added test cases and fixed a bug with AEAD ciphers with DTLSv1.2.

cyassl/test.h

@@ -106,7 +106,11 @@
    
 
 #define SERVER_DEFAULT_VERSION 3
+#define SERVER_DTLS_DEFAULT_VERSION (-2)
+#define SERVER_INVALID_VERSION (-99)
 #define CLIENT_DEFAULT_VERSION 3
+#define CLIENT_DTLS_DEFAULT_VERSION (-2)
+#define CLIENT_INVALID_VERSION (-99)
 
 /* all certs relative to CyaSSL home directory now */
 #define caCert     "./certs/ca-cert.pem"

examples/client/client.c

@@ -99,7 +99,8 @@ static void Usage(void)
     printf("-s          Use pre Shared keys\n");
     printf("-d          Disable peer checks\n");
     printf("-g          Send server HTTP GET\n");
-    printf("-u          Use UDP DTLS\n");
+    printf("-u          Use UDP DTLS,"
+           " add -v 2 for DTLSv1 (default), -v 3 for DTLSv1.2\n");
     printf("-m          Match domain name in cert\n");
     printf("-N          Use Non-blocking sockets\n");
     printf("-r          Resume session\n");
@@ -129,7 +130,7 @@ void client_test(void* args)
     char* domain = (char*)"www.yassl.com";
 
     int    ch;
-    int    version = CLIENT_DEFAULT_VERSION;
+    int    version = CLIENT_INVALID_VERSION;
     int    usePsk   = 0;
     int    sendGET  = 0;
     int    benchmark = 0;
@@ -164,7 +165,6 @@ void client_test(void* args)
 
             case 'u' :
                 doDTLS  = 1;
-                version = -1;  /* DTLS flag */
                 break;
 
             case 's' :
@@ -190,8 +190,6 @@ void client_test(void* args)
                     Usage();
                     exit(MY_EX_USAGE);
                 }
-                if (doDTLS)
-                    version = -1;   /* DTLS flag */
                 break;
 
             case 'l' :
@@ -234,6 +232,22 @@ void client_test(void* args)
 
     myoptind = 0;      /* reset for test cases */
 
+    /* sort out DTLS versus TLS versions */
+    if (version == CLIENT_INVALID_VERSION) {
+        if (doDTLS)
+            version = CLIENT_DTLS_DEFAULT_VERSION;
+        else
+            version = CLIENT_DEFAULT_VERSION;
+    }
+    else {
+        if (doDTLS) {
+            if (version == 3)
+                version = -2;
+            else
+                version = -1;
+        }
+    }
+
     switch (version) {
 #ifndef NO_OLD_TLS
         case 0:
@@ -257,6 +271,10 @@ void client_test(void* args)
         case -1:
             method = CyaDTLSv1_client_method();
             break;
+
+        case -2:
+            method = CyaDTLSv1_2_client_method();
+            break;
 #endif
 
         default:

examples/server/server.c

@@ -98,7 +98,8 @@ static void Usage(void)
     printf("-d          Disable client cert check\n");
     printf("-b          Bind to any interface instead of localhost only\n");
     printf("-s          Use pre Shared keys\n");
-    printf("-u          Use UDP DTLS\n");
+    printf("-u          Use UDP DTLS,"
+           " add -v 2 for DTLSv1 (default), -v 3 for DTLSv1.2\n");
     printf("-N          Use Non-blocking sockets\n");
 }
 
@@ -157,7 +158,6 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
 
             case 'u' :
                 doDTLS  = 1;
-                version = -1;  /* DTLS flag */
                 break;
 
             case 'p' :
@@ -170,8 +170,6 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
                     Usage();
                     exit(MY_EX_USAGE);
                 }
-                if (doDTLS)
-                    version = -1;  /* stay with DTLS */
                 break;
 
             case 'l' :
@@ -202,6 +200,22 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
 
     myoptind = 0;      /* reset for test cases */
 
+    /* sort out DTLS versus TLS versions */
+    if (version == CLIENT_INVALID_VERSION) {
+        if (doDTLS)
+            version = CLIENT_DTLS_DEFAULT_VERSION;
+        else
+            version = CLIENT_DEFAULT_VERSION;
+    }
+    else {
+        if (doDTLS) {
+            if (version == 3)
+                version = -2;
+            else
+                version = -1;
+        }
+    }
+
     switch (version) {
 #ifndef NO_OLD_TLS
         case 0:
@@ -225,6 +239,10 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
         case -1:
             method = DTLSv1_server_method();
             break;
+
+        case -2:
+            method = DTLSv1_2_server_method();
+            break;
 #endif
 
         default:

src/internal.c

@@ -3375,6 +3375,7 @@ static INLINE int Encrypt(CYASSL* ssl, byte* out, const byte* input, word32 sz)
                 {
                     byte additional[AES_BLOCK_SIZE];
                     byte nonce[AEAD_NONCE_SZ];
+                    const byte* additionalSrc = input - 5;
 
                     XMEMSET(additional, 0, AES_BLOCK_SIZE);
 
@@ -3384,7 +3385,11 @@ static INLINE int Encrypt(CYASSL* ssl, byte* out, const byte* input, word32 sz)
 
                     /* Store the type, version. Unfortunately, they are in
                      * the input buffer ahead of the plaintext. */
-                    XMEMCPY(additional + AEAD_TYPE_OFFSET, input - 5, 3);
+                    #ifdef CYASSL_DTLS
+                        if (ssl->options.dtls)
+                            additionalSrc -= DTLS_HANDSHAKE_EXTRA;
+                    #endif
+                    XMEMCPY(additional + AEAD_TYPE_OFFSET, additionalSrc, 3);
 
                     /* Store the length of the plain text minus the explicit
                      * IV length minus the authentication tag size. */
@@ -3411,6 +3416,7 @@ static INLINE int Encrypt(CYASSL* ssl, byte* out, const byte* input, word32 sz)
                 {
                     byte additional[AES_BLOCK_SIZE];
                     byte nonce[AEAD_NONCE_SZ];
+                    const byte* additionalSrc = input - 5;
 
                     XMEMSET(additional, 0, AES_BLOCK_SIZE);
 
@@ -3420,7 +3426,11 @@ static INLINE int Encrypt(CYASSL* ssl, byte* out, const byte* input, word32 sz)
 
                     /* Store the type, version. Unfortunately, they are in
                      * the input buffer ahead of the plaintext. */
-                    XMEMCPY(additional + AEAD_TYPE_OFFSET, input - 5, 3);
+                    #ifdef CYASSL_DTLS
+                        if (ssl->options.dtls)
+                            additionalSrc -= DTLS_HANDSHAKE_EXTRA;
+                    #endif
+                    XMEMCPY(additional + AEAD_TYPE_OFFSET, additionalSrc, 3);
 
                     /* Store the length of the plain text minus the explicit
                      * IV length minus the authentication tag size. */

tests/include.am

@@ -27,9 +27,11 @@ EXTRA_DIST += tests/test.conf \
               tests/test-ecc-sha384.conf \
               tests/test-aesgcm.conf \
               tests/test-aesgcm-ecc.conf \
+              tests/test-aesgcm-ecc-dtls.conf \
               tests/test-aesgcm-openssl.conf \
               tests/test-aesccm.conf \
               tests/test-aesccm-ecc.conf \
+              tests/test-aesccm-ecc-dtls.conf \
               tests/test-camellia.conf \
               tests/test-camellia-openssl.conf \
               tests/test-dtls.conf \

tests/suites.c

@@ -400,6 +400,16 @@ int SuiteTest(void)
         printf("error from script %d\n", args.return_code);
         exit(EXIT_FAILURE);  
     }
+    #ifdef CYASSL_DTLS
+        /* add aesgcm ecc dtls extra suites */
+        strcpy(argv0[1], "tests/test-aesgcm-ecc-dtls.conf");
+        printf("starting aesgcm ecc dtls extra cipher suite tests\n");
+        test_harness(&args);
+        if (args.return_code != 0) {
+            printf("error from script %d\n", args.return_code);
+            exit(EXIT_FAILURE);  
+        }
+    #endif
 #endif
 
 #if defined(HAVE_AESCCM)
@@ -420,6 +430,16 @@ int SuiteTest(void)
             printf("error from script %d\n", args.return_code);
             exit(EXIT_FAILURE);  
         }
+        #ifdef CYASSL_DTLS
+            /* add aesccm ecc dtls extra suites */
+            strcpy(argv0[1], "tests/test-aesccm-ecc-dtls.conf");
+            printf("starting aesccm ecc dtls cipher suite tests\n");
+            test_harness(&args);
+            if (args.return_code != 0) {
+                printf("error from script %d\n", args.return_code);
+                exit(EXIT_FAILURE);  
+            }
+        #endif
     #endif
 #endif
 

tests/test-aesccm-ecc-dtls.conf

@@ -0,0 +1,56 @@
+# server DTLSv1.2 ECDHE-ECDSA-AES128-CCM-8-SHA256
+-u
+-v 3
+-l ECDHE-ECDSA-AES128-CCM-8-SHA256
+-c ./certs/server-ecc.pem
+-k ./certs/ecc-key.pem
+
+# client DTLSv1.2 ECDHE-ECDSA-AES128-CCM-8-SHA256
+-u
+-v 3
+-l ECDHE-ECDSA-AES128-CCM-8-SHA256
+-A ./certs/server-ecc.pem
+
+# server DTLSv1.2 ECDHE-ECDSA-AES256-CCM-8-SHA384
+-u
+-v 3
+-l ECDHE-ECDSA-AES256-CCM-8-SHA384
+-c ./certs/server-ecc.pem
+-k ./certs/ecc-key.pem
+
+# client DTLSv1.2 ECDHE-ECDSA-AES256-CCM-8-SHA384
+-u
+-v 3
+-l ECDHE-ECDSA-AES256-CCM-8-SHA384
+-A ./certs/server-ecc.pem
+
+# server DTLSv1.2 ECDHE-ECDSA-AES128-CCM-8-SHA256 NON-BLOCKING
+-u
+-v 3
+-l ECDHE-ECDSA-AES128-CCM-8-SHA256
+-c ./certs/server-ecc.pem
+-k ./certs/ecc-key.pem
+-N
+
+# client DTLSv1.2 ECDHE-ECDSA-AES128-CCM-8-SHA256 NON-BLOCKING
+-u
+-v 3
+-l ECDHE-ECDSA-AES128-CCM-8-SHA256
+-A ./certs/server-ecc.pem
+-N
+
+# server DTLSv1.2 ECDHE-ECDSA-AES256-CCM-8-SHA384 NON-BLOCKING
+-u
+-v 3
+-l ECDHE-ECDSA-AES256-CCM-8-SHA384
+-c ./certs/server-ecc.pem
+-k ./certs/ecc-key.pem
+-N
+
+# client DTLSv1.2 ECDHE-ECDSA-AES256-CCM-8-SHA384 NON-BLOCKING
+-u
+-v 3
+-l ECDHE-ECDSA-AES256-CCM-8-SHA384
+-A ./certs/server-ecc.pem
+-N
+

tests/test-aesgcm-ecc-dtls.conf

@@ -0,0 +1,96 @@
+# server DTLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 
+-u
+-v 3
+-l ECDHE-ECDSA-AES128-GCM-SHA256
+-c ./certs/server-ecc.pem
+-k ./certs/ecc-key.pem
+
+# client DTLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 
+-u
+-v 3
+-l ECDHE-ECDSA-AES128-GCM-SHA256
+-A ./certs/server-ecc.pem
+
+# server DTLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
+-u
+-v 3
+-l ECDHE-ECDSA-AES256-GCM-SHA384
+-c ./certs/server-ecc.pem
+-k ./certs/ecc-key.pem
+
+# client DTLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
+-u
+-v 3
+-l ECDHE-ECDSA-AES256-GCM-SHA384
+-A ./certs/server-ecc.pem
+
+# server DTLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256 
+-u
+-v 3
+-l ECDH-ECDSA-AES128-GCM-SHA256
+-c ./certs/server-ecc.pem
+-k ./certs/ecc-key.pem
+
+# client DTLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256 
+-u
+-v 3
+-l ECDH-ECDSA-AES128-GCM-SHA256
+-A ./certs/server-ecc.pem
+
+# server DTLSv1.2 ECDH-ECDSA-AES256-GCM-SHA384
+-u
+-v 3
+-l ECDH-ECDSA-AES256-GCM-SHA384
+-c ./certs/server-ecc.pem
+-k ./certs/ecc-key.pem
+
+# client DTLSv1.2 ECDH-ECDSA-AES256-GCM-SHA384
+-u
+-v 3
+-l ECDH-ECDSA-AES256-GCM-SHA384
+-A ./certs/server-ecc.pem
+
+# server DTLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 
+-u
+-v 3
+-l ECDHE-RSA-AES128-GCM-SHA256
+
+# client DTLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 
+-u
+-v 3
+-l ECDHE-RSA-AES128-GCM-SHA256
+
+# server DTLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
+-u
+-v 3
+-l ECDHE-RSA-AES256-GCM-SHA384
+
+# client DTLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
+-u
+-v 3
+-l ECDHE-RSA-AES256-GCM-SHA384
+
+# server DTLSv1.2 ECDH-RSA-AES128-GCM-SHA256 
+-u
+-v 3
+-l ECDH-RSA-AES128-GCM-SHA256
+-c ./certs/server-ecc-rsa.pem
+-k ./certs/ecc-key.pem
+
+# client DTLSv1.2 ECDH-RSA-AES128-GCM-SHA256 
+-u
+-v 3
+-l ECDH-RSA-AES128-GCM-SHA256
+
+# server DTLSv1.2 ECDH-RSA-AES256-GCM-SHA384
+-u
+-v 3
+-l ECDH-RSA-AES256-GCM-SHA384
+-c ./certs/server-ecc-rsa.pem
+-k ./certs/ecc-key.pem
+
+# client DTLSv1.2 ECDH-RSA-AES256-GCM-SHA384
+-u
+-v 3
+-l ECDH-RSA-AES256-GCM-SHA384
+

tests/test-dtls.conf

@@ -1,98 +1,240 @@
 # server DTLSv1 RC4-SHA
 -u
+-v 2
 -l RC4-SHA
 
 # client DTLSv1 RC4-SHA
 -u
+-v 2
+-l RC4-SHA
+
+# server DTLSv1.2 RC4-SHA
+-u
+-v 3
+-l RC4-SHA
+
+# client DTLSv1.2 RC4-SHA
+-u
+-v 3
 -l RC4-SHA
 
 # server DTLSv1 DES-CBC3-SHA
 -u
+-v 2
 -l DES-CBC3-SHA
 
 # client DTLSv1 DES-CBC3-SHA
 -u
+-v 2
+-l DES-CBC3-SHA
+
+# server DTLSv1.2 DES-CBC3-SHA
+-u
+-v 3
+-l DES-CBC3-SHA
+
+# client DTLSv1.2 DES-CBC3-SHA
+-u
+-v 3
 -l DES-CBC3-SHA
 
 # server DTLSv1 AES128-SHA
 -u
+-v 2
 -l AES128-SHA
 
 # client DTLSv1 AES128-SHA
 -u
+-v 2
+-l AES128-SHA
+
+# server DTLSv1.2 AES128-SHA
+-u
+-v 3
+-l AES128-SHA
+
+# client DTLSv1.2 AES128-SHA
+-u
+-v 3
 -l AES128-SHA
 
 # server DTLSv1 AES256-SHA
 -u
+-v 2
 -l AES256-SHA
 
 # client DTLSv1 AES256-SHA
 -u
+-v 2
+-l AES256-SHA
+
+# server DTLSv1.2 AES256-SHA
+-u
+-v 3
+-l AES256-SHA
+
+# client DTLSv1.2 AES256-SHA
+-u
+-v 3
 -l AES256-SHA
 
 # server DTLSv1 AES128-SHA256
 -u
+-v 2
 -l AES128-SHA256
 
 # client DTLSv1 AES128-SHA256
 -u
+-v 2
+-l AES128-SHA256
+
+# server DTLSv1.2 AES128-SHA256
+-u
+-v 3
+-l AES128-SHA256
+
+# client DTLSv1.2 AES128-SHA256
+-u
+-v 3
 -l AES128-SHA256
 
 # server DTLSv1 AES256-SHA256
 -u
+-v 2
 -l AES256-SHA256
 
 # client DTLSv1 AES256-SHA256
 -u
+-v 2
+-l AES256-SHA256
+
+# server DTLSv1.2 AES256-SHA256
+-u
+-v 3
+-l AES256-SHA256
+
+# client DTLSv1.2 AES256-SHA256
+-u
+-v 3
 -l AES256-SHA256
 
 # server DTLSv1 DES-CBC3-SHA NON-BLOCKING
 -u
+-v 2
 -l DES-CBC3-SHA
 -N
 
 # client DTLSv1 DES-CBC3-SHA NON-BLOCKING
 -u
+-v 2
+-l DES-CBC3-SHA
+-N
+
+# server DTLSv1.2 DES-CBC3-SHA NON-BLOCKING
+-u
+-v 3
+-l DES-CBC3-SHA
+-N
+
+# client DTLSv1.2 DES-CBC3-SHA NON-BLOCKING
+-u
+-v 3
 -l DES-CBC3-SHA
 -N
 
 # server DTLSv1 AES128-SHA NON-BLOCKING
 -u
+-v 2
 -l AES128-SHA
 -N
 
 # client DTLSv1 AES128-SHA NON-BLOCKING
 -u
+-v 2
+-l AES128-SHA
+-N
+
+# server DTLSv1.2 AES128-SHA NON-BLOCKING
+-u
+-v 3
+-l AES128-SHA
+-N
+
+# client DTLSv1.2 AES128-SHA NON-BLOCKING
+-u
+-v 3
 -l AES128-SHA
 -N
 
 # server DTLSv1 AES256-SHA NON-BLOCKING
 -u
+-v 2
 -l AES256-SHA
 -N
 
 # client DTLSv1 AES256-SHA NON-BLOCKING
 -u
+-v 2
+-l AES256-SHA
+-N
+
+# server DTLSv1.2 AES256-SHA NON-BLOCKING
+-u
+-v 3
+-l AES256-SHA
+-N
+
+# client DTLSv1.2 AES256-SHA NON-BLOCKING
+-u
+-v 3
 -l AES256-SHA
 -N
 
 # server DTLSv1 AES128-SHA256 NON-BLOCKING
 -u
+-v 2
 -l AES128-SHA256
 -N
 
 # client DTLSv1 AES128-SHA256 NON-BLOCKING
 -u
+-v 2
+-l AES128-SHA256
+-N
+
+# server DTLSv1.2 AES128-SHA256 NON-BLOCKING
+-u
+-v 3
+-l AES128-SHA256
+-N
+
+# client DTLSv1.2 AES128-SHA256 NON-BLOCKING
+-u
+-v 3
 -l AES128-SHA256
 -N
 
 # server DTLSv1 AES256-SHA256 NON-BLOCKING
 -u
+-v 2
 -l AES256-SHA256
 -N
 
 # client DTLSv1 AES256-SHA256 NON-BLOCKING
 -u
+-v 2
+-l AES256-SHA256
+-N
+
+# server DTLSv1.2 AES256-SHA256 NON-BLOCKING
+-u
+-v 3
+-l AES256-SHA256
+-N
+
+# client DTLSv1.2 AES256-SHA256 NON-BLOCKING
+-u
+-v 3
 -l AES256-SHA256
 -N