diff --git a/examples/server/server.c b/examples/server/server.c
index dba33feca..2598dc351 100644
--- a/examples/server/server.c
+++ b/examples/server/server.c
@@ -2033,6 +2033,39 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
 }
 #endif /* HAVE_SECURE_RENEGOTIATION */
+#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS)
+ #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
+ if (postHandAuth) {
+ unsigned int verify_flags = 0;
+
+ SSL_set_verify(ssl, WOLFSSL_VERIFY_PEER |
+ ((usePskPlus) ? WOLFSSL_VERIFY_FAIL_EXCEPT_PSK :
+ WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT), 0);
+
+ #ifdef TEST_BEFORE_DATE
+ verify_flags |= WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY;
+ #endif
+
+ if (wolfSSL_CTX_load_verify_locations_ex(ctx, verifyCert, 0,
+ verify_flags)
+ != WOLFSSL_SUCCESS) {
+ err_sys_ex(runWithErrors, "can't load ca file, Please run from "
+ "wolfSSL home dir");
+ }
+ #ifdef WOLFSSL_TRUST_PEER_CERT
+ if (trustCert) {
+ if ((ret = wolfSSL_trust_peer_cert(ssl, trustCert,
+ WOLFSSL_FILETYPE_PEM)) != WOLFSSL_SUCCESS) {
+ err_sys_ex(runWithErrors, "can't load trusted peer cert "
+ "file");
+ }
+ }
+ #endif /* WOLFSSL_TRUST_PEER_CERT */
+ }
+ #endif
+#endif
+
+
 #ifndef NO_HANDSHAKE_DONE_CB
 wolfSSL_SetHsDoneCb(ssl, myHsDoneCb, NULL);
 #endif
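Review bot: The post-handshake-auth block now placed in the `@@ -2033` hunk of server_test calls `wolfSSL_CTX_load_verify_locations_ex(ctx, ...)`, which changes the shared context rather than `ssl`, and nothing at the new position explains why the block has to run here. The loaded CA set therefore appears to apply to every session created from `ctx`, and under `TEST_BEFORE_DATE` it is loaded with `WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY`, which deserves a test-only remark. I would add above `if (postHandAuth)` a comment such as `/* Post-handshake auth: verify mode and CAs are set up front; the CA load is on ctx and applies to every session created from it. */`. The two bare `#endif` lines closing the nested conditionals could carry the same kind of trailer as the neighbouring `#endif /* HAVE_SECURE_RENEGOTIATION */`. server_test starts and ends outside the hunk.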
@@ -2387,38 +2420,6 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
 }
 #endif
-#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS)
- #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
- if (postHandAuth) {
- unsigned int verify_flags = 0;
-
- SSL_set_verify(ssl, WOLFSSL_VERIFY_PEER |
- ((usePskPlus) ? WOLFSSL_VERIFY_FAIL_EXCEPT_PSK :
- WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT), 0);
-
- #ifdef TEST_BEFORE_DATE
- verify_flags |= WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY;
- #endif
-
- if (wolfSSL_CTX_load_verify_locations_ex(ctx, verifyCert, 0,
- verify_flags)
- != WOLFSSL_SUCCESS) {
- err_sys_ex(runWithErrors, "can't load ca file, Please run from "
- "wolfSSL home dir");
- }
- #ifdef WOLFSSL_TRUST_PEER_CERT
- if (trustCert) {
- if ((ret = wolfSSL_trust_peer_cert(ssl, trustCert,
- WOLFSSL_FILETYPE_PEM)) != WOLFSSL_SUCCESS) {
- err_sys_ex(runWithErrors, "can't load trusted peer cert "
- "file");
- }
- }
- #endif /* WOLFSSL_TRUST_PEER_CERT */
- }
- #endif
-#endif
-
 if (echoData == 0 && throughput == 0) {
 ServerRead(ssl, input, sizeof(input)-1);
 err = SSL_get_error(ssl, 0);
diff --git a/src/internal.c b/src/internal.c
index 58c4800fc..a666f63d4 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -11193,6 +11193,13 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 if (args->fatal == 0) {
 int copyRet = 0;
+ #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
+ if (ssl->options.handShakeDone) {
+ FreeX509(&ssl->peerCert);
+ InitX509(&ssl->peerCert, 0, ssl->heap);
+ }
+ else
+ #endif
 #ifdef HAVE_SECURE_RENEGOTIATION
 if (ssl->secure_renegotiation && ssl->secure_renegotiation->enabled) {
@@ -11200,7 +11207,10 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 FreeX509(&ssl->peerCert);
 InitX509(&ssl->peerCert, 0, ssl->heap);
 }
+ else
 #endif
+ {
+ }
 /* set X509 format for peer cert */
 copyRet = CopyDecodedToX509(&ssl->peerCert, args->dCert);
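Review bot: In src/internal.c the `else` added before `#endif` in the `@@ -11193` hunk, together with the `else` and empty `{ }` added in the `@@ -11200` hunk, forms an if/else chain stitched across two preprocessor conditionals, and it parses in every build combination only because of that empty block. Nothing says so, and a later edit that drops the `{ }` would attach the `copyRet = CopyDecodedToX509(...)` statement to the dangling `else`, so the new peer certificate would not be copied into `ssl->peerCert` whenever either condition is true. A comment inside the block, e.g. `/* intentionally empty: terminates the conditional else chain above */`, would protect it. The new branch also keys only on `ssl->options.handShakeDone`; if the reset is meant only for a TLS 1.3 post-handshake certificate, that should be stated in a comment or checked. ProcessPeerCerts continues outside both hunks.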
@@ -11360,7 +11370,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 #endif
 #ifdef HAVE_PK_CALLBACKS
 #ifndef NO_RSA
- #ifdef HAVE_SECURE_RENEGOTIATION
+ #if defined(HAVE_SECURE_RENEGOTIATION) || \
+ defined(WOLFSSL_POST_HANDSHAKE_AUTH)
 if (ssl->buffers.peerRsaKey.buffer) {
 XFREE(ssl->buffers.peerRsaKey.buffer, ssl->heap, DYNAMIC_TYPE_RSA);
diff --git a/src/tls13.c b/src/tls13.c
index ce339d0e6..ca92588f3 100644
--- a/src/tls13.c
+++ b/src/tls13.c
@@ -739,13 +739,20 @@ static const byte resumeMasterLabel[RESUME_MASTER_LABEL_SZ + 1] =
 */
 int DeriveResumptionSecret(WOLFSSL* ssl, byte* key) {
+ byte* masterSecret;
+
 WOLFSSL_MSG("Derive Resumption Secret");
- if (ssl == NULL || ssl->arrays == NULL) {
+ if (ssl == NULL) {
 return BAD_FUNC_ARG;
 }
- return DeriveKey(ssl, key, -1, ssl->arrays->masterSecret,
- resumeMasterLabel, RESUME_MASTER_LABEL_SZ,
- ssl->specs.mac_algorithm, 1);
+ if (ssl->arrays != NULL) {
+ masterSecret = ssl->arrays->masterSecret;
+ }
+ else {
+ masterSecret = ssl->session.masterSecret;
+ }
+ return DeriveKey(ssl, key, -1, masterSecret, resumeMasterLabel,
+ RESUME_MASTER_LABEL_SZ, ssl->specs.mac_algorithm, 1);
 }
 #endif
@@ -7031,7 +7038,7 @@ int DoTls13HandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 if (ssl->options.handShakeState == HANDSHAKE_DONE && type != session_ticket && type != certificate_request &&
- type != certificate && type != key_update) {
+ type != certificate && type != key_update && type != finished) {
 WOLFSSL_MSG("HandShake message after handshake complete");
 SendAlert(ssl, alert_fatal, unexpected_message);
 return OUT_OF_ORDER_E;
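Review bot: In the `@@ -11360` hunk of src/internal.c the widened guard covers only the RSA peer-key buffer visible here. If the other key-type branches of ProcessPeerCerts (outside the hunk) free their PK-callback buffers under a `HAVE_SECURE_RENEGOTIATION`-only guard, a certificate received after the handshake would overwrite those pointers without freeing them in a build that has only `WOLFSSL_POST_HANDSHAKE_AUTH`. It is worth checking the sibling branches and giving them the same `#if defined(HAVE_SECURE_RENEGOTIATION) || defined(WOLFSSL_POST_HANDSHAKE_AUTH)` condition. A one-line comment such as `/* a second peer certificate can arrive: free the key kept from the first */` would explain why the free is conditional at all.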
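Review bot: In the `@@ -739` hunk of src/tls13.c, DeriveResumptionSecret now falls back to `ssl->session.masterSecret` when `ssl->arrays` is NULL, but nothing visible establishes that this buffer holds the current connection's master secret at that point. If it were still zeroed or stale, the resumption secret would be derived from a known or wrong input instead of the call failing with `BAD_FUNC_ARG` as it did before. The function's header comment, which ends just above the signature and lies outside the hunk, should state the fallback and its precondition, e.g. `/* When ssl->arrays has been released, the master secret copy in ssl->session is used; the caller must ensure it is set. */`.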
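Review bot: In the `@@ -7031` hunk of src/tls13.c, `type != finished` is added unconditionally, so after `HANDSHAKE_DONE` a Finished message now passes this out-of-order gate in every build and on both sides, not only when a post-handshake certificate request is outstanding. Whether a later check in DoTls13HandShakeMsgType (outside the hunk) rejects an unsolicited Finished cannot be seen here, so the exemption should be as narrow as the feature. I would compile the new term only under `#ifdef WOLFSSL_POST_HANDSHAKE_AUTH` and pair `type != finished` with a condition that the connection is actually waiting for the peer's post-handshake Finished. A short comment naming post-handshake authentication as the reason for the exemption would also help the next reader of this state check.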