Merge pull request #8653 from kareem-wolfssl/zd19696

Make trusted_ca_keys check opt-in.

.wolfssl_known_macro_extras

@@ -781,6 +781,7 @@ WOLFSSL_RENESAS_RSIP
 WOLFSSL_RENESAS_RZN2L
 WOLFSSL_RENESAS_TLS
 WOLFSSL_RENESAS_TSIP_IAREWRX
+WOLFSSL_REQUIRE_TCA
 WOLFSSL_RSA_CHECK_D_ON_DECRYPT
 WOLFSSL_RSA_DECRYPT_TO_0_LEN
 WOLFSSL_RW_THREADED

src/tls.c

@@ -2971,7 +2971,10 @@ static int TLSX_TCA_VerifyParse(WOLFSSL* ssl, byte isRequest)
     (void)ssl;
 
     if (!isRequest) {
-    #ifndef NO_WOLFSSL_CLIENT
+        /* RFC 6066 section 6 states that the server responding
+         * to trusted_ca_keys is optional.  Do not error out unless
+         * opted into with the define WOLFSSL_REQUIRE_TCA. */
+    #if !defined(NO_WOLFSSL_CLIENT) && defined(WOLFSSL_REQUIRE_TCA)
         TLSX* extension = TLSX_Find(ssl->extensions, TLSX_TRUSTED_CA_KEYS);
 
         if (extension && !extension->resp) {
@@ -2979,7 +2982,9 @@ static int TLSX_TCA_VerifyParse(WOLFSSL* ssl, byte isRequest)
             WOLFSSL_ERROR_VERBOSE(TCA_ABSENT_ERROR);
             return TCA_ABSENT_ERROR;
         }
-    #endif /* NO_WOLFSSL_CLIENT */
+    #else
+        WOLFSSL_MSG("No response received for trusted_ca_keys.  Continuing.");
+    #endif /* !NO_WOLFSSL_CLIENT && WOLFSSL_REQUIRE_TCA */
     }
 
     return 0;