aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorlloyd <[email protected]>2012-04-18 13:49:02 +0000
committerlloyd <[email protected]>2012-04-18 13:49:02 +0000
commit35101fb41e188f45b1a5661607ee00f918af9bd9 (patch)
treeda34c35a4a6019145666057e2caf89a553b9cd6f /src
parent0f0a9bf70a5aa13eb2597f3537f91f7aa1aaba18 (diff)
The secure renegotiation state was not updated on a session
resumption, which would cause failures if doing a renegotiation under the same session (eg to refresh keys). The peer_certs variable was not set until after the Session object was created, meaning the session (or session ticket) would not include client certs. Worse, they would be included in the next session saved, so if a client presented one cert, then renegotiated and presented another one, the first cert would be associated with the second session!
Diffstat (limited to 'src')
-rw-r--r--src/tls/tls_server.cpp16
1 files changed, 7 insertions, 9 deletions
diff --git a/src/tls/tls_server.cpp b/src/tls/tls_server.cpp
index e3efe9c04..312656eb1 100644
--- a/src/tls/tls_server.cpp
+++ b/src/tls/tls_server.cpp
@@ -330,6 +330,8 @@ void Server::process_handshake_msg(Handshake_Type type,
state->client_hello->supports_heartbeats(),
rng);
+ secure_renegotiation.update(state->server_hello);
+
if(session_info.fragment_size())
{
reader.set_maximum_fragment_size(session_info.fragment_size());
@@ -402,6 +404,8 @@ void Server::process_handshake_msg(Handshake_Type type,
state->client_hello->supports_heartbeats(),
rng);
+ secure_renegotiation.update(state->server_hello);
+
if(state->client_hello->fragment_size())
{
reader.set_maximum_fragment_size(state->client_hello->fragment_size());
@@ -459,8 +463,6 @@ void Server::process_handshake_msg(Handshake_Type type,
state->set_expected_next(CERTIFICATE);
}
- secure_renegotiation.update(state->server_hello);
-
/*
* If the client doesn't have a cert they want to use they are
* allowed to send either an empty cert message or proceed
@@ -492,11 +494,10 @@ void Server::process_handshake_msg(Handshake_Type type,
{
state->client_verify = new Certificate_Verify(contents, state->version());
- const std::vector<X509_Certificate>& client_certs =
- state->client_certs->cert_chain();
+ peer_certs = state->client_certs->cert_chain();
const bool sig_valid =
- state->client_verify->verify(client_certs[0], state);
+ state->client_verify->verify(peer_certs[0], state);
state->hash.update(type, contents);
@@ -510,7 +511,7 @@ void Server::process_handshake_msg(Handshake_Type type,
try
{
- creds.verify_certificate_chain("tls-server", "", client_certs);
+ creds.verify_certificate_chain("tls-server", "", peer_certs);
}
catch(std::exception& e)
{
@@ -596,9 +597,6 @@ void Server::process_handshake_msg(Handshake_Type type,
state->server_hello->compression_method());
state->server_finished = new Finished(writer, state, SERVER);
-
- if(state->client_certs && state->client_verify)
- peer_certs = state->client_certs->cert_chain();
}
secure_renegotiation.update(state->client_finished,