wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-31 11:17:29 +02:00
Code Issues Packages Projects Releases Wiki Activity

Allow mutual authentication to be required for TLS 1.3

Browse Source
This commit is contained in:
Sean Parkinson
2020-02-20 16:15:30 +10:00
parent 805034bca3
commit 6334dd9cb0
6 changed files with 112 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

47
examples/server/server.c
View File

@ -614,23 +614,26 @@ static const char* server_usage_msg[][49] = {
#ifdef HAVE_SESSION_TICKET #ifdef HAVE_SESSION_TICKET
"-T Do not generate session ticket\n", /* 44 */ "-T Do not generate session ticket\n", /* 44 */
#endif #endif
#ifdef WOLFSSL_TLS13
"-F Mutual authentication is required\n", /* 45 */
#endif
#ifdef WOLFSSL_POST_HANDSHAKE_AUTH #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
"-Q Request certificate from client post-handshake\n", /* 45 */ "-Q Request certificate from client post-handshake\n", /* 46 */
#endif #endif
#ifdef WOLFSSL_SEND_HRR_COOKIE #ifdef WOLFSSL_SEND_HRR_COOKIE
"-J Server sends Cookie Extension containing state\n", /* 46 */ "-J Server sends Cookie Extension containing state\n", /* 47 */
#endif #endif
#endif /* WOLFSSL_TLS13 */ #endif /* WOLFSSL_TLS13 */
#ifdef WOLFSSL_EARLY_DATA #ifdef WOLFSSL_EARLY_DATA
"-0 Early data read from client (0-RTT handshake)\n", /* 47 */ "-0 Early data read from client (0-RTT handshake)\n", /* 48 */
#endif #endif
#ifdef WOLFSSL_MULTICAST #ifdef WOLFSSL_MULTICAST
"-3 <grpid> Multicast, grpid < 256\n", /* 48 */ "-3 <grpid> Multicast, grpid < 256\n", /* 49 */
#endif #endif
"-1 <num> Display a result by specified language." "-1 <num> Display a result by specified language."
"\n 0: English, 1: Japanese\n", /* 49 */ "\n 0: English, 1: Japanese\n", /* 50 */
#ifdef HAVE_TRUSTED_CA #ifdef HAVE_TRUSTED_CA
"-5 Use Trusted CA Key Indication\n", /* 52 */ "-5 Use Trusted CA Key Indication\n", /* 53 */
#endif #endif
#ifdef HAVE_CURVE448 #ifdef HAVE_CURVE448
"-8 Pre-generate Key share using Curve448 only\n", /* 55 */ "-8 Pre-generate Key share using Curve448 only\n", /* 55 */
@ -734,25 +737,28 @@ static const char* server_usage_msg[][49] = {
#ifdef HAVE_SESSION_TICKET #ifdef HAVE_SESSION_TICKET
"-T セッションチケットを生成しない\n", /* 44 */ "-T セッションチケットを生成しない\n", /* 44 */
#endif #endif
#ifdef WOLFSSL_TLS13
"-F Mutual authentication is required\n", /* 45 */
#endif
#ifdef WOLFSSL_POST_HANDSHAKE_AUTH #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
"-Q クライアントのポストハンドシェイクから" "-Q クライアントのポストハンドシェイクから"
"証明書を要求する\n", /* 45 */ "証明書を要求する\n", /* 46 */
#endif #endif
#ifdef WOLFSSL_SEND_HRR_COOKIE #ifdef WOLFSSL_SEND_HRR_COOKIE
"-J サーバーの状態を含むTLS Cookie 拡張を送信する\n", /* 46 */ "-J サーバーの状態を含むTLS Cookie 拡張を送信する\n", /* 47 */
#endif #endif
#endif /* WOLFSSL_TLS13 */ #endif /* WOLFSSL_TLS13 */
#ifdef WOLFSSL_EARLY_DATA #ifdef WOLFSSL_EARLY_DATA
"-0 クライアントからの Early Data 読み取り" "-0 クライアントからの Early Data 読み取り"
"0-RTTハンドシェイク\n", /* 47 */ "0-RTTハンドシェイク\n", /* 48 */
#endif #endif
#ifdef WOLFSSL_MULTICAST #ifdef WOLFSSL_MULTICAST
"-3 <grpid> マルチキャスト, grpid < 256\n", /* 48 */ "-3 <grpid> マルチキャスト, grpid < 256\n", /* 49 */
#endif #endif
"-1 <num> 指定された言語で結果を表示します。" "-1 <num> 指定された言語で結果を表示します。"
"\n 0: 英語、 1: 日本語\n", /* 49 */ "\n 0: 英語、 1: 日本語\n", /* 50 */
#ifdef HAVE_TRUSTED_CA #ifdef HAVE_TRUSTED_CA
"-5 信頼できる認証局の鍵表示を使用する\n", /* 52 */ "-5 信頼できる認証局の鍵表示を使用する\n", /* 53 */
#endif #endif
#ifdef HAVE_CURVE448 #ifdef HAVE_CURVE448
"-8 Pre-generate Key share using Curve448 only\n", /* 55 */ "-8 Pre-generate Key share using Curve448 only\n", /* 55 */
@ -852,6 +858,9 @@ static void Usage(void)
#ifdef HAVE_SESSION_TICKET #ifdef HAVE_SESSION_TICKET
printf("%s", msg[++msgId]); /* -T */ printf("%s", msg[++msgId]); /* -T */
#endif #endif
#ifdef WOLFSSL_TLS13
printf("%s", msg[++msgId]); /* -F */
#endif
#ifdef WOLFSSL_POST_HANDSHAKE_AUTH #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
printf("%s", msg[++msgId]); /* -Q */ printf("%s", msg[++msgId]); /* -Q */
#endif #endif
@ -986,6 +995,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
int noPskDheKe = 0; int noPskDheKe = 0;
#endif #endif
int updateKeysIVs = 0; int updateKeysIVs = 0;
int tls13MutualAuth = 0;
int postHandAuth = 0; int postHandAuth = 0;
#ifdef WOLFSSL_EARLY_DATA #ifdef WOLFSSL_EARLY_DATA
int earlyData = 0; int earlyData = 0;
@ -1071,6 +1081,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
(void)crlFlags; (void)crlFlags;
(void)readySignal; (void)readySignal;
(void)updateKeysIVs; (void)updateKeysIVs;
(void)tls13MutualAuth;
(void)postHandAuth; (void)postHandAuth;
(void)mcastID; (void)mcastID;
(void)loadCertKeyIntoSSLObj; (void)loadCertKeyIntoSSLObj;
@ -1087,7 +1098,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
/* Not Used: h, z, F, T, V, W, X */ /* Not Used: h, z, F, T, V, W, X */
while ((ch = mygetopt(argc, argv, "?:" while ((ch = mygetopt(argc, argv, "?:"
"abc:defgijk:l:mnop:q:rstuv:wxy" "abc:defgijk:l:mnop:q:rstuv:wxy"
"A:B:C:D:E:GH:IJKL:MNO:PQR:S:TUVYZ:" "A:B:C:D:E:FGH:IJKL:MNO:PQR:S:TUVYZ:"
"01:23:4:58")) != -1) { "01:23:4:58")) != -1) {
switch (ch) { switch (ch) {
case '?' : case '?' :
@ -1402,6 +1413,12 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
#endif #endif
break; break;
case 'F' :
#ifdef WOLFSSL_TLS13
tls13MutualAuth = 1;
#endif
break;
case 'Q' : case 'Q' :
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH) #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
postHandAuth = 1; postHandAuth = 1;
@ -1745,6 +1762,10 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
} }
#endif #endif
} }
#ifdef WOLFSSL_TLS13
if (tls13MutualAuth)
wolfSSL_CTX_mutual_auth(ctx, 1);
#endif
#ifdef HAVE_ECC #ifdef HAVE_ECC

16
scripts/tls13.test
View File

@ -111,6 +111,22 @@ if [ $RESULT -eq 0 ]; then
fi fi
echo "" echo ""
# TLS 1.3 mutual auth required but client doesn't send certificates.
echo -e "\n\nTLS v1.3 mutual auth fail"
port=0
./examples/server/server -v 4 -F -R $ready_file -p $port &
server_pid=$!
create_port
./examples/client/client -v 4 -x -p $port
RESULT=$?
remove_ready_file
if [ $RESULT -eq 0 ]; then
echo -e "\n\nIssue with requiring mutual authentication"
do_cleanup
exit 1
fi
echo ""
./examples/client/client -v 3 2>&1 | grep -- 'Bad SSL version' ./examples/client/client -v 3 2>&1 | grep -- 'Bad SSL version'
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then

13
src/internal.c
View File

@ -5673,6 +5673,7 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
ssl->options.noTicketTls13 = ctx->noTicketTls13; ssl->options.noTicketTls13 = ctx->noTicketTls13;
#endif #endif
ssl->options.noPskDheKe = ctx->noPskDheKe; ssl->options.noPskDheKe = ctx->noPskDheKe;
ssl->options.mutualAuth = ctx->mutualAuth;
#if defined(WOLFSSL_POST_HANDSHAKE_AUTH) #if defined(WOLFSSL_POST_HANDSHAKE_AUTH)
ssl->options.postHandshakeAuth = ctx->postHandshakeAuth; ssl->options.postHandshakeAuth = ctx->postHandshakeAuth;
#endif #endif
@ -9829,6 +9830,9 @@ static void DoCertFatalAlert(WOLFSSL* ssl, int ret)
alertWhy = certificate_revoked; alertWhy = certificate_revoked;
} }
#endif #endif
else if (ret == NO_PEER_CERT) {
alertWhy = certificate_required;
}
/* send fatal alert and mark connection closed */ /* send fatal alert and mark connection closed */
SendAlert(ssl, alert_fatal, alertWhy); /* try to send */ SendAlert(ssl, alert_fatal, alertWhy); /* try to send */
@ -10600,6 +10604,15 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
args->count = args->totalCerts; args->count = args->totalCerts;
args->certIdx = 0; /* select peer cert (first one) */ args->certIdx = 0; /* select peer cert (first one) */
#ifdef WOLFSSL_TLS13
if (args->count == 0 && ssl->options.tls1_3 &&
ssl->options.mutualAuth &&
ssl->options.side == WOLFSSL_SERVER_END) {
ret = NO_PEER_CERT;
DoCertFatalAlert(ssl, ret);
}
#endif
args->dCertInit = 0; args->dCertInit = 0;
#ifndef WOLFSSL_SMALL_CERT_VERIFY #ifndef WOLFSSL_SMALL_CERT_VERIFY
args->dCert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), ssl->heap, args->dCert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), ssl->heap,

42
src/tls13.c
View File

@ -8292,6 +8292,48 @@ int wolfSSL_update_keys(WOLFSSL* ssl)
return ret; return ret;
} }
#if !defined(NO_CERTS)
/* Set whether mutual authentication is required for TLS v1.3 connections.
* Server side only.
*
* ctx The SSL/TLS CTX object.
* req 1 to indicate required and 0 when not.
* returns BAD_FUNC_ARG when ctx is NULL, SIDE_ERROR when not a server and
* 0 on success.
*/
int wolfSSL_CTX_mutual_auth(WOLFSSL_CTX* ctx, int req)
{
if (ctx == NULL || !IsAtLeastTLSv1_3(ctx->method->version))
return BAD_FUNC_ARG;
if (ctx->method->side == WOLFSSL_CLIENT_END)
return SIDE_ERROR;
ctx->mutualAuth = req;
return 0;
}
/* Set whether mutual authentication is required for a TLS v1.3 connection.
* Server side only.
*
* ssl The SSL/TLS object.
* req 1 to indicate required and 0 when not.
* returns BAD_FUNC_ARG when ssl is NULL, or not using TLS v1.3,
* SIDE_ERROR when not a client and 0 on success.
*/
int wolfSSL_mutual_auth(WOLFSSL* ssl, int req)
{
if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version))
return BAD_FUNC_ARG;
if (ssl->options.side == WOLFSSL_SERVER_END)
return SIDE_ERROR;
ssl->options.mutualAuth = req;
return 0;
}
#endif /* NO_CERTS */
#if !defined(NO_CERTS) && defined(WOLFSSL_POST_HANDSHAKE_AUTH) #if !defined(NO_CERTS) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
/* Allow post-handshake authentication in TLS v1.3 connections. /* Allow post-handshake authentication in TLS v1.3 connections.
* *

4
wolfssl/internal.h
View File

@ -2658,6 +2658,7 @@ struct WOLFSSL_CTX {
#ifdef WOLFSSL_TLS13 #ifdef WOLFSSL_TLS13
byte noTicketTls13:1; /* Server won't create new Ticket */ byte noTicketTls13:1; /* Server won't create new Ticket */
byte noPskDheKe:1; /* Don't use (EC)DHE with PSK */ byte noPskDheKe:1; /* Don't use (EC)DHE with PSK */
byte mutualAuth:1; /* Mutual authentication required */
#endif #endif
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH) #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
byte postHandshakeAuth:1; /* Post-handshake auth supported. */ byte postHandshakeAuth:1; /* Post-handshake auth supported. */
@ -3411,6 +3412,9 @@ typedef struct Options {
#endif #endif
word16 keepResources:1; /* Keep resources after handshake */ word16 keepResources:1; /* Keep resources after handshake */
word16 useClientOrder:1; /* Use client's cipher order */ word16 useClientOrder:1; /* Use client's cipher order */
#ifdef WOLFSSL_TLS13
word16 mutualAuth:1; /* Mutual authentication is rquired */
#endif
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH) #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
word16 postHandshakeAuth:1;/* Client send post_handshake_auth word16 postHandshakeAuth:1;/* Client send post_handshake_auth
* extension */ * extension */

3
wolfssl/ssl.h
View File

@ -627,6 +627,7 @@ enum AlertDescription {
unrecognized_name = 112, /**< RFC 6066, section 3 */ unrecognized_name = 112, /**< RFC 6066, section 3 */
bad_certificate_status_response = 113, /**< RFC 6066, section 8 */ bad_certificate_status_response = 113, /**< RFC 6066, section 8 */
unknown_psk_identity = 115, /**< RFC 4279, section 2 */ unknown_psk_identity = 115, /**< RFC 4279, section 2 */
certificate_required = 116, /**< RFC 8446, section 8.2 */
no_application_protocol = 120 no_application_protocol = 120
}; };
@ -866,6 +867,8 @@ WOLFSSL_API int wolfSSL_no_ticket_TLSv13(WOLFSSL* ssl);
WOLFSSL_API int wolfSSL_CTX_no_dhe_psk(WOLFSSL_CTX* ctx); WOLFSSL_API int wolfSSL_CTX_no_dhe_psk(WOLFSSL_CTX* ctx);
WOLFSSL_API int wolfSSL_no_dhe_psk(WOLFSSL* ssl); WOLFSSL_API int wolfSSL_no_dhe_psk(WOLFSSL* ssl);
WOLFSSL_API int wolfSSL_update_keys(WOLFSSL* ssl); WOLFSSL_API int wolfSSL_update_keys(WOLFSSL* ssl);
WOLFSSL_API int wolfSSL_CTX_mutual_auth(WOLFSSL_CTX* ctx, int req);
WOLFSSL_API int wolfSSL_mutual_auth(WOLFSSL* ssl, int req);
WOLFSSL_API int wolfSSL_CTX_allow_post_handshake_auth(WOLFSSL_CTX* ctx); WOLFSSL_API int wolfSSL_CTX_allow_post_handshake_auth(WOLFSSL_CTX* ctx);
WOLFSSL_API int wolfSSL_allow_post_handshake_auth(WOLFSSL* ssl); WOLFSSL_API int wolfSSL_allow_post_handshake_auth(WOLFSSL* ssl);
WOLFSSL_API int wolfSSL_request_certificate(WOLFSSL* ssl); WOLFSSL_API int wolfSSL_request_certificate(WOLFSSL* ssl);