wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-31 19:24:42 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #3306 from SparkiDev/tls13_pha_psk

Browse Source 
TLS 1.3: Post-handshake Authentication and resumption secret
This commit is contained in:
toddouska
2020-09-23 16:06:55 -07:00
committed by GitHub
parent 2bb8427ab2 4ed3438be0
commit 1c07de883c
3 changed files with 57 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

65
examples/server/server.c
View File

@@ -2033,6 +2033,39 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
} }
#endif /* HAVE_SECURE_RENEGOTIATION */ #endif /* HAVE_SECURE_RENEGOTIATION */
#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS)
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
if (postHandAuth) {
unsigned int verify_flags = 0;
SSL_set_verify(ssl, WOLFSSL_VERIFY_PEER |
((usePskPlus) ? WOLFSSL_VERIFY_FAIL_EXCEPT_PSK :
WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT), 0);
#ifdef TEST_BEFORE_DATE
verify_flags |= WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY;
#endif
if (wolfSSL_CTX_load_verify_locations_ex(ctx, verifyCert, 0,
verify_flags)
!= WOLFSSL_SUCCESS) {
err_sys_ex(runWithErrors, "can't load ca file, Please run from "
"wolfSSL home dir");
}
#ifdef WOLFSSL_TRUST_PEER_CERT
if (trustCert) {
if ((ret = wolfSSL_trust_peer_cert(ssl, trustCert,
WOLFSSL_FILETYPE_PEM)) != WOLFSSL_SUCCESS) {
err_sys_ex(runWithErrors, "can't load trusted peer cert "
"file");
}
}
#endif /* WOLFSSL_TRUST_PEER_CERT */
}
#endif
#endif
#ifndef NO_HANDSHAKE_DONE_CB #ifndef NO_HANDSHAKE_DONE_CB
wolfSSL_SetHsDoneCb(ssl, myHsDoneCb, NULL); wolfSSL_SetHsDoneCb(ssl, myHsDoneCb, NULL);
#endif #endif
@@ -2387,38 +2420,6 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
} }
#endif #endif
#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS)
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
if (postHandAuth) {
unsigned int verify_flags = 0;
SSL_set_verify(ssl, WOLFSSL_VERIFY_PEER |
((usePskPlus) ? WOLFSSL_VERIFY_FAIL_EXCEPT_PSK :
WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT), 0);
#ifdef TEST_BEFORE_DATE
verify_flags |= WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY;
#endif
if (wolfSSL_CTX_load_verify_locations_ex(ctx, verifyCert, 0,
verify_flags)
!= WOLFSSL_SUCCESS) {
err_sys_ex(runWithErrors, "can't load ca file, Please run from "
"wolfSSL home dir");
}
#ifdef WOLFSSL_TRUST_PEER_CERT
if (trustCert) {
if ((ret = wolfSSL_trust_peer_cert(ssl, trustCert,
WOLFSSL_FILETYPE_PEM)) != WOLFSSL_SUCCESS) {
err_sys_ex(runWithErrors, "can't load trusted peer cert "
"file");
}
}
#endif /* WOLFSSL_TRUST_PEER_CERT */
}
#endif
#endif
if (echoData == 0 && throughput == 0) { if (echoData == 0 && throughput == 0) {
ServerRead(ssl, input, sizeof(input)-1); ServerRead(ssl, input, sizeof(input)-1);
err = SSL_get_error(ssl, 0); err = SSL_get_error(ssl, 0);

13
src/internal.c
View File

@@ -11193,6 +11193,13 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
if (args->fatal == 0) { if (args->fatal == 0) {
int copyRet = 0; int copyRet = 0;
#ifdef WOLFSSL_POST_HANDSHAKE_AUTH
if (ssl->options.handShakeDone) {
FreeX509(&ssl->peerCert);
InitX509(&ssl->peerCert, 0, ssl->heap);
}
else
#endif
#ifdef HAVE_SECURE_RENEGOTIATION #ifdef HAVE_SECURE_RENEGOTIATION
if (ssl->secure_renegotiation && if (ssl->secure_renegotiation &&
ssl->secure_renegotiation->enabled) { ssl->secure_renegotiation->enabled) {
@@ -11200,7 +11207,10 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
FreeX509(&ssl->peerCert); FreeX509(&ssl->peerCert);
InitX509(&ssl->peerCert, 0, ssl->heap); InitX509(&ssl->peerCert, 0, ssl->heap);
} }
else
#endif #endif
{
}
/* set X509 format for peer cert */ /* set X509 format for peer cert */
copyRet = CopyDecodedToX509(&ssl->peerCert, args->dCert); copyRet = CopyDecodedToX509(&ssl->peerCert, args->dCert);
@@ -11360,7 +11370,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
#endif #endif
#ifdef HAVE_PK_CALLBACKS #ifdef HAVE_PK_CALLBACKS
#ifndef NO_RSA #ifndef NO_RSA
#ifdef HAVE_SECURE_RENEGOTIATION #if defined(HAVE_SECURE_RENEGOTIATION) || \
defined(WOLFSSL_POST_HANDSHAKE_AUTH)
if (ssl->buffers.peerRsaKey.buffer) { if (ssl->buffers.peerRsaKey.buffer) {
XFREE(ssl->buffers.peerRsaKey.buffer, XFREE(ssl->buffers.peerRsaKey.buffer,
ssl->heap, DYNAMIC_TYPE_RSA); ssl->heap, DYNAMIC_TYPE_RSA);

17
src/tls13.c
View File

@@ -739,13 +739,20 @@ static const byte resumeMasterLabel[RESUME_MASTER_LABEL_SZ + 1] =
*/ */
int DeriveResumptionSecret(WOLFSSL* ssl, byte* key) int DeriveResumptionSecret(WOLFSSL* ssl, byte* key)
{ {
byte* masterSecret;
WOLFSSL_MSG("Derive Resumption Secret"); WOLFSSL_MSG("Derive Resumption Secret");
if (ssl == NULL || ssl->arrays == NULL) { if (ssl == NULL) {
return BAD_FUNC_ARG; return BAD_FUNC_ARG;
} }
return DeriveKey(ssl, key, -1, ssl->arrays->masterSecret, if (ssl->arrays != NULL) {
resumeMasterLabel, RESUME_MASTER_LABEL_SZ, masterSecret = ssl->arrays->masterSecret;
ssl->specs.mac_algorithm, 1); }
else {
masterSecret = ssl->session.masterSecret;
}
return DeriveKey(ssl, key, -1, masterSecret, resumeMasterLabel,
RESUME_MASTER_LABEL_SZ, ssl->specs.mac_algorithm, 1);
} }
#endif #endif
@@ -7031,7 +7038,7 @@ int DoTls13HandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx,
if (ssl->options.handShakeState == HANDSHAKE_DONE && if (ssl->options.handShakeState == HANDSHAKE_DONE &&
type != session_ticket && type != certificate_request && type != session_ticket && type != certificate_request &&
type != certificate && type != key_update) { type != certificate && type != key_update && type != finished) {
WOLFSSL_MSG("HandShake message after handshake complete"); WOLFSSL_MSG("HandShake message after handshake complete");
SendAlert(ssl, alert_fatal, unexpected_message); SendAlert(ssl, alert_fatal, unexpected_message);
return OUT_OF_ORDER_E; return OUT_OF_ORDER_E;