feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Fixes for Jenkins tests

Browse Source 
- Move test to `HAVE_IO_TESTS_DEPENDENCIES`
- Implement `wolfSSL_trust_peer_cert`
- have{cipher} options weren't being set with only RSA enabled
This commit is contained in:
Juliusz Sosinowicz
2022-02-08 19:20:10 +01:00
parent 91b08fb691
commit ceff401269
6 changed files with 204 additions and 74 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
examples/server/server.c
View File

@ -802,7 +802,7 @@ static void SetKeyShare(WOLFSSL* ssl, int onlyKeyShare, int useX25519,
/* 4. add the same message into Japanese section */
/* (will be translated later) */
/* 5. add printf() into suitable position of Usage() */
static const char* server_usage_msg[][60] = {
static const char* server_usage_msg[][63] = {
/* English */
{
" NOTE: All files relative to wolfSSL home dir\n", /* 0 */

58
src/internal.c
View File

@ -8974,7 +8974,8 @@ retry:
return -1;
case WOLFSSL_CBIO_ERR_WANT_READ: /* want read, would block */
if (ssl->ctx->autoRetry && !ssl->options.handShakeDone)
if (ssl->ctx->autoRetry && !ssl->options.handShakeDone &&
!ssl->options.dtls)
goto retry;
return WANT_READ;
@ -12498,13 +12499,18 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
WOLFSSL_MSG("Failed to verify Peer's cert");
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
if (ssl->peerVerifyRet == 0) { /* Return first cert error here */
if (ret == ASN_BEFORE_DATE_E)
ssl->peerVerifyRet = X509_V_ERR_CERT_NOT_YET_VALID;
else if (ret == ASN_AFTER_DATE_E)
ssl->peerVerifyRet = X509_V_ERR_CERT_HAS_EXPIRED;
if (ret == ASN_BEFORE_DATE_E) {
ssl->peerVerifyRet =
(unsigned long)X509_V_ERR_CERT_NOT_YET_VALID;
}
else if (ret == ASN_AFTER_DATE_E) {
ssl->peerVerifyRet =
(unsigned long)X509_V_ERR_CERT_HAS_EXPIRED;
}
else {
ssl->peerVerifyRet =
X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
(unsigned long)
X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
}
}
#endif
@ -29188,7 +29194,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
ssl->arrays->masterSecret, 1);
#ifdef HAVE_SESSION_TICKET
if (ssl->options.useTicket == 1) {
session = &ssl->session;
session = ssl->session;
}
#endif
@ -30605,24 +30611,44 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
#ifdef WOLFSSL_TICKET_HAVE_ID
{
const byte* id = NULL;
if (ssl->session->haveAltSessionID)
byte idSz = 0;
if (ssl->session->haveAltSessionID) {
id = ssl->session->altSessionID;
else if (!IsAtLeastTLSv1_3(ssl->version) && ssl->arrays != NULL)
idSz = ID_LEN;
}
else if (!IsAtLeastTLSv1_3(ssl->version) && ssl->arrays != NULL) {
id = ssl->arrays->sessionID;
else
idSz = ssl->arrays->sessionIDSz;
}
else {
id = ssl->session->sessionID;
idSz = ssl->session->sessionIDSz;
}
if (idSz == 0) {
ret = wc_RNG_GenerateBlock(ssl->rng, ssl->session->altSessionID,
ID_LEN);
if (ret != 0)
return ret;
ssl->session->haveAltSessionID = 1;
id = ssl->session->altSessionID;
idSz = ID_LEN;
}
XMEMCPY(it.id, id, ID_LEN);
}
#endif
/* encrypt */
encLen = WOLFSSL_TICKET_ENC_SZ; /* max size user can use */
if (ssl->ctx->ticketEncCb == NULL ||
if (ssl->ctx->ticketEncCb == NULL
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || defined(WOLFSSL_WPAS_SMALL)
||
/* SSL_OP_NO_TICKET turns off tickets in < 1.2. Forces
* "stateful" tickets for 1.3 so just use the regular
* stateless ones. */
(!IsAtLeastTLSv1_3(ssl->version) &&
(ssl->options.mask & SSL_OP_NO_TICKET) != 0)) {
(ssl->options.mask & SSL_OP_NO_TICKET) != 0)
#endif
) {
ret = WOLFSSL_TICKET_RET_FATAL;
}
else {
@ -30717,12 +30743,16 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
}
outLen = inLen; /* may be reduced by user padding */
if (ssl->ctx->ticketEncCb == NULL ||
if (ssl->ctx->ticketEncCb == NULL
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || defined(WOLFSSL_WPAS_SMALL)
||
/* SSL_OP_NO_TICKET turns off tickets in < 1.2. Forces
* "stateful" tickets for 1.3 so just use the regular
* stateless ones. */
(!IsAtLeastTLSv1_3(ssl->version) &&
(ssl->options.mask & SSL_OP_NO_TICKET) != 0)) {
(ssl->options.mask & SSL_OP_NO_TICKET) != 0)
#endif
) {
ret = WOLFSSL_TICKET_RET_FATAL;
}
else {

102
src/ssl.c
View File

@ -4398,8 +4398,12 @@ void wolfSSL_ERR_print_errors_cb (int (*cb)(const char *str, size_t len,
#endif
#endif
/*
* TODO This ssl parameter needs to be changed to const once our ABI checker
* stops flagging qualifier additions as ABI breaking.
*/
WOLFSSL_ABI
int wolfSSL_pending(const WOLFSSL* ssl)
int wolfSSL_pending(WOLFSSL* ssl)
{
WOLFSSL_ENTER("SSL_pending");
if (ssl == NULL)
@ -6130,13 +6134,11 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
}
#ifdef WOLFSSL_TRUST_PEER_CERT
else if (type == TRUSTED_PEER_TYPE) {
if (ctx == NULL) {
WOLFSSL_MSG("Need context for trusted peer cert load");
FreeDer(&der);
return BAD_FUNC_ARG;
}
/* add trusted peer cert. der is freed within */
ret = AddTrustedPeer(ctx->cm, &der, !ctx->verifyNone);
if (ctx != NULL)
ret = AddTrustedPeer(ctx->cm, &der, !ctx->verifyNone);
else
ret = AddTrustedPeer(SSL_CM(ssl), &der, !ssl->options.verifyNone);
if (ret != WOLFSSL_SUCCESS) {
WOLFSSL_MSG("Error adding trusted peer");
}
@ -6322,9 +6324,12 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
}
#if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448) || \
defined(HAVE_PQC)
defined(HAVE_PQC) || !defined(NO_RSA)
if (ssl) {
#if defined(HAVE_ECC) || defined(HAVE_ED25519) || \
(defined(HAVE_CURVE448) && defined(HAVE_ED448))
ssl->pkCurveOID = cert->pkCurveOID;
#endif
#ifndef WC_STRICT_SIG
if (cert->keyOID == ECDSAk) {
ssl->options.haveECC = 1;
@ -6355,7 +6360,9 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
#endif
}
else if (ctx) {
#if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448)
ctx->pkCurveOID = cert->pkCurveOID;
#endif
#ifndef WC_STRICT_SIG
if (cert->keyOID == ECDSAk) {
ctx->haveECC = 1;
@ -7620,6 +7627,18 @@ int wolfSSL_CTX_trust_peer_cert(WOLFSSL_CTX* ctx, const char* file, int type)
return ProcessFile(ctx, file, type, TRUSTED_PEER_TYPE, NULL, 0, NULL,
GET_VERIFY_SETTING_CTX(ctx));
}
int wolfSSL_trust_peer_cert(WOLFSSL* ssl, const char* file, int type)
{
WOLFSSL_ENTER("wolfSSL_trust_peer_cert");
if (ssl == NULL || file == NULL) {
return WOLFSSL_FAILURE;
}
return ProcessFile(NULL, file, type, TRUSTED_PEER_TYPE, ssl, 0, NULL,
GET_VERIFY_SETTING_SSL(ssl));
}
#endif /* WOLFSSL_TRUST_PEER_CERT */
@ -15769,7 +15788,7 @@ int AddSessionToClientCache(int side, int row, int idx, byte* serverID,
}
#endif
int AddSessionToCache(WOLFSSL_SESSION* addSession, const byte* id,
int AddSessionToCache(WOLFSSL_SESSION* addSession, const byte* id, byte idSz,
int* sessionIndex, int side, word16 useTicket)
{
WOLFSSL_SESSION* cacheSession = NULL;
@ -15790,8 +15809,10 @@ int AddSessionToCache(WOLFSSL_SESSION* addSession, const byte* id,
(void)sessionIndex;
(void)useTicket;
if (addSession == NULL)
if (addSession == NULL || idSz == 0) {
WOLFSSL_MSG("addSession NULL or idSz == 0");
return BAD_FUNC_ARG;
}
/* Find a position for the new session in cache and use that */
#ifdef HAVE_SESSION_TICKET
@ -15916,6 +15937,7 @@ int AddSession(WOLFSSL* ssl)
{
int error = 0;
const byte* id = NULL;
byte idSz = 0;
WOLFSSL_SESSION* session = ssl->session;
#ifdef HAVE_EXT_CACHE
int cbRet = 0;
@ -15941,8 +15963,10 @@ int AddSession(WOLFSSL* ssl)
}
#endif
if (session->haveAltSessionID)
if (session->haveAltSessionID) {
id = session->altSessionID;
idSz = ID_LEN;
}
else {
if (!IsAtLeastTLSv1_3(ssl->version) && ssl->arrays != NULL) {
/* Make sure the session ID is available when the user calls any
@ -15951,15 +15975,9 @@ int AddSession(WOLFSSL* ssl)
session->sessionIDSz = ssl->arrays->sessionIDSz;
}
id = session->sessionID;
idSz = session->sessionIDSz;
}
if (id == NULL) {
WOLFSSL_MSG("No Session ID");
return BAD_FUNC_ARG;
}
/* Setup the ssl->session object */
session->timeout = ssl->timeout;
session->side = (byte)ssl->options.side;
if (!IsAtLeastTLSv1_3(ssl->version) && ssl->arrays != NULL)
@ -15993,7 +16011,7 @@ int AddSession(WOLFSSL* ssl)
if (!ssl->options.internalCacheOff)
#endif
{
error = AddSessionToCache(session, id,
error = AddSessionToCache(session, id, idSz,
#ifdef SESSION_INDEX
&ssl->sessionIndex,
#else
@ -17203,6 +17221,18 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
return wolfSSL_CertManagerUnload_trust_peers(ctx->cm);
}
#ifdef WOLFSSL_LOCAL_X509_STORE
int wolfSSL_Unload_trust_peers(WOLFSSL* ssl)
{
WOLFSSL_ENTER("wolfSSL_CTX_Unload_trust_peers");
if (ssl == NULL)
return BAD_FUNC_ARG;
return wolfSSL_CertManagerUnload_trust_peers(SSL_CM(ssl));
}
#endif /* WOLFSSL_LOCAL_X509_STORE */
#endif /* WOLFSSL_TRUST_PEER_CERT */
/* old NO_FILESYSTEM end */
#endif /* !NO_CERTS */
@ -23670,7 +23700,9 @@ WOLFSSL_SESSION* wolfSSL_NewSession(void* heap)
}
#endif
ret->refCount = 1;
#ifndef NO_SESSION_CACHE
ret->cacheRow = INVALID_SESSION_ROW; /* not in cache */
#endif
ret->type = WOLFSSL_SESSION_TYPE_HEAP;
ret->heap = heap;
ret->masterSecret = ret->_masterSecret;
@ -23782,7 +23814,9 @@ int wolfSSL_DupSession(const WOLFSSL_SESSION* input, WOLFSSL_SESSION* output,
/* Set sane values for copy */
if (output->type != WOLFSSL_SESSION_TYPE_CACHE)
#ifndef NO_SESSION_CACHE
output->cacheRow = INVALID_SESSION_ROW;
#endif
#if defined(SESSION_CERTS) && defined(OPENSSL_EXTRA)
if (input->peer != NULL && input->peer->dynamicMemory) {
if (wolfSSL_X509_up_ref(input->peer) != WOLFSSL_SUCCESS) {
@ -23971,10 +24005,12 @@ void wolfSSL_SESSION_free(WOLFSSL_SESSION* session)
wolfSSL_FreeSession(session);
}
#ifndef NO_SESSION_CACHE
int wolfSSL_CTX_add_session(WOLFSSL_CTX* ctx, WOLFSSL_SESSION* session)
{
int error = 0;
const byte* id = NULL;
byte idSz = 0;
WOLFSSL_ENTER("wolfSSL_CTX_add_session");
@ -23985,10 +24021,13 @@ int wolfSSL_CTX_add_session(WOLFSSL_CTX* ctx, WOLFSSL_SESSION* session)
(void)ctx;
id = session->sessionID;
if (session->haveAltSessionID)
idSz = session->sessionIDSz;
if (session->haveAltSessionID) {
id = session->altSessionID;
idSz = ID_LEN;
}
error = AddSessionToCache(session, id,
error = AddSessionToCache(session, id, idSz,
NULL, session->side,
#ifdef HAVE_SESSION_TICKET
session->ticketLen > 0
@ -23999,6 +24038,7 @@ int wolfSSL_CTX_add_session(WOLFSSL_CTX* ctx, WOLFSSL_SESSION* session)
return error == 0 ? WOLFSSL_SUCCESS : WOLFSSL_FAILURE;
}
#endif
#if defined(OPENSSL_EXTRA) || defined(HAVE_EXT_CACHE)
@ -32484,6 +32524,7 @@ WOLFSSL_SESSION* wolfSSL_d2i_SSL_SESSION(WOLFSSL_SESSION** sess,
(void)p;
(void)i;
(void)ret;
(void)sess;
#ifdef HAVE_EXT_CACHE
if (p == NULL || *p == NULL)
@ -34467,11 +34508,16 @@ int wolfSSL_DH_set0_pqg(WOLFSSL_DH *dh, WOLFSSL_BIGNUM *p,
/* free existing internal DH structure and recreate with new p / g */
if (dh->inSet) {
#ifndef HAVE_SELFTEST
ret = wc_FreeDhKey((DhKey*)dh->internal);
if (ret != 0) {
WOLFSSL_MSG("Unable to free internal DH key");
return WOLFSSL_FAILURE;
}
#else
/* Selftest code has this API with a void return type */
wc_FreeDhKey((DhKey*)dh->internal);
#endif
}
wolfSSL_BN_free(dh->p);
@ -40498,7 +40544,6 @@ int wolfSSL_i2d_ECDSA_SIG(const WOLFSSL_ECDSA_SIG *sig, unsigned char **pp)
}
/* End ECDSA_SIG */
/* Remove this prototype when code is reorganized. */
static int wolfSSL_RAND_Init(void);
@ -45760,16 +45805,20 @@ err:
#ifdef WOLFSSL_HAVE_ERROR_QUEUE
unsigned long err;
CLEAR_ASN_NO_PEM_HEADER_ERROR(err);
if (ERR_GET_LIB(err) != ERR_LIB_PEM ||
ERR_GET_REASON(err) != PEM_R_NO_START_LINE) {
ret = WOLFSSL_FAILURE;
}
#else
if (wolfSSL_sk_X509_INFO_num(localSk) > 0) {
WOLFSSL_MSG("At least one X509_INFO object on stack."
"Assuming error means EOF or no more PEM"
"headers found.");
}
#endif
else {
ret = WOLFSSL_FAILURE;
}
#endif
break;
}
}
@ -48708,6 +48757,7 @@ void wolfSSL_sk_X509_NAME_ENTRY_free(WOLF_STACK_OF(WOLFSSL_X509_NAME_ENTRY)* sk)
(defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) || \
defined(HAVE_LIGHTY) || defined(WOLFSSL_HAPROXY) || \
defined(WOLFSSL_OPENSSH) || defined(HAVE_SBLIM_SFCB)))
#ifdef HAVE_EX_DATA
int wolfSSL_SESSION_get_ex_new_index(long idx, void* data, void* cb1,
void* cb2, CRYPTO_free_func* cb3)
{
@ -48719,6 +48769,7 @@ int wolfSSL_SESSION_get_ex_new_index(long idx, void* data, void* cb1,
(void)data;
return get_ex_new_index(CRYPTO_EX_INDEX_SSL_SESSION);
}
#endif
#if defined(USE_WOLFSSL_MEMORY) && !defined(WOLFSSL_DEBUG_MEMORY)
static wolfSSL_OSSL_Malloc_cb ossl_malloc = NULL;
@ -51914,7 +51965,8 @@ int wolfSSL_sk_WOLFSSL_STRING_num(WOLF_STACK_OF(WOLFSSL_STRING)* strings)
#endif /* WOLFSSL_NGINX || WOLFSSL_HAPROXY || OPENSSL_EXTRA || OPENSSL_ALL */
#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)
#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL) || \
defined(KEEP_PEER_CERT)
WOLFSSL_X509* wolfSSL_X509_dup(WOLFSSL_X509 *x)
{
WOLFSSL_ENTER("wolfSSL_X509_dup");
@ -63779,7 +63831,7 @@ WC_PKCS12* wolfSSL_d2i_PKCS12_bio(WOLFSSL_BIO* bio, WC_PKCS12** pkcs12)
if (mem != NULL && localPkcs12 != NULL) {
if (wolfSSL_BIO_read(bio, mem, (int)memSz) == memSz) {
ret = wc_d2i_PKCS12(mem, memSz, localPkcs12);
ret = wc_d2i_PKCS12(mem, (word32)memSz, localPkcs12);
if (ret < 0) {
WOLFSSL_MSG("Failed to get PKCS12 sequence");
}

103
tests/api.c
View File

@ -914,47 +914,66 @@ static void test_wolfSSL_CTX_trust_peer_cert(void)
#if !defined(NO_CERTS) && defined(WOLFSSL_TRUST_PEER_CERT) && \
!defined(NO_WOLFSSL_CLIENT)
WOLFSSL_CTX *ctx;
WOLFSSL* ssl;
AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
AssertNotNull(ssl = wolfSSL_new(ctx));
#if !defined(NO_FILESYSTEM)
/* invalid file */
assert(wolfSSL_CTX_trust_peer_cert(ctx, NULL,
WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS);
assert(wolfSSL_CTX_trust_peer_cert(ctx, bogusFile,
WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS);
assert(wolfSSL_CTX_trust_peer_cert(ctx, cliCertFile,
WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS);
AssertIntNE(wolfSSL_CTX_trust_peer_cert(ctx, NULL,
WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
AssertIntNE(wolfSSL_CTX_trust_peer_cert(ctx, bogusFile,
WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
AssertIntNE(wolfSSL_CTX_trust_peer_cert(ctx, cliCertFile,
WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
/* success */
assert(wolfSSL_CTX_trust_peer_cert(ctx, cliCertFile, WOLFSSL_FILETYPE_PEM)
== WOLFSSL_SUCCESS);
AssertIntEQ(wolfSSL_CTX_trust_peer_cert(ctx, cliCertFile,
WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
/* unload cert */
assert(wolfSSL_CTX_Unload_trust_peers(NULL) != WOLFSSL_SUCCESS);
assert(wolfSSL_CTX_Unload_trust_peers(ctx) == WOLFSSL_SUCCESS);
AssertIntNE(wolfSSL_CTX_Unload_trust_peers(NULL), WOLFSSL_SUCCESS);
AssertIntEQ(wolfSSL_CTX_Unload_trust_peers(ctx), WOLFSSL_SUCCESS);
/* invalid file */
AssertIntNE(wolfSSL_trust_peer_cert(ssl, NULL,
WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
AssertIntNE(wolfSSL_trust_peer_cert(ssl, bogusFile,
WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
AssertIntNE(wolfSSL_trust_peer_cert(ssl, cliCertFile,
WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
/* success */
AssertIntEQ(wolfSSL_trust_peer_cert(ssl, cliCertFile,
WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
/* unload cert */
AssertIntNE(wolfSSL_Unload_trust_peers(NULL), WOLFSSL_SUCCESS);
AssertIntEQ(wolfSSL_Unload_trust_peers(ssl), WOLFSSL_SUCCESS);
#endif
/* Test of loading certs from buffers */
/* invalid buffer */
assert(wolfSSL_CTX_trust_peer_buffer(ctx, NULL, -1,
WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS);
AssertIntNE(wolfSSL_CTX_trust_peer_buffer(ctx, NULL, -1,
WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
/* success */
#ifdef USE_CERT_BUFFERS_1024
assert(wolfSSL_CTX_trust_peer_buffer(ctx, client_cert_der_1024,
sizeof_client_cert_der_1024, WOLFSSL_FILETYPE_ASN1) == WOLFSSL_SUCCESS);
AssertIntEQ(wolfSSL_CTX_trust_peer_buffer(ctx, client_cert_der_1024,
sizeof_client_cert_der_1024, WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
#endif
#ifdef USE_CERT_BUFFERS_2048
assert(wolfSSL_CTX_trust_peer_buffer(ctx, client_cert_der_2048,
sizeof_client_cert_der_2048, WOLFSSL_FILETYPE_ASN1) == WOLFSSL_SUCCESS);
AssertIntEQ(wolfSSL_CTX_trust_peer_buffer(ctx, client_cert_der_2048,
sizeof_client_cert_der_2048, WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
#endif
/* unload cert */
assert(wolfSSL_CTX_Unload_trust_peers(NULL) != WOLFSSL_SUCCESS);
assert(wolfSSL_CTX_Unload_trust_peers(ctx) == WOLFSSL_SUCCESS);
AssertIntNE(wolfSSL_CTX_Unload_trust_peers(NULL), WOLFSSL_SUCCESS);
AssertIntEQ(wolfSSL_CTX_Unload_trust_peers(ctx), WOLFSSL_SUCCESS);
wolfSSL_free(ssl);
wolfSSL_CTX_free(ctx);
#endif
}
@ -4488,7 +4507,7 @@ static THREAD_RETURN WOLFSSL_THREAD test_server_nofail(void* args)
goto done;
}
if (cbf != NULL && !cbf->ticNoInit) {
if (cbf == NULL || !cbf->ticNoInit) {
#if defined(HAVE_SESSION_TICKET) && \
((defined(HAVE_CHACHA) && defined(HAVE_POLY1305)) || defined(HAVE_AESGCM))
#if defined(OPENSSL_EXTRA) && defined(HAVE_AES_CBC)
@ -4693,7 +4712,7 @@ done:
wc_ecc_fp_free(); /* free per thread cache */
#endif
if (cbf != NULL && !cbf->ticNoInit) {
if (cbf == NULL || !cbf->ticNoInit) {
#if defined(HAVE_SESSION_TICKET) && \
((defined(HAVE_CHACHA) && defined(HAVE_POLY1305)) || defined(HAVE_AESGCM))
#if defined(OPENSSL_EXTRA) && defined(HAVE_AES_CBC)
@ -6238,9 +6257,16 @@ static void test_wolfSSL_CTX_add_session_on_result(WOLFSSL* ssl)
if (*sess == NULL) {
AssertNotNull(*sess = wolfSSL_get1_session(ssl));
/* Now save the session in the internal store to make it available
* for lookup */
AssertIntEQ(wolfSSL_CTX_add_session(wolfSSL_get_SSL_CTX(ssl), *sess),
WOLFSSL_SUCCESS);
* for lookup. For TLS 1.3, we can't save the session without
* WOLFSSL_TICKET_HAVE_ID because there is no way to retrieve the
* session from cache. */
if (wolfSSL_is_server(ssl)
#ifndef WOLFSSL_TICKET_HAVE_ID
&& wolfSSL_version(ssl) != TLS1_3_VERSION
#endif
)
AssertIntEQ(wolfSSL_CTX_add_session(wolfSSL_get_SSL_CTX(ssl),
*sess), WOLFSSL_SUCCESS);
}
else {
/* If we have a session retrieved then remaining connections should be
@ -6292,7 +6318,10 @@ static void test_wolfSSL_CTX_add_session(void)
callback_functions client_cb;
callback_functions server_cb;
method_provider methods[][2] = {
#ifndef NO_OLD_TLS
#if !defined(NO_OLD_TLS) && ((!defined(NO_AES) && !defined(NO_AES_CBC)) || \
!defined(NO_DES3))
/* Without AES there are almost no ciphersuites available. This leads
* to no ciphersuites being available and an error. */
{ wolfTLSv1_1_client_method, wolfTLSv1_1_server_method },
#endif
#ifndef WOLFSSL_NO_TLS12
@ -50000,13 +50029,13 @@ static void test_wolfSSL_CTX_LoadCRL(void)
FAIL_T1(wolfSSL_CTX_LoadCRL, ctx, validPath, pemType, monitor);
#ifndef NO_WOLFSSL_CLIENT
#ifndef NO_WOLFSSL_CLIENT
AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
#elif !defined(NO_WOLFSSL_SERVER)
#elif !defined(NO_WOLFSSL_SERVER)
AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()));
#else
#else
return;
#endif
#endif
SUCC_T (wolfSSL_CTX_LoadCRL, ctx, validPath, pemType, monitor);
SUCC_T (wolfSSL_CTX_LoadCRL, ctx, badPath, pemType, monitor);
@ -50014,13 +50043,25 @@ static void test_wolfSSL_CTX_LoadCRL(void)
wolfSSL_CTX_free(ctx);
AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_method()));
#ifndef NO_WOLFSSL_CLIENT
AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
#elif !defined(NO_WOLFSSL_SERVER)
AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()));
#else
return;
#endif
AssertIntEQ(wolfSSL_CTX_load_verify_locations(ctx, issuerCert, NULL),
WOLFSSL_SUCCESS);
AssertIntEQ(wolfSSL_CTX_LoadCRLFile(ctx, validFilePath, pemType), WOLFSSL_SUCCESS);
wolfSSL_CTX_free(ctx);
AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_method()));
#ifndef NO_WOLFSSL_CLIENT
AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
#elif !defined(NO_WOLFSSL_SERVER)
AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()));
#else
return;
#endif
AssertIntEQ(wolfSSL_CTX_load_verify_locations(ctx, issuerCert, NULL),
WOLFSSL_SUCCESS);
AssertNotNull(ssl = wolfSSL_new(ctx));
@ -52326,8 +52367,8 @@ void ApiTest(void)
#endif
#ifdef HAVE_IO_TESTS_DEPENDENCIES
test_wolfSSL_get_finished();
#endif
test_wolfSSL_CTX_add_session();
#endif
test_SSL_CIPHER_get_xxx();
test_wolfSSL_ERR_strings();
test_wolfSSL_EVP_shake128();

4
wolfssl/internal.h
View File

@ -3314,7 +3314,9 @@ struct WOLFSSL_SESSION {
/* WARNING Do not add fields here. They will be ignored in
* wolfSSL_DupSession. */
WOLFSSL_SESSION_TYPE type;
#ifndef NO_SESSION_CACHE
int cacheRow; /* row in session cache */
#endif
int refCount; /* reference count */
#ifndef SINGLE_THREADED
wolfSSL_Mutex refMutex; /* ref count mutex */
@ -4767,7 +4769,7 @@ WOLFSSL_LOCAL int MakeMasterSecret(WOLFSSL* ssl);
WOLFSSL_LOCAL int AddSession(WOLFSSL* ssl);
WOLFSSL_LOCAL int AddSessionToCache(WOLFSSL_SESSION* addSession, const byte* id,
int* sessionIndex, int side, word16 useTicket);
byte idSz, int* sessionIndex, int side, word16 useTicket);
WOLFSSL_LOCAL int AddSessionToClientCache(int side, int row, int idx,
byte* serverID, word16 idLen, word16 useTicket);
WOLFSSL_LOCAL int DeriveKeys(WOLFSSL* ssl);

9
wolfssl/ssl.h
View File

@ -970,6 +970,8 @@ WOLFSSL_ABI WOLFSSL_API int wolfSSL_CTX_load_verify_locations(
#ifdef WOLFSSL_TRUST_PEER_CERT
WOLFSSL_API int wolfSSL_CTX_trust_peer_cert(
WOLFSSL_CTX* ctx, const char* file, int type);
WOLFSSL_API int wolfSSL_trust_peer_cert(
WOLFSSL* ssl, const char* file, int type);
#endif
WOLFSSL_ABI WOLFSSL_API int wolfSSL_CTX_use_certificate_chain_file(
WOLFSSL_CTX* ctx, const char* file);
@ -1193,7 +1195,7 @@ WOLFSSL_API int wolfSSL_set_post_handshake_auth(WOLFSSL* ssl, int val);
WOLFSSL_API void wolfSSL_SetCertCbCtx(WOLFSSL* ssl, void* ctx);
WOLFSSL_ABI WOLFSSL_API int wolfSSL_pending(const WOLFSSL* ssl);
WOLFSSL_ABI WOLFSSL_API int wolfSSL_pending(WOLFSSL* ssl);
WOLFSSL_API int wolfSSL_has_pending(const WOLFSSL* ssl);
WOLFSSL_API void wolfSSL_load_error_strings(void);
@ -1509,6 +1511,7 @@ WOLFSSL_API void wolfSSL_sk_CIPHER_free(WOLF_STACK_OF(WOLFSSL_CIPHER)* sk);
WOLFSSL_API WOLFSSL_SESSION* wolfSSL_get1_session(WOLFSSL* ssl);
WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_new(void);
WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_dup(WOLFSSL_X509* x);
#if defined(OPENSSL_EXTRA_X509_SMALL) || defined(OPENSSL_EXTRA)
WOLFSSL_API int wolfSSL_RSA_up_ref(WOLFSSL_RSA* rsa);
WOLFSSL_API int wolfSSL_X509_up_ref(WOLFSSL_X509* x509);
@ -2837,6 +2840,9 @@ WOLFSSL_API int wolfSSL_make_eap_keys(WOLFSSL* ssl, void* key, unsigned int len,
WOLFSSL_API int wolfSSL_CTX_UnloadCAs(WOLFSSL_CTX* ctx);
#ifdef WOLFSSL_TRUST_PEER_CERT
WOLFSSL_API int wolfSSL_CTX_Unload_trust_peers(WOLFSSL_CTX* ctx);
#ifdef WOLFSSL_LOCAL_X509_STORE
WOLFSSL_API int wolfSSL_Unload_trust_peers(WOLFSSL* ssl);
#endif
WOLFSSL_API int wolfSSL_CTX_trust_peer_buffer(WOLFSSL_CTX* ctx,
const unsigned char*, long, int);
#endif
@ -4011,7 +4017,6 @@ WOLFSSL_API WOLFSSL_X509_NAME_ENTRY *wolfSSL_X509_NAME_delete_entry(
WOLFSSL_API int wolfSSL_X509_NAME_cmp(const WOLFSSL_X509_NAME* x,
const WOLFSSL_X509_NAME* y);
WOLFSSL_API WOLFSSL_X509_NAME* wolfSSL_X509_NAME_new(void);
WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_dup(WOLFSSL_X509* x);
WOLFSSL_API WOLFSSL_X509_NAME* wolfSSL_X509_NAME_dup(WOLFSSL_X509_NAME* name);
WOLFSSL_API int wolfSSL_X509_NAME_copy(WOLFSSL_X509_NAME* from, WOLFSSL_X509_NAME* to);
WOLFSSL_API int wolfSSL_check_private_key(const WOLFSSL* ssl);