ssl.c: Move functions out to own files and add testing

ssl_api_pk.c: added Public-key APIs (min/max key sizes, DH key test,
signature NIDs, tmp ecdh). Reworked code of new functions.
ssl_api_cert.c: added more SSL Certificate APIs. Reworked code of new
functions.
ssl_api_ext.c: TLS extension APIs (session tickets, max fragment,
groups, etc.). Reworked code.
ssl_api_dtls.c: DTLS APIs (cookie secret, etc.)

Improved test coverage for functions moved.
This commit is contained in:
Sean Parkinson
2026-06-04 10:40:51 +10:00
parent 4f09916e7e
commit 359e688dc3
17 changed files with 8980 additions and 4121 deletions
+3
@@ -2945,6 +2945,9 @@ if(WOLFSSL_EXAMPLES)
tests/api/test_lms_xmss.c
tests/api/test_dtls.c
tests/api/test_dtls13.c
tests/api/test_ssl_cert.c
tests/api/test_ssl_pk.c
tests/api/test_ssl_ext.c
tests/api/test_ocsp.c
tests/api/test_evp.c
tests/api/test_tls_ext.c
+2
@@ -21,6 +21,8 @@ EXTRA_DIST += src/pk_rsa.c
EXTRA_DIST += src/pk_ec.c
EXTRA_DIST += src/ssl_api_cert.c
EXTRA_DIST += src/ssl_api_crl_ocsp.c
EXTRA_DIST += src/ssl_api_dtls.c
EXTRA_DIST += src/ssl_api_ext.c
EXTRA_DIST += src/ssl_api_pk.c
EXTRA_DIST += src/ssl_asn1.c
EXTRA_DIST += src/ssl_bn.c
+14 -4096
+772 -15
@@ -42,6 +42,7 @@ int wolfSSL_CTX_mutual_auth(WOLFSSL_CTX* ctx, int req)
{
if (ctx == NULL)
return BAD_FUNC_ARG;
/* Mutual authentication is a server-side only setting. */
if (ctx->method->side != WOLFSSL_SERVER_END)
return SIDE_ERROR;
@@ -63,6 +64,7 @@ int wolfSSL_mutual_auth(WOLFSSL* ssl, int req)
{
if (ssl == NULL)
return BAD_FUNC_ARG;
/* Mutual authentication is a server-side only setting. */
if (ssl->options.side != WOLFSSL_SERVER_END)
return SIDE_ERROR;
@@ -81,7 +83,8 @@ WOLFSSL_CERT_MANAGER* wolfSSL_CTX_GetCertManager(WOLFSSL_CTX* ctx)
{
WOLFSSL_CERT_MANAGER* cm = NULL;
if (ctx)
/* The certificate manager is owned by the context. */
if (ctx != NULL)
cm = ctx->cm;
return cm;
@@ -98,6 +101,7 @@ void wolfSSL_CTX_set_verify_depth(WOLFSSL_CTX *ctx, int depth)
{
WOLFSSL_ENTER("wolfSSL_CTX_set_verify_depth");
/* Reject out-of-range depths; valid range is 0 to MAX_CHAIN_DEPTH. */
if ((ctx == NULL) || (depth < 0) || (depth > MAX_CHAIN_DEPTH)) {
WOLFSSL_MSG("Bad depth argument, too large or less than 0");
}
@@ -121,6 +125,8 @@ long wolfSSL_CTX_get_verify_depth(WOLFSSL_CTX* ctx)
ret = BAD_FUNC_ARG;
}
else {
/* A configurable depth is only tracked with the OpenSSL extra APIs;
* otherwise the fixed maximum chain depth applies. */
#ifndef OPENSSL_EXTRA
ret = MAX_CHAIN_DEPTH;
#else
@@ -145,6 +151,8 @@ long wolfSSL_get_verify_depth(WOLFSSL* ssl)
ret = BAD_FUNC_ARG;
}
else {
/* A configurable depth is only tracked with the OpenSSL extra APIs;
* otherwise the fixed maximum chain depth applies. */
#ifndef OPENSSL_EXTRA
ret = MAX_CHAIN_DEPTH;
#else
@@ -168,7 +176,7 @@ long wolfSSL_get_verify_depth(WOLFSSL* ssl)
static int isArrayUnique(const char* buf, size_t len)
{
size_t i;
/* check the array is unique */
/* Check the array is unique. */
for (i = 0; i < len - 1; ++i) {
size_t j;
for (j = i + 1; j < len; ++j) {
@@ -260,6 +268,7 @@ int wolfSSL_CTX_set_client_cert_type(WOLFSSL_CTX* ctx, const char* buf, int len)
ret = BAD_FUNC_ARG;
}
else {
/* A side value of 1 records these as the client certificate types. */
ret = set_cert_type(&ctx->rpkConfig, 1, buf, len);
}
@@ -284,6 +293,7 @@ int wolfSSL_CTX_set_server_cert_type(WOLFSSL_CTX* ctx, const char* buf, int len)
ret = BAD_FUNC_ARG;
}
else {
/* A side value of 0 records these as the server certificate types. */
ret = set_cert_type(&ctx->rpkConfig, 0, buf, len);
}
@@ -308,6 +318,7 @@ int wolfSSL_set_client_cert_type(WOLFSSL* ssl, const char* buf, int len)
ret = BAD_FUNC_ARG;
}
else {
/* A side value of 1 records these as the client certificate types. */
ret = set_cert_type(&ssl->options.rpkConfig, 1, buf, len);
}
@@ -332,6 +343,7 @@ int wolfSSL_set_server_cert_type(WOLFSSL* ssl, const char* buf, int len)
ret = BAD_FUNC_ARG;
}
else {
/* A side value of 0 records these as the server certificate types. */
ret = set_cert_type(&ssl->options.rpkConfig, 0, buf, len);
}
@@ -627,7 +639,7 @@ int wolfSSL_verify_client_post_handshake(WOLFSSL* ssl)
ret = wolfSSL_request_certificate(ssl);
if (ret != 1) {
/* Special logging for wrong protocol version. */
if ((ssl != NULL) && !IsAtLeastTLSv1_3(ssl->version)) {
if ((ssl != NULL) && (!IsAtLeastTLSv1_3(ssl->version))) {
WOLFSSL_ERROR(UNSUPPORTED_PROTO_VERSION);
}
else {
@@ -851,7 +863,7 @@ int wolfSSL_UnloadCertsKeys(WOLFSSL* ssl)
ret = BAD_FUNC_ARG;
}
else {
if (ssl->buffers.weOwnCert && !ssl->keepCert) {
if (ssl->buffers.weOwnCert && (!ssl->keepCert)) {
WOLFSSL_MSG("Unloading cert");
FreeDer(&ssl->buffers.certificate);
#ifdef KEEP_OUR_CERT
@@ -869,7 +881,7 @@ int wolfSSL_UnloadCertsKeys(WOLFSSL* ssl)
if (ssl->buffers.weOwnKey) {
WOLFSSL_MSG("Unloading key");
if (ssl->buffers.key != NULL && ssl->buffers.key->buffer != NULL)
if ((ssl->buffers.key != NULL) && (ssl->buffers.key->buffer != NULL))
ForceZero(ssl->buffers.key->buffer, ssl->buffers.key->length);
FreeDer(&ssl->buffers.key);
#ifdef WOLFSSL_BLIND_PRIVATE_KEY
@@ -881,8 +893,8 @@ int wolfSSL_UnloadCertsKeys(WOLFSSL* ssl)
#ifdef WOLFSSL_DUAL_ALG_CERTS
if (ssl->buffers.weOwnAltKey) {
WOLFSSL_MSG("Unloading alt key");
if (ssl->buffers.altKey != NULL &&
ssl->buffers.altKey->buffer != NULL) {
if ((ssl->buffers.altKey != NULL) &&
(ssl->buffers.altKey->buffer != NULL)) {
ForceZero(ssl->buffers.altKey->buffer,
ssl->buffers.altKey->length);
}
@@ -1028,11 +1040,13 @@ static int add_to_ca_names_list(WOLFSSL_STACK* ca_names, WOLFSSL_X509* x509)
int ret = 1;
WOLFSSL_X509_NAME *nameCopy = NULL;
/* The list owns its names, so push a copy of the subject name. */
nameCopy = wolfSSL_X509_NAME_dup(wolfSSL_X509_get_subject_name(x509));
if (nameCopy == NULL) {
WOLFSSL_MSG("wolfSSL_X509_NAME_dup error");
ret = 0;
}
/* On push failure the copy is not owned by the list - free it here. */
else if (wolfSSL_sk_X509_NAME_push(ca_names, nameCopy) <= 0) {
WOLFSSL_MSG("wolfSSL_sk_X509_NAME_push error");
wolfSSL_X509_NAME_free(nameCopy);
@@ -1435,7 +1449,7 @@ WOLF_STACK_OF(WOLFSSL_X509_NAME)* wolfSSL_load_client_CA_file(const char* fname)
}
/* Read each certificate in the chain out of the file. */
while (!err && wolfSSL_PEM_read_bio_X509(bio, &cert, NULL, NULL) != NULL) {
while ((!err) && (wolfSSL_PEM_read_bio_X509(bio, &cert, NULL, NULL) != NULL)) {
WOLFSSL_X509_NAME *nameCopy;
/* Need a persistent copy of the subject name. */
@@ -1730,15 +1744,15 @@ WOLFSSL_X509* wolfSSL_get_certificate(WOLFSSL* ssl)
* a new X509. This maintains pointer compatibility with
* applications (like nginx OCSP stapling) that use the X509 pointer
* from SSL_CTX_use_certificate as a lookup key. */
if (ssl->ctx != NULL && ssl->ctx->ourCert != NULL) {
if ((ssl->ctx != NULL) && (ssl->ctx->ourCert != NULL)) {
/* Compare cert buffers to make sure they are the same */
if (ssl->buffers.certificate == NULL ||
ssl->buffers.certificate->buffer == NULL ||
(ssl->buffers.certificate->length ==
ssl->ctx->certificate->length &&
XMEMCMP(ssl->buffers.certificate->buffer,
if ((ssl->buffers.certificate == NULL) ||
(ssl->buffers.certificate->buffer == NULL) ||
((ssl->buffers.certificate->length ==
ssl->ctx->certificate->length) &&
(XMEMCMP(ssl->buffers.certificate->buffer,
ssl->ctx->certificate->buffer,
ssl->buffers.certificate->length) == 0)) {
ssl->buffers.certificate->length) == 0))) {
return ssl->ctx->ourCert;
}
}
@@ -1769,4 +1783,747 @@ WOLFSSL_X509* wolfSSL_get_certificate(WOLFSSL* ssl)
#endif /* !NO_CERTS */
#ifndef WOLFCRYPT_ONLY
#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)
/* Get the index at which the object is stored in an X509 store context's
* external data.
*
* @return Index of the SSL/TLS object (0).
*/
int wolfSSL_get_ex_data_X509_STORE_CTX_idx(void)
{
WOLFSSL_ENTER("wolfSSL_get_ex_data_X509_STORE_CTX_idx");
/* store SSL at index 0 */
return 0;
}
#endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \
defined(OPENSSL_ALL)
/* Get the result of peer certificate verification.
*
* @param [in] ssl SSL/TLS object.
* @return Verification result code on success.
* @return WOLFSSL_X509_V_ERR_APPLICATION_VERIFICATION when ssl is NULL.
*/
long wolfSSL_get_verify_result(const WOLFSSL *ssl)
{
long ret;
if (ssl == NULL) {
/* Return a non-zero error so the OpenSSL-idiomatic
* "!= X509_V_OK" check does not mistake a NULL ssl for a
* successful verification (X509_V_OK is 0). */
ret = WOLFSSL_X509_V_ERR_APPLICATION_VERIFICATION;
}
else {
/* Result of verifying the peer's certificate chain. */
ret = (long)ssl->peerVerifyRet;
}
return ret;
}
#endif
#if defined(OPENSSL_EXTRA) && defined(KEEP_PEER_CERT) && \
defined(HAVE_EX_DATA) && !defined(NO_FILESYSTEM)
/* Compare the peer's certificate against a PEM certificate file.
*
* @param [in] ssl SSL/TLS object.
* @param [in] fname Path to a PEM certificate file.
* @return 0 when the certificates match.
* @return WOLFSSL_FATAL_ERROR when arguments are NULL or they do not match.
* @return WOLFSSL_BAD_FILE when the file cannot be read.
*/
int wolfSSL_cmp_peer_cert_to_file(WOLFSSL* ssl, const char *fname)
{
int ret;
WOLFSSL_ENTER("wolfSSL_cmp_peer_cert_to_file");
if ((ssl == NULL) || (fname == NULL)) {
ret = WOLFSSL_FATAL_ERROR;
}
else {
#ifdef WOLFSSL_SMALL_STACK
byte staticBuffer[1]; /* force heap usage */
#else
byte staticBuffer[FILE_BUFFER_SIZE];
#endif
byte* myBuf = staticBuffer;
XFILE file;
long sz = 0;
void* heap = ssl->ctx->heap;
WOLFSSL_X509* peer_cert = &ssl->peerCert;
DerBuffer* fileDer = NULL;
/* Open the file and determine its size. From here, ret == 0
* indicates processing is still on track. */
file = XFOPEN(fname, "rb");
ret = wolfssl_file_len(file, &sz);
/* Use a heap buffer when the file is bigger than the stack buffer. */
if ((ret == 0) && (sz > (long)sizeof(staticBuffer))) {
WOLFSSL_MSG("Getting dynamic buffer");
myBuf = (byte*)XMALLOC((size_t)sz, heap, DYNAMIC_TYPE_FILE);
if (myBuf == NULL) {
ret = WOLFSSL_FATAL_ERROR;
}
}
/* Read the whole file into the buffer. */
if ((ret == 0) && (XFREAD(myBuf, 1, (size_t)sz, file) != (size_t)sz)) {
ret = WOLFSSL_FATAL_ERROR;
}
/* Convert the PEM file contents to DER. */
if ((ret == 0) && (PemToDer(myBuf, sz, CERT_TYPE, &fileDer, heap, NULL,
NULL) != 0)) {
ret = WOLFSSL_FATAL_ERROR;
}
/* Peer certificate matches when the DER lengths and bytes are equal. */
if ((ret == 0) && ((fileDer->length == 0) ||
(fileDer->length != peer_cert->derCert->length) ||
(XMEMCMP(peer_cert->derCert->buffer, fileDer->buffer,
fileDer->length) != 0))) {
ret = WOLFSSL_FATAL_ERROR;
}
/* Dispose of the DER, any heap buffer and close the file. */
FreeDer(&fileDer);
if (myBuf != staticBuffer) {
XFREE(myBuf, heap, DYNAMIC_TYPE_FILE);
}
if (file != XBADFILE) {
XFCLOSE(file);
}
}
return ret;
}
#endif
#ifdef WOLFSSL_ALT_CERT_CHAINS
/* Determine whether the peer was verified using an alternate cert chain.
*
* @param [in] ssl SSL/TLS object.
* @return 1 when an alternate certificate chain was used.
* @return 0 otherwise, or when ssl is NULL.
*/
int wolfSSL_is_peer_alt_cert_chain(const WOLFSSL* ssl)
{
return (ssl != NULL) && ssl->options.usingAltCertChain;
}
#endif /* WOLFSSL_ALT_CERT_CHAINS */
#ifdef SESSION_CERTS
#ifdef WOLFSSL_ALT_CERT_CHAINS
/* Get the peer's alternate certificate chain.
*
* @param [in] ssl SSL/TLS object.
* @return Alternate certificate chain on success.
* @return NULL when ssl is NULL.
*/
WOLFSSL_X509_CHAIN* wolfSSL_get_peer_alt_chain(WOLFSSL* ssl)
{
WOLFSSL_X509_CHAIN* chain = NULL;
WOLFSSL_ENTER("wolfSSL_get_peer_alt_chain");
if (ssl != NULL) {
/* The alternate chain is held within the session. */
chain = &ssl->session->altChain;
}
return chain;
}
#endif /* WOLFSSL_ALT_CERT_CHAINS */
/* Get the peer's certificate chain.
*
* @param [in] ssl SSL/TLS object.
* @return Certificate chain on success.
* @return NULL when ssl is NULL.
*/
WOLFSSL_X509_CHAIN* wolfSSL_get_peer_chain(WOLFSSL* ssl)
{
WOLFSSL_X509_CHAIN* chain = NULL;
WOLFSSL_ENTER("wolfSSL_get_peer_chain");
if (ssl != NULL) {
/* The peer chain is held within the session. */
chain = &ssl->session->chain;
}
return chain;
}
/* Get the number of certificates in a certificate chain.
*
* @param [in] chain Certificate chain object.
* @return Number of certificates on success.
* @return 0 when chain is NULL.
*/
int wolfSSL_get_chain_count(WOLFSSL_X509_CHAIN* chain)
{
int count = 0;
WOLFSSL_ENTER("wolfSSL_get_chain_count");
if (chain != NULL) {
/* Number of certificates captured in the chain. */
count = chain->count;
}
return count;
}
/* Get the length, in bytes, of the DER certificate at an index in a chain.
*
* @param [in] chain Certificate chain object.
* @param [in] idx Index of the certificate in the chain.
* @return Length of the DER certificate in bytes on success.
* @return 0 when chain is NULL.
*/
int wolfSSL_get_chain_length(WOLFSSL_X509_CHAIN* chain, int idx)
{
int length = 0;
WOLFSSL_ENTER("wolfSSL_get_chain_length");
if (chain != NULL) {
/* DER length of the certificate stored at the given index. */
length = chain->certs[idx].length;
}
return length;
}
/* Get the DER certificate at an index in a certificate chain.
*
* @param [in] chain Certificate chain object.
* @param [in] idx Index of the certificate in the chain.
* @return Buffer holding the DER certificate on success.
* @return 0 when chain is NULL.
*/
byte* wolfSSL_get_chain_cert(WOLFSSL_X509_CHAIN* chain, int idx)
{
byte* cert = NULL;
WOLFSSL_ENTER("wolfSSL_get_chain_cert");
if (chain != NULL) {
/* DER buffer of the certificate stored at the given index. */
cert = chain->certs[idx].buffer;
}
return cert;
}
/* Decode DER certificate data into a WOLFSSL_X509 object. Defined in
* src/ssl.c. */
static int DecodeToX509(WOLFSSL_X509* x509, const byte* in, int len);
/* Get the certificate at an index in a chain as a new X509 object.
*
* The returned object must be freed by the caller with wolfSSL_X509_free().
*
* @param [in] chain Certificate chain object.
* @param [in] idx Index of the certificate in the chain.
* @return Newly allocated X509 certificate object on success.
* @return NULL when chain is NULL, idx is out of range or on error.
*/
WOLFSSL_X509* wolfSSL_get_chain_X509(WOLFSSL_X509_CHAIN* chain, int idx)
{
WOLFSSL_X509* x509 = NULL;
WOLFSSL_ENTER("wolfSSL_get_chain_X509");
if ((chain != NULL) && (idx < MAX_CHAIN_DEPTH)) {
x509 = (WOLFSSL_X509*)XMALLOC(sizeof(WOLFSSL_X509), NULL,
DYNAMIC_TYPE_X509);
if (x509 == NULL) {
WOLFSSL_MSG("Failed alloc X509");
}
else {
/* Pre-init with dynamicMemory=1 so DecodeToX509 skips its own
* InitX509 (and we still own the buffer for X509_free). */
InitX509(x509, 1, NULL);
if (DecodeToX509(x509, chain->certs[idx].buffer,
chain->certs[idx].length) != 0) {
WOLFSSL_MSG("Failed to decode cert");
wolfSSL_X509_free(x509);
x509 = NULL;
}
}
}
return x509;
}
/* Get the certificate at an index in a chain as PEM.
*
* When buf is NULL, the length required is returned in outLen.
*
* @param [in] chain Certificate chain object.
* @param [in] idx Index of the certificate in the chain.
* @param [out] buf Buffer to hold PEM. May be NULL to get the length.
* @param [in] inLen Length of buffer in bytes.
* @param [out] outLen Length of PEM data in bytes.
* @return WOLFSSL_SUCCESS on success.
* @return LENGTH_ONLY_E when buf is NULL and outLen has been set.
* @return BAD_FUNC_ARG when a required argument is NULL or idx is invalid.
* @return WOLFSSL_FAILURE on error.
*/
int wolfSSL_get_chain_cert_pem(WOLFSSL_X509_CHAIN* chain, int idx,
unsigned char* buf, int inLen, int* outLen)
{
#ifdef WOLFSSL_DER_TO_PEM
int ret = WOLFSSL_SUCCESS;
WOLFSSL_ENTER("wolfSSL_get_chain_cert_pem");
if ((chain == NULL) || (outLen == NULL) || (idx < 0) ||
(idx >= wolfSSL_get_chain_count(chain))) {
ret = BAD_FUNC_ARG;
}
/* Delegate to wc_DerToPem when DER-to-PEM is available. */
if (ret == WOLFSSL_SUCCESS) {
if (buf == NULL) {
inLen = 0;
}
else if (inLen < 0) {
ret = BAD_FUNC_ARG;
}
}
if (ret == WOLFSSL_SUCCESS) {
int n = wc_DerToPem(chain->certs[idx].buffer,
(word32)chain->certs[idx].length, buf, (word32)inLen, CERT_TYPE);
if (n < 0) {
if (buf == NULL) {
ret = WOLFSSL_FAILURE;
}
else {
ret = n;
}
}
else {
*outLen = n;
if (buf == NULL) {
ret = WC_NO_ERR_TRACE(LENGTH_ONLY_E);
}
}
}
return ret;
#elif defined(WOLFSSL_PEM_TO_DER)
int ret = WOLFSSL_SUCCESS;
const char* header = NULL;
const char* footer = NULL;
int headerLen;
int footerLen;
int i;
int err;
WOLFSSL_ENTER("wolfSSL_get_chain_cert_pem");
if ((chain == NULL) || (outLen == NULL) || (idx < 0) ||
(idx >= wolfSSL_get_chain_count(chain))) {
ret = BAD_FUNC_ARG;
}
if (ret == WOLFSSL_SUCCESS) {
if ((err = wc_PemGetHeaderFooter(CERT_TYPE, &header, &footer)) != 0) {
ret = err;
}
}
if (ret == WOLFSSL_SUCCESS) {
headerLen = (int)XSTRLEN(header);
footerLen = (int)XSTRLEN(footer);
/* Null output buffer returns size needed in outLen. */
if (buf == NULL) {
word32 szNeeded = 0;
if (Base64_Encode(chain->certs[idx].buffer,
(word32)chain->certs[idx].length, NULL,
&szNeeded) != WC_NO_ERR_TRACE(LENGTH_ONLY_E)) {
ret = WOLFSSL_FAILURE;
}
else {
*outLen = (int)szNeeded + headerLen + footerLen;
ret = WC_NO_ERR_TRACE(LENGTH_ONLY_E);
}
}
/* buf == NULL, ret will not be WOLFSSL_SUCCESS. */
}
/* Don't even try when inLen is too short. */
if ((ret == WOLFSSL_SUCCESS) &&
(inLen < headerLen + footerLen + chain->certs[idx].length)) {
ret = BAD_FUNC_ARG;
}
if (ret == WOLFSSL_SUCCESS) {
/* Write the PEM header. */
XMEMCPY(buf, header, (size_t)headerLen);
i = headerLen;
/* Space left for Base64 data after header and before footer. */
*outLen = inLen - headerLen - footerLen;
if ((err = Base64_Encode(chain->certs[idx].buffer,
(word32)chain->certs[idx].length, buf + i,
(word32*)outLen)) < 0) {
ret = err;
}
}
if (ret == WOLFSSL_SUCCESS) {
i += *outLen;
/* Write the PEM footer. */
XMEMCPY(buf + i, footer, (size_t)footerLen);
*outLen += headerLen + footerLen;
}
return ret;
#else
(void)chain;
(void)idx;
(void)buf;
(void)inLen;
(void)outLen;
return WOLFSSL_FAILURE;
#endif /* WOLFSSL_PEM_TO_DER || WOLFSSL_DER_TO_PEM */
}
#endif /* SESSION_CERTS */
#if defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO) || defined(WOLFSSL_HAPROXY) \
|| defined(WOLFSSL_NGINX) || defined(WOLFSSL_QT)
#ifndef NO_WOLFSSL_STUB
/* Clear the extra certificate chain set on the context.
*
* Not implemented - stub for OpenSSL compatibility.
*
* @param [in] ctx SSL/TLS context object.
* @return Result of the SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS control command.
*/
long wolfSSL_CTX_clear_extra_chain_certs(WOLFSSL_CTX* ctx)
{
return wolfSSL_CTX_ctrl(ctx, SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS, 0L, NULL);
}
#endif
/* Get the verify callback set on the object.
*
* @param [in] ssl SSL/TLS object.
* @return Verify callback on success.
* @return NULL when ssl is NULL or no callback is set.
*/
VerifyCallback wolfSSL_get_verify_callback(WOLFSSL* ssl)
{
VerifyCallback cb = NULL;
WOLFSSL_ENTER("wolfSSL_get_verify_callback");
if (ssl != NULL) {
/* Verify callback configured on the object. */
cb = ssl->verifyCallback;
}
return cb;
}
#endif
#if defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA)
/* Get the verify callback set on the context.
*
* @param [in] ctx SSL/TLS context object.
* @return Verify callback on success.
* @return NULL when ctx is NULL or no callback is set.
*/
VerifyCallback wolfSSL_CTX_get_verify_callback(WOLFSSL_CTX* ctx)
{
VerifyCallback cb = NULL;
WOLFSSL_ENTER("wolfSSL_CTX_get_verify_callback");
if (ctx != NULL) {
/* Verify callback configured on the context. */
cb = ctx->verifyCallback;
}
return cb;
}
#endif
#if defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA) || defined(HAVE_STUNNEL) || \
defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(WOLFSSL_NGINX)
/* Get the verification mode set on the object.
*
* TODO: Doesn't currently track SSL_VERIFY_CLIENT_ONCE.
*
* @param [in] ssl SSL/TLS object.
* @return Bitmask of WOLFSSL_VERIFY_* flags on success.
* @return WOLFSSL_FAILURE when ssl is NULL.
*/
int wolfSSL_get_verify_mode(const WOLFSSL* ssl)
{
int mode = 0;
WOLFSSL_ENTER("wolfSSL_get_verify_mode");
if (ssl == NULL) {
mode = WOLFSSL_FAILURE;
}
else if (ssl->options.verifyNone) {
/* VERIFY_NONE is exclusive of the other verify flags. */
mode = WOLFSSL_VERIFY_NONE;
}
else {
/* Build the mode as a bitmask of the enabled verify flags. */
if (ssl->options.verifyPeer) {
mode |= WOLFSSL_VERIFY_PEER;
}
if (ssl->options.failNoCert) {
mode |= WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT;
}
if (ssl->options.failNoCertxPSK) {
mode |= WOLFSSL_VERIFY_FAIL_EXCEPT_PSK;
}
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
if (ssl->options.verifyPostHandshake) {
mode |= WOLFSSL_VERIFY_POST_HANDSHAKE;
}
#endif
}
WOLFSSL_LEAVE("wolfSSL_get_verify_mode", mode);
return mode;
}
/* Get the verification mode set on the context.
*
* @param [in] ctx SSL/TLS context object.
* @return Bitmask of WOLFSSL_VERIFY_* flags on success.
* @return WOLFSSL_FAILURE when ctx is NULL.
*/
int wolfSSL_CTX_get_verify_mode(const WOLFSSL_CTX* ctx)
{
int mode = 0;
WOLFSSL_ENTER("wolfSSL_CTX_get_verify_mode");
if (ctx == NULL) {
mode = WOLFSSL_FAILURE;
}
else if (ctx->verifyNone) {
/* VERIFY_NONE is exclusive of the other verify flags. */
mode = WOLFSSL_VERIFY_NONE;
}
else {
/* Build the mode as a bitmask of the enabled verify flags. */
if (ctx->verifyPeer) {
mode |= WOLFSSL_VERIFY_PEER;
}
if (ctx->failNoCert) {
mode |= WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT;
}
if (ctx->failNoCertxPSK) {
mode |= WOLFSSL_VERIFY_FAIL_EXCEPT_PSK;
}
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
if (ctx->verifyPostHandshake) {
mode |= WOLFSSL_VERIFY_POST_HANDSHAKE;
}
#endif
}
WOLFSSL_LEAVE("wolfSSL_CTX_get_verify_mode", mode);
return mode;
}
#endif
#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || \
defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)
/* Create a stack of X509 certificates from a DER encoded certificate chain.
*
* The chain buffer holds each certificate as: 3 byte length | X509 DER data.
*
* @param [in] der DER encoded certificate chain.
* @param [in] derLen Length of certificate chain buffer in bytes.
* @param [in] heap Dynamic memory hint.
* @param [out] chain Stack of X509 certificates. Holds as much of the
* chain as was created on failure.
* @return WOLFSSL_SUCCESS on success.
* @return WOLFSSL_FAILURE on allocation or decode error.
*/
static int wolfssl_certchain_to_x509_stack(byte* der, word32 derLen,
void* heap, WOLF_STACK_OF(X509)** chain)
{
int ret = WOLFSSL_SUCCESS;
word32 idx;
word32 length;
WOLFSSL_STACK* node;
WOLFSSL_STACK* last = NULL;
/* Create a new stack of WOLFSSL_X509 object from chain buffer. */
for (idx = 0; idx < derLen; ) {
/* Need 3 bytes for the length of the DER encoded certificate. */
if ((derLen - idx) < 3) {
ret = WOLFSSL_FAILURE;
break;
}
/* Format: 3 byte length | X509 DER data. */
ato24(der + idx, &length);
idx += 3;
/* Ensure the DER encoded certificate is contained in the buffer. */
if (length > (derLen - idx)) {
ret = WOLFSSL_FAILURE;
break;
}
node = wolfSSL_sk_X509_new_null();
if (node == NULL) {
ret = WOLFSSL_FAILURE;
break;
}
node->next = NULL;
/* Create a new X509 from DER encoded data. */
node->data.x509 = wolfSSL_X509_d2i_ex(NULL, der + idx, (int)length,
heap);
if (node->data.x509 == NULL) {
XFREE(node, NULL, DYNAMIC_TYPE_OPENSSL);
/* Return as much of the chain as we created. */
ret = WOLFSSL_FAILURE;
break;
}
idx += length;
/* Add object to the end of the stack. */
if (last == NULL) {
node->num = 1;
*chain = node;
}
else {
(*chain)->num++;
last->next = node;
}
last = node;
}
return ret;
}
/* Get the extra certificate chain set on the context as a stack of X509.
*
* Builds the stack from the context's certificate chain buffer when needed.
*
* @param [in] ctx SSL/TLS context object.
* @param [out] chain Stack of X509 certificates.
* @return WOLFSSL_SUCCESS on success.
* @return WOLFSSL_FAILURE when ctx or chain is NULL, or on allocation error.
*/
int wolfSSL_CTX_get_extra_chain_certs(WOLFSSL_CTX* ctx,
WOLF_STACK_OF(X509)** chain)
{
int ret = WOLFSSL_SUCCESS;
if ((ctx == NULL) || (chain == NULL)) {
ret = WOLFSSL_FAILURE;
}
else if (ctx->x509Chain != NULL) {
*chain = ctx->x509Chain;
}
else {
/* If there are no chains then success! */
*chain = NULL;
if ((ctx->certChain != NULL) && (ctx->certChain->length != 0)) {
/* Build a stack of X509 from the DER certificate chain buffer. */
ret = wolfssl_certchain_to_x509_stack(ctx->certChain->buffer,
ctx->certChain->length, ctx->heap, chain);
/* Cache the chain - holds as much as was created on failure. */
ctx->x509Chain = *chain;
}
}
return ret;
}
/* Get the certificate chain set on the context.
*
* @param [in] ctx SSL/TLS context object.
* @param [out] sk Stack of X509 certificates.
* @return WOLFSSL_SUCCESS on success.
* @return WOLFSSL_FAILURE when ctx or sk is NULL.
*/
int wolfSSL_CTX_get0_chain_certs(WOLFSSL_CTX *ctx,
WOLF_STACK_OF(WOLFSSL_X509) **sk)
{
int ret;
WOLFSSL_ENTER("wolfSSL_CTX_get0_chain_certs");
if ((ctx == NULL) || (sk == NULL)) {
WOLFSSL_MSG("Bad parameter");
ret = WOLFSSL_FAILURE;
}
else {
/* This function should return ctx->x509Chain if it is populated,
* otherwise it should be populated from ctx->certChain. This matches
* the behavior of wolfSSL_CTX_get_extra_chain_certs, so it is used
* directly. */
ret = wolfSSL_CTX_get_extra_chain_certs(ctx, sk);
}
return ret;
}
#ifdef KEEP_OUR_CERT
/* Get our certificate chain set on the object.
*
* @param [in] ssl SSL/TLS object.
* @param [out] sk Stack of X509 certificates.
* @return WOLFSSL_SUCCESS on success.
* @return WOLFSSL_FAILURE when ssl or sk is NULL.
*/
int wolfSSL_get0_chain_certs(WOLFSSL *ssl, WOLF_STACK_OF(WOLFSSL_X509) **sk)
{
int ret = WOLFSSL_SUCCESS;
WOLFSSL_ENTER("wolfSSL_get0_chain_certs");
if ((ssl == NULL) || (sk == NULL)) {
WOLFSSL_MSG("Bad parameter");
ret = WOLFSSL_FAILURE;
}
else {
/* Return our own certificate chain held on the object. */
*sk = ssl->ourCertChain;
}
return ret;
}
#endif
#endif
#endif /* !WOLFCRYPT_ONLY */
#endif /* !WOLFSSL_SSL_API_CERT_INCLUDED */
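Review bot: wolfSSL_get_chain_length, wolfSSL_get_chain_cert and wolfSSL_get_chain_X509 index chain->certs[idx] without checking that idx is inside the chain: the first two only test chain for NULL, and the third tests idx < MAX_CHAIN_DEPTH but neither idx >= 0 nor idx < chain->count, so a negative or too-large index reads outside the certs array (or an entry past count, whose contents I cannot confirm from here), and wolfSSL_get_chain_X509 then hands that to DecodeToX509. wolfSSL_get_chain_cert_pem in the same file already rejects `(idx < 0) || (idx >= wolfSSL_get_chain_count(chain))`, so the consistent fix is the same guard in all three, `if ((chain != NULL) && (idx >= 0) && (idx < chain->count)) {`, replacing the MAX_CHAIN_DEPTH test in wolfSSL_get_chain_X509. The `@return 0 when chain is NULL` / `@return NULL when chain is NULL` lines of the first two would then read `... or idx is out of range`, which is what wolfSSL_get_chain_X509's comment already promises without the code enforcing it.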
+1462
+2727
+1241 -5
+6
@@ -235,6 +235,9 @@
#include <tests/api/test_signature.h>
#include <tests/api/test_dtls.h>
#include <tests/api/test_dtls13.h>
#include <tests/api/test_ssl_cert.h>
#include <tests/api/test_ssl_pk.h>
#include <tests/api/test_ssl_ext.h>
#include <tests/api/test_ocsp.h>
#include <tests/api/test_evp.h>
#include <tests/api/test_tls_ext.h>
@@ -35268,6 +35271,9 @@ TEST_CASE testCases[] = {
TEST_DECL(test_revoked_loaded_int_cert),
TEST_DTLS_DECLS,
TEST_DTLS13_DECLS,
TEST_SSL_CERT_DECLS,
TEST_SSL_PK_DECLS,
TEST_SSL_EXT_DECLS,
TEST_DECL(test_tls_multi_handshakes_one_record),
TEST_DECL(test_write_dup),
TEST_DECL(test_write_dup_want_write),
+6
@@ -55,6 +55,9 @@ tests_unit_test_SOURCES += tests/api/test_lms_xmss.c
# TLS Protocol
tests_unit_test_SOURCES += tests/api/test_dtls.c
tests_unit_test_SOURCES += tests/api/test_dtls13.c
tests_unit_test_SOURCES += tests/api/test_ssl_cert.c
tests_unit_test_SOURCES += tests/api/test_ssl_pk.c
tests_unit_test_SOURCES += tests/api/test_ssl_ext.c
# TLS Feature
tests_unit_test_SOURCES += tests/api/test_ocsp.c
tests_unit_test_SOURCES += tests/api/test_evp.c
@@ -163,6 +166,9 @@ EXTRA_DIST += tests/api/test_signature.h
EXTRA_DIST += tests/api/test_lms_xmss.h
EXTRA_DIST += tests/api/test_dtls.h
EXTRA_DIST += tests/api/test_dtls13.h
EXTRA_DIST += tests/api/test_ssl_cert.h
EXTRA_DIST += tests/api/test_ssl_pk.h
EXTRA_DIST += tests/api/test_ssl_ext.h
EXTRA_DIST += tests/api/test_ocsp.h
EXTRA_DIST += tests/api/test_ocsp_test_blobs.h
EXTRA_DIST += tests/api/create_ocsp_test_blobs.py
+839 -3
@@ -515,13 +515,54 @@ int test_wolfSSL_dtls_set_pending_peer(void)
wolfSSL_CTX_free(ctx_s);
wolfSSL_CTX_free(ctx_c);
#endif
#if defined(WOLFSSL_DTLS) && defined(WOLFSSL_DTLS_CID) && \
!defined(WOLFSSL_NO_SOCK) && defined(XINET_PTON) && \
defined(HAVE_SOCKADDR) && !defined(WOLFSSL_NO_TLS12) && \
!defined(NO_WOLFSSL_CLIENT)
{
/* Exercise the "already the current peer" branch, which needs real
* AF_INET addresses (sockAddrEqual() validates the sockaddr). */
WOLFSSL_CTX* ctx = NULL;
WOLFSSL* ssl = NULL;
void* cur = NULL;
void* other = NULL;
unsigned int addrSz = (unsigned int)sizeof(SOCKADDR_IN);
ExpectNotNull(ctx = wolfSSL_CTX_new(wolfDTLSv1_2_client_method()));
ExpectNotNull(ssl = wolfSSL_new(ctx));
ExpectNotNull(cur =
wolfSSL_dtls_create_peer(11111, (char*)"127.0.0.1"));
ExpectNotNull(other =
wolfSSL_dtls_create_peer(22222, (char*)"127.0.0.1"));
/* NULL object fails. */
ExpectIntEQ(wolfSSL_dtls_set_pending_peer(NULL, cur, addrSz),
WOLFSSL_FAILURE);
/* Make 'cur' the current peer. */
ExpectIntEQ(wolfSSL_dtls_set_peer(ssl, cur, addrSz), WOLFSSL_SUCCESS);
/* A different address goes to the pending slot (SockAddrSet path). */
ExpectIntEQ(wolfSSL_dtls_set_pending_peer(ssl, other, addrSz),
WOLFSSL_SUCCESS);
/* The current address matches: the staged pending peer is cleared. */
ExpectIntEQ(wolfSSL_dtls_set_pending_peer(ssl, cur, addrSz),
WOLFSSL_SUCCESS);
/* Matches again with no pending peer left to clear. */
ExpectIntEQ(wolfSSL_dtls_set_pending_peer(ssl, cur, addrSz),
WOLFSSL_SUCCESS);
wolfSSL_dtls_free_peer(cur);
wolfSSL_dtls_free_peer(other);
wolfSSL_free(ssl);
wolfSSL_CTX_free(ctx);
}
#endif
return EXPECT_RESULT();
}
int test_dtls_version_checking(void)
{
EXPECT_DECLS;
@@ -5438,3 +5479,798 @@ int test_dtls12_export_import_etm(void)
#endif
return EXPECT_RESULT();
}
/* ----------------------------------------------------------------------------
* Coverage tests for DTLS APIs in src/ssl_api_dtls.c
* ------------------------------------------------------------------------- */
int test_wolfSSL_dtls_create_free_peer(void)
{
EXPECT_DECLS;
#if defined(WOLFSSL_DTLS) && defined(XINET_PTON) && \
!defined(WOLFSSL_NO_SOCK) && defined(HAVE_SOCKADDR)
void* peer = NULL;
/* Valid IPv4 address and port. */
ExpectNotNull(peer = wolfSSL_dtls_create_peer(11111, (char*)"127.0.0.1"));
ExpectIntEQ(wolfSSL_dtls_free_peer(peer), WOLFSSL_SUCCESS);
/* Invalid address string returns NULL. */
ExpectNull(wolfSSL_dtls_create_peer(11111, (char*)"not-an-ip-address"));
#endif
return EXPECT_RESULT();
}
int test_wolfSSL_dtls_get0_peer(void)
{
EXPECT_DECLS;
#if defined(WOLFSSL_DTLS) && !defined(NO_WOLFSSL_CLIENT) && \
!defined(WOLFSSL_NO_TLS12)
WOLFSSL_CTX* ctx = NULL;
WOLFSSL* ssl = NULL;
const void* peer = NULL;
unsigned int peerSz = 0;
ExpectNotNull(ctx = wolfSSL_CTX_new(wolfDTLSv1_2_client_method()));
ExpectNotNull(ssl = wolfSSL_new(ctx));
ExpectIntEQ(wolfSSL_dtls_set_peer(ssl, (void*)"1234", 5), WOLFSSL_SUCCESS);
#ifndef WOLFSSL_RW_THREADED
/* NULL arguments fail. */
ExpectIntEQ(wolfSSL_dtls_get0_peer(NULL, &peer, &peerSz), WOLFSSL_FAILURE);
ExpectIntEQ(wolfSSL_dtls_get0_peer(ssl, NULL, &peerSz), WOLFSSL_FAILURE);
/* Returns a pointer to the stored peer address and its size. */
ExpectIntEQ(wolfSSL_dtls_get0_peer(ssl, &peer, &peerSz), WOLFSSL_SUCCESS);
ExpectIntEQ(peerSz, 5);
ExpectNotNull(peer);
#else
ExpectIntEQ(wolfSSL_dtls_get0_peer(ssl, &peer, &peerSz),
WOLFSSL_NOT_IMPLEMENTED);
#endif
wolfSSL_free(ssl);
wolfSSL_CTX_free(ctx);
#endif
return EXPECT_RESULT();
}
int test_wolfSSL_dtls_set_timeout_init(void)
{
EXPECT_DECLS;
#if defined(WOLFSSL_DTLS) && !defined(WOLFSSL_LEANPSK) && \
!defined(NO_WOLFSSL_CLIENT) && !defined(WOLFSSL_NO_TLS12)
WOLFSSL_CTX* ctx = NULL;
WOLFSSL* ssl = NULL;
ExpectNotNull(ctx = wolfSSL_CTX_new(wolfDTLSv1_2_client_method()));
ExpectNotNull(ssl = wolfSSL_new(ctx));
ExpectIntEQ(wolfSSL_dtls_set_timeout_init(NULL, 1),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wolfSSL_dtls_set_timeout_init(ssl, -1),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wolfSSL_dtls_set_timeout_max(ssl, 5), WOLFSSL_SUCCESS);
ExpectIntEQ(wolfSSL_dtls_set_timeout_init(ssl, 3), WOLFSSL_SUCCESS);
ExpectIntEQ(wolfSSL_dtls_get_current_timeout(ssl), 3);
/* Initial timeout greater than maximum fails. */
ExpectIntEQ(wolfSSL_dtls_set_timeout_init(ssl, 10),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
wolfSSL_free(ssl);
wolfSSL_CTX_free(ctx);
#endif
return EXPECT_RESULT();
}
int test_wolfSSL_dtls_retransmit(void)
{
EXPECT_DECLS;
#if defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && defined(WOLFSSL_DTLS) && \
!defined(WOLFSSL_NO_TLS12)
WOLFSSL_CTX *ctx_c = NULL, *ctx_s = NULL;
WOLFSSL *ssl_c = NULL, *ssl_s = NULL;
struct test_memio_ctx test_ctx;
XMEMSET(&test_ctx, 0, sizeof(test_ctx));
ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
wolfDTLSv1_2_client_method, wolfDTLSv1_2_server_method), 0);
/* NULL fails. */
ExpectIntEQ(wolfSSL_dtls_retransmit(NULL), WOLFSSL_FATAL_ERROR);
/* Send the ClientHello flight, then retransmit it (DTLS 1.2 path). */
ExpectIntEQ(wolfSSL_negotiate(ssl_c), -1);
ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_READ);
ExpectIntEQ(wolfSSL_dtls_retransmit(ssl_c), WOLFSSL_SUCCESS);
/* Resending fails when the transport reports want-write, exercising the
* error path (sets ssl->error and returns WOLFSSL_FATAL_ERROR). */
test_memio_simulate_want_write(&test_ctx, 1, 1);
ExpectIntEQ(wolfSSL_dtls_retransmit(ssl_c), WOLFSSL_FATAL_ERROR);
ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_WRITE);
test_memio_simulate_want_write(&test_ctx, 1, 0);
/* After the handshake completes, retransmit is a no-op success. */
ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
ExpectIntEQ(wolfSSL_dtls_retransmit(ssl_c), WOLFSSL_SUCCESS);
wolfSSL_free(ssl_s);
wolfSSL_free(ssl_c);
wolfSSL_CTX_free(ctx_s);
wolfSSL_CTX_free(ctx_c);
#endif
#if defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \
defined(WOLFSSL_DTLS13) && defined(WOLFSSL_TLS13)
{
/* DTLS 1.3 exercises the Dtls13DoScheduledWork() branch. */
WOLFSSL_CTX *ctx_c13 = NULL, *ctx_s13 = NULL;
WOLFSSL *ssl_c13 = NULL, *ssl_s13 = NULL;
struct test_memio_ctx test_ctx13;
XMEMSET(&test_ctx13, 0, sizeof(test_ctx13));
ExpectIntEQ(test_memio_setup(&test_ctx13, &ctx_c13, &ctx_s13, &ssl_c13,
&ssl_s13, wolfDTLSv1_3_client_method, wolfDTLSv1_3_server_method),
0);
ExpectIntEQ(wolfSSL_negotiate(ssl_c13), -1);
ExpectIntEQ(wolfSSL_get_error(ssl_c13, -1), WOLFSSL_ERROR_WANT_READ);
ExpectIntEQ(wolfSSL_dtls_retransmit(ssl_c13), WOLFSSL_SUCCESS);
wolfSSL_free(ssl_s13);
wolfSSL_free(ssl_c13);
wolfSSL_CTX_free(ctx_s13);
wolfSSL_CTX_free(ctx_c13);
}
#endif
return EXPECT_RESULT();
}
int test_wolfSSL_DTLSv1_compat_timeouts(void)
{
EXPECT_DECLS;
#if defined(WOLFSSL_DTLS) && !defined(NO_WOLFSSL_CLIENT) && \
!defined(WOLFSSL_NO_TLS12)
WOLFSSL_CTX* ctx = NULL;
WOLFSSL* ssl = NULL;
WOLFSSL_TIMEVAL tv;
ExpectNotNull(ctx = wolfSSL_CTX_new(wolfDTLSv1_2_client_method()));
ExpectNotNull(ssl = wolfSSL_new(ctx));
XMEMSET(&tv, 0, sizeof(tv));
ExpectIntEQ(wolfSSL_DTLSv1_get_timeout(ssl, &tv), 0);
/* NULL arguments are tolerated. */
ExpectIntEQ(wolfSSL_DTLSv1_get_timeout(NULL, NULL), 0);
#ifndef NO_WOLFSSL_STUB
ExpectIntEQ(wolfSSL_DTLSv1_handle_timeout(ssl), 0);
wolfSSL_DTLSv1_set_initial_timeout_duration(ssl, 1000);
#endif
wolfSSL_free(ssl);
wolfSSL_CTX_free(ctx);
#endif
return EXPECT_RESULT();
}
int test_wolfSSL_dtls13_set_send_more_acks(void)
{
EXPECT_DECLS;
#if defined(WOLFSSL_DTLS13) && defined(WOLFSSL_TLS13) && \
!defined(NO_WOLFSSL_CLIENT)
WOLFSSL_CTX* ctx = NULL;
WOLFSSL* ssl = NULL;
ExpectNotNull(ctx = wolfSSL_CTX_new(wolfDTLSv1_3_client_method()));
ExpectNotNull(ssl = wolfSSL_new(ctx));
/* Toggle the send-more-acks option (void return). */
wolfSSL_dtls13_set_send_more_acks(ssl, 1);
wolfSSL_dtls13_set_send_more_acks(ssl, 0);
/* NULL is tolerated. */
wolfSSL_dtls13_set_send_more_acks(NULL, 1);
/* Quick-timeout flag defaults to off. */
ExpectIntEQ(wolfSSL_dtls13_use_quick_timeout(ssl), 0);
wolfSSL_free(ssl);
wolfSSL_CTX_free(ctx);
#endif
return EXPECT_RESULT();
}
int test_wolfSSL_dtls_srtp_keying_material(void)
{
EXPECT_DECLS;
#if defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && defined(WOLFSSL_DTLS) && \
defined(WOLFSSL_SRTP) && defined(HAVE_KEYING_MATERIAL) && \
!defined(WOLFSSL_NO_TLS12)
WOLFSSL_CTX *ctx_c = NULL, *ctx_s = NULL;
WOLFSSL *ssl_c = NULL, *ssl_s = NULL;
struct test_memio_ctx test_ctx;
const WOLFSSL_SRTP_PROTECTION_PROFILE* profile = NULL;
unsigned char keyMaterial[64];
size_t olen = 0;
const char* profileStr = "SRTP_AES128_CM_SHA1_80";
XMEMSET(&test_ctx, 0, sizeof(test_ctx));
ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
wolfDTLSv1_2_client_method, wolfDTLSv1_2_server_method), 0);
/* No profile selected before the handshake. */
ExpectNull(wolfSSL_get_selected_srtp_profile(NULL));
/* NULL arguments fail. */
olen = sizeof(keyMaterial);
ExpectIntEQ(wolfSSL_export_dtls_srtp_keying_material(NULL, keyMaterial,
&olen), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
/* Exporting before SRTP is negotiated reports a missing extension. */
ExpectIntEQ(wolfSSL_export_dtls_srtp_keying_material(ssl_c, keyMaterial,
&olen), WC_NO_ERR_TRACE(EXT_MISSING));
/* Request SRTP on both ends (0 == success, OpenSSL convention). */
ExpectIntEQ(wolfSSL_set_tlsext_use_srtp(ssl_c, profileStr), 0);
ExpectIntEQ(wolfSSL_set_tlsext_use_srtp(ssl_s, profileStr), 0);
ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
/* A profile is now selected. */
ExpectNotNull(profile = wolfSSL_get_selected_srtp_profile(ssl_c));
/* Length-only query (out == NULL). */
olen = 0;
ExpectIntEQ(wolfSSL_export_dtls_srtp_keying_material(ssl_c, NULL, &olen),
WC_NO_ERR_TRACE(LENGTH_ONLY_E));
ExpectIntGT((int)olen, 0);
ExpectIntLE((int)olen, (int)sizeof(keyMaterial));
/* A buffer smaller than the keying material reports BUFFER_E. */
olen = 1;
ExpectIntEQ(wolfSSL_export_dtls_srtp_keying_material(ssl_c, keyMaterial,
&olen), WC_NO_ERR_TRACE(BUFFER_E));
/* Export the keying material into a large enough buffer. */
olen = sizeof(keyMaterial);
#ifdef WOLFSSL_OPENVPN
ExpectIntEQ(wolfSSL_export_dtls_srtp_keying_material(ssl_c, keyMaterial,
&olen), WOLFSSL_SUCCESS);
#else
/* Arrays aren't saved without WOLFSSL_OPENVPN. */
ExpectIntEQ(wolfSSL_export_dtls_srtp_keying_material(ssl_c, keyMaterial,
&olen), WOLFSSL_FAILURE);
#endif
#ifndef NO_WOLFSSL_STUB
/* Stub returns NULL. */
ExpectNull(wolfSSL_get_srtp_profiles(ssl_c));
#endif
wolfSSL_free(ssl_s);
wolfSSL_free(ssl_c);
wolfSSL_CTX_free(ctx_s);
wolfSSL_CTX_free(ctx_c);
#endif
return EXPECT_RESULT();
}
#if defined(WOLFSSL_DTLS) && defined(WOLFSSL_MULTICAST) && \
(defined(WOLFSSL_TLS13) || defined(WOLFSSL_SNIFFER)) && \
!defined(NO_WOLFSSL_CLIENT)
static int test_dtls_mcast_highwater_cb(unsigned short peerId,
unsigned int maxSeq, unsigned int curSeq, void* ctx)
{
(void)peerId;
(void)maxSeq;
(void)curSeq;
(void)ctx;
return 0;
}
#endif
int test_wolfSSL_mcast_peers(void)
{
EXPECT_DECLS;
#if defined(WOLFSSL_DTLS) && defined(WOLFSSL_MULTICAST) && \
(defined(WOLFSSL_TLS13) || defined(WOLFSSL_SNIFFER)) && \
!defined(NO_WOLFSSL_CLIENT)
WOLFSSL_CTX* ctx = NULL;
WOLFSSL* ssl = NULL;
int hwCtx = 0;
ExpectIntGT(wolfSSL_mcast_get_max_peers(), 0);
ExpectNotNull(ctx = wolfSSL_CTX_new(wolfDTLSv1_2_client_method()));
ExpectIntEQ(wolfSSL_CTX_mcast_set_member_id(ctx, 0), WOLFSSL_SUCCESS);
/* Highwater callback argument validation. */
ExpectIntEQ(wolfSSL_CTX_mcast_set_highwater_cb(NULL, 320, 100, 200,
test_dtls_mcast_highwater_cb), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wolfSSL_CTX_mcast_set_highwater_cb(ctx, 320, 100, 200, NULL),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wolfSSL_CTX_mcast_set_highwater_cb(ctx, 320, 100, 200,
test_dtls_mcast_highwater_cb), WOLFSSL_SUCCESS);
ExpectNotNull(ssl = wolfSSL_new(ctx));
ExpectIntEQ(wolfSSL_mcast_set_highwater_ctx(NULL, &hwCtx),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wolfSSL_mcast_set_highwater_ctx(ssl, &hwCtx), WOLFSSL_SUCCESS);
/* Add, query and remove a multicast peer. */
ExpectIntEQ(wolfSSL_mcast_peer_add(NULL, 1, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wolfSSL_mcast_peer_add(ssl, 1, 0), WOLFSSL_SUCCESS);
/* Known peer that has not sent data yet -> 0. */
ExpectIntEQ(wolfSSL_mcast_peer_known(ssl, 1), 0);
/* Unknown peer -> 0. */
ExpectIntEQ(wolfSSL_mcast_peer_known(ssl, 2), 0);
ExpectIntEQ(wolfSSL_mcast_peer_known(NULL, 1),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
/* Once the peer has received data (non-zero sequence number) it is
* reported as known. */
if (ssl != NULL) {
int j;
for (j = 0; j < WOLFSSL_DTLS_PEERSEQ_SZ; j++) {
if (ssl->keys.peerSeq[j].peerId == 1) {
ssl->keys.peerSeq[j].nextSeq_lo = 1;
break;
}
}
}
ExpectIntEQ(wolfSSL_mcast_peer_known(ssl, 1), 1);
/* Remove the peer (sub = 1). */
ExpectIntEQ(wolfSSL_mcast_peer_add(ssl, 1, 1), WOLFSSL_SUCCESS);
/* Re-adding a peer that is already present reports an error. */
ExpectIntEQ(wolfSSL_mcast_peer_add(ssl, 5, 0), WOLFSSL_SUCCESS);
ExpectIntEQ(wolfSSL_mcast_peer_add(ssl, 5, 0), WOLFSSL_FATAL_ERROR);
ExpectIntEQ(wolfSSL_mcast_peer_add(ssl, 5, 1), WOLFSSL_SUCCESS);
/* Filling every peer slot then adding another peer overflows the list. */
#if WOLFSSL_DTLS_PEERSEQ_SZ <= 255
{
int idx;
for (idx = 0; idx < WOLFSSL_DTLS_PEERSEQ_SZ && !EXPECT_FAIL(); idx++) {
ExpectIntEQ(wolfSSL_mcast_peer_add(ssl, (word16)idx, 0),
WOLFSSL_SUCCESS);
}
ExpectIntEQ(wolfSSL_mcast_peer_add(ssl,
(word16)WOLFSSL_DTLS_PEERSEQ_SZ, 0), WOLFSSL_FATAL_ERROR);
}
#endif
wolfSSL_free(ssl);
wolfSSL_CTX_free(ctx);
#endif
return EXPECT_RESULT();
}
int test_wolfSSL_set_dtls_fd_connected(void)
{
EXPECT_DECLS;
#if defined(WOLFSSL_DTLS) && !defined(NO_WOLFSSL_CLIENT) && \
!defined(WOLFSSL_NO_TLS12)
WOLFSSL_CTX* ctx = NULL;
WOLFSSL* ssl = NULL;
ExpectIntEQ(wolfSSL_set_dtls_fd_connected(NULL, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectNotNull(ctx = wolfSSL_CTX_new(wolfDTLSv1_2_client_method()));
ExpectNotNull(ssl = wolfSSL_new(ctx));
ExpectIntEQ(wolfSSL_set_dtls_fd_connected(ssl, 1), WOLFSSL_SUCCESS);
wolfSSL_free(ssl);
wolfSSL_CTX_free(ctx);
#endif
return EXPECT_RESULT();
}
int test_wolfSSL_dtls_get_peer(void)
{
EXPECT_DECLS;
#if defined(WOLFSSL_DTLS) && !defined(NO_WOLFSSL_CLIENT) && \
!defined(WOLFSSL_NO_TLS12)
WOLFSSL_CTX* ctx = NULL;
WOLFSSL* ssl = NULL;
unsigned char peer[16];
unsigned int peerSz = (unsigned int)sizeof(peer);
ExpectIntEQ(wolfSSL_dtls_get_peer(NULL, peer, &peerSz), WOLFSSL_FAILURE);
ExpectNotNull(ctx = wolfSSL_CTX_new(wolfDTLSv1_2_client_method()));
ExpectNotNull(ssl = wolfSSL_new(ctx));
/* No peer set yet. */
peerSz = (unsigned int)sizeof(peer);
ExpectIntEQ(wolfSSL_dtls_get_peer(ssl, peer, &peerSz), WOLFSSL_FAILURE);
/* Set then retrieve the peer. */
ExpectIntEQ(wolfSSL_dtls_set_peer(ssl, (void*)"1234", 5), WOLFSSL_SUCCESS);
peerSz = (unsigned int)sizeof(peer);
ExpectIntEQ(wolfSSL_dtls_get_peer(ssl, peer, &peerSz), WOLFSSL_SUCCESS);
ExpectIntEQ(peerSz, 5);
wolfSSL_free(ssl);
wolfSSL_CTX_free(ctx);
#endif
return EXPECT_RESULT();
}
int test_wolfSSL_dtls_set_peer(void)
{
EXPECT_DECLS;
#if defined(WOLFSSL_DTLS) && !defined(NO_WOLFSSL_CLIENT) && \
!defined(WOLFSSL_NO_TLS12)
WOLFSSL_CTX* ctx = NULL;
WOLFSSL* ssl = NULL;
unsigned char peer[16];
unsigned int peerSz = (unsigned int)sizeof(peer);
ExpectIntEQ(wolfSSL_dtls_set_peer(NULL, (void*)"1234", 5), WOLFSSL_FAILURE);
ExpectNotNull(ctx = wolfSSL_CTX_new(wolfDTLSv1_2_client_method()));
ExpectNotNull(ssl = wolfSSL_new(ctx));
/* Set a peer then read it back. */
ExpectIntEQ(wolfSSL_dtls_set_peer(ssl, (void*)"1234", 5), WOLFSSL_SUCCESS);
peerSz = (unsigned int)sizeof(peer);
ExpectIntEQ(wolfSSL_dtls_get_peer(ssl, peer, &peerSz), WOLFSSL_SUCCESS);
ExpectIntEQ(peerSz, 5);
/* A larger peer grows the buffer, freeing the previous one. */
ExpectIntEQ(wolfSSL_dtls_set_peer(ssl, (void*)"123456789012", 12),
WOLFSSL_SUCCESS);
peerSz = (unsigned int)sizeof(peer);
ExpectIntEQ(wolfSSL_dtls_get_peer(ssl, peer, &peerSz), WOLFSSL_SUCCESS);
ExpectIntEQ(peerSz, 12);
/* Clearing the peer with NULL/0 frees the stored address. */
ExpectIntEQ(wolfSSL_dtls_set_peer(ssl, NULL, 0), WOLFSSL_SUCCESS);
peerSz = (unsigned int)sizeof(peer);
ExpectIntEQ(wolfSSL_dtls_get_peer(ssl, peer, &peerSz), WOLFSSL_FAILURE);
wolfSSL_free(ssl);
wolfSSL_CTX_free(ctx);
#endif
return EXPECT_RESULT();
}
int test_wolfSSL_GetDtlsMacSecret(void)
{
EXPECT_DECLS;
#if defined(WOLFSSL_DTLS) && !defined(WOLFSSL_AEAD_ONLY)
/* NULL ssl returns NULL. */
ExpectNull(wolfSSL_GetDtlsMacSecret(NULL, 0, 0));
#endif
return EXPECT_RESULT();
}
int test_wolfSSL_dtls_get_using_nonblock(void)
{
EXPECT_DECLS;
#if defined(WOLFSSL_DTLS) && !defined(NO_WOLFSSL_CLIENT) && \
!defined(WOLFSSL_NO_TLS12)
WOLFSSL_CTX* ctx = NULL;
WOLFSSL* ssl = NULL;
ExpectIntEQ(wolfSSL_dtls_get_using_nonblock(NULL), WOLFSSL_FAILURE);
/* DTLS object: default is off. */
ExpectNotNull(ctx = wolfSSL_CTX_new(wolfDTLSv1_2_client_method()));
ExpectNotNull(ssl = wolfSSL_new(ctx));
ExpectIntEQ(wolfSSL_dtls_get_using_nonblock(ssl), 0);
wolfSSL_free(ssl);
wolfSSL_CTX_free(ctx);
ssl = NULL;
ctx = NULL;
#ifndef WOLFSSL_NO_TLS12
/* Non-DTLS object takes the deprecated-use branch and returns 0. */
ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method()));
ExpectNotNull(ssl = wolfSSL_new(ctx));
ExpectIntEQ(wolfSSL_dtls_get_using_nonblock(ssl), 0);
wolfSSL_free(ssl);
wolfSSL_CTX_free(ctx);
#endif
#endif
return EXPECT_RESULT();
}
int test_wolfSSL_dtls_set_using_nonblock(void)
{
EXPECT_DECLS;
#if defined(WOLFSSL_DTLS) && !defined(WOLFSSL_LEANPSK) && \
!defined(NO_WOLFSSL_CLIENT) && !defined(WOLFSSL_NO_TLS12)
WOLFSSL_CTX* ctx = NULL;
WOLFSSL* ssl = NULL;
/* NULL is a no-op (must not crash). */
wolfSSL_dtls_set_using_nonblock(NULL, 1);
/* DTLS object: value is stored and read back. */
ExpectNotNull(ctx = wolfSSL_CTX_new(wolfDTLSv1_2_client_method()));
ExpectNotNull(ssl = wolfSSL_new(ctx));
wolfSSL_dtls_set_using_nonblock(ssl, 1);
ExpectIntEQ(wolfSSL_dtls_get_using_nonblock(ssl), 1);
wolfSSL_dtls_set_using_nonblock(ssl, 0);
ExpectIntEQ(wolfSSL_dtls_get_using_nonblock(ssl), 0);
wolfSSL_free(ssl);
wolfSSL_CTX_free(ctx);
ssl = NULL;
ctx = NULL;
#ifndef WOLFSSL_NO_TLS12
/* Non-DTLS object takes the deprecated-use branch. */
ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method()));
ExpectNotNull(ssl = wolfSSL_new(ctx));
wolfSSL_dtls_set_using_nonblock(ssl, 1);
wolfSSL_free(ssl);
wolfSSL_CTX_free(ctx);
#endif
#endif
return EXPECT_RESULT();
}
int test_wolfSSL_set_mtu_compat(void)
{
EXPECT_DECLS;
#if defined(WOLFSSL_DTLS) && defined(OPENSSL_EXTRA) && \
(defined(WOLFSSL_SCTP) || defined(WOLFSSL_DTLS_MTU)) && \
!defined(NO_WOLFSSL_CLIENT)
WOLFSSL_CTX* ctx = NULL;
WOLFSSL* ssl = NULL;
ExpectNotNull(ctx = wolfSSL_CTX_new(wolfDTLSv1_2_client_method()));
ExpectNotNull(ssl = wolfSSL_new(ctx));
/* A reasonable MTU succeeds. */
ExpectIntEQ(wolfSSL_set_mtu_compat(ssl, 1500), WOLFSSL_SUCCESS);
/* An MTU larger than a record fails. */
ExpectIntEQ(wolfSSL_set_mtu_compat(ssl, 0xFFFF), WOLFSSL_FAILURE);
wolfSSL_free(ssl);
wolfSSL_CTX_free(ctx);
#endif
return EXPECT_RESULT();
}
int test_wolfSSL_dtls_set_timeout_max(void)
{
EXPECT_DECLS;
#if defined(WOLFSSL_DTLS) && !defined(WOLFSSL_LEANPSK) && \
!defined(NO_WOLFSSL_CLIENT) && !defined(WOLFSSL_NO_TLS12)
WOLFSSL_CTX* ctx = NULL;
WOLFSSL* ssl = NULL;
ExpectIntEQ(wolfSSL_dtls_set_timeout_max(NULL, 5),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectNotNull(ctx = wolfSSL_CTX_new(wolfDTLSv1_2_client_method()));
ExpectNotNull(ssl = wolfSSL_new(ctx));
/* Negative timeout fails. */
ExpectIntEQ(wolfSSL_dtls_set_timeout_max(ssl, -1),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
/* Valid maximum succeeds. */
ExpectIntEQ(wolfSSL_dtls_set_timeout_max(ssl, 5), WOLFSSL_SUCCESS);
ExpectIntEQ(wolfSSL_dtls_set_timeout_init(ssl, 3), WOLFSSL_SUCCESS);
/* Maximum less than the initial timeout fails. */
ExpectIntEQ(wolfSSL_dtls_set_timeout_max(ssl, 2),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
wolfSSL_free(ssl);
wolfSSL_CTX_free(ctx);
#endif
return EXPECT_RESULT();
}
int test_wolfSSL_CTX_mcast_set_member_id(void)
{
EXPECT_DECLS;
#if defined(WOLFSSL_DTLS) && defined(WOLFSSL_MULTICAST) && \
(defined(WOLFSSL_TLS13) || defined(WOLFSSL_SNIFFER)) && \
!defined(NO_WOLFSSL_CLIENT)
WOLFSSL_CTX* ctx = NULL;
ExpectIntEQ(wolfSSL_CTX_mcast_set_member_id(NULL, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectNotNull(ctx = wolfSSL_CTX_new(wolfDTLSv1_2_client_method()));
/* Member id out of range (> 8-bit) fails. */
ExpectIntEQ(wolfSSL_CTX_mcast_set_member_id(ctx, 256),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
/* Valid member id succeeds. */
ExpectIntEQ(wolfSSL_CTX_mcast_set_member_id(ctx, 0), WOLFSSL_SUCCESS);
wolfSSL_CTX_free(ctx);
#endif
return EXPECT_RESULT();
}
int test_wolfSSL_mcast_read(void)
{
EXPECT_DECLS;
#if defined(WOLFSSL_DTLS) && defined(WOLFSSL_MULTICAST) && \
(defined(WOLFSSL_TLS13) || defined(WOLFSSL_SNIFFER)) && \
!defined(NO_WOLFSSL_CLIENT)
WOLFSSL_CTX* ctx = NULL;
WOLFSSL* ssl = NULL;
word16 id = 0;
byte buf[16];
ExpectIntEQ(wolfSSL_mcast_read(NULL, &id, buf, (int)sizeof(buf)),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectNotNull(ctx = wolfSSL_CTX_new(wolfDTLSv1_2_client_method()));
ExpectIntEQ(wolfSSL_CTX_mcast_set_member_id(ctx, 0), WOLFSSL_SUCCESS);
ExpectNotNull(ssl = wolfSSL_new(ctx));
/* Negative size fails. */
ExpectIntEQ(wolfSSL_mcast_read(ssl, &id, buf, -1),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
wolfSSL_free(ssl);
wolfSSL_CTX_free(ctx);
#endif
return EXPECT_RESULT();
}
int test_wolfSSL_dtls_got_timeout(void)
{
EXPECT_DECLS;
#if defined(WOLFSSL_DTLS) && !defined(WOLFSSL_LEANPSK) && \
!defined(NO_WOLFSSL_CLIENT)
/* NULL object fails. */
ExpectIntEQ(wolfSSL_dtls_got_timeout(NULL), WOLFSSL_FATAL_ERROR);
#ifndef WOLFSSL_NO_TLS12
{
/* A non-DTLS object also fails. */
WOLFSSL_CTX* ctx = NULL;
WOLFSSL* ssl = NULL;
ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method()));
ExpectNotNull(ssl = wolfSSL_new(ctx));
ExpectIntEQ(wolfSSL_dtls_got_timeout(ssl), WOLFSSL_FATAL_ERROR);
wolfSSL_free(ssl);
wolfSSL_CTX_free(ctx);
}
#endif
#endif
#if defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && defined(WOLFSSL_DTLS) && \
!defined(WOLFSSL_LEANPSK) && !defined(WOLFSSL_NO_TLS12)
{
/* With a DTLS 1.2 flight buffered, a transport that reports want-write
* makes the timeout handler take the pool-send error path. */
WOLFSSL_CTX *ctx_c = NULL, *ctx_s = NULL;
WOLFSSL *ssl_c = NULL, *ssl_s = NULL;
struct test_memio_ctx test_ctx;
XMEMSET(&test_ctx, 0, sizeof(test_ctx));
ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
wolfDTLSv1_2_client_method, wolfDTLSv1_2_server_method), 0);
/* Buffer the ClientHello flight. */
ExpectIntEQ(wolfSSL_negotiate(ssl_c), -1);
ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_READ);
/* Resending the flight fails -> error path, returns FATAL_ERROR. */
test_memio_simulate_want_write(&test_ctx, 1, 1);
ExpectIntEQ(wolfSSL_dtls_got_timeout(ssl_c), WOLFSSL_FATAL_ERROR);
ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_WRITE);
/* With the transport unblocked the resend succeeds. */
test_memio_simulate_want_write(&test_ctx, 1, 0);
ExpectIntEQ(wolfSSL_dtls_got_timeout(ssl_c), WOLFSSL_SUCCESS);
wolfSSL_free(ssl_s);
wolfSSL_free(ssl_c);
wolfSSL_CTX_free(ctx_s);
wolfSSL_CTX_free(ctx_c);
}
#endif
#if defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \
defined(WOLFSSL_DTLS13) && defined(WOLFSSL_TLS13)
{
/* DTLS 1.3: a want-write while retransmitting takes the
* Dtls13RtxTimeout() error branch. */
WOLFSSL_CTX *ctx_c = NULL, *ctx_s = NULL;
WOLFSSL *ssl_c = NULL, *ssl_s = NULL;
struct test_memio_ctx test_ctx;
XMEMSET(&test_ctx, 0, sizeof(test_ctx));
ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
wolfDTLSv1_3_client_method, wolfDTLSv1_3_server_method), 0);
/* Buffer the ClientHello flight. */
ExpectIntEQ(wolfSSL_negotiate(ssl_c), -1);
ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_READ);
/* Retransmit under want-write fails. */
test_memio_simulate_want_write(&test_ctx, 1, 1);
ExpectIntEQ(wolfSSL_dtls_got_timeout(ssl_c), WOLFSSL_FATAL_ERROR);
ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_WRITE);
test_memio_simulate_want_write(&test_ctx, 1, 0);
wolfSSL_free(ssl_s);
wolfSSL_free(ssl_c);
wolfSSL_CTX_free(ctx_s);
wolfSSL_CTX_free(ctx_c);
}
#endif
return EXPECT_RESULT();
}
int test_wolfSSL_DTLS_SetCookieSecret(void)
{
EXPECT_DECLS;
#if defined(WOLFSSL_DTLS) && !defined(NO_WOLFSSL_SERVER) && \
(defined(NO_CERTS) || !defined(NO_RSA))
WOLFSSL_CTX* ctx = NULL;
WOLFSSL* ssl = NULL;
byte secret1[32];
byte secret2[16];
XMEMSET(secret1, 0xA5, sizeof(secret1));
XMEMSET(secret2, 0x5A, sizeof(secret2));
/* NULL object fails. */
ExpectIntEQ(wolfSSL_DTLS_SetCookieSecret(NULL, secret1, sizeof(secret1)),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectNotNull(ctx = wolfSSL_CTX_new(wolfDTLSv1_2_server_method()));
#ifndef NO_CERTS
/* A server WOLFSSL needs a key and certificate set on the context. */
ExpectIntEQ(wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, CERT_FILETYPE),
WOLFSSL_SUCCESS);
ExpectIntEQ(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile,
CERT_FILETYPE), WOLFSSL_SUCCESS);
#endif
ExpectNotNull(ssl = wolfSSL_new(ctx));
/* A non-NULL secret with zero size fails. */
ExpectIntEQ(wolfSSL_DTLS_SetCookieSecret(ssl, secret1, 0),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
/* Set an explicit secret (copy path). */
ExpectIntEQ(wolfSSL_DTLS_SetCookieSecret(ssl, secret1, sizeof(secret1)), 0);
/* A different size frees the old buffer and reallocates. */
ExpectIntEQ(wolfSSL_DTLS_SetCookieSecret(ssl, secret2, sizeof(secret2)), 0);
/* The same size keeps the existing buffer (no reallocation). */
ExpectIntEQ(wolfSSL_DTLS_SetCookieSecret(ssl, secret2, sizeof(secret2)), 0);
wolfSSL_free(ssl);
wolfSSL_CTX_free(ctx);
#endif
return EXPECT_RESULT();
}
int test_wolfSSL_set_secret(void)
{
EXPECT_DECLS;
#if defined(WOLFSSL_DTLS) && defined(WOLFSSL_MULTICAST) && \
(defined(WOLFSSL_TLS13) || defined(WOLFSSL_SNIFFER)) && \
!defined(NO_WOLFSSL_CLIENT)
WOLFSSL_CTX* ctx = NULL;
WOLFSSL* ssl = NULL;
byte preMasterSecret[16];
byte clientRandom[32];
byte serverRandom[32];
byte suite[2] = { 0, 0xfe }; /* WDM_WITH_NULL_SHA256 */
XMEMSET(preMasterSecret, 0x23, sizeof(preMasterSecret));
XMEMSET(clientRandom, 0xA5, sizeof(clientRandom));
XMEMSET(serverRandom, 0x5A, sizeof(serverRandom));
ExpectNotNull(ctx = wolfSSL_CTX_new(wolfDTLSv1_2_client_method()));
ExpectIntEQ(wolfSSL_CTX_mcast_set_member_id(ctx, 0), WOLFSSL_SUCCESS);
ExpectNotNull(ssl = wolfSSL_new(ctx));
/* Invalid arguments take the error path and return WOLFSSL_FATAL_ERROR. */
ExpectIntEQ(wolfSSL_set_secret(ssl, 23, NULL, sizeof(preMasterSecret),
clientRandom, serverRandom, suite), WOLFSSL_FATAL_ERROR);
ExpectIntEQ(wolfSSL_set_secret(ssl, 23, preMasterSecret, 0,
clientRandom, serverRandom, suite), WOLFSSL_FATAL_ERROR);
wolfSSL_free(ssl);
wolfSSL_CTX_free(ctx);
#endif
return EXPECT_RESULT();
}
+49 -2
@@ -45,6 +45,27 @@ int test_dtls_mtu_fragment_headroom(void);
int test_dtls_mtu_split_messages(void);
int test_dtls_set_session_min_downgrade(void);
int test_dtls12_export_import_etm(void);
int test_wolfSSL_dtls_create_free_peer(void);
int test_wolfSSL_dtls_get0_peer(void);
int test_wolfSSL_dtls_set_timeout_init(void);
int test_wolfSSL_dtls_retransmit(void);
int test_wolfSSL_DTLSv1_compat_timeouts(void);
int test_wolfSSL_dtls13_set_send_more_acks(void);
int test_wolfSSL_dtls_srtp_keying_material(void);
int test_wolfSSL_mcast_peers(void);
int test_wolfSSL_set_dtls_fd_connected(void);
int test_wolfSSL_dtls_get_peer(void);
int test_wolfSSL_dtls_set_peer(void);
int test_wolfSSL_GetDtlsMacSecret(void);
int test_wolfSSL_dtls_get_using_nonblock(void);
int test_wolfSSL_dtls_set_using_nonblock(void);
int test_wolfSSL_set_mtu_compat(void);
int test_wolfSSL_dtls_set_timeout_max(void);
int test_wolfSSL_CTX_mcast_set_member_id(void);
int test_wolfSSL_mcast_read(void);
int test_wolfSSL_dtls_got_timeout(void);
int test_wolfSSL_DTLS_SetCookieSecret(void);
int test_wolfSSL_set_secret(void);
/* DTLS tests moved out of tests/api.c. */
int test_dtls_msg_from_other_peer(void);
@@ -105,7 +126,8 @@ int test_WOLFSSL_dtls_version_alert(void);
TEST_DECL_GROUP("dtls", test_dtls_set_session_min_downgrade), \
TEST_DECL_GROUP("dtls", test_wolfSSL_dtls_export), \
TEST_DECL_GROUP("dtls", test_wolfSSL_dtls_export_peers), \
TEST_DECL_GROUP("dtls", test_wolfSSL_dtls_import_state_extra_window_words), \
TEST_DECL_GROUP("dtls", \
test_wolfSSL_dtls_import_state_extra_window_words), \
TEST_DECL_GROUP("dtls", test_wolfSSL_DTLS_either_side), \
TEST_DECL_GROUP("dtls", test_generate_cookie), \
TEST_DECL_GROUP("dtls", test_wolfSSL_dtls_set_mtu), \
@@ -135,5 +157,30 @@ int test_WOLFSSL_dtls_version_alert(void);
TEST_DECL_GROUP("dtls", test_dtls_seq_num_downgrade), \
TEST_DECL_GROUP("dtls", test_dtls_old_seq_number), \
TEST_DECL_GROUP("dtls", test_dtls12_missing_finished), \
TEST_DECL_GROUP("dtls", test_dtls12_export_import_etm)
TEST_DECL_GROUP("dtls", test_dtls12_export_import_etm), \
TEST_DECL_GROUP("dtls", test_dtls13_min_rtx_interval), \
TEST_DECL_GROUP("dtls", test_dtls13_no_session_id_echo), \
TEST_DECL_GROUP("dtls", test_dtls13_oversized_cert_chain), \
TEST_DECL_GROUP("dtls", test_dtls_set_session_min_downgrade), \
TEST_DECL_GROUP("dtls", test_wolfSSL_dtls_create_free_peer), \
TEST_DECL_GROUP("dtls", test_wolfSSL_dtls_get0_peer), \
TEST_DECL_GROUP("dtls", test_wolfSSL_dtls_set_timeout_init), \
TEST_DECL_GROUP("dtls", test_wolfSSL_dtls_retransmit), \
TEST_DECL_GROUP("dtls", test_wolfSSL_DTLSv1_compat_timeouts), \
TEST_DECL_GROUP("dtls", test_wolfSSL_dtls13_set_send_more_acks), \
TEST_DECL_GROUP("dtls", test_wolfSSL_dtls_srtp_keying_material), \
TEST_DECL_GROUP("dtls", test_wolfSSL_mcast_peers), \
TEST_DECL_GROUP("dtls", test_wolfSSL_set_dtls_fd_connected), \
TEST_DECL_GROUP("dtls", test_wolfSSL_dtls_get_peer), \
TEST_DECL_GROUP("dtls", test_wolfSSL_dtls_set_peer), \
TEST_DECL_GROUP("dtls", test_wolfSSL_GetDtlsMacSecret), \
TEST_DECL_GROUP("dtls", test_wolfSSL_dtls_get_using_nonblock), \
TEST_DECL_GROUP("dtls", test_wolfSSL_dtls_set_using_nonblock), \
TEST_DECL_GROUP("dtls", test_wolfSSL_set_mtu_compat), \
TEST_DECL_GROUP("dtls", test_wolfSSL_dtls_set_timeout_max), \
TEST_DECL_GROUP("dtls", test_wolfSSL_CTX_mcast_set_member_id), \
TEST_DECL_GROUP("dtls", test_wolfSSL_mcast_read), \
TEST_DECL_GROUP("dtls", test_wolfSSL_dtls_got_timeout), \
TEST_DECL_GROUP("dtls", test_wolfSSL_DTLS_SetCookieSecret), \
TEST_DECL_GROUP("dtls", test_wolfSSL_set_secret)
#endif /* TESTS_API_DTLS_H */
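Review bot: The TEST_DECL_GROUP list in the last hunk re-registers `test_dtls_set_session_min_downgrade`, which is already in the list as a context line of the previous hunk (`TEST_DECL_GROUP("dtls", test_dtls_set_session_min_downgrade), \`), so that test will be run twice; drop the duplicate entry from the new block. The three entries `test_dtls13_min_rtx_interval`, `test_dtls13_no_session_id_echo` and `test_dtls13_oversized_cert_chain` are not among the prototypes added by the first hunk, and the part of the list between the hunks is not visible here: if they are already registered there they are duplicates as well, and if they are not declared anywhere the macro will not compile, so this is worth confirming against the full header. The remaining additions mirror the new prototypes one-to-one and look consistent.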
+406
@@ -0,0 +1,406 @@
/* test_ssl_cert.c
*
* Copyright (C) 2006-2026 wolfSSL Inc.
*
* This file is part of wolfSSL.
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
#include <tests/unit.h>
#ifdef NO_INLINE
#include <wolfssl/wolfcrypt/misc.h>
#else
#define WOLFSSL_MISC_INCLUDED
#include <wolfcrypt/src/misc.c>
#endif
#include <wolfssl/ssl.h>
#include <wolfssl/internal.h>
#include <tests/utils.h>
#include <tests/api/test_ssl_cert.h>
/* Tests for the certificate APIs in src/ssl_api_cert.c (moved from ssl.c). */
int test_wolfSSL_get_verify_mode(void)
{
EXPECT_DECLS;
#if (defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA) || defined(HAVE_STUNNEL) || \
defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(WOLFSSL_NGINX)) && \
!defined(NO_CERTS) && !defined(NO_WOLFSSL_CLIENT)
WOLFSSL_CTX* ctx = NULL;
WOLFSSL* ssl = NULL;
int mode;
ExpectIntEQ(wolfSSL_get_verify_mode(NULL), WOLFSSL_FAILURE);
ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
ExpectNotNull(ssl = wolfSSL_new(ctx));
wolfSSL_set_verify(ssl, WOLFSSL_VERIFY_NONE, NULL);
ExpectIntEQ(wolfSSL_get_verify_mode(ssl), WOLFSSL_VERIFY_NONE);
wolfSSL_set_verify(ssl, WOLFSSL_VERIFY_PEER, NULL);
ExpectIntEQ(wolfSSL_get_verify_mode(ssl), WOLFSSL_VERIFY_PEER);
wolfSSL_set_verify(ssl, WOLFSSL_VERIFY_PEER |
WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
ExpectIntEQ(wolfSSL_get_verify_mode(ssl),
WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT);
/* Exercise the fail-except-PSK option. */
wolfSSL_set_verify(ssl, WOLFSSL_VERIFY_FAIL_EXCEPT_PSK, NULL);
mode = wolfSSL_get_verify_mode(ssl);
ExpectIntEQ(mode & WOLFSSL_VERIFY_FAIL_EXCEPT_PSK,
WOLFSSL_VERIFY_FAIL_EXCEPT_PSK);
wolfSSL_free(ssl);
wolfSSL_CTX_free(ctx);
#endif
return EXPECT_RESULT();
}
int test_wolfSSL_CTX_get_verify_mode(void)
{
EXPECT_DECLS;
#if (defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA) || defined(HAVE_STUNNEL) || \
defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(WOLFSSL_NGINX)) && \
!defined(NO_CERTS) && !defined(NO_WOLFSSL_CLIENT)
WOLFSSL_CTX* ctx = NULL;
int mode;
ExpectIntEQ(wolfSSL_CTX_get_verify_mode(NULL), WOLFSSL_FAILURE);
ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_NONE, NULL);
ExpectIntEQ(wolfSSL_CTX_get_verify_mode(ctx), WOLFSSL_VERIFY_NONE);
wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER |
WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
ExpectIntEQ(wolfSSL_CTX_get_verify_mode(ctx),
WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT);
wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_FAIL_EXCEPT_PSK, NULL);
mode = wolfSSL_CTX_get_verify_mode(ctx);
ExpectIntEQ(mode & WOLFSSL_VERIFY_FAIL_EXCEPT_PSK,
WOLFSSL_VERIFY_FAIL_EXCEPT_PSK);
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
/* Exercise the post-handshake auth option. */
wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER |
WOLFSSL_VERIFY_POST_HANDSHAKE, NULL);
mode = wolfSSL_CTX_get_verify_mode(ctx);
ExpectIntEQ(mode & WOLFSSL_VERIFY_POST_HANDSHAKE,
WOLFSSL_VERIFY_POST_HANDSHAKE);
#endif
wolfSSL_CTX_free(ctx);
#endif
return EXPECT_RESULT();
}
#if defined(OPENSSL_ALL) && !defined(NO_CERTS) && !defined(NO_WOLFSSL_CLIENT)
static int test_cert_verify_cb(int preverify, WOLFSSL_X509_STORE_CTX* store)
{
(void)store;
return preverify;
}
#endif
int test_wolfSSL_get_verify_callback(void)
{
EXPECT_DECLS;
#if defined(OPENSSL_ALL) && !defined(NO_CERTS) && !defined(NO_WOLFSSL_CLIENT)
WOLFSSL_CTX* ctx = NULL;
WOLFSSL* ssl = NULL;
/* CTX verify callback getter. */
ExpectNull(wolfSSL_CTX_get_verify_callback(NULL));
ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
ExpectNull(wolfSSL_CTX_get_verify_callback(ctx));
wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, test_cert_verify_cb);
ExpectTrue(wolfSSL_CTX_get_verify_callback(ctx) == test_cert_verify_cb);
/* SSL verify callback getter. */
ExpectNull(wolfSSL_get_verify_callback(NULL));
ExpectNotNull(ssl = wolfSSL_new(ctx));
wolfSSL_set_verify(ssl, WOLFSSL_VERIFY_PEER, test_cert_verify_cb);
ExpectTrue(wolfSSL_get_verify_callback(ssl) == test_cert_verify_cb);
wolfSSL_free(ssl);
wolfSSL_CTX_free(ctx);
#endif
return EXPECT_RESULT();
}
int test_wolfSSL_CTX_get_extra_chain_certs(void)
{
EXPECT_DECLS;
#if (defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || \
defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)) && \
!defined(NO_CERTS) && !defined(NO_FILESYSTEM) && !defined(NO_RSA) && \
!defined(NO_WOLFSSL_SERVER)
WOLFSSL_CTX* ctx = NULL;
WOLF_STACK_OF(WOLFSSL_X509)* sk = NULL;
/* NULL arguments fail. */
ExpectIntEQ(wolfSSL_CTX_get_extra_chain_certs(NULL, &sk), WOLFSSL_FAILURE);
/* No certificate chain loaded: succeeds with an empty (NULL) stack. */
ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()));
sk = NULL;
ExpectIntEQ(wolfSSL_CTX_get_extra_chain_certs(ctx, &sk), WOLFSSL_SUCCESS);
ExpectNull(sk);
wolfSSL_CTX_free(ctx);
ctx = NULL;
ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()));
/* server-cert.pem holds a 2-cert chain, so the CA goes into certChain. */
ExpectIntEQ(wolfSSL_CTX_use_certificate_chain_file(ctx, svrCertFile),
WOLFSSL_SUCCESS);
/* Builds a stack of X509 from the stored chain. */
sk = NULL;
ExpectIntEQ(wolfSSL_CTX_get_extra_chain_certs(ctx, &sk), WOLFSSL_SUCCESS);
ExpectNotNull(sk);
/* get0 returns the same (cached) chain. */
sk = NULL;
ExpectIntEQ(wolfSSL_CTX_get0_chain_certs(ctx, &sk), WOLFSSL_SUCCESS);
ExpectIntEQ(wolfSSL_CTX_get0_chain_certs(NULL, &sk), WOLFSSL_FAILURE);
wolfSSL_CTX_free(ctx);
ctx = NULL;
/* A longer chain (leaf + 2 certs) exercises appending past the first
* node, building a multi-element stack. */
ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()));
ExpectIntEQ(wolfSSL_CTX_use_certificate_chain_file(ctx,
"certs/intermediate/server-chain.pem"), WOLFSSL_SUCCESS);
sk = NULL;
ExpectIntEQ(wolfSSL_CTX_get_extra_chain_certs(ctx, &sk), WOLFSSL_SUCCESS);
ExpectNotNull(sk);
ExpectIntGE(wolfSSL_sk_X509_num(sk), 2);
#if (defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO) || \
defined(WOLFSSL_HAPROXY) || defined(WOLFSSL_NGINX) || \
defined(WOLFSSL_QT)) && !defined(NO_WOLFSSL_STUB)
/* Stub: returns via the control command. */
wolfSSL_CTX_clear_extra_chain_certs(ctx);
#endif
wolfSSL_CTX_free(ctx);
#endif
return EXPECT_RESULT();
}
int test_wolfSSL_get_peer_chain(void)
{
EXPECT_DECLS;
#if defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && defined(SESSION_CERTS) && \
!defined(WOLFSSL_NO_TLS12) && !defined(NO_RSA)
WOLFSSL_CTX *ctx_c = NULL, *ctx_s = NULL;
WOLFSSL *ssl_c = NULL, *ssl_s = NULL;
struct test_memio_ctx test_ctx;
WOLFSSL_X509_CHAIN* chain = NULL;
/* NULL / not-yet-populated cases. */
ExpectNull(wolfSSL_get_peer_chain(NULL));
ExpectIntEQ(wolfSSL_get_chain_count(NULL), 0);
ExpectIntEQ(wolfSSL_get_chain_length(NULL, 0), 0);
ExpectNull(wolfSSL_get_chain_cert(NULL, 0));
XMEMSET(&test_ctx, 0, sizeof(test_ctx));
ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
wolfTLSv1_2_client_method, wolfTLSv1_2_server_method), 0);
ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
/* The client now holds the server's certificate chain. */
ExpectNotNull(chain = wolfSSL_get_peer_chain(ssl_c));
ExpectIntGT(wolfSSL_get_chain_count(chain), 0);
ExpectIntGT(wolfSSL_get_chain_length(chain, 0), 0);
ExpectNotNull(wolfSSL_get_chain_cert(chain, 0));
#ifdef WOLFSSL_ALT_CERT_CHAINS
ExpectNull(wolfSSL_get_peer_alt_chain(NULL));
ExpectNotNull(wolfSSL_get_peer_alt_chain(ssl_c));
#endif
#if (defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || \
defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)) && defined(KEEP_OUR_CERT)
{
WOLF_STACK_OF(WOLFSSL_X509)* osk = NULL;
ExpectIntEQ(wolfSSL_get0_chain_certs(NULL, &osk), WOLFSSL_FAILURE);
ExpectIntEQ(wolfSSL_get0_chain_certs(ssl_c, &osk), WOLFSSL_SUCCESS);
}
#endif
wolfSSL_free(ssl_s);
wolfSSL_free(ssl_c);
wolfSSL_CTX_free(ctx_s);
wolfSSL_CTX_free(ctx_c);
#endif
return EXPECT_RESULT();
}
int test_wolfSSL_get_chain_X509(void)
{
EXPECT_DECLS;
#if defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && defined(SESSION_CERTS) && \
!defined(WOLFSSL_NO_TLS12) && !defined(NO_RSA)
WOLFSSL_CTX *ctx_c = NULL, *ctx_s = NULL;
WOLFSSL *ssl_c = NULL, *ssl_s = NULL;
struct test_memio_ctx test_ctx;
WOLFSSL_X509_CHAIN* chain = NULL;
WOLFSSL_X509* x509 = NULL;
XMEMSET(&test_ctx, 0, sizeof(test_ctx));
ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
wolfTLSv1_2_client_method, wolfTLSv1_2_server_method), 0);
ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
ExpectNotNull(chain = wolfSSL_get_peer_chain(ssl_c));
/* A valid index returns a parseable certificate. */
ExpectNotNull(x509 = wolfSSL_get_chain_X509(chain, 0));
wolfSSL_X509_free(x509);
x509 = NULL;
/* NULL chain and an index past MAX_CHAIN_DEPTH return NULL up front. */
ExpectNull(wolfSSL_get_chain_X509(NULL, 0));
ExpectNull(wolfSSL_get_chain_X509(chain, MAX_CHAIN_DEPTH));
/* An index past the populated certs exercises the parse-failure path. */
ExpectNull(wolfSSL_get_chain_X509(chain, wolfSSL_get_chain_count(chain)));
wolfSSL_free(ssl_s);
wolfSSL_free(ssl_c);
wolfSSL_CTX_free(ctx_s);
wolfSSL_CTX_free(ctx_c);
#endif
return EXPECT_RESULT();
}
int test_wolfSSL_get_chain_cert_pem(void)
{
EXPECT_DECLS;
#if defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && defined(SESSION_CERTS) && \
!defined(WOLFSSL_NO_TLS12) && !defined(NO_RSA)
WOLFSSL_CTX *ctx_c = NULL, *ctx_s = NULL;
WOLFSSL *ssl_c = NULL, *ssl_s = NULL;
struct test_memio_ctx test_ctx;
WOLFSSL_X509_CHAIN* chain = NULL;
byte pem[4096];
int pemSz = 0;
int needed = 0;
int chainLen = 0;
XMEMSET(&test_ctx, 0, sizeof(test_ctx));
ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
wolfTLSv1_2_client_method, wolfTLSv1_2_server_method), 0);
ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
ExpectNotNull(chain = wolfSSL_get_peer_chain(ssl_c));
/* Successful PEM conversion. */
pemSz = (int)sizeof(pem);
ExpectIntEQ(wolfSSL_get_chain_cert_pem(chain, 0, pem, (int)sizeof(pem),
&pemSz), WOLFSSL_SUCCESS);
ExpectIntGT(pemSz, 0);
/* Argument validation. */
pemSz = (int)sizeof(pem);
ExpectIntEQ(wolfSSL_get_chain_cert_pem(NULL, 0, pem, (int)sizeof(pem),
&pemSz), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wolfSSL_get_chain_cert_pem(chain, -1, pem, (int)sizeof(pem),
&pemSz), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wolfSSL_get_chain_cert_pem(chain, 99, pem, (int)sizeof(pem),
&pemSz), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wolfSSL_get_chain_cert_pem(chain, 0, pem, (int)sizeof(pem),
NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
/* NULL buffer returns the size needed (length-only query). */
needed = 0;
ExpectIntEQ(wolfSSL_get_chain_cert_pem(chain, 0, NULL, 0, &needed),
WC_NO_ERR_TRACE(LENGTH_ONLY_E));
ExpectIntGT(needed, 0);
ExpectIntLE(needed, (int)sizeof(pem));
/* A buffer shorter than the DER certificate fails up front. */
pemSz = (int)sizeof(pem);
ExpectIntEQ(wolfSSL_get_chain_cert_pem(chain, 0, pem, 1, &pemSz),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
/* One byte short of the full size leaves no room for the footer. */
pemSz = (int)sizeof(pem);
ExpectIntEQ(wolfSSL_get_chain_cert_pem(chain, 0, pem, needed - 1, &pemSz),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
/* Room for the DER length but not the base64-expanded body: the encoder
* reports an error (negative return). */
chainLen = wolfSSL_get_chain_length(chain, 0);
pemSz = (int)sizeof(pem);
ExpectIntLT(wolfSSL_get_chain_cert_pem(chain, 0, pem, chainLen + 100,
&pemSz), 0);
wolfSSL_free(ssl_s);
wolfSSL_free(ssl_c);
wolfSSL_CTX_free(ctx_s);
wolfSSL_CTX_free(ctx_c);
#endif
return EXPECT_RESULT();
}
int test_wolfSSL_cmp_peer_cert_to_file(void)
{
EXPECT_DECLS;
#if defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && defined(OPENSSL_EXTRA) && \
defined(KEEP_PEER_CERT) && defined(HAVE_EX_DATA) && \
!defined(NO_FILESYSTEM) && !defined(WOLFSSL_NO_TLS12) && !defined(NO_RSA)
WOLFSSL_CTX *ctx_c = NULL, *ctx_s = NULL;
WOLFSSL *ssl_c = NULL, *ssl_s = NULL;
struct test_memio_ctx test_ctx;
XMEMSET(&test_ctx, 0, sizeof(test_ctx));
ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
wolfTLSv1_2_client_method, wolfTLSv1_2_server_method), 0);
ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
/* NULL arguments report failure. */
ExpectIntEQ(wolfSSL_cmp_peer_cert_to_file(NULL, svrCertFile),
WOLFSSL_FATAL_ERROR);
ExpectIntEQ(wolfSSL_cmp_peer_cert_to_file(ssl_c, NULL),
WOLFSSL_FATAL_ERROR);
/* The peer (server) certificate matches the file it was loaded from. */
ExpectIntEQ(wolfSSL_cmp_peer_cert_to_file(ssl_c, svrCertFile), 0);
/* A different certificate does not match. */
ExpectIntEQ(wolfSSL_cmp_peer_cert_to_file(ssl_c, caCertFile),
WOLFSSL_FATAL_ERROR);
/* A missing file reports a file error. */
ExpectIntEQ(wolfSSL_cmp_peer_cert_to_file(ssl_c,
"certs/does-not-exist.pem"), WC_NO_ERR_TRACE(WOLFSSL_BAD_FILE));
/* A readable file that is not PEM-encoded fails conversion. */
ExpectIntEQ(wolfSSL_cmp_peer_cert_to_file(ssl_c, cliCertDerFile),
WOLFSSL_FATAL_ERROR);
wolfSSL_free(ssl_s);
wolfSSL_free(ssl_c);
wolfSSL_CTX_free(ctx_s);
wolfSSL_CTX_free(ctx_c);
#endif
return EXPECT_RESULT();
}
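--- a/tests/api/test_ssl_cert.h
+++ b/tests/api/test_ssl_cert.h
@@ -0,0 +1,44 @@
+/* test_ssl_cert.h
+ *
+ * Copyright (C) 2006-2026 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+#ifndef TESTS_API_SSL_CERT_H
+#define TESTS_API_SSL_CERT_H
+int test_wolfSSL_get_verify_mode(void);
+int test_wolfSSL_CTX_get_verify_mode(void);
+int test_wolfSSL_get_verify_callback(void);
+int test_wolfSSL_CTX_get_extra_chain_certs(void);
+int test_wolfSSL_get_peer_chain(void);
+int test_wolfSSL_get_chain_X509(void);
+int test_wolfSSL_get_chain_cert_pem(void);
+int test_wolfSSL_cmp_peer_cert_to_file(void);
+#define TEST_SSL_CERT_DECLS \
+    TEST_DECL_GROUP("ssl_cert", test_wolfSSL_get_verify_mode), \
+    TEST_DECL_GROUP("ssl_cert", test_wolfSSL_CTX_get_verify_mode), \
+    TEST_DECL_GROUP("ssl_cert", test_wolfSSL_get_verify_callback), \
+    TEST_DECL_GROUP("ssl_cert", test_wolfSSL_CTX_get_extra_chain_certs), \
+    TEST_DECL_GROUP("ssl_cert", test_wolfSSL_get_peer_chain), \
+    TEST_DECL_GROUP("ssl_cert", test_wolfSSL_get_chain_X509), \
+    TEST_DECL_GROUP("ssl_cert", test_wolfSSL_get_chain_cert_pem), \
+    TEST_DECL_GROUP("ssl_cert", test_wolfSSL_cmp_peer_cert_to_file)
+#endif /* TESTS_API_SSL_CERT_H */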
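--- a/tests/api/test_ssl_ext.c
+++ b/tests/api/test_ssl_ext.c
@@ -0,0 +1,688 @@
+/* test_ssl_ext.c
+ *
+ * Copyright (C) 2006-2026 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+#include <tests/unit.h>
+#ifdef NO_INLINE
+    #include <wolfssl/wolfcrypt/misc.h>
+#else
+    #define WOLFSSL_MISC_INCLUDED
+    #include <wolfcrypt/src/misc.c>
+#endif
+#include <wolfssl/ssl.h>
+#include <wolfssl/internal.h>
+#include <tests/utils.h>
+#include <tests/api/test_ssl_ext.h>
+/* Tests for the TLS extension APIs in src/ssl_api_ext.c (moved from ssl.c).
+ * These cover functions not already exercised elsewhere in api.c. */
+int test_wolfSSL_NoTicketTLSv12_ext(void)
+{
+    EXPECT_DECLS;
+#if defined(HAVE_SESSION_TICKET) && !defined(NO_WOLFSSL_SERVER) && \
+    (defined(NO_CERTS) || !defined(NO_RSA))
+    WOLFSSL_CTX* ctx = NULL;
+    WOLFSSL* ssl = NULL;
+    /* NULL arguments are rejected. */
+    ExpectIntEQ(wolfSSL_CTX_NoTicketTLSv12(NULL),
+        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+    ExpectIntEQ(wolfSSL_NoTicketTLSv12(NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+    ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()));
+    ExpectIntEQ(wolfSSL_CTX_NoTicketTLSv12(ctx), WOLFSSL_SUCCESS);
+#ifndef NO_CERTS
+    /* A server WOLFSSL needs a key and certificate set on the context. */
+    ExpectIntEQ(wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, CERT_FILETYPE),
+        WOLFSSL_SUCCESS);
+    ExpectIntEQ(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile,
+        CERT_FILETYPE), WOLFSSL_SUCCESS);
+#endif
+    ExpectNotNull(ssl = wolfSSL_new(ctx));
+    ExpectIntEQ(wolfSSL_NoTicketTLSv12(ssl), WOLFSSL_SUCCESS);
+    wolfSSL_free(ssl);
+    wolfSSL_CTX_free(ctx);
+#endif
+    return EXPECT_RESULT();
+}
+int test_wolfSSL_CTX_UseMaxFragment_ext(void)
+{
+    EXPECT_DECLS;
+#if defined(HAVE_MAX_FRAGMENT) && !defined(NO_WOLFSSL_CLIENT)
+    WOLFSSL_CTX* ctx = NULL;
+    /* NULL context is rejected. */
+    ExpectIntEQ(wolfSSL_CTX_UseMaxFragment(NULL, WOLFSSL_MFL_2_9),
+        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+    ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
+    ExpectIntEQ(wolfSSL_CTX_UseMaxFragment(ctx, WOLFSSL_MFL_2_9),
+        WOLFSSL_SUCCESS);
+    ExpectIntEQ(wolfSSL_CTX_UseMaxFragment(ctx, WOLFSSL_MFL_2_12),
+        WOLFSSL_SUCCESS);
+    wolfSSL_CTX_free(ctx);
+#endif
+    return EXPECT_RESULT();
+}
+int test_wolfSSL_CTX_num_tickets_ext(void)
+{
+    EXPECT_DECLS;
+#if defined(HAVE_SESSION_TICKET) && defined(WOLFSSL_TLS13) && \
+    !defined(NO_WOLFSSL_SERVER)
+    WOLFSSL_CTX* ctx = NULL;
+    /* NULL context: set fails, get returns zero. */
+    ExpectIntEQ(wolfSSL_CTX_set_num_tickets(NULL, 5), WOLFSSL_FAILURE);
+    ExpectIntEQ((int)wolfSSL_CTX_get_num_tickets(NULL), 0);
+    ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()));
+    ExpectIntEQ(wolfSSL_CTX_set_num_tickets(ctx, 3), WOLFSSL_SUCCESS);
+    ExpectIntEQ((int)wolfSSL_CTX_get_num_tickets(ctx), 3);
+    wolfSSL_CTX_free(ctx);
+#endif
+    return EXPECT_RESULT();
+}
+int test_wolfSSL_set1_groups_ext(void)
+{
+    EXPECT_DECLS;
+#if defined(OPENSSL_EXTRA) && defined(HAVE_SUPPORTED_CURVES) && \
+    !defined(NO_WOLFSSL_CLIENT)
+    WOLFSSL_CTX* ctx = NULL;
+    WOLFSSL* ssl = NULL;
+    int dummy[1];
+#ifdef HAVE_ECC
+    int groups[1];
+#endif
+    ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
+    ExpectNotNull(ssl = wolfSSL_new(ctx));
+    /* A zero or too-large group count is rejected. */
+    ExpectIntEQ(wolfSSL_CTX_set1_groups(ctx, dummy, 0), WOLFSSL_FAILURE);
+    ExpectIntEQ(wolfSSL_CTX_set1_groups(ctx, dummy,
+        WOLFSSL_MAX_GROUP_COUNT + 1), WOLFSSL_FAILURE);
+    ExpectIntEQ(wolfSSL_set1_groups(ssl, dummy, 0), WOLFSSL_FAILURE);
+    ExpectIntEQ(wolfSSL_set1_groups(ssl, dummy,
+        WOLFSSL_MAX_GROUP_COUNT + 1), WOLFSSL_FAILURE);
+#ifdef HAVE_ECC
+    /* A valid named group succeeds. */
+    groups[0] = WOLFSSL_ECC_SECP256R1;
+    ExpectIntEQ(wolfSSL_CTX_set1_groups(ctx, groups, 1), WOLFSSL_SUCCESS);
+    ExpectIntEQ(wolfSSL_set1_groups(ssl, groups, 1), WOLFSSL_SUCCESS);
+#endif
+    wolfSSL_free(ssl);
+    wolfSSL_CTX_free(ctx);
+#endif
+    return EXPECT_RESULT();
+}
+int test_wolfSSL_set1_groups_list_ext(void)
+{
+    EXPECT_DECLS;
+#if defined(OPENSSL_EXTRA) && defined(HAVE_ECC) && defined(WOLFSSL_TLS13) && \
+    defined(HAVE_SUPPORTED_CURVES) && !defined(NO_WOLFSSL_CLIENT)
+    WOLFSSL_CTX* ctx = NULL;
+    WOLFSSL* ssl = NULL;
+    /* NULL arguments are rejected. */
+    ExpectIntEQ(wolfSSL_CTX_set1_groups_list(NULL, "P-256"), WOLFSSL_FAILURE);
+    ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
+    ExpectNotNull(ssl = wolfSSL_new(ctx));
+    ExpectIntEQ(wolfSSL_CTX_set1_groups_list(ctx, NULL), WOLFSSL_FAILURE);
+    ExpectIntEQ(wolfSSL_set1_groups_list(ssl, NULL), WOLFSSL_FAILURE);
+    /* A known group name succeeds. */
+    ExpectIntEQ(wolfSSL_CTX_set1_groups_list(ctx, "P-256"), WOLFSSL_SUCCESS);
+    ExpectIntEQ(wolfSSL_set1_groups_list(ssl, "P-256"), WOLFSSL_SUCCESS);
+    wolfSSL_free(ssl);
+    wolfSSL_CTX_free(ctx);
+#endif
+    return EXPECT_RESULT();
+}
+int test_wolfSSL_CTX_set_TicketHint_ext(void)
+{
+    EXPECT_DECLS;
+#if defined(HAVE_SESSION_TICKET) && !defined(NO_WOLFSSL_SERVER)
+    WOLFSSL_CTX* ctx = NULL;
+    ExpectIntEQ(wolfSSL_CTX_set_TicketHint(NULL, 100),
+        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+    ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()));
+    /* RFC 8446 caps the hint at 604800 seconds (7 days). */
+    ExpectIntEQ(wolfSSL_CTX_set_TicketHint(ctx, -1),
+        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+    ExpectIntEQ(wolfSSL_CTX_set_TicketHint(ctx, 604801),
+        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+    ExpectIntEQ(wolfSSL_CTX_set_TicketHint(ctx, 0), WOLFSSL_SUCCESS);
+    ExpectIntEQ(wolfSSL_CTX_set_TicketHint(ctx, 604800), WOLFSSL_SUCCESS);
+    wolfSSL_CTX_free(ctx);
+#endif
+    return EXPECT_RESULT();
+}
+int test_wolfSSL_tlsext_max_fragment_length_ext(void)
+{
+    EXPECT_DECLS;
+#if defined(OPENSSL_EXTRA) && defined(HAVE_MAX_FRAGMENT) && \
+    !defined(NO_WOLFSSL_CLIENT)
+    WOLFSSL_CTX* ctx = NULL;
+    WOLFSSL* ssl = NULL;
+    ExpectIntEQ(wolfSSL_CTX_set_tlsext_max_fragment_length(NULL,
+        WOLFSSL_MFL_2_9), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+    ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
+    ExpectNotNull(ssl = wolfSSL_new(ctx));
+    /* Modes outside the WOLFSSL_MFL_2_9..WOLFSSL_MFL_2_12 range are rejected. */
+    ExpectIntEQ(wolfSSL_CTX_set_tlsext_max_fragment_length(ctx,
+        WOLFSSL_MFL_2_9 - 1), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+    ExpectIntEQ(wolfSSL_CTX_set_tlsext_max_fragment_length(ctx,
+        WOLFSSL_MFL_2_12 + 1), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+    ExpectIntEQ(wolfSSL_CTX_set_tlsext_max_fragment_length(ctx,
+        WOLFSSL_MFL_2_9), WOLFSSL_SUCCESS);
+    ExpectIntEQ(wolfSSL_set_tlsext_max_fragment_length(NULL, WOLFSSL_MFL_2_9),
+        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+    ExpectIntEQ(wolfSSL_set_tlsext_max_fragment_length(ssl, WOLFSSL_MFL_2_12),
+        WOLFSSL_SUCCESS);
+    wolfSSL_free(ssl);
+    wolfSSL_CTX_free(ctx);
+#endif
+    return EXPECT_RESULT();
+}
+int test_wolfSSL_DisableExtendedMasterSecret_ext(void)
+{
+    EXPECT_DECLS;
+#if defined(HAVE_EXTENDED_MASTER) && !defined(NO_WOLFSSL_CLIENT) && \
+    !defined(NO_TLS)
+    WOLFSSL_CTX* ctx = NULL;
+    WOLFSSL* ssl = NULL;
+    ExpectIntEQ(wolfSSL_CTX_DisableExtendedMasterSecret(NULL),
+        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+    ExpectIntEQ(wolfSSL_DisableExtendedMasterSecret(NULL),
+        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+    ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
+    ExpectIntEQ(wolfSSL_CTX_DisableExtendedMasterSecret(ctx), WOLFSSL_SUCCESS);
+    ExpectNotNull(ssl = wolfSSL_new(ctx));
+    ExpectIntEQ(wolfSSL_DisableExtendedMasterSecret(ssl), WOLFSSL_SUCCESS);
+    wolfSSL_free(ssl);
+    wolfSSL_CTX_free(ctx);
+#endif
+    return EXPECT_RESULT();
+}
+int test_wolfSSL_set_tlsext_host_name_ext(void)
+{
+    EXPECT_DECLS;
+#if (defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA)) && defined(HAVE_SNI) && \
+    !defined(NO_WOLFSSL_CLIENT)
+    WOLFSSL_CTX* ctx = NULL;
+    WOLFSSL* ssl = NULL;
+    ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
+    ExpectNotNull(ssl = wolfSSL_new(ctx));
+    ExpectIntEQ(wolfSSL_set_tlsext_host_name(ssl, "localhost"),
+        WOLFSSL_SUCCESS);
+#ifndef NO_WOLFSSL_SERVER
+    /* On the client the host name just set is returned. */
+    ExpectStrEQ(wolfSSL_get_servername(ssl, WOLFSSL_SNI_HOST_NAME),
+        "localhost");
+    ExpectNull(wolfSSL_get_servername(NULL, WOLFSSL_SNI_HOST_NAME));
+#endif
+    wolfSSL_free(ssl);
+    wolfSSL_CTX_free(ctx);
+#endif
+    return EXPECT_RESULT();
+}
+int test_wolfSSL_CTX_set_tlsext_servername_callback_ext(void)
+{
+    EXPECT_DECLS;
+#if (defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA)) && defined(HAVE_SNI) && \
+    !defined(NO_WOLFSSL_CLIENT)
+    WOLFSSL_CTX* ctx = NULL;
+    ExpectIntEQ(wolfSSL_CTX_set_tlsext_servername_callback(NULL, NULL),
+        WOLFSSL_FAILURE);
+    ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
+    ExpectIntEQ(wolfSSL_CTX_set_tlsext_servername_callback(ctx, NULL),
+        WOLFSSL_SUCCESS);
+    wolfSSL_CTX_free(ctx);
+#endif
+    return EXPECT_RESULT();
+}
+int test_wolfSSL_set_tlsext_debug_arg_ext(void)
+{
+    EXPECT_DECLS;
+#if defined(OPENSSL_EXTRA) && defined(HAVE_PK_CALLBACKS) && \
+    !defined(NO_WOLFSSL_CLIENT)
+    WOLFSSL_CTX* ctx = NULL;
+    WOLFSSL* ssl = NULL;
+    int arg = 0;
+    ExpectIntEQ(wolfSSL_set_tlsext_debug_arg(NULL, &arg), WOLFSSL_FAILURE);
+    ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
+    ExpectNotNull(ssl = wolfSSL_new(ctx));
+    ExpectIntEQ(wolfSSL_set_tlsext_debug_arg(ssl, &arg), WOLFSSL_SUCCESS);
+    wolfSSL_free(ssl);
+    wolfSSL_CTX_free(ctx);
+#endif
+    return EXPECT_RESULT();
+}
+int test_wolfSSL_set_SessionTicket_cb_ext(void)
+{
+    EXPECT_DECLS;
+#if defined(HAVE_SESSION_TICKET) && !defined(NO_WOLFSSL_CLIENT)
+    WOLFSSL_CTX* ctx = NULL;
+    WOLFSSL* ssl = NULL;
+    ExpectIntEQ(wolfSSL_set_SessionTicket_cb(NULL, NULL, NULL),
+        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+    ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
+    ExpectNotNull(ssl = wolfSSL_new(ctx));
+    ExpectIntEQ(wolfSSL_set_SessionTicket_cb(ssl, NULL, NULL),
+        WOLFSSL_SUCCESS);
+    wolfSSL_free(ssl);
+    wolfSSL_CTX_free(ctx);
+#endif
+    return EXPECT_RESULT();
+}
+int test_wolfSSL_set1_curves_list_ext(void)
+{
+    EXPECT_DECLS;
+#if (defined(OPENSSL_EXTRA) || defined(HAVE_CURL)) && \
+    (defined(HAVE_ECC) || defined(HAVE_CURVE25519) || defined(HAVE_CURVE448)) \
+    && !defined(NO_WOLFSSL_CLIENT)
+    WOLFSSL_CTX* ctx = NULL;
+    WOLFSSL* ssl = NULL;
+    ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
+    ExpectNotNull(ssl = wolfSSL_new(ctx));
+    /* NULL object or list is rejected. */
+    ExpectIntEQ(wolfSSL_set1_curves_list(NULL, "P-256"), WOLFSSL_FAILURE);
+    ExpectIntEQ(wolfSSL_set1_curves_list(ssl, NULL), WOLFSSL_FAILURE);
+#ifdef HAVE_ECC
+    ExpectIntEQ(wolfSSL_set1_curves_list(ssl, "P-256"), WOLFSSL_SUCCESS);
+#endif
+    wolfSSL_free(ssl);
+    wolfSSL_CTX_free(ctx);
+#endif
+    return EXPECT_RESULT();
+}
+int test_wolfSSL_SecureResume_ext(void)
+{
+    EXPECT_DECLS;
+#if defined(HAVE_SECURE_RENEGOTIATION) && !defined(NO_WOLFSSL_CLIENT)
+    WOLFSSL_CTX* ctx = NULL;
+    WOLFSSL* ssl = NULL;
+    ExpectIntEQ(wolfSSL_SecureResume(NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+    ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
+    ExpectNotNull(ssl = wolfSSL_new(ctx));
+    /* Secure renegotiation has not been forced on, so resume is refused. */
+    ExpectIntEQ(wolfSSL_SecureResume(ssl),
+        WC_NO_ERR_TRACE(SECURE_RENEGOTIATION_E));
+    wolfSSL_free(ssl);
+    wolfSSL_CTX_free(ctx);
+#endif
+    return EXPECT_RESULT();
+}
+int test_wolfSSL_CTX_UseSecureRenegotiation_ext(void)
+{
+    EXPECT_DECLS;
+#if defined(HAVE_SERVER_RENEGOTIATION_INFO) && !defined(NO_WOLFSSL_CLIENT)
+    WOLFSSL_CTX* ctx = NULL;
+    /* NULL context is rejected. */
+    ExpectIntEQ(wolfSSL_CTX_UseSecureRenegotiation(NULL),
+        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+    ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
+    ExpectIntEQ(wolfSSL_CTX_UseSecureRenegotiation(ctx), WOLFSSL_SUCCESS);
+    wolfSSL_CTX_free(ctx);
+#endif
+    return EXPECT_RESULT();
+}
+int test_wolfSSL_next_proto_cb_ext(void)
+{
+    EXPECT_DECLS;
+#if (defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || \
+    defined(WOLFSSL_HAPROXY) || defined(HAVE_LIGHTY) || \
+    defined(WOLFSSL_QUIC)) && defined(HAVE_ALPN) && \
+    !defined(NO_WOLFSSL_CLIENT)
+    WOLFSSL_CTX* ctx = NULL;
+    WOLFSSL* ssl = NULL;
+    const unsigned char* data = NULL;
+    unsigned int len = 0;
+    ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
+    ExpectNotNull(ssl = wolfSSL_new(ctx));
+    /* These NPN APIs are no-op stubs for OpenSSL compatibility. Exercise
+     * them to confirm they accept NULL callbacks without crashing. */
+    wolfSSL_CTX_set_next_protos_advertised_cb(ctx, NULL, NULL);
+    wolfSSL_CTX_set_next_proto_select_cb(ctx, NULL, NULL);
+    wolfSSL_get0_next_proto_negotiated(ssl, &data, &len);
+    wolfSSL_free(ssl);
+    wolfSSL_CTX_free(ctx);
+#endif
+    return EXPECT_RESULT();
+}
+int test_wolfSSL_tlsext_status_exts_ids_ext(void)
+{
+    EXPECT_DECLS;
+#if defined(OPENSSL_EXTRA) && !defined(NO_WOLFSSL_STUB) && \
+    !defined(NO_WOLFSSL_CLIENT)
+    WOLFSSL_CTX* ctx = NULL;
+    WOLFSSL* ssl = NULL;
+    ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
+    ExpectNotNull(ssl = wolfSSL_new(ctx));
+    /* These status_request extension/id APIs are unimplemented stubs that
+     * always report failure. */
+    ExpectIntEQ(wolfSSL_get_tlsext_status_exts(ssl, NULL), WOLFSSL_FAILURE);
+    ExpectIntEQ(wolfSSL_set_tlsext_status_exts(ssl, NULL), WOLFSSL_FAILURE);
+    ExpectIntEQ(wolfSSL_get_tlsext_status_ids(ssl, NULL), WOLFSSL_FAILURE);
+    ExpectIntEQ(wolfSSL_set_tlsext_status_ids(ssl, NULL), WOLFSSL_FAILURE);
+    wolfSSL_free(ssl);
+    wolfSSL_CTX_free(ctx);
+#endif
+    return EXPECT_RESULT();
+}
+int test_wolfSSL_SNI_GetFromBuffer_inval_ext(void)
+{
+    EXPECT_DECLS;
+#if defined(HAVE_SNI) && !defined(NO_WOLFSSL_SERVER) && !defined(NO_TLS)
+    byte sni[32];
+    word32 sniSz = (word32)sizeof(sni);
+    byte hello[8] = { 0 };
+    /* A NULL ClientHello buffer is rejected. */
+    ExpectIntEQ(wolfSSL_SNI_GetFromBuffer(NULL, (word32)sizeof(hello), 0, sni,
+        &sniSz), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+#endif
+    return EXPECT_RESULT();
+}
+int test_wolfSSL_UseTrustedCA_inval_ext(void)
+{
+    EXPECT_DECLS;
+#if defined(HAVE_TRUSTED_CA) && !defined(NO_WOLFSSL_CLIENT) && !defined(NO_TLS)
+    WOLFSSL_CTX* ctx = NULL;
+    WOLFSSL* ssl = NULL;
+    const byte id[1] = { 0 };
+    ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
+    ExpectNotNull(ssl = wolfSSL_new(ctx));
+    /* The pre-agreed type must not carry an identifier. */
+    ExpectIntEQ(wolfSSL_UseTrustedCA(ssl, WOLFSSL_TRUSTED_CA_PRE_AGREED, id, 1),
+        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+    wolfSSL_free(ssl);
+    wolfSSL_CTX_free(ctx);
+#endif
+    return EXPECT_RESULT();
+}
+int test_wolfSSL_UseMaxFragment_inval_ext(void)
+{
+    EXPECT_DECLS;
+#if defined(HAVE_MAX_FRAGMENT) && !defined(NO_WOLFSSL_CLIENT) && \
+    !defined(NO_TLS)
+    /* A NULL object is rejected. */
+    ExpectIntEQ(wolfSSL_UseMaxFragment(NULL, WOLFSSL_MFL_2_9),
+        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+#endif
+    return EXPECT_RESULT();
+}
+int test_wolfSSL_set1_groups_inval_ext(void)
+{
+    EXPECT_DECLS;
+#if defined(HAVE_SUPPORTED_CURVES) && defined(OPENSSL_EXTRA) && \
+    defined(HAVE_ECC) && !defined(NO_WOLFSSL_CLIENT) && !defined(NO_TLS)
+    WOLFSSL_CTX* ctx = NULL;
+    WOLFSSL* ssl = NULL;
+    int badGroups[1];
+    badGroups[0] = 0xFFFE; /* neither a named group nor a valid curve NID */
+    ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
+    ExpectNotNull(ssl = wolfSSL_new(ctx));
+    /* An unrecognized group identifier is rejected. */
+    ExpectIntEQ(wolfSSL_set1_groups(ssl, badGroups, 1), WOLFSSL_FAILURE);
+    ExpectIntEQ(wolfSSL_CTX_set1_groups(ctx, badGroups, 1), WOLFSSL_FAILURE);
+    wolfSSL_free(ssl);
+    wolfSSL_CTX_free(ctx);
+#endif
+    return EXPECT_RESULT();
+}
+int test_wolfSSL_UseALPN_inval_ext(void)
+{
+    EXPECT_DECLS;
+#if defined(HAVE_ALPN) && !defined(NO_WOLFSSL_CLIENT) && !defined(NO_TLS)
+    WOLFSSL_CTX* ctx = NULL;
+    WOLFSSL* ssl = NULL;
+    char proto[] = "h2";
+    ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
+    ExpectNotNull(ssl = wolfSSL_new(ctx));
+    /* A protocol-list length beyond the maximum is rejected. */
+    ExpectIntEQ(wolfSSL_UseALPN(ssl, proto,
+        (word32)(WOLFSSL_MAX_ALPN_NUMBER * WOLFSSL_MAX_ALPN_PROTO_NAME_LEN +
+                 WOLFSSL_MAX_ALPN_NUMBER + 1),
+        WOLFSSL_ALPN_CONTINUE_ON_MISMATCH), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+    /* No mismatch option set is rejected. */
+    ExpectIntEQ(wolfSSL_UseALPN(ssl, proto, (word32)XSTRLEN(proto), 0),
+        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+    wolfSSL_free(ssl);
+    wolfSSL_CTX_free(ctx);
+#endif
+    return EXPECT_RESULT();
+}
+int test_wolfSSL_ALPN_GetPeerProtocol_inval_ext(void)
+{
+    EXPECT_DECLS;
+#if defined(HAVE_ALPN) && !defined(NO_WOLFSSL_CLIENT) && !defined(NO_TLS)
+    WOLFSSL_CTX* ctx = NULL;
+    WOLFSSL* ssl = NULL;
+    char* list = NULL;
+    word16 listSz = 0;
+    /* NULL arguments are rejected. */
+    ExpectIntEQ(wolfSSL_ALPN_GetPeerProtocol(NULL, &list, &listSz),
+        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+    ExpectIntEQ(wolfSSL_ALPN_FreePeerProtocol(NULL, &list),
+        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+    ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
+    ExpectNotNull(ssl = wolfSSL_new(ctx));
+    /* The peer has not offered any protocols yet. */
+    ExpectIntEQ(wolfSSL_ALPN_GetPeerProtocol(ssl, &list, &listSz),
+        WC_NO_ERR_TRACE(BUFFER_ERROR));
+    wolfSSL_free(ssl);
+    wolfSSL_CTX_free(ctx);
+#endif
+    return EXPECT_RESULT();
+}
+int test_wolfSSL_CTX_set_TicketEncCb_inval_ext(void)
+{
+    EXPECT_DECLS;
+#if defined(HAVE_SESSION_TICKET) && !defined(NO_WOLFSSL_SERVER) && \
+    !defined(NO_TLS)
+    /* A NULL context is rejected. */
+    ExpectIntEQ(wolfSSL_CTX_set_TicketEncCb(NULL, NULL),
+        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+#endif
+    return EXPECT_RESULT();
+}
+int test_wolfSSL_SessionTicket_inval_ext(void)
+{
+    EXPECT_DECLS;
+#if defined(HAVE_SESSION_TICKET) && !defined(NO_WOLFSSL_CLIENT) && \
+    !defined(NO_TLS)
+    WOLFSSL_CTX* ctx = NULL;
+    WOLFSSL* ssl = NULL;
+    byte tick[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };
+    byte out[8];
+    word32 outSz;
+    byte big[4096];
+    XMEMSET(big, 0x5a, sizeof(big));
+    /* NULL object checks. */
+    ExpectIntEQ(wolfSSL_UseSessionTicket(NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+    ExpectIntEQ(wolfSSL_CTX_UseSessionTicket(NULL),
+        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+    ExpectIntEQ(wolfSSL_set_SessionTicket(NULL, tick, (word32)sizeof(tick)),
+        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+    ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
+    ExpectNotNull(ssl = wolfSSL_new(ctx));
+    /* set: a non-zero size with a NULL buffer is rejected. */
+    ExpectIntEQ(wolfSSL_set_SessionTicket(ssl, NULL, 4),
+        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+    /* get: NULL object and NULL buffer with non-zero size are rejected. */
+    outSz = (word32)sizeof(out);
+    ExpectIntEQ(wolfSSL_get_SessionTicket(NULL, out, &outSz),
+        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+    outSz = (word32)sizeof(out);
+    ExpectIntEQ(wolfSSL_get_SessionTicket(ssl, NULL, &outSz),
+        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+    /* Store a short ticket (static-buffer path). */
+    ExpectIntEQ(wolfSSL_set_SessionTicket(ssl, tick, (word32)sizeof(tick)),
+        WOLFSSL_SUCCESS);
+    /* Retrieving into a buffer that is too small reports zero length. */
+    outSz = 2;
+    ExpectIntEQ(wolfSSL_get_SessionTicket(ssl, out, &outSz), WOLFSSL_SUCCESS);
+    ExpectIntEQ(outSz, 0);
+    /* A ticket larger than the static buffer (SESSION_TICKET_LEN) uses
+     * dynamic storage; growing it again frees the previous allocation, and a
+     * later short ticket returns to the static buffer. */
+    ExpectIntEQ(wolfSSL_set_SessionTicket(ssl, big, 3000), WOLFSSL_SUCCESS);
+    ExpectIntEQ(wolfSSL_set_SessionTicket(ssl, big, 4000), WOLFSSL_SUCCESS);
+    ExpectIntEQ(wolfSSL_set_SessionTicket(ssl, tick, (word32)sizeof(tick)),
+        WOLFSSL_SUCCESS);
+    wolfSSL_free(ssl);
+    wolfSSL_CTX_free(ctx);
+#endif
+    return EXPECT_RESULT();
+}
+int test_wolfSSL_CTX_set_servername_arg_inval_ext(void)
+{
+    EXPECT_DECLS;
+#if defined(HAVE_SNI)
+    /* A NULL context is rejected. */
+    ExpectIntEQ(wolfSSL_CTX_set_servername_arg(NULL, NULL), WOLFSSL_FAILURE);
+#endif
+    return EXPECT_RESULT();
+}
+int test_wolfSSL_CTX_set_alpn_protos_inval_ext(void)
+{
+    EXPECT_DECLS;
+#if defined(OPENSSL_EXTRA) && !defined(NO_WOLFSSL_CLIENT) && !defined(NO_TLS)
+    WOLFSSL_CTX* ctx = NULL;
+    const unsigned char protos[] = { 2, 'h', '2' };
+#if defined(WOLFSSL_ERROR_CODE_OPENSSL)
+    const int good = 0;
+#else
+    const int good = WOLFSSL_SUCCESS;
+#endif
+    /* A NULL context is rejected. */
+    ExpectIntEQ(wolfSSL_CTX_set_alpn_protos(NULL, protos, (unsigned int)
+        sizeof(protos)), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+    ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
+    /* Setting twice exercises the free-previous-list path. */
+    ExpectIntEQ(wolfSSL_CTX_set_alpn_protos(ctx, protos,
+        (unsigned int)sizeof(protos)), good);
+    ExpectIntEQ(wolfSSL_CTX_set_alpn_protos(ctx, protos,
+        (unsigned int)sizeof(protos)), good);
+    wolfSSL_CTX_free(ctx);
+#endif
+    return EXPECT_RESULT();
+}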
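Review bot: The guard on test_wolfSSL_NoTicketTLSv12_ext admits builds with NO_FILESYSTEM defined while its `#ifndef NO_CERTS` body still calls wolfSSL_CTX_use_PrivateKey_file and wolfSSL_CTX_use_certificate_file with svrKeyFile and svrCertFile; if those file loaders are compiled out without a filesystem, as the `!defined(NO_FILESYSTEM)` term on test_wolfSSL_CTX_get_extra_chain_certs earlier in this commit suggests, that configuration fails to build. Tightening the guard to `(defined(NO_CERTS) || (!defined(NO_RSA) && !defined(NO_FILESYSTEM)))` keeps the test to configurations it can actually run in. Separately, `int dummy[1];` in test_wolfSSL_set1_groups_ext is passed uninitialized to wolfSSL_CTX_set1_groups and wolfSSL_set1_groups; the rejected counts should mean it is never read, but `int dummy[1] = { 0 };` removes the test's dependence on that check ordering.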
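--- a/tests/api/test_ssl_ext.h
+++ b/tests/api/test_ssl_ext.h
@@ -0,0 +1,92 @@
+/* test_ssl_ext.h
+ *
+ * Copyright (C) 2006-2026 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+#ifndef TESTS_API_SSL_EXT_H
+#define TESTS_API_SSL_EXT_H
+int test_wolfSSL_NoTicketTLSv12_ext(void);
+int test_wolfSSL_CTX_UseMaxFragment_ext(void);
+int test_wolfSSL_CTX_num_tickets_ext(void);
+int test_wolfSSL_set1_groups_ext(void);
+int test_wolfSSL_set1_groups_list_ext(void);
+int test_wolfSSL_CTX_set_TicketHint_ext(void);
+int test_wolfSSL_tlsext_max_fragment_length_ext(void);
+int test_wolfSSL_DisableExtendedMasterSecret_ext(void);
+int test_wolfSSL_set_tlsext_host_name_ext(void);
+int test_wolfSSL_CTX_set_tlsext_servername_callback_ext(void);
+int test_wolfSSL_set_tlsext_debug_arg_ext(void);
+int test_wolfSSL_set_SessionTicket_cb_ext(void);
+int test_wolfSSL_set1_curves_list_ext(void);
+int test_wolfSSL_SecureResume_ext(void);
+int test_wolfSSL_CTX_UseSecureRenegotiation_ext(void);
+int test_wolfSSL_next_proto_cb_ext(void);
+int test_wolfSSL_tlsext_status_exts_ids_ext(void);
+int test_wolfSSL_SNI_GetFromBuffer_inval_ext(void);
+int test_wolfSSL_UseTrustedCA_inval_ext(void);
+int test_wolfSSL_UseMaxFragment_inval_ext(void);
+int test_wolfSSL_set1_groups_inval_ext(void);
+int test_wolfSSL_UseALPN_inval_ext(void);
+int test_wolfSSL_ALPN_GetPeerProtocol_inval_ext(void);
+int test_wolfSSL_CTX_set_TicketEncCb_inval_ext(void);
+int test_wolfSSL_SessionTicket_inval_ext(void);
+int test_wolfSSL_CTX_set_servername_arg_inval_ext(void);
+int test_wolfSSL_CTX_set_alpn_protos_inval_ext(void);
+#define TEST_SSL_EXT_DECLS \
+    TEST_DECL_GROUP("ssl_ext", test_wolfSSL_NoTicketTLSv12_ext), \
+    TEST_DECL_GROUP("ssl_ext", test_wolfSSL_CTX_UseMaxFragment_ext), \
+    TEST_DECL_GROUP("ssl_ext", test_wolfSSL_CTX_num_tickets_ext), \
+    TEST_DECL_GROUP("ssl_ext", test_wolfSSL_set1_groups_ext), \
+    TEST_DECL_GROUP("ssl_ext", test_wolfSSL_set1_groups_list_ext), \
+    TEST_DECL_GROUP("ssl_ext", test_wolfSSL_CTX_set_TicketHint_ext), \
+    TEST_DECL_GROUP("ssl_ext", \
+        test_wolfSSL_tlsext_max_fragment_length_ext), \
+    TEST_DECL_GROUP("ssl_ext", \
+        test_wolfSSL_DisableExtendedMasterSecret_ext), \
+    TEST_DECL_GROUP("ssl_ext", test_wolfSSL_set_tlsext_host_name_ext), \
+    TEST_DECL_GROUP("ssl_ext", \
+        test_wolfSSL_CTX_set_tlsext_servername_callback_ext), \
+    TEST_DECL_GROUP("ssl_ext", test_wolfSSL_set_tlsext_debug_arg_ext), \
+    TEST_DECL_GROUP("ssl_ext", test_wolfSSL_set_SessionTicket_cb_ext), \
+    TEST_DECL_GROUP("ssl_ext", test_wolfSSL_set1_curves_list_ext), \
+    TEST_DECL_GROUP("ssl_ext", test_wolfSSL_SecureResume_ext), \
+    TEST_DECL_GROUP("ssl_ext", \
+        test_wolfSSL_CTX_UseSecureRenegotiation_ext), \
+    TEST_DECL_GROUP("ssl_ext", test_wolfSSL_next_proto_cb_ext), \
+    TEST_DECL_GROUP("ssl_ext", \
+        test_wolfSSL_tlsext_status_exts_ids_ext), \
+    TEST_DECL_GROUP("ssl_ext", \
+        test_wolfSSL_SNI_GetFromBuffer_inval_ext), \
+    TEST_DECL_GROUP("ssl_ext", test_wolfSSL_UseTrustedCA_inval_ext), \
+    TEST_DECL_GROUP("ssl_ext", test_wolfSSL_UseMaxFragment_inval_ext), \
+    TEST_DECL_GROUP("ssl_ext", test_wolfSSL_set1_groups_inval_ext), \
+    TEST_DECL_GROUP("ssl_ext", test_wolfSSL_UseALPN_inval_ext), \
+    TEST_DECL_GROUP("ssl_ext", \
+        test_wolfSSL_ALPN_GetPeerProtocol_inval_ext), \
+    TEST_DECL_GROUP("ssl_ext", \
+        test_wolfSSL_CTX_set_TicketEncCb_inval_ext), \
+    TEST_DECL_GROUP("ssl_ext", test_wolfSSL_SessionTicket_inval_ext), \
+    TEST_DECL_GROUP("ssl_ext", \
+        test_wolfSSL_CTX_set_servername_arg_inval_ext), \
+    TEST_DECL_GROUP("ssl_ext", \
+        test_wolfSSL_CTX_set_alpn_protos_inval_ext)
+#endif /* TESTS_API_SSL_EXT_H */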
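--- a/tests/api/test_ssl_pk.c
+++ b/tests/api/test_ssl_pk.c
@@ -0,0 +1,567 @@
+/* test_ssl_pk.c
+ *
+ * Copyright (C) 2006-2026 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+#include <tests/unit.h>
+#ifdef NO_INLINE
+#include <wolfssl/wolfcrypt/misc.h>
+#else
+#define WOLFSSL_MISC_INCLUDED
+#include <wolfcrypt/src/misc.c>
+#endif
+#include <wolfssl/ssl.h>
+#include <wolfssl/internal.h>
+#include <wolfssl/openssl/ec.h>
+#include <tests/utils.h>
+#include <tests/api/test_ssl_pk.h>
+/* Tests for the public-key APIs in src/ssl_api_pk.c (moved from ssl.c). */
+int test_wolfSSL_CTX_SetMinEccKey_Sz(void)
+{
+EXPECT_DECLS;
+#if defined(HAVE_ECC) && !defined(NO_WOLFSSL_SERVER) && !defined(NO_TLS)
+WOLFSSL_CTX* ctx = NULL;
+ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()));
+/* NULL context and negative size are rejected. */
+ExpectIntEQ(wolfSSL_CTX_SetMinEccKey_Sz(NULL, 256),
+WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+ExpectIntEQ(wolfSSL_CTX_SetMinEccKey_Sz(ctx, -1),
+WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+/* Multiple-of-8 and non-multiple-of-8 bit sizes both succeed. */
+ExpectIntEQ(wolfSSL_CTX_SetMinEccKey_Sz(ctx, 256), WOLFSSL_SUCCESS);
+ExpectIntEQ(wolfSSL_CTX_SetMinEccKey_Sz(ctx, 255), WOLFSSL_SUCCESS);
+wolfSSL_CTX_free(ctx);
+#endif
+return EXPECT_RESULT();
+}
+int test_wolfSSL_SetMinEccKey_Sz(void)
+{
+EXPECT_DECLS;
+#if defined(HAVE_ECC) && !defined(NO_WOLFSSL_SERVER) && \
+(defined(NO_CERTS) || !defined(NO_RSA)) && !defined(NO_TLS)
+WOLFSSL_CTX* ctx = NULL;
+WOLFSSL* ssl = NULL;
+ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()));
+#ifndef NO_CERTS
+/* A server WOLFSSL needs a key and certificate set on the context. */
+ExpectIntEQ(wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, CERT_FILETYPE),
+WOLFSSL_SUCCESS);
+ExpectIntEQ(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile,
+CERT_FILETYPE), WOLFSSL_SUCCESS);
+#endif
+ExpectNotNull(ssl = wolfSSL_new(ctx));
+/* NULL object and negative size are rejected. */
+ExpectIntEQ(wolfSSL_SetMinEccKey_Sz(NULL, 256),
+WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+ExpectIntEQ(wolfSSL_SetMinEccKey_Sz(ssl, -1),
+WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+/* Multiple-of-8 and non-multiple-of-8 bit sizes both succeed. */
+ExpectIntEQ(wolfSSL_SetMinEccKey_Sz(ssl, 256), WOLFSSL_SUCCESS);
+ExpectIntEQ(wolfSSL_SetMinEccKey_Sz(ssl, 255), WOLFSSL_SUCCESS);
+wolfSSL_free(ssl);
+wolfSSL_CTX_free(ctx);
+#endif
+return EXPECT_RESULT();
+}
+int test_wolfSSL_CTX_SetMinRsaKey_Sz(void)
+{
+EXPECT_DECLS;
+#if !defined(NO_RSA) && !defined(NO_WOLFSSL_SERVER) && !defined(NO_TLS)
+WOLFSSL_CTX* ctx = NULL;
+ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()));
+/* NULL context, negative size and non-multiple-of-8 size are rejected. */
+ExpectIntEQ(wolfSSL_CTX_SetMinRsaKey_Sz(NULL, 2048),
+WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+ExpectIntEQ(wolfSSL_CTX_SetMinRsaKey_Sz(ctx, -8),
+WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+ExpectIntEQ(wolfSSL_CTX_SetMinRsaKey_Sz(ctx, 1001),
+WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+ExpectIntEQ(wolfSSL_CTX_SetMinRsaKey_Sz(ctx, 2048), WOLFSSL_SUCCESS);
+wolfSSL_CTX_free(ctx);
+#endif
+return EXPECT_RESULT();
+}
+int test_wolfSSL_SetMinRsaKey_Sz(void)
+{
+EXPECT_DECLS;
+#if !defined(NO_RSA) && !defined(NO_WOLFSSL_SERVER) && !defined(NO_TLS)
+WOLFSSL_CTX* ctx = NULL;
+WOLFSSL* ssl = NULL;
+ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()));
+#ifndef NO_CERTS
+/* A server WOLFSSL needs a key and certificate set on the context. */
+ExpectIntEQ(wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, CERT_FILETYPE),
+WOLFSSL_SUCCESS);
+ExpectIntEQ(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile,
+CERT_FILETYPE), WOLFSSL_SUCCESS);
+#endif
+ExpectNotNull(ssl = wolfSSL_new(ctx));
+/* NULL object, negative size and non-multiple-of-8 size are rejected. */
+ExpectIntEQ(wolfSSL_SetMinRsaKey_Sz(NULL, 2048),
+WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+ExpectIntEQ(wolfSSL_SetMinRsaKey_Sz(ssl, -8),
+WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+ExpectIntEQ(wolfSSL_SetMinRsaKey_Sz(ssl, 1001),
+WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+ExpectIntEQ(wolfSSL_SetMinRsaKey_Sz(ssl, 2048), WOLFSSL_SUCCESS);
+wolfSSL_free(ssl);
+wolfSSL_CTX_free(ctx);
+#endif
+return EXPECT_RESULT();
+}
+int test_wolfSSL_SetEnableDhKeyTest(void)
+{
+EXPECT_DECLS;
+#if !defined(NO_DH) && !defined(WOLFSSL_OLD_PRIME_CHECK) && \
+!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
+!defined(NO_WOLFSSL_SERVER) && (defined(NO_CERTS) || !defined(NO_RSA)) && \
+!defined(NO_TLS)
+WOLFSSL_CTX* ctx = NULL;
+WOLFSSL* ssl = NULL;
+ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()));
+#ifndef NO_CERTS
+/* A server WOLFSSL needs a key and certificate set on the context. */
+ExpectIntEQ(wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, CERT_FILETYPE),
+WOLFSSL_SUCCESS);
+ExpectIntEQ(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile,
+CERT_FILETYPE), WOLFSSL_SUCCESS);
+#endif
+ExpectNotNull(ssl = wolfSSL_new(ctx));
+/* NULL object is rejected. */
+ExpectIntEQ(wolfSSL_SetEnableDhKeyTest(NULL, 1),
+WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+/* Disable then enable the prime test. */
+ExpectIntEQ(wolfSSL_SetEnableDhKeyTest(ssl, 0), WOLFSSL_SUCCESS);
+ExpectIntEQ(wolfSSL_SetEnableDhKeyTest(ssl, 1), WOLFSSL_SUCCESS);
+wolfSSL_free(ssl);
+wolfSSL_CTX_free(ctx);
+#endif
+return EXPECT_RESULT();
+}
+int test_wolfSSL_CTX_SetMinDhKey_Sz(void)
+{
+EXPECT_DECLS;
+#if !defined(NO_DH) && !defined(NO_WOLFSSL_SERVER) && \
+(defined(NO_CERTS) || !defined(NO_RSA)) && !defined(NO_TLS)
+WOLFSSL_CTX* ctx = NULL;
+ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()));
+/* NULL context, oversized and non-multiple-of-8 sizes are rejected. */
+ExpectIntEQ(wolfSSL_CTX_SetMinDhKey_Sz(NULL, 1024),
+WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+ExpectIntEQ(wolfSSL_CTX_SetMinDhKey_Sz(ctx, 16008),
+WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+ExpectIntEQ(wolfSSL_CTX_SetMinDhKey_Sz(ctx, 1001),
+WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+ExpectIntEQ(wolfSSL_CTX_SetMinDhKey_Sz(ctx, 1024), WOLFSSL_SUCCESS);
+wolfSSL_CTX_free(ctx);
+#endif
+return EXPECT_RESULT();
+}
+int test_wolfSSL_SetMinDhKey_Sz(void)
+{
+EXPECT_DECLS;
+#if !defined(NO_DH) && !defined(NO_WOLFSSL_SERVER) && \
+(defined(NO_CERTS) || !defined(NO_RSA)) && !defined(NO_TLS)
+WOLFSSL_CTX* ctx = NULL;
+WOLFSSL* ssl = NULL;
+ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()));
+#ifndef NO_CERTS
+/* A server WOLFSSL needs a key and certificate set on the context. */
+ExpectIntEQ(wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, CERT_FILETYPE),
+WOLFSSL_SUCCESS);
+ExpectIntEQ(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile,
+CERT_FILETYPE), WOLFSSL_SUCCESS);
+#endif
+ExpectNotNull(ssl = wolfSSL_new(ctx));
+/* NULL object, oversized and non-multiple-of-8 sizes are rejected. */
+ExpectIntEQ(wolfSSL_SetMinDhKey_Sz(NULL, 1024),
+WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+ExpectIntEQ(wolfSSL_SetMinDhKey_Sz(ssl, 16008),
+WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+ExpectIntEQ(wolfSSL_SetMinDhKey_Sz(ssl, 1001),
+WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+ExpectIntEQ(wolfSSL_SetMinDhKey_Sz(ssl, 1024), WOLFSSL_SUCCESS);
+wolfSSL_free(ssl);
+wolfSSL_CTX_free(ctx);
+#endif
+return EXPECT_RESULT();
+}
+int test_wolfSSL_CTX_SetMaxDhKey_Sz(void)
+{
+EXPECT_DECLS;
+#if !defined(NO_DH) && !defined(NO_WOLFSSL_SERVER) && !defined(NO_TLS)
+WOLFSSL_CTX* ctx = NULL;
+ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()));
+/* NULL context, oversized and non-multiple-of-8 sizes are rejected. */
+ExpectIntEQ(wolfSSL_CTX_SetMaxDhKey_Sz(NULL, 4096),
+WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+ExpectIntEQ(wolfSSL_CTX_SetMaxDhKey_Sz(ctx, 16008),
+WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+ExpectIntEQ(wolfSSL_CTX_SetMaxDhKey_Sz(ctx, 1001),
+WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+ExpectIntEQ(wolfSSL_CTX_SetMaxDhKey_Sz(ctx, 4096), WOLFSSL_SUCCESS);
+wolfSSL_CTX_free(ctx);
+#endif
+return EXPECT_RESULT();
+}
+int test_wolfSSL_SetMaxDhKey_Sz(void)
+{
+EXPECT_DECLS;
+#if !defined(NO_DH) && !defined(NO_WOLFSSL_SERVER) && \
+(defined(NO_CERTS) || !defined(NO_RSA)) && !defined(NO_TLS)
+WOLFSSL_CTX* ctx = NULL;
+WOLFSSL* ssl = NULL;
+ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()));
+#ifndef NO_CERTS
+/* A server WOLFSSL needs a key and certificate set on the context. */
+ExpectIntEQ(wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, CERT_FILETYPE),
+WOLFSSL_SUCCESS);
+ExpectIntEQ(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile,
+CERT_FILETYPE), WOLFSSL_SUCCESS);
+#endif
+ExpectNotNull(ssl = wolfSSL_new(ctx));
+/* NULL object, oversized and non-multiple-of-8 sizes are rejected. */
+ExpectIntEQ(wolfSSL_SetMaxDhKey_Sz(NULL, 4096),
+WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+ExpectIntEQ(wolfSSL_SetMaxDhKey_Sz(ssl, 16008),
+WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+ExpectIntEQ(wolfSSL_SetMaxDhKey_Sz(ssl, 1001),
+WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+ExpectIntEQ(wolfSSL_SetMaxDhKey_Sz(ssl, 4096), WOLFSSL_SUCCESS);
+wolfSSL_free(ssl);
+wolfSSL_CTX_free(ctx);
+#endif
+return EXPECT_RESULT();
+}
+int test_wolfSSL_GetDhKey_Sz(void)
+{
+EXPECT_DECLS;
+#if !defined(NO_DH) && !defined(NO_WOLFSSL_SERVER) && \
+(defined(NO_CERTS) || !defined(NO_RSA)) && !defined(NO_TLS)
+WOLFSSL_CTX* ctx = NULL;
+WOLFSSL* ssl = NULL;
+ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()));
+#ifndef NO_CERTS
+/* A server WOLFSSL needs a key and certificate set on the context. */
+ExpectIntEQ(wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, CERT_FILETYPE),
+WOLFSSL_SUCCESS);
+ExpectIntEQ(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile,
+CERT_FILETYPE), WOLFSSL_SUCCESS);
+#endif
+ExpectNotNull(ssl = wolfSSL_new(ctx));
+/* NULL object is rejected. */
+ExpectIntEQ(wolfSSL_GetDhKey_Sz(NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+/* Valid object returns the negotiated size (0 before a handshake). */
+ExpectIntGE(wolfSSL_GetDhKey_Sz(ssl), 0);
+wolfSSL_free(ssl);
+wolfSSL_CTX_free(ctx);
+#endif
+return EXPECT_RESULT();
+}
+int test_wolfSSL_get_privatekey(void)
+{
+EXPECT_DECLS;
+#if defined(OPENSSL_EXTRA) && !defined(NO_WOLFSSL_STUB)
+/* Stub for OpenSSL compatibility - always returns NULL. */
+ExpectNull(wolfSSL_get_privatekey(NULL));
+#endif
+return EXPECT_RESULT();
+}
+int test_wolfSSL_get_signature_nid(void)
+{
+EXPECT_DECLS;
+#if defined(OPENSSL_EXTRA) && !defined(NO_WOLFSSL_SERVER) && \
+(defined(NO_CERTS) || !defined(NO_RSA))
+WOLFSSL_CTX* ctx = NULL;
+WOLFSSL* ssl = NULL;
+int nid = 0;
+ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()));
+#ifndef NO_CERTS
+/* A server WOLFSSL needs a key and certificate set on the context. */
+ExpectIntEQ(wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, CERT_FILETYPE),
+WOLFSSL_SUCCESS);
+ExpectIntEQ(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile,
+CERT_FILETYPE), WOLFSSL_SUCCESS);
+#endif
+ExpectNotNull(ssl = wolfSSL_new(ctx));
+/* NULL object or output pointer is rejected. */
+ExpectIntEQ(wolfSSL_get_signature_nid(NULL, &nid), WOLFSSL_FAILURE);
+ExpectIntEQ(wolfSSL_get_signature_nid(ssl, NULL), WOLFSSL_FAILURE);
+/* Valid object maps the hash algorithm to a NID. */
+ExpectIntEQ(wolfSSL_get_signature_nid(ssl, &nid), WOLFSSL_SUCCESS);
+/* Drive every hash-algorithm case (HashToNid). */
+if (EXPECT_SUCCESS()) {
+static const byte hashAlgos[] = {
+no_mac, md5_mac, sha_mac, sha224_mac, sha256_mac, sha384_mac,
+sha512_mac, rmd_mac, blake2b_mac, sm3_mac
+};
+size_t i;
+for (i = 0; i < sizeof(hashAlgos) / sizeof(hashAlgos[0]); i++) {
+ssl->options.hashAlgo = hashAlgos[i];
+ExpectIntEQ(wolfSSL_get_signature_nid(ssl, &nid), WOLFSSL_SUCCESS);
+}
+/* An unknown hash algorithm is rejected. */
+ssl->options.hashAlgo = 0xFF;
+ExpectIntEQ(wolfSSL_get_signature_nid(ssl, &nid), WOLFSSL_FAILURE);
+}
+wolfSSL_free(ssl);
+wolfSSL_CTX_free(ctx);
+#endif
+return EXPECT_RESULT();
+}
+int test_wolfSSL_get_signature_type_nid(void)
+{
+EXPECT_DECLS;
+#if defined(OPENSSL_EXTRA) && !defined(NO_WOLFSSL_SERVER) && \
+(defined(NO_CERTS) || !defined(NO_RSA))
+WOLFSSL_CTX* ctx = NULL;
+WOLFSSL* ssl = NULL;
+int nid = 0;
+ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()));
+#ifndef NO_CERTS
+/* A server WOLFSSL needs a key and certificate set on the context. */
+ExpectIntEQ(wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, CERT_FILETYPE),
+WOLFSSL_SUCCESS);
+ExpectIntEQ(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile,
+CERT_FILETYPE), WOLFSSL_SUCCESS);
+#endif
+ExpectNotNull(ssl = wolfSSL_new(ctx));
+/* NULL object or output pointer is rejected. */
+ExpectIntEQ(wolfSSL_get_signature_type_nid(NULL, &nid), WOLFSSL_FAILURE);
+ExpectIntEQ(wolfSSL_get_signature_type_nid(ssl, NULL), WOLFSSL_FAILURE);
+/* Valid object maps the signature algorithm to a NID. */
+ExpectIntEQ(wolfSSL_get_signature_type_nid(ssl, &nid), WOLFSSL_SUCCESS);
+/* Drive every signature-algorithm case (SaToNid). */
+if (EXPECT_SUCCESS()) {
+static const byte okAlgos[] = {
+anonymous_sa_algo, rsa_sa_algo, dsa_sa_algo, ecc_dsa_sa_algo,
+ecc_brainpool_sa_algo, rsa_pss_sa_algo, rsa_pss_pss_algo,
+falcon_level1_sa_algo, falcon_level5_sa_algo, mldsa_44_sa_algo,
+mldsa_65_sa_algo, mldsa_87_sa_algo, sm2_sa_algo
+};
+static const byte failAlgos[] = { invalid_sa_algo, any_sa_algo };
+size_t i;
+for (i = 0; i < sizeof(okAlgos) / sizeof(okAlgos[0]); i++) {
+ssl->options.sigAlgo = okAlgos[i];
+ExpectIntEQ(wolfSSL_get_signature_type_nid(ssl, &nid),
+WOLFSSL_SUCCESS);
+}
+/* Ed25519/Ed448 mappings depend on build configuration. */
+ssl->options.sigAlgo = ed25519_sa_algo;
+#ifdef HAVE_ED25519
+ExpectIntEQ(wolfSSL_get_signature_type_nid(ssl, &nid), WOLFSSL_SUCCESS);
+#else
+ExpectIntEQ(wolfSSL_get_signature_type_nid(ssl, &nid), WOLFSSL_FAILURE);
+#endif
+ssl->options.sigAlgo = ed448_sa_algo;
+#ifdef HAVE_ED448
+ExpectIntEQ(wolfSSL_get_signature_type_nid(ssl, &nid), WOLFSSL_SUCCESS);
+#else
+ExpectIntEQ(wolfSSL_get_signature_type_nid(ssl, &nid), WOLFSSL_FAILURE);
+#endif
+/* Unknown/placeholder algorithms are rejected. */
+for (i = 0; i < sizeof(failAlgos) / sizeof(failAlgos[0]); i++) {
+ssl->options.sigAlgo = failAlgos[i];
+ExpectIntEQ(wolfSSL_get_signature_type_nid(ssl, &nid),
+WOLFSSL_FAILURE);
+}
+}
+wolfSSL_free(ssl);
+wolfSSL_CTX_free(ctx);
+#endif
+return EXPECT_RESULT();
+}
+int test_wolfSSL_get_peer_signature_nid(void)
+{
+EXPECT_DECLS;
+#if defined(OPENSSL_EXTRA) && !defined(NO_WOLFSSL_SERVER) && \
+(defined(NO_CERTS) || !defined(NO_RSA))
+WOLFSSL_CTX* ctx = NULL;
+WOLFSSL* ssl = NULL;
+int nid = 0;
+ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()));
+#ifndef NO_CERTS
+/* A server WOLFSSL needs a key and certificate set on the context. */
+ExpectIntEQ(wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, CERT_FILETYPE),
+WOLFSSL_SUCCESS);
+ExpectIntEQ(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile,
+CERT_FILETYPE), WOLFSSL_SUCCESS);
+#endif
+ExpectNotNull(ssl = wolfSSL_new(ctx));
+/* NULL object or output pointer is rejected. */
+ExpectIntEQ(wolfSSL_get_peer_signature_nid(NULL, &nid), WOLFSSL_FAILURE);
+ExpectIntEQ(wolfSSL_get_peer_signature_nid(ssl, NULL), WOLFSSL_FAILURE);
+/* Valid object maps the peer's hash algorithm to a NID. */
+ExpectIntEQ(wolfSSL_get_peer_signature_nid(ssl, &nid), WOLFSSL_SUCCESS);
+wolfSSL_free(ssl);
+wolfSSL_CTX_free(ctx);
+#endif
+return EXPECT_RESULT();
+}
+int test_wolfSSL_get_peer_signature_type_nid(void)
+{
+EXPECT_DECLS;
+#if defined(OPENSSL_EXTRA) && !defined(NO_WOLFSSL_SERVER) && \
+(defined(NO_CERTS) || !defined(NO_RSA))
+WOLFSSL_CTX* ctx = NULL;
+WOLFSSL* ssl = NULL;
+int nid = 0;
+ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()));
+#ifndef NO_CERTS
+/* A server WOLFSSL needs a key and certificate set on the context. */
+ExpectIntEQ(wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, CERT_FILETYPE),
+WOLFSSL_SUCCESS);
+ExpectIntEQ(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile,
+CERT_FILETYPE), WOLFSSL_SUCCESS);
+#endif
+ExpectNotNull(ssl = wolfSSL_new(ctx));
+/* NULL object or output pointer is rejected. */
+ExpectIntEQ(wolfSSL_get_peer_signature_type_nid(NULL, &nid),
+WOLFSSL_FAILURE);
+ExpectIntEQ(wolfSSL_get_peer_signature_type_nid(ssl, NULL),
+WOLFSSL_FAILURE);
+/* Valid object maps the peer's signature algorithm to a NID. */
+ExpectIntEQ(wolfSSL_get_peer_signature_type_nid(ssl, &nid),
+WOLFSSL_SUCCESS);
+wolfSSL_free(ssl);
+wolfSSL_CTX_free(ctx);
+#endif
+return EXPECT_RESULT();
+}
+int test_wolfSSL_SSL_CTX_set_tmp_ecdh(void)
+{
+EXPECT_DECLS;
+#if defined(OPENSSL_EXTRA) && defined(HAVE_ECC) && !defined(NO_WOLFSSL_SERVER)
+WOLFSSL_CTX* ctx = NULL;
+WOLFSSL_EC_KEY* ecdh = NULL;
+ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()));
+ExpectNotNull(ecdh = wolfSSL_EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));
+/* NULL context or key is rejected. */
+ExpectIntEQ(wolfSSL_SSL_CTX_set_tmp_ecdh(NULL, ecdh),
+WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+ExpectIntEQ(wolfSSL_SSL_CTX_set_tmp_ecdh(ctx, NULL),
+WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+/* Valid key sets the curve. */
+ExpectIntEQ(wolfSSL_SSL_CTX_set_tmp_ecdh(ctx, ecdh), WOLFSSL_SUCCESS);
+wolfSSL_EC_KEY_free(ecdh);
+wolfSSL_CTX_free(ctx);
+#endif
+return EXPECT_RESULT();
+}
+int test_wolfSSL_CTX_set_dh_auto(void)
+{
+EXPECT_DECLS;
+#if defined(OPENSSL_EXTRA) && !defined(NO_WOLFSSL_SERVER)
+WOLFSSL_CTX* ctx = NULL;
+ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()));
+/* Compatibility stub - always succeeds. */
+ExpectIntEQ(wolfSSL_CTX_set_dh_auto(ctx, 0), WOLFSSL_SUCCESS);
+ExpectIntEQ(wolfSSL_CTX_set_dh_auto(ctx, 1), WOLFSSL_SUCCESS);
+wolfSSL_CTX_free(ctx);
+#endif
+return EXPECT_RESULT();
+}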
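Review bot: The build guard on test_wolfSSL_CTX_SetMinDhKey_Sz carries `(defined(NO_CERTS) || !defined(NO_RSA))` although the test never loads a key or creates a WOLFSSL, so it skips builds it could run in; the sibling test_wolfSSL_CTX_SetMaxDhKey_Sz uses the narrower `#if !defined(NO_DH) && !defined(NO_WOLFSSL_SERVER) && !defined(NO_TLS)`, which looks like the intended guard here too (the RSA clause appears copied from the WOLFSSL-level variant). In test_wolfSSL_GetDhKey_Sz the comment states the size is 0 before a handshake but the check is only `ExpectIntGE(wolfSSL_GetDhKey_Sz(ssl), 0);`; if that claim holds, `ExpectIntEQ(wolfSSL_GetDhKey_Sz(ssl), 0);` pins the documented behaviour instead of passing for any non-negative value. The same `ExpectIntGE` also passes for a positive-but-wrong size, which is exactly the kind of regression a minimum/maximum DH size test should catch. test_wolfSSL_SSL_CTX_set_tmp_ecdh verifies only the return code and not that the curve was recorded on the context; a follow-up read of whatever the API stores would make the "Valid key sets the curve" comment checkable.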
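--- a/tests/api/test_ssl_pk.h
+++ b/tests/api/test_ssl_pk.h
@@ -0,0 +1,62 @@
+/* test_ssl_pk.h
+ *
+ * Copyright (C) 2006-2026 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+#ifndef TESTS_API_SSL_PK_H
+#define TESTS_API_SSL_PK_H
+int test_wolfSSL_CTX_SetMinEccKey_Sz(void);
+int test_wolfSSL_SetMinEccKey_Sz(void);
+int test_wolfSSL_CTX_SetMinRsaKey_Sz(void);
+int test_wolfSSL_SetMinRsaKey_Sz(void);
+int test_wolfSSL_SetEnableDhKeyTest(void);
+int test_wolfSSL_CTX_SetMinDhKey_Sz(void);
+int test_wolfSSL_SetMinDhKey_Sz(void);
+int test_wolfSSL_CTX_SetMaxDhKey_Sz(void);
+int test_wolfSSL_SetMaxDhKey_Sz(void);
+int test_wolfSSL_GetDhKey_Sz(void);
+int test_wolfSSL_get_privatekey(void);
+int test_wolfSSL_get_signature_nid(void);
+int test_wolfSSL_get_signature_type_nid(void);
+int test_wolfSSL_get_peer_signature_nid(void);
+int test_wolfSSL_get_peer_signature_type_nid(void);
+int test_wolfSSL_SSL_CTX_set_tmp_ecdh(void);
+int test_wolfSSL_CTX_set_dh_auto(void);
+#define TEST_SSL_PK_DECLS \
+TEST_DECL_GROUP("ssl_pk", test_wolfSSL_CTX_SetMinEccKey_Sz), \
+TEST_DECL_GROUP("ssl_pk", test_wolfSSL_SetMinEccKey_Sz), \
+TEST_DECL_GROUP("ssl_pk", test_wolfSSL_CTX_SetMinRsaKey_Sz), \
+TEST_DECL_GROUP("ssl_pk", test_wolfSSL_SetMinRsaKey_Sz), \
+TEST_DECL_GROUP("ssl_pk", test_wolfSSL_SetEnableDhKeyTest), \
+TEST_DECL_GROUP("ssl_pk", test_wolfSSL_CTX_SetMinDhKey_Sz), \
+TEST_DECL_GROUP("ssl_pk", test_wolfSSL_SetMinDhKey_Sz), \
+TEST_DECL_GROUP("ssl_pk", test_wolfSSL_CTX_SetMaxDhKey_Sz), \
+TEST_DECL_GROUP("ssl_pk", test_wolfSSL_SetMaxDhKey_Sz), \
+TEST_DECL_GROUP("ssl_pk", test_wolfSSL_GetDhKey_Sz), \
+TEST_DECL_GROUP("ssl_pk", test_wolfSSL_get_privatekey), \
+TEST_DECL_GROUP("ssl_pk", test_wolfSSL_get_signature_nid), \
+TEST_DECL_GROUP("ssl_pk", test_wolfSSL_get_signature_type_nid), \
+TEST_DECL_GROUP("ssl_pk", test_wolfSSL_get_peer_signature_nid), \
+TEST_DECL_GROUP("ssl_pk", test_wolfSSL_get_peer_signature_type_nid), \
+TEST_DECL_GROUP("ssl_pk", test_wolfSSL_SSL_CTX_set_tmp_ecdh), \
+TEST_DECL_GROUP("ssl_pk", test_wolfSSL_CTX_set_dh_auto)
+#endif /* TESTS_API_SSL_PK_H */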