external/conscrypt: allow server-initiated renegotiations.

BoringSSL disables server-initiated renegotiations by default. However, it's unclear what the impact of this will be. On the other hand, rejecting renegotiations certainly makes things simplier. Change-Id: I0cd3f04838c0afea665a88d4f0cd0a16c1e811de

external/conscrypt: allow server-initiated renegotiations.
BoringSSL disables server-initiated renegotiations by default. However, it's unclear what the impact of this will be. On the other hand, rejecting renegotiations certainly makes things simplier. Change-Id: I0cd3f04838c0afea665a88d4f0cd0a16c1e811de
ed628f94 · Adam Langley · Kenny Root · 6e2618d6 · ed628f94 · ed628f94
Commit ed628f94 authored 9 years ago by Adam Langley Committed by Kenny Root 9 years ago
3 changed files
--- a/src/main/java/org/conscrypt/NativeCrypto.java
+++ b/src/main/java/org/conscrypt/NativeCrypto.java
@@ -1017,6 +1017,9 @@ public final class NativeCrypto {
    public static native void SSL_set_session_creation_enabled(
            long sslNativePointer, boolean creationEnabled) throws SSLException;

+    public static native void SSL_set_reject_peer_renegotiations(
+            long sslNativePointer, boolean renegotiationRejected) throws SSLException;
+
    public static native void SSL_set_tlsext_host_name(long sslNativePointer, String hostname)
            throws SSLException;
    public static native String SSL_get_servername(long sslNativePointer);

--- a/src/main/java/org/conscrypt/OpenSSLSocketImpl.java
+++ b/src/main/java/org/conscrypt/OpenSSLSocketImpl.java
@@ -293,6 +293,11 @@ public class OpenSSLSocketImpl
                        enableSessionCreation);
            }

+            // Allow servers to trigger renegotiation. Some inadvisable server
+            // configurations cause them to attempt to renegotiate during
+            // certain protocols.
+            NativeCrypto.SSL_set_reject_peer_renegotiations(sslNativePointer, false);
+
            final OpenSSLSessionImpl sessionToReuse = sslParameters.getSessionToReuse(
                    sslNativePointer, getHostname(), getPort());
            sslParameters.setSSLParameters(sslCtxNativePointer, sslNativePointer, this, this,

--- a/src/main/native/org_conscrypt_NativeCrypto.cpp
+++ b/src/main/native/org_conscrypt_NativeCrypto.cpp
@@ -8861,6 +8861,25 @@ static void NativeCrypto_SSL_set_session_creation_enabled(JNIEnv* env, jclass,
 #endif
 }

+static void NativeCrypto_SSL_set_reject_peer_renegotiations(JNIEnv* env, jclass,
+        jlong ssl_address, jboolean reject_renegotiations)
+{
+    SSL* ssl = to_SSL(env, ssl_address, true);
+    JNI_TRACE("ssl=%p NativeCrypto_SSL_set_reject_peer_renegotiations reject_renegotiations=%d",
+              ssl, reject_renegotiations);
+    if (ssl == NULL) {
+        return;
+    }
+
+#if defined(OPENSSL_IS_BORINGSSL)
+    SSL_set_reject_peer_renegotiations(ssl, reject_renegotiations);
+#else
+    (void) reject_renegotiations;
+    /* OpenSSL doesn't support this call and accepts renegotiation requests by
+     * default. */
+#endif
+}
+
 static void NativeCrypto_SSL_set_tlsext_host_name(JNIEnv* env, jclass,
        jlong ssl_address, jstring hostname)
 {
@@ -10793,6 +10812,7 @@ static JNINativeMethod sNativeCryptoMethods[] = {
    NATIVE_METHOD(NativeCrypto, SSL_set_verify, "(JI)V"),
    NATIVE_METHOD(NativeCrypto, SSL_set_session, "(JJ)V"),
    NATIVE_METHOD(NativeCrypto, SSL_set_session_creation_enabled, "(JZ)V"),
+    NATIVE_METHOD(NativeCrypto, SSL_set_reject_peer_renegotiations, "(JZ)V"),
    NATIVE_METHOD(NativeCrypto, SSL_set_tlsext_host_name, "(JLjava/lang/String;)V"),
    NATIVE_METHOD(NativeCrypto, SSL_get_servername, "(J)Ljava/lang/String;"),
    NATIVE_METHOD(NativeCrypto, SSL_do_handshake, "(J" FILE_DESCRIPTOR SSL_CALLBACKS "IZ[B[B)J"),