wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-29 18:27:29 +02:00
Code Issues Packages Projects Releases Wiki Activity

Secure Renegotiation

Browse Source 
1. Split the wolfSSL_Rehandshake() function into wolfSSL_Rehadshake()
which performs a full handshake on secure renegotiation and
wolfSSL_SecureResume() which performs a session resumption on a
secure renegotiation.
2. Add option to example client to perform a secure resumption instead
of a full secure handshake.
This commit is contained in:
John Safranek
2019-02-19 15:04:22 -08:00
parent 25dd5882f8
commit 1f6314746c
5 changed files with 63 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
examples/client/client.c
View File

@ -1208,6 +1208,7 @@ static void Usage(void)
#ifdef HAVE_SECURE_RENEGOTIATION
printf("%s", msg[++msgid]); /* -R */
printf("%s", msg[++msgid]); /* -i */
printf("-4 Use resumption for renegotiation\n");
#endif
printf("%s", msg[++msgid]); /* -f */
printf("%s", msg[++msgid]); /* -x */
@ -1337,6 +1338,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
int err = 0;
int scr = 0; /* allow secure renegotiation */
int forceScr = 0; /* force client initiaed scr */
int resumeScr = 0; /* use resumption for renegotiation */
#ifndef WOLFSSL_NO_CLIENT_AUTH
int useClientCert = 1;
#else
@ -1452,6 +1454,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
(void)atomicUser;
(void)scr;
(void)forceScr;
(void)resumeScr;
(void)ourKey;
(void)ourCert;
(void)verifyCert;
@ -1478,7 +1481,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
while ((ch = mygetopt(argc, argv, "?:"
"ab:c:defgh:ijk:l:mnop:q:rstuv:wxyz"
"A:B:CDE:F:GH:IJKL:M:NO:PQRS:TUVW:XYZ:"
"01:23:")) != -1) {
"01:23:4")) != -1) {
switch (ch) {
case '?' :
if(myoptarg!=NULL) {
@ -1892,6 +1895,14 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
#endif
break;
case '4' :
#ifdef HAVE_SECURE_RENEGOTIATION
scr = 1;
forceScr = 1;
resumeScr = 1;
#endif
break;
default:
Usage();
XEXIT_T(MY_EX_USAGE);
@ -2826,16 +2837,33 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
printf("not doing secure renegotiation on example with"
" nonblocking yet");
} else {
if (wolfSSL_Rehandshake(ssl) != WOLFSSL_SUCCESS) {
err = wolfSSL_get_error(ssl, 0);
printf("err = %d, %s\n", err,
wolfSSL_ERR_error_string(err, buffer));
wolfSSL_free(ssl); ssl = NULL;
wolfSSL_CTX_free(ctx); ctx = NULL;
err_sys("wolfSSL_Rehandshake failed");
if (!resumeScr) {
printf("Beginning secure rengotiation.\n");
if (wolfSSL_Rehandshake(ssl) != WOLFSSL_SUCCESS) {
err = wolfSSL_get_error(ssl, 0);
printf("err = %d, %s\n", err,
wolfSSL_ERR_error_string(err, buffer));
wolfSSL_free(ssl); ssl = NULL;
wolfSSL_CTX_free(ctx); ctx = NULL;
err_sys("wolfSSL_Rehandshake failed");
}
else {
printf("RENEGOTIATION SUCCESSFUL\n");
}
}
else {
printf("RENEGOTIATION SUCCESSFUL\n");
printf("Beginning secure resumption.\n");
if (wolfSSL_SecureResume(ssl) != WOLFSSL_SUCCESS) {
err = wolfSSL_get_error(ssl, 0);
printf("err = %d, %s\n", err,
wolfSSL_ERR_error_string(err, buffer));
wolfSSL_free(ssl); ssl = NULL;
wolfSSL_CTX_free(ctx); ctx = NULL;
err_sys("wolfSSL_SecureResume failed");
}
else {
printf("SECURE RESUMPTION SUCCESSFUL\n");
}
}
}
}

4
src/internal.c
View File

@ -9571,7 +9571,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
/* compare against previous time */
if (XMEMCMP(args->dCert->subjectHash,
ssl->secure_renegotiation->subject_hash,
WC_SHA_DIGEST_SIZE) != 0) {
KEYID_SIZE) != 0) {
WOLFSSL_MSG(
"Peer sent different cert during scr, fatal");
args->fatal = 1;
@ -9582,7 +9582,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
/* cache peer's hash */
if (args->fatal == 0) {
XMEMCPY(ssl->secure_renegotiation->subject_hash,
args->dCert->subjectHash, WC_SHA_DIGEST_SIZE);
args->dCert->subjectHash, KEYID_SIZE);
}
}
#endif /* HAVE_SECURE_RENEGOTIATION */

22
src/ssl.c
View File

@ -2347,7 +2347,7 @@ int wolfSSL_UseSecureRenegotiation(WOLFSSL* ssl)
/* do a secure renegotiation handshake, user forced, we discourage */
int wolfSSL_Rehandshake(WOLFSSL* ssl)
int wolfSSL_StartSecureRenegotiation(WOLFSSL* ssl, int resume)
{
int ret;
@ -2364,6 +2364,9 @@ int wolfSSL_Rehandshake(WOLFSSL* ssl)
return SECURE_RENEGOTIATION_E;
}
if (!resume)
ssl->options.resuming = 0;
/* If the client started the renegotiation, the server will already
* have processed the client's hello. */
if (ssl->options.side != WOLFSSL_SERVER_END ||
@ -2383,6 +2386,11 @@ int wolfSSL_Rehandshake(WOLFSSL* ssl)
}
#endif
if (!resume) {
XMEMSET(ssl->session.sessionID, 0, ID_LEN);
ssl->session.sessionIDSz = 0;
}
/* reset handshake states */
ssl->options.serverState = NULL_STATE;
ssl->options.clientState = NULL_STATE;
@ -2411,6 +2419,18 @@ int wolfSSL_Rehandshake(WOLFSSL* ssl)
return ret;
}
int wolfSSL_Rehandshake(WOLFSSL* ssl) {
WOLFSSL_ENTER("wolfSSL_Rehandshake()");
return wolfSSL_StartSecureRenegotiation(ssl, 0);
}
int wolfSSL_SecureResume(WOLFSSL* ssl) {
WOLFSSL_ENTER("wolfSSL_SecureResume()");
return wolfSSL_StartSecureRenegotiation(ssl, 1);
}
#endif /* HAVE_SECURE_RENEGOTIATION */
/* Session Ticket */

2
wolfssl/internal.h
View File

@ -2286,7 +2286,7 @@ typedef struct SecureRenegotiation {
enum key_cache_state cache_status; /* track key cache state */
byte client_verify_data[TLS_FINISHED_SZ]; /* cached */
byte server_verify_data[TLS_FINISHED_SZ]; /* cached */
byte subject_hash[WC_SHA_DIGEST_SIZE]; /* peer cert hash */
byte subject_hash[KEYID_SIZE]; /* peer cert hash */
Keys tmp_keys; /* can't overwrite real keys yet */
} SecureRenegotiation;

2
wolfssl/ssl.h
View File

@ -2433,7 +2433,9 @@ WOLFSSL_API int wolfSSL_NoKeyShares(WOLFSSL* ssl);
#ifdef HAVE_SECURE_RENEGOTIATION
WOLFSSL_API int wolfSSL_UseSecureRenegotiation(WOLFSSL* ssl);
WOLFSSL_API int wolfSSL_StartSecureRenegotiation(WOLFSSL* ssl, int resume);
WOLFSSL_API int wolfSSL_Rehandshake(WOLFSSL* ssl);
WOLFSSL_API int wolfSSL_SecureResume(WOLFSSL* ssl);
#endif