feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Merge pull request #3171 from SparkiDev/tls13_fin_fix

Browse Source 
TLS 1.3: Client requires cert_vfy before finished when not PSK
This commit is contained in:
toddouska
2020-07-31 11:28:24 -07:00
committed by GitHub
parent e7fe460fac f59a1fa295
commit ff08a01f94
2 changed files with 19 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
src/tls13.c
View File

@@ -5812,6 +5812,11 @@ static int DoTls13CertificateVerify(WOLFSSL* ssl, byte* input,
/* Advance state and proceed */ /* Advance state and proceed */
ssl->options.asyncState = TLS_ASYNC_END; ssl->options.asyncState = TLS_ASYNC_END;
#if !defined(NO_WOLFSSL_CLIENT)
if (ssl->options.side == WOLFSSL_CLIENT_END)
ssl->options.serverState = SERVER_CERT_VERIFY_COMPLETE;
#endif
} /* case TLS_ASYNC_FINALIZE */ } /* case TLS_ASYNC_FINALIZE */
case TLS_ASYNC_END: case TLS_ASYNC_END:
@@ -6922,16 +6927,27 @@ static int SanityCheckTls13MsgReceived(WOLFSSL* ssl, byte type)
WOLFSSL_MSG("Finished received out of order"); WOLFSSL_MSG("Finished received out of order");
return OUT_OF_ORDER_E; return OUT_OF_ORDER_E;
} }
if (ssl->options.serverState < /* Must have seen certificate and verify from server except when
* using PSK. */
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
if (ssl->arrays->psk_keySz != 0) {
if (ssl->options.serverState !=
SERVER_ENCRYPTED_EXTENSIONS_COMPLETE) { SERVER_ENCRYPTED_EXTENSIONS_COMPLETE) {
WOLFSSL_MSG("Finished received out of order"); WOLFSSL_MSG("Finished received out of order");
return OUT_OF_ORDER_E; return OUT_OF_ORDER_E;
} }
} }
else
#endif
if (ssl->options.serverState != SERVER_CERT_VERIFY_COMPLETE) {
WOLFSSL_MSG("Finished received out of order");
return OUT_OF_ORDER_E;
}
}
#endif #endif
#ifndef NO_WOLFSSL_SERVER #ifndef NO_WOLFSSL_SERVER
if (ssl->options.side == WOLFSSL_SERVER_END) { if (ssl->options.side == WOLFSSL_SERVER_END) {
if (ssl->options.serverState < SERVER_FINISHED_COMPLETE) { if (ssl->options.serverState != SERVER_FINISHED_COMPLETE) {
WOLFSSL_MSG("Finished received out of order"); WOLFSSL_MSG("Finished received out of order");
return OUT_OF_ORDER_E; return OUT_OF_ORDER_E;
} }

1
wolfssl/internal.h
View File

@@ -1590,6 +1590,7 @@ enum states {
SERVER_HELLO_COMPLETE, SERVER_HELLO_COMPLETE,
SERVER_ENCRYPTED_EXTENSIONS_COMPLETE, SERVER_ENCRYPTED_EXTENSIONS_COMPLETE,
SERVER_CERT_COMPLETE, SERVER_CERT_COMPLETE,
SERVER_CERT_VERIFY_COMPLETE,
SERVER_KEYEXCHANGE_COMPLETE, SERVER_KEYEXCHANGE_COMPLETE,
SERVER_HELLODONE_COMPLETE, SERVER_HELLODONE_COMPLETE,
SERVER_CHANGECIPHERSPEC_COMPLETE, SERVER_CHANGECIPHERSPEC_COMPLETE,