mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-05 13:40:49 +02:00
86ba8f7770
Regression testing fixes - memory allocation failure testing
1544 lines
58 KiB
C
1544 lines
58 KiB
C
/* test_tls_ext.c
|
|
*
|
|
* Copyright (C) 2006-2026 wolfSSL Inc.
|
|
*
|
|
* This file is part of wolfSSL.
|
|
*
|
|
* wolfSSL is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation; either version 3 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* wolfSSL is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program; if not, write to the Free Software
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
|
|
*/
|
|
|
|
#include <tests/unit.h>
|
|
|
|
#ifdef NO_INLINE
|
|
#include <wolfssl/wolfcrypt/misc.h>
|
|
#else
|
|
#define WOLFSSL_MISC_INCLUDED
|
|
#include <wolfcrypt/src/misc.c>
|
|
#endif
|
|
|
|
#include <wolfssl/internal.h>
|
|
#include <tests/utils.h>
|
|
#include <tests/api/test_tls_ext.h>
|
|
|
|
int test_tls_ems_downgrade(void)
|
|
{
|
|
EXPECT_DECLS;
|
|
#if defined(WOLFSSL_TLS13) && !defined(WOLFSSL_NO_TLS12) && \
|
|
defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \
|
|
defined(HAVE_SESSION_TICKET) && !defined(WOLFSSL_NO_DEF_TICKET_ENC_CB)
|
|
struct test_memio_ctx test_ctx;
|
|
WOLFSSL_CTX *ctx_c = NULL;
|
|
WOLFSSL_CTX *ctx_s = NULL;
|
|
WOLFSSL *ssl_c = NULL;
|
|
WOLFSSL *ssl_s = NULL;
|
|
WOLFSSL_SESSION* session = NULL;
|
|
/* TLS EMS extension in binary form */
|
|
const char ems_ext[] = { 0x00, 0x17, 0x00, 0x00 };
|
|
char data = 0;
|
|
|
|
XMEMSET(&test_ctx, 0, sizeof(test_ctx));
|
|
|
|
ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
|
|
wolfTLS_client_method, wolfTLS_server_method), 0);
|
|
|
|
ExpectIntEQ(wolfSSL_connect(ssl_c), -1);
|
|
ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_READ);
|
|
|
|
/* Verify that the EMS extension is present in Client's message */
|
|
ExpectNotNull(mymemmem(test_ctx.s_buff, test_ctx.s_len,
|
|
ems_ext, sizeof(ems_ext)));
|
|
|
|
ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
|
|
ExpectIntEQ(wolfSSL_version(ssl_c), TLS1_3_VERSION);
|
|
|
|
/* Do a round of reads to exchange the ticket message */
|
|
ExpectIntEQ(wolfSSL_read(ssl_s, &data, sizeof(data)), -1);
|
|
ExpectIntEQ(wolfSSL_get_error(ssl_s, -1), WOLFSSL_ERROR_WANT_READ);
|
|
ExpectIntEQ(wolfSSL_read(ssl_c, &data, sizeof(data)), -1);
|
|
ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_READ);
|
|
|
|
ExpectNotNull(session = wolfSSL_get1_session(ssl_c));
|
|
ExpectTrue(session->haveEMS);
|
|
|
|
wolfSSL_free(ssl_c);
|
|
ssl_c = NULL;
|
|
wolfSSL_free(ssl_s);
|
|
ssl_s = NULL;
|
|
|
|
ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
|
|
wolfTLS_client_method, wolfTLS_server_method), 0);
|
|
|
|
/* Resuming the connection */
|
|
ExpectIntEQ(wolfSSL_set_session(ssl_c, session), WOLFSSL_SUCCESS);
|
|
ExpectIntEQ(wolfSSL_connect(ssl_c), -1);
|
|
ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_READ);
|
|
|
|
/* Verify that the EMS extension is still present in the resumption CH
|
|
* even though we used TLS 1.3 */
|
|
ExpectNotNull(mymemmem(test_ctx.s_buff, test_ctx.s_len,
|
|
ems_ext, sizeof(ems_ext)));
|
|
|
|
ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
|
|
ExpectIntEQ(wolfSSL_version(ssl_c), TLS1_3_VERSION);
|
|
|
|
wolfSSL_SESSION_free(session);
|
|
wolfSSL_free(ssl_c);
|
|
wolfSSL_free(ssl_s);
|
|
wolfSSL_CTX_free(ctx_c);
|
|
wolfSSL_CTX_free(ctx_s);
|
|
#endif
|
|
return EXPECT_RESULT();
|
|
}
|
|
|
|
|
|
/* F-2915: resumption of an EMS session without EMS must abort with
|
|
* EXT_MASTER_SECRET_NEEDED_E (RFC 7627 Section 5.3). */
|
|
int test_tls_ems_resumption_downgrade(void)
|
|
{
|
|
EXPECT_DECLS;
|
|
#if !defined(WOLFSSL_NO_TLS12) && defined(HAVE_EXTENDED_MASTER) && \
|
|
defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \
|
|
!defined(NO_SESSION_CACHE)
|
|
struct test_memio_ctx test_ctx;
|
|
WOLFSSL_CTX *ctx_c = NULL;
|
|
WOLFSSL_CTX *ctx_s = NULL;
|
|
WOLFSSL *ssl_c = NULL;
|
|
WOLFSSL *ssl_s = NULL;
|
|
WOLFSSL_SESSION *session = NULL;
|
|
|
|
XMEMSET(&test_ctx, 0, sizeof(test_ctx));
|
|
|
|
ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
|
|
wolfTLSv1_2_client_method, wolfTLSv1_2_server_method), 0);
|
|
ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
|
|
|
|
ExpectNotNull(session = wolfSSL_get1_session(ssl_c));
|
|
|
|
wolfSSL_free(ssl_c);
|
|
ssl_c = NULL;
|
|
wolfSSL_free(ssl_s);
|
|
ssl_s = NULL;
|
|
test_memio_clear_buffer(&test_ctx, 0);
|
|
test_memio_clear_buffer(&test_ctx, 1);
|
|
|
|
ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
|
|
wolfTLSv1_2_client_method, wolfTLSv1_2_server_method), 0);
|
|
ExpectIntEQ(wolfSSL_set_session(ssl_c, session), WOLFSSL_SUCCESS);
|
|
/* Drop EMS from the resumption ClientHello to simulate a downgrade. */
|
|
ExpectIntEQ(wolfSSL_DisableExtendedMasterSecret(ssl_c), WOLFSSL_SUCCESS);
|
|
|
|
ExpectIntNE(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
|
|
ExpectIntEQ(wolfSSL_get_error(ssl_s, 0),
|
|
WC_NO_ERR_TRACE(EXT_MASTER_SECRET_NEEDED_E));
|
|
|
|
wolfSSL_SESSION_free(session);
|
|
wolfSSL_free(ssl_c);
|
|
wolfSSL_free(ssl_s);
|
|
wolfSSL_CTX_free(ctx_c);
|
|
wolfSSL_CTX_free(ctx_s);
|
|
#endif
|
|
return EXPECT_RESULT();
|
|
}
|
|
|
|
|
|
#if !defined(WOLFSSL_NO_TLS12) && defined(HAVE_EXTENDED_MASTER) && \
|
|
defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \
|
|
!defined(NO_SESSION_CACHE)
|
|
/* Remove the extended_master_secret extension from the ServerHello record at
|
|
* the head of the server-to-client memio buffer, patching up the record,
|
|
* handshake and extension-block lengths so the message still parses.
|
|
* Returns 0 on success. */
|
|
static int StripEmsFromServerHello(struct test_memio_ctx* test_ctx)
|
|
{
|
|
byte* buf = test_ctx->c_buff;
|
|
int len = test_ctx->c_len;
|
|
int recLen;
|
|
int hsLen;
|
|
int extsLenIdx;
|
|
int extsLen;
|
|
int idx;
|
|
int extsEnd;
|
|
|
|
/* Record header: type(1) version(2) length(2) */
|
|
if (len < 5 || buf[0] != handshake)
|
|
return -1;
|
|
recLen = (buf[3] << 8) | buf[4];
|
|
if (5 + recLen > len)
|
|
return -1;
|
|
/* Handshake header: type(1) length(3) */
|
|
if (recLen < HANDSHAKE_HEADER_SZ || buf[5] != server_hello)
|
|
return -1;
|
|
hsLen = (buf[6] << 16) | (buf[7] << 8) | buf[8];
|
|
/* Skip version(2), random(32) to the session ID length, then skip the
|
|
* session ID, cipher suite(2) and compression(1) to the extensions
|
|
* length. */
|
|
extsLenIdx = 5 + HANDSHAKE_HEADER_SZ + OPAQUE16_LEN + RAN_LEN +
|
|
OPAQUE8_LEN + buf[5 + HANDSHAKE_HEADER_SZ + OPAQUE16_LEN +
|
|
RAN_LEN] +
|
|
OPAQUE16_LEN + OPAQUE8_LEN;
|
|
if (extsLenIdx + OPAQUE16_LEN > 5 + recLen)
|
|
return -1;
|
|
extsLen = (buf[extsLenIdx] << 8) | buf[extsLenIdx + 1];
|
|
idx = extsLenIdx + OPAQUE16_LEN;
|
|
extsEnd = idx + extsLen;
|
|
if (extsEnd > 5 + recLen)
|
|
return -1;
|
|
while (idx + 4 <= extsEnd) {
|
|
int extType = (buf[idx] << 8) | buf[idx + 1];
|
|
int extLen = (buf[idx + 2] << 8) | buf[idx + 3];
|
|
int rmLen = 4 + extLen;
|
|
|
|
if (idx + rmLen > extsEnd)
|
|
return -1;
|
|
if (extType == HELLO_EXT_EXTMS) {
|
|
XMEMMOVE(buf + idx, buf + idx + rmLen,
|
|
(size_t)(len - idx - rmLen));
|
|
recLen -= rmLen;
|
|
hsLen -= rmLen;
|
|
extsLen -= rmLen;
|
|
buf[3] = (byte)(recLen >> 8);
|
|
buf[4] = (byte)recLen;
|
|
buf[6] = (byte)(hsLen >> 16);
|
|
buf[7] = (byte)(hsLen >> 8);
|
|
buf[8] = (byte)hsLen;
|
|
buf[extsLenIdx] = (byte)(extsLen >> 8);
|
|
buf[extsLenIdx + 1] = (byte)extsLen;
|
|
test_ctx->c_len -= rmLen;
|
|
/* The ServerHello record sits wholly inside the first buffered
|
|
* message. */
|
|
test_ctx->c_msg_sizes[0] -= rmLen;
|
|
return 0;
|
|
}
|
|
idx += rmLen;
|
|
}
|
|
return -1;
|
|
}
|
|
|
|
/* Full handshake with EMS, then resume and strip the EMS extension from the
|
|
* ServerHello in transit. The client must catch the downgrade and abort
|
|
* (RFC 7627 Section 5.3). useTicket selects session-ticket resumption
|
|
* instead of session-ID resumption. */
|
|
static int test_tls_ems_resumption_server_downgrade_ex(int useTicket)
|
|
{
|
|
EXPECT_DECLS;
|
|
struct test_memio_ctx test_ctx;
|
|
WOLFSSL_CTX *ctx_c = NULL;
|
|
WOLFSSL_CTX *ctx_s = NULL;
|
|
WOLFSSL *ssl_c = NULL;
|
|
WOLFSSL *ssl_s = NULL;
|
|
WOLFSSL_SESSION *session = NULL;
|
|
|
|
#ifndef HAVE_SESSION_TICKET
|
|
(void)useTicket;
|
|
#endif
|
|
|
|
XMEMSET(&test_ctx, 0, sizeof(test_ctx));
|
|
|
|
ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
|
|
wolfTLSv1_2_client_method, wolfTLSv1_2_server_method), 0);
|
|
#ifdef HAVE_SESSION_TICKET
|
|
if (useTicket)
|
|
ExpectIntEQ(wolfSSL_UseSessionTicket(ssl_c), WOLFSSL_SUCCESS);
|
|
#endif
|
|
ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
|
|
|
|
ExpectNotNull(session = wolfSSL_get1_session(ssl_c));
|
|
ExpectTrue(session->haveEMS);
|
|
#ifdef HAVE_SESSION_TICKET
|
|
if (useTicket)
|
|
ExpectIntGT(session->ticketLen, 0);
|
|
#endif
|
|
|
|
wolfSSL_free(ssl_c);
|
|
ssl_c = NULL;
|
|
wolfSSL_free(ssl_s);
|
|
ssl_s = NULL;
|
|
test_memio_clear_buffer(&test_ctx, 0);
|
|
test_memio_clear_buffer(&test_ctx, 1);
|
|
|
|
ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
|
|
wolfTLSv1_2_client_method, wolfTLSv1_2_server_method), 0);
|
|
ExpectIntEQ(wolfSSL_set_session(ssl_c, session), WOLFSSL_SUCCESS);
|
|
|
|
/* ClientHello */
|
|
ExpectIntEQ(wolfSSL_connect(ssl_c), -1);
|
|
ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_READ);
|
|
/* Server flight accepting the resumption */
|
|
ExpectIntEQ(wolfSSL_accept(ssl_s), -1);
|
|
ExpectIntEQ(wolfSSL_get_error(ssl_s, -1), WOLFSSL_ERROR_WANT_READ);
|
|
/* Drop EMS from the ServerHello to simulate a downgrading server. */
|
|
ExpectIntEQ(StripEmsFromServerHello(&test_ctx), 0);
|
|
/* The client must refuse to resume without EMS. */
|
|
ExpectIntEQ(wolfSSL_connect(ssl_c), -1);
|
|
ExpectIntEQ(wolfSSL_get_error(ssl_c, -1),
|
|
WC_NO_ERR_TRACE(EXT_MASTER_SECRET_NEEDED_E));
|
|
|
|
wolfSSL_SESSION_free(session);
|
|
wolfSSL_free(ssl_c);
|
|
wolfSSL_free(ssl_s);
|
|
wolfSSL_CTX_free(ctx_c);
|
|
wolfSSL_CTX_free(ctx_s);
|
|
return EXPECT_RESULT();
|
|
}
|
|
#endif
|
|
|
|
/* F-5807: a server that resumes an EMS session but omits the
|
|
* extended_master_secret extension from its ServerHello must be rejected by
|
|
* the client with EXT_MASTER_SECRET_NEEDED_E (RFC 7627 Section 5.3), on both
|
|
* session-ID and session-ticket resumption. */
|
|
int test_tls_ems_resumption_server_downgrade(void)
|
|
{
|
|
EXPECT_DECLS;
|
|
#if !defined(WOLFSSL_NO_TLS12) && defined(HAVE_EXTENDED_MASTER) && \
|
|
defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \
|
|
!defined(NO_SESSION_CACHE)
|
|
ExpectIntEQ(test_tls_ems_resumption_server_downgrade_ex(0), TEST_SUCCESS);
|
|
#if defined(HAVE_SESSION_TICKET) && !defined(WOLFSSL_NO_DEF_TICKET_ENC_CB)
|
|
ExpectIntEQ(test_tls_ems_resumption_server_downgrade_ex(1), TEST_SUCCESS);
|
|
#endif
|
|
#endif
|
|
return EXPECT_RESULT();
|
|
}
|
|
|
|
|
|
#if !defined(WOLFSSL_NO_TLS12) && \
|
|
defined(BUILD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256) && \
|
|
defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES)
|
|
static int test_chacha_bad_tag_trigger = 0;
|
|
|
|
static int test_chacha_bad_tag_io_recv(WOLFSSL* ssl, char* buf, int sz,
|
|
void* ctx)
|
|
{
|
|
int ret = test_memio_read_cb(ssl, buf, sz, ctx);
|
|
/* Tamper with a byte from the encrypted record payload on the first
|
|
* read that spans past the 5-byte TLS record header, so the Poly1305
|
|
* authentication check no longer matches. */
|
|
if (test_chacha_bad_tag_trigger && ret > 5) {
|
|
buf[ret - 1] ^= 0xFF;
|
|
test_chacha_bad_tag_trigger = 0;
|
|
}
|
|
return ret;
|
|
}
|
|
#endif
|
|
|
|
/* F-2921: TLS 1.2 ChaCha20-Poly1305 must surface VERIFY_MAC_ERROR when
|
|
* the Poly1305 tag is corrupted. */
|
|
int test_tls12_chacha20_poly1305_bad_tag(void)
|
|
{
|
|
EXPECT_DECLS;
|
|
#if !defined(WOLFSSL_NO_TLS12) && \
|
|
defined(BUILD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256) && \
|
|
defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES)
|
|
struct test_memio_ctx test_ctx;
|
|
WOLFSSL_CTX *ctx_c = NULL;
|
|
WOLFSSL_CTX *ctx_s = NULL;
|
|
WOLFSSL *ssl_c = NULL;
|
|
WOLFSSL *ssl_s = NULL;
|
|
const char msg[] = "tamper me";
|
|
char recvBuf[32];
|
|
int ret;
|
|
|
|
XMEMSET(&test_ctx, 0, sizeof(test_ctx));
|
|
test_ctx.c_ciphers = test_ctx.s_ciphers =
|
|
"ECDHE-RSA-CHACHA20-POLY1305";
|
|
|
|
ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
|
|
wolfTLSv1_2_client_method, wolfTLSv1_2_server_method), 0);
|
|
ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
|
|
|
|
wolfSSL_SSLSetIORecv(ssl_s, test_chacha_bad_tag_io_recv);
|
|
|
|
ExpectIntEQ(wolfSSL_write(ssl_c, msg, (int)XSTRLEN(msg)),
|
|
(int)XSTRLEN(msg));
|
|
|
|
test_chacha_bad_tag_trigger = 1;
|
|
ret = wolfSSL_read(ssl_s, recvBuf, sizeof(recvBuf));
|
|
ExpectIntLE(ret, 0);
|
|
ExpectIntEQ(wolfSSL_get_error(ssl_s, ret),
|
|
WC_NO_ERR_TRACE(VERIFY_MAC_ERROR));
|
|
|
|
test_chacha_bad_tag_trigger = 0;
|
|
wolfSSL_free(ssl_c);
|
|
wolfSSL_free(ssl_s);
|
|
wolfSSL_CTX_free(ctx_c);
|
|
wolfSSL_CTX_free(ctx_s);
|
|
#endif
|
|
return EXPECT_RESULT();
|
|
}
|
|
|
|
|
|
#if defined(WOLFSSL_TLS13) && defined(HAVE_NULL_CIPHER) && \
|
|
defined(BUILD_TLS_SHA256_SHA256) && \
|
|
defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES)
|
|
static int test_tls13_null_bad_hmac_trigger = 0;
|
|
|
|
static int test_tls13_null_bad_hmac_io_recv(WOLFSSL* ssl, char* buf, int sz,
|
|
void* ctx)
|
|
{
|
|
int ret = test_memio_read_cb(ssl, buf, sz, ctx);
|
|
/* Tamper with a byte from the encrypted record payload on the first
|
|
* read that spans past the 5-byte TLS record header, so the HMAC tag
|
|
* check in Tls13IntegrityOnly_Decrypt no longer matches. */
|
|
if (test_tls13_null_bad_hmac_trigger && ret > 5) {
|
|
buf[ret - 1] ^= 0xFF;
|
|
test_tls13_null_bad_hmac_trigger = 0;
|
|
}
|
|
return ret;
|
|
}
|
|
#endif
|
|
|
|
/* F-2916: TLS 1.3 integrity-only decryption must surface DECRYPT_ERROR
|
|
* when the HMAC tag is corrupted. */
|
|
int test_tls13_null_cipher_bad_hmac(void)
|
|
{
|
|
EXPECT_DECLS;
|
|
#if defined(WOLFSSL_TLS13) && defined(HAVE_NULL_CIPHER) && \
|
|
defined(BUILD_TLS_SHA256_SHA256) && \
|
|
defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES)
|
|
struct test_memio_ctx test_ctx;
|
|
WOLFSSL_CTX *ctx_c = NULL;
|
|
WOLFSSL_CTX *ctx_s = NULL;
|
|
WOLFSSL *ssl_c = NULL;
|
|
WOLFSSL *ssl_s = NULL;
|
|
const char msg[] = "integrity only";
|
|
char recvBuf[32];
|
|
int ret;
|
|
|
|
XMEMSET(&test_ctx, 0, sizeof(test_ctx));
|
|
test_ctx.c_ciphers = test_ctx.s_ciphers = "TLS13-SHA256-SHA256";
|
|
|
|
ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
|
|
wolfTLSv1_3_client_method, wolfTLSv1_3_server_method), 0);
|
|
ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
|
|
|
|
wolfSSL_SSLSetIORecv(ssl_s, test_tls13_null_bad_hmac_io_recv);
|
|
|
|
ExpectIntEQ(wolfSSL_write(ssl_c, msg, (int)XSTRLEN(msg)),
|
|
(int)XSTRLEN(msg));
|
|
|
|
test_tls13_null_bad_hmac_trigger = 1;
|
|
ret = wolfSSL_read(ssl_s, recvBuf, sizeof(recvBuf));
|
|
ExpectIntLE(ret, 0);
|
|
ExpectIntEQ(wolfSSL_get_error(ssl_s, ret),
|
|
WC_NO_ERR_TRACE(DECRYPT_ERROR));
|
|
|
|
test_tls13_null_bad_hmac_trigger = 0;
|
|
wolfSSL_free(ssl_c);
|
|
wolfSSL_free(ssl_s);
|
|
wolfSSL_CTX_free(ctx_c);
|
|
wolfSSL_CTX_free(ctx_s);
|
|
#endif
|
|
return EXPECT_RESULT();
|
|
}
|
|
|
|
|
|
/* F-2913 and F-2914: the TLSX_SecureRenegotiation_Parse
|
|
* ConstantCompare against the cached Finished verify_data must reject
|
|
* a mismatch on both the client and server sides. */
|
|
int test_scr_verify_data_mismatch(void)
|
|
{
|
|
EXPECT_DECLS;
|
|
#if defined(HAVE_SECURE_RENEGOTIATION) && !defined(WOLFSSL_NO_TLS12) && \
|
|
defined(BUILD_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) && \
|
|
defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES)
|
|
int side;
|
|
|
|
for (side = 0; side < 2; side++) {
|
|
struct test_memio_ctx test_ctx;
|
|
WOLFSSL_CTX *ctx_c = NULL;
|
|
WOLFSSL_CTX *ctx_s = NULL;
|
|
WOLFSSL *ssl_c = NULL;
|
|
WOLFSSL *ssl_s = NULL;
|
|
WOLFSSL *failing;
|
|
byte data;
|
|
int ret;
|
|
|
|
XMEMSET(&test_ctx, 0, sizeof(test_ctx));
|
|
test_ctx.c_ciphers = test_ctx.s_ciphers =
|
|
"ECDHE-RSA-AES128-GCM-SHA256";
|
|
|
|
ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c,
|
|
&ssl_s, wolfTLSv1_2_client_method,
|
|
wolfTLSv1_2_server_method), 0);
|
|
ExpectIntEQ(wolfSSL_CTX_UseSecureRenegotiation(ctx_c),
|
|
WOLFSSL_SUCCESS);
|
|
ExpectIntEQ(wolfSSL_CTX_UseSecureRenegotiation(ctx_s),
|
|
WOLFSSL_SUCCESS);
|
|
ExpectIntEQ(wolfSSL_UseSecureRenegotiation(ssl_c), WOLFSSL_SUCCESS);
|
|
ExpectIntEQ(wolfSSL_UseSecureRenegotiation(ssl_s), WOLFSSL_SUCCESS);
|
|
|
|
ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
|
|
|
|
/* side 0: corrupt the client's copy; side 1: corrupt the
|
|
* server's copy. */
|
|
if (side == 0) {
|
|
if (ssl_c != NULL && ssl_c->secure_renegotiation != NULL)
|
|
ssl_c->secure_renegotiation->server_verify_data[0] ^= 0xFF;
|
|
failing = ssl_c;
|
|
}
|
|
else {
|
|
if (ssl_s != NULL && ssl_s->secure_renegotiation != NULL)
|
|
ssl_s->secure_renegotiation->client_verify_data[0] ^= 0xFF;
|
|
failing = ssl_s;
|
|
}
|
|
|
|
ret = wolfSSL_Rehandshake(ssl_c);
|
|
(void)ret;
|
|
(void)wolfSSL_read(ssl_s, &data, 1);
|
|
(void)wolfSSL_read(ssl_c, &data, 1);
|
|
ExpectIntEQ(wolfSSL_get_error(failing, 0),
|
|
WC_NO_ERR_TRACE(SECURE_RENEGOTIATION_E));
|
|
|
|
wolfSSL_free(ssl_c);
|
|
wolfSSL_free(ssl_s);
|
|
wolfSSL_CTX_free(ctx_c);
|
|
wolfSSL_CTX_free(ctx_s);
|
|
}
|
|
#endif
|
|
return EXPECT_RESULT();
|
|
}
|
|
|
|
/* F-4144: WOLFSSL_OP_NO_RENEGOTIATION on the server must refuse a
|
|
* client-initiated renegotiation with a no_renegotiation *warning* while
|
|
* keeping the established connection alive, rather than aborting it. */
|
|
int test_scr_no_renegotiation_option(void)
|
|
{
|
|
EXPECT_DECLS;
|
|
#if defined(HAVE_SECURE_RENEGOTIATION) && !defined(WOLFSSL_NO_TLS12) && \
|
|
defined(BUILD_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) && \
|
|
defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES)
|
|
struct test_memio_ctx test_ctx;
|
|
WOLFSSL_CTX *ctx_c = NULL;
|
|
WOLFSSL_CTX *ctx_s = NULL;
|
|
WOLFSSL *ssl_c = NULL;
|
|
WOLFSSL *ssl_s = NULL;
|
|
WOLFSSL_ALERT_HISTORY history;
|
|
byte readBuf[16];
|
|
int ret = WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR);
|
|
int i;
|
|
|
|
XMEMSET(&test_ctx, 0, sizeof(test_ctx));
|
|
XMEMSET(&history, 0, sizeof(history));
|
|
test_ctx.c_ciphers = test_ctx.s_ciphers = "ECDHE-RSA-AES128-GCM-SHA256";
|
|
|
|
ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c,
|
|
&ssl_s, wolfTLSv1_2_client_method,
|
|
wolfTLSv1_2_server_method), 0);
|
|
ExpectIntEQ(wolfSSL_CTX_UseSecureRenegotiation(ctx_c), WOLFSSL_SUCCESS);
|
|
ExpectIntEQ(wolfSSL_CTX_UseSecureRenegotiation(ctx_s), WOLFSSL_SUCCESS);
|
|
ExpectIntEQ(wolfSSL_UseSecureRenegotiation(ssl_c), WOLFSSL_SUCCESS);
|
|
ExpectIntEQ(wolfSSL_UseSecureRenegotiation(ssl_s), WOLFSSL_SUCCESS);
|
|
|
|
/* Server opts into rejecting peer-initiated renegotiation. */
|
|
wolfSSL_set_options(ssl_s, WOLFSSL_OP_NO_RENEGOTIATION);
|
|
|
|
ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
|
|
|
|
/* Client initiates renegotiation: it sends a ClientHello and waits for a
|
|
* ServerHello that never comes. */
|
|
ExpectIntLT(wolfSSL_Rehandshake(ssl_c), 0);
|
|
ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_READ);
|
|
|
|
/* Server processes the renegotiation ClientHello. It must refuse without
|
|
* aborting: the read returns WANT_READ (connection still alive), not a
|
|
* SECURE_RENEGOTIATION_E fatal error. */
|
|
ExpectIntLT(wolfSSL_read(ssl_s, readBuf, sizeof(readBuf)), 0);
|
|
ExpectIntEQ(wolfSSL_get_error(ssl_s, -1), WOLFSSL_ERROR_WANT_READ);
|
|
|
|
/* The refusal was a warning-level no_renegotiation alert. */
|
|
ExpectIntEQ(wolfSSL_get_alert_history(ssl_s, &history), WOLFSSL_SUCCESS);
|
|
ExpectIntEQ(history.last_tx.level, alert_warning);
|
|
ExpectIntEQ(history.last_tx.code, no_renegotiation);
|
|
|
|
/* The connection is still active and passes data: the server sends
|
|
* application data which the client receives and decrypts correctly, even
|
|
* though the client's renegotiation attempt was refused. The client
|
|
* surfaces the data once it has processed the no_renegotiation warning. */
|
|
ExpectIntEQ(wolfSSL_write(ssl_s, "hello", 5), 5);
|
|
for (i = 0; i < 10 && ret != 5; i++)
|
|
ret = wolfSSL_read(ssl_c, readBuf, sizeof(readBuf));
|
|
ExpectIntEQ(ret, 5);
|
|
ExpectIntEQ(XMEMCMP(readBuf, "hello", 5), 0);
|
|
|
|
wolfSSL_free(ssl_c);
|
|
wolfSSL_free(ssl_s);
|
|
wolfSSL_CTX_free(ctx_c);
|
|
wolfSSL_CTX_free(ctx_s);
|
|
#endif
|
|
return EXPECT_RESULT();
|
|
}
|
|
|
|
/* F-4144: WOLFSSL_OP_NO_RENEGOTIATION on the client must refuse a
|
|
* server-initiated renegotiation (HelloRequest) with a no_renegotiation
|
|
* *warning* while keeping the established connection alive, rather than
|
|
* starting a secure renegotiation. */
|
|
int test_helloRequest_no_renegotiation_option(void)
|
|
{
|
|
EXPECT_DECLS;
|
|
#if defined(HAVE_SECURE_RENEGOTIATION) && !defined(WOLFSSL_NO_TLS12) && \
|
|
defined(BUILD_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) && \
|
|
defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES)
|
|
struct test_memio_ctx test_ctx;
|
|
WOLFSSL_CTX *ctx_c = NULL;
|
|
WOLFSSL_CTX *ctx_s = NULL;
|
|
WOLFSSL *ssl_c = NULL;
|
|
WOLFSSL *ssl_s = NULL;
|
|
WOLFSSL_ALERT_HISTORY history;
|
|
byte readBuf[16];
|
|
int ret = WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR);
|
|
int i;
|
|
|
|
XMEMSET(&test_ctx, 0, sizeof(test_ctx));
|
|
XMEMSET(&history, 0, sizeof(history));
|
|
test_ctx.c_ciphers = test_ctx.s_ciphers = "ECDHE-RSA-AES128-GCM-SHA256";
|
|
|
|
ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c,
|
|
&ssl_s, wolfTLSv1_2_client_method,
|
|
wolfTLSv1_2_server_method), 0);
|
|
ExpectIntEQ(wolfSSL_CTX_UseSecureRenegotiation(ctx_c), WOLFSSL_SUCCESS);
|
|
ExpectIntEQ(wolfSSL_CTX_UseSecureRenegotiation(ctx_s), WOLFSSL_SUCCESS);
|
|
ExpectIntEQ(wolfSSL_UseSecureRenegotiation(ssl_c), WOLFSSL_SUCCESS);
|
|
ExpectIntEQ(wolfSSL_UseSecureRenegotiation(ssl_s), WOLFSSL_SUCCESS);
|
|
|
|
/* Client opts into rejecting peer-initiated renegotiation. */
|
|
wolfSSL_set_options(ssl_c, WOLFSSL_OP_NO_RENEGOTIATION);
|
|
|
|
ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
|
|
|
|
/* Server asks the client to renegotiate by sending a HelloRequest, then
|
|
* waits for the ClientHello that never comes. */
|
|
ExpectIntLT(wolfSSL_Rehandshake(ssl_s), 0);
|
|
ExpectIntEQ(wolfSSL_get_error(ssl_s, -1), WOLFSSL_ERROR_WANT_READ);
|
|
|
|
/* Client processes the HelloRequest. It must refuse without starting a
|
|
* renegotiation: the read returns WANT_READ (connection still alive). */
|
|
ExpectIntLT(wolfSSL_read(ssl_c, readBuf, sizeof(readBuf)), 0);
|
|
ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_READ);
|
|
|
|
/* The refusal was a warning-level no_renegotiation alert. */
|
|
ExpectIntEQ(wolfSSL_get_alert_history(ssl_c, &history), WOLFSSL_SUCCESS);
|
|
ExpectIntEQ(history.last_tx.level, alert_warning);
|
|
ExpectIntEQ(history.last_tx.code, no_renegotiation);
|
|
|
|
/* The connection is still active and passes data: the client sends
|
|
* application data which the server receives and decrypts correctly, even
|
|
* though its renegotiation request was refused. */
|
|
ExpectIntEQ(wolfSSL_write(ssl_c, "hello", 5), 5);
|
|
for (i = 0; i < 10 && ret != 5; i++)
|
|
ret = wolfSSL_read(ssl_s, readBuf, sizeof(readBuf));
|
|
ExpectIntEQ(ret, 5);
|
|
ExpectIntEQ(XMEMCMP(readBuf, "hello", 5), 0);
|
|
|
|
wolfSSL_free(ssl_c);
|
|
wolfSSL_free(ssl_s);
|
|
wolfSSL_CTX_free(ctx_c);
|
|
wolfSSL_CTX_free(ctx_s);
|
|
#endif
|
|
return EXPECT_RESULT();
|
|
}
|
|
|
|
/* F-2126: DoTls13ClientHello must reject a second ClientHello whose
|
|
* cipher suite does not match the server's HelloRetryRequest. The
|
|
* client offers two suites in CH1 and only a different one in CH2. */
|
|
int test_tls13_hrr_cipher_suite_mismatch(void)
|
|
{
|
|
EXPECT_DECLS;
|
|
#if defined(WOLFSSL_TLS13) && \
|
|
defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \
|
|
!defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) && \
|
|
defined(BUILD_TLS_AES_128_GCM_SHA256) && \
|
|
defined(BUILD_TLS_AES_256_GCM_SHA384)
|
|
struct test_memio_ctx test_ctx;
|
|
WOLFSSL_CTX *ctx_c = NULL;
|
|
WOLFSSL_CTX *ctx_s = NULL;
|
|
WOLFSSL *ssl_c = NULL;
|
|
WOLFSSL *ssl_s = NULL;
|
|
int ret;
|
|
|
|
XMEMSET(&test_ctx, 0, sizeof(test_ctx));
|
|
/* Both suites supported on both ends; server prefers the first
|
|
* offered suite, which will be the one committed in the HRR. */
|
|
test_ctx.c_ciphers = test_ctx.s_ciphers =
|
|
"TLS13-AES128-GCM-SHA256:TLS13-AES256-GCM-SHA384";
|
|
|
|
ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
|
|
wolfTLSv1_3_client_method, wolfTLSv1_3_server_method), 0);
|
|
/* Force HRR by withholding key_share entries in CH1. */
|
|
ExpectIntEQ(wolfSSL_NoKeyShares(ssl_c), WOLFSSL_SUCCESS);
|
|
|
|
/* CH1 / HRR */
|
|
ExpectIntEQ(wolfSSL_connect(ssl_c), WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR));
|
|
ExpectIntEQ(wolfSSL_get_error(ssl_c, 0), WOLFSSL_ERROR_WANT_READ);
|
|
ExpectIntEQ(wolfSSL_accept(ssl_s), WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR));
|
|
ExpectIntEQ(wolfSSL_get_error(ssl_s, 0), WOLFSSL_ERROR_WANT_READ);
|
|
|
|
/* Restrict the client to a different suite than the one the
|
|
* server committed to in the HRR, so CH2 offers only that. */
|
|
ExpectIntEQ(wolfSSL_set_cipher_list(ssl_c, "TLS13-AES256-GCM-SHA384"),
|
|
WOLFSSL_SUCCESS);
|
|
|
|
if (EXPECT_SUCCESS()) {
|
|
/* CH2 */
|
|
(void)wolfSSL_connect(ssl_c);
|
|
(void)wolfSSL_accept(ssl_s);
|
|
(void)wolfSSL_connect(ssl_c);
|
|
/* The cipher-suite mismatch is caught server-side; the server's
|
|
* alert reaches the client, so either peer can surface it. */
|
|
ret = wolfSSL_get_error(ssl_s, 0);
|
|
if (ret != WC_NO_ERR_TRACE(INVALID_PARAMETER))
|
|
ret = wolfSSL_get_error(ssl_c, 0);
|
|
ExpectIntEQ(ret, WC_NO_ERR_TRACE(INVALID_PARAMETER));
|
|
}
|
|
|
|
wolfSSL_free(ssl_c);
|
|
wolfSSL_free(ssl_s);
|
|
wolfSSL_CTX_free(ctx_c);
|
|
wolfSSL_CTX_free(ctx_s);
|
|
#endif
|
|
return EXPECT_RESULT();
|
|
}
|
|
|
|
|
|
/* F-1824: DoClientTicketCheck must reject a PSK whose obfuscated age
|
|
* falls outside the [-1000, MAX_TICKET_AGE_DIFF*1000+1000] ms window. */
|
|
int test_tls13_ticket_age_out_of_window(void)
|
|
{
|
|
EXPECT_DECLS;
|
|
#if defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET) && \
|
|
defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \
|
|
!defined(WOLFSSL_NO_DEF_TICKET_ENC_CB)
|
|
struct test_memio_ctx test_ctx;
|
|
WOLFSSL_CTX *ctx_c = NULL;
|
|
WOLFSSL_CTX *ctx_s = NULL;
|
|
WOLFSSL *ssl_c = NULL;
|
|
WOLFSSL *ssl_s = NULL;
|
|
WOLFSSL_SESSION *session = NULL;
|
|
byte tmp;
|
|
|
|
XMEMSET(&test_ctx, 0, sizeof(test_ctx));
|
|
|
|
ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
|
|
wolfTLSv1_3_client_method, wolfTLSv1_3_server_method), 0);
|
|
ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
|
|
|
|
/* Pump post-handshake reads so the NewSessionTicket reaches the
|
|
* client. */
|
|
(void)wolfSSL_read(ssl_c, &tmp, sizeof(tmp));
|
|
(void)wolfSSL_read(ssl_s, &tmp, sizeof(tmp));
|
|
(void)wolfSSL_read(ssl_c, &tmp, sizeof(tmp));
|
|
|
|
ExpectNotNull(session = wolfSSL_get1_session(ssl_c));
|
|
/* The test only exercises the age window check if the client actually
|
|
* received a NewSessionTicket and the session carries ticket material. */
|
|
ExpectIntGT(session->ticketLen, 0);
|
|
|
|
/* Flip the high bit to push the unobfuscated age out of window. */
|
|
if (session != NULL)
|
|
session->ticketAdd ^= 0x80000000U;
|
|
|
|
wolfSSL_free(ssl_c);
|
|
ssl_c = NULL;
|
|
wolfSSL_free(ssl_s);
|
|
ssl_s = NULL;
|
|
test_memio_clear_buffer(&test_ctx, 0);
|
|
test_memio_clear_buffer(&test_ctx, 1);
|
|
|
|
ExpectNotNull(ssl_c = wolfSSL_new(ctx_c));
|
|
ExpectNotNull(ssl_s = wolfSSL_new(ctx_s));
|
|
wolfSSL_SetIOReadCtx(ssl_c, &test_ctx);
|
|
wolfSSL_SetIOWriteCtx(ssl_c, &test_ctx);
|
|
wolfSSL_SetIOReadCtx(ssl_s, &test_ctx);
|
|
wolfSSL_SetIOWriteCtx(ssl_s, &test_ctx);
|
|
ExpectIntEQ(wolfSSL_set_session(ssl_c, session), WOLFSSL_SUCCESS);
|
|
|
|
/* PSK rejected, full handshake must still succeed. */
|
|
ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
|
|
ExpectIntEQ(wolfSSL_session_reused(ssl_s), 0);
|
|
|
|
wolfSSL_SESSION_free(session);
|
|
wolfSSL_free(ssl_c);
|
|
wolfSSL_free(ssl_s);
|
|
wolfSSL_CTX_free(ctx_c);
|
|
wolfSSL_CTX_free(ctx_s);
|
|
#endif
|
|
return EXPECT_RESULT();
|
|
}
|
|
|
|
|
|
int test_wolfSSL_DisableExtendedMasterSecret(void)
|
|
{
|
|
EXPECT_DECLS;
|
|
#if defined(HAVE_EXTENDED_MASTER) && !defined(NO_WOLFSSL_CLIENT) && \
|
|
!defined(NO_TLS)
|
|
WOLFSSL_CTX *ctx = wolfSSL_CTX_new(wolfSSLv23_client_method());
|
|
WOLFSSL *ssl = wolfSSL_new(ctx);
|
|
|
|
ExpectNotNull(ctx);
|
|
ExpectNotNull(ssl);
|
|
|
|
/* error cases */
|
|
ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_DisableExtendedMasterSecret(NULL));
|
|
ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_DisableExtendedMasterSecret(NULL));
|
|
|
|
/* success cases */
|
|
ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_DisableExtendedMasterSecret(ctx));
|
|
ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_DisableExtendedMasterSecret(ssl));
|
|
|
|
wolfSSL_free(ssl);
|
|
wolfSSL_CTX_free(ctx);
|
|
#endif
|
|
return EXPECT_RESULT();
|
|
}
|
|
|
|
|
|
#if !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) && \
|
|
!defined(WOLFSSL_NO_CA_NAMES) && !defined(NO_BIO) && \
|
|
!defined(NO_CERTS) && !defined(NO_TLS) && (defined(OPENSSL_EXTRA) || \
|
|
defined(OPENSSL_EXTRA_X509_SMALL)) && (defined(OPENSSL_ALL) || \
|
|
defined(WOLFSSL_NGINX) || defined(HAVE_LIGHTY)) && \
|
|
(defined(WOLFSSL_TLS13) || !defined(WOLFSSL_NO_TLS12)) && \
|
|
defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES)
|
|
struct client_cb_arg {
|
|
WOLF_STACK_OF(X509_NAME) *names1;
|
|
WOLF_STACK_OF(X509_NAME) *names2;
|
|
};
|
|
|
|
static int certificate_authorities_client_cb(WOLFSSL *ssl, void *_arg) {
|
|
struct client_cb_arg *arg = (struct client_cb_arg *)_arg;
|
|
arg->names1 = wolfSSL_get_client_CA_list(ssl);
|
|
arg->names2 = wolfSSL_get0_peer_CA_list(ssl);
|
|
|
|
if (!wolfSSL_use_certificate_file(ssl, cliCertFile, SSL_FILETYPE_PEM))
|
|
return 0;
|
|
if (!wolfSSL_use_PrivateKey_file(ssl, cliKeyFile, SSL_FILETYPE_PEM))
|
|
return 0;
|
|
return 1;
|
|
}
|
|
#endif
|
|
|
|
int test_certificate_authorities_certificate_request(void) {
|
|
EXPECT_DECLS;
|
|
#if !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) && \
|
|
!defined(WOLFSSL_NO_CA_NAMES) && !defined(NO_BIO) && \
|
|
!defined(NO_CERTS) && !defined(NO_TLS) && (defined(OPENSSL_EXTRA) || \
|
|
defined(OPENSSL_EXTRA_X509_SMALL)) && (defined(OPENSSL_ALL) || \
|
|
defined(WOLFSSL_NGINX) || defined(HAVE_LIGHTY)) && \
|
|
(defined(WOLFSSL_TLS13) || !defined(WOLFSSL_NO_TLS12)) && \
|
|
defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES)
|
|
struct test_params {
|
|
method_provider client_meth;
|
|
method_provider server_meth;
|
|
int doUdp;
|
|
} params[] = {
|
|
#ifdef WOLFSSL_TLS13
|
|
/* TLS 1.3 uses certificate_authorities extension */
|
|
{wolfTLSv1_3_client_method, wolfTLSv1_3_server_method, 0},
|
|
#endif
|
|
#if !defined(WOLFSSL_NO_TLS12) && (defined(OPENSSL_ALL) || \
|
|
defined(WOLFSSL_NGINX) || defined(HAVE_LIGHTY))
|
|
/* TLS 1.2 directly embeds CA names in CertificateRequest */
|
|
{wolfTLSv1_2_client_method, wolfTLSv1_2_server_method, 0},
|
|
#endif
|
|
#ifdef WOLFSSL_DTLS13
|
|
{wolfDTLSv1_3_client_method, wolfDTLSv1_3_server_method, 1},
|
|
#endif
|
|
#if defined(WOLFSSL_DTLS) && (defined(OPENSSL_ALL) || \
|
|
defined(WOLFSSL_NGINX) || defined(HAVE_LIGHTY))
|
|
{wolfDTLSv1_2_client_method, wolfDTLSv1_2_server_method, 1},
|
|
#endif
|
|
};
|
|
size_t i;
|
|
|
|
for (i = 0; i < sizeof(params) / sizeof(*params); i++) {
|
|
struct test_memio_ctx test_ctx;
|
|
WOLFSSL_CTX *ctx_srv = NULL;
|
|
WOLFSSL *ssl_srv = NULL;
|
|
WOLFSSL_CTX *ctx_cli = NULL;
|
|
WOLFSSL *ssl_cli = NULL;
|
|
WOLF_STACK_OF(X509_NAME) *names1 = NULL, *names2 = NULL;
|
|
X509_NAME *name = NULL;
|
|
struct client_cb_arg cb_arg = { NULL, NULL };
|
|
const char *expected_names[] = {
|
|
"/C=US/ST=Montana/L=Bozeman/O=wolfSSL_2048/OU=Programming-2048"
|
|
"/CN=www.wolfssl.com/emailAddress=info@wolfssl.com",
|
|
"/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting"
|
|
"/CN=www.wolfssl.com/emailAddress=info@wolfssl.com"
|
|
};
|
|
|
|
if (EXPECT_FAIL())
|
|
break;
|
|
|
|
XMEMSET(&test_ctx, 0, sizeof(test_ctx));
|
|
|
|
ExpectIntEQ(0, test_memio_setup(&test_ctx, &ctx_cli, &ctx_srv,
|
|
&ssl_cli, NULL, params[i].client_meth,
|
|
params[i].server_meth));
|
|
|
|
wolfSSL_CTX_set_verify(ctx_srv,
|
|
SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
|
|
ExpectIntEQ(WOLFSSL_SUCCESS,
|
|
wolfSSL_CTX_load_verify_locations(ctx_srv, cliCertFile, NULL));
|
|
|
|
ExpectNotNull(ssl_srv = wolfSSL_new(ctx_srv));
|
|
wolfSSL_SetIOReadCtx(ssl_srv, &test_ctx);
|
|
wolfSSL_SetIOWriteCtx(ssl_srv, &test_ctx);
|
|
|
|
names1 = wolfSSL_load_client_CA_file(cliCertFile);
|
|
ExpectNotNull(names1);
|
|
names2 = wolfSSL_load_client_CA_file(caCertFile);
|
|
ExpectNotNull(names2);
|
|
ExpectNotNull(name = wolfSSL_sk_X509_NAME_value(names2, 0));
|
|
ExpectIntEQ(2, wolfSSL_sk_X509_NAME_push(names1, name));
|
|
if (EXPECT_FAIL()) {
|
|
wolfSSL_X509_NAME_free(name);
|
|
name = NULL;
|
|
}
|
|
wolfSSL_sk_X509_NAME_free(names2);
|
|
names2 = wolfSSL_load_client_CA_file(caCertFile);
|
|
ExpectNotNull(names2);
|
|
|
|
/* Check that client_CA_list and CA_list are separate internally */
|
|
wolfSSL_CTX_set_client_CA_list(ctx_srv, names1);
|
|
wolfSSL_CTX_set0_CA_list(ctx_srv, names2);
|
|
ExpectNotNull(names1 = wolfSSL_CTX_get_client_CA_list(ctx_srv));
|
|
ExpectNotNull(names2 = wolfSSL_CTX_get0_CA_list(ctx_srv));
|
|
ExpectIntEQ(2, wolfSSL_sk_X509_NAME_num(names1));
|
|
ExpectIntEQ(1, wolfSSL_sk_X509_NAME_num(names2));
|
|
|
|
/* Check that get_client_CA_list and get0_CA_list on ssl return same as
|
|
* ctx when not set */
|
|
ExpectNotNull(names1 = wolfSSL_get_client_CA_list(ssl_srv));
|
|
ExpectNotNull(names2 = wolfSSL_get0_CA_list(ssl_srv));
|
|
ExpectIntEQ(2, wolfSSL_sk_X509_NAME_num(names1));
|
|
ExpectIntEQ(1, wolfSSL_sk_X509_NAME_num(names2));
|
|
|
|
/* Same checks as before, but on ssl rather than ctx */
|
|
names1 = wolfSSL_load_client_CA_file(cliCertFile);
|
|
ExpectNotNull(names1);
|
|
names2 = wolfSSL_load_client_CA_file(caCertFile);
|
|
ExpectNotNull(names2);
|
|
ExpectNotNull(name = wolfSSL_sk_X509_NAME_value(names2, 0));
|
|
ExpectIntEQ(2, wolfSSL_sk_X509_NAME_push(names1, name));
|
|
if (EXPECT_FAIL()) {
|
|
wolfSSL_X509_NAME_free(name);
|
|
name = NULL;
|
|
}
|
|
wolfSSL_sk_X509_NAME_free(names2);
|
|
names2 = wolfSSL_load_client_CA_file(caCertFile);
|
|
ExpectNotNull(names2);
|
|
|
|
wolfSSL_set_client_CA_list(ssl_srv, names1);
|
|
wolfSSL_set0_CA_list(ssl_srv, names2);
|
|
ExpectNotNull(names1 = wolfSSL_get_client_CA_list(ssl_srv));
|
|
ExpectNotNull(names2 = wolfSSL_get0_CA_list(ssl_srv));
|
|
ExpectIntEQ(2, wolfSSL_sk_X509_NAME_num(names1));
|
|
ExpectIntEQ(1, wolfSSL_sk_X509_NAME_num(names2));
|
|
|
|
#if !defined(NO_DH)
|
|
SetDH(ssl_srv);
|
|
#endif
|
|
|
|
/* Certs will be loaded in callback */
|
|
wolfSSL_CTX_set_cert_cb(ctx_cli,
|
|
certificate_authorities_client_cb, &cb_arg);
|
|
|
|
ExpectIntEQ(0, test_memio_do_handshake(ssl_cli, ssl_srv, 10, NULL));
|
|
|
|
ExpectNotNull(cb_arg.names1);
|
|
ExpectNotNull(cb_arg.names2);
|
|
ExpectIntEQ(2, wolfSSL_sk_X509_NAME_num(cb_arg.names1));
|
|
ExpectIntEQ(2, wolfSSL_sk_X509_NAME_num(cb_arg.names2));
|
|
|
|
if (EXPECT_SUCCESS()) {
|
|
ExpectStrEQ(wolfSSL_sk_X509_NAME_value(cb_arg.names1, 0)->name,
|
|
expected_names[0]);
|
|
ExpectStrEQ(wolfSSL_sk_X509_NAME_value(cb_arg.names1, 1)->name,
|
|
expected_names[1]);
|
|
}
|
|
|
|
wolfSSL_shutdown(ssl_cli);
|
|
wolfSSL_free(ssl_cli);
|
|
wolfSSL_CTX_free(ctx_cli);
|
|
wolfSSL_free(ssl_srv);
|
|
wolfSSL_CTX_free(ctx_srv);
|
|
}
|
|
#endif
|
|
return EXPECT_RESULT();
|
|
}
|
|
|
|
|
|
#if !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) && \
|
|
!defined(WOLFSSL_NO_CA_NAMES) && !defined(NO_BIO) && \
|
|
!defined(NO_CERTS) && (defined(OPENSSL_EXTRA) || \
|
|
defined(OPENSSL_EXTRA_X509_SMALL)) && (defined(OPENSSL_ALL) || \
|
|
defined(WOLFSSL_NGINX) || defined(HAVE_LIGHTY)) && \
|
|
defined(WOLFSSL_TLS13) && defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES)
|
|
static int certificate_authorities_server_cb(WOLFSSL *ssl, void *_arg) {
|
|
WOLF_STACK_OF(X509_NAME) **names_out = (WOLF_STACK_OF(X509_NAME) **)_arg;
|
|
WOLF_STACK_OF(X509_NAME) *names = wolfSSL_get0_peer_CA_list(ssl);
|
|
*names_out = names;
|
|
if (!wolfSSL_use_certificate_file(ssl, svrCertFile, SSL_FILETYPE_PEM))
|
|
return 0;
|
|
if (!wolfSSL_use_PrivateKey_file(ssl, svrKeyFile, SSL_FILETYPE_PEM))
|
|
return 0;
|
|
return 1;
|
|
}
|
|
#endif
|
|
|
|
#if defined(HAVE_TRUSTED_CA) && !defined(NO_SHA) && \
|
|
defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \
|
|
!defined(NO_WOLFSSL_SERVER) && !defined(NO_WOLFSSL_CLIENT)
|
|
/* Walk the TLSX list to find an extension by type. Avoids calling the
|
|
* WOLFSSL_LOCAL TLSX_Find which is not available in shared library builds. */
|
|
static TLSX* test_TLSX_find_ext(TLSX* list, TLSX_Type type)
|
|
{
|
|
while (list) {
|
|
if (list->type == type)
|
|
return list;
|
|
list = list->next;
|
|
}
|
|
return NULL;
|
|
}
|
|
#endif
|
|
|
|
int test_TLSX_TCA_Find(void)
|
|
{
|
|
EXPECT_DECLS;
|
|
#if defined(HAVE_TRUSTED_CA) && !defined(NO_SHA) && \
|
|
defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \
|
|
!defined(NO_WOLFSSL_SERVER) && !defined(NO_WOLFSSL_CLIENT)
|
|
/* Two different 20-byte SHA1 ids */
|
|
byte id_A[WC_SHA_DIGEST_SIZE];
|
|
byte id_B[WC_SHA_DIGEST_SIZE];
|
|
TLSX* ext;
|
|
|
|
XMEMSET(id_A, 0xAA, sizeof(id_A));
|
|
XMEMSET(id_B, 0xBB, sizeof(id_B));
|
|
|
|
/* Test 1: Exact match - same type and same id should match */
|
|
{
|
|
struct test_memio_ctx test_ctx;
|
|
WOLFSSL_CTX *ctx_c = NULL, *ctx_s = NULL;
|
|
WOLFSSL *ssl_c = NULL, *ssl_s = NULL;
|
|
|
|
XMEMSET(&test_ctx, 0, sizeof(test_ctx));
|
|
ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c,
|
|
&ssl_s, wolfTLSv1_2_client_method, wolfTLSv1_2_server_method), 0);
|
|
|
|
/* Server has KEY_SHA1 with id_A */
|
|
ExpectIntEQ(wolfSSL_UseTrustedCA(ssl_s, WOLFSSL_TRUSTED_CA_KEY_SHA1,
|
|
id_A, sizeof(id_A)), WOLFSSL_SUCCESS);
|
|
/* Client sends KEY_SHA1 with id_A (same) */
|
|
ExpectIntEQ(wolfSSL_UseTrustedCA(ssl_c, WOLFSSL_TRUSTED_CA_KEY_SHA1,
|
|
id_A, sizeof(id_A)), WOLFSSL_SUCCESS);
|
|
|
|
ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
|
|
|
|
/* Server should have found a match and responded */
|
|
ext = test_TLSX_find_ext(ssl_c ? ssl_c->extensions : NULL,
|
|
TLSX_TRUSTED_CA_KEYS);
|
|
ExpectNotNull(ext);
|
|
if (EXPECT_SUCCESS())
|
|
ExpectIntEQ(ext->resp, 1);
|
|
|
|
wolfSSL_free(ssl_c);
|
|
wolfSSL_free(ssl_s);
|
|
wolfSSL_CTX_free(ctx_c);
|
|
wolfSSL_CTX_free(ctx_s);
|
|
}
|
|
|
|
/* Test 2: Same type, different id - should NOT match.
|
|
* This is the key test that exposes the logic bug in TLSX_TCA_Find
|
|
* where matching on type alone (without checking id content) causes
|
|
* a false positive. */
|
|
{
|
|
struct test_memio_ctx test_ctx;
|
|
WOLFSSL_CTX *ctx_c = NULL, *ctx_s = NULL;
|
|
WOLFSSL *ssl_c = NULL, *ssl_s = NULL;
|
|
|
|
XMEMSET(&test_ctx, 0, sizeof(test_ctx));
|
|
ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c,
|
|
&ssl_s, wolfTLSv1_2_client_method, wolfTLSv1_2_server_method), 0);
|
|
|
|
/* Server has KEY_SHA1 with id_A */
|
|
ExpectIntEQ(wolfSSL_UseTrustedCA(ssl_s, WOLFSSL_TRUSTED_CA_KEY_SHA1,
|
|
id_A, sizeof(id_A)), WOLFSSL_SUCCESS);
|
|
/* Client sends KEY_SHA1 with id_B (different!) */
|
|
ExpectIntEQ(wolfSSL_UseTrustedCA(ssl_c, WOLFSSL_TRUSTED_CA_KEY_SHA1,
|
|
id_B, sizeof(id_B)), WOLFSSL_SUCCESS);
|
|
|
|
ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
|
|
|
|
/* Server should NOT have found a match - ids differ */
|
|
ext = test_TLSX_find_ext(ssl_c ? ssl_c->extensions : NULL,
|
|
TLSX_TRUSTED_CA_KEYS);
|
|
ExpectNotNull(ext);
|
|
if (EXPECT_SUCCESS())
|
|
ExpectIntEQ(ext->resp, 0);
|
|
|
|
wolfSSL_free(ssl_c);
|
|
wolfSSL_free(ssl_s);
|
|
wolfSSL_CTX_free(ctx_c);
|
|
wolfSSL_CTX_free(ctx_s);
|
|
}
|
|
|
|
/* Test 3: PRE_AGREED should match any server entry */
|
|
{
|
|
struct test_memio_ctx test_ctx;
|
|
WOLFSSL_CTX *ctx_c = NULL, *ctx_s = NULL;
|
|
WOLFSSL *ssl_c = NULL, *ssl_s = NULL;
|
|
|
|
XMEMSET(&test_ctx, 0, sizeof(test_ctx));
|
|
ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c,
|
|
&ssl_s, wolfTLSv1_2_client_method, wolfTLSv1_2_server_method), 0);
|
|
|
|
/* Server has KEY_SHA1 with id_A */
|
|
ExpectIntEQ(wolfSSL_UseTrustedCA(ssl_s, WOLFSSL_TRUSTED_CA_KEY_SHA1,
|
|
id_A, sizeof(id_A)), WOLFSSL_SUCCESS);
|
|
/* Client sends PRE_AGREED (no id needed) */
|
|
ExpectIntEQ(wolfSSL_UseTrustedCA(ssl_c, WOLFSSL_TRUSTED_CA_PRE_AGREED,
|
|
NULL, 0), WOLFSSL_SUCCESS);
|
|
|
|
ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
|
|
|
|
/* Server should have matched (PRE_AGREED matches anything) */
|
|
ext = test_TLSX_find_ext(ssl_c ? ssl_c->extensions : NULL,
|
|
TLSX_TRUSTED_CA_KEYS);
|
|
ExpectNotNull(ext);
|
|
if (EXPECT_SUCCESS())
|
|
ExpectIntEQ(ext->resp, 1);
|
|
|
|
wolfSSL_free(ssl_c);
|
|
wolfSSL_free(ssl_s);
|
|
wolfSSL_CTX_free(ctx_c);
|
|
wolfSSL_CTX_free(ctx_s);
|
|
}
|
|
#endif
|
|
return EXPECT_RESULT();
|
|
}
|
|
|
|
int test_certificate_authorities_client_hello(void) {
|
|
EXPECT_DECLS;
|
|
#if !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) && \
|
|
!defined(WOLFSSL_NO_CA_NAMES) && !defined(NO_BIO) && \
|
|
!defined(NO_CERTS) && (defined(OPENSSL_EXTRA) || \
|
|
defined(OPENSSL_EXTRA_X509_SMALL)) && (defined(OPENSSL_ALL) || \
|
|
defined(WOLFSSL_NGINX) || defined(HAVE_LIGHTY)) && \
|
|
defined(WOLFSSL_TLS13) && defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES)
|
|
|
|
struct test_params {
|
|
method_provider client_meth;
|
|
method_provider server_meth;
|
|
int doUdp;
|
|
} params[] = {
|
|
/* TLS >= 1.3 only */
|
|
#ifdef WOLFSSL_TLS13
|
|
{wolfTLSv1_3_client_method, wolfTLSv1_3_server_method, 0},
|
|
#endif
|
|
#ifdef WOLFSSL_DTLS13
|
|
{wolfDTLSv1_3_client_method, wolfDTLSv1_3_server_method, 1},
|
|
#endif
|
|
};
|
|
size_t i;
|
|
|
|
for (i = 0; i < sizeof(params) / sizeof(*params); i++) {
|
|
struct test_memio_ctx test_ctx;
|
|
WOLFSSL_CTX *ctx_srv = NULL;
|
|
WOLFSSL *ssl_srv = NULL;
|
|
WOLFSSL_CTX *ctx_cli = NULL;
|
|
WOLFSSL *ssl_cli = NULL;
|
|
WOLF_STACK_OF(X509_NAME) *cb_arg = NULL;
|
|
WOLF_STACK_OF(X509_NAME) *names1 = NULL, *names2 = NULL;
|
|
X509_NAME *name = NULL;
|
|
const char *expected_names[] = {
|
|
"/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting"
|
|
"/CN=www.wolfssl.com/emailAddress=info@wolfssl.com",
|
|
"/C=US/ST=Montana/L=Bozeman/O=wolfSSL_2048/OU=Programming-2048"
|
|
"/CN=www.wolfssl.com/emailAddress=info@wolfssl.com"
|
|
};
|
|
|
|
if (EXPECT_FAIL())
|
|
break;
|
|
|
|
XMEMSET(&test_ctx, 0, sizeof(test_ctx));
|
|
|
|
ExpectIntEQ(0, test_memio_setup(&test_ctx, &ctx_cli, &ctx_srv,
|
|
&ssl_cli, &ssl_srv, params[i].client_meth,
|
|
params[i].server_meth));
|
|
|
|
wolfSSL_CTX_set_cert_cb(ctx_srv, certificate_authorities_server_cb,
|
|
&cb_arg);
|
|
|
|
names1 = wolfSSL_load_client_CA_file(caCertFile);
|
|
ExpectNotNull(names1);
|
|
names2 = wolfSSL_load_client_CA_file(cliCertFile);
|
|
ExpectNotNull(names2);
|
|
ExpectNotNull(name = wolfSSL_sk_X509_NAME_value(names2, 0));
|
|
ExpectIntEQ(2, wolfSSL_sk_X509_NAME_push(names1, name));
|
|
if (EXPECT_FAIL()) {
|
|
wolfSSL_X509_NAME_free(name);
|
|
name = NULL;
|
|
}
|
|
wolfSSL_sk_X509_NAME_free(names2);
|
|
names2 = wolfSSL_load_client_CA_file(cliCertFile);
|
|
ExpectNotNull(names2);
|
|
|
|
/* verify that set0_CA_list takes precedence */
|
|
wolfSSL_set0_CA_list(ssl_cli, names1);
|
|
wolfSSL_CTX_set0_CA_list(ctx_cli, names2);
|
|
|
|
ExpectIntEQ(0, test_memio_do_handshake(ssl_cli, ssl_srv, 10, NULL));
|
|
|
|
ExpectIntEQ(wolfSSL_sk_X509_NAME_num(cb_arg), 2);
|
|
|
|
if (EXPECT_SUCCESS()) {
|
|
ExpectStrEQ(wolfSSL_sk_X509_NAME_value(cb_arg, 0)->name,
|
|
expected_names[0]);
|
|
ExpectStrEQ(wolfSSL_sk_X509_NAME_value(cb_arg, 1)->name,
|
|
expected_names[1]);
|
|
}
|
|
|
|
wolfSSL_shutdown(ssl_cli);
|
|
wolfSSL_free(ssl_cli);
|
|
wolfSSL_CTX_free(ctx_cli);
|
|
wolfSSL_free(ssl_srv);
|
|
wolfSSL_CTX_free(ctx_srv);
|
|
}
|
|
#endif
|
|
return EXPECT_RESULT();
|
|
}
|
|
|
|
/* Test that the SNI size calculation returns 0 on overflow instead of
|
|
* wrapping around to a small value (integer overflow vulnerability). */
|
|
int test_TLSX_SNI_GetSize_overflow(void)
|
|
{
|
|
EXPECT_DECLS;
|
|
#if defined(HAVE_SNI) && !defined(NO_WOLFSSL_CLIENT) && !defined(NO_TLS)
|
|
WOLFSSL_CTX* ctx = NULL;
|
|
WOLFSSL* ssl = NULL;
|
|
TLSX* sni_ext = NULL;
|
|
SNI* head = NULL;
|
|
SNI* sni = NULL;
|
|
int i;
|
|
/* Each SNI adds ENUM_LEN(1) + OPAQUE16_LEN(2) + hostname_len to the size.
|
|
* With a 1-byte hostname, each entry adds 4 bytes. Starting from
|
|
* OPAQUE16_LEN(2) base, we need enough entries to exceed UINT16_MAX. */
|
|
const int num_sni = (0xFFFF / 4) + 2;
|
|
|
|
ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
|
|
ExpectNotNull(ssl = wolfSSL_new(ctx));
|
|
|
|
/* Add initial SNI via public API */
|
|
ExpectIntEQ(WOLFSSL_SUCCESS,
|
|
wolfSSL_UseSNI(ssl, WOLFSSL_SNI_HOST_NAME, "a", 1));
|
|
|
|
/* Find the SNI extension and manually build a long chain */
|
|
if (EXPECT_SUCCESS()) {
|
|
sni_ext = TLSX_Find(ssl->extensions, TLSX_SERVER_NAME);
|
|
ExpectNotNull(sni_ext);
|
|
}
|
|
|
|
if (EXPECT_SUCCESS()) {
|
|
head = (SNI*)sni_ext->data;
|
|
ExpectNotNull(head);
|
|
}
|
|
|
|
/* Append many SNI nodes to force overflow in the size calculation */
|
|
for (i = 1; EXPECT_SUCCESS() && i < num_sni; i++) {
|
|
sni = (SNI*)XMALLOC(sizeof(SNI), NULL, DYNAMIC_TYPE_TLSX);
|
|
ExpectNotNull(sni);
|
|
if (sni != NULL) {
|
|
XMEMSET(sni, 0, sizeof(SNI));
|
|
sni->type = WOLFSSL_SNI_HOST_NAME;
|
|
sni->data.host_name = (char*)XMALLOC(2, NULL, DYNAMIC_TYPE_TLSX);
|
|
ExpectNotNull(sni->data.host_name);
|
|
if (sni->data.host_name != NULL) {
|
|
sni->data.host_name[0] = 'a';
|
|
sni->data.host_name[1] = '\0';
|
|
}
|
|
sni->next = head->next;
|
|
head->next = sni;
|
|
}
|
|
}
|
|
|
|
if (EXPECT_SUCCESS()) {
|
|
/* The fixed calculation should return 0 (overflow detected) */
|
|
ExpectIntEQ(TLSX_SNI_GetSize((SNI*)sni_ext->data), 0);
|
|
}
|
|
|
|
wolfSSL_free(ssl);
|
|
wolfSSL_CTX_free(ctx);
|
|
#endif
|
|
return EXPECT_RESULT();
|
|
}
|
|
|
|
/* ECH is only valid in ClientHello, EncryptedExtensions, or
|
|
* HelloRetryRequest per RFC 9460. Feeding it in a Finished message must
|
|
* be rejected with EXT_NOT_ALLOWED rather than being silently accepted. */
|
|
int test_TLSX_ECH_msg_type_validation(void)
|
|
{
|
|
EXPECT_DECLS;
|
|
#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH) && \
|
|
!defined(NO_WOLFSSL_CLIENT) && !defined(NO_TLS)
|
|
WOLFSSL_CTX* ctx = NULL;
|
|
WOLFSSL* ssl = NULL;
|
|
/* type = TLSX_ECH (0xfe0d), size = 0x0000 */
|
|
const byte extBytes[] = { 0xfe, 0x0d, 0x00, 0x00 };
|
|
|
|
ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method()));
|
|
ExpectNotNull(ssl = wolfSSL_new(ctx));
|
|
|
|
ExpectIntEQ(TLSX_Parse(ssl, extBytes, (word16)sizeof(extBytes),
|
|
finished, NULL),
|
|
WC_NO_ERR_TRACE(EXT_NOT_ALLOWED));
|
|
|
|
wolfSSL_free(ssl);
|
|
wolfSSL_CTX_free(ctx);
|
|
#endif
|
|
return EXPECT_RESULT();
|
|
}
|
|
|
|
/* use_srtp is only valid in ClientHello/ServerHello (pre-TLS 1.3) or
|
|
* ClientHello/EncryptedExtensions (TLS 1.3) per RFC 5764. Feeding it in a
|
|
* Finished message must be rejected with EXT_NOT_ALLOWED. */
|
|
int test_TLSX_SRTP_msg_type_validation(void)
|
|
{
|
|
EXPECT_DECLS;
|
|
#if defined(WOLFSSL_SRTP) && !defined(NO_WOLFSSL_CLIENT) && !defined(NO_TLS)
|
|
WOLFSSL_CTX* ctx = NULL;
|
|
WOLFSSL* ssl = NULL;
|
|
/* type = TLSX_USE_SRTP (0x000e), size = 0x0000 */
|
|
const byte extBytes[] = { 0x00, 0x0e, 0x00, 0x00 };
|
|
|
|
ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
|
|
ExpectNotNull(ssl = wolfSSL_new(ctx));
|
|
|
|
ExpectIntEQ(TLSX_Parse(ssl, extBytes, (word16)sizeof(extBytes),
|
|
finished, NULL),
|
|
WC_NO_ERR_TRACE(EXT_NOT_ALLOWED));
|
|
|
|
wolfSSL_free(ssl);
|
|
wolfSSL_CTX_free(ctx);
|
|
#endif
|
|
return EXPECT_RESULT();
|
|
}
|
|
|
|
/* RFC 7301 Section 3.1: the server's ProtocolNameList in its ALPN response
|
|
* MUST contain exactly one ProtocolName. A ServerHello carrying two entries
|
|
* must be rejected rather than silently accepted. */
|
|
int test_TLSX_ALPN_server_response_count(void)
|
|
{
|
|
EXPECT_DECLS;
|
|
#if defined(HAVE_ALPN) && !defined(NO_WOLFSSL_CLIENT) && !defined(NO_TLS) && \
|
|
!defined(WOLFSSL_NO_TLS12)
|
|
WOLFSSL_CTX* ctx = NULL;
|
|
WOLFSSL* ssl = NULL;
|
|
/* ServerHello-style ALPN extension whose ProtocolNameList contains
|
|
* two entries ("h2" and "http/1.1"). */
|
|
static const byte extBytes[] = {
|
|
0x00, 0x10, /* extension type = ALPN (16) */
|
|
0x00, 0x0E, /* extension length = 14 */
|
|
0x00, 0x0C, /* ProtocolNameList length */
|
|
0x02, 'h', '2', /* entry 1: "h2" */
|
|
0x08, 'h', 't', 't', 'p', '/', '1', '.', '1' /* entry 2 */
|
|
};
|
|
static char alpn_h2[] = "h2";
|
|
|
|
ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method()));
|
|
ExpectNotNull(ssl = wolfSSL_new(ctx));
|
|
|
|
ExpectIntEQ(wolfSSL_UseALPN(ssl, alpn_h2, (unsigned int)XSTRLEN(alpn_h2),
|
|
WOLFSSL_ALPN_FAILED_ON_MISMATCH),
|
|
WOLFSSL_SUCCESS);
|
|
|
|
ExpectIntEQ(TLSX_Parse(ssl, extBytes, (word16)sizeof(extBytes),
|
|
server_hello, NULL),
|
|
WC_NO_ERR_TRACE(BUFFER_ERROR));
|
|
|
|
wolfSSL_free(ssl);
|
|
wolfSSL_CTX_free(ctx);
|
|
#endif
|
|
return EXPECT_RESULT();
|
|
}
|
|
|
|
/* Regression test for the supported_groups (a.k.a. supported curves) parsing.
|
|
*
|
|
* A client that explicitly sends a supported_groups extension restricts the
|
|
* groups the server may use. An empty list, or a list that contains only
|
|
* groups the server does not support, must NOT be silently treated as if the
|
|
* extension was absent (which would impose no restriction and let the server
|
|
* pick an ECDHE suite/curve the client never advertised).
|
|
*
|
|
* - An empty named group list is malformed and must be rejected.
|
|
* - A list of only-unsupported groups must still leave a supported_groups
|
|
* node behind so suite selection sees the restriction.
|
|
*/
|
|
int test_TLSX_SupportedCurve_empty_or_unsupported(void)
|
|
{
|
|
EXPECT_DECLS;
|
|
#if !defined(NO_WOLFSSL_CLIENT) && !defined(NO_TLS) && \
|
|
defined(HAVE_SUPPORTED_CURVES) && !defined(WOLFSSL_NO_TLS12) && \
|
|
(!defined(NO_WOLFSSL_SERVER) || (defined(WOLFSSL_TLS13) && \
|
|
!defined(WOLFSSL_NO_SERVER_GROUPS_EXT)))
|
|
/* This exercises the server's parsing of a received ClientHello: the
|
|
* relevant code path (TLSX_SupportedCurve_Parse) is selected by the
|
|
* message type passed to TLSX_Parse (client_hello => isRequest), not by
|
|
* the side of the WOLFSSL object. A client-side WOLFSSL is used purely as
|
|
* the parse vehicle because creating a server-side WOLFSSL would require a
|
|
* certificate to be loaded first (NO_PRIVATE_KEY otherwise). */
|
|
WOLFSSL_CTX* ctx = NULL;
|
|
WOLFSSL* ssl = NULL;
|
|
Suites* suites = NULL;
|
|
/* supported_groups (0x000a), ext len 0x0002, named_group_list len 0x0000 */
|
|
const byte emptyList[] = { 0x00, 0x0a, 0x00, 0x02, 0x00, 0x00 };
|
|
/* supported_groups (0x000a), ext len 0x0004, list len 0x0002,
|
|
* group 0xeeee (private-use value we do not support) */
|
|
const byte unsupportedOnly[] = { 0x00, 0x0a, 0x00, 0x04, 0x00, 0x02,
|
|
0xee, 0xee };
|
|
|
|
/* An empty named group list is malformed and must be rejected. */
|
|
ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method()));
|
|
ExpectNotNull(ssl = wolfSSL_new(ctx));
|
|
if (ssl != NULL)
|
|
suites = (Suites*)WOLFSSL_SUITES(ssl);
|
|
ExpectIntEQ(TLSX_Parse(ssl, emptyList, (word16)sizeof(emptyList),
|
|
client_hello, suites),
|
|
WC_NO_ERR_TRACE(BUFFER_ERROR));
|
|
wolfSSL_free(ssl);
|
|
ssl = NULL;
|
|
|
|
/* A list with only unsupported groups must still record a supported_groups
|
|
* node so that ECC/ECDHE suite selection sees the (now empty) restriction
|
|
* instead of treating the extension as absent. */
|
|
ExpectNotNull(ssl = wolfSSL_new(ctx));
|
|
if (ssl != NULL)
|
|
suites = (Suites*)WOLFSSL_SUITES(ssl);
|
|
/* Precondition: server has not preconfigured supported groups. */
|
|
ExpectNull(TLSX_Find(ssl->extensions, TLSX_SUPPORTED_GROUPS));
|
|
ExpectIntEQ(TLSX_Parse(ssl, unsupportedOnly, (word16)sizeof(unsupportedOnly),
|
|
client_hello, suites), 0);
|
|
/* The fix records an (empty) supported_groups node. */
|
|
ExpectNotNull(TLSX_Find(ssl->extensions, TLSX_SUPPORTED_GROUPS));
|
|
wolfSSL_free(ssl);
|
|
ssl = NULL;
|
|
|
|
wolfSSL_CTX_free(ctx);
|
|
|
|
#if defined(WOLFSSL_TLS13) && !defined(NO_WOLFSSL_CLIENT)
|
|
/* An empty named group list is equally malformed in a TLS 1.3
|
|
* EncryptedExtensions message (named_group_list<2..2^16-1>) and must be
|
|
* rejected with the same decode_error (BUFFER_ERROR), not silently
|
|
* accepted as the server advertising no groups. */
|
|
{
|
|
WOLFSSL_CTX* ctx13 = NULL;
|
|
WOLFSSL* ssl13 = NULL;
|
|
const byte emptyListEE[] = { 0x00, 0x0a, 0x00, 0x02, 0x00, 0x00 };
|
|
|
|
ExpectNotNull(ctx13 = wolfSSL_CTX_new(wolfTLSv1_3_client_method()));
|
|
ExpectNotNull(ssl13 = wolfSSL_new(ctx13));
|
|
/* Ensure the connection is treated as TLS 1.3 so EncryptedExtensions
|
|
* is a valid context for the extension. */
|
|
if (ssl13 != NULL) {
|
|
ssl13->version.major = SSLv3_MAJOR;
|
|
ssl13->version.minor = TLSv1_3_MINOR;
|
|
}
|
|
ExpectIntEQ(TLSX_Parse(ssl13, emptyListEE, (word16)sizeof(emptyListEE),
|
|
encrypted_extensions, NULL),
|
|
WC_NO_ERR_TRACE(BUFFER_ERROR));
|
|
wolfSSL_free(ssl13);
|
|
wolfSSL_CTX_free(ctx13);
|
|
}
|
|
#endif
|
|
#endif
|
|
return EXPECT_RESULT();
|
|
}
|
|
|
|
/* RFC 8422 Section 5.1.2: a client that sends the ec_point_formats extension
|
|
* MUST include the uncompressed (0) point format. When the uncompressed format
|
|
* is omitted the server records this (ssl->options.peerNoUncompPF) during
|
|
* parsing so the handshake can be aborted with an illegal_parameter alert if
|
|
* the client also advertised ECC named groups.
|
|
*
|
|
* - A list that contains the uncompressed format must clear the flag.
|
|
* - A list that omits the uncompressed format must set the flag.
|
|
*/
|
|
int test_TLSX_PointFormat_uncompressed_required(void)
|
|
{
|
|
EXPECT_DECLS;
|
|
#if !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) && \
|
|
!defined(NO_TLS) && defined(HAVE_SUPPORTED_CURVES) && \
|
|
defined(HAVE_TLS_EXTENSIONS) && !defined(WOLFSSL_NO_TLS12)
|
|
/* This exercises the server's parsing of a received ClientHello: the
|
|
* relevant code path (TLSX_PointFormat_Parse) is selected by the message
|
|
* type passed to TLSX_Parse (client_hello => isRequest), not by the side
|
|
* of the WOLFSSL object. A client-side WOLFSSL is used purely as the parse
|
|
* vehicle because creating a server-side WOLFSSL would require a
|
|
* certificate to be loaded first (NO_PRIVATE_KEY otherwise). The server
|
|
* build is required because TLSX_PointFormat_Parse (the PF_PARSE dispatch
|
|
* macro) is compiled to a no-op when NO_WOLFSSL_SERVER is defined. */
|
|
WOLFSSL_CTX* ctx = NULL;
|
|
WOLFSSL* ssl = NULL;
|
|
Suites* suites = NULL;
|
|
/* ec_point_formats (0x000b), ext len 0x0002, list len 0x01,
|
|
* format 0x00 (uncompressed) */
|
|
const byte withUncomp[] = { 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00 };
|
|
/* ec_point_formats (0x000b), ext len 0x0002, list len 0x01,
|
|
* format 0x01 (ansiX962_compressed_prime, uncompressed omitted) */
|
|
const byte noUncomp[] = { 0x00, 0x0b, 0x00, 0x02, 0x01, 0x01 };
|
|
/* As above but with two compressed formats and no uncompressed. */
|
|
const byte noUncomp2[] = { 0x00, 0x0b, 0x00, 0x03, 0x02, 0x01, 0x02 };
|
|
|
|
ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method()));
|
|
|
|
/* A list containing the uncompressed format leaves the flag clear and
|
|
* still adds the uncompressed format to the response. */
|
|
ExpectNotNull(ssl = wolfSSL_new(ctx));
|
|
if (ssl != NULL)
|
|
suites = (Suites*)WOLFSSL_SUITES(ssl);
|
|
ExpectIntEQ(TLSX_Parse(ssl, withUncomp, (word16)sizeof(withUncomp),
|
|
client_hello, suites), 0);
|
|
if (ssl != NULL)
|
|
ExpectIntEQ(ssl->options.peerNoUncompPF, 0);
|
|
ExpectNotNull(TLSX_Find(ssl->extensions, TLSX_EC_POINT_FORMATS));
|
|
wolfSSL_free(ssl);
|
|
ssl = NULL;
|
|
|
|
/* A single-entry list that omits the uncompressed format sets the flag. */
|
|
ExpectNotNull(ssl = wolfSSL_new(ctx));
|
|
if (ssl != NULL)
|
|
suites = (Suites*)WOLFSSL_SUITES(ssl);
|
|
ExpectIntEQ(TLSX_Parse(ssl, noUncomp, (word16)sizeof(noUncomp),
|
|
client_hello, suites), 0);
|
|
if (ssl != NULL)
|
|
ExpectIntEQ(ssl->options.peerNoUncompPF, 1);
|
|
wolfSSL_free(ssl);
|
|
ssl = NULL;
|
|
|
|
/* A multi-entry list that omits the uncompressed format sets the flag. */
|
|
ExpectNotNull(ssl = wolfSSL_new(ctx));
|
|
if (ssl != NULL)
|
|
suites = (Suites*)WOLFSSL_SUITES(ssl);
|
|
ExpectIntEQ(TLSX_Parse(ssl, noUncomp2, (word16)sizeof(noUncomp2),
|
|
client_hello, suites), 0);
|
|
if (ssl != NULL)
|
|
ExpectIntEQ(ssl->options.peerNoUncompPF, 1);
|
|
wolfSSL_free(ssl);
|
|
ssl = NULL;
|
|
|
|
wolfSSL_CTX_free(ctx);
|
|
#endif
|
|
return EXPECT_RESULT();
|
|
}
|