From de04d8a48600281caeb031b0b8cb8a922048f9e5 Mon Sep 17 00:00:00 2001 From: Kareem Date: Tue, 8 Apr 2025 14:32:31 -0700 Subject: [PATCH 1/2] Make trusted_ca_keys check opt-in. It is not required according to the RFC. --- src/tls.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/src/tls.c b/src/tls.c index 34c04902f..f86023d9d 100644 --- a/src/tls.c +++ b/src/tls.c @@ -2971,7 +2971,9 @@ static int TLSX_TCA_VerifyParse(WOLFSSL* ssl, byte isRequest) (void)ssl; if (!isRequest) { - #ifndef NO_WOLFSSL_CLIENT + /* RFC 6066 section 6 states that the server responding to trusted_ca_keys + is optional. Do not error out unless opted into with the define WOLFSSL_REQUIRE_TCA. */ + #if !defined(NO_WOLFSSL_CLIENT) && defined(WOLFSSL_REQUIRE_TCA) TLSX* extension = TLSX_Find(ssl->extensions, TLSX_TRUSTED_CA_KEYS); if (extension && !extension->resp) { @@ -2979,7 +2981,9 @@ static int TLSX_TCA_VerifyParse(WOLFSSL* ssl, byte isRequest) WOLFSSL_ERROR_VERBOSE(TCA_ABSENT_ERROR); return TCA_ABSENT_ERROR; } - #endif /* NO_WOLFSSL_CLIENT */ + #else + WOLFSSL_MSG("No response received for trusted_ca_keys. Continuing."); + #endif /* !NO_WOLFSSL_CLIENT && WOLFSSL_REQUIRE_TCA */ } return 0; From 4808ce1b8c8fdfb1db1c623cfc8f0fa29d7e7e97 Mon Sep 17 00:00:00 2001 From: Kareem Date: Thu, 10 Apr 2025 15:48:50 -0700 Subject: [PATCH 2/2] Add new macro to known macros, reformat comment to fit in max length. --- .wolfssl_known_macro_extras | 1 + src/tls.c | 5 +++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.wolfssl_known_macro_extras b/.wolfssl_known_macro_extras index 0dc46fcab..3fe7c1926 100644 --- a/.wolfssl_known_macro_extras +++ b/.wolfssl_known_macro_extras @@ -764,6 +764,7 @@ WOLFSSL_RENESAS_RSIP WOLFSSL_RENESAS_RZN2L WOLFSSL_RENESAS_TLS WOLFSSL_RENESAS_TSIP_IAREWRX +WOLFSSL_REQUIRE_TCA WOLFSSL_RSA_CHECK_D_ON_DECRYPT WOLFSSL_RSA_DECRYPT_TO_0_LEN WOLFSSL_RW_THREADED diff --git a/src/tls.c b/src/tls.c index f86023d9d..6ad21c924 100644 --- a/src/tls.c 
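Review bot: The `#else` branch that the second hunk adds logs `"No response received for trusted_ca_keys. Continuing."` without consulting `extension->resp`, so in the default build (WOLFSSL_REQUIRE_TCA undefined) the message is emitted on every `!isRequest` pass whether or not the server actually echoed the extension, and it is now also compiled into NO_WOLFSSL_CLIENT builds, which previously had no code in this branch. Keeping the `TLSX_Find` lookup and the `!extension->resp` test under the original `#ifndef NO_WOLFSSL_CLIENT` and gating only the error return on WOLFSSL_REQUIRE_TCA keeps the diagnostic truthful and leaves the server-only build as it was. The one original line between `if (extension && !extension->resp) {` (end of the first hunk) and `WOLFSSL_ERROR_VERBOSE(TCA_ABSENT_ERROR);` (start of the second) is not visible here, so the sketch below leaves it in place. TLSX_TCA_VerifyParse begins before the first hunk and its closing brace lies after the second.
```c
    if (!isRequest) {
    #ifndef NO_WOLFSSL_CLIENT
        TLSX* extension = TLSX_Find(ssl->extensions, TLSX_TRUSTED_CA_KEYS);

        if (extension && !extension->resp) {
            /* … unchanged: existing line at the top of this block … */
        #ifdef WOLFSSL_REQUIRE_TCA
            WOLFSSL_ERROR_VERBOSE(TCA_ABSENT_ERROR);
            return TCA_ABSENT_ERROR;
        #else
            /* RFC 6066 section 6: the server MAY omit trusted_ca_keys from
             * its ServerHello, so only report the absence and continue. */
            WOLFSSL_MSG("No response received for trusted_ca_keys. Continuing.");
        #endif /* WOLFSSL_REQUIRE_TCA */
        }
    #endif /* NO_WOLFSSL_CLIENT */
    }
```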
+++ b/src/tls.c @@ -2971,8 +2971,9 @@ static int TLSX_TCA_VerifyParse(WOLFSSL* ssl, byte isRequest) (void)ssl; if (!isRequest) { - /* RFC 6066 section 6 states that the server responding to trusted_ca_keys - is optional. Do not error out unless opted into with the define WOLFSSL_REQUIRE_TCA. */ + /* RFC 6066 section 6 states that the server responding + * to trusted_ca_keys is optional. Do not error out unless + * opted into with the define WOLFSSL_REQUIRE_TCA. */ #if !defined(NO_WOLFSSL_CLIENT) && defined(WOLFSSL_REQUIRE_TCA) TLSX* extension = TLSX_Find(ssl->extensions, TLSX_TRUSTED_CA_KEYS);