From cc9ac1846d721dc020f5ba4aa7c4055b7d4928a8 Mon Sep 17 00:00:00 2001 From: toddouska Date: Tue, 26 Feb 2013 22:24:34 -0800 Subject: [PATCH] fix ecc w/ no rsa send cert verify and server flag for missing cert verify --- cyassl/error.h | 1 + cyassl/internal.h | 1 + src/internal.c | 21 ++++++++++++++++++++- src/ssl.c | 2 +- 4 files changed, 23 insertions(+), 2 deletions(-) diff --git a/cyassl/error.h b/cyassl/error.h index 7ad273910..2f222051a 100644 --- a/cyassl/error.h +++ b/cyassl/error.h @@ -110,6 +110,7 @@ enum CyaSSL_ErrorCodes { SANITY_CIPHER_E = -275, /* sanity check on cipher error */ RECV_OVERFLOW_E = -276, /* RXCB returned more than rqed */ GEN_COOKIE_E = -277, /* Generate Cookie Error */ + NO_PEER_VERIFY = -278, /* Need peer cert verify Error */ /* add strings to SetErrorString !!!!! */ /* begin negotiation parameter errors */ diff --git a/cyassl/internal.h b/cyassl/internal.h index 5865025b9..0c3a76114 100644 --- a/cyassl/internal.h +++ b/cyassl/internal.h @@ -1317,6 +1317,7 @@ typedef struct Options { byte haveECDSAsig; /* server ECDSA signed cert */ byte haveStaticECC; /* static server ECC private key */ byte havePeerCert; /* do we have peer's cert */ + byte havePeerVerify; /* and peer's cert verify */ byte usingPSK_cipher; /* whether we're using psk as cipher */ byte sendAlertState; /* nonblocking resume */ byte processReply; /* nonblocking resume */ diff --git a/src/internal.c b/src/internal.c index ad4ae932a..01610c56c 100644 --- a/src/internal.c +++ b/src/internal.c @@ -1191,7 +1191,8 @@ int InitSSL(CYASSL* ssl, CYASSL_CTX* ctx) ssl->options.haveNTRU = ctx->haveNTRU; ssl->options.haveECDSAsig = ctx->haveECDSAsig; ssl->options.haveStaticECC = ctx->haveStaticECC; - ssl->options.havePeerCert = 0; + ssl->options.havePeerCert = 0; + ssl->options.havePeerVerify = 0; ssl->options.usingPSK_cipher = 0; ssl->options.sendAlertState = 0; #ifndef NO_PSK @@ -4283,6 +4284,17 @@ int ProcessReply(CYASSL* ssl) CYASSL_MSG("Malicious or corrupted ChangeCipher msg"); return LENGTH_ERROR; } + #ifndef NO_CERTS + if (ssl->options.side == SERVER_END && + ssl->options.verifyPeer && + ssl->options.havePeerCert) + if (!ssl->options.havePeerVerify) { + CYASSL_MSG("client didn't send cert verify"); + return NO_PEER_VERIFY; + } + #endif + + ssl->buffers.inputBuffer.idx++; ssl->keys.encryptionOn = 1; @@ -5437,6 +5449,10 @@ void SetErrorString(int error, char* str) XSTRNCPY(str, "Generate Cookie Error", max); break; + case NO_PEER_VERIFY: + XSTRNCPY(str, "Need peer certificate verify Error", max); + break; + default : XSTRNCPY(str, "unknown error number", max); } @@ -8882,6 +8898,9 @@ int SetCipherList(Suites* s, const char* list) ret = 0; /* verified */ } #endif + if (ret == 0) + ssl->options.havePeerVerify = 1; + return ret; } #endif /* !NO_RSA || HAVE_ECC */ diff --git a/src/ssl.c b/src/ssl.c index b5f467a98..d096e324b 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -2715,7 +2715,7 @@ int CyaSSL_dtls_got_timeout(CYASSL* ssl) CYASSL_MSG("connect state: FIRST_REPLY_SECOND"); case FIRST_REPLY_SECOND : - #ifndef NO_RSA + #ifndef NO_CERTS if (ssl->options.sendVerify) if ( (ssl->error = SendCertificateVerify(ssl)) != 0) { CYASSL_ERROR(ssl->error);