Merge pull request #4346 from cconlon/verifyPostHandshake

TLS 1.3: add support for WOLFSSL_VERIFY_POST_HANDSHAKE verify mode
This commit is contained in:
Sean Parkinson
2021-08-30 09:47:23 +10:00
committed by GitHub
7 changed files with 42 additions and 3 deletions


@@ -6218,6 +6218,7 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
ssl->options.noPskDheKe = ctx->noPskDheKe;
#if defined(WOLFSSL_POST_HANDSHAKE_AUTH)
ssl->options.postHandshakeAuth = ctx->postHandshakeAuth;
ssl->options.verifyPostHandshake = ctx->verifyPostHandshake;
#endif
if (ctx->numGroups > 0) {
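Review bot: L16 copies the new field under `#if defined(WOLFSSL_POST_HANDSHAKE_AUTH)` (L14), whereas internal.h declares both fields under `defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)` and the ssl.c setters use that same two-macro guard; the pre-existing postHandshakeAuth copy on L15 has the same mismatch. Unless the build configuration guarantees that WOLFSSL_POST_HANDSHAKE_AUTH implies WOLFSSL_TLS13 (not visible here), a build with only the former fails to compile at these lines; changing L14 to `#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)` removes the doubt and keeps the guards consistent across files. InitSSL starts and ends outside the hunk.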


@@ -11276,6 +11276,9 @@ void wolfSSL_CTX_set_verify(WOLFSSL_CTX* ctx, int mode, VerifyCallback vc)
ctx->verifyNone = 0;
ctx->failNoCert = 0;
ctx->failNoCertxPSK = 0;
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
ctx->verifyPostHandshake = 0;
#endif
if (mode != WOLFSSL_VERIFY_DEFAULT) {
if (mode == WOLFSSL_VERIFY_NONE) {
@@ -11291,6 +11294,11 @@ void wolfSSL_CTX_set_verify(WOLFSSL_CTX* ctx, int mode, VerifyCallback vc)
if (mode & WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
ctx->failNoCert = 1;
}
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
if (mode & WOLFSSL_VERIFY_POST_HANDSHAKE) {
ctx->verifyPostHandshake = 1;
}
#endif
}
}
@@ -11325,6 +11333,10 @@ void wolfSSL_set_verify(WOLFSSL* ssl, int mode, VerifyCallback vc)
== WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT;
ssl->options.failNoCertxPSK = (mode & WOLFSSL_VERIFY_FAIL_EXCEPT_PSK)
== WOLFSSL_VERIFY_FAIL_EXCEPT_PSK;
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
ssl->options.verifyPostHandshake = (mode & WOLFSSL_VERIFY_POST_HANDSHAKE)
== WOLFSSL_VERIFY_POST_HANDSHAKE;
#endif
ssl->verifyCallback = vc;
}
@@ -46581,6 +46593,11 @@ int wolfSSL_get_verify_mode(const WOLFSSL* ssl) {
if (ssl->options.failNoCertxPSK) {
mode |= WOLFSSL_VERIFY_FAIL_EXCEPT_PSK;
}
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
if (ssl->options.verifyPostHandshake) {
mode |= WOLFSSL_VERIFY_POST_HANDSHAKE;
}
#endif
}
WOLFSSL_LEAVE("wolfSSL_get_verify_mode", mode);
@@ -46609,6 +46626,11 @@ int wolfSSL_CTX_get_verify_mode(const WOLFSSL_CTX* ctx)
if (ctx->failNoCertxPSK) {
mode |= WOLFSSL_VERIFY_FAIL_EXCEPT_PSK;
}
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
if (ctx->verifyPostHandshake) {
mode |= WOLFSSL_VERIFY_POST_HANDSHAKE;
}
#endif
}
WOLFSSL_LEAVE("wolfSSL_CTX_get_verify_mode", mode);
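Review bot: Neither setter documents what the new bit does, and wolfSSL_set_verify on L46-L49 stores it unconditionally while the tls13.c change only honors it together with verifyPeer, so `WOLFSSL_VERIFY_POST_HANDSHAKE` on its own is accepted and echoed back by the getters yet changes nothing. A comment above the new block in both setters would save a caller from that trap, e.g. `/* TLS 1.3 server only; meaningful with WOLFSSL_VERIFY_PEER: defer the CertificateRequest to a post-handshake request issued by the application */`. Note also that wolfSSL_CTX_set_verify clears the flag on every call (L27), so re-calling it just to swap the callback silently re-enables the in-handshake request unless the bit is passed again — consistent with how failNoCert is treated, but worth a line in the API documentation because the effect is a change in when client authentication happens. All four functions start and end outside these hunks.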


@@ -9414,7 +9414,11 @@ int wolfSSL_accept_TLSv13(WOLFSSL* ssl)
case TLS13_SERVER_EXTENSIONS_SENT :
#ifndef NO_CERTS
if (!ssl->options.resuming) {
if (ssl->options.verifyPeer) {
if (ssl->options.verifyPeer
#ifdef WOLFSSL_POST_HANDSHAKE_AUTH
&& !ssl->options.verifyPostHandshake
#endif
) {
ssl->error = SendTls13CertificateRequest(ssl, NULL, 0);
if (ssl->error != 0) {
WOLFSSL_ERROR(ssl->error);
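Review bot: The new condition on L82-L86 skips the in-handshake CertificateRequest whenever verifyPostHandshake is set, without checking that this particular client offered the post_handshake_auth extension; RFC 8446 §4.6.2 forbids a post-handshake CertificateRequest to a client that did not, so with such a client the handshake completes with no client authentication and the application's later post-handshake request can only fail. If matching OpenSSL (where the later request simply errors) is the intent, that should be stated at the condition; otherwise the safer fallback is to keep the in-handshake request when the client did not offer the extension, e.g. `&& !(ssl->options.verifyPostHandshake && ssl->options.postHandshakeAuth)` — assuming the server-side options.postHandshakeAuth records the peer's extension, which this hunk does not show (the internal.h comment describes it as the client-side send flag, so confirm before relying on it). Either way a one-line comment such as `/* VERIFY_POST_HANDSHAKE: client auth is deferred to an application-issued post-handshake request */` belongs above the condition, since the security consequence is not obvious from the flag name. wolfSSL_accept_TLSv13 starts and ends outside the hunk.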


@@ -36964,6 +36964,11 @@ static void test_wolfSSL_verify_mode(void)
wolfSSL_set_verify(ssl, SSL_VERIFY_FAIL_EXCEPT_PSK, 0);
AssertIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_FAIL_EXCEPT_PSK);
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
wolfSSL_set_verify(ssl, SSL_VERIFY_POST_HANDSHAKE, 0);
AssertIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_POST_HANDSHAKE);
#endif
AssertIntEQ(SSL_CTX_get_verify_mode(ctx),
WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT);
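Review bot: The new assertion on L97-L98 only round-trips the bit through wolfSSL_set_verify/SSL_get_verify_mode, and it does so with SSL_VERIFY_POST_HANDSHAKE alone — the one combination that has no effect, since the tls13.c change consults verifyPostHandshake only when verifyPeer is set. Add a round-trip for `SSL_VERIFY_PEER | SSL_VERIFY_POST_HANDSHAKE`, and a TLS 1.3 handshake test asserting that the server sends no CertificateRequest during the handshake and that the client is authenticated once the post-handshake request is issued; without that, the security-relevant path introduced by this PR is untested. test_wolfSSL_verify_mode continues outside the hunk.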


@@ -2853,6 +2853,8 @@ struct WOLFSSL_CTX {
byte mutualAuth:1; /* Mutual authentication required */
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
byte postHandshakeAuth:1; /* Post-handshake auth supported. */
byte verifyPostHandshake:1; /* Only send client cert req post
* handshake, not also during */
#endif
#ifndef NO_DH
#if !defined(WOLFSSL_OLD_PRIME_CHECK) && !defined(HAVE_FIPS) && \
@@ -3661,6 +3663,8 @@ typedef struct Options {
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
word16 postHandshakeAuth:1;/* Client send post_handshake_auth
* extension */
word16 verifyPostHandshake:1; /* Only send client cert req post
* handshake, not also during */
#endif
#if defined(WOLFSSL_TLS13) && !defined(NO_WOLFSSL_SERVER)
word16 sendCookie:1; /* Server creates a Cookie in HRR */
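Review bot: The field comment on L109-L110 and L118-L119, `Only send client cert req post handshake, not also during`, leaves out what a reader of the flag most needs: it is a server-side TLS 1.3 setting, it takes effect only when verifyPeer is also set, and it means the application itself must issue the post-handshake certificate request before treating the client as authenticated. Suggest `/* Server, TLS 1.3: with verifyPeer, defer the CertificateRequest to an application-issued post-handshake request instead of sending it in the handshake */` on both fields, so nobody enables it expecting the library to authenticate the client on its own. Both structs start and end outside these hunks.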


@@ -2190,6 +2190,7 @@ WOLFSSL_API void wolfSSL_ERR_print_errors(WOLFSSL_BIO *bio);
#define SSL_VERIFY_PEER WOLFSSL_VERIFY_PEER
#define SSL_VERIFY_FAIL_IF_NO_PEER_CERT WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT
#define SSL_VERIFY_CLIENT_ONCE WOLFSSL_VERIFY_CLIENT_ONCE
#define SSL_VERIFY_POST_HANDSHAKE WOLFSSL_VERIFY_POST_HANDSHAKE
#define SSL_VERIFY_FAIL_EXCEPT_PSK WOLFSSL_VERIFY_FAIL_EXCEPT_PSK
#define SSL_SESS_CACHE_OFF WOLFSSL_SESS_CACHE_OFF
@@ -2260,7 +2261,8 @@ enum { /* ssl Constants */
WOLFSSL_VERIFY_PEER = 1 << 0,
WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT = 1 << 1,
WOLFSSL_VERIFY_CLIENT_ONCE = 1 << 2,
WOLFSSL_VERIFY_FAIL_EXCEPT_PSK = 1 << 3,
WOLFSSL_VERIFY_POST_HANDSHAKE = 1 << 3,
WOLFSSL_VERIFY_FAIL_EXCEPT_PSK = 1 << 4,
WOLFSSL_VERIFY_DEFAULT = 1 << 9,
WOLFSSL_SESS_CACHE_OFF = 0x0000,
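Review bot: Renumbering WOLFSSL_VERIFY_FAIL_EXCEPT_PSK from 1 << 3 to 1 << 4 on L137-L139 is a public ABI break with a security consequence: an application compiled against the old header passes the value 8 meaning FAIL_EXCEPT_PSK, which the new library now reads as WOLFSSL_VERIFY_POST_HANDSHAKE, so failNoCertxPSK is never set and, per the tls13.c change, a TLS 1.3 server stops requesting the client certificate during the handshake — a mutual-authentication requirement silently disappears. If the value 8 was chosen to match OpenSSL's SSL_VERIFY_POST_HANDSHAKE, that trade-off should be stated in the changelog and in a comment on the enum; otherwise appending `WOLFSSL_VERIFY_POST_HANDSHAKE = 1 << 4,` after FAIL_EXCEPT_PSK keeps existing binaries and bindings correct. The C# wrapper in this PR shows that bindings hard-code these numbers, so any other binding not in the diff needs the same update.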


@@ -397,7 +397,8 @@ namespace wolfSSL.CSharp {
public static readonly int SSL_VERIFY_PEER = 1;
public static readonly int SSL_VERIFY_FAIL_IF_NO_PEER_CERT = 2;
public static readonly int SSL_VERIFY_CLIENT_ONCE = 4;
public static readonly int SSL_VERIFY_FAIL_EXCEPT_PSK = 8;
public static readonly int SSL_VERIFY_POST_HANDSHAKE = 8;
public static readonly int SSL_VERIFY_FAIL_EXCEPT_PSK = 16;
public static readonly int CBIO_ERR_GENERAL = -1;
public static readonly int CBIO_ERR_WANT_READ = -2;