From 7aee92110b728ffef1f4147656db32a3cc77dc49 Mon Sep 17 00:00:00 2001
From: Sean Parkinson <sean@wolfssl.com>
Date: Tue, 27 Jun 2017 08:52:53 +1000
Subject: [PATCH] Code review fixes

Also put in configuration option for sending HRR Cookie extension with
state.
---
 configure.ac             | 17 +++++++++++++++++
 examples/server/server.c |  3 +++
 src/tls13.c              |  2 +-
 3 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/configure.ac b/configure.ac
index fe8ebb80a..9666232d7 100644
--- a/configure.ac
+++ b/configure.ac
@@ -297,6 +297,22 @@ then
 fi
 
 
+# Post-handshake Authentication
+AC_ARG_ENABLE([hrrcookie],
+    [AS_HELP_STRING([--enable-hrrcookie],[Enable the server to send Cookie Extension in HRR with state (default: disabled)])],
+    [ ENABLED_SEND_HRR_COOKIE=$enableval ],
+    [ ENABLED_SEND_HRR_COOKIE=no ]
+    )
+if test "$ENABLED_SEND_HRR_COOKIE" = "yes"
+then
+    if test "x$ENABLED_TLS13" = "xno"
+    then
+        AC_MSG_ERROR([cannot enable hrrcookie without enabling tls13.])
+    fi
+  AM_CFLAGS="-DWOLFSSL_SEND_HRR_COOKIE $AM_CFLAGS"
+fi
+
+
 AC_ARG_ENABLE([rng],
     [AS_HELP_STRING([--enable-rng],[Enable compiling and using RNG (default: enabled)])],
     [ ENABLED_RNG=$enableval ],
@@ -3798,6 +3814,7 @@ echo "   * TLS v1.3:                   $ENABLED_TLS13"
 echo "   * TLS v1.3 Draft 18:          $ENABLED_TLS13_DRAFT18"
 echo "   * Post-handshake Auth:        $ENABLED_TLS13_POST_AUTH"
 echo "   * Early Data:                 $ENABLED_TLS13_EARLY_DATA"
+echo "   * Send State in HRR Cookie:   $ENABLED_SEND_HRR_COOKIE"
 echo "   * OCSP:                       $ENABLED_OCSP"
 echo "   * OCSP Stapling:              $ENABLED_CERTIFICATE_STATUS_REQUEST"
 echo "   * OCSP Stapling v2:           $ENABLED_CERTIFICATE_STATUS_REQUEST_V2"
diff --git a/examples/server/server.c b/examples/server/server.c
index de3da45a7..ca19788f8 100644
--- a/examples/server/server.c
+++ b/examples/server/server.c
@@ -379,6 +379,9 @@ static void Usage(void)
 #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
     printf("-Q          Request certificate from client post-handshake\n");
 #endif
+#ifdef WOLFSSL_SEND_HRR_COOKIE
+    printf("-J          Server sends Cookie Extension containing state\n");
+#endif
 #endif
 #ifdef WOLFSSL_EARLY_DATA
     printf("-0          Early data read from client (0-RTT handshake)\n");
diff --git a/src/tls13.c b/src/tls13.c
index a13722f85..6ee7f2bcc 100644
--- a/src/tls13.c
+++ b/src/tls13.c
@@ -3155,7 +3155,7 @@ static int CheckCookie(WOLFSSL* ssl, byte* cookie, byte cookieSz)
     if ((ret = wc_HmacFinal(&cookieHmac, mac)) != 0)
         return ret;
 
-    if (XMEMCMP(cookie + cookieSz, mac, macSz) != 0)
+    if (ConstantCompare(cookie + cookieSz, mac, macSz) != 0)
         return HRR_COOKIE_ERROR;
     return cookieSz;
 }