Change to work for other TLS versions

Send alert when client doesn't send a certificate on request.

examples/server/server.c

@@ -614,9 +614,7 @@ static const char* server_usage_msg[][49] = {
 #ifdef HAVE_SESSION_TICKET
         "-T          Do not generate session ticket\n",                 /* 44 */
 #endif
-#ifdef WOLFSSL_TLS13
-        "-F          Mutual authentication is required\n",              /* 45 */
-#endif
+        "-F          Send alert if no mutual authentication\n",         /* 45 */
 #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
         "-Q          Request certificate from client post-handshake\n", /* 46 */
 #endif
@@ -737,9 +735,7 @@ static const char* server_usage_msg[][49] = {
 #ifdef HAVE_SESSION_TICKET
         "-T         セッションチケットを生成しない\n",                  /* 44 */
 #endif
-#ifdef WOLFSSL_TLS13
-        "-F          Mutual authentication is required\n",              /* 45 */
-#endif
+        "-F          Send alert if no mutual authentication\n",         /* 45 */
 #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
         "-Q          クライアントのポストハンドシェイクから"
                                               "証明書を要求する\n",     /* 46 */
@@ -858,9 +854,7 @@ static void Usage(void)
 #ifdef HAVE_SESSION_TICKET
     printf("%s", msg[++msgId]);     /* -T */
 #endif
-#ifdef WOLFSSL_TLS13
     printf("%s", msg[++msgId]);     /* -F */
-#endif
 #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
     printf("%s", msg[++msgId]);     /* -Q */
 #endif
@@ -995,7 +989,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
     int noPskDheKe = 0;
 #endif
     int updateKeysIVs = 0;
-    int tls13MutualAuth = 0;
+    int mutualAuth = 0;
     int postHandAuth = 0;
 #ifdef WOLFSSL_EARLY_DATA
     int earlyData = 0;
@@ -1081,7 +1075,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
     (void)crlFlags;
     (void)readySignal;
     (void)updateKeysIVs;
-    (void)tls13MutualAuth;
+    (void)mutualAuth;
     (void)postHandAuth;
     (void)mcastID;
     (void)loadCertKeyIntoSSLObj;
@@ -1414,9 +1408,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
                 break;
 
             case 'F' :
-                #ifdef WOLFSSL_TLS13
-                    tls13MutualAuth = 1;
-                #endif
+                    mutualAuth = 1;
                 break;
 
             case 'Q' :
@@ -1762,8 +1754,8 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
         }
 #endif
     }
-#ifdef WOLFSSL_TLS13
-    if (tls13MutualAuth)
+#ifndef NO_CERTS
+    if (mutualAuth)
         wolfSSL_CTX_mutual_auth(ctx, 1);
 #endif
 

src/internal.c

@@ -5667,13 +5667,13 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
     ssl->options.haveEMS = ctx->haveEMS;
 #endif
     ssl->options.useClientOrder = ctx->useClientOrder;
+    ssl->options.mutualAuth = ctx->mutualAuth;
 
 #ifdef WOLFSSL_TLS13
     #ifdef HAVE_SESSION_TICKET
         ssl->options.noTicketTls13 = ctx->noTicketTls13;
     #endif
     ssl->options.noPskDheKe = ctx->noPskDheKe;
-    ssl->options.mutualAuth = ctx->mutualAuth;
     #if defined(WOLFSSL_POST_HANDSHAKE_AUTH)
         ssl->options.postHandshakeAuth = ctx->postHandshakeAuth;
     #endif
@@ -9831,7 +9831,15 @@ static void DoCertFatalAlert(WOLFSSL* ssl, int ret)
     }
 #endif
     else if (ret == NO_PEER_CERT) {
-        alertWhy = certificate_required;
+#ifdef WOLFSSL_TLS13
+        if (ssl->options.tls1_3) {
+            alertWhy = certificate_required;
+        }
+        else
+#endif
+        {
+            alertWhy = handshake_failure;
+        }
     }
 
     /* send fatal alert and mark connection closed */
@@ -10604,14 +10612,11 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
             args->count = args->totalCerts;
             args->certIdx = 0; /* select peer cert (first one) */
 
-        #ifdef WOLFSSL_TLS13
-            if (args->count == 0 && ssl->options.tls1_3 &&
-                                      ssl->options.mutualAuth &&
+            if (args->count == 0 && ssl->options.mutualAuth &&
                                       ssl->options.side == WOLFSSL_SERVER_END) {
                 ret = NO_PEER_CERT;
                 DoCertFatalAlert(ssl, ret);
             }
-        #endif
 
             args->dCertInit = 0;
         #ifndef WOLFSSL_SMALL_CERT_VERIFY

src/ssl.c

@@ -956,6 +956,47 @@ int wolfSSL_dtls(WOLFSSL* ssl)
     return dtlsOpt;
 }
 
+#if !defined(NO_CERTS)
+/* Set whether mutual authentication is required for connections.
+ * Server side only.
+ *
+ * ctx  The SSL/TLS CTX object.
+ * req  1 to indicate required and 0 when not.
+ * returns BAD_FUNC_ARG when ctx is NULL, SIDE_ERROR when not a server and
+ * 0 on success.
+ */
+int wolfSSL_CTX_mutual_auth(WOLFSSL_CTX* ctx, int req)
+{
+    if (ctx == NULL)
+        return BAD_FUNC_ARG;
+    if (ctx->method->side == WOLFSSL_CLIENT_END)
+        return SIDE_ERROR;
+
+    ctx->mutualAuth = (byte)req;
+
+    return 0;
+}
+
+/* Set whether mutual authentication is required for the connection.
+ * Server side only.
+ *
+ * ssl  The SSL/TLS object.
+ * req  1 to indicate required and 0 when not.
+ * returns BAD_FUNC_ARG when ssl is NULL, or not using TLS v1.3,
+ * SIDE_ERROR when not a client and 0 on success.
+ */
+int wolfSSL_mutual_auth(WOLFSSL* ssl, int req)
+{
+    if (ssl == NULL)
+        return BAD_FUNC_ARG;
+    if (ssl->options.side == WOLFSSL_SERVER_END)
+        return SIDE_ERROR;
+
+    ssl->options.mutualAuth = (word16)req;
+
+    return 0;
+}
+#endif /* NO_CERTS */
 
 #ifndef WOLFSSL_LEANPSK
 int wolfSSL_dtls_set_peer(WOLFSSL* ssl, void* peer, unsigned int peerSz)

src/tls13.c

@@ -8292,48 +8292,6 @@ int wolfSSL_update_keys(WOLFSSL* ssl)
     return ret;
 }
 
-#if !defined(NO_CERTS)
-/* Set whether mutual authentication is required for TLS v1.3 connections.
- * Server side only.
- *
- * ctx  The SSL/TLS CTX object.
- * req  1 to indicate required and 0 when not.
- * returns BAD_FUNC_ARG when ctx is NULL, SIDE_ERROR when not a server and
- * 0 on success.
- */
-int wolfSSL_CTX_mutual_auth(WOLFSSL_CTX* ctx, int req)
-{
-    if (ctx == NULL || !IsAtLeastTLSv1_3(ctx->method->version))
-        return BAD_FUNC_ARG;
-    if (ctx->method->side == WOLFSSL_CLIENT_END)
-        return SIDE_ERROR;
-
-    ctx->mutualAuth = req;
-
-    return 0;
-}
-
-/* Set whether mutual authentication is required for a TLS v1.3 connection.
- * Server side only.
- *
- * ssl  The SSL/TLS object.
- * req  1 to indicate required and 0 when not.
- * returns BAD_FUNC_ARG when ssl is NULL, or not using TLS v1.3,
- * SIDE_ERROR when not a client and 0 on success.
- */
-int wolfSSL_mutual_auth(WOLFSSL* ssl, int req)
-{
-    if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version))
-        return BAD_FUNC_ARG;
-    if (ssl->options.side == WOLFSSL_SERVER_END)
-        return SIDE_ERROR;
-
-    ssl->options.mutualAuth = req;
-
-    return 0;
-}
-#endif /* NO_CERTS */
-
 #if !defined(NO_CERTS) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
 /* Allow post-handshake authentication in TLS v1.3 connections.
  *

tests/test-fails.conf

@@ -169,3 +169,11 @@
 -v 3
 -l ECDHE-ECDSA-AES128-GCM-SHA256
 -H verifyFail
+
+# server send alert on no mutual authentication
+-v 3
+-F
+
+# client send alert on no mutual authentication
+-v 3
+-x

wolfssl/internal.h

@@ -2658,8 +2658,8 @@ struct WOLFSSL_CTX {
 #ifdef WOLFSSL_TLS13
     byte        noTicketTls13:1;  /* Server won't create new Ticket */
     byte        noPskDheKe:1;     /* Don't use (EC)DHE with PSK */
-    byte        mutualAuth:1;     /* Mutual authentication required */
 #endif
+    byte        mutualAuth:1;     /* Mutual authentication required */
 #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
     byte        postHandshakeAuth:1;  /* Post-handshake auth supported. */
 #endif
@@ -3412,9 +3412,7 @@ typedef struct Options {
 #endif
     word16            keepResources:1;    /* Keep resources after handshake */
     word16            useClientOrder:1;   /* Use client's cipher order */
-#ifdef WOLFSSL_TLS13
     word16            mutualAuth:1;       /* Mutual authentication is rquired */
-#endif
 #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
     word16            postHandshakeAuth:1;/* Client send post_handshake_auth
                                            * extension */

wolfssl/ssl.h

@@ -859,6 +859,8 @@ WOLFSSL_ABI WOLFSSL_API int  wolfSSL_write(WOLFSSL*, const void*, int);
 WOLFSSL_ABI WOLFSSL_API int  wolfSSL_read(WOLFSSL*, void*, int);
 WOLFSSL_API int  wolfSSL_peek(WOLFSSL*, void*, int);
 WOLFSSL_API int  wolfSSL_accept(WOLFSSL*);
+WOLFSSL_API int  wolfSSL_CTX_mutual_auth(WOLFSSL_CTX* ctx, int req);
+WOLFSSL_API int  wolfSSL_mutual_auth(WOLFSSL* ssl, int req);
 #ifdef WOLFSSL_TLS13
 WOLFSSL_API int  wolfSSL_send_hrr_cookie(WOLFSSL* ssl,
     const unsigned char* secret, unsigned int secretSz);
@@ -867,8 +869,6 @@ WOLFSSL_API int  wolfSSL_no_ticket_TLSv13(WOLFSSL* ssl);
 WOLFSSL_API int  wolfSSL_CTX_no_dhe_psk(WOLFSSL_CTX* ctx);
 WOLFSSL_API int  wolfSSL_no_dhe_psk(WOLFSSL* ssl);
 WOLFSSL_API int  wolfSSL_update_keys(WOLFSSL* ssl);
-WOLFSSL_API int  wolfSSL_CTX_mutual_auth(WOLFSSL_CTX* ctx, int req);
-WOLFSSL_API int  wolfSSL_mutual_auth(WOLFSSL* ssl, int req);
 WOLFSSL_API int  wolfSSL_CTX_allow_post_handshake_auth(WOLFSSL_CTX* ctx);
 WOLFSSL_API int  wolfSSL_allow_post_handshake_auth(WOLFSSL* ssl);
 WOLFSSL_API int  wolfSSL_request_certificate(WOLFSSL* ssl);