author | Peter Dettman <peter.dettman@bouncycastle.org> | 2015-03-06 16:45:13 +0700 |
---|---|---|
committer | Peter Dettman <peter.dettman@bouncycastle.org> | 2015-03-06 16:45:13 +0700 |
commit | e781400bd619176f9804cb75e2ee8bc6102c2e62 (patch) | |
tree | 5b5f6fffb65d5d9e9da453aac61720ab45a7ff59 /crypto/src | |
parent | Improved handling for out-of-order Finished message (diff) | |
Refuse client-initiated renegotiation gracefully
Diffstat (limited to 'crypto/src')
-rw-r--r-- | crypto/src/crypto/tls/TlsClientProtocol.cs | 10 | ||||
-rw-r--r-- | crypto/src/crypto/tls/TlsProtocol.cs | 12 | ||||
-rw-r--r-- | crypto/src/crypto/tls/TlsServerProtocol.cs | 5 |
3 files changed, 18 insertions, 9 deletions
diff --git a/crypto/src/crypto/tls/TlsClientProtocol.cs b/crypto/src/crypto/tls/TlsClientProtocol.cs
index 19e7d71aa..0c35e62af 100644
--- a/crypto/src/crypto/tls/TlsClientProtocol.cs
+++ b/crypto/src/crypto/tls/TlsClientProtocol.cs
@@ -529,15 +529,7 @@ namespace Org.BouncyCastle.Crypto.Tls
 */
 if (this.mConnectionState == CS_END)
 {
- /*
- * RFC 5746 4.5 SSLv3 clients that refuse renegotiation SHOULD use a fatal
- * handshake_failure alert.
- */
- if (TlsUtilities.IsSsl(Context))
- throw new TlsFatalAlert(AlertDescription.handshake_failure);
-
- string message = "Renegotiation not supported";
- RaiseWarning(AlertDescription.no_renegotiation, message);
+ RefuseRenegotiation();
 }
 break;
 }
diff --git a/crypto/src/crypto/tls/TlsProtocol.cs b/crypto/src/crypto/tls/TlsProtocol.cs
index 08b39f2a6..8fd83aca2 100644
--- a/crypto/src/crypto/tls/TlsProtocol.cs
+++ b/crypto/src/crypto/tls/TlsProtocol.cs
@@ -759,6 +759,18 @@ namespace Org.BouncyCastle.Crypto.Tls
 return maxFragmentLength;
 }
 
+ protected virtual void RefuseRenegotiation()
+ {
+ /*
+ * RFC 5746 4.5 SSLv3 clients that refuse renegotiation SHOULD use a fatal
+ * handshake_failure alert.
+ */
+ if (TlsUtilities.IsSsl(Context))
+ throw new TlsFatalAlert(AlertDescription.handshake_failure);
+
+ RaiseWarning(AlertDescription.no_renegotiation, "Renegotiation not supported");
+ }
+
 /**
 * Make sure the InputStream 'buf' now empty. Fail otherwise.
 *
diff --git a/crypto/src/crypto/tls/TlsServerProtocol.cs b/crypto/src/crypto/tls/TlsServerProtocol.cs
index b1fb830b6..d2959cfed 100644
--- a/crypto/src/crypto/tls/TlsServerProtocol.cs
+++ b/crypto/src/crypto/tls/TlsServerProtocol.cs
@@ -179,6 +179,11 @@ namespace Org.BouncyCastle.Crypto.Tls
 
 break;
 }
+ case CS_END:
+ {
+ RefuseRenegotiation();
+ break;
+ }
 default:
 throw new TlsFatalAlert(AlertDescription.unexpected_message);
 } |
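Review bot: The comment carried into the new `RefuseRenegotiation()` still reads "SSLv3 clients that refuse renegotiation SHOULD use a fatal handshake_failure alert", but the helper now lives on the shared base class and is also the server's refusal path, so the stated rationale is narrower than the code's use. A `protected virtual` hook on the base protocol also warrants an XML summary; I would add `/// <summary>Refuse a peer-initiated renegotiation: a fatal handshake_failure on SSLv3 (RFC 5746 4.5, which has no no_renegotiation alert), otherwise a warning-level no_renegotiation alert; the connection state is left unchanged.</summary>` and reword the inline comment to say "peers" rather than "clients". Note that nothing here bounds how many times a peer may provoke the warning, since the method neither changes the connection state nor counts refusals; if escalation to a fatal alert after repeated attempts is wanted, it would presumably have to be added by the callers. The enclosing class body begins and ends outside the hunk.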
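Review bot: In the new `case CS_END` the ClientHello payload in `buf` is never read before `RefuseRenegotiation()` is called, whereas the other cases of this switch presumably consume it; if the enclosing `HandleHandshakeMessage` asserts the buffer is empty after the switch the graceful refusal would instead surface as a decode error, and if it does not the unread bytes are silently dropped, so a one-line comment stating which is intended would help, e.g. `// The ClientHello is not parsed; renegotiation is refused and its payload discarded.`. This state previously fell through to `default` and raised a fatal unexpected_message, so for non-SSLv3 peers the change converts a client-initiated renegotiation from a connection teardown into a warning alert that keeps the established session open; that is the stated intent, but since it relaxes a previously fatal condition it is worth calling out in the commit message. The enclosing switch and method begin outside the hunk.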