
add support for WOLFSSL_VERIFY_POST_HANDSHAKE verify mode

Chris Conlon 2 years ago
parent
commit
070029fd08
7 changed files with 42 additions and 3 deletions
  1. 1 0
      src/internal.c
  2. 22 0
      src/ssl.c
  3. 5 1
      src/tls13.c
  4. 5 0
      tests/api.c
  5. 4 0
      wolfssl/internal.h
  6. 3 1
      wolfssl/ssl.h
  7. 2 1
      wrapper/CSharp/wolfSSL_CSharp/wolfSSL.cs

+ 1 - 0
src/internal.c

@@ -6218,6 +6218,7 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
     ssl->options.noPskDheKe = ctx->noPskDheKe;
     #if defined(WOLFSSL_POST_HANDSHAKE_AUTH)
         ssl->options.postHandshakeAuth = ctx->postHandshakeAuth;
+        ssl->options.verifyPostHandshake = ctx->verifyPostHandshake;
     #endif
 
     if (ctx->numGroups > 0) {
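Review bot: The new copy `ssl->options.verifyPostHandshake = ctx->verifyPostHandshake;` is guarded by `#if defined(WOLFSSL_POST_HANDSHAKE_AUTH)` alone, while the field it reads is declared in wolfssl/internal.h under `#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)` and every ssl.c hunk uses that combined guard. The existing postHandshakeAuth copy on the line above has the same mismatch, so the build presumably never defines WOLFSSL_POST_HANDSHAKE_AUTH without WOLFSSL_TLS13; if that is not enforced, a build with only the former fails here on an undeclared member. Changing the guard to `#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)` keeps the copy in step with the declaration. InitSSL continues outside the hunk.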

+ 22 - 0
src/ssl.c

@@ -11260,6 +11260,9 @@ void wolfSSL_CTX_set_verify(WOLFSSL_CTX* ctx, int mode, VerifyCallback vc)
     ctx->verifyNone     = 0;
     ctx->failNoCert     = 0;
     ctx->failNoCertxPSK = 0;
+#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
+    ctx->verifyPostHandshake = 0;
+#endif
 
     if (mode != WOLFSSL_VERIFY_DEFAULT) {
         if (mode == WOLFSSL_VERIFY_NONE) {
@@ -11275,6 +11278,11 @@ void wolfSSL_CTX_set_verify(WOLFSSL_CTX* ctx, int mode, VerifyCallback vc)
             if (mode & WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
                 ctx->failNoCert = 1;
             }
+#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
+            if (mode & WOLFSSL_VERIFY_POST_HANDSHAKE) {
+                ctx->verifyPostHandshake = 1;
+            }
+#endif
         }
     }
 
@@ -11309,6 +11317,10 @@ void wolfSSL_set_verify(WOLFSSL* ssl, int mode, VerifyCallback vc)
                                         == WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT;
     ssl->options.failNoCertxPSK = (mode & WOLFSSL_VERIFY_FAIL_EXCEPT_PSK)
                                         == WOLFSSL_VERIFY_FAIL_EXCEPT_PSK;
+#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
+    ssl->options.verifyPostHandshake = (mode & WOLFSSL_VERIFY_POST_HANDSHAKE)
+                                        == WOLFSSL_VERIFY_POST_HANDSHAKE;
+#endif
 
     ssl->verifyCallback = vc;
 }
@@ -46568,6 +46580,11 @@ int wolfSSL_get_verify_mode(const WOLFSSL* ssl) {
         if (ssl->options.failNoCertxPSK) {
             mode |= WOLFSSL_VERIFY_FAIL_EXCEPT_PSK;
         }
+#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
+        if (ssl->options.verifyPostHandshake) {
+            mode |= WOLFSSL_VERIFY_POST_HANDSHAKE;
+        }
+#endif
     }
 
     WOLFSSL_LEAVE("wolfSSL_get_verify_mode", mode);
@@ -46596,6 +46613,11 @@ int wolfSSL_CTX_get_verify_mode(const WOLFSSL_CTX* ctx)
         if (ctx->failNoCertxPSK) {
             mode |= WOLFSSL_VERIFY_FAIL_EXCEPT_PSK;
         }
+#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
+        if (ctx->verifyPostHandshake) {
+            mode |= WOLFSSL_VERIFY_POST_HANDSHAKE;
+        }
+#endif
     }
 
     WOLFSSL_LEAVE("wolfSSL_CTX_get_verify_mode", mode);
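Review bot: Neither wolfSSL_CTX_set_verify nor wolfSSL_set_verify documents what WOLFSSL_VERIFY_POST_HANDSHAKE changes, and the change is security-relevant: per the tls13.c hunk the server then completes the handshake without sending a CertificateRequest, so the peer is unauthenticated until the application explicitly requests a certificate afterwards and checks the result. The setters also accept the bit without WOLFSSL_VERIFY_PEER, in which case the flag is stored and echoed by the getters but, as far as this diff shows, nothing acts on it; stating that it is a modifier of VERIFY_PEER would avoid callers assuming it enables verification on its own. I would add above the new block in wolfSSL_CTX_set_verify: `/* WOLFSSL_VERIFY_POST_HANDSHAKE: with VERIFY_PEER, defer the client CertificateRequest to post-handshake auth; the application must request and verify the certificate after the handshake. */`. Whether failNoCert / failNoCertxPSK are still enforced when the request is deferred is not visible in this diff and is worth a test.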

+ 5 - 1
src/tls13.c

@@ -9401,7 +9401,11 @@ int wolfSSL_accept_TLSv13(WOLFSSL* ssl)
         case TLS13_SERVER_EXTENSIONS_SENT :
 #ifndef NO_CERTS
             if (!ssl->options.resuming) {
-                if (ssl->options.verifyPeer) {
+                if (ssl->options.verifyPeer
+    #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
+                    && !ssl->options.verifyPostHandshake
+    #endif
+                   ) {
                     ssl->error = SendTls13CertificateRequest(ssl, NULL, 0);
                     if (ssl->error != 0) {
                         WOLFSSL_ERROR(ssl->error);
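Review bot: With verifyPostHandshake set the new condition skips SendTls13CertificateRequest, so the handshake completes with the client unauthenticated, and nothing in this hunk checks that deferral is actually possible on this connection — a TLS 1.3 server may only send a post-handshake CertificateRequest to a client that offered the post_handshake_auth extension, and if this client did not, it can never be authenticated here. Whether the server records the peer's extension (in ssl->options.postHandshakeAuth or elsewhere) is not visible in this diff; if it does, this branch should either fall back to the in-handshake request or fail the handshake rather than silently proceed without client auth. At minimum the branch deserves a comment such as `/* VERIFY_POST_HANDSHAKE: no CertificateRequest now; the client is only authenticated if the application requests it after the handshake */`. wolfSSL_accept_TLSv13 starts and ends outside the hunk.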

+ 5 - 0
tests/api.c

@@ -36961,6 +36961,11 @@ static void test_wolfSSL_verify_mode(void)
     wolfSSL_set_verify(ssl, SSL_VERIFY_FAIL_EXCEPT_PSK, 0);
     AssertIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_FAIL_EXCEPT_PSK);
 
+#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
+    wolfSSL_set_verify(ssl, SSL_VERIFY_POST_HANDSHAKE, 0);
+    AssertIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_POST_HANDSHAKE);
+#endif
+
     AssertIntEQ(SSL_CTX_get_verify_mode(ctx),
                 WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT);
 
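Review bot: The added assertions only round-trip the bare bit through wolfSSL_set_verify / SSL_get_verify_mode; the CTX path that this commit also changes in wolfSSL_CTX_set_verify (the reset to 0 and the conditional set to 1) is not exercised, nor is the only combination that has an effect, SSL_VERIFY_PEER | SSL_VERIFY_POST_HANDSHAKE. After the existing SSL_CTX_get_verify_mode assertion I would add `wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_POST_HANDSHAKE, 0);` followed by `AssertIntEQ(SSL_CTX_get_verify_mode(ctx), SSL_VERIFY_PEER | SSL_VERIFY_POST_HANDSHAKE);`, under the same `#if` guard. A handshake-level test showing that the server omits the CertificateRequest with the bit set and still sends it without is the check that actually validates the tls13.c change. test_wolfSSL_verify_mode continues outside the hunk.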

+ 4 - 0
wolfssl/internal.h

@@ -2854,6 +2854,8 @@ struct WOLFSSL_CTX {
     byte        mutualAuth:1;     /* Mutual authentication required */
 #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
     byte        postHandshakeAuth:1;  /* Post-handshake auth supported. */
+    byte        verifyPostHandshake:1; /* Only send client cert req post
+                                        * handshake, not also during */
 #endif
 #ifndef NO_DH
     #if !defined(WOLFSSL_OLD_PRIME_CHECK) && !defined(HAVE_FIPS) && \
@@ -3662,6 +3664,8 @@ typedef struct Options {
 #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
     word16            postHandshakeAuth:1;/* Client send post_handshake_auth
                                            * extension */
+    word16            verifyPostHandshake:1; /* Only send client cert req post
+                                              * handshake, not also during */
 #endif
 #if defined(WOLFSSL_TLS13) && !defined(NO_WOLFSSL_SERVER)
     word16            sendCookie:1;       /* Server creates a Cookie in HRR */

+ 3 - 1
wolfssl/ssl.h

@@ -2186,6 +2186,7 @@ WOLFSSL_API void wolfSSL_ERR_print_errors(WOLFSSL_BIO *bio);
     #define SSL_VERIFY_PEER WOLFSSL_VERIFY_PEER
     #define SSL_VERIFY_FAIL_IF_NO_PEER_CERT WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT
     #define SSL_VERIFY_CLIENT_ONCE WOLFSSL_VERIFY_CLIENT_ONCE
+    #define SSL_VERIFY_POST_HANDSHAKE WOLFSSL_VERIFY_POST_HANDSHAKE
     #define SSL_VERIFY_FAIL_EXCEPT_PSK WOLFSSL_VERIFY_FAIL_EXCEPT_PSK
 
     #define SSL_SESS_CACHE_OFF WOLFSSL_SESS_CACHE_OFF
@@ -2256,7 +2257,8 @@ enum { /* ssl Constants */
     WOLFSSL_VERIFY_PEER                 = 1 << 0,
     WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT = 1 << 1,
     WOLFSSL_VERIFY_CLIENT_ONCE          = 1 << 2,
-    WOLFSSL_VERIFY_FAIL_EXCEPT_PSK      = 1 << 3,
+    WOLFSSL_VERIFY_POST_HANDSHAKE       = 1 << 3,
+    WOLFSSL_VERIFY_FAIL_EXCEPT_PSK      = 1 << 4,
     WOLFSSL_VERIFY_DEFAULT              = 1 << 9,
 
     WOLFSSL_SESS_CACHE_OFF                = 0x0000,
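Review bot: Moving WOLFSSL_VERIFY_FAIL_EXCEPT_PSK from `1 << 3` to `1 << 4` changes the value of a public enum in an installed header, and the wrapper/CSharp hunk that had to renumber its constants shows bindings do hard-code these values. Any binary or binding still built against the old header that passes 8 for FAIL_EXCEPT_PSK now sets verifyPostHandshake instead, leaving failNoCertxPSK clear — verification is silently weakened rather than failing loudly. Appending the new value instead of renumbering avoids this: keep `WOLFSSL_VERIFY_FAIL_EXCEPT_PSK      = 1 << 3,` and add `WOLFSSL_VERIFY_POST_HANDSHAKE       = 1 << 4,` after it, with the C# wrapper assigning 16 to the new name and leaving 8 untouched. The new enumerator also has no comment; a short `/* defer client CertificateRequest to post-handshake auth (TLS 1.3) */` would document it where callers look.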

+ 2 - 1
wrapper/CSharp/wolfSSL_CSharp/wolfSSL.cs

@@ -397,7 +397,8 @@ namespace wolfSSL.CSharp {
         public static readonly int SSL_VERIFY_PEER = 1;
         public static readonly int SSL_VERIFY_FAIL_IF_NO_PEER_CERT = 2;
         public static readonly int SSL_VERIFY_CLIENT_ONCE = 4;
-        public static readonly int SSL_VERIFY_FAIL_EXCEPT_PSK = 8;
+        public static readonly int SSL_VERIFY_POST_HANDSHAKE = 8;
+        public static readonly int SSL_VERIFY_FAIL_EXCEPT_PSK = 16;
 
         public static readonly int CBIO_ERR_GENERAL = -1;
         public static readonly int CBIO_ERR_WANT_READ = -2;