1. Remove the clearing of the sessionID from Rehandshake.

2. Put SecureResume in terms of a regular resume, using Get/SetSession
and then calling Rehandshake.
3. Add the startScr after checking secure_renegotiation enabled during a
resume.

src/internal.c

@@ -23898,6 +23898,14 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
             ret = HandleTlsResumption(ssl, bogusID, &clSuites);
             if (ret != 0)
                 return ret;
+
+            #ifdef HAVE_SECURE_RENEGOTIATION
+            if (ssl->secure_renegotiation &&
+                    ssl->secure_renegotiation->enabled &&
+                    IsEncryptionOn(ssl, 0))
+                ssl->secure_renegotiation->startScr = 1;
+            #endif
+
             if (ssl->options.clientState == CLIENT_KEYEXCHANGE_COMPLETE) {
                 WOLFSSL_LEAVE("DoClientHello", ret);
                 WOLFSSL_END(WC_FUNC_CLIENT_HELLO_DO);

src/ssl.c

@@ -2347,7 +2347,7 @@ int wolfSSL_UseSecureRenegotiation(WOLFSSL* ssl)
 
 
 /* do a secure renegotiation handshake, user forced, we discourage */
-int wolfSSL_StartSecureRenegotiation(WOLFSSL* ssl, int resume)
+int wolfSSL_Rehandshake(WOLFSSL* ssl)
 {
     int ret;
 
@@ -2364,9 +2364,6 @@ int wolfSSL_StartSecureRenegotiation(WOLFSSL* ssl, int resume)
         return SECURE_RENEGOTIATION_E;
     }
 
-    if (!resume)
-        ssl->options.resuming = 0;
-
     /* If the client started the renegotiation, the server will already
      * have processed the client's hello. */
     if (ssl->options.side != WOLFSSL_SERVER_END ||
@@ -2386,12 +2383,8 @@ int wolfSSL_StartSecureRenegotiation(WOLFSSL* ssl, int resume)
         }
 #endif
 
-        if (!resume) {
-            XMEMSET(ssl->session.sessionID, 0, sizeof(ssl->session.sessionID));
-            ssl->session.sessionIDSz = 0;
-        }
-
         /* reset handshake states */
+        ssl->options.sendVerify = 0;
         ssl->options.serverState = NULL_STATE;
         ssl->options.clientState = NULL_STATE;
         ssl->options.connectState  = CONNECT_BEGIN;
@@ -2406,29 +2399,39 @@ int wolfSSL_StartSecureRenegotiation(WOLFSSL* ssl, int resume)
 #if !defined(NO_WOLFSSL_SERVER) && defined(HAVE_SERVER_RENEGOTIATION_INFO)
         if (ssl->options.side == WOLFSSL_SERVER_END) {
             ret = SendHelloRequest(ssl);
-            if (ret != 0)
+            if (ret != 0) {
-                return ret;
+                ssl->error = ret;
+                return WOLFSSL_FATAL_ERROR;
+            }
         }
 #endif /* NO_WOLFSSL_SERVER && HAVE_SERVER_RENEGOTIATION_INFO */
 
         ret = InitHandshakeHashes(ssl);
-        if (ret !=0)
+        if (ret != 0) {
-            return ret;
+            ssl->error = ret;
+            return WOLFSSL_FATAL_ERROR;
+        }
     }
     ret = wolfSSL_negotiate(ssl);
     return ret;
 }
 
 
-int wolfSSL_Rehandshake(WOLFSSL* ssl) {
+/* do a secure resumption handshake, user forced, we discourage */
-    WOLFSSL_ENTER("wolfSSL_Rehandshake()");
+int wolfSSL_SecureResume(WOLFSSL* ssl)
-    return wolfSSL_StartSecureRenegotiation(ssl, 0);
+{
-}
+    WOLFSSL_SESSION* session;
+    int ret;
 
-
-int wolfSSL_SecureResume(WOLFSSL* ssl) {
     WOLFSSL_ENTER("wolfSSL_SecureResume()");
-    return wolfSSL_StartSecureRenegotiation(ssl, 1);
+
+    session = wolfSSL_get_session(ssl);
+    ret = wolfSSL_set_session(ssl, session);
+    session = NULL;
+    if (ret == WOLFSSL_SUCCESS)
+        ret = wolfSSL_Rehandshake(ssl);
+
+    return ret;
 }
 
 #endif /* HAVE_SECURE_RENEGOTIATION */