merge in mnc-release history after reset to mnc-dev
diff --git a/src/main/java/org/conscrypt/NativeCrypto.java b/src/main/java/org/conscrypt/NativeCrypto.java
index eb61ff7..264901f 100644
--- a/src/main/java/org/conscrypt/NativeCrypto.java
+++ b/src/main/java/org/conscrypt/NativeCrypto.java
@@ -1011,6 +1011,9 @@
public static native void SSL_set_session_creation_enabled(
long sslNativePointer, boolean creationEnabled) throws SSLException;
+ public static native void SSL_set_reject_peer_renegotiations(
+ long sslNativePointer, boolean renegotiationRejected) throws SSLException;
+
public static native void SSL_set_tlsext_host_name(long sslNativePointer, String hostname)
throws SSLException;
public static native String SSL_get_servername(long sslNativePointer);
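Review bot: The new native at lines 9-10 carries no Javadoc, and its semantics are not obvious from the name: the native side (in the org_conscrypt_NativeCrypto.cpp hunk of this same commit) only forwards the flag on BoringSSL builds and is a no-op otherwise, so a caller passing `true` cannot rely on renegotiation actually being rejected. A short comment above the declaration would make that visible to Java callers, e.g. `/** Controls whether peer-initiated renegotiation is rejected; only honoured on BoringSSL builds, a no-op elsewhere. */`. The declaration matches the `"(JZ)V"` registration added in the native method table.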
diff --git a/src/main/java/org/conscrypt/OpenSSLSocketImpl.java b/src/main/java/org/conscrypt/OpenSSLSocketImpl.java
index f03306a..b0ed237 100644
--- a/src/main/java/org/conscrypt/OpenSSLSocketImpl.java
+++ b/src/main/java/org/conscrypt/OpenSSLSocketImpl.java
@@ -293,6 +293,11 @@
enableSessionCreation);
}
+ // Allow servers to trigger renegotiation. Some inadvisable server
+ // configurations cause them to attempt to renegotiate during
+ // certain protocols.
+ NativeCrypto.SSL_set_reject_peer_renegotiations(sslNativePointer, false);
+
final OpenSSLSessionImpl sessionToReuse = sslParameters.getSessionToReuse(
sslNativePointer, getHostname(), getPort());
sslParameters.setSSLParameters(sslCtxNativePointer, sslNativePointer, this, this,
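Review bot: The call at line 25 hardcodes `false`, so every socket created through this path accepts server-initiated renegotiation and an application that wants the stricter behaviour has no way to keep it; since the value is fixed at connect time next to `enableSessionCreation`, it would be natural to source it from `sslParameters` like the other per-socket settings instead of a literal. The comment at lines 22-24 explains the compatibility motive but not that this is a deliberate relaxation, which a future reader may otherwise mistake for the default; something like `// Compatibility trade-off: accept server-initiated renegotiation rather than failing the connection; make this configurable if callers need to opt out.` would capture that. Whether the setting is a relaxation of the library default is inferred from the cpp hunk, where BoringSSL is given the flag explicitly and OpenSSL is described as accepting renegotiation anyway. The enclosing method starts and ends outside this hunk.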
diff --git a/src/main/native/org_conscrypt_NativeCrypto.cpp b/src/main/native/org_conscrypt_NativeCrypto.cpp
index 486297d..6c68750 100644
--- a/src/main/native/org_conscrypt_NativeCrypto.cpp
+++ b/src/main/native/org_conscrypt_NativeCrypto.cpp
@@ -8895,6 +8895,25 @@
#endif
}
+static void NativeCrypto_SSL_set_reject_peer_renegotiations(JNIEnv* env, jclass,
+ jlong ssl_address, jboolean reject_renegotiations)
+{
+ SSL* ssl = to_SSL(env, ssl_address, true);
+ JNI_TRACE("ssl=%p NativeCrypto_SSL_set_reject_peer_renegotiations reject_renegotiations=%d",
+ ssl, reject_renegotiations);
+ if (ssl == NULL) {
+ return;
+ }
+
+#if defined(OPENSSL_IS_BORINGSSL)
+ SSL_set_reject_peer_renegotiations(ssl, reject_renegotiations);
+#else
+ (void) reject_renegotiations;
+ /* OpenSSL doesn't support this call and accepts renegotiation requests by
+ * default. */
+#endif
+}
+
static void NativeCrypto_SSL_set_tlsext_host_name(JNIEnv* env, jclass,
jlong ssl_address, jstring hostname)
{
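Review bot: On the non-BoringSSL branch at lines 49-53 a request with `reject_renegotiations` set is dropped silently — the socket keeps accepting renegotiation and the Java caller gets neither an exception nor a trace line, even though the Java declaration promises `throws SSLException`. The only caller in this commit passes `false`, so nothing is wrong today, but the silent drop is fragile; at minimum the branch should record it, e.g. `JNI_TRACE("ssl=%p NativeCrypto_SSL_set_reject_peer_renegotiations not supported by OpenSSL, request ignored", ssl);`, or the Java-side documentation should state the no-op. The trace at lines 41-42 runs before the null check, which matches the neighbouring functions' style and is fine since it only prints the pointer.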
@@ -10825,6 +10844,7 @@
NATIVE_METHOD(NativeCrypto, SSL_set_verify, "(JI)V"),
NATIVE_METHOD(NativeCrypto, SSL_set_session, "(JJ)V"),
NATIVE_METHOD(NativeCrypto, SSL_set_session_creation_enabled, "(JZ)V"),
+ NATIVE_METHOD(NativeCrypto, SSL_set_reject_peer_renegotiations, "(JZ)V"),
NATIVE_METHOD(NativeCrypto, SSL_set_tlsext_host_name, "(JLjava/lang/String;)V"),
NATIVE_METHOD(NativeCrypto, SSL_get_servername, "(J)Ljava/lang/String;"),
NATIVE_METHOD(NativeCrypto, SSL_do_handshake, "(J" FILE_DESCRIPTOR SSL_CALLBACKS "IZ[B[B)J"),