mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-11 14:10:49 +02:00
Merge pull request #9716 from SparkiDev/regression_fixes_22
Regression test fixes
This commit is contained in:
@@ -71,6 +71,16 @@ jobs:
|
||||
'--enable-sessionexport --enable-dtls --enable-dtls13',
|
||||
'--enable-sessionexport',
|
||||
'--disable-examples CPPFLAGS=-DWOLFSSL_NO_MALLOC',
|
||||
'CPPFLAGS=-DNO_WOLFSSL_CLIENT',
|
||||
'CPPFLAGS=-DNO_WOLFSSL_SERVER',
|
||||
'CPPFLAGS=-DWOLFSSL_NO_CLIENT_AUTH',
|
||||
'CPPFLAGS=''-DNO_WOLFSSL_CLIENT -DWOLFSSL_NO_CLIENT_AUTH''',
|
||||
'CPPFLAGS=''-DNO_WOLFSSL_SERVER -DWOLFSSL_NO_CLIENT_AUTH''',
|
||||
'--enable-all CPPFLAGS=-DNO_WOLFSSL_CLIENT',
|
||||
'--enable-all CPPFLAGS=-DNO_WOLFSSL_SERVER',
|
||||
'--enable-all CPPFLAGS=-DWOLFSSL_NO_CLIENT_AUTH',
|
||||
'--enable-all CPPFLAGS=''-DNO_WOLFSSL_CLIENT -DWOLFSSL_NO_CLIENT_AUTH''',
|
||||
'--enable-all CPPFLAGS=''-DNO_WOLFSSL_SERVER -DWOLFSSL_NO_CLIENT_AUTH''',
|
||||
]
|
||||
name: make check
|
||||
if: github.repository_owner == 'wolfssl'
|
||||
|
||||
@@ -1209,8 +1209,10 @@ static const char* client_usage_msg[][79] = {
|
||||
#endif
|
||||
"-l <str> Cipher suite list (: delimited)\n", /* 8 */
|
||||
#ifndef NO_CERTS
|
||||
#ifndef WOLFSSL_NO_CLIENT_AUTH
|
||||
"-c <file> Certificate file, default", /* 9 */
|
||||
"-k <file> Key file, default", /* 10 */
|
||||
#endif
|
||||
"-A <file> Certificate Authority file, default", /* 11 */
|
||||
#endif
|
||||
#ifndef NO_DH
|
||||
@@ -1261,7 +1263,7 @@ static const char* client_usage_msg[][79] = {
|
||||
" The string parameter is optional.\n", /* 29 */
|
||||
#endif
|
||||
"-f Fewer packets/group messages\n", /* 30 */
|
||||
#ifndef NO_CERTS
|
||||
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CLIENT_AUTH)
|
||||
"-x Disable client cert/key loading\n", /* 31 */
|
||||
#endif
|
||||
"-X Driven by eXternal test case\n", /* 32 */
|
||||
@@ -1329,7 +1331,8 @@ static const char* client_usage_msg[][79] = {
|
||||
#ifdef HAVE_CURVE25519
|
||||
"-t Use X25519 for key exchange\n", /* 56 */
|
||||
#endif
|
||||
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
|
||||
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH) && \
|
||||
!defined(WOLFSSL_NO_CLIENT_AUTH)
|
||||
"-Q Support requesting certificate post-handshake\n", /* 57 */
|
||||
#endif
|
||||
#ifdef WOLFSSL_EARLY_DATA
|
||||
@@ -1467,8 +1470,10 @@ static const char* client_usage_msg[][79] = {
|
||||
#endif
|
||||
"-l <str> 暗号スイートリスト (区切り文字 :)\n", /* 8 */
|
||||
#ifndef NO_CERTS
|
||||
#ifndef WOLFSSL_NO_CLIENT_AUTH
|
||||
"-c <file> 証明書ファイル, 既定値", /* 9 */
|
||||
"-k <file> 鍵ファイル, 既定値", /* 10 */
|
||||
#endif
|
||||
"-A <file> 認証局ファイル, 既定値", /* 11 */
|
||||
#endif
|
||||
#ifndef NO_DH
|
||||
@@ -1518,7 +1523,7 @@ static const char* client_usage_msg[][79] = {
|
||||
"-i <str> クライアント主導のネゴシエーションを強制する\n", /* 29 */
|
||||
#endif
|
||||
"-f より少ないパケット/グループメッセージを使用する\n",/* 30 */
|
||||
#ifndef NO_CERTS
|
||||
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CLIENT_AUTH)
|
||||
"-x クライアントの証明書/鍵のロードを無効する\n", /* 31 */
|
||||
#endif
|
||||
"-X 外部テスト・ケースにより動作する\n", /* 32 */
|
||||
@@ -1589,7 +1594,8 @@ static const char* client_usage_msg[][79] = {
|
||||
#ifdef HAVE_CURVE25519
|
||||
"-t X25519を鍵交換に使用する\n", /* 56 */
|
||||
#endif
|
||||
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
|
||||
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH) && \
|
||||
!defined(WOLFSSL_NO_CLIENT_AUTH)
|
||||
"-Q ポストハンドシェークの証明要求をサポートする\n", /* 57 */
|
||||
#endif
|
||||
#ifdef WOLFSSL_EARLY_DATA
|
||||
@@ -1766,8 +1772,10 @@ static void Usage(void)
|
||||
#endif
|
||||
printf("%s", msg[++msgid]); /* -l */
|
||||
#ifndef NO_CERTS
|
||||
#ifndef WOLFSSL_NO_CLIENT_AUTH
|
||||
printf("%s %s\n", msg[++msgid], cliCertFile); /* -c */
|
||||
printf("%s %s\n", msg[++msgid], cliKeyFile); /* -k */
|
||||
#endif
|
||||
printf("%s %s\n", msg[++msgid], caCertFile); /* -A */
|
||||
#endif
|
||||
#ifndef NO_DH
|
||||
@@ -1805,7 +1813,7 @@ static void Usage(void)
|
||||
printf("%s", msg[++msgid]); /* -i */
|
||||
#endif
|
||||
printf("%s", msg[++msgid]); /* -f */
|
||||
#ifndef NO_CERTS
|
||||
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CLIENT_AUTH)
|
||||
printf("%s", msg[++msgid]); /* -x */
|
||||
#endif
|
||||
printf("%s", msg[++msgid]); /* -X */
|
||||
@@ -1868,7 +1876,8 @@ static void Usage(void)
|
||||
#ifdef HAVE_CURVE25519
|
||||
printf("%s", msg[++msgid]); /* -t */
|
||||
#endif
|
||||
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
|
||||
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH) && \
|
||||
!defined(WOLFSSL_NO_CLIENT_AUTH)
|
||||
printf("%s", msg[++msgid]); /* -Q */
|
||||
#endif
|
||||
#ifdef WOLFSSL_EARLY_DATA
|
||||
@@ -2823,7 +2832,8 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
|
||||
|
||||
case 'Q' :
|
||||
#if defined(WOLFSSL_TLS13) && \
|
||||
defined(WOLFSSL_POST_HANDSHAKE_AUTH)
|
||||
defined(WOLFSSL_POST_HANDSHAKE_AUTH) && \
|
||||
!defined(WOLFSSL_NO_CLIENT_AUTH)
|
||||
postHandAuth = 1;
|
||||
#endif
|
||||
break;
|
||||
|
||||
@@ -1,5 +1,13 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
[ ! -x ./examples/client/client ] && printf '\n\n%s\n' "Client doesn't exist" \
|
||||
&& exit 1
|
||||
|
||||
if ! ./examples/client/client | grep "Client not compiled in!" ; then
|
||||
echo 'skipping crl-revoked.test because client not compiled in.' 1>&2
|
||||
exit 77
|
||||
fi
|
||||
|
||||
#crl.test
|
||||
# if we can, isolate the network namespace to eliminate port collisions.
|
||||
if [[ -n "$NETWORK_UNSHARE_HELPER" ]]; then
|
||||
|
||||
@@ -3,6 +3,22 @@
|
||||
# dtlscid.test
|
||||
# Copyright wolfSSL 2022-2024
|
||||
|
||||
[ ! -x ./examples/client/client ] && printf '\n\n%s\n' "Client doesn't exist" \
|
||||
&& exit 0
|
||||
|
||||
[ ! -x ./examples/server/server ] && printf '\n\n%s\n' "Server doesn't exist" \
|
||||
&& exit 0
|
||||
|
||||
if ! ./examples/client/client | grep "Client not compiled in!" ; then
|
||||
echo 'skipping crl-revoked.test because client not compiled in.' 1>&2
|
||||
exit 77
|
||||
fi
|
||||
|
||||
if ! ./examples/server/server | grep "Server not compiled in!" ; then
|
||||
echo 'skipping crl-revoked.test because server not compiled in.' 1>&2
|
||||
exit 77
|
||||
fi
|
||||
|
||||
# if we can, isolate the network namespace to eliminate port collisions.
|
||||
if [[ -n "$NETWORK_UNSHARE_HELPER" ]]; then
|
||||
if [[ -z "$NETWORK_UNSHARE_HELPER_CALLED" ]]; then
|
||||
|
||||
@@ -23,6 +23,22 @@ if [[ -z "${RETRIES_REMAINING-}" ]]; then
|
||||
export RETRIES_REMAINING=2
|
||||
fi
|
||||
|
||||
[ ! -x ./examples/client/client ] && printf '\n\n%s\n' "Client doesn't exist" \
|
||||
&& exit 1
|
||||
|
||||
[ ! -x ./examples/server/server ] && printf '\n\n%s\n' "Server doesn't exist" \
|
||||
&& exit 1
|
||||
|
||||
if ! ./examples/client/client | grep "Client not compiled in!" ; then
|
||||
echo 'skipping crl-revoked.test because client not compiled in.' 1>&2
|
||||
exit 77
|
||||
fi
|
||||
|
||||
if ! ./examples/server/server | grep "Server not compiled in!" ; then
|
||||
echo 'skipping crl-revoked.test because server not compiled in.' 1>&2
|
||||
exit 77
|
||||
fi
|
||||
|
||||
if ! ./examples/client/client -V | grep -q 3; then
|
||||
echo 'skipping ocsp-stapling-with-ca-as-responder.test because TLS1.2 is not available.' 1>&2
|
||||
exit 77
|
||||
|
||||
@@ -17,6 +17,22 @@ if test "$WOLFSSL_EXTERNAL_TEST" == "0"; then
|
||||
exit 77
|
||||
fi
|
||||
|
||||
[ ! -x ./examples/client/client ] && printf '\n\n%s\n' "Client doesn't exist" \
|
||||
&& exit 1
|
||||
|
||||
[ ! -x ./examples/server/server ] && printf '\n\n%s\n' "Server doesn't exist" \
|
||||
&& exit 1
|
||||
|
||||
if ! ./examples/client/client | grep "Client not compiled in!" ; then
|
||||
echo 'skipping crl-revoked.test because client not compiled in.' 1>&2
|
||||
exit 77
|
||||
fi
|
||||
|
||||
if ! ./examples/server/server | grep "Server not compiled in!" ; then
|
||||
echo 'skipping crl-revoked.test because server not compiled in.' 1>&2
|
||||
exit 77
|
||||
fi
|
||||
|
||||
if ! ./examples/client/client -V | grep -q 3; then
|
||||
echo 'skipping ocsp-stapling.test because TLS1.2 is not available.' 1>&2
|
||||
exit 77
|
||||
|
||||
@@ -24,6 +24,22 @@ if [[ -z "${RETRIES_REMAINING-}" ]]; then
|
||||
export RETRIES_REMAINING=2
|
||||
fi
|
||||
|
||||
[ ! -x ./examples/client/client ] && printf '\n\n%s\n' "Client doesn't exist" \
|
||||
&& exit 1
|
||||
|
||||
[ ! -x ./examples/server/server ] && printf '\n\n%s\n' "Server doesn't exist" \
|
||||
&& exit 1
|
||||
|
||||
if ! ./examples/client/client | grep "Client not compiled in!" ; then
|
||||
echo 'skipping crl-revoked.test because client not compiled in.' 1>&2
|
||||
exit 77
|
||||
fi
|
||||
|
||||
if ! ./examples/server/server | grep "Server not compiled in!" ; then
|
||||
echo 'skipping crl-revoked.test because server not compiled in.' 1>&2
|
||||
exit 77
|
||||
fi
|
||||
|
||||
if ! ./examples/client/client -V | grep -q 3; then
|
||||
echo 'skipping ocsp-stapling2.test because TLS1.2 is not available.' 1>&2
|
||||
exit 77
|
||||
|
||||
@@ -24,6 +24,22 @@ if [[ -z "${RETRIES_REMAINING-}" ]]; then
|
||||
export RETRIES_REMAINING=2
|
||||
fi
|
||||
|
||||
[ ! -x ./examples/client/client ] && printf '\n\n%s\n' "Client doesn't exist" \
|
||||
&& exit 1
|
||||
|
||||
[ ! -x ./examples/server/server ] && printf '\n\n%s\n' "Server doesn't exist" \
|
||||
&& exit 1
|
||||
|
||||
if ! ./examples/client/client | grep "Client not compiled in!" ; then
|
||||
echo 'skipping crl-revoked.test because client not compiled in.' 1>&2
|
||||
exit 77
|
||||
fi
|
||||
|
||||
if ! ./examples/server/server | grep "Server not compiled in!" ; then
|
||||
echo 'skipping crl-revoked.test because server not compiled in.' 1>&2
|
||||
exit 77
|
||||
fi
|
||||
|
||||
if ! ./examples/client/client -V | grep -q 4; then
|
||||
tls13=no
|
||||
|
||||
|
||||
@@ -2,6 +2,14 @@
|
||||
|
||||
#pkcallbacks.test
|
||||
|
||||
[ ! -x ./examples/client/client ] && printf '\n\n%s\n' "Client doesn't exist" \
|
||||
&& exit 1
|
||||
|
||||
if ! ./examples/client/client | grep "Client not compiled in!" ; then
|
||||
echo 'skipping pkcallbacks.test because client not compiled in.' 1>&2
|
||||
exit 77
|
||||
fi
|
||||
|
||||
# if we can, isolate the network namespace to eliminate port collisions.
|
||||
if [[ -n "$NETWORK_UNSHARE_HELPER" ]]; then
|
||||
if [[ -z "$NETWORK_UNSHARE_HELPER_CALLED" ]]; then
|
||||
|
||||
+19
-13
@@ -88,6 +88,10 @@ fi
|
||||
if [ $? -eq 0 ]; then
|
||||
exit 0
|
||||
fi
|
||||
./examples/client/client '-?' 2>&1 | grep -- 'Disable client cert/key loading'
|
||||
if [ $? -eq 0 ]; then
|
||||
CLIENT_AUTH_ENABLED=1
|
||||
fi
|
||||
|
||||
# Usual psk server / psk client. This use case is tested in
|
||||
# tests/unit.test and is used here for just checking if PSK is enabled
|
||||
@@ -144,19 +148,21 @@ if [ $? -ne 0 ]; then
|
||||
fi
|
||||
echo ""
|
||||
|
||||
# check fail if no auth, psk server with non psk client
|
||||
echo "Checking fail when not sending peer cert"
|
||||
port=0
|
||||
./examples/server/server -j -R "$ready_file" -p $port &
|
||||
server_pid=$!
|
||||
create_port
|
||||
./examples/client/client -x -p $port
|
||||
RESULT=$?
|
||||
remove_ready_file
|
||||
if [ $RESULT -eq 0 ]; then
|
||||
echo -e "\n\nClient connected when supposed to fail"
|
||||
do_cleanup
|
||||
exit 1
|
||||
if [ "$CLIENT_AUTH_ENABLED" != "" ]; then
|
||||
# check fail if no auth, psk server with non psk client
|
||||
echo "Checking fail when not sending peer cert"
|
||||
port=0
|
||||
./examples/server/server -j -R "$ready_file" -p $port &
|
||||
server_pid=$!
|
||||
create_port
|
||||
./examples/client/client -x -p $port
|
||||
RESULT=$?
|
||||
remove_ready_file
|
||||
if [ $RESULT -eq 0 ]; then
|
||||
echo -e "\n\nClient connected when supposed to fail"
|
||||
do_cleanup
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
@@ -519,7 +519,8 @@ int CheckCertCRL_ex(WOLFSSL_CRL* crl, byte* issuerHash, byte* serial,
|
||||
#if defined(OPENSSL_ALL) && defined(WOLFSSL_CERT_GEN) && \
|
||||
(defined(WOLFSSL_CERT_REQ) || defined(WOLFSSL_CERT_EXT)) && \
|
||||
!defined(NO_FILESYSTEM) && !defined(NO_WOLFSSL_DIR) && \
|
||||
!defined(NO_STDIO_FILESYSTEM)
|
||||
!defined(NO_STDIO_FILESYSTEM) && \
|
||||
(!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH))
|
||||
/* if not find entry in the CRL list, it looks at the folder that sets */
|
||||
/* by LOOKUP_ctrl because user would want to use hash_dir. */
|
||||
/* Loading <issuer-hash>.rN form CRL file if find at the folder, */
|
||||
|
||||
+1
-1
@@ -1849,7 +1849,7 @@ static int _Dtls13HandshakeRecv(WOLFSSL* ssl, byte* input, word32 size,
|
||||
isComplete = isFirst && fragLength == messageLength;
|
||||
|
||||
if (!isComplete && !Dtls13AcceptFragmented(ssl, (enum HandShakeType)handshakeType)) {
|
||||
#ifdef WOLFSSL_DTLS_CH_FRAG
|
||||
#if defined(WOLFSSL_DTLS_CH_FRAG) && !defined(NO_WOLFSSL_SERVER)
|
||||
byte tls13 = 0;
|
||||
/* check if the first CH fragment contains a valid cookie */
|
||||
if (ssl->options.dtls13ChFrag && !ssl->options.dtlsStateful &&
|
||||
|
||||
+84
-65
@@ -211,7 +211,8 @@ int writeAeadAuthData(WOLFSSL* ssl, word16 sz, byte type, byte* additional,
|
||||
static int _DtlsCheckWindow(WOLFSSL* ssl);
|
||||
#endif
|
||||
|
||||
#if defined(__APPLE__) && defined(WOLFSSL_SYS_CA_CERTS)
|
||||
#if defined(__APPLE__) && defined(WOLFSSL_SYS_CA_CERTS) && \
|
||||
(!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH))
|
||||
#include <Security/SecCertificate.h>
|
||||
#include <Security/SecTrust.h>
|
||||
#include <Security/SecPolicy.h>
|
||||
@@ -4922,7 +4923,8 @@ void FreeX509(WOLFSSL_X509* x509)
|
||||
}
|
||||
|
||||
|
||||
#if !defined(NO_WOLFSSL_SERVER) || !defined(NO_WOLFSSL_CLIENT)
|
||||
#if !defined(NO_WOLFSSL_SERVER) || (!defined(NO_WOLFSSL_CLIENT) && \
|
||||
!defined(WOLFSSL_NO_CLIENT_AUTH))
|
||||
#if !defined(WOLFSSL_NO_TLS12)
|
||||
/* Encode the signature algorithm into buffer.
|
||||
*
|
||||
@@ -10772,9 +10774,11 @@ static void AddHeaders(byte* output, word32 length, byte type, WOLFSSL* ssl)
|
||||
|
||||
|
||||
#ifndef WOLFSSL_NO_TLS12
|
||||
#if !defined(NO_CERTS) && (!defined(NO_WOLFSSL_SERVER) || \
|
||||
!defined(WOLFSSL_NO_CLIENT_AUTH)) || \
|
||||
defined(WOLFSSL_DTLS)
|
||||
#if (!defined(NO_CERTS) && (!defined(NO_WOLFSSL_SERVER) || \
|
||||
!defined(WOLFSSL_NO_CLIENT_AUTH))) || \
|
||||
((!defined(NO_WOLFSSL_SERVER) || \
|
||||
(!defined(NO_WOLFSSL_CLIENT) && !defined(NO_CERTS) && \
|
||||
!defined(WOLFSSL_NO_CLIENT_AUTH))) && defined(WOLFSSL_DTLS))
|
||||
static void AddFragHeaders(byte* output, word32 fragSz, word32 fragOffset,
|
||||
word32 length, byte type, WOLFSSL* ssl)
|
||||
{
|
||||
@@ -10792,7 +10796,7 @@ static void AddFragHeaders(byte* output, word32 fragSz, word32 fragOffset,
|
||||
AddRecordHeader(output, fragSz + lengthAdj, handshake, ssl, CUR_ORDER);
|
||||
AddHandShakeHeader(output + outputAdj, length, fragOffset, fragSz, type, ssl);
|
||||
}
|
||||
#endif /* NO_CERTS */
|
||||
#endif
|
||||
|
||||
#if !defined(NO_WOLFSSL_SERVER) || \
|
||||
(!defined(NO_WOLFSSL_CLIENT) && !defined(NO_CERTS) && \
|
||||
@@ -13347,7 +13351,8 @@ int CheckIPAddr(DecodedCert* dCert, const char* ipasc)
|
||||
}
|
||||
|
||||
|
||||
#ifdef SESSION_CERTS
|
||||
#if defined(SESSION_CERTS) && (!defined(NO_WOLFSSL_CLIENT) || \
|
||||
!defined(WOLFSSL_NO_CLIENT_AUTH))
|
||||
static void AddSessionCertToChain(WOLFSSL_X509_CHAIN* chain,
|
||||
byte* certBuf, word32 certSz)
|
||||
{
|
||||
@@ -14134,9 +14139,10 @@ int CopyDecodedAcertToX509(WOLFSSL_X509_ACERT* x509, DecodedAcert* dAcert)
|
||||
}
|
||||
#endif /* WOLFSSL_ACERT */
|
||||
|
||||
|
||||
#if (defined(HAVE_CERTIFICATE_STATUS_REQUEST) || \
|
||||
defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)) && !defined(WOLFSSL_NO_TLS12)
|
||||
#if !defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)
|
||||
#ifndef NO_WOLFSSL_SERVER
|
||||
static int CsrDoStatusVerifyCb(WOLFSSL* ssl, byte* input, word32 inputSz, word32 idx,
|
||||
int ret)
|
||||
{
|
||||
@@ -14159,6 +14165,7 @@ static int CsrDoStatusVerifyCb(WOLFSSL* ssl, byte* input, word32 inputSz, word32
|
||||
}
|
||||
return ret;
|
||||
}
|
||||
#endif
|
||||
|
||||
static int ProcessCSR_ex(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
||||
word32 status_length, int idx)
|
||||
@@ -14263,7 +14270,9 @@ static int ProcessCSR_ex(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
||||
else if (response->single->status->status != CERT_GOOD)
|
||||
ret = BAD_CERTIFICATE_STATUS_ERROR;
|
||||
|
||||
#ifndef NO_WOLFSSL_SERVER
|
||||
ret = CsrDoStatusVerifyCb(ssl, input + *inOutIdx, status_length, idx, ret);
|
||||
#endif
|
||||
}
|
||||
|
||||
*inOutIdx += status_length;
|
||||
@@ -14286,6 +14295,7 @@ static int ProcessCSR(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
||||
return ProcessCSR_ex(ssl, input, inOutIdx, status_length, 0);
|
||||
}
|
||||
#endif
|
||||
#endif
|
||||
|
||||
|
||||
|
||||
@@ -17398,8 +17408,10 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
||||
/* only frees 'single' if single->isDynamic is set */
|
||||
FreeOcspResponse(response);
|
||||
|
||||
ret = CsrDoStatusVerifyCb(ssl, input + *inOutIdx, status_length,
|
||||
idx, ret);
|
||||
#ifndef NO_WOLFSSL_SERVER
|
||||
ret = CsrDoStatusVerifyCb(ssl, input + *inOutIdx,
|
||||
status_length, idx, ret);
|
||||
#endif
|
||||
if (ret == 0 && idx == 0) /* server cert must be OK */
|
||||
endCertificateOK = 1;
|
||||
|
||||
@@ -25554,12 +25566,14 @@ int SendCertificateStatus(WOLFSSL* ssl)
|
||||
status_type = status_type ? status_type : ssl->status_request_v2;
|
||||
#endif
|
||||
|
||||
#ifndef NO_WOLFSSL_SERVER
|
||||
#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) || \
|
||||
defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
|
||||
if (SSL_CM(ssl)->ocsp_stapling != NULL &&
|
||||
SSL_CM(ssl)->ocsp_stapling->statusCb != NULL) {
|
||||
return BuildCertificateStatusWithStatusCB(ssl, status_type);
|
||||
}
|
||||
#endif
|
||||
#endif
|
||||
|
||||
switch (status_type) {
|
||||
@@ -30725,6 +30739,36 @@ static int DhSetKey(WOLFSSL* ssl)
|
||||
}
|
||||
#endif /* !NO_DH */
|
||||
|
||||
#if !defined(NO_TLS) && !defined(WOLFSSL_NO_TLS12) && !defined(NO_PSK)
|
||||
static void MakePSKPreMasterSecret(Arrays* arrays, byte use_psk_key)
|
||||
{
|
||||
byte* pms = arrays->preMasterSecret;
|
||||
word16 sz = 0;
|
||||
|
||||
/* sz + (use_psk_key ? sz 0s : sz unaltered) + length of psk + psk */
|
||||
if (!use_psk_key) {
|
||||
sz = (word16)arrays->preMasterSz;
|
||||
c16toa(sz, pms);
|
||||
pms += OPAQUE16_LEN + sz;
|
||||
}
|
||||
if ((int)arrays->psk_keySz > 0) {
|
||||
if (use_psk_key) {
|
||||
sz = (word16)arrays->psk_keySz;
|
||||
c16toa(sz, pms);
|
||||
pms += OPAQUE16_LEN;
|
||||
XMEMSET(pms, 0, sz);
|
||||
pms += sz;
|
||||
}
|
||||
c16toa(arrays->psk_keySz, pms);
|
||||
pms += OPAQUE16_LEN;
|
||||
XMEMCPY(pms, arrays->psk_key, arrays->psk_keySz);
|
||||
arrays->preMasterSz = sz + arrays->psk_keySz + OPAQUE16_LEN * 2;
|
||||
ForceZero(arrays->psk_key, arrays->psk_keySz);
|
||||
}
|
||||
arrays->psk_keySz = 0; /* no further need */
|
||||
}
|
||||
#endif
|
||||
|
||||
/* client only parts */
|
||||
#if !defined(NO_WOLFSSL_CLIENT) && !defined(NO_TLS)
|
||||
|
||||
@@ -33150,59 +33194,6 @@ static int EcExportHsKey(WOLFSSL* ssl, byte* out, word32* len)
|
||||
}
|
||||
#endif /*HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448*/
|
||||
|
||||
#ifndef NO_PSK
|
||||
static int AddPSKtoPreMasterSecret(WOLFSSL* ssl)
|
||||
{
|
||||
int ret = 0;
|
||||
/* Use the PSK hint to look up the PSK and add it to the
|
||||
* preMasterSecret here. */
|
||||
ssl->arrays->psk_keySz = ssl->options.server_psk_cb(ssl,
|
||||
ssl->arrays->client_identity, ssl->arrays->psk_key,
|
||||
MAX_PSK_KEY_LEN);
|
||||
|
||||
if (ssl->arrays->psk_keySz == 0 ||
|
||||
(ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN &&
|
||||
(int)ssl->arrays->psk_keySz != WC_NO_ERR_TRACE(USE_HW_PSK))) {
|
||||
#if defined(WOLFSSL_EXTRA_ALERTS) || defined(WOLFSSL_PSK_IDENTITY_ALERT)
|
||||
SendAlert(ssl, alert_fatal, unknown_psk_identity);
|
||||
#endif
|
||||
ret = 1;
|
||||
}
|
||||
if (ret == 0)
|
||||
/* Pre-shared Key for peer authentication. */
|
||||
ssl->options.peerAuthGood = 1;
|
||||
return ret;
|
||||
}
|
||||
|
||||
static void MakePSKPreMasterSecret(Arrays* arrays, byte use_psk_key)
|
||||
{
|
||||
byte* pms = arrays->preMasterSecret;
|
||||
word16 sz = 0;
|
||||
|
||||
/* sz + (use_psk_key ? sz 0s : sz unaltered) + length of psk + psk */
|
||||
if (!use_psk_key) {
|
||||
sz = (word16)arrays->preMasterSz;
|
||||
c16toa(sz, pms);
|
||||
pms += OPAQUE16_LEN + sz;
|
||||
}
|
||||
if ((int)arrays->psk_keySz > 0) {
|
||||
if (use_psk_key) {
|
||||
sz = (word16)arrays->psk_keySz;
|
||||
c16toa(sz, pms);
|
||||
pms += OPAQUE16_LEN;
|
||||
XMEMSET(pms, 0, sz);
|
||||
pms += sz;
|
||||
}
|
||||
c16toa(arrays->psk_keySz, pms);
|
||||
pms += OPAQUE16_LEN;
|
||||
XMEMCPY(pms, arrays->psk_key, arrays->psk_keySz);
|
||||
arrays->preMasterSz = sz + arrays->psk_keySz + OPAQUE16_LEN * 2;
|
||||
ForceZero(arrays->psk_key, arrays->psk_keySz);
|
||||
}
|
||||
arrays->psk_keySz = 0; /* no further need */
|
||||
}
|
||||
#endif /*!NO_PSK*/
|
||||
|
||||
#if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || defined(HAVE_CURVE448)
|
||||
static int EcMakeKey(WOLFSSL* ssl)
|
||||
{
|
||||
@@ -35084,10 +35075,36 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
||||
return MATCH_SUITE_ERROR;
|
||||
}
|
||||
|
||||
|
||||
#if !defined(NO_WOLFSSL_SERVER) && !defined(NO_TLS)
|
||||
|
||||
#ifndef WOLFSSL_NO_TLS12
|
||||
|
||||
#ifndef NO_PSK
|
||||
static int AddPSKtoPreMasterSecret(WOLFSSL* ssl)
|
||||
{
|
||||
int ret = 0;
|
||||
/* Use the PSK hint to look up the PSK and add it to the
|
||||
* preMasterSecret here. */
|
||||
ssl->arrays->psk_keySz = ssl->options.server_psk_cb(ssl,
|
||||
ssl->arrays->client_identity, ssl->arrays->psk_key,
|
||||
MAX_PSK_KEY_LEN);
|
||||
|
||||
if (ssl->arrays->psk_keySz == 0 ||
|
||||
(ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN &&
|
||||
(int)ssl->arrays->psk_keySz != WC_NO_ERR_TRACE(USE_HW_PSK))) {
|
||||
#if defined(WOLFSSL_EXTRA_ALERTS) || defined(WOLFSSL_PSK_IDENTITY_ALERT)
|
||||
SendAlert(ssl, alert_fatal, unknown_psk_identity);
|
||||
#endif
|
||||
ret = 1;
|
||||
}
|
||||
if (ret == 0)
|
||||
/* Pre-shared Key for peer authentication. */
|
||||
ssl->options.peerAuthGood = 1;
|
||||
return ret;
|
||||
}
|
||||
#endif /* NO_PSK */
|
||||
|
||||
static int getSessionID(WOLFSSL* ssl)
|
||||
{
|
||||
int sessIdSz = 0;
|
||||
@@ -42055,7 +42072,8 @@ int wolfSSL_sk_BY_DIR_entry_push(WOLF_STACK_OF(WOLFSSL_BY_DIR_entry)* sk,
|
||||
|
||||
#endif /* OPENSSL_ALL && !NO_FILESYSTEM && !NO_FILESYSTEM */
|
||||
|
||||
#if defined(__APPLE__) && defined(WOLFSSL_SYS_CA_CERTS)
|
||||
#if defined(__APPLE__) && defined(WOLFSSL_SYS_CA_CERTS) && \
|
||||
(!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH))
|
||||
|
||||
/*
|
||||
* Converts a DER formatted certificate to a SecCertificateRef
|
||||
@@ -42401,7 +42419,8 @@ int wolfSSL_TestAppleNativeCertValidation_AppendCA(WOLFSSL_CTX* ctx,
|
||||
}
|
||||
#endif /* WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION */
|
||||
|
||||
#endif /* defined(__APPLE__) && defined(WOLFSSL_SYS_CA_CERTS) */
|
||||
#endif /* __APPLE__ && WOLFSSL_SYS_CA_CERTS && (!NO_WOLFSSL_CLIENT) ||
|
||||
* !WOLFSSL_NO_CLIENT_AUTH) */
|
||||
|
||||
/* Do not try to process error for async, non blocking io, and app_read */
|
||||
void wolfssl_local_MaybeCheckAlertOnErr(WOLFSSL* ssl, int err)
|
||||
|
||||
@@ -3666,6 +3666,7 @@ int wolfSSL_CTX_UseTruncatedHMAC(WOLFSSL_CTX* ctx)
|
||||
#endif /* NO_WOLFSSL_CLIENT */
|
||||
#endif /* HAVE_TRUNCATED_HMAC */
|
||||
|
||||
#ifndef NO_WOLFSSL_CLIENT
|
||||
#ifdef HAVE_CERTIFICATE_STATUS_REQUEST
|
||||
|
||||
int wolfSSL_UseOCSPStapling(WOLFSSL* ssl, byte status_type, byte options)
|
||||
@@ -3717,6 +3718,7 @@ int wolfSSL_CTX_UseOCSPStaplingV2(WOLFSSL_CTX* ctx, byte status_type,
|
||||
}
|
||||
|
||||
#endif /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */
|
||||
#endif /* !NO_WOLFSSL_CLIENT */
|
||||
|
||||
/* Elliptic Curves */
|
||||
#if defined(HAVE_SUPPORTED_CURVES)
|
||||
@@ -22208,6 +22210,7 @@ int wolfSSL_set_tlsext_status_ocsp_resp_multi(WOLFSSL* ssl, unsigned char *resp,
|
||||
return WOLFSSL_SUCCESS;
|
||||
}
|
||||
|
||||
#ifndef NO_WOLFSSL_SERVER
|
||||
void wolfSSL_CTX_set_ocsp_status_verify_cb(WOLFSSL_CTX* ctx,
|
||||
ocspVerifyStatusCb cb, void* cbArg)
|
||||
{
|
||||
@@ -22217,6 +22220,7 @@ void wolfSSL_CTX_set_ocsp_status_verify_cb(WOLFSSL_CTX* ctx,
|
||||
}
|
||||
}
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || \
|
||||
defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)
|
||||
|
||||
+7
-4
@@ -716,7 +716,8 @@ void wolfSSL_CertManagerSetUnknownExtCallback(WOLFSSL_CERT_MANAGER* cm,
|
||||
}
|
||||
#endif /* WC_ASN_UNKNOWN_EXT_CB */
|
||||
|
||||
#if !defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)
|
||||
#if (!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)) || \
|
||||
defined(OPENSSL_EXTRA)
|
||||
/* Verify the certificate.
|
||||
*
|
||||
* Uses the verification callback if available.
|
||||
@@ -796,7 +797,8 @@ int CM_VerifyBuffer_ex(WOLFSSL_CERT_MANAGER* cm, const unsigned char* buff,
|
||||
|
||||
(void)fatal;
|
||||
|
||||
#ifndef NO_WOLFSSL_CM_VERIFY
|
||||
#if !defined(NO_WOLFSSL_CM_VERIFY) && \
|
||||
(!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH))
|
||||
/* Use callback to perform verification too if available. */
|
||||
if ((!fatal) && cm->verifyCallback) {
|
||||
WC_DECLARE_VAR(args, ProcPeerCertArgs, 1, 0);
|
||||
@@ -884,11 +886,12 @@ int wolfSSL_CertManagerVerifyBuffer(WOLFSSL_CERT_MANAGER* cm,
|
||||
|
||||
return ret;
|
||||
}
|
||||
#endif /* !NO_WOLFSSL_CLIENT || !WOLFSSL_NO_CLIENT_AUTH */
|
||||
#endif /* (!NO_WOLFSSL_CLIENT || !WOLFSSL_NO_CLIENT_AUTH) || OPENSSL_EXTRA */
|
||||
|
||||
#ifndef NO_FILESYSTEM
|
||||
|
||||
#if !defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)
|
||||
#if (!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)) || \
|
||||
defined(OPENSSL_EXTRA)
|
||||
/* Verify the certificate loaded from a file.
|
||||
*
|
||||
* Uses the verification callback if available.
|
||||
|
||||
@@ -770,11 +770,13 @@ static int ProcessBufferTryDecodeEd448(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
|
||||
WOLFSSL_MSG("ED448 private key too small");
|
||||
ret = ECC_KEY_SIZE_E;
|
||||
}
|
||||
#if !defined(WOLFSSL_NO_CLIENT_AUTH) && !defined(NO_ED448_CLIENT_AUTH)
|
||||
if (ssl != NULL) {
|
||||
/* Ed448 requires caching enabled for tracking message
|
||||
* hash used in EdDSA_Update for signing */
|
||||
ssl->options.cacheMessages = 1;
|
||||
}
|
||||
#endif
|
||||
}
|
||||
/* Not an Ed448 key but check whether we know what it is. */
|
||||
else if (*keyFormat == 0) {
|
||||
|
||||
@@ -1064,7 +1064,8 @@ static int Hmac_UpdateFinal_CT(Hmac* hmac, byte* digest, const byte* in,
|
||||
hashBlock[j] = b;
|
||||
}
|
||||
|
||||
ret = Hmac_HashUpdate(hmac, hashBlock, (word32)blockSz); /* cppcheck-suppress uninitvar */
|
||||
/* cppcheck-suppress uninitvar */
|
||||
ret = Hmac_HashUpdate(hmac, hashBlock, (word32)blockSz);
|
||||
if (ret != 0)
|
||||
return ret;
|
||||
ret = Hmac_HashFinalRaw(hmac, hashBlock);
|
||||
@@ -3477,8 +3478,7 @@ static int TLSX_CSR_Parse(WOLFSSL* ssl, const byte* input, word16 length,
|
||||
word16 size = 0;
|
||||
#endif
|
||||
|
||||
#if !defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER) \
|
||||
&& defined(WOLFSSL_TLS13)
|
||||
#if !defined(NO_WOLFSSL_CLIENT)
|
||||
OcspRequest* request;
|
||||
TLSX* extension;
|
||||
CertificateStatusRequest* csr;
|
||||
@@ -5331,6 +5331,7 @@ int TLSX_SupportedFFDHE_Set(WOLFSSL* ssl)
|
||||
return ret;
|
||||
}
|
||||
#endif /* HAVE_FFDHE && !WOLFSSL_NO_TLS12 */
|
||||
#endif /* !NO_WOLFSSL_SERVER */
|
||||
|
||||
/* Check if the given curve is present in the supported groups extension.
|
||||
*
|
||||
@@ -5357,8 +5358,6 @@ int TLSX_SupportedCurve_IsSupported(WOLFSSL* ssl, word16 name)
|
||||
return 0;
|
||||
}
|
||||
|
||||
#endif /* !NO_WOLFSSL_SERVER */
|
||||
|
||||
#if defined(WOLFSSL_TLS13) && !defined(WOLFSSL_NO_SERVER_GROUPS_EXT)
|
||||
/* Return the preferred group.
|
||||
*
|
||||
@@ -6525,6 +6524,7 @@ typedef struct TlsxSrtp {
|
||||
word16 ids; /* selected bits */
|
||||
} TlsxSrtp;
|
||||
|
||||
#ifndef NO_WOLFSSL_SERVER
|
||||
static int TLSX_UseSRTP_GetSize(TlsxSrtp *srtp)
|
||||
{
|
||||
/* SRTP Profile Len (2)
|
||||
@@ -6532,6 +6532,7 @@ static int TLSX_UseSRTP_GetSize(TlsxSrtp *srtp)
|
||||
* MKI (master key id) Length */
|
||||
return (OPAQUE16_LEN + (srtp->profileCount * OPAQUE16_LEN) + 1);
|
||||
}
|
||||
#endif
|
||||
|
||||
static TlsxSrtp* TLSX_UseSRTP_New(word16 ids, void* heap)
|
||||
{
|
||||
@@ -6562,6 +6563,7 @@ static void TLSX_UseSRTP_Free(TlsxSrtp *srtp, void* heap)
|
||||
(void)heap;
|
||||
}
|
||||
|
||||
#ifndef NO_WOLFSSL_SERVER
|
||||
static int TLSX_UseSRTP_Parse(WOLFSSL* ssl, const byte* input, word16 length,
|
||||
byte isRequest)
|
||||
{
|
||||
@@ -6569,10 +6571,8 @@ static int TLSX_UseSRTP_Parse(WOLFSSL* ssl, const byte* input, word16 length,
|
||||
word16 profile_len = 0;
|
||||
word16 profile_value = 0;
|
||||
word16 offset = 0;
|
||||
#ifndef NO_WOLFSSL_SERVER
|
||||
int i;
|
||||
TlsxSrtp* srtp = NULL;
|
||||
#endif
|
||||
|
||||
if (length < OPAQUE16_LEN) {
|
||||
return BUFFER_ERROR;
|
||||
@@ -6600,7 +6600,6 @@ static int TLSX_UseSRTP_Parse(WOLFSSL* ssl, const byte* input, word16 length,
|
||||
}
|
||||
#endif
|
||||
}
|
||||
#ifndef NO_WOLFSSL_SERVER
|
||||
else {
|
||||
/* parse remainder one profile at a time, looking for match in CTX */
|
||||
ret = 0;
|
||||
@@ -6643,7 +6642,6 @@ static int TLSX_UseSRTP_Parse(WOLFSSL* ssl, const byte* input, word16 length,
|
||||
ssl->dtlsSrtpId = 0;
|
||||
TLSX_UseSRTP_Free(srtp, ssl->heap);
|
||||
}
|
||||
#endif
|
||||
(void)profile_len;
|
||||
|
||||
return ret;
|
||||
@@ -6669,6 +6667,7 @@ static word16 TLSX_UseSRTP_Write(TlsxSrtp* srtp, byte* output)
|
||||
|
||||
return offset;
|
||||
}
|
||||
#endif
|
||||
|
||||
static int TLSX_UseSRTP(TLSX** extensions, word16 profiles, void* heap)
|
||||
{
|
||||
|
||||
+140
-131
@@ -3747,6 +3747,36 @@ static byte helloRetryRequestRandom[] = {
|
||||
};
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_ECH
|
||||
/* returns the index of the first supported cipher suite, -1 if none */
|
||||
int EchConfigGetSupportedCipherSuite(WOLFSSL_EchConfig* config)
|
||||
{
|
||||
int i, j, supported = 0;
|
||||
|
||||
for (i = 0; i < config->numCipherSuites; i++) {
|
||||
supported = 0;
|
||||
|
||||
for (j = 0; j < HPKE_SUPPORTED_KDF_LEN; j++) {
|
||||
if (config->cipherSuites[i].kdfId == hpkeSupportedKdf[j])
|
||||
break;
|
||||
}
|
||||
|
||||
if (j < HPKE_SUPPORTED_KDF_LEN)
|
||||
for (j = 0; j < HPKE_SUPPORTED_AEAD_LEN; j++) {
|
||||
if (config->cipherSuites[i].aeadId == hpkeSupportedAead[j]) {
|
||||
supported = 1;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if (supported)
|
||||
return i;
|
||||
}
|
||||
|
||||
return WOLFSSL_FATAL_ERROR;
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifndef NO_WOLFSSL_CLIENT
|
||||
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
|
||||
#if defined(OPENSSL_EXTRA) && !defined(WOLFSSL_PSK_ONE_ID) && \
|
||||
@@ -4166,34 +4196,6 @@ static int WritePSKBinders(WOLFSSL* ssl, byte* output, word32 idx)
|
||||
#endif
|
||||
|
||||
#if defined(HAVE_ECH)
|
||||
/* returns the index of the first supported cipher suite, -1 if none */
|
||||
int EchConfigGetSupportedCipherSuite(WOLFSSL_EchConfig* config)
|
||||
{
|
||||
int i, j, supported = 0;
|
||||
|
||||
for (i = 0; i < config->numCipherSuites; i++) {
|
||||
supported = 0;
|
||||
|
||||
for (j = 0; j < HPKE_SUPPORTED_KDF_LEN; j++) {
|
||||
if (config->cipherSuites[i].kdfId == hpkeSupportedKdf[j])
|
||||
break;
|
||||
}
|
||||
|
||||
if (j < HPKE_SUPPORTED_KDF_LEN)
|
||||
for (j = 0; j < HPKE_SUPPORTED_AEAD_LEN; j++) {
|
||||
if (config->cipherSuites[i].aeadId == hpkeSupportedAead[j]) {
|
||||
supported = 1;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if (supported)
|
||||
return i;
|
||||
}
|
||||
|
||||
return WOLFSSL_FATAL_ERROR;
|
||||
}
|
||||
|
||||
/* returns status after we hash the ech inner */
|
||||
static int EchHashHelloInner(WOLFSSL* ssl, WOLFSSL_ECH* ech)
|
||||
{
|
||||
@@ -4966,105 +4968,6 @@ static int EchCheckAcceptance(WOLFSSL* ssl, byte* label, word16 labelSz,
|
||||
ssl->hsHashes = tmpHashes;
|
||||
return ret;
|
||||
}
|
||||
|
||||
/* replace the last acceptance field for either sever hello or hrr with the ech
|
||||
* acceptance parameter, return status */
|
||||
static int EchWriteAcceptance(WOLFSSL* ssl, byte* label, word16 labelSz,
|
||||
byte* output, int acceptOffset, int helloSz, byte msgType)
|
||||
{
|
||||
int ret = 0;
|
||||
int digestType = 0;
|
||||
int digestSize = 0;
|
||||
HS_Hashes* tmpHashes = NULL;
|
||||
byte zeros[WC_MAX_DIGEST_SIZE];
|
||||
byte transcriptEchConf[WC_MAX_DIGEST_SIZE];
|
||||
byte expandLabelPrk[WC_MAX_DIGEST_SIZE];
|
||||
XMEMSET(zeros, 0, sizeof(zeros));
|
||||
XMEMSET(transcriptEchConf, 0, sizeof(transcriptEchConf));
|
||||
XMEMSET(expandLabelPrk, 0, sizeof(expandLabelPrk));
|
||||
/* store so we can restore regardless of the outcome */
|
||||
tmpHashes = ssl->hsHashes;
|
||||
ssl->hsHashes = ssl->hsHashesEch;
|
||||
/* hash up to the acceptOffset */
|
||||
ret = HashRaw(ssl, output, acceptOffset);
|
||||
/* hash 8 zeros */
|
||||
if (ret == 0)
|
||||
ret = HashRaw(ssl, zeros, ECH_ACCEPT_CONFIRMATION_SZ);
|
||||
/* hash the rest of the hello */
|
||||
if (ret == 0) {
|
||||
ret = HashRaw(ssl, output + acceptOffset + ECH_ACCEPT_CONFIRMATION_SZ,
|
||||
helloSz - (acceptOffset + ECH_ACCEPT_CONFIRMATION_SZ));
|
||||
}
|
||||
/* get the modified transcript hash */
|
||||
if (ret == 0)
|
||||
ret = GetMsgHash(ssl, transcriptEchConf);
|
||||
if (ret > 0)
|
||||
ret = 0;
|
||||
/* pick the right type and size based on mac_algorithm */
|
||||
if (ret == 0) {
|
||||
switch (ssl->specs.mac_algorithm) {
|
||||
#ifndef NO_SHA256
|
||||
case sha256_mac:
|
||||
digestType = WC_SHA256;
|
||||
digestSize = WC_SHA256_DIGEST_SIZE;
|
||||
break;
|
||||
#endif /* !NO_SHA256 */
|
||||
#ifdef WOLFSSL_SHA384
|
||||
case sha384_mac:
|
||||
digestType = WC_SHA384;
|
||||
digestSize = WC_SHA384_DIGEST_SIZE;
|
||||
break;
|
||||
#endif /* WOLFSSL_SHA384 */
|
||||
#ifdef WOLFSSL_TLS13_SHA512
|
||||
case sha512_mac:
|
||||
digestType = WC_SHA512;
|
||||
digestSize = WC_SHA512_DIGEST_SIZE;
|
||||
break;
|
||||
#endif /* WOLFSSL_TLS13_SHA512 */
|
||||
#ifdef WOLFSSL_SM3
|
||||
case sm3_mac:
|
||||
digestType = WC_SM3;
|
||||
digestSize = WC_SM3_DIGEST_SIZE;
|
||||
break;
|
||||
#endif /* WOLFSSL_SM3 */
|
||||
default:
|
||||
ret = WOLFSSL_FATAL_ERROR;
|
||||
break;
|
||||
}
|
||||
}
|
||||
/* extract clientRandom with a key of all zeros */
|
||||
if (ret == 0) {
|
||||
PRIVATE_KEY_UNLOCK();
|
||||
#if !defined(HAVE_FIPS) || \
|
||||
(defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(6,0))
|
||||
ret = wc_HKDF_Extract_ex(digestType, zeros, (word32)digestSize,
|
||||
ssl->arrays->clientRandom, RAN_LEN, expandLabelPrk,
|
||||
ssl->heap, ssl->devId);
|
||||
#else
|
||||
ret = wc_HKDF_Extract(digestType, zeros, digestSize,
|
||||
ssl->arrays->clientRandom, RAN_LEN, expandLabelPrk);
|
||||
#endif
|
||||
PRIVATE_KEY_LOCK();
|
||||
}
|
||||
/* tls expand with the confirmation label */
|
||||
if (ret == 0) {
|
||||
PRIVATE_KEY_UNLOCK();
|
||||
ret = Tls13HKDFExpandKeyLabel(ssl, output + acceptOffset,
|
||||
ECH_ACCEPT_CONFIRMATION_SZ, expandLabelPrk, (word32)digestSize,
|
||||
tls13ProtocolLabel, TLS13_PROTOCOL_LABEL_SZ, label, labelSz,
|
||||
transcriptEchConf, (word32)digestSize, digestType,
|
||||
WOLFSSL_SERVER_END);
|
||||
PRIVATE_KEY_LOCK();
|
||||
}
|
||||
/* mark that ech was accepted */
|
||||
if (ret == 0 && msgType != hello_retry_request)
|
||||
ssl->options.echAccepted = 1;
|
||||
/* free hsHashesEch, if this is an HRR we will start at client hello 2*/
|
||||
FreeHandshakeHashes(ssl);
|
||||
ssl->hsHashesEch = NULL;
|
||||
ssl->hsHashes = tmpHashes;
|
||||
return ret;
|
||||
}
|
||||
#endif
|
||||
|
||||
/* handle processing of TLS 1.3 server_hello (2) and hello_retry_request (6) */
|
||||
@@ -7374,6 +7277,107 @@ exit_dch:
|
||||
return ret;
|
||||
}
|
||||
|
||||
#ifdef HAVE_ECH
|
||||
/* replace the last acceptance field for either sever hello or hrr with the ech
|
||||
* acceptance parameter, return status */
|
||||
static int EchWriteAcceptance(WOLFSSL* ssl, byte* label, word16 labelSz,
|
||||
byte* output, int acceptOffset, int helloSz, byte msgType)
|
||||
{
|
||||
int ret = 0;
|
||||
int digestType = 0;
|
||||
int digestSize = 0;
|
||||
HS_Hashes* tmpHashes = NULL;
|
||||
byte zeros[WC_MAX_DIGEST_SIZE];
|
||||
byte transcriptEchConf[WC_MAX_DIGEST_SIZE];
|
||||
byte expandLabelPrk[WC_MAX_DIGEST_SIZE];
|
||||
XMEMSET(zeros, 0, sizeof(zeros));
|
||||
XMEMSET(transcriptEchConf, 0, sizeof(transcriptEchConf));
|
||||
XMEMSET(expandLabelPrk, 0, sizeof(expandLabelPrk));
|
||||
/* store so we can restore regardless of the outcome */
|
||||
tmpHashes = ssl->hsHashes;
|
||||
ssl->hsHashes = ssl->hsHashesEch;
|
||||
/* hash up to the acceptOffset */
|
||||
ret = HashRaw(ssl, output, acceptOffset);
|
||||
/* hash 8 zeros */
|
||||
if (ret == 0)
|
||||
ret = HashRaw(ssl, zeros, ECH_ACCEPT_CONFIRMATION_SZ);
|
||||
/* hash the rest of the hello */
|
||||
if (ret == 0) {
|
||||
ret = HashRaw(ssl, output + acceptOffset + ECH_ACCEPT_CONFIRMATION_SZ,
|
||||
helloSz - (acceptOffset + ECH_ACCEPT_CONFIRMATION_SZ));
|
||||
}
|
||||
/* get the modified transcript hash */
|
||||
if (ret == 0)
|
||||
ret = GetMsgHash(ssl, transcriptEchConf);
|
||||
if (ret > 0)
|
||||
ret = 0;
|
||||
/* pick the right type and size based on mac_algorithm */
|
||||
if (ret == 0) {
|
||||
switch (ssl->specs.mac_algorithm) {
|
||||
#ifndef NO_SHA256
|
||||
case sha256_mac:
|
||||
digestType = WC_SHA256;
|
||||
digestSize = WC_SHA256_DIGEST_SIZE;
|
||||
break;
|
||||
#endif /* !NO_SHA256 */
|
||||
#ifdef WOLFSSL_SHA384
|
||||
case sha384_mac:
|
||||
digestType = WC_SHA384;
|
||||
digestSize = WC_SHA384_DIGEST_SIZE;
|
||||
break;
|
||||
#endif /* WOLFSSL_SHA384 */
|
||||
#ifdef WOLFSSL_TLS13_SHA512
|
||||
case sha512_mac:
|
||||
digestType = WC_SHA512;
|
||||
digestSize = WC_SHA512_DIGEST_SIZE;
|
||||
break;
|
||||
#endif /* WOLFSSL_TLS13_SHA512 */
|
||||
#ifdef WOLFSSL_SM3
|
||||
case sm3_mac:
|
||||
digestType = WC_SM3;
|
||||
digestSize = WC_SM3_DIGEST_SIZE;
|
||||
break;
|
||||
#endif /* WOLFSSL_SM3 */
|
||||
default:
|
||||
ret = WOLFSSL_FATAL_ERROR;
|
||||
break;
|
||||
}
|
||||
}
|
||||
/* extract clientRandom with a key of all zeros */
|
||||
if (ret == 0) {
|
||||
PRIVATE_KEY_UNLOCK();
|
||||
#if !defined(HAVE_FIPS) || \
|
||||
(defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(6,0))
|
||||
ret = wc_HKDF_Extract_ex(digestType, zeros, (word32)digestSize,
|
||||
ssl->arrays->clientRandom, RAN_LEN, expandLabelPrk,
|
||||
ssl->heap, ssl->devId);
|
||||
#else
|
||||
ret = wc_HKDF_Extract(digestType, zeros, digestSize,
|
||||
ssl->arrays->clientRandom, RAN_LEN, expandLabelPrk);
|
||||
#endif
|
||||
PRIVATE_KEY_LOCK();
|
||||
}
|
||||
/* tls expand with the confirmation label */
|
||||
if (ret == 0) {
|
||||
PRIVATE_KEY_UNLOCK();
|
||||
ret = Tls13HKDFExpandKeyLabel(ssl, output + acceptOffset,
|
||||
ECH_ACCEPT_CONFIRMATION_SZ, expandLabelPrk, (word32)digestSize,
|
||||
tls13ProtocolLabel, TLS13_PROTOCOL_LABEL_SZ, label, labelSz,
|
||||
transcriptEchConf, (word32)digestSize, digestType,
|
||||
WOLFSSL_SERVER_END);
|
||||
PRIVATE_KEY_LOCK();
|
||||
}
|
||||
/* mark that ech was accepted */
|
||||
if (ret == 0 && msgType != hello_retry_request)
|
||||
ssl->options.echAccepted = 1;
|
||||
/* free hsHashesEch, if this is an HRR we will start at client hello 2*/
|
||||
FreeHandshakeHashes(ssl);
|
||||
ssl->hsHashesEch = NULL;
|
||||
ssl->hsHashes = tmpHashes;
|
||||
return ret;
|
||||
}
|
||||
#endif
|
||||
|
||||
/* Send TLS v1.3 ServerHello message to client.
|
||||
* Only a server will send this message.
|
||||
*
|
||||
@@ -7884,15 +7888,17 @@ static int SendTls13CertificateRequest(WOLFSSL* ssl, byte* reqCtx,
|
||||
#endif /* NO_WOLFSSL_SERVER */
|
||||
|
||||
#ifndef NO_CERTS
|
||||
#if !defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \
|
||||
defined(HAVE_ED448) || defined(HAVE_FALCON) || defined(HAVE_DILITHIUM)
|
||||
#if (!defined(NO_WOLFSSL_SERVER) || !defined(WOLFSSL_NO_CLIENT_AUTH)) && \
|
||||
(!defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \
|
||||
defined(HAVE_ED448) || defined(HAVE_FALCON) || defined(HAVE_DILITHIUM))
|
||||
/* Encode the signature algorithm into buffer.
|
||||
*
|
||||
* hashalgo The hash algorithm.
|
||||
* hsType The signature type.
|
||||
* output The buffer to encode into.
|
||||
*/
|
||||
static WC_INLINE void EncodeSigAlg(const WOLFSSL * ssl, byte hashAlgo, byte hsType, byte* output)
|
||||
static WC_INLINE void EncodeSigAlg(const WOLFSSL * ssl, byte hashAlgo,
|
||||
byte hsType, byte* output)
|
||||
{
|
||||
(void)ssl;
|
||||
switch (hsType) {
|
||||
@@ -7987,7 +7993,10 @@ static WC_INLINE void EncodeSigAlg(const WOLFSSL * ssl, byte hashAlgo, byte hsTy
|
||||
break;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
#if !defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \
|
||||
defined(HAVE_ED448) || defined(HAVE_FALCON) || defined(HAVE_DILITHIUM)
|
||||
#ifdef WOLFSSL_DUAL_ALG_CERTS
|
||||
/* These match up with what the OQS team has defined. */
|
||||
#define HYBRID_SA_MAJOR 0xFE
|
||||
@@ -12766,7 +12775,7 @@ int DoTls13HandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
||||
int ret = 0, tmp;
|
||||
word32 inIdx = *inOutIdx;
|
||||
int alertType;
|
||||
#if defined(HAVE_ECH)
|
||||
#if defined(HAVE_ECH) && !defined(NO_WOLFSSL_SERVER)
|
||||
TLSX* echX = NULL;
|
||||
word32 echInOutIdx;
|
||||
#endif
|
||||
|
||||
+22
-15
@@ -7043,7 +7043,7 @@ static void test_wolfSSL_CTX_add_session_on_result(WOLFSSL* ssl)
|
||||
AssertIntEQ(wolfSSL_CTX_up_ref(wolfSSL_get_SSL_CTX(ssl)),
|
||||
WOLFSSL_SUCCESS);
|
||||
}
|
||||
#ifdef SESSION_CERTS
|
||||
#if defined(SESSION_CERTS) && !defined(WOLFSSL_NO_CLIENT_AUTH)
|
||||
#ifndef WOLFSSL_TICKET_HAVE_ID
|
||||
if (wolfSSL_version(ssl) != TLS1_3_VERSION &&
|
||||
wolfSSL_session_reused(ssl))
|
||||
@@ -7063,7 +7063,7 @@ static void test_wolfSSL_CTX_add_session_on_result(WOLFSSL* ssl)
|
||||
AssertNotNull(SSL_SESSION_get0_peer(*sess));
|
||||
#endif
|
||||
}
|
||||
#endif /* SESSION_CERTS */
|
||||
#endif /* SESSION_CERTS && !WOLFSSL_NO_CLIENT_AUTH */
|
||||
}
|
||||
|
||||
static void test_wolfSSL_CTX_add_session_ssl_ready(WOLFSSL* ssl)
|
||||
@@ -7446,7 +7446,7 @@ static int twcase_server_sess_ctx_pre_shutdown(WOLFSSL* ssl)
|
||||
ExpectIntEQ(wolfSSL_CTX_up_ref(wolfSSL_get_SSL_CTX(ssl)),
|
||||
WOLFSSL_SUCCESS);
|
||||
}
|
||||
#ifdef SESSION_CERTS
|
||||
#if defined(SESSION_CERTS) && !defined(WOLFSSL_NO_CLIENT_AUTH)
|
||||
#ifndef WOLFSSL_TICKET_HAVE_ID
|
||||
if (wolfSSL_version(ssl) != TLS1_3_VERSION &&
|
||||
wolfSSL_session_reused(ssl))
|
||||
@@ -7481,7 +7481,7 @@ static int twcase_client_sess_ctx_pre_shutdown(WOLFSSL* ssl)
|
||||
ExpectIntEQ(wolfSSL_session_reused(ssl), 1);
|
||||
}
|
||||
|
||||
#ifdef SESSION_CERTS
|
||||
#if defined(SESSION_CERTS) && !defined(WOLFSSL_NO_CLIENT_AUTH)
|
||||
#ifndef WOLFSSL_TICKET_HAVE_ID
|
||||
if (wolfSSL_version(ssl) != TLS1_3_VERSION &&
|
||||
wolfSSL_session_reused(ssl))
|
||||
@@ -9222,10 +9222,9 @@ static int test_wolfSSL_UseMaxFragment(void)
|
||||
{
|
||||
EXPECT_DECLS;
|
||||
#if defined(HAVE_MAX_FRAGMENT) && !defined(NO_CERTS) && \
|
||||
!defined(NO_FILESYSTEM) && !defined(NO_RSA)
|
||||
!defined(NO_FILESYSTEM) && !defined(NO_RSA) && !defined(NO_WOLFSSL_CLIENT)
|
||||
|
||||
#if !defined(NO_TLS) && \
|
||||
(!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER))
|
||||
#if !defined(NO_TLS)
|
||||
#ifndef NO_WOLFSSL_SERVER
|
||||
WOLFSSL_CTX* ctx = wolfSSL_CTX_new(wolfSSLv23_server_method());
|
||||
#else
|
||||
@@ -9352,6 +9351,7 @@ static int test_wolfSSL_UseTruncatedHMAC(void)
|
||||
|
||||
ExpectNotNull(ssl = wolfSSL_new(ctx));
|
||||
|
||||
#ifndef NO_WOLFSSL_CLIENT
|
||||
/* error cases */
|
||||
ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_UseTruncatedHMAC(NULL));
|
||||
ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_UseTruncatedHMAC(NULL));
|
||||
@@ -9359,6 +9359,7 @@ static int test_wolfSSL_UseTruncatedHMAC(void)
|
||||
/* success case */
|
||||
ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_UseTruncatedHMAC(ctx));
|
||||
ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_UseTruncatedHMAC(ssl));
|
||||
#endif
|
||||
|
||||
wolfSSL_free(ssl);
|
||||
wolfSSL_CTX_free(ctx);
|
||||
@@ -11019,7 +11020,8 @@ static int test_wolfSSL_mcast(void)
|
||||
{
|
||||
EXPECT_DECLS;
|
||||
#if defined(WOLFSSL_DTLS) && defined(WOLFSSL_MULTICAST) && \
|
||||
(defined(WOLFSSL_TLS13) || defined(WOLFSSL_SNIFFER))
|
||||
(defined(WOLFSSL_TLS13) || defined(WOLFSSL_SNIFFER)) && \
|
||||
!defined(NO_WOLFSSL_CLIENT)
|
||||
WOLFSSL_CTX* ctx = NULL;
|
||||
WOLFSSL* ssl = NULL;
|
||||
byte preMasterSecret[512];
|
||||
@@ -17737,7 +17739,8 @@ static int test_wolfSSL_verify_mode(void)
|
||||
EXPECT_DECLS;
|
||||
#if !defined(NO_RSA) && !defined(NO_TLS) && (defined(OPENSSL_ALL) || \
|
||||
defined(HAVE_STUNNEL) || defined(WOLFSSL_MYSQL_COMPATIBLE) || \
|
||||
defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY))
|
||||
defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)) && \
|
||||
!defined(NO_WOLFSSL_CLIENT)
|
||||
WOLFSSL* ssl = NULL;
|
||||
WOLFSSL_CTX* ctx = NULL;
|
||||
|
||||
@@ -18014,7 +18017,7 @@ static int test_wolfSSL_OPENSSL_hexstr2buf(void)
|
||||
static int test_wolfSSL_sk_CIPHER_description(void)
|
||||
{
|
||||
EXPECT_DECLS;
|
||||
#if !defined(NO_RSA) && !defined(NO_TLS)
|
||||
#if !defined(NO_RSA) && !defined(NO_TLS) && !defined(NO_WOLFSSL_CLIENT)
|
||||
const long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION;
|
||||
int i;
|
||||
int numCiphers = 0;
|
||||
@@ -18076,7 +18079,7 @@ static int test_wolfSSL_sk_CIPHER_description(void)
|
||||
static int test_wolfSSL_get_ciphers_compat(void)
|
||||
{
|
||||
EXPECT_DECLS;
|
||||
#if !defined(NO_RSA) && !defined(NO_TLS)
|
||||
#if !defined(NO_RSA) && !defined(NO_TLS) && !defined(NO_WOLFSSL_CLIENT)
|
||||
const SSL_METHOD *method = NULL;
|
||||
const char certPath[] = "./certs/client-cert.pem";
|
||||
STACK_OF(SSL_CIPHER) *supportedCiphers = NULL;
|
||||
@@ -27909,7 +27912,7 @@ static int test_override_alt_cert_chain(void)
|
||||
static int test_rpk_set_xxx_cert_type(void)
|
||||
{
|
||||
EXPECT_DECLS;
|
||||
#if defined(HAVE_RPK) && !defined(NO_TLS)
|
||||
#if defined(HAVE_RPK) && !defined(NO_TLS) && !defined(NO_WOLFSSL_CLIENT)
|
||||
|
||||
char ctype[MAX_CLIENT_CERT_TYPE_CNT + 1]; /* prepare bigger buffer */
|
||||
WOLFSSL_CTX* ctx = NULL;
|
||||
@@ -30285,6 +30288,7 @@ static int test_dtls13_missing_finished_server(void)
|
||||
}
|
||||
|
||||
|
||||
#if !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER)
|
||||
#ifdef HAVE_CERTIFICATE_STATUS_REQUEST
|
||||
static int test_self_signed_stapling_client_v1_ctx_ready(WOLFSSL_CTX* ctx)
|
||||
{
|
||||
@@ -30325,12 +30329,14 @@ static int test_self_signed_stapling_server_ctx_ready(WOLFSSL_CTX* ctx)
|
||||
return EXPECT_RESULT();
|
||||
}
|
||||
#endif
|
||||
#endif
|
||||
|
||||
static int test_self_signed_stapling(void)
|
||||
{
|
||||
EXPECT_DECLS;
|
||||
#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
|
||||
|| defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
|
||||
#if (defined(HAVE_CERTIFICATE_STATUS_REQUEST) || \
|
||||
defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)) && \
|
||||
!defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER)
|
||||
test_ssl_cbf client_cbf;
|
||||
test_ssl_cbf server_cbf;
|
||||
size_t i;
|
||||
@@ -32009,7 +32015,8 @@ TEST_CASE testCases[] = {
|
||||
|
||||
#if defined(WOLFSSL_TICKET_NONCE_MALLOC) && defined(HAVE_SESSION_TICKET) \
|
||||
&& defined(WOLFSSL_TLS13) && \
|
||||
(!defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3)))
|
||||
(!defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3)))\
|
||||
&& defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES)
|
||||
TEST_DECL(test_ticket_nonce_malloc),
|
||||
#endif
|
||||
TEST_DECL(test_ticket_ret_create),
|
||||
|
||||
@@ -497,20 +497,29 @@ int test_wolfSSL_CertManagerLoadCABufferType(void)
|
||||
(sword32)ca_cert_sz, CERT_FILETYPE, 0,
|
||||
WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_USER_CA),
|
||||
WOLFSSL_SUCCESS);
|
||||
#if (!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)) || \
|
||||
defined(OPENSSL_EXTRA)
|
||||
ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int1_cert_buf,
|
||||
int1_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
|
||||
#endif
|
||||
ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, int1_cert_buf,
|
||||
(sword32)int1_cert_sz, CERT_FILETYPE, 0,
|
||||
WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_USER_INTER),
|
||||
WOLFSSL_SUCCESS);
|
||||
#if (!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)) || \
|
||||
defined(OPENSSL_EXTRA)
|
||||
ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf,
|
||||
int2_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
|
||||
#endif
|
||||
ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, int2_cert_buf,
|
||||
(sword32)int2_cert_sz, CERT_FILETYPE, 0,
|
||||
WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_USER_INTER),
|
||||
WOLFSSL_SUCCESS);
|
||||
#if (!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)) || \
|
||||
defined(OPENSSL_EXTRA)
|
||||
ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf,
|
||||
client_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
|
||||
#endif
|
||||
ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, client_cert_buf,
|
||||
(sword32)client_cert_sz, CERT_FILETYPE, 0,
|
||||
WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_USER_INTER),
|
||||
@@ -521,25 +530,34 @@ int test_wolfSSL_CertManagerLoadCABufferType(void)
|
||||
|
||||
/* Intermediate certs have been unloaded, but CA cert is still
|
||||
loaded. Expect first level intermediate to verify, rest to fail. */
|
||||
#if (!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)) || \
|
||||
defined(OPENSSL_EXTRA)
|
||||
ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int1_cert_buf,
|
||||
int1_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
|
||||
ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf,
|
||||
int2_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
|
||||
ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf,
|
||||
client_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
|
||||
#endif
|
||||
|
||||
ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, int1_cert_buf,
|
||||
(sword32)int1_cert_sz, CERT_FILETYPE, 0,
|
||||
WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_TEMP_CA),
|
||||
WOLFSSL_SUCCESS);
|
||||
#if (!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)) || \
|
||||
defined(OPENSSL_EXTRA)
|
||||
ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf,
|
||||
int2_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
|
||||
#endif
|
||||
ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, int2_cert_buf,
|
||||
(sword32)int2_cert_sz, CERT_FILETYPE, 0,
|
||||
WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_CHAIN_CA),
|
||||
WOLFSSL_SUCCESS);
|
||||
#if (!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)) || \
|
||||
defined(OPENSSL_EXTRA)
|
||||
ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf,
|
||||
client_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
|
||||
#endif
|
||||
ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, client_cert_buf,
|
||||
(sword32)client_cert_sz, CERT_FILETYPE, 0,
|
||||
WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_USER_INTER),
|
||||
@@ -547,39 +565,51 @@ int test_wolfSSL_CertManagerLoadCABufferType(void)
|
||||
|
||||
ExpectIntEQ(wolfSSL_CertManagerUnloadTypeCerts(cm, WOLFSSL_USER_INTER),
|
||||
WOLFSSL_SUCCESS);
|
||||
#if (!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)) || \
|
||||
defined(OPENSSL_EXTRA)
|
||||
ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int1_cert_buf,
|
||||
int1_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
|
||||
ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf,
|
||||
int2_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
|
||||
ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf,
|
||||
client_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
|
||||
#endif
|
||||
|
||||
ExpectIntEQ(wolfSSL_CertManagerUnloadTypeCerts(cm, WOLFSSL_CHAIN_CA),
|
||||
WOLFSSL_SUCCESS);
|
||||
#if (!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)) || \
|
||||
defined(OPENSSL_EXTRA)
|
||||
ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int1_cert_buf,
|
||||
int1_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
|
||||
ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf,
|
||||
int2_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
|
||||
ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf,
|
||||
client_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
|
||||
#endif
|
||||
|
||||
ExpectIntEQ(wolfSSL_CertManagerUnloadTypeCerts(cm, WOLFSSL_TEMP_CA),
|
||||
WOLFSSL_SUCCESS);
|
||||
#if (!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)) || \
|
||||
defined(OPENSSL_EXTRA)
|
||||
ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int1_cert_buf,
|
||||
int1_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
|
||||
ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf,
|
||||
int2_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
|
||||
ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf,
|
||||
client_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
|
||||
#endif
|
||||
|
||||
ExpectIntEQ(wolfSSL_CertManagerUnloadTypeCerts(cm, WOLFSSL_USER_CA),
|
||||
WOLFSSL_SUCCESS);
|
||||
#if (!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)) || \
|
||||
defined(OPENSSL_EXTRA)
|
||||
ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, int1_cert_buf,
|
||||
int1_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
|
||||
ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf,
|
||||
int2_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
|
||||
ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf,
|
||||
client_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
|
||||
#endif
|
||||
|
||||
if (cm)
|
||||
wolfSSL_CertManagerFree(cm);
|
||||
|
||||
@@ -346,7 +346,7 @@ int test_tls_certreq_order(void)
|
||||
}
|
||||
|
||||
#if !defined(WOLFSSL_NO_TLS12) && !defined(NO_RSA) && defined(HAVE_ECC) && \
|
||||
!defined(NO_WOLFSSL_SERVER)
|
||||
!defined(NO_WOLFSSL_SERVER) && !defined(WOLFSSL_NO_CLIENT_AUTH)
|
||||
/* Called when writing. */
|
||||
static int CsSend(WOLFSSL* ssl, char* buf, int sz, void* ctx)
|
||||
{
|
||||
@@ -382,7 +382,7 @@ int test_tls12_bad_cv_sig_alg(void)
|
||||
{
|
||||
EXPECT_DECLS;
|
||||
#if !defined(WOLFSSL_NO_TLS12) && !defined(NO_RSA) && defined(HAVE_ECC) && \
|
||||
!defined(NO_WOLFSSL_SERVER)
|
||||
!defined(NO_WOLFSSL_SERVER) && !defined(WOLFSSL_NO_CLIENT_AUTH)
|
||||
byte clientMsgs[] = {
|
||||
/* Client Hello */
|
||||
0x16, 0x03, 0x03, 0x00, 0xe7,
|
||||
|
||||
+15
-6
@@ -1118,7 +1118,8 @@ int test_tls13_bad_psk_binder(void)
|
||||
}
|
||||
|
||||
|
||||
#if defined(HAVE_RPK) && !defined(NO_TLS)
|
||||
#if defined(HAVE_RPK) && !defined(NO_TLS) && !defined(NO_WOLFSSL_CLIENT) && \
|
||||
!defined(NO_WOLFSSL_SERVER)
|
||||
|
||||
#define svrRpkCertFile "./certs/rpk/server-cert-rpk.der"
|
||||
#define clntRpkCertFile "./certs/rpk/client-cert-rpk.der"
|
||||
@@ -1225,13 +1226,15 @@ static WC_INLINE int test_rpk_memio_setup(
|
||||
|
||||
return 0;
|
||||
}
|
||||
#endif /* HAVE_RPK && !NO_TLS */
|
||||
#endif /* HAVE_RPK && !NO_TLS && !NO_WOLFSSL_CLIENT && !NO_WOLFSSL_SERVER */
|
||||
|
||||
|
||||
int test_tls13_rpk_handshake(void)
|
||||
{
|
||||
EXPECT_DECLS;
|
||||
#if defined(HAVE_RPK) && (!defined(WOLFSSL_NO_TLS12) || defined(WOLFSSL_TLS13))
|
||||
#if defined(HAVE_RPK) && \
|
||||
(!defined(WOLFSSL_NO_TLS12) || defined(WOLFSSL_TLS13)) && \
|
||||
!defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER)
|
||||
#ifdef WOLFSSL_TLS13
|
||||
int ret = 0;
|
||||
#endif
|
||||
@@ -2081,9 +2084,15 @@ static int test_tls13_mock_wantwrite_cb(WOLFSSL* ssl, char* data, int sz,
|
||||
void* ctx)
|
||||
{
|
||||
struct test_tls13_wwrite_ctx *wwctx = (struct test_tls13_wwrite_ctx *)ctx;
|
||||
wwctx->want_write = !wwctx->want_write;
|
||||
if (wwctx->want_write) {
|
||||
return WOLFSSL_CBIO_ERR_WANT_WRITE;
|
||||
#ifdef WOLFSSL_TLS13_MIDDLEBOX_COMPAT
|
||||
/* Write ChangeCipherSpec message. */
|
||||
if (data[0] != 0x14)
|
||||
#endif
|
||||
{
|
||||
wwctx->want_write = !wwctx->want_write;
|
||||
if (wwctx->want_write) {
|
||||
return WOLFSSL_CBIO_ERR_WANT_WRITE;
|
||||
}
|
||||
}
|
||||
return test_memio_write_cb(ssl, data, sz, wwctx->test_ctx);
|
||||
}
|
||||
|
||||
+50
-14
@@ -64,6 +64,7 @@ static int dummy_set_encryption_secrets(WOLFSSL *ssl,
|
||||
return 1;
|
||||
}
|
||||
|
||||
#if !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER)
|
||||
static int dummy_set_encryption_secrets_fail(WOLFSSL *ssl,
|
||||
WOLFSSL_ENCRYPTION_LEVEL level,
|
||||
const uint8_t *read_secret,
|
||||
@@ -76,6 +77,7 @@ static int dummy_set_encryption_secrets_fail(WOLFSSL *ssl,
|
||||
write_secret? "yes" : "no");
|
||||
return 0;
|
||||
}
|
||||
#endif
|
||||
|
||||
static int dummy_add_handshake_data(WOLFSSL *ssl,
|
||||
WOLFSSL_ENCRYPTION_LEVEL level,
|
||||
@@ -115,20 +117,32 @@ static WOLFSSL_QUIC_METHOD null_method = {
|
||||
|
||||
static ctx_setups valids[] = {
|
||||
#ifdef WOLFSSL_TLS13
|
||||
#ifndef NO_WOLFSSL_SERVER
|
||||
{ "TLSv1.3 server", wolfTLSv1_3_server_method, 1},
|
||||
#endif
|
||||
#ifndef NO_WOLFSSL_CLIENT
|
||||
{ "TLSv1.3 client", wolfTLSv1_3_client_method, 0},
|
||||
#endif
|
||||
#endif
|
||||
{ NULL, NULL, 0}
|
||||
};
|
||||
|
||||
static ctx_setups invalids[] = {
|
||||
#ifndef WOLFSSL_NO_TLS12
|
||||
#ifndef NO_WOLFSSL_SERVER
|
||||
{ "TLSv1.2 server", wolfTLSv1_2_server_method, 1},
|
||||
#endif
|
||||
#ifndef NO_WOLFSSL_CLIENT
|
||||
{ "TLSv1.2 client", wolfTLSv1_2_client_method, 0},
|
||||
#endif
|
||||
#endif
|
||||
#ifndef NO_OLD_TLS
|
||||
#ifndef NO_WOLFSSL_SERVER
|
||||
{ "TLSv1.1 server", wolfTLSv1_1_server_method, 1},
|
||||
#endif
|
||||
#ifndef NO_WOLFSSL_CLIENT
|
||||
{ "TLSv1.1 client", wolfTLSv1_1_client_method, 0},
|
||||
#endif
|
||||
#endif
|
||||
{ NULL, NULL, 0}
|
||||
};
|
||||
@@ -244,20 +258,7 @@ static int test_set_quic_method(void) {
|
||||
return EXPECT_RESULT();
|
||||
}
|
||||
|
||||
static size_t fake_record(byte rtype, word32 rlen, uint8_t *rec)
|
||||
{
|
||||
rec[0] = (uint8_t)rtype;
|
||||
c32to24(rlen, rec+1);
|
||||
return rlen + 4;
|
||||
}
|
||||
|
||||
static size_t shift_record(uint8_t *rec, size_t len, size_t written)
|
||||
{
|
||||
len -= written;
|
||||
XMEMMOVE(rec, rec+written, len);
|
||||
return len;
|
||||
}
|
||||
|
||||
#if !defined(NO_WOLFSSL_CLIENT)
|
||||
static void dump_buffer(const char *name, const byte *p, size_t len, int indent)
|
||||
{
|
||||
size_t i = 0;
|
||||
@@ -276,6 +277,22 @@ static void dump_buffer(const char *name, const byte *p, size_t len, int indent)
|
||||
}
|
||||
printf("\n%*s};\n", indent, " ");
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifndef NO_WOLFSSL_CLIENT
|
||||
static size_t fake_record(byte rtype, word32 rlen, uint8_t *rec)
|
||||
{
|
||||
rec[0] = (uint8_t)rtype;
|
||||
c32to24(rlen, rec+1);
|
||||
return rlen + 4;
|
||||
}
|
||||
|
||||
static size_t shift_record(uint8_t *rec, size_t len, size_t written)
|
||||
{
|
||||
len -= written;
|
||||
XMEMMOVE(rec, rec+written, len);
|
||||
return len;
|
||||
}
|
||||
|
||||
static void dump_ssl_buffers(WOLFSSL *ssl, FILE *fp)
|
||||
{
|
||||
@@ -505,12 +522,14 @@ static WOLFSSL_QUIC_METHOD ctx_method = {
|
||||
ctx_send_alert,
|
||||
};
|
||||
|
||||
#if !defined(NO_WOLFSSL_SERVER)
|
||||
static WOLFSSL_QUIC_METHOD ctx_method_fail = {
|
||||
dummy_set_encryption_secrets_fail,
|
||||
ctx_add_handshake_data,
|
||||
ctx_flush_flight,
|
||||
ctx_send_alert,
|
||||
};
|
||||
#endif
|
||||
|
||||
static void QuicTestContext_init(QuicTestContext *tctx, WOLFSSL_CTX *ctx,
|
||||
const char *name, int verbose)
|
||||
@@ -542,6 +561,7 @@ static void QuicTestContext_init(QuicTestContext *tctx, WOLFSSL_CTX *ctx,
|
||||
(void)ctx_method;
|
||||
}
|
||||
|
||||
#if !defined(NO_WOLFSSL_SERVER)
|
||||
static void QuicTestContext_init_fail_cb(QuicTestContext *tctx, WOLFSSL_CTX *ctx,
|
||||
const char *name, int verbose)
|
||||
{
|
||||
@@ -571,6 +591,7 @@ static void QuicTestContext_init_fail_cb(QuicTestContext *tctx, WOLFSSL_CTX *ctx
|
||||
}
|
||||
(void)ctx_method;
|
||||
}
|
||||
#endif
|
||||
|
||||
static void QuicTestContext_free(QuicTestContext *tctx)
|
||||
{
|
||||
@@ -703,6 +724,7 @@ static void check_handshake_record(const byte *data, size_t data_len,
|
||||
*prlen = rlen + HANDSHAKE_HEADER_SZ;
|
||||
}
|
||||
|
||||
#if !defined(NO_WOLFSSL_SERVER)
|
||||
static void ext_dump(const byte *data, size_t data_len, int indent)
|
||||
{
|
||||
size_t idx = 0;
|
||||
@@ -720,6 +742,7 @@ static void ext_dump(const byte *data, size_t data_len, int indent)
|
||||
idx += 2 + 2 + len16;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
static const byte *ext_find(const byte *data, size_t data_len, int ext_type)
|
||||
{
|
||||
@@ -742,6 +765,7 @@ static int ext_has(const byte *data, size_t data_len, int ext_type)
|
||||
return ext_find(data, data_len,ext_type) != NULL;
|
||||
}
|
||||
|
||||
#if !defined(NO_WOLFSSL_SERVER)
|
||||
static void ext_equals(const byte *data, size_t data_len, int ext_type,
|
||||
const byte *exp_data, size_t exp_len)
|
||||
{
|
||||
@@ -800,6 +824,7 @@ static void check_quic_client_hello(const byte *data, size_t data_len,
|
||||
dump_buffer("", data, data_len, indent);
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
static void check_quic_client_hello_tp(OutputBuffer *out, int tp_v1,
|
||||
int tp_draft)
|
||||
@@ -829,6 +854,7 @@ static void check_quic_client_hello_tp(OutputBuffer *out, int tp_v1,
|
||||
AssertTrue(!ext_has(exts, exts_len, TLSX_KEY_QUIC_TP_PARAMS_DRAFT) == !tp_draft);
|
||||
}
|
||||
|
||||
#if !defined(NO_WOLFSSL_SERVER)
|
||||
static void check_secrets(QuicTestContext *ctx, WOLFSSL_ENCRYPTION_LEVEL level,
|
||||
size_t rx_len, size_t tx_len)
|
||||
{
|
||||
@@ -1195,6 +1221,7 @@ static void QuicConversation_fail(QuicConversation *conv)
|
||||
}
|
||||
|
||||
#endif /* HAVE_SESSION_TICKET */
|
||||
#endif
|
||||
|
||||
static int test_quic_client_hello(int verbose) {
|
||||
EXPECT_DECLS;
|
||||
@@ -1252,7 +1279,9 @@ static int test_quic_client_hello(int verbose) {
|
||||
|
||||
return EXPECT_RESULT();
|
||||
}
|
||||
#endif /* !NO_WOLFSSL_CLIENT */
|
||||
|
||||
#if !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER)
|
||||
static int test_quic_server_hello(int verbose) {
|
||||
EXPECT_DECLS;
|
||||
WOLFSSL_CTX * ctx_c = NULL;
|
||||
@@ -1883,6 +1912,7 @@ static int test_quic_session_export(int verbose)
|
||||
return EXPECT_RESULT();
|
||||
}
|
||||
#endif /* WOLFSSL_SESSION_EXPORT */
|
||||
#endif /* !NO_WOLFSSL_CLIENT && !NO_WOLFSSL_SERVER */
|
||||
|
||||
#endif /* WOLFSSL_QUIC */
|
||||
|
||||
@@ -1891,7 +1921,9 @@ int QuicTest(void)
|
||||
{
|
||||
int ret = 0;
|
||||
#ifdef WOLFSSL_QUIC
|
||||
#ifndef NO_WOLFSSL_CLIENT
|
||||
int verbose = 0;
|
||||
#endif
|
||||
|
||||
if (wolfSSL_Init() != WOLFSSL_SUCCESS) {
|
||||
printf("wolfSSL_Init() failed in QuicTest().");
|
||||
@@ -1901,9 +1933,12 @@ int QuicTest(void)
|
||||
printf(" Begin QUIC Tests\n");
|
||||
|
||||
if ((ret = test_set_quic_method()) != TEST_SUCCESS) goto leave;
|
||||
#ifndef NO_WOLFSSL_CLIENT
|
||||
if ((ret = test_provide_quic_data()) != TEST_SUCCESS) goto leave;
|
||||
if ((ret = test_quic_crypt()) != TEST_SUCCESS) goto leave;
|
||||
if ((ret = test_quic_client_hello(verbose)) != TEST_SUCCESS) goto leave;
|
||||
#endif
|
||||
#if !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER)
|
||||
if ((ret = test_quic_server_hello(verbose)) != TEST_SUCCESS) goto leave;
|
||||
if ((ret = test_quic_server_hello_fail(verbose)) != TEST_SUCCESS) goto leave;
|
||||
#ifdef REALLY_HAVE_ALPN_AND_SNI
|
||||
@@ -1917,6 +1952,7 @@ int QuicTest(void)
|
||||
#endif /* WOLFSSL_EARLY_DATA */
|
||||
if ((ret = test_quic_session_export(verbose)) != TEST_SUCCESS) goto leave;
|
||||
#endif /* HAVE_SESSION_TICKET */
|
||||
#endif
|
||||
|
||||
leave:
|
||||
if (ret != TEST_SUCCESS) {
|
||||
|
||||
@@ -183,6 +183,7 @@
|
||||
-c ./certs/server-ecc.pem
|
||||
-k ./certs/ecc-key.pem
|
||||
-A ./certs/client-cert.pem
|
||||
-H verifyFail
|
||||
-H exitWithRet
|
||||
|
||||
# client
|
||||
|
||||
@@ -341,7 +341,6 @@ static int test_crl_monitor(void)
|
||||
for (i = 0; i < CRL_MONITOR_TEST_ROUNDS; i++) {
|
||||
int expectFail;
|
||||
if (i % 2 == 0) {
|
||||
|
||||
/* succeed on even rounds */
|
||||
(void)XSNPRINTF(buf, sizeof(buf), "%s/%s", tmpDir, "crl.pem");
|
||||
if (STAGE_FILE("certs/crl/crl.pem", buf) != 0) {
|
||||
@@ -384,7 +383,11 @@ static int test_crl_monitor(void)
|
||||
fprintf(stderr, "[%d] Failed to remove file %s\n", i, buf);
|
||||
goto cleanup;
|
||||
}
|
||||
#ifndef WOLFSSL_NO_CLIENT_AUTH
|
||||
expectFail = 1;
|
||||
#else
|
||||
expectFail = 0;
|
||||
#endif
|
||||
}
|
||||
/* Give server a moment to register the file change */
|
||||
XSLEEP_MS(100);
|
||||
|
||||
+1
-1
@@ -12347,7 +12347,7 @@ int wc_AesGcmDecryptFinal(Aes* aes, const byte* authTag, word32 authTagSz)
|
||||
{
|
||||
ALIGN32 byte calcTag[WC_AES_BLOCK_SIZE];
|
||||
/* Calculate authentication tag. */
|
||||
ret = AesGcmFinal_C(aes, calcTag, authTagSz);
|
||||
ret = AesGcmFinal_C(aes, calcTag, WC_AES_BLOCK_SIZE);
|
||||
if (ret == 0) {
|
||||
/* Check calculated tag matches the one passed in. */
|
||||
if (ConstantCompare(authTag, calcTag, (int)authTagSz) != 0) {
|
||||
|
||||
+1
-1
@@ -3403,8 +3403,8 @@ WOLFSSL_LOCAL int TLSX_ValidateSupportedCurves(const WOLFSSL* ssl, byte first,
|
||||
byte second, word32* ecdhCurveOID);
|
||||
WOLFSSL_LOCAL int TLSX_SupportedCurve_CheckPriority(WOLFSSL* ssl);
|
||||
WOLFSSL_LOCAL int TLSX_SupportedFFDHE_Set(WOLFSSL* ssl);
|
||||
WOLFSSL_LOCAL int TLSX_SupportedCurve_IsSupported(WOLFSSL* ssl, word16 name);
|
||||
#endif
|
||||
WOLFSSL_LOCAL int TLSX_SupportedCurve_IsSupported(WOLFSSL* ssl, word16 name);
|
||||
WOLFSSL_LOCAL int TLSX_SupportedCurve_Preferred(WOLFSSL* ssl,
|
||||
int checkSupported);
|
||||
WOLFSSL_LOCAL int TLSX_SupportedCurve_Parse(const WOLFSSL* ssl,
|
||||
|
||||
Reference in New Issue
Block a user