diff --git a/examples/client/client.c b/examples/client/client.c index 826615996..317e872ca 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -495,7 +495,7 @@ static int ClientBenchmarkConnections(WOLFSSL_CTX* ctx, char* host, word16 port, /* Measures throughput in kbps. Throughput = number of bytes */ static int ClientBenchmarkThroughput(WOLFSSL_CTX* ctx, char* host, word16 port, int dtlsUDP, int dtlsSCTP, int block, size_t throughput, int useX25519, - int useX448) + int useX448, int exitWithRet) { double start, conn_time = 0, tx_time = 0, rx_time = 0; SOCKET_T sockfd; @@ -600,7 +600,9 @@ static int ClientBenchmarkThroughput(WOLFSSL_CTX* ctx, char* host, word16 port, } while (err == WC_PENDING_E); if (ret != len) { printf("SSL_write bench error %d!\n", err); - err_sys("SSL_write failed"); + if (!exitWithRet) + err_sys("SSL_write failed"); + goto doExit; } tx_time += current_time(0) - start; @@ -654,6 +656,7 @@ static int ClientBenchmarkThroughput(WOLFSSL_CTX* ctx, char* host, word16 port, else { err_sys("Client buffer malloc failed"); } +doExit: if(tx_buffer) XFREE(tx_buffer, NULL, DYNAMIC_TYPE_TMP_BUFFER); if(rx_buffer) XFREE(rx_buffer, NULL, DYNAMIC_TYPE_TMP_BUFFER); } @@ -665,6 +668,9 @@ static int ClientBenchmarkThroughput(WOLFSSL_CTX* ctx, char* host, word16 port, wolfSSL_free(ssl); ssl = NULL; CloseSocket(sockfd); + if (exitWithRet) + return err; + #if !defined(__MINGW32__) printf("wolfSSL Client Benchmark %zu bytes\n" #else @@ -1604,6 +1610,9 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) StackTrap(); + /* Reinitialize the global myVerifyAction. */ + myVerifyAction = VERIFY_OVERRIDE_ERROR; + #ifndef WOLFSSL_VXWORKS /* Not used: All used */ while ((ch = mygetopt(argc, argv, "?:" 
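Review bot: With `exitWithRet` set, the `ret != len` branch in ClientBenchmarkThroughput jumps to `doExit` and the function later returns `err`, but nothing in the hunk guarantees `err` is non-zero at that point. The write loop that assigns it is outside the hunk; if it only records an error when wolfSSL_write returns <= 0, a short write (0 < ret < len) ends in `return err` with 0 and the test harness sees success. Forcing a failure value before the jump, for example `if (err == 0) err = WOLFSSL_FATAL_ERROR;`, would close that gap. The `return err` added in the later hunk also sits ahead of the throughput printf, so a comment such as `/* exitWithRet: report status only, skip the benchmark summary */` would show that the missing output is intended.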
@@ -2622,9 +2631,13 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) if (throughput) { ((func_args*)args)->return_code = ClientBenchmarkThroughput(ctx, host, port, dtlsUDP, dtlsSCTP, - block, throughput, useX25519, useX448); + block, throughput, useX25519, useX448, + exitWithRet); wolfSSL_CTX_free(ctx); ctx = NULL; - XEXIT_T(EXIT_SUCCESS); + if (!exitWithRet) + XEXIT_T(EXIT_SUCCESS); + else + goto exit; } #if defined(WOLFSSL_MDK_ARM) @@ -3155,12 +3168,16 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) err = ClientWrite(ssl, msg, msgSz, "", exitWithRet); if (exitWithRet && (err != 0)) { ((func_args*)args)->return_code = err; + wolfSSL_free(ssl); ssl = NULL; + wolfSSL_CTX_free(ctx); ctx = NULL; goto exit; } err = ClientRead(ssl, reply, sizeof(reply)-1, 1, "", exitWithRet); if (exitWithRet && (err != 0)) { ((func_args*)args)->return_code = err; + wolfSSL_free(ssl); ssl = NULL; + wolfSSL_CTX_free(ctx); ctx = NULL; goto exit; } diff --git a/examples/server/server.c b/examples/server/server.c index c575f2f88..44bc31348 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -381,6 +381,10 @@ int ServerEchoData(SSL* ssl, int clientfd, int echoData, int block, err_sys_ex(runWithErrors, "SSL_read failed"); break; } + if (err == WOLFSSL_ERROR_ZERO_RETURN) { + free(buffer); + return WOLFSSL_ERROR_ZERO_RETURN; + } } else { rx_pos += ret; @@ -438,7 +442,7 @@ int ServerEchoData(SSL* ssl, int clientfd, int echoData, int block, ); } - return EXIT_SUCCESS; + return 0; } static void ServerRead(WOLFSSL* ssl, char* input, int inputLen) @@ -1097,6 +1101,10 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) #ifdef WOLFSSL_VXWORKS useAnyAddr = 1; #else + + /* Reinitialize the global myVerifyAction. */ + myVerifyAction = VERIFY_OVERRIDE_ERROR; + /* Not Used: h, z, F, T, V, W, X */ while ((ch = mygetopt(argc, argv, "?:" "abc:defgijk:l:mnop:q:rstuv:wxy" 
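Review bot: The two error paths added after ClientWrite and ClientRead in client_test free `ssl` and `ctx` but do not close the connection's socket before `goto exit`. The `exit` label is outside the hunk, so the descriptor may already be released there. If it is not, each expected-failure run in the same process leaves a socket open. Adding the matching `CloseSocket(...)` call next to the two frees, or moving all three into one shared cleanup label, would keep these paths in line with the normal shutdown sequence and remove the duplicated lines.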
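Review bot: The new early return in ServerEchoData hands back WOLFSSL_ERROR_ZERO_RETURN, the value reported for a peer's orderly close, and the caller changed later in this file treats any non-zero result as a failure and copies it into `return_code`. A client that finishes and closes cleanly during the echo loop therefore makes server_test exit non-zero and skips the throughput report. If that is intended for the expected-failure suite, state the contract above the function, e.g. `/* returns 0 on success, WOLFSSL_ERROR_ZERO_RETURN if the peer closed during the echo loop */`. The branch frees with plain `free(buffer)`; the allocation is outside the hunk, so confirm it uses the matching allocator.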
@@ -1807,7 +1815,8 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) SSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER | (usePskPlus ? WOLFSSL_VERIFY_FAIL_EXCEPT_PSK : WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT), - myVerifyAction == VERIFY_OVERRIDE_DATE_ERR ? myVerify : NULL); + (myVerifyAction == VERIFY_OVERRIDE_DATE_ERR || + myVerifyAction == VERIFY_FORCE_FAIL) ? myVerify : NULL); #ifdef TEST_BEFORE_DATE verify_flags |= WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY; @@ -2446,7 +2455,15 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) #endif } else if (err == 0 || err == WOLFSSL_ERROR_ZERO_RETURN) { - ServerEchoData(ssl, clientfd, echoData, block, throughput); + err = ServerEchoData(ssl, clientfd, echoData, block, throughput); + if (err != 0) { + SSL_free(ssl); ssl = NULL; + SSL_CTX_free(ctx); ctx = NULL; + CloseSocket(clientfd); + CloseSocket(sockfd); + ((func_args*)args)->return_code = err; + goto exit; + } } #if defined(WOLFSSL_MDK_SHELL) && defined(HAVE_MDK_RTX) diff --git a/src/internal.c b/src/internal.c index e609383ff..e56fd3680 100644 --- a/src/internal.c +++ b/src/internal.c @@ -10007,6 +10007,8 @@ int DoVerifyCallback(WOLFSSL_CERT_MANAGER* cm, WOLFSSL* ssl, int ret, /* Determine if verify was okay */ if (ret == 0) { verify_ok = 1; + use_cb = 1; /* use verify callback on success, in case callback + * could force fail a cert */ } /* Determine if verify callback should be used */ @@ -17727,9 +17729,11 @@ int SendData(WOLFSSL* ssl, const void* data, int sz) len = wolfSSL_GetMaxRecordSize(ssl, sz - sent); -#ifdef WOLFSSL_DTLS - if (IsDtlsNotSctpMode(ssl)) { - len = min(len, MAX_UDP_SIZE); +#if defined(WOLFSSL_DTLS) && !defined(WOLFSSL_NO_DTLS_SIZE_CHECK) + if (ssl->options.dtls && (len < sz - sent)) { + ssl->error = DTLS_SIZE_ERROR; + WOLFSSL_ERROR(ssl->error); + return ssl->error; } #endif buffSz = len; 
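Review bot: Setting `use_cb = 1` whenever `ret == 0` in DoVerifyCallback changes the contract of the application verify callback: it is now invoked for certificates that verified successfully, not only on errors or in WOLFSSL_ALWAYS_VERIFY_CB builds. The remaining conditions are outside the hunk, so this is inferred from the added line. A callback written on the assumption that it is only reached on failure, and which returns 0 unconditionally, would start rejecting valid chains after an upgrade, so the change needs an entry in the wolfSSL_CTX_set_verify documentation and in the release notes. The comment kept as context in the wolfssl/test.h hunk, "The verify callback is called for every certificate only when --enable-opensslextra is defined", no longer matches this behaviour and should be updated in the same commit.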
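Review bot: The new size check in SendData is gated on `ssl->options.dtls`, while the code it replaces and the wolfSSL_GetMaxRecordSize hunk in this commit both use `IsDtlsNotSctpMode(ssl)`. As written, a DTLS-over-SCTP write larger than one record appears to fail with DTLS_SIZE_ERROR instead of being split (the surrounding send loop is outside the hunk). If SCTP is meant to be covered, say so in a comment above the check; if not, the condition should read `if (IsDtlsNotSctpMode(ssl) && (len < sz - sent))`. In both cases, callers that relied on wolfSSL_write splitting large DTLS payloads now receive an error unless WOLFSSL_NO_DTLS_SIZE_CHECK is defined, which belongs in the function's documentation.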
@@ -18457,6 +18461,9 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e) case TLS13_SECRET_CB_E: return "TLS1.3 Secret Callback Error"; + case DTLS_SIZE_ERROR: + return "DTLS trying to send too much in single datagram error"; + default : return "unknown error number"; } @@ -29995,7 +30002,7 @@ int wolfSSL_GetMaxRecordSize(WOLFSSL* ssl, int maxFragment) } #endif /* HAVE_MAX_FRAGMENT */ #ifdef WOLFSSL_DTLS - if ((ssl->options.dtls) && (maxFragment > MAX_UDP_SIZE)) { + if (IsDtlsNotSctpMode(ssl) && (maxFragment > MAX_UDP_SIZE)) { maxFragment = MAX_UDP_SIZE; } #endif diff --git a/tests/include.am b/tests/include.am index 07230abf3..1ef0a7cdf 100644 --- a/tests/include.am +++ b/tests/include.am @@ -31,6 +31,7 @@ EXTRA_DIST += tests/test.conf \ tests/test-psk-no-id.conf \ tests/test-psk-no-id-sha2.conf \ tests/test-dtls.conf \ + tests/test-dtls-fails.conf \ tests/test-dtls-group.conf \ tests/test-dtls-reneg-client.conf \ tests/test-dtls-reneg-server.conf \ diff --git a/tests/suites.c b/tests/suites.c index d4e4107af..72ae8fddf 100644 --- a/tests/suites.c +++ b/tests/suites.c @@ -455,6 +455,7 @@ static int execute_test_case(int svr_argc, char** svr_argv, return NOT_BUILT_IN; } printf("trying client command line[%d]: %s\n", tests, commandLine); + tests++; /* determine based on args if this test is expected to fail */ if (XSTRSTR(commandLine, exitWithRetFlag) != NULL) { @@ -881,6 +882,20 @@ int SuiteTest(int argc, char** argv) goto exit; } #endif +#ifndef WOLFSSL_NO_DTLS_SIZE_CHECK + /* failure tests */ + args.argc = 3; + strcpy(argv0[1], "tests/test-dtls-fails.conf"); + strcpy(argv0[2], "expFail"); /* tests are expected to fail */ + printf("starting dtls tests that expect failure\n"); + test_harness(&args); + if (args.return_code != 0) { + printf("error from script %d\n", args.return_code); + args.return_code = EXIT_FAILURE; + goto exit; + } + strcpy(argv0[2], ""); +#endif #endif #ifdef WOLFSSL_SCTP /* add dtls-sctp extra suites */ 
@@ -1038,7 +1053,7 @@ int SuiteTest(int argc, char** argv) args.argc = 3; strcpy(argv0[1], "tests/test-dhprime.conf"); strcpy(argv0[2], "doDH"); /* add DH prime flag */ - printf("starting tests that expect failure\n"); + printf("starting dh prime tests\n"); test_harness(&args); if (args.return_code != 0) { printf("error from script %d\n", args.return_code); diff --git a/tests/test-dtls-fails.conf b/tests/test-dtls-fails.conf new file mode 100644 index 000000000..07492f2f7 --- /dev/null +++ b/tests/test-dtls-fails.conf @@ -0,0 +1,16 @@ +# DTLS test +# server DTLSv1.2 too big test +-v 3 +-l ECDHE-ECDSA-AES128-SHA256 +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem +-u +-B 9000 + +# client DTLSv1.2 too big test +-v 3 +-l ECDHE-ECDSA-AES128-SHA256 +-A ./certs/ca-ecc-cert.pem +-u +-B 9000 + diff --git a/wolfssl/error-ssl.h b/wolfssl/error-ssl.h index 9b44326e7..9478242aa 100644 --- a/wolfssl/error-ssl.h +++ b/wolfssl/error-ssl.h @@ -167,6 +167,7 @@ enum wolfSSL_ErrorCodes { CLIENT_CERT_CB_ERROR = -436, /* Client cert callback error */ SSL_SHUTDOWN_ALREADY_DONE_E = -437, /* Shutdown called redundantly */ TLS13_SECRET_CB_E = -438, /* TLS1.3 secret Cb fcn failure */ + DTLS_SIZE_ERROR = -439, /* Trying to send too much data */ /* add strings to wolfSSL_ERR_reason_error_string in internal.c !!!!! */ diff --git a/wolfssl/test.h b/wolfssl/test.h index 3c2f4ada9..dc7dae6e8 100644 --- a/wolfssl/test.h +++ b/wolfssl/test.h @@ -1696,7 +1696,7 @@ enum { VERIFY_USE_PREVERFIY, VERIFY_OVERRIDE_DATE_ERR, }; -static int myVerifyAction = VERIFY_OVERRIDE_ERROR; +static THREAD_LS_T int myVerifyAction = VERIFY_OVERRIDE_ERROR; /* The verify callback is called for every certificate only when * --enable-opensslextra is defined because it sets WOLFSSL_ALWAYS_VERIFY_CB and