forked from wolfSSL/wolfssl
1. For secure renegotiation, remove the check of the peer certificate's
subject ID on renegotiation. Both endpoints are already cryptographically linked on an encrypted channel. 2. The error code list has gaps where deprecated codes were deleted, remove the redundant gaps where there aren't missing codes.
This commit is contained in:
John Safranek
@@ -9562,30 +9562,6 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
||||
#endif
|
||||
}
|
||||
}
|
||||
|
||||
#ifdef HAVE_SECURE_RENEGOTIATION
|
||||
if (args->fatal == 0 && ssl->secure_renegotiation
|
||||
&& ssl->secure_renegotiation->enabled) {
|
||||
|
||||
if (IsEncryptionOn(ssl, 0)) {
|
||||
/* compare against previous time */
|
||||
if (XMEMCMP(args->dCert->subjectHash,
|
||||
ssl->secure_renegotiation->subject_hash,
|
||||
KEYID_SIZE) != 0) {
|
||||
WOLFSSL_MSG(
|
||||
"Peer sent different cert during scr, fatal");
|
||||
args->fatal = 1;
|
||||
ret = SCR_DIFFERENT_CERT_E;
|
||||
}
|
||||
}
|
||||
|
||||
/* cache peer's hash */
|
||||
if (args->fatal == 0) {
|
||||
XMEMCPY(ssl->secure_renegotiation->subject_hash,
|
||||
args->dCert->subjectHash, KEYID_SIZE);
|
||||
}
|
||||
}
|
||||
#endif /* HAVE_SECURE_RENEGOTIATION */
|
||||
} /* if (count > 0) */
|
||||
|
||||
/* Check for error */
|
||||
@@ -15757,9 +15733,6 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e)
|
||||
case SESSION_TICKET_EXPECT_E:
|
||||
return "Session Ticket Error";
|
||||
|
||||
case SCR_DIFFERENT_CERT_E:
|
||||
return "Peer sent different cert during SCR";
|
||||
|
||||
case SESSION_SECRET_CB_E:
|
||||
return "Session Secret Callback Error";
|
||||
|
||||
|
||||
@@ -119,30 +119,26 @@ enum wolfSSL_ErrorCodes {
|
||||
SECURE_RENEGOTIATION_E = -388, /* Invalid Renegotiation Info */
|
||||
SESSION_TICKET_LEN_E = -389, /* Session Ticket too large */
|
||||
SESSION_TICKET_EXPECT_E = -390, /* Session Ticket missing */
|
||||
SCR_DIFFERENT_CERT_E = -391, /* SCR Different cert error */
|
||||
|
||||
SESSION_SECRET_CB_E = -392, /* Session secret Cb fcn failure */
|
||||
NO_CHANGE_CIPHER_E = -393, /* Finished before change cipher */
|
||||
SANITY_MSG_E = -394, /* Sanity check on msg order error */
|
||||
DUPLICATE_MSG_E = -395, /* Duplicate message error */
|
||||
SNI_UNSUPPORTED = -396, /* SSL 3.0 does not support SNI */
|
||||
SOCKET_PEER_CLOSED_E = -397, /* Underlying transport closed */
|
||||
|
||||
BAD_TICKET_KEY_CB_SZ = -398, /* Bad session ticket key cb size */
|
||||
BAD_TICKET_MSG_SZ = -399, /* Bad session ticket msg size */
|
||||
BAD_TICKET_ENCRYPT = -400, /* Bad user ticket encrypt */
|
||||
|
||||
DH_KEY_SIZE_E = -401, /* DH Key too small */
|
||||
SNI_ABSENT_ERROR = -402, /* No SNI request. */
|
||||
RSA_SIGN_FAULT = -403, /* RSA Sign fault */
|
||||
HANDSHAKE_SIZE_ERROR = -404, /* Handshake message too large */
|
||||
|
||||
UNKNOWN_ALPN_PROTOCOL_NAME_E = -405, /* Unrecognized protocol name Error*/
|
||||
BAD_CERTIFICATE_STATUS_ERROR = -406, /* Bad certificate status message */
|
||||
OCSP_INVALID_STATUS = -407, /* Invalid OCSP Status */
|
||||
OCSP_WANT_READ = -408, /* OCSP callback response WOLFSSL_CBIO_ERR_WANT_READ */
|
||||
RSA_KEY_SIZE_E = -409, /* RSA key too small */
|
||||
ECC_KEY_SIZE_E = -410, /* ECC key too small */
|
||||
|
||||
DTLS_EXPORT_VER_E = -411, /* export version error */
|
||||
INPUT_SIZE_E = -412, /* input size too big error */
|
||||
CTX_INIT_MUTEX_E = -413, /* initialize ctx mutex error */
|
||||
|
||||
@@ -2286,7 +2286,6 @@ typedef struct SecureRenegotiation {
|
||||
enum key_cache_state cache_status; /* track key cache state */
|
||||
byte client_verify_data[TLS_FINISHED_SZ]; /* cached */
|
||||
byte server_verify_data[TLS_FINISHED_SZ]; /* cached */
|
||||
byte subject_hash[KEYID_SIZE]; /* peer cert hash */
|
||||
Keys tmp_keys; /* can't overwrite real keys yet */
|
||||
} SecureRenegotiation;
|
||||
|
||||
|
||||
Reference in New Issue
Block a user