From 7389553bd6505cbe3c7760ed3277e32baa00ddca Mon Sep 17 00:00:00 2001
From: John Safranek
Date: Wed, 20 Feb 2019 11:45:21 -0800
Subject: [PATCH] 1. For secure renegotiation, remove the check of the peer certificate's subject ID on renegotiation. Both endpoints are already cryptographically linked on an encrypted channel. 2. The error code list has gaps where deprecated codes were deleted, remove the redundant gaps where there aren't missing codes.
---
 src/internal.c | 27 ---------------------------
 wolfssl/error-ssl.h | 6 +-----
 wolfssl/internal.h | 1 -
 3 files changed, 1 insertion(+), 33 deletions(-)
diff --git a/src/internal.c b/src/internal.c
index 56c3b8423..4b219fcc5 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -9562,30 +9562,6 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 #endif
 }
 }
-
- #ifdef HAVE_SECURE_RENEGOTIATION
- if (args->fatal == 0 && ssl->secure_renegotiation
- && ssl->secure_renegotiation->enabled) {
-
- if (IsEncryptionOn(ssl, 0)) {
- /* compare against previous time */
- if (XMEMCMP(args->dCert->subjectHash,
- ssl->secure_renegotiation->subject_hash,
- KEYID_SIZE) != 0) {
- WOLFSSL_MSG(
- "Peer sent different cert during scr, fatal");
- args->fatal = 1;
- ret = SCR_DIFFERENT_CERT_E;
- }
- }
-
- /* cache peer's hash */
- if (args->fatal == 0) {
- XMEMCPY(ssl->secure_renegotiation->subject_hash,
- args->dCert->subjectHash, KEYID_SIZE);
- }
- }
- #endif /* HAVE_SECURE_RENEGOTIATION */
 } /* if (count > 0) */
 /* Check for error */
@@ -15757,9 +15733,6 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e)
 case SESSION_TICKET_EXPECT_E:
 return "Session Ticket Error";
- case SCR_DIFFERENT_CERT_E:
- return "Peer sent different cert during SCR";
-
 case SESSION_SECRET_CB_E:
 return "Session Secret Callback Error";
diff --git a/wolfssl/error-ssl.h b/wolfssl/error-ssl.h
index 827ae0272..3f0ae944d 100644
--- a/wolfssl/error-ssl.h
+++ b/wolfssl/error-ssl.h
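Review bot: With the removed block in ProcessPeerCerts gone, nothing on this path ties the certificate presented during a secure renegotiation to the one accepted on the initial handshake, so the authenticated peer identity can change mid-connection. The renegotiation_info binding links the two handshakes, but on its own it does not establish that the same party holds both certificates unless the extended master secret (session hash) is also negotiated, and whether that is enforced is not visible in this hunk. An application that makes its authorization decision once from the peer certificate after the first handshake would not notice the change. I would keep the comparison available behind a build-time opt-out instead of deleting it, or at minimum leave a comment at this spot such as `/* peer cert is not compared across secure renegotiation; callers must re-check peer identity after a rehandshake */`. The function body starts and continues outside the hunk.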
@@ -119,30 +119,26 @@ enum wolfSSL_ErrorCodes {
 SECURE_RENEGOTIATION_E = -388, /* Invalid Renegotiation Info */
 SESSION_TICKET_LEN_E = -389, /* Session Ticket too large */
 SESSION_TICKET_EXPECT_E = -390, /* Session Ticket missing */
- SCR_DIFFERENT_CERT_E = -391, /* SCR Different cert error */
+
 SESSION_SECRET_CB_E = -392, /* Session secret Cb fcn failure */
 NO_CHANGE_CIPHER_E = -393, /* Finished before change cipher */
 SANITY_MSG_E = -394, /* Sanity check on msg order error */
 DUPLICATE_MSG_E = -395, /* Duplicate message error */
 SNI_UNSUPPORTED = -396, /* SSL 3.0 does not support SNI */
 SOCKET_PEER_CLOSED_E = -397, /* Underlying transport closed */
-
 BAD_TICKET_KEY_CB_SZ = -398, /* Bad session ticket key cb size */
 BAD_TICKET_MSG_SZ = -399, /* Bad session ticket msg size */
 BAD_TICKET_ENCRYPT = -400, /* Bad user ticket encrypt */
-
 DH_KEY_SIZE_E = -401, /* DH Key too small */
 SNI_ABSENT_ERROR = -402, /* No SNI request. */
 RSA_SIGN_FAULT = -403, /* RSA Sign fault */
 HANDSHAKE_SIZE_ERROR = -404, /* Handshake message too large */
-
 UNKNOWN_ALPN_PROTOCOL_NAME_E = -405, /* Unrecognized protocol name Error*/
 BAD_CERTIFICATE_STATUS_ERROR = -406, /* Bad certificate status message */
 OCSP_INVALID_STATUS = -407, /* Invalid OCSP Status */
 OCSP_WANT_READ = -408, /* OCSP callback response WOLFSSL_CBIO_ERR_WANT_READ */
 RSA_KEY_SIZE_E = -409, /* RSA key too small */
 ECC_KEY_SIZE_E = -410, /* ECC key too small */
-
 DTLS_EXPORT_VER_E = -411, /* export version error */
 INPUT_SIZE_E = -412, /* input size too big error */
 CTX_INIT_MUTEX_E = -413, /* initialize ctx mutex error */
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index 5d7e94df5..fd82aa107 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -2286,7 +2286,6 @@ typedef struct SecureRenegotiation {
 enum key_cache_state cache_status; /* track key cache state */
 byte client_verify_data[TLS_FINISHED_SZ]; /* cached */
 byte server_verify_data[TLS_FINISHED_SZ]; /* cached */
- byte subject_hash[KEYID_SIZE]; /* peer cert hash */
 Keys tmp_keys; /* can't overwrite real keys yet */
 } SecureRenegotiation;