author | lloyd <[email protected]> | 2012-04-18 13:49:02 +0000 |
---|---|---|
committer | lloyd <[email protected]> | 2012-04-18 13:49:02 +0000 |
commit | 35101fb41e188f45b1a5661607ee00f918af9bd9 (patch) | |
tree | da34c35a4a6019145666057e2caf89a553b9cd6f /src | |
parent | 0f0a9bf70a5aa13eb2597f3537f91f7aa1aaba18 (diff) |
The secure renegotiation state was not updated on a session
resumption, which would cause failures if doing a renegotiation under
the same session (e.g. to refresh keys).
The peer_certs variable was not set until after the Session object was
created, meaning the session (or session ticket) would not include
client certs. Worse, they would be included in the next session saved,
so if a client presented one cert, then renegotiated and presented
another one, the first cert would be associated with the second
session!
Diffstat (limited to 'src')
-rw-r--r-- | src/tls/tls_server.cpp | 16 |
1 files changed, 7 insertions, 9 deletions
diff --git a/src/tls/tls_server.cpp b/src/tls/tls_server.cpp
index e3efe9c04..312656eb1 100644
--- a/src/tls/tls_server.cpp
+++ b/src/tls/tls_server.cpp
@@ -330,6 +330,8 @@ void Server::process_handshake_msg(Handshake_Type type,
 state->client_hello->supports_heartbeats(), rng);
+ secure_renegotiation.update(state->server_hello);
+
 if(session_info.fragment_size())
 {
 reader.set_maximum_fragment_size(session_info.fragment_size());
@@ -402,6 +404,8 @@ void Server::process_handshake_msg(Handshake_Type type,
 state->client_hello->supports_heartbeats(), rng);
+ secure_renegotiation.update(state->server_hello);
+
 if(state->client_hello->fragment_size())
 {
 reader.set_maximum_fragment_size(state->client_hello->fragment_size());
@@ -459,8 +463,6 @@ void Server::process_handshake_msg(Handshake_Type type,
 state->set_expected_next(CERTIFICATE);
 }
- secure_renegotiation.update(state->server_hello);
-
 /*
 * If the client doesn't have a cert they want to use they are
 * allowed to send either an empty cert message or proceed
@@ -492,11 +494,10 @@ void Server::process_handshake_msg(Handshake_Type type,
 {
 state->client_verify = new Certificate_Verify(contents, state->version());
- const std::vector<X509_Certificate>& client_certs =
- state->client_certs->cert_chain();
+ peer_certs = state->client_certs->cert_chain();
 const bool sig_valid =
- state->client_verify->verify(client_certs[0], state);
+ state->client_verify->verify(peer_certs[0], state);
 state->hash.update(type, contents);
@@ -510,7 +511,7 @@ void Server::process_handshake_msg(Handshake_Type type,
 try
 {
- creds.verify_certificate_chain("tls-server", "", client_certs);
+ creds.verify_certificate_chain("tls-server", "", peer_certs);
 }
 catch(std::exception& e)
 {
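Review bot: In the `@@ -492,11 +494,10 @@` hunk, `peer_certs` is assigned from the client's chain before `client_verify->verify(...)` has succeeded, and before `creds.verify_certificate_chain(...)` in the following `@@ -510,7 +511,7 @@` hunk has succeeded, so on every failure path the member holds a chain the server never accepted. The error handling lies outside these hunks, so it is unconfirmed whether anything can read `peer_certs` or save a session after a failed check. Keeping the local `const std::vector<X509_Certificate>& client_certs` for both checks and adding `peer_certs = client_certs;` directly after `verify_certificate_chain` returns would still set the member before the Session object is created. `peer_certs[0]` is also indexed with no emptiness check visible here; the enclosing handler starts and ends outside the hunk, so that guard may exist elsewhere.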
@@ -596,9 +597,6 @@ void Server::process_handshake_msg(Handshake_Type type,
 state->server_hello->compression_method());
 state->server_finished = new Finished(writer, state, SERVER);
-
- if(state->client_certs && state->client_verify)
- peer_certs = state->client_certs->cert_chain();
 }
 secure_renegotiation.update(state->client_finished, |
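Review bot: With the assignment removed from the Finished path here, no visible hunk ever clears `peer_certs`, so a renegotiation in which the client sends no certificate (the case the comment in the `@@ -459,8 +463,6 @@` hunk allows) would appear to leave the previous handshake's chain in place and store it with the new session. That is the same cross-session association the commit message describes, with the stale chain carried forward instead. Unless the member is reset elsewhere in `process_handshake_msg`, which starts and ends outside this hunk, add `peer_certs.clear();` where a new client hello is accepted. A comment on the member stating that it only ever holds the chain verified in the current handshake would document the invariant.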