From a03c15e59891523c13d0e2422773509b28b9a5e5 Mon Sep 17 00:00:00 2001 From: Sean Parkinson Date: Wed, 13 Jun 2018 11:42:16 +1000 Subject: [PATCH] Allow NO_WOLFSSL_CLIENT/SERVER to compile and pass tests --- examples/benchmark/tls_bench.c | 5 + examples/client/client.c | 3 + examples/echoclient/echoclient.c | 1 + examples/echoserver/echoserver.c | 1 + examples/server/server.c | 1 + scripts/psk.test | 8 + scripts/resume.test | 32 ++-- scripts/tls13.test | 8 + src/internal.c | 288 ++++++++++++++++--------------- src/tls.c | 14 +- src/tls13.c | 287 ++++++++++++++++-------------- tests/api.c | 176 +++++++++++++++++-- tests/unit.c | 2 + wolfssl/internal.h | 4 +- wolfssl/ssl.h | 3 +- 15 files changed, 527 insertions(+), 306 deletions(-) diff --git a/examples/benchmark/tls_bench.c b/examples/benchmark/tls_bench.c index 199ab3755..93b39d974 100644 --- a/examples/benchmark/tls_bench.c +++ b/examples/benchmark/tls_bench.c @@ -68,6 +68,7 @@ bench_tls(args); #define TEST_PACKET_SIZE 1024 #define SHOW_VERBOSE 0 /* Default output is tab delimited format */ +#if !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) static int argShowPeerInfo = 0; /* Show more info about wolfSSL configuration */ static const char* kTestStr = @@ -864,6 +865,7 @@ int bench_tls(void* args) /* Return reporting a success */ return (((func_args*)args)->return_code = 0); } +#endif /* !NO_WOLFSSL_CLIENT && !NO_WOLFSSL_SERVER */ #ifndef NO_MAIN_DRIVER @@ -873,8 +875,11 @@ int main(int argc, char** argv) args.argc = argc; args.argv = argv; + args.return_code = 0; +#if !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) bench_tls(&args); +#endif return(args.return_code); } diff --git a/examples/client/client.c b/examples/client/client.c index f90356c83..c16d14662 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -2633,6 +2633,7 @@ exit: args.argc = argc; args.argv = argv; + args.return_code = 0; #if defined(DEBUG_WOLFSSL) && !defined(WOLFSSL_MDK_SHELL) && !defined(STACK_TRAP) wolfSSL_Debugging_ON(); @@ -2646,6 +2647,8 @@ exit: #else client_test(&args); #endif +#else + printf("Client not compiled in!\n"); #endif wolfSSL_Cleanup(); diff --git a/examples/echoclient/echoclient.c b/examples/echoclient/echoclient.c index f38b14df6..ffe4bd5ca 100644 --- a/examples/echoclient/echoclient.c +++ b/examples/echoclient/echoclient.c @@ -334,6 +334,7 @@ void echoclient_test(void* args) args.argc = argc; args.argv = argv; + args.return_code = 0; CyaSSL_Init(); #if defined(DEBUG_CYASSL) && !defined(WOLFSSL_MDK_SHELL) diff --git a/examples/echoserver/echoserver.c b/examples/echoserver/echoserver.c index 3e6bfbd58..37048f82f 100644 --- a/examples/echoserver/echoserver.c +++ b/examples/echoserver/echoserver.c @@ -497,6 +497,7 @@ THREAD_RETURN CYASSL_THREAD echoserver_test(void* args) args.argc = argc; args.argv = argv; + args.return_code = 0; CyaSSL_Init(); #if defined(DEBUG_CYASSL) && !defined(CYASSL_MDK_SHELL) diff --git a/examples/server/server.c b/examples/server/server.c index f744a96c6..8103a7e01 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -1753,6 +1753,7 @@ exit: args.argc = argc; args.argv = argv; args.signal = &ready; + args.return_code = 0; InitTcpReady(&ready); #if defined(DEBUG_CYASSL) && !defined(WOLFSSL_MDK_SHELL) diff --git a/scripts/psk.test b/scripts/psk.test index 0d21443f2..b9c0f21c0 100755 --- a/scripts/psk.test +++ b/scripts/psk.test @@ -62,6 +62,14 @@ do_trap() { trap do_trap INT TERM [ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1 +./examples/client/client -? 2>&1 | grep -- 'Client not compiled in!' +if [ $? -eq 0 ]; then + exit 0 +fi +./examples/server/server -? 2>&1 | grep -- 'Server not compiled in!' +if [ $? -eq 0 ]; then + exit 0 +fi # Usual psk server / psk client. This use case is tested in # tests/unit.test and is used here for just checking if PSK is enabled diff --git a/scripts/resume.test b/scripts/resume.test index f948fb568..c4bd80f1e 100755 --- a/scripts/resume.test +++ b/scripts/resume.test @@ -111,18 +111,28 @@ do_test() { trap do_trap INT TERM -do_test +./examples/client/client -? 2>&1 | grep -- 'Client not compiled in!' +if [ $? -ne 0 ]; then + ./examples/server/server -? 2>&1 | grep -- 'Server not compiled in!' + if [ $? -ne 0 ]; then + RUN_TEST="Y" + fi +fi -# Check the client for the extended master secret disable option. If -# present we need to run the test twice. -options_check=`./examples/client/client -?` -case "$options_check" in -*$ems_string*) - echo -e "\nRepeating resume test without extended master secret..." - do_test -n ;; -*) - ;; -esac +if [ "$RUN_TEST" = "Y" ]; then + do_test + + # Check the client for the extended master secret disable option. If + # present we need to run the test twice. + options_check=`./examples/client/client -?` + case "$options_check" in + *$ems_string*) + echo -e "\nRepeating resume test without extended master secret..." + do_test -n ;; + *) + ;; + esac +fi echo -e "\nSuccess!\n" diff --git a/scripts/tls13.test b/scripts/tls13.test index 4fc0dd56c..ba999f41f 100755 --- a/scripts/tls13.test +++ b/scripts/tls13.test @@ -70,6 +70,14 @@ do_trap() { trap do_trap INT TERM [ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1 +./examples/client/client -? 2>&1 | grep -- 'Client not compiled in!' +if [ $? -eq 0 ]; then + exit 0 +fi +./examples/server/server -? 2>&1 | grep -- 'Server not compiled in!' +if [ $? -eq 0 ]; then + exit 0 +fi # Usual TLS v1.3 server / TLS v1.3 client. echo -e "\n\nTLS v1.3 server with TLS v1.3 client" diff --git a/src/internal.c b/src/internal.c index bb116852a..0206db164 100644 --- a/src/internal.c +++ b/src/internal.c @@ -16274,6 +16274,152 @@ void PickHashSigAlgo(WOLFSSL* ssl, const byte* hashSigAlgo, #endif /* WOLFSSL_CALLBACKS */ +#if !defined(NO_CERTS) && (defined(WOLFSSL_TLS13) || \ + !defined(NO_WOLFSSL_CLIENT)) + +/* Decode the private key - RSA, ECC, or Ed25519 - and creates a key object. + * The signature type is set as well. + * The maximum length of a signature is returned. + * + * ssl The SSL/TLS object. + * length The length of a signature. + * returns 0 on success, otherwise failure. + */ +int DecodePrivateKey(WOLFSSL *ssl, word16* length) +{ + int ret = BAD_FUNC_ARG; + int keySz; + word32 idx; + + /* make sure private key exists */ + if (ssl->buffers.key == NULL || ssl->buffers.key->buffer == NULL) { + WOLFSSL_MSG("Private key missing!"); + ERROR_OUT(NO_PRIVATE_KEY, exit_dpk); + } + +#ifndef NO_RSA + ssl->hsType = DYNAMIC_TYPE_RSA; + ret = AllocKey(ssl, ssl->hsType, &ssl->hsKey); + if (ret != 0) { + goto exit_dpk; + } + + WOLFSSL_MSG("Trying RSA private key"); + + /* Set start of data to beginning of buffer. */ + idx = 0; + /* Decode the key assuming it is an RSA private key. */ + ret = wc_RsaPrivateKeyDecode(ssl->buffers.key->buffer, &idx, + (RsaKey*)ssl->hsKey, ssl->buffers.key->length); + if (ret == 0) { + WOLFSSL_MSG("Using RSA private key"); + + /* It worked so check it meets minimum key size requirements. */ + keySz = wc_RsaEncryptSize((RsaKey*)ssl->hsKey); + if (keySz < 0) { /* check if keySz has error case */ + ERROR_OUT(keySz, exit_dpk); + } + + if (keySz < ssl->options.minRsaKeySz) { + WOLFSSL_MSG("RSA key size too small"); + ERROR_OUT(RSA_KEY_SIZE_E, exit_dpk); + } + + /* Return the maximum signature length. */ + *length = (word16)keySz; + + goto exit_dpk; + } +#endif /* !NO_RSA */ + +#ifdef HAVE_ECC +#ifndef NO_RSA + FreeKey(ssl, ssl->hsType, (void**)&ssl->hsKey); +#endif /* !NO_RSA */ + + ssl->hsType = DYNAMIC_TYPE_ECC; + ret = AllocKey(ssl, ssl->hsType, &ssl->hsKey); + if (ret != 0) { + goto exit_dpk; + } + +#ifndef NO_RSA + WOLFSSL_MSG("Trying ECC private key, RSA didn't work"); +#else + WOLFSSL_MSG("Trying ECC private key"); +#endif + + /* Set start of data to beginning of buffer. */ + idx = 0; + /* Decode the key assuming it is an ECC private key. */ + ret = wc_EccPrivateKeyDecode(ssl->buffers.key->buffer, &idx, + (ecc_key*)ssl->hsKey, + ssl->buffers.key->length); + if (ret == 0) { + WOLFSSL_MSG("Using ECC private key"); + + /* Check it meets the minimum ECC key size requirements. */ + keySz = wc_ecc_size((ecc_key*)ssl->hsKey); + if (keySz < ssl->options.minEccKeySz) { + WOLFSSL_MSG("ECC key size too small"); + ERROR_OUT(ECC_KEY_SIZE_E, exit_dpk); + } + + /* Return the maximum signature length. */ + *length = (word16)wc_ecc_sig_size((ecc_key*)ssl->hsKey); + + goto exit_dpk; + } +#endif +#ifdef HAVE_ED25519 + #if !defined(NO_RSA) || defined(HAVE_ECC) + FreeKey(ssl, ssl->hsType, (void**)&ssl->hsKey); + #endif + + ssl->hsType = DYNAMIC_TYPE_ED25519; + ret = AllocKey(ssl, ssl->hsType, &ssl->hsKey); + if (ret != 0) { + goto exit_dpk; + } + + #ifdef HAVE_ECC + WOLFSSL_MSG("Trying ED25519 private key, ECC didn't work"); + #elif !defined(NO_RSA) + WOLFSSL_MSG("Trying ED25519 private key, RSA didn't work"); + #else + WOLFSSL_MSG("Trying ED25519 private key"); + #endif + + /* Set start of data to beginning of buffer. */ + idx = 0; + /* Decode the key assuming it is an ED25519 private key. */ + ret = wc_Ed25519PrivateKeyDecode(ssl->buffers.key->buffer, &idx, + (ed25519_key*)ssl->hsKey, + ssl->buffers.key->length); + if (ret == 0) { + WOLFSSL_MSG("Using ED25519 private key"); + + /* Check it meets the minimum ECC key size requirements. */ + if (ED25519_KEY_SIZE < ssl->options.minEccKeySz) { + WOLFSSL_MSG("ED25519 key size too small"); + ERROR_OUT(ECC_KEY_SIZE_E, exit_dpk); + } + + /* Return the maximum signature length. */ + *length = ED25519_SIG_SIZE; + + goto exit_dpk; + } +#endif /* HAVE_ED25519 */ + + (void)idx; + (void)keySz; + (void)length; +exit_dpk: + return ret; +} + +#endif /* WOLFSSL_TLS13 || !NO_WOLFSSL_CLIENT */ /* client only parts */ #ifndef NO_WOLFSSL_CLIENT @@ -19641,148 +19787,6 @@ exit_scke: } #endif /* HAVE_PK_CALLBACKS */ -/* Decode the private key - RSA, ECC, or Ed25519 - and creates a key object. - * The signature type is set as well. - * The maximum length of a signature is returned. - * - * ssl The SSL/TLS object. - * length The length of a signature. - * returns 0 on success, otherwise failure. - */ -int DecodePrivateKey(WOLFSSL *ssl, word16* length) -{ - int ret = BAD_FUNC_ARG; - int keySz; - word32 idx; - - /* make sure private key exists */ - if (ssl->buffers.key == NULL || ssl->buffers.key->buffer == NULL) { - WOLFSSL_MSG("Private key missing!"); - ERROR_OUT(NO_PRIVATE_KEY, exit_dpk); - } - -#ifndef NO_RSA - ssl->hsType = DYNAMIC_TYPE_RSA; - ret = AllocKey(ssl, ssl->hsType, &ssl->hsKey); - if (ret != 0) { - goto exit_dpk; - } - - WOLFSSL_MSG("Trying RSA private key"); - - /* Set start of data to beginning of buffer. */ - idx = 0; - /* Decode the key assuming it is an RSA private key. */ - ret = wc_RsaPrivateKeyDecode(ssl->buffers.key->buffer, &idx, - (RsaKey*)ssl->hsKey, ssl->buffers.key->length); - if (ret == 0) { - WOLFSSL_MSG("Using RSA private key"); - - /* It worked so check it meets minimum key size requirements. */ - keySz = wc_RsaEncryptSize((RsaKey*)ssl->hsKey); - if (keySz < 0) { /* check if keySz has error case */ - ERROR_OUT(keySz, exit_dpk); - } - - if (keySz < ssl->options.minRsaKeySz) { - WOLFSSL_MSG("RSA key size too small"); - ERROR_OUT(RSA_KEY_SIZE_E, exit_dpk); - } - - /* Return the maximum signature length. */ - *length = (word16)keySz; - - goto exit_dpk; - } -#endif /* !NO_RSA */ - -#ifdef HAVE_ECC -#ifndef NO_RSA - FreeKey(ssl, ssl->hsType, (void**)&ssl->hsKey); -#endif /* !NO_RSA */ - - ssl->hsType = DYNAMIC_TYPE_ECC; - ret = AllocKey(ssl, ssl->hsType, &ssl->hsKey); - if (ret != 0) { - goto exit_dpk; - } - -#ifndef NO_RSA - WOLFSSL_MSG("Trying ECC private key, RSA didn't work"); -#else - WOLFSSL_MSG("Trying ECC private key"); -#endif - - /* Set start of data to beginning of buffer. */ - idx = 0; - /* Decode the key assuming it is an ECC private key. */ - ret = wc_EccPrivateKeyDecode(ssl->buffers.key->buffer, &idx, - (ecc_key*)ssl->hsKey, - ssl->buffers.key->length); - if (ret == 0) { - WOLFSSL_MSG("Using ECC private key"); - - /* Check it meets the minimum ECC key size requirements. */ - keySz = wc_ecc_size((ecc_key*)ssl->hsKey); - if (keySz < ssl->options.minEccKeySz) { - WOLFSSL_MSG("ECC key size too small"); - ERROR_OUT(ECC_KEY_SIZE_E, exit_dpk); - } - - /* Return the maximum signature length. */ - *length = (word16)wc_ecc_sig_size((ecc_key*)ssl->hsKey); - - goto exit_dpk; - } -#endif -#ifdef HAVE_ED25519 - #if !defined(NO_RSA) || defined(HAVE_ECC) - FreeKey(ssl, ssl->hsType, (void**)&ssl->hsKey); - #endif - - ssl->hsType = DYNAMIC_TYPE_ED25519; - ret = AllocKey(ssl, ssl->hsType, &ssl->hsKey); - if (ret != 0) { - goto exit_dpk; - } - - #ifdef HAVE_ECC - WOLFSSL_MSG("Trying ED25519 private key, ECC didn't work"); - #elif !defined(NO_RSA) - WOLFSSL_MSG("Trying ED25519 private key, RSA didn't work"); - #else - WOLFSSL_MSG("Trying ED25519 private key"); - #endif - - /* Set start of data to beginning of buffer. */ - idx = 0; - /* Decode the key assuming it is an ED25519 private key. */ - ret = wc_Ed25519PrivateKeyDecode(ssl->buffers.key->buffer, &idx, - (ed25519_key*)ssl->hsKey, - ssl->buffers.key->length); - if (ret == 0) { - WOLFSSL_MSG("Using ED25519 private key"); - - /* Check it meets the minimum ECC key size requirements. */ - if (ED25519_KEY_SIZE < ssl->options.minEccKeySz) { - WOLFSSL_MSG("ED25519 key size too small"); - ERROR_OUT(ECC_KEY_SIZE_E, exit_dpk); - } - - /* Return the maximum signature length. */ - *length = ED25519_SIG_SIZE; - - goto exit_dpk; - } -#endif /* HAVE_ED25519 */ - - (void)idx; - (void)keySz; - (void)length; -exit_dpk: - return ret; -} - #ifndef WOLFSSL_NO_TLS12 #ifndef WOLFSSL_NO_CLIENT_AUTH diff --git a/src/tls.c b/src/tls.c index d6e947c19..22ff7f795 100644 --- a/src/tls.c +++ b/src/tls.c @@ -3484,7 +3484,7 @@ static int TLSX_PointFormat_Append(PointFormat* list, byte format, void* heap) return ret; } -#ifndef NO_WOLFSSL_CLIENT +#if defined(WOLFSSL_TLS13) || !defined(NO_WOLFSSL_CLIENT) static void TLSX_SupportedCurve_ValidateRequest(WOLFSSL* ssl, byte* semaphore) { @@ -3515,6 +3515,7 @@ static void TLSX_PointFormat_ValidateRequest(WOLFSSL* ssl, byte* semaphore) } #endif + #ifndef NO_WOLFSSL_SERVER static void TLSX_PointFormat_ValidateResponse(WOLFSSL* ssl, byte* semaphore) @@ -3706,6 +3707,9 @@ int TLSX_SupportedCurve_CheckPriority(WOLFSSL* ssl) return 0; } +#endif + +#if defined(WOLFSSL_TLS13) && !defined(WOLFSSL_NO_SERVER_GROUPS_EXT) /* Return the preferred group. * * ssl SSL/TLS object. @@ -4351,7 +4355,7 @@ int TLSX_AddEmptyRenegotiationInfo(TLSX** extensions, void* heap) #ifdef HAVE_SESSION_TICKET -#ifndef NO_WOLFSSL_CLIENT +#if defined(WOLFSSL_TLS13) || !defined(NO_WOLFSSL_CLIENT) static void TLSX_SessionTicket_ValidateRequest(WOLFSSL* ssl) { TLSX* extension = TLSX_Find(ssl->extensions, TLSX_SESSION_TICKET); @@ -4366,7 +4370,7 @@ static void TLSX_SessionTicket_ValidateRequest(WOLFSSL* ssl) } } } -#endif /* NO_WOLFSSL_CLIENT */ +#endif /* WLFSSL_TLS13 || !NO_WOLFSSL_CLIENT */ static word16 TLSX_SessionTicket_GetSize(SessionTicket* ticket, int isRequest) @@ -9115,7 +9119,7 @@ int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer) } -#ifndef NO_WOLFSSL_CLIENT +#if defined(WOLFSSL_TLS13) || !defined(NO_WOLFSSL_CLIENT) /** Tells the buffered size of extensions to be sent into the client hello. */ int TLSX_GetRequestSize(WOLFSSL* ssl, byte msgType, word16* pLength) @@ -9320,7 +9324,7 @@ int TLSX_WriteRequest(WOLFSSL* ssl, byte* output, byte msgType, word16* pOffset) return ret; } -#endif /* NO_WOLFSSL_CLIENT */ +#endif /* WOLFSSL_TLS13 || !NO_WOLFSSL_CLIENT */ #ifndef NO_WOLFSSL_SERVER diff --git a/src/tls13.c b/src/tls13.c index 34b862bcf..cb30d0536 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -2190,6 +2190,127 @@ static int FindSuite(WOLFSSL* ssl, byte* suite) } #endif +#ifndef WOLFSSL_TLS13_DRAFT_18 +#if defined(WOLFSSL_SEND_HRR_COOKIE) && !defined(NO_WOLFSSL_SERVER) +/* Create Cookie extension using the hash of the first ClientHello. + * + * ssl SSL/TLS object. + * hash The hash data. + * hashSz The size of the hash data in bytes. + * returns 0 on success, otherwise failure. + */ +static int CreateCookie(WOLFSSL* ssl, byte* hash, byte hashSz) +{ + int ret; + byte mac[WC_MAX_DIGEST_SIZE]; + Hmac cookieHmac; + byte cookieType; + byte macSz; + +#if !defined(NO_SHA) && defined(NO_SHA256) + cookieType = SHA; + macSz = WC_SHA_DIGEST_SIZE; +#endif /* NO_SHA */ +#ifndef NO_SHA256 + cookieType = WC_SHA256; + macSz = WC_SHA256_DIGEST_SIZE; +#endif /* NO_SHA256 */ + + ret = wc_HmacSetKey(&cookieHmac, cookieType, + ssl->buffers.tls13CookieSecret.buffer, + ssl->buffers.tls13CookieSecret.length); + if (ret != 0) + return ret; + if ((ret = wc_HmacUpdate(&cookieHmac, hash, hashSz)) != 0) + return ret; + if ((ret = wc_HmacFinal(&cookieHmac, mac)) != 0) + return ret; + + /* The cookie data is the hash and the integrity check. */ + return TLSX_Cookie_Use(ssl, hash, hashSz, mac, macSz, 1); +} +#endif + +/* Restart the Hanshake hash with a hash of the previous messages. + * + * ssl The SSL/TLS object. + * returns 0 on success, otherwise failure. + */ +static int RestartHandshakeHash(WOLFSSL* ssl) +{ + int ret; + Hashes hashes; + byte header[HANDSHAKE_HEADER_SZ]; + byte* hash = NULL; + byte hashSz = 0; + + ret = BuildCertHashes(ssl, &hashes); + if (ret != 0) + return ret; + switch (ssl->specs.mac_algorithm) { + #ifndef NO_SHA256 + case sha256_mac: + hash = hashes.sha256; + break; + #endif + #ifdef WOLFSSL_SHA384 + case sha384_mac: + hash = hashes.sha384; + break; + #endif + #ifdef WOLFSSL_TLS13_SHA512 + case sha512_mac: + hash = hashes.sha512; + break; + #endif + } + hashSz = ssl->specs.hash_size; + AddTls13HandShakeHeader(header, hashSz, 0, 0, message_hash, ssl); + + WOLFSSL_MSG("Restart Hash"); + WOLFSSL_BUFFER(hash, hashSz); + +#if defined(WOLFSSL_SEND_HRR_COOKIE) && !defined(NO_WOLFSSL_SERVER) + if (ssl->options.sendCookie) { + byte cookie[OPAQUE8_LEN + WC_MAX_DIGEST_SIZE + OPAQUE16_LEN * 2]; + TLSX* ext; + word32 idx = 0; + + /* Cookie Data = Hash Len | Hash | CS | KeyShare Group */ + cookie[idx++] = hashSz; + XMEMCPY(cookie + idx, hash, hashSz); + idx += hashSz; + cookie[idx++] = ssl->options.cipherSuite0; + cookie[idx++] = ssl->options.cipherSuite; + if ((ext = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE)) != NULL) { + KeyShareEntry* kse = (KeyShareEntry*)ext->data; + c16toa(kse->group, cookie + idx); + idx += OPAQUE16_LEN; + } + return CreateCookie(ssl, cookie, idx); + } +#endif + + ret = InitHandshakeHashes(ssl); + if (ret != 0) + return ret; + ret = HashOutputRaw(ssl, header, sizeof(header)); + if (ret != 0) + return ret; + return HashOutputRaw(ssl, hash, hashSz); +} + +/* The value in the random field of a ServerHello to indicate + * HelloRetryRequest. + */ +static byte helloRetryRequestRandom[] = { + 0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11, + 0xBE, 0x1D, 0x8C, 0x02, 0x1E, 0x65, 0xB8, 0x91, + 0xC2, 0xA2, 0x11, 0x16, 0x7A, 0xBB, 0x8C, 0x5E, + 0x07, 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33, 0x9C +}; +#endif /* WOLFSSL_TLS13_DRAFT_18 */ + #ifndef NO_WOLFSSL_CLIENT #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) /* Setup pre-shared key based on the details in the extension data. @@ -2540,117 +2661,6 @@ int SendTls13ClientHello(WOLFSSL* ssl) return ret; } -#ifndef WOLFSSL_TLS13_DRAFT_18 -#ifdef WOLFSSL_SEND_HRR_COOKIE -/* Create Cookie extension using the hash of the first ClientHello. - * - * ssl SSL/TLS object. - * hash The hash data. - * hashSz The size of the hash data in bytes. - * returns 0 on success, otherwise failure. - */ -static int CreateCookie(WOLFSSL* ssl, byte* hash, byte hashSz) -{ - int ret; - byte mac[WC_MAX_DIGEST_SIZE]; - Hmac cookieHmac; - byte cookieType; - byte macSz; - -#if !defined(NO_SHA) && defined(NO_SHA256) - cookieType = SHA; - macSz = WC_SHA_DIGEST_SIZE; -#endif /* NO_SHA */ -#ifndef NO_SHA256 - cookieType = WC_SHA256; - macSz = WC_SHA256_DIGEST_SIZE; -#endif /* NO_SHA256 */ - - ret = wc_HmacSetKey(&cookieHmac, cookieType, - ssl->buffers.tls13CookieSecret.buffer, - ssl->buffers.tls13CookieSecret.length); - if (ret != 0) - return ret; - if ((ret = wc_HmacUpdate(&cookieHmac, hash, hashSz)) != 0) - return ret; - if ((ret = wc_HmacFinal(&cookieHmac, mac)) != 0) - return ret; - - /* The cookie data is the hash and the integrity check. */ - return TLSX_Cookie_Use(ssl, hash, hashSz, mac, macSz, 1); -} -#endif - -/* Restart the Hanshake hash with a hash of the previous messages. - * - * ssl The SSL/TLS object. - * returns 0 on success, otherwise failure. - */ -static int RestartHandshakeHash(WOLFSSL* ssl) -{ - int ret; - Hashes hashes; - byte header[HANDSHAKE_HEADER_SZ]; - byte* hash = NULL; - byte hashSz = 0; - - ret = BuildCertHashes(ssl, &hashes); - if (ret != 0) - return ret; - switch (ssl->specs.mac_algorithm) { - #ifndef NO_SHA256 - case sha256_mac: - hash = hashes.sha256; - break; - #endif - #ifdef WOLFSSL_SHA384 - case sha384_mac: - hash = hashes.sha384; - break; - #endif - #ifdef WOLFSSL_TLS13_SHA512 - case sha512_mac: - hash = hashes.sha512; - break; - #endif - } - hashSz = ssl->specs.hash_size; - AddTls13HandShakeHeader(header, hashSz, 0, 0, message_hash, ssl); - - WOLFSSL_MSG("Restart Hash"); - WOLFSSL_BUFFER(hash, hashSz); - -#ifdef WOLFSSL_SEND_HRR_COOKIE - if (ssl->options.sendCookie) { - byte cookie[OPAQUE8_LEN + WC_MAX_DIGEST_SIZE + OPAQUE16_LEN * 2]; - TLSX* ext; - word32 idx = 0; - - /* Cookie Data = Hash Len | Hash | CS | KeyShare Group */ - cookie[idx++] = hashSz; - XMEMCPY(cookie + idx, hash, hashSz); - idx += hashSz; - cookie[idx++] = ssl->options.cipherSuite0; - cookie[idx++] = ssl->options.cipherSuite; - if ((ext = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE)) != NULL) { - KeyShareEntry* kse = (KeyShareEntry*)ext->data; - c16toa(kse->group, cookie + idx); - idx += OPAQUE16_LEN; - } - return CreateCookie(ssl, cookie, idx); - } -#endif - - ret = InitHandshakeHashes(ssl); - if (ret != 0) - return ret; - ret = HashOutputRaw(ssl, header, sizeof(header)); - if (ret != 0) - return ret; - return HashOutputRaw(ssl, hash, hashSz); -} -#endif - #ifdef WOLFSSL_TLS13_DRAFT_18 /* handle rocessing of TLS 1.3 hello_retry_request (6) */ /* Parse and handle a HelloRetryRequest message. @@ -2720,18 +2730,6 @@ static int DoTls13HelloRetryRequest(WOLFSSL* ssl, const byte* input, #endif -#ifndef WOLFSSL_TLS13_DRAFT_18 -/* The value in the random field of a ServerHello to indicate - * HelloRetryRequest. - */ -static byte helloRetryRequestRandom[] = { - 0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11, - 0xBE, 0x1D, 0x8C, 0x02, 0x1E, 0x65, 0xB8, 0x91, - 0xC2, 0xA2, 0x11, 0x16, 0x7A, 0xBB, 0x8C, 0x5E, - 0x07, 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33, 0x9C -}; -#endif - /* handle processing of TLS 1.3 server_hello (2) and hello_retry_request (6) */ /* Handle the ServerHello message from the server. * Only a client will receive this message. @@ -7306,6 +7304,7 @@ int DoTls13HandShakeMsg(WOLFSSL* ssl, byte* input, word32* inOutIdx, return ret; } +#ifndef NO_WOLFSSL_CLIENT /* The client connecting to the server. * The protocol version is expecting to be TLS v1.3. @@ -7532,8 +7531,9 @@ int wolfSSL_connect_TLSv13(WOLFSSL* ssl) return WOLFSSL_FATAL_ERROR; /* unknown connect state */ } } +#endif -#if defined(WOLFSSL_SEND_HRR_COOKIE) && !defined(NO_WOLFSSL_SERVER) +#if defined(WOLFSSL_SEND_HRR_COOKIE) /* Send a cookie with the HelloRetryRequest to avoid storing state. * * ssl SSL/TLS object. @@ -7551,6 +7551,7 @@ int wolfSSL_send_hrr_cookie(WOLFSSL* ssl, const unsigned char* secret, if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version)) return BAD_FUNC_ARG; + #ifndef NO_WOLFSSL_SERVER if (ssl->options.side == WOLFSSL_CLIENT_END) return SIDE_ERROR; @@ -7597,7 +7598,15 @@ int wolfSSL_send_hrr_cookie(WOLFSSL* ssl, const unsigned char* secret, ssl->options.sendCookie = 1; - return WOLFSSL_SUCCESS; + ret = WOLFSSL_SUCCESS; +#else + (void)secret; + (void)secretSz; + + ret = SIDE_ERROR; +#endif + + return ret; } #endif @@ -7783,10 +7792,13 @@ int wolfSSL_allow_post_handshake_auth(WOLFSSL* ssl) int wolfSSL_request_certificate(WOLFSSL* ssl) { int ret; +#ifndef NO_WOLFSSL_SERVER CertReqCtx* certReqCtx; +#endif if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version)) return BAD_FUNC_ARG; +#ifndef NO_WOLFSSL_SERVER if (ssl->options.side == WOLFSSL_CLIENT_END) return SIDE_ERROR; if (ssl->options.handShakeState != HANDSHAKE_DONE) @@ -7814,12 +7826,15 @@ int wolfSSL_request_certificate(WOLFSSL* ssl) ret = WOLFSSL_ERROR_WANT_WRITE; else if (ret == 0) ret = WOLFSSL_SUCCESS; +#else + ret = SIDE_ERROR; +#endif return ret; } #endif /* !NO_CERTS && WOLFSSL_POST_HANDSHAKE_AUTH */ -#if !defined(NO_WOLFSSL_CLIENT) && !defined(WOLFSSL_NO_SERVER_GROUPS_EXT) +#if !defined(WOLFSSL_NO_SERVER_GROUPS_EXT) /* Get the preferred key exchange group. * * ssl The SSL/TLS object. @@ -7829,19 +7844,19 @@ int wolfSSL_request_certificate(WOLFSSL* ssl) */ int wolfSSL_preferred_group(WOLFSSL* ssl) { - int ret; - if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version)) return BAD_FUNC_ARG; +#ifndef NO_WOLFSSL_CLIENT if (ssl->options.side == WOLFSSL_SERVER_END) return SIDE_ERROR; if (ssl->options.handShakeState != HANDSHAKE_DONE) return NOT_READY_ERROR; /* Return supported groups only. */ - ret = TLSX_SupportedCurve_Preferred(ssl, 1); - - return ret; + return TLSX_SupportedCurve_Preferred(ssl, 1); +#else + return SIDE_ERROR; +#endif } #endif @@ -8258,6 +8273,7 @@ int wolfSSL_write_early_data(WOLFSSL* ssl, const void* data, int sz, int* outSz) if (!IsAtLeastTLSv1_3(ssl->version)) return BAD_FUNC_ARG; +#ifndef NO_WOLFSSL_CLIENT if (ssl->options.side == WOLFSSL_SERVER_END) return SIDE_ERROR; @@ -8272,6 +8288,9 @@ int wolfSSL_write_early_data(WOLFSSL* ssl, const void* data, int sz, int* outSz) if (ret > 0) *outSz = ret; } +#else + return SIDE_ERROR; +#endif WOLFSSL_LEAVE("SSL_write_early_data()", ret); @@ -8292,7 +8311,7 @@ int wolfSSL_write_early_data(WOLFSSL* ssl, const void* data, int sz, int* outSz) */ int wolfSSL_read_early_data(WOLFSSL* ssl, void* data, int sz, int* outSz) { - int ret; + int ret = 0; WOLFSSL_ENTER("wolfSSL_read_early_data()"); @@ -8302,6 +8321,7 @@ int wolfSSL_read_early_data(WOLFSSL* ssl, void* data, int sz, int* outSz) if (!IsAtLeastTLSv1_3(ssl->version)) return BAD_FUNC_ARG; +#ifndef NO_WOLFSSL_SERVER if (ssl->options.side == WOLFSSL_CLIENT_END) return SIDE_ERROR; @@ -8320,6 +8340,9 @@ int wolfSSL_read_early_data(WOLFSSL* ssl, void* data, int sz, int* outSz) } else ret = 0; +#else + return SIDE_ERROR; +#endif WOLFSSL_LEAVE("wolfSSL_read_early_data()", ret); diff --git a/tests/api.c b/tests/api.c index faf006ff9..dbb8ef2b1 100644 --- a/tests/api.c +++ b/tests/api.c @@ -465,8 +465,12 @@ static void test_wolfSSL_Method_Allocators(void) TEST_VALID_METHOD_ALLOCATOR(wolfTLSv1_server_method); TEST_VALID_METHOD_ALLOCATOR(wolfTLSv1_client_method); #endif - TEST_VALID_METHOD_ALLOCATOR(wolfTLSv1_1_server_method); - TEST_VALID_METHOD_ALLOCATOR(wolfTLSv1_1_client_method); + #ifndef NO_WOLFSSL_SERVER + TEST_VALID_METHOD_ALLOCATOR(wolfTLSv1_1_server_method); + #endif + #ifndef NO_WOLFSSL_CLIENT + TEST_VALID_METHOD_ALLOCATOR(wolfTLSv1_1_client_method); + #endif #endif #ifndef WOLFSSL_NO_TLS12 #ifndef NO_WOLFSSL_SERVER @@ -1181,7 +1185,7 @@ static int test_export(WOLFSSL* inSsl, byte* buf, word32 sz, void* userCtx) } #endif -#ifndef NO_WOLFSSL_SERVER +#if !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) static THREAD_RETURN WOLFSSL_THREAD test_server_nofail(void* args) { SOCKET_T sockfd = 0; @@ -1339,7 +1343,6 @@ done: return 0; #endif } -#endif /* !NO_WOLFSSL_SERVER */ typedef int (*cbType)(WOLFSSL_CTX *ctx, WOLFSSL *ssl); @@ -1488,6 +1491,7 @@ done2: return; } +#endif /* !NO_WOLFSSL_CLIENT && !NO_WOLFSSL_SERVER */ /* SNI / ALPN / session export helper functions */ #if defined(HAVE_SNI) || defined(HAVE_ALPN) || defined(WOLFSSL_SESSION_EXPORT) @@ -1742,7 +1746,7 @@ static void run_wolfssl_client(void* args) defined(WOLFSSL_SESSION_EXPORT) */ #endif /* io tests dependencies */ - +#if !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) static void test_wolfSSL_read_write(void) { #ifdef HAVE_IO_TESTS_DEPENDENCIES @@ -1803,6 +1807,7 @@ static void test_wolfSSL_read_write(void) #endif } +#endif /* !NO_WOLFSSL_CLIENT && !NO_WOLFSSL_SERVER */ #if defined(HAVE_IO_TESTS_DEPENDENCIES) && defined(WOLFSSL_DTLS) && \ @@ -2972,10 +2977,18 @@ static void test_wolfSSL_PKCS8(void) /* Note that wolfSSL_Init() or wolfCrypt_Init() has been called before these * function calls */ -#ifndef WOLFSSL_NO_TLS12 - AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method())); +#ifndef NO_WOLFSSL_CLIENT + #ifndef WOLFSSL_NO_TLS12 + AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method())); + #else + AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method())); + #endif #else - AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method())); + #ifndef WOLFSSL_NO_TLS12 + AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_2_server_method())); + #else + AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_server_method())); + #endif #endif wolfSSL_CTX_set_default_passwd_cb(ctx, &PKCS8TestCallBack); wolfSSL_CTX_set_default_passwd_cb_userdata(ctx, (void*)&flag); @@ -3115,11 +3128,19 @@ static int test_wolfSSL_UseOCSPStapling(void) WOLFSSL* ssl; wolfSSL_Init(); +#ifndef NO_WOLFSSL_CLIENT #ifndef WOLFSSL_NO_TLS12 ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method()); #else ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method()); #endif +#else + #ifndef WOLFSSL_NO_TLS12 + ctx = wolfSSL_CTX_new(wolfTLSv1_2_server_method()); + #else + ctx = wolfSSL_CTX_new(wolfTLSv1_3_server_method()); + #endif +#endif ssl = wolfSSL_new(ctx); printf(testingFmt, "wolfSSL_UseOCSPStapling()"); @@ -3159,11 +3180,19 @@ static int test_wolfSSL_UseOCSPStaplingV2 (void) WOLFSSL* ssl; wolfSSL_Init(); +#ifndef NO_WOLFSSL_CLIENT #ifndef WOLFSSL_NO_TLS12 ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method()); #else ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method()); #endif +#else + #ifndef WOLFSSL_NO_TLS12 + ctx = wolfSSL_CTX_new(wolfTLSv1_2_server_method()); + #else + ctx = wolfSSL_CTX_new(wolfTLSv1_3_server_method()); + #endif +#endif ssl = wolfSSL_new(ctx); printf(testingFmt, "wolfSSL_UseOCSPStaplingV2()"); @@ -16161,6 +16190,7 @@ static void test_wolfSSL_CTX_add_extra_chain_cert(void) } +#if !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) static void test_wolfSSL_ERR_peek_last_error_line(void) { #if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ @@ -16264,6 +16294,7 @@ static void test_wolfSSL_ERR_peek_last_error_line(void) #endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ !defined(NO_FILESYSTEM) && !defined(DEBUG_WOLFSSL) */ } +#endif #if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ !defined(NO_FILESYSTEM) && !defined(NO_RSA) @@ -16742,7 +16773,8 @@ static void test_wolfSSL_msgCb(void) { #if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ !defined(NO_FILESYSTEM) && defined(DEBUG_WOLFSSL) && \ - defined(HAVE_IO_TESTS_DEPENDENCIES) + defined(HAVE_IO_TESTS_DEPENDENCIES) && !defined(NO_WOLFSSL_CLIENT) && \ + !defined(NO_WOLFSSL_SERVER) tcp_ready ready; func_args client_args; @@ -18999,7 +19031,7 @@ static void test_wc_ecc_get_curve_id_from_params(void) #endif /* NO_CERTS */ #ifdef WOLFSSL_TLS13 -#ifdef WOLFSSL_SEND_HRR_COOKIE +#if defined(WOLFSSL_SEND_HRR_COOKIE) && !defined(NO_WOLFSSL_SERVER) static byte fixedKey[WC_SHA384_DIGEST_SIZE] = { 0, }; #endif #ifdef WOLFSSL_EARLY_DATA @@ -19011,19 +19043,27 @@ static int test_tls13_apis(void) { int ret = 0; #ifndef WOLFSSL_NO_TLS12 +#ifndef NO_WOLFSSL_CLIENT WOLFSSL_CTX* clientTls12Ctx; WOLFSSL* clientTls12Ssl; +#endif +#ifndef NO_WOLFSSL_SERVER WOLFSSL_CTX* serverTls12Ctx; WOLFSSL* serverTls12Ssl; #endif +#endif +#ifndef NO_WOLFSSL_CLIENT WOLFSSL_CTX* clientCtx; WOLFSSL* clientSsl; +#endif +#ifndef NO_WOLFSSL_SERVER WOLFSSL_CTX* serverCtx; WOLFSSL* serverSsl; #ifndef NO_CERTS const char* ourCert = svrCertFile; const char* ourKey = svrKeyFile; #endif +#endif #ifdef WOLFSSL_EARLY_DATA int outSz; #endif @@ -19031,8 +19071,11 @@ static int test_tls13_apis(void) int numGroups = 1; #ifndef WOLFSSL_NO_TLS12 +#ifndef NO_WOLFSSL_CLIENT clientTls12Ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method()); clientTls12Ssl = wolfSSL_new(clientTls12Ctx); +#endif +#ifndef NO_WOLFSSL_SERVER serverTls12Ctx = wolfSSL_CTX_new(wolfTLSv1_2_server_method()); #ifndef NO_CERTS wolfSSL_CTX_use_certificate_chain_file(serverTls12Ctx, ourCert); @@ -19040,19 +19083,27 @@ static int test_tls13_apis(void) #endif serverTls12Ssl = wolfSSL_new(serverTls12Ctx); #endif +#endif +#ifndef NO_WOLFSSL_CLIENT clientCtx = wolfSSL_CTX_new(wolfTLSv1_3_client_method()); clientSsl = wolfSSL_new(clientCtx); +#endif +#ifndef NO_WOLFSSL_SERVER serverCtx = wolfSSL_CTX_new(wolfTLSv1_3_server_method()); #ifndef NO_CERTS wolfSSL_CTX_use_certificate_chain_file(serverCtx, ourCert); wolfSSL_CTX_use_PrivateKey_file(serverCtx, ourKey, WOLFSSL_FILETYPE_PEM); #endif serverSsl = wolfSSL_new(serverCtx); +#endif #ifdef WOLFSSL_SEND_HRR_COOKIE AssertIntEQ(wolfSSL_send_hrr_cookie(NULL, NULL, 0), BAD_FUNC_ARG); +#ifndef NO_WOLFSSL_CLIENT AssertIntEQ(wolfSSL_send_hrr_cookie(clientSsl, NULL, 0), SIDE_ERROR); +#endif +#ifndef NO_WOLFSSL_SERVER #ifndef WOLFSSL_NO_TLS12 AssertIntEQ(wolfSSL_send_hrr_cookie(serverTls12Ssl, NULL, 0), BAD_FUNC_ARG); #endif @@ -19061,117 +19112,171 @@ static int test_tls13_apis(void) AssertIntEQ(wolfSSL_send_hrr_cookie(serverSsl, fixedKey, sizeof(fixedKey)), WOLFSSL_SUCCESS); #endif +#endif #ifdef HAVE_ECC AssertIntEQ(wolfSSL_UseKeyShare(NULL, WOLFSSL_ECC_SECP256R1), BAD_FUNC_ARG); +#ifndef NO_WOLFSSL_SERVER AssertIntEQ(wolfSSL_UseKeyShare(serverSsl, WOLFSSL_ECC_SECP256R1), WOLFSSL_SUCCESS); +#endif +#ifndef NO_WOLFSSL_CLIENT #ifndef WOLFSSL_NO_TLS12 AssertIntEQ(wolfSSL_UseKeyShare(clientTls12Ssl, WOLFSSL_ECC_SECP256R1), WOLFSSL_SUCCESS); #endif AssertIntEQ(wolfSSL_UseKeyShare(clientSsl, WOLFSSL_ECC_SECP256R1), WOLFSSL_SUCCESS); +#endif #elif defined(HAVE_CURVE25519) AssertIntEQ(wolfSSL_UseKeyShare(NULL, WOLFSSL_ECC_X25519), BAD_FUNC_ARG); +#ifndef NO_WOLFSSL_SERVER AssertIntEQ(wolfSSL_UseKeyShare(serverSsl, WOLFSSL_ECC_X25519), WOLFSSL_SUCCESS); +#endif +#ifndef NO_WOLFSSL_CLIENT #ifndef WOLFSSL_NO_TLS12 AssertIntEQ(wolfSSL_UseKeyShare(clientTls12Ssl, WOLFSSL_ECC_X25519), WOLFSSL_SUCCESS); #endif AssertIntEQ(wolfSSL_UseKeyShare(clientSsl, WOLFSSL_ECC_X25519), WOLFSSL_SUCCESS); +#endif #else AssertIntEQ(wolfSSL_UseKeyShare(NULL, WOLFSSL_ECC_SECP256R1), BAD_FUNC_ARG); +#ifndef NO_WOLFSSL_CLIENT #ifndef WOLFSSL_NO_TLS12 AssertIntEQ(wolfSSL_UseKeyShare(clientTls12Ssl, WOLFSSL_ECC_SECP256R1), NOT_COMPILED_IN); #endif AssertIntEQ(wolfSSL_UseKeyShare(clientSsl, WOLFSSL_ECC_SECP256R1), NOT_COMPILED_IN); +#endif #endif AssertIntEQ(wolfSSL_NoKeyShares(NULL), BAD_FUNC_ARG); +#ifndef NO_WOLFSSL_SERVER AssertIntEQ(wolfSSL_NoKeyShares(serverSsl), SIDE_ERROR); +#endif +#ifndef NO_WOLFSSL_CLIENT #ifndef WOLFSSL_NO_TLS12 AssertIntEQ(wolfSSL_NoKeyShares(clientTls12Ssl), WOLFSSL_SUCCESS); #endif AssertIntEQ(wolfSSL_NoKeyShares(clientSsl), WOLFSSL_SUCCESS); +#endif AssertIntEQ(wolfSSL_CTX_no_ticket_TLSv13(NULL), BAD_FUNC_ARG); +#ifndef NO_WOLFSSL_CLIENT AssertIntEQ(wolfSSL_CTX_no_ticket_TLSv13(clientCtx), SIDE_ERROR); +#endif +#ifndef NO_WOLFSSL_SERVER #ifndef WOLFSSL_NO_TLS12 AssertIntEQ(wolfSSL_CTX_no_ticket_TLSv13(serverTls12Ctx), BAD_FUNC_ARG); #endif AssertIntEQ(wolfSSL_CTX_no_ticket_TLSv13(serverCtx), 0); +#endif AssertIntEQ(wolfSSL_no_ticket_TLSv13(NULL), BAD_FUNC_ARG); +#ifndef NO_WOLFSSL_CLIENT AssertIntEQ(wolfSSL_no_ticket_TLSv13(clientSsl), SIDE_ERROR); +#endif +#ifndef NO_WOLFSSL_SERVER #ifndef WOLFSSL_NO_TLS12 AssertIntEQ(wolfSSL_no_ticket_TLSv13(serverTls12Ssl), BAD_FUNC_ARG); #endif AssertIntEQ(wolfSSL_no_ticket_TLSv13(serverSsl), 0); +#endif AssertIntEQ(wolfSSL_CTX_no_dhe_psk(NULL), BAD_FUNC_ARG); +#ifndef NO_WOLFSSL_CLIENT #ifndef WOLFSSL_NO_TLS12 AssertIntEQ(wolfSSL_CTX_no_dhe_psk(clientTls12Ctx), BAD_FUNC_ARG); #endif - AssertIntEQ(wolfSSL_CTX_no_dhe_psk(serverCtx), 0); AssertIntEQ(wolfSSL_CTX_no_dhe_psk(clientCtx), 0); +#endif +#ifndef NO_WOLFSSL_SERVER + AssertIntEQ(wolfSSL_CTX_no_dhe_psk(serverCtx), 0); +#endif AssertIntEQ(wolfSSL_no_dhe_psk(NULL), BAD_FUNC_ARG); +#ifndef NO_WOLFSSL_CLIENT #ifndef WOLFSSL_NO_TLS12 AssertIntEQ(wolfSSL_no_dhe_psk(clientTls12Ssl), BAD_FUNC_ARG); #endif - AssertIntEQ(wolfSSL_no_dhe_psk(serverSsl), 0); AssertIntEQ(wolfSSL_no_dhe_psk(clientSsl), 0); +#endif +#ifndef NO_WOLFSSL_SERVER + AssertIntEQ(wolfSSL_no_dhe_psk(serverSsl), 0); +#endif AssertIntEQ(wolfSSL_update_keys(NULL), BAD_FUNC_ARG); +#ifndef NO_WOLFSSL_CLIENT #ifndef WOLFSSL_NO_TLS12 AssertIntEQ(wolfSSL_update_keys(clientTls12Ssl), BAD_FUNC_ARG); #endif - AssertIntEQ(wolfSSL_update_keys(serverSsl), BUILD_MSG_ERROR); AssertIntEQ(wolfSSL_update_keys(clientSsl), BUILD_MSG_ERROR); +#endif +#ifndef NO_WOLFSSL_SERVER + AssertIntEQ(wolfSSL_update_keys(serverSsl), BUILD_MSG_ERROR); +#endif #if !defined(NO_CERTS) && defined(WOLFSSL_POST_HANDSHAKE_AUTH) AssertIntEQ(wolfSSL_CTX_allow_post_handshake_auth(NULL), BAD_FUNC_ARG); +#ifndef NO_WOLFSSL_SERVER AssertIntEQ(wolfSSL_CTX_allow_post_handshake_auth(serverCtx), SIDE_ERROR); +#endif +#ifndef NO_WOLFSSL_CLIENT #ifndef WOLFSSL_NO_TLS12 AssertIntEQ(wolfSSL_CTX_allow_post_handshake_auth(clientTls12Ctx), BAD_FUNC_ARG); #endif AssertIntEQ(wolfSSL_CTX_allow_post_handshake_auth(clientCtx), 0); +#endif AssertIntEQ(wolfSSL_allow_post_handshake_auth(NULL), BAD_FUNC_ARG); +#ifndef NO_WOLFSSL_SERVER AssertIntEQ(wolfSSL_allow_post_handshake_auth(serverSsl), SIDE_ERROR); +#endif +#ifndef NO_WOLFSSL_CLIENT #ifndef WOLFSSL_NO_TLS12 AssertIntEQ(wolfSSL_allow_post_handshake_auth(clientTls12Ssl), BAD_FUNC_ARG); #endif AssertIntEQ(wolfSSL_allow_post_handshake_auth(clientSsl), 0); +#endif AssertIntEQ(wolfSSL_request_certificate(NULL), BAD_FUNC_ARG); +#ifndef NO_WOLFSSL_CLIENT AssertIntEQ(wolfSSL_request_certificate(clientSsl), SIDE_ERROR); +#endif +#ifndef NO_WOLFSSL_SERVER #ifndef WOLFSSL_NO_TLS12 AssertIntEQ(wolfSSL_request_certificate(serverTls12Ssl), BAD_FUNC_ARG); #endif AssertIntEQ(wolfSSL_request_certificate(serverSsl), NOT_READY_ERROR); #endif +#endif #ifndef WOLFSSL_NO_SERVER_GROUPS_EXT AssertIntEQ(wolfSSL_preferred_group(NULL), BAD_FUNC_ARG); +#ifndef NO_WOLFSSL_SERVER AssertIntEQ(wolfSSL_preferred_group(serverSsl), SIDE_ERROR); +#endif +#ifndef NO_WOLFSSL_CLIENT #ifndef WOLFSSL_NO_TLS12 AssertIntEQ(wolfSSL_preferred_group(clientTls12Ssl), BAD_FUNC_ARG); #endif AssertIntEQ(wolfSSL_preferred_group(clientSsl), NOT_READY_ERROR); +#endif #endif AssertIntEQ(wolfSSL_CTX_set_groups(NULL, NULL, 0), BAD_FUNC_ARG); +#ifndef NO_WOLFSSL_CLIENT AssertIntEQ(wolfSSL_CTX_set_groups(clientCtx, NULL, 0), BAD_FUNC_ARG); +#endif AssertIntEQ(wolfSSL_CTX_set_groups(NULL, groups, numGroups), BAD_FUNC_ARG); +#ifndef NO_WOLFSSL_CLIENT #ifndef WOLFSSL_NO_TLS12 AssertIntEQ(wolfSSL_CTX_set_groups(clientTls12Ctx, groups, numGroups), BAD_FUNC_ARG); @@ -19181,12 +19286,18 @@ static int test_tls13_apis(void) BAD_FUNC_ARG); AssertIntEQ(wolfSSL_CTX_set_groups(clientCtx, groups, numGroups), WOLFSSL_SUCCESS); +#endif +#ifndef NO_WOLFSSL_SERVER AssertIntEQ(wolfSSL_CTX_set_groups(serverCtx, groups, numGroups), WOLFSSL_SUCCESS); +#endif AssertIntEQ(wolfSSL_set_groups(NULL, NULL, 0), BAD_FUNC_ARG); +#ifndef NO_WOLFSSL_CLIENT AssertIntEQ(wolfSSL_set_groups(clientSsl, NULL, 0), BAD_FUNC_ARG); +#endif AssertIntEQ(wolfSSL_set_groups(NULL, groups, numGroups), BAD_FUNC_ARG); +#ifndef NO_WOLFSSL_CLIENT #ifndef WOLFSSL_NO_TLS12 AssertIntEQ(wolfSSL_set_groups(clientTls12Ssl, groups, numGroups), BAD_FUNC_ARG); @@ -19195,27 +19306,39 @@ static int test_tls13_apis(void) WOLFSSL_MAX_GROUP_COUNT + 1), BAD_FUNC_ARG); AssertIntEQ(wolfSSL_set_groups(clientSsl, groups, numGroups), WOLFSSL_SUCCESS); +#endif +#ifndef NO_WOLFSSL_SERVER AssertIntEQ(wolfSSL_set_groups(serverSsl, groups, numGroups), WOLFSSL_SUCCESS); +#endif #ifdef WOLFSSL_EARLY_DATA AssertIntEQ(wolfSSL_CTX_set_max_early_data(NULL, 0), BAD_FUNC_ARG); +#ifndef NO_WOLFSSL_CLIENT AssertIntEQ(wolfSSL_CTX_set_max_early_data(clientCtx, 0), SIDE_ERROR); +#endif +#ifndef NO_WOLFSSL_SERVER #ifndef WOLFSSL_NO_TLS12 AssertIntEQ(wolfSSL_CTX_set_max_early_data(serverTls12Ctx, 0), BAD_FUNC_ARG); #endif AssertIntEQ(wolfSSL_CTX_set_max_early_data(serverCtx, 0), 0); +#endif AssertIntEQ(wolfSSL_set_max_early_data(NULL, 0), BAD_FUNC_ARG); +#ifndef NO_WOLFSSL_CLIENT AssertIntEQ(wolfSSL_set_max_early_data(clientSsl, 0), SIDE_ERROR); +#endif +#ifndef NO_WOLFSSL_SERVER #ifndef WOLFSSL_NO_TLS12 AssertIntEQ(wolfSSL_set_max_early_data(serverTls12Ssl, 0), BAD_FUNC_ARG); #endif AssertIntEQ(wolfSSL_set_max_early_data(serverSsl, 0), 0); +#endif AssertIntEQ(wolfSSL_write_early_data(NULL, earlyData, sizeof(earlyData), &outSz), BAD_FUNC_ARG); +#ifndef NO_WOLFSSL_CLIENT AssertIntEQ(wolfSSL_write_early_data(clientSsl, NULL, sizeof(earlyData), &outSz), BAD_FUNC_ARG); AssertIntEQ(wolfSSL_write_early_data(clientSsl, earlyData, -1, &outSz), @@ -19223,9 +19346,13 @@ static int test_tls13_apis(void) AssertIntEQ(wolfSSL_write_early_data(clientSsl, earlyData, sizeof(earlyData), NULL), BAD_FUNC_ARG); +#endif +#ifndef NO_WOLFSSL_SERVER AssertIntEQ(wolfSSL_write_early_data(serverSsl, earlyData, sizeof(earlyData), &outSz), SIDE_ERROR); +#endif +#ifndef NO_WOLFSSL_CLIENT #ifndef WOLFSSL_NO_TLS12 AssertIntEQ(wolfSSL_write_early_data(clientTls12Ssl, earlyData, sizeof(earlyData), &outSz), @@ -19234,10 +19361,12 @@ static int test_tls13_apis(void) AssertIntEQ(wolfSSL_write_early_data(clientSsl, earlyData, sizeof(earlyData), &outSz), WOLFSSL_FATAL_ERROR); +#endif AssertIntEQ(wolfSSL_read_early_data(NULL, earlyDataBuffer, sizeof(earlyDataBuffer), &outSz), BAD_FUNC_ARG); +#ifndef NO_WOLFSSL_SERVER AssertIntEQ(wolfSSL_read_early_data(serverSsl, NULL, sizeof(earlyDataBuffer), &outSz), BAD_FUNC_ARG); @@ -19246,9 +19375,13 @@ static int test_tls13_apis(void) AssertIntEQ(wolfSSL_read_early_data(serverSsl, earlyDataBuffer, sizeof(earlyDataBuffer), NULL), BAD_FUNC_ARG); +#endif +#ifndef NO_WOLFSSL_CLIENT AssertIntEQ(wolfSSL_read_early_data(clientSsl, earlyDataBuffer, sizeof(earlyDataBuffer), &outSz), SIDE_ERROR); +#endif +#ifndef NO_WOLFSSL_SERVER #ifndef WOLFSSL_NO_TLS12 AssertIntEQ(wolfSSL_read_early_data(serverTls12Ssl, earlyDataBuffer, sizeof(earlyDataBuffer), &outSz), @@ -19258,17 +19391,26 @@ static int test_tls13_apis(void) sizeof(earlyDataBuffer), &outSz), WOLFSSL_FATAL_ERROR); #endif +#endif +#ifndef NO_WOLFSSL_SERVER wolfSSL_free(serverSsl); wolfSSL_CTX_free(serverCtx); +#endif +#ifndef NO_WOLFSSL_CLIENT wolfSSL_free(clientSsl); wolfSSL_CTX_free(clientCtx); +#endif #ifndef WOLFSSL_NO_TLS12 +#ifndef NO_WOLFSSL_SERVER wolfSSL_free(serverTls12Ssl); wolfSSL_CTX_free(serverTls12Ctx); +#endif +#ifndef NO_WOLFSSL_CLIENT wolfSSL_free(clientTls12Ssl); wolfSSL_CTX_free(clientTls12Ctx); +#endif #endif return ret; @@ -19352,7 +19494,11 @@ static void test_DhCallbacks(void) printf(testingFmt, "test_DhCallbacks"); +#ifndef NO_WOLFSSL_CLIENT AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); +#else + AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); +#endif wolfSSL_CTX_SetDhAgreeCb(ctx, &my_DhCallback); /* load client ca cert */ @@ -19709,7 +19855,9 @@ void ApiTest(void) test_client_wolfSSL_new(); test_wolfSSL_SetTmpDH_file(); test_wolfSSL_SetTmpDH_buffer(); +#if !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) test_wolfSSL_read_write(); +#endif test_wolfSSL_dtls_export(); AssertIntEQ(test_wolfSSL_SetMinVersion(), WOLFSSL_SUCCESS); AssertIntEQ(test_wolfSSL_CTX_SetMinVersion(), WOLFSSL_SUCCESS); @@ -19750,7 +19898,9 @@ void ApiTest(void) test_wolfSSL_EVP_PKEY_new_mac_key(); test_wolfSSL_EVP_MD_hmac_signing(); test_wolfSSL_CTX_add_extra_chain_cert(); +#if !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) test_wolfSSL_ERR_peek_last_error_line(); +#endif test_wolfSSL_set_options(); test_wolfSSL_X509_STORE_CTX(); test_wolfSSL_msgCb(); diff --git a/tests/unit.c b/tests/unit.c index 0f1e09adb..aef46d9e4 100644 --- a/tests/unit.c +++ b/tests/unit.c @@ -71,11 +71,13 @@ int unit_test(int argc, char** argv) goto exit; } +#if !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) #ifndef SINGLE_THREADED if ( (ret = SuiteTest()) != 0){ printf("suite test failed with %d\n", ret); goto exit; } +#endif #endif SrpTest(); diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 82d4e2fa6..9c5beadbf 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -1980,7 +1980,7 @@ WOLFSSL_LOCAL void TLSX_FreeAll(TLSX* list, void* heap); WOLFSSL_LOCAL int TLSX_SupportExtensions(WOLFSSL* ssl); WOLFSSL_LOCAL int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isRequest); -#ifndef NO_WOLFSSL_CLIENT +#if defined(WOLFSSL_TLS13) || !defined(NO_WOLFSSL_CLIENT) WOLFSSL_LOCAL int TLSX_GetRequestSize(WOLFSSL* ssl, byte msgType, word16* pLength); WOLFSSL_LOCAL int TLSX_WriteRequest(WOLFSSL* ssl, byte* output, @@ -2144,9 +2144,9 @@ WOLFSSL_LOCAL int TLSX_UsePointFormat(TLSX** extensions, byte point, WOLFSSL_LOCAL int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second); WOLFSSL_LOCAL int TLSX_SupportedCurve_CheckPriority(WOLFSSL* ssl); +#endif WOLFSSL_LOCAL int TLSX_SupportedCurve_Preferred(WOLFSSL* ssl, int checkSupported); -#endif #endif /* HAVE_SUPPORTED_CURVES */ diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 713ca514f..93a5c3904 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -2347,7 +2347,6 @@ WOLFSSL_API int wolfSSL_set_SessionTicket_cb(WOLFSSL*, CallbackSessionTicket, void*); #endif /* NO_WOLFSSL_CLIENT */ -#ifndef NO_WOLFSSL_SERVER #define WOLFSSL_TICKET_NAME_SZ 16 #define WOLFSSL_TICKET_IV_SZ 16 @@ -2360,6 +2359,8 @@ enum TicketEncRet { WOLFSSL_TICKET_RET_CREATE /* existing ticket ok and create new one */ }; +#ifndef NO_WOLFSSL_SERVER + typedef int (*SessionTicketEncCb)(WOLFSSL*, unsigned char key_name[WOLFSSL_TICKET_NAME_SZ], unsigned char iv[WOLFSSL_TICKET_IV_SZ],