diff --git a/src/internal.c b/src/internal.c index 3096121d5..36418b919 100644 --- a/src/internal.c +++ b/src/internal.c @@ -6669,9 +6669,11 @@ int InitSSL_Suites(WOLFSSL* ssl) byte haveAnon = 0; byte haveRSA = 0; byte haveMcast = 0; + byte haveCertSetupCb = 0; (void)haveAnon; /* Squash unused var warnings */ (void)haveMcast; + (void)haveCertSetupCb; if (!ssl) return BAD_FUNC_ARG; @@ -6690,6 +6692,10 @@ int InitSSL_Suites(WOLFSSL* ssl) haveMcast = (byte)ssl->options.haveMcast; #endif /* WOLFSSL_MULTICAST */ #endif /* !NO_CERTS && !WOLFSSL_SESSION_EXPORT */ +#if defined(WOLFSSL_TLS13) && !defined(NO_CERTS) && defined(OPENSSL_EXTRA) + if (ssl->ctx->certSetupCb != NULL) + haveCertSetupCb = 1; +#endif /* WOLFSSL_TLS13 && !NO_CERTS && OPENSSL_EXTRA */ #ifdef WOLFSSL_EARLY_DATA if (ssl->options.side == WOLFSSL_SERVER_END) @@ -6717,10 +6723,11 @@ int InitSSL_Suites(WOLFSSL* ssl) } #if !defined(NO_CERTS) && !defined(WOLFSSL_SESSION_EXPORT) - /* make sure server has cert and key unless using PSK, Anon, or - * Multicast. This should be true even if just switching ssl ctx */ + /* make sure server has cert and key unless using PSK, Anon, + * Multicast or cert setup callback. This should be true even if just + * switching ssl ctx */ if (ssl->options.side == WOLFSSL_SERVER_END && - !havePSK && !haveAnon && !haveMcast) { + !havePSK && !haveAnon && !haveMcast && !haveCertSetupCb) { /* server certificate must be loaded */ if (!ssl->buffers.certificate || !ssl->buffers.certificate->buffer) { diff --git a/tests/api/test_tls_ext.c b/tests/api/test_tls_ext.c index 532c68e18..65c1766a6 100644 --- a/tests/api/test_tls_ext.c +++ b/tests/api/test_tls_ext.c @@ -129,6 +129,13 @@ int test_wolfSSL_DisableExtendedMasterSecret(void) } +#if !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) && \ + !defined(WOLFSSL_NO_CA_NAMES) && !defined(NO_BIO) && \ + !defined(NO_CERTS) && !defined(NO_TLS) && (defined(OPENSSL_EXTRA) || \ + defined(OPENSSL_EXTRA_X509_SMALL)) && (defined(WOLFSSL_TLS13) || \ + (!defined(WOLFSSL_NO_TLS12) && (defined(OPENSSL_ALL) || \ + defined(WOLFSSL_NGINX) || defined(HAVE_LIGHTY)))) && \ + !defined(SINGLE_THREADED) && defined(SESSION_CERTS) struct client_cb_arg { WOLF_STACK_OF(X509_NAME) *names1; WOLF_STACK_OF(X509_NAME) *names2; @@ -145,13 +152,16 @@ static int certificate_authorities_client_cb(WOLFSSL *ssl, void *_arg) { return 0; return 1; } +#endif int test_certificate_authorities_certificate_request(void) { EXPECT_DECLS; #if !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) && \ !defined(WOLFSSL_NO_CA_NAMES) && !defined(NO_BIO) && \ - !defined(NO_CERTS) && (defined(OPENSSL_EXTRA) || \ - defined(OPENSSL_EXTRA_SMALL)) + !defined(NO_CERTS) && !defined(NO_TLS) && (defined(OPENSSL_EXTRA) || \ + defined(OPENSSL_EXTRA_X509_SMALL)) && (defined(WOLFSSL_TLS13) || \ + (!defined(WOLFSSL_NO_TLS12) && (defined(OPENSSL_ALL) || \ + defined(WOLFSSL_NGINX) || defined(HAVE_LIGHTY)))) struct test_params { method_provider client_meth; method_provider server_meth; @@ -161,24 +171,29 @@ int test_certificate_authorities_certificate_request(void) { /* TLS 1.3 uses certificate_authorities extension */ {wolfTLSv1_3_client_method, wolfTLSv1_3_server_method, 0}, #endif -#ifndef WOLFSSL_NO_TLS12 +#if !defined(WOLFSSL_NO_TLS12) && (defined(OPENSSL_ALL) || \ + defined(WOLFSSL_NGINX) || defined(HAVE_LIGHTY)) /* TLS 1.2 directly embeds CA names in CertificateRequest */ {wolfTLSv1_2_client_method, wolfTLSv1_2_server_method, 0}, #endif #ifdef WOLFSSL_DTLS13 {wolfDTLSv1_3_client_method, wolfDTLSv1_3_server_method, 1}, #endif -#ifdef WOLFSSL_DTLS +#if defined(WOLFSSL_DTLS) && (defined(OPENSSL_ALL) || \ + defined(WOLFSSL_NGINX) || defined(HAVE_LIGHTY)) {wolfDTLSv1_2_client_method, wolfDTLSv1_2_server_method, 1}, #endif }; size_t i; for (i = 0; i < sizeof(params) / sizeof(*params); i++) { - WOLFSSL_CTX *ctx; - WOLFSSL *ssl; + WOLFSSL_CTX *ctx = NULL; + WOLFSSL *ssl = NULL; WOLF_STACK_OF(X509_NAME) *names1 = NULL, *names2 = NULL; - X509_NAME *name; + X509_NAME *name = NULL; + + if (EXPECT_FAIL()) + break; ExpectNotNull(ctx = wolfSSL_CTX_new(params[i].server_meth())); @@ -192,6 +207,7 @@ int test_certificate_authorities_certificate_request(void) { wolfSSL_X509_NAME_free(name); name = NULL; } + wolfSSL_sk_X509_NAME_free(names2); names2 = wolfSSL_load_client_CA_file(caCertFile); ExpectNotNull(names2); @@ -228,6 +244,7 @@ int test_certificate_authorities_certificate_request(void) { wolfSSL_X509_NAME_free(name); name = NULL; } + wolfSSL_sk_X509_NAME_free(names2); names2 = wolfSSL_load_client_CA_file(caCertFile); ExpectNotNull(names2); @@ -265,12 +282,6 @@ int test_certificate_authorities_certificate_request(void) { cliCertFile, NULL)); start_thread(test_server_nofail, &server_args, &server_thread); - wait_tcp_ready(&server_args); - - tcp_connect(&sockfd, wolfSSLIP, server_args.signal->port, - params[i].doUdp, 0, NULL); - if (params[i].doUdp) - udp_connect(&sockfd, wolfSSLIP, server_args.signal->port); ExpectNotNull(ctx_client = wolfSSL_CTX_new( params[i].client_meth())); @@ -281,6 +292,11 @@ int test_certificate_authorities_certificate_request(void) { certificate_authorities_client_cb, &client_cb_arg); ExpectNotNull(ssl_client = wolfSSL_new(ctx_client)); + + wait_tcp_ready(&server_args); + tcp_connect(&sockfd, wolfSSLIP, server_args.signal->port, + params[i].doUdp, 0, ssl_client); + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_set_fd(ssl_client, sockfd)); ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_connect(ssl_client)); @@ -307,6 +323,11 @@ int test_certificate_authorities_certificate_request(void) { } +#if !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) && \ + !defined(WOLFSSL_NO_CA_NAMES) && !defined(NO_BIO) && \ + !defined(NO_CERTS) && defined(WOLFSSL_TLS13) && (defined(OPENSSL_EXTRA) || \ + defined(OPENSSL_EXTRA_X509_SMALL)) && \ + !defined(SINGLE_THREADED) && defined(SESSION_CERTS) static int certificate_authorities_server_cb(WOLFSSL *ssl, void *_arg) { int *names_num = (int *)_arg; WOLF_STACK_OF(X509_NAME) *names = wolfSSL_get0_peer_CA_list(ssl); @@ -317,13 +338,15 @@ static int certificate_authorities_server_cb(WOLFSSL *ssl, void *_arg) { return 0; return 1; } +#endif int test_certificate_authorities_client_hello(void) { EXPECT_DECLS; #if !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) && \ !defined(WOLFSSL_NO_CA_NAMES) && !defined(NO_BIO) && \ - !defined(NO_CERTS) && (defined(OPENSSL_EXTRA) || \ - defined(OPENSSL_EXTRA_SMALL)) + !defined(NO_CERTS) && defined(WOLFSSL_TLS13) && (defined(OPENSSL_EXTRA) || \ + defined(OPENSSL_EXTRA_X509_SMALL)) && \ + !defined(SINGLE_THREADED) && defined(SESSION_CERTS) struct test_params { method_provider client_meth; @@ -341,88 +364,84 @@ int test_certificate_authorities_client_hello(void) { size_t i; for (i = 0; i < sizeof(params) / sizeof(*params); i++) { - WOLFSSL_CTX *ctx; + WOLFSSL_CTX *ctx = NULL; int server_cb_arg; + tcp_ready ready; + func_args server_args; + callback_functions server_cb; + THREAD_TYPE server_thread; + WOLFSSL *ssl_client = NULL; + WOLFSSL_CTX *ctx_client = NULL; + SOCKET_T sockfd = 0; + WOLF_STACK_OF(X509_NAME) *names1 = NULL, *names2 = NULL; + X509_NAME *name = NULL; + + if (EXPECT_FAIL()) + break; ExpectNotNull(ctx = wolfSSL_CTX_new(params[i].server_meth())); wolfSSL_CTX_set_cert_cb(ctx, certificate_authorities_server_cb, &server_cb_arg); -#if !defined(SINGLE_THREADED) && defined(SESSION_CERTS) - { - tcp_ready ready; - func_args server_args; - callback_functions server_cb; - THREAD_TYPE server_thread; - WOLFSSL *ssl_client = NULL; - WOLFSSL_CTX *ctx_client = NULL; - SOCKET_T sockfd = 0; - WOLF_STACK_OF(X509_NAME) *names1 = NULL, *names2 = NULL; - X509_NAME *name; + StartTCP(); + InitTcpReady(&ready); + XMEMSET(&server_args, 0, sizeof(func_args)); + XMEMSET(&server_cb, 0, sizeof(callback_functions)); - StartTCP(); - InitTcpReady(&ready); - XMEMSET(&server_args, 0, sizeof(func_args)); - XMEMSET(&server_cb, 0, sizeof(callback_functions)); + server_args.signal = &ready; + server_args.callbacks = &server_cb; + server_cb.ctx = ctx; + server_cb.isSharedCtx = 1; + server_cb.doUdp = params[i].doUdp; - server_args.signal = &ready; - server_args.callbacks = &server_cb; + start_thread(test_server_nofail, &server_args, &server_thread); - server_cb.ctx = ctx; - server_cb.isSharedCtx = 1; - server_cb.doUdp = params[i].doUdp; + ExpectNotNull(ctx_client = wolfSSL_CTX_new( + params[i].client_meth())); + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_load_verify_locations( + ctx_client, caCertFile, NULL)); - start_thread(test_server_nofail, &server_args, &server_thread); - wait_tcp_ready(&server_args); + ExpectNotNull(ssl_client = wolfSSL_new(ctx_client)); - tcp_connect(&sockfd, wolfSSLIP, server_args.signal->port, - params[i].doUdp, 0, NULL); - if (params[i].doUdp) - udp_connect(&sockfd, wolfSSLIP, server_args.signal->port); + AssertTrue(wolfSSL_use_certificate_file(ssl_client, cliCertFile, + SSL_FILETYPE_PEM)); + AssertTrue(wolfSSL_use_PrivateKey_file(ssl_client, cliKeyFile, + SSL_FILETYPE_PEM)); - ExpectNotNull(ctx_client = wolfSSL_CTX_new( - params[i].client_meth())); - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_load_verify_locations( - ctx_client, caCertFile, NULL)); - - ExpectNotNull(ssl_client = wolfSSL_new(ctx_client)); - - AssertTrue(wolfSSL_use_certificate_file(ssl_client, cliCertFile, - SSL_FILETYPE_PEM)); - AssertTrue(wolfSSL_use_PrivateKey_file(ssl_client, cliKeyFile, - SSL_FILETYPE_PEM)); - - names1 = wolfSSL_load_client_CA_file(caCertFile); - ExpectNotNull(names1); - names2 = wolfSSL_load_client_CA_file(cliCertFile); - ExpectNotNull(names2); - ExpectNotNull(name = wolfSSL_sk_X509_NAME_value(names2, 0)); - ExpectIntEQ(2, wolfSSL_sk_X509_NAME_push(names1, name)); - if (EXPECT_FAIL()) { - wolfSSL_X509_NAME_free(name); - name = NULL; - } - names2 = wolfSSL_load_client_CA_file(cliCertFile); - ExpectNotNull(names2); - - /* verify that set0_CA_list takes precedence */ - wolfSSL_set0_CA_list(ssl_client, names1); - wolfSSL_CTX_set0_CA_list(ctx_client, names2); - - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_set_fd(ssl_client, sockfd)); - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_connect(ssl_client)); - - wolfSSL_shutdown(ssl_client); - wolfSSL_free(ssl_client); - wolfSSL_CTX_free(ctx_client); - - CloseSocket(sockfd); - - join_thread(server_thread); - FreeTcpReady(&ready); + names1 = wolfSSL_load_client_CA_file(caCertFile); + ExpectNotNull(names1); + names2 = wolfSSL_load_client_CA_file(cliCertFile); + ExpectNotNull(names2); + ExpectNotNull(name = wolfSSL_sk_X509_NAME_value(names2, 0)); + ExpectIntEQ(2, wolfSSL_sk_X509_NAME_push(names1, name)); + if (EXPECT_FAIL()) { + wolfSSL_X509_NAME_free(name); + name = NULL; } -#endif + wolfSSL_sk_X509_NAME_free(names2); + names2 = wolfSSL_load_client_CA_file(cliCertFile); + ExpectNotNull(names2); + + /* verify that set0_CA_list takes precedence */ + wolfSSL_set0_CA_list(ssl_client, names1); + wolfSSL_CTX_set0_CA_list(ctx_client, names2); + + wait_tcp_ready(&server_args); + tcp_connect(&sockfd, wolfSSLIP, server_args.signal->port, + params[i].doUdp, 0, ssl_client); + + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_set_fd(ssl_client, sockfd)); + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_connect(ssl_client)); + + wolfSSL_shutdown(ssl_client); + wolfSSL_free(ssl_client); + wolfSSL_CTX_free(ctx_client); + + CloseSocket(sockfd); + + join_thread(server_thread); + FreeTcpReady(&ready); ExpectIntEQ(2, server_cb_arg); wolfSSL_CTX_free(ctx); }