diff --git a/examples/client/client.c b/examples/client/client.c index 339f1722c..474e89e7d 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -1208,6 +1208,7 @@ static void Usage(void) #ifdef HAVE_SECURE_RENEGOTIATION printf("%s", msg[++msgid]); /* -R */ printf("%s", msg[++msgid]); /* -i */ + printf("-4 Use resumption for renegotiation\n"); #endif printf("%s", msg[++msgid]); /* -f */ printf("%s", msg[++msgid]); /* -x */ @@ -1337,6 +1338,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) int err = 0; int scr = 0; /* allow secure renegotiation */ int forceScr = 0; /* force client initiaed scr */ + int resumeScr = 0; /* use resumption for renegotiation */ #ifndef WOLFSSL_NO_CLIENT_AUTH int useClientCert = 1; #else @@ -1452,6 +1454,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) (void)atomicUser; (void)scr; (void)forceScr; + (void)resumeScr; (void)ourKey; (void)ourCert; (void)verifyCert; @@ -1478,7 +1481,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) while ((ch = mygetopt(argc, argv, "?:" "ab:c:defgh:ijk:l:mnop:q:rstuv:wxyz" "A:B:CDE:F:GH:IJKL:M:NO:PQRS:TUVW:XYZ:" - "01:23:")) != -1) { + "01:23:4")) != -1) { switch (ch) { case '?' : if(myoptarg!=NULL) { @@ -1892,6 +1895,14 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #endif break; + case '4' : + #ifdef HAVE_SECURE_RENEGOTIATION + scr = 1; + forceScr = 1; + resumeScr = 1; + #endif + break; + default: Usage(); XEXIT_T(MY_EX_USAGE); @@ -2826,16 +2837,33 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) printf("not doing secure renegotiation on example with" " nonblocking yet"); } else { - if (wolfSSL_Rehandshake(ssl) != WOLFSSL_SUCCESS) { - err = wolfSSL_get_error(ssl, 0); - printf("err = %d, %s\n", err, - wolfSSL_ERR_error_string(err, buffer)); - wolfSSL_free(ssl); ssl = NULL; - wolfSSL_CTX_free(ctx); ctx = NULL; - err_sys("wolfSSL_Rehandshake failed"); + if (!resumeScr) { + printf("Beginning secure rengotiation.\n"); + if (wolfSSL_Rehandshake(ssl) != WOLFSSL_SUCCESS) { + err = wolfSSL_get_error(ssl, 0); + printf("err = %d, %s\n", err, + wolfSSL_ERR_error_string(err, buffer)); + wolfSSL_free(ssl); ssl = NULL; + wolfSSL_CTX_free(ctx); ctx = NULL; + err_sys("wolfSSL_Rehandshake failed"); + } + else { + printf("RENEGOTIATION SUCCESSFUL\n"); + } } else { - printf("RENEGOTIATION SUCCESSFUL\n"); + printf("Beginning secure resumption.\n"); + if (wolfSSL_SecureResume(ssl) != WOLFSSL_SUCCESS) { + err = wolfSSL_get_error(ssl, 0); + printf("err = %d, %s\n", err, + wolfSSL_ERR_error_string(err, buffer)); + wolfSSL_free(ssl); ssl = NULL; + wolfSSL_CTX_free(ctx); ctx = NULL; + err_sys("wolfSSL_SecureResume failed"); + } + else { + printf("SECURE RESUMPTION SUCCESSFUL\n"); + } } } } diff --git a/src/internal.c b/src/internal.c index 16b35131b..56c3b8423 100644 --- a/src/internal.c +++ b/src/internal.c @@ -9571,7 +9571,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, /* compare against previous time */ if (XMEMCMP(args->dCert->subjectHash, ssl->secure_renegotiation->subject_hash, - WC_SHA_DIGEST_SIZE) != 0) { + KEYID_SIZE) != 0) { WOLFSSL_MSG( "Peer sent different cert during scr, fatal"); args->fatal = 1; @@ -9582,7 +9582,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, /* cache peer's hash */ if (args->fatal == 0) { XMEMCPY(ssl->secure_renegotiation->subject_hash, - args->dCert->subjectHash, WC_SHA_DIGEST_SIZE); + args->dCert->subjectHash, KEYID_SIZE); } } #endif /* HAVE_SECURE_RENEGOTIATION */ diff --git a/src/ssl.c b/src/ssl.c index fc3442a61..175e3460a 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -2347,7 +2347,7 @@ int wolfSSL_UseSecureRenegotiation(WOLFSSL* ssl) /* do a secure renegotiation handshake, user forced, we discourage */ -int wolfSSL_Rehandshake(WOLFSSL* ssl) +int wolfSSL_StartSecureRenegotiation(WOLFSSL* ssl, int resume) { int ret; @@ -2364,6 +2364,9 @@ int wolfSSL_Rehandshake(WOLFSSL* ssl) return SECURE_RENEGOTIATION_E; } + if (!resume) + ssl->options.resuming = 0; + /* If the client started the renegotiation, the server will already * have processed the client's hello. */ if (ssl->options.side != WOLFSSL_SERVER_END || @@ -2383,6 +2386,11 @@ int wolfSSL_Rehandshake(WOLFSSL* ssl) } #endif + if (!resume) { + XMEMSET(ssl->session.sessionID, 0, ID_LEN); + ssl->session.sessionIDSz = 0; + } + /* reset handshake states */ ssl->options.serverState = NULL_STATE; ssl->options.clientState = NULL_STATE; @@ -2411,6 +2419,18 @@ int wolfSSL_Rehandshake(WOLFSSL* ssl) return ret; } + +int wolfSSL_Rehandshake(WOLFSSL* ssl) { + WOLFSSL_ENTER("wolfSSL_Rehandshake()"); + return wolfSSL_StartSecureRenegotiation(ssl, 0); +} + + +int wolfSSL_SecureResume(WOLFSSL* ssl) { + WOLFSSL_ENTER("wolfSSL_SecureResume()"); + return wolfSSL_StartSecureRenegotiation(ssl, 1); +} + #endif /* HAVE_SECURE_RENEGOTIATION */ /* Session Ticket */ diff --git a/wolfssl/internal.h b/wolfssl/internal.h index d4fbefaba..5d7e94df5 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -2286,7 +2286,7 @@ typedef struct SecureRenegotiation { enum key_cache_state cache_status; /* track key cache state */ byte client_verify_data[TLS_FINISHED_SZ]; /* cached */ byte server_verify_data[TLS_FINISHED_SZ]; /* cached */ - byte subject_hash[WC_SHA_DIGEST_SIZE]; /* peer cert hash */ + byte subject_hash[KEYID_SIZE]; /* peer cert hash */ Keys tmp_keys; /* can't overwrite real keys yet */ } SecureRenegotiation; diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 44bc2367b..b650947f5 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -2433,7 +2433,9 @@ WOLFSSL_API int wolfSSL_NoKeyShares(WOLFSSL* ssl); #ifdef HAVE_SECURE_RENEGOTIATION WOLFSSL_API int wolfSSL_UseSecureRenegotiation(WOLFSSL* ssl); +WOLFSSL_API int wolfSSL_StartSecureRenegotiation(WOLFSSL* ssl, int resume); WOLFSSL_API int wolfSSL_Rehandshake(WOLFSSL* ssl); +WOLFSSL_API int wolfSSL_SecureResume(WOLFSSL* ssl); #endif