Merge pull request #2104 from ejohnstown/renegotiation-testing

Secure Renegotiation
2019-03-11 12:10:48 -07:00
parent b3a1d6bff1 020b27bab2
commit 6e1b05316d
7 changed files with 168 additions and 28 deletions
--- a/examples/client/client.c
+++ b/examples/client/client.c
@@ -984,6 +984,11 @@ static const char* client_usage_msg[][59] = {
 #endif
        "-1 <num>    Display a result by specified language.\n"
                               "            0: English, 1: Japanese\n", /* 58 */
+#if !defined(NO_DH) && !defined(HAVE_FIPS) && \
+    !defined(HAVE_SELFTEST) && !defined(WOLFSSL_OLD_PRIME_CHECK)
+        "-2          Disable DH Prime check\n",                         /* 59 */
+#endif
+        "-4          Use resumption for renegotiation\n",               /* 60 */
        NULL,
    },
 #ifndef NO_MULTIBYTE_PRINT
@@ -1135,6 +1140,13 @@ static const char* client_usage_msg[][59] = {
 #endif
        "-1 <num>    指定された言語で結果を表示します。\n"
                                   "            0: 英語、 1: 日本語\n", /* 58 */
+#if !defined(NO_DH) && !defined(HAVE_FIPS) && \
+    !defined(HAVE_SELFTEST) && !defined(WOLFSSL_OLD_PRIME_CHECK)
+        "-2          DHプライム番号チェックを無効にする\n",             /* 59 */
+#endif
+#ifdef HAVE_SECURE_RENEGOTIATION
+        "-4          再交渉に再開を使用\n",                             /* 60 */
+#endif
        NULL,
    },
 #endif
@@ -1276,14 +1288,17 @@ static void Usage(void)
 #ifdef WOLFSSL_EARLY_DATA
    printf("%s", msg[++msgid]); /* -0 */
 #endif
-#if !defined(NO_DH) && !defined(HAVE_FIPS) && \
-    !defined(HAVE_SELFTEST) && !defined(WOLFSSL_OLD_PRIME_CHECK)
-    printf("-2          Disable DH Prime check\n");
-#endif
 #ifdef WOLFSSL_MULTICAST
    printf("%s", msg[++msgid]); /* -3 */
 #endif
    printf("%s", msg[++msgid]);  /* -1 */
+#if !defined(NO_DH) && !defined(HAVE_FIPS) && \
+    !defined(HAVE_SELFTEST) && !defined(WOLFSSL_OLD_PRIME_CHECK)
+    printf("%s", msg[++msgid]);  /* -2 */
+#endif
+#ifdef HAVE_SECURE_RENEGOTIATION
+    printf("%s", msg[++msgid]);  /* -4 */
+#endif
 }

 THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
@@ -1338,6 +1353,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
    int    err           = 0;
    int    scr           = 0;    /* allow secure renegotiation */
    int    forceScr      = 0;    /* force client initiaed scr */
+    int    resumeScr     = 0;    /* use resumption for renegotiation */
 #ifndef WOLFSSL_NO_CLIENT_AUTH
    int    useClientCert = 1;
 #else
@@ -1451,6 +1467,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
    (void)atomicUser;
    (void)scr;
    (void)forceScr;
+    (void)resumeScr;
    (void)ourKey;
    (void)ourCert;
    (void)verifyCert;
@@ -1475,7 +1492,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
    while ((ch = mygetopt(argc, argv, "?:"
            "ab:c:defgh:ijk:l:mnop:q:rstuv:wxyz"
            "A:B:CDE:F:GH:IJKL:M:NO:PQRS:TUVW:XYZ:"
-            "01:23:")) != -1) {
+            "01:23:4")) != -1) {
        switch (ch) {
            case '?' :
                if(myoptarg!=NULL) {
@@ -1889,6 +1906,14 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
                #endif
                break;

+            case '4' :
+                #ifdef HAVE_SECURE_RENEGOTIATION
+                    scr       = 1;
+                    forceScr  = 1;
+                    resumeScr = 1;
+                #endif
+                break;
+
            default:
                Usage();
                XEXIT_T(MY_EX_USAGE);
@@ -2829,18 +2854,35 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
    if (scr && forceScr) {
        if (nonBlocking) {
            printf("not doing secure renegotiation on example with"
-                   " nonblocking yet");
+                   " nonblocking yet\n");
        } else {
-            if (wolfSSL_Rehandshake(ssl) != WOLFSSL_SUCCESS) {
-                err = wolfSSL_get_error(ssl, 0);
-                printf("err = %d, %s\n", err,
-                                wolfSSL_ERR_error_string(err, buffer));
-                wolfSSL_free(ssl); ssl = NULL;
-                wolfSSL_CTX_free(ctx); ctx = NULL;
-                err_sys("wolfSSL_Rehandshake failed");
+            if (!resumeScr) {
+                printf("Beginning secure rengotiation.\n");
+                if (wolfSSL_Rehandshake(ssl) != WOLFSSL_SUCCESS) {
+                    err = wolfSSL_get_error(ssl, 0);
+                    printf("err = %d, %s\n", err,
+                                    wolfSSL_ERR_error_string(err, buffer));
+                    wolfSSL_free(ssl); ssl = NULL;
+                    wolfSSL_CTX_free(ctx); ctx = NULL;
+                    err_sys("wolfSSL_Rehandshake failed");
+                }
+                else {
+                    printf("RENEGOTIATION SUCCESSFUL\n");
+                }
            }
            else {
-                printf("RENEGOTIATION SUCCESSFUL\n");
+                printf("Beginning secure resumption.\n");
+                if (wolfSSL_SecureResume(ssl) != WOLFSSL_SUCCESS) {
+                    err = wolfSSL_get_error(ssl, 0);
+                    printf("err = %d, %s\n", err,
+                                    wolfSSL_ERR_error_string(err, buffer));
+                    wolfSSL_free(ssl); ssl = NULL;
+                    wolfSSL_CTX_free(ctx); ctx = NULL;
+                    err_sys("wolfSSL_SecureResume failed");
+                }
+                else {
+                    printf("SECURE RESUMPTION SUCCESSFUL\n");
+                }
            }
        }
    }