mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-06 14:20:49 +02:00
Add test cases for max chain depth fixes
This commit is contained in:
+85
@@ -3828,6 +3828,89 @@ static int test_wolfSSL_CTX_use_certificate_chain_buffer_format(void)
|
||||
return EXPECT_RESULT();
|
||||
}
|
||||
|
||||
/* wolfSSL_get_chain_{length,cert,X509} must reject out-of-range idx. */
|
||||
static int test_wolfSSL_get_chain_idx_bounds(void)
|
||||
{
|
||||
EXPECT_DECLS;
|
||||
#if defined(SESSION_CERTS) && \
|
||||
defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES)
|
||||
struct test_memio_ctx test_ctx;
|
||||
WOLFSSL_CTX* ctx_c = NULL;
|
||||
WOLFSSL_CTX* ctx_s = NULL;
|
||||
WOLFSSL* ssl_c = NULL;
|
||||
WOLFSSL* ssl_s = NULL;
|
||||
WOLFSSL_X509_CHAIN* chain = NULL;
|
||||
int count;
|
||||
|
||||
XMEMSET(&test_ctx, 0, sizeof(test_ctx));
|
||||
ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
|
||||
wolfTLS_client_method, wolfTLS_server_method), 0);
|
||||
ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
|
||||
|
||||
ExpectNotNull(chain = wolfSSL_get_peer_chain(ssl_c));
|
||||
ExpectIntGT(count = wolfSSL_get_chain_count(chain), 0);
|
||||
|
||||
ExpectIntEQ(wolfSSL_get_chain_length(chain, -1), 0);
|
||||
ExpectIntEQ(wolfSSL_get_chain_length(chain, count), 0);
|
||||
ExpectIntEQ(wolfSSL_get_chain_length(chain, MAX_CHAIN_DEPTH), 0);
|
||||
ExpectNull(wolfSSL_get_chain_cert(chain, -1));
|
||||
ExpectNull(wolfSSL_get_chain_cert(chain, count));
|
||||
ExpectNull(wolfSSL_get_chain_cert(chain, MAX_CHAIN_DEPTH));
|
||||
#ifdef OPENSSL_EXTRA
|
||||
{
|
||||
WOLFSSL_X509* x = NULL;
|
||||
ExpectNull(x = wolfSSL_get_chain_X509(chain, -1));
|
||||
if (x != NULL) { wolfSSL_X509_free(x); x = NULL; }
|
||||
ExpectNull(x = wolfSSL_get_chain_X509(chain, count));
|
||||
if (x != NULL) { wolfSSL_X509_free(x); x = NULL; }
|
||||
ExpectNull(x = wolfSSL_get_chain_X509(chain, MAX_CHAIN_DEPTH));
|
||||
if (x != NULL) { wolfSSL_X509_free(x); x = NULL; }
|
||||
}
|
||||
#endif
|
||||
|
||||
wolfSSL_free(ssl_c);
|
||||
wolfSSL_free(ssl_s);
|
||||
wolfSSL_CTX_free(ctx_c);
|
||||
wolfSSL_CTX_free(ctx_s);
|
||||
#endif
|
||||
return EXPECT_RESULT();
|
||||
}
|
||||
|
||||
/* Reject chain buffers containing more than MAX_CHAIN_DEPTH certificates. */
|
||||
static int test_wolfSSL_CTX_use_certificate_chain_buffer_max_depth(void)
|
||||
{
|
||||
EXPECT_DECLS;
|
||||
#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_TLS) && \
|
||||
!defined(NO_WOLFSSL_CLIENT) && !defined(NO_RSA) && \
|
||||
defined(WOLFSSL_PEM_TO_DER)
|
||||
WOLFSSL_CTX* ctx = NULL;
|
||||
unsigned char* one = NULL;
|
||||
unsigned char* big = NULL;
|
||||
size_t oneLen = 0;
|
||||
size_t bigLen;
|
||||
int i;
|
||||
const int nCerts = MAX_CHAIN_DEPTH + 1;
|
||||
|
||||
ExpectIntEQ(load_file(svrCertFile, &one, &oneLen), 0);
|
||||
bigLen = oneLen * (size_t)nCerts;
|
||||
ExpectNotNull(big = (unsigned char*)XMALLOC(bigLen, NULL,
|
||||
DYNAMIC_TYPE_TMP_BUFFER));
|
||||
for (i = 0; EXPECT_SUCCESS() && i < nCerts; i++)
|
||||
XMEMCPY(big + (size_t)i * oneLen, one, oneLen);
|
||||
|
||||
ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
|
||||
ExpectIntEQ(wolfSSL_CTX_use_certificate_chain_buffer(ctx, big,
|
||||
(long)bigLen), WC_NO_ERR_TRACE(MAX_CHAIN_ERROR));
|
||||
|
||||
wolfSSL_CTX_free(ctx);
|
||||
if (big != NULL)
|
||||
XFREE(big, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
||||
if (one != NULL)
|
||||
XFREE(one, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
||||
#endif
|
||||
return EXPECT_RESULT();
|
||||
}
|
||||
|
||||
static int test_wolfSSL_CTX_use_certificate_chain_file_format(void)
|
||||
{
|
||||
EXPECT_DECLS;
|
||||
@@ -40648,6 +40731,8 @@ TEST_CASE testCases[] = {
|
||||
TEST_DECL(test_wolfSSL_CTX_add1_chain_cert),
|
||||
TEST_DECL(test_wolfSSL_add_to_chain_overflow),
|
||||
TEST_DECL(test_wolfSSL_CTX_use_certificate_chain_buffer_format),
|
||||
TEST_DECL(test_wolfSSL_CTX_use_certificate_chain_buffer_max_depth),
|
||||
TEST_DECL(test_wolfSSL_get_chain_idx_bounds),
|
||||
TEST_DECL(test_wolfSSL_CTX_use_certificate_chain_file_format),
|
||||
TEST_DECL(test_wolfSSL_use_certificate_chain_file),
|
||||
TEST_DECL(test_wolfSSL_CTX_trust_peer_cert),
|
||||
|
||||
@@ -2873,6 +2873,65 @@ int test_wc_PKCS7_DecodeEnvelopedData_forgedRecipientSetLen(void)
|
||||
} /* END test_wc_PKCS7_DecodeEnvelopedData_forgedRecipientSetLen() */
|
||||
|
||||
|
||||
/* Decoding an AuthEnvelopedData blob whose encryptedContent or authTag
|
||||
* is truncated must return BUFFER_E rather than reading past pkiMsg. */
|
||||
int test_wc_PKCS7_DecodeAuthEnvelopedData_truncated(void)
|
||||
{
|
||||
EXPECT_DECLS;
|
||||
#if defined(HAVE_PKCS7) && defined(HAVE_AESGCM) && !defined(NO_RSA) && \
|
||||
!defined(NO_AES) && defined(WOLFSSL_AES_128) && defined(NO_PKCS7_STREAM)
|
||||
PKCS7* pkcs7 = NULL;
|
||||
byte enveloped[2048];
|
||||
byte decoded[256];
|
||||
byte data[] = "truncated authEnvelopedData test";
|
||||
int encSz = 0;
|
||||
|
||||
ExpectNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, testDevId));
|
||||
ExpectIntEQ(wc_PKCS7_InitWithCert(pkcs7, (byte*)client_cert_der_2048,
|
||||
sizeof_client_cert_der_2048), 0);
|
||||
if (pkcs7 != NULL) {
|
||||
pkcs7->content = data;
|
||||
pkcs7->contentSz = (word32)sizeof(data);
|
||||
pkcs7->contentOID = DATA;
|
||||
pkcs7->encryptOID = AES128GCMb;
|
||||
}
|
||||
ExpectIntGT(encSz = wc_PKCS7_EncodeAuthEnvelopedData(pkcs7, enveloped,
|
||||
sizeof(enveloped)), 0);
|
||||
wc_PKCS7_Free(pkcs7);
|
||||
pkcs7 = NULL;
|
||||
|
||||
/* Truncate inside encryptedContent (encryptedContentSz check). */
|
||||
ExpectNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, testDevId));
|
||||
ExpectIntEQ(wc_PKCS7_InitWithCert(pkcs7, (byte*)client_cert_der_2048,
|
||||
sizeof_client_cert_der_2048), 0);
|
||||
if (pkcs7 != NULL) {
|
||||
pkcs7->privateKey = (byte*)client_key_der_2048;
|
||||
pkcs7->privateKeySz = sizeof_client_key_der_2048;
|
||||
}
|
||||
ExpectIntEQ(wc_PKCS7_DecodeAuthEnvelopedData(pkcs7, enveloped,
|
||||
(word32)encSz - 32, decoded, sizeof(decoded)),
|
||||
WC_NO_ERR_TRACE(BUFFER_E));
|
||||
wc_PKCS7_Free(pkcs7);
|
||||
pkcs7 = NULL;
|
||||
|
||||
/* Truncate one byte off the auth tag (authTagSz check). */
|
||||
ExpectNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, testDevId));
|
||||
ExpectIntEQ(wc_PKCS7_InitWithCert(pkcs7, (byte*)client_cert_der_2048,
|
||||
sizeof_client_cert_der_2048), 0);
|
||||
if (pkcs7 != NULL) {
|
||||
pkcs7->privateKey = (byte*)client_key_der_2048;
|
||||
pkcs7->privateKeySz = sizeof_client_key_der_2048;
|
||||
}
|
||||
ExpectIntEQ(wc_PKCS7_DecodeAuthEnvelopedData(pkcs7, enveloped,
|
||||
(word32)encSz - 1, decoded, sizeof(decoded)),
|
||||
WC_NO_ERR_TRACE(BUFFER_E));
|
||||
|
||||
wc_PKCS7_Free(pkcs7);
|
||||
#endif
|
||||
return EXPECT_RESULT();
|
||||
} /* END test_wc_PKCS7_DecodeAuthEnvelopedData_truncated() */
|
||||
|
||||
|
||||
/*
|
||||
* Testing wc_PKCS7_DecodeEnvelopedData with streaming
|
||||
*/
|
||||
|
||||
@@ -68,6 +68,7 @@ int test_wc_PKCS7_SetOriDecryptCtx(void);
|
||||
int test_wc_PKCS7_DecodeCompressedData(void);
|
||||
int test_wc_PKCS7_DecodeEnvelopedData_multiple_recipients(void);
|
||||
int test_wc_PKCS7_DecodeEnvelopedData_forgedRecipientSetLen(void);
|
||||
int test_wc_PKCS7_DecodeAuthEnvelopedData_truncated(void);
|
||||
int test_wc_PKCS7_VerifySignedData_PKCS7ContentSeq(void);
|
||||
int test_wc_PKCS7_VerifySignedData_IndefLenOOB(void);
|
||||
int test_wc_PKCS7_VerifySignedData_TruncEContentTag(void);
|
||||
@@ -139,7 +140,8 @@ int test_wc_PKCS7_VerifySignedData_TruncCertSetTag(void);
|
||||
TEST_DECL_GROUP("pkcs7_ed", test_wc_PKCS7_SetOriEncryptCtx), \
|
||||
TEST_DECL_GROUP("pkcs7_ed", test_wc_PKCS7_SetOriDecryptCtx), \
|
||||
TEST_DECL_GROUP("pkcs7_ed", test_wc_PKCS7_DecodeEnvelopedData_multiple_recipients), \
|
||||
TEST_DECL_GROUP("pkcs7_ed", test_wc_PKCS7_DecodeEnvelopedData_forgedRecipientSetLen)
|
||||
TEST_DECL_GROUP("pkcs7_ed", test_wc_PKCS7_DecodeEnvelopedData_forgedRecipientSetLen), \
|
||||
TEST_DECL_GROUP("pkcs7_ed", test_wc_PKCS7_DecodeAuthEnvelopedData_truncated)
|
||||
|
||||
#define TEST_PKCS7_SIGNED_ENCRYPTED_DATA_DECLS \
|
||||
TEST_DECL_GROUP("pkcs7_sed", test_wc_PKCS7_signed_enveloped)
|
||||
|
||||
Reference in New Issue
Block a user