Server Side Secure Renegotiation

1. Fix an incorrect function entry log string.
2. Restart the server's accept state assuming the client hello was
received when the client initiates renegotiation.
This commit is contained in:
John Safranek
2018-11-20 14:57:29 -08:00
parent d168d60ade
commit 175c91ab4e
2 changed files with 34 additions and 29 deletions
+2 -2
View File
@@ -10273,7 +10273,7 @@ static int DoHelloRequest(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
(void)input;
WOLFSSL_START(WC_FUNC_HELLO_REQUEST_DO);
WOLFSSL_ENTER("DoFinished");
WOLFSSL_ENTER("DoHelloRequest");
if (size) /* must be 0 */
return BUFFER_ERROR;
@@ -10722,7 +10722,7 @@ static int DoHandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx,
ssl->options.serverState = NULL_STATE;
ssl->options.clientState = NULL_STATE;
ssl->options.connectState = CONNECT_BEGIN;
ssl->options.acceptState = ACCEPT_BEGIN;
ssl->options.acceptState = ACCEPT_FIRST_REPLY_DONE;
ssl->options.handShakeState = NULL_STATE;
ssl->secure_renegotiation->cache_status = SCR_CACHE_NEEDED;
+32 -27
View File
@@ -2364,42 +2364,47 @@ int wolfSSL_Rehandshake(WOLFSSL* ssl)
return SECURE_RENEGOTIATION_E;
}
if (ssl->options.handShakeState != HANDSHAKE_DONE) {
WOLFSSL_MSG("Can't renegotiate until previous handshake complete");
return SECURE_RENEGOTIATION_E;
}
/* If the client started the renegotiation, the server will already
* have processed the client's hello. */
if (ssl->options.side != WOLFSSL_SERVER_END ||
ssl->options.acceptState != ACCEPT_FIRST_REPLY_DONE) {
if (ssl->options.handShakeState != HANDSHAKE_DONE) {
WOLFSSL_MSG("Can't renegotiate until previous handshake complete");
return SECURE_RENEGOTIATION_E;
}
#ifndef NO_FORCE_SCR_SAME_SUITE
/* force same suite */
if (ssl->suites) {
ssl->suites->suiteSz = SUITE_LEN;
ssl->suites->suites[0] = ssl->options.cipherSuite0;
ssl->suites->suites[1] = ssl->options.cipherSuite;
}
/* force same suite */
if (ssl->suites) {
ssl->suites->suiteSz = SUITE_LEN;
ssl->suites->suites[0] = ssl->options.cipherSuite0;
ssl->suites->suites[1] = ssl->options.cipherSuite;
}
#endif
/* reset handshake states */
ssl->options.serverState = NULL_STATE;
ssl->options.clientState = NULL_STATE;
ssl->options.connectState = CONNECT_BEGIN;
ssl->options.acceptState = ACCEPT_BEGIN;
ssl->options.handShakeState = NULL_STATE;
ssl->options.processReply = 0; /* TODO, move states in internal.h */
/* reset handshake states */
ssl->options.serverState = NULL_STATE;
ssl->options.clientState = NULL_STATE;
ssl->options.connectState = CONNECT_BEGIN;
ssl->options.acceptState = ACCEPT_BEGIN;
ssl->options.handShakeState = NULL_STATE;
ssl->options.processReply = 0; /* TODO, move states in internal.h */
XMEMSET(&ssl->msgsReceived, 0, sizeof(ssl->msgsReceived));
XMEMSET(&ssl->msgsReceived, 0, sizeof(ssl->msgsReceived));
ssl->secure_renegotiation->cache_status = SCR_CACHE_NEEDED;
ssl->secure_renegotiation->cache_status = SCR_CACHE_NEEDED;
if (ssl->options.side == WOLFSSL_SERVER_END) {
ret = SendHelloRequest(ssl);
if (ret != 0)
if (ssl->options.side == WOLFSSL_SERVER_END) {
ret = SendHelloRequest(ssl);
if (ret != 0)
return ret;
}
ret = InitHandshakeHashes(ssl);
if (ret !=0)
return ret;
}
ret = InitHandshakeHashes(ssl);
if (ret !=0)
return ret;
ret = wolfSSL_negotiate(ssl);
return ret;
}