diff --git a/examples/client/client.c b/examples/client/client.c
index cd31f8f15..8ec2ac7a2 100644
--- a/examples/client/client.c
+++ b/examples/client/client.c
@@ -1520,8 +1520,10 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 }
 else if (input < 0) {
 int readErr = wolfSSL_get_error(ssl, 0);
- if (readErr != SSL_ERROR_WANT_READ)
+ if (readErr != SSL_ERROR_WANT_READ) {
+ printf("wolfSSL_read error %d!\n", readErr);
 err_sys("wolfSSL_read failed");
+ }
 }
 
 #ifndef NO_SESSION_CACHE
@@ -1687,8 +1689,10 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 }
 }
 else if (input < 0) {
 int readErr = wolfSSL_get_error(ssl, 0);
- if (readErr != SSL_ERROR_WANT_READ)
+ if (readErr != SSL_ERROR_WANT_READ) {
+ printf("wolfSSL_read error %d!\n", readErr);
 err_sys("wolfSSL_read failed");
+ }
 }
 /* try to send session break */
diff --git a/src/tls.c b/src/tls.c
index 9bea193a9..6f4389c5d 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -3163,16 +3163,29 @@ static int TLSX_SecureRenegotiation_Parse(WOLFSSL* ssl, byte* input,
 ret = 0;
 }
 }
- else if (*input == 2 * TLS_FINISHED_SZ) {
- /* TODO compare client_verify_data and server_verify_data */
- ret = 0;
+ else if (*input == 2 * TLS_FINISHED_SZ &&
+ length == 2 * TLS_FINISHED_SZ + OPAQUE8_LEN) {
+ input++; /* get past size */
+
+ /* validate client and server verify data */
+ if (XMEMCMP(input,
+ ssl->secure_renegotiation->client_verify_data,
+ TLS_FINISHED_SZ) == 0 &&
+ XMEMCMP(input + TLS_FINISHED_SZ,
+ ssl->secure_renegotiation->server_verify_data,
+ TLS_FINISHED_SZ) == 0) {
+ WOLFSSL_MSG("SCR client and server verify data match");
+ ret = 0; /* verified */
+ } else {
+ /* already in error state */
+ WOLFSSL_MSG("SCR client and server verify data Failure");
+ }
 }
 #endif
 }
 }
 
 if (ret != 0) {
- /* TODO: turn on fatal error at ssl level too */
 SendAlert(ssl, alert_fatal, handshake_failure);
 }
 
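Review bot: The new diagnostic on the wolfSSL_read error path is written with printf to stdout, immediately before err_sys reports the same failure, so the error code lands on a different stream from the rest of the error report and may be lost if err_sys terminates the process without flushing stdout. Writing it to stderr, or folding the code into the existing message, keeps the report in one place: `fprintf(stderr, "wolfSSL_read error %d!\n", readErr);`. The same change applies to the second client.c hunk (the block at old line 1687), which adds the identical printf. The enclosing function client_test starts and ends outside both hunks.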
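Review bot: On the mismatch path of the new else branch (`/* already in error state */`) nothing in the hunk assigns ret, so rejecting bad verify data depends on ret having been set to an error value somewhere above the hunk; assigning the failure explicitly there, e.g. `ret = SECURE_RENEGOTIATION_E;` if that is the code the surrounding branches use, makes the reject independent of earlier control flow and of later edits to the code above. The added `length == 2 * TLS_FINISHED_SZ + OPAQUE8_LEN` condition is what keeps both XMEMCMP reads inside input; a short comment saying so would make the bound's purpose clear to the next reader, since the earlier length checks are not visible in this hunk. XMEMCMP on the peer-supplied verify data is a timing-dependent compare; if the project has a constant-time comparison helper it would be the better fit here, though the impact is small because a mismatch ends in the fatal handshake_failure alert sent at the bottom of the hunk. TLSX_SecureRenegotiation_Parse starts outside the hunk.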