Merge pull request #8653 from kareem-wolfssl/zd19696
Make trusted_ca_keys check opt-in.
@@ -781,6 +781,7 @@ WOLFSSL_RENESAS_RSIP
|
|||||||
WOLFSSL_RENESAS_RZN2L
|
WOLFSSL_RENESAS_RZN2L
|
||||||
WOLFSSL_RENESAS_TLS
|
WOLFSSL_RENESAS_TLS
|
||||||
WOLFSSL_RENESAS_TSIP_IAREWRX
|
WOLFSSL_RENESAS_TSIP_IAREWRX
|
||||||
|
WOLFSSL_REQUIRE_TCA
|
||||||
WOLFSSL_RSA_CHECK_D_ON_DECRYPT
|
WOLFSSL_RSA_CHECK_D_ON_DECRYPT
|
||||||
WOLFSSL_RSA_DECRYPT_TO_0_LEN
|
WOLFSSL_RSA_DECRYPT_TO_0_LEN
|
||||||
WOLFSSL_RW_THREADED
|
WOLFSSL_RW_THREADED
|
||||||
|
@@ -2971,7 +2971,10 @@ static int TLSX_TCA_VerifyParse(WOLFSSL* ssl, byte isRequest)
|
|||||||
(void)ssl;
|
(void)ssl;
|
||||||
|
|
||||||
if (!isRequest) {
|
if (!isRequest) {
|
||||||
#ifndef NO_WOLFSSL_CLIENT
|
/* RFC 6066 section 6 states that the server responding
|
||||||
|
* to trusted_ca_keys is optional. Do not error out unless
|
||||||
|
* opted into with the define WOLFSSL_REQUIRE_TCA. */
|
||||||
|
#if !defined(NO_WOLFSSL_CLIENT) && defined(WOLFSSL_REQUIRE_TCA)
|
||||||
TLSX* extension = TLSX_Find(ssl->extensions, TLSX_TRUSTED_CA_KEYS);
|
TLSX* extension = TLSX_Find(ssl->extensions, TLSX_TRUSTED_CA_KEYS);
|
||||||
|
|
||||||
if (extension && !extension->resp) {
|
if (extension && !extension->resp) {
|
||||||
@@ -2979,7 +2982,9 @@ static int TLSX_TCA_VerifyParse(WOLFSSL* ssl, byte isRequest)
|
|||||||
WOLFSSL_ERROR_VERBOSE(TCA_ABSENT_ERROR);
|
WOLFSSL_ERROR_VERBOSE(TCA_ABSENT_ERROR);
|
||||||
return TCA_ABSENT_ERROR;
|
return TCA_ABSENT_ERROR;
|
||||||
}
|
}
|
||||||
#endif /* NO_WOLFSSL_CLIENT */
|
#else
|
||||||
|
WOLFSSL_MSG("No response received for trusted_ca_keys. Continuing.");
|
||||||
|
#endif /* !NO_WOLFSSL_CLIENT && WOLFSSL_REQUIRE_TCA */
|
||||||
}
|
}
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
|
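Review bot: The `WOLFSSL_MSG("No response received for trusted_ca_keys. Continuing.");` line in the new `#else` branch runs unconditionally, outside the `TLSX_Find`/`extension->resp` test that the commit leaves only inside the `WOLFSSL_REQUIRE_TCA` branch, so it is logged on every non-request parse including when the client never offered the extension or the server did acknowledge it, and it is also compiled into `NO_WOLFSSL_CLIENT` builds that the old `#ifndef NO_WOLFSSL_CLIENT` guard excluded. I would keep the lookup and the `resp` test under a single `#ifndef NO_WOLFSSL_CLIENT` and switch only the consequence on `WOLFSSL_REQUIRE_TCA`, as below. The comment should also say why the relaxed default is safe: as I read RFC 6066 §6, the server acknowledges the extension only when it used the hint for certificate selection, and that acknowledgement plays no part in authenticating the server, so chain verification is unaffected whichever way the build is configured. `TLSX_TCA_VerifyParse` starts before the first hunk, and the `if (extension && !extension->resp)` block opened in the first hunk is closed in the second.
```c
    if (!isRequest) {
#ifndef NO_WOLFSSL_CLIENT
        TLSX* extension = TLSX_Find(ssl->extensions, TLSX_TRUSTED_CA_KEYS);

        /* RFC 6066 section 6: the server acknowledges trusted_ca_keys only
         * when it used the hint to pick its certificate, so a missing
         * response is legitimate and does not affect chain verification.
         * Treat it as an error only when the build opts in with
         * WOLFSSL_REQUIRE_TCA. */
        if (extension && !extension->resp) {
#ifdef WOLFSSL_REQUIRE_TCA
            /* … unchanged: WOLFSSL_ERROR_VERBOSE / return TCA_ABSENT_ERROR … */
#else
            WOLFSSL_MSG("No response received for trusted_ca_keys. Continuing.");
#endif
        }
#endif /* !NO_WOLFSSL_CLIENT */
    }
```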