Merge pull request #9716 from SparkiDev/regression_fixes_22

Regression test fixes
This commit is contained in:
JacobBarthelmeh
2026-01-27 22:07:50 -07:00
committed by GitHub
27 changed files with 516 additions and 271 deletions
+10
View File
@@ -71,6 +71,16 @@ jobs:
'--enable-sessionexport --enable-dtls --enable-dtls13',
'--enable-sessionexport',
'--disable-examples CPPFLAGS=-DWOLFSSL_NO_MALLOC',
'CPPFLAGS=-DNO_WOLFSSL_CLIENT',
'CPPFLAGS=-DNO_WOLFSSL_SERVER',
'CPPFLAGS=-DWOLFSSL_NO_CLIENT_AUTH',
'CPPFLAGS=''-DNO_WOLFSSL_CLIENT -DWOLFSSL_NO_CLIENT_AUTH''',
'CPPFLAGS=''-DNO_WOLFSSL_SERVER -DWOLFSSL_NO_CLIENT_AUTH''',
'--enable-all CPPFLAGS=-DNO_WOLFSSL_CLIENT',
'--enable-all CPPFLAGS=-DNO_WOLFSSL_SERVER',
'--enable-all CPPFLAGS=-DWOLFSSL_NO_CLIENT_AUTH',
'--enable-all CPPFLAGS=''-DNO_WOLFSSL_CLIENT -DWOLFSSL_NO_CLIENT_AUTH''',
'--enable-all CPPFLAGS=''-DNO_WOLFSSL_SERVER -DWOLFSSL_NO_CLIENT_AUTH''',
]
name: make check
if: github.repository_owner == 'wolfssl'
+17 -7
View File
@@ -1209,8 +1209,10 @@ static const char* client_usage_msg[][79] = {
#endif
"-l <str> Cipher suite list (: delimited)\n", /* 8 */
#ifndef NO_CERTS
#ifndef WOLFSSL_NO_CLIENT_AUTH
"-c <file> Certificate file, default", /* 9 */
"-k <file> Key file, default", /* 10 */
#endif
"-A <file> Certificate Authority file, default", /* 11 */
#endif
#ifndef NO_DH
@@ -1261,7 +1263,7 @@ static const char* client_usage_msg[][79] = {
" The string parameter is optional.\n", /* 29 */
#endif
"-f Fewer packets/group messages\n", /* 30 */
#ifndef NO_CERTS
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CLIENT_AUTH)
"-x Disable client cert/key loading\n", /* 31 */
#endif
"-X Driven by eXternal test case\n", /* 32 */
@@ -1329,7 +1331,8 @@ static const char* client_usage_msg[][79] = {
#ifdef HAVE_CURVE25519
"-t Use X25519 for key exchange\n", /* 56 */
#endif
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH) && \
!defined(WOLFSSL_NO_CLIENT_AUTH)
"-Q Support requesting certificate post-handshake\n", /* 57 */
#endif
#ifdef WOLFSSL_EARLY_DATA
@@ -1467,8 +1470,10 @@ static const char* client_usage_msg[][79] = {
#endif
"-l <str> 暗号スイートリスト (区切り文字 :)\n", /* 8 */
#ifndef NO_CERTS
#ifndef WOLFSSL_NO_CLIENT_AUTH
"-c <file> 証明書ファイル, 既定値", /* 9 */
"-k <file> 鍵ファイル, 既定値", /* 10 */
#endif
"-A <file> 認証局ファイル, 既定値", /* 11 */
#endif
#ifndef NO_DH
@@ -1518,7 +1523,7 @@ static const char* client_usage_msg[][79] = {
"-i <str> クライアント主導のネゴシエーションを強制する\n", /* 29 */
#endif
"-f より少ないパケット/グループメッセージを使用する\n",/* 30 */
#ifndef NO_CERTS
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CLIENT_AUTH)
"-x クライアントの証明書/鍵のロードを無効する\n", /* 31 */
#endif
"-X 外部テスト・ケースにより動作する\n", /* 32 */
@@ -1589,7 +1594,8 @@ static const char* client_usage_msg[][79] = {
#ifdef HAVE_CURVE25519
"-t X25519を鍵交換に使用する\n", /* 56 */
#endif
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH) && \
!defined(WOLFSSL_NO_CLIENT_AUTH)
"-Q ポストハンドシェークの証明要求をサポートする\n", /* 57 */
#endif
#ifdef WOLFSSL_EARLY_DATA
@@ -1766,8 +1772,10 @@ static void Usage(void)
#endif
printf("%s", msg[++msgid]); /* -l */
#ifndef NO_CERTS
#ifndef WOLFSSL_NO_CLIENT_AUTH
printf("%s %s\n", msg[++msgid], cliCertFile); /* -c */
printf("%s %s\n", msg[++msgid], cliKeyFile); /* -k */
#endif
printf("%s %s\n", msg[++msgid], caCertFile); /* -A */
#endif
#ifndef NO_DH
@@ -1805,7 +1813,7 @@ static void Usage(void)
printf("%s", msg[++msgid]); /* -i */
#endif
printf("%s", msg[++msgid]); /* -f */
#ifndef NO_CERTS
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CLIENT_AUTH)
printf("%s", msg[++msgid]); /* -x */
#endif
printf("%s", msg[++msgid]); /* -X */
@@ -1868,7 +1876,8 @@ static void Usage(void)
#ifdef HAVE_CURVE25519
printf("%s", msg[++msgid]); /* -t */
#endif
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH) && \
!defined(WOLFSSL_NO_CLIENT_AUTH)
printf("%s", msg[++msgid]); /* -Q */
#endif
#ifdef WOLFSSL_EARLY_DATA
@@ -2823,7 +2832,8 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
case 'Q' :
#if defined(WOLFSSL_TLS13) && \
defined(WOLFSSL_POST_HANDSHAKE_AUTH)
defined(WOLFSSL_POST_HANDSHAKE_AUTH) && \
!defined(WOLFSSL_NO_CLIENT_AUTH)
postHandAuth = 1;
#endif
break;
+8
View File
@@ -1,5 +1,13 @@
#!/usr/bin/env bash
[ ! -x ./examples/client/client ] && printf '\n\n%s\n' "Client doesn't exist" \
&& exit 1
if ! ./examples/client/client | grep "Client not compiled in!" ; then
echo 'skipping crl-revoked.test because client not compiled in.' 1>&2
exit 77
fi
#crl.test
# if we can, isolate the network namespace to eliminate port collisions.
if [[ -n "$NETWORK_UNSHARE_HELPER" ]]; then
+16
View File
@@ -3,6 +3,22 @@
# dtlscid.test
# Copyright wolfSSL 2022-2024
[ ! -x ./examples/client/client ] && printf '\n\n%s\n' "Client doesn't exist" \
&& exit 0
[ ! -x ./examples/server/server ] && printf '\n\n%s\n' "Server doesn't exist" \
&& exit 0
if ! ./examples/client/client | grep "Client not compiled in!" ; then
echo 'skipping crl-revoked.test because client not compiled in.' 1>&2
exit 77
fi
if ! ./examples/server/server | grep "Server not compiled in!" ; then
echo 'skipping crl-revoked.test because server not compiled in.' 1>&2
exit 77
fi
# if we can, isolate the network namespace to eliminate port collisions.
if [[ -n "$NETWORK_UNSHARE_HELPER" ]]; then
if [[ -z "$NETWORK_UNSHARE_HELPER_CALLED" ]]; then
@@ -23,6 +23,22 @@ if [[ -z "${RETRIES_REMAINING-}" ]]; then
export RETRIES_REMAINING=2
fi
[ ! -x ./examples/client/client ] && printf '\n\n%s\n' "Client doesn't exist" \
&& exit 1
[ ! -x ./examples/server/server ] && printf '\n\n%s\n' "Server doesn't exist" \
&& exit 1
if ! ./examples/client/client | grep "Client not compiled in!" ; then
echo 'skipping crl-revoked.test because client not compiled in.' 1>&2
exit 77
fi
if ! ./examples/server/server | grep "Server not compiled in!" ; then
echo 'skipping crl-revoked.test because server not compiled in.' 1>&2
exit 77
fi
if ! ./examples/client/client -V | grep -q 3; then
echo 'skipping ocsp-stapling-with-ca-as-responder.test because TLS1.2 is not available.' 1>&2
exit 77
+16
View File
@@ -17,6 +17,22 @@ if test "$WOLFSSL_EXTERNAL_TEST" == "0"; then
exit 77
fi
[ ! -x ./examples/client/client ] && printf '\n\n%s\n' "Client doesn't exist" \
&& exit 1
[ ! -x ./examples/server/server ] && printf '\n\n%s\n' "Server doesn't exist" \
&& exit 1
if ! ./examples/client/client | grep "Client not compiled in!" ; then
echo 'skipping crl-revoked.test because client not compiled in.' 1>&2
exit 77
fi
if ! ./examples/server/server | grep "Server not compiled in!" ; then
echo 'skipping crl-revoked.test because server not compiled in.' 1>&2
exit 77
fi
if ! ./examples/client/client -V | grep -q 3; then
echo 'skipping ocsp-stapling.test because TLS1.2 is not available.' 1>&2
exit 77
+16
View File
@@ -24,6 +24,22 @@ if [[ -z "${RETRIES_REMAINING-}" ]]; then
export RETRIES_REMAINING=2
fi
[ ! -x ./examples/client/client ] && printf '\n\n%s\n' "Client doesn't exist" \
&& exit 1
[ ! -x ./examples/server/server ] && printf '\n\n%s\n' "Server doesn't exist" \
&& exit 1
if ! ./examples/client/client | grep "Client not compiled in!" ; then
echo 'skipping crl-revoked.test because client not compiled in.' 1>&2
exit 77
fi
if ! ./examples/server/server | grep "Server not compiled in!" ; then
echo 'skipping crl-revoked.test because server not compiled in.' 1>&2
exit 77
fi
if ! ./examples/client/client -V | grep -q 3; then
echo 'skipping ocsp-stapling2.test because TLS1.2 is not available.' 1>&2
exit 77
+16
View File
@@ -24,6 +24,22 @@ if [[ -z "${RETRIES_REMAINING-}" ]]; then
export RETRIES_REMAINING=2
fi
[ ! -x ./examples/client/client ] && printf '\n\n%s\n' "Client doesn't exist" \
&& exit 1
[ ! -x ./examples/server/server ] && printf '\n\n%s\n' "Server doesn't exist" \
&& exit 1
if ! ./examples/client/client | grep "Client not compiled in!" ; then
echo 'skipping crl-revoked.test because client not compiled in.' 1>&2
exit 77
fi
if ! ./examples/server/server | grep "Server not compiled in!" ; then
echo 'skipping crl-revoked.test because server not compiled in.' 1>&2
exit 77
fi
if ! ./examples/client/client -V | grep -q 4; then
tls13=no
+8
View File
@@ -2,6 +2,14 @@
#pkcallbacks.test
[ ! -x ./examples/client/client ] && printf '\n\n%s\n' "Client doesn't exist" \
&& exit 1
if ! ./examples/client/client | grep "Client not compiled in!" ; then
echo 'skipping pkcallbacks.test because client not compiled in.' 1>&2
exit 77
fi
# if we can, isolate the network namespace to eliminate port collisions.
if [[ -n "$NETWORK_UNSHARE_HELPER" ]]; then
if [[ -z "$NETWORK_UNSHARE_HELPER_CALLED" ]]; then
+19 -13
View File
@@ -88,6 +88,10 @@ fi
if [ $? -eq 0 ]; then
exit 0
fi
./examples/client/client '-?' 2>&1 | grep -- 'Disable client cert/key loading'
if [ $? -eq 0 ]; then
CLIENT_AUTH_ENABLED=1
fi
# Usual psk server / psk client. This use case is tested in
# tests/unit.test and is used here for just checking if PSK is enabled
@@ -144,19 +148,21 @@ if [ $? -ne 0 ]; then
fi
echo ""
# check fail if no auth, psk server with non psk client
echo "Checking fail when not sending peer cert"
port=0
./examples/server/server -j -R "$ready_file" -p $port &
server_pid=$!
create_port
./examples/client/client -x -p $port
RESULT=$?
remove_ready_file
if [ $RESULT -eq 0 ]; then
echo -e "\n\nClient connected when supposed to fail"
do_cleanup
exit 1
if [ "$CLIENT_AUTH_ENABLED" != "" ]; then
# check fail if no auth, psk server with non psk client
echo "Checking fail when not sending peer cert"
port=0
./examples/server/server -j -R "$ready_file" -p $port &
server_pid=$!
create_port
./examples/client/client -x -p $port
RESULT=$?
remove_ready_file
if [ $RESULT -eq 0 ]; then
echo -e "\n\nClient connected when supposed to fail"
do_cleanup
exit 1
fi
fi
fi
+2 -1
View File
@@ -519,7 +519,8 @@ int CheckCertCRL_ex(WOLFSSL_CRL* crl, byte* issuerHash, byte* serial,
#if defined(OPENSSL_ALL) && defined(WOLFSSL_CERT_GEN) && \
(defined(WOLFSSL_CERT_REQ) || defined(WOLFSSL_CERT_EXT)) && \
!defined(NO_FILESYSTEM) && !defined(NO_WOLFSSL_DIR) && \
!defined(NO_STDIO_FILESYSTEM)
!defined(NO_STDIO_FILESYSTEM) && \
(!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH))
/* if not find entry in the CRL list, it looks at the folder that sets */
/* by LOOKUP_ctrl because user would want to use hash_dir. */
/* Loading <issuer-hash>.rN form CRL file if find at the folder, */
+1 -1
View File
@@ -1849,7 +1849,7 @@ static int _Dtls13HandshakeRecv(WOLFSSL* ssl, byte* input, word32 size,
isComplete = isFirst && fragLength == messageLength;
if (!isComplete && !Dtls13AcceptFragmented(ssl, (enum HandShakeType)handshakeType)) {
#ifdef WOLFSSL_DTLS_CH_FRAG
#if defined(WOLFSSL_DTLS_CH_FRAG) && !defined(NO_WOLFSSL_SERVER)
byte tls13 = 0;
/* check if the first CH fragment contains a valid cookie */
if (ssl->options.dtls13ChFrag && !ssl->options.dtlsStateful &&
+84 -65
View File
@@ -211,7 +211,8 @@ int writeAeadAuthData(WOLFSSL* ssl, word16 sz, byte type, byte* additional,
static int _DtlsCheckWindow(WOLFSSL* ssl);
#endif
#if defined(__APPLE__) && defined(WOLFSSL_SYS_CA_CERTS)
#if defined(__APPLE__) && defined(WOLFSSL_SYS_CA_CERTS) && \
(!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH))
#include <Security/SecCertificate.h>
#include <Security/SecTrust.h>
#include <Security/SecPolicy.h>
@@ -4922,7 +4923,8 @@ void FreeX509(WOLFSSL_X509* x509)
}
#if !defined(NO_WOLFSSL_SERVER) || !defined(NO_WOLFSSL_CLIENT)
#if !defined(NO_WOLFSSL_SERVER) || (!defined(NO_WOLFSSL_CLIENT) && \
!defined(WOLFSSL_NO_CLIENT_AUTH))
#if !defined(WOLFSSL_NO_TLS12)
/* Encode the signature algorithm into buffer.
*
@@ -10772,9 +10774,11 @@ static void AddHeaders(byte* output, word32 length, byte type, WOLFSSL* ssl)
#ifndef WOLFSSL_NO_TLS12
#if !defined(NO_CERTS) && (!defined(NO_WOLFSSL_SERVER) || \
!defined(WOLFSSL_NO_CLIENT_AUTH)) || \
defined(WOLFSSL_DTLS)
#if (!defined(NO_CERTS) && (!defined(NO_WOLFSSL_SERVER) || \
!defined(WOLFSSL_NO_CLIENT_AUTH))) || \
((!defined(NO_WOLFSSL_SERVER) || \
(!defined(NO_WOLFSSL_CLIENT) && !defined(NO_CERTS) && \
!defined(WOLFSSL_NO_CLIENT_AUTH))) && defined(WOLFSSL_DTLS))
static void AddFragHeaders(byte* output, word32 fragSz, word32 fragOffset,
word32 length, byte type, WOLFSSL* ssl)
{
@@ -10792,7 +10796,7 @@ static void AddFragHeaders(byte* output, word32 fragSz, word32 fragOffset,
AddRecordHeader(output, fragSz + lengthAdj, handshake, ssl, CUR_ORDER);
AddHandShakeHeader(output + outputAdj, length, fragOffset, fragSz, type, ssl);
}
#endif /* NO_CERTS */
#endif
#if !defined(NO_WOLFSSL_SERVER) || \
(!defined(NO_WOLFSSL_CLIENT) && !defined(NO_CERTS) && \
@@ -13347,7 +13351,8 @@ int CheckIPAddr(DecodedCert* dCert, const char* ipasc)
}
#ifdef SESSION_CERTS
#if defined(SESSION_CERTS) && (!defined(NO_WOLFSSL_CLIENT) || \
!defined(WOLFSSL_NO_CLIENT_AUTH))
static void AddSessionCertToChain(WOLFSSL_X509_CHAIN* chain,
byte* certBuf, word32 certSz)
{
@@ -14134,9 +14139,10 @@ int CopyDecodedAcertToX509(WOLFSSL_X509_ACERT* x509, DecodedAcert* dAcert)
}
#endif /* WOLFSSL_ACERT */
#if (defined(HAVE_CERTIFICATE_STATUS_REQUEST) || \
defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)) && !defined(WOLFSSL_NO_TLS12)
#if !defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)
#ifndef NO_WOLFSSL_SERVER
static int CsrDoStatusVerifyCb(WOLFSSL* ssl, byte* input, word32 inputSz, word32 idx,
int ret)
{
@@ -14159,6 +14165,7 @@ static int CsrDoStatusVerifyCb(WOLFSSL* ssl, byte* input, word32 inputSz, word32
}
return ret;
}
#endif
static int ProcessCSR_ex(WOLFSSL* ssl, byte* input, word32* inOutIdx,
word32 status_length, int idx)
@@ -14263,7 +14270,9 @@ static int ProcessCSR_ex(WOLFSSL* ssl, byte* input, word32* inOutIdx,
else if (response->single->status->status != CERT_GOOD)
ret = BAD_CERTIFICATE_STATUS_ERROR;
#ifndef NO_WOLFSSL_SERVER
ret = CsrDoStatusVerifyCb(ssl, input + *inOutIdx, status_length, idx, ret);
#endif
}
*inOutIdx += status_length;
@@ -14286,6 +14295,7 @@ static int ProcessCSR(WOLFSSL* ssl, byte* input, word32* inOutIdx,
return ProcessCSR_ex(ssl, input, inOutIdx, status_length, 0);
}
#endif
#endif
@@ -17398,8 +17408,10 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx,
/* only frees 'single' if single->isDynamic is set */
FreeOcspResponse(response);
ret = CsrDoStatusVerifyCb(ssl, input + *inOutIdx, status_length,
idx, ret);
#ifndef NO_WOLFSSL_SERVER
ret = CsrDoStatusVerifyCb(ssl, input + *inOutIdx,
status_length, idx, ret);
#endif
if (ret == 0 && idx == 0) /* server cert must be OK */
endCertificateOK = 1;
@@ -25554,12 +25566,14 @@ int SendCertificateStatus(WOLFSSL* ssl)
status_type = status_type ? status_type : ssl->status_request_v2;
#endif
#ifndef NO_WOLFSSL_SERVER
#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) || \
defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
if (SSL_CM(ssl)->ocsp_stapling != NULL &&
SSL_CM(ssl)->ocsp_stapling->statusCb != NULL) {
return BuildCertificateStatusWithStatusCB(ssl, status_type);
}
#endif
#endif
switch (status_type) {
@@ -30725,6 +30739,36 @@ static int DhSetKey(WOLFSSL* ssl)
}
#endif /* !NO_DH */
#if !defined(NO_TLS) && !defined(WOLFSSL_NO_TLS12) && !defined(NO_PSK)
static void MakePSKPreMasterSecret(Arrays* arrays, byte use_psk_key)
{
byte* pms = arrays->preMasterSecret;
word16 sz = 0;
/* sz + (use_psk_key ? sz 0s : sz unaltered) + length of psk + psk */
if (!use_psk_key) {
sz = (word16)arrays->preMasterSz;
c16toa(sz, pms);
pms += OPAQUE16_LEN + sz;
}
if ((int)arrays->psk_keySz > 0) {
if (use_psk_key) {
sz = (word16)arrays->psk_keySz;
c16toa(sz, pms);
pms += OPAQUE16_LEN;
XMEMSET(pms, 0, sz);
pms += sz;
}
c16toa(arrays->psk_keySz, pms);
pms += OPAQUE16_LEN;
XMEMCPY(pms, arrays->psk_key, arrays->psk_keySz);
arrays->preMasterSz = sz + arrays->psk_keySz + OPAQUE16_LEN * 2;
ForceZero(arrays->psk_key, arrays->psk_keySz);
}
arrays->psk_keySz = 0; /* no further need */
}
#endif
/* client only parts */
#if !defined(NO_WOLFSSL_CLIENT) && !defined(NO_TLS)
@@ -33150,59 +33194,6 @@ static int EcExportHsKey(WOLFSSL* ssl, byte* out, word32* len)
}
#endif /*HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448*/
#ifndef NO_PSK
static int AddPSKtoPreMasterSecret(WOLFSSL* ssl)
{
int ret = 0;
/* Use the PSK hint to look up the PSK and add it to the
* preMasterSecret here. */
ssl->arrays->psk_keySz = ssl->options.server_psk_cb(ssl,
ssl->arrays->client_identity, ssl->arrays->psk_key,
MAX_PSK_KEY_LEN);
if (ssl->arrays->psk_keySz == 0 ||
(ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN &&
(int)ssl->arrays->psk_keySz != WC_NO_ERR_TRACE(USE_HW_PSK))) {
#if defined(WOLFSSL_EXTRA_ALERTS) || defined(WOLFSSL_PSK_IDENTITY_ALERT)
SendAlert(ssl, alert_fatal, unknown_psk_identity);
#endif
ret = 1;
}
if (ret == 0)
/* Pre-shared Key for peer authentication. */
ssl->options.peerAuthGood = 1;
return ret;
}
static void MakePSKPreMasterSecret(Arrays* arrays, byte use_psk_key)
{
byte* pms = arrays->preMasterSecret;
word16 sz = 0;
/* sz + (use_psk_key ? sz 0s : sz unaltered) + length of psk + psk */
if (!use_psk_key) {
sz = (word16)arrays->preMasterSz;
c16toa(sz, pms);
pms += OPAQUE16_LEN + sz;
}
if ((int)arrays->psk_keySz > 0) {
if (use_psk_key) {
sz = (word16)arrays->psk_keySz;
c16toa(sz, pms);
pms += OPAQUE16_LEN;
XMEMSET(pms, 0, sz);
pms += sz;
}
c16toa(arrays->psk_keySz, pms);
pms += OPAQUE16_LEN;
XMEMCPY(pms, arrays->psk_key, arrays->psk_keySz);
arrays->preMasterSz = sz + arrays->psk_keySz + OPAQUE16_LEN * 2;
ForceZero(arrays->psk_key, arrays->psk_keySz);
}
arrays->psk_keySz = 0; /* no further need */
}
#endif /*!NO_PSK*/
#if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || defined(HAVE_CURVE448)
static int EcMakeKey(WOLFSSL* ssl)
{
@@ -35084,10 +35075,36 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
return MATCH_SUITE_ERROR;
}
#if !defined(NO_WOLFSSL_SERVER) && !defined(NO_TLS)
#ifndef WOLFSSL_NO_TLS12
#ifndef NO_PSK
static int AddPSKtoPreMasterSecret(WOLFSSL* ssl)
{
int ret = 0;
/* Use the PSK hint to look up the PSK and add it to the
* preMasterSecret here. */
ssl->arrays->psk_keySz = ssl->options.server_psk_cb(ssl,
ssl->arrays->client_identity, ssl->arrays->psk_key,
MAX_PSK_KEY_LEN);
if (ssl->arrays->psk_keySz == 0 ||
(ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN &&
(int)ssl->arrays->psk_keySz != WC_NO_ERR_TRACE(USE_HW_PSK))) {
#if defined(WOLFSSL_EXTRA_ALERTS) || defined(WOLFSSL_PSK_IDENTITY_ALERT)
SendAlert(ssl, alert_fatal, unknown_psk_identity);
#endif
ret = 1;
}
if (ret == 0)
/* Pre-shared Key for peer authentication. */
ssl->options.peerAuthGood = 1;
return ret;
}
#endif /* NO_PSK */
static int getSessionID(WOLFSSL* ssl)
{
int sessIdSz = 0;
@@ -42055,7 +42072,8 @@ int wolfSSL_sk_BY_DIR_entry_push(WOLF_STACK_OF(WOLFSSL_BY_DIR_entry)* sk,
#endif /* OPENSSL_ALL && !NO_FILESYSTEM && !NO_FILESYSTEM */
#if defined(__APPLE__) && defined(WOLFSSL_SYS_CA_CERTS)
#if defined(__APPLE__) && defined(WOLFSSL_SYS_CA_CERTS) && \
(!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH))
/*
* Converts a DER formatted certificate to a SecCertificateRef
@@ -42401,7 +42419,8 @@ int wolfSSL_TestAppleNativeCertValidation_AppendCA(WOLFSSL_CTX* ctx,
}
#endif /* WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION */
#endif /* defined(__APPLE__) && defined(WOLFSSL_SYS_CA_CERTS) */
#endif /* __APPLE__ && WOLFSSL_SYS_CA_CERTS && (!NO_WOLFSSL_CLIENT) ||
* !WOLFSSL_NO_CLIENT_AUTH) */
/* Do not try to process error for async, non blocking io, and app_read */
void wolfssl_local_MaybeCheckAlertOnErr(WOLFSSL* ssl, int err)
+4
View File
@@ -3666,6 +3666,7 @@ int wolfSSL_CTX_UseTruncatedHMAC(WOLFSSL_CTX* ctx)
#endif /* NO_WOLFSSL_CLIENT */
#endif /* HAVE_TRUNCATED_HMAC */
#ifndef NO_WOLFSSL_CLIENT
#ifdef HAVE_CERTIFICATE_STATUS_REQUEST
int wolfSSL_UseOCSPStapling(WOLFSSL* ssl, byte status_type, byte options)
@@ -3717,6 +3718,7 @@ int wolfSSL_CTX_UseOCSPStaplingV2(WOLFSSL_CTX* ctx, byte status_type,
}
#endif /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */
#endif /* !NO_WOLFSSL_CLIENT */
/* Elliptic Curves */
#if defined(HAVE_SUPPORTED_CURVES)
@@ -22208,6 +22210,7 @@ int wolfSSL_set_tlsext_status_ocsp_resp_multi(WOLFSSL* ssl, unsigned char *resp,
return WOLFSSL_SUCCESS;
}
#ifndef NO_WOLFSSL_SERVER
void wolfSSL_CTX_set_ocsp_status_verify_cb(WOLFSSL_CTX* ctx,
ocspVerifyStatusCb cb, void* cbArg)
{
@@ -22217,6 +22220,7 @@ void wolfSSL_CTX_set_ocsp_status_verify_cb(WOLFSSL_CTX* ctx,
}
}
#endif
#endif
#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || \
defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)
+7 -4
View File
@@ -716,7 +716,8 @@ void wolfSSL_CertManagerSetUnknownExtCallback(WOLFSSL_CERT_MANAGER* cm,
}
#endif /* WC_ASN_UNKNOWN_EXT_CB */
#if !defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)
#if (!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)) || \
defined(OPENSSL_EXTRA)
/* Verify the certificate.
*
* Uses the verification callback if available.
@@ -796,7 +797,8 @@ int CM_VerifyBuffer_ex(WOLFSSL_CERT_MANAGER* cm, const unsigned char* buff,
(void)fatal;
#ifndef NO_WOLFSSL_CM_VERIFY
#if !defined(NO_WOLFSSL_CM_VERIFY) && \
(!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH))
/* Use callback to perform verification too if available. */
if ((!fatal) && cm->verifyCallback) {
WC_DECLARE_VAR(args, ProcPeerCertArgs, 1, 0);
@@ -884,11 +886,12 @@ int wolfSSL_CertManagerVerifyBuffer(WOLFSSL_CERT_MANAGER* cm,
return ret;
}
#endif /* !NO_WOLFSSL_CLIENT || !WOLFSSL_NO_CLIENT_AUTH */
#endif /* (!NO_WOLFSSL_CLIENT || !WOLFSSL_NO_CLIENT_AUTH) || OPENSSL_EXTRA */
#ifndef NO_FILESYSTEM
#if !defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)
#if (!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)) || \
defined(OPENSSL_EXTRA)
/* Verify the certificate loaded from a file.
*
* Uses the verification callback if available.
+2
View File
@@ -770,11 +770,13 @@ static int ProcessBufferTryDecodeEd448(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
WOLFSSL_MSG("ED448 private key too small");
ret = ECC_KEY_SIZE_E;
}
#if !defined(WOLFSSL_NO_CLIENT_AUTH) && !defined(NO_ED448_CLIENT_AUTH)
if (ssl != NULL) {
/* Ed448 requires caching enabled for tracking message
* hash used in EdDSA_Update for signing */
ssl->options.cacheMessages = 1;
}
#endif
}
/* Not an Ed448 key but check whether we know what it is. */
else if (*keyFormat == 0) {
+8 -9
View File
@@ -1064,7 +1064,8 @@ static int Hmac_UpdateFinal_CT(Hmac* hmac, byte* digest, const byte* in,
hashBlock[j] = b;
}
ret = Hmac_HashUpdate(hmac, hashBlock, (word32)blockSz); /* cppcheck-suppress uninitvar */
/* cppcheck-suppress uninitvar */
ret = Hmac_HashUpdate(hmac, hashBlock, (word32)blockSz);
if (ret != 0)
return ret;
ret = Hmac_HashFinalRaw(hmac, hashBlock);
@@ -3477,8 +3478,7 @@ static int TLSX_CSR_Parse(WOLFSSL* ssl, const byte* input, word16 length,
word16 size = 0;
#endif
#if !defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER) \
&& defined(WOLFSSL_TLS13)
#if !defined(NO_WOLFSSL_CLIENT)
OcspRequest* request;
TLSX* extension;
CertificateStatusRequest* csr;
@@ -5331,6 +5331,7 @@ int TLSX_SupportedFFDHE_Set(WOLFSSL* ssl)
return ret;
}
#endif /* HAVE_FFDHE && !WOLFSSL_NO_TLS12 */
#endif /* !NO_WOLFSSL_SERVER */
/* Check if the given curve is present in the supported groups extension.
*
@@ -5357,8 +5358,6 @@ int TLSX_SupportedCurve_IsSupported(WOLFSSL* ssl, word16 name)
return 0;
}
#endif /* !NO_WOLFSSL_SERVER */
#if defined(WOLFSSL_TLS13) && !defined(WOLFSSL_NO_SERVER_GROUPS_EXT)
/* Return the preferred group.
*
@@ -6525,6 +6524,7 @@ typedef struct TlsxSrtp {
word16 ids; /* selected bits */
} TlsxSrtp;
#ifndef NO_WOLFSSL_SERVER
static int TLSX_UseSRTP_GetSize(TlsxSrtp *srtp)
{
/* SRTP Profile Len (2)
@@ -6532,6 +6532,7 @@ static int TLSX_UseSRTP_GetSize(TlsxSrtp *srtp)
* MKI (master key id) Length */
return (OPAQUE16_LEN + (srtp->profileCount * OPAQUE16_LEN) + 1);
}
#endif
static TlsxSrtp* TLSX_UseSRTP_New(word16 ids, void* heap)
{
@@ -6562,6 +6563,7 @@ static void TLSX_UseSRTP_Free(TlsxSrtp *srtp, void* heap)
(void)heap;
}
#ifndef NO_WOLFSSL_SERVER
static int TLSX_UseSRTP_Parse(WOLFSSL* ssl, const byte* input, word16 length,
byte isRequest)
{
@@ -6569,10 +6571,8 @@ static int TLSX_UseSRTP_Parse(WOLFSSL* ssl, const byte* input, word16 length,
word16 profile_len = 0;
word16 profile_value = 0;
word16 offset = 0;
#ifndef NO_WOLFSSL_SERVER
int i;
TlsxSrtp* srtp = NULL;
#endif
if (length < OPAQUE16_LEN) {
return BUFFER_ERROR;
@@ -6600,7 +6600,6 @@ static int TLSX_UseSRTP_Parse(WOLFSSL* ssl, const byte* input, word16 length,
}
#endif
}
#ifndef NO_WOLFSSL_SERVER
else {
/* parse remainder one profile at a time, looking for match in CTX */
ret = 0;
@@ -6643,7 +6642,6 @@ static int TLSX_UseSRTP_Parse(WOLFSSL* ssl, const byte* input, word16 length,
ssl->dtlsSrtpId = 0;
TLSX_UseSRTP_Free(srtp, ssl->heap);
}
#endif
(void)profile_len;
return ret;
@@ -6669,6 +6667,7 @@ static word16 TLSX_UseSRTP_Write(TlsxSrtp* srtp, byte* output)
return offset;
}
#endif
static int TLSX_UseSRTP(TLSX** extensions, word16 profiles, void* heap)
{
+140 -131
View File
@@ -3747,6 +3747,36 @@ static byte helloRetryRequestRandom[] = {
};
#endif
#ifdef HAVE_ECH
/* returns the index of the first supported cipher suite, -1 if none */
int EchConfigGetSupportedCipherSuite(WOLFSSL_EchConfig* config)
{
int i, j, supported = 0;
for (i = 0; i < config->numCipherSuites; i++) {
supported = 0;
for (j = 0; j < HPKE_SUPPORTED_KDF_LEN; j++) {
if (config->cipherSuites[i].kdfId == hpkeSupportedKdf[j])
break;
}
if (j < HPKE_SUPPORTED_KDF_LEN)
for (j = 0; j < HPKE_SUPPORTED_AEAD_LEN; j++) {
if (config->cipherSuites[i].aeadId == hpkeSupportedAead[j]) {
supported = 1;
break;
}
}
if (supported)
return i;
}
return WOLFSSL_FATAL_ERROR;
}
#endif
#ifndef NO_WOLFSSL_CLIENT
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
#if defined(OPENSSL_EXTRA) && !defined(WOLFSSL_PSK_ONE_ID) && \
@@ -4166,34 +4196,6 @@ static int WritePSKBinders(WOLFSSL* ssl, byte* output, word32 idx)
#endif
#if defined(HAVE_ECH)
/* returns the index of the first supported cipher suite, -1 if none */
int EchConfigGetSupportedCipherSuite(WOLFSSL_EchConfig* config)
{
int i, j, supported = 0;
for (i = 0; i < config->numCipherSuites; i++) {
supported = 0;
for (j = 0; j < HPKE_SUPPORTED_KDF_LEN; j++) {
if (config->cipherSuites[i].kdfId == hpkeSupportedKdf[j])
break;
}
if (j < HPKE_SUPPORTED_KDF_LEN)
for (j = 0; j < HPKE_SUPPORTED_AEAD_LEN; j++) {
if (config->cipherSuites[i].aeadId == hpkeSupportedAead[j]) {
supported = 1;
break;
}
}
if (supported)
return i;
}
return WOLFSSL_FATAL_ERROR;
}
/* returns status after we hash the ech inner */
static int EchHashHelloInner(WOLFSSL* ssl, WOLFSSL_ECH* ech)
{
@@ -4966,105 +4968,6 @@ static int EchCheckAcceptance(WOLFSSL* ssl, byte* label, word16 labelSz,
ssl->hsHashes = tmpHashes;
return ret;
}
/* replace the last acceptance field for either sever hello or hrr with the ech
* acceptance parameter, return status */
static int EchWriteAcceptance(WOLFSSL* ssl, byte* label, word16 labelSz,
byte* output, int acceptOffset, int helloSz, byte msgType)
{
int ret = 0;
int digestType = 0;
int digestSize = 0;
HS_Hashes* tmpHashes = NULL;
byte zeros[WC_MAX_DIGEST_SIZE];
byte transcriptEchConf[WC_MAX_DIGEST_SIZE];
byte expandLabelPrk[WC_MAX_DIGEST_SIZE];
XMEMSET(zeros, 0, sizeof(zeros));
XMEMSET(transcriptEchConf, 0, sizeof(transcriptEchConf));
XMEMSET(expandLabelPrk, 0, sizeof(expandLabelPrk));
/* store so we can restore regardless of the outcome */
tmpHashes = ssl->hsHashes;
ssl->hsHashes = ssl->hsHashesEch;
/* hash up to the acceptOffset */
ret = HashRaw(ssl, output, acceptOffset);
/* hash 8 zeros */
if (ret == 0)
ret = HashRaw(ssl, zeros, ECH_ACCEPT_CONFIRMATION_SZ);
/* hash the rest of the hello */
if (ret == 0) {
ret = HashRaw(ssl, output + acceptOffset + ECH_ACCEPT_CONFIRMATION_SZ,
helloSz - (acceptOffset + ECH_ACCEPT_CONFIRMATION_SZ));
}
/* get the modified transcript hash */
if (ret == 0)
ret = GetMsgHash(ssl, transcriptEchConf);
if (ret > 0)
ret = 0;
/* pick the right type and size based on mac_algorithm */
if (ret == 0) {
switch (ssl->specs.mac_algorithm) {
#ifndef NO_SHA256
case sha256_mac:
digestType = WC_SHA256;
digestSize = WC_SHA256_DIGEST_SIZE;
break;
#endif /* !NO_SHA256 */
#ifdef WOLFSSL_SHA384
case sha384_mac:
digestType = WC_SHA384;
digestSize = WC_SHA384_DIGEST_SIZE;
break;
#endif /* WOLFSSL_SHA384 */
#ifdef WOLFSSL_TLS13_SHA512
case sha512_mac:
digestType = WC_SHA512;
digestSize = WC_SHA512_DIGEST_SIZE;
break;
#endif /* WOLFSSL_TLS13_SHA512 */
#ifdef WOLFSSL_SM3
case sm3_mac:
digestType = WC_SM3;
digestSize = WC_SM3_DIGEST_SIZE;
break;
#endif /* WOLFSSL_SM3 */
default:
ret = WOLFSSL_FATAL_ERROR;
break;
}
}
/* extract clientRandom with a key of all zeros */
if (ret == 0) {
PRIVATE_KEY_UNLOCK();
#if !defined(HAVE_FIPS) || \
(defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(6,0))
ret = wc_HKDF_Extract_ex(digestType, zeros, (word32)digestSize,
ssl->arrays->clientRandom, RAN_LEN, expandLabelPrk,
ssl->heap, ssl->devId);
#else
ret = wc_HKDF_Extract(digestType, zeros, digestSize,
ssl->arrays->clientRandom, RAN_LEN, expandLabelPrk);
#endif
PRIVATE_KEY_LOCK();
}
/* tls expand with the confirmation label */
if (ret == 0) {
PRIVATE_KEY_UNLOCK();
ret = Tls13HKDFExpandKeyLabel(ssl, output + acceptOffset,
ECH_ACCEPT_CONFIRMATION_SZ, expandLabelPrk, (word32)digestSize,
tls13ProtocolLabel, TLS13_PROTOCOL_LABEL_SZ, label, labelSz,
transcriptEchConf, (word32)digestSize, digestType,
WOLFSSL_SERVER_END);
PRIVATE_KEY_LOCK();
}
/* mark that ech was accepted */
if (ret == 0 && msgType != hello_retry_request)
ssl->options.echAccepted = 1;
/* free hsHashesEch, if this is an HRR we will start at client hello 2*/
FreeHandshakeHashes(ssl);
ssl->hsHashesEch = NULL;
ssl->hsHashes = tmpHashes;
return ret;
}
#endif
/* handle processing of TLS 1.3 server_hello (2) and hello_retry_request (6) */
@@ -7374,6 +7277,107 @@ exit_dch:
return ret;
}
#ifdef HAVE_ECH
/* replace the last acceptance field for either sever hello or hrr with the ech
* acceptance parameter, return status */
static int EchWriteAcceptance(WOLFSSL* ssl, byte* label, word16 labelSz,
byte* output, int acceptOffset, int helloSz, byte msgType)
{
int ret = 0;
int digestType = 0;
int digestSize = 0;
HS_Hashes* tmpHashes = NULL;
byte zeros[WC_MAX_DIGEST_SIZE];
byte transcriptEchConf[WC_MAX_DIGEST_SIZE];
byte expandLabelPrk[WC_MAX_DIGEST_SIZE];
XMEMSET(zeros, 0, sizeof(zeros));
XMEMSET(transcriptEchConf, 0, sizeof(transcriptEchConf));
XMEMSET(expandLabelPrk, 0, sizeof(expandLabelPrk));
/* store so we can restore regardless of the outcome */
tmpHashes = ssl->hsHashes;
ssl->hsHashes = ssl->hsHashesEch;
/* hash up to the acceptOffset */
ret = HashRaw(ssl, output, acceptOffset);
/* hash 8 zeros */
if (ret == 0)
ret = HashRaw(ssl, zeros, ECH_ACCEPT_CONFIRMATION_SZ);
/* hash the rest of the hello */
if (ret == 0) {
ret = HashRaw(ssl, output + acceptOffset + ECH_ACCEPT_CONFIRMATION_SZ,
helloSz - (acceptOffset + ECH_ACCEPT_CONFIRMATION_SZ));
}
/* get the modified transcript hash */
if (ret == 0)
ret = GetMsgHash(ssl, transcriptEchConf);
if (ret > 0)
ret = 0;
/* pick the right type and size based on mac_algorithm */
if (ret == 0) {
switch (ssl->specs.mac_algorithm) {
#ifndef NO_SHA256
case sha256_mac:
digestType = WC_SHA256;
digestSize = WC_SHA256_DIGEST_SIZE;
break;
#endif /* !NO_SHA256 */
#ifdef WOLFSSL_SHA384
case sha384_mac:
digestType = WC_SHA384;
digestSize = WC_SHA384_DIGEST_SIZE;
break;
#endif /* WOLFSSL_SHA384 */
#ifdef WOLFSSL_TLS13_SHA512
case sha512_mac:
digestType = WC_SHA512;
digestSize = WC_SHA512_DIGEST_SIZE;
break;
#endif /* WOLFSSL_TLS13_SHA512 */
#ifdef WOLFSSL_SM3
case sm3_mac:
digestType = WC_SM3;
digestSize = WC_SM3_DIGEST_SIZE;
break;
#endif /* WOLFSSL_SM3 */
default:
ret = WOLFSSL_FATAL_ERROR;
break;
}
}
/* extract clientRandom with a key of all zeros */
if (ret == 0) {
PRIVATE_KEY_UNLOCK();
#if !defined(HAVE_FIPS) || \
(defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(6,0))
ret = wc_HKDF_Extract_ex(digestType, zeros, (word32)digestSize,
ssl->arrays->clientRandom, RAN_LEN, expandLabelPrk,
ssl->heap, ssl->devId);
#else
ret = wc_HKDF_Extract(digestType, zeros, digestSize,
ssl->arrays->clientRandom, RAN_LEN, expandLabelPrk);
#endif
PRIVATE_KEY_LOCK();
}
/* tls expand with the confirmation label */
if (ret == 0) {
PRIVATE_KEY_UNLOCK();
ret = Tls13HKDFExpandKeyLabel(ssl, output + acceptOffset,
ECH_ACCEPT_CONFIRMATION_SZ, expandLabelPrk, (word32)digestSize,
tls13ProtocolLabel, TLS13_PROTOCOL_LABEL_SZ, label, labelSz,
transcriptEchConf, (word32)digestSize, digestType,
WOLFSSL_SERVER_END);
PRIVATE_KEY_LOCK();
}
/* mark that ech was accepted */
if (ret == 0 && msgType != hello_retry_request)
ssl->options.echAccepted = 1;
/* free hsHashesEch, if this is an HRR we will start at client hello 2*/
FreeHandshakeHashes(ssl);
ssl->hsHashesEch = NULL;
ssl->hsHashes = tmpHashes;
return ret;
}
#endif
/* Send TLS v1.3 ServerHello message to client.
* Only a server will send this message.
*
@@ -7884,15 +7888,17 @@ static int SendTls13CertificateRequest(WOLFSSL* ssl, byte* reqCtx,
#endif /* NO_WOLFSSL_SERVER */
#ifndef NO_CERTS
#if !defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \
defined(HAVE_ED448) || defined(HAVE_FALCON) || defined(HAVE_DILITHIUM)
#if (!defined(NO_WOLFSSL_SERVER) || !defined(WOLFSSL_NO_CLIENT_AUTH)) && \
(!defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \
defined(HAVE_ED448) || defined(HAVE_FALCON) || defined(HAVE_DILITHIUM))
/* Encode the signature algorithm into buffer.
*
* hashalgo The hash algorithm.
* hsType The signature type.
* output The buffer to encode into.
*/
static WC_INLINE void EncodeSigAlg(const WOLFSSL * ssl, byte hashAlgo, byte hsType, byte* output)
static WC_INLINE void EncodeSigAlg(const WOLFSSL * ssl, byte hashAlgo,
byte hsType, byte* output)
{
(void)ssl;
switch (hsType) {
@@ -7987,7 +7993,10 @@ static WC_INLINE void EncodeSigAlg(const WOLFSSL * ssl, byte hashAlgo, byte hsTy
break;
}
}
#endif
#if !defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \
defined(HAVE_ED448) || defined(HAVE_FALCON) || defined(HAVE_DILITHIUM)
#ifdef WOLFSSL_DUAL_ALG_CERTS
/* These match up with what the OQS team has defined. */
#define HYBRID_SA_MAJOR 0xFE
@@ -12766,7 +12775,7 @@ int DoTls13HandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx,
int ret = 0, tmp;
word32 inIdx = *inOutIdx;
int alertType;
#if defined(HAVE_ECH)
#if defined(HAVE_ECH) && !defined(NO_WOLFSSL_SERVER)
TLSX* echX = NULL;
word32 echInOutIdx;
#endif
+22 -15
View File
@@ -7043,7 +7043,7 @@ static void test_wolfSSL_CTX_add_session_on_result(WOLFSSL* ssl)
AssertIntEQ(wolfSSL_CTX_up_ref(wolfSSL_get_SSL_CTX(ssl)),
WOLFSSL_SUCCESS);
}
#ifdef SESSION_CERTS
#if defined(SESSION_CERTS) && !defined(WOLFSSL_NO_CLIENT_AUTH)
#ifndef WOLFSSL_TICKET_HAVE_ID
if (wolfSSL_version(ssl) != TLS1_3_VERSION &&
wolfSSL_session_reused(ssl))
@@ -7063,7 +7063,7 @@ static void test_wolfSSL_CTX_add_session_on_result(WOLFSSL* ssl)
AssertNotNull(SSL_SESSION_get0_peer(*sess));
#endif
}
#endif /* SESSION_CERTS */
#endif /* SESSION_CERTS && !WOLFSSL_NO_CLIENT_AUTH */
}
static void test_wolfSSL_CTX_add_session_ssl_ready(WOLFSSL* ssl)
@@ -7446,7 +7446,7 @@ static int twcase_server_sess_ctx_pre_shutdown(WOLFSSL* ssl)
ExpectIntEQ(wolfSSL_CTX_up_ref(wolfSSL_get_SSL_CTX(ssl)),
WOLFSSL_SUCCESS);
}
#ifdef SESSION_CERTS
#if defined(SESSION_CERTS) && !defined(WOLFSSL_NO_CLIENT_AUTH)
#ifndef WOLFSSL_TICKET_HAVE_ID
if (wolfSSL_version(ssl) != TLS1_3_VERSION &&
wolfSSL_session_reused(ssl))
@@ -7481,7 +7481,7 @@ static int twcase_client_sess_ctx_pre_shutdown(WOLFSSL* ssl)
ExpectIntEQ(wolfSSL_session_reused(ssl), 1);
}
#ifdef SESSION_CERTS
#if defined(SESSION_CERTS) && !defined(WOLFSSL_NO_CLIENT_AUTH)
#ifndef WOLFSSL_TICKET_HAVE_ID
if (wolfSSL_version(ssl) != TLS1_3_VERSION &&
wolfSSL_session_reused(ssl))
@@ -9222,10 +9222,9 @@ static int test_wolfSSL_UseMaxFragment(void)
{
EXPECT_DECLS;
#if defined(HAVE_MAX_FRAGMENT) && !defined(NO_CERTS) && \
!defined(NO_FILESYSTEM) && !defined(NO_RSA)
!defined(NO_FILESYSTEM) && !defined(NO_RSA) && !defined(NO_WOLFSSL_CLIENT)
#if !defined(NO_TLS) && \
(!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER))
#if !defined(NO_TLS)
#ifndef NO_WOLFSSL_SERVER
WOLFSSL_CTX* ctx = wolfSSL_CTX_new(wolfSSLv23_server_method());
#else
@@ -9352,6 +9351,7 @@ static int test_wolfSSL_UseTruncatedHMAC(void)
ExpectNotNull(ssl = wolfSSL_new(ctx));
#ifndef NO_WOLFSSL_CLIENT
/* error cases */
ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_UseTruncatedHMAC(NULL));
ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_UseTruncatedHMAC(NULL));
@@ -9359,6 +9359,7 @@ static int test_wolfSSL_UseTruncatedHMAC(void)
/* success case */
ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_UseTruncatedHMAC(ctx));
ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_UseTruncatedHMAC(ssl));
#endif
wolfSSL_free(ssl);
wolfSSL_CTX_free(ctx);
@@ -11019,7 +11020,8 @@ static int test_wolfSSL_mcast(void)
{
EXPECT_DECLS;
#if defined(WOLFSSL_DTLS) && defined(WOLFSSL_MULTICAST) && \
(defined(WOLFSSL_TLS13) || defined(WOLFSSL_SNIFFER))
(defined(WOLFSSL_TLS13) || defined(WOLFSSL_SNIFFER)) && \
!defined(NO_WOLFSSL_CLIENT)
WOLFSSL_CTX* ctx = NULL;
WOLFSSL* ssl = NULL;
byte preMasterSecret[512];
@@ -17737,7 +17739,8 @@ static int test_wolfSSL_verify_mode(void)
EXPECT_DECLS;
#if !defined(NO_RSA) && !defined(NO_TLS) && (defined(OPENSSL_ALL) || \
defined(HAVE_STUNNEL) || defined(WOLFSSL_MYSQL_COMPATIBLE) || \
defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY))
defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)) && \
!defined(NO_WOLFSSL_CLIENT)
WOLFSSL* ssl = NULL;
WOLFSSL_CTX* ctx = NULL;
@@ -18014,7 +18017,7 @@ static int test_wolfSSL_OPENSSL_hexstr2buf(void)
static int test_wolfSSL_sk_CIPHER_description(void)
{
EXPECT_DECLS;
#if !defined(NO_RSA) && !defined(NO_TLS)
#if !defined(NO_RSA) && !defined(NO_TLS) && !defined(NO_WOLFSSL_CLIENT)
const long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION;
int i;
int numCiphers = 0;
@@ -18076,7 +18079,7 @@ static int test_wolfSSL_sk_CIPHER_description(void)
static int test_wolfSSL_get_ciphers_compat(void)
{
EXPECT_DECLS;
#if !defined(NO_RSA) && !defined(NO_TLS)
#if !defined(NO_RSA) && !defined(NO_TLS) && !defined(NO_WOLFSSL_CLIENT)
const SSL_METHOD *method = NULL;
const char certPath[] = "./certs/client-cert.pem";
STACK_OF(SSL_CIPHER) *supportedCiphers = NULL;
@@ -27909,7 +27912,7 @@ static int test_override_alt_cert_chain(void)
static int test_rpk_set_xxx_cert_type(void)
{
EXPECT_DECLS;
#if defined(HAVE_RPK) && !defined(NO_TLS)
#if defined(HAVE_RPK) && !defined(NO_TLS) && !defined(NO_WOLFSSL_CLIENT)
char ctype[MAX_CLIENT_CERT_TYPE_CNT + 1]; /* prepare bigger buffer */
WOLFSSL_CTX* ctx = NULL;
@@ -30285,6 +30288,7 @@ static int test_dtls13_missing_finished_server(void)
}
#if !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER)
#ifdef HAVE_CERTIFICATE_STATUS_REQUEST
static int test_self_signed_stapling_client_v1_ctx_ready(WOLFSSL_CTX* ctx)
{
@@ -30325,12 +30329,14 @@ static int test_self_signed_stapling_server_ctx_ready(WOLFSSL_CTX* ctx)
return EXPECT_RESULT();
}
#endif
#endif
static int test_self_signed_stapling(void)
{
EXPECT_DECLS;
#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
|| defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
#if (defined(HAVE_CERTIFICATE_STATUS_REQUEST) || \
defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)) && \
!defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER)
test_ssl_cbf client_cbf;
test_ssl_cbf server_cbf;
size_t i;
@@ -32009,7 +32015,8 @@ TEST_CASE testCases[] = {
#if defined(WOLFSSL_TICKET_NONCE_MALLOC) && defined(HAVE_SESSION_TICKET) \
&& defined(WOLFSSL_TLS13) && \
(!defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3)))
(!defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3)))\
&& defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES)
TEST_DECL(test_ticket_nonce_malloc),
#endif
TEST_DECL(test_ticket_ret_create),
+30
View File
@@ -497,20 +497,29 @@ int test_wolfSSL_CertManagerLoadCABufferType(void)
(sword32)ca_cert_sz, CERT_FILETYPE, 0,
WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_USER_CA),
WOLFSSL_SUCCESS);
#if (!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)) || \
defined(OPENSSL_EXTRA)
ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int1_cert_buf,
int1_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
#endif
ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, int1_cert_buf,
(sword32)int1_cert_sz, CERT_FILETYPE, 0,
WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_USER_INTER),
WOLFSSL_SUCCESS);
#if (!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)) || \
defined(OPENSSL_EXTRA)
ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf,
int2_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
#endif
ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, int2_cert_buf,
(sword32)int2_cert_sz, CERT_FILETYPE, 0,
WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_USER_INTER),
WOLFSSL_SUCCESS);
#if (!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)) || \
defined(OPENSSL_EXTRA)
ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf,
client_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
#endif
ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, client_cert_buf,
(sword32)client_cert_sz, CERT_FILETYPE, 0,
WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_USER_INTER),
@@ -521,25 +530,34 @@ int test_wolfSSL_CertManagerLoadCABufferType(void)
/* Intermediate certs have been unloaded, but CA cert is still
loaded. Expect first level intermediate to verify, rest to fail. */
#if (!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)) || \
defined(OPENSSL_EXTRA)
ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int1_cert_buf,
int1_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf,
int2_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf,
client_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
#endif
ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, int1_cert_buf,
(sword32)int1_cert_sz, CERT_FILETYPE, 0,
WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_TEMP_CA),
WOLFSSL_SUCCESS);
#if (!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)) || \
defined(OPENSSL_EXTRA)
ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf,
int2_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
#endif
ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, int2_cert_buf,
(sword32)int2_cert_sz, CERT_FILETYPE, 0,
WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_CHAIN_CA),
WOLFSSL_SUCCESS);
#if (!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)) || \
defined(OPENSSL_EXTRA)
ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf,
client_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
#endif
ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, client_cert_buf,
(sword32)client_cert_sz, CERT_FILETYPE, 0,
WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_USER_INTER),
@@ -547,39 +565,51 @@ int test_wolfSSL_CertManagerLoadCABufferType(void)
ExpectIntEQ(wolfSSL_CertManagerUnloadTypeCerts(cm, WOLFSSL_USER_INTER),
WOLFSSL_SUCCESS);
#if (!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)) || \
defined(OPENSSL_EXTRA)
ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int1_cert_buf,
int1_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf,
int2_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf,
client_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
#endif
ExpectIntEQ(wolfSSL_CertManagerUnloadTypeCerts(cm, WOLFSSL_CHAIN_CA),
WOLFSSL_SUCCESS);
#if (!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)) || \
defined(OPENSSL_EXTRA)
ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int1_cert_buf,
int1_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf,
int2_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf,
client_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
#endif
ExpectIntEQ(wolfSSL_CertManagerUnloadTypeCerts(cm, WOLFSSL_TEMP_CA),
WOLFSSL_SUCCESS);
#if (!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)) || \
defined(OPENSSL_EXTRA)
ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int1_cert_buf,
int1_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf,
int2_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf,
client_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
#endif
ExpectIntEQ(wolfSSL_CertManagerUnloadTypeCerts(cm, WOLFSSL_USER_CA),
WOLFSSL_SUCCESS);
#if (!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)) || \
defined(OPENSSL_EXTRA)
ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, int1_cert_buf,
int1_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf,
int2_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf,
client_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
#endif
if (cm)
wolfSSL_CertManagerFree(cm);
+2 -2
View File
@@ -346,7 +346,7 @@ int test_tls_certreq_order(void)
}
#if !defined(WOLFSSL_NO_TLS12) && !defined(NO_RSA) && defined(HAVE_ECC) && \
!defined(NO_WOLFSSL_SERVER)
!defined(NO_WOLFSSL_SERVER) && !defined(WOLFSSL_NO_CLIENT_AUTH)
/* Called when writing. */
static int CsSend(WOLFSSL* ssl, char* buf, int sz, void* ctx)
{
@@ -382,7 +382,7 @@ int test_tls12_bad_cv_sig_alg(void)
{
EXPECT_DECLS;
#if !defined(WOLFSSL_NO_TLS12) && !defined(NO_RSA) && defined(HAVE_ECC) && \
!defined(NO_WOLFSSL_SERVER)
!defined(NO_WOLFSSL_SERVER) && !defined(WOLFSSL_NO_CLIENT_AUTH)
byte clientMsgs[] = {
/* Client Hello */
0x16, 0x03, 0x03, 0x00, 0xe7,
+15 -6
View File
@@ -1118,7 +1118,8 @@ int test_tls13_bad_psk_binder(void)
}
#if defined(HAVE_RPK) && !defined(NO_TLS)
#if defined(HAVE_RPK) && !defined(NO_TLS) && !defined(NO_WOLFSSL_CLIENT) && \
!defined(NO_WOLFSSL_SERVER)
#define svrRpkCertFile "./certs/rpk/server-cert-rpk.der"
#define clntRpkCertFile "./certs/rpk/client-cert-rpk.der"
@@ -1225,13 +1226,15 @@ static WC_INLINE int test_rpk_memio_setup(
return 0;
}
#endif /* HAVE_RPK && !NO_TLS */
#endif /* HAVE_RPK && !NO_TLS && !NO_WOLFSSL_CLIENT && !NO_WOLFSSL_SERVER */
int test_tls13_rpk_handshake(void)
{
EXPECT_DECLS;
#if defined(HAVE_RPK) && (!defined(WOLFSSL_NO_TLS12) || defined(WOLFSSL_TLS13))
#if defined(HAVE_RPK) && \
(!defined(WOLFSSL_NO_TLS12) || defined(WOLFSSL_TLS13)) && \
!defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER)
#ifdef WOLFSSL_TLS13
int ret = 0;
#endif
@@ -2081,9 +2084,15 @@ static int test_tls13_mock_wantwrite_cb(WOLFSSL* ssl, char* data, int sz,
void* ctx)
{
struct test_tls13_wwrite_ctx *wwctx = (struct test_tls13_wwrite_ctx *)ctx;
wwctx->want_write = !wwctx->want_write;
if (wwctx->want_write) {
return WOLFSSL_CBIO_ERR_WANT_WRITE;
#ifdef WOLFSSL_TLS13_MIDDLEBOX_COMPAT
/* Write ChangeCipherSpec message. */
if (data[0] != 0x14)
#endif
{
wwctx->want_write = !wwctx->want_write;
if (wwctx->want_write) {
return WOLFSSL_CBIO_ERR_WANT_WRITE;
}
}
return test_memio_write_cb(ssl, data, sz, wwctx->test_ctx);
}
+50 -14
View File
@@ -64,6 +64,7 @@ static int dummy_set_encryption_secrets(WOLFSSL *ssl,
return 1;
}
#if !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER)
static int dummy_set_encryption_secrets_fail(WOLFSSL *ssl,
WOLFSSL_ENCRYPTION_LEVEL level,
const uint8_t *read_secret,
@@ -76,6 +77,7 @@ static int dummy_set_encryption_secrets_fail(WOLFSSL *ssl,
write_secret? "yes" : "no");
return 0;
}
#endif
static int dummy_add_handshake_data(WOLFSSL *ssl,
WOLFSSL_ENCRYPTION_LEVEL level,
@@ -115,20 +117,32 @@ static WOLFSSL_QUIC_METHOD null_method = {
static ctx_setups valids[] = {
#ifdef WOLFSSL_TLS13
#ifndef NO_WOLFSSL_SERVER
{ "TLSv1.3 server", wolfTLSv1_3_server_method, 1},
#endif
#ifndef NO_WOLFSSL_CLIENT
{ "TLSv1.3 client", wolfTLSv1_3_client_method, 0},
#endif
#endif
{ NULL, NULL, 0}
};
static ctx_setups invalids[] = {
#ifndef WOLFSSL_NO_TLS12
#ifndef NO_WOLFSSL_SERVER
{ "TLSv1.2 server", wolfTLSv1_2_server_method, 1},
#endif
#ifndef NO_WOLFSSL_CLIENT
{ "TLSv1.2 client", wolfTLSv1_2_client_method, 0},
#endif
#endif
#ifndef NO_OLD_TLS
#ifndef NO_WOLFSSL_SERVER
{ "TLSv1.1 server", wolfTLSv1_1_server_method, 1},
#endif
#ifndef NO_WOLFSSL_CLIENT
{ "TLSv1.1 client", wolfTLSv1_1_client_method, 0},
#endif
#endif
{ NULL, NULL, 0}
};
@@ -244,20 +258,7 @@ static int test_set_quic_method(void) {
return EXPECT_RESULT();
}
static size_t fake_record(byte rtype, word32 rlen, uint8_t *rec)
{
rec[0] = (uint8_t)rtype;
c32to24(rlen, rec+1);
return rlen + 4;
}
static size_t shift_record(uint8_t *rec, size_t len, size_t written)
{
len -= written;
XMEMMOVE(rec, rec+written, len);
return len;
}
#if !defined(NO_WOLFSSL_CLIENT)
static void dump_buffer(const char *name, const byte *p, size_t len, int indent)
{
size_t i = 0;
@@ -276,6 +277,22 @@ static void dump_buffer(const char *name, const byte *p, size_t len, int indent)
}
printf("\n%*s};\n", indent, " ");
}
#endif
#ifndef NO_WOLFSSL_CLIENT
static size_t fake_record(byte rtype, word32 rlen, uint8_t *rec)
{
rec[0] = (uint8_t)rtype;
c32to24(rlen, rec+1);
return rlen + 4;
}
static size_t shift_record(uint8_t *rec, size_t len, size_t written)
{
len -= written;
XMEMMOVE(rec, rec+written, len);
return len;
}
static void dump_ssl_buffers(WOLFSSL *ssl, FILE *fp)
{
@@ -505,12 +522,14 @@ static WOLFSSL_QUIC_METHOD ctx_method = {
ctx_send_alert,
};
#if !defined(NO_WOLFSSL_SERVER)
static WOLFSSL_QUIC_METHOD ctx_method_fail = {
dummy_set_encryption_secrets_fail,
ctx_add_handshake_data,
ctx_flush_flight,
ctx_send_alert,
};
#endif
static void QuicTestContext_init(QuicTestContext *tctx, WOLFSSL_CTX *ctx,
const char *name, int verbose)
@@ -542,6 +561,7 @@ static void QuicTestContext_init(QuicTestContext *tctx, WOLFSSL_CTX *ctx,
(void)ctx_method;
}
#if !defined(NO_WOLFSSL_SERVER)
static void QuicTestContext_init_fail_cb(QuicTestContext *tctx, WOLFSSL_CTX *ctx,
const char *name, int verbose)
{
@@ -571,6 +591,7 @@ static void QuicTestContext_init_fail_cb(QuicTestContext *tctx, WOLFSSL_CTX *ctx
}
(void)ctx_method;
}
#endif
static void QuicTestContext_free(QuicTestContext *tctx)
{
@@ -703,6 +724,7 @@ static void check_handshake_record(const byte *data, size_t data_len,
*prlen = rlen + HANDSHAKE_HEADER_SZ;
}
#if !defined(NO_WOLFSSL_SERVER)
static void ext_dump(const byte *data, size_t data_len, int indent)
{
size_t idx = 0;
@@ -720,6 +742,7 @@ static void ext_dump(const byte *data, size_t data_len, int indent)
idx += 2 + 2 + len16;
}
}
#endif
static const byte *ext_find(const byte *data, size_t data_len, int ext_type)
{
@@ -742,6 +765,7 @@ static int ext_has(const byte *data, size_t data_len, int ext_type)
return ext_find(data, data_len,ext_type) != NULL;
}
#if !defined(NO_WOLFSSL_SERVER)
static void ext_equals(const byte *data, size_t data_len, int ext_type,
const byte *exp_data, size_t exp_len)
{
@@ -800,6 +824,7 @@ static void check_quic_client_hello(const byte *data, size_t data_len,
dump_buffer("", data, data_len, indent);
}
}
#endif
static void check_quic_client_hello_tp(OutputBuffer *out, int tp_v1,
int tp_draft)
@@ -829,6 +854,7 @@ static void check_quic_client_hello_tp(OutputBuffer *out, int tp_v1,
AssertTrue(!ext_has(exts, exts_len, TLSX_KEY_QUIC_TP_PARAMS_DRAFT) == !tp_draft);
}
#if !defined(NO_WOLFSSL_SERVER)
static void check_secrets(QuicTestContext *ctx, WOLFSSL_ENCRYPTION_LEVEL level,
size_t rx_len, size_t tx_len)
{
@@ -1195,6 +1221,7 @@ static void QuicConversation_fail(QuicConversation *conv)
}
#endif /* HAVE_SESSION_TICKET */
#endif
static int test_quic_client_hello(int verbose) {
EXPECT_DECLS;
@@ -1252,7 +1279,9 @@ static int test_quic_client_hello(int verbose) {
return EXPECT_RESULT();
}
#endif /* !NO_WOLFSSL_CLIENT */
#if !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER)
static int test_quic_server_hello(int verbose) {
EXPECT_DECLS;
WOLFSSL_CTX * ctx_c = NULL;
@@ -1883,6 +1912,7 @@ static int test_quic_session_export(int verbose)
return EXPECT_RESULT();
}
#endif /* WOLFSSL_SESSION_EXPORT */
#endif /* !NO_WOLFSSL_CLIENT && !NO_WOLFSSL_SERVER */
#endif /* WOLFSSL_QUIC */
@@ -1891,7 +1921,9 @@ int QuicTest(void)
{
int ret = 0;
#ifdef WOLFSSL_QUIC
#ifndef NO_WOLFSSL_CLIENT
int verbose = 0;
#endif
if (wolfSSL_Init() != WOLFSSL_SUCCESS) {
printf("wolfSSL_Init() failed in QuicTest().");
@@ -1901,9 +1933,12 @@ int QuicTest(void)
printf(" Begin QUIC Tests\n");
if ((ret = test_set_quic_method()) != TEST_SUCCESS) goto leave;
#ifndef NO_WOLFSSL_CLIENT
if ((ret = test_provide_quic_data()) != TEST_SUCCESS) goto leave;
if ((ret = test_quic_crypt()) != TEST_SUCCESS) goto leave;
if ((ret = test_quic_client_hello(verbose)) != TEST_SUCCESS) goto leave;
#endif
#if !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER)
if ((ret = test_quic_server_hello(verbose)) != TEST_SUCCESS) goto leave;
if ((ret = test_quic_server_hello_fail(verbose)) != TEST_SUCCESS) goto leave;
#ifdef REALLY_HAVE_ALPN_AND_SNI
@@ -1917,6 +1952,7 @@ int QuicTest(void)
#endif /* WOLFSSL_EARLY_DATA */
if ((ret = test_quic_session_export(verbose)) != TEST_SUCCESS) goto leave;
#endif /* HAVE_SESSION_TICKET */
#endif
leave:
if (ret != TEST_SUCCESS) {
+1
View File
@@ -183,6 +183,7 @@
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
-A ./certs/client-cert.pem
-H verifyFail
-H exitWithRet
# client
+4 -1
View File
@@ -341,7 +341,6 @@ static int test_crl_monitor(void)
for (i = 0; i < CRL_MONITOR_TEST_ROUNDS; i++) {
int expectFail;
if (i % 2 == 0) {
/* succeed on even rounds */
(void)XSNPRINTF(buf, sizeof(buf), "%s/%s", tmpDir, "crl.pem");
if (STAGE_FILE("certs/crl/crl.pem", buf) != 0) {
@@ -384,7 +383,11 @@ static int test_crl_monitor(void)
fprintf(stderr, "[%d] Failed to remove file %s\n", i, buf);
goto cleanup;
}
#ifndef WOLFSSL_NO_CLIENT_AUTH
expectFail = 1;
#else
expectFail = 0;
#endif
}
/* Give server a moment to register the file change */
XSLEEP_MS(100);
+1 -1
View File
@@ -12347,7 +12347,7 @@ int wc_AesGcmDecryptFinal(Aes* aes, const byte* authTag, word32 authTagSz)
{
ALIGN32 byte calcTag[WC_AES_BLOCK_SIZE];
/* Calculate authentication tag. */
ret = AesGcmFinal_C(aes, calcTag, authTagSz);
ret = AesGcmFinal_C(aes, calcTag, WC_AES_BLOCK_SIZE);
if (ret == 0) {
/* Check calculated tag matches the one passed in. */
if (ConstantCompare(authTag, calcTag, (int)authTagSz) != 0) {
+1 -1
View File
@@ -3403,8 +3403,8 @@ WOLFSSL_LOCAL int TLSX_ValidateSupportedCurves(const WOLFSSL* ssl, byte first,
byte second, word32* ecdhCurveOID);
WOLFSSL_LOCAL int TLSX_SupportedCurve_CheckPriority(WOLFSSL* ssl);
WOLFSSL_LOCAL int TLSX_SupportedFFDHE_Set(WOLFSSL* ssl);
WOLFSSL_LOCAL int TLSX_SupportedCurve_IsSupported(WOLFSSL* ssl, word16 name);
#endif
WOLFSSL_LOCAL int TLSX_SupportedCurve_IsSupported(WOLFSSL* ssl, word16 name);
WOLFSSL_LOCAL int TLSX_SupportedCurve_Preferred(WOLFSSL* ssl,
int checkSupported);
WOLFSSL_LOCAL int TLSX_SupportedCurve_Parse(const WOLFSSL* ssl,