From 1c6e1c4c9ac7a2547ab38e411ffaa30111b0dbe7 Mon Sep 17 00:00:00 2001
From: David Garske
Date: Tue, 19 Dec 2023 12:31:28 -0800
Subject: [PATCH] Add mutual auth, RSA/ECC and TLS v1.2/v1.3 support to TLS crypto callback examples.
---
 tls/client-tls-cryptocb.c | 52 ++++++++++++++++++++++++++++++++++++---
 tls/server-tls-cryptocb.c | 40 +++++++++++++++++++++++++++---
 2 files changed, 85 insertions(+), 7 deletions(-)
diff --git a/tls/client-tls-cryptocb.c b/tls/client-tls-cryptocb.c
index bf98badb..27a7bdfc 100644
--- a/tls/client-tls-cryptocb.c
+++ b/tls/client-tls-cryptocb.c
@@ -31,7 +31,9 @@
 #include /* wolfSSL */
-#include
+#ifndef WOLFSSL_USER_SETTINGS
+ #include
+#endif
 #include
 #include
 #include
@@ -39,7 +41,18 @@
 #define DEFAULT_PORT 11111
-#define CA_FILE "../certs/ca-cert.pem"
+#define USE_ECDHE_ECDSA
+#define USE_TLSV13
+
+#ifdef USE_ECDHE_ECDSA
+#define CERT_FILE "../certs/client-ecc-cert.pem"
+#define KEY_FILE "../certs/ecc-client-key.pem"
+#define CA_FILE "../certs/ca-ecc-cert.pem"
+#else
+#define CERT_FILE "../certs/client-cert.pem"
+#define KEY_FILE "../certs/client-key.pem"
+#define CA_FILE "../certs/ca-cert.pem"
+#endif
 #ifdef WOLF_CRYPTO_CB /* Example custom context for crypto callback */
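Review bot: `#define USE_ECDHE_ECDSA` and `#define USE_TLSV13` in the second hunk are defined unconditionally, so the RSA and TLS v1.2 variants this commit advertises can only be selected by editing the source, and a `-D`/`-U` on the compiler command line cannot override them. At minimum the intent should be written next to each one, e.g. `#define USE_ECDHE_ECDSA /* comment out to use the RSA certificates */` and `#define USE_TLSV13 /* comment out to use TLS v1.2 */`, or the selection should move to a build flag. The same two unconditional defines appear in the header hunk of tls/server-tls-cryptocb.c, and the client and server must agree on both or the handshake fails with an unhelpful error. The `#include` targets in the first hunk are not legible on this page, so they could not be reviewed.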
@@ -555,12 +568,45 @@ int main(int argc, char** argv)
 #endif /* Create and initialize WOLFSSL_CTX */
- if ((ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method())) == NULL) {
+#ifdef USE_TLSV13
+ ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method());
+#else
+ ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method());
+#endif
+ if (ctx == NULL) {
 fprintf(stderr, "ERROR: failed to create WOLFSSL_CTX\n");
 ret = -1;
 goto exit;
 }
+ /* Mutual Authentication */
+ /* Load client certificate into WOLFSSL_CTX */
+ if ((ret = wolfSSL_CTX_use_certificate_file(ctx, CERT_FILE,
+ WOLFSSL_FILETYPE_PEM)) != WOLFSSL_SUCCESS) {
+ fprintf(stderr, "ERROR: failed to load %s, please check the file.\n",
+ CERT_FILE);
+ goto exit;
+ }
+
+ /* Load client key into WOLFSSL_CTX */
+ if ((ret = wolfSSL_CTX_use_PrivateKey_file(ctx, KEY_FILE,
+ WOLFSSL_FILETYPE_PEM)) != WOLFSSL_SUCCESS) {
+ fprintf(stderr, "ERROR: failed to load %s, please check the file.\n",
+ KEY_FILE);
+ goto exit;
+ }
+
+ /* Load CA certificate into WOLFSSL_CTX for validating peer */
+ if ((ret = wolfSSL_CTX_load_verify_locations(ctx, CA_FILE, NULL))
+ != WOLFSSL_SUCCESS) {
+ fprintf(stderr, "ERROR: failed to load %s, please check the file.\n",
+ CA_FILE);
+ goto exit;
+ }
+
+ /* validate peer certificate */
+ wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, NULL);
+ /* register a devID for crypto callbacks */ wolfSSL_CTX_SetDevId(ctx, devId);
diff --git a/tls/server-tls-cryptocb.c b/tls/server-tls-cryptocb.c
index 6ca4f079..50d0ecc5 100644
--- a/tls/server-tls-cryptocb.c
+++ b/tls/server-tls-cryptocb.c
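Review bot: The three new load-failure branches jump to `exit` with `ret` still holding the loader's return value, so when a loader reports `WOLFSSL_FAILURE` (which is 0 in wolfSSL) the process most likely exits with status 0 after printing an error; the `ctx == NULL` branch just above sets `ret = -1` before its `goto exit`, which suggests that `exit` returns `ret`. Adding `ret = -1;` after each of the three `fprintf` calls keeps the failure visible to scripts that check the exit status; the new CA-load branch in the last hunk of tls/server-tls-cryptocb.c has the same issue. Separately, `wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, NULL)` only checks the chain against CA_FILE and does not bind the certificate to the host being connected to, so a comment such as `/* chain is checked against CA_FILE only; call wolfSSL_check_domain_name() on the WOLFSSL object to pin the expected server name */` would stop readers from copying this as a complete verification setup. main() continues outside the hunk, so where `ret` is next assigned could not be checked here.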
@@ -31,13 +31,28 @@
 #include /* wolfSSL */
-#include
+#ifndef WOLFSSL_USER_SETTINGS
+ #include
+#endif
 #include
+#include
+#include
+#include
 #define DEFAULT_PORT 11111
-#define CERT_FILE "../certs/server-cert.pem"
-#define KEY_FILE "../certs/server-key.pem"
+#define USE_ECDHE_ECDSA
+#define USE_TLSV13
+
+#ifdef USE_ECDHE_ECDSA
+#define CERT_FILE "../certs/server-ecc.pem"
+#define KEY_FILE "../certs/ecc-key.pem"
+#define CA_FILE "../certs/client-ecc-cert.pem"
+#else
+#define CERT_FILE "../certs/server-cert.pem"
+#define KEY_FILE "../certs/server-key.pem"
+#define CA_FILE "../certs/client-cert.pem"
+#endif
 #ifdef WOLF_CRYPTO_CB /* Example custom context for crypto callback */
@@ -518,7 +533,12 @@ int main(int argc, char** argv)
 #endif /* Create and initialize WOLFSSL_CTX */
- if ((ctx = wolfSSL_CTX_new(wolfTLSv1_3_server_method())) == NULL) {
+#ifdef USE_TLSV13
+ ctx = wolfSSL_CTX_new(wolfTLSv1_3_server_method());
+#else
+ ctx = wolfSSL_CTX_new(wolfTLSv1_2_server_method());
+#endif
+ if (ctx == NULL) {
 fprintf(stderr, "ERROR: failed to create WOLFSSL_CTX\n");
 ret = -1;
 goto exit;
@@ -543,6 +563,18 @@ int main(int argc, char** argv)
 goto exit;
 }
+ /* Load CA certificate into WOLFSSL_CTX for validating peer */
+ if ((ret = wolfSSL_CTX_load_verify_locations(ctx, CA_FILE, NULL))
+ != WOLFSSL_SUCCESS) {
+ fprintf(stderr, "ERROR: failed to load %s, please check the file.\n",
+ CA_FILE);
+ goto exit;
+ }
+
+ /* enable mutual authentication */
+ wolfSSL_CTX_set_verify(ctx,
+ WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
+ #if 0 /* Example: "TLS13-AES256-GCM-SHA384", "TLS13-AES128-GCM-SHA256" or "TLS13-CHACHA20-POLY1305-SHA256" */ wolfSSL_CTX_set_cipher_list(ctx, "TLS13-AES256-GCM-SHA384");
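Review bot: In the last hunk the server's trust anchor, `CA_FILE`, is the client's own end-entity certificate (`client-ecc-cert.pem` / `client-cert.pem`) rather than a CA certificate, while the comment on the `wolfSSL_CTX_load_verify_locations` call says "Load CA certificate". This presumably works only because the example client certificates are self-signed, which makes the setup a single pinned leaf rather than CA-based client authentication; a reader who copies it into a deployment that issues client certificates from a CA would get handshake failures they cannot explain from the comments. A comment such as `/* the example client certs are self-signed, so the client cert itself serves as the trust anchor; use the issuing CA cert in a real deployment */` next to the load call would make the intent explicit. The `WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT` combination is the right choice for mandatory mutual authentication. main() continues outside the hunk.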