Merge pull request #3151 from ejohnstown/dtls-size

DTLS Size Fix

examples/client/client.c

@@ -495,7 +495,7 @@ static int ClientBenchmarkConnections(WOLFSSL_CTX* ctx, char* host, word16 port,
 /* Measures throughput in kbps. Throughput = number of bytes */
 static int ClientBenchmarkThroughput(WOLFSSL_CTX* ctx, char* host, word16 port,
     int dtlsUDP, int dtlsSCTP, int block, size_t throughput, int useX25519,
-    int useX448)
+    int useX448, int exitWithRet)
 {
     double start, conn_time = 0, tx_time = 0, rx_time = 0;
     SOCKET_T sockfd;
@@ -600,7 +600,9 @@ static int ClientBenchmarkThroughput(WOLFSSL_CTX* ctx, char* host, word16 port,
                     } while (err == WC_PENDING_E);
                     if (ret != len) {
                         printf("SSL_write bench error %d!\n", err);
+                        if (!exitWithRet)
                             err_sys("SSL_write failed");
+                        goto doExit;
                     }
                     tx_time += current_time(0) - start;
 
@@ -654,6 +656,7 @@ static int ClientBenchmarkThroughput(WOLFSSL_CTX* ctx, char* host, word16 port,
         else {
             err_sys("Client buffer malloc failed");
         }
+doExit:
         if(tx_buffer) XFREE(tx_buffer, NULL, DYNAMIC_TYPE_TMP_BUFFER);
         if(rx_buffer) XFREE(rx_buffer, NULL, DYNAMIC_TYPE_TMP_BUFFER);
     }
@@ -665,6 +668,9 @@ static int ClientBenchmarkThroughput(WOLFSSL_CTX* ctx, char* host, word16 port,
     wolfSSL_free(ssl); ssl = NULL;
     CloseSocket(sockfd);
 
+    if (exitWithRet)
+        return err;
+
 #if !defined(__MINGW32__)
     printf("wolfSSL Client Benchmark %zu bytes\n"
 #else
@@ -1604,6 +1610,9 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 
     StackTrap();
 
+    /* Reinitialize the global myVerifyAction. */
+    myVerifyAction = VERIFY_OVERRIDE_ERROR;
+
 #ifndef WOLFSSL_VXWORKS
     /* Not used: All used */
     while ((ch = mygetopt(argc, argv, "?:"
@@ -2622,9 +2631,13 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
     if (throughput) {
         ((func_args*)args)->return_code =
             ClientBenchmarkThroughput(ctx, host, port, dtlsUDP, dtlsSCTP,
-                                      block, throughput, useX25519, useX448);
+                                      block, throughput, useX25519, useX448,
+                                      exitWithRet);
         wolfSSL_CTX_free(ctx); ctx = NULL;
+        if (!exitWithRet)
             XEXIT_T(EXIT_SUCCESS);
+        else
+            goto exit;
     }
 
     #if defined(WOLFSSL_MDK_ARM)
@@ -3155,12 +3168,16 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
     err = ClientWrite(ssl, msg, msgSz, "", exitWithRet);
     if (exitWithRet && (err != 0)) {
         ((func_args*)args)->return_code = err;
+        wolfSSL_free(ssl); ssl = NULL;
+        wolfSSL_CTX_free(ctx); ctx = NULL;
         goto exit;
     }
 
     err = ClientRead(ssl, reply, sizeof(reply)-1, 1, "", exitWithRet);
     if (exitWithRet && (err != 0)) {
         ((func_args*)args)->return_code = err;
+        wolfSSL_free(ssl); ssl = NULL;
+        wolfSSL_CTX_free(ctx); ctx = NULL;
         goto exit;
     }
 

examples/server/server.c

@@ -381,6 +381,10 @@ int ServerEchoData(SSL* ssl, int clientfd, int echoData, int block,
                         err_sys_ex(runWithErrors, "SSL_read failed");
                         break;
                     }
+                    if (err == WOLFSSL_ERROR_ZERO_RETURN) {
+                        free(buffer);
+                        return WOLFSSL_ERROR_ZERO_RETURN;
+                    }
                 }
                 else {
                     rx_pos += ret;
@@ -438,7 +442,7 @@ int ServerEchoData(SSL* ssl, int clientfd, int echoData, int block,
         );
     }
 
-    return EXIT_SUCCESS;
+    return 0;
 }
 
 static void ServerRead(WOLFSSL* ssl, char* input, int inputLen)
@@ -1097,6 +1101,10 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
 #ifdef WOLFSSL_VXWORKS
     useAnyAddr = 1;
 #else
+
+    /* Reinitialize the global myVerifyAction. */
+    myVerifyAction = VERIFY_OVERRIDE_ERROR;
+
     /* Not Used: h, z, F, T, V, W, X */
     while ((ch = mygetopt(argc, argv, "?:"
                 "abc:defgijk:l:mnop:q:rstuv:wxy"
@@ -1807,7 +1815,8 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
         SSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER |
                             (usePskPlus ? WOLFSSL_VERIFY_FAIL_EXCEPT_PSK :
                                 WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT),
-                  myVerifyAction == VERIFY_OVERRIDE_DATE_ERR ? myVerify : NULL);
+                  (myVerifyAction == VERIFY_OVERRIDE_DATE_ERR ||
+                   myVerifyAction == VERIFY_FORCE_FAIL) ? myVerify : NULL);
 
     #ifdef TEST_BEFORE_DATE
         verify_flags |= WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY;
@@ -2446,7 +2455,15 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
 #endif
         }
         else if (err == 0 || err == WOLFSSL_ERROR_ZERO_RETURN) {
-            ServerEchoData(ssl, clientfd, echoData, block, throughput);
+            err = ServerEchoData(ssl, clientfd, echoData, block, throughput);
+            if (err != 0) {
+                SSL_free(ssl); ssl = NULL;
+                SSL_CTX_free(ctx); ctx = NULL;
+                CloseSocket(clientfd);
+                CloseSocket(sockfd);
+                ((func_args*)args)->return_code = err;
+                goto exit;
+            }
         }
 
 #if defined(WOLFSSL_MDK_SHELL) && defined(HAVE_MDK_RTX)

src/internal.c

@@ -10007,6 +10007,8 @@ int DoVerifyCallback(WOLFSSL_CERT_MANAGER* cm, WOLFSSL* ssl, int ret,
     /* Determine if verify was okay */
     if (ret == 0) {
         verify_ok = 1;
+        use_cb = 1; /* use verify callback on success, in case callback
+                     * could force fail a cert */
     }
 
     /* Determine if verify callback should be used */
@@ -17727,9 +17729,11 @@ int SendData(WOLFSSL* ssl, const void* data, int sz)
 
         len = wolfSSL_GetMaxRecordSize(ssl, sz - sent);
 
-#ifdef WOLFSSL_DTLS
+#if defined(WOLFSSL_DTLS) && !defined(WOLFSSL_NO_DTLS_SIZE_CHECK)
-        if (IsDtlsNotSctpMode(ssl)) {
+        if (ssl->options.dtls && (len < sz - sent)) {
-            len = min(len, MAX_UDP_SIZE);
+            ssl->error = DTLS_SIZE_ERROR;
+            WOLFSSL_ERROR(ssl->error);
+            return ssl->error;
         }
 #endif
         buffSz = len;
@@ -18457,6 +18461,9 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e)
     case TLS13_SECRET_CB_E:
         return "TLS1.3 Secret Callback Error";
 
+    case DTLS_SIZE_ERROR:
+        return "DTLS trying to send too much in single datagram error";
+
     default :
         return "unknown error number";
     }
@@ -29995,7 +30002,7 @@ int wolfSSL_GetMaxRecordSize(WOLFSSL* ssl, int maxFragment)
     }
 #endif /* HAVE_MAX_FRAGMENT */
 #ifdef WOLFSSL_DTLS
-    if ((ssl->options.dtls) && (maxFragment > MAX_UDP_SIZE)) {
+    if (IsDtlsNotSctpMode(ssl) && (maxFragment > MAX_UDP_SIZE)) {
         maxFragment = MAX_UDP_SIZE;
     }
 #endif

tests/include.am

@@ -31,6 +31,7 @@ EXTRA_DIST += tests/test.conf \
               tests/test-psk-no-id.conf \
               tests/test-psk-no-id-sha2.conf \
               tests/test-dtls.conf \
+              tests/test-dtls-fails.conf \
               tests/test-dtls-group.conf \
               tests/test-dtls-reneg-client.conf \
               tests/test-dtls-reneg-server.conf \

tests/suites.c

@@ -455,6 +455,7 @@ static int execute_test_case(int svr_argc, char** svr_argv,
         return NOT_BUILT_IN;
     }
     printf("trying client command line[%d]: %s\n", tests, commandLine);
+    tests++;
 
     /* determine based on args if this test is expected to fail */
     if (XSTRSTR(commandLine, exitWithRetFlag) != NULL) {
@@ -881,6 +882,20 @@ int SuiteTest(int argc, char** argv)
         goto exit;
     }
 #endif
+#ifndef WOLFSSL_NO_DTLS_SIZE_CHECK
+    /* failure tests */
+    args.argc = 3;
+    strcpy(argv0[1], "tests/test-dtls-fails.conf");
+    strcpy(argv0[2], "expFail"); /* tests are expected to fail */
+    printf("starting dtls tests that expect failure\n");
+    test_harness(&args);
+    if (args.return_code != 0) {
+        printf("error from script %d\n", args.return_code);
+        args.return_code = EXIT_FAILURE;
+        goto exit;
+    }
+    strcpy(argv0[2], "");
+#endif
 #endif
 #ifdef WOLFSSL_SCTP
     /* add dtls-sctp extra suites */
@@ -1038,7 +1053,7 @@ int SuiteTest(int argc, char** argv)
     args.argc = 3;
     strcpy(argv0[1], "tests/test-dhprime.conf");
     strcpy(argv0[2], "doDH"); /* add DH prime flag */
-    printf("starting tests that expect failure\n");
+    printf("starting dh prime tests\n");
     test_harness(&args);
     if (args.return_code != 0) {
         printf("error from script %d\n", args.return_code);

tests/test-dtls-fails.conf

@@ -0,0 +1,16 @@
+# DTLS test
+# server DTLSv1.2 too big test
+-v 3
+-l ECDHE-ECDSA-AES128-SHA256
+-c ./certs/server-ecc.pem
+-k ./certs/ecc-key.pem
+-u
+-B 9000
+
+# client DTLSv1.2 too big test
+-v 3
+-l ECDHE-ECDSA-AES128-SHA256
+-A ./certs/ca-ecc-cert.pem
+-u
+-B 9000
+

wolfssl/error-ssl.h

@@ -167,6 +167,7 @@ enum wolfSSL_ErrorCodes {
     CLIENT_CERT_CB_ERROR         = -436,   /* Client cert callback error */
     SSL_SHUTDOWN_ALREADY_DONE_E  = -437,   /* Shutdown called redundantly */
     TLS13_SECRET_CB_E            = -438,   /* TLS1.3 secret Cb fcn failure */
+    DTLS_SIZE_ERROR              = -439,   /* Trying to send too much data */
 
     /* add strings to wolfSSL_ERR_reason_error_string in internal.c !!!!! */
 

wolfssl/test.h

@@ -1696,7 +1696,7 @@ enum {
     VERIFY_USE_PREVERFIY,
     VERIFY_OVERRIDE_DATE_ERR,
 };
-static int myVerifyAction = VERIFY_OVERRIDE_ERROR;
+static THREAD_LS_T int myVerifyAction = VERIFY_OVERRIDE_ERROR;
 
 /* The verify callback is called for every certificate only when
  * --enable-opensslextra is defined because it sets WOLFSSL_ALWAYS_VERIFY_CB and