option for fail on no peer cert except PSK suites
@ -257,6 +257,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
|
|||||||
int useAnyAddr = 0;
|
int useAnyAddr = 0;
|
||||||
word16 port = wolfSSLPort;
|
word16 port = wolfSSLPort;
|
||||||
int usePsk = 0;
|
int usePsk = 0;
|
||||||
|
int usePskPlus = 0;
|
||||||
int useAnon = 0;
|
int useAnon = 0;
|
||||||
int doDTLS = 0;
|
int doDTLS = 0;
|
||||||
int needDH = 0;
|
int needDH = 0;
|
||||||
@ -329,7 +330,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
|
|||||||
#ifdef WOLFSSL_VXWORKS
|
#ifdef WOLFSSL_VXWORKS
|
||||||
useAnyAddr = 1;
|
useAnyAddr = 1;
|
||||||
#else
|
#else
|
||||||
while ((ch = mygetopt(argc, argv, "?dbstnNufrawPIR:p:v:l:A:c:k:Z:S:oO:D:L:ieB:"))
|
while ((ch = mygetopt(argc, argv, "?dbstnNufrawPIR:p:v:l:A:c:k:Z:S:oO:D:L:ieB:j"))
|
||||||
!= -1) {
|
!= -1) {
|
||||||
switch (ch) {
|
switch (ch) {
|
||||||
case '?' :
|
case '?' :
|
||||||
@ -348,6 +349,10 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
|
|||||||
usePsk = 1;
|
usePsk = 1;
|
||||||
break;
|
break;
|
||||||
|
|
||||||
|
case 'j' :
|
||||||
|
usePskPlus = 1;
|
||||||
|
break;
|
||||||
|
|
||||||
case 't' :
|
case 't' :
|
||||||
#ifdef USE_WOLFSSL_MEMORY
|
#ifdef USE_WOLFSSL_MEMORY
|
||||||
trackMemory = 1;
|
trackMemory = 1;
|
||||||
@ -609,7 +614,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS)
|
#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS)
|
||||||
if (!usePsk && !useAnon) {
|
if ((!usePsk || usePskPlus) && !useAnon) {
|
||||||
if (SSL_CTX_use_certificate_chain_file(ctx, ourCert)
|
if (SSL_CTX_use_certificate_chain_file(ctx, ourCert)
|
||||||
!= SSL_SUCCESS)
|
!= SSL_SUCCESS)
|
||||||
err_sys("can't load server cert file, check file and run from"
|
err_sys("can't load server cert file, check file and run from"
|
||||||
@ -630,7 +635,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
|
|||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS)
|
#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS)
|
||||||
if (!useNtruKey && !usePsk && !useAnon) {
|
if (!useNtruKey && (!usePsk || usePskPlus) && !useAnon) {
|
||||||
if (SSL_CTX_use_PrivateKey_file(ctx, ourKey, SSL_FILETYPE_PEM)
|
if (SSL_CTX_use_PrivateKey_file(ctx, ourKey, SSL_FILETYPE_PEM)
|
||||||
!= SSL_SUCCESS)
|
!= SSL_SUCCESS)
|
||||||
err_sys("can't load server private key file, check file and run "
|
err_sys("can't load server private key file, check file and run "
|
||||||
@ -638,14 +643,14 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
|
|||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
if (usePsk) {
|
if (usePsk || usePskPlus) {
|
||||||
#ifndef NO_PSK
|
#ifndef NO_PSK
|
||||||
SSL_CTX_set_psk_server_callback(ctx, my_psk_server_cb);
|
SSL_CTX_set_psk_server_callback(ctx, my_psk_server_cb);
|
||||||
|
|
||||||
if (sendPskIdentityHint == 1)
|
if (sendPskIdentityHint == 1)
|
||||||
SSL_CTX_use_psk_identity_hint(ctx, "cyassl server");
|
SSL_CTX_use_psk_identity_hint(ctx, "cyassl server");
|
||||||
|
|
||||||
if (cipherList == NULL) {
|
if (cipherList == NULL && !usePskPlus) {
|
||||||
const char *defaultCipherList;
|
const char *defaultCipherList;
|
||||||
#if defined(HAVE_AESGCM) && !defined(NO_DH)
|
#if defined(HAVE_AESGCM) && !defined(NO_DH)
|
||||||
defaultCipherList = "DHE-PSK-AES128-GCM-SHA256";
|
defaultCipherList = "DHE-PSK-AES128-GCM-SHA256";
|
||||||
@ -672,13 +677,15 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
|
|||||||
}
|
}
|
||||||
|
|
||||||
#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS)
|
#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS)
|
||||||
/* if not using PSK, verify peer with certs */
|
/* if not using PSK, verify peer with certs
|
||||||
if (doCliCertCheck && usePsk == 0 && useAnon == 0) {
|
if using PSK Plus then verify peer certs except PSK suites */
|
||||||
|
if (doCliCertCheck && (usePsk == 0 || usePskPlus) && useAnon == 0) {
|
||||||
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER |
|
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER |
|
||||||
SSL_VERIFY_FAIL_IF_NO_PEER_CERT,0);
|
((usePskPlus)? SSL_VERIFY_FAIL_EXCEPT_PSK :
|
||||||
|
SSL_VERIFY_FAIL_IF_NO_PEER_CERT),0);
|
||||||
if (SSL_CTX_load_verify_locations(ctx, verifyCert, 0) != SSL_SUCCESS)
|
if (SSL_CTX_load_verify_locations(ctx, verifyCert, 0) != SSL_SUCCESS)
|
||||||
err_sys("can't load ca file, Please run from wolfSSL home dir");
|
err_sys("can't load ca file, Please run from wolfSSL home dir");
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if defined(CYASSL_SNIFFER)
|
#if defined(CYASSL_SNIFFER)
|
||||||
@ -795,7 +802,8 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
|
|||||||
wolfSSL_dtls_set_peer(ssl, &cliaddr, len);
|
wolfSSL_dtls_set_peer(ssl, &cliaddr, len);
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
if (usePsk == 0 || useAnon == 1 || cipherList != NULL || needDH == 1) {
|
if ((usePsk == 0 || usePskPlus) || useAnon == 1 || cipherList != NULL
|
||||||
|
|| needDH == 1) {
|
||||||
#if !defined(NO_FILESYSTEM) && !defined(NO_DH) && !defined(NO_ASN)
|
#if !defined(NO_FILESYSTEM) && !defined(NO_DH) && !defined(NO_ASN)
|
||||||
CyaSSL_SetTmpDH_file(ssl, ourDhParam, SSL_FILETYPE_PEM);
|
CyaSSL_SetTmpDH_file(ssl, ourDhParam, SSL_FILETYPE_PEM);
|
||||||
#elif !defined(NO_DH)
|
#elif !defined(NO_DH)
|
||||||
|
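Review bot: The new `j` letter in the mygetopt string and the `case 'j' : usePskPlus = 1;` branch are not matched by any change to the usage text printed under `case '?'`, which lies outside these hunks; if Usage() enumerates the flags it should gain a line such as `-j          PSK Plus: allow PSK suites, verify peer certs on all other suites`. In the verify hunk the mode is built as `SSL_VERIFY_PEER | ((usePskPlus)? SSL_VERIFY_FAIL_EXCEPT_PSK : SSL_VERIFY_FAIL_IF_NO_PEER_CERT)`, so with `-j` a client that negotiates a PSK suite may omit its certificate while any other suite still fails without one; the split comment above it (`/* if not using PSK, verify peer with certs` / `if using PSK Plus then verify peer certs except PSK suites */`) would read better as one sentence stating that trade-off, e.g. `/* PSK Plus: request a peer cert, but only require one on non-PSK suites */`. server_test starts and ends outside these hunks.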
@ -1835,10 +1835,11 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
|
|||||||
ssl->options.sessionCacheOff = ctx->sessionCacheOff;
|
ssl->options.sessionCacheOff = ctx->sessionCacheOff;
|
||||||
ssl->options.sessionCacheFlushOff = ctx->sessionCacheFlushOff;
|
ssl->options.sessionCacheFlushOff = ctx->sessionCacheFlushOff;
|
||||||
|
|
||||||
ssl->options.verifyPeer = ctx->verifyPeer;
|
ssl->options.verifyPeer = ctx->verifyPeer;
|
||||||
ssl->options.verifyNone = ctx->verifyNone;
|
ssl->options.verifyNone = ctx->verifyNone;
|
||||||
ssl->options.failNoCert = ctx->failNoCert;
|
ssl->options.failNoCert = ctx->failNoCert;
|
||||||
ssl->options.sendVerify = ctx->sendVerify;
|
ssl->options.failNoCertxPSK = ctx->failNoCertxPSK;
|
||||||
|
ssl->options.sendVerify = ctx->sendVerify;
|
||||||
|
|
||||||
ssl->heap = ctx->heap; /* defaults to self */
|
ssl->heap = ctx->heap; /* defaults to self */
|
||||||
ssl->options.partialWrite = ctx->partialWrite;
|
ssl->options.partialWrite = ctx->partialWrite;
|
||||||
@ -16936,6 +16937,14 @@ int DoSessionTicket(WOLFSSL* ssl,
|
|||||||
return NO_PEER_CERT;
|
return NO_PEER_CERT;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (ssl->options.verifyPeer && ssl->options.failNoCertxPSK) {
|
||||||
|
if (!ssl->options.havePeerCert &&
|
||||||
|
!ssl->options.usingPSK_cipher){
|
||||||
|
WOLFSSL_MSG("client didn't present peer cert");
|
||||||
|
return NO_PEER_CERT;
|
||||||
|
}
|
||||||
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef WOLFSSL_CALLBACKS
|
#ifdef WOLFSSL_CALLBACKS
|
||||||
|
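Review bot: The new block starting at `if (ssl->options.verifyPeer && ssl->options.failNoCertxPSK)` repeats the shape of the `failNoCert` check that ends just above it (`return NO_PEER_CERT; } }`), with a second copy of the "client didn't present peer cert" message; the enclosing function starts outside the hunk, and the hunk header's `DoSessionTicket` is only git's nearest-preceding-symbol guess. If the preceding block tests the same `verifyPeer`/`havePeerCert` pair, the two can be folded into one condition, `if (!ssl->options.havePeerCert && (ssl->options.failNoCert || (ssl->options.failNoCertxPSK && !ssl->options.usingPSK_cipher)))`, so the two failure policies cannot drift apart. The exemption relies on `ssl->options.usingPSK_cipher` already reflecting the negotiated suite at this point of the handshake; that is presumably set during suite selection, but a one-line comment naming where it is set would make the ordering assumption explicit. The `){` spacing on the inner condition also departs from the `) {` style of the surrounding code.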
13
src/ssl.c
13
src/ssl.c
@ -4608,6 +4608,11 @@ void wolfSSL_CTX_set_verify(WOLFSSL_CTX* ctx, int mode, VerifyCallback vc)
|
|||||||
if (mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
|
if (mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
|
||||||
ctx->failNoCert = 1;
|
ctx->failNoCert = 1;
|
||||||
|
|
||||||
|
if (mode & SSL_VERIFY_FAIL_EXCEPT_PSK) {
|
||||||
|
ctx->failNoCert = 0; /* fail on all is set to fail on PSK */
|
||||||
|
ctx->failNoCertxPSK = 1;
|
||||||
|
}
|
||||||
|
|
||||||
ctx->verifyCallback = vc;
|
ctx->verifyCallback = vc;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -4628,6 +4633,11 @@ void wolfSSL_set_verify(WOLFSSL* ssl, int mode, VerifyCallback vc)
|
|||||||
if (mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
|
if (mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
|
||||||
ssl->options.failNoCert = 1;
|
ssl->options.failNoCert = 1;
|
||||||
|
|
||||||
|
if (mode & SSL_VERIFY_FAIL_EXCEPT_PSK) {
|
||||||
|
ssl->options.failNoCert = 0; /* fail on all is set to fail on PSK */
|
||||||
|
ssl->options.failNoCertxPSK = 1;
|
||||||
|
}
|
||||||
|
|
||||||
ssl->verifyCallback = vc;
|
ssl->verifyCallback = vc;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -17074,6 +17084,9 @@ int wolfSSL_CTX_get_verify_mode(WOLFSSL_CTX* ctx)
|
|||||||
if (ctx->failNoCert)
|
if (ctx->failNoCert)
|
||||||
mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
|
mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
|
||||||
|
|
||||||
|
if (ctx->failNoCertxPSK)
|
||||||
|
mode |= SSL_VERIFY_FAIL_EXCEPT_PSK;
|
||||||
|
|
||||||
WOLFSSL_LEAVE("wolfSSL_CTX_get_verify_mode", mode);
|
WOLFSSL_LEAVE("wolfSSL_CTX_get_verify_mode", mode);
|
||||||
return mode;
|
return mode;
|
||||||
}
|
}
|
||||||
|
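Review bot: The `if (mode & SSL_VERIFY_FAIL_EXCEPT_PSK)` branch in wolfSSL_CTX_set_verify sets `failNoCertxPSK` but nothing in the hunk ever clears it, so if the function resets `verifyPeer`/`verifyNone`/`failNoCert` near its top (outside the hunk) a matching `ctx->failNoCertxPSK = 0;` belongs there too; otherwise a later call with a mode lacking the flag leaves the PSK exception enabled. The same applies to the wolfSSL_set_verify hunk below it. The branch also silently overrides `SSL_VERIFY_FAIL_IF_NO_PEER_CERT` when both bits are passed, and the comment `/* fail on all is set to fail on PSK */` does not say so; `/* FAIL_EXCEPT_PSK supersedes FAIL_IF_NO_PEER_CERT: a missing cert is an error only on non-PSK suites */` would. wolfSSL_CTX_get_verify_mode now reports the flag, but the per-session getter wolfSSL_get_verify_mode, if it mirrors this one, is not touched by the commit and would under-report it.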
@ -1818,6 +1818,7 @@ struct WOLFSSL_CTX {
|
|||||||
byte verifyPeer;
|
byte verifyPeer;
|
||||||
byte verifyNone;
|
byte verifyNone;
|
||||||
byte failNoCert;
|
byte failNoCert;
|
||||||
|
byte failNoCertxPSK; /* fail if no cert with the exception of PSK*/
|
||||||
byte sessionCacheOff;
|
byte sessionCacheOff;
|
||||||
byte sessionCacheFlushOff;
|
byte sessionCacheFlushOff;
|
||||||
byte sendVerify; /* for client side */
|
byte sendVerify; /* for client side */
|
||||||
@ -2216,6 +2217,7 @@ typedef struct Options {
|
|||||||
word16 verifyPeer:1;
|
word16 verifyPeer:1;
|
||||||
word16 verifyNone:1;
|
word16 verifyNone:1;
|
||||||
word16 failNoCert:1;
|
word16 failNoCert:1;
|
||||||
|
word16 failNoCertxPSK:1; /* fail for no cert except with PSK */
|
||||||
word16 downgrade:1; /* allow downgrade of versions */
|
word16 downgrade:1; /* allow downgrade of versions */
|
||||||
word16 resuming:1;
|
word16 resuming:1;
|
||||||
word16 haveSessionId:1; /* server may not send */
|
word16 haveSessionId:1; /* server may not send */
|
||||||
|
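Review bot: The new field comments leave the relationship to `failNoCert` unstated even though wolfSSL_CTX_set_verify treats the two as mutually exclusive; `byte failNoCertxPSK; /* fail if no peer cert, except when a PSK suite is negotiated; clears failNoCert */` (and the matching text on the `word16 failNoCertxPSK:1;` bit) would tell a reader that without chasing the setter. The `PSK*/` in the WOLFSSL_CTX comment is also missing the space before the closing delimiter. Adding a bit to the `word16` bit-field in Options is fine only while the field count stays at or below 16; the rest of that field list lies outside the hunk, so it is worth confirming.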
@ -698,6 +698,7 @@ enum { /* ssl Constants */
|
|||||||
SSL_VERIFY_PEER = 1,
|
SSL_VERIFY_PEER = 1,
|
||||||
SSL_VERIFY_FAIL_IF_NO_PEER_CERT = 2,
|
SSL_VERIFY_FAIL_IF_NO_PEER_CERT = 2,
|
||||||
SSL_VERIFY_CLIENT_ONCE = 4,
|
SSL_VERIFY_CLIENT_ONCE = 4,
|
||||||
|
SSL_VERIFY_FAIL_EXCEPT_PSK = 8,
|
||||||
|
|
||||||
SSL_SESS_CACHE_OFF = 30,
|
SSL_SESS_CACHE_OFF = 30,
|
||||||
SSL_SESS_CACHE_CLIENT = 31,
|
SSL_SESS_CACHE_CLIENT = 31,
|
||||||
|
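Review bot: `SSL_VERIFY_FAIL_EXCEPT_PSK = 8` is added to the OpenSSL-style verify-mode constants with no comment marking it as a wolfSSL-specific extension, and the bit value 0x08 is not reserved for this purpose by OpenSSL (its own headers assign that bit to SSL_VERIFY_POST_HANDSHAKE), so code ported between the two libraries must not assume the value carries the same meaning. A trailing comment such as `SSL_VERIFY_FAIL_EXCEPT_PSK = 8, /* wolfSSL only: require a peer cert except on PSK suites */` makes that clear at the declaration.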