diff --git a/tls/client-tls-posthsauth.c b/tls/client-tls-posthsauth.c index 11c3b768..f3b9dc17 100644 --- a/tls/client-tls-posthsauth.c +++ b/tls/client-tls-posthsauth.c @@ -36,81 +36,13 @@ #include #include +#ifdef WOLFSSL_POST_HANDSHAKE_AUTH #define DEFAULT_PORT 11111 #define CERT_FILE "../certs/client-cert.pem" #define KEY_FILE "../certs/client-key.pem" #define CA_FILE "../certs/ca-cert.pem" -#if defined(WOLFSSL_TLS13) && defined(HAVE_SECRET_CALLBACK) - -#ifndef WOLFSSL_SSLKEYLOGFILE_OUTPUT - #define WOLFSSL_SSLKEYLOGFILE_OUTPUT "sslkeylog.log" -#endif - -/* Callback function for TLS v1.3 secrets for use with Wireshark */ -static int Tls13SecretCallback(WOLFSSL* ssl, int id, const unsigned char* secret, - int secretSz, void* ctx) -{ - int i; - const char* str = NULL; - unsigned char clientRandom[32]; - int clientRandomSz; - XFILE fp = stderr; - if (ctx) { - fp = XFOPEN((const char*)ctx, "ab"); - if (fp == XBADFILE) { - return BAD_FUNC_ARG; - } - } - - clientRandomSz = (int)wolfSSL_get_client_random(ssl, clientRandom, - sizeof(clientRandom)); - - if (clientRandomSz <= 0) { - printf("Error getting client random %d\n", clientRandomSz); - } - -#if 0 - printf("TLS Client Secret CB: Rand %d, Secret %d\n", - clientRandomSz, secretSz); -#endif - - switch (id) { - case CLIENT_EARLY_TRAFFIC_SECRET: - str = "CLIENT_EARLY_TRAFFIC_SECRET"; break; - case EARLY_EXPORTER_SECRET: - str = "EARLY_EXPORTER_SECRET"; break; - case CLIENT_HANDSHAKE_TRAFFIC_SECRET: - str = "CLIENT_HANDSHAKE_TRAFFIC_SECRET"; break; - case SERVER_HANDSHAKE_TRAFFIC_SECRET: - str = "SERVER_HANDSHAKE_TRAFFIC_SECRET"; break; - case CLIENT_TRAFFIC_SECRET: - str = "CLIENT_TRAFFIC_SECRET_0"; break; - case SERVER_TRAFFIC_SECRET: - str = "SERVER_TRAFFIC_SECRET_0"; break; - case EXPORTER_SECRET: - str = "EXPORTER_SECRET"; break; - } - - fprintf(fp, "%s ", str); - for (i = 0; i < clientRandomSz; i++) { - fprintf(fp, "%02x", clientRandom[i]); - } - fprintf(fp, " "); - for (i = 0; i < secretSz; i++) { - fprintf(fp, "%02x", secret[i]); - } - fprintf(fp, "\n"); - - if (fp != stderr) { - XFCLOSE(fp); - } - - return 0; -} -#endif /* WOLFSSL_TLS13 && HAVE_SECRET_CALLBACK */ - int main(int argc, char** argv) { int ret = 0; @@ -201,6 +133,7 @@ int main(int argc, char** argv) goto exit; } + /* POSTHSAUTH: Prepare for post-handshake authentication. */ if ((ret = wolfSSL_CTX_allow_post_handshake_auth(ctx)) != 0) { fprintf(stderr, "ERROR: failed to allow post hand-shake auth.\n"); goto exit; @@ -218,25 +151,12 @@ int main(int argc, char** argv) goto exit; } -#ifdef HAVE_SECRET_CALLBACK - /* required for getting random used */ - wolfSSL_KeepArrays(ssl); - - /* optional logging for wireshark */ - wolfSSL_set_tls13_secret_cb(ssl, Tls13SecretCallback, - (void*)WOLFSSL_SSLKEYLOGFILE_OUTPUT); -#endif - /* Connect to wolfSSL on the server side */ if ((ret = wolfSSL_connect(ssl)) != WOLFSSL_SUCCESS) { fprintf(stderr, "ERROR: failed to connect to wolfSSL\n"); goto exit; } -#ifdef HAVE_SECRET_CALLBACK - wolfSSL_FreeArrays(ssl); -#endif - /* Get a message for the server from stdin */ printf("Message for server: "); memset(buff, 0, sizeof(buff)); @@ -263,7 +183,8 @@ int main(int argc, char** argv) /* Print to stdout any data the server sends */ printf("Server: %s\n", buff); - /* Send the second message to the server */ + /* POSTHSAUTH: Send the second message to the server. This message is now + * authenticated. */ memset(buff, 0, sizeof(buff)); memcpy(buff, "Hello again from the client\n", 28); len = strnlen(buff, sizeof(buff)); @@ -294,3 +215,10 @@ exit: return ret; } +#else +int main() { + fprintf(stderr, "Please configure with --enable-postauth or compile with " + "WOLFSSL_POST_HANDSHAKE_AUTH defined.\n"); + return 0; +} +#endif /* WOLFSSL_POST_HANDSHAKE_AUTH */ diff --git a/tls/server-tls-posthsauth.c b/tls/server-tls-posthsauth.c index 7d058917..a772bb83 100644 --- a/tls/server-tls-posthsauth.c +++ b/tls/server-tls-posthsauth.c @@ -41,6 +41,7 @@ #include #include +#ifdef WOLFSSL_POST_HANDSHAKE_AUTH #define DEFAULT_PORT 11111 #define CERT_FILE "../certs/server-cert.pem" @@ -48,75 +49,6 @@ #define CA_FILE "../certs/client-cert.pem" -#if defined(WOLFSSL_TLS13) && defined(HAVE_SECRET_CALLBACK) - -#ifndef WOLFSSL_SSLKEYLOGFILE_OUTPUT - #define WOLFSSL_SSLKEYLOGFILE_OUTPUT "sslkeylog.log" -#endif - -/* Callback function for TLS v1.3 secrets for use with Wireshark */ -static int Tls13SecretCallback(WOLFSSL* ssl, int id, const unsigned char* secret, - int secretSz, void* ctx) -{ - int i; - const char* str = NULL; - unsigned char serverRandom[32]; - int serverRandomSz; - XFILE fp = stderr; - if (ctx) { - fp = XFOPEN((const char*)ctx, "ab"); - if (fp == XBADFILE) { - return BAD_FUNC_ARG; - } - } - - serverRandomSz = (int)wolfSSL_get_server_random(ssl, serverRandom, - sizeof(serverRandom)); - - if (serverRandomSz <= 0) { - printf("Error getting server random %d\n", serverRandomSz); - } - -#if 0 - printf("TLS Server Secret CB: Rand %d, Secret %d\n", - serverRandomSz, secretSz); -#endif - - switch (id) { - case CLIENT_EARLY_TRAFFIC_SECRET: - str = "CLIENT_EARLY_TRAFFIC_SECRET"; break; - case EARLY_EXPORTER_SECRET: - str = "EARLY_EXPORTER_SECRET"; break; - case CLIENT_HANDSHAKE_TRAFFIC_SECRET: - str = "CLIENT_HANDSHAKE_TRAFFIC_SECRET"; break; - case SERVER_HANDSHAKE_TRAFFIC_SECRET: - str = "SERVER_HANDSHAKE_TRAFFIC_SECRET"; break; - case CLIENT_TRAFFIC_SECRET: - str = "CLIENT_TRAFFIC_SECRET_0"; break; - case SERVER_TRAFFIC_SECRET: - str = "SERVER_TRAFFIC_SECRET_0"; break; - case EXPORTER_SECRET: - str = "EXPORTER_SECRET"; break; - } - - fprintf(fp, "%s ", str); - for (i = 0; i < (int)serverRandomSz; i++) { - fprintf(fp, "%02x", serverRandom[i]); - } - fprintf(fp, " "); - for (i = 0; i < secretSz; i++) { - fprintf(fp, "%02x", secret[i]); - } - fprintf(fp, "\n"); - - if (fp != stderr) { - XFCLOSE(fp); - } - - return 0; -} -#endif /* WOLFSSL_TLS13 && HAVE_SECRET_CALLBACK */ - static int mSockfd = SOCKET_INVALID; static int mConnd = SOCKET_INVALID; static int mShutdown = 0; @@ -216,7 +148,8 @@ int main(int argc, char** argv) goto exit; } - /* No verification during handshake. Will be doing it post handshake. */ + /* POSTHSAUTH: No verification during handshake. Will be doing it post + * handshake. */ wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL); /* Load server certificates into WOLFSSL_CTX */ @@ -263,15 +196,6 @@ int main(int argc, char** argv) /* Attach wolfSSL to the socket */ wolfSSL_set_fd(ssl, mConnd); - #ifdef HAVE_SECRET_CALLBACK - /* required for getting random used */ - wolfSSL_KeepArrays(ssl); - - /* optional logging for wireshark */ - wolfSSL_set_tls13_secret_cb(ssl, Tls13SecretCallback, - (void*)WOLFSSL_SSLKEYLOGFILE_OUTPUT); - #endif - /* Establish TLS connection */ if ((ret = wolfSSL_accept(ssl)) != WOLFSSL_SUCCESS) { fprintf(stderr, "wolfSSL_accept error = %d\n", @@ -281,10 +205,6 @@ int main(int argc, char** argv) printf("Client connected successfully\n"); - #ifdef HAVE_SECRET_CALLBACK - wolfSSL_FreeArrays(ssl); - #endif - /* Read the client data into our buff array */ memset(buff, 0, sizeof(buff)); if ((ret = wolfSSL_read(ssl, buff, sizeof(buff)-1)) < 0) { @@ -301,9 +221,12 @@ int main(int argc, char** argv) mShutdown = 1; } + /* POSTHSAUTH: Require the client to send over their certificate; fail + * if we cannot verify the client. */ wolfSSL_set_verify(ssl, WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0); + /* POSTHSAUTH: Request the certficate and do the verification. */ if (wolfSSL_request_certificate(ssl) != WOLFSSL_SUCCESS) { fprintf(stderr, "ERROR: Request for post-hs certificate failed\n"); goto exit; @@ -323,7 +246,8 @@ int main(int argc, char** argv) goto exit; } - /* Read second message into our buff array */ + /* POSTHSAUTH: Read second message into our buff array. This is now + * authenticated. */ memset(buff, 0, sizeof(buff)); if ((ret = wolfSSL_read(ssl, buff, sizeof(buff)-1)) < 0) { fprintf(stderr, "ERROR: failed to read\n"); @@ -372,3 +296,10 @@ exit: return ret; } +#else +int main() { + fprintf(stderr, "Please configure with --enable-postauth or compile with " + "WOLFSSL_POST_HANDSHAKE_AUTH defined.\n"); + return 0; +} +#endif /* WOLFSSL_POST_HANDSHAKE_AUTH */