/*
 * Drive a full, synchronous TLS renegotiation on an established connection.
 *
 * ssl    - the established session to renegotiate.
 * server - true when this end is the server, false when it is the client.
 *
 * Returns true once the renegotiation handshake has been driven through,
 * false when a handshake step fails (LOGCHECK reports the failure; what
 * CHECK does on failure is defined elsewhere - presumably it also bails out).
 *
 * SECURITY (review): nothing here verifies that the peer supports RFC 5746
 * secure renegotiation. Against a legacy peer, renegotiation is exposed to
 * the prefix-injection attack (CVE-2009-3555), and a remote party able to
 * trigger this repeatedly can burn CPU. Confirm the SSL_CTX refuses legacy
 * renegotiation (or check SSL_get_secure_renegotiation_support()) and
 * rate-limit callers whose trigger is remote - TODO confirm where enforced.
 */
bool CHECK_RESULT renegotiatefull(SSL *ssl, bool server)
{
  if (debuglevel > 2) fprintf(stderr,"Renegotiating\n");
  // Flag the renegotiation request on the session.
  CHECK(SSL_renegotiate(ssl) == SSL_OK);
  // On the server this results in a "HelloRequest" being sent to the client
  // (the original comment said "server", which was a typo - see the
  // asynchronous variant of this function).
  // Allow SSL to do this in its own time on client.
  if (!LOGCHECK(sslDoHandshake(ssl) == SSL_OK)) {
     return false;
  }
#if defined LIBRESSL_VERSION_NUMBER || OPENSSL_VERSION_NUMBER < 0x10100000L
  // [Now, mercifully, seems to be unnecessary in the main OpenSSL branch]
  // [Just as well, as it doesn't compile any more: the SSL struct is opaque
  //  from OpenSSL 1.1.0 on, hence the version guard above]
  if (server) {
    // Nasty hack - this pokes the library's private state machine so SSL
    // expects an immediate handshake; we get an error otherwise. See:
    // http://www.mail-archive.com/[email protected]/msg20802.html
    // NOTE(review): writing to internal state is unsupported API use; it is
    // only kept for the pre-1.1.0 builds the guard admits.
    ssl->state = SSL_ST_ACCEPT;
    // Complete the handshake.
    // This fails if there is unread data from the client
    // This can also fail eg. if the client fails to send a certificate.
    // Should change to softer error.
    if (!LOGCHECK(sslDoHandshake(ssl) == SSL_OK)) {
       return false;
    }
  }
#endif
  return true;
}
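/*
 * Client side: wrap an already-connected socket in a new MatrixSSL session
 * and run the blocking handshake.
 *
 * cpp           - out: receives the connection on success, NULL on failure.
 * fd            - a connected socket; ownership stays with the caller.
 * keys          - MatrixSSL key material for the session.
 * id            - optional session id for resumption (passed straight through).
 * cipherSuite   - handed to sslDoHandshake unchanged.
 * certValidator - user-level certificate validation callback; `keys` is
 *                 passed to it as the opaque argument.
 *                 NOTE(review): when this is NULL the acceptance of the
 *                 peer's certificate is left to whatever MatrixSSL does by
 *                 default - callers that need chain/hostname checks must
 *                 supply one.
 *
 * Returns 0 on success, -1 on failure; each failure writes an error line
 * naming this file and line to stderr.
 *
 * Fix over the original: calloc() was not checked, so an allocation failure
 * dereferenced NULL. Early failures now also clear *cpp.
 */
int sslConnect(sslConn_t **cpp, SOCKET fd, sslKeys_t *keys, 
	       sslSessionId_t *id, short cipherSuite, 
	       int (*certValidator)(sslCertInfo_t *t, void *arg))
{
  sslConn_t *conn;

  conn = calloc(1, sizeof *conn);
  if (conn == NULL) {
    fprintf(stderr, "error %s:%d\n",__FILE__,__LINE__);
    *cpp = NULL;
    return -1;
  }
  conn->fd = fd;

  // The last argument is MatrixSSL's flags word; 0 here. Its exact meaning
  // is not visible in this file - presumably "client session".
  if (matrixSslNewSession(&conn->ssl, keys, id, 0) < 0) {
    fprintf(stderr, "error %s:%d\n",__FILE__,__LINE__);
    sslFreeConnection(&conn);
    *cpp = NULL;
    return -1;
  }
  
  matrixSslSetCertValidator(conn->ssl, certValidator, keys);
  
  // sslDoHandshake returns NULL when the handshake fails. Ownership of
  // `conn` on that path is its responsibility - confirm it frees it,
  // otherwise this leaks.
  *cpp = sslDoHandshake(conn, cipherSuite);
  if (*cpp == NULL) {
    fprintf(stderr, "error %s:%d\n",__FILE__,__LINE__);
    return -1;
  }

  return 0;
}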
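/*
	Client side.  Given an already-connected socket, create the SSL session
	and go through the SSL handshake phase in blocking mode.

	cpp           - out: receives the connection on success, NULL on failure.
	fd            - a connected socket; ownership stays with the caller.
	keys          - MatrixSSL key material for the session.
	id            - optional session id for resumption (passed through).
	cipherSuite   - handed to sslDoHandshake unchanged.
	certValidator - optional function callback for user-level certificate
	                validation, NULL if not needed. Its opaque argument is
	                always NULL here.
	                NOTE(review): with NULL the acceptance of the peer's
	                certificate is left to MatrixSSL's default behaviour -
	                callers needing chain/hostname checks must pass one.

	Returns 0 on success, -1 on failure.

	Fix over the original: calloc() was not checked, so an allocation
	failure dereferenced NULL. Early failures now also clear *cpp.
*/
int sslConnect(sslConn_t **cpp, SOCKET fd, sslKeys_t *keys, 
			   sslSessionId_t *id, short cipherSuite, 
			   int (*certValidator)(sslCertInfo_t *t, void *arg))
{
	sslConn_t	*conn;

/*
	Create a new SSL session for the new socket and register the
	user certificate validator 
*/
	conn = calloc(1, sizeof *conn);
	if (conn == NULL) {
		*cpp = NULL;
		return -1;
	}
	conn->fd = fd;
	/* Last argument is MatrixSSL's flags word (0 here); its meaning is not
	   visible in this file. */
	if (matrixSslNewSession(&conn->ssl, keys, id, 0) < 0) {
		sslFreeConnection(&conn);
		*cpp = NULL;
		return -1;
	}
	matrixSslSetCertValidator(conn->ssl, certValidator, NULL);

	/* sslDoHandshake returns NULL when the handshake fails; ownership of
	   `conn` on that path is its responsibility - confirm it frees it. */
	*cpp = sslDoHandshake(conn, cipherSuite);
	
	if (*cpp == NULL) {
		return -1;
	}
	return 0;
}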
// Kick off an asynchronous renegotiation on an established connection.
//
// ssl    - the established session.
// server - true when this end is the server, false for the client.
//
// SSL_renegotiate() only flags the request. On the server the handshake is
// driven once right away so the "HelloRequest" actually goes out to the
// client; on the client nothing more is done here, the library completes
// the renegotiation during later I/O in its own time.
//
// Returns false when the server-side handshake step failed (LOGCHECK logs
// it), true otherwise. What CHECK does on failure is defined elsewhere.
//
// NOTE(review): nothing here checks that the peer supports RFC 5746 secure
// renegotiation; confirm the SSL_CTX refuses legacy renegotiation, and
// rate-limit this if a remote party can trigger it.
bool CHECK_RESULT renegotiate(SSL *ssl, bool server)
{
  if (debuglevel > 2) {
    fprintf(stderr,"Renegotiating\n");
  }
  CHECK(SSL_renegotiate(ssl) == SSL_OK);
  if (!server) {
    return true;
  }
  return LOGCHECK(sslDoHandshake(ssl) == SSL_OK) ? true : false;
}
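/*
 * Drive a full, synchronous TLS renegotiation on an established connection.
 *
 * ssl    - the established session to renegotiate.
 * server - true when this end is the server, false for the client.
 *
 * Returns true once the renegotiation handshake has been driven through,
 * false when a handshake step fails (LOGCHECK reports it; what CHECK does
 * on failure is defined elsewhere).
 *
 * Fix over the original: the server-side `ssl->state` poke was unguarded.
 * The SSL struct is opaque from OpenSSL 1.1.0 on, so that line does not
 * compile there (and the second handshake is no longer needed); it is now
 * under the same version guard as the other copy of this function.
 *
 * SECURITY (review): nothing here verifies that the peer supports RFC 5746
 * secure renegotiation. Against a legacy peer, renegotiation is exposed to
 * the prefix-injection attack (CVE-2009-3555), and a remote party able to
 * trigger this repeatedly can burn CPU. Confirm the SSL_CTX refuses legacy
 * renegotiation and rate-limit remote triggers - TODO confirm where enforced.
 */
bool CHECK_RESULT renegotiatefull(SSL *ssl, bool server)
{
    if (debuglevel > 2) fprintf(stderr,"Renegotiating\n");
    // Flag the renegotiation request on the session.
    CHECK(SSL_renegotiate(ssl) == SSL_OK);
    // On server, this results in "HelloRequest" being sent to the client.
    // Allow SSL to do this in its own time on client.
    if (!LOGCHECK(sslDoHandshake(ssl) == SSL_OK)) {
        return false;
    }
#if defined LIBRESSL_VERSION_NUMBER || OPENSSL_VERSION_NUMBER < 0x10100000L
    // NOTE(review): newer LibreSSL releases also hide the SSL struct; confirm
    // the LibreSSL half of this guard still builds against the version in use.
    if (server) {
        // Nasty hack - this pokes the library's private state machine so SSL
        // expects an immediate handshake; we get an error otherwise. See:
        // http://www.mail-archive.com/[email protected]/msg20802.html
        ssl->state = SSL_ST_ACCEPT;
        // Complete the handshake.
        // This fails if there is unread data from the client
        // This can also fail eg. if the client fails to send a certificate.
        // Should change to softer error.
        if (!LOGCHECK(sslDoHandshake(ssl) == SSL_OK)) {
            return false;
        }
    }
#endif
    return true;
}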