mirror of https://github.com/wolfSSL/wolfssl
fix ecc w/ no rsa send cert verify and server flag for missing cert verify
This commit is contained in:
parent
b397f89b27
commit
cc9ac1846d
|
@ -110,6 +110,7 @@ enum CyaSSL_ErrorCodes {
|
|||
SANITY_CIPHER_E = -275, /* sanity check on cipher error */
|
||||
RECV_OVERFLOW_E = -276, /* RXCB returned more than rqed */
|
||||
GEN_COOKIE_E = -277, /* Generate Cookie Error */
|
||||
NO_PEER_VERIFY = -278, /* Need peer cert verify Error */
|
||||
/* add strings to SetErrorString !!!!! */
|
||||
|
||||
/* begin negotiation parameter errors */
|
||||
|
|
|
@ -1317,6 +1317,7 @@ typedef struct Options {
|
|||
byte haveECDSAsig; /* server ECDSA signed cert */
|
||||
byte haveStaticECC; /* static server ECC private key */
|
||||
byte havePeerCert; /* do we have peer's cert */
|
||||
byte havePeerVerify; /* and peer's cert verify */
|
||||
byte usingPSK_cipher; /* whether we're using psk as cipher */
|
||||
byte sendAlertState; /* nonblocking resume */
|
||||
byte processReply; /* nonblocking resume */
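Review bot: The new `havePeerVerify` field's comment, `/* and peer's cert verify */`, only reads correctly as a continuation of the `havePeerCert` line above it; on its own it does not say what the flag means or who sets it. Elsewhere in this commit it is set only after a successful CertificateVerify check and consulted on the server when ChangeCipherSpec arrives, so a self-contained comment such as `/* server: client's CertificateVerify received and checked */` would make the field's contract clear to the next reader. The `Options` struct starts and ends outside the hunk.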
|
||||
|
|
|
@ -1191,7 +1191,8 @@ int InitSSL(CYASSL* ssl, CYASSL_CTX* ctx)
|
|||
ssl->options.haveNTRU = ctx->haveNTRU;
|
||||
ssl->options.haveECDSAsig = ctx->haveECDSAsig;
|
||||
ssl->options.haveStaticECC = ctx->haveStaticECC;
|
||||
ssl->options.havePeerCert = 0;
|
||||
ssl->options.havePeerCert = 0;
|
||||
ssl->options.havePeerVerify = 0;
|
||||
ssl->options.usingPSK_cipher = 0;
|
||||
ssl->options.sendAlertState = 0;
|
||||
#ifndef NO_PSK
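Review bot: `havePeerVerify` is zeroed here in InitSSL, but nothing in this commit clears it again, so if the library resets handshake state for a renegotiation or a resumed session somewhere other than InitSSL (I cannot see that from this hunk), a flag left set by an earlier handshake would let the new ChangeCipherSpec check in ProcessReply pass without a fresh CertificateVerify; the same applies to `havePeerCert`. Worth confirming that both flags are cleared wherever the handshake is restarted, or documenting here that InitSSL is the only reset point. The rendered page prints `ssl->options.havePeerCert = 0;` twice; given the 7→8 line counts that is most likely the old/new print of one unchanged-in-substance line rather than a real duplicate, so no change is needed for it. InitSSL continues outside the hunk.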
|
||||
|
@ -4283,6 +4284,17 @@ int ProcessReply(CYASSL* ssl)
|
|||
CYASSL_MSG("Malicious or corrupted ChangeCipher msg");
|
||||
return LENGTH_ERROR;
|
||||
}
|
||||
#ifndef NO_CERTS
|
||||
if (ssl->options.side == SERVER_END &&
|
||||
ssl->options.verifyPeer &&
|
||||
ssl->options.havePeerCert)
|
||||
if (!ssl->options.havePeerVerify) {
|
||||
CYASSL_MSG("client didn't send cert verify");
|
||||
return NO_PEER_VERIFY;
|
||||
}
|
||||
#endif
|
||||
|
||||
|
||||
ssl->buffers.inputBuffer.idx++;
|
||||
ssl->keys.encryptionOn = 1;
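Review bot: The outer `if (ssl->options.side == SERVER_END && ...)` in the new `#ifndef NO_CERTS` block has no braces around its body, while the inner `if (!ssl->options.havePeerVerify)` does; a later edit that adds a statement at the outer level would silently change which statements are guarded. Folding the two conditions into one braced test avoids that: `if (ssl->options.side == SERVER_END && ssl->options.verifyPeer &&` / `    ssl->options.havePeerCert && !ssl->options.havePeerVerify) {` with the existing CYASSL_MSG and `return NO_PEER_VERIFY;` inside. The check is correctly placed before `idx++` and before `encryptionOn = 1`, so a missing verify is rejected before the connection switches to the negotiated keys. Note that the check only triggers when `havePeerCert` is set; a client that sent no certificate at all is presumably handled by the existing verifyPeer / no-cert path, which is outside this hunk. ProcessReply starts and ends outside the hunk.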
|
||||
|
||||
|
@ -5437,6 +5449,10 @@ void SetErrorString(int error, char* str)
|
|||
XSTRNCPY(str, "Generate Cookie Error", max);
|
||||
break;
|
||||
|
||||
case NO_PEER_VERIFY:
|
||||
XSTRNCPY(str, "Need peer certificate verify Error", max);
|
||||
break;
|
||||
|
||||
default :
|
||||
XSTRNCPY(str, "unknown error number", max);
|
||||
}
|
||||
|
@ -8882,6 +8898,9 @@ int SetCipherList(Suites* s, const char* list)
|
|||
ret = 0; /* verified */
|
||||
}
|
||||
#endif
|
||||
if (ret == 0)
|
||||
ssl->options.havePeerVerify = 1;
|
||||
|
||||
return ret;
|
||||
}
|
||||
#endif /* !NO_RSA || HAVE_ECC */
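Review bot: The new `ssl->options.havePeerVerify = 1;` is gated on `ret == 0`, which is the right place (a failed signature check leaves the flag clear and the error is returned), but the line gives no hint that it is consumed elsewhere; a one-line comment such as `/* ChangeCipherSpec handling in ProcessReply requires this on the server */` would tie the two halves of the fix together. The hunk header names `SetCipherList` as context, but the body (`return ret;` followed by `#endif /* !NO_RSA || HAVE_ECC */`) looks like the tail of the certificate-verify handler rather than SetCipherList; the enclosing function starts outside the hunk, so I cannot confirm its name from here.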
|
||||
|
|
|
@ -2715,7 +2715,7 @@ int CyaSSL_dtls_got_timeout(CYASSL* ssl)
|
|||
CYASSL_MSG("connect state: FIRST_REPLY_SECOND");
|
||||
|
||||
case FIRST_REPLY_SECOND :
|
||||
#ifndef NO_RSA
|
||||
#ifndef NO_CERTS
|
||||
if (ssl->options.sendVerify)
|
||||
if ( (ssl->error = SendCertificateVerify(ssl)) != 0) {
|
||||
CYASSL_ERROR(ssl->error);
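Review bot: Changing the guard around the `SendCertificateVerify(ssl)` call from `#ifndef NO_RSA` to `#ifndef NO_CERTS` widens it beyond the condition under which the verify code appears to be compiled: the previous hunk closes that code with `#endif /* !NO_RSA || HAVE_ECC */`. If a build leaves certificates enabled but defines `NO_RSA` without `HAVE_ECC`, this call would reference a function that may not exist; I cannot see SendCertificateVerify's own guard from this page, so this is inferred from that comment. Either nest `#if !defined(NO_RSA) || defined(HAVE_ECC)` inside the `NO_CERTS` guard here, or confirm that `sendVerify` can never be set in such a configuration and note that next to the call. As in ProcessReply, the unbraced outer `if (ssl->options.sendVerify)` wrapping a braced inner `if` is worth bracing. The enclosing connect state machine starts and ends outside the hunk.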
|
||||
|
|