FILE;
opt.key_file = DFL_KEY_FILE;
opt.force_ciphersuite[0]= DFL_FORCE_CIPHER;
opt.renegotiation = DFL_RENEGOTIATION;
opt.allow_legacy = DFL_ALLOW_LEGACY;
for( i = 1; i < argc; i++ )
{
......@@ -224,6 +232,17 @@ int main( int argc, char *argv[] )
}
opt.force_ciphersuite[1] = 0;
}
else if( strcmp( p, "renegotiation" ) == 0 )
{
opt.renegotiation = (atoi( q )) ? SSL_RENEGOTIATION_ENABLED :
SSL_RENEGOTIATION_DISABLED;
}
else if( strcmp( p, "allow_legacy" ) == 0 )
{
opt.allow_legacy = atoi( q );
if( opt.allow_legacy < 0 || opt.allow_legacy > 1 )
goto usage;
}
else
goto usage;
}
......@@ -367,6 +386,9 @@ int main( int argc, char *argv[] )
else
ssl_set_ciphersuites( &ssl, opt.force_ciphersuite );
ssl_set_renegotiation( &ssl, opt.renegotiation );
ssl_legacy_renegotiation( &ssl, opt.allow_legacy );
ssl_set_session( &ssl, 1, 600, &ssn );
ssl_set_ca_chain( &ssl, &cacert, NULL, opt.server_name );
......@@ -419,7 +441,8 @@ int main( int argc, char *argv[] )
printf( " ok\n" );
printf( " . Peer certificate information ...\n" );
x509parse_cert_info( (char *) buf, sizeof( buf ) - 1, " ", ssl.peer_cert );
x509parse_cert_info( (char *) buf, sizeof( buf ) - 1, " ",
ssl.session->peer_cert );
printf( "%s\n", buf );
/*
......@@ -495,6 +518,7 @@ exit:
x509_free( &clicert );
x509_free( &cacert );
rsa_free( &rsa );
ssl_session_free( &ssn );
ssl_free( &ssl );
memset( &ssl, 0, sizeof( ssl ) );
......
......@@ -379,7 +379,9 @@ int main( int argc, char *argv[] )
ssl_set_ca_chain( &ssl, srvcert.next, NULL, NULL );
ssl_set_own_cert( &ssl, &srvcert, &rsa );
#if defined(POLARSSL_DHM_C)
ssl_set_dh_param( &ssl, my_dhm_P, my_dhm_G );
#endif
/*
* 5. Handshake
......
......@@ -171,7 +171,8 @@ int do_handshake( ssl_context *ssl, struct options *opt )
printf( " ok\n" );
printf( " . Peer certificate information ...\n" );
x509parse_cert_info( (char *) buf, sizeof( buf ) - 1, " ", ssl->peer_cert );
x509parse_cert_info( (char *) buf, sizeof( buf ) - 1, " ",
ssl->session->peer_cert );
printf( "%s\n", buf );
return( 0 );
......@@ -803,6 +804,7 @@ exit:
x509_free( &clicert );
x509_free( &cacert );
rsa_free( &rsa );
ssl_session_free( &ssn );
ssl_free( &ssl );
memset( &ssl, 0, sizeof( ssl ) );
......
......@@ -370,7 +370,9 @@ int main( int argc, char *argv[] )
ssl_set_ca_chain( &ssl, srvcert.next, NULL, NULL );
ssl_set_own_cert( &ssl, &srvcert, &rsa );
#if defined(POLARSSL_DHM_C)
ssl_set_dh_param( &ssl, my_dhm_P, my_dhm_G );
#endif
printf( " ok\n" );
......@@ -484,8 +486,11 @@ reset:
len = ret;
printf( " %d bytes read\n\n%s", len, (char *) buf );
if( ret > 0 )
break;
}
while( 0 );
while( 1 );
/*
* 7. Write the 200 Response
......@@ -531,19 +536,10 @@ exit:
net_close( client_fd );
x509_free( &srvcert );
rsa_free( &rsa );
ssl_session_free( &ssn );
ssl_session_free( s_list_1st );
ssl_free( &ssl );
cur = s_list_1st;
while( cur != NULL )
{
prv = cur;
cur = cur->next;
memset( prv, 0, sizeof( ssl_session ) );
free( prv );
}
memset( &ssl, 0, sizeof( ssl_context ) );
#if defined(_WIN32)
printf( " Press Enter to exit this program.\n" );
fflush( stdout ); getchar();
......
......@@ -312,7 +312,8 @@ int main( int argc, char *argv[] )
* 5. Print the certificate
*/
printf( " . Peer certificate information ...\n" );
ret = x509parse_cert_info( (char *) buf, sizeof( buf ) - 1, " ", ssl.peer_cert );
ret = x509parse_cert_info( (char *) buf, sizeof( buf ) - 1, " ",
ssl.session->peer_cert );
if( ret == -1 )
{
printf( " failed\n ! x509parse_cert_info returned %d\n\n", ret );
......@@ -332,10 +333,9 @@ exit:
net_close( server_fd );
x509_free( &clicert );
rsa_free( &rsa );
ssl_session_free( &ssn );
ssl_free( &ssl );
memset( &ssl, 0, sizeof( ssl ) );
#if defined(_WIN32)
printf( " + Press Enter to exit this program.\n" );
fflush( stdout ); getchar();
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment