feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

add support for WOLFSSL_VERIFY_POST_HANDSHAKE verify mode

Browse Source
This commit is contained in:
Chris Conlon
2021-08-13 17:15:51 -06:00
parent ef0fb6520d
commit 070029fd08
7 changed files with 42 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
src/internal.c
View File

@ -6218,6 +6218,7 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
ssl->options.noPskDheKe = ctx->noPskDheKe;
#if defined(WOLFSSL_POST_HANDSHAKE_AUTH)
ssl->options.postHandshakeAuth = ctx->postHandshakeAuth;
ssl->options.verifyPostHandshake = ctx->verifyPostHandshake;
#endif
if (ctx->numGroups > 0) {

22
src/ssl.c
View File

@ -11260,6 +11260,9 @@ void wolfSSL_CTX_set_verify(WOLFSSL_CTX* ctx, int mode, VerifyCallback vc)
ctx->verifyNone = 0;
ctx->failNoCert = 0;
ctx->failNoCertxPSK = 0;
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
ctx->verifyPostHandshake = 0;
#endif
if (mode != WOLFSSL_VERIFY_DEFAULT) {
if (mode == WOLFSSL_VERIFY_NONE) {
@ -11275,6 +11278,11 @@ void wolfSSL_CTX_set_verify(WOLFSSL_CTX* ctx, int mode, VerifyCallback vc)
if (mode & WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
ctx->failNoCert = 1;
}
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
if (mode & WOLFSSL_VERIFY_POST_HANDSHAKE) {
ctx->verifyPostHandshake = 1;
}
#endif
}
}
@ -11309,6 +11317,10 @@ void wolfSSL_set_verify(WOLFSSL* ssl, int mode, VerifyCallback vc)
== WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT;
ssl->options.failNoCertxPSK = (mode & WOLFSSL_VERIFY_FAIL_EXCEPT_PSK)
== WOLFSSL_VERIFY_FAIL_EXCEPT_PSK;
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
ssl->options.verifyPostHandshake = (mode & WOLFSSL_VERIFY_POST_HANDSHAKE)
== WOLFSSL_VERIFY_POST_HANDSHAKE;
#endif
ssl->verifyCallback = vc;
}
@ -46568,6 +46580,11 @@ int wolfSSL_get_verify_mode(const WOLFSSL* ssl) {
if (ssl->options.failNoCertxPSK) {
mode |= WOLFSSL_VERIFY_FAIL_EXCEPT_PSK;
}
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
if (ssl->options.verifyPostHandshake) {
mode |= WOLFSSL_VERIFY_POST_HANDSHAKE;
}
#endif
}
WOLFSSL_LEAVE("wolfSSL_get_verify_mode", mode);
@ -46596,6 +46613,11 @@ int wolfSSL_CTX_get_verify_mode(const WOLFSSL_CTX* ctx)
if (ctx->failNoCertxPSK) {
mode |= WOLFSSL_VERIFY_FAIL_EXCEPT_PSK;
}
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
if (ctx->verifyPostHandshake) {
mode |= WOLFSSL_VERIFY_POST_HANDSHAKE;
}
#endif
}
WOLFSSL_LEAVE("wolfSSL_CTX_get_verify_mode", mode);

6
src/tls13.c
View File

@ -9401,7 +9401,11 @@ int wolfSSL_accept_TLSv13(WOLFSSL* ssl)
case TLS13_SERVER_EXTENSIONS_SENT :
#ifndef NO_CERTS
if (!ssl->options.resuming) {
if (ssl->options.verifyPeer) {
if (ssl->options.verifyPeer
#ifdef WOLFSSL_POST_HANDSHAKE_AUTH
&& !ssl->options.verifyPostHandshake
#endif
) {
ssl->error = SendTls13CertificateRequest(ssl, NULL, 0);
if (ssl->error != 0) {
WOLFSSL_ERROR(ssl->error);

5
tests/api.c
View File

@ -36961,6 +36961,11 @@ static void test_wolfSSL_verify_mode(void)
wolfSSL_set_verify(ssl, SSL_VERIFY_FAIL_EXCEPT_PSK, 0);
AssertIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_FAIL_EXCEPT_PSK);
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
wolfSSL_set_verify(ssl, SSL_VERIFY_POST_HANDSHAKE, 0);
AssertIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_POST_HANDSHAKE);
#endif
AssertIntEQ(SSL_CTX_get_verify_mode(ctx),
WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT);

4
wolfssl/internal.h
View File

@ -2854,6 +2854,8 @@ struct WOLFSSL_CTX {
byte mutualAuth:1; /* Mutual authentication required */
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
byte postHandshakeAuth:1; /* Post-handshake auth supported. */
byte verifyPostHandshake:1; /* Only send client cert req post
* handshake, not also during */
#endif
#ifndef NO_DH
#if !defined(WOLFSSL_OLD_PRIME_CHECK) && !defined(HAVE_FIPS) && \
@ -3662,6 +3664,8 @@ typedef struct Options {
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
word16 postHandshakeAuth:1;/* Client send post_handshake_auth
* extension */
word16 verifyPostHandshake:1; /* Only send client cert req post
* handshake, not also during */
#endif
#if defined(WOLFSSL_TLS13) && !defined(NO_WOLFSSL_SERVER)
word16 sendCookie:1; /* Server creates a Cookie in HRR */

4
wolfssl/ssl.h
View File

@ -2186,6 +2186,7 @@ WOLFSSL_API void wolfSSL_ERR_print_errors(WOLFSSL_BIO *bio);
#define SSL_VERIFY_PEER WOLFSSL_VERIFY_PEER
#define SSL_VERIFY_FAIL_IF_NO_PEER_CERT WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT
#define SSL_VERIFY_CLIENT_ONCE WOLFSSL_VERIFY_CLIENT_ONCE
#define SSL_VERIFY_POST_HANDSHAKE WOLFSSL_VERIFY_POST_HANDSHAKE
#define SSL_VERIFY_FAIL_EXCEPT_PSK WOLFSSL_VERIFY_FAIL_EXCEPT_PSK
#define SSL_SESS_CACHE_OFF WOLFSSL_SESS_CACHE_OFF
@ -2256,7 +2257,8 @@ enum { /* ssl Constants */
WOLFSSL_VERIFY_PEER = 1 << 0,
WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT = 1 << 1,
WOLFSSL_VERIFY_CLIENT_ONCE = 1 << 2,
WOLFSSL_VERIFY_FAIL_EXCEPT_PSK = 1 << 3,
WOLFSSL_VERIFY_POST_HANDSHAKE = 1 << 3,
WOLFSSL_VERIFY_FAIL_EXCEPT_PSK = 1 << 4,
WOLFSSL_VERIFY_DEFAULT = 1 << 9,
WOLFSSL_SESS_CACHE_OFF = 0x0000,

3
wrapper/CSharp/wolfSSL_CSharp/wolfSSL.cs
View File

@ -397,7 +397,8 @@ namespace wolfSSL.CSharp {
public static readonly int SSL_VERIFY_PEER = 1;
public static readonly int SSL_VERIFY_FAIL_IF_NO_PEER_CERT = 2;
public static readonly int SSL_VERIFY_CLIENT_ONCE = 4;
public static readonly int SSL_VERIFY_FAIL_EXCEPT_PSK = 8;
public static readonly int SSL_VERIFY_POST_HANDSHAKE = 8;
public static readonly int SSL_VERIFY_FAIL_EXCEPT_PSK = 16;
public static readonly int CBIO_ERR_GENERAL = -1;
public static readonly int CBIO_ERR_WANT_READ = -2;