diff --git a/cyassl/internal.h b/cyassl/internal.h index e5cd2b8db..f0c4a1700 100644 --- a/cyassl/internal.h +++ b/cyassl/internal.h @@ -1160,7 +1160,9 @@ enum AlertDescription { certificate_expired = 45, certificate_unknown = 46, illegal_parameter = 47, - decrypt_error = 51 + decrypt_error = 51, + protocol_version = 70, + no_renegotiation = 100 }; diff --git a/src/internal.c b/src/internal.c index fa6a213c8..b712ea456 100644 --- a/src/internal.c +++ b/src/internal.c @@ -1709,6 +1709,36 @@ static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx) } +static int DoHelloRequest(CYASSL* ssl, const byte* input, word32* inOutIdx) +{ + if (ssl->keys.encryptionOn) { + const byte* mac; + int padSz = ssl->keys.encryptSz - HANDSHAKE_HEADER_SZ - + ssl->specs.hash_size; + byte verify[SHA256_DIGEST_SIZE]; + + ssl->hmac(ssl, verify, input + *inOutIdx - HANDSHAKE_HEADER_SZ, + HANDSHAKE_HEADER_SZ, handshake, 1); + /* read mac and fill */ + mac = input + *inOutIdx; + *inOutIdx += ssl->specs.hash_size; + + if (ssl->options.tls1_1 && ssl->specs.cipher_type == block) + padSz -= ssl->specs.block_size; + + *inOutIdx += padSz; + + /* verify */ + if (XMEMCMP(mac, verify, ssl->specs.hash_size)) { + CYASSL_MSG(" hello_request verify mac error"); + return VERIFY_MAC_ERROR; + } + } + + return SendAlert(ssl, alert_warning, no_renegotiation); +} + + int DoFinished(CYASSL* ssl, const byte* input, word32* inOutIdx, int sniff) { byte verifyMAC[SHA256_DIGEST_SIZE]; @@ -1802,6 +1832,11 @@ static int DoHandShakeMsg(CYASSL* ssl, byte* input, word32* inOutIdx, switch (type) { + case hello_request: + CYASSL_MSG("processing hello request"); + ret = DoHelloRequest(ssl, input, inOutIdx); + break; + #ifndef NO_CYASSL_CLIENT case hello_verify_request: CYASSL_MSG("processing hello verify request");