// Start a renegotiation and drive the handshake far enough for this side.
// Returns false when SSL_renegotiate fails (via CHECK) or when a handshake
// step fails (via LOGCHECK). `server` selects the extra server-side
// completion step needed on older libraries (see the #if below).
// NOTE(review): assumes the library only accepts renegotiation with the
// RFC 5746 secure-renegotiation extension — confirm for the OpenSSL /
// LibreSSL versions actually in use.
bool CHECK_RESULT renegotiatefull(SSL *ssl, bool server)
{
    if (debuglevel > 2) {
        fprintf(stderr, "Renegotiating\n");
    }
    // Schedule the renegotiation. On the server this queues a HelloRequest
    // for the client; the client side picks it up in its own time.
    CHECK(SSL_renegotiate(ssl) == SSL_OK);
    // Let the library send whatever the scheduling step queued.
    if (!LOGCHECK(sslDoHandshake(ssl) == SSL_OK)) {
        return false;
    }
#if defined LIBRESSL_VERSION_NUMBER || OPENSSL_VERSION_NUMBER < 0x10100000L
    // Pre-1.1.0 OpenSSL and LibreSSL only: the server must be forced back
    // into the accept state or the pending handshake is reported as an error.
    // OpenSSL 1.1.0+ no longer needs this (and no longer exposes ssl->state).
    // See http://www.mail-archive.com/[email protected]/msg20802.html
    if (!server) {
        return true;
    }
    ssl->state = SSL_ST_ACCEPT;
    // Complete the handshake. This fails if the client left unread data on
    // the connection, or e.g. did not send a certificate; the original
    // author noted this should become a softer error.
    if (!LOGCHECK(sslDoHandshake(ssl) == SSL_OK)) {
        return false;
    }
#endif
    return true;
}
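// Client side: wrap an already-connected socket in a new SSL session and
// run the blocking handshake.
// On success stores the connection in *cpp and returns 0. On failure returns
// -1; *cpp is written only once session creation has succeeded, so callers
// must rely on the return value rather than on *cpp.
// certValidator is an optional user-level certificate callback (NULL to
// skip); `keys` is passed through as its opaque argument.
int sslConnect(sslConn_t **cpp, SOCKET fd, sslKeys_t *keys, sslSessionId_t *id,
               short cipherSuite, int (*certValidator)(sslCertInfo_t *t, void *arg))
{
    sslConn_t *conn = calloc(1, sizeof *conn);
    // The allocation was previously dereferenced unchecked.
    if (conn == NULL) {
        fprintf(stderr, "error %s:%d\n", __FILE__, __LINE__);
        return -1;
    }
    conn->fd = fd;
    if (matrixSslNewSession(&conn->ssl, keys, id, 0) < 0) {
        fprintf(stderr, "error %s:%d\n", __FILE__, __LINE__);
        sslFreeConnection(&conn);
        return -1;
    }
    matrixSslSetCertValidator(conn->ssl, certValidator, keys);
    // NOTE(review): assumes sslDoHandshake releases conn when it returns
    // NULL, since nothing frees it here — confirm against its definition.
    *cpp = sslDoHandshake(conn, cipherSuite);
    if (*cpp == NULL) {
        fprintf(stderr, "error %s:%d\n", __FILE__, __LINE__);
        return -1;
    }
    return 0;
}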
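/*
 * Client side. Make a socket connection and go through the SSL handshake
 * phase in blocking mode. The last parameter is an optional function
 * callback for user-level certificate validation; NULL if not needed.
 *
 * On success stores the connection in *cpp and returns 0. On failure returns
 * -1; *cpp is written only once session creation has succeeded, so callers
 * must rely on the return value rather than on *cpp.
 */
int sslConnect(sslConn_t **cpp, SOCKET fd, sslKeys_t *keys, sslSessionId_t *id,
               short cipherSuite, int (*certValidator)(sslCertInfo_t *t, void *arg))
{
    /* Create a new SSL session for the new socket and register the user
       certificate validator. */
    sslConn_t *conn = calloc(1, sizeof *conn);
    /* The allocation was previously dereferenced unchecked. */
    if (conn == NULL) {
        return -1;
    }
    conn->fd = fd;
    if (matrixSslNewSession(&conn->ssl, keys, id, 0) < 0) {
        sslFreeConnection(&conn);
        return -1;
    }
    matrixSslSetCertValidator(conn->ssl, certValidator, NULL);
    /* NOTE(review): assumes sslDoHandshake releases conn when it returns
       NULL, since nothing frees it here -- confirm against its definition. */
    *cpp = sslDoHandshake(conn, cipherSuite);
    if (*cpp == NULL) {
        return -1;
    }
    return 0;
}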
// Initiate an asynchronous renegotiation bool CHECK_RESULT renegotiate(SSL *ssl, bool server) { if (debuglevel > 2) fprintf(stderr,"Renegotiating\n"); CHECK(SSL_renegotiate(ssl) == SSL_OK); // On server, this results in "HelloRequest" being sent to client. // Allow SSL to do this in its own time on client. if (server) { if (!LOGCHECK(sslDoHandshake(ssl) == SSL_OK)) { return false; } } return true; }
// Start a renegotiation and drive the handshake to completion on this side.
// Returns false when SSL_renegotiate fails (via CHECK) or when a handshake
// step fails (via LOGCHECK). `server` selects the server-side completion.
// NOTE(review): assumes the library only accepts renegotiation with the
// RFC 5746 secure-renegotiation extension — confirm for the library in use.
bool CHECK_RESULT renegotiatefull(SSL *ssl, bool server)
{
    if (debuglevel > 2) {
        fprintf(stderr, "Renegotiating\n");
    }
    // Schedule the renegotiation. On the server this queues a HelloRequest
    // for the client; the client side picks it up in its own time.
    CHECK(SSL_renegotiate(ssl) == SSL_OK);
    // Let the library send whatever the scheduling step queued.
    if (!LOGCHECK(sslDoHandshake(ssl) == SSL_OK)) {
        return false;
    }
    if (!server) {
        return true;
    }
    // Force the server back into the accept state so the library expects
    // an immediate handshake instead of reporting an error. See:
    // http://www.mail-archive.com/[email protected]/msg20802.html
    ssl->state = SSL_ST_ACCEPT;
    // Complete the handshake. This fails if the client left unread data on
    // the connection, or e.g. did not send a certificate; the original
    // author noted this should become a softer error.
    if (!LOGCHECK(sslDoHandshake(ssl) == SSL_OK)) {
        return false;
    }
    return true;
}