feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

1. For secure renegotiation, remove the check of the peer certificate's

Browse Source 
subject ID on renegotiation. Both endpoints are already
cryptographically linked on an encrypted channel.
2. The error code list has gaps where deprecated codes were deleted,
remove the redundant gaps where there aren't missing codes.
This commit is contained in:
John Safranek
2019-02-20 11:45:21 -08:00
parent a376e17aee
commit 7389553bd6
3 changed files with 1 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
src/internal.c
View File

@@ -9562,30 +9562,6 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
#endif #endif
} }
} }
#ifdef HAVE_SECURE_RENEGOTIATION
if (args->fatal == 0 && ssl->secure_renegotiation
&& ssl->secure_renegotiation->enabled) {
if (IsEncryptionOn(ssl, 0)) {
/* compare against previous time */
if (XMEMCMP(args->dCert->subjectHash,
ssl->secure_renegotiation->subject_hash,
KEYID_SIZE) != 0) {
WOLFSSL_MSG(
"Peer sent different cert during scr, fatal");
args->fatal = 1;
ret = SCR_DIFFERENT_CERT_E;
}
}
/* cache peer's hash */
if (args->fatal == 0) {
XMEMCPY(ssl->secure_renegotiation->subject_hash,
args->dCert->subjectHash, KEYID_SIZE);
}
}
#endif /* HAVE_SECURE_RENEGOTIATION */
} /* if (count > 0) */ } /* if (count > 0) */
/* Check for error */ /* Check for error */
@@ -15757,9 +15733,6 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e)
case SESSION_TICKET_EXPECT_E: case SESSION_TICKET_EXPECT_E:
return "Session Ticket Error"; return "Session Ticket Error";
case SCR_DIFFERENT_CERT_E:
return "Peer sent different cert during SCR";
case SESSION_SECRET_CB_E: case SESSION_SECRET_CB_E:
return "Session Secret Callback Error"; return "Session Secret Callback Error";

6
wolfssl/error-ssl.h
View File

@@ -119,30 +119,26 @@ enum wolfSSL_ErrorCodes {
SECURE_RENEGOTIATION_E = -388, /* Invalid Renegotiation Info */ SECURE_RENEGOTIATION_E = -388, /* Invalid Renegotiation Info */
SESSION_TICKET_LEN_E = -389, /* Session Ticket too large */ SESSION_TICKET_LEN_E = -389, /* Session Ticket too large */
SESSION_TICKET_EXPECT_E = -390, /* Session Ticket missing */ SESSION_TICKET_EXPECT_E = -390, /* Session Ticket missing */
SCR_DIFFERENT_CERT_E = -391, /* SCR Different cert error */
SESSION_SECRET_CB_E = -392, /* Session secret Cb fcn failure */ SESSION_SECRET_CB_E = -392, /* Session secret Cb fcn failure */
NO_CHANGE_CIPHER_E = -393, /* Finished before change cipher */ NO_CHANGE_CIPHER_E = -393, /* Finished before change cipher */
SANITY_MSG_E = -394, /* Sanity check on msg order error */ SANITY_MSG_E = -394, /* Sanity check on msg order error */
DUPLICATE_MSG_E = -395, /* Duplicate message error */ DUPLICATE_MSG_E = -395, /* Duplicate message error */
SNI_UNSUPPORTED = -396, /* SSL 3.0 does not support SNI */ SNI_UNSUPPORTED = -396, /* SSL 3.0 does not support SNI */
SOCKET_PEER_CLOSED_E = -397, /* Underlying transport closed */ SOCKET_PEER_CLOSED_E = -397, /* Underlying transport closed */
BAD_TICKET_KEY_CB_SZ = -398, /* Bad session ticket key cb size */ BAD_TICKET_KEY_CB_SZ = -398, /* Bad session ticket key cb size */
BAD_TICKET_MSG_SZ = -399, /* Bad session ticket msg size */ BAD_TICKET_MSG_SZ = -399, /* Bad session ticket msg size */
BAD_TICKET_ENCRYPT = -400, /* Bad user ticket encrypt */ BAD_TICKET_ENCRYPT = -400, /* Bad user ticket encrypt */
DH_KEY_SIZE_E = -401, /* DH Key too small */ DH_KEY_SIZE_E = -401, /* DH Key too small */
SNI_ABSENT_ERROR = -402, /* No SNI request. */ SNI_ABSENT_ERROR = -402, /* No SNI request. */
RSA_SIGN_FAULT = -403, /* RSA Sign fault */ RSA_SIGN_FAULT = -403, /* RSA Sign fault */
HANDSHAKE_SIZE_ERROR = -404, /* Handshake message too large */ HANDSHAKE_SIZE_ERROR = -404, /* Handshake message too large */
UNKNOWN_ALPN_PROTOCOL_NAME_E = -405, /* Unrecognized protocol name Error*/ UNKNOWN_ALPN_PROTOCOL_NAME_E = -405, /* Unrecognized protocol name Error*/
BAD_CERTIFICATE_STATUS_ERROR = -406, /* Bad certificate status message */ BAD_CERTIFICATE_STATUS_ERROR = -406, /* Bad certificate status message */
OCSP_INVALID_STATUS = -407, /* Invalid OCSP Status */ OCSP_INVALID_STATUS = -407, /* Invalid OCSP Status */
OCSP_WANT_READ = -408, /* OCSP callback response WOLFSSL_CBIO_ERR_WANT_READ */ OCSP_WANT_READ = -408, /* OCSP callback response WOLFSSL_CBIO_ERR_WANT_READ */
RSA_KEY_SIZE_E = -409, /* RSA key too small */ RSA_KEY_SIZE_E = -409, /* RSA key too small */
ECC_KEY_SIZE_E = -410, /* ECC key too small */ ECC_KEY_SIZE_E = -410, /* ECC key too small */
DTLS_EXPORT_VER_E = -411, /* export version error */ DTLS_EXPORT_VER_E = -411, /* export version error */
INPUT_SIZE_E = -412, /* input size too big error */ INPUT_SIZE_E = -412, /* input size too big error */
CTX_INIT_MUTEX_E = -413, /* initialize ctx mutex error */ CTX_INIT_MUTEX_E = -413, /* initialize ctx mutex error */

1
wolfssl/internal.h
View File

@@ -2286,7 +2286,6 @@ typedef struct SecureRenegotiation {
enum key_cache_state cache_status; /* track key cache state */ enum key_cache_state cache_status; /* track key cache state */
byte client_verify_data[TLS_FINISHED_SZ]; /* cached */ byte client_verify_data[TLS_FINISHED_SZ]; /* cached */
byte server_verify_data[TLS_FINISHED_SZ]; /* cached */ byte server_verify_data[TLS_FINISHED_SZ]; /* cached */
byte subject_hash[KEYID_SIZE]; /* peer cert hash */
Keys tmp_keys; /* can't overwrite real keys yet */ Keys tmp_keys; /* can't overwrite real keys yet */
} SecureRenegotiation; } SecureRenegotiation;