diff --git a/src/ssl.c b/src/ssl.c
index e5820b422..f23ceb197 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -4004,7 +4004,7 @@ int wolfSSL_CTX_UseSecureRenegotiation(WOLFSSL_CTX* ctx)
 return WOLFSSL_SUCCESS;
 }
-
+#ifdef HAVE_SECURE_RENEGOTIATION
 /* do a secure renegotiation handshake, user forced, we discourage */
 static int _Rehandshake(WOLFSSL* ssl)
 {
@@ -4069,7 +4069,7 @@ static int _Rehandshake(WOLFSSL* ssl)
 ssl->secure_renegotiation->cache_status = SCR_CACHE_NEEDED;
-#if !defined(NO_WOLFSSL_SERVER) && defined(HAVE_SECURE_RENEGOTIATION)
+#if !defined(NO_WOLFSSL_SERVER)
 if (ssl->options.side == WOLFSSL_SERVER_END) {
 ret = SendHelloRequest(ssl);
 if (ret != 0) {
@@ -4077,7 +4077,7 @@ static int _Rehandshake(WOLFSSL* ssl)
 return WOLFSSL_FATAL_ERROR;
 }
 }
-#endif /* !NO_WOLFSSL_SERVER && HAVE_SECURE_RENEGOTIATION */
+#endif /* !NO_WOLFSSL_SERVER */
 ret = InitHandshakeHashes(ssl);
 if (ret != 0) {
@@ -4151,6 +4151,8 @@ int wolfSSL_SecureResume(WOLFSSL* ssl)
 #endif /* NO_WOLFSSL_CLIENT */
+#endif /* HAVE_SECURE_RENEGOTIATION */
+
 long wolfSSL_SSL_get_secure_renegotiation_support(WOLFSSL* ssl)
 {
 WOLFSSL_ENTER("wolfSSL_SSL_get_secure_renegotiation_support");
diff --git a/tests/api.c b/tests/api.c
index 48ce4543e..e6abf63b6 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -6367,7 +6367,7 @@ static THREAD_RETURN WOLFSSL_THREAD test_server_nofail(void* args)
 if (ret < 0) { break; } else if (ret == 0) { continue; }
 }
 #endif
- ret = wolfSSL_accept(ssl);
+ ret = wolfSSL_negotiate(ssl);
 err = wolfSSL_get_error(ssl, 0);
 } while (err == WC_PENDING_E);
 if (ret != WOLFSSL_SUCCESS) {
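Review bot: The `+#ifdef HAVE_SECURE_RENEGOTIATION` opened in the first src/ssl.c hunk is only closed by the `+#endif /* HAVE_SECURE_RENEGOTIATION */` of the fourth hunk, roughly 150 lines later, and everything between them is outside these hunks; the `#endif /* NO_WOLFSSL_CLIENT */` context shows other conditional regions are nested inside, so it is worth confirming that nothing in that span is still needed by a build without secure renegotiation. The second and third hunks correctly drop the now-redundant `defined(HAVE_SECURE_RENEGOTIATION)` from the inner condition and update the `#endif` comment to match. In the first hunk the directive replaces a blank line rather than being added after it, so I would keep a blank line between the closing `}` and `#ifdef`, and extend the `_Rehandshake` header comment with the build constraint, e.g. `/* Only built with HAVE_SECURE_RENEGOTIATION; matching #endif after wolfSSL_SecureResume. */`. `_Rehandshake` itself continues outside the hunks.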
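Review bot: Replacing `wolfSSL_accept(ssl)` with `wolfSSL_negotiate(ssl)` in test_server_nofail changes the helper's behaviour for contexts whose side is not yet fixed: as far as I recall, wolfSSL_negotiate only dispatches to accept/connect based on the side already recorded in the SSL object and otherwise returns WOLFSSL_FATAL_ERROR, whereas wolfSSL_accept assigns the server side itself. Any test that drives this helper with a both-sides method would therefore fail at this line instead of accepting, so please confirm every caller sets a server method. The reason for the swap is not visible from the hunk; a one-line why-comment on the new line, e.g. `/* negotiate instead of accept: <reason> */`, would save the next reader the archaeology. The do/while loop containing this line begins outside the hunk.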
@@ -63162,8 +63162,8 @@ static int test_dtls_1_0_hvr_downgrade(void)
 XMEMSET(&func_cb_server, 0, sizeof(callback_functions));
 func_cb_client.doUdp = func_cb_server.doUdp = 1;
- func_cb_server.method = wolfDTLSv1_2_server_method;
 func_cb_client.method = wolfDTLS_client_method;
+ func_cb_server.method = wolfDTLSv1_2_server_method;
 func_cb_client.ctx_ready = test_dtls_1_0_hvr_downgrade_ctx_ready;
 test_wolfSSL_client_server_nofail(&func_cb_client, &func_cb_server);
@@ -63251,6 +63251,71 @@ static int test_session_ticket_no_id(void)
 }
 #endif
+#if defined(WOLFSSL_DTLS) && !defined(WOLFSSL_NO_TLS12) && \
+ defined(HAVE_IO_TESTS_DEPENDENCIES) && defined(HAVE_SECURE_RENEGOTIATION)
+static void test_dtls_downgrade_scr_server_ctx_ready_server(WOLFSSL_CTX* ctx)
+{
+ AssertIntEQ(wolfSSL_CTX_SetMinVersion(ctx, WOLFSSL_DTLSV1_2),
+ WOLFSSL_SUCCESS);
+ AssertIntEQ(wolfSSL_CTX_UseSecureRenegotiation(ctx), WOLFSSL_SUCCESS);
+}
+
+static void test_dtls_downgrade_scr_server_ctx_ready(WOLFSSL_CTX* ctx)
+{
+ AssertIntEQ(wolfSSL_CTX_UseSecureRenegotiation(ctx), WOLFSSL_SUCCESS);
+}
+
+static void test_dtls_downgrade_scr_server_on_result(WOLFSSL* ssl)
+{
+ char testMsg[] = "Message after SCR";
+ char msgBuf[sizeof(testMsg)];
+ if (wolfSSL_is_server(ssl)) {
+ AssertIntEQ(wolfSSL_Rehandshake(ssl), WOLFSSL_FATAL_ERROR);
+ AssertIntEQ(wolfSSL_get_error(ssl, -1), APP_DATA_READY);
+ AssertIntEQ(wolfSSL_read(ssl, msgBuf, sizeof(msgBuf)), sizeof(msgBuf));
+ AssertIntEQ(wolfSSL_Rehandshake(ssl), WOLFSSL_SUCCESS);
+ AssertIntEQ(wolfSSL_write(ssl, testMsg, sizeof(testMsg)),
+ sizeof(testMsg));
+ }
+ else {
+ AssertIntEQ(wolfSSL_write(ssl, testMsg, sizeof(testMsg)),
+ sizeof(testMsg));
+ AssertIntEQ(wolfSSL_read(ssl, msgBuf, sizeof(msgBuf)), sizeof(msgBuf));
+ }
+}
+
+static int test_dtls_downgrade_scr_server(void)
+{
+ EXPECT_DECLS;
+ callback_functions func_cb_client;
+ callback_functions func_cb_server;
+
+ XMEMSET(&func_cb_client, 0, sizeof(callback_functions));
+ XMEMSET(&func_cb_server, 0, sizeof(callback_functions));
+
+ func_cb_client.doUdp = func_cb_server.doUdp = 1;
+ func_cb_client.method = wolfDTLSv1_2_client_method;
+ func_cb_server.method = wolfDTLS_server_method;
+ func_cb_client.ctx_ready = test_dtls_downgrade_scr_server_ctx_ready;
+ func_cb_server.ctx_ready = test_dtls_downgrade_scr_server_ctx_ready_server;
+ func_cb_client.on_result = test_dtls_downgrade_scr_server_on_result;
+ func_cb_server.on_result = 
test_dtls_downgrade_scr_server_on_result;
+
+ test_wolfSSL_client_server_nofail(&func_cb_client, &func_cb_server);
+
+ ExpectIntEQ(func_cb_client.return_code, TEST_SUCCESS);
+ ExpectIntEQ(func_cb_server.return_code, TEST_SUCCESS);
+
+ return EXPECT_RESULT();
+}
+#else
+static int test_dtls_downgrade_scr_server(void)
+{
+ EXPECT_DECLS;
+ return EXPECT_RESULT();
+}
+#endif
+
 #if defined(WOLFSSL_DTLS) && !defined(WOLFSSL_NO_TLS12) && \
 defined(HAVE_IO_TESTS_DEPENDENCIES) && defined(HAVE_SECURE_RENEGOTIATION)
 static void test_dtls_downgrade_scr_ctx_ready(WOLFSSL_CTX* ctx)
@@ -63289,8 +63354,8 @@ static int test_dtls_downgrade_scr(void)
 XMEMSET(&func_cb_server, 0, sizeof(callback_functions));
 func_cb_client.doUdp = func_cb_server.doUdp = 1;
- func_cb_server.method = wolfDTLSv1_2_server_method;
 func_cb_client.method = wolfDTLS_client_method;
+ func_cb_server.method = wolfDTLSv1_2_server_method;
 func_cb_client.ctx_ready = test_dtls_downgrade_scr_ctx_ready;
 func_cb_client.on_result = test_dtls_downgrade_scr_on_result;
 func_cb_server.on_result = test_dtls_downgrade_scr_on_result;
@@ -64564,6 +64629,7 @@ TEST_CASE testCases[] = {
 TEST_DECL(test_TLSX_CA_NAMES_bad_extension),
 TEST_DECL(test_dtls_1_0_hvr_downgrade),
 TEST_DECL(test_session_ticket_no_id),
+ TEST_DECL(test_dtls_downgrade_scr_server),
 TEST_DECL(test_dtls_downgrade_scr),
 /* This test needs to stay at the end to clean up any caches allocated. */
 TEST_DECL(test_wolfSSL_Cleanup)
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
index b7c6f960a..26082f850 100644
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
@@ -3984,8 +3984,10 @@ WOLFSSL_API int wolfSSL_NoKeyShares(WOLFSSL* ssl);
 WOLFSSL_API int wolfSSL_UseSecureRenegotiation(WOLFSSL* ssl);
 WOLFSSL_API int wolfSSL_CTX_UseSecureRenegotiation(WOLFSSL_CTX* ctx);
+#ifdef HAVE_SECURE_RENEGOTIATION
 WOLFSSL_API int wolfSSL_Rehandshake(WOLFSSL* ssl);
 WOLFSSL_API int wolfSSL_SecureResume(WOLFSSL* ssl);
+#endif
 WOLFSSL_API long wolfSSL_SSL_get_secure_renegotiation_support(WOLFSSL* ssl);
 #endif
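Review bot: In test_dtls_downgrade_scr_server_on_result the received payload is never compared with what was sent; both branches only assert that `wolfSSL_read` returned `sizeof(msgBuf)`, so a renegotiation that corrupted or substituted the application data would still pass. I would add `AssertIntEQ(XMEMCMP(msgBuf, testMsg, sizeof(testMsg)), 0);` after each `wolfSSL_read`. The server branch also expects the first `wolfSSL_Rehandshake` to fail with `APP_DATA_READY`, which presupposes that the client's record is already pending at the server when on_result runs; whether the harness guarantees that ordering, or Rehandshake itself checks the transport, is not visible here, so a comment on that line stating the assumption would help the next reader. All four functions start and end inside the hunk.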
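Review bot: The new `+#endif` in wolfssl/ssl.h carries no trailing comment, unlike its counterpart `#endif /* HAVE_SECURE_RENEGOTIATION */` in src/ssl.c, and it now sits two lines above the pre-existing `#endif` that is the hunk's last context line; I would write it as `#endif /* HAVE_SECURE_RENEGOTIATION */` so the two closers are distinguishable. That pre-existing `#endif` shows the declarations were already inside some conditional whose condition is outside the hunk; if it admits a configuration other than HAVE_SECURE_RENEGOTIATION, wolfSSL_Rehandshake and wolfSSL_SecureResume are removed from the public API in that configuration, and any unguarded caller in examples or tests will stop compiling. That appears to be the intent given the matching src/ssl.c change, but it deserves an explicit mention in the commit description.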