Add renegotiation callback #3527
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
lrstewart
force-pushed
the
reneg_trigger
branch
from
d403473
to
b6ae558
Compare
maddeleine
reviewed
Oct 3, 2022
goatgoose
reviewed
Oct 3, 2022
lrstewart
force-pushed
the
reneg_trigger
branch
from
b6ae558
to
66dc3b3
Compare
maddeleine
approved these changes
Oct 4, 2022
goatgoose
approved these changes
Oct 4, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description of changes:
When we receive a hello request, we need a callback to determine whether that request should be accepted or rejected. If rejected, we send a no_renegotiation alert. If accepted, the application needs to finish up sending and receiving and proceed to renegotiating (calling s2n_renegotiate_wipe and s2n_renegotiate).
We don't want the callback or its setter to be public yet, so I just put them in s2n_renegotiate.h for now.
As part of this PR, we also implement the "no secure_renegotiation" case from section 4.2 of rfc5746, so I fully commented + added exceptions for section 4.2.
Callouts
I called the callback "renegotiate_request" instead of "hello_request". I thought that was clearer about its purpose.
Testing:
Just unit tests
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.