feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Additional checks for secure renegotiation

Browse Source
This commit is contained in:
Juliusz Sosinowicz
2022-09-09 12:36:16 +02:00
parent f7c31dbf64
commit 0a1332c4df
1 changed files with 10 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
src/ssl.c
View File

@ -3168,6 +3168,11 @@ static int _Rehandshake(WOLFSSL* ssl)
if (ssl == NULL) if (ssl == NULL)
return BAD_FUNC_ARG; return BAD_FUNC_ARG;
if (IsAtLeastTLSv1_3(ssl->version)) {
WOLFSSL_MSG("Secure Renegotiation not supported in TLS 1.3");
return SECURE_RENEGOTIATION_E;
}
if (ssl->secure_renegotiation == NULL) { if (ssl->secure_renegotiation == NULL) {
WOLFSSL_MSG("Secure Renegotiation not forced on by user"); WOLFSSL_MSG("Secure Renegotiation not forced on by user");
return SECURE_RENEGOTIATION_E; return SECURE_RENEGOTIATION_E;
@ -3178,6 +3183,11 @@ static int _Rehandshake(WOLFSSL* ssl)
return SECURE_RENEGOTIATION_E; return SECURE_RENEGOTIATION_E;
} }
if (ssl->keys.dtls_epoch == 0xFFFF) {
WOLFSSL_MSG("Secure Renegotiation not allowed. Epoch would wrap");
return SECURE_RENEGOTIATION_E;
}
/* If the client started the renegotiation, the server will already /* If the client started the renegotiation, the server will already
* have processed the client's hello. */ * have processed the client's hello. */
if (ssl->options.side != WOLFSSL_SERVER_END || if (ssl->options.side != WOLFSSL_SERVER_END ||