Fail when WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT set in TLS1.3

This commit is contained in:
Sean Parkinson 2020-04-27 14:03:15 +10:00
parent 5376763638
commit c153873337
4 changed files with 31 additions and 17 deletions


@ -831,8 +831,8 @@ static void ClientWrite(WOLFSSL* ssl, char* msg, int msgSz, const char* str)
}
}
static void ClientRead(WOLFSSL* ssl, char* reply, int replyLen, int mustRead,
const char* str)
static int ClientRead(WOLFSSL* ssl, char* reply, int replyLen, int mustRead,
const char* str, int exitWithRet)
{
int ret, err;
char buffer[WOLFSSL_MAX_ERROR_SZ];
@ -853,7 +853,12 @@ static void ClientRead(WOLFSSL* ssl, char* reply, int replyLen, int mustRead,
if (err != WOLFSSL_ERROR_WANT_READ) {
printf("SSL_read reply error %d, %s\n", err,
wolfSSL_ERR_error_string(err, buffer));
err_sys("SSL_read failed");
if (!exitWithRet) {
err_sys("SSL_read failed");
}
else {
break;
}
}
}
@ -874,6 +879,8 @@ static void ClientRead(WOLFSSL* ssl, char* reply, int replyLen, int mustRead,
reply[ret] = 0;
printf("%s%s\n", str, reply);
}
return err;
}
@ -3095,14 +3102,18 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
ClientWrite(ssl, msg, msgSz, "");
ClientRead(ssl, reply, sizeof(reply)-1, 1, "");
err = ClientRead(ssl, reply, sizeof(reply)-1, 1, "", exitWithRet);
if (exitWithRet && (err != 0)) {
((func_args*)args)->return_code = err;
goto exit;
}
#if defined(WOLFSSL_TLS13)
if (updateKeysIVs || postHandAuth)
ClientWrite(ssl, msg, msgSz, "");
#endif
if (sendGET) { /* get html */
ClientRead(ssl, reply, sizeof(reply)-1, 0, "");
(void)ClientRead(ssl, reply, sizeof(reply)-1, 0, "", 0);
}
#ifndef NO_SESSION_CACHE
@ -3353,8 +3364,8 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
ClientWrite(sslResume, resumeMsg, resumeSz, " resume");
ClientRead(sslResume, reply, sizeof(reply)-1, sendGET,
"Server resume: ");
(void)ClientRead(sslResume, reply, sizeof(reply)-1, sendGET,
"Server resume: ", 0);
/* try to send session break */
ClientWrite(sslResume, msg, msgSz, " resume 2");
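Review bot: ClientRead now returns `err` (the `return err;` added before the closing brace) and takes a new `exitWithRet` parameter, but neither the return contract nor the parameter is documented, while the caller at `if (exitWithRet && (err != 0))` depends on exactly that contract. I would add above the signature: `/* Returns 0 on success, otherwise the wolfSSL error code of the failed read. With exitWithRet == 0 a fatal read error calls err_sys() and never returns; with exitWithRet != 0 the read loop is left and the error is handed back to the caller. */`. The `break` in the new `else` branch leaves the enclosing read loop, whose header and the initialization of `err` lie outside the hunk, so presumably `err` is reset on each iteration before the read; it is worth confirming that a non-fatal WOLFSSL_ERROR_WANT_READ is never what reaches the caller's `err != 0` check. The bodies of ClientRead and client_test extend beyond the hunks shown.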


@ -10663,7 +10663,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
args->count = args->totalCerts;
args->certIdx = 0; /* select peer cert (first one) */
if (args->count == 0 && ssl->options.mutualAuth &&
if (args->count == 0 && (ssl->options.mutualAuth ||
(ssl->options.failNoCert && IsAtLeastTLSv1_3(ssl->version))) &&
ssl->options.side == WOLFSSL_SERVER_END) {
ret = NO_PEER_CERT;
DoCertFatalAlert(ssl, ret);
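Review bot: The widened condition at `if (args->count == 0 && (ssl->options.mutualAuth ||` now spans three lines of nested parentheses and gives no hint why the failNoCert case is gated on TLS 1.3; a named local reads better and is the natural place for the why. I would write `int requirePeerCert = ssl->options.mutualAuth || (ssl->options.failNoCert && IsAtLeastTLSv1_3(ssl->version));` ahead of the test and reduce it to `if (args->count == 0 && requirePeerCert && ssl->options.side == WOLFSSL_SERVER_END) {`, with a comment such as `/* A TLS 1.3 client answers CertificateRequest with an empty Certificate message, so an empty chain is where a required-but-missing client cert is rejected */` once the reason for the version gate is confirmed — presumably the pre-1.3 failNoCert path is enforced elsewhere. ProcessPeerCerts begins and ends outside the hunk.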


@ -177,3 +177,14 @@
# client send alert on no mutual authentication
-v 3
-x
# server TLSv1.3 fail on no client certificate
# server always sets WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT unless using -d
-v 4
-l TLS13-AES128-GCM-SHA256
# client TLSv1.3 no client certificate
-v 4
-l TLS13-AES128-GCM-SHA256
-x


@ -135,15 +135,6 @@
-v 4
-l TLS13-AES128-GCM-SHA256
# client TLSv1.3 no client certificate
-v 4
-l TLS13-AES128-GCM-SHA256
-x
# server TLSv1.3
-v 4
-l TLS13-AES128-GCM-SHA256
# client TLSv1.3 DH key exchange
-v 4
-l TLS13-AES128-GCM-SHA256