diff --git a/examples/client/client.c b/examples/client/client.c index afe5beabe..c667a274f 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -3050,13 +3050,28 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) } else { if (!resumeScr) { printf("Beginning secure rengotiation.\n"); - if (wolfSSL_Rehandshake(ssl) != WOLFSSL_SUCCESS) { + if ((ret = wolfSSL_Rehandshake(ssl)) != WOLFSSL_SUCCESS) { err = wolfSSL_get_error(ssl, 0); - printf("err = %d, %s\n", err, - wolfSSL_ERR_error_string(err, buffer)); - wolfSSL_free(ssl); ssl = NULL; - wolfSSL_CTX_free(ctx); ctx = NULL; - err_sys("wolfSSL_Rehandshake failed"); +#ifdef WOLFSSL_ASYNC_CRYPT + while (err == WC_PENDING_E) { + err = 0; + ret = wolfSSL_negotiate(ssl); + if (ret != WOLFSSL_SUCCESS) { + err = wolfSSL_get_error(ssl, 0); + if (err == WC_PENDING_E) { + ret = wolfSSL_AsyncPoll(ssl, WOLF_POLL_FLAG_CHECK_HW); + if (ret < 0) break; + } + } + } +#endif + if (ret != WOLFSSL_SUCCESS) { + printf("err = %d, %s\n", err, + wolfSSL_ERR_error_string(err, buffer)); + wolfSSL_free(ssl); ssl = NULL; + wolfSSL_CTX_free(ctx); ctx = NULL; + err_sys("wolfSSL_Rehandshake failed"); + } } else { printf("RENEGOTIATION SUCCESSFUL\n"); diff --git a/examples/server/server.c b/examples/server/server.c index 695ab6f9b..9c4c2925b 100644 --- a/examples/server/server.c +++ b/examples/server/server.c 
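Review bot: In the new async retry loop in client.c, the `if (ret < 0) break;` after `wolfSSL_AsyncPoll` leaves `err` equal to `WC_PENDING_E`, so the `printf("err = %d, %s\n", err, ...)` that follows reports "pending" rather than the poll failure that actually aborted the renegotiation. Capturing the result before leaving the loop, `if (ret < 0) { err = ret; break; }`, keeps the diagnostic and the `err_sys` exit tied to the real cause (assuming `wolfSSL_AsyncPoll` returns a wolfSSL error code on failure, which is not visible here). The same poll-until-done loop is duplicated verbatim in server.c in this commit; a small shared helper in the examples would keep the two from drifting. `client_test` starts and ends outside the hunk.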
@@ -2385,8 +2385,23 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) printf("not doing secure renegotiation on example with" " nonblocking yet\n"); } else { - if (wolfSSL_Rehandshake(ssl) != WOLFSSL_SUCCESS) { - printf("not doing secure renegotiation\n"); + if ((ret = wolfSSL_Rehandshake(ssl)) != WOLFSSL_SUCCESS) { +#ifdef WOLFSSL_ASYNC_CRYPT + err = wolfSSL_get_error(ssl, 0); + while (err == WC_PENDING_E) { + err = 0; + ret = wolfSSL_negotiate(ssl); + if (ret != WOLFSSL_SUCCESS) { + err = wolfSSL_get_error(ssl, 0); + if (err == WC_PENDING_E) { + ret = wolfSSL_AsyncPoll(ssl, WOLF_POLL_FLAG_CHECK_HW); + if (ret < 0) break; + } + } + } + if (ret != WOLFSSL_SUCCESS) +#endif + printf("not doing secure renegotiation\n"); } else { printf("RENEGOTIATION SUCCESSFUL\n"); diff --git a/src/internal.c b/src/internal.c index 08158e8f3..ac605d0a6 100644 --- a/src/internal.c +++ b/src/internal.c @@ -227,20 +227,6 @@ static WC_INLINE int IsDtlsNotSctpMode(WOLFSSL* ssl) return ssl->options.dtls; #endif } - -int IsInitialRenegotiationState(WOLFSSL* ssl) -{ - if (ssl->options.acceptState == ACCEPT_FIRST_REPLY_DONE - #ifdef HAVE_SECURE_RENEGOTIATION - || ssl->options.acceptState == ACCEPT_BEGIN_RENEG - #endif - ) { - return 1; - } - else { - return 0; - } -} #endif /* DTLS || !WOLFSSL_NO_TLS12 */ @@ -17692,11 +17678,7 @@ int ReceiveData(WOLFSSL* ssl, byte* output, int sz, int peek) WOLFSSL_ENTER("ReceiveData()"); /* reset error state */ - if (ssl->error == WANT_READ - #ifdef WOLFSSL_ASYNC_CRYPT - || ssl->error == WC_PENDING_E - #endif - ) { + if (ssl->error == WANT_READ) { ssl->error = 0; } 
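Review bot: In the server.c hunk the bare `if (ret != WOLFSSL_SUCCESS)` sits immediately before `#endif` with its body, the `printf`, on the far side of the conditional-compilation boundary; in non-async builds the `printf` is unconditional, in async builds it is the `if` body, and an unbraced `if` straddling an `#endif` is exactly the shape that produces a silent control-flow bug when someone later inserts a line between them. Since `ret != WOLFSSL_SUCCESS` already holds on entry to this branch, the check can move below the `#endif` and be braced with no behavioural change: `#endif` / `if (ret != WOLFSSL_SUCCESS) {` / `printf("not doing secure renegotiation\n");` / `}`. As in the client, a failed `wolfSSL_AsyncPoll` exits the loop with `err` still `WC_PENDING_E`, so nothing here distinguishes a poll failure from a handshake failure. `server_test` starts and ends outside the hunk.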
@@ -17709,11 +17691,17 @@ int ReceiveData(WOLFSSL* ssl, byte* output, int sz, int peek) } #endif /* WOLFSSL_DTLS */ - if (ssl->error != 0 && ssl->error != WANT_WRITE) { + if (ssl->error != 0 && ssl->error != WANT_WRITE +#ifdef WOLFSSL_ASYNC_CRYPT + && ssl->error != WC_PENDING_E +#endif + ) { WOLFSSL_MSG("User calling wolfSSL_read in error state, not allowed"); return ssl->error; } + if (ssl->error != 0) fprintf(stderr, "ignoring err %d\n", ssl->error); + #ifdef WOLFSSL_EARLY_DATA if (ssl->earlyData != no_early_data) { } @@ -26914,7 +26902,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, XMEMCPY(&pv, input + i, OPAQUE16_LEN); ssl->chVersion = pv; /* store */ #ifdef WOLFSSL_DTLS - if (IsDtlsNotSctpMode(ssl) && !IsInitialRenegotiationState(ssl)) { + if (IsDtlsNotSctpMode(ssl) && !IsSCR(ssl)) { #if defined(NO_SHA) && defined(NO_SHA256) #error "DTLS needs either SHA or SHA-256" #endif /* NO_SHA && NO_SHA256 */ @@ -27064,7 +27052,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, /* random */ XMEMCPY(ssl->arrays->clientRandom, input + i, RAN_LEN); #ifdef WOLFSSL_DTLS - if (IsDtlsNotSctpMode(ssl) && !IsInitialRenegotiationState(ssl)) { + if (IsDtlsNotSctpMode(ssl) && !IsSCR(ssl)) { ret = wc_HmacUpdate(&cookieHmac, input + i, RAN_LEN); if (ret != 0) return ret; } @@ -27097,7 +27085,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, XMEMCPY(ssl->arrays->sessionID, input + i, b); #ifdef WOLFSSL_DTLS - if (IsDtlsNotSctpMode(ssl) && !IsInitialRenegotiationState(ssl)) { + if (IsDtlsNotSctpMode(ssl) && !IsSCR(ssl)) { ret = wc_HmacUpdate(&cookieHmac, input + i - 1, b + 1); if (ret != 0) return ret; } 
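Review bot: The added `if (ssl->error != 0) fprintf(stderr, "ignoring err %d\n", ssl->error);` in `ReceiveData` is an unconditional debug print in library code: it fires on every `wolfSSL_read` made while `ssl->error` is `WANT_WRITE` (or `WC_PENDING_E` in async builds), writes straight to `stderr` rather than going through the library's logging, and will not build on targets without stdio. It should be removed, or at most become `WOLFSSL_MSG("wolfSSL_read proceeding with non-fatal error state pending");` so it follows the logging path the surrounding code already uses. Note also that, with the companion hunk no longer clearing `WC_PENDING_E` at the top of `ReceiveData`, a read now proceeds with `ssl->error` still set to `WC_PENDING_E`; that is presumably the intent, but any later check of `ssl->error != 0` inside the read path should be confirmed to tolerate it. `ReceiveData` starts and ends outside the hunk.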
@@ -27182,7 +27170,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, #endif #ifdef WOLFSSL_DTLS - if (IsDtlsNotSctpMode(ssl) && !IsInitialRenegotiationState(ssl)) { + if (IsDtlsNotSctpMode(ssl) && !IsSCR(ssl)) { ret = wc_HmacUpdate(&cookieHmac, input + i - OPAQUE16_LEN, clSuites.suiteSz + OPAQUE16_LEN); @@ -27208,7 +27196,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, #ifdef WOLFSSL_DTLS if (IsDtlsNotSctpMode(ssl)) { - if (!IsInitialRenegotiationState(ssl)) { + if (!IsSCR(ssl)) { byte newCookie[MAX_COOKIE_LEN]; ret = wc_HmacUpdate(&cookieHmac, input + i - 1, b + 1); diff --git a/src/ssl.c b/src/ssl.c index 31aa0f033..8bae5976f 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -2642,7 +2642,7 @@ int wolfSSL_CTX_UseSecureRenegotiation(WOLFSSL_CTX* ctx) /* do a secure renegotiation handshake, user forced, we discourage */ static int _Rehandshake(WOLFSSL* ssl) { - int ret, err; + int ret; if (ssl == NULL) return BAD_FUNC_ARG; @@ -2705,22 +2705,9 @@ static int _Rehandshake(WOLFSSL* ssl) return WOLFSSL_FATAL_ERROR; } } - - do { - err = 0; /* reset error */ - ret = wolfSSL_negotiate(ssl); - if (ret != WOLFSSL_SUCCESS) { - err = wolfSSL_get_error(ssl, 0); -#ifdef WOLFSSL_ASYNC_CRYPT - if (err == WC_PENDING_E) { - ret = wolfSSL_AsyncPoll(ssl, WOLF_POLL_FLAG_CHECK_HW); - if (ret < 0) break; - } -#endif - } - } while (err == WC_PENDING_E); - - ssl->secure_rene_count++; + ret = wolfSSL_negotiate(ssl); + if (ret == WOLFSSL_SUCCESS) + ssl->secure_rene_count++; return ret; } 
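Review bot: In the `_Rehandshake` hunk, `ssl->secure_rene_count++` now runs only when the single `wolfSSL_negotiate` call returns `WOLFSSL_SUCCESS`; the async completion loop has been moved out to the examples, which finish a pending renegotiation by calling `wolfSSL_negotiate` directly, so a renegotiation that completes asynchronously is never counted. If `secure_rene_count` is consulted anywhere to bound the number of renegotiations a peer may trigger (not visible in this diff), the async path now escapes that bound; if it is informational only, the inconsistency still deserves a comment. Either move the increment to the point where the SCR handshake is actually recorded as complete, or document the limitation at the increment: `/* counted only when the handshake completes in this call; an async caller that finishes via wolfSSL_negotiate() is not counted */`. `_Rehandshake` starts outside the hunk.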
@@ -12177,6 +12164,14 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, } #endif /* WOLFSSL_DTLS */ +#if defined(WOLFSSL_ASYNC_CRYPT) && defined(HAVE_SECURE_RENEGOTIATION) + /* This may be necessary in async so that we don't try to + * renegotiate again */ + if (ssl->secure_renegotiation && ssl->secure_renegotiation->startScr) { + ssl->secure_renegotiation->startScr = 0; + } +#endif /* WOLFSSL_ASYNC_CRYPT && HAVE_SECURE_RENEGOTIATION */ + #ifdef WOLFSSL_SESSION_EXPORT if (ssl->dtls_export) { if ((ssl->error = wolfSSL_send_session(ssl)) != 0) { diff --git a/wolfssl/internal.h b/wolfssl/internal.h index d5ccca491..1fdcc69d4 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -4382,10 +4382,6 @@ WOLFSSL_LOCAL int IsTLS(const WOLFSSL* ssl); WOLFSSL_LOCAL int IsAtLeastTLSv1_2(const WOLFSSL* ssl); WOLFSSL_LOCAL int IsAtLeastTLSv1_3(const ProtocolVersion pv); -#if defined(WOLFSSL_DTLS) || !defined(WOLFSSL_NO_TLS12) -WOLFSSL_LOCAL int IsInitialRenegotiationState(WOLFSSL* ssl); -#endif /* DTLS || !WOLFSSL_NO_TLS12 */ - WOLFSSL_LOCAL void FreeHandshakeResources(WOLFSSL* ssl); WOLFSSL_LOCAL void ShrinkInputBuffer(WOLFSSL* ssl, int forcedFree); WOLFSSL_LOCAL void ShrinkOutputBuffer(WOLFSSL* ssl);
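Review bot: The comment on the new `startScr = 0` block, "This may be necessary in async so that we don't try to renegotiate again", reads as a guess and does not say what state the flag is in or why the non-async build does not need the reset. The block is not DTLS-specific despite its placement right after the `WOLFSSL_DTLS` section, and the enclosing function starts and ends outside the hunk, so a reader cannot tell from context which handshake stage this runs at. Replace it with a comment that states the invariant being restored, for example `/* Clear the pending-SCR request so a caller that re-enters the handshake after WC_PENDING_E does not start a second renegotiation; non-async callers reach this point only once. */`, adjusting the second clause to whatever is actually true of the synchronous path.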