From f3dc2f6a1d083349c7fcc365ae4ce34563fcc4ba Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Tue, 29 Oct 2013 18:17:41 +0100
Subject: [PATCH] Add code for testing server-initiated renegotiation
---
 include/polarssl/ssl.h | 2 ++
 library/ssl_srv.c | 24 ++++++++++++++++++++++++
 library/ssl_tls.c | 3 ++-
 programs/ssl/ssl_server2.c | 32 +++++++++++++++++++++++++++++++-
 4 files changed, 59 insertions(+), 2 deletions(-)
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index e75f9d7b3..cbec35216 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -1565,6 +1565,8 @@ static inline x509_crt *ssl_own_cert( ssl_context *ssl )
 }
 #endif /* POLARSSL_X509_CRT_PARSE_C */
+int ssl_write_hello_request( ssl_context *ssl );
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 7d81fc90c..66ba58a1a 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -335,6 +335,30 @@ static int ssl_parse_ticket( ssl_context *ssl,
 }
 #endif /* POLARSSL_SSL_SESSION_TICKETS */
+/*
+ * Write HelloRequest to request renegotiation
+ */
+int ssl_write_hello_request( ssl_context *ssl )
+{
+ int ret;
+ SSL_DEBUG_MSG( 2, ( "=> write hello request" ) );
+ ssl->out_msglen = 4;
+ ssl->out_msgtype = SSL_MSG_HANDSHAKE;
+ ssl->out_msg[0] = SSL_HS_HELLO_REQUEST;
+ if( ( ret = ssl_write_record( ssl ) ) != 0 )
+ {
+ SSL_DEBUG_RET( 1, "ssl_write_record", ret );
+ return( ret );
+ }
+ SSL_DEBUG_MSG( 2, ( "<= write hello request" ) );
+ return( 0 );
+}
+
 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
 /*
 * Wrapper around f_sni, allowing use of ssl_set_own_cert() but
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index b8bc18831..e636f9d31 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
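Review bot: The new prototype `int ssl_write_hello_request( ssl_context *ssl );` carries no Doxygen comment, unlike the surrounding declarations in ssl.h, so a caller cannot learn from the header that it is a server-side call, that the handshake must already be finished, or what it returns. I would put `/** \brief Ask the peer to renegotiate by sending a HelloRequest (server side, after the handshake has completed). \param ssl SSL context \return 0 if successful, or a specific SSL error code */` above it. The declaration also sits outside any feature guard; if the definition in ssl_srv.c is only compiled with the server-side option, the prototype presumably wants the same guard, which is worth confirming.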
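Review bot: ssl_write_hello_request() is exported through ssl.h but never checks that it is called on a server context whose handshake has already completed; on a client context, or while the handshake is still in progress, it would still emit a HelloRequest record, which is a protocol violation the peer may answer with a fatal alert. A guard at the top such as `if( ssl->endpoint != SSL_IS_SERVER || ssl->state != SSL_HANDSHAKE_OVER ) return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );` keeps the public entry point from producing that output. Since renegotiation can be switched off with ssl_set_renegotiation(), the same guard should probably also refuse when `ssl->disable_renegotiation` is set, so the server does not solicit a renegotiation it will then reject when the ClientHello arrives. Only out_msg[0] is written here and bytes 1 to 3 are left for ssl_write_record() to fill from out_msglen, which deserves a one-line comment, e.g. `/* handshake length bytes are filled in by ssl_write_record() */`.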
@@ -1930,7 +1930,8 @@ int ssl_write_record( ssl_context *ssl )
 ssl->out_msg[2] = (unsigned char)( ( len - 4 ) >> 8 );
 ssl->out_msg[3] = (unsigned char)( ( len - 4 ) );
- ssl->handshake->update_checksum( ssl, ssl->out_msg, len );
+ if( ssl->out_msg[0] != SSL_HS_HELLO_REQUEST )
+ ssl->handshake->update_checksum( ssl, ssl->out_msg, len );
 }
 #if defined(POLARSSL_ZLIB_SUPPORT)
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 8e7ee0e99..890c11955 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -50,7 +50,6 @@
 #endif
 #define DFL_SERVER_PORT 4433
-#define DFL_REQUEST_PAGE "/"
 #define DFL_DEBUG_LEVEL 0
 #define DFL_CA_FILE ""
 #define DFL_CA_PATH ""
@@ -84,6 +83,9 @@ "
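Review bot: The new `if( ssl->out_msg[0] != SSL_HS_HELLO_REQUEST )` gives no reason why one handshake message is excluded from the transcript hash, and its single-statement body is unbraced, which is how a later edit turns into a misplaced-statement bug. I would brace it and add `/* HelloRequest is never part of the handshake hash (RFC 5246, 7.4.1.1); it is also the one handshake message sent after the handshake, when ssl->handshake may already have been freed */` — the second half is my reading of the handshake wrap-up and should be confirmed. ssl_write_record() starts and ends outside this hunk, and the enclosing condition that restricts this code to handshake records is not visible here, so I am assuming the new test only runs for SSL_MSG_HANDSHAKE output.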

PolarSSL Test Server

\r\n" \ "

Successful connection using: %s

\r\n" // LONG_RESPONSE
+/* Temporary, should become a runtime option later */
+// #define TEST_RENEGO
+
 /*
 * global options
 */
@@ -939,6 +941,34 @@ reset:
 buf[written] = '\0';
 printf( " %d bytes written in %d fragments\n\n%s\n", written, frags, (char *) buf );
+#ifdef TEST_RENEGO
+ /*
+ * Request renegotiation (this must be done when the client is still
+ * waiting for input from our side).
+ */
+ printf( " . Requestion renegotiation..." );
+ fflush( stdout );
+ while( ( ret = ssl_write_hello_request( &ssl ) ) != 0 )
+ {
+ if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
+ {
+ printf( " failed\n ! ssl_write_hello_request returned %d\n\n", ret );
+ goto exit;
+ }
+ }
+ if( ( ret = ssl_read( &ssl, buf, 0 ) ) != 0 )
+ {
+ if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
+ {
+ printf( " failed\n ! ssl_read returned %d\n\n", ret );
+ goto exit;
+ }
+ }
+ printf( " ok\n" );
+#endif
+
 ret = 0;
 goto reset;
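Review bot: The progress message in the TEST_RENEGO block misspells its verb in a user-facing string: `printf( " . Requestion renegotiation..." );` should read `printf( " . Requesting renegotiation..." );`. The following `ssl_read( &ssl, buf, 0 )` also needs a comment: the write above is retried on WANT_READ/WANT_WRITE but the read is not, so a WANT_READ from ssl_read() falls straight through to `printf( " ok\n" )`; if that is the intended signal that the new handshake ran, say so with something like `/* zero-length read only drives the renegotiation; WANT_READ here means it completed */`, otherwise the read wants the same retry loop as the write. With len 0 a return of 0 also cannot distinguish a completed renegotiation from application data that arrived and was left pending (assuming ssl_read copies at most len bytes, as I believe it does in this version), so " ok" may be printed without any renegotiation having taken place. The enclosing main() loop starts and ends outside this hunk.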