From 00a21b0bfa086bc5106164d9f3bc332e1d672636 Mon Sep 17 00:00:00 2001
From: Colton Willey
Date: Tue, 28 Apr 2026 13:05:44 -0700
Subject: [PATCH] Add regression tests for group-setting and shared-cipher API guards

Extend test_tls13_apis with negative-count assertions for wolfSSL_CTX_set_groups and wolfSSL_set_groups, and NULL-groups assertions for wolfSSL_CTX_set1_groups and wolfSSL_set1_groups (tests/api/test_tls13.c). Add test_wolfSSL_get_shared_ciphers covering NULL ssl, NULL buf, and zero-length inputs (tests/api/test_tls.c).
---
 tests/api/test_tls.c | 26 ++++++++++++++++++++++++++
 tests/api/test_tls.h | 4 +++-
 tests/api/test_tls13.c | 8 ++++++++
 3 files changed, 37 insertions(+), 1 deletion(-)

diff --git a/tests/api/test_tls.c b/tests/api/test_tls.c
index 9053aef376..8829822491 100644
--- a/tests/api/test_tls.c
+++ b/tests/api/test_tls.c
@@ -1354,6 +1354,32 @@ int test_wolfSSL_alert_type_string(void)
 return EXPECT_RESULT();
 }
 
+int test_wolfSSL_get_shared_ciphers(void)
+{
+ EXPECT_DECLS;
+#if !defined(WOLFSSL_NO_TLS12) && !defined(NO_TLS)
+#ifndef NO_WOLFSSL_CLIENT
+ WOLFSSL_CTX* ctx = NULL;
+ WOLFSSL* ssl = NULL;
+ char buf[32];
+
+ ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method()));
+ ExpectNotNull(ssl = wolfSSL_new(ctx));
+
+ /* NULL ssl - pre-existing guard; pins the contract. */
+ ExpectNull(wolfSSL_get_shared_ciphers(NULL, buf, sizeof(buf)));
+ /* NULL buf - primary regression case (pre-fix: XMEMCPY(NULL, ...) crash). */
+ ExpectNull(wolfSSL_get_shared_ciphers(ssl, NULL, sizeof(buf)));
+ /* len == 0 - pre-existing guard; pins the contract. */
+ ExpectNull(wolfSSL_get_shared_ciphers(ssl, buf, 0));
+
+ wolfSSL_free(ssl);
+ wolfSSL_CTX_free(ctx);
+#endif /* NO_WOLFSSL_CLIENT */
+#endif
+ return EXPECT_RESULT();
+}
+
 /* Test the TLS 1.2 peerAuthGood fail-safe checks directly on both sides.
 * The client branch sets NO_PEER_VERIFY; the server branch returns a generic
 * fatal error from TICKET_SENT before sending its Finished. */
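Review bot: The three guard assertions pin the NULL and zero cases, but nothing checks that a small positive `len` keeps the write inside `buf`, which is the bound the NULL-buf crash fix ultimately protects; `buf` is never inspected after any call. A sentinel check makes that observable without depending on the return value, e.g. `XMEMSET(buf, 0x55, sizeof(buf));`, `(void)wolfSSL_get_shared_ciphers(ssl, buf, 4);`, `ExpectIntEQ(buf[4], 0x55);` — whether the call returns NULL or a truncated list for a length of 4 is not visible here, so only the untouched tail is asserted. The bare outer `#endif` would read better as `#endif /* !WOLFSSL_NO_TLS12 && !NO_TLS */`, matching the inner one.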
diff --git a/tests/api/test_tls.h b/tests/api/test_tls.h
index 0e140af98c..dae0527cbe 100644
--- a/tests/api/test_tls.h
+++ b/tests/api/test_tls.h
@@ -43,6 +43,7 @@ int test_wolfSSL_alert_type_string(void);
 int test_wolfSSL_alert_desc_string(void);
 int test_record_size_matches_build_message(void);
 int test_record_size_cache_invalidated_on_renegotiation(void);
+int test_wolfSSL_get_shared_ciphers(void);
 
 #define TEST_TLS_DECLS \
 TEST_DECL_GROUP("tls", test_utils_memio_move_message), \
@@ -67,6 +68,7 @@ int test_record_size_cache_invalidated_on_renegotiation(void);
 TEST_DECL_GROUP("tls", test_tls12_peerauth_failsafe), \
 TEST_DECL_GROUP("tls", test_record_size_matches_build_message), \
 TEST_DECL_GROUP("tls", \
- test_record_size_cache_invalidated_on_renegotiation)
+ test_record_size_cache_invalidated_on_renegotiation), \
+ TEST_DECL_GROUP("tls", test_wolfSSL_get_shared_ciphers)
 
 #endif /* TESTS_API_TEST_TLS_H */
diff --git a/tests/api/test_tls13.c b/tests/api/test_tls13.c
index f9deabd573..4f3362609f 100644
--- a/tests/api/test_tls13.c
+++ b/tests/api/test_tls13.c
@@ -590,6 +590,8 @@ int test_tls13_apis(void)
 #endif
 ExpectIntEQ(wolfSSL_CTX_set_groups(clientCtx, groups,
 WOLFSSL_MAX_GROUP_COUNT + 1), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+ ExpectIntEQ(wolfSSL_CTX_set_groups(clientCtx, groups, -1),
+ WC_NO_ERR_TRACE(BAD_FUNC_ARG));
 ExpectIntEQ(wolfSSL_CTX_set_groups(clientCtx, groups, numGroups),
 WOLFSSL_SUCCESS);
 ExpectIntEQ(wolfSSL_CTX_set_groups(clientCtx, bad_groups, numGroups),
@@ -617,6 +619,8 @@ int test_tls13_apis(void)
 #endif
 ExpectIntEQ(wolfSSL_set_groups(clientSsl, groups,
 WOLFSSL_MAX_GROUP_COUNT + 1), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+ ExpectIntEQ(wolfSSL_set_groups(clientSsl, groups, -1),
+ WC_NO_ERR_TRACE(BAD_FUNC_ARG));
 ExpectIntEQ(wolfSSL_set_groups(clientSsl, groups, numGroups),
 WOLFSSL_SUCCESS);
 ExpectIntEQ(wolfSSL_set_groups(clientSsl, bad_groups, numGroups),
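Review bot: `wolfSSL_CTX_set_groups(clientCtx, groups, -1)` pins one negative count, but `count == 0`, the boundary between the rejected -1 and the accepted numGroups, is not asserted in either direction, and a NULL `groups` with a positive count is not covered here even though the commit adds exactly that case for the set1 variants later in the file. If the NULL case is already exercised above this hunk it can be skipped; otherwise `ExpectIntEQ(wolfSSL_CTX_set_groups(clientCtx, NULL, numGroups), WC_NO_ERR_TRACE(BAD_FUNC_ARG));` would complete the guard set, and whether 0 is a valid clear-the-list count or rejected is not visible in the hunk, so pin whichever the API documents. The same applies to the `@@ -617` hunk for wolfSSL_set_groups, with `clientSsl`. test_tls13_apis starts and ends outside both hunks.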
@@ -648,6 +652,10 @@ int test_tls13_apis(void)
 WOLFSSL_MAX_GROUP_COUNT + 1), WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
 ExpectIntEQ(wolfSSL_set1_groups(clientSsl, too_many_groups,
 WOLFSSL_MAX_GROUP_COUNT + 1), WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
+ ExpectIntEQ(wolfSSL_CTX_set1_groups(clientCtx, NULL, 1),
+ WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
+ ExpectIntEQ(wolfSSL_set1_groups(clientSsl, NULL, 1),
+ WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
 #endif
 #ifndef NO_WOLFSSL_CLIENT
 #ifndef WOLFSSL_NO_TLS12
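Review bot: Both new assertions expect the same generic `WOLFSSL_FAILURE` as the `too_many_groups` cases directly above them, so nothing in the test distinguishes the pointer guard firing from the count bound; a comment over the pair, e.g. `/* NULL groups with an in-range count: exercises the pointer guard, not the count bound */`, records which check each assertion is meant to pin. A NULL pointer with count 0 is the combination a count-first loop would pass without ever touching the pointer, so pinning `(NULL, 0)` as well, with whichever result the API defines for an empty list, would document that the pointer is validated independently of the count; that expected value is not visible in this hunk. test_tls13_apis continues on both sides of the hunk.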