Add test cases for max chain depth fixes

This commit is contained in:
Colton Willey
2026-05-12 11:43:12 -07:00
parent 94b36c9092
commit eb180dbee2
3 changed files with 147 additions and 1 deletions
+85
View File
@@ -3828,6 +3828,89 @@ static int test_wolfSSL_CTX_use_certificate_chain_buffer_format(void)
return EXPECT_RESULT();
}
/* wolfSSL_get_chain_{length,cert,X509} must reject out-of-range idx. */
static int test_wolfSSL_get_chain_idx_bounds(void)
{
EXPECT_DECLS;
#if defined(SESSION_CERTS) && \
defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES)
struct test_memio_ctx test_ctx;
WOLFSSL_CTX* ctx_c = NULL;
WOLFSSL_CTX* ctx_s = NULL;
WOLFSSL* ssl_c = NULL;
WOLFSSL* ssl_s = NULL;
WOLFSSL_X509_CHAIN* chain = NULL;
int count;
XMEMSET(&test_ctx, 0, sizeof(test_ctx));
ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
wolfTLS_client_method, wolfTLS_server_method), 0);
ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
ExpectNotNull(chain = wolfSSL_get_peer_chain(ssl_c));
ExpectIntGT(count = wolfSSL_get_chain_count(chain), 0);
ExpectIntEQ(wolfSSL_get_chain_length(chain, -1), 0);
ExpectIntEQ(wolfSSL_get_chain_length(chain, count), 0);
ExpectIntEQ(wolfSSL_get_chain_length(chain, MAX_CHAIN_DEPTH), 0);
ExpectNull(wolfSSL_get_chain_cert(chain, -1));
ExpectNull(wolfSSL_get_chain_cert(chain, count));
ExpectNull(wolfSSL_get_chain_cert(chain, MAX_CHAIN_DEPTH));
#ifdef OPENSSL_EXTRA
{
WOLFSSL_X509* x = NULL;
ExpectNull(x = wolfSSL_get_chain_X509(chain, -1));
if (x != NULL) { wolfSSL_X509_free(x); x = NULL; }
ExpectNull(x = wolfSSL_get_chain_X509(chain, count));
if (x != NULL) { wolfSSL_X509_free(x); x = NULL; }
ExpectNull(x = wolfSSL_get_chain_X509(chain, MAX_CHAIN_DEPTH));
if (x != NULL) { wolfSSL_X509_free(x); x = NULL; }
}
#endif
wolfSSL_free(ssl_c);
wolfSSL_free(ssl_s);
wolfSSL_CTX_free(ctx_c);
wolfSSL_CTX_free(ctx_s);
#endif
return EXPECT_RESULT();
}
/* Reject chain buffers containing more than MAX_CHAIN_DEPTH certificates. */
static int test_wolfSSL_CTX_use_certificate_chain_buffer_max_depth(void)
{
EXPECT_DECLS;
#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_TLS) && \
!defined(NO_WOLFSSL_CLIENT) && !defined(NO_RSA) && \
defined(WOLFSSL_PEM_TO_DER)
WOLFSSL_CTX* ctx = NULL;
unsigned char* one = NULL;
unsigned char* big = NULL;
size_t oneLen = 0;
size_t bigLen;
int i;
const int nCerts = MAX_CHAIN_DEPTH + 1;
ExpectIntEQ(load_file(svrCertFile, &one, &oneLen), 0);
bigLen = oneLen * (size_t)nCerts;
ExpectNotNull(big = (unsigned char*)XMALLOC(bigLen, NULL,
DYNAMIC_TYPE_TMP_BUFFER));
for (i = 0; EXPECT_SUCCESS() && i < nCerts; i++)
XMEMCPY(big + (size_t)i * oneLen, one, oneLen);
ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
ExpectIntEQ(wolfSSL_CTX_use_certificate_chain_buffer(ctx, big,
(long)bigLen), WC_NO_ERR_TRACE(MAX_CHAIN_ERROR));
wolfSSL_CTX_free(ctx);
if (big != NULL)
XFREE(big, NULL, DYNAMIC_TYPE_TMP_BUFFER);
if (one != NULL)
XFREE(one, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif
return EXPECT_RESULT();
}
static int test_wolfSSL_CTX_use_certificate_chain_file_format(void)
{
EXPECT_DECLS;
@@ -40648,6 +40731,8 @@ TEST_CASE testCases[] = {
TEST_DECL(test_wolfSSL_CTX_add1_chain_cert),
TEST_DECL(test_wolfSSL_add_to_chain_overflow),
TEST_DECL(test_wolfSSL_CTX_use_certificate_chain_buffer_format),
TEST_DECL(test_wolfSSL_CTX_use_certificate_chain_buffer_max_depth),
TEST_DECL(test_wolfSSL_get_chain_idx_bounds),
TEST_DECL(test_wolfSSL_CTX_use_certificate_chain_file_format),
TEST_DECL(test_wolfSSL_use_certificate_chain_file),
TEST_DECL(test_wolfSSL_CTX_trust_peer_cert),
+59
View File
@@ -2873,6 +2873,65 @@ int test_wc_PKCS7_DecodeEnvelopedData_forgedRecipientSetLen(void)
} /* END test_wc_PKCS7_DecodeEnvelopedData_forgedRecipientSetLen() */
/* Decoding an AuthEnvelopedData blob whose encryptedContent or authTag
* is truncated must return BUFFER_E rather than reading past pkiMsg. */
int test_wc_PKCS7_DecodeAuthEnvelopedData_truncated(void)
{
EXPECT_DECLS;
#if defined(HAVE_PKCS7) && defined(HAVE_AESGCM) && !defined(NO_RSA) && \
!defined(NO_AES) && defined(WOLFSSL_AES_128) && defined(NO_PKCS7_STREAM)
PKCS7* pkcs7 = NULL;
byte enveloped[2048];
byte decoded[256];
byte data[] = "truncated authEnvelopedData test";
int encSz = 0;
ExpectNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, testDevId));
ExpectIntEQ(wc_PKCS7_InitWithCert(pkcs7, (byte*)client_cert_der_2048,
sizeof_client_cert_der_2048), 0);
if (pkcs7 != NULL) {
pkcs7->content = data;
pkcs7->contentSz = (word32)sizeof(data);
pkcs7->contentOID = DATA;
pkcs7->encryptOID = AES128GCMb;
}
ExpectIntGT(encSz = wc_PKCS7_EncodeAuthEnvelopedData(pkcs7, enveloped,
sizeof(enveloped)), 0);
wc_PKCS7_Free(pkcs7);
pkcs7 = NULL;
/* Truncate inside encryptedContent (encryptedContentSz check). */
ExpectNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, testDevId));
ExpectIntEQ(wc_PKCS7_InitWithCert(pkcs7, (byte*)client_cert_der_2048,
sizeof_client_cert_der_2048), 0);
if (pkcs7 != NULL) {
pkcs7->privateKey = (byte*)client_key_der_2048;
pkcs7->privateKeySz = sizeof_client_key_der_2048;
}
ExpectIntEQ(wc_PKCS7_DecodeAuthEnvelopedData(pkcs7, enveloped,
(word32)encSz - 32, decoded, sizeof(decoded)),
WC_NO_ERR_TRACE(BUFFER_E));
wc_PKCS7_Free(pkcs7);
pkcs7 = NULL;
/* Truncate one byte off the auth tag (authTagSz check). */
ExpectNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, testDevId));
ExpectIntEQ(wc_PKCS7_InitWithCert(pkcs7, (byte*)client_cert_der_2048,
sizeof_client_cert_der_2048), 0);
if (pkcs7 != NULL) {
pkcs7->privateKey = (byte*)client_key_der_2048;
pkcs7->privateKeySz = sizeof_client_key_der_2048;
}
ExpectIntEQ(wc_PKCS7_DecodeAuthEnvelopedData(pkcs7, enveloped,
(word32)encSz - 1, decoded, sizeof(decoded)),
WC_NO_ERR_TRACE(BUFFER_E));
wc_PKCS7_Free(pkcs7);
#endif
return EXPECT_RESULT();
} /* END test_wc_PKCS7_DecodeAuthEnvelopedData_truncated() */
/*
* Testing wc_PKCS7_DecodeEnvelopedData with streaming
*/
+3 -1
View File
@@ -68,6 +68,7 @@ int test_wc_PKCS7_SetOriDecryptCtx(void);
int test_wc_PKCS7_DecodeCompressedData(void);
int test_wc_PKCS7_DecodeEnvelopedData_multiple_recipients(void);
int test_wc_PKCS7_DecodeEnvelopedData_forgedRecipientSetLen(void);
int test_wc_PKCS7_DecodeAuthEnvelopedData_truncated(void);
int test_wc_PKCS7_VerifySignedData_PKCS7ContentSeq(void);
int test_wc_PKCS7_VerifySignedData_IndefLenOOB(void);
int test_wc_PKCS7_VerifySignedData_TruncEContentTag(void);
@@ -139,7 +140,8 @@ int test_wc_PKCS7_VerifySignedData_TruncCertSetTag(void);
TEST_DECL_GROUP("pkcs7_ed", test_wc_PKCS7_SetOriEncryptCtx), \
TEST_DECL_GROUP("pkcs7_ed", test_wc_PKCS7_SetOriDecryptCtx), \
TEST_DECL_GROUP("pkcs7_ed", test_wc_PKCS7_DecodeEnvelopedData_multiple_recipients), \
TEST_DECL_GROUP("pkcs7_ed", test_wc_PKCS7_DecodeEnvelopedData_forgedRecipientSetLen)
TEST_DECL_GROUP("pkcs7_ed", test_wc_PKCS7_DecodeEnvelopedData_forgedRecipientSetLen), \
TEST_DECL_GROUP("pkcs7_ed", test_wc_PKCS7_DecodeAuthEnvelopedData_truncated)
#define TEST_PKCS7_SIGNED_ENCRYPTED_DATA_DECLS \
TEST_DECL_GROUP("pkcs7_sed", test_wc_PKCS7_signed_enveloped)