From 6334dd9cb0ea24f84f593321641a4d93fce6a5c7 Mon Sep 17 00:00:00 2001 From: Sean Parkinson Date: Thu, 20 Feb 2020 16:15:30 +1000 Subject: [PATCH 1/2] Allow mutual authentication to be required for TLS 1.3 --- examples/server/server.c | 47 +++++++++++++++++++++++++++++----------- scripts/tls13.test | 16 ++++++++++++++ src/internal.c | 13 +++++++++++ src/tls13.c | 42 +++++++++++++++++++++++++++++++++++ wolfssl/internal.h | 4 ++++ wolfssl/ssl.h | 3 +++ 6 files changed, 112 insertions(+), 13 deletions(-) diff --git a/examples/server/server.c b/examples/server/server.c index b9350292a..b891e3965 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -614,23 +614,26 @@ static const char* server_usage_msg[][49] = { #ifdef HAVE_SESSION_TICKET "-T Do not generate session ticket\n", /* 44 */ #endif +#ifdef WOLFSSL_TLS13 + "-F Mutual authentication is required\n", /* 45 */ +#endif #ifdef WOLFSSL_POST_HANDSHAKE_AUTH - "-Q Request certificate from client post-handshake\n", /* 45 */ + "-Q Request certificate from client post-handshake\n", /* 46 */ #endif #ifdef WOLFSSL_SEND_HRR_COOKIE - "-J Server sends Cookie Extension containing state\n", /* 46 */ + "-J Server sends Cookie Extension containing state\n", /* 47 */ #endif #endif /* WOLFSSL_TLS13 */ #ifdef WOLFSSL_EARLY_DATA - "-0 Early data read from client (0-RTT handshake)\n", /* 47 */ + "-0 Early data read from client (0-RTT handshake)\n", /* 48 */ #endif #ifdef WOLFSSL_MULTICAST - "-3 Multicast, grpid < 256\n", /* 48 */ + "-3 Multicast, grpid < 256\n", /* 49 */ #endif "-1 Display a result by specified language." - "\n 0: English, 1: Japanese\n", /* 49 */ + "\n 0: English, 1: Japanese\n", /* 50 */ #ifdef HAVE_TRUSTED_CA - "-5 Use Trusted CA Key Indication\n", /* 52 */ + "-5 Use Trusted CA Key Indication\n", /* 53 */ #endif #ifdef HAVE_CURVE448 "-8 Pre-generate Key share using Curve448 only\n", /* 55 */ 
@@ -734,25 +737,28 @@ static const char* server_usage_msg[][49] = { #ifdef HAVE_SESSION_TICKET "-T セッションチケットを生成しない\n", /* 44 */ #endif +#ifdef WOLFSSL_TLS13 + "-F Mutual authentication is required\n", /* 45 */ +#endif #ifdef WOLFSSL_POST_HANDSHAKE_AUTH "-Q クライアントのポストハンドシェイクから" - "証明書を要求する\n", /* 45 */ + "証明書を要求する\n", /* 46 */ #endif #ifdef WOLFSSL_SEND_HRR_COOKIE - "-J サーバーの状態を含むTLS Cookie 拡張を送信する\n", /* 46 */ + "-J サーバーの状態を含むTLS Cookie 拡張を送信する\n", /* 47 */ #endif #endif /* WOLFSSL_TLS13 */ #ifdef WOLFSSL_EARLY_DATA "-0 クライアントからの Early Data 読み取り" - "(0-RTTハンドシェイク)\n", /* 47 */ + "(0-RTTハンドシェイク)\n", /* 48 */ #endif #ifdef WOLFSSL_MULTICAST - "-3 マルチキャスト, grpid < 256\n", /* 48 */ + "-3 マルチキャスト, grpid < 256\n", /* 49 */ #endif "-1 指定された言語で結果を表示します。" - "\n 0: 英語、 1: 日本語\n", /* 49 */ + "\n 0: 英語、 1: 日本語\n", /* 50 */ #ifdef HAVE_TRUSTED_CA - "-5 信頼できる認証局の鍵表示を使用する\n", /* 52 */ + "-5 信頼できる認証局の鍵表示を使用する\n", /* 53 */ #endif #ifdef HAVE_CURVE448 "-8 Pre-generate Key share using Curve448 only\n", /* 55 */ @@ -852,6 +858,9 @@ static void Usage(void) #ifdef HAVE_SESSION_TICKET printf("%s", msg[++msgId]); /* -T */ #endif +#ifdef WOLFSSL_TLS13 + printf("%s", msg[++msgId]); /* -F */ +#endif #ifdef WOLFSSL_POST_HANDSHAKE_AUTH printf("%s", msg[++msgId]); /* -Q */ #endif @@ -986,6 +995,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) int noPskDheKe = 0; #endif int updateKeysIVs = 0; + int tls13MutualAuth = 0; int postHandAuth = 0; #ifdef WOLFSSL_EARLY_DATA int earlyData = 0; @@ -1071,6 +1081,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) (void)crlFlags; (void)readySignal; (void)updateKeysIVs; + (void)tls13MutualAuth; (void)postHandAuth; (void)mcastID; (void)loadCertKeyIntoSSLObj; 
@@ -1087,7 +1098,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) /* Not Used: h, z, F, T, V, W, X */ while ((ch = mygetopt(argc, argv, "?:" "abc:defgijk:l:mnop:q:rstuv:wxy" - "A:B:C:D:E:GH:IJKL:MNO:PQR:S:TUVYZ:" + "A:B:C:D:E:FGH:IJKL:MNO:PQR:S:TUVYZ:" "01:23:4:58")) != -1) { switch (ch) { case '?' : @@ -1402,6 +1413,12 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) #endif break; + case 'F' : + #ifdef WOLFSSL_TLS13 + tls13MutualAuth = 1; + #endif + break; + case 'Q' : #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH) postHandAuth = 1; @@ -1745,6 +1762,10 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) } #endif } +#ifdef WOLFSSL_TLS13 + if (tls13MutualAuth) + wolfSSL_CTX_mutual_auth(ctx, 1); +#endif #ifdef HAVE_ECC diff --git a/scripts/tls13.test b/scripts/tls13.test index ba999f41f..7beb9a56b 100755 --- a/scripts/tls13.test +++ b/scripts/tls13.test @@ -111,6 +111,22 @@ if [ $RESULT -eq 0 ]; then fi echo "" +# TLS 1.3 mutual auth required but client doesn't send certificates. +echo -e "\n\nTLS v1.3 mutual auth fail" +port=0 +./examples/server/server -v 4 -F -R $ready_file -p $port & +server_pid=$! +create_port +./examples/client/client -v 4 -x -p $port +RESULT=$? +remove_ready_file +if [ $RESULT -eq 0 ]; then + echo -e "\n\nIssue with requiring mutual authentication" + do_cleanup + exit 1 +fi +echo "" + ./examples/client/client -v 3 2>&1 | grep -- 'Bad SSL version' if [ $? -ne 0 ]; then diff --git a/src/internal.c b/src/internal.c index d73a881c7..bfae99953 100644 --- a/src/internal.c +++ b/src/internal.c @@ -5673,6 +5673,7 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup) ssl->options.noTicketTls13 = ctx->noTicketTls13; #endif ssl->options.noPskDheKe = ctx->noPskDheKe; + ssl->options.mutualAuth = ctx->mutualAuth; #if defined(WOLFSSL_POST_HANDSHAKE_AUTH) ssl->options.postHandshakeAuth = ctx->postHandshakeAuth; #endif 
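Review bot: The comment directly above the mygetopt() call, `/* Not Used: h, z, F, T, V, W, X */`, still lists F as a free option letter although this hunk adds F to the option string and a `case 'F'` handler; the second patch in the series does not touch that comment either. Update it to `/* Not Used: h, z, T, V, W, X */` so the next option added to the example does not collide with -F. server_test() starts and ends outside the hunk.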
@@ -9829,6 +9830,9 @@ static void DoCertFatalAlert(WOLFSSL* ssl, int ret)
 alertWhy = certificate_revoked;
 }
 #endif
+ else if (ret == NO_PEER_CERT) {
+ alertWhy = certificate_required;
+ }
 
 /* send fatal alert and mark connection closed */
 SendAlert(ssl, alert_fatal, alertWhy); /* try to send */
@@ -10600,6 +10604,15 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 args->count = args->totalCerts;
 args->certIdx = 0; /* select peer cert (first one) */
 
+ #ifdef WOLFSSL_TLS13
+ if (args->count == 0 && ssl->options.tls1_3 &&
+ ssl->options.mutualAuth &&
+ ssl->options.side == WOLFSSL_SERVER_END) {
+ ret = NO_PEER_CERT;
+ DoCertFatalAlert(ssl, ret);
+ }
+ #endif
+
 args->dCertInit = 0;
 #ifndef WOLFSSL_SMALL_CERT_VERIFY
 args->dCert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), ssl->heap,
diff --git a/src/tls13.c b/src/tls13.c
index e5fd49d8b..e2fdfa73e 100644
--- a/src/tls13.c
+++ b/src/tls13.c
@@ -8292,6 +8292,48 @@ int wolfSSL_update_keys(WOLFSSL* ssl)
 return ret;
 }
 
+#if !defined(NO_CERTS)
+/* Set whether mutual authentication is required for TLS v1.3 connections.
+ * Server side only.
+ *
+ * ctx The SSL/TLS CTX object.
+ * req 1 to indicate required and 0 when not.
+ * returns BAD_FUNC_ARG when ctx is NULL, SIDE_ERROR when not a server and
+ * 0 on success.
+ */
+int wolfSSL_CTX_mutual_auth(WOLFSSL_CTX* ctx, int req)
+{
+ if (ctx == NULL || !IsAtLeastTLSv1_3(ctx->method->version))
+ return BAD_FUNC_ARG;
+ if (ctx->method->side == WOLFSSL_CLIENT_END)
+ return SIDE_ERROR;
+
+ ctx->mutualAuth = req;
+
+ return 0;
+}
+
+/* Set whether mutual authentication is required for a TLS v1.3 connection.
+ * Server side only.
+ *
+ * ssl The SSL/TLS object.
+ * req 1 to indicate required and 0 when not.
+ * returns BAD_FUNC_ARG when ssl is NULL, or not using TLS v1.3,
+ * SIDE_ERROR when not a client and 0 on success.
+ */
+int wolfSSL_mutual_auth(WOLFSSL* ssl, int req)
+{
+ if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version))
+ return BAD_FUNC_ARG;
+ if (ssl->options.side == WOLFSSL_SERVER_END)
+ return SIDE_ERROR;
+
+ ssl->options.mutualAuth = req;
+
+ return 0;
+}
+#endif /* NO_CERTS */
+
 #if !defined(NO_CERTS) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
 /* Allow post-handshake authentication in TLS v1.3 connections.
 *
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index 262d8b6b6..776732303 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -2658,6 +2658,7 @@ struct WOLFSSL_CTX {
 #ifdef WOLFSSL_TLS13
 byte noTicketTls13:1; /* Server won't create new Ticket */
 byte noPskDheKe:1; /* Don't use (EC)DHE with PSK */
+ byte mutualAuth:1; /* Mutual authentication required */
 #endif
 #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
 byte postHandshakeAuth:1; /* Post-handshake auth supported. */
@@ -3411,6 +3412,9 @@ typedef struct Options { #endif word16 keepResources:1; /* Keep resources after handshake */ word16 useClientOrder:1; /* Use client's cipher order */ +#ifdef WOLFSSL_TLS13 + word16 mutualAuth:1; /* Mutual authentication is rquired */ +#endif #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH) word16 postHandshakeAuth:1;/* Client send post_handshake_auth * extension */ diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 6397fa177..f2ec11915 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -627,6 +627,7 @@ enum AlertDescription { unrecognized_name = 112, /**< RFC 6066, section 3 */ bad_certificate_status_response = 113, /**< RFC 6066, section 8 */ unknown_psk_identity = 115, /**< RFC 4279, section 2 */ + certificate_required = 116, /**< RFC 8446, section 8.2 */ no_application_protocol = 120 }; @@ -866,6 +867,8 @@ WOLFSSL_API int wolfSSL_no_ticket_TLSv13(WOLFSSL* ssl); WOLFSSL_API int wolfSSL_CTX_no_dhe_psk(WOLFSSL_CTX* ctx); WOLFSSL_API int wolfSSL_no_dhe_psk(WOLFSSL* ssl); WOLFSSL_API int wolfSSL_update_keys(WOLFSSL* ssl); +WOLFSSL_API int wolfSSL_CTX_mutual_auth(WOLFSSL_CTX* ctx, int req); +WOLFSSL_API int wolfSSL_mutual_auth(WOLFSSL* ssl, int req); WOLFSSL_API int wolfSSL_CTX_allow_post_handshake_auth(WOLFSSL_CTX* ctx); WOLFSSL_API int wolfSSL_allow_post_handshake_auth(WOLFSSL* ssl); WOLFSSL_API int wolfSSL_request_certificate(WOLFSSL* ssl); From 8cccb9008b0a38872255ac7426525e19677e7b99 Mon Sep 17 00:00:00 2001 From: Sean Parkinson Date: Fri, 21 Feb 2020 09:43:32 +1000 Subject: [PATCH 2/2] Change to work for other TLS versions Send alert when client doesn't send a certificate on request. --- examples/server/server.c | 22 +++++++-------------- src/internal.c | 17 ++++++++++------ src/ssl.c | 41 +++++++++++++++++++++++++++++++++++++++ src/tls13.c | 42 ---------------------------------------- tests/test-fails.conf | 8 ++++++++ wolfssl/internal.h | 4 +--- wolfssl/ssl.h | 4 ++-- 7 files changed, 70 insertions(+), 68 deletions(-) 
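Review bot: The comment on the new Options bit has a typo, `/* Mutual authentication is rquired */`, and the same line is carried unchanged as context into the second patch, so it will land in the tree as-is; fix it here: `word16 mutualAuth:1; /* Mutual authentication is required */`. The typedef struct Options starts and ends outside the hunk.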
diff --git a/examples/server/server.c b/examples/server/server.c index b891e3965..12d312cc1 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -614,9 +614,7 @@ static const char* server_usage_msg[][49] = { #ifdef HAVE_SESSION_TICKET "-T Do not generate session ticket\n", /* 44 */ #endif -#ifdef WOLFSSL_TLS13 - "-F Mutual authentication is required\n", /* 45 */ -#endif + "-F Send alert if no mutual authentication\n", /* 45 */ #ifdef WOLFSSL_POST_HANDSHAKE_AUTH "-Q Request certificate from client post-handshake\n", /* 46 */ #endif @@ -737,9 +735,7 @@ static const char* server_usage_msg[][49] = { #ifdef HAVE_SESSION_TICKET "-T セッションチケットを生成しない\n", /* 44 */ #endif -#ifdef WOLFSSL_TLS13 - "-F Mutual authentication is required\n", /* 45 */ -#endif + "-F Send alert if no mutual authentication\n", /* 45 */ #ifdef WOLFSSL_POST_HANDSHAKE_AUTH "-Q クライアントのポストハンドシェイクから" "証明書を要求する\n", /* 46 */ @@ -858,9 +854,7 @@ static void Usage(void) #ifdef HAVE_SESSION_TICKET printf("%s", msg[++msgId]); /* -T */ #endif -#ifdef WOLFSSL_TLS13 printf("%s", msg[++msgId]); /* -F */ -#endif #ifdef WOLFSSL_POST_HANDSHAKE_AUTH printf("%s", msg[++msgId]); /* -Q */ #endif @@ -995,7 +989,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) int noPskDheKe = 0; #endif int updateKeysIVs = 0; - int tls13MutualAuth = 0; + int mutualAuth = 0; int postHandAuth = 0; #ifdef WOLFSSL_EARLY_DATA int earlyData = 0; @@ -1081,7 +1075,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) (void)crlFlags; (void)readySignal; (void)updateKeysIVs; - (void)tls13MutualAuth; + (void)mutualAuth; (void)postHandAuth; (void)mcastID; (void)loadCertKeyIntoSSLObj; @@ -1414,9 +1408,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) break; case 'F' : - #ifdef WOLFSSL_TLS13 - tls13MutualAuth = 1; - #endif + mutualAuth = 1; break; case 'Q' : 
@@ -1762,8 +1754,8 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) } #endif } -#ifdef WOLFSSL_TLS13 - if (tls13MutualAuth) +#ifndef NO_CERTS + if (mutualAuth) wolfSSL_CTX_mutual_auth(ctx, 1); #endif diff --git a/src/internal.c b/src/internal.c index bfae99953..0ffb0d670 100644 --- a/src/internal.c +++ b/src/internal.c @@ -5667,13 +5667,13 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup) ssl->options.haveEMS = ctx->haveEMS; #endif ssl->options.useClientOrder = ctx->useClientOrder; + ssl->options.mutualAuth = ctx->mutualAuth; #ifdef WOLFSSL_TLS13 #ifdef HAVE_SESSION_TICKET ssl->options.noTicketTls13 = ctx->noTicketTls13; #endif ssl->options.noPskDheKe = ctx->noPskDheKe; - ssl->options.mutualAuth = ctx->mutualAuth; #if defined(WOLFSSL_POST_HANDSHAKE_AUTH) ssl->options.postHandshakeAuth = ctx->postHandshakeAuth; #endif @@ -9831,7 +9831,15 @@ static void DoCertFatalAlert(WOLFSSL* ssl, int ret) } #endif else if (ret == NO_PEER_CERT) { - alertWhy = certificate_required; +#ifdef WOLFSSL_TLS13 + if (ssl->options.tls1_3) { + alertWhy = certificate_required; + } + else +#endif + { + alertWhy = handshake_failure; + } } /* send fatal alert and mark connection closed */ @@ -10604,14 +10612,11 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, args->count = args->totalCerts; args->certIdx = 0; /* select peer cert (first one) */ - #ifdef WOLFSSL_TLS13 - if (args->count == 0 && ssl->options.tls1_3 && - ssl->options.mutualAuth && + if (args->count == 0 && ssl->options.mutualAuth && ssl->options.side == WOLFSSL_SERVER_END) { ret = NO_PEER_CERT; DoCertFatalAlert(ssl, ret); } - #endif args->dCertInit = 0; #ifndef WOLFSSL_SMALL_CERT_VERIFY diff --git a/src/ssl.c b/src/ssl.c index 96b99596c..54b8e55ff 100644 --- a/src/ssl.c +++ b/src/ssl.c 
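Review bot: In the ProcessPeerCerts hunk, after `DoCertFatalAlert(ssl, ret);` in the `args->count == 0` branch the code falls straight through to `args->dCertInit = 0;` and the DecodedCert allocation, so a fatal alert has been sent and the connection marked closed yet certificate processing continues on an empty chain; whether `ret` still holds NO_PEER_CERT by the time the function returns depends on later state-machine code outside this hunk, which I cannot see here. Leaving through the function's normal exit path immediately after the alert (so the args cleanup still runs) would make the rejection unconditional instead of relying on nothing downstream resetting `ret`. I would also add a one-line comment above the check, e.g. `/* Empty Certificate message from client while mutual auth is required. */`, since the condition is the only place the new option takes effect. ProcessPeerCerts() starts and ends outside the hunk.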
@@ -956,6 +956,47 @@ int wolfSSL_dtls(WOLFSSL* ssl)
 return dtlsOpt;
 }
 
+#if !defined(NO_CERTS)
+/* Set whether mutual authentication is required for connections.
+ * Server side only.
+ *
+ * ctx The SSL/TLS CTX object.
+ * req 1 to indicate required and 0 when not.
+ * returns BAD_FUNC_ARG when ctx is NULL, SIDE_ERROR when not a server and
+ * 0 on success.
+ */
+int wolfSSL_CTX_mutual_auth(WOLFSSL_CTX* ctx, int req)
+{
+ if (ctx == NULL)
+ return BAD_FUNC_ARG;
+ if (ctx->method->side == WOLFSSL_CLIENT_END)
+ return SIDE_ERROR;
+
+ ctx->mutualAuth = (byte)req;
+
+ return 0;
+}
+
+/* Set whether mutual authentication is required for the connection.
+ * Server side only.
+ *
+ * ssl The SSL/TLS object.
+ * req 1 to indicate required and 0 when not.
+ * returns BAD_FUNC_ARG when ssl is NULL, or not using TLS v1.3,
+ * SIDE_ERROR when not a client and 0 on success.
+ */
+int wolfSSL_mutual_auth(WOLFSSL* ssl, int req)
+{
+ if (ssl == NULL)
+ return BAD_FUNC_ARG;
+ if (ssl->options.side == WOLFSSL_SERVER_END)
+ return SIDE_ERROR;
+
+ ssl->options.mutualAuth = (word16)req;
+
+ return 0;
+}
+#endif /* NO_CERTS */
 
 #ifndef WOLFSSL_LEANPSK
 int wolfSSL_dtls_set_peer(WOLFSSL* ssl, void* peer, unsigned int peerSz)
diff --git a/src/tls13.c b/src/tls13.c
index e2fdfa73e..e5fd49d8b 100644
--- a/src/tls13.c
+++ b/src/tls13.c
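Review bot: wolfSSL_mutual_auth() rejects the side the feature is for: its header comment says "Server side only" and the flag is only honoured when `ssl->options.side == WOLFSSL_SERVER_END` in ProcessPeerCerts, yet the guard `if (ssl->options.side == WOLFSSL_SERVER_END) return SIDE_ERROR;` refuses a server WOLFSSL object and accepts a client one, where the setting has no effect, so per-connection enforcement cannot be turned on at all. It should be `if (ssl->options.side == WOLFSSL_CLIENT_END) return SIDE_ERROR;` to match wolfSSL_CTX_mutual_auth(), and the doc line "SIDE_ERROR when not a client" should read "when not a server" (the "or not using TLS v1.3" clause is also stale now that the version check is gone). Separately, both setters store `req` into a 1-bit field via `(byte)req` / `(word16)req`, so an even non-zero value such as 2 silently stores 0; normalising with `ctx->mutualAuth = (req != 0);` (and likewise for ssl) keeps "any non-zero means required" true.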
@@ -8292,48 +8292,6 @@ int wolfSSL_update_keys(WOLFSSL* ssl)
 return ret;
 }
 
-#if !defined(NO_CERTS)
-/* Set whether mutual authentication is required for TLS v1.3 connections.
- * Server side only.
- *
- * ctx The SSL/TLS CTX object.
- * req 1 to indicate required and 0 when not.
- * returns BAD_FUNC_ARG when ctx is NULL, SIDE_ERROR when not a server and
- * 0 on success.
- */
-int wolfSSL_CTX_mutual_auth(WOLFSSL_CTX* ctx, int req)
-{
- if (ctx == NULL || !IsAtLeastTLSv1_3(ctx->method->version))
- return BAD_FUNC_ARG;
- if (ctx->method->side == WOLFSSL_CLIENT_END)
- return SIDE_ERROR;
-
- ctx->mutualAuth = req;
-
- return 0;
-}
-
-/* Set whether mutual authentication is required for a TLS v1.3 connection.
- * Server side only.
- *
- * ssl The SSL/TLS object.
- * req 1 to indicate required and 0 when not.
- * returns BAD_FUNC_ARG when ssl is NULL, or not using TLS v1.3,
- * SIDE_ERROR when not a client and 0 on success.
- */
-int wolfSSL_mutual_auth(WOLFSSL* ssl, int req)
-{
- if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version))
- return BAD_FUNC_ARG;
- if (ssl->options.side == WOLFSSL_SERVER_END)
- return SIDE_ERROR;
-
- ssl->options.mutualAuth = req;
-
- return 0;
-}
-#endif /* NO_CERTS */
-
 #if !defined(NO_CERTS) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
 /* Allow post-handshake authentication in TLS v1.3 connections.
 *
diff --git a/tests/test-fails.conf b/tests/test-fails.conf
index 86fb3d4e3..d8ea91fd4 100644
--- a/tests/test-fails.conf
+++ b/tests/test-fails.conf
@@ -169,3 +169,11 @@
 -v 3
 -l ECDHE-ECDSA-AES128-GCM-SHA256
 -H verifyFail
+
+# server send alert on no mutual authentication
+-v 3
+-F
+
+# client send alert on no mutual authentication
+-v 3
+-x
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index 776732303..62a881f1c 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -2658,8 +2658,8 @@ struct WOLFSSL_CTX {
 #ifdef WOLFSSL_TLS13
 byte noTicketTls13:1; /* Server won't create new Ticket */
 byte noPskDheKe:1; /* Don't use (EC)DHE with PSK */
- byte mutualAuth:1; /* Mutual authentication required */
 #endif
+ byte mutualAuth:1; /* Mutual authentication required */
 #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
 byte postHandshakeAuth:1; /* Post-handshake auth supported. */
 #endif
@@ -3412,9 +3412,7 @@ typedef struct Options {
 #endif
 word16 keepResources:1; /* Keep resources after handshake */
 word16 useClientOrder:1; /* Use client's cipher order */
-#ifdef WOLFSSL_TLS13
 word16 mutualAuth:1; /* Mutual authentication is rquired */
-#endif
 #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
 word16 postHandshakeAuth:1;/* Client send post_handshake_auth
 * extension */
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
index f2ec11915..b1d6f69f7 100644
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
@@ -859,6 +859,8 @@ WOLFSSL_ABI WOLFSSL_API int wolfSSL_write(WOLFSSL*, const void*, int);
 WOLFSSL_ABI WOLFSSL_API int wolfSSL_read(WOLFSSL*, void*, int);
 WOLFSSL_API int wolfSSL_peek(WOLFSSL*, void*, int);
 WOLFSSL_API int wolfSSL_accept(WOLFSSL*);
+WOLFSSL_API int wolfSSL_CTX_mutual_auth(WOLFSSL_CTX* ctx, int req);
+WOLFSSL_API int wolfSSL_mutual_auth(WOLFSSL* ssl, int req);
 #ifdef WOLFSSL_TLS13
 WOLFSSL_API int wolfSSL_send_hrr_cookie(WOLFSSL* ssl,
 const unsigned char* secret, unsigned int secretSz);
@@ -867,8 +869,6 @@ WOLFSSL_API int wolfSSL_no_ticket_TLSv13(WOLFSSL* ssl);
 WOLFSSL_API int wolfSSL_CTX_no_dhe_psk(WOLFSSL_CTX* ctx);
 WOLFSSL_API int wolfSSL_no_dhe_psk(WOLFSSL* ssl);
 WOLFSSL_API int wolfSSL_update_keys(WOLFSSL* ssl);
-WOLFSSL_API int wolfSSL_CTX_mutual_auth(WOLFSSL_CTX* ctx, int req);
-WOLFSSL_API int wolfSSL_mutual_auth(WOLFSSL* ssl, int req);
 WOLFSSL_API int wolfSSL_CTX_allow_post_handshake_auth(WOLFSSL_CTX* ctx);
 WOLFSSL_API int wolfSSL_allow_post_handshake_auth(WOLFSSL* ssl);
 WOLFSSL_API int wolfSSL_request_certificate(WOLFSSL* ssl);