diff --git a/scripts/tls13.test b/scripts/tls13.test
index 66942b9c2..f95d1d6ba 100755
--- a/scripts/tls13.test
+++ b/scripts/tls13.test
@@ -112,7 +112,10 @@ do_cleanup
 echo ""
 cat ./wolfssl/options.h | grep -- 'NO_CERTS'
-if [ $? -ne 0 ]; then
+NO_CERTS=$?
+cat ./wolfssl/options.h | grep -- 'WOLFSSL_NO_CLIENT_AUTH'
+NO_CLIENT_AUTH=$?
+if [ $NO_CERTS -ne 0 -a $NO_CLIENT_AUTH -ne 0 ]; then
 # TLS 1.3 mutual auth required but client doesn't send certificates.
 echo -e "\n\nTLS v1.3 mutual auth fail"
 port=0
diff --git a/src/internal.c b/src/internal.c
index 69e6a3ef1..a4def2682 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -3556,8 +3556,7 @@ static word32 MacSize(WOLFSSL* ssl)
 #ifndef NO_RSA
 #ifndef WOLFSSL_NO_TLS12
-#if !defined(NO_WOLFSSL_SERVER) || (!defined(NO_WOLFSSL_CLIENT) && \
- !defined(WOLFSSL_NO_CLIENT_AUTH))
+#if !defined(NO_WOLFSSL_SERVER) || !defined(NO_WOLFSSL_CLIENT)
 static int TypeHash(int hashAlgo)
 {
 switch (hashAlgo) {
diff --git a/src/ssl.c b/src/ssl.c
index 11bc08a3c..0631208af 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -5777,7 +5777,8 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
 }
 if (done == 1) {
- #ifndef NO_WOLFSSL_CM_VERIFY
+ #if !defined(NO_WOLFSSL_CM_VERIFY) && (!defined(NO_WOLFSSL_CLIENT) || \
+ !defined(WOLFSSL_NO_CLIENT_AUTH))
 if ((type == CA_TYPE) || (type == CERT_TYPE)) {
 /* Call to over-ride status */
 if ((ctx != NULL) && (ctx->cm != NULL) &&
@@ -6066,6 +6067,7 @@ void wolfSSL_CertManagerSetVerify(WOLFSSL_CERT_MANAGER* cm, VerifyCallback vc)
 }
 #endif /* NO_WOLFSSL_CM_VERIFY */
+#if !defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)
 /* Verify the certificate, WOLFSSL_SUCCESS for ok, < 0 for error */
 int CM_VerifyBuffer_ex(WOLFSSL_CERT_MANAGER* cm, const byte* buff,
 long sz, int format, int err_val)
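Review bot: `+if [ $NO_CERTS -ne 0 -a $NO_CLIENT_AUTH -ne 0 ]; then` relies on the `-a` primary of `[`, which POSIX lists as obsolescent and which is ambiguous when an operand looks like an option; two separate tests read the same and are unambiguous: `if [ "$NO_CERTS" -ne 0 ] && [ "$NO_CLIENT_AUTH" -ne 0 ]; then`. The added `cat ./wolfssl/options.h | grep -- 'WOLFSSL_NO_CLIENT_AUTH'` (like the existing NO_CERTS line) echoes the matched line into the test output and matches the name anywhere on a line, so a commented-out or `#undef` entry also counts as defined; `grep -q -- 'WOLFSSL_NO_CLIENT_AUTH' ./wolfssl/options.h` would at least keep the log quiet. NO_CERTS and NO_CLIENT_AUTH are shell variables holding grep exit codes here, not build macros, which a one-line comment could state so they are not confused with the options.h symbols of the same name.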
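Review bot: The relaxed guard `+#if !defined(NO_WOLFSSL_SERVER) || !defined(NO_WOLFSSL_CLIENT)` is false only when both roles are compiled out, so TypeHash is now built in effectively every TLS 1.2 + RSA configuration, and nothing in the hunk says why the WOLFSSL_NO_CLIENT_AUTH restriction was lifted. A one-line comment above the `#if` giving the reason (presumably the client still needs the hash-type mapping to check the server's signature even when it never sends its own certificate — confirm) would stop the next reader from re-tightening it. The matching `#endif` and the rest of TypeHash are outside this hunk; if that `#endif` carries a comment naming the old condition it should be updated as well.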
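Review bot: The condition `(!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH))` added here is repeated verbatim in the guards at ssl.c 6067 and 6750, tls13.c 5436 and 7107, api.c 1168, 25949, 33813, 36054, 36633 and 36938, and internal.h 2022, and the server-side mirror `(!defined(NO_WOLFSSL_SERVER) || !defined(WOLFSSL_NO_CLIENT_AUTH))` appears at tls13.c 5047 and 7533. Defining each of the two conditions once as a named macro in a header every one of these files already includes, and testing that macro at each site, would keep the builds consistent the next time the rule changes. The `#endif` that closes this block is outside the hunk; if its trailing comment still names `NO_WOLFSSL_CM_VERIFY` alone it no longer describes the condition, and `#endif /* !NO_WOLFSSL_CM_VERIFY && client auth */` would.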
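Review bot: Wrapping CM_VerifyBuffer_ex here — and, at 6174 and 6750, the exported wolfSSL_CertManagerVerifyBuffer and wolfSSL_CertManagerVerify — in `#if !defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)` removes public API from server-only builds that define WOLFSSL_NO_CLIENT_AUTH, yet no change to the public header's prototypes is part of this diff, so an application calling either function would fail at link time instead of at compile time. Either guard the public prototypes with the same condition or leave stubs that return an error through the normal return path, and document the removed configuration in the header comment. The body of CM_VerifyBuffer_ex runs past the end of this hunk.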
@@ -6172,6 +6174,8 @@ int wolfSSL_CertManagerVerifyBuffer(WOLFSSL_CERT_MANAGER* cm, const byte* buff,
 {
 return CM_VerifyBuffer_ex(cm, buff, sz, format, 0);
 }
+#endif /* !NO_WOLFSSL_CLIENT || !WOLFSSL_NO_CLIENT_AUTH */
+
 /* turn on OCSP if off and compiled in, set options */
 int wolfSSL_CertManagerEnableOCSP(WOLFSSL_CERT_MANAGER* cm, int options)
 {
@@ -6746,6 +6750,7 @@ int wolfSSL_CTX_trust_peer_cert(WOLFSSL_CTX* ctx, const char* file, int type)
 #endif /* WOLFSSL_TRUST_PEER_CERT */
+#if !defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)
 /* Verify the certificate, WOLFSSL_SUCCESS for ok, < 0 for error */
 int wolfSSL_CertManagerVerify(WOLFSSL_CERT_MANAGER* cm, const char* fname,
 int format)
@@ -6798,7 +6803,7 @@ int wolfSSL_CertManagerVerify(WOLFSSL_CERT_MANAGER* cm, const char* fname,
 return ret;
 }
-
+#endif
 /* like load verify locations, 1 for success, < 0 for error */
 int wolfSSL_CertManagerLoadCA(WOLFSSL_CERT_MANAGER* cm, const char* file,
diff --git a/src/tls13.c b/src/tls13.c
index 13666fc51..ce339d0e6 100644
--- a/src/tls13.c
+++ b/src/tls13.c
@@ -5047,8 +5047,9 @@ static int SendTls13Certificate(WOLFSSL* ssl)
 return ret;
 }
-#if !defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \
- defined(HAVE_ED448)
+#if (!defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \
+ defined(HAVE_ED448)) && \
+ (!defined(NO_WOLFSSL_SERVER) || !defined(WOLFSSL_NO_CLIENT_AUTH))
 typedef struct Scv13Args {
 byte* output; /* not allocated */
 byte* verify; /* not allocated */
@@ -5435,6 +5436,7 @@ exit_scv:
 }
 #endif
+#if !defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)
 /* handle processing TLS v1.3 certificate (11) */
 /* Parse and handle a TLS v1.3 Certificate message.
 *
@@ -5475,6 +5477,7 @@ static int DoTls13Certificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 return ret;
 }
+#endif
 #if !defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \
 defined(HAVE_ED448)
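Review bot: The bare `+#endif` at 6803 replaces the blank line that separated wolfSSL_CertManagerVerify from the next function, so the `/* like load verify locations ... */` comment now sits directly under a preprocessor line with nothing saying which `#if` it closes; the earlier `#endif /* !NO_WOLFSSL_CLIENT || !WOLFSSL_NO_CLIENT_AUTH */` at 6174 shows the style to follow, with a blank line after it. The same bare `+#endif` is added at tls13.c 5480, and the new `+#if` at tls13.c 5436 is placed directly after an existing `#endif` with no separating blank line.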
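Review bot: In a client-only build with WOLFSSL_NO_CLIENT_AUTH, the new guard `(!defined(NO_WOLFSSL_SERVER) || !defined(WOLFSSL_NO_CLIENT_AUTH))` compiles out Scv13Args and SendTls13CertificateVerify, and the only call site shown (wolfSSL_connect_TLSv13 at 7533) is guarded identically, so it links; but that call site is keyed on `ssl->options.sendVerify`, and nothing in this diff shows what clears or never sets that flag in such a build, so if the client-side CertificateRequest handling still sets it the CertificateVerify would be silently skipped — confirm. A short comment above the `#if` stating the configuration in which a CertificateVerify can be sent (server always; client only with client auth) would document the intent. The `#endif` for this block is at 5437, outside the hunk, and is bare.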
@@ -7104,7 +7107,8 @@ int DoTls13HandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 #endif /* !NO_WOLFSSL_SERVER */
 /* Messages received by both client and server. */
-#ifndef NO_CERTS
+#if !defined(NO_CERTS) && (!defined(NO_WOLFSSL_CLIENT) || \
+ !defined(WOLFSSL_NO_CLIENT_AUTH))
 case certificate:
 WOLFSSL_MSG("processing certificate");
 ret = DoTls13Certificate(ssl, input, inOutIdx, size);
@@ -7529,8 +7533,9 @@ int wolfSSL_connect_TLSv13(WOLFSSL* ssl)
 FALL_THROUGH;
 case FIRST_REPLY_THIRD:
- #if !defined(NO_CERTS) && (!defined(NO_RSA) || defined(HAVE_ECC) || \
- defined(HAVE_ED25519) || defined(HAVE_ED448))
+ #if (!defined(NO_CERTS) && (!defined(NO_RSA) || defined(HAVE_ECC) || \
+ defined(HAVE_ED25519) || defined(HAVE_ED448))) && \
+ (!defined(NO_WOLFSSL_SERVER) || !defined(WOLFSSL_NO_CLIENT_AUTH))
 if (!ssl->options.resuming && ssl->options.sendVerify) {
 ssl->error = SendTls13CertificateVerify(ssl);
 if (ssl->error != 0) {
diff --git a/tests/api.c b/tests/api.c
index 774a33296..b65e54d7c 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -1168,7 +1168,8 @@ static int test_wolfSSL_CertManagerSetVerify(void)
 {
 int ret = 0;
 #if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \
- !defined(NO_WOLFSSL_CM_VERIFY) && !defined(NO_RSA)
+ !defined(NO_WOLFSSL_CM_VERIFY) && !defined(NO_RSA) && \
+ (!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH))
 WOLFSSL_CERT_MANAGER* cm;
 int tmp = myVerifyAction;
 const char* ca_cert = "./certs/ca-cert.pem";
@@ -25948,7 +25949,8 @@ static void test_wolfSSL_X509_STORE_set_flags(void)
 static void test_wolfSSL_X509_LOOKUP_load_file(void)
 {
 #if defined(OPENSSL_EXTRA) && defined(HAVE_CRL) && \
- !defined(NO_FILESYSTEM) && !defined(NO_RSA)
+ !defined(NO_FILESYSTEM) && !defined(NO_RSA) && \
+ (!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH))
 WOLFSSL_X509_STORE* store;
 WOLFSSL_X509_LOOKUP* lookup;
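Review bot: With `case certificate:` compiled out under `+#if !defined(NO_CERTS) && (!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH))`, a server-only build without client auth that receives a Certificate handshake message now falls through to the switch's default branch, which lies outside this hunk; confirm that branch rejects the message as unexpected with an alert rather than skipping it, since a peer certificate arriving in a build that never requested one must not be silently consumed. A comment at the `#if` such as `/* Certificate is never expected by a server built without client auth */` would record the intent. The `#endif` closing this case group is also outside the hunk and, if it still reads `/* NO_CERTS */`, should name the new condition.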
@@ -33811,7 +33813,8 @@ static void test_wolfSSL_PEM_write_bio_PKCS7(void)
 /*----------------------------------------------------------------------------*
 | Certificate Failure Checks
 *----------------------------------------------------------------------------*/
-#ifndef NO_CERTS
+#if !defined(NO_CERTS) && (!defined(NO_WOLFSSL_CLIENT) || \
+ !defined(WOLFSSL_NO_CLIENT_AUTH))
 /* Use the Cert Manager(CM) API to generate the error ASN_SIG_CONFIRM_E */
 static int verify_sig_cm(const char* ca, byte* cert_buf, size_t cert_sz,
 int type)
@@ -36051,7 +36054,8 @@ static void test_wolfSSL_dtls_set_mtu(void)
 }
 #if !defined(NO_RSA) && !defined(NO_SHA) && !defined(NO_FILESYSTEM) && \
- !defined(NO_CERTS)
+ !defined(NO_CERTS) && (!defined(NO_WOLFSSL_CLIENT) || \
+ !defined(WOLFSSL_NO_CLIENT_AUTH))
 static int load_ca_into_cm(WOLFSSL_CERT_MANAGER* cm, char* certA)
 {
 int ret;
@@ -36629,7 +36633,9 @@ void ApiTest(void)
 test_tls13_apis();
 #endif
-#ifndef NO_CERTS
+#if !defined(NO_CERTS) && (!defined(NO_WOLFSSL_CLIENT) || \
+ !defined(WOLFSSL_NO_CLIENT_AUTH))
+ /* Use the Cert Manager(CM) API to generate the error ASN_SIG_CONFIRM_E */
 /* Bad certificate signature tests */
 AssertIntEQ(test_EccSigFailure_cm(), ASN_SIG_CONFIRM_E);
 AssertIntEQ(test_RsaSigFailure_cm(), ASN_SIG_CONFIRM_E);
@@ -36932,7 +36938,8 @@ void ApiTest(void)
 AssertIntEQ(test_wolfSSL_Cleanup(), WOLFSSL_SUCCESS);
 #if !defined(NO_RSA) && !defined(NO_SHA) && !defined(NO_FILESYSTEM) && \
- !defined(NO_CERTS)
+ !defined(NO_CERTS) && (!defined(NO_WOLFSSL_CLIENT) || \
+ !defined(WOLFSSL_NO_CLIENT_AUTH))
 AssertIntEQ(test_various_pathlen_chains(), WOLFSSL_SUCCESS);
 #endif
diff --git a/tests/suites.c b/tests/suites.c
index 72ae8fddf..655c29003 100644
--- a/tests/suites.c
+++ b/tests/suites.c
@@ -249,6 +249,40 @@ static int IsValidCA(const char* line)
 return ret;
 }
+#ifdef WOLFSSL_NO_CLIENT_AUTH
+static int IsClientAuth(const char* line, int* reqClientCert)
+{
+ const char* begin;
+
+ begin = XSTRSTR(line, "-H verifyFail");
+ if (begin != NULL) {
+ return 1;
+ }
+
+ begin = XSTRSTR(line, "-d");
+ if (begin != NULL) {
+ *reqClientCert = 0;
+ }
+ else {
+ *reqClientCert = 1;
+ }
+
+ return 0;
+}
+
+static int IsNoClientCert(const char* line)
+{
+ const char* begin;
+
+ begin = XSTRSTR(line, "-x");
+ if (begin != NULL) {
+ return 1;
+ }
+
+ return 0;
+}
+#endif
+
 static int execute_test_case(int svr_argc, char** svr_argv,
 int cli_argc, char** cli_argv,
 int addNoVerify, int addNonBlocking,
@@ -278,6 +312,9 @@ static int execute_test_case(int svr_argc, char** svr_argv,
 char portNumber[8];
 #endif
 int cliTestShouldFail = 0, svrTestShouldFail = 0;
+#ifdef WOLFSSL_NO_CLIENT_AUTH
+ int reqClientCert;
+#endif
 /* Is Valid Cipher and Version Checks */
 /* build command list for the Is checks below */
@@ -329,6 +366,15 @@ static int execute_test_case(int svr_argc, char** svr_argv,
 return VERSION_TOO_OLD;
 }
 #endif
+#ifdef WOLFSSL_NO_CLIENT_AUTH
+ if (IsClientAuth(commandLine, &reqClientCert)) {
+ #ifdef DEBUG_SUITE_TESTS
+ printf("client auth on line %s not supported in build\n",
+ commandLine);
+ #endif
+ return NOT_BUILT_IN;
+ }
+#endif
 /* Build Server Command */
 if (addNoVerify) {
@@ -454,6 +500,15 @@ static int execute_test_case(int svr_argc, char** svr_argv,
 #endif
 return NOT_BUILT_IN;
 }
+#ifdef WOLFSSL_NO_CLIENT_AUTH
+ if (reqClientCert && IsNoClientCert(commandLine)) {
+ #ifdef DEBUG_SUITE_TESTS
+ printf("client auth on line %s not supported in build\n",
+ commandLine);
+ #endif
+ return NOT_BUILT_IN;
+ }
+#endif
 printf("trying client command line[%d]: %s\n", tests, commandLine);
 tests++;
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index 925720fd2..69aa66378 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
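Review bot: IsClientAuth and IsNoClientCert classify a suite line with `XSTRSTR(line, "-d")` and `XSTRSTR(line, "-x")`, which match those two characters anywhere in the line — inside a longer option or a file path argument as well as as a flag — so a line that never passes `-d` or `-x` can still be treated as if it did; checking that the match is preceded by a space and followed by a space or the end of the string would make the test exact. IsClientAuth also returns 1 for `-H verifyFail` without assigning `*reqClientCert`, which the one caller at 370 tolerates by returning at once, but the contract deserves a comment on the function: `/* Returns 1 when the server line needs client auth this build lacks; otherwise sets *reqClientCert (0 with -d, else 1) and returns 0. */`. The `begin` locals are only compared with NULL, so IsNoClientCert reduces to `return XSTRSTR(line, "-x") != NULL;`.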
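Review bot: `+ int reqClientCert;` is declared without an initializer and is read at 504 (`reqClientCert && IsNoClientCert(commandLine)`), but it is only written by the IsClientAuth call at 370, so correctness rests on every path from 370 to 504 either returning or passing through that call. `int reqClientCert = 0;` removes the ordering dependency at no cost and keeps -Wmaybe-uninitialized quiet; the rest of execute_test_case lies outside this hunk.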
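Review bot: The debug text `"client auth on line %s not supported in build\n"` is reused verbatim at 503 for a different skip reason — a client line that omits its certificate (`-x`) against a server line that requires one — so with DEBUG_SUITE_TESTS the two skips are indistinguishable in the log. A distinct message for the second site, e.g. `"client cert required but not sent on line %s, not supported in build\n"` (constructed wording), would make triage of skipped suite lines easier.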
@@ -2022,8 +2022,7 @@ WOLFSSL_LOCAL int CM_VerifyBuffer_ex(WOLFSSL_CERT_MANAGER* cm, const byte* buff,
 #ifndef NO_CERTS
-#if !defined NOCERTS &&\
- (!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH))
+#if !defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)
 typedef struct ProcPeerCertArgs {
 buffer* certs;
 #ifdef WOLFSSL_TLS13
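Review bot: The hunk header shows the `WOLFSSL_LOCAL int CM_VerifyBuffer_ex(...)` prototype directly above this block and nothing in the diff guards it, while its definition in src/ssl.c is now compiled only under `#if !defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)`; a declaration with no definition is harmless until something calls it, so moving the prototype under the same condition turns a future link error into a compile error at the call site. The removed `!defined NOCERTS` tested a misspelt, never-defined macro, so the old guard reduced to the same client-auth condition and this is a cleanup rather than a behaviour change — worth a word in the commit description. The `#endif` closing ProcPeerCertArgs is outside the hunk and should carry the new condition in its comment.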