feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Add a macro guard WOLFSSL_CHECK_ALERT_ON_ERR that has the client check for

Browse Source 
alerts in the event of an error during the handshake.
This commit is contained in:
Hayden Roche
2021-08-09 20:03:07 -07:00
parent ef5510cbcc
commit fdc350fb52
2 changed files with 20 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
src/ssl.c
View File

@ -151,6 +151,8 @@
* Enable default behaviour that is compatible with OpenSSL. For example * Enable default behaviour that is compatible with OpenSSL. For example
* SSL_CTX by default doesn't verify the loaded certs. Enabling this * SSL_CTX by default doesn't verify the loaded certs. Enabling this
* should make porting to new projects easier. * should make porting to new projects easier.
* WOLFSSL_CHECK_ALERT_ON_ERR:
* Check for alerts during the handshake in the event of an error.
*/ */
#define WOLFSSL_EVP_INCLUDED #define WOLFSSL_EVP_INCLUDED
@ -13258,7 +13260,9 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
#endif #endif
if (ssl->options.sendVerify) { if (ssl->options.sendVerify) {
if ( (ssl->error = SendCertificate(ssl)) != 0) { if ( (ssl->error = SendCertificate(ssl)) != 0) {
#ifdef WOLFSSL_CHECK_ALERT_ON_ERR
ProcessReplyEx(ssl, 1); /* See if an alert was sent. */ ProcessReplyEx(ssl, 1); /* See if an alert was sent. */
#endif
WOLFSSL_ERROR(ssl->error); WOLFSSL_ERROR(ssl->error);
return WOLFSSL_FATAL_ERROR; return WOLFSSL_FATAL_ERROR;
} }
@ -13277,7 +13281,9 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
#endif #endif
if (!ssl->options.resuming) { if (!ssl->options.resuming) {
if ( (ssl->error = SendClientKeyExchange(ssl)) != 0) { if ( (ssl->error = SendClientKeyExchange(ssl)) != 0) {
#ifdef WOLFSSL_CHECK_ALERT_ON_ERR
ProcessReplyEx(ssl, 1); /* See if an alert was sent. */ ProcessReplyEx(ssl, 1); /* See if an alert was sent. */
#endif
WOLFSSL_ERROR(ssl->error); WOLFSSL_ERROR(ssl->error);
return WOLFSSL_FATAL_ERROR; return WOLFSSL_FATAL_ERROR;
} }
@ -13293,7 +13299,9 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CLIENT_AUTH) #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CLIENT_AUTH)
if (ssl->options.sendVerify) { if (ssl->options.sendVerify) {
if ( (ssl->error = SendCertificateVerify(ssl)) != 0) { if ( (ssl->error = SendCertificateVerify(ssl)) != 0) {
#ifdef WOLFSSL_CHECK_ALERT_ON_ERR
ProcessReplyEx(ssl, 1); /* See if an alert was sent. */ ProcessReplyEx(ssl, 1); /* See if an alert was sent. */
#endif
WOLFSSL_ERROR(ssl->error); WOLFSSL_ERROR(ssl->error);
return WOLFSSL_FATAL_ERROR; return WOLFSSL_FATAL_ERROR;
} }
@ -13306,7 +13314,9 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
case FIRST_REPLY_THIRD : case FIRST_REPLY_THIRD :
if ( (ssl->error = SendChangeCipher(ssl)) != 0) { if ( (ssl->error = SendChangeCipher(ssl)) != 0) {
#ifdef WOLFSSL_CHECK_ALERT_ON_ERR
ProcessReplyEx(ssl, 1); /* See if an alert was sent. */ ProcessReplyEx(ssl, 1); /* See if an alert was sent. */
#endif
WOLFSSL_ERROR(ssl->error); WOLFSSL_ERROR(ssl->error);
return WOLFSSL_FATAL_ERROR; return WOLFSSL_FATAL_ERROR;
} }
@ -13317,7 +13327,9 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
case FIRST_REPLY_FOURTH : case FIRST_REPLY_FOURTH :
if ( (ssl->error = SendFinished(ssl)) != 0) { if ( (ssl->error = SendFinished(ssl)) != 0) {
#ifdef WOLFSSL_CHECK_ALERT_ON_ERR
ProcessReplyEx(ssl, 1); /* See if an alert was sent. */ ProcessReplyEx(ssl, 1); /* See if an alert was sent. */
#endif
WOLFSSL_ERROR(ssl->error); WOLFSSL_ERROR(ssl->error);
return WOLFSSL_FATAL_ERROR; return WOLFSSL_FATAL_ERROR;
} }

8
src/tls13.c
View File

@ -69,6 +69,8 @@
* When only one PSK ID is used and only one call to the PSK callback can * When only one PSK ID is used and only one call to the PSK callback can
* be made per connect. * be made per connect.
* You cannot use wc_psk_client_cs_callback type callback on client. * You cannot use wc_psk_client_cs_callback type callback on client.
* WOLFSSL_CHECK_ALERT_ON_ERR
* Check for alerts during the handshake in the event of an error.
*/ */
#ifdef HAVE_CONFIG_H #ifdef HAVE_CONFIG_H
@ -8471,7 +8473,9 @@ int wolfSSL_connect_TLSv13(WOLFSSL* ssl)
if (!ssl->options.resuming && ssl->options.sendVerify) { if (!ssl->options.resuming && ssl->options.sendVerify) {
ssl->error = SendTls13Certificate(ssl); ssl->error = SendTls13Certificate(ssl);
if (ssl->error != 0) { if (ssl->error != 0) {
#ifdef WOLFSSL_CHECK_ALERT_ON_ERR
ProcessReplyEx(ssl, 1); /* See if an alert was sent. */ ProcessReplyEx(ssl, 1); /* See if an alert was sent. */
#endif
WOLFSSL_ERROR(ssl->error); WOLFSSL_ERROR(ssl->error);
return WOLFSSL_FATAL_ERROR; return WOLFSSL_FATAL_ERROR;
} }
@ -8490,7 +8494,9 @@ int wolfSSL_connect_TLSv13(WOLFSSL* ssl)
if (!ssl->options.resuming && ssl->options.sendVerify) { if (!ssl->options.resuming && ssl->options.sendVerify) {
ssl->error = SendTls13CertificateVerify(ssl); ssl->error = SendTls13CertificateVerify(ssl);
if (ssl->error != 0) { if (ssl->error != 0) {
#ifdef WOLFSSL_CHECK_ALERT_ON_ERR
ProcessReplyEx(ssl, 1); /* See if an alert was sent. */ ProcessReplyEx(ssl, 1); /* See if an alert was sent. */
#endif
WOLFSSL_ERROR(ssl->error); WOLFSSL_ERROR(ssl->error);
return WOLFSSL_FATAL_ERROR; return WOLFSSL_FATAL_ERROR;
} }
@ -8504,7 +8510,9 @@ int wolfSSL_connect_TLSv13(WOLFSSL* ssl)
case FIRST_REPLY_FOURTH: case FIRST_REPLY_FOURTH:
if ((ssl->error = SendTls13Finished(ssl)) != 0) { if ((ssl->error = SendTls13Finished(ssl)) != 0) {
#ifdef WOLFSSL_CHECK_ALERT_ON_ERR
ProcessReplyEx(ssl, 1); /* See if an alert was sent. */ ProcessReplyEx(ssl, 1); /* See if an alert was sent. */
#endif
WOLFSSL_ERROR(ssl->error); WOLFSSL_ERROR(ssl->error);
return WOLFSSL_FATAL_ERROR; return WOLFSSL_FATAL_ERROR;
} }