Fix tests

2026-01-27 04:22:19 +01:00 · 2025-09-17 16:11:52 +02:00
parent 3bdb43eb6a
commit 5efc4a7cd0
2 changed files with 112 additions and 86 deletions
--- a/src/internal.c
+++ b/src/internal.c
@@ -6669,9 +6669,11 @@ int InitSSL_Suites(WOLFSSL* ssl)
    byte haveAnon = 0;
    byte haveRSA = 0;
    byte haveMcast = 0;
+    byte haveCertSetupCb = 0;

    (void)haveAnon; /* Squash unused var warnings */
    (void)haveMcast;
+    (void)haveCertSetupCb;

    if (!ssl)
        return BAD_FUNC_ARG;
@@ -6690,6 +6692,10 @@ int InitSSL_Suites(WOLFSSL* ssl)
    haveMcast = (byte)ssl->options.haveMcast;
 #endif /* WOLFSSL_MULTICAST */
 #endif /* !NO_CERTS && !WOLFSSL_SESSION_EXPORT */
+#if defined(WOLFSSL_TLS13) && !defined(NO_CERTS) && defined(OPENSSL_EXTRA)
+    if (ssl->ctx->certSetupCb != NULL)
+        haveCertSetupCb = 1;
+#endif /* WOLFSSL_TLS13 && !NO_CERTS && OPENSSL_EXTRA */

 #ifdef WOLFSSL_EARLY_DATA
    if (ssl->options.side == WOLFSSL_SERVER_END)
@@ -6717,10 +6723,11 @@ int InitSSL_Suites(WOLFSSL* ssl)
    }

 #if !defined(NO_CERTS) && !defined(WOLFSSL_SESSION_EXPORT)
-    /* make sure server has cert and key unless using PSK, Anon, or
-     * Multicast. This should be true even if just switching ssl ctx */
+    /* make sure server has cert and key unless using PSK, Anon,
+     * Multicast or cert setup callback. This should be true even if just
+     * switching ssl ctx */
    if (ssl->options.side == WOLFSSL_SERVER_END &&
-            !havePSK && !haveAnon && !haveMcast) {
+            !havePSK && !haveAnon && !haveMcast && !haveCertSetupCb) {

        /* server certificate must be loaded */
        if (!ssl->buffers.certificate || !ssl->buffers.certificate->buffer) {
--- a/tests/api/test_tls_ext.c
+++ b/tests/api/test_tls_ext.c
@@ -129,6 +129,13 @@ int test_wolfSSL_DisableExtendedMasterSecret(void)
 }


+#if !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) && \
+    !defined(WOLFSSL_NO_CA_NAMES) && !defined(NO_BIO) && \
+    !defined(NO_CERTS) && !defined(NO_TLS) && (defined(OPENSSL_EXTRA) || \
+            defined(OPENSSL_EXTRA_X509_SMALL)) && (defined(WOLFSSL_TLS13) || \
+            (!defined(WOLFSSL_NO_TLS12) && (defined(OPENSSL_ALL) || \
+            defined(WOLFSSL_NGINX) || defined(HAVE_LIGHTY)))) && \
+    !defined(SINGLE_THREADED) && defined(SESSION_CERTS)
 struct client_cb_arg {
    WOLF_STACK_OF(X509_NAME) *names1;
    WOLF_STACK_OF(X509_NAME) *names2;
@@ -145,13 +152,16 @@ static int certificate_authorities_client_cb(WOLFSSL *ssl, void *_arg) {
        return 0;
    return 1;
 }
+#endif

 int test_certificate_authorities_certificate_request(void) {
    EXPECT_DECLS;
 #if !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) && \
    !defined(WOLFSSL_NO_CA_NAMES) && !defined(NO_BIO) && \
-    !defined(NO_CERTS) && (defined(OPENSSL_EXTRA) || \
-            defined(OPENSSL_EXTRA_SMALL))
+    !defined(NO_CERTS) && !defined(NO_TLS) && (defined(OPENSSL_EXTRA) || \
+            defined(OPENSSL_EXTRA_X509_SMALL)) && (defined(WOLFSSL_TLS13) || \
+            (!defined(WOLFSSL_NO_TLS12) && (defined(OPENSSL_ALL) || \
+                defined(WOLFSSL_NGINX) || defined(HAVE_LIGHTY))))
    struct test_params {
        method_provider client_meth;
        method_provider server_meth;
@@ -161,24 +171,29 @@ int test_certificate_authorities_certificate_request(void) {
        /* TLS 1.3 uses certificate_authorities extension */
        {wolfTLSv1_3_client_method, wolfTLSv1_3_server_method, 0},
 #endif
-#ifndef WOLFSSL_NO_TLS12
+#if !defined(WOLFSSL_NO_TLS12) && (defined(OPENSSL_ALL) || \
+            defined(WOLFSSL_NGINX) || defined(HAVE_LIGHTY))
        /* TLS 1.2 directly embeds CA names in CertificateRequest */
        {wolfTLSv1_2_client_method, wolfTLSv1_2_server_method, 0},
 #endif
 #ifdef WOLFSSL_DTLS13
        {wolfDTLSv1_3_client_method, wolfDTLSv1_3_server_method, 1},
 #endif
-#ifdef WOLFSSL_DTLS
+#if defined(WOLFSSL_DTLS) && (defined(OPENSSL_ALL) || \
+            defined(WOLFSSL_NGINX) || defined(HAVE_LIGHTY))
        {wolfDTLSv1_2_client_method, wolfDTLSv1_2_server_method, 1},
 #endif
    };
    size_t i;

    for (i = 0; i < sizeof(params) / sizeof(*params); i++) {
-        WOLFSSL_CTX *ctx;
-        WOLFSSL *ssl;
+        WOLFSSL_CTX *ctx = NULL;
+        WOLFSSL *ssl = NULL;
        WOLF_STACK_OF(X509_NAME) *names1 = NULL, *names2 = NULL;
-        X509_NAME *name;
+        X509_NAME *name = NULL;
+
+        if (EXPECT_FAIL())
+            break;

        ExpectNotNull(ctx = wolfSSL_CTX_new(params[i].server_meth()));

@@ -192,6 +207,7 @@ int test_certificate_authorities_certificate_request(void) {
            wolfSSL_X509_NAME_free(name);
            name = NULL;
        }
+        wolfSSL_sk_X509_NAME_free(names2);
        names2 = wolfSSL_load_client_CA_file(caCertFile);
        ExpectNotNull(names2);

@@ -228,6 +244,7 @@ int test_certificate_authorities_certificate_request(void) {
            wolfSSL_X509_NAME_free(name);
            name = NULL;
        }
+        wolfSSL_sk_X509_NAME_free(names2);
        names2 = wolfSSL_load_client_CA_file(caCertFile);
        ExpectNotNull(names2);

@@ -265,12 +282,6 @@ int test_certificate_authorities_certificate_request(void) {
                        cliCertFile, NULL));

            start_thread(test_server_nofail, &server_args, &server_thread);
-            wait_tcp_ready(&server_args);
-
-            tcp_connect(&sockfd, wolfSSLIP, server_args.signal->port,
-                    params[i].doUdp, 0, NULL);
-            if (params[i].doUdp)
-                udp_connect(&sockfd, wolfSSLIP, server_args.signal->port);

            ExpectNotNull(ctx_client = wolfSSL_CTX_new(
                        params[i].client_meth()));
@@ -281,6 +292,11 @@ int test_certificate_authorities_certificate_request(void) {
                    certificate_authorities_client_cb, &client_cb_arg);

            ExpectNotNull(ssl_client = wolfSSL_new(ctx_client));
+
+            wait_tcp_ready(&server_args);
+            tcp_connect(&sockfd, wolfSSLIP, server_args.signal->port,
+                    params[i].doUdp, 0, ssl_client);
+
            ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_set_fd(ssl_client, sockfd));
            ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_connect(ssl_client));

@@ -307,6 +323,11 @@ int test_certificate_authorities_certificate_request(void) {
 }


+#if !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) && \
+    !defined(WOLFSSL_NO_CA_NAMES) && !defined(NO_BIO) && \
+    !defined(NO_CERTS) && defined(WOLFSSL_TLS13) && (defined(OPENSSL_EXTRA) || \
+            defined(OPENSSL_EXTRA_X509_SMALL)) && \
+    !defined(SINGLE_THREADED) && defined(SESSION_CERTS)
 static int certificate_authorities_server_cb(WOLFSSL *ssl, void *_arg) {
    int *names_num = (int *)_arg;
    WOLF_STACK_OF(X509_NAME) *names = wolfSSL_get0_peer_CA_list(ssl);
@@ -317,13 +338,15 @@ static int certificate_authorities_server_cb(WOLFSSL *ssl, void *_arg) {
        return 0;
    return 1;
 }
+#endif

 int test_certificate_authorities_client_hello(void) {
    EXPECT_DECLS;
 #if !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) && \
    !defined(WOLFSSL_NO_CA_NAMES) && !defined(NO_BIO) && \
-    !defined(NO_CERTS) && (defined(OPENSSL_EXTRA) || \
-            defined(OPENSSL_EXTRA_SMALL))
+    !defined(NO_CERTS) && defined(WOLFSSL_TLS13) && (defined(OPENSSL_EXTRA) || \
+            defined(OPENSSL_EXTRA_X509_SMALL)) && \
+    !defined(SINGLE_THREADED) && defined(SESSION_CERTS)

    struct test_params {
        method_provider client_meth;
@@ -341,88 +364,84 @@ int test_certificate_authorities_client_hello(void) {
    size_t i;

    for (i = 0; i < sizeof(params) / sizeof(*params); i++) {
-        WOLFSSL_CTX *ctx;
+        WOLFSSL_CTX *ctx = NULL;
        int server_cb_arg;
+        tcp_ready ready;
+        func_args server_args;
+        callback_functions server_cb;
+        THREAD_TYPE server_thread;
+        WOLFSSL *ssl_client = NULL;
+        WOLFSSL_CTX *ctx_client = NULL;
+        SOCKET_T sockfd = 0;
+        WOLF_STACK_OF(X509_NAME) *names1 = NULL, *names2 = NULL;
+        X509_NAME *name = NULL;
+
+        if (EXPECT_FAIL())
+            break;

        ExpectNotNull(ctx = wolfSSL_CTX_new(params[i].server_meth()));
        wolfSSL_CTX_set_cert_cb(ctx, certificate_authorities_server_cb,
                &server_cb_arg);

-#if !defined(SINGLE_THREADED) && defined(SESSION_CERTS)
-        {
-            tcp_ready ready;
-            func_args server_args;
-            callback_functions server_cb;
-            THREAD_TYPE server_thread;
-            WOLFSSL *ssl_client = NULL;
-            WOLFSSL_CTX *ctx_client = NULL;
-            SOCKET_T sockfd = 0;
-            WOLF_STACK_OF(X509_NAME) *names1 = NULL, *names2 = NULL;
-            X509_NAME *name;
+        StartTCP();
+        InitTcpReady(&ready);
+        XMEMSET(&server_args, 0, sizeof(func_args));
+        XMEMSET(&server_cb, 0, sizeof(callback_functions));

-            StartTCP();
-            InitTcpReady(&ready);
-            XMEMSET(&server_args, 0, sizeof(func_args));
-            XMEMSET(&server_cb, 0, sizeof(callback_functions));
+        server_args.signal = &ready;
+        server_args.callbacks = &server_cb;

+        server_cb.ctx = ctx;
+        server_cb.isSharedCtx = 1;
+        server_cb.doUdp = params[i].doUdp;

-            server_args.signal = &ready;
-            server_args.callbacks = &server_cb;
+        start_thread(test_server_nofail, &server_args, &server_thread);

-            server_cb.ctx = ctx;
-            server_cb.isSharedCtx = 1;
-            server_cb.doUdp = params[i].doUdp;
+        ExpectNotNull(ctx_client = wolfSSL_CTX_new(
+                    params[i].client_meth()));
+        ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_load_verify_locations(
+                    ctx_client, caCertFile, NULL));

-            start_thread(test_server_nofail, &server_args, &server_thread);
-            wait_tcp_ready(&server_args);
+        ExpectNotNull(ssl_client = wolfSSL_new(ctx_client));

-            tcp_connect(&sockfd, wolfSSLIP, server_args.signal->port,
-                    params[i].doUdp, 0, NULL);
-            if (params[i].doUdp)
-                udp_connect(&sockfd, wolfSSLIP, server_args.signal->port);
+        AssertTrue(wolfSSL_use_certificate_file(ssl_client, cliCertFile,
+                SSL_FILETYPE_PEM));
+        AssertTrue(wolfSSL_use_PrivateKey_file(ssl_client, cliKeyFile,
+                SSL_FILETYPE_PEM));

-            ExpectNotNull(ctx_client = wolfSSL_CTX_new(
-                        params[i].client_meth()));
-            ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_load_verify_locations(
-                        ctx_client, caCertFile, NULL));
-
-            ExpectNotNull(ssl_client = wolfSSL_new(ctx_client));
-
-            AssertTrue(wolfSSL_use_certificate_file(ssl_client, cliCertFile,
-                    SSL_FILETYPE_PEM));
-            AssertTrue(wolfSSL_use_PrivateKey_file(ssl_client, cliKeyFile,
-                    SSL_FILETYPE_PEM));
-
-            names1 = wolfSSL_load_client_CA_file(caCertFile);
-            ExpectNotNull(names1);
-            names2 = wolfSSL_load_client_CA_file(cliCertFile);
-            ExpectNotNull(names2);
-            ExpectNotNull(name = wolfSSL_sk_X509_NAME_value(names2, 0));
-            ExpectIntEQ(2, wolfSSL_sk_X509_NAME_push(names1, name));
-            if (EXPECT_FAIL()) {
-                wolfSSL_X509_NAME_free(name);
-                name = NULL;
-            }
-            names2 = wolfSSL_load_client_CA_file(cliCertFile);
-            ExpectNotNull(names2);
-
-            /* verify that set0_CA_list takes precedence */
-            wolfSSL_set0_CA_list(ssl_client, names1);
-            wolfSSL_CTX_set0_CA_list(ctx_client, names2);
-
-            ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_set_fd(ssl_client, sockfd));
-            ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_connect(ssl_client));
-
-            wolfSSL_shutdown(ssl_client);
-            wolfSSL_free(ssl_client);
-            wolfSSL_CTX_free(ctx_client);
-
-            CloseSocket(sockfd);
-
-            join_thread(server_thread);
-            FreeTcpReady(&ready);
+        names1 = wolfSSL_load_client_CA_file(caCertFile);
+        ExpectNotNull(names1);
+        names2 = wolfSSL_load_client_CA_file(cliCertFile);
+        ExpectNotNull(names2);
+        ExpectNotNull(name = wolfSSL_sk_X509_NAME_value(names2, 0));
+        ExpectIntEQ(2, wolfSSL_sk_X509_NAME_push(names1, name));
+        if (EXPECT_FAIL()) {
+            wolfSSL_X509_NAME_free(name);
+            name = NULL;
        }
-#endif
+        wolfSSL_sk_X509_NAME_free(names2);
+        names2 = wolfSSL_load_client_CA_file(cliCertFile);
+        ExpectNotNull(names2);
+
+        /* verify that set0_CA_list takes precedence */
+        wolfSSL_set0_CA_list(ssl_client, names1);
+        wolfSSL_CTX_set0_CA_list(ctx_client, names2);
+
+        wait_tcp_ready(&server_args);
+        tcp_connect(&sockfd, wolfSSLIP, server_args.signal->port,
+                params[i].doUdp, 0, ssl_client);
+
+        ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_set_fd(ssl_client, sockfd));
+        ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_connect(ssl_client));
+
+        wolfSSL_shutdown(ssl_client);
+        wolfSSL_free(ssl_client);
+        wolfSSL_CTX_free(ctx_client);
+
+        CloseSocket(sockfd);
+
+        join_thread(server_thread);
+        FreeTcpReady(&ready);
        ExpectIntEQ(2, server_cb_arg);
        wolfSSL_CTX_free(ctx);
    }