Merge pull request #2704 from ejohnstown/renegotiation

Maintenance: Renegotiation
2019-12-30 16:45:31 -08:00 · 2019-12-30 16:45:31 -08:00 · 4f71bcfa7c
parent abc96f20fb add7cdd4e2
commit 4f71bcfa7c
2 changed files with 67 additions and 13 deletions
--- a/examples/client/client.c
+++ b/examples/client/client.c
@ -3209,6 +3209,44 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
        #endif
    #endif /* WOLFSSL_SESSION_EXPORT_DEBUG */

+#ifdef HAVE_SECURE_RENEGOTIATION
+    if (scr && forceScr) {
+        if (nonBlocking) {
+            printf("not doing secure renegotiation on example with"
+                   " nonblocking yet\n");
+        } else {
+            if (!resumeScr) {
+                printf("Beginning secure rengotiation.\n");
+                if (wolfSSL_Rehandshake(sslResume) != WOLFSSL_SUCCESS) {
+                    err = wolfSSL_get_error(sslResume, 0);
+                    printf("err = %d, %s\n", err,
+                                    wolfSSL_ERR_error_string(err, buffer));
+                    wolfSSL_free(sslResume); sslResume = NULL;
+                    wolfSSL_CTX_free(ctx); ctx = NULL;
+                    err_sys("wolfSSL_Rehandshake failed");
+                }
+                else {
+                    printf("RENEGOTIATION SUCCESSFUL\n");
+                }
+            }
+            else {
+                printf("Beginning secure resumption.\n");
+                if (wolfSSL_SecureResume(sslResume) != WOLFSSL_SUCCESS) {
+                    err = wolfSSL_get_error(sslResume, 0);
+                    printf("err = %d, %s\n", err,
+                                    wolfSSL_ERR_error_string(err, buffer));
+                    wolfSSL_free(sslResume); sslResume = NULL;
+                    wolfSSL_CTX_free(ctx); ctx = NULL;
+                    err_sys("wolfSSL_SecureResume failed");
+                }
+                else {
+                    printf("SECURE RESUMPTION SUCCESSFUL\n");
+                }
+            }
+        }
+    }
+#endif /* HAVE_SECURE_RENEGOTIATION */
+
        do {
            err = 0; /* reset error */
            ret = wolfSSL_write(sslResume, resumeMsg, resumeSz);
--- a/src/ssl.c
+++ b/src/ssl.c
@ -2541,10 +2541,9 @@ int wolfSSL_CTX_UseSecureRenegotiation(WOLFSSL_CTX* ctx)


 /* do a secure renegotiation handshake, user forced, we discourage */
-int wolfSSL_Rehandshake(WOLFSSL* ssl)
+static int _Rehandshake(WOLFSSL* ssl)
 {
    int ret;
-    WOLFSSL_ENTER("wolfSSL_Rehandshake");

    if (ssl == NULL)
        return BAD_FUNC_ARG;
@ -2613,15 +2612,38 @@ int wolfSSL_Rehandshake(WOLFSSL* ssl)
 }


+/* do a secure renegotiation handshake, user forced, we discourage */
+int wolfSSL_Rehandshake(WOLFSSL* ssl)
+{
+    int ret = WOLFSSL_SUCCESS;
+    WOLFSSL_ENTER("wolfSSL_Rehandshake");
+
+    if (ssl->options.side == WOLFSSL_SERVER_END) {
+        /* Reset option to send certificate verify. */
+        ssl->options.sendVerify = 0;
+    }
+    else {
+        /* Reset resuming flag to do full secure handshake. */
+        ssl->options.resuming = 0;
+        #ifdef HAVE_SESSION_TICKET
+            /* Clearing the ticket. */
+            ret = wolfSSL_UseSessionTicket(ssl);
+        #endif
+    }
+
+    if (ret == WOLFSSL_SUCCESS)
+        ret = _Rehandshake(ssl);
+
+    return ret;
+}
+
+
 #ifndef NO_WOLFSSL_CLIENT

 /* do a secure resumption handshake, user forced, we discourage */
 int wolfSSL_SecureResume(WOLFSSL* ssl)
 {
-    WOLFSSL_SESSION* session;
-    int ret;
-
-    WOLFSSL_ENTER("wolfSSL_SecureResume()");
+    WOLFSSL_ENTER("wolfSSL_SecureResume");

    if (ssl == NULL)
        return BAD_FUNC_ARG;
@ -2631,13 +2653,7 @@ int wolfSSL_SecureResume(WOLFSSL* ssl)
        return SSL_FATAL_ERROR;
    }

-    session = wolfSSL_get_session(ssl);
-    ret = wolfSSL_set_session(ssl, session);
-    session = NULL;
-    if (ret == WOLFSSL_SUCCESS)
-        ret = wolfSSL_Rehandshake(ssl);
-
-    return ret;
+    return _Rehandshake(ssl);
 }

 #endif /* NO_WOLFSSL_CLIENT */