Merge pull request #614 from toddouska/scr-verify

add SCR client and server verify data check

examples/client/client.c

@@ -1520,8 +1520,10 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
     }
     else if (input < 0) {
         int readErr = wolfSSL_get_error(ssl, 0);
-        if (readErr != SSL_ERROR_WANT_READ)
+        if (readErr != SSL_ERROR_WANT_READ) {
+            printf("wolfSSL_read error %d!\n", readErr);
             err_sys("wolfSSL_read failed");
+        }
     }
 
 #ifndef NO_SESSION_CACHE
@@ -1687,8 +1689,10 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
         }
     } else if (input < 0) {
         int readErr = wolfSSL_get_error(ssl, 0);
-        if (readErr != SSL_ERROR_WANT_READ)
+        if (readErr != SSL_ERROR_WANT_READ) {
+            printf("wolfSSL_read error %d!\n", readErr);
             err_sys("wolfSSL_read failed");
+        }
     }
 
         /* try to send session break */

src/tls.c

@@ -3163,16 +3163,29 @@ static int TLSX_SecureRenegotiation_Parse(WOLFSSL* ssl, byte* input,
                     ret = 0;
                 }
             }
-            else if (*input == 2 * TLS_FINISHED_SZ) {
-                /* TODO compare client_verify_data and server_verify_data */
-                ret = 0;
+            else if (*input == 2 * TLS_FINISHED_SZ &&
+                     length == 2 * TLS_FINISHED_SZ + OPAQUE8_LEN) {
+                input++;  /* get past size */
+
+                /* validate client and server verify data */
+                if (XMEMCMP(input,
+                            ssl->secure_renegotiation->client_verify_data,
+                            TLS_FINISHED_SZ) == 0 &&
+                    XMEMCMP(input + TLS_FINISHED_SZ,
+                            ssl->secure_renegotiation->server_verify_data,
+                            TLS_FINISHED_SZ) == 0) {
+                    WOLFSSL_MSG("SCR client and server verify data match");
+                    ret = 0;  /* verified */
+                } else {
+                    /* already in error state */
+                    WOLFSSL_MSG("SCR client and server verify data Failure");
+                }
             }
         #endif
         }
     }
 
     if (ret != 0) {
-        /* TODO: turn on fatal error at ssl level too */
         SendAlert(ssl, alert_fatal, handshake_failure);
     }