src/share/classes/sun/security/ssl/ServerHandshaker.java

7188658 Add possibility to disable client initiated renegotiation

*** 1,7 ****
  /*
!  * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved.
   * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   *
   * This code is free software; you can redistribute it and/or modify it
   * under the terms of the GNU General Public License version 2 only, as
   * published by the Free Software Foundation. Oracle designates this
--- 1,7 ----
  /*
!  * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved.
   * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   *
   * This code is free software; you can redistribute it and/or modify it
   * under the terms of the GNU General Public License version 2 only, as
   * published by the Free Software Foundation. Oracle designates this
*** 277,286 **** --- 277,293 ---- private void clientHello(ClientHello mesg) throws IOException { if (debug != null && Debug.isOn("handshake")) { mesg.print(System.out); } + // reject client initialized renegotiation? + if (rejectClientInitializedRenego && !isInitialHandshake && + state != HandshakeMessage.ht_hello_request) { + fatalSE(Alerts.alert_handshake_failure, + "Client initialized renegotiation is not allowed"); + } + // check the server name indication if required ServerNameExtension clientHelloSNIExt = (ServerNameExtension) mesg.extensions.get(ExtensionType.EXT_SERVER_NAME); if (!sniMatchers.isEmpty()) { // we do not reject client without SNI extension
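Review bot: The new guard at the top of clientHello() calls the concept "client initialized renegotiation" in both the comment and the alert text, while the bug title and the surrounding handshake code speak of client *initiated* renegotiation; consider `// reject client initiated renegotiation?` and `"Client initiated renegotiation is not allowed"`, and the field `rejectClientInitializedRenego` (declared outside this hunk) would read more naturally as `rejectClientInitiatedRenego`. The check relies on `state` still holding `ht_hello_request` when the server itself started the renegotiation — presumably set on the server's HelloRequest path, which is not visible here — so a one-line comment stating that a ClientHello arriving without a preceding server HelloRequest is what gets refused would make the condition self-explanatory. A short note on why a fatal handshake_failure is used here rather than the no_renegotiation warning sent by the unsafe-renegotiation path further down (which leaves the existing connection usable) would also help the next reader. clientHello() continues past the end of this hunk.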
*** 367,377 **** "indication in ClientHello, allow legacy ClientHello"); } } else if (!allowUnsafeRenegotiation) { // abort the handshake if (activeProtocolVersion.v >= ProtocolVersion.TLS10.v) { ! // response with a no_renegotiation warning, warningSE(Alerts.alert_no_renegotiation); // invalidate the handshake so that the caller can // dispose this object. invalidated = true; --- 374,384 ---- "indication in ClientHello, allow legacy ClientHello"); } } else if (!allowUnsafeRenegotiation) { // abort the handshake if (activeProtocolVersion.v >= ProtocolVersion.TLS10.v) { ! // response with a no_renegotiation warning warningSE(Alerts.alert_no_renegotiation); // invalidate the handshake so that the caller can // dispose this object. invalidated = true;