mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-08 23:20:47 +02:00
061311d6ca
- x509_str: require CA:TRUE unconditionally in wolfSSL_X509_verify_cert; verify leaf signature even when verify_cb overrides INVALID_CA - x509_str: align WOLFSSL_X509_V_ERR_INVALID_CA with OpenSSL value (79) so OPENSSL_COEXIST builds compile; bump WC_OSSL_V509_V_ERR_MAX to 80 and extend error_test() missing-value table for the new gaps - asn: reject embedded NUL in dNSName / rfc822Name / URI SAN entries - internal: re-verify restored ticket peer cert against trust store with CRL/OCSP checks; clear stale state from session cache on verification failure - ticket: bind SNI and ALPN into session ticket via compile-time selected hash (TICKET_BINDING_HASH_TYPE); reject resumption on mismatch in both TLS 1.3 and TLS 1.2 paths - ticket: defer SNI/ALPN binding check until after extensions are parsed by consolidating into VerifyTicketBinding(), called once after ALPN_Select in DoTls13ClientHello and DoClientHello; the early per-call sites ran before extensions were parsed and rejected valid resumptions in nginx, haproxy, grpc, and CPython integration tests - ssl_sess: free previous session in wolfSSL_d2i_SSL_SESSION before overwrite - examples/client: increase SESSION_TICKET_LEN fallback from 256 to 2048 to support larger tickets - tests: update SAN NUL fixtures and add parse-time rejection coverage; add test_tls13_ticket_peer_cert_reverify for CA-removal scenario; skip it under WOLFSSL_NO_DEF_TICKET_ENC_CB
117 lines
5.7 KiB
C
117 lines
5.7 KiB
C
/* test_tls13.h
|
|
*
|
|
* Copyright (C) 2006-2026 wolfSSL Inc.
|
|
*
|
|
* This file is part of wolfSSL.
|
|
*
|
|
* wolfSSL is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation; either version 3 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* wolfSSL is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program; if not, write to the Free Software
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
|
|
*/
|
|
|
|
#ifndef WOLFCRYPT_TEST_TLS13_H
|
|
#define WOLFCRYPT_TEST_TLS13_H
|
|
|
|
#include <tests/api/api_decl.h>
|
|
|
|
int test_tls13_apis(void);
|
|
int test_tls13_cipher_suites(void);
|
|
int test_tls13_bad_psk_binder(void);
|
|
int test_tls13_rpk_handshake(void);
|
|
int test_tls13_pq_groups(void);
|
|
int test_tls13_multi_pqc_key_share(void);
|
|
int test_tls13_early_data(void);
|
|
int test_tls13_same_ch(void);
|
|
int test_tls13_hrr_different_cs(void);
|
|
int test_tls13_ch2_different_cs(void);
|
|
int test_tls13_sg_missing(void);
|
|
int test_tls13_ks_missing(void);
|
|
int test_tls13_duplicate_extension(void);
|
|
int test_tls13_duplicate_ech_extension(void);
|
|
int test_key_share_mismatch(void);
|
|
int test_tls13_middlebox_compat_empty_session_id(void);
|
|
int test_tls13_plaintext_alert(void);
|
|
int test_tls13_warning_alert_is_fatal(void);
|
|
int test_tls13_unknown_ext_rejected(void);
|
|
int test_tls13_cert_req_sigalgs(void);
|
|
int test_tls13_derive_keys_no_key(void);
|
|
int test_tls13_pqc_hybrid_truncated_keyshare(void);
|
|
int test_tls13_pqc_hybrid_malformed_ecdh(void);
|
|
int test_tls13_empty_record_limit(void);
|
|
int test_tls13_short_session_ticket(void);
|
|
int test_tls13_early_data_0rtt_replay(void);
|
|
int test_tls13_0rtt_default_off(void);
|
|
int test_tls13_0rtt_stateless_replay(void);
|
|
int test_tls13_remove_session_return(void);
|
|
int test_tls13_0rtt_ext_cache_eviction(void);
|
|
int test_tls13_corrupted_finished(void);
|
|
int test_tls13_peerauth_failsafe(void);
|
|
int test_tls13_hrr_bad_cookie(void);
|
|
int test_tls13_zero_inner_content_type(void);
|
|
int test_tls13_downgrade_sentinel(void);
|
|
int test_tls13_serverhello_bad_cipher_suites(void);
|
|
int test_tls13_cert_with_extern_psk_apis(void);
|
|
int test_tls13_cert_with_extern_psk_handshake(void);
|
|
int test_tls13_cert_with_extern_psk_requires_key_share(void);
|
|
int test_tls13_cert_with_extern_psk_rejects_resumption(void);
|
|
int test_tls13_cert_with_extern_psk_sh_missing_key_share(void);
|
|
int test_tls13_cert_with_extern_psk_sh_confirms_resumption(void);
|
|
int test_tls13_ticket_peer_cert_reverify(void);
|
|
|
|
#define TEST_TLS13_DECLS \
|
|
TEST_DECL_GROUP("tls13", test_tls13_apis), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_cipher_suites), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_bad_psk_binder), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_rpk_handshake), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_pq_groups), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_multi_pqc_key_share), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_early_data), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_same_ch), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_hrr_different_cs), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_ch2_different_cs), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_sg_missing), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_ks_missing), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_duplicate_extension), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_duplicate_ech_extension), \
|
|
TEST_DECL_GROUP("tls13", test_key_share_mismatch), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_middlebox_compat_empty_session_id), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_plaintext_alert), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_warning_alert_is_fatal), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_cert_req_sigalgs), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_derive_keys_no_key), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_pqc_hybrid_truncated_keyshare), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_pqc_hybrid_malformed_ecdh), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_empty_record_limit), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_short_session_ticket), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_early_data_0rtt_replay), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_0rtt_default_off), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_0rtt_stateless_replay), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_remove_session_return), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_0rtt_ext_cache_eviction), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_unknown_ext_rejected), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_corrupted_finished), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_peerauth_failsafe), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_hrr_bad_cookie), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_zero_inner_content_type), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_downgrade_sentinel), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_serverhello_bad_cipher_suites), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_cert_with_extern_psk_apis), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_cert_with_extern_psk_handshake), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_cert_with_extern_psk_requires_key_share), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_cert_with_extern_psk_rejects_resumption), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_cert_with_extern_psk_sh_missing_key_share), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_cert_with_extern_psk_sh_confirms_resumption), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_ticket_peer_cert_reverify)
|
|
|
|
#endif /* WOLFCRYPT_TEST_TLS13_H */
|