diff --git a/src/ssl.c b/src/ssl.c
index 73ee22bbe..a41cb3f61 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -10635,8 +10635,7 @@ int wolfSSL_X509_add_altname_ex(WOLFSSL_X509* x509, const char* name,
     if ((name == NULL) || (nameSz == 0))
         return WOLFSSL_SUCCESS;
-    newAltName = (DNS_entry*)XMALLOC(sizeof(DNS_entry),
-            x509->heap, DYNAMIC_TYPE_ALTNAME);
+    newAltName = AltNameNew(x509->heap);
     if (newAltName == NULL)
         return WOLFSSL_FAILURE;
@@ -26905,7 +26904,7 @@ int wolfSSL_ERR_GET_REASON(unsigned long err)
     if (err == ((ERR_LIB_PEM << 24) | PEM_R_NO_START_LINE))
         return PEM_R_NO_START_LINE;
 #endif
-#if defined(OPENSLL_ALL) && defined(WOLFSSL_PYTHON)
+#if defined(OPENSSL_ALL) && defined(WOLFSSL_PYTHON)
     if (err == ((ERR_LIB_ASN1 << 24) | ASN1_R_HEADER_TOO_LONG))
         return ASN1_R_HEADER_TOO_LONG;
 #endif
@@ -44189,12 +44188,13 @@ unsigned long wolfSSL_ERR_peek_last_error_line(const char **file, int *line)
            WOLFSSL_MSG("Issue peeking at error node in queue");
            return 0;
        }
+       printf("ret from peek error node = %d\n", ret);
    #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX)
        if (ret == -ASN_NO_PEM_HEADER)
            return (ERR_LIB_PEM << 24) | PEM_R_NO_START_LINE;
    #endif
-    #if defined(OPENSLL_ALL) && defined(WOLFSSL_PYTHON)
-       if (ret == -ASN1_R_HEADER_TOO_LONG) {
+    #if defined(OPENSSL_ALL) && defined(WOLFSSL_PYTHON)
+       if (ret == ASN1_R_HEADER_TOO_LONG) {
            return (ERR_LIB_ASN1 << 24) | ASN1_R_HEADER_TOO_LONG;
        }
    #endif
@@ -46746,7 +46746,7 @@ unsigned long wolfSSL_ERR_peek_last_error(void)
        if (ret == -ASN_NO_PEM_HEADER)
            return (ERR_LIB_PEM << 24) | PEM_R_NO_START_LINE;
 #if defined(WOLFSSL_PYTHON)
-       if (ret == -ASN1_R_HEADER_TOO_LONG)
+       if (ret == ASN1_R_HEADER_TOO_LONG)
            return (ERR_LIB_ASN1 << 24) | ASN1_R_HEADER_TOO_LONG;
 #endif
        return (unsigned long)ret;
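Review bot: The added `printf("ret from peek error node = %d\n", ret);` in wolfSSL_ERR_peek_last_error_line is leftover debug output: it writes to stdout unconditionally from library code on every successful peek, in every build configuration, and bypasses the WOLFSSL_MSG logging the failure branch just above uses. Remove the line, or if the value is useful during development gate it behind the library's debug logging rather than a bare printf. The same hunk also switches the comparison from `-ASN1_R_HEADER_TOO_LONG` to the positive `ASN1_R_HEADER_TOO_LONG` while the neighbouring check keeps the negated `-ASN_NO_PEM_HEADER`; the test added in tests/api.c pushes the positive value through ERR_put_error, which appears to be the reason, and a one-line comment such as `/* OpenSSL reason code, stored positive by ERR_put_error */` would save the next reader the same puzzle. The function body continues outside the hunk.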
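Review bot: The guard around the ASN1_R_HEADER_TOO_LONG mapping in wolfSSL_ERR_peek_last_error is `#if defined(WOLFSSL_PYTHON)`, whereas the equivalent mapping this commit touches in wolfSSL_ERR_peek_last_error_line and the one it adds to wolfSSL_ERR_peek_error_line_data are under `#if defined(OPENSSL_ALL) && defined(WOLFSSL_PYTHON)`, as is the unpacking in wolfSSL_ERR_GET_REASON. In a build with WOLFSSL_PYTHON but not OPENSSL_ALL the peek functions would then disagree on whether the packed `(ERR_LIB_ASN1 << 24) | ASN1_R_HEADER_TOO_LONG` or the raw code comes back, and ERR_GET_REASON would not unpack what this one returns. Use the same condition here, `#if defined(OPENSSL_ALL) && defined(WOLFSSL_PYTHON)`, so all four sites agree. The enclosing function starts outside the hunk.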
@@ -47832,6 +47832,11 @@ unsigned long wolfSSL_ERR_peek_error_line_data(const char **file, int *line,
        if (ret == -ASN_NO_PEM_HEADER)
            return (ERR_LIB_PEM << 24) | PEM_R_NO_START_LINE;
+    #if defined(OPENSSL_ALL) && defined(WOLFSSL_PYTHON)
+       if (ret == ASN1_R_HEADER_TOO_LONG) {
+           return (ERR_LIB_ASN1 << 24) | ASN1_R_HEADER_TOO_LONG;
+       }
+    #endif
        if (ret != -WANT_READ && ret != -WANT_WRITE && ret != -ZERO_RETURN && ret != -WOLFSSL_ERROR_ZERO_RETURN && ret != -SOCKET_PEER_CLOSED_E && ret != -SOCKET_ERROR_E)
@@ -57883,7 +57888,8 @@ int wolfSSL_RAND_pseudo_bytes(unsigned char* buf, int num)
     /* get secret value from source of entropy */
     ret = wolfSSL_RAND_bytes(secret, DRBG_SEED_LEN);
-    /* uses input buffer to seed fro pseudo random number generation */
+    /* uses input buffer to seed for pseudo random number generation, each
+     * thread will potentially have different results this way */
     if (ret == WOLFSSL_SUCCESS) {
         ret = wc_PRF(buf, num, secret, DRBG_SEED_LEN, (const byte*)buf, num, hash, NULL, INVALID_DEVID);
diff --git a/tests/api.c b/tests/api.c
index 9753712f5..7fd629c7d 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -4020,6 +4020,7 @@ static THREAD_RETURN WOLFSSL_THREAD test_server_nofail(void* args)
     msg_len = wolfSSL_get_finished(ssl, server_side_msg1, MD_MAX_SIZE);
     AssertIntGE(msg_len, 0);
 #endif
+
     idx = wolfSSL_read(ssl, input, sizeof(input)-1);
     if (idx > 0) {
         input[idx] = '\0';
@@ -4035,6 +4036,9 @@ static THREAD_RETURN WOLFSSL_THREAD test_server_nofail(void* args)
 #endif
     }
+    if (cbf != NULL && cbf->on_result != NULL)
+        cbf->on_result(ssl);
+
 #ifdef WOLFSSL_TIRTOS
     Task_yield();
 #endif
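Review bot: Nothing in test_server_nofail documents at which point the new `cbf->on_result(ssl)` hook runs relative to the handshake and the read/write exchange, yet the callbacks this commit registers through it (post_auth_version_cb and post_auth_cb) call wolfSSL_accept as if the handshake were still pending. The hunk shows the hook firing after wolfSSL_read has consumed the client's message, so a comment at the call site, `/* on_result: invoked after the handshake and the echo exchange have completed */`, would pin the contract for callback authors. The cbf variable is declared outside the hunk, so whether it is always initialised on this path cannot be checked from the diff.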
@@ -32374,6 +32378,104 @@ static void test_wolfSSL_Tls13_Key_Logging_test(void)
 #endif /* OPENSSL_EXTRA && HAVE_SECRET_CALLBACK && WOLFSSL_TLS13 */
 }
+#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
+static void post_auth_version_cb(WOLFSSL* ssl)
+{
+    /* do handshake and then test version error */
+    AssertIntEQ(wolfSSL_accept(ssl), WOLFSSL_SUCCESS);
+    AssertStrEQ("TLSv1.2", wolfSSL_get_version(ssl));
+    AssertIntEQ(wolfSSL_verify_client_post_handshake(ssl), WOLFSSL_FAILURE);
+#ifdef OPENSSL_ALL
+    /* check was added to error queue */
+    AssertIntEQ(wolfSSL_ERR_get_error(), -UNSUPPORTED_PROTO_VERSION);
+
+    /* check the string matches expected string */
+    AssertStrEQ(wolfSSL_ERR_error_string(-UNSUPPORTED_PROTO_VERSION, NULL),
+            "WRONG_SSL_VERSION");
+#endif
+}
+
+static void post_auth_cb(WOLFSSL* ssl)
+{
+    /* do handshake and then test version error */
+    AssertIntEQ(wolfSSL_accept(ssl), WOLFSSL_SUCCESS);
+    AssertStrEQ("TLSv1.3", wolfSSL_get_version(ssl));
+    AssertNull(wolfSSL_get_peer_certificate(ssl));
+    AssertIntEQ(wolfSSL_verify_client_post_handshake(ssl), WOLFSSL_SUCCESS);
+}
+
+static void set_post_auth_cb(WOLFSSL* ssl)
+{
+    if (!wolfSSL_is_server(ssl)) {
+        AssertIntEQ(wolfSSL_allow_post_handshake_auth(ssl), 0);
+    }
+    else {
+        wolfSSL_set_verify(ssl, WOLFSSL_VERIFY_POST_HANDSHAKE, NULL);
+    }
+}
+#endif
+
+static void test_wolfSSL_Tls13_postauth(void)
+{
+#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
+    tcp_ready ready;
+    func_args client_args;
+    func_args server_args;
+    callback_functions server_cbf;
+    callback_functions client_cbf;
+    THREAD_TYPE serverThread;
+
+    printf(testingFmt, "wolfSSL_Tls13_postauth()");
+    XMEMSET(&client_args, 0, sizeof(func_args));
+    XMEMSET(&server_args, 0, sizeof(func_args));
+
+    StartTCP();
+    InitTcpReady(&ready);
+
+#if defined(USE_WINDOWS_API)
+    /* use RNG to get random port if using windows */
+    ready.port = GetRandomPort();
+#endif
+
+    server_args.signal = &ready;
+    client_args.signal = &ready;
+
+    /* test version failure doing post auth with TLS 1.2 connection */
+    XMEMSET(&server_cbf, 0, sizeof(callback_functions));
+    XMEMSET(&client_cbf, 0, sizeof(callback_functions));
+    server_cbf.method = wolfTLSv1_2_server_method;
+    server_cbf.ssl_ready = set_post_auth_cb;
+    client_cbf.ssl_ready = set_post_auth_cb;
+    server_cbf.on_result = post_auth_version_cb;
+    server_args.callbacks = &server_cbf;
+    client_args.callbacks = &client_cbf;
+
+    start_thread(test_server_nofail, &server_args, &serverThread);
+    wait_tcp_ready(&server_args);
+    test_client_nofail(&client_args, NULL);
+    join_thread(serverThread);
+
+    /* tests on post auth with TLS 1.3 */
+    XMEMSET(&server_cbf, 0, sizeof(callback_functions));
+    XMEMSET(&client_cbf, 0, sizeof(callback_functions));
+    server_cbf.method = wolfTLSv1_3_server_method;
+    server_cbf.ssl_ready = set_post_auth_cb;
+    client_cbf.ssl_ready = set_post_auth_cb;
+    server_cbf.on_result = post_auth_cb;
+    server_args.callbacks = &server_cbf;
+    client_args.callbacks = &client_cbf;
+
+    start_thread(test_server_nofail, &server_args, &serverThread);
+    wait_tcp_ready(&server_args);
+    test_client_nofail(&client_args, NULL);
+    join_thread(serverThread);
+
+    FreeTcpReady(&ready);
+    printf(resultFmt, passed);
+#endif
+}
+
+
 static void test_wolfSSL_X509_NID(void)
 {
 #if (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) && \
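Review bot: The comment in post_auth_cb, `/* do handshake and then test version error */`, is copied from post_auth_version_cb and describes the wrong case; this callback is the TLS 1.3 success path, so it should read `/* post-handshake auth request is accepted on a TLS 1.3 connection */`. Both callbacks also call wolfSSL_accept again, yet on_result is invoked by test_server_nofail only after the server has already read the client's data (see the hunk at 4035), so by then the handshake is presumably complete and the call re-checks state rather than performing it — the comment should say so if that is the intent. Finally, post_auth_cb asserts only that wolfSSL_verify_client_post_handshake returns WOLFSSL_SUCCESS and that no peer certificate is present; nothing in the test drives the client to answer the request, so the coverage appears to be issuing the post-handshake CertificateRequest rather than completing the authentication, and a comment stating that scope would keep a later reader from assuming more than is checked.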
@@ -35450,6 +35552,17 @@ static void test_wolfSSL_ERR_put_error(void)
     ERR_put_error(0,SYS_F_SOCKET, 15, "this file", 15);
     AssertIntEQ(ERR_get_error_line(&file, &line), 15);
+#ifdef WOLFSSL_PYTHON
+    ERR_put_error(ERR_LIB_ASN1, SYS_F_ACCEPT, ASN1_R_HEADER_TOO_LONG,
+            "this file", 100);
+    AssertIntEQ(wolfSSL_ERR_peek_last_error_line(&file, &line),
+            (ERR_LIB_ASN1 << 24) | ASN1_R_HEADER_TOO_LONG);
+    AssertIntEQ(line, 100);
+    AssertIntEQ(wolfSSL_ERR_peek_error(),
+            (ERR_LIB_ASN1 << 24) | ASN1_R_HEADER_TOO_LONG);
+    AssertIntEQ(ERR_get_error_line(&file, &line), ASN1_R_HEADER_TOO_LONG);
+#endif
+
     /* try reading past end of error queue */
     file = NULL;
     AssertIntEQ(ERR_get_error_line(&file, &line), 0);
@@ -49064,6 +49177,7 @@ void ApiTest(void)
     test_wolfSSL_CTX_get_keylog_callback();
     test_wolfSSL_Tls12_Key_Logging_test();
     test_wolfSSL_Tls13_Key_Logging_test();
+    test_wolfSSL_Tls13_postauth();
     test_wolfSSL_CTX_set_ecdh_auto();
     test_wolfSSL_THREADID_hash();
     test_wolfSSL_RAND_set_rand_method();
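Review bot: The new assertions are guarded by `#ifdef WOLFSSL_PYTHON` alone, but the mapping they exercise in wolfSSL_ERR_peek_last_error_line (and the one this commit adds to wolfSSL_ERR_peek_error_line_data) is compiled only under `#if defined(OPENSSL_ALL) && defined(WOLFSSL_PYTHON)`, so a WOLFSSL_PYTHON build without OPENSSL_ALL would get the raw code back from the peek and fail the first AssertIntEQ. Change the guard to `#if defined(OPENSSL_ALL) && defined(WOLFSSL_PYTHON)` so the test and the code it covers agree. The block also pins an asymmetry worth a comment: both peek calls are expected to return the packed `(ERR_LIB_ASN1 << 24) | ASN1_R_HEADER_TOO_LONG`, while ERR_get_error_line is expected to return the bare ASN1_R_HEADER_TOO_LONG, and nothing in the hunk says whether that difference is intended or merely observed.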