Merge pull request #2926 from SparkiDev/tls13_failnocert

Fail when WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT set in TLS1.3

examples/client/client.c

@@ -831,8 +831,8 @@ static void ClientWrite(WOLFSSL* ssl, char* msg, int msgSz, const char* str)
     }
 }
 
-static void ClientRead(WOLFSSL* ssl, char* reply, int replyLen, int mustRead,
+static int ClientRead(WOLFSSL* ssl, char* reply, int replyLen, int mustRead,
-                       const char* str)
+                      const char* str, int exitWithRet)
 {
     int ret, err;
     char buffer[WOLFSSL_MAX_ERROR_SZ];
@@ -853,8 +853,13 @@ static void ClientRead(WOLFSSL* ssl, char* reply, int replyLen, int mustRead,
             if (err != WOLFSSL_ERROR_WANT_READ) {
                 printf("SSL_read reply error %d, %s\n", err,
                                          wolfSSL_ERR_error_string(err, buffer));
+                if (!exitWithRet) {
                     err_sys("SSL_read failed");
                 }
+                else {
+                    break;
+                }
+            }
         }
 
         if (mustRead && err == WOLFSSL_ERROR_WANT_READ) {
@@ -874,6 +879,8 @@ static void ClientRead(WOLFSSL* ssl, char* reply, int replyLen, int mustRead,
         reply[ret] = 0;
         printf("%s%s\n", str, reply);
     }
+
+    return err;
 }
 
 
@@ -3095,14 +3102,18 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 
     ClientWrite(ssl, msg, msgSz, "");
 
-    ClientRead(ssl, reply, sizeof(reply)-1, 1, "");
+    err = ClientRead(ssl, reply, sizeof(reply)-1, 1, "", exitWithRet);
+    if (exitWithRet && (err != 0)) {
+        ((func_args*)args)->return_code = err;
+        goto exit;
+    }
 
 #if defined(WOLFSSL_TLS13)
     if (updateKeysIVs || postHandAuth)
         ClientWrite(ssl, msg, msgSz, "");
 #endif
     if (sendGET) {  /* get html */
-        ClientRead(ssl, reply, sizeof(reply)-1, 0, "");
+        (void)ClientRead(ssl, reply, sizeof(reply)-1, 0, "", 0);
     }
 
 #ifndef NO_SESSION_CACHE
@@ -3353,8 +3364,8 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 
         ClientWrite(sslResume, resumeMsg, resumeSz, " resume");
 
-        ClientRead(sslResume, reply, sizeof(reply)-1, sendGET,
+        (void)ClientRead(sslResume, reply, sizeof(reply)-1, sendGET,
-                   "Server resume: ");
+                         "Server resume: ", 0);
         /* try to send session break */
         ClientWrite(sslResume, msg, msgSz, " resume 2");
 

src/internal.c

@@ -10665,7 +10665,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
             args->count = args->totalCerts;
             args->certIdx = 0; /* select peer cert (first one) */
 
-            if (args->count == 0 && ssl->options.mutualAuth &&
+            if (args->count == 0 && (ssl->options.mutualAuth ||
+                 (ssl->options.failNoCert && IsAtLeastTLSv1_3(ssl->version))) &&
                                       ssl->options.side == WOLFSSL_SERVER_END) {
                 ret = NO_PEER_CERT;
                 DoCertFatalAlert(ssl, ret);

tests/test-fails.conf

@@ -177,3 +177,14 @@
 # client send alert on no mutual authentication
 -v 3
 -x
+
+# server TLSv1.3 fail on no client certificate
+# server always sets WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT unless using -d
+-v 4
+-l TLS13-AES128-GCM-SHA256
+
+# client TLSv1.3 no client certificate
+-v 4
+-l TLS13-AES128-GCM-SHA256
+-x
+

tests/test-tls13.conf

@@ -135,15 +135,6 @@
 -v 4
 -l TLS13-AES128-GCM-SHA256
 
-# client TLSv1.3 no client certificate
--v 4
--l TLS13-AES128-GCM-SHA256
--x
-
-# server TLSv1.3
--v 4
--l TLS13-AES128-GCM-SHA256
-
 # client TLSv1.3 DH key exchange
 -v 4
 -l TLS13-AES128-GCM-SHA256