From fdc350fb52ff003a4f36e45d7579202e35c5d062 Mon Sep 17 00:00:00 2001 From: Hayden Roche Date: Mon, 9 Aug 2021 20:03:07 -0700 Subject: [PATCH] Add a macro guard WOLFSSL_CHECK_ALERT_ON_ERR that has the client check for alerts in the event of an error during the handshake. --- src/ssl.c | 12 ++++++++++++ src/tls13.c | 8 ++++++++ 2 files changed, 20 insertions(+) diff --git a/src/ssl.c b/src/ssl.c index 47777744b..b7035c3f2 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -151,6 +151,8 @@ * Enable default behaviour that is compatible with OpenSSL. For example * SSL_CTX by default doesn't verify the loaded certs. Enabling this * should make porting to new projects easier. + * WOLFSSL_CHECK_ALERT_ON_ERR: + * Check for alerts during the handshake in the event of an error. */ #define WOLFSSL_EVP_INCLUDED @@ -13258,7 +13260,9 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, #endif if (ssl->options.sendVerify) { if ( (ssl->error = SendCertificate(ssl)) != 0) { + #ifdef WOLFSSL_CHECK_ALERT_ON_ERR ProcessReplyEx(ssl, 1); /* See if an alert was sent. */ + #endif WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } @@ -13277,7 +13281,9 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, #endif if (!ssl->options.resuming) { if ( (ssl->error = SendClientKeyExchange(ssl)) != 0) { + #ifdef WOLFSSL_CHECK_ALERT_ON_ERR ProcessReplyEx(ssl, 1); /* See if an alert was sent. */ + #endif WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } @@ -13293,7 +13299,9 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CLIENT_AUTH) if (ssl->options.sendVerify) { if ( (ssl->error = SendCertificateVerify(ssl)) != 0) { + #ifdef WOLFSSL_CHECK_ALERT_ON_ERR ProcessReplyEx(ssl, 1); /* See if an alert was sent. */ + #endif WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } @@ -13306,7 +13314,9 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, case FIRST_REPLY_THIRD : if ( (ssl->error = SendChangeCipher(ssl)) != 0) { + #ifdef WOLFSSL_CHECK_ALERT_ON_ERR ProcessReplyEx(ssl, 1); /* See if an alert was sent. */ + #endif WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } @@ -13317,7 +13327,9 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, case FIRST_REPLY_FOURTH : if ( (ssl->error = SendFinished(ssl)) != 0) { + #ifdef WOLFSSL_CHECK_ALERT_ON_ERR ProcessReplyEx(ssl, 1); /* See if an alert was sent. */ + #endif WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } diff --git a/src/tls13.c b/src/tls13.c index c877a9421..5ce191edc 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -69,6 +69,8 @@ * When only one PSK ID is used and only one call to the PSK callback can * be made per connect. * You cannot use wc_psk_client_cs_callback type callback on client. + * WOLFSSL_CHECK_ALERT_ON_ERR + * Check for alerts during the handshake in the event of an error. */ #ifdef HAVE_CONFIG_H @@ -8471,7 +8473,9 @@ int wolfSSL_connect_TLSv13(WOLFSSL* ssl) if (!ssl->options.resuming && ssl->options.sendVerify) { ssl->error = SendTls13Certificate(ssl); if (ssl->error != 0) { + #ifdef WOLFSSL_CHECK_ALERT_ON_ERR ProcessReplyEx(ssl, 1); /* See if an alert was sent. */ + #endif WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } @@ -8490,7 +8494,9 @@ int wolfSSL_connect_TLSv13(WOLFSSL* ssl) if (!ssl->options.resuming && ssl->options.sendVerify) { ssl->error = SendTls13CertificateVerify(ssl); if (ssl->error != 0) { + #ifdef WOLFSSL_CHECK_ALERT_ON_ERR ProcessReplyEx(ssl, 1); /* See if an alert was sent. */ + #endif WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } @@ -8504,7 +8510,9 @@ int wolfSSL_connect_TLSv13(WOLFSSL* ssl) case FIRST_REPLY_FOURTH: if ((ssl->error = SendTls13Finished(ssl)) != 0) { + #ifdef WOLFSSL_CHECK_ALERT_ON_ERR ProcessReplyEx(ssl, 1); /* See if an alert was sent. */ + #endif WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; }