From 43d831ff06b888844141e9cd0b26c4b3ee6a5ee1 Mon Sep 17 00:00:00 2001 From: Sean Parkinson Date: Mon, 12 Jan 2026 20:03:14 +1000 Subject: [PATCH] API testing: split out more test cases EVP into test_evp_cipher, test_evp_digest, test_evp_pkey and test_evp. OBJ into test_ossl_obj. OpenSSL RAND into test_ossl_rand. OpenSSL PKCS7 and PKCS12 tests into test_ossl_p7p12. CertificateManager into test_certman. Move some BIO tests from api.c into test_evp_bio.c. Fix line lengths. --- CMakeLists.txt | 7 + tests/api.c | 35821 ++++++++++++---------------------- tests/api/api.h | 5 + tests/api/include.am | 17 + tests/api/test_certman.c | 2370 +++ tests/api/test_certman.h | 61 + tests/api/test_evp.c | 579 +- tests/api/test_evp.h | 22 +- tests/api/test_evp_cipher.c | 2704 +++ tests/api/test_evp_cipher.h | 108 + tests/api/test_evp_digest.c | 589 + tests/api/test_evp_digest.h | 58 + tests/api/test_evp_pkey.c | 2359 +++ tests/api/test_evp_pkey.h | 102 + tests/api/test_ossl_asn1.c | 21 +- tests/api/test_ossl_bio.c | 366 +- tests/api/test_ossl_bio.h | 6 +- tests/api/test_ossl_bn.c | 9 +- tests/api/test_ossl_dgst.c | 44 +- tests/api/test_ossl_ec.c | 9 +- tests/api/test_ossl_obj.c | 465 + tests/api/test_ossl_obj.h | 45 + tests/api/test_ossl_p7p12.c | 1321 ++ tests/api/test_ossl_p7p12.h | 54 + tests/api/test_ossl_rand.c | 340 + tests/api/test_ossl_rand.h | 39 + tests/api/test_ossl_rsa.c | 15 +- 27 files changed, 24159 insertions(+), 23377 deletions(-) create mode 100644 tests/api/test_certman.c create mode 100644 tests/api/test_certman.h create mode 100644 tests/api/test_evp_cipher.c create mode 100644 tests/api/test_evp_cipher.h create mode 100644 tests/api/test_evp_digest.c create mode 100644 tests/api/test_evp_digest.h create mode 100644 tests/api/test_evp_pkey.c create mode 100644 tests/api/test_evp_pkey.h create mode 100644 tests/api/test_ossl_obj.c create mode 100644 tests/api/test_ossl_obj.h create mode 100644 tests/api/test_ossl_p7p12.c create mode 100644 tests/api/test_ossl_p7p12.h create mode 100644 tests/api/test_ossl_rand.c create mode 100644 tests/api/test_ossl_rand.h diff --git a/CMakeLists.txt b/CMakeLists.txt index b13a79432d2..fe44d22e3d2 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -2705,6 +2705,13 @@ if(WOLFSSL_EXAMPLES) tests/api/test_ossl_x509_str.c tests/api/test_ossl_x509_lu.c tests/api/test_ossl_pem.c + tests/api/test_ossl_rand.c + tests/api/test_ossl_obj.c + tests/api/test_ossl_p7p12.c + tests/api/test_evp_digest.c + tests/api/test_evp_cipher.c + tests/api/test_evp_pkey.c + tests/api/test_certman.c tests/api/test_tls13.c tests/srp.c tests/suites.c diff --git a/tests/api.c b/tests/api.c index 5f8406b20ae..b5a7f8fcdc1 100644 --- a/tests/api.c +++ b/tests/api.c @@ -240,6 +240,13 @@ #include #include #include +#include +#include +#include +#include +#include +#include +#include #include #if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_TLS) && \ @@ -249,12 +256,6 @@ #define HAVE_SSL_MEMIO_TESTS_DEPENDENCIES #endif -#if !defined(NO_RSA) && !defined(NO_SHA) && !defined(NO_FILESYSTEM) && \ - !defined(NO_CERTS) && \ - (!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)) - #define HAVE_CERT_CHAIN_VALIDATION -#endif - #if defined(WOLFSSL_STATIC_MEMORY) && !defined(WOLFCRYPT_ONLY) #if (defined(HAVE_ECC) && !defined(ALT_ECC_SIZE)) || defined(SESSION_CERTS) #ifdef OPENSSL_EXTRA @@ -2783,22271 +2784,15128 @@ static int test_wolfSSL_CTX_load_system_CA_certs(void) return res; } -#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_TLS) -static int test_cm_load_ca_buffer(const byte* cert_buf, size_t cert_sz, - int file_type) -{ - int ret; - WOLFSSL_CERT_MANAGER* cm; - - cm = wolfSSL_CertManagerNew(); - if (cm == NULL) { - fprintf(stderr, "test_cm_load_ca failed\n"); - return -1; - } - - ret = wolfSSL_CertManagerLoadCABuffer(cm, cert_buf, (sword32)cert_sz, file_type); - - wolfSSL_CertManagerFree(cm); - - return ret; -} - -static int test_cm_load_ca_file(const char* ca_cert_file) +static int test_wolfSSL_CheckOCSPResponse(void) { - int ret = 0; - byte* cert_buf = NULL; - size_t cert_sz = 0; -#if defined(WOLFSSL_PEM_TO_DER) - DerBuffer* pDer = NULL; -#endif - - ret = load_file(ca_cert_file, &cert_buf, &cert_sz); - if (ret == 0) { - /* normal test */ - ret = test_cm_load_ca_buffer(cert_buf, cert_sz, CERT_FILETYPE); - - if (ret == WOLFSSL_SUCCESS) { - /* test including null terminator in length */ - byte* tmp = (byte*)realloc(cert_buf, cert_sz+1); - if (tmp == NULL) { - ret = MEMORY_E; - } - else { - cert_buf = tmp; - cert_buf[cert_sz] = '\0'; - ret = test_cm_load_ca_buffer(cert_buf, cert_sz+1, - CERT_FILETYPE); - } - - } + EXPECT_DECLS; +#if defined(HAVE_OCSP) && defined(OPENSSL_EXTRA) && \ + !defined(NO_RSA) && !defined(NO_SHA) + const char* responseFile = "./certs/ocsp/test-response.der"; + const char* responseMultiFile = "./certs/ocsp/test-multi-response.der"; + const char* responseNoInternFile = + "./certs/ocsp/test-response-nointern.der"; + const char* caFile = "./certs/ocsp/root-ca-cert.pem"; + OcspResponse* res = NULL; + byte data[4096]; + const unsigned char* pt; + int dataSz = 0; /* initialize to mitigate spurious maybe-uninitialized from + * gcc sanitizer with --enable-heapmath. + */ + XFILE f = XBADFILE; + WOLFSSL_OCSP_BASICRESP* bs = NULL; + WOLFSSL_X509_STORE* st = NULL; + WOLFSSL_X509* issuer = NULL; - #if defined(WOLFSSL_PEM_TO_DER) - if (ret == WOLFSSL_SUCCESS) { - /* test loading DER */ - ret = wc_PemToDer(cert_buf, (sword32)cert_sz, CA_TYPE, &pDer, - NULL, NULL, NULL); - if (ret == 0 && pDer != NULL) { - ret = test_cm_load_ca_buffer(pDer->buffer, pDer->length, - WOLFSSL_FILETYPE_ASN1); - - wc_FreeDer(&pDer); - } - } - #endif + ExpectTrue((f = XFOPEN(responseFile, "rb")) != XBADFILE); + ExpectIntGT(dataSz = (word32)XFREAD(data, 1, sizeof(data), f), 0); + if (f != XBADFILE) { + XFCLOSE(f); + f = XBADFILE; } - free(cert_buf); - return ret; -} + pt = data; + ExpectNotNull(res = wolfSSL_d2i_OCSP_RESPONSE(NULL, &pt, dataSz)); + ExpectNotNull(issuer = wolfSSL_X509_load_certificate_file(caFile, + SSL_FILETYPE_PEM)); + ExpectNotNull(st = wolfSSL_X509_STORE_new()); + ExpectIntEQ(wolfSSL_X509_STORE_add_cert(st, issuer), WOLFSSL_SUCCESS); + ExpectNotNull(bs = wolfSSL_OCSP_response_get1_basic(res)); + ExpectIntEQ(wolfSSL_OCSP_basic_verify(bs, NULL, st, 0), WOLFSSL_SUCCESS); + wolfSSL_OCSP_BASICRESP_free(bs); + bs = NULL; + wolfSSL_OCSP_RESPONSE_free(res); + res = NULL; + wolfSSL_X509_STORE_free(st); + st = NULL; + wolfSSL_X509_free(issuer); + issuer = NULL; -static int test_cm_load_ca_buffer_ex(const byte* cert_buf, size_t cert_sz, - int file_type, word32 flags) -{ - int ret; - WOLFSSL_CERT_MANAGER* cm; + /* check loading a response with optional certs */ + ExpectTrue((f = XFOPEN(responseNoInternFile, "rb")) != XBADFILE); + ExpectIntGT(dataSz = (word32)XFREAD(data, 1, sizeof(data), f), 0); + if (f != XBADFILE) + XFCLOSE(f); + f = XBADFILE; - cm = wolfSSL_CertManagerNew(); - if (cm == NULL) { - fprintf(stderr, "test_cm_load_ca failed\n"); - return -1; - } + pt = data; + ExpectNotNull(res = wolfSSL_d2i_OCSP_RESPONSE(NULL, &pt, dataSz)); + wolfSSL_OCSP_RESPONSE_free(res); + res = NULL; - ret = wolfSSL_CertManagerLoadCABuffer_ex(cm, cert_buf, (sword32)cert_sz, file_type, - 0, flags); + /* check loading a response with multiple certs */ + { + WOLFSSL_CERT_MANAGER* cm = NULL; + OcspEntry *entry = NULL; + CertStatus* status = NULL; + OcspRequest* request = NULL; - wolfSSL_CertManagerFree(cm); + byte serial1[] = {0x01}; + byte serial[] = {0x02}; - return ret; -} + byte issuerHash[] = { + 0x44, 0xA8, 0xDB, 0xD1, 0xBC, 0x97, 0x0A, 0x83, + 0x3B, 0x5B, 0x31, 0x9A, 0x4C, 0xB8, 0xD2, 0x52, + 0x37, 0x15, 0x8A, 0x88 + }; + byte issuerKeyHash[] = { + 0x73, 0xB0, 0x1C, 0xA4, 0x2F, 0x82, 0xCB, 0xCF, + 0x47, 0xA5, 0x38, 0xD7, 0xB0, 0x04, 0x82, 0x3A, + 0x7E, 0x72, 0x15, 0x21 + }; -static int test_cm_load_ca_file_ex(const char* ca_cert_file, word32 flags) -{ - int ret = 0; - byte* cert_buf = NULL; - size_t cert_sz = 0; -#if defined(WOLFSSL_PEM_TO_DER) - DerBuffer* pDer = NULL; -#endif + ExpectNotNull(entry = (OcspEntry*)XMALLOC(sizeof(OcspEntry), NULL, + DYNAMIC_TYPE_OPENSSL)); - ret = load_file(ca_cert_file, &cert_buf, &cert_sz); - if (ret == 0) { - /* normal test */ - ret = test_cm_load_ca_buffer_ex(cert_buf, cert_sz, - CERT_FILETYPE, flags); + ExpectNotNull(status = (CertStatus*)XMALLOC(sizeof(CertStatus), NULL, + DYNAMIC_TYPE_OPENSSL)); - if (ret == WOLFSSL_SUCCESS) { - /* test including null terminator in length */ - byte* tmp = (byte*)realloc(cert_buf, cert_sz+1); - if (tmp == NULL) { - ret = MEMORY_E; - } - else { - cert_buf = tmp; - cert_buf[cert_sz] = '\0'; - ret = test_cm_load_ca_buffer_ex(cert_buf, cert_sz+1, - CERT_FILETYPE, flags); - } + if (entry != NULL) + XMEMSET(entry, 0, sizeof(OcspEntry)); + if (status != NULL) + XMEMSET(status, 0, sizeof(CertStatus)); - } + ExpectNotNull(request = wolfSSL_OCSP_REQUEST_new()); + ExpectNotNull(request->serial = (byte*)XMALLOC(sizeof(serial), NULL, + DYNAMIC_TYPE_OCSP_REQUEST)); - #if defined(WOLFSSL_PEM_TO_DER) - if (ret == WOLFSSL_SUCCESS) { - /* test loading DER */ - ret = wc_PemToDer(cert_buf, (sword32)cert_sz, CA_TYPE, &pDer, - NULL, NULL, NULL); - if (ret == 0 && pDer != NULL) { - ret = test_cm_load_ca_buffer_ex(pDer->buffer, pDer->length, - WOLFSSL_FILETYPE_ASN1, flags); - - wc_FreeDer(&pDer); - } + if (request != NULL && request->serial != NULL) { + request->serialSz = sizeof(serial); + XMEMCPY(request->serial, serial, sizeof(serial)); + XMEMCPY(request->issuerHash, issuerHash, sizeof(issuerHash)); + XMEMCPY(request->issuerKeyHash, issuerKeyHash, + sizeof(issuerKeyHash)); } - #endif - } - free(cert_buf); + ExpectNotNull(cm = wolfSSL_CertManagerNew_ex(NULL)); + ExpectIntEQ(wolfSSL_CertManagerEnableOCSP(cm, 0), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CertManagerLoadCA(cm, caFile, NULL), + WOLFSSL_SUCCESS); - return ret; -} + ExpectTrue((f = XFOPEN(responseMultiFile, "rb")) != XBADFILE); + ExpectIntGT(dataSz = (word32)XFREAD(data, 1, sizeof(data), f), 0); + if (f != XBADFILE) + XFCLOSE(f); + f = XBADFILE; -#endif /* !NO_FILESYSTEM && !NO_CERTS */ + ExpectIntEQ(wolfSSL_CertManagerCheckOCSPResponse(cm, data, + dataSz, NULL, status, entry, request), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CertManagerCheckOCSPResponse(cm, data, + dataSz, NULL, entry->status, entry, request), WOLFSSL_SUCCESS); + ExpectNotNull(entry->status); -static int test_wolfSSL_CertManagerAPI(void) -{ - EXPECT_DECLS; -#ifndef NO_CERTS - WOLFSSL_CERT_MANAGER* cm = NULL; - unsigned char c = 0; + if (request != NULL && request->serial != NULL) + XMEMCPY(request->serial, serial1, sizeof(serial1)); + ExpectIntEQ(wolfSSL_CertManagerCheckOCSPResponse(cm, data, + dataSz, NULL, status, entry, request), WOLFSSL_SUCCESS); - ExpectNotNull(cm = wolfSSL_CertManagerNew_ex(NULL)); + /* store both status's in the entry to check that "next" is not + * overwritten */ + if (EXPECT_SUCCESS() && status != NULL && entry != NULL) { + status->next = entry->status; + entry->status = status; + } - wolfSSL_CertManagerFree(NULL); - ExpectIntEQ(wolfSSL_CertManager_up_ref(NULL), 0); - ExpectIntEQ(wolfSSL_CertManagerUnloadCAs(NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); -#ifdef WOLFSSL_TRUST_PEER_CERT - ExpectIntEQ(wolfSSL_CertManagerUnload_trust_peers(NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); -#endif + if (request != NULL && request->serial != NULL) + XMEMCPY(request->serial, serial, sizeof(serial)); + ExpectIntEQ(wolfSSL_CertManagerCheckOCSPResponse(cm, data, + dataSz, NULL, entry->status, entry, request), WOLFSSL_SUCCESS); + ExpectNotNull(entry->status->next); - ExpectIntEQ(wolfSSL_CertManagerLoadCABuffer_ex(NULL, &c, 1, - WOLFSSL_FILETYPE_ASN1, 0, 0), WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); + /* compare the status found */ + ExpectIntEQ(status->serialSz, entry->status->serialSz); + ExpectIntEQ(XMEMCMP(status->serial, entry->status->serial, + status->serialSz), 0); -#if !defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH) - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(NULL, NULL, -1, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, NULL, -1, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(NULL, &c, -1, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(NULL, NULL, 1, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(NULL, &c, 1, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, NULL, 1, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, &c, -1, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, &c, 1, -1), - WC_NO_ERR_TRACE(WOLFSSL_BAD_FILETYPE)); -#endif + if (status != NULL && entry != NULL && entry->status != status) { + XFREE(status, NULL, DYNAMIC_TYPE_OPENSSL); + } + wolfSSL_OCSP_CERTID_free(entry); + wolfSSL_OCSP_REQUEST_free(request); + wolfSSL_CertManagerFree(cm); + } -#if !defined(NO_FILESYSTEM) +/* FIPS v2 and below don't support long salts. */ +#if defined(WC_RSA_PSS) && \ + (!defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && \ + (HAVE_FIPS_VERSION > 2))) && (!defined(HAVE_SELFTEST) || \ + (defined(HAVE_SELFTEST_VERSION) && (HAVE_SELFTEST_VERSION > 2))) { - #ifdef WOLFSSL_PEM_TO_DER - const char* ca_cert = "./certs/ca-cert.pem"; - #if !defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH) - const char* ca_cert_der = "./certs/ca-cert.der"; - #endif - #else - const char* ca_cert = "./certs/ca-cert.der"; - #endif - const char* ca_path = "./certs"; + const char* responsePssFile = "./certs/ocsp/test-response-rsapss.der"; - #if !defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH) - ExpectIntEQ(wolfSSL_CertManagerVerify(NULL, NULL, -1), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerVerify(cm, NULL, WOLFSSL_FILETYPE_ASN1), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerVerify(NULL, ca_cert, - WOLFSSL_FILETYPE_PEM), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerVerify(cm, ca_cert, -1), - WC_NO_ERR_TRACE(WOLFSSL_BAD_FILETYPE)); -#ifdef WOLFSSL_PEM_TO_DER - ExpectIntEQ(wolfSSL_CertManagerVerify(cm, ca_cert_der, - WOLFSSL_FILETYPE_PEM), WC_NO_ERR_TRACE(ASN_NO_PEM_HEADER)); -#endif - ExpectIntEQ(wolfSSL_CertManagerVerify(cm, "no-file", - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(WOLFSSL_BAD_FILE)); - #endif + /* check loading a response with RSA-PSS signature */ + ExpectTrue((f = XFOPEN(responsePssFile, "rb")) != XBADFILE); + ExpectIntGT(dataSz = (word32)XFREAD(data, 1, sizeof(data), f), 0); + if (f != XBADFILE) + XFCLOSE(f); - ExpectIntEQ(wolfSSL_CertManagerLoadCA(NULL, NULL, NULL), - WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); - ExpectIntEQ(wolfSSL_CertManagerLoadCA(NULL, ca_cert, NULL), - WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); - ExpectIntEQ(wolfSSL_CertManagerLoadCA(NULL, NULL, ca_path), - WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); - ExpectIntEQ(wolfSSL_CertManagerLoadCA(NULL, ca_cert, ca_path), - WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); - } -#endif + pt = data; + ExpectNotNull(res = wolfSSL_d2i_OCSP_RESPONSE(NULL, &pt, dataSz)); -#ifdef OPENSSL_COMPATIBLE_DEFAULTS - ExpectIntEQ(wolfSSL_CertManagerEnableCRL(cm, 0), 1); -#elif !defined(HAVE_CRL) - ExpectIntEQ(wolfSSL_CertManagerEnableCRL(cm, 0), WC_NO_ERR_TRACE(NOT_COMPILED_IN)); + /* try to verify the response */ + ExpectNotNull(issuer = wolfSSL_X509_load_certificate_file(caFile, + SSL_FILETYPE_PEM)); + ExpectNotNull(st = wolfSSL_X509_STORE_new()); + ExpectIntEQ(wolfSSL_X509_STORE_add_cert(st, issuer), WOLFSSL_SUCCESS); + ExpectNotNull(bs = wolfSSL_OCSP_response_get1_basic(res)); + ExpectIntEQ(wolfSSL_OCSP_basic_verify(bs, NULL, st, 0), + WOLFSSL_SUCCESS); + wolfSSL_OCSP_BASICRESP_free(bs); + wolfSSL_OCSP_RESPONSE_free(res); + wolfSSL_X509_STORE_free(st); + wolfSSL_X509_free(issuer); + } #endif +#endif /* HAVE_OCSP */ + return EXPECT_RESULT(); +} - ExpectIntEQ(wolfSSL_CertManagerDisableCRL(NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerDisableCRL(cm), 1); -#ifdef HAVE_CRL - /* Test APIs when CRL is disabled. */ -#ifdef HAVE_CRL_IO - ExpectIntEQ(wolfSSL_CertManagerSetCRL_IOCb(cm, NULL), 1); -#endif - ExpectIntEQ(wolfSSL_CertManagerCheckCRL(cm, server_cert_der_2048, - sizeof_server_cert_der_2048), 1); - ExpectIntEQ(wolfSSL_CertManagerFreeCRL(cm), 1); -#endif - - /* OCSP */ - ExpectIntEQ(wolfSSL_CertManagerEnableOCSP(NULL, 0), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerDisableOCSP(NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerEnableOCSPStapling(NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerDisableOCSPStapling(NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerEnableOCSPMustStaple(NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerDisableOCSPMustStaple(NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); -#if !defined(HAVE_CERTIFICATE_STATUS_REQUEST) && \ - !defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) - ExpectIntEQ(wolfSSL_CertManagerDisableOCSPStapling(cm), WC_NO_ERR_TRACE(NOT_COMPILED_IN)); - ExpectIntEQ(wolfSSL_CertManagerEnableOCSPMustStaple(cm), WC_NO_ERR_TRACE(NOT_COMPILED_IN)); - ExpectIntEQ(wolfSSL_CertManagerDisableOCSPMustStaple(cm), WC_NO_ERR_TRACE(NOT_COMPILED_IN)); -#endif - -#ifdef HAVE_OCSP - ExpectIntEQ(wolfSSL_CertManagerCheckOCSP(NULL, NULL, -1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerCheckOCSP(cm, NULL, -1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerCheckOCSP(NULL, &c, -1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerCheckOCSP(NULL, NULL, 1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerCheckOCSP(NULL, &c, 1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerCheckOCSP(cm, NULL, 1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerCheckOCSP(cm, &c, -1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - - ExpectIntEQ(wolfSSL_CertManagerCheckOCSPResponse(NULL, NULL, 0, - NULL, NULL, NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerCheckOCSPResponse(cm, NULL, 1, - NULL, NULL, NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerCheckOCSPResponse(NULL, &c, 1, - NULL, NULL, NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - - ExpectIntEQ(wolfSSL_CertManagerSetOCSPOverrideURL(NULL, NULL), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerSetOCSPOverrideURL(NULL, ""), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerSetOCSPOverrideURL(cm, NULL), 1); +static int test_wolfSSL_FPKI(void) +{ + EXPECT_DECLS; +#if defined(WOLFSSL_FPKI) && !defined(NO_RSA) && !defined(NO_FILESYSTEM) + XFILE f = XBADFILE; + const char* fpkiCert = "./certs/fpki-cert.der"; + const char* fpkiCertPolCert = "./certs/fpki-certpol-cert.der"; + DecodedCert cert; + byte buf[4096]; + byte* uuid = NULL; + byte* fascn = NULL; + word32 fascnSz; + word32 uuidSz; + int bytes = 0; - ExpectIntEQ(wolfSSL_CertManagerSetOCSP_Cb(NULL, NULL, NULL, NULL), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerSetOCSP_Cb(cm, NULL, NULL, NULL), 1); + ExpectTrue((f = XFOPEN(fpkiCert, "rb")) != XBADFILE); + ExpectIntGT(bytes = (int)XFREAD(buf, 1, sizeof(buf), f), 0); + if (f != XBADFILE) + XFCLOSE(f); - ExpectIntEQ(wolfSSL_CertManagerDisableOCSP(cm), 1); - /* Test APIs when OCSP is disabled. */ - ExpectIntEQ(wolfSSL_CertManagerCheckOCSPResponse(cm, &c, 1, - NULL, NULL, NULL, NULL), 1); - ExpectIntEQ(wolfSSL_CertManagerCheckOCSP(cm, &c, 1), 1); + wc_InitDecodedCert(&cert, buf, (word32)bytes, NULL); + ExpectIntEQ(wc_ParseCert(&cert, CERT_TYPE, 0, NULL), 0); + ExpectIntEQ(wc_GetFASCNFromCert(&cert, NULL, &fascnSz), WC_NO_ERR_TRACE(LENGTH_ONLY_E)); + ExpectNotNull(fascn = (byte*)XMALLOC(fascnSz, NULL, + DYNAMIC_TYPE_TMP_BUFFER)); + ExpectIntEQ(wc_GetFASCNFromCert(&cert, fascn, &fascnSz), 0); + XFREE(fascn, NULL, DYNAMIC_TYPE_TMP_BUFFER); + fascn = NULL; -#endif + ExpectIntEQ(wc_GetUUIDFromCert(&cert, NULL, &uuidSz), WC_NO_ERR_TRACE(LENGTH_ONLY_E)); + ExpectNotNull(uuid = (byte*)XMALLOC(uuidSz, NULL, DYNAMIC_TYPE_TMP_BUFFER)); + ExpectIntEQ(wc_GetUUIDFromCert(&cert, uuid, &uuidSz), 0); + XFREE(uuid, NULL, DYNAMIC_TYPE_TMP_BUFFER); + uuid = NULL; + wc_FreeDecodedCert(&cert); - ExpectIntEQ(wolfSSL_CertManager_up_ref(cm), 1); - if (EXPECT_SUCCESS()) { - wolfSSL_CertManagerFree(cm); - } - wolfSSL_CertManagerFree(cm); - cm = NULL; + XMEMSET(buf, 0, 4096); + fascnSz = uuidSz = bytes = 0; + f = XBADFILE; - ExpectNotNull(cm = wolfSSL_CertManagerNew_ex(NULL)); + ExpectTrue((f = XFOPEN(fpkiCertPolCert, "rb")) != XBADFILE); + ExpectIntGT(bytes = (int)XFREAD(buf, 1, sizeof(buf), f), 0); + if (f != XBADFILE) + XFCLOSE(f); -#ifdef HAVE_OCSP - ExpectIntEQ(wolfSSL_CertManagerEnableOCSP(cm, WOLFSSL_OCSP_URL_OVERRIDE | - WOLFSSL_OCSP_CHECKALL), 1); -#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) || \ - defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) - ExpectIntEQ(wolfSSL_CertManagerEnableOCSPStapling(cm), 1); - ExpectIntEQ(wolfSSL_CertManagerEnableOCSPStapling(cm), 1); - ExpectIntEQ(wolfSSL_CertManagerDisableOCSPStapling(cm), 1); - ExpectIntEQ(wolfSSL_CertManagerEnableOCSPStapling(cm), 1); - ExpectIntEQ(wolfSSL_CertManagerEnableOCSPMustStaple(cm), 1); - ExpectIntEQ(wolfSSL_CertManagerDisableOCSPMustStaple(cm), 1); -#endif + wc_InitDecodedCert(&cert, buf, (word32)bytes, NULL); + ExpectIntEQ(wc_ParseCert(&cert, CERT_TYPE, 0, NULL), 0); + ExpectIntEQ(wc_GetFASCNFromCert(&cert, NULL, &fascnSz), WC_NO_ERR_TRACE(LENGTH_ONLY_E)); + ExpectNotNull(fascn = (byte*)XMALLOC(fascnSz, NULL, + DYNAMIC_TYPE_TMP_BUFFER)); + ExpectIntEQ(wc_GetFASCNFromCert(&cert, fascn, &fascnSz), 0); + XFREE(fascn, NULL, DYNAMIC_TYPE_TMP_BUFFER); - ExpectIntEQ(wolfSSL_CertManagerSetOCSPOverrideURL(cm, ""), 1); - ExpectIntEQ(wolfSSL_CertManagerSetOCSPOverrideURL(cm, ""), 1); + ExpectIntEQ(wc_GetUUIDFromCert(&cert, NULL, &uuidSz), WC_NO_ERR_TRACE(LENGTH_ONLY_E)); + ExpectNotNull(uuid = (byte*)XMALLOC(uuidSz, NULL, DYNAMIC_TYPE_TMP_BUFFER)); + ExpectIntEQ(wc_GetUUIDFromCert(&cert, uuid, &uuidSz), 0); + XFREE(uuid, NULL, DYNAMIC_TYPE_TMP_BUFFER); + wc_FreeDecodedCert(&cert); #endif -#ifdef WOLFSSL_TRUST_PEER_CERT - ExpectIntEQ(wolfSSL_CertManagerUnload_trust_peers(cm), 1); -#endif - wolfSSL_CertManagerFree(cm); -#endif return EXPECT_RESULT(); } -static int test_wolfSSL_CertManagerLoadCABuffer(void) +/* use RID in confuncture with other names to test parsing of unknown other + * names */ +static int test_wolfSSL_OtherName(void) { EXPECT_DECLS; -#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_TLS) -#if defined(WOLFSSL_PEM_TO_DER) - const char* ca_cert = "./certs/ca-cert.pem"; - const char* ca_expired_cert = "./certs/test/expired/expired-ca.pem"; -#else - const char* ca_cert = "./certs/ca-cert.der"; - const char* ca_expired_cert = "./certs/test/expired/expired-ca.der"; -#endif - int ret; +#if !defined(NO_RSA) && !defined(NO_FILESYSTEM) + XFILE f = XBADFILE; + const char* ridCert = "./certs/rid-cert.der"; + DecodedCert cert; + byte buf[4096]; + int bytes = 0; - ExpectIntLE(ret = test_cm_load_ca_file(ca_cert), 1); -#if defined(NO_WOLFSSL_CLIENT) && defined(NO_WOLFSSL_SERVER) - ExpectIntEQ(ret, WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); -#elif defined(NO_RSA) - ExpectIntEQ(ret, WC_NO_ERR_TRACE(ASN_UNKNOWN_OID_E)); -#else - ExpectIntEQ(ret, WOLFSSL_SUCCESS); -#endif + ExpectTrue((f = XFOPEN(ridCert, "rb")) != XBADFILE); + ExpectIntGT(bytes = (int)XFREAD(buf, 1, sizeof(buf), f), 0); + if (f != XBADFILE) + XFCLOSE(f); - ExpectIntLE(ret = test_cm_load_ca_file(ca_expired_cert), 1); -#if defined(NO_WOLFSSL_CLIENT) && defined(NO_WOLFSSL_SERVER) - ExpectIntEQ(ret, WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); -#elif defined(NO_RSA) - ExpectIntEQ(ret, WC_NO_ERR_TRACE(ASN_UNKNOWN_OID_E)); -#elif !(WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS & WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY) && \ - !defined(NO_ASN_TIME) - ExpectIntEQ(ret, WC_NO_ERR_TRACE(ASN_AFTER_DATE_E)); -#else - ExpectIntEQ(ret, WOLFSSL_SUCCESS); -#endif + wc_InitDecodedCert(&cert, buf, (word32)bytes, NULL); + ExpectIntEQ(wc_ParseCert(&cert, CERT_TYPE, 0, NULL), 0); + wc_FreeDecodedCert(&cert); #endif + return EXPECT_RESULT(); } -static int test_wolfSSL_CertManagerLoadCABuffer_ex(void) +#ifdef HAVE_CERT_CHAIN_VALIDATION +#ifndef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION +static int test_wolfSSL_CertRsaPss(void) { EXPECT_DECLS; -#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_TLS) -#if defined(WOLFSSL_PEM_TO_DER) - const char* ca_cert = "./certs/ca-cert.pem"; - const char* ca_expired_cert = "./certs/test/expired/expired-ca.pem"; +/* FIPS v2 and below don't support long salts. */ +#if !defined(NO_RSA) && defined(WC_RSA_PSS) && !defined(NO_FILESYSTEM) && \ + (!defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && \ + (HAVE_FIPS_VERSION > 2))) && (!defined(HAVE_SELFTEST) || \ + (defined(HAVE_SELFTEST_VERSION) && (HAVE_SELFTEST_VERSION > 2))) + XFILE f = XBADFILE; +#ifndef NO_SHA256 + const char* rsaPssSha256Cert = "./certs/rsapss/ca-rsapss.der"; +#ifdef WOLFSSL_PEM_TO_DER + const char* rsaPssRootSha256Cert = "./certs/rsapss/root-rsapss.pem"; #else - const char* ca_cert = "./certs/ca-cert.der"; - const char* ca_expired_cert = "./certs/test/expired/expired-ca.der"; + const char* rsaPssRootSha256Cert = "./certs/rsapss/root-rsapss.der"; #endif - int ret; - - ExpectIntLE(ret = test_cm_load_ca_file_ex(ca_cert, WOLFSSL_LOAD_FLAG_NONE), - 1); -#if defined(NO_WOLFSSL_CLIENT) && defined(NO_WOLFSSL_SERVER) - ExpectIntEQ(ret, WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); -#elif defined(NO_RSA) - ExpectIntEQ(ret, WC_NO_ERR_TRACE(ASN_UNKNOWN_OID_E)); -#else - ExpectIntEQ(ret, WOLFSSL_SUCCESS); #endif - - ExpectIntLE(ret = test_cm_load_ca_file_ex(ca_expired_cert, - WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY), 1); -#if defined(NO_WOLFSSL_CLIENT) && defined(NO_WOLFSSL_SERVER) - ExpectIntEQ(ret, WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); -#elif defined(NO_RSA) - ExpectIntEQ(ret, WC_NO_ERR_TRACE(ASN_UNKNOWN_OID_E)); -#elif !(WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS & WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY) && \ - !defined(NO_ASN_TIME) && defined(WOLFSSL_TRUST_PEER_CERT) && \ - defined(OPENSSL_COMPATIBLE_DEFAULTS) - ExpectIntEQ(ret, WC_NO_ERR_TRACE(ASN_AFTER_DATE_E)); +#if defined(WOLFSSL_SHA384) && defined(WOLFSSL_PSS_LONG_SALT) && \ + RSA_MAX_SIZE >= 3072 + const char* rsaPssSha384Cert = "./certs/rsapss/ca-3072-rsapss.der"; +#endif +#if defined(WOLFSSL_SHA384) && RSA_MAX_SIZE >= 3072 +#ifdef WOLFSSL_PEM_TO_DER + const char* rsaPssRootSha384Cert = "./certs/rsapss/root-3072-rsapss.pem"; #else - ExpectIntEQ(ret, WOLFSSL_SUCCESS); + const char* rsaPssRootSha384Cert = "./certs/rsapss/root-3072-rsapss.der"; #endif - #endif - - return EXPECT_RESULT(); -} - -static int test_wolfSSL_CertManagerLoadCABufferType(void) -{ - EXPECT_DECLS; -#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_TLS) && \ - !defined(NO_RSA) && !defined(NO_SHA256) && \ - !defined(WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION) -#if defined(WOLFSSL_PEM_TO_DER) - const char* ca_cert = "./certs/ca-cert.pem"; - const char* int1_cert = "./certs/intermediate/ca-int-cert.pem"; - const char* int2_cert = "./certs/intermediate/ca-int2-cert.pem"; - const char* client_cert = "./certs/intermediate/client-int-cert.pem"; -#else - const char* ca_cert = "./certs/ca-cert.der"; - const char* int1_cert = "./certs/intermediate/ca-int-cert.der"; - const char* int2_cert = "./certs/intermediate/ca-int2-cert.der"; - const char* client_cert = "./certs/intermediate/client-int-cert.der"; -#endif - byte* ca_cert_buf = NULL; - byte* int1_cert_buf = NULL; - byte* int2_cert_buf = NULL; - byte* client_cert_buf = NULL; - size_t ca_cert_sz = 0; - size_t int1_cert_sz = 0; - size_t int2_cert_sz = 0; - size_t client_cert_sz = 0; + DecodedCert cert; + byte buf[4096]; + int bytes = 0; WOLFSSL_CERT_MANAGER* cm = NULL; ExpectNotNull(cm = wolfSSL_CertManagerNew()); - ExpectIntEQ(load_file(ca_cert, &ca_cert_buf, &ca_cert_sz), 0); - ExpectIntEQ(load_file(int1_cert, &int1_cert_buf, &int1_cert_sz), 0); - ExpectIntEQ(load_file(int2_cert, &int2_cert_buf, &int2_cert_sz), 0); - ExpectIntEQ(load_file(client_cert, &client_cert_buf, &client_cert_sz), 0); - - ExpectIntNE(wolfSSL_CertManagerLoadCABufferType(cm, ca_cert_buf, - (sword32)ca_cert_sz, CERT_FILETYPE, 0, - WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, 0), WOLFSSL_SUCCESS); - ExpectIntNE(wolfSSL_CertManagerLoadCABufferType(cm, ca_cert_buf, - (sword32)ca_cert_sz, CERT_FILETYPE, 0, - WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, 5), WOLFSSL_SUCCESS); - - ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, ca_cert_buf, - (sword32)ca_cert_sz, CERT_FILETYPE, 0, - WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_USER_CA), - WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int1_cert_buf, - int1_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, int1_cert_buf, - (sword32)int1_cert_sz, CERT_FILETYPE, 0, - WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_USER_INTER), - WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf, - int2_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, int2_cert_buf, - (sword32)int2_cert_sz, CERT_FILETYPE, 0, - WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_USER_INTER), - WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf, - client_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, client_cert_buf, - (sword32)client_cert_sz, CERT_FILETYPE, 0, - WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_USER_INTER), - WOLFSSL_SUCCESS); - - ExpectIntEQ(wolfSSL_CertManagerUnloadTypeCerts(cm, WOLFSSL_USER_INTER), - WOLFSSL_SUCCESS); - - /* Intermediate certs have been unloaded, but CA cert is still - loaded. Expect first level intermediate to verify, rest to fail. */ - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int1_cert_buf, - int1_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); - ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf, - int2_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); - ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf, - client_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); - - ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, int1_cert_buf, - (sword32)int1_cert_sz, CERT_FILETYPE, 0, - WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_TEMP_CA), - WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf, - int2_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, int2_cert_buf, - (sword32)int2_cert_sz, CERT_FILETYPE, 0, - WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_CHAIN_CA), - WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf, - client_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, client_cert_buf, - (sword32)client_cert_sz, CERT_FILETYPE, 0, - WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_USER_INTER), - WOLFSSL_SUCCESS); - - ExpectIntEQ(wolfSSL_CertManagerUnloadTypeCerts(cm, WOLFSSL_USER_INTER), - WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int1_cert_buf, - int1_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf, - int2_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf, - client_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); - - ExpectIntEQ(wolfSSL_CertManagerUnloadTypeCerts(cm, WOLFSSL_CHAIN_CA), - WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int1_cert_buf, - int1_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf, - int2_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); - ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf, - client_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); - - ExpectIntEQ(wolfSSL_CertManagerUnloadTypeCerts(cm, WOLFSSL_TEMP_CA), - WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int1_cert_buf, - int1_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); - ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf, - int2_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); - ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf, - client_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); - - ExpectIntEQ(wolfSSL_CertManagerUnloadTypeCerts(cm, WOLFSSL_USER_CA), - WOLFSSL_SUCCESS); - ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, int1_cert_buf, - int1_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); - ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf, - int2_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); - ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf, - client_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); - - if (cm) - wolfSSL_CertManagerFree(cm); - if (ca_cert_buf) - free(ca_cert_buf); - if (int1_cert_buf) - free(int1_cert_buf); - if (int2_cert_buf) - free(int2_cert_buf); - if (client_cert_buf) - free(client_cert_buf); +#ifndef NO_SHA256 + ExpectIntEQ(WOLFSSL_SUCCESS, + wolfSSL_CertManagerLoadCA(cm, rsaPssRootSha256Cert, NULL)); #endif - - return EXPECT_RESULT(); -} - -static int test_wolfSSL_CertManagerGetCerts(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_ALL) && !defined(NO_CERTS) && \ - !defined(NO_FILESYSTEM) && !defined(NO_RSA) && \ - defined(WOLFSSL_SIGNER_DER_CERT) - WOLFSSL_CERT_MANAGER* cm = NULL; - WOLFSSL_STACK* sk = NULL; - X509* x509 = NULL; - X509* cert1 = NULL; - FILE* file1 = NULL; -#ifdef DEBUG_WOLFSSL_VERBOSE - WOLFSSL_BIO* bio = NULL; +#if defined(WOLFSSL_SHA384) && RSA_MAX_SIZE >= 3072 + ExpectIntEQ(WOLFSSL_SUCCESS, + wolfSSL_CertManagerLoadCA(cm, rsaPssRootSha384Cert, NULL)); #endif - int i = 0; - int ret = 0; - const byte* der = NULL; - int derSz = 0; - - ExpectNotNull(file1 = fopen("./certs/ca-cert.pem", "rb")); - ExpectNotNull(cert1 = wolfSSL_PEM_read_X509(file1, NULL, NULL, NULL)); - if (file1 != NULL) { - fclose(file1); +#ifndef NO_SHA256 + ExpectTrue((f = XFOPEN(rsaPssSha256Cert, "rb")) != XBADFILE); + ExpectIntGT(bytes = (int)XFREAD(buf, 1, sizeof(buf), f), 0); + if (f != XBADFILE) { + XFCLOSE(f); + f = XBADFILE; } - - ExpectNull(sk = wolfSSL_CertManagerGetCerts(NULL)); - ExpectNotNull(cm = wolfSSL_CertManagerNew_ex(NULL)); - ExpectNull(sk = wolfSSL_CertManagerGetCerts(cm)); - - ExpectNotNull(der = wolfSSL_X509_get_der(cert1, &derSz)); -#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) - /* Check that ASN_SELF_SIGNED_E is returned for a self-signed cert for QT - * and full OpenSSL compatibility */ - ExpectIntEQ(ret = wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_SELF_SIGNED_E)); -#else - ExpectIntEQ(ret = wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NO_SIGNER_E)); + wc_InitDecodedCert(&cert, buf, (word32)bytes, NULL); + ExpectIntEQ(wc_ParseCert(&cert, CERT_TYPE, VERIFY, cm), 0); + wc_FreeDecodedCert(&cert); #endif - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CertManagerLoadCA(cm, - "./certs/ca-cert.pem", NULL)); - - ExpectNotNull(sk = wolfSSL_CertManagerGetCerts(cm)); - - for (i = 0; EXPECT_SUCCESS() && i < sk_X509_num(sk); i++) { - ExpectNotNull(x509 = sk_X509_value(sk, i)); - ExpectIntEQ(0, wolfSSL_X509_cmp(x509, cert1)); +#if defined(WOLFSSL_SHA384) && defined(WOLFSSL_PSS_LONG_SALT) && \ + RSA_MAX_SIZE >= 3072 + ExpectTrue((f = XFOPEN(rsaPssSha384Cert, "rb")) != XBADFILE); + ExpectIntGT(bytes = (int)XFREAD(buf, 1, sizeof(buf), f), 0); + if (f != XBADFILE) + XFCLOSE(f); + wc_InitDecodedCert(&cert, buf, (word32)bytes, NULL); + ExpectIntEQ(wc_ParseCert(&cert, CERT_TYPE, VERIFY, cm), 0); + wc_FreeDecodedCert(&cert); +#endif -#ifdef DEBUG_WOLFSSL_VERBOSE - bio = BIO_new(wolfSSL_BIO_s_file()); - if (bio != NULL) { - BIO_set_fp(bio, stderr, BIO_NOCLOSE); - X509_print(bio, x509); - BIO_free(bio); - } -#endif /* DEBUG_WOLFSSL_VERBOSE */ - } - wolfSSL_X509_free(cert1); - sk_X509_pop_free(sk, NULL); wolfSSL_CertManagerFree(cm); -#endif /* defined(OPENSSL_ALL) && !defined(NO_CERTS) && \ - !defined(NO_FILESYSTEM) && !defined(NO_RSA) && \ - defined(WOLFSSL_SIGNER_DER_CERT) */ + + (void)buf; + (void)bytes; +#endif return EXPECT_RESULT(); } +#endif /* WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION */ +#endif /* HAVE_CERT_CHAIN_VALIDATION */ -static int test_wolfSSL_CertManagerSetVerify(void) + +static int test_wolfSSL_CTX_load_verify_locations_ex(void) { EXPECT_DECLS; #if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_TLS) && \ - !defined(NO_WOLFSSL_CM_VERIFY) && !defined(NO_RSA) && \ - (!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)) - WOLFSSL_CERT_MANAGER* cm = NULL; - int tmp = myVerifyAction; + !defined(NO_WOLFSSL_CLIENT) && !defined(NO_RSA) + WOLFSSL_CTX* ctx = NULL; #ifdef WOLFSSL_PEM_TO_DER const char* ca_cert = "./certs/ca-cert.pem"; - const char* expiredCert = "./certs/test/expired/expired-cert.pem"; + const char* ca_expired_cert = "./certs/test/expired/expired-ca.pem"; #else const char* ca_cert = "./certs/ca-cert.der"; - const char* expiredCert = "./certs/test/expired/expired-cert.der"; + const char* ca_expired_cert = "./certs/test/expired/expired-ca.der"; #endif - wolfSSL_CertManagerSetVerify(NULL, NULL); - wolfSSL_CertManagerSetVerify(NULL, myVerify); - - ExpectNotNull(cm = wolfSSL_CertManagerNew()); + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); - wolfSSL_CertManagerSetVerify(cm, myVerify); + /* test good CA */ + ExpectTrue(WOLFSSL_SUCCESS == + wolfSSL_CTX_load_verify_locations_ex(ctx, ca_cert, NULL, + WOLFSSL_LOAD_FLAG_NONE)); -#if defined(NO_WOLFSSL_CLIENT) && defined(NO_WOLFSSL_SERVER) - ExpectIntEQ(wolfSSL_CertManagerLoadCA(cm, ca_cert, NULL), -1); + /* test expired CA */ +#if !defined(OPENSSL_COMPATIBLE_DEFAULTS) && !defined(NO_ASN_TIME) + ExpectIntNE(wolfSSL_CTX_load_verify_locations_ex(ctx, ca_expired_cert, NULL, + WOLFSSL_LOAD_FLAG_NONE), WOLFSSL_SUCCESS); #else - ExpectIntEQ(wolfSSL_CertManagerLoadCA(cm, ca_cert, NULL), - WOLFSSL_SUCCESS); -#endif - /* Use the test CB that always accepts certs */ - myVerifyAction = VERIFY_OVERRIDE_ERROR; - - ExpectIntEQ(wolfSSL_CertManagerVerify(cm, expiredCert, - CERT_FILETYPE), WOLFSSL_SUCCESS); - -#ifdef WOLFSSL_ALWAYS_VERIFY_CB - { - const char* verifyCert = "./certs/server-cert.der"; - /* Use the test CB that always fails certs */ - myVerifyAction = VERIFY_FORCE_FAIL; - - ExpectIntEQ(wolfSSL_CertManagerVerify(cm, verifyCert, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(VERIFY_CERT_ERROR)); - } + ExpectIntEQ(wolfSSL_CTX_load_verify_locations_ex(ctx, ca_expired_cert, NULL, + WOLFSSL_LOAD_FLAG_NONE), WOLFSSL_SUCCESS); #endif + ExpectIntEQ(wolfSSL_CTX_load_verify_locations_ex(ctx, ca_expired_cert, NULL, + WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY), WOLFSSL_SUCCESS); - wolfSSL_CertManagerFree(cm); - myVerifyAction = tmp; + wolfSSL_CTX_free(ctx); #endif return EXPECT_RESULT(); } - -static int test_wolfSSL_CertManagerNameConstraint(void) +static int test_wolfSSL_CTX_load_verify_buffer_ex(void) { EXPECT_DECLS; -#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \ - !defined(NO_WOLFSSL_CM_VERIFY) && !defined(NO_RSA) && \ - defined(OPENSSL_EXTRA) && defined(WOLFSSL_CERT_GEN) && \ - defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_ALT_NAMES) && \ - !defined(NO_SHA256) - WOLFSSL_CERT_MANAGER* cm = NULL; - WOLFSSL_EVP_PKEY *priv = NULL; - WOLFSSL_X509_NAME* name = NULL; - const char* ca_cert = "./certs/test/cert-ext-nc.der"; - const char* server_cert = "./certs/test/server-goodcn.pem"; - int i = 0; - static const byte extNameConsOid[] = {85, 29, 30}; - - RsaKey key; - WC_RNG rng; - byte *der = NULL; - int derSz = 0; - word32 idx = 0; - byte *pt; - WOLFSSL_X509 *x509 = NULL; - WOLFSSL_X509 *ca = NULL; - - wc_InitRng(&rng); - - /* load in CA private key for signing */ - ExpectIntEQ(wc_InitRsaKey_ex(&key, HEAP_HINT, testDevId), 0); - ExpectIntEQ(wc_RsaPrivateKeyDecode(server_key_der_2048, &idx, &key, - sizeof_server_key_der_2048), 0); - - /* get ca certificate then alter it */ - ExpectNotNull(der = - (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER)); - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(ca_cert, - WOLFSSL_FILETYPE_ASN1)); - ExpectNotNull(pt = (byte*)wolfSSL_X509_get_tbs(x509, &derSz)); - if (EXPECT_SUCCESS() && (der != NULL)) { - XMEMCPY(der, pt, (size_t)derSz); - - /* find the name constraint extension and alter it */ - pt = der; - for (i = 0; i < derSz - 3; i++) { - if (XMEMCMP(pt, extNameConsOid, 3) == 0) { - pt += 3; - break; - } - pt++; - } - ExpectIntNE(i, derSz - 3); /* did not find OID if this case is hit */ +#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_TLS) && \ + !defined(NO_RSA) && \ + (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) + WOLFSSL_CTX* ctx; + const char* ca_expired_cert_file = "./certs/test/expired/expired-ca.der"; + byte ca_expired_cert[TWOK_BUF]; + word32 sizeof_ca_expired_cert = 0; + XFILE fp = XBADFILE; - /* go to the length value and set it to 0 */ - while (i < derSz && *pt != 0x81) { - pt++; - i++; - } - ExpectIntNE(i, derSz); /* did not place to alter */ - pt++; - *pt = 0x00; - } +#ifndef NO_WOLFSSL_CLIENT + ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()); +#else + ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()); +#endif + ExpectNotNull(ctx); - /* resign the altered certificate */ - ExpectIntGT((derSz = wc_SignCert(derSz, CTC_SHA256wRSA, der, - FOURK_BUF, &key, NULL, &rng)), 0); +#if defined(USE_CERT_BUFFERS_2048) + /* test good CA */ + ExpectTrue(WOLFSSL_SUCCESS == + wolfSSL_CTX_load_verify_buffer_ex(ctx, ca_cert_der_2048, + sizeof_ca_cert_der_2048, WOLFSSL_FILETYPE_ASN1, 0, + WOLFSSL_LOAD_FLAG_NONE)); +#endif - ExpectNotNull(cm = wolfSSL_CertManagerNew()); - ExpectIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_PARSE_E)); - wolfSSL_CertManagerFree(cm); + /* load expired CA */ + XMEMSET(ca_expired_cert, 0, sizeof(ca_expired_cert)); + ExpectTrue((fp = XFOPEN(ca_expired_cert_file, "rb")) != XBADFILE); + ExpectIntGT(sizeof_ca_expired_cert = (word32)XFREAD(ca_expired_cert, 1, + sizeof(ca_expired_cert), fp), 0); + if (fp != XBADFILE) + XFCLOSE(fp); - XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wolfSSL_X509_free(x509); - wc_FreeRsaKey(&key); - wc_FreeRng(&rng); + /* test expired CA failure */ - /* add email alt name to satisfy constraint */ - pt = (byte*)server_key_der_2048; - ExpectNotNull(priv = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL, - (const unsigned char**)&pt, sizeof_server_key_der_2048)); - ExpectNotNull(cm = wolfSSL_CertManagerNew()); - ExpectNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert, - WOLFSSL_FILETYPE_ASN1)); +#if !defined(OPENSSL_COMPATIBLE_DEFAULTS) && !defined(NO_ASN_TIME) + ExpectIntNE(wolfSSL_CTX_load_verify_buffer_ex(ctx, ca_expired_cert, + sizeof_ca_expired_cert, WOLFSSL_FILETYPE_ASN1, 0, + WOLFSSL_LOAD_FLAG_NONE), WOLFSSL_SUCCESS); +#else + ExpectIntEQ(wolfSSL_CTX_load_verify_buffer_ex(ctx, ca_expired_cert, + sizeof_ca_expired_cert, WOLFSSL_FILETYPE_ASN1, 0, + WOLFSSL_LOAD_FLAG_NONE), WOLFSSL_SUCCESS); +#endif + /* test expired CA success */ + ExpectIntEQ(wolfSSL_CTX_load_verify_buffer_ex(ctx, ca_expired_cert, + sizeof_ca_expired_cert, WOLFSSL_FILETYPE_ASN1, 0, + WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY), WOLFSSL_SUCCESS); + + /* Fail when ctx is NULL. */ + ExpectIntEQ(wolfSSL_CTX_load_verify_buffer_ex(NULL, ca_expired_cert, + sizeof_ca_expired_cert, WOLFSSL_FILETYPE_ASN1, 0, + WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + /* Load as modified cert - bad initial length. */ + ca_expired_cert[2] = 0x7f; + ExpectIntEQ(wolfSSL_CTX_load_verify_buffer_ex(ctx, ca_expired_cert, + sizeof_ca_expired_cert, WOLFSSL_FILETYPE_ASN1, 1, + WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY), WC_NO_ERR_TRACE(ASN_PARSE_E)); - ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(ca, &derSz))); - DEBUG_WRITE_DER(der, derSz, "ca.der"); + wolfSSL_CTX_free(ctx); +#endif - ExpectIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); + return EXPECT_RESULT(); +} - /* Good cert test with proper alt email name */ - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, - WOLFSSL_FILETYPE_PEM)); - ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); - ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); - name = NULL; +static int test_wolfSSL_CTX_load_verify_chain_buffer_format(void) +{ + EXPECT_DECLS; +#if !defined(NO_CERTS) && !defined(NO_RSA) && defined(OPENSSL_EXTRA) && \ + defined(USE_CERT_BUFFERS_2048) && (WOLFSSL_MIN_RSA_BITS <= 1024) && \ + !defined(NO_TLS) && \ + (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) + WOLFSSL_CTX* ctx = NULL; - ExpectNotNull(name = X509_NAME_new()); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, - (byte*)"US", 2, -1, 0), SSL_SUCCESS); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8, - (byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "emailAddress", MBSTRING_UTF8, - (byte*)"support@info.wolfssl.com", 24, -1, 0), SSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); - X509_NAME_free(name); - name = NULL; + #ifndef NO_WOLFSSL_CLIENT + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); + #else + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); + #endif + + /* Public key 140 bytes??? */ + ExpectIntEQ(wolfSSL_CTX_load_verify_chain_buffer_format(ctx, + ca_cert_chain_der, sizeof_ca_cert_chain_der, WOLFSSL_FILETYPE_ASN1), + WOLFSSL_SUCCESS); - wolfSSL_X509_add_altname(x509, "wolfssl@info.wolfssl.com", ASN_RFC822_TYPE); + wolfSSL_CTX_free(ctx); +#endif - ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); - DEBUG_WRITE_CERT_X509(x509, "good-cert.pem"); + return EXPECT_RESULT(); +} - ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); +static int test_wolfSSL_CTX_add1_chain_cert(void) +{ + EXPECT_DECLS; +#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && defined(OPENSSL_EXTRA) && \ + defined(KEEP_OUR_CERT) && !defined(NO_RSA) && !defined(NO_TLS) && \ + !defined(NO_WOLFSSL_CLIENT) + WOLFSSL_CTX* ctx; + WOLFSSL* ssl = NULL; + const char *certChain[] = { + "./certs/intermediate/client-int-cert.pem", + "./certs/intermediate/ca-int2-cert.pem", + "./certs/intermediate/ca-int-cert.pem", + "./certs/ca-cert.pem", + NULL + }; + const char** cert; + WOLFSSL_X509* x509 = NULL; + WOLF_STACK_OF(X509)* chain = NULL; + + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); + ExpectNotNull(ssl = wolfSSL_new(ctx)); + + ExpectNotNull(x509 = wolfSSL_X509_new()); + ExpectIntEQ(SSL_CTX_add1_chain_cert(ctx, x509), 0); + ExpectIntEQ(SSL_CTX_add0_chain_cert(ctx, x509), 0); + ExpectIntEQ(SSL_add1_chain_cert(ssl, x509), 0); + ExpectIntEQ(SSL_add0_chain_cert(ssl, x509), 0); wolfSSL_X509_free(x509); x509 = NULL; + for (cert = certChain; EXPECT_SUCCESS() && *cert != NULL; cert++) { + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(*cert, + WOLFSSL_FILETYPE_PEM)); - /* Cert with bad alt name list */ - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, - WOLFSSL_FILETYPE_PEM)); - ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); - ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); - name = NULL; + /* Do negative tests once */ + if (cert == certChain) { + /* Negative tests. */ + ExpectIntEQ(SSL_CTX_add1_chain_cert(NULL, NULL), 0); + ExpectIntEQ(SSL_CTX_add1_chain_cert(ctx, NULL), 0); + ExpectIntEQ(SSL_CTX_add1_chain_cert(NULL, x509), 0); + ExpectIntEQ(SSL_CTX_add0_chain_cert(NULL, NULL), 0); + ExpectIntEQ(SSL_CTX_add0_chain_cert(ctx, NULL), 0); + ExpectIntEQ(SSL_CTX_add0_chain_cert(NULL, x509), 0); + } - ExpectNotNull(name = X509_NAME_new()); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, - (byte*)"US", 2, -1, 0), SSL_SUCCESS); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8, - (byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "emailAddress", MBSTRING_UTF8, - (byte*)"support@info.wolfssl.com", 24, -1, 0), SSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); - X509_NAME_free(name); + ExpectIntEQ(SSL_CTX_add1_chain_cert(ctx, x509), 1); + X509_free(x509); + x509 = NULL; + } + for (cert = certChain; EXPECT_SUCCESS() && *cert != NULL; cert++) { + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(*cert, + WOLFSSL_FILETYPE_PEM)); - wolfSSL_X509_add_altname(x509, "wolfssl@info.com", ASN_RFC822_TYPE); - wolfSSL_X509_add_altname(x509, "wolfssl@info.wolfssl.com", ASN_RFC822_TYPE); + /* Do negative tests once */ + if (cert == certChain) { + /* Negative tests. */ + ExpectIntEQ(SSL_add1_chain_cert(NULL, NULL), 0); + ExpectIntEQ(SSL_add1_chain_cert(ssl, NULL), 0); + ExpectIntEQ(SSL_add1_chain_cert(NULL, x509), 0); + ExpectIntEQ(SSL_add0_chain_cert(NULL, NULL), 0); + ExpectIntEQ(SSL_add0_chain_cert(ssl, NULL), 0); + ExpectIntEQ(SSL_add0_chain_cert(NULL, x509), 0); + } - ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); - DEBUG_WRITE_CERT_X509(x509, "bad-cert.pem"); + ExpectIntEQ(SSL_add1_chain_cert(ssl, x509), 1); + X509_free(x509); + x509 = NULL; + } - ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E)); + ExpectIntEQ(SSL_CTX_get0_chain_certs(ctx, &chain), 1); + ExpectIntEQ(sk_X509_num(chain), 3); + ExpectIntEQ(SSL_get0_chain_certs(ssl, &chain), 1); + ExpectIntEQ(sk_X509_num(chain), 3); - wolfSSL_CertManagerFree(cm); - wolfSSL_X509_free(x509); - wolfSSL_X509_free(ca); - wolfSSL_EVP_PKEY_free(priv); + SSL_free(ssl); + SSL_CTX_free(ctx); #endif - return EXPECT_RESULT(); } - -static int test_wolfSSL_CertManagerNameConstraint2(void) +static int test_wolfSSL_CTX_use_certificate_chain_buffer_format(void) { EXPECT_DECLS; -#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \ - !defined(NO_WOLFSSL_CM_VERIFY) && !defined(NO_RSA) && \ - defined(OPENSSL_EXTRA) && defined(WOLFSSL_CERT_GEN) && \ - defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_ALT_NAMES) - const char* ca_cert = "./certs/test/cert-ext-ndir.der"; - const char* ca_cert2 = "./certs/test/cert-ext-ndir-exc.der"; - const char* server_cert = "./certs/server-cert.pem"; - WOLFSSL_CERT_MANAGER* cm = NULL; - WOLFSSL_X509 *x509 = NULL; - WOLFSSL_X509 *ca = NULL; - - const unsigned char *der = NULL; - const unsigned char *pt; - WOLFSSL_EVP_PKEY *priv = NULL; - WOLFSSL_X509_NAME* name = NULL; - int derSz = 0; - - /* C=US*/ - char altName[] = { - 0x30, 0x0D, 0x31, 0x0B, 0x30, 0x09, - 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53 - }; - - /* C=ID */ - char altNameFail[] = { - 0x30, 0x0D, 0x31, 0x0B, 0x30, 0x09, - 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x49, 0x44 - }; +#if !defined(NO_CERTS) && !defined(NO_TLS) && \ + !defined(NO_WOLFSSL_CLIENT) && !defined(NO_RSA) && \ + (!defined(NO_FILESYSTEM) || defined(USE_CERT_BUFFERS_2048)) + WOLFSSL_CTX* ctx = NULL; + WOLFSSL* ssl = NULL; +#ifndef NO_FILESYSTEM + const char* cert = svrCertFile; + unsigned char* buf = NULL; + size_t len = 0; - /* C=US ST=California*/ - char altNameExc[] = { - 0x30, 0x22, - 0x31, 0x0B, - 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, - 0x31, 0x13, - 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x0A, - 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61 - }; - /* load in CA private key for signing */ - pt = ca_key_der_2048; - ExpectNotNull(priv = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL, &pt, - sizeof_ca_key_der_2048)); + ExpectIntEQ(load_file(cert, &buf, &len), 0); +#endif - ExpectNotNull(cm = wolfSSL_CertManagerNew()); - ExpectNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert, - WOLFSSL_FILETYPE_ASN1)); - ExpectNotNull((der = wolfSSL_X509_get_der(ca, &derSz))); - ExpectIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); + ExpectNotNull(ssl = wolfSSL_new(ctx)); - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, - WOLFSSL_FILETYPE_PEM)); - ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); - ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); -#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_256) - wolfSSL_X509_sign(x509, priv, EVP_sha3_256()); -#else - wolfSSL_X509_sign(x509, priv, EVP_sha256()); + /* Invalid parameters. */ +#ifndef NO_FILESYSTEM + ExpectIntEQ(wolfSSL_CTX_use_certificate_chain_buffer_format(NULL, + NULL, 0, WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CTX_use_certificate_chain_buffer_format(ctx, + NULL, 0, WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_PARSE_E)); + ExpectIntEQ(wolfSSL_CTX_use_certificate_chain_buffer(NULL, NULL, 0), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); +#ifdef WOLFSSL_PEM_TO_DER + ExpectIntEQ(wolfSSL_CTX_use_certificate_chain_buffer(ctx, NULL, 0), + WC_NO_ERR_TRACE(ASN_NO_PEM_HEADER)); #endif - ExpectNotNull((der = wolfSSL_X509_get_der(x509, &derSz))); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CTX_use_certificate_chain_buffer(NULL, buf, + (sword32)len), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_use_certificate_chain_buffer(NULL, NULL, 0), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); +#ifdef WOLFSSL_PEM_TO_DER + ExpectIntEQ(wolfSSL_use_certificate_chain_buffer(ssl, NULL, 0), + WC_NO_ERR_TRACE(ASN_NO_PEM_HEADER)); +#endif + ExpectIntEQ(wolfSSL_use_certificate_chain_buffer(NULL, buf, (sword32)len), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - /* Test no name case. */ - ExpectIntEQ(wolfSSL_X509_add_altname_ex(x509, NULL, 0, ASN_DIR_TYPE), - WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_add_altname(x509, "", ASN_DIR_TYPE), + ExpectIntEQ(wolfSSL_CTX_use_certificate_chain_buffer_format(ctx, buf, + (sword32)len, CERT_FILETYPE), WOLFSSL_SUCCESS); + + ExpectIntEQ(wolfSSL_CTX_use_certificate_chain_buffer(ctx, buf, (sword32)len), WOLFSSL_SUCCESS); - /* IP not supported. */ - ExpectIntEQ(wolfSSL_X509_add_altname(x509, "127.0.0.1", ASN_IP_TYPE), - WOLFSSL_FAILURE); - /* add in matching DIR alt name and resign */ - wolfSSL_X509_add_altname_ex(x509, altName, sizeof(altName), ASN_DIR_TYPE); -#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_256) - wolfSSL_X509_sign(x509, priv, EVP_sha3_256()); -#else - wolfSSL_X509_sign(x509, priv, EVP_sha256()); -#endif + ExpectIntEQ(wolfSSL_use_certificate_chain_buffer(ssl, buf, (sword32)len), + WOLFSSL_SUCCESS); +#endif /* !NO_FILESYSTEM */ - ExpectNotNull((der = wolfSSL_X509_get_der(x509, &derSz))); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); - wolfSSL_X509_free(x509); - x509 = NULL; + ExpectIntEQ(wolfSSL_CTX_use_certificate_chain_buffer_format(NULL, + server_cert_der_2048, sizeof_server_cert_der_2048, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - /* check verify fail */ - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, - WOLFSSL_FILETYPE_PEM)); - ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); - ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CTX_use_certificate_chain_buffer_format(ctx, + server_cert_der_2048, sizeof_server_cert_der_2048, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); - /* add in miss matching DIR alt name and resign */ - wolfSSL_X509_add_altname_ex(x509, altNameFail, sizeof(altNameFail), - ASN_DIR_TYPE); +#ifdef WOLFSSL_PEM_TO_DER + ExpectIntEQ(wolfSSL_CTX_use_certificate_chain_buffer(ctx, + server_cert_der_2048, sizeof_server_cert_der_2048), + WC_NO_ERR_TRACE(ASN_NO_PEM_HEADER)); -#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_256) - wolfSSL_X509_sign(x509, priv, EVP_sha3_256()); -#else - wolfSSL_X509_sign(x509, priv, EVP_sha256()); -#endif - ExpectNotNull((der = wolfSSL_X509_get_der(x509, &derSz))); -#ifndef WOLFSSL_NO_ASN_STRICT - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E)); -#else - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_use_certificate_chain_buffer(ssl, server_cert_der_2048, + sizeof_server_cert_der_2048), WC_NO_ERR_TRACE(ASN_NO_PEM_HEADER)); #endif - /* check that it still fails if one bad altname and one good altname is in - * the certificate */ - wolfSSL_X509_free(x509); - x509 = NULL; - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, - WOLFSSL_FILETYPE_PEM)); - ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); - ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); - wolfSSL_X509_add_altname_ex(x509, altName, sizeof(altName), ASN_DIR_TYPE); - wolfSSL_X509_add_altname_ex(x509, altNameFail, sizeof(altNameFail), - ASN_DIR_TYPE); - -#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_256) - wolfSSL_X509_sign(x509, priv, EVP_sha3_256()); -#else - wolfSSL_X509_sign(x509, priv, EVP_sha256()); + wolfSSL_free(ssl); + wolfSSL_CTX_free(ctx); +#ifndef NO_FILESYSTEM + if (buf != NULL) { + free(buf); + } #endif - ExpectNotNull((der = wolfSSL_X509_get_der(x509, &derSz))); -#ifndef WOLFSSL_NO_ASN_STRICT - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E)); -#else - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); #endif + return EXPECT_RESULT(); +} - /* check it fails with switching position of bad altname */ - wolfSSL_X509_free(x509); - x509 = NULL; - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, - WOLFSSL_FILETYPE_PEM)); - ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); - ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); - wolfSSL_X509_add_altname_ex(x509, altNameFail, sizeof(altNameFail), - ASN_DIR_TYPE); - wolfSSL_X509_add_altname_ex(x509, altName, sizeof(altName), ASN_DIR_TYPE); - -#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_256) - wolfSSL_X509_sign(x509, priv, EVP_sha3_256()); -#else - wolfSSL_X509_sign(x509, priv, EVP_sha256()); -#endif - ExpectNotNull((der = wolfSSL_X509_get_der(x509, &derSz))); -#ifndef WOLFSSL_NO_ASN_STRICT - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E)); -#else - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); -#endif - wolfSSL_CertManagerFree(cm); +static int test_wolfSSL_CTX_use_certificate_chain_file_format(void) +{ + EXPECT_DECLS; +#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_TLS) && \ + !defined(NO_RSA) && \ + (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) + const char* server_chain_der = "./certs/server-cert-chain.der"; + const char* client_single_pem = cliCertFile; + WOLFSSL_CTX* ctx = NULL; - wolfSSL_X509_free(x509); - x509 = NULL; - wolfSSL_X509_free(ca); - ca = NULL; + (void)server_chain_der; + (void)client_single_pem; + (void)ctx; - /* now test with excluded name constraint */ - ExpectNotNull(cm = wolfSSL_CertManagerNew()); - ExpectNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert2, - WOLFSSL_FILETYPE_ASN1)); - ExpectNotNull((der = wolfSSL_X509_get_der(ca, &derSz))); - ExpectIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); + #ifndef NO_WOLFSSL_CLIENT + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); + #else + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); + #endif - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, - WOLFSSL_FILETYPE_PEM)); - wolfSSL_X509_add_altname_ex(x509, altNameExc, sizeof(altNameExc), - ASN_DIR_TYPE); - ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); - ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CTX_use_certificate_chain_file_format(ctx, + server_chain_der, WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CTX_use_certificate_chain_file_format(ctx, + client_single_pem, CERT_FILETYPE), WOLFSSL_SUCCESS); -#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_256) - wolfSSL_X509_sign(x509, priv, EVP_sha3_256()); -#else - wolfSSL_X509_sign(x509, priv, EVP_sha256()); -#endif - ExpectNotNull((der = wolfSSL_X509_get_der(x509, &derSz))); -#ifndef WOLFSSL_NO_ASN_STRICT - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E)); -#else - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); -#endif - wolfSSL_CertManagerFree(cm); - wolfSSL_X509_free(x509); - wolfSSL_X509_free(ca); - wolfSSL_EVP_PKEY_free(priv); + wolfSSL_CTX_free(ctx); #endif - return EXPECT_RESULT(); } -static int test_wolfSSL_CertManagerNameConstraint3(void) +static int test_wolfSSL_use_certificate_chain_file(void) { EXPECT_DECLS; -#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \ - !defined(NO_WOLFSSL_CM_VERIFY) && !defined(NO_RSA) && \ - defined(OPENSSL_EXTRA) && defined(WOLFSSL_CERT_GEN) && \ - defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_ALT_NAMES) && \ - !defined(NO_SHA256) - WOLFSSL_CERT_MANAGER* cm = NULL; - WOLFSSL_EVP_PKEY *priv = NULL; - WOLFSSL_X509_NAME* name = NULL; - const char* ca_cert = "./certs/test/cert-ext-mnc.der"; - const char* server_cert = "./certs/test/server-goodcn.pem"; - - byte *der = NULL; - int derSz = 0; - byte *pt; - WOLFSSL_X509 *x509 = NULL; - WOLFSSL_X509 *ca = NULL; - - pt = (byte*)server_key_der_2048; - ExpectNotNull(priv = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL, - (const unsigned char**)&pt, sizeof_server_key_der_2048)); - - ExpectNotNull(cm = wolfSSL_CertManagerNew()); - ExpectNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert, - WOLFSSL_FILETYPE_ASN1)); - ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(ca, &derSz))); - DEBUG_WRITE_DER(der, derSz, "ca.der"); - - ExpectIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); - - /* check satisfying .wolfssl.com constraint passes */ - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, - WOLFSSL_FILETYPE_PEM)); - ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); - ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); - name = NULL; - - ExpectNotNull(name = X509_NAME_new()); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, - (byte*)"US", 2, -1, 0), SSL_SUCCESS); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8, - (byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "emailAddress", MBSTRING_UTF8, - (byte*)"support@info.wolfssl.com", 24, -1, 0), SSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); - X509_NAME_free(name); - name = NULL; - - wolfSSL_X509_add_altname(x509, "wolfssl@info.wolfssl.com", ASN_RFC822_TYPE); - - ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); - DEBUG_WRITE_CERT_X509(x509, "good-1st-constraint-cert.pem"); - - ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); - wolfSSL_X509_free(x509); - x509 = NULL; - - /* check satisfying .random.com constraint passes */ - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, - WOLFSSL_FILETYPE_PEM)); - ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); - ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); - name = NULL; - - ExpectNotNull(name = X509_NAME_new()); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, - (byte*)"US", 2, -1, 0), SSL_SUCCESS); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8, - (byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "emailAddress", MBSTRING_UTF8, - (byte*)"support@info.example.com", 24, -1, 0), SSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); - X509_NAME_free(name); - name = NULL; - - wolfSSL_X509_add_altname(x509, "wolfssl@info.example.com", ASN_RFC822_TYPE); - - ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); - DEBUG_WRITE_CERT_X509(x509, "good-2nd-constraint-cert.pem"); - - ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); - wolfSSL_X509_free(x509); - x509 = NULL; - - /* check fail case when neither constraint is matched */ - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, - WOLFSSL_FILETYPE_PEM)); - ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); - ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); - name = NULL; +#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_TLS) && \ + !defined(NO_WOLFSSL_CLIENT) && !defined(NO_RSA) + const char* server_chain_der = "./certs/server-cert-chain.der"; + const char* client_single_pem = cliCertFile; + WOLFSSL_CTX* ctx = NULL; + WOLFSSL* ssl = NULL; - ExpectNotNull(name = X509_NAME_new()); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, - (byte*)"US", 2, -1, 0), SSL_SUCCESS); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8, - (byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "emailAddress", MBSTRING_UTF8, - (byte*)"support@info.com", 16, -1, 0), SSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); - X509_NAME_free(name); + (void)server_chain_der; + (void)client_single_pem; - wolfSSL_X509_add_altname(x509, "wolfssl@info.com", ASN_RFC822_TYPE); + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); + ExpectNotNull(ssl = wolfSSL_new(ctx)); - ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); - DEBUG_WRITE_CERT_X509(x509, "bad-cert.pem"); + /* Invalid parameters. */ + ExpectIntEQ(wolfSSL_use_certificate_chain_file_format(NULL, NULL, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_use_certificate_chain_file_format(ssl, NULL, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_use_certificate_chain_file_format(NULL, + server_chain_der, WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_use_certificate_chain_file(NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_use_certificate_chain_file(ssl, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_use_certificate_chain_file(NULL, client_single_pem), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); +#ifdef WOLFSSL_PEM_TO_DER + ExpectIntEQ(wolfSSL_use_certificate_chain_file(ssl, server_chain_der), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); +#endif - ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E)); + ExpectIntEQ(wolfSSL_use_certificate_chain_file_format(ssl, + server_chain_der, WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_use_certificate_chain_file_format(ssl, + client_single_pem, CERT_FILETYPE), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_use_certificate_chain_file(ssl, client_single_pem), + WOLFSSL_SUCCESS); - wolfSSL_CertManagerFree(cm); - wolfSSL_X509_free(x509); - wolfSSL_X509_free(ca); - wolfSSL_EVP_PKEY_free(priv); + wolfSSL_free(ssl); + wolfSSL_CTX_free(ctx); #endif - return EXPECT_RESULT(); } -static int test_wolfSSL_CertManagerNameConstraint4(void) +static int test_wolfSSL_CTX_SetTmpDH_file(void) { EXPECT_DECLS; -#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \ - !defined(NO_WOLFSSL_CM_VERIFY) && !defined(NO_RSA) && \ - defined(OPENSSL_EXTRA) && defined(WOLFSSL_CERT_GEN) && \ - defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_ALT_NAMES) && \ - !defined(NO_SHA256) - WOLFSSL_CERT_MANAGER* cm = NULL; - WOLFSSL_EVP_PKEY *priv = NULL; - WOLFSSL_X509_NAME* name = NULL; - const char* ca_cert = "./certs/test/cert-ext-ncdns.der"; - const char* server_cert = "./certs/test/server-goodcn.pem"; - - byte *der = NULL; - int derSz; - byte *pt; - WOLFSSL_X509 *x509 = NULL; - WOLFSSL_X509 *ca = NULL; - - pt = (byte*)server_key_der_2048; - ExpectNotNull(priv = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL, - (const unsigned char**)&pt, sizeof_server_key_der_2048)); +#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_TLS) && \ + !defined(NO_DH) && \ + (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) + WOLFSSL_CTX *ctx = NULL; +#if defined(WOLFSSL_WPAS) && !defined(NO_DSA) +#if defined(WOLFSSL_PEM_TO_DER) + const char* dsaParamFile = "./certs/dsaparams.pem"; +#else + const char* dsaParamFile = "./certs/dsaparams.der"; +#endif +#endif - ExpectNotNull(cm = wolfSSL_CertManagerNew()); - ExpectNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert, - WOLFSSL_FILETYPE_ASN1)); - ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(ca, &derSz))); - DEBUG_WRITE_DER(der, derSz, "ca.der"); + (void)ctx; - ExpectIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); + #ifndef NO_WOLFSSL_CLIENT + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); + #else + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); + #endif - /* check satisfying wolfssl.com constraint passes */ - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, - WOLFSSL_FILETYPE_PEM)); - ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); - ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); - name = NULL; + /* invalid context */ + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_SetTmpDH_file(NULL, + dhParamFile, CERT_FILETYPE)); - ExpectNotNull(name = X509_NAME_new()); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, - (byte*)"US", 2, -1, 0), SSL_SUCCESS); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8, - (byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); - X509_NAME_free(name); - name = NULL; + /* invalid dhParamFile file */ + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_SetTmpDH_file(ctx, + NULL, CERT_FILETYPE)); - wolfSSL_X509_add_altname(x509, "www.wolfssl.com", ASN_DNS_TYPE); - ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); - DEBUG_WRITE_CERT_X509(x509, "good-1st-constraint-cert.pem"); + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_SetTmpDH_file(ctx, + bogusFile, CERT_FILETYPE)); - ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); - wolfSSL_X509_free(x509); - x509 = NULL; + /* success */ + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_SetTmpDH_file(ctx, dhParamFile, + CERT_FILETYPE)); +#if defined(WOLFSSL_WPAS) && !defined(NO_DSA) + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_SetTmpDH_file(ctx, dsaParamFile, + CERT_FILETYPE)); +#endif - /* check satisfying example.com constraint passes */ - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, - WOLFSSL_FILETYPE_PEM)); - ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); - ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); - name = NULL; + wolfSSL_CTX_free(ctx); +#endif + return EXPECT_RESULT(); +} - ExpectNotNull(name = X509_NAME_new()); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, - (byte*)"US", 2, -1, 0), SSL_SUCCESS); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8, - (byte*)"example.com", 11, -1, 0), SSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); - X509_NAME_free(name); - name = NULL; +static int test_wolfSSL_CTX_SetTmpDH_buffer(void) +{ + EXPECT_DECLS; +#if !defined(NO_CERTS) && !defined(NO_TLS) && !defined(NO_DH) && \ + (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) + WOLFSSL_CTX *ctx = NULL; - wolfSSL_X509_add_altname(x509, "www.example.com", ASN_DNS_TYPE); - ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); - DEBUG_WRITE_CERT_X509(x509, "good-2nd-constraint-cert.pem"); + #ifndef NO_WOLFSSL_CLIENT + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); + #else + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); + #endif - ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); - wolfSSL_X509_free(x509); - x509 = NULL; + /* invalid context */ + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_SetTmpDH_buffer(NULL, + dh_key_der_2048, sizeof_dh_key_der_2048, + WOLFSSL_FILETYPE_ASN1)); - /* check satisfying wolfssl.com constraint passes with list of DNS's */ - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, - WOLFSSL_FILETYPE_PEM)); - ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); - ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); - name = NULL; + /* invalid dhParamFile file */ + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_SetTmpDH_buffer(NULL, NULL, + 0, WOLFSSL_FILETYPE_ASN1)); + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_SetTmpDH_buffer(ctx, NULL, + 0, WOLFSSL_FILETYPE_ASN1)); - ExpectNotNull(name = X509_NAME_new()); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, - (byte*)"US", 2, -1, 0), SSL_SUCCESS); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8, - (byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); - X509_NAME_free(name); - name = NULL; + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_SetTmpDH_buffer(ctx, + dsa_key_der_2048, sizeof_dsa_key_der_2048, + WOLFSSL_FILETYPE_ASN1)); - wolfSSL_X509_add_altname(x509, "www.wolfssl.com", ASN_DNS_TYPE); - wolfSSL_X509_add_altname(x509, "www.info.wolfssl.com", ASN_DNS_TYPE); - wolfSSL_X509_add_altname(x509, "extra.wolfssl.com", ASN_DNS_TYPE); - ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); - DEBUG_WRITE_CERT_X509(x509, "good-multiple-constraint-cert.pem"); + /* invalid file format */ + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_SetTmpDH_buffer(ctx, + dh_key_der_2048, sizeof_dh_key_der_2048, -1)); - ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); - wolfSSL_X509_free(x509); - x509 = NULL; + /* success */ + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_SetTmpDH_buffer(ctx, + dh_key_der_2048, sizeof_dh_key_der_2048, + WOLFSSL_FILETYPE_ASN1)); - /* check fail when one DNS in the list is bad */ - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, - WOLFSSL_FILETYPE_PEM)); - ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); - ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); - name = NULL; + wolfSSL_CTX_free(ctx); +#endif + return EXPECT_RESULT(); +} - ExpectNotNull(name = X509_NAME_new()); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, - (byte*)"US", 2, -1, 0), SSL_SUCCESS); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8, - (byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); - X509_NAME_free(name); - name = NULL; - - wolfSSL_X509_add_altname(x509, "www.wolfssl.com", ASN_DNS_TYPE); - wolfSSL_X509_add_altname(x509, "www.nomatch.com", ASN_DNS_TYPE); - wolfSSL_X509_add_altname(x509, "www.info.wolfssl.com", ASN_DNS_TYPE); - ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); - DEBUG_WRITE_CERT_X509(x509, "bad-multiple-constraint-cert.pem"); +static int test_wc_DhSetNamedKey(void) +{ + EXPECT_DECLS; +#if !defined(HAVE_SELFTEST) && !defined(NO_DH) && \ + !defined(WOLFSSL_NO_MALLOC) && defined(HAVE_FFDHE) && \ + (!defined(HAVE_FIPS) || FIPS_VERSION_GT(2,0)) + DhKey *key = NULL; + key = (DhKey*)XMALLOC(sizeof(DhKey), HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + ExpectNotNull(key); + if (key != NULL){ + #ifdef HAVE_FFDHE_2048 + if (wc_InitDhKey_ex(key, HEAP_HINT, INVALID_DEVID) == 0){ + ExpectIntEQ(wc_DhSetNamedKey(key, WC_FFDHE_2048), 0); + ExpectIntEQ(wc_DhGetNamedKeyMinSize(WC_FFDHE_2048), 29); + wc_FreeDhKey(key); + } + #endif + #ifdef HAVE_FFDHE_3072 + if (wc_InitDhKey_ex(key, HEAP_HINT, INVALID_DEVID) == 0){ + ExpectIntEQ(wc_DhSetNamedKey(key, WC_FFDHE_3072), 0); + ExpectIntEQ(wc_DhGetNamedKeyMinSize(WC_FFDHE_3072), 34); + wc_FreeDhKey(key); + } + #endif + #ifdef HAVE_FFDHE_4096 + if (wc_InitDhKey_ex(key, HEAP_HINT, INVALID_DEVID) == 0){ + ExpectIntEQ(wc_DhSetNamedKey(key, WC_FFDHE_4096), 0); + ExpectIntEQ(wc_DhGetNamedKeyMinSize(WC_FFDHE_4096), 39); + wc_FreeDhKey(key); + } + #endif + #ifdef HAVE_FFDHE_6144 + if (wc_InitDhKey_ex(key, HEAP_HINT, INVALID_DEVID) == 0){ + ExpectIntEQ(wc_DhSetNamedKey(key, WC_FFDHE_6144), 0); + ExpectIntEQ(wc_DhGetNamedKeyMinSize(WC_FFDHE_6144), 46); + wc_FreeDhKey(key); + } + #endif + #ifdef HAVE_FFDHE_8192 + if (wc_InitDhKey_ex(key, HEAP_HINT, INVALID_DEVID) == 0){ + ExpectIntEQ(wc_DhSetNamedKey(key, WC_FFDHE_8192), 0); + ExpectIntEQ(wc_DhGetNamedKeyMinSize(WC_FFDHE_8192), 52); + wc_FreeDhKey(key); + } + #endif + XFREE(key, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + } +#endif + return EXPECT_RESULT(); +} - ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E)); - wolfSSL_X509_free(x509); - x509 = NULL; +static int test_wolfSSL_CTX_SetMinMaxDhKey_Sz(void) +{ + EXPECT_DECLS; +#if !defined(NO_CERTS) && !defined(NO_TLS) && !defined(NO_DH) && \ + (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) + WOLFSSL_CTX *ctx; - /* check fail case when neither constraint is matched */ - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, - WOLFSSL_FILETYPE_PEM)); - ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); - ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); - name = NULL; + (void)ctx; - ExpectNotNull(name = X509_NAME_new()); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, - (byte*)"US", 2, -1, 0), SSL_SUCCESS); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8, - (byte*)"common", 6, -1, 0), SSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); - X509_NAME_free(name); + #ifndef NO_WOLFSSL_CLIENT + ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()); + #else + ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()); + #endif + ExpectNotNull(ctx); - wolfSSL_X509_add_altname(x509, "www.random.com", ASN_DNS_TYPE); - ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); - DEBUG_WRITE_CERT_X509(x509, "bad-cert.pem"); + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_SetMinDhKey_Sz(ctx, 3072)); - ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E)); + ExpectIntEQ(WC_NO_ERR_TRACE(DH_KEY_SIZE_E), wolfSSL_CTX_SetTmpDH_buffer(ctx, dh_key_der_2048, + sizeof_dh_key_der_2048, WOLFSSL_FILETYPE_ASN1)); - wolfSSL_CertManagerFree(cm); - wolfSSL_X509_free(x509); - wolfSSL_X509_free(ca); - wolfSSL_EVP_PKEY_free(priv); -#endif + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_SetMinDhKey_Sz(ctx, 2048)); - return EXPECT_RESULT(); -} + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_SetTmpDH_buffer(ctx, + dh_key_der_2048, sizeof_dh_key_der_2048, + WOLFSSL_FILETYPE_ASN1)); -static int test_wolfSSL_CertManagerNameConstraint5(void) -{ - EXPECT_DECLS; -#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \ - !defined(NO_WOLFSSL_CM_VERIFY) && !defined(NO_RSA) && \ - defined(OPENSSL_EXTRA) && defined(WOLFSSL_CERT_GEN) && \ - defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_ALT_NAMES) && \ - !defined(NO_SHA256) - WOLFSSL_CERT_MANAGER* cm = NULL; - WOLFSSL_EVP_PKEY *priv = NULL; - WOLFSSL_X509_NAME* name = NULL; - const char* ca_cert = "./certs/test/cert-ext-ncmixed.der"; - const char* server_cert = "./certs/test/server-goodcn.pem"; - - byte *der = NULL; - int derSz; - byte *pt; - WOLFSSL_X509 *x509 = NULL; - WOLFSSL_X509 *ca = NULL; - - pt = (byte*)server_key_der_2048; - ExpectNotNull(priv = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL, - (const unsigned char**)&pt, sizeof_server_key_der_2048)); + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_SetMaxDhKey_Sz(ctx, 1024)); - ExpectNotNull(cm = wolfSSL_CertManagerNew()); - ExpectNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert, + ExpectIntEQ(WC_NO_ERR_TRACE(DH_KEY_SIZE_E), wolfSSL_CTX_SetTmpDH_buffer(ctx, + dh_key_der_2048, sizeof_dh_key_der_2048, WOLFSSL_FILETYPE_ASN1)); - ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(ca, &derSz))); - DEBUG_WRITE_DER(der, derSz, "ca.der"); - ExpectIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_SetMaxDhKey_Sz(ctx, 2048)); - /* check satisfying wolfssl.com constraint passes */ - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, - WOLFSSL_FILETYPE_PEM)); - ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); - ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); - name = NULL; + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_SetTmpDH_buffer(ctx, + dh_key_der_2048, sizeof_dh_key_der_2048, + WOLFSSL_FILETYPE_ASN1)); - ExpectNotNull(name = X509_NAME_new()); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, - (byte*)"US", 2, -1, 0), SSL_SUCCESS); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8, - (byte*)"example", 7, -1, 0), SSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); - X509_NAME_free(name); - name = NULL; + wolfSSL_CTX_free(ctx); +#endif + return EXPECT_RESULT(); +} - wolfSSL_X509_add_altname(x509, "good.example", ASN_DNS_TYPE); - wolfSSL_X509_add_altname(x509, "facts@into.wolfssl.com", ASN_RFC822_TYPE); - ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); - DEBUG_WRITE_CERT_X509(x509, "good-cert.pem"); +static int test_wolfSSL_CTX_der_load_verify_locations(void) +{ + EXPECT_DECLS; +#if !defined(NO_FILESYSTEM) && defined(WOLFSSL_DER_LOAD) && \ + !defined(NO_TLS) && \ + (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) + WOLFSSL_CTX* ctx = NULL; + const char* derCert = "./certs/server-cert.der"; + const char* nullPath = NULL; + const char* invalidPath = "./certs/this-cert-does-not-exist.der"; + const char* emptyPath = ""; - ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); - wolfSSL_X509_free(x509); - x509 = NULL; + /* der load Case 1 ctx NULL */ + ExpectIntEQ(wolfSSL_CTX_der_load_verify_locations(ctx, derCert, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - /* fail with DNS check because of common name */ - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, - WOLFSSL_FILETYPE_PEM)); - ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); - ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); - name = NULL; + #ifndef NO_WOLFSSL_CLIENT + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); + #else + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); + #endif - ExpectNotNull(name = X509_NAME_new()); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, - (byte*)"US", 2, -1, 0), SSL_SUCCESS); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8, - (byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); - X509_NAME_free(name); - name = NULL; + /* Case 2 filePath NULL */ + ExpectIntEQ(wolfSSL_CTX_der_load_verify_locations(ctx, nullPath, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + /* Case 3 invalid format */ + ExpectIntEQ(wolfSSL_CTX_der_load_verify_locations(ctx, derCert, + WOLFSSL_FILETYPE_PEM), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + /* Case 4 filePath not valid */ + ExpectIntEQ(wolfSSL_CTX_der_load_verify_locations(ctx, invalidPath, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + /* Case 5 filePath empty */ + ExpectIntEQ(wolfSSL_CTX_der_load_verify_locations(ctx, emptyPath, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); +#ifndef NO_RSA + /* Case 6 success case */ + ExpectIntEQ(wolfSSL_CTX_der_load_verify_locations(ctx, derCert, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); +#endif - wolfSSL_X509_add_altname(x509, "example", ASN_DNS_TYPE); - wolfSSL_X509_add_altname(x509, "facts@wolfssl.com", ASN_RFC822_TYPE); - ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); - DEBUG_WRITE_CERT_X509(x509, "bad-cn-cert.pem"); + wolfSSL_CTX_free(ctx); +#endif - ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E)); - wolfSSL_X509_free(x509); - x509 = NULL; + return EXPECT_RESULT(); +} - /* fail on permitted DNS name constraint */ - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, - WOLFSSL_FILETYPE_PEM)); - ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); - ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); - name = NULL; +static int test_wolfSSL_CTX_enable_disable(void) +{ + EXPECT_DECLS; +#if !defined(NO_CERTS) && !defined(NO_TLS) + WOLFSSL_CTX* ctx = NULL; - ExpectNotNull(name = X509_NAME_new()); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, - (byte*)"US", 2, -1, 0), SSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); - X509_NAME_free(name); - name = NULL; + #ifdef HAVE_CRL + ExpectIntEQ(wolfSSL_CTX_DisableCRL(ctx), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CTX_EnableCRL(ctx, 0), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + #endif - wolfSSL_X509_add_altname(x509, "www.example", ASN_DNS_TYPE); - wolfSSL_X509_add_altname(x509, "www.wolfssl", ASN_DNS_TYPE); - wolfSSL_X509_add_altname(x509, "info@wolfssl.com", ASN_RFC822_TYPE); - ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); - DEBUG_WRITE_CERT_X509(x509, "bad-1st-constraint-cert.pem"); + #ifdef HAVE_OCSP + ExpectIntEQ(wolfSSL_CTX_DisableOCSP(ctx), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CTX_EnableOCSP(ctx, 0), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + #endif - ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E)); - wolfSSL_X509_free(x509); - x509 = NULL; + #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) || \ + defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) + ExpectIntEQ(wolfSSL_CTX_DisableOCSPStapling(ctx), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CTX_EnableOCSPStapling(ctx), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CTX_DisableOCSPMustStaple(ctx), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CTX_EnableOCSPMustStaple(ctx), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + #endif - /* fail on permitted email name constraint */ - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, - WOLFSSL_FILETYPE_PEM)); - ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); - ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); - name = NULL; + #ifndef NO_WOLFSSL_CLIENT - ExpectNotNull(name = X509_NAME_new()); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, - (byte*)"US", 2, -1, 0), SSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); - X509_NAME_free(name); - name = NULL; + #ifdef HAVE_EXTENDED_MASTER + ExpectIntEQ(wolfSSL_CTX_DisableExtendedMasterSecret(ctx), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + #endif + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); - wolfSSL_X509_add_altname(x509, "example", ASN_DNS_TYPE); - wolfSSL_X509_add_altname(x509, "info@wolfssl.com", ASN_RFC822_TYPE); - wolfSSL_X509_add_altname(x509, "info@example.com", ASN_RFC822_TYPE); - ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); - DEBUG_WRITE_CERT_X509(x509, "bad-2nd-constraint-cert.pem"); + #ifdef HAVE_EXTENDED_MASTER + ExpectIntEQ(wolfSSL_CTX_DisableExtendedMasterSecret(ctx), WOLFSSL_SUCCESS); + #endif - ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E)); - wolfSSL_X509_free(x509); - x509 = NULL; + #elif !defined(NO_WOLFSSL_SERVER) + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); + #endif - /* success with empty email name */ - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, - WOLFSSL_FILETYPE_PEM)); - ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); - ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); - name = NULL; + #if !defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER) - ExpectNotNull(name = X509_NAME_new()); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, - (byte*)"US", 2, -1, 0), SSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); - X509_NAME_free(name); + #ifdef HAVE_CRL + ExpectIntEQ(wolfSSL_CTX_DisableCRL(ctx), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CTX_EnableCRL(ctx, 0), WOLFSSL_SUCCESS); + #endif - wolfSSL_X509_add_altname(x509, "example", ASN_DNS_TYPE); - ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); - DEBUG_WRITE_CERT_X509(x509, "good-missing-constraint-cert.pem"); + #ifdef HAVE_OCSP + ExpectIntEQ(wolfSSL_CTX_DisableOCSP(ctx), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CTX_EnableOCSP(ctx, WOLFSSL_OCSP_URL_OVERRIDE), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CTX_EnableOCSP(ctx, WOLFSSL_OCSP_NO_NONCE), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CTX_EnableOCSP(ctx, WOLFSSL_OCSP_CHECKALL), + WOLFSSL_SUCCESS); + #endif - ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, - WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); - wolfSSL_X509_free(x509); + #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) || \ + defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) + ExpectIntEQ(wolfSSL_CTX_DisableOCSPStapling(ctx), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CTX_EnableOCSPStapling(ctx), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CTX_DisableOCSPMustStaple(ctx), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CTX_DisableOCSPMustStaple(ctx), WOLFSSL_SUCCESS); + #endif + wolfSSL_CTX_free(ctx); + #endif /* !NO_WOLFSSL_CLIENT || !NO_WOLFSSL_SERVER */ +#endif /* !NO_CERTS && !NO_CERTS */ - wolfSSL_CertManagerFree(cm); - wolfSSL_X509_free(ca); - wolfSSL_EVP_PKEY_free(priv); -#endif return EXPECT_RESULT(); } -static int test_wolfSSL_CRL_duplicate_extensions(void) +static int test_wolfSSL_CTX_ticket_API(void) { EXPECT_DECLS; -#if defined(WOLFSSL_ASN_TEMPLATE) && !defined(NO_CERTS) && \ - defined(HAVE_CRL) && !defined(NO_RSA) && !defined(WOLFSSL_NO_ASN_STRICT) && \ - (defined(WC_ASN_RUNTIME_DATE_CHECK_CONTROL) || defined(NO_ASN_TIME_CHECK)) - const unsigned char crl_duplicate_akd[] = - "-----BEGIN X509 CRL-----\n" - "MIICCDCB8QIBATANBgkqhkiG9w0BAQsFADB5MQswCQYDVQQGEwJVUzETMBEGA1UE\n" - "CAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzETMBEGA1UECgwK\n" - "TXkgQ29tcGFueTETMBEGA1UEAwwKTXkgUm9vdCBDQTETMBEGA1UECwwKTXkgUm9v\n" - "dCBDQRcNMjQwOTAxMDAwMDAwWhcNMjUxMjAxMDAwMDAwWqBEMEIwHwYDVR0jBBgw\n" - "FoAU72ng99Ud5pns3G3Q9+K5XGRxgzUwHwYDVR0jBBgwFoAU72ng99Ud5pns3G3Q\n" - "9+K5XGRxgzUwDQYJKoZIhvcNAQELBQADggEBAIFVw4jrS4taSXR/9gPzqGrqFeHr\n" - "IXCnFtHJTLxqa8vUOAqSwqysvNpepVKioMVoGrLjFMjANjWQqTEiMROAnLfJ/+L8\n" - "FHZkV/mZwOKAXMhIC9MrJzifxBICwmvD028qnwQm09EP8z4ICZptD6wPdRTDzduc\n" - "KBuAX+zn8pNrJgyrheRKpPgno9KsbCzK4D/RIt1sTK2M3vVOtY+vpsN70QYUXvQ4\n" - "r2RZac3omlT43x5lddPxIlcouQpwWcVvr/K+Va770MRrjn88PBrJmvsEw/QYVBXp\n" - "Gxv2b78HFDacba80sMIm8ltRdqUCa5qIc6OATsz7izCQXEbkTEeESrcK1MA=\n" - "-----END X509 CRL-----\n"; - - WOLFSSL_CERT_MANAGER* cm = NULL; - int ret; - - (void)wc_AsnSetSkipDateCheck(1); +#if defined(HAVE_SESSION_TICKET) && !defined(NO_WOLFSSL_SERVER) && \ + !defined(NO_TLS) + WOLFSSL_CTX* ctx = NULL; + void *userCtx = (void*)"this is my ctx"; - cm = wolfSSL_CertManagerNew(); - ExpectNotNull(cm); + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); - /* Test loading CRL with duplicate extensions */ - WOLFSSL_MSG("Testing CRL with duplicate Authority Key Identifier extensions"); - ret = wolfSSL_CertManagerLoadCRLBuffer(cm, crl_duplicate_akd, - sizeof(crl_duplicate_akd), - WOLFSSL_FILETYPE_PEM); - ExpectIntEQ(ret, ASN_PARSE_E); + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_set_TicketEncCtx(ctx, userCtx)); + ExpectTrue(userCtx == wolfSSL_CTX_get_TicketEncCtx(ctx)); - wolfSSL_CertManagerFree(cm); + wolfSSL_CTX_free(ctx); - (void)wc_AsnSetSkipDateCheck(0); -#endif + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_set_TicketEncCtx(NULL, userCtx)); + ExpectNull(wolfSSL_CTX_get_TicketEncCtx(NULL)); +#endif /* HAVE_SESSION_TICKET && !NO_WOLFSSL_SERVER && !NO_TLS */ return EXPECT_RESULT(); } -static int test_wolfSSL_CertManagerCRL(void) +static int test_wolfSSL_set_minmax_proto_version(void) { EXPECT_DECLS; -#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && defined(HAVE_CRL) && \ - !defined(NO_RSA) - const char* ca_cert = "./certs/ca-cert.pem"; - const char* crl1 = "./certs/crl/crl.pem"; - const char* crl2 = "./certs/crl/crl2.pem"; -#ifdef WC_RSA_PSS - const char* crl_rsapss = "./certs/crl/crl_rsapss.pem"; - const char* ca_rsapss = "./certs/rsapss/ca-rsapss.pem"; -#endif - /* ./certs/crl/crl.der */ - const unsigned char crl_buff[] = { - 0x30, 0x82, 0x02, 0x04, 0x30, 0x81, 0xED, 0x02, - 0x01, 0x01, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, - 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, - 0x00, 0x30, 0x81, 0x94, 0x31, 0x0B, 0x30, 0x09, - 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, - 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, - 0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74, - 0x61, 0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E, 0x06, - 0x03, 0x55, 0x04, 0x07, 0x0C, 0x07, 0x42, 0x6F, - 0x7A, 0x65, 0x6D, 0x61, 0x6E, 0x31, 0x11, 0x30, - 0x0F, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x08, - 0x53, 0x61, 0x77, 0x74, 0x6F, 0x6F, 0x74, 0x68, - 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, - 0x0B, 0x0C, 0x0A, 0x43, 0x6F, 0x6E, 0x73, 0x75, - 0x6C, 0x74, 0x69, 0x6E, 0x67, 0x31, 0x18, 0x30, - 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, - 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, - 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, - 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, - 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, - 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, - 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, - 0x17, 0x0D, 0x32, 0x34, 0x30, 0x31, 0x30, 0x39, - 0x30, 0x30, 0x33, 0x34, 0x33, 0x30, 0x5A, 0x17, - 0x0D, 0x32, 0x36, 0x31, 0x30, 0x30, 0x35, 0x30, - 0x30, 0x33, 0x34, 0x33, 0x30, 0x5A, 0x30, 0x14, - 0x30, 0x12, 0x02, 0x01, 0x02, 0x17, 0x0D, 0x32, - 0x34, 0x30, 0x31, 0x30, 0x39, 0x30, 0x30, 0x33, - 0x34, 0x33, 0x30, 0x5A, 0xA0, 0x0E, 0x30, 0x0C, - 0x30, 0x0A, 0x06, 0x03, 0x55, 0x1D, 0x14, 0x04, - 0x03, 0x02, 0x01, 0x02, 0x30, 0x0D, 0x06, 0x09, - 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, - 0x0B, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, - 0xB3, 0x6F, 0xED, 0x72, 0xD2, 0x73, 0x6A, 0x77, - 0xBF, 0x3A, 0x55, 0xBC, 0x54, 0x18, 0x6A, 0x71, - 0xBC, 0x6A, 0xCC, 0xCD, 0x5D, 0x90, 0xF5, 0x64, - 0x8D, 0x1B, 0xF0, 0xE0, 0x48, 0x7B, 0xF2, 0x7B, - 0x06, 0x86, 0x53, 0x63, 0x9B, 0xD8, 0x24, 0x15, - 0x10, 0xB1, 0x19, 0x96, 0x9B, 0xD2, 0x75, 0xA8, - 0x25, 0xA2, 0x35, 0xA9, 0x14, 0xD6, 0xD5, 0x5E, - 0x53, 0xE3, 0x34, 0x9D, 0xF2, 0x8B, 0x07, 0x19, - 0x9B, 0x1F, 0xF1, 0x02, 0x0F, 0x04, 0x46, 0xE8, - 0xB8, 0xB6, 0xF2, 0x8D, 0xC7, 0xC0, 0x15, 0x3E, - 0x3E, 0x8E, 0x96, 0x73, 0x15, 0x1E, 0x62, 0xF6, - 0x4E, 0x2A, 0xF7, 0xAA, 0xA0, 0x91, 0x80, 0x12, - 0x7F, 0x81, 0x0C, 0x65, 0xCC, 0x38, 0xBE, 0x58, - 0x6C, 0x14, 0xA5, 0x21, 0xA1, 0x8D, 0xF7, 0x8A, - 0xB9, 0x24, 0xF4, 0x2D, 0xCA, 0xC0, 0x67, 0x43, - 0x0B, 0xC8, 0x1C, 0xB4, 0x7D, 0x12, 0x7F, 0xA2, - 0x1B, 0x19, 0x0E, 0x94, 0xCF, 0x7B, 0x9F, 0x75, - 0xA0, 0x08, 0x9A, 0x67, 0x3F, 0x87, 0x89, 0x3E, - 0xF8, 0x58, 0xA5, 0x8A, 0x1B, 0x2D, 0xDA, 0x9B, - 0xD0, 0x1B, 0x18, 0x92, 0xC3, 0xD2, 0x6A, 0xD7, - 0x1C, 0xFC, 0x45, 0x69, 0x77, 0xC3, 0x57, 0x65, - 0x75, 0x99, 0x9E, 0x47, 0x2A, 0x20, 0x25, 0xEF, - 0x90, 0xF2, 0x5F, 0x3B, 0x7D, 0x9C, 0x7D, 0x00, - 0xEA, 0x92, 0x54, 0xEB, 0x0B, 0xE7, 0x17, 0xAF, - 0x24, 0x1A, 0xF9, 0x7C, 0x83, 0x50, 0x68, 0x1D, - 0xDC, 0x5B, 0x60, 0x12, 0xA7, 0x52, 0x78, 0xD9, - 0xA9, 0xB0, 0x1F, 0x59, 0x48, 0x36, 0xC7, 0xA6, - 0x97, 0x34, 0xC7, 0x87, 0x3F, 0xAE, 0xFD, 0xA9, - 0x56, 0x5D, 0x48, 0xCC, 0x89, 0x7A, 0x79, 0x60, - 0x8F, 0x9B, 0x2B, 0x63, 0x3C, 0xB3, 0x04, 0x1D, - 0x5F, 0xF7, 0x20, 0xD2, 0xFD, 0xF2, 0x51, 0xB1, - 0x96, 0x93, 0x13, 0x5B, 0xAB, 0x74, 0x82, 0x8B - }; +#if defined(OPENSSL_EXTRA) && !defined(NO_TLS) + WOLFSSL_CTX *ctx = NULL; + WOLFSSL *ssl = NULL; - WOLFSSL_CERT_MANAGER* cm = NULL; + (void)ssl; - ExpectNotNull(cm = wolfSSL_CertManagerNew()); +#ifndef NO_WOLFSSL_CLIENT + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); + ExpectNotNull(ssl = wolfSSL_new(ctx)); - ExpectIntEQ(wolfSSL_CertManagerEnableCRL(NULL, 0), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerEnableCRL(cm, WOLFSSL_CRL_CHECKALL), 1); - ExpectIntEQ(wolfSSL_CertManagerEnableCRL(cm, WOLFSSL_CRL_CHECK), 1); - ExpectIntEQ(wolfSSL_CertManagerEnableCRL(cm, - WOLFSSL_CRL_CHECK | WOLFSSL_CRL_CHECKALL), 1); - ExpectIntEQ(wolfSSL_CertManagerEnableCRL(cm, 16), 1); - ExpectIntEQ(wolfSSL_CertManagerEnableCRL(cm, WOLFSSL_CRL_CHECKALL), 1); - - ExpectIntEQ(wolfSSL_CertManagerCheckCRL(NULL, NULL, -1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerCheckCRL(cm, NULL, -1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerCheckCRL(NULL, server_cert_der_2048, -1), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerCheckCRL(NULL, NULL, 1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerCheckCRL(NULL, server_cert_der_2048, 1), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerCheckCRL(cm, NULL, 1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerCheckCRL(cm, server_cert_der_2048, -1), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerCheckCRL(cm, server_cert_der_2048, - sizeof_server_cert_der_2048), WC_NO_ERR_TRACE(ASN_NO_SIGNER_E)); + ExpectIntEQ(wolfSSL_CTX_set_min_proto_version(NULL, 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_CTX_set_max_proto_version(NULL, 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_CTX_set_min_proto_version(ctx, 0), SSL_SUCCESS); + ExpectIntEQ(wolfSSL_CTX_set_max_proto_version(ctx, 0), SSL_SUCCESS); - ExpectIntEQ(wolfSSL_CertManagerSetCRL_Cb(NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerSetCRL_Cb(cm, NULL), 1); -#ifdef HAVE_CRL_IO - ExpectIntEQ(wolfSSL_CertManagerSetCRL_IOCb(NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerSetCRL_IOCb(cm, NULL), 1); -#endif + ExpectIntEQ(wolfSSL_set_min_proto_version(NULL, 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_set_min_proto_version(ssl, 0), SSL_SUCCESS); + ExpectIntEQ(wolfSSL_set_max_proto_version(NULL, 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_set_max_proto_version(ssl, 0), SSL_SUCCESS); -#ifndef NO_FILESYSTEM - ExpectIntEQ(wolfSSL_CertManagerLoadCRL(NULL, NULL, WOLFSSL_FILETYPE_ASN1, - 0), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerLoadCRL(cm, NULL, WOLFSSL_FILETYPE_ASN1, - 0), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - /* -1 seen as !WOLFSSL_FILETYPE_PEM */ - ExpectIntEQ(wolfSSL_CertManagerLoadCRL(cm, "./certs/crl", -1, 0), 1); - - ExpectIntEQ(wolfSSL_CertManagerLoadCRLFile(NULL, NULL, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerLoadCRLFile(cm, NULL, WOLFSSL_FILETYPE_ASN1), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - /* -1 seen as !WOLFSSL_FILETYPE_PEM */ - ExpectIntEQ(wolfSSL_CertManagerLoadCRLFile(cm, "./certs/crl/crl.pem", -1), - WC_NO_ERR_TRACE(ASN_PARSE_E)); + wolfSSL_free(ssl); + wolfSSL_CTX_free(ctx); + ctx = NULL; #endif +#ifndef NO_WOLFSSL_SERVER + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); - ExpectIntEQ(wolfSSL_CertManagerLoadCRLBuffer(NULL, NULL, -1, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerLoadCRLBuffer(cm, NULL, -1, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerLoadCRLBuffer(NULL, crl_buff, -1, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerLoadCRLBuffer(NULL, NULL, 1, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerLoadCRLBuffer(NULL, crl_buff, 1, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerLoadCRLBuffer(cm, NULL, 1, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CertManagerLoadCRLBuffer(cm, crl_buff, -1, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - - ExpectIntEQ(wolfSSL_CertManagerFreeCRL(NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - DoExpectIntEQ(wolfSSL_CertManagerFreeCRL(cm), 1); - - ExpectIntEQ(WOLFSSL_SUCCESS, - wolfSSL_CertManagerLoadCA(cm, ca_cert, NULL)); - ExpectIntEQ(WOLFSSL_SUCCESS, - wolfSSL_CertManagerLoadCRL(cm, crl1, WOLFSSL_FILETYPE_PEM, 0)); - ExpectIntEQ(WOLFSSL_SUCCESS, - wolfSSL_CertManagerLoadCRL(cm, crl2, WOLFSSL_FILETYPE_PEM, 0)); - wolfSSL_CertManagerFreeCRL(cm); + ExpectIntEQ(wolfSSL_CTX_set_min_proto_version(NULL, 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_CTX_set_max_proto_version(NULL, 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_CTX_set_min_proto_version(ctx, 0), SSL_SUCCESS); + ExpectIntEQ(wolfSSL_CTX_set_max_proto_version(ctx, 0), SSL_SUCCESS); -#ifndef WOLFSSL_CRL_ALLOW_MISSING_CDP - ExpectIntEQ(WOLFSSL_SUCCESS, - wolfSSL_CertManagerLoadCRL(cm, crl1, WOLFSSL_FILETYPE_PEM, 0)); - ExpectIntEQ(WOLFSSL_SUCCESS, - wolfSSL_CertManagerLoadCA(cm, ca_cert, NULL)); - ExpectIntEQ(wolfSSL_CertManagerCheckCRL(cm, server_cert_der_2048, - sizeof_server_cert_der_2048), WC_NO_ERR_TRACE(CRL_MISSING)); - ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, server_cert_der_2048, - sizeof_server_cert_der_2048, WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(CRL_MISSING)); -#endif /* !WOLFSSL_CRL_ALLOW_MISSING_CDP */ - - ExpectIntEQ(wolfSSL_CertManagerLoadCRLBuffer(cm, crl_buff, sizeof(crl_buff), - WOLFSSL_FILETYPE_ASN1), 1); - -#if !defined(NO_FILESYSTEM) && defined(WC_RSA_PSS) - /* loading should fail without the CA set */ - ExpectIntEQ(wolfSSL_CertManagerLoadCRLFile(cm, crl_rsapss, - WOLFSSL_FILETYPE_PEM), WC_NO_ERR_TRACE(ASN_CRL_NO_SIGNER_E)); - - /* now successfully load the RSA-PSS crl once loading in it's CA */ - ExpectIntEQ(WOLFSSL_SUCCESS, - wolfSSL_CertManagerLoadCA(cm, ca_rsapss, NULL)); - ExpectIntEQ(wolfSSL_CertManagerLoadCRLFile(cm, crl_rsapss, - WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS); + wolfSSL_CTX_free(ctx); #endif - - wolfSSL_CertManagerFree(cm); #endif return EXPECT_RESULT(); } -static int test_wolfSSL_CertManagerCheckOCSPResponse(void) +#if defined(WOLFSSL_TLS13) && !defined(WOLFSSL_NO_TLS12) && \ + defined(OPENSSL_EXTRA) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) +static int test_wolfSSL_CTX_set_max_proto_version_on_result(WOLFSSL* ssl) { EXPECT_DECLS; -#if defined(HAVE_OCSP) && !defined(NO_RSA) && !defined(NO_SHA) -/* Need one of these for wolfSSL_OCSP_REQUEST_new. */ -#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || \ - defined(WOLFSSL_HAPROXY) || defined(WOLFSSL_APACHE_HTTPD) || \ - defined(HAVE_LIGHTY) - WOLFSSL_CERT_MANAGER* cm = NULL; - /* Raw OCSP response bytes captured using the following setup: - * - Run responder with - * openssl ocsp -port 9999 -ndays 9999 - * -index certs/ocsp/index-intermediate1-ca-issued-certs.txt - * -rsigner certs/ocsp/ocsp-responder-cert.pem - * -rkey certs/ocsp/ocsp-responder-key.pem - * -CA certs/ocsp/intermediate1-ca-cert.pem - * - Run client with - * openssl ocsp -host 127.0.0.1:9999 -respout resp.out - * -issuer certs/ocsp/intermediate1-ca-cert.pem - * -cert certs/ocsp/server1-cert.pem - * -CAfile certs/ocsp/root-ca-cert.pem -noverify - * - Select the response packet in Wireshark, and export it using - * "File->Export Packet Dissection->As "C" Arrays". Select "Selected - * packets only". After importing into the editor, remove the initial - * ~148 bytes of header, ending with the Content-Length and the \r\n\r\n. - */ - static const byte response[] = { - 0x30, 0x82, 0x07, 0x40, /* ....0..@ */ - 0x0a, 0x01, 0x00, 0xa0, 0x82, 0x07, 0x39, 0x30, /* ......90 */ - 0x82, 0x07, 0x35, 0x06, 0x09, 0x2b, 0x06, 0x01, /* ..5..+.. */ - 0x05, 0x05, 0x07, 0x30, 0x01, 0x01, 0x04, 0x82, /* ...0.... */ - 0x07, 0x26, 0x30, 0x82, 0x07, 0x22, 0x30, 0x82, /* .&0.."0. */ - 0x01, 0x40, 0xa1, 0x81, 0xa1, 0x30, 0x81, 0x9e, /* .@...0.. */ - 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, /* 1.0...U. */ - 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, /* ...US1.0 */ - 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, /* ...U.... */ - 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, /* Washingt */ - 0x6f, 0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, /* on1.0... */ - 0x55, 0x04, 0x07, 0x0c, 0x07, 0x53, 0x65, 0x61, /* U....Sea */ - 0x74, 0x74, 0x6c, 0x65, 0x31, 0x10, 0x30, 0x0e, /* ttle1.0. */ - 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x07, 0x77, /* ..U....w */ - 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x31, 0x14, /* olfSSL1. */ - 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, /* 0...U... */ - 0x0b, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, /* .Enginee */ - 0x72, 0x69, 0x6e, 0x67, 0x31, 0x1f, 0x30, 0x1d, /* ring1.0. */ - 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x16, 0x77, /* ..U....w */ - 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x20, 0x4f, /* olfSSL O */ - 0x43, 0x53, 0x50, 0x20, 0x52, 0x65, 0x73, 0x70, /* CSP Resp */ - 0x6f, 0x6e, 0x64, 0x65, 0x72, 0x31, 0x1f, 0x30, /* onder1.0 */ - 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, /* ...*.H.. */ - 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, /* ......in */ - 0x66, 0x6f, 0x40, 0x77, 0x6f, 0x6c, 0x66, 0x73, /* fo@wolfs */ - 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x18, 0x0f, /* sl.com.. */ - 0x32, 0x30, 0x32, 0x34, 0x31, 0x32, 0x32, 0x30, /* 20241220 */ - 0x31, 0x37, 0x30, 0x37, 0x30, 0x34, 0x5a, 0x30, /* 170704Z0 */ - 0x64, 0x30, 0x62, 0x30, 0x3a, 0x30, 0x09, 0x06, /* d0b0:0.. */ - 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, /* .+...... */ - 0x04, 0x14, 0x71, 0x4d, 0x82, 0x23, 0x40, 0x59, /* ..qM.#@Y */ - 0xc0, 0x96, 0xa1, 0x37, 0x43, 0xfa, 0x31, 0xdb, /* ...7C.1. */ - 0xba, 0xb1, 0x43, 0x18, 0xda, 0x04, 0x04, 0x14, /* ..C..... */ - 0x83, 0xc6, 0x3a, 0x89, 0x2c, 0x81, 0xf4, 0x02, /* ..:.,... */ - 0xd7, 0x9d, 0x4c, 0xe2, 0x2a, 0xc0, 0x71, 0x82, /* ..L.*.q. */ - 0x64, 0x44, 0xda, 0x0e, 0x02, 0x01, 0x05, 0x80, /* dD...... */ - 0x00, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x34, 0x31, /* ...20241 */ - 0x32, 0x32, 0x30, 0x31, 0x37, 0x30, 0x37, 0x30, /* 22017070 */ - 0x34, 0x5a, 0xa0, 0x11, 0x18, 0x0f, 0x32, 0x30, /* 4Z....20 */ - 0x35, 0x32, 0x30, 0x35, 0x30, 0x36, 0x31, 0x37, /* 52050617 */ - 0x30, 0x37, 0x30, 0x34, 0x5a, 0xa1, 0x23, 0x30, /* 0704Z.#0 */ - 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2b, 0x06, 0x01, /* !0...+.. */ - 0x05, 0x05, 0x07, 0x30, 0x01, 0x02, 0x04, 0x12, /* ...0.... */ - 0x04, 0x10, 0x12, 0x7c, 0x27, 0xbd, 0x22, 0x28, /* ...|'."( */ - 0x5e, 0x62, 0x81, 0xed, 0x6d, 0x2c, 0x2d, 0x59, /* ^b..m,-Y */ - 0x42, 0xd7, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, /* B.0...*. */ - 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, /* H....... */ - 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x6c, 0xce, /* ......l. */ - 0xa8, 0xe8, 0xfe, 0xaf, 0x33, 0xe2, 0xce, 0x4e, /* ....3..N */ - 0x63, 0x8d, 0x61, 0x16, 0x0f, 0x70, 0xb2, 0x0c, /* c.a..p.. */ - 0x9a, 0xe3, 0x01, 0xd5, 0xca, 0xe5, 0x9b, 0x70, /* .......p */ - 0x81, 0x6f, 0x94, 0x09, 0xe8, 0x88, 0x98, 0x1a, /* .o...... */ - 0x67, 0xa0, 0xc2, 0xe7, 0x8f, 0x9b, 0x5f, 0x13, /* g....._. */ - 0x17, 0x8d, 0x93, 0x8c, 0x31, 0x61, 0x7d, 0x72, /* ....1a}r */ - 0x34, 0xbd, 0x21, 0x48, 0xca, 0xb2, 0xc9, 0xae, /* 4.!H.... */ - 0x28, 0x5f, 0x97, 0x19, 0xcb, 0xdf, 0xed, 0xd4, /* (_...... */ - 0x6e, 0x89, 0x30, 0x89, 0x11, 0xd1, 0x05, 0x08, /* n.0..... */ - 0x81, 0xe9, 0xa7, 0xba, 0xf7, 0x16, 0x0c, 0xbe, /* ........ */ - 0x48, 0x2e, 0xc0, 0x05, 0xac, 0x90, 0xc2, 0x35, /* H......5 */ - 0xce, 0x6c, 0x94, 0x5d, 0x2b, 0xad, 0x4f, 0x19, /* .l.]+.O. */ - 0xea, 0x7b, 0xd9, 0x4f, 0x49, 0x20, 0x8d, 0x98, /* .{.OI .. */ - 0xa9, 0xe4, 0x53, 0x6d, 0xca, 0x34, 0xdb, 0x4a, /* ..Sm.4.J */ - 0x28, 0xb3, 0x33, 0xfb, 0xfd, 0xcc, 0x4b, 0xfa, /* (.3...K. */ - 0xdb, 0x70, 0xe1, 0x96, 0xc8, 0xd4, 0xf1, 0x85, /* .p...... */ - 0x99, 0xaf, 0x06, 0xeb, 0xfd, 0x96, 0x21, 0x86, /* ......!. */ - 0x81, 0xee, 0xcf, 0xd2, 0xf4, 0x83, 0xc9, 0x1d, /* ........ */ - 0x8f, 0x42, 0xd1, 0xc1, 0xbc, 0x50, 0x0a, 0xfb, /* .B...P.. */ - 0x95, 0x39, 0x4c, 0x36, 0xa8, 0xfe, 0x2b, 0x8e, /* .9L6..+. */ - 0xc5, 0xb5, 0xe0, 0xab, 0xdb, 0xc0, 0xbf, 0x1d, /* ........ */ - 0x35, 0x4d, 0xc0, 0x52, 0xfb, 0x08, 0x04, 0x4c, /* 5M.R...L */ - 0x98, 0xf0, 0xb5, 0x5b, 0xff, 0x99, 0x74, 0xce, /* ...[..t. */ - 0xb7, 0xc9, 0xe3, 0xe5, 0x70, 0x2e, 0xd3, 0x1d, /* ....p... */ - 0x46, 0x38, 0xf9, 0x51, 0x17, 0x73, 0xd1, 0x08, /* F8.Q.s.. */ - 0x8d, 0x3d, 0x12, 0x47, 0xd0, 0x66, 0x77, 0xaf, /* .=.G.fw. */ - 0xfd, 0x4c, 0x75, 0x1f, 0xe9, 0x6c, 0xf4, 0x5a, /* .Lu..l.Z */ - 0xde, 0xec, 0x37, 0xc7, 0xc4, 0x0a, 0xbe, 0x91, /* ..7..... */ - 0xbc, 0x05, 0x08, 0x86, 0x47, 0x30, 0x2a, 0xc6, /* ....G0*. */ - 0x85, 0x4b, 0x55, 0x6c, 0xef, 0xdf, 0x2d, 0x5a, /* .KUl..-Z */ - 0xf7, 0x5b, 0xb5, 0xba, 0xed, 0x38, 0xb0, 0xcb, /* .[...8.. */ - 0xeb, 0x7e, 0x84, 0x3a, 0x69, 0x2c, 0xa0, 0x82, /* .~.:i,.. */ - 0x04, 0xc6, 0x30, 0x82, 0x04, 0xc2, 0x30, 0x82, /* ..0...0. */ - 0x04, 0xbe, 0x30, 0x82, 0x03, 0xa6, 0xa0, 0x03, /* ..0..... */ - 0x02, 0x01, 0x02, 0x02, 0x01, 0x04, 0x30, 0x0d, /* ......0. */ - 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, /* ..*.H... */ - 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x81, 0x97, /* .....0.. */ - 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, /* 1.0...U. */ - 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, /* ...US1.0 */ - 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, /* ...U.... */ - 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, /* Washingt */ - 0x6f, 0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, /* on1.0... */ - 0x55, 0x04, 0x07, 0x0c, 0x07, 0x53, 0x65, 0x61, /* U....Sea */ - 0x74, 0x74, 0x6c, 0x65, 0x31, 0x10, 0x30, 0x0e, /* ttle1.0. */ - 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x07, 0x77, /* ..U....w */ - 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x31, 0x14, /* olfSSL1. */ - 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, /* 0...U... */ - 0x0b, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, /* .Enginee */ - 0x72, 0x69, 0x6e, 0x67, 0x31, 0x18, 0x30, 0x16, /* ring1.0. */ - 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x77, /* ..U....w */ - 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x20, 0x72, /* olfSSL r */ - 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x41, 0x31, 0x1f, /* oot CA1. */ - 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, /* 0...*.H. */ - 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, /* .......i */ - 0x6e, 0x66, 0x6f, 0x40, 0x77, 0x6f, 0x6c, 0x66, /* nfo@wolf */ - 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x30, /* ssl.com0 */ - 0x1e, 0x17, 0x0d, 0x32, 0x34, 0x31, 0x32, 0x31, /* ...24121 */ - 0x38, 0x32, 0x31, 0x32, 0x35, 0x33, 0x31, 0x5a, /* 8212531Z */ - 0x17, 0x0d, 0x32, 0x37, 0x30, 0x39, 0x31, 0x34, /* ..270914 */ - 0x32, 0x31, 0x32, 0x35, 0x33, 0x31, 0x5a, 0x30, /* 212531Z0 */ - 0x81, 0x9e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, /* ..1.0... */ - 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, /* U....US1 */ - 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, /* .0...U.. */ - 0x0c, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, /* ..Washin */ - 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30, 0x0e, /* gton1.0. */ - 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x07, 0x53, /* ..U....S */ - 0x65, 0x61, 0x74, 0x74, 0x6c, 0x65, 0x31, 0x10, /* eattle1. */ - 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, /* 0...U... */ - 0x07, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, /* .wolfSSL */ - 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, /* 1.0...U. */ - 0x0b, 0x0c, 0x0b, 0x45, 0x6e, 0x67, 0x69, 0x6e, /* ...Engin */ - 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x31, 0x1f, /* eering1. */ - 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, /* 0...U... */ - 0x16, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, /* .wolfSSL */ - 0x20, 0x4f, 0x43, 0x53, 0x50, 0x20, 0x52, 0x65, /* OCSP Re */ - 0x73, 0x70, 0x6f, 0x6e, 0x64, 0x65, 0x72, 0x31, /* sponder1 */ - 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, /* .0...*.H */ - 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, /* ........ */ - 0x69, 0x6e, 0x66, 0x6f, 0x40, 0x77, 0x6f, 0x6c, /* info@wol */ - 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, /* fssl.com */ - 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, /* 0.."0... */ - 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, /* *.H..... */ - 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, /* ........ */ - 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, /* 0....... */ - 0x00, 0xb8, 0xba, 0x23, 0xb4, 0xf6, 0xc3, 0x7b, /* ...#...{ */ - 0x14, 0xc3, 0xa4, 0xf5, 0x1d, 0x61, 0xa1, 0xf5, /* .....a.. */ - 0x1e, 0x63, 0xb9, 0x85, 0x23, 0x34, 0x50, 0x6d, /* .c..#4Pm */ - 0xf8, 0x7c, 0xa2, 0x8a, 0x04, 0x8b, 0xd5, 0x75, /* .|.....u */ - 0x5c, 0x2d, 0xf7, 0x63, 0x88, 0xd1, 0x07, 0x7a, /* \-.c...z */ - 0xea, 0x0b, 0x45, 0x35, 0x2b, 0xeb, 0x1f, 0xb1, /* ..E5+... */ - 0x22, 0xb4, 0x94, 0x41, 0x38, 0xe2, 0x9d, 0x74, /* "..A8..t */ - 0xd6, 0x8b, 0x30, 0x22, 0x10, 0x51, 0xc5, 0xdb, /* ..0".Q.. */ - 0xca, 0x3f, 0x46, 0x2b, 0xfe, 0xe5, 0x5a, 0x3f, /* .?F+..Z? */ - 0x41, 0x74, 0x67, 0x75, 0x95, 0xa9, 0x94, 0xd5, /* Atgu.... */ - 0xc3, 0xee, 0x42, 0xf8, 0x8d, 0xeb, 0x92, 0x95, /* ..B..... */ - 0xe1, 0xd9, 0x65, 0xb7, 0x43, 0xc4, 0x18, 0xde, /* ..e.C... */ - 0x16, 0x80, 0x90, 0xce, 0x24, 0x35, 0x21, 0xc4, /* ....$5!. */ - 0x55, 0xac, 0x5a, 0x51, 0xe0, 0x2e, 0x2d, 0xb3, /* U.ZQ..-. */ - 0x0a, 0x5a, 0x4f, 0x4a, 0x73, 0x31, 0x50, 0xee, /* .ZOJs1P. */ - 0x4a, 0x16, 0xbd, 0x39, 0x8b, 0xad, 0x05, 0x48, /* J..9...H */ - 0x87, 0xb1, 0x99, 0xe2, 0x10, 0xa7, 0x06, 0x72, /* .......r */ - 0x67, 0xca, 0x5c, 0xd1, 0x97, 0xbd, 0xc8, 0xf1, /* g.\..... */ - 0x76, 0xf8, 0xe0, 0x4a, 0xec, 0xbc, 0x93, 0xf4, /* v..J.... */ - 0x66, 0x4c, 0x28, 0x71, 0xd1, 0xd8, 0x66, 0x03, /* fL(q..f. */ - 0xb4, 0x90, 0x30, 0xbb, 0x17, 0xb0, 0xfe, 0x97, /* ..0..... */ - 0xf5, 0x1e, 0xe8, 0xc7, 0x5d, 0x9b, 0x8b, 0x11, /* ....]... */ - 0x19, 0x12, 0x3c, 0xab, 0x82, 0x71, 0x78, 0xff, /* ..<..qx. */ - 0xae, 0x3f, 0x32, 0xb2, 0x08, 0x71, 0xb2, 0x1b, /* .?2..q.. */ - 0x8c, 0x27, 0xac, 0x11, 0xb8, 0xd8, 0x43, 0x49, /* .'....CI */ - 0xcf, 0xb0, 0x70, 0xb1, 0xf0, 0x8c, 0xae, 0xda, /* ..p..... */ - 0x24, 0x87, 0x17, 0x3b, 0xd8, 0x04, 0x65, 0x6c, /* $..;..el */ - 0x00, 0x76, 0x50, 0xef, 0x15, 0x08, 0xd7, 0xb4, /* .vP..... */ - 0x73, 0x68, 0x26, 0x14, 0x87, 0x95, 0xc3, 0x5f, /* sh&...._ */ - 0x6e, 0x61, 0xb8, 0x87, 0x84, 0xfa, 0x80, 0x1a, /* na...... */ - 0x0a, 0x8b, 0x98, 0xf3, 0xe3, 0xff, 0x4e, 0x44, /* ......ND */ - 0x1c, 0x65, 0x74, 0x7c, 0x71, 0x54, 0x65, 0xe5, /* .et|qTe. */ - 0x39, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, /* 9....... */ - 0x01, 0x0a, 0x30, 0x82, 0x01, 0x06, 0x30, 0x09, /* ..0...0. */ - 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, /* ..U....0 */ - 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, /* .0...U.. */ - 0x04, 0x16, 0x04, 0x14, 0x32, 0x67, 0xe1, 0xb1, /* ....2g.. */ - 0x79, 0xd2, 0x81, 0xfc, 0x9f, 0x23, 0x0c, 0x70, /* y....#.p */ - 0x40, 0x50, 0xb5, 0x46, 0x56, 0xb8, 0x30, 0x36, /* @P.FV.06 */ - 0x30, 0x81, 0xc4, 0x06, 0x03, 0x55, 0x1d, 0x23, /* 0....U.# */ - 0x04, 0x81, 0xbc, 0x30, 0x81, 0xb9, 0x80, 0x14, /* ...0.... */ - 0x73, 0xb0, 0x1c, 0xa4, 0x2f, 0x82, 0xcb, 0xcf, /* s.../... */ - 0x47, 0xa5, 0x38, 0xd7, 0xb0, 0x04, 0x82, 0x3a, /* G.8....: */ - 0x7e, 0x72, 0x15, 0x21, 0xa1, 0x81, 0x9d, 0xa4, /* ~r.!.... */ - 0x81, 0x9a, 0x30, 0x81, 0x97, 0x31, 0x0b, 0x30, /* ..0..1.0 */ - 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, /* ...U.... */ - 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, /* US1.0... */ - 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x57, 0x61, 0x73, /* U....Was */ - 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, /* hington1 */ - 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, /* .0...U.. */ - 0x0c, 0x07, 0x53, 0x65, 0x61, 0x74, 0x74, 0x6c, /* ..Seattl */ - 0x65, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, /* e1.0...U */ - 0x04, 0x0a, 0x0c, 0x07, 0x77, 0x6f, 0x6c, 0x66, /* ....wolf */ - 0x53, 0x53, 0x4c, 0x31, 0x14, 0x30, 0x12, 0x06, /* SSL1.0.. */ - 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x0b, 0x45, 0x6e, /* .U....En */ - 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, /* gineerin */ - 0x67, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, /* g1.0...U */ - 0x04, 0x03, 0x0c, 0x0f, 0x77, 0x6f, 0x6c, 0x66, /* ....wolf */ - 0x53, 0x53, 0x4c, 0x20, 0x72, 0x6f, 0x6f, 0x74, /* SSL root */ - 0x20, 0x43, 0x41, 0x31, 0x1f, 0x30, 0x1d, 0x06, /* CA1.0.. */ - 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, /* .*.H.... */ - 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, /* ....info */ - 0x40, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, /* @wolfssl */ - 0x2e, 0x63, 0x6f, 0x6d, 0x82, 0x01, 0x63, 0x30, /* .com..c0 */ - 0x13, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x04, 0x0c, /* ...U.%.. */ - 0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, /* 0...+... */ - 0x05, 0x07, 0x03, 0x09, 0x30, 0x0d, 0x06, 0x09, /* ....0... */ - 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, /* *.H..... */ - 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, /* ........ */ - 0x4d, 0xa2, 0xd8, 0x55, 0xe0, 0x2b, 0xf4, 0xad, /* M..U.+.. */ - 0x65, 0xe2, 0x92, 0x35, 0xcb, 0x60, 0xa0, 0xa2, /* e..5.`.. */ - 0x6b, 0xa6, 0x88, 0xc1, 0x86, 0x58, 0x57, 0x37, /* k....XW7 */ - 0xbd, 0x2e, 0x28, 0x6e, 0x1c, 0x56, 0x2a, 0x35, /* ..(n.V*5 */ - 0xde, 0xff, 0x3e, 0x8e, 0x3d, 0x47, 0x21, 0x1a, /* ..>.=G!. */ - 0xe9, 0xd3, 0xc6, 0xb4, 0xe2, 0xcb, 0x3e, 0xc6, /* ......>. */ - 0xaf, 0x9b, 0xef, 0x23, 0x88, 0x56, 0x95, 0x73, /* ...#.V.s */ - 0x2e, 0xb3, 0xed, 0xc5, 0x11, 0x4b, 0x69, 0xf7, /* .....Ki. */ - 0x13, 0x3a, 0x05, 0xe1, 0xaf, 0xba, 0xc9, 0x59, /* .:.....Y */ - 0xfd, 0xe2, 0xa0, 0x81, 0xa0, 0x4c, 0x0c, 0x2c, /* .....L., */ - 0xcb, 0x57, 0xad, 0x96, 0x3a, 0x8c, 0x32, 0xa6, /* .W..:.2. */ - 0x4a, 0xf8, 0x72, 0xb8, 0xec, 0xb3, 0x26, 0x69, /* J.r...&i */ - 0xd6, 0x6a, 0x4c, 0x4c, 0x78, 0x18, 0x3c, 0xca, /* .jLLx.<. */ - 0x19, 0xf1, 0xb5, 0x8e, 0x23, 0x81, 0x5b, 0x27, /* ....#.[' */ - 0x90, 0xe0, 0x5c, 0x2b, 0x17, 0x4d, 0x78, 0x99, /* ..\+.Mx. */ - 0x6b, 0x25, 0xbd, 0x2f, 0xae, 0x1b, 0xaa, 0xce, /* k%./.... */ - 0x84, 0xb9, 0x44, 0x21, 0x46, 0xc0, 0x34, 0x6b, /* ..D!F.4k */ - 0x5b, 0xb9, 0x1b, 0xca, 0x5c, 0x60, 0xf1, 0xef, /* [...\`.. */ - 0xe6, 0x66, 0xbc, 0x84, 0x63, 0x56, 0x50, 0x7d, /* .f..cVP} */ - 0xbb, 0x2c, 0x2f, 0x7b, 0x47, 0xb4, 0xfd, 0x58, /* .,/{G..X */ - 0x77, 0x87, 0xee, 0x27, 0x20, 0x96, 0x72, 0x8e, /* w..' .r. */ - 0x4c, 0x7e, 0x4f, 0x93, 0xeb, 0x5f, 0x8f, 0x9c, /* L~O.._.. */ - 0x1e, 0x59, 0x7a, 0x96, 0xaa, 0x53, 0x77, 0x22, /* .Yz..Sw" */ - 0x41, 0xd8, 0xd3, 0xf9, 0x89, 0x8f, 0xe8, 0x9d, /* A....... */ - 0x65, 0xbd, 0x0c, 0x71, 0x3c, 0xbb, 0xa3, 0x07, /* e..q<... */ - 0xbf, 0xfb, 0xa8, 0xd1, 0x18, 0x0a, 0xb4, 0xc4, /* ........ */ - 0xf7, 0x83, 0xb3, 0x86, 0x2b, 0xf0, 0x5b, 0x05, /* ....+.[. */ - 0x28, 0xc1, 0x01, 0x31, 0x73, 0x5c, 0x2b, 0xbd, /* (..1s\+. */ - 0x60, 0x97, 0xa3, 0x36, 0x82, 0x96, 0xd7, 0x83, /* `..6.... */ - 0xdf, 0x75, 0xee, 0x29, 0x42, 0x97, 0x86, 0x41, /* .u.)B..A */ - 0x55, 0xb9, 0x70, 0x87, 0xd5, 0x02, 0x85, 0x13, /* U.p..... */ - 0x41, 0xf8, 0x25, 0x05, 0xab, 0x6a, 0xaa, 0x57 /* A.%..j.W */ - }; - OcspEntry entry[1]; - CertStatus status[1]; - OcspRequest* request = NULL; -#ifndef NO_FILESYSTEM - const char* ca_cert = "./certs/ca-cert.pem"; -#endif - - byte serial[] = {0x05}; - byte issuerHash[] = {0x71, 0x4d, 0x82, 0x23, 0x40, 0x59, 0xc0, 0x96, 0xa1, 0x37, 0x43, 0xfa, 0x31, 0xdb, 0xba, 0xb1, 0x43, 0x18, 0xda, 0x04}; - byte issuerKeyHash[] = {0x83, 0xc6, 0x3a, 0x89, 0x2c, 0x81, 0xf4, 0x02, 0xd7, 0x9d, 0x4c, 0xe2, 0x2a, 0xc0, 0x71, 0x82, 0x64, 0x44, 0xda, 0x0e}; - + ExpectStrEQ(wolfSSL_get_version(ssl), "TLSv1.2"); + return EXPECT_RESULT(); +} - XMEMSET(entry, 0, sizeof(OcspEntry)); - XMEMSET(status, 0, sizeof(CertStatus)); +static int test_wolfSSL_CTX_set_max_proto_version_ctx_ready(WOLFSSL_CTX* ctx) +{ + EXPECT_DECLS; + /* Set TLS 1.2 */ + ExpectIntEQ(wolfSSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION), + WOLFSSL_SUCCESS); + return EXPECT_RESULT(); +} - ExpectNotNull(request = wolfSSL_OCSP_REQUEST_new()); - ExpectNotNull(request->serial = (byte*)XMALLOC(sizeof(serial), NULL, - DYNAMIC_TYPE_OCSP_REQUEST)); +/* Test using wolfSSL_CTX_set_max_proto_version to limit the version below + * what was set at ctx creation. */ +static int test_wolfSSL_CTX_set_max_proto_version(void) +{ + EXPECT_DECLS; + test_ssl_cbf client_cbs; + test_ssl_cbf server_cbs; - if ((request != NULL) && (request->serial != NULL)) { - request->serialSz = sizeof(serial); - XMEMCPY(request->serial, serial, sizeof(serial)); - XMEMCPY(request->issuerHash, issuerHash, sizeof(issuerHash)); - XMEMCPY(request->issuerKeyHash, issuerKeyHash, sizeof(issuerKeyHash)); - } + XMEMSET(&client_cbs, 0, sizeof(client_cbs)); + XMEMSET(&server_cbs, 0, sizeof(server_cbs)); - ExpectNotNull(cm = wolfSSL_CertManagerNew_ex(NULL)); - ExpectIntEQ(wolfSSL_CertManagerEnableOCSP(cm, 0), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CertManagerLoadCA(cm, - "./certs/ocsp/intermediate1-ca-cert.pem", NULL), WOLFSSL_SUCCESS); + client_cbs.method = wolfTLS_client_method; + server_cbs.method = wolfTLS_server_method; - /* Response should be valid. */ - ExpectIntEQ(wolfSSL_CertManagerCheckOCSPResponse(cm, (byte *)response, - sizeof(response), NULL, status, entry, request), WOLFSSL_SUCCESS); + server_cbs.ctx_ready = test_wolfSSL_CTX_set_max_proto_version_ctx_ready; - /* Flip a byte in the request serial number, response should be invalid - * now. */ - if ((request != NULL) && (request->serial != NULL)) - request->serial[0] ^= request->serial[0]; - ExpectIntNE(wolfSSL_CertManagerCheckOCSPResponse(cm, (byte *)response, - sizeof(response), NULL, status, entry, request), WOLFSSL_SUCCESS); + client_cbs.on_result = test_wolfSSL_CTX_set_max_proto_version_on_result; + server_cbs.on_result = test_wolfSSL_CTX_set_max_proto_version_on_result; -#ifndef NO_FILESYSTEM - ExpectIntEQ(wolfSSL_CertManagerCheckOCSP(cm, server_cert_der_2048, - sizeof(server_cert_der_2048)), WC_NO_ERR_TRACE(ASN_NO_SIGNER_E)); - ExpectIntEQ(WOLFSSL_SUCCESS, - wolfSSL_CertManagerLoadCA(cm, ca_cert, NULL)); - ExpectIntEQ(wolfSSL_CertManagerCheckOCSP(cm, server_cert_der_2048, - sizeof(server_cert_der_2048)), 1); -#endif + ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cbs, + &server_cbs, NULL), TEST_SUCCESS); - wolfSSL_OCSP_REQUEST_free(request); - wolfSSL_CertManagerFree(cm); -#endif /* OPENSSL_ALL || WOLFSSL_NGINX || WOLFSSL_HAPROXY || - * WOLFSSL_APACHE_HTTPD || HAVE_LIGHTY */ -#endif /* HAVE_OCSP */ return EXPECT_RESULT(); } +#else +static int test_wolfSSL_CTX_set_max_proto_version(void) +{ + return TEST_SKIPPED; +} +#endif -static int test_wolfSSL_CheckOCSPResponse(void) +/*----------------------------------------------------------------------------* + | SSL + *----------------------------------------------------------------------------*/ + +static int test_server_wolfSSL_new(void) { EXPECT_DECLS; -#if defined(HAVE_OCSP) && defined(OPENSSL_EXTRA) && \ - !defined(NO_RSA) && !defined(NO_SHA) - const char* responseFile = "./certs/ocsp/test-response.der"; - const char* responseMultiFile = "./certs/ocsp/test-multi-response.der"; - const char* responseNoInternFile = - "./certs/ocsp/test-response-nointern.der"; - const char* caFile = "./certs/ocsp/root-ca-cert.pem"; - OcspResponse* res = NULL; - byte data[4096]; - const unsigned char* pt; - int dataSz = 0; /* initialize to mitigate spurious maybe-uninitialized from - * gcc sanitizer with --enable-heapmath. - */ - XFILE f = XBADFILE; - WOLFSSL_OCSP_BASICRESP* bs = NULL; - WOLFSSL_X509_STORE* st = NULL; - WOLFSSL_X509* issuer = NULL; +#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_TLS) && \ + !defined(NO_WOLFSSL_SERVER) && !defined(NO_RSA) + WOLFSSL_CTX *ctx = NULL; + WOLFSSL_CTX *ctx_nocert = NULL; + WOLFSSL *ssl = NULL; - ExpectTrue((f = XFOPEN(responseFile, "rb")) != XBADFILE); - ExpectIntGT(dataSz = (word32)XFREAD(data, 1, sizeof(data), f), 0); - if (f != XBADFILE) { - XFCLOSE(f); - f = XBADFILE; - } + ExpectNotNull(ctx_nocert = wolfSSL_CTX_new(wolfSSLv23_server_method())); + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); - pt = data; - ExpectNotNull(res = wolfSSL_d2i_OCSP_RESPONSE(NULL, &pt, dataSz)); - ExpectNotNull(issuer = wolfSSL_X509_load_certificate_file(caFile, - SSL_FILETYPE_PEM)); - ExpectNotNull(st = wolfSSL_X509_STORE_new()); - ExpectIntEQ(wolfSSL_X509_STORE_add_cert(st, issuer), WOLFSSL_SUCCESS); - ExpectNotNull(bs = wolfSSL_OCSP_response_get1_basic(res)); - ExpectIntEQ(wolfSSL_OCSP_basic_verify(bs, NULL, st, 0), WOLFSSL_SUCCESS); - wolfSSL_OCSP_BASICRESP_free(bs); - bs = NULL; - wolfSSL_OCSP_RESPONSE_free(res); - res = NULL; - wolfSSL_X509_STORE_free(st); - st = NULL; - wolfSSL_X509_free(issuer); - issuer = NULL; + ExpectTrue(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile, + CERT_FILETYPE)); + ExpectTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, + CERT_FILETYPE)); - /* check loading a response with optional certs */ - ExpectTrue((f = XFOPEN(responseNoInternFile, "rb")) != XBADFILE); - ExpectIntGT(dataSz = (word32)XFREAD(data, 1, sizeof(data), f), 0); - if (f != XBADFILE) - XFCLOSE(f); - f = XBADFILE; + /* invalid context */ + ExpectNull(ssl = wolfSSL_new(NULL)); +#if !defined(WOLFSSL_SESSION_EXPORT) && !defined(WOLFSSL_QT) && \ + !defined(OPENSSL_EXTRA) && !defined(WOLFSSL_NO_INIT_CTX_KEY) + ExpectNull(ssl = wolfSSL_new(ctx_nocert)); +#endif - pt = data; - ExpectNotNull(res = wolfSSL_d2i_OCSP_RESPONSE(NULL, &pt, dataSz)); - wolfSSL_OCSP_RESPONSE_free(res); - res = NULL; + /* success */ + ExpectNotNull(ssl = wolfSSL_new(ctx)); - /* check loading a response with multiple certs */ - { - WOLFSSL_CERT_MANAGER* cm = NULL; - OcspEntry *entry = NULL; - CertStatus* status = NULL; - OcspRequest* request = NULL; + wolfSSL_free(ssl); + wolfSSL_CTX_free(ctx); + wolfSSL_CTX_free(ctx_nocert); +#endif - byte serial1[] = {0x01}; - byte serial[] = {0x02}; + return EXPECT_RESULT(); +} - byte issuerHash[] = { - 0x44, 0xA8, 0xDB, 0xD1, 0xBC, 0x97, 0x0A, 0x83, - 0x3B, 0x5B, 0x31, 0x9A, 0x4C, 0xB8, 0xD2, 0x52, - 0x37, 0x15, 0x8A, 0x88 - }; - byte issuerKeyHash[] = { - 0x73, 0xB0, 0x1C, 0xA4, 0x2F, 0x82, 0xCB, 0xCF, - 0x47, 0xA5, 0x38, 0xD7, 0xB0, 0x04, 0x82, 0x3A, - 0x7E, 0x72, 0x15, 0x21 - }; - ExpectNotNull(entry = (OcspEntry*)XMALLOC(sizeof(OcspEntry), NULL, - DYNAMIC_TYPE_OPENSSL)); +static int test_client_wolfSSL_new(void) +{ + EXPECT_DECLS; +#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_TLS) && \ + !defined(NO_WOLFSSL_CLIENT) && !defined(NO_RSA) - ExpectNotNull(status = (CertStatus*)XMALLOC(sizeof(CertStatus), NULL, - DYNAMIC_TYPE_OPENSSL)); + WOLFSSL_CTX *ctx = NULL; + WOLFSSL_CTX *ctx_nocert = NULL; + WOLFSSL *ssl = NULL; - if (entry != NULL) - XMEMSET(entry, 0, sizeof(OcspEntry)); - if (status != NULL) - XMEMSET(status, 0, sizeof(CertStatus)); + ExpectNotNull(ctx_nocert = wolfSSL_CTX_new(wolfSSLv23_client_method())); + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); - ExpectNotNull(request = wolfSSL_OCSP_REQUEST_new()); - ExpectNotNull(request->serial = (byte*)XMALLOC(sizeof(serial), NULL, - DYNAMIC_TYPE_OCSP_REQUEST)); + ExpectTrue(wolfSSL_CTX_load_verify_locations(ctx, caCertFile, 0)); - if (request != NULL && request->serial != NULL) { - request->serialSz = sizeof(serial); - XMEMCPY(request->serial, serial, sizeof(serial)); - XMEMCPY(request->issuerHash, issuerHash, sizeof(issuerHash)); - XMEMCPY(request->issuerKeyHash, issuerKeyHash, - sizeof(issuerKeyHash)); - } + /* invalid context */ + ExpectNull(ssl = wolfSSL_new(NULL)); - ExpectNotNull(cm = wolfSSL_CertManagerNew_ex(NULL)); - ExpectIntEQ(wolfSSL_CertManagerEnableOCSP(cm, 0), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CertManagerLoadCA(cm, caFile, NULL), - WOLFSSL_SUCCESS); + /* success */ + ExpectNotNull(ssl = wolfSSL_new(ctx_nocert)); + wolfSSL_free(ssl); + ssl = NULL; - ExpectTrue((f = XFOPEN(responseMultiFile, "rb")) != XBADFILE); - ExpectIntGT(dataSz = (word32)XFREAD(data, 1, sizeof(data), f), 0); - if (f != XBADFILE) - XFCLOSE(f); - f = XBADFILE; - - ExpectIntEQ(wolfSSL_CertManagerCheckOCSPResponse(cm, data, - dataSz, NULL, status, entry, request), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CertManagerCheckOCSPResponse(cm, data, - dataSz, NULL, entry->status, entry, request), WOLFSSL_SUCCESS); - ExpectNotNull(entry->status); - - if (request != NULL && request->serial != NULL) - XMEMCPY(request->serial, serial1, sizeof(serial1)); - ExpectIntEQ(wolfSSL_CertManagerCheckOCSPResponse(cm, data, - dataSz, NULL, status, entry, request), WOLFSSL_SUCCESS); - - /* store both status's in the entry to check that "next" is not - * overwritten */ - if (EXPECT_SUCCESS() && status != NULL && entry != NULL) { - status->next = entry->status; - entry->status = status; - } - - if (request != NULL && request->serial != NULL) - XMEMCPY(request->serial, serial, sizeof(serial)); - ExpectIntEQ(wolfSSL_CertManagerCheckOCSPResponse(cm, data, - dataSz, NULL, entry->status, entry, request), WOLFSSL_SUCCESS); - ExpectNotNull(entry->status->next); - - /* compare the status found */ - ExpectIntEQ(status->serialSz, entry->status->serialSz); - ExpectIntEQ(XMEMCMP(status->serial, entry->status->serial, - status->serialSz), 0); - - if (status != NULL && entry != NULL && entry->status != status) { - XFREE(status, NULL, DYNAMIC_TYPE_OPENSSL); - } - wolfSSL_OCSP_CERTID_free(entry); - wolfSSL_OCSP_REQUEST_free(request); - wolfSSL_CertManagerFree(cm); - } - -/* FIPS v2 and below don't support long salts. */ -#if defined(WC_RSA_PSS) && \ - (!defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && \ - (HAVE_FIPS_VERSION > 2))) && (!defined(HAVE_SELFTEST) || \ - (defined(HAVE_SELFTEST_VERSION) && (HAVE_SELFTEST_VERSION > 2))) - { - const char* responsePssFile = "./certs/ocsp/test-response-rsapss.der"; - - /* check loading a response with RSA-PSS signature */ - ExpectTrue((f = XFOPEN(responsePssFile, "rb")) != XBADFILE); - ExpectIntGT(dataSz = (word32)XFREAD(data, 1, sizeof(data), f), 0); - if (f != XBADFILE) - XFCLOSE(f); - - pt = data; - ExpectNotNull(res = wolfSSL_d2i_OCSP_RESPONSE(NULL, &pt, dataSz)); - - /* try to verify the response */ - ExpectNotNull(issuer = wolfSSL_X509_load_certificate_file(caFile, - SSL_FILETYPE_PEM)); - ExpectNotNull(st = wolfSSL_X509_STORE_new()); - ExpectIntEQ(wolfSSL_X509_STORE_add_cert(st, issuer), WOLFSSL_SUCCESS); - ExpectNotNull(bs = wolfSSL_OCSP_response_get1_basic(res)); - ExpectIntEQ(wolfSSL_OCSP_basic_verify(bs, NULL, st, 0), - WOLFSSL_SUCCESS); - wolfSSL_OCSP_BASICRESP_free(bs); - wolfSSL_OCSP_RESPONSE_free(res); - wolfSSL_X509_STORE_free(st); - wolfSSL_X509_free(issuer); - } -#endif -#endif /* HAVE_OCSP */ - return EXPECT_RESULT(); -} - -static int test_wolfSSL_FPKI(void) -{ - EXPECT_DECLS; -#if defined(WOLFSSL_FPKI) && !defined(NO_RSA) && !defined(NO_FILESYSTEM) - XFILE f = XBADFILE; - const char* fpkiCert = "./certs/fpki-cert.der"; - const char* fpkiCertPolCert = "./certs/fpki-certpol-cert.der"; - DecodedCert cert; - byte buf[4096]; - byte* uuid = NULL; - byte* fascn = NULL; - word32 fascnSz; - word32 uuidSz; - int bytes = 0; - - ExpectTrue((f = XFOPEN(fpkiCert, "rb")) != XBADFILE); - ExpectIntGT(bytes = (int)XFREAD(buf, 1, sizeof(buf), f), 0); - if (f != XBADFILE) - XFCLOSE(f); - - wc_InitDecodedCert(&cert, buf, (word32)bytes, NULL); - ExpectIntEQ(wc_ParseCert(&cert, CERT_TYPE, 0, NULL), 0); - ExpectIntEQ(wc_GetFASCNFromCert(&cert, NULL, &fascnSz), WC_NO_ERR_TRACE(LENGTH_ONLY_E)); - ExpectNotNull(fascn = (byte*)XMALLOC(fascnSz, NULL, - DYNAMIC_TYPE_TMP_BUFFER)); - ExpectIntEQ(wc_GetFASCNFromCert(&cert, fascn, &fascnSz), 0); - XFREE(fascn, NULL, DYNAMIC_TYPE_TMP_BUFFER); - fascn = NULL; - - ExpectIntEQ(wc_GetUUIDFromCert(&cert, NULL, &uuidSz), WC_NO_ERR_TRACE(LENGTH_ONLY_E)); - ExpectNotNull(uuid = (byte*)XMALLOC(uuidSz, NULL, DYNAMIC_TYPE_TMP_BUFFER)); - ExpectIntEQ(wc_GetUUIDFromCert(&cert, uuid, &uuidSz), 0); - XFREE(uuid, NULL, DYNAMIC_TYPE_TMP_BUFFER); - uuid = NULL; - wc_FreeDecodedCert(&cert); - - XMEMSET(buf, 0, 4096); - fascnSz = uuidSz = bytes = 0; - f = XBADFILE; - - ExpectTrue((f = XFOPEN(fpkiCertPolCert, "rb")) != XBADFILE); - ExpectIntGT(bytes = (int)XFREAD(buf, 1, sizeof(buf), f), 0); - if (f != XBADFILE) - XFCLOSE(f); - - wc_InitDecodedCert(&cert, buf, (word32)bytes, NULL); - ExpectIntEQ(wc_ParseCert(&cert, CERT_TYPE, 0, NULL), 0); - ExpectIntEQ(wc_GetFASCNFromCert(&cert, NULL, &fascnSz), WC_NO_ERR_TRACE(LENGTH_ONLY_E)); - ExpectNotNull(fascn = (byte*)XMALLOC(fascnSz, NULL, - DYNAMIC_TYPE_TMP_BUFFER)); - ExpectIntEQ(wc_GetFASCNFromCert(&cert, fascn, &fascnSz), 0); - XFREE(fascn, NULL, DYNAMIC_TYPE_TMP_BUFFER); + /* success */ + ExpectNotNull(ssl = wolfSSL_new(ctx)); + wolfSSL_free(ssl); - ExpectIntEQ(wc_GetUUIDFromCert(&cert, NULL, &uuidSz), WC_NO_ERR_TRACE(LENGTH_ONLY_E)); - ExpectNotNull(uuid = (byte*)XMALLOC(uuidSz, NULL, DYNAMIC_TYPE_TMP_BUFFER)); - ExpectIntEQ(wc_GetUUIDFromCert(&cert, uuid, &uuidSz), 0); - XFREE(uuid, NULL, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeDecodedCert(&cert); + wolfSSL_CTX_free(ctx); + wolfSSL_CTX_free(ctx_nocert); #endif return EXPECT_RESULT(); } -/* use RID in confuncture with other names to test parsing of unknown other - * names */ -static int test_wolfSSL_OtherName(void) +static int test_wolfSSL_SetTmpDH_file(void) { EXPECT_DECLS; -#if !defined(NO_RSA) && !defined(NO_FILESYSTEM) - XFILE f = XBADFILE; - const char* ridCert = "./certs/rid-cert.der"; - DecodedCert cert; - byte buf[4096]; - int bytes = 0; - - ExpectTrue((f = XFOPEN(ridCert, "rb")) != XBADFILE); - ExpectIntGT(bytes = (int)XFREAD(buf, 1, sizeof(buf), f), 0); - if (f != XBADFILE) - XFCLOSE(f); - - wc_InitDecodedCert(&cert, buf, (word32)bytes, NULL); - ExpectIntEQ(wc_ParseCert(&cert, CERT_TYPE, 0, NULL), 0); - wc_FreeDecodedCert(&cert); -#endif - - return EXPECT_RESULT(); -} +#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_TLS) && \ + !defined(NO_WOLFSSL_SERVER) && !defined(NO_DH) -#ifdef HAVE_CERT_CHAIN_VALIDATION -#ifndef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION -static int test_wolfSSL_CertRsaPss(void) -{ - EXPECT_DECLS; -/* FIPS v2 and below don't support long salts. */ -#if !defined(NO_RSA) && defined(WC_RSA_PSS) && !defined(NO_FILESYSTEM) && \ - (!defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && \ - (HAVE_FIPS_VERSION > 2))) && (!defined(HAVE_SELFTEST) || \ - (defined(HAVE_SELFTEST_VERSION) && (HAVE_SELFTEST_VERSION > 2))) - XFILE f = XBADFILE; -#ifndef NO_SHA256 - const char* rsaPssSha256Cert = "./certs/rsapss/ca-rsapss.der"; + WOLFSSL_CTX *ctx = NULL; + WOLFSSL *ssl = NULL; #ifdef WOLFSSL_PEM_TO_DER - const char* rsaPssRootSha256Cert = "./certs/rsapss/root-rsapss.pem"; -#else - const char* rsaPssRootSha256Cert = "./certs/rsapss/root-rsapss.der"; -#endif -#endif -#if defined(WOLFSSL_SHA384) && defined(WOLFSSL_PSS_LONG_SALT) && \ - RSA_MAX_SIZE >= 3072 - const char* rsaPssSha384Cert = "./certs/rsapss/ca-3072-rsapss.der"; + const char* dhX942ParamFile = "./certs/x942dh2048.pem"; +#if defined(WOLFSSL_WPAS) && !defined(NO_DSA) + const char* dsaParamFile = "./certs/dsaparams.pem"; #endif -#if defined(WOLFSSL_SHA384) && RSA_MAX_SIZE >= 3072 -#ifdef WOLFSSL_PEM_TO_DER - const char* rsaPssRootSha384Cert = "./certs/rsapss/root-3072-rsapss.pem"; #else - const char* rsaPssRootSha384Cert = "./certs/rsapss/root-3072-rsapss.der"; + const char* dhX942ParamFile = "./certs/x942dh2048.der"; +#if defined(WOLFSSL_WPAS) && !defined(NO_DSA) + const char* dsaParamFile = "./certs/dsaparams.der"; #endif #endif - DecodedCert cert; - byte buf[4096]; - int bytes = 0; - WOLFSSL_CERT_MANAGER* cm = NULL; - ExpectNotNull(cm = wolfSSL_CertManagerNew()); -#ifndef NO_SHA256 - ExpectIntEQ(WOLFSSL_SUCCESS, - wolfSSL_CertManagerLoadCA(cm, rsaPssRootSha256Cert, NULL)); -#endif -#if defined(WOLFSSL_SHA384) && RSA_MAX_SIZE >= 3072 - ExpectIntEQ(WOLFSSL_SUCCESS, - wolfSSL_CertManagerLoadCA(cm, rsaPssRootSha384Cert, NULL)); + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); +#ifndef NO_RSA + ExpectTrue(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile, + CERT_FILETYPE)); + ExpectTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, + CERT_FILETYPE)); +#elif defined(HAVE_ECC) + ExpectTrue(wolfSSL_CTX_use_certificate_file(ctx, eccCertFile, + CERT_FILETYPE)); + ExpectTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, eccKeyFile, + CERT_FILETYPE)); +#elif defined(HAVE_ED25519) + ExpectTrue(wolfSSL_CTX_use_certificate_file(ctx, edCertFile, + CERT_FILETYPE)); + ExpectTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, edKeyFile, + CERT_FILETYPE)); +#elif defined(HAVE_ED448) + ExpectTrue(wolfSSL_CTX_use_certificate_file(ctx, ed448CertFile, + CERT_FILETYPE)); + ExpectTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, ed448KeyFile, + CERT_FILETYPE)); #endif + ExpectNotNull(ssl = wolfSSL_new(ctx)); -#ifndef NO_SHA256 - ExpectTrue((f = XFOPEN(rsaPssSha256Cert, "rb")) != XBADFILE); - ExpectIntGT(bytes = (int)XFREAD(buf, 1, sizeof(buf), f), 0); - if (f != XBADFILE) { - XFCLOSE(f); - f = XBADFILE; - } - wc_InitDecodedCert(&cert, buf, (word32)bytes, NULL); - ExpectIntEQ(wc_ParseCert(&cert, CERT_TYPE, VERIFY, cm), 0); - wc_FreeDecodedCert(&cert); -#endif + /* invalid ssl */ + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_SetTmpDH_file(NULL, + dhParamFile, CERT_FILETYPE)); -#if defined(WOLFSSL_SHA384) && defined(WOLFSSL_PSS_LONG_SALT) && \ - RSA_MAX_SIZE >= 3072 - ExpectTrue((f = XFOPEN(rsaPssSha384Cert, "rb")) != XBADFILE); - ExpectIntGT(bytes = (int)XFREAD(buf, 1, sizeof(buf), f), 0); - if (f != XBADFILE) - XFCLOSE(f); - wc_InitDecodedCert(&cert, buf, (word32)bytes, NULL); - ExpectIntEQ(wc_ParseCert(&cert, CERT_TYPE, VERIFY, cm), 0); - wc_FreeDecodedCert(&cert); -#endif + /* invalid dhParamFile file */ + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_SetTmpDH_file(ssl, + NULL, CERT_FILETYPE)); + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_SetTmpDH_file(ssl, + bogusFile, CERT_FILETYPE)); - wolfSSL_CertManagerFree(cm); + /* success */ + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_SetTmpDH_file(ssl, dhParamFile, + CERT_FILETYPE)); + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_SetTmpDH_file(ssl, dhX942ParamFile, + CERT_FILETYPE)); +#if defined(WOLFSSL_WPAS) && !defined(NO_DSA) + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_SetTmpDH_file(ctx, dsaParamFile, + CERT_FILETYPE)); +#endif - (void)buf; - (void)bytes; + wolfSSL_free(ssl); + wolfSSL_CTX_free(ctx); #endif return EXPECT_RESULT(); } -#endif /* WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION */ -#endif /* HAVE_CERT_CHAIN_VALIDATION */ - -/* Test RSA-PSS digital signature creation and verification */ -static int test_wc_RsaPSS_DigitalSignVerify(void) +static int test_wolfSSL_SetTmpDH_buffer(void) { EXPECT_DECLS; +#if !defined(NO_CERTS) && !defined(NO_TLS) && !defined(NO_WOLFSSL_SERVER) && \ + !defined(NO_DH) + WOLFSSL_CTX *ctx = NULL; + WOLFSSL *ssl = NULL; - /* Early FIPS did not support PSS. */ -#if (!defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && \ - (HAVE_FIPS_VERSION > 2))) && \ - (!defined(HAVE_SELFTEST) || (defined(HAVE_SELFTEST_VERSION) && \ - (HAVE_SELFTEST_VERSION > 2))) && \ - !defined(NO_RSA) && defined(WC_RSA_PSS) && defined(OPENSSL_EXTRA) && \ - defined(WOLFSSL_KEY_GEN) && defined(WC_RSA_NO_PADDING) && \ - !defined(NO_SHA256) - - /* Test digest */ - const unsigned char test_digest[32] = { - 0x08, 0x09, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, - 0x06, 0x07, 0x08, 0x09, 0x00, 0x01, 0x02, 0x03, - 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x00, 0x01, - 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09 - }; - const unsigned int digest_len = sizeof(test_digest); - - /* Variables for RSA key generation and signature operations */ - EVP_PKEY_CTX *pkctx = NULL; - EVP_PKEY *pkey = NULL; - EVP_PKEY_CTX *sign_ctx = NULL; - EVP_PKEY_CTX *verify_ctx = NULL; - unsigned char signature[256+MAX_DER_DIGEST_ASN_SZ] = {0}; - size_t signature_len = sizeof(signature); - int modulus_bits = 2048; - - /* Generate RSA key pair to avoid file dependencies */ - ExpectNotNull(pkctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL)); - ExpectIntEQ(EVP_PKEY_keygen_init(pkctx), 1); - ExpectIntEQ(EVP_PKEY_CTX_set_rsa_keygen_bits(pkctx, modulus_bits), 1); - ExpectIntEQ(EVP_PKEY_keygen(pkctx, &pkey), 1); - - /* Create signing context */ - ExpectNotNull(sign_ctx = EVP_PKEY_CTX_new(pkey, NULL)); - ExpectIntEQ(EVP_PKEY_sign_init(sign_ctx), 1); - - /* Configure RSA-PSS parameters for signing. */ - ExpectIntEQ(EVP_PKEY_CTX_set_rsa_padding(sign_ctx, RSA_PKCS1_PSS_PADDING), - 1); - /* Default salt length matched hash so use 32 for SHA256 */ - ExpectIntEQ(EVP_PKEY_CTX_set_rsa_pss_saltlen(sign_ctx, 32), 1); - ExpectIntEQ(EVP_PKEY_CTX_set_rsa_mgf1_md(sign_ctx, EVP_sha256()), 1); - ExpectIntEQ(EVP_PKEY_CTX_set_signature_md(sign_ctx, EVP_sha256()), 1); - - /* Create the digital signature */ - ExpectIntEQ(EVP_PKEY_sign(sign_ctx, signature, &signature_len, test_digest, - digest_len), 1); - ExpectIntGT((int)signature_len, 0); - - /* Create verification context */ - ExpectNotNull(verify_ctx = EVP_PKEY_CTX_new(pkey, NULL)); - ExpectIntEQ(EVP_PKEY_verify_init(verify_ctx), 1); - - /* Configure RSA-PSS parameters for verification */ - ExpectIntEQ(EVP_PKEY_CTX_set_rsa_padding(verify_ctx, RSA_PKCS1_PSS_PADDING), - 1); - ExpectIntEQ(EVP_PKEY_CTX_set_rsa_pss_saltlen(verify_ctx, 32), 1); - ExpectIntEQ(EVP_PKEY_CTX_set_rsa_mgf1_md(verify_ctx, EVP_sha256()), 1); - ExpectIntEQ(EVP_PKEY_CTX_set_signature_md(verify_ctx, EVP_sha256()), 1); + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); + ExpectTrue(wolfSSL_CTX_use_certificate_buffer(ctx, server_cert_der_2048, + sizeof_server_cert_der_2048, WOLFSSL_FILETYPE_ASN1)); + ExpectTrue(wolfSSL_CTX_use_PrivateKey_buffer(ctx, server_key_der_2048, + sizeof_server_key_der_2048, WOLFSSL_FILETYPE_ASN1)); + ExpectNotNull(ssl = wolfSSL_new(ctx)); - /* Verify the digital signature */ - ExpectIntEQ(EVP_PKEY_verify(verify_ctx, signature, signature_len, - test_digest, digest_len), 1); + /* invalid ssl */ + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_SetTmpDH_buffer(NULL, dh_key_der_2048, + sizeof_dh_key_der_2048, WOLFSSL_FILETYPE_ASN1)); - /* Test with wrong digest to ensure verification fails (negative test) */ - { - const unsigned char wrong_digest[32] = { - 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, - 0x09, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, - 0x07, 0x08, 0x09, 0x00, 0x01, 0x02, 0x03, 0x04, - 0x05, 0x06, 0x07, 0x08, 0x09, 0x00, 0x01, 0x02 - }; - ExpectIntNE(EVP_PKEY_verify(verify_ctx, signature, signature_len, - wrong_digest, digest_len), 1); - } + /* invalid dhParamFile file */ + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_SetTmpDH_buffer(NULL, NULL, + 0, WOLFSSL_FILETYPE_ASN1)); + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_SetTmpDH_buffer(ssl, NULL, 0, + WOLFSSL_FILETYPE_ASN1)); + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_SetTmpDH_buffer(ssl, dsa_key_der_2048, + sizeof_dsa_key_der_2048, WOLFSSL_FILETYPE_ASN1)); - /* Clean up */ - if (verify_ctx) - EVP_PKEY_CTX_free(verify_ctx); - if (sign_ctx) - EVP_PKEY_CTX_free(sign_ctx); - if (pkey) - EVP_PKEY_free(pkey); - if (pkctx) - EVP_PKEY_CTX_free(pkctx); + /* success */ + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_SetTmpDH_buffer(ssl, dh_key_der_2048, + sizeof_dh_key_der_2048, WOLFSSL_FILETYPE_ASN1)); + wolfSSL_free(ssl); + wolfSSL_CTX_free(ctx); #endif return EXPECT_RESULT(); } -static int test_wolfSSL_CTX_load_verify_locations_ex(void) +static int test_wolfSSL_SetMinMaxDhKey_Sz(void) { EXPECT_DECLS; -#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_TLS) && \ - !defined(NO_WOLFSSL_CLIENT) && !defined(NO_RSA) - WOLFSSL_CTX* ctx = NULL; -#ifdef WOLFSSL_PEM_TO_DER - const char* ca_cert = "./certs/ca-cert.pem"; - const char* ca_expired_cert = "./certs/test/expired/expired-ca.pem"; -#else - const char* ca_cert = "./certs/ca-cert.der"; - const char* ca_expired_cert = "./certs/test/expired/expired-ca.der"; -#endif +#if !defined(NO_CERTS) && !defined(NO_TLS) && !defined(NO_WOLFSSL_SERVER) && \ + !defined(NO_DH) + WOLFSSL_CTX *ctx = NULL; + WOLFSSL_CTX *ctx2 = NULL; + WOLFSSL *ssl = NULL; + WOLFSSL *ssl2 = NULL; - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); + ExpectTrue(wolfSSL_CTX_use_certificate_buffer(ctx, server_cert_der_2048, + sizeof_server_cert_der_2048, WOLFSSL_FILETYPE_ASN1)); + ExpectTrue(wolfSSL_CTX_use_PrivateKey_buffer(ctx, server_key_der_2048, + sizeof_server_key_der_2048, WOLFSSL_FILETYPE_ASN1)); + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_SetMinDhKey_Sz(ctx, 3072)); + ExpectNotNull(ssl = wolfSSL_new(ctx)); + ExpectNotNull(ctx2 = wolfSSL_CTX_new(wolfSSLv23_server_method())); + ExpectTrue(wolfSSL_CTX_use_certificate_buffer(ctx2, server_cert_der_2048, + sizeof_server_cert_der_2048, WOLFSSL_FILETYPE_ASN1)); + ExpectTrue(wolfSSL_CTX_use_PrivateKey_buffer(ctx2, server_key_der_2048, + sizeof_server_key_der_2048, WOLFSSL_FILETYPE_ASN1)); + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_SetMaxDhKey_Sz(ctx, 1024)); + ExpectNotNull(ssl2 = wolfSSL_new(ctx2)); - /* test good CA */ - ExpectTrue(WOLFSSL_SUCCESS == - wolfSSL_CTX_load_verify_locations_ex(ctx, ca_cert, NULL, - WOLFSSL_LOAD_FLAG_NONE)); + ExpectIntEQ(WC_NO_ERR_TRACE(DH_KEY_SIZE_E), wolfSSL_SetTmpDH_buffer(ssl, dh_key_der_2048, + sizeof_dh_key_der_2048, WOLFSSL_FILETYPE_ASN1)); - /* test expired CA */ -#if !defined(OPENSSL_COMPATIBLE_DEFAULTS) && !defined(NO_ASN_TIME) - ExpectIntNE(wolfSSL_CTX_load_verify_locations_ex(ctx, ca_expired_cert, NULL, - WOLFSSL_LOAD_FLAG_NONE), WOLFSSL_SUCCESS); -#else - ExpectIntEQ(wolfSSL_CTX_load_verify_locations_ex(ctx, ca_expired_cert, NULL, - WOLFSSL_LOAD_FLAG_NONE), WOLFSSL_SUCCESS); -#endif - ExpectIntEQ(wolfSSL_CTX_load_verify_locations_ex(ctx, ca_expired_cert, NULL, - WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY), WOLFSSL_SUCCESS); + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_SetMinDhKey_Sz(ssl, 2048)); + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_SetTmpDH_buffer(ssl, dh_key_der_2048, + sizeof_dh_key_der_2048, WOLFSSL_FILETYPE_ASN1)); - wolfSSL_CTX_free(ctx); -#endif + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_SetMinDhKey_Sz(ssl, 3072)); + ExpectIntEQ(WC_NO_ERR_TRACE(DH_KEY_SIZE_E), wolfSSL_SetTmpDH_buffer(ssl, dh_key_der_2048, + sizeof_dh_key_der_2048, WOLFSSL_FILETYPE_ASN1)); - return EXPECT_RESULT(); -} + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_SetTmpDH_buffer(ssl2, dh_key_der_2048, + sizeof_dh_key_der_2048, WOLFSSL_FILETYPE_ASN1)); -static int test_wolfSSL_CTX_load_verify_buffer_ex(void) -{ - EXPECT_DECLS; -#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_TLS) && \ - !defined(NO_RSA) && \ - (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) - WOLFSSL_CTX* ctx; - const char* ca_expired_cert_file = "./certs/test/expired/expired-ca.der"; - byte ca_expired_cert[TWOK_BUF]; - word32 sizeof_ca_expired_cert = 0; - XFILE fp = XBADFILE; + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_SetMaxDhKey_Sz(ssl2, 2048)); + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_SetTmpDH_buffer(ssl2, dh_key_der_2048, + sizeof_dh_key_der_2048, WOLFSSL_FILETYPE_ASN1)); -#ifndef NO_WOLFSSL_CLIENT - ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()); -#else - ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()); -#endif - ExpectNotNull(ctx); + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_SetMaxDhKey_Sz(ssl2, 1024)); + ExpectIntEQ(WC_NO_ERR_TRACE(DH_KEY_SIZE_E), wolfSSL_SetTmpDH_buffer(ssl, dh_key_der_2048, + sizeof_dh_key_der_2048, WOLFSSL_FILETYPE_ASN1)); -#if defined(USE_CERT_BUFFERS_2048) - /* test good CA */ - ExpectTrue(WOLFSSL_SUCCESS == - wolfSSL_CTX_load_verify_buffer_ex(ctx, ca_cert_der_2048, - sizeof_ca_cert_der_2048, WOLFSSL_FILETYPE_ASN1, 0, - WOLFSSL_LOAD_FLAG_NONE)); + wolfSSL_free(ssl2); + wolfSSL_CTX_free(ctx2); + wolfSSL_free(ssl); + wolfSSL_CTX_free(ctx); #endif + return EXPECT_RESULT(); +} - /* load expired CA */ - XMEMSET(ca_expired_cert, 0, sizeof(ca_expired_cert)); - ExpectTrue((fp = XFOPEN(ca_expired_cert_file, "rb")) != XBADFILE); - ExpectIntGT(sizeof_ca_expired_cert = (word32)XFREAD(ca_expired_cert, 1, - sizeof(ca_expired_cert), fp), 0); - if (fp != XBADFILE) - XFCLOSE(fp); - /* test expired CA failure */ +/* Test function for wolfSSL_SetMinVersion. Sets the minimum downgrade version + * allowed. + * POST: return 1 on success. + */ +static int test_wolfSSL_SetMinVersion(void) +{ + int res = TEST_SKIPPED; +#if !defined(NO_WOLFSSL_CLIENT) && !defined(NO_TLS) + int failFlag = WOLFSSL_SUCCESS; + WOLFSSL_CTX* ctx = NULL; + WOLFSSL* ssl = NULL; + int itr; + #ifndef NO_OLD_TLS + const int versions[] = { + #ifdef WOLFSSL_ALLOW_TLSV10 + WOLFSSL_TLSV1, + #endif + WOLFSSL_TLSV1_1, + WOLFSSL_TLSV1_2}; + #elif !defined(WOLFSSL_NO_TLS12) + const int versions[] = { WOLFSSL_TLSV1_2 }; + #else + const int versions[] = { WOLFSSL_TLSV1_3 }; + #endif -#if !defined(OPENSSL_COMPATIBLE_DEFAULTS) && !defined(NO_ASN_TIME) - ExpectIntNE(wolfSSL_CTX_load_verify_buffer_ex(ctx, ca_expired_cert, - sizeof_ca_expired_cert, WOLFSSL_FILETYPE_ASN1, 0, - WOLFSSL_LOAD_FLAG_NONE), WOLFSSL_SUCCESS); -#else - ExpectIntEQ(wolfSSL_CTX_load_verify_buffer_ex(ctx, ca_expired_cert, - sizeof_ca_expired_cert, WOLFSSL_FILETYPE_ASN1, 0, - WOLFSSL_LOAD_FLAG_NONE), WOLFSSL_SUCCESS); -#endif - /* test expired CA success */ - ExpectIntEQ(wolfSSL_CTX_load_verify_buffer_ex(ctx, ca_expired_cert, - sizeof_ca_expired_cert, WOLFSSL_FILETYPE_ASN1, 0, - WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY), WOLFSSL_SUCCESS); + ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()); + ssl = wolfSSL_new(ctx); - /* Fail when ctx is NULL. */ - ExpectIntEQ(wolfSSL_CTX_load_verify_buffer_ex(NULL, ca_expired_cert, - sizeof_ca_expired_cert, WOLFSSL_FILETYPE_ASN1, 0, - WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - /* Load as modified cert - bad initial length. */ - ca_expired_cert[2] = 0x7f; - ExpectIntEQ(wolfSSL_CTX_load_verify_buffer_ex(ctx, ca_expired_cert, - sizeof_ca_expired_cert, WOLFSSL_FILETYPE_ASN1, 1, - WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY), WC_NO_ERR_TRACE(ASN_PARSE_E)); + for (itr = 0; itr < (int)(sizeof(versions)/sizeof(int)); itr++) { + if (wolfSSL_SetMinVersion(ssl, *(versions + itr)) != WOLFSSL_SUCCESS) { + failFlag = WOLFSSL_FAILURE; + } + } + wolfSSL_free(ssl); wolfSSL_CTX_free(ctx); + + res = TEST_RES_CHECK(failFlag == WOLFSSL_SUCCESS); #endif + return res; - return EXPECT_RESULT(); -} +} /* END test_wolfSSL_SetMinVersion */ -static int test_wolfSSL_CTX_load_verify_chain_buffer_format(void) -{ - EXPECT_DECLS; -#if !defined(NO_CERTS) && !defined(NO_RSA) && defined(OPENSSL_EXTRA) && \ - defined(USE_CERT_BUFFERS_2048) && (WOLFSSL_MIN_RSA_BITS <= 1024) && \ - !defined(NO_TLS) && \ - (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) - WOLFSSL_CTX* ctx = NULL; - #ifndef NO_WOLFSSL_CLIENT - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); - #else - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); - #endif +#include - /* Public key 140 bytes??? */ - ExpectIntEQ(wolfSSL_CTX_load_verify_chain_buffer_format(ctx, - ca_cert_chain_der, sizeof_ca_cert_chain_der, WOLFSSL_FILETYPE_ASN1), - WOLFSSL_SUCCESS); +/*----------------------------------------------------------------------------* + | IO + *----------------------------------------------------------------------------*/ - wolfSSL_CTX_free(ctx); -#endif +#if defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) || \ + defined(HAVE_IO_TESTS_DEPENDENCIES) +#ifdef WOLFSSL_HAVE_TLS_UNIQUE + byte server_side_msg1[WC_MAX_DIGEST_SIZE]; /* msg sent by server */ + byte server_side_msg2[WC_MAX_DIGEST_SIZE]; /* msg received from client */ + byte client_side_msg1[WC_MAX_DIGEST_SIZE]; /* msg sent by client */ + byte client_side_msg2[WC_MAX_DIGEST_SIZE]; /* msg received from server */ +#endif /* WOLFSSL_HAVE_TLS_UNIQUE */ - return EXPECT_RESULT(); -} +/* TODO: Expand and enable this when EVP_chacha20_poly1305 is supported */ +#if defined(HAVE_SESSION_TICKET) && defined(OPENSSL_EXTRA) && \ + defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_256) -static int test_wolfSSL_CTX_add1_chain_cert(void) -{ - EXPECT_DECLS; -#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && defined(OPENSSL_EXTRA) && \ - defined(KEEP_OUR_CERT) && !defined(NO_RSA) && !defined(NO_TLS) && \ - !defined(NO_WOLFSSL_CLIENT) - WOLFSSL_CTX* ctx; - WOLFSSL* ssl = NULL; - const char *certChain[] = { - "./certs/intermediate/client-int-cert.pem", - "./certs/intermediate/ca-int2-cert.pem", - "./certs/intermediate/ca-int-cert.pem", - "./certs/ca-cert.pem", - NULL - }; - const char** cert; - WOLFSSL_X509* x509 = NULL; - WOLF_STACK_OF(X509)* chain = NULL; + typedef struct openssl_key_ctx { + byte name[WOLFSSL_TICKET_NAME_SZ]; /* server name */ + byte key[WOLFSSL_TICKET_KEY_SZ]; /* cipher key */ + byte hmacKey[WOLFSSL_TICKET_NAME_SZ]; /* hmac key */ + byte iv[WOLFSSL_TICKET_IV_SZ]; /* cipher iv */ + } openssl_key_ctx; - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); - ExpectNotNull(ssl = wolfSSL_new(ctx)); + static THREAD_LS_T openssl_key_ctx myOpenSSLKey_ctx; + static THREAD_LS_T WC_RNG myOpenSSLKey_rng; - ExpectNotNull(x509 = wolfSSL_X509_new()); - ExpectIntEQ(SSL_CTX_add1_chain_cert(ctx, x509), 0); - ExpectIntEQ(SSL_CTX_add0_chain_cert(ctx, x509), 0); - ExpectIntEQ(SSL_add1_chain_cert(ssl, x509), 0); - ExpectIntEQ(SSL_add0_chain_cert(ssl, x509), 0); - wolfSSL_X509_free(x509); - x509 = NULL; + static WC_INLINE int OpenSSLTicketInit(void) + { + int ret = wc_InitRng(&myOpenSSLKey_rng); + if (ret != 0) return ret; - for (cert = certChain; EXPECT_SUCCESS() && *cert != NULL; cert++) { - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(*cert, - WOLFSSL_FILETYPE_PEM)); + ret = wc_RNG_GenerateBlock(&myOpenSSLKey_rng, myOpenSSLKey_ctx.name, + sizeof(myOpenSSLKey_ctx.name)); + if (ret != 0) return ret; - /* Do negative tests once */ - if (cert == certChain) { - /* Negative tests. */ - ExpectIntEQ(SSL_CTX_add1_chain_cert(NULL, NULL), 0); - ExpectIntEQ(SSL_CTX_add1_chain_cert(ctx, NULL), 0); - ExpectIntEQ(SSL_CTX_add1_chain_cert(NULL, x509), 0); - ExpectIntEQ(SSL_CTX_add0_chain_cert(NULL, NULL), 0); - ExpectIntEQ(SSL_CTX_add0_chain_cert(ctx, NULL), 0); - ExpectIntEQ(SSL_CTX_add0_chain_cert(NULL, x509), 0); - } + ret = wc_RNG_GenerateBlock(&myOpenSSLKey_rng, myOpenSSLKey_ctx.key, + sizeof(myOpenSSLKey_ctx.key)); + if (ret != 0) return ret; - ExpectIntEQ(SSL_CTX_add1_chain_cert(ctx, x509), 1); - X509_free(x509); - x509 = NULL; - } - for (cert = certChain; EXPECT_SUCCESS() && *cert != NULL; cert++) { - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(*cert, - WOLFSSL_FILETYPE_PEM)); + ret = wc_RNG_GenerateBlock(&myOpenSSLKey_rng, myOpenSSLKey_ctx.hmacKey, + sizeof(myOpenSSLKey_ctx.hmacKey)); + if (ret != 0) return ret; - /* Do negative tests once */ - if (cert == certChain) { - /* Negative tests. */ - ExpectIntEQ(SSL_add1_chain_cert(NULL, NULL), 0); - ExpectIntEQ(SSL_add1_chain_cert(ssl, NULL), 0); - ExpectIntEQ(SSL_add1_chain_cert(NULL, x509), 0); - ExpectIntEQ(SSL_add0_chain_cert(NULL, NULL), 0); - ExpectIntEQ(SSL_add0_chain_cert(ssl, NULL), 0); - ExpectIntEQ(SSL_add0_chain_cert(NULL, x509), 0); - } + ret = wc_RNG_GenerateBlock(&myOpenSSLKey_rng, myOpenSSLKey_ctx.iv, + sizeof(myOpenSSLKey_ctx.iv)); + if (ret != 0) return ret; - ExpectIntEQ(SSL_add1_chain_cert(ssl, x509), 1); - X509_free(x509); - x509 = NULL; + return 0; } - ExpectIntEQ(SSL_CTX_get0_chain_certs(ctx, &chain), 1); - ExpectIntEQ(sk_X509_num(chain), 3); - ExpectIntEQ(SSL_get0_chain_certs(ssl, &chain), 1); - ExpectIntEQ(sk_X509_num(chain), 3); - - SSL_free(ssl); - SSL_CTX_free(ctx); -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_CTX_use_certificate_chain_buffer_format(void) -{ - EXPECT_DECLS; -#if !defined(NO_CERTS) && !defined(NO_TLS) && \ - !defined(NO_WOLFSSL_CLIENT) && !defined(NO_RSA) && \ - (!defined(NO_FILESYSTEM) || defined(USE_CERT_BUFFERS_2048)) - WOLFSSL_CTX* ctx = NULL; - WOLFSSL* ssl = NULL; -#ifndef NO_FILESYSTEM - const char* cert = svrCertFile; - unsigned char* buf = NULL; - size_t len = 0; - - ExpectIntEQ(load_file(cert, &buf, &len), 0); -#endif - - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); - ExpectNotNull(ssl = wolfSSL_new(ctx)); + static int myTicketEncCbOpenSSL(WOLFSSL* ssl, + byte name[WOLFSSL_TICKET_NAME_SZ], + byte iv[WOLFSSL_TICKET_IV_SZ], + WOLFSSL_EVP_CIPHER_CTX *ectx, + WOLFSSL_HMAC_CTX *hctx, int enc) { + (void)ssl; + if (enc) { + XMEMCPY(name, myOpenSSLKey_ctx.name, sizeof(myOpenSSLKey_ctx.name)); + XMEMCPY(iv, myOpenSSLKey_ctx.iv, sizeof(myOpenSSLKey_ctx.iv)); + } + else if (XMEMCMP(name, myOpenSSLKey_ctx.name, + sizeof(myOpenSSLKey_ctx.name)) != 0 || + XMEMCMP(iv, myOpenSSLKey_ctx.iv, + sizeof(myOpenSSLKey_ctx.iv)) != 0) { + return 0; + } + HMAC_Init_ex(hctx, myOpenSSLKey_ctx.hmacKey, WOLFSSL_TICKET_NAME_SZ, EVP_sha256(), NULL); + if (enc) + EVP_EncryptInit_ex(ectx, EVP_aes_256_cbc(), NULL, myOpenSSLKey_ctx.key, iv); + else + EVP_DecryptInit_ex(ectx, EVP_aes_256_cbc(), NULL, myOpenSSLKey_ctx.key, iv); + return 1; + } - /* Invalid parameters. */ -#ifndef NO_FILESYSTEM - ExpectIntEQ(wolfSSL_CTX_use_certificate_chain_buffer_format(NULL, - NULL, 0, WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CTX_use_certificate_chain_buffer_format(ctx, - NULL, 0, WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_PARSE_E)); - ExpectIntEQ(wolfSSL_CTX_use_certificate_chain_buffer(NULL, NULL, 0), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); -#ifdef WOLFSSL_PEM_TO_DER - ExpectIntEQ(wolfSSL_CTX_use_certificate_chain_buffer(ctx, NULL, 0), - WC_NO_ERR_TRACE(ASN_NO_PEM_HEADER)); + static WC_INLINE void OpenSSLTicketCleanup(void) + { + wc_FreeRng(&myOpenSSLKey_rng); + } #endif - ExpectIntEQ(wolfSSL_CTX_use_certificate_chain_buffer(NULL, buf, - (sword32)len), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_use_certificate_chain_buffer(NULL, NULL, 0), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); -#ifdef WOLFSSL_PEM_TO_DER - ExpectIntEQ(wolfSSL_use_certificate_chain_buffer(ssl, NULL, 0), - WC_NO_ERR_TRACE(ASN_NO_PEM_HEADER)); #endif - ExpectIntEQ(wolfSSL_use_certificate_chain_buffer(NULL, buf, (sword32)len), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - - ExpectIntEQ(wolfSSL_CTX_use_certificate_chain_buffer_format(ctx, buf, - (sword32)len, CERT_FILETYPE), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CTX_use_certificate_chain_buffer(ctx, buf, (sword32)len), - WOLFSSL_SUCCESS); +/* helper functions */ +#ifdef HAVE_SSL_MEMIO_TESTS_DEPENDENCIES +static WC_INLINE int test_ssl_memio_write_cb(WOLFSSL *ssl, char *data, int sz, + void *ctx) +{ + struct test_ssl_memio_ctx *test_ctx; + byte *buf; + int *len; + int *msg_sizes; + int *msg_count; - ExpectIntEQ(wolfSSL_use_certificate_chain_buffer(ssl, buf, (sword32)len), - WOLFSSL_SUCCESS); -#endif /* !NO_FILESYSTEM */ + test_ctx = (struct test_ssl_memio_ctx*)ctx; - ExpectIntEQ(wolfSSL_CTX_use_certificate_chain_buffer_format(NULL, - server_cert_der_2048, sizeof_server_cert_der_2048, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + if (wolfSSL_GetSide(ssl) == WOLFSSL_SERVER_END) { + buf = test_ctx->c_buff; + len = &test_ctx->c_len; + msg_sizes = test_ctx->c_msg_sizes; + msg_count = &test_ctx->c_msg_count; + } + else { + buf = test_ctx->s_buff; + len = &test_ctx->s_len; + msg_sizes = test_ctx->s_msg_sizes; + msg_count = &test_ctx->s_msg_count; + } - ExpectIntEQ(wolfSSL_CTX_use_certificate_chain_buffer_format(ctx, - server_cert_der_2048, sizeof_server_cert_der_2048, - WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); + if ((unsigned)(*len + sz) > TEST_SSL_MEMIO_BUF_SZ) + return WOLFSSL_CBIO_ERR_WANT_WRITE; -#ifdef WOLFSSL_PEM_TO_DER - ExpectIntEQ(wolfSSL_CTX_use_certificate_chain_buffer(ctx, - server_cert_der_2048, sizeof_server_cert_der_2048), - WC_NO_ERR_TRACE(ASN_NO_PEM_HEADER)); + if (*msg_count >= TEST_MEMIO_MAX_MSGS) + return WOLFSSL_CBIO_ERR_WANT_WRITE; - ExpectIntEQ(wolfSSL_use_certificate_chain_buffer(ssl, server_cert_der_2048, - sizeof_server_cert_der_2048), WC_NO_ERR_TRACE(ASN_NO_PEM_HEADER)); -#endif + XMEMCPY(buf + *len, data, sz); + msg_sizes[*msg_count] = sz; + (*msg_count)++; + *len += sz; - wolfSSL_free(ssl); - wolfSSL_CTX_free(ctx); -#ifndef NO_FILESYSTEM - if (buf != NULL) { - free(buf); +#ifdef WOLFSSL_DUMP_MEMIO_STREAM + { + /* This can be imported into Wireshark by transforming the file with + * od -Ax -tx1 -v test_output.dump > test_output.dump.hex + * And then loading test_output.dump.hex into Wireshark using the + * "Import from Hex Dump..." option ion and selecting the TCP + * encapsulation option. */ + char dump_file_name[64]; + WOLFSSL_BIO *dump_file; + sprintf(dump_file_name, "%s/%s.dump", tmpDirName, currentTestName); + dump_file = wolfSSL_BIO_new_file(dump_file_name, "a"); + if (dump_file != NULL) { + (void)wolfSSL_BIO_write(dump_file, data, sz); + wolfSSL_BIO_free(dump_file); + } } #endif -#endif - return EXPECT_RESULT(); + + return sz; } -static int test_wolfSSL_CTX_use_certificate_chain_file_format(void) +static WC_INLINE int test_ssl_memio_read_cb(WOLFSSL *ssl, char *data, int sz, + void *ctx) { - EXPECT_DECLS; -#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_TLS) && \ - !defined(NO_RSA) && \ - (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) - const char* server_chain_der = "./certs/server-cert-chain.der"; - const char* client_single_pem = cliCertFile; - WOLFSSL_CTX* ctx = NULL; - - (void)server_chain_der; - (void)client_single_pem; - (void)ctx; + struct test_ssl_memio_ctx *test_ctx; + int read_sz; + byte *buf; + int *len; + int *msg_sizes; + int *msg_count; + int *msg_pos; + int is_dtls; - #ifndef NO_WOLFSSL_CLIENT - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); - #else - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); - #endif + test_ctx = (struct test_ssl_memio_ctx*)ctx; + is_dtls = wolfSSL_dtls(ssl); - ExpectIntEQ(wolfSSL_CTX_use_certificate_chain_file_format(ctx, - server_chain_der, WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CTX_use_certificate_chain_file_format(ctx, - client_single_pem, CERT_FILETYPE), WOLFSSL_SUCCESS); + if (wolfSSL_GetSide(ssl) == WOLFSSL_SERVER_END) { + buf = test_ctx->s_buff; + len = &test_ctx->s_len; + msg_sizes = test_ctx->s_msg_sizes; + msg_count = &test_ctx->s_msg_count; + msg_pos = &test_ctx->s_msg_pos; + } + else { + buf = test_ctx->c_buff; + len = &test_ctx->c_len; + msg_sizes = test_ctx->c_msg_sizes; + msg_count = &test_ctx->c_msg_count; + msg_pos = &test_ctx->c_msg_pos; + } - wolfSSL_CTX_free(ctx); -#endif - return EXPECT_RESULT(); -} + if (*len == 0 || *msg_pos >= *msg_count) + return WOLFSSL_CBIO_ERR_WANT_READ; -static int test_wolfSSL_use_certificate_chain_file(void) -{ - EXPECT_DECLS; -#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_TLS) && \ - !defined(NO_WOLFSSL_CLIENT) && !defined(NO_RSA) - const char* server_chain_der = "./certs/server-cert-chain.der"; - const char* client_single_pem = cliCertFile; - WOLFSSL_CTX* ctx = NULL; - WOLFSSL* ssl = NULL; + /* Calculate how much we can read from current message */ + read_sz = msg_sizes[*msg_pos]; + if (read_sz > sz) + read_sz = sz; - (void)server_chain_der; - (void)client_single_pem; + if (read_sz > *len) + return WOLFSSL_CBIO_ERR_GENERAL; - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); - ExpectNotNull(ssl = wolfSSL_new(ctx)); + /* Copy data from current message */ + XMEMCPY(data, buf, (size_t)read_sz); + /* remove the read data from the buffer */ + XMEMMOVE(buf, buf + read_sz, (size_t)(*len - read_sz)); + *len -= read_sz; + msg_sizes[*msg_pos] -= read_sz; - /* Invalid parameters. */ - ExpectIntEQ(wolfSSL_use_certificate_chain_file_format(NULL, NULL, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_use_certificate_chain_file_format(ssl, NULL, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_use_certificate_chain_file_format(NULL, - server_chain_der, WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_use_certificate_chain_file(NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_use_certificate_chain_file(ssl, NULL), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_use_certificate_chain_file(NULL, client_single_pem), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); -#ifdef WOLFSSL_PEM_TO_DER - ExpectIntEQ(wolfSSL_use_certificate_chain_file(ssl, server_chain_der), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); -#endif + /* if we are on dtls, discard the rest of the message */ + if (is_dtls && msg_sizes[*msg_pos] > 0) { + XMEMMOVE(buf, buf + msg_sizes[*msg_pos], (size_t)(*len - msg_sizes[*msg_pos])); + *len -= msg_sizes[*msg_pos]; + msg_sizes[*msg_pos] = 0; + } - ExpectIntEQ(wolfSSL_use_certificate_chain_file_format(ssl, - server_chain_der, WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_use_certificate_chain_file_format(ssl, - client_single_pem, CERT_FILETYPE), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_use_certificate_chain_file(ssl, client_single_pem), - WOLFSSL_SUCCESS); + /* If we've read the entire message */ + if (msg_sizes[*msg_pos] == 0) { + /* Move to next message */ + (*msg_pos)++; + if (*msg_pos >= *msg_count) { + *msg_pos = 0; + *msg_count = 0; + } + } - wolfSSL_free(ssl); - wolfSSL_CTX_free(ctx); -#endif - return EXPECT_RESULT(); + return read_sz; } -static int test_wolfSSL_CTX_SetTmpDH_file(void) +int test_ssl_memio_setup(test_ssl_memio_ctx *ctx) { - EXPECT_DECLS; -#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_TLS) && \ - !defined(NO_DH) && \ - (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) - WOLFSSL_CTX *ctx = NULL; -#if defined(WOLFSSL_WPAS) && !defined(NO_DSA) -#if defined(WOLFSSL_PEM_TO_DER) - const char* dsaParamFile = "./certs/dsaparams.pem"; -#else - const char* dsaParamFile = "./certs/dsaparams.der"; -#endif + EXPECT_DECLS_NO_MSGS(-2000); +#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE) + int c_sharedCtx = 0; + int s_sharedCtx = 0; #endif + const char* clientCertFile = cliCertFile; + const char* clientKeyFile = cliKeyFile; + const char* serverCertFile = svrCertFile; + const char* serverKeyFile = svrKeyFile; - (void)ctx; - - #ifndef NO_WOLFSSL_CLIENT - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); - #else - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); - #endif - - /* invalid context */ - ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_SetTmpDH_file(NULL, - dhParamFile, CERT_FILETYPE)); - - /* invalid dhParamFile file */ - ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_SetTmpDH_file(ctx, - NULL, CERT_FILETYPE)); - - ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_SetTmpDH_file(ctx, - bogusFile, CERT_FILETYPE)); - - /* success */ - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_SetTmpDH_file(ctx, dhParamFile, - CERT_FILETYPE)); -#if defined(WOLFSSL_WPAS) && !defined(NO_DSA) - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_SetTmpDH_file(ctx, dsaParamFile, - CERT_FILETYPE)); + /******************************** + * Create WOLFSSL_CTX for client. + ********************************/ +#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE) + if (ctx->c_ctx != NULL) { + c_sharedCtx = ctx->c_cb.isSharedCtx; + } + else #endif - - wolfSSL_CTX_free(ctx); + { + WOLFSSL_METHOD* method = NULL; + if (ctx->c_cb.method != NULL) { + method = ctx->c_cb.method(); + } + else { + method = wolfSSLv23_client_method(); + } + ExpectNotNull(ctx->c_ctx = wolfSSL_CTX_new(method)); + } + wolfSSL_SetIORecv(ctx->c_ctx, test_ssl_memio_read_cb); + wolfSSL_SetIOSend(ctx->c_ctx, test_ssl_memio_write_cb); +#ifdef WOLFSSL_ENCRYPTED_KEYS + wolfSSL_CTX_set_default_passwd_cb(ctx->c_ctx, PasswordCallBack); #endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_CTX_SetTmpDH_buffer(void) -{ - EXPECT_DECLS; -#if !defined(NO_CERTS) && !defined(NO_TLS) && !defined(NO_DH) && \ - (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) - WOLFSSL_CTX *ctx = NULL; - - #ifndef NO_WOLFSSL_CLIENT - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); - #else - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); - #endif - - /* invalid context */ - ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_SetTmpDH_buffer(NULL, - dh_key_der_2048, sizeof_dh_key_der_2048, - WOLFSSL_FILETYPE_ASN1)); - - /* invalid dhParamFile file */ - ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_SetTmpDH_buffer(NULL, NULL, - 0, WOLFSSL_FILETYPE_ASN1)); - ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_SetTmpDH_buffer(ctx, NULL, - 0, WOLFSSL_FILETYPE_ASN1)); - - ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_SetTmpDH_buffer(ctx, - dsa_key_der_2048, sizeof_dsa_key_der_2048, - WOLFSSL_FILETYPE_ASN1)); - - /* invalid file format */ - ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_SetTmpDH_buffer(ctx, - dh_key_der_2048, sizeof_dh_key_der_2048, -1)); + if (ctx->c_cb.caPemFile == NULL) + ExpectIntEQ(wolfSSL_CTX_load_verify_locations(ctx->c_ctx, + caCertFile, 0), WOLFSSL_SUCCESS); + else if (*ctx->c_cb.caPemFile != '\0') + ExpectIntEQ(wolfSSL_CTX_load_verify_locations(ctx->c_ctx, + ctx->c_cb.caPemFile, 0), WOLFSSL_SUCCESS); + if (ctx->c_cb.certPemFile != NULL) { + clientCertFile = ctx->c_cb.certPemFile; + } + if (ctx->c_cb.keyPemFile != NULL) { + clientKeyFile = ctx->c_cb.keyPemFile; + } +#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE) + if (!c_sharedCtx) +#endif + { + if (*clientCertFile != '\0') { + ExpectIntEQ(wolfSSL_CTX_use_certificate_chain_file(ctx->c_ctx, + clientCertFile), WOLFSSL_SUCCESS); + } + if (*clientKeyFile != '\0') { + ExpectIntEQ(wolfSSL_CTX_use_PrivateKey_file(ctx->c_ctx, clientKeyFile, + CERT_FILETYPE), WOLFSSL_SUCCESS); + } + } +#ifdef HAVE_CRL + if (ctx->c_cb.crlPemFile != NULL) { + ExpectIntEQ(wolfSSL_CTX_EnableCRL(ctx->c_ctx, WOLFSSL_CRL_CHECKALL), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CTX_LoadCRLFile(ctx->c_ctx, ctx->c_cb.crlPemFile, + CERT_FILETYPE), WOLFSSL_SUCCESS); + } +#endif + if (ctx->c_ciphers != NULL) { + ExpectIntEQ(wolfSSL_CTX_set_cipher_list(ctx->c_ctx, ctx->c_ciphers), + WOLFSSL_SUCCESS); + } + if (ctx->c_cb.ctx_ready != NULL) { + ExpectIntEQ(ctx->c_cb.ctx_ready(ctx->c_ctx), TEST_SUCCESS); + } - /* success */ - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_SetTmpDH_buffer(ctx, - dh_key_der_2048, sizeof_dh_key_der_2048, - WOLFSSL_FILETYPE_ASN1)); - wolfSSL_CTX_free(ctx); + /******************************** + * Create WOLFSSL_CTX for server. + ********************************/ + if (ctx->s_ctx != NULL) { +#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE) + s_sharedCtx = 1; #endif - return EXPECT_RESULT(); -} - -static int test_wc_DhSetNamedKey(void) -{ - EXPECT_DECLS; -#if !defined(HAVE_SELFTEST) && !defined(NO_DH) && \ - !defined(WOLFSSL_NO_MALLOC) && defined(HAVE_FFDHE) && \ - (!defined(HAVE_FIPS) || FIPS_VERSION_GT(2,0)) - DhKey *key = NULL; - key = (DhKey*)XMALLOC(sizeof(DhKey), HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - ExpectNotNull(key); - if (key != NULL){ - #ifdef HAVE_FFDHE_2048 - if (wc_InitDhKey_ex(key, HEAP_HINT, INVALID_DEVID) == 0){ - ExpectIntEQ(wc_DhSetNamedKey(key, WC_FFDHE_2048), 0); - ExpectIntEQ(wc_DhGetNamedKeyMinSize(WC_FFDHE_2048), 29); - wc_FreeDhKey(key); + ctx->s_cb.isSharedCtx = 1; + } + else + { + WOLFSSL_METHOD* method = NULL; + if (ctx->s_cb.method != NULL) { + method = ctx->s_cb.method(); } - #endif - #ifdef HAVE_FFDHE_3072 - if (wc_InitDhKey_ex(key, HEAP_HINT, INVALID_DEVID) == 0){ - ExpectIntEQ(wc_DhSetNamedKey(key, WC_FFDHE_3072), 0); - ExpectIntEQ(wc_DhGetNamedKeyMinSize(WC_FFDHE_3072), 34); - wc_FreeDhKey(key); + else { + method = wolfSSLv23_server_method(); } - #endif - #ifdef HAVE_FFDHE_4096 - if (wc_InitDhKey_ex(key, HEAP_HINT, INVALID_DEVID) == 0){ - ExpectIntEQ(wc_DhSetNamedKey(key, WC_FFDHE_4096), 0); - ExpectIntEQ(wc_DhGetNamedKeyMinSize(WC_FFDHE_4096), 39); - wc_FreeDhKey(key); + ExpectNotNull(ctx->s_ctx = wolfSSL_CTX_new(method)); + ctx->s_cb.isSharedCtx = 0; + } + if (!ctx->s_cb.ticNoInit && (ctx->s_ctx != NULL)) { +#if defined(HAVE_SESSION_TICKET) && \ + ((defined(HAVE_CHACHA) && defined(HAVE_POLY1305)) || defined(HAVE_AESGCM)) +#if defined(OPENSSL_EXTRA) && defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_256) + OpenSSLTicketInit(); + wolfSSL_CTX_set_tlsext_ticket_key_cb(ctx->s_ctx, myTicketEncCbOpenSSL); +#elif defined(WOLFSSL_NO_DEF_TICKET_ENC_CB) + TicketInit(); + wolfSSL_CTX_set_TicketEncCb(ctx->s_ctx, myTicketEncCb); +#endif +#endif + } + wolfSSL_SetIORecv(ctx->s_ctx, test_ssl_memio_read_cb); + wolfSSL_SetIOSend(ctx->s_ctx, test_ssl_memio_write_cb); + wolfSSL_CTX_set_verify(ctx->s_ctx, WOLFSSL_VERIFY_PEER | + WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0); + if (ctx->s_cb.caPemFile == NULL) + ExpectIntEQ(wolfSSL_CTX_load_verify_locations(ctx->s_ctx, + cliCertFile, 0), WOLFSSL_SUCCESS); + else if (*ctx->s_cb.caPemFile != '\0') + ExpectIntEQ(wolfSSL_CTX_load_verify_locations(ctx->s_ctx, + ctx->s_cb.caPemFile, 0), WOLFSSL_SUCCESS); +#ifdef WOLFSSL_ENCRYPTED_KEYS + wolfSSL_CTX_set_default_passwd_cb(ctx->s_ctx, PasswordCallBack); +#endif + if (ctx->s_cb.certPemFile != NULL) { + serverCertFile = ctx->s_cb.certPemFile; + } +#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE) + if (!s_sharedCtx) +#endif + { + if (*serverCertFile != '\0') { + ExpectIntEQ(wolfSSL_CTX_use_certificate_chain_file(ctx->s_ctx, + serverCertFile), WOLFSSL_SUCCESS); } - #endif - #ifdef HAVE_FFDHE_6144 - if (wc_InitDhKey_ex(key, HEAP_HINT, INVALID_DEVID) == 0){ - ExpectIntEQ(wc_DhSetNamedKey(key, WC_FFDHE_6144), 0); - ExpectIntEQ(wc_DhGetNamedKeyMinSize(WC_FFDHE_6144), 46); - wc_FreeDhKey(key); + } + if (ctx->s_cb.keyPemFile != NULL) { + serverKeyFile = ctx->s_cb.keyPemFile; + } +#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE) + if (!s_sharedCtx) +#endif + { + if (*serverKeyFile != '\0') { + ExpectIntEQ(wolfSSL_CTX_use_PrivateKey_file(ctx->s_ctx, serverKeyFile, + CERT_FILETYPE), WOLFSSL_SUCCESS); } - #endif - #ifdef HAVE_FFDHE_8192 - if (wc_InitDhKey_ex(key, HEAP_HINT, INVALID_DEVID) == 0){ - ExpectIntEQ(wc_DhSetNamedKey(key, WC_FFDHE_8192), 0); - ExpectIntEQ(wc_DhGetNamedKeyMinSize(WC_FFDHE_8192), 52); - wc_FreeDhKey(key); + } + if (ctx->s_ciphers != NULL) { + ExpectIntEQ(wolfSSL_CTX_set_cipher_list(ctx->s_ctx, ctx->s_ciphers), + WOLFSSL_SUCCESS); + } + if (ctx->s_cb.ctx_ready != NULL) { + ExpectIntEQ(ctx->s_cb.ctx_ready(ctx->s_ctx), TEST_SUCCESS); + } + + + /**************************** + * Create WOLFSSL for client. + ****************************/ + ExpectNotNull(ctx->c_ssl = wolfSSL_new(ctx->c_ctx)); + wolfSSL_SetIOWriteCtx(ctx->c_ssl, ctx); + wolfSSL_SetIOReadCtx(ctx->c_ssl, ctx); +#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE) + if (c_sharedCtx) { + if (*clientCertFile != '\0') { + ExpectIntEQ(wolfSSL_use_certificate_chain_file(ctx->c_ssl, + clientCertFile), WOLFSSL_SUCCESS); + } + if (*clientKeyFile != '\0') { + ExpectIntEQ(wolfSSL_use_PrivateKey_file(ctx->c_ssl, clientKeyFile, + CERT_FILETYPE), WOLFSSL_SUCCESS); + } + } +#endif + if (ctx->c_cb.ssl_ready != NULL) { + ExpectIntEQ(ctx->c_cb.ssl_ready(ctx->c_ssl), TEST_SUCCESS); + } + + /**************************** + * Create WOLFSSL for server. + ****************************/ + ExpectNotNull(ctx->s_ssl = wolfSSL_new(ctx->s_ctx)); + wolfSSL_SetIOWriteCtx(ctx->s_ssl, ctx); + wolfSSL_SetIOReadCtx(ctx->s_ssl, ctx); +#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE) + if (s_sharedCtx) { + if (*serverCertFile != '\0') { + ExpectIntEQ(wolfSSL_use_certificate_chain_file(ctx->s_ssl, + serverCertFile), WOLFSSL_SUCCESS); + } + if (*serverKeyFile != '\0') { + ExpectIntEQ(wolfSSL_use_PrivateKey_file(ctx->s_ssl, serverKeyFile, + CERT_FILETYPE), WOLFSSL_SUCCESS); } - #endif - XFREE(key, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); } #endif +#if !defined(NO_FILESYSTEM) && !defined(NO_DH) + wolfSSL_SetTmpDH_file(ctx->s_ssl, dhParamFile, CERT_FILETYPE); +#elif !defined(NO_DH) + /* will repick suites with DHE, higher priority than PSK */ + SetDH(ctx->s_ssl); +#endif + if (ctx->s_cb.ssl_ready != NULL) { + ExpectIntEQ(ctx->s_cb.ssl_ready(ctx->s_ssl), TEST_SUCCESS); + } + return EXPECT_RESULT(); } -static int test_wolfSSL_CTX_SetMinMaxDhKey_Sz(void) +int test_ssl_memio_do_handshake(test_ssl_memio_ctx* ctx, int max_rounds, + int* rounds) { - EXPECT_DECLS; -#if !defined(NO_CERTS) && !defined(NO_TLS) && !defined(NO_DH) && \ - (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) - WOLFSSL_CTX *ctx; - - (void)ctx; - - #ifndef NO_WOLFSSL_CLIENT - ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()); - #else - ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()); - #endif - ExpectNotNull(ctx); + int handshake_complete = 0; + int hs_c = 0; + int hs_s = 0; + int failing_s = 0; + int failing_c = 0; + int ret; + int err; - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_SetMinDhKey_Sz(ctx, 3072)); + if (rounds != NULL) { + *rounds = 0; + } + while ((!handshake_complete) && (max_rounds > 0)) { + if (!hs_c) { + wolfSSL_SetLoggingPrefix("client"); + ret = wolfSSL_connect(ctx->c_ssl); + wolfSSL_SetLoggingPrefix(NULL); + if (ret == WOLFSSL_SUCCESS) { + hs_c = 1; + } + else { + err = wolfSSL_get_error(ctx->c_ssl, ret); + if (err != WOLFSSL_ERROR_WANT_READ && + err != WOLFSSL_ERROR_WANT_WRITE) { + char buff[WOLFSSL_MAX_ERROR_SZ]; + fprintf(stderr, "error = %d, %s\n", err, + wolfSSL_ERR_error_string((word32)err, buff)); + failing_c = 1; + hs_c = 1; + if (failing_c && failing_s) { + break; + } + } + } + } + if (!hs_s) { + wolfSSL_SetLoggingPrefix("server"); + ret = wolfSSL_accept(ctx->s_ssl); + wolfSSL_SetLoggingPrefix(NULL); + if (ret == WOLFSSL_SUCCESS) { + hs_s = 1; + } + else { + err = wolfSSL_get_error(ctx->s_ssl, ret); + if (err != WOLFSSL_ERROR_WANT_READ && + err != WOLFSSL_ERROR_WANT_WRITE) { + char buff[WOLFSSL_MAX_ERROR_SZ]; + fprintf(stderr, "error = %d, %s\n", err, + wolfSSL_ERR_error_string((word32)err, buff)); + failing_s = 1; + hs_s = 1; + if (failing_c && failing_s) { + break; + } + } + } + } + handshake_complete = hs_c && hs_s; + max_rounds--; + if (rounds != NULL) { + *rounds += 1; + } + } - ExpectIntEQ(WC_NO_ERR_TRACE(DH_KEY_SIZE_E), wolfSSL_CTX_SetTmpDH_buffer(ctx, dh_key_der_2048, - sizeof_dh_key_der_2048, WOLFSSL_FILETYPE_ASN1)); + if (!handshake_complete || failing_c || failing_s) { + return TEST_FAIL; + } - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_SetMinDhKey_Sz(ctx, 2048)); + return TEST_SUCCESS; +} - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_SetTmpDH_buffer(ctx, - dh_key_der_2048, sizeof_dh_key_der_2048, - WOLFSSL_FILETYPE_ASN1)); +static int test_ssl_memio_read_write(test_ssl_memio_ctx* ctx) +{ + EXPECT_DECLS_NO_MSGS(-3000); + char input[1024]; + int idx = 0; + const char* msg_c = "hello wolfssl!"; + int msglen_c = (int)XSTRLEN(msg_c); + const char* msg_s = "I hear you fa shizzle!"; + int msglen_s = (int)XSTRLEN(msg_s); - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_SetMaxDhKey_Sz(ctx, 1024)); + if (ctx->c_msg != NULL) { + msg_c = ctx->c_msg; + msglen_c = ctx->c_msglen; + } + if (ctx->s_msg != NULL) { + msg_s = ctx->s_msg; + msglen_s = ctx->s_msglen; + } - ExpectIntEQ(WC_NO_ERR_TRACE(DH_KEY_SIZE_E), wolfSSL_CTX_SetTmpDH_buffer(ctx, - dh_key_der_2048, sizeof_dh_key_der_2048, - WOLFSSL_FILETYPE_ASN1)); + wolfSSL_SetLoggingPrefix("client"); + ExpectIntEQ(wolfSSL_write(ctx->c_ssl, msg_c, msglen_c), msglen_c); + wolfSSL_SetLoggingPrefix("server"); + ExpectIntGT(idx = wolfSSL_read(ctx->s_ssl, input, sizeof(input) - 1), 0); + if (idx >= 0) { + input[idx] = '\0'; + } + ExpectIntGT(fprintf(stderr, "Client message: %s\n", input), 0); + ExpectIntEQ(wolfSSL_write(ctx->s_ssl, msg_s, msglen_s), msglen_s); + ctx->s_cb.return_code = EXPECT_RESULT(); + wolfSSL_SetLoggingPrefix("client"); + ExpectIntGT(idx = wolfSSL_read(ctx->c_ssl, input, sizeof(input) - 1), 0); + wolfSSL_SetLoggingPrefix(NULL); + if (idx >= 0) { + input[idx] = '\0'; + } + ExpectIntGT(fprintf(stderr, "Server response: %s\n", input), 0); + ctx->c_cb.return_code = EXPECT_RESULT(); + if (ctx->c_cb.on_result != NULL) { + ExpectIntEQ(ctx->c_cb.on_result(ctx->c_ssl), TEST_SUCCESS); + } + if (ctx->s_cb.on_result != NULL) { + ExpectIntEQ(ctx->s_cb.on_result(ctx->s_ssl), TEST_SUCCESS); + } - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_SetMaxDhKey_Sz(ctx, 2048)); + return EXPECT_RESULT(); +} - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_SetTmpDH_buffer(ctx, - dh_key_der_2048, sizeof_dh_key_der_2048, - WOLFSSL_FILETYPE_ASN1)); +void test_ssl_memio_cleanup(test_ssl_memio_ctx* ctx) +{ + ctx->c_cb.last_err = wolfSSL_get_error(ctx->c_ssl, 0); + ctx->s_cb.last_err = wolfSSL_get_error(ctx->s_ssl, 0); + if (ctx->c_cb.on_cleanup != NULL) { + ctx->c_cb.on_cleanup(ctx->c_ssl); + } + if (ctx->s_cb.on_cleanup != NULL) { + ctx->s_cb.on_cleanup(ctx->s_ssl); + } + wolfSSL_shutdown(ctx->s_ssl); + wolfSSL_shutdown(ctx->c_ssl); + wolfSSL_free(ctx->s_ssl); + wolfSSL_free(ctx->c_ssl); + if (ctx->c_cb.on_ctx_cleanup != NULL) { + ctx->c_cb.on_ctx_cleanup(ctx->c_ctx); + } + if (!ctx->c_cb.isSharedCtx) { + wolfSSL_CTX_free(ctx->c_ctx); + ctx->c_ctx = NULL; + } + if (ctx->s_cb.on_ctx_cleanup != NULL) { + ctx->s_cb.on_ctx_cleanup(ctx->s_ctx); + } + if (!ctx->s_cb.isSharedCtx) { + wolfSSL_CTX_free(ctx->s_ctx); + ctx->s_ctx = NULL; + } - wolfSSL_CTX_free(ctx); + if (!ctx->s_cb.ticNoInit) { +#if defined(HAVE_SESSION_TICKET) && \ + ((defined(HAVE_CHACHA) && defined(HAVE_POLY1305)) || defined(HAVE_AESGCM)) +#if defined(OPENSSL_EXTRA) && defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_256) + OpenSSLTicketCleanup(); +#elif defined(WOLFSSL_NO_DEF_TICKET_ENC_CB) + TicketCleanup(); #endif - return EXPECT_RESULT(); +#endif + } } -static int test_wolfSSL_CTX_der_load_verify_locations(void) +static int test_wolfSSL_client_server_nofail_memio_ex(test_ssl_cbf* client_cb, + test_ssl_cbf* server_cb, cbType client_on_handshake, + cbType server_on_handshake) { - EXPECT_DECLS; -#if !defined(NO_FILESYSTEM) && defined(WOLFSSL_DER_LOAD) && \ - !defined(NO_TLS) && \ - (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) - WOLFSSL_CTX* ctx = NULL; - const char* derCert = "./certs/server-cert.der"; - const char* nullPath = NULL; - const char* invalidPath = "./certs/this-cert-does-not-exist.der"; - const char* emptyPath = ""; + /* We use EXPECT_DECLS_NO_MSGS() here because this helper routine is used + * for numerous but varied expected-to-fail scenarios that should not emit + * error messages on the expected failures. Instead, we return a distinct + * code for each failure point, allowing the caller to assert on a + * particular mode of expected failure. On success, the usual TEST_SUCCESS + * is returned. + */ + EXPECT_DECLS_NO_MSGS(-1000); + struct test_ssl_memio_ctx test_ctx; +#ifdef WOLFSSL_HAVE_TLS_UNIQUE + size_t msg_len; +#endif /* WOLFSSL_HAVE_TLS_UNIQUE */ - /* der load Case 1 ctx NULL */ - ExpectIntEQ(wolfSSL_CTX_der_load_verify_locations(ctx, derCert, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + XMEMSET(&test_ctx, 0, sizeof(test_ctx)); + XMEMCPY(&test_ctx.c_cb, client_cb, sizeof(test_ssl_cbf)); + XMEMCPY(&test_ctx.s_cb, server_cb, sizeof(test_ssl_cbf)); - #ifndef NO_WOLFSSL_CLIENT - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); - #else - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); - #endif + test_ctx.c_ctx = client_cb->ctx; + test_ctx.s_ctx = server_cb->ctx; + test_ctx.c_cb.return_code = EXPECT_FAILURE_CODEPOINT_ID; + test_ctx.s_cb.return_code = EXPECT_FAILURE_CODEPOINT_ID; - /* Case 2 filePath NULL */ - ExpectIntEQ(wolfSSL_CTX_der_load_verify_locations(ctx, nullPath, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - /* Case 3 invalid format */ - ExpectIntEQ(wolfSSL_CTX_der_load_verify_locations(ctx, derCert, - WOLFSSL_FILETYPE_PEM), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - /* Case 4 filePath not valid */ - ExpectIntEQ(wolfSSL_CTX_der_load_verify_locations(ctx, invalidPath, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - /* Case 5 filePath empty */ - ExpectIntEQ(wolfSSL_CTX_der_load_verify_locations(ctx, emptyPath, - WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); -#ifndef NO_RSA - /* Case 6 success case */ - ExpectIntEQ(wolfSSL_CTX_der_load_verify_locations(ctx, derCert, - WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); -#endif + ExpectIntEQ(test_ssl_memio_setup(&test_ctx), TEST_SUCCESS); + ExpectIntEQ(test_ssl_memio_do_handshake(&test_ctx, 10, NULL), TEST_SUCCESS); - wolfSSL_CTX_free(ctx); -#endif + if (client_on_handshake != NULL) { + ExpectIntEQ(client_on_handshake(test_ctx.c_ctx, test_ctx.c_ssl), + TEST_SUCCESS); + } + if (server_on_handshake != NULL) { + ExpectIntEQ(server_on_handshake(test_ctx.s_ctx, test_ctx.s_ssl), + TEST_SUCCESS); + } + if (client_cb->on_handshake != NULL) { + ExpectIntEQ(client_cb->on_handshake(&test_ctx.c_ctx, &test_ctx.c_ssl), + TEST_SUCCESS); + } + if (server_cb->on_handshake != NULL) { + ExpectIntEQ(server_cb->on_handshake(&test_ctx.s_ctx, &test_ctx.s_ssl), + TEST_SUCCESS); + } +#ifdef WOLFSSL_HAVE_TLS_UNIQUE + XMEMSET(server_side_msg2, 0, WC_MAX_DIGEST_SIZE); + msg_len = wolfSSL_get_peer_finished(test_ctx.s_ssl, server_side_msg2, + WC_MAX_DIGEST_SIZE); + ExpectIntGE(msg_len, 0); + + XMEMSET(server_side_msg1, 0, WC_MAX_DIGEST_SIZE); + msg_len = wolfSSL_get_finished(test_ctx.s_ssl, server_side_msg1, + WC_MAX_DIGEST_SIZE); + ExpectIntGE(msg_len, 0); +#endif /* WOLFSSL_HAVE_TLS_UNIQUE */ + + ExpectIntEQ(test_ssl_memio_read_write(&test_ctx), TEST_SUCCESS); + test_ssl_memio_cleanup(&test_ctx); + + client_cb->return_code = test_ctx.c_cb.return_code; + client_cb->last_err = test_ctx.c_cb.last_err; + server_cb->return_code = test_ctx.s_cb.return_code; + server_cb->last_err = test_ctx.s_cb.last_err; return EXPECT_RESULT(); } -static int test_wolfSSL_CTX_enable_disable(void) +int test_wolfSSL_client_server_nofail_memio(test_ssl_cbf* client_cb, + test_ssl_cbf* server_cb, cbType client_on_handshake) { - EXPECT_DECLS; -#if !defined(NO_CERTS) && !defined(NO_TLS) - WOLFSSL_CTX* ctx = NULL; + return (test_wolfSSL_client_server_nofail_memio_ex(client_cb, server_cb, + client_on_handshake, NULL)); +} +#endif - #ifdef HAVE_CRL - ExpectIntEQ(wolfSSL_CTX_DisableCRL(ctx), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CTX_EnableCRL(ctx, 0), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - #endif +#ifdef HAVE_IO_TESTS_DEPENDENCIES - #ifdef HAVE_OCSP - ExpectIntEQ(wolfSSL_CTX_DisableOCSP(ctx), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CTX_EnableOCSP(ctx, 0), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - #endif +#ifdef WOLFSSL_SESSION_EXPORT +#ifdef WOLFSSL_DTLS +/* set up function for sending session information */ +static int test_export(WOLFSSL* inSsl, byte* buf, word32 sz, void* userCtx) +{ + WOLFSSL_CTX* ctx = NULL; + WOLFSSL* ssl = NULL; - #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) || \ - defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) - ExpectIntEQ(wolfSSL_CTX_DisableOCSPStapling(ctx), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CTX_EnableOCSPStapling(ctx), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CTX_DisableOCSPMustStaple(ctx), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CTX_EnableOCSPMustStaple(ctx), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - #endif + AssertNotNull(inSsl); + AssertNotNull(buf); + AssertIntNE(0, sz); - #ifndef NO_WOLFSSL_CLIENT + /* Set ctx to DTLS 1.2 */ + ctx = wolfSSL_CTX_new(wolfDTLSv1_2_server_method()); + AssertNotNull(ctx); - #ifdef HAVE_EXTENDED_MASTER - ExpectIntEQ(wolfSSL_CTX_DisableExtendedMasterSecret(ctx), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - #endif - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); + ssl = wolfSSL_new(ctx); + AssertNotNull(ssl); - #ifdef HAVE_EXTENDED_MASTER - ExpectIntEQ(wolfSSL_CTX_DisableExtendedMasterSecret(ctx), WOLFSSL_SUCCESS); - #endif + AssertIntGE(wolfSSL_dtls_import(ssl, buf, sz), 0); - #elif !defined(NO_WOLFSSL_SERVER) - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); - #endif + wolfSSL_free(ssl); + wolfSSL_CTX_free(ctx); + (void)userCtx; + return 0; +} +#endif - #if !defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER) +/* returns negative value on fail and positive (including 0) on success */ +static int nonblocking_accept_read(void* args, WOLFSSL* ssl, SOCKET_T* sockfd) +{ + int ret, err, loop_count, count, timeout = 10; + char msg[] = "I hear you fa shizzle!"; + char input[1024]; - #ifdef HAVE_CRL - ExpectIntEQ(wolfSSL_CTX_DisableCRL(ctx), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CTX_EnableCRL(ctx, 0), WOLFSSL_SUCCESS); - #endif + loop_count = ((func_args*)args)->argc; - #ifdef HAVE_OCSP - ExpectIntEQ(wolfSSL_CTX_DisableOCSP(ctx), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CTX_EnableOCSP(ctx, WOLFSSL_OCSP_URL_OVERRIDE), - WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CTX_EnableOCSP(ctx, WOLFSSL_OCSP_NO_NONCE), - WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CTX_EnableOCSP(ctx, WOLFSSL_OCSP_CHECKALL), - WOLFSSL_SUCCESS); + #ifdef WOLFSSL_ASYNC_CRYPT + err = 0; /* Reset error */ #endif - - #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) || \ - defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) - ExpectIntEQ(wolfSSL_CTX_DisableOCSPStapling(ctx), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CTX_EnableOCSPStapling(ctx), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CTX_DisableOCSPMustStaple(ctx), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CTX_DisableOCSPMustStaple(ctx), WOLFSSL_SUCCESS); + do { + #ifdef WOLFSSL_ASYNC_CRYPT + if (err == WC_NO_ERR_TRACE(WC_PENDING_E)) { + ret = wolfSSL_AsyncPoll(ssl, WOLF_POLL_FLAG_CHECK_HW); + if (ret < 0) { break; } else if (ret == 0) { continue; } + } #endif - wolfSSL_CTX_free(ctx); - #endif /* !NO_WOLFSSL_CLIENT || !NO_WOLFSSL_SERVER */ -#endif /* !NO_CERTS && !NO_CERTS */ + ret = wolfSSL_accept(ssl); + err = wolfSSL_get_error(ssl, 0); - return EXPECT_RESULT(); -} + if (err == WOLFSSL_ERROR_WANT_READ || + err == WOLFSSL_ERROR_WANT_WRITE) { + int select_ret; -static int test_wolfSSL_CTX_ticket_API(void) -{ - EXPECT_DECLS; -#if defined(HAVE_SESSION_TICKET) && !defined(NO_WOLFSSL_SERVER) && \ - !defined(NO_TLS) - WOLFSSL_CTX* ctx = NULL; - void *userCtx = (void*)"this is my ctx"; + err = WC_PENDING_E; + select_ret = tcp_select(*sockfd, timeout); + if (select_ret == TEST_TIMEOUT) { + return WOLFSSL_FATAL_ERROR; + } + } + } while (err == WC_NO_ERR_TRACE(WC_PENDING_E)); + if (ret != WOLFSSL_SUCCESS) { + char buff[WOLFSSL_MAX_ERROR_SZ]; + fprintf(stderr, "error = %d, %s\n", err, + wolfSSL_ERR_error_string(err, buff)); + return ret; + } - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); + for (count = 0; count < loop_count; count++) { + int select_ret; - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_set_TicketEncCtx(ctx, userCtx)); - ExpectTrue(userCtx == wolfSSL_CTX_get_TicketEncCtx(ctx)); + select_ret = tcp_select(*sockfd, timeout); + if (select_ret == TEST_TIMEOUT) { + ret = WOLFSSL_FATAL_ERROR; + break; + } - wolfSSL_CTX_free(ctx); + do { + ret = wolfSSL_read(ssl, input, sizeof(input)-1); + if (ret > 0) { + input[ret] = '\0'; + fprintf(stderr, "Client message: %s\n", input); + } + } while (err == WOLFSSL_ERROR_WANT_READ && ret != WOLFSSL_SUCCESS); - ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_set_TicketEncCtx(NULL, userCtx)); - ExpectNull(wolfSSL_CTX_get_TicketEncCtx(NULL)); -#endif /* HAVE_SESSION_TICKET && !NO_WOLFSSL_SERVER && !NO_TLS */ - return EXPECT_RESULT(); + do { + if ((ret = wolfSSL_write(ssl, msg, sizeof(msg))) != sizeof(msg)) { + return WOLFSSL_FATAL_ERROR; + } + err = wolfSSL_get_error(ssl, ret); + } while (err == WOLFSSL_ERROR_WANT_READ && ret != WOLFSSL_SUCCESS); + } + return ret; } +#endif /* WOLFSSL_SESSION_EXPORT */ -static int test_wolfSSL_set_minmax_proto_version(void) +THREAD_RETURN WOLFSSL_THREAD test_server_nofail(void* args) { - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_TLS) - WOLFSSL_CTX *ctx = NULL; - WOLFSSL *ssl = NULL; + SOCKET_T sockfd = 0; + SOCKET_T clientfd = 0; + word16 port; - (void)ssl; + callback_functions* cbf; + WOLFSSL_CTX* ctx = NULL; + WOLFSSL* ssl = NULL; + func_args* opts = (func_args*)args; -#ifndef NO_WOLFSSL_CLIENT - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); - ExpectNotNull(ssl = wolfSSL_new(ctx)); + char msg[] = "I hear you fa shizzle!"; + char input[1024]; + int idx; + int ret, err = 0; + int sharedCtx = 0; + int doUdp = 0; + SOCKADDR_IN_T cliAddr; + socklen_t cliLen; + const char* certFile = svrCertFile; + const char* keyFile = svrKeyFile; - ExpectIntEQ(wolfSSL_CTX_set_min_proto_version(NULL, 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_CTX_set_max_proto_version(NULL, 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_CTX_set_min_proto_version(ctx, 0), SSL_SUCCESS); - ExpectIntEQ(wolfSSL_CTX_set_max_proto_version(ctx, 0), SSL_SUCCESS); +#ifdef WOLFSSL_HAVE_TLS_UNIQUE + size_t msg_len = 0; +#endif - ExpectIntEQ(wolfSSL_set_min_proto_version(NULL, 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_set_min_proto_version(ssl, 0), SSL_SUCCESS); - ExpectIntEQ(wolfSSL_set_max_proto_version(NULL, 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_set_max_proto_version(ssl, 0), SSL_SUCCESS); + wolfSSL_SetLoggingPrefix("server"); - wolfSSL_free(ssl); - wolfSSL_CTX_free(ctx); - ctx = NULL; +#ifdef WOLFSSL_TIRTOS + fdOpenSession(Task_self()); #endif -#ifndef NO_WOLFSSL_SERVER - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); - ExpectIntEQ(wolfSSL_CTX_set_min_proto_version(NULL, 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_CTX_set_max_proto_version(NULL, 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_CTX_set_min_proto_version(ctx, 0), SSL_SUCCESS); - ExpectIntEQ(wolfSSL_CTX_set_max_proto_version(ctx, 0), SSL_SUCCESS); + opts->return_code = TEST_FAIL; + cbf = opts->callbacks; - wolfSSL_CTX_free(ctx); + if (cbf != NULL && cbf->ctx) { + ctx = cbf->ctx; + sharedCtx = 1; + } + else + { + WOLFSSL_METHOD* method = NULL; + if (cbf != NULL && cbf->method != NULL) { + method = cbf->method(); + + } + else { + method = wolfSSLv23_server_method(); + } + ctx = wolfSSL_CTX_new(method); + } + if (ctx == NULL) { + /* Release the wait for TCP ready. */ + signal_ready(opts->signal); + goto done; + } + + if (cbf == NULL || !cbf->ticNoInit) { +#if defined(HAVE_SESSION_TICKET) && \ + ((defined(HAVE_CHACHA) && defined(HAVE_POLY1305)) || defined(HAVE_AESGCM)) +#if defined(OPENSSL_EXTRA) && defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_256) + OpenSSLTicketInit(); + wolfSSL_CTX_set_tlsext_ticket_key_cb(ctx, myTicketEncCbOpenSSL); +#elif defined(WOLFSSL_NO_DEF_TICKET_ENC_CB) + TicketInit(); + wolfSSL_CTX_set_TicketEncCb(ctx, myTicketEncCb); #endif #endif + } - return EXPECT_RESULT(); -} +#if defined(USE_WINDOWS_API) + port = opts->signal->port; +#elif defined(NO_MAIN_DRIVER) && !defined(WOLFSSL_SNIFFER) && \ + !defined(WOLFSSL_MDK_SHELL) && !defined(WOLFSSL_TIRTOS) + /* Let tcp_listen assign port */ + port = 0; +#else + /* Use default port */ + port = wolfSSLPort; +#endif -#if defined(WOLFSSL_TLS13) && !defined(WOLFSSL_NO_TLS12) && \ - defined(OPENSSL_EXTRA) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) -static int test_wolfSSL_CTX_set_max_proto_version_on_result(WOLFSSL* ssl) -{ - EXPECT_DECLS; - ExpectStrEQ(wolfSSL_get_version(ssl), "TLSv1.2"); - return EXPECT_RESULT(); -} + if (cbf != NULL) + doUdp = cbf->doUdp; -static int test_wolfSSL_CTX_set_max_proto_version_ctx_ready(WOLFSSL_CTX* ctx) -{ - EXPECT_DECLS; - /* Set TLS 1.2 */ - ExpectIntEQ(wolfSSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION), - WOLFSSL_SUCCESS); - return EXPECT_RESULT(); -} + /* do it here to detect failure */ + tcp_accept( + &sockfd, &clientfd, opts, port, 0, doUdp, 0, 0, 1, 0, 0); -/* Test using wolfSSL_CTX_set_max_proto_version to limit the version below - * what was set at ctx creation. */ -static int test_wolfSSL_CTX_set_max_proto_version(void) -{ - EXPECT_DECLS; - test_ssl_cbf client_cbs; - test_ssl_cbf server_cbs; + if (doUdp) { + cliLen = sizeof(cliAddr); - XMEMSET(&client_cbs, 0, sizeof(client_cbs)); - XMEMSET(&server_cbs, 0, sizeof(server_cbs)); + idx = (int)recvfrom(sockfd, input, sizeof(input), MSG_PEEK, + (struct sockaddr*)&cliAddr, &cliLen); - client_cbs.method = wolfTLS_client_method; - server_cbs.method = wolfTLS_server_method; + AssertIntGT(idx, 0); + } + else { + CloseSocket(sockfd); + } - server_cbs.ctx_ready = test_wolfSSL_CTX_set_max_proto_version_ctx_ready; + wolfSSL_CTX_set_verify(ctx, + WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0); - client_cbs.on_result = test_wolfSSL_CTX_set_max_proto_version_on_result; - server_cbs.on_result = test_wolfSSL_CTX_set_max_proto_version_on_result; +#ifdef WOLFSSL_ENCRYPTED_KEYS + wolfSSL_CTX_set_default_passwd_cb(ctx, PasswordCallBack); +#endif - ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cbs, - &server_cbs, NULL), TEST_SUCCESS); + if (wolfSSL_CTX_load_verify_locations(ctx, cliCertFile, 0) + != WOLFSSL_SUCCESS) { + /*err_sys("can't load ca file, Please run from wolfSSL home dir");*/ + goto done; + } - return EXPECT_RESULT(); -} + if (cbf != NULL && cbf->certPemFile != NULL) + certFile = cbf->certPemFile; +#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE) + if (!sharedCtx && wolfSSL_CTX_use_certificate_file(ctx, certFile, + CERT_FILETYPE) != WOLFSSL_SUCCESS) { #else -static int test_wolfSSL_CTX_set_max_proto_version(void) -{ - return TEST_SKIPPED; -} + if (wolfSSL_CTX_use_certificate_file(ctx, certFile, + CERT_FILETYPE) != WOLFSSL_SUCCESS) { #endif + /*err_sys("can't load server cert chain file, " + "Please run from wolfSSL home dir");*/ + goto done; + } -/*----------------------------------------------------------------------------* - | SSL - *----------------------------------------------------------------------------*/ + if (cbf != NULL && cbf->keyPemFile != NULL) + keyFile = cbf->keyPemFile; +#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE) + if (!sharedCtx && wolfSSL_CTX_use_PrivateKey_file(ctx, keyFile, + CERT_FILETYPE) != WOLFSSL_SUCCESS) { +#else + if (wolfSSL_CTX_use_PrivateKey_file(ctx, keyFile, + CERT_FILETYPE) != WOLFSSL_SUCCESS) { +#endif + /*err_sys("can't load server key file, " + "Please run from wolfSSL home dir");*/ + goto done; + } -static int test_server_wolfSSL_new(void) -{ - EXPECT_DECLS; -#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_TLS) && \ - !defined(NO_WOLFSSL_SERVER) && !defined(NO_RSA) +#ifdef HAVE_CRL + if (cbf != NULL && cbf->crlPemFile != NULL) { + if (wolfSSL_CTX_EnableCRL(ctx, WOLFSSL_CRL_CHECKALL) != WOLFSSL_SUCCESS) + goto done; + if (wolfSSL_CTX_LoadCRLFile(ctx, cbf->crlPemFile, CERT_FILETYPE) + != WOLFSSL_SUCCESS) + goto done; + } +#endif - WOLFSSL_CTX *ctx = NULL; - WOLFSSL_CTX *ctx_nocert = NULL; - WOLFSSL *ssl = NULL; + /* call ctx setup callback */ + if (cbf != NULL && cbf->ctx_ready != NULL) { + cbf->ctx_ready(ctx); + } - ExpectNotNull(ctx_nocert = wolfSSL_CTX_new(wolfSSLv23_server_method())); - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); + ssl = wolfSSL_new(ctx); + if (ssl == NULL) { + goto done; + } - ExpectTrue(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile, - CERT_FILETYPE)); - ExpectTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, - CERT_FILETYPE)); + if (doUdp) { + err = wolfSSL_dtls_set_peer(ssl, &cliAddr, cliLen); + if (err != WOLFSSL_SUCCESS) + goto done; + } - /* invalid context */ - ExpectNull(ssl = wolfSSL_new(NULL)); -#if !defined(WOLFSSL_SESSION_EXPORT) && !defined(WOLFSSL_QT) && \ - !defined(OPENSSL_EXTRA) && !defined(WOLFSSL_NO_INIT_CTX_KEY) - ExpectNull(ssl = wolfSSL_new(ctx_nocert)); +#ifdef WOLFSSL_SESSION_EXPORT + /* only add in more complex nonblocking case with session export tests */ + if (args && opts->argc > 0) { + /* set as nonblock and time out for waiting on read/write */ + tcp_set_nonblocking(&clientfd); + wolfSSL_dtls_set_using_nonblock(ssl, 1); + } +#endif +#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE) + if (sharedCtx && wolfSSL_use_certificate_file(ssl, certFile, + CERT_FILETYPE) != WOLFSSL_SUCCESS) { +#else + if (wolfSSL_use_certificate_file(ssl, certFile, + CERT_FILETYPE) != WOLFSSL_SUCCESS) { +#endif + /*err_sys("can't load server cert chain file, " + "Please run from wolfSSL home dir");*/ + goto done; + } +#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE) + if (sharedCtx && wolfSSL_use_PrivateKey_file(ssl, keyFile, + CERT_FILETYPE) != WOLFSSL_SUCCESS) { +#else + if (wolfSSL_use_PrivateKey_file(ssl, keyFile, + CERT_FILETYPE) != WOLFSSL_SUCCESS) { #endif + /*err_sys("can't load server key file, " + "Please run from wolfSSL home dir");*/ + goto done; + } - /* success */ - ExpectNotNull(ssl = wolfSSL_new(ctx)); + if (wolfSSL_set_fd(ssl, clientfd) != WOLFSSL_SUCCESS) { + /*err_sys("SSL_set_fd failed");*/ + goto done; + } - wolfSSL_free(ssl); - wolfSSL_CTX_free(ctx); - wolfSSL_CTX_free(ctx_nocert); +#if !defined(NO_FILESYSTEM) && !defined(NO_DH) + wolfSSL_SetTmpDH_file(ssl, dhParamFile, CERT_FILETYPE); +#elif !defined(NO_DH) + SetDH(ssl); /* will repick suites with DHE, higher priority than PSK */ #endif - return EXPECT_RESULT(); -} - + /* call ssl setup callback */ + if (cbf != NULL && cbf->ssl_ready != NULL) { + cbf->ssl_ready(ssl); + } -static int test_client_wolfSSL_new(void) -{ - EXPECT_DECLS; -#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_TLS) && \ - !defined(NO_WOLFSSL_CLIENT) && !defined(NO_RSA) +#ifdef WOLFSSL_SESSION_EXPORT + /* only add in more complex nonblocking case with session export tests */ + if (opts->argc > 0) { + ret = nonblocking_accept_read(args, ssl, &clientfd); + if (ret >= 0) { + opts->return_code = TEST_SUCCESS; + } + #ifdef WOLFSSL_TIRTOS + Task_yield(); + #endif + goto done; + } +#endif - WOLFSSL_CTX *ctx = NULL; - WOLFSSL_CTX *ctx_nocert = NULL; - WOLFSSL *ssl = NULL; + WOLFSSL_ASYNC_WHILE_PENDING(ret = wolfSSL_negotiate(ssl), + ret != WOLFSSL_SUCCESS); + if (ret != WOLFSSL_SUCCESS) { + char buff[WOLFSSL_MAX_ERROR_SZ]; + fprintf(stderr, "error = %d, %s\n", err, + wolfSSL_ERR_error_string((word32)err, buff)); + /*err_sys("SSL_accept failed");*/ + goto done; + } - ExpectNotNull(ctx_nocert = wolfSSL_CTX_new(wolfSSLv23_client_method())); - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); +#ifdef WOLFSSL_HAVE_TLS_UNIQUE + XMEMSET(server_side_msg2, 0, WC_MAX_DIGEST_SIZE); + msg_len = wolfSSL_get_peer_finished(ssl, server_side_msg2, WC_MAX_DIGEST_SIZE); + AssertIntGE(msg_len, 0); - ExpectTrue(wolfSSL_CTX_load_verify_locations(ctx, caCertFile, 0)); + XMEMSET(server_side_msg1, 0, WC_MAX_DIGEST_SIZE); + msg_len = wolfSSL_get_finished(ssl, server_side_msg1, WC_MAX_DIGEST_SIZE); + AssertIntGE(msg_len, 0); +#endif /* WOLFSSL_HAVE_TLS_UNIQUE */ - /* invalid context */ - ExpectNull(ssl = wolfSSL_new(NULL)); + idx = wolfSSL_read(ssl, input, sizeof(input)-1); + if (idx > 0) { + input[idx] = '\0'; + fprintf(stderr, "Client message: %s\n", input); + } + else if (idx < 0) { + goto done; + } - /* success */ - ExpectNotNull(ssl = wolfSSL_new(ctx_nocert)); - wolfSSL_free(ssl); - ssl = NULL; + if (wolfSSL_write(ssl, msg, sizeof(msg)) != sizeof(msg)) { + /*err_sys("SSL_write failed");*/ + goto done; + } - /* success */ - ExpectNotNull(ssl = wolfSSL_new(ctx)); - wolfSSL_free(ssl); + if (cbf != NULL && cbf->on_result != NULL) + cbf->on_result(ssl); - wolfSSL_CTX_free(ctx); - wolfSSL_CTX_free(ctx_nocert); +#ifdef WOLFSSL_TIRTOS + Task_yield(); #endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_SetTmpDH_file(void) -{ - EXPECT_DECLS; -#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_TLS) && \ - !defined(NO_WOLFSSL_SERVER) && !defined(NO_DH) + opts->return_code = TEST_SUCCESS; - WOLFSSL_CTX *ctx = NULL; - WOLFSSL *ssl = NULL; -#ifdef WOLFSSL_PEM_TO_DER - const char* dhX942ParamFile = "./certs/x942dh2048.pem"; -#if defined(WOLFSSL_WPAS) && !defined(NO_DSA) - const char* dsaParamFile = "./certs/dsaparams.pem"; -#endif -#else - const char* dhX942ParamFile = "./certs/x942dh2048.der"; -#if defined(WOLFSSL_WPAS) && !defined(NO_DSA) - const char* dsaParamFile = "./certs/dsaparams.der"; -#endif -#endif +done: + if (cbf != NULL) + cbf->last_err = err; + if (cbf != NULL && cbf->on_cleanup != NULL) + cbf->on_cleanup(ssl); - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); -#ifndef NO_RSA - ExpectTrue(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile, - CERT_FILETYPE)); - ExpectTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, - CERT_FILETYPE)); -#elif defined(HAVE_ECC) - ExpectTrue(wolfSSL_CTX_use_certificate_file(ctx, eccCertFile, - CERT_FILETYPE)); - ExpectTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, eccKeyFile, - CERT_FILETYPE)); -#elif defined(HAVE_ED25519) - ExpectTrue(wolfSSL_CTX_use_certificate_file(ctx, edCertFile, - CERT_FILETYPE)); - ExpectTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, edKeyFile, - CERT_FILETYPE)); -#elif defined(HAVE_ED448) - ExpectTrue(wolfSSL_CTX_use_certificate_file(ctx, ed448CertFile, - CERT_FILETYPE)); - ExpectTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, ed448KeyFile, - CERT_FILETYPE)); -#endif - ExpectNotNull(ssl = wolfSSL_new(ctx)); + wolfSSL_shutdown(ssl); + wolfSSL_free(ssl); + if (!sharedCtx) + wolfSSL_CTX_free(ctx); - /* invalid ssl */ - ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_SetTmpDH_file(NULL, - dhParamFile, CERT_FILETYPE)); + CloseSocket(clientfd); - /* invalid dhParamFile file */ - ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_SetTmpDH_file(ssl, - NULL, CERT_FILETYPE)); - ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_SetTmpDH_file(ssl, - bogusFile, CERT_FILETYPE)); +#ifdef WOLFSSL_TIRTOS + fdCloseSession(Task_self()); +#endif - /* success */ - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_SetTmpDH_file(ssl, dhParamFile, - CERT_FILETYPE)); - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_SetTmpDH_file(ssl, dhX942ParamFile, - CERT_FILETYPE)); -#if defined(WOLFSSL_WPAS) && !defined(NO_DSA) - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_SetTmpDH_file(ctx, dsaParamFile, - CERT_FILETYPE)); +#if defined(NO_MAIN_DRIVER) && defined(HAVE_ECC) && defined(FP_ECC) \ + && defined(HAVE_THREAD_LS) + wc_ecc_fp_free(); /* free per thread cache */ #endif - wolfSSL_free(ssl); - wolfSSL_CTX_free(ctx); + if (cbf == NULL || !cbf->ticNoInit) { +#if defined(HAVE_SESSION_TICKET) && \ + ((defined(HAVE_CHACHA) && defined(HAVE_POLY1305)) || defined(HAVE_AESGCM)) +#if defined(OPENSSL_EXTRA) && defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_256) + OpenSSLTicketCleanup(); +#elif defined(WOLFSSL_NO_DEF_TICKET_ENC_CB) + TicketCleanup(); +#endif #endif + } - return EXPECT_RESULT(); -} + wolfSSL_SetLoggingPrefix(NULL); -static int test_wolfSSL_SetTmpDH_buffer(void) -{ - EXPECT_DECLS; -#if !defined(NO_CERTS) && !defined(NO_TLS) && !defined(NO_WOLFSSL_SERVER) && \ - !defined(NO_DH) - WOLFSSL_CTX *ctx = NULL; - WOLFSSL *ssl = NULL; - - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); - ExpectTrue(wolfSSL_CTX_use_certificate_buffer(ctx, server_cert_der_2048, - sizeof_server_cert_der_2048, WOLFSSL_FILETYPE_ASN1)); - ExpectTrue(wolfSSL_CTX_use_PrivateKey_buffer(ctx, server_key_der_2048, - sizeof_server_key_der_2048, WOLFSSL_FILETYPE_ASN1)); - ExpectNotNull(ssl = wolfSSL_new(ctx)); - - /* invalid ssl */ - ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_SetTmpDH_buffer(NULL, dh_key_der_2048, - sizeof_dh_key_der_2048, WOLFSSL_FILETYPE_ASN1)); - - /* invalid dhParamFile file */ - ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_SetTmpDH_buffer(NULL, NULL, - 0, WOLFSSL_FILETYPE_ASN1)); - ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_SetTmpDH_buffer(ssl, NULL, 0, - WOLFSSL_FILETYPE_ASN1)); - ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_SetTmpDH_buffer(ssl, dsa_key_der_2048, - sizeof_dsa_key_der_2048, WOLFSSL_FILETYPE_ASN1)); - - /* success */ - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_SetTmpDH_buffer(ssl, dh_key_der_2048, - sizeof_dh_key_der_2048, WOLFSSL_FILETYPE_ASN1)); - - wolfSSL_free(ssl); - wolfSSL_CTX_free(ctx); -#endif - - return EXPECT_RESULT(); + WOLFSSL_RETURN_FROM_THREAD(0); } -static int test_wolfSSL_SetMinMaxDhKey_Sz(void) +#if defined(OPENSSL_EXTRA) && !defined(NO_SESSION_CACHE) && \ + !defined(WOLFSSL_NO_TLS12) +static THREAD_RETURN WOLFSSL_THREAD test_server_loop(void* args) { - EXPECT_DECLS; -#if !defined(NO_CERTS) && !defined(NO_TLS) && !defined(NO_WOLFSSL_SERVER) && \ - !defined(NO_DH) - WOLFSSL_CTX *ctx = NULL; - WOLFSSL_CTX *ctx2 = NULL; - WOLFSSL *ssl = NULL; - WOLFSSL *ssl2 = NULL; + SOCKET_T sockfd; + SOCKET_T clientfd = -1; + word16 port; - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); - ExpectTrue(wolfSSL_CTX_use_certificate_buffer(ctx, server_cert_der_2048, - sizeof_server_cert_der_2048, WOLFSSL_FILETYPE_ASN1)); - ExpectTrue(wolfSSL_CTX_use_PrivateKey_buffer(ctx, server_key_der_2048, - sizeof_server_key_der_2048, WOLFSSL_FILETYPE_ASN1)); - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_SetMinDhKey_Sz(ctx, 3072)); - ExpectNotNull(ssl = wolfSSL_new(ctx)); - ExpectNotNull(ctx2 = wolfSSL_CTX_new(wolfSSLv23_server_method())); - ExpectTrue(wolfSSL_CTX_use_certificate_buffer(ctx2, server_cert_der_2048, - sizeof_server_cert_der_2048, WOLFSSL_FILETYPE_ASN1)); - ExpectTrue(wolfSSL_CTX_use_PrivateKey_buffer(ctx2, server_key_der_2048, - sizeof_server_key_der_2048, WOLFSSL_FILETYPE_ASN1)); - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_SetMaxDhKey_Sz(ctx, 1024)); - ExpectNotNull(ssl2 = wolfSSL_new(ctx2)); + callback_functions* cbf; + WOLFSSL_CTX* ctx = 0; + WOLFSSL* ssl = 0; - ExpectIntEQ(WC_NO_ERR_TRACE(DH_KEY_SIZE_E), wolfSSL_SetTmpDH_buffer(ssl, dh_key_der_2048, - sizeof_dh_key_der_2048, WOLFSSL_FILETYPE_ASN1)); + char msg[] = "I hear you fa shizzle!"; + char input[1024]; + int idx; + int ret, err = 0; + int sharedCtx = 0; + func_args* opts = (func_args*)args; + int loop_count = opts->argc; + int count = 0; - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_SetMinDhKey_Sz(ssl, 2048)); - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_SetTmpDH_buffer(ssl, dh_key_der_2048, - sizeof_dh_key_der_2048, WOLFSSL_FILETYPE_ASN1)); +#ifdef WOLFSSL_TIRTOS + fdOpenSession(Task_self()); +#endif - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_SetMinDhKey_Sz(ssl, 3072)); - ExpectIntEQ(WC_NO_ERR_TRACE(DH_KEY_SIZE_E), wolfSSL_SetTmpDH_buffer(ssl, dh_key_der_2048, - sizeof_dh_key_der_2048, WOLFSSL_FILETYPE_ASN1)); + opts->return_code = TEST_FAIL; + cbf = opts->callbacks; - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_SetTmpDH_buffer(ssl2, dh_key_der_2048, - sizeof_dh_key_der_2048, WOLFSSL_FILETYPE_ASN1)); +#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE) + if (cbf != NULL && cbf->ctx) { + ctx = cbf->ctx; + sharedCtx = 1; + } + else +#endif + { + WOLFSSL_METHOD* method = NULL; + if (cbf != NULL && cbf->method != NULL) { + method = cbf->method(); + } + else { + method = wolfSSLv23_server_method(); + } + ctx = wolfSSL_CTX_new(method); + } - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_SetMaxDhKey_Sz(ssl2, 2048)); - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_SetTmpDH_buffer(ssl2, dh_key_der_2048, - sizeof_dh_key_der_2048, WOLFSSL_FILETYPE_ASN1)); +#if defined(USE_WINDOWS_API) + port = opts->signal->port; +#elif defined(NO_MAIN_DRIVER) && !defined(WOLFSSL_SNIFFER) && \ + !defined(WOLFSSL_MDK_SHELL) && !defined(WOLFSSL_TIRTOS) + /* Let tcp_listen assign port */ + port = 0; +#else + /* Use default port */ + port = wolfSSLPort; +#endif - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_SetMaxDhKey_Sz(ssl2, 1024)); - ExpectIntEQ(WC_NO_ERR_TRACE(DH_KEY_SIZE_E), wolfSSL_SetTmpDH_buffer(ssl, dh_key_der_2048, - sizeof_dh_key_der_2048, WOLFSSL_FILETYPE_ASN1)); + wolfSSL_CTX_set_verify(ctx, + WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0); - wolfSSL_free(ssl2); - wolfSSL_CTX_free(ctx2); - wolfSSL_free(ssl); - wolfSSL_CTX_free(ctx); +#ifdef WOLFSSL_ENCRYPTED_KEYS + wolfSSL_CTX_set_default_passwd_cb(ctx, PasswordCallBack); #endif - return EXPECT_RESULT(); -} + if (wolfSSL_CTX_load_verify_locations(ctx, cliCertFile, 0) + != WOLFSSL_SUCCESS) { + /*err_sys("can't load ca file, Please run from wolfSSL home dir");*/ + /* Release the wait for TCP ready. */ + signal_ready(opts->signal); + goto done; + } + if (!sharedCtx && wolfSSL_CTX_use_certificate_file(ctx, svrCertFile, + CERT_FILETYPE) != WOLFSSL_SUCCESS) { + /*err_sys("can't load server cert chain file, " + "Please run from wolfSSL home dir");*/ + /* Release the wait for TCP ready. */ + signal_ready(opts->signal); + goto done; + } + if (!sharedCtx && wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, + CERT_FILETYPE) != WOLFSSL_SUCCESS) { + /*err_sys("can't load server key file, " + "Please run from wolfSSL home dir");*/ + /* Release the wait for TCP ready. */ + signal_ready(opts->signal); + goto done; + } + /* call ctx setup callback */ + if (cbf != NULL && cbf->ctx_ready != NULL) { + cbf->ctx_ready(ctx); + } -/* Test function for wolfSSL_SetMinVersion. Sets the minimum downgrade version - * allowed. - * POST: return 1 on success. - */ -static int test_wolfSSL_SetMinVersion(void) -{ - int res = TEST_SKIPPED; -#if !defined(NO_WOLFSSL_CLIENT) && !defined(NO_TLS) - int failFlag = WOLFSSL_SUCCESS; - WOLFSSL_CTX* ctx = NULL; - WOLFSSL* ssl = NULL; - int itr; + while (count != loop_count) { + ssl = wolfSSL_new(ctx); + if (ssl == NULL) { + signal_ready(opts->signal); + goto done; + } + if (sharedCtx && wolfSSL_use_certificate_file(ssl, svrCertFile, + CERT_FILETYPE) != WOLFSSL_SUCCESS) { + /*err_sys("can't load server cert chain file, " + "Please run from wolfSSL home dir");*/ + /* Release the wait for TCP ready. */ + signal_ready(opts->signal); + goto done; + } + if (sharedCtx && wolfSSL_use_PrivateKey_file(ssl, svrKeyFile, + CERT_FILETYPE) != WOLFSSL_SUCCESS) { + /*err_sys("can't load server key file, " + "Please run from wolfSSL home dir");*/ + /* Release the wait for TCP ready. */ + signal_ready(opts->signal); + goto done; + } - #ifndef NO_OLD_TLS - const int versions[] = { - #ifdef WOLFSSL_ALLOW_TLSV10 - WOLFSSL_TLSV1, - #endif - WOLFSSL_TLSV1_1, - WOLFSSL_TLSV1_2}; - #elif !defined(WOLFSSL_NO_TLS12) - const int versions[] = { WOLFSSL_TLSV1_2 }; - #else - const int versions[] = { WOLFSSL_TLSV1_3 }; - #endif +#if !defined(NO_FILESYSTEM) && !defined(NO_DH) + wolfSSL_SetTmpDH_file(ssl, dhParamFile, CERT_FILETYPE); +#elif !defined(NO_DH) + SetDH(ssl); /* will repick suites with DHE, higher priority than PSK */ +#endif + /* call ssl setup callback */ + if (cbf != NULL && cbf->ssl_ready != NULL) { + cbf->ssl_ready(ssl); + } + /* do it here to detect failure */ + tcp_accept(&sockfd, &clientfd, (func_args*)args, port, 0, 0, 0, 0, 1, 0, + 0); + CloseSocket(sockfd); + if (wolfSSL_set_fd(ssl, clientfd) != WOLFSSL_SUCCESS) { + /*err_sys("SSL_set_fd failed");*/ + goto done; + } - ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()); - ssl = wolfSSL_new(ctx); + WOLFSSL_ASYNC_WHILE_PENDING(ret = wolfSSL_accept(ssl), + ret != WOLFSSL_SUCCESS); + if (ret != WOLFSSL_SUCCESS) { + char buff[WOLFSSL_MAX_ERROR_SZ]; + fprintf(stderr, "error = %d, %s\n", err, + wolfSSL_ERR_error_string(err, buff)); + /*err_sys("SSL_accept failed");*/ + goto done; + } - for (itr = 0; itr < (int)(sizeof(versions)/sizeof(int)); itr++) { - if (wolfSSL_SetMinVersion(ssl, *(versions + itr)) != WOLFSSL_SUCCESS) { - failFlag = WOLFSSL_FAILURE; + idx = wolfSSL_read(ssl, input, sizeof(input)-1); + if (idx > 0) { + input[idx] = '\0'; + fprintf(stderr, "Client message: %s\n", input); } - } - wolfSSL_free(ssl); - wolfSSL_CTX_free(ctx); + if (wolfSSL_write(ssl, msg, sizeof(msg)) != sizeof(msg)) { + /*err_sys("SSL_write failed");*/ + goto done; + } + /* free ssl for this connection */ + wolfSSL_shutdown(ssl); + wolfSSL_free(ssl); ssl = NULL; + CloseSocket(clientfd); + clientfd = -1; - res = TEST_RES_CHECK(failFlag == WOLFSSL_SUCCESS); + count++; + } +#ifdef WOLFSSL_TIRTOS + Task_yield(); #endif - return res; -} /* END test_wolfSSL_SetMinVersion */ - - -#include -/*----------------------------------------------------------------------------* - | EVP - *----------------------------------------------------------------------------*/ + opts->return_code = TEST_SUCCESS; -static int test_wolfSSL_EVP_PKEY_print_public(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_BIO) - WOLFSSL_BIO* rbio = NULL; - WOLFSSL_BIO* wbio = NULL; - WOLFSSL_EVP_PKEY* pkey = NULL; - char line[256] = { 0 }; - char line1[256] = { 0 }; - int i = 0; +done: + if (ssl != NULL) { + wolfSSL_shutdown(ssl); + wolfSSL_free(ssl); + } + if (!sharedCtx) + wolfSSL_CTX_free(ctx); - /* test error cases */ - ExpectIntEQ( EVP_PKEY_print_public(NULL,NULL,0,NULL),0L); + if (clientfd != SOCKET_INVALID) + CloseSocket(clientfd); - /* - * test RSA public key print - * in this test, pass '3' for indent - */ -#if !defined(NO_RSA) && defined(USE_CERT_BUFFERS_1024) +#ifdef WOLFSSL_TIRTOS + fdCloseSession(Task_self()); +#endif - ExpectNotNull(rbio = BIO_new_mem_buf( client_keypub_der_1024, - sizeof_client_keypub_der_1024)); +#if defined(NO_MAIN_DRIVER) && defined(HAVE_ECC) && defined(FP_ECC) \ + && defined(HAVE_THREAD_LS) + wc_ecc_fp_free(); /* free per thread cache */ +#endif - ExpectNotNull(wolfSSL_d2i_PUBKEY_bio(rbio, &pkey)); + WOLFSSL_RETURN_FROM_THREAD(0); +} +#endif /* defined(OPENSSL_EXTRA) && !defined(NO_SESSION_CACHE) && !defined(WOLFSSL_TLS13) */ - ExpectNotNull(wbio = BIO_new(BIO_s_mem())); +int test_client_nofail(void* args, cbType cb) +{ +#if !defined(NO_WOLFSSL_CLIENT) + SOCKET_T sockfd = 0; + callback_functions* cbf; - ExpectIntEQ(EVP_PKEY_print_public(wbio, pkey,3,NULL),1); + WOLFSSL_CTX* ctx = 0; + WOLFSSL* ssl = 0; + WOLFSSL_CIPHER* cipher; - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); - strcpy(line1, " RSA Public-Key: (1024 bit)\n"); - ExpectIntEQ(XSTRNCMP(line, line1, XSTRLEN(line1)), 0); + char msg[64] = "hello wolfssl!"; + char reply[1024]; + int input; + int msgSz = (int)XSTRLEN(msg); + int ret, err = 0; + int cipherSuite; + int sharedCtx = 0; + int doUdp = 0; + const char* cipherName1, *cipherName2; - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); - strcpy(line1, " Modulus:\n"); - ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); + wolfSSL_SetLoggingPrefix("client"); - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); - strcpy(line1, " 00:bc:73:0e:a8:49:f3:74:a2:a9:ef:18:a5:da:55:\n"); - ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); +#ifdef WOLFSSL_TIRTOS + fdOpenSession(Task_self()); +#endif + ((func_args*)args)->return_code = TEST_FAIL; + cbf = ((func_args*)args)->callbacks; - /* skip to the end of modulus element*/ - for (i = 0; i < 8 ;i++) { - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); +#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE) + if (cbf != NULL && cbf->ctx) { + ctx = cbf->ctx; + sharedCtx = cbf->isSharedCtx; + } + else +#endif + { + WOLFSSL_METHOD* method = NULL; + if (cbf != NULL && cbf->method != NULL) { + method = cbf->method(); + } + else { + method = wolfSSLv23_client_method(); + } + ctx = wolfSSL_CTX_new(method); } - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); - strcpy(line1, " Exponent: 65537 (0x010001)\n"); - ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); - - - /* should reach EOF */ - ExpectIntLE(BIO_gets(wbio, line, sizeof(line)), 0); - - EVP_PKEY_free(pkey); - pkey = NULL; - BIO_free(rbio); - BIO_free(wbio); - rbio = NULL; - wbio = NULL; - -#endif /* !NO_RSA && USE_CERT_BUFFERS_1024*/ - - /* - * test DSA public key print - */ -#if !defined(NO_DSA) && defined(USE_CERT_BUFFERS_2048) - ExpectNotNull(rbio = BIO_new_mem_buf( dsa_pub_key_der_2048, - sizeof_dsa_pub_key_der_2048)); + if (cbf != NULL) + doUdp = cbf->doUdp; - ExpectNotNull(wolfSSL_d2i_PUBKEY_bio(rbio, &pkey)); +#ifdef WOLFSSL_ENCRYPTED_KEYS + wolfSSL_CTX_set_default_passwd_cb(ctx, PasswordCallBack); +#endif - ExpectNotNull(wbio = BIO_new(BIO_s_mem())); + /* Do connect here so server detects failures */ + tcp_connect(&sockfd, wolfSSLIP, ((func_args*)args)->signal->port, + doUdp, 0, NULL); + /* Connect the socket so that we don't have to set the peer later on */ + if (doUdp) + udp_connect(&sockfd, wolfSSLIP, ((func_args*)args)->signal->port); - ExpectIntEQ(EVP_PKEY_print_public(wbio, pkey,0,NULL),1); + if (wolfSSL_CTX_load_verify_locations(ctx, caCertFile, 0) != WOLFSSL_SUCCESS) + { + /* err_sys("can't load ca file, Please run from wolfSSL home dir");*/ + goto done; + } +#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE) + if (!sharedCtx && wolfSSL_CTX_use_certificate_file(ctx, cliCertFile, + CERT_FILETYPE) != WOLFSSL_SUCCESS) { +#else + if (wolfSSL_CTX_use_certificate_file(ctx, cliCertFile, + CERT_FILETYPE) != WOLFSSL_SUCCESS) { +#endif + /*err_sys("can't load client cert file, " + "Please run from wolfSSL home dir");*/ + goto done; + } +#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE) + if (!sharedCtx && wolfSSL_CTX_use_PrivateKey_file(ctx, cliKeyFile, + CERT_FILETYPE) != WOLFSSL_SUCCESS) { +#else + if (wolfSSL_CTX_use_PrivateKey_file(ctx, cliKeyFile, + CERT_FILETYPE) != WOLFSSL_SUCCESS) { +#endif - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); - strcpy(line1, "DSA Public-Key: (2048 bit)\n"); - ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); + /*err_sys("can't load client key file, " + "Please run from wolfSSL home dir");*/ + goto done; + } - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); - strcpy(line1, "pub:\n"); - ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); +#ifdef WOLFSSL_SRTP + /* make sure that NULL (error condition) returns 1 */ + if (wolfSSL_CTX_set_tlsext_use_srtp(ctx, NULL) != 1) { + goto done; + } +#endif - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); - strcpy(line1, - " 00:C2:35:2D:EC:83:83:6C:73:13:9E:52:7C:74:C8:\n"); - ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); +#ifdef HAVE_CRL + if (cbf != NULL && cbf->crlPemFile != NULL) { + if (wolfSSL_CTX_EnableCRL(ctx, WOLFSSL_CRL_CHECKALL) != WOLFSSL_SUCCESS) + goto done; + if (wolfSSL_CTX_LoadCRLFile(ctx, cbf->crlPemFile, CERT_FILETYPE) + != WOLFSSL_SUCCESS) + goto done; + } +#endif - /* skip to the end of pub element*/ - for (i = 0; i < 17 ;i++) { - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + /* call ctx setup callback */ + if (cbf != NULL && cbf->ctx_ready != NULL) { + cbf->ctx_ready(ctx); } - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); - strcpy(line1, "P:\n"); - ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); + ssl = wolfSSL_new(ctx); + if (ssl == NULL) { + goto done; + } +#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE) + if (sharedCtx && wolfSSL_use_certificate_file(ssl, cliCertFile, + CERT_FILETYPE) != WOLFSSL_SUCCESS) { +#else + if (wolfSSL_use_certificate_file(ssl, cliCertFile, + CERT_FILETYPE) != WOLFSSL_SUCCESS) { +#endif + /*err_sys("can't load client cert file, " + "Please run from wolfSSL home dir");*/ + goto done; + } +#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE) + if (sharedCtx && wolfSSL_use_PrivateKey_file(ssl, cliKeyFile, + CERT_FILETYPE) != WOLFSSL_SUCCESS) { +#else + if (wolfSSL_use_PrivateKey_file(ssl, cliKeyFile, + CERT_FILETYPE) != WOLFSSL_SUCCESS) { +#endif + /*err_sys("can't load client key file, " + "Please run from wolfSSL home dir");*/ + goto done; + } - /* skip to the end of P element*/ - for (i = 0; i < 18 ;i++) { - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); +#ifdef WOLFSSL_SRTP + /* make sure that NULL (error condition) returns 1 */ + if (wolfSSL_set_tlsext_use_srtp(ssl, NULL) != 1) { + goto done; } +#endif - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); - strcpy(line1, "Q:\n"); - ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); + if (!doUdp) { + if (wolfSSL_set_fd(ssl, sockfd) != WOLFSSL_SUCCESS) { + /*err_sys("SSL_set_fd failed");*/ + goto done; + } + } + else { +#ifdef WOLFSSL_DTLS + if (wolfSSL_set_dtls_fd_connected(ssl, sockfd) != WOLFSSL_SUCCESS) { + /*err_sys("SSL_set_fd failed");*/ + goto done; + } +#else + goto done; +#endif + } - /* skip to the end of Q element*/ - for (i = 0; i < 3 ;i++) { - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + /* call ssl setup callback */ + if (cbf != NULL && cbf->ssl_ready != NULL) { + cbf->ssl_ready(ssl); } - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); - strcpy(line1, "G:\n"); - ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); - /* skip to the end of G element*/ - for (i = 0; i < 18 ;i++) { - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + WOLFSSL_ASYNC_WHILE_PENDING(ret = wolfSSL_negotiate(ssl), + ret != WOLFSSL_SUCCESS); + if (ret != WOLFSSL_SUCCESS) { + char buff[WOLFSSL_MAX_ERROR_SZ]; + fprintf(stderr, "error = %d, %s\n", err, + wolfSSL_ERR_error_string((word32)err, buff)); + /*err_sys("SSL_connect failed");*/ + goto done; } - /* should reach EOF */ - ExpectIntLE(BIO_gets(wbio, line, sizeof(line)), 0); - EVP_PKEY_free(pkey); - pkey = NULL; - BIO_free(rbio); - BIO_free(wbio); - rbio = NULL; - wbio = NULL; + /* test the various get cipher methods */ + /* Internal cipher suite names */ + cipherSuite = wolfSSL_get_current_cipher_suite(ssl); + cipherName1 = wolfSSL_get_cipher_name(ssl); + cipherName2 = wolfSSL_get_cipher_name_from_suite( + (byte)(cipherSuite >> 8), cipherSuite & 0xFF); + AssertStrEQ(cipherName1, cipherName2); -#endif /* !NO_DSA && USE_CERT_BUFFERS_2048 */ + /* IANA Cipher Suites Names */ + /* Unless WOLFSSL_CIPHER_INTERNALNAME or NO_ERROR_STRINGS, + then it's the internal cipher suite name */ + cipher = wolfSSL_get_current_cipher(ssl); + cipherName1 = wolfSSL_CIPHER_get_name(cipher); + cipherName2 = wolfSSL_get_cipher(ssl); + AssertStrEQ(cipherName1, cipherName2); +#if !defined(WOLFSSL_CIPHER_INTERNALNAME) && !defined(NO_ERROR_STRINGS) && \ + !defined(WOLFSSL_QT) + cipherName1 = wolfSSL_get_cipher_name_iana_from_suite( + (byte)(cipherSuite >> 8), cipherSuite & 0xFF); + AssertStrEQ(cipherName1, cipherName2); +#endif - /* - * test ECC public key print - */ -#if defined(HAVE_ECC) && defined(USE_CERT_BUFFERS_256) + if (cb != NULL) + (cb)(ctx, ssl); - ExpectNotNull(rbio = BIO_new_mem_buf( ecc_clikeypub_der_256, - sizeof_ecc_clikeypub_der_256)); + if (wolfSSL_write(ssl, msg, msgSz) != msgSz) { + /*err_sys("SSL_write failed");*/ + goto done; + } - ExpectNotNull(wolfSSL_d2i_PUBKEY_bio(rbio, &pkey)); + input = wolfSSL_read(ssl, reply, sizeof(reply)-1); + if (input > 0) { + reply[input] = '\0'; + fprintf(stderr, "Server response: %s\n", reply); + } - ExpectNotNull(wbio = BIO_new(BIO_s_mem())); + if (cbf != NULL && cbf->on_result != NULL) + cbf->on_result(ssl); - ExpectIntEQ(EVP_PKEY_print_public(wbio, pkey,0,NULL),1); + ((func_args*)args)->return_code = TEST_SUCCESS; - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); - ExpectStrEQ(line, "Public-Key: (256 bit)\n"); +done: + if (cbf != NULL) + cbf->last_err = err; + if (cbf != NULL && cbf->on_cleanup != NULL) + cbf->on_cleanup(ssl); - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); - strcpy(line1, "pub:\n"); - ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); + wolfSSL_free(ssl); + if (!sharedCtx) + wolfSSL_CTX_free(ctx); - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); - strcpy(line1, - " 04:55:BF:F4:0F:44:50:9A:3D:CE:9B:B7:F0:C5:4D:\n"); - ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); + CloseSocket(sockfd); - /* skip to the end of pub element*/ - for (i = 0; i < 4 ;i++) { - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); - } +#ifdef WOLFSSL_TIRTOS + fdCloseSession(Task_self()); +#endif - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); - strcpy(line1, "ASN1 OID: prime256v1\n"); - ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); +#if defined(NO_MAIN_DRIVER) && defined(HAVE_ECC) && defined(FP_ECC) \ + && defined(HAVE_THREAD_LS) + wc_ecc_fp_free(); /* free per thread cache */ +#endif - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); - strcpy(line1, "NIST CURVE: P-256\n"); - ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); - - - /* should reach EOF */ - ExpectIntLE(BIO_gets(wbio, line, sizeof(line)), 0); - - EVP_PKEY_free(pkey); - pkey = NULL; - BIO_free(rbio); - BIO_free(wbio); - rbio = NULL; - wbio = NULL; - -#endif /* HAVE_ECC && USE_CERT_BUFFERS_256 */ - - /* - * test DH public key print - */ -#if defined(WOLFSSL_DH_EXTRA) && defined(USE_CERT_BUFFERS_2048) - - ExpectNotNull(rbio = BIO_new_mem_buf( dh_pub_key_der_2048, - sizeof_dh_pub_key_der_2048)); - - ExpectNotNull(wolfSSL_d2i_PUBKEY_bio(rbio, &pkey)); - - ExpectNotNull(wbio = BIO_new(BIO_s_mem())); - - ExpectIntEQ(EVP_PKEY_print_public(wbio, pkey,0,NULL), 1); +#else + (void)args; + (void)cb; +#endif /* !NO_WOLFSSL_CLIENT */ - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); - strcpy(line1, "DH Public-Key: (2048 bit)\n"); - ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); + wolfSSL_SetLoggingPrefix(NULL); - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); - strcpy(line1, "public-key:\n"); - ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); + return 0; +} - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); - strcpy(line1, - " 34:41:BF:E9:F2:11:BF:05:DB:B2:72:A8:29:CC:BD:\n"); - ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); +void test_wolfSSL_client_server_nofail_ex(callback_functions* client_cb, + callback_functions* server_cb, cbType client_on_handshake) +{ + func_args client_args; + func_args server_args; + tcp_ready ready; + THREAD_TYPE serverThread; - /* skip to the end of public-key element*/ - for (i = 0; i < 17 ;i++) { - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); - } + XMEMSET(&client_args, 0, sizeof(func_args)); + XMEMSET(&server_args, 0, sizeof(func_args)); - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); - strcpy(line1, "prime:\n"); - ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); +#ifdef WOLFSSL_TIRTOS + fdOpenSession(Task_self()); +#endif - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); - strcpy(line1, - " 00:D3:B2:99:84:5C:0A:4C:E7:37:CC:FC:18:37:01:\n"); - ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); + StartTCP(); + InitTcpReady(&ready); - /* skip to the end of prime element*/ - for (i = 0; i < 17 ;i++) { - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); - } +#if defined(USE_WINDOWS_API) + /* use RNG to get random port if using windows */ + ready.port = GetRandomPort(); +#endif - ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); - strcpy(line1, "generator: 2 (0x02)\n"); - ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); + server_args.signal = &ready; + server_args.callbacks = server_cb; + client_args.signal = &ready; + client_args.callbacks = client_cb; - /* should reach EOF */ - ExpectIntLE(BIO_gets(wbio, line, sizeof(line)), 0); + start_thread(test_server_nofail, &server_args, &serverThread); + wait_tcp_ready(&server_args); + test_client_nofail(&client_args, client_on_handshake); + join_thread(serverThread); - EVP_PKEY_free(pkey); - pkey = NULL; - BIO_free(rbio); - BIO_free(wbio); - rbio = NULL; - wbio = NULL; + client_cb->return_code = client_args.return_code; + server_cb->return_code = server_args.return_code; -#endif /* WOLFSSL_DH_EXTRA && USE_CERT_BUFFERS_2048 */ + FreeTcpReady(&ready); - /* to prevent "unused variable" warning */ - (void)pkey; - (void)wbio; - (void)rbio; - (void)line; - (void)line1; - (void)i; -#endif /* OPENSSL_EXTRA */ - return EXPECT_RESULT(); +#ifdef WOLFSSL_TIRTOS + fdOpenSession(Task_self()); +#endif } -/* Test functions for base64 encode/decode */ -static int test_wolfSSL_EVP_ENCODE_CTX_new(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && \ -( defined(WOLFSSL_BASE64_ENCODE) || defined(WOLFSSL_BASE64_DECODE)) - EVP_ENCODE_CTX* ctx = NULL; - ExpectNotNull(ctx = EVP_ENCODE_CTX_new()); - ExpectIntEQ(ctx->remaining,0); - ExpectIntEQ(ctx->data[0],0); - ExpectIntEQ(ctx->data[sizeof(ctx->data) -1],0); - EVP_ENCODE_CTX_free(ctx); -#endif /* OPENSSL_EXTRA && (WOLFSSL_BASE64_ENCODE || WOLFSSL_BASE64_DECODE) */ - return EXPECT_RESULT(); -} -static int test_wolfSSL_EVP_ENCODE_CTX_free(void) +void test_wolfSSL_client_server_nofail(callback_functions* client_cb, + callback_functions* server_cb) { - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && \ -( defined(WOLFSSL_BASE64_ENCODE) || defined(WOLFSSL_BASE64_DECODE)) - EVP_ENCODE_CTX* ctx = NULL; - - ExpectNotNull(ctx = EVP_ENCODE_CTX_new()); - EVP_ENCODE_CTX_free(ctx); -#endif /* OPENSSL_EXTRA && (WOLFSSL_BASE64_ENCODE || WOLFSSL_BASE64_DECODE) */ - return EXPECT_RESULT(); + test_wolfSSL_client_server_nofail_ex(client_cb, server_cb, NULL); } -static int test_wolfSSL_EVP_EncodeInit(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_BASE64_ENCODE) - EVP_ENCODE_CTX* ctx = NULL; - - ExpectNotNull(ctx = EVP_ENCODE_CTX_new()); - ExpectIntEQ(ctx->remaining, 0); - ExpectIntEQ(ctx->data[0], 0); - ExpectIntEQ(ctx->data[sizeof(ctx->data) -1], 0); - - if (ctx != NULL) { - /* make ctx dirty */ - ctx->remaining = 10; - XMEMSET(ctx->data, 0x77, sizeof(ctx->data)); - } - - EVP_EncodeInit(ctx); - - ExpectIntEQ(ctx->remaining, 0); - ExpectIntEQ(ctx->data[0], 0); - ExpectIntEQ(ctx->data[sizeof(ctx->data) -1], 0); - EVP_ENCODE_CTX_free(ctx); -#endif /* OPENSSL_EXTRA && WOLFSSL_BASE64_ENCODE*/ - return EXPECT_RESULT(); -} -static int test_wolfSSL_EVP_EncodeUpdate(void) +#if defined(OPENSSL_EXTRA) && !defined(NO_SESSION_CACHE) && \ + !defined(WOLFSSL_NO_TLS12) && !defined(NO_WOLFSSL_CLIENT) +static void test_client_reuse_WOLFSSLobj(void* args, cbType cb, + void* server_args) { - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_BASE64_ENCODE) - int outl; - int total; - - const unsigned char plain0[] = {"Th"}; - const unsigned char plain1[] = {"This is a base64 encodeing test."}; - const unsigned char plain2[] = {"This is additional data."}; - - const unsigned char encBlock0[] = {"VGg="}; - const unsigned char enc0[] = {"VGg=\n"}; - /* expected encoded result for the first output 64 chars plus trailing LF*/ - const unsigned char enc1[] = {"VGhpcyBpcyBhIGJhc2U2NCBlbmNvZGVpbmcgdGVzdC5UaGlzIGlzIGFkZGl0aW9u\n"}; - - const unsigned char enc2[] = - {"VGhpcyBpcyBhIGJhc2U2NCBlbmNvZGVpbmcgdGVzdC5UaGlzIGlzIGFkZGl0aW9u\nYWwgZGF0YS4=\n"}; + SOCKET_T sockfd = 0; + callback_functions* cbf; - unsigned char encOutBuff[300]; + WOLFSSL_CTX* ctx = 0; + WOLFSSL* ssl = 0; + WOLFSSL_SESSION* session = NULL; - EVP_ENCODE_CTX* ctx = NULL; + char msg[64] = "hello wolfssl!"; + char reply[1024]; + int input; + int msgSz = (int)XSTRLEN(msg); + int ret, err = 0; + int sharedCtx = 0; - ExpectNotNull(ctx = EVP_ENCODE_CTX_new()); +#ifdef WOLFSSL_TIRTOS + fdOpenSession(Task_self()); +#endif - EVP_EncodeInit(ctx); + ((func_args*)args)->return_code = TEST_FAIL; + cbf = ((func_args*)args)->callbacks; - /* illegal parameter test */ - ExpectIntEQ( - EVP_EncodeUpdate( - NULL, /* pass NULL as ctx */ - encOutBuff, - &outl, - plain1, - sizeof(plain1)-1), - 0 /* expected result code 0: fail */ - ); +#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE) + if (cbf != NULL && cbf->ctx) { + ctx = cbf->ctx; + sharedCtx = 1; + } + else +#endif + { + WOLFSSL_METHOD* method = NULL; + if (cbf != NULL && cbf->method != NULL) { + method = cbf->method(); + } + else { + method = wolfSSLv23_client_method(); + } + ctx = wolfSSL_CTX_new(method); + } - ExpectIntEQ( - EVP_EncodeUpdate( - ctx, - NULL, /* pass NULL as out buff */ - &outl, - plain1, - sizeof(plain1)-1), - 0 /* expected result code 0: fail */ - ); +#ifdef WOLFSSL_ENCRYPTED_KEYS + wolfSSL_CTX_set_default_passwd_cb(ctx, PasswordCallBack); +#endif - ExpectIntEQ( - EVP_EncodeUpdate( - ctx, - encOutBuff, - NULL, /* pass NULL as outl */ - plain1, - sizeof(plain1)-1), - 0 /* expected result code 0: fail */ - ); + /* Do connect here so server detects failures */ + tcp_connect(&sockfd, wolfSSLIP, ((func_args*)args)->signal->port, + 0, 0, NULL); - ExpectIntEQ( - EVP_EncodeUpdate( - ctx, - encOutBuff, - &outl, - NULL, /* pass NULL as in */ - sizeof(plain1)-1), - 0 /* expected result code 0: fail */ - ); + if (wolfSSL_CTX_load_verify_locations(ctx, caCertFile, 0) != + WOLFSSL_SUCCESS) { + /* err_sys("can't load ca file, Please run from wolfSSL home dir");*/ + goto done; + } + if (!sharedCtx && wolfSSL_CTX_use_certificate_file(ctx, cliCertFile, + WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS) { + /*err_sys("can't load client cert file, " + "Please run from wolfSSL home dir");*/ + goto done; + } + if (!sharedCtx && wolfSSL_CTX_use_PrivateKey_file(ctx, cliKeyFile, + WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS) { + /*err_sys("can't load client key file, " + "Please run from wolfSSL home dir");*/ + goto done; + } - ExpectIntEQ(EVP_EncodeBlock(NULL, NULL, 0), -1); + /* call ctx setup callback */ + if (cbf != NULL && cbf->ctx_ready != NULL) { + cbf->ctx_ready(ctx); + } - /* meaningless parameter test */ + ssl = wolfSSL_new(ctx); + if (ssl == NULL) { + goto done; + } + /* keep handshake resources for reusing WOLFSSL obj */ + wolfSSL_KeepArrays(ssl); + if (wolfSSL_KeepHandshakeResources(ssl)) { + /* err_sys("SSL_KeepHandshakeResources failed"); */ + goto done; + } + if (sharedCtx && wolfSSL_use_certificate_file(ssl, cliCertFile, + WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS) { + /*err_sys("can't load client cert file, " + "Please run from wolfSSL home dir");*/ + goto done; + } + if (sharedCtx && wolfSSL_use_PrivateKey_file(ssl, cliKeyFile, + WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS) { + /*err_sys("can't load client key file, " + "Please run from wolfSSL home dir");*/ + goto done; + } - ExpectIntEQ( - EVP_EncodeUpdate( - ctx, - encOutBuff, - &outl, - plain1, - 0), /* pass zero input */ - 1 /* expected result code 1: success */ - ); + if (wolfSSL_set_fd(ssl, sockfd) != WOLFSSL_SUCCESS) { + /*err_sys("SSL_set_fd failed");*/ + goto done; + } - /* very small data encoding test */ + /* call ssl setup callback */ + if (cbf != NULL && cbf->ssl_ready != NULL) { + cbf->ssl_ready(ssl); + } - EVP_EncodeInit(ctx); + WOLFSSL_ASYNC_WHILE_PENDING(ret = wolfSSL_connect(ssl), + ret != WOLFSSL_SUCCESS); + if (ret != WOLFSSL_SUCCESS) { + char buff[WOLFSSL_MAX_ERROR_SZ]; + fprintf(stderr, "error = %d, %s\n", err, + wolfSSL_ERR_error_string(err, buff)); + /*err_sys("SSL_connect failed");*/ + goto done; + } + /* Build first session */ + if (cb != NULL) + cb(ctx, ssl); - ExpectIntEQ( - EVP_EncodeUpdate( - ctx, - encOutBuff, - &outl, - plain0, - sizeof(plain0)-1), - 1 /* expected result code 1: success */ - ); - ExpectIntEQ(outl,0); + if (wolfSSL_write(ssl, msg, msgSz) != msgSz) { + /*err_sys("SSL_write failed");*/ + goto done; + } - if (EXPECT_SUCCESS()) { - EVP_EncodeFinal( - ctx, - encOutBuff + outl, - &outl); + input = wolfSSL_read(ssl, reply, sizeof(reply)-1); + if (input > 0) { + reply[input] = '\0'; + fprintf(stderr, "Server response: %s\n", reply); } - ExpectIntEQ( outl, sizeof(enc0)-1); - ExpectIntEQ( - XSTRNCMP( - (const char*)encOutBuff, - (const char*)enc0,sizeof(enc0) ), - 0); - - XMEMSET( encOutBuff,0, sizeof(encOutBuff)); - ExpectIntEQ(EVP_EncodeBlock(encOutBuff, plain0, sizeof(plain0)-1), - sizeof(encBlock0)-1); - ExpectStrEQ(encOutBuff, encBlock0); - - /* pass small size( < 48bytes ) input, then make sure they are not - * encoded and just stored in ctx - */ + /* Session Resumption by reusing WOLFSSL object */ + wolfSSL_set_quiet_shutdown(ssl, 1); + if (wolfSSL_shutdown(ssl) != WOLFSSL_SUCCESS) { + /* err_sys ("SSL shutdown failed"); */ + goto done; + } + session = wolfSSL_get1_session(ssl); + if (wolfSSL_clear(ssl) != WOLFSSL_SUCCESS) { + wolfSSL_SESSION_free(session); + /* err_sys ("SSL_clear failed"); */ + goto done; + } + wolfSSL_set_session(ssl, session); + wolfSSL_SESSION_free(session); + session = NULL; + /* close socket once */ + CloseSocket(sockfd); + sockfd = 0; + /* wait until server ready */ + wait_tcp_ready((func_args*)server_args); + fprintf(stderr, "session resumption\n"); + /* Do re-connect */ + tcp_connect(&sockfd, wolfSSLIP, ((func_args*)args)->signal->port, + 0, 0, NULL); + if (wolfSSL_set_fd(ssl, sockfd) != WOLFSSL_SUCCESS) { + /*err_sys("SSL_set_fd failed");*/ + goto done; + } - EVP_EncodeInit(ctx); + WOLFSSL_ASYNC_WHILE_PENDING(ret = wolfSSL_connect(ssl), + ret != WOLFSSL_SUCCESS); + if (ret != WOLFSSL_SUCCESS) { + char buff[WOLFSSL_MAX_ERROR_SZ]; + fprintf(stderr, "error = %d, %s\n", err, + wolfSSL_ERR_error_string(err, buff)); + /*err_sys("SSL_connect failed");*/ + goto done; + } + /* Build first session */ + if (cb != NULL) + cb(ctx, ssl); - total = 0; - outl = 0; - XMEMSET( encOutBuff,0, sizeof(encOutBuff)); + if (wolfSSL_write(ssl, msg, msgSz) != msgSz) { + /*err_sys("SSL_write failed");*/ + goto done; + } - ExpectIntEQ( - EVP_EncodeUpdate( - ctx, - encOutBuff, /* buffer for output */ - &outl, /* size of output */ - plain1, /* input */ - sizeof(plain1)-1), /* size of input */ - 1); /* expected result code 1:success */ - - total += outl; - - ExpectIntEQ(outl, 0); /* no output expected */ - ExpectIntEQ(ctx->remaining, sizeof(plain1) -1); - ExpectTrue( - XSTRNCMP((const char*)(ctx->data), - (const char*)plain1, - ctx->remaining) ==0 ); - ExpectTrue(encOutBuff[0] == 0); - - /* call wolfSSL_EVP_EncodeUpdate again to make it encode - * the stored data and the new input together - */ - ExpectIntEQ( - EVP_EncodeUpdate( - ctx, - encOutBuff + outl, /* buffer for output */ - &outl, /* size of output */ - plain2, /* additional input */ - sizeof(plain2) -1), /* size of additional input */ - 1); /* expected result code 1:success */ - - total += outl; - - ExpectIntNE(outl, 0); /* some output is expected this time*/ - ExpectIntEQ(outl, BASE64_ENCODE_RESULT_BLOCK_SIZE +1); /* 64 bytes and LF */ - ExpectIntEQ( - XSTRNCMP((const char*)encOutBuff,(const char*)enc1,sizeof(enc1) ),0); + input = wolfSSL_read(ssl, reply, sizeof(reply)-1); + if (input > 0) { + reply[input] = '\0'; + fprintf(stderr, "Server response: %s\n", reply); + } - /* call wolfSSL_EVP_EncodeFinal to flush all the unprocessed input */ - EVP_EncodeFinal( - ctx, - encOutBuff + outl, - &outl); + ((func_args*)args)->return_code = TEST_SUCCESS; - total += outl; +done: + wolfSSL_free(ssl); + if (!sharedCtx) + wolfSSL_CTX_free(ctx); - ExpectIntNE(total,0); - ExpectIntNE(outl,0); - ExpectIntEQ(XSTRNCMP( - (const char*)encOutBuff,(const char*)enc2,sizeof(enc2) ),0); + CloseSocket(sockfd); - /* test with illeagal parameters */ - outl = 1; - EVP_EncodeFinal(NULL, encOutBuff + outl, &outl); - ExpectIntEQ(outl, 0); - outl = 1; - EVP_EncodeFinal(ctx, NULL, &outl); - ExpectIntEQ(outl, 0); - EVP_EncodeFinal(ctx, encOutBuff + outl, NULL); - EVP_EncodeFinal(NULL, NULL, NULL); +#ifdef WOLFSSL_TIRTOS + fdCloseSession(Task_self()); +#endif - EVP_ENCODE_CTX_free(ctx); -#endif /* OPENSSL_EXTRA && WOLFSSL_BASE64_ENCODE*/ - return EXPECT_RESULT(); -} -static int test_wolfSSL_EVP_EncodeFinal(void) -{ - int res = TEST_SKIPPED; -#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_BASE64_ENCODE) - /* tests for wolfSSL_EVP_EncodeFinal are included in - * test_wolfSSL_EVP_EncodeUpdate - */ - res = TEST_SUCCESS; -#endif /* OPENSSL_EXTRA && WOLFSSL_BASE64_ENCODE*/ - return res; + return; } +#endif /* defined(OPENSSL_EXTRA) && !defined(NO_SESSION_CACHE) && + !defined(WOLFSSL_TLS13) && !defined(NO_WOLFSSL_CLIENT) */ +#if (defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || \ + defined(WOLFSSL_HAPROXY) || defined(HAVE_LIGHTY)) && \ + defined(HAVE_ALPN) && defined(HAVE_SNI) && \ + defined(HAVE_IO_TESTS_DEPENDENCIES) && !defined(NO_BIO) + #define HAVE_ALPN_PROTOS_SUPPORT +#endif -static int test_wolfSSL_EVP_DecodeInit(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_BASE64_DECODE) - EVP_ENCODE_CTX* ctx = NULL; - - ExpectNotNull( ctx = EVP_ENCODE_CTX_new()); - ExpectIntEQ( ctx->remaining,0); - ExpectIntEQ( ctx->data[0],0); - ExpectIntEQ( ctx->data[sizeof(ctx->data) -1],0); - - if (ctx != NULL) { - /* make ctx dirty */ - ctx->remaining = 10; - XMEMSET( ctx->data, 0x77, sizeof(ctx->data)); - } - - EVP_DecodeInit(ctx); - - ExpectIntEQ( ctx->remaining,0); - ExpectIntEQ( ctx->data[0],0); - ExpectIntEQ( ctx->data[sizeof(ctx->data) -1],0); +/* Generic TLS client / server with callbacks for API unit tests + * Used by SNI / ALPN / crypto callback helper functions */ +#if defined(HAVE_IO_TESTS_DEPENDENCIES) && \ + (defined(HAVE_SNI) || defined(HAVE_ALPN) || defined(WOLF_CRYPTO_CB) || \ + defined(HAVE_ALPN_PROTOS_SUPPORT)) || defined(WOLFSSL_STATIC_MEMORY) + #define ENABLE_TLS_CALLBACK_TEST +#endif - EVP_ENCODE_CTX_free(ctx); -#endif /* OPENSSL && WOLFSSL_BASE_DECODE */ - return EXPECT_RESULT(); -} -static int test_wolfSSL_EVP_DecodeUpdate(void) +#if defined(ENABLE_TLS_CALLBACK_TEST) || \ + (defined(WOLFSSL_DTLS) && defined(WOLFSSL_SESSION_EXPORT)) +/* TLS server for API unit testing - generic */ +static THREAD_RETURN WOLFSSL_THREAD run_wolfssl_server(void* args) { - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_BASE64_DECODE) - int outl; - unsigned char decOutBuff[300]; - - EVP_ENCODE_CTX* ctx = NULL; - - static const unsigned char enc1[] = - {"VGhpcyBpcyBhIGJhc2U2NCBkZWNvZGluZyB0ZXN0Lg==\n"}; -/* const unsigned char plain1[] = - {"This is a base64 decoding test."} */ - - ExpectNotNull(ctx = EVP_ENCODE_CTX_new()); - - EVP_DecodeInit(ctx); - - /* illegal parameter tests */ - - /* pass NULL as ctx */ - ExpectIntEQ( - EVP_DecodeUpdate( - NULL, /* pass NULL as ctx */ - decOutBuff, - &outl, - enc1, - sizeof(enc1)-1), - -1 /* expected result code -1: fail */ - ); - ExpectIntEQ( outl, 0); - - /* pass NULL as output */ - ExpectIntEQ( - EVP_DecodeUpdate( - ctx, - NULL, /* pass NULL as out buff */ - &outl, - enc1, - sizeof(enc1)-1), - -1 /* expected result code -1: fail */ - ); - ExpectIntEQ( outl, 0); - - /* pass NULL as outl */ - ExpectIntEQ( - EVP_DecodeUpdate( - ctx, - decOutBuff, - NULL, /* pass NULL as outl */ - enc1, - sizeof(enc1)-1), - -1 /* expected result code -1: fail */ - ); - - /* pass NULL as input */ - ExpectIntEQ( - EVP_DecodeUpdate( - ctx, - decOutBuff, - &outl, - NULL, /* pass NULL as in */ - sizeof(enc1)-1), - -1 /* expected result code -1: fail */ - ); - ExpectIntEQ( outl, 0); - - ExpectIntEQ(EVP_DecodeBlock(NULL, NULL, 0), -1); - - /* pass zero length input */ - - ExpectIntEQ( - EVP_DecodeUpdate( - ctx, - decOutBuff, - &outl, - enc1, - 0), /* pass zero as input len */ - 1 /* expected result code 1: success */ - ); - - /* decode correct base64 string */ - - { - static const unsigned char enc2[] = - {"VGhpcyBpcyBhIGJhc2U2NCBkZWNvZGluZyB0ZXN0Lg==\n"}; - static const unsigned char plain2[] = - {"This is a base64 decoding test."}; + callback_functions* callbacks = ((func_args*)args)->callbacks; - EVP_EncodeInit(ctx); + WOLFSSL_CTX* ctx = NULL; + WOLFSSL* ssl = NULL; + SOCKET_T sfd = 0; + SOCKET_T cfd = 0; + word16 port; - ExpectIntEQ( - EVP_DecodeUpdate( - ctx, - decOutBuff, - &outl, - enc2, - sizeof(enc2)-1), - 0 /* expected result code 0: success */ - ); + char msg[] = "I hear you fa shizzle!"; + int len = (int) XSTRLEN(msg); + char input[1024]; + int idx; + int ret, err = 0; - ExpectIntEQ(outl,sizeof(plain2) -1); + ((func_args*)args)->return_code = TEST_FAIL; - ExpectIntEQ( - EVP_DecodeFinal( - ctx, - decOutBuff + outl, - &outl), - 1 /* expected result code 1: success */ - ); - ExpectIntEQ(outl, 0); /* expected DecodeFinal output no data */ +#if defined(USE_WINDOWS_API) + port = ((func_args*)args)->signal->port; +#elif defined(NO_MAIN_DRIVER) && !defined(WOLFSSL_SNIFFER) && \ + !defined(WOLFSSL_MDK_SHELL) && !defined(WOLFSSL_TIRTOS) + /* Let tcp_listen assign port */ + port = 0; +#else + /* Use default port */ + port = wolfSSLPort; +#endif - ExpectIntEQ(XSTRNCMP( (const char*)plain2,(const char*)decOutBuff, - sizeof(plain2) -1 ),0); - ExpectIntEQ(EVP_DecodeBlock(decOutBuff, enc2, sizeof(enc2)), - sizeof(plain2)-1); - ExpectIntEQ(XSTRNCMP( (const char*)plain2,(const char*)decOutBuff, - sizeof(plain2) -1 ),0); +#ifdef WOLFSSL_DTLS + if (callbacks->method == wolfDTLS_server_method +#ifdef WOLFSSL_STATIC_MEMORY + || callbacks->method_ex == wolfDTLS_server_method_ex +#endif +#ifndef NO_OLD_TLS + || callbacks->method == wolfDTLSv1_server_method +#ifdef WOLFSSL_STATIC_MEMORY + || callbacks->method_ex == wolfDTLSv1_server_method_ex +#endif +#endif +#ifndef WOLFSSL_NO_TLS12 + || callbacks->method == wolfDTLSv1_2_server_method +#ifdef WOLFSSL_STATIC_MEMORY + || callbacks->method_ex == wolfDTLSv1_2_server_method_ex +#endif +#endif +#ifdef WOLFSSL_DTLS13 + || callbacks->method == wolfDTLSv1_3_server_method +#ifdef WOLFSSL_STATIC_MEMORY + || callbacks->method_ex == wolfDTLSv1_3_server_method_ex +#endif +#endif + ) { + tcp_accept(&sfd, &cfd, (func_args*)args, port, 0, 1, 0, 0, 0, 0, 0); } - - /* decode correct base64 string which does not have '\n' in its last*/ - + else +#endif { - static const unsigned char enc3[] = - {"VGhpcyBpcyBhIGJhc2U2NCBkZWNvZGluZyB0ZXN0Lg=="}; /* 44 chars */ - static const unsigned char plain3[] = - {"This is a base64 decoding test."}; /* 31 chars */ - - EVP_EncodeInit(ctx); + tcp_accept(&sfd, &cfd, (func_args*)args, port, 0, 0, 0, 0, 1, 0, 0); + } - ExpectIntEQ( - EVP_DecodeUpdate( - ctx, - decOutBuff, - &outl, - enc3, - sizeof(enc3)-1), - 0 /* expected result code 0: success */ - ); +#ifdef WOLFSSL_STATIC_MEMORY + if (callbacks->method_ex != NULL && callbacks->mem != NULL && + callbacks->memSz > 0) { + ret = wolfSSL_CTX_load_static_memory(&ctx, callbacks->method_ex, + callbacks->mem, callbacks->memSz, 0, 1); + if (ret != WOLFSSL_SUCCESS) { + fprintf(stderr, "CTX static new failed %d\n", ret); + goto cleanup; + } + } +#else + ctx = wolfSSL_CTX_new(callbacks->method()); +#endif + if (ctx == NULL) { + fprintf(stderr, "CTX new failed\n"); + goto cleanup; + } - ExpectIntEQ(outl,sizeof(plain3)-1); /* 31 chars should be output */ + /* set defaults */ + if (callbacks->caPemFile == NULL) + callbacks->caPemFile = cliCertFile; + if (callbacks->certPemFile == NULL) + callbacks->certPemFile = svrCertFile; + if (callbacks->keyPemFile == NULL) + callbacks->keyPemFile = svrKeyFile; - ExpectIntEQ(XSTRNCMP( (const char*)plain3,(const char*)decOutBuff, - sizeof(plain3) -1 ),0); +#ifdef WOLFSSL_TIRTOS + fdOpenSession(Task_self()); +#endif - ExpectIntEQ( - EVP_DecodeFinal( - ctx, - decOutBuff + outl, - &outl), - 1 /* expected result code 1: success */ - ); + wolfSSL_CTX_SetDevId(ctx, callbacks->devId); - ExpectIntEQ(outl,0 ); + wolfSSL_CTX_set_verify(ctx, + WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0); - ExpectIntEQ(EVP_DecodeBlock(decOutBuff, enc3, sizeof(enc3)-1), - sizeof(plain3)-1); - ExpectIntEQ(XSTRNCMP( (const char*)plain3,(const char*)decOutBuff, - sizeof(plain3) -1 ),0); +#ifdef WOLFSSL_ENCRYPTED_KEYS + wolfSSL_CTX_set_default_passwd_cb(ctx, PasswordCallBack); +#endif +#if defined(WOLFSSL_SESSION_EXPORT) && defined(WOLFSSL_DTLS) + if (callbacks->method == wolfDTLSv1_2_server_method) { + if (wolfSSL_CTX_dtls_set_export(ctx, test_export) != WOLFSSL_SUCCESS) + goto cleanup; } +#endif - /* decode string which has a padding char ('=') in the illegal position*/ - - { - static const unsigned char enc4[] = - {"VGhpcyBpcyBhIGJhc2U2N=CBkZWNvZGluZyB0ZXN0Lg==\n"}; - - EVP_EncodeInit(ctx); - ExpectIntEQ( - EVP_DecodeUpdate( - ctx, - decOutBuff, - &outl, - enc4, - sizeof(enc4)-1), - -1 /* expected result code -1: error */ - ); - ExpectIntEQ(outl,0); - ExpectIntEQ(EVP_DecodeBlock(decOutBuff, enc4, sizeof(enc4)-1), -1); + if (wolfSSL_CTX_load_verify_locations(ctx, callbacks->caPemFile, 0) != + WOLFSSL_SUCCESS) { + goto cleanup; } - /* small data decode test */ + if (wolfSSL_CTX_use_certificate_file(ctx, callbacks->certPemFile, + CERT_FILETYPE) != WOLFSSL_SUCCESS) { + goto cleanup; + } - { - static const unsigned char enc00[] = {"VG"}; - static const unsigned char enc01[] = {"g=\n"}; - static const unsigned char plain4[] = {"Th"}; + if (wolfSSL_CTX_use_PrivateKey_file(ctx, callbacks->keyPemFile, + CERT_FILETYPE) != WOLFSSL_SUCCESS) { + goto cleanup; + } - EVP_EncodeInit(ctx); +#ifdef HAVE_CRL + if (callbacks->crlPemFile != NULL) { + if (wolfSSL_CTX_LoadCRLFile(ctx, callbacks->crlPemFile, + CERT_FILETYPE) != WOLFSSL_SUCCESS) { + goto cleanup; + } + } +#endif - ExpectIntEQ( - EVP_DecodeUpdate( - ctx, - decOutBuff, - &outl, - enc00, - sizeof(enc00)-1), - 1 /* expected result code 1: success */ - ); - ExpectIntEQ(outl,0); + if (callbacks->ctx_ready) + callbacks->ctx_ready(ctx); - ExpectIntEQ( - EVP_DecodeUpdate( - ctx, - decOutBuff + outl, - &outl, - enc01, - sizeof(enc01)-1), - 0 /* expected result code 0: success */ - ); - - ExpectIntEQ(outl,sizeof(plain4)-1); - - /* test with illegal parameters */ - ExpectIntEQ(EVP_DecodeFinal(NULL,decOutBuff + outl,&outl), -1); - ExpectIntEQ(EVP_DecodeFinal(ctx,NULL,&outl), -1); - ExpectIntEQ(EVP_DecodeFinal(ctx,decOutBuff + outl, NULL), -1); - ExpectIntEQ(EVP_DecodeFinal(NULL,NULL, NULL), -1); + ssl = wolfSSL_new(ctx); + if (ssl == NULL) { + fprintf(stderr, "SSL new failed\n"); + goto cleanup; + } + if (wolfSSL_dtls(ssl)) { + SOCKADDR_IN_T cliAddr; + socklen_t cliLen; - if (EXPECT_SUCCESS()) { - EVP_DecodeFinal( - ctx, - decOutBuff + outl, - &outl); + cliLen = sizeof(cliAddr); + idx = (int)recvfrom(sfd, input, sizeof(input), MSG_PEEK, + (struct sockaddr*)&cliAddr, &cliLen); + if (idx <= 0) { + goto cleanup; } - - ExpectIntEQ( outl, 0); - ExpectIntEQ( - XSTRNCMP( - (const char*)decOutBuff, - (const char*)plain4,sizeof(plain4)-1 ), - 0); + wolfSSL_dtls_set_peer(ssl, &cliAddr, cliLen); + } + else { + CloseSocket(sfd); } - EVP_ENCODE_CTX_free(ctx); -#endif /* OPENSSL && WOLFSSL_BASE_DECODE */ - return EXPECT_RESULT(); -} -static int test_wolfSSL_EVP_DecodeFinal(void) -{ - int res = TEST_SKIPPED; -#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_BASE64_DECODE) - /* tests for wolfSSL_EVP_DecodeFinal are included in - * test_wolfSSL_EVP_DecodeUpdate - */ - res = TEST_SUCCESS; -#endif /* OPENSSL && WOLFSSL_BASE_DECODE */ - return res; -} - -/* Test function for wolfSSL_EVP_get_cipherbynid. - */ + if (wolfSSL_set_fd(ssl, cfd) != WOLFSSL_SUCCESS) { + goto cleanup; + } -#ifdef OPENSSL_EXTRA -static int test_wolfSSL_EVP_get_cipherbynid(void) -{ - EXPECT_DECLS; -#ifndef NO_AES - const WOLFSSL_EVP_CIPHER* c; + if (callbacks->loadToSSL) { + wolfSSL_SetDevId(ssl, callbacks->devId); - c = wolfSSL_EVP_get_cipherbynid(419); - #if (defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT)) && \ - defined(WOLFSSL_AES_128) - ExpectNotNull(c); - ExpectNotNull(XSTRCMP("EVP_AES_128_CBC", c)); - #else - ExpectNull(c); - #endif + if (wolfSSL_use_certificate_file(ssl, callbacks->certPemFile, + CERT_FILETYPE) != WOLFSSL_SUCCESS) { + goto cleanup; + } - c = wolfSSL_EVP_get_cipherbynid(423); - #if (defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT)) && \ - defined(WOLFSSL_AES_192) - ExpectNotNull(c); - ExpectNotNull(XSTRCMP("EVP_AES_192_CBC", c)); - #else - ExpectNull(c); - #endif + if (wolfSSL_use_PrivateKey_file(ssl, callbacks->keyPemFile, + CERT_FILETYPE) != WOLFSSL_SUCCESS) { + goto cleanup; + } + } - c = wolfSSL_EVP_get_cipherbynid(427); - #if (defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT)) && \ - defined(WOLFSSL_AES_256) - ExpectNotNull(c); - ExpectNotNull(XSTRCMP("EVP_AES_256_CBC", c)); - #else - ExpectNull(c); +#ifdef NO_PSK + #if !defined(NO_FILESYSTEM) && !defined(NO_DH) + wolfSSL_SetTmpDH_file(ssl, dhParamFile, CERT_FILETYPE); + #elif !defined(NO_DH) + SetDH(ssl); /* will repick suites with DHE, higher priority than PSK */ #endif +#endif - c = wolfSSL_EVP_get_cipherbynid(904); - #if defined(WOLFSSL_AES_COUNTER) && defined(WOLFSSL_AES_128) - ExpectNotNull(c); - ExpectNotNull(XSTRCMP("EVP_AES_128_CTR", c)); - #else - ExpectNull(c); - #endif + if (callbacks->ssl_ready) + callbacks->ssl_ready(ssl); - c = wolfSSL_EVP_get_cipherbynid(905); - #if defined(WOLFSSL_AES_COUNTER) && defined(WOLFSSL_AES_192) - ExpectNotNull(c); - ExpectNotNull(XSTRCMP("EVP_AES_192_CTR", c)); - #else - ExpectNull(c); - #endif - - c = wolfSSL_EVP_get_cipherbynid(906); - #if defined(WOLFSSL_AES_COUNTER) && defined(WOLFSSL_AES_256) - ExpectNotNull(c); - ExpectNotNull(XSTRCMP("EVP_AES_256_CTR", c)); - #else - ExpectNull(c); - #endif - - c = wolfSSL_EVP_get_cipherbynid(418); - #if defined(HAVE_AES_ECB) && defined(WOLFSSL_AES_128) - ExpectNotNull(c); - ExpectNotNull(XSTRCMP("EVP_AES_128_ECB", c)); - #else - ExpectNull(c); - #endif + WOLFSSL_ASYNC_WHILE_PENDING(ret = wolfSSL_accept(ssl), + ret != WOLFSSL_SUCCESS); + if (ret != WOLFSSL_SUCCESS) { + char buff[WOLFSSL_MAX_ERROR_SZ]; + fprintf(stderr, "accept error = %d, %s\n", err, + wolfSSL_ERR_error_string((word32)err, buff)); + /*err_sys("SSL_accept failed");*/ + } + else { + WOLFSSL_ASYNC_WHILE_PENDING(idx = wolfSSL_read(ssl, input, sizeof(input)-1), + idx <= 0); + if (idx > 0) { + input[idx] = 0; + fprintf(stderr, "Client message: %s\n", input); + } - c = wolfSSL_EVP_get_cipherbynid(422); - #if defined(HAVE_AES_ECB) && defined(WOLFSSL_AES_192) - ExpectNotNull(c); - ExpectNotNull(XSTRCMP("EVP_AES_192_ECB", c)); - #else - ExpectNull(c); - #endif + WOLFSSL_ASYNC_WHILE_PENDING(ret = wolfSSL_write(ssl, msg, len), + len != ret); + if (len != ret) { + goto cleanup; + } - c = wolfSSL_EVP_get_cipherbynid(426); - #if defined(HAVE_AES_ECB) && defined(WOLFSSL_AES_256) - ExpectNotNull(c); - ExpectNotNull(XSTRCMP("EVP_AES_256_ECB", c)); - #else - ExpectNull(c); - #endif -#endif /* !NO_AES */ +#if defined(WOLFSSL_SESSION_EXPORT) && !defined(HAVE_IO_POOL) && \ + defined(WOLFSSL_DTLS) + if (wolfSSL_dtls(ssl)) { + byte* import; + word32 sz; -#ifndef NO_DES3 - ExpectNotNull(XSTRCMP("EVP_DES_CBC", wolfSSL_EVP_get_cipherbynid(31))); -#ifdef WOLFSSL_DES_ECB - ExpectNotNull(XSTRCMP("EVP_DES_ECB", wolfSSL_EVP_get_cipherbynid(29))); + wolfSSL_dtls_export(ssl, NULL, &sz); + import = (byte*)XMALLOC(sz, NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (import == NULL) { + goto cleanup; + } + idx = wolfSSL_dtls_export(ssl, import, &sz); + if (idx < 0) { + goto cleanup; + } + if (wolfSSL_dtls_import(ssl, import, idx) < 0) { + goto cleanup; + } + XFREE(import, NULL, DYNAMIC_TYPE_TMP_BUFFER); + } #endif - ExpectNotNull(XSTRCMP("EVP_DES_EDE3_CBC", wolfSSL_EVP_get_cipherbynid(44))); -#ifdef WOLFSSL_DES_ECB - ExpectNotNull(XSTRCMP("EVP_DES_EDE3_ECB", wolfSSL_EVP_get_cipherbynid(33))); +#ifdef WOLFSSL_TIRTOS + Task_yield(); #endif -#endif /* !NO_DES3 */ + ((func_args*)args)->return_code = TEST_SUCCESS; + } -#if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) - ExpectNotNull(XSTRCMP("EVP_CHACHA20_POLY13O5", EVP_get_cipherbynid(1018))); -#endif + if (callbacks->on_result) + callbacks->on_result(ssl); - /* test for nid is out of range */ - ExpectNull(wolfSSL_EVP_get_cipherbynid(1)); + wolfSSL_shutdown(ssl); - return EXPECT_RESULT(); -} +cleanup: + wolfSSL_free(ssl); + wolfSSL_CTX_free(ctx); + CloseSocket(cfd); -static int test_wolfSSL_EVP_CIPHER_CTX(void) -{ - EXPECT_DECLS; -#if !defined(NO_AES) && defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_128) - EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new(); - const EVP_CIPHER *init = EVP_aes_128_cbc(); - const EVP_CIPHER *test; - byte key[AES_BLOCK_SIZE] = {0}; - byte iv[AES_BLOCK_SIZE] = {0}; - ExpectNotNull(ctx); - wolfSSL_EVP_CIPHER_CTX_init(ctx); - ExpectIntEQ(EVP_CipherInit(ctx, init, key, iv, 1), WOLFSSL_SUCCESS); - test = EVP_CIPHER_CTX_cipher(ctx); - ExpectTrue(init == test); - ExpectIntEQ(EVP_CIPHER_nid(test), NID_aes_128_cbc); +#ifdef WOLFSSL_TIRTOS + fdCloseSession(Task_self()); +#endif - ExpectIntEQ(EVP_CIPHER_CTX_reset(ctx), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_CIPHER_CTX_reset(NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); +#if defined(NO_MAIN_DRIVER) && defined(HAVE_ECC) && defined(FP_ECC) \ + && defined(HAVE_THREAD_LS) + wc_ecc_fp_free(); /* free per thread cache */ +#endif - EVP_CIPHER_CTX_free(ctx); - /* test EVP_CIPHER_CTX_cleanup with NULL */ - ExpectIntEQ(EVP_CIPHER_CTX_cleanup(NULL), WOLFSSL_SUCCESS); -#endif /* !NO_AES && HAVE_AES_CBC && WOLFSSL_AES_128 */ - return EXPECT_RESULT(); + WOLFSSL_RETURN_FROM_THREAD(0); } -#endif /* OPENSSL_EXTRA */ -/*----------------------------------------------------------------------------* - | IO - *----------------------------------------------------------------------------*/ - -#if defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) || \ - defined(HAVE_IO_TESTS_DEPENDENCIES) -#ifdef WOLFSSL_HAVE_TLS_UNIQUE - byte server_side_msg1[WC_MAX_DIGEST_SIZE]; /* msg sent by server */ - byte server_side_msg2[WC_MAX_DIGEST_SIZE]; /* msg received from client */ - byte client_side_msg1[WC_MAX_DIGEST_SIZE]; /* msg sent by client */ - byte client_side_msg2[WC_MAX_DIGEST_SIZE]; /* msg received from server */ -#endif /* WOLFSSL_HAVE_TLS_UNIQUE */ +/* TLS Client for API unit testing - generic */ +static void run_wolfssl_client(void* args) +{ + callback_functions* callbacks = ((func_args*)args)->callbacks; -/* TODO: Expand and enable this when EVP_chacha20_poly1305 is supported */ -#if defined(HAVE_SESSION_TICKET) && defined(OPENSSL_EXTRA) && \ - defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_256) + WOLFSSL_CTX* ctx = NULL; + WOLFSSL* ssl = NULL; + SOCKET_T sfd = 0; - typedef struct openssl_key_ctx { - byte name[WOLFSSL_TICKET_NAME_SZ]; /* server name */ - byte key[WOLFSSL_TICKET_KEY_SZ]; /* cipher key */ - byte hmacKey[WOLFSSL_TICKET_NAME_SZ]; /* hmac key */ - byte iv[WOLFSSL_TICKET_IV_SZ]; /* cipher iv */ - } openssl_key_ctx; + char msg[] = "hello wolfssl server!"; + int len = (int) XSTRLEN(msg); + char input[1024]; + int ret, err = 0; - static THREAD_LS_T openssl_key_ctx myOpenSSLKey_ctx; - static THREAD_LS_T WC_RNG myOpenSSLKey_rng; + ((func_args*)args)->return_code = TEST_FAIL; - static WC_INLINE int OpenSSLTicketInit(void) - { - int ret = wc_InitRng(&myOpenSSLKey_rng); - if (ret != 0) return ret; + /* set defaults */ + if (callbacks->caPemFile == NULL) + callbacks->caPemFile = caCertFile; + if (callbacks->certPemFile == NULL) + callbacks->certPemFile = cliCertFile; + if (callbacks->keyPemFile == NULL) + callbacks->keyPemFile = cliKeyFile; - ret = wc_RNG_GenerateBlock(&myOpenSSLKey_rng, myOpenSSLKey_ctx.name, - sizeof(myOpenSSLKey_ctx.name)); - if (ret != 0) return ret; +#ifdef WOLFSSL_STATIC_MEMORY + if (callbacks->method_ex != NULL && callbacks->mem != NULL && + callbacks->memSz > 0) { + ret = wolfSSL_CTX_load_static_memory(&ctx, callbacks->method_ex, + callbacks->mem, callbacks->memSz, 0, 1); + if (ret != WOLFSSL_SUCCESS) { + fprintf(stderr, "CTX static new failed %d\n", ret); + goto cleanup; + } + } +#else + ctx = wolfSSL_CTX_new(callbacks->method()); +#endif + if (ctx == NULL) { + fprintf(stderr, "CTX new failed\n"); + goto cleanup; + } - ret = wc_RNG_GenerateBlock(&myOpenSSLKey_rng, myOpenSSLKey_ctx.key, - sizeof(myOpenSSLKey_ctx.key)); - if (ret != 0) return ret; +#ifdef WOLFSSL_TIRTOS + fdOpenSession(Task_self()); +#endif - ret = wc_RNG_GenerateBlock(&myOpenSSLKey_rng, myOpenSSLKey_ctx.hmacKey, - sizeof(myOpenSSLKey_ctx.hmacKey)); - if (ret != 0) return ret; + if (!callbacks->loadToSSL) { + wolfSSL_CTX_SetDevId(ctx, callbacks->devId); + } - ret = wc_RNG_GenerateBlock(&myOpenSSLKey_rng, myOpenSSLKey_ctx.iv, - sizeof(myOpenSSLKey_ctx.iv)); - if (ret != 0) return ret; +#ifdef WOLFSSL_ENCRYPTED_KEYS + wolfSSL_CTX_set_default_passwd_cb(ctx, PasswordCallBack); +#endif - return 0; + if (wolfSSL_CTX_load_verify_locations(ctx, callbacks->caPemFile, 0) != + WOLFSSL_SUCCESS) { + goto cleanup; } - static int myTicketEncCbOpenSSL(WOLFSSL* ssl, - byte name[WOLFSSL_TICKET_NAME_SZ], - byte iv[WOLFSSL_TICKET_IV_SZ], - WOLFSSL_EVP_CIPHER_CTX *ectx, - WOLFSSL_HMAC_CTX *hctx, int enc) { - (void)ssl; - if (enc) { - XMEMCPY(name, myOpenSSLKey_ctx.name, sizeof(myOpenSSLKey_ctx.name)); - XMEMCPY(iv, myOpenSSLKey_ctx.iv, sizeof(myOpenSSLKey_ctx.iv)); + if (!callbacks->loadToSSL) { + if (wolfSSL_CTX_use_certificate_file(ctx, callbacks->certPemFile, + CERT_FILETYPE) != WOLFSSL_SUCCESS) { + goto cleanup; } - else if (XMEMCMP(name, myOpenSSLKey_ctx.name, - sizeof(myOpenSSLKey_ctx.name)) != 0 || - XMEMCMP(iv, myOpenSSLKey_ctx.iv, - sizeof(myOpenSSLKey_ctx.iv)) != 0) { - return 0; + + if (wolfSSL_CTX_use_PrivateKey_file(ctx, callbacks->keyPemFile, + CERT_FILETYPE) != WOLFSSL_SUCCESS) { + goto cleanup; } - HMAC_Init_ex(hctx, myOpenSSLKey_ctx.hmacKey, WOLFSSL_TICKET_NAME_SZ, EVP_sha256(), NULL); - if (enc) - EVP_EncryptInit_ex(ectx, EVP_aes_256_cbc(), NULL, myOpenSSLKey_ctx.key, iv); - else - EVP_DecryptInit_ex(ectx, EVP_aes_256_cbc(), NULL, myOpenSSLKey_ctx.key, iv); - return 1; } - static WC_INLINE void OpenSSLTicketCleanup(void) - { - wc_FreeRng(&myOpenSSLKey_rng); +#ifdef HAVE_CRL + if (callbacks->crlPemFile != NULL) { + if (wolfSSL_CTX_LoadCRLFile(ctx, callbacks->crlPemFile, + CERT_FILETYPE) != WOLFSSL_SUCCESS) { + goto cleanup; + } } #endif -#endif - -/* helper functions */ -#ifdef HAVE_SSL_MEMIO_TESTS_DEPENDENCIES -static WC_INLINE int test_ssl_memio_write_cb(WOLFSSL *ssl, char *data, int sz, - void *ctx) -{ - struct test_ssl_memio_ctx *test_ctx; - byte *buf; - int *len; - int *msg_sizes; - int *msg_count; - test_ctx = (struct test_ssl_memio_ctx*)ctx; + if (callbacks->ctx_ready) + callbacks->ctx_ready(ctx); - if (wolfSSL_GetSide(ssl) == WOLFSSL_SERVER_END) { - buf = test_ctx->c_buff; - len = &test_ctx->c_len; - msg_sizes = test_ctx->c_msg_sizes; - msg_count = &test_ctx->c_msg_count; + ssl = wolfSSL_new(ctx); + if (wolfSSL_dtls(ssl)) { + tcp_connect(&sfd, wolfSSLIP, ((func_args*)args)->signal->port, + 1, 0, ssl); } else { - buf = test_ctx->s_buff; - len = &test_ctx->s_len; - msg_sizes = test_ctx->s_msg_sizes; - msg_count = &test_ctx->s_msg_count; + tcp_connect(&sfd, wolfSSLIP, ((func_args*)args)->signal->port, + 0, 0, ssl); + } + if (wolfSSL_set_fd(ssl, sfd) != WOLFSSL_SUCCESS) { + goto cleanup; } - if ((unsigned)(*len + sz) > TEST_SSL_MEMIO_BUF_SZ) - return WOLFSSL_CBIO_ERR_WANT_WRITE; + if (callbacks->loadToSSL) { + wolfSSL_SetDevId(ssl, callbacks->devId); - if (*msg_count >= TEST_MEMIO_MAX_MSGS) - return WOLFSSL_CBIO_ERR_WANT_WRITE; + if (wolfSSL_use_certificate_file(ssl, callbacks->certPemFile, + CERT_FILETYPE) != WOLFSSL_SUCCESS) { + goto cleanup; + } - XMEMCPY(buf + *len, data, sz); - msg_sizes[*msg_count] = sz; - (*msg_count)++; - *len += sz; + if (wolfSSL_use_PrivateKey_file(ssl, callbacks->keyPemFile, + CERT_FILETYPE) != WOLFSSL_SUCCESS) { + goto cleanup; + } + } -#ifdef WOLFSSL_DUMP_MEMIO_STREAM - { - /* This can be imported into Wireshark by transforming the file with - * od -Ax -tx1 -v test_output.dump > test_output.dump.hex - * And then loading test_output.dump.hex into Wireshark using the - * "Import from Hex Dump..." option ion and selecting the TCP - * encapsulation option. */ - char dump_file_name[64]; - WOLFSSL_BIO *dump_file; - sprintf(dump_file_name, "%s/%s.dump", tmpDirName, currentTestName); - dump_file = wolfSSL_BIO_new_file(dump_file_name, "a"); - if (dump_file != NULL) { - (void)wolfSSL_BIO_write(dump_file, data, sz); - wolfSSL_BIO_free(dump_file); + if (callbacks->ssl_ready) + callbacks->ssl_ready(ssl); + + WOLFSSL_ASYNC_WHILE_PENDING(ret = wolfSSL_connect(ssl), + ret != WOLFSSL_SUCCESS); + if (ret != WOLFSSL_SUCCESS) { + char buff[WOLFSSL_MAX_ERROR_SZ]; + fprintf(stderr, "error = %d, %s\n", err, + wolfSSL_ERR_error_string((word32)err, buff)); + /*err_sys("SSL_connect failed");*/ + } + else { + WOLFSSL_ASYNC_WHILE_PENDING(ret = wolfSSL_write(ssl, msg, len), + ret != len); + if (len != ret) + goto cleanup; + + WOLFSSL_ASYNC_WHILE_PENDING(ret = wolfSSL_read(ssl, input, sizeof(input)-1), + ret <= 0); + if (ret > 0) { + input[ret] = '\0'; /* null term */ + fprintf(stderr, "Server response: %s\n", input); } + ((func_args*)args)->return_code = TEST_SUCCESS; } -#endif - return sz; + if (callbacks->on_result) + callbacks->on_result(ssl); + +cleanup: + wolfSSL_free(ssl); + wolfSSL_CTX_free(ctx); + CloseSocket(sfd); + +#ifdef WOLFSSL_TIRTOS + fdCloseSession(Task_self()); +#endif } -static WC_INLINE int test_ssl_memio_read_cb(WOLFSSL *ssl, char *data, int sz, - void *ctx) +#endif /* ENABLE_TLS_CALLBACK_TEST */ + + +static int test_wolfSSL_read_write(void) { - struct test_ssl_memio_ctx *test_ctx; - int read_sz; - byte *buf; - int *len; - int *msg_sizes; - int *msg_count; - int *msg_pos; - int is_dtls; + EXPECT_DECLS; +#ifndef NO_SHA256 + /* The unit testing for read and write shall happen simultaneously, since + * one can't do anything with one without the other. (Except for a failure + * test case.) This function will call all the others that will set up, + * execute, and report their test findings. + * + * Set up the success case first. This function will become the template + * for the other tests. This should eventually be renamed + * + * The success case isn't interesting, how can this fail? + * - Do not give the client context a CA certificate. The connect should + * fail. Do not need server for this? + * - Using NULL for the ssl object on server. Do not need client for this. + * - Using NULL for the ssl object on client. Do not need server for this. + * - Good ssl objects for client and server. Client write() without server + * read(). + * - Good ssl objects for client and server. Server write() without client + * read(). + * - Forgetting the password callback? + */ + tcp_ready ready; + func_args client_args; + func_args server_args; + THREAD_TYPE serverThread; - test_ctx = (struct test_ssl_memio_ctx*)ctx; - is_dtls = wolfSSL_dtls(ssl); + XMEMSET(&client_args, 0, sizeof(func_args)); + XMEMSET(&server_args, 0, sizeof(func_args)); +#ifdef WOLFSSL_TIRTOS + fdOpenSession(Task_self()); +#endif - if (wolfSSL_GetSide(ssl) == WOLFSSL_SERVER_END) { - buf = test_ctx->s_buff; - len = &test_ctx->s_len; - msg_sizes = test_ctx->s_msg_sizes; - msg_count = &test_ctx->s_msg_count; - msg_pos = &test_ctx->s_msg_pos; - } - else { - buf = test_ctx->c_buff; - len = &test_ctx->c_len; - msg_sizes = test_ctx->c_msg_sizes; - msg_count = &test_ctx->c_msg_count; - msg_pos = &test_ctx->c_msg_pos; - } + StartTCP(); + InitTcpReady(&ready); - if (*len == 0 || *msg_pos >= *msg_count) - return WOLFSSL_CBIO_ERR_WANT_READ; +#if defined(USE_WINDOWS_API) + /* use RNG to get random port if using windows */ + ready.port = GetRandomPort(); +#endif - /* Calculate how much we can read from current message */ - read_sz = msg_sizes[*msg_pos]; - if (read_sz > sz) - read_sz = sz; + server_args.signal = &ready; + client_args.signal = &ready; - if (read_sz > *len) - return WOLFSSL_CBIO_ERR_GENERAL; + start_thread(test_server_nofail, &server_args, &serverThread); + wait_tcp_ready(&server_args); + test_client_nofail(&client_args, NULL); + join_thread(serverThread); - /* Copy data from current message */ - XMEMCPY(data, buf, (size_t)read_sz); - /* remove the read data from the buffer */ - XMEMMOVE(buf, buf + read_sz, (size_t)(*len - read_sz)); - *len -= read_sz; - msg_sizes[*msg_pos] -= read_sz; + ExpectTrue(client_args.return_code); + ExpectTrue(server_args.return_code); - /* if we are on dtls, discard the rest of the message */ - if (is_dtls && msg_sizes[*msg_pos] > 0) { - XMEMMOVE(buf, buf + msg_sizes[*msg_pos], (size_t)(*len - msg_sizes[*msg_pos])); - *len -= msg_sizes[*msg_pos]; - msg_sizes[*msg_pos] = 0; - } + FreeTcpReady(&ready); - /* If we've read the entire message */ - if (msg_sizes[*msg_pos] == 0) { - /* Move to next message */ - (*msg_pos)++; - if (*msg_pos >= *msg_count) { - *msg_pos = 0; - *msg_count = 0; - } - } +#ifdef WOLFSSL_TIRTOS + fdOpenSession(Task_self()); +#endif +#endif + return EXPECT_RESULT(); +} - return read_sz; +static int test_wolfSSL_read_write_ex(void) +{ + EXPECT_DECLS; + WOLFSSL_CTX *ctx_c = NULL; + WOLFSSL_CTX *ctx_s = NULL; + WOLFSSL *ssl_c = NULL; + WOLFSSL *ssl_s = NULL; + struct test_memio_ctx test_ctx; + const char *test_str = "test"; + int test_str_size; + size_t count; + byte buf[255]; + + XMEMSET(&test_ctx, 0, sizeof(test_ctx)); + ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s, + wolfSSLv23_client_method, wolfSSLv23_server_method), 0); + ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0); + test_str_size = XSTRLEN("test") + 1; + ExpectIntEQ(wolfSSL_write_ex(ssl_c, test_str, test_str_size, &count), + WOLFSSL_SUCCESS); + ExpectIntEQ(count, test_str_size); + count = 0; + ExpectIntEQ(wolfSSL_read_ex(ssl_s, buf, sizeof(buf), &count), WOLFSSL_SUCCESS); + ExpectIntEQ(count, test_str_size); + ExpectIntEQ(XSTRCMP((char*)buf, test_str), 0); + + + ExpectIntEQ(wolfSSL_shutdown(ssl_c), WOLFSSL_SHUTDOWN_NOT_DONE); + ExpectIntEQ(wolfSSL_shutdown(ssl_s), WOLFSSL_SHUTDOWN_NOT_DONE); + ExpectIntEQ(wolfSSL_shutdown(ssl_c), 1); + ExpectIntEQ(wolfSSL_shutdown(ssl_s), 1); + + wolfSSL_free(ssl_c); + wolfSSL_free(ssl_s); + wolfSSL_CTX_free(ctx_c); + wolfSSL_CTX_free(ctx_s); + return TEST_SUCCESS; } -int test_ssl_memio_setup(test_ssl_memio_ctx *ctx) +static int test_wolfSSL_reuse_WOLFSSLobj(void) { - EXPECT_DECLS_NO_MSGS(-2000); -#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE) - int c_sharedCtx = 0; - int s_sharedCtx = 0; + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_SESSION_CACHE) && \ + !defined(WOLFSSL_NO_TLS12) + /* The unit test for session resumption by reusing WOLFSSL object. + * WOLFSSL object is not cleared after first session. It reuse the object + * for second connection. + */ + tcp_ready ready; + func_args client_args; + func_args server_args; + THREAD_TYPE serverThread; + callback_functions client_cbf; + callback_functions server_cbf; + + XMEMSET(&client_args, 0, sizeof(func_args)); + XMEMSET(&server_args, 0, sizeof(func_args)); + XMEMSET(&client_cbf, 0, sizeof(callback_functions)); + XMEMSET(&server_cbf, 0, sizeof(callback_functions)); +#ifdef WOLFSSL_TIRTOS + fdOpenSession(Task_self()); #endif - const char* clientCertFile = cliCertFile; - const char* clientKeyFile = cliKeyFile; - const char* serverCertFile = svrCertFile; - const char* serverKeyFile = svrKeyFile; - /******************************** - * Create WOLFSSL_CTX for client. - ********************************/ -#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE) - if (ctx->c_ctx != NULL) { - c_sharedCtx = ctx->c_cb.isSharedCtx; - } - else + StartTCP(); + InitTcpReady(&ready); + +#if defined(USE_WINDOWS_API) + /* use RNG to get random port if using windows */ + ready.port = GetRandomPort(); #endif - { - WOLFSSL_METHOD* method = NULL; - if (ctx->c_cb.method != NULL) { - method = ctx->c_cb.method(); - } - else { - method = wolfSSLv23_client_method(); - } - ExpectNotNull(ctx->c_ctx = wolfSSL_CTX_new(method)); - } - wolfSSL_SetIORecv(ctx->c_ctx, test_ssl_memio_read_cb); - wolfSSL_SetIOSend(ctx->c_ctx, test_ssl_memio_write_cb); -#ifdef WOLFSSL_ENCRYPTED_KEYS - wolfSSL_CTX_set_default_passwd_cb(ctx->c_ctx, PasswordCallBack); -#endif - if (ctx->c_cb.caPemFile == NULL) - ExpectIntEQ(wolfSSL_CTX_load_verify_locations(ctx->c_ctx, - caCertFile, 0), WOLFSSL_SUCCESS); - else if (*ctx->c_cb.caPemFile != '\0') - ExpectIntEQ(wolfSSL_CTX_load_verify_locations(ctx->c_ctx, - ctx->c_cb.caPemFile, 0), WOLFSSL_SUCCESS); - if (ctx->c_cb.certPemFile != NULL) { - clientCertFile = ctx->c_cb.certPemFile; - } - if (ctx->c_cb.keyPemFile != NULL) { - clientKeyFile = ctx->c_cb.keyPemFile; - } -#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE) - if (!c_sharedCtx) -#endif - { - if (*clientCertFile != '\0') { - ExpectIntEQ(wolfSSL_CTX_use_certificate_chain_file(ctx->c_ctx, - clientCertFile), WOLFSSL_SUCCESS); - } - if (*clientKeyFile != '\0') { - ExpectIntEQ(wolfSSL_CTX_use_PrivateKey_file(ctx->c_ctx, clientKeyFile, - CERT_FILETYPE), WOLFSSL_SUCCESS); - } - } -#ifdef HAVE_CRL - if (ctx->c_cb.crlPemFile != NULL) { - ExpectIntEQ(wolfSSL_CTX_EnableCRL(ctx->c_ctx, WOLFSSL_CRL_CHECKALL), - WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CTX_LoadCRLFile(ctx->c_ctx, ctx->c_cb.crlPemFile, - CERT_FILETYPE), WOLFSSL_SUCCESS); - } -#endif - if (ctx->c_ciphers != NULL) { - ExpectIntEQ(wolfSSL_CTX_set_cipher_list(ctx->c_ctx, ctx->c_ciphers), - WOLFSSL_SUCCESS); - } - if (ctx->c_cb.ctx_ready != NULL) { - ExpectIntEQ(ctx->c_cb.ctx_ready(ctx->c_ctx), TEST_SUCCESS); - } + client_cbf.method = wolfTLSv1_2_client_method; + server_cbf.method = wolfTLSv1_2_server_method; + client_args.callbacks = &client_cbf; + server_args.callbacks = &server_cbf; - /******************************** - * Create WOLFSSL_CTX for server. - ********************************/ - if (ctx->s_ctx != NULL) { -#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE) - s_sharedCtx = 1; -#endif - ctx->s_cb.isSharedCtx = 1; - } - else - { - WOLFSSL_METHOD* method = NULL; - if (ctx->s_cb.method != NULL) { - method = ctx->s_cb.method(); - } - else { - method = wolfSSLv23_server_method(); - } - ExpectNotNull(ctx->s_ctx = wolfSSL_CTX_new(method)); - ctx->s_cb.isSharedCtx = 0; - } - if (!ctx->s_cb.ticNoInit && (ctx->s_ctx != NULL)) { -#if defined(HAVE_SESSION_TICKET) && \ - ((defined(HAVE_CHACHA) && defined(HAVE_POLY1305)) || defined(HAVE_AESGCM)) -#if defined(OPENSSL_EXTRA) && defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_256) - OpenSSLTicketInit(); - wolfSSL_CTX_set_tlsext_ticket_key_cb(ctx->s_ctx, myTicketEncCbOpenSSL); -#elif defined(WOLFSSL_NO_DEF_TICKET_ENC_CB) - TicketInit(); - wolfSSL_CTX_set_TicketEncCb(ctx->s_ctx, myTicketEncCb); -#endif -#endif - } - wolfSSL_SetIORecv(ctx->s_ctx, test_ssl_memio_read_cb); - wolfSSL_SetIOSend(ctx->s_ctx, test_ssl_memio_write_cb); - wolfSSL_CTX_set_verify(ctx->s_ctx, WOLFSSL_VERIFY_PEER | - WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0); - if (ctx->s_cb.caPemFile == NULL) - ExpectIntEQ(wolfSSL_CTX_load_verify_locations(ctx->s_ctx, - cliCertFile, 0), WOLFSSL_SUCCESS); - else if (*ctx->s_cb.caPemFile != '\0') - ExpectIntEQ(wolfSSL_CTX_load_verify_locations(ctx->s_ctx, - ctx->s_cb.caPemFile, 0), WOLFSSL_SUCCESS); -#ifdef WOLFSSL_ENCRYPTED_KEYS - wolfSSL_CTX_set_default_passwd_cb(ctx->s_ctx, PasswordCallBack); -#endif - if (ctx->s_cb.certPemFile != NULL) { - serverCertFile = ctx->s_cb.certPemFile; - } -#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE) - if (!s_sharedCtx) -#endif - { - if (*serverCertFile != '\0') { - ExpectIntEQ(wolfSSL_CTX_use_certificate_chain_file(ctx->s_ctx, - serverCertFile), WOLFSSL_SUCCESS); - } - } - if (ctx->s_cb.keyPemFile != NULL) { - serverKeyFile = ctx->s_cb.keyPemFile; - } -#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE) - if (!s_sharedCtx) -#endif - { - if (*serverKeyFile != '\0') { - ExpectIntEQ(wolfSSL_CTX_use_PrivateKey_file(ctx->s_ctx, serverKeyFile, - CERT_FILETYPE), WOLFSSL_SUCCESS); - } - } - if (ctx->s_ciphers != NULL) { - ExpectIntEQ(wolfSSL_CTX_set_cipher_list(ctx->s_ctx, ctx->s_ciphers), - WOLFSSL_SUCCESS); - } - if (ctx->s_cb.ctx_ready != NULL) { - ExpectIntEQ(ctx->s_cb.ctx_ready(ctx->s_ctx), TEST_SUCCESS); - } + server_args.signal = &ready; + client_args.signal = &ready; + /* the var is used for loop number */ + server_args.argc = 2; + + start_thread(test_server_loop, &server_args, &serverThread); + wait_tcp_ready(&server_args); + test_client_reuse_WOLFSSLobj(&client_args, NULL, &server_args); + join_thread(serverThread); + ExpectTrue(client_args.return_code); + ExpectTrue(server_args.return_code); - /**************************** - * Create WOLFSSL for client. - ****************************/ - ExpectNotNull(ctx->c_ssl = wolfSSL_new(ctx->c_ctx)); - wolfSSL_SetIOWriteCtx(ctx->c_ssl, ctx); - wolfSSL_SetIOReadCtx(ctx->c_ssl, ctx); -#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE) - if (c_sharedCtx) { - if (*clientCertFile != '\0') { - ExpectIntEQ(wolfSSL_use_certificate_chain_file(ctx->c_ssl, - clientCertFile), WOLFSSL_SUCCESS); - } - if (*clientKeyFile != '\0') { - ExpectIntEQ(wolfSSL_use_PrivateKey_file(ctx->c_ssl, clientKeyFile, - CERT_FILETYPE), WOLFSSL_SUCCESS); - } - } -#endif - if (ctx->c_cb.ssl_ready != NULL) { - ExpectIntEQ(ctx->c_cb.ssl_ready(ctx->c_ssl), TEST_SUCCESS); - } + FreeTcpReady(&ready); - /**************************** - * Create WOLFSSL for server. - ****************************/ - ExpectNotNull(ctx->s_ssl = wolfSSL_new(ctx->s_ctx)); - wolfSSL_SetIOWriteCtx(ctx->s_ssl, ctx); - wolfSSL_SetIOReadCtx(ctx->s_ssl, ctx); -#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE) - if (s_sharedCtx) { - if (*serverCertFile != '\0') { - ExpectIntEQ(wolfSSL_use_certificate_chain_file(ctx->s_ssl, - serverCertFile), WOLFSSL_SUCCESS); - } - if (*serverKeyFile != '\0') { - ExpectIntEQ(wolfSSL_use_PrivateKey_file(ctx->s_ssl, serverKeyFile, - CERT_FILETYPE), WOLFSSL_SUCCESS); - } - } -#endif -#if !defined(NO_FILESYSTEM) && !defined(NO_DH) - wolfSSL_SetTmpDH_file(ctx->s_ssl, dhParamFile, CERT_FILETYPE); -#elif !defined(NO_DH) - /* will repick suites with DHE, higher priority than PSK */ - SetDH(ctx->s_ssl); +#ifdef WOLFSSL_TIRTOS + fdOpenSession(Task_self()); #endif - if (ctx->s_cb.ssl_ready != NULL) { - ExpectIntEQ(ctx->s_cb.ssl_ready(ctx->s_ssl), TEST_SUCCESS); - } - +#endif /* defined(OPENSSL_EXTRA) && !defined(NO_SESSION_CACHE) && + * !defined(WOLFSSL_TLS13) */ return EXPECT_RESULT(); } -int test_ssl_memio_do_handshake(test_ssl_memio_ctx* ctx, int max_rounds, - int* rounds) +#if defined(OPENSSL_EXTRA) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) +static int test_wolfSSL_CTX_verifyDepth_ServerClient_1_ctx_ready( + WOLFSSL_CTX* ctx) { - int handshake_complete = 0; - int hs_c = 0; - int hs_s = 0; - int failing_s = 0; - int failing_c = 0; - int ret; - int err; - - if (rounds != NULL) { - *rounds = 0; - } - while ((!handshake_complete) && (max_rounds > 0)) { - if (!hs_c) { - wolfSSL_SetLoggingPrefix("client"); - ret = wolfSSL_connect(ctx->c_ssl); - wolfSSL_SetLoggingPrefix(NULL); - if (ret == WOLFSSL_SUCCESS) { - hs_c = 1; - } - else { - err = wolfSSL_get_error(ctx->c_ssl, ret); - if (err != WOLFSSL_ERROR_WANT_READ && - err != WOLFSSL_ERROR_WANT_WRITE) { - char buff[WOLFSSL_MAX_ERROR_SZ]; - fprintf(stderr, "error = %d, %s\n", err, - wolfSSL_ERR_error_string((word32)err, buff)); - failing_c = 1; - hs_c = 1; - if (failing_c && failing_s) { - break; - } - } - } - } - if (!hs_s) { - wolfSSL_SetLoggingPrefix("server"); - ret = wolfSSL_accept(ctx->s_ssl); - wolfSSL_SetLoggingPrefix(NULL); - if (ret == WOLFSSL_SUCCESS) { - hs_s = 1; - } - else { - err = wolfSSL_get_error(ctx->s_ssl, ret); - if (err != WOLFSSL_ERROR_WANT_READ && - err != WOLFSSL_ERROR_WANT_WRITE) { - char buff[WOLFSSL_MAX_ERROR_SZ]; - fprintf(stderr, "error = %d, %s\n", err, - wolfSSL_ERR_error_string((word32)err, buff)); - failing_s = 1; - hs_s = 1; - if (failing_c && failing_s) { - break; - } - } - } - } - handshake_complete = hs_c && hs_s; - max_rounds--; - if (rounds != NULL) { - *rounds += 1; - } - } - - if (!handshake_complete || failing_c || failing_s) { - return TEST_FAIL; - } - + wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, myVerify); + myVerifyAction = VERIFY_USE_PREVERIFY; + wolfSSL_CTX_set_verify_depth(ctx, 2); return TEST_SUCCESS; } +#endif -static int test_ssl_memio_read_write(test_ssl_memio_ctx* ctx) +static int test_wolfSSL_CTX_verifyDepth_ServerClient_1(void) { - EXPECT_DECLS_NO_MSGS(-3000); - char input[1024]; - int idx = 0; - const char* msg_c = "hello wolfssl!"; - int msglen_c = (int)XSTRLEN(msg_c); - const char* msg_s = "I hear you fa shizzle!"; - int msglen_s = (int)XSTRLEN(msg_s); + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) + test_ssl_cbf client_cbf; + test_ssl_cbf server_cbf; - if (ctx->c_msg != NULL) { - msg_c = ctx->c_msg; - msglen_c = ctx->c_msglen; - } - if (ctx->s_msg != NULL) { - msg_s = ctx->s_msg; - msglen_s = ctx->s_msglen; - } + XMEMSET(&client_cbf, 0, sizeof(client_cbf)); + XMEMSET(&server_cbf, 0, sizeof(server_cbf)); - wolfSSL_SetLoggingPrefix("client"); - ExpectIntEQ(wolfSSL_write(ctx->c_ssl, msg_c, msglen_c), msglen_c); - wolfSSL_SetLoggingPrefix("server"); - ExpectIntGT(idx = wolfSSL_read(ctx->s_ssl, input, sizeof(input) - 1), 0); - if (idx >= 0) { - input[idx] = '\0'; - } - ExpectIntGT(fprintf(stderr, "Client message: %s\n", input), 0); - ExpectIntEQ(wolfSSL_write(ctx->s_ssl, msg_s, msglen_s), msglen_s); - ctx->s_cb.return_code = EXPECT_RESULT(); - wolfSSL_SetLoggingPrefix("client"); - ExpectIntGT(idx = wolfSSL_read(ctx->c_ssl, input, sizeof(input) - 1), 0); - wolfSSL_SetLoggingPrefix(NULL); - if (idx >= 0) { - input[idx] = '\0'; - } - ExpectIntGT(fprintf(stderr, "Server response: %s\n", input), 0); - ctx->c_cb.return_code = EXPECT_RESULT(); - if (ctx->c_cb.on_result != NULL) { - ExpectIntEQ(ctx->c_cb.on_result(ctx->c_ssl), TEST_SUCCESS); - } - if (ctx->s_cb.on_result != NULL) { - ExpectIntEQ(ctx->s_cb.on_result(ctx->s_ssl), TEST_SUCCESS); - } +#ifdef WOLFSSL_TLS13 + client_cbf.method = wolfTLSv1_3_client_method; +#endif /* WOLFSSL_TLS13 */ + client_cbf.ctx_ready = + test_wolfSSL_CTX_verifyDepth_ServerClient_1_ctx_ready; + + /* test case 1 verify depth is equal to peer chain */ + ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cbf, + &server_cbf, NULL), TEST_SUCCESS); + + ExpectIntEQ(client_cbf.return_code, TEST_SUCCESS); + ExpectIntEQ(server_cbf.return_code, TEST_SUCCESS); +#endif /* OPENSSL_EXTRA && HAVE_SSL_MEMIO_TESTS_DEPENDENCIES */ return EXPECT_RESULT(); } -void test_ssl_memio_cleanup(test_ssl_memio_ctx* ctx) +#if defined(OPENSSL_EXTRA) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) +static int test_wolfSSL_CTX_verifyDepth_ServerClient_2_ctx_ready( + WOLFSSL_CTX* ctx) { - ctx->c_cb.last_err = wolfSSL_get_error(ctx->c_ssl, 0); - ctx->s_cb.last_err = wolfSSL_get_error(ctx->s_ssl, 0); - if (ctx->c_cb.on_cleanup != NULL) { - ctx->c_cb.on_cleanup(ctx->c_ssl); - } - if (ctx->s_cb.on_cleanup != NULL) { - ctx->s_cb.on_cleanup(ctx->s_ssl); - } - wolfSSL_shutdown(ctx->s_ssl); - wolfSSL_shutdown(ctx->c_ssl); - wolfSSL_free(ctx->s_ssl); - wolfSSL_free(ctx->c_ssl); - if (ctx->c_cb.on_ctx_cleanup != NULL) { - ctx->c_cb.on_ctx_cleanup(ctx->c_ctx); - } - if (!ctx->c_cb.isSharedCtx) { - wolfSSL_CTX_free(ctx->c_ctx); - ctx->c_ctx = NULL; - } - if (ctx->s_cb.on_ctx_cleanup != NULL) { - ctx->s_cb.on_ctx_cleanup(ctx->s_ctx); - } - if (!ctx->s_cb.isSharedCtx) { - wolfSSL_CTX_free(ctx->s_ctx); - ctx->s_ctx = NULL; - } - - if (!ctx->s_cb.ticNoInit) { -#if defined(HAVE_SESSION_TICKET) && \ - ((defined(HAVE_CHACHA) && defined(HAVE_POLY1305)) || defined(HAVE_AESGCM)) -#if defined(OPENSSL_EXTRA) && defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_256) - OpenSSLTicketCleanup(); -#elif defined(WOLFSSL_NO_DEF_TICKET_ENC_CB) - TicketCleanup(); -#endif -#endif - } + wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, myVerify); + myVerifyAction = VERIFY_OVERRIDE_ERROR; + wolfSSL_CTX_set_verify_depth(ctx, 0); + return TEST_SUCCESS; } +#endif -static int test_wolfSSL_client_server_nofail_memio_ex(test_ssl_cbf* client_cb, - test_ssl_cbf* server_cb, cbType client_on_handshake, - cbType server_on_handshake) +static int test_wolfSSL_CTX_verifyDepth_ServerClient_2(void) { - /* We use EXPECT_DECLS_NO_MSGS() here because this helper routine is used - * for numerous but varied expected-to-fail scenarios that should not emit - * error messages on the expected failures. Instead, we return a distinct - * code for each failure point, allowing the caller to assert on a - * particular mode of expected failure. On success, the usual TEST_SUCCESS - * is returned. - */ - EXPECT_DECLS_NO_MSGS(-1000); - struct test_ssl_memio_ctx test_ctx; -#ifdef WOLFSSL_HAVE_TLS_UNIQUE - size_t msg_len; -#endif /* WOLFSSL_HAVE_TLS_UNIQUE */ - - XMEMSET(&test_ctx, 0, sizeof(test_ctx)); - XMEMCPY(&test_ctx.c_cb, client_cb, sizeof(test_ssl_cbf)); - XMEMCPY(&test_ctx.s_cb, server_cb, sizeof(test_ssl_cbf)); - - test_ctx.c_ctx = client_cb->ctx; - test_ctx.s_ctx = server_cb->ctx; - test_ctx.c_cb.return_code = EXPECT_FAILURE_CODEPOINT_ID; - test_ctx.s_cb.return_code = EXPECT_FAILURE_CODEPOINT_ID; - - ExpectIntEQ(test_ssl_memio_setup(&test_ctx), TEST_SUCCESS); - ExpectIntEQ(test_ssl_memio_do_handshake(&test_ctx, 10, NULL), TEST_SUCCESS); + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) + test_ssl_cbf client_cbf; + test_ssl_cbf server_cbf; - if (client_on_handshake != NULL) { - ExpectIntEQ(client_on_handshake(test_ctx.c_ctx, test_ctx.c_ssl), - TEST_SUCCESS); - } - if (server_on_handshake != NULL) { - ExpectIntEQ(server_on_handshake(test_ctx.s_ctx, test_ctx.s_ssl), - TEST_SUCCESS); - } - if (client_cb->on_handshake != NULL) { - ExpectIntEQ(client_cb->on_handshake(&test_ctx.c_ctx, &test_ctx.c_ssl), - TEST_SUCCESS); - } - if (server_cb->on_handshake != NULL) { - ExpectIntEQ(server_cb->on_handshake(&test_ctx.s_ctx, &test_ctx.s_ssl), - TEST_SUCCESS); - } -#ifdef WOLFSSL_HAVE_TLS_UNIQUE - XMEMSET(server_side_msg2, 0, WC_MAX_DIGEST_SIZE); - msg_len = wolfSSL_get_peer_finished(test_ctx.s_ssl, server_side_msg2, - WC_MAX_DIGEST_SIZE); - ExpectIntGE(msg_len, 0); + XMEMSET(&client_cbf, 0, sizeof(client_cbf)); + XMEMSET(&server_cbf, 0, sizeof(server_cbf)); - XMEMSET(server_side_msg1, 0, WC_MAX_DIGEST_SIZE); - msg_len = wolfSSL_get_finished(test_ctx.s_ssl, server_side_msg1, - WC_MAX_DIGEST_SIZE); - ExpectIntGE(msg_len, 0); -#endif /* WOLFSSL_HAVE_TLS_UNIQUE */ +#ifdef WOLFSSL_TLS13 + client_cbf.method = wolfTLSv1_3_client_method; +#endif /* WOLFSSL_TLS13 */ + client_cbf.ctx_ready = + test_wolfSSL_CTX_verifyDepth_ServerClient_2_ctx_ready; - ExpectIntEQ(test_ssl_memio_read_write(&test_ctx), TEST_SUCCESS); - test_ssl_memio_cleanup(&test_ctx); + /* test case 2 + * verify depth is zero, number of peer's chain is 2. + * verify result becomes MAX_CHAIN_ERROR, but it is overridden in + * callback. + */ + ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cbf, + &server_cbf, NULL), TEST_SUCCESS); - client_cb->return_code = test_ctx.c_cb.return_code; - client_cb->last_err = test_ctx.c_cb.last_err; - server_cb->return_code = test_ctx.s_cb.return_code; - server_cb->last_err = test_ctx.s_cb.last_err; + ExpectIntEQ(client_cbf.return_code, TEST_SUCCESS); + ExpectIntEQ(server_cbf.return_code, TEST_SUCCESS); +#endif /* OPENSSL_EXTRA && HAVE_SSL_MEMIO_TESTS_DEPENDENCIES */ return EXPECT_RESULT(); } -int test_wolfSSL_client_server_nofail_memio(test_ssl_cbf* client_cb, - test_ssl_cbf* server_cb, cbType client_on_handshake) +#if defined(OPENSSL_EXTRA) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) +static int test_wolfSSL_CTX_verifyDepth_ServerClient_3_ctx_ready( + WOLFSSL_CTX* ctx) { - return (test_wolfSSL_client_server_nofail_memio_ex(client_cb, server_cb, - client_on_handshake, NULL)); + wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, myVerify); + myVerifyAction = VERIFY_USE_PREVERIFY; + wolfSSL_CTX_set_verify_depth(ctx, 0); + return TEST_SUCCESS; } #endif -#ifdef HAVE_IO_TESTS_DEPENDENCIES - -#ifdef WOLFSSL_SESSION_EXPORT -#ifdef WOLFSSL_DTLS -/* set up function for sending session information */ -static int test_export(WOLFSSL* inSsl, byte* buf, word32 sz, void* userCtx) +static int test_wolfSSL_CTX_verifyDepth_ServerClient_3(void) { - WOLFSSL_CTX* ctx = NULL; - WOLFSSL* ssl = NULL; + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) + test_ssl_cbf client_cbf; + test_ssl_cbf server_cbf; - AssertNotNull(inSsl); - AssertNotNull(buf); - AssertIntNE(0, sz); + XMEMSET(&client_cbf, 0, sizeof(client_cbf)); + XMEMSET(&server_cbf, 0, sizeof(server_cbf)); - /* Set ctx to DTLS 1.2 */ - ctx = wolfSSL_CTX_new(wolfDTLSv1_2_server_method()); - AssertNotNull(ctx); +#ifdef WOLFSSL_TLS13 + client_cbf.method = wolfTLSv1_3_client_method; +#endif /* WOLFSSL_TLS13 */ + client_cbf.ctx_ready = + test_wolfSSL_CTX_verifyDepth_ServerClient_3_ctx_ready; - ssl = wolfSSL_new(ctx); - AssertNotNull(ssl); + /* test case 3 + * verify depth is zero, number of peer's chain is 2 + * verify result becomes MAX_CHAIN_ERRO. call-back returns failure. + * therefore, handshake becomes failure. + */ + ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cbf, + &server_cbf, NULL), -1001); - AssertIntGE(wolfSSL_dtls_import(ssl, buf, sz), 0); + ExpectIntEQ(client_cbf.return_code, -1000); + ExpectIntEQ(server_cbf.return_code, -1000); + ExpectIntEQ(client_cbf.last_err, WC_NO_ERR_TRACE(MAX_CHAIN_ERROR)); + ExpectIntEQ(server_cbf.last_err, WC_NO_ERR_TRACE(FATAL_ERROR)); +#endif /* OPENSSL_EXTRA && HAVE_SSL_MEMIO_TESTS_DEPENDENCIES */ - wolfSSL_free(ssl); - wolfSSL_CTX_free(ctx); - (void)userCtx; - return 0; + return EXPECT_RESULT(); } -#endif -/* returns negative value on fail and positive (including 0) on success */ -static int nonblocking_accept_read(void* args, WOLFSSL* ssl, SOCKET_T* sockfd) -{ - int ret, err, loop_count, count, timeout = 10; - char msg[] = "I hear you fa shizzle!"; - char input[1024]; - - loop_count = ((func_args*)args)->argc; +#if defined(OPENSSL_ALL) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \ + !defined(WOLFSSL_NO_TLS12) && \ + defined(HAVE_ECC) && !defined(NO_AES) && !defined(NO_SHA256) +static int test_wolfSSL_CTX_set_cipher_list_server_ctx_ready(WOLFSSL_CTX* ctx) +{ + EXPECT_DECLS; + ExpectTrue(wolfSSL_CTX_set_cipher_list(ctx, "DEFAULT:!NULL")); + return EXPECT_RESULT(); +} - #ifdef WOLFSSL_ASYNC_CRYPT - err = 0; /* Reset error */ - #endif - do { - #ifdef WOLFSSL_ASYNC_CRYPT - if (err == WC_NO_ERR_TRACE(WC_PENDING_E)) { - ret = wolfSSL_AsyncPoll(ssl, WOLF_POLL_FLAG_CHECK_HW); - if (ret < 0) { break; } else if (ret == 0) { continue; } - } - #endif - ret = wolfSSL_accept(ssl); - err = wolfSSL_get_error(ssl, 0); +static int test_wolfSSL_CTX_set_cipher_list_client_ctx_ready(WOLFSSL_CTX* ctx) +{ + EXPECT_DECLS; + ExpectTrue(wolfSSL_CTX_set_cipher_list(ctx, "ECDHE-RSA-AES128-SHA256")); + return EXPECT_RESULT(); +} +#endif - if (err == WOLFSSL_ERROR_WANT_READ || - err == WOLFSSL_ERROR_WANT_WRITE) { - int select_ret; +static int test_wolfSSL_CTX_set_cipher_list(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_ALL) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \ + defined(HAVE_ECC) && !defined(NO_AES) && !defined(NO_SHA256) - err = WC_PENDING_E; - select_ret = tcp_select(*sockfd, timeout); - if (select_ret == TEST_TIMEOUT) { - return WOLFSSL_FATAL_ERROR; - } - } - } while (err == WC_NO_ERR_TRACE(WC_PENDING_E)); - if (ret != WOLFSSL_SUCCESS) { - char buff[WOLFSSL_MAX_ERROR_SZ]; - fprintf(stderr, "error = %d, %s\n", err, - wolfSSL_ERR_error_string(err, buff)); - return ret; - } + #if !defined(WOLFSSL_NO_TLS12) + WOLFSSL_CTX* ctxClient = NULL; + WOLFSSL* sslClient = NULL; + test_ssl_cbf client_cbf; + test_ssl_cbf server_cbf; - for (count = 0; count < loop_count; count++) { - int select_ret; + XMEMSET(&client_cbf, 0, sizeof(client_cbf)); + XMEMSET(&server_cbf, 0, sizeof(server_cbf)); - select_ret = tcp_select(*sockfd, timeout); - if (select_ret == TEST_TIMEOUT) { - ret = WOLFSSL_FATAL_ERROR; - break; - } + server_cbf.method = wolfTLSv1_2_server_method; + server_cbf.ctx_ready = test_wolfSSL_CTX_set_cipher_list_server_ctx_ready; + client_cbf.method = wolfTLSv1_2_client_method; + client_cbf.ctx_ready = test_wolfSSL_CTX_set_cipher_list_client_ctx_ready; - do { - ret = wolfSSL_read(ssl, input, sizeof(input)-1); - if (ret > 0) { - input[ret] = '\0'; - fprintf(stderr, "Client message: %s\n", input); - } - } while (err == WOLFSSL_ERROR_WANT_READ && ret != WOLFSSL_SUCCESS); + ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cbf, + &server_cbf, NULL), TEST_SUCCESS); - do { - if ((ret = wolfSSL_write(ssl, msg, sizeof(msg))) != sizeof(msg)) { - return WOLFSSL_FATAL_ERROR; - } - err = wolfSSL_get_error(ssl, ret); - } while (err == WOLFSSL_ERROR_WANT_READ && ret != WOLFSSL_SUCCESS); - } - return ret; -} -#endif /* WOLFSSL_SESSION_EXPORT */ + ExpectIntEQ(client_cbf.return_code, TEST_SUCCESS); + ExpectIntEQ(server_cbf.return_code, TEST_SUCCESS); -THREAD_RETURN WOLFSSL_THREAD test_server_nofail(void* args) -{ - SOCKET_T sockfd = 0; - SOCKET_T clientfd = 0; - word16 port; + /* check with cipher string that has '+' */ + ExpectNotNull((ctxClient = wolfSSL_CTX_new(wolfTLSv1_2_client_method()))); + /* Use trailing : with nothing to test for ASAN */ + ExpectTrue(wolfSSL_CTX_set_cipher_list(ctxClient, "ECDHE+AESGCM:")); + ExpectNotNull((sslClient = wolfSSL_new(ctxClient))); - callback_functions* cbf; - WOLFSSL_CTX* ctx = NULL; - WOLFSSL* ssl = NULL; - func_args* opts = (func_args*)args; + /* check for the existence of an ECDHE ECDSA cipher suite */ + if (EXPECT_SUCCESS()) { + int i = 0; + int found = 0; + const char* suite; - char msg[] = "I hear you fa shizzle!"; - char input[1024]; - int idx; - int ret, err = 0; - int sharedCtx = 0; - int doUdp = 0; - SOCKADDR_IN_T cliAddr; - socklen_t cliLen; - const char* certFile = svrCertFile; - const char* keyFile = svrKeyFile; + WOLF_STACK_OF(WOLFSSL_CIPHER)* sk = NULL; + WOLFSSL_CIPHER* current; -#ifdef WOLFSSL_HAVE_TLS_UNIQUE - size_t msg_len = 0; -#endif + ExpectNotNull((sk = wolfSSL_get_ciphers_compat(sslClient))); + do { + current = wolfSSL_sk_SSL_CIPHER_value(sk, i++); + if (current) { + suite = wolfSSL_CIPHER_get_name(current); + if (suite && XSTRSTR(suite, "ECDSA")) { + found = 1; + break; + } + } + } while (current); + ExpectIntEQ(found, 1); + } - wolfSSL_SetLoggingPrefix("server"); + wolfSSL_free(sslClient); + wolfSSL_CTX_free(ctxClient); -#ifdef WOLFSSL_TIRTOS - fdOpenSession(Task_self()); + #endif /* !WOLFSSL_NO_TLS12 */ #endif + return EXPECT_RESULT(); +} - opts->return_code = TEST_FAIL; - cbf = opts->callbacks; +#if defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \ + defined(WOLFSSL_HAVE_TLS_UNIQUE) +static int test_wolfSSL_get_finished_client_on_handshake(WOLFSSL_CTX* ctx, + WOLFSSL* ssl) +{ + EXPECT_DECLS; + size_t msg_len; - if (cbf != NULL && cbf->ctx) { - ctx = cbf->ctx; - sharedCtx = 1; - } - else - { - WOLFSSL_METHOD* method = NULL; - if (cbf != NULL && cbf->method != NULL) { - method = cbf->method(); + (void)ctx; - } - else { - method = wolfSSLv23_server_method(); - } - ctx = wolfSSL_CTX_new(method); - } - if (ctx == NULL) { - /* Release the wait for TCP ready. */ - signal_ready(opts->signal); - goto done; - } + /* get_finished test */ + /* 1. get own sent message */ + XMEMSET(client_side_msg1, 0, WC_MAX_DIGEST_SIZE); + msg_len = wolfSSL_get_finished(ssl, client_side_msg1, WC_MAX_DIGEST_SIZE); + ExpectIntGE(msg_len, 0); + /* 2. get peer message */ + XMEMSET(client_side_msg2, 0, WC_MAX_DIGEST_SIZE); + msg_len = wolfSSL_get_peer_finished(ssl, client_side_msg2, WC_MAX_DIGEST_SIZE); + ExpectIntGE(msg_len, 0); - if (cbf == NULL || !cbf->ticNoInit) { -#if defined(HAVE_SESSION_TICKET) && \ - ((defined(HAVE_CHACHA) && defined(HAVE_POLY1305)) || defined(HAVE_AESGCM)) -#if defined(OPENSSL_EXTRA) && defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_256) - OpenSSLTicketInit(); - wolfSSL_CTX_set_tlsext_ticket_key_cb(ctx, myTicketEncCbOpenSSL); -#elif defined(WOLFSSL_NO_DEF_TICKET_ENC_CB) - TicketInit(); - wolfSSL_CTX_set_TicketEncCb(ctx, myTicketEncCb); -#endif + return EXPECT_RESULT(); +} #endif - } -#if defined(USE_WINDOWS_API) - port = opts->signal->port; -#elif defined(NO_MAIN_DRIVER) && !defined(WOLFSSL_SNIFFER) && \ - !defined(WOLFSSL_MDK_SHELL) && !defined(WOLFSSL_TIRTOS) - /* Let tcp_listen assign port */ - port = 0; -#else - /* Use default port */ - port = wolfSSLPort; -#endif +static int test_wolfSSL_get_finished(void) +{ + EXPECT_DECLS; +#if defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \ + defined(WOLFSSL_HAVE_TLS_UNIQUE) + test_ssl_cbf client_cbf; + test_ssl_cbf server_cbf; - if (cbf != NULL) - doUdp = cbf->doUdp; + XMEMSET(&client_cbf, 0, sizeof(client_cbf)); + XMEMSET(&server_cbf, 0, sizeof(server_cbf)); - /* do it here to detect failure */ - tcp_accept( - &sockfd, &clientfd, opts, port, 0, doUdp, 0, 0, 1, 0, 0); + ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cbf, + &server_cbf, test_wolfSSL_get_finished_client_on_handshake), + TEST_SUCCESS); - if (doUdp) { - cliLen = sizeof(cliAddr); + /* test received msg vs sent msg */ + ExpectIntEQ(0, XMEMCMP(client_side_msg1, server_side_msg2, WC_MAX_DIGEST_SIZE)); + ExpectIntEQ(0, XMEMCMP(client_side_msg2, server_side_msg1, WC_MAX_DIGEST_SIZE)); +#endif /* HAVE_SSL_MEMIO_TESTS_DEPENDENCIES && WOLFSSL_HAVE_TLS_UNIQUE */ - idx = (int)recvfrom(sockfd, input, sizeof(input), MSG_PEEK, - (struct sockaddr*)&cliAddr, &cliLen); + return EXPECT_RESULT(); +} - AssertIntGT(idx, 0); - } - else { - CloseSocket(sockfd); - } +#if defined(HAVE_IO_TESTS_DEPENDENCIES) && defined(HAVE_EXT_CACHE) && \ + !defined(SINGLE_THREADED) && defined(WOLFSSL_TLS13) && \ + !defined(NO_SESSION_CACHE) - wolfSSL_CTX_set_verify(ctx, - WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0); +/* Sessions to restore/store */ +static WOLFSSL_SESSION* test_wolfSSL_CTX_add_session_client_sess; +static WOLFSSL_SESSION* test_wolfSSL_CTX_add_session_server_sess; +static WOLFSSL_CTX* test_wolfSSL_CTX_add_session_server_ctx; -#ifdef WOLFSSL_ENCRYPTED_KEYS - wolfSSL_CTX_set_default_passwd_cb(ctx, PasswordCallBack); +static void test_wolfSSL_CTX_add_session_ctx_ready(WOLFSSL_CTX* ctx) +{ + /* Don't store sessions. Lookup is still enabled. */ + AssertIntEQ(wolfSSL_CTX_set_session_cache_mode(ctx, + WOLFSSL_SESS_CACHE_NO_INTERNAL_STORE), WOLFSSL_SUCCESS); +#ifdef OPENSSL_EXTRA + AssertIntEQ(wolfSSL_CTX_get_session_cache_mode(ctx) & + WOLFSSL_SESS_CACHE_NO_INTERNAL_STORE, + WOLFSSL_SESS_CACHE_NO_INTERNAL_STORE); #endif + /* Require both peers to provide certs */ + wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, NULL); +} - if (wolfSSL_CTX_load_verify_locations(ctx, cliCertFile, 0) - != WOLFSSL_SUCCESS) { - /*err_sys("can't load ca file, Please run from wolfSSL home dir");*/ - goto done; - } +static void test_wolfSSL_CTX_add_session_on_result(WOLFSSL* ssl) +{ + WOLFSSL_SESSION** sess; +#ifdef WOLFSSL_MUTEX_INITIALIZER + static wolfSSL_Mutex m = WOLFSSL_MUTEX_INITIALIZER(m); - if (cbf != NULL && cbf->certPemFile != NULL) - certFile = cbf->certPemFile; -#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE) - if (!sharedCtx && wolfSSL_CTX_use_certificate_file(ctx, certFile, - CERT_FILETYPE) != WOLFSSL_SUCCESS) { -#else - if (wolfSSL_CTX_use_certificate_file(ctx, certFile, - CERT_FILETYPE) != WOLFSSL_SUCCESS) { + (void)wc_LockMutex(&m); #endif - /*err_sys("can't load server cert chain file, " - "Please run from wolfSSL home dir");*/ - goto done; - } - - if (cbf != NULL && cbf->keyPemFile != NULL) - keyFile = cbf->keyPemFile; -#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE) - if (!sharedCtx && wolfSSL_CTX_use_PrivateKey_file(ctx, keyFile, - CERT_FILETYPE) != WOLFSSL_SUCCESS) { + if (wolfSSL_is_server(ssl)) + sess = &test_wolfSSL_CTX_add_session_server_sess; + else + sess = &test_wolfSSL_CTX_add_session_client_sess; + if (*sess == NULL) { +#ifdef NO_SESSION_CACHE_REF + *sess = wolfSSL_get1_session(ssl); + AssertNotNull(*sess); #else - if (wolfSSL_CTX_use_PrivateKey_file(ctx, keyFile, - CERT_FILETYPE) != WOLFSSL_SUCCESS) { + /* Test for backwards compatibility */ + if (wolfSSL_is_server(ssl)) { + *sess = wolfSSL_get1_session(ssl); + AssertNotNull(*sess); + } + else { + *sess = wolfSSL_get_session(ssl); + AssertNotNull(*sess); + } #endif - /*err_sys("can't load server key file, " - "Please run from wolfSSL home dir");*/ - goto done; + /* Now save the session in the internal store to make it available + * for lookup. For TLS 1.3, we can't save the session without + * WOLFSSL_TICKET_HAVE_ID because there is no way to retrieve the + * session from cache. */ + if (wolfSSL_is_server(ssl) +#ifndef WOLFSSL_TICKET_HAVE_ID + && wolfSSL_version(ssl) != TLS1_3_VERSION +#endif + ) + AssertIntEQ(wolfSSL_CTX_add_session(wolfSSL_get_SSL_CTX(ssl), + *sess), WOLFSSL_SUCCESS); } - -#ifdef HAVE_CRL - if (cbf != NULL && cbf->crlPemFile != NULL) { - if (wolfSSL_CTX_EnableCRL(ctx, WOLFSSL_CRL_CHECKALL) != WOLFSSL_SUCCESS) - goto done; - if (wolfSSL_CTX_LoadCRLFile(ctx, cbf->crlPemFile, CERT_FILETYPE) - != WOLFSSL_SUCCESS) - goto done; + else { + /* If we have a session retrieved then remaining connections should be + * resuming on that session */ + AssertIntEQ(wolfSSL_session_reused(ssl), 1); } +#ifdef WOLFSSL_MUTEX_INITIALIZER + wc_UnLockMutex(&m); #endif - /* call ctx setup callback */ - if (cbf != NULL && cbf->ctx_ready != NULL) { - cbf->ctx_ready(ctx); + /* Save CTX to be able to decrypt tickets */ + if (wolfSSL_is_server(ssl) && + test_wolfSSL_CTX_add_session_server_ctx == NULL) { + test_wolfSSL_CTX_add_session_server_ctx = wolfSSL_get_SSL_CTX(ssl); + AssertNotNull(test_wolfSSL_CTX_add_session_server_ctx); + AssertIntEQ(wolfSSL_CTX_up_ref(wolfSSL_get_SSL_CTX(ssl)), + WOLFSSL_SUCCESS); } - - ssl = wolfSSL_new(ctx); - if (ssl == NULL) { - goto done; +#ifdef SESSION_CERTS +#ifndef WOLFSSL_TICKET_HAVE_ID + if (wolfSSL_version(ssl) != TLS1_3_VERSION && + wolfSSL_session_reused(ssl)) +#endif + { + /* With WOLFSSL_TICKET_HAVE_ID the peer certs should be available + * for all connections. TLS 1.3 only has tickets so if we don't + * include the session id in the ticket then the certificates + * will not be available on resumption. */ + #ifdef KEEP_PEER_CERT + WOLFSSL_X509* peer = wolfSSL_get_peer_certificate(ssl); + AssertNotNull(peer); + wolfSSL_X509_free(peer); + #endif + AssertNotNull(wolfSSL_SESSION_get_peer_chain(*sess)); + #ifdef OPENSSL_EXTRA + AssertNotNull(SSL_SESSION_get0_peer(*sess)); + #endif } +#endif /* SESSION_CERTS */ +} - if (doUdp) { - err = wolfSSL_dtls_set_peer(ssl, &cliAddr, cliLen); - if (err != WOLFSSL_SUCCESS) - goto done; - } +static void test_wolfSSL_CTX_add_session_ssl_ready(WOLFSSL* ssl) +{ + /* Set the session to reuse for the client */ + AssertIntEQ(wolfSSL_set_session(ssl, + test_wolfSSL_CTX_add_session_client_sess), WOLFSSL_SUCCESS); +} +#endif -#ifdef WOLFSSL_SESSION_EXPORT - /* only add in more complex nonblocking case with session export tests */ - if (args && opts->argc > 0) { - /* set as nonblock and time out for waiting on read/write */ - tcp_set_nonblocking(&clientfd); - wolfSSL_dtls_set_using_nonblock(ssl, 1); - } +static int test_wolfSSL_CTX_add_session(void) +{ + EXPECT_DECLS; +#if defined(HAVE_IO_TESTS_DEPENDENCIES) && defined(HAVE_EXT_CACHE) && \ + !defined(SINGLE_THREADED) && defined(WOLFSSL_TLS13) && \ + !defined(NO_SESSION_CACHE) + tcp_ready ready; + func_args client_args; + func_args server_args; + THREAD_TYPE serverThread; + callback_functions client_cb; + callback_functions server_cb; + method_provider methods[][2] = { +#if !defined(NO_OLD_TLS) && ((!defined(NO_AES) && !defined(NO_AES_CBC)) || \ + !defined(NO_DES3)) + /* Without AES there are almost no ciphersuites available. This leads + * to no ciphersuites being available and an error. */ + { wolfTLSv1_1_client_method, wolfTLSv1_1_server_method }, #endif -#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE) - if (sharedCtx && wolfSSL_use_certificate_file(ssl, certFile, - CERT_FILETYPE) != WOLFSSL_SUCCESS) { -#else - if (wolfSSL_use_certificate_file(ssl, certFile, - CERT_FILETYPE) != WOLFSSL_SUCCESS) { +#ifndef WOLFSSL_NO_TLS12 + { wolfTLSv1_2_client_method, wolfTLSv1_2_server_method }, #endif - /*err_sys("can't load server cert chain file, " - "Please run from wolfSSL home dir");*/ - goto done; - } -#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE) - if (sharedCtx && wolfSSL_use_PrivateKey_file(ssl, keyFile, - CERT_FILETYPE) != WOLFSSL_SUCCESS) { -#else - if (wolfSSL_use_PrivateKey_file(ssl, keyFile, - CERT_FILETYPE) != WOLFSSL_SUCCESS) { + /* Needs the default ticket callback since it is tied to the + * connection context and this makes it easy to carry over the ticket + * crypto context between connections */ +#if defined(WOLFSSL_TLS13) && !defined(WOLFSSL_NO_DEF_TICKET_ENC_CB) && \ + defined(HAVE_SESSION_TICKET) + { wolfTLSv1_3_client_method, wolfTLSv1_3_server_method }, #endif - /*err_sys("can't load server key file, " - "Please run from wolfSSL home dir");*/ - goto done; - } + }; + const size_t methodsLen = sizeof(methods)/sizeof(*methods); + size_t i, j; - if (wolfSSL_set_fd(ssl, clientfd) != WOLFSSL_SUCCESS) { - /*err_sys("SSL_set_fd failed");*/ - goto done; - } + for (i = 0; i < methodsLen; i++) { + /* First run creates a connection while the second+ run will attempt + * to resume the connection. The trick is that the internal cache + * is turned off. wolfSSL_CTX_add_session should put the session in + * the cache anyway. */ + test_wolfSSL_CTX_add_session_client_sess = NULL; + test_wolfSSL_CTX_add_session_server_sess = NULL; + test_wolfSSL_CTX_add_session_server_ctx = NULL; -#if !defined(NO_FILESYSTEM) && !defined(NO_DH) - wolfSSL_SetTmpDH_file(ssl, dhParamFile, CERT_FILETYPE); -#elif !defined(NO_DH) - SetDH(ssl); /* will repick suites with DHE, higher priority than PSK */ +#ifdef NO_SESSION_CACHE_REF + for (j = 0; j < 4; j++) { +#else + /* The session may be overwritten in this case. Do only one resumption + * to stop this test from failing intermittently. */ + for (j = 0; j < 2; j++) { #endif - - /* call ssl setup callback */ - if (cbf != NULL && cbf->ssl_ready != NULL) { - cbf->ssl_ready(ssl); - } - -#ifdef WOLFSSL_SESSION_EXPORT - /* only add in more complex nonblocking case with session export tests */ - if (opts->argc > 0) { - ret = nonblocking_accept_read(args, ssl, &clientfd); - if (ret >= 0) { - opts->return_code = TEST_SUCCESS; - } - #ifdef WOLFSSL_TIRTOS - Task_yield(); - #endif - goto done; - } +#ifdef WOLFSSL_TIRTOS + fdOpenSession(Task_self()); #endif - WOLFSSL_ASYNC_WHILE_PENDING(ret = wolfSSL_negotiate(ssl), - ret != WOLFSSL_SUCCESS); - if (ret != WOLFSSL_SUCCESS) { - char buff[WOLFSSL_MAX_ERROR_SZ]; - fprintf(stderr, "error = %d, %s\n", err, - wolfSSL_ERR_error_string((word32)err, buff)); - /*err_sys("SSL_accept failed");*/ - goto done; - } + StartTCP(); + InitTcpReady(&ready); -#ifdef WOLFSSL_HAVE_TLS_UNIQUE - XMEMSET(server_side_msg2, 0, WC_MAX_DIGEST_SIZE); - msg_len = wolfSSL_get_peer_finished(ssl, server_side_msg2, WC_MAX_DIGEST_SIZE); - AssertIntGE(msg_len, 0); + XMEMSET(&client_args, 0, sizeof(func_args)); + XMEMSET(&server_args, 0, sizeof(func_args)); - XMEMSET(server_side_msg1, 0, WC_MAX_DIGEST_SIZE); - msg_len = wolfSSL_get_finished(ssl, server_side_msg1, WC_MAX_DIGEST_SIZE); - AssertIntGE(msg_len, 0); -#endif /* WOLFSSL_HAVE_TLS_UNIQUE */ + XMEMSET(&client_cb, 0, sizeof(callback_functions)); + XMEMSET(&server_cb, 0, sizeof(callback_functions)); + client_cb.method = methods[i][0]; + server_cb.method = methods[i][1]; - idx = wolfSSL_read(ssl, input, sizeof(input)-1); - if (idx > 0) { - input[idx] = '\0'; - fprintf(stderr, "Client message: %s\n", input); - } - else if (idx < 0) { - goto done; - } - - if (wolfSSL_write(ssl, msg, sizeof(msg)) != sizeof(msg)) { - /*err_sys("SSL_write failed");*/ - goto done; - } - - if (cbf != NULL && cbf->on_result != NULL) - cbf->on_result(ssl); - -#ifdef WOLFSSL_TIRTOS - Task_yield(); -#endif + server_args.signal = &ready; + server_args.callbacks = &server_cb; + client_args.signal = &ready; + client_args.callbacks = &client_cb; - opts->return_code = TEST_SUCCESS; + if (test_wolfSSL_CTX_add_session_server_ctx != NULL) { + server_cb.ctx = test_wolfSSL_CTX_add_session_server_ctx; + server_cb.isSharedCtx = 1; + } + server_cb.ctx_ready = test_wolfSSL_CTX_add_session_ctx_ready; + client_cb.ctx_ready = test_wolfSSL_CTX_add_session_ctx_ready; + if (j != 0) + client_cb.ssl_ready = test_wolfSSL_CTX_add_session_ssl_ready; + server_cb.on_result = test_wolfSSL_CTX_add_session_on_result; + client_cb.on_result = test_wolfSSL_CTX_add_session_on_result; + server_cb.ticNoInit = 1; /* Use default builtin */ -done: - if (cbf != NULL) - cbf->last_err = err; - if (cbf != NULL && cbf->on_cleanup != NULL) - cbf->on_cleanup(ssl); + start_thread(test_server_nofail, &server_args, &serverThread); + wait_tcp_ready(&server_args); + test_client_nofail(&client_args, NULL); + join_thread(serverThread); - wolfSSL_shutdown(ssl); - wolfSSL_free(ssl); - if (!sharedCtx) - wolfSSL_CTX_free(ctx); + ExpectTrue(client_args.return_code); + ExpectTrue(server_args.return_code); - CloseSocket(clientfd); + FreeTcpReady(&ready); -#ifdef WOLFSSL_TIRTOS - fdCloseSession(Task_self()); -#endif + if (EXPECT_FAIL()) + break; + } + wolfSSL_SESSION_free(test_wolfSSL_CTX_add_session_client_sess); + wolfSSL_SESSION_free(test_wolfSSL_CTX_add_session_server_sess); + wolfSSL_CTX_free(test_wolfSSL_CTX_add_session_server_ctx); -#if defined(NO_MAIN_DRIVER) && defined(HAVE_ECC) && defined(FP_ECC) \ - && defined(HAVE_THREAD_LS) - wc_ecc_fp_free(); /* free per thread cache */ + if (EXPECT_FAIL()) + break; + } #endif - if (cbf == NULL || !cbf->ticNoInit) { -#if defined(HAVE_SESSION_TICKET) && \ - ((defined(HAVE_CHACHA) && defined(HAVE_POLY1305)) || defined(HAVE_AESGCM)) -#if defined(OPENSSL_EXTRA) && defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_256) - OpenSSLTicketCleanup(); -#elif defined(WOLFSSL_NO_DEF_TICKET_ENC_CB) - TicketCleanup(); -#endif -#endif - } + return EXPECT_RESULT(); +} +#if defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && defined(HAVE_EXT_CACHE) && \ + defined(WOLFSSL_TLS13) && !defined(NO_SESSION_CACHE) && \ + defined(OPENSSL_EXTRA) && defined(SESSION_CERTS) && \ + defined(HAVE_SESSION_TICKET) && \ + !defined(TITAN_SESSION_CACHE) && \ + !defined(HUGE_SESSION_CACHE) && \ + !defined(BIG_SESSION_CACHE) && \ + !defined(MEDIUM_SESSION_CACHE) - wolfSSL_SetLoggingPrefix(NULL); +/* twcase - prefix for test_wolfSSL_CTX_add_session_ext */ +/* Sessions to restore/store */ +static WOLFSSL_SESSION* twcase_server_first_session_ptr; +static WOLFSSL_SESSION* twcase_client_first_session_ptr; +static WOLFSSL_CTX* twcase_server_current_ctx_ptr; +static int twcase_new_session_called = 0; +static int twcase_remove_session_called = 0; +static int twcase_get_session_called = 0; - WOLFSSL_RETURN_FROM_THREAD(0); -} +/* Test default, SESSIONS_PER_ROW*SESSION_ROWS = 3*11, see ssl.c */ +#define SESSION_CACHE_SIZE 33 -#if defined(OPENSSL_EXTRA) && !defined(NO_SESSION_CACHE) && \ - !defined(WOLFSSL_NO_TLS12) -static THREAD_RETURN WOLFSSL_THREAD test_server_loop(void* args) -{ - SOCKET_T sockfd; - SOCKET_T clientfd = -1; - word16 port; +typedef struct { + const byte* key; /* key, altSessionID, session ID, NULL if empty */ + WOLFSSL_SESSION* value; +} hashTable_entry; - callback_functions* cbf; - WOLFSSL_CTX* ctx = 0; - WOLFSSL* ssl = 0; +typedef struct { + hashTable_entry entries[SESSION_CACHE_SIZE]; /* hash slots */ + size_t capacity; /* size of entries */ + size_t length; /* number of items in the hash table */ + wolfSSL_Mutex htLock; /* lock */ +}hashTable; - char msg[] = "I hear you fa shizzle!"; - char input[1024]; - int idx; - int ret, err = 0; - int sharedCtx = 0; - func_args* opts = (func_args*)args; - int loop_count = opts->argc; - int count = 0; +static hashTable server_sessionCache; -#ifdef WOLFSSL_TIRTOS - fdOpenSession(Task_self()); -#endif +static int twcase_new_sessionCb(WOLFSSL *ssl, WOLFSSL_SESSION *sess) +{ + int i; + unsigned int len; + (void)ssl; - opts->return_code = TEST_FAIL; - cbf = opts->callbacks; + /* + * This example uses a hash table. + * Steps you should take for a non-demo code: + * - acquire a lock for the file named according to the session id + * - open the file + * - encrypt and write the SSL_SESSION object to the file + * - release the lock + * + * Return: + * 0: The callback does not wish to hold a reference of the sess + * 1: The callback wants to hold a reference of the sess. The callback is + * now also responsible for calling wolfSSL_SESSION_free() on sess. + */ + if (sess == NULL) + return 0; -#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE) - if (cbf != NULL && cbf->ctx) { - ctx = cbf->ctx; - sharedCtx = 1; + if (wc_LockMutex(&server_sessionCache.htLock) != 0) { + return 0; } - else -#endif - { - WOLFSSL_METHOD* method = NULL; - if (cbf != NULL && cbf->method != NULL) { - method = cbf->method(); - } - else { - method = wolfSSLv23_server_method(); + for (i = 0; i < SESSION_CACHE_SIZE; i++) { + if (server_sessionCache.entries[i].value == NULL) { + server_sessionCache.entries[i].key = SSL_SESSION_get_id(sess, &len); + server_sessionCache.entries[i].value = sess; + server_sessionCache.length++; + break; } - ctx = wolfSSL_CTX_new(method); } + ++twcase_new_session_called; + wc_UnLockMutex(&server_sessionCache.htLock); + fprintf(stderr, "\t\ttwcase_new_session_called %d\n", + twcase_new_session_called); + return 1; +} -#if defined(USE_WINDOWS_API) - port = opts->signal->port; -#elif defined(NO_MAIN_DRIVER) && !defined(WOLFSSL_SNIFFER) && \ - !defined(WOLFSSL_MDK_SHELL) && !defined(WOLFSSL_TIRTOS) - /* Let tcp_listen assign port */ - port = 0; -#else - /* Use default port */ - port = wolfSSLPort; -#endif - - wolfSSL_CTX_set_verify(ctx, - WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0); - -#ifdef WOLFSSL_ENCRYPTED_KEYS - wolfSSL_CTX_set_default_passwd_cb(ctx, PasswordCallBack); -#endif +static void twcase_remove_sessionCb(WOLFSSL_CTX *ctx, WOLFSSL_SESSION *sess) +{ + int i; + (void)ctx; + (void)sess; - if (wolfSSL_CTX_load_verify_locations(ctx, cliCertFile, 0) - != WOLFSSL_SUCCESS) { - /*err_sys("can't load ca file, Please run from wolfSSL home dir");*/ - /* Release the wait for TCP ready. */ - signal_ready(opts->signal); - goto done; - } - if (!sharedCtx && wolfSSL_CTX_use_certificate_file(ctx, svrCertFile, - CERT_FILETYPE) != WOLFSSL_SUCCESS) { - /*err_sys("can't load server cert chain file, " - "Please run from wolfSSL home dir");*/ - /* Release the wait for TCP ready. */ - signal_ready(opts->signal); - goto done; - } - if (!sharedCtx && wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, - CERT_FILETYPE) != WOLFSSL_SUCCESS) { - /*err_sys("can't load server key file, " - "Please run from wolfSSL home dir");*/ - /* Release the wait for TCP ready. */ - signal_ready(opts->signal); - goto done; - } - /* call ctx setup callback */ - if (cbf != NULL && cbf->ctx_ready != NULL) { - cbf->ctx_ready(ctx); + if (sess == NULL) + return; + /* + * This example uses a hash table. + * Steps you should take for a non-demo code: + * - acquire a lock for the file named according to the session id + * - remove the file + * - release the lock + */ + if (wc_LockMutex(&server_sessionCache.htLock) != 0) { + return; } - - while (count != loop_count) { - ssl = wolfSSL_new(ctx); - if (ssl == NULL) { - signal_ready(opts->signal); - goto done; - } - if (sharedCtx && wolfSSL_use_certificate_file(ssl, svrCertFile, - CERT_FILETYPE) != WOLFSSL_SUCCESS) { - /*err_sys("can't load server cert chain file, " - "Please run from wolfSSL home dir");*/ - /* Release the wait for TCP ready. */ - signal_ready(opts->signal); - goto done; - } - if (sharedCtx && wolfSSL_use_PrivateKey_file(ssl, svrKeyFile, - CERT_FILETYPE) != WOLFSSL_SUCCESS) { - /*err_sys("can't load server key file, " - "Please run from wolfSSL home dir");*/ - /* Release the wait for TCP ready. */ - signal_ready(opts->signal); - goto done; - } - -#if !defined(NO_FILESYSTEM) && !defined(NO_DH) - wolfSSL_SetTmpDH_file(ssl, dhParamFile, CERT_FILETYPE); -#elif !defined(NO_DH) - SetDH(ssl); /* will repick suites with DHE, higher priority than PSK */ -#endif - /* call ssl setup callback */ - if (cbf != NULL && cbf->ssl_ready != NULL) { - cbf->ssl_ready(ssl); - } - /* do it here to detect failure */ - tcp_accept(&sockfd, &clientfd, (func_args*)args, port, 0, 0, 0, 0, 1, 0, - 0); - CloseSocket(sockfd); - if (wolfSSL_set_fd(ssl, clientfd) != WOLFSSL_SUCCESS) { - /*err_sys("SSL_set_fd failed");*/ - goto done; + for (i = 0; i < SESSION_CACHE_SIZE; i++) { + if (server_sessionCache.entries[i].key != NULL && + XMEMCMP(server_sessionCache.entries[i].key, + sess->sessionID, SSL_MAX_SSL_SESSION_ID_LENGTH) == 0) { + wolfSSL_SESSION_free(server_sessionCache.entries[i].value); + server_sessionCache.entries[i].value = NULL; + server_sessionCache.entries[i].key = NULL; + server_sessionCache.length--; + break; } + } + ++twcase_remove_session_called; + wc_UnLockMutex(&server_sessionCache.htLock); + fprintf(stderr, "\t\ttwcase_remove_session_called %d\n", + twcase_remove_session_called); +} - WOLFSSL_ASYNC_WHILE_PENDING(ret = wolfSSL_accept(ssl), - ret != WOLFSSL_SUCCESS); - if (ret != WOLFSSL_SUCCESS) { - char buff[WOLFSSL_MAX_ERROR_SZ]; - fprintf(stderr, "error = %d, %s\n", err, - wolfSSL_ERR_error_string(err, buff)); - /*err_sys("SSL_accept failed");*/ - goto done; - } +static WOLFSSL_SESSION *twcase_get_sessionCb(WOLFSSL *ssl, + const unsigned char *id, int len, int *ref) +{ + int i; + (void)ssl; + (void)id; + (void)len; - idx = wolfSSL_read(ssl, input, sizeof(input)-1); - if (idx > 0) { - input[idx] = '\0'; - fprintf(stderr, "Client message: %s\n", input); - } + /* + * This example uses a hash table. + * Steps you should take for a non-demo code: + * - acquire a lock for the file named according to the session id in the + * 2nd arg + * - read and decrypt contents of file and create a new SSL_SESSION + * - object release the lock + * - return the new session object + */ + fprintf(stderr, "\t\ttwcase_get_session_called %d\n", + ++twcase_get_session_called); + /* This callback want to retain a copy of the object. If we want wolfSSL to + * be responsible for the pointer then set to 0. */ + *ref = 1; - if (wolfSSL_write(ssl, msg, sizeof(msg)) != sizeof(msg)) { - /*err_sys("SSL_write failed");*/ - goto done; + for (i = 0; i < SESSION_CACHE_SIZE; i++) { + if (server_sessionCache.entries[i].key != NULL && + XMEMCMP(server_sessionCache.entries[i].key, id, + SSL_MAX_SSL_SESSION_ID_LENGTH) == 0) { + return server_sessionCache.entries[i].value; } - /* free ssl for this connection */ - wolfSSL_shutdown(ssl); - wolfSSL_free(ssl); ssl = NULL; - CloseSocket(clientfd); - clientfd = -1; - - count++; } -#ifdef WOLFSSL_TIRTOS - Task_yield(); -#endif + return NULL; +} +static int twcase_get_sessionCb_cleanup(void) +{ + int i; + int cnt = 0; - opts->return_code = TEST_SUCCESS; + /* If twcase_get_sessionCb sets *ref = 1, the application is responsible + * for freeing sessions */ -done: - if (ssl != NULL) { - wolfSSL_shutdown(ssl); - wolfSSL_free(ssl); + for (i = 0; i < SESSION_CACHE_SIZE; i++) { + if (server_sessionCache.entries[i].value != NULL) { + wolfSSL_SESSION_free(server_sessionCache.entries[i].value); + cnt++; + } } - if (!sharedCtx) - wolfSSL_CTX_free(ctx); - if (clientfd != SOCKET_INVALID) - CloseSocket(clientfd); + fprintf(stderr, "\t\ttwcase_get_sessionCb_cleanup freed %d sessions\n", + cnt); -#ifdef WOLFSSL_TIRTOS - fdCloseSession(Task_self()); -#endif + return TEST_SUCCESS; +} -#if defined(NO_MAIN_DRIVER) && defined(HAVE_ECC) && defined(FP_ECC) \ - && defined(HAVE_THREAD_LS) - wc_ecc_fp_free(); /* free per thread cache */ +static int twcase_cache_intOff_extOff(WOLFSSL_CTX* ctx) +{ + EXPECT_DECLS; + /* off - Disable internal cache */ + ExpectIntEQ(wolfSSL_CTX_set_session_cache_mode(ctx, + WOLFSSL_SESS_CACHE_NO_INTERNAL_STORE), WOLFSSL_SUCCESS); +#ifdef OPENSSL_EXTRA + ExpectIntEQ(wolfSSL_CTX_get_session_cache_mode(ctx) & + WOLFSSL_SESS_CACHE_NO_INTERNAL_STORE, + WOLFSSL_SESS_CACHE_NO_INTERNAL_STORE); #endif + /* off - Do not setup external cache */ - WOLFSSL_RETURN_FROM_THREAD(0); + /* Require both peers to provide certs */ + wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, NULL); + return EXPECT_RESULT(); } -#endif /* defined(OPENSSL_EXTRA) && !defined(NO_SESSION_CACHE) && !defined(WOLFSSL_TLS13) */ -int test_client_nofail(void* args, cbType cb) +static int twcase_cache_intOn_extOff(WOLFSSL_CTX* ctx) { -#if !defined(NO_WOLFSSL_CLIENT) - SOCKET_T sockfd = 0; - callback_functions* cbf; - - WOLFSSL_CTX* ctx = 0; - WOLFSSL* ssl = 0; - WOLFSSL_CIPHER* cipher; + /* on - internal cache is on by default */ + /* off - Do not setup external cache */ + /* Require both peers to provide certs */ + wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, NULL); + return TEST_SUCCESS; +} - char msg[64] = "hello wolfssl!"; - char reply[1024]; - int input; - int msgSz = (int)XSTRLEN(msg); - int ret, err = 0; - int cipherSuite; - int sharedCtx = 0; - int doUdp = 0; - const char* cipherName1, *cipherName2; +static int twcase_cache_intOff_extOn(WOLFSSL_CTX* ctx) +{ + EXPECT_DECLS; + /* off - Disable internal cache */ + ExpectIntEQ(wolfSSL_CTX_set_session_cache_mode(ctx, + WOLFSSL_SESS_CACHE_NO_INTERNAL_STORE), WOLFSSL_SUCCESS); +#ifdef OPENSSL_EXTRA + ExpectIntEQ(wolfSSL_CTX_get_session_cache_mode(ctx) & + WOLFSSL_SESS_CACHE_NO_INTERNAL_STORE, + WOLFSSL_SESS_CACHE_NO_INTERNAL_STORE); +#endif + /* on - Enable external cache */ + wolfSSL_CTX_sess_set_new_cb(ctx, twcase_new_sessionCb); + wolfSSL_CTX_sess_set_remove_cb(ctx, twcase_remove_sessionCb); + wolfSSL_CTX_sess_set_get_cb(ctx, twcase_get_sessionCb); - wolfSSL_SetLoggingPrefix("client"); + /* Require both peers to provide certs */ + wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, NULL); + return EXPECT_RESULT(); +} -#ifdef WOLFSSL_TIRTOS - fdOpenSession(Task_self()); -#endif +static int twcase_cache_intOn_extOn(WOLFSSL_CTX* ctx) +{ + /* on - internal cache is on by default */ + /* on - Enable external cache */ + wolfSSL_CTX_sess_set_new_cb(ctx, twcase_new_sessionCb); + wolfSSL_CTX_sess_set_remove_cb(ctx, twcase_remove_sessionCb); + wolfSSL_CTX_sess_set_get_cb(ctx, twcase_get_sessionCb); - ((func_args*)args)->return_code = TEST_FAIL; - cbf = ((func_args*)args)->callbacks; + /* Require both peers to provide certs */ + wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, NULL); + return TEST_SUCCESS; +} +static int twcase_cache_intOn_extOn_noTicket(WOLFSSL_CTX* ctx) +{ + /* on - internal cache is on by default */ + /* on - Enable external cache */ + wolfSSL_CTX_sess_set_new_cb(ctx, twcase_new_sessionCb); + wolfSSL_CTX_sess_set_remove_cb(ctx, twcase_remove_sessionCb); + wolfSSL_CTX_sess_set_get_cb(ctx, twcase_get_sessionCb); -#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE) - if (cbf != NULL && cbf->ctx) { - ctx = cbf->ctx; - sharedCtx = cbf->isSharedCtx; - } + wolfSSL_CTX_set_options(ctx, WOLFSSL_OP_NO_TICKET); + /* Require both peers to provide certs */ + wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, NULL); + return TEST_SUCCESS; +} +static int twcase_server_sess_ctx_pre_shutdown(WOLFSSL* ssl) +{ + EXPECT_DECLS; + WOLFSSL_SESSION** sess; + if (wolfSSL_is_server(ssl)) + sess = &twcase_server_first_session_ptr; else + return TEST_SUCCESS; + + if (*sess == NULL) { + ExpectNotNull(*sess = wolfSSL_get1_session(ssl)); + /* Now save the session in the internal store to make it available + * for lookup. For TLS 1.3, we can't save the session without + * WOLFSSL_TICKET_HAVE_ID because there is no way to retrieve the + * session from cache. */ + if (wolfSSL_is_server(ssl) +#ifndef WOLFSSL_TICKET_HAVE_ID + && wolfSSL_version(ssl) != TLS1_3_VERSION + && wolfSSL_version(ssl) != DTLS1_3_VERSION #endif - { - WOLFSSL_METHOD* method = NULL; - if (cbf != NULL && cbf->method != NULL) { - method = cbf->method(); - } - else { - method = wolfSSLv23_client_method(); + ) { + ExpectIntEQ(wolfSSL_CTX_add_session(wolfSSL_get_SSL_CTX(ssl), + *sess), WOLFSSL_SUCCESS); } - ctx = wolfSSL_CTX_new(method); } - - if (cbf != NULL) - doUdp = cbf->doUdp; - -#ifdef WOLFSSL_ENCRYPTED_KEYS - wolfSSL_CTX_set_default_passwd_cb(ctx, PasswordCallBack); -#endif - - /* Do connect here so server detects failures */ - tcp_connect(&sockfd, wolfSSLIP, ((func_args*)args)->signal->port, - doUdp, 0, NULL); - /* Connect the socket so that we don't have to set the peer later on */ - if (doUdp) - udp_connect(&sockfd, wolfSSLIP, ((func_args*)args)->signal->port); - - if (wolfSSL_CTX_load_verify_locations(ctx, caCertFile, 0) != WOLFSSL_SUCCESS) - { - /* err_sys("can't load ca file, Please run from wolfSSL home dir");*/ - goto done; - } -#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE) - if (!sharedCtx && wolfSSL_CTX_use_certificate_file(ctx, cliCertFile, - CERT_FILETYPE) != WOLFSSL_SUCCESS) { -#else - if (wolfSSL_CTX_use_certificate_file(ctx, cliCertFile, - CERT_FILETYPE) != WOLFSSL_SUCCESS) { -#endif - /*err_sys("can't load client cert file, " - "Please run from wolfSSL home dir");*/ - goto done; + /* Save CTX to be able to decrypt tickets */ + if (twcase_server_current_ctx_ptr == NULL) { + ExpectNotNull(twcase_server_current_ctx_ptr = wolfSSL_get_SSL_CTX(ssl)); + ExpectIntEQ(wolfSSL_CTX_up_ref(wolfSSL_get_SSL_CTX(ssl)), + WOLFSSL_SUCCESS); } -#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE) - if (!sharedCtx && wolfSSL_CTX_use_PrivateKey_file(ctx, cliKeyFile, - CERT_FILETYPE) != WOLFSSL_SUCCESS) { -#else - if (wolfSSL_CTX_use_PrivateKey_file(ctx, cliKeyFile, - CERT_FILETYPE) != WOLFSSL_SUCCESS) { +#ifdef SESSION_CERTS +#ifndef WOLFSSL_TICKET_HAVE_ID + if (wolfSSL_version(ssl) != TLS1_3_VERSION && + wolfSSL_session_reused(ssl)) #endif - - /*err_sys("can't load client key file, " - "Please run from wolfSSL home dir");*/ - goto done; - } - -#ifdef WOLFSSL_SRTP - /* make sure that NULL (error condition) returns 1 */ - if (wolfSSL_CTX_set_tlsext_use_srtp(ctx, NULL) != 1) { - goto done; + { + /* With WOLFSSL_TICKET_HAVE_ID the peer certs should be available + * for all connections. TLS 1.3 only has tickets so if we don't + * include the session id in the ticket then the certificates + * will not be available on resumption. */ + #ifdef KEEP_PEER_CERT + WOLFSSL_X509* peer = NULL; + ExpectNotNull(peer = wolfSSL_get_peer_certificate(ssl)); + wolfSSL_X509_free(peer); + #endif + ExpectNotNull(wolfSSL_SESSION_get_peer_chain(*sess)); } #endif + return EXPECT_RESULT(); +} -#ifdef HAVE_CRL - if (cbf != NULL && cbf->crlPemFile != NULL) { - if (wolfSSL_CTX_EnableCRL(ctx, WOLFSSL_CRL_CHECKALL) != WOLFSSL_SUCCESS) - goto done; - if (wolfSSL_CTX_LoadCRLFile(ctx, cbf->crlPemFile, CERT_FILETYPE) - != WOLFSSL_SUCCESS) - goto done; +static int twcase_client_sess_ctx_pre_shutdown(WOLFSSL* ssl) +{ + EXPECT_DECLS; + WOLFSSL_SESSION** sess; + sess = &twcase_client_first_session_ptr; + if (*sess == NULL) { + ExpectNotNull(*sess = wolfSSL_get1_session(ssl)); } -#endif - - /* call ctx setup callback */ - if (cbf != NULL && cbf->ctx_ready != NULL) { - cbf->ctx_ready(ctx); + else { + /* If we have a session retrieved then remaining connections should be + * resuming on that session */ + ExpectIntEQ(wolfSSL_session_reused(ssl), 1); } - ssl = wolfSSL_new(ctx); - if (ssl == NULL) { - goto done; - } -#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE) - if (sharedCtx && wolfSSL_use_certificate_file(ssl, cliCertFile, - CERT_FILETYPE) != WOLFSSL_SUCCESS) { -#else - if (wolfSSL_use_certificate_file(ssl, cliCertFile, - CERT_FILETYPE) != WOLFSSL_SUCCESS) { +#ifdef SESSION_CERTS +#ifndef WOLFSSL_TICKET_HAVE_ID + if (wolfSSL_version(ssl) != TLS1_3_VERSION && + wolfSSL_session_reused(ssl)) #endif - /*err_sys("can't load client cert file, " - "Please run from wolfSSL home dir");*/ - goto done; - } -#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE) - if (sharedCtx && wolfSSL_use_PrivateKey_file(ssl, cliKeyFile, - CERT_FILETYPE) != WOLFSSL_SUCCESS) { -#else - if (wolfSSL_use_PrivateKey_file(ssl, cliKeyFile, - CERT_FILETYPE) != WOLFSSL_SUCCESS) { + { + #ifdef KEEP_PEER_CERT + WOLFSSL_X509* peer = wolfSSL_get_peer_certificate(ssl); + ExpectNotNull(peer); + wolfSSL_X509_free(peer); + #endif + ExpectNotNull(wolfSSL_SESSION_get_peer_chain(*sess)); +#ifdef OPENSSL_EXTRA + ExpectNotNull(wolfSSL_SESSION_get0_peer(*sess)); #endif - /*err_sys("can't load client key file, " - "Please run from wolfSSL home dir");*/ - goto done; - } - -#ifdef WOLFSSL_SRTP - /* make sure that NULL (error condition) returns 1 */ - if (wolfSSL_set_tlsext_use_srtp(ssl, NULL) != 1) { - goto done; } #endif + return EXPECT_RESULT(); +} +static int twcase_client_set_sess_ssl_ready(WOLFSSL* ssl) +{ + EXPECT_DECLS; + /* Set the session to reuse for the client */ + ExpectNotNull(ssl); + ExpectNotNull(twcase_client_first_session_ptr); + ExpectIntEQ(wolfSSL_set_session(ssl,twcase_client_first_session_ptr), + WOLFSSL_SUCCESS); + return EXPECT_RESULT(); +} - if (!doUdp) { - if (wolfSSL_set_fd(ssl, sockfd) != WOLFSSL_SUCCESS) { - /*err_sys("SSL_set_fd failed");*/ - goto done; - } - } - else { -#ifdef WOLFSSL_DTLS - if (wolfSSL_set_dtls_fd_connected(ssl, sockfd) != WOLFSSL_SUCCESS) { - /*err_sys("SSL_set_fd failed");*/ - goto done; - } -#else - goto done; -#endif - } +struct test_add_session_ext_params { + method_provider client_meth; + method_provider server_meth; + const char* tls_version; +}; - /* call ssl setup callback */ - if (cbf != NULL && cbf->ssl_ready != NULL) { - cbf->ssl_ready(ssl); - } +static int test_wolfSSL_CTX_add_session_ext( + struct test_add_session_ext_params* param) +{ + EXPECT_DECLS; + /* Test the default 33 sessions */ + int j; - WOLFSSL_ASYNC_WHILE_PENDING(ret = wolfSSL_negotiate(ssl), - ret != WOLFSSL_SUCCESS); - if (ret != WOLFSSL_SUCCESS) { - char buff[WOLFSSL_MAX_ERROR_SZ]; - fprintf(stderr, "error = %d, %s\n", err, - wolfSSL_ERR_error_string((word32)err, buff)); - /*err_sys("SSL_connect failed");*/ - goto done; - } + /* Clear cache before starting */ + wolfSSL_CTX_flush_sessions(NULL, -1); - /* test the various get cipher methods */ - /* Internal cipher suite names */ - cipherSuite = wolfSSL_get_current_cipher_suite(ssl); - cipherName1 = wolfSSL_get_cipher_name(ssl); - cipherName2 = wolfSSL_get_cipher_name_from_suite( - (byte)(cipherSuite >> 8), cipherSuite & 0xFF); - AssertStrEQ(cipherName1, cipherName2); + XMEMSET(&server_sessionCache, 0, sizeof(hashTable)); + if (wc_InitMutex(&server_sessionCache.htLock) != 0) + return BAD_MUTEX_E; + server_sessionCache.capacity = SESSION_CACHE_SIZE; - /* IANA Cipher Suites Names */ - /* Unless WOLFSSL_CIPHER_INTERNALNAME or NO_ERROR_STRINGS, - then it's the internal cipher suite name */ - cipher = wolfSSL_get_current_cipher(ssl); - cipherName1 = wolfSSL_CIPHER_get_name(cipher); - cipherName2 = wolfSSL_get_cipher(ssl); - AssertStrEQ(cipherName1, cipherName2); -#if !defined(WOLFSSL_CIPHER_INTERNALNAME) && !defined(NO_ERROR_STRINGS) && \ - !defined(WOLFSSL_QT) - cipherName1 = wolfSSL_get_cipher_name_iana_from_suite( - (byte)(cipherSuite >> 8), cipherSuite & 0xFF); - AssertStrEQ(cipherName1, cipherName2); -#endif + fprintf(stderr, "\tBegin %s\n", param->tls_version); + for (j = 0; j < 5; j++) { + int tls13 = XSTRSTR(param->tls_version, "TLSv1_3") != NULL; + int dtls = XSTRSTR(param->tls_version, "DTLS") != NULL; + test_ssl_cbf client_cb; + test_ssl_cbf server_cb; - if (cb != NULL) - (cb)(ctx, ssl); + (void)dtls; - if (wolfSSL_write(ssl, msg, msgSz) != msgSz) { - /*err_sys("SSL_write failed");*/ - goto done; - } + /* Test five cache configurations */ + twcase_client_first_session_ptr = NULL; + twcase_server_first_session_ptr = NULL; + twcase_server_current_ctx_ptr = NULL; + twcase_new_session_called = 0; + twcase_remove_session_called = 0; + twcase_get_session_called = 0; - input = wolfSSL_read(ssl, reply, sizeof(reply)-1); - if (input > 0) { - reply[input] = '\0'; - fprintf(stderr, "Server response: %s\n", reply); - } + /* connection 1 - first connection */ + fprintf(stderr, "\tconnect: %s: j=%d\n", param->tls_version, j); - if (cbf != NULL && cbf->on_result != NULL) - cbf->on_result(ssl); + XMEMSET(&client_cb, 0, sizeof(client_cb)); + XMEMSET(&server_cb, 0, sizeof(server_cb)); + client_cb.method = param->client_meth; + server_cb.method = param->server_meth; - ((func_args*)args)->return_code = TEST_SUCCESS; + if (dtls) + client_cb.doUdp = server_cb.doUdp = 1; -done: - if (cbf != NULL) - cbf->last_err = err; - if (cbf != NULL && cbf->on_cleanup != NULL) - cbf->on_cleanup(ssl); + /* Setup internal and external cache */ + switch (j) { + case 0: + /* SSL_OP_NO_TICKET stateful ticket case */ + server_cb.ctx_ready = twcase_cache_intOn_extOn_noTicket; + break; + case 1: + server_cb.ctx_ready = twcase_cache_intOn_extOn; + break; + case 2: + server_cb.ctx_ready = twcase_cache_intOff_extOn; + break; + case 3: + server_cb.ctx_ready = twcase_cache_intOn_extOff; + break; + case 4: + server_cb.ctx_ready = twcase_cache_intOff_extOff; + break; + } + client_cb.ctx_ready = twcase_cache_intOff_extOff; - wolfSSL_free(ssl); - if (!sharedCtx) - wolfSSL_CTX_free(ctx); + /* Add session to internal cache and save SSL session for testing */ + server_cb.on_result = twcase_server_sess_ctx_pre_shutdown; + /* Save client SSL session for testing */ + client_cb.on_result = twcase_client_sess_ctx_pre_shutdown; + server_cb.ticNoInit = 1; /* Use default builtin */ + /* Don't free/release ctx */ + server_cb.ctx = twcase_server_current_ctx_ptr; + server_cb.isSharedCtx = 1; - CloseSocket(sockfd); + ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cb, + &server_cb, NULL), TEST_SUCCESS); -#ifdef WOLFSSL_TIRTOS - fdCloseSession(Task_self()); -#endif + ExpectIntEQ(twcase_get_session_called, 0); + if (EXPECT_FAIL()) { + wolfSSL_SESSION_free(twcase_client_first_session_ptr); + wolfSSL_SESSION_free(twcase_server_first_session_ptr); + wolfSSL_CTX_free(twcase_server_current_ctx_ptr); + break; + } -#if defined(NO_MAIN_DRIVER) && defined(HAVE_ECC) && defined(FP_ECC) \ - && defined(HAVE_THREAD_LS) - wc_ecc_fp_free(); /* free per thread cache */ -#endif + switch (j) { + case 0: + case 1: + case 2: + /* cache cannot be searched with out a connection */ + /* Add a new session */ + ExpectIntEQ(twcase_new_session_called, 1); + /* In twcase_server_sess_ctx_pre_shutdown + * wolfSSL_CTX_add_session which evicts the existing session + * in cache and adds it back in */ + ExpectIntLE(twcase_remove_session_called, 1); + break; + case 3: + case 4: + /* no external cache */ + ExpectIntEQ(twcase_new_session_called, 0); + ExpectIntEQ(twcase_remove_session_called, 0); + break; + } -#else - (void)args; - (void)cb; -#endif /* !NO_WOLFSSL_CLIENT */ + /* connection 2 - session resume */ + fprintf(stderr, "\tresume: %s: j=%d\n", param->tls_version, j); + twcase_new_session_called = 0; + twcase_remove_session_called = 0; + twcase_get_session_called = 0; + server_cb.on_result = 0; + client_cb.on_result = 0; + server_cb.ticNoInit = 1; /* Use default builtin */ - wolfSSL_SetLoggingPrefix(NULL); + server_cb.ctx = twcase_server_current_ctx_ptr; - return 0; -} + /* try session resumption */ + client_cb.ssl_ready = twcase_client_set_sess_ssl_ready; -void test_wolfSSL_client_server_nofail_ex(callback_functions* client_cb, - callback_functions* server_cb, cbType client_on_handshake) -{ - func_args client_args; - func_args server_args; - tcp_ready ready; - THREAD_TYPE serverThread; + ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cb, + &server_cb, NULL), TEST_SUCCESS); - XMEMSET(&client_args, 0, sizeof(func_args)); - XMEMSET(&server_args, 0, sizeof(func_args)); + /* Clear cache before checking */ + wolfSSL_CTX_flush_sessions(NULL, -1); -#ifdef WOLFSSL_TIRTOS - fdOpenSession(Task_self()); -#endif + switch (j) { + case 0: + if (tls13) { + /* (D)TLSv1.3 stateful case */ + /* cache hit */ + /* DTLS accesses cache once for stateless parsing and + * once for stateful parsing */ + ExpectIntEQ(twcase_get_session_called, !dtls ? 1 : 2); - StartTCP(); - InitTcpReady(&ready); + /* (D)TLSv1.3 creates a new ticket, + * updates both internal and external cache */ + ExpectIntEQ(twcase_new_session_called, 1); + /* A new session ID is created for a new ticket */ + ExpectIntEQ(twcase_remove_session_called, 2); -#if defined(USE_WINDOWS_API) - /* use RNG to get random port if using windows */ - ready.port = GetRandomPort(); + } + else { + /* non (D)TLSv1.3 case, no update */ + /* DTLS accesses cache once for stateless parsing and + * once for stateful parsing */ +#ifdef WOLFSSL_DTLS_NO_HVR_ON_RESUME + ExpectIntEQ(twcase_get_session_called, !dtls ? 1 : 2); +#else + ExpectIntEQ(twcase_get_session_called, 1); #endif + ExpectIntEQ(twcase_new_session_called, 0); + /* Called on session added in + * twcase_server_sess_ctx_pre_shutdown */ + ExpectIntEQ(twcase_remove_session_called, 1); + } + break; + case 1: + if (tls13) { + /* (D)TLSv1.3 case */ + /* cache hit */ + ExpectIntEQ(twcase_get_session_called, 1); + /* (D)TLSv1.3 creates a new ticket, + * updates both internal and external cache */ + ExpectIntEQ(twcase_new_session_called, 1); + /* Called on session added in + * twcase_server_sess_ctx_pre_shutdown and by wolfSSL */ + ExpectIntEQ(twcase_remove_session_called, 1); + } + else { + /* non (D)TLSv1.3 case */ + /* cache hit */ + /* DTLS accesses cache once for stateless parsing and + * once for stateful parsing */ +#ifdef WOLFSSL_DTLS_NO_HVR_ON_RESUME + ExpectIntEQ(twcase_get_session_called, !dtls ? 1 : 2); +#else + ExpectIntEQ(twcase_get_session_called, 1); +#endif + ExpectIntEQ(twcase_new_session_called, 0); + /* Called on session added in + * twcase_server_sess_ctx_pre_shutdown */ + ExpectIntEQ(twcase_remove_session_called, 1); + } + break; + case 2: + if (tls13) { + /* (D)TLSv1.3 case */ + /* cache hit */ + ExpectIntEQ(twcase_get_session_called, 1); + /* (D)TLSv1.3 creates a new ticket, + * updates both internal and external cache */ + ExpectIntEQ(twcase_new_session_called, 1); + /* Called on session added in + * twcase_server_sess_ctx_pre_shutdown and by wolfSSL */ + ExpectIntEQ(twcase_remove_session_called, 1); + } + else { + /* non (D)TLSv1.3 case */ + /* cache hit */ + /* DTLS accesses cache once for stateless parsing and + * once for stateful parsing */ +#ifdef WOLFSSL_DTLS_NO_HVR_ON_RESUME + ExpectIntEQ(twcase_get_session_called, !dtls ? 1 : 2); +#else + ExpectIntEQ(twcase_get_session_called, 1); +#endif + ExpectIntEQ(twcase_new_session_called, 0); + /* Called on session added in + * twcase_server_sess_ctx_pre_shutdown */ + ExpectIntEQ(twcase_remove_session_called, 1); + } + break; + case 3: + case 4: + /* no external cache */ + ExpectIntEQ(twcase_get_session_called, 0); + ExpectIntEQ(twcase_new_session_called, 0); + ExpectIntEQ(twcase_remove_session_called, 0); + break; + } + wolfSSL_SESSION_free(twcase_client_first_session_ptr); + wolfSSL_SESSION_free(twcase_server_first_session_ptr); + wolfSSL_CTX_free(twcase_server_current_ctx_ptr); - server_args.signal = &ready; - server_args.callbacks = server_cb; - client_args.signal = &ready; - client_args.callbacks = client_cb; - - start_thread(test_server_nofail, &server_args, &serverThread); - wait_tcp_ready(&server_args); - test_client_nofail(&client_args, client_on_handshake); - join_thread(serverThread); - - client_cb->return_code = client_args.return_code; - server_cb->return_code = server_args.return_code; + if (EXPECT_FAIL()) + break; + } + twcase_get_sessionCb_cleanup(); + XMEMSET(&server_sessionCache.entries, 0, + sizeof(server_sessionCache.entries)); + fprintf(stderr, "\tEnd %s\n", param->tls_version); - FreeTcpReady(&ready); + wc_FreeMutex(&server_sessionCache.htLock); -#ifdef WOLFSSL_TIRTOS - fdOpenSession(Task_self()); -#endif + return EXPECT_RESULT(); } +#endif -void test_wolfSSL_client_server_nofail(callback_functions* client_cb, - callback_functions* server_cb) +static int test_wolfSSL_CTX_add_session_ext_tls13(void) { - test_wolfSSL_client_server_nofail_ex(client_cb, server_cb, NULL); + EXPECT_DECLS; +#if defined(HAVE_IO_TESTS_DEPENDENCIES) && defined(HAVE_EXT_CACHE) && \ + defined(WOLFSSL_TLS13) && !defined(NO_SESSION_CACHE) && \ + defined(OPENSSL_EXTRA) && defined(SESSION_CERTS) && \ + defined(HAVE_SESSION_TICKET) && \ + !defined(TITAN_SESSION_CACHE) && \ + !defined(HUGE_SESSION_CACHE) && \ + !defined(BIG_SESSION_CACHE) && \ + !defined(MEDIUM_SESSION_CACHE) +#if defined(WOLFSSL_TLS13) && !defined(WOLFSSL_NO_DEF_TICKET_ENC_CB) && \ + defined(HAVE_SESSION_TICKET) && defined(WOLFSSL_TICKET_HAVE_ID) + struct test_add_session_ext_params param[1] = { + { wolfTLSv1_3_client_method, wolfTLSv1_3_server_method, "TLSv1_3" } + }; + ExpectIntEQ(test_wolfSSL_CTX_add_session_ext(param), TEST_SUCCESS); +#endif +#endif + return EXPECT_RESULT(); } - - -#if defined(OPENSSL_EXTRA) && !defined(NO_SESSION_CACHE) && \ - !defined(WOLFSSL_NO_TLS12) && !defined(NO_WOLFSSL_CLIENT) -static void test_client_reuse_WOLFSSLobj(void* args, cbType cb, - void* server_args) +static int test_wolfSSL_CTX_add_session_ext_dtls13(void) { - SOCKET_T sockfd = 0; - callback_functions* cbf; - - WOLFSSL_CTX* ctx = 0; - WOLFSSL* ssl = 0; - WOLFSSL_SESSION* session = NULL; - - char msg[64] = "hello wolfssl!"; - char reply[1024]; - int input; - int msgSz = (int)XSTRLEN(msg); - int ret, err = 0; - int sharedCtx = 0; - -#ifdef WOLFSSL_TIRTOS - fdOpenSession(Task_self()); + EXPECT_DECLS; +#if defined(HAVE_IO_TESTS_DEPENDENCIES) && defined(HAVE_EXT_CACHE) && \ + defined(WOLFSSL_TLS13) && !defined(NO_SESSION_CACHE) && \ + defined(OPENSSL_EXTRA) && defined(SESSION_CERTS) && \ + defined(HAVE_SESSION_TICKET) && \ + !defined(TITAN_SESSION_CACHE) && \ + !defined(HUGE_SESSION_CACHE) && \ + !defined(BIG_SESSION_CACHE) && \ + !defined(MEDIUM_SESSION_CACHE) +#if defined(WOLFSSL_TLS13) && !defined(WOLFSSL_NO_DEF_TICKET_ENC_CB) && \ + defined(HAVE_SESSION_TICKET) && defined(WOLFSSL_TICKET_HAVE_ID) +#ifdef WOLFSSL_DTLS13 + struct test_add_session_ext_params param[1] = { + { wolfDTLSv1_3_client_method, wolfDTLSv1_3_server_method, "DTLSv1_3" } + }; + ExpectIntEQ(test_wolfSSL_CTX_add_session_ext(param), TEST_SUCCESS); #endif - - ((func_args*)args)->return_code = TEST_FAIL; - cbf = ((func_args*)args)->callbacks; - -#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE) - if (cbf != NULL && cbf->ctx) { - ctx = cbf->ctx; - sharedCtx = 1; - } - else #endif - { - WOLFSSL_METHOD* method = NULL; - if (cbf != NULL && cbf->method != NULL) { - method = cbf->method(); - } - else { - method = wolfSSLv23_client_method(); - } - ctx = wolfSSL_CTX_new(method); - } +#endif + return EXPECT_RESULT(); +} +static int test_wolfSSL_CTX_add_session_ext_tls12(void) +{ + EXPECT_DECLS; +#if defined(HAVE_IO_TESTS_DEPENDENCIES) && defined(HAVE_EXT_CACHE) && \ + defined(WOLFSSL_TLS13) && !defined(NO_SESSION_CACHE) && \ + defined(OPENSSL_EXTRA) && defined(SESSION_CERTS) && \ + defined(HAVE_SESSION_TICKET) && \ + !defined(TITAN_SESSION_CACHE) && \ + !defined(HUGE_SESSION_CACHE) && \ + !defined(BIG_SESSION_CACHE) && \ + !defined(MEDIUM_SESSION_CACHE) +#ifndef WOLFSSL_NO_TLS12 + struct test_add_session_ext_params param[1] = { + { wolfTLSv1_2_client_method, wolfTLSv1_2_server_method, "TLSv1_2" } + }; + ExpectIntEQ(test_wolfSSL_CTX_add_session_ext(param), TEST_SUCCESS); +#endif +#endif + return EXPECT_RESULT(); +} +static int test_wolfSSL_CTX_add_session_ext_dtls12(void) +{ + EXPECT_DECLS; +#if defined(HAVE_IO_TESTS_DEPENDENCIES) && defined(HAVE_EXT_CACHE) && \ + defined(WOLFSSL_TLS13) && !defined(NO_SESSION_CACHE) && \ + defined(OPENSSL_EXTRA) && defined(SESSION_CERTS) && \ + defined(HAVE_SESSION_TICKET) && \ + !defined(TITAN_SESSION_CACHE) && \ + !defined(HUGE_SESSION_CACHE) && \ + !defined(BIG_SESSION_CACHE) && \ + !defined(MEDIUM_SESSION_CACHE) +#ifndef WOLFSSL_NO_TLS12 +#ifdef WOLFSSL_DTLS + struct test_add_session_ext_params param[1] = { + { wolfDTLSv1_2_client_method, wolfDTLSv1_2_server_method, "DTLSv1_2" } + }; + ExpectIntEQ(test_wolfSSL_CTX_add_session_ext(param), TEST_SUCCESS); +#endif +#endif +#endif + return EXPECT_RESULT(); +} +static int test_wolfSSL_CTX_add_session_ext_tls11(void) +{ + EXPECT_DECLS; +#if defined(HAVE_IO_TESTS_DEPENDENCIES) && defined(HAVE_EXT_CACHE) && \ + defined(WOLFSSL_TLS13) && !defined(NO_SESSION_CACHE) && \ + defined(OPENSSL_EXTRA) && defined(SESSION_CERTS) && \ + defined(HAVE_SESSION_TICKET) && \ + !defined(TITAN_SESSION_CACHE) && \ + !defined(HUGE_SESSION_CACHE) && \ + !defined(BIG_SESSION_CACHE) && \ + !defined(MEDIUM_SESSION_CACHE) +#if !defined(NO_OLD_TLS) && ((!defined(NO_AES) && !defined(NO_AES_CBC)) || \ + !defined(NO_DES3)) + struct test_add_session_ext_params param[1] = { + { wolfTLSv1_1_client_method, wolfTLSv1_1_server_method, "TLSv1_1" } + }; + ExpectIntEQ(test_wolfSSL_CTX_add_session_ext(param), TEST_SUCCESS); +#endif +#endif + return EXPECT_RESULT(); +} +static int test_wolfSSL_CTX_add_session_ext_dtls1(void) +{ + EXPECT_DECLS; +#if defined(HAVE_IO_TESTS_DEPENDENCIES) && defined(HAVE_EXT_CACHE) && \ + defined(WOLFSSL_TLS13) && !defined(NO_SESSION_CACHE) && \ + defined(OPENSSL_EXTRA) && defined(SESSION_CERTS) && \ + defined(HAVE_SESSION_TICKET) && \ + !defined(TITAN_SESSION_CACHE) && \ + !defined(HUGE_SESSION_CACHE) && \ + !defined(BIG_SESSION_CACHE) && \ + !defined(MEDIUM_SESSION_CACHE) +#if !defined(NO_OLD_TLS) && ((!defined(NO_AES) && !defined(NO_AES_CBC)) || \ + !defined(NO_DES3)) +#ifdef WOLFSSL_DTLS + struct test_add_session_ext_params param[1] = { + { wolfDTLSv1_client_method, wolfDTLSv1_server_method, "DTLSv1_0" } + }; + ExpectIntEQ(test_wolfSSL_CTX_add_session_ext(param), TEST_SUCCESS); +#endif +#endif +#endif + return EXPECT_RESULT(); +} -#ifdef WOLFSSL_ENCRYPTED_KEYS - wolfSSL_CTX_set_default_passwd_cb(ctx, PasswordCallBack); +#if defined(WOLFSSL_DTLS) && defined(WOLFSSL_SESSION_EXPORT) +/* canned export of a session using older version 3 */ +static unsigned char version_3[] = { + 0xA5, 0xA3, 0x01, 0x88, 0x00, 0x3c, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x80, 0x0C, 0x00, 0x00, 0x00, + 0x00, 0x80, 0x00, 0x1C, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x01, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, + 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x30, + 0x05, 0x09, 0x0A, 0x01, 0x01, 0x00, 0x0D, 0x05, + 0xFE, 0xFD, 0x01, 0x25, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x06, 0x00, 0x05, 0x00, 0x06, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x06, 0x00, 0x01, 0x00, 0x07, 0x00, 0x00, + 0x00, 0x30, 0x00, 0x00, 0x00, 0x10, 0x01, 0x01, + 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x3F, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x05, + 0x12, 0xCF, 0x22, 0xA1, 0x9F, 0x1C, 0x39, 0x1D, + 0x31, 0x11, 0x12, 0x1D, 0x11, 0x18, 0x0D, 0x0B, + 0xF3, 0xE1, 0x4D, 0xDC, 0xB1, 0xF1, 0x39, 0x98, + 0x91, 0x6C, 0x48, 0xE5, 0xED, 0x11, 0x12, 0xA0, + 0x00, 0xF2, 0x25, 0x4C, 0x09, 0x26, 0xD1, 0x74, + 0xDF, 0x23, 0x40, 0x15, 0x6A, 0x42, 0x2A, 0x26, + 0xA5, 0xAC, 0x56, 0xD5, 0x4A, 0x20, 0xB7, 0xE9, + 0xEF, 0xEB, 0xAF, 0xA8, 0x1E, 0x23, 0x7C, 0x04, + 0xAA, 0xA1, 0x6D, 0x92, 0x79, 0x7B, 0xFA, 0x80, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x0C, 0x79, 0x7B, 0xFA, 0x80, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0xAA, 0xA1, 0x6D, + 0x92, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x10, 0x00, 0x20, 0x00, 0x04, 0x00, + 0x10, 0x00, 0x10, 0x08, 0x02, 0x05, 0x08, 0x01, + 0x30, 0x28, 0x00, 0x00, 0x0F, 0x00, 0x02, 0x00, + 0x09, 0x31, 0x32, 0x37, 0x2E, 0x30, 0x2E, 0x30, + 0x2E, 0x31, 0xED, 0x4F +}; +#endif /* defined(WOLFSSL_DTLS) && defined(WOLFSSL_SESSION_EXPORT) */ + +static int test_wolfSSL_dtls_export(void) +{ + EXPECT_DECLS; +#if defined(WOLFSSL_DTLS) && defined(WOLFSSL_SESSION_EXPORT) + tcp_ready ready; + func_args client_args; + func_args server_args; + THREAD_TYPE serverThread; + callback_functions server_cbf; + callback_functions client_cbf; +#ifdef WOLFSSL_TIRTOS + fdOpenSession(Task_self()); #endif - /* Do connect here so server detects failures */ - tcp_connect(&sockfd, wolfSSLIP, ((func_args*)args)->signal->port, - 0, 0, NULL); + InitTcpReady(&ready); - if (wolfSSL_CTX_load_verify_locations(ctx, caCertFile, 0) != - WOLFSSL_SUCCESS) { - /* err_sys("can't load ca file, Please run from wolfSSL home dir");*/ - goto done; - } - if (!sharedCtx && wolfSSL_CTX_use_certificate_file(ctx, cliCertFile, - WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS) { - /*err_sys("can't load client cert file, " - "Please run from wolfSSL home dir");*/ - goto done; - } - if (!sharedCtx && wolfSSL_CTX_use_PrivateKey_file(ctx, cliKeyFile, - WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS) { - /*err_sys("can't load client key file, " - "Please run from wolfSSL home dir");*/ - goto done; - } +#if defined(USE_WINDOWS_API) + /* use RNG to get random port if using windows */ + ready.port = GetRandomPort(); +#endif - /* call ctx setup callback */ - if (cbf != NULL && cbf->ctx_ready != NULL) { - cbf->ctx_ready(ctx); - } + /* set using dtls */ + XMEMSET(&client_args, 0, sizeof(func_args)); + XMEMSET(&server_args, 0, sizeof(func_args)); + XMEMSET(&server_cbf, 0, sizeof(callback_functions)); + XMEMSET(&client_cbf, 0, sizeof(callback_functions)); + server_cbf.method = wolfDTLSv1_2_server_method; + client_cbf.method = wolfDTLSv1_2_client_method; + server_args.callbacks = &server_cbf; + client_args.callbacks = &client_cbf; - ssl = wolfSSL_new(ctx); - if (ssl == NULL) { - goto done; - } - /* keep handshake resources for reusing WOLFSSL obj */ - wolfSSL_KeepArrays(ssl); - if (wolfSSL_KeepHandshakeResources(ssl)) { - /* err_sys("SSL_KeepHandshakeResources failed"); */ - goto done; - } - if (sharedCtx && wolfSSL_use_certificate_file(ssl, cliCertFile, - WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS) { - /*err_sys("can't load client cert file, " - "Please run from wolfSSL home dir");*/ - goto done; - } - if (sharedCtx && wolfSSL_use_PrivateKey_file(ssl, cliKeyFile, - WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS) { - /*err_sys("can't load client key file, " - "Please run from wolfSSL home dir");*/ - goto done; - } + server_args.signal = &ready; + client_args.signal = &ready; - if (wolfSSL_set_fd(ssl, sockfd) != WOLFSSL_SUCCESS) { - /*err_sys("SSL_set_fd failed");*/ - goto done; - } + start_thread(run_wolfssl_server, &server_args, &serverThread); + wait_tcp_ready(&server_args); + run_wolfssl_client(&client_args); + join_thread(serverThread); - /* call ssl setup callback */ - if (cbf != NULL && cbf->ssl_ready != NULL) { - cbf->ssl_ready(ssl); - } + ExpectTrue(client_args.return_code); + ExpectTrue(server_args.return_code); - WOLFSSL_ASYNC_WHILE_PENDING(ret = wolfSSL_connect(ssl), - ret != WOLFSSL_SUCCESS); - if (ret != WOLFSSL_SUCCESS) { - char buff[WOLFSSL_MAX_ERROR_SZ]; - fprintf(stderr, "error = %d, %s\n", err, - wolfSSL_ERR_error_string(err, buff)); - /*err_sys("SSL_connect failed");*/ - goto done; - } - /* Build first session */ - if (cb != NULL) - cb(ctx, ssl); + FreeTcpReady(&ready); - if (wolfSSL_write(ssl, msg, msgSz) != msgSz) { - /*err_sys("SSL_write failed");*/ - goto done; - } +#ifdef WOLFSSL_TIRTOS + fdOpenSession(Task_self()); +#endif - input = wolfSSL_read(ssl, reply, sizeof(reply)-1); - if (input > 0) { - reply[input] = '\0'; - fprintf(stderr, "Server response: %s\n", reply); - } + if (EXPECT_SUCCESS()) { + SOCKET_T sockfd = 0; + WOLFSSL_CTX* ctx = NULL; + WOLFSSL* ssl = NULL; + char msg[64] = "hello wolfssl!"; + char reply[1024]; + int msgSz = (int)XSTRLEN(msg); + byte *session, *window; + unsigned int sessionSz = 0; + unsigned int windowSz = 0; - /* Session Resumption by reusing WOLFSSL object */ - wolfSSL_set_quiet_shutdown(ssl, 1); - if (wolfSSL_shutdown(ssl) != WOLFSSL_SUCCESS) { - /* err_sys ("SSL shutdown failed"); */ - goto done; - } - session = wolfSSL_get1_session(ssl); - if (wolfSSL_clear(ssl) != WOLFSSL_SUCCESS) { - wolfSSL_SESSION_free(session); - /* err_sys ("SSL_clear failed"); */ - goto done; - } - wolfSSL_set_session(ssl, session); - wolfSSL_SESSION_free(session); - session = NULL; - /* close socket once */ - CloseSocket(sockfd); - sockfd = 0; - /* wait until server ready */ - wait_tcp_ready((func_args*)server_args); - fprintf(stderr, "session resumption\n"); - /* Do re-connect */ - tcp_connect(&sockfd, wolfSSLIP, ((func_args*)args)->signal->port, - 0, 0, NULL); - if (wolfSSL_set_fd(ssl, sockfd) != WOLFSSL_SUCCESS) { - /*err_sys("SSL_set_fd failed");*/ - goto done; - } +#ifndef TEST_IPV6 + struct sockaddr_in peerAddr; +#else + struct sockaddr_in6 peerAddr; +#endif /* TEST_IPV6 */ - WOLFSSL_ASYNC_WHILE_PENDING(ret = wolfSSL_connect(ssl), - ret != WOLFSSL_SUCCESS); - if (ret != WOLFSSL_SUCCESS) { - char buff[WOLFSSL_MAX_ERROR_SZ]; - fprintf(stderr, "error = %d, %s\n", err, - wolfSSL_ERR_error_string(err, buff)); - /*err_sys("SSL_connect failed");*/ - goto done; - } - /* Build first session */ - if (cb != NULL) - cb(ctx, ssl); + int i; - if (wolfSSL_write(ssl, msg, msgSz) != msgSz) { - /*err_sys("SSL_write failed");*/ - goto done; - } - input = wolfSSL_read(ssl, reply, sizeof(reply)-1); - if (input > 0) { - reply[input] = '\0'; - fprintf(stderr, "Server response: %s\n", reply); - } + /* Set ctx to DTLS 1.2 */ + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfDTLSv1_2_server_method())); + ExpectNotNull(ssl = wolfSSL_new(ctx)); - ((func_args*)args)->return_code = TEST_SUCCESS; + /* test importing version 3 */ + ExpectIntGE(wolfSSL_dtls_import(ssl, version_3, sizeof(version_3)), 0); -done: - wolfSSL_free(ssl); - if (!sharedCtx) + /* test importing bad length and bad version */ + version_3[2]++; + ExpectIntLT(wolfSSL_dtls_import(ssl, version_3, sizeof(version_3)), 0); + version_3[2]--; version_3[1] = 0XA0; + ExpectIntLT(wolfSSL_dtls_import(ssl, version_3, sizeof(version_3)), 0); + wolfSSL_free(ssl); wolfSSL_CTX_free(ctx); - CloseSocket(sockfd); + /* check storing client state after connection and storing window only */ #ifdef WOLFSSL_TIRTOS - fdCloseSession(Task_self()); + fdOpenSession(Task_self()); #endif - return; -} -#endif /* defined(OPENSSL_EXTRA) && !defined(NO_SESSION_CACHE) && - !defined(WOLFSSL_TLS13) && !defined(NO_WOLFSSL_CLIENT) */ - -#if (defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || \ - defined(WOLFSSL_HAPROXY) || defined(HAVE_LIGHTY)) && \ - defined(HAVE_ALPN) && defined(HAVE_SNI) && \ - defined(HAVE_IO_TESTS_DEPENDENCIES) && !defined(NO_BIO) - #define HAVE_ALPN_PROTOS_SUPPORT -#endif + InitTcpReady(&ready); -/* Generic TLS client / server with callbacks for API unit tests - * Used by SNI / ALPN / crypto callback helper functions */ -#if defined(HAVE_IO_TESTS_DEPENDENCIES) && \ - (defined(HAVE_SNI) || defined(HAVE_ALPN) || defined(WOLF_CRYPTO_CB) || \ - defined(HAVE_ALPN_PROTOS_SUPPORT)) || defined(WOLFSSL_STATIC_MEMORY) - #define ENABLE_TLS_CALLBACK_TEST +#if defined(USE_WINDOWS_API) + /* use RNG to get random port if using windows */ + ready.port = GetRandomPort(); #endif -#if defined(ENABLE_TLS_CALLBACK_TEST) || \ - (defined(WOLFSSL_DTLS) && defined(WOLFSSL_SESSION_EXPORT)) -/* TLS server for API unit testing - generic */ -static THREAD_RETURN WOLFSSL_THREAD run_wolfssl_server(void* args) -{ - callback_functions* callbacks = ((func_args*)args)->callbacks; + /* set using dtls */ + XMEMSET(&server_args, 0, sizeof(func_args)); + XMEMSET(&server_cbf, 0, sizeof(callback_functions)); + server_cbf.method = wolfDTLSv1_2_server_method; + server_cbf.doUdp = 1; + server_args.callbacks = &server_cbf; + server_args.argc = 3; /* set loop_count to 3 */ - WOLFSSL_CTX* ctx = NULL; - WOLFSSL* ssl = NULL; - SOCKET_T sfd = 0; - SOCKET_T cfd = 0; - word16 port; - char msg[] = "I hear you fa shizzle!"; - int len = (int) XSTRLEN(msg); - char input[1024]; - int idx; - int ret, err = 0; + server_args.signal = &ready; + start_thread(test_server_nofail, &server_args, &serverThread); + wait_tcp_ready(&server_args); - ((func_args*)args)->return_code = TEST_FAIL; + /* create and connect with client */ + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfDTLSv1_2_client_method())); + ExpectIntEQ(WOLFSSL_SUCCESS, + wolfSSL_CTX_load_verify_locations(ctx, caCertFile, 0)); + ExpectIntEQ(WOLFSSL_SUCCESS, + wolfSSL_CTX_use_certificate_file(ctx, cliCertFile, SSL_FILETYPE_PEM)); + ExpectIntEQ(WOLFSSL_SUCCESS, + wolfSSL_CTX_use_PrivateKey_file(ctx, cliKeyFile, SSL_FILETYPE_PEM)); + tcp_connect(&sockfd, wolfSSLIP, server_args.signal->port, 1, 0, NULL); + ExpectNotNull(ssl = wolfSSL_new(ctx)); + ExpectIntEQ(wolfSSL_set_fd(ssl, sockfd), WOLFSSL_SUCCESS); -#if defined(USE_WINDOWS_API) - port = ((func_args*)args)->signal->port; -#elif defined(NO_MAIN_DRIVER) && !defined(WOLFSSL_SNIFFER) && \ - !defined(WOLFSSL_MDK_SHELL) && !defined(WOLFSSL_TIRTOS) - /* Let tcp_listen assign port */ - port = 0; + /* store server information connected too */ + XMEMSET(&peerAddr, 0, sizeof(peerAddr)); +#ifndef TEST_IPV6 + peerAddr.sin_family = AF_INET; + ExpectIntEQ(XINET_PTON(AF_INET, wolfSSLIP, &peerAddr.sin_addr),1); + peerAddr.sin_port = XHTONS(server_args.signal->port); #else - /* Use default port */ - port = wolfSSLPort; + peerAddr.sin6_family = AF_INET6; + ExpectIntEQ( + XINET_PTON(AF_INET6, wolfSSLIP, &peerAddr.sin6_addr),1); + peerAddr.sin6_port = XHTONS(server_args.signal->port); #endif -#ifdef WOLFSSL_DTLS - if (callbacks->method == wolfDTLS_server_method -#ifdef WOLFSSL_STATIC_MEMORY - || callbacks->method_ex == wolfDTLS_server_method_ex -#endif -#ifndef NO_OLD_TLS - || callbacks->method == wolfDTLSv1_server_method -#ifdef WOLFSSL_STATIC_MEMORY - || callbacks->method_ex == wolfDTLSv1_server_method_ex + ExpectIntEQ(wolfSSL_dtls_set_peer(ssl, &peerAddr, sizeof(peerAddr)), + WOLFSSL_SUCCESS); + + ExpectIntEQ(wolfSSL_connect(ssl), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_dtls_export(ssl, NULL, &sessionSz), 0); + session = (byte*)XMALLOC(sessionSz, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + ExpectIntGT(wolfSSL_dtls_export(ssl, session, &sessionSz), 0); + ExpectIntEQ(wolfSSL_write(ssl, msg, msgSz), msgSz); + ExpectIntGT(wolfSSL_read(ssl, reply, sizeof(reply)), 0); + ExpectIntEQ(wolfSSL_dtls_export_state_only(ssl, NULL, &windowSz), 0); + window = (byte*)XMALLOC(windowSz, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + ExpectIntGT(wolfSSL_dtls_export_state_only(ssl, window, &windowSz), 0); + wolfSSL_free(ssl); + + for (i = 1; EXPECT_SUCCESS() && i < server_args.argc; i++) { + /* restore state */ + ExpectNotNull(ssl = wolfSSL_new(ctx)); + ExpectIntGT(wolfSSL_dtls_import(ssl, session, sessionSz), 0); + ExpectIntGT(wolfSSL_dtls_import(ssl, window, windowSz), 0); + ExpectIntEQ(wolfSSL_set_fd(ssl, sockfd), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_dtls_set_peer(ssl, &peerAddr, sizeof(peerAddr)), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_write(ssl, msg, msgSz), msgSz); + ExpectIntGE(wolfSSL_read(ssl, reply, sizeof(reply)), 0); + ExpectIntGT(wolfSSL_dtls_export_state_only(ssl, window, &windowSz), 0); + wolfSSL_free(ssl); + } + XFREE(session, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(window, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + wolfSSL_CTX_free(ctx); + + fprintf(stderr, "done and waiting for server\n"); + join_thread(serverThread); + ExpectIntEQ(server_args.return_code, TEST_SUCCESS); + + FreeTcpReady(&ready); + +#ifdef WOLFSSL_TIRTOS + fdOpenSession(Task_self()); #endif + } #endif -#ifndef WOLFSSL_NO_TLS12 - || callbacks->method == wolfDTLSv1_2_server_method -#ifdef WOLFSSL_STATIC_MEMORY - || callbacks->method_ex == wolfDTLSv1_2_server_method_ex -#endif -#endif -#ifdef WOLFSSL_DTLS13 - || callbacks->method == wolfDTLSv1_3_server_method -#ifdef WOLFSSL_STATIC_MEMORY - || callbacks->method_ex == wolfDTLSv1_3_server_method_ex -#endif -#endif - ) { - tcp_accept(&sfd, &cfd, (func_args*)args, port, 0, 1, 0, 0, 0, 0, 0); - } - else -#endif - { - tcp_accept(&sfd, &cfd, (func_args*)args, port, 0, 0, 0, 0, 1, 0, 0); - } - -#ifdef WOLFSSL_STATIC_MEMORY - if (callbacks->method_ex != NULL && callbacks->mem != NULL && - callbacks->memSz > 0) { - ret = wolfSSL_CTX_load_static_memory(&ctx, callbacks->method_ex, - callbacks->mem, callbacks->memSz, 0, 1); - if (ret != WOLFSSL_SUCCESS) { - fprintf(stderr, "CTX static new failed %d\n", ret); - goto cleanup; - } - } -#else - ctx = wolfSSL_CTX_new(callbacks->method()); -#endif - if (ctx == NULL) { - fprintf(stderr, "CTX new failed\n"); - goto cleanup; - } - - /* set defaults */ - if (callbacks->caPemFile == NULL) - callbacks->caPemFile = cliCertFile; - if (callbacks->certPemFile == NULL) - callbacks->certPemFile = svrCertFile; - if (callbacks->keyPemFile == NULL) - callbacks->keyPemFile = svrKeyFile; - -#ifdef WOLFSSL_TIRTOS - fdOpenSession(Task_self()); -#endif - - wolfSSL_CTX_SetDevId(ctx, callbacks->devId); - - wolfSSL_CTX_set_verify(ctx, - WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0); - -#ifdef WOLFSSL_ENCRYPTED_KEYS - wolfSSL_CTX_set_default_passwd_cb(ctx, PasswordCallBack); -#endif -#if defined(WOLFSSL_SESSION_EXPORT) && defined(WOLFSSL_DTLS) - if (callbacks->method == wolfDTLSv1_2_server_method) { - if (wolfSSL_CTX_dtls_set_export(ctx, test_export) != WOLFSSL_SUCCESS) - goto cleanup; - } -#endif - - - if (wolfSSL_CTX_load_verify_locations(ctx, callbacks->caPemFile, 0) != - WOLFSSL_SUCCESS) { - goto cleanup; - } - - if (wolfSSL_CTX_use_certificate_file(ctx, callbacks->certPemFile, - CERT_FILETYPE) != WOLFSSL_SUCCESS) { - goto cleanup; - } - - if (wolfSSL_CTX_use_PrivateKey_file(ctx, callbacks->keyPemFile, - CERT_FILETYPE) != WOLFSSL_SUCCESS) { - goto cleanup; - } - -#ifdef HAVE_CRL - if (callbacks->crlPemFile != NULL) { - if (wolfSSL_CTX_LoadCRLFile(ctx, callbacks->crlPemFile, - CERT_FILETYPE) != WOLFSSL_SUCCESS) { - goto cleanup; - } - } -#endif - - if (callbacks->ctx_ready) - callbacks->ctx_ready(ctx); - ssl = wolfSSL_new(ctx); - if (ssl == NULL) { - fprintf(stderr, "SSL new failed\n"); - goto cleanup; - } - if (wolfSSL_dtls(ssl)) { - SOCKADDR_IN_T cliAddr; - socklen_t cliLen; + return EXPECT_RESULT(); +} - cliLen = sizeof(cliAddr); - idx = (int)recvfrom(sfd, input, sizeof(input), MSG_PEEK, - (struct sockaddr*)&cliAddr, &cliLen); - if (idx <= 0) { - goto cleanup; - } - wolfSSL_dtls_set_peer(ssl, &cliAddr, cliLen); - } - else { - CloseSocket(sfd); - } +#if defined(WOLFSSL_SESSION_EXPORT) && !defined(WOLFSSL_NO_TLS12) +#ifdef WOLFSSL_TLS13 +static const byte canned_client_tls13_session_v4[] = { + 0xA7, 0xA4, 0x01, 0x18, 0x00, 0x41, 0x00, 0x00, + 0x01, 0x00, 0x00, 0x80, 0x04, 0x00, 0x00, 0x00, + 0x00, 0x80, 0x00, 0x1C, 0x01, 0x00, 0x00, 0x01, + 0x00, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, + 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x13, + 0x01, 0x0A, 0x0F, 0x10, 0x01, 0x02, 0x09, 0x00, + 0x05, 0x00, 0x00, 0x00, 0x00, 0x03, 0x04, 0x00, + 0xB7, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x01, 0x00, 0x00, 0x00, 0x27, 0x00, 0x00, 0x00, + 0x11, 0x01, 0x01, 0x00, 0x20, 0x84, 0x4F, 0x18, + 0xD8, 0xC1, 0x24, 0xD8, 0xBB, 0x17, 0x9E, 0x31, + 0xA3, 0xF8, 0xA7, 0x3C, 0xBA, 0xEC, 0xFA, 0xB4, + 0x7F, 0xC5, 0x78, 0xEB, 0x6D, 0xE3, 0x2B, 0x7B, + 0x94, 0xBE, 0x20, 0x11, 0x7E, 0x17, 0x10, 0xA7, + 0x10, 0x19, 0xEC, 0x62, 0xCC, 0xBE, 0xF5, 0x01, + 0x35, 0x3C, 0xEA, 0xEF, 0x44, 0x3C, 0x40, 0xA2, + 0xBC, 0x18, 0x43, 0xA1, 0xA1, 0x65, 0x5C, 0x48, + 0xE2, 0xF9, 0x38, 0xEB, 0x11, 0x10, 0x72, 0x7C, + 0x78, 0x22, 0x13, 0x3B, 0x19, 0x40, 0xF0, 0x73, + 0xBE, 0x96, 0x14, 0x78, 0x26, 0xB9, 0x6B, 0x2E, + 0x72, 0x22, 0x0D, 0x90, 0x94, 0xDD, 0x78, 0x77, + 0xFC, 0x0C, 0x2E, 0x63, 0x6E, 0xF0, 0x0C, 0x35, + 0x41, 0xCD, 0xF3, 0x49, 0x31, 0x08, 0xD0, 0x6F, + 0x02, 0x3D, 0xC1, 0xD3, 0xB7, 0xEE, 0x3A, 0xA0, + 0x8E, 0xA1, 0x4D, 0xC3, 0x2E, 0x5E, 0x06, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0C, + 0x35, 0x41, 0xCD, 0xF3, 0x49, 0x31, 0x08, 0xD0, + 0x6F, 0x02, 0x3D, 0xC1, 0xD3, 0xB7, 0xEE, 0x3A, + 0xA0, 0x8E, 0xA1, 0x4D, 0xC3, 0x2E, 0x5E, 0x06, + 0x00, 0x10, 0x00, 0x10, 0x00, 0x0C, 0x00, 0x10, + 0x00, 0x10, 0x07, 0x02, 0x04, 0x00, 0x00, 0x20, + 0x28, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x03 +}; - if (wolfSSL_set_fd(ssl, cfd) != WOLFSSL_SUCCESS) { - goto cleanup; - } +static const byte canned_client_tls13_session_v5[] = { + 0xa7, 0xa5, 0x01, 0x19, 0x00, 0x42, 0x00, 0x00, 0x01, 0x00, 0x00, 0x80, + 0x04, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x1c, 0x01, 0x00, 0x00, 0x01, + 0x00, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x13, 0x01, 0x0a, 0x0f, 0x10, + 0x01, 0x02, 0x09, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x01, 0x03, 0x04, + 0x00, 0xb7, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x27, 0x00, 0x00, + 0x00, 0x11, 0x01, 0x01, 0x00, 0x20, 0x84, 0x4f, 0x18, 0xd8, 0xc1, 0x24, + 0xd8, 0xbb, 0x17, 0x9e, 0x31, 0xa3, 0xf8, 0xa7, 0x3c, 0xba, 0xec, 0xfa, + 0xb4, 0x7f, 0xc5, 0x78, 0xeb, 0x6d, 0xe3, 0x2b, 0x7b, 0x94, 0xbe, 0x20, + 0x11, 0x7e, 0x17, 0x10, 0xa7, 0x10, 0x19, 0xec, 0x62, 0xcc, 0xbe, 0xf5, + 0x01, 0x35, 0x3c, 0xea, 0xef, 0x44, 0x3c, 0x40, 0xa2, 0xbc, 0x18, 0x43, + 0xa1, 0xa1, 0x65, 0x5c, 0x48, 0xe2, 0xf9, 0x38, 0xeb, 0x11, 0x10, 0x72, + 0x7c, 0x78, 0x22, 0x13, 0x3b, 0x19, 0x40, 0xf0, 0x73, 0xbe, 0x96, 0x14, + 0x78, 0x26, 0xb9, 0x6b, 0x2e, 0x72, 0x22, 0x0d, 0x90, 0x94, 0xdd, 0x78, + 0x77, 0xfc, 0x0c, 0x2e, 0x63, 0x6e, 0xf0, 0x0c, 0x35, 0x41, 0xcd, 0xf3, + 0x49, 0x31, 0x08, 0xd0, 0x6f, 0x02, 0x3d, 0xc1, 0xd3, 0xb7, 0xee, 0x3a, + 0xa0, 0x8e, 0xa1, 0x4d, 0xc3, 0x2e, 0x5e, 0x06, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x0c, 0x35, 0x41, 0xcd, 0xf3, 0x49, 0x31, 0x08, + 0xd0, 0x6f, 0x02, 0x3d, 0xc1, 0xd3, 0xb7, 0xee, 0x3a, 0xa0, 0x8e, 0xa1, + 0x4d, 0xc3, 0x2e, 0x5e, 0x06, 0x00, 0x10, 0x00, 0x10, 0x00, 0x0c, 0x00, + 0x10, 0x00, 0x10, 0x07, 0x02, 0x04, 0x00, 0x00, 0x20, 0x28, 0x00, 0x00, + 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03 +}; - if (callbacks->loadToSSL) { - wolfSSL_SetDevId(ssl, callbacks->devId); +static const byte canned_server_tls13_session[] = { + 0xA7, 0xA4, 0x01, 0x18, 0x00, 0x41, 0x01, 0x00, + 0x01, 0x00, 0x00, 0x80, 0x04, 0x00, 0x00, 0x00, + 0x00, 0x80, 0x00, 0x1C, 0x01, 0x00, 0x00, 0x00, + 0x00, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x13, + 0x01, 0x0A, 0x0F, 0x10, 0x01, 0x02, 0x00, 0x0F, + 0x05, 0x00, 0x00, 0x00, 0x00, 0x03, 0x04, 0x00, + 0xB7, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x02, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, + 0x11, 0x01, 0x01, 0x00, 0x20, 0x84, 0x4F, 0x18, + 0xD8, 0xC1, 0x24, 0xD8, 0xBB, 0x17, 0x9E, 0x31, + 0xA3, 0xF8, 0xA7, 0x3C, 0xBA, 0xEC, 0xFA, 0xB4, + 0x7F, 0xC5, 0x78, 0xEB, 0x6D, 0xE3, 0x2B, 0x7B, + 0x94, 0xBE, 0x20, 0x11, 0x7E, 0x17, 0x10, 0xA7, + 0x10, 0x19, 0xEC, 0x62, 0xCC, 0xBE, 0xF5, 0x01, + 0x35, 0x3C, 0xEA, 0xEF, 0x44, 0x3C, 0x40, 0xA2, + 0xBC, 0x18, 0x43, 0xA1, 0xA1, 0x65, 0x5C, 0x48, + 0xE2, 0xF9, 0x38, 0xEB, 0x11, 0x10, 0x72, 0x7C, + 0x78, 0x22, 0x13, 0x3B, 0x19, 0x40, 0xF0, 0x73, + 0xBE, 0x96, 0x14, 0x78, 0x26, 0xB9, 0x6B, 0x2E, + 0x72, 0x22, 0x0D, 0x90, 0x94, 0xDD, 0x78, 0x77, + 0xFC, 0x0C, 0x2E, 0x63, 0x6E, 0xF0, 0x0C, 0x35, + 0x41, 0xCD, 0xF3, 0x49, 0x31, 0x08, 0xD0, 0x6F, + 0x02, 0x3D, 0xC1, 0xD3, 0xB7, 0xEE, 0x3A, 0xA0, + 0x8E, 0xA1, 0x4D, 0xC3, 0x2E, 0x5E, 0x06, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0C, + 0xD3, 0xB7, 0xEE, 0x3A, 0xA0, 0x8E, 0xA1, 0x4D, + 0xC3, 0x2E, 0x5E, 0x06, 0x35, 0x41, 0xCD, 0xF3, + 0x49, 0x31, 0x08, 0xD0, 0x6F, 0x02, 0x3D, 0xC1, + 0x00, 0x10, 0x00, 0x10, 0x00, 0x0C, 0x00, 0x10, + 0x00, 0x10, 0x07, 0x02, 0x04, 0x00, 0x00, 0x20, + 0x28, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x04 +}; +#endif /* WOLFSSL_TLS13 */ - if (wolfSSL_use_certificate_file(ssl, callbacks->certPemFile, - CERT_FILETYPE) != WOLFSSL_SUCCESS) { - goto cleanup; - } +static const byte canned_client_session_v4[] = { + 0xA7, 0xA4, 0x01, 0x40, 0x00, 0x41, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x80, 0x02, 0x00, 0x00, 0x00, + 0x00, 0x80, 0x00, 0x1C, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, + 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, + 0x27, 0x0A, 0x0D, 0x10, 0x01, 0x01, 0x0A, 0x00, + 0x05, 0x00, 0x01, 0x01, 0x01, 0x03, 0x03, 0x00, + 0xBF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x02, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, + 0x0A, 0x01, 0x01, 0x00, 0x20, 0x69, 0x11, 0x6D, + 0x97, 0x15, 0x6E, 0x52, 0x27, 0xD6, 0x1D, 0x1D, + 0xF5, 0x0D, 0x59, 0xA5, 0xAC, 0x2E, 0x8C, 0x0E, + 0xCB, 0x26, 0x1E, 0xE2, 0xCE, 0xBB, 0xCE, 0xE1, + 0x7D, 0xD7, 0xEF, 0xA5, 0x44, 0x80, 0x2A, 0xDE, + 0xBB, 0x75, 0xB0, 0x1D, 0x75, 0x17, 0x20, 0x4C, + 0x08, 0x05, 0x1B, 0xBA, 0x60, 0x1F, 0x6C, 0x91, + 0x8C, 0xAA, 0xBB, 0xE5, 0xA3, 0x0B, 0x12, 0x3E, + 0xC0, 0x35, 0x43, 0x1D, 0xE2, 0x10, 0xE2, 0x02, + 0x92, 0x4B, 0x8F, 0x05, 0xA9, 0x4B, 0xCC, 0x90, + 0xC3, 0x0E, 0xC2, 0x0F, 0xE9, 0x33, 0x85, 0x9B, + 0x3C, 0x19, 0x21, 0xD5, 0x62, 0xE5, 0xE1, 0x17, + 0x8F, 0x8C, 0x19, 0x52, 0xD8, 0x59, 0x10, 0x2D, + 0x20, 0x6F, 0xBA, 0xC1, 0x1C, 0xD1, 0x82, 0xC7, + 0x32, 0x1B, 0xBB, 0xCC, 0x30, 0x03, 0xD7, 0x3A, + 0xC8, 0x18, 0xED, 0x58, 0xC8, 0x11, 0xFE, 0x71, + 0x9C, 0x71, 0xD8, 0x6B, 0xE0, 0x25, 0x64, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0C, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x10, 0x00, 0x10, 0x00, 0x10, 0x00, 0x10, + 0x00, 0x00, 0x06, 0x01, 0x04, 0x08, 0x01, 0x20, + 0x28, 0x00, 0x09, 0xE1, 0x50, 0x70, 0x02, 0x2F, + 0x7E, 0xDA, 0xBD, 0x40, 0xC5, 0x58, 0x87, 0xCE, + 0x43, 0xF3, 0xC5, 0x8F, 0xA1, 0x59, 0x93, 0xEF, + 0x7E, 0xD3, 0xD0, 0xB5, 0x87, 0x1D, 0x81, 0x54, + 0x14, 0x63, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x03 +}; - if (wolfSSL_use_PrivateKey_file(ssl, callbacks->keyPemFile, - CERT_FILETYPE) != WOLFSSL_SUCCESS) { - goto cleanup; - } - } +static const byte canned_client_session_v5[] = { + 0xa7, 0xa5, 0x01, 0x41, 0x00, 0x42, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, + 0x02, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x1c, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x27, 0x0a, 0x0d, 0x10, + 0x01, 0x01, 0x0a, 0x00, 0x05, 0x00, 0x01, 0x01, 0x01, 0x01, 0x03, 0x03, + 0x00, 0xbf, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, + 0x00, 0x0a, 0x01, 0x01, 0x00, 0x20, 0x69, 0x11, 0x6d, 0x97, 0x15, 0x6e, + 0x52, 0x27, 0xd6, 0x1d, 0x1d, 0xf5, 0x0d, 0x59, 0xa5, 0xac, 0x2e, 0x8c, + 0x0e, 0xcb, 0x26, 0x1e, 0xe2, 0xce, 0xbb, 0xce, 0xe1, 0x7d, 0xd7, 0xef, + 0xa5, 0x44, 0x80, 0x2a, 0xde, 0xbb, 0x75, 0xb0, 0x1d, 0x75, 0x17, 0x20, + 0x4c, 0x08, 0x05, 0x1b, 0xba, 0x60, 0x1f, 0x6c, 0x91, 0x8c, 0xaa, 0xbb, + 0xe5, 0xa3, 0x0b, 0x12, 0x3e, 0xc0, 0x35, 0x43, 0x1d, 0xe2, 0x10, 0xe2, + 0x02, 0x92, 0x4b, 0x8f, 0x05, 0xa9, 0x4b, 0xcc, 0x90, 0xc3, 0x0e, 0xc2, + 0x0f, 0xe9, 0x33, 0x85, 0x9b, 0x3c, 0x19, 0x21, 0xd5, 0x62, 0xe5, 0xe1, + 0x17, 0x8f, 0x8c, 0x19, 0x52, 0xd8, 0x59, 0x10, 0x2d, 0x20, 0x6f, 0xba, + 0xc1, 0x1c, 0xd1, 0x82, 0xc7, 0x32, 0x1b, 0xbb, 0xcc, 0x30, 0x03, 0xd7, + 0x3a, 0xc8, 0x18, 0xed, 0x58, 0xc8, 0x11, 0xfe, 0x71, 0x9c, 0x71, 0xd8, + 0x6b, 0xe0, 0x25, 0x64, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x10, 0x00, 0x10, 0x00, 0x10, 0x00, 0x10, 0x00, 0x00, 0x06, + 0x01, 0x04, 0x08, 0x01, 0x20, 0x28, 0x00, 0x09, 0xe1, 0x50, 0x70, 0x02, + 0x2f, 0x7e, 0xda, 0xbd, 0x40, 0xc5, 0x58, 0x87, 0xce, 0x43, 0xf3, 0xc5, + 0x8f, 0xa1, 0x59, 0x93, 0xef, 0x7e, 0xd3, 0xd0, 0xb5, 0x87, 0x1d, 0x81, + 0x54, 0x14, 0x63, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03 +}; -#ifdef NO_PSK - #if !defined(NO_FILESYSTEM) && !defined(NO_DH) - wolfSSL_SetTmpDH_file(ssl, dhParamFile, CERT_FILETYPE); - #elif !defined(NO_DH) - SetDH(ssl); /* will repick suites with DHE, higher priority than PSK */ - #endif -#endif - if (callbacks->ssl_ready) - callbacks->ssl_ready(ssl); +static const byte canned_server_session[] = { + 0xA7, 0xA4, 0x01, 0x40, 0x00, 0x41, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x80, 0x02, 0x00, 0x00, 0x00, + 0x00, 0x80, 0x00, 0x1C, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, + 0x27, 0x08, 0x0F, 0x10, 0x01, 0x01, 0x00, 0x11, + 0x05, 0x00, 0x01, 0x01, 0x01, 0x03, 0x03, 0x00, + 0xBF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x02, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, + 0x0A, 0x01, 0x01, 0x00, 0x20, 0x69, 0x11, 0x6D, + 0x97, 0x15, 0x6E, 0x52, 0x27, 0xD6, 0x1D, 0x1D, + 0xF5, 0x0D, 0x59, 0xA5, 0xAC, 0x2E, 0x8C, 0x0E, + 0xCB, 0x26, 0x1E, 0xE2, 0xCE, 0xBB, 0xCE, 0xE1, + 0x7D, 0xD7, 0xEF, 0xA5, 0x44, 0x80, 0x2A, 0xDE, + 0xBB, 0x75, 0xB0, 0x1D, 0x75, 0x17, 0x20, 0x4C, + 0x08, 0x05, 0x1B, 0xBA, 0x60, 0x1F, 0x6C, 0x91, + 0x8C, 0xAA, 0xBB, 0xE5, 0xA3, 0x0B, 0x12, 0x3E, + 0xC0, 0x35, 0x43, 0x1D, 0xE2, 0x10, 0xE2, 0x02, + 0x92, 0x4B, 0x8F, 0x05, 0xA9, 0x4B, 0xCC, 0x90, + 0xC3, 0x0E, 0xC2, 0x0F, 0xE9, 0x33, 0x85, 0x9B, + 0x3C, 0x19, 0x21, 0xD5, 0x62, 0xE5, 0xE1, 0x17, + 0x8F, 0x8C, 0x19, 0x52, 0xD8, 0x59, 0x10, 0x2D, + 0x20, 0x6F, 0xBA, 0xC1, 0x1C, 0xD1, 0x82, 0xC7, + 0x32, 0x1B, 0xBB, 0xCC, 0x30, 0x03, 0xD7, 0x3A, + 0xC8, 0x18, 0xED, 0x58, 0xC8, 0x11, 0xFE, 0x71, + 0x9C, 0x71, 0xD8, 0x6B, 0xE0, 0x25, 0x64, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0C, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x10, 0x00, 0x10, 0x00, 0x10, 0x00, 0x10, + 0x00, 0x00, 0x06, 0x01, 0x04, 0x08, 0x01, 0x20, + 0x28, 0x00, 0xC5, 0x8F, 0xA1, 0x59, 0x93, 0xEF, + 0x7E, 0xD3, 0xD0, 0xB5, 0x87, 0x1D, 0x81, 0x54, + 0x14, 0x63, 0x09, 0xE1, 0x50, 0x70, 0x02, 0x2F, + 0x7E, 0xDA, 0xBD, 0x40, 0xC5, 0x58, 0x87, 0xCE, + 0x43, 0xF3, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x04 +}; - WOLFSSL_ASYNC_WHILE_PENDING(ret = wolfSSL_accept(ssl), - ret != WOLFSSL_SUCCESS); - if (ret != WOLFSSL_SUCCESS) { - char buff[WOLFSSL_MAX_ERROR_SZ]; - fprintf(stderr, "accept error = %d, %s\n", err, - wolfSSL_ERR_error_string((word32)err, buff)); - /*err_sys("SSL_accept failed");*/ - } - else { - WOLFSSL_ASYNC_WHILE_PENDING(idx = wolfSSL_read(ssl, input, sizeof(input)-1), - idx <= 0); - if (idx > 0) { - input[idx] = 0; - fprintf(stderr, "Client message: %s\n", input); - } +static THREAD_RETURN WOLFSSL_THREAD tls_export_server(void* args) +{ + SOCKET_T sockfd = 0; + SOCKET_T clientfd = 0; + word16 port; - WOLFSSL_ASYNC_WHILE_PENDING(ret = wolfSSL_write(ssl, msg, len), - len != ret); - if (len != ret) { - goto cleanup; - } + callback_functions* cbf; + WOLFSSL_CTX* ctx = 0; + WOLFSSL* ssl = 0; -#if defined(WOLFSSL_SESSION_EXPORT) && !defined(HAVE_IO_POOL) && \ - defined(WOLFSSL_DTLS) - if (wolfSSL_dtls(ssl)) { - byte* import; - word32 sz; + char msg[] = "I hear you fa shizzle!"; + char input[1024]; + int idx; - wolfSSL_dtls_export(ssl, NULL, &sz); - import = (byte*)XMALLOC(sz, NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (import == NULL) { - goto cleanup; - } - idx = wolfSSL_dtls_export(ssl, import, &sz); - if (idx < 0) { - goto cleanup; - } - if (wolfSSL_dtls_import(ssl, import, idx) < 0) { - goto cleanup; - } - XFREE(import, NULL, DYNAMIC_TYPE_TMP_BUFFER); - } -#endif #ifdef WOLFSSL_TIRTOS - Task_yield(); + fdOpenSession(Task_self()); #endif - ((func_args*)args)->return_code = TEST_SUCCESS; - } - - if (callbacks->on_result) - callbacks->on_result(ssl); - - wolfSSL_shutdown(ssl); - -cleanup: - wolfSSL_free(ssl); - wolfSSL_CTX_free(ctx); - CloseSocket(cfd); + ((func_args*)args)->return_code = TEST_FAIL; + cbf = ((func_args*)args)->callbacks; -#ifdef WOLFSSL_TIRTOS - fdCloseSession(Task_self()); -#endif - -#if defined(NO_MAIN_DRIVER) && defined(HAVE_ECC) && defined(FP_ECC) \ - && defined(HAVE_THREAD_LS) - wc_ecc_fp_free(); /* free per thread cache */ +#if defined(USE_WINDOWS_API) + port = ((func_args*)args)->signal->port; +#elif defined(NO_MAIN_DRIVER) && !defined(WOLFSSL_SNIFFER) && \ + !defined(WOLFSSL_MDK_SHELL) && !defined(WOLFSSL_TIRTOS) + /* Let tcp_listen assign port */ + port = 0; +#else + /* Use default port */ + port = wolfSSLPort; #endif - WOLFSSL_RETURN_FROM_THREAD(0); -} - -/* TLS Client for API unit testing - generic */ -static void run_wolfssl_client(void* args) -{ - callback_functions* callbacks = ((func_args*)args)->callbacks; - - WOLFSSL_CTX* ctx = NULL; - WOLFSSL* ssl = NULL; - SOCKET_T sfd = 0; - - char msg[] = "hello wolfssl server!"; - int len = (int) XSTRLEN(msg); - char input[1024]; - int ret, err = 0; - - ((func_args*)args)->return_code = TEST_FAIL; - - /* set defaults */ - if (callbacks->caPemFile == NULL) - callbacks->caPemFile = caCertFile; - if (callbacks->certPemFile == NULL) - callbacks->certPemFile = cliCertFile; - if (callbacks->keyPemFile == NULL) - callbacks->keyPemFile = cliKeyFile; + /* do it here to detect failure */ + tcp_accept(&sockfd, &clientfd, (func_args*)args, port, 0, 0, 0, 0, 1, 0, 0); + CloseSocket(sockfd); -#ifdef WOLFSSL_STATIC_MEMORY - if (callbacks->method_ex != NULL && callbacks->mem != NULL && - callbacks->memSz > 0) { - ret = wolfSSL_CTX_load_static_memory(&ctx, callbacks->method_ex, - callbacks->mem, callbacks->memSz, 0, 1); - if (ret != WOLFSSL_SUCCESS) { - fprintf(stderr, "CTX static new failed %d\n", ret); - goto cleanup; + { + WOLFSSL_METHOD* method = NULL; + if (cbf != NULL && cbf->method != NULL) { + method = cbf->method(); + } + else { + method = wolfTLSv1_2_server_method(); } + ctx = wolfSSL_CTX_new(method); } -#else - ctx = wolfSSL_CTX_new(callbacks->method()); -#endif if (ctx == NULL) { - fprintf(stderr, "CTX new failed\n"); - goto cleanup; + goto done; } + wolfSSL_CTX_set_cipher_list(ctx, "ECDHE-RSA-AES128-SHA256"); -#ifdef WOLFSSL_TIRTOS - fdOpenSession(Task_self()); -#endif - - if (!callbacks->loadToSSL) { - wolfSSL_CTX_SetDevId(ctx, callbacks->devId); + /* call ctx setup callback */ + if (cbf != NULL && cbf->ctx_ready != NULL) { + cbf->ctx_ready(ctx); } -#ifdef WOLFSSL_ENCRYPTED_KEYS - wolfSSL_CTX_set_default_passwd_cb(ctx, PasswordCallBack); -#endif - - if (wolfSSL_CTX_load_verify_locations(ctx, callbacks->caPemFile, 0) != - WOLFSSL_SUCCESS) { - goto cleanup; + ssl = wolfSSL_new(ctx); + if (ssl == NULL) { + goto done; } + wolfSSL_set_fd(ssl, clientfd); - if (!callbacks->loadToSSL) { - if (wolfSSL_CTX_use_certificate_file(ctx, callbacks->certPemFile, - CERT_FILETYPE) != WOLFSSL_SUCCESS) { - goto cleanup; - } - - if (wolfSSL_CTX_use_PrivateKey_file(ctx, callbacks->keyPemFile, - CERT_FILETYPE) != WOLFSSL_SUCCESS) { - goto cleanup; - } - } - -#ifdef HAVE_CRL - if (callbacks->crlPemFile != NULL) { - if (wolfSSL_CTX_LoadCRLFile(ctx, callbacks->crlPemFile, - CERT_FILETYPE) != WOLFSSL_SUCCESS) { - goto cleanup; - } - } -#endif - - if (callbacks->ctx_ready) - callbacks->ctx_ready(ctx); - - ssl = wolfSSL_new(ctx); - if (wolfSSL_dtls(ssl)) { - tcp_connect(&sfd, wolfSSLIP, ((func_args*)args)->signal->port, - 1, 0, ssl); - } - else { - tcp_connect(&sfd, wolfSSLIP, ((func_args*)args)->signal->port, - 0, 0, ssl); - } - if (wolfSSL_set_fd(ssl, sfd) != WOLFSSL_SUCCESS) { - goto cleanup; - } - - if (callbacks->loadToSSL) { - wolfSSL_SetDevId(ssl, callbacks->devId); - - if (wolfSSL_use_certificate_file(ssl, callbacks->certPemFile, - CERT_FILETYPE) != WOLFSSL_SUCCESS) { - goto cleanup; - } - - if (wolfSSL_use_PrivateKey_file(ssl, callbacks->keyPemFile, - CERT_FILETYPE) != WOLFSSL_SUCCESS) { - goto cleanup; - } + /* call ssl setup callback */ + if (cbf != NULL && cbf->ssl_ready != NULL) { + cbf->ssl_ready(ssl); } - - if (callbacks->ssl_ready) - callbacks->ssl_ready(ssl); - - WOLFSSL_ASYNC_WHILE_PENDING(ret = wolfSSL_connect(ssl), - ret != WOLFSSL_SUCCESS); - if (ret != WOLFSSL_SUCCESS) { - char buff[WOLFSSL_MAX_ERROR_SZ]; - fprintf(stderr, "error = %d, %s\n", err, - wolfSSL_ERR_error_string((word32)err, buff)); - /*err_sys("SSL_connect failed");*/ + idx = wolfSSL_read(ssl, input, sizeof(input)-1); + if (idx > 0) { + input[idx] = '\0'; + fprintf(stderr, "Client message export/import: %s\n", input); } else { - WOLFSSL_ASYNC_WHILE_PENDING(ret = wolfSSL_write(ssl, msg, len), - ret != len); - if (len != ret) - goto cleanup; - - WOLFSSL_ASYNC_WHILE_PENDING(ret = wolfSSL_read(ssl, input, sizeof(input)-1), - ret <= 0); - if (ret > 0) { - input[ret] = '\0'; /* null term */ - fprintf(stderr, "Server response: %s\n", input); - } - ((func_args*)args)->return_code = TEST_SUCCESS; - } - - if (callbacks->on_result) - callbacks->on_result(ssl); - -cleanup: - wolfSSL_free(ssl); - wolfSSL_CTX_free(ctx); - CloseSocket(sfd); - -#ifdef WOLFSSL_TIRTOS - fdCloseSession(Task_self()); -#endif -} - -#endif /* ENABLE_TLS_CALLBACK_TEST */ - - -static int test_wolfSSL_read_write(void) -{ - EXPECT_DECLS; -#ifndef NO_SHA256 - /* The unit testing for read and write shall happen simultaneously, since - * one can't do anything with one without the other. (Except for a failure - * test case.) This function will call all the others that will set up, - * execute, and report their test findings. - * - * Set up the success case first. This function will become the template - * for the other tests. This should eventually be renamed - * - * The success case isn't interesting, how can this fail? - * - Do not give the client context a CA certificate. The connect should - * fail. Do not need server for this? - * - Using NULL for the ssl object on server. Do not need client for this. - * - Using NULL for the ssl object on client. Do not need server for this. - * - Good ssl objects for client and server. Client write() without server - * read(). - * - Good ssl objects for client and server. Server write() without client - * read(). - * - Forgetting the password callback? - */ - tcp_ready ready; - func_args client_args; - func_args server_args; - THREAD_TYPE serverThread; - - XMEMSET(&client_args, 0, sizeof(func_args)); - XMEMSET(&server_args, 0, sizeof(func_args)); -#ifdef WOLFSSL_TIRTOS - fdOpenSession(Task_self()); -#endif - - StartTCP(); - InitTcpReady(&ready); - -#if defined(USE_WINDOWS_API) - /* use RNG to get random port if using windows */ - ready.port = GetRandomPort(); -#endif - - server_args.signal = &ready; - client_args.signal = &ready; - - start_thread(test_server_nofail, &server_args, &serverThread); - wait_tcp_ready(&server_args); - test_client_nofail(&client_args, NULL); - join_thread(serverThread); - - ExpectTrue(client_args.return_code); - ExpectTrue(server_args.return_code); - - FreeTcpReady(&ready); - -#ifdef WOLFSSL_TIRTOS - fdOpenSession(Task_self()); -#endif -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_read_write_ex(void) -{ - EXPECT_DECLS; - WOLFSSL_CTX *ctx_c = NULL; - WOLFSSL_CTX *ctx_s = NULL; - WOLFSSL *ssl_c = NULL; - WOLFSSL *ssl_s = NULL; - struct test_memio_ctx test_ctx; - const char *test_str = "test"; - int test_str_size; - size_t count; - byte buf[255]; - - XMEMSET(&test_ctx, 0, sizeof(test_ctx)); - ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s, - wolfSSLv23_client_method, wolfSSLv23_server_method), 0); - ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0); - test_str_size = XSTRLEN("test") + 1; - ExpectIntEQ(wolfSSL_write_ex(ssl_c, test_str, test_str_size, &count), - WOLFSSL_SUCCESS); - ExpectIntEQ(count, test_str_size); - count = 0; - ExpectIntEQ(wolfSSL_read_ex(ssl_s, buf, sizeof(buf), &count), WOLFSSL_SUCCESS); - ExpectIntEQ(count, test_str_size); - ExpectIntEQ(XSTRCMP((char*)buf, test_str), 0); - - - ExpectIntEQ(wolfSSL_shutdown(ssl_c), WOLFSSL_SHUTDOWN_NOT_DONE); - ExpectIntEQ(wolfSSL_shutdown(ssl_s), WOLFSSL_SHUTDOWN_NOT_DONE); - ExpectIntEQ(wolfSSL_shutdown(ssl_c), 1); - ExpectIntEQ(wolfSSL_shutdown(ssl_s), 1); - - wolfSSL_free(ssl_c); - wolfSSL_free(ssl_s); - wolfSSL_CTX_free(ctx_c); - wolfSSL_CTX_free(ctx_s); - return TEST_SUCCESS; -} - -static int test_wolfSSL_reuse_WOLFSSLobj(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_SESSION_CACHE) && \ - !defined(WOLFSSL_NO_TLS12) - /* The unit test for session resumption by reusing WOLFSSL object. - * WOLFSSL object is not cleared after first session. It reuse the object - * for second connection. - */ - tcp_ready ready; - func_args client_args; - func_args server_args; - THREAD_TYPE serverThread; - callback_functions client_cbf; - callback_functions server_cbf; - - XMEMSET(&client_args, 0, sizeof(func_args)); - XMEMSET(&server_args, 0, sizeof(func_args)); - XMEMSET(&client_cbf, 0, sizeof(callback_functions)); - XMEMSET(&server_cbf, 0, sizeof(callback_functions)); -#ifdef WOLFSSL_TIRTOS - fdOpenSession(Task_self()); -#endif - - StartTCP(); - InitTcpReady(&ready); - -#if defined(USE_WINDOWS_API) - /* use RNG to get random port if using windows */ - ready.port = GetRandomPort(); -#endif - - client_cbf.method = wolfTLSv1_2_client_method; - server_cbf.method = wolfTLSv1_2_server_method; - client_args.callbacks = &client_cbf; - server_args.callbacks = &server_cbf; - - server_args.signal = &ready; - client_args.signal = &ready; - /* the var is used for loop number */ - server_args.argc = 2; - - start_thread(test_server_loop, &server_args, &serverThread); - wait_tcp_ready(&server_args); - test_client_reuse_WOLFSSLobj(&client_args, NULL, &server_args); - join_thread(serverThread); - - ExpectTrue(client_args.return_code); - ExpectTrue(server_args.return_code); - - FreeTcpReady(&ready); - -#ifdef WOLFSSL_TIRTOS - fdOpenSession(Task_self()); -#endif -#endif /* defined(OPENSSL_EXTRA) && !defined(NO_SESSION_CACHE) && - * !defined(WOLFSSL_TLS13) */ - return EXPECT_RESULT(); -} - -#if defined(OPENSSL_EXTRA) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) -static int test_wolfSSL_CTX_verifyDepth_ServerClient_1_ctx_ready( - WOLFSSL_CTX* ctx) -{ - wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, myVerify); - myVerifyAction = VERIFY_USE_PREVERIFY; - wolfSSL_CTX_set_verify_depth(ctx, 2); - return TEST_SUCCESS; -} -#endif - -static int test_wolfSSL_CTX_verifyDepth_ServerClient_1(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) - test_ssl_cbf client_cbf; - test_ssl_cbf server_cbf; - - XMEMSET(&client_cbf, 0, sizeof(client_cbf)); - XMEMSET(&server_cbf, 0, sizeof(server_cbf)); - -#ifdef WOLFSSL_TLS13 - client_cbf.method = wolfTLSv1_3_client_method; -#endif /* WOLFSSL_TLS13 */ - client_cbf.ctx_ready = - test_wolfSSL_CTX_verifyDepth_ServerClient_1_ctx_ready; - - /* test case 1 verify depth is equal to peer chain */ - ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cbf, - &server_cbf, NULL), TEST_SUCCESS); - - ExpectIntEQ(client_cbf.return_code, TEST_SUCCESS); - ExpectIntEQ(server_cbf.return_code, TEST_SUCCESS); -#endif /* OPENSSL_EXTRA && HAVE_SSL_MEMIO_TESTS_DEPENDENCIES */ - - return EXPECT_RESULT(); -} - -#if defined(OPENSSL_EXTRA) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) -static int test_wolfSSL_CTX_verifyDepth_ServerClient_2_ctx_ready( - WOLFSSL_CTX* ctx) -{ - wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, myVerify); - myVerifyAction = VERIFY_OVERRIDE_ERROR; - wolfSSL_CTX_set_verify_depth(ctx, 0); - return TEST_SUCCESS; -} -#endif - -static int test_wolfSSL_CTX_verifyDepth_ServerClient_2(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) - test_ssl_cbf client_cbf; - test_ssl_cbf server_cbf; - - XMEMSET(&client_cbf, 0, sizeof(client_cbf)); - XMEMSET(&server_cbf, 0, sizeof(server_cbf)); - -#ifdef WOLFSSL_TLS13 - client_cbf.method = wolfTLSv1_3_client_method; -#endif /* WOLFSSL_TLS13 */ - client_cbf.ctx_ready = - test_wolfSSL_CTX_verifyDepth_ServerClient_2_ctx_ready; - - /* test case 2 - * verify depth is zero, number of peer's chain is 2. - * verify result becomes MAX_CHAIN_ERROR, but it is overridden in - * callback. - */ - ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cbf, - &server_cbf, NULL), TEST_SUCCESS); - - ExpectIntEQ(client_cbf.return_code, TEST_SUCCESS); - ExpectIntEQ(server_cbf.return_code, TEST_SUCCESS); -#endif /* OPENSSL_EXTRA && HAVE_SSL_MEMIO_TESTS_DEPENDENCIES */ - - return EXPECT_RESULT(); -} - -#if defined(OPENSSL_EXTRA) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) -static int test_wolfSSL_CTX_verifyDepth_ServerClient_3_ctx_ready( - WOLFSSL_CTX* ctx) -{ - wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, myVerify); - myVerifyAction = VERIFY_USE_PREVERIFY; - wolfSSL_CTX_set_verify_depth(ctx, 0); - return TEST_SUCCESS; -} -#endif - -static int test_wolfSSL_CTX_verifyDepth_ServerClient_3(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) - test_ssl_cbf client_cbf; - test_ssl_cbf server_cbf; - - XMEMSET(&client_cbf, 0, sizeof(client_cbf)); - XMEMSET(&server_cbf, 0, sizeof(server_cbf)); - -#ifdef WOLFSSL_TLS13 - client_cbf.method = wolfTLSv1_3_client_method; -#endif /* WOLFSSL_TLS13 */ - client_cbf.ctx_ready = - test_wolfSSL_CTX_verifyDepth_ServerClient_3_ctx_ready; - - /* test case 3 - * verify depth is zero, number of peer's chain is 2 - * verify result becomes MAX_CHAIN_ERRO. call-back returns failure. - * therefore, handshake becomes failure. - */ - ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cbf, - &server_cbf, NULL), -1001); - - ExpectIntEQ(client_cbf.return_code, -1000); - ExpectIntEQ(server_cbf.return_code, -1000); - ExpectIntEQ(client_cbf.last_err, WC_NO_ERR_TRACE(MAX_CHAIN_ERROR)); - ExpectIntEQ(server_cbf.last_err, WC_NO_ERR_TRACE(FATAL_ERROR)); -#endif /* OPENSSL_EXTRA && HAVE_SSL_MEMIO_TESTS_DEPENDENCIES */ - - return EXPECT_RESULT(); -} - -#if defined(OPENSSL_ALL) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \ - !defined(WOLFSSL_NO_TLS12) && \ - defined(HAVE_ECC) && !defined(NO_AES) && !defined(NO_SHA256) -static int test_wolfSSL_CTX_set_cipher_list_server_ctx_ready(WOLFSSL_CTX* ctx) -{ - EXPECT_DECLS; - ExpectTrue(wolfSSL_CTX_set_cipher_list(ctx, "DEFAULT:!NULL")); - return EXPECT_RESULT(); -} - -static int test_wolfSSL_CTX_set_cipher_list_client_ctx_ready(WOLFSSL_CTX* ctx) -{ - EXPECT_DECLS; - ExpectTrue(wolfSSL_CTX_set_cipher_list(ctx, "ECDHE-RSA-AES128-SHA256")); - return EXPECT_RESULT(); -} -#endif - -static int test_wolfSSL_CTX_set_cipher_list(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_ALL) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \ - defined(HAVE_ECC) && !defined(NO_AES) && !defined(NO_SHA256) - - #if !defined(WOLFSSL_NO_TLS12) - WOLFSSL_CTX* ctxClient = NULL; - WOLFSSL* sslClient = NULL; - test_ssl_cbf client_cbf; - test_ssl_cbf server_cbf; - - XMEMSET(&client_cbf, 0, sizeof(client_cbf)); - XMEMSET(&server_cbf, 0, sizeof(server_cbf)); - - server_cbf.method = wolfTLSv1_2_server_method; - server_cbf.ctx_ready = test_wolfSSL_CTX_set_cipher_list_server_ctx_ready; - client_cbf.method = wolfTLSv1_2_client_method; - client_cbf.ctx_ready = test_wolfSSL_CTX_set_cipher_list_client_ctx_ready; - - ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cbf, - &server_cbf, NULL), TEST_SUCCESS); - - ExpectIntEQ(client_cbf.return_code, TEST_SUCCESS); - ExpectIntEQ(server_cbf.return_code, TEST_SUCCESS); - - /* check with cipher string that has '+' */ - ExpectNotNull((ctxClient = wolfSSL_CTX_new(wolfTLSv1_2_client_method()))); - /* Use trailing : with nothing to test for ASAN */ - ExpectTrue(wolfSSL_CTX_set_cipher_list(ctxClient, "ECDHE+AESGCM:")); - ExpectNotNull((sslClient = wolfSSL_new(ctxClient))); - - /* check for the existence of an ECDHE ECDSA cipher suite */ - if (EXPECT_SUCCESS()) { - int i = 0; - int found = 0; - const char* suite; - - WOLF_STACK_OF(WOLFSSL_CIPHER)* sk = NULL; - WOLFSSL_CIPHER* current; - - ExpectNotNull((sk = wolfSSL_get_ciphers_compat(sslClient))); - do { - current = wolfSSL_sk_SSL_CIPHER_value(sk, i++); - if (current) { - suite = wolfSSL_CIPHER_get_name(current); - if (suite && XSTRSTR(suite, "ECDSA")) { - found = 1; - break; - } - } - } while (current); - ExpectIntEQ(found, 1); - } - - wolfSSL_free(sslClient); - wolfSSL_CTX_free(ctxClient); - - #endif /* !WOLFSSL_NO_TLS12 */ -#endif - return EXPECT_RESULT(); -} - -#if defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \ - defined(WOLFSSL_HAVE_TLS_UNIQUE) -static int test_wolfSSL_get_finished_client_on_handshake(WOLFSSL_CTX* ctx, - WOLFSSL* ssl) -{ - EXPECT_DECLS; - size_t msg_len; - - (void)ctx; - - /* get_finished test */ - /* 1. get own sent message */ - XMEMSET(client_side_msg1, 0, WC_MAX_DIGEST_SIZE); - msg_len = wolfSSL_get_finished(ssl, client_side_msg1, WC_MAX_DIGEST_SIZE); - ExpectIntGE(msg_len, 0); - /* 2. get peer message */ - XMEMSET(client_side_msg2, 0, WC_MAX_DIGEST_SIZE); - msg_len = wolfSSL_get_peer_finished(ssl, client_side_msg2, WC_MAX_DIGEST_SIZE); - ExpectIntGE(msg_len, 0); - - return EXPECT_RESULT(); -} -#endif - -static int test_wolfSSL_get_finished(void) -{ - EXPECT_DECLS; -#if defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \ - defined(WOLFSSL_HAVE_TLS_UNIQUE) - test_ssl_cbf client_cbf; - test_ssl_cbf server_cbf; - - XMEMSET(&client_cbf, 0, sizeof(client_cbf)); - XMEMSET(&server_cbf, 0, sizeof(server_cbf)); - - ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cbf, - &server_cbf, test_wolfSSL_get_finished_client_on_handshake), - TEST_SUCCESS); - - /* test received msg vs sent msg */ - ExpectIntEQ(0, XMEMCMP(client_side_msg1, server_side_msg2, WC_MAX_DIGEST_SIZE)); - ExpectIntEQ(0, XMEMCMP(client_side_msg2, server_side_msg1, WC_MAX_DIGEST_SIZE)); -#endif /* HAVE_SSL_MEMIO_TESTS_DEPENDENCIES && WOLFSSL_HAVE_TLS_UNIQUE */ - - return EXPECT_RESULT(); -} - -#if defined(HAVE_IO_TESTS_DEPENDENCIES) && defined(HAVE_EXT_CACHE) && \ - !defined(SINGLE_THREADED) && defined(WOLFSSL_TLS13) && \ - !defined(NO_SESSION_CACHE) - -/* Sessions to restore/store */ -static WOLFSSL_SESSION* test_wolfSSL_CTX_add_session_client_sess; -static WOLFSSL_SESSION* test_wolfSSL_CTX_add_session_server_sess; -static WOLFSSL_CTX* test_wolfSSL_CTX_add_session_server_ctx; - -static void test_wolfSSL_CTX_add_session_ctx_ready(WOLFSSL_CTX* ctx) -{ - /* Don't store sessions. Lookup is still enabled. */ - AssertIntEQ(wolfSSL_CTX_set_session_cache_mode(ctx, - WOLFSSL_SESS_CACHE_NO_INTERNAL_STORE), WOLFSSL_SUCCESS); -#ifdef OPENSSL_EXTRA - AssertIntEQ(wolfSSL_CTX_get_session_cache_mode(ctx) & - WOLFSSL_SESS_CACHE_NO_INTERNAL_STORE, - WOLFSSL_SESS_CACHE_NO_INTERNAL_STORE); -#endif - /* Require both peers to provide certs */ - wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, NULL); -} - -static void test_wolfSSL_CTX_add_session_on_result(WOLFSSL* ssl) -{ - WOLFSSL_SESSION** sess; -#ifdef WOLFSSL_MUTEX_INITIALIZER - static wolfSSL_Mutex m = WOLFSSL_MUTEX_INITIALIZER(m); - - (void)wc_LockMutex(&m); -#endif - if (wolfSSL_is_server(ssl)) - sess = &test_wolfSSL_CTX_add_session_server_sess; - else - sess = &test_wolfSSL_CTX_add_session_client_sess; - if (*sess == NULL) { -#ifdef NO_SESSION_CACHE_REF - *sess = wolfSSL_get1_session(ssl); - AssertNotNull(*sess); -#else - /* Test for backwards compatibility */ - if (wolfSSL_is_server(ssl)) { - *sess = wolfSSL_get1_session(ssl); - AssertNotNull(*sess); - } - else { - *sess = wolfSSL_get_session(ssl); - AssertNotNull(*sess); - } -#endif - /* Now save the session in the internal store to make it available - * for lookup. For TLS 1.3, we can't save the session without - * WOLFSSL_TICKET_HAVE_ID because there is no way to retrieve the - * session from cache. */ - if (wolfSSL_is_server(ssl) -#ifndef WOLFSSL_TICKET_HAVE_ID - && wolfSSL_version(ssl) != TLS1_3_VERSION -#endif - ) - AssertIntEQ(wolfSSL_CTX_add_session(wolfSSL_get_SSL_CTX(ssl), - *sess), WOLFSSL_SUCCESS); - } - else { - /* If we have a session retrieved then remaining connections should be - * resuming on that session */ - AssertIntEQ(wolfSSL_session_reused(ssl), 1); - } -#ifdef WOLFSSL_MUTEX_INITIALIZER - wc_UnLockMutex(&m); -#endif - - /* Save CTX to be able to decrypt tickets */ - if (wolfSSL_is_server(ssl) && - test_wolfSSL_CTX_add_session_server_ctx == NULL) { - test_wolfSSL_CTX_add_session_server_ctx = wolfSSL_get_SSL_CTX(ssl); - AssertNotNull(test_wolfSSL_CTX_add_session_server_ctx); - AssertIntEQ(wolfSSL_CTX_up_ref(wolfSSL_get_SSL_CTX(ssl)), - WOLFSSL_SUCCESS); - } -#ifdef SESSION_CERTS -#ifndef WOLFSSL_TICKET_HAVE_ID - if (wolfSSL_version(ssl) != TLS1_3_VERSION && - wolfSSL_session_reused(ssl)) -#endif - { - /* With WOLFSSL_TICKET_HAVE_ID the peer certs should be available - * for all connections. TLS 1.3 only has tickets so if we don't - * include the session id in the ticket then the certificates - * will not be available on resumption. */ - #ifdef KEEP_PEER_CERT - WOLFSSL_X509* peer = wolfSSL_get_peer_certificate(ssl); - AssertNotNull(peer); - wolfSSL_X509_free(peer); - #endif - AssertNotNull(wolfSSL_SESSION_get_peer_chain(*sess)); - #ifdef OPENSSL_EXTRA - AssertNotNull(SSL_SESSION_get0_peer(*sess)); - #endif - } -#endif /* SESSION_CERTS */ -} - -static void test_wolfSSL_CTX_add_session_ssl_ready(WOLFSSL* ssl) -{ - /* Set the session to reuse for the client */ - AssertIntEQ(wolfSSL_set_session(ssl, - test_wolfSSL_CTX_add_session_client_sess), WOLFSSL_SUCCESS); -} -#endif - -static int test_wolfSSL_CTX_add_session(void) -{ - EXPECT_DECLS; -#if defined(HAVE_IO_TESTS_DEPENDENCIES) && defined(HAVE_EXT_CACHE) && \ - !defined(SINGLE_THREADED) && defined(WOLFSSL_TLS13) && \ - !defined(NO_SESSION_CACHE) - tcp_ready ready; - func_args client_args; - func_args server_args; - THREAD_TYPE serverThread; - callback_functions client_cb; - callback_functions server_cb; - method_provider methods[][2] = { -#if !defined(NO_OLD_TLS) && ((!defined(NO_AES) && !defined(NO_AES_CBC)) || \ - !defined(NO_DES3)) - /* Without AES there are almost no ciphersuites available. This leads - * to no ciphersuites being available and an error. */ - { wolfTLSv1_1_client_method, wolfTLSv1_1_server_method }, -#endif -#ifndef WOLFSSL_NO_TLS12 - { wolfTLSv1_2_client_method, wolfTLSv1_2_server_method }, -#endif - /* Needs the default ticket callback since it is tied to the - * connection context and this makes it easy to carry over the ticket - * crypto context between connections */ -#if defined(WOLFSSL_TLS13) && !defined(WOLFSSL_NO_DEF_TICKET_ENC_CB) && \ - defined(HAVE_SESSION_TICKET) - { wolfTLSv1_3_client_method, wolfTLSv1_3_server_method }, -#endif - }; - const size_t methodsLen = sizeof(methods)/sizeof(*methods); - size_t i, j; - - for (i = 0; i < methodsLen; i++) { - /* First run creates a connection while the second+ run will attempt - * to resume the connection. The trick is that the internal cache - * is turned off. wolfSSL_CTX_add_session should put the session in - * the cache anyway. */ - test_wolfSSL_CTX_add_session_client_sess = NULL; - test_wolfSSL_CTX_add_session_server_sess = NULL; - test_wolfSSL_CTX_add_session_server_ctx = NULL; - -#ifdef NO_SESSION_CACHE_REF - for (j = 0; j < 4; j++) { -#else - /* The session may be overwritten in this case. Do only one resumption - * to stop this test from failing intermittently. */ - for (j = 0; j < 2; j++) { -#endif -#ifdef WOLFSSL_TIRTOS - fdOpenSession(Task_self()); -#endif - - StartTCP(); - InitTcpReady(&ready); - - XMEMSET(&client_args, 0, sizeof(func_args)); - XMEMSET(&server_args, 0, sizeof(func_args)); - - XMEMSET(&client_cb, 0, sizeof(callback_functions)); - XMEMSET(&server_cb, 0, sizeof(callback_functions)); - client_cb.method = methods[i][0]; - server_cb.method = methods[i][1]; - - server_args.signal = &ready; - server_args.callbacks = &server_cb; - client_args.signal = &ready; - client_args.callbacks = &client_cb; - - if (test_wolfSSL_CTX_add_session_server_ctx != NULL) { - server_cb.ctx = test_wolfSSL_CTX_add_session_server_ctx; - server_cb.isSharedCtx = 1; - } - server_cb.ctx_ready = test_wolfSSL_CTX_add_session_ctx_ready; - client_cb.ctx_ready = test_wolfSSL_CTX_add_session_ctx_ready; - if (j != 0) - client_cb.ssl_ready = test_wolfSSL_CTX_add_session_ssl_ready; - server_cb.on_result = test_wolfSSL_CTX_add_session_on_result; - client_cb.on_result = test_wolfSSL_CTX_add_session_on_result; - server_cb.ticNoInit = 1; /* Use default builtin */ - - start_thread(test_server_nofail, &server_args, &serverThread); - wait_tcp_ready(&server_args); - test_client_nofail(&client_args, NULL); - join_thread(serverThread); - - ExpectTrue(client_args.return_code); - ExpectTrue(server_args.return_code); - - FreeTcpReady(&ready); - - if (EXPECT_FAIL()) - break; - } - wolfSSL_SESSION_free(test_wolfSSL_CTX_add_session_client_sess); - wolfSSL_SESSION_free(test_wolfSSL_CTX_add_session_server_sess); - wolfSSL_CTX_free(test_wolfSSL_CTX_add_session_server_ctx); - - if (EXPECT_FAIL()) - break; - } -#endif - - return EXPECT_RESULT(); -} -#if defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && defined(HAVE_EXT_CACHE) && \ - defined(WOLFSSL_TLS13) && !defined(NO_SESSION_CACHE) && \ - defined(OPENSSL_EXTRA) && defined(SESSION_CERTS) && \ - defined(HAVE_SESSION_TICKET) && \ - !defined(TITAN_SESSION_CACHE) && \ - !defined(HUGE_SESSION_CACHE) && \ - !defined(BIG_SESSION_CACHE) && \ - !defined(MEDIUM_SESSION_CACHE) - -/* twcase - prefix for test_wolfSSL_CTX_add_session_ext */ -/* Sessions to restore/store */ -static WOLFSSL_SESSION* twcase_server_first_session_ptr; -static WOLFSSL_SESSION* twcase_client_first_session_ptr; -static WOLFSSL_CTX* twcase_server_current_ctx_ptr; -static int twcase_new_session_called = 0; -static int twcase_remove_session_called = 0; -static int twcase_get_session_called = 0; - -/* Test default, SESSIONS_PER_ROW*SESSION_ROWS = 3*11, see ssl.c */ -#define SESSION_CACHE_SIZE 33 - -typedef struct { - const byte* key; /* key, altSessionID, session ID, NULL if empty */ - WOLFSSL_SESSION* value; -} hashTable_entry; - -typedef struct { - hashTable_entry entries[SESSION_CACHE_SIZE]; /* hash slots */ - size_t capacity; /* size of entries */ - size_t length; /* number of items in the hash table */ - wolfSSL_Mutex htLock; /* lock */ -}hashTable; - -static hashTable server_sessionCache; - -static int twcase_new_sessionCb(WOLFSSL *ssl, WOLFSSL_SESSION *sess) -{ - int i; - unsigned int len; - (void)ssl; - - /* - * This example uses a hash table. - * Steps you should take for a non-demo code: - * - acquire a lock for the file named according to the session id - * - open the file - * - encrypt and write the SSL_SESSION object to the file - * - release the lock - * - * Return: - * 0: The callback does not wish to hold a reference of the sess - * 1: The callback wants to hold a reference of the sess. The callback is - * now also responsible for calling wolfSSL_SESSION_free() on sess. - */ - if (sess == NULL) - return 0; - - if (wc_LockMutex(&server_sessionCache.htLock) != 0) { - return 0; - } - for (i = 0; i < SESSION_CACHE_SIZE; i++) { - if (server_sessionCache.entries[i].value == NULL) { - server_sessionCache.entries[i].key = SSL_SESSION_get_id(sess, &len); - server_sessionCache.entries[i].value = sess; - server_sessionCache.length++; - break; - } - } - ++twcase_new_session_called; - wc_UnLockMutex(&server_sessionCache.htLock); - fprintf(stderr, "\t\ttwcase_new_session_called %d\n", - twcase_new_session_called); - return 1; -} - -static void twcase_remove_sessionCb(WOLFSSL_CTX *ctx, WOLFSSL_SESSION *sess) -{ - int i; - (void)ctx; - (void)sess; - - if (sess == NULL) - return; - /* - * This example uses a hash table. - * Steps you should take for a non-demo code: - * - acquire a lock for the file named according to the session id - * - remove the file - * - release the lock - */ - if (wc_LockMutex(&server_sessionCache.htLock) != 0) { - return; - } - for (i = 0; i < SESSION_CACHE_SIZE; i++) { - if (server_sessionCache.entries[i].key != NULL && - XMEMCMP(server_sessionCache.entries[i].key, - sess->sessionID, SSL_MAX_SSL_SESSION_ID_LENGTH) == 0) { - wolfSSL_SESSION_free(server_sessionCache.entries[i].value); - server_sessionCache.entries[i].value = NULL; - server_sessionCache.entries[i].key = NULL; - server_sessionCache.length--; - break; - } - } - ++twcase_remove_session_called; - wc_UnLockMutex(&server_sessionCache.htLock); - fprintf(stderr, "\t\ttwcase_remove_session_called %d\n", - twcase_remove_session_called); -} - -static WOLFSSL_SESSION *twcase_get_sessionCb(WOLFSSL *ssl, - const unsigned char *id, int len, int *ref) -{ - int i; - (void)ssl; - (void)id; - (void)len; - - /* - * This example uses a hash table. - * Steps you should take for a non-demo code: - * - acquire a lock for the file named according to the session id in the - * 2nd arg - * - read and decrypt contents of file and create a new SSL_SESSION - * - object release the lock - * - return the new session object - */ - fprintf(stderr, "\t\ttwcase_get_session_called %d\n", - ++twcase_get_session_called); - /* This callback want to retain a copy of the object. If we want wolfSSL to - * be responsible for the pointer then set to 0. */ - *ref = 1; - - for (i = 0; i < SESSION_CACHE_SIZE; i++) { - if (server_sessionCache.entries[i].key != NULL && - XMEMCMP(server_sessionCache.entries[i].key, id, - SSL_MAX_SSL_SESSION_ID_LENGTH) == 0) { - return server_sessionCache.entries[i].value; - } - } - return NULL; -} -static int twcase_get_sessionCb_cleanup(void) -{ - int i; - int cnt = 0; - - /* If twcase_get_sessionCb sets *ref = 1, the application is responsible - * for freeing sessions */ - - for (i = 0; i < SESSION_CACHE_SIZE; i++) { - if (server_sessionCache.entries[i].value != NULL) { - wolfSSL_SESSION_free(server_sessionCache.entries[i].value); - cnt++; - } - } - - fprintf(stderr, "\t\ttwcase_get_sessionCb_cleanup freed %d sessions\n", - cnt); - - return TEST_SUCCESS; -} - -static int twcase_cache_intOff_extOff(WOLFSSL_CTX* ctx) -{ - EXPECT_DECLS; - /* off - Disable internal cache */ - ExpectIntEQ(wolfSSL_CTX_set_session_cache_mode(ctx, - WOLFSSL_SESS_CACHE_NO_INTERNAL_STORE), WOLFSSL_SUCCESS); -#ifdef OPENSSL_EXTRA - ExpectIntEQ(wolfSSL_CTX_get_session_cache_mode(ctx) & - WOLFSSL_SESS_CACHE_NO_INTERNAL_STORE, - WOLFSSL_SESS_CACHE_NO_INTERNAL_STORE); -#endif - /* off - Do not setup external cache */ - - /* Require both peers to provide certs */ - wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, NULL); - return EXPECT_RESULT(); -} - -static int twcase_cache_intOn_extOff(WOLFSSL_CTX* ctx) -{ - /* on - internal cache is on by default */ - /* off - Do not setup external cache */ - /* Require both peers to provide certs */ - wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, NULL); - return TEST_SUCCESS; -} - -static int twcase_cache_intOff_extOn(WOLFSSL_CTX* ctx) -{ - EXPECT_DECLS; - /* off - Disable internal cache */ - ExpectIntEQ(wolfSSL_CTX_set_session_cache_mode(ctx, - WOLFSSL_SESS_CACHE_NO_INTERNAL_STORE), WOLFSSL_SUCCESS); -#ifdef OPENSSL_EXTRA - ExpectIntEQ(wolfSSL_CTX_get_session_cache_mode(ctx) & - WOLFSSL_SESS_CACHE_NO_INTERNAL_STORE, - WOLFSSL_SESS_CACHE_NO_INTERNAL_STORE); -#endif - /* on - Enable external cache */ - wolfSSL_CTX_sess_set_new_cb(ctx, twcase_new_sessionCb); - wolfSSL_CTX_sess_set_remove_cb(ctx, twcase_remove_sessionCb); - wolfSSL_CTX_sess_set_get_cb(ctx, twcase_get_sessionCb); - - /* Require both peers to provide certs */ - wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, NULL); - return EXPECT_RESULT(); -} - -static int twcase_cache_intOn_extOn(WOLFSSL_CTX* ctx) -{ - /* on - internal cache is on by default */ - /* on - Enable external cache */ - wolfSSL_CTX_sess_set_new_cb(ctx, twcase_new_sessionCb); - wolfSSL_CTX_sess_set_remove_cb(ctx, twcase_remove_sessionCb); - wolfSSL_CTX_sess_set_get_cb(ctx, twcase_get_sessionCb); - - /* Require both peers to provide certs */ - wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, NULL); - return TEST_SUCCESS; -} -static int twcase_cache_intOn_extOn_noTicket(WOLFSSL_CTX* ctx) -{ - /* on - internal cache is on by default */ - /* on - Enable external cache */ - wolfSSL_CTX_sess_set_new_cb(ctx, twcase_new_sessionCb); - wolfSSL_CTX_sess_set_remove_cb(ctx, twcase_remove_sessionCb); - wolfSSL_CTX_sess_set_get_cb(ctx, twcase_get_sessionCb); - - wolfSSL_CTX_set_options(ctx, WOLFSSL_OP_NO_TICKET); - /* Require both peers to provide certs */ - wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, NULL); - return TEST_SUCCESS; -} -static int twcase_server_sess_ctx_pre_shutdown(WOLFSSL* ssl) -{ - EXPECT_DECLS; - WOLFSSL_SESSION** sess; - if (wolfSSL_is_server(ssl)) - sess = &twcase_server_first_session_ptr; - else - return TEST_SUCCESS; - - if (*sess == NULL) { - ExpectNotNull(*sess = wolfSSL_get1_session(ssl)); - /* Now save the session in the internal store to make it available - * for lookup. For TLS 1.3, we can't save the session without - * WOLFSSL_TICKET_HAVE_ID because there is no way to retrieve the - * session from cache. */ - if (wolfSSL_is_server(ssl) -#ifndef WOLFSSL_TICKET_HAVE_ID - && wolfSSL_version(ssl) != TLS1_3_VERSION - && wolfSSL_version(ssl) != DTLS1_3_VERSION -#endif - ) { - ExpectIntEQ(wolfSSL_CTX_add_session(wolfSSL_get_SSL_CTX(ssl), - *sess), WOLFSSL_SUCCESS); - } - } - /* Save CTX to be able to decrypt tickets */ - if (twcase_server_current_ctx_ptr == NULL) { - ExpectNotNull(twcase_server_current_ctx_ptr = wolfSSL_get_SSL_CTX(ssl)); - ExpectIntEQ(wolfSSL_CTX_up_ref(wolfSSL_get_SSL_CTX(ssl)), - WOLFSSL_SUCCESS); - } -#ifdef SESSION_CERTS -#ifndef WOLFSSL_TICKET_HAVE_ID - if (wolfSSL_version(ssl) != TLS1_3_VERSION && - wolfSSL_session_reused(ssl)) -#endif - { - /* With WOLFSSL_TICKET_HAVE_ID the peer certs should be available - * for all connections. TLS 1.3 only has tickets so if we don't - * include the session id in the ticket then the certificates - * will not be available on resumption. */ - #ifdef KEEP_PEER_CERT - WOLFSSL_X509* peer = NULL; - ExpectNotNull(peer = wolfSSL_get_peer_certificate(ssl)); - wolfSSL_X509_free(peer); - #endif - ExpectNotNull(wolfSSL_SESSION_get_peer_chain(*sess)); - } -#endif - return EXPECT_RESULT(); -} - -static int twcase_client_sess_ctx_pre_shutdown(WOLFSSL* ssl) -{ - EXPECT_DECLS; - WOLFSSL_SESSION** sess; - sess = &twcase_client_first_session_ptr; - if (*sess == NULL) { - ExpectNotNull(*sess = wolfSSL_get1_session(ssl)); - } - else { - /* If we have a session retrieved then remaining connections should be - * resuming on that session */ - ExpectIntEQ(wolfSSL_session_reused(ssl), 1); - } - -#ifdef SESSION_CERTS -#ifndef WOLFSSL_TICKET_HAVE_ID - if (wolfSSL_version(ssl) != TLS1_3_VERSION && - wolfSSL_session_reused(ssl)) -#endif - { - #ifdef KEEP_PEER_CERT - WOLFSSL_X509* peer = wolfSSL_get_peer_certificate(ssl); - ExpectNotNull(peer); - wolfSSL_X509_free(peer); - #endif - ExpectNotNull(wolfSSL_SESSION_get_peer_chain(*sess)); -#ifdef OPENSSL_EXTRA - ExpectNotNull(wolfSSL_SESSION_get0_peer(*sess)); -#endif - } -#endif - return EXPECT_RESULT(); -} -static int twcase_client_set_sess_ssl_ready(WOLFSSL* ssl) -{ - EXPECT_DECLS; - /* Set the session to reuse for the client */ - ExpectNotNull(ssl); - ExpectNotNull(twcase_client_first_session_ptr); - ExpectIntEQ(wolfSSL_set_session(ssl,twcase_client_first_session_ptr), - WOLFSSL_SUCCESS); - return EXPECT_RESULT(); -} - -struct test_add_session_ext_params { - method_provider client_meth; - method_provider server_meth; - const char* tls_version; -}; - -static int test_wolfSSL_CTX_add_session_ext( - struct test_add_session_ext_params* param) -{ - EXPECT_DECLS; - /* Test the default 33 sessions */ - int j; - - /* Clear cache before starting */ - wolfSSL_CTX_flush_sessions(NULL, -1); - - XMEMSET(&server_sessionCache, 0, sizeof(hashTable)); - if (wc_InitMutex(&server_sessionCache.htLock) != 0) - return BAD_MUTEX_E; - server_sessionCache.capacity = SESSION_CACHE_SIZE; - - fprintf(stderr, "\tBegin %s\n", param->tls_version); - for (j = 0; j < 5; j++) { - int tls13 = XSTRSTR(param->tls_version, "TLSv1_3") != NULL; - int dtls = XSTRSTR(param->tls_version, "DTLS") != NULL; - test_ssl_cbf client_cb; - test_ssl_cbf server_cb; - - (void)dtls; - - /* Test five cache configurations */ - twcase_client_first_session_ptr = NULL; - twcase_server_first_session_ptr = NULL; - twcase_server_current_ctx_ptr = NULL; - twcase_new_session_called = 0; - twcase_remove_session_called = 0; - twcase_get_session_called = 0; - - /* connection 1 - first connection */ - fprintf(stderr, "\tconnect: %s: j=%d\n", param->tls_version, j); - - XMEMSET(&client_cb, 0, sizeof(client_cb)); - XMEMSET(&server_cb, 0, sizeof(server_cb)); - client_cb.method = param->client_meth; - server_cb.method = param->server_meth; - - if (dtls) - client_cb.doUdp = server_cb.doUdp = 1; - - /* Setup internal and external cache */ - switch (j) { - case 0: - /* SSL_OP_NO_TICKET stateful ticket case */ - server_cb.ctx_ready = twcase_cache_intOn_extOn_noTicket; - break; - case 1: - server_cb.ctx_ready = twcase_cache_intOn_extOn; - break; - case 2: - server_cb.ctx_ready = twcase_cache_intOff_extOn; - break; - case 3: - server_cb.ctx_ready = twcase_cache_intOn_extOff; - break; - case 4: - server_cb.ctx_ready = twcase_cache_intOff_extOff; - break; - } - client_cb.ctx_ready = twcase_cache_intOff_extOff; - - /* Add session to internal cache and save SSL session for testing */ - server_cb.on_result = twcase_server_sess_ctx_pre_shutdown; - /* Save client SSL session for testing */ - client_cb.on_result = twcase_client_sess_ctx_pre_shutdown; - server_cb.ticNoInit = 1; /* Use default builtin */ - /* Don't free/release ctx */ - server_cb.ctx = twcase_server_current_ctx_ptr; - server_cb.isSharedCtx = 1; - - ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cb, - &server_cb, NULL), TEST_SUCCESS); - - ExpectIntEQ(twcase_get_session_called, 0); - if (EXPECT_FAIL()) { - wolfSSL_SESSION_free(twcase_client_first_session_ptr); - wolfSSL_SESSION_free(twcase_server_first_session_ptr); - wolfSSL_CTX_free(twcase_server_current_ctx_ptr); - break; - } - - switch (j) { - case 0: - case 1: - case 2: - /* cache cannot be searched with out a connection */ - /* Add a new session */ - ExpectIntEQ(twcase_new_session_called, 1); - /* In twcase_server_sess_ctx_pre_shutdown - * wolfSSL_CTX_add_session which evicts the existing session - * in cache and adds it back in */ - ExpectIntLE(twcase_remove_session_called, 1); - break; - case 3: - case 4: - /* no external cache */ - ExpectIntEQ(twcase_new_session_called, 0); - ExpectIntEQ(twcase_remove_session_called, 0); - break; - } - - /* connection 2 - session resume */ - fprintf(stderr, "\tresume: %s: j=%d\n", param->tls_version, j); - twcase_new_session_called = 0; - twcase_remove_session_called = 0; - twcase_get_session_called = 0; - server_cb.on_result = 0; - client_cb.on_result = 0; - server_cb.ticNoInit = 1; /* Use default builtin */ - - server_cb.ctx = twcase_server_current_ctx_ptr; - - /* try session resumption */ - client_cb.ssl_ready = twcase_client_set_sess_ssl_ready; - - ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cb, - &server_cb, NULL), TEST_SUCCESS); - - /* Clear cache before checking */ - wolfSSL_CTX_flush_sessions(NULL, -1); - - switch (j) { - case 0: - if (tls13) { - /* (D)TLSv1.3 stateful case */ - /* cache hit */ - /* DTLS accesses cache once for stateless parsing and - * once for stateful parsing */ - ExpectIntEQ(twcase_get_session_called, !dtls ? 1 : 2); - - /* (D)TLSv1.3 creates a new ticket, - * updates both internal and external cache */ - ExpectIntEQ(twcase_new_session_called, 1); - /* A new session ID is created for a new ticket */ - ExpectIntEQ(twcase_remove_session_called, 2); - - } - else { - /* non (D)TLSv1.3 case, no update */ - /* DTLS accesses cache once for stateless parsing and - * once for stateful parsing */ -#ifdef WOLFSSL_DTLS_NO_HVR_ON_RESUME - ExpectIntEQ(twcase_get_session_called, !dtls ? 1 : 2); -#else - ExpectIntEQ(twcase_get_session_called, 1); -#endif - ExpectIntEQ(twcase_new_session_called, 0); - /* Called on session added in - * twcase_server_sess_ctx_pre_shutdown */ - ExpectIntEQ(twcase_remove_session_called, 1); - } - break; - case 1: - if (tls13) { - /* (D)TLSv1.3 case */ - /* cache hit */ - ExpectIntEQ(twcase_get_session_called, 1); - /* (D)TLSv1.3 creates a new ticket, - * updates both internal and external cache */ - ExpectIntEQ(twcase_new_session_called, 1); - /* Called on session added in - * twcase_server_sess_ctx_pre_shutdown and by wolfSSL */ - ExpectIntEQ(twcase_remove_session_called, 1); - } - else { - /* non (D)TLSv1.3 case */ - /* cache hit */ - /* DTLS accesses cache once for stateless parsing and - * once for stateful parsing */ -#ifdef WOLFSSL_DTLS_NO_HVR_ON_RESUME - ExpectIntEQ(twcase_get_session_called, !dtls ? 1 : 2); -#else - ExpectIntEQ(twcase_get_session_called, 1); -#endif - ExpectIntEQ(twcase_new_session_called, 0); - /* Called on session added in - * twcase_server_sess_ctx_pre_shutdown */ - ExpectIntEQ(twcase_remove_session_called, 1); - } - break; - case 2: - if (tls13) { - /* (D)TLSv1.3 case */ - /* cache hit */ - ExpectIntEQ(twcase_get_session_called, 1); - /* (D)TLSv1.3 creates a new ticket, - * updates both internal and external cache */ - ExpectIntEQ(twcase_new_session_called, 1); - /* Called on session added in - * twcase_server_sess_ctx_pre_shutdown and by wolfSSL */ - ExpectIntEQ(twcase_remove_session_called, 1); - } - else { - /* non (D)TLSv1.3 case */ - /* cache hit */ - /* DTLS accesses cache once for stateless parsing and - * once for stateful parsing */ -#ifdef WOLFSSL_DTLS_NO_HVR_ON_RESUME - ExpectIntEQ(twcase_get_session_called, !dtls ? 1 : 2); -#else - ExpectIntEQ(twcase_get_session_called, 1); -#endif - ExpectIntEQ(twcase_new_session_called, 0); - /* Called on session added in - * twcase_server_sess_ctx_pre_shutdown */ - ExpectIntEQ(twcase_remove_session_called, 1); - } - break; - case 3: - case 4: - /* no external cache */ - ExpectIntEQ(twcase_get_session_called, 0); - ExpectIntEQ(twcase_new_session_called, 0); - ExpectIntEQ(twcase_remove_session_called, 0); - break; - } - wolfSSL_SESSION_free(twcase_client_first_session_ptr); - wolfSSL_SESSION_free(twcase_server_first_session_ptr); - wolfSSL_CTX_free(twcase_server_current_ctx_ptr); - - if (EXPECT_FAIL()) - break; - } - twcase_get_sessionCb_cleanup(); - XMEMSET(&server_sessionCache.entries, 0, - sizeof(server_sessionCache.entries)); - fprintf(stderr, "\tEnd %s\n", param->tls_version); - - wc_FreeMutex(&server_sessionCache.htLock); - - return EXPECT_RESULT(); -} -#endif - -static int test_wolfSSL_CTX_add_session_ext_tls13(void) -{ - EXPECT_DECLS; -#if defined(HAVE_IO_TESTS_DEPENDENCIES) && defined(HAVE_EXT_CACHE) && \ - defined(WOLFSSL_TLS13) && !defined(NO_SESSION_CACHE) && \ - defined(OPENSSL_EXTRA) && defined(SESSION_CERTS) && \ - defined(HAVE_SESSION_TICKET) && \ - !defined(TITAN_SESSION_CACHE) && \ - !defined(HUGE_SESSION_CACHE) && \ - !defined(BIG_SESSION_CACHE) && \ - !defined(MEDIUM_SESSION_CACHE) -#if defined(WOLFSSL_TLS13) && !defined(WOLFSSL_NO_DEF_TICKET_ENC_CB) && \ - defined(HAVE_SESSION_TICKET) && defined(WOLFSSL_TICKET_HAVE_ID) - struct test_add_session_ext_params param[1] = { - { wolfTLSv1_3_client_method, wolfTLSv1_3_server_method, "TLSv1_3" } - }; - ExpectIntEQ(test_wolfSSL_CTX_add_session_ext(param), TEST_SUCCESS); -#endif -#endif - return EXPECT_RESULT(); -} -static int test_wolfSSL_CTX_add_session_ext_dtls13(void) -{ - EXPECT_DECLS; -#if defined(HAVE_IO_TESTS_DEPENDENCIES) && defined(HAVE_EXT_CACHE) && \ - defined(WOLFSSL_TLS13) && !defined(NO_SESSION_CACHE) && \ - defined(OPENSSL_EXTRA) && defined(SESSION_CERTS) && \ - defined(HAVE_SESSION_TICKET) && \ - !defined(TITAN_SESSION_CACHE) && \ - !defined(HUGE_SESSION_CACHE) && \ - !defined(BIG_SESSION_CACHE) && \ - !defined(MEDIUM_SESSION_CACHE) -#if defined(WOLFSSL_TLS13) && !defined(WOLFSSL_NO_DEF_TICKET_ENC_CB) && \ - defined(HAVE_SESSION_TICKET) && defined(WOLFSSL_TICKET_HAVE_ID) -#ifdef WOLFSSL_DTLS13 - struct test_add_session_ext_params param[1] = { - { wolfDTLSv1_3_client_method, wolfDTLSv1_3_server_method, "DTLSv1_3" } - }; - ExpectIntEQ(test_wolfSSL_CTX_add_session_ext(param), TEST_SUCCESS); -#endif -#endif -#endif - return EXPECT_RESULT(); -} -static int test_wolfSSL_CTX_add_session_ext_tls12(void) -{ - EXPECT_DECLS; -#if defined(HAVE_IO_TESTS_DEPENDENCIES) && defined(HAVE_EXT_CACHE) && \ - defined(WOLFSSL_TLS13) && !defined(NO_SESSION_CACHE) && \ - defined(OPENSSL_EXTRA) && defined(SESSION_CERTS) && \ - defined(HAVE_SESSION_TICKET) && \ - !defined(TITAN_SESSION_CACHE) && \ - !defined(HUGE_SESSION_CACHE) && \ - !defined(BIG_SESSION_CACHE) && \ - !defined(MEDIUM_SESSION_CACHE) -#ifndef WOLFSSL_NO_TLS12 - struct test_add_session_ext_params param[1] = { - { wolfTLSv1_2_client_method, wolfTLSv1_2_server_method, "TLSv1_2" } - }; - ExpectIntEQ(test_wolfSSL_CTX_add_session_ext(param), TEST_SUCCESS); -#endif -#endif - return EXPECT_RESULT(); -} -static int test_wolfSSL_CTX_add_session_ext_dtls12(void) -{ - EXPECT_DECLS; -#if defined(HAVE_IO_TESTS_DEPENDENCIES) && defined(HAVE_EXT_CACHE) && \ - defined(WOLFSSL_TLS13) && !defined(NO_SESSION_CACHE) && \ - defined(OPENSSL_EXTRA) && defined(SESSION_CERTS) && \ - defined(HAVE_SESSION_TICKET) && \ - !defined(TITAN_SESSION_CACHE) && \ - !defined(HUGE_SESSION_CACHE) && \ - !defined(BIG_SESSION_CACHE) && \ - !defined(MEDIUM_SESSION_CACHE) -#ifndef WOLFSSL_NO_TLS12 -#ifdef WOLFSSL_DTLS - struct test_add_session_ext_params param[1] = { - { wolfDTLSv1_2_client_method, wolfDTLSv1_2_server_method, "DTLSv1_2" } - }; - ExpectIntEQ(test_wolfSSL_CTX_add_session_ext(param), TEST_SUCCESS); -#endif -#endif -#endif - return EXPECT_RESULT(); -} -static int test_wolfSSL_CTX_add_session_ext_tls11(void) -{ - EXPECT_DECLS; -#if defined(HAVE_IO_TESTS_DEPENDENCIES) && defined(HAVE_EXT_CACHE) && \ - defined(WOLFSSL_TLS13) && !defined(NO_SESSION_CACHE) && \ - defined(OPENSSL_EXTRA) && defined(SESSION_CERTS) && \ - defined(HAVE_SESSION_TICKET) && \ - !defined(TITAN_SESSION_CACHE) && \ - !defined(HUGE_SESSION_CACHE) && \ - !defined(BIG_SESSION_CACHE) && \ - !defined(MEDIUM_SESSION_CACHE) -#if !defined(NO_OLD_TLS) && ((!defined(NO_AES) && !defined(NO_AES_CBC)) || \ - !defined(NO_DES3)) - struct test_add_session_ext_params param[1] = { - { wolfTLSv1_1_client_method, wolfTLSv1_1_server_method, "TLSv1_1" } - }; - ExpectIntEQ(test_wolfSSL_CTX_add_session_ext(param), TEST_SUCCESS); -#endif -#endif - return EXPECT_RESULT(); -} -static int test_wolfSSL_CTX_add_session_ext_dtls1(void) -{ - EXPECT_DECLS; -#if defined(HAVE_IO_TESTS_DEPENDENCIES) && defined(HAVE_EXT_CACHE) && \ - defined(WOLFSSL_TLS13) && !defined(NO_SESSION_CACHE) && \ - defined(OPENSSL_EXTRA) && defined(SESSION_CERTS) && \ - defined(HAVE_SESSION_TICKET) && \ - !defined(TITAN_SESSION_CACHE) && \ - !defined(HUGE_SESSION_CACHE) && \ - !defined(BIG_SESSION_CACHE) && \ - !defined(MEDIUM_SESSION_CACHE) -#if !defined(NO_OLD_TLS) && ((!defined(NO_AES) && !defined(NO_AES_CBC)) || \ - !defined(NO_DES3)) -#ifdef WOLFSSL_DTLS - struct test_add_session_ext_params param[1] = { - { wolfDTLSv1_client_method, wolfDTLSv1_server_method, "DTLSv1_0" } - }; - ExpectIntEQ(test_wolfSSL_CTX_add_session_ext(param), TEST_SUCCESS); -#endif -#endif -#endif - return EXPECT_RESULT(); -} - -#if defined(WOLFSSL_DTLS) && defined(WOLFSSL_SESSION_EXPORT) -/* canned export of a session using older version 3 */ -static unsigned char version_3[] = { - 0xA5, 0xA3, 0x01, 0x88, 0x00, 0x3c, 0x00, 0x01, - 0x00, 0x00, 0x00, 0x80, 0x0C, 0x00, 0x00, 0x00, - 0x00, 0x80, 0x00, 0x1C, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x01, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, - 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x30, - 0x05, 0x09, 0x0A, 0x01, 0x01, 0x00, 0x0D, 0x05, - 0xFE, 0xFD, 0x01, 0x25, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x06, 0x00, 0x05, 0x00, 0x06, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x06, 0x00, 0x01, 0x00, 0x07, 0x00, 0x00, - 0x00, 0x30, 0x00, 0x00, 0x00, 0x10, 0x01, 0x01, - 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x3F, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x05, - 0x12, 0xCF, 0x22, 0xA1, 0x9F, 0x1C, 0x39, 0x1D, - 0x31, 0x11, 0x12, 0x1D, 0x11, 0x18, 0x0D, 0x0B, - 0xF3, 0xE1, 0x4D, 0xDC, 0xB1, 0xF1, 0x39, 0x98, - 0x91, 0x6C, 0x48, 0xE5, 0xED, 0x11, 0x12, 0xA0, - 0x00, 0xF2, 0x25, 0x4C, 0x09, 0x26, 0xD1, 0x74, - 0xDF, 0x23, 0x40, 0x15, 0x6A, 0x42, 0x2A, 0x26, - 0xA5, 0xAC, 0x56, 0xD5, 0x4A, 0x20, 0xB7, 0xE9, - 0xEF, 0xEB, 0xAF, 0xA8, 0x1E, 0x23, 0x7C, 0x04, - 0xAA, 0xA1, 0x6D, 0x92, 0x79, 0x7B, 0xFA, 0x80, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, - 0x0C, 0x79, 0x7B, 0xFA, 0x80, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0xAA, 0xA1, 0x6D, - 0x92, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x10, 0x00, 0x20, 0x00, 0x04, 0x00, - 0x10, 0x00, 0x10, 0x08, 0x02, 0x05, 0x08, 0x01, - 0x30, 0x28, 0x00, 0x00, 0x0F, 0x00, 0x02, 0x00, - 0x09, 0x31, 0x32, 0x37, 0x2E, 0x30, 0x2E, 0x30, - 0x2E, 0x31, 0xED, 0x4F -}; -#endif /* defined(WOLFSSL_DTLS) && defined(WOLFSSL_SESSION_EXPORT) */ - -static int test_wolfSSL_dtls_export(void) -{ - EXPECT_DECLS; -#if defined(WOLFSSL_DTLS) && defined(WOLFSSL_SESSION_EXPORT) - tcp_ready ready; - func_args client_args; - func_args server_args; - THREAD_TYPE serverThread; - callback_functions server_cbf; - callback_functions client_cbf; -#ifdef WOLFSSL_TIRTOS - fdOpenSession(Task_self()); -#endif - - InitTcpReady(&ready); - -#if defined(USE_WINDOWS_API) - /* use RNG to get random port if using windows */ - ready.port = GetRandomPort(); -#endif - - /* set using dtls */ - XMEMSET(&client_args, 0, sizeof(func_args)); - XMEMSET(&server_args, 0, sizeof(func_args)); - XMEMSET(&server_cbf, 0, sizeof(callback_functions)); - XMEMSET(&client_cbf, 0, sizeof(callback_functions)); - server_cbf.method = wolfDTLSv1_2_server_method; - client_cbf.method = wolfDTLSv1_2_client_method; - server_args.callbacks = &server_cbf; - client_args.callbacks = &client_cbf; - - server_args.signal = &ready; - client_args.signal = &ready; - - start_thread(run_wolfssl_server, &server_args, &serverThread); - wait_tcp_ready(&server_args); - run_wolfssl_client(&client_args); - join_thread(serverThread); - - ExpectTrue(client_args.return_code); - ExpectTrue(server_args.return_code); - - FreeTcpReady(&ready); - -#ifdef WOLFSSL_TIRTOS - fdOpenSession(Task_self()); -#endif - - if (EXPECT_SUCCESS()) { - SOCKET_T sockfd = 0; - WOLFSSL_CTX* ctx = NULL; - WOLFSSL* ssl = NULL; - char msg[64] = "hello wolfssl!"; - char reply[1024]; - int msgSz = (int)XSTRLEN(msg); - byte *session, *window; - unsigned int sessionSz = 0; - unsigned int windowSz = 0; - -#ifndef TEST_IPV6 - struct sockaddr_in peerAddr; -#else - struct sockaddr_in6 peerAddr; -#endif /* TEST_IPV6 */ - - int i; - - - /* Set ctx to DTLS 1.2 */ - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfDTLSv1_2_server_method())); - ExpectNotNull(ssl = wolfSSL_new(ctx)); - - /* test importing version 3 */ - ExpectIntGE(wolfSSL_dtls_import(ssl, version_3, sizeof(version_3)), 0); - - /* test importing bad length and bad version */ - version_3[2]++; - ExpectIntLT(wolfSSL_dtls_import(ssl, version_3, sizeof(version_3)), 0); - version_3[2]--; version_3[1] = 0XA0; - ExpectIntLT(wolfSSL_dtls_import(ssl, version_3, sizeof(version_3)), 0); - wolfSSL_free(ssl); - wolfSSL_CTX_free(ctx); - - - /* check storing client state after connection and storing window only */ -#ifdef WOLFSSL_TIRTOS - fdOpenSession(Task_self()); -#endif - - InitTcpReady(&ready); - -#if defined(USE_WINDOWS_API) - /* use RNG to get random port if using windows */ - ready.port = GetRandomPort(); -#endif - - /* set using dtls */ - XMEMSET(&server_args, 0, sizeof(func_args)); - XMEMSET(&server_cbf, 0, sizeof(callback_functions)); - server_cbf.method = wolfDTLSv1_2_server_method; - server_cbf.doUdp = 1; - server_args.callbacks = &server_cbf; - server_args.argc = 3; /* set loop_count to 3 */ - - - server_args.signal = &ready; - start_thread(test_server_nofail, &server_args, &serverThread); - wait_tcp_ready(&server_args); - - /* create and connect with client */ - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfDTLSv1_2_client_method())); - ExpectIntEQ(WOLFSSL_SUCCESS, - wolfSSL_CTX_load_verify_locations(ctx, caCertFile, 0)); - ExpectIntEQ(WOLFSSL_SUCCESS, - wolfSSL_CTX_use_certificate_file(ctx, cliCertFile, SSL_FILETYPE_PEM)); - ExpectIntEQ(WOLFSSL_SUCCESS, - wolfSSL_CTX_use_PrivateKey_file(ctx, cliKeyFile, SSL_FILETYPE_PEM)); - tcp_connect(&sockfd, wolfSSLIP, server_args.signal->port, 1, 0, NULL); - ExpectNotNull(ssl = wolfSSL_new(ctx)); - ExpectIntEQ(wolfSSL_set_fd(ssl, sockfd), WOLFSSL_SUCCESS); - - /* store server information connected too */ - XMEMSET(&peerAddr, 0, sizeof(peerAddr)); -#ifndef TEST_IPV6 - peerAddr.sin_family = AF_INET; - ExpectIntEQ(XINET_PTON(AF_INET, wolfSSLIP, &peerAddr.sin_addr),1); - peerAddr.sin_port = XHTONS(server_args.signal->port); -#else - peerAddr.sin6_family = AF_INET6; - ExpectIntEQ( - XINET_PTON(AF_INET6, wolfSSLIP, &peerAddr.sin6_addr),1); - peerAddr.sin6_port = XHTONS(server_args.signal->port); -#endif - - ExpectIntEQ(wolfSSL_dtls_set_peer(ssl, &peerAddr, sizeof(peerAddr)), - WOLFSSL_SUCCESS); - - ExpectIntEQ(wolfSSL_connect(ssl), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_dtls_export(ssl, NULL, &sessionSz), 0); - session = (byte*)XMALLOC(sessionSz, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - ExpectIntGT(wolfSSL_dtls_export(ssl, session, &sessionSz), 0); - ExpectIntEQ(wolfSSL_write(ssl, msg, msgSz), msgSz); - ExpectIntGT(wolfSSL_read(ssl, reply, sizeof(reply)), 0); - ExpectIntEQ(wolfSSL_dtls_export_state_only(ssl, NULL, &windowSz), 0); - window = (byte*)XMALLOC(windowSz, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - ExpectIntGT(wolfSSL_dtls_export_state_only(ssl, window, &windowSz), 0); - wolfSSL_free(ssl); - - for (i = 1; EXPECT_SUCCESS() && i < server_args.argc; i++) { - /* restore state */ - ExpectNotNull(ssl = wolfSSL_new(ctx)); - ExpectIntGT(wolfSSL_dtls_import(ssl, session, sessionSz), 0); - ExpectIntGT(wolfSSL_dtls_import(ssl, window, windowSz), 0); - ExpectIntEQ(wolfSSL_set_fd(ssl, sockfd), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_dtls_set_peer(ssl, &peerAddr, sizeof(peerAddr)), - WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_write(ssl, msg, msgSz), msgSz); - ExpectIntGE(wolfSSL_read(ssl, reply, sizeof(reply)), 0); - ExpectIntGT(wolfSSL_dtls_export_state_only(ssl, window, &windowSz), 0); - wolfSSL_free(ssl); - } - XFREE(session, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(window, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wolfSSL_CTX_free(ctx); - - fprintf(stderr, "done and waiting for server\n"); - join_thread(serverThread); - ExpectIntEQ(server_args.return_code, TEST_SUCCESS); - - FreeTcpReady(&ready); - -#ifdef WOLFSSL_TIRTOS - fdOpenSession(Task_self()); -#endif - } -#endif - - return EXPECT_RESULT(); -} - -#if defined(WOLFSSL_SESSION_EXPORT) && !defined(WOLFSSL_NO_TLS12) -#ifdef WOLFSSL_TLS13 -static const byte canned_client_tls13_session_v4[] = { - 0xA7, 0xA4, 0x01, 0x18, 0x00, 0x41, 0x00, 0x00, - 0x01, 0x00, 0x00, 0x80, 0x04, 0x00, 0x00, 0x00, - 0x00, 0x80, 0x00, 0x1C, 0x01, 0x00, 0x00, 0x01, - 0x00, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, - 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, - 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x13, - 0x01, 0x0A, 0x0F, 0x10, 0x01, 0x02, 0x09, 0x00, - 0x05, 0x00, 0x00, 0x00, 0x00, 0x03, 0x04, 0x00, - 0xB7, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x01, 0x00, 0x00, 0x00, 0x27, 0x00, 0x00, 0x00, - 0x11, 0x01, 0x01, 0x00, 0x20, 0x84, 0x4F, 0x18, - 0xD8, 0xC1, 0x24, 0xD8, 0xBB, 0x17, 0x9E, 0x31, - 0xA3, 0xF8, 0xA7, 0x3C, 0xBA, 0xEC, 0xFA, 0xB4, - 0x7F, 0xC5, 0x78, 0xEB, 0x6D, 0xE3, 0x2B, 0x7B, - 0x94, 0xBE, 0x20, 0x11, 0x7E, 0x17, 0x10, 0xA7, - 0x10, 0x19, 0xEC, 0x62, 0xCC, 0xBE, 0xF5, 0x01, - 0x35, 0x3C, 0xEA, 0xEF, 0x44, 0x3C, 0x40, 0xA2, - 0xBC, 0x18, 0x43, 0xA1, 0xA1, 0x65, 0x5C, 0x48, - 0xE2, 0xF9, 0x38, 0xEB, 0x11, 0x10, 0x72, 0x7C, - 0x78, 0x22, 0x13, 0x3B, 0x19, 0x40, 0xF0, 0x73, - 0xBE, 0x96, 0x14, 0x78, 0x26, 0xB9, 0x6B, 0x2E, - 0x72, 0x22, 0x0D, 0x90, 0x94, 0xDD, 0x78, 0x77, - 0xFC, 0x0C, 0x2E, 0x63, 0x6E, 0xF0, 0x0C, 0x35, - 0x41, 0xCD, 0xF3, 0x49, 0x31, 0x08, 0xD0, 0x6F, - 0x02, 0x3D, 0xC1, 0xD3, 0xB7, 0xEE, 0x3A, 0xA0, - 0x8E, 0xA1, 0x4D, 0xC3, 0x2E, 0x5E, 0x06, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0C, - 0x35, 0x41, 0xCD, 0xF3, 0x49, 0x31, 0x08, 0xD0, - 0x6F, 0x02, 0x3D, 0xC1, 0xD3, 0xB7, 0xEE, 0x3A, - 0xA0, 0x8E, 0xA1, 0x4D, 0xC3, 0x2E, 0x5E, 0x06, - 0x00, 0x10, 0x00, 0x10, 0x00, 0x0C, 0x00, 0x10, - 0x00, 0x10, 0x07, 0x02, 0x04, 0x00, 0x00, 0x20, - 0x28, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x03 -}; - -static const byte canned_client_tls13_session_v5[] = { - 0xa7, 0xa5, 0x01, 0x19, 0x00, 0x42, 0x00, 0x00, 0x01, 0x00, 0x00, 0x80, - 0x04, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x1c, 0x01, 0x00, 0x00, 0x01, - 0x00, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, - 0x00, 0x00, 0x00, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, - 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x13, 0x01, 0x0a, 0x0f, 0x10, - 0x01, 0x02, 0x09, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x01, 0x03, 0x04, - 0x00, 0xb7, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x27, 0x00, 0x00, - 0x00, 0x11, 0x01, 0x01, 0x00, 0x20, 0x84, 0x4f, 0x18, 0xd8, 0xc1, 0x24, - 0xd8, 0xbb, 0x17, 0x9e, 0x31, 0xa3, 0xf8, 0xa7, 0x3c, 0xba, 0xec, 0xfa, - 0xb4, 0x7f, 0xc5, 0x78, 0xeb, 0x6d, 0xe3, 0x2b, 0x7b, 0x94, 0xbe, 0x20, - 0x11, 0x7e, 0x17, 0x10, 0xa7, 0x10, 0x19, 0xec, 0x62, 0xcc, 0xbe, 0xf5, - 0x01, 0x35, 0x3c, 0xea, 0xef, 0x44, 0x3c, 0x40, 0xa2, 0xbc, 0x18, 0x43, - 0xa1, 0xa1, 0x65, 0x5c, 0x48, 0xe2, 0xf9, 0x38, 0xeb, 0x11, 0x10, 0x72, - 0x7c, 0x78, 0x22, 0x13, 0x3b, 0x19, 0x40, 0xf0, 0x73, 0xbe, 0x96, 0x14, - 0x78, 0x26, 0xb9, 0x6b, 0x2e, 0x72, 0x22, 0x0d, 0x90, 0x94, 0xdd, 0x78, - 0x77, 0xfc, 0x0c, 0x2e, 0x63, 0x6e, 0xf0, 0x0c, 0x35, 0x41, 0xcd, 0xf3, - 0x49, 0x31, 0x08, 0xd0, 0x6f, 0x02, 0x3d, 0xc1, 0xd3, 0xb7, 0xee, 0x3a, - 0xa0, 0x8e, 0xa1, 0x4d, 0xc3, 0x2e, 0x5e, 0x06, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x0c, 0x35, 0x41, 0xcd, 0xf3, 0x49, 0x31, 0x08, - 0xd0, 0x6f, 0x02, 0x3d, 0xc1, 0xd3, 0xb7, 0xee, 0x3a, 0xa0, 0x8e, 0xa1, - 0x4d, 0xc3, 0x2e, 0x5e, 0x06, 0x00, 0x10, 0x00, 0x10, 0x00, 0x0c, 0x00, - 0x10, 0x00, 0x10, 0x07, 0x02, 0x04, 0x00, 0x00, 0x20, 0x28, 0x00, 0x00, - 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03 -}; - -static const byte canned_server_tls13_session[] = { - 0xA7, 0xA4, 0x01, 0x18, 0x00, 0x41, 0x01, 0x00, - 0x01, 0x00, 0x00, 0x80, 0x04, 0x00, 0x00, 0x00, - 0x00, 0x80, 0x00, 0x1C, 0x01, 0x00, 0x00, 0x00, - 0x00, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, - 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x13, - 0x01, 0x0A, 0x0F, 0x10, 0x01, 0x02, 0x00, 0x0F, - 0x05, 0x00, 0x00, 0x00, 0x00, 0x03, 0x04, 0x00, - 0xB7, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x02, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, - 0x11, 0x01, 0x01, 0x00, 0x20, 0x84, 0x4F, 0x18, - 0xD8, 0xC1, 0x24, 0xD8, 0xBB, 0x17, 0x9E, 0x31, - 0xA3, 0xF8, 0xA7, 0x3C, 0xBA, 0xEC, 0xFA, 0xB4, - 0x7F, 0xC5, 0x78, 0xEB, 0x6D, 0xE3, 0x2B, 0x7B, - 0x94, 0xBE, 0x20, 0x11, 0x7E, 0x17, 0x10, 0xA7, - 0x10, 0x19, 0xEC, 0x62, 0xCC, 0xBE, 0xF5, 0x01, - 0x35, 0x3C, 0xEA, 0xEF, 0x44, 0x3C, 0x40, 0xA2, - 0xBC, 0x18, 0x43, 0xA1, 0xA1, 0x65, 0x5C, 0x48, - 0xE2, 0xF9, 0x38, 0xEB, 0x11, 0x10, 0x72, 0x7C, - 0x78, 0x22, 0x13, 0x3B, 0x19, 0x40, 0xF0, 0x73, - 0xBE, 0x96, 0x14, 0x78, 0x26, 0xB9, 0x6B, 0x2E, - 0x72, 0x22, 0x0D, 0x90, 0x94, 0xDD, 0x78, 0x77, - 0xFC, 0x0C, 0x2E, 0x63, 0x6E, 0xF0, 0x0C, 0x35, - 0x41, 0xCD, 0xF3, 0x49, 0x31, 0x08, 0xD0, 0x6F, - 0x02, 0x3D, 0xC1, 0xD3, 0xB7, 0xEE, 0x3A, 0xA0, - 0x8E, 0xA1, 0x4D, 0xC3, 0x2E, 0x5E, 0x06, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0C, - 0xD3, 0xB7, 0xEE, 0x3A, 0xA0, 0x8E, 0xA1, 0x4D, - 0xC3, 0x2E, 0x5E, 0x06, 0x35, 0x41, 0xCD, 0xF3, - 0x49, 0x31, 0x08, 0xD0, 0x6F, 0x02, 0x3D, 0xC1, - 0x00, 0x10, 0x00, 0x10, 0x00, 0x0C, 0x00, 0x10, - 0x00, 0x10, 0x07, 0x02, 0x04, 0x00, 0x00, 0x20, - 0x28, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x04 -}; -#endif /* WOLFSSL_TLS13 */ - -static const byte canned_client_session_v4[] = { - 0xA7, 0xA4, 0x01, 0x40, 0x00, 0x41, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x80, 0x02, 0x00, 0x00, 0x00, - 0x00, 0x80, 0x00, 0x1C, 0x00, 0x00, 0x00, 0x01, - 0x00, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, - 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, - 0x27, 0x0A, 0x0D, 0x10, 0x01, 0x01, 0x0A, 0x00, - 0x05, 0x00, 0x01, 0x01, 0x01, 0x03, 0x03, 0x00, - 0xBF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x02, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, - 0x0A, 0x01, 0x01, 0x00, 0x20, 0x69, 0x11, 0x6D, - 0x97, 0x15, 0x6E, 0x52, 0x27, 0xD6, 0x1D, 0x1D, - 0xF5, 0x0D, 0x59, 0xA5, 0xAC, 0x2E, 0x8C, 0x0E, - 0xCB, 0x26, 0x1E, 0xE2, 0xCE, 0xBB, 0xCE, 0xE1, - 0x7D, 0xD7, 0xEF, 0xA5, 0x44, 0x80, 0x2A, 0xDE, - 0xBB, 0x75, 0xB0, 0x1D, 0x75, 0x17, 0x20, 0x4C, - 0x08, 0x05, 0x1B, 0xBA, 0x60, 0x1F, 0x6C, 0x91, - 0x8C, 0xAA, 0xBB, 0xE5, 0xA3, 0x0B, 0x12, 0x3E, - 0xC0, 0x35, 0x43, 0x1D, 0xE2, 0x10, 0xE2, 0x02, - 0x92, 0x4B, 0x8F, 0x05, 0xA9, 0x4B, 0xCC, 0x90, - 0xC3, 0x0E, 0xC2, 0x0F, 0xE9, 0x33, 0x85, 0x9B, - 0x3C, 0x19, 0x21, 0xD5, 0x62, 0xE5, 0xE1, 0x17, - 0x8F, 0x8C, 0x19, 0x52, 0xD8, 0x59, 0x10, 0x2D, - 0x20, 0x6F, 0xBA, 0xC1, 0x1C, 0xD1, 0x82, 0xC7, - 0x32, 0x1B, 0xBB, 0xCC, 0x30, 0x03, 0xD7, 0x3A, - 0xC8, 0x18, 0xED, 0x58, 0xC8, 0x11, 0xFE, 0x71, - 0x9C, 0x71, 0xD8, 0x6B, 0xE0, 0x25, 0x64, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0C, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x10, 0x00, 0x10, 0x00, 0x10, 0x00, 0x10, - 0x00, 0x00, 0x06, 0x01, 0x04, 0x08, 0x01, 0x20, - 0x28, 0x00, 0x09, 0xE1, 0x50, 0x70, 0x02, 0x2F, - 0x7E, 0xDA, 0xBD, 0x40, 0xC5, 0x58, 0x87, 0xCE, - 0x43, 0xF3, 0xC5, 0x8F, 0xA1, 0x59, 0x93, 0xEF, - 0x7E, 0xD3, 0xD0, 0xB5, 0x87, 0x1D, 0x81, 0x54, - 0x14, 0x63, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x03 -}; - -static const byte canned_client_session_v5[] = { - 0xa7, 0xa5, 0x01, 0x41, 0x00, 0x42, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, - 0x02, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x1c, 0x00, 0x00, 0x00, 0x01, - 0x00, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, - 0x00, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x27, 0x0a, 0x0d, 0x10, - 0x01, 0x01, 0x0a, 0x00, 0x05, 0x00, 0x01, 0x01, 0x01, 0x01, 0x03, 0x03, - 0x00, 0xbf, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, - 0x00, 0x0a, 0x01, 0x01, 0x00, 0x20, 0x69, 0x11, 0x6d, 0x97, 0x15, 0x6e, - 0x52, 0x27, 0xd6, 0x1d, 0x1d, 0xf5, 0x0d, 0x59, 0xa5, 0xac, 0x2e, 0x8c, - 0x0e, 0xcb, 0x26, 0x1e, 0xe2, 0xce, 0xbb, 0xce, 0xe1, 0x7d, 0xd7, 0xef, - 0xa5, 0x44, 0x80, 0x2a, 0xde, 0xbb, 0x75, 0xb0, 0x1d, 0x75, 0x17, 0x20, - 0x4c, 0x08, 0x05, 0x1b, 0xba, 0x60, 0x1f, 0x6c, 0x91, 0x8c, 0xaa, 0xbb, - 0xe5, 0xa3, 0x0b, 0x12, 0x3e, 0xc0, 0x35, 0x43, 0x1d, 0xe2, 0x10, 0xe2, - 0x02, 0x92, 0x4b, 0x8f, 0x05, 0xa9, 0x4b, 0xcc, 0x90, 0xc3, 0x0e, 0xc2, - 0x0f, 0xe9, 0x33, 0x85, 0x9b, 0x3c, 0x19, 0x21, 0xd5, 0x62, 0xe5, 0xe1, - 0x17, 0x8f, 0x8c, 0x19, 0x52, 0xd8, 0x59, 0x10, 0x2d, 0x20, 0x6f, 0xba, - 0xc1, 0x1c, 0xd1, 0x82, 0xc7, 0x32, 0x1b, 0xbb, 0xcc, 0x30, 0x03, 0xd7, - 0x3a, 0xc8, 0x18, 0xed, 0x58, 0xc8, 0x11, 0xfe, 0x71, 0x9c, 0x71, 0xd8, - 0x6b, 0xe0, 0x25, 0x64, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x10, 0x00, 0x10, 0x00, 0x10, 0x00, 0x10, 0x00, 0x00, 0x06, - 0x01, 0x04, 0x08, 0x01, 0x20, 0x28, 0x00, 0x09, 0xe1, 0x50, 0x70, 0x02, - 0x2f, 0x7e, 0xda, 0xbd, 0x40, 0xc5, 0x58, 0x87, 0xce, 0x43, 0xf3, 0xc5, - 0x8f, 0xa1, 0x59, 0x93, 0xef, 0x7e, 0xd3, 0xd0, 0xb5, 0x87, 0x1d, 0x81, - 0x54, 0x14, 0x63, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03 -}; - - -static const byte canned_server_session[] = { - 0xA7, 0xA4, 0x01, 0x40, 0x00, 0x41, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x80, 0x02, 0x00, 0x00, 0x00, - 0x00, 0x80, 0x00, 0x1C, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, - 0x27, 0x08, 0x0F, 0x10, 0x01, 0x01, 0x00, 0x11, - 0x05, 0x00, 0x01, 0x01, 0x01, 0x03, 0x03, 0x00, - 0xBF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x02, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, - 0x0A, 0x01, 0x01, 0x00, 0x20, 0x69, 0x11, 0x6D, - 0x97, 0x15, 0x6E, 0x52, 0x27, 0xD6, 0x1D, 0x1D, - 0xF5, 0x0D, 0x59, 0xA5, 0xAC, 0x2E, 0x8C, 0x0E, - 0xCB, 0x26, 0x1E, 0xE2, 0xCE, 0xBB, 0xCE, 0xE1, - 0x7D, 0xD7, 0xEF, 0xA5, 0x44, 0x80, 0x2A, 0xDE, - 0xBB, 0x75, 0xB0, 0x1D, 0x75, 0x17, 0x20, 0x4C, - 0x08, 0x05, 0x1B, 0xBA, 0x60, 0x1F, 0x6C, 0x91, - 0x8C, 0xAA, 0xBB, 0xE5, 0xA3, 0x0B, 0x12, 0x3E, - 0xC0, 0x35, 0x43, 0x1D, 0xE2, 0x10, 0xE2, 0x02, - 0x92, 0x4B, 0x8F, 0x05, 0xA9, 0x4B, 0xCC, 0x90, - 0xC3, 0x0E, 0xC2, 0x0F, 0xE9, 0x33, 0x85, 0x9B, - 0x3C, 0x19, 0x21, 0xD5, 0x62, 0xE5, 0xE1, 0x17, - 0x8F, 0x8C, 0x19, 0x52, 0xD8, 0x59, 0x10, 0x2D, - 0x20, 0x6F, 0xBA, 0xC1, 0x1C, 0xD1, 0x82, 0xC7, - 0x32, 0x1B, 0xBB, 0xCC, 0x30, 0x03, 0xD7, 0x3A, - 0xC8, 0x18, 0xED, 0x58, 0xC8, 0x11, 0xFE, 0x71, - 0x9C, 0x71, 0xD8, 0x6B, 0xE0, 0x25, 0x64, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0C, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x10, 0x00, 0x10, 0x00, 0x10, 0x00, 0x10, - 0x00, 0x00, 0x06, 0x01, 0x04, 0x08, 0x01, 0x20, - 0x28, 0x00, 0xC5, 0x8F, 0xA1, 0x59, 0x93, 0xEF, - 0x7E, 0xD3, 0xD0, 0xB5, 0x87, 0x1D, 0x81, 0x54, - 0x14, 0x63, 0x09, 0xE1, 0x50, 0x70, 0x02, 0x2F, - 0x7E, 0xDA, 0xBD, 0x40, 0xC5, 0x58, 0x87, 0xCE, - 0x43, 0xF3, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x04 -}; - -static THREAD_RETURN WOLFSSL_THREAD tls_export_server(void* args) -{ - SOCKET_T sockfd = 0; - SOCKET_T clientfd = 0; - word16 port; - - callback_functions* cbf; - WOLFSSL_CTX* ctx = 0; - WOLFSSL* ssl = 0; - - char msg[] = "I hear you fa shizzle!"; - char input[1024]; - int idx; - -#ifdef WOLFSSL_TIRTOS - fdOpenSession(Task_self()); -#endif - - ((func_args*)args)->return_code = TEST_FAIL; - cbf = ((func_args*)args)->callbacks; - -#if defined(USE_WINDOWS_API) - port = ((func_args*)args)->signal->port; -#elif defined(NO_MAIN_DRIVER) && !defined(WOLFSSL_SNIFFER) && \ - !defined(WOLFSSL_MDK_SHELL) && !defined(WOLFSSL_TIRTOS) - /* Let tcp_listen assign port */ - port = 0; -#else - /* Use default port */ - port = wolfSSLPort; -#endif - - /* do it here to detect failure */ - tcp_accept(&sockfd, &clientfd, (func_args*)args, port, 0, 0, 0, 0, 1, 0, 0); - CloseSocket(sockfd); - - { - WOLFSSL_METHOD* method = NULL; - if (cbf != NULL && cbf->method != NULL) { - method = cbf->method(); - } - else { - method = wolfTLSv1_2_server_method(); - } - ctx = wolfSSL_CTX_new(method); - } - if (ctx == NULL) { - goto done; - } - wolfSSL_CTX_set_cipher_list(ctx, "ECDHE-RSA-AES128-SHA256"); - - /* call ctx setup callback */ - if (cbf != NULL && cbf->ctx_ready != NULL) { - cbf->ctx_ready(ctx); - } - - ssl = wolfSSL_new(ctx); - if (ssl == NULL) { - goto done; - } - wolfSSL_set_fd(ssl, clientfd); - - /* call ssl setup callback */ - if (cbf != NULL && cbf->ssl_ready != NULL) { - cbf->ssl_ready(ssl); - } - idx = wolfSSL_read(ssl, input, sizeof(input)-1); - if (idx > 0) { - input[idx] = '\0'; - fprintf(stderr, "Client message export/import: %s\n", input); - } - else { - fprintf(stderr, "ret = %d error = %d\n", idx, - wolfSSL_get_error(ssl, idx)); - goto done; - } - - if (wolfSSL_write(ssl, msg, sizeof(msg)) != sizeof(msg)) { - /*err_sys("SSL_write failed");*/ - WOLFSSL_RETURN_FROM_THREAD(0); - } - -#ifdef WOLFSSL_TIRTOS - Task_yield(); -#endif - - ((func_args*)args)->return_code = TEST_SUCCESS; - -done: - wolfSSL_shutdown(ssl); - wolfSSL_free(ssl); - wolfSSL_CTX_free(ctx); - - CloseSocket(clientfd); - -#ifdef WOLFSSL_TIRTOS - fdCloseSession(Task_self()); -#endif - -#if defined(NO_MAIN_DRIVER) && defined(HAVE_ECC) && defined(FP_ECC) \ - && defined(HAVE_THREAD_LS) - wc_ecc_fp_free(); /* free per thread cache */ -#endif - -#if defined(HAVE_SESSION_TICKET) && \ - ((defined(HAVE_CHACHA) && defined(HAVE_POLY1305)) || defined(HAVE_AESGCM)) -#if defined(OPENSSL_EXTRA) && defined(HAVE_AESGCM) - OpenSSLTicketCleanup(); -#elif defined(WOLFSSL_NO_DEF_TICKET_ENC_CB) - TicketCleanup(); -#endif -#endif - - WOLFSSL_RETURN_FROM_THREAD(0); -} - - -static void load_tls12_canned_server(WOLFSSL* ssl) -{ - int clientfd = wolfSSL_get_fd(ssl); - AssertIntEQ(wolfSSL_tls_import(ssl, canned_server_session, - sizeof(canned_server_session)), sizeof(canned_server_session)); - wolfSSL_set_fd(ssl, clientfd); -} - - -#ifdef WOLFSSL_TLS13 -static void load_tls13_canned_server(WOLFSSL* ssl) -{ - int clientfd = wolfSSL_get_fd(ssl); - AssertIntEQ(wolfSSL_tls_import(ssl, canned_server_tls13_session, - sizeof(canned_server_tls13_session)), - sizeof(canned_server_tls13_session)); - wolfSSL_set_fd(ssl, clientfd); -} -#endif - - -/* v is for version WOLFSSL_TLSV1_2 or WOLFSSL_TLSV1_3 */ -static int test_wolfSSL_tls_export_run(method_provider server_method, - method_provider client_method, ssl_callback ssl_ready, - const byte* clientSession, int clientSessionSz, int cmpSess) -{ - EXPECT_DECLS; - SOCKET_T sockfd = 0; - WOLFSSL_CTX* ctx = 0; - WOLFSSL* ssl = 0; - char msg[64] = "hello wolfssl!"; - char reply[1024]; - word32 replySz; - int msgSz = (int)XSTRLEN(msg); - - tcp_ready ready; - func_args server_args; - THREAD_TYPE serverThread; - callback_functions server_cbf; - -#ifdef WOLFSSL_TIRTOS - fdOpenSession(Task_self()); -#endif - - (void)cmpSess; - - InitTcpReady(&ready); - -#if defined(USE_WINDOWS_API) - /* use RNG to get random port if using windows */ - ready.port = GetRandomPort(); -#endif - - XMEMSET(&server_args, 0, sizeof(func_args)); - XMEMSET(&server_cbf, 0, sizeof(callback_functions)); - server_cbf.method = server_method; - server_cbf.ssl_ready = ssl_ready; - ExpectNotNull(ctx = wolfSSL_CTX_new(client_method())); - server_args.callbacks = &server_cbf; - server_args.signal = &ready; - - start_thread(tls_export_server, &server_args, &serverThread); - wait_tcp_ready(&server_args); - - -#ifdef WOLFSSL_TIRTOS - fdOpenSession(Task_self()); -#endif - - ExpectNotNull(ssl = wolfSSL_new(ctx)); - tcp_connect(&sockfd, wolfSSLIP, ready.port, 0, 0, ssl); - ExpectIntEQ(wolfSSL_tls_import(ssl, clientSession, clientSessionSz), - clientSessionSz); - replySz = sizeof(reply); - ExpectIntGT(wolfSSL_tls_export(ssl, (byte*)reply, &replySz), 0); -#if !defined(NO_PSK) && defined(HAVE_ANON) - if (cmpSess) { - /* index 20 has is setting if PSK was on and 49 is if anon is allowed */ - ExpectIntEQ(replySz, clientSessionSz); - ExpectBufEQ(reply, clientSession, replySz); - } -#endif - wolfSSL_set_fd(ssl, sockfd); - - ExpectIntEQ(wolfSSL_write(ssl, msg, msgSz), msgSz); - ExpectIntGT(wolfSSL_read(ssl, reply, sizeof(reply)-1), 0); - - wolfSSL_free(ssl); - wolfSSL_CTX_free(ctx); - - CloseSocket(sockfd); - -#ifdef WOLFSSL_TIRTOS - fdCloseSession(Task_self()); -#endif - -#if defined(NO_MAIN_DRIVER) && defined(HAVE_ECC) && defined(FP_ECC) \ - && defined(HAVE_THREAD_LS) - wc_ecc_fp_free(); /* free per thread cache */ -#endif - - join_thread(serverThread); - - ExpectIntEQ(server_args.return_code, TEST_SUCCESS); - FreeTcpReady(&ready); - -#ifdef WOLFSSL_TIRTOS - fdOpenSession(Task_self()); -#endif - - return EXPECT_RESULT(); -} -#endif - -static int test_wolfSSL_tls_export(void) -{ - EXPECT_DECLS; -#if defined(WOLFSSL_SESSION_EXPORT) && !defined(WOLFSSL_NO_TLS12) - EXPECT_TEST(test_wolfSSL_tls_export_run(wolfTLSv1_2_server_method, - wolfTLSv1_2_client_method, load_tls12_canned_server, - canned_client_session_v4, sizeof(canned_client_session_v4), 0)); - EXPECT_TEST(test_wolfSSL_tls_export_run(wolfTLSv1_2_server_method, - wolfTLSv1_2_client_method, load_tls12_canned_server, - canned_client_session_v5, sizeof(canned_client_session_v5), 1)); - #ifdef WOLFSSL_TLS13 - EXPECT_TEST(test_wolfSSL_tls_export_run(wolfTLSv1_3_server_method, - wolfTLSv1_3_client_method, load_tls13_canned_server, - canned_client_tls13_session_v4, sizeof(canned_client_tls13_session_v4), - 0)); - EXPECT_TEST(test_wolfSSL_tls_export_run(wolfTLSv1_3_server_method, - wolfTLSv1_3_client_method, load_tls13_canned_server, - canned_client_tls13_session_v5, sizeof(canned_client_tls13_session_v5), - 1)); - #endif -#endif - - return EXPECT_RESULT(); -} - -/*----------------------------------------------------------------------------* - | TLS extensions tests - *----------------------------------------------------------------------------*/ - -#ifdef ENABLE_TLS_CALLBACK_TEST -/* Connection test runner - generic */ -static void test_wolfSSL_client_server(callback_functions* client_callbacks, - callback_functions* server_callbacks) -{ - tcp_ready ready; - func_args client_args; - func_args server_args; - THREAD_TYPE serverThread; - - XMEMSET(&client_args, 0, sizeof(func_args)); - XMEMSET(&server_args, 0, sizeof(func_args)); - - StartTCP(); - - client_args.callbacks = client_callbacks; - server_args.callbacks = server_callbacks; - -#ifdef WOLFSSL_TIRTOS - fdOpenSession(Task_self()); -#endif - - /* RUN Server side */ - InitTcpReady(&ready); - -#if defined(USE_WINDOWS_API) - /* use RNG to get random port if using windows */ - ready.port = GetRandomPort(); -#endif - - server_args.signal = &ready; - client_args.signal = &ready; - start_thread(run_wolfssl_server, &server_args, &serverThread); - wait_tcp_ready(&server_args); - - /* RUN Client side */ - run_wolfssl_client(&client_args); - join_thread(serverThread); - - FreeTcpReady(&ready); -#ifdef WOLFSSL_TIRTOS - fdCloseSession(Task_self()); -#endif - - client_callbacks->return_code = client_args.return_code; - server_callbacks->return_code = server_args.return_code; -} -#endif /* ENABLE_TLS_CALLBACK_TEST */ - - -#ifdef HAVE_SNI -static int test_wolfSSL_UseSNI_params(void) -{ - EXPECT_DECLS; -#if !defined(NO_WOLFSSL_CLIENT) - WOLFSSL_CTX *ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()); - WOLFSSL *ssl = wolfSSL_new(ctx); - - ExpectNotNull(ctx); - ExpectNotNull(ssl); - - /* invalid [ctx|ssl] */ - ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_UseSNI(NULL, 0, "ctx", 3)); - ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_UseSNI( NULL, 0, "ssl", 3)); - /* invalid type */ - ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_UseSNI(ctx, (byte)-1, "ctx", 3)); - ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_UseSNI( ssl, (byte)-1, "ssl", 3)); - /* invalid data */ - ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_UseSNI(ctx, 0, NULL, 3)); - ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_UseSNI( ssl, 0, NULL, 3)); - /* success case */ - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_UseSNI(ctx, 0, "ctx", 3)); - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_UseSNI( ssl, 0, "ssl", 3)); - - wolfSSL_free(ssl); - wolfSSL_CTX_free(ctx); -#endif /* !NO_WOLFSSL_CLIENT */ - - return EXPECT_RESULT(); -} - -/* BEGIN of connection tests callbacks */ -static void use_SNI_at_ctx(WOLFSSL_CTX* ctx) -{ - AssertIntEQ(WOLFSSL_SUCCESS, - wolfSSL_CTX_UseSNI(ctx, WOLFSSL_SNI_HOST_NAME, "www.wolfssl.com", 15)); -} - -static void use_SNI_at_ssl(WOLFSSL* ssl) -{ - AssertIntEQ(WOLFSSL_SUCCESS, - wolfSSL_UseSNI(ssl, WOLFSSL_SNI_HOST_NAME, "www.wolfssl.com", 15)); -} - -static void different_SNI_at_ssl(WOLFSSL* ssl) -{ - AssertIntEQ(WOLFSSL_SUCCESS, - wolfSSL_UseSNI(ssl, WOLFSSL_SNI_HOST_NAME, "ww2.wolfssl.com", 15)); -} - -static void use_SNI_WITH_CONTINUE_at_ssl(WOLFSSL* ssl) -{ - use_SNI_at_ssl(ssl); - wolfSSL_SNI_SetOptions(ssl, WOLFSSL_SNI_HOST_NAME, - WOLFSSL_SNI_CONTINUE_ON_MISMATCH); -} - -static void use_SNI_WITH_FAKE_ANSWER_at_ssl(WOLFSSL* ssl) -{ - use_SNI_at_ssl(ssl); - wolfSSL_SNI_SetOptions(ssl, WOLFSSL_SNI_HOST_NAME, - WOLFSSL_SNI_ANSWER_ON_MISMATCH); -} - -static void use_MANDATORY_SNI_at_ctx(WOLFSSL_CTX* ctx) -{ - use_SNI_at_ctx(ctx); - wolfSSL_CTX_SNI_SetOptions(ctx, WOLFSSL_SNI_HOST_NAME, - WOLFSSL_SNI_ABORT_ON_ABSENCE); -} - -static void use_MANDATORY_SNI_at_ssl(WOLFSSL* ssl) -{ - use_SNI_at_ssl(ssl); - wolfSSL_SNI_SetOptions(ssl, WOLFSSL_SNI_HOST_NAME, - WOLFSSL_SNI_ABORT_ON_ABSENCE); -} - -static void use_PSEUDO_MANDATORY_SNI_at_ctx(WOLFSSL_CTX* ctx) -{ - use_SNI_at_ctx(ctx); - wolfSSL_CTX_SNI_SetOptions(ctx, WOLFSSL_SNI_HOST_NAME, - WOLFSSL_SNI_ANSWER_ON_MISMATCH | WOLFSSL_SNI_ABORT_ON_ABSENCE); -} - -static void verify_UNKNOWN_SNI_on_server(WOLFSSL* ssl) -{ - AssertIntEQ(WC_NO_ERR_TRACE(UNKNOWN_SNI_HOST_NAME_E), - wolfSSL_get_error(ssl, 0)); -} - -static void verify_SNI_ABSENT_on_server(WOLFSSL* ssl) -{ - AssertIntEQ(WC_NO_ERR_TRACE(SNI_ABSENT_ERROR), wolfSSL_get_error(ssl, 0)); -} - -static void verify_SNI_no_matching(WOLFSSL* ssl) -{ - byte type = WOLFSSL_SNI_HOST_NAME; - void* request = (void*) &type; /* to be overwritten */ - - AssertIntEQ(WOLFSSL_SNI_NO_MATCH, wolfSSL_SNI_Status(ssl, type)); - AssertNotNull(request); - AssertIntEQ(0, wolfSSL_SNI_GetRequest(ssl, type, &request)); - AssertNull(request); -} - -static void verify_SNI_real_matching(WOLFSSL* ssl) -{ - byte type = WOLFSSL_SNI_HOST_NAME; - void* request = NULL; - - AssertIntEQ(WOLFSSL_SNI_REAL_MATCH, wolfSSL_SNI_Status(ssl, type)); - AssertIntEQ(15, wolfSSL_SNI_GetRequest(ssl, type, &request)); - AssertNotNull(request); - AssertStrEQ("www.wolfssl.com", (char*)request); -} - -static void verify_SNI_fake_matching(WOLFSSL* ssl) -{ - byte type = WOLFSSL_SNI_HOST_NAME; - void* request = NULL; - - AssertIntEQ(WOLFSSL_SNI_FAKE_MATCH, wolfSSL_SNI_Status(ssl, type)); - AssertIntEQ(15, wolfSSL_SNI_GetRequest(ssl, type, &request)); - AssertNotNull(request); - AssertStrEQ("ww2.wolfssl.com", (char*)request); -} - -static void verify_FATAL_ERROR_on_client(WOLFSSL* ssl) -{ - AssertIntEQ(WC_NO_ERR_TRACE(FATAL_ERROR), wolfSSL_get_error(ssl, 0)); -} -/* END of connection tests callbacks */ - -static int test_wolfSSL_UseSNI_connection(void) -{ - int res = TEST_SKIPPED; -#if !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) - callback_functions client_cb; - callback_functions server_cb; - size_t i; -#ifdef WOLFSSL_STATIC_MEMORY - byte cliMem[TEST_TLS_STATIC_MEMSZ]; - byte svrMem[TEST_TLS_STATIC_MEMSZ]; -#endif - struct { - method_provider client_meth; - method_provider server_meth; - #ifdef WOLFSSL_STATIC_MEMORY - wolfSSL_method_func client_meth_ex; - wolfSSL_method_func server_meth_ex; - #endif - } methods[] = { -#if defined(WOLFSSL_NO_TLS12) && !defined(WOLFSSL_TLS13) - {wolfSSLv23_client_method, wolfSSLv23_server_method - #ifdef WOLFSSL_STATIC_MEMORY - ,wolfSSLv23_client_method_ex, wolfSSLv23_server_method_ex - #endif - }, -#endif -#ifndef WOLFSSL_NO_TLS12 - {wolfTLSv1_2_client_method, wolfTLSv1_2_server_method - #ifdef WOLFSSL_STATIC_MEMORY - ,wolfTLSv1_2_client_method_ex, wolfTLSv1_2_server_method_ex - #endif - }, -#endif -#ifdef WOLFSSL_TLS13 - {wolfTLSv1_3_client_method, wolfTLSv1_3_server_method - #ifdef WOLFSSL_STATIC_MEMORY - ,wolfTLSv1_3_client_method_ex, wolfTLSv1_3_server_method_ex - #endif - }, -#endif - }; - size_t methodsSz = sizeof(methods) / sizeof(*methods); - - for (i = 0; i < methodsSz; i++) { - XMEMSET(&client_cb, 0, sizeof(callback_functions)); - XMEMSET(&server_cb, 0, sizeof(callback_functions)); - client_cb.method = methods[i].client_meth; - server_cb.method = methods[i].server_meth; - client_cb.devId = testDevId; - server_cb.devId = testDevId; - #ifdef WOLFSSL_STATIC_MEMORY - client_cb.method_ex = methods[i].client_meth_ex; - server_cb.method_ex = methods[i].server_meth_ex; - client_cb.mem = cliMem; - client_cb.memSz = (word32)sizeof(cliMem); - server_cb.mem = svrMem; - server_cb.memSz = (word32)sizeof(svrMem);; - #endif - - /* success case at ctx */ - fprintf(stderr, "\n\tsuccess case at ctx\n"); - client_cb.ctx_ready = use_SNI_at_ctx; client_cb.ssl_ready = NULL; client_cb.on_result = NULL; - server_cb.ctx_ready = use_SNI_at_ctx; server_cb.ssl_ready = NULL; server_cb.on_result = verify_SNI_real_matching; - test_wolfSSL_client_server(&client_cb, &server_cb); - - /* success case at ssl */ - fprintf(stderr, "\tsuccess case at ssl\n"); - client_cb.ctx_ready = NULL; client_cb.ssl_ready = use_SNI_at_ssl; client_cb.on_result = verify_SNI_real_matching; - server_cb.ctx_ready = NULL; server_cb.ssl_ready = use_SNI_at_ssl; server_cb.on_result = verify_SNI_real_matching; - test_wolfSSL_client_server(&client_cb, &server_cb); - - /* default mismatch behavior */ - fprintf(stderr, "\tdefault mismatch behavior\n"); - client_cb.ctx_ready = NULL; client_cb.ssl_ready = different_SNI_at_ssl; client_cb.on_result = verify_FATAL_ERROR_on_client; - server_cb.ctx_ready = NULL; server_cb.ssl_ready = use_SNI_at_ssl; server_cb.on_result = verify_UNKNOWN_SNI_on_server; - test_wolfSSL_client_server(&client_cb, &server_cb); - - /* continue on mismatch */ - fprintf(stderr, "\tcontinue on mismatch\n"); - client_cb.ctx_ready = NULL; client_cb.ssl_ready = different_SNI_at_ssl; client_cb.on_result = NULL; - server_cb.ctx_ready = NULL; server_cb.ssl_ready = use_SNI_WITH_CONTINUE_at_ssl; server_cb.on_result = verify_SNI_no_matching; - test_wolfSSL_client_server(&client_cb, &server_cb); - - /* fake answer on mismatch */ - fprintf(stderr, "\tfake answer on mismatch\n"); - client_cb.ctx_ready = NULL; client_cb.ssl_ready = different_SNI_at_ssl; client_cb.on_result = NULL; - server_cb.ctx_ready = NULL; server_cb.ssl_ready = use_SNI_WITH_FAKE_ANSWER_at_ssl; server_cb.on_result = verify_SNI_fake_matching; - test_wolfSSL_client_server(&client_cb, &server_cb); - - /* sni abort - success */ - fprintf(stderr, "\tsni abort - success\n"); - client_cb.ctx_ready = use_SNI_at_ctx; client_cb.ssl_ready = NULL; client_cb.on_result = NULL; - server_cb.ctx_ready = use_MANDATORY_SNI_at_ctx; server_cb.ssl_ready = NULL; server_cb.on_result = verify_SNI_real_matching; - test_wolfSSL_client_server(&client_cb, &server_cb); - - /* sni abort - abort when absent (ctx) */ - fprintf(stderr, "\tsni abort - abort when absent (ctx)\n"); - client_cb.ctx_ready = NULL; client_cb.ssl_ready = NULL; client_cb.on_result = verify_FATAL_ERROR_on_client; - server_cb.ctx_ready = use_MANDATORY_SNI_at_ctx; server_cb.ssl_ready = NULL; server_cb.on_result = verify_SNI_ABSENT_on_server; - test_wolfSSL_client_server(&client_cb, &server_cb); - - /* sni abort - abort when absent (ssl) */ - fprintf(stderr, "\tsni abort - abort when absent (ssl)\n"); - client_cb.ctx_ready = NULL; client_cb.ssl_ready = NULL; client_cb.on_result = verify_FATAL_ERROR_on_client; - server_cb.ctx_ready = NULL; server_cb.ssl_ready = use_MANDATORY_SNI_at_ssl; server_cb.on_result = verify_SNI_ABSENT_on_server; - test_wolfSSL_client_server(&client_cb, &server_cb); - - /* sni abort - success when overwritten */ - fprintf(stderr, "\tsni abort - success when overwritten\n"); - client_cb.ctx_ready = NULL; client_cb.ssl_ready = NULL; client_cb.on_result = NULL; - server_cb.ctx_ready = use_MANDATORY_SNI_at_ctx; server_cb.ssl_ready = use_SNI_at_ssl; server_cb.on_result = verify_SNI_no_matching; - test_wolfSSL_client_server(&client_cb, &server_cb); - - /* sni abort - success when allowing mismatches */ - fprintf(stderr, "\tsni abort - success when allowing mismatches\n"); - client_cb.ctx_ready = NULL; client_cb.ssl_ready = different_SNI_at_ssl; client_cb.on_result = NULL; - server_cb.ctx_ready = use_PSEUDO_MANDATORY_SNI_at_ctx; server_cb.ssl_ready = NULL; server_cb.on_result = verify_SNI_fake_matching; - test_wolfSSL_client_server(&client_cb, &server_cb); - } - - res = TEST_RES_CHECK(1); -#endif /* !NO_WOLFSSL_CLIENT && !NO_WOLFSSL_SERVER */ - - return res; -} - -static int test_wolfSSL_SNI_GetFromBuffer(void) -{ - EXPECT_DECLS; - byte buff[] = { /* www.paypal.com */ - 0x00, 0x00, 0x00, 0x00, 0xff, 0x01, 0x00, 0x00, 0x60, 0x03, 0x03, 0x5c, - 0xc4, 0xb3, 0x8c, 0x87, 0xef, 0xa4, 0x09, 0xe0, 0x02, 0xab, 0x86, 0xca, - 0x76, 0xf0, 0x9e, 0x01, 0x65, 0xf6, 0xa6, 0x06, 0x13, 0x1d, 0x0f, 0xa5, - 0x79, 0xb0, 0xd4, 0x77, 0x22, 0xeb, 0x1a, 0x00, 0x00, 0x16, 0x00, 0x6b, - 0x00, 0x67, 0x00, 0x39, 0x00, 0x33, 0x00, 0x3d, 0x00, 0x3c, 0x00, 0x35, - 0x00, 0x2f, 0x00, 0x05, 0x00, 0x04, 0x00, 0x0a, 0x01, 0x00, 0x00, 0x21, - 0x00, 0x00, 0x00, 0x13, 0x00, 0x11, 0x00, 0x00, 0x0e, 0x77, 0x77, 0x77, - 0x2e, 0x70, 0x61, 0x79, 0x70, 0x61, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x00, - 0x0d, 0x00, 0x06, 0x00, 0x04, 0x04, 0x01, 0x02, 0x01 - }; - - byte buff2[] = { /* api.textmate.org */ - 0x16, 0x03, 0x01, 0x00, 0xc6, 0x01, 0x00, 0x00, 0xc2, 0x03, 0x03, 0x52, - 0x8b, 0x7b, 0xca, 0x69, 0xec, 0x97, 0xd5, 0x08, 0x03, 0x50, 0xfe, 0x3b, - 0x99, 0xc3, 0x20, 0xce, 0xa5, 0xf6, 0x99, 0xa5, 0x71, 0xf9, 0x57, 0x7f, - 0x04, 0x38, 0xf6, 0x11, 0x0b, 0xb8, 0xd3, 0x00, 0x00, 0x5e, 0x00, 0xff, - 0xc0, 0x24, 0xc0, 0x23, 0xc0, 0x0a, 0xc0, 0x09, 0xc0, 0x07, 0xc0, 0x08, - 0xc0, 0x28, 0xc0, 0x27, 0xc0, 0x14, 0xc0, 0x13, 0xc0, 0x11, 0xc0, 0x12, - 0xc0, 0x26, 0xc0, 0x25, 0xc0, 0x2a, 0xc0, 0x29, 0xc0, 0x05, 0xc0, 0x04, - 0xc0, 0x02, 0xc0, 0x03, 0xc0, 0x0f, 0xc0, 0x0e, 0xc0, 0x0c, 0xc0, 0x0d, - 0x00, 0x3d, 0x00, 0x3c, 0x00, 0x2f, 0x00, 0x05, 0x00, 0x04, 0x00, 0x35, - 0x00, 0x0a, 0x00, 0x67, 0x00, 0x6b, 0x00, 0x33, 0x00, 0x39, 0x00, 0x16, - 0x00, 0xaf, 0x00, 0xae, 0x00, 0x8d, 0x00, 0x8c, 0x00, 0x8a, 0x00, 0x8b, - 0x00, 0xb1, 0x00, 0xb0, 0x00, 0x2c, 0x00, 0x3b, 0x01, 0x00, 0x00, 0x3b, - 0x00, 0x00, 0x00, 0x15, 0x00, 0x13, 0x00, 0x00, 0x10, 0x61, 0x70, 0x69, - 0x2e, 0x74, 0x65, 0x78, 0x74, 0x6d, 0x61, 0x74, 0x65, 0x2e, 0x6f, 0x72, - 0x67, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x17, 0x00, 0x18, 0x00, - 0x19, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x0d, 0x00, 0x0c, 0x00, - 0x0a, 0x05, 0x01, 0x04, 0x01, 0x02, 0x01, 0x04, 0x03, 0x02, 0x03 - }; - - byte buff3[] = { /* no sni extension */ - 0x16, 0x03, 0x03, 0x00, 0x4d, 0x01, 0x00, 0x00, 0x49, 0x03, 0x03, 0xea, - 0xa1, 0x9f, 0x60, 0xdd, 0x52, 0x12, 0x13, 0xbd, 0x84, 0x34, 0xd5, 0x1c, - 0x38, 0x25, 0xa8, 0x97, 0xd2, 0xd5, 0xc6, 0x45, 0xaf, 0x1b, 0x08, 0xe4, - 0x1e, 0xbb, 0xdf, 0x9d, 0x39, 0xf0, 0x65, 0x00, 0x00, 0x16, 0x00, 0x6b, - 0x00, 0x67, 0x00, 0x39, 0x00, 0x33, 0x00, 0x3d, 0x00, 0x3c, 0x00, 0x35, - 0x00, 0x2f, 0x00, 0x05, 0x00, 0x04, 0x00, 0x0a, 0x01, 0x00, 0x00, 0x0a, - 0x00, 0x0d, 0x00, 0x06, 0x00, 0x04, 0x04, 0x01, 0x02, 0x01 - }; - - byte buff4[] = { /* last extension has zero size */ - 0x16, 0x03, 0x01, 0x00, 0xba, 0x01, 0x00, 0x00, - 0xb6, 0x03, 0x03, 0x83, 0xa3, 0xe6, 0xdc, 0x16, 0xa1, 0x43, 0xe9, 0x45, - 0x15, 0xbd, 0x64, 0xa9, 0xb6, 0x07, 0xb4, 0x50, 0xc6, 0xdd, 0xff, 0xc2, - 0xd3, 0x0d, 0x4f, 0x36, 0xb4, 0x41, 0x51, 0x61, 0xc1, 0xa5, 0x9e, 0x00, - 0x00, 0x28, 0xcc, 0x14, 0xcc, 0x13, 0xc0, 0x2b, 0xc0, 0x2f, 0x00, 0x9e, - 0xc0, 0x0a, 0xc0, 0x09, 0xc0, 0x13, 0xc0, 0x14, 0xc0, 0x07, 0xc0, 0x11, - 0x00, 0x33, 0x00, 0x32, 0x00, 0x39, 0x00, 0x9c, 0x00, 0x2f, 0x00, 0x35, - 0x00, 0x0a, 0x00, 0x05, 0x00, 0x04, 0x01, 0x00, 0x00, 0x65, 0xff, 0x01, - 0x00, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x17, 0x00, - 0x18, 0x00, 0x19, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, - 0x00, 0x33, 0x74, 0x00, 0x00, 0x00, 0x10, 0x00, 0x1b, 0x00, 0x19, 0x06, - 0x73, 0x70, 0x64, 0x79, 0x2f, 0x33, 0x08, 0x73, 0x70, 0x64, 0x79, 0x2f, - 0x33, 0x2e, 0x31, 0x08, 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31, - 0x75, 0x50, 0x00, 0x00, 0x00, 0x05, 0x00, 0x05, 0x01, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x0d, 0x00, 0x12, 0x00, 0x10, 0x04, 0x01, 0x05, 0x01, 0x02, - 0x01, 0x04, 0x03, 0x05, 0x03, 0x02, 0x03, 0x04, 0x02, 0x02, 0x02, 0x00, - 0x12, 0x00, 0x00 - }; - - byte buff5[] = { /* SSL v2.0 client hello */ - 0x00, 0x2b, 0x01, 0x03, 0x01, 0x00, 0x09, 0x00, 0x00, - /* dummy bytes below, just to pass size check */ - 0xb6, 0x03, 0x03, 0x83, 0xa3, 0xe6, 0xdc, 0x16, 0xa1, 0x43, 0xe9, 0x45, - 0x15, 0xbd, 0x64, 0xa9, 0xb6, 0x07, 0xb4, 0x50, 0xc6, 0xdd, 0xff, 0xc2, - 0xd3, 0x0d, 0x4f, 0x36, 0xb4, 0x41, 0x51, 0x61, 0xc1, 0xa5, 0x9e, 0x00, - }; - - byte result[32] = {0}; - word32 length = 32; - - ExpectIntEQ(0, wolfSSL_SNI_GetFromBuffer(buff4, sizeof(buff4), - 0, result, &length)); - - ExpectIntEQ(0, wolfSSL_SNI_GetFromBuffer(buff3, sizeof(buff3), - 0, result, &length)); - - ExpectIntEQ(0, wolfSSL_SNI_GetFromBuffer(buff2, sizeof(buff2), - 1, result, &length)); - - ExpectIntEQ(WC_NO_ERR_TRACE(BUFFER_ERROR), wolfSSL_SNI_GetFromBuffer(buff, sizeof(buff), - 0, result, &length)); - buff[0] = 0x16; - - ExpectIntEQ(WC_NO_ERR_TRACE(BUFFER_ERROR), wolfSSL_SNI_GetFromBuffer(buff, sizeof(buff), - 0, result, &length)); - buff[1] = 0x03; - - ExpectIntEQ(WC_NO_ERR_TRACE(SNI_UNSUPPORTED), wolfSSL_SNI_GetFromBuffer(buff, - sizeof(buff), 0, result, &length)); - buff[2] = 0x03; - - ExpectIntEQ(WC_NO_ERR_TRACE(INCOMPLETE_DATA), wolfSSL_SNI_GetFromBuffer(buff, - sizeof(buff), 0, result, &length)); - buff[4] = 0x64; - - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_SNI_GetFromBuffer(buff, sizeof(buff), - 0, result, &length)); - if (EXPECT_SUCCESS()) - result[length] = 0; - ExpectStrEQ("www.paypal.com", (const char*) result); - - length = 32; - - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_SNI_GetFromBuffer(buff2, sizeof(buff2), - 0, result, &length)); - if (EXPECT_SUCCESS()) - result[length] = 0; - ExpectStrEQ("api.textmate.org", (const char*) result); - - /* SSL v2.0 tests */ - ExpectIntEQ(WC_NO_ERR_TRACE(SNI_UNSUPPORTED), wolfSSL_SNI_GetFromBuffer(buff5, - sizeof(buff5), 0, result, &length)); - - buff5[2] = 0x02; - ExpectIntEQ(WC_NO_ERR_TRACE(BUFFER_ERROR), wolfSSL_SNI_GetFromBuffer(buff5, - sizeof(buff5), 0, result, &length)); - - buff5[2] = 0x01; buff5[6] = 0x08; - ExpectIntEQ(WC_NO_ERR_TRACE(BUFFER_ERROR), wolfSSL_SNI_GetFromBuffer(buff5, - sizeof(buff5), 0, result, &length)); - - buff5[6] = 0x09; buff5[8] = 0x01; - ExpectIntEQ(WC_NO_ERR_TRACE(BUFFER_ERROR), wolfSSL_SNI_GetFromBuffer(buff5, - sizeof(buff5), 0, result, &length)); - - return EXPECT_RESULT(); -} - -#endif /* HAVE_SNI */ - -#endif /* HAVE_IO_TESTS_DEPENDENCIES */ - - -#if defined(WOLFSSL_DTLS) && defined(WOLFSSL_SESSION_EXPORT) && \ - defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) -/* Dummy peer functions to satisfy the exporter/importer */ -static int test_wolfSSL_dtls_export_peers_get_peer(WOLFSSL* ssl, char* ip, - int* ipSz, unsigned short* port, int* fam) -{ - (void)ssl; - ip[0] = -1; - *ipSz = 1; - *port = 1; - *fam = 2; - return 1; -} - -static int test_wolfSSL_dtls_export_peers_set_peer(WOLFSSL* ssl, char* ip, - int ipSz, unsigned short port, int fam) -{ - (void)ssl; - if (ip[0] != -1 || ipSz != 1 || port != 1 || fam != 2) - return 0; - return 1; -} - -static int test_wolfSSL_dtls_export_peers_on_handshake(WOLFSSL_CTX **ctx, - WOLFSSL **ssl) -{ - EXPECT_DECLS; - unsigned char* sessionBuf = NULL; - unsigned int sessionSz = 0; - void* ioWriteCtx = wolfSSL_GetIOWriteCtx(*ssl); - void* ioReadCtx = wolfSSL_GetIOReadCtx(*ssl); - - wolfSSL_CTX_SetIOGetPeer(*ctx, test_wolfSSL_dtls_export_peers_get_peer); - wolfSSL_CTX_SetIOSetPeer(*ctx, test_wolfSSL_dtls_export_peers_set_peer); - ExpectIntGE(wolfSSL_dtls_export(*ssl, NULL, &sessionSz), 0); - ExpectNotNull(sessionBuf = - (unsigned char*)XMALLOC(sessionSz, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER)); - ExpectIntGE(wolfSSL_dtls_export(*ssl, sessionBuf, &sessionSz), 0); - wolfSSL_free(*ssl); - *ssl = NULL; - ExpectNotNull(*ssl = wolfSSL_new(*ctx)); - ExpectIntGE(wolfSSL_dtls_import(*ssl, sessionBuf, sessionSz), 0); - wolfSSL_SetIOWriteCtx(*ssl, ioWriteCtx); - wolfSSL_SetIOReadCtx(*ssl, ioReadCtx); - - XFREE(sessionBuf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - return EXPECT_RESULT(); -} -#endif - -static int test_wolfSSL_dtls_export_peers(void) -{ - EXPECT_DECLS; -#if defined(WOLFSSL_DTLS) && defined(WOLFSSL_SESSION_EXPORT) && \ - defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) - test_ssl_cbf client_cbf; - test_ssl_cbf server_cbf; - size_t i, j; - struct test_params { - method_provider client_meth; - method_provider server_meth; - const char* dtls_version; - } params[] = { -#ifndef NO_OLD_TLS - {wolfDTLSv1_client_method, wolfDTLSv1_server_method, "1.0"}, -#endif - {wolfDTLSv1_2_client_method, wolfDTLSv1_2_server_method, "1.2"}, - /* TODO DTLS 1.3 exporting not supported -#ifdef WOLFSSL_DTLS13 - {wolfDTLSv1_3_client_method, wolfDTLSv1_3_server_method, "1.3"}, -#endif - */ - }; - - for (i = 0; i < sizeof(params)/sizeof(*params); i++) { - for (j = 0; j <= 3; j++) { - XMEMSET(&client_cbf, 0, sizeof(client_cbf)); - XMEMSET(&server_cbf, 0, sizeof(server_cbf)); - - printf("\n\tTesting DTLS %s connection;", params[i].dtls_version); - - client_cbf.method = params[i].client_meth; - server_cbf.method = params[i].server_meth; - - if (j & 0x1) { - client_cbf.on_handshake = - test_wolfSSL_dtls_export_peers_on_handshake; - printf(" With client export;"); - } - if (j & 0x2) { - server_cbf.on_handshake = - test_wolfSSL_dtls_export_peers_on_handshake; - printf(" With server export;"); - } - - printf("\n"); - - ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cbf, - &server_cbf, NULL), TEST_SUCCESS); - if (!EXPECT_SUCCESS()) - break; - } - } -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_UseTrustedCA(void) -{ - EXPECT_DECLS; -#if defined(HAVE_TRUSTED_CA) && !defined(NO_CERTS) && !defined(NO_FILESYSTEM) \ - && !defined(NO_RSA) -#if !defined(NO_TLS) && \ - (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) - WOLFSSL_CTX *ctx = NULL; - WOLFSSL *ssl = NULL; - byte id[20]; - -#ifndef NO_WOLFSSL_SERVER - ExpectNotNull((ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()))); - ExpectTrue(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile, WOLFSSL_FILETYPE_PEM)); - ExpectTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, WOLFSSL_FILETYPE_PEM)); -#else - ExpectNotNull((ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()))); -#endif - ExpectNotNull((ssl = wolfSSL_new(ctx))); - XMEMSET(id, 0, sizeof(id)); - - /* error cases */ - ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_UseTrustedCA(NULL, 0, NULL, 0)); - ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_UseTrustedCA(ssl, - WOLFSSL_TRUSTED_CA_CERT_SHA1+1, NULL, 0)); - ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_UseTrustedCA(ssl, - WOLFSSL_TRUSTED_CA_CERT_SHA1, NULL, 0)); - ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_UseTrustedCA(ssl, - WOLFSSL_TRUSTED_CA_CERT_SHA1, id, 5)); -#ifdef NO_SHA - ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_UseTrustedCA(ssl, - WOLFSSL_TRUSTED_CA_KEY_SHA1, id, sizeof(id))); -#endif - ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_UseTrustedCA(ssl, - WOLFSSL_TRUSTED_CA_X509_NAME, id, 0)); - - /* success cases */ - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_UseTrustedCA(ssl, - WOLFSSL_TRUSTED_CA_PRE_AGREED, NULL, 0)); -#ifndef NO_SHA - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_UseTrustedCA(ssl, - WOLFSSL_TRUSTED_CA_KEY_SHA1, id, sizeof(id))); -#endif - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_UseTrustedCA(ssl, - WOLFSSL_TRUSTED_CA_X509_NAME, id, 5)); - - wolfSSL_free(ssl); - wolfSSL_CTX_free(ctx); -#endif /* !NO_TLS && (!NO_WOLFSSL_CLIENT || !NO_WOLFSSL_SERVER) */ -#endif /* HAVE_TRUSTED_CA */ - return EXPECT_RESULT(); -} - -static int test_wolfSSL_UseMaxFragment(void) -{ - EXPECT_DECLS; -#if defined(HAVE_MAX_FRAGMENT) && !defined(NO_CERTS) && \ - !defined(NO_FILESYSTEM) && !defined(NO_RSA) - -#if !defined(NO_TLS) && \ - (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) - #ifndef NO_WOLFSSL_SERVER - WOLFSSL_CTX* ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()); - #else - WOLFSSL_CTX* ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()); - #endif - WOLFSSL *ssl = NULL; - #ifdef OPENSSL_EXTRA - int (*UseMaxFragment)(SSL *s, unsigned char mode); - int (*CTX_UseMaxFragment)(SSL_CTX *c, unsigned char mode); - #else - int (*UseMaxFragment)(WOLFSSL *s, unsigned char mode); - int (*CTX_UseMaxFragment)(WOLFSSL_CTX *c, unsigned char mode); - #endif - - #ifndef NO_WOLFSSL_SERVER - ExpectTrue(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile, WOLFSSL_FILETYPE_PEM)); - ExpectTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, WOLFSSL_FILETYPE_PEM)); - #endif - - ExpectNotNull(ctx); - - ExpectNotNull(ssl = wolfSSL_new(ctx)); - - #ifdef OPENSSL_EXTRA - CTX_UseMaxFragment = SSL_CTX_set_tlsext_max_fragment_length; - UseMaxFragment = SSL_set_tlsext_max_fragment_length; - #else - UseMaxFragment = wolfSSL_UseMaxFragment; - CTX_UseMaxFragment = wolfSSL_CTX_UseMaxFragment; - #endif - - /* error cases */ - ExpectIntNE(WOLFSSL_SUCCESS, CTX_UseMaxFragment(NULL, WOLFSSL_MFL_2_9)); - ExpectIntNE(WOLFSSL_SUCCESS, UseMaxFragment( NULL, WOLFSSL_MFL_2_9)); - ExpectIntNE(WOLFSSL_SUCCESS, CTX_UseMaxFragment(ctx, WOLFSSL_MFL_MIN-1)); - ExpectIntNE(WOLFSSL_SUCCESS, CTX_UseMaxFragment(ctx, WOLFSSL_MFL_MAX+1)); - ExpectIntNE(WOLFSSL_SUCCESS, UseMaxFragment(ssl, WOLFSSL_MFL_MIN-1)); - ExpectIntNE(WOLFSSL_SUCCESS, UseMaxFragment(ssl, WOLFSSL_MFL_MAX+1)); - - /* success case */ - #ifdef OPENSSL_EXTRA - ExpectIntEQ(WC_NO_ERR_TRACE(BAD_FUNC_ARG), CTX_UseMaxFragment(ctx, WOLFSSL_MFL_2_8)); - #else - ExpectIntEQ(WOLFSSL_SUCCESS, CTX_UseMaxFragment(ctx, WOLFSSL_MFL_2_8)); - #endif - ExpectIntEQ(WOLFSSL_SUCCESS, CTX_UseMaxFragment(ctx, WOLFSSL_MFL_2_9)); - ExpectIntEQ(WOLFSSL_SUCCESS, CTX_UseMaxFragment(ctx, WOLFSSL_MFL_2_10)); - ExpectIntEQ(WOLFSSL_SUCCESS, CTX_UseMaxFragment(ctx, WOLFSSL_MFL_2_11)); - ExpectIntEQ(WOLFSSL_SUCCESS, CTX_UseMaxFragment(ctx, WOLFSSL_MFL_2_12)); - #ifdef OPENSSL_EXTRA - ExpectIntEQ(WC_NO_ERR_TRACE(BAD_FUNC_ARG), CTX_UseMaxFragment(ctx, WOLFSSL_MFL_2_13)); - - ExpectIntEQ(WC_NO_ERR_TRACE(BAD_FUNC_ARG), UseMaxFragment( ssl, WOLFSSL_MFL_2_8)); - #else - ExpectIntEQ(WOLFSSL_SUCCESS, CTX_UseMaxFragment(ctx, WOLFSSL_MFL_2_13)); - - ExpectIntEQ(WOLFSSL_SUCCESS, UseMaxFragment( ssl, WOLFSSL_MFL_2_8)); - #endif - ExpectIntEQ(WOLFSSL_SUCCESS, UseMaxFragment( ssl, WOLFSSL_MFL_2_9)); - ExpectIntEQ(WOLFSSL_SUCCESS, UseMaxFragment( ssl, WOLFSSL_MFL_2_10)); - ExpectIntEQ(WOLFSSL_SUCCESS, UseMaxFragment( ssl, WOLFSSL_MFL_2_11)); - ExpectIntEQ(WOLFSSL_SUCCESS, UseMaxFragment( ssl, WOLFSSL_MFL_2_12)); - - #ifdef OPENSSL_EXTRA - ExpectIntEQ(WC_NO_ERR_TRACE(BAD_FUNC_ARG), UseMaxFragment( ssl, WOLFSSL_MFL_2_13)); - #else - ExpectIntEQ(WOLFSSL_SUCCESS, UseMaxFragment( ssl, WOLFSSL_MFL_2_13)); - #endif - - wolfSSL_free(ssl); - wolfSSL_CTX_free(ctx); - -#if defined(OPENSSL_EXTRA) && defined(HAVE_MAX_FRAGMENT) && \ - defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) - /* check negotiated max fragment size */ - { - WOLFSSL *ssl_c = NULL; - WOLFSSL *ssl_s = NULL; - struct test_memio_ctx test_ctx; - WOLFSSL_CTX *ctx_c = NULL; - WOLFSSL_CTX *ctx_s = NULL; - - XMEMSET(&test_ctx, 0, sizeof(test_ctx)); - ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s, - wolfTLSv1_2_client_method, wolfTLSv1_2_server_method), 0); - ExpectIntEQ(wolfSSL_UseMaxFragment(ssl_c, WOLFSSL_MFL_2_8), - WOLFSSL_SUCCESS); - ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0); -#ifndef NO_SESSION_CACHE - ExpectIntEQ(SSL_SESSION_get_max_fragment_length( - wolfSSL_get_session(ssl_c)), WOLFSSL_MFL_2_8); -#endif - - wolfSSL_free(ssl_c); - wolfSSL_free(ssl_s); - wolfSSL_CTX_free(ctx_c); - wolfSSL_CTX_free(ctx_s); - } -#endif -#endif /* !NO_TLS && (!NO_WOLFSSL_CLIENT || !NO_WOLFSSL_SERVER) */ -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_UseTruncatedHMAC(void) -{ - EXPECT_DECLS; -#if defined(HAVE_TRUNCATED_HMAC) && !defined(NO_CERTS) && !defined(NO_TLS) && \ - !defined(NO_FILESYSTEM) && !defined(NO_RSA) -#if !defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER) - #ifndef NO_WOLFSSL_SERVER - WOLFSSL_CTX* ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()); - #else - WOLFSSL_CTX* ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()); - #endif - WOLFSSL *ssl = NULL; - - ExpectNotNull(ctx); - - #ifndef NO_WOLFSSL_SERVER - ExpectTrue(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile, WOLFSSL_FILETYPE_PEM)); - ExpectTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, WOLFSSL_FILETYPE_PEM)); - #endif - - ExpectNotNull(ssl = wolfSSL_new(ctx)); - - /* error cases */ - ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_UseTruncatedHMAC(NULL)); - ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_UseTruncatedHMAC(NULL)); - - /* success case */ - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_UseTruncatedHMAC(ctx)); - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_UseTruncatedHMAC(ssl)); - - wolfSSL_free(ssl); - wolfSSL_CTX_free(ctx); -#endif /* !NO_WOLFSSL_CLIENT || !NO_WOLFSSL_SERVER */ -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_UseSupportedCurve(void) -{ - EXPECT_DECLS; -#if defined(HAVE_SUPPORTED_CURVES) && !defined(NO_WOLFSSL_CLIENT) && \ - !defined(NO_TLS) - WOLFSSL_CTX* ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()); - WOLFSSL *ssl = wolfSSL_new(ctx); - - ExpectNotNull(ctx); - ExpectNotNull(ssl); - - /* error cases */ - ExpectIntNE(WOLFSSL_SUCCESS, - wolfSSL_CTX_UseSupportedCurve(NULL, WOLFSSL_ECC_SECP256R1)); - ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_UseSupportedCurve(ctx, 0)); - - ExpectIntNE(WOLFSSL_SUCCESS, - wolfSSL_UseSupportedCurve(NULL, WOLFSSL_ECC_SECP256R1)); - ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_UseSupportedCurve(ssl, 0)); - - /* success case */ - ExpectIntEQ(WOLFSSL_SUCCESS, - wolfSSL_CTX_UseSupportedCurve(ctx, WOLFSSL_ECC_SECP256R1)); - ExpectIntEQ(WOLFSSL_SUCCESS, - wolfSSL_UseSupportedCurve(ssl, WOLFSSL_ECC_SECP256R1)); - - wolfSSL_free(ssl); - wolfSSL_CTX_free(ctx); -#endif - - return EXPECT_RESULT(); -} - -#if defined(HAVE_ALPN) && defined(HAVE_IO_TESTS_DEPENDENCIES) - -static void verify_ALPN_FATAL_ERROR_on_client(WOLFSSL* ssl) -{ - AssertIntEQ(WC_NO_ERR_TRACE(UNKNOWN_ALPN_PROTOCOL_NAME_E), wolfSSL_get_error(ssl, 0)); -} - -static void use_ALPN_all(WOLFSSL* ssl) -{ - /* http/1.1,spdy/1,spdy/2,spdy/3 */ - char alpn_list[] = {0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31, 0x2c, - 0x73, 0x70, 0x64, 0x79, 0x2f, 0x31, 0x2c, - 0x73, 0x70, 0x64, 0x79, 0x2f, 0x32, 0x2c, - 0x73, 0x70, 0x64, 0x79, 0x2f, 0x33}; - AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_UseALPN(ssl, alpn_list, sizeof(alpn_list), - WOLFSSL_ALPN_FAILED_ON_MISMATCH)); -} - -static void use_ALPN_all_continue(WOLFSSL* ssl) -{ - /* http/1.1,spdy/1,spdy/2,spdy/3 */ - char alpn_list[] = {0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31, 0x2c, - 0x73, 0x70, 0x64, 0x79, 0x2f, 0x31, 0x2c, - 0x73, 0x70, 0x64, 0x79, 0x2f, 0x32, 0x2c, - 0x73, 0x70, 0x64, 0x79, 0x2f, 0x33}; - AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_UseALPN(ssl, alpn_list, sizeof(alpn_list), - WOLFSSL_ALPN_CONTINUE_ON_MISMATCH)); -} - -static void use_ALPN_one(WOLFSSL* ssl) -{ - /* spdy/2 */ - char proto[] = {0x73, 0x70, 0x64, 0x79, 0x2f, 0x32}; - - AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_UseALPN(ssl, proto, sizeof(proto), - WOLFSSL_ALPN_FAILED_ON_MISMATCH)); -} - -static void use_ALPN_unknown(WOLFSSL* ssl) -{ - /* http/2.0 */ - char proto[] = {0x68, 0x74, 0x74, 0x70, 0x2f, 0x32, 0x2e, 0x30}; - - AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_UseALPN(ssl, proto, sizeof(proto), - WOLFSSL_ALPN_FAILED_ON_MISMATCH)); -} - -static void use_ALPN_unknown_continue(WOLFSSL* ssl) -{ - /* http/2.0 */ - char proto[] = {0x68, 0x74, 0x74, 0x70, 0x2f, 0x32, 0x2e, 0x30}; - - AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_UseALPN(ssl, proto, sizeof(proto), - WOLFSSL_ALPN_CONTINUE_ON_MISMATCH)); -} - -static void verify_ALPN_not_matching_spdy3(WOLFSSL* ssl) -{ - /* spdy/3 */ - char nego_proto[] = {0x73, 0x70, 0x64, 0x79, 0x2f, 0x33}; - - char *proto = NULL; - word16 protoSz = 0; - - AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_ALPN_GetProtocol(ssl, &proto, &protoSz)); - - /* check value */ - AssertIntNE(1, sizeof(nego_proto) == protoSz); - if (proto) { - AssertIntNE(0, XMEMCMP(nego_proto, proto, sizeof(nego_proto))); - } -} - -static void verify_ALPN_not_matching_continue(WOLFSSL* ssl) -{ - char *proto = NULL; - word16 protoSz = 0; - - AssertIntEQ(WC_NO_ERR_TRACE(WOLFSSL_ALPN_NOT_FOUND), - wolfSSL_ALPN_GetProtocol(ssl, &proto, &protoSz)); - - /* check value */ - AssertIntEQ(1, (0 == protoSz)); - AssertIntEQ(1, (NULL == proto)); -} - -static void verify_ALPN_matching_http1(WOLFSSL* ssl) -{ - /* http/1.1 */ - char nego_proto[] = {0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31}; - char *proto; - word16 protoSz = 0; - - AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_ALPN_GetProtocol(ssl, &proto, &protoSz)); - - /* check value */ - AssertIntEQ(1, sizeof(nego_proto) == protoSz); - AssertIntEQ(0, XMEMCMP(nego_proto, proto, protoSz)); -} - -static void verify_ALPN_matching_spdy2(WOLFSSL* ssl) -{ - /* spdy/2 */ - char nego_proto[] = {0x73, 0x70, 0x64, 0x79, 0x2f, 0x32}; - char *proto; - word16 protoSz = 0; - - AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_ALPN_GetProtocol(ssl, &proto, &protoSz)); - - /* check value */ - AssertIntEQ(1, sizeof(nego_proto) == protoSz); - AssertIntEQ(0, XMEMCMP(nego_proto, proto, protoSz)); -} - -static void verify_ALPN_client_list(WOLFSSL* ssl) -{ - /* http/1.1,spdy/1,spdy/2,spdy/3 */ - char alpn_list[] = {0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31, 0x2c, - 0x73, 0x70, 0x64, 0x79, 0x2f, 0x31, 0x2c, - 0x73, 0x70, 0x64, 0x79, 0x2f, 0x32, 0x2c, - 0x73, 0x70, 0x64, 0x79, 0x2f, 0x33}; - char *clist = NULL; - word16 clistSz = 0; - - AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_ALPN_GetPeerProtocol(ssl, &clist, - &clistSz)); - - /* check value */ - AssertIntEQ(1, sizeof(alpn_list) == clistSz); - AssertIntEQ(0, XMEMCMP(alpn_list, clist, clistSz)); - - AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_ALPN_FreePeerProtocol(ssl, &clist)); -} - -#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || \ - defined(WOLFSSL_HAPROXY) || defined(HAVE_LIGHTY) - -/* ALPN select callback, success with spdy/2 */ -static int select_ALPN_spdy2(WOLFSSL *ssl, const unsigned char **out, - unsigned char *outlen, const unsigned char *in, - unsigned int inlen, void *arg) -{ - /* spdy/2 */ - const char proto[] = {0x73, 0x70, 0x64, 0x79, 0x2f, 0x32}; - - (void)ssl; - (void)arg; - - /* adding +1 since LEN byte comes first */ - if (inlen < sizeof(proto) + 1) { - return SSL_TLSEXT_ERR_ALERT_FATAL; - } - - if (XMEMCMP(in + 1, proto, sizeof(proto)) == 0) { - *out = in + 1; - *outlen = (unsigned char)sizeof(proto); - return SSL_TLSEXT_ERR_OK; - } - - return SSL_TLSEXT_ERR_ALERT_FATAL; -} - -/* ALPN select callback, force failure */ -static int select_ALPN_failure(WOLFSSL *ssl, const unsigned char **out, - unsigned char *outlen, const unsigned char *in, - unsigned int inlen, void *arg) -{ - (void)ssl; - (void)out; - (void)outlen; - (void)in; - (void)inlen; - (void)arg; - - return SSL_TLSEXT_ERR_ALERT_FATAL; -} - -static void use_ALPN_spdy2_callback(WOLFSSL* ssl) -{ - wolfSSL_set_alpn_select_cb(ssl, select_ALPN_spdy2, NULL); -} - -static void use_ALPN_failure_callback(WOLFSSL* ssl) -{ - wolfSSL_set_alpn_select_cb(ssl, select_ALPN_failure, NULL); -} -#endif /* OPENSSL_ALL | NGINX | HAPROXY | LIGHTY | QUIC */ - -static int test_wolfSSL_UseALPN_connection(void) -{ - int res = TEST_SKIPPED; -#if !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) - callback_functions client_cb; - callback_functions server_cb; - - XMEMSET(&client_cb, 0, sizeof(callback_functions)); - XMEMSET(&server_cb, 0, sizeof(callback_functions)); - client_cb.method = wolfSSLv23_client_method; - server_cb.method = wolfSSLv23_server_method; - client_cb.devId = testDevId; - server_cb.devId = testDevId; - - /* success case same list */ - client_cb.ctx_ready = NULL; client_cb.ssl_ready = use_ALPN_all; client_cb.on_result = NULL; - server_cb.ctx_ready = NULL; server_cb.ssl_ready = use_ALPN_all; server_cb.on_result = verify_ALPN_matching_http1; - test_wolfSSL_client_server(&client_cb, &server_cb); - - /* success case only one for server */ - client_cb.ctx_ready = NULL; client_cb.ssl_ready = use_ALPN_all; client_cb.on_result = NULL; - server_cb.ctx_ready = NULL; server_cb.ssl_ready = use_ALPN_one; server_cb.on_result = verify_ALPN_matching_spdy2; - test_wolfSSL_client_server(&client_cb, &server_cb); - - /* success case only one for client */ - client_cb.ctx_ready = NULL; client_cb.ssl_ready = use_ALPN_one; client_cb.on_result = NULL; - server_cb.ctx_ready = NULL; server_cb.ssl_ready = use_ALPN_all; server_cb.on_result = verify_ALPN_matching_spdy2; - test_wolfSSL_client_server(&client_cb, &server_cb); - - /* success case none for client */ - client_cb.ctx_ready = NULL; client_cb.ssl_ready = NULL; client_cb.on_result = NULL; - server_cb.ctx_ready = NULL; server_cb.ssl_ready = use_ALPN_all; server_cb.on_result = NULL; - test_wolfSSL_client_server(&client_cb, &server_cb); - - /* success case mismatch behavior but option 'continue' set */ - client_cb.ctx_ready = NULL; client_cb.ssl_ready = use_ALPN_all_continue; client_cb.on_result = verify_ALPN_not_matching_continue; - server_cb.ctx_ready = NULL; server_cb.ssl_ready = use_ALPN_unknown_continue; server_cb.on_result = NULL; - test_wolfSSL_client_server(&client_cb, &server_cb); - - /* success case read protocol send by client */ - client_cb.ctx_ready = NULL; client_cb.ssl_ready = use_ALPN_all; client_cb.on_result = NULL; - server_cb.ctx_ready = NULL; server_cb.ssl_ready = use_ALPN_one; server_cb.on_result = verify_ALPN_client_list; - test_wolfSSL_client_server(&client_cb, &server_cb); - - /* mismatch behavior with same list - * the first and only this one must be taken */ - client_cb.ctx_ready = NULL; client_cb.ssl_ready = use_ALPN_all; client_cb.on_result = NULL; - server_cb.ctx_ready = NULL; server_cb.ssl_ready = use_ALPN_all; server_cb.on_result = verify_ALPN_not_matching_spdy3; - test_wolfSSL_client_server(&client_cb, &server_cb); - - /* default mismatch behavior */ - client_cb.ctx_ready = NULL; client_cb.ssl_ready = use_ALPN_all; client_cb.on_result = NULL; - server_cb.ctx_ready = NULL; server_cb.ssl_ready = use_ALPN_unknown; server_cb.on_result = verify_ALPN_FATAL_ERROR_on_client; - test_wolfSSL_client_server(&client_cb, &server_cb); - -#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || \ - defined(WOLFSSL_HAPROXY) || defined(HAVE_LIGHTY) - - /* WOLFSSL-level ALPN select callback tests */ - /* Callback: success (one protocol, spdy/2) */ - client_cb.ctx_ready = NULL; - client_cb.ssl_ready = use_ALPN_one; - client_cb.on_result = verify_ALPN_matching_spdy2; - server_cb.ctx_ready = NULL; - server_cb.ssl_ready = use_ALPN_spdy2_callback; - server_cb.on_result = verify_ALPN_matching_spdy2; - test_wolfSSL_client_server(&client_cb, &server_cb); - - /* Callback: failure (one client protocol, spdy/2) */ - client_cb.ctx_ready = NULL; - client_cb.ssl_ready = use_ALPN_one; - client_cb.on_result = NULL; - server_cb.ctx_ready = NULL; - server_cb.ssl_ready = use_ALPN_failure_callback; - server_cb.on_result = verify_ALPN_FATAL_ERROR_on_client; - test_wolfSSL_client_server(&client_cb, &server_cb); - -#endif /* OPENSSL_ALL | NGINX | HAPROXY | LIGHTY */ - - res = TEST_RES_CHECK(1); -#endif /* !NO_WOLFSSL_CLIENT && !NO_WOLFSSL_SERVER */ - return res; -} - -static int test_wolfSSL_UseALPN_params(void) -{ - EXPECT_DECLS; -#ifndef NO_WOLFSSL_CLIENT - /* "http/1.1" */ - char http1[] = {0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31}; - /* "spdy/1" */ - char spdy1[] = {0x73, 0x70, 0x64, 0x79, 0x2f, 0x31}; - /* "spdy/2" */ - char spdy2[] = {0x73, 0x70, 0x64, 0x79, 0x2f, 0x32}; - /* "spdy/3" */ - char spdy3[] = {0x73, 0x70, 0x64, 0x79, 0x2f, 0x33}; - char buff[256]; - word32 idx; - - WOLFSSL_CTX *ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()); - WOLFSSL *ssl = wolfSSL_new(ctx); - - ExpectNotNull(ctx); - ExpectNotNull(ssl); - - /* error cases */ - ExpectIntNE(WOLFSSL_SUCCESS, - wolfSSL_UseALPN(NULL, http1, sizeof(http1), - WOLFSSL_ALPN_FAILED_ON_MISMATCH)); - ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_UseALPN(ssl, NULL, 0, - WOLFSSL_ALPN_FAILED_ON_MISMATCH)); - - /* success case */ - /* http1 only */ - ExpectIntEQ(WOLFSSL_SUCCESS, - wolfSSL_UseALPN(ssl, http1, sizeof(http1), - WOLFSSL_ALPN_FAILED_ON_MISMATCH)); - - /* http1, spdy1 */ - XMEMCPY(buff, http1, sizeof(http1)); - idx = sizeof(http1); - buff[idx++] = ','; - XMEMCPY(buff+idx, spdy1, sizeof(spdy1)); - idx += sizeof(spdy1); - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_UseALPN(ssl, buff, idx, - WOLFSSL_ALPN_FAILED_ON_MISMATCH)); - - /* http1, spdy2, spdy1 */ - XMEMCPY(buff, http1, sizeof(http1)); - idx = sizeof(http1); - buff[idx++] = ','; - XMEMCPY(buff+idx, spdy2, sizeof(spdy2)); - idx += sizeof(spdy2); - buff[idx++] = ','; - XMEMCPY(buff+idx, spdy1, sizeof(spdy1)); - idx += sizeof(spdy1); - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_UseALPN(ssl, buff, idx, - WOLFSSL_ALPN_FAILED_ON_MISMATCH)); - - /* spdy3, http1, spdy2, spdy1 */ - XMEMCPY(buff, spdy3, sizeof(spdy3)); - idx = sizeof(spdy3); - buff[idx++] = ','; - XMEMCPY(buff+idx, http1, sizeof(http1)); - idx += sizeof(http1); - buff[idx++] = ','; - XMEMCPY(buff+idx, spdy2, sizeof(spdy2)); - idx += sizeof(spdy2); - buff[idx++] = ','; - XMEMCPY(buff+idx, spdy1, sizeof(spdy1)); - idx += sizeof(spdy1); - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_UseALPN(ssl, buff, idx, - WOLFSSL_ALPN_CONTINUE_ON_MISMATCH)); - - wolfSSL_free(ssl); - wolfSSL_CTX_free(ctx); -#endif - return EXPECT_RESULT(); -} -#endif /* HAVE_ALPN */ - -#ifdef HAVE_ALPN_PROTOS_SUPPORT -static void CTX_set_alpn_protos(SSL_CTX *ctx) -{ - unsigned char p[] = { - 8, 'h', 't', 't', 'p', '/', '1', '.', '1', - 6, 's', 'p', 'd', 'y', '/', '2', - 6, 's', 'p', 'd', 'y', '/', '1', - }; - - unsigned char p_len = sizeof(p); - int ret; - - ret = SSL_CTX_set_alpn_protos(ctx, p, p_len); - -#ifdef WOLFSSL_ERROR_CODE_OPENSSL - AssertIntEQ(ret, 0); -#else - AssertIntEQ(ret, SSL_SUCCESS); -#endif -} - -static void set_alpn_protos(SSL* ssl) -{ - unsigned char p[] = { - 6, 's', 'p', 'd', 'y', '/', '3', - 8, 'h', 't', 't', 'p', '/', '1', '.', '1', - 6, 's', 'p', 'd', 'y', '/', '2', - 6, 's', 'p', 'd', 'y', '/', '1', - }; - - unsigned char p_len = sizeof(p); - int ret; - - ret = SSL_set_alpn_protos(ssl, p, p_len); - -#ifdef WOLFSSL_ERROR_CODE_OPENSSL - AssertIntEQ(ret, 0); -#else - AssertIntEQ(ret, SSL_SUCCESS); -#endif - -} - -static void verify_alpn_matching_spdy3(WOLFSSL* ssl) -{ - /* "spdy/3" */ - char nego_proto[] = {0x73, 0x70, 0x64, 0x79, 0x2f, 0x33}; - const unsigned char *proto; - unsigned int protoSz = 0; - - SSL_get0_alpn_selected(ssl, &proto, &protoSz); - - /* check value */ - AssertIntEQ(1, sizeof(nego_proto) == protoSz); - AssertIntEQ(0, XMEMCMP(nego_proto, proto, protoSz)); -} - -static void verify_alpn_matching_http1(WOLFSSL* ssl) -{ - /* "http/1.1" */ - char nego_proto[] = {0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31}; - const unsigned char *proto; - unsigned int protoSz = 0; - - SSL_get0_alpn_selected(ssl, &proto, &protoSz); - - /* check value */ - AssertIntEQ(1, sizeof(nego_proto) == protoSz); - AssertIntEQ(0, XMEMCMP(nego_proto, proto, protoSz)); -} - -static int test_wolfSSL_set_alpn_protos(void) -{ - int res = TEST_SKIPPED; -#if !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) - callback_functions client_cb; - callback_functions server_cb; - - XMEMSET(&client_cb, 0, sizeof(callback_functions)); - XMEMSET(&server_cb, 0, sizeof(callback_functions)); - client_cb.method = wolfSSLv23_client_method; - server_cb.method = wolfSSLv23_server_method; - client_cb.devId = testDevId; - server_cb.devId = testDevId; - - /* use CTX_alpn_protos */ - client_cb.ctx_ready = CTX_set_alpn_protos; - client_cb.ssl_ready = NULL; - client_cb.on_result = NULL; - server_cb.ctx_ready = CTX_set_alpn_protos; - server_cb.ssl_ready = NULL; - server_cb.on_result = verify_alpn_matching_http1; - test_wolfSSL_client_server(&client_cb, &server_cb); - - /* use set_alpn_protos */ - client_cb.ctx_ready = NULL; - client_cb.ssl_ready = set_alpn_protos; - client_cb.on_result = NULL; - server_cb.ctx_ready = NULL; - server_cb.ssl_ready = set_alpn_protos; - server_cb.on_result = verify_alpn_matching_spdy3; - test_wolfSSL_client_server(&client_cb, &server_cb); - - res = TEST_SUCCESS; -#endif /* !NO_WOLFSSL_CLIENT && !NO_WOLFSSL_SERVER */ - return res; -} - -#endif /* HAVE_ALPN_PROTOS_SUPPORT */ - -static int test_wolfSSL_wolfSSL_UseSecureRenegotiation(void) -{ - EXPECT_DECLS; -#if defined(HAVE_SECURE_RENEGOTIATION) && !defined(NO_WOLFSSL_CLIENT) && \ - !defined(NO_TLS) - WOLFSSL_CTX *ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()); - WOLFSSL *ssl = wolfSSL_new(ctx); - - ExpectNotNull(ctx); - ExpectNotNull(ssl); - - /* error cases */ - ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_UseSecureRenegotiation(NULL)); - ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_UseSecureRenegotiation(NULL)); - - /* success cases */ - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_UseSecureRenegotiation(ctx)); - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_UseSecureRenegotiation(ssl)); - - wolfSSL_free(ssl); - wolfSSL_CTX_free(ctx); -#endif - return EXPECT_RESULT(); -} - -/* Test reconnecting with a different ciphersuite after a renegotiation. */ -static int test_wolfSSL_SCR_Reconnect(void) -{ - EXPECT_DECLS; -#if defined(HAVE_SECURE_RENEGOTIATION) && \ - defined(BUILD_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) && \ - defined(BUILD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256) && \ - defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) - struct test_memio_ctx test_ctx; - WOLFSSL_CTX *ctx_c = NULL, *ctx_s = NULL; - WOLFSSL *ssl_c = NULL, *ssl_s = NULL; - byte data; - - XMEMSET(&test_ctx, 0, sizeof(test_ctx)); - test_ctx.c_ciphers = "ECDHE-RSA-AES256-GCM-SHA384"; - test_ctx.s_ciphers = - "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305"; - ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s, - wolfTLSv1_2_client_method, wolfTLSv1_2_server_method), 0); - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_UseSecureRenegotiation(ctx_c)); - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_UseSecureRenegotiation(ctx_s)); - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_UseSecureRenegotiation(ssl_c)); - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_UseSecureRenegotiation(ssl_s)); - ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0); - /* WOLFSSL_FATAL_ERROR since it will block */ - ExpectIntEQ(wolfSSL_Rehandshake(ssl_s), WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); - ExpectIntEQ(wolfSSL_get_error(ssl_s, WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)), - WOLFSSL_ERROR_WANT_READ); - ExpectIntEQ(wolfSSL_read(ssl_c, &data, 1), WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); - ExpectIntEQ(wolfSSL_get_error(ssl_s, WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)), - WOLFSSL_ERROR_WANT_READ); - ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0); - wolfSSL_free(ssl_c); - ssl_c = NULL; - wolfSSL_free(ssl_s); - ssl_s = NULL; - wolfSSL_CTX_free(ctx_c); - ctx_c = NULL; - test_ctx.c_ciphers = "ECDHE-RSA-CHACHA20-POLY1305"; - ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s, - wolfTLSv1_2_client_method, wolfTLSv1_2_server_method), 0); - ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0); - wolfSSL_free(ssl_s); - wolfSSL_free(ssl_c); - wolfSSL_CTX_free(ctx_s); - wolfSSL_CTX_free(ctx_c); -#endif - return EXPECT_RESULT(); -} - -#if !defined(NO_WOLFSSL_SERVER) && !defined(NO_TLS) && \ - !defined(NO_FILESYSTEM) && (!defined(NO_RSA) || defined(HAVE_ECC)) -/* Called when writing. */ -static int DummySend(WOLFSSL* ssl, char* buf, int sz, void* ctx) -{ - (void)ssl; - (void)buf; - (void)sz; - (void)ctx; - - /* Force error return from wolfSSL_accept_TLSv13(). */ - return WANT_WRITE; -} -/* Called when reading. */ -static int BufferInfoRecv(WOLFSSL* ssl, char* buf, int sz, void* ctx) -{ - WOLFSSL_BUFFER_INFO* msg = (WOLFSSL_BUFFER_INFO*)ctx; - int len = (int)msg->length; - - (void)ssl; - (void)sz; - - /* Pass back as much of message as will fit in buffer. */ - if (len > sz) - len = sz; - XMEMCPY(buf, msg->buffer, len); - /* Move over returned data. */ - msg->buffer += len; - msg->length -= (word32)len; - - /* Amount actually copied. */ - return len; -} -#endif - -/* Test the detection of duplicate known TLS extensions. - * Specifically in a ClientHello. - */ -static int test_tls_ext_duplicate(void) -{ - EXPECT_DECLS; -#if !defined(NO_WOLFSSL_SERVER) && !defined(NO_TLS) && \ - !defined(NO_FILESYSTEM) && (!defined(NO_RSA) || defined(HAVE_ECC)) - const unsigned char clientHelloDupTlsExt[] = { - 0x16, 0x03, 0x03, 0x00, 0x6a, 0x01, 0x00, 0x00, - 0x66, 0x03, 0x03, 0xf4, 0x65, 0xbd, 0x22, 0xfe, - 0x6e, 0xab, 0x66, 0xdd, 0xcf, 0xe9, 0x65, 0x55, - 0xe8, 0xdf, 0xc3, 0x8e, 0x4b, 0x00, 0xbc, 0xf8, - 0x23, 0x57, 0x1b, 0xa0, 0xc8, 0xa9, 0xe2, 0x8c, - 0x91, 0x6e, 0xf9, 0x20, 0xf7, 0x5c, 0xc5, 0x5b, - 0x75, 0x8c, 0x47, 0x0a, 0x0e, 0xc4, 0x1a, 0xda, - 0xef, 0x75, 0xe5, 0x21, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x13, 0x01, - 0x00, 0x9e, 0x01, 0x00, - /* Extensions - duplicate signature algorithms. */ - 0x00, 0x19, 0x00, 0x0d, - 0x00, 0x04, 0x00, 0x02, 0x04, 0x01, 0x00, 0x0d, - 0x00, 0x04, 0x00, 0x02, 0x04, 0x01, - /* Supported Versions extension for TLS 1.3. */ - 0x00, 0x2b, - 0x00, 0x05, 0x04, 0x03, 0x04, 0x03, 0x03 - }; - WOLFSSL_BUFFER_INFO msg; - const char* testCertFile; - const char* testKeyFile; - WOLFSSL_CTX *ctx = NULL; - WOLFSSL *ssl = NULL; - -#ifndef NO_RSA - testCertFile = svrCertFile; - testKeyFile = svrKeyFile; -#elif defined(HAVE_ECC) - testCertFile = eccCertFile; - testKeyFile = eccKeyFile; -#endif - - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); - - ExpectTrue(wolfSSL_CTX_use_certificate_file(ctx, testCertFile, - CERT_FILETYPE)); - ExpectTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, testKeyFile, - CERT_FILETYPE)); - - /* Read from 'msg'. */ - wolfSSL_SetIORecv(ctx, BufferInfoRecv); - /* No where to send to - dummy sender. */ - wolfSSL_SetIOSend(ctx, DummySend); - - ssl = wolfSSL_new(ctx); - ExpectNotNull(ssl); - - msg.buffer = (unsigned char*)clientHelloDupTlsExt; - msg.length = (unsigned int)sizeof(clientHelloDupTlsExt); - wolfSSL_SetIOReadCtx(ssl, &msg); - - ExpectIntNE(wolfSSL_accept(ssl), WOLFSSL_SUCCESS); - /* can return duplicate ext error or socket error if the peer closed down - * while sending alert */ - if (wolfSSL_get_error(ssl, 0) != WC_NO_ERR_TRACE(SOCKET_ERROR_E)) { - ExpectIntEQ(wolfSSL_get_error(ssl, 0), WC_NO_ERR_TRACE(DUPLICATE_TLS_EXT_E)); - } - - wolfSSL_free(ssl); - wolfSSL_CTX_free(ctx); -#endif - return EXPECT_RESULT(); -} - - -/* Test TLS connection abort when legacy version field indicates TLS 1.3 or - * higher. Based on test_tls_ext_duplicate() but with legacy version modified - * to 0x0304. - */ -static int test_tls_bad_legacy_version(void) -{ - EXPECT_DECLS; -#if defined(WOLFSSL_TLS13) && !defined(WOLFSSL_ALLOW_BAD_TLS_LEGACY_VERSION) -#if !defined(NO_WOLFSSL_SERVER) && !defined(NO_TLS) && \ - !defined(NO_FILESYSTEM) && (!defined(NO_RSA) || defined(HAVE_ECC)) - /* This buffer (prior to Extensions) is exactly the same as the buffer in - * test_tls_ext_duplicate() except the 11th byte is set to 0x04. That - * change means the legacy protocol version field is invalid. That will be - * caught before the dulplicate signature algorithms extension. */ - const unsigned char clientHelloBadLegacyVersion[] = { - 0x16, 0x03, 0x03, 0x00, 0x6a, 0x01, 0x00, 0x00, - 0x66, 0x03, 0x04, 0xf4, 0x65, 0xbd, 0x22, 0xfe, - 0x6e, 0xab, 0x66, 0xdd, 0xcf, 0xe9, 0x65, 0x55, - 0xe8, 0xdf, 0xc3, 0x8e, 0x4b, 0x00, 0xbc, 0xf8, - 0x23, 0x57, 0x1b, 0xa0, 0xc8, 0xa9, 0xe2, 0x8c, - 0x91, 0x6e, 0xf9, 0x20, 0xf7, 0x5c, 0xc5, 0x5b, - 0x75, 0x8c, 0x47, 0x0a, 0x0e, 0xc4, 0x1a, 0xda, - 0xef, 0x75, 0xe5, 0x21, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x13, 0x01, - 0x00, 0x9e, 0x01, 0x00, - /* Extensions */ - 0x00, 0x19, 0x00, 0x0d, - 0x00, 0x04, 0x00, 0x02, 0x04, 0x01, 0x00, 0x15, - 0x00, 0x04, 0x00, 0x02, 0x04, 0x01, - /* Supported Versions extension for TLS 1.3. */ - 0x00, 0x2b, - 0x00, 0x05, 0x04, 0x03, 0x04, 0x03, 0x03 - }; - - WOLFSSL_BUFFER_INFO msg; - const char* testCertFile; - const char* testKeyFile; - WOLFSSL_CTX *ctx = NULL; - WOLFSSL *ssl = NULL; - -#ifndef NO_RSA - testCertFile = svrCertFile; - testKeyFile = svrKeyFile; -#elif defined(HAVE_ECC) - testCertFile = eccCertFile; - testKeyFile = eccKeyFile; -#endif - - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); - - ExpectTrue(wolfSSL_CTX_use_certificate_file(ctx, testCertFile, - CERT_FILETYPE)); - ExpectTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, testKeyFile, - CERT_FILETYPE)); - - /* Read from 'msg'. */ - wolfSSL_SetIORecv(ctx, BufferInfoRecv); - /* No where to send to - dummy sender. */ - wolfSSL_SetIOSend(ctx, DummySend); - - ssl = wolfSSL_new(ctx); - ExpectNotNull(ssl); - - msg.buffer = (unsigned char*)clientHelloBadLegacyVersion; - msg.length = (unsigned int)sizeof(clientHelloBadLegacyVersion); - wolfSSL_SetIOReadCtx(ssl, &msg); - - ExpectIntNE(wolfSSL_accept(ssl), WOLFSSL_SUCCESS); - /* Connection should fail due to bad legacy version field. When that - * happens the return code is VERSION_ERROR but that gets transformed into - * SOCKET_ERROR_E. */ - ExpectIntEQ(wolfSSL_get_error(ssl, 0), WC_NO_ERR_TRACE(SOCKET_ERROR_E)); - - wolfSSL_free(ssl); - wolfSSL_CTX_free(ctx); -#endif -#endif - return EXPECT_RESULT(); -} -/*----------------------------------------------------------------------------* - | X509 Tests - *----------------------------------------------------------------------------*/ - -/* Testing functions dealing with PKCS12 parsing out X509 certs */ -static int test_wolfSSL_PKCS12(void) -{ - EXPECT_DECLS; - /* .p12 file is encrypted with DES3 */ -#ifndef HAVE_FIPS /* Password used in cert "wolfSSL test" is only 12-bytes - * (96-bit) FIPS mode requires Minimum of 14-byte (112-bit) - * Password Key - */ -#if defined(OPENSSL_EXTRA) && !defined(NO_DES3) && !defined(NO_FILESYSTEM) && \ - !defined(NO_STDIO_FILESYSTEM) && !defined(NO_TLS) && \ - !defined(NO_ASN) && !defined(NO_PWDBASED) && !defined(NO_RSA) && \ - !defined(NO_SHA) && defined(HAVE_PKCS12) && !defined(NO_BIO) && \ - defined(WOLFSSL_AES_256) - byte buf[6000]; - char file[] = "./certs/test-servercert.p12"; - char order[] = "./certs/ecc-rsa-server.p12"; -#ifdef WC_RC2 - char rc2p12[] = "./certs/test-servercert-rc2.p12"; -#endif - char pass[] = "a password"; - const char goodPsw[] = "wolfSSL test"; - const char badPsw[] = "bad"; -#ifdef HAVE_ECC - WOLFSSL_X509_NAME *subject = NULL; - WOLFSSL_X509 *x509 = NULL; -#endif - XFILE f = XBADFILE; - int bytes = 0, ret = 0, goodPswLen = 0, badPswLen = 0; - WOLFSSL_BIO *bio = NULL; - WOLFSSL_EVP_PKEY *pkey = NULL; - WC_PKCS12 *pkcs12 = NULL; - WC_PKCS12 *pkcs12_2 = NULL; - WOLFSSL_X509 *cert = NULL; - WOLFSSL_X509 *tmp = NULL; - WOLF_STACK_OF(WOLFSSL_X509) *ca = NULL; -#if (defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO) || defined(WOLFSSL_HAPROXY) \ - || defined(WOLFSSL_NGINX)) && defined(SESSION_CERTS) - WOLFSSL_CTX *ctx = NULL; - WOLFSSL *ssl = NULL; - WOLF_STACK_OF(WOLFSSL_X509) *tmp_ca = NULL; -#endif - - ExpectTrue((f = XFOPEN(file, "rb")) != XBADFILE); - ExpectIntGT(bytes = (int)XFREAD(buf, 1, sizeof(buf), f), 0); - if (f != XBADFILE) { - XFCLOSE(f); - f = XBADFILE; - } - - goodPswLen = (int)XSTRLEN(goodPsw); - badPswLen = (int)XSTRLEN(badPsw); - - ExpectNotNull(bio = wolfSSL_BIO_new(wolfSSL_BIO_s_mem())); - - ExpectIntEQ(BIO_write(bio, buf, bytes), bytes); /* d2i consumes BIO */ - ExpectNotNull(d2i_PKCS12_bio(bio, &pkcs12)); - ExpectNotNull(pkcs12); - BIO_free(bio); - bio = NULL; - - /* check verify MAC directly */ - ExpectIntEQ(ret = PKCS12_verify_mac(pkcs12, goodPsw, goodPswLen), 1); - - /* check verify MAC fail case directly */ - ExpectIntEQ(ret = PKCS12_verify_mac(pkcs12, badPsw, badPswLen), 0); - - /* check verify MAC fail case */ - ExpectIntEQ(ret = PKCS12_parse(pkcs12, "bad", &pkey, &cert, NULL), 0); - ExpectNull(pkey); - ExpectNull(cert); - - /* check parse with no extra certs kept */ - ExpectIntEQ(ret = PKCS12_parse(pkcs12, "wolfSSL test", &pkey, &cert, NULL), - 1); - ExpectNotNull(pkey); - ExpectNotNull(cert); - - wolfSSL_EVP_PKEY_free(pkey); - pkey = NULL; - wolfSSL_X509_free(cert); - cert = NULL; - - /* check parse with extra certs kept */ - ExpectIntEQ(ret = PKCS12_parse(pkcs12, "wolfSSL test", &pkey, &cert, &ca), - 1); - ExpectNotNull(pkey); - ExpectNotNull(cert); - ExpectNotNull(ca); - -#if (defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO) || defined(WOLFSSL_HAPROXY) \ - || defined(WOLFSSL_NGINX)) && defined(SESSION_CERTS) - - /* Check that SSL_CTX_set0_chain correctly sets the certChain buffer */ -#if !defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER) -#if !defined(NO_WOLFSSL_CLIENT) && defined(SESSION_CERTS) - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); -#else - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); -#endif - /* Copy stack structure */ - ExpectNotNull(tmp_ca = X509_chain_up_ref(ca)); - ExpectIntEQ(SSL_CTX_set0_chain(ctx, tmp_ca), 1); - /* CTX now owns the tmp_ca stack structure */ - tmp_ca = NULL; - ExpectIntEQ(wolfSSL_CTX_get_extra_chain_certs(ctx, &tmp_ca), 1); - ExpectNotNull(tmp_ca); - ExpectIntEQ(sk_X509_num(tmp_ca), sk_X509_num(ca)); - /* Check that the main cert is also set */ - ExpectNotNull(SSL_CTX_get0_certificate(ctx)); - ExpectNotNull(ssl = SSL_new(ctx)); - ExpectNotNull(SSL_get_certificate(ssl)); - SSL_free(ssl); - SSL_CTX_free(ctx); - ctx = NULL; -#endif -#endif /* !NO_WOLFSSL_CLIENT || !NO_WOLFSSL_SERVER */ - /* should be 2 other certs on stack */ - ExpectNotNull(tmp = sk_X509_pop(ca)); - X509_free(tmp); - ExpectNotNull(tmp = sk_X509_pop(ca)); - X509_free(tmp); - ExpectNull(sk_X509_pop(ca)); - - EVP_PKEY_free(pkey); - pkey = NULL; - X509_free(cert); - cert = NULL; - sk_X509_pop_free(ca, X509_free); - ca = NULL; - - /* check PKCS12_create */ - ExpectNull(PKCS12_create(pass, NULL, NULL, NULL, NULL, -1, -1, -1, -1,0)); - ExpectIntEQ(PKCS12_parse(pkcs12, "wolfSSL test", &pkey, &cert, &ca), - SSL_SUCCESS); - ExpectNotNull((pkcs12_2 = PKCS12_create(pass, NULL, pkey, cert, ca, - -1, -1, 100, -1, 0))); - EVP_PKEY_free(pkey); - pkey = NULL; - X509_free(cert); - cert = NULL; - sk_X509_pop_free(ca, NULL); - ca = NULL; - - ExpectIntEQ(PKCS12_parse(pkcs12_2, "a password", &pkey, &cert, &ca), - SSL_SUCCESS); - PKCS12_free(pkcs12_2); - pkcs12_2 = NULL; - ExpectNotNull((pkcs12_2 = PKCS12_create(pass, NULL, pkey, cert, ca, - NID_pbe_WithSHA1And3_Key_TripleDES_CBC, - NID_pbe_WithSHA1And3_Key_TripleDES_CBC, - 2000, 1, 0))); - EVP_PKEY_free(pkey); - pkey = NULL; - X509_free(cert); - cert = NULL; - sk_X509_pop_free(ca, NULL); - ca = NULL; - - /* convert to DER then back and parse */ - ExpectNotNull(bio = BIO_new(BIO_s_mem())); - ExpectIntEQ(i2d_PKCS12_bio(bio, pkcs12_2), SSL_SUCCESS); - PKCS12_free(pkcs12_2); - pkcs12_2 = NULL; - - ExpectNotNull(pkcs12_2 = d2i_PKCS12_bio(bio, NULL)); - BIO_free(bio); - bio = NULL; - ExpectIntEQ(PKCS12_parse(pkcs12_2, "a password", &pkey, &cert, &ca), - SSL_SUCCESS); - - /* should be 2 other certs on stack */ - ExpectNotNull(tmp = sk_X509_pop(ca)); - X509_free(tmp); - ExpectNotNull(tmp = sk_X509_pop(ca)); - X509_free(tmp); - ExpectNull(sk_X509_pop(ca)); - - -#ifndef NO_RC4 - PKCS12_free(pkcs12_2); - pkcs12_2 = NULL; - ExpectNotNull((pkcs12_2 = PKCS12_create(pass, NULL, pkey, cert, NULL, - NID_pbe_WithSHA1And128BitRC4, - NID_pbe_WithSHA1And128BitRC4, - 2000, 1, 0))); - EVP_PKEY_free(pkey); - pkey = NULL; - X509_free(cert); - cert = NULL; - sk_X509_pop_free(ca, NULL); - ca = NULL; - - ExpectIntEQ(PKCS12_parse(pkcs12_2, "a password", &pkey, &cert, &ca), - SSL_SUCCESS); - -#endif /* NO_RC4 */ - - EVP_PKEY_free(pkey); - pkey = NULL; - X509_free(cert); - cert = NULL; - PKCS12_free(pkcs12); - pkcs12 = NULL; - PKCS12_free(pkcs12_2); - pkcs12_2 = NULL; - sk_X509_pop_free(ca, NULL); - ca = NULL; - -#ifdef HAVE_ECC - /* test order of parsing */ - ExpectTrue((f = XFOPEN(order, "rb")) != XBADFILE); - ExpectIntGT(bytes = (int)XFREAD(buf, 1, sizeof(buf), f), 0); - if (f != XBADFILE) { - XFCLOSE(f); - f = XBADFILE; - } - - ExpectNotNull(bio = BIO_new_mem_buf((void*)buf, bytes)); - ExpectNotNull(pkcs12 = d2i_PKCS12_bio(bio, NULL)); - ExpectIntEQ((ret = PKCS12_parse(pkcs12, "", &pkey, &cert, &ca)), - WOLFSSL_SUCCESS); - - /* check use of pkey after parse */ -#if (defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO) || defined(WOLFSSL_HAPROXY) \ - || defined(WOLFSSL_NGINX)) && defined(SESSION_CERTS) -#if !defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER) -#if !defined(NO_WOLFSSL_CLIENT) && defined(SESSION_CERTS) - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); -#else - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); -#endif - ExpectIntEQ(SSL_CTX_use_PrivateKey(ctx, pkey), WOLFSSL_SUCCESS); - SSL_CTX_free(ctx); -#endif /* !NO_WOLFSSL_CLIENT || !NO_WOLFSSL_SERVER */ -#endif - - ExpectNotNull(pkey); - ExpectNotNull(cert); - ExpectNotNull(ca); - - /* compare subject lines of certificates */ - ExpectNotNull(subject = wolfSSL_X509_get_subject_name(cert)); - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(eccRsaCertFile, - SSL_FILETYPE_PEM)); - ExpectIntEQ(wolfSSL_X509_NAME_cmp((const WOLFSSL_X509_NAME*)subject, - (const WOLFSSL_X509_NAME*)wolfSSL_X509_get_subject_name(x509)), 0); - X509_free(x509); - x509 = NULL; - - /* test expected fail case */ - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(eccCertFile, - SSL_FILETYPE_PEM)); - ExpectIntNE(wolfSSL_X509_NAME_cmp((const WOLFSSL_X509_NAME*)subject, - (const WOLFSSL_X509_NAME*)wolfSSL_X509_get_subject_name(x509)), 0); - X509_free(x509); - x509 = NULL; - X509_free(cert); - cert = NULL; - - /* get subject line from ca stack */ - ExpectNotNull(cert = sk_X509_pop(ca)); - ExpectNotNull(subject = wolfSSL_X509_get_subject_name(cert)); - - /* compare subject from certificate in ca to expected */ - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(eccCertFile, - SSL_FILETYPE_PEM)); - ExpectIntEQ(wolfSSL_X509_NAME_cmp((const WOLFSSL_X509_NAME*)subject, - (const WOLFSSL_X509_NAME*)wolfSSL_X509_get_subject_name(x509)), 0); - - /* modify case and compare subject from certificate in ca to expected. - * The first bit of the name is: - * /C=US/ST=Washington - * So we'll change subject->name[1] to 'c' (lower case) */ - if (subject != NULL) { - subject->name[1] = 'c'; - ExpectIntEQ(wolfSSL_X509_NAME_cmp((const WOLFSSL_X509_NAME*)subject, - (const WOLFSSL_X509_NAME*)wolfSSL_X509_get_subject_name(x509)), 0); - } - - EVP_PKEY_free(pkey); - pkey = NULL; - X509_free(x509); - x509 = NULL; - X509_free(cert); - cert = NULL; - BIO_free(bio); - bio = NULL; - PKCS12_free(pkcs12); - pkcs12 = NULL; - sk_X509_pop_free(ca, NULL); /* TEST d2i_PKCS12_fp */ - ca = NULL; - - /* test order of parsing */ - ExpectTrue((f = XFOPEN(file, "rb")) != XBADFILE); - ExpectNotNull(pkcs12 = d2i_PKCS12_fp(f, NULL)); - if (f != XBADFILE) { - XFCLOSE(f); - f = XBADFILE; - } - - /* check verify MAC fail case */ - ExpectIntEQ(ret = PKCS12_parse(pkcs12, "bad", &pkey, &cert, NULL), 0); - ExpectNull(pkey); - ExpectNull(cert); - - /* check parse with no extra certs kept */ - ExpectIntEQ(ret = PKCS12_parse(pkcs12, "wolfSSL test", &pkey, &cert, NULL), - 1); - ExpectNotNull(pkey); - ExpectNotNull(cert); - - wolfSSL_EVP_PKEY_free(pkey); - pkey = NULL; - wolfSSL_X509_free(cert); - cert = NULL; - - /* check parse with extra certs kept */ - ExpectIntEQ(ret = PKCS12_parse(pkcs12, "wolfSSL test", &pkey, &cert, &ca), - 1); - ExpectNotNull(pkey); - ExpectNotNull(cert); - ExpectNotNull(ca); - - wolfSSL_EVP_PKEY_free(pkey); - pkey = NULL; - wolfSSL_X509_free(cert); - cert = NULL; - sk_X509_pop_free(ca, NULL); - ca = NULL; - - PKCS12_free(pkcs12); - pkcs12 = NULL; -#endif /* HAVE_ECC */ - -#ifdef WC_RC2 - /* test PKCS#12 with RC2 encryption */ - ExpectTrue((f = XFOPEN(rc2p12, "rb")) != XBADFILE); - ExpectIntGT(bytes = (int)XFREAD(buf, 1, sizeof(buf), f), 0); - if (f != XBADFILE) { - XFCLOSE(f); - f = XBADFILE; - } - - ExpectNotNull(bio = BIO_new_mem_buf((void*)buf, bytes)); - ExpectNotNull(pkcs12 = d2i_PKCS12_bio(bio, NULL)); - - /* check verify MAC fail case */ - ExpectIntEQ(ret = PKCS12_parse(pkcs12, "bad", &pkey, &cert, NULL), 0); - ExpectNull(pkey); - ExpectNull(cert); - - /* check parse with not extra certs kept */ - ExpectIntEQ(ret = PKCS12_parse(pkcs12, "wolfSSL test", &pkey, &cert, NULL), - WOLFSSL_SUCCESS); - ExpectNotNull(pkey); - ExpectNotNull(cert); - - wolfSSL_EVP_PKEY_free(pkey); - pkey = NULL; - wolfSSL_X509_free(cert); - cert = NULL; - - /* check parse with extra certs kept */ - ExpectIntEQ(ret = PKCS12_parse(pkcs12, "wolfSSL test", &pkey, &cert, &ca), - WOLFSSL_SUCCESS); - ExpectNotNull(pkey); - ExpectNotNull(cert); - ExpectNotNull(ca); - - wolfSSL_EVP_PKEY_free(pkey); - wolfSSL_X509_free(cert); - sk_X509_pop_free(ca, NULL); - - BIO_free(bio); - bio = NULL; - PKCS12_free(pkcs12); - pkcs12 = NULL; -#endif /* WC_RC2 */ - - /* Test i2d_PKCS12_bio */ - ExpectTrue((f = XFOPEN(file, "rb")) != XBADFILE); - ExpectNotNull(pkcs12 = d2i_PKCS12_fp(f, NULL)); - if (f != XBADFILE) - XFCLOSE(f); - - ExpectNotNull(bio = BIO_new(BIO_s_mem())); - - ExpectIntEQ(ret = i2d_PKCS12_bio(bio, pkcs12), 1); - - ExpectIntEQ(ret = i2d_PKCS12_bio(NULL, pkcs12), 0); - - ExpectIntEQ(ret = i2d_PKCS12_bio(bio, NULL), 0); - - PKCS12_free(pkcs12); - BIO_free(bio); - - (void)order; -#endif /* OPENSSL_EXTRA */ -#endif /* HAVE_FIPS */ - return EXPECT_RESULT(); -} - - -#if !defined(NO_FILESYSTEM) && !defined(NO_ASN) && defined(HAVE_PKCS8) && \ - defined(WOLFSSL_ENCRYPTED_KEYS) && !defined(NO_DES3) && !defined(NO_PWDBASED) && \ - (!defined(NO_RSA) || defined(HAVE_ECC)) && !defined(NO_MD5) - #define TEST_PKCS8_ENC -#endif - -#if !defined(NO_FILESYSTEM) && !defined(NO_ASN) && defined(HAVE_PKCS8) && \ - defined(HAVE_ECC) && defined(WOLFSSL_ENCRYPTED_KEYS) && !defined(NO_TLS) - -/* used to keep track if FailTestCallback was called */ -static int failTestCallbackCalled = 0; - -static WC_INLINE int FailTestCallBack(char* passwd, int sz, int rw, void* userdata) -{ - (void)passwd; - (void)sz; - (void)rw; - (void)userdata; - - /* mark called, test_wolfSSL_no_password_cb() will check and fail if set */ - failTestCallbackCalled = 1; - - return -1; -} -#endif - -static int test_wolfSSL_no_password_cb(void) -{ - EXPECT_DECLS; -#if !defined(NO_FILESYSTEM) && !defined(NO_ASN) && defined(HAVE_PKCS8) && \ - defined(HAVE_ECC) && defined(WOLFSSL_ENCRYPTED_KEYS) && !defined(NO_TLS) - WOLFSSL_CTX* ctx = NULL; - byte buff[FOURK_BUF]; - const char eccPkcs8PrivKeyDerFile[] = "./certs/ecc-privkeyPkcs8.der"; - const char eccPkcs8PrivKeyPemFile[] = "./certs/ecc-privkeyPkcs8.pem"; - XFILE f = XBADFILE; - int bytes = 0; - -#ifndef NO_WOLFSSL_CLIENT - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLS_client_method())); -#else - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLS_server_method())); -#endif - wolfSSL_CTX_set_default_passwd_cb(ctx, FailTestCallBack); - - ExpectTrue((f = XFOPEN(eccPkcs8PrivKeyDerFile, "rb")) != XBADFILE); - ExpectIntGT(bytes = (int)XFREAD(buff, 1, sizeof(buff), f), 0); - if (f != XBADFILE) { - XFCLOSE(f); - f = XBADFILE; - } - ExpectIntLE(bytes, sizeof(buff)); - ExpectIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, bytes, - WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); - - ExpectTrue((f = XFOPEN(eccPkcs8PrivKeyPemFile, "rb")) != XBADFILE); - ExpectIntGT(bytes = (int)XFREAD(buff, 1, sizeof(buff), f), 0); - if (f != XBADFILE) - XFCLOSE(f); - ExpectIntLE(bytes, sizeof(buff)); - ExpectIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, bytes, - WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS); - - wolfSSL_CTX_free(ctx); - - /* Password callback should not be called by default */ - ExpectIntEQ(failTestCallbackCalled, 0); -#endif - return EXPECT_RESULT(); -} - -#if defined(TEST_PKCS8_ENC) && !defined(NO_TLS) -/* for PKCS8 test case */ -static int PKCS8TestCallBack(char* passwd, int sz, int rw, void* userdata) -{ - int flag = 0; - - (void)rw; - if (userdata != NULL) { - flag = *((int*)userdata); /* user set data */ - } - - switch (flag) { - case 1: /* flag set for specific WOLFSSL_CTX structure, note userdata - * can be anything the user wishes to be passed to the callback - * associated with the WOLFSSL_CTX */ - XSTRNCPY(passwd, "yassl123", sz); - return 8; - - default: - return BAD_FUNC_ARG; - } -} -#endif /* TEST_PKCS8_ENC && !NO_TLS */ - -/* Testing functions dealing with PKCS8 */ -static int test_wolfSSL_PKCS8(void) -{ - EXPECT_DECLS; -#if !defined(NO_FILESYSTEM) && !defined(NO_ASN) && defined(HAVE_PKCS8) && \ - !defined(WOLFCRYPT_ONLY) && !defined(NO_TLS) && \ - (!defined(WOLFSSL_NO_TLS12) || defined(WOLFSSL_TLS13)) -#if !defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER) - byte buff[FOURK_BUF]; - byte der[FOURK_BUF]; - #ifndef NO_RSA -#ifdef WOLFSSL_PEM_TO_DER - const char serverKeyPkcs8PemFile[] = "./certs/server-keyPkcs8.pem"; -#endif - const char serverKeyPkcs8DerFile[] = "./certs/server-keyPkcs8.der"; - #endif -#ifdef WOLFSSL_PEM_TO_DER - const char eccPkcs8PrivKeyPemFile[] = "./certs/ecc-privkeyPkcs8.pem"; -#endif - #ifdef HAVE_ECC - const char eccPkcs8PrivKeyDerFile[] = "./certs/ecc-privkeyPkcs8.der"; - #endif - XFILE f = XBADFILE; - int bytes = 0; - WOLFSSL_CTX* ctx = NULL; -#if defined(HAVE_ECC) && !defined(NO_CODING) && !defined(WOLFSSL_NO_PEM) - int ret; - ecc_key key; - word32 x = 0; -#endif -#ifdef TEST_PKCS8_ENC - #if !defined(NO_RSA) && !defined(NO_SHA) - const char serverKeyPkcs8EncPemFile[] = "./certs/server-keyPkcs8Enc.pem"; - const char serverKeyPkcs8EncDerFile[] = "./certs/server-keyPkcs8Enc.der"; - #endif - #if defined(HAVE_ECC) && !defined(NO_SHA) - const char eccPkcs8EncPrivKeyPemFile[] = "./certs/ecc-keyPkcs8Enc.pem"; - const char eccPkcs8EncPrivKeyDerFile[] = "./certs/ecc-keyPkcs8Enc.der"; - #endif - int flag; -#endif - - (void)der; - -#ifndef NO_WOLFSSL_CLIENT - #ifndef WOLFSSL_NO_TLS12 - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method())); - #else - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method())); - #endif -#else - #ifndef WOLFSSL_NO_TLS12 - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_2_server_method())); - #else - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_server_method())); - #endif -#endif - -#ifdef TEST_PKCS8_ENC - wolfSSL_CTX_set_default_passwd_cb(ctx, PKCS8TestCallBack); - wolfSSL_CTX_set_default_passwd_cb_userdata(ctx, (void*)&flag); - flag = 1; /* used by password callback as return code */ - - #if !defined(NO_RSA) && !defined(NO_SHA) - #if defined(WOLFSSL_PEM_TO_DER) - /* test loading PEM PKCS8 encrypted file */ - ExpectTrue((f = XFOPEN(serverKeyPkcs8EncPemFile, "rb")) != XBADFILE); - ExpectIntGT(bytes = (int)XFREAD(buff, 1, sizeof(buff), f), 0); - if (f != XBADFILE) { - XFCLOSE(f); - f = XBADFILE; - } - ExpectIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, bytes, - WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS); - - /* this next case should fail because of password callback return code */ - flag = 0; /* used by password callback as return code */ - ExpectIntNE(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, bytes, - WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS); - - /* decrypt PKCS8 PEM to key in DER format with not using WOLFSSL_CTX */ - ExpectIntGT(wc_KeyPemToDer(buff, bytes, der, (word32)sizeof(der), - "yassl123"), 0); - - /* test that error value is returned with a bad password */ - ExpectIntLT(wc_KeyPemToDer(buff, bytes, der, (word32)sizeof(der), - "bad"), 0); - #endif - - /* test loading PEM PKCS8 encrypted file */ - ExpectTrue((f = XFOPEN(serverKeyPkcs8EncDerFile, "rb")) != XBADFILE); - ExpectIntGT(bytes = (int)XFREAD(buff, 1, sizeof(buff), f), 0); - if (f != XBADFILE) { - XFCLOSE(f); - f = XBADFILE; - } - flag = 1; /* used by password callback as return code */ - ExpectIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, bytes, - WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); - - /* this next case should fail because of password callback return code */ - flag = 0; /* used by password callback as return code */ - ExpectIntNE(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, bytes, - WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); - #endif /* !NO_RSA && !NO_SHA */ - - #if defined(HAVE_ECC) && !defined(NO_SHA) - #if defined(WOLFSSL_PEM_TO_DER) - /* test loading PEM PKCS8 encrypted ECC Key file */ - ExpectTrue((f = XFOPEN(eccPkcs8EncPrivKeyPemFile, "rb")) != XBADFILE); - ExpectIntGT(bytes = (int)XFREAD(buff, 1, sizeof(buff), f), 0); - if (f != XBADFILE) { - XFCLOSE(f); - f = XBADFILE; - } - flag = 1; /* used by password callback as return code */ - ExpectIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, bytes, - WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS); - - /* this next case should fail because of password callback return code */ - flag = 0; /* used by password callback as return code */ - ExpectIntNE(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, bytes, - WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS); - - /* decrypt PKCS8 PEM to key in DER format with not using WOLFSSL_CTX */ - ExpectIntGT(wc_KeyPemToDer(buff, bytes, der, (word32)sizeof(der), - "yassl123"), 0); - - /* test that error value is returned with a bad password */ - ExpectIntLT(wc_KeyPemToDer(buff, bytes, der, (word32)sizeof(der), - "bad"), 0); - #endif - - /* test loading DER PKCS8 encrypted ECC Key file */ - ExpectTrue((f = XFOPEN(eccPkcs8EncPrivKeyDerFile, "rb")) != XBADFILE); - ExpectIntGT(bytes = (int)XFREAD(buff, 1, sizeof(buff), f), 0); - if (f != XBADFILE) { - XFCLOSE(f); - f = XBADFILE; - } - flag = 1; /* used by password callback as return code */ - ExpectIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, bytes, - WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); - - /* this next case should fail because of password callback return code */ - flag = 0; /* used by password callback as return code */ - ExpectIntNE(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, bytes, - WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); - - /* leave flag as "okay" */ - flag = 1; - #endif /* HAVE_ECC && !NO_SHA */ -#endif /* TEST_PKCS8_ENC */ - - -#ifndef NO_RSA - /* test loading ASN.1 (DER) PKCS8 private key file (not encrypted) */ - ExpectTrue((f = XFOPEN(serverKeyPkcs8DerFile, "rb")) != XBADFILE); - ExpectIntGT(bytes = (int)XFREAD(buff, 1, sizeof(buff), f), 0); - if (f != XBADFILE) { - XFCLOSE(f); - f = XBADFILE; - } - ExpectIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, bytes, - WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); - - #ifdef WOLFSSL_PEM_TO_DER - /* test loading PEM PKCS8 private key file (not encrypted) */ - ExpectTrue((f = XFOPEN(serverKeyPkcs8PemFile, "rb")) != XBADFILE); - ExpectIntGT(bytes = (int)XFREAD(buff, 1, sizeof(buff), f), 0); - if (f != XBADFILE) { - XFCLOSE(f); - f = XBADFILE; - } - ExpectIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, bytes, - WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS); - #endif -#endif /* !NO_RSA */ - -#ifdef WOLFSSL_PEM_TO_DER - /* Test PKCS8 PEM ECC key no crypt */ - ExpectTrue((f = XFOPEN(eccPkcs8PrivKeyPemFile, "rb")) != XBADFILE); - ExpectIntGT(bytes = (int)XFREAD(buff, 1, sizeof(buff), f), 0); - if (f != XBADFILE) { - XFCLOSE(f); - f = XBADFILE; - } -#endif -#ifdef HAVE_ECC -#ifdef WOLFSSL_PEM_TO_DER - /* Test PKCS8 PEM ECC key no crypt */ - ExpectIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, bytes, - WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS); - - /* decrypt PKCS8 PEM to key in DER format */ - ExpectIntGT((bytes = wc_KeyPemToDer(buff, bytes, der, - (word32)sizeof(der), NULL)), 0); - ret = wc_ecc_init(&key); - if (ret == 0) { - ret = wc_EccPrivateKeyDecode(der, &x, &key, (word32)bytes); - wc_ecc_free(&key); - } - ExpectIntEQ(ret, 0); -#endif - - /* Test PKCS8 DER ECC key no crypt */ - ExpectTrue((f = XFOPEN(eccPkcs8PrivKeyDerFile, "rb")) != XBADFILE); - ExpectIntGT(bytes = (int)XFREAD(buff, 1, sizeof(buff), f), 0); - if (f != XBADFILE) - XFCLOSE(f); - - /* Test using a PKCS8 ECC PEM */ - ExpectIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, bytes, - WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); -#else -#ifdef WOLFSSL_PEM_TO_DER - /* if HAVE_ECC is not defined then BEGIN EC PRIVATE KEY is not found */ - ExpectIntEQ((bytes = wc_KeyPemToDer(buff, bytes, der, - (word32)sizeof(der), NULL)), WC_NO_ERR_TRACE(ASN_NO_PEM_HEADER)); -#endif -#endif /* HAVE_ECC */ - - wolfSSL_CTX_free(ctx); -#endif /* !NO_WOLFSSL_CLIENT || !NO_WOLFSSL_SERVER */ -#endif /* !NO_FILESYSTEM && !NO_ASN && HAVE_PKCS8 */ - return EXPECT_RESULT(); -} - -static int test_wolfSSL_PKCS8_ED25519(void) -{ - EXPECT_DECLS; -#if !defined(NO_ASN) && defined(HAVE_PKCS8) && defined(HAVE_AES_CBC) && \ - defined(WOLFSSL_AES_256) && \ - defined(WOLFSSL_ENCRYPTED_KEYS) && defined(HAVE_ED25519) && \ - defined(HAVE_ED25519_KEY_IMPORT) - const byte encPrivKey[] = \ - "-----BEGIN ENCRYPTED PRIVATE KEY-----\n" - "MIGbMFcGCSqGSIb3DQEFDTBKMCkGCSqGSIb3DQEFDDAcBAheCGLmWGh7+AICCAAw\n" - "DAYIKoZIhvcNAgkFADAdBglghkgBZQMEASoEEC4L5P6GappsTyhOOoQfvh8EQJMX\n" - "OAdlsYKCOcFo4djg6AI1lRdeBRwVFWkha7gBdoCJOzS8wDvTbYcJMPvANu5ft3nl\n" - "2L9W4v7swXkV+X+a1ww=\n" - "-----END ENCRYPTED PRIVATE KEY-----\n"; - const char password[] = "abcdefghijklmnopqrstuvwxyz"; - byte der[FOURK_BUF]; -#if !defined(NO_TLS) && \ - (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) - WOLFSSL_CTX* ctx = NULL; -#endif - int bytes; - - XMEMSET(der, 0, sizeof(der)); - ExpectIntGT((bytes = wc_KeyPemToDer(encPrivKey, sizeof(encPrivKey), der, - (word32)sizeof(der), password)), 0); -#if !defined(NO_TLS) && \ - (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) -#ifndef NO_WOLFSSL_SERVER - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); -#else - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); -#endif - ExpectIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, der, bytes, - WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); - - wolfSSL_CTX_free(ctx); -#endif /* !NO_TLS && (!NO_WOLFSSL_CLIENT || !NO_WOLFSSL_SERVER) */ -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_PKCS8_ED448(void) -{ - EXPECT_DECLS; -#if !defined(NO_ASN) && defined(HAVE_PKCS8) && defined(HAVE_AES_CBC) && \ - defined(WOLFSSL_AES_256) && \ - defined(WOLFSSL_ENCRYPTED_KEYS) && defined(HAVE_ED448) && \ - defined(HAVE_ED448_KEY_IMPORT) - const byte encPrivKey[] = \ - "-----BEGIN ENCRYPTED PRIVATE KEY-----\n" - "MIGrMFcGCSqGSIb3DQEFDTBKMCkGCSqGSIb3DQEFDDAcBAjSbZKnG4EPggICCAAw\n" - "DAYIKoZIhvcNAgkFADAdBglghkgBZQMEASoEEFvCFWBBHBlJBsYleBJlJWcEUNC7\n" - "Tf5pZviT5Btar4D/MNg6BsQHSDf5KW4ix871EsgDY2Zz+euaoWspiMntz7gU+PQu\n" - "T/JJcbD2Ly8BbE3l5WHMifAQqNLxJBfXrHkfYtAo\n" - "-----END ENCRYPTED PRIVATE KEY-----\n"; - const char password[] = "abcdefghijklmnopqrstuvwxyz"; - byte der[FOURK_BUF]; -#if !defined(NO_TLS) && \ - (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) - WOLFSSL_CTX* ctx = NULL; -#endif - int bytes; - - XMEMSET(der, 0, sizeof(der)); - ExpectIntGT((bytes = wc_KeyPemToDer(encPrivKey, sizeof(encPrivKey), der, - (word32)sizeof(der), password)), 0); -#if !defined(NO_TLS) && \ - (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) -#ifndef NO_WOLFSSL_SERVER - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); -#else - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); -#endif - ExpectIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, der, bytes, - WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); - - wolfSSL_CTX_free(ctx); -#endif /* !NO_TLS && (!NO_WOLFSSL_CLIENT || !NO_WOLFSSL_SERVER) */ -#endif - return EXPECT_RESULT(); -} - -/* Testing functions dealing with PKCS5 */ -static int test_wolfSSL_PKCS5(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_SHA) && !defined(NO_PWDBASED) -#ifdef HAVE_FIPS /* Password minimum length is 14 (112-bit) in FIPS MODE */ - const char* passwd = "myfipsPa$$W0rd"; -#else - const char *passwd = "pass1234"; -#endif - const unsigned char *salt = (unsigned char *)"salt1234"; - unsigned char *out = (unsigned char *)XMALLOC(WC_SHA_DIGEST_SIZE, NULL, - DYNAMIC_TYPE_TMP_BUFFER); - int ret = 0; - - ExpectNotNull(out); - ExpectIntEQ(ret = PKCS5_PBKDF2_HMAC_SHA1(passwd,(int)XSTRLEN(passwd), salt, - (int)XSTRLEN((const char *) salt), 10, WC_SHA_DIGEST_SIZE,out), - WOLFSSL_SUCCESS); - -#ifdef WOLFSSL_SHA512 - ExpectIntEQ(ret = PKCS5_PBKDF2_HMAC(passwd,(int)XSTRLEN(passwd), salt, - (int)XSTRLEN((const char *) salt), 10, wolfSSL_EVP_sha512(), - WC_SHA_DIGEST_SIZE, out), SSL_SUCCESS); -#endif - - XFREE(out, NULL, DYNAMIC_TYPE_TMP_BUFFER); -#endif /* defined(OPENSSL_EXTRA) && !defined(NO_SHA) */ - return EXPECT_RESULT(); -} - -/* test parsing URI from certificate */ -static int test_wolfSSL_URI(void) -{ - EXPECT_DECLS; -#if !defined(NO_CERTS) && !defined(NO_RSA) && !defined(NO_FILESYSTEM) \ - && (defined(KEEP_PEER_CERT) || defined(SESSION_CERTS) || \ - defined(OPENSSL_EXTRA)) - WOLFSSL_X509* x509 = NULL; - const char uri[] = "./certs/client-uri-cert.pem"; - const char urn[] = "./certs/client-absolute-urn.pem"; - const char badUri[] = "./certs/client-relative-uri.pem"; - - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(uri, - WOLFSSL_FILETYPE_PEM)); - wolfSSL_FreeX509(x509); - x509 = NULL; - - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(urn, - WOLFSSL_FILETYPE_PEM)); - wolfSSL_FreeX509(x509); - x509 = NULL; - -#if !defined(IGNORE_NAME_CONSTRAINTS) && !defined(WOLFSSL_NO_ASN_STRICT) \ - && !defined(WOLFSSL_FPKI) - ExpectNull(x509 = wolfSSL_X509_load_certificate_file(badUri, - WOLFSSL_FILETYPE_PEM)); -#else - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(badUri, - WOLFSSL_FILETYPE_PEM)); -#endif - wolfSSL_FreeX509(x509); -#endif - return EXPECT_RESULT(); -} - - -#if !defined(NO_DH) && !defined(NO_AES) && defined(WOLFSSL_CERT_GEN) && \ - defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \ - defined(OPENSSL_EXTRA) && !defined(NO_ASN_TIME) -/* create certificate with version 2 */ -static int test_set_x509_badversion(WOLFSSL_CTX* ctx) -{ - EXPECT_DECLS; - WOLFSSL_X509 *x509 = NULL, *x509v2 = NULL; - WOLFSSL_EVP_PKEY *priv = NULL, *pub = NULL; - unsigned char *der = NULL, *key = NULL, *pt; - char *header = NULL, *name = NULL; - int derSz; - long keySz; - XFILE fp = XBADFILE; - WOLFSSL_ASN1_TIME *notBefore = NULL, *notAfter = NULL; - time_t t; - - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFile, - WOLFSSL_FILETYPE_PEM)); - - ExpectTrue((fp = XFOPEN(cliKeyFile, "rb")) != XBADFILE); - ExpectIntEQ(wolfSSL_PEM_read(fp, &name, &header, &key, &keySz), - WOLFSSL_SUCCESS); - if (fp != XBADFILE) - XFCLOSE(fp); - pt = key; - ExpectNotNull(priv = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL, - (const unsigned char**)&pt, keySz)); - - - /* create the version 2 certificate */ - ExpectNotNull(x509v2 = X509_new()); - ExpectIntEQ(wolfSSL_X509_set_version(x509v2, 1), WOLFSSL_SUCCESS); - - ExpectIntEQ(wolfSSL_X509_set_subject_name(x509v2, - wolfSSL_X509_get_subject_name(x509)), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509v2, - wolfSSL_X509_get_issuer_name(x509)), WOLFSSL_SUCCESS); - ExpectNotNull(pub = wolfSSL_X509_get_pubkey(x509)); - ExpectIntEQ(X509_set_pubkey(x509v2, pub), WOLFSSL_SUCCESS); - - t = time(NULL); - ExpectNotNull(notBefore = wolfSSL_ASN1_TIME_adj(NULL, t, 0, 0)); - ExpectNotNull(notAfter = wolfSSL_ASN1_TIME_adj(NULL, t, 365, 0)); - ExpectTrue(wolfSSL_X509_set_notBefore(x509v2, notBefore)); - ExpectTrue(wolfSSL_X509_set_notAfter(x509v2, notAfter)); - - ExpectIntGT(wolfSSL_X509_sign(x509v2, priv, EVP_sha256()), 0); - derSz = wolfSSL_i2d_X509(x509v2, &der); - ExpectIntGT(derSz, 0); - ExpectIntEQ(wolfSSL_CTX_use_certificate_buffer(ctx, der, derSz, - WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); - /* TODO: Replace with API call */ - XFREE(der, HEAP_HINT, DYNAMIC_TYPE_OPENSSL); - XFREE(key, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(name, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(header, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wolfSSL_X509_free(x509); - wolfSSL_X509_free(x509v2); - wolfSSL_EVP_PKEY_free(priv); - wolfSSL_EVP_PKEY_free(pub); - wolfSSL_ASN1_TIME_free(notBefore); - wolfSSL_ASN1_TIME_free(notAfter); - - return EXPECT_RESULT(); -} - - -/* override certificate version error */ -static int test_override_x509(int preverify, WOLFSSL_X509_STORE_CTX* store) -{ - EXPECT_DECLS; -#ifndef OPENSSL_COMPATIBLE_DEFAULTS - ExpectIntEQ(store->error, WC_NO_ERR_TRACE(ASN_VERSION_E)); -#else - ExpectIntEQ(store->error, 0); -#endif - ExpectIntEQ((int)wolfSSL_X509_get_version(store->current_cert), 1); - (void)preverify; - return EXPECT_RESULT() == TEST_SUCCESS; -} - - -/* set verify callback that will override bad certificate version */ -static int test_set_override_x509(WOLFSSL_CTX* ctx) -{ - wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, test_override_x509); - return TEST_SUCCESS; -} -#endif - - -static int test_wolfSSL_X509_TLS_version_test_1(void) -{ - EXPECT_DECLS; -#if !defined(NO_DH) && !defined(NO_AES) && defined(WOLFSSL_CERT_GEN) && \ - defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \ - defined(OPENSSL_EXTRA) && !defined(NO_ASN_TIME) - test_ssl_cbf func_cb_client; - test_ssl_cbf func_cb_server; - - /* test server rejects a client certificate that is not version 3 */ - XMEMSET(&func_cb_client, 0, sizeof(func_cb_client)); - XMEMSET(&func_cb_server, 0, sizeof(func_cb_server)); - - func_cb_client.ctx_ready = &test_set_x509_badversion; -#ifndef WOLFSSL_NO_TLS12 - func_cb_client.method = wolfTLSv1_2_client_method; -#else - func_cb_client.method = wolfTLSv1_3_client_method; -#endif - -#ifndef WOLFSSL_NO_TLS12 - func_cb_server.method = wolfTLSv1_2_server_method; -#else - func_cb_server.method = wolfTLSv1_3_server_method; -#endif - -#ifndef OPENSSL_COMPATIBLE_DEFAULTS - ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&func_cb_client, - &func_cb_server, NULL), -1001); -#else - ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&func_cb_client, - &func_cb_server, NULL), TEST_SUCCESS); -#endif -#endif - - return EXPECT_RESULT(); -} - -static int test_wolfSSL_X509_TLS_version_test_2(void) -{ - EXPECT_DECLS; -#if !defined(NO_DH) && !defined(NO_AES) && defined(WOLFSSL_CERT_GEN) && \ - defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \ - defined(OPENSSL_EXTRA) && !defined(NO_ASN_TIME) - test_ssl_cbf func_cb_client; - test_ssl_cbf func_cb_server; - - XMEMSET(&func_cb_client, 0, sizeof(func_cb_client)); - XMEMSET(&func_cb_server, 0, sizeof(func_cb_server)); - - func_cb_client.ctx_ready = &test_set_x509_badversion; - func_cb_server.ctx_ready = &test_set_override_x509; -#ifndef WOLFSSL_NO_TLS12 - func_cb_client.method = wolfTLSv1_2_client_method; -#else - func_cb_client.method = wolfTLSv1_3_client_method; -#endif - -#ifndef WOLFSSL_NO_TLS12 - func_cb_server.method = wolfTLSv1_2_server_method; -#else - func_cb_server.method = wolfTLSv1_3_server_method; -#endif - - ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&func_cb_client, - &func_cb_server, NULL), TEST_SUCCESS); -#endif - - return EXPECT_RESULT(); -} - -/* Testing function wolfSSL_CTX_SetMinVersion; sets the minimum downgrade - * version allowed. - * POST: 1 on success. - */ -static int test_wolfSSL_CTX_SetMinVersion(void) -{ - int res = TEST_SKIPPED; -#if !defined(NO_WOLFSSL_CLIENT) && !defined(NO_TLS) - int failFlag = WOLFSSL_SUCCESS; - WOLFSSL_CTX* ctx; - int itr; - - #ifndef NO_OLD_TLS - const int versions[] = { - #ifdef WOLFSSL_ALLOW_TLSV10 - WOLFSSL_TLSV1, - #endif - WOLFSSL_TLSV1_1, - WOLFSSL_TLSV1_2 }; - #elif !defined(WOLFSSL_NO_TLS12) - const int versions[] = { WOLFSSL_TLSV1_2 }; - #elif defined(WOLFSSL_TLS13) - const int versions[] = { WOLFSSL_TLSV1_3 }; - #else - const int versions[0]; - #endif - - ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()); - - for (itr = 0; itr < (int)(sizeof(versions)/sizeof(int)); itr++) { - if (wolfSSL_CTX_SetMinVersion(ctx, *(versions + itr)) - != WOLFSSL_SUCCESS) { - failFlag = WOLFSSL_FAILURE; - } - } - - wolfSSL_CTX_free(ctx); - - res = TEST_RES_CHECK(failFlag == WOLFSSL_SUCCESS); -#endif - return res; - -} /* END test_wolfSSL_CTX_SetMinVersion */ - - -/*----------------------------------------------------------------------------* - | OCSP Stapling - *----------------------------------------------------------------------------*/ - - -/* Testing wolfSSL_UseOCSPStapling function. OCSP stapling eliminates the need - * need to contact the CA, lowering the cost of cert revocation checking. - * PRE: HAVE_OCSP and HAVE_CERTIFICATE_STATUS_REQUEST - * POST: 1 returned for success. - */ -static int test_wolfSSL_UseOCSPStapling(void) -{ - EXPECT_DECLS; -#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) && defined(HAVE_OCSP) && \ - !defined(NO_TLS) && !defined(NO_WOLFSSL_CLIENT) - WOLFSSL_CTX* ctx = NULL; - WOLFSSL* ssl = NULL; - -#ifndef NO_WOLFSSL_CLIENT - #ifndef WOLFSSL_NO_TLS12 - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method())); - #else - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method())); - #endif -#else - #ifndef WOLFSSL_NO_TLS12 - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_2_server_method())); - #else - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_server_method())); - #endif -#endif - ExpectNotNull(ssl = wolfSSL_new(ctx)); - - ExpectIntEQ(wolfSSL_UseOCSPStapling(NULL, WOLFSSL_CSR2_OCSP, - WOLFSSL_CSR2_OCSP_USE_NONCE), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); -#ifndef NO_WOLFSSL_CLIENT - ExpectIntEQ(wolfSSL_UseOCSPStapling(ssl, WOLFSSL_CSR2_OCSP, - WOLFSSL_CSR2_OCSP_USE_NONCE), 1); -#else - ExpectIntEQ(wolfSSL_UseOCSPStapling(ssl, WOLFSSL_CSR2_OCSP, - WOLFSSL_CSR2_OCSP_USE_NONCE), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); -#endif - - wolfSSL_free(ssl); - wolfSSL_CTX_free(ctx); -#endif - return EXPECT_RESULT(); -} /* END test_wolfSSL_UseOCSPStapling */ - - -/* Testing OCSP stapling version 2, wolfSSL_UseOCSPStaplingV2 function. OCSP - * stapling eliminates the need to contact the CA and lowers cert revocation - * check. - * PRE: HAVE_CERTIFICATE_STATUS_REQUEST_V2 and HAVE_OCSP defined. - */ -static int test_wolfSSL_UseOCSPStaplingV2(void) -{ - EXPECT_DECLS; -#if defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) && defined(HAVE_OCSP) && \ - !defined(NO_TLS) && !defined(NO_WOLFSSL_CLIENT) - WOLFSSL_CTX* ctx = NULL; - WOLFSSL* ssl = NULL; - -#ifndef NO_WOLFSSL_CLIENT - #ifndef WOLFSSL_NO_TLS12 - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method())); - #else - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method())); - #endif -#else - #ifndef WOLFSSL_NO_TLS12 - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_2_server_method())); - #else - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_server_method())); - #endif -#endif - ExpectNotNull(ssl = wolfSSL_new(ctx)); - - ExpectIntEQ(wolfSSL_UseOCSPStaplingV2(NULL, WOLFSSL_CSR2_OCSP, - WOLFSSL_CSR2_OCSP_USE_NONCE), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); -#ifndef NO_WOLFSSL_CLIENT - ExpectIntEQ(wolfSSL_UseOCSPStaplingV2(ssl, WOLFSSL_CSR2_OCSP, - WOLFSSL_CSR2_OCSP_USE_NONCE), 1); -#else - ExpectIntEQ(wolfSSL_UseOCSPStaplingV2(ssl, WOLFSSL_CSR2_OCSP, - WOLFSSL_CSR2_OCSP_USE_NONCE), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); -#endif - - wolfSSL_free(ssl); - wolfSSL_CTX_free(ctx); -#endif - return EXPECT_RESULT(); - -} /* END test_wolfSSL_UseOCSPStaplingV2 */ - -/*----------------------------------------------------------------------------* - | Multicast Tests - *----------------------------------------------------------------------------*/ -static int test_wolfSSL_mcast(void) -{ - EXPECT_DECLS; -#if defined(WOLFSSL_DTLS) && defined(WOLFSSL_MULTICAST) && \ - (defined(WOLFSSL_TLS13) || defined(WOLFSSL_SNIFFER)) - WOLFSSL_CTX* ctx = NULL; - WOLFSSL* ssl = NULL; - byte preMasterSecret[512]; - byte clientRandom[32]; - byte serverRandom[32]; - byte suite[2] = {0, 0xfe}; /* WDM_WITH_NULL_SHA256 */ - byte buf[256]; - word16 newId; - - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfDTLSv1_2_client_method())); - - ExpectIntEQ(wolfSSL_CTX_mcast_set_member_id(ctx, 0), WOLFSSL_SUCCESS); - - ExpectNotNull(ssl = wolfSSL_new(ctx)); - - XMEMSET(preMasterSecret, 0x23, sizeof(preMasterSecret)); - XMEMSET(clientRandom, 0xA5, sizeof(clientRandom)); - XMEMSET(serverRandom, 0x5A, sizeof(serverRandom)); - ExpectIntEQ(wolfSSL_set_secret(ssl, 23, preMasterSecret, - sizeof(preMasterSecret), clientRandom, serverRandom, suite), - WOLFSSL_SUCCESS); - - ExpectIntLE(wolfSSL_mcast_read(ssl, &newId, buf, sizeof(buf)), 0); - ExpectIntLE(newId, 100); - - wolfSSL_free(ssl); - wolfSSL_CTX_free(ctx); -#endif /* WOLFSSL_DTLS && WOLFSSL_MULTICAST && (WOLFSSL_TLS13 || - * WOLFSSL_SNIFFER) */ - return EXPECT_RESULT(); -} - - -/*----------------------------------------------------------------------------* - | Wolfcrypt - *----------------------------------------------------------------------------*/ - -/* - * Testing wc_SetKeyUsage() - */ -static int test_wc_SetKeyUsage(void) -{ - EXPECT_DECLS; -#if !defined(NO_RSA) && defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_CERT_GEN) && !defined(HAVE_FIPS) - Cert myCert; - - ExpectIntEQ(wc_InitCert(&myCert), 0); - - ExpectIntEQ(wc_SetKeyUsage(&myCert, "keyEncipherment,keyAgreement"), 0); - ExpectIntEQ(wc_SetKeyUsage(&myCert, "digitalSignature,nonRepudiation"), 0); - ExpectIntEQ(wc_SetKeyUsage(&myCert, "contentCommitment,encipherOnly"), 0); - ExpectIntEQ(wc_SetKeyUsage(&myCert, "decipherOnly"), 0); - ExpectIntEQ(wc_SetKeyUsage(&myCert, "cRLSign,keyCertSign"), 0); - - /* Test bad args. */ - ExpectIntEQ(wc_SetKeyUsage(NULL, "decipherOnly"), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wc_SetKeyUsage(&myCert, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wc_SetKeyUsage(&myCert, ""), WC_NO_ERR_TRACE(KEYUSAGE_E)); - ExpectIntEQ(wc_SetKeyUsage(&myCert, ","), WC_NO_ERR_TRACE(KEYUSAGE_E)); - ExpectIntEQ(wc_SetKeyUsage(&myCert, "digitalSignature, cRLSign"), - WC_NO_ERR_TRACE(KEYUSAGE_E)); -#endif - return EXPECT_RESULT(); -} /* END test_wc_SetKeyUsage */ - -#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) -static void sample_mutex_cb (int flag, int type, const char* file, int line) -{ - (void)flag; - (void)type; - (void)file; - (void)line; -} -#endif -/* - * Testing wc_LockMutex_ex - */ -static int test_wc_LockMutex_ex(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) - int flag = CRYPTO_LOCK; - int type = 0; - const char* file = "./test-LockMutex_ex.txt"; - int line = 0; - - /* without SetMutexCb */ - ExpectIntEQ(wc_LockMutex_ex(flag, type, file, line), WC_NO_ERR_TRACE(BAD_STATE_E)); - /* with SetMutexCb */ - ExpectIntEQ(wc_SetMutexCb(sample_mutex_cb), 0); - ExpectIntEQ(wc_LockMutex_ex(flag, type, file, line), 0); - ExpectIntEQ(wc_SetMutexCb(NULL), 0); -#endif - return EXPECT_RESULT(); -} /* End test_wc_LockMutex_ex*/ -/* - * Testing wc_SetMutexCb - */ -static int test_wc_SetMutexCb(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) - ExpectIntEQ(wc_SetMutexCb(sample_mutex_cb), 0); - ExpectIntEQ(wc_SetMutexCb(NULL), 0); -#endif - return EXPECT_RESULT(); -} /* End test_wc_SetMutexCb*/ - - -/* - * Testing ToTraditional - */ -static int test_ToTraditional(void) -{ - EXPECT_DECLS; -#if !defined(NO_ASN) && (defined(HAVE_PKCS8) || defined(HAVE_PKCS12)) && \ - (defined(WOLFSSL_TEST_CERT) || defined(OPENSSL_EXTRA) || \ - defined(OPENSSL_EXTRA_X509_SMALL)) && !defined(NO_FILESYSTEM) - XFILE f = XBADFILE; - byte input[TWOK_BUF]; - word32 sz = 0; - - ExpectTrue((f = XFOPEN("./certs/server-keyPkcs8.der", "rb")) != XBADFILE); - ExpectTrue((sz = (word32)XFREAD(input, 1, sizeof(input), f)) > 0); - if (f != XBADFILE) - XFCLOSE(f); - - /* Good case */ - ExpectIntGT(ToTraditional(input, sz), 0); - /* Bad cases */ - ExpectIntEQ(ToTraditional(NULL, 0), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(ToTraditional(NULL, sz), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); -#ifdef WOLFSSL_ASN_TEMPLATE - ExpectIntEQ(ToTraditional(input, 0), WC_NO_ERR_TRACE(BUFFER_E)); -#else - ExpectIntEQ(ToTraditional(input, 0), WC_NO_ERR_TRACE(ASN_PARSE_E)); -#endif -#endif - return EXPECT_RESULT(); -} /* End test_ToTraditional*/ - - -/* - * Testing wc_SetSubjectBuffer - */ -static int test_wc_SetSubjectBuffer(void) -{ - EXPECT_DECLS; -#if defined(WOLFSSL_CERT_GEN) && !defined(NO_RSA) && !defined(NO_FILESYSTEM) - Cert cert; - XFILE file = XBADFILE; - byte* der = NULL; - word32 derSz; - - derSz = FOURK_BUF; - ExpectNotNull(der = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, - DYNAMIC_TYPE_TMP_BUFFER)); - ExpectTrue((file = XFOPEN("./certs/ca-cert.der", "rb")) != XBADFILE); - ExpectTrue((derSz = (word32)XFREAD(der, 1, FOURK_BUF, file)) > 0); - if (file != XBADFILE) - XFCLOSE(file); - - ExpectIntEQ(wc_InitCert(&cert), 0); - ExpectIntEQ(wc_SetSubjectBuffer(&cert, der, (int)derSz), 0); - ExpectIntEQ(wc_SetSubjectBuffer(NULL, der, (int)derSz), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - - XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); -#endif - return EXPECT_RESULT(); -} /* End test_wc_SetSubjectBuffer*/ - -/* - * Testing wc_SetSubjectKeyIdFromPublicKey_ex - */ -static int test_wc_SetSubjectKeyIdFromPublicKey_ex(void) -{ - EXPECT_DECLS; -#if defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_CERT_GEN) - WC_RNG rng; - Cert cert; -#if !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) - RsaKey rsaKey; - int bits = 2048; -#endif -#if defined(HAVE_ECC) - ecc_key eccKey; - int ret; -#endif -#if defined(HAVE_ED25519) && defined(HAVE_ED25519_KEY_EXPORT) - ed25519_key ed25519Key; -#endif -#if defined(HAVE_ED448) && defined(HAVE_ED448_KEY_EXPORT) - ed448_key ed448Key; -#endif - -#ifndef HAVE_FIPS - ExpectIntEQ(wc_InitRng_ex(&rng, HEAP_HINT, testDevId), 0); -#else - ExpectIntEQ(wc_InitRng(&rng), 0); -#endif - - ExpectIntEQ(wc_InitCert(&cert), 0); - -#if !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) - /* RSA */ - XMEMSET(&rsaKey, 0, sizeof(RsaKey)); - ExpectIntEQ(wc_InitRsaKey(&rsaKey, HEAP_HINT), 0); - ExpectIntEQ(MAKE_RSA_KEY(&rsaKey, bits, WC_RSA_EXPONENT, &rng), 0); - ExpectIntEQ(wc_SetSubjectKeyIdFromPublicKey_ex(&cert, RSA_TYPE, &rsaKey), - 0); - DoExpectIntEQ(wc_FreeRsaKey(&rsaKey), 0); -#endif - -#if defined(HAVE_ECC) - /* ECC */ - XMEMSET(&eccKey, 0, sizeof(ecc_key)); - ExpectIntEQ(wc_ecc_init(&eccKey), 0); - ret = wc_ecc_make_key(&rng, KEY14, &eccKey); -#if defined(WOLFSSL_ASYNC_CRYPT) - ret = wc_AsyncWait(ret, &eccKey.asyncDev, WC_ASYNC_FLAG_NONE); -#endif - ExpectIntEQ(ret, 0); - ExpectIntEQ(wc_SetSubjectKeyIdFromPublicKey_ex(&cert, ECC_TYPE, &eccKey), - 0); - DoExpectIntEQ(wc_ecc_free(&eccKey), 0); -#endif - -#if defined(HAVE_ED25519) && defined(HAVE_ED25519_KEY_EXPORT) - /* ED25519 */ - XMEMSET(&ed25519Key, 0, sizeof(ed25519_key)); - ExpectIntEQ(wc_ed25519_init(&ed25519Key), 0); - ExpectIntEQ(wc_ed25519_make_key(&rng, ED25519_KEY_SIZE, &ed25519Key), 0); - ExpectIntEQ(wc_SetSubjectKeyIdFromPublicKey_ex(&cert, ED25519_TYPE, - &ed25519Key), 0); - wc_ed25519_free(&ed25519Key); -#endif - -#if defined(HAVE_ED448) && defined(HAVE_ED448_KEY_EXPORT) - /* ED448 */ - XMEMSET(&ed448Key, 0, sizeof(ed448_key)); - ExpectIntEQ(wc_ed448_init(&ed448Key), 0); - ExpectIntEQ(wc_ed448_make_key(&rng, ED448_KEY_SIZE, &ed448Key), 0); - ExpectIntEQ(wc_SetSubjectKeyIdFromPublicKey_ex(&cert, ED448_TYPE, - &ed448Key), 0); - wc_ed448_free(&ed448Key); -#endif - - wc_FreeRng(&rng); - DoExpectIntEQ(wc_FreeRng(&rng), 0); -#endif /* WOLFSSL_CERT_EXT && WOLFSSL_CERT_GEN */ - return EXPECT_RESULT(); -} /* End test_wc_SetSubjectKeyIdFromPublicKey_ex*/ - -/* - * Testing wc_SetAuthKeyIdFromPublicKey_ex - */ -static int test_wc_SetAuthKeyIdFromPublicKey_ex(void) -{ - EXPECT_DECLS; -#if defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_CERT_GEN) - WC_RNG rng; - Cert cert; -#if !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) - RsaKey rsaKey; - int bits = 2048; -#endif -#if defined(HAVE_ECC) - ecc_key eccKey; - int ret; -#endif -#if defined(HAVE_ED25519) && defined(HAVE_ED25519_KEY_EXPORT) - ed25519_key ed25519Key; -#endif -#if defined(HAVE_ED448) && defined(HAVE_ED448_KEY_EXPORT) - ed448_key ed448Key; -#endif - -#ifndef HAVE_FIPS - ExpectIntEQ(wc_InitRng_ex(&rng, HEAP_HINT, testDevId), 0); -#else - ExpectIntEQ(wc_InitRng(&rng), 0); -#endif - - ExpectIntEQ(wc_InitCert(&cert), 0); - -#if !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) - /* RSA */ - XMEMSET(&rsaKey, 0, sizeof(RsaKey)); - ExpectIntEQ(wc_InitRsaKey(&rsaKey, HEAP_HINT), 0); - ExpectIntEQ(MAKE_RSA_KEY(&rsaKey, bits, WC_RSA_EXPONENT, &rng), 0); - ExpectIntEQ(wc_SetAuthKeyIdFromPublicKey_ex(&cert, RSA_TYPE, &rsaKey), 0); - DoExpectIntEQ(wc_FreeRsaKey(&rsaKey), 0); -#endif - -#if defined(HAVE_ECC) - /* ECC */ - XMEMSET(&eccKey, 0, sizeof(ecc_key)); - ExpectIntEQ(wc_ecc_init(&eccKey), 0); - ret = wc_ecc_make_key(&rng, KEY14, &eccKey); -#if defined(WOLFSSL_ASYNC_CRYPT) - ret = wc_AsyncWait(ret, &eccKey.asyncDev, WC_ASYNC_FLAG_NONE); -#endif - ExpectIntEQ(ret, 0); - ExpectIntEQ(wc_SetAuthKeyIdFromPublicKey_ex(&cert, ECC_TYPE, &eccKey), 0); - DoExpectIntEQ(wc_ecc_free(&eccKey), 0); -#endif - -#if defined(HAVE_ED25519) && defined(HAVE_ED25519_KEY_EXPORT) - /* ED25519 */ - XMEMSET(&ed25519Key, 0, sizeof(ed25519_key)); - ExpectIntEQ(wc_ed25519_init(&ed25519Key), 0); - ExpectIntEQ(wc_ed25519_make_key(&rng, ED25519_KEY_SIZE, &ed25519Key), 0); - ExpectIntEQ(wc_SetAuthKeyIdFromPublicKey_ex(&cert, ED25519_TYPE, - &ed25519Key), 0); - wc_ed25519_free(&ed25519Key); -#endif - -#if defined(HAVE_ED448) && defined(HAVE_ED448_KEY_EXPORT) - /* ED448 */ - XMEMSET(&ed448Key, 0, sizeof(ed448_key)); - ExpectIntEQ(wc_ed448_init(&ed448Key), 0); - ExpectIntEQ(wc_ed448_make_key(&rng, ED448_KEY_SIZE, &ed448Key), 0); - ExpectIntEQ(wc_SetAuthKeyIdFromPublicKey_ex(&cert, ED448_TYPE, &ed448Key), - 0); - wc_ed448_free(&ed448Key); -#endif - - DoExpectIntEQ(wc_FreeRng(&rng), 0); -#endif /* defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_CERT_GEN)*/ - return EXPECT_RESULT(); -} /* End test_wc_SetAuthKeyIdFromPublicKey_ex*/ - -static int test_wolfSSL_lhash(void) -{ - EXPECT_DECLS; -#ifdef OPENSSL_ALL - const char testStr[] = "Like a true nature's child\n" - "We were born\n" - "Born to be wild"; - -#ifdef NO_SHA - ExpectIntEQ(lh_strhash(testStr), 0xf9dc8a43); -#else - ExpectIntEQ(lh_strhash(testStr), 0x5b7541dc); -#endif -#endif - return EXPECT_RESULT(); -} - -static int test_wc_PemToDer(void) -{ - EXPECT_DECLS; -#if !defined(NO_CERTS) && defined(WOLFSSL_PEM_TO_DER) && !defined(NO_FILESYSTEM) - int ret; - DerBuffer* pDer = NULL; - const char* ca_cert = "./certs/server-cert.pem"; - const char* trusted_cert = "./certs/test/ossl-trusted-cert.pem"; - byte* cert_buf = NULL; - size_t cert_sz = 0; - int eccKey = 0; - EncryptedInfo info; - - XMEMSET(&info, 0, sizeof(info)); - - ExpectIntEQ(ret = load_file(ca_cert, &cert_buf, &cert_sz), 0); - ExpectIntEQ(ret = wc_PemToDer(cert_buf, (long int)cert_sz, CERT_TYPE, &pDer, NULL, - &info, &eccKey), 0); - wc_FreeDer(&pDer); - pDer = NULL; - - if (cert_buf != NULL) { - free(cert_buf); - cert_buf = NULL; - } - - /* Test that -----BEGIN TRUSTED CERTIFICATE----- banner parses OK */ - ExpectIntEQ(ret = load_file(trusted_cert, &cert_buf, &cert_sz), 0); - ExpectIntEQ(ret = wc_PemToDer(cert_buf, (long int)cert_sz, TRUSTED_CERT_TYPE, &pDer, NULL, - &info, &eccKey), 0); - wc_FreeDer(&pDer); - pDer = NULL; - - if (cert_buf != NULL) { - free(cert_buf); - cert_buf = NULL; - } - -#ifdef HAVE_ECC - { - const char* ecc_private_key = "./certs/ecc-privOnlyKey.pem"; - byte key_buf[256] = {0}; - - /* Test fail of loading a key with cert type */ - ExpectIntEQ(load_file(ecc_private_key, &cert_buf, &cert_sz), 0); - key_buf[0] = '\n'; - ExpectNotNull(XMEMCPY(key_buf + 1, cert_buf, cert_sz)); - ExpectIntNE((ret = wc_PemToDer(key_buf, (long int)cert_sz + 1, CERT_TYPE, - &pDer, NULL, &info, &eccKey)), 0); - - #ifdef OPENSSL_EXTRA - ExpectIntEQ((ret = wc_PemToDer(key_buf, cert_sz + 1, PRIVATEKEY_TYPE, - &pDer, NULL, &info, &eccKey)), 0); - #endif - wc_FreeDer(&pDer); - if (cert_buf != NULL) - free(cert_buf); - } -#endif -#endif - return EXPECT_RESULT(); -} - -static int test_wc_AllocDer(void) -{ - EXPECT_DECLS; -#if !defined(NO_CERTS) - DerBuffer* pDer = NULL; - word32 testSize = 1024; - - ExpectIntEQ(wc_AllocDer(NULL, testSize, CERT_TYPE, HEAP_HINT), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wc_AllocDer(&pDer, testSize, CERT_TYPE, HEAP_HINT), 0); - ExpectNotNull(pDer); - wc_FreeDer(&pDer); -#endif - return EXPECT_RESULT(); -} - -static int test_wc_CertPemToDer(void) -{ - EXPECT_DECLS; -#if !defined(NO_CERTS) && defined(WOLFSSL_PEM_TO_DER) && !defined(NO_FILESYSTEM) - const char* ca_cert = "./certs/ca-cert.pem"; - byte* cert_buf = NULL; - size_t cert_sz = 0; - size_t cert_dersz = 0; - byte* cert_der = NULL; - - ExpectIntEQ(load_file(ca_cert, &cert_buf, &cert_sz), 0); - cert_dersz = cert_sz; /* DER will be smaller than PEM */ - ExpectNotNull(cert_der = (byte*)malloc(cert_dersz)); - ExpectIntGE(wc_CertPemToDer(cert_buf, (int)cert_sz, cert_der, - (int)cert_dersz, CERT_TYPE), 0); - - ExpectIntEQ(wc_CertPemToDer(NULL, (int)cert_sz, NULL, -1, CERT_TYPE), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wc_CertPemToDer(cert_buf, (int)cert_sz, NULL, -1, CERT_TYPE), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wc_CertPemToDer(NULL, (int)cert_sz, cert_der, -1, CERT_TYPE), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wc_CertPemToDer(NULL, (int)cert_sz, NULL, (int)cert_dersz, - CERT_TYPE), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wc_CertPemToDer(NULL, (int)cert_sz, cert_der, - (int)cert_dersz, CERT_TYPE), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wc_CertPemToDer(cert_buf, (int)cert_sz, NULL, - (int)cert_dersz, CERT_TYPE), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wc_CertPemToDer(cert_buf, (int)cert_sz, cert_der, -1, - CERT_TYPE), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - - if (cert_der != NULL) - free(cert_der); - if (cert_buf != NULL) - free(cert_buf); -#endif - return EXPECT_RESULT(); -} - -static int test_wc_KeyPemToDer(void) -{ - EXPECT_DECLS; -#if defined(WOLFSSL_PEM_TO_DER) && !defined(NO_FILESYSTEM) && !defined(NO_RSA) - int ret = 0; - const byte cert_buf[] = \ - "-----BEGIN PRIVATE KEY-----\n" - "MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDMG5KgWxP002pA\n" - "QJIdA4H5N0oM1Wf0LrHcos5RYUlrHDkC2b5p2BUpVRPmgDAFD2+8leim98x0BvcB\n" - "k48TNzrVynuwyVEY664+iQyzEBO5v27HPRydOddprbLCvRO036XINGIjauy1jHFi\n" - "HaDVx3bexSwgp9aefUGAszFXi4q1J4GacV7Cr2b/wBqUHqWv4ZXPu6R9/UYngTkD\n" - "UDJL5gLlLfcLzNyyodKPHPCIAKdWn6mSVdcHk8XVpK4y9lgz4E7YDWA6ohKZgWgG\n" - "2RDha8CMilFMDgYa0G0SiS9g3PQx0qh3AMXJJsKSVhScFCZufAE0kV6KvjP7jAqP\n" - "XBiSkRGPAgMBAAECggEAW7hmRyY2jRX2UMJThrM9VIs6fRLnYI0dQ0tsEJj536ay\n" - "nevQjArc05KWW0Yujg+WRDZPcry3RUqd9Djlmhp/F3Si6dpF1b+PMS3wJYVrf9Sd\n" - "SO5W7faArU4vnyBNe0HnY1Ta5xSVI65lg1RSIs88RTZwsooJwXYDGf0shq0/21CE\n" - "V8HOb27DDYNcEnm35lzaONjFnMqQQT2Vs9anRrPiSEXNleEvTgLVXZtGTyCGTz6v\n" - "x86Y8eSWL9YNHvPE1I+mDPuocfSR7eRNgRu7SK3mn94W5mqd7Ns072YKX/2XN1mO\n" - "66+ZFHO6v4dK1u7cSjuwrU1EhLHpUsgDz6Bna5InyQKBgQDv5l8RPy8UneKSADaf\n" - "M5L/5675I/5t4nqVjvbnQje00YveLTAEjlJBNR93Biln3sYgnvNamYDCxyEuUZ/I\n" - "S/vmBL9PoxfGZow4FcsIBOEbIn3E0SYJgCBNWthquUvGpKsYDnThJuhO+1cVmxAJ\n" - "BUOjLFnJYHM0a+Vmk9GexT2OBwKBgQDZzkUBOK7Im3eiYytFocUJyhqMH30d49X9\n" - "ujC7kGw4UWAqVe7YCSvlBa8nzWpRWK2kRpu3M0272RU0V4geyWqT+nr/SvRRPtNP\n" - "F5dY8l3yR7hjtSejqqjOfBcZT6ETJxI4tiG0+Nl5BlfM5M+0nxnkWpRcHuOR3j79\n" - "YUFERyN+OQKBgQCjlOKeUAc6d65W/+4/AFvsQ378Q57qLtSHxsR1TKHPmlNVXFqx\n" - "wJo1/JNIBduWCEHxXHF0BdfW+RGXE/FwEt/hKLuLAhrkHmjelX2sKieU6R/5ZOQa\n" - "9lMQbDHGFDOncAF6leD85hriQGBRSzrT69MDIOrYdfwYcroqCAGX0cb3YQKBgQC8\n" - "iIFQylj5SyHmjcMSNjKSA8CxFDzAV8yPIdE3Oo+CvGXqn5HsrRuy1hXE9VmXapR8\n" - "A6ackSszdHiXY0FvrNe1mfdH7wDHJwPQjdIzazCJHS3uGQxj7sDKY7226ie6pXJv\n" - "ZrCMr2/IBAaSVGm6ppHKCeIsT4ybYm7R85KEYLPHeQKBgBeJOMBinXQfWN/1jT9b\n" - "6Ywrutvp2zP8hVxQGSZJ0WG4iewZyFLsPUlbWRXOSYNPElHmdD0ZomdLVm+lSpAA\n" - "XSH5FJ/IFCwqq7Eft6Gf8NFRV+NjPMUny+PnjHe4oFP8YK/Ek22K3ttNG8Hw69Aw\n" - "AQue5o6oVfhgLiJzMdo/77gw\n" - "-----END PRIVATE KEY-----\n"; - const int cert_sz = sizeof(cert_buf); - const char cert_pw[] = "password"; - int cert_dersz = 0; - byte* cert_der = NULL; - - /* Bad arg: Cert buffer is NULL */ - ExpectIntEQ(wc_KeyPemToDer(NULL, cert_sz, cert_der, cert_dersz, ""), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - - /* Bad arg: Cert DER buffer non-NULL but size zero (or less) */ - ExpectIntEQ(wc_KeyPemToDer(cert_buf, cert_sz, (byte*)&cert_der, 0, ""), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - - /* Test normal operation */ - cert_dersz = cert_sz; /* DER will be smaller than PEM */ - ExpectNotNull(cert_der = (byte*)malloc((size_t)cert_dersz)); - ExpectIntGE(ret = wc_KeyPemToDer(cert_buf, cert_sz, cert_der, cert_dersz, - cert_pw), 0); - ExpectIntLE(ret, cert_sz); - if (cert_der != NULL) { - free(cert_der); - cert_der = NULL; - } - - /* Test NULL for DER buffer to return needed DER buffer size */ - ExpectIntGT(ret = wc_KeyPemToDer(cert_buf, cert_sz, NULL, 0, ""), 0); - ExpectIntLE(ret, cert_sz); - if (EXPECT_SUCCESS()) - cert_dersz = ret; - ExpectNotNull(cert_der = (byte*)malloc((size_t)cert_dersz)); - ExpectIntGE(ret = wc_KeyPemToDer(cert_buf, cert_sz, cert_der, cert_dersz, - cert_pw), 0); - ExpectIntLE(ret, cert_sz); - if (cert_der != NULL) - free(cert_der); -#endif - return EXPECT_RESULT(); -} - -static int test_wc_PubKeyPemToDer(void) -{ - EXPECT_DECLS; -#if defined(WOLFSSL_PEM_TO_DER) && !defined(NO_FILESYSTEM) && \ - (defined(WOLFSSL_CERT_EXT) || defined(WOLFSSL_PUB_PEM_TO_DER)) - int ret = 0; - const char* key = "./certs/ecc-client-keyPub.pem"; - byte* cert_buf = NULL; - size_t cert_sz = 0, cert_dersz = 0; - byte* cert_der = NULL; - - ExpectIntEQ(wc_PubKeyPemToDer(cert_buf, (int)cert_sz, - cert_der, (int)cert_dersz), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - - ExpectIntEQ(load_file(key, &cert_buf, &cert_sz), 0); - cert_dersz = cert_sz; /* DER will be smaller than PEM */ - ExpectNotNull(cert_der = (byte*)malloc(cert_dersz)); - ExpectIntGE(wc_PubKeyPemToDer(cert_buf, (int)cert_sz, cert_der, - (int)cert_dersz), 0); - if (cert_der != NULL) { - free(cert_der); - cert_der = NULL; + fprintf(stderr, "ret = %d error = %d\n", idx, + wolfSSL_get_error(ssl, idx)); + goto done; } - /* Test NULL for DER buffer to return needed DER buffer size */ - ExpectIntGT(ret = wc_PubKeyPemToDer(cert_buf, (int)cert_sz, NULL, 0), 0); - ExpectIntLE(ret, cert_sz); - cert_dersz = (size_t)ret; - ExpectNotNull(cert_der = (byte*)malloc(cert_dersz)); - ExpectIntGE(wc_PubKeyPemToDer(cert_buf, (int)cert_sz, cert_der, - (int)cert_dersz), 0); - if (cert_der != NULL) { - free(cert_der); + if (wolfSSL_write(ssl, msg, sizeof(msg)) != sizeof(msg)) { + /*err_sys("SSL_write failed");*/ + WOLFSSL_RETURN_FROM_THREAD(0); } - if (cert_buf != NULL) { - free(cert_buf); - } +#ifdef WOLFSSL_TIRTOS + Task_yield(); #endif - return EXPECT_RESULT(); -} -static int test_wc_PemPubKeyToDer(void) -{ - EXPECT_DECLS; -#if !defined(NO_FILESYSTEM) && \ - (defined(WOLFSSL_CERT_EXT) || defined(WOLFSSL_PUB_PEM_TO_DER)) - const char* key = "./certs/ecc-client-keyPub.pem"; - size_t cert_dersz = 1024; - byte* cert_der = NULL; + ((func_args*)args)->return_code = TEST_SUCCESS; - ExpectIntGE(wc_PemPubKeyToDer(NULL, cert_der, (int)cert_dersz), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); +done: + wolfSSL_shutdown(ssl); + wolfSSL_free(ssl); + wolfSSL_CTX_free(ctx); - ExpectNotNull(cert_der = (byte*)malloc(cert_dersz)); - ExpectIntGE(wc_PemPubKeyToDer(key, cert_der, (int)cert_dersz), 0); - if (cert_der != NULL) { - free(cert_der); - } -#endif - return EXPECT_RESULT(); -} + CloseSocket(clientfd); -static int test_wc_GetPubKeyDerFromCert(void) -{ - EXPECT_DECLS; -#if !defined(NO_RSA) || defined(HAVE_ECC) - int ret; - word32 idx = 0; - byte keyDer[TWOK_BUF]; /* large enough for up to RSA 2048 */ - word32 keyDerSz = (word32)sizeof(keyDer); - DecodedCert decoded; -#if !defined(NO_RSA) && defined(WOLFSSL_CERT_REQ) && !defined(NO_FILESYSTEM) - byte certBuf[6000]; /* for PEM and CSR, client-cert.pem is 5-6kB */ - word32 certBufSz = sizeof(certBuf); +#ifdef WOLFSSL_TIRTOS + fdCloseSession(Task_self()); #endif -#if ((!defined(USE_CERT_BUFFERS_2048) && !defined(USE_CERT_BUFFERS_1024)) || \ - defined(WOLFSSL_CERT_REQ)) && !defined(NO_RSA) && !defined(NO_FILESYSTEM) - XFILE fp = XBADFILE; + +#if defined(NO_MAIN_DRIVER) && defined(HAVE_ECC) && defined(FP_ECC) \ + && defined(HAVE_THREAD_LS) + wc_ecc_fp_free(); /* free per thread cache */ #endif -#ifndef NO_RSA - RsaKey rsaKey; - #if defined(USE_CERT_BUFFERS_2048) - byte* rsaCertDer = (byte*)client_cert_der_2048; - word32 rsaCertDerSz = sizeof_client_cert_der_2048; - #elif defined(USE_CERT_BUFFERS_1024) - byte* rsaCertDer = (byte*)client_cert_der_1024; - word32 rsaCertDerSz = sizeof_client_cert_der_1024; - #else - unsigned char rsaCertDer[TWOK_BUF]; - word32 rsaCertDerSz; - #endif + +#if defined(HAVE_SESSION_TICKET) && \ + ((defined(HAVE_CHACHA) && defined(HAVE_POLY1305)) || defined(HAVE_AESGCM)) +#if defined(OPENSSL_EXTRA) && defined(HAVE_AESGCM) + OpenSSLTicketCleanup(); +#elif defined(WOLFSSL_NO_DEF_TICKET_ENC_CB) + TicketCleanup(); #endif -#ifdef HAVE_ECC - ecc_key eccKey; - #if defined(USE_CERT_BUFFERS_256) - byte* eccCert = (byte*)cliecc_cert_der_256; - word32 eccCertSz = sizeof_cliecc_cert_der_256; - #else - unsigned char eccCert[ONEK_BUF]; - word32 eccCertSz; - XFILE fp2 = XBADFILE; - #endif #endif -#ifndef NO_RSA + WOLFSSL_RETURN_FROM_THREAD(0); +} -#if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048) - ExpectTrue((fp = XFOPEN("./certs/1024/client-cert.der", "rb")) != XBADFILE); - ExpectIntGT(rsaCertDerSz = (word32)XFREAD(rsaCertDer, 1, sizeof(rsaCertDer), - fp), 0); - if (fp != XBADFILE) { - XFCLOSE(fp); - fp = XBADFILE; - } -#endif - /* good test case - RSA DER cert */ - wc_InitDecodedCert(&decoded, rsaCertDer, rsaCertDerSz, NULL); - ExpectIntEQ(wc_ParseCert(&decoded, CERT_TYPE, NO_VERIFY, NULL), 0); +static void load_tls12_canned_server(WOLFSSL* ssl) +{ + int clientfd = wolfSSL_get_fd(ssl); + AssertIntEQ(wolfSSL_tls_import(ssl, canned_server_session, + sizeof(canned_server_session)), sizeof(canned_server_session)); + wolfSSL_set_fd(ssl, clientfd); +} - ExpectIntEQ(wc_GetPubKeyDerFromCert(&decoded, keyDer, &keyDerSz), 0); - ExpectIntGT(keyDerSz, 0); - /* sanity check, verify we can import DER public key */ - ret = wc_InitRsaKey(&rsaKey, HEAP_HINT); - ExpectIntEQ(ret, 0); - ExpectIntEQ(wc_RsaPublicKeyDecode(keyDer, &idx, &rsaKey, keyDerSz), 0); - if (ret == 0) { - wc_FreeRsaKey(&rsaKey); - } +#ifdef WOLFSSL_TLS13 +static void load_tls13_canned_server(WOLFSSL* ssl) +{ + int clientfd = wolfSSL_get_fd(ssl); + AssertIntEQ(wolfSSL_tls_import(ssl, canned_server_tls13_session, + sizeof(canned_server_tls13_session)), + sizeof(canned_server_tls13_session)); + wolfSSL_set_fd(ssl, clientfd); +} +#endif - /* test LENGTH_ONLY_E case */ - keyDerSz = 0; - ExpectIntEQ(wc_GetPubKeyDerFromCert(&decoded, NULL, &keyDerSz), - WC_NO_ERR_TRACE(LENGTH_ONLY_E)); - ExpectIntGT(keyDerSz, 0); - /* bad args: DecodedCert NULL */ - ExpectIntEQ(wc_GetPubKeyDerFromCert(NULL, keyDer, &keyDerSz), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); +/* v is for version WOLFSSL_TLSV1_2 or WOLFSSL_TLSV1_3 */ +static int test_wolfSSL_tls_export_run(method_provider server_method, + method_provider client_method, ssl_callback ssl_ready, + const byte* clientSession, int clientSessionSz, int cmpSess) +{ + EXPECT_DECLS; + SOCKET_T sockfd = 0; + WOLFSSL_CTX* ctx = 0; + WOLFSSL* ssl = 0; + char msg[64] = "hello wolfssl!"; + char reply[1024]; + word32 replySz; + int msgSz = (int)XSTRLEN(msg); - /* bad args: output key buff size */ - ExpectIntEQ(wc_GetPubKeyDerFromCert(&decoded, keyDer, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + tcp_ready ready; + func_args server_args; + THREAD_TYPE serverThread; + callback_functions server_cbf; - /* bad args: zero size output key buffer */ - keyDerSz = 0; - ExpectIntEQ(ret = wc_GetPubKeyDerFromCert(&decoded, keyDer, &keyDerSz), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); +#ifdef WOLFSSL_TIRTOS + fdOpenSession(Task_self()); +#endif - wc_FreeDecodedCert(&decoded); + (void)cmpSess; - /* Certificate Request Tests */ - #if defined(WOLFSSL_CERT_REQ) && !defined(NO_FILESYSTEM) - { - XMEMSET(certBuf, 0, sizeof(certBuf)); - ExpectTrue((fp = XFOPEN("./certs/csr.signed.der", "rb")) != XBADFILE); - ExpectIntGT(certBufSz = (word32)XFREAD(certBuf, 1, certBufSz, fp), 0); - if (fp != XBADFILE) { - XFCLOSE(fp); - } + InitTcpReady(&ready); - wc_InitDecodedCert(&decoded, certBuf, certBufSz, NULL); - ExpectIntEQ(wc_ParseCert(&decoded, CERTREQ_TYPE, VERIFY, NULL), 0); +#if defined(USE_WINDOWS_API) + /* use RNG to get random port if using windows */ + ready.port = GetRandomPort(); +#endif - /* good test case - RSA DER certificate request */ - keyDerSz = sizeof(keyDer); - ExpectIntEQ(ret = wc_GetPubKeyDerFromCert(&decoded, keyDer, &keyDerSz), - 0); - ExpectIntGT(keyDerSz, 0); + XMEMSET(&server_args, 0, sizeof(func_args)); + XMEMSET(&server_cbf, 0, sizeof(callback_functions)); + server_cbf.method = server_method; + server_cbf.ssl_ready = ssl_ready; + ExpectNotNull(ctx = wolfSSL_CTX_new(client_method())); + server_args.callbacks = &server_cbf; + server_args.signal = &ready; - /* sanity check, verify we can import DER public key */ - ret = wc_InitRsaKey(&rsaKey, HEAP_HINT); - ExpectIntEQ(ret, 0); - idx = 0; - ExpectIntEQ(wc_RsaPublicKeyDecode(keyDer, &idx, &rsaKey, keyDerSz), 0); - if (ret == 0) { - wc_FreeRsaKey(&rsaKey); - } + start_thread(tls_export_server, &server_args, &serverThread); + wait_tcp_ready(&server_args); - wc_FreeDecodedCert(&decoded); + +#ifdef WOLFSSL_TIRTOS + fdOpenSession(Task_self()); +#endif + + ExpectNotNull(ssl = wolfSSL_new(ctx)); + tcp_connect(&sockfd, wolfSSLIP, ready.port, 0, 0, ssl); + ExpectIntEQ(wolfSSL_tls_import(ssl, clientSession, clientSessionSz), + clientSessionSz); + replySz = sizeof(reply); + ExpectIntGT(wolfSSL_tls_export(ssl, (byte*)reply, &replySz), 0); +#if !defined(NO_PSK) && defined(HAVE_ANON) + if (cmpSess) { + /* index 20 has is setting if PSK was on and 49 is if anon is allowed */ + ExpectIntEQ(replySz, clientSessionSz); + ExpectBufEQ(reply, clientSession, replySz); } - #endif /* WOLFSSL_CERT_REQ */ -#endif /* NO_RSA */ +#endif + wolfSSL_set_fd(ssl, sockfd); -#ifdef HAVE_ECC - #ifndef USE_CERT_BUFFERS_256 - ExpectTrue((fp2 = XFOPEN("./certs/client-ecc-cert.der", "rb")) != - XBADFILE); - ExpectIntGT(eccCertSz = (word32)XFREAD(eccCert, 1, ONEK_BUF, fp2), 0); - if (fp2 != XBADFILE) { - XFCLOSE(fp2); - } - #endif + ExpectIntEQ(wolfSSL_write(ssl, msg, msgSz), msgSz); + ExpectIntGT(wolfSSL_read(ssl, reply, sizeof(reply)-1), 0); - wc_InitDecodedCert(&decoded, eccCert, eccCertSz, NULL); - ExpectIntEQ(wc_ParseCert(&decoded, CERT_TYPE, NO_VERIFY, NULL), 0); + wolfSSL_free(ssl); + wolfSSL_CTX_free(ctx); - /* good test case - ECC */ - XMEMSET(keyDer, 0, sizeof(keyDer)); - keyDerSz = sizeof(keyDer); - ExpectIntEQ(wc_GetPubKeyDerFromCert(&decoded, keyDer, &keyDerSz), 0); - ExpectIntGT(keyDerSz, 0); + CloseSocket(sockfd); - /* sanity check, verify we can import DER public key */ - ret = wc_ecc_init(&eccKey); - ExpectIntEQ(ret, 0); - idx = 0; /* reset idx to 0, used above in RSA case */ - ExpectIntEQ(wc_EccPublicKeyDecode(keyDer, &idx, &eccKey, keyDerSz), 0); - if (ret == 0) { - wc_ecc_free(&eccKey); - } +#ifdef WOLFSSL_TIRTOS + fdCloseSession(Task_self()); +#endif - /* test LENGTH_ONLY_E case */ - keyDerSz = 0; - ExpectIntEQ(wc_GetPubKeyDerFromCert(&decoded, NULL, &keyDerSz), - WC_NO_ERR_TRACE(LENGTH_ONLY_E)); - ExpectIntGT(keyDerSz, 0); +#if defined(NO_MAIN_DRIVER) && defined(HAVE_ECC) && defined(FP_ECC) \ + && defined(HAVE_THREAD_LS) + wc_ecc_fp_free(); /* free per thread cache */ +#endif - wc_FreeDecodedCert(&decoded); + join_thread(serverThread); + + ExpectIntEQ(server_args.return_code, TEST_SUCCESS); + FreeTcpReady(&ready); + +#ifdef WOLFSSL_TIRTOS + fdOpenSession(Task_self()); #endif -#endif /* !NO_RSA || HAVE_ECC */ + return EXPECT_RESULT(); } +#endif -static int test_wc_GetSubjectPubKeyInfoDerFromCert(void) +static int test_wolfSSL_tls_export(void) { EXPECT_DECLS; -#if !defined(NO_RSA) || defined(HAVE_ECC) - int ret; - word32 idx = 0; - byte keyDer[TWOK_BUF]; /* large enough for up to RSA 2048 */ - word32 keyDerSz = (word32)sizeof(keyDer); -#if !defined(NO_RSA) && defined(WOLFSSL_CERT_REQ) && !defined(NO_FILESYSTEM) - byte certBuf[6000]; /* for PEM and CSR, client-cert.pem is 5-6kB */ - word32 certBufSz = sizeof(certBuf); -#endif -#if ((!defined(USE_CERT_BUFFERS_2048) && !defined(USE_CERT_BUFFERS_1024)) || \ - defined(WOLFSSL_CERT_REQ)) && !defined(NO_RSA) && !defined(NO_FILESYSTEM) - XFILE fp = XBADFILE; -#endif -#ifndef NO_RSA - RsaKey rsaKey; - #if defined(USE_CERT_BUFFERS_2048) - byte* rsaCertDer = (byte*)client_cert_der_2048; - word32 rsaCertDerSz = sizeof_client_cert_der_2048; - #elif defined(USE_CERT_BUFFERS_1024) - byte* rsaCertDer = (byte*)client_cert_der_1024; - word32 rsaCertDerSz = sizeof_client_cert_der_1024; - #else - unsigned char rsaCertDer[TWOK_BUF]; - word32 rsaCertDerSz; - #endif -#endif -#ifdef HAVE_ECC - ecc_key eccKey; - #if defined(USE_CERT_BUFFERS_256) - byte* eccCert = (byte*)cliecc_cert_der_256; - word32 eccCertSz = sizeof_cliecc_cert_der_256; - #else - unsigned char eccCert[ONEK_BUF]; - word32 eccCertSz; - XFILE fp2 = XBADFILE; +#if defined(WOLFSSL_SESSION_EXPORT) && !defined(WOLFSSL_NO_TLS12) + EXPECT_TEST(test_wolfSSL_tls_export_run(wolfTLSv1_2_server_method, + wolfTLSv1_2_client_method, load_tls12_canned_server, + canned_client_session_v4, sizeof(canned_client_session_v4), 0)); + EXPECT_TEST(test_wolfSSL_tls_export_run(wolfTLSv1_2_server_method, + wolfTLSv1_2_client_method, load_tls12_canned_server, + canned_client_session_v5, sizeof(canned_client_session_v5), 1)); + #ifdef WOLFSSL_TLS13 + EXPECT_TEST(test_wolfSSL_tls_export_run(wolfTLSv1_3_server_method, + wolfTLSv1_3_client_method, load_tls13_canned_server, + canned_client_tls13_session_v4, sizeof(canned_client_tls13_session_v4), + 0)); + EXPECT_TEST(test_wolfSSL_tls_export_run(wolfTLSv1_3_server_method, + wolfTLSv1_3_client_method, load_tls13_canned_server, + canned_client_tls13_session_v5, sizeof(canned_client_tls13_session_v5), + 1)); #endif #endif -#ifndef NO_RSA + return EXPECT_RESULT(); +} -#if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048) - ExpectTrue((fp = XFOPEN("./certs/1024/client-cert.der", "rb")) != XBADFILE); - ExpectIntGT(rsaCertDerSz = (word32)XFREAD(rsaCertDer, 1, sizeof(rsaCertDer), - fp), 0); - if (fp != XBADFILE) { - XFCLOSE(fp); - fp = XBADFILE; - } +/*----------------------------------------------------------------------------* + | TLS extensions tests + *----------------------------------------------------------------------------*/ + +#ifdef ENABLE_TLS_CALLBACK_TEST +/* Connection test runner - generic */ +static void test_wolfSSL_client_server(callback_functions* client_callbacks, + callback_functions* server_callbacks) +{ + tcp_ready ready; + func_args client_args; + func_args server_args; + THREAD_TYPE serverThread; + + XMEMSET(&client_args, 0, sizeof(func_args)); + XMEMSET(&server_args, 0, sizeof(func_args)); + + StartTCP(); + + client_args.callbacks = client_callbacks; + server_args.callbacks = server_callbacks; + +#ifdef WOLFSSL_TIRTOS + fdOpenSession(Task_self()); #endif - /* good test case - RSA DER cert */ - ExpectIntEQ(wc_GetSubjectPubKeyInfoDerFromCert(rsaCertDer, rsaCertDerSz, - keyDer, &keyDerSz), 0); - ExpectIntGT(keyDerSz, 0); + /* RUN Server side */ + InitTcpReady(&ready); - /* sanity check, verify we can import DER public key */ - ret = wc_InitRsaKey(&rsaKey, HEAP_HINT); - ExpectIntEQ(ret, 0); - ExpectIntEQ(wc_RsaPublicKeyDecode(keyDer, &idx, &rsaKey, keyDerSz), 0); - if (ret == 0) { - wc_FreeRsaKey(&rsaKey); - } +#if defined(USE_WINDOWS_API) + /* use RNG to get random port if using windows */ + ready.port = GetRandomPort(); +#endif - /* bad args: certDer */ - keyDerSz = (word32)sizeof(keyDer); - ExpectIntEQ(wc_GetSubjectPubKeyInfoDerFromCert(NULL, rsaCertDerSz, keyDer, - &keyDerSz), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + server_args.signal = &ready; + client_args.signal = &ready; + start_thread(run_wolfssl_server, &server_args, &serverThread); + wait_tcp_ready(&server_args); - /* bad args: 0 sized certSz */ - keyDerSz = (word32)sizeof(keyDer); - ExpectIntEQ(wc_GetSubjectPubKeyInfoDerFromCert(rsaCertDer, 0, keyDer, - &keyDerSz), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + /* RUN Client side */ + run_wolfssl_client(&client_args); + join_thread(serverThread); - /* bad args: NULL inout size */ - ExpectIntEQ(ret = wc_GetSubjectPubKeyInfoDerFromCert(rsaCertDer, - rsaCertDerSz, keyDer, - NULL), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + FreeTcpReady(&ready); +#ifdef WOLFSSL_TIRTOS + fdCloseSession(Task_self()); +#endif - /* Certificate Request Tests */ - #if defined(WOLFSSL_CERT_REQ) && !defined(NO_FILESYSTEM) - { - XMEMSET(certBuf, 0, sizeof(certBuf)); - ExpectTrue((fp = XFOPEN("./certs/csr.signed.der", "rb")) != XBADFILE); - ExpectIntGT(certBufSz = (word32)XFREAD(certBuf, 1, certBufSz, fp), 0); - if (fp != XBADFILE) { - XFCLOSE(fp); - } + client_callbacks->return_code = client_args.return_code; + server_callbacks->return_code = server_args.return_code; +} +#endif /* ENABLE_TLS_CALLBACK_TEST */ - /* good test case - RSA DER certificate request */ - keyDerSz = sizeof(keyDer); - ExpectIntEQ(ret = wc_GetSubjectPubKeyInfoDerFromCert(rsaCertDer, - rsaCertDerSz, - keyDer, - &keyDerSz), 0); - ExpectIntGT(keyDerSz, 0); - /* sanity check, verify we can import DER public key */ - ret = wc_InitRsaKey(&rsaKey, HEAP_HINT); - ExpectIntEQ(ret, 0); - idx = 0; - ExpectIntEQ(wc_RsaPublicKeyDecode(keyDer, &idx, &rsaKey, keyDerSz), 0); - if (ret == 0) { - wc_FreeRsaKey(&rsaKey); - } - } - #endif /* WOLFSSL_CERT_REQ */ -#endif /* NO_RSA */ +#ifdef HAVE_SNI +static int test_wolfSSL_UseSNI_params(void) +{ + EXPECT_DECLS; +#if !defined(NO_WOLFSSL_CLIENT) + WOLFSSL_CTX *ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()); + WOLFSSL *ssl = wolfSSL_new(ctx); -#ifdef HAVE_ECC - #ifndef USE_CERT_BUFFERS_256 - ExpectTrue((fp2 = XFOPEN("./certs/client-ecc-cert.der", "rb")) != - XBADFILE); - ExpectIntGT(eccCertSz = (word32)XFREAD(eccCert, 1, ONEK_BUF, fp2), 0); - if (fp2 != XBADFILE) { - XFCLOSE(fp2); - } - #endif + ExpectNotNull(ctx); + ExpectNotNull(ssl); - /* good test case - ECC */ - XMEMSET(keyDer, 0, sizeof(keyDer)); - keyDerSz = sizeof(keyDer); - ExpectIntEQ(wc_GetSubjectPubKeyInfoDerFromCert(eccCert, eccCertSz, keyDer, - &keyDerSz), 0); - ExpectIntGT(keyDerSz, 0); + /* invalid [ctx|ssl] */ + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_UseSNI(NULL, 0, "ctx", 3)); + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_UseSNI( NULL, 0, "ssl", 3)); + /* invalid type */ + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_UseSNI(ctx, (byte)-1, "ctx", 3)); + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_UseSNI( ssl, (byte)-1, "ssl", 3)); + /* invalid data */ + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_UseSNI(ctx, 0, NULL, 3)); + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_UseSNI( ssl, 0, NULL, 3)); + /* success case */ + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_UseSNI(ctx, 0, "ctx", 3)); + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_UseSNI( ssl, 0, "ssl", 3)); - /* sanity check, verify we can import DER public key */ - ret = wc_ecc_init(&eccKey); - ExpectIntEQ(ret, 0); - idx = 0; /* reset idx to 0, used above in RSA case */ - ExpectIntEQ(wc_EccPublicKeyDecode(keyDer, &idx, &eccKey, keyDerSz), 0); - if (ret == 0) { - wc_ecc_free(&eccKey); - } + wolfSSL_free(ssl); + wolfSSL_CTX_free(ctx); +#endif /* !NO_WOLFSSL_CLIENT */ -#endif -#endif /* !NO_RSA || HAVE_ECC */ return EXPECT_RESULT(); } -static int test_wc_CheckCertSigPubKey(void) +/* BEGIN of connection tests callbacks */ +static void use_SNI_at_ctx(WOLFSSL_CTX* ctx) { - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_FILESYSTEM) && \ - !defined(NO_RSA) && defined(WOLFSSL_PEM_TO_DER) && defined(HAVE_ECC) - int ret = 0; - const char* ca_cert = "./certs/ca-cert.pem"; - byte* cert_buf = NULL; - size_t cert_sz = 0; - byte* cert_der = NULL; - word32 cert_dersz = 0; - byte keyDer[TWOK_BUF]; /* large enough for up to RSA 2048 */ - word32 keyDerSz = (word32)sizeof(keyDer); - DecodedCert decoded; + AssertIntEQ(WOLFSSL_SUCCESS, + wolfSSL_CTX_UseSNI(ctx, WOLFSSL_SNI_HOST_NAME, "www.wolfssl.com", 15)); +} + +static void use_SNI_at_ssl(WOLFSSL* ssl) +{ + AssertIntEQ(WOLFSSL_SUCCESS, + wolfSSL_UseSNI(ssl, WOLFSSL_SNI_HOST_NAME, "www.wolfssl.com", 15)); +} - ExpectIntEQ(load_file(ca_cert, &cert_buf, &cert_sz), 0); - cert_dersz = (word32)cert_sz; /* DER will be smaller than PEM */ - ExpectNotNull(cert_der = (byte*)malloc(cert_dersz)); - ExpectIntGE(ret = wc_CertPemToDer(cert_buf, (int)cert_sz, cert_der, - (int)cert_dersz, CERT_TYPE), 0); +static void different_SNI_at_ssl(WOLFSSL* ssl) +{ + AssertIntEQ(WOLFSSL_SUCCESS, + wolfSSL_UseSNI(ssl, WOLFSSL_SNI_HOST_NAME, "ww2.wolfssl.com", 15)); +} - wc_InitDecodedCert(&decoded, cert_der, cert_dersz, NULL); - ExpectIntEQ(wc_ParseCert(&decoded, CERT_TYPE, NO_VERIFY, NULL), 0); +static void use_SNI_WITH_CONTINUE_at_ssl(WOLFSSL* ssl) +{ + use_SNI_at_ssl(ssl); + wolfSSL_SNI_SetOptions(ssl, WOLFSSL_SNI_HOST_NAME, + WOLFSSL_SNI_CONTINUE_ON_MISMATCH); +} - ExpectIntEQ(wc_GetPubKeyDerFromCert(&decoded, keyDer, &keyDerSz), 0); - ExpectIntGT(keyDerSz, 0); +static void use_SNI_WITH_FAKE_ANSWER_at_ssl(WOLFSSL* ssl) +{ + use_SNI_at_ssl(ssl); + wolfSSL_SNI_SetOptions(ssl, WOLFSSL_SNI_HOST_NAME, + WOLFSSL_SNI_ANSWER_ON_MISMATCH); +} - /* Good test case. */ - ExpectIntEQ(wc_CheckCertSigPubKey(cert_der, cert_dersz, NULL, keyDer, - keyDerSz, RSAk), 0); +static void use_MANDATORY_SNI_at_ctx(WOLFSSL_CTX* ctx) +{ + use_SNI_at_ctx(ctx); + wolfSSL_CTX_SNI_SetOptions(ctx, WOLFSSL_SNI_HOST_NAME, + WOLFSSL_SNI_ABORT_ON_ABSENCE); +} - /* No certificate. */ - ExpectIntEQ(wc_CheckCertSigPubKey(NULL, cert_dersz, NULL, keyDer, keyDerSz, - ECDSAk), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); +static void use_MANDATORY_SNI_at_ssl(WOLFSSL* ssl) +{ + use_SNI_at_ssl(ssl); + wolfSSL_SNI_SetOptions(ssl, WOLFSSL_SNI_HOST_NAME, + WOLFSSL_SNI_ABORT_ON_ABSENCE); +} - /* Bad cert size. */ - ExpectIntNE(ret = wc_CheckCertSigPubKey(cert_der, 0, NULL, keyDer, keyDerSz, - RSAk), 0); - ExpectTrue(ret == WC_NO_ERR_TRACE(ASN_PARSE_E) || ret == WC_NO_ERR_TRACE(BUFFER_E)); +static void use_PSEUDO_MANDATORY_SNI_at_ctx(WOLFSSL_CTX* ctx) +{ + use_SNI_at_ctx(ctx); + wolfSSL_CTX_SNI_SetOptions(ctx, WOLFSSL_SNI_HOST_NAME, + WOLFSSL_SNI_ANSWER_ON_MISMATCH | WOLFSSL_SNI_ABORT_ON_ABSENCE); +} - /* No public key. */ - ExpectIntEQ(wc_CheckCertSigPubKey(cert_der, cert_dersz, NULL, NULL, - keyDerSz, RSAk), WC_NO_ERR_TRACE(ASN_NO_SIGNER_E)); +static void verify_UNKNOWN_SNI_on_server(WOLFSSL* ssl) +{ + AssertIntEQ(WC_NO_ERR_TRACE(UNKNOWN_SNI_HOST_NAME_E), + wolfSSL_get_error(ssl, 0)); +} - /* Bad public key size. */ - ExpectIntEQ(wc_CheckCertSigPubKey(cert_der, cert_dersz, NULL, keyDer, 0, - RSAk), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); +static void verify_SNI_ABSENT_on_server(WOLFSSL* ssl) +{ + AssertIntEQ(WC_NO_ERR_TRACE(SNI_ABSENT_ERROR), wolfSSL_get_error(ssl, 0)); +} - /* Wrong aglo. */ - ExpectIntEQ(wc_CheckCertSigPubKey(cert_der, cert_dersz, NULL, keyDer, - keyDerSz, ECDSAk), WC_NO_ERR_TRACE(ASN_PARSE_E)); +static void verify_SNI_no_matching(WOLFSSL* ssl) +{ + byte type = WOLFSSL_SNI_HOST_NAME; + void* request = (void*) &type; /* to be overwritten */ - wc_FreeDecodedCert(&decoded); - if (cert_der != NULL) - free(cert_der); - if (cert_buf != NULL) - free(cert_buf); -#endif - return EXPECT_RESULT(); + AssertIntEQ(WOLFSSL_SNI_NO_MATCH, wolfSSL_SNI_Status(ssl, type)); + AssertNotNull(request); + AssertIntEQ(0, wolfSSL_SNI_GetRequest(ssl, type, &request)); + AssertNull(request); } -static int test_wolfSSL_X509_ext_d2i(void) +static void verify_SNI_real_matching(WOLFSSL* ssl) { - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) - X509* x509 = NULL; + byte type = WOLFSSL_SNI_HOST_NAME; + void* request = NULL; - ExpectNotNull(x509 = wolfSSL_X509_new()); + AssertIntEQ(WOLFSSL_SNI_REAL_MATCH, wolfSSL_SNI_Status(ssl, type)); + AssertIntEQ(15, wolfSSL_SNI_GetRequest(ssl, type, &request)); + AssertNotNull(request); + AssertStrEQ("www.wolfssl.com", (char*)request); +} - ExpectNull(wolfSSL_X509_get_ext_d2i(x509, NID_basic_constraints, - NULL, NULL)); - ExpectNull(wolfSSL_X509_get_ext_d2i(x509, NID_subject_alt_name, - NULL, NULL)); - ExpectNull(wolfSSL_X509_get_ext_d2i(x509, NID_authority_key_identifier, - NULL, NULL)); - ExpectNull(wolfSSL_X509_get_ext_d2i(x509, NID_subject_key_identifier, - NULL, NULL)); - ExpectNull(wolfSSL_X509_get_ext_d2i(x509, NID_key_usage, - NULL, NULL)); - ExpectNull(wolfSSL_X509_get_ext_d2i(x509, NID_crl_distribution_points, - NULL, NULL)); - ExpectNull(wolfSSL_X509_get_ext_d2i(x509, NID_ext_key_usage, - NULL, NULL)); - ExpectNull(wolfSSL_X509_get_ext_d2i(x509, NID_info_access, - NULL, NULL)); - ExpectNull(wolfSSL_X509_get_ext_d2i(x509, NID_certificate_policies, - NULL, NULL)); - /* Invalid NID for an extension. */ - ExpectNull(wolfSSL_X509_get_ext_d2i(x509, NID_description, - NULL, NULL)); +static void verify_SNI_fake_matching(WOLFSSL* ssl) +{ + byte type = WOLFSSL_SNI_HOST_NAME; + void* request = NULL; - wolfSSL_X509_free(x509); -#endif - return EXPECT_RESULT(); + AssertIntEQ(WOLFSSL_SNI_FAKE_MATCH, wolfSSL_SNI_Status(ssl, type)); + AssertIntEQ(15, wolfSSL_SNI_GetRequest(ssl, type, &request)); + AssertNotNull(request); + AssertStrEQ("ww2.wolfssl.com", (char*)request); } -static int test_wolfSSL_certs(void) +static void verify_FATAL_ERROR_on_client(WOLFSSL* ssl) { - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_FILESYSTEM) && \ - !defined(NO_TLS) && !defined(NO_RSA) - X509* x509ext = NULL; - X509* x509 = NULL; -#ifdef OPENSSL_ALL - WOLFSSL_X509_EXTENSION* ext = NULL; - ASN1_OBJECT* obj = NULL; -#endif - WOLFSSL* ssl = NULL; - WOLFSSL_CTX* ctx = NULL; - STACK_OF(ASN1_OBJECT)* sk = NULL; - ASN1_STRING* asn1_str = NULL; - AUTHORITY_KEYID* akey = NULL; - WOLFSSL_STACK* skid = NULL; - BASIC_CONSTRAINTS* bc = NULL; - int crit = 0; + AssertIntEQ(WC_NO_ERR_TRACE(FATAL_ERROR), wolfSSL_get_error(ssl, 0)); +} +/* END of connection tests callbacks */ -#ifndef NO_WOLFSSL_SERVER - ExpectNotNull(ctx = SSL_CTX_new(SSLv23_server_method())); -#else - ExpectNotNull(ctx = SSL_CTX_new(SSLv23_client_method())); +static int test_wolfSSL_UseSNI_connection(void) +{ + int res = TEST_SKIPPED; +#if !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) + callback_functions client_cb; + callback_functions server_cb; + size_t i; +#ifdef WOLFSSL_STATIC_MEMORY + byte cliMem[TEST_TLS_STATIC_MEMSZ]; + byte svrMem[TEST_TLS_STATIC_MEMSZ]; #endif - ExpectTrue(SSL_CTX_use_certificate_file(ctx, svrCertFile, SSL_FILETYPE_PEM)); - ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, SSL_FILETYPE_PEM)); - ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, cliKeyFile, SSL_FILETYPE_PEM)); - #if !defined(NO_CHECK_PRIVATE_KEY) - ExpectIntEQ(SSL_CTX_check_private_key(ctx), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - #endif - ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, SSL_FILETYPE_PEM)); - #if !defined(NO_CHECK_PRIVATE_KEY) - ExpectIntEQ(SSL_CTX_check_private_key(ctx), SSL_SUCCESS); + struct { + method_provider client_meth; + method_provider server_meth; + #ifdef WOLFSSL_STATIC_MEMORY + wolfSSL_method_func client_meth_ex; + wolfSSL_method_func server_meth_ex; #endif - ExpectNotNull(ssl = SSL_new(ctx)); - - /* Invalid parameters. */ - ExpectIntEQ(SSL_use_certificate_file(NULL, NULL, WOLFSSL_FILETYPE_PEM), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(SSL_use_certificate_file(ssl, NULL, WOLFSSL_FILETYPE_PEM), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(SSL_use_certificate_file(NULL, "./certs/server-cert.pem", - WOLFSSL_FILETYPE_PEM), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + } methods[] = { +#if defined(WOLFSSL_NO_TLS12) && !defined(WOLFSSL_TLS13) + {wolfSSLv23_client_method, wolfSSLv23_server_method + #ifdef WOLFSSL_STATIC_MEMORY + ,wolfSSLv23_client_method_ex, wolfSSLv23_server_method_ex + #endif + }, +#endif +#ifndef WOLFSSL_NO_TLS12 + {wolfTLSv1_2_client_method, wolfTLSv1_2_server_method + #ifdef WOLFSSL_STATIC_MEMORY + ,wolfTLSv1_2_client_method_ex, wolfTLSv1_2_server_method_ex + #endif + }, +#endif +#ifdef WOLFSSL_TLS13 + {wolfTLSv1_3_client_method, wolfTLSv1_3_server_method + #ifdef WOLFSSL_STATIC_MEMORY + ,wolfTLSv1_3_client_method_ex, wolfTLSv1_3_server_method_ex + #endif + }, +#endif + }; + size_t methodsSz = sizeof(methods) / sizeof(*methods); - #if !defined(NO_CHECK_PRIVATE_KEY) - ExpectIntEQ(wolfSSL_check_private_key(ssl), WOLFSSL_SUCCESS); + for (i = 0; i < methodsSz; i++) { + XMEMSET(&client_cb, 0, sizeof(callback_functions)); + XMEMSET(&server_cb, 0, sizeof(callback_functions)); + client_cb.method = methods[i].client_meth; + server_cb.method = methods[i].server_meth; + client_cb.devId = testDevId; + server_cb.devId = testDevId; + #ifdef WOLFSSL_STATIC_MEMORY + client_cb.method_ex = methods[i].client_meth_ex; + server_cb.method_ex = methods[i].server_meth_ex; + client_cb.mem = cliMem; + client_cb.memSz = (word32)sizeof(cliMem); + server_cb.mem = svrMem; + server_cb.memSz = (word32)sizeof(svrMem);; #endif - #ifdef HAVE_PK_CALLBACKS - ExpectIntEQ((int)SSL_set_tlsext_debug_arg(ssl, NULL), WOLFSSL_SUCCESS); - #endif /* HAVE_PK_CALLBACKS */ + /* success case at ctx */ + fprintf(stderr, "\n\tsuccess case at ctx\n"); + client_cb.ctx_ready = use_SNI_at_ctx; client_cb.ssl_ready = NULL; client_cb.on_result = NULL; + server_cb.ctx_ready = use_SNI_at_ctx; server_cb.ssl_ready = NULL; server_cb.on_result = verify_SNI_real_matching; + test_wolfSSL_client_server(&client_cb, &server_cb); - /* Invalid parameters. */ - ExpectNotNull(x509 = wolfSSL_X509_new()); - ExpectIntEQ(SSL_use_certificate(NULL, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(SSL_use_certificate(ssl, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(SSL_use_certificate(NULL, x509), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - /* No data in certificate. */ - ExpectIntEQ(SSL_use_certificate(ssl, x509), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - wolfSSL_X509_free(x509); - x509 = NULL; + /* success case at ssl */ + fprintf(stderr, "\tsuccess case at ssl\n"); + client_cb.ctx_ready = NULL; client_cb.ssl_ready = use_SNI_at_ssl; client_cb.on_result = verify_SNI_real_matching; + server_cb.ctx_ready = NULL; server_cb.ssl_ready = use_SNI_at_ssl; server_cb.on_result = verify_SNI_real_matching; + test_wolfSSL_client_server(&client_cb, &server_cb); - /* create and use x509 */ - ExpectNull(wolfSSL_X509_load_certificate_file(cliCertFileExt, -1)); - ExpectNull(wolfSSL_X509_load_certificate_file("/tmp/badfile", - WOLFSSL_FILETYPE_PEM)); - ExpectNull(wolfSSL_X509_load_certificate_file(NULL, WOLFSSL_FILETYPE_PEM)); - ExpectNull(wolfSSL_X509_load_certificate_file(cliCertFileExt, - WOLFSSL_FILETYPE_ASN1)); -#ifdef OPENSSL_ALL - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFile, - WOLFSSL_FILETYPE_PEM)); -#endif - ExpectNotNull(x509ext = wolfSSL_X509_load_certificate_file(cliCertFileExt, - WOLFSSL_FILETYPE_PEM)); - ExpectIntEQ(SSL_use_certificate(ssl, x509ext), WOLFSSL_SUCCESS); + /* default mismatch behavior */ + fprintf(stderr, "\tdefault mismatch behavior\n"); + client_cb.ctx_ready = NULL; client_cb.ssl_ready = different_SNI_at_ssl; client_cb.on_result = verify_FATAL_ERROR_on_client; + server_cb.ctx_ready = NULL; server_cb.ssl_ready = use_SNI_at_ssl; server_cb.on_result = verify_UNKNOWN_SNI_on_server; + test_wolfSSL_client_server(&client_cb, &server_cb); - #if !defined(NO_CHECK_PRIVATE_KEY) - /* with loading in a new cert the check on private key should now fail */ - ExpectIntNE(wolfSSL_check_private_key(ssl), WOLFSSL_SUCCESS); - #endif + /* continue on mismatch */ + fprintf(stderr, "\tcontinue on mismatch\n"); + client_cb.ctx_ready = NULL; client_cb.ssl_ready = different_SNI_at_ssl; client_cb.on_result = NULL; + server_cb.ctx_ready = NULL; server_cb.ssl_ready = use_SNI_WITH_CONTINUE_at_ssl; server_cb.on_result = verify_SNI_no_matching; + test_wolfSSL_client_server(&client_cb, &server_cb); + /* fake answer on mismatch */ + fprintf(stderr, "\tfake answer on mismatch\n"); + client_cb.ctx_ready = NULL; client_cb.ssl_ready = different_SNI_at_ssl; client_cb.on_result = NULL; + server_cb.ctx_ready = NULL; server_cb.ssl_ready = use_SNI_WITH_FAKE_ANSWER_at_ssl; server_cb.on_result = verify_SNI_fake_matching; + test_wolfSSL_client_server(&client_cb, &server_cb); - #if defined(USE_CERT_BUFFERS_2048) - /* Invalid parameters. */ - ExpectIntEQ(SSL_use_certificate_ASN1(NULL, NULL, 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(SSL_use_certificate_ASN1(ssl, NULL, 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(SSL_use_certificate_ASN1(NULL, - (unsigned char*)server_cert_der_2048, 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - /* No data. */ - ExpectIntEQ(SSL_use_certificate_ASN1(ssl, - (unsigned char*)server_cert_der_2048, 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + /* sni abort - success */ + fprintf(stderr, "\tsni abort - success\n"); + client_cb.ctx_ready = use_SNI_at_ctx; client_cb.ssl_ready = NULL; client_cb.on_result = NULL; + server_cb.ctx_ready = use_MANDATORY_SNI_at_ctx; server_cb.ssl_ready = NULL; server_cb.on_result = verify_SNI_real_matching; + test_wolfSSL_client_server(&client_cb, &server_cb); - ExpectIntEQ(SSL_use_certificate_ASN1(ssl, - (unsigned char*)server_cert_der_2048, - sizeof_server_cert_der_2048), WOLFSSL_SUCCESS); - #endif + /* sni abort - abort when absent (ctx) */ + fprintf(stderr, "\tsni abort - abort when absent (ctx)\n"); + client_cb.ctx_ready = NULL; client_cb.ssl_ready = NULL; client_cb.on_result = verify_FATAL_ERROR_on_client; + server_cb.ctx_ready = use_MANDATORY_SNI_at_ctx; server_cb.ssl_ready = NULL; server_cb.on_result = verify_SNI_ABSENT_on_server; + test_wolfSSL_client_server(&client_cb, &server_cb); - #if !defined(NO_SHA) && !defined(NO_SHA256) && !defined(NO_PWDBASED) - /************* Get Digest of Certificate ******************/ - { - byte digest[64]; /* max digest size */ - word32 digestSz; - X509* x509Empty = NULL; + /* sni abort - abort when absent (ssl) */ + fprintf(stderr, "\tsni abort - abort when absent (ssl)\n"); + client_cb.ctx_ready = NULL; client_cb.ssl_ready = NULL; client_cb.on_result = verify_FATAL_ERROR_on_client; + server_cb.ctx_ready = NULL; server_cb.ssl_ready = use_MANDATORY_SNI_at_ssl; server_cb.on_result = verify_SNI_ABSENT_on_server; + test_wolfSSL_client_server(&client_cb, &server_cb); - XMEMSET(digest, 0, sizeof(digest)); - ExpectIntEQ(X509_digest(NULL, wolfSSL_EVP_sha1(), digest, &digestSz), - WOLFSSL_FAILURE); - ExpectIntEQ(X509_digest(x509ext, NULL, digest, &digestSz), - WOLFSSL_FAILURE); - ExpectIntEQ(X509_digest(x509ext, wolfSSL_EVP_sha1(), NULL, &digestSz), - WOLFSSL_FAILURE); - ExpectIntEQ(X509_digest(x509ext, wolfSSL_EVP_sha1(), digest, NULL), - WOLFSSL_SUCCESS); - ExpectIntEQ(X509_digest(x509ext, wolfSSL_EVP_sha1(), digest, &digestSz), - WOLFSSL_SUCCESS); - ExpectIntEQ(X509_digest(x509ext, wolfSSL_EVP_sha256(), digest, - &digestSz), WOLFSSL_SUCCESS); + /* sni abort - success when overwritten */ + fprintf(stderr, "\tsni abort - success when overwritten\n"); + client_cb.ctx_ready = NULL; client_cb.ssl_ready = NULL; client_cb.on_result = NULL; + server_cb.ctx_ready = use_MANDATORY_SNI_at_ctx; server_cb.ssl_ready = use_SNI_at_ssl; server_cb.on_result = verify_SNI_no_matching; + test_wolfSSL_client_server(&client_cb, &server_cb); - ExpectNotNull(x509Empty = wolfSSL_X509_new()); - ExpectIntEQ(X509_digest(x509Empty, wolfSSL_EVP_sha256(), digest, - &digestSz), WOLFSSL_FAILURE); - wolfSSL_X509_free(x509Empty); + /* sni abort - success when allowing mismatches */ + fprintf(stderr, "\tsni abort - success when allowing mismatches\n"); + client_cb.ctx_ready = NULL; client_cb.ssl_ready = different_SNI_at_ssl; client_cb.on_result = NULL; + server_cb.ctx_ready = use_PSEUDO_MANDATORY_SNI_at_ctx; server_cb.ssl_ready = NULL; server_cb.on_result = verify_SNI_fake_matching; + test_wolfSSL_client_server(&client_cb, &server_cb); } - #endif /* !NO_SHA && !NO_SHA256 && !NO_PWDBASED */ - #if !defined(NO_SHA) && !defined(NO_SHA256) && !defined(NO_PWDBASED) - /************* Get Digest of Certificate ******************/ - { - byte digest[64]; /* max digest size */ - word32 digestSz; - X509* x509Empty = NULL; + res = TEST_RES_CHECK(1); +#endif /* !NO_WOLFSSL_CLIENT && !NO_WOLFSSL_SERVER */ - XMEMSET(digest, 0, sizeof(digest)); - ExpectIntEQ(X509_pubkey_digest(NULL, wolfSSL_EVP_sha1(), digest, - &digestSz), WOLFSSL_FAILURE); - ExpectIntEQ(X509_pubkey_digest(x509ext, NULL, digest, &digestSz), - WOLFSSL_FAILURE); - ExpectIntEQ(X509_pubkey_digest(x509ext, wolfSSL_EVP_sha1(), NULL, - &digestSz), WOLFSSL_FAILURE); - ExpectIntEQ(X509_pubkey_digest(x509ext, wolfSSL_EVP_sha1(), digest, - NULL), WOLFSSL_SUCCESS); - ExpectIntEQ(X509_pubkey_digest(x509ext, wolfSSL_EVP_sha1(), digest, - &digestSz), WOLFSSL_SUCCESS); - ExpectIntEQ(X509_pubkey_digest(x509ext, wolfSSL_EVP_sha256(), digest, - &digestSz), WOLFSSL_SUCCESS); + return res; +} - ExpectNotNull(x509Empty = wolfSSL_X509_new()); - ExpectIntEQ(X509_pubkey_digest(x509Empty, wolfSSL_EVP_sha256(), digest, - &digestSz), WOLFSSL_FAILURE); - wolfSSL_X509_free(x509Empty); - } - #endif /* !NO_SHA && !NO_SHA256 && !NO_PWDBASED */ +static int test_wolfSSL_SNI_GetFromBuffer(void) +{ + EXPECT_DECLS; + byte buff[] = { /* www.paypal.com */ + 0x00, 0x00, 0x00, 0x00, 0xff, 0x01, 0x00, 0x00, 0x60, 0x03, 0x03, 0x5c, + 0xc4, 0xb3, 0x8c, 0x87, 0xef, 0xa4, 0x09, 0xe0, 0x02, 0xab, 0x86, 0xca, + 0x76, 0xf0, 0x9e, 0x01, 0x65, 0xf6, 0xa6, 0x06, 0x13, 0x1d, 0x0f, 0xa5, + 0x79, 0xb0, 0xd4, 0x77, 0x22, 0xeb, 0x1a, 0x00, 0x00, 0x16, 0x00, 0x6b, + 0x00, 0x67, 0x00, 0x39, 0x00, 0x33, 0x00, 0x3d, 0x00, 0x3c, 0x00, 0x35, + 0x00, 0x2f, 0x00, 0x05, 0x00, 0x04, 0x00, 0x0a, 0x01, 0x00, 0x00, 0x21, + 0x00, 0x00, 0x00, 0x13, 0x00, 0x11, 0x00, 0x00, 0x0e, 0x77, 0x77, 0x77, + 0x2e, 0x70, 0x61, 0x79, 0x70, 0x61, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x00, + 0x0d, 0x00, 0x06, 0x00, 0x04, 0x04, 0x01, 0x02, 0x01 + }; - /* test and checkout X509 extensions */ - ExpectNotNull(bc = (BASIC_CONSTRAINTS*)X509_get_ext_d2i(x509ext, - NID_basic_constraints, NULL, NULL)); - BASIC_CONSTRAINTS_free(bc); - bc = NULL; - ExpectNotNull(bc = (BASIC_CONSTRAINTS*)X509_get_ext_d2i(x509ext, - NID_basic_constraints, &crit, NULL)); - ExpectIntEQ(crit, 0); + byte buff2[] = { /* api.textmate.org */ + 0x16, 0x03, 0x01, 0x00, 0xc6, 0x01, 0x00, 0x00, 0xc2, 0x03, 0x03, 0x52, + 0x8b, 0x7b, 0xca, 0x69, 0xec, 0x97, 0xd5, 0x08, 0x03, 0x50, 0xfe, 0x3b, + 0x99, 0xc3, 0x20, 0xce, 0xa5, 0xf6, 0x99, 0xa5, 0x71, 0xf9, 0x57, 0x7f, + 0x04, 0x38, 0xf6, 0x11, 0x0b, 0xb8, 0xd3, 0x00, 0x00, 0x5e, 0x00, 0xff, + 0xc0, 0x24, 0xc0, 0x23, 0xc0, 0x0a, 0xc0, 0x09, 0xc0, 0x07, 0xc0, 0x08, + 0xc0, 0x28, 0xc0, 0x27, 0xc0, 0x14, 0xc0, 0x13, 0xc0, 0x11, 0xc0, 0x12, + 0xc0, 0x26, 0xc0, 0x25, 0xc0, 0x2a, 0xc0, 0x29, 0xc0, 0x05, 0xc0, 0x04, + 0xc0, 0x02, 0xc0, 0x03, 0xc0, 0x0f, 0xc0, 0x0e, 0xc0, 0x0c, 0xc0, 0x0d, + 0x00, 0x3d, 0x00, 0x3c, 0x00, 0x2f, 0x00, 0x05, 0x00, 0x04, 0x00, 0x35, + 0x00, 0x0a, 0x00, 0x67, 0x00, 0x6b, 0x00, 0x33, 0x00, 0x39, 0x00, 0x16, + 0x00, 0xaf, 0x00, 0xae, 0x00, 0x8d, 0x00, 0x8c, 0x00, 0x8a, 0x00, 0x8b, + 0x00, 0xb1, 0x00, 0xb0, 0x00, 0x2c, 0x00, 0x3b, 0x01, 0x00, 0x00, 0x3b, + 0x00, 0x00, 0x00, 0x15, 0x00, 0x13, 0x00, 0x00, 0x10, 0x61, 0x70, 0x69, + 0x2e, 0x74, 0x65, 0x78, 0x74, 0x6d, 0x61, 0x74, 0x65, 0x2e, 0x6f, 0x72, + 0x67, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x17, 0x00, 0x18, 0x00, + 0x19, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x0d, 0x00, 0x0c, 0x00, + 0x0a, 0x05, 0x01, 0x04, 0x01, 0x02, 0x01, 0x04, 0x03, 0x02, 0x03 + }; -#ifdef OPENSSL_ALL - ExpectNull(X509V3_EXT_i2d(NID_basic_constraints, crit, NULL)); - { - int i; - int unsupportedNid[] = { - 0, - NID_inhibit_any_policy, - NID_certificate_policies, - NID_policy_mappings, - NID_name_constraints, - NID_policy_constraints, - NID_crl_distribution_points - }; - int unsupportedNidCnt = (int)(sizeof(unsupportedNid) / - sizeof(*unsupportedNid)); + byte buff3[] = { /* no sni extension */ + 0x16, 0x03, 0x03, 0x00, 0x4d, 0x01, 0x00, 0x00, 0x49, 0x03, 0x03, 0xea, + 0xa1, 0x9f, 0x60, 0xdd, 0x52, 0x12, 0x13, 0xbd, 0x84, 0x34, 0xd5, 0x1c, + 0x38, 0x25, 0xa8, 0x97, 0xd2, 0xd5, 0xc6, 0x45, 0xaf, 0x1b, 0x08, 0xe4, + 0x1e, 0xbb, 0xdf, 0x9d, 0x39, 0xf0, 0x65, 0x00, 0x00, 0x16, 0x00, 0x6b, + 0x00, 0x67, 0x00, 0x39, 0x00, 0x33, 0x00, 0x3d, 0x00, 0x3c, 0x00, 0x35, + 0x00, 0x2f, 0x00, 0x05, 0x00, 0x04, 0x00, 0x0a, 0x01, 0x00, 0x00, 0x0a, + 0x00, 0x0d, 0x00, 0x06, 0x00, 0x04, 0x04, 0x01, 0x02, 0x01 + }; - for (i = 0; i < unsupportedNidCnt; i++) { - ExpectNotNull(ext = X509V3_EXT_i2d(unsupportedNid[i], crit, bc)); - X509_EXTENSION_free(ext); - ext = NULL; - } - } - ExpectNotNull(ext = X509V3_EXT_i2d(NID_basic_constraints, crit, bc)); - X509_EXTENSION_free(ext); - ext = NULL; + byte buff4[] = { /* last extension has zero size */ + 0x16, 0x03, 0x01, 0x00, 0xba, 0x01, 0x00, 0x00, + 0xb6, 0x03, 0x03, 0x83, 0xa3, 0xe6, 0xdc, 0x16, 0xa1, 0x43, 0xe9, 0x45, + 0x15, 0xbd, 0x64, 0xa9, 0xb6, 0x07, 0xb4, 0x50, 0xc6, 0xdd, 0xff, 0xc2, + 0xd3, 0x0d, 0x4f, 0x36, 0xb4, 0x41, 0x51, 0x61, 0xc1, 0xa5, 0x9e, 0x00, + 0x00, 0x28, 0xcc, 0x14, 0xcc, 0x13, 0xc0, 0x2b, 0xc0, 0x2f, 0x00, 0x9e, + 0xc0, 0x0a, 0xc0, 0x09, 0xc0, 0x13, 0xc0, 0x14, 0xc0, 0x07, 0xc0, 0x11, + 0x00, 0x33, 0x00, 0x32, 0x00, 0x39, 0x00, 0x9c, 0x00, 0x2f, 0x00, 0x35, + 0x00, 0x0a, 0x00, 0x05, 0x00, 0x04, 0x01, 0x00, 0x00, 0x65, 0xff, 0x01, + 0x00, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x17, 0x00, + 0x18, 0x00, 0x19, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, + 0x00, 0x33, 0x74, 0x00, 0x00, 0x00, 0x10, 0x00, 0x1b, 0x00, 0x19, 0x06, + 0x73, 0x70, 0x64, 0x79, 0x2f, 0x33, 0x08, 0x73, 0x70, 0x64, 0x79, 0x2f, + 0x33, 0x2e, 0x31, 0x08, 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31, + 0x75, 0x50, 0x00, 0x00, 0x00, 0x05, 0x00, 0x05, 0x01, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x0d, 0x00, 0x12, 0x00, 0x10, 0x04, 0x01, 0x05, 0x01, 0x02, + 0x01, 0x04, 0x03, 0x05, 0x03, 0x02, 0x03, 0x04, 0x02, 0x02, 0x02, 0x00, + 0x12, 0x00, 0x00 + }; + + byte buff5[] = { /* SSL v2.0 client hello */ + 0x00, 0x2b, 0x01, 0x03, 0x01, 0x00, 0x09, 0x00, 0x00, + /* dummy bytes below, just to pass size check */ + 0xb6, 0x03, 0x03, 0x83, 0xa3, 0xe6, 0xdc, 0x16, 0xa1, 0x43, 0xe9, 0x45, + 0x15, 0xbd, 0x64, 0xa9, 0xb6, 0x07, 0xb4, 0x50, 0xc6, 0xdd, 0xff, 0xc2, + 0xd3, 0x0d, 0x4f, 0x36, 0xb4, 0x41, 0x51, 0x61, 0xc1, 0xa5, 0x9e, 0x00, + }; + + byte result[32] = {0}; + word32 length = 32; + + ExpectIntEQ(0, wolfSSL_SNI_GetFromBuffer(buff4, sizeof(buff4), + 0, result, &length)); + + ExpectIntEQ(0, wolfSSL_SNI_GetFromBuffer(buff3, sizeof(buff3), + 0, result, &length)); + + ExpectIntEQ(0, wolfSSL_SNI_GetFromBuffer(buff2, sizeof(buff2), + 1, result, &length)); + + ExpectIntEQ(WC_NO_ERR_TRACE(BUFFER_ERROR), wolfSSL_SNI_GetFromBuffer(buff, sizeof(buff), + 0, result, &length)); + buff[0] = 0x16; + + ExpectIntEQ(WC_NO_ERR_TRACE(BUFFER_ERROR), wolfSSL_SNI_GetFromBuffer(buff, sizeof(buff), + 0, result, &length)); + buff[1] = 0x03; + + ExpectIntEQ(WC_NO_ERR_TRACE(SNI_UNSUPPORTED), wolfSSL_SNI_GetFromBuffer(buff, + sizeof(buff), 0, result, &length)); + buff[2] = 0x03; + + ExpectIntEQ(WC_NO_ERR_TRACE(INCOMPLETE_DATA), wolfSSL_SNI_GetFromBuffer(buff, + sizeof(buff), 0, result, &length)); + buff[4] = 0x64; + + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_SNI_GetFromBuffer(buff, sizeof(buff), + 0, result, &length)); + if (EXPECT_SUCCESS()) + result[length] = 0; + ExpectStrEQ("www.paypal.com", (const char*) result); - ExpectNotNull(ext = X509_EXTENSION_new()); - ExpectIntEQ(X509_EXTENSION_set_critical(NULL, 1), WOLFSSL_FAILURE); - ExpectIntEQ(X509_EXTENSION_set_critical(ext, 1), WOLFSSL_SUCCESS); - ExpectNotNull(obj = OBJ_nid2obj(NID_basic_constraints)); - ExpectIntEQ(X509_EXTENSION_set_object(NULL, NULL), SSL_FAILURE); - ExpectIntEQ(X509_EXTENSION_set_object(NULL, obj), SSL_FAILURE); - ExpectIntEQ(X509_EXTENSION_set_object(ext, NULL), SSL_SUCCESS); - ExpectIntEQ(X509_EXTENSION_set_object(ext, obj), SSL_SUCCESS); - /* Check old object is being freed. */ - ExpectIntEQ(X509_EXTENSION_set_object(ext, obj), SSL_SUCCESS); - ASN1_OBJECT_free(obj); - obj = NULL; - X509_EXTENSION_free(ext); - ext = NULL; + length = 32; - ExpectNotNull(ext = X509_EXTENSION_new()); - ExpectIntEQ(X509_EXTENSION_set_critical(ext, 0), WOLFSSL_SUCCESS); - ExpectIntEQ(X509_EXTENSION_set_data(ext, NULL), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectNotNull(asn1_str = (ASN1_STRING*)X509_get_ext_d2i(x509ext, - NID_key_usage, NULL, NULL)); - ASN1_STRING_free(asn1_str); - asn1_str = NULL; - ExpectNotNull(asn1_str = (ASN1_STRING*)X509_get_ext_d2i(x509ext, - NID_key_usage, &crit, NULL)); - ExpectIntEQ(X509_EXTENSION_set_data(ext, asn1_str), SSL_SUCCESS); - ExpectIntEQ(X509_EXTENSION_set_data(ext, asn1_str), SSL_SUCCESS); - ASN1_STRING_free(asn1_str); /* X509_EXTENSION_set_data has made a copy - * and X509_get_ext_d2i has created new */ - asn1_str = NULL; - X509_EXTENSION_free(ext); - ext = NULL; + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_SNI_GetFromBuffer(buff2, sizeof(buff2), + 0, result, &length)); + if (EXPECT_SUCCESS()) + result[length] = 0; + ExpectStrEQ("api.textmate.org", (const char*) result); -#endif - BASIC_CONSTRAINTS_free(NULL); - BASIC_CONSTRAINTS_free(bc); - bc = NULL; + /* SSL v2.0 tests */ + ExpectIntEQ(WC_NO_ERR_TRACE(SNI_UNSUPPORTED), wolfSSL_SNI_GetFromBuffer(buff5, + sizeof(buff5), 0, result, &length)); - ExpectNotNull(asn1_str = (ASN1_STRING*)X509_get_ext_d2i(x509ext, - NID_key_usage, NULL, NULL)); - ASN1_STRING_free(asn1_str); - asn1_str = NULL; - ExpectNotNull(asn1_str = (ASN1_STRING*)X509_get_ext_d2i(x509ext, - NID_key_usage, &crit, NULL)); - ExpectIntEQ(crit, 1); - ExpectIntEQ(asn1_str->type, NID_key_usage); -#ifdef OPENSSL_ALL - ExpectNotNull(ext = X509V3_EXT_i2d(NID_key_usage, crit, asn1_str)); - X509_EXTENSION_free(ext); - ext = NULL; -#endif - ASN1_STRING_free(asn1_str); - asn1_str = NULL; + buff5[2] = 0x02; + ExpectIntEQ(WC_NO_ERR_TRACE(BUFFER_ERROR), wolfSSL_SNI_GetFromBuffer(buff5, + sizeof(buff5), 0, result, &length)); -#ifdef OPENSSL_ALL - ExpectNotNull(sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509, - NID_ext_key_usage, NULL, NULL)); - EXTENDED_KEY_USAGE_free(NULL); - EXTENDED_KEY_USAGE_free(sk); - sk = NULL; - ExpectNotNull(sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509, - NID_ext_key_usage, &crit, NULL)); - ExpectNotNull(ext = X509V3_EXT_i2d(NID_ext_key_usage, crit, sk)); - X509_EXTENSION_free(ext); - ext = NULL; - EXTENDED_KEY_USAGE_free(sk); - sk = NULL; -#else - sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509ext, NID_ext_key_usage, - &crit, NULL); - ExpectNull(sk); -#endif + buff5[2] = 0x01; buff5[6] = 0x08; + ExpectIntEQ(WC_NO_ERR_TRACE(BUFFER_ERROR), wolfSSL_SNI_GetFromBuffer(buff5, + sizeof(buff5), 0, result, &length)); - ExpectNotNull(akey = (AUTHORITY_KEYID*)X509_get_ext_d2i(x509ext, - NID_authority_key_identifier, NULL, NULL)); - wolfSSL_AUTHORITY_KEYID_free(NULL); - wolfSSL_AUTHORITY_KEYID_free(akey); - akey = NULL; - ExpectNotNull(akey = (AUTHORITY_KEYID*)X509_get_ext_d2i(x509ext, - NID_authority_key_identifier, &crit, NULL)); -#ifdef OPENSSL_ALL - ExpectNotNull(ext = X509V3_EXT_i2d(NID_authority_key_identifier, crit, - akey)); - X509_EXTENSION_free(ext); - ext = NULL; -#endif - wolfSSL_AUTHORITY_KEYID_free(akey); - akey = NULL; + buff5[6] = 0x09; buff5[8] = 0x01; + ExpectIntEQ(WC_NO_ERR_TRACE(BUFFER_ERROR), wolfSSL_SNI_GetFromBuffer(buff5, + sizeof(buff5), 0, result, &length)); - ExpectNotNull(skid = (WOLFSSL_STACK*)X509_get_ext_d2i(x509ext, - NID_subject_key_identifier, NULL, NULL)); - wolfSSL_sk_ASN1_OBJECT_pop_free(skid, wolfSSL_ASN1_OBJECT_free); - skid = NULL; - ExpectNotNull(skid = (WOLFSSL_STACK*)X509_get_ext_d2i(x509ext, - NID_subject_key_identifier, &crit, NULL)); -#ifdef OPENSSL_ALL - ExpectNotNull(ext = X509V3_EXT_i2d(NID_subject_key_identifier, crit, - skid)); - X509_EXTENSION_free(ext); - ext = NULL; -#endif - wolfSSL_sk_ASN1_OBJECT_pop_free(skid, wolfSSL_ASN1_OBJECT_free); - skid = NULL; + return EXPECT_RESULT(); +} - /* NID not yet supported */ - ExpectNull(sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509ext, - NID_private_key_usage_period, &crit, NULL)); - ExpectIntEQ(crit, -1); - sk_ASN1_OBJECT_free(sk); - sk = NULL; +#endif /* HAVE_SNI */ - ExpectNotNull(sk = (STACK_OF(GENERAL_NAME)*)X509_get_ext_d2i(x509ext, - NID_subject_alt_name, NULL, NULL)); - sk_GENERAL_NAME_free(sk); - sk = NULL; - ExpectNotNull(sk = (STACK_OF(GENERAL_NAME)*)X509_get_ext_d2i(x509ext, - NID_subject_alt_name, &crit, NULL)); - { - int i; - for (i = 0; i < sk_GENERAL_NAME_num(sk); i++) { - GENERAL_NAME* gen = sk_GENERAL_NAME_value(sk, i); - ExpectIntEQ(gen->type, GEN_DNS); - ExpectIntEQ(gen->d.dNSName->type, V_ASN1_IA5STRING); - } - } - sk_GENERAL_NAME_free(sk); - sk = NULL; +#endif /* HAVE_IO_TESTS_DEPENDENCIES */ - /* NID not yet supported */ - ExpectNull(sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509ext, - NID_issuer_alt_name, &crit, NULL)); - ExpectIntEQ(crit, -1); - sk_ASN1_OBJECT_free(sk); - sk = NULL; - /* NID not yet supported */ - ExpectNull(sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509ext, - NID_info_access, &crit, NULL)); - sk_ASN1_OBJECT_free(sk); - sk = NULL; +#if defined(WOLFSSL_DTLS) && defined(WOLFSSL_SESSION_EXPORT) && \ + defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) +/* Dummy peer functions to satisfy the exporter/importer */ +static int test_wolfSSL_dtls_export_peers_get_peer(WOLFSSL* ssl, char* ip, + int* ipSz, unsigned short* port, int* fam) +{ + (void)ssl; + ip[0] = -1; + *ipSz = 1; + *port = 1; + *fam = 2; + return 1; +} - /* NID not yet supported */ - ExpectNull(sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509ext, - NID_sinfo_access, &crit, NULL)); - ExpectIntEQ(crit, -1); - sk_ASN1_OBJECT_free(sk); - sk = NULL; +static int test_wolfSSL_dtls_export_peers_set_peer(WOLFSSL* ssl, char* ip, + int ipSz, unsigned short port, int fam) +{ + (void)ssl; + if (ip[0] != -1 || ipSz != 1 || port != 1 || fam != 2) + return 0; + return 1; +} - /* NID not yet supported */ - ExpectNull(sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509ext, - NID_name_constraints, &crit, NULL)); - ExpectIntEQ(crit, -1); - sk_ASN1_OBJECT_free(sk); - sk = NULL; +static int test_wolfSSL_dtls_export_peers_on_handshake(WOLFSSL_CTX **ctx, + WOLFSSL **ssl) +{ + EXPECT_DECLS; + unsigned char* sessionBuf = NULL; + unsigned int sessionSz = 0; + void* ioWriteCtx = wolfSSL_GetIOWriteCtx(*ssl); + void* ioReadCtx = wolfSSL_GetIOReadCtx(*ssl); - /* no cert policy set */ - ExpectNull(sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509ext, - NID_certificate_policies, &crit, NULL)); - sk_ASN1_OBJECT_free(sk); - sk = NULL; + wolfSSL_CTX_SetIOGetPeer(*ctx, test_wolfSSL_dtls_export_peers_get_peer); + wolfSSL_CTX_SetIOSetPeer(*ctx, test_wolfSSL_dtls_export_peers_set_peer); + ExpectIntGE(wolfSSL_dtls_export(*ssl, NULL, &sessionSz), 0); + ExpectNotNull(sessionBuf = + (unsigned char*)XMALLOC(sessionSz, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER)); + ExpectIntGE(wolfSSL_dtls_export(*ssl, sessionBuf, &sessionSz), 0); + wolfSSL_free(*ssl); + *ssl = NULL; + ExpectNotNull(*ssl = wolfSSL_new(*ctx)); + ExpectIntGE(wolfSSL_dtls_import(*ssl, sessionBuf, sessionSz), 0); + wolfSSL_SetIOWriteCtx(*ssl, ioWriteCtx); + wolfSSL_SetIOReadCtx(*ssl, ioReadCtx); - /* NID not yet supported */ - ExpectNull(sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509ext, - NID_policy_mappings, &crit, NULL)); - ExpectIntEQ(crit, -1); - sk_ASN1_OBJECT_free(sk); - sk = NULL; + XFREE(sessionBuf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + return EXPECT_RESULT(); +} +#endif - /* NID not yet supported */ - ExpectNull(sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509ext, - NID_policy_constraints, &crit, NULL)); - ExpectIntEQ(crit, -1); - sk_ASN1_OBJECT_free(sk); - sk = NULL; +static int test_wolfSSL_dtls_export_peers(void) +{ + EXPECT_DECLS; +#if defined(WOLFSSL_DTLS) && defined(WOLFSSL_SESSION_EXPORT) && \ + defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) + test_ssl_cbf client_cbf; + test_ssl_cbf server_cbf; + size_t i, j; + struct test_params { + method_provider client_meth; + method_provider server_meth; + const char* dtls_version; + } params[] = { +#ifndef NO_OLD_TLS + {wolfDTLSv1_client_method, wolfDTLSv1_server_method, "1.0"}, +#endif + {wolfDTLSv1_2_client_method, wolfDTLSv1_2_server_method, "1.2"}, + /* TODO DTLS 1.3 exporting not supported +#ifdef WOLFSSL_DTLS13 + {wolfDTLSv1_3_client_method, wolfDTLSv1_3_server_method, "1.3"}, +#endif + */ + }; - /* NID not yet supported */ - ExpectNull(sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509ext, - NID_inhibit_any_policy, &crit, NULL)); - ExpectIntEQ(crit, -1); - sk_ASN1_OBJECT_free(sk); - sk = NULL; + for (i = 0; i < sizeof(params)/sizeof(*params); i++) { + for (j = 0; j <= 3; j++) { + XMEMSET(&client_cbf, 0, sizeof(client_cbf)); + XMEMSET(&server_cbf, 0, sizeof(server_cbf)); - /* NID not yet supported */ - ExpectNull(sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509ext, - NID_tlsfeature, &crit, NULL)); - ExpectIntEQ(crit, -1); - sk_ASN1_OBJECT_free(sk); - sk = NULL; + printf("\n\tTesting DTLS %s connection;", params[i].dtls_version); - /* test invalid cases */ - crit = 0; - ExpectNull(sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509ext, -1, &crit, - NULL)); - ExpectIntEQ(crit, -1); - /* NULL passed for criticality. */ - ExpectNull(sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(NULL, - NID_tlsfeature, NULL, NULL)); + client_cbf.method = params[i].client_meth; + server_cbf.method = params[i].server_meth; - ExpectIntEQ(SSL_get_hit(ssl), 0); -#ifdef OPENSSL_ALL - X509_free(x509); + if (j & 0x1) { + client_cbf.on_handshake = + test_wolfSSL_dtls_export_peers_on_handshake; + printf(" With client export;"); + } + if (j & 0x2) { + server_cbf.on_handshake = + test_wolfSSL_dtls_export_peers_on_handshake; + printf(" With server export;"); + } + + printf("\n"); + + ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cbf, + &server_cbf, NULL), TEST_SUCCESS); + if (!EXPECT_SUCCESS()) + break; + } + } #endif - X509_free(x509ext); - SSL_free(ssl); - SSL_CTX_free(ctx); -#endif /* OPENSSL_EXTRA && !NO_CERTS */ return EXPECT_RESULT(); } -static int test_wolfSSL_private_keys(void) +static int test_wolfSSL_UseTrustedCA(void) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_TLS) && \ - !defined(NO_FILESYSTEM) -#if !defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER) - WOLFSSL* ssl = NULL; - WOLFSSL_CTX* ctx = NULL; - EVP_PKEY* pkey = NULL; +#if defined(HAVE_TRUSTED_CA) && !defined(NO_CERTS) && !defined(NO_FILESYSTEM) \ + && !defined(NO_RSA) +#if !defined(NO_TLS) && \ + (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) + WOLFSSL_CTX *ctx = NULL; + WOLFSSL *ssl = NULL; + byte id[20]; - OpenSSL_add_all_digests(); - OpenSSL_add_all_algorithms(); +#ifndef NO_WOLFSSL_SERVER + ExpectNotNull((ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()))); + ExpectTrue(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile, WOLFSSL_FILETYPE_PEM)); + ExpectTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, WOLFSSL_FILETYPE_PEM)); +#else + ExpectNotNull((ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()))); +#endif + ExpectNotNull((ssl = wolfSSL_new(ctx))); + XMEMSET(id, 0, sizeof(id)); -#ifndef NO_RSA - #ifndef NO_WOLFSSL_SERVER - ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); - #else - ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); - #endif - ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, - WOLFSSL_FILETYPE_PEM)); - /* Have to load a cert before you can check the private key against that - * certificates public key! */ - #if !defined(NO_CHECK_PRIVATE_KEY) - ExpectIntEQ(wolfSSL_CTX_check_private_key(ctx), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - #endif - ExpectTrue(SSL_CTX_use_certificate_file(ctx, svrCertFile, - WOLFSSL_FILETYPE_PEM)); - #if !defined(NO_CHECK_PRIVATE_KEY) - ExpectIntEQ(wolfSSL_CTX_check_private_key(ctx), WOLFSSL_SUCCESS); - #endif - ExpectNotNull(ssl = SSL_new(ctx)); + /* error cases */ + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_UseTrustedCA(NULL, 0, NULL, 0)); + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_UseTrustedCA(ssl, + WOLFSSL_TRUSTED_CA_CERT_SHA1+1, NULL, 0)); + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_UseTrustedCA(ssl, + WOLFSSL_TRUSTED_CA_CERT_SHA1, NULL, 0)); + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_UseTrustedCA(ssl, + WOLFSSL_TRUSTED_CA_CERT_SHA1, id, 5)); +#ifdef NO_SHA + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_UseTrustedCA(ssl, + WOLFSSL_TRUSTED_CA_KEY_SHA1, id, sizeof(id))); +#endif + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_UseTrustedCA(ssl, + WOLFSSL_TRUSTED_CA_X509_NAME, id, 0)); - #if !defined(NO_CHECK_PRIVATE_KEY) - ExpectIntEQ(wolfSSL_check_private_key(ssl), WOLFSSL_SUCCESS); - #endif + /* success cases */ + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_UseTrustedCA(ssl, + WOLFSSL_TRUSTED_CA_PRE_AGREED, NULL, 0)); +#ifndef NO_SHA + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_UseTrustedCA(ssl, + WOLFSSL_TRUSTED_CA_KEY_SHA1, id, sizeof(id))); +#endif + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_UseTrustedCA(ssl, + WOLFSSL_TRUSTED_CA_X509_NAME, id, 5)); - /* Invalid parameters. */ - ExpectIntEQ(SSL_use_PrivateKey_file(NULL, NULL, WOLFSSL_FILETYPE_PEM), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(SSL_use_PrivateKey_file(NULL, svrKeyFile, WOLFSSL_FILETYPE_PEM), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(SSL_use_PrivateKey_file(ssl, NULL, WOLFSSL_FILETYPE_PEM), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + wolfSSL_free(ssl); + wolfSSL_CTX_free(ctx); +#endif /* !NO_TLS && (!NO_WOLFSSL_CLIENT || !NO_WOLFSSL_SERVER) */ +#endif /* HAVE_TRUSTED_CA */ + return EXPECT_RESULT(); +} -#ifdef USE_CERT_BUFFERS_2048 - { - const unsigned char* server_key = (const unsigned char*)server_key_der_2048; - unsigned char buf[FOURK_BUF]; - word32 bufSz; +static int test_wolfSSL_UseMaxFragment(void) +{ + EXPECT_DECLS; +#if defined(HAVE_MAX_FRAGMENT) && !defined(NO_CERTS) && \ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) - /* Invalid parameters. */ - ExpectIntEQ(SSL_use_RSAPrivateKey_ASN1(NULL, NULL, 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(SSL_use_RSAPrivateKey_ASN1(ssl, NULL, 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(SSL_use_RSAPrivateKey_ASN1(NULL, - (unsigned char*)client_key_der_2048, 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(SSL_use_PrivateKey_ASN1(0, NULL, NULL, 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(SSL_use_PrivateKey_ASN1(0, ssl, NULL, 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(SSL_use_PrivateKey_ASN1(0, NULL, (unsigned char*)server_key, 0), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(SSL_CTX_use_PrivateKey_ASN1(0, NULL, NULL, 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(SSL_CTX_use_PrivateKey_ASN1(0, ctx, NULL, 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(SSL_CTX_use_PrivateKey_ASN1(0, NULL, (unsigned char*)server_key, - 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); +#if !defined(NO_TLS) && \ + (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) + #ifndef NO_WOLFSSL_SERVER + WOLFSSL_CTX* ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()); + #else + WOLFSSL_CTX* ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()); + #endif + WOLFSSL *ssl = NULL; + #ifdef OPENSSL_EXTRA + int (*UseMaxFragment)(SSL *s, unsigned char mode); + int (*CTX_UseMaxFragment)(SSL_CTX *c, unsigned char mode); + #else + int (*UseMaxFragment)(WOLFSSL *s, unsigned char mode); + int (*CTX_UseMaxFragment)(WOLFSSL_CTX *c, unsigned char mode); + #endif - ExpectIntEQ(SSL_use_RSAPrivateKey_ASN1(ssl, - (unsigned char*)client_key_der_2048, - sizeof_client_key_der_2048), WOLFSSL_SUCCESS); - #if !defined(NO_CHECK_PRIVATE_KEY) - /* Should mismatch now that a different private key loaded */ - ExpectIntNE(wolfSSL_check_private_key(ssl), WOLFSSL_SUCCESS); - #endif + #ifndef NO_WOLFSSL_SERVER + ExpectTrue(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile, WOLFSSL_FILETYPE_PEM)); + ExpectTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, WOLFSSL_FILETYPE_PEM)); + #endif - ExpectIntEQ(SSL_use_PrivateKey_ASN1(0, ssl, - (unsigned char*)server_key, - sizeof_server_key_der_2048), WOLFSSL_SUCCESS); - #if !defined(NO_CHECK_PRIVATE_KEY) - /* After loading back in DER format of original key, should match */ - ExpectIntEQ(wolfSSL_check_private_key(ssl), WOLFSSL_SUCCESS); - #endif + ExpectNotNull(ctx); - /* test loading private key to the WOLFSSL_CTX */ - ExpectIntEQ(SSL_CTX_use_PrivateKey_ASN1(0, ctx, - (unsigned char*)client_key_der_2048, - sizeof_client_key_der_2048), WOLFSSL_SUCCESS); + ExpectNotNull(ssl = wolfSSL_new(ctx)); - #if !defined(NO_CHECK_PRIVATE_KEY) - /* Should mismatch now that a different private key loaded */ - ExpectIntNE(wolfSSL_CTX_check_private_key(ctx), WOLFSSL_SUCCESS); - #endif + #ifdef OPENSSL_EXTRA + CTX_UseMaxFragment = SSL_CTX_set_tlsext_max_fragment_length; + UseMaxFragment = SSL_set_tlsext_max_fragment_length; + #else + UseMaxFragment = wolfSSL_UseMaxFragment; + CTX_UseMaxFragment = wolfSSL_CTX_UseMaxFragment; + #endif - ExpectIntEQ(SSL_CTX_use_PrivateKey_ASN1(0, ctx, - (unsigned char*)server_key, - sizeof_server_key_der_2048), WOLFSSL_SUCCESS); - #if !defined(NO_CHECK_PRIVATE_KEY) - /* After loading back in DER format of original key, should match */ - ExpectIntEQ(wolfSSL_CTX_check_private_key(ctx), WOLFSSL_SUCCESS); - #endif + /* error cases */ + ExpectIntNE(WOLFSSL_SUCCESS, CTX_UseMaxFragment(NULL, WOLFSSL_MFL_2_9)); + ExpectIntNE(WOLFSSL_SUCCESS, UseMaxFragment( NULL, WOLFSSL_MFL_2_9)); + ExpectIntNE(WOLFSSL_SUCCESS, CTX_UseMaxFragment(ctx, WOLFSSL_MFL_MIN-1)); + ExpectIntNE(WOLFSSL_SUCCESS, CTX_UseMaxFragment(ctx, WOLFSSL_MFL_MAX+1)); + ExpectIntNE(WOLFSSL_SUCCESS, UseMaxFragment(ssl, WOLFSSL_MFL_MIN-1)); + ExpectIntNE(WOLFSSL_SUCCESS, UseMaxFragment(ssl, WOLFSSL_MFL_MAX+1)); - /* Invalid parameters. */ - ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); - ExpectIntEQ(SSL_use_PrivateKey(NULL, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(SSL_use_PrivateKey(ssl, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(SSL_use_PrivateKey(NULL, pkey), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - /* pkey is empty - no key data to use. */ - ExpectIntEQ(SSL_use_PrivateKey(ssl, pkey), WC_NO_ERR_TRACE(ASN_PARSE_E)); - wolfSSL_EVP_PKEY_free(pkey); - pkey = NULL; + /* success case */ + #ifdef OPENSSL_EXTRA + ExpectIntEQ(WC_NO_ERR_TRACE(BAD_FUNC_ARG), CTX_UseMaxFragment(ctx, WOLFSSL_MFL_2_8)); + #else + ExpectIntEQ(WOLFSSL_SUCCESS, CTX_UseMaxFragment(ctx, WOLFSSL_MFL_2_8)); + #endif + ExpectIntEQ(WOLFSSL_SUCCESS, CTX_UseMaxFragment(ctx, WOLFSSL_MFL_2_9)); + ExpectIntEQ(WOLFSSL_SUCCESS, CTX_UseMaxFragment(ctx, WOLFSSL_MFL_2_10)); + ExpectIntEQ(WOLFSSL_SUCCESS, CTX_UseMaxFragment(ctx, WOLFSSL_MFL_2_11)); + ExpectIntEQ(WOLFSSL_SUCCESS, CTX_UseMaxFragment(ctx, WOLFSSL_MFL_2_12)); + #ifdef OPENSSL_EXTRA + ExpectIntEQ(WC_NO_ERR_TRACE(BAD_FUNC_ARG), CTX_UseMaxFragment(ctx, WOLFSSL_MFL_2_13)); + + ExpectIntEQ(WC_NO_ERR_TRACE(BAD_FUNC_ARG), UseMaxFragment( ssl, WOLFSSL_MFL_2_8)); + #else + ExpectIntEQ(WOLFSSL_SUCCESS, CTX_UseMaxFragment(ctx, WOLFSSL_MFL_2_13)); + + ExpectIntEQ(WOLFSSL_SUCCESS, UseMaxFragment( ssl, WOLFSSL_MFL_2_8)); + #endif + ExpectIntEQ(WOLFSSL_SUCCESS, UseMaxFragment( ssl, WOLFSSL_MFL_2_9)); + ExpectIntEQ(WOLFSSL_SUCCESS, UseMaxFragment( ssl, WOLFSSL_MFL_2_10)); + ExpectIntEQ(WOLFSSL_SUCCESS, UseMaxFragment( ssl, WOLFSSL_MFL_2_11)); + ExpectIntEQ(WOLFSSL_SUCCESS, UseMaxFragment( ssl, WOLFSSL_MFL_2_12)); + + #ifdef OPENSSL_EXTRA + ExpectIntEQ(WC_NO_ERR_TRACE(BAD_FUNC_ARG), UseMaxFragment( ssl, WOLFSSL_MFL_2_13)); + #else + ExpectIntEQ(WOLFSSL_SUCCESS, UseMaxFragment( ssl, WOLFSSL_MFL_2_13)); + #endif - /* set PKEY and test again */ - ExpectNotNull(wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, &pkey, - &server_key, (long)sizeof_server_key_der_2048)); - ExpectIntEQ(SSL_use_PrivateKey(ssl, pkey), WOLFSSL_SUCCESS); + wolfSSL_free(ssl); + wolfSSL_CTX_free(ctx); - /* reuse PKEY structure and test - * this should be checked with a memory management sanity checker */ - ExpectFalse(server_key == (const unsigned char*)server_key_der_2048); - server_key = (const unsigned char*)server_key_der_2048; - ExpectNotNull(wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, &pkey, - &server_key, (long)sizeof_server_key_der_2048)); - ExpectIntEQ(SSL_use_PrivateKey(ssl, pkey), WOLFSSL_SUCCESS); +#if defined(OPENSSL_EXTRA) && defined(HAVE_MAX_FRAGMENT) && \ + defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) + /* check negotiated max fragment size */ + { + WOLFSSL *ssl_c = NULL; + WOLFSSL *ssl_s = NULL; + struct test_memio_ctx test_ctx; + WOLFSSL_CTX *ctx_c = NULL; + WOLFSSL_CTX *ctx_s = NULL; - /* check striping PKCS8 header with wolfSSL_d2i_PrivateKey */ - bufSz = FOURK_BUF; - ExpectIntGT((bufSz = (word32)wc_CreatePKCS8Key(buf, &bufSz, - (byte*)server_key_der_2048, sizeof_server_key_der_2048, - RSAk, NULL, 0)), 0); - server_key = (const unsigned char*)buf; - ExpectNotNull(wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, &pkey, &server_key, - (long)bufSz)); + XMEMSET(&test_ctx, 0, sizeof(test_ctx)); + ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s, + wolfTLSv1_2_client_method, wolfTLSv1_2_server_method), 0); + ExpectIntEQ(wolfSSL_UseMaxFragment(ssl_c, WOLFSSL_MFL_2_8), + WOLFSSL_SUCCESS); + ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0); +#ifndef NO_SESSION_CACHE + ExpectIntEQ(SSL_SESSION_get_max_fragment_length( + wolfSSL_get_session(ssl_c)), WOLFSSL_MFL_2_8); +#endif + + wolfSSL_free(ssl_c); + wolfSSL_free(ssl_s); + wolfSSL_CTX_free(ctx_c); + wolfSSL_CTX_free(ctx_s); } #endif +#endif /* !NO_TLS && (!NO_WOLFSSL_CLIENT || !NO_WOLFSSL_SERVER) */ +#endif + return EXPECT_RESULT(); +} +static int test_wolfSSL_UseTruncatedHMAC(void) +{ + EXPECT_DECLS; +#if defined(HAVE_TRUNCATED_HMAC) && !defined(NO_CERTS) && !defined(NO_TLS) && \ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) +#if !defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER) + #ifndef NO_WOLFSSL_SERVER + WOLFSSL_CTX* ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()); + #else + WOLFSSL_CTX* ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()); + #endif + WOLFSSL *ssl = NULL; - EVP_PKEY_free(pkey); - pkey = NULL; - SSL_free(ssl); /* frees x509 also since loaded into ssl */ - ssl = NULL; - SSL_CTX_free(ctx); - ctx = NULL; -#endif /* end of RSA private key match tests */ + ExpectNotNull(ctx); + #ifndef NO_WOLFSSL_SERVER + ExpectTrue(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile, WOLFSSL_FILETYPE_PEM)); + ExpectTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, WOLFSSL_FILETYPE_PEM)); + #endif -#ifdef HAVE_ECC - #ifndef NO_WOLFSSL_SERVER - ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); - #else - ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); - #endif - ExpectTrue(SSL_CTX_use_certificate_file(ctx, eccCertFile, - WOLFSSL_FILETYPE_PEM)); - ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, eccKeyFile, - WOLFSSL_FILETYPE_PEM)); - ExpectNotNull(ssl = SSL_new(ctx)); + ExpectNotNull(ssl = wolfSSL_new(ctx)); - #if !defined(NO_CHECK_PRIVATE_KEY) - ExpectIntEQ(wolfSSL_check_private_key(ssl), WOLFSSL_SUCCESS); - #endif - SSL_free(ssl); - ssl = NULL; + /* error cases */ + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_UseTruncatedHMAC(NULL)); + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_UseTruncatedHMAC(NULL)); + /* success case */ + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_UseTruncatedHMAC(ctx)); + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_UseTruncatedHMAC(ssl)); - ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, cliEccKeyFile, - WOLFSSL_FILETYPE_PEM)); - ExpectNotNull(ssl = SSL_new(ctx)); + wolfSSL_free(ssl); + wolfSSL_CTX_free(ctx); +#endif /* !NO_WOLFSSL_CLIENT || !NO_WOLFSSL_SERVER */ +#endif + return EXPECT_RESULT(); +} - #ifdef WOLFSSL_VALIDATE_ECC_IMPORT - ExpectIntNE(wolfSSL_check_private_key(ssl), WOLFSSL_SUCCESS); - #endif +static int test_wolfSSL_UseSupportedCurve(void) +{ + EXPECT_DECLS; +#if defined(HAVE_SUPPORTED_CURVES) && !defined(NO_WOLFSSL_CLIENT) && \ + !defined(NO_TLS) + WOLFSSL_CTX* ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()); + WOLFSSL *ssl = wolfSSL_new(ctx); - SSL_free(ssl); - ssl = NULL; - SSL_CTX_free(ctx); - ctx = NULL; -#endif /* end of ECC private key match tests */ + ExpectNotNull(ctx); + ExpectNotNull(ssl); -#if defined(HAVE_ED25519) && defined(HAVE_ED25519_KEY_IMPORT) - #ifndef NO_WOLFSSL_SERVER - ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); - #else - ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); - #endif - ExpectTrue(SSL_CTX_use_certificate_file(ctx, edCertFile, - WOLFSSL_FILETYPE_PEM)); - ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, edKeyFile, - WOLFSSL_FILETYPE_PEM)); - ExpectNotNull(ssl = SSL_new(ctx)); + /* error cases */ + ExpectIntNE(WOLFSSL_SUCCESS, + wolfSSL_CTX_UseSupportedCurve(NULL, WOLFSSL_ECC_SECP256R1)); + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_UseSupportedCurve(ctx, 0)); - #if !defined(NO_CHECK_PRIVATE_KEY) - ExpectIntEQ(wolfSSL_check_private_key(ssl), WOLFSSL_SUCCESS); - #endif - SSL_free(ssl); - ssl = NULL; + ExpectIntNE(WOLFSSL_SUCCESS, + wolfSSL_UseSupportedCurve(NULL, WOLFSSL_ECC_SECP256R1)); + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_UseSupportedCurve(ssl, 0)); + /* success case */ + ExpectIntEQ(WOLFSSL_SUCCESS, + wolfSSL_CTX_UseSupportedCurve(ctx, WOLFSSL_ECC_SECP256R1)); + ExpectIntEQ(WOLFSSL_SUCCESS, + wolfSSL_UseSupportedCurve(ssl, WOLFSSL_ECC_SECP256R1)); - ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, cliEdKeyFile, - WOLFSSL_FILETYPE_PEM)); - ExpectNotNull(ssl = SSL_new(ctx)); + wolfSSL_free(ssl); + wolfSSL_CTX_free(ctx); +#endif - #if !defined(NO_CHECK_PRIVATE_KEY) - #ifdef HAVE_ED25519_MAKE_KEY - ExpectIntNE(wolfSSL_check_private_key(ssl), WOLFSSL_SUCCESS); - #else - ExpectIntEQ(wolfSSL_check_private_key(ssl), WOLFSSL_SUCCESS); - #endif - #endif + return EXPECT_RESULT(); +} - SSL_free(ssl); - ssl = NULL; - SSL_CTX_free(ctx); - ctx = NULL; -#endif /* end of Ed25519 private key match tests */ +#if defined(HAVE_ALPN) && defined(HAVE_IO_TESTS_DEPENDENCIES) -#if defined(HAVE_ED448) && defined(HAVE_ED448_KEY_IMPORT) - #ifndef NO_WOLFSSL_SERVER - ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); - #else - ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); - #endif - ExpectTrue(SSL_CTX_use_certificate_file(ctx, ed448CertFile, - WOLFSSL_FILETYPE_PEM)); - ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, ed448KeyFile, - WOLFSSL_FILETYPE_PEM)); - ExpectNotNull(ssl = SSL_new(ctx)); +static void verify_ALPN_FATAL_ERROR_on_client(WOLFSSL* ssl) +{ + AssertIntEQ(WC_NO_ERR_TRACE(UNKNOWN_ALPN_PROTOCOL_NAME_E), wolfSSL_get_error(ssl, 0)); +} - #if !defined(NO_CHECK_PRIVATE_KEY) - ExpectIntEQ(wolfSSL_check_private_key(ssl), WOLFSSL_SUCCESS); - #endif - SSL_free(ssl); - ssl = NULL; +static void use_ALPN_all(WOLFSSL* ssl) +{ + /* http/1.1,spdy/1,spdy/2,spdy/3 */ + char alpn_list[] = {0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31, 0x2c, + 0x73, 0x70, 0x64, 0x79, 0x2f, 0x31, 0x2c, + 0x73, 0x70, 0x64, 0x79, 0x2f, 0x32, 0x2c, + 0x73, 0x70, 0x64, 0x79, 0x2f, 0x33}; + AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_UseALPN(ssl, alpn_list, sizeof(alpn_list), + WOLFSSL_ALPN_FAILED_ON_MISMATCH)); +} +static void use_ALPN_all_continue(WOLFSSL* ssl) +{ + /* http/1.1,spdy/1,spdy/2,spdy/3 */ + char alpn_list[] = {0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31, 0x2c, + 0x73, 0x70, 0x64, 0x79, 0x2f, 0x31, 0x2c, + 0x73, 0x70, 0x64, 0x79, 0x2f, 0x32, 0x2c, + 0x73, 0x70, 0x64, 0x79, 0x2f, 0x33}; + AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_UseALPN(ssl, alpn_list, sizeof(alpn_list), + WOLFSSL_ALPN_CONTINUE_ON_MISMATCH)); +} - ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, cliEd448KeyFile, - WOLFSSL_FILETYPE_PEM)); - ExpectNotNull(ssl = SSL_new(ctx)); +static void use_ALPN_one(WOLFSSL* ssl) +{ + /* spdy/2 */ + char proto[] = {0x73, 0x70, 0x64, 0x79, 0x2f, 0x32}; - #if !defined(NO_CHECK_PRIVATE_KEY) - ExpectIntNE(wolfSSL_check_private_key(ssl), WOLFSSL_SUCCESS); - #endif + AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_UseALPN(ssl, proto, sizeof(proto), + WOLFSSL_ALPN_FAILED_ON_MISMATCH)); +} - SSL_free(ssl); - ssl = NULL; - SSL_CTX_free(ctx); - ctx = NULL; -#endif /* end of Ed448 private key match tests */ +static void use_ALPN_unknown(WOLFSSL* ssl) +{ + /* http/2.0 */ + char proto[] = {0x68, 0x74, 0x74, 0x70, 0x2f, 0x32, 0x2e, 0x30}; - EVP_cleanup(); + AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_UseALPN(ssl, proto, sizeof(proto), + WOLFSSL_ALPN_FAILED_ON_MISMATCH)); +} - /* test existence of no-op macros in wolfssl/openssl/ssl.h */ - CONF_modules_free(); - ENGINE_cleanup(); - CONF_modules_unload(); +static void use_ALPN_unknown_continue(WOLFSSL* ssl) +{ + /* http/2.0 */ + char proto[] = {0x68, 0x74, 0x74, 0x70, 0x2f, 0x32, 0x2e, 0x30}; - (void)ssl; - (void)ctx; - (void)pkey; -#endif /* !NO_WOLFSSL_CLIENT || !NO_WOLFSSL_SERVER */ -#endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) */ - return EXPECT_RESULT(); + AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_UseALPN(ssl, proto, sizeof(proto), + WOLFSSL_ALPN_CONTINUE_ON_MISMATCH)); } -static int test_wolfSSL_tmp_dh(void) +static void verify_ALPN_not_matching_spdy3(WOLFSSL* ssl) { - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_FILESYSTEM) && \ - !defined(NO_RSA) && !defined(NO_DH) && !defined(NO_BIO) && \ - !defined(NO_TLS) && \ - (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) - byte buff[6000]; - static const unsigned char p[] = { - 0xb0, 0xa1, 0x08, 0x06, 0x9c, 0x08, 0x13, 0xba, - 0x59, 0x06, 0x3c, 0xbc, 0x30, 0xd5, 0xf5, 0x00, - 0xc1, 0x4f, 0x44, 0xa7, 0xd6, 0xef, 0x4a, 0xc6, - 0x25, 0x27, 0x1c, 0xe8, 0xd2, 0x96, 0x53, 0x0a, - 0x5c, 0x91, 0xdd, 0xa2, 0xc2, 0x94, 0x84, 0xbf, - 0x7d, 0xb2, 0x44, 0x9f, 0x9b, 0xd2, 0xc1, 0x8a, - 0xc5, 0xbe, 0x72, 0x5c, 0xa7, 0xe7, 0x91, 0xe6, - 0xd4, 0x9f, 0x73, 0x07, 0x85, 0x5b, 0x66, 0x48, - 0xc7, 0x70, 0xfa, 0xb4, 0xee, 0x02, 0xc9, 0x3d, - 0x9a, 0x4a, 0xda, 0x3d, 0xc1, 0x46, 0x3e, 0x19, - 0x69, 0xd1, 0x17, 0x46, 0x07, 0xa3, 0x4d, 0x9f, - 0x2b, 0x96, 0x17, 0x39, 0x6d, 0x30, 0x8d, 0x2a, - 0xf3, 0x94, 0xd3, 0x75, 0xcf, 0xa0, 0x75, 0xe6, - 0xf2, 0x92, 0x1f, 0x1a, 0x70, 0x05, 0xaa, 0x04, - 0x83, 0x57, 0x30, 0xfb, 0xda, 0x76, 0x93, 0x38, - 0x50, 0xe8, 0x27, 0xfd, 0x63, 0xee, 0x3c, 0xe5, - 0xb7, 0xc8, 0x09, 0xae, 0x6f, 0x50, 0x35, 0x8e, - 0x84, 0xce, 0x4a, 0x00, 0xe9, 0x12, 0x7e, 0x5a, - 0x31, 0xd7, 0x33, 0xfc, 0x21, 0x13, 0x76, 0xcc, - 0x16, 0x30, 0xdb, 0x0c, 0xfc, 0xc5, 0x62, 0xa7, - 0x35, 0xb8, 0xef, 0xb7, 0xb0, 0xac, 0xc0, 0x36, - 0xf6, 0xd9, 0xc9, 0x46, 0x48, 0xf9, 0x40, 0x90, - 0x00, 0x2b, 0x1b, 0xaa, 0x6c, 0xe3, 0x1a, 0xc3, - 0x0b, 0x03, 0x9e, 0x1b, 0xc2, 0x46, 0xe4, 0x48, - 0x4e, 0x22, 0x73, 0x6f, 0xc3, 0x5f, 0xd4, 0x9a, - 0xd6, 0x30, 0x07, 0x48, 0xd6, 0x8c, 0x90, 0xab, - 0xd4, 0xf6, 0xf1, 0xe3, 0x48, 0xd3, 0x58, 0x4b, - 0xa6, 0xb9, 0xcd, 0x29, 0xbf, 0x68, 0x1f, 0x08, - 0x4b, 0x63, 0x86, 0x2f, 0x5c, 0x6b, 0xd6, 0xb6, - 0x06, 0x65, 0xf7, 0xa6, 0xdc, 0x00, 0x67, 0x6b, - 0xbb, 0xc3, 0xa9, 0x41, 0x83, 0xfb, 0xc7, 0xfa, - 0xc8, 0xe2, 0x1e, 0x7e, 0xaf, 0x00, 0x3f, 0x93 - }; - int pSz = (int)sizeof(p); -#if !defined(WOLFSSL_OLD_PRIME_CHECK) && !defined(HAVE_FIPS) && \ - !defined(HAVE_SELFTEST) - static const unsigned char bad_p[] = { - 0xb0, 0xa1, 0x08, 0x06, 0x9c, 0x08, 0x13, 0xba, - 0x59, 0x06, 0x3c, 0xbc, 0x30, 0xd5, 0xf5, 0x00, - 0xc1, 0x4f, 0x44, 0xa7, 0xd6, 0xef, 0x4a, 0xc6, - 0x25, 0x27, 0x1c, 0xe8, 0xd2, 0x96, 0x53, 0x0a, - 0x5c, 0x91, 0xdd, 0xa2, 0xc2, 0x94, 0x84, 0xbf, - 0x7d, 0xb2, 0x44, 0x9f, 0x9b, 0xd2, 0xc1, 0x8a, - 0xc5, 0xbe, 0x72, 0x5c, 0xa7, 0xe7, 0x91, 0xe6, - 0xd4, 0x9f, 0x73, 0x07, 0x85, 0x5b, 0x66, 0x48, - 0xc7, 0x70, 0xfa, 0xb4, 0xee, 0x02, 0xc9, 0x3d, - 0x9a, 0x4a, 0xda, 0x3d, 0xc1, 0x46, 0x3e, 0x19, - 0x69, 0xd1, 0x17, 0x46, 0x07, 0xa3, 0x4d, 0x9f, - 0x2b, 0x96, 0x17, 0x39, 0x6d, 0x30, 0x8d, 0x2a, - 0xf3, 0x94, 0xd3, 0x75, 0xcf, 0xa0, 0x75, 0xe6, - 0xf2, 0x92, 0x1f, 0x1a, 0x70, 0x05, 0xaa, 0x04, - 0x83, 0x57, 0x30, 0xfb, 0xda, 0x76, 0x93, 0x38, - 0x50, 0xe8, 0x27, 0xfd, 0x63, 0xee, 0x3c, 0xe5, - 0xb7, 0xc8, 0x09, 0xae, 0x6f, 0x50, 0x35, 0x8e, - 0x84, 0xce, 0x4a, 0x00, 0xe9, 0x12, 0x7e, 0x5a, - 0x31, 0xd7, 0x33, 0xfc, 0x21, 0x13, 0x76, 0xcc, - 0x16, 0x30, 0xdb, 0x0c, 0xfc, 0xc5, 0x62, 0xa7, - 0x35, 0xb8, 0xef, 0xb7, 0xb0, 0xac, 0xc0, 0x36, - 0xf6, 0xd9, 0xc9, 0x46, 0x48, 0xf9, 0x40, 0x90, - 0x00, 0x2b, 0x1b, 0xaa, 0x6c, 0xe3, 0x1a, 0xc3, - 0x0b, 0x03, 0x9e, 0x1b, 0xc2, 0x46, 0xe4, 0x48, - 0x4e, 0x22, 0x73, 0x6f, 0xc3, 0x5f, 0xd4, 0x9a, - 0xd6, 0x30, 0x07, 0x48, 0xd6, 0x8c, 0x90, 0xab, - 0xd4, 0xf6, 0xf1, 0xe3, 0x48, 0xd3, 0x58, 0x4b, - 0xa6, 0xb9, 0xcd, 0x29, 0xbf, 0x68, 0x1f, 0x08, - 0x4b, 0x63, 0x86, 0x2f, 0x5c, 0x6b, 0xd6, 0xb6, - 0x06, 0x65, 0xf7, 0xa6, 0xdc, 0x00, 0x67, 0x6b, - 0xbb, 0xc3, 0xa9, 0x41, 0x83, 0xfb, 0xc7, 0xfa, - 0xc8, 0xe2, 0x1e, 0x7e, 0xaf, 0x00, 0x3f, 0x91 - }; -#endif - static const unsigned char g[] = { 0x02 }; - int gSz = (int)sizeof(g); -#if !defined(NO_DSA) - char file[] = "./certs/dsaparams.pem"; - DSA* dsa = NULL; -#else - char file[] = "./certs/dh2048.pem"; -#endif - XFILE f = XBADFILE; - int bytes = 0; - DH* dh = NULL; - DH* dh2 = NULL; - BIO* bio = NULL; - SSL* ssl = NULL; - SSL_CTX* ctx = NULL; -#ifndef NO_WOLFSSL_CLIENT - SSL* ssl_c = NULL; - SSL_CTX* ctx_c = NULL; -#endif - -#ifndef NO_WOLFSSL_SERVER - ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); - ExpectTrue(SSL_CTX_use_certificate_file(ctx, svrCertFile, - WOLFSSL_FILETYPE_PEM)); - ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, - WOLFSSL_FILETYPE_PEM)); - ExpectNotNull(ssl = SSL_new(ctx)); -#endif -#ifndef NO_WOLFSSL_CLIENT - ExpectNotNull(ctx_c = SSL_CTX_new(wolfSSLv23_client_method())); - ExpectTrue(SSL_CTX_use_certificate_file(ctx_c, svrCertFile, - WOLFSSL_FILETYPE_PEM)); - ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx_c, svrKeyFile, - WOLFSSL_FILETYPE_PEM)); - ExpectNotNull(ssl_c = SSL_new(ctx_c)); -#ifdef NO_WOLFSSL_SERVER - ctx = ctx_c; - ssl = ssl_c; -#endif -#endif + /* spdy/3 */ + char nego_proto[] = {0x73, 0x70, 0x64, 0x79, 0x2f, 0x33}; - XMEMSET(buff, 0, sizeof(buff)); - ExpectTrue((f = XFOPEN(file, "rb")) != XBADFILE); - ExpectIntGT(bytes = (int)XFREAD(buff, 1, sizeof(buff), f), 0); - if (f != XBADFILE) - XFCLOSE(f); + char *proto = NULL; + word16 protoSz = 0; - ExpectNotNull(bio = BIO_new_mem_buf((void*)buff, bytes)); + AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_ALPN_GetProtocol(ssl, &proto, &protoSz)); -#if !defined(NO_DSA) - dsa = wolfSSL_PEM_read_bio_DSAparams(bio, NULL, NULL, NULL); - ExpectNotNull(dsa); + /* check value */ + AssertIntNE(1, sizeof(nego_proto) == protoSz); + if (proto) { + AssertIntNE(0, XMEMCMP(nego_proto, proto, sizeof(nego_proto))); + } +} - dh = wolfSSL_DSA_dup_DH(dsa); -#else - dh = wolfSSL_PEM_read_bio_DHparams(bio, NULL, NULL, NULL); -#endif - ExpectNotNull(dh); -#if defined(WOLFSSL_DH_EXTRA) && \ - (defined(WOLFSSL_QT) || defined(OPENSSL_ALL) || defined(WOLFSSL_OPENSSH)) - ExpectNotNull(dh2 = wolfSSL_DH_dup(dh)); - DH_free(dh2); - dh2 = NULL; -#endif +static void verify_ALPN_not_matching_continue(WOLFSSL* ssl) +{ + char *proto = NULL; + word16 protoSz = 0; - /* Failure cases */ - ExpectIntEQ((int)wolfSSL_CTX_SetTmpDH(NULL, NULL, 0, NULL, 0), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ((int)wolfSSL_CTX_SetTmpDH(ctx , NULL, 0, NULL, 0), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ((int)wolfSSL_CTX_SetTmpDH(NULL, p , 0, NULL, 0), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ((int)wolfSSL_CTX_SetTmpDH(NULL, NULL, 0, g , 0), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ((int)wolfSSL_CTX_SetTmpDH(ctx , p , 0, NULL, 0), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ((int)wolfSSL_CTX_SetTmpDH(ctx , NULL, 0, g , 0), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ((int)wolfSSL_CTX_SetTmpDH(NULL, p , 0, g , 0), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ((int)wolfSSL_CTX_SetTmpDH(ctx , p , 1, g , 1), - WC_NO_ERR_TRACE(DH_KEY_SIZE_E)); - ExpectIntEQ((int)wolfSSL_CTX_SetTmpDH(ctx , buff, 6000, g , 1), - WC_NO_ERR_TRACE(DH_KEY_SIZE_E)); -#if !defined(WOLFSSL_OLD_PRIME_CHECK) && !defined(HAVE_FIPS) && \ - !defined(HAVE_SELFTEST) - ExpectIntEQ((int)wolfSSL_CTX_SetTmpDH(ctx, bad_p, pSz, g, gSz), - WC_NO_ERR_TRACE(DH_CHECK_PUB_E)); -#endif - ExpectIntEQ((int)wolfSSL_SetTmpDH(NULL, NULL, 0, NULL, 0), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ((int)wolfSSL_SetTmpDH(ssl , NULL, 0, NULL, 0), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ((int)wolfSSL_SetTmpDH(NULL, p , 0, NULL, 0), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ((int)wolfSSL_SetTmpDH(NULL, NULL, 0, g , 0), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ((int)wolfSSL_SetTmpDH(ssl , p , 0, NULL, 0), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ((int)wolfSSL_SetTmpDH(ssl , NULL, 0, g , 0), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ((int)wolfSSL_SetTmpDH(NULL, p , 0, g , 0), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ((int)wolfSSL_SetTmpDH(ssl , p , 1, g , 1), - WC_NO_ERR_TRACE(DH_KEY_SIZE_E)); - ExpectIntEQ((int)wolfSSL_SetTmpDH(ssl , buff, 6000, g , 1), - WC_NO_ERR_TRACE(DH_KEY_SIZE_E)); -#if !defined(WOLFSSL_OLD_PRIME_CHECK) && !defined(HAVE_FIPS) && \ - !defined(HAVE_SELFTEST) -#ifndef NO_WOLFSSL_SERVER - /* Parameters will be tested later so it passes now. */ - ExpectIntEQ((int)wolfSSL_SetTmpDH(ssl, bad_p, pSz, g, gSz), - WOLFSSL_SUCCESS); -#endif -#endif -#ifndef NO_WOLFSSL_CLIENT - ExpectIntEQ((int)wolfSSL_SetTmpDH(ssl_c, p, pSz, g, gSz), - WC_NO_ERR_TRACE(SIDE_ERROR)); -#endif - ExpectIntEQ((int)SSL_CTX_set_tmp_dh(NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ((int)SSL_CTX_set_tmp_dh(ctx , NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ((int)SSL_CTX_set_tmp_dh(NULL, dh ), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ((int)SSL_set_tmp_dh(NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ((int)SSL_set_tmp_dh(ssl , NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ((int)SSL_set_tmp_dh(NULL, dh ), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - /* No p/g to use. */ - dh2 = wolfSSL_DH_new(); - ExpectIntEQ((int)SSL_CTX_set_tmp_dh(ctx , dh2 ), WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); - ExpectIntEQ((int)SSL_set_tmp_dh(ssl , dh2 ), WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); - DH_free(dh2); - dh2 = NULL; + AssertIntEQ(WC_NO_ERR_TRACE(WOLFSSL_ALPN_NOT_FOUND), + wolfSSL_ALPN_GetProtocol(ssl, &proto, &protoSz)); - ExpectIntEQ((int)wolfSSL_CTX_SetTmpDH(ctx, p, pSz, g, gSz), - WOLFSSL_SUCCESS); - ExpectIntEQ((int)SSL_CTX_set_tmp_dh(ctx, dh), WOLFSSL_SUCCESS); -#ifndef NO_WOLFSSL_SERVER - ExpectIntEQ((int)SSL_set_tmp_dh(ssl, dh), WOLFSSL_SUCCESS); -#else - ExpectIntEQ((int)SSL_set_tmp_dh(ssl, dh), WC_NO_ERR_TRACE(SIDE_ERROR)); -#endif + /* check value */ + AssertIntEQ(1, (0 == protoSz)); + AssertIntEQ(1, (NULL == proto)); +} - BIO_free(bio); -#if !defined(NO_DSA) - DSA_free(dsa); -#endif - DH_free(dh); - dh = NULL; -#ifndef NO_WOLFSSL_CLIENT - if (ssl != ssl_c) { - SSL_free(ssl_c); - } -#endif - SSL_free(ssl); -#ifndef NO_WOLFSSL_CLIENT - if (ctx != ctx_c) { - SSL_CTX_free(ctx_c); - } -#endif - SSL_CTX_free(ctx); -#endif - return EXPECT_RESULT(); +static void verify_ALPN_matching_http1(WOLFSSL* ssl) +{ + /* http/1.1 */ + char nego_proto[] = {0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31}; + char *proto; + word16 protoSz = 0; + + AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_ALPN_GetProtocol(ssl, &proto, &protoSz)); + + /* check value */ + AssertIntEQ(1, sizeof(nego_proto) == protoSz); + AssertIntEQ(0, XMEMCMP(nego_proto, proto, protoSz)); } -static int test_wolfSSL_ctrl(void) +static void verify_ALPN_matching_spdy2(WOLFSSL* ssl) { - EXPECT_DECLS; -#if defined (OPENSSL_EXTRA) && !defined(NO_BIO) - byte buff[6000]; - BIO* bio = NULL; - int bytes; - BUF_MEM* ptr = NULL; + /* spdy/2 */ + char nego_proto[] = {0x73, 0x70, 0x64, 0x79, 0x2f, 0x32}; + char *proto; + word16 protoSz = 0; - XMEMSET(buff, 0, sizeof(buff)); + AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_ALPN_GetProtocol(ssl, &proto, &protoSz)); - bytes = sizeof(buff); - ExpectNotNull(bio = BIO_new_mem_buf((void*)buff, bytes)); - ExpectNotNull(BIO_s_socket()); + /* check value */ + AssertIntEQ(1, sizeof(nego_proto) == protoSz); + AssertIntEQ(0, XMEMCMP(nego_proto, proto, protoSz)); +} - ExpectIntEQ((int)wolfSSL_BIO_get_mem_ptr(bio, &ptr), WOLFSSL_SUCCESS); +static void verify_ALPN_client_list(WOLFSSL* ssl) +{ + /* http/1.1,spdy/1,spdy/2,spdy/3 */ + char alpn_list[] = {0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31, 0x2c, + 0x73, 0x70, 0x64, 0x79, 0x2f, 0x31, 0x2c, + 0x73, 0x70, 0x64, 0x79, 0x2f, 0x32, 0x2c, + 0x73, 0x70, 0x64, 0x79, 0x2f, 0x33}; + char *clist = NULL; + word16 clistSz = 0; - /* needs tested after stubs filled out @TODO - SSL_ctrl - SSL_CTX_ctrl - */ + AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_ALPN_GetPeerProtocol(ssl, &clist, + &clistSz)); - BIO_free(bio); -#endif /* defined(OPENSSL_EXTRA) && !defined(NO_BIO) */ - return EXPECT_RESULT(); + /* check value */ + AssertIntEQ(1, sizeof(alpn_list) == clistSz); + AssertIntEQ(0, XMEMCMP(alpn_list, clist, clistSz)); + + AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_ALPN_FreePeerProtocol(ssl, &clist)); } +#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || \ + defined(WOLFSSL_HAPROXY) || defined(HAVE_LIGHTY) -static int test_wolfSSL_EVP_PKEY_new_mac_key(void) +/* ALPN select callback, success with spdy/2 */ +static int select_ALPN_spdy2(WOLFSSL *ssl, const unsigned char **out, + unsigned char *outlen, const unsigned char *in, + unsigned int inlen, void *arg) { - EXPECT_DECLS; -#ifdef OPENSSL_EXTRA - static const unsigned char pw[] = "password"; - static const int pwSz = sizeof(pw) - 1; - size_t checkPwSz = 0; - const unsigned char* checkPw = NULL; - WOLFSSL_EVP_PKEY* key = NULL; - - ExpectNull(key = wolfSSL_EVP_PKEY_new_mac_key(0, NULL, pw, pwSz)); - ExpectNull(key = wolfSSL_EVP_PKEY_new_mac_key(0, NULL, NULL, pwSz)); - - ExpectNotNull(key = wolfSSL_EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, pw, - pwSz)); - if (key != NULL) { - ExpectIntEQ(key->type, EVP_PKEY_HMAC); - ExpectIntEQ(key->save_type, EVP_PKEY_HMAC); - ExpectIntEQ(key->pkey_sz, pwSz); - ExpectIntEQ(XMEMCMP(key->pkey.ptr, pw, pwSz), 0); - } - ExpectNotNull(checkPw = wolfSSL_EVP_PKEY_get0_hmac(key, &checkPwSz)); - ExpectIntEQ((int)checkPwSz, pwSz); - ExpectIntEQ(XMEMCMP(checkPw, pw, pwSz), 0); - wolfSSL_EVP_PKEY_free(key); - key = NULL; - - ExpectNotNull(key = wolfSSL_EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, pw, - 0)); - ExpectIntEQ(key->pkey_sz, 0); - if (EXPECT_SUCCESS()) { - /* Allocation for key->pkey.ptr may fail - OK key len is 0 */ - checkPw = wolfSSL_EVP_PKEY_get0_hmac(key, &checkPwSz); - } - ExpectTrue((checkPwSz == 0) || (checkPw != NULL)); - ExpectIntEQ((int)checkPwSz, 0); - wolfSSL_EVP_PKEY_free(key); - key = NULL; + /* spdy/2 */ + const char proto[] = {0x73, 0x70, 0x64, 0x79, 0x2f, 0x32}; - ExpectNotNull(key = wolfSSL_EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, NULL, - 0)); - ExpectIntEQ(key->pkey_sz, 0); - if (EXPECT_SUCCESS()) { - /* Allocation for key->pkey.ptr may fail - OK key len is 0 */ - checkPw = wolfSSL_EVP_PKEY_get0_hmac(key, &checkPwSz); + (void)ssl; + (void)arg; + + /* adding +1 since LEN byte comes first */ + if (inlen < sizeof(proto) + 1) { + return SSL_TLSEXT_ERR_ALERT_FATAL; } - ExpectTrue((checkPwSz == 0) || (checkPw != NULL)); - ExpectIntEQ((int)checkPwSz, 0); - wolfSSL_EVP_PKEY_free(key); - key = NULL; -#endif /* OPENSSL_EXTRA */ - return EXPECT_RESULT(); -} + if (XMEMCMP(in + 1, proto, sizeof(proto)) == 0) { + *out = in + 1; + *outlen = (unsigned char)sizeof(proto); + return SSL_TLSEXT_ERR_OK; + } -static int test_wolfSSL_EVP_PKEY_new_CMAC_key(void) -{ - EXPECT_DECLS; -#ifdef OPENSSL_EXTRA -#if defined(WOLFSSL_CMAC) && !defined(NO_AES) && \ - defined(WOLFSSL_AES_DIRECT) && defined(WOLFSSL_AES_128) - const char *priv = "ABCDEFGHIJKLMNOP"; - const WOLFSSL_EVP_CIPHER* cipher = EVP_aes_128_cbc(); - WOLFSSL_EVP_PKEY* key = NULL; - - ExpectNull(key = wolfSSL_EVP_PKEY_new_CMAC_key( - NULL, NULL, AES_128_KEY_SIZE, cipher)); - ExpectNull(key = wolfSSL_EVP_PKEY_new_CMAC_key( - NULL, (const unsigned char *)priv, 0, cipher)); - ExpectNull(key = wolfSSL_EVP_PKEY_new_CMAC_key( - NULL, (const unsigned char *)priv, AES_128_KEY_SIZE, NULL)); - - ExpectNotNull(key = wolfSSL_EVP_PKEY_new_CMAC_key( - NULL, (const unsigned char *)priv, AES_128_KEY_SIZE, cipher)); - wolfSSL_EVP_PKEY_free(key); -#endif /* WOLFSSL_CMAC && !NO_AES && WOLFSSL_AES_DIRECT && WOLFSSL_AES_128 */ -#endif /* OPENSSL_EXTRA */ - return EXPECT_RESULT(); + return SSL_TLSEXT_ERR_ALERT_FATAL; } -static int test_wolfSSL_EVP_Digest(void) +/* ALPN select callback, force failure */ +static int select_ALPN_failure(WOLFSSL *ssl, const unsigned char **out, + unsigned char *outlen, const unsigned char *in, + unsigned int inlen, void *arg) { - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_SHA256) && !defined(NO_PWDBASED) - const char* in = "abc"; - int inLen = (int)XSTRLEN(in); - byte out[WC_SHA256_DIGEST_SIZE]; - unsigned int outLen; - const char* expOut = - "\xBA\x78\x16\xBF\x8F\x01\xCF\xEA\x41\x41\x40\xDE\x5D\xAE\x22" - "\x23\xB0\x03\x61\xA3\x96\x17\x7A\x9C\xB4\x10\xFF\x61\xF2\x00" - "\x15\xAD"; + (void)ssl; + (void)out; + (void)outlen; + (void)in; + (void)inlen; + (void)arg; - ExpectIntEQ(wolfSSL_EVP_Digest((unsigned char*)in, inLen, out, &outLen, - "SHA256", NULL), 1); - ExpectIntEQ(outLen, WC_SHA256_DIGEST_SIZE); - ExpectIntEQ(XMEMCMP(out, expOut, WC_SHA256_DIGEST_SIZE), 0); -#endif /* OPEN_EXTRA && ! NO_SHA256 */ - return EXPECT_RESULT(); + return SSL_TLSEXT_ERR_ALERT_FATAL; } -static int test_wolfSSL_EVP_Digest_all(void) +static void use_ALPN_spdy2_callback(WOLFSSL* ssl) { - EXPECT_DECLS; -#ifdef OPENSSL_EXTRA - const char* digests[] = { -#ifndef NO_MD5 - "MD5", -#endif -#ifndef NO_SHA - "SHA", -#endif -#ifdef WOLFSSL_SHA224 - "SHA224", -#endif -#ifndef NO_SHA256 - "SHA256", -#endif -#ifdef WOLFSSL_SHA384 - "SHA384", -#endif -#ifdef WOLFSSL_SHA512 - "SHA512", -#endif -#if defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_224) - "SHA512-224", -#endif -#if defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_256) - "SHA512-256", -#endif -#ifdef WOLFSSL_SHA3 -#ifndef WOLFSSL_NOSHA3_224 - "SHA3-224", -#endif -#ifndef WOLFSSL_NOSHA3_256 - "SHA3-256", -#endif - "SHA3-384", -#ifndef WOLFSSL_NOSHA3_512 - "SHA3-512", -#endif -#endif /* WOLFSSL_SHA3 */ - NULL - }; - const char** d; - const unsigned char in[] = "abc"; - int inLen = XSTR_SIZEOF(in); - byte out[WC_MAX_DIGEST_SIZE]; - unsigned int outLen; + wolfSSL_set_alpn_select_cb(ssl, select_ALPN_spdy2, NULL); +} - for (d = digests; *d != NULL; d++) { - ExpectIntEQ(EVP_Digest(in, inLen, out, &outLen, *d, NULL), 1); - ExpectIntGT(outLen, 0); - ExpectIntEQ(EVP_MD_size(*d), outLen); - } -#endif - return EXPECT_RESULT(); +static void use_ALPN_failure_callback(WOLFSSL* ssl) +{ + wolfSSL_set_alpn_select_cb(ssl, select_ALPN_failure, NULL); } +#endif /* OPENSSL_ALL | NGINX | HAPROXY | LIGHTY | QUIC */ -static int test_wolfSSL_EVP_MD_size(void) +static int test_wolfSSL_UseALPN_connection(void) { - EXPECT_DECLS; -#ifdef OPENSSL_EXTRA - WOLFSSL_EVP_MD_CTX mdCtx; + int res = TEST_SKIPPED; +#if !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) + callback_functions client_cb; + callback_functions server_cb; -#ifdef WOLFSSL_SHA3 -#ifndef WOLFSSL_NOSHA3_224 - wolfSSL_EVP_MD_CTX_init(&mdCtx); + XMEMSET(&client_cb, 0, sizeof(callback_functions)); + XMEMSET(&server_cb, 0, sizeof(callback_functions)); + client_cb.method = wolfSSLv23_client_method; + server_cb.method = wolfSSLv23_server_method; + client_cb.devId = testDevId; + server_cb.devId = testDevId; - ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA3-224"), 1); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA3_224_DIGEST_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA3_224_BLOCK_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); -#endif -#ifndef WOLFSSL_NOSHA3_256 - wolfSSL_EVP_MD_CTX_init(&mdCtx); + /* success case same list */ + client_cb.ctx_ready = NULL; client_cb.ssl_ready = use_ALPN_all; client_cb.on_result = NULL; + server_cb.ctx_ready = NULL; server_cb.ssl_ready = use_ALPN_all; server_cb.on_result = verify_ALPN_matching_http1; + test_wolfSSL_client_server(&client_cb, &server_cb); - ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA3-256"), 1); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA3_256_DIGEST_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA3_256_BLOCK_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); -#endif - wolfSSL_EVP_MD_CTX_init(&mdCtx); + /* success case only one for server */ + client_cb.ctx_ready = NULL; client_cb.ssl_ready = use_ALPN_all; client_cb.on_result = NULL; + server_cb.ctx_ready = NULL; server_cb.ssl_ready = use_ALPN_one; server_cb.on_result = verify_ALPN_matching_spdy2; + test_wolfSSL_client_server(&client_cb, &server_cb); - ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA3-384"), 1); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA3_384_DIGEST_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA3_384_BLOCK_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); -#ifndef WOLFSSL_NOSHA3_512 - wolfSSL_EVP_MD_CTX_init(&mdCtx); + /* success case only one for client */ + client_cb.ctx_ready = NULL; client_cb.ssl_ready = use_ALPN_one; client_cb.on_result = NULL; + server_cb.ctx_ready = NULL; server_cb.ssl_ready = use_ALPN_all; server_cb.on_result = verify_ALPN_matching_spdy2; + test_wolfSSL_client_server(&client_cb, &server_cb); - ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA3-512"), 1); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA3_512_DIGEST_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA3_512_BLOCK_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); -#endif -#endif /* WOLFSSL_SHA3 */ + /* success case none for client */ + client_cb.ctx_ready = NULL; client_cb.ssl_ready = NULL; client_cb.on_result = NULL; + server_cb.ctx_ready = NULL; server_cb.ssl_ready = use_ALPN_all; server_cb.on_result = NULL; + test_wolfSSL_client_server(&client_cb, &server_cb); -#ifndef NO_SHA256 - wolfSSL_EVP_MD_CTX_init(&mdCtx); + /* success case mismatch behavior but option 'continue' set */ + client_cb.ctx_ready = NULL; client_cb.ssl_ready = use_ALPN_all_continue; client_cb.on_result = verify_ALPN_not_matching_continue; + server_cb.ctx_ready = NULL; server_cb.ssl_ready = use_ALPN_unknown_continue; server_cb.on_result = NULL; + test_wolfSSL_client_server(&client_cb, &server_cb); - ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA256"), 1); - ExpectIntEQ(wolfSSL_EVP_MD_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), - WC_SHA256_DIGEST_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_block_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), - WC_SHA256_BLOCK_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA256_DIGEST_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA256_BLOCK_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); + /* success case read protocol send by client */ + client_cb.ctx_ready = NULL; client_cb.ssl_ready = use_ALPN_all; client_cb.on_result = NULL; + server_cb.ctx_ready = NULL; server_cb.ssl_ready = use_ALPN_one; server_cb.on_result = verify_ALPN_client_list; + test_wolfSSL_client_server(&client_cb, &server_cb); -#endif + /* mismatch behavior with same list + * the first and only this one must be taken */ + client_cb.ctx_ready = NULL; client_cb.ssl_ready = use_ALPN_all; client_cb.on_result = NULL; + server_cb.ctx_ready = NULL; server_cb.ssl_ready = use_ALPN_all; server_cb.on_result = verify_ALPN_not_matching_spdy3; + test_wolfSSL_client_server(&client_cb, &server_cb); -#ifndef NO_MD5 - wolfSSL_EVP_MD_CTX_init(&mdCtx); + /* default mismatch behavior */ + client_cb.ctx_ready = NULL; client_cb.ssl_ready = use_ALPN_all; client_cb.on_result = NULL; + server_cb.ctx_ready = NULL; server_cb.ssl_ready = use_ALPN_unknown; server_cb.on_result = verify_ALPN_FATAL_ERROR_on_client; + test_wolfSSL_client_server(&client_cb, &server_cb); - ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "MD5"), 1); - ExpectIntEQ(wolfSSL_EVP_MD_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), - WC_MD5_DIGEST_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_block_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), - WC_MD5_BLOCK_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_MD5_DIGEST_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_MD5_BLOCK_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); +#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || \ + defined(WOLFSSL_HAPROXY) || defined(HAVE_LIGHTY) -#endif + /* WOLFSSL-level ALPN select callback tests */ + /* Callback: success (one protocol, spdy/2) */ + client_cb.ctx_ready = NULL; + client_cb.ssl_ready = use_ALPN_one; + client_cb.on_result = verify_ALPN_matching_spdy2; + server_cb.ctx_ready = NULL; + server_cb.ssl_ready = use_ALPN_spdy2_callback; + server_cb.on_result = verify_ALPN_matching_spdy2; + test_wolfSSL_client_server(&client_cb, &server_cb); -#ifdef WOLFSSL_SHA224 - wolfSSL_EVP_MD_CTX_init(&mdCtx); + /* Callback: failure (one client protocol, spdy/2) */ + client_cb.ctx_ready = NULL; + client_cb.ssl_ready = use_ALPN_one; + client_cb.on_result = NULL; + server_cb.ctx_ready = NULL; + server_cb.ssl_ready = use_ALPN_failure_callback; + server_cb.on_result = verify_ALPN_FATAL_ERROR_on_client; + test_wolfSSL_client_server(&client_cb, &server_cb); - ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA224"), 1); - ExpectIntEQ(wolfSSL_EVP_MD_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), - WC_SHA224_DIGEST_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_block_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), - WC_SHA224_BLOCK_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA224_DIGEST_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA224_BLOCK_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); +#endif /* OPENSSL_ALL | NGINX | HAPROXY | LIGHTY */ -#endif + res = TEST_RES_CHECK(1); +#endif /* !NO_WOLFSSL_CLIENT && !NO_WOLFSSL_SERVER */ + return res; +} -#ifdef WOLFSSL_SHA384 - wolfSSL_EVP_MD_CTX_init(&mdCtx); +static int test_wolfSSL_UseALPN_params(void) +{ + EXPECT_DECLS; +#ifndef NO_WOLFSSL_CLIENT + /* "http/1.1" */ + char http1[] = {0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31}; + /* "spdy/1" */ + char spdy1[] = {0x73, 0x70, 0x64, 0x79, 0x2f, 0x31}; + /* "spdy/2" */ + char spdy2[] = {0x73, 0x70, 0x64, 0x79, 0x2f, 0x32}; + /* "spdy/3" */ + char spdy3[] = {0x73, 0x70, 0x64, 0x79, 0x2f, 0x33}; + char buff[256]; + word32 idx; - ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA384"), 1); - ExpectIntEQ(wolfSSL_EVP_MD_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), - WC_SHA384_DIGEST_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_block_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), - WC_SHA384_BLOCK_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA384_DIGEST_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA384_BLOCK_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); + WOLFSSL_CTX *ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()); + WOLFSSL *ssl = wolfSSL_new(ctx); -#endif + ExpectNotNull(ctx); + ExpectNotNull(ssl); -#ifdef WOLFSSL_SHA512 - wolfSSL_EVP_MD_CTX_init(&mdCtx); + /* error cases */ + ExpectIntNE(WOLFSSL_SUCCESS, + wolfSSL_UseALPN(NULL, http1, sizeof(http1), + WOLFSSL_ALPN_FAILED_ON_MISMATCH)); + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_UseALPN(ssl, NULL, 0, + WOLFSSL_ALPN_FAILED_ON_MISMATCH)); - ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA512"), 1); - ExpectIntEQ(wolfSSL_EVP_MD_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), - WC_SHA512_DIGEST_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_block_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), - WC_SHA512_BLOCK_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA512_DIGEST_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA512_BLOCK_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); + /* success case */ + /* http1 only */ + ExpectIntEQ(WOLFSSL_SUCCESS, + wolfSSL_UseALPN(ssl, http1, sizeof(http1), + WOLFSSL_ALPN_FAILED_ON_MISMATCH)); -#endif + /* http1, spdy1 */ + XMEMCPY(buff, http1, sizeof(http1)); + idx = sizeof(http1); + buff[idx++] = ','; + XMEMCPY(buff+idx, spdy1, sizeof(spdy1)); + idx += sizeof(spdy1); + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_UseALPN(ssl, buff, idx, + WOLFSSL_ALPN_FAILED_ON_MISMATCH)); -#ifndef NO_SHA - wolfSSL_EVP_MD_CTX_init(&mdCtx); - - ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA"), 1); - ExpectIntEQ(wolfSSL_EVP_MD_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), - WC_SHA_DIGEST_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_block_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), - WC_SHA_BLOCK_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA_DIGEST_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA_BLOCK_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); - - wolfSSL_EVP_MD_CTX_init(&mdCtx); - - ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA1"), 1); - ExpectIntEQ(wolfSSL_EVP_MD_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), - WC_SHA_DIGEST_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_block_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), - WC_SHA_BLOCK_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA_DIGEST_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA_BLOCK_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); -#endif - /* error case */ - wolfSSL_EVP_MD_CTX_init(&mdCtx); - - ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, ""), 0); - ExpectIntEQ(wolfSSL_EVP_MD_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), 0); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), 0); - /* Cleanup is valid on uninit'ed struct */ - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); -#endif /* OPENSSL_EXTRA */ - return EXPECT_RESULT(); -} + /* http1, spdy2, spdy1 */ + XMEMCPY(buff, http1, sizeof(http1)); + idx = sizeof(http1); + buff[idx++] = ','; + XMEMCPY(buff+idx, spdy2, sizeof(spdy2)); + idx += sizeof(spdy2); + buff[idx++] = ','; + XMEMCPY(buff+idx, spdy1, sizeof(spdy1)); + idx += sizeof(spdy1); + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_UseALPN(ssl, buff, idx, + WOLFSSL_ALPN_FAILED_ON_MISMATCH)); -static int test_wolfSSL_EVP_MD_pkey_type(void) -{ - EXPECT_DECLS; -#ifdef OPENSSL_EXTRA - const WOLFSSL_EVP_MD* md; + /* spdy3, http1, spdy2, spdy1 */ + XMEMCPY(buff, spdy3, sizeof(spdy3)); + idx = sizeof(spdy3); + buff[idx++] = ','; + XMEMCPY(buff+idx, http1, sizeof(http1)); + idx += sizeof(http1); + buff[idx++] = ','; + XMEMCPY(buff+idx, spdy2, sizeof(spdy2)); + idx += sizeof(spdy2); + buff[idx++] = ','; + XMEMCPY(buff+idx, spdy1, sizeof(spdy1)); + idx += sizeof(spdy1); + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_UseALPN(ssl, buff, idx, + WOLFSSL_ALPN_CONTINUE_ON_MISMATCH)); -#ifndef NO_MD5 - ExpectNotNull(md = EVP_md5()); - ExpectIntEQ(EVP_MD_pkey_type(md), NID_md5WithRSAEncryption); -#endif -#ifndef NO_SHA - ExpectNotNull(md = EVP_sha1()); - ExpectIntEQ(EVP_MD_pkey_type(md), NID_sha1WithRSAEncryption); -#endif -#ifdef WOLFSSL_SHA224 - ExpectNotNull(md = EVP_sha224()); - ExpectIntEQ(EVP_MD_pkey_type(md), NID_sha224WithRSAEncryption); -#endif - ExpectNotNull(md = EVP_sha256()); - ExpectIntEQ(EVP_MD_pkey_type(md), NID_sha256WithRSAEncryption); -#ifdef WOLFSSL_SHA384 - ExpectNotNull(md = EVP_sha384()); - ExpectIntEQ(EVP_MD_pkey_type(md), NID_sha384WithRSAEncryption); -#endif -#ifdef WOLFSSL_SHA512 - ExpectNotNull(md = EVP_sha512()); - ExpectIntEQ(EVP_MD_pkey_type(md), NID_sha512WithRSAEncryption); -#endif + wolfSSL_free(ssl); + wolfSSL_CTX_free(ctx); #endif return EXPECT_RESULT(); } +#endif /* HAVE_ALPN */ -#ifdef OPENSSL_EXTRA -static int test_hmac_signing(const WOLFSSL_EVP_MD *type, const byte* testKey, - size_t testKeySz, const char* testData, size_t testDataSz, - const byte* testResult, size_t testResultSz) -{ - EXPECT_DECLS; - unsigned char check[WC_MAX_DIGEST_SIZE]; - size_t checkSz = 0; - WOLFSSL_EVP_PKEY* key = NULL; - WOLFSSL_EVP_MD_CTX mdCtx; - - ExpectNotNull(key = wolfSSL_EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, - testKey, (int)testKeySz)); - wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(wolfSSL_EVP_DigestSignInit(&mdCtx, NULL, type, NULL, key), 1); - ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData, - (unsigned int)testDataSz), 1); - checkSz = sizeof(check); - ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, NULL, &checkSz), 1); - ExpectIntEQ((int)checkSz, (int)testResultSz); - checkSz = sizeof(check); - ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); - ExpectIntEQ((int)checkSz,(int)testResultSz); - ExpectIntEQ(XMEMCMP(testResult, check, testResultSz), 0); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); - - ExpectIntEQ(wolfSSL_EVP_DigestVerifyInit(&mdCtx, NULL, type, NULL, key), 1); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData, - (unsigned int)testDataSz), 1); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyFinal(&mdCtx, testResult, checkSz), 1); - - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); - wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(wolfSSL_EVP_DigestSignInit(&mdCtx, NULL, type, NULL, key), 1); - ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData, 4), 1); - checkSz = sizeof(check); - ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, NULL, &checkSz), 1); - ExpectIntEQ((int)checkSz, (int)testResultSz); - checkSz = sizeof(check); - ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); - ExpectIntEQ((int)checkSz,(int)testResultSz); - ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData + 4, - (unsigned int)testDataSz - 4), 1); - checkSz = sizeof(check); - ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); - ExpectIntEQ((int)checkSz,(int)testResultSz); - ExpectIntEQ(XMEMCMP(testResult, check, testResultSz), 0); - - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyInit(&mdCtx, NULL, type, NULL, key), 1); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData, 4), 1); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData + 4, - (unsigned int)testDataSz - 4), 1); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyFinal(&mdCtx, testResult, checkSz), 1); - - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); - - wolfSSL_EVP_PKEY_free(key); - - return EXPECT_RESULT(); -} -#endif - -static int test_wolfSSL_EVP_MD_hmac_signing(void) +#ifdef HAVE_ALPN_PROTOS_SUPPORT +static void CTX_set_alpn_protos(SSL_CTX *ctx) { - EXPECT_DECLS; -#ifdef OPENSSL_EXTRA - static const unsigned char testKey[] = - { - 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, - 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, - 0x0b, 0x0b, 0x0b, 0x0b - }; - static const char testData[] = "Hi There"; -#ifdef WOLFSSL_SHA224 - static const unsigned char testResultSha224[] = - { - 0x89, 0x6f, 0xb1, 0x12, 0x8a, 0xbb, 0xdf, 0x19, - 0x68, 0x32, 0x10, 0x7c, 0xd4, 0x9d, 0xf3, 0x3f, - 0x47, 0xb4, 0xb1, 0x16, 0x99, 0x12, 0xba, 0x4f, - 0x53, 0x68, 0x4b, 0x22 - }; -#endif -#ifndef NO_SHA256 - static const unsigned char testResultSha256[] = - { - 0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, - 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, - 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, - 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7 - }; -#endif -#ifdef WOLFSSL_SHA384 - static const unsigned char testResultSha384[] = - { - 0xaf, 0xd0, 0x39, 0x44, 0xd8, 0x48, 0x95, 0x62, - 0x6b, 0x08, 0x25, 0xf4, 0xab, 0x46, 0x90, 0x7f, - 0x15, 0xf9, 0xda, 0xdb, 0xe4, 0x10, 0x1e, 0xc6, - 0x82, 0xaa, 0x03, 0x4c, 0x7c, 0xeb, 0xc5, 0x9c, - 0xfa, 0xea, 0x9e, 0xa9, 0x07, 0x6e, 0xde, 0x7f, - 0x4a, 0xf1, 0x52, 0xe8, 0xb2, 0xfa, 0x9c, 0xb6 - }; -#endif -#ifdef WOLFSSL_SHA512 - static const unsigned char testResultSha512[] = - { - 0x87, 0xaa, 0x7c, 0xde, 0xa5, 0xef, 0x61, 0x9d, - 0x4f, 0xf0, 0xb4, 0x24, 0x1a, 0x1d, 0x6c, 0xb0, - 0x23, 0x79, 0xf4, 0xe2, 0xce, 0x4e, 0xc2, 0x78, - 0x7a, 0xd0, 0xb3, 0x05, 0x45, 0xe1, 0x7c, 0xde, - 0xda, 0xa8, 0x33, 0xb7, 0xd6, 0xb8, 0xa7, 0x02, - 0x03, 0x8b, 0x27, 0x4e, 0xae, 0xa3, 0xf4, 0xe4, - 0xbe, 0x9d, 0x91, 0x4e, 0xeb, 0x61, 0xf1, 0x70, - 0x2e, 0x69, 0x6c, 0x20, 0x3a, 0x12, 0x68, 0x54 - }; -#endif -#ifdef WOLFSSL_SHA3 - #ifndef WOLFSSL_NOSHA3_224 - static const unsigned char testResultSha3_224[] = - { - 0x3b, 0x16, 0x54, 0x6b, 0xbc, 0x7b, 0xe2, 0x70, - 0x6a, 0x03, 0x1d, 0xca, 0xfd, 0x56, 0x37, 0x3d, - 0x98, 0x84, 0x36, 0x76, 0x41, 0xd8, 0xc5, 0x9a, - 0xf3, 0xc8, 0x60, 0xf7 - }; - #endif - #ifndef WOLFSSL_NOSHA3_256 - static const unsigned char testResultSha3_256[] = - { - 0xba, 0x85, 0x19, 0x23, 0x10, 0xdf, 0xfa, 0x96, - 0xe2, 0xa3, 0xa4, 0x0e, 0x69, 0x77, 0x43, 0x51, - 0x14, 0x0b, 0xb7, 0x18, 0x5e, 0x12, 0x02, 0xcd, - 0xcc, 0x91, 0x75, 0x89, 0xf9, 0x5e, 0x16, 0xbb - }; - #endif - #ifndef WOLFSSL_NOSHA3_384 - static const unsigned char testResultSha3_384[] = - { - 0x68, 0xd2, 0xdc, 0xf7, 0xfd, 0x4d, 0xdd, 0x0a, - 0x22, 0x40, 0xc8, 0xa4, 0x37, 0x30, 0x5f, 0x61, - 0xfb, 0x73, 0x34, 0xcf, 0xb5, 0xd0, 0x22, 0x6e, - 0x1b, 0xc2, 0x7d, 0xc1, 0x0a, 0x2e, 0x72, 0x3a, - 0x20, 0xd3, 0x70, 0xb4, 0x77, 0x43, 0x13, 0x0e, - 0x26, 0xac, 0x7e, 0x3d, 0x53, 0x28, 0x86, 0xbd - }; - #endif - #ifndef WOLFSSL_NOSHA3_512 - static const unsigned char testResultSha3_512[] = - { - 0xeb, 0x3f, 0xbd, 0x4b, 0x2e, 0xaa, 0xb8, 0xf5, - 0xc5, 0x04, 0xbd, 0x3a, 0x41, 0x46, 0x5a, 0xac, - 0xec, 0x15, 0x77, 0x0a, 0x7c, 0xab, 0xac, 0x53, - 0x1e, 0x48, 0x2f, 0x86, 0x0b, 0x5e, 0xc7, 0xba, - 0x47, 0xcc, 0xb2, 0xc6, 0xf2, 0xaf, 0xce, 0x8f, - 0x88, 0xd2, 0x2b, 0x6d, 0xc6, 0x13, 0x80, 0xf2, - 0x3a, 0x66, 0x8f, 0xd3, 0x88, 0x8b, 0xb8, 0x05, - 0x37, 0xc0, 0xa0, 0xb8, 0x64, 0x07, 0x68, 0x9e + unsigned char p[] = { + 8, 'h', 't', 't', 'p', '/', '1', '.', '1', + 6, 's', 'p', 'd', 'y', '/', '2', + 6, 's', 'p', 'd', 'y', '/', '1', }; - #endif -#endif -#ifndef NO_SHA256 - ExpectIntEQ(test_hmac_signing(wolfSSL_EVP_sha256(), testKey, - sizeof(testKey), testData, XSTRLEN(testData), testResultSha256, - sizeof(testResultSha256)), TEST_SUCCESS); -#endif -#ifdef WOLFSSL_SHA224 - ExpectIntEQ(test_hmac_signing(wolfSSL_EVP_sha224(), testKey, - sizeof(testKey), testData, XSTRLEN(testData), testResultSha224, - sizeof(testResultSha224)), TEST_SUCCESS); -#endif -#ifdef WOLFSSL_SHA384 - ExpectIntEQ(test_hmac_signing(wolfSSL_EVP_sha384(), testKey, - sizeof(testKey), testData, XSTRLEN(testData), testResultSha384, - sizeof(testResultSha384)), TEST_SUCCESS); -#endif -#ifdef WOLFSSL_SHA512 - ExpectIntEQ(test_hmac_signing(wolfSSL_EVP_sha512(), testKey, - sizeof(testKey), testData, XSTRLEN(testData), testResultSha512, - sizeof(testResultSha512)), TEST_SUCCESS); -#endif -#ifdef WOLFSSL_SHA3 - #ifndef WOLFSSL_NOSHA3_224 - ExpectIntEQ(test_hmac_signing(wolfSSL_EVP_sha3_224(), testKey, - sizeof(testKey), testData, XSTRLEN(testData), testResultSha3_224, - sizeof(testResultSha3_224)), TEST_SUCCESS); - #endif - #ifndef WOLFSSL_NOSHA3_256 - ExpectIntEQ(test_hmac_signing(wolfSSL_EVP_sha3_256(), testKey, - sizeof(testKey), testData, XSTRLEN(testData), testResultSha3_256, - sizeof(testResultSha3_256)), TEST_SUCCESS); - #endif - #ifndef WOLFSSL_NOSHA3_384 - ExpectIntEQ(test_hmac_signing(wolfSSL_EVP_sha3_384(), testKey, - sizeof(testKey), testData, XSTRLEN(testData), testResultSha3_384, - sizeof(testResultSha3_384)), TEST_SUCCESS); - #endif - #ifndef WOLFSSL_NOSHA3_512 - ExpectIntEQ(test_hmac_signing(wolfSSL_EVP_sha3_512(), testKey, - sizeof(testKey), testData, XSTRLEN(testData), testResultSha3_512, - sizeof(testResultSha3_512)), TEST_SUCCESS); - #endif + unsigned char p_len = sizeof(p); + int ret; + + ret = SSL_CTX_set_alpn_protos(ctx, p, p_len); + +#ifdef WOLFSSL_ERROR_CODE_OPENSSL + AssertIntEQ(ret, 0); +#else + AssertIntEQ(ret, SSL_SUCCESS); #endif -#endif /* OPENSSL_EXTRA */ - return EXPECT_RESULT(); } - -static int test_wolfSSL_EVP_MD_rsa_signing(void) +static void set_alpn_protos(SSL* ssl) { - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && defined(USE_CERT_BUFFERS_2048) - WOLFSSL_EVP_PKEY* privKey = NULL; - WOLFSSL_EVP_PKEY* pubKey = NULL; - WOLFSSL_EVP_PKEY_CTX* keyCtx = NULL; - const char testData[] = "Hi There"; - WOLFSSL_EVP_MD_CTX mdCtx; - WOLFSSL_EVP_MD_CTX mdCtxCopy; - int ret; - size_t checkSz = -1; - int sz = 2048 / 8; - const unsigned char* cp; - const unsigned char* p; - unsigned char check[2048/8]; - size_t i; - int paddings[] = { - RSA_PKCS1_PADDING, -#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && defined(WC_RSA_PSS) - RSA_PKCS1_PSS_PADDING, -#endif + unsigned char p[] = { + 6, 's', 'p', 'd', 'y', '/', '3', + 8, 'h', 't', 't', 'p', '/', '1', '.', '1', + 6, 's', 'p', 'd', 'y', '/', '2', + 6, 's', 'p', 'd', 'y', '/', '1', }; - - cp = client_key_der_2048; - ExpectNotNull((privKey = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL, &cp, - sizeof_client_key_der_2048))); - p = client_keypub_der_2048; - ExpectNotNull((pubKey = wolfSSL_d2i_PUBKEY(NULL, &p, - sizeof_client_keypub_der_2048))); - - wolfSSL_EVP_MD_CTX_init(&mdCtx); - wolfSSL_EVP_MD_CTX_init(&mdCtxCopy); - ExpectIntEQ(wolfSSL_EVP_DigestSignInit(&mdCtx, NULL, wolfSSL_EVP_sha256(), - NULL, privKey), 1); - ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData, - (unsigned int)XSTRLEN(testData)), 1); - checkSz = sizeof(check); - ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, NULL, &checkSz), 1); - ExpectIntEQ((int)checkSz, sz); - checkSz = sizeof(check); - ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); - ExpectIntEQ((int)checkSz,sz); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_copy_ex(&mdCtxCopy, &mdCtx), 1); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_copy_ex(&mdCtxCopy, &mdCtx), 1); - ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtxCopy); - ExpectIntEQ(ret, 1); - ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); - ExpectIntEQ(ret, 1); - - wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyInit(&mdCtx, NULL, wolfSSL_EVP_sha256(), - NULL, pubKey), 1); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData, - (unsigned int)XSTRLEN(testData)), - 1); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyFinal(&mdCtx, check, checkSz), 1); - ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); - ExpectIntEQ(ret, 1); - - wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(wolfSSL_EVP_DigestSignInit(&mdCtx, NULL, wolfSSL_EVP_sha256(), - NULL, privKey), 1); - ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData, 4), 1); - checkSz = sizeof(check); - ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, NULL, &checkSz), 1); - ExpectIntEQ((int)checkSz, sz); - checkSz = sizeof(check); - ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); - ExpectIntEQ((int)checkSz, sz); - ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData + 4, - (unsigned int)XSTRLEN(testData) - 4), 1); - checkSz = sizeof(check); - ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); - ExpectIntEQ((int)checkSz, sz); - ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); - ExpectIntEQ(ret, 1); - - wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyInit(&mdCtx, NULL, wolfSSL_EVP_sha256(), - NULL, pubKey), 1); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData, 4), 1); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData + 4, - (unsigned int)XSTRLEN(testData) - 4), - 1); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyFinal(&mdCtx, check, checkSz), 1); - ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); - ExpectIntEQ(ret, 1); - - /* Check all signing padding types */ - for (i = 0; i < sizeof(paddings)/sizeof(int); i++) { - wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(wolfSSL_EVP_DigestSignInit(&mdCtx, &keyCtx, - wolfSSL_EVP_sha256(), NULL, privKey), 1); - ExpectIntEQ(wolfSSL_EVP_PKEY_CTX_set_rsa_padding(keyCtx, - paddings[i]), 1); - ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData, - (unsigned int)XSTRLEN(testData)), 1); - checkSz = sizeof(check); - ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, NULL, &checkSz), 1); - ExpectIntEQ((int)checkSz, sz); - checkSz = sizeof(check); - ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); - ExpectIntEQ((int)checkSz,sz); - ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); - ExpectIntEQ(ret, 1); - - wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyInit(&mdCtx, &keyCtx, - wolfSSL_EVP_sha256(), NULL, pubKey), 1); - ExpectIntEQ(wolfSSL_EVP_PKEY_CTX_set_rsa_padding(keyCtx, - paddings[i]), 1); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData, - (unsigned int)XSTRLEN(testData)), 1); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyFinal(&mdCtx, check, checkSz), 1); - ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); - ExpectIntEQ(ret, 1); - } - - wolfSSL_EVP_PKEY_free(pubKey); - wolfSSL_EVP_PKEY_free(privKey); -#endif - return EXPECT_RESULT(); -} - - -static int test_wolfSSL_EVP_MD_ecc_signing(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && defined(HAVE_ECC) && defined(USE_CERT_BUFFERS_256) - WOLFSSL_EVP_PKEY* privKey = NULL; - WOLFSSL_EVP_PKEY* pubKey = NULL; - const char testData[] = "Hi There"; - WOLFSSL_EVP_MD_CTX mdCtx; + unsigned char p_len = sizeof(p); int ret; - const unsigned char* cp; - const unsigned char* p; - unsigned char check[2048/8]; - size_t checkSz = sizeof(check); - - XMEMSET(check, 0, sizeof(check)); - - cp = ecc_clikey_der_256; - ExpectNotNull(privKey = wolfSSL_d2i_PrivateKey(EVP_PKEY_EC, NULL, &cp, - sizeof_ecc_clikey_der_256)); - p = ecc_clikeypub_der_256; - ExpectNotNull((pubKey = wolfSSL_d2i_PUBKEY(NULL, &p, - sizeof_ecc_clikeypub_der_256))); - - wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(wolfSSL_EVP_DigestSignInit(&mdCtx, NULL, wolfSSL_EVP_sha256(), - NULL, privKey), 1); - ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData, - (unsigned int)XSTRLEN(testData)), 1); - checkSz = sizeof(check); - ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, NULL, &checkSz), 1); - checkSz = sizeof(check); - ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); - ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); - ExpectIntEQ(ret, 1); - - wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyInit(&mdCtx, NULL, wolfSSL_EVP_sha256(), - NULL, pubKey), 1); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData, - (unsigned int)XSTRLEN(testData)), - 1); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyFinal(&mdCtx, check, checkSz), 1); - ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); - ExpectIntEQ(ret, 1); - - wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(wolfSSL_EVP_DigestSignInit(&mdCtx, NULL, wolfSSL_EVP_sha256(), - NULL, privKey), 1); - ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData, 4), 1); - checkSz = sizeof(check); - ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, NULL, &checkSz), 1); - checkSz = sizeof(check); - ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); - ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData + 4, - (unsigned int)XSTRLEN(testData) - 4), 1); - checkSz = sizeof(check); - ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); - ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); - ExpectIntEQ(ret, 1); - - wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyInit(&mdCtx, NULL, wolfSSL_EVP_sha256(), - NULL, pubKey), 1); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData, 4), 1); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData + 4, - (unsigned int)XSTRLEN(testData) - 4), - 1); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyFinal(&mdCtx, check, checkSz), 1); - ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); - ExpectIntEQ(ret, 1); - - wolfSSL_EVP_PKEY_free(pubKey); - wolfSSL_EVP_PKEY_free(privKey); -#endif - return EXPECT_RESULT(); -} + ret = SSL_set_alpn_protos(ssl, p, p_len); -static int test_wolfSSL_CTX_add_extra_chain_cert(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_TLS) && \ - !defined(NO_FILESYSTEM) && !defined(NO_RSA) && !defined(NO_BIO) -#if !defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER) - char caFile[] = "./certs/client-ca.pem"; - char clientFile[] = "./certs/client-cert.pem"; - SSL_CTX* ctx = NULL; - X509* x509 = NULL; - BIO *bio = NULL; - X509 *cert = NULL; - X509 *ca = NULL; - STACK_OF(X509) *chain = NULL; - STACK_OF(X509) *chain2 = NULL; - -#ifndef NO_WOLFSSL_SERVER - ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); +#ifdef WOLFSSL_ERROR_CODE_OPENSSL + AssertIntEQ(ret, 0); #else - ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); + AssertIntEQ(ret, SSL_SUCCESS); #endif - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(caFile, - WOLFSSL_FILETYPE_PEM)); - - /* Negative tests. */ - ExpectIntEQ((int)SSL_CTX_add_extra_chain_cert(NULL, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ((int)SSL_CTX_add_extra_chain_cert(ctx, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ((int)SSL_CTX_add_extra_chain_cert(NULL, x509), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - - ExpectIntEQ((int)SSL_CTX_add_extra_chain_cert(ctx, x509), WOLFSSL_SUCCESS); - - ExpectNotNull(x509 = wolfSSL_X509_new()); - /* Empty certificate. */ - ExpectIntEQ((int)SSL_CTX_add_extra_chain_cert(ctx, x509), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - wolfSSL_X509_free(x509); - x509 = NULL; - - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(clientFile, - WOLFSSL_FILETYPE_PEM)); - - /* additional test of getting EVP_PKEY key size from X509 - * Do not run with user RSA because wolfSSL_RSA_size is not currently - * allowed with user RSA */ - { - EVP_PKEY* pkey = NULL; - #if defined(HAVE_ECC) - X509* ecX509 = NULL; - #endif /* HAVE_ECC */ - - ExpectNotNull(pkey = X509_get_pubkey(x509)); - /* current RSA key is 2048 bit (256 bytes) */ - ExpectIntEQ(EVP_PKEY_size(pkey), 256); - - EVP_PKEY_free(pkey); - pkey = NULL; +} -#if defined(HAVE_ECC) - #if defined(USE_CERT_BUFFERS_256) - ExpectNotNull(ecX509 = wolfSSL_X509_load_certificate_buffer( - cliecc_cert_der_256, sizeof_cliecc_cert_der_256, - SSL_FILETYPE_ASN1)); - #else - ExpectNotNull(ecX509 = wolfSSL_X509_load_certificate_file( - cliEccCertFile, SSL_FILETYPE_PEM)); - #endif - pkey = X509_get_pubkey(ecX509); - ExpectNotNull(pkey); - /* current ECC key is 256 bit (32 bytes) */ - ExpectIntGE(EVP_PKEY_size(pkey), 72); +static void verify_alpn_matching_spdy3(WOLFSSL* ssl) +{ + /* "spdy/3" */ + char nego_proto[] = {0x73, 0x70, 0x64, 0x79, 0x2f, 0x33}; + const unsigned char *proto; + unsigned int protoSz = 0; - X509_free(ecX509); - ecX509 = NULL; - EVP_PKEY_free(pkey); - pkey = NULL; -#endif /* HAVE_ECC */ - } + SSL_get0_alpn_selected(ssl, &proto, &protoSz); - ExpectIntEQ((int)SSL_CTX_add_extra_chain_cert(ctx, x509), SSL_SUCCESS); - if (EXPECT_SUCCESS()) { - x509 = NULL; - } + /* check value */ + AssertIntEQ(1, sizeof(nego_proto) == protoSz); + AssertIntEQ(0, XMEMCMP(nego_proto, proto, protoSz)); +} -#ifdef WOLFSSL_ENCRYPTED_KEYS - ExpectNull(SSL_CTX_get_default_passwd_cb(ctx)); - ExpectNull(SSL_CTX_get_default_passwd_cb_userdata(ctx)); -#endif - SSL_CTX_free(ctx); - ctx = NULL; +static void verify_alpn_matching_http1(WOLFSSL* ssl) +{ + /* "http/1.1" */ + char nego_proto[] = {0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31}; + const unsigned char *proto; + unsigned int protoSz = 0; -#ifndef NO_WOLFSSL_SERVER - ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); -#else - ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); -#endif - /* Test haproxy use case */ - ExpectNotNull(bio = BIO_new_file(svrCertFile, "r")); - /* Read Certificate */ - ExpectNotNull(cert = PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL)); - ExpectNotNull(ca = PEM_read_bio_X509(bio, NULL, NULL, NULL)); - ExpectNotNull(chain = sk_X509_new_null()); - ExpectIntEQ(sk_X509_push(chain, ca), 1); - if (EXPECT_SUCCESS()) { - ca = NULL; - } - ExpectNotNull(chain2 = X509_chain_up_ref(chain)); - ExpectNotNull(ca = sk_X509_shift(chain2)); - ExpectIntEQ(SSL_CTX_use_certificate(ctx, cert), 1); - ExpectIntEQ(SSL_CTX_add_extra_chain_cert(ctx, ca), 1); - if (EXPECT_SUCCESS()) { - ca = NULL; - } + SSL_get0_alpn_selected(ssl, &proto, &protoSz); - BIO_free(bio); - X509_free(cert); - X509_free(ca); - X509_free(x509); - sk_X509_pop_free(chain, X509_free); - sk_X509_pop_free(chain2, X509_free); - SSL_CTX_free(ctx); -#endif /* !NO_WOLFSSL_CLIENT || !NO_WOLFSSL_SERVER */ -#endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ - !defined(NO_FILESYSTEM) && !defined(NO_RSA) && !defined (NO_BIO) */ - return EXPECT_RESULT(); + /* check value */ + AssertIntEQ(1, sizeof(nego_proto) == protoSz); + AssertIntEQ(0, XMEMCMP(nego_proto, proto, protoSz)); } -#if !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) -static int test_wolfSSL_ERR_peek_last_error_line(void) +static int test_wolfSSL_set_alpn_protos(void) { - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ - !defined(NO_FILESYSTEM) && defined(DEBUG_WOLFSSL) && \ - !defined(NO_OLD_TLS) && !defined(WOLFSSL_NO_TLS12) && \ - defined(HAVE_IO_TESTS_DEPENDENCIES) && !defined(NO_ERROR_QUEUE) + int res = TEST_SKIPPED; +#if !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) callback_functions client_cb; callback_functions server_cb; - int line = 0; - int flag = ERR_TXT_STRING; - const char* file = NULL; - const char* data = NULL; - /* create a failed connection and inspect the error */ XMEMSET(&client_cb, 0, sizeof(callback_functions)); XMEMSET(&server_cb, 0, sizeof(callback_functions)); - client_cb.method = wolfTLSv1_1_client_method; - server_cb.method = wolfTLSv1_2_server_method; + client_cb.method = wolfSSLv23_client_method; + server_cb.method = wolfSSLv23_server_method; + client_cb.devId = testDevId; + server_cb.devId = testDevId; - test_wolfSSL_client_server_nofail(&client_cb, &server_cb); + /* use CTX_alpn_protos */ + client_cb.ctx_ready = CTX_set_alpn_protos; + client_cb.ssl_ready = NULL; + client_cb.on_result = NULL; + server_cb.ctx_ready = CTX_set_alpn_protos; + server_cb.ssl_ready = NULL; + server_cb.on_result = verify_alpn_matching_http1; + test_wolfSSL_client_server(&client_cb, &server_cb); - ExpectIntGT(ERR_get_error_line_data(NULL, NULL, &data, &flag), 0); - ExpectNotNull(data); + /* use set_alpn_protos */ + client_cb.ctx_ready = NULL; + client_cb.ssl_ready = set_alpn_protos; + client_cb.on_result = NULL; + server_cb.ctx_ready = NULL; + server_cb.ssl_ready = set_alpn_protos; + server_cb.on_result = verify_alpn_matching_spdy3; + test_wolfSSL_client_server(&client_cb, &server_cb); - /* check clearing error state */ - ERR_remove_state(0); - ExpectIntEQ((int)ERR_peek_last_error_line(NULL, NULL), 0); - ERR_peek_last_error_line(NULL, &line); - ExpectIntEQ(line, 0); - ERR_peek_last_error_line(&file, NULL); - ExpectNull(file); + res = TEST_SUCCESS; +#endif /* !NO_WOLFSSL_CLIENT && !NO_WOLFSSL_SERVER */ + return res; +} - /* retry connection to fill error queue */ - XMEMSET(&client_cb, 0, sizeof(callback_functions)); - XMEMSET(&server_cb, 0, sizeof(callback_functions)); - client_cb.method = wolfTLSv1_1_client_method; - server_cb.method = wolfTLSv1_2_server_method; +#endif /* HAVE_ALPN_PROTOS_SUPPORT */ - test_wolfSSL_client_server_nofail(&client_cb, &server_cb); +static int test_wolfSSL_wolfSSL_UseSecureRenegotiation(void) +{ + EXPECT_DECLS; +#if defined(HAVE_SECURE_RENEGOTIATION) && !defined(NO_WOLFSSL_CLIENT) && \ + !defined(NO_TLS) + WOLFSSL_CTX *ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()); + WOLFSSL *ssl = wolfSSL_new(ctx); - /* check that error code was stored */ - ExpectIntNE((int)ERR_peek_last_error_line(NULL, NULL), 0); - ERR_peek_last_error_line(NULL, &line); - ExpectIntNE(line, 0); - ERR_peek_last_error_line(&file, NULL); - ExpectNotNull(file); + ExpectNotNull(ctx); + ExpectNotNull(ssl); - fprintf(stderr, "\nTesting error print out\n"); - ERR_print_errors_fp(stderr); - fprintf(stderr, "Done testing print out\n\n"); -#endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && - * !defined(NO_FILESYSTEM) && !defined(DEBUG_WOLFSSL) */ + /* error cases */ + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_UseSecureRenegotiation(NULL)); + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_UseSecureRenegotiation(NULL)); + + /* success cases */ + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_UseSecureRenegotiation(ctx)); + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_UseSecureRenegotiation(ssl)); + + wolfSSL_free(ssl); + wolfSSL_CTX_free(ctx); +#endif return EXPECT_RESULT(); } -#endif /* !NO_WOLFSSL_CLIENT && !NO_WOLFSSL_SERVER */ -static int test_wolfSSL_PKCS7_certs(void) +/* Test reconnecting with a different ciphersuite after a renegotiation. */ +static int test_wolfSSL_SCR_Reconnect(void) { EXPECT_DECLS; -#if defined(OPENSSL_ALL) && !defined(NO_CERTS) && !defined(NO_BIO) && \ - !defined(NO_FILESYSTEM) && !defined(NO_RSA) && defined(HAVE_PKCS7) - STACK_OF(X509)* sk = NULL; - STACK_OF(X509_INFO)* info_sk = NULL; - PKCS7 *p7 = NULL; - BIO* bio = NULL; - const byte* p = NULL; - int buflen = 0; - int i; +#if defined(HAVE_SECURE_RENEGOTIATION) && \ + defined(BUILD_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) && \ + defined(BUILD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256) && \ + defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) + struct test_memio_ctx test_ctx; + WOLFSSL_CTX *ctx_c = NULL, *ctx_s = NULL; + WOLFSSL *ssl_c = NULL, *ssl_s = NULL; + byte data; - /* Test twice. Once with d2i and once without to test - * that everything is free'd correctly. */ - for (i = 0; i < 2; i++) { - ExpectNotNull(p7 = PKCS7_new()); - if (p7 != NULL) { - p7->version = 1; - #ifdef NO_SHA - p7->hashOID = SHA256h; - #else - p7->hashOID = SHAh; - #endif - } - ExpectNotNull(bio = BIO_new(BIO_s_file())); - ExpectIntGT(BIO_read_filename(bio, svrCertFile), 0); - ExpectNotNull(info_sk = PEM_X509_INFO_read_bio(bio, NULL, NULL, NULL)); - ExpectIntEQ(sk_X509_INFO_num(info_sk), 2); - ExpectNotNull(sk = sk_X509_new_null()); - while (EXPECT_SUCCESS() && (sk_X509_INFO_num(info_sk) > 0)) { - X509_INFO* info = NULL; - ExpectNotNull(info = sk_X509_INFO_shift(info_sk)); - if (EXPECT_SUCCESS() && info != NULL) { - ExpectIntGT(sk_X509_push(sk, info->x509), 0); - info->x509 = NULL; - } - X509_INFO_free(info); - } - sk_X509_INFO_pop_free(info_sk, X509_INFO_free); - info_sk = NULL; - BIO_free(bio); - bio = NULL; - ExpectNotNull(bio = BIO_new(BIO_s_mem())); - ExpectIntEQ(wolfSSL_PKCS7_encode_certs(p7, sk, bio), 1); - if ((sk != NULL) && ((p7 == NULL) || (bio == NULL))) { - sk_X509_pop_free(sk, X509_free); - } - sk = NULL; - ExpectIntGT((buflen = BIO_get_mem_data(bio, &p)), 0); + XMEMSET(&test_ctx, 0, sizeof(test_ctx)); + test_ctx.c_ciphers = "ECDHE-RSA-AES256-GCM-SHA384"; + test_ctx.s_ciphers = + "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305"; + ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s, + wolfTLSv1_2_client_method, wolfTLSv1_2_server_method), 0); + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_UseSecureRenegotiation(ctx_c)); + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_UseSecureRenegotiation(ctx_s)); + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_UseSecureRenegotiation(ssl_c)); + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_UseSecureRenegotiation(ssl_s)); + ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0); + /* WOLFSSL_FATAL_ERROR since it will block */ + ExpectIntEQ(wolfSSL_Rehandshake(ssl_s), WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); + ExpectIntEQ(wolfSSL_get_error(ssl_s, WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)), + WOLFSSL_ERROR_WANT_READ); + ExpectIntEQ(wolfSSL_read(ssl_c, &data, 1), WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); + ExpectIntEQ(wolfSSL_get_error(ssl_s, WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)), + WOLFSSL_ERROR_WANT_READ); + ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0); + wolfSSL_free(ssl_c); + ssl_c = NULL; + wolfSSL_free(ssl_s); + ssl_s = NULL; + wolfSSL_CTX_free(ctx_c); + ctx_c = NULL; + test_ctx.c_ciphers = "ECDHE-RSA-CHACHA20-POLY1305"; + ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s, + wolfTLSv1_2_client_method, wolfTLSv1_2_server_method), 0); + ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0); + wolfSSL_free(ssl_s); + wolfSSL_free(ssl_c); + wolfSSL_CTX_free(ctx_s); + wolfSSL_CTX_free(ctx_c); +#endif + return EXPECT_RESULT(); +} - if (i == 0) { - PKCS7_free(p7); - p7 = NULL; - ExpectNotNull(d2i_PKCS7(&p7, &p, buflen)); - if (p7 != NULL) { - /* Reset certs to force wolfSSL_PKCS7_to_stack to regenerate - * them */ - ((WOLFSSL_PKCS7*)p7)->certs = NULL; - } - /* PKCS7_free free's the certs */ - ExpectNotNull(wolfSSL_PKCS7_to_stack(p7)); - } +#if !defined(NO_WOLFSSL_SERVER) && !defined(NO_TLS) && \ + !defined(NO_FILESYSTEM) && (!defined(NO_RSA) || defined(HAVE_ECC)) +/* Called when writing. */ +static int DummySend(WOLFSSL* ssl, char* buf, int sz, void* ctx) +{ + (void)ssl; + (void)buf; + (void)sz; + (void)ctx; - BIO_free(bio); - bio = NULL; - PKCS7_free(p7); - p7 = NULL; - } -#endif /* defined(OPENSSL_ALL) && !defined(NO_CERTS) && \ - !defined(NO_FILESYSTEM) && !defined(NO_RSA) && defined(HAVE_PKCS7) */ - return EXPECT_RESULT(); + /* Force error return from wolfSSL_accept_TLSv13(). */ + return WANT_WRITE; } +/* Called when reading. */ +static int BufferInfoRecv(WOLFSSL* ssl, char* buf, int sz, void* ctx) +{ + WOLFSSL_BUFFER_INFO* msg = (WOLFSSL_BUFFER_INFO*)ctx; + int len = (int)msg->length; -static int test_wolfSSL_CTX_get0_set1_param(void) + (void)ssl; + (void)sz; + + /* Pass back as much of message as will fit in buffer. */ + if (len > sz) + len = sz; + XMEMCPY(buf, msg->buffer, len); + /* Move over returned data. */ + msg->buffer += len; + msg->length -= (word32)len; + + /* Amount actually copied. */ + return len; +} +#endif + +/* Test the detection of duplicate known TLS extensions. + * Specifically in a ClientHello. + */ +static int test_tls_ext_duplicate(void) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) -#if !defined(NO_TLS) && \ - (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) - SSL_CTX* ctx = NULL; - WOLFSSL_X509_VERIFY_PARAM* pParam = NULL; - WOLFSSL_X509_VERIFY_PARAM* pvpm = NULL; - char testIPv4[] = "127.0.0.1"; - char testhostName[] = "foo.hoge.com"; +#if !defined(NO_WOLFSSL_SERVER) && !defined(NO_TLS) && \ + !defined(NO_FILESYSTEM) && (!defined(NO_RSA) || defined(HAVE_ECC)) + const unsigned char clientHelloDupTlsExt[] = { + 0x16, 0x03, 0x03, 0x00, 0x6a, 0x01, 0x00, 0x00, + 0x66, 0x03, 0x03, 0xf4, 0x65, 0xbd, 0x22, 0xfe, + 0x6e, 0xab, 0x66, 0xdd, 0xcf, 0xe9, 0x65, 0x55, + 0xe8, 0xdf, 0xc3, 0x8e, 0x4b, 0x00, 0xbc, 0xf8, + 0x23, 0x57, 0x1b, 0xa0, 0xc8, 0xa9, 0xe2, 0x8c, + 0x91, 0x6e, 0xf9, 0x20, 0xf7, 0x5c, 0xc5, 0x5b, + 0x75, 0x8c, 0x47, 0x0a, 0x0e, 0xc4, 0x1a, 0xda, + 0xef, 0x75, 0xe5, 0x21, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x13, 0x01, + 0x00, 0x9e, 0x01, 0x00, + /* Extensions - duplicate signature algorithms. */ + 0x00, 0x19, 0x00, 0x0d, + 0x00, 0x04, 0x00, 0x02, 0x04, 0x01, 0x00, 0x0d, + 0x00, 0x04, 0x00, 0x02, 0x04, 0x01, + /* Supported Versions extension for TLS 1.3. */ + 0x00, 0x2b, + 0x00, 0x05, 0x04, 0x03, 0x04, 0x03, 0x03 + }; + WOLFSSL_BUFFER_INFO msg; + const char* testCertFile; + const char* testKeyFile; + WOLFSSL_CTX *ctx = NULL; + WOLFSSL *ssl = NULL; -#ifndef NO_WOLFSSL_SERVER - ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); -#else - ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); +#ifndef NO_RSA + testCertFile = svrCertFile; + testKeyFile = svrKeyFile; +#elif defined(HAVE_ECC) + testCertFile = eccCertFile; + testKeyFile = eccKeyFile; #endif - ExpectNull(SSL_CTX_get0_param(NULL)); - ExpectNotNull(pParam = SSL_CTX_get0_param(ctx)); + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); - ExpectNotNull(pvpm = (WOLFSSL_X509_VERIFY_PARAM *)XMALLOC( - sizeof(WOLFSSL_X509_VERIFY_PARAM), NULL, DYNAMIC_TYPE_OPENSSL)); - ExpectNotNull(XMEMSET(pvpm, 0, sizeof(WOLFSSL_X509_VERIFY_PARAM))); + ExpectTrue(wolfSSL_CTX_use_certificate_file(ctx, testCertFile, + CERT_FILETYPE)); + ExpectTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, testKeyFile, + CERT_FILETYPE)); - ExpectIntEQ(wolfSSL_X509_VERIFY_PARAM_set1_host(pvpm, testhostName, - (int)XSTRLEN(testhostName)), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(pvpm, testIPv4), - WOLFSSL_SUCCESS); - wolfSSL_X509_VERIFY_PARAM_set_hostflags(pvpm, 0x01); + /* Read from 'msg'. */ + wolfSSL_SetIORecv(ctx, BufferInfoRecv); + /* No where to send to - dummy sender. */ + wolfSSL_SetIOSend(ctx, DummySend); - ExpectIntEQ(SSL_CTX_set1_param(ctx, pvpm), 1); - ExpectIntEQ(0, XSTRNCMP(pParam->hostName, testhostName, - (int)XSTRLEN(testhostName))); - ExpectIntEQ(0x01, pParam->hostFlags); - ExpectIntEQ(0, XSTRNCMP(pParam->ipasc, testIPv4, WOLFSSL_MAX_IPSTR)); + ssl = wolfSSL_new(ctx); + ExpectNotNull(ssl); - /* test for incorrect parameter */ - ExpectIntEQ(1,SSL_CTX_set1_param(ctx, NULL)); - ExpectIntEQ(1,SSL_CTX_set1_param(NULL, pvpm)); - ExpectIntEQ(1,SSL_CTX_set1_param(NULL, NULL)); + msg.buffer = (unsigned char*)clientHelloDupTlsExt; + msg.length = (unsigned int)sizeof(clientHelloDupTlsExt); + wolfSSL_SetIOReadCtx(ssl, &msg); - SSL_CTX_free(ctx); + ExpectIntNE(wolfSSL_accept(ssl), WOLFSSL_SUCCESS); + /* can return duplicate ext error or socket error if the peer closed down + * while sending alert */ + if (wolfSSL_get_error(ssl, 0) != WC_NO_ERR_TRACE(SOCKET_ERROR_E)) { + ExpectIntEQ(wolfSSL_get_error(ssl, 0), WC_NO_ERR_TRACE(DUPLICATE_TLS_EXT_E)); + } - XFREE(pvpm, NULL, DYNAMIC_TYPE_OPENSSL); -#endif /* !NO_WOLFSSL_CLIENT || !NO_WOLFSSL_SERVER */ -#endif /* OPENSSL_EXTRA && !defined(NO_RSA)*/ + wolfSSL_free(ssl); + wolfSSL_CTX_free(ctx); +#endif return EXPECT_RESULT(); } -static int test_wolfSSL_get0_param(void) + +/* Test TLS connection abort when legacy version field indicates TLS 1.3 or + * higher. Based on test_tls_ext_duplicate() but with legacy version modified + * to 0x0304. + */ +static int test_tls_bad_legacy_version(void) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_TLS) && \ - (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) && \ - !defined(NO_FILESYSTEM) - SSL_CTX* ctx = NULL; - SSL* ssl = NULL; +#if defined(WOLFSSL_TLS13) && !defined(WOLFSSL_ALLOW_BAD_TLS_LEGACY_VERSION) +#if !defined(NO_WOLFSSL_SERVER) && !defined(NO_TLS) && \ + !defined(NO_FILESYSTEM) && (!defined(NO_RSA) || defined(HAVE_ECC)) + /* This buffer (prior to Extensions) is exactly the same as the buffer in + * test_tls_ext_duplicate() except the 11th byte is set to 0x04. That + * change means the legacy protocol version field is invalid. That will be + * caught before the dulplicate signature algorithms extension. */ + const unsigned char clientHelloBadLegacyVersion[] = { + 0x16, 0x03, 0x03, 0x00, 0x6a, 0x01, 0x00, 0x00, + 0x66, 0x03, 0x04, 0xf4, 0x65, 0xbd, 0x22, 0xfe, + 0x6e, 0xab, 0x66, 0xdd, 0xcf, 0xe9, 0x65, 0x55, + 0xe8, 0xdf, 0xc3, 0x8e, 0x4b, 0x00, 0xbc, 0xf8, + 0x23, 0x57, 0x1b, 0xa0, 0xc8, 0xa9, 0xe2, 0x8c, + 0x91, 0x6e, 0xf9, 0x20, 0xf7, 0x5c, 0xc5, 0x5b, + 0x75, 0x8c, 0x47, 0x0a, 0x0e, 0xc4, 0x1a, 0xda, + 0xef, 0x75, 0xe5, 0x21, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x13, 0x01, + 0x00, 0x9e, 0x01, 0x00, + /* Extensions */ + 0x00, 0x19, 0x00, 0x0d, + 0x00, 0x04, 0x00, 0x02, 0x04, 0x01, 0x00, 0x15, + 0x00, 0x04, 0x00, 0x02, 0x04, 0x01, + /* Supported Versions extension for TLS 1.3. */ + 0x00, 0x2b, + 0x00, 0x05, 0x04, 0x03, 0x04, 0x03, 0x03 + }; -#ifndef NO_WOLFSSL_SERVER - ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); -#else - ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); + WOLFSSL_BUFFER_INFO msg; + const char* testCertFile; + const char* testKeyFile; + WOLFSSL_CTX *ctx = NULL; + WOLFSSL *ssl = NULL; + +#ifndef NO_RSA + testCertFile = svrCertFile; + testKeyFile = svrKeyFile; +#elif defined(HAVE_ECC) + testCertFile = eccCertFile; + testKeyFile = eccKeyFile; #endif - ExpectTrue(SSL_CTX_use_certificate_file(ctx, svrCertFile, - SSL_FILETYPE_PEM)); - ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, SSL_FILETYPE_PEM)); - ExpectNotNull(ssl = SSL_new(ctx)); - ExpectNotNull(SSL_get0_param(ssl)); + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); - SSL_free(ssl); - SSL_CTX_free(ctx); + ExpectTrue(wolfSSL_CTX_use_certificate_file(ctx, testCertFile, + CERT_FILETYPE)); + ExpectTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, testKeyFile, + CERT_FILETYPE)); + + /* Read from 'msg'. */ + wolfSSL_SetIORecv(ctx, BufferInfoRecv); + /* No where to send to - dummy sender. */ + wolfSSL_SetIOSend(ctx, DummySend); + + ssl = wolfSSL_new(ctx); + ExpectNotNull(ssl); + + msg.buffer = (unsigned char*)clientHelloBadLegacyVersion; + msg.length = (unsigned int)sizeof(clientHelloBadLegacyVersion); + wolfSSL_SetIOReadCtx(ssl, &msg); + + ExpectIntNE(wolfSSL_accept(ssl), WOLFSSL_SUCCESS); + /* Connection should fail due to bad legacy version field. When that + * happens the return code is VERSION_ERROR but that gets transformed into + * SOCKET_ERROR_E. */ + ExpectIntEQ(wolfSSL_get_error(ssl, 0), WC_NO_ERR_TRACE(SOCKET_ERROR_E)); + + wolfSSL_free(ssl); + wolfSSL_CTX_free(ctx); +#endif #endif return EXPECT_RESULT(); } +/*----------------------------------------------------------------------------* + | X509 Tests + *----------------------------------------------------------------------------*/ -static int test_wolfSSL_set1_host(void) +#if !defined(NO_FILESYSTEM) && !defined(NO_ASN) && defined(HAVE_PKCS8) && \ + defined(WOLFSSL_ENCRYPTED_KEYS) && !defined(NO_DES3) && !defined(NO_PWDBASED) && \ + (!defined(NO_RSA) || defined(HAVE_ECC)) && !defined(NO_MD5) + #define TEST_PKCS8_ENC +#endif + +#if !defined(NO_FILESYSTEM) && !defined(NO_ASN) && defined(HAVE_PKCS8) && \ + defined(HAVE_ECC) && defined(WOLFSSL_ENCRYPTED_KEYS) && !defined(NO_TLS) + +/* used to keep track if FailTestCallback was called */ +static int failTestCallbackCalled = 0; + +static WC_INLINE int FailTestCallBack(char* passwd, int sz, int rw, void* userdata) { - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_TLS) && \ - (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) && \ - !defined(NO_FILESYSTEM) - const char host[] = "www.test_wolfSSL_set1_host.com"; - const char emptyStr[] = ""; - SSL_CTX* ctx = NULL; - SSL* ssl = NULL; - WOLFSSL_X509_VERIFY_PARAM* pParam = NULL; + (void)passwd; + (void)sz; + (void)rw; + (void)userdata; -#ifndef NO_WOLFSSL_SERVER - ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); -#else - ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); + /* mark called, test_wolfSSL_no_password_cb() will check and fail if set */ + failTestCallbackCalled = 1; + + return -1; +} #endif - ExpectTrue(SSL_CTX_use_certificate_file(ctx, svrCertFile, - SSL_FILETYPE_PEM)); - ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, SSL_FILETYPE_PEM)); - ExpectNotNull(ssl = SSL_new(ctx)); - pParam = SSL_get0_param(ssl); +static int test_wolfSSL_no_password_cb(void) +{ + EXPECT_DECLS; +#if !defined(NO_FILESYSTEM) && !defined(NO_ASN) && defined(HAVE_PKCS8) && \ + defined(HAVE_ECC) && defined(WOLFSSL_ENCRYPTED_KEYS) && !defined(NO_TLS) + WOLFSSL_CTX* ctx = NULL; + byte buff[FOURK_BUF]; + const char eccPkcs8PrivKeyDerFile[] = "./certs/ecc-privkeyPkcs8.der"; + const char eccPkcs8PrivKeyPemFile[] = "./certs/ecc-privkeyPkcs8.pem"; + XFILE f = XBADFILE; + int bytes = 0; - /* we should get back host string */ - ExpectIntEQ(SSL_set1_host(ssl, host), WOLFSSL_SUCCESS); - ExpectIntEQ(XMEMCMP(pParam->hostName, host, sizeof(host)), 0); +#ifndef NO_WOLFSSL_CLIENT + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLS_client_method())); +#else + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLS_server_method())); +#endif + wolfSSL_CTX_set_default_passwd_cb(ctx, FailTestCallBack); - /* we should get back empty string */ - ExpectIntEQ(SSL_set1_host(ssl, emptyStr), WOLFSSL_SUCCESS); - ExpectIntEQ(XMEMCMP(pParam->hostName, emptyStr, sizeof(emptyStr)), 0); + ExpectTrue((f = XFOPEN(eccPkcs8PrivKeyDerFile, "rb")) != XBADFILE); + ExpectIntGT(bytes = (int)XFREAD(buff, 1, sizeof(buff), f), 0); + if (f != XBADFILE) { + XFCLOSE(f); + f = XBADFILE; + } + ExpectIntLE(bytes, sizeof(buff)); + ExpectIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, bytes, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); - /* we should get back host string */ - ExpectIntEQ(SSL_set1_host(ssl, host), WOLFSSL_SUCCESS); - ExpectIntEQ(XMEMCMP(pParam->hostName, host, sizeof(host)), 0); + ExpectTrue((f = XFOPEN(eccPkcs8PrivKeyPemFile, "rb")) != XBADFILE); + ExpectIntGT(bytes = (int)XFREAD(buff, 1, sizeof(buff), f), 0); + if (f != XBADFILE) + XFCLOSE(f); + ExpectIntLE(bytes, sizeof(buff)); + ExpectIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, bytes, + WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS); - /* we should get back empty string */ - ExpectIntEQ(SSL_set1_host(ssl, NULL), WOLFSSL_SUCCESS); - ExpectIntEQ(XMEMCMP(pParam->hostName, emptyStr, sizeof(emptyStr)), 0); + wolfSSL_CTX_free(ctx); - SSL_free(ssl); - SSL_CTX_free(ctx); + /* Password callback should not be called by default */ + ExpectIntEQ(failTestCallbackCalled, 0); #endif return EXPECT_RESULT(); } -#if defined(OPENSSL_ALL) && !defined(NO_RSA) && !defined(NO_CERTS) && \ - !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) && \ - defined(HAVE_ECC) && !defined(NO_TLS) && defined(HAVE_AESGCM) -static int test_wolfSSL_get_client_ciphers_ctx_ready(WOLFSSL_CTX* ctx) +#if defined(TEST_PKCS8_ENC) && !defined(NO_TLS) +/* for PKCS8 test case */ +static int PKCS8TestCallBack(char* passwd, int sz, int rw, void* userdata) { - EXPECT_DECLS; - ExpectTrue(wolfSSL_CTX_set_cipher_list(ctx, "ECDHE-RSA-AES128-GCM-SHA256")); - return EXPECT_RESULT(); -} - - -static int test_wolfSSL_get_client_ciphers_on_result(WOLFSSL* ssl) { - EXPECT_DECLS; - WOLF_STACK_OF(WOLFSSL_CIPHER)* ciphers; + int flag = 0; - ciphers = SSL_get_client_ciphers(ssl); - if (wolfSSL_is_server(ssl) == 0) { - ExpectNull(ciphers); + (void)rw; + if (userdata != NULL) { + flag = *((int*)userdata); /* user set data */ } - else { - WOLFSSL_CIPHER* current; - /* client should have only sent over one cipher suite */ - ExpectNotNull(ciphers); - ExpectIntEQ(sk_SSL_CIPHER_num(ciphers), 1); - current = sk_SSL_CIPHER_value(ciphers, 0); - ExpectNotNull(current); - #if !defined(WOLFSSL_CIPHER_INTERNALNAME) && !defined(NO_ERROR_STRINGS) && \ - !defined(WOLFSSL_QT) - ExpectStrEQ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - SSL_CIPHER_get_name(current)); - #else - ExpectStrEQ("ECDHE-RSA-AES128-GCM-SHA256", - SSL_CIPHER_get_name(current)); - #endif + switch (flag) { + case 1: /* flag set for specific WOLFSSL_CTX structure, note userdata + * can be anything the user wishes to be passed to the callback + * associated with the WOLFSSL_CTX */ + XSTRNCPY(passwd, "yassl123", sz); + return 8; + + default: + return BAD_FUNC_ARG; } - return EXPECT_RESULT(); } -#endif +#endif /* TEST_PKCS8_ENC && !NO_TLS */ -static int test_wolfSSL_get_client_ciphers(void) +/* Testing functions dealing with PKCS8 */ +static int test_wolfSSL_PKCS8(void) { EXPECT_DECLS; -#if defined(OPENSSL_ALL) && !defined(NO_RSA) && !defined(NO_CERTS) && \ - !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) && \ - defined(HAVE_ECC) && !defined(NO_TLS) && defined(HAVE_AESGCM) - test_ssl_cbf server_cb; - test_ssl_cbf client_cb; +#if !defined(NO_FILESYSTEM) && !defined(NO_ASN) && defined(HAVE_PKCS8) && \ + !defined(WOLFCRYPT_ONLY) && !defined(NO_TLS) && \ + (!defined(WOLFSSL_NO_TLS12) || defined(WOLFSSL_TLS13)) +#if !defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER) + byte buff[FOURK_BUF]; + byte der[FOURK_BUF]; + #ifndef NO_RSA +#ifdef WOLFSSL_PEM_TO_DER + const char serverKeyPkcs8PemFile[] = "./certs/server-keyPkcs8.pem"; +#endif + const char serverKeyPkcs8DerFile[] = "./certs/server-keyPkcs8.der"; + #endif +#ifdef WOLFSSL_PEM_TO_DER + const char eccPkcs8PrivKeyPemFile[] = "./certs/ecc-privkeyPkcs8.pem"; +#endif + #ifdef HAVE_ECC + const char eccPkcs8PrivKeyDerFile[] = "./certs/ecc-privkeyPkcs8.der"; + #endif + XFILE f = XBADFILE; + int bytes = 0; + WOLFSSL_CTX* ctx = NULL; +#if defined(HAVE_ECC) && !defined(NO_CODING) && !defined(WOLFSSL_NO_PEM) + int ret; + ecc_key key; + word32 x = 0; +#endif +#ifdef TEST_PKCS8_ENC + #if !defined(NO_RSA) && !defined(NO_SHA) + const char serverKeyPkcs8EncPemFile[] = "./certs/server-keyPkcs8Enc.pem"; + const char serverKeyPkcs8EncDerFile[] = "./certs/server-keyPkcs8Enc.der"; + #endif + #if defined(HAVE_ECC) && !defined(NO_SHA) + const char eccPkcs8EncPrivKeyPemFile[] = "./certs/ecc-keyPkcs8Enc.pem"; + const char eccPkcs8EncPrivKeyDerFile[] = "./certs/ecc-keyPkcs8Enc.der"; + #endif + int flag; +#endif - XMEMSET(&client_cb, 0, sizeof(test_ssl_cbf)); - XMEMSET(&server_cb, 0, sizeof(test_ssl_cbf)); - client_cb.method = wolfTLSv1_2_client_method; - server_cb.method = wolfTLSv1_2_server_method; - client_cb.devId = testDevId; - server_cb.devId = testDevId; - client_cb.ctx_ready = test_wolfSSL_get_client_ciphers_ctx_ready; - client_cb.on_result = test_wolfSSL_get_client_ciphers_on_result; - server_cb.on_result = test_wolfSSL_get_client_ciphers_on_result; + (void)der; - ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cb, - &server_cb, NULL), TEST_SUCCESS); +#ifndef NO_WOLFSSL_CLIENT + #ifndef WOLFSSL_NO_TLS12 + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method())); + #else + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method())); + #endif +#else + #ifndef WOLFSSL_NO_TLS12 + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_2_server_method())); + #else + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_server_method())); + #endif #endif - return EXPECT_RESULT(); -} -static int test_wolfSSL_CTX_set_client_CA_list(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_ALL) && !defined(NO_RSA) && !defined(NO_CERTS) && \ - !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) && \ - !defined(NO_BIO) && !defined(NO_TLS) - WOLFSSL_CTX* ctx = NULL; - WOLFSSL* ssl = NULL; - X509_NAME* name = NULL; - STACK_OF(X509_NAME)* names = NULL; - STACK_OF(X509_NAME)* ca_list = NULL; - int names_len = 0; - int i; +#ifdef TEST_PKCS8_ENC + wolfSSL_CTX_set_default_passwd_cb(ctx, PKCS8TestCallBack); + wolfSSL_CTX_set_default_passwd_cb_userdata(ctx, (void*)&flag); + flag = 1; /* used by password callback as return code */ - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); - /* Send two X501 names in cert request */ - names = SSL_load_client_CA_file(cliCertFile); - ExpectNotNull(names); - ca_list = SSL_load_client_CA_file(caCertFile); - ExpectNotNull(ca_list); - ExpectNotNull(name = sk_X509_NAME_value(ca_list, 0)); - ExpectIntEQ(sk_X509_NAME_push(names, name), 2); - if (EXPECT_FAIL()) { - wolfSSL_X509_NAME_free(name); - name = NULL; + #if !defined(NO_RSA) && !defined(NO_SHA) + #if defined(WOLFSSL_PEM_TO_DER) + /* test loading PEM PKCS8 encrypted file */ + ExpectTrue((f = XFOPEN(serverKeyPkcs8EncPemFile, "rb")) != XBADFILE); + ExpectIntGT(bytes = (int)XFREAD(buff, 1, sizeof(buff), f), 0); + if (f != XBADFILE) { + XFCLOSE(f); + f = XBADFILE; } - SSL_CTX_set_client_CA_list(ctx, names); - /* This should only free the stack structure */ - sk_X509_NAME_free(ca_list); - ca_list = NULL; - ExpectNotNull(ca_list = SSL_CTX_get_client_CA_list(ctx)); - ExpectIntEQ(sk_X509_NAME_num(ca_list), sk_X509_NAME_num(names)); + ExpectIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, bytes, + WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS); - ExpectIntEQ(sk_X509_NAME_find(NULL, name), BAD_FUNC_ARG); - ExpectIntEQ(sk_X509_NAME_find(names, NULL), WOLFSSL_FATAL_ERROR); - ExpectIntGT((names_len = sk_X509_NAME_num(names)), 0); - for (i = 0; i < names_len; i++) { - ExpectNotNull(name = sk_X509_NAME_value(names, i)); - ExpectIntEQ(sk_X509_NAME_find(names, name), i); - } + /* this next case should fail because of password callback return code */ + flag = 0; /* used by password callback as return code */ + ExpectIntNE(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, bytes, + WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS); - /* Needed to be able to create ssl object */ - ExpectTrue(SSL_CTX_use_certificate_file(ctx, svrCertFile, - SSL_FILETYPE_PEM)); - ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, SSL_FILETYPE_PEM)); - ExpectNotNull(ssl = wolfSSL_new(ctx)); - /* load again as old names are responsibility of ctx to free*/ - names = SSL_load_client_CA_file(cliCertFile); - ExpectNotNull(names); - SSL_set_client_CA_list(ssl, names); - ExpectNotNull(ca_list = SSL_get_client_CA_list(ssl)); - ExpectIntEQ(sk_X509_NAME_num(ca_list), sk_X509_NAME_num(names)); + /* decrypt PKCS8 PEM to key in DER format with not using WOLFSSL_CTX */ + ExpectIntGT(wc_KeyPemToDer(buff, bytes, der, (word32)sizeof(der), + "yassl123"), 0); - ExpectIntGT((names_len = sk_X509_NAME_num(names)), 0); - for (i = 0; i < names_len; i++) { - ExpectNotNull(name = sk_X509_NAME_value(names, i)); - ExpectIntEQ(sk_X509_NAME_find(names, name), i); + /* test that error value is returned with a bad password */ + ExpectIntLT(wc_KeyPemToDer(buff, bytes, der, (word32)sizeof(der), + "bad"), 0); + #endif + + /* test loading PEM PKCS8 encrypted file */ + ExpectTrue((f = XFOPEN(serverKeyPkcs8EncDerFile, "rb")) != XBADFILE); + ExpectIntGT(bytes = (int)XFREAD(buff, 1, sizeof(buff), f), 0); + if (f != XBADFILE) { + XFCLOSE(f); + f = XBADFILE; } + flag = 1; /* used by password callback as return code */ + ExpectIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, bytes, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); -#if !defined(SINGLE_THREADED) && defined(SESSION_CERTS) - { - tcp_ready ready; - func_args server_args; - callback_functions server_cb; - THREAD_TYPE serverThread; - WOLFSSL* ssl_client = NULL; - WOLFSSL_CTX* ctx_client = NULL; - SOCKET_T sockfd = 0; + /* this next case should fail because of password callback return code */ + flag = 0; /* used by password callback as return code */ + ExpectIntNE(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, bytes, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); + #endif /* !NO_RSA && !NO_SHA */ - /* wolfSSL_get_client_CA_list() with handshake */ + #if defined(HAVE_ECC) && !defined(NO_SHA) + #if defined(WOLFSSL_PEM_TO_DER) + /* test loading PEM PKCS8 encrypted ECC Key file */ + ExpectTrue((f = XFOPEN(eccPkcs8EncPrivKeyPemFile, "rb")) != XBADFILE); + ExpectIntGT(bytes = (int)XFREAD(buff, 1, sizeof(buff), f), 0); + if (f != XBADFILE) { + XFCLOSE(f); + f = XBADFILE; + } + flag = 1; /* used by password callback as return code */ + ExpectIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, bytes, + WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS); - StartTCP(); - InitTcpReady(&ready); + /* this next case should fail because of password callback return code */ + flag = 0; /* used by password callback as return code */ + ExpectIntNE(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, bytes, + WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS); - XMEMSET(&server_args, 0, sizeof(func_args)); - XMEMSET(&server_cb, 0, sizeof(callback_functions)); + /* decrypt PKCS8 PEM to key in DER format with not using WOLFSSL_CTX */ + ExpectIntGT(wc_KeyPemToDer(buff, bytes, der, (word32)sizeof(der), + "yassl123"), 0); - server_args.signal = &ready; - server_args.callbacks = &server_cb; + /* test that error value is returned with a bad password */ + ExpectIntLT(wc_KeyPemToDer(buff, bytes, der, (word32)sizeof(der), + "bad"), 0); + #endif - /* we are responsible for free'ing WOLFSSL_CTX */ - server_cb.ctx = ctx; - server_cb.isSharedCtx = 1; + /* test loading DER PKCS8 encrypted ECC Key file */ + ExpectTrue((f = XFOPEN(eccPkcs8EncPrivKeyDerFile, "rb")) != XBADFILE); + ExpectIntGT(bytes = (int)XFREAD(buff, 1, sizeof(buff), f), 0); + if (f != XBADFILE) { + XFCLOSE(f); + f = XBADFILE; + } + flag = 1; /* used by password callback as return code */ + ExpectIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, bytes, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_load_verify_locations(ctx, - cliCertFile, 0)); + /* this next case should fail because of password callback return code */ + flag = 0; /* used by password callback as return code */ + ExpectIntNE(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, bytes, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); - start_thread(test_server_nofail, &server_args, &serverThread); - wait_tcp_ready(&server_args); + /* leave flag as "okay" */ + flag = 1; + #endif /* HAVE_ECC && !NO_SHA */ +#endif /* TEST_PKCS8_ENC */ - tcp_connect(&sockfd, wolfSSLIP, server_args.signal->port, 0, 0, NULL); - ExpectNotNull(ctx_client = - wolfSSL_CTX_new(wolfTLSv1_2_client_method())); - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_load_verify_locations( - ctx_client, caCertFile, 0)); - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_use_certificate_file( - ctx_client, cliCertFile, SSL_FILETYPE_PEM)); - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_use_PrivateKey_file( - ctx_client, cliKeyFile, SSL_FILETYPE_PEM)); - ExpectNotNull(ssl_client = wolfSSL_new(ctx_client)); - ExpectIntEQ(wolfSSL_set_fd(ssl_client, sockfd), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_connect(ssl_client), WOLFSSL_SUCCESS); +#ifndef NO_RSA + /* test loading ASN.1 (DER) PKCS8 private key file (not encrypted) */ + ExpectTrue((f = XFOPEN(serverKeyPkcs8DerFile, "rb")) != XBADFILE); + ExpectIntGT(bytes = (int)XFREAD(buff, 1, sizeof(buff), f), 0); + if (f != XBADFILE) { + XFCLOSE(f); + f = XBADFILE; + } + ExpectIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, bytes, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); - ExpectNotNull(ca_list = SSL_get_client_CA_list(ssl_client)); - /* We are expecting two cert names to be sent */ - ExpectIntEQ(sk_X509_NAME_num(ca_list), 2); + #ifdef WOLFSSL_PEM_TO_DER + /* test loading PEM PKCS8 private key file (not encrypted) */ + ExpectTrue((f = XFOPEN(serverKeyPkcs8PemFile, "rb")) != XBADFILE); + ExpectIntGT(bytes = (int)XFREAD(buff, 1, sizeof(buff), f), 0); + if (f != XBADFILE) { + XFCLOSE(f); + f = XBADFILE; + } + ExpectIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, bytes, + WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS); + #endif +#endif /* !NO_RSA */ - ExpectNotNull(names = SSL_CTX_get_client_CA_list(ctx)); - for (i=0; icallbacks; - WOLFSSL_CTX* ctx = callbacks->ctx; - WOLFSSL* ssl = NULL; - SOCKET_T sfd = 0; - SOCKET_T cfd = 0; - word16 port; - char input[1024]; - int idx; - int ret, err = 0; - const char* privateName = "ech-private-name.com"; - int privateNameLen = (int)XSTRLEN(privateName); - - ((func_args*)args)->return_code = TEST_FAIL; - port = ((func_args*)args)->signal->port; - - AssertIntEQ(WOLFSSL_SUCCESS, - wolfSSL_CTX_load_verify_locations(ctx, cliCertFile, 0)); - - AssertIntEQ(WOLFSSL_SUCCESS, - wolfSSL_CTX_use_certificate_file(ctx, svrCertFile, - WOLFSSL_FILETYPE_PEM)); - - AssertIntEQ(WOLFSSL_SUCCESS, - wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, - WOLFSSL_FILETYPE_PEM)); - - if (callbacks->ctx_ready) - callbacks->ctx_ready(ctx); - - ssl = wolfSSL_new(ctx); - - /* set the sni for the server */ - wolfSSL_UseSNI(ssl, WOLFSSL_SNI_HOST_NAME, privateName, privateNameLen); - - tcp_accept(&sfd, &cfd, (func_args*)args, port, 0, 0, 0, 0, 1, NULL, NULL); - CloseSocket(sfd); - AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_set_fd(ssl, cfd)); - - if (callbacks->ssl_ready) - callbacks->ssl_ready(ssl); - do { - err = 0; /* Reset error */ - ret = wolfSSL_accept(ssl); - if (ret != WOLFSSL_SUCCESS) { - err = wolfSSL_get_error(ssl, 0); - } - } while (ret != WOLFSSL_SUCCESS && err == WC_NO_ERR_TRACE(WC_PENDING_E)); +static int test_wolfSSL_PKCS8_ED448(void) +{ + EXPECT_DECLS; +#if !defined(NO_ASN) && defined(HAVE_PKCS8) && defined(HAVE_AES_CBC) && \ + defined(WOLFSSL_AES_256) && \ + defined(WOLFSSL_ENCRYPTED_KEYS) && defined(HAVE_ED448) && \ + defined(HAVE_ED448_KEY_IMPORT) + const byte encPrivKey[] = \ + "-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + "MIGrMFcGCSqGSIb3DQEFDTBKMCkGCSqGSIb3DQEFDDAcBAjSbZKnG4EPggICCAAw\n" + "DAYIKoZIhvcNAgkFADAdBglghkgBZQMEASoEEFvCFWBBHBlJBsYleBJlJWcEUNC7\n" + "Tf5pZviT5Btar4D/MNg6BsQHSDf5KW4ix871EsgDY2Zz+euaoWspiMntz7gU+PQu\n" + "T/JJcbD2Ly8BbE3l5WHMifAQqNLxJBfXrHkfYtAo\n" + "-----END ENCRYPTED PRIVATE KEY-----\n"; + const char password[] = "abcdefghijklmnopqrstuvwxyz"; + byte der[FOURK_BUF]; +#if !defined(NO_TLS) && \ + (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) + WOLFSSL_CTX* ctx = NULL; +#endif + int bytes; - if (ret != WOLFSSL_SUCCESS) { - char buff[WOLFSSL_MAX_ERROR_SZ]; - fprintf(stderr, "error = %d, %s\n", err, wolfSSL_ERR_error_string(err, buff)); - } - else { - if (0 < (idx = wolfSSL_read(ssl, input, sizeof(input)-1))) { - input[idx] = 0; - fprintf(stderr, "Client message: %s\n", input); - } + XMEMSET(der, 0, sizeof(der)); + ExpectIntGT((bytes = wc_KeyPemToDer(encPrivKey, sizeof(encPrivKey), der, + (word32)sizeof(der), password)), 0); +#if !defined(NO_TLS) && \ + (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) +#ifndef NO_WOLFSSL_SERVER + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); +#else + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); +#endif + ExpectIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, der, bytes, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); - AssertIntEQ(privateNameLen, wolfSSL_write(ssl, privateName, - privateNameLen)); - ((func_args*)args)->return_code = TEST_SUCCESS; - } + wolfSSL_CTX_free(ctx); +#endif /* !NO_TLS && (!NO_WOLFSSL_CLIENT || !NO_WOLFSSL_SERVER) */ +#endif + return EXPECT_RESULT(); +} - if (callbacks->on_result) - callbacks->on_result(ssl); +/* Testing functions dealing with PKCS5 */ +static int test_wolfSSL_PKCS5(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_SHA) && !defined(NO_PWDBASED) +#ifdef HAVE_FIPS /* Password minimum length is 14 (112-bit) in FIPS MODE */ + const char* passwd = "myfipsPa$$W0rd"; +#else + const char *passwd = "pass1234"; +#endif + const unsigned char *salt = (unsigned char *)"salt1234"; + unsigned char *out = (unsigned char *)XMALLOC(WC_SHA_DIGEST_SIZE, NULL, + DYNAMIC_TYPE_TMP_BUFFER); + int ret = 0; - wolfSSL_shutdown(ssl); - wolfSSL_free(ssl); - wolfSSL_CTX_free(ctx); - CloseSocket(cfd); + ExpectNotNull(out); + ExpectIntEQ(ret = PKCS5_PBKDF2_HMAC_SHA1(passwd,(int)XSTRLEN(passwd), salt, + (int)XSTRLEN((const char *) salt), 10, WC_SHA_DIGEST_SIZE,out), + WOLFSSL_SUCCESS); -#ifdef FP_ECC - wc_ecc_fp_free(); +#ifdef WOLFSSL_SHA512 + ExpectIntEQ(ret = PKCS5_PBKDF2_HMAC(passwd,(int)XSTRLEN(passwd), salt, + (int)XSTRLEN((const char *) salt), 10, wolfSSL_EVP_sha512(), + WC_SHA_DIGEST_SIZE, out), SSL_SUCCESS); #endif - WOLFSSL_RETURN_FROM_THREAD(0); + XFREE(out, NULL, DYNAMIC_TYPE_TMP_BUFFER); +#endif /* defined(OPENSSL_EXTRA) && !defined(NO_SHA) */ + return EXPECT_RESULT(); } -#endif /* HAVE_ECH && WOLFSSL_TLS13 */ -#if defined(OPENSSL_EXTRA) && defined(HAVE_SECRET_CALLBACK) -static void keyLog_callback(const WOLFSSL* ssl, const char* line) +/* test parsing URI from certificate */ +static int test_wolfSSL_URI(void) { - XFILE fp; - const byte lf = '\n'; + EXPECT_DECLS; +#if !defined(NO_CERTS) && !defined(NO_RSA) && !defined(NO_FILESYSTEM) \ + && (defined(KEEP_PEER_CERT) || defined(SESSION_CERTS) || \ + defined(OPENSSL_EXTRA)) + WOLFSSL_X509* x509 = NULL; + const char uri[] = "./certs/client-uri-cert.pem"; + const char urn[] = "./certs/client-absolute-urn.pem"; + const char badUri[] = "./certs/client-relative-uri.pem"; - AssertNotNull(ssl); - AssertNotNull(line); + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(uri, + WOLFSSL_FILETYPE_PEM)); + wolfSSL_FreeX509(x509); + x509 = NULL; - fp = XFOPEN("./MyKeyLog.txt", "a"); - XFWRITE(line, 1, XSTRLEN(line), fp); - XFWRITE((void*)&lf, 1, 1, fp); - XFFLUSH(fp); - XFCLOSE(fp); + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(urn, + WOLFSSL_FILETYPE_PEM)); + wolfSSL_FreeX509(x509); + x509 = NULL; + +#if !defined(IGNORE_NAME_CONSTRAINTS) && !defined(WOLFSSL_NO_ASN_STRICT) \ + && !defined(WOLFSSL_FPKI) + ExpectNull(x509 = wolfSSL_X509_load_certificate_file(badUri, + WOLFSSL_FILETYPE_PEM)); +#else + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(badUri, + WOLFSSL_FILETYPE_PEM)); +#endif + wolfSSL_FreeX509(x509); +#endif + return EXPECT_RESULT(); } -#endif /* OPENSSL_EXTRA && HAVE_SECRET_CALLBACK */ -static int test_wolfSSL_CTX_set_keylog_callback(void) + + +#if !defined(NO_DH) && !defined(NO_AES) && defined(WOLFSSL_CERT_GEN) && \ + defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \ + defined(OPENSSL_EXTRA) && !defined(NO_ASN_TIME) +/* create certificate with version 2 */ +static int test_set_x509_badversion(WOLFSSL_CTX* ctx) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && defined(HAVE_SECRET_CALLBACK) && \ - !defined(NO_WOLFSSL_CLIENT) - SSL_CTX* ctx = NULL; + WOLFSSL_X509 *x509 = NULL, *x509v2 = NULL; + WOLFSSL_EVP_PKEY *priv = NULL, *pub = NULL; + unsigned char *der = NULL, *key = NULL, *pt; + char *header = NULL, *name = NULL; + int derSz; + long keySz; + XFILE fp = XBADFILE; + WOLFSSL_ASN1_TIME *notBefore = NULL, *notAfter = NULL; + time_t t; + + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFile, + WOLFSSL_FILETYPE_PEM)); + + ExpectTrue((fp = XFOPEN(cliKeyFile, "rb")) != XBADFILE); + ExpectIntEQ(wolfSSL_PEM_read(fp, &name, &header, &key, &keySz), + WOLFSSL_SUCCESS); + if (fp != XBADFILE) + XFCLOSE(fp); + pt = key; + ExpectNotNull(priv = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL, + (const unsigned char**)&pt, keySz)); + + + /* create the version 2 certificate */ + ExpectNotNull(x509v2 = X509_new()); + ExpectIntEQ(wolfSSL_X509_set_version(x509v2, 1), WOLFSSL_SUCCESS); + + ExpectIntEQ(wolfSSL_X509_set_subject_name(x509v2, + wolfSSL_X509_get_subject_name(x509)), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509v2, + wolfSSL_X509_get_issuer_name(x509)), WOLFSSL_SUCCESS); + ExpectNotNull(pub = wolfSSL_X509_get_pubkey(x509)); + ExpectIntEQ(X509_set_pubkey(x509v2, pub), WOLFSSL_SUCCESS); + + t = time(NULL); + ExpectNotNull(notBefore = wolfSSL_ASN1_TIME_adj(NULL, t, 0, 0)); + ExpectNotNull(notAfter = wolfSSL_ASN1_TIME_adj(NULL, t, 365, 0)); + ExpectTrue(wolfSSL_X509_set_notBefore(x509v2, notBefore)); + ExpectTrue(wolfSSL_X509_set_notAfter(x509v2, notAfter)); + + ExpectIntGT(wolfSSL_X509_sign(x509v2, priv, EVP_sha256()), 0); + derSz = wolfSSL_i2d_X509(x509v2, &der); + ExpectIntGT(derSz, 0); + ExpectIntEQ(wolfSSL_CTX_use_certificate_buffer(ctx, der, derSz, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); + /* TODO: Replace with API call */ + XFREE(der, HEAP_HINT, DYNAMIC_TYPE_OPENSSL); + XFREE(key, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(name, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(header, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + wolfSSL_X509_free(x509); + wolfSSL_X509_free(x509v2); + wolfSSL_EVP_PKEY_free(priv); + wolfSSL_EVP_PKEY_free(pub); + wolfSSL_ASN1_TIME_free(notBefore); + wolfSSL_ASN1_TIME_free(notAfter); - ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); - SSL_CTX_set_keylog_callback(ctx, keyLog_callback ); - SSL_CTX_free(ctx); - SSL_CTX_set_keylog_callback(NULL, NULL); -#endif /* OPENSSL_EXTRA && HAVE_SECRET_CALLBACK && !NO_WOLFSSL_CLIENT */ return EXPECT_RESULT(); } -static int test_wolfSSL_CTX_get_keylog_callback(void) + + +/* override certificate version error */ +static int test_override_x509(int preverify, WOLFSSL_X509_STORE_CTX* store) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && defined(HAVE_SECRET_CALLBACK) && \ - !defined(NO_WOLFSSL_CLIENT) - SSL_CTX* ctx = NULL; - - ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); - ExpectPtrEq(SSL_CTX_get_keylog_callback(ctx),NULL); - SSL_CTX_set_keylog_callback(ctx, keyLog_callback ); - ExpectPtrEq(SSL_CTX_get_keylog_callback(ctx),keyLog_callback); - SSL_CTX_set_keylog_callback(ctx, NULL ); - ExpectPtrEq(SSL_CTX_get_keylog_callback(ctx),NULL); - SSL_CTX_free(ctx); -#endif /* OPENSSL_EXTRA && HAVE_SECRET_CALLBACK && !NO_WOLFSSL_CLIENT */ - return EXPECT_RESULT(); +#ifndef OPENSSL_COMPATIBLE_DEFAULTS + ExpectIntEQ(store->error, WC_NO_ERR_TRACE(ASN_VERSION_E)); +#else + ExpectIntEQ(store->error, 0); +#endif + ExpectIntEQ((int)wolfSSL_X509_get_version(store->current_cert), 1); + (void)preverify; + return EXPECT_RESULT() == TEST_SUCCESS; } -#if defined(OPENSSL_EXTRA) && defined(HAVE_SECRET_CALLBACK) -static int test_wolfSSL_Tls12_Key_Logging_client_ctx_ready(WOLFSSL_CTX* ctx) + +/* set verify callback that will override bad certificate version */ +static int test_set_override_x509(WOLFSSL_CTX* ctx) { - /* set keylog callback */ - wolfSSL_CTX_set_keylog_callback(ctx, keyLog_callback); + wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, test_override_x509); return TEST_SUCCESS; } #endif -static int test_wolfSSL_Tls12_Key_Logging_test(void) + +static int test_wolfSSL_X509_TLS_version_test_1(void) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && defined(HAVE_SECRET_CALLBACK) - /* This test is intended for checking whether keylog callback is called - * in client during TLS handshake between the client and a server. - */ - test_ssl_cbf server_cbf; - test_ssl_cbf client_cbf; - XFILE fp = XBADFILE; - char buff[500]; - int found = 0; +#if !defined(NO_DH) && !defined(NO_AES) && defined(WOLFSSL_CERT_GEN) && \ + defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \ + defined(OPENSSL_EXTRA) && !defined(NO_ASN_TIME) + test_ssl_cbf func_cb_client; + test_ssl_cbf func_cb_server; - XMEMSET(&server_cbf, 0, sizeof(test_ssl_cbf)); - XMEMSET(&client_cbf, 0, sizeof(test_ssl_cbf)); - server_cbf.method = wolfTLSv1_2_server_method; - client_cbf.ctx_ready = &test_wolfSSL_Tls12_Key_Logging_client_ctx_ready; + /* test server rejects a client certificate that is not version 3 */ + XMEMSET(&func_cb_client, 0, sizeof(func_cb_client)); + XMEMSET(&func_cb_server, 0, sizeof(func_cb_server)); - /* clean up keylog file */ - ExpectTrue((fp = XFOPEN("./MyKeyLog.txt", "w")) != XBADFILE); - if (fp != XBADFILE) { - XFFLUSH(fp); - XFCLOSE(fp); - fp = XBADFILE; - } + func_cb_client.ctx_ready = &test_set_x509_badversion; +#ifndef WOLFSSL_NO_TLS12 + func_cb_client.method = wolfTLSv1_2_client_method; +#else + func_cb_client.method = wolfTLSv1_3_client_method; +#endif - ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cbf, - &server_cbf, NULL), TEST_SUCCESS); +#ifndef WOLFSSL_NO_TLS12 + func_cb_server.method = wolfTLSv1_2_server_method; +#else + func_cb_server.method = wolfTLSv1_3_server_method; +#endif - /* check if the keylog file exists */ - ExpectTrue((fp = XFOPEN("./MyKeyLog.txt", "rb")) != XBADFILE); - XFFLUSH(fp); /* Just to make sure any buffers get flushed */ +#ifndef OPENSSL_COMPATIBLE_DEFAULTS + ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&func_cb_client, + &func_cb_server, NULL), -1001); +#else + ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&func_cb_client, + &func_cb_server, NULL), TEST_SUCCESS); +#endif +#endif - XMEMSET(buff, 0, sizeof(buff)); - while (EXPECT_SUCCESS() && XFGETS(buff, (int)sizeof(buff), fp) != NULL) { - if (0 == strncmp(buff,"CLIENT_RANDOM ", sizeof("CLIENT_RANDOM ")-1)) { - found = 1; - break; - } - } - if (fp != XBADFILE) { - XFCLOSE(fp); - } - /* a log starting with "CLIENT_RANDOM " should exit in the file */ - ExpectIntEQ(found, 1); - /* clean up */ - ExpectIntEQ(rem_file("./MyKeyLog.txt"), 0); -#endif /* OPENSSL_EXTRA && HAVE_SECRET_CALLBACK */ return EXPECT_RESULT(); } -#if defined(WOLFSSL_TLS13) && defined(OPENSSL_EXTRA) && \ - defined(HAVE_SECRET_CALLBACK) -static int test_wolfSSL_Tls13_Key_Logging_client_ctx_ready(WOLFSSL_CTX* ctx) +static int test_wolfSSL_X509_TLS_version_test_2(void) { - /* set keylog callback */ - wolfSSL_CTX_set_keylog_callback(ctx, keyLog_callback); - return TEST_SUCCESS; -} + EXPECT_DECLS; +#if !defined(NO_DH) && !defined(NO_AES) && defined(WOLFSSL_CERT_GEN) && \ + defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \ + defined(OPENSSL_EXTRA) && !defined(NO_ASN_TIME) + test_ssl_cbf func_cb_client; + test_ssl_cbf func_cb_server; + + XMEMSET(&func_cb_client, 0, sizeof(func_cb_client)); + XMEMSET(&func_cb_server, 0, sizeof(func_cb_server)); + + func_cb_client.ctx_ready = &test_set_x509_badversion; + func_cb_server.ctx_ready = &test_set_override_x509; +#ifndef WOLFSSL_NO_TLS12 + func_cb_client.method = wolfTLSv1_2_client_method; +#else + func_cb_client.method = wolfTLSv1_3_client_method; #endif -static int test_wolfSSL_Tls13_Key_Logging_test(void) -{ - EXPECT_DECLS; -#if defined(WOLFSSL_TLS13) && defined(OPENSSL_EXTRA) && \ - defined(HAVE_SECRET_CALLBACK) -/* This test is intended for checking whether keylog callback is called - * in client during TLS handshake between the client and a server. - */ - test_ssl_cbf server_cbf; - test_ssl_cbf client_cbf; - XFILE fp = XBADFILE; +#ifndef WOLFSSL_NO_TLS12 + func_cb_server.method = wolfTLSv1_2_server_method; +#else + func_cb_server.method = wolfTLSv1_3_server_method; +#endif - XMEMSET(&server_cbf, 0, sizeof(test_ssl_cbf)); - XMEMSET(&client_cbf, 0, sizeof(test_ssl_cbf)); - server_cbf.method = wolfTLSv1_3_server_method; /* TLS1.3 */ - client_cbf.ctx_ready = &test_wolfSSL_Tls13_Key_Logging_client_ctx_ready; + ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&func_cb_client, + &func_cb_server, NULL), TEST_SUCCESS); +#endif - /* clean up keylog file */ - ExpectTrue((fp = XFOPEN("./MyKeyLog.txt", "w")) != XBADFILE); - if (fp != XBADFILE) { - XFCLOSE(fp); - fp = XBADFILE; - } + return EXPECT_RESULT(); +} - ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cbf, - &server_cbf, NULL), TEST_SUCCESS); +/* Testing function wolfSSL_CTX_SetMinVersion; sets the minimum downgrade + * version allowed. + * POST: 1 on success. + */ +static int test_wolfSSL_CTX_SetMinVersion(void) +{ + int res = TEST_SKIPPED; +#if !defined(NO_WOLFSSL_CLIENT) && !defined(NO_TLS) + int failFlag = WOLFSSL_SUCCESS; + WOLFSSL_CTX* ctx; + int itr; - /* check if the keylog file exists */ - { - char buff[300] = {0}; - int found[4] = {0}; - int numfnd = 0; - int i; + #ifndef NO_OLD_TLS + const int versions[] = { + #ifdef WOLFSSL_ALLOW_TLSV10 + WOLFSSL_TLSV1, + #endif + WOLFSSL_TLSV1_1, + WOLFSSL_TLSV1_2 }; + #elif !defined(WOLFSSL_NO_TLS12) + const int versions[] = { WOLFSSL_TLSV1_2 }; + #elif defined(WOLFSSL_TLS13) + const int versions[] = { WOLFSSL_TLSV1_3 }; + #else + const int versions[0]; + #endif - ExpectTrue((fp = XFOPEN("./MyKeyLog.txt", "rb")) != XBADFILE); + ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()); - while (EXPECT_SUCCESS() && - XFGETS(buff, (int)sizeof(buff), fp) != NULL) { - if (0 == strncmp(buff, "CLIENT_HANDSHAKE_TRAFFIC_SECRET ", - sizeof("CLIENT_HANDSHAKE_TRAFFIC_SECRET ")-1)) { - found[0] = 1; - continue; - } - else if (0 == strncmp(buff, "SERVER_HANDSHAKE_TRAFFIC_SECRET ", - sizeof("SERVER_HANDSHAKE_TRAFFIC_SECRET ")-1)) { - found[1] = 1; - continue; - } - else if (0 == strncmp(buff, "CLIENT_TRAFFIC_SECRET_0 ", - sizeof("CLIENT_TRAFFIC_SECRET_0 ")-1)) { - found[2] = 1; - continue; - } - else if (0 == strncmp(buff, "SERVER_TRAFFIC_SECRET_0 ", - sizeof("SERVER_TRAFFIC_SECRET_0 ")-1)) { - found[3] = 1; - continue; - } - } - if (fp != XBADFILE) - XFCLOSE(fp); - for (i = 0; i < 4; i++) { - if (found[i] != 0) - numfnd++; + for (itr = 0; itr < (int)(sizeof(versions)/sizeof(int)); itr++) { + if (wolfSSL_CTX_SetMinVersion(ctx, *(versions + itr)) + != WOLFSSL_SUCCESS) { + failFlag = WOLFSSL_FAILURE; } - ExpectIntEQ(numfnd, 4); } -#endif /* OPENSSL_EXTRA && HAVE_SECRET_CALLBACK && WOLFSSL_TLS13 */ - return EXPECT_RESULT(); -} -#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH) && \ - defined(HAVE_IO_TESTS_DEPENDENCIES) -static int test_wolfSSL_Tls13_ECH_params(void) -{ - EXPECT_DECLS; -#if !defined(NO_WOLFSSL_CLIENT) - word32 outputLen = 0; - byte testBuf[72]; - WOLFSSL_CTX *ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method()); - WOLFSSL *ssl = wolfSSL_new(ctx); - ExpectNotNull(ctx); - ExpectNotNull(ssl); + wolfSSL_CTX_free(ctx); - /* invalid ctx */ - ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_GenerateEchConfig(NULL, - "ech-public-name.com", 0, 0, 0)); - /* invalid public name */ - ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_GenerateEchConfig(ctx, NULL, 0, - 0, 0)); - /* invalid algorithms */ - ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_GenerateEchConfig(ctx, - "ech-public-name.com", 1000, 1000, 1000)); + res = TEST_RES_CHECK(failFlag == WOLFSSL_SUCCESS); +#endif + return res; - /* invalid ctx */ - ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_SetEchConfigsBase64(NULL, - (char*)testBuf, sizeof(testBuf))); - /* invalid base64 configs */ - ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_SetEchConfigsBase64(ctx, - NULL, sizeof(testBuf))); - /* invalid length */ - ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_SetEchConfigsBase64(ctx, - (char*)testBuf, 0)); +} /* END test_wolfSSL_CTX_SetMinVersion */ - /* invalid ctx */ - ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_SetEchConfigs(NULL, - testBuf, sizeof(testBuf))); - /* invalid configs */ - ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_SetEchConfigs(ctx, - NULL, sizeof(testBuf))); - /* invalid length */ - ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_SetEchConfigs(ctx, - testBuf, 0)); - /* invalid ctx */ - ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_GetEchConfigs(NULL, NULL, - &outputLen)); - /* invalid output len */ - ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_GetEchConfigs(ctx, NULL, NULL)); +/*----------------------------------------------------------------------------* + | OCSP Stapling + *----------------------------------------------------------------------------*/ - /* invalid ssl */ - ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_SetEchConfigsBase64(NULL, - (char*)testBuf, sizeof(testBuf))); - /* invalid configs64 */ - ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_SetEchConfigsBase64(ssl, NULL, - sizeof(testBuf))); - /* invalid size */ - ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_SetEchConfigsBase64(ssl, - (char*)testBuf, 0)); - /* invalid ssl */ - ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_SetEchConfigs(NULL, testBuf, - sizeof(testBuf))); - /* invalid configs */ - ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_SetEchConfigs(ssl, NULL, - sizeof(testBuf))); - /* invalid size */ - ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_SetEchConfigs(ssl, testBuf, 0)); +/* Testing wolfSSL_UseOCSPStapling function. OCSP stapling eliminates the need + * need to contact the CA, lowering the cost of cert revocation checking. + * PRE: HAVE_OCSP and HAVE_CERTIFICATE_STATUS_REQUEST + * POST: 1 returned for success. + */ +static int test_wolfSSL_UseOCSPStapling(void) +{ + EXPECT_DECLS; +#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) && defined(HAVE_OCSP) && \ + !defined(NO_TLS) && !defined(NO_WOLFSSL_CLIENT) + WOLFSSL_CTX* ctx = NULL; + WOLFSSL* ssl = NULL; - /* invalid ssl */ - ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_GetEchConfigs(NULL, NULL, &outputLen)); - /* invalid size */ - ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_GetEchConfigs(ssl, NULL, NULL)); +#ifndef NO_WOLFSSL_CLIENT + #ifndef WOLFSSL_NO_TLS12 + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method())); + #else + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method())); + #endif +#else + #ifndef WOLFSSL_NO_TLS12 + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_2_server_method())); + #else + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_server_method())); + #endif +#endif + ExpectNotNull(ssl = wolfSSL_new(ctx)); + + ExpectIntEQ(wolfSSL_UseOCSPStapling(NULL, WOLFSSL_CSR2_OCSP, + WOLFSSL_CSR2_OCSP_USE_NONCE), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); +#ifndef NO_WOLFSSL_CLIENT + ExpectIntEQ(wolfSSL_UseOCSPStapling(ssl, WOLFSSL_CSR2_OCSP, + WOLFSSL_CSR2_OCSP_USE_NONCE), 1); +#else + ExpectIntEQ(wolfSSL_UseOCSPStapling(ssl, WOLFSSL_CSR2_OCSP, + WOLFSSL_CSR2_OCSP_USE_NONCE), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); +#endif wolfSSL_free(ssl); wolfSSL_CTX_free(ctx); -#endif /* !NO_WOLFSSL_CLIENT */ - +#endif return EXPECT_RESULT(); -} +} /* END test_wolfSSL_UseOCSPStapling */ -static int test_wolfSSL_Tls13_ECH_ex(int hrr) + +/* Testing OCSP stapling version 2, wolfSSL_UseOCSPStaplingV2 function. OCSP + * stapling eliminates the need to contact the CA and lowers cert revocation + * check. + * PRE: HAVE_CERTIFICATE_STATUS_REQUEST_V2 and HAVE_OCSP defined. + */ +static int test_wolfSSL_UseOCSPStaplingV2(void) { EXPECT_DECLS; - tcp_ready ready; - func_args client_args; - func_args server_args; - THREAD_TYPE serverThread; - callback_functions server_cbf; - callback_functions client_cbf; - SOCKET_T sockfd = 0; - WOLFSSL_CTX* ctx = NULL; - WOLFSSL* ssl = NULL; - const char* publicName = "ech-public-name.com"; - const char* privateName = "ech-private-name.com"; - int privateNameLen = 20; - char reply[1024]; - int replyLen = 0; - byte rawEchConfig[128]; - word32 rawEchConfigLen = sizeof(rawEchConfig); - - InitTcpReady(&ready); - ready.port = 22222; - - XMEMSET(&client_args, 0, sizeof(func_args)); - XMEMSET(&server_args, 0, sizeof(func_args)); - XMEMSET(&server_cbf, 0, sizeof(callback_functions)); - XMEMSET(&client_cbf, 0, sizeof(callback_functions)); - server_cbf.method = wolfTLSv1_3_server_method; /* TLS1.3 */ +#if defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) && defined(HAVE_OCSP) && \ + !defined(NO_TLS) && !defined(NO_WOLFSSL_CLIENT) + WOLFSSL_CTX* ctx = NULL; + WOLFSSL* ssl = NULL; - /* create the server context here so we can get the ech config */ - ExpectNotNull(server_cbf.ctx = - wolfSSL_CTX_new(wolfTLSv1_3_server_method())); +#ifndef NO_WOLFSSL_CLIENT + #ifndef WOLFSSL_NO_TLS12 + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method())); + #else + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method())); + #endif +#else + #ifndef WOLFSSL_NO_TLS12 + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_2_server_method())); + #else + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_server_method())); + #endif +#endif + ExpectNotNull(ssl = wolfSSL_new(ctx)); - /* generate ech config */ - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_GenerateEchConfig(server_cbf.ctx, - publicName, 0, 0, 0)); + ExpectIntEQ(wolfSSL_UseOCSPStaplingV2(NULL, WOLFSSL_CSR2_OCSP, + WOLFSSL_CSR2_OCSP_USE_NONCE), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); +#ifndef NO_WOLFSSL_CLIENT + ExpectIntEQ(wolfSSL_UseOCSPStaplingV2(ssl, WOLFSSL_CSR2_OCSP, + WOLFSSL_CSR2_OCSP_USE_NONCE), 1); +#else + ExpectIntEQ(wolfSSL_UseOCSPStaplingV2(ssl, WOLFSSL_CSR2_OCSP, + WOLFSSL_CSR2_OCSP_USE_NONCE), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); +#endif - /* get the config for the client to use */ - ExpectIntEQ(WOLFSSL_SUCCESS, - wolfSSL_CTX_GetEchConfigs(server_cbf.ctx, rawEchConfig, - &rawEchConfigLen)); + wolfSSL_free(ssl); + wolfSSL_CTX_free(ctx); +#endif + return EXPECT_RESULT(); - server_args.callbacks = &server_cbf; - server_args.signal = &ready; +} /* END test_wolfSSL_UseOCSPStaplingV2 */ - /* start server task */ - start_thread(server_task_ech, &server_args, &serverThread); - wait_tcp_ready(&server_args); +/*----------------------------------------------------------------------------* + | Multicast Tests + *----------------------------------------------------------------------------*/ +static int test_wolfSSL_mcast(void) +{ + EXPECT_DECLS; +#if defined(WOLFSSL_DTLS) && defined(WOLFSSL_MULTICAST) && \ + (defined(WOLFSSL_TLS13) || defined(WOLFSSL_SNIFFER)) + WOLFSSL_CTX* ctx = NULL; + WOLFSSL* ssl = NULL; + byte preMasterSecret[512]; + byte clientRandom[32]; + byte serverRandom[32]; + byte suite[2] = {0, 0xfe}; /* WDM_WITH_NULL_SHA256 */ + byte buf[256]; + word16 newId; - /* run as a TLS1.3 client */ - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method())); - ExpectIntEQ(WOLFSSL_SUCCESS, - wolfSSL_CTX_load_verify_locations(ctx, caCertFile, 0)); - ExpectIntEQ(WOLFSSL_SUCCESS, - wolfSSL_CTX_use_certificate_file(ctx, cliCertFile, SSL_FILETYPE_PEM)); - ExpectIntEQ(WOLFSSL_SUCCESS, - wolfSSL_CTX_use_PrivateKey_file(ctx, cliKeyFile, SSL_FILETYPE_PEM)); + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfDTLSv1_2_client_method())); - tcp_connect(&sockfd, wolfSSLIP, server_args.signal->port, 0, 0, NULL); + ExpectIntEQ(wolfSSL_CTX_mcast_set_member_id(ctx, 0), WOLFSSL_SUCCESS); - /* get connected the server task */ ExpectNotNull(ssl = wolfSSL_new(ctx)); - /* set the ech configs for the client */ - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_SetEchConfigs(ssl, rawEchConfig, - rawEchConfigLen)); - - /* set the sni for the client */ - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_UseSNI(ssl, WOLFSSL_SNI_HOST_NAME, - privateName, privateNameLen)); + XMEMSET(preMasterSecret, 0x23, sizeof(preMasterSecret)); + XMEMSET(clientRandom, 0xA5, sizeof(clientRandom)); + XMEMSET(serverRandom, 0x5A, sizeof(serverRandom)); + ExpectIntEQ(wolfSSL_set_secret(ssl, 23, preMasterSecret, + sizeof(preMasterSecret), clientRandom, serverRandom, suite), + WOLFSSL_SUCCESS); - /* force hello retry request */ - if (hrr) - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_NoKeyShares(ssl)); + ExpectIntLE(wolfSSL_mcast_read(ssl, &newId, buf, sizeof(buf)), 0); + ExpectIntLE(newId, 100); - /* connect like normal */ - ExpectIntEQ(wolfSSL_set_fd(ssl, sockfd), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_connect(ssl), WOLFSSL_SUCCESS); - ExpectIntEQ(ssl->options.echAccepted, 1); - ExpectIntEQ(wolfSSL_write(ssl, privateName, privateNameLen), - privateNameLen); - ExpectIntGT((replyLen = wolfSSL_read(ssl, reply, sizeof(reply))), 0); - /* add th null terminator for string compare */ - reply[replyLen] = 0; - /* check that the server replied with the private name */ - ExpectStrEQ(privateName, reply); wolfSSL_free(ssl); wolfSSL_CTX_free(ctx); - - CloseSocket(sockfd); - - join_thread(serverThread); - - FreeTcpReady(&ready); - +#endif /* WOLFSSL_DTLS && WOLFSSL_MULTICAST && (WOLFSSL_TLS13 || + * WOLFSSL_SNIFFER) */ return EXPECT_RESULT(); } -static int test_wolfSSL_Tls13_ECH(void) -{ - return test_wolfSSL_Tls13_ECH_ex(0); -} -static int test_wolfSSL_Tls13_ECH_HRR(void) -{ - return test_wolfSSL_Tls13_ECH_ex(1); -} -#endif /* HAVE_ECH && WOLFSSL_TLS13 */ +/*----------------------------------------------------------------------------* + | Wolfcrypt + *----------------------------------------------------------------------------*/ -#if defined(HAVE_IO_TESTS_DEPENDENCIES) && \ -defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ - defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH) -static int post_auth_version_cb(WOLFSSL* ssl) +/* + * Testing wc_SetKeyUsage() + */ +static int test_wc_SetKeyUsage(void) { EXPECT_DECLS; - /* do handshake and then test version error */ - ExpectIntEQ(wolfSSL_accept(ssl), WOLFSSL_SUCCESS); - ExpectStrEQ("TLSv1.2", wolfSSL_get_version(ssl)); +#if !defined(NO_RSA) && defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_CERT_GEN) && !defined(HAVE_FIPS) + Cert myCert; + + ExpectIntEQ(wc_InitCert(&myCert), 0); + + ExpectIntEQ(wc_SetKeyUsage(&myCert, "keyEncipherment,keyAgreement"), 0); + ExpectIntEQ(wc_SetKeyUsage(&myCert, "digitalSignature,nonRepudiation"), 0); + ExpectIntEQ(wc_SetKeyUsage(&myCert, "contentCommitment,encipherOnly"), 0); + ExpectIntEQ(wc_SetKeyUsage(&myCert, "decipherOnly"), 0); + ExpectIntEQ(wc_SetKeyUsage(&myCert, "cRLSign,keyCertSign"), 0); + + /* Test bad args. */ + ExpectIntEQ(wc_SetKeyUsage(NULL, "decipherOnly"), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wc_SetKeyUsage(&myCert, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wc_SetKeyUsage(&myCert, ""), WC_NO_ERR_TRACE(KEYUSAGE_E)); + ExpectIntEQ(wc_SetKeyUsage(&myCert, ","), WC_NO_ERR_TRACE(KEYUSAGE_E)); + ExpectIntEQ(wc_SetKeyUsage(&myCert, "digitalSignature, cRLSign"), + WC_NO_ERR_TRACE(KEYUSAGE_E)); +#endif return EXPECT_RESULT(); -} +} /* END test_wc_SetKeyUsage */ -static int post_auth_version_client_cb(WOLFSSL* ssl) +#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) +static void sample_mutex_cb (int flag, int type, const char* file, int line) +{ + (void)flag; + (void)type; + (void)file; + (void)line; +} +#endif +/* + * Testing wc_LockMutex_ex + */ +static int test_wc_LockMutex_ex(void) { EXPECT_DECLS; - /* do handshake and then test version error */ - ExpectIntEQ(wolfSSL_connect(ssl), WOLFSSL_SUCCESS); - ExpectStrEQ("TLSv1.2", wolfSSL_get_version(ssl)); - ExpectIntEQ(wolfSSL_verify_client_post_handshake(ssl), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); -#if defined(OPENSSL_ALL) && !defined(NO_ERROR_QUEUE) - /* check was added to error queue */ - ExpectIntEQ(wolfSSL_ERR_get_error(), -WC_NO_ERR_TRACE(UNSUPPORTED_PROTO_VERSION)); +#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) + int flag = CRYPTO_LOCK; + int type = 0; + const char* file = "./test-LockMutex_ex.txt"; + int line = 0; - /* check the string matches expected string */ - #ifndef NO_ERROR_STRINGS - ExpectStrEQ(wolfSSL_ERR_error_string(-WC_NO_ERR_TRACE(UNSUPPORTED_PROTO_VERSION), NULL), - "WRONG_SSL_VERSION"); - #endif + /* without SetMutexCb */ + ExpectIntEQ(wc_LockMutex_ex(flag, type, file, line), WC_NO_ERR_TRACE(BAD_STATE_E)); + /* with SetMutexCb */ + ExpectIntEQ(wc_SetMutexCb(sample_mutex_cb), 0); + ExpectIntEQ(wc_LockMutex_ex(flag, type, file, line), 0); + ExpectIntEQ(wc_SetMutexCb(NULL), 0); #endif return EXPECT_RESULT(); -} - -static int post_auth_cb(WOLFSSL* ssl) +} /* End test_wc_LockMutex_ex*/ +/* + * Testing wc_SetMutexCb + */ +static int test_wc_SetMutexCb(void) { EXPECT_DECLS; - WOLFSSL_X509* x509 = NULL; - /* do handshake and then test version error */ - ExpectIntEQ(wolfSSL_accept(ssl), WOLFSSL_SUCCESS); - ExpectStrEQ("TLSv1.3", wolfSSL_get_version(ssl)); - ExpectNull(x509 = wolfSSL_get_peer_certificate(ssl)); - wolfSSL_X509_free(x509); - ExpectIntEQ(wolfSSL_verify_client_post_handshake(ssl), WOLFSSL_SUCCESS); +#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) + ExpectIntEQ(wc_SetMutexCb(sample_mutex_cb), 0); + ExpectIntEQ(wc_SetMutexCb(NULL), 0); +#endif return EXPECT_RESULT(); -} +} /* End test_wc_SetMutexCb*/ -static int set_post_auth_cb(WOLFSSL* ssl) -{ - if (!wolfSSL_is_server(ssl)) { - EXPECT_DECLS; - ExpectIntEQ(wolfSSL_allow_post_handshake_auth(ssl), 0); - return EXPECT_RESULT(); - } - wolfSSL_set_verify(ssl, WOLFSSL_VERIFY_POST_HANDSHAKE, NULL); - return TEST_SUCCESS; -} -#endif -static int test_wolfSSL_Tls13_postauth(void) +/* + * Testing ToTraditional + */ +static int test_ToTraditional(void) { EXPECT_DECLS; -#if defined(HAVE_IO_TESTS_DEPENDENCIES) && \ - defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ - defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH) - test_ssl_cbf server_cbf; - test_ssl_cbf client_cbf; - - /* test version failure doing post auth with TLS 1.2 connection */ - XMEMSET(&server_cbf, 0, sizeof(server_cbf)); - XMEMSET(&client_cbf, 0, sizeof(client_cbf)); - server_cbf.method = wolfTLSv1_2_server_method; - server_cbf.ssl_ready = set_post_auth_cb; - server_cbf.on_result = post_auth_version_cb; - client_cbf.ssl_ready = set_post_auth_cb; - client_cbf.on_result = post_auth_version_client_cb; - - ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cbf, - &server_cbf, NULL), TEST_SUCCESS); +#if !defined(NO_ASN) && (defined(HAVE_PKCS8) || defined(HAVE_PKCS12)) && \ + (defined(WOLFSSL_TEST_CERT) || defined(OPENSSL_EXTRA) || \ + defined(OPENSSL_EXTRA_X509_SMALL)) && !defined(NO_FILESYSTEM) + XFILE f = XBADFILE; + byte input[TWOK_BUF]; + word32 sz = 0; - /* tests on post auth with TLS 1.3 */ - XMEMSET(&server_cbf, 0, sizeof(server_cbf)); - XMEMSET(&client_cbf, 0, sizeof(client_cbf)); - server_cbf.method = wolfTLSv1_3_server_method; - server_cbf.ssl_ready = set_post_auth_cb; - client_cbf.ssl_ready = set_post_auth_cb; - server_cbf.on_result = post_auth_cb; - client_cbf.on_result = NULL; + ExpectTrue((f = XFOPEN("./certs/server-keyPkcs8.der", "rb")) != XBADFILE); + ExpectTrue((sz = (word32)XFREAD(input, 1, sizeof(input), f)) > 0); + if (f != XBADFILE) + XFCLOSE(f); - ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cbf, - &server_cbf, NULL), TEST_SUCCESS); + /* Good case */ + ExpectIntGT(ToTraditional(input, sz), 0); + /* Bad cases */ + ExpectIntEQ(ToTraditional(NULL, 0), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(ToTraditional(NULL, sz), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); +#ifdef WOLFSSL_ASN_TEMPLATE + ExpectIntEQ(ToTraditional(input, 0), WC_NO_ERR_TRACE(BUFFER_E)); +#else + ExpectIntEQ(ToTraditional(input, 0), WC_NO_ERR_TRACE(ASN_PARSE_E)); +#endif #endif return EXPECT_RESULT(); -} +} /* End test_ToTraditional*/ -static int test_wolfSSL_CTX_set_srp_username(void) +/* + * Testing wc_SetSubjectBuffer + */ +static int test_wc_SetSubjectBuffer(void) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && defined(WOLFCRYPT_HAVE_SRP) && \ - !defined(NO_SHA256) && !defined(WC_NO_RNG) && !defined(NO_TLS) && \ - !defined(NO_WOLFSSL_CLIENT) - WOLFSSL_CTX* ctx = NULL; - WOLFSSL* ssl = NULL; - const char *username = "TESTUSER"; - const char *password = "TESTPASSWORD"; - - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); - ExpectIntEQ(wolfSSL_CTX_set_srp_username(ctx, (char *)username), - SSL_SUCCESS); - wolfSSL_CTX_free(ctx); - ctx = NULL; +#if defined(WOLFSSL_CERT_GEN) && !defined(NO_RSA) && !defined(NO_FILESYSTEM) + Cert cert; + XFILE file = XBADFILE; + byte* der = NULL; + word32 derSz; - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); - ExpectIntEQ(wolfSSL_CTX_set_srp_password(ctx, (char *)password), - SSL_SUCCESS); - ExpectIntEQ(wolfSSL_CTX_set_srp_username(ctx, (char *)username), - SSL_SUCCESS); + derSz = FOURK_BUF; + ExpectNotNull(der = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, + DYNAMIC_TYPE_TMP_BUFFER)); + ExpectTrue((file = XFOPEN("./certs/ca-cert.der", "rb")) != XBADFILE); + ExpectTrue((derSz = (word32)XFREAD(der, 1, FOURK_BUF, file)) > 0); + if (file != XBADFILE) + XFCLOSE(file); - ExpectNotNull(ssl = SSL_new(ctx)); - ExpectNotNull(SSL_get_srp_username(ssl)); - ExpectStrEQ(SSL_get_srp_username(ssl), username); + ExpectIntEQ(wc_InitCert(&cert), 0); + ExpectIntEQ(wc_SetSubjectBuffer(&cert, der, (int)derSz), 0); + ExpectIntEQ(wc_SetSubjectBuffer(NULL, der, (int)derSz), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - wolfSSL_free(ssl); - wolfSSL_CTX_free(ctx); -#endif /* OPENSSL_EXTRA && WOLFCRYPT_HAVE_SRP */ - /* && !NO_SHA256 && !WC_NO_RNG && !NO_WOLFSSL_CLIENT */ + XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); +#endif return EXPECT_RESULT(); -} +} /* End test_wc_SetSubjectBuffer*/ -static int test_wolfSSL_CTX_set_srp_password(void) +/* + * Testing wc_SetSubjectKeyIdFromPublicKey_ex + */ +static int test_wc_SetSubjectKeyIdFromPublicKey_ex(void) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && defined(WOLFCRYPT_HAVE_SRP) && \ - !defined(NO_SHA256) && !defined(WC_NO_RNG) && !defined(NO_TLS) && \ - !defined(NO_WOLFSSL_CLIENT) - WOLFSSL_CTX* ctx = NULL; - const char *username = "TESTUSER"; - const char *password = "TESTPASSWORD"; +#if defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_CERT_GEN) + WC_RNG rng; + Cert cert; +#if !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) + RsaKey rsaKey; + int bits = 2048; +#endif +#if defined(HAVE_ECC) + ecc_key eccKey; + int ret; +#endif +#if defined(HAVE_ED25519) && defined(HAVE_ED25519_KEY_EXPORT) + ed25519_key ed25519Key; +#endif +#if defined(HAVE_ED448) && defined(HAVE_ED448_KEY_EXPORT) + ed448_key ed448Key; +#endif - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); - ExpectIntEQ(wolfSSL_CTX_set_srp_password(ctx, (char *)password), - SSL_SUCCESS); - wolfSSL_CTX_free(ctx); - ctx = NULL; +#ifndef HAVE_FIPS + ExpectIntEQ(wc_InitRng_ex(&rng, HEAP_HINT, testDevId), 0); +#else + ExpectIntEQ(wc_InitRng(&rng), 0); +#endif - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); - ExpectIntEQ(wolfSSL_CTX_set_srp_username(ctx, (char *)username), - SSL_SUCCESS); - ExpectIntEQ(wolfSSL_CTX_set_srp_password(ctx, (char *)password), - SSL_SUCCESS); - wolfSSL_CTX_free(ctx); -#endif /* OPENSSL_EXTRA && WOLFCRYPT_HAVE_SRP */ - /* && !NO_SHA256 && !WC_NO_RNG && !NO_WOLFSSL_CLIENT */ - return EXPECT_RESULT(); -} + ExpectIntEQ(wc_InitCert(&cert), 0); -#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_TLS) && \ - !defined(NO_FILESYSTEM) && !defined(NO_RSA) -#define TEST_ARG 0x1234 -static void msg_cb(int write_p, int version, int content_type, - const void *buf, size_t len, SSL *ssl, void *arg) -{ - (void)write_p; - (void)version; - (void)content_type; - (void)buf; - (void)len; - (void)ssl; +#if !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) + /* RSA */ + XMEMSET(&rsaKey, 0, sizeof(RsaKey)); + ExpectIntEQ(wc_InitRsaKey(&rsaKey, HEAP_HINT), 0); + ExpectIntEQ(MAKE_RSA_KEY(&rsaKey, bits, WC_RSA_EXPONENT, &rng), 0); + ExpectIntEQ(wc_SetSubjectKeyIdFromPublicKey_ex(&cert, RSA_TYPE, &rsaKey), + 0); + DoExpectIntEQ(wc_FreeRsaKey(&rsaKey), 0); +#endif - AssertTrue(arg == (void*)TEST_ARG); -} +#if defined(HAVE_ECC) + /* ECC */ + XMEMSET(&eccKey, 0, sizeof(ecc_key)); + ExpectIntEQ(wc_ecc_init(&eccKey), 0); + ret = wc_ecc_make_key(&rng, KEY14, &eccKey); +#if defined(WOLFSSL_ASYNC_CRYPT) + ret = wc_AsyncWait(ret, &eccKey.asyncDev, WC_ASYNC_FLAG_NONE); +#endif + ExpectIntEQ(ret, 0); + ExpectIntEQ(wc_SetSubjectKeyIdFromPublicKey_ex(&cert, ECC_TYPE, &eccKey), + 0); + DoExpectIntEQ(wc_ecc_free(&eccKey), 0); #endif -#if defined(OPENSSL_EXTRA) && defined(DEBUG_WOLFSSL) && \ - defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) -#if defined(SESSION_CERTS) -#include "wolfssl/internal.h" +#if defined(HAVE_ED25519) && defined(HAVE_ED25519_KEY_EXPORT) + /* ED25519 */ + XMEMSET(&ed25519Key, 0, sizeof(ed25519_key)); + ExpectIntEQ(wc_ed25519_init(&ed25519Key), 0); + ExpectIntEQ(wc_ed25519_make_key(&rng, ED25519_KEY_SIZE, &ed25519Key), 0); + ExpectIntEQ(wc_SetSubjectKeyIdFromPublicKey_ex(&cert, ED25519_TYPE, + &ed25519Key), 0); + wc_ed25519_free(&ed25519Key); #endif -static int msgSrvCb(SSL_CTX *ctx, SSL *ssl) + +#if defined(HAVE_ED448) && defined(HAVE_ED448_KEY_EXPORT) + /* ED448 */ + XMEMSET(&ed448Key, 0, sizeof(ed448_key)); + ExpectIntEQ(wc_ed448_init(&ed448Key), 0); + ExpectIntEQ(wc_ed448_make_key(&rng, ED448_KEY_SIZE, &ed448Key), 0); + ExpectIntEQ(wc_SetSubjectKeyIdFromPublicKey_ex(&cert, ED448_TYPE, + &ed448Key), 0); + wc_ed448_free(&ed448Key); +#endif + + wc_FreeRng(&rng); + DoExpectIntEQ(wc_FreeRng(&rng), 0); +#endif /* WOLFSSL_CERT_EXT && WOLFSSL_CERT_GEN */ + return EXPECT_RESULT(); +} /* End test_wc_SetSubjectKeyIdFromPublicKey_ex*/ + +/* + * Testing wc_SetAuthKeyIdFromPublicKey_ex + */ +static int test_wc_SetAuthKeyIdFromPublicKey_ex(void) { EXPECT_DECLS; -#if defined(OPENSSL_ALL) && defined(SESSION_CERTS) && !defined(NO_BIO) - STACK_OF(X509)* sk = NULL; - X509* x509 = NULL; - int i, num; - BIO* bio = NULL; +#if defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_CERT_GEN) + WC_RNG rng; + Cert cert; +#if !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) + RsaKey rsaKey; + int bits = 2048; +#endif +#if defined(HAVE_ECC) + ecc_key eccKey; + int ret; +#endif +#if defined(HAVE_ED25519) && defined(HAVE_ED25519_KEY_EXPORT) + ed25519_key ed25519Key; +#endif +#if defined(HAVE_ED448) && defined(HAVE_ED448_KEY_EXPORT) + ed448_key ed448Key; #endif - ExpectNotNull(ctx); - ExpectNotNull(ssl); +#ifndef HAVE_FIPS + ExpectIntEQ(wc_InitRng_ex(&rng, HEAP_HINT, testDevId), 0); +#else + ExpectIntEQ(wc_InitRng(&rng), 0); +#endif - fprintf(stderr, "\n===== msgSrvCb called ====\n"); -#if defined(SESSION_CERTS) && defined(TEST_PEER_CERT_CHAIN) - ExpectTrue(SSL_get_peer_cert_chain(ssl) != NULL); - ExpectIntEQ(((WOLFSSL_X509_CHAIN *)SSL_get_peer_cert_chain(ssl))->count, 2); - ExpectNotNull(SSL_get0_verified_chain(ssl)); + ExpectIntEQ(wc_InitCert(&cert), 0); + +#if !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) + /* RSA */ + XMEMSET(&rsaKey, 0, sizeof(RsaKey)); + ExpectIntEQ(wc_InitRsaKey(&rsaKey, HEAP_HINT), 0); + ExpectIntEQ(MAKE_RSA_KEY(&rsaKey, bits, WC_RSA_EXPONENT, &rng), 0); + ExpectIntEQ(wc_SetAuthKeyIdFromPublicKey_ex(&cert, RSA_TYPE, &rsaKey), 0); + DoExpectIntEQ(wc_FreeRsaKey(&rsaKey), 0); #endif -#if defined(OPENSSL_ALL) && defined(SESSION_CERTS) && !defined(NO_BIO) -#ifdef KEEP_PEER_CERT - { - WOLFSSL_X509* peer = NULL; - ExpectNotNull(peer= wolfSSL_get_peer_certificate(ssl)); - ExpectNotNull(bio = BIO_new_fp(stderr, BIO_NOCLOSE)); - fprintf(stderr, "Peer Certificate = :\n"); - X509_print(bio, peer); - X509_free(peer); - } +#if defined(HAVE_ECC) + /* ECC */ + XMEMSET(&eccKey, 0, sizeof(ecc_key)); + ExpectIntEQ(wc_ecc_init(&eccKey), 0); + ret = wc_ecc_make_key(&rng, KEY14, &eccKey); +#if defined(WOLFSSL_ASYNC_CRYPT) + ret = wc_AsyncWait(ret, &eccKey.asyncDev, WC_ASYNC_FLAG_NONE); +#endif + ExpectIntEQ(ret, 0); + ExpectIntEQ(wc_SetAuthKeyIdFromPublicKey_ex(&cert, ECC_TYPE, &eccKey), 0); + DoExpectIntEQ(wc_ecc_free(&eccKey), 0); +#endif + +#if defined(HAVE_ED25519) && defined(HAVE_ED25519_KEY_EXPORT) + /* ED25519 */ + XMEMSET(&ed25519Key, 0, sizeof(ed25519_key)); + ExpectIntEQ(wc_ed25519_init(&ed25519Key), 0); + ExpectIntEQ(wc_ed25519_make_key(&rng, ED25519_KEY_SIZE, &ed25519Key), 0); + ExpectIntEQ(wc_SetAuthKeyIdFromPublicKey_ex(&cert, ED25519_TYPE, + &ed25519Key), 0); + wc_ed25519_free(&ed25519Key); +#endif + +#if defined(HAVE_ED448) && defined(HAVE_ED448_KEY_EXPORT) + /* ED448 */ + XMEMSET(&ed448Key, 0, sizeof(ed448_key)); + ExpectIntEQ(wc_ed448_init(&ed448Key), 0); + ExpectIntEQ(wc_ed448_make_key(&rng, ED448_KEY_SIZE, &ed448Key), 0); + ExpectIntEQ(wc_SetAuthKeyIdFromPublicKey_ex(&cert, ED448_TYPE, &ed448Key), + 0); + wc_ed448_free(&ed448Key); #endif - ExpectNotNull(sk = SSL_get_peer_cert_chain(ssl)); - if (sk == NULL) { - BIO_free(bio); - return TEST_FAIL; - } - num = sk_X509_num(sk); - ExpectTrue(num > 0); - for (i = 0; i < num; i++) { - ExpectNotNull(x509 = sk_X509_value(sk,i)); - if (x509 == NULL) - break; - fprintf(stderr, "Certificate at index [%d] = :\n",i); - X509_print(bio,x509); - fprintf(stderr, "\n\n"); - } - BIO_free(bio); + DoExpectIntEQ(wc_FreeRng(&rng), 0); +#endif /* defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_CERT_GEN)*/ + return EXPECT_RESULT(); +} /* End test_wc_SetAuthKeyIdFromPublicKey_ex*/ + +static int test_wolfSSL_lhash(void) +{ + EXPECT_DECLS; +#ifdef OPENSSL_ALL + const char testStr[] = "Like a true nature's child\n" + "We were born\n" + "Born to be wild"; + +#ifdef NO_SHA + ExpectIntEQ(lh_strhash(testStr), 0xf9dc8a43); +#else + ExpectIntEQ(lh_strhash(testStr), 0x5b7541dc); +#endif #endif return EXPECT_RESULT(); } -static int msgCb(SSL_CTX *ctx, SSL *ssl) +static int test_wc_PemToDer(void) { EXPECT_DECLS; -#if defined(OPENSSL_ALL) && defined(SESSION_CERTS) && !defined(NO_BIO) - STACK_OF(X509)* sk = NULL; - X509* x509 = NULL; - int i, num; - BIO* bio = NULL; -#endif +#if !defined(NO_CERTS) && defined(WOLFSSL_PEM_TO_DER) && !defined(NO_FILESYSTEM) + int ret; + DerBuffer* pDer = NULL; + const char* ca_cert = "./certs/server-cert.pem"; + const char* trusted_cert = "./certs/test/ossl-trusted-cert.pem"; + byte* cert_buf = NULL; + size_t cert_sz = 0; + int eccKey = 0; + EncryptedInfo info; - ExpectNotNull(ctx); - ExpectNotNull(ssl); + XMEMSET(&info, 0, sizeof(info)); - fprintf(stderr, "\n===== msgcb called ====\n"); -#if defined(SESSION_CERTS) && defined(TEST_PEER_CERT_CHAIN) - ExpectTrue(SSL_get_peer_cert_chain(ssl) != NULL); - ExpectIntEQ(((WOLFSSL_X509_CHAIN *)SSL_get_peer_cert_chain(ssl))->count, 2); - ExpectNotNull(SSL_get0_verified_chain(ssl)); -#endif + ExpectIntEQ(ret = load_file(ca_cert, &cert_buf, &cert_sz), 0); + ExpectIntEQ(ret = wc_PemToDer(cert_buf, (long int)cert_sz, CERT_TYPE, &pDer, NULL, + &info, &eccKey), 0); + wc_FreeDer(&pDer); + pDer = NULL; -#if defined(OPENSSL_ALL) && defined(SESSION_CERTS) && !defined(NO_BIO) - ExpectNotNull(bio = BIO_new_fp(stderr, BIO_NOCLOSE)); - ExpectNotNull(sk = SSL_get_peer_cert_chain(ssl)); - if (sk == NULL) { - BIO_free(bio); - return TEST_FAIL; + if (cert_buf != NULL) { + free(cert_buf); + cert_buf = NULL; } - num = sk_X509_num(sk); - ExpectTrue(num > 0); - for (i = 0; i < num; i++) { - ExpectNotNull(x509 = sk_X509_value(sk,i)); - if (x509 == NULL) - break; - fprintf(stderr, "Certificate at index [%d] = :\n",i); - X509_print(bio,x509); - fprintf(stderr, "\n\n"); + + /* Test that -----BEGIN TRUSTED CERTIFICATE----- banner parses OK */ + ExpectIntEQ(ret = load_file(trusted_cert, &cert_buf, &cert_sz), 0); + ExpectIntEQ(ret = wc_PemToDer(cert_buf, (long int)cert_sz, TRUSTED_CERT_TYPE, &pDer, NULL, + &info, &eccKey), 0); + wc_FreeDer(&pDer); + pDer = NULL; + + if (cert_buf != NULL) { + free(cert_buf); + cert_buf = NULL; + } + +#ifdef HAVE_ECC + { + const char* ecc_private_key = "./certs/ecc-privOnlyKey.pem"; + byte key_buf[256] = {0}; + + /* Test fail of loading a key with cert type */ + ExpectIntEQ(load_file(ecc_private_key, &cert_buf, &cert_sz), 0); + key_buf[0] = '\n'; + ExpectNotNull(XMEMCPY(key_buf + 1, cert_buf, cert_sz)); + ExpectIntNE((ret = wc_PemToDer(key_buf, (long int)cert_sz + 1, CERT_TYPE, + &pDer, NULL, &info, &eccKey)), 0); + + #ifdef OPENSSL_EXTRA + ExpectIntEQ((ret = wc_PemToDer(key_buf, cert_sz + 1, PRIVATEKEY_TYPE, + &pDer, NULL, &info, &eccKey)), 0); + #endif + wc_FreeDer(&pDer); + if (cert_buf != NULL) + free(cert_buf); } - BIO_free(bio); +#endif #endif return EXPECT_RESULT(); } -#endif -static int test_wolfSSL_msgCb(void) +static int test_wc_AllocDer(void) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && defined(DEBUG_WOLFSSL) && \ - defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) - test_ssl_cbf client_cb; - test_ssl_cbf server_cb; - - XMEMSET(&client_cb, 0, sizeof(client_cb)); - XMEMSET(&server_cb, 0, sizeof(server_cb)); -#ifndef WOLFSSL_NO_TLS12 - client_cb.method = wolfTLSv1_2_client_method; - server_cb.method = wolfTLSv1_2_server_method; -#else - client_cb.method = wolfTLSv1_3_client_method; - server_cb.method = wolfTLSv1_3_server_method; -#endif - server_cb.caPemFile = caCertFile; - client_cb.certPemFile = "./certs/intermediate/client-chain.pem"; +#if !defined(NO_CERTS) + DerBuffer* pDer = NULL; + word32 testSize = 1024; - ExpectIntEQ(test_wolfSSL_client_server_nofail_memio_ex(&client_cb, - &server_cb, msgCb, msgSrvCb), TEST_SUCCESS); + ExpectIntEQ(wc_AllocDer(NULL, testSize, CERT_TYPE, HEAP_HINT), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wc_AllocDer(&pDer, testSize, CERT_TYPE, HEAP_HINT), 0); + ExpectNotNull(pDer); + wc_FreeDer(&pDer); #endif return EXPECT_RESULT(); } -static int test_wolfSSL_either_side(void) +static int test_wc_CertPemToDer(void) { EXPECT_DECLS; -#if (defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE)) && \ - defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) - test_ssl_cbf client_cb; - test_ssl_cbf server_cb; - - XMEMSET(&client_cb, 0, sizeof(client_cb)); - XMEMSET(&server_cb, 0, sizeof(server_cb)); +#if !defined(NO_CERTS) && defined(WOLFSSL_PEM_TO_DER) && !defined(NO_FILESYSTEM) + const char* ca_cert = "./certs/ca-cert.pem"; + byte* cert_buf = NULL; + size_t cert_sz = 0; + size_t cert_dersz = 0; + byte* cert_der = NULL; - /* Use different CTX for client and server */ - client_cb.ctx = wolfSSL_CTX_new(wolfSSLv23_method()); - ExpectNotNull(client_cb.ctx); - server_cb.ctx = wolfSSL_CTX_new(wolfSSLv23_method()); - ExpectNotNull(server_cb.ctx); - /* we are responsible for free'ing WOLFSSL_CTX */ - server_cb.isSharedCtx = client_cb.isSharedCtx = 1; + ExpectIntEQ(load_file(ca_cert, &cert_buf, &cert_sz), 0); + cert_dersz = cert_sz; /* DER will be smaller than PEM */ + ExpectNotNull(cert_der = (byte*)malloc(cert_dersz)); + ExpectIntGE(wc_CertPemToDer(cert_buf, (int)cert_sz, cert_der, + (int)cert_dersz, CERT_TYPE), 0); - ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cb, - &server_cb, NULL), TEST_SUCCESS); + ExpectIntEQ(wc_CertPemToDer(NULL, (int)cert_sz, NULL, -1, CERT_TYPE), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wc_CertPemToDer(cert_buf, (int)cert_sz, NULL, -1, CERT_TYPE), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wc_CertPemToDer(NULL, (int)cert_sz, cert_der, -1, CERT_TYPE), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wc_CertPemToDer(NULL, (int)cert_sz, NULL, (int)cert_dersz, + CERT_TYPE), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wc_CertPemToDer(NULL, (int)cert_sz, cert_der, + (int)cert_dersz, CERT_TYPE), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wc_CertPemToDer(cert_buf, (int)cert_sz, NULL, + (int)cert_dersz, CERT_TYPE), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wc_CertPemToDer(cert_buf, (int)cert_sz, cert_der, -1, + CERT_TYPE), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - wolfSSL_CTX_free(client_cb.ctx); - wolfSSL_CTX_free(server_cb.ctx); + if (cert_der != NULL) + free(cert_der); + if (cert_buf != NULL) + free(cert_buf); #endif return EXPECT_RESULT(); } -static int test_wolfSSL_DTLS_either_side(void) +static int test_wc_KeyPemToDer(void) { EXPECT_DECLS; -#if (defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE)) && \ - defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && defined(WOLFSSL_DTLS) - test_ssl_cbf client_cb; - test_ssl_cbf server_cb; +#if defined(WOLFSSL_PEM_TO_DER) && !defined(NO_FILESYSTEM) && !defined(NO_RSA) + int ret = 0; + const byte cert_buf[] = \ + "-----BEGIN PRIVATE KEY-----\n" + "MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDMG5KgWxP002pA\n" + "QJIdA4H5N0oM1Wf0LrHcos5RYUlrHDkC2b5p2BUpVRPmgDAFD2+8leim98x0BvcB\n" + "k48TNzrVynuwyVEY664+iQyzEBO5v27HPRydOddprbLCvRO036XINGIjauy1jHFi\n" + "HaDVx3bexSwgp9aefUGAszFXi4q1J4GacV7Cr2b/wBqUHqWv4ZXPu6R9/UYngTkD\n" + "UDJL5gLlLfcLzNyyodKPHPCIAKdWn6mSVdcHk8XVpK4y9lgz4E7YDWA6ohKZgWgG\n" + "2RDha8CMilFMDgYa0G0SiS9g3PQx0qh3AMXJJsKSVhScFCZufAE0kV6KvjP7jAqP\n" + "XBiSkRGPAgMBAAECggEAW7hmRyY2jRX2UMJThrM9VIs6fRLnYI0dQ0tsEJj536ay\n" + "nevQjArc05KWW0Yujg+WRDZPcry3RUqd9Djlmhp/F3Si6dpF1b+PMS3wJYVrf9Sd\n" + "SO5W7faArU4vnyBNe0HnY1Ta5xSVI65lg1RSIs88RTZwsooJwXYDGf0shq0/21CE\n" + "V8HOb27DDYNcEnm35lzaONjFnMqQQT2Vs9anRrPiSEXNleEvTgLVXZtGTyCGTz6v\n" + "x86Y8eSWL9YNHvPE1I+mDPuocfSR7eRNgRu7SK3mn94W5mqd7Ns072YKX/2XN1mO\n" + "66+ZFHO6v4dK1u7cSjuwrU1EhLHpUsgDz6Bna5InyQKBgQDv5l8RPy8UneKSADaf\n" + "M5L/5675I/5t4nqVjvbnQje00YveLTAEjlJBNR93Biln3sYgnvNamYDCxyEuUZ/I\n" + "S/vmBL9PoxfGZow4FcsIBOEbIn3E0SYJgCBNWthquUvGpKsYDnThJuhO+1cVmxAJ\n" + "BUOjLFnJYHM0a+Vmk9GexT2OBwKBgQDZzkUBOK7Im3eiYytFocUJyhqMH30d49X9\n" + "ujC7kGw4UWAqVe7YCSvlBa8nzWpRWK2kRpu3M0272RU0V4geyWqT+nr/SvRRPtNP\n" + "F5dY8l3yR7hjtSejqqjOfBcZT6ETJxI4tiG0+Nl5BlfM5M+0nxnkWpRcHuOR3j79\n" + "YUFERyN+OQKBgQCjlOKeUAc6d65W/+4/AFvsQ378Q57qLtSHxsR1TKHPmlNVXFqx\n" + "wJo1/JNIBduWCEHxXHF0BdfW+RGXE/FwEt/hKLuLAhrkHmjelX2sKieU6R/5ZOQa\n" + "9lMQbDHGFDOncAF6leD85hriQGBRSzrT69MDIOrYdfwYcroqCAGX0cb3YQKBgQC8\n" + "iIFQylj5SyHmjcMSNjKSA8CxFDzAV8yPIdE3Oo+CvGXqn5HsrRuy1hXE9VmXapR8\n" + "A6ackSszdHiXY0FvrNe1mfdH7wDHJwPQjdIzazCJHS3uGQxj7sDKY7226ie6pXJv\n" + "ZrCMr2/IBAaSVGm6ppHKCeIsT4ybYm7R85KEYLPHeQKBgBeJOMBinXQfWN/1jT9b\n" + "6Ywrutvp2zP8hVxQGSZJ0WG4iewZyFLsPUlbWRXOSYNPElHmdD0ZomdLVm+lSpAA\n" + "XSH5FJ/IFCwqq7Eft6Gf8NFRV+NjPMUny+PnjHe4oFP8YK/Ek22K3ttNG8Hw69Aw\n" + "AQue5o6oVfhgLiJzMdo/77gw\n" + "-----END PRIVATE KEY-----\n"; + const int cert_sz = sizeof(cert_buf); + const char cert_pw[] = "password"; + int cert_dersz = 0; + byte* cert_der = NULL; - XMEMSET(&client_cb, 0, sizeof(client_cb)); - XMEMSET(&server_cb, 0, sizeof(server_cb)); + /* Bad arg: Cert buffer is NULL */ + ExpectIntEQ(wc_KeyPemToDer(NULL, cert_sz, cert_der, cert_dersz, ""), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - /* Use different CTX for client and server */ - client_cb.ctx = wolfSSL_CTX_new(wolfDTLS_method()); - ExpectNotNull(client_cb.ctx); - server_cb.ctx = wolfSSL_CTX_new(wolfDTLS_method()); - ExpectNotNull(server_cb.ctx); - /* we are responsible for free'ing WOLFSSL_CTX */ - server_cb.isSharedCtx = client_cb.isSharedCtx = 1; + /* Bad arg: Cert DER buffer non-NULL but size zero (or less) */ + ExpectIntEQ(wc_KeyPemToDer(cert_buf, cert_sz, (byte*)&cert_der, 0, ""), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cb, - &server_cb, NULL), TEST_SUCCESS); + /* Test normal operation */ + cert_dersz = cert_sz; /* DER will be smaller than PEM */ + ExpectNotNull(cert_der = (byte*)malloc((size_t)cert_dersz)); + ExpectIntGE(ret = wc_KeyPemToDer(cert_buf, cert_sz, cert_der, cert_dersz, + cert_pw), 0); + ExpectIntLE(ret, cert_sz); + if (cert_der != NULL) { + free(cert_der); + cert_der = NULL; + } - wolfSSL_CTX_free(client_cb.ctx); - wolfSSL_CTX_free(server_cb.ctx); + /* Test NULL for DER buffer to return needed DER buffer size */ + ExpectIntGT(ret = wc_KeyPemToDer(cert_buf, cert_sz, NULL, 0, ""), 0); + ExpectIntLE(ret, cert_sz); + if (EXPECT_SUCCESS()) + cert_dersz = ret; + ExpectNotNull(cert_der = (byte*)malloc((size_t)cert_dersz)); + ExpectIntGE(ret = wc_KeyPemToDer(cert_buf, cert_sz, cert_der, cert_dersz, + cert_pw), 0); + ExpectIntLE(ret, cert_sz); + if (cert_der != NULL) + free(cert_der); #endif return EXPECT_RESULT(); } -static int test_generate_cookie(void) +static int test_wc_PubKeyPemToDer(void) { EXPECT_DECLS; -#if defined(WOLFSSL_DTLS) && defined(OPENSSL_EXTRA) && defined(USE_WOLFSSL_IO) - SSL_CTX* ctx = NULL; - SSL* ssl = NULL; - byte buf[FOURK_BUF] = {0}; +#if defined(WOLFSSL_PEM_TO_DER) && !defined(NO_FILESYSTEM) && \ + (defined(WOLFSSL_CERT_EXT) || defined(WOLFSSL_PUB_PEM_TO_DER)) + int ret = 0; + const char* key = "./certs/ecc-client-keyPub.pem"; + byte* cert_buf = NULL; + size_t cert_sz = 0, cert_dersz = 0; + byte* cert_der = NULL; - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfDTLS_method())); - ExpectNotNull(ssl = SSL_new(ctx)); + ExpectIntEQ(wc_PubKeyPemToDer(cert_buf, (int)cert_sz, + cert_der, (int)cert_dersz), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - /* Test unconnected */ - ExpectIntEQ(EmbedGenerateCookie(ssl, buf, FOURK_BUF, NULL), WC_NO_ERR_TRACE(GEN_COOKIE_E)); + ExpectIntEQ(load_file(key, &cert_buf, &cert_sz), 0); + cert_dersz = cert_sz; /* DER will be smaller than PEM */ + ExpectNotNull(cert_der = (byte*)malloc(cert_dersz)); + ExpectIntGE(wc_PubKeyPemToDer(cert_buf, (int)cert_sz, cert_der, + (int)cert_dersz), 0); + if (cert_der != NULL) { + free(cert_der); + cert_der = NULL; + } - wolfSSL_CTX_SetGenCookie(ctx, EmbedGenerateCookie); + /* Test NULL for DER buffer to return needed DER buffer size */ + ExpectIntGT(ret = wc_PubKeyPemToDer(cert_buf, (int)cert_sz, NULL, 0), 0); + ExpectIntLE(ret, cert_sz); + cert_dersz = (size_t)ret; + ExpectNotNull(cert_der = (byte*)malloc(cert_dersz)); + ExpectIntGE(wc_PubKeyPemToDer(cert_buf, (int)cert_sz, cert_der, + (int)cert_dersz), 0); + if (cert_der != NULL) { + free(cert_der); + } - wolfSSL_SetCookieCtx(ssl, ctx); + if (cert_buf != NULL) { + free(cert_buf); + } +#endif + return EXPECT_RESULT(); +} - ExpectNotNull(wolfSSL_GetCookieCtx(ssl)); +static int test_wc_PemPubKeyToDer(void) +{ + EXPECT_DECLS; +#if !defined(NO_FILESYSTEM) && \ + (defined(WOLFSSL_CERT_EXT) || defined(WOLFSSL_PUB_PEM_TO_DER)) + const char* key = "./certs/ecc-client-keyPub.pem"; + size_t cert_dersz = 1024; + byte* cert_der = NULL; - ExpectNull(wolfSSL_GetCookieCtx(NULL)); + ExpectIntGE(wc_PemPubKeyToDer(NULL, cert_der, (int)cert_dersz), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - SSL_free(ssl); - SSL_CTX_free(ctx); + ExpectNotNull(cert_der = (byte*)malloc(cert_dersz)); + ExpectIntGE(wc_PemPubKeyToDer(key, cert_der, (int)cert_dersz), 0); + if (cert_der != NULL) { + free(cert_der); + } #endif return EXPECT_RESULT(); } -static int test_wolfSSL_set_options(void) +static int test_wc_GetPubKeyDerFromCert(void) { EXPECT_DECLS; -#if !defined(NO_CERTS) && !defined(NO_TLS) && !defined(NO_FILESYSTEM) && \ - (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) && \ - !defined(NO_RSA) - WOLFSSL* ssl = NULL; - WOLFSSL_CTX* ctx = NULL; -#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) - char appData[] = "extra msg"; -#endif -#ifdef OPENSSL_EXTRA - unsigned char protos[] = { - 7, 't', 'l', 's', '/', '1', '.', '2', - 8, 'h', 't', 't', 'p', '/', '1', '.', '1' - }; - unsigned int len = sizeof(protos); - void *arg = (void *)TEST_ARG; +#if !defined(NO_RSA) || defined(HAVE_ECC) + int ret; + word32 idx = 0; + byte keyDer[TWOK_BUF]; /* large enough for up to RSA 2048 */ + word32 keyDerSz = (word32)sizeof(keyDer); + DecodedCert decoded; +#if !defined(NO_RSA) && defined(WOLFSSL_CERT_REQ) && !defined(NO_FILESYSTEM) + byte certBuf[6000]; /* for PEM and CSR, client-cert.pem is 5-6kB */ + word32 certBufSz = sizeof(certBuf); #endif - -#ifndef NO_WOLFSSL_SERVER - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); -#else - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); +#if ((!defined(USE_CERT_BUFFERS_2048) && !defined(USE_CERT_BUFFERS_1024)) || \ + defined(WOLFSSL_CERT_REQ)) && !defined(NO_RSA) && !defined(NO_FILESYSTEM) + XFILE fp = XBADFILE; #endif - ExpectTrue(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile, - CERT_FILETYPE)); - ExpectTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, - CERT_FILETYPE)); - - ExpectTrue(wolfSSL_CTX_set_options(ctx, WOLFSSL_OP_NO_TLSv1) - == WOLFSSL_OP_NO_TLSv1); - ExpectTrue(wolfSSL_CTX_get_options(ctx) == WOLFSSL_OP_NO_TLSv1); - - ExpectIntGT((int)wolfSSL_CTX_set_options(ctx, (WOLFSSL_OP_COOKIE_EXCHANGE | - WOLFSSL_OP_NO_SSLv2)), 0); - ExpectTrue((wolfSSL_CTX_set_options(ctx, WOLFSSL_OP_COOKIE_EXCHANGE) & - WOLFSSL_OP_COOKIE_EXCHANGE) == WOLFSSL_OP_COOKIE_EXCHANGE); - ExpectTrue((wolfSSL_CTX_set_options(ctx, WOLFSSL_OP_NO_TLSv1_2) & - WOLFSSL_OP_NO_TLSv1_2) == WOLFSSL_OP_NO_TLSv1_2); - ExpectTrue((wolfSSL_CTX_set_options(ctx, WOLFSSL_OP_NO_COMPRESSION) & - WOLFSSL_OP_NO_COMPRESSION) == WOLFSSL_OP_NO_COMPRESSION); - ExpectFalse((wolfSSL_CTX_clear_options(ctx, WOLFSSL_OP_NO_COMPRESSION) & - WOLFSSL_OP_NO_COMPRESSION)); - - wolfSSL_CTX_free(ctx); - ctx = NULL; - -#ifndef NO_WOLFSSL_SERVER - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); -#else - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); +#ifndef NO_RSA + RsaKey rsaKey; + #if defined(USE_CERT_BUFFERS_2048) + byte* rsaCertDer = (byte*)client_cert_der_2048; + word32 rsaCertDerSz = sizeof_client_cert_der_2048; + #elif defined(USE_CERT_BUFFERS_1024) + byte* rsaCertDer = (byte*)client_cert_der_1024; + word32 rsaCertDerSz = sizeof_client_cert_der_1024; + #else + unsigned char rsaCertDer[TWOK_BUF]; + word32 rsaCertDerSz; + #endif #endif - ExpectTrue(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile, - CERT_FILETYPE)); - ExpectTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, - CERT_FILETYPE)); -#ifdef OPENSSL_EXTRA - ExpectTrue(wolfSSL_CTX_set_msg_callback(ctx, msg_cb) == WOLFSSL_SUCCESS); +#ifdef HAVE_ECC + ecc_key eccKey; + #if defined(USE_CERT_BUFFERS_256) + byte* eccCert = (byte*)cliecc_cert_der_256; + word32 eccCertSz = sizeof_cliecc_cert_der_256; + #else + unsigned char eccCert[ONEK_BUF]; + word32 eccCertSz; + XFILE fp2 = XBADFILE; + #endif #endif - ExpectNotNull(ssl = wolfSSL_new(ctx)); -#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) -#ifdef HAVE_EX_DATA - ExpectIntEQ(wolfSSL_set_app_data(ssl, (void*)appData), WOLFSSL_SUCCESS); - ExpectNotNull(wolfSSL_get_app_data((const WOLFSSL*)ssl)); - if (ssl != NULL) { - ExpectIntEQ(XMEMCMP(wolfSSL_get_app_data((const WOLFSSL*)ssl), - appData, sizeof(appData)), 0); +#ifndef NO_RSA + +#if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048) + ExpectTrue((fp = XFOPEN("./certs/1024/client-cert.der", "rb")) != XBADFILE); + ExpectIntGT(rsaCertDerSz = (word32)XFREAD(rsaCertDer, 1, sizeof(rsaCertDer), + fp), 0); + if (fp != XBADFILE) { + XFCLOSE(fp); + fp = XBADFILE; } -#else - ExpectIntEQ(wolfSSL_set_app_data(ssl, (void*)appData), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectNull(wolfSSL_get_app_data((const WOLFSSL*)ssl)); -#endif #endif - ExpectTrue(wolfSSL_set_options(ssl, WOLFSSL_OP_NO_TLSv1) == - WOLFSSL_OP_NO_TLSv1); + /* good test case - RSA DER cert */ + wc_InitDecodedCert(&decoded, rsaCertDer, rsaCertDerSz, NULL); + ExpectIntEQ(wc_ParseCert(&decoded, CERT_TYPE, NO_VERIFY, NULL), 0); - ExpectTrue(wolfSSL_get_options(ssl) == WOLFSSL_OP_NO_TLSv1); + ExpectIntEQ(wc_GetPubKeyDerFromCert(&decoded, keyDer, &keyDerSz), 0); + ExpectIntGT(keyDerSz, 0); - ExpectIntGT((int)wolfSSL_set_options(ssl, (WOLFSSL_OP_COOKIE_EXCHANGE | - WOLFSSL_OP_NO_SSLv2)), 0); + /* sanity check, verify we can import DER public key */ + ret = wc_InitRsaKey(&rsaKey, HEAP_HINT); + ExpectIntEQ(ret, 0); + ExpectIntEQ(wc_RsaPublicKeyDecode(keyDer, &idx, &rsaKey, keyDerSz), 0); + if (ret == 0) { + wc_FreeRsaKey(&rsaKey); + } - ExpectTrue((wolfSSL_set_options(ssl, WOLFSSL_OP_COOKIE_EXCHANGE) & - WOLFSSL_OP_COOKIE_EXCHANGE) == WOLFSSL_OP_COOKIE_EXCHANGE); + /* test LENGTH_ONLY_E case */ + keyDerSz = 0; + ExpectIntEQ(wc_GetPubKeyDerFromCert(&decoded, NULL, &keyDerSz), + WC_NO_ERR_TRACE(LENGTH_ONLY_E)); + ExpectIntGT(keyDerSz, 0); - ExpectTrue((wolfSSL_set_options(ssl, WOLFSSL_OP_NO_TLSv1_2) & - WOLFSSL_OP_NO_TLSv1_2) == WOLFSSL_OP_NO_TLSv1_2); + /* bad args: DecodedCert NULL */ + ExpectIntEQ(wc_GetPubKeyDerFromCert(NULL, keyDer, &keyDerSz), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectTrue((wolfSSL_set_options(ssl, WOLFSSL_OP_NO_COMPRESSION) & - WOLFSSL_OP_NO_COMPRESSION) == WOLFSSL_OP_NO_COMPRESSION); + /* bad args: output key buff size */ + ExpectIntEQ(wc_GetPubKeyDerFromCert(&decoded, keyDer, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); -#ifdef OPENSSL_EXTRA - ExpectFalse((wolfSSL_clear_options(ssl, WOLFSSL_OP_NO_COMPRESSION) & - WOLFSSL_OP_NO_COMPRESSION)); -#endif + /* bad args: zero size output key buffer */ + keyDerSz = 0; + ExpectIntEQ(ret = wc_GetPubKeyDerFromCert(&decoded, keyDer, &keyDerSz), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); -#ifdef OPENSSL_EXTRA - ExpectTrue(wolfSSL_set_msg_callback(ssl, msg_cb) == WOLFSSL_SUCCESS); - wolfSSL_set_msg_callback_arg(ssl, arg); -#ifdef WOLFSSL_ERROR_CODE_OPENSSL - ExpectTrue(wolfSSL_CTX_set_alpn_protos(ctx, protos, len) == 0); -#else - ExpectTrue(wolfSSL_CTX_set_alpn_protos(ctx, protos, len) == WOLFSSL_SUCCESS); -#endif -#endif + wc_FreeDecodedCert(&decoded); + + /* Certificate Request Tests */ + #if defined(WOLFSSL_CERT_REQ) && !defined(NO_FILESYSTEM) + { + XMEMSET(certBuf, 0, sizeof(certBuf)); + ExpectTrue((fp = XFOPEN("./certs/csr.signed.der", "rb")) != XBADFILE); + ExpectIntGT(certBufSz = (word32)XFREAD(certBuf, 1, certBufSz, fp), 0); + if (fp != XBADFILE) { + XFCLOSE(fp); + } -#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || \ - defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(OPENSSL_ALL) || \ - defined(HAVE_LIGHTY) || defined(HAVE_STUNNEL) + wc_InitDecodedCert(&decoded, certBuf, certBufSz, NULL); + ExpectIntEQ(wc_ParseCert(&decoded, CERTREQ_TYPE, VERIFY, NULL), 0); -#if defined(HAVE_ALPN) && !defined(NO_BIO) + /* good test case - RSA DER certificate request */ + keyDerSz = sizeof(keyDer); + ExpectIntEQ(ret = wc_GetPubKeyDerFromCert(&decoded, keyDer, &keyDerSz), + 0); + ExpectIntGT(keyDerSz, 0); -#ifdef WOLFSSL_ERROR_CODE_OPENSSL - ExpectTrue(wolfSSL_set_alpn_protos(ssl, protos, len) == 0); -#else - ExpectTrue(wolfSSL_set_alpn_protos(ssl, protos, len) == WOLFSSL_SUCCESS); -#endif + /* sanity check, verify we can import DER public key */ + ret = wc_InitRsaKey(&rsaKey, HEAP_HINT); + ExpectIntEQ(ret, 0); + idx = 0; + ExpectIntEQ(wc_RsaPublicKeyDecode(keyDer, &idx, &rsaKey, keyDerSz), 0); + if (ret == 0) { + wc_FreeRsaKey(&rsaKey); + } -#endif /* HAVE_ALPN && !NO_BIO */ -#endif + wc_FreeDecodedCert(&decoded); + } + #endif /* WOLFSSL_CERT_REQ */ +#endif /* NO_RSA */ - wolfSSL_free(ssl); - wolfSSL_CTX_free(ctx); -#endif - return EXPECT_RESULT(); -} +#ifdef HAVE_ECC + #ifndef USE_CERT_BUFFERS_256 + ExpectTrue((fp2 = XFOPEN("./certs/client-ecc-cert.der", "rb")) != + XBADFILE); + ExpectIntGT(eccCertSz = (word32)XFREAD(eccCert, 1, ONEK_BUF, fp2), 0); + if (fp2 != XBADFILE) { + XFCLOSE(fp2); + } + #endif -static int test_wolfSSL_sk_SSL_CIPHER(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_ALL) && !defined(NO_CERTS) && !defined(NO_TLS) && \ - !defined(NO_FILESYSTEM) && !defined(NO_RSA) -#if !defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER) - SSL* ssl = NULL; - SSL_CTX* ctx = NULL; - STACK_OF(SSL_CIPHER) *sk = NULL; - STACK_OF(SSL_CIPHER) *dupSk = NULL; + wc_InitDecodedCert(&decoded, eccCert, eccCertSz, NULL); + ExpectIntEQ(wc_ParseCert(&decoded, CERT_TYPE, NO_VERIFY, NULL), 0); -#ifndef NO_WOLFSSL_SERVER - ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); -#else - ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); -#endif - ExpectTrue(SSL_CTX_use_certificate_file(ctx, svrCertFile, SSL_FILETYPE_PEM)); - ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, SSL_FILETYPE_PEM)); - ExpectNotNull(ssl = SSL_new(ctx)); - ExpectNotNull(sk = SSL_get_ciphers(ssl)); - ExpectNotNull(dupSk = sk_SSL_CIPHER_dup(sk)); - ExpectIntGT(sk_SSL_CIPHER_num(sk), 0); - ExpectIntEQ(sk_SSL_CIPHER_num(sk), sk_SSL_CIPHER_num(dupSk)); + /* good test case - ECC */ + XMEMSET(keyDer, 0, sizeof(keyDer)); + keyDerSz = sizeof(keyDer); + ExpectIntEQ(wc_GetPubKeyDerFromCert(&decoded, keyDer, &keyDerSz), 0); + ExpectIntGT(keyDerSz, 0); - /* error case because connection has not been established yet */ - ExpectIntEQ(sk_SSL_CIPHER_find(sk, SSL_get_current_cipher(ssl)), -1); - sk_SSL_CIPHER_free(dupSk); + /* sanity check, verify we can import DER public key */ + ret = wc_ecc_init(&eccKey); + ExpectIntEQ(ret, 0); + idx = 0; /* reset idx to 0, used above in RSA case */ + ExpectIntEQ(wc_EccPublicKeyDecode(keyDer, &idx, &eccKey, keyDerSz), 0); + if (ret == 0) { + wc_ecc_free(&eccKey); + } - /* sk is pointer to internal struct that should be free'd in SSL_free */ - SSL_free(ssl); - SSL_CTX_free(ctx); -#endif /* !NO_WOLFSSL_CLIENT || !NO_WOLFSSL_SERVER */ -#endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ - !defined(NO_FILESYSTEM) && !defined(NO_RSA) */ + /* test LENGTH_ONLY_E case */ + keyDerSz = 0; + ExpectIntEQ(wc_GetPubKeyDerFromCert(&decoded, NULL, &keyDerSz), + WC_NO_ERR_TRACE(LENGTH_ONLY_E)); + ExpectIntGT(keyDerSz, 0); + + wc_FreeDecodedCert(&decoded); +#endif +#endif /* !NO_RSA || HAVE_ECC */ return EXPECT_RESULT(); } -static int test_wolfSSL_set1_curves_list(void) +static int test_wc_GetSubjectPubKeyInfoDerFromCert(void) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && defined(HAVE_ECC) && !defined(NO_TLS) && \ - (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) && \ - !defined(NO_FILESYSTEM) - SSL* ssl = NULL; - SSL_CTX* ctx = NULL; - -#ifndef NO_WOLFSSL_SERVER - ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); -#else - ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); -#endif - ExpectTrue(SSL_CTX_use_certificate_file(ctx, eccCertFile, - SSL_FILETYPE_PEM)); - ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, eccKeyFile, SSL_FILETYPE_PEM)); - ExpectNotNull(ssl = SSL_new(ctx)); - - ExpectIntEQ(SSL_CTX_set1_curves_list(ctx, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); -#ifdef HAVE_ECC - ExpectIntEQ(SSL_CTX_set1_curves_list(ctx, "P-25X"), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(SSL_CTX_set1_curves_list(ctx, "P-256"), WOLFSSL_SUCCESS); +#if !defined(NO_RSA) || defined(HAVE_ECC) + int ret; + word32 idx = 0; + byte keyDer[TWOK_BUF]; /* large enough for up to RSA 2048 */ + word32 keyDerSz = (word32)sizeof(keyDer); +#if !defined(NO_RSA) && defined(WOLFSSL_CERT_REQ) && !defined(NO_FILESYSTEM) + byte certBuf[6000]; /* for PEM and CSR, client-cert.pem is 5-6kB */ + word32 certBufSz = sizeof(certBuf); #endif -#ifdef HAVE_CURVE25519 - ExpectIntEQ(SSL_CTX_set1_curves_list(ctx, "X25519"), WOLFSSL_SUCCESS); -#else - ExpectIntEQ(SSL_CTX_set1_curves_list(ctx, "X25519"), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); +#if ((!defined(USE_CERT_BUFFERS_2048) && !defined(USE_CERT_BUFFERS_1024)) || \ + defined(WOLFSSL_CERT_REQ)) && !defined(NO_RSA) && !defined(NO_FILESYSTEM) + XFILE fp = XBADFILE; #endif -#ifdef HAVE_CURVE448 - ExpectIntEQ(SSL_CTX_set1_curves_list(ctx, "X448"), WOLFSSL_SUCCESS); -#else - ExpectIntEQ(SSL_CTX_set1_curves_list(ctx, "X448"), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); +#ifndef NO_RSA + RsaKey rsaKey; + #if defined(USE_CERT_BUFFERS_2048) + byte* rsaCertDer = (byte*)client_cert_der_2048; + word32 rsaCertDerSz = sizeof_client_cert_der_2048; + #elif defined(USE_CERT_BUFFERS_1024) + byte* rsaCertDer = (byte*)client_cert_der_1024; + word32 rsaCertDerSz = sizeof_client_cert_der_1024; + #else + unsigned char rsaCertDer[TWOK_BUF]; + word32 rsaCertDerSz; + #endif #endif - - ExpectIntEQ(SSL_set1_curves_list(ssl, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); #ifdef HAVE_ECC - ExpectIntEQ(SSL_set1_curves_list(ssl, "P-25X"), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(SSL_set1_curves_list(ssl, "P-256"), WOLFSSL_SUCCESS); + ecc_key eccKey; + #if defined(USE_CERT_BUFFERS_256) + byte* eccCert = (byte*)cliecc_cert_der_256; + word32 eccCertSz = sizeof_cliecc_cert_der_256; + #else + unsigned char eccCert[ONEK_BUF]; + word32 eccCertSz; + XFILE fp2 = XBADFILE; + #endif #endif -#ifdef HAVE_CURVE25519 - ExpectIntEQ(SSL_set1_curves_list(ssl, "X25519"), WOLFSSL_SUCCESS); -#else - ExpectIntEQ(SSL_set1_curves_list(ssl, "X25519"), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); -#endif -#ifdef HAVE_CURVE448 - ExpectIntEQ(SSL_set1_curves_list(ssl, "X448"), WOLFSSL_SUCCESS); -#else - ExpectIntEQ(SSL_set1_curves_list(ssl, "X448"), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); -#endif +#ifndef NO_RSA - SSL_free(ssl); - SSL_CTX_free(ctx); +#if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048) + ExpectTrue((fp = XFOPEN("./certs/1024/client-cert.der", "rb")) != XBADFILE); + ExpectIntGT(rsaCertDerSz = (word32)XFREAD(rsaCertDer, 1, sizeof(rsaCertDer), + fp), 0); + if (fp != XBADFILE) { + XFCLOSE(fp); + fp = XBADFILE; + } #endif - return EXPECT_RESULT(); -} -#if defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \ - (defined(OPENSSL_EXTRA) || defined(HAVE_CURL)) && defined(HAVE_ECC) -static int test_wolfSSL_curves_mismatch_ctx_ready(WOLFSSL_CTX* ctx) -{ - static int counter = 0; - EXPECT_DECLS; + /* good test case - RSA DER cert */ + ExpectIntEQ(wc_GetSubjectPubKeyInfoDerFromCert(rsaCertDer, rsaCertDerSz, + keyDer, &keyDerSz), 0); + ExpectIntGT(keyDerSz, 0); - if (counter % 2) { - ExpectIntEQ(wolfSSL_CTX_set1_curves_list(ctx, "P-256"), - WOLFSSL_SUCCESS); - } - else { - ExpectIntEQ(wolfSSL_CTX_set1_curves_list(ctx, "P-384"), - WOLFSSL_SUCCESS); + /* sanity check, verify we can import DER public key */ + ret = wc_InitRsaKey(&rsaKey, HEAP_HINT); + ExpectIntEQ(ret, 0); + ExpectIntEQ(wc_RsaPublicKeyDecode(keyDer, &idx, &rsaKey, keyDerSz), 0); + if (ret == 0) { + wc_FreeRsaKey(&rsaKey); } - /* Ciphersuites that require curves */ - wolfSSL_CTX_set_cipher_list(ctx, "TLS13-AES256-GCM-SHA384:" - "TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES128-GCM-SHA256:" - "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:" - "ECDHE-ECDSA-AES128-GCM-SHA256:" - "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:" - "ECDHE-ECDSA-CHACHA20-POLY1305"); + /* bad args: certDer */ + keyDerSz = (word32)sizeof(keyDer); + ExpectIntEQ(wc_GetSubjectPubKeyInfoDerFromCert(NULL, rsaCertDerSz, keyDer, + &keyDerSz), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - counter++; - return EXPECT_RESULT(); -} -#endif + /* bad args: 0 sized certSz */ + keyDerSz = (word32)sizeof(keyDer); + ExpectIntEQ(wc_GetSubjectPubKeyInfoDerFromCert(rsaCertDer, 0, keyDer, + &keyDerSz), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); -static int test_wolfSSL_curves_mismatch(void) -{ - EXPECT_DECLS; -#if defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \ - (defined(OPENSSL_EXTRA) || defined(HAVE_CURL)) && defined(HAVE_ECC) - test_ssl_cbf func_cb_client; - test_ssl_cbf func_cb_server; - size_t i; - struct { - method_provider client_meth; - method_provider server_meth; - const char* desc; - int client_last_err; - int server_last_err; - } test_params[] = { -#ifdef WOLFSSL_TLS13 - {wolfTLSv1_3_client_method, wolfTLSv1_3_server_method, "TLS 1.3", - /* Client gets error because server will attempt HRR */ - WC_NO_ERR_TRACE(BAD_KEY_SHARE_DATA), - WC_NO_ERR_TRACE(FATAL_ERROR) - }, -#endif -#ifndef WOLFSSL_NO_TLS12 - {wolfTLSv1_2_client_method, wolfTLSv1_2_server_method, "TLS 1.2", - WC_NO_ERR_TRACE(FATAL_ERROR), - /* Server gets error because <=1.2 doesn't have a mechanism - * to negotiate curves. */ -#ifdef OPENSSL_EXTRA - WC_NO_ERR_TRACE(WOLFSSL_ERROR_SYSCALL) -#else - WC_NO_ERR_TRACE(MATCH_SUITE_ERROR) -#endif - }, -#endif -#ifndef NO_OLD_TLS - {wolfTLSv1_1_client_method, wolfTLSv1_1_server_method, "TLS 1.1", - WC_NO_ERR_TRACE(FATAL_ERROR), -#ifdef OPENSSL_EXTRA - WC_NO_ERR_TRACE(WOLFSSL_ERROR_SYSCALL) -#else - WC_NO_ERR_TRACE(MATCH_SUITE_ERROR) -#endif - }, -#endif - }; + /* bad args: NULL inout size */ + ExpectIntEQ(ret = wc_GetSubjectPubKeyInfoDerFromCert(rsaCertDer, + rsaCertDerSz, keyDer, + NULL), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - for (i = 0; i < XELEM_CNT(test_params) && !EXPECT_FAIL(); i++) { - XMEMSET(&func_cb_client, 0, sizeof(func_cb_client)); - XMEMSET(&func_cb_server, 0, sizeof(func_cb_server)); + /* Certificate Request Tests */ + #if defined(WOLFSSL_CERT_REQ) && !defined(NO_FILESYSTEM) + { + XMEMSET(certBuf, 0, sizeof(certBuf)); + ExpectTrue((fp = XFOPEN("./certs/csr.signed.der", "rb")) != XBADFILE); + ExpectIntGT(certBufSz = (word32)XFREAD(certBuf, 1, certBufSz, fp), 0); + if (fp != XBADFILE) { + XFCLOSE(fp); + } - printf("\tTesting with %s...\n", test_params[i].desc); + /* good test case - RSA DER certificate request */ + keyDerSz = sizeof(keyDer); + ExpectIntEQ(ret = wc_GetSubjectPubKeyInfoDerFromCert(rsaCertDer, + rsaCertDerSz, + keyDer, + &keyDerSz), 0); + ExpectIntGT(keyDerSz, 0); - func_cb_client.ctx_ready = &test_wolfSSL_curves_mismatch_ctx_ready; - func_cb_server.ctx_ready = &test_wolfSSL_curves_mismatch_ctx_ready; + /* sanity check, verify we can import DER public key */ + ret = wc_InitRsaKey(&rsaKey, HEAP_HINT); + ExpectIntEQ(ret, 0); + idx = 0; + ExpectIntEQ(wc_RsaPublicKeyDecode(keyDer, &idx, &rsaKey, keyDerSz), 0); + if (ret == 0) { + wc_FreeRsaKey(&rsaKey); + } + } + #endif /* WOLFSSL_CERT_REQ */ +#endif /* NO_RSA */ - func_cb_client.method = test_params[i].client_meth; - func_cb_server.method = test_params[i].server_meth; +#ifdef HAVE_ECC + #ifndef USE_CERT_BUFFERS_256 + ExpectTrue((fp2 = XFOPEN("./certs/client-ecc-cert.der", "rb")) != + XBADFILE); + ExpectIntGT(eccCertSz = (word32)XFREAD(eccCert, 1, ONEK_BUF, fp2), 0); + if (fp2 != XBADFILE) { + XFCLOSE(fp2); + } + #endif - ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&func_cb_client, - &func_cb_server, NULL), -1001); - ExpectIntEQ(func_cb_client.last_err, test_params[i].client_last_err); - ExpectIntEQ(func_cb_server.last_err, test_params[i].server_last_err); + /* good test case - ECC */ + XMEMSET(keyDer, 0, sizeof(keyDer)); + keyDerSz = sizeof(keyDer); + ExpectIntEQ(wc_GetSubjectPubKeyInfoDerFromCert(eccCert, eccCertSz, keyDer, + &keyDerSz), 0); + ExpectIntGT(keyDerSz, 0); - if (!EXPECT_SUCCESS()) - break; - printf("\t%s passed\n", test_params[i].desc); + /* sanity check, verify we can import DER public key */ + ret = wc_ecc_init(&eccKey); + ExpectIntEQ(ret, 0); + idx = 0; /* reset idx to 0, used above in RSA case */ + ExpectIntEQ(wc_EccPublicKeyDecode(keyDer, &idx, &eccKey, keyDerSz), 0); + if (ret == 0) { + wc_ecc_free(&eccKey); } + #endif +#endif /* !NO_RSA || HAVE_ECC */ return EXPECT_RESULT(); } -static int test_wolfSSL_set1_sigalgs_list(void) +static int test_wc_CheckCertSigPubKey(void) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_RSA) && \ - !defined(NO_TLS) && \ - (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) && \ - !defined(NO_FILESYSTEM) - SSL* ssl = NULL; - SSL_CTX* ctx = NULL; +#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_FILESYSTEM) && \ + !defined(NO_RSA) && defined(WOLFSSL_PEM_TO_DER) && defined(HAVE_ECC) + int ret = 0; + const char* ca_cert = "./certs/ca-cert.pem"; + byte* cert_buf = NULL; + size_t cert_sz = 0; + byte* cert_der = NULL; + word32 cert_dersz = 0; + byte keyDer[TWOK_BUF]; /* large enough for up to RSA 2048 */ + word32 keyDerSz = (word32)sizeof(keyDer); + DecodedCert decoded; -#ifndef NO_WOLFSSL_SERVER - ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); -#else - ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); -#endif - ExpectTrue(SSL_CTX_use_certificate_file(ctx, svrCertFile, - SSL_FILETYPE_PEM)); - ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, SSL_FILETYPE_PEM)); - ExpectNotNull(ssl = SSL_new(ctx)); + ExpectIntEQ(load_file(ca_cert, &cert_buf, &cert_sz), 0); + cert_dersz = (word32)cert_sz; /* DER will be smaller than PEM */ + ExpectNotNull(cert_der = (byte*)malloc(cert_dersz)); + ExpectIntGE(ret = wc_CertPemToDer(cert_buf, (int)cert_sz, cert_der, + (int)cert_dersz, CERT_TYPE), 0); - ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(NULL, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_set1_sigalgs_list(NULL, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + wc_InitDecodedCert(&decoded, cert_der, cert_dersz, NULL); + ExpectIntEQ(wc_ParseCert(&decoded, CERT_TYPE, NO_VERIFY, NULL), 0); - ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, ""), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, ""), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wc_GetPubKeyDerFromCert(&decoded, keyDer, &keyDerSz), 0); + ExpectIntGT(keyDerSz, 0); -#ifndef NO_RSA - #ifndef NO_SHA256 - ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(NULL, "RSA+SHA256"), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_set1_sigalgs_list(NULL, "RSA+SHA256"), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + /* Good test case. */ + ExpectIntEQ(wc_CheckCertSigPubKey(cert_der, cert_dersz, NULL, keyDer, + keyDerSz, RSAk), 0); - ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, "RSA+SHA256"), - WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, "RSA+SHA256"), - WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, "RSA-SHA256"), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, "RSA-SHA256"), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - #ifdef WC_RSA_PSS - ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, "RSA-PSS+SHA256"), - WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, "RSA-PSS+SHA256"), - WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, "PSS+SHA256"), - WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, "PSS+SHA256"), - WOLFSSL_SUCCESS); - #endif - #ifdef WOLFSSL_SHA512 - ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, - "RSA+SHA256:RSA+SHA512"), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, - "RSA+SHA256:RSA+SHA512"), WOLFSSL_SUCCESS); - #elif defined(WOLFSSL_SHA384) - ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, - "RSA+SHA256:RSA+SHA384"), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, - "RSA+SHA256:RSA+SHA384"), WOLFSSL_SUCCESS); - #endif - ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, "RSA"), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, "RSA"), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, "RSA:RSA+SHA256"), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, "RSA:RSA+SHA256"), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + /* No certificate. */ + ExpectIntEQ(wc_CheckCertSigPubKey(NULL, cert_dersz, NULL, keyDer, keyDerSz, + ECDSAk), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, "RSA+SHA256+SHA256"), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, "RSA+SHA256+RSA"), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - #endif -#endif -#ifdef HAVE_ECC - #ifndef NO_SHA256 - ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, "ECDSA+SHA256"), - WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, "ECDSA+SHA256"), - WOLFSSL_SUCCESS); - #ifdef WOLFSSL_SHA512 - ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, - "ECDSA+SHA256:ECDSA+SHA512"), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, - "ECDSA+SHA256:ECDSA+SHA512"), WOLFSSL_SUCCESS); - #elif defined(WOLFSSL_SHA384) - ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, - "ECDSA+SHA256:ECDSA+SHA384"), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, - "ECDSA+SHA256:ECDSA+SHA384"), WOLFSSL_SUCCESS); - #endif - #endif -#endif -#ifdef HAVE_ED25519 - ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, "ED25519"), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, "ED25519"), WOLFSSL_SUCCESS); -#endif -#ifdef HAVE_ED448 - ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, "ED448"), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, "ED448"), WOLFSSL_SUCCESS); -#endif -#ifndef NO_DSA - #ifndef NO_SHA256 - ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, "DSA+SHA256"), - WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, "DSA+SHA256"), - WOLFSSL_SUCCESS); - #endif - #if !defined(NO_SHA) && (!defined(NO_OLD_TLS) || \ - defined(WOLFSSL_ALLOW_TLS_SHA1)) - ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, "DSA+SHA1"), - WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, "DSA+SHA1"), - WOLFSSL_SUCCESS); - #endif + /* Bad cert size. */ + ExpectIntNE(ret = wc_CheckCertSigPubKey(cert_der, 0, NULL, keyDer, keyDerSz, + RSAk), 0); + ExpectTrue(ret == WC_NO_ERR_TRACE(ASN_PARSE_E) || ret == WC_NO_ERR_TRACE(BUFFER_E)); + + /* No public key. */ + ExpectIntEQ(wc_CheckCertSigPubKey(cert_der, cert_dersz, NULL, NULL, + keyDerSz, RSAk), WC_NO_ERR_TRACE(ASN_NO_SIGNER_E)); + + /* Bad public key size. */ + ExpectIntEQ(wc_CheckCertSigPubKey(cert_der, cert_dersz, NULL, keyDer, 0, + RSAk), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + + /* Wrong aglo. */ + ExpectIntEQ(wc_CheckCertSigPubKey(cert_der, cert_dersz, NULL, keyDer, + keyDerSz, ECDSAk), WC_NO_ERR_TRACE(ASN_PARSE_E)); + + wc_FreeDecodedCert(&decoded); + if (cert_der != NULL) + free(cert_der); + if (cert_buf != NULL) + free(cert_buf); #endif + return EXPECT_RESULT(); +} - SSL_free(ssl); - SSL_CTX_free(ctx); +static int test_wolfSSL_X509_ext_d2i(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) + X509* x509 = NULL; + + ExpectNotNull(x509 = wolfSSL_X509_new()); + + ExpectNull(wolfSSL_X509_get_ext_d2i(x509, NID_basic_constraints, + NULL, NULL)); + ExpectNull(wolfSSL_X509_get_ext_d2i(x509, NID_subject_alt_name, + NULL, NULL)); + ExpectNull(wolfSSL_X509_get_ext_d2i(x509, NID_authority_key_identifier, + NULL, NULL)); + ExpectNull(wolfSSL_X509_get_ext_d2i(x509, NID_subject_key_identifier, + NULL, NULL)); + ExpectNull(wolfSSL_X509_get_ext_d2i(x509, NID_key_usage, + NULL, NULL)); + ExpectNull(wolfSSL_X509_get_ext_d2i(x509, NID_crl_distribution_points, + NULL, NULL)); + ExpectNull(wolfSSL_X509_get_ext_d2i(x509, NID_ext_key_usage, + NULL, NULL)); + ExpectNull(wolfSSL_X509_get_ext_d2i(x509, NID_info_access, + NULL, NULL)); + ExpectNull(wolfSSL_X509_get_ext_d2i(x509, NID_certificate_policies, + NULL, NULL)); + /* Invalid NID for an extension. */ + ExpectNull(wolfSSL_X509_get_ext_d2i(x509, NID_description, + NULL, NULL)); + + wolfSSL_X509_free(x509); #endif return EXPECT_RESULT(); } -/* Testing wolfSSL_set_tlsext_status_type function. - * PRE: OPENSSL and HAVE_CERTIFICATE_STATUS_REQUEST defined. - */ -static int test_wolfSSL_set_tlsext_status_type(void) +static int test_wolfSSL_certs(void) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && defined(HAVE_CERTIFICATE_STATUS_REQUEST) && \ - !defined(NO_RSA) && !defined(NO_WOLFSSL_SERVER) - SSL* ssl = NULL; - SSL_CTX* ctx = NULL; +#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_FILESYSTEM) && \ + !defined(NO_TLS) && !defined(NO_RSA) + X509* x509ext = NULL; + X509* x509 = NULL; +#ifdef OPENSSL_ALL + WOLFSSL_X509_EXTENSION* ext = NULL; + ASN1_OBJECT* obj = NULL; +#endif + WOLFSSL* ssl = NULL; + WOLFSSL_CTX* ctx = NULL; + STACK_OF(ASN1_OBJECT)* sk = NULL; + ASN1_STRING* asn1_str = NULL; + AUTHORITY_KEYID* akey = NULL; + WOLFSSL_STACK* skid = NULL; + BASIC_CONSTRAINTS* bc = NULL; + int crit = 0; - ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); - ExpectTrue(SSL_CTX_use_certificate_file(ctx, svrCertFile, - SSL_FILETYPE_PEM)); +#ifndef NO_WOLFSSL_SERVER + ExpectNotNull(ctx = SSL_CTX_new(SSLv23_server_method())); +#else + ExpectNotNull(ctx = SSL_CTX_new(SSLv23_client_method())); +#endif + ExpectTrue(SSL_CTX_use_certificate_file(ctx, svrCertFile, SSL_FILETYPE_PEM)); + ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, SSL_FILETYPE_PEM)); + ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, cliKeyFile, SSL_FILETYPE_PEM)); + #if !defined(NO_CHECK_PRIVATE_KEY) + ExpectIntEQ(SSL_CTX_check_private_key(ctx), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + #endif ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, SSL_FILETYPE_PEM)); + #if !defined(NO_CHECK_PRIVATE_KEY) + ExpectIntEQ(SSL_CTX_check_private_key(ctx), SSL_SUCCESS); + #endif ExpectNotNull(ssl = SSL_new(ctx)); - ExpectIntEQ(SSL_set_tlsext_status_type(ssl,TLSEXT_STATUSTYPE_ocsp), - SSL_SUCCESS); - ExpectIntEQ(SSL_get_tlsext_status_type(ssl), TLSEXT_STATUSTYPE_ocsp); - SSL_free(ssl); - SSL_CTX_free(ctx); -#endif /* OPENSSL_EXTRA && HAVE_CERTIFICATE_STATUS_REQUEST && !NO_RSA */ - return EXPECT_RESULT(); -} -#ifndef NO_BIO + /* Invalid parameters. */ + ExpectIntEQ(SSL_use_certificate_file(NULL, NULL, WOLFSSL_FILETYPE_PEM), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(SSL_use_certificate_file(ssl, NULL, WOLFSSL_FILETYPE_PEM), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(SSL_use_certificate_file(NULL, "./certs/server-cert.pem", + WOLFSSL_FILETYPE_PEM), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); -#if defined(OPENSSL_EXTRA) -static long bioCallback(BIO *bio, int cmd, const char* argp, int argi, - long argl, long ret) -{ - (void)bio; - (void)cmd; - (void)argp; - (void)argi; - (void)argl; - return ret; -} -#endif + #if !defined(NO_CHECK_PRIVATE_KEY) + ExpectIntEQ(wolfSSL_check_private_key(ssl), WOLFSSL_SUCCESS); + #endif + #ifdef HAVE_PK_CALLBACKS + ExpectIntEQ((int)SSL_set_tlsext_debug_arg(ssl, NULL), WOLFSSL_SUCCESS); + #endif /* HAVE_PK_CALLBACKS */ -static int test_wolfSSL_BIO(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) - const unsigned char* p = NULL; - byte buff[20]; - BIO* bio1 = NULL; - BIO* bio2 = NULL; - BIO* bio3 = NULL; - char* bufPt = NULL; - int i; + /* Invalid parameters. */ + ExpectNotNull(x509 = wolfSSL_X509_new()); + ExpectIntEQ(SSL_use_certificate(NULL, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(SSL_use_certificate(ssl, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(SSL_use_certificate(NULL, x509), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + /* No data in certificate. */ + ExpectIntEQ(SSL_use_certificate(ssl, x509), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + wolfSSL_X509_free(x509); + x509 = NULL; - for (i = 0; i < 20; i++) { - buff[i] = i; - } - /* test BIO_free with NULL */ - ExpectIntEQ(BIO_free(NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + /* create and use x509 */ + ExpectNull(wolfSSL_X509_load_certificate_file(cliCertFileExt, -1)); + ExpectNull(wolfSSL_X509_load_certificate_file("/tmp/badfile", + WOLFSSL_FILETYPE_PEM)); + ExpectNull(wolfSSL_X509_load_certificate_file(NULL, WOLFSSL_FILETYPE_PEM)); + ExpectNull(wolfSSL_X509_load_certificate_file(cliCertFileExt, + WOLFSSL_FILETYPE_ASN1)); +#ifdef OPENSSL_ALL + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFile, + WOLFSSL_FILETYPE_PEM)); +#endif + ExpectNotNull(x509ext = wolfSSL_X509_load_certificate_file(cliCertFileExt, + WOLFSSL_FILETYPE_PEM)); + ExpectIntEQ(SSL_use_certificate(ssl, x509ext), WOLFSSL_SUCCESS); - /* Creating and testing type BIO_s_bio */ - ExpectNotNull(bio1 = BIO_new(BIO_s_bio())); - ExpectNotNull(bio2 = BIO_new(BIO_s_bio())); - ExpectNotNull(bio3 = BIO_new(BIO_s_bio())); - - /* read/write before set up */ - ExpectIntEQ(BIO_read(bio1, buff, 2), WOLFSSL_BIO_UNSET); - ExpectIntEQ(BIO_write(bio1, buff, 2), WOLFSSL_BIO_UNSET); - - ExpectIntEQ(BIO_set_nbio(bio1, 1), 1); - ExpectIntEQ(BIO_set_write_buf_size(bio1, 20), WOLFSSL_SUCCESS); - ExpectIntEQ(BIO_set_write_buf_size(bio2, 8), WOLFSSL_SUCCESS); - ExpectIntEQ(BIO_make_bio_pair(bio1, bio2), WOLFSSL_SUCCESS); - - ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 10), 10); - ExpectNotNull(XMEMCPY(bufPt, buff, 10)); - ExpectIntEQ(BIO_write(bio1, buff + 10, 10), 10); - /* write buffer full */ - ExpectIntEQ(BIO_write(bio1, buff, 10), WOLFSSL_BIO_ERROR); - ExpectIntEQ(BIO_flush(bio1), WOLFSSL_SUCCESS); - ExpectIntEQ((int)BIO_ctrl_pending(bio1), 0); - - /* write the other direction with pair */ - ExpectIntEQ((int)BIO_nwrite(bio2, &bufPt, 10), 8); - ExpectNotNull(XMEMCPY(bufPt, buff, 8)); - ExpectIntEQ(BIO_write(bio2, buff, 10), WOLFSSL_BIO_ERROR); - - /* try read */ - ExpectIntEQ((int)BIO_ctrl_pending(bio1), 8); - ExpectIntEQ((int)BIO_ctrl_pending(bio2), 20); - - /* try read using ctrl function */ - ExpectIntEQ((int)BIO_ctrl(bio1, BIO_CTRL_WPENDING, 0, NULL), 8); - ExpectIntEQ((int)BIO_ctrl(bio1, BIO_CTRL_PENDING, 0, NULL), 8); - ExpectIntEQ((int)BIO_ctrl(bio2, BIO_CTRL_WPENDING, 0, NULL), 20); - ExpectIntEQ((int)BIO_ctrl(bio2, BIO_CTRL_PENDING, 0, NULL), 20); - - ExpectIntEQ(BIO_nread(bio2, &bufPt, (int)BIO_ctrl_pending(bio2)), 20); - for (i = 0; i < 20; i++) { - ExpectIntEQ((int)bufPt[i], i); - } - ExpectIntEQ(BIO_nread(bio2, &bufPt, 1), 0); - ExpectIntEQ(BIO_nread(bio1, &bufPt, (int)BIO_ctrl_pending(bio1)), 8); - for (i = 0; i < 8; i++) { - ExpectIntEQ((int)bufPt[i], i); - } - ExpectIntEQ(BIO_nread(bio1, &bufPt, 1), 0); - ExpectIntEQ(BIO_ctrl_reset_read_request(bio1), 1); - - /* new pair */ - ExpectIntEQ(BIO_make_bio_pair(bio1, bio3), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - BIO_free(bio2); /* free bio2 and automatically remove from pair */ - bio2 = NULL; - ExpectIntEQ(BIO_make_bio_pair(bio1, bio3), WOLFSSL_SUCCESS); - ExpectIntEQ((int)BIO_ctrl_pending(bio3), 0); - ExpectIntEQ(BIO_nread(bio3, &bufPt, 10), 0); - - /* test wrap around... */ - ExpectIntEQ(BIO_reset(bio1), 1); - ExpectIntEQ(BIO_reset(bio3), 1); - - /* fill write buffer, read only small amount then write again */ - ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 20), 20); - ExpectNotNull(XMEMCPY(bufPt, buff, 20)); - ExpectIntEQ(BIO_nread(bio3, &bufPt, 4), 4); - for (i = 0; i < 4; i++) { - ExpectIntEQ(bufPt[i], i); - } - - /* try writing over read index */ - ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 5), 4); - ExpectNotNull(XMEMSET(bufPt, 0, 4)); - ExpectIntEQ((int)BIO_ctrl_pending(bio3), 20); - - /* read and write 0 bytes */ - ExpectIntEQ(BIO_nread(bio3, &bufPt, 0), 0); - ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 0), 0); - - /* should read only to end of write buffer then need to read again */ - ExpectIntEQ(BIO_nread(bio3, &bufPt, 20), 16); - for (i = 0; i < 16; i++) { - ExpectIntEQ(bufPt[i], buff[4 + i]); - } - - ExpectIntEQ(BIO_nread(bio3, NULL, 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(BIO_nread0(bio3, &bufPt), 4); - for (i = 0; i < 4; i++) { - ExpectIntEQ(bufPt[i], 0); - } - - /* read index should not have advanced with nread0 */ - ExpectIntEQ(BIO_nread(bio3, &bufPt, 5), 4); - for (i = 0; i < 4; i++) { - ExpectIntEQ(bufPt[i], 0); - } - - /* write and fill up buffer checking reset of index state */ - ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 20), 20); - ExpectNotNull(XMEMCPY(bufPt, buff, 20)); - - /* test reset on data in bio1 write buffer */ - ExpectIntEQ(BIO_reset(bio1), 1); - ExpectIntEQ((int)BIO_ctrl_pending(bio3), 0); - ExpectIntEQ(BIO_nread(bio3, &bufPt, 3), 0); - ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 20), 20); - ExpectIntEQ((int)BIO_ctrl(bio1, BIO_CTRL_INFO, 0, &p), 20); - ExpectNotNull(p); - ExpectNotNull(XMEMCPY(bufPt, buff, 20)); - ExpectIntEQ(BIO_nread(bio3, &bufPt, 6), 6); - for (i = 0; i < 6; i++) { - ExpectIntEQ(bufPt[i], i); - } - - /* test case of writing twice with offset read index */ - ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 3), 3); - ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 4), 3); /* try overwriting */ - ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 4), WOLFSSL_BIO_ERROR); - ExpectIntEQ(BIO_nread(bio3, &bufPt, 0), 0); - ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 4), WOLFSSL_BIO_ERROR); - ExpectIntEQ(BIO_nread(bio3, &bufPt, 1), 1); - ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 4), 1); - ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 4), WOLFSSL_BIO_ERROR); + #if !defined(NO_CHECK_PRIVATE_KEY) + /* with loading in a new cert the check on private key should now fail */ + ExpectIntNE(wolfSSL_check_private_key(ssl), WOLFSSL_SUCCESS); + #endif - BIO_free(bio1); - bio1 = NULL; - BIO_free(bio3); - bio3 = NULL; - #if defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO) - { - BIO* bioA = NULL; - BIO* bioB = NULL; - ExpectIntEQ(BIO_new_bio_pair(NULL, 256, NULL, 256), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(BIO_new_bio_pair(&bioA, 256, &bioB, 256), WOLFSSL_SUCCESS); - BIO_free(bioA); - bioA = NULL; - BIO_free(bioB); - bioB = NULL; - } - #endif /* OPENSSL_ALL || WOLFSSL_ASIO */ - - /* BIOs with file pointers */ - #if !defined(NO_FILESYSTEM) + #if defined(USE_CERT_BUFFERS_2048) + /* Invalid parameters. */ + ExpectIntEQ(SSL_use_certificate_ASN1(NULL, NULL, 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(SSL_use_certificate_ASN1(ssl, NULL, 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(SSL_use_certificate_ASN1(NULL, + (unsigned char*)server_cert_der_2048, 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + /* No data. */ + ExpectIntEQ(SSL_use_certificate_ASN1(ssl, + (unsigned char*)server_cert_der_2048, 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + + ExpectIntEQ(SSL_use_certificate_ASN1(ssl, + (unsigned char*)server_cert_der_2048, + sizeof_server_cert_der_2048), WOLFSSL_SUCCESS); + #endif + + #if !defined(NO_SHA) && !defined(NO_SHA256) && !defined(NO_PWDBASED) + /************* Get Digest of Certificate ******************/ { - XFILE f1 = XBADFILE; - XFILE f2 = XBADFILE; - BIO* f_bio1 = NULL; - BIO* f_bio2 = NULL; - unsigned char cert[300]; - char testFile[] = "tests/bio_write_test.txt"; - char msg[] = "bio_write_test.txt contains the first 300 bytes of certs/server-cert.pem\ncreated by tests/unit.test\n\n"; - - ExpectNotNull(f_bio1 = BIO_new(BIO_s_file())); - ExpectNotNull(f_bio2 = BIO_new(BIO_s_file())); - - /* Failure due to wrong BIO type */ - ExpectIntEQ((int)BIO_set_mem_eof_return(f_bio1, -1), 0); - ExpectIntEQ((int)BIO_set_mem_eof_return(NULL, -1), 0); - - ExpectTrue((f1 = XFOPEN(svrCertFile, "rb+")) != XBADFILE); - ExpectIntEQ((int)BIO_set_fp(f_bio1, f1, BIO_CLOSE), WOLFSSL_SUCCESS); - ExpectIntEQ(BIO_write_filename(f_bio2, testFile), - WOLFSSL_SUCCESS); + byte digest[64]; /* max digest size */ + word32 digestSz; + X509* x509Empty = NULL; + + XMEMSET(digest, 0, sizeof(digest)); + ExpectIntEQ(X509_digest(NULL, wolfSSL_EVP_sha1(), digest, &digestSz), + WOLFSSL_FAILURE); + ExpectIntEQ(X509_digest(x509ext, NULL, digest, &digestSz), + WOLFSSL_FAILURE); + ExpectIntEQ(X509_digest(x509ext, wolfSSL_EVP_sha1(), NULL, &digestSz), + WOLFSSL_FAILURE); + ExpectIntEQ(X509_digest(x509ext, wolfSSL_EVP_sha1(), digest, NULL), + WOLFSSL_SUCCESS); + ExpectIntEQ(X509_digest(x509ext, wolfSSL_EVP_sha1(), digest, &digestSz), + WOLFSSL_SUCCESS); + ExpectIntEQ(X509_digest(x509ext, wolfSSL_EVP_sha256(), digest, + &digestSz), WOLFSSL_SUCCESS); + + ExpectNotNull(x509Empty = wolfSSL_X509_new()); + ExpectIntEQ(X509_digest(x509Empty, wolfSSL_EVP_sha256(), digest, + &digestSz), WOLFSSL_FAILURE); + wolfSSL_X509_free(x509Empty); + } + #endif /* !NO_SHA && !NO_SHA256 && !NO_PWDBASED */ - ExpectIntEQ(BIO_read(f_bio1, cert, sizeof(cert)), sizeof(cert)); - ExpectIntEQ(BIO_tell(f_bio1),sizeof(cert)); - ExpectIntEQ(BIO_write(f_bio2, msg, sizeof(msg)), sizeof(msg)); - ExpectIntEQ(BIO_tell(f_bio2),sizeof(msg)); - ExpectIntEQ(BIO_write(f_bio2, cert, sizeof(cert)), sizeof(cert)); - ExpectIntEQ(BIO_tell(f_bio2),sizeof(cert) + sizeof(msg)); - - ExpectIntEQ((int)BIO_get_fp(f_bio2, &f2), WOLFSSL_SUCCESS); - ExpectIntEQ(BIO_reset(f_bio2), 1); - ExpectIntEQ(BIO_tell(NULL),-1); - ExpectIntEQ(BIO_tell(f_bio2),0); - ExpectIntEQ(BIO_seek(f_bio2, 4), 0); - ExpectIntEQ(BIO_tell(f_bio2),4); - - BIO_free(f_bio1); - f_bio1 = NULL; - BIO_free(f_bio2); - f_bio2 = NULL; - - ExpectNotNull(f_bio1 = BIO_new_file(svrCertFile, "rb+")); - ExpectIntEQ((int)BIO_set_mem_eof_return(f_bio1, -1), 0); - ExpectIntEQ(BIO_read(f_bio1, cert, sizeof(cert)), sizeof(cert)); - BIO_free(f_bio1); - f_bio1 = NULL; - } - #endif /* !defined(NO_FILESYSTEM) */ - - /* BIO info callback */ + #if !defined(NO_SHA) && !defined(NO_SHA256) && !defined(NO_PWDBASED) + /************* Get Digest of Certificate ******************/ { - const char* testArg = "test"; - BIO* cb_bio = NULL; - ExpectNotNull(cb_bio = BIO_new(BIO_s_mem())); + byte digest[64]; /* max digest size */ + word32 digestSz; + X509* x509Empty = NULL; - BIO_set_callback(cb_bio, bioCallback); - ExpectNotNull(BIO_get_callback(cb_bio)); - BIO_set_callback(cb_bio, NULL); - ExpectNull(BIO_get_callback(cb_bio)); + XMEMSET(digest, 0, sizeof(digest)); + ExpectIntEQ(X509_pubkey_digest(NULL, wolfSSL_EVP_sha1(), digest, + &digestSz), WOLFSSL_FAILURE); + ExpectIntEQ(X509_pubkey_digest(x509ext, NULL, digest, &digestSz), + WOLFSSL_FAILURE); + ExpectIntEQ(X509_pubkey_digest(x509ext, wolfSSL_EVP_sha1(), NULL, + &digestSz), WOLFSSL_FAILURE); + ExpectIntEQ(X509_pubkey_digest(x509ext, wolfSSL_EVP_sha1(), digest, + NULL), WOLFSSL_SUCCESS); + ExpectIntEQ(X509_pubkey_digest(x509ext, wolfSSL_EVP_sha1(), digest, + &digestSz), WOLFSSL_SUCCESS); + ExpectIntEQ(X509_pubkey_digest(x509ext, wolfSSL_EVP_sha256(), digest, + &digestSz), WOLFSSL_SUCCESS); + + ExpectNotNull(x509Empty = wolfSSL_X509_new()); + ExpectIntEQ(X509_pubkey_digest(x509Empty, wolfSSL_EVP_sha256(), digest, + &digestSz), WOLFSSL_FAILURE); + wolfSSL_X509_free(x509Empty); + } + #endif /* !NO_SHA && !NO_SHA256 && !NO_PWDBASED */ + + /* test and checkout X509 extensions */ + ExpectNotNull(bc = (BASIC_CONSTRAINTS*)X509_get_ext_d2i(x509ext, + NID_basic_constraints, NULL, NULL)); + BASIC_CONSTRAINTS_free(bc); + bc = NULL; + ExpectNotNull(bc = (BASIC_CONSTRAINTS*)X509_get_ext_d2i(x509ext, + NID_basic_constraints, &crit, NULL)); + ExpectIntEQ(crit, 0); - BIO_set_callback_arg(cb_bio, (char*)testArg); - ExpectStrEQ(BIO_get_callback_arg(cb_bio), testArg); - ExpectNull(BIO_get_callback_arg(NULL)); +#ifdef OPENSSL_ALL + ExpectNull(X509V3_EXT_i2d(NID_basic_constraints, crit, NULL)); + { + int i; + int unsupportedNid[] = { + 0, + NID_inhibit_any_policy, + NID_certificate_policies, + NID_policy_mappings, + NID_name_constraints, + NID_policy_constraints, + NID_crl_distribution_points + }; + int unsupportedNidCnt = (int)(sizeof(unsupportedNid) / + sizeof(*unsupportedNid)); - BIO_free(cb_bio); - cb_bio = NULL; + for (i = 0; i < unsupportedNidCnt; i++) { + ExpectNotNull(ext = X509V3_EXT_i2d(unsupportedNid[i], crit, bc)); + X509_EXTENSION_free(ext); + ext = NULL; + } } + ExpectNotNull(ext = X509V3_EXT_i2d(NID_basic_constraints, crit, bc)); + X509_EXTENSION_free(ext); + ext = NULL; - /* BIO_vfree */ - ExpectNotNull(bio1 = BIO_new(BIO_s_bio())); - BIO_vfree(NULL); - BIO_vfree(bio1); -#endif - return EXPECT_RESULT(); -} + ExpectNotNull(ext = X509_EXTENSION_new()); + ExpectIntEQ(X509_EXTENSION_set_critical(NULL, 1), WOLFSSL_FAILURE); + ExpectIntEQ(X509_EXTENSION_set_critical(ext, 1), WOLFSSL_SUCCESS); + ExpectNotNull(obj = OBJ_nid2obj(NID_basic_constraints)); + ExpectIntEQ(X509_EXTENSION_set_object(NULL, NULL), SSL_FAILURE); + ExpectIntEQ(X509_EXTENSION_set_object(NULL, obj), SSL_FAILURE); + ExpectIntEQ(X509_EXTENSION_set_object(ext, NULL), SSL_SUCCESS); + ExpectIntEQ(X509_EXTENSION_set_object(ext, obj), SSL_SUCCESS); + /* Check old object is being freed. */ + ExpectIntEQ(X509_EXTENSION_set_object(ext, obj), SSL_SUCCESS); + ASN1_OBJECT_free(obj); + obj = NULL; + X509_EXTENSION_free(ext); + ext = NULL; -static int test_wolfSSL_BIO_BIO_ring_read(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_ALL) - BIO* bio1 = NULL; - BIO* bio2 = NULL; - byte data[50]; - byte tmp[50]; + ExpectNotNull(ext = X509_EXTENSION_new()); + ExpectIntEQ(X509_EXTENSION_set_critical(ext, 0), WOLFSSL_SUCCESS); + ExpectIntEQ(X509_EXTENSION_set_data(ext, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectNotNull(asn1_str = (ASN1_STRING*)X509_get_ext_d2i(x509ext, + NID_key_usage, NULL, NULL)); + ASN1_STRING_free(asn1_str); + asn1_str = NULL; + ExpectNotNull(asn1_str = (ASN1_STRING*)X509_get_ext_d2i(x509ext, + NID_key_usage, &crit, NULL)); + ExpectIntEQ(X509_EXTENSION_set_data(ext, asn1_str), SSL_SUCCESS); + ExpectIntEQ(X509_EXTENSION_set_data(ext, asn1_str), SSL_SUCCESS); + ASN1_STRING_free(asn1_str); /* X509_EXTENSION_set_data has made a copy + * and X509_get_ext_d2i has created new */ + asn1_str = NULL; + X509_EXTENSION_free(ext); + ext = NULL; - XMEMSET(data, 42, sizeof(data)); +#endif + BASIC_CONSTRAINTS_free(NULL); + BASIC_CONSTRAINTS_free(bc); + bc = NULL; + ExpectNotNull(asn1_str = (ASN1_STRING*)X509_get_ext_d2i(x509ext, + NID_key_usage, NULL, NULL)); + ASN1_STRING_free(asn1_str); + asn1_str = NULL; + ExpectNotNull(asn1_str = (ASN1_STRING*)X509_get_ext_d2i(x509ext, + NID_key_usage, &crit, NULL)); + ExpectIntEQ(crit, 1); + ExpectIntEQ(asn1_str->type, NID_key_usage); +#ifdef OPENSSL_ALL + ExpectNotNull(ext = X509V3_EXT_i2d(NID_key_usage, crit, asn1_str)); + X509_EXTENSION_free(ext); + ext = NULL; +#endif + ASN1_STRING_free(asn1_str); + asn1_str = NULL; - ExpectIntEQ(BIO_new_bio_pair(&bio1, sizeof(data), &bio2, sizeof(data)), - SSL_SUCCESS); +#ifdef OPENSSL_ALL + ExpectNotNull(sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509, + NID_ext_key_usage, NULL, NULL)); + EXTENDED_KEY_USAGE_free(NULL); + EXTENDED_KEY_USAGE_free(sk); + sk = NULL; + ExpectNotNull(sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509, + NID_ext_key_usage, &crit, NULL)); + ExpectNotNull(ext = X509V3_EXT_i2d(NID_ext_key_usage, crit, sk)); + X509_EXTENSION_free(ext); + ext = NULL; + EXTENDED_KEY_USAGE_free(sk); + sk = NULL; +#else + sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509ext, NID_ext_key_usage, + &crit, NULL); + ExpectNull(sk); +#endif - ExpectIntEQ(BIO_write(bio1, data, 40), 40); - ExpectIntEQ(BIO_read(bio1, tmp, 20), -1); - ExpectIntEQ(BIO_read(bio2, tmp, 20), 20); - ExpectBufEQ(tmp, data, 20); - ExpectIntEQ(BIO_write(bio1, data, 20), 20); - ExpectIntEQ(BIO_read(bio2, tmp, 40), 40); - ExpectBufEQ(tmp, data, 40); + ExpectNotNull(akey = (AUTHORITY_KEYID*)X509_get_ext_d2i(x509ext, + NID_authority_key_identifier, NULL, NULL)); + wolfSSL_AUTHORITY_KEYID_free(NULL); + wolfSSL_AUTHORITY_KEYID_free(akey); + akey = NULL; + ExpectNotNull(akey = (AUTHORITY_KEYID*)X509_get_ext_d2i(x509ext, + NID_authority_key_identifier, &crit, NULL)); +#ifdef OPENSSL_ALL + ExpectNotNull(ext = X509V3_EXT_i2d(NID_authority_key_identifier, crit, + akey)); + X509_EXTENSION_free(ext); + ext = NULL; +#endif + wolfSSL_AUTHORITY_KEYID_free(akey); + akey = NULL; - BIO_free(bio1); - BIO_free(bio2); + ExpectNotNull(skid = (WOLFSSL_STACK*)X509_get_ext_d2i(x509ext, + NID_subject_key_identifier, NULL, NULL)); + wolfSSL_sk_ASN1_OBJECT_pop_free(skid, wolfSSL_ASN1_OBJECT_free); + skid = NULL; + ExpectNotNull(skid = (WOLFSSL_STACK*)X509_get_ext_d2i(x509ext, + NID_subject_key_identifier, &crit, NULL)); +#ifdef OPENSSL_ALL + ExpectNotNull(ext = X509V3_EXT_i2d(NID_subject_key_identifier, crit, + skid)); + X509_EXTENSION_free(ext); + ext = NULL; #endif - return EXPECT_RESULT(); -} + wolfSSL_sk_ASN1_OBJECT_pop_free(skid, wolfSSL_ASN1_OBJECT_free); + skid = NULL; -#endif /* !NO_BIO */ + /* NID not yet supported */ + ExpectNull(sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509ext, + NID_private_key_usage_period, &crit, NULL)); + ExpectIntEQ(crit, -1); + sk_ASN1_OBJECT_free(sk); + sk = NULL; + ExpectNotNull(sk = (STACK_OF(GENERAL_NAME)*)X509_get_ext_d2i(x509ext, + NID_subject_alt_name, NULL, NULL)); + sk_GENERAL_NAME_free(sk); + sk = NULL; + ExpectNotNull(sk = (STACK_OF(GENERAL_NAME)*)X509_get_ext_d2i(x509ext, + NID_subject_alt_name, &crit, NULL)); + { + int i; + for (i = 0; i < sk_GENERAL_NAME_num(sk); i++) { + GENERAL_NAME* gen = sk_GENERAL_NAME_value(sk, i); + ExpectIntEQ(gen->type, GEN_DNS); + ExpectIntEQ(gen->d.dNSName->type, V_ASN1_IA5STRING); + } + } + sk_GENERAL_NAME_free(sk); + sk = NULL; -static int test_wolfSSL_a2i_IPADDRESS(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_ALL) && !defined(WOLFSSL_USER_IO) - const unsigned char* data = NULL; - int dataSz = 0; - ASN1_OCTET_STRING *st = NULL; + /* NID not yet supported */ + ExpectNull(sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509ext, + NID_issuer_alt_name, &crit, NULL)); + ExpectIntEQ(crit, -1); + sk_ASN1_OBJECT_free(sk); + sk = NULL; - const unsigned char ipv4_exp[] = {0x7F, 0, 0, 1}; - const unsigned char ipv6_exp[] = { - 0x20, 0x21, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x77, 0x77 - }; - const unsigned char ipv6_home[] = { - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 - }; + /* NID not yet supported */ + ExpectNull(sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509ext, + NID_info_access, &crit, NULL)); + sk_ASN1_OBJECT_free(sk); + sk = NULL; - ExpectNull(st = a2i_IPADDRESS("127.0.0.1bad")); - ExpectNotNull(st = a2i_IPADDRESS("127.0.0.1")); - ExpectNotNull(data = ASN1_STRING_get0_data(st)); - ExpectIntEQ(dataSz = ASN1_STRING_length(st), WOLFSSL_IP4_ADDR_LEN); - ExpectIntEQ(XMEMCMP(data, ipv4_exp, dataSz), 0); - ASN1_STRING_free(st); - st = NULL; + /* NID not yet supported */ + ExpectNull(sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509ext, + NID_sinfo_access, &crit, NULL)); + ExpectIntEQ(crit, -1); + sk_ASN1_OBJECT_free(sk); + sk = NULL; - ExpectNotNull(st = a2i_IPADDRESS("::1")); - ExpectNotNull(data = ASN1_STRING_get0_data(st)); - ExpectIntEQ(dataSz = ASN1_STRING_length(st), WOLFSSL_IP6_ADDR_LEN); - ExpectIntEQ(XMEMCMP(data, ipv6_home, dataSz), 0); - ASN1_STRING_free(st); - st = NULL; + /* NID not yet supported */ + ExpectNull(sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509ext, + NID_name_constraints, &crit, NULL)); + ExpectIntEQ(crit, -1); + sk_ASN1_OBJECT_free(sk); + sk = NULL; - ExpectNotNull(st = a2i_IPADDRESS("2021:db8::ff00:42:7777")); - ExpectNotNull(data = ASN1_STRING_get0_data(st)); - ExpectIntEQ(dataSz = ASN1_STRING_length(st), WOLFSSL_IP6_ADDR_LEN); - ExpectIntEQ(XMEMCMP(data, ipv6_exp, dataSz), 0); - ASN1_STRING_free(st); -#endif - return EXPECT_RESULT(); -} + /* no cert policy set */ + ExpectNull(sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509ext, + NID_certificate_policies, &crit, NULL)); + sk_ASN1_OBJECT_free(sk); + sk = NULL; -static int test_wolfSSL_X509_ALGOR_get0(void) -{ - EXPECT_DECLS; -#if (defined(OPENSSL_ALL) || defined(WOLFSSL_APACHE_HTTPD)) && \ - !defined(NO_SHA256) && !defined(NO_RSA) - X509* x509 = NULL; - const ASN1_OBJECT* obj = NULL; - const X509_ALGOR* alg = NULL; - X509_ALGOR* alg2 = NULL; - int pptype = 0; - const void *ppval = NULL; - byte* der = NULL; - const byte* tmp = NULL; - const byte badObj[] = { 0x06, 0x00 }; + /* NID not yet supported */ + ExpectNull(sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509ext, + NID_policy_mappings, &crit, NULL)); + ExpectIntEQ(crit, -1); + sk_ASN1_OBJECT_free(sk); + sk = NULL; - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFile, - SSL_FILETYPE_PEM)); - ExpectNotNull(alg = X509_get0_tbs_sigalg(x509)); + /* NID not yet supported */ + ExpectNull(sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509ext, + NID_policy_constraints, &crit, NULL)); + ExpectIntEQ(crit, -1); + sk_ASN1_OBJECT_free(sk); + sk = NULL; - /* Invalid case */ - X509_ALGOR_get0(&obj, NULL, NULL, NULL); - ExpectNull(obj); + /* NID not yet supported */ + ExpectNull(sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509ext, + NID_inhibit_any_policy, &crit, NULL)); + ExpectIntEQ(crit, -1); + sk_ASN1_OBJECT_free(sk); + sk = NULL; - /* Valid case */ - X509_ALGOR_get0(NULL, NULL, NULL, alg); - X509_ALGOR_get0(&obj, &pptype, &ppval, alg); - ExpectNotNull(obj); - ExpectNull(ppval); - ExpectIntNE(pptype, 0); - /* Make sure NID of X509_ALGOR is Sha256 with RSA */ - ExpectIntEQ(OBJ_obj2nid(obj), NID_sha256WithRSAEncryption); + /* NID not yet supported */ + ExpectNull(sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509ext, + NID_tlsfeature, &crit, NULL)); + ExpectIntEQ(crit, -1); + sk_ASN1_OBJECT_free(sk); + sk = NULL; - ExpectIntEQ(i2d_X509_ALGOR(NULL, NULL), WOLFSSL_FATAL_ERROR); - ExpectIntEQ(i2d_X509_ALGOR(alg, &der), 15); - ExpectNull(d2i_X509_ALGOR(NULL, NULL, 0)); - /* tmp is NULL. */ - ExpectNull(d2i_X509_ALGOR(NULL, &tmp, 0)); - tmp = badObj; - ExpectNull(d2i_X509_ALGOR(NULL, &tmp, (long)sizeof(badObj))); - tmp = der; - ExpectNull(d2i_X509_ALGOR(NULL, &tmp, 0)); - ExpectNotNull(d2i_X509_ALGOR(&alg2, &tmp, 15)); - tmp = der; - ExpectNotNull(d2i_X509_ALGOR(&alg2, &tmp, 15)); + /* test invalid cases */ + crit = 0; + ExpectNull(sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509ext, -1, &crit, + NULL)); + ExpectIntEQ(crit, -1); + /* NULL passed for criticality. */ + ExpectNull(sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(NULL, + NID_tlsfeature, NULL, NULL)); - XFREE(der, NULL, DYNAMIC_TYPE_ASN1); + ExpectIntEQ(SSL_get_hit(ssl), 0); +#ifdef OPENSSL_ALL X509_free(x509); - X509_ALGOR_free(NULL); - X509_ALGOR_free(alg2); - alg2 = NULL; #endif + X509_free(x509ext); + SSL_free(ssl); + SSL_CTX_free(ctx); +#endif /* OPENSSL_EXTRA && !NO_CERTS */ return EXPECT_RESULT(); } - -#if defined(OPENSSL_EXTRA) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \ - !defined(WOLFSSL_HOSTNAME_VERIFY_ALT_NAME_ONLY) - -static int test_wolfSSL_check_domain_verify_count = 0; - -static WC_INLINE int test_wolfSSL_check_domain_verify_cb(int preverify, - WOLFSSL_X509_STORE_CTX* store) -{ - EXPECT_DECLS; - ExpectIntEQ(X509_STORE_CTX_get_error(store), 0); - ExpectIntEQ(preverify, 1); - ExpectIntGT(++test_wolfSSL_check_domain_verify_count, 0); - return EXPECT_SUCCESS(); -} - -static int test_wolfSSL_check_domain_client_cb(WOLFSSL* ssl) +static int test_wolfSSL_private_keys(void) { EXPECT_DECLS; - X509_VERIFY_PARAM *param = NULL; +#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_TLS) && \ + !defined(NO_FILESYSTEM) +#if !defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER) + WOLFSSL* ssl = NULL; + WOLFSSL_CTX* ctx = NULL; + EVP_PKEY* pkey = NULL; - ExpectNotNull(param = SSL_get0_param(ssl)); + OpenSSL_add_all_digests(); + OpenSSL_add_all_algorithms(); - /* Domain check should only be done on the leaf cert */ - X509_VERIFY_PARAM_set_hostflags(param, - X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); - ExpectIntEQ(X509_VERIFY_PARAM_set1_host(param, - "wolfSSL Server Chain", 0), 1); - wolfSSL_set_verify(ssl, WOLFSSL_VERIFY_PEER, - test_wolfSSL_check_domain_verify_cb); - return EXPECT_RESULT(); -} +#ifndef NO_RSA + #ifndef NO_WOLFSSL_SERVER + ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); + #else + ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); + #endif + ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, + WOLFSSL_FILETYPE_PEM)); + /* Have to load a cert before you can check the private key against that + * certificates public key! */ + #if !defined(NO_CHECK_PRIVATE_KEY) + ExpectIntEQ(wolfSSL_CTX_check_private_key(ctx), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + #endif + ExpectTrue(SSL_CTX_use_certificate_file(ctx, svrCertFile, + WOLFSSL_FILETYPE_PEM)); + #if !defined(NO_CHECK_PRIVATE_KEY) + ExpectIntEQ(wolfSSL_CTX_check_private_key(ctx), WOLFSSL_SUCCESS); + #endif + ExpectNotNull(ssl = SSL_new(ctx)); -static int test_wolfSSL_check_domain_server_cb(WOLFSSL_CTX* ctx) -{ - EXPECT_DECLS; - /* Use a cert with different domains in chain */ - ExpectIntEQ(wolfSSL_CTX_use_certificate_chain_file(ctx, - "certs/intermediate/server-chain.pem"), WOLFSSL_SUCCESS); - return EXPECT_RESULT(); -} + #if !defined(NO_CHECK_PRIVATE_KEY) + ExpectIntEQ(wolfSSL_check_private_key(ssl), WOLFSSL_SUCCESS); + #endif -static int test_wolfSSL_check_domain(void) -{ - EXPECT_DECLS; - test_ssl_cbf func_cb_client; - test_ssl_cbf func_cb_server; + /* Invalid parameters. */ + ExpectIntEQ(SSL_use_PrivateKey_file(NULL, NULL, WOLFSSL_FILETYPE_PEM), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(SSL_use_PrivateKey_file(NULL, svrKeyFile, WOLFSSL_FILETYPE_PEM), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(SSL_use_PrivateKey_file(ssl, NULL, WOLFSSL_FILETYPE_PEM), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - XMEMSET(&func_cb_client, 0, sizeof(func_cb_client)); - XMEMSET(&func_cb_server, 0, sizeof(func_cb_server)); +#ifdef USE_CERT_BUFFERS_2048 + { + const unsigned char* server_key = (const unsigned char*)server_key_der_2048; + unsigned char buf[FOURK_BUF]; + word32 bufSz; - func_cb_client.ssl_ready = &test_wolfSSL_check_domain_client_cb; - func_cb_server.ctx_ready = &test_wolfSSL_check_domain_server_cb; + /* Invalid parameters. */ + ExpectIntEQ(SSL_use_RSAPrivateKey_ASN1(NULL, NULL, 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(SSL_use_RSAPrivateKey_ASN1(ssl, NULL, 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(SSL_use_RSAPrivateKey_ASN1(NULL, + (unsigned char*)client_key_der_2048, 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(SSL_use_PrivateKey_ASN1(0, NULL, NULL, 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(SSL_use_PrivateKey_ASN1(0, ssl, NULL, 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(SSL_use_PrivateKey_ASN1(0, NULL, (unsigned char*)server_key, 0), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(SSL_CTX_use_PrivateKey_ASN1(0, NULL, NULL, 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(SSL_CTX_use_PrivateKey_ASN1(0, ctx, NULL, 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(SSL_CTX_use_PrivateKey_ASN1(0, NULL, (unsigned char*)server_key, + 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&func_cb_client, - &func_cb_server, NULL), TEST_SUCCESS); + ExpectIntEQ(SSL_use_RSAPrivateKey_ASN1(ssl, + (unsigned char*)client_key_der_2048, + sizeof_client_key_der_2048), WOLFSSL_SUCCESS); + #if !defined(NO_CHECK_PRIVATE_KEY) + /* Should mismatch now that a different private key loaded */ + ExpectIntNE(wolfSSL_check_private_key(ssl), WOLFSSL_SUCCESS); + #endif - /* Should have been called once for each cert in sent chain */ -#ifdef WOLFSSL_VERIFY_CB_ALL_CERTS - ExpectIntEQ(test_wolfSSL_check_domain_verify_count, 3); -#else - ExpectIntEQ(test_wolfSSL_check_domain_verify_count, 1); -#endif + ExpectIntEQ(SSL_use_PrivateKey_ASN1(0, ssl, + (unsigned char*)server_key, + sizeof_server_key_der_2048), WOLFSSL_SUCCESS); + #if !defined(NO_CHECK_PRIVATE_KEY) + /* After loading back in DER format of original key, should match */ + ExpectIntEQ(wolfSSL_check_private_key(ssl), WOLFSSL_SUCCESS); + #endif - return EXPECT_RESULT(); -} + /* test loading private key to the WOLFSSL_CTX */ + ExpectIntEQ(SSL_CTX_use_PrivateKey_ASN1(0, ctx, + (unsigned char*)client_key_der_2048, + sizeof_client_key_der_2048), WOLFSSL_SUCCESS); -#else + #if !defined(NO_CHECK_PRIVATE_KEY) + /* Should mismatch now that a different private key loaded */ + ExpectIntNE(wolfSSL_CTX_check_private_key(ctx), WOLFSSL_SUCCESS); + #endif -static int test_wolfSSL_check_domain(void) -{ - EXPECT_DECLS; - return EXPECT_RESULT(); -} + ExpectIntEQ(SSL_CTX_use_PrivateKey_ASN1(0, ctx, + (unsigned char*)server_key, + sizeof_server_key_der_2048), WOLFSSL_SUCCESS); + #if !defined(NO_CHECK_PRIVATE_KEY) + /* After loading back in DER format of original key, should match */ + ExpectIntEQ(wolfSSL_CTX_check_private_key(ctx), WOLFSSL_SUCCESS); + #endif -#endif /* OPENSSL_EXTRA && HAVE_SSL_MEMIO_TESTS_DEPENDENCIES */ -#if defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \ - !defined(OPENSSL_COMPATIBLE_DEFAULTS) && !defined(NO_SHA256) -static const char* dn = NULL; -static int test_wolfSSL_check_domain_basic_client_ssl(WOLFSSL* ssl) -{ - EXPECT_DECLS; + /* Invalid parameters. */ + ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); + ExpectIntEQ(SSL_use_PrivateKey(NULL, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(SSL_use_PrivateKey(ssl, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(SSL_use_PrivateKey(NULL, pkey), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + /* pkey is empty - no key data to use. */ + ExpectIntEQ(SSL_use_PrivateKey(ssl, pkey), WC_NO_ERR_TRACE(ASN_PARSE_E)); + wolfSSL_EVP_PKEY_free(pkey); + pkey = NULL; - ExpectIntEQ(wolfSSL_check_domain_name(ssl, dn), WOLFSSL_SUCCESS); + /* set PKEY and test again */ + ExpectNotNull(wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, &pkey, + &server_key, (long)sizeof_server_key_der_2048)); + ExpectIntEQ(SSL_use_PrivateKey(ssl, pkey), WOLFSSL_SUCCESS); - return EXPECT_RESULT(); -} -static int test_wolfSSL_check_domain_basic(void) -{ - EXPECT_DECLS; - test_ssl_cbf func_cb_client; - test_ssl_cbf func_cb_server; + /* reuse PKEY structure and test + * this should be checked with a memory management sanity checker */ + ExpectFalse(server_key == (const unsigned char*)server_key_der_2048); + server_key = (const unsigned char*)server_key_der_2048; + ExpectNotNull(wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, &pkey, + &server_key, (long)sizeof_server_key_der_2048)); + ExpectIntEQ(SSL_use_PrivateKey(ssl, pkey), WOLFSSL_SUCCESS); - XMEMSET(&func_cb_client, 0, sizeof(func_cb_client)); - XMEMSET(&func_cb_server, 0, sizeof(func_cb_server)); + /* check striping PKCS8 header with wolfSSL_d2i_PrivateKey */ + bufSz = FOURK_BUF; + ExpectIntGT((bufSz = (word32)wc_CreatePKCS8Key(buf, &bufSz, + (byte*)server_key_der_2048, sizeof_server_key_der_2048, + RSAk, NULL, 0)), 0); + server_key = (const unsigned char*)buf; + ExpectNotNull(wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, &pkey, &server_key, + (long)bufSz)); + } +#endif - dn = "invalid.com"; - func_cb_client.ssl_ready = &test_wolfSSL_check_domain_basic_client_ssl; - /* Expect to fail */ - ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&func_cb_client, - &func_cb_server, NULL), -1001); + EVP_PKEY_free(pkey); + pkey = NULL; + SSL_free(ssl); /* frees x509 also since loaded into ssl */ + ssl = NULL; + SSL_CTX_free(ctx); + ctx = NULL; +#endif /* end of RSA private key match tests */ - dn = "example.com"; - /* Expect to succeed */ - ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&func_cb_client, - &func_cb_server, NULL), TEST_SUCCESS); +#ifdef HAVE_ECC + #ifndef NO_WOLFSSL_SERVER + ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); + #else + ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); + #endif + ExpectTrue(SSL_CTX_use_certificate_file(ctx, eccCertFile, + WOLFSSL_FILETYPE_PEM)); + ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, eccKeyFile, + WOLFSSL_FILETYPE_PEM)); + ExpectNotNull(ssl = SSL_new(ctx)); - return EXPECT_RESULT(); -} -#else -static int test_wolfSSL_check_domain_basic(void) -{ - EXPECT_DECLS; - return EXPECT_RESULT(); -} -#endif /* HAVE_SSL_MEMIO_TESTS_DEPENDENCIES */ + #if !defined(NO_CHECK_PRIVATE_KEY) + ExpectIntEQ(wolfSSL_check_private_key(ssl), WOLFSSL_SUCCESS); + #endif + SSL_free(ssl); + ssl = NULL; -static int test_wolfSSL_BUF(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) - BUF_MEM* buf = NULL; - ExpectNotNull(buf = BUF_MEM_new()); - ExpectIntEQ(BUF_MEM_grow(buf, 10), 10); - ExpectIntEQ(BUF_MEM_grow(buf, -1), 0); - BUF_MEM_free(buf); -#endif - return EXPECT_RESULT(); -} -#if defined(OPENSSL_EXTRA) && !defined(WOLFSSL_NO_OPENSSL_RAND_CB) -static int stub_rand_seed(const void *buf, int num) -{ - (void)buf; - (void)num; + ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, cliEccKeyFile, + WOLFSSL_FILETYPE_PEM)); + ExpectNotNull(ssl = SSL_new(ctx)); - return 123; -} + #ifdef WOLFSSL_VALIDATE_ECC_IMPORT + ExpectIntNE(wolfSSL_check_private_key(ssl), WOLFSSL_SUCCESS); + #endif -static int stub_rand_bytes(unsigned char *buf, int num) -{ - (void)buf; - (void)num; + SSL_free(ssl); + ssl = NULL; + SSL_CTX_free(ctx); + ctx = NULL; +#endif /* end of ECC private key match tests */ - return 456; -} +#if defined(HAVE_ED25519) && defined(HAVE_ED25519_KEY_IMPORT) + #ifndef NO_WOLFSSL_SERVER + ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); + #else + ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); + #endif + ExpectTrue(SSL_CTX_use_certificate_file(ctx, edCertFile, + WOLFSSL_FILETYPE_PEM)); + ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, edKeyFile, + WOLFSSL_FILETYPE_PEM)); + ExpectNotNull(ssl = SSL_new(ctx)); -static byte* was_stub_rand_cleanup_called(void) -{ - static byte was_called = 0; + #if !defined(NO_CHECK_PRIVATE_KEY) + ExpectIntEQ(wolfSSL_check_private_key(ssl), WOLFSSL_SUCCESS); + #endif + SSL_free(ssl); + ssl = NULL; - return &was_called; -} -static void stub_rand_cleanup(void) -{ - byte* was_called = was_stub_rand_cleanup_called(); + ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, cliEdKeyFile, + WOLFSSL_FILETYPE_PEM)); + ExpectNotNull(ssl = SSL_new(ctx)); - *was_called = 1; + #if !defined(NO_CHECK_PRIVATE_KEY) + #ifdef HAVE_ED25519_MAKE_KEY + ExpectIntNE(wolfSSL_check_private_key(ssl), WOLFSSL_SUCCESS); + #else + ExpectIntEQ(wolfSSL_check_private_key(ssl), WOLFSSL_SUCCESS); + #endif + #endif - return; -} + SSL_free(ssl); + ssl = NULL; + SSL_CTX_free(ctx); + ctx = NULL; +#endif /* end of Ed25519 private key match tests */ -static byte* was_stub_rand_add_called(void) -{ - static byte was_called = 0; +#if defined(HAVE_ED448) && defined(HAVE_ED448_KEY_IMPORT) + #ifndef NO_WOLFSSL_SERVER + ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); + #else + ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); + #endif + ExpectTrue(SSL_CTX_use_certificate_file(ctx, ed448CertFile, + WOLFSSL_FILETYPE_PEM)); + ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, ed448KeyFile, + WOLFSSL_FILETYPE_PEM)); + ExpectNotNull(ssl = SSL_new(ctx)); - return &was_called; -} + #if !defined(NO_CHECK_PRIVATE_KEY) + ExpectIntEQ(wolfSSL_check_private_key(ssl), WOLFSSL_SUCCESS); + #endif + SSL_free(ssl); + ssl = NULL; -static int stub_rand_add(const void *buf, int num, double entropy) -{ - byte* was_called = was_stub_rand_add_called(); - (void)buf; - (void)num; - (void)entropy; + ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, cliEd448KeyFile, + WOLFSSL_FILETYPE_PEM)); + ExpectNotNull(ssl = SSL_new(ctx)); - *was_called = 1; + #if !defined(NO_CHECK_PRIVATE_KEY) + ExpectIntNE(wolfSSL_check_private_key(ssl), WOLFSSL_SUCCESS); + #endif - return 0; -} + SSL_free(ssl); + ssl = NULL; + SSL_CTX_free(ctx); + ctx = NULL; +#endif /* end of Ed448 private key match tests */ -static int stub_rand_pseudo_bytes(unsigned char *buf, int num) -{ - (void)buf; - (void)num; + EVP_cleanup(); - return 9876; -} + /* test existence of no-op macros in wolfssl/openssl/ssl.h */ + CONF_modules_free(); + ENGINE_cleanup(); + CONF_modules_unload(); -static int stub_rand_status(void) -{ - return 5432; + (void)ssl; + (void)ctx; + (void)pkey; +#endif /* !NO_WOLFSSL_CLIENT || !NO_WOLFSSL_SERVER */ +#endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) */ + return EXPECT_RESULT(); } -#endif /* OPENSSL_EXTRA && !WOLFSSL_NO_OPENSSL_RAND_CB */ -static int test_wolfSSL_RAND_set_rand_method(void) +static int test_wolfSSL_tmp_dh(void) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(WOLFSSL_NO_OPENSSL_RAND_CB) - RAND_METHOD rand_methods = {NULL, NULL, NULL, NULL, NULL, NULL}; - unsigned char* buf = NULL; - int num = 0; - double entropy = 0; - int ret; - byte* was_cleanup_called = was_stub_rand_cleanup_called(); - byte* was_add_called = was_stub_rand_add_called(); +#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_FILESYSTEM) && \ + !defined(NO_RSA) && !defined(NO_DH) && !defined(NO_BIO) && \ + !defined(NO_TLS) && \ + (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) + byte buff[6000]; + static const unsigned char p[] = { + 0xb0, 0xa1, 0x08, 0x06, 0x9c, 0x08, 0x13, 0xba, + 0x59, 0x06, 0x3c, 0xbc, 0x30, 0xd5, 0xf5, 0x00, + 0xc1, 0x4f, 0x44, 0xa7, 0xd6, 0xef, 0x4a, 0xc6, + 0x25, 0x27, 0x1c, 0xe8, 0xd2, 0x96, 0x53, 0x0a, + 0x5c, 0x91, 0xdd, 0xa2, 0xc2, 0x94, 0x84, 0xbf, + 0x7d, 0xb2, 0x44, 0x9f, 0x9b, 0xd2, 0xc1, 0x8a, + 0xc5, 0xbe, 0x72, 0x5c, 0xa7, 0xe7, 0x91, 0xe6, + 0xd4, 0x9f, 0x73, 0x07, 0x85, 0x5b, 0x66, 0x48, + 0xc7, 0x70, 0xfa, 0xb4, 0xee, 0x02, 0xc9, 0x3d, + 0x9a, 0x4a, 0xda, 0x3d, 0xc1, 0x46, 0x3e, 0x19, + 0x69, 0xd1, 0x17, 0x46, 0x07, 0xa3, 0x4d, 0x9f, + 0x2b, 0x96, 0x17, 0x39, 0x6d, 0x30, 0x8d, 0x2a, + 0xf3, 0x94, 0xd3, 0x75, 0xcf, 0xa0, 0x75, 0xe6, + 0xf2, 0x92, 0x1f, 0x1a, 0x70, 0x05, 0xaa, 0x04, + 0x83, 0x57, 0x30, 0xfb, 0xda, 0x76, 0x93, 0x38, + 0x50, 0xe8, 0x27, 0xfd, 0x63, 0xee, 0x3c, 0xe5, + 0xb7, 0xc8, 0x09, 0xae, 0x6f, 0x50, 0x35, 0x8e, + 0x84, 0xce, 0x4a, 0x00, 0xe9, 0x12, 0x7e, 0x5a, + 0x31, 0xd7, 0x33, 0xfc, 0x21, 0x13, 0x76, 0xcc, + 0x16, 0x30, 0xdb, 0x0c, 0xfc, 0xc5, 0x62, 0xa7, + 0x35, 0xb8, 0xef, 0xb7, 0xb0, 0xac, 0xc0, 0x36, + 0xf6, 0xd9, 0xc9, 0x46, 0x48, 0xf9, 0x40, 0x90, + 0x00, 0x2b, 0x1b, 0xaa, 0x6c, 0xe3, 0x1a, 0xc3, + 0x0b, 0x03, 0x9e, 0x1b, 0xc2, 0x46, 0xe4, 0x48, + 0x4e, 0x22, 0x73, 0x6f, 0xc3, 0x5f, 0xd4, 0x9a, + 0xd6, 0x30, 0x07, 0x48, 0xd6, 0x8c, 0x90, 0xab, + 0xd4, 0xf6, 0xf1, 0xe3, 0x48, 0xd3, 0x58, 0x4b, + 0xa6, 0xb9, 0xcd, 0x29, 0xbf, 0x68, 0x1f, 0x08, + 0x4b, 0x63, 0x86, 0x2f, 0x5c, 0x6b, 0xd6, 0xb6, + 0x06, 0x65, 0xf7, 0xa6, 0xdc, 0x00, 0x67, 0x6b, + 0xbb, 0xc3, 0xa9, 0x41, 0x83, 0xfb, 0xc7, 0xfa, + 0xc8, 0xe2, 0x1e, 0x7e, 0xaf, 0x00, 0x3f, 0x93 + }; + int pSz = (int)sizeof(p); +#if !defined(WOLFSSL_OLD_PRIME_CHECK) && !defined(HAVE_FIPS) && \ + !defined(HAVE_SELFTEST) + static const unsigned char bad_p[] = { + 0xb0, 0xa1, 0x08, 0x06, 0x9c, 0x08, 0x13, 0xba, + 0x59, 0x06, 0x3c, 0xbc, 0x30, 0xd5, 0xf5, 0x00, + 0xc1, 0x4f, 0x44, 0xa7, 0xd6, 0xef, 0x4a, 0xc6, + 0x25, 0x27, 0x1c, 0xe8, 0xd2, 0x96, 0x53, 0x0a, + 0x5c, 0x91, 0xdd, 0xa2, 0xc2, 0x94, 0x84, 0xbf, + 0x7d, 0xb2, 0x44, 0x9f, 0x9b, 0xd2, 0xc1, 0x8a, + 0xc5, 0xbe, 0x72, 0x5c, 0xa7, 0xe7, 0x91, 0xe6, + 0xd4, 0x9f, 0x73, 0x07, 0x85, 0x5b, 0x66, 0x48, + 0xc7, 0x70, 0xfa, 0xb4, 0xee, 0x02, 0xc9, 0x3d, + 0x9a, 0x4a, 0xda, 0x3d, 0xc1, 0x46, 0x3e, 0x19, + 0x69, 0xd1, 0x17, 0x46, 0x07, 0xa3, 0x4d, 0x9f, + 0x2b, 0x96, 0x17, 0x39, 0x6d, 0x30, 0x8d, 0x2a, + 0xf3, 0x94, 0xd3, 0x75, 0xcf, 0xa0, 0x75, 0xe6, + 0xf2, 0x92, 0x1f, 0x1a, 0x70, 0x05, 0xaa, 0x04, + 0x83, 0x57, 0x30, 0xfb, 0xda, 0x76, 0x93, 0x38, + 0x50, 0xe8, 0x27, 0xfd, 0x63, 0xee, 0x3c, 0xe5, + 0xb7, 0xc8, 0x09, 0xae, 0x6f, 0x50, 0x35, 0x8e, + 0x84, 0xce, 0x4a, 0x00, 0xe9, 0x12, 0x7e, 0x5a, + 0x31, 0xd7, 0x33, 0xfc, 0x21, 0x13, 0x76, 0xcc, + 0x16, 0x30, 0xdb, 0x0c, 0xfc, 0xc5, 0x62, 0xa7, + 0x35, 0xb8, 0xef, 0xb7, 0xb0, 0xac, 0xc0, 0x36, + 0xf6, 0xd9, 0xc9, 0x46, 0x48, 0xf9, 0x40, 0x90, + 0x00, 0x2b, 0x1b, 0xaa, 0x6c, 0xe3, 0x1a, 0xc3, + 0x0b, 0x03, 0x9e, 0x1b, 0xc2, 0x46, 0xe4, 0x48, + 0x4e, 0x22, 0x73, 0x6f, 0xc3, 0x5f, 0xd4, 0x9a, + 0xd6, 0x30, 0x07, 0x48, 0xd6, 0x8c, 0x90, 0xab, + 0xd4, 0xf6, 0xf1, 0xe3, 0x48, 0xd3, 0x58, 0x4b, + 0xa6, 0xb9, 0xcd, 0x29, 0xbf, 0x68, 0x1f, 0x08, + 0x4b, 0x63, 0x86, 0x2f, 0x5c, 0x6b, 0xd6, 0xb6, + 0x06, 0x65, 0xf7, 0xa6, 0xdc, 0x00, 0x67, 0x6b, + 0xbb, 0xc3, 0xa9, 0x41, 0x83, 0xfb, 0xc7, 0xfa, + 0xc8, 0xe2, 0x1e, 0x7e, 0xaf, 0x00, 0x3f, 0x91 + }; +#endif + static const unsigned char g[] = { 0x02 }; + int gSz = (int)sizeof(g); +#if !defined(NO_DSA) + char file[] = "./certs/dsaparams.pem"; + DSA* dsa = NULL; +#else + char file[] = "./certs/dh2048.pem"; +#endif + XFILE f = XBADFILE; + int bytes = 0; + DH* dh = NULL; + DH* dh2 = NULL; + BIO* bio = NULL; + SSL* ssl = NULL; + SSL_CTX* ctx = NULL; +#ifndef NO_WOLFSSL_CLIENT + SSL* ssl_c = NULL; + SSL_CTX* ctx_c = NULL; +#endif - ExpectNotNull(buf = (byte*)XMALLOC(32 * sizeof(byte), NULL, - DYNAMIC_TYPE_TMP_BUFFER)); +#ifndef NO_WOLFSSL_SERVER + ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); + ExpectTrue(SSL_CTX_use_certificate_file(ctx, svrCertFile, + WOLFSSL_FILETYPE_PEM)); + ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, + WOLFSSL_FILETYPE_PEM)); + ExpectNotNull(ssl = SSL_new(ctx)); +#endif +#ifndef NO_WOLFSSL_CLIENT + ExpectNotNull(ctx_c = SSL_CTX_new(wolfSSLv23_client_method())); + ExpectTrue(SSL_CTX_use_certificate_file(ctx_c, svrCertFile, + WOLFSSL_FILETYPE_PEM)); + ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx_c, svrKeyFile, + WOLFSSL_FILETYPE_PEM)); + ExpectNotNull(ssl_c = SSL_new(ctx_c)); +#ifdef NO_WOLFSSL_SERVER + ctx = ctx_c; + ssl = ssl_c; +#endif +#endif - ExpectIntNE(wolfSSL_RAND_status(), 5432); - ExpectIntEQ(*was_cleanup_called, 0); - RAND_cleanup(); - ExpectIntEQ(*was_cleanup_called, 0); - - - rand_methods.seed = &stub_rand_seed; - rand_methods.bytes = &stub_rand_bytes; - rand_methods.cleanup = &stub_rand_cleanup; - rand_methods.add = &stub_rand_add; - rand_methods.pseudorand = &stub_rand_pseudo_bytes; - rand_methods.status = &stub_rand_status; - - ExpectIntEQ(RAND_set_rand_method(&rand_methods), WOLFSSL_SUCCESS); - ExpectIntEQ(RAND_seed(buf, num), 123); - ExpectIntEQ(RAND_bytes(buf, num), 456); - ExpectIntEQ(RAND_pseudo_bytes(buf, num), 9876); - ExpectIntEQ(RAND_status(), 5432); - - ExpectIntEQ(*was_add_called, 0); - /* The function pointer for RAND_add returns int, but RAND_add itself - * returns void. */ - RAND_add(buf, num, entropy); - ExpectIntEQ(*was_add_called, 1); - was_add_called = 0; - ExpectIntEQ(*was_cleanup_called, 0); - RAND_cleanup(); - ExpectIntEQ(*was_cleanup_called, 1); - *was_cleanup_called = 0; - - - ret = RAND_set_rand_method(NULL); - ExpectIntEQ(ret, WOLFSSL_SUCCESS); - ExpectIntNE(RAND_status(), 5432); - ExpectIntEQ(*was_cleanup_called, 0); - RAND_cleanup(); - ExpectIntEQ(*was_cleanup_called, 0); + XMEMSET(buff, 0, sizeof(buff)); + ExpectTrue((f = XFOPEN(file, "rb")) != XBADFILE); + ExpectIntGT(bytes = (int)XFREAD(buff, 1, sizeof(buff), f), 0); + if (f != XBADFILE) + XFCLOSE(f); - RAND_set_rand_method(NULL); + ExpectNotNull(bio = BIO_new_mem_buf((void*)buff, bytes)); - XFREE(buf, NULL, DYNAMIC_TYPE_TMP_BUFFER); -#endif /* OPENSSL_EXTRA && !WOLFSSL_NO_OPENSSL_RAND_CB */ - return EXPECT_RESULT(); -} +#if !defined(NO_DSA) + dsa = wolfSSL_PEM_read_bio_DSAparams(bio, NULL, NULL, NULL); + ExpectNotNull(dsa); -static int test_wolfSSL_RAND_bytes(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) - const int size1 = RNG_MAX_BLOCK_LEN; /* in bytes */ - const int size2 = RNG_MAX_BLOCK_LEN + 1; /* in bytes */ - const int size3 = RNG_MAX_BLOCK_LEN * 2; /* in bytes */ - const int size4 = RNG_MAX_BLOCK_LEN * 4; /* in bytes */ - int max_bufsize; - byte *my_buf = NULL; -#if defined(OPENSSL_EXTRA) && defined(HAVE_GETPID) && !defined(__MINGW64__) && \ - !defined(__MINGW32__) - byte seed[16] = {0}; - byte randbuf[8] = {0}; - int pipefds[2] = {0}; - pid_t pid = 0; + dh = wolfSSL_DSA_dup_DH(dsa); +#else + dh = wolfSSL_PEM_read_bio_DHparams(bio, NULL, NULL, NULL); +#endif + ExpectNotNull(dh); +#if defined(WOLFSSL_DH_EXTRA) && \ + (defined(WOLFSSL_QT) || defined(OPENSSL_ALL) || defined(WOLFSSL_OPENSSH)) + ExpectNotNull(dh2 = wolfSSL_DH_dup(dh)); + DH_free(dh2); + dh2 = NULL; +#endif + + /* Failure cases */ + ExpectIntEQ((int)wolfSSL_CTX_SetTmpDH(NULL, NULL, 0, NULL, 0), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ((int)wolfSSL_CTX_SetTmpDH(ctx , NULL, 0, NULL, 0), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ((int)wolfSSL_CTX_SetTmpDH(NULL, p , 0, NULL, 0), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ((int)wolfSSL_CTX_SetTmpDH(NULL, NULL, 0, g , 0), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ((int)wolfSSL_CTX_SetTmpDH(ctx , p , 0, NULL, 0), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ((int)wolfSSL_CTX_SetTmpDH(ctx , NULL, 0, g , 0), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ((int)wolfSSL_CTX_SetTmpDH(NULL, p , 0, g , 0), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ((int)wolfSSL_CTX_SetTmpDH(ctx , p , 1, g , 1), + WC_NO_ERR_TRACE(DH_KEY_SIZE_E)); + ExpectIntEQ((int)wolfSSL_CTX_SetTmpDH(ctx , buff, 6000, g , 1), + WC_NO_ERR_TRACE(DH_KEY_SIZE_E)); +#if !defined(WOLFSSL_OLD_PRIME_CHECK) && !defined(HAVE_FIPS) && \ + !defined(HAVE_SELFTEST) + ExpectIntEQ((int)wolfSSL_CTX_SetTmpDH(ctx, bad_p, pSz, g, gSz), + WC_NO_ERR_TRACE(DH_CHECK_PUB_E)); #endif + ExpectIntEQ((int)wolfSSL_SetTmpDH(NULL, NULL, 0, NULL, 0), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ((int)wolfSSL_SetTmpDH(ssl , NULL, 0, NULL, 0), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ((int)wolfSSL_SetTmpDH(NULL, p , 0, NULL, 0), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ((int)wolfSSL_SetTmpDH(NULL, NULL, 0, g , 0), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ((int)wolfSSL_SetTmpDH(ssl , p , 0, NULL, 0), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ((int)wolfSSL_SetTmpDH(ssl , NULL, 0, g , 0), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ((int)wolfSSL_SetTmpDH(NULL, p , 0, g , 0), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ((int)wolfSSL_SetTmpDH(ssl , p , 1, g , 1), + WC_NO_ERR_TRACE(DH_KEY_SIZE_E)); + ExpectIntEQ((int)wolfSSL_SetTmpDH(ssl , buff, 6000, g , 1), + WC_NO_ERR_TRACE(DH_KEY_SIZE_E)); +#if !defined(WOLFSSL_OLD_PRIME_CHECK) && !defined(HAVE_FIPS) && \ + !defined(HAVE_SELFTEST) +#ifndef NO_WOLFSSL_SERVER + /* Parameters will be tested later so it passes now. */ + ExpectIntEQ((int)wolfSSL_SetTmpDH(ssl, bad_p, pSz, g, gSz), + WOLFSSL_SUCCESS); +#endif +#endif +#ifndef NO_WOLFSSL_CLIENT + ExpectIntEQ((int)wolfSSL_SetTmpDH(ssl_c, p, pSz, g, gSz), + WC_NO_ERR_TRACE(SIDE_ERROR)); +#endif + ExpectIntEQ((int)SSL_CTX_set_tmp_dh(NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ((int)SSL_CTX_set_tmp_dh(ctx , NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ((int)SSL_CTX_set_tmp_dh(NULL, dh ), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ((int)SSL_set_tmp_dh(NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ((int)SSL_set_tmp_dh(ssl , NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ((int)SSL_set_tmp_dh(NULL, dh ), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + /* No p/g to use. */ + dh2 = wolfSSL_DH_new(); + ExpectIntEQ((int)SSL_CTX_set_tmp_dh(ctx , dh2 ), WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); + ExpectIntEQ((int)SSL_set_tmp_dh(ssl , dh2 ), WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); + DH_free(dh2); + dh2 = NULL; - /* sanity check */ - ExpectIntEQ(RAND_bytes(NULL, 16), 0); - ExpectIntEQ(RAND_bytes(NULL, 0), 0); - - max_bufsize = size4; - - ExpectNotNull(my_buf = (byte*)XMALLOC(max_bufsize * sizeof(byte), HEAP_HINT, - DYNAMIC_TYPE_TMP_BUFFER)); + ExpectIntEQ((int)wolfSSL_CTX_SetTmpDH(ctx, p, pSz, g, gSz), + WOLFSSL_SUCCESS); + ExpectIntEQ((int)SSL_CTX_set_tmp_dh(ctx, dh), WOLFSSL_SUCCESS); +#ifndef NO_WOLFSSL_SERVER + ExpectIntEQ((int)SSL_set_tmp_dh(ssl, dh), WOLFSSL_SUCCESS); +#else + ExpectIntEQ((int)SSL_set_tmp_dh(ssl, dh), WC_NO_ERR_TRACE(SIDE_ERROR)); +#endif - ExpectIntEQ(RAND_bytes(my_buf, 0), 1); - ExpectIntEQ(RAND_bytes(my_buf, -1), 0); - - ExpectNotNull(XMEMSET(my_buf, 0, max_bufsize)); - ExpectIntEQ(RAND_bytes(my_buf, size1), 1); - ExpectIntEQ(RAND_bytes(my_buf, size2), 1); - ExpectIntEQ(RAND_bytes(my_buf, size3), 1); - ExpectIntEQ(RAND_bytes(my_buf, size4), 1); - XFREE(my_buf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - -#if defined(OPENSSL_EXTRA) && defined(HAVE_GETPID) && !defined(__MINGW64__) && \ - !defined(__MINGW32__) - XMEMSET(seed, 0, sizeof(seed)); - RAND_cleanup(); - - /* No global methods set. */ - ExpectIntEQ(RAND_seed(seed, sizeof(seed)), 1); - - ExpectIntEQ(pipe(pipefds), 0); - pid = fork(); - ExpectIntGE(pid, 0); - if (pid == 0) { - ssize_t n_written = 0; - - /* Child process. */ - close(pipefds[0]); - RAND_bytes(randbuf, sizeof(randbuf)); - n_written = write(pipefds[1], randbuf, sizeof(randbuf)); - close(pipefds[1]); - exit(n_written == sizeof(randbuf) ? 0 : 1); + BIO_free(bio); +#if !defined(NO_DSA) + DSA_free(dsa); +#endif + DH_free(dh); + dh = NULL; +#ifndef NO_WOLFSSL_CLIENT + if (ssl != ssl_c) { + SSL_free(ssl_c); } - else { - /* Parent process. */ - byte childrand[8] = {0}; - int waitstatus = 0; - - close(pipefds[1]); - ExpectIntEQ(RAND_bytes(randbuf, sizeof(randbuf)), 1); - ExpectIntEQ(read(pipefds[0], childrand, sizeof(childrand)), - sizeof(childrand)); - #ifdef WOLFSSL_NO_GETPID - ExpectBufEQ(randbuf, childrand, sizeof(randbuf)); - #else - ExpectBufNE(randbuf, childrand, sizeof(randbuf)); - #endif - close(pipefds[0]); - waitpid(pid, &waitstatus, 0); +#endif + SSL_free(ssl); +#ifndef NO_WOLFSSL_CLIENT + if (ctx != ctx_c) { + SSL_CTX_free(ctx_c); } - RAND_cleanup(); #endif + SSL_CTX_free(ctx); #endif return EXPECT_RESULT(); } -static int test_wolfSSL_RAND(void) +static int test_wolfSSL_ctrl(void) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) - byte seed[16]; - - XMEMSET(seed, 0, sizeof(seed)); - - /* No global methods set. */ - ExpectIntEQ(RAND_seed(seed, sizeof(seed)), 1); - ExpectIntEQ(RAND_poll(), 1); - RAND_cleanup(); - - ExpectIntEQ(RAND_egd(NULL), -1); -#ifndef NO_FILESYSTEM - { - char fname[100]; +#if defined (OPENSSL_EXTRA) && !defined(NO_BIO) + byte buff[6000]; + BIO* bio = NULL; + int bytes; + BUF_MEM* ptr = NULL; - ExpectNotNull(RAND_file_name(fname, (sizeof(fname) - 1))); - ExpectIntEQ(RAND_write_file(NULL), 0); - } -#endif -#endif - return EXPECT_RESULT(); -} + XMEMSET(buff, 0, sizeof(buff)); + bytes = sizeof(buff); + ExpectNotNull(bio = BIO_new_mem_buf((void*)buff, bytes)); + ExpectNotNull(BIO_s_socket()); -#if defined(WC_RNG_SEED_CB) && defined(OPENSSL_EXTRA) -static int wc_DummyGenerateSeed(OS_Seed* os, byte* output, word32 sz) -{ - word32 i; - for (i = 0; i < sz; i++ ) - output[i] = (byte)i; + ExpectIntEQ((int)wolfSSL_BIO_get_mem_ptr(bio, &ptr), WOLFSSL_SUCCESS); - (void)os; + /* needs tested after stubs filled out @TODO + SSL_ctrl + SSL_CTX_ctrl + */ - return 0; + BIO_free(bio); +#endif /* defined(OPENSSL_EXTRA) && !defined(NO_BIO) */ + return EXPECT_RESULT(); } -#endif /* WC_RNG_SEED_CB */ -static int test_wolfSSL_RAND_poll(void) +static int test_wolfSSL_CTX_add_extra_chain_cert(void) { EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_TLS) && \ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) && !defined(NO_BIO) +#if !defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER) + char caFile[] = "./certs/client-ca.pem"; + char clientFile[] = "./certs/client-cert.pem"; + SSL_CTX* ctx = NULL; + X509* x509 = NULL; + BIO *bio = NULL; + X509 *cert = NULL; + X509 *ca = NULL; + STACK_OF(X509) *chain = NULL; + STACK_OF(X509) *chain2 = NULL; -#if defined(OPENSSL_EXTRA) - byte seed[16]; - byte rand1[16]; -#ifdef WC_RNG_SEED_CB - byte rand2[16]; +#ifndef NO_WOLFSSL_SERVER + ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); +#else + ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); #endif - XMEMSET(seed, 0, sizeof(seed)); - ExpectIntEQ(RAND_seed(seed, sizeof(seed)), 1); - ExpectIntEQ(RAND_poll(), 1); - ExpectIntEQ(RAND_bytes(rand1, 16), 1); - RAND_cleanup(); - -#ifdef WC_RNG_SEED_CB - /* Test with custom seed and poll */ - wc_SetSeed_Cb(wc_DummyGenerateSeed); + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(caFile, + WOLFSSL_FILETYPE_PEM)); - ExpectIntEQ(RAND_seed(seed, sizeof(seed)), 1); - ExpectIntEQ(RAND_bytes(rand1, 16), 1); - RAND_cleanup(); + /* Negative tests. */ + ExpectIntEQ((int)SSL_CTX_add_extra_chain_cert(NULL, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ((int)SSL_CTX_add_extra_chain_cert(ctx, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ((int)SSL_CTX_add_extra_chain_cert(NULL, x509), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - /* test that the same value is generated twice with dummy seed function */ - ExpectIntEQ(RAND_seed(seed, sizeof(seed)), 1); - ExpectIntEQ(RAND_bytes(rand2, 16), 1); - ExpectIntEQ(XMEMCMP(rand1, rand2, 16), 0); - RAND_cleanup(); + ExpectIntEQ((int)SSL_CTX_add_extra_chain_cert(ctx, x509), WOLFSSL_SUCCESS); - /* test that doing a poll is reseeding RNG */ - ExpectIntEQ(RAND_seed(seed, sizeof(seed)), 1); - ExpectIntEQ(RAND_poll(), 1); - ExpectIntEQ(RAND_bytes(rand2, 16), 1); - ExpectIntNE(XMEMCMP(rand1, rand2, 16), 0); + ExpectNotNull(x509 = wolfSSL_X509_new()); + /* Empty certificate. */ + ExpectIntEQ((int)SSL_CTX_add_extra_chain_cert(ctx, x509), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + wolfSSL_X509_free(x509); + x509 = NULL; - /* reset the seed function used */ - wc_SetSeed_Cb(WC_GENERATE_SEED_DEFAULT); -#endif - RAND_cleanup(); + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(clientFile, + WOLFSSL_FILETYPE_PEM)); - ExpectIntEQ(RAND_egd(NULL), -1); -#endif + /* additional test of getting EVP_PKEY key size from X509 + * Do not run with user RSA because wolfSSL_RSA_size is not currently + * allowed with user RSA */ + { + EVP_PKEY* pkey = NULL; + #if defined(HAVE_ECC) + X509* ecX509 = NULL; + #endif /* HAVE_ECC */ - return EXPECT_RESULT(); -} + ExpectNotNull(pkey = X509_get_pubkey(x509)); + /* current RSA key is 2048 bit (256 bytes) */ + ExpectIntEQ(EVP_PKEY_size(pkey), 256); + EVP_PKEY_free(pkey); + pkey = NULL; -static int test_wolfSSL_PKCS8_Compat(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_FILESYSTEM) && defined(HAVE_ECC) && \ - !defined(NO_BIO) - PKCS8_PRIV_KEY_INFO* pt = NULL; - PKCS8_PRIV_KEY_INFO* pt2 = NULL; - BIO* bio = NULL; - XFILE f = XBADFILE; - int bytes = 0; - char pkcs8_buffer[512]; -#if defined(OPENSSL_ALL) || defined(WOLFSSL_WPAS_SMALL) - EVP_PKEY *pkey = NULL; -#endif +#if defined(HAVE_ECC) + #if defined(USE_CERT_BUFFERS_256) + ExpectNotNull(ecX509 = wolfSSL_X509_load_certificate_buffer( + cliecc_cert_der_256, sizeof_cliecc_cert_der_256, + SSL_FILETYPE_ASN1)); + #else + ExpectNotNull(ecX509 = wolfSSL_X509_load_certificate_file( + cliEccCertFile, SSL_FILETYPE_PEM)); + #endif + pkey = X509_get_pubkey(ecX509); + ExpectNotNull(pkey); + /* current ECC key is 256 bit (32 bytes) */ + ExpectIntGE(EVP_PKEY_size(pkey), 72); - /* file from wolfssl/certs/ directory */ - ExpectTrue((f = XFOPEN("./certs/ecc-keyPkcs8.pem", "rb")) != XBADFILE); - ExpectIntGT((bytes = (int)XFREAD(pkcs8_buffer, 1, sizeof(pkcs8_buffer), f)), - 0); - if (f != XBADFILE) - XFCLOSE(f); - ExpectNotNull(bio = BIO_new_mem_buf((void*)pkcs8_buffer, bytes)); - ExpectNotNull(pt = d2i_PKCS8_PRIV_KEY_INFO_bio(bio, NULL)); + X509_free(ecX509); + ecX509 = NULL; + EVP_PKEY_free(pkey); + pkey = NULL; +#endif /* HAVE_ECC */ + } -#if defined(OPENSSL_ALL) || defined(WOLFSSL_WPAS_SMALL) - ExpectNotNull(pkey = EVP_PKCS82PKEY(pt)); - ExpectIntEQ(EVP_PKEY_type(pkey->type), EVP_PKEY_EC); + ExpectIntEQ((int)SSL_CTX_add_extra_chain_cert(ctx, x509), SSL_SUCCESS); + if (EXPECT_SUCCESS()) { + x509 = NULL; + } - /* gets PKCS8 pointer to pkey */ - ExpectNotNull(pt2 = EVP_PKEY2PKCS8(pkey)); +#ifdef WOLFSSL_ENCRYPTED_KEYS + ExpectNull(SSL_CTX_get_default_passwd_cb(ctx)); + ExpectNull(SSL_CTX_get_default_passwd_cb_userdata(ctx)); +#endif + SSL_CTX_free(ctx); + ctx = NULL; - EVP_PKEY_free(pkey); +#ifndef NO_WOLFSSL_SERVER + ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); +#else + ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); #endif + /* Test haproxy use case */ + ExpectNotNull(bio = BIO_new_file(svrCertFile, "r")); + /* Read Certificate */ + ExpectNotNull(cert = PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL)); + ExpectNotNull(ca = PEM_read_bio_X509(bio, NULL, NULL, NULL)); + ExpectNotNull(chain = sk_X509_new_null()); + ExpectIntEQ(sk_X509_push(chain, ca), 1); + if (EXPECT_SUCCESS()) { + ca = NULL; + } + ExpectNotNull(chain2 = X509_chain_up_ref(chain)); + ExpectNotNull(ca = sk_X509_shift(chain2)); + ExpectIntEQ(SSL_CTX_use_certificate(ctx, cert), 1); + ExpectIntEQ(SSL_CTX_add_extra_chain_cert(ctx, ca), 1); + if (EXPECT_SUCCESS()) { + ca = NULL; + } BIO_free(bio); - PKCS8_PRIV_KEY_INFO_free(pt); - PKCS8_PRIV_KEY_INFO_free(pt2); -#endif + X509_free(cert); + X509_free(ca); + X509_free(x509); + sk_X509_pop_free(chain, X509_free); + sk_X509_pop_free(chain2, X509_free); + SSL_CTX_free(ctx); +#endif /* !NO_WOLFSSL_CLIENT || !NO_WOLFSSL_SERVER */ +#endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) && !defined (NO_BIO) */ return EXPECT_RESULT(); } -#if defined(OPENSSL_EXTRA) && !defined(NO_FILESYSTEM) && !defined(NO_BIO) -static int NoPasswordCallBack(char* passwd, int sz, int rw, void* userdata) -{ - (void)passwd; - (void)sz; - (void)rw; - (void)userdata; - - return -1; -} -#endif - -static int test_wolfSSL_PKCS8_d2i(void) +#if !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) +static int test_wolfSSL_ERR_peek_last_error_line(void) { EXPECT_DECLS; -#if !defined(HAVE_FIPS) && defined(OPENSSL_EXTRA) - /* This test ends up using HMAC as a part of PBKDF2, and HMAC - * requires a 12 byte password in FIPS mode. This test ends up - * trying to use an 8 byte password. */ - -#ifndef NO_FILESYSTEM - unsigned char pkcs8_buffer[2048]; - const unsigned char* p = NULL; - int bytes = 0; - XFILE file = XBADFILE; - WOLFSSL_EVP_PKEY* pkey = NULL; -#ifndef NO_BIO - BIO* bio = NULL; - #if defined(OPENSSL_ALL) && \ - ((!defined(NO_RSA) && !defined(NO_DES3)) || \ - defined(HAVE_ECC)) && \ - !defined(NO_BIO) && !defined(NO_PWDBASED) && defined(HAVE_PKCS8) - WOLFSSL_EVP_PKEY* evpPkey = NULL; - #endif -#endif -#ifndef NO_RSA - const char rsaDerPkcs8File[] = "./certs/server-keyPkcs8.der"; - const char rsaPemPkcs8File[] = "./certs/server-keyPkcs8.pem"; - #ifndef NO_DES3 - const char rsaDerPkcs8EncFile[] = "./certs/server-keyPkcs8Enc.der"; - #endif -#endif /* NO_RSA */ -#ifdef HAVE_ECC - const char ecDerPkcs8File[] = "certs/ecc-keyPkcs8.der"; - const char ecPemPkcs8File[] = "certs/ecc-keyPkcs8.pem"; - #ifndef NO_DES3 - const char ecDerPkcs8EncFile[] = "certs/ecc-keyPkcs8Enc.der"; - #endif -#endif /* HAVE_ECC */ -#endif /* !NO_FILESYSTEM */ - -#if defined(OPENSSL_ALL) && (!defined(NO_RSA) || defined(HAVE_ECC)) -#ifndef NO_RSA - #ifdef USE_CERT_BUFFERS_1024 - const unsigned char* rsa = (unsigned char*)server_key_der_1024; - int rsaSz = sizeof_server_key_der_1024; - #else - const unsigned char* rsa = (unsigned char*)server_key_der_2048; - int rsaSz = sizeof_server_key_der_2048; - #endif -#endif -#ifdef HAVE_ECC - const unsigned char* ec = (unsigned char*)ecc_key_der_256; - int ecSz = sizeof_ecc_key_der_256; -#endif -#endif /* OPENSSL_ALL && (!NO_RSA || HAVE_ECC) */ - +#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ + !defined(NO_FILESYSTEM) && defined(DEBUG_WOLFSSL) && \ + !defined(NO_OLD_TLS) && !defined(WOLFSSL_NO_TLS12) && \ + defined(HAVE_IO_TESTS_DEPENDENCIES) && !defined(NO_ERROR_QUEUE) + callback_functions client_cb; + callback_functions server_cb; + int line = 0; + int flag = ERR_TXT_STRING; + const char* file = NULL; + const char* data = NULL; -#ifndef NO_FILESYSTEM - (void)pkcs8_buffer; - (void)p; - (void)bytes; - (void)file; -#ifndef NO_BIO - (void)bio; -#endif -#endif + /* create a failed connection and inspect the error */ + XMEMSET(&client_cb, 0, sizeof(callback_functions)); + XMEMSET(&server_cb, 0, sizeof(callback_functions)); + client_cb.method = wolfTLSv1_1_client_method; + server_cb.method = wolfTLSv1_2_server_method; -#ifdef OPENSSL_ALL -#ifndef NO_RSA - /* Try to auto-detect normal RSA private key */ - ExpectNotNull(pkey = d2i_AutoPrivateKey(NULL, &rsa, rsaSz)); - EVP_PKEY_free(pkey); - pkey = NULL; -#endif -#ifdef HAVE_ECC - /* Try to auto-detect normal EC private key */ - ExpectNotNull(pkey = d2i_AutoPrivateKey(NULL, &ec, ecSz)); - EVP_PKEY_free(pkey); - pkey = NULL; -#endif -#endif /* OPENSSL_ALL */ + test_wolfSSL_client_server_nofail(&client_cb, &server_cb); -#ifndef NO_FILESYSTEM -#if defined(OPENSSL_ALL) && !defined(NO_PWDBASED) && defined(HAVE_PKCS8) - ExpectIntEQ(PEM_write_PKCS8PrivateKey(XBADFILE, pkey, NULL, NULL, 0, NULL, - NULL), 0); - ExpectIntEQ(PEM_write_PKCS8PrivateKey(stderr, NULL, NULL, NULL, 0, NULL, - NULL), 0); -#endif + ExpectIntGT(ERR_get_error_line_data(NULL, NULL, &data, &flag), 0); + ExpectNotNull(data); -#ifndef NO_RSA - /* Get DER encoded RSA PKCS#8 data. */ - ExpectTrue((file = XFOPEN(rsaDerPkcs8File, "rb")) != XBADFILE); - ExpectNotNull(XMEMSET(pkcs8_buffer, 0, sizeof(pkcs8_buffer))); - ExpectIntGT((bytes = (int)XFREAD(pkcs8_buffer, 1, sizeof(pkcs8_buffer), - file)), 0); - if (file != XBADFILE) { - XFCLOSE(file); - file = XBADFILE; - } + /* check clearing error state */ + ERR_remove_state(0); + ExpectIntEQ((int)ERR_peek_last_error_line(NULL, NULL), 0); + ERR_peek_last_error_line(NULL, &line); + ExpectIntEQ(line, 0); + ERR_peek_last_error_line(&file, NULL); + ExpectNull(file); - p = pkcs8_buffer; -#ifdef OPENSSL_ALL - /* Try to decode - auto-detect key type. */ - ExpectNotNull(pkey = d2i_AutoPrivateKey(NULL, &p, bytes)); -#else - ExpectNotNull(pkey = d2i_PrivateKey(EVP_PKEY_RSA, NULL, &p, bytes)); -#endif + /* retry connection to fill error queue */ + XMEMSET(&client_cb, 0, sizeof(callback_functions)); + XMEMSET(&server_cb, 0, sizeof(callback_functions)); + client_cb.method = wolfTLSv1_1_client_method; + server_cb.method = wolfTLSv1_2_server_method; - /* Get PEM encoded RSA PKCS#8 data. */ - ExpectTrue((file = XFOPEN(rsaPemPkcs8File, "rb")) != XBADFILE); - ExpectIntGT((bytes = (int)XFREAD(pkcs8_buffer, 1, sizeof(pkcs8_buffer), - file)), 0); - if (file != XBADFILE) { - XFCLOSE(file); - file = XBADFILE; - } -#if defined(OPENSSL_ALL) && \ - !defined(NO_BIO) && !defined(NO_PWDBASED) && defined(HAVE_PKCS8) - ExpectNotNull(bio = BIO_new(BIO_s_mem())); - ExpectIntEQ(PEM_write_bio_PKCS8PrivateKey(NULL, pkey, NULL, NULL, 0, NULL, - NULL), 0); - ExpectIntEQ(PEM_write_bio_PKCS8PrivateKey(bio, NULL, NULL, NULL, 0, NULL, - NULL), 0); - /* Write PKCS#8 PEM to BIO. */ - ExpectIntEQ(PEM_write_bio_PKCS8PrivateKey(bio, pkey, NULL, NULL, 0, NULL, - NULL), bytes); - /* Write PKCS#8 PEM to stderr. */ - ExpectIntEQ(PEM_write_PKCS8PrivateKey(stderr, pkey, NULL, NULL, 0, NULL, - NULL), bytes); - /* Compare file and written data */ - ExpectIntEQ(BIO_get_mem_data(bio, &p), bytes); - ExpectIntEQ(XMEMCMP(p, pkcs8_buffer, bytes), 0); - BIO_free(bio); - bio = NULL; -#if !defined(NO_AES) && defined(HAVE_AESGCM) - ExpectIntEQ(PEM_write_PKCS8PrivateKey(stderr, pkey, EVP_aes_128_gcm(), - NULL, 0, PasswordCallBack, (void*)"yassl123"), 0); -#endif -#if !defined(NO_DES3) && !defined(NO_SHA) - ExpectNotNull(bio = BIO_new(BIO_s_mem())); - /* Write Encrypted PKCS#8 PEM to BIO. */ - bytes = 1834; - ExpectIntEQ(PEM_write_bio_PKCS8PrivateKey(bio, pkey, EVP_des_ede3_cbc(), - NULL, 0, PasswordCallBack, (void*)"yassl123"), bytes); - ExpectIntEQ(PEM_write_PKCS8PrivateKey(stderr, pkey, EVP_des_ede3_cbc(), - NULL, 0, PasswordCallBack, (void*)"yassl123"), bytes); - ExpectNotNull(evpPkey = PEM_read_bio_PrivateKey(bio, NULL, PasswordCallBack, - (void*)"yassl123")); - EVP_PKEY_free(evpPkey); - evpPkey = NULL; - BIO_free(bio); - bio = NULL; -#endif /* !NO_DES3 && !NO_SHA */ -#endif /* !NO_BIO && !NO_PWDBASED && HAVE_PKCS8 */ - EVP_PKEY_free(pkey); - pkey = NULL; + test_wolfSSL_client_server_nofail(&client_cb, &server_cb); - /* PKCS#8 encrypted RSA key */ -#ifndef NO_DES3 - ExpectTrue((file = XFOPEN(rsaDerPkcs8EncFile, "rb")) != XBADFILE); - ExpectNotNull(XMEMSET(pkcs8_buffer, 0, sizeof(pkcs8_buffer))); - ExpectIntGT((bytes = (int)XFREAD(pkcs8_buffer, 1, sizeof(pkcs8_buffer), - file)), 0); - if (file != XBADFILE) { - XFCLOSE(file); - file = XBADFILE; - } -#if defined(OPENSSL_ALL) && \ - !defined(NO_BIO) && !defined(NO_PWDBASED) && defined(HAVE_PKCS8) - ExpectNotNull(bio = BIO_new_mem_buf((void*)pkcs8_buffer, bytes)); - ExpectNotNull(pkey = d2i_PKCS8PrivateKey_bio(bio, NULL, PasswordCallBack, - (void*)"yassl123")); - EVP_PKEY_free(pkey); - pkey = NULL; - BIO_free(bio); - bio = NULL; -#endif /* OPENSSL_ALL && !NO_BIO && !NO_PWDBASED && HAVE_PKCS8 */ -#endif /* !NO_DES3 */ -#endif /* NO_RSA */ + /* check that error code was stored */ + ExpectIntNE((int)ERR_peek_last_error_line(NULL, NULL), 0); + ERR_peek_last_error_line(NULL, &line); + ExpectIntNE(line, 0); + ERR_peek_last_error_line(&file, NULL); + ExpectNotNull(file); -#ifdef HAVE_ECC - /* PKCS#8 encode EC key */ - ExpectTrue((file = XFOPEN(ecDerPkcs8File, "rb")) != XBADFILE); - ExpectNotNull(XMEMSET(pkcs8_buffer, 0, sizeof(pkcs8_buffer))); - ExpectIntGT((bytes = (int)XFREAD(pkcs8_buffer, 1, sizeof(pkcs8_buffer), - file)), 0); - if (file != XBADFILE) { - XFCLOSE(file); - file = XBADFILE; - } + fprintf(stderr, "\nTesting error print out\n"); + ERR_print_errors_fp(stderr); + fprintf(stderr, "Done testing print out\n\n"); +#endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && + * !defined(NO_FILESYSTEM) && !defined(DEBUG_WOLFSSL) */ + return EXPECT_RESULT(); +} +#endif /* !NO_WOLFSSL_CLIENT && !NO_WOLFSSL_SERVER */ - p = pkcs8_buffer; -#ifdef OPENSSL_ALL - /* Try to decode - auto-detect key type. */ - ExpectNotNull(pkey = d2i_AutoPrivateKey(NULL, &p, bytes)); +static int test_wolfSSL_CTX_get0_set1_param(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) +#if !defined(NO_TLS) && \ + (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) + SSL_CTX* ctx = NULL; + WOLFSSL_X509_VERIFY_PARAM* pParam = NULL; + WOLFSSL_X509_VERIFY_PARAM* pvpm = NULL; + char testIPv4[] = "127.0.0.1"; + char testhostName[] = "foo.hoge.com"; + +#ifndef NO_WOLFSSL_SERVER + ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); #else - ExpectNotNull(pkey = d2i_PrivateKey(EVP_PKEY_EC, NULL, &p, bytes)); + ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); #endif - /* Get PEM encoded RSA PKCS#8 data. */ - ExpectTrue((file = XFOPEN(ecPemPkcs8File, "rb")) != XBADFILE); - ExpectNotNull(XMEMSET(pkcs8_buffer, 0, sizeof(pkcs8_buffer))); - ExpectIntGT((bytes = (int)XFREAD(pkcs8_buffer, 1, sizeof(pkcs8_buffer), - file)), 0); - if (file != XBADFILE) { - XFCLOSE(file); - file = XBADFILE; - } -#if defined(OPENSSL_ALL) && \ - !defined(NO_BIO) && !defined(NO_PWDBASED) && defined(HAVE_PKCS8) && \ - defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_256) - ExpectNotNull(bio = BIO_new(BIO_s_mem())); - /* Write PKCS#8 PEM to BIO. */ - ExpectIntEQ(PEM_write_bio_PKCS8PrivateKey(bio, pkey, NULL, NULL, 0, NULL, - NULL), bytes); - ExpectIntEQ(PEM_write_PKCS8PrivateKey(stderr, pkey, NULL, NULL, 0, NULL, - NULL), bytes); - /* Compare file and written data */ - ExpectIntEQ(BIO_get_mem_data(bio, &p), bytes); - ExpectIntEQ(XMEMCMP(p, pkcs8_buffer, bytes), 0); - BIO_free(bio); - bio = NULL; - ExpectNotNull(bio = BIO_new(BIO_s_mem())); - /* Write Encrypted PKCS#8 PEM to BIO (test write 0 then 379) */ - bytes = 379; - ExpectIntEQ(PEM_write_bio_PKCS8PrivateKey(bio, pkey, EVP_aes_256_cbc(), - NULL, 0, NoPasswordCallBack, (void*)"yassl123"), 0); - ExpectIntEQ(PEM_write_bio_PKCS8PrivateKey(bio, pkey, EVP_aes_256_cbc(), - NULL, 0, PasswordCallBack, (void*)"yassl123"), bytes); + ExpectNull(SSL_CTX_get0_param(NULL)); + ExpectNotNull(pParam = SSL_CTX_get0_param(ctx)); - /* invalid cases to stderr */ - #ifdef WOLFSSL_AES_128 - ExpectIntEQ(PEM_write_PKCS8PrivateKey(stderr, pkey, EVP_aes_128_cbc(), - NULL, 0, PasswordCallBack, (void*)"yassl123"), bytes); - ExpectIntEQ(PEM_write_PKCS8PrivateKey(stderr, pkey, EVP_aes_128_cbc(), - (char*)"yassl123", 8, PasswordCallBack, NULL), bytes); - #endif - ExpectIntEQ(PEM_write_PKCS8PrivateKey(stderr, pkey, EVP_aes_256_cbc(), - NULL, 0, PasswordCallBack, (void*)"yassl123"), bytes); - ExpectIntEQ(PEM_write_PKCS8PrivateKey(stderr, pkey, EVP_aes_256_cbc(), - (char*)"yassl123", 8, PasswordCallBack, NULL), bytes); + ExpectNotNull(pvpm = (WOLFSSL_X509_VERIFY_PARAM *)XMALLOC( + sizeof(WOLFSSL_X509_VERIFY_PARAM), NULL, DYNAMIC_TYPE_OPENSSL)); + ExpectNotNull(XMEMSET(pvpm, 0, sizeof(WOLFSSL_X509_VERIFY_PARAM))); - /* read/decode private key with password */ - ExpectNotNull(evpPkey = PEM_read_bio_PrivateKey(bio, NULL, PasswordCallBack, - (void*)"yassl123")); - EVP_PKEY_free(evpPkey); - evpPkey = NULL; - BIO_free(bio); - bio = NULL; + ExpectIntEQ(wolfSSL_X509_VERIFY_PARAM_set1_host(pvpm, testhostName, + (int)XSTRLEN(testhostName)), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(pvpm, testIPv4), + WOLFSSL_SUCCESS); + wolfSSL_X509_VERIFY_PARAM_set_hostflags(pvpm, 0x01); - /* https://github.com/wolfSSL/wolfssl/issues/8610 */ - bytes = (int)XSTRLEN((char *)pkcs8_buffer); - ExpectNotNull(bio = BIO_new_mem_buf((void*)pkcs8_buffer, bytes)); - ExpectIntEQ(BIO_get_mem_data(bio, &p), bytes); - ExpectIntEQ(XMEMCMP(p, pkcs8_buffer, bytes), 0); + ExpectIntEQ(SSL_CTX_set1_param(ctx, pvpm), 1); + ExpectIntEQ(0, XSTRNCMP(pParam->hostName, testhostName, + (int)XSTRLEN(testhostName))); + ExpectIntEQ(0x01, pParam->hostFlags); + ExpectIntEQ(0, XSTRNCMP(pParam->ipasc, testIPv4, WOLFSSL_MAX_IPSTR)); - ExpectNotNull(evpPkey = PEM_read_bio_PrivateKey(bio, NULL, NULL, - (void*)"yassl123")); - ExpectIntEQ(PEM_write_PKCS8PrivateKey(stderr, evpPkey, NULL, - NULL, 0, NULL, NULL), bytes); - EVP_PKEY_free(evpPkey); - evpPkey = NULL; - BIO_free(bio); - bio = NULL; -#endif /* OPENSSL_ALL && !NO_BIO && !NO_PWDBASED && HAVE_PKCS8 && HAVE_AES_CBC */ - EVP_PKEY_free(pkey); - pkey = NULL; + /* test for incorrect parameter */ + ExpectIntEQ(1,SSL_CTX_set1_param(ctx, NULL)); + ExpectIntEQ(1,SSL_CTX_set1_param(NULL, pvpm)); + ExpectIntEQ(1,SSL_CTX_set1_param(NULL, NULL)); - /* PKCS#8 encrypted EC key */ -#ifndef NO_DES3 - ExpectTrue((file = XFOPEN(ecDerPkcs8EncFile, "rb")) != XBADFILE); - ExpectNotNull(XMEMSET(pkcs8_buffer, 0, sizeof(pkcs8_buffer))); - ExpectIntGT((bytes = (int)XFREAD(pkcs8_buffer, 1, sizeof(pkcs8_buffer), - file)), 0); - if (file != XBADFILE) { - XFCLOSE(file); - file = XBADFILE; - } -#if defined(OPENSSL_ALL) && \ - !defined(NO_BIO) && !defined(NO_PWDBASED) && defined(HAVE_PKCS8) - ExpectNotNull(bio = BIO_new_mem_buf((void*)pkcs8_buffer, bytes)); - ExpectNotNull(pkey = d2i_PKCS8PrivateKey_bio(bio, NULL, PasswordCallBack, - (void*)"yassl123")); - EVP_PKEY_free(pkey); - pkey = NULL; - BIO_free(bio); - bio = NULL; -#endif /* OPENSSL_ALL && !NO_BIO && !NO_PWDBASED && HAVE_PKCS8 */ -#endif /* !NO_DES3 */ -#endif /* HAVE_ECC */ + SSL_CTX_free(ctx); -#endif /* !NO_FILESYSTEM */ -#endif /* HAVE_FIPS && OPENSSL_EXTRA */ + XFREE(pvpm, NULL, DYNAMIC_TYPE_OPENSSL); +#endif /* !NO_WOLFSSL_CLIENT || !NO_WOLFSSL_SERVER */ +#endif /* OPENSSL_EXTRA && !defined(NO_RSA)*/ return EXPECT_RESULT(); } -#if !defined(SINGLE_THREADED) && defined(ERROR_QUEUE_PER_THREAD) && \ - !defined(NO_ERROR_QUEUE) && defined(OPENSSL_EXTRA) && \ - defined(DEBUG_WOLFSSL) -#define LOGGING_THREADS 5 -#define ERROR_COUNT 10 -/* copied from logging.c since this is not exposed otherwise */ -#ifndef ERROR_QUEUE_MAX -#ifdef ERROR_QUEUE_PER_THREAD - #define ERROR_QUEUE_MAX 16 +static int test_wolfSSL_get0_param(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_TLS) && \ + (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) && \ + !defined(NO_FILESYSTEM) + SSL_CTX* ctx = NULL; + SSL* ssl = NULL; + +#ifndef NO_WOLFSSL_SERVER + ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); #else - /* this breaks from compat of unlimited error queue size */ - #define ERROR_QUEUE_MAX 100 + ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); #endif + ExpectTrue(SSL_CTX_use_certificate_file(ctx, svrCertFile, + SSL_FILETYPE_PEM)); + ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, SSL_FILETYPE_PEM)); + ExpectNotNull(ssl = SSL_new(ctx)); + + ExpectNotNull(SSL_get0_param(ssl)); + + SSL_free(ssl); + SSL_CTX_free(ctx); #endif + return EXPECT_RESULT(); +} -static volatile int loggingThreadsReady; -static THREAD_RETURN WOLFSSL_THREAD test_logging(void* args) +static int test_wolfSSL_set1_host(void) { - const char* file; - int line; - unsigned long err; - int errorCount = 0; - int i; + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_TLS) && \ + (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) && \ + !defined(NO_FILESYSTEM) + const char host[] = "www.test_wolfSSL_set1_host.com"; + const char emptyStr[] = ""; + SSL_CTX* ctx = NULL; + SSL* ssl = NULL; + WOLFSSL_X509_VERIFY_PARAM* pParam = NULL; - (void)args; +#ifndef NO_WOLFSSL_SERVER + ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); +#else + ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); +#endif + ExpectTrue(SSL_CTX_use_certificate_file(ctx, svrCertFile, + SSL_FILETYPE_PEM)); + ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, SSL_FILETYPE_PEM)); + ExpectNotNull(ssl = SSL_new(ctx)); - while (!loggingThreadsReady); - for (i = 0; i < ERROR_COUNT; i++) - ERR_put_error(ERR_LIB_PEM, SYS_F_ACCEPT, -990 - i, __FILE__, __LINE__); + pParam = SSL_get0_param(ssl); - while ((err = ERR_get_error_line(&file, &line))) { - AssertIntEQ(err, 990 + errorCount); - errorCount++; - } - AssertIntEQ(errorCount, ERROR_COUNT); + /* we should get back host string */ + ExpectIntEQ(SSL_set1_host(ssl, host), WOLFSSL_SUCCESS); + ExpectIntEQ(XMEMCMP(pParam->hostName, host, sizeof(host)), 0); - /* test max queue behavior, trying to add an arbitrary 3 errors over */ - ERR_clear_error(); /* ERR_get_error_line() does not remove */ - errorCount = 0; - for (i = 0; i < ERROR_QUEUE_MAX + 3; i++) - ERR_put_error(ERR_LIB_PEM, SYS_F_ACCEPT, -990 - i, __FILE__, __LINE__); + /* we should get back empty string */ + ExpectIntEQ(SSL_set1_host(ssl, emptyStr), WOLFSSL_SUCCESS); + ExpectIntEQ(XMEMCMP(pParam->hostName, emptyStr, sizeof(emptyStr)), 0); - while ((err = ERR_get_error_line(&file, &line))) { - AssertIntEQ(err, 990 + errorCount); - errorCount++; - } + /* we should get back host string */ + ExpectIntEQ(SSL_set1_host(ssl, host), WOLFSSL_SUCCESS); + ExpectIntEQ(XMEMCMP(pParam->hostName, host, sizeof(host)), 0); - /* test that the 3 errors over the max were dropped */ - AssertIntEQ(errorCount, ERROR_QUEUE_MAX); + /* we should get back empty string */ + ExpectIntEQ(SSL_set1_host(ssl, NULL), WOLFSSL_SUCCESS); + ExpectIntEQ(XMEMCMP(pParam->hostName, emptyStr, sizeof(emptyStr)), 0); - WOLFSSL_RETURN_FROM_THREAD(0); + SSL_free(ssl); + SSL_CTX_free(ctx); +#endif + return EXPECT_RESULT(); +} + +#if defined(OPENSSL_ALL) && !defined(NO_RSA) && !defined(NO_CERTS) && \ + !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) && \ + defined(HAVE_ECC) && !defined(NO_TLS) && defined(HAVE_AESGCM) +static int test_wolfSSL_get_client_ciphers_ctx_ready(WOLFSSL_CTX* ctx) +{ + EXPECT_DECLS; + ExpectTrue(wolfSSL_CTX_set_cipher_list(ctx, "ECDHE-RSA-AES128-GCM-SHA256")); + return EXPECT_RESULT(); +} + + +static int test_wolfSSL_get_client_ciphers_on_result(WOLFSSL* ssl) { + EXPECT_DECLS; + WOLF_STACK_OF(WOLFSSL_CIPHER)* ciphers; + + ciphers = SSL_get_client_ciphers(ssl); + if (wolfSSL_is_server(ssl) == 0) { + ExpectNull(ciphers); + } + else { + WOLFSSL_CIPHER* current; + + /* client should have only sent over one cipher suite */ + ExpectNotNull(ciphers); + ExpectIntEQ(sk_SSL_CIPHER_num(ciphers), 1); + current = sk_SSL_CIPHER_value(ciphers, 0); + ExpectNotNull(current); + #if !defined(WOLFSSL_CIPHER_INTERNALNAME) && !defined(NO_ERROR_STRINGS) && \ + !defined(WOLFSSL_QT) + ExpectStrEQ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", + SSL_CIPHER_get_name(current)); + #else + ExpectStrEQ("ECDHE-RSA-AES128-GCM-SHA256", + SSL_CIPHER_get_name(current)); + #endif + } + return EXPECT_RESULT(); } #endif -static int test_error_queue_per_thread(void) +static int test_wolfSSL_get_client_ciphers(void) { - int res = TEST_SKIPPED; -#if !defined(SINGLE_THREADED) && defined(ERROR_QUEUE_PER_THREAD) && \ - !defined(NO_ERROR_QUEUE) && defined(OPENSSL_EXTRA) && \ - defined(DEBUG_WOLFSSL) - THREAD_TYPE loggingThreads[LOGGING_THREADS]; + EXPECT_DECLS; +#if defined(OPENSSL_ALL) && !defined(NO_RSA) && !defined(NO_CERTS) && \ + !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) && \ + defined(HAVE_ECC) && !defined(NO_TLS) && defined(HAVE_AESGCM) + test_ssl_cbf server_cb; + test_ssl_cbf client_cb; + + XMEMSET(&client_cb, 0, sizeof(test_ssl_cbf)); + XMEMSET(&server_cb, 0, sizeof(test_ssl_cbf)); + client_cb.method = wolfTLSv1_2_client_method; + server_cb.method = wolfTLSv1_2_server_method; + client_cb.devId = testDevId; + server_cb.devId = testDevId; + client_cb.ctx_ready = test_wolfSSL_get_client_ciphers_ctx_ready; + client_cb.on_result = test_wolfSSL_get_client_ciphers_on_result; + server_cb.on_result = test_wolfSSL_get_client_ciphers_on_result; + + ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cb, + &server_cb, NULL), TEST_SUCCESS); +#endif + return EXPECT_RESULT(); +} + +static int test_wolfSSL_CTX_set_client_CA_list(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_ALL) && !defined(NO_RSA) && !defined(NO_CERTS) && \ + !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) && \ + !defined(NO_BIO) && !defined(NO_TLS) + WOLFSSL_CTX* ctx = NULL; + WOLFSSL* ssl = NULL; + X509_NAME* name = NULL; + STACK_OF(X509_NAME)* names = NULL; + STACK_OF(X509_NAME)* ca_list = NULL; + int names_len = 0; int i; - ERR_clear_error(); /* clear out any error nodes */ + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); + /* Send two X501 names in cert request */ + names = SSL_load_client_CA_file(cliCertFile); + ExpectNotNull(names); + ca_list = SSL_load_client_CA_file(caCertFile); + ExpectNotNull(ca_list); + ExpectNotNull(name = sk_X509_NAME_value(ca_list, 0)); + ExpectIntEQ(sk_X509_NAME_push(names, name), 2); + if (EXPECT_FAIL()) { + wolfSSL_X509_NAME_free(name); + name = NULL; + } + SSL_CTX_set_client_CA_list(ctx, names); + /* This should only free the stack structure */ + sk_X509_NAME_free(ca_list); + ca_list = NULL; + ExpectNotNull(ca_list = SSL_CTX_get_client_CA_list(ctx)); + ExpectIntEQ(sk_X509_NAME_num(ca_list), sk_X509_NAME_num(names)); - loggingThreadsReady = 0; - for (i = 0; i < LOGGING_THREADS; i++) - start_thread(test_logging, NULL, &loggingThreads[i]); - loggingThreadsReady = 1; - for (i = 0; i < LOGGING_THREADS; i++) - join_thread(loggingThreads[i]); + ExpectIntEQ(sk_X509_NAME_find(NULL, name), BAD_FUNC_ARG); + ExpectIntEQ(sk_X509_NAME_find(names, NULL), WOLFSSL_FATAL_ERROR); + ExpectIntGT((names_len = sk_X509_NAME_num(names)), 0); + for (i = 0; i < names_len; i++) { + ExpectNotNull(name = sk_X509_NAME_value(names, i)); + ExpectIntEQ(sk_X509_NAME_find(names, name), i); + } - res = TEST_SUCCESS; + /* Needed to be able to create ssl object */ + ExpectTrue(SSL_CTX_use_certificate_file(ctx, svrCertFile, + SSL_FILETYPE_PEM)); + ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, SSL_FILETYPE_PEM)); + ExpectNotNull(ssl = wolfSSL_new(ctx)); + /* load again as old names are responsibility of ctx to free*/ + names = SSL_load_client_CA_file(cliCertFile); + ExpectNotNull(names); + SSL_set_client_CA_list(ssl, names); + ExpectNotNull(ca_list = SSL_get_client_CA_list(ssl)); + ExpectIntEQ(sk_X509_NAME_num(ca_list), sk_X509_NAME_num(names)); + + ExpectIntGT((names_len = sk_X509_NAME_num(names)), 0); + for (i = 0; i < names_len; i++) { + ExpectNotNull(name = sk_X509_NAME_value(names, i)); + ExpectIntEQ(sk_X509_NAME_find(names, name), i); + } + +#if !defined(SINGLE_THREADED) && defined(SESSION_CERTS) + { + tcp_ready ready; + func_args server_args; + callback_functions server_cb; + THREAD_TYPE serverThread; + WOLFSSL* ssl_client = NULL; + WOLFSSL_CTX* ctx_client = NULL; + SOCKET_T sockfd = 0; + + /* wolfSSL_get_client_CA_list() with handshake */ + + StartTCP(); + InitTcpReady(&ready); + + XMEMSET(&server_args, 0, sizeof(func_args)); + XMEMSET(&server_cb, 0, sizeof(callback_functions)); + + server_args.signal = &ready; + server_args.callbacks = &server_cb; + + /* we are responsible for free'ing WOLFSSL_CTX */ + server_cb.ctx = ctx; + server_cb.isSharedCtx = 1; + + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_load_verify_locations(ctx, + cliCertFile, 0)); + + start_thread(test_server_nofail, &server_args, &serverThread); + wait_tcp_ready(&server_args); + + tcp_connect(&sockfd, wolfSSLIP, server_args.signal->port, 0, 0, NULL); + ExpectNotNull(ctx_client = + wolfSSL_CTX_new(wolfTLSv1_2_client_method())); + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_load_verify_locations( + ctx_client, caCertFile, 0)); + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_use_certificate_file( + ctx_client, cliCertFile, SSL_FILETYPE_PEM)); + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_use_PrivateKey_file( + ctx_client, cliKeyFile, SSL_FILETYPE_PEM)); + + ExpectNotNull(ssl_client = wolfSSL_new(ctx_client)); + ExpectIntEQ(wolfSSL_set_fd(ssl_client, sockfd), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_connect(ssl_client), WOLFSSL_SUCCESS); + + ExpectNotNull(ca_list = SSL_get_client_CA_list(ssl_client)); + /* We are expecting two cert names to be sent */ + ExpectIntEQ(sk_X509_NAME_num(ca_list), 2); + + ExpectNotNull(names = SSL_CTX_get_client_CA_list(ctx)); + for (i=0; icallbacks; + WOLFSSL_CTX* ctx = callbacks->ctx; + WOLFSSL* ssl = NULL; + SOCKET_T sfd = 0; + SOCKET_T cfd = 0; + word16 port; + char input[1024]; + int idx; + int ret, err = 0; + const char* privateName = "ech-private-name.com"; + int privateNameLen = (int)XSTRLEN(privateName); - PEMerr(4,4); - ExpectIntEQ(ERR_get_error(), 4); - /* Empty and free up all error nodes */ - ERR_clear_error(); + ((func_args*)args)->return_code = TEST_FAIL; + port = ((func_args*)args)->signal->port; - /* Verify all nodes are cleared */ - ERR_put_error(0,SYS_F_ACCEPT, 0, "this file", 0); - ERR_clear_error(); - ExpectIntEQ(ERR_get_error_line(&file, &line), 0); -#endif - return EXPECT_RESULT(); -} + AssertIntEQ(WOLFSSL_SUCCESS, + wolfSSL_CTX_load_verify_locations(ctx, cliCertFile, 0)); -/* - * This is a regression test for a bug where the peek/get error functions were - * drawing from the end of the queue rather than the front. - */ -static int test_wolfSSL_ERR_get_error_order(void) -{ - EXPECT_DECLS; -#if defined(WOLFSSL_HAVE_ERROR_QUEUE) && defined(OPENSSL_EXTRA) - /* Empty the queue. */ - wolfSSL_ERR_clear_error(); + AssertIntEQ(WOLFSSL_SUCCESS, + wolfSSL_CTX_use_certificate_file(ctx, svrCertFile, + WOLFSSL_FILETYPE_PEM)); - wolfSSL_ERR_put_error(0, 0, WC_NO_ERR_TRACE(ASN_NO_SIGNER_E), "test", 0); - wolfSSL_ERR_put_error(0, 0, WC_NO_ERR_TRACE(ASN_SELF_SIGNED_E), "test", 0); + AssertIntEQ(WOLFSSL_SUCCESS, + wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, + WOLFSSL_FILETYPE_PEM)); - ExpectIntEQ(wolfSSL_ERR_peek_error(), -WC_NO_ERR_TRACE(ASN_NO_SIGNER_E)); - ExpectIntEQ(wolfSSL_ERR_get_error(), -WC_NO_ERR_TRACE(ASN_NO_SIGNER_E)); - ExpectIntEQ(wolfSSL_ERR_peek_error(), -WC_NO_ERR_TRACE(ASN_SELF_SIGNED_E)); - ExpectIntEQ(wolfSSL_ERR_get_error(), -WC_NO_ERR_TRACE(ASN_SELF_SIGNED_E)); -#endif /* WOLFSSL_HAVE_ERROR_QUEUE && OPENSSL_EXTRA */ - return EXPECT_RESULT(); -} + if (callbacks->ctx_ready) + callbacks->ctx_ready(ctx); -#ifndef NO_BIO + ssl = wolfSSL_new(ctx); -static int test_wolfSSL_ERR_print_errors(void) -{ - EXPECT_DECLS; -#if !defined(NO_ERROR_QUEUE) && defined(OPENSSL_EXTRA) && \ - defined(DEBUG_WOLFSSL) && !defined(NO_ERROR_STRINGS) - BIO* bio = NULL; - char buf[1024]; + /* set the sni for the server */ + wolfSSL_UseSNI(ssl, WOLFSSL_SNI_HOST_NAME, privateName, privateNameLen); - ExpectNotNull(bio = BIO_new(BIO_s_mem())); - ERR_clear_error(); /* clear out any error nodes */ - ERR_put_error(0,SYS_F_ACCEPT, -173, "ssl.c", 0); - /* Choosing -600 as an unused errno. */ - ERR_put_error(0,SYS_F_BIND, -600, "asn.c", 100); + tcp_accept(&sfd, &cfd, (func_args*)args, port, 0, 0, 0, 0, 1, NULL, NULL); + CloseSocket(sfd); + AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_set_fd(ssl, cfd)); - ERR_print_errors(bio); - ExpectIntEQ(BIO_gets(bio, buf, sizeof(buf)), 56); - ExpectIntEQ(XSTRNCMP( - "error:173:wolfSSL library:Bad function argument:ssl.c:0", - buf, 55), 0); - ExpectIntEQ(BIO_gets(bio, buf, sizeof(buf)), 57); - ExpectIntEQ(XSTRNCMP( - "error:600:wolfSSL library:unknown error number:asn.c:100", - buf, 56), 0); - ExpectIntEQ(BIO_gets(bio, buf, sizeof(buf)), 1); - ExpectIntEQ(buf[0], '\0'); - ExpectIntEQ(ERR_get_error_line(NULL, NULL), 0); + if (callbacks->ssl_ready) + callbacks->ssl_ready(ssl); - BIO_free(bio); -#endif - return EXPECT_RESULT(); -} + do { + err = 0; /* Reset error */ + ret = wolfSSL_accept(ssl); + if (ret != WOLFSSL_SUCCESS) { + err = wolfSSL_get_error(ssl, 0); + } + } while (ret != WOLFSSL_SUCCESS && err == WC_NO_ERR_TRACE(WC_PENDING_E)); -#if !defined(NO_ERROR_QUEUE) && defined(OPENSSL_EXTRA) && \ - defined(DEBUG_WOLFSSL) -static int test_wolfSSL_error_cb(const char *str, size_t len, void *u) -{ - if (u != NULL) { - wolfSSL_BIO_write((BIO*)u, str, (int)len); + if (ret != WOLFSSL_SUCCESS) { + char buff[WOLFSSL_MAX_ERROR_SZ]; + fprintf(stderr, "error = %d, %s\n", err, wolfSSL_ERR_error_string(err, buff)); } - return 0; -} -#endif + else { + if (0 < (idx = wolfSSL_read(ssl, input, sizeof(input)-1))) { + input[idx] = 0; + fprintf(stderr, "Client message: %s\n", input); + } -static int test_wolfSSL_ERR_print_errors_cb(void) -{ - EXPECT_DECLS; -#if !defined(NO_ERROR_QUEUE) && defined(OPENSSL_EXTRA) && \ - defined(DEBUG_WOLFSSL) - BIO* bio = NULL; - char buf[1024]; + AssertIntEQ(privateNameLen, wolfSSL_write(ssl, privateName, + privateNameLen)); + ((func_args*)args)->return_code = TEST_SUCCESS; + } - ExpectNotNull(bio = BIO_new(BIO_s_mem())); - ERR_clear_error(); /* clear out any error nodes */ - ERR_put_error(0,SYS_F_ACCEPT, -173, "ssl.c", 0); - ERR_put_error(0,SYS_F_BIND, -275, "asn.c", 100); + if (callbacks->on_result) + callbacks->on_result(ssl); - ERR_print_errors_cb(test_wolfSSL_error_cb, bio); - ExpectIntEQ(BIO_gets(bio, buf, sizeof(buf)), 108); - ExpectIntEQ(XSTRNCMP( - "wolfSSL error occurred, error = 173 line:0 file:ssl.c", - buf, 53), 0); - ExpectIntEQ(XSTRNCMP( - "wolfSSL error occurred, error = 275 line:100 file:asn.c", - buf + 53, 55), 0); - ExpectIntEQ(BIO_gets(bio, buf, sizeof(buf)), 0); + wolfSSL_shutdown(ssl); + wolfSSL_free(ssl); + wolfSSL_CTX_free(ctx); + CloseSocket(cfd); - BIO_free(bio); +#ifdef FP_ECC + wc_ecc_fp_free(); #endif - return EXPECT_RESULT(); + WOLFSSL_RETURN_FROM_THREAD(0); } -/* - * Testing WOLFSSL_ERROR_MSG - */ -static int test_WOLFSSL_ERROR_MSG(void) -{ - int res = TEST_SKIPPED; -#if defined(DEBUG_WOLFSSL) || defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) ||\ - defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA) - const char* msg = TEST_STRING; - - WOLFSSL_ERROR_MSG(msg); +#endif /* HAVE_ECH && WOLFSSL_TLS13 */ - res = TEST_SUCCESS; -#endif - return res; -} /* End test_WOLFSSL_ERROR_MSG */ -/* - * Testing wc_ERR_remove_state - */ -static int test_wc_ERR_remove_state(void) +#if defined(OPENSSL_EXTRA) && defined(HAVE_SECRET_CALLBACK) +static void keyLog_callback(const WOLFSSL* ssl, const char* line) { - int res = TEST_SKIPPED; -#if defined(OPENSSL_EXTRA) || defined(DEBUG_WOLFSSL_VERBOSE) - wc_ERR_remove_state(); + XFILE fp; + const byte lf = '\n'; - res = TEST_SUCCESS; -#endif - return res; -} /* End test_wc_ERR_remove_state */ -/* - * Testing wc_ERR_print_errors_fp - */ -static int test_wc_ERR_print_errors_fp(void) + AssertNotNull(ssl); + AssertNotNull(line); + + fp = XFOPEN("./MyKeyLog.txt", "a"); + XFWRITE(line, 1, XSTRLEN(line), fp); + XFWRITE((void*)&lf, 1, 1, fp); + XFFLUSH(fp); + XFCLOSE(fp); +} +#endif /* OPENSSL_EXTRA && HAVE_SECRET_CALLBACK */ +static int test_wolfSSL_CTX_set_keylog_callback(void) { EXPECT_DECLS; -#if (defined(OPENSSL_EXTRA) || defined(DEBUG_WOLFSSL_VERBOSE)) && \ - (!defined(NO_FILESYSTEM) && !defined(NO_STDIO_FILESYSTEM)) - long sz; - XFILE fp = XBADFILE; +#if defined(OPENSSL_EXTRA) && defined(HAVE_SECRET_CALLBACK) && \ + !defined(NO_WOLFSSL_CLIENT) + SSL_CTX* ctx = NULL; - WOLFSSL_ERROR(WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectTrue((fp = XFOPEN("./tests/test-log-dump-to-file.txt", "a+")) != - XBADFILE); - wc_ERR_print_errors_fp(fp); -#if defined(DEBUG_WOLFSSL) - ExpectTrue(XFSEEK(fp, 0, XSEEK_END) == 0); - #ifdef NO_ERROR_QUEUE - ExpectIntEQ(sz = XFTELL(fp), 0); - #else - ExpectIntNE(sz = XFTELL(fp), 0); - #endif -#endif - if (fp != XBADFILE) - XFCLOSE(fp); - (void)sz; -#endif + ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); + SSL_CTX_set_keylog_callback(ctx, keyLog_callback ); + SSL_CTX_free(ctx); + SSL_CTX_set_keylog_callback(NULL, NULL); +#endif /* OPENSSL_EXTRA && HAVE_SECRET_CALLBACK && !NO_WOLFSSL_CLIENT */ return EXPECT_RESULT(); -} /* End test_wc_ERR_print_errors_fp */ -#ifdef DEBUG_WOLFSSL -static void Logging_cb(const int logLevel, const char *const logMessage) -{ - (void)logLevel; - (void)logMessage; } -#endif -/* - * Testing wolfSSL_GetLoggingCb - */ -static int test_wolfSSL_GetLoggingCb(void) +static int test_wolfSSL_CTX_get_keylog_callback(void) { EXPECT_DECLS; -#ifdef DEBUG_WOLFSSL - /* Testing without wolfSSL_SetLoggingCb() */ - ExpectNull(wolfSSL_GetLoggingCb()); - /* Testing with wolfSSL_SetLoggingCb() */ - ExpectIntEQ(wolfSSL_SetLoggingCb(Logging_cb), 0); - ExpectNotNull(wolfSSL_GetLoggingCb()); - ExpectIntEQ(wolfSSL_SetLoggingCb(NULL), 0); -#endif - ExpectNull(wolfSSL_GetLoggingCb()); +#if defined(OPENSSL_EXTRA) && defined(HAVE_SECRET_CALLBACK) && \ + !defined(NO_WOLFSSL_CLIENT) + SSL_CTX* ctx = NULL; + ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); + ExpectPtrEq(SSL_CTX_get_keylog_callback(ctx),NULL); + SSL_CTX_set_keylog_callback(ctx, keyLog_callback ); + ExpectPtrEq(SSL_CTX_get_keylog_callback(ctx),keyLog_callback); + SSL_CTX_set_keylog_callback(ctx, NULL ); + ExpectPtrEq(SSL_CTX_get_keylog_callback(ctx),NULL); + SSL_CTX_free(ctx); +#endif /* OPENSSL_EXTRA && HAVE_SECRET_CALLBACK && !NO_WOLFSSL_CLIENT */ return EXPECT_RESULT(); -} /* End test_wolfSSL_GetLoggingCb */ +} -#endif /* !NO_BIO */ +#if defined(OPENSSL_EXTRA) && defined(HAVE_SECRET_CALLBACK) +static int test_wolfSSL_Tls12_Key_Logging_client_ctx_ready(WOLFSSL_CTX* ctx) +{ + /* set keylog callback */ + wolfSSL_CTX_set_keylog_callback(ctx, keyLog_callback); + return TEST_SUCCESS; +} +#endif -static int test_wolfSSL_OBJ(void) +static int test_wolfSSL_Tls12_Key_Logging_test(void) { -/* Password "wolfSSL test" is only 12 (96-bit) too short for testing in FIPS - * mode - */ EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_SHA256) && !defined(NO_ASN) && \ - !defined(HAVE_FIPS) && !defined(NO_SHA) && defined(WOLFSSL_CERT_EXT) && \ - defined(WOLFSSL_CERT_GEN) && !defined(NO_BIO) && \ - !defined(NO_FILESYSTEM) && !defined(NO_STDIO_FILESYSTEM) - ASN1_OBJECT *obj = NULL; - ASN1_OBJECT *obj2 = NULL; - char buf[50]; - +#if defined(OPENSSL_EXTRA) && defined(HAVE_SECRET_CALLBACK) + /* This test is intended for checking whether keylog callback is called + * in client during TLS handshake between the client and a server. + */ + test_ssl_cbf server_cbf; + test_ssl_cbf client_cbf; XFILE fp = XBADFILE; - X509 *x509 = NULL; - X509_NAME *x509Name = NULL; - X509_NAME_ENTRY *x509NameEntry = NULL; - ASN1_OBJECT *asn1Name = NULL; - int numNames = 0; - BIO *bio = NULL; - int nid; - int i, j; - const char *f[] = { - #ifndef NO_RSA - "./certs/ca-cert.der", - #endif - #ifdef HAVE_ECC - "./certs/ca-ecc-cert.der", - "./certs/ca-ecc384-cert.der", - #endif - NULL}; - ASN1_OBJECT *field_name_obj = NULL; - int lastpos = -1; - int tmp = -1; - ASN1_STRING *asn1 = NULL; - unsigned char *buf_dyn = NULL; - - ExpectIntEQ(OBJ_obj2txt(buf, (int)sizeof(buf), obj, 1), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectNotNull(obj = OBJ_nid2obj(NID_any_policy)); - ExpectIntEQ(OBJ_obj2nid(obj), NID_any_policy); - ExpectIntEQ(OBJ_obj2txt(buf, (int)sizeof(buf), obj, 1), 11); - ExpectIntGT(OBJ_obj2txt(buf, (int)sizeof(buf), obj, 0), 0); - ASN1_OBJECT_free(obj); - obj = NULL; - - ExpectNotNull(obj = OBJ_nid2obj(NID_sha256)); - ExpectIntEQ(OBJ_obj2nid(obj), NID_sha256); - ExpectIntEQ(OBJ_obj2txt(buf, (int)sizeof(buf), obj, 1), 22); -#ifdef WOLFSSL_CERT_EXT - ExpectIntEQ(OBJ_txt2nid(buf), NID_sha256); -#endif - ExpectIntGT(OBJ_obj2txt(buf, (int)sizeof(buf), obj, 0), 0); - ExpectNotNull(obj2 = OBJ_dup(obj)); - ExpectIntEQ(OBJ_cmp(obj, obj2), 0); - ASN1_OBJECT_free(obj); - obj = NULL; - ASN1_OBJECT_free(obj2); - obj2 = NULL; + char buff[500]; + int found = 0; - for (i = 0; f[i] != NULL; i++) - { - ExpectTrue((fp = XFOPEN(f[i], "rb")) != XBADFILE); - ExpectNotNull(x509 = d2i_X509_fp(fp, NULL)); - if (fp != XBADFILE) { - XFCLOSE(fp); - fp = XBADFILE; - } - ExpectNotNull(x509Name = X509_get_issuer_name(x509)); - ExpectIntNE((numNames = X509_NAME_entry_count(x509Name)), 0); - - /* Get the Common Name by using OBJ_txt2obj */ - ExpectNotNull(field_name_obj = OBJ_txt2obj("CN", 0)); - ExpectIntEQ(X509_NAME_get_index_by_OBJ(NULL, NULL, 99), - WOLFSSL_FATAL_ERROR); - ExpectIntEQ(X509_NAME_get_index_by_OBJ(x509Name, NULL, 99), - WOLFSSL_FATAL_ERROR); - ExpectIntEQ(X509_NAME_get_index_by_OBJ(NULL, field_name_obj, 99), - WOLFSSL_FATAL_ERROR); - ExpectIntEQ(X509_NAME_get_index_by_OBJ(x509Name, field_name_obj, 99), - WOLFSSL_FATAL_ERROR); - ExpectIntEQ(X509_NAME_get_index_by_OBJ(x509Name, NULL, 0), - WOLFSSL_FATAL_ERROR); - do - { - lastpos = tmp; - tmp = X509_NAME_get_index_by_OBJ(x509Name, field_name_obj, lastpos); - } while (tmp > -1); - ExpectIntNE(lastpos, -1); - ASN1_OBJECT_free(field_name_obj); - field_name_obj = NULL; - ExpectNotNull(x509NameEntry = X509_NAME_get_entry(x509Name, lastpos)); - ExpectNotNull(asn1 = X509_NAME_ENTRY_get_data(x509NameEntry)); - ExpectIntGE(ASN1_STRING_to_UTF8(&buf_dyn, asn1), 0); - /* - * All Common Names should be www.wolfssl.com - * This makes testing easier as we can test for the expected value. - */ - ExpectStrEQ((char*)buf_dyn, "www.wolfssl.com"); - OPENSSL_free(buf_dyn); - buf_dyn = NULL; - bio = BIO_new(BIO_s_mem()); - ExpectTrue(bio != NULL); - for (j = 0; j < numNames; j++) - { - ExpectNotNull(x509NameEntry = X509_NAME_get_entry(x509Name, j)); - ExpectNotNull(asn1Name = X509_NAME_ENTRY_get_object(x509NameEntry)); - ExpectTrue((nid = OBJ_obj2nid(asn1Name)) > 0); - } - BIO_free(bio); - bio = NULL; - X509_free(x509); - x509 = NULL; + XMEMSET(&server_cbf, 0, sizeof(test_ssl_cbf)); + XMEMSET(&client_cbf, 0, sizeof(test_ssl_cbf)); + server_cbf.method = wolfTLSv1_2_server_method; + client_cbf.ctx_ready = &test_wolfSSL_Tls12_Key_Logging_client_ctx_ready; + /* clean up keylog file */ + ExpectTrue((fp = XFOPEN("./MyKeyLog.txt", "w")) != XBADFILE); + if (fp != XBADFILE) { + XFFLUSH(fp); + XFCLOSE(fp); + fp = XBADFILE; } -#ifdef HAVE_PKCS12 - { - PKCS12 *p12 = NULL; - int boolRet; - EVP_PKEY *pkey = NULL; - const char *p12_f[] = { - /* bundle uses AES-CBC 256 and PKCS7 key uses DES3 */ - #if !defined(NO_DES3) && defined(WOLFSSL_AES_256) && !defined(NO_RSA) - "./certs/test-servercert.p12", - #endif - NULL - }; + ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cbf, + &server_cbf, NULL), TEST_SUCCESS); - for (i = 0; p12_f[i] != NULL; i++) - { - ExpectTrue((fp = XFOPEN(p12_f[i], "rb")) != XBADFILE); - ExpectNotNull(p12 = d2i_PKCS12_fp(fp, NULL)); - if (fp != XBADFILE) { - XFCLOSE(fp); - fp = XBADFILE; - } - ExpectTrue((boolRet = PKCS12_parse(p12, "wolfSSL test", - &pkey, &x509, NULL)) > 0); - wc_PKCS12_free(p12); - p12 = NULL; - EVP_PKEY_free(pkey); - x509Name = X509_get_issuer_name(x509); - ExpectNotNull(x509Name); - ExpectIntNE((numNames = X509_NAME_entry_count(x509Name)), 0); - ExpectTrue((bio = BIO_new(BIO_s_mem())) != NULL); - for (j = 0; j < numNames; j++) - { - ExpectNotNull(x509NameEntry = X509_NAME_get_entry(x509Name, j)); - ExpectNotNull(asn1Name = - X509_NAME_ENTRY_get_object(x509NameEntry)); - ExpectTrue((nid = OBJ_obj2nid(asn1Name)) > 0); - } - BIO_free(bio); - bio = NULL; - X509_free(x509); - x509 = NULL; + /* check if the keylog file exists */ + ExpectTrue((fp = XFOPEN("./MyKeyLog.txt", "rb")) != XBADFILE); + XFFLUSH(fp); /* Just to make sure any buffers get flushed */ + + XMEMSET(buff, 0, sizeof(buff)); + while (EXPECT_SUCCESS() && XFGETS(buff, (int)sizeof(buff), fp) != NULL) { + if (0 == strncmp(buff,"CLIENT_RANDOM ", sizeof("CLIENT_RANDOM ")-1)) { + found = 1; + break; } } -#endif /* HAVE_PKCS12 */ -#endif + if (fp != XBADFILE) { + XFCLOSE(fp); + } + /* a log starting with "CLIENT_RANDOM " should exit in the file */ + ExpectIntEQ(found, 1); + /* clean up */ + ExpectIntEQ(rem_file("./MyKeyLog.txt"), 0); +#endif /* OPENSSL_EXTRA && HAVE_SECRET_CALLBACK */ return EXPECT_RESULT(); } -static int test_wolfSSL_OBJ_cmp(void) +#if defined(WOLFSSL_TLS13) && defined(OPENSSL_EXTRA) && \ + defined(HAVE_SECRET_CALLBACK) +static int test_wolfSSL_Tls13_Key_Logging_client_ctx_ready(WOLFSSL_CTX* ctx) { - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_SHA256) - ASN1_OBJECT *obj = NULL; - ASN1_OBJECT *obj2 = NULL; - - ExpectNotNull(obj = OBJ_nid2obj(NID_any_policy)); - ExpectNotNull(obj2 = OBJ_nid2obj(NID_sha256)); - - ExpectIntEQ(OBJ_cmp(NULL, NULL), WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); - ExpectIntEQ(OBJ_cmp(obj, NULL), WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); - ExpectIntEQ(OBJ_cmp(NULL, obj2), WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); - ExpectIntEQ(OBJ_cmp(obj, obj2), WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); - ExpectIntEQ(OBJ_cmp(obj, obj), 0); - ExpectIntEQ(OBJ_cmp(obj2, obj2), 0); - - ASN1_OBJECT_free(obj); - ASN1_OBJECT_free(obj2); -#endif - return EXPECT_RESULT(); + /* set keylog callback */ + wolfSSL_CTX_set_keylog_callback(ctx, keyLog_callback); + return TEST_SUCCESS; } +#endif -static int test_wolfSSL_OBJ_txt2nid(void) +static int test_wolfSSL_Tls13_Key_Logging_test(void) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \ - defined(WOLFSSL_APACHE_HTTPD) - int i; - static const struct { - const char* sn; - const char* ln; - const char* oid; - int nid; - } testVals[] = { -#ifdef WOLFSSL_APACHE_HTTPD - { "tlsfeature", "TLS Feature", "1.3.6.1.5.5.7.1.24", NID_tlsfeature }, - { "id-on-dnsSRV", "SRVName", "1.3.6.1.5.5.7.8.7", - NID_id_on_dnsSRV }, - { "msUPN", "Microsoft User Principal Name", - "1.3.6.1.4.1.311.20.2.3", NID_ms_upn }, -#endif - { NULL, NULL, NULL, NID_undef } - }; +#if defined(WOLFSSL_TLS13) && defined(OPENSSL_EXTRA) && \ + defined(HAVE_SECRET_CALLBACK) +/* This test is intended for checking whether keylog callback is called + * in client during TLS handshake between the client and a server. + */ + test_ssl_cbf server_cbf; + test_ssl_cbf client_cbf; + XFILE fp = XBADFILE; - /* Invalid cases */ - ExpectIntEQ(OBJ_txt2nid(NULL), NID_undef); - ExpectIntEQ(OBJ_txt2nid("Bad name"), NID_undef); + XMEMSET(&server_cbf, 0, sizeof(test_ssl_cbf)); + XMEMSET(&client_cbf, 0, sizeof(test_ssl_cbf)); + server_cbf.method = wolfTLSv1_3_server_method; /* TLS1.3 */ + client_cbf.ctx_ready = &test_wolfSSL_Tls13_Key_Logging_client_ctx_ready; - /* Valid cases */ - for (i = 0; testVals[i].sn != NULL; i++) { - ExpectIntEQ(OBJ_txt2nid(testVals[i].sn), testVals[i].nid); - ExpectIntEQ(OBJ_txt2nid(testVals[i].ln), testVals[i].nid); - ExpectIntEQ(OBJ_txt2nid(testVals[i].oid), testVals[i].nid); + /* clean up keylog file */ + ExpectTrue((fp = XFOPEN("./MyKeyLog.txt", "w")) != XBADFILE); + if (fp != XBADFILE) { + XFCLOSE(fp); + fp = XBADFILE; } -#endif - return EXPECT_RESULT(); -} -static int test_wolfSSL_OBJ_txt2obj(void) -{ - EXPECT_DECLS; -#if defined(WOLFSSL_APACHE_HTTPD) || (defined(OPENSSL_EXTRA) && \ - defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_CERT_GEN)) - int i; - char buf[50]; - ASN1_OBJECT* obj = NULL; - static const struct { - const char* oidStr; - const char* sn; - const char* ln; - } objs_list[] = { - #if defined(WOLFSSL_APACHE_HTTPD) - { "1.3.6.1.5.5.7.1.24", "tlsfeature", "TLS Feature" }, - { "1.3.6.1.5.5.7.8.7", "id-on-dnsSRV", "SRVName" }, - #endif - { "2.5.29.19", "basicConstraints", "X509v3 Basic Constraints"}, - { NULL, NULL, NULL } - }; - static const struct { - const char* numeric; - const char* name; - } objs_named[] = { - /* In dictionary but not in normal list. */ - { "1.3.6.1.5.5.7.3.8", "Time Stamping" }, - /* Made up OID. */ - { "1.3.5.7", "1.3.5.7" }, - { NULL, NULL } - }; + ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cbf, + &server_cbf, NULL), TEST_SUCCESS); - ExpectNull(obj = OBJ_txt2obj("Bad name", 0)); - ASN1_OBJECT_free(obj); - obj = NULL; - ExpectNull(obj = OBJ_txt2obj(NULL, 0)); - ASN1_OBJECT_free(obj); - obj = NULL; + /* check if the keylog file exists */ + { + char buff[300] = {0}; + int found[4] = {0}; + int numfnd = 0; + int i; + + ExpectTrue((fp = XFOPEN("./MyKeyLog.txt", "rb")) != XBADFILE); - for (i = 0; objs_list[i].oidStr != NULL; i++) { - /* Test numerical value of oid (oidStr) */ - ExpectNotNull(obj = OBJ_txt2obj(objs_list[i].oidStr, 1)); - /* Convert object back to text to confirm oid is correct */ - wolfSSL_OBJ_obj2txt(buf, (int)sizeof(buf), obj, 1); - ExpectIntEQ(XSTRNCMP(buf, objs_list[i].oidStr, (int)XSTRLEN(buf)), 0); - ASN1_OBJECT_free(obj); - obj = NULL; - XMEMSET(buf, 0, sizeof(buf)); - - /* Test short name (sn) */ - ExpectNull(obj = OBJ_txt2obj(objs_list[i].sn, 1)); - ExpectNotNull(obj = OBJ_txt2obj(objs_list[i].sn, 0)); - /* Convert object back to text to confirm oid is correct */ - wolfSSL_OBJ_obj2txt(buf, (int)sizeof(buf), obj, 1); - ExpectIntEQ(XSTRNCMP(buf, objs_list[i].oidStr, (int)XSTRLEN(buf)), 0); - ASN1_OBJECT_free(obj); - obj = NULL; - XMEMSET(buf, 0, sizeof(buf)); - - /* Test long name (ln) - should fail when no_name = 1 */ - ExpectNull(obj = OBJ_txt2obj(objs_list[i].ln, 1)); - ExpectNotNull(obj = OBJ_txt2obj(objs_list[i].ln, 0)); - /* Convert object back to text to confirm oid is correct */ - wolfSSL_OBJ_obj2txt(buf, (int)sizeof(buf), obj, 1); - ExpectIntEQ(XSTRNCMP(buf, objs_list[i].oidStr, (int)XSTRLEN(buf)), 0); - ASN1_OBJECT_free(obj); - obj = NULL; - XMEMSET(buf, 0, sizeof(buf)); - } - - for (i = 0; objs_named[i].numeric != NULL; i++) { - ExpectNotNull(obj = OBJ_txt2obj(objs_named[i].numeric, 1)); - wolfSSL_OBJ_obj2txt(buf, (int)sizeof(buf), obj, 0); - ExpectIntEQ(XSTRNCMP(buf, objs_named[i].name, (int)XSTRLEN(buf)), 0); - wolfSSL_OBJ_obj2txt(buf, (int)sizeof(buf), obj, 1); - ExpectIntEQ(XSTRNCMP(buf, objs_named[i].numeric, (int)XSTRLEN(buf)), 0); - ASN1_OBJECT_free(obj); - obj = NULL; + while (EXPECT_SUCCESS() && + XFGETS(buff, (int)sizeof(buff), fp) != NULL) { + if (0 == strncmp(buff, "CLIENT_HANDSHAKE_TRAFFIC_SECRET ", + sizeof("CLIENT_HANDSHAKE_TRAFFIC_SECRET ")-1)) { + found[0] = 1; + continue; + } + else if (0 == strncmp(buff, "SERVER_HANDSHAKE_TRAFFIC_SECRET ", + sizeof("SERVER_HANDSHAKE_TRAFFIC_SECRET ")-1)) { + found[1] = 1; + continue; + } + else if (0 == strncmp(buff, "CLIENT_TRAFFIC_SECRET_0 ", + sizeof("CLIENT_TRAFFIC_SECRET_0 ")-1)) { + found[2] = 1; + continue; + } + else if (0 == strncmp(buff, "SERVER_TRAFFIC_SECRET_0 ", + sizeof("SERVER_TRAFFIC_SECRET_0 ")-1)) { + found[3] = 1; + continue; + } + } + if (fp != XBADFILE) + XFCLOSE(fp); + for (i = 0; i < 4; i++) { + if (found[i] != 0) + numfnd++; + } + ExpectIntEQ(numfnd, 4); } -#endif +#endif /* OPENSSL_EXTRA && HAVE_SECRET_CALLBACK && WOLFSSL_TLS13 */ return EXPECT_RESULT(); } +#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH) && \ + defined(HAVE_IO_TESTS_DEPENDENCIES) +static int test_wolfSSL_Tls13_ECH_params(void) +{ + EXPECT_DECLS; +#if !defined(NO_WOLFSSL_CLIENT) + word32 outputLen = 0; + byte testBuf[72]; + WOLFSSL_CTX *ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method()); + WOLFSSL *ssl = wolfSSL_new(ctx); -/* Note the lack of wolfSSL_ prefix...this is a compatibility layer test. */ -static int test_GENERAL_NAME_set0_othername(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ - defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_REQ) && \ - defined(WOLFSSL_CUSTOM_OID) && defined(WOLFSSL_ALT_NAMES) && \ - defined(WOLFSSL_CERT_EXT) && !defined(NO_FILESYSTEM) && \ - defined(WOLFSSL_FPKI) && !defined(NO_RSA) - /* ./configure --enable-opensslall --enable-certgen --enable-certreq - * --enable-certext --enable-debug 'CPPFLAGS=-DWOLFSSL_CUSTOM_OID - * -DWOLFSSL_ALT_NAMES -DWOLFSSL_FPKI' */ - const char * cert_fname = "./certs/server-cert.der"; - const char * key_fname = "./certs/server-key.der"; - X509* x509 = NULL; - GENERAL_NAME* gn = NULL; - GENERAL_NAMES* gns = NULL; - ASN1_OBJECT* upn_oid = NULL; - ASN1_UTF8STRING *utf8str = NULL; - ASN1_TYPE *value = NULL; - X509_EXTENSION * ext = NULL; - - byte* pt = NULL; - byte der[4096]; - int derSz = 0; - EVP_PKEY* priv = NULL; - XFILE f = XBADFILE; - - ExpectTrue((f = XFOPEN(cert_fname, "rb")) != XBADFILE); - ExpectNotNull(x509 = d2i_X509_fp(f, NULL)); - if (f != XBADFILE) { - XFCLOSE(f); - f = XBADFILE; - } - ExpectNotNull(gn = GENERAL_NAME_new()); - ExpectNotNull(upn_oid = OBJ_txt2obj("1.3.6.1.4.1.311.20.2.3", 1)); - ExpectNotNull(utf8str = ASN1_UTF8STRING_new()); - ExpectIntEQ(ASN1_STRING_set(utf8str, "othername@wolfssl.com", -1), 1); - ExpectNotNull(value = ASN1_TYPE_new()); - ASN1_TYPE_set(value, V_ASN1_UTF8STRING, utf8str); - if ((value == NULL) || (value->value.ptr != (char*)utf8str)) { - wolfSSL_ASN1_STRING_free(utf8str); - } - ExpectIntEQ(GENERAL_NAME_set0_othername(NULL, NULL , NULL ), - WOLFSSL_FAILURE); - ExpectIntEQ(GENERAL_NAME_set0_othername(gn , NULL , NULL ), - WOLFSSL_FAILURE); - ExpectIntEQ(GENERAL_NAME_set0_othername(NULL, upn_oid, NULL ), - WOLFSSL_FAILURE); - ExpectIntEQ(GENERAL_NAME_set0_othername(NULL, NULL , value), - WOLFSSL_FAILURE); - ExpectIntEQ(GENERAL_NAME_set0_othername(gn , upn_oid, NULL ), - WOLFSSL_FAILURE); - ExpectIntEQ(GENERAL_NAME_set0_othername(gn , NULL , value), - WOLFSSL_FAILURE); - ExpectIntEQ(GENERAL_NAME_set0_othername(NULL, upn_oid, value ), - WOLFSSL_FAILURE); - ExpectIntEQ(GENERAL_NAME_set0_othername(gn, upn_oid, value), 1); - if (EXPECT_FAIL()) { - ASN1_TYPE_free(value); - } - ExpectNotNull(gns = sk_GENERAL_NAME_new(NULL)); - ExpectIntEQ(sk_GENERAL_NAME_push(gns, gn), 1); - if (EXPECT_FAIL()) { - GENERAL_NAME_free(gn); - gn = NULL; - } - ExpectNotNull(ext = X509V3_EXT_i2d(NID_subject_alt_name, 0, gns)); - ExpectIntEQ(X509_add_ext(x509, ext, -1), 1); - ExpectTrue((f = XFOPEN(key_fname, "rb")) != XBADFILE); - ExpectIntGT(derSz = (int)XFREAD(der, 1, sizeof(der), f), 0); - if (f != XBADFILE) { - XFCLOSE(f); - f = XBADFILE; - } - pt = der; - ExpectNotNull(priv = d2i_PrivateKey(EVP_PKEY_RSA, NULL, - (const unsigned char**)&pt, derSz)); - ExpectIntGT(X509_sign(x509, priv, EVP_sha256()), 0); - sk_GENERAL_NAME_pop_free(gns, GENERAL_NAME_free); - gns = NULL; - ExpectNotNull(gns = (GENERAL_NAMES*)X509_get_ext_d2i(x509, - NID_subject_alt_name, NULL, NULL)); - - ExpectIntEQ(sk_GENERAL_NAME_num(NULL), 0); - ExpectIntEQ(sk_GENERAL_NAME_num(gns), 3); + ExpectNotNull(ctx); + ExpectNotNull(ssl); - ExpectNull(sk_GENERAL_NAME_value(NULL, 0)); - ExpectNull(sk_GENERAL_NAME_value(gns, 20)); - ExpectNotNull(gn = sk_GENERAL_NAME_value(gns, 2)); - ExpectIntEQ(gn->type, 0); + /* invalid ctx */ + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_GenerateEchConfig(NULL, + "ech-public-name.com", 0, 0, 0)); + /* invalid public name */ + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_GenerateEchConfig(ctx, NULL, 0, + 0, 0)); + /* invalid algorithms */ + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_GenerateEchConfig(ctx, + "ech-public-name.com", 1000, 1000, 1000)); - sk_GENERAL_NAME_pop_free(gns, GENERAL_NAME_free); + /* invalid ctx */ + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_SetEchConfigsBase64(NULL, + (char*)testBuf, sizeof(testBuf))); + /* invalid base64 configs */ + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_SetEchConfigsBase64(ctx, + NULL, sizeof(testBuf))); + /* invalid length */ + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_SetEchConfigsBase64(ctx, + (char*)testBuf, 0)); + + /* invalid ctx */ + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_SetEchConfigs(NULL, + testBuf, sizeof(testBuf))); + /* invalid configs */ + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_SetEchConfigs(ctx, + NULL, sizeof(testBuf))); + /* invalid length */ + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_SetEchConfigs(ctx, + testBuf, 0)); + + /* invalid ctx */ + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_GetEchConfigs(NULL, NULL, + &outputLen)); + /* invalid output len */ + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_GetEchConfigs(ctx, NULL, NULL)); + + /* invalid ssl */ + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_SetEchConfigsBase64(NULL, + (char*)testBuf, sizeof(testBuf))); + /* invalid configs64 */ + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_SetEchConfigsBase64(ssl, NULL, + sizeof(testBuf))); + /* invalid size */ + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_SetEchConfigsBase64(ssl, + (char*)testBuf, 0)); + + /* invalid ssl */ + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_SetEchConfigs(NULL, testBuf, + sizeof(testBuf))); + /* invalid configs */ + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_SetEchConfigs(ssl, NULL, + sizeof(testBuf))); + /* invalid size */ + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_SetEchConfigs(ssl, testBuf, 0)); + + /* invalid ssl */ + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_GetEchConfigs(NULL, NULL, &outputLen)); + /* invalid size */ + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_GetEchConfigs(ssl, NULL, NULL)); + + wolfSSL_free(ssl); + wolfSSL_CTX_free(ctx); +#endif /* !NO_WOLFSSL_CLIENT */ - ASN1_OBJECT_free(upn_oid); - X509_EXTENSION_free(ext); - X509_free(x509); - EVP_PKEY_free(priv); -#endif return EXPECT_RESULT(); } -/* Note the lack of wolfSSL_ prefix...this is a compatibility layer test. */ -static int test_othername_and_SID_ext(void) +static int test_wolfSSL_Tls13_ECH_ex(int hrr) { EXPECT_DECLS; -#if defined(OPENSSL_ALL) && !defined(NO_CERTS) && \ - defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_REQ) && \ - defined(WOLFSSL_CUSTOM_OID) && defined(WOLFSSL_ALT_NAMES) && \ - defined(WOLFSSL_CERT_EXT) && !defined(NO_FILESYSTEM) && \ - defined(WOLFSSL_FPKI) && defined(WOLFSSL_ASN_TEMPLATE) && !defined(NO_RSA) - /* ./configure --enable-opensslall --enable-certgen --enable-certreq - * --enable-certext --enable-debug 'CPPFLAGS=-DWOLFSSL_CUSTOM_OID - * -DWOLFSSL_ALT_NAMES -DWOLFSSL_FPKI' */ - const char* csr_fname = "./certs/csr.signed.der"; - const char* key_fname = "./certs/server-key.der"; + tcp_ready ready; + func_args client_args; + func_args server_args; + THREAD_TYPE serverThread; + callback_functions server_cbf; + callback_functions client_cbf; + SOCKET_T sockfd = 0; + WOLFSSL_CTX* ctx = NULL; + WOLFSSL* ssl = NULL; + const char* publicName = "ech-public-name.com"; + const char* privateName = "ech-private-name.com"; + int privateNameLen = 20; + char reply[1024]; + int replyLen = 0; + byte rawEchConfig[128]; + word32 rawEchConfigLen = sizeof(rawEchConfig); - byte der[4096]; - int derSz = 0; - byte badDer[2] = { 0x30, 0x00 }; - X509_REQ* x509 = NULL; - STACK_OF(X509_EXTENSION) *exts = NULL; + InitTcpReady(&ready); + ready.port = 22222; - X509_EXTENSION * san_ext = NULL; - X509_EXTENSION * ext = NULL; - GENERAL_NAME* gn = NULL; - GENERAL_NAMES* gns = NULL; - ASN1_OBJECT* upn_oid = NULL; - ASN1_UTF8STRING *utf8str = NULL; - ASN1_TYPE *value = NULL; - ASN1_STRING *extval = NULL; + XMEMSET(&client_args, 0, sizeof(func_args)); + XMEMSET(&server_args, 0, sizeof(func_args)); + XMEMSET(&server_cbf, 0, sizeof(callback_functions)); + XMEMSET(&client_cbf, 0, sizeof(callback_functions)); + server_cbf.method = wolfTLSv1_3_server_method; /* TLS1.3 */ - /* SID extension. SID data format explained here: - * https://blog.qdsecurity.se/2022/05/27/manually-injecting-a-sid-in-a-certificate/ - */ - byte SidExtension[] = { - 48, 64, 160, 62, 6, 10, 43, 6, 1, 4, 1, 130, 55, 25, 2, 1, 160, - 48, 4, 46, 83, 45, 49, 45, 53, 45, 50, 49, 45, 50, 56, 52, 51, 57, - 48, 55, 52, 49, 56, 45, 51, 57, 50, 54, 50, 55, 55, 52, 50, 49, 45, - 51, 56, 49, 53, 57, 57, 51, 57, 55, 50, 45, 52, 54, 48, 49}; + /* create the server context here so we can get the ech config */ + ExpectNotNull(server_cbf.ctx = + wolfSSL_CTX_new(wolfTLSv1_3_server_method())); - byte expectedAltName[] = { - 0x30, 0x27, 0xA0, 0x25, 0x06, 0x0A, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, - 0x37, 0x14, 0x02, 0x03, 0xA0, 0x17, 0x0C, 0x15, 0x6F, 0x74, 0x68, 0x65, - 0x72, 0x6E, 0x61, 0x6D, 0x65, 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, - 0x6C, 0x2E, 0x63, 0x6F, 0x6D}; + /* generate ech config */ + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_GenerateEchConfig(server_cbf.ctx, + publicName, 0, 0, 0)); - X509_EXTENSION *sid_ext = NULL; - ASN1_OBJECT* sid_oid = NULL; - ASN1_OCTET_STRING *sid_data = NULL; + /* get the config for the client to use */ + ExpectIntEQ(WOLFSSL_SUCCESS, + wolfSSL_CTX_GetEchConfigs(server_cbf.ctx, rawEchConfig, + &rawEchConfigLen)); - ASN1_OBJECT* alt_names_oid = NULL; + server_args.callbacks = &server_cbf; + server_args.signal = &ready; - EVP_PKEY* priv = NULL; - XFILE f = XBADFILE; - byte* pt = NULL; - BIO* bio = NULL; + /* start server task */ + start_thread(server_task_ech, &server_args, &serverThread); + wait_tcp_ready(&server_args); - ExpectTrue((f = XFOPEN(csr_fname, "rb")) != XBADFILE); - ExpectNotNull(x509 = d2i_X509_REQ_fp(f, NULL)); - if (f != XBADFILE) { - XFCLOSE(f); - f = XBADFILE; - } - ExpectIntEQ(X509_REQ_set_version(x509, 2), 1); - ExpectNotNull(gn = GENERAL_NAME_new()); - ExpectNotNull(upn_oid = OBJ_txt2obj("1.3.6.1.4.1.311.20.2.3", 1)); - ExpectNotNull(utf8str = ASN1_UTF8STRING_new()); - ExpectIntEQ(ASN1_STRING_set(utf8str, "othername@wolfssl.com", -1), 1); - ExpectNotNull(value = ASN1_TYPE_new()); - ASN1_TYPE_set(value, V_ASN1_UTF8STRING, utf8str); - if (EXPECT_FAIL()) { - ASN1_UTF8STRING_free(utf8str); - } - ExpectIntEQ(GENERAL_NAME_set0_othername(gn, upn_oid, value), 1); - if (EXPECT_FAIL()) { - ASN1_TYPE_free(value); - GENERAL_NAME_free(gn); - gn = NULL; - } - ExpectNotNull(gns = sk_GENERAL_NAME_new(NULL)); - ExpectIntEQ(sk_GENERAL_NAME_push(gns, gn), 1); - if (EXPECT_FAIL()) { - GENERAL_NAME_free(gn); - } - ExpectNotNull(san_ext = X509V3_EXT_i2d(NID_subject_alt_name, 0, gns)); - ExpectNotNull(sid_oid = OBJ_txt2obj("1.3.6.1.4.1.311.25.2", 1)); - ExpectNotNull(sid_data = ASN1_OCTET_STRING_new()); - ASN1_OCTET_STRING_set(sid_data, SidExtension, sizeof(SidExtension)); - ExpectNotNull(sid_ext = X509_EXTENSION_create_by_OBJ(NULL, sid_oid, 0, - sid_data)); - ExpectNotNull(exts = sk_X509_EXTENSION_new_null()); - wolfSSL_sk_X509_EXTENSION_free(exts); - exts = NULL; - ExpectNotNull(exts = sk_X509_EXTENSION_new_null()); - /* Ensure an empty stack doesn't raise an error. */ - ExpectIntEQ(X509_REQ_add_extensions(NULL, NULL), 0); - ExpectIntEQ(X509_REQ_add_extensions(x509, NULL), 0); - ExpectIntEQ(X509_REQ_add_extensions(NULL, exts), 0); - ExpectIntEQ(X509_REQ_add_extensions(x509, exts), 1); - ExpectIntEQ(sk_X509_EXTENSION_push(exts, san_ext), 1); - if (EXPECT_FAIL()) { - X509_EXTENSION_free(san_ext); - } - ExpectIntEQ(sk_X509_EXTENSION_push(exts, sid_ext), 2); - if (EXPECT_FAIL()) { - X509_EXTENSION_free(sid_ext); - } - ExpectIntEQ(X509_REQ_add_extensions(x509, exts), 1); - ExpectTrue((f = XFOPEN(key_fname, "rb")) != XBADFILE); - ExpectIntGT(derSz = (int)XFREAD(der, 1, sizeof(der), f), 0); - if (f != XBADFILE) - XFCLOSE(f); - pt = der; - ExpectNotNull(priv = d2i_PrivateKey(EVP_PKEY_RSA, NULL, - (const unsigned char**)&pt, derSz)); - ExpectIntGT(X509_REQ_sign(x509, priv, EVP_sha256()), 0); - pt = der; - ExpectIntGT(derSz = i2d_X509_REQ(x509, &pt), 0); - X509_REQ_free(x509); - x509 = NULL; - ExpectNull(d2i_X509_REQ_INFO(&x509, NULL, derSz)); - pt = badDer; - ExpectNull(d2i_X509_REQ_INFO(&x509, (const unsigned char**)&pt, - sizeof(badDer))); - pt = der; - ExpectNotNull(d2i_X509_REQ_INFO(&x509, (const unsigned char**)&pt, derSz)); - sk_GENERAL_NAME_pop_free(gns, GENERAL_NAME_free); - gns = NULL; - sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free); - exts = NULL; - ASN1_OBJECT_free(upn_oid); - ASN1_OBJECT_free(sid_oid); - sid_oid = NULL; - ASN1_OCTET_STRING_free(sid_data); - X509_REQ_free(x509); - EVP_PKEY_free(priv); + /* run as a TLS1.3 client */ + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method())); + ExpectIntEQ(WOLFSSL_SUCCESS, + wolfSSL_CTX_load_verify_locations(ctx, caCertFile, 0)); + ExpectIntEQ(WOLFSSL_SUCCESS, + wolfSSL_CTX_use_certificate_file(ctx, cliCertFile, SSL_FILETYPE_PEM)); + ExpectIntEQ(WOLFSSL_SUCCESS, + wolfSSL_CTX_use_PrivateKey_file(ctx, cliKeyFile, SSL_FILETYPE_PEM)); - /* At this point everything used to generate what is in der is cleaned up. - * We now read back from der to confirm the extensions were inserted - * correctly. */ - bio = wolfSSL_BIO_new(wolfSSL_BIO_s_mem()); - ExpectNotNull(bio); + tcp_connect(&sockfd, wolfSSLIP, server_args.signal->port, 0, 0, NULL); - ExpectIntEQ(BIO_write(bio, der, derSz), derSz); /* d2i consumes BIO */ - ExpectNotNull(d2i_X509_REQ_bio(bio, &x509)); - ExpectNotNull(x509); - BIO_free(bio); - ExpectNotNull(exts = (STACK_OF(X509_EXTENSION)*)X509_REQ_get_extensions( - x509)); - ExpectIntEQ(sk_X509_EXTENSION_num(NULL), WOLFSSL_FATAL_ERROR); - ExpectIntEQ(sk_X509_EXTENSION_num(exts), 2); + /* get connected the server task */ + ExpectNotNull(ssl = wolfSSL_new(ctx)); - /* Check the SID extension. */ - ExpectNotNull(sid_oid = OBJ_txt2obj("1.3.6.1.4.1.311.25.2", 1)); - ExpectNotNull(ext = sk_X509_EXTENSION_value(exts, - X509_get_ext_by_OBJ(x509, sid_oid, -1))); - ExpectNotNull(extval = X509_EXTENSION_get_data(ext)); - ExpectIntEQ(extval->length, sizeof(SidExtension)); - ExpectIntEQ(XMEMCMP(SidExtension, extval->data, sizeof(SidExtension)), 0); - ASN1_OBJECT_free(sid_oid); + /* set the ech configs for the client */ + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_SetEchConfigs(ssl, rawEchConfig, + rawEchConfigLen)); - /* Check the AltNames extension. */ - ExpectNotNull(alt_names_oid = OBJ_txt2obj("subjectAltName", 0)); - ExpectNotNull(ext = sk_X509_EXTENSION_value(exts, - X509_get_ext_by_OBJ(x509, alt_names_oid, -1))); - ExpectNotNull(extval = X509_EXTENSION_get_data(ext)); - ExpectIntEQ(extval->length, sizeof(expectedAltName)); - ExpectIntEQ(XMEMCMP(expectedAltName, extval->data, sizeof(expectedAltName)), - 0); - ASN1_OBJECT_free(alt_names_oid); + /* set the sni for the client */ + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_UseSNI(ssl, WOLFSSL_SNI_HOST_NAME, + privateName, privateNameLen)); - /* Cleanup */ - ExpectNotNull(gns = (GENERAL_NAMES*)X509_get_ext_d2i(x509, - NID_subject_alt_name, NULL, NULL)); - ExpectIntEQ(sk_GENERAL_NAME_num(gns), 1); - ExpectNotNull(gn = sk_GENERAL_NAME_value(gns, 0)); - ExpectIntEQ(gn->type, 0); + /* force hello retry request */ + if (hrr) + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_NoKeyShares(ssl)); - sk_GENERAL_NAME_pop_free(gns, GENERAL_NAME_free); + /* connect like normal */ + ExpectIntEQ(wolfSSL_set_fd(ssl, sockfd), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_connect(ssl), WOLFSSL_SUCCESS); + ExpectIntEQ(ssl->options.echAccepted, 1); + ExpectIntEQ(wolfSSL_write(ssl, privateName, privateNameLen), + privateNameLen); + ExpectIntGT((replyLen = wolfSSL_read(ssl, reply, sizeof(reply))), 0); + /* add th null terminator for string compare */ + reply[replyLen] = 0; + /* check that the server replied with the private name */ + ExpectStrEQ(privateName, reply); + wolfSSL_free(ssl); + wolfSSL_CTX_free(ctx); - sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free); - X509_REQ_free(x509); -#endif - return EXPECT_RESULT(); -} + CloseSocket(sockfd); -#if defined(OPENSSL_EXTRA) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) + join_thread(serverThread); -/* test that the callback arg is correct */ -static int certCbArg = 0; + FreeTcpReady(&ready); -static int certCb(WOLFSSL* ssl, void* arg) -{ - if (ssl == NULL || arg != &certCbArg) - return 0; - if (wolfSSL_is_server(ssl)) { - if (wolfSSL_use_certificate_file(ssl, svrCertFile, - WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS) - return 0; - if (wolfSSL_use_PrivateKey_file(ssl, svrKeyFile, - WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS) - return 0; - } - else { - if (wolfSSL_use_certificate_file(ssl, cliCertFile, - WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS) - return 0; - if (wolfSSL_use_PrivateKey_file(ssl, cliKeyFile, - WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS) - return 0; - } - return 1; + return EXPECT_RESULT(); } -static int certSetupCb(WOLFSSL_CTX* ctx) +static int test_wolfSSL_Tls13_ECH(void) { - SSL_CTX_set_cert_cb(ctx, certCb, &certCbArg); - return TEST_SUCCESS; + return test_wolfSSL_Tls13_ECH_ex(0); } -/** - * This is only done because test_wolfSSL_client_server_nofail_memio has no way - * to stop certificate and key loading - */ -static int certClearCb(WOLFSSL* ssl) +static int test_wolfSSL_Tls13_ECH_HRR(void) { - /* Clear the loaded certs to force the callbacks to set them up */ - SSL_certs_clear(ssl); - return TEST_SUCCESS; + return test_wolfSSL_Tls13_ECH_ex(1); } +#endif /* HAVE_ECH && WOLFSSL_TLS13 */ -#endif - -static int test_wolfSSL_cert_cb(void) +#if defined(HAVE_IO_TESTS_DEPENDENCIES) && \ +defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ + defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH) +static int post_auth_version_cb(WOLFSSL* ssl) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) - test_ssl_cbf func_cb_client; - test_ssl_cbf func_cb_server; - size_t i; - struct { - method_provider client_meth; - method_provider server_meth; - const char* desc; - } test_params[] = { -#ifdef WOLFSSL_TLS13 - {wolfTLSv1_3_client_method, wolfTLSv1_3_server_method, "TLS 1.3"}, -#endif -#ifndef WOLFSSL_NO_TLS12 - {wolfTLSv1_2_client_method, wolfTLSv1_2_server_method, "TLS 1.2"}, -#endif -#ifndef NO_OLD_TLS - {wolfTLSv1_1_client_method, wolfTLSv1_1_server_method, "TLS 1.1"}, -#ifdef WOLFSSL_ALLOW_TLSV10 - {wolfTLSv1_client_method, wolfTLSv1_server_method, "TLS 1.0"}, -#endif -#endif - }; - - for (i = 0; i < XELEM_CNT(test_params) && !EXPECT_FAIL(); i++) { - XMEMSET(&func_cb_client, 0, sizeof(func_cb_client)); - XMEMSET(&func_cb_server, 0, sizeof(func_cb_server)); - - printf("\tTesting with %s...\n", test_params[i].desc); - - func_cb_client.method = test_params[i].client_meth; - func_cb_server.method = test_params[i].server_meth; - func_cb_client.ctx_ready = certSetupCb; - func_cb_client.ssl_ready = certClearCb; - func_cb_server.ctx_ready = certSetupCb; - func_cb_server.ssl_ready = certClearCb; - - ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&func_cb_client, - &func_cb_server, NULL), TEST_SUCCESS); - } -#endif + /* do handshake and then test version error */ + ExpectIntEQ(wolfSSL_accept(ssl), WOLFSSL_SUCCESS); + ExpectStrEQ("TLSv1.2", wolfSSL_get_version(ssl)); return EXPECT_RESULT(); } -#if defined(OPENSSL_EXTRA) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) - -static const char* test_wolfSSL_cert_cb_dyn_ciphers_client_cipher = NULL; -static const char* test_wolfSSL_cert_cb_dyn_ciphers_client_sigalgs = NULL; -static int test_wolfSSL_cert_cb_dyn_ciphers_client_ctx_ready(WOLFSSL_CTX* ctx) +static int post_auth_version_client_cb(WOLFSSL* ssl) { EXPECT_DECLS; - ExpectIntEQ(wolfSSL_CTX_set_cipher_list(ctx, - test_wolfSSL_cert_cb_dyn_ciphers_client_cipher), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, - test_wolfSSL_cert_cb_dyn_ciphers_client_sigalgs), WOLFSSL_SUCCESS); + /* do handshake and then test version error */ + ExpectIntEQ(wolfSSL_connect(ssl), WOLFSSL_SUCCESS); + ExpectStrEQ("TLSv1.2", wolfSSL_get_version(ssl)); + ExpectIntEQ(wolfSSL_verify_client_post_handshake(ssl), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); +#if defined(OPENSSL_ALL) && !defined(NO_ERROR_QUEUE) + /* check was added to error queue */ + ExpectIntEQ(wolfSSL_ERR_get_error(), -WC_NO_ERR_TRACE(UNSUPPORTED_PROTO_VERSION)); + + /* check the string matches expected string */ + #ifndef NO_ERROR_STRINGS + ExpectStrEQ(wolfSSL_ERR_error_string(-WC_NO_ERR_TRACE(UNSUPPORTED_PROTO_VERSION), NULL), + "WRONG_SSL_VERSION"); + #endif +#endif return EXPECT_RESULT(); } -static int test_wolfSSL_cert_cb_dyn_ciphers_certCB(WOLFSSL* ssl, void* arg) +static int post_auth_cb(WOLFSSL* ssl) { - const byte* suites = NULL; - word16 suiteSz = 0; - const byte* hashSigAlgo = NULL; - word16 hashSigAlgoSz = 0; - word16 idx = 0; - int haveRSA = 0; - int haveECC = 0; - - (void)arg; - - if (wolfSSL_get_client_suites_sigalgs(ssl, &suites, &suiteSz, &hashSigAlgo, - &hashSigAlgoSz) != WOLFSSL_SUCCESS) - return 0; - if (suites == NULL || suiteSz == 0 || hashSigAlgo == NULL || - hashSigAlgoSz == 0) - return 0; - - for (idx = 0; idx < suiteSz; idx += 2) { - WOLFSSL_CIPHERSUITE_INFO info = - wolfSSL_get_ciphersuite_info(suites[idx], suites[idx+1]); - - if (info.rsaAuth) - haveRSA = 1; - else if (info.eccAuth) - haveECC = 1; - } - - if (hashSigAlgoSz > 0) { - /* sigalgs extension takes precedence over ciphersuites */ - haveRSA = 0; - haveECC = 0; - } - for (idx = 0; idx < hashSigAlgoSz; idx += 2) { - int hashAlgo = 0; - int sigAlgo = 0; - - if (wolfSSL_get_sigalg_info(hashSigAlgo[idx+0], hashSigAlgo[idx+1], - &hashAlgo, &sigAlgo) != 0) - return 0; - - if (sigAlgo == RSAk || sigAlgo == RSAPSSk) - haveRSA = 1; - else if (sigAlgo == ECDSAk) - haveECC = 1; - } - - if (haveRSA) { - if (wolfSSL_use_certificate_file(ssl, svrCertFile, WOLFSSL_FILETYPE_PEM) - != WOLFSSL_SUCCESS) - return 0; - if (wolfSSL_use_PrivateKey_file(ssl, svrKeyFile, WOLFSSL_FILETYPE_PEM) - != WOLFSSL_SUCCESS) - return 0; - } - else if (haveECC) { - if (wolfSSL_use_certificate_file(ssl, eccCertFile, WOLFSSL_FILETYPE_PEM) - != WOLFSSL_SUCCESS) - return 0; - if (wolfSSL_use_PrivateKey_file(ssl, eccKeyFile, WOLFSSL_FILETYPE_PEM) - != WOLFSSL_SUCCESS) - return 0; - } - - return 1; + EXPECT_DECLS; + WOLFSSL_X509* x509 = NULL; + /* do handshake and then test version error */ + ExpectIntEQ(wolfSSL_accept(ssl), WOLFSSL_SUCCESS); + ExpectStrEQ("TLSv1.3", wolfSSL_get_version(ssl)); + ExpectNull(x509 = wolfSSL_get_peer_certificate(ssl)); + wolfSSL_X509_free(x509); + ExpectIntEQ(wolfSSL_verify_client_post_handshake(ssl), WOLFSSL_SUCCESS); + return EXPECT_RESULT(); } -static int test_wolfSSL_cert_cb_dyn_ciphers_server_ctx_ready(WOLFSSL_CTX* ctx) +static int set_post_auth_cb(WOLFSSL* ssl) { - SSL_CTX_set_cert_cb(ctx, test_wolfSSL_cert_cb_dyn_ciphers_certCB, NULL); - wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_NONE, NULL); + if (!wolfSSL_is_server(ssl)) { + EXPECT_DECLS; + ExpectIntEQ(wolfSSL_allow_post_handshake_auth(ssl), 0); + return EXPECT_RESULT(); + } + wolfSSL_set_verify(ssl, WOLFSSL_VERIFY_POST_HANDSHAKE, NULL); return TEST_SUCCESS; } - #endif -/* Testing dynamic ciphers offered by client */ -static int test_wolfSSL_cert_cb_dyn_ciphers(void) +static int test_wolfSSL_Tls13_postauth(void) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) - test_ssl_cbf func_cb_client; - test_ssl_cbf func_cb_server; - struct { - method_provider client_meth; - const char* client_ciphers; - const char* client_sigalgs; - const char* client_ca; - method_provider server_meth; - } test_params[] = { -#if !defined(NO_SHA256) && defined(HAVE_AESGCM) -#ifdef WOLFSSL_TLS13 -#if !defined(NO_RSA) && defined(WC_RSA_PSS) - {wolfTLSv1_3_client_method, - "TLS13-AES256-GCM-SHA384:TLS13-AES128-GCM-SHA256", - "RSA-PSS+SHA256", caCertFile, wolfTLSv1_3_server_method}, -#endif -#ifdef HAVE_ECC - {wolfTLSv1_3_client_method, - "TLS13-AES256-GCM-SHA384:TLS13-AES128-GCM-SHA256", - "ECDSA+SHA256", caEccCertFile, wolfTLSv1_3_server_method}, -#endif -#endif -#if !defined(WOLFSSL_NO_TLS12) && !defined(WOLFSSL_HARDEN_TLS) -#if !defined(NO_RSA) && defined(WC_RSA_PSS) && !defined(NO_DH) - {wolfTLSv1_2_client_method, - "DHE-RSA-AES128-GCM-SHA256", - "RSA-PSS+SHA256", caCertFile, wolfTLSv1_2_server_method}, -#endif -#ifdef HAVE_ECC - {wolfTLSv1_2_client_method, - "ECDHE-ECDSA-AES128-GCM-SHA256", - "ECDSA+SHA256", caEccCertFile, wolfTLSv1_2_server_method}, -#endif -#endif +#if defined(HAVE_IO_TESTS_DEPENDENCIES) && \ + defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ + defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH) + test_ssl_cbf server_cbf; + test_ssl_cbf client_cbf; + + /* test version failure doing post auth with TLS 1.2 connection */ + XMEMSET(&server_cbf, 0, sizeof(server_cbf)); + XMEMSET(&client_cbf, 0, sizeof(client_cbf)); + server_cbf.method = wolfTLSv1_2_server_method; + server_cbf.ssl_ready = set_post_auth_cb; + server_cbf.on_result = post_auth_version_cb; + client_cbf.ssl_ready = set_post_auth_cb; + client_cbf.on_result = post_auth_version_client_cb; + + ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cbf, + &server_cbf, NULL), TEST_SUCCESS); + + /* tests on post auth with TLS 1.3 */ + XMEMSET(&server_cbf, 0, sizeof(server_cbf)); + XMEMSET(&client_cbf, 0, sizeof(client_cbf)); + server_cbf.method = wolfTLSv1_3_server_method; + server_cbf.ssl_ready = set_post_auth_cb; + client_cbf.ssl_ready = set_post_auth_cb; + server_cbf.on_result = post_auth_cb; + client_cbf.on_result = NULL; + + ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cbf, + &server_cbf, NULL), TEST_SUCCESS); #endif - }; - size_t i; - size_t testCount = sizeof(test_params)/sizeof(*test_params); + return EXPECT_RESULT(); +} - if (testCount > 0) { - for (i = 0; i < testCount; i++) { - printf("\tTesting %s ciphers with %s sigalgs\n", - test_params[i].client_ciphers, - test_params[i].client_sigalgs); - XMEMSET(&func_cb_client, 0, sizeof(func_cb_client)); - XMEMSET(&func_cb_server, 0, sizeof(func_cb_server)); +static int test_wolfSSL_CTX_set_srp_username(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && defined(WOLFCRYPT_HAVE_SRP) && \ + !defined(NO_SHA256) && !defined(WC_NO_RNG) && !defined(NO_TLS) && \ + !defined(NO_WOLFSSL_CLIENT) + WOLFSSL_CTX* ctx = NULL; + WOLFSSL* ssl = NULL; + const char *username = "TESTUSER"; + const char *password = "TESTPASSWORD"; - test_wolfSSL_cert_cb_dyn_ciphers_client_cipher = - test_params[i].client_ciphers; - test_wolfSSL_cert_cb_dyn_ciphers_client_sigalgs = - test_params[i].client_sigalgs; - func_cb_client.method = test_params[i].client_meth; - func_cb_client.caPemFile = test_params[i].client_ca; - func_cb_client.ctx_ready = - test_wolfSSL_cert_cb_dyn_ciphers_client_ctx_ready; + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); + ExpectIntEQ(wolfSSL_CTX_set_srp_username(ctx, (char *)username), + SSL_SUCCESS); + wolfSSL_CTX_free(ctx); + ctx = NULL; - func_cb_server.ctx_ready = - test_wolfSSL_cert_cb_dyn_ciphers_server_ctx_ready; - func_cb_server.ssl_ready = certClearCb; /* Reuse from prev test */ - func_cb_server.method = test_params[i].server_meth; + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); + ExpectIntEQ(wolfSSL_CTX_set_srp_password(ctx, (char *)password), + SSL_SUCCESS); + ExpectIntEQ(wolfSSL_CTX_set_srp_username(ctx, (char *)username), + SSL_SUCCESS); - ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&func_cb_client, - &func_cb_server, NULL), TEST_SUCCESS); - } - } -#endif + ExpectNotNull(ssl = SSL_new(ctx)); + ExpectNotNull(SSL_get_srp_username(ssl)); + ExpectStrEQ(SSL_get_srp_username(ssl), username); + + wolfSSL_free(ssl); + wolfSSL_CTX_free(ctx); +#endif /* OPENSSL_EXTRA && WOLFCRYPT_HAVE_SRP */ + /* && !NO_SHA256 && !WC_NO_RNG && !NO_WOLFSSL_CLIENT */ return EXPECT_RESULT(); } -static int test_wolfSSL_ciphersuite_auth(void) +static int test_wolfSSL_CTX_set_srp_password(void) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) - WOLFSSL_CIPHERSUITE_INFO info; +#if defined(OPENSSL_EXTRA) && defined(WOLFCRYPT_HAVE_SRP) && \ + !defined(NO_SHA256) && !defined(WC_NO_RNG) && !defined(NO_TLS) && \ + !defined(NO_WOLFSSL_CLIENT) + WOLFSSL_CTX* ctx = NULL; + const char *username = "TESTUSER"; + const char *password = "TESTPASSWORD"; - (void)info; + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); + ExpectIntEQ(wolfSSL_CTX_set_srp_password(ctx, (char *)password), + SSL_SUCCESS); + wolfSSL_CTX_free(ctx); + ctx = NULL; -#ifndef WOLFSSL_NO_TLS12 -#ifdef HAVE_CHACHA - info = wolfSSL_get_ciphersuite_info(CHACHA_BYTE, - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256); - ExpectIntEQ(info.rsaAuth, 1); - ExpectIntEQ(info.eccAuth, 0); - ExpectIntEQ(info.eccStatic, 0); - ExpectIntEQ(info.psk, 0); + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); + ExpectIntEQ(wolfSSL_CTX_set_srp_username(ctx, (char *)username), + SSL_SUCCESS); + ExpectIntEQ(wolfSSL_CTX_set_srp_password(ctx, (char *)password), + SSL_SUCCESS); + wolfSSL_CTX_free(ctx); +#endif /* OPENSSL_EXTRA && WOLFCRYPT_HAVE_SRP */ + /* && !NO_SHA256 && !WC_NO_RNG && !NO_WOLFSSL_CLIENT */ + return EXPECT_RESULT(); +} - info = wolfSSL_get_ciphersuite_info(CHACHA_BYTE, - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256); - ExpectIntEQ(info.rsaAuth, 0); - ExpectIntEQ(info.eccAuth, 1); - ExpectIntEQ(info.eccStatic, 0); - ExpectIntEQ(info.psk, 0); +#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_TLS) && \ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) +#define TEST_ARG 0x1234 +static void msg_cb(int write_p, int version, int content_type, + const void *buf, size_t len, SSL *ssl, void *arg) +{ + (void)write_p; + (void)version; + (void)content_type; + (void)buf; + (void)len; + (void)ssl; - info = wolfSSL_get_ciphersuite_info(CHACHA_BYTE, - TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256); - ExpectIntEQ(info.rsaAuth, 0); - ExpectIntEQ(info.eccAuth, 0); - ExpectIntEQ(info.eccStatic, 0); - ExpectIntEQ(info.psk, 1); + AssertTrue(arg == (void*)TEST_ARG); +} #endif -#if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || defined(HAVE_CURVE448) -#ifndef NO_RSA - info = wolfSSL_get_ciphersuite_info(ECC_BYTE, - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA); - ExpectIntEQ(info.rsaAuth, 1); - ExpectIntEQ(info.eccAuth, 0); - ExpectIntEQ(info.eccStatic, 0); - ExpectIntEQ(info.psk, 0); - - info = wolfSSL_get_ciphersuite_info(ECC_BYTE, - TLS_ECDH_RSA_WITH_AES_128_CBC_SHA); - ExpectIntEQ(info.rsaAuth, 1); - ExpectIntEQ(info.eccAuth, 0); - ExpectIntEQ(info.eccStatic, 1); - ExpectIntEQ(info.psk, 0); - info = wolfSSL_get_ciphersuite_info(ECC_BYTE, - TLS_ECDH_RSA_WITH_AES_256_CBC_SHA); - ExpectIntEQ(info.rsaAuth, 1); - ExpectIntEQ(info.eccAuth, 0); - ExpectIntEQ(info.eccStatic, 1); - ExpectIntEQ(info.psk, 0); +#if defined(OPENSSL_EXTRA) && defined(DEBUG_WOLFSSL) && \ + defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) +#if defined(SESSION_CERTS) +#include "wolfssl/internal.h" +#endif +static int msgSrvCb(SSL_CTX *ctx, SSL *ssl) +{ + EXPECT_DECLS; +#if defined(OPENSSL_ALL) && defined(SESSION_CERTS) && !defined(NO_BIO) + STACK_OF(X509)* sk = NULL; + X509* x509 = NULL; + int i, num; + BIO* bio = NULL; #endif - info = wolfSSL_get_ciphersuite_info(ECC_BYTE, - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA); - ExpectIntEQ(info.rsaAuth, 0); - ExpectIntEQ(info.eccAuth, 1); - ExpectIntEQ(info.eccStatic, 0); - ExpectIntEQ(info.psk, 0); - info = wolfSSL_get_ciphersuite_info(ECC_BYTE, - TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA); - ExpectIntEQ(info.rsaAuth, 0); - ExpectIntEQ(info.eccAuth, 1); - ExpectIntEQ(info.eccStatic, 1); - ExpectIntEQ(info.psk, 0); + ExpectNotNull(ctx); + ExpectNotNull(ssl); - info = wolfSSL_get_ciphersuite_info(ECDHE_PSK_BYTE, - TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256); - ExpectIntEQ(info.rsaAuth, 0); - ExpectIntEQ(info.eccAuth, 0); - ExpectIntEQ(info.eccStatic, 0); - ExpectIntEQ(info.psk, 1); -#endif + fprintf(stderr, "\n===== msgSrvCb called ====\n"); +#if defined(SESSION_CERTS) && defined(TEST_PEER_CERT_CHAIN) + ExpectTrue(SSL_get_peer_cert_chain(ssl) != NULL); + ExpectIntEQ(((WOLFSSL_X509_CHAIN *)SSL_get_peer_cert_chain(ssl))->count, 2); + ExpectNotNull(SSL_get0_verified_chain(ssl)); #endif -#ifdef WOLFSSL_TLS13 - info = wolfSSL_get_ciphersuite_info(TLS13_BYTE, - TLS_AES_128_GCM_SHA256); - ExpectIntEQ(info.rsaAuth, 0); - ExpectIntEQ(info.eccAuth, 0); - ExpectIntEQ(info.eccStatic, 0); - ExpectIntEQ(info.psk, 0); +#if defined(OPENSSL_ALL) && defined(SESSION_CERTS) && !defined(NO_BIO) +#ifdef KEEP_PEER_CERT + { + WOLFSSL_X509* peer = NULL; + ExpectNotNull(peer= wolfSSL_get_peer_certificate(ssl)); + ExpectNotNull(bio = BIO_new_fp(stderr, BIO_NOCLOSE)); + fprintf(stderr, "Peer Certificate = :\n"); + X509_print(bio, peer); + X509_free(peer); + } #endif + ExpectNotNull(sk = SSL_get_peer_cert_chain(ssl)); + if (sk == NULL) { + BIO_free(bio); + return TEST_FAIL; + } + num = sk_X509_num(sk); + ExpectTrue(num > 0); + for (i = 0; i < num; i++) { + ExpectNotNull(x509 = sk_X509_value(sk,i)); + if (x509 == NULL) + break; + fprintf(stderr, "Certificate at index [%d] = :\n",i); + X509_print(bio,x509); + fprintf(stderr, "\n\n"); + } + BIO_free(bio); #endif return EXPECT_RESULT(); } -static int test_wolfSSL_sigalg_info(void) +static int msgCb(SSL_CTX *ctx, SSL *ssl) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) - byte hashSigAlgo[WOLFSSL_MAX_SIGALGO]; - word16 len = 0; - word16 idx = 0; - int allSigAlgs = SIG_ECDSA | SIG_RSA | SIG_SM2 | SIG_FALCON | SIG_DILITHIUM; +#if defined(OPENSSL_ALL) && defined(SESSION_CERTS) && !defined(NO_BIO) + STACK_OF(X509)* sk = NULL; + X509* x509 = NULL; + int i, num; + BIO* bio = NULL; +#endif - InitSuitesHashSigAlgo(hashSigAlgo, allSigAlgs, 1, 0xFFFFFFFF, &len); - for (idx = 0; idx < len; idx += 2) { - int hashAlgo = 0; - int sigAlgo = 0; + ExpectNotNull(ctx); + ExpectNotNull(ssl); - ExpectIntEQ(wolfSSL_get_sigalg_info(hashSigAlgo[idx+0], - hashSigAlgo[idx+1], &hashAlgo, &sigAlgo), 0); + fprintf(stderr, "\n===== msgcb called ====\n"); +#if defined(SESSION_CERTS) && defined(TEST_PEER_CERT_CHAIN) + ExpectTrue(SSL_get_peer_cert_chain(ssl) != NULL); + ExpectIntEQ(((WOLFSSL_X509_CHAIN *)SSL_get_peer_cert_chain(ssl))->count, 2); + ExpectNotNull(SSL_get0_verified_chain(ssl)); +#endif - ExpectIntNE(hashAlgo, 0); - ExpectIntNE(sigAlgo, 0); +#if defined(OPENSSL_ALL) && defined(SESSION_CERTS) && !defined(NO_BIO) + ExpectNotNull(bio = BIO_new_fp(stderr, BIO_NOCLOSE)); + ExpectNotNull(sk = SSL_get_peer_cert_chain(ssl)); + if (sk == NULL) { + BIO_free(bio); + return TEST_FAIL; } - - InitSuitesHashSigAlgo(hashSigAlgo, allSigAlgs | SIG_ANON, 1, - 0xFFFFFFFF, &len); - for (idx = 0; idx < len; idx += 2) { - int hashAlgo = 0; - int sigAlgo = 0; - - ExpectIntEQ(wolfSSL_get_sigalg_info(hashSigAlgo[idx+0], - hashSigAlgo[idx+1], &hashAlgo, &sigAlgo), 0); - - ExpectIntNE(hashAlgo, 0); + num = sk_X509_num(sk); + ExpectTrue(num > 0); + for (i = 0; i < num; i++) { + ExpectNotNull(x509 = sk_X509_value(sk,i)); + if (x509 == NULL) + break; + fprintf(stderr, "Certificate at index [%d] = :\n",i); + X509_print(bio,x509); + fprintf(stderr, "\n\n"); } - + BIO_free(bio); #endif return EXPECT_RESULT(); } +#endif -static int test_wolfSSL_SESSION(void) +static int test_wolfSSL_msgCb(void) { EXPECT_DECLS; -#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \ - !defined(NO_RSA) && !defined(NO_SHA256) && \ - defined(HAVE_IO_TESTS_DEPENDENCIES) && !defined(NO_SESSION_CACHE) - WOLFSSL* ssl = NULL; - WOLFSSL_CTX* ctx = NULL; - WOLFSSL_SESSION* sess = NULL; - WOLFSSL_SESSION* sess_copy = NULL; -#ifdef OPENSSL_EXTRA -#ifdef HAVE_EXT_CACHE - unsigned char* sessDer = NULL; - unsigned char* ptr = NULL; - int sz = 0; -#endif - const unsigned char context[] = "user app context"; - unsigned int contextSz = (unsigned int)sizeof(context); -#endif - int ret = 0, err = 0; - SOCKET_T sockfd; - tcp_ready ready; - func_args server_args; - THREAD_TYPE serverThread; - char msg[80]; - const char* sendGET = "GET"; +#if defined(OPENSSL_EXTRA) && defined(DEBUG_WOLFSSL) && \ + defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) + test_ssl_cbf client_cb; + test_ssl_cbf server_cb; - /* TLS v1.3 requires session tickets */ - /* CHACHA and POLY1305 required for myTicketEncCb */ -#if !defined(WOLFSSL_NO_TLS12) && (!defined(WOLFSSL_TLS13) || \ - !(defined(HAVE_SESSION_TICKET) && ((defined(HAVE_CHACHA) && \ - defined(HAVE_POLY1305)) || defined(HAVE_AESGCM)))) - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method())); + XMEMSET(&client_cb, 0, sizeof(client_cb)); + XMEMSET(&server_cb, 0, sizeof(server_cb)); +#ifndef WOLFSSL_NO_TLS12 + client_cb.method = wolfTLSv1_2_client_method; + server_cb.method = wolfTLSv1_2_server_method; #else - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); -#endif - - ExpectTrue(wolfSSL_CTX_use_certificate_file(ctx, cliCertFile, - CERT_FILETYPE)); - ExpectTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, cliKeyFile, - CERT_FILETYPE)); - ExpectIntEQ(wolfSSL_CTX_load_verify_locations(ctx, caCertFile, 0), - WOLFSSL_SUCCESS); -#ifdef WOLFSSL_ENCRYPTED_KEYS - wolfSSL_CTX_set_default_passwd_cb(ctx, PasswordCallBack); -#endif -#ifdef HAVE_SESSION_TICKET - /* Use session tickets, for ticket tests below */ - ExpectIntEQ(wolfSSL_CTX_UseSessionTicket(ctx), WOLFSSL_SUCCESS); + client_cb.method = wolfTLSv1_3_client_method; + server_cb.method = wolfTLSv1_3_server_method; #endif + server_cb.caPemFile = caCertFile; + client_cb.certPemFile = "./certs/intermediate/client-chain.pem"; - XMEMSET(&server_args, 0, sizeof(func_args)); -#ifdef WOLFSSL_TIRTOS - fdOpenSession(Task_self()); + ExpectIntEQ(test_wolfSSL_client_server_nofail_memio_ex(&client_cb, + &server_cb, msgCb, msgSrvCb), TEST_SUCCESS); #endif + return EXPECT_RESULT(); +} - StartTCP(); - InitTcpReady(&ready); - -#if defined(USE_WINDOWS_API) - /* use RNG to get random port if using windows */ - ready.port = GetRandomPort(); -#endif +static int test_wolfSSL_either_side(void) +{ + EXPECT_DECLS; +#if (defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE)) && \ + defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) + test_ssl_cbf client_cb; + test_ssl_cbf server_cb; - server_args.signal = &ready; - start_thread(test_server_nofail, &server_args, &serverThread); - wait_tcp_ready(&server_args); + XMEMSET(&client_cb, 0, sizeof(client_cb)); + XMEMSET(&server_cb, 0, sizeof(server_cb)); - /* client connection */ - ExpectNotNull(ssl = wolfSSL_new(ctx)); - tcp_connect(&sockfd, wolfSSLIP, ready.port, 0, 0, ssl); - ExpectIntEQ(wolfSSL_set_fd(ssl, sockfd), WOLFSSL_SUCCESS); + /* Use different CTX for client and server */ + client_cb.ctx = wolfSSL_CTX_new(wolfSSLv23_method()); + ExpectNotNull(client_cb.ctx); + server_cb.ctx = wolfSSL_CTX_new(wolfSSLv23_method()); + ExpectNotNull(server_cb.ctx); + /* we are responsible for free'ing WOLFSSL_CTX */ + server_cb.isSharedCtx = client_cb.isSharedCtx = 1; - WOLFSSL_ASYNC_WHILE_PENDING(ret = wolfSSL_connect(ssl), - ret != WOLFSSL_SUCCESS); - ExpectIntEQ(ret, WOLFSSL_SUCCESS); + ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cb, + &server_cb, NULL), TEST_SUCCESS); - WOLFSSL_ASYNC_WHILE_PENDING( - ret = wolfSSL_write(ssl, sendGET, (int)XSTRLEN(sendGET)), - ret <= 0); - ExpectIntEQ(ret, (int)XSTRLEN(sendGET)); + wolfSSL_CTX_free(client_cb.ctx); + wolfSSL_CTX_free(server_cb.ctx); +#endif + return EXPECT_RESULT(); +} - WOLFSSL_ASYNC_WHILE_PENDING(ret = wolfSSL_read(ssl, msg, sizeof(msg)), - ret != 23); - ExpectIntEQ(ret, 23); +static int test_wolfSSL_DTLS_either_side(void) +{ + EXPECT_DECLS; +#if (defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE)) && \ + defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && defined(WOLFSSL_DTLS) + test_ssl_cbf client_cb; + test_ssl_cbf server_cb; - ExpectPtrNE((sess = wolfSSL_get1_session(ssl)), NULL); /* ref count 1 */ - ExpectPtrNE((sess_copy = wolfSSL_get1_session(ssl)), NULL); /* ref count 2 */ - ExpectIntEQ(wolfSSL_SessionIsSetup(sess), 1); -#ifdef HAVE_EXT_CACHE - ExpectPtrEq(sess, sess_copy); /* they should be the same pointer but without - * HAVE_EXT_CACHE we get new objects each time */ -#endif - wolfSSL_SESSION_free(sess_copy); sess_copy = NULL; - wolfSSL_SESSION_free(sess); sess = NULL; /* free session ref */ + XMEMSET(&client_cb, 0, sizeof(client_cb)); + XMEMSET(&server_cb, 0, sizeof(server_cb)); - sess = wolfSSL_get_session(ssl); + /* Use different CTX for client and server */ + client_cb.ctx = wolfSSL_CTX_new(wolfDTLS_method()); + ExpectNotNull(client_cb.ctx); + server_cb.ctx = wolfSSL_CTX_new(wolfDTLS_method()); + ExpectNotNull(server_cb.ctx); + /* we are responsible for free'ing WOLFSSL_CTX */ + server_cb.isSharedCtx = client_cb.isSharedCtx = 1; -#ifdef OPENSSL_EXTRA - ExpectIntEQ(SSL_SESSION_is_resumable(NULL), 0); - ExpectIntEQ(SSL_SESSION_is_resumable(sess), 1); + ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cb, + &server_cb, NULL), TEST_SUCCESS); - ExpectIntEQ(wolfSSL_SESSION_has_ticket(NULL), 0); - ExpectIntEQ(wolfSSL_SESSION_get_ticket_lifetime_hint(NULL), 0); - #ifdef HAVE_SESSION_TICKET - ExpectIntEQ(wolfSSL_SESSION_has_ticket(sess), 1); - ExpectIntEQ(wolfSSL_SESSION_get_ticket_lifetime_hint(sess), - SESSION_TICKET_HINT_DEFAULT); - #else - ExpectIntEQ(wolfSSL_SESSION_has_ticket(sess), 0); - #endif -#else - (void)sess; -#endif /* OPENSSL_EXTRA */ + wolfSSL_CTX_free(client_cb.ctx); + wolfSSL_CTX_free(server_cb.ctx); +#endif + return EXPECT_RESULT(); +} - /* Retain copy of the session for later testing */ - ExpectNotNull(sess = wolfSSL_get1_session(ssl)); +static int test_generate_cookie(void) +{ + EXPECT_DECLS; +#if defined(WOLFSSL_DTLS) && defined(OPENSSL_EXTRA) && defined(USE_WOLFSSL_IO) + SSL_CTX* ctx = NULL; + SSL* ssl = NULL; + byte buf[FOURK_BUF] = {0}; - wolfSSL_shutdown(ssl); - wolfSSL_free(ssl); ssl = NULL; + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfDTLS_method())); + ExpectNotNull(ssl = SSL_new(ctx)); - CloseSocket(sockfd); + /* Test unconnected */ + ExpectIntEQ(EmbedGenerateCookie(ssl, buf, FOURK_BUF, NULL), WC_NO_ERR_TRACE(GEN_COOKIE_E)); - join_thread(serverThread); + wolfSSL_CTX_SetGenCookie(ctx, EmbedGenerateCookie); - FreeTcpReady(&ready); + wolfSSL_SetCookieCtx(ssl, ctx); -#ifdef WOLFSSL_TIRTOS - fdOpenSession(Task_self()); -#endif + ExpectNotNull(wolfSSL_GetCookieCtx(ssl)); -#if defined(SESSION_CERTS) && defined(OPENSSL_EXTRA) - { - X509 *x509 = NULL; - char buf[30]; - int bufSz = 0; + ExpectNull(wolfSSL_GetCookieCtx(NULL)); - ExpectNotNull(x509 = SSL_SESSION_get0_peer(sess)); - ExpectIntGT((bufSz = X509_NAME_get_text_by_NID( - X509_get_subject_name(x509), NID_organizationalUnitName, buf, - sizeof(buf))), 0); - ExpectIntNE((bufSz == 7 || bufSz == 16), 0); /* should be one of these*/ - if (bufSz == 7) { - ExpectIntEQ(XMEMCMP(buf, "Support", bufSz), 0); - } - if (bufSz == 16) { - ExpectIntEQ(XMEMCMP(buf, "Programming-2048", bufSz), 0); - } - } + SSL_free(ssl); + SSL_CTX_free(ctx); #endif + return EXPECT_RESULT(); +} -#ifdef HAVE_EXT_CACHE - ExpectNotNull(sess_copy = wolfSSL_SESSION_dup(sess)); - wolfSSL_SESSION_free(sess_copy); sess_copy = NULL; - sess_copy = NULL; +static int test_wolfSSL_set_options(void) +{ + EXPECT_DECLS; +#if !defined(NO_CERTS) && !defined(NO_TLS) && !defined(NO_FILESYSTEM) && \ + (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) && \ + !defined(NO_RSA) + WOLFSSL* ssl = NULL; + WOLFSSL_CTX* ctx = NULL; +#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) + char appData[] = "extra msg"; +#endif +#ifdef OPENSSL_EXTRA + unsigned char protos[] = { + 7, 't', 'l', 's', '/', '1', '.', '2', + 8, 'h', 't', 't', 'p', '/', '1', '.', '1' + }; + unsigned int len = sizeof(protos); + void *arg = (void *)TEST_ARG; #endif -#if defined(OPENSSL_EXTRA) && defined(HAVE_EXT_CACHE) - /* get session from DER and update the timeout */ - ExpectIntEQ(wolfSSL_i2d_SSL_SESSION(NULL, &sessDer), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntGT((sz = wolfSSL_i2d_SSL_SESSION(sess, &sessDer)), 0); - wolfSSL_SESSION_free(sess); sess = NULL; - sess = NULL; - ptr = sessDer; - ExpectNull(sess = wolfSSL_d2i_SSL_SESSION(NULL, NULL, sz)); - ExpectNotNull(sess = wolfSSL_d2i_SSL_SESSION(NULL, - (const unsigned char**)&ptr, sz)); - XFREE(sessDer, NULL, DYNAMIC_TYPE_OPENSSL); - sessDer = NULL; - - ExpectIntGT(wolfSSL_SESSION_get_time(sess), 0); - ExpectIntEQ(wolfSSL_SSL_SESSION_set_timeout(sess, 500), SSL_SUCCESS); +#ifndef NO_WOLFSSL_SERVER + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); +#else + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); #endif + ExpectTrue(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile, + CERT_FILETYPE)); + ExpectTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, + CERT_FILETYPE)); - /* successful set session test */ - ExpectNotNull(ssl = wolfSSL_new(ctx)); - ExpectIntEQ(wolfSSL_set_session(ssl, sess), WOLFSSL_SUCCESS); + ExpectTrue(wolfSSL_CTX_set_options(ctx, WOLFSSL_OP_NO_TLSv1) + == WOLFSSL_OP_NO_TLSv1); + ExpectTrue(wolfSSL_CTX_get_options(ctx) == WOLFSSL_OP_NO_TLSv1); -#ifdef HAVE_SESSION_TICKET - /* Test set/get session ticket */ - { - const char* ticket = "This is a session ticket"; - char buf[64] = {0}; - word32 bufSz = (word32)sizeof(buf); - word32 retSz = 0; + ExpectIntGT((int)wolfSSL_CTX_set_options(ctx, (WOLFSSL_OP_COOKIE_EXCHANGE | + WOLFSSL_OP_NO_SSLv2)), 0); + ExpectTrue((wolfSSL_CTX_set_options(ctx, WOLFSSL_OP_COOKIE_EXCHANGE) & + WOLFSSL_OP_COOKIE_EXCHANGE) == WOLFSSL_OP_COOKIE_EXCHANGE); + ExpectTrue((wolfSSL_CTX_set_options(ctx, WOLFSSL_OP_NO_TLSv1_2) & + WOLFSSL_OP_NO_TLSv1_2) == WOLFSSL_OP_NO_TLSv1_2); + ExpectTrue((wolfSSL_CTX_set_options(ctx, WOLFSSL_OP_NO_COMPRESSION) & + WOLFSSL_OP_NO_COMPRESSION) == WOLFSSL_OP_NO_COMPRESSION); + ExpectFalse((wolfSSL_CTX_clear_options(ctx, WOLFSSL_OP_NO_COMPRESSION) & + WOLFSSL_OP_NO_COMPRESSION)); - ExpectIntEQ(WOLFSSL_SUCCESS, - wolfSSL_set_SessionTicket(ssl, (byte *)ticket, - (word32)XSTRLEN(ticket))); - ExpectIntEQ(WOLFSSL_SUCCESS, - wolfSSL_get_SessionTicket(ssl, (byte *)buf, &bufSz)); - ExpectStrEQ(ticket, buf); + wolfSSL_CTX_free(ctx); + ctx = NULL; - /* return ticket length if buffer parameter is null */ - wolfSSL_get_SessionTicket(ssl, NULL, &retSz); - ExpectIntEQ(bufSz, retSz); - } +#ifndef NO_WOLFSSL_SERVER + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); +#else + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); #endif - + ExpectTrue(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile, + CERT_FILETYPE)); + ExpectTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, + CERT_FILETYPE)); #ifdef OPENSSL_EXTRA - /* session timeout case */ - /* make the session to be expired */ - ExpectIntEQ(SSL_SESSION_set_timeout(sess,1), SSL_SUCCESS); - XSLEEP_MS(1200); - - /* SSL_set_session should reject specified session but return success - * if WOLFSSL_ERROR_CODE_OPENSSL macro is defined for OpenSSL compatibility. - */ -#if defined(WOLFSSL_ERROR_CODE_OPENSSL) - ExpectIntEQ(wolfSSL_set_session(ssl,sess), SSL_SUCCESS); -#else - ExpectIntEQ(wolfSSL_set_session(ssl,sess), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectTrue(wolfSSL_CTX_set_msg_callback(ctx, msg_cb) == WOLFSSL_SUCCESS); #endif - ExpectIntEQ(wolfSSL_SSL_SESSION_set_timeout(sess, 500), SSL_SUCCESS); - -#ifdef WOLFSSL_SESSION_ID_CTX - /* fail case with miss match session context IDs (use compatibility API) */ - ExpectIntEQ(SSL_set_session_id_context(ssl, context, contextSz), - SSL_SUCCESS); - ExpectIntEQ(wolfSSL_set_session(ssl, sess), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - wolfSSL_free(ssl); ssl = NULL; - ExpectIntEQ(SSL_CTX_set_session_id_context(NULL, context, contextSz), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(SSL_CTX_set_session_id_context(ctx, context, contextSz), - SSL_SUCCESS); ExpectNotNull(ssl = wolfSSL_new(ctx)); - ExpectIntEQ(wolfSSL_set_session(ssl, sess), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); +#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) +#ifdef HAVE_EX_DATA + ExpectIntEQ(wolfSSL_set_app_data(ssl, (void*)appData), WOLFSSL_SUCCESS); + ExpectNotNull(wolfSSL_get_app_data((const WOLFSSL*)ssl)); + if (ssl != NULL) { + ExpectIntEQ(XMEMCMP(wolfSSL_get_app_data((const WOLFSSL*)ssl), + appData, sizeof(appData)), 0); + } +#else + ExpectIntEQ(wolfSSL_set_app_data(ssl, (void*)appData), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectNull(wolfSSL_get_app_data((const WOLFSSL*)ssl)); #endif -#endif /* OPENSSL_EXTRA */ - - wolfSSL_free(ssl); - wolfSSL_SESSION_free(sess); - wolfSSL_CTX_free(ctx); #endif - return EXPECT_RESULT(); -} -#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \ - !defined(NO_RSA) && defined(HAVE_IO_TESTS_DEPENDENCIES) && \ - !defined(NO_SESSION_CACHE) && defined(OPENSSL_EXTRA) && \ - !defined(WOLFSSL_NO_TLS12) -static WOLFSSL_SESSION* test_wolfSSL_SESSION_expire_sess = NULL; + ExpectTrue(wolfSSL_set_options(ssl, WOLFSSL_OP_NO_TLSv1) == + WOLFSSL_OP_NO_TLSv1); -static void test_wolfSSL_SESSION_expire_downgrade_ctx_ready(WOLFSSL_CTX* ctx) -{ - #ifdef WOLFSSL_ERROR_CODE_OPENSSL - /* returns previous timeout value */ - AssertIntEQ(wolfSSL_CTX_set_timeout(ctx, 1), 500); - #else - AssertIntEQ(wolfSSL_CTX_set_timeout(ctx, 1), WOLFSSL_SUCCESS); - #endif -} + ExpectTrue(wolfSSL_get_options(ssl) == WOLFSSL_OP_NO_TLSv1); + ExpectIntGT((int)wolfSSL_set_options(ssl, (WOLFSSL_OP_COOKIE_EXCHANGE | + WOLFSSL_OP_NO_SSLv2)), 0); -/* set the session to timeout in a second */ -static void test_wolfSSL_SESSION_expire_downgrade_ssl_ready(WOLFSSL* ssl) -{ - AssertIntEQ(wolfSSL_set_timeout(ssl, 2), 1); -} + ExpectTrue((wolfSSL_set_options(ssl, WOLFSSL_OP_COOKIE_EXCHANGE) & + WOLFSSL_OP_COOKIE_EXCHANGE) == WOLFSSL_OP_COOKIE_EXCHANGE); + ExpectTrue((wolfSSL_set_options(ssl, WOLFSSL_OP_NO_TLSv1_2) & + WOLFSSL_OP_NO_TLSv1_2) == WOLFSSL_OP_NO_TLSv1_2); -/* store the client side session from the first successful connection */ -static void test_wolfSSL_SESSION_expire_downgrade_ssl_result(WOLFSSL* ssl) -{ - AssertPtrNE((test_wolfSSL_SESSION_expire_sess = wolfSSL_get1_session(ssl)), - NULL); /* ref count 1 */ -} + ExpectTrue((wolfSSL_set_options(ssl, WOLFSSL_OP_NO_COMPRESSION) & + WOLFSSL_OP_NO_COMPRESSION) == WOLFSSL_OP_NO_COMPRESSION); +#ifdef OPENSSL_EXTRA + ExpectFalse((wolfSSL_clear_options(ssl, WOLFSSL_OP_NO_COMPRESSION) & + WOLFSSL_OP_NO_COMPRESSION)); +#endif -/* wait till session is expired then set it in the WOLFSSL struct for use */ -static void test_wolfSSL_SESSION_expire_downgrade_ssl_ready_wait(WOLFSSL* ssl) -{ - AssertIntEQ(wolfSSL_set_timeout(ssl, 1), 1); - AssertIntEQ(wolfSSL_set_session(ssl, test_wolfSSL_SESSION_expire_sess), - WOLFSSL_SUCCESS); - XSLEEP_MS(2000); /* wait 2 seconds for session to expire */ -} +#ifdef OPENSSL_EXTRA + ExpectTrue(wolfSSL_set_msg_callback(ssl, msg_cb) == WOLFSSL_SUCCESS); + wolfSSL_set_msg_callback_arg(ssl, arg); +#ifdef WOLFSSL_ERROR_CODE_OPENSSL + ExpectTrue(wolfSSL_CTX_set_alpn_protos(ctx, protos, len) == 0); +#else + ExpectTrue(wolfSSL_CTX_set_alpn_protos(ctx, protos, len) == WOLFSSL_SUCCESS); +#endif +#endif +#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || \ + defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(OPENSSL_ALL) || \ + defined(HAVE_LIGHTY) || defined(HAVE_STUNNEL) -/* set expired session in the WOLFSSL struct for use */ -static void test_wolfSSL_SESSION_expire_downgrade_ssl_ready_set(WOLFSSL* ssl) -{ - XSLEEP_MS(1200); /* wait a second for session to expire */ +#if defined(HAVE_ALPN) && !defined(NO_BIO) - /* set the expired session, call to set session fails but continuing on - after failure should be handled here */ -#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_ERROR_CODE_OPENSSL) - AssertIntEQ(wolfSSL_set_session(ssl, test_wolfSSL_SESSION_expire_sess), - WOLFSSL_SUCCESS); +#ifdef WOLFSSL_ERROR_CODE_OPENSSL + ExpectTrue(wolfSSL_set_alpn_protos(ssl, protos, len) == 0); #else - AssertIntNE(wolfSSL_set_session(ssl, test_wolfSSL_SESSION_expire_sess), - WOLFSSL_SUCCESS); + ExpectTrue(wolfSSL_set_alpn_protos(ssl, protos, len) == WOLFSSL_SUCCESS); #endif -} +#endif /* HAVE_ALPN && !NO_BIO */ +#endif -/* check that the expired session was not reused */ -static void test_wolfSSL_SESSION_expire_downgrade_ssl_result_reuse(WOLFSSL* ssl) -{ - /* since the session has expired it should not have been reused */ - AssertIntEQ(wolfSSL_session_reused(ssl), 0); -} + wolfSSL_free(ssl); + wolfSSL_CTX_free(ctx); #endif + return EXPECT_RESULT(); +} -static int test_wolfSSL_SESSION_expire_downgrade(void) +static int test_wolfSSL_sk_SSL_CIPHER(void) { EXPECT_DECLS; -#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \ - !defined(NO_RSA) && defined(HAVE_IO_TESTS_DEPENDENCIES) && \ - !defined(NO_SESSION_CACHE) && defined(OPENSSL_EXTRA) && \ - !defined(WOLFSSL_NO_TLS12) - callback_functions server_cbf, client_cbf; - - XMEMSET(&server_cbf, 0, sizeof(callback_functions)); - XMEMSET(&client_cbf, 0, sizeof(callback_functions)); - - /* force server side to use TLS 1.2 */ - server_cbf.method = wolfTLSv1_2_server_method; +#if defined(OPENSSL_ALL) && !defined(NO_CERTS) && !defined(NO_TLS) && \ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) +#if !defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER) + SSL* ssl = NULL; + SSL_CTX* ctx = NULL; + STACK_OF(SSL_CIPHER) *sk = NULL; + STACK_OF(SSL_CIPHER) *dupSk = NULL; - client_cbf.method = wolfSSLv23_client_method; - server_cbf.ctx_ready = test_wolfSSL_SESSION_expire_downgrade_ctx_ready; - client_cbf.ssl_ready = test_wolfSSL_SESSION_expire_downgrade_ssl_ready; - client_cbf.on_result = test_wolfSSL_SESSION_expire_downgrade_ssl_result; +#ifndef NO_WOLFSSL_SERVER + ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); +#else + ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); +#endif + ExpectTrue(SSL_CTX_use_certificate_file(ctx, svrCertFile, SSL_FILETYPE_PEM)); + ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, SSL_FILETYPE_PEM)); + ExpectNotNull(ssl = SSL_new(ctx)); + ExpectNotNull(sk = SSL_get_ciphers(ssl)); + ExpectNotNull(dupSk = sk_SSL_CIPHER_dup(sk)); + ExpectIntGT(sk_SSL_CIPHER_num(sk), 0); + ExpectIntEQ(sk_SSL_CIPHER_num(sk), sk_SSL_CIPHER_num(dupSk)); - test_wolfSSL_client_server_nofail(&client_cbf, &server_cbf); - ExpectIntEQ(client_cbf.return_code, TEST_SUCCESS); - ExpectIntEQ(server_cbf.return_code, TEST_SUCCESS); + /* error case because connection has not been established yet */ + ExpectIntEQ(sk_SSL_CIPHER_find(sk, SSL_get_current_cipher(ssl)), -1); + sk_SSL_CIPHER_free(dupSk); - client_cbf.method = wolfSSLv23_client_method; - server_cbf.ctx_ready = test_wolfSSL_SESSION_expire_downgrade_ctx_ready; - client_cbf.ssl_ready = test_wolfSSL_SESSION_expire_downgrade_ssl_ready_wait; - client_cbf.on_result = - test_wolfSSL_SESSION_expire_downgrade_ssl_result_reuse; + /* sk is pointer to internal struct that should be free'd in SSL_free */ + SSL_free(ssl); + SSL_CTX_free(ctx); +#endif /* !NO_WOLFSSL_CLIENT || !NO_WOLFSSL_SERVER */ +#endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) */ + return EXPECT_RESULT(); +} - test_wolfSSL_client_server_nofail(&client_cbf, &server_cbf); - ExpectIntEQ(client_cbf.return_code, TEST_SUCCESS); - ExpectIntEQ(server_cbf.return_code, TEST_SUCCESS); +static int test_wolfSSL_set1_curves_list(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && defined(HAVE_ECC) && !defined(NO_TLS) && \ + (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) && \ + !defined(NO_FILESYSTEM) + SSL* ssl = NULL; + SSL_CTX* ctx = NULL; - client_cbf.method = wolfSSLv23_client_method; - server_cbf.ctx_ready = test_wolfSSL_SESSION_expire_downgrade_ctx_ready; - client_cbf.ssl_ready = test_wolfSSL_SESSION_expire_downgrade_ssl_ready_set; - client_cbf.on_result = - test_wolfSSL_SESSION_expire_downgrade_ssl_result_reuse; +#ifndef NO_WOLFSSL_SERVER + ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); +#else + ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); +#endif + ExpectTrue(SSL_CTX_use_certificate_file(ctx, eccCertFile, + SSL_FILETYPE_PEM)); + ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, eccKeyFile, SSL_FILETYPE_PEM)); + ExpectNotNull(ssl = SSL_new(ctx)); - test_wolfSSL_client_server_nofail(&client_cbf, &server_cbf); - ExpectIntEQ(client_cbf.return_code, TEST_SUCCESS); - ExpectIntEQ(server_cbf.return_code, TEST_SUCCESS); + ExpectIntEQ(SSL_CTX_set1_curves_list(ctx, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); +#ifdef HAVE_ECC + ExpectIntEQ(SSL_CTX_set1_curves_list(ctx, "P-25X"), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(SSL_CTX_set1_curves_list(ctx, "P-256"), WOLFSSL_SUCCESS); +#endif +#ifdef HAVE_CURVE25519 + ExpectIntEQ(SSL_CTX_set1_curves_list(ctx, "X25519"), WOLFSSL_SUCCESS); +#else + ExpectIntEQ(SSL_CTX_set1_curves_list(ctx, "X25519"), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); +#endif +#ifdef HAVE_CURVE448 + ExpectIntEQ(SSL_CTX_set1_curves_list(ctx, "X448"), WOLFSSL_SUCCESS); +#else + ExpectIntEQ(SSL_CTX_set1_curves_list(ctx, "X448"), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); +#endif - wolfSSL_SESSION_free(test_wolfSSL_SESSION_expire_sess); + ExpectIntEQ(SSL_set1_curves_list(ssl, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); +#ifdef HAVE_ECC + ExpectIntEQ(SSL_set1_curves_list(ssl, "P-25X"), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(SSL_set1_curves_list(ssl, "P-256"), WOLFSSL_SUCCESS); #endif - return EXPECT_RESULT(); -} -#if defined(OPENSSL_EXTRA) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \ - defined(HAVE_EX_DATA) && !defined(NO_SESSION_CACHE) -#ifdef WOLFSSL_ATOMIC_OPS - typedef wolfSSL_Atomic_Int SessRemCounter_t; +#ifdef HAVE_CURVE25519 + ExpectIntEQ(SSL_set1_curves_list(ssl, "X25519"), WOLFSSL_SUCCESS); #else - typedef int SessRemCounter_t; + ExpectIntEQ(SSL_set1_curves_list(ssl, "X25519"), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); +#endif +#ifdef HAVE_CURVE448 + ExpectIntEQ(SSL_set1_curves_list(ssl, "X448"), WOLFSSL_SUCCESS); +#else + ExpectIntEQ(SSL_set1_curves_list(ssl, "X448"), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); #endif -static SessRemCounter_t clientSessRemCountMalloc; -static SessRemCounter_t serverSessRemCountMalloc; -static SessRemCounter_t clientSessRemCountFree; -static SessRemCounter_t serverSessRemCountFree; -static WOLFSSL_CTX* serverSessCtx = NULL; -static WOLFSSL_SESSION* serverSess = NULL; -#if (defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET)) || \ - !defined(NO_SESSION_CACHE_REF) -static WOLFSSL_CTX* clientSessCtx = NULL; -static WOLFSSL_SESSION* clientSess = NULL; + SSL_free(ssl); + SSL_CTX_free(ctx); #endif -static int serverSessRemIdx = 3; -static int sessRemCtx_Server = WOLFSSL_SERVER_END; -static int sessRemCtx_Client = WOLFSSL_CLIENT_END; + return EXPECT_RESULT(); +} -static void SessRemCtxCb(WOLFSSL_CTX *ctx, WOLFSSL_SESSION *sess) +#if defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \ + (defined(OPENSSL_EXTRA) || defined(HAVE_CURL)) && defined(HAVE_ECC) +static int test_wolfSSL_curves_mismatch_ctx_ready(WOLFSSL_CTX* ctx) { - int* side; + static int counter = 0; + EXPECT_DECLS; - (void)ctx; + if (counter % 2) { + ExpectIntEQ(wolfSSL_CTX_set1_curves_list(ctx, "P-256"), + WOLFSSL_SUCCESS); + } + else { + ExpectIntEQ(wolfSSL_CTX_set1_curves_list(ctx, "P-384"), + WOLFSSL_SUCCESS); + } - side = (int*)SSL_SESSION_get_ex_data(sess, serverSessRemIdx); - if (side != NULL) { - if (*side == WOLFSSL_CLIENT_END) - (void)wolfSSL_Atomic_Int_FetchAdd(&clientSessRemCountFree, 1); - else - (void)wolfSSL_Atomic_Int_FetchAdd(&serverSessRemCountFree, 1); + /* Ciphersuites that require curves */ + wolfSSL_CTX_set_cipher_list(ctx, "TLS13-AES256-GCM-SHA384:" + "TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES128-GCM-SHA256:" + "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:" + "ECDHE-ECDSA-AES128-GCM-SHA256:" + "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:" + "ECDHE-ECDSA-CHACHA20-POLY1305"); - SSL_SESSION_set_ex_data(sess, serverSessRemIdx, NULL); - } + counter++; + return EXPECT_RESULT(); } - -static int SessRemCtxSetupCb(WOLFSSL_CTX* ctx) -{ - SSL_CTX_sess_set_remove_cb(ctx, SessRemCtxCb); -#if defined(WOLFSSL_TLS13) && !defined(HAVE_SESSION_TICKET) && \ - !defined(NO_SESSION_CACHE_REF) - { - EXPECT_DECLS; - /* Allow downgrade, set min version, and disable TLS 1.3. - * Do this because without NO_SESSION_CACHE_REF we will want to return a - * reference to the session cache. But with WOLFSSL_TLS13 and without - * HAVE_SESSION_TICKET we won't have a session ID to be able to place - * the session in the cache. In this case we need to downgrade to - * previous versions to just use the legacy session ID field. */ - ExpectIntEQ(SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION), - SSL_SUCCESS); - ExpectIntEQ(SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION), - SSL_SUCCESS); - return EXPECT_RESULT(); - } -#else - return TEST_SUCCESS; #endif -} -static int SessRemSslSetupCb(WOLFSSL* ssl) +static int test_wolfSSL_curves_mismatch(void) { EXPECT_DECLS; - int* side; - - if (SSL_is_server(ssl)) { - side = &sessRemCtx_Server; - (void)wolfSSL_Atomic_Int_FetchAdd(&serverSessRemCountMalloc, 1); - ExpectNotNull(serverSess = SSL_get1_session(ssl)); - ExpectIntEQ(SSL_CTX_up_ref(serverSessCtx = SSL_get_SSL_CTX(ssl)), - SSL_SUCCESS); - } - else { - side = &sessRemCtx_Client; - (void)wolfSSL_Atomic_Int_FetchAdd(&clientSessRemCountMalloc, 1); -#if (defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET)) || \ - !defined(NO_SESSION_CACHE_REF) - ExpectNotNull(clientSess = SSL_get1_session(ssl)); - ExpectIntEQ(SSL_CTX_up_ref(clientSessCtx = SSL_get_SSL_CTX(ssl)), - SSL_SUCCESS); +#if defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \ + (defined(OPENSSL_EXTRA) || defined(HAVE_CURL)) && defined(HAVE_ECC) + test_ssl_cbf func_cb_client; + test_ssl_cbf func_cb_server; + size_t i; + struct { + method_provider client_meth; + method_provider server_meth; + const char* desc; + int client_last_err; + int server_last_err; + } test_params[] = { +#ifdef WOLFSSL_TLS13 + {wolfTLSv1_3_client_method, wolfTLSv1_3_server_method, "TLS 1.3", + /* Client gets error because server will attempt HRR */ + WC_NO_ERR_TRACE(BAD_KEY_SHARE_DATA), + WC_NO_ERR_TRACE(FATAL_ERROR) + }, +#endif +#ifndef WOLFSSL_NO_TLS12 + {wolfTLSv1_2_client_method, wolfTLSv1_2_server_method, "TLS 1.2", + WC_NO_ERR_TRACE(FATAL_ERROR), + /* Server gets error because <=1.2 doesn't have a mechanism + * to negotiate curves. */ +#ifdef OPENSSL_EXTRA + WC_NO_ERR_TRACE(WOLFSSL_ERROR_SYSCALL) +#else + WC_NO_ERR_TRACE(MATCH_SUITE_ERROR) +#endif + }, +#endif +#ifndef NO_OLD_TLS + {wolfTLSv1_1_client_method, wolfTLSv1_1_server_method, "TLS 1.1", + WC_NO_ERR_TRACE(FATAL_ERROR), +#ifdef OPENSSL_EXTRA + WC_NO_ERR_TRACE(WOLFSSL_ERROR_SYSCALL) +#else + WC_NO_ERR_TRACE(MATCH_SUITE_ERROR) #endif - } - ExpectIntEQ(SSL_SESSION_set_ex_data(SSL_get_session(ssl), - serverSessRemIdx, side), SSL_SUCCESS); - - return EXPECT_RESULT(); -} + }, #endif + }; -static int test_wolfSSL_CTX_sess_set_remove_cb(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \ - defined(HAVE_EX_DATA) && !defined(NO_SESSION_CACHE) - /* Check that the remove callback gets called for external data in a - * session object */ - test_ssl_cbf func_cb; + for (i = 0; i < XELEM_CNT(test_params) && !EXPECT_FAIL(); i++) { + XMEMSET(&func_cb_client, 0, sizeof(func_cb_client)); + XMEMSET(&func_cb_server, 0, sizeof(func_cb_server)); - wolfSSL_Atomic_Int_Init(&clientSessRemCountMalloc, 0); - wolfSSL_Atomic_Int_Init(&serverSessRemCountMalloc, 0); - wolfSSL_Atomic_Int_Init(&clientSessRemCountFree, 0); - wolfSSL_Atomic_Int_Init(&serverSessRemCountFree, 0); + printf("\tTesting with %s...\n", test_params[i].desc); - XMEMSET(&func_cb, 0, sizeof(func_cb)); - func_cb.ctx_ready = SessRemCtxSetupCb; - func_cb.on_result = SessRemSslSetupCb; + func_cb_client.ctx_ready = &test_wolfSSL_curves_mismatch_ctx_ready; + func_cb_server.ctx_ready = &test_wolfSSL_curves_mismatch_ctx_ready; - ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&func_cb, &func_cb, - NULL), TEST_SUCCESS); + func_cb_client.method = test_params[i].client_meth; + func_cb_server.method = test_params[i].server_meth; - /* Both should have been allocated */ - ExpectIntEQ(clientSessRemCountMalloc, 1); - ExpectIntEQ(serverSessRemCountMalloc, 1); + ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&func_cb_client, + &func_cb_server, NULL), -1001); + ExpectIntEQ(func_cb_client.last_err, test_params[i].client_last_err); + ExpectIntEQ(func_cb_server.last_err, test_params[i].server_last_err); - /* This should not be called yet. Session wasn't evicted from cache yet. */ - ExpectIntEQ(clientSessRemCountFree, 0); -#if (defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET)) || \ - !defined(NO_SESSION_CACHE_REF) - /* Force a cache lookup */ - ExpectNotNull(SSL_SESSION_get_ex_data(clientSess, serverSessRemIdx)); - /* Force a cache update */ - ExpectNotNull(SSL_SESSION_set_ex_data(clientSess, serverSessRemIdx - 1, 0)); - /* This should set the timeout to 0 and call the remove callback from within - * the session cache. */ - ExpectIntEQ(SSL_CTX_remove_session(clientSessCtx, clientSess), 0); - ExpectNull(SSL_SESSION_get_ex_data(clientSess, serverSessRemIdx)); - ExpectIntEQ(clientSessRemCountFree, 1); -#endif - /* Server session is in the cache so ex_data isn't free'd with the SSL - * object */ - ExpectIntEQ(serverSessRemCountFree, 0); - /* Force a cache lookup */ - ExpectNotNull(SSL_SESSION_get_ex_data(serverSess, serverSessRemIdx)); - /* Force a cache update */ - ExpectNotNull(SSL_SESSION_set_ex_data(serverSess, serverSessRemIdx - 1, 0)); - /* This should set the timeout to 0 and call the remove callback from within - * the session cache. */ - ExpectIntEQ(SSL_CTX_remove_session(serverSessCtx, serverSess), 0); - ExpectNull(SSL_SESSION_get_ex_data(serverSess, serverSessRemIdx)); - ExpectIntEQ(serverSessRemCountFree, 1); - /* Need to free the references that we kept */ - SSL_CTX_free(serverSessCtx); - SSL_SESSION_free(serverSess); -#if (defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET)) || \ - !defined(NO_SESSION_CACHE_REF) - SSL_CTX_free(clientSessCtx); - SSL_SESSION_free(clientSess); -#endif + if (!EXPECT_SUCCESS()) + break; + printf("\t%s passed\n", test_params[i].desc); + } #endif return EXPECT_RESULT(); } -static int test_wolfSSL_ticket_keys(void) +static int test_wolfSSL_set1_sigalgs_list(void) { EXPECT_DECLS; -#if defined(HAVE_SESSION_TICKET) && !defined(WOLFSSL_NO_DEF_TICKET_ENC_CB) && \ - !defined(NO_WOLFSSL_SERVER) && !defined(NO_TLS) - WOLFSSL_CTX* ctx = NULL; - byte keys[WOLFSSL_TICKET_KEYS_SZ]; +#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_RSA) && \ + !defined(NO_TLS) && \ + (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) && \ + !defined(NO_FILESYSTEM) + SSL* ssl = NULL; + SSL_CTX* ctx = NULL; - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); +#ifndef NO_WOLFSSL_SERVER + ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); +#else + ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); +#endif + ExpectTrue(SSL_CTX_use_certificate_file(ctx, svrCertFile, + SSL_FILETYPE_PEM)); + ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, SSL_FILETYPE_PEM)); + ExpectNotNull(ssl = SSL_new(ctx)); - ExpectIntEQ(wolfSSL_CTX_get_tlsext_ticket_keys(NULL, NULL, 0), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_CTX_get_tlsext_ticket_keys(ctx, NULL, 0), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_CTX_get_tlsext_ticket_keys(ctx, keys, 0), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_CTX_get_tlsext_ticket_keys(NULL, keys, 0), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_CTX_get_tlsext_ticket_keys(NULL, NULL, sizeof(keys)), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_CTX_get_tlsext_ticket_keys(ctx, NULL, sizeof(keys)), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_CTX_get_tlsext_ticket_keys(NULL, keys, sizeof(keys)), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(NULL, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_set1_sigalgs_list(NULL, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_CTX_set_tlsext_ticket_keys(NULL, NULL, 0), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_CTX_set_tlsext_ticket_keys(ctx, NULL, 0), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_CTX_set_tlsext_ticket_keys(ctx, keys, 0), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_CTX_set_tlsext_ticket_keys(NULL, keys, 0), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_CTX_set_tlsext_ticket_keys(NULL, NULL, sizeof(keys)), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_CTX_set_tlsext_ticket_keys(ctx, NULL, sizeof(keys)), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_CTX_set_tlsext_ticket_keys(NULL, keys, sizeof(keys)), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, ""), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, ""), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_CTX_get_tlsext_ticket_keys(ctx, keys, sizeof(keys)), - WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CTX_set_tlsext_ticket_keys(ctx, keys, sizeof(keys)), - WOLFSSL_SUCCESS); +#ifndef NO_RSA + #ifndef NO_SHA256 + ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(NULL, "RSA+SHA256"), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_set1_sigalgs_list(NULL, "RSA+SHA256"), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - wolfSSL_CTX_free(ctx); + ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, "RSA+SHA256"), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, "RSA+SHA256"), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, "RSA-SHA256"), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, "RSA-SHA256"), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + #ifdef WC_RSA_PSS + ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, "RSA-PSS+SHA256"), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, "RSA-PSS+SHA256"), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, "PSS+SHA256"), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, "PSS+SHA256"), + WOLFSSL_SUCCESS); + #endif + #ifdef WOLFSSL_SHA512 + ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, + "RSA+SHA256:RSA+SHA512"), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, + "RSA+SHA256:RSA+SHA512"), WOLFSSL_SUCCESS); + #elif defined(WOLFSSL_SHA384) + ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, + "RSA+SHA256:RSA+SHA384"), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, + "RSA+SHA256:RSA+SHA384"), WOLFSSL_SUCCESS); + #endif + ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, "RSA"), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, "RSA"), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, "RSA:RSA+SHA256"), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, "RSA:RSA+SHA256"), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + + ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, "RSA+SHA256+SHA256"), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, "RSA+SHA256+RSA"), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + #endif +#endif +#ifdef HAVE_ECC + #ifndef NO_SHA256 + ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, "ECDSA+SHA256"), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, "ECDSA+SHA256"), + WOLFSSL_SUCCESS); + #ifdef WOLFSSL_SHA512 + ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, + "ECDSA+SHA256:ECDSA+SHA512"), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, + "ECDSA+SHA256:ECDSA+SHA512"), WOLFSSL_SUCCESS); + #elif defined(WOLFSSL_SHA384) + ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, + "ECDSA+SHA256:ECDSA+SHA384"), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, + "ECDSA+SHA256:ECDSA+SHA384"), WOLFSSL_SUCCESS); + #endif + #endif +#endif +#ifdef HAVE_ED25519 + ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, "ED25519"), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, "ED25519"), WOLFSSL_SUCCESS); +#endif +#ifdef HAVE_ED448 + ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, "ED448"), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, "ED448"), WOLFSSL_SUCCESS); +#endif +#ifndef NO_DSA + #ifndef NO_SHA256 + ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, "DSA+SHA256"), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, "DSA+SHA256"), + WOLFSSL_SUCCESS); + #endif + #if !defined(NO_SHA) && (!defined(NO_OLD_TLS) || \ + defined(WOLFSSL_ALLOW_TLS_SHA1)) + ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, "DSA+SHA1"), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, "DSA+SHA1"), + WOLFSSL_SUCCESS); + #endif +#endif + + SSL_free(ssl); + SSL_CTX_free(ctx); #endif return EXPECT_RESULT(); } -#ifndef NO_BIO - -static int test_wolfSSL_d2i_PUBKEY(void) +/* Testing wolfSSL_set_tlsext_status_type function. + * PRE: OPENSSL and HAVE_CERTIFICATE_STATUS_REQUEST defined. + */ +static int test_wolfSSL_set_tlsext_status_type(void) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) - BIO* bio = NULL; - EVP_PKEY* pkey = NULL; +#if defined(OPENSSL_EXTRA) && defined(HAVE_CERTIFICATE_STATUS_REQUEST) && \ + !defined(NO_RSA) && !defined(NO_WOLFSSL_SERVER) + SSL* ssl = NULL; + SSL_CTX* ctx = NULL; - ExpectNotNull(bio = BIO_new(BIO_s_mem())); - ExpectNull(d2i_PUBKEY_bio(NULL, NULL)); + ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); + ExpectTrue(SSL_CTX_use_certificate_file(ctx, svrCertFile, + SSL_FILETYPE_PEM)); + ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, SSL_FILETYPE_PEM)); + ExpectNotNull(ssl = SSL_new(ctx)); + ExpectIntEQ(SSL_set_tlsext_status_type(ssl,TLSEXT_STATUSTYPE_ocsp), + SSL_SUCCESS); + ExpectIntEQ(SSL_get_tlsext_status_type(ssl), TLSEXT_STATUSTYPE_ocsp); + SSL_free(ssl); + SSL_CTX_free(ctx); +#endif /* OPENSSL_EXTRA && HAVE_CERTIFICATE_STATUS_REQUEST && !NO_RSA */ + return EXPECT_RESULT(); +} -#if defined(USE_CERT_BUFFERS_2048) && !defined(NO_RSA) - /* RSA PUBKEY test */ - ExpectIntGT(BIO_write(bio, client_keypub_der_2048, - sizeof_client_keypub_der_2048), 0); - ExpectNotNull(pkey = d2i_PUBKEY_bio(bio, NULL)); - EVP_PKEY_free(pkey); - pkey = NULL; -#endif -#if defined(USE_CERT_BUFFERS_256) && defined(HAVE_ECC) - /* ECC PUBKEY test */ - ExpectIntGT(BIO_write(bio, ecc_clikeypub_der_256, - sizeof_ecc_clikeypub_der_256), 0); - ExpectNotNull(pkey = d2i_PUBKEY_bio(bio, NULL)); - EVP_PKEY_free(pkey); - pkey = NULL; -#endif +static int test_wolfSSL_a2i_IPADDRESS(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_ALL) && !defined(WOLFSSL_USER_IO) + const unsigned char* data = NULL; + int dataSz = 0; + ASN1_OCTET_STRING *st = NULL; -#if defined(USE_CERT_BUFFERS_2048) && !defined(NO_DSA) - /* DSA PUBKEY test */ - ExpectIntGT(BIO_write(bio, dsa_pub_key_der_2048, - sizeof_dsa_pub_key_der_2048), 0); - ExpectNotNull(pkey = d2i_PUBKEY_bio(bio, NULL)); - EVP_PKEY_free(pkey); - pkey = NULL; -#endif + const unsigned char ipv4_exp[] = {0x7F, 0, 0, 1}; + const unsigned char ipv6_exp[] = { + 0x20, 0x21, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x77, 0x77 + }; + const unsigned char ipv6_home[] = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 + }; -#if defined(USE_CERT_BUFFERS_2048) && !defined(NO_DH) && \ -defined(OPENSSL_EXTRA) && defined(WOLFSSL_DH_EXTRA) -#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && \ - (HAVE_FIPS_VERSION > 2)) - /* DH PUBKEY test */ - ExpectIntGT(BIO_write(bio, dh_pub_key_der_2048, - sizeof_dh_pub_key_der_2048), 0); - ExpectNotNull(pkey = d2i_PUBKEY_bio(bio, NULL)); - EVP_PKEY_free(pkey); - pkey = NULL; -#endif /* !HAVE_FIPS || HAVE_FIPS_VERSION > 2 */ -#endif /* USE_CERT_BUFFERS_2048 && !NO_DH && && OPENSSL_EXTRA */ + ExpectNull(st = a2i_IPADDRESS("127.0.0.1bad")); + ExpectNotNull(st = a2i_IPADDRESS("127.0.0.1")); + ExpectNotNull(data = ASN1_STRING_get0_data(st)); + ExpectIntEQ(dataSz = ASN1_STRING_length(st), WOLFSSL_IP4_ADDR_LEN); + ExpectIntEQ(XMEMCMP(data, ipv4_exp, dataSz), 0); + ASN1_STRING_free(st); + st = NULL; - BIO_free(bio); + ExpectNotNull(st = a2i_IPADDRESS("::1")); + ExpectNotNull(data = ASN1_STRING_get0_data(st)); + ExpectIntEQ(dataSz = ASN1_STRING_length(st), WOLFSSL_IP6_ADDR_LEN); + ExpectIntEQ(XMEMCMP(data, ipv6_home, dataSz), 0); + ASN1_STRING_free(st); + st = NULL; - (void)pkey; + ExpectNotNull(st = a2i_IPADDRESS("2021:db8::ff00:42:7777")); + ExpectNotNull(data = ASN1_STRING_get0_data(st)); + ExpectIntEQ(dataSz = ASN1_STRING_length(st), WOLFSSL_IP6_ADDR_LEN); + ExpectIntEQ(XMEMCMP(data, ipv6_exp, dataSz), 0); + ASN1_STRING_free(st); #endif - return EXPECT_RESULT(); } -#if (defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO)) && !defined(NO_RSA) && \ - !defined(NO_TLS) -static int test_wolfSSL_d2i_PrivateKeys_bio(void) +static int test_wolfSSL_X509_ALGOR_get0(void) { EXPECT_DECLS; - BIO* bio = NULL; - EVP_PKEY* pkey = NULL; - WOLFSSL_CTX* ctx = NULL; +#if (defined(OPENSSL_ALL) || defined(WOLFSSL_APACHE_HTTPD)) && \ + !defined(NO_SHA256) && !defined(NO_RSA) + X509* x509 = NULL; + const ASN1_OBJECT* obj = NULL; + const X509_ALGOR* alg = NULL; + X509_ALGOR* alg2 = NULL; + int pptype = 0; + const void *ppval = NULL; + byte* der = NULL; + const byte* tmp = NULL; + const byte badObj[] = { 0x06, 0x00 }; -#if defined(WOLFSSL_KEY_GEN) - unsigned char buff[4096]; - unsigned char* bufPtr = buff; -#endif + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFile, + SSL_FILETYPE_PEM)); + ExpectNotNull(alg = X509_get0_tbs_sigalg(x509)); - /* test creating new EVP_PKEY with bad arg */ - ExpectNull((pkey = d2i_PrivateKey_bio(NULL, NULL))); + /* Invalid case */ + X509_ALGOR_get0(&obj, NULL, NULL, NULL); + ExpectNull(obj); - /* test loading RSA key using BIO */ -#if !defined(NO_RSA) && !defined(NO_FILESYSTEM) - { - XFILE file = XBADFILE; - const char* fname = "./certs/server-key.der"; - long lsz = 0; - size_t sz = 0; - byte* buf = NULL; + /* Valid case */ + X509_ALGOR_get0(NULL, NULL, NULL, alg); + X509_ALGOR_get0(&obj, &pptype, &ppval, alg); + ExpectNotNull(obj); + ExpectNull(ppval); + ExpectIntNE(pptype, 0); + /* Make sure NID of X509_ALGOR is Sha256 with RSA */ + ExpectIntEQ(OBJ_obj2nid(obj), NID_sha256WithRSAEncryption); - ExpectTrue((file = XFOPEN(fname, "rb")) != XBADFILE); - ExpectTrue(XFSEEK(file, 0, XSEEK_END) == 0); - ExpectTrue((lsz = XFTELL(file)) > 0); - sz = (size_t)lsz; - ExpectTrue(XFSEEK(file, 0, XSEEK_SET) == 0); - ExpectNotNull(buf = (byte*)XMALLOC(sz, HEAP_HINT, DYNAMIC_TYPE_FILE)); - ExpectIntEQ(XFREAD(buf, 1, sz, file), sz); - if (file != XBADFILE) { - XFCLOSE(file); - } + ExpectIntEQ(i2d_X509_ALGOR(NULL, NULL), WOLFSSL_FATAL_ERROR); + ExpectIntEQ(i2d_X509_ALGOR(alg, &der), 15); + ExpectNull(d2i_X509_ALGOR(NULL, NULL, 0)); + /* tmp is NULL. */ + ExpectNull(d2i_X509_ALGOR(NULL, &tmp, 0)); + tmp = badObj; + ExpectNull(d2i_X509_ALGOR(NULL, &tmp, (long)sizeof(badObj))); + tmp = der; + ExpectNull(d2i_X509_ALGOR(NULL, &tmp, 0)); + ExpectNotNull(d2i_X509_ALGOR(&alg2, &tmp, 15)); + tmp = der; + ExpectNotNull(d2i_X509_ALGOR(&alg2, &tmp, 15)); - /* Test using BIO new mem and loading DER private key */ - ExpectNotNull(bio = BIO_new_mem_buf(buf, (int)sz)); - ExpectNotNull((pkey = d2i_PrivateKey_bio(bio, NULL))); - XFREE(buf, HEAP_HINT, DYNAMIC_TYPE_FILE); - BIO_free(bio); - bio = NULL; - EVP_PKEY_free(pkey); - pkey = NULL; - } + XFREE(der, NULL, DYNAMIC_TYPE_ASN1); + X509_free(x509); + X509_ALGOR_free(NULL); + X509_ALGOR_free(alg2); + alg2 = NULL; #endif + return EXPECT_RESULT(); +} - /* test loading ECC key using BIO */ -#if defined(HAVE_ECC) && !defined(NO_FILESYSTEM) - { - XFILE file = XBADFILE; - const char* fname = "./certs/ecc-key.der"; - long lsz = 0; - size_t sz = 0; - byte* buf = NULL; - ExpectTrue((file = XFOPEN(fname, "rb")) != XBADFILE); - ExpectTrue(XFSEEK(file, 0, XSEEK_END) == 0); - ExpectTrue((lsz = XFTELL(file)) > 0); - sz = (size_t)lsz; - ExpectTrue(XFSEEK(file, 0, XSEEK_SET) == 0); - ExpectNotNull(buf = (byte*)XMALLOC(sz, HEAP_HINT, DYNAMIC_TYPE_FILE)); - ExpectIntEQ(XFREAD(buf, 1, sz, file), sz); - if (file != XBADFILE) - XFCLOSE(file); +#if defined(OPENSSL_EXTRA) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \ + !defined(WOLFSSL_HOSTNAME_VERIFY_ALT_NAME_ONLY) - /* Test using BIO new mem and loading DER private key */ - ExpectNotNull(bio = BIO_new_mem_buf(buf, (int)sz)); - ExpectNotNull((pkey = d2i_PrivateKey_bio(bio, NULL))); - XFREE(buf, HEAP_HINT, DYNAMIC_TYPE_FILE); - BIO_free(bio); - bio = NULL; - EVP_PKEY_free(pkey); - pkey = NULL; - } -#endif +static int test_wolfSSL_check_domain_verify_count = 0; - ExpectNotNull(bio = BIO_new(BIO_s_mem())); -#ifndef NO_WOLFSSL_SERVER - ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); -#else - ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); -#endif +static WC_INLINE int test_wolfSSL_check_domain_verify_cb(int preverify, + WOLFSSL_X509_STORE_CTX* store) +{ + EXPECT_DECLS; + ExpectIntEQ(X509_STORE_CTX_get_error(store), 0); + ExpectIntEQ(preverify, 1); + ExpectIntGT(++test_wolfSSL_check_domain_verify_count, 0); + return EXPECT_SUCCESS(); +} -#if defined(WOLFSSL_KEY_GEN) && !defined(NO_RSA) - { - const unsigned char seqOnly[] = { 0x30, 0x00, 0x00, 0x00, 0x00, 0x00 }; - RSA* rsa = NULL; - /* Tests bad parameters */ - ExpectNull(d2i_RSAPrivateKey_bio(NULL, NULL)); +static int test_wolfSSL_check_domain_client_cb(WOLFSSL* ssl) +{ + EXPECT_DECLS; + X509_VERIFY_PARAM *param = NULL; - /* Test using bad data. */ - ExpectIntGT(BIO_write(bio, seqOnly, sizeof(seqOnly)), 0); - ExpectNull(d2i_RSAPrivateKey_bio(bio, NULL)); + ExpectNotNull(param = SSL_get0_param(ssl)); - /* RSA not set yet, expecting to fail*/ - rsa = wolfSSL_RSA_new(); - ExpectIntEQ(SSL_CTX_use_RSAPrivateKey(ctx, rsa), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - wolfSSL_RSA_free(rsa); - rsa = NULL; + /* Domain check should only be done on the leaf cert */ + X509_VERIFY_PARAM_set_hostflags(param, + X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); + ExpectIntEQ(X509_VERIFY_PARAM_set1_host(param, + "wolfSSL Server Chain", 0), 1); + wolfSSL_set_verify(ssl, WOLFSSL_VERIFY_PEER, + test_wolfSSL_check_domain_verify_cb); + return EXPECT_RESULT(); +} -#if defined(USE_CERT_BUFFERS_2048) && defined(WOLFSSL_KEY_GEN) - /* set RSA using bio*/ - ExpectIntGT(BIO_write(bio, client_key_der_2048, - sizeof_client_key_der_2048), 0); - ExpectNotNull(d2i_RSAPrivateKey_bio(bio, &rsa)); - ExpectNotNull(rsa); +static int test_wolfSSL_check_domain_server_cb(WOLFSSL_CTX* ctx) +{ + EXPECT_DECLS; + /* Use a cert with different domains in chain */ + ExpectIntEQ(wolfSSL_CTX_use_certificate_chain_file(ctx, + "certs/intermediate/server-chain.pem"), WOLFSSL_SUCCESS); + return EXPECT_RESULT(); +} + +static int test_wolfSSL_check_domain(void) +{ + EXPECT_DECLS; + test_ssl_cbf func_cb_client; + test_ssl_cbf func_cb_server; - /* Tests bad parameters */ - ExpectIntEQ(SSL_CTX_use_RSAPrivateKey(NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(SSL_CTX_use_RSAPrivateKey(ctx, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(SSL_CTX_use_RSAPrivateKey(NULL, rsa), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + XMEMSET(&func_cb_client, 0, sizeof(func_cb_client)); + XMEMSET(&func_cb_server, 0, sizeof(func_cb_server)); - ExpectIntEQ(SSL_CTX_use_RSAPrivateKey(ctx, rsa), WOLFSSL_SUCCESS); + func_cb_client.ssl_ready = &test_wolfSSL_check_domain_client_cb; + func_cb_server.ctx_ready = &test_wolfSSL_check_domain_server_cb; - /* i2d RSAprivate key tests */ - ExpectIntEQ(wolfSSL_i2d_RSAPrivateKey(NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_i2d_RSAPrivateKey(rsa, NULL), 1192); - ExpectIntEQ(wolfSSL_i2d_RSAPrivateKey(rsa, &bufPtr), - sizeof_client_key_der_2048); - bufPtr -= sizeof_client_key_der_2048; - ExpectIntEQ(XMEMCMP(bufPtr, client_key_der_2048, - sizeof_client_key_der_2048), 0); - bufPtr = NULL; - ExpectIntEQ(wolfSSL_i2d_RSAPrivateKey(rsa, &bufPtr), - sizeof_client_key_der_2048); - ExpectNotNull(bufPtr); - ExpectIntEQ(XMEMCMP(bufPtr, client_key_der_2048, - sizeof_client_key_der_2048), 0); - XFREE(bufPtr, NULL, DYNAMIC_TYPE_OPENSSL); + ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&func_cb_client, + &func_cb_server, NULL), TEST_SUCCESS); - RSA_free(rsa); - rsa = NULL; - ExpectIntGT(BIO_write(bio, client_key_der_2048, - sizeof_client_key_der_2048), 0); - ExpectNotNull(d2i_RSA_PUBKEY_bio(bio, &rsa)); - (void)BIO_reset(bio); + /* Should have been called once for each cert in sent chain */ +#ifdef WOLFSSL_VERIFY_CB_ALL_CERTS + ExpectIntEQ(test_wolfSSL_check_domain_verify_count, 3); +#else + ExpectIntEQ(test_wolfSSL_check_domain_verify_count, 1); +#endif - RSA_free(rsa); - rsa = RSA_new(); - ExpectIntEQ(wolfSSL_i2d_RSAPrivateKey(rsa, NULL), 0); -#endif /* USE_CERT_BUFFERS_2048 WOLFSSL_KEY_GEN */ - RSA_free(rsa); - } -#endif /* WOLFSSL_KEY_GEN && !NO_RSA */ - SSL_CTX_free(ctx); - ctx = NULL; - BIO_free(bio); - bio = NULL; + return EXPECT_RESULT(); +} + +#else +static int test_wolfSSL_check_domain(void) +{ + EXPECT_DECLS; return EXPECT_RESULT(); } -#endif /* OPENSSL_ALL || (WOLFSSL_ASIO && !NO_RSA) */ -#endif /* !NO_BIO */ +#endif /* OPENSSL_EXTRA && HAVE_SSL_MEMIO_TESTS_DEPENDENCIES */ +#if defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \ + !defined(OPENSSL_COMPATIBLE_DEFAULTS) && !defined(NO_SHA256) +static const char* dn = NULL; +static int test_wolfSSL_check_domain_basic_client_ssl(WOLFSSL* ssl) +{ + EXPECT_DECLS; + ExpectIntEQ(wolfSSL_check_domain_name(ssl, dn), WOLFSSL_SUCCESS); -static int test_wolfSSL_sk_GENERAL_NAME(void) + return EXPECT_RESULT(); +} +static int test_wolfSSL_check_domain_basic(void) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \ - !defined(NO_RSA) - X509* x509 = NULL; - GENERAL_NAME* gn = NULL; - GENERAL_NAME* dup_gn = NULL; - unsigned char buf[4096]; - const unsigned char* bufPt = NULL; - int bytes = 0; - int i; - int j; - XFILE f = XBADFILE; - STACK_OF(GENERAL_NAME)* sk = NULL; + test_ssl_cbf func_cb_client; + test_ssl_cbf func_cb_server; - ExpectTrue((f = XFOPEN(cliCertDerFileExt, "rb")) != XBADFILE); - ExpectIntGT((bytes = (int)XFREAD(buf, 1, sizeof(buf), f)), 0); - if (f != XBADFILE) - XFCLOSE(f); + XMEMSET(&func_cb_client, 0, sizeof(func_cb_client)); + XMEMSET(&func_cb_server, 0, sizeof(func_cb_server)); - for (j = 0; j < 2; ++j) { - bufPt = buf; - ExpectNotNull(x509 = d2i_X509(NULL, &bufPt, bytes)); + dn = "invalid.com"; + func_cb_client.ssl_ready = &test_wolfSSL_check_domain_basic_client_ssl; - ExpectNotNull(sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509, - NID_subject_alt_name, NULL, NULL)); + /* Expect to fail */ + ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&func_cb_client, + &func_cb_server, NULL), -1001); - ExpectIntEQ(sk_GENERAL_NAME_num(sk), 1); - for (i = 0; i < sk_GENERAL_NAME_num(sk); i++) { - ExpectNotNull(gn = sk_GENERAL_NAME_value(sk, i)); + dn = "example.com"; - if (gn != NULL) { - switch (gn->type) { - case GEN_DNS: - fprintf(stderr, "found type GEN_DNS\n"); - break; - case GEN_EMAIL: - fprintf(stderr, "found type GEN_EMAIL\n"); - break; - case GEN_URI: - fprintf(stderr, "found type GEN_URI\n"); - break; - } - } + /* Expect to succeed */ + ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&func_cb_client, + &func_cb_server, NULL), TEST_SUCCESS); - ExpectNotNull(dup_gn = wolfSSL_GENERAL_NAME_dup(gn)); - wolfSSL_GENERAL_NAME_free(dup_gn); - dup_gn = NULL; - } - X509_free(x509); - x509 = NULL; - if (j == 0) { - sk_GENERAL_NAME_pop_free(sk, GENERAL_NAME_free); - } - else { - /* - * We had a bug where GENERAL_NAMES_free didn't free all the memory - * it was supposed to. This is a regression test for that bug. - */ - GENERAL_NAMES_free(sk); - } - sk = NULL; - } + return EXPECT_RESULT(); +} +#else +static int test_wolfSSL_check_domain_basic(void) +{ + EXPECT_DECLS; + return EXPECT_RESULT(); +} +#endif /* HAVE_SSL_MEMIO_TESTS_DEPENDENCIES */ - ExpectNull(wolfSSL_GENERAL_NAME_dup(NULL)); - ExpectIntEQ(wolfSSL_GENERAL_NAME_set_type(NULL, WOLFSSL_GEN_IA5), - BAD_FUNC_ARG); - wolfSSL_GENERAL_NAMES_free(NULL); +static int test_wolfSSL_BUF(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) + BUF_MEM* buf = NULL; + ExpectNotNull(buf = BUF_MEM_new()); + ExpectIntEQ(BUF_MEM_grow(buf, 10), 10); + ExpectIntEQ(BUF_MEM_grow(buf, -1), 0); + BUF_MEM_free(buf); #endif return EXPECT_RESULT(); } -static int test_wolfSSL_GENERAL_NAME_print(void) +static int test_wolfSSL_PKCS8_Compat(void) { EXPECT_DECLS; -#if defined(OPENSSL_ALL) && !defined(NO_BIO) && !defined(NO_RSA) - X509* x509 = NULL; - GENERAL_NAME* gn = NULL; - GENERAL_NAME* dup_gn = NULL; - unsigned char buf[4096]; - const unsigned char* bufPt = NULL; - int bytes = 0; +#if defined(OPENSSL_EXTRA) && !defined(NO_FILESYSTEM) && defined(HAVE_ECC) && \ + !defined(NO_BIO) + PKCS8_PRIV_KEY_INFO* pt = NULL; + PKCS8_PRIV_KEY_INFO* pt2 = NULL; + BIO* bio = NULL; XFILE f = XBADFILE; - STACK_OF(GENERAL_NAME)* sk = NULL; - BIO* out = NULL; - unsigned char outbuf[128]; + int bytes = 0; + char pkcs8_buffer[512]; +#if defined(OPENSSL_ALL) || defined(WOLFSSL_WPAS_SMALL) + EVP_PKEY *pkey = NULL; +#endif - X509_EXTENSION* ext = NULL; - AUTHORITY_INFO_ACCESS* aia = NULL; - ACCESS_DESCRIPTION* ad = NULL; - ASN1_IA5STRING *dnsname = NULL; - ASN1_OBJECT* ridObj = NULL; + /* file from wolfssl/certs/ directory */ + ExpectTrue((f = XFOPEN("./certs/ecc-keyPkcs8.pem", "rb")) != XBADFILE); + ExpectIntGT((bytes = (int)XFREAD(pkcs8_buffer, 1, sizeof(pkcs8_buffer), f)), + 0); + if (f != XBADFILE) + XFCLOSE(f); + ExpectNotNull(bio = BIO_new_mem_buf((void*)pkcs8_buffer, bytes)); + ExpectNotNull(pt = d2i_PKCS8_PRIV_KEY_INFO_bio(bio, NULL)); - const unsigned char v4Addr[] = {192,168,53,1}; - const unsigned char v6Addr[] = - {0x20, 0x21, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x77, 0x77}; - const unsigned char email[] = - {'i', 'n', 'f', 'o', '@', 'w', 'o', 'l', - 'f', 's', 's', 'l', '.', 'c', 'o', 'm'}; - const unsigned char ridData[] = { 0x06, 0x04, 0x2a, 0x03, 0x04, 0x05 }; - const unsigned char* p; - unsigned long len; +#if defined(OPENSSL_ALL) || defined(WOLFSSL_WPAS_SMALL) + ExpectNotNull(pkey = EVP_PKCS82PKEY(pt)); + ExpectIntEQ(EVP_PKEY_type(pkey->type), EVP_PKEY_EC); - const char* dnsStr = "DNS:example.com"; - const char* uriStr = "URI:http://127.0.0.1:22220"; - const char* v4addStr = "IP Address:192.168.53.1"; - const char* v6addStr = "IP Address:2021:DB8:0:0:0:FF00:42:7777"; - const char* emailStr = "email:info@wolfssl.com"; - const char* othrStr = "othername:"; - const char* x400Str = "X400Name:"; - const char* ediStr = "EdiPartyName:"; - const char* dirNameStr = "DirName:"; - const char* ridStr = "Registered ID:1.2.3.4.5"; + /* gets PKCS8 pointer to pkey */ + ExpectNotNull(pt2 = EVP_PKEY2PKCS8(pkey)); - /* BIO to output */ - ExpectNotNull(out = BIO_new(BIO_s_mem())); + EVP_PKEY_free(pkey); +#endif - /* test for NULL param */ - gn = NULL; + BIO_free(bio); + PKCS8_PRIV_KEY_INFO_free(pt); + PKCS8_PRIV_KEY_INFO_free(pt2); +#endif + return EXPECT_RESULT(); +} - ExpectIntEQ(GENERAL_NAME_print(NULL, NULL), 0); - ExpectIntEQ(GENERAL_NAME_print(NULL, gn), 0); - ExpectIntEQ(GENERAL_NAME_print(out, NULL), 0); +#if defined(OPENSSL_EXTRA) && !defined(NO_FILESYSTEM) && !defined(NO_BIO) +static int NoPasswordCallBack(char* passwd, int sz, int rw, void* userdata) +{ + (void)passwd; + (void)sz; + (void)rw; + (void)userdata; + return -1; +} +#endif - /* test for GEN_DNS */ - ExpectTrue((f = XFOPEN(cliCertDerFileExt, "rb")) != XBADFILE); - ExpectIntGT((bytes = (int)XFREAD(buf, 1, sizeof(buf), f)), 0); - if (f != XBADFILE) { - XFCLOSE(f); - f = XBADFILE; - } +static int test_wolfSSL_PKCS8_d2i(void) +{ + EXPECT_DECLS; +#if !defined(HAVE_FIPS) && defined(OPENSSL_EXTRA) + /* This test ends up using HMAC as a part of PBKDF2, and HMAC + * requires a 12 byte password in FIPS mode. This test ends up + * trying to use an 8 byte password. */ - bufPt = buf; - ExpectNotNull(x509 = d2i_X509(NULL, &bufPt, bytes)); - ExpectNotNull(sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509, - NID_subject_alt_name, NULL, NULL)); +#ifndef NO_FILESYSTEM + unsigned char pkcs8_buffer[2048]; + const unsigned char* p = NULL; + int bytes = 0; + XFILE file = XBADFILE; + WOLFSSL_EVP_PKEY* pkey = NULL; +#ifndef NO_BIO + BIO* bio = NULL; + #if defined(OPENSSL_ALL) && \ + ((!defined(NO_RSA) && !defined(NO_DES3)) || \ + defined(HAVE_ECC)) && \ + !defined(NO_BIO) && !defined(NO_PWDBASED) && defined(HAVE_PKCS8) + WOLFSSL_EVP_PKEY* evpPkey = NULL; + #endif +#endif +#ifndef NO_RSA + const char rsaDerPkcs8File[] = "./certs/server-keyPkcs8.der"; + const char rsaPemPkcs8File[] = "./certs/server-keyPkcs8.pem"; + #ifndef NO_DES3 + const char rsaDerPkcs8EncFile[] = "./certs/server-keyPkcs8Enc.der"; + #endif +#endif /* NO_RSA */ +#ifdef HAVE_ECC + const char ecDerPkcs8File[] = "certs/ecc-keyPkcs8.der"; + const char ecPemPkcs8File[] = "certs/ecc-keyPkcs8.pem"; + #ifndef NO_DES3 + const char ecDerPkcs8EncFile[] = "certs/ecc-keyPkcs8Enc.der"; + #endif +#endif /* HAVE_ECC */ +#endif /* !NO_FILESYSTEM */ - ExpectNotNull(gn = sk_GENERAL_NAME_value(sk, 0)); - ExpectIntEQ(GENERAL_NAME_print(out, gn), 1); +#if defined(OPENSSL_ALL) && (!defined(NO_RSA) || defined(HAVE_ECC)) +#ifndef NO_RSA + #ifdef USE_CERT_BUFFERS_1024 + const unsigned char* rsa = (unsigned char*)server_key_der_1024; + int rsaSz = sizeof_server_key_der_1024; + #else + const unsigned char* rsa = (unsigned char*)server_key_der_2048; + int rsaSz = sizeof_server_key_der_2048; + #endif +#endif +#ifdef HAVE_ECC + const unsigned char* ec = (unsigned char*)ecc_key_der_256; + int ecSz = sizeof_ecc_key_der_256; +#endif +#endif /* OPENSSL_ALL && (!NO_RSA || HAVE_ECC) */ - XMEMSET(outbuf, 0, sizeof(outbuf)); - ExpectIntGT(BIO_read(out, outbuf, sizeof(outbuf)), 0); - ExpectIntEQ(XSTRNCMP((const char*)outbuf, dnsStr, XSTRLEN(dnsStr)), 0); - sk_GENERAL_NAME_pop_free(sk, GENERAL_NAME_free); - gn = NULL; - sk = NULL; - X509_free(x509); - x509 = NULL; +#ifndef NO_FILESYSTEM + (void)pkcs8_buffer; + (void)p; + (void)bytes; + (void)file; +#ifndef NO_BIO + (void)bio; +#endif +#endif - /* Lets test for setting as well. */ - ExpectNotNull(gn = GENERAL_NAME_new()); - ExpectNotNull(dnsname = ASN1_IA5STRING_new()); - ExpectIntEQ(ASN1_STRING_set(dnsname, "example.com", -1), 1); - GENERAL_NAME_set0_value(gn, GEN_DNS, dnsname); - dnsname = NULL; - ExpectIntEQ(GENERAL_NAME_print(out, gn), 1); - XMEMSET(outbuf, 0, sizeof(outbuf)); - ExpectIntGT(BIO_read(out, outbuf, sizeof(outbuf)), 0); - ExpectIntEQ(XSTRNCMP((const char*)outbuf, dnsStr, XSTRLEN(dnsStr)), 0); - ExpectNotNull(dup_gn = GENERAL_NAME_dup(gn)); - wolfSSL_GENERAL_NAME_set0_value(NULL, WOLFSSL_GEN_IA5, NULL); - wolfSSL_GENERAL_NAME_set0_value(dup_gn, WOLFSSL_GEN_IA5, NULL); - wolfSSL_GENERAL_NAME_set0_value(NULL, WOLFSSL_GEN_DNS, NULL); - wolfSSL_GENERAL_NAME_set0_value(NULL, WOLFSSL_GEN_IA5, outbuf); - wolfSSL_GENERAL_NAME_set0_value(dup_gn, WOLFSSL_GEN_DNS, NULL); - wolfSSL_GENERAL_NAME_set0_value(dup_gn, WOLFSSL_GEN_IA5, outbuf); - wolfSSL_GENERAL_NAME_set0_value(NULL, WOLFSSL_GEN_DNS, outbuf); - GENERAL_NAME_free(dup_gn); - dup_gn = NULL; - GENERAL_NAME_free(gn); +#ifdef OPENSSL_ALL +#ifndef NO_RSA + /* Try to auto-detect normal RSA private key */ + ExpectNotNull(pkey = d2i_AutoPrivateKey(NULL, &rsa, rsaSz)); + EVP_PKEY_free(pkey); + pkey = NULL; +#endif +#ifdef HAVE_ECC + /* Try to auto-detect normal EC private key */ + ExpectNotNull(pkey = d2i_AutoPrivateKey(NULL, &ec, ecSz)); + EVP_PKEY_free(pkey); + pkey = NULL; +#endif +#endif /* OPENSSL_ALL */ - /* test for GEN_URI */ +#ifndef NO_FILESYSTEM +#if defined(OPENSSL_ALL) && !defined(NO_PWDBASED) && defined(HAVE_PKCS8) + ExpectIntEQ(PEM_write_PKCS8PrivateKey(XBADFILE, pkey, NULL, NULL, 0, NULL, + NULL), 0); + ExpectIntEQ(PEM_write_PKCS8PrivateKey(stderr, NULL, NULL, NULL, 0, NULL, + NULL), 0); +#endif - ExpectTrue((f = XFOPEN("./certs/ocsp/root-ca-cert.pem", "rb")) != XBADFILE); - ExpectNotNull(x509 = wolfSSL_PEM_read_X509(f, NULL, NULL, NULL)); - if (f != XBADFILE) { - XFCLOSE(f); - f = XBADFILE; +#ifndef NO_RSA + /* Get DER encoded RSA PKCS#8 data. */ + ExpectTrue((file = XFOPEN(rsaDerPkcs8File, "rb")) != XBADFILE); + ExpectNotNull(XMEMSET(pkcs8_buffer, 0, sizeof(pkcs8_buffer))); + ExpectIntGT((bytes = (int)XFREAD(pkcs8_buffer, 1, sizeof(pkcs8_buffer), + file)), 0); + if (file != XBADFILE) { + XFCLOSE(file); + file = XBADFILE; } - ExpectNotNull(ext = wolfSSL_X509_get_ext(x509, 4)); - ExpectNotNull(aia = (WOLFSSL_AUTHORITY_INFO_ACCESS*)wolfSSL_X509V3_EXT_d2i( - ext)); - ExpectNotNull(ad = (WOLFSSL_ACCESS_DESCRIPTION *)wolfSSL_sk_value(aia, 0)); + p = pkcs8_buffer; +#ifdef OPENSSL_ALL + /* Try to decode - auto-detect key type. */ + ExpectNotNull(pkey = d2i_AutoPrivateKey(NULL, &p, bytes)); +#else + ExpectNotNull(pkey = d2i_PrivateKey(EVP_PKEY_RSA, NULL, &p, bytes)); +#endif - if (ad != NULL) { - gn = ad->location; + /* Get PEM encoded RSA PKCS#8 data. */ + ExpectTrue((file = XFOPEN(rsaPemPkcs8File, "rb")) != XBADFILE); + ExpectIntGT((bytes = (int)XFREAD(pkcs8_buffer, 1, sizeof(pkcs8_buffer), + file)), 0); + if (file != XBADFILE) { + XFCLOSE(file); + file = XBADFILE; } - ExpectNotNull(dup_gn = GENERAL_NAME_dup(gn)); - GENERAL_NAME_free(dup_gn); - dup_gn = NULL; - ExpectIntEQ(GENERAL_NAME_print(out, gn), 1); - gn = NULL; +#if defined(OPENSSL_ALL) && \ + !defined(NO_BIO) && !defined(NO_PWDBASED) && defined(HAVE_PKCS8) + ExpectNotNull(bio = BIO_new(BIO_s_mem())); + ExpectIntEQ(PEM_write_bio_PKCS8PrivateKey(NULL, pkey, NULL, NULL, 0, NULL, + NULL), 0); + ExpectIntEQ(PEM_write_bio_PKCS8PrivateKey(bio, NULL, NULL, NULL, 0, NULL, + NULL), 0); + /* Write PKCS#8 PEM to BIO. */ + ExpectIntEQ(PEM_write_bio_PKCS8PrivateKey(bio, pkey, NULL, NULL, 0, NULL, + NULL), bytes); + /* Write PKCS#8 PEM to stderr. */ + ExpectIntEQ(PEM_write_PKCS8PrivateKey(stderr, pkey, NULL, NULL, 0, NULL, + NULL), bytes); + /* Compare file and written data */ + ExpectIntEQ(BIO_get_mem_data(bio, &p), bytes); + ExpectIntEQ(XMEMCMP(p, pkcs8_buffer, bytes), 0); + BIO_free(bio); + bio = NULL; +#if !defined(NO_AES) && defined(HAVE_AESGCM) + ExpectIntEQ(PEM_write_PKCS8PrivateKey(stderr, pkey, EVP_aes_128_gcm(), + NULL, 0, PasswordCallBack, (void*)"yassl123"), 0); +#endif +#if !defined(NO_DES3) && !defined(NO_SHA) + ExpectNotNull(bio = BIO_new(BIO_s_mem())); + /* Write Encrypted PKCS#8 PEM to BIO. */ + bytes = 1834; + ExpectIntEQ(PEM_write_bio_PKCS8PrivateKey(bio, pkey, EVP_des_ede3_cbc(), + NULL, 0, PasswordCallBack, (void*)"yassl123"), bytes); + ExpectIntEQ(PEM_write_PKCS8PrivateKey(stderr, pkey, EVP_des_ede3_cbc(), + NULL, 0, PasswordCallBack, (void*)"yassl123"), bytes); + ExpectNotNull(evpPkey = PEM_read_bio_PrivateKey(bio, NULL, PasswordCallBack, + (void*)"yassl123")); + EVP_PKEY_free(evpPkey); + evpPkey = NULL; + BIO_free(bio); + bio = NULL; +#endif /* !NO_DES3 && !NO_SHA */ +#endif /* !NO_BIO && !NO_PWDBASED && HAVE_PKCS8 */ + EVP_PKEY_free(pkey); + pkey = NULL; - XMEMSET(outbuf,0,sizeof(outbuf)); - ExpectIntGT(BIO_read(out, outbuf, sizeof(outbuf)), 0); - ExpectIntEQ(XSTRNCMP((const char*)outbuf, uriStr, XSTRLEN(uriStr)), 0); + /* PKCS#8 encrypted RSA key */ +#ifndef NO_DES3 + ExpectTrue((file = XFOPEN(rsaDerPkcs8EncFile, "rb")) != XBADFILE); + ExpectNotNull(XMEMSET(pkcs8_buffer, 0, sizeof(pkcs8_buffer))); + ExpectIntGT((bytes = (int)XFREAD(pkcs8_buffer, 1, sizeof(pkcs8_buffer), + file)), 0); + if (file != XBADFILE) { + XFCLOSE(file); + file = XBADFILE; + } +#if defined(OPENSSL_ALL) && \ + !defined(NO_BIO) && !defined(NO_PWDBASED) && defined(HAVE_PKCS8) + ExpectNotNull(bio = BIO_new_mem_buf((void*)pkcs8_buffer, bytes)); + ExpectNotNull(pkey = d2i_PKCS8PrivateKey_bio(bio, NULL, PasswordCallBack, + (void*)"yassl123")); + EVP_PKEY_free(pkey); + pkey = NULL; + BIO_free(bio); + bio = NULL; +#endif /* OPENSSL_ALL && !NO_BIO && !NO_PWDBASED && HAVE_PKCS8 */ +#endif /* !NO_DES3 */ +#endif /* NO_RSA */ - wolfSSL_sk_ACCESS_DESCRIPTION_pop_free(aia, NULL); - aia = NULL; - aia = (AUTHORITY_INFO_ACCESS*)wolfSSL_X509V3_EXT_d2i(ext); - ExpectNotNull(aia); - AUTHORITY_INFO_ACCESS_pop_free(aia, NULL); - aia = NULL; - X509_free(x509); - x509 = NULL; +#ifdef HAVE_ECC + /* PKCS#8 encode EC key */ + ExpectTrue((file = XFOPEN(ecDerPkcs8File, "rb")) != XBADFILE); + ExpectNotNull(XMEMSET(pkcs8_buffer, 0, sizeof(pkcs8_buffer))); + ExpectIntGT((bytes = (int)XFREAD(pkcs8_buffer, 1, sizeof(pkcs8_buffer), + file)), 0); + if (file != XBADFILE) { + XFCLOSE(file); + file = XBADFILE; + } - /* test for GEN_IPADD */ + p = pkcs8_buffer; +#ifdef OPENSSL_ALL + /* Try to decode - auto-detect key type. */ + ExpectNotNull(pkey = d2i_AutoPrivateKey(NULL, &p, bytes)); +#else + ExpectNotNull(pkey = d2i_PrivateKey(EVP_PKEY_EC, NULL, &p, bytes)); +#endif - /* ip v4 address */ - ExpectNotNull(gn = wolfSSL_GENERAL_NAME_new()); - if (gn != NULL) { - gn->type = GEN_IPADD; - if (gn->d.iPAddress != NULL) { - gn->d.iPAddress->length = sizeof(v4Addr); - } + /* Get PEM encoded RSA PKCS#8 data. */ + ExpectTrue((file = XFOPEN(ecPemPkcs8File, "rb")) != XBADFILE); + ExpectNotNull(XMEMSET(pkcs8_buffer, 0, sizeof(pkcs8_buffer))); + ExpectIntGT((bytes = (int)XFREAD(pkcs8_buffer, 1, sizeof(pkcs8_buffer), + file)), 0); + if (file != XBADFILE) { + XFCLOSE(file); + file = XBADFILE; } - ExpectIntEQ(wolfSSL_ASN1_STRING_set(gn->d.iPAddress, v4Addr, - sizeof(v4Addr)), 1); +#if defined(OPENSSL_ALL) && \ + !defined(NO_BIO) && !defined(NO_PWDBASED) && defined(HAVE_PKCS8) && \ + defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_256) + ExpectNotNull(bio = BIO_new(BIO_s_mem())); + /* Write PKCS#8 PEM to BIO. */ + ExpectIntEQ(PEM_write_bio_PKCS8PrivateKey(bio, pkey, NULL, NULL, 0, NULL, + NULL), bytes); + ExpectIntEQ(PEM_write_PKCS8PrivateKey(stderr, pkey, NULL, NULL, 0, NULL, + NULL), bytes); + /* Compare file and written data */ + ExpectIntEQ(BIO_get_mem_data(bio, &p), bytes); + ExpectIntEQ(XMEMCMP(p, pkcs8_buffer, bytes), 0); + BIO_free(bio); + bio = NULL; + ExpectNotNull(bio = BIO_new(BIO_s_mem())); + /* Write Encrypted PKCS#8 PEM to BIO (test write 0 then 379) */ + bytes = 379; + ExpectIntEQ(PEM_write_bio_PKCS8PrivateKey(bio, pkey, EVP_aes_256_cbc(), + NULL, 0, NoPasswordCallBack, (void*)"yassl123"), 0); + ExpectIntEQ(PEM_write_bio_PKCS8PrivateKey(bio, pkey, EVP_aes_256_cbc(), + NULL, 0, PasswordCallBack, (void*)"yassl123"), bytes); - ExpectIntEQ(GENERAL_NAME_print(out, gn), 1); - XMEMSET(outbuf,0,sizeof(outbuf)); - ExpectIntGT(BIO_read(out, outbuf, sizeof(outbuf)), 0); - ExpectIntEQ(XSTRNCMP((const char*)outbuf, v4addStr, XSTRLEN(v4addStr)), 0); + /* invalid cases to stderr */ + #ifdef WOLFSSL_AES_128 + ExpectIntEQ(PEM_write_PKCS8PrivateKey(stderr, pkey, EVP_aes_128_cbc(), + NULL, 0, PasswordCallBack, (void*)"yassl123"), bytes); + ExpectIntEQ(PEM_write_PKCS8PrivateKey(stderr, pkey, EVP_aes_128_cbc(), + (char*)"yassl123", 8, PasswordCallBack, NULL), bytes); + #endif + ExpectIntEQ(PEM_write_PKCS8PrivateKey(stderr, pkey, EVP_aes_256_cbc(), + NULL, 0, PasswordCallBack, (void*)"yassl123"), bytes); + ExpectIntEQ(PEM_write_PKCS8PrivateKey(stderr, pkey, EVP_aes_256_cbc(), + (char*)"yassl123", 8, PasswordCallBack, NULL), bytes); - ExpectNotNull(dup_gn = GENERAL_NAME_dup(gn)); - GENERAL_NAME_free(dup_gn); - dup_gn = NULL; + /* read/decode private key with password */ + ExpectNotNull(evpPkey = PEM_read_bio_PrivateKey(bio, NULL, PasswordCallBack, + (void*)"yassl123")); + EVP_PKEY_free(evpPkey); + evpPkey = NULL; + BIO_free(bio); + bio = NULL; - GENERAL_NAME_free(gn); - gn = NULL; + /* https://github.com/wolfSSL/wolfssl/issues/8610 */ + bytes = (int)XSTRLEN((char *)pkcs8_buffer); + ExpectNotNull(bio = BIO_new_mem_buf((void*)pkcs8_buffer, bytes)); + ExpectIntEQ(BIO_get_mem_data(bio, &p), bytes); + ExpectIntEQ(XMEMCMP(p, pkcs8_buffer, bytes), 0); - /* ip v6 address */ + ExpectNotNull(evpPkey = PEM_read_bio_PrivateKey(bio, NULL, NULL, + (void*)"yassl123")); + ExpectIntEQ(PEM_write_PKCS8PrivateKey(stderr, evpPkey, NULL, + NULL, 0, NULL, NULL), bytes); + EVP_PKEY_free(evpPkey); + evpPkey = NULL; + BIO_free(bio); + bio = NULL; +#endif /* OPENSSL_ALL && !NO_BIO && !NO_PWDBASED && HAVE_PKCS8 && HAVE_AES_CBC */ + EVP_PKEY_free(pkey); + pkey = NULL; - ExpectNotNull(gn = wolfSSL_GENERAL_NAME_new()); - if (gn != NULL) { - gn->type = GEN_IPADD; - if (gn->d.iPAddress != NULL) { - gn->d.iPAddress->length = sizeof(v6Addr); - } + /* PKCS#8 encrypted EC key */ +#ifndef NO_DES3 + ExpectTrue((file = XFOPEN(ecDerPkcs8EncFile, "rb")) != XBADFILE); + ExpectNotNull(XMEMSET(pkcs8_buffer, 0, sizeof(pkcs8_buffer))); + ExpectIntGT((bytes = (int)XFREAD(pkcs8_buffer, 1, sizeof(pkcs8_buffer), + file)), 0); + if (file != XBADFILE) { + XFCLOSE(file); + file = XBADFILE; } - ExpectIntEQ(wolfSSL_ASN1_STRING_set(gn->d.iPAddress, v6Addr, - sizeof(v6Addr)), 1); +#if defined(OPENSSL_ALL) && \ + !defined(NO_BIO) && !defined(NO_PWDBASED) && defined(HAVE_PKCS8) + ExpectNotNull(bio = BIO_new_mem_buf((void*)pkcs8_buffer, bytes)); + ExpectNotNull(pkey = d2i_PKCS8PrivateKey_bio(bio, NULL, PasswordCallBack, + (void*)"yassl123")); + EVP_PKEY_free(pkey); + pkey = NULL; + BIO_free(bio); + bio = NULL; +#endif /* OPENSSL_ALL && !NO_BIO && !NO_PWDBASED && HAVE_PKCS8 */ +#endif /* !NO_DES3 */ +#endif /* HAVE_ECC */ - ExpectIntEQ(GENERAL_NAME_print(out, gn), 1); - XMEMSET(outbuf,0,sizeof(outbuf)); - ExpectIntGT(BIO_read(out, outbuf, sizeof(outbuf)), 0); - ExpectIntEQ(XSTRNCMP((const char*)outbuf, v6addStr, XSTRLEN(v6addStr)), 0); +#endif /* !NO_FILESYSTEM */ +#endif /* HAVE_FIPS && OPENSSL_EXTRA */ + return EXPECT_RESULT(); +} - ExpectNotNull(dup_gn = GENERAL_NAME_dup(gn)); - GENERAL_NAME_free(dup_gn); - dup_gn = NULL; +#if !defined(SINGLE_THREADED) && defined(ERROR_QUEUE_PER_THREAD) && \ + !defined(NO_ERROR_QUEUE) && defined(OPENSSL_EXTRA) && \ + defined(DEBUG_WOLFSSL) +#define LOGGING_THREADS 5 +#define ERROR_COUNT 10 +/* copied from logging.c since this is not exposed otherwise */ +#ifndef ERROR_QUEUE_MAX +#ifdef ERROR_QUEUE_PER_THREAD + #define ERROR_QUEUE_MAX 16 +#else + /* this breaks from compat of unlimited error queue size */ + #define ERROR_QUEUE_MAX 100 +#endif +#endif - GENERAL_NAME_free(gn); - gn = NULL; +static volatile int loggingThreadsReady; +static THREAD_RETURN WOLFSSL_THREAD test_logging(void* args) +{ + const char* file; + int line; + unsigned long err; + int errorCount = 0; + int i; - /* test for GEN_EMAIL */ + (void)args; - ExpectNotNull(gn = wolfSSL_GENERAL_NAME_new()); - if (gn != NULL) { - gn->type = GEN_EMAIL; - if (gn->d.rfc822Name != NULL) { - gn->d.rfc822Name->length = sizeof(email); - } + while (!loggingThreadsReady); + for (i = 0; i < ERROR_COUNT; i++) + ERR_put_error(ERR_LIB_PEM, SYS_F_ACCEPT, -990 - i, __FILE__, __LINE__); + + while ((err = ERR_get_error_line(&file, &line))) { + AssertIntEQ(err, 990 + errorCount); + errorCount++; } - ExpectIntEQ(wolfSSL_ASN1_STRING_set(gn->d.rfc822Name, email, sizeof(email)), - 1); + AssertIntEQ(errorCount, ERROR_COUNT); - ExpectIntEQ(GENERAL_NAME_print(out, gn), 1); - XMEMSET(outbuf,0,sizeof(outbuf)); - ExpectIntGT(BIO_read(out, outbuf, sizeof(outbuf)), 0); - ExpectIntEQ(XSTRNCMP((const char*)outbuf, emailStr, XSTRLEN(emailStr)), 0); + /* test max queue behavior, trying to add an arbitrary 3 errors over */ + ERR_clear_error(); /* ERR_get_error_line() does not remove */ + errorCount = 0; + for (i = 0; i < ERROR_QUEUE_MAX + 3; i++) + ERR_put_error(ERR_LIB_PEM, SYS_F_ACCEPT, -990 - i, __FILE__, __LINE__); - ExpectNotNull(dup_gn = GENERAL_NAME_dup(gn)); - GENERAL_NAME_free(dup_gn); - dup_gn = NULL; + while ((err = ERR_get_error_line(&file, &line))) { + AssertIntEQ(err, 990 + errorCount); + errorCount++; + } - GENERAL_NAME_free(gn); - gn = NULL; + /* test that the 3 errors over the max were dropped */ + AssertIntEQ(errorCount, ERROR_QUEUE_MAX); - /* test for GEN_OTHERNAME */ + WOLFSSL_RETURN_FROM_THREAD(0); +} +#endif - ExpectNotNull(gn = wolfSSL_GENERAL_NAME_new()); - if (gn != NULL) { - gn->type = GEN_OTHERNAME; - } +static int test_error_queue_per_thread(void) +{ + int res = TEST_SKIPPED; +#if !defined(SINGLE_THREADED) && defined(ERROR_QUEUE_PER_THREAD) && \ + !defined(NO_ERROR_QUEUE) && defined(OPENSSL_EXTRA) && \ + defined(DEBUG_WOLFSSL) + THREAD_TYPE loggingThreads[LOGGING_THREADS]; + int i; - ExpectIntEQ(GENERAL_NAME_print(out, gn), 1); - XMEMSET(outbuf,0,sizeof(outbuf)); - ExpectIntGT(BIO_read(out, outbuf, sizeof(outbuf)), 0); - ExpectIntEQ(XSTRNCMP((const char*)outbuf, othrStr, XSTRLEN(othrStr)), 0); + ERR_clear_error(); /* clear out any error nodes */ - GENERAL_NAME_free(gn); - gn = NULL; + loggingThreadsReady = 0; + for (i = 0; i < LOGGING_THREADS; i++) + start_thread(test_logging, NULL, &loggingThreads[i]); + loggingThreadsReady = 1; + for (i = 0; i < LOGGING_THREADS; i++) + join_thread(loggingThreads[i]); - /* test for GEN_X400 */ + res = TEST_SUCCESS; +#endif + return res; +} - ExpectNotNull(gn = wolfSSL_GENERAL_NAME_new()); - if (gn != NULL) { - gn->type = GEN_X400; - } +static int test_wolfSSL_ERR_put_error(void) +{ + EXPECT_DECLS; +#if !defined(NO_ERROR_QUEUE) && defined(OPENSSL_EXTRA) && \ + defined(DEBUG_WOLFSSL) + const char* file; + int line; - ExpectIntEQ(GENERAL_NAME_print(out, gn), 1); - XMEMSET(outbuf,0,sizeof(outbuf)); - ExpectIntGT(BIO_read(out, outbuf, sizeof(outbuf)), 0); - ExpectIntEQ(XSTRNCMP((const char*)outbuf, x400Str, XSTRLEN(x400Str)), 0); + ERR_clear_error(); /* clear out any error nodes */ + ERR_put_error(0,SYS_F_ACCEPT, 0, "this file", 0); + ExpectIntEQ(ERR_get_error_line(&file, &line), 0); + ERR_put_error(0,SYS_F_BIND, 1, "this file", 1); + ExpectIntEQ(ERR_get_error_line(&file, &line), 1); + ERR_put_error(0,SYS_F_CONNECT, 2, "this file", 2); + ExpectIntEQ(ERR_get_error_line(&file, &line), 2); + ERR_put_error(0,SYS_F_FOPEN, 3, "this file", 3); + ExpectIntEQ(ERR_get_error_line(&file, &line), 3); + ERR_put_error(0,SYS_F_FREAD, 4, "this file", 4); + ExpectIntEQ(ERR_get_error_line(&file, &line), 4); + ERR_put_error(0,SYS_F_GETADDRINFO, 5, "this file", 5); + ExpectIntEQ(ERR_get_error_line(&file, &line), 5); + ERR_put_error(0,SYS_F_GETSOCKOPT, 6, "this file", 6); + ExpectIntEQ(ERR_get_error_line(&file, &line), 6); + ERR_put_error(0,SYS_F_GETSOCKNAME, 7, "this file", 7); + ExpectIntEQ(ERR_get_error_line(&file, &line), 7); + ERR_put_error(0,SYS_F_GETHOSTBYNAME, 8, "this file", 8); + ExpectIntEQ(ERR_get_error_line(&file, &line), 8); + ERR_put_error(0,SYS_F_GETNAMEINFO, 9, "this file", 9); + ExpectIntEQ(ERR_get_error_line(&file, &line), 9); + ERR_put_error(0,SYS_F_GETSERVBYNAME, 10, "this file", 10); + ExpectIntEQ(ERR_get_error_line(&file, &line), 10); + ERR_put_error(0,SYS_F_IOCTLSOCKET, 11, "this file", 11); + ExpectIntEQ(ERR_get_error_line(&file, &line), 11); + ERR_put_error(0,SYS_F_LISTEN, 12, "this file", 12); + ExpectIntEQ(ERR_get_error_line(&file, &line), 12); + ERR_put_error(0,SYS_F_OPENDIR, 13, "this file", 13); + ExpectIntEQ(ERR_get_error_line(&file, &line), 13); + ERR_put_error(0,SYS_F_SETSOCKOPT, 14, "this file", 14); + ExpectIntEQ(ERR_get_error_line(&file, &line), 14); + ERR_put_error(0,SYS_F_SOCKET, 15, "this file", 15); + ExpectIntEQ(ERR_get_error_line(&file, &line), 15); - /* Restore to GEN_IA5 (default) to avoid memory leak. */ - if (gn != NULL) { - gn->type = GEN_IA5; - } +#if defined(OPENSSL_ALL) && defined(WOLFSSL_PYTHON) + ERR_put_error(ERR_LIB_ASN1, SYS_F_ACCEPT, ASN1_R_HEADER_TOO_LONG, + "this file", 100); + ExpectIntEQ(wolfSSL_ERR_peek_last_error_line(&file, &line), + (ERR_LIB_ASN1 << 24) | ASN1_R_HEADER_TOO_LONG); + ExpectIntEQ(line, 100); + ExpectIntEQ(wolfSSL_ERR_peek_error(), + (ERR_LIB_ASN1 << 24) | ASN1_R_HEADER_TOO_LONG); + ExpectIntEQ(ERR_get_error_line(&file, &line), ASN1_R_HEADER_TOO_LONG); +#endif - /* Duplicating GEN_X400 not supported. */ - ExpectNull(GENERAL_NAME_dup(gn)); + /* try reading past end of error queue */ + file = NULL; + ExpectIntEQ(ERR_get_error_line(&file, &line), 0); + ExpectNull(file); + ExpectIntEQ(ERR_get_error_line_data(&file, &line, NULL, NULL), 0); - GENERAL_NAME_free(gn); - gn = NULL; + PEMerr(4,4); + ExpectIntEQ(ERR_get_error(), 4); + /* Empty and free up all error nodes */ + ERR_clear_error(); - /* test for GEN_EDIPARTY */ + /* Verify all nodes are cleared */ + ERR_put_error(0,SYS_F_ACCEPT, 0, "this file", 0); + ERR_clear_error(); + ExpectIntEQ(ERR_get_error_line(&file, &line), 0); +#endif + return EXPECT_RESULT(); +} - ExpectNotNull(gn = wolfSSL_GENERAL_NAME_new()); - if (gn != NULL) { - gn->type = GEN_EDIPARTY; - } +/* + * This is a regression test for a bug where the peek/get error functions were + * drawing from the end of the queue rather than the front. + */ +static int test_wolfSSL_ERR_get_error_order(void) +{ + EXPECT_DECLS; +#if defined(WOLFSSL_HAVE_ERROR_QUEUE) && defined(OPENSSL_EXTRA) + /* Empty the queue. */ + wolfSSL_ERR_clear_error(); - ExpectIntEQ(GENERAL_NAME_print(out, gn), 1); - XMEMSET(outbuf,0,sizeof(outbuf)); - ExpectIntGT(BIO_read(out, outbuf, sizeof(outbuf)), 0); - ExpectIntEQ(XSTRNCMP((const char*)outbuf, ediStr, XSTRLEN(ediStr)), 0); + wolfSSL_ERR_put_error(0, 0, WC_NO_ERR_TRACE(ASN_NO_SIGNER_E), "test", 0); + wolfSSL_ERR_put_error(0, 0, WC_NO_ERR_TRACE(ASN_SELF_SIGNED_E), "test", 0); - /* Restore to GEN_IA5 (default) to avoid memory leak. */ - if (gn != NULL) { - gn->type = GEN_IA5; - } + ExpectIntEQ(wolfSSL_ERR_peek_error(), -WC_NO_ERR_TRACE(ASN_NO_SIGNER_E)); + ExpectIntEQ(wolfSSL_ERR_get_error(), -WC_NO_ERR_TRACE(ASN_NO_SIGNER_E)); + ExpectIntEQ(wolfSSL_ERR_peek_error(), -WC_NO_ERR_TRACE(ASN_SELF_SIGNED_E)); + ExpectIntEQ(wolfSSL_ERR_get_error(), -WC_NO_ERR_TRACE(ASN_SELF_SIGNED_E)); +#endif /* WOLFSSL_HAVE_ERROR_QUEUE && OPENSSL_EXTRA */ + return EXPECT_RESULT(); +} - /* Duplicating GEN_EDIPARTY not supported. */ - ExpectNull(dup_gn = GENERAL_NAME_dup(gn)); +#ifndef NO_BIO - GENERAL_NAME_free(gn); - gn = NULL; +static int test_wolfSSL_ERR_print_errors(void) +{ + EXPECT_DECLS; +#if !defined(NO_ERROR_QUEUE) && defined(OPENSSL_EXTRA) && \ + defined(DEBUG_WOLFSSL) && !defined(NO_ERROR_STRINGS) + BIO* bio = NULL; + char buf[1024]; - /* test for GEN_DIRNAME */ - ExpectNotNull(gn = wolfSSL_GENERAL_NAME_new()); - if (gn != NULL) { - gn->type = GEN_DIRNAME; - } - ExpectIntEQ(GENERAL_NAME_print(out, gn), 1); - XMEMSET(outbuf,0,sizeof(outbuf)); - ExpectIntGT(BIO_read(out, outbuf, sizeof(outbuf)), 0); - ExpectIntEQ(XSTRNCMP((const char*)outbuf, dirNameStr, XSTRLEN(dirNameStr)), - 0); - /* Duplicating GEN_DIRNAME not supported. */ - ExpectNull(dup_gn = GENERAL_NAME_dup(gn)); - /* Restore to GEN_IA5 (default) to avoid memory leak. */ - if (gn != NULL) { - gn->type = GEN_IA5; - } - GENERAL_NAME_free(gn); - gn = NULL; + ExpectNotNull(bio = BIO_new(BIO_s_mem())); + ERR_clear_error(); /* clear out any error nodes */ + ERR_put_error(0,SYS_F_ACCEPT, -173, "ssl.c", 0); + /* Choosing -600 as an unused errno. */ + ERR_put_error(0,SYS_F_BIND, -600, "asn.c", 100); - /* test for GEN_RID */ - p = ridData; - len = sizeof(ridData); - ExpectNotNull(ridObj = wolfSSL_d2i_ASN1_OBJECT(NULL, &p, len)); - ExpectNotNull(gn = wolfSSL_GENERAL_NAME_new()); - if (gn != NULL) { - gn->type = GEN_RID; - wolfSSL_ASN1_STRING_free(gn->d.ia5); - gn->d.registeredID = ridObj; - } - else { - wolfSSL_ASN1_OBJECT_free(ridObj); - } - ExpectIntEQ(GENERAL_NAME_print(out, gn), 1); - XMEMSET(outbuf,0,sizeof(outbuf)); - ExpectIntGT(BIO_read(out, outbuf, sizeof(outbuf)), 0); - ExpectIntEQ(XSTRNCMP((const char*)outbuf, ridStr, XSTRLEN(ridStr)), 0); - /* Duplicating GEN_DIRNAME not supported. */ - ExpectNull(dup_gn = GENERAL_NAME_dup(gn)); - GENERAL_NAME_free(gn); - gn = NULL; + ERR_print_errors(bio); + ExpectIntEQ(BIO_gets(bio, buf, sizeof(buf)), 56); + ExpectIntEQ(XSTRNCMP( + "error:173:wolfSSL library:Bad function argument:ssl.c:0", + buf, 55), 0); + ExpectIntEQ(BIO_gets(bio, buf, sizeof(buf)), 57); + ExpectIntEQ(XSTRNCMP( + "error:600:wolfSSL library:unknown error number:asn.c:100", + buf, 56), 0); + ExpectIntEQ(BIO_gets(bio, buf, sizeof(buf)), 1); + ExpectIntEQ(buf[0], '\0'); + ExpectIntEQ(ERR_get_error_line(NULL, NULL), 0); - BIO_free(out); -#endif /* OPENSSL_ALL */ + BIO_free(bio); +#endif return EXPECT_RESULT(); } -static int test_wolfSSL_sk_DIST_POINT(void) +#if !defined(NO_ERROR_QUEUE) && defined(OPENSSL_EXTRA) && \ + defined(DEBUG_WOLFSSL) +static int test_wolfSSL_error_cb(const char *str, size_t len, void *u) { - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \ - !defined(NO_RSA) - X509* x509 = NULL; - unsigned char buf[4096]; - const unsigned char* bufPt; - int bytes = 0; - int i = 0; - int j = 0; - XFILE f = XBADFILE; - DIST_POINT* dp = NULL; - DIST_POINT_NAME* dpn = NULL; - GENERAL_NAME* gn = NULL; - ASN1_IA5STRING* uri = NULL; - STACK_OF(DIST_POINT)* dps = NULL; - STACK_OF(GENERAL_NAME)* gns = NULL; - const char cliCertDerCrlDistPoint[] = "./certs/client-crl-dist.der"; - - ExpectTrue((f = XFOPEN(cliCertDerCrlDistPoint, "rb")) != XBADFILE); - ExpectIntGT((bytes = (int)XFREAD(buf, 1, sizeof(buf), f)), 0); - if (f != XBADFILE) - XFCLOSE(f); + if (u != NULL) { + wolfSSL_BIO_write((BIO*)u, str, (int)len); + } + return 0; +} +#endif - bufPt = buf; - ExpectNotNull(x509 = d2i_X509(NULL, &bufPt, bytes)); +static int test_wolfSSL_ERR_print_errors_cb(void) +{ + EXPECT_DECLS; +#if !defined(NO_ERROR_QUEUE) && defined(OPENSSL_EXTRA) && \ + defined(DEBUG_WOLFSSL) + BIO* bio = NULL; + char buf[1024]; - ExpectNotNull(dps = (STACK_OF(DIST_POINT)*)X509_get_ext_d2i(x509, - NID_crl_distribution_points, NULL, NULL)); + ExpectNotNull(bio = BIO_new(BIO_s_mem())); + ERR_clear_error(); /* clear out any error nodes */ + ERR_put_error(0,SYS_F_ACCEPT, -173, "ssl.c", 0); + ERR_put_error(0,SYS_F_BIND, -275, "asn.c", 100); - ExpectIntEQ(sk_DIST_POINT_num(dps), 1); - for (i = 0; i < sk_DIST_POINT_num(dps); i++) { - ExpectNotNull(dp = sk_DIST_POINT_value(dps, i)); - ExpectNotNull(dpn = dp->distpoint); + ERR_print_errors_cb(test_wolfSSL_error_cb, bio); + ExpectIntEQ(BIO_gets(bio, buf, sizeof(buf)), 108); + ExpectIntEQ(XSTRNCMP( + "wolfSSL error occurred, error = 173 line:0 file:ssl.c", + buf, 53), 0); + ExpectIntEQ(XSTRNCMP( + "wolfSSL error occurred, error = 275 line:100 file:asn.c", + buf + 53, 55), 0); + ExpectIntEQ(BIO_gets(bio, buf, sizeof(buf)), 0); - /* this should be type 0, fullname */ - ExpectIntEQ(dpn->type, 0); + BIO_free(bio); +#endif - ExpectNotNull(gns = dp->distpoint->name.fullname); - ExpectIntEQ(sk_GENERAL_NAME_num(gns), 1); + return EXPECT_RESULT(); +} +/* + * Testing WOLFSSL_ERROR_MSG + */ +static int test_WOLFSSL_ERROR_MSG(void) +{ + int res = TEST_SKIPPED; +#if defined(DEBUG_WOLFSSL) || defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) ||\ + defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA) + const char* msg = TEST_STRING; - for (j = 0; j < sk_GENERAL_NAME_num(gns); j++) { - ExpectNotNull(gn = sk_GENERAL_NAME_value(gns, j)); - ExpectIntEQ(gn->type, GEN_URI); - ExpectNotNull(uri = gn->d.uniformResourceIdentifier); - ExpectNotNull(uri->data); - ExpectIntGT(uri->length, 0); - } - } + WOLFSSL_ERROR_MSG(msg); - ExpectNotNull(dp = wolfSSL_DIST_POINT_new()); - wolfSSL_DIST_POINT_free(NULL); - wolfSSL_DIST_POINTS_free(NULL); - wolfSSL_sk_DIST_POINT_free(NULL); - ExpectIntEQ(wolfSSL_sk_DIST_POINT_push(NULL, NULL), WOLFSSL_FAILURE); - ExpectIntEQ(wolfSSL_sk_DIST_POINT_push(dps, NULL), WOLFSSL_FAILURE); - ExpectIntEQ(wolfSSL_sk_DIST_POINT_push(NULL, dp), WOLFSSL_FAILURE); - ExpectNull(wolfSSL_sk_DIST_POINT_value(NULL, 0)); - ExpectIntEQ(wolfSSL_sk_DIST_POINT_num(NULL), WOLFSSL_FATAL_ERROR); - wolfSSL_DIST_POINT_free(dp); + res = TEST_SUCCESS; +#endif + return res; +} /* End test_WOLFSSL_ERROR_MSG */ +/* + * Testing wc_ERR_remove_state + */ +static int test_wc_ERR_remove_state(void) +{ + int res = TEST_SKIPPED; +#if defined(OPENSSL_EXTRA) || defined(DEBUG_WOLFSSL_VERBOSE) + wc_ERR_remove_state(); - X509_free(x509); - CRL_DIST_POINTS_free(dps); + res = TEST_SUCCESS; +#endif + return res; +} /* End test_wc_ERR_remove_state */ +/* + * Testing wc_ERR_print_errors_fp + */ +static int test_wc_ERR_print_errors_fp(void) +{ + EXPECT_DECLS; +#if (defined(OPENSSL_EXTRA) || defined(DEBUG_WOLFSSL_VERBOSE)) && \ + (!defined(NO_FILESYSTEM) && !defined(NO_STDIO_FILESYSTEM)) + long sz; + XFILE fp = XBADFILE; + WOLFSSL_ERROR(WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectTrue((fp = XFOPEN("./tests/test-log-dump-to-file.txt", "a+")) != + XBADFILE); + wc_ERR_print_errors_fp(fp); +#if defined(DEBUG_WOLFSSL) + ExpectTrue(XFSEEK(fp, 0, XSEEK_END) == 0); + #ifdef NO_ERROR_QUEUE + ExpectIntEQ(sz = XFTELL(fp), 0); + #else + ExpectIntNE(sz = XFTELL(fp), 0); + #endif +#endif + if (fp != XBADFILE) + XFCLOSE(fp); + (void)sz; #endif return EXPECT_RESULT(); +} /* End test_wc_ERR_print_errors_fp */ +#ifdef DEBUG_WOLFSSL +static void Logging_cb(const int logLevel, const char *const logMessage) +{ + (void)logLevel; + (void)logMessage; } - - - -static int test_wolfSSL_verify_mode(void) +#endif +/* + * Testing wolfSSL_GetLoggingCb + */ +static int test_wolfSSL_GetLoggingCb(void) { EXPECT_DECLS; -#if !defined(NO_RSA) && !defined(NO_TLS) && (defined(OPENSSL_ALL) || \ - defined(HAVE_STUNNEL) || defined(WOLFSSL_MYSQL_COMPATIBLE) || \ - defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)) - WOLFSSL* ssl = NULL; - WOLFSSL_CTX* ctx = NULL; - - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); - - ExpectNotNull(ssl = SSL_new(ctx)); - ExpectIntEQ(SSL_get_verify_mode(ssl), SSL_CTX_get_verify_mode(ctx)); - SSL_free(ssl); - ssl = NULL; - - SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, 0); - ExpectNotNull(ssl = SSL_new(ctx)); - ExpectIntEQ(SSL_get_verify_mode(ssl), SSL_CTX_get_verify_mode(ctx)); - ExpectIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_PEER); - - wolfSSL_set_verify(ssl, SSL_VERIFY_NONE, 0); - ExpectIntEQ(SSL_CTX_get_verify_mode(ctx), SSL_VERIFY_PEER); - ExpectIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_NONE); +#ifdef DEBUG_WOLFSSL + /* Testing without wolfSSL_SetLoggingCb() */ + ExpectNull(wolfSSL_GetLoggingCb()); + /* Testing with wolfSSL_SetLoggingCb() */ + ExpectIntEQ(wolfSSL_SetLoggingCb(Logging_cb), 0); + ExpectNotNull(wolfSSL_GetLoggingCb()); + ExpectIntEQ(wolfSSL_SetLoggingCb(NULL), 0); +#endif + ExpectNull(wolfSSL_GetLoggingCb()); - SSL_free(ssl); - ssl = NULL; + return EXPECT_RESULT(); +} /* End test_wolfSSL_GetLoggingCb */ - wolfSSL_CTX_set_verify(ctx, - WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0); - ExpectNotNull(ssl = SSL_new(ctx)); - ExpectIntEQ(SSL_get_verify_mode(ssl), SSL_CTX_get_verify_mode(ctx)); - ExpectIntEQ(SSL_get_verify_mode(ssl), - WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT); +#endif /* !NO_BIO */ - wolfSSL_set_verify(ssl, SSL_VERIFY_PEER, 0); - ExpectIntEQ(SSL_CTX_get_verify_mode(ctx), - WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT); - ExpectIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_PEER); +/* Note the lack of wolfSSL_ prefix...this is a compatibility layer test. */ +static int test_GENERAL_NAME_set0_othername(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ + defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_REQ) && \ + defined(WOLFSSL_CUSTOM_OID) && defined(WOLFSSL_ALT_NAMES) && \ + defined(WOLFSSL_CERT_EXT) && !defined(NO_FILESYSTEM) && \ + defined(WOLFSSL_FPKI) && !defined(NO_RSA) + /* ./configure --enable-opensslall --enable-certgen --enable-certreq + * --enable-certext --enable-debug 'CPPFLAGS=-DWOLFSSL_CUSTOM_OID + * -DWOLFSSL_ALT_NAMES -DWOLFSSL_FPKI' */ + const char * cert_fname = "./certs/server-cert.der"; + const char * key_fname = "./certs/server-key.der"; + X509* x509 = NULL; + GENERAL_NAME* gn = NULL; + GENERAL_NAMES* gns = NULL; + ASN1_OBJECT* upn_oid = NULL; + ASN1_UTF8STRING *utf8str = NULL; + ASN1_TYPE *value = NULL; + X509_EXTENSION * ext = NULL; - wolfSSL_set_verify(ssl, SSL_VERIFY_NONE, 0); - ExpectIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_NONE); + byte* pt = NULL; + byte der[4096]; + int derSz = 0; + EVP_PKEY* priv = NULL; + XFILE f = XBADFILE; - wolfSSL_set_verify(ssl, SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0); - ExpectIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_FAIL_IF_NO_PEER_CERT); + ExpectTrue((f = XFOPEN(cert_fname, "rb")) != XBADFILE); + ExpectNotNull(x509 = d2i_X509_fp(f, NULL)); + if (f != XBADFILE) { + XFCLOSE(f); + f = XBADFILE; + } + ExpectNotNull(gn = GENERAL_NAME_new()); + ExpectNotNull(upn_oid = OBJ_txt2obj("1.3.6.1.4.1.311.20.2.3", 1)); + ExpectNotNull(utf8str = ASN1_UTF8STRING_new()); + ExpectIntEQ(ASN1_STRING_set(utf8str, "othername@wolfssl.com", -1), 1); + ExpectNotNull(value = ASN1_TYPE_new()); + ASN1_TYPE_set(value, V_ASN1_UTF8STRING, utf8str); + if ((value == NULL) || (value->value.ptr != (char*)utf8str)) { + wolfSSL_ASN1_STRING_free(utf8str); + } + ExpectIntEQ(GENERAL_NAME_set0_othername(NULL, NULL , NULL ), + WOLFSSL_FAILURE); + ExpectIntEQ(GENERAL_NAME_set0_othername(gn , NULL , NULL ), + WOLFSSL_FAILURE); + ExpectIntEQ(GENERAL_NAME_set0_othername(NULL, upn_oid, NULL ), + WOLFSSL_FAILURE); + ExpectIntEQ(GENERAL_NAME_set0_othername(NULL, NULL , value), + WOLFSSL_FAILURE); + ExpectIntEQ(GENERAL_NAME_set0_othername(gn , upn_oid, NULL ), + WOLFSSL_FAILURE); + ExpectIntEQ(GENERAL_NAME_set0_othername(gn , NULL , value), + WOLFSSL_FAILURE); + ExpectIntEQ(GENERAL_NAME_set0_othername(NULL, upn_oid, value ), + WOLFSSL_FAILURE); + ExpectIntEQ(GENERAL_NAME_set0_othername(gn, upn_oid, value), 1); + if (EXPECT_FAIL()) { + ASN1_TYPE_free(value); + } + ExpectNotNull(gns = sk_GENERAL_NAME_new(NULL)); + ExpectIntEQ(sk_GENERAL_NAME_push(gns, gn), 1); + if (EXPECT_FAIL()) { + GENERAL_NAME_free(gn); + gn = NULL; + } + ExpectNotNull(ext = X509V3_EXT_i2d(NID_subject_alt_name, 0, gns)); + ExpectIntEQ(X509_add_ext(x509, ext, -1), 1); + ExpectTrue((f = XFOPEN(key_fname, "rb")) != XBADFILE); + ExpectIntGT(derSz = (int)XFREAD(der, 1, sizeof(der), f), 0); + if (f != XBADFILE) { + XFCLOSE(f); + f = XBADFILE; + } + pt = der; + ExpectNotNull(priv = d2i_PrivateKey(EVP_PKEY_RSA, NULL, + (const unsigned char**)&pt, derSz)); + ExpectIntGT(X509_sign(x509, priv, EVP_sha256()), 0); + sk_GENERAL_NAME_pop_free(gns, GENERAL_NAME_free); + gns = NULL; + ExpectNotNull(gns = (GENERAL_NAMES*)X509_get_ext_d2i(x509, + NID_subject_alt_name, NULL, NULL)); - wolfSSL_set_verify(ssl, SSL_VERIFY_FAIL_EXCEPT_PSK, 0); - ExpectIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_FAIL_EXCEPT_PSK); + ExpectIntEQ(sk_GENERAL_NAME_num(NULL), 0); + ExpectIntEQ(sk_GENERAL_NAME_num(gns), 3); -#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH) - wolfSSL_set_verify(ssl, SSL_VERIFY_POST_HANDSHAKE, 0); - ExpectIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_POST_HANDSHAKE); -#endif + ExpectNull(sk_GENERAL_NAME_value(NULL, 0)); + ExpectNull(sk_GENERAL_NAME_value(gns, 20)); + ExpectNotNull(gn = sk_GENERAL_NAME_value(gns, 2)); + ExpectIntEQ(gn->type, 0); - ExpectIntEQ(SSL_CTX_get_verify_mode(ctx), - WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT); + sk_GENERAL_NAME_pop_free(gns, GENERAL_NAME_free); - SSL_free(ssl); - SSL_CTX_free(ctx); + ASN1_OBJECT_free(upn_oid); + X509_EXTENSION_free(ext); + X509_free(x509); + EVP_PKEY_free(priv); #endif return EXPECT_RESULT(); } - -static int test_wolfSSL_verify_depth(void) +/* Note the lack of wolfSSL_ prefix...this is a compatibility layer test. */ +static int test_othername_and_SID_ext(void) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_TLS) && \ - !defined(NO_WOLFSSL_CLIENT) - WOLFSSL* ssl = NULL; - WOLFSSL_CTX* ctx = NULL; - long depth = 0; +#if defined(OPENSSL_ALL) && !defined(NO_CERTS) && \ + defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_REQ) && \ + defined(WOLFSSL_CUSTOM_OID) && defined(WOLFSSL_ALT_NAMES) && \ + defined(WOLFSSL_CERT_EXT) && !defined(NO_FILESYSTEM) && \ + defined(WOLFSSL_FPKI) && defined(WOLFSSL_ASN_TEMPLATE) && !defined(NO_RSA) + /* ./configure --enable-opensslall --enable-certgen --enable-certreq + * --enable-certext --enable-debug 'CPPFLAGS=-DWOLFSSL_CUSTOM_OID + * -DWOLFSSL_ALT_NAMES -DWOLFSSL_FPKI' */ + const char* csr_fname = "./certs/csr.signed.der"; + const char* key_fname = "./certs/server-key.der"; - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); - ExpectIntGT((depth = SSL_CTX_get_verify_depth(ctx)), 0); + byte der[4096]; + int derSz = 0; + byte badDer[2] = { 0x30, 0x00 }; + X509_REQ* x509 = NULL; + STACK_OF(X509_EXTENSION) *exts = NULL; - ExpectNotNull(ssl = SSL_new(ctx)); - ExpectIntEQ(SSL_get_verify_depth(ssl), SSL_CTX_get_verify_depth(ctx)); - SSL_free(ssl); - ssl = NULL; + X509_EXTENSION * san_ext = NULL; + X509_EXTENSION * ext = NULL; + GENERAL_NAME* gn = NULL; + GENERAL_NAMES* gns = NULL; + ASN1_OBJECT* upn_oid = NULL; + ASN1_UTF8STRING *utf8str = NULL; + ASN1_TYPE *value = NULL; + ASN1_STRING *extval = NULL; - SSL_CTX_set_verify_depth(ctx, -1); - ExpectIntEQ(depth, SSL_CTX_get_verify_depth(ctx)); + /* SID extension. SID data format explained here: + * https://blog.qdsecurity.se/2022/05/27/manually-injecting-a-sid-in-a-certificate/ + */ + byte SidExtension[] = { + 48, 64, 160, 62, 6, 10, 43, 6, 1, 4, 1, 130, 55, 25, 2, 1, 160, + 48, 4, 46, 83, 45, 49, 45, 53, 45, 50, 49, 45, 50, 56, 52, 51, 57, + 48, 55, 52, 49, 56, 45, 51, 57, 50, 54, 50, 55, 55, 52, 50, 49, 45, + 51, 56, 49, 53, 57, 57, 51, 57, 55, 50, 45, 52, 54, 48, 49}; - SSL_CTX_set_verify_depth(ctx, 2); - ExpectIntEQ(2, SSL_CTX_get_verify_depth(ctx)); - ExpectNotNull(ssl = SSL_new(ctx)); - ExpectIntEQ(2, SSL_get_verify_depth(ssl)); + byte expectedAltName[] = { + 0x30, 0x27, 0xA0, 0x25, 0x06, 0x0A, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, + 0x37, 0x14, 0x02, 0x03, 0xA0, 0x17, 0x0C, 0x15, 0x6F, 0x74, 0x68, 0x65, + 0x72, 0x6E, 0x61, 0x6D, 0x65, 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, + 0x6C, 0x2E, 0x63, 0x6F, 0x6D}; - SSL_free(ssl); - SSL_CTX_free(ctx); -#endif - return EXPECT_RESULT(); -} + X509_EXTENSION *sid_ext = NULL; + ASN1_OBJECT* sid_oid = NULL; + ASN1_OCTET_STRING *sid_data = NULL; -static int test_wolfSSL_verify_result(void) -{ - EXPECT_DECLS; -#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \ - defined(OPENSSL_ALL)) && !defined(NO_TLS) && !defined(NO_WOLFSSL_CLIENT) - WOLFSSL* ssl = NULL; - WOLFSSL_CTX* ctx = NULL; - long result = 0xDEADBEEF; + ASN1_OBJECT* alt_names_oid = NULL; - ExpectIntEQ(WC_NO_ERR_TRACE(WOLFSSL_FAILURE), wolfSSL_get_verify_result(ssl)); + EVP_PKEY* priv = NULL; + XFILE f = XBADFILE; + byte* pt = NULL; + BIO* bio = NULL; - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); - ExpectNotNull(ssl = SSL_new(ctx)); + ExpectTrue((f = XFOPEN(csr_fname, "rb")) != XBADFILE); + ExpectNotNull(x509 = d2i_X509_REQ_fp(f, NULL)); + if (f != XBADFILE) { + XFCLOSE(f); + f = XBADFILE; + } + ExpectIntEQ(X509_REQ_set_version(x509, 2), 1); + ExpectNotNull(gn = GENERAL_NAME_new()); + ExpectNotNull(upn_oid = OBJ_txt2obj("1.3.6.1.4.1.311.20.2.3", 1)); + ExpectNotNull(utf8str = ASN1_UTF8STRING_new()); + ExpectIntEQ(ASN1_STRING_set(utf8str, "othername@wolfssl.com", -1), 1); + ExpectNotNull(value = ASN1_TYPE_new()); + ASN1_TYPE_set(value, V_ASN1_UTF8STRING, utf8str); + if (EXPECT_FAIL()) { + ASN1_UTF8STRING_free(utf8str); + } + ExpectIntEQ(GENERAL_NAME_set0_othername(gn, upn_oid, value), 1); + if (EXPECT_FAIL()) { + ASN1_TYPE_free(value); + GENERAL_NAME_free(gn); + gn = NULL; + } + ExpectNotNull(gns = sk_GENERAL_NAME_new(NULL)); + ExpectIntEQ(sk_GENERAL_NAME_push(gns, gn), 1); + if (EXPECT_FAIL()) { + GENERAL_NAME_free(gn); + } + ExpectNotNull(san_ext = X509V3_EXT_i2d(NID_subject_alt_name, 0, gns)); + ExpectNotNull(sid_oid = OBJ_txt2obj("1.3.6.1.4.1.311.25.2", 1)); + ExpectNotNull(sid_data = ASN1_OCTET_STRING_new()); + ASN1_OCTET_STRING_set(sid_data, SidExtension, sizeof(SidExtension)); + ExpectNotNull(sid_ext = X509_EXTENSION_create_by_OBJ(NULL, sid_oid, 0, + sid_data)); + ExpectNotNull(exts = sk_X509_EXTENSION_new_null()); + wolfSSL_sk_X509_EXTENSION_free(exts); + exts = NULL; + ExpectNotNull(exts = sk_X509_EXTENSION_new_null()); + /* Ensure an empty stack doesn't raise an error. */ + ExpectIntEQ(X509_REQ_add_extensions(NULL, NULL), 0); + ExpectIntEQ(X509_REQ_add_extensions(x509, NULL), 0); + ExpectIntEQ(X509_REQ_add_extensions(NULL, exts), 0); + ExpectIntEQ(X509_REQ_add_extensions(x509, exts), 1); + ExpectIntEQ(sk_X509_EXTENSION_push(exts, san_ext), 1); + if (EXPECT_FAIL()) { + X509_EXTENSION_free(san_ext); + } + ExpectIntEQ(sk_X509_EXTENSION_push(exts, sid_ext), 2); + if (EXPECT_FAIL()) { + X509_EXTENSION_free(sid_ext); + } + ExpectIntEQ(X509_REQ_add_extensions(x509, exts), 1); + ExpectTrue((f = XFOPEN(key_fname, "rb")) != XBADFILE); + ExpectIntGT(derSz = (int)XFREAD(der, 1, sizeof(der), f), 0); + if (f != XBADFILE) + XFCLOSE(f); + pt = der; + ExpectNotNull(priv = d2i_PrivateKey(EVP_PKEY_RSA, NULL, + (const unsigned char**)&pt, derSz)); + ExpectIntGT(X509_REQ_sign(x509, priv, EVP_sha256()), 0); + pt = der; + ExpectIntGT(derSz = i2d_X509_REQ(x509, &pt), 0); + X509_REQ_free(x509); + x509 = NULL; + ExpectNull(d2i_X509_REQ_INFO(&x509, NULL, derSz)); + pt = badDer; + ExpectNull(d2i_X509_REQ_INFO(&x509, (const unsigned char**)&pt, + sizeof(badDer))); + pt = der; + ExpectNotNull(d2i_X509_REQ_INFO(&x509, (const unsigned char**)&pt, derSz)); + sk_GENERAL_NAME_pop_free(gns, GENERAL_NAME_free); + gns = NULL; + sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free); + exts = NULL; + ASN1_OBJECT_free(upn_oid); + ASN1_OBJECT_free(sid_oid); + sid_oid = NULL; + ASN1_OCTET_STRING_free(sid_data); + X509_REQ_free(x509); + EVP_PKEY_free(priv); - wolfSSL_set_verify_result(ssl, result); - ExpectIntEQ(result, wolfSSL_get_verify_result(ssl)); + /* At this point everything used to generate what is in der is cleaned up. + * We now read back from der to confirm the extensions were inserted + * correctly. */ + bio = wolfSSL_BIO_new(wolfSSL_BIO_s_mem()); + ExpectNotNull(bio); - SSL_free(ssl); - SSL_CTX_free(ctx); -#endif - return EXPECT_RESULT(); -} + ExpectIntEQ(BIO_write(bio, der, derSz), derSz); /* d2i consumes BIO */ + ExpectNotNull(d2i_X509_REQ_bio(bio, &x509)); + ExpectNotNull(x509); + BIO_free(bio); + ExpectNotNull(exts = (STACK_OF(X509_EXTENSION)*)X509_REQ_get_extensions( + x509)); + ExpectIntEQ(sk_X509_EXTENSION_num(NULL), WOLFSSL_FATAL_ERROR); + ExpectIntEQ(sk_X509_EXTENSION_num(exts), 2); -#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_TLS) && \ - !defined(NO_WOLFSSL_CLIENT) -static void sslMsgCb(int w, int version, int type, const void* buf, - size_t sz, SSL* ssl, void* arg) -{ - int i; - unsigned char* pt = (unsigned char*)buf; + /* Check the SID extension. */ + ExpectNotNull(sid_oid = OBJ_txt2obj("1.3.6.1.4.1.311.25.2", 1)); + ExpectNotNull(ext = sk_X509_EXTENSION_value(exts, + X509_get_ext_by_OBJ(x509, sid_oid, -1))); + ExpectNotNull(extval = X509_EXTENSION_get_data(ext)); + ExpectIntEQ(extval->length, sizeof(SidExtension)); + ExpectIntEQ(XMEMCMP(SidExtension, extval->data, sizeof(SidExtension)), 0); + ASN1_OBJECT_free(sid_oid); - fprintf(stderr, "%s %d bytes of version %d , type %d : ", - (w)?"Writing":"Reading", (int)sz, version, type); - for (i = 0; i < (int)sz; i++) fprintf(stderr, "%02X", pt[i]); - fprintf(stderr, "\n"); - (void)ssl; - (void)arg; -} -#endif /* OPENSSL_EXTRA */ + /* Check the AltNames extension. */ + ExpectNotNull(alt_names_oid = OBJ_txt2obj("subjectAltName", 0)); + ExpectNotNull(ext = sk_X509_EXTENSION_value(exts, + X509_get_ext_by_OBJ(x509, alt_names_oid, -1))); + ExpectNotNull(extval = X509_EXTENSION_get_data(ext)); + ExpectIntEQ(extval->length, sizeof(expectedAltName)); + ExpectIntEQ(XMEMCMP(expectedAltName, extval->data, sizeof(expectedAltName)), + 0); + ASN1_OBJECT_free(alt_names_oid); -static int test_wolfSSL_msg_callback(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_TLS) && \ - !defined(NO_WOLFSSL_CLIENT) - WOLFSSL* ssl = NULL; - WOLFSSL_CTX* ctx = NULL; + /* Cleanup */ + ExpectNotNull(gns = (GENERAL_NAMES*)X509_get_ext_d2i(x509, + NID_subject_alt_name, NULL, NULL)); + ExpectIntEQ(sk_GENERAL_NAME_num(gns), 1); + ExpectNotNull(gn = sk_GENERAL_NAME_value(gns, 0)); + ExpectIntEQ(gn->type, 0); - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); - ExpectNotNull(ssl = SSL_new(ctx)); - ExpectIntEQ(SSL_set_msg_callback(ssl, NULL), SSL_SUCCESS); - ExpectIntEQ(SSL_set_msg_callback(ssl, &sslMsgCb), SSL_SUCCESS); - ExpectIntEQ(SSL_set_msg_callback(NULL, &sslMsgCb), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + sk_GENERAL_NAME_pop_free(gns, GENERAL_NAME_free); - SSL_free(ssl); - SSL_CTX_free(ctx); + sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free); + X509_REQ_free(x509); #endif return EXPECT_RESULT(); } -/* test_EVP_Cipher_extra, Extra-test on EVP_CipherUpdate/Final. see also test.c */ -#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)) &&\ - (!defined(NO_AES) && defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_128)) -static void binary_dump(void *ptr, int size) -{ - #ifdef WOLFSSL_EVP_PRINT - int i = 0; - unsigned char *p = (unsigned char *) ptr; - - fprintf(stderr, "{"); - while ((p != NULL) && (i < size)) { - if ((i % 8) == 0) { - fprintf(stderr, "\n"); - fprintf(stderr, " "); - } - fprintf(stderr, "0x%02x, ", p[i]); - i++; - } - fprintf(stderr, "\n};\n"); - #else - (void) ptr; - (void) size; - #endif -} +#if defined(OPENSSL_EXTRA) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) -static int last_val = 0x0f; +/* test that the callback arg is correct */ +static int certCbArg = 0; -static int check_result(unsigned char *data, int len) +static int certCb(WOLFSSL* ssl, void* arg) { - int i; - - for ( ; len; ) { - last_val = (last_val + 1) % 16; - for (i = 0; i < 16; len--, i++, data++) - if (*data != last_val) { - return -1; - } + if (ssl == NULL || arg != &certCbArg) + return 0; + if (wolfSSL_is_server(ssl)) { + if (wolfSSL_use_certificate_file(ssl, svrCertFile, + WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS) + return 0; + if (wolfSSL_use_PrivateKey_file(ssl, svrKeyFile, + WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS) + return 0; } - return 0; + else { + if (wolfSSL_use_certificate_file(ssl, cliCertFile, + WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS) + return 0; + if (wolfSSL_use_PrivateKey_file(ssl, cliKeyFile, + WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS) + return 0; + } + return 1; } -static int r_offset; -static int w_offset; - -static void init_offset(void) -{ - r_offset = 0; - w_offset = 0; -} -static void get_record(unsigned char *data, unsigned char *buf, int len) +static int certSetupCb(WOLFSSL_CTX* ctx) { - XMEMCPY(buf, data+r_offset, len); - r_offset += len; + SSL_CTX_set_cert_cb(ctx, certCb, &certCbArg); + return TEST_SUCCESS; } -static void set_record(unsigned char *data, unsigned char *buf, int len) +/** + * This is only done because test_wolfSSL_client_server_nofail_memio has no way + * to stop certificate and key loading + */ +static int certClearCb(WOLFSSL* ssl) { - XMEMCPY(data+w_offset, buf, len); - w_offset += len; + /* Clear the loaded certs to force the callbacks to set them up */ + SSL_certs_clear(ssl); + return TEST_SUCCESS; } -static void set_plain(unsigned char *plain, int rec) -{ - int i, j; - unsigned char *p = plain; - - #define BLOCKSZ 16 - - for (i=0; i<(rec/BLOCKSZ); i++) { - for (j=0; j 0 && keylen != klen) { - ExpectIntNE(EVP_CIPHER_CTX_set_key_length(evp, keylen), 0); - } - ilen = EVP_CIPHER_CTX_iv_length(evp); - if (ilen > 0 && ivlen != ilen) { - ExpectIntNE(EVP_CIPHER_CTX_set_iv_length(evp, ivlen), 0); - } + printf("\tTesting with %s...\n", test_params[i].desc); - ExpectIntNE((ret = EVP_CipherInit(evp, NULL, key, iv, 1)), 0); + func_cb_client.method = test_params[i].client_meth; + func_cb_server.method = test_params[i].server_meth; + func_cb_client.ctx_ready = certSetupCb; + func_cb_client.ssl_ready = certClearCb; + func_cb_server.ctx_ready = certSetupCb; + func_cb_server.ssl_ready = certClearCb; - for (j = 0; j 0) - set_record(cipher, outb, outl); + if (info.rsaAuth) + haveRSA = 1; + else if (info.eccAuth) + haveECC = 1; } - for (i = 0; test_drive[i]; i++) { - last_val = 0x0f; - - ExpectIntNE((ret = EVP_CipherInit(evp, NULL, key, iv, 0)), 0); - - init_offset(); - - for (j = 0; test_drive[i][j]; j++) { - inl = test_drive[i][j]; - get_record(cipher, inb, inl); - - ExpectIntNE((ret = EVP_DecryptUpdate(evp, outb, &outl, inb, inl)), - 0); - - binary_dump(outb, outl); - ExpectIntEQ((ret = check_result(outb, outl)), 0); - ExpectFalse(outl > ((inl/16+1)*16) && outl > 16); - } + if (hashSigAlgoSz > 0) { + /* sigalgs extension takes precedence over ciphersuites */ + haveRSA = 0; + haveECC = 0; + } + for (idx = 0; idx < hashSigAlgoSz; idx += 2) { + int hashAlgo = 0; + int sigAlgo = 0; - ret = EVP_CipherFinal(evp, outb, &outl); + if (wolfSSL_get_sigalg_info(hashSigAlgo[idx+0], hashSigAlgo[idx+1], + &hashAlgo, &sigAlgo) != 0) + return 0; - binary_dump(outb, outl); + if (sigAlgo == RSAk || sigAlgo == RSAPSSk) + haveRSA = 1; + else if (sigAlgo == ECDSAk) + haveECC = 1; + } - ret = (((test_drive_len[i] % 16) != 0) && (ret == 0)) || - (((test_drive_len[i] % 16) == 0) && (ret == 1)); - ExpectTrue(ret); + if (haveRSA) { + if (wolfSSL_use_certificate_file(ssl, svrCertFile, WOLFSSL_FILETYPE_PEM) + != WOLFSSL_SUCCESS) + return 0; + if (wolfSSL_use_PrivateKey_file(ssl, svrKeyFile, WOLFSSL_FILETYPE_PEM) + != WOLFSSL_SUCCESS) + return 0; + } + else if (haveECC) { + if (wolfSSL_use_certificate_file(ssl, eccCertFile, WOLFSSL_FILETYPE_PEM) + != WOLFSSL_SUCCESS) + return 0; + if (wolfSSL_use_PrivateKey_file(ssl, eccKeyFile, WOLFSSL_FILETYPE_PEM) + != WOLFSSL_SUCCESS) + return 0; } - ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_cleanup(evp), WOLFSSL_SUCCESS); + return 1; +} - EVP_CIPHER_CTX_free(evp); - evp = NULL; +static int test_wolfSSL_cert_cb_dyn_ciphers_server_ctx_ready(WOLFSSL_CTX* ctx) +{ + SSL_CTX_set_cert_cb(ctx, test_wolfSSL_cert_cb_dyn_ciphers_certCB, NULL); + wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_NONE, NULL); + return TEST_SUCCESS; +} - /* Do an extra test to verify correct behavior with empty input. */ +#endif - ExpectNotNull(evp = EVP_CIPHER_CTX_new()); - ExpectIntNE((ret = EVP_CipherInit(evp, type, NULL, iv, 0)), 0); +/* Testing dynamic ciphers offered by client */ +static int test_wolfSSL_cert_cb_dyn_ciphers(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) + test_ssl_cbf func_cb_client; + test_ssl_cbf func_cb_server; + struct { + method_provider client_meth; + const char* client_ciphers; + const char* client_sigalgs; + const char* client_ca; + method_provider server_meth; + } test_params[] = { +#if !defined(NO_SHA256) && defined(HAVE_AESGCM) +#ifdef WOLFSSL_TLS13 +#if !defined(NO_RSA) && defined(WC_RSA_PSS) + {wolfTLSv1_3_client_method, + "TLS13-AES256-GCM-SHA384:TLS13-AES128-GCM-SHA256", + "RSA-PSS+SHA256", caCertFile, wolfTLSv1_3_server_method}, +#endif +#ifdef HAVE_ECC + {wolfTLSv1_3_client_method, + "TLS13-AES256-GCM-SHA384:TLS13-AES128-GCM-SHA256", + "ECDSA+SHA256", caEccCertFile, wolfTLSv1_3_server_method}, +#endif +#endif +#if !defined(WOLFSSL_NO_TLS12) && !defined(WOLFSSL_HARDEN_TLS) +#if !defined(NO_RSA) && defined(WC_RSA_PSS) && !defined(NO_DH) + {wolfTLSv1_2_client_method, + "DHE-RSA-AES128-GCM-SHA256", + "RSA-PSS+SHA256", caCertFile, wolfTLSv1_2_server_method}, +#endif +#ifdef HAVE_ECC + {wolfTLSv1_2_client_method, + "ECDHE-ECDSA-AES128-GCM-SHA256", + "ECDSA+SHA256", caEccCertFile, wolfTLSv1_2_server_method}, +#endif +#endif +#endif + }; + size_t i; + size_t testCount = sizeof(test_params)/sizeof(*test_params); - ExpectIntEQ(EVP_CIPHER_CTX_nid(evp), NID_aes_128_cbc); + if (testCount > 0) { + for (i = 0; i < testCount; i++) { + printf("\tTesting %s ciphers with %s sigalgs\n", + test_params[i].client_ciphers, + test_params[i].client_sigalgs); - klen = EVP_CIPHER_CTX_key_length(evp); - if (klen > 0 && keylen != klen) { - ExpectIntNE(EVP_CIPHER_CTX_set_key_length(evp, keylen), 0); - } - ilen = EVP_CIPHER_CTX_iv_length(evp); - if (ilen > 0 && ivlen != ilen) { - ExpectIntNE(EVP_CIPHER_CTX_set_iv_length(evp, ivlen), 0); - } + XMEMSET(&func_cb_client, 0, sizeof(func_cb_client)); + XMEMSET(&func_cb_server, 0, sizeof(func_cb_server)); - ExpectIntNE((ret = EVP_CipherInit(evp, NULL, key, iv, 1)), 0); + test_wolfSSL_cert_cb_dyn_ciphers_client_cipher = + test_params[i].client_ciphers; + test_wolfSSL_cert_cb_dyn_ciphers_client_sigalgs = + test_params[i].client_sigalgs; + func_cb_client.method = test_params[i].client_meth; + func_cb_client.caPemFile = test_params[i].client_ca; + func_cb_client.ctx_ready = + test_wolfSSL_cert_cb_dyn_ciphers_client_ctx_ready; - /* outl should be set to 0 after passing NULL, 0 for input args. */ - outl = -1; - ExpectIntNE((ret = EVP_CipherUpdate(evp, outb, &outl, NULL, 0)), 0); - ExpectIntEQ(outl, 0); + func_cb_server.ctx_ready = + test_wolfSSL_cert_cb_dyn_ciphers_server_ctx_ready; + func_cb_server.ssl_ready = certClearCb; /* Reuse from prev test */ + func_cb_server.method = test_params[i].server_meth; - EVP_CIPHER_CTX_free(evp); -#endif /* test_EVP_Cipher */ + ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&func_cb_client, + &func_cb_server, NULL), TEST_SUCCESS); + } + } +#endif return EXPECT_RESULT(); } -static int test_wolfSSL_X509_SEP(void) +static int test_wolfSSL_ciphersuite_auth(void) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && defined(WOLFSSL_SEP) - WOLFSSL_X509* x509 = NULL; -#if 0 - byte* out; -#endif - int outSz; - - ExpectNotNull(x509 = wolfSSL_X509_new()); - - outSz = 0; - ExpectNull(wolfSSL_X509_get_device_type(NULL, NULL, NULL)); - ExpectNull(wolfSSL_X509_get_device_type(x509, NULL, NULL)); - ExpectNull(wolfSSL_X509_get_device_type(NULL, NULL, &outSz)); - ExpectNull(wolfSSL_X509_get_device_type(x509, NULL, &outSz)); - - outSz = 0; - ExpectNull(wolfSSL_X509_get_hw_type(NULL, NULL, NULL)); - ExpectNull(wolfSSL_X509_get_hw_type(x509, NULL, NULL)); - ExpectNull(wolfSSL_X509_get_hw_type(NULL, NULL, &outSz)); - ExpectNull(wolfSSL_X509_get_hw_type(x509, NULL, &outSz)); +#if defined(OPENSSL_EXTRA) + WOLFSSL_CIPHERSUITE_INFO info; - outSz = 0; - ExpectNull(wolfSSL_X509_get_hw_serial_number(NULL, NULL, NULL)); - ExpectNull(wolfSSL_X509_get_hw_serial_number(x509, NULL, NULL)); - ExpectNull(wolfSSL_X509_get_hw_serial_number(NULL, NULL, &outSz)); - ExpectNull(wolfSSL_X509_get_hw_serial_number(x509, NULL, &outSz)); + (void)info; - ExpectIntEQ(wolfSSL_X509_ext_isSet_by_NID(x509, - WC_NID_certificate_policies), 0); +#ifndef WOLFSSL_NO_TLS12 +#ifdef HAVE_CHACHA + info = wolfSSL_get_ciphersuite_info(CHACHA_BYTE, + TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256); + ExpectIntEQ(info.rsaAuth, 1); + ExpectIntEQ(info.eccAuth, 0); + ExpectIntEQ(info.eccStatic, 0); + ExpectIntEQ(info.psk, 0); - wolfSSL_X509_free(x509); - x509 = NULL; + info = wolfSSL_get_ciphersuite_info(CHACHA_BYTE, + TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256); + ExpectIntEQ(info.rsaAuth, 0); + ExpectIntEQ(info.eccAuth, 1); + ExpectIntEQ(info.eccStatic, 0); + ExpectIntEQ(info.psk, 0); -#if 0 - /* Use certificate with the extension here. */ - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(svrCertFile, - SSL_FILETYPE_PEM)); + info = wolfSSL_get_ciphersuite_info(CHACHA_BYTE, + TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256); + ExpectIntEQ(info.rsaAuth, 0); + ExpectIntEQ(info.eccAuth, 0); + ExpectIntEQ(info.eccStatic, 0); + ExpectIntEQ(info.psk, 1); +#endif +#if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || defined(HAVE_CURVE448) +#ifndef NO_RSA + info = wolfSSL_get_ciphersuite_info(ECC_BYTE, + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA); + ExpectIntEQ(info.rsaAuth, 1); + ExpectIntEQ(info.eccAuth, 0); + ExpectIntEQ(info.eccStatic, 0); + ExpectIntEQ(info.psk, 0); - outSz = 0; - ExpectNotNull(out = wolfSSL_X509_get_device_type(x509, NULL, &outSz)); - ExpectIntGT(outSz, 0); - XFREE(out, NULL, DYNAMIC_TYPE_OPENSSL); + info = wolfSSL_get_ciphersuite_info(ECC_BYTE, + TLS_ECDH_RSA_WITH_AES_128_CBC_SHA); + ExpectIntEQ(info.rsaAuth, 1); + ExpectIntEQ(info.eccAuth, 0); + ExpectIntEQ(info.eccStatic, 1); + ExpectIntEQ(info.psk, 0); - outSz = 0; - ExpectNotNull(out = wolfSSL_X509_get_hw_type(x509, NULL, &outSz)); - ExpectIntGT(outSz, 0); - XFREE(out, NULL, DYNAMIC_TYPE_OPENSSL); + info = wolfSSL_get_ciphersuite_info(ECC_BYTE, + TLS_ECDH_RSA_WITH_AES_256_CBC_SHA); + ExpectIntEQ(info.rsaAuth, 1); + ExpectIntEQ(info.eccAuth, 0); + ExpectIntEQ(info.eccStatic, 1); + ExpectIntEQ(info.psk, 0); +#endif + info = wolfSSL_get_ciphersuite_info(ECC_BYTE, + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA); + ExpectIntEQ(info.rsaAuth, 0); + ExpectIntEQ(info.eccAuth, 1); + ExpectIntEQ(info.eccStatic, 0); + ExpectIntEQ(info.psk, 0); - outSz = 0; - ExpectNotNull(out = wolfSSL_X509_get_hw_serial_number(x509, NULL, &outSz)); - ExpectIntGT(outSz, 0); - XFREE(out, NULL, DYNAMIC_TYPE_OPENSSL); + info = wolfSSL_get_ciphersuite_info(ECC_BYTE, + TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA); + ExpectIntEQ(info.rsaAuth, 0); + ExpectIntEQ(info.eccAuth, 1); + ExpectIntEQ(info.eccStatic, 1); + ExpectIntEQ(info.psk, 0); - wolfSSL_X509_free(x509); + info = wolfSSL_get_ciphersuite_info(ECDHE_PSK_BYTE, + TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256); + ExpectIntEQ(info.rsaAuth, 0); + ExpectIntEQ(info.eccAuth, 0); + ExpectIntEQ(info.eccStatic, 0); + ExpectIntEQ(info.psk, 1); #endif #endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_OpenSSL_add_all_algorithms(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) - ExpectIntEQ(wolfSSL_add_all_algorithms(), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_OpenSSL_add_all_algorithms_noconf(), WOLFSSL_SUCCESS); +#ifdef WOLFSSL_TLS13 + info = wolfSSL_get_ciphersuite_info(TLS13_BYTE, + TLS_AES_128_GCM_SHA256); + ExpectIntEQ(info.rsaAuth, 0); + ExpectIntEQ(info.eccAuth, 0); + ExpectIntEQ(info.eccStatic, 0); + ExpectIntEQ(info.psk, 0); +#endif - ExpectIntEQ(wolfSSL_OpenSSL_add_all_algorithms_conf(), WOLFSSL_SUCCESS); #endif return EXPECT_RESULT(); } -static int test_wolfSSL_OPENSSL_hexstr2buf(void) +static int test_wolfSSL_sigalg_info(void) { EXPECT_DECLS; #if defined(OPENSSL_EXTRA) - #define MAX_HEXSTR_BUFSZ 9 - #define NUM_CASES 5 - struct Output { - const unsigned char buffer[MAX_HEXSTR_BUFSZ]; - long ret; - }; - int i; - int j; + byte hashSigAlgo[WOLFSSL_MAX_SIGALGO]; + word16 len = 0; + word16 idx = 0; + int allSigAlgs = SIG_ECDSA | SIG_RSA | SIG_SM2 | SIG_FALCON | SIG_DILITHIUM; - const char* inputs[NUM_CASES] = { - "aabcd1357e", - "01:12:23:34:a5:b6:c7:d8:e9", - ":01:02", - "012", - ":ab:ac:d" - }; - struct Output expectedOutputs[NUM_CASES] = { - {{0xaa, 0xbc, 0xd1, 0x35, 0x7e}, 5}, - {{0x01, 0x12, 0x23, 0x34, 0xa5, 0xb6, 0xc7, 0xd8, 0xe9}, 9}, - {{0x01, 0x02}, 2}, - {{0x00}, 0}, - {{0x00}, 0} - }; - long len = 0; - unsigned char* returnedBuf = NULL; + InitSuitesHashSigAlgo(hashSigAlgo, allSigAlgs, 1, 0xFFFFFFFF, &len); + for (idx = 0; idx < len; idx += 2) { + int hashAlgo = 0; + int sigAlgo = 0; - for (i = 0; i < NUM_CASES && !EXPECT_FAIL(); ++i) { - returnedBuf = wolfSSL_OPENSSL_hexstr2buf(inputs[i], &len); - if (returnedBuf == NULL) { - ExpectIntEQ(expectedOutputs[i].ret, 0); - continue; - } + ExpectIntEQ(wolfSSL_get_sigalg_info(hashSigAlgo[idx+0], + hashSigAlgo[idx+1], &hashAlgo, &sigAlgo), 0); - ExpectIntEQ(expectedOutputs[i].ret, len); + ExpectIntNE(hashAlgo, 0); + ExpectIntNE(sigAlgo, 0); + } - for (j = 0; j < len; ++j) { - ExpectIntEQ(expectedOutputs[i].buffer[j], returnedBuf[j]); - } - OPENSSL_free(returnedBuf); + InitSuitesHashSigAlgo(hashSigAlgo, allSigAlgs | SIG_ANON, 1, + 0xFFFFFFFF, &len); + for (idx = 0; idx < len; idx += 2) { + int hashAlgo = 0; + int sigAlgo = 0; + + ExpectIntEQ(wolfSSL_get_sigalg_info(hashSigAlgo[idx+0], + hashSigAlgo[idx+1], &hashAlgo, &sigAlgo), 0); + + ExpectIntNE(hashAlgo, 0); } + #endif return EXPECT_RESULT(); } -#if defined(OPENSSL_ALL) -static int test_wolfSSL_sk_CIPHER_description(void) +static int test_wolfSSL_SESSION(void) { EXPECT_DECLS; -#if !defined(NO_RSA) && !defined(NO_TLS) - const long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION; - int i; - int numCiphers = 0; - const SSL_METHOD *method = NULL; - const SSL_CIPHER *cipher = NULL; - STACK_OF(SSL_CIPHER) *supportedCiphers = NULL; - SSL_CTX *ctx = NULL; - SSL *ssl = NULL; - char buf[256]; - char test_str[9] = "0000000"; - const char badStr[] = "unknown"; - const char certPath[] = "./certs/client-cert.pem"; - XMEMSET(buf, 0, sizeof(buf)); +#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \ + !defined(NO_RSA) && !defined(NO_SHA256) && \ + defined(HAVE_IO_TESTS_DEPENDENCIES) && !defined(NO_SESSION_CACHE) + WOLFSSL* ssl = NULL; + WOLFSSL_CTX* ctx = NULL; + WOLFSSL_SESSION* sess = NULL; + WOLFSSL_SESSION* sess_copy = NULL; +#ifdef OPENSSL_EXTRA +#ifdef HAVE_EXT_CACHE + unsigned char* sessDer = NULL; + unsigned char* ptr = NULL; + int sz = 0; +#endif + const unsigned char context[] = "user app context"; + unsigned int contextSz = (unsigned int)sizeof(context); +#endif + int ret = 0, err = 0; + SOCKET_T sockfd; + tcp_ready ready; + func_args server_args; + THREAD_TYPE serverThread; + char msg[80]; + const char* sendGET = "GET"; - ExpectNotNull(method = TLSv1_2_client_method()); - ExpectNotNull(ctx = SSL_CTX_new(method)); - SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, 0); - SSL_CTX_set_verify_depth(ctx, 4); - SSL_CTX_set_options(ctx, flags); - ExpectIntEQ(SSL_CTX_load_verify_locations(ctx, certPath, NULL), - WOLFSSL_SUCCESS); + /* TLS v1.3 requires session tickets */ + /* CHACHA and POLY1305 required for myTicketEncCb */ +#if !defined(WOLFSSL_NO_TLS12) && (!defined(WOLFSSL_TLS13) || \ + !(defined(HAVE_SESSION_TICKET) && ((defined(HAVE_CHACHA) && \ + defined(HAVE_POLY1305)) || defined(HAVE_AESGCM)))) + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method())); +#else + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); +#endif - ExpectNotNull(ssl = SSL_new(ctx)); - /* SSL_get_ciphers returns a stack of all configured ciphers - * A flag, getCipherAtOffset, is set to later have SSL_CIPHER_description - */ - ExpectNotNull(supportedCiphers = SSL_get_ciphers(ssl)); + ExpectTrue(wolfSSL_CTX_use_certificate_file(ctx, cliCertFile, + CERT_FILETYPE)); + ExpectTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, cliKeyFile, + CERT_FILETYPE)); + ExpectIntEQ(wolfSSL_CTX_load_verify_locations(ctx, caCertFile, 0), + WOLFSSL_SUCCESS); +#ifdef WOLFSSL_ENCRYPTED_KEYS + wolfSSL_CTX_set_default_passwd_cb(ctx, PasswordCallBack); +#endif +#ifdef HAVE_SESSION_TICKET + /* Use session tickets, for ticket tests below */ + ExpectIntEQ(wolfSSL_CTX_UseSessionTicket(ctx), WOLFSSL_SUCCESS); +#endif - /* loop through the amount of supportedCiphers */ - numCiphers = sk_num(supportedCiphers); - for (i = 0; i < numCiphers; ++i) { - int j; - /* sk_value increments "sk->data.cipher->cipherOffset". - * wolfSSL_sk_CIPHER_description sets the description for - * the cipher based on the provided offset. - */ - if ((cipher = (const WOLFSSL_CIPHER*)sk_value(supportedCiphers, i))) { - SSL_CIPHER_description(cipher, buf, sizeof(buf)); - } + XMEMSET(&server_args, 0, sizeof(func_args)); +#ifdef WOLFSSL_TIRTOS + fdOpenSession(Task_self()); +#endif - /* Search cipher description string for "unknown" descriptor */ - for (j = 0; j < (int)XSTRLEN(buf); j++) { - int k = 0; - while ((k < (int)XSTRLEN(badStr)) && (buf[j] == badStr[k])) { - test_str[k] = badStr[k]; - j++; - k++; - } - } - /* Fail if test_str == badStr == "unknown" */ - ExpectStrNE(test_str,badStr); - } - SSL_free(ssl); - SSL_CTX_free(ctx); + StartTCP(); + InitTcpReady(&ready); + +#if defined(USE_WINDOWS_API) + /* use RNG to get random port if using windows */ + ready.port = GetRandomPort(); #endif - return EXPECT_RESULT(); -} -static int test_wolfSSL_get_ciphers_compat(void) -{ - EXPECT_DECLS; -#if !defined(NO_RSA) && !defined(NO_TLS) - const SSL_METHOD *method = NULL; - const char certPath[] = "./certs/client-cert.pem"; - STACK_OF(SSL_CIPHER) *supportedCiphers = NULL; - SSL_CTX *ctx = NULL; - WOLFSSL *ssl = NULL; - const long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION; + server_args.signal = &ready; + start_thread(test_server_nofail, &server_args, &serverThread); + wait_tcp_ready(&server_args); - ExpectNotNull(method = SSLv23_client_method()); - ExpectNotNull(ctx = SSL_CTX_new(method)); - SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, 0); - SSL_CTX_set_verify_depth(ctx, 4); - SSL_CTX_set_options(ctx, flags); - ExpectIntEQ(SSL_CTX_load_verify_locations(ctx, certPath, NULL), - WOLFSSL_SUCCESS); + /* client connection */ + ExpectNotNull(ssl = wolfSSL_new(ctx)); + tcp_connect(&sockfd, wolfSSLIP, ready.port, 0, 0, ssl); + ExpectIntEQ(wolfSSL_set_fd(ssl, sockfd), WOLFSSL_SUCCESS); + + WOLFSSL_ASYNC_WHILE_PENDING(ret = wolfSSL_connect(ssl), + ret != WOLFSSL_SUCCESS); + ExpectIntEQ(ret, WOLFSSL_SUCCESS); + + WOLFSSL_ASYNC_WHILE_PENDING( + ret = wolfSSL_write(ssl, sendGET, (int)XSTRLEN(sendGET)), + ret <= 0); + ExpectIntEQ(ret, (int)XSTRLEN(sendGET)); + + WOLFSSL_ASYNC_WHILE_PENDING(ret = wolfSSL_read(ssl, msg, sizeof(msg)), + ret != 23); + ExpectIntEQ(ret, 23); + + ExpectPtrNE((sess = wolfSSL_get1_session(ssl)), NULL); /* ref count 1 */ + ExpectPtrNE((sess_copy = wolfSSL_get1_session(ssl)), NULL); /* ref count 2 */ + ExpectIntEQ(wolfSSL_SessionIsSetup(sess), 1); +#ifdef HAVE_EXT_CACHE + ExpectPtrEq(sess, sess_copy); /* they should be the same pointer but without + * HAVE_EXT_CACHE we get new objects each time */ +#endif + wolfSSL_SESSION_free(sess_copy); sess_copy = NULL; + wolfSSL_SESSION_free(sess); sess = NULL; /* free session ref */ - ExpectNotNull(ssl = SSL_new(ctx)); + sess = wolfSSL_get_session(ssl); - /* Test Bad NULL input */ - ExpectNull(supportedCiphers = SSL_get_ciphers(NULL)); - /* Test for Good input */ - ExpectNotNull(supportedCiphers = SSL_get_ciphers(ssl)); - /* Further usage of SSL_get_ciphers/wolfSSL_get_ciphers_compat is - * tested in test_wolfSSL_sk_CIPHER_description according to Qt usage */ +#ifdef OPENSSL_EXTRA + ExpectIntEQ(SSL_SESSION_is_resumable(NULL), 0); + ExpectIntEQ(SSL_SESSION_is_resumable(sess), 1); - SSL_free(ssl); - SSL_CTX_free(ctx); -#endif - return EXPECT_RESULT(); -} + ExpectIntEQ(wolfSSL_SESSION_has_ticket(NULL), 0); + ExpectIntEQ(wolfSSL_SESSION_get_ticket_lifetime_hint(NULL), 0); + #ifdef HAVE_SESSION_TICKET + ExpectIntEQ(wolfSSL_SESSION_has_ticket(sess), 1); + ExpectIntEQ(wolfSSL_SESSION_get_ticket_lifetime_hint(sess), + SESSION_TICKET_HINT_DEFAULT); + #else + ExpectIntEQ(wolfSSL_SESSION_has_ticket(sess), 0); + #endif +#else + (void)sess; +#endif /* OPENSSL_EXTRA */ -static int test_wolfSSL_EVP_PKEY_set1_get1_DSA(void) -{ - EXPECT_DECLS; -#if !defined (NO_DSA) && !defined(HAVE_SELFTEST) && defined(WOLFSSL_KEY_GEN) - DSA *dsa = NULL; - DSA *setDsa = NULL; - EVP_PKEY *pkey = NULL; - EVP_PKEY *set1Pkey = NULL; + /* Retain copy of the session for later testing */ + ExpectNotNull(sess = wolfSSL_get1_session(ssl)); - SHA_CTX sha; - byte signature[DSA_SIG_SIZE]; - byte hash[WC_SHA_DIGEST_SIZE]; - word32 bytes; - int answer; -#ifdef USE_CERT_BUFFERS_1024 - const unsigned char* dsaKeyDer = dsa_key_der_1024; - int dsaKeySz = sizeof_dsa_key_der_1024; - byte tmp[ONEK_BUF]; + wolfSSL_shutdown(ssl); + wolfSSL_free(ssl); ssl = NULL; - XMEMSET(tmp, 0, sizeof(tmp)); - XMEMCPY(tmp, dsaKeyDer , dsaKeySz); - bytes = dsaKeySz; -#elif defined(USE_CERT_BUFFERS_2048) - const unsigned char* dsaKeyDer = dsa_key_der_2048; - int dsaKeySz = sizeof_dsa_key_der_2048; - byte tmp[TWOK_BUF]; + CloseSocket(sockfd); - XMEMSET(tmp, 0, sizeof(tmp)); - XMEMCPY(tmp, dsaKeyDer , dsaKeySz); - bytes = (word32)dsaKeySz; -#else - byte tmp[TWOK_BUF]; - const unsigned char* dsaKeyDer = (const unsigned char*)tmp; - int dsaKeySz; - XFILE fp = XBADFILE; + join_thread(serverThread); - XMEMSET(tmp, 0, sizeof(tmp)); - ExpectTrue((fp = XFOPEN("./certs/dsa2048.der", "rb")) != XBADFILE); - ExpectIntGT(dsaKeySz = bytes = (word32) XFREAD(tmp, 1, sizeof(tmp), fp), 0); - if (fp != XBADFILE) - XFCLOSE(fp); -#endif /* END USE_CERT_BUFFERS_1024 */ + FreeTcpReady(&ready); - /* Create hash to later Sign and Verify */ - ExpectIntEQ(SHA1_Init(&sha), WOLFSSL_SUCCESS); - ExpectIntEQ(SHA1_Update(&sha, tmp, bytes), WOLFSSL_SUCCESS); - ExpectIntEQ(SHA1_Final(hash,&sha), WOLFSSL_SUCCESS); +#ifdef WOLFSSL_TIRTOS + fdOpenSession(Task_self()); +#endif - /* Initialize pkey with der format dsa key */ - ExpectNotNull(d2i_PrivateKey(EVP_PKEY_DSA, &pkey, &dsaKeyDer, - (long)dsaKeySz)); +#if defined(SESSION_CERTS) && defined(OPENSSL_EXTRA) + { + X509 *x509 = NULL; + char buf[30]; + int bufSz = 0; - /* Test wolfSSL_EVP_PKEY_get1_DSA */ - /* Should Fail: NULL argument */ - ExpectNull(dsa = EVP_PKEY_get0_DSA(NULL)); - ExpectNull(dsa = EVP_PKEY_get1_DSA(NULL)); - /* Should Pass: Initialized pkey argument */ - ExpectNotNull(dsa = EVP_PKEY_get0_DSA(pkey)); - ExpectNotNull(dsa = EVP_PKEY_get1_DSA(pkey)); + ExpectNotNull(x509 = SSL_SESSION_get0_peer(sess)); + ExpectIntGT((bufSz = X509_NAME_get_text_by_NID( + X509_get_subject_name(x509), NID_organizationalUnitName, buf, + sizeof(buf))), 0); + ExpectIntNE((bufSz == 7 || bufSz == 16), 0); /* should be one of these*/ + if (bufSz == 7) { + ExpectIntEQ(XMEMCMP(buf, "Support", bufSz), 0); + } + if (bufSz == 16) { + ExpectIntEQ(XMEMCMP(buf, "Programming-2048", bufSz), 0); + } + } +#endif -#ifdef USE_CERT_BUFFERS_1024 - ExpectIntEQ(DSA_bits(dsa), 1024); -#else - ExpectIntEQ(DSA_bits(dsa), 2048); +#ifdef HAVE_EXT_CACHE + ExpectNotNull(sess_copy = wolfSSL_SESSION_dup(sess)); + wolfSSL_SESSION_free(sess_copy); sess_copy = NULL; + sess_copy = NULL; #endif - /* Sign */ - ExpectIntEQ(wolfSSL_DSA_do_sign(hash, signature, dsa), WOLFSSL_SUCCESS); - /* Verify. */ - ExpectIntEQ(wolfSSL_DSA_do_verify(hash, signature, dsa, &answer), - WOLFSSL_SUCCESS); +#if defined(OPENSSL_EXTRA) && defined(HAVE_EXT_CACHE) + /* get session from DER and update the timeout */ + ExpectIntEQ(wolfSSL_i2d_SSL_SESSION(NULL, &sessDer), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntGT((sz = wolfSSL_i2d_SSL_SESSION(sess, &sessDer)), 0); + wolfSSL_SESSION_free(sess); sess = NULL; + sess = NULL; + ptr = sessDer; + ExpectNull(sess = wolfSSL_d2i_SSL_SESSION(NULL, NULL, sz)); + ExpectNotNull(sess = wolfSSL_d2i_SSL_SESSION(NULL, + (const unsigned char**)&ptr, sz)); + XFREE(sessDer, NULL, DYNAMIC_TYPE_OPENSSL); + sessDer = NULL; - /* Test wolfSSL_EVP_PKEY_set1_DSA */ - /* Should Fail: set1Pkey not initialized */ - ExpectIntNE(EVP_PKEY_set1_DSA(set1Pkey, dsa), WOLFSSL_SUCCESS); + ExpectIntGT(wolfSSL_SESSION_get_time(sess), 0); + ExpectIntEQ(wolfSSL_SSL_SESSION_set_timeout(sess, 500), SSL_SUCCESS); +#endif - /* Initialize set1Pkey */ - set1Pkey = EVP_PKEY_new(); + /* successful set session test */ + ExpectNotNull(ssl = wolfSSL_new(ctx)); + ExpectIntEQ(wolfSSL_set_session(ssl, sess), WOLFSSL_SUCCESS); - /* Should Fail Verify: setDsa not initialized from set1Pkey */ - ExpectIntNE(wolfSSL_DSA_do_verify(hash,signature,setDsa,&answer), - WOLFSSL_SUCCESS); +#ifdef HAVE_SESSION_TICKET + /* Test set/get session ticket */ + { + const char* ticket = "This is a session ticket"; + char buf[64] = {0}; + word32 bufSz = (word32)sizeof(buf); + word32 retSz = 0; - /* Should Pass: set dsa into set1Pkey */ - ExpectIntEQ(EVP_PKEY_set1_DSA(set1Pkey, dsa), WOLFSSL_SUCCESS); + ExpectIntEQ(WOLFSSL_SUCCESS, + wolfSSL_set_SessionTicket(ssl, (byte *)ticket, + (word32)XSTRLEN(ticket))); + ExpectIntEQ(WOLFSSL_SUCCESS, + wolfSSL_get_SessionTicket(ssl, (byte *)buf, &bufSz)); + ExpectStrEQ(ticket, buf); - DSA_free(dsa); - DSA_free(setDsa); - EVP_PKEY_free(pkey); - EVP_PKEY_free(set1Pkey); -#endif /* !NO_DSA && !HAVE_SELFTEST && WOLFSSL_KEY_GEN */ - return EXPECT_RESULT(); -} /* END test_EVP_PKEY_set1_get1_DSA */ + /* return ticket length if buffer parameter is null */ + wolfSSL_get_SessionTicket(ssl, NULL, &retSz); + ExpectIntEQ(bufSz, retSz); + } +#endif -static int test_wolfSSL_EVP_PKEY_set1_get1_EC_KEY (void) -{ - EXPECT_DECLS; -#ifdef HAVE_ECC - WOLFSSL_EC_KEY* ecKey = NULL; - WOLFSSL_EC_KEY* ecGet1 = NULL; - EVP_PKEY* pkey = NULL; +#ifdef OPENSSL_EXTRA + /* session timeout case */ + /* make the session to be expired */ + ExpectIntEQ(SSL_SESSION_set_timeout(sess,1), SSL_SUCCESS); + XSLEEP_MS(1200); - ExpectNotNull(ecKey = wolfSSL_EC_KEY_new()); - ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); + /* SSL_set_session should reject specified session but return success + * if WOLFSSL_ERROR_CODE_OPENSSL macro is defined for OpenSSL compatibility. + */ +#if defined(WOLFSSL_ERROR_CODE_OPENSSL) + ExpectIntEQ(wolfSSL_set_session(ssl,sess), SSL_SUCCESS); +#else + ExpectIntEQ(wolfSSL_set_session(ssl,sess), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); +#endif + ExpectIntEQ(wolfSSL_SSL_SESSION_set_timeout(sess, 500), SSL_SUCCESS); - /* Test wolfSSL_EVP_PKEY_set1_EC_KEY */ - ExpectIntEQ(wolfSSL_EVP_PKEY_set1_EC_KEY(NULL, ecKey), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_EVP_PKEY_set1_EC_KEY(pkey, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - /* Should fail since ecKey is empty */ - ExpectIntEQ(wolfSSL_EVP_PKEY_set1_EC_KEY(pkey, ecKey), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_EC_KEY_generate_key(ecKey), 1); - ExpectIntEQ(wolfSSL_EVP_PKEY_set1_EC_KEY(pkey, ecKey), WOLFSSL_SUCCESS); +#ifdef WOLFSSL_SESSION_ID_CTX + /* fail case with miss match session context IDs (use compatibility API) */ + ExpectIntEQ(SSL_set_session_id_context(ssl, context, contextSz), + SSL_SUCCESS); + ExpectIntEQ(wolfSSL_set_session(ssl, sess), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + wolfSSL_free(ssl); ssl = NULL; - /* Test wolfSSL_EVP_PKEY_get1_EC_KEY */ - ExpectNull(wolfSSL_EVP_PKEY_get1_EC_KEY(NULL)); - ExpectNotNull(ecGet1 = wolfSSL_EVP_PKEY_get1_EC_KEY(pkey)); + ExpectIntEQ(SSL_CTX_set_session_id_context(NULL, context, contextSz), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(SSL_CTX_set_session_id_context(ctx, context, contextSz), + SSL_SUCCESS); + ExpectNotNull(ssl = wolfSSL_new(ctx)); + ExpectIntEQ(wolfSSL_set_session(ssl, sess), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); +#endif +#endif /* OPENSSL_EXTRA */ - wolfSSL_EC_KEY_free(ecKey); - wolfSSL_EC_KEY_free(ecGet1); - EVP_PKEY_free(pkey); -#endif /* HAVE_ECC */ + wolfSSL_free(ssl); + wolfSSL_SESSION_free(sess); + wolfSSL_CTX_free(ctx); +#endif return EXPECT_RESULT(); -} /* END test_EVP_PKEY_set1_get1_EC_KEY */ +} + +#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \ + !defined(NO_RSA) && defined(HAVE_IO_TESTS_DEPENDENCIES) && \ + !defined(NO_SESSION_CACHE) && defined(OPENSSL_EXTRA) && \ + !defined(WOLFSSL_NO_TLS12) +static WOLFSSL_SESSION* test_wolfSSL_SESSION_expire_sess = NULL; -static int test_wolfSSL_EVP_PKEY_set1_get1_DH (void) +static void test_wolfSSL_SESSION_expire_downgrade_ctx_ready(WOLFSSL_CTX* ctx) { - EXPECT_DECLS; -#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) || defined(WOLFSSL_OPENSSH) -#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) -#if !defined(NO_DH) && defined(WOLFSSL_DH_EXTRA) && !defined(NO_FILESYSTEM) - DH *dh = NULL; - DH *setDh = NULL; - EVP_PKEY *pkey = NULL; + #ifdef WOLFSSL_ERROR_CODE_OPENSSL + /* returns previous timeout value */ + AssertIntEQ(wolfSSL_CTX_set_timeout(ctx, 1), 500); + #else + AssertIntEQ(wolfSSL_CTX_set_timeout(ctx, 1), WOLFSSL_SUCCESS); + #endif +} - XFILE f = XBADFILE; - unsigned char buf[4096]; - const unsigned char* pt = buf; - const char* dh2048 = "./certs/dh2048.der"; - long len = 0; - int code = -1; - XMEMSET(buf, 0, sizeof(buf)); +/* set the session to timeout in a second */ +static void test_wolfSSL_SESSION_expire_downgrade_ssl_ready(WOLFSSL* ssl) +{ + AssertIntEQ(wolfSSL_set_timeout(ssl, 2), 1); +} - ExpectTrue((f = XFOPEN(dh2048, "rb")) != XBADFILE); - ExpectTrue((len = (long)XFREAD(buf, 1, sizeof(buf), f)) > 0); - if (f != XBADFILE) - XFCLOSE(f); - /* Load dh2048.der into DH with internal format */ - ExpectNotNull(setDh = wolfSSL_d2i_DHparams(NULL, &pt, len)); +/* store the client side session from the first successful connection */ +static void test_wolfSSL_SESSION_expire_downgrade_ssl_result(WOLFSSL* ssl) +{ + AssertPtrNE((test_wolfSSL_SESSION_expire_sess = wolfSSL_get1_session(ssl)), + NULL); /* ref count 1 */ +} - ExpectIntEQ(wolfSSL_DH_check(setDh, &code), WOLFSSL_SUCCESS); - ExpectIntEQ(code, 0); - code = -1; - ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); +/* wait till session is expired then set it in the WOLFSSL struct for use */ +static void test_wolfSSL_SESSION_expire_downgrade_ssl_ready_wait(WOLFSSL* ssl) +{ + AssertIntEQ(wolfSSL_set_timeout(ssl, 1), 1); + AssertIntEQ(wolfSSL_set_session(ssl, test_wolfSSL_SESSION_expire_sess), + WOLFSSL_SUCCESS); + XSLEEP_MS(2000); /* wait 2 seconds for session to expire */ +} - /* Set DH into PKEY */ - ExpectIntEQ(wolfSSL_EVP_PKEY_set1_DH(pkey, setDh), WOLFSSL_SUCCESS); - /* Get DH from PKEY */ - ExpectNotNull(dh = wolfSSL_EVP_PKEY_get1_DH(pkey)); +/* set expired session in the WOLFSSL struct for use */ +static void test_wolfSSL_SESSION_expire_downgrade_ssl_ready_set(WOLFSSL* ssl) +{ + XSLEEP_MS(1200); /* wait a second for session to expire */ - ExpectIntEQ(wolfSSL_DH_check(dh, &code), WOLFSSL_SUCCESS); - ExpectIntEQ(code, 0); + /* set the expired session, call to set session fails but continuing on + after failure should be handled here */ +#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_ERROR_CODE_OPENSSL) + AssertIntEQ(wolfSSL_set_session(ssl, test_wolfSSL_SESSION_expire_sess), + WOLFSSL_SUCCESS); +#else + AssertIntNE(wolfSSL_set_session(ssl, test_wolfSSL_SESSION_expire_sess), + WOLFSSL_SUCCESS); +#endif +} - EVP_PKEY_free(pkey); - DH_free(setDh); - setDh = NULL; - DH_free(dh); - dh = NULL; -#endif /* !NO_DH && WOLFSSL_DH_EXTRA && !NO_FILESYSTEM */ -#endif /* !HAVE_FIPS || HAVE_FIPS_VERSION > 2 */ -#endif /* OPENSSL_ALL || WOLFSSL_QT || WOLFSSL_OPENSSH */ - return EXPECT_RESULT(); -} /* END test_EVP_PKEY_set1_get1_DH */ -static int test_wolfSSL_CTX_ctrl(void) +/* check that the expired session was not reused */ +static void test_wolfSSL_SESSION_expire_downgrade_ssl_result_reuse(WOLFSSL* ssl) { - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_TLS) && \ - !defined(NO_FILESYSTEM) && !defined(NO_RSA) && !defined(NO_WOLFSSL_SERVER) - char caFile[] = "./certs/client-ca.pem"; - char clientFile[] = "./certs/client-cert.pem"; - SSL_CTX* ctx = NULL; - X509* x509 = NULL; -#if !defined(NO_DH) && !defined(NO_DSA) && !defined(NO_BIO) - byte buf[6000]; - char file[] = "./certs/dsaparams.pem"; - XFILE f = XBADFILE; - int bytes = 0; - BIO* bio = NULL; - DSA* dsa = NULL; - DH* dh = NULL; -#endif -#ifdef HAVE_ECC - WOLFSSL_EC_KEY* ecKey = NULL; + /* since the session has expired it should not have been reused */ + AssertIntEQ(wolfSSL_session_reused(ssl), 0); +} #endif - ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); +static int test_wolfSSL_SESSION_expire_downgrade(void) +{ + EXPECT_DECLS; +#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \ + !defined(NO_RSA) && defined(HAVE_IO_TESTS_DEPENDENCIES) && \ + !defined(NO_SESSION_CACHE) && defined(OPENSSL_EXTRA) && \ + !defined(WOLFSSL_NO_TLS12) + callback_functions server_cbf, client_cbf; - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(caFile, - WOLFSSL_FILETYPE_PEM)); - ExpectIntEQ((int)SSL_CTX_add_extra_chain_cert(ctx, x509), WOLFSSL_SUCCESS); - if (EXPECT_FAIL()) { - wolfSSL_X509_free(x509); - } + XMEMSET(&server_cbf, 0, sizeof(callback_functions)); + XMEMSET(&client_cbf, 0, sizeof(callback_functions)); - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(clientFile, - WOLFSSL_FILETYPE_PEM)); + /* force server side to use TLS 1.2 */ + server_cbf.method = wolfTLSv1_2_server_method; -#if !defined(NO_DH) && !defined(NO_DSA) && !defined(NO_BIO) - /* Initialize DH */ - ExpectTrue((f = XFOPEN(file, "rb")) != XBADFILE); - ExpectIntGT(bytes = (int)XFREAD(buf, 1, sizeof(buf), f), 0); - if (f != XBADFILE) - XFCLOSE(f); + client_cbf.method = wolfSSLv23_client_method; + server_cbf.ctx_ready = test_wolfSSL_SESSION_expire_downgrade_ctx_ready; + client_cbf.ssl_ready = test_wolfSSL_SESSION_expire_downgrade_ssl_ready; + client_cbf.on_result = test_wolfSSL_SESSION_expire_downgrade_ssl_result; - ExpectNotNull(bio = BIO_new_mem_buf((void*)buf, bytes)); + test_wolfSSL_client_server_nofail(&client_cbf, &server_cbf); + ExpectIntEQ(client_cbf.return_code, TEST_SUCCESS); + ExpectIntEQ(server_cbf.return_code, TEST_SUCCESS); - ExpectNotNull(dsa = wolfSSL_PEM_read_bio_DSAparams(bio, NULL, NULL, NULL)); + client_cbf.method = wolfSSLv23_client_method; + server_cbf.ctx_ready = test_wolfSSL_SESSION_expire_downgrade_ctx_ready; + client_cbf.ssl_ready = test_wolfSSL_SESSION_expire_downgrade_ssl_ready_wait; + client_cbf.on_result = + test_wolfSSL_SESSION_expire_downgrade_ssl_result_reuse; - ExpectNotNull(dh = wolfSSL_DSA_dup_DH(dsa)); -#endif -#ifdef HAVE_ECC - /* Initialize WOLFSSL_EC_KEY */ - ExpectNotNull(ecKey = wolfSSL_EC_KEY_new()); - ExpectIntEQ(wolfSSL_EC_KEY_generate_key(ecKey), 1); -#endif + test_wolfSSL_client_server_nofail(&client_cbf, &server_cbf); + ExpectIntEQ(client_cbf.return_code, TEST_SUCCESS); + ExpectIntEQ(server_cbf.return_code, TEST_SUCCESS); - /* additional test of getting EVP_PKEY key size from X509 - * Do not run with user RSA because wolfSSL_RSA_size is not currently - * allowed with user RSA */ - { - EVP_PKEY* pkey = NULL; -#if defined(HAVE_ECC) - X509* ecX509 = NULL; -#endif /* HAVE_ECC */ + client_cbf.method = wolfSSLv23_client_method; + server_cbf.ctx_ready = test_wolfSSL_SESSION_expire_downgrade_ctx_ready; + client_cbf.ssl_ready = test_wolfSSL_SESSION_expire_downgrade_ssl_ready_set; + client_cbf.on_result = + test_wolfSSL_SESSION_expire_downgrade_ssl_result_reuse; - ExpectNotNull(pkey = X509_get_pubkey(x509)); - /* current RSA key is 2048 bit (256 bytes) */ - ExpectIntEQ(EVP_PKEY_size(pkey), 256); + test_wolfSSL_client_server_nofail(&client_cbf, &server_cbf); + ExpectIntEQ(client_cbf.return_code, TEST_SUCCESS); + ExpectIntEQ(server_cbf.return_code, TEST_SUCCESS); - EVP_PKEY_free(pkey); - pkey = NULL; + wolfSSL_SESSION_free(test_wolfSSL_SESSION_expire_sess); +#endif + return EXPECT_RESULT(); +} -#if defined(HAVE_ECC) -#if defined(USE_CERT_BUFFERS_256) - ExpectNotNull(ecX509 = wolfSSL_X509_load_certificate_buffer( - cliecc_cert_der_256, sizeof_cliecc_cert_der_256, - SSL_FILETYPE_ASN1)); +#if defined(OPENSSL_EXTRA) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \ + defined(HAVE_EX_DATA) && !defined(NO_SESSION_CACHE) +#ifdef WOLFSSL_ATOMIC_OPS + typedef wolfSSL_Atomic_Int SessRemCounter_t; #else - ExpectNotNull(ecX509 = wolfSSL_X509_load_certificate_file( - cliEccCertFile, SSL_FILETYPE_PEM)); + typedef int SessRemCounter_t; #endif - ExpectNotNull(pkey = X509_get_pubkey(ecX509)); - /* current ECC key is 256 bit (32 bytes) */ - ExpectIntGE(EVP_PKEY_size(pkey), 72); - - X509_free(ecX509); - EVP_PKEY_free(pkey); -#endif /* HAVE_ECC */ - } +static SessRemCounter_t clientSessRemCountMalloc; +static SessRemCounter_t serverSessRemCountMalloc; +static SessRemCounter_t clientSessRemCountFree; +static SessRemCounter_t serverSessRemCountFree; - /* Tests should fail with passed in NULL pointer */ - ExpectIntEQ((int)wolfSSL_CTX_ctrl(ctx, SSL_CTRL_EXTRA_CHAIN_CERT, 0, NULL), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); -#if !defined(NO_DH) && !defined(NO_DSA) - ExpectIntEQ((int)wolfSSL_CTX_ctrl(ctx, SSL_CTRL_SET_TMP_DH, 0, NULL), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); -#endif -#ifdef HAVE_ECC - ExpectIntEQ((int)wolfSSL_CTX_ctrl(ctx, SSL_CTRL_SET_TMP_ECDH, 0, NULL), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); +static WOLFSSL_CTX* serverSessCtx = NULL; +static WOLFSSL_SESSION* serverSess = NULL; +#if (defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET)) || \ + !defined(NO_SESSION_CACHE_REF) +static WOLFSSL_CTX* clientSessCtx = NULL; +static WOLFSSL_SESSION* clientSess = NULL; #endif +static int serverSessRemIdx = 3; +static int sessRemCtx_Server = WOLFSSL_SERVER_END; +static int sessRemCtx_Client = WOLFSSL_CLIENT_END; - /* Test with SSL_CTRL_EXTRA_CHAIN_CERT - * wolfSSL_CTX_ctrl should succesffuly call SSL_CTX_add_extra_chain_cert - */ - ExpectIntEQ((int)wolfSSL_CTX_ctrl(ctx, SSL_CTRL_EXTRA_CHAIN_CERT, 0, x509), - SSL_SUCCESS); - if (EXPECT_FAIL()) { - wolfSSL_X509_free(x509); - } - - /* Test with SSL_CTRL_OPTIONS - * wolfSSL_CTX_ctrl should succesffuly call SSL_CTX_set_options - */ - ExpectTrue(wolfSSL_CTX_ctrl(ctx, SSL_CTRL_OPTIONS, SSL_OP_NO_TLSv1, - NULL) == SSL_OP_NO_TLSv1); - ExpectTrue(SSL_CTX_get_options(ctx) == SSL_OP_NO_TLSv1); - - /* Test with SSL_CTRL_SET_TMP_DH - * wolfSSL_CTX_ctrl should succesffuly call wolfSSL_SSL_CTX_set_tmp_dh - */ -#if !defined(NO_DH) && !defined(NO_DSA) && !defined(NO_BIO) - ExpectIntEQ((int)wolfSSL_CTX_ctrl(ctx, SSL_CTRL_SET_TMP_DH, 0, dh), - SSL_SUCCESS); -#endif +static void SessRemCtxCb(WOLFSSL_CTX *ctx, WOLFSSL_SESSION *sess) +{ + int* side; - /* Test with SSL_CTRL_SET_TMP_ECDH - * wolfSSL_CTX_ctrl should succesffuly call wolfSSL_SSL_CTX_set_tmp_ecdh - */ -#ifdef HAVE_ECC - ExpectIntEQ((int)wolfSSL_CTX_ctrl(ctx, SSL_CTRL_SET_TMP_ECDH, 0, ecKey), - SSL_SUCCESS); -#endif + (void)ctx; -#ifdef WOLFSSL_ENCRYPTED_KEYS - ExpectNull(SSL_CTX_get_default_passwd_cb(ctx)); - ExpectNull(SSL_CTX_get_default_passwd_cb_userdata(ctx)); -#endif + side = (int*)SSL_SESSION_get_ex_data(sess, serverSessRemIdx); + if (side != NULL) { + if (*side == WOLFSSL_CLIENT_END) + (void)wolfSSL_Atomic_Int_FetchAdd(&clientSessRemCountFree, 1); + else + (void)wolfSSL_Atomic_Int_FetchAdd(&serverSessRemCountFree, 1); - /* Test for min/max proto */ -#ifndef WOLFSSL_NO_TLS12 - ExpectIntEQ((int)wolfSSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, - 0, NULL), SSL_SUCCESS); - ExpectIntEQ((int)wolfSSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, - TLS1_2_VERSION, NULL), SSL_SUCCESS); - ExpectIntEQ(wolfSSL_CTX_get_min_proto_version(ctx), TLS1_2_VERSION); -#endif -#ifdef WOLFSSL_TLS13 - ExpectIntEQ((int)wolfSSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, - 0, NULL), SSL_SUCCESS); + SSL_SESSION_set_ex_data(sess, serverSessRemIdx, NULL); + } +} - ExpectIntEQ((int)wolfSSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, - TLS1_3_VERSION, NULL), SSL_SUCCESS); - ExpectIntEQ(wolfSSL_CTX_get_max_proto_version(ctx), TLS1_3_VERSION); -#ifndef WOLFSSL_NO_TLS12 - ExpectIntEQ((int)wolfSSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, - TLS1_2_VERSION, NULL), SSL_SUCCESS); - ExpectIntEQ(wolfSSL_CTX_get_max_proto_version(ctx), TLS1_2_VERSION); -#endif -#endif - /* Cleanup and Pass */ -#if !defined(NO_DH) && !defined(NO_DSA) -#ifndef NO_BIO - BIO_free(bio); - DSA_free(dsa); - DH_free(dh); - dh = NULL; -#endif -#endif -#ifdef HAVE_ECC - wolfSSL_EC_KEY_free(ecKey); +static int SessRemCtxSetupCb(WOLFSSL_CTX* ctx) +{ + SSL_CTX_sess_set_remove_cb(ctx, SessRemCtxCb); +#if defined(WOLFSSL_TLS13) && !defined(HAVE_SESSION_TICKET) && \ + !defined(NO_SESSION_CACHE_REF) + { + EXPECT_DECLS; + /* Allow downgrade, set min version, and disable TLS 1.3. + * Do this because without NO_SESSION_CACHE_REF we will want to return a + * reference to the session cache. But with WOLFSSL_TLS13 and without + * HAVE_SESSION_TICKET we won't have a session ID to be able to place + * the session in the cache. In this case we need to downgrade to + * previous versions to just use the legacy session ID field. */ + ExpectIntEQ(SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION), + SSL_SUCCESS); + ExpectIntEQ(SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION), + SSL_SUCCESS); + return EXPECT_RESULT(); + } +#else + return TEST_SUCCESS; #endif - SSL_CTX_free(ctx); -#endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ - * !defined(NO_FILESYSTEM) && !defined(NO_RSA) */ - return EXPECT_RESULT(); } -static int test_wolfSSL_EVP_PKEY_assign(void) +static int SessRemSslSetupCb(WOLFSSL* ssl) { EXPECT_DECLS; -#if !defined(NO_RSA) || !defined(NO_DSA) || defined(HAVE_ECC) - int type; - WOLFSSL_EVP_PKEY* pkey = NULL; -#ifndef NO_RSA - WOLFSSL_RSA* rsa = NULL; -#endif -#ifndef NO_DSA - WOLFSSL_DSA* dsa = NULL; -#endif -#ifdef HAVE_ECC - WOLFSSL_EC_KEY* ecKey = NULL; -#endif - -#ifndef NO_RSA - type = EVP_PKEY_RSA; - ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); - ExpectNotNull(rsa = wolfSSL_RSA_new()); - ExpectIntEQ(wolfSSL_EVP_PKEY_assign(NULL, type, rsa), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, type, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, -1, rsa), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, type, rsa), WOLFSSL_SUCCESS); - if (EXPECT_FAIL()) { - wolfSSL_RSA_free(rsa); - } - wolfSSL_EVP_PKEY_free(pkey); - pkey = NULL; -#endif /* NO_RSA */ - -#ifndef NO_DSA - type = EVP_PKEY_DSA; - ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); - ExpectNotNull(dsa = wolfSSL_DSA_new()); - ExpectIntEQ(wolfSSL_EVP_PKEY_assign(NULL, type, dsa), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, type, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, -1, dsa), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, type, dsa), WOLFSSL_SUCCESS); - if (EXPECT_FAIL()) { - wolfSSL_DSA_free(dsa); - } - wolfSSL_EVP_PKEY_free(pkey); - pkey = NULL; -#endif /* NO_DSA */ + int* side; -#ifdef HAVE_ECC - type = EVP_PKEY_EC; - ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); - ExpectNotNull(ecKey = wolfSSL_EC_KEY_new()); - ExpectIntEQ(wolfSSL_EVP_PKEY_assign(NULL, type, ecKey), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, type, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, -1, ecKey), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, type, ecKey), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_EC_KEY_generate_key(ecKey), 1); - ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, type, ecKey), WOLFSSL_SUCCESS); - if (EXPECT_FAIL()) { - wolfSSL_EC_KEY_free(ecKey); + if (SSL_is_server(ssl)) { + side = &sessRemCtx_Server; + (void)wolfSSL_Atomic_Int_FetchAdd(&serverSessRemCountMalloc, 1); + ExpectNotNull(serverSess = SSL_get1_session(ssl)); + ExpectIntEQ(SSL_CTX_up_ref(serverSessCtx = SSL_get_SSL_CTX(ssl)), + SSL_SUCCESS); } - wolfSSL_EVP_PKEY_free(pkey); - pkey = NULL; -#endif /* HAVE_ECC */ -#endif /* !NO_RSA || !NO_DSA || HAVE_ECC */ + else { + side = &sessRemCtx_Client; + (void)wolfSSL_Atomic_Int_FetchAdd(&clientSessRemCountMalloc, 1); +#if (defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET)) || \ + !defined(NO_SESSION_CACHE_REF) + ExpectNotNull(clientSess = SSL_get1_session(ssl)); + ExpectIntEQ(SSL_CTX_up_ref(clientSessCtx = SSL_get_SSL_CTX(ssl)), + SSL_SUCCESS); +#endif + } + ExpectIntEQ(SSL_SESSION_set_ex_data(SSL_get_session(ssl), + serverSessRemIdx, side), SSL_SUCCESS); + return EXPECT_RESULT(); } +#endif -static int test_wolfSSL_EVP_PKEY_assign_DH(void) +static int test_wolfSSL_CTX_sess_set_remove_cb(void) { EXPECT_DECLS; -#if !defined(NO_DH) && \ - !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)) - XFILE f = XBADFILE; - unsigned char buf[4096]; - const unsigned char* pt = buf; - const char* params1 = "./certs/dh2048.der"; - long len = 0; - WOLFSSL_DH* dh = NULL; - WOLFSSL_EVP_PKEY* pkey = NULL; - XMEMSET(buf, 0, sizeof(buf)); - - /* Load DH parameters DER. */ - ExpectTrue((f = XFOPEN(params1, "rb")) != XBADFILE); - ExpectTrue((len = (long)XFREAD(buf, 1, sizeof(buf), f)) > 0); - if (f != XBADFILE) - XFCLOSE(f); +#if defined(OPENSSL_EXTRA) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \ + defined(HAVE_EX_DATA) && !defined(NO_SESSION_CACHE) + /* Check that the remove callback gets called for external data in a + * session object */ + test_ssl_cbf func_cb; - ExpectNotNull(dh = wolfSSL_d2i_DHparams(NULL, &pt, len)); - ExpectIntEQ(DH_generate_key(dh), WOLFSSL_SUCCESS); + wolfSSL_Atomic_Int_Init(&clientSessRemCountMalloc, 0); + wolfSSL_Atomic_Int_Init(&serverSessRemCountMalloc, 0); + wolfSSL_Atomic_Int_Init(&clientSessRemCountFree, 0); + wolfSSL_Atomic_Int_Init(&serverSessRemCountFree, 0); - ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); + XMEMSET(&func_cb, 0, sizeof(func_cb)); + func_cb.ctx_ready = SessRemCtxSetupCb; + func_cb.on_result = SessRemSslSetupCb; - /* Bad cases */ - ExpectIntEQ(wolfSSL_EVP_PKEY_assign_DH(NULL, dh), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_EVP_PKEY_assign_DH(pkey, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_EVP_PKEY_assign_DH(NULL, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&func_cb, &func_cb, + NULL), TEST_SUCCESS); - /* Good case */ - ExpectIntEQ(wolfSSL_EVP_PKEY_assign_DH(pkey, dh), WOLFSSL_SUCCESS); - if (EXPECT_FAIL()) { - wolfSSL_DH_free(dh); - } + /* Both should have been allocated */ + ExpectIntEQ(clientSessRemCountMalloc, 1); + ExpectIntEQ(serverSessRemCountMalloc, 1); - EVP_PKEY_free(pkey); + /* This should not be called yet. Session wasn't evicted from cache yet. */ + ExpectIntEQ(clientSessRemCountFree, 0); +#if (defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET)) || \ + !defined(NO_SESSION_CACHE_REF) + /* Force a cache lookup */ + ExpectNotNull(SSL_SESSION_get_ex_data(clientSess, serverSessRemIdx)); + /* Force a cache update */ + ExpectNotNull(SSL_SESSION_set_ex_data(clientSess, serverSessRemIdx - 1, 0)); + /* This should set the timeout to 0 and call the remove callback from within + * the session cache. */ + ExpectIntEQ(SSL_CTX_remove_session(clientSessCtx, clientSess), 0); + ExpectNull(SSL_SESSION_get_ex_data(clientSess, serverSessRemIdx)); + ExpectIntEQ(clientSessRemCountFree, 1); +#endif + /* Server session is in the cache so ex_data isn't free'd with the SSL + * object */ + ExpectIntEQ(serverSessRemCountFree, 0); + /* Force a cache lookup */ + ExpectNotNull(SSL_SESSION_get_ex_data(serverSess, serverSessRemIdx)); + /* Force a cache update */ + ExpectNotNull(SSL_SESSION_set_ex_data(serverSess, serverSessRemIdx - 1, 0)); + /* This should set the timeout to 0 and call the remove callback from within + * the session cache. */ + ExpectIntEQ(SSL_CTX_remove_session(serverSessCtx, serverSess), 0); + ExpectNull(SSL_SESSION_get_ex_data(serverSess, serverSessRemIdx)); + ExpectIntEQ(serverSessRemCountFree, 1); + /* Need to free the references that we kept */ + SSL_CTX_free(serverSessCtx); + SSL_SESSION_free(serverSess); +#if (defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET)) || \ + !defined(NO_SESSION_CACHE_REF) + SSL_CTX_free(clientSessCtx); + SSL_SESSION_free(clientSess); +#endif #endif return EXPECT_RESULT(); } -static int test_wolfSSL_EVP_PKEY_base_id(void) +static int test_wolfSSL_ticket_keys(void) { EXPECT_DECLS; - WOLFSSL_EVP_PKEY* pkey = NULL; +#if defined(HAVE_SESSION_TICKET) && !defined(WOLFSSL_NO_DEF_TICKET_ENC_CB) && \ + !defined(NO_WOLFSSL_SERVER) && !defined(NO_TLS) + WOLFSSL_CTX* ctx = NULL; + byte keys[WOLFSSL_TICKET_KEYS_SZ]; - ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); - ExpectIntEQ(wolfSSL_EVP_PKEY_base_id(NULL), NID_undef); + ExpectIntEQ(wolfSSL_CTX_get_tlsext_ticket_keys(NULL, NULL, 0), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_CTX_get_tlsext_ticket_keys(ctx, NULL, 0), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_CTX_get_tlsext_ticket_keys(ctx, keys, 0), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_CTX_get_tlsext_ticket_keys(NULL, keys, 0), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_CTX_get_tlsext_ticket_keys(NULL, NULL, sizeof(keys)), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_CTX_get_tlsext_ticket_keys(ctx, NULL, sizeof(keys)), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_CTX_get_tlsext_ticket_keys(NULL, keys, sizeof(keys)), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_EVP_PKEY_base_id(pkey), EVP_PKEY_RSA); + ExpectIntEQ(wolfSSL_CTX_set_tlsext_ticket_keys(NULL, NULL, 0), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_CTX_set_tlsext_ticket_keys(ctx, NULL, 0), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_CTX_set_tlsext_ticket_keys(ctx, keys, 0), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_CTX_set_tlsext_ticket_keys(NULL, keys, 0), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_CTX_set_tlsext_ticket_keys(NULL, NULL, sizeof(keys)), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_CTX_set_tlsext_ticket_keys(ctx, NULL, sizeof(keys)), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_CTX_set_tlsext_ticket_keys(NULL, keys, sizeof(keys)), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - EVP_PKEY_free(pkey); + ExpectIntEQ(wolfSSL_CTX_get_tlsext_ticket_keys(ctx, keys, sizeof(keys)), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CTX_set_tlsext_ticket_keys(ctx, keys, sizeof(keys)), + WOLFSSL_SUCCESS); + wolfSSL_CTX_free(ctx); +#endif return EXPECT_RESULT(); } -static int test_wolfSSL_EVP_PKEY_id(void) -{ - EXPECT_DECLS; - WOLFSSL_EVP_PKEY* pkey = NULL; - - ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); - - ExpectIntEQ(wolfSSL_EVP_PKEY_id(NULL), 0); - - ExpectIntEQ(wolfSSL_EVP_PKEY_id(pkey), EVP_PKEY_RSA); - - EVP_PKEY_free(pkey); - return EXPECT_RESULT(); -} +#ifndef NO_BIO -static int test_wolfSSL_EVP_PKEY_paramgen(void) +static int test_wolfSSL_d2i_PUBKEY(void) { EXPECT_DECLS; - /* ECC check taken from ecc.c. It is the condition that defines ECC256 */ -#if defined(OPENSSL_ALL) && !defined(NO_ECC_SECP) && \ - ((!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && \ - ECC_MIN_KEY_SZ <= 256) - EVP_PKEY_CTX* ctx = NULL; - EVP_PKEY* pkey = NULL; +#if defined(OPENSSL_EXTRA) + BIO* bio = NULL; + EVP_PKEY* pkey = NULL; + + ExpectNotNull(bio = BIO_new(BIO_s_mem())); + ExpectNull(d2i_PUBKEY_bio(NULL, NULL)); - /* Test error conditions. */ - ExpectIntEQ(EVP_PKEY_paramgen(NULL, &pkey), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectNotNull(ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL)); - ExpectIntEQ(EVP_PKEY_paramgen(ctx, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); +#if defined(USE_CERT_BUFFERS_2048) && !defined(NO_RSA) + /* RSA PUBKEY test */ + ExpectIntGT(BIO_write(bio, client_keypub_der_2048, + sizeof_client_keypub_der_2048), 0); + ExpectNotNull(pkey = d2i_PUBKEY_bio(bio, NULL)); + EVP_PKEY_free(pkey); + pkey = NULL; +#endif -#ifndef NO_RSA - EVP_PKEY_CTX_free(ctx); - /* Parameter generation for RSA not supported yet. */ - ExpectNotNull(ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL)); - ExpectIntEQ(EVP_PKEY_paramgen(ctx, &pkey), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); +#if defined(USE_CERT_BUFFERS_256) && defined(HAVE_ECC) + /* ECC PUBKEY test */ + ExpectIntGT(BIO_write(bio, ecc_clikeypub_der_256, + sizeof_ecc_clikeypub_der_256), 0); + ExpectNotNull(pkey = d2i_PUBKEY_bio(bio, NULL)); + EVP_PKEY_free(pkey); + pkey = NULL; #endif -#ifdef HAVE_ECC - EVP_PKEY_CTX_free(ctx); - ExpectNotNull(ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL)); - ExpectIntEQ(EVP_PKEY_paramgen_init(ctx), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, - NID_X9_62_prime256v1), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_paramgen(ctx, &pkey), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_CTX_set_ec_param_enc(ctx, OPENSSL_EC_NAMED_CURVE), - WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_keygen_init(ctx), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_keygen(ctx, &pkey), WOLFSSL_SUCCESS); +#if defined(USE_CERT_BUFFERS_2048) && !defined(NO_DSA) + /* DSA PUBKEY test */ + ExpectIntGT(BIO_write(bio, dsa_pub_key_der_2048, + sizeof_dsa_pub_key_der_2048), 0); + ExpectNotNull(pkey = d2i_PUBKEY_bio(bio, NULL)); + EVP_PKEY_free(pkey); + pkey = NULL; #endif - EVP_PKEY_CTX_free(ctx); +#if defined(USE_CERT_BUFFERS_2048) && !defined(NO_DH) && \ +defined(OPENSSL_EXTRA) && defined(WOLFSSL_DH_EXTRA) +#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && \ + (HAVE_FIPS_VERSION > 2)) + /* DH PUBKEY test */ + ExpectIntGT(BIO_write(bio, dh_pub_key_der_2048, + sizeof_dh_pub_key_der_2048), 0); + ExpectNotNull(pkey = d2i_PUBKEY_bio(bio, NULL)); EVP_PKEY_free(pkey); + pkey = NULL; +#endif /* !HAVE_FIPS || HAVE_FIPS_VERSION > 2 */ +#endif /* USE_CERT_BUFFERS_2048 && !NO_DH && && OPENSSL_EXTRA */ + + BIO_free(bio); + + (void)pkey; #endif + return EXPECT_RESULT(); } -static int test_wolfSSL_EVP_PKEY_keygen(void) +#if (defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO)) && !defined(NO_RSA) && \ + !defined(NO_TLS) +static int test_wolfSSL_d2i_PrivateKeys_bio(void) { EXPECT_DECLS; - WOLFSSL_EVP_PKEY* pkey = NULL; - EVP_PKEY_CTX* ctx = NULL; -#if !defined(NO_DH) && (!defined(HAVE_FIPS) || FIPS_VERSION_GT(2,0)) - WOLFSSL_EVP_PKEY* params = NULL; - DH* dh = NULL; - const BIGNUM* pubkey = NULL; - const BIGNUM* privkey = NULL; - ASN1_INTEGER* asn1int = NULL; - unsigned int length = 0; - byte* derBuffer = NULL; + BIO* bio = NULL; + EVP_PKEY* pkey = NULL; + WOLFSSL_CTX* ctx = NULL; + +#if defined(WOLFSSL_KEY_GEN) + unsigned char buff[4096]; + unsigned char* bufPtr = buff; #endif - ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); - ExpectNotNull(ctx = EVP_PKEY_CTX_new(pkey, NULL)); + /* test creating new EVP_PKEY with bad arg */ + ExpectNull((pkey = d2i_PrivateKey_bio(NULL, NULL))); - /* Bad cases */ - ExpectIntEQ(wolfSSL_EVP_PKEY_keygen(NULL, &pkey), 0); - ExpectIntEQ(wolfSSL_EVP_PKEY_keygen(ctx, NULL), 0); - ExpectIntEQ(wolfSSL_EVP_PKEY_keygen(NULL, NULL), 0); + /* test loading RSA key using BIO */ +#if !defined(NO_RSA) && !defined(NO_FILESYSTEM) + { + XFILE file = XBADFILE; + const char* fname = "./certs/server-key.der"; + long lsz = 0; + size_t sz = 0; + byte* buf = NULL; - /* Good case */ - ExpectIntEQ(wolfSSL_EVP_PKEY_keygen(ctx, &pkey), 0); + ExpectTrue((file = XFOPEN(fname, "rb")) != XBADFILE); + ExpectTrue(XFSEEK(file, 0, XSEEK_END) == 0); + ExpectTrue((lsz = XFTELL(file)) > 0); + sz = (size_t)lsz; + ExpectTrue(XFSEEK(file, 0, XSEEK_SET) == 0); + ExpectNotNull(buf = (byte*)XMALLOC(sz, HEAP_HINT, DYNAMIC_TYPE_FILE)); + ExpectIntEQ(XFREAD(buf, 1, sz, file), sz); + if (file != XBADFILE) { + XFCLOSE(file); + } - EVP_PKEY_CTX_free(ctx); - ctx = NULL; - EVP_PKEY_free(pkey); - pkey = NULL; + /* Test using BIO new mem and loading DER private key */ + ExpectNotNull(bio = BIO_new_mem_buf(buf, (int)sz)); + ExpectNotNull((pkey = d2i_PrivateKey_bio(bio, NULL))); + XFREE(buf, HEAP_HINT, DYNAMIC_TYPE_FILE); + BIO_free(bio); + bio = NULL; + EVP_PKEY_free(pkey); + pkey = NULL; + } +#endif -#if !defined(NO_DH) && (!defined(HAVE_FIPS) || FIPS_VERSION_GT(2,0)) - /* Test DH keygen */ + /* test loading ECC key using BIO */ +#if defined(HAVE_ECC) && !defined(NO_FILESYSTEM) { - ExpectNotNull(params = wolfSSL_EVP_PKEY_new()); - ExpectNotNull(dh = DH_get_2048_256()); - ExpectIntEQ(EVP_PKEY_set1_DH(params, dh), WOLFSSL_SUCCESS); - ExpectNotNull(ctx = EVP_PKEY_CTX_new(params, NULL)); - ExpectIntEQ(EVP_PKEY_keygen_init(ctx), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_keygen(ctx, &pkey), WOLFSSL_SUCCESS); - - DH_free(dh); - dh = NULL; - EVP_PKEY_CTX_free(ctx); - EVP_PKEY_free(params); - - /* try exporting generated key to DER, to verify */ - ExpectNotNull(dh = EVP_PKEY_get1_DH(pkey)); - DH_get0_key(dh, &pubkey, &privkey); - ExpectNotNull(pubkey); - ExpectNotNull(privkey); - ExpectNotNull(asn1int = BN_to_ASN1_INTEGER(pubkey, NULL)); - ExpectIntGT((length = i2d_ASN1_INTEGER(asn1int, &derBuffer)), 0); - - ASN1_INTEGER_free(asn1int); - DH_free(dh); - dh = NULL; - XFREE(derBuffer, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFILE file = XBADFILE; + const char* fname = "./certs/ecc-key.der"; + long lsz = 0; + size_t sz = 0; + byte* buf = NULL; + + ExpectTrue((file = XFOPEN(fname, "rb")) != XBADFILE); + ExpectTrue(XFSEEK(file, 0, XSEEK_END) == 0); + ExpectTrue((lsz = XFTELL(file)) > 0); + sz = (size_t)lsz; + ExpectTrue(XFSEEK(file, 0, XSEEK_SET) == 0); + ExpectNotNull(buf = (byte*)XMALLOC(sz, HEAP_HINT, DYNAMIC_TYPE_FILE)); + ExpectIntEQ(XFREAD(buf, 1, sz, file), sz); + if (file != XBADFILE) + XFCLOSE(file); + /* Test using BIO new mem and loading DER private key */ + ExpectNotNull(bio = BIO_new_mem_buf(buf, (int)sz)); + ExpectNotNull((pkey = d2i_PrivateKey_bio(bio, NULL))); + XFREE(buf, HEAP_HINT, DYNAMIC_TYPE_FILE); + BIO_free(bio); + bio = NULL; EVP_PKEY_free(pkey); + pkey = NULL; } #endif - return EXPECT_RESULT(); -} -static int test_wolfSSL_EVP_PKEY_keygen_init(void) -{ - EXPECT_DECLS; - WOLFSSL_EVP_PKEY* pkey = NULL; - EVP_PKEY_CTX *ctx = NULL; + ExpectNotNull(bio = BIO_new(BIO_s_mem())); +#ifndef NO_WOLFSSL_SERVER + ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); +#else + ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); +#endif - ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); - ExpectNotNull(ctx = EVP_PKEY_CTX_new(pkey, NULL)); +#if defined(WOLFSSL_KEY_GEN) && !defined(NO_RSA) + { + const unsigned char seqOnly[] = { 0x30, 0x00, 0x00, 0x00, 0x00, 0x00 }; + RSA* rsa = NULL; + /* Tests bad parameters */ + ExpectNull(d2i_RSAPrivateKey_bio(NULL, NULL)); - ExpectIntEQ(wolfSSL_EVP_PKEY_keygen_init(ctx), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_EVP_PKEY_keygen_init(NULL), WOLFSSL_SUCCESS); + /* Test using bad data. */ + ExpectIntGT(BIO_write(bio, seqOnly, sizeof(seqOnly)), 0); + ExpectNull(d2i_RSAPrivateKey_bio(bio, NULL)); - EVP_PKEY_CTX_free(ctx); - EVP_PKEY_free(pkey); + /* RSA not set yet, expecting to fail*/ + rsa = wolfSSL_RSA_new(); + ExpectIntEQ(SSL_CTX_use_RSAPrivateKey(ctx, rsa), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + wolfSSL_RSA_free(rsa); + rsa = NULL; - return EXPECT_RESULT(); -} -static int test_wolfSSL_EVP_PKEY_missing_parameters(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_ALL) && !defined(NO_WOLFSSL_STUB) - WOLFSSL_EVP_PKEY* pkey = NULL; +#if defined(USE_CERT_BUFFERS_2048) && defined(WOLFSSL_KEY_GEN) + /* set RSA using bio*/ + ExpectIntGT(BIO_write(bio, client_key_der_2048, + sizeof_client_key_der_2048), 0); + ExpectNotNull(d2i_RSAPrivateKey_bio(bio, &rsa)); + ExpectNotNull(rsa); - ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); + /* Tests bad parameters */ + ExpectIntEQ(SSL_CTX_use_RSAPrivateKey(NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(SSL_CTX_use_RSAPrivateKey(ctx, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(SSL_CTX_use_RSAPrivateKey(NULL, rsa), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_EVP_PKEY_missing_parameters(pkey), 0); - ExpectIntEQ(wolfSSL_EVP_PKEY_missing_parameters(NULL), 0); + ExpectIntEQ(SSL_CTX_use_RSAPrivateKey(ctx, rsa), WOLFSSL_SUCCESS); + + /* i2d RSAprivate key tests */ + ExpectIntEQ(wolfSSL_i2d_RSAPrivateKey(NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_i2d_RSAPrivateKey(rsa, NULL), 1192); + ExpectIntEQ(wolfSSL_i2d_RSAPrivateKey(rsa, &bufPtr), + sizeof_client_key_der_2048); + bufPtr -= sizeof_client_key_der_2048; + ExpectIntEQ(XMEMCMP(bufPtr, client_key_der_2048, + sizeof_client_key_der_2048), 0); + bufPtr = NULL; + ExpectIntEQ(wolfSSL_i2d_RSAPrivateKey(rsa, &bufPtr), + sizeof_client_key_der_2048); + ExpectNotNull(bufPtr); + ExpectIntEQ(XMEMCMP(bufPtr, client_key_der_2048, + sizeof_client_key_der_2048), 0); + XFREE(bufPtr, NULL, DYNAMIC_TYPE_OPENSSL); + + RSA_free(rsa); + rsa = NULL; + ExpectIntGT(BIO_write(bio, client_key_der_2048, + sizeof_client_key_der_2048), 0); + ExpectNotNull(d2i_RSA_PUBKEY_bio(bio, &rsa)); + (void)BIO_reset(bio); + + RSA_free(rsa); + rsa = RSA_new(); + ExpectIntEQ(wolfSSL_i2d_RSAPrivateKey(rsa, NULL), 0); +#endif /* USE_CERT_BUFFERS_2048 WOLFSSL_KEY_GEN */ + RSA_free(rsa); + } +#endif /* WOLFSSL_KEY_GEN && !NO_RSA */ + SSL_CTX_free(ctx); + ctx = NULL; + BIO_free(bio); + bio = NULL; - EVP_PKEY_free(pkey); -#endif return EXPECT_RESULT(); } -static int test_wolfSSL_EVP_PKEY_copy_parameters(void) +#endif /* OPENSSL_ALL || (WOLFSSL_ASIO && !NO_RSA) */ + +#endif /* !NO_BIO */ + + +static int test_wolfSSL_sk_GENERAL_NAME(void) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_DH) && defined(WOLFSSL_KEY_GEN) && \ - !defined(HAVE_SELFTEST) && (defined(OPENSSL_ALL) || defined(WOLFSSL_QT) || \ - defined(WOLFSSL_OPENSSH)) && defined(WOLFSSL_DH_EXTRA) && \ - !defined(NO_FILESYSTEM) - WOLFSSL_EVP_PKEY* params = NULL; - WOLFSSL_EVP_PKEY* copy = NULL; - DH* dh = NULL; - BIGNUM* p1; - BIGNUM* g1; - BIGNUM* q1; - BIGNUM* p2; - BIGNUM* g2; - BIGNUM* q2; - - /* create DH with DH_get_2048_256 params */ - ExpectNotNull(params = wolfSSL_EVP_PKEY_new()); - ExpectNotNull(dh = DH_get_2048_256()); - ExpectIntEQ(EVP_PKEY_set1_DH(params, dh), WOLFSSL_SUCCESS); - DH_get0_pqg(dh, (const BIGNUM**)&p1, - (const BIGNUM**)&q1, - (const BIGNUM**)&g1); - DH_free(dh); - dh = NULL; +#if defined(OPENSSL_EXTRA) && !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \ + !defined(NO_RSA) + X509* x509 = NULL; + GENERAL_NAME* gn = NULL; + GENERAL_NAME* dup_gn = NULL; + unsigned char buf[4096]; + const unsigned char* bufPt = NULL; + int bytes = 0; + int i; + int j; + XFILE f = XBADFILE; + STACK_OF(GENERAL_NAME)* sk = NULL; - /* create DH with random generated DH params */ - ExpectNotNull(copy = wolfSSL_EVP_PKEY_new()); - ExpectNotNull(dh = DH_generate_parameters(2048, 2, NULL, NULL)); - ExpectIntEQ(EVP_PKEY_set1_DH(copy, dh), WOLFSSL_SUCCESS); - DH_free(dh); - dh = NULL; + ExpectTrue((f = XFOPEN(cliCertDerFileExt, "rb")) != XBADFILE); + ExpectIntGT((bytes = (int)XFREAD(buf, 1, sizeof(buf), f)), 0); + if (f != XBADFILE) + XFCLOSE(f); + + for (j = 0; j < 2; ++j) { + bufPt = buf; + ExpectNotNull(x509 = d2i_X509(NULL, &bufPt, bytes)); - ExpectIntEQ(EVP_PKEY_copy_parameters(copy, params), WOLFSSL_SUCCESS); - ExpectNotNull(dh = EVP_PKEY_get1_DH(copy)); - ExpectNotNull(dh->p); - ExpectNotNull(dh->g); - ExpectNotNull(dh->q); - DH_get0_pqg(dh, (const BIGNUM**)&p2, - (const BIGNUM**)&q2, - (const BIGNUM**)&g2); + ExpectNotNull(sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509, + NID_subject_alt_name, NULL, NULL)); - ExpectIntEQ(BN_cmp(p1, p2), 0); - ExpectIntEQ(BN_cmp(q1, q2), 0); - ExpectIntEQ(BN_cmp(g1, g2), 0); + ExpectIntEQ(sk_GENERAL_NAME_num(sk), 1); + for (i = 0; i < sk_GENERAL_NAME_num(sk); i++) { + ExpectNotNull(gn = sk_GENERAL_NAME_value(sk, i)); - DH_free(dh); - dh = NULL; - EVP_PKEY_free(copy); - EVP_PKEY_free(params); + if (gn != NULL) { + switch (gn->type) { + case GEN_DNS: + fprintf(stderr, "found type GEN_DNS\n"); + break; + case GEN_EMAIL: + fprintf(stderr, "found type GEN_EMAIL\n"); + break; + case GEN_URI: + fprintf(stderr, "found type GEN_URI\n"); + break; + } + } + + ExpectNotNull(dup_gn = wolfSSL_GENERAL_NAME_dup(gn)); + wolfSSL_GENERAL_NAME_free(dup_gn); + dup_gn = NULL; + } + X509_free(x509); + x509 = NULL; + if (j == 0) { + sk_GENERAL_NAME_pop_free(sk, GENERAL_NAME_free); + } + else { + /* + * We had a bug where GENERAL_NAMES_free didn't free all the memory + * it was supposed to. This is a regression test for that bug. + */ + GENERAL_NAMES_free(sk); + } + sk = NULL; + } + + ExpectNull(wolfSSL_GENERAL_NAME_dup(NULL)); + ExpectIntEQ(wolfSSL_GENERAL_NAME_set_type(NULL, WOLFSSL_GEN_IA5), + BAD_FUNC_ARG); + wolfSSL_GENERAL_NAMES_free(NULL); #endif return EXPECT_RESULT(); } -static int test_wolfSSL_EVP_PKEY_CTX_set_rsa_keygen_bits(void) +static int test_wolfSSL_GENERAL_NAME_print(void) { EXPECT_DECLS; - WOLFSSL_EVP_PKEY* pkey = NULL; - EVP_PKEY_CTX* ctx = NULL; - int bits = 2048; +#if defined(OPENSSL_ALL) && !defined(NO_BIO) && !defined(NO_RSA) + X509* x509 = NULL; + GENERAL_NAME* gn = NULL; + GENERAL_NAME* dup_gn = NULL; + unsigned char buf[4096]; + const unsigned char* bufPt = NULL; + int bytes = 0; + XFILE f = XBADFILE; + STACK_OF(GENERAL_NAME)* sk = NULL; + BIO* out = NULL; + unsigned char outbuf[128]; - ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); - ExpectNotNull(ctx = EVP_PKEY_CTX_new(pkey, NULL)); + X509_EXTENSION* ext = NULL; + AUTHORITY_INFO_ACCESS* aia = NULL; + ACCESS_DESCRIPTION* ad = NULL; + ASN1_IA5STRING *dnsname = NULL; + ASN1_OBJECT* ridObj = NULL; - ExpectIntEQ(wolfSSL_EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, bits), - WOLFSSL_SUCCESS); + const unsigned char v4Addr[] = {192,168,53,1}; + const unsigned char v6Addr[] = + {0x20, 0x21, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x77, 0x77}; + const unsigned char email[] = + {'i', 'n', 'f', 'o', '@', 'w', 'o', 'l', + 'f', 's', 's', 'l', '.', 'c', 'o', 'm'}; + const unsigned char ridData[] = { 0x06, 0x04, 0x2a, 0x03, 0x04, 0x05 }; + const unsigned char* p; + unsigned long len; - EVP_PKEY_CTX_free(ctx); - EVP_PKEY_free(pkey); + const char* dnsStr = "DNS:example.com"; + const char* uriStr = "URI:http://127.0.0.1:22220"; + const char* v4addStr = "IP Address:192.168.53.1"; + const char* v6addStr = "IP Address:2021:DB8:0:0:0:FF00:42:7777"; + const char* emailStr = "email:info@wolfssl.com"; + const char* othrStr = "othername:"; + const char* x400Str = "X400Name:"; + const char* ediStr = "EdiPartyName:"; + const char* dirNameStr = "DirName:"; + const char* ridStr = "Registered ID:1.2.3.4.5"; - return EXPECT_RESULT(); -} + /* BIO to output */ + ExpectNotNull(out = BIO_new(BIO_s_mem())); -static int test_wolfSSL_EVP_CIPHER_CTX_iv_length(void) -{ - EXPECT_DECLS; - /* This is large enough to be used for all key sizes */ - byte key[AES_256_KEY_SIZE] = {0}; - byte iv[AES_BLOCK_SIZE] = {0}; - int i; - int nids[] = { - #ifdef HAVE_AES_CBC - NID_aes_128_cbc, - #endif - #if (!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)) || \ - (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)) - #ifdef HAVE_AESGCM - NID_aes_128_gcm, - #endif - #endif /* (HAVE_FIPS && !HAVE_SELFTEST) || HAVE_FIPS_VERSION > 2 */ - #ifdef WOLFSSL_AES_COUNTER - NID_aes_128_ctr, - #endif - #ifndef NO_DES3 - NID_des_cbc, - NID_des_ede3_cbc, - #endif - }; - int iv_lengths[] = { - #ifdef HAVE_AES_CBC - AES_BLOCK_SIZE, - #endif - #if (!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)) || \ - (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)) - #ifdef HAVE_AESGCM - GCM_NONCE_MID_SZ, - #endif - #endif /* (HAVE_FIPS && !HAVE_SELFTEST) || HAVE_FIPS_VERSION > 2 */ - #ifdef WOLFSSL_AES_COUNTER - AES_BLOCK_SIZE, - #endif - #ifndef NO_DES3 - DES_BLOCK_SIZE, - DES_BLOCK_SIZE, - #endif - }; - int nidsLen = (sizeof(nids)/sizeof(int)); + /* test for NULL param */ + gn = NULL; + + ExpectIntEQ(GENERAL_NAME_print(NULL, NULL), 0); + ExpectIntEQ(GENERAL_NAME_print(NULL, gn), 0); + ExpectIntEQ(GENERAL_NAME_print(out, NULL), 0); + + + /* test for GEN_DNS */ + ExpectTrue((f = XFOPEN(cliCertDerFileExt, "rb")) != XBADFILE); + ExpectIntGT((bytes = (int)XFREAD(buf, 1, sizeof(buf), f)), 0); + if (f != XBADFILE) { + XFCLOSE(f); + f = XBADFILE; + } + + bufPt = buf; + ExpectNotNull(x509 = d2i_X509(NULL, &bufPt, bytes)); + ExpectNotNull(sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509, + NID_subject_alt_name, NULL, NULL)); + + ExpectNotNull(gn = sk_GENERAL_NAME_value(sk, 0)); + ExpectIntEQ(GENERAL_NAME_print(out, gn), 1); + + XMEMSET(outbuf, 0, sizeof(outbuf)); + ExpectIntGT(BIO_read(out, outbuf, sizeof(outbuf)), 0); + ExpectIntEQ(XSTRNCMP((const char*)outbuf, dnsStr, XSTRLEN(dnsStr)), 0); + + sk_GENERAL_NAME_pop_free(sk, GENERAL_NAME_free); + gn = NULL; + sk = NULL; + X509_free(x509); + x509 = NULL; - for (i = 0; i < nidsLen; i++) { - const EVP_CIPHER* init = wolfSSL_EVP_get_cipherbynid(nids[i]); - EVP_CIPHER_CTX* ctx = EVP_CIPHER_CTX_new(); - wolfSSL_EVP_CIPHER_CTX_init(ctx); + /* Lets test for setting as well. */ + ExpectNotNull(gn = GENERAL_NAME_new()); + ExpectNotNull(dnsname = ASN1_IA5STRING_new()); + ExpectIntEQ(ASN1_STRING_set(dnsname, "example.com", -1), 1); + GENERAL_NAME_set0_value(gn, GEN_DNS, dnsname); + dnsname = NULL; + ExpectIntEQ(GENERAL_NAME_print(out, gn), 1); + XMEMSET(outbuf, 0, sizeof(outbuf)); + ExpectIntGT(BIO_read(out, outbuf, sizeof(outbuf)), 0); + ExpectIntEQ(XSTRNCMP((const char*)outbuf, dnsStr, XSTRLEN(dnsStr)), 0); + ExpectNotNull(dup_gn = GENERAL_NAME_dup(gn)); + wolfSSL_GENERAL_NAME_set0_value(NULL, WOLFSSL_GEN_IA5, NULL); + wolfSSL_GENERAL_NAME_set0_value(dup_gn, WOLFSSL_GEN_IA5, NULL); + wolfSSL_GENERAL_NAME_set0_value(NULL, WOLFSSL_GEN_DNS, NULL); + wolfSSL_GENERAL_NAME_set0_value(NULL, WOLFSSL_GEN_IA5, outbuf); + wolfSSL_GENERAL_NAME_set0_value(dup_gn, WOLFSSL_GEN_DNS, NULL); + wolfSSL_GENERAL_NAME_set0_value(dup_gn, WOLFSSL_GEN_IA5, outbuf); + wolfSSL_GENERAL_NAME_set0_value(NULL, WOLFSSL_GEN_DNS, outbuf); + GENERAL_NAME_free(dup_gn); + dup_gn = NULL; + GENERAL_NAME_free(gn); - ExpectIntEQ(EVP_CipherInit(ctx, init, key, iv, 1), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_iv_length(ctx), iv_lengths[i]); + /* test for GEN_URI */ - EVP_CIPHER_CTX_free(ctx); + ExpectTrue((f = XFOPEN("./certs/ocsp/root-ca-cert.pem", "rb")) != XBADFILE); + ExpectNotNull(x509 = wolfSSL_PEM_read_X509(f, NULL, NULL, NULL)); + if (f != XBADFILE) { + XFCLOSE(f); + f = XBADFILE; } - return EXPECT_RESULT(); -} + ExpectNotNull(ext = wolfSSL_X509_get_ext(x509, 4)); + ExpectNotNull(aia = (WOLFSSL_AUTHORITY_INFO_ACCESS*)wolfSSL_X509V3_EXT_d2i( + ext)); + ExpectNotNull(ad = (WOLFSSL_ACCESS_DESCRIPTION *)wolfSSL_sk_value(aia, 0)); -static int test_wolfSSL_EVP_CIPHER_CTX_key_length(void) -{ - EXPECT_DECLS; - byte key[AES_256_KEY_SIZE] = {0}; - byte iv[AES_BLOCK_SIZE] = {0}; - int i; - int nids[] = { - #ifdef HAVE_AES_CBC - NID_aes_128_cbc, - #ifdef WOLFSSL_AES_256 - NID_aes_256_cbc, - #endif - #endif - #if (!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)) || \ - (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)) - #ifdef HAVE_AESGCM - NID_aes_128_gcm, - #ifdef WOLFSSL_AES_256 - NID_aes_256_gcm, - #endif - #endif - #endif /* (HAVE_FIPS && !HAVE_SELFTEST) || HAVE_FIPS_VERSION > 2 */ - #ifdef WOLFSSL_AES_COUNTER - NID_aes_128_ctr, - #ifdef WOLFSSL_AES_256 - NID_aes_256_ctr, - #endif - #endif - #ifndef NO_DES3 - NID_des_cbc, - NID_des_ede3_cbc, - #endif - }; - int key_lengths[] = { - #ifdef HAVE_AES_CBC - AES_128_KEY_SIZE, - #ifdef WOLFSSL_AES_256 - AES_256_KEY_SIZE, - #endif - #endif - #if (!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)) || \ - (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)) - #ifdef HAVE_AESGCM - AES_128_KEY_SIZE, - #ifdef WOLFSSL_AES_256 - AES_256_KEY_SIZE, - #endif - #endif - #endif /* (HAVE_FIPS && !HAVE_SELFTEST) || HAVE_FIPS_VERSION > 2 */ - #ifdef WOLFSSL_AES_COUNTER - AES_128_KEY_SIZE, - #ifdef WOLFSSL_AES_256 - AES_256_KEY_SIZE, - #endif - #endif - #ifndef NO_DES3 - DES_KEY_SIZE, - DES3_KEY_SIZE, - #endif - }; - int nidsLen = (sizeof(nids)/sizeof(int)); + if (ad != NULL) { + gn = ad->location; + } + ExpectNotNull(dup_gn = GENERAL_NAME_dup(gn)); + GENERAL_NAME_free(dup_gn); + dup_gn = NULL; + ExpectIntEQ(GENERAL_NAME_print(out, gn), 1); + gn = NULL; - for (i = 0; i < nidsLen; i++) { - const EVP_CIPHER *init = wolfSSL_EVP_get_cipherbynid(nids[i]); - EVP_CIPHER_CTX* ctx = EVP_CIPHER_CTX_new(); - wolfSSL_EVP_CIPHER_CTX_init(ctx); + XMEMSET(outbuf,0,sizeof(outbuf)); + ExpectIntGT(BIO_read(out, outbuf, sizeof(outbuf)), 0); + ExpectIntEQ(XSTRNCMP((const char*)outbuf, uriStr, XSTRLEN(uriStr)), 0); - ExpectIntEQ(EVP_CipherInit(ctx, init, key, iv, 1), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_key_length(ctx), key_lengths[i]); + wolfSSL_sk_ACCESS_DESCRIPTION_pop_free(aia, NULL); + aia = NULL; + aia = (AUTHORITY_INFO_ACCESS*)wolfSSL_X509V3_EXT_d2i(ext); + ExpectNotNull(aia); + AUTHORITY_INFO_ACCESS_pop_free(aia, NULL); + aia = NULL; + X509_free(x509); + x509 = NULL; - ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_set_key_length(ctx, key_lengths[i]), - WOLFSSL_SUCCESS); + /* test for GEN_IPADD */ - EVP_CIPHER_CTX_free(ctx); + /* ip v4 address */ + ExpectNotNull(gn = wolfSSL_GENERAL_NAME_new()); + if (gn != NULL) { + gn->type = GEN_IPADD; + if (gn->d.iPAddress != NULL) { + gn->d.iPAddress->length = sizeof(v4Addr); + } } + ExpectIntEQ(wolfSSL_ASN1_STRING_set(gn->d.iPAddress, v4Addr, + sizeof(v4Addr)), 1); - return EXPECT_RESULT(); -} + ExpectIntEQ(GENERAL_NAME_print(out, gn), 1); + XMEMSET(outbuf,0,sizeof(outbuf)); + ExpectIntGT(BIO_read(out, outbuf, sizeof(outbuf)), 0); + ExpectIntEQ(XSTRNCMP((const char*)outbuf, v4addStr, XSTRLEN(v4addStr)), 0); -static int test_wolfSSL_EVP_CIPHER_CTX_set_iv(void) -{ - EXPECT_DECLS; -#if defined(HAVE_AESGCM) && !defined(NO_DES3) - int ivLen, keyLen; - EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new(); -#ifdef HAVE_AESGCM - byte key[AES_128_KEY_SIZE] = {0}; - byte iv[AES_BLOCK_SIZE] = {0}; - const EVP_CIPHER *init = EVP_aes_128_gcm(); -#else - byte key[DES3_KEY_SIZE] = {0}; - byte iv[DES_BLOCK_SIZE] = {0}; - const EVP_CIPHER *init = EVP_des_ede3_cbc(); -#endif + ExpectNotNull(dup_gn = GENERAL_NAME_dup(gn)); + GENERAL_NAME_free(dup_gn); + dup_gn = NULL; - wolfSSL_EVP_CIPHER_CTX_init(ctx); - ExpectIntEQ(EVP_CipherInit(ctx, init, key, iv, 1), WOLFSSL_SUCCESS); + GENERAL_NAME_free(gn); + gn = NULL; - ivLen = wolfSSL_EVP_CIPHER_CTX_iv_length(ctx); - keyLen = wolfSSL_EVP_CIPHER_CTX_key_length(ctx); + /* ip v6 address */ - /* Bad cases */ - ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_set_iv(NULL, iv, ivLen), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_set_iv(ctx, NULL, ivLen), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_set_iv(ctx, iv, 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_set_iv(NULL, NULL, 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_set_iv(ctx, iv, keyLen), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectNotNull(gn = wolfSSL_GENERAL_NAME_new()); + if (gn != NULL) { + gn->type = GEN_IPADD; + if (gn->d.iPAddress != NULL) { + gn->d.iPAddress->length = sizeof(v6Addr); + } + } + ExpectIntEQ(wolfSSL_ASN1_STRING_set(gn->d.iPAddress, v6Addr, + sizeof(v6Addr)), 1); - /* Good case */ - ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_set_iv(ctx, iv, ivLen), 1); + ExpectIntEQ(GENERAL_NAME_print(out, gn), 1); + XMEMSET(outbuf,0,sizeof(outbuf)); + ExpectIntGT(BIO_read(out, outbuf, sizeof(outbuf)), 0); + ExpectIntEQ(XSTRNCMP((const char*)outbuf, v6addStr, XSTRLEN(v6addStr)), 0); - EVP_CIPHER_CTX_free(ctx); -#endif - return EXPECT_RESULT(); -} + ExpectNotNull(dup_gn = GENERAL_NAME_dup(gn)); + GENERAL_NAME_free(dup_gn); + dup_gn = NULL; -static int test_wolfSSL_EVP_PKEY_CTX_new_id(void) -{ - EXPECT_DECLS; - WOLFSSL_ENGINE* e = NULL; - int id = 0; - EVP_PKEY_CTX *ctx = NULL; + GENERAL_NAME_free(gn); + gn = NULL; - ExpectNotNull(ctx = wolfSSL_EVP_PKEY_CTX_new_id(id, e)); + /* test for GEN_EMAIL */ - EVP_PKEY_CTX_free(ctx); + ExpectNotNull(gn = wolfSSL_GENERAL_NAME_new()); + if (gn != NULL) { + gn->type = GEN_EMAIL; + if (gn->d.rfc822Name != NULL) { + gn->d.rfc822Name->length = sizeof(email); + } + } + ExpectIntEQ(wolfSSL_ASN1_STRING_set(gn->d.rfc822Name, email, sizeof(email)), + 1); - return EXPECT_RESULT(); -} + ExpectIntEQ(GENERAL_NAME_print(out, gn), 1); + XMEMSET(outbuf,0,sizeof(outbuf)); + ExpectIntGT(BIO_read(out, outbuf, sizeof(outbuf)), 0); + ExpectIntEQ(XSTRNCMP((const char*)outbuf, emailStr, XSTRLEN(emailStr)), 0); -static int test_wolfSSL_EVP_rc4(void) -{ - EXPECT_DECLS; -#if !defined(NO_RC4) - ExpectNotNull(wolfSSL_EVP_rc4()); -#endif - return EXPECT_RESULT(); -} + ExpectNotNull(dup_gn = GENERAL_NAME_dup(gn)); + GENERAL_NAME_free(dup_gn); + dup_gn = NULL; -static int test_wolfSSL_EVP_enc_null(void) -{ - EXPECT_DECLS; - ExpectNotNull(wolfSSL_EVP_enc_null()); - return EXPECT_RESULT(); -} -static int test_wolfSSL_EVP_rc2_cbc(void) + GENERAL_NAME_free(gn); + gn = NULL; -{ - EXPECT_DECLS; -#if defined(WOLFSSL_QT) && !defined(NO_WOLFSSL_STUB) - ExpectNull(wolfSSL_EVP_rc2_cbc()); -#endif - return EXPECT_RESULT(); -} + /* test for GEN_OTHERNAME */ -static int test_wolfSSL_EVP_mdc2(void) -{ - EXPECT_DECLS; -#if !defined(NO_WOLFSSL_STUB) - ExpectNull(wolfSSL_EVP_mdc2()); -#endif - return EXPECT_RESULT(); -} + ExpectNotNull(gn = wolfSSL_GENERAL_NAME_new()); + if (gn != NULL) { + gn->type = GEN_OTHERNAME; + } -static int test_wolfSSL_EVP_md4(void) -{ - EXPECT_DECLS; -#if !defined(NO_MD4) - ExpectNotNull(wolfSSL_EVP_md4()); -#endif - return EXPECT_RESULT(); -} + ExpectIntEQ(GENERAL_NAME_print(out, gn), 1); + XMEMSET(outbuf,0,sizeof(outbuf)); + ExpectIntGT(BIO_read(out, outbuf, sizeof(outbuf)), 0); + ExpectIntEQ(XSTRNCMP((const char*)outbuf, othrStr, XSTRLEN(othrStr)), 0); -static int test_wolfSSL_EVP_aes_256_gcm(void) -{ - EXPECT_DECLS; -#if defined(HAVE_AESGCM) && defined(WOLFSSL_AES_256) - ExpectNotNull(wolfSSL_EVP_aes_256_gcm()); -#endif - return EXPECT_RESULT(); -} + GENERAL_NAME_free(gn); + gn = NULL; -static int test_wolfSSL_EVP_aes_192_gcm(void) -{ - EXPECT_DECLS; -#if defined(HAVE_AESGCM) && defined(WOLFSSL_AES_192) - ExpectNotNull(wolfSSL_EVP_aes_192_gcm()); -#endif - return EXPECT_RESULT(); -} + /* test for GEN_X400 */ -static int test_wolfSSL_EVP_aes_256_ccm(void) -{ - EXPECT_DECLS; -#if defined(HAVE_AESCCM) && defined(WOLFSSL_AES_256) - ExpectNotNull(wolfSSL_EVP_aes_256_ccm()); -#endif - return EXPECT_RESULT(); -} + ExpectNotNull(gn = wolfSSL_GENERAL_NAME_new()); + if (gn != NULL) { + gn->type = GEN_X400; + } -static int test_wolfSSL_EVP_aes_192_ccm(void) -{ - EXPECT_DECLS; -#if defined(HAVE_AESCCM) && defined(WOLFSSL_AES_192) - ExpectNotNull(wolfSSL_EVP_aes_192_ccm()); -#endif - return EXPECT_RESULT(); -} + ExpectIntEQ(GENERAL_NAME_print(out, gn), 1); + XMEMSET(outbuf,0,sizeof(outbuf)); + ExpectIntGT(BIO_read(out, outbuf, sizeof(outbuf)), 0); + ExpectIntEQ(XSTRNCMP((const char*)outbuf, x400Str, XSTRLEN(x400Str)), 0); -static int test_wolfSSL_EVP_aes_128_ccm(void) -{ - EXPECT_DECLS; -#if defined(HAVE_AESCCM) && defined(WOLFSSL_AES_128) - ExpectNotNull(wolfSSL_EVP_aes_128_ccm()); -#endif - return EXPECT_RESULT(); -} + /* Restore to GEN_IA5 (default) to avoid memory leak. */ + if (gn != NULL) { + gn->type = GEN_IA5; + } -static int test_wolfSSL_EVP_ripemd160(void) -{ - EXPECT_DECLS; -#if !defined(NO_WOLFSSL_STUB) - ExpectNull(wolfSSL_EVP_ripemd160()); -#endif - return EXPECT_RESULT(); -} + /* Duplicating GEN_X400 not supported. */ + ExpectNull(GENERAL_NAME_dup(gn)); -static int test_wolfSSL_EVP_get_digestbynid(void) -{ - EXPECT_DECLS; + GENERAL_NAME_free(gn); + gn = NULL; -#ifndef NO_MD5 - ExpectNotNull(wolfSSL_EVP_get_digestbynid(NID_md5)); -#endif -#ifndef NO_SHA - ExpectNotNull(wolfSSL_EVP_get_digestbynid(NID_sha1)); -#endif -#ifndef NO_SHA256 - ExpectNotNull(wolfSSL_EVP_get_digestbynid(NID_sha256)); -#endif - ExpectNull(wolfSSL_EVP_get_digestbynid(0)); + /* test for GEN_EDIPARTY */ - return EXPECT_RESULT(); -} + ExpectNotNull(gn = wolfSSL_GENERAL_NAME_new()); + if (gn != NULL) { + gn->type = GEN_EDIPARTY; + } -static int test_wolfSSL_EVP_MD_nid(void) -{ - EXPECT_DECLS; + ExpectIntEQ(GENERAL_NAME_print(out, gn), 1); + XMEMSET(outbuf,0,sizeof(outbuf)); + ExpectIntGT(BIO_read(out, outbuf, sizeof(outbuf)), 0); + ExpectIntEQ(XSTRNCMP((const char*)outbuf, ediStr, XSTRLEN(ediStr)), 0); -#ifndef NO_MD5 - ExpectIntEQ(EVP_MD_nid(EVP_md5()), NID_md5); -#endif -#ifndef NO_SHA - ExpectIntEQ(EVP_MD_nid(EVP_sha1()), NID_sha1); -#endif -#ifndef NO_SHA256 - ExpectIntEQ(EVP_MD_nid(EVP_sha256()), NID_sha256); -#endif - ExpectIntEQ(EVP_MD_nid(NULL), NID_undef); + /* Restore to GEN_IA5 (default) to avoid memory leak. */ + if (gn != NULL) { + gn->type = GEN_IA5; + } - return EXPECT_RESULT(); -} + /* Duplicating GEN_EDIPARTY not supported. */ + ExpectNull(dup_gn = GENERAL_NAME_dup(gn)); -static int test_wolfSSL_EVP_PKEY_get0_EC_KEY(void) -{ - EXPECT_DECLS; -#if defined(HAVE_ECC) - WOLFSSL_EVP_PKEY* pkey = NULL; + GENERAL_NAME_free(gn); + gn = NULL; + + /* test for GEN_DIRNAME */ + ExpectNotNull(gn = wolfSSL_GENERAL_NAME_new()); + if (gn != NULL) { + gn->type = GEN_DIRNAME; + } + ExpectIntEQ(GENERAL_NAME_print(out, gn), 1); + XMEMSET(outbuf,0,sizeof(outbuf)); + ExpectIntGT(BIO_read(out, outbuf, sizeof(outbuf)), 0); + ExpectIntEQ(XSTRNCMP((const char*)outbuf, dirNameStr, XSTRLEN(dirNameStr)), + 0); + /* Duplicating GEN_DIRNAME not supported. */ + ExpectNull(dup_gn = GENERAL_NAME_dup(gn)); + /* Restore to GEN_IA5 (default) to avoid memory leak. */ + if (gn != NULL) { + gn->type = GEN_IA5; + } + GENERAL_NAME_free(gn); + gn = NULL; - ExpectNull(EVP_PKEY_get0_EC_KEY(NULL)); + /* test for GEN_RID */ + p = ridData; + len = sizeof(ridData); + ExpectNotNull(ridObj = wolfSSL_d2i_ASN1_OBJECT(NULL, &p, len)); + ExpectNotNull(gn = wolfSSL_GENERAL_NAME_new()); + if (gn != NULL) { + gn->type = GEN_RID; + wolfSSL_ASN1_STRING_free(gn->d.ia5); + gn->d.registeredID = ridObj; + } + else { + wolfSSL_ASN1_OBJECT_free(ridObj); + } + ExpectIntEQ(GENERAL_NAME_print(out, gn), 1); + XMEMSET(outbuf,0,sizeof(outbuf)); + ExpectIntGT(BIO_read(out, outbuf, sizeof(outbuf)), 0); + ExpectIntEQ(XSTRNCMP((const char*)outbuf, ridStr, XSTRLEN(ridStr)), 0); + /* Duplicating GEN_DIRNAME not supported. */ + ExpectNull(dup_gn = GENERAL_NAME_dup(gn)); + GENERAL_NAME_free(gn); + gn = NULL; - ExpectNotNull(pkey = EVP_PKEY_new()); - ExpectNull(EVP_PKEY_get0_EC_KEY(pkey)); - EVP_PKEY_free(pkey); -#endif + BIO_free(out); +#endif /* OPENSSL_ALL */ return EXPECT_RESULT(); } -static int test_wolfSSL_EVP_X_STATE(void) +static int test_wolfSSL_sk_DIST_POINT(void) { EXPECT_DECLS; -#if !defined(NO_DES3) && !defined(NO_RC4) - byte key[DES3_KEY_SIZE] = {0}; - byte iv[DES_IV_SIZE] = {0}; - EVP_CIPHER_CTX *ctx = NULL; - const EVP_CIPHER *init = NULL; - - /* Bad test cases */ - ExpectNotNull(ctx = EVP_CIPHER_CTX_new()); - ExpectNotNull(init = EVP_des_ede3_cbc()); - - wolfSSL_EVP_CIPHER_CTX_init(ctx); - ExpectIntEQ(EVP_CipherInit(ctx, init, key, iv, 1), WOLFSSL_SUCCESS); +#if defined(OPENSSL_EXTRA) && !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \ + !defined(NO_RSA) + X509* x509 = NULL; + unsigned char buf[4096]; + const unsigned char* bufPt; + int bytes = 0; + int i = 0; + int j = 0; + XFILE f = XBADFILE; + DIST_POINT* dp = NULL; + DIST_POINT_NAME* dpn = NULL; + GENERAL_NAME* gn = NULL; + ASN1_IA5STRING* uri = NULL; + STACK_OF(DIST_POINT)* dps = NULL; + STACK_OF(GENERAL_NAME)* gns = NULL; + const char cliCertDerCrlDistPoint[] = "./certs/client-crl-dist.der"; - ExpectNull(wolfSSL_EVP_X_STATE(NULL)); - ExpectNull(wolfSSL_EVP_X_STATE(ctx)); - EVP_CIPHER_CTX_free(ctx); - ctx = NULL; + ExpectTrue((f = XFOPEN(cliCertDerCrlDistPoint, "rb")) != XBADFILE); + ExpectIntGT((bytes = (int)XFREAD(buf, 1, sizeof(buf), f)), 0); + if (f != XBADFILE) + XFCLOSE(f); - /* Good test case */ - ExpectNotNull(ctx = EVP_CIPHER_CTX_new()); - ExpectNotNull(init = wolfSSL_EVP_rc4()); + bufPt = buf; + ExpectNotNull(x509 = d2i_X509(NULL, &bufPt, bytes)); - wolfSSL_EVP_CIPHER_CTX_init(ctx); - ExpectIntEQ(EVP_CipherInit(ctx, init, key, iv, 1), WOLFSSL_SUCCESS); + ExpectNotNull(dps = (STACK_OF(DIST_POINT)*)X509_get_ext_d2i(x509, + NID_crl_distribution_points, NULL, NULL)); - ExpectNotNull(wolfSSL_EVP_X_STATE(ctx)); - EVP_CIPHER_CTX_free(ctx); -#endif - return EXPECT_RESULT(); -} -static int test_wolfSSL_EVP_X_STATE_LEN(void) -{ - EXPECT_DECLS; -#if !defined(NO_DES3) && !defined(NO_RC4) - byte key[DES3_KEY_SIZE] = {0}; - byte iv[DES_IV_SIZE] = {0}; - EVP_CIPHER_CTX *ctx = NULL; - const EVP_CIPHER *init = NULL; + ExpectIntEQ(sk_DIST_POINT_num(dps), 1); + for (i = 0; i < sk_DIST_POINT_num(dps); i++) { + ExpectNotNull(dp = sk_DIST_POINT_value(dps, i)); + ExpectNotNull(dpn = dp->distpoint); - /* Bad test cases */ - ExpectNotNull(ctx = EVP_CIPHER_CTX_new()); - ExpectNotNull(init = EVP_des_ede3_cbc()); + /* this should be type 0, fullname */ + ExpectIntEQ(dpn->type, 0); - wolfSSL_EVP_CIPHER_CTX_init(ctx); - ExpectIntEQ(EVP_CipherInit(ctx, init, key, iv, 1), WOLFSSL_SUCCESS); + ExpectNotNull(gns = dp->distpoint->name.fullname); + ExpectIntEQ(sk_GENERAL_NAME_num(gns), 1); - ExpectIntEQ(wolfSSL_EVP_X_STATE_LEN(NULL), 0); - ExpectIntEQ(wolfSSL_EVP_X_STATE_LEN(ctx), 0); - EVP_CIPHER_CTX_free(ctx); - ctx = NULL; + for (j = 0; j < sk_GENERAL_NAME_num(gns); j++) { + ExpectNotNull(gn = sk_GENERAL_NAME_value(gns, j)); + ExpectIntEQ(gn->type, GEN_URI); + ExpectNotNull(uri = gn->d.uniformResourceIdentifier); + ExpectNotNull(uri->data); + ExpectIntGT(uri->length, 0); + } + } - /* Good test case */ - ExpectNotNull(ctx = EVP_CIPHER_CTX_new()); - ExpectNotNull(init = wolfSSL_EVP_rc4()); + ExpectNotNull(dp = wolfSSL_DIST_POINT_new()); + wolfSSL_DIST_POINT_free(NULL); + wolfSSL_DIST_POINTS_free(NULL); + wolfSSL_sk_DIST_POINT_free(NULL); + ExpectIntEQ(wolfSSL_sk_DIST_POINT_push(NULL, NULL), WOLFSSL_FAILURE); + ExpectIntEQ(wolfSSL_sk_DIST_POINT_push(dps, NULL), WOLFSSL_FAILURE); + ExpectIntEQ(wolfSSL_sk_DIST_POINT_push(NULL, dp), WOLFSSL_FAILURE); + ExpectNull(wolfSSL_sk_DIST_POINT_value(NULL, 0)); + ExpectIntEQ(wolfSSL_sk_DIST_POINT_num(NULL), WOLFSSL_FATAL_ERROR); + wolfSSL_DIST_POINT_free(dp); - wolfSSL_EVP_CIPHER_CTX_init(ctx); - ExpectIntEQ(EVP_CipherInit(ctx, init, key, iv, 1), WOLFSSL_SUCCESS); + X509_free(x509); + CRL_DIST_POINTS_free(dps); - ExpectIntEQ(wolfSSL_EVP_X_STATE_LEN(ctx), sizeof(Arc4)); - EVP_CIPHER_CTX_free(ctx); #endif return EXPECT_RESULT(); } -static int test_wolfSSL_EVP_CIPHER_block_size(void) + + +static int test_wolfSSL_verify_mode(void) { EXPECT_DECLS; -#if defined(HAVE_AES_CBC) || defined(HAVE_AESGCM) || \ - defined(WOLFSSL_AES_COUNTER) || defined(HAVE_AES_ECB) || \ - defined(WOLFSSL_AES_OFB) || !defined(NO_RC4) || \ - (defined(HAVE_CHACHA) && defined(HAVE_POLY1305)) +#if !defined(NO_RSA) && !defined(NO_TLS) && (defined(OPENSSL_ALL) || \ + defined(HAVE_STUNNEL) || defined(WOLFSSL_MYSQL_COMPATIBLE) || \ + defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)) + WOLFSSL* ssl = NULL; + WOLFSSL_CTX* ctx = NULL; -#ifdef HAVE_AES_CBC - #ifdef WOLFSSL_AES_128 - ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_128_cbc()), AES_BLOCK_SIZE); - #endif - #ifdef WOLFSSL_AES_192 - ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_192_cbc()), AES_BLOCK_SIZE); - #endif - #ifdef WOLFSSL_AES_256 - ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_256_cbc()), AES_BLOCK_SIZE); - #endif -#endif + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); -#ifdef HAVE_AESGCM - #ifdef WOLFSSL_AES_128 - ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_128_gcm()), 1); - #endif - #ifdef WOLFSSL_AES_192 - ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_192_gcm()), 1); - #endif - #ifdef WOLFSSL_AES_256 - ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_256_gcm()), 1); - #endif -#endif + ExpectNotNull(ssl = SSL_new(ctx)); + ExpectIntEQ(SSL_get_verify_mode(ssl), SSL_CTX_get_verify_mode(ctx)); + SSL_free(ssl); + ssl = NULL; -#ifdef HAVE_AESCCM - #ifdef WOLFSSL_AES_128 - ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_128_ccm()), 1); - #endif - #ifdef WOLFSSL_AES_192 - ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_192_ccm()), 1); - #endif - #ifdef WOLFSSL_AES_256 - ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_256_ccm()), 1); - #endif -#endif + SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, 0); + ExpectNotNull(ssl = SSL_new(ctx)); + ExpectIntEQ(SSL_get_verify_mode(ssl), SSL_CTX_get_verify_mode(ctx)); + ExpectIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_PEER); -#ifdef WOLFSSL_AES_COUNTER - #ifdef WOLFSSL_AES_128 - ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_128_ctr()), 1); - #endif - #ifdef WOLFSSL_AES_192 - ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_192_ctr()), 1); - #endif - #ifdef WOLFSSL_AES_256 - ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_256_ctr()), 1); - #endif -#endif + wolfSSL_set_verify(ssl, SSL_VERIFY_NONE, 0); + ExpectIntEQ(SSL_CTX_get_verify_mode(ctx), SSL_VERIFY_PEER); + ExpectIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_NONE); -#ifdef HAVE_AES_ECB - #ifdef WOLFSSL_AES_128 - ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_128_ecb()), AES_BLOCK_SIZE); - #endif - #ifdef WOLFSSL_AES_192 - ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_192_ecb()), AES_BLOCK_SIZE); - #endif - #ifdef WOLFSSL_AES_256 - ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_256_ecb()), AES_BLOCK_SIZE); - #endif -#endif + SSL_free(ssl); + ssl = NULL; -#ifdef WOLFSSL_AES_OFB - #ifdef WOLFSSL_AES_128 - ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_128_ofb()), 1); - #endif - #ifdef WOLFSSL_AES_192 - ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_192_ofb()), 1); - #endif - #ifdef WOLFSSL_AES_256 - ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_256_ofb()), 1); - #endif -#endif + wolfSSL_CTX_set_verify(ctx, + WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0); + ExpectNotNull(ssl = SSL_new(ctx)); + ExpectIntEQ(SSL_get_verify_mode(ssl), SSL_CTX_get_verify_mode(ctx)); + ExpectIntEQ(SSL_get_verify_mode(ssl), + WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT); -#ifndef NO_RC4 - ExpectIntEQ(EVP_CIPHER_block_size(wolfSSL_EVP_rc4()), 1); -#endif + wolfSSL_set_verify(ssl, SSL_VERIFY_PEER, 0); + ExpectIntEQ(SSL_CTX_get_verify_mode(ctx), + WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT); + ExpectIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_PEER); -#if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) - ExpectIntEQ(EVP_CIPHER_block_size(wolfSSL_EVP_chacha20_poly1305()), 1); -#endif -#endif + wolfSSL_set_verify(ssl, SSL_VERIFY_NONE, 0); + ExpectIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_NONE); -#ifdef WOLFSSL_SM4_ECB - ExpectIntEQ(EVP_CIPHER_block_size(EVP_sm4_ecb()), SM4_BLOCK_SIZE); -#endif -#ifdef WOLFSSL_SM4_CBC - ExpectIntEQ(EVP_CIPHER_block_size(EVP_sm4_cbc()), SM4_BLOCK_SIZE); -#endif -#ifdef WOLFSSL_SM4_CTR - ExpectIntEQ(EVP_CIPHER_block_size(EVP_sm4_ctr()), 1); -#endif -#ifdef WOLFSSL_SM4_GCM - ExpectIntEQ(EVP_CIPHER_block_size(EVP_sm4_gcm()), 1); -#endif -#ifdef WOLFSSL_SM4_CCM - ExpectIntEQ(EVP_CIPHER_block_size(EVP_sm4_ccm()), 1); -#endif + wolfSSL_set_verify(ssl, SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0); + ExpectIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_FAIL_IF_NO_PEER_CERT); - return EXPECT_RESULT(); -} + wolfSSL_set_verify(ssl, SSL_VERIFY_FAIL_EXCEPT_PSK, 0); + ExpectIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_FAIL_EXCEPT_PSK); -static int test_wolfSSL_EVP_CIPHER_iv_length(void) -{ - EXPECT_DECLS; - int nids[] = { - #if defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT) - #ifdef WOLFSSL_AES_128 - NID_aes_128_cbc, - #endif - #ifdef WOLFSSL_AES_192 - NID_aes_192_cbc, - #endif - #ifdef WOLFSSL_AES_256 - NID_aes_256_cbc, - #endif - #endif /* HAVE_AES_CBC || WOLFSSL_AES_DIRECT */ - #if (!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)) || \ - (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)) - #ifdef HAVE_AESGCM - #ifdef WOLFSSL_AES_128 - NID_aes_128_gcm, - #endif - #ifdef WOLFSSL_AES_192 - NID_aes_192_gcm, - #endif - #ifdef WOLFSSL_AES_256 - NID_aes_256_gcm, - #endif - #endif /* HAVE_AESGCM */ - #endif /* (HAVE_FIPS && !HAVE_SELFTEST) || HAVE_FIPS_VERSION > 2 */ - #ifdef WOLFSSL_AES_COUNTER - #ifdef WOLFSSL_AES_128 - NID_aes_128_ctr, - #endif - #ifdef WOLFSSL_AES_192 - NID_aes_192_ctr, - #endif - #ifdef WOLFSSL_AES_256 - NID_aes_256_ctr, - #endif - #endif - #ifndef NO_DES3 - NID_des_cbc, - NID_des_ede3_cbc, - #endif - #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) - NID_chacha20_poly1305, - #endif - }; - int iv_lengths[] = { - #if defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT) - #ifdef WOLFSSL_AES_128 - AES_BLOCK_SIZE, - #endif - #ifdef WOLFSSL_AES_192 - AES_BLOCK_SIZE, - #endif - #ifdef WOLFSSL_AES_256 - AES_BLOCK_SIZE, - #endif - #endif /* HAVE_AES_CBC || WOLFSSL_AES_DIRECT */ - #if (!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)) || \ - (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)) - #ifdef HAVE_AESGCM - #ifdef WOLFSSL_AES_128 - GCM_NONCE_MID_SZ, - #endif - #ifdef WOLFSSL_AES_192 - GCM_NONCE_MID_SZ, - #endif - #ifdef WOLFSSL_AES_256 - GCM_NONCE_MID_SZ, - #endif - #endif /* HAVE_AESGCM */ - #endif /* (HAVE_FIPS && !HAVE_SELFTEST) || HAVE_FIPS_VERSION > 2 */ - #ifdef WOLFSSL_AES_COUNTER - #ifdef WOLFSSL_AES_128 - AES_BLOCK_SIZE, - #endif - #ifdef WOLFSSL_AES_192 - AES_BLOCK_SIZE, - #endif - #ifdef WOLFSSL_AES_256 - AES_BLOCK_SIZE, - #endif - #endif - #ifndef NO_DES3 - DES_BLOCK_SIZE, - DES_BLOCK_SIZE, - #endif - #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) - CHACHA20_POLY1305_AEAD_IV_SIZE, - #endif - }; - int i; - int nidsLen = (sizeof(nids)/sizeof(int)); +#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH) + wolfSSL_set_verify(ssl, SSL_VERIFY_POST_HANDSHAKE, 0); + ExpectIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_POST_HANDSHAKE); +#endif - for (i = 0; i < nidsLen; i++) { - const EVP_CIPHER *c = EVP_get_cipherbynid(nids[i]); - ExpectIntEQ(EVP_CIPHER_iv_length(c), iv_lengths[i]); - } + ExpectIntEQ(SSL_CTX_get_verify_mode(ctx), + WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT); + SSL_free(ssl); + SSL_CTX_free(ctx); +#endif return EXPECT_RESULT(); } -static int test_wolfSSL_EVP_SignInit_ex(void) + +static int test_wolfSSL_verify_depth(void) { EXPECT_DECLS; - WOLFSSL_EVP_MD_CTX mdCtx; - WOLFSSL_ENGINE* e = 0; - const EVP_MD* md = EVP_sha256(); +#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_TLS) && \ + !defined(NO_WOLFSSL_CLIENT) + WOLFSSL* ssl = NULL; + WOLFSSL_CTX* ctx = NULL; + long depth = 0; + + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); + ExpectIntGT((depth = SSL_CTX_get_verify_depth(ctx)), 0); + + ExpectNotNull(ssl = SSL_new(ctx)); + ExpectIntEQ(SSL_get_verify_depth(ssl), SSL_CTX_get_verify_depth(ctx)); + SSL_free(ssl); + ssl = NULL; - wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(wolfSSL_EVP_SignInit_ex(&mdCtx, md, e), WOLFSSL_SUCCESS); + SSL_CTX_set_verify_depth(ctx, -1); + ExpectIntEQ(depth, SSL_CTX_get_verify_depth(ctx)); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); + SSL_CTX_set_verify_depth(ctx, 2); + ExpectIntEQ(2, SSL_CTX_get_verify_depth(ctx)); + ExpectNotNull(ssl = SSL_new(ctx)); + ExpectIntEQ(2, SSL_get_verify_depth(ssl)); + SSL_free(ssl); + SSL_CTX_free(ctx); +#endif return EXPECT_RESULT(); } -static int test_wolfSSL_EVP_DigestFinalXOF(void) +static int test_wolfSSL_verify_result(void) { EXPECT_DECLS; -#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE256) && defined(OPENSSL_ALL) - WOLFSSL_EVP_MD_CTX mdCtx; - unsigned char shake[256]; - unsigned char zeros[10]; - unsigned char data[] = "Test data"; - unsigned int sz; +#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \ + defined(OPENSSL_ALL)) && !defined(NO_TLS) && !defined(NO_WOLFSSL_CLIENT) + WOLFSSL* ssl = NULL; + WOLFSSL_CTX* ctx = NULL; + long result = 0xDEADBEEF; - XMEMSET(zeros, 0, sizeof(zeros)); - wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(EVP_DigestInit(&mdCtx, EVP_shake256()), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_MD_flags(EVP_shake256()), EVP_MD_FLAG_XOF); - ExpectIntEQ(EVP_MD_flags(EVP_sha3_256()), 0); - ExpectIntEQ(EVP_DigestUpdate(&mdCtx, data, 1), WOLFSSL_SUCCESS); - XMEMSET(shake, 0, sizeof(shake)); - ExpectIntEQ(EVP_DigestFinalXOF(&mdCtx, shake, 10), WOLFSSL_SUCCESS); + ExpectIntEQ(WC_NO_ERR_TRACE(WOLFSSL_FAILURE), wolfSSL_get_verify_result(ssl)); - /* make sure was only size of 10 */ - ExpectIntEQ(XMEMCMP(&shake[11], zeros, 10), 0); - ExpectIntEQ(EVP_MD_CTX_cleanup(&mdCtx), WOLFSSL_SUCCESS); + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); + ExpectNotNull(ssl = SSL_new(ctx)); - wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(EVP_DigestInit(&mdCtx, EVP_shake256()), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_DigestUpdate(&mdCtx, data, 1), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_DigestFinal(&mdCtx, shake, &sz), WOLFSSL_SUCCESS); - ExpectIntEQ(sz, 32); - ExpectIntEQ(EVP_MD_CTX_cleanup(&mdCtx), WOLFSSL_SUCCESS); + wolfSSL_set_verify_result(ssl, result); + ExpectIntEQ(result, wolfSSL_get_verify_result(ssl)); - #if defined(WOLFSSL_SHAKE128) - wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(EVP_DigestInit(&mdCtx, EVP_shake128()), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_DigestUpdate(&mdCtx, data, 1), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_DigestFinal(&mdCtx, shake, &sz), WOLFSSL_SUCCESS); - ExpectIntEQ(sz, 16); - ExpectIntEQ(EVP_MD_CTX_cleanup(&mdCtx), WOLFSSL_SUCCESS); - #endif + SSL_free(ssl); + SSL_CTX_free(ctx); #endif return EXPECT_RESULT(); } -static int test_wolfSSL_EVP_DigestFinal_ex(void) +#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_TLS) && \ + !defined(NO_WOLFSSL_CLIENT) +static void sslMsgCb(int w, int version, int type, const void* buf, + size_t sz, SSL* ssl, void* arg) { - EXPECT_DECLS; -#if !defined(NO_SHA256) - WOLFSSL_EVP_MD_CTX mdCtx; - unsigned int s = 0; - unsigned char md[WC_SHA256_DIGEST_SIZE]; - unsigned char md2[WC_SHA256_DIGEST_SIZE]; - - /* Bad Case */ -#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && \ - (HAVE_FIPS_VERSION > 2)) - wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(wolfSSL_EVP_DigestFinal_ex(&mdCtx, md, &s), 0); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); - -#else - wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(wolfSSL_EVP_DigestFinal_ex(&mdCtx, md, &s), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), WOLFSSL_SUCCESS); - -#endif + int i; + unsigned char* pt = (unsigned char*)buf; - /* Good Case */ - wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, EVP_sha256()), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_EVP_DigestFinal_ex(&mdCtx, md2, &s), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), WOLFSSL_SUCCESS); -#endif - return EXPECT_RESULT(); + fprintf(stderr, "%s %d bytes of version %d , type %d : ", + (w)?"Writing":"Reading", (int)sz, version, type); + for (i = 0; i < (int)sz; i++) fprintf(stderr, "%02X", pt[i]); + fprintf(stderr, "\n"); + (void)ssl; + (void)arg; } +#endif /* OPENSSL_EXTRA */ -static int test_wolfSSL_QT_EVP_PKEY_CTX_free(void) +static int test_wolfSSL_msg_callback(void) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) - EVP_PKEY* pkey = NULL; - EVP_PKEY_CTX* ctx = NULL; - - ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); - ExpectNotNull(ctx = EVP_PKEY_CTX_new(pkey, NULL)); +#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_TLS) && \ + !defined(NO_WOLFSSL_CLIENT) + WOLFSSL* ssl = NULL; + WOLFSSL_CTX* ctx = NULL; -#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000L - /* void */ - EVP_PKEY_CTX_free(ctx); -#else - /* int */ - ExpectIntEQ(EVP_PKEY_CTX_free(ctx), WOLFSSL_SUCCESS); -#endif + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); + ExpectNotNull(ssl = SSL_new(ctx)); + ExpectIntEQ(SSL_set_msg_callback(ssl, NULL), SSL_SUCCESS); + ExpectIntEQ(SSL_set_msg_callback(ssl, &sslMsgCb), SSL_SUCCESS); + ExpectIntEQ(SSL_set_msg_callback(NULL, &sslMsgCb), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - EVP_PKEY_free(pkey); + SSL_free(ssl); + SSL_CTX_free(ctx); #endif return EXPECT_RESULT(); } -static int test_wolfSSL_EVP_PKEY_param_check(void) +static int test_wolfSSL_X509_SEP(void) { EXPECT_DECLS; -#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) -#if !defined(NO_DH) && defined(WOLFSSL_DH_EXTRA) && !defined(NO_FILESYSTEM) +#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && defined(WOLFSSL_SEP) + WOLFSSL_X509* x509 = NULL; +#if 0 + byte* out; +#endif + int outSz; - DH *dh = NULL; - DH *setDh = NULL; - EVP_PKEY *pkey = NULL; - EVP_PKEY_CTX* ctx = NULL; + ExpectNotNull(x509 = wolfSSL_X509_new()); - FILE* f = NULL; - unsigned char buf[512]; - const unsigned char* pt = buf; - const char* dh2048 = "./certs/dh2048.der"; - long len = 0; - int code = -1; + outSz = 0; + ExpectNull(wolfSSL_X509_get_device_type(NULL, NULL, NULL)); + ExpectNull(wolfSSL_X509_get_device_type(x509, NULL, NULL)); + ExpectNull(wolfSSL_X509_get_device_type(NULL, NULL, &outSz)); + ExpectNull(wolfSSL_X509_get_device_type(x509, NULL, &outSz)); - XMEMSET(buf, 0, sizeof(buf)); + outSz = 0; + ExpectNull(wolfSSL_X509_get_hw_type(NULL, NULL, NULL)); + ExpectNull(wolfSSL_X509_get_hw_type(x509, NULL, NULL)); + ExpectNull(wolfSSL_X509_get_hw_type(NULL, NULL, &outSz)); + ExpectNull(wolfSSL_X509_get_hw_type(x509, NULL, &outSz)); - ExpectTrue((f = XFOPEN(dh2048, "rb")) != XBADFILE); - ExpectTrue((len = (long)XFREAD(buf, 1, sizeof(buf), f)) > 0); - if (f != XBADFILE) - XFCLOSE(f); + outSz = 0; + ExpectNull(wolfSSL_X509_get_hw_serial_number(NULL, NULL, NULL)); + ExpectNull(wolfSSL_X509_get_hw_serial_number(x509, NULL, NULL)); + ExpectNull(wolfSSL_X509_get_hw_serial_number(NULL, NULL, &outSz)); + ExpectNull(wolfSSL_X509_get_hw_serial_number(x509, NULL, &outSz)); - /* Load dh2048.der into DH with internal format */ - ExpectNotNull(setDh = d2i_DHparams(NULL, &pt, len)); - ExpectIntEQ(DH_check(setDh, &code), WOLFSSL_SUCCESS); - ExpectIntEQ(code, 0); - code = -1; + ExpectIntEQ(wolfSSL_X509_ext_isSet_by_NID(x509, + WC_NID_certificate_policies), 0); - pkey = wolfSSL_EVP_PKEY_new(); - /* Set DH into PKEY */ - ExpectIntEQ(EVP_PKEY_set1_DH(pkey, setDh), WOLFSSL_SUCCESS); - /* create ctx from pkey */ - ExpectNotNull(ctx = EVP_PKEY_CTX_new(pkey, NULL)); - ExpectIntEQ(EVP_PKEY_param_check(ctx), 1/* valid */); + wolfSSL_X509_free(x509); + x509 = NULL; - /* TODO: more invalid cases */ - ExpectIntEQ(EVP_PKEY_param_check(NULL), 0); +#if 0 + /* Use certificate with the extension here. */ + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(svrCertFile, + SSL_FILETYPE_PEM)); - EVP_PKEY_CTX_free(ctx); - EVP_PKEY_free(pkey); - DH_free(setDh); - setDh = NULL; - DH_free(dh); - dh = NULL; + outSz = 0; + ExpectNotNull(out = wolfSSL_X509_get_device_type(x509, NULL, &outSz)); + ExpectIntGT(outSz, 0); + XFREE(out, NULL, DYNAMIC_TYPE_OPENSSL); + + outSz = 0; + ExpectNotNull(out = wolfSSL_X509_get_hw_type(x509, NULL, &outSz)); + ExpectIntGT(outSz, 0); + XFREE(out, NULL, DYNAMIC_TYPE_OPENSSL); + + outSz = 0; + ExpectNotNull(out = wolfSSL_X509_get_hw_serial_number(x509, NULL, &outSz)); + ExpectIntGT(outSz, 0); + XFREE(out, NULL, DYNAMIC_TYPE_OPENSSL); + + wolfSSL_X509_free(x509); #endif #endif return EXPECT_RESULT(); } -static int test_wolfSSL_EVP_BytesToKey(void) +static int test_wolfSSL_OpenSSL_add_all_algorithms(void) { EXPECT_DECLS; -#if !defined(NO_AES) && defined(HAVE_AES_CBC) - byte key[AES_BLOCK_SIZE] = {0}; - byte iv[AES_BLOCK_SIZE] = {0}; - int count = 0; - const EVP_MD* md = EVP_sha256(); - const EVP_CIPHER *type; - const unsigned char *salt = (unsigned char *)"salt1234"; - int sz = 5; - const byte data[] = { - 0x48,0x65,0x6c,0x6c,0x6f,0x20,0x57,0x6f, - 0x72,0x6c,0x64 - }; - - type = wolfSSL_EVP_get_cipherbynid(NID_aes_128_cbc); +#if defined(OPENSSL_EXTRA) + ExpectIntEQ(wolfSSL_add_all_algorithms(), WOLFSSL_SUCCESS); - /* Bad cases */ - ExpectIntEQ(EVP_BytesToKey(NULL, md, salt, data, sz, count, key, iv), - 0); - ExpectIntEQ(EVP_BytesToKey(type, md, salt, NULL, sz, count, key, iv), - 16); - md = "2"; - ExpectIntEQ(EVP_BytesToKey(type, md, salt, data, sz, count, key, iv), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_OpenSSL_add_all_algorithms_noconf(), WOLFSSL_SUCCESS); - /* Good case */ - md = EVP_sha256(); - ExpectIntEQ(EVP_BytesToKey(type, md, salt, data, sz, count, key, iv), - 16); + ExpectIntEQ(wolfSSL_OpenSSL_add_all_algorithms_conf(), WOLFSSL_SUCCESS); #endif return EXPECT_RESULT(); } -static int test_evp_cipher_aes_gcm(void) +static int test_wolfSSL_OPENSSL_hexstr2buf(void) { EXPECT_DECLS; -#if defined(HAVE_AESGCM) && ((!defined(HAVE_FIPS) && \ - !defined(HAVE_SELFTEST)) || (defined(HAVE_FIPS_VERSION) && \ - (HAVE_FIPS_VERSION >= 2))) && defined(WOLFSSL_AES_256) - /* - * This test checks data at various points in the encrypt/decrypt process - * against known values produced using the same test with OpenSSL. This - * interop testing is critical for verifying the correctness of our - * EVP_Cipher implementation with AES-GCM. Specifically, this test exercises - * a flow supported by OpenSSL that uses the control command - * EVP_CTRL_GCM_IV_GEN to increment the IV between cipher operations without - * the need to call EVP_CipherInit. OpenSSH uses this flow, for example. We - * had a bug with OpenSSH where wolfSSL OpenSSH servers could only talk to - * wolfSSL OpenSSH clients because there was a bug in this flow that - * happened to "cancel out" if both sides of the connection had the bug. - */ - enum { - NUM_ENCRYPTIONS = 3, - AAD_SIZE = 4 - }; - static const byte plainText1[] = { - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, - 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, - 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23 - }; - static const byte plainText2[] = { - 0x42, 0x49, 0x3b, 0x27, 0x03, 0x35, 0x59, 0x14, 0x41, 0x47, 0x37, 0x14, - 0x0e, 0x34, 0x0d, 0x28, 0x63, 0x09, 0x0a, 0x5b, 0x22, 0x57, 0x42, 0x22, - 0x0f, 0x5c, 0x1e, 0x53, 0x45, 0x15, 0x62, 0x08, 0x60, 0x43, 0x50, 0x2c - }; - static const byte plainText3[] = { - 0x36, 0x0d, 0x2b, 0x09, 0x4a, 0x56, 0x3b, 0x4c, 0x21, 0x22, 0x58, 0x0e, - 0x5b, 0x57, 0x10 - }; - static const byte* plainTexts[NUM_ENCRYPTIONS] = { - plainText1, - plainText2, - plainText3 - }; - static const int plainTextSzs[NUM_ENCRYPTIONS] = { - sizeof(plainText1), - sizeof(plainText2), - sizeof(plainText3) - }; - static const byte aad1[AAD_SIZE] = { - 0x00, 0x00, 0x00, 0x01 - }; - static const byte aad2[AAD_SIZE] = { - 0x00, 0x00, 0x00, 0x10 - }; - static const byte aad3[AAD_SIZE] = { - 0x00, 0x00, 0x01, 0x00 - }; - static const byte* aads[NUM_ENCRYPTIONS] = { - aad1, - aad2, - aad3 - }; - const byte iv[GCM_NONCE_MID_SZ] = { - 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF +#if defined(OPENSSL_EXTRA) + #define MAX_HEXSTR_BUFSZ 9 + #define NUM_CASES 5 + struct Output { + const unsigned char buffer[MAX_HEXSTR_BUFSZ]; + long ret; }; - byte currentIv[GCM_NONCE_MID_SZ]; - const byte key[] = { - 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, - 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, - 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f + int i; + int j; + + const char* inputs[NUM_CASES] = { + "aabcd1357e", + "01:12:23:34:a5:b6:c7:d8:e9", + ":01:02", + "012", + ":ab:ac:d" }; - const byte expIvs[NUM_ENCRYPTIONS][GCM_NONCE_MID_SZ] = { - { - 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, - 0xEF - }, - { - 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, - 0xF0 - }, - { - 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, - 0xF1 - } + struct Output expectedOutputs[NUM_CASES] = { + {{0xaa, 0xbc, 0xd1, 0x35, 0x7e}, 5}, + {{0x01, 0x12, 0x23, 0x34, 0xa5, 0xb6, 0xc7, 0xd8, 0xe9}, 9}, + {{0x01, 0x02}, 2}, + {{0x00}, 0}, + {{0x00}, 0} }; - const byte expTags[NUM_ENCRYPTIONS][AES_BLOCK_SIZE] = { - { - 0x65, 0x4F, 0xF7, 0xA0, 0xBB, 0x7B, 0x90, 0xB7, 0x9C, 0xC8, 0x14, - 0x3D, 0x32, 0x18, 0x34, 0xA9 - }, - { - 0x50, 0x3A, 0x13, 0x8D, 0x91, 0x1D, 0xEC, 0xBB, 0xBA, 0x5B, 0x57, - 0xA2, 0xFD, 0x2D, 0x6B, 0x7F - }, - { - 0x3B, 0xED, 0x18, 0x9C, 0xB3, 0xE3, 0x61, 0x1E, 0x11, 0xEB, 0x13, - 0x5B, 0xEC, 0x52, 0x49, 0x32, + long len = 0; + unsigned char* returnedBuf = NULL; + + for (i = 0; i < NUM_CASES && !EXPECT_FAIL(); ++i) { + returnedBuf = wolfSSL_OPENSSL_hexstr2buf(inputs[i], &len); + if (returnedBuf == NULL) { + ExpectIntEQ(expectedOutputs[i].ret, 0); + continue; } - }; - static const byte expCipherText1[] = { - 0xCB, 0x93, 0x4F, 0xC8, 0x22, 0xE2, 0xC0, 0x35, 0xAA, 0x6B, 0x41, 0x15, - 0x17, 0x30, 0x2F, 0x97, 0x20, 0x74, 0x39, 0x28, 0xF8, 0xEB, 0xC5, 0x51, - 0x7B, 0xD9, 0x8A, 0x36, 0xB8, 0xDA, 0x24, 0x80, 0xE7, 0x9E, 0x09, 0xDE - }; - static const byte expCipherText2[] = { - 0xF9, 0x32, 0xE1, 0x87, 0x37, 0x0F, 0x04, 0xC1, 0xB5, 0x59, 0xF0, 0x45, - 0x3A, 0x0D, 0xA0, 0x26, 0xFF, 0xA6, 0x8D, 0x38, 0xFE, 0xB8, 0xE5, 0xC2, - 0x2A, 0x98, 0x4A, 0x54, 0x8F, 0x1F, 0xD6, 0x13, 0x03, 0xB2, 0x1B, 0xC0 - }; - static const byte expCipherText3[] = { - 0xD0, 0x37, 0x59, 0x1C, 0x2F, 0x85, 0x39, 0x4D, 0xED, 0xC2, 0x32, 0x5B, - 0x80, 0x5E, 0x6B, - }; - static const byte* expCipherTexts[NUM_ENCRYPTIONS] = { - expCipherText1, - expCipherText2, - expCipherText3 - }; - byte* cipherText = NULL; - byte* calcPlainText = NULL; - byte tag[AES_BLOCK_SIZE]; - EVP_CIPHER_CTX* encCtx = NULL; - EVP_CIPHER_CTX* decCtx = NULL; - int i, j, outl; - - /****************************************************/ - for (i = 0; i < 3; ++i) { - ExpectNotNull(encCtx = EVP_CIPHER_CTX_new()); - ExpectNotNull(decCtx = EVP_CIPHER_CTX_new()); - /* First iteration, set key before IV. */ - if (i == 0) { - ExpectIntEQ(EVP_CipherInit(encCtx, EVP_aes_256_gcm(), key, NULL, 1), - SSL_SUCCESS); + ExpectIntEQ(expectedOutputs[i].ret, len); - /* - * The call to EVP_CipherInit below (with NULL key) should clear the - * authIvGenEnable flag set by EVP_CTRL_GCM_SET_IV_FIXED. As such, a - * subsequent EVP_CTRL_GCM_IV_GEN should fail. This matches OpenSSL - * behavior. - */ - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(encCtx, EVP_CTRL_GCM_SET_IV_FIXED, -1, - (void*)iv), SSL_SUCCESS); - ExpectIntEQ(EVP_CipherInit(encCtx, NULL, NULL, iv, 1), - SSL_SUCCESS); - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(encCtx, EVP_CTRL_GCM_IV_GEN, -1, - currentIv), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - - ExpectIntEQ(EVP_CipherInit(decCtx, EVP_aes_256_gcm(), key, NULL, 0), - SSL_SUCCESS); - ExpectIntEQ(EVP_CipherInit(decCtx, NULL, NULL, iv, 0), - SSL_SUCCESS); - } - /* Second iteration, IV before key. */ - else { - ExpectIntEQ(EVP_CipherInit(encCtx, EVP_aes_256_gcm(), NULL, iv, 1), - SSL_SUCCESS); - ExpectIntEQ(EVP_CipherInit(encCtx, NULL, key, NULL, 1), - SSL_SUCCESS); - ExpectIntEQ(EVP_CipherInit(decCtx, EVP_aes_256_gcm(), NULL, iv, 0), - SSL_SUCCESS); - ExpectIntEQ(EVP_CipherInit(decCtx, NULL, key, NULL, 0), - SSL_SUCCESS); + for (j = 0; j < len; ++j) { + ExpectIntEQ(expectedOutputs[i].buffer[j], returnedBuf[j]); } + OPENSSL_free(returnedBuf); + } +#endif + return EXPECT_RESULT(); +} - /* - * EVP_CTRL_GCM_IV_GEN should fail if EVP_CTRL_GCM_SET_IV_FIXED hasn't - * been issued first. - */ - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(encCtx, EVP_CTRL_GCM_IV_GEN, -1, - currentIv), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(encCtx, EVP_CTRL_GCM_SET_IV_FIXED, -1, - (void*)iv), SSL_SUCCESS); - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(decCtx, EVP_CTRL_GCM_SET_IV_FIXED, -1, - (void*)iv), SSL_SUCCESS); - - for (j = 0; j < NUM_ENCRYPTIONS; ++j) { - /*************** Encrypt ***************/ - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(encCtx, EVP_CTRL_GCM_IV_GEN, -1, - currentIv), SSL_SUCCESS); - /* Check current IV against expected. */ - ExpectIntEQ(XMEMCMP(currentIv, expIvs[j], GCM_NONCE_MID_SZ), 0); - - /* Add AAD. */ - if (i == 2) { - /* Test streaming API. */ - ExpectIntEQ(EVP_CipherUpdate(encCtx, NULL, &outl, aads[j], - AAD_SIZE), SSL_SUCCESS); - } - else { - ExpectIntEQ(EVP_Cipher(encCtx, NULL, (byte *)aads[j], AAD_SIZE), - AAD_SIZE); - } +#if defined(OPENSSL_ALL) +static int test_wolfSSL_sk_CIPHER_description(void) +{ + EXPECT_DECLS; +#if !defined(NO_RSA) && !defined(NO_TLS) + const long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION; + int i; + int numCiphers = 0; + const SSL_METHOD *method = NULL; + const SSL_CIPHER *cipher = NULL; + STACK_OF(SSL_CIPHER) *supportedCiphers = NULL; + SSL_CTX *ctx = NULL; + SSL *ssl = NULL; + char buf[256]; + char test_str[9] = "0000000"; + const char badStr[] = "unknown"; + const char certPath[] = "./certs/client-cert.pem"; + XMEMSET(buf, 0, sizeof(buf)); - ExpectNotNull(cipherText = (byte*)XMALLOC(plainTextSzs[j], NULL, - DYNAMIC_TYPE_TMP_BUFFER)); + ExpectNotNull(method = TLSv1_2_client_method()); + ExpectNotNull(ctx = SSL_CTX_new(method)); + SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, 0); + SSL_CTX_set_verify_depth(ctx, 4); + SSL_CTX_set_options(ctx, flags); + ExpectIntEQ(SSL_CTX_load_verify_locations(ctx, certPath, NULL), + WOLFSSL_SUCCESS); - /* Encrypt plaintext. */ - if (i == 2) { - ExpectIntEQ(EVP_CipherUpdate(encCtx, cipherText, &outl, - plainTexts[j], plainTextSzs[j]), - SSL_SUCCESS); - } - else { - ExpectIntEQ(EVP_Cipher(encCtx, cipherText, (byte *)plainTexts[j], - plainTextSzs[j]), plainTextSzs[j]); - } + ExpectNotNull(ssl = SSL_new(ctx)); + /* SSL_get_ciphers returns a stack of all configured ciphers + * A flag, getCipherAtOffset, is set to later have SSL_CIPHER_description + */ + ExpectNotNull(supportedCiphers = SSL_get_ciphers(ssl)); - if (i == 2) { - ExpectIntEQ(EVP_CipherFinal(encCtx, cipherText, &outl), - SSL_SUCCESS); - } - else { - /* - * Calling EVP_Cipher with NULL input and output for AES-GCM is - * akin to calling EVP_CipherFinal. - */ - ExpectIntGE(EVP_Cipher(encCtx, NULL, NULL, 0), 0); - } + /* loop through the amount of supportedCiphers */ + numCiphers = sk_num(supportedCiphers); + for (i = 0; i < numCiphers; ++i) { + int j; + /* sk_value increments "sk->data.cipher->cipherOffset". + * wolfSSL_sk_CIPHER_description sets the description for + * the cipher based on the provided offset. + */ + if ((cipher = (const WOLFSSL_CIPHER*)sk_value(supportedCiphers, i))) { + SSL_CIPHER_description(cipher, buf, sizeof(buf)); + } - /* Check ciphertext against expected. */ - ExpectIntEQ(XMEMCMP(cipherText, expCipherTexts[j], plainTextSzs[j]), - 0); - - /* Get and check tag against expected. */ - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(encCtx, EVP_CTRL_GCM_GET_TAG, - sizeof(tag), tag), SSL_SUCCESS); - ExpectIntEQ(XMEMCMP(tag, expTags[j], sizeof(tag)), 0); - - /*************** Decrypt ***************/ - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(decCtx, EVP_CTRL_GCM_IV_GEN, -1, - currentIv), SSL_SUCCESS); - /* Check current IV against expected. */ - ExpectIntEQ(XMEMCMP(currentIv, expIvs[j], GCM_NONCE_MID_SZ), 0); - - /* Add AAD. */ - if (i == 2) { - /* Test streaming API. */ - ExpectIntEQ(EVP_CipherUpdate(decCtx, NULL, &outl, aads[j], - AAD_SIZE), SSL_SUCCESS); - } - else { - ExpectIntEQ(EVP_Cipher(decCtx, NULL, (byte *)aads[j], AAD_SIZE), - AAD_SIZE); + /* Search cipher description string for "unknown" descriptor */ + for (j = 0; j < (int)XSTRLEN(buf); j++) { + int k = 0; + while ((k < (int)XSTRLEN(badStr)) && (buf[j] == badStr[k])) { + test_str[k] = badStr[k]; + j++; + k++; } + } + /* Fail if test_str == badStr == "unknown" */ + ExpectStrNE(test_str,badStr); + } + SSL_free(ssl); + SSL_CTX_free(ctx); +#endif + return EXPECT_RESULT(); +} - /* Set expected tag. */ - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(decCtx, EVP_CTRL_GCM_SET_TAG, - sizeof(tag), tag), SSL_SUCCESS); - - /* Decrypt ciphertext. */ - ExpectNotNull(calcPlainText = (byte*)XMALLOC(plainTextSzs[j], NULL, - DYNAMIC_TYPE_TMP_BUFFER)); - if (i == 2) { - ExpectIntEQ(EVP_CipherUpdate(decCtx, calcPlainText, &outl, - cipherText, plainTextSzs[j]), - SSL_SUCCESS); - } - else { - /* This first EVP_Cipher call will check the tag, too. */ - ExpectIntEQ(EVP_Cipher(decCtx, calcPlainText, cipherText, - plainTextSzs[j]), plainTextSzs[j]); - } +static int test_wolfSSL_get_ciphers_compat(void) +{ + EXPECT_DECLS; +#if !defined(NO_RSA) && !defined(NO_TLS) + const SSL_METHOD *method = NULL; + const char certPath[] = "./certs/client-cert.pem"; + STACK_OF(SSL_CIPHER) *supportedCiphers = NULL; + SSL_CTX *ctx = NULL; + WOLFSSL *ssl = NULL; + const long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION; - if (i == 2) { - ExpectIntEQ(EVP_CipherFinal(decCtx, calcPlainText, &outl), - SSL_SUCCESS); - } - else { - ExpectIntGE(EVP_Cipher(decCtx, NULL, NULL, 0), 0); - } + ExpectNotNull(method = SSLv23_client_method()); + ExpectNotNull(ctx = SSL_CTX_new(method)); + SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, 0); + SSL_CTX_set_verify_depth(ctx, 4); + SSL_CTX_set_options(ctx, flags); + ExpectIntEQ(SSL_CTX_load_verify_locations(ctx, certPath, NULL), + WOLFSSL_SUCCESS); - /* Check plaintext against expected. */ - ExpectIntEQ(XMEMCMP(calcPlainText, plainTexts[j], plainTextSzs[j]), - 0); + ExpectNotNull(ssl = SSL_new(ctx)); - XFREE(cipherText, NULL, DYNAMIC_TYPE_TMP_BUFFER); - cipherText = NULL; - XFREE(calcPlainText, NULL, DYNAMIC_TYPE_TMP_BUFFER); - calcPlainText = NULL; - } + /* Test Bad NULL input */ + ExpectNull(supportedCiphers = SSL_get_ciphers(NULL)); + /* Test for Good input */ + ExpectNotNull(supportedCiphers = SSL_get_ciphers(ssl)); + /* Further usage of SSL_get_ciphers/wolfSSL_get_ciphers_compat is + * tested in test_wolfSSL_sk_CIPHER_description according to Qt usage */ - EVP_CIPHER_CTX_free(encCtx); - encCtx = NULL; - EVP_CIPHER_CTX_free(decCtx); - decCtx = NULL; - } + SSL_free(ssl); + SSL_CTX_free(ctx); #endif return EXPECT_RESULT(); } -static int test_wolfSSL_OBJ_ln(void) + +static int test_wolfSSL_CTX_ctrl(void) { EXPECT_DECLS; - const int nid_set[] = { - NID_commonName, - NID_serialNumber, - NID_countryName, - NID_localityName, - NID_stateOrProvinceName, - NID_organizationName, - NID_organizationalUnitName, - NID_domainComponent, - NID_businessCategory, - NID_jurisdictionCountryName, - NID_jurisdictionStateOrProvinceName, - NID_emailAddress - }; - const char* ln_set[] = { - "commonName", - "serialNumber", - "countryName", - "localityName", - "stateOrProvinceName", - "organizationName", - "organizationalUnitName", - "domainComponent", - "businessCategory", - "jurisdictionCountryName", - "jurisdictionStateOrProvinceName", - "emailAddress", - }; - size_t i = 0, maxIdx = sizeof(ln_set)/sizeof(char*); +#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_TLS) && \ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) && !defined(NO_WOLFSSL_SERVER) + char caFile[] = "./certs/client-ca.pem"; + char clientFile[] = "./certs/client-cert.pem"; + SSL_CTX* ctx = NULL; + X509* x509 = NULL; +#if !defined(NO_DH) && !defined(NO_DSA) && !defined(NO_BIO) + byte buf[6000]; + char file[] = "./certs/dsaparams.pem"; + XFILE f = XBADFILE; + int bytes = 0; + BIO* bio = NULL; + DSA* dsa = NULL; + DH* dh = NULL; +#endif +#ifdef HAVE_ECC + WOLFSSL_EC_KEY* ecKey = NULL; +#endif + + ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); + + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(caFile, + WOLFSSL_FILETYPE_PEM)); + ExpectIntEQ((int)SSL_CTX_add_extra_chain_cert(ctx, x509), WOLFSSL_SUCCESS); + if (EXPECT_FAIL()) { + wolfSSL_X509_free(x509); + } - ExpectIntEQ(OBJ_ln2nid(NULL), NID_undef); + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(clientFile, + WOLFSSL_FILETYPE_PEM)); + +#if !defined(NO_DH) && !defined(NO_DSA) && !defined(NO_BIO) + /* Initialize DH */ + ExpectTrue((f = XFOPEN(file, "rb")) != XBADFILE); + ExpectIntGT(bytes = (int)XFREAD(buf, 1, sizeof(buf), f), 0); + if (f != XBADFILE) + XFCLOSE(f); + + ExpectNotNull(bio = BIO_new_mem_buf((void*)buf, bytes)); + + ExpectNotNull(dsa = wolfSSL_PEM_read_bio_DSAparams(bio, NULL, NULL, NULL)); + ExpectNotNull(dh = wolfSSL_DSA_dup_DH(dsa)); +#endif #ifdef HAVE_ECC -#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) + /* Initialize WOLFSSL_EC_KEY */ + ExpectNotNull(ecKey = wolfSSL_EC_KEY_new()); + ExpectIntEQ(wolfSSL_EC_KEY_generate_key(ecKey), 1); +#endif + + /* additional test of getting EVP_PKEY key size from X509 + * Do not run with user RSA because wolfSSL_RSA_size is not currently + * allowed with user RSA */ { - EC_builtin_curve r[27]; - size_t nCurves = sizeof(r) / sizeof(r[0]); - nCurves = EC_get_builtin_curves(r, nCurves); - - for (i = 0; i < nCurves; i++) { - /* skip ECC_CURVE_INVALID */ - if (r[i].nid != ECC_CURVE_INVALID) { - ExpectIntEQ(OBJ_ln2nid(r[i].comment), r[i].nid); - ExpectStrEQ(OBJ_nid2ln(r[i].nid), r[i].comment); - } - } + EVP_PKEY* pkey = NULL; +#if defined(HAVE_ECC) + X509* ecX509 = NULL; +#endif /* HAVE_ECC */ + + ExpectNotNull(pkey = X509_get_pubkey(x509)); + /* current RSA key is 2048 bit (256 bytes) */ + ExpectIntEQ(EVP_PKEY_size(pkey), 256); + + EVP_PKEY_free(pkey); + pkey = NULL; + +#if defined(HAVE_ECC) +#if defined(USE_CERT_BUFFERS_256) + ExpectNotNull(ecX509 = wolfSSL_X509_load_certificate_buffer( + cliecc_cert_der_256, sizeof_cliecc_cert_der_256, + SSL_FILETYPE_ASN1)); +#else + ExpectNotNull(ecX509 = wolfSSL_X509_load_certificate_file( + cliEccCertFile, SSL_FILETYPE_PEM)); +#endif + ExpectNotNull(pkey = X509_get_pubkey(ecX509)); + /* current ECC key is 256 bit (32 bytes) */ + ExpectIntGE(EVP_PKEY_size(pkey), 72); + + X509_free(ecX509); + EVP_PKEY_free(pkey); +#endif /* HAVE_ECC */ } + + /* Tests should fail with passed in NULL pointer */ + ExpectIntEQ((int)wolfSSL_CTX_ctrl(ctx, SSL_CTRL_EXTRA_CHAIN_CERT, 0, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); +#if !defined(NO_DH) && !defined(NO_DSA) + ExpectIntEQ((int)wolfSSL_CTX_ctrl(ctx, SSL_CTRL_SET_TMP_DH, 0, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); #endif +#ifdef HAVE_ECC + ExpectIntEQ((int)wolfSSL_CTX_ctrl(ctx, SSL_CTRL_SET_TMP_ECDH, 0, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); #endif - for (i = 0; i < maxIdx; i++) { - ExpectIntEQ(OBJ_ln2nid(ln_set[i]), nid_set[i]); - ExpectStrEQ(OBJ_nid2ln(nid_set[i]), ln_set[i]); + /* Test with SSL_CTRL_EXTRA_CHAIN_CERT + * wolfSSL_CTX_ctrl should succesffuly call SSL_CTX_add_extra_chain_cert + */ + ExpectIntEQ((int)wolfSSL_CTX_ctrl(ctx, SSL_CTRL_EXTRA_CHAIN_CERT, 0, x509), + SSL_SUCCESS); + if (EXPECT_FAIL()) { + wolfSSL_X509_free(x509); } - return EXPECT_RESULT(); -} + /* Test with SSL_CTRL_OPTIONS + * wolfSSL_CTX_ctrl should succesffuly call SSL_CTX_set_options + */ + ExpectTrue(wolfSSL_CTX_ctrl(ctx, SSL_CTRL_OPTIONS, SSL_OP_NO_TLSv1, + NULL) == SSL_OP_NO_TLSv1); + ExpectTrue(SSL_CTX_get_options(ctx) == SSL_OP_NO_TLSv1); -static int test_wolfSSL_OBJ_sn(void) -{ - EXPECT_DECLS; - int i = 0, maxIdx = 7; - const int nid_set[] = {NID_commonName,NID_countryName,NID_localityName, - NID_stateOrProvinceName,NID_organizationName, - NID_organizationalUnitName,NID_emailAddress}; - const char* sn_open_set[] = {"CN","C","L","ST","O","OU","emailAddress"}; + /* Test with SSL_CTRL_SET_TMP_DH + * wolfSSL_CTX_ctrl should succesffuly call wolfSSL_SSL_CTX_set_tmp_dh + */ +#if !defined(NO_DH) && !defined(NO_DSA) && !defined(NO_BIO) + ExpectIntEQ((int)wolfSSL_CTX_ctrl(ctx, SSL_CTRL_SET_TMP_DH, 0, dh), + SSL_SUCCESS); +#endif - ExpectIntEQ(wolfSSL_OBJ_sn2nid(NULL), NID_undef); - for (i = 0; i < maxIdx; i++) { - ExpectIntEQ(wolfSSL_OBJ_sn2nid(sn_open_set[i]), nid_set[i]); - ExpectStrEQ(wolfSSL_OBJ_nid2sn(nid_set[i]), sn_open_set[i]); - } + /* Test with SSL_CTRL_SET_TMP_ECDH + * wolfSSL_CTX_ctrl should succesffuly call wolfSSL_SSL_CTX_set_tmp_ecdh + */ +#ifdef HAVE_ECC + ExpectIntEQ((int)wolfSSL_CTX_ctrl(ctx, SSL_CTRL_SET_TMP_ECDH, 0, ecKey), + SSL_SUCCESS); +#endif + +#ifdef WOLFSSL_ENCRYPTED_KEYS + ExpectNull(SSL_CTX_get_default_passwd_cb(ctx)); + ExpectNull(SSL_CTX_get_default_passwd_cb_userdata(ctx)); +#endif + + /* Test for min/max proto */ +#ifndef WOLFSSL_NO_TLS12 + ExpectIntEQ((int)wolfSSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, + 0, NULL), SSL_SUCCESS); + ExpectIntEQ((int)wolfSSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, + TLS1_2_VERSION, NULL), SSL_SUCCESS); + ExpectIntEQ(wolfSSL_CTX_get_min_proto_version(ctx), TLS1_2_VERSION); +#endif +#ifdef WOLFSSL_TLS13 + ExpectIntEQ((int)wolfSSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, + 0, NULL), SSL_SUCCESS); + ExpectIntEQ((int)wolfSSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, + TLS1_3_VERSION, NULL), SSL_SUCCESS); + ExpectIntEQ(wolfSSL_CTX_get_max_proto_version(ctx), TLS1_3_VERSION); +#ifndef WOLFSSL_NO_TLS12 + ExpectIntEQ((int)wolfSSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, + TLS1_2_VERSION, NULL), SSL_SUCCESS); + ExpectIntEQ(wolfSSL_CTX_get_max_proto_version(ctx), TLS1_2_VERSION); +#endif +#endif + /* Cleanup and Pass */ +#if !defined(NO_DH) && !defined(NO_DSA) +#ifndef NO_BIO + BIO_free(bio); + DSA_free(dsa); + DH_free(dh); + dh = NULL; +#endif +#endif +#ifdef HAVE_ECC + wolfSSL_EC_KEY_free(ecKey); +#endif + SSL_CTX_free(ctx); +#endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ + * !defined(NO_FILESYSTEM) && !defined(NO_RSA) */ return EXPECT_RESULT(); } @@ -25146,24 +18004,6 @@ static int test_wolfSSL_NCONF(void) } #endif /* OPENSSL_ALL */ -static int test_wolfSSL_EVP_PKEY_up_ref(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_ALL) - EVP_PKEY* pkey; - - pkey = EVP_PKEY_new(); - ExpectNotNull(pkey); - ExpectIntEQ(EVP_PKEY_up_ref(NULL), 0); - ExpectIntEQ(EVP_PKEY_up_ref(pkey), 1); - EVP_PKEY_free(pkey); - ExpectIntEQ(EVP_PKEY_up_ref(pkey), 1); - EVP_PKEY_free(pkey); - EVP_PKEY_free(pkey); -#endif - return EXPECT_RESULT(); -} - static int test_wolfSSL_d2i_and_i2d_PublicKey(void) { EXPECT_DECLS; @@ -25983,155 +18823,6 @@ static int test_wolfSSL_OCSP_REQ_CTX(void) return EXPECT_RESULT(); } -static int test_wolfSSL_EVP_PKEY_derive(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) || defined(WOLFSSL_OPENSSH) -#if (!defined(NO_DH) && defined(WOLFSSL_DH_EXTRA)) || defined(HAVE_ECC) - EVP_PKEY_CTX *ctx = NULL; - unsigned char *skey = NULL; - size_t skeylen; - EVP_PKEY *pkey = NULL; - EVP_PKEY *peerkey = NULL; - const unsigned char* key; - -#if !defined(NO_DH) && defined(WOLFSSL_DH_EXTRA) - /* DH */ - key = dh_key_der_2048; - ExpectNotNull((pkey = d2i_PrivateKey(EVP_PKEY_DH, NULL, &key, - sizeof_dh_key_der_2048))); - ExpectIntEQ(DH_generate_key(EVP_PKEY_get0_DH(pkey)), 1); - key = dh_key_der_2048; - ExpectNotNull((peerkey = d2i_PrivateKey(EVP_PKEY_DH, NULL, &key, - sizeof_dh_key_der_2048))); - ExpectIntEQ(DH_generate_key(EVP_PKEY_get0_DH(peerkey)), 1); - ExpectNotNull(ctx = EVP_PKEY_CTX_new(pkey, NULL)); - ExpectIntEQ(EVP_PKEY_derive_init(ctx), 1); - ExpectIntEQ(EVP_PKEY_derive_set_peer(ctx, peerkey), 1); - ExpectIntEQ(EVP_PKEY_derive(ctx, NULL, &skeylen), 1); - ExpectNotNull(skey = (unsigned char*)XMALLOC(skeylen, NULL, - DYNAMIC_TYPE_OPENSSL)); - ExpectIntEQ(EVP_PKEY_derive(ctx, skey, &skeylen), 1); - - EVP_PKEY_CTX_free(ctx); - ctx = NULL; - EVP_PKEY_free(peerkey); - peerkey = NULL; - EVP_PKEY_free(pkey); - pkey = NULL; - XFREE(skey, NULL, DYNAMIC_TYPE_OPENSSL); - skey = NULL; -#endif - -#ifdef HAVE_ECC - /* ECDH */ - key = ecc_clikey_der_256; - ExpectNotNull((pkey = d2i_PrivateKey(EVP_PKEY_EC, NULL, &key, - sizeof_ecc_clikey_der_256))); - key = ecc_clikeypub_der_256; - ExpectNotNull((peerkey = d2i_PUBKEY(NULL, &key, - sizeof_ecc_clikeypub_der_256))); - ExpectNotNull(ctx = EVP_PKEY_CTX_new(pkey, NULL)); - ExpectIntEQ(EVP_PKEY_derive_init(ctx), 1); - ExpectIntEQ(EVP_PKEY_derive_set_peer(ctx, peerkey), 1); - ExpectIntEQ(EVP_PKEY_derive(ctx, NULL, &skeylen), 1); - ExpectNotNull(skey = (unsigned char*)XMALLOC(skeylen, NULL, - DYNAMIC_TYPE_OPENSSL)); - ExpectIntEQ(EVP_PKEY_derive(ctx, skey, &skeylen), 1); - - EVP_PKEY_CTX_free(ctx); - EVP_PKEY_free(peerkey); - EVP_PKEY_free(pkey); - XFREE(skey, NULL, DYNAMIC_TYPE_OPENSSL); -#endif /* HAVE_ECC */ -#endif /* (!NO_DH && WOLFSSL_DH_EXTRA) || HAVE_ECC */ -#endif /* OPENSSL_ALL || WOLFSSL_QT || WOLFSSL_OPENSSH */ - return EXPECT_RESULT(); -} - -static int test_wolfSSL_EVP_PBE_scrypt(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && defined(HAVE_SCRYPT) && defined(HAVE_PBKDF2) && \ - (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 5)) -#if !defined(NO_PWDBASED) && !defined(NO_SHA256) - int ret; - - const char pwd[] = {'p','a','s','s','w','o','r','d'}; - int pwdlen = sizeof(pwd); - const byte salt[] = {'N','a','C','l'}; - int saltlen = sizeof(salt); - byte key[80]; - word64 numOvr32 = (word64)INT32_MAX + 1; - - /* expected derived key for N:16, r:1, p:1 */ - const byte expectedKey[] = { - 0xAE, 0xC6, 0xB7, 0x48, 0x3E, 0xD2, 0x6E, 0x08, 0x80, 0x2B, - 0x41, 0xF4, 0x03, 0x20, 0x86, 0xA0, 0xE8, 0x86, 0xBE, 0x7A, - 0xC4, 0x8F, 0xCF, 0xD9, 0x2F, 0xF0, 0xCE, 0xF8, 0x10, 0x97, - 0x52, 0xF4, 0xAC, 0x74, 0xB0, 0x77, 0x26, 0x32, 0x56, 0xA6, - 0x5A, 0x99, 0x70, 0x1B, 0x7A, 0x30, 0x4D, 0x46, 0x61, 0x1C, - 0x8A, 0xA3, 0x91, 0xE7, 0x99, 0xCE, 0x10, 0xA2, 0x77, 0x53, - 0xE7, 0xE9, 0xC0, 0x9A}; - - /* N r p mx key keylen */ - ret = EVP_PBE_scrypt(pwd, pwdlen, salt, saltlen, 0, 1, 1, 0, key, 64); - ExpectIntEQ(ret, 0); /* N must be greater than 1 */ - - ret = EVP_PBE_scrypt(pwd, pwdlen, salt, saltlen, 3, 1, 1, 0, key, 64); - ExpectIntEQ(ret, 0); /* N must be power of 2 */ - - ret = EVP_PBE_scrypt(pwd, pwdlen, salt, saltlen, 2, 0, 1, 0, key, 64); - ExpectIntEQ(ret, 0); /* r must be greater than 0 */ - - ret = EVP_PBE_scrypt(pwd, pwdlen, salt, saltlen, 2, 1, 0, 0, key, 64); - ExpectIntEQ(ret, 0); /* p must be greater than 0 */ - - ret = EVP_PBE_scrypt(pwd, pwdlen, salt, saltlen, 2, 1, 1, 0, key, 0); - ExpectIntEQ(ret, 0); /* keylen must be greater than 0 */ - - ret = EVP_PBE_scrypt(pwd, pwdlen, salt, saltlen, 2, 9, 1, 0, key, 64); - ExpectIntEQ(ret, 0); /* r must be smaller than 9 */ - - ret = EVP_PBE_scrypt(pwd, pwdlen, salt, saltlen, 2, 1, 1, 0, NULL, 64); - ExpectIntEQ(ret, 1); /* should succeed if key is NULL */ - - ret = EVP_PBE_scrypt(pwd, pwdlen, salt, saltlen, 2, 1, 1, 0, key, 64); - ExpectIntEQ(ret, 1); /* should succeed */ - - ret = EVP_PBE_scrypt(pwd, pwdlen, salt, saltlen, 2, numOvr32, 1, 0, - key, 64); - ExpectIntEQ(ret, 0); /* should fail since r is greater than INT32_MAC */ - - ret = EVP_PBE_scrypt(pwd, pwdlen, salt, saltlen, 2, 1, numOvr32, 0, - key, 64); - ExpectIntEQ(ret, 0); /* should fail since p is greater than INT32_MAC */ - - ret = EVP_PBE_scrypt(pwd, pwdlen, NULL, 0, 2, 1, 1, 0, key, 64); - ExpectIntEQ(ret, 1); /* should succeed even if salt is NULL */ - - ret = EVP_PBE_scrypt(pwd, pwdlen, NULL, 4, 2, 1, 1, 0, key, 64); - ExpectIntEQ(ret, 0); /* if salt is NULL, saltlen must be 0, otherwise fail*/ - - ret = EVP_PBE_scrypt(NULL, 0, salt, saltlen, 2, 1, 1, 0, key, 64); - ExpectIntEQ(ret, 1); /* should succeed if pwd is NULL and pwdlen is 0*/ - - ret = EVP_PBE_scrypt(NULL, 4, salt, saltlen, 2, 1, 1, 0, key, 64); - ExpectIntEQ(ret, 0); /* if pwd is NULL, pwdlen must be 0 */ - - ret = EVP_PBE_scrypt(NULL, 0, NULL, 0, 2, 1, 1, 0, key, 64); - ExpectIntEQ(ret, 1); /* should succeed even both pwd and salt are NULL */ - - ret = EVP_PBE_scrypt(pwd, pwdlen, salt, saltlen, 16, 1, 1, 0, key, 64); - ExpectIntEQ(ret, 1); - - ret = XMEMCMP(expectedKey, key, sizeof(expectedKey)); - ExpectIntEQ(ret, 0); /* derived key must be the same as expected-key */ -#endif /* !NO_PWDBASED && !NO_SHA256 */ -#endif /* OPENSSL_EXTRA && HAVE_SCRYPT && HAVE_PBKDF2 */ - return EXPECT_RESULT(); -} - static int test_no_op_functions(void) { EXPECT_DECLS; @@ -26920,511 +19611,6 @@ static int test_MakeCertWithCaFalse(void) return EXPECT_RESULT(); } -static int test_wolfSSL_EVP_PKEY_encrypt(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) - WOLFSSL_RSA* rsa = NULL; - WOLFSSL_EVP_PKEY* pkey = NULL; - WOLFSSL_EVP_PKEY_CTX* ctx = NULL; - const char* in = "What is easy to do is easy not to do."; - size_t inlen = XSTRLEN(in); - size_t outEncLen = 0; - byte* outEnc = NULL; - byte* outDec = NULL; - size_t outDecLen = 0; - size_t rsaKeySz = 2048/8; /* Bytes */ -#if !defined(HAVE_FIPS) && defined(WC_RSA_NO_PADDING) - byte* inTmp = NULL; - byte* outEncTmp = NULL; - byte* outDecTmp = NULL; -#endif - - ExpectNotNull(outEnc = (byte*)XMALLOC(rsaKeySz, HEAP_HINT, - DYNAMIC_TYPE_TMP_BUFFER)); - if (outEnc != NULL) { - XMEMSET(outEnc, 0, rsaKeySz); - } - ExpectNotNull(outDec = (byte*)XMALLOC(rsaKeySz, HEAP_HINT, - DYNAMIC_TYPE_TMP_BUFFER)); - if (outDec != NULL) { - XMEMSET(outDec, 0, rsaKeySz); - } - - ExpectNotNull(rsa = RSA_generate_key(2048, 3, NULL, NULL)); - ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); - ExpectIntEQ(EVP_PKEY_assign_RSA(pkey, rsa), WOLFSSL_SUCCESS); - if (EXPECT_FAIL()) { - RSA_free(rsa); - } - ExpectNotNull(ctx = EVP_PKEY_CTX_new(pkey, NULL)); - ExpectIntEQ(EVP_PKEY_encrypt_init(ctx), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING), - WOLFSSL_SUCCESS); - - /* Test pkey references count is decremented. pkey shouldn't be destroyed - since ctx uses it.*/ - ExpectIntEQ(pkey->ref.count, 2); - EVP_PKEY_free(pkey); - ExpectIntEQ(pkey->ref.count, 1); - - /* Encrypt data */ - /* Check that we can get the required output buffer length by passing in a - * NULL output buffer. */ - ExpectIntEQ(EVP_PKEY_encrypt(ctx, NULL, &outEncLen, - (const unsigned char*)in, inlen), WOLFSSL_SUCCESS); - ExpectIntEQ(rsaKeySz, outEncLen); - /* Now do the actual encryption. */ - ExpectIntEQ(EVP_PKEY_encrypt(ctx, outEnc, &outEncLen, - (const unsigned char*)in, inlen), WOLFSSL_SUCCESS); - - /* Decrypt data */ - ExpectIntEQ(EVP_PKEY_decrypt_init(ctx), WOLFSSL_SUCCESS); - /* Check that we can get the required output buffer length by passing in a - * NULL output buffer. */ - ExpectIntEQ(EVP_PKEY_decrypt(ctx, NULL, &outDecLen, outEnc, outEncLen), - WOLFSSL_SUCCESS); - ExpectIntEQ(rsaKeySz, outDecLen); - /* Now do the actual decryption. */ - ExpectIntEQ(EVP_PKEY_decrypt(ctx, outDec, &outDecLen, outEnc, outEncLen), - WOLFSSL_SUCCESS); - - ExpectIntEQ(XMEMCMP(in, outDec, outDecLen), 0); - -#if !defined(HAVE_FIPS) && defined(WC_RSA_NO_PADDING) - /* The input length must be the same size as the RSA key.*/ - ExpectNotNull(inTmp = (byte*)XMALLOC(rsaKeySz, HEAP_HINT, - DYNAMIC_TYPE_TMP_BUFFER)); - if (inTmp != NULL) { - XMEMSET(inTmp, 9, rsaKeySz); - } - ExpectNotNull(outEncTmp = (byte*)XMALLOC(rsaKeySz, HEAP_HINT, - DYNAMIC_TYPE_TMP_BUFFER)); - if (outEncTmp != NULL) { - XMEMSET(outEncTmp, 0, rsaKeySz); - } - ExpectNotNull(outDecTmp = (byte*)XMALLOC(rsaKeySz, HEAP_HINT, - DYNAMIC_TYPE_TMP_BUFFER)); - if (outDecTmp != NULL) { - XMEMSET(outDecTmp, 0, rsaKeySz); - } - ExpectIntEQ(EVP_PKEY_encrypt_init(ctx), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_NO_PADDING), - WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_encrypt(ctx, outEncTmp, &outEncLen, inTmp, rsaKeySz), - WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_decrypt_init(ctx), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_decrypt(ctx, outDecTmp, &outDecLen, outEncTmp, - outEncLen), WOLFSSL_SUCCESS); - ExpectIntEQ(XMEMCMP(inTmp, outDecTmp, outDecLen), 0); -#endif - EVP_PKEY_CTX_free(ctx); - XFREE(outEnc, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(outDec, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); -#if !defined(HAVE_FIPS) && defined(WC_RSA_NO_PADDING) - XFREE(inTmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(outEncTmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(outDecTmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); -#endif -#endif - return EXPECT_RESULT(); -} - -#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) && \ - !defined(HAVE_SELFTEST) -#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) - #ifndef TEST_WOLFSSL_EVP_PKEY_SIGN_VERIFY - #define TEST_WOLFSSL_EVP_PKEY_SIGN_VERIFY - #endif -#endif -#endif -#if defined(OPENSSL_EXTRA) -#if !defined (NO_DSA) && !defined(HAVE_SELFTEST) && defined(WOLFSSL_KEY_GEN) - #ifndef TEST_WOLFSSL_EVP_PKEY_SIGN_VERIFY - #define TEST_WOLFSSL_EVP_PKEY_SIGN_VERIFY - #endif -#endif -#endif -#if defined(OPENSSL_EXTRA) && defined(HAVE_ECC) -#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) - #ifndef TEST_WOLFSSL_EVP_PKEY_SIGN_VERIFY - #define TEST_WOLFSSL_EVP_PKEY_SIGN_VERIFY - #endif -#endif -#endif - -#ifdef TEST_WOLFSSL_EVP_PKEY_SIGN_VERIFY -static int test_wolfSSL_EVP_PKEY_sign_verify(int keyType) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) -#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) && \ - !defined(HAVE_SELFTEST) -#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) - WOLFSSL_RSA* rsa = NULL; -#endif -#endif -#if !defined (NO_DSA) && !defined(HAVE_SELFTEST) && defined(WOLFSSL_KEY_GEN) - WOLFSSL_DSA* dsa = NULL; -#endif /* !NO_DSA && !HAVE_SELFTEST && WOLFSSL_KEY_GEN */ -#if defined(OPENSSL_EXTRA) && defined(HAVE_ECC) -#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) - WOLFSSL_EC_KEY* ecKey = NULL; -#endif -#endif - WOLFSSL_EVP_PKEY* pkey = NULL; - WOLFSSL_EVP_PKEY_CTX* ctx = NULL; - WOLFSSL_EVP_PKEY_CTX* ctx_verify = NULL; - const char* in = "What is easy to do is easy not to do."; - size_t inlen = XSTRLEN(in); - byte hash[SHA256_DIGEST_LENGTH] = {0}; - byte zero[SHA256_DIGEST_LENGTH] = {0}; - SHA256_CTX c; - byte* sig = NULL; - byte* sigVerify = NULL; - size_t siglen; - size_t siglenOnlyLen; - size_t keySz = 2048/8; /* Bytes */ - - ExpectNotNull(sig = - (byte*)XMALLOC(keySz, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER)); - ExpectNotNull(sigVerify = - (byte*)XMALLOC(keySz, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER)); - - siglen = keySz; - ExpectNotNull(XMEMSET(sig, 0, keySz)); - ExpectNotNull(XMEMSET(sigVerify, 0, keySz)); - - /* Generate hash */ - SHA256_Init(&c); - SHA256_Update(&c, in, inlen); - SHA256_Final(hash, &c); -#ifdef WOLFSSL_SMALL_STACK_CACHE - /* workaround for small stack cache case */ - wc_Sha256Free((wc_Sha256*)&c); -#endif - - /* Generate key */ - ExpectNotNull(pkey = EVP_PKEY_new()); - switch (keyType) { - case EVP_PKEY_RSA: -#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) && \ - !defined(HAVE_SELFTEST) -#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) - { - ExpectNotNull(rsa = RSA_generate_key(2048, 3, NULL, NULL)); - ExpectIntEQ(EVP_PKEY_assign_RSA(pkey, rsa), WOLFSSL_SUCCESS); - } -#endif -#endif - break; - case EVP_PKEY_DSA: -#if !defined (NO_DSA) && !defined(HAVE_SELFTEST) && defined(WOLFSSL_KEY_GEN) - ExpectNotNull(dsa = DSA_new()); - ExpectIntEQ(DSA_generate_parameters_ex(dsa, 2048, - NULL, 0, NULL, NULL, NULL), 1); - ExpectIntEQ(DSA_generate_key(dsa), 1); - ExpectIntEQ(EVP_PKEY_set1_DSA(pkey, dsa), WOLFSSL_SUCCESS); -#endif /* !NO_DSA && !HAVE_SELFTEST && WOLFSSL_KEY_GEN */ - break; - case EVP_PKEY_EC: -#if defined(OPENSSL_EXTRA) && defined(HAVE_ECC) -#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) - { - ExpectNotNull(ecKey = EC_KEY_new()); - ExpectIntEQ(EC_KEY_generate_key(ecKey), 1); - ExpectIntEQ( - EVP_PKEY_assign_EC_KEY(pkey, ecKey), WOLFSSL_SUCCESS); - if (EXPECT_FAIL()) { - EC_KEY_free(ecKey); - } - } -#endif -#endif - break; - } - ExpectNotNull(ctx = EVP_PKEY_CTX_new(pkey, NULL)); - ExpectIntEQ(EVP_PKEY_sign_init(ctx), WOLFSSL_SUCCESS); -#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) && \ - !defined(HAVE_SELFTEST) -#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) - if (keyType == EVP_PKEY_RSA) - ExpectIntEQ(EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING), - WOLFSSL_SUCCESS); -#endif -#endif - - /* Check returning only length */ - ExpectIntEQ(EVP_PKEY_sign(ctx, NULL, &siglenOnlyLen, hash, - SHA256_DIGEST_LENGTH), WOLFSSL_SUCCESS); - ExpectIntGT(siglenOnlyLen, 0); - /* Sign data */ - ExpectIntEQ(EVP_PKEY_sign(ctx, sig, &siglen, hash, - SHA256_DIGEST_LENGTH), WOLFSSL_SUCCESS); - ExpectIntGE(siglenOnlyLen, siglen); - - /* Verify signature */ - ExpectNotNull(ctx_verify = EVP_PKEY_CTX_new(pkey, NULL)); - ExpectIntEQ(EVP_PKEY_verify_init(ctx_verify), WOLFSSL_SUCCESS); -#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) && \ - !defined(HAVE_SELFTEST) -#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) - if (keyType == EVP_PKEY_RSA) - ExpectIntEQ( - EVP_PKEY_CTX_set_rsa_padding(ctx_verify, RSA_PKCS1_PADDING), - WOLFSSL_SUCCESS); -#endif -#endif - ExpectIntEQ(EVP_PKEY_verify( - ctx_verify, sig, siglen, hash, SHA256_DIGEST_LENGTH), - WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_verify( - ctx_verify, sig, siglen, zero, SHA256_DIGEST_LENGTH), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - -#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) && \ - !defined(HAVE_SELFTEST) -#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) - if (keyType == EVP_PKEY_RSA) { - #if defined(WC_RSA_NO_PADDING) || defined(WC_RSA_DIRECT) - /* Try RSA sign/verify with no padding. */ - ExpectIntEQ(EVP_PKEY_sign_init(ctx), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_NO_PADDING), - WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_sign(ctx, sigVerify, &siglen, sig, - siglen), WOLFSSL_SUCCESS); - ExpectIntGE(siglenOnlyLen, siglen); - ExpectIntEQ(EVP_PKEY_verify_init(ctx_verify), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_CTX_set_rsa_padding(ctx_verify, - RSA_NO_PADDING), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_verify(ctx_verify, sigVerify, siglen, sig, - siglen), WOLFSSL_SUCCESS); - #endif - - /* Wrong padding schemes. */ - ExpectIntEQ(EVP_PKEY_sign_init(ctx), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_CTX_set_rsa_padding(ctx, - RSA_PKCS1_OAEP_PADDING), WOLFSSL_SUCCESS); - ExpectIntNE(EVP_PKEY_sign(ctx, sigVerify, &siglen, sig, - siglen), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_verify_init(ctx_verify), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_CTX_set_rsa_padding(ctx_verify, - RSA_PKCS1_OAEP_PADDING), WOLFSSL_SUCCESS); - ExpectIntNE(EVP_PKEY_verify(ctx_verify, sigVerify, siglen, sig, - siglen), WOLFSSL_SUCCESS); - - ExpectIntEQ(EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING), - WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_CTX_set_rsa_padding(ctx_verify, - RSA_PKCS1_PADDING), WOLFSSL_SUCCESS); - } -#endif -#endif - - /* error cases */ - siglen = keySz; /* Reset because sig size may vary slightly */ - ExpectIntNE(EVP_PKEY_sign_init(NULL), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_sign_init(ctx), WOLFSSL_SUCCESS); - ExpectIntNE(EVP_PKEY_sign(NULL, sig, &siglen, (byte*)in, inlen), - WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_sign(ctx, sig, &siglen, (byte*)in, inlen), - WOLFSSL_SUCCESS); - - EVP_PKEY_free(pkey); - pkey = NULL; -#if !defined (NO_DSA) && !defined(HAVE_SELFTEST) && defined(WOLFSSL_KEY_GEN) - DSA_free(dsa); - dsa = NULL; -#endif /* !NO_DSA && !HAVE_SELFTEST && WOLFSSL_KEY_GEN */ - EVP_PKEY_CTX_free(ctx_verify); - ctx_verify = NULL; - EVP_PKEY_CTX_free(ctx); - ctx = NULL; - - XFREE(sig, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(sigVerify, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); -#endif /* OPENSSL_EXTRA */ - return EXPECT_RESULT(); -} -#endif - -static int test_wolfSSL_EVP_PKEY_sign_verify_rsa(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) && \ - !defined(HAVE_SELFTEST) -#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) - ExpectIntEQ(test_wolfSSL_EVP_PKEY_sign_verify(EVP_PKEY_RSA), TEST_SUCCESS); -#endif -#endif - return EXPECT_RESULT(); -} -static int test_wolfSSL_EVP_PKEY_sign_verify_dsa(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) -#if !defined (NO_DSA) && !defined(HAVE_SELFTEST) && defined(WOLFSSL_KEY_GEN) - ExpectIntEQ(test_wolfSSL_EVP_PKEY_sign_verify(EVP_PKEY_DSA), TEST_SUCCESS); -#endif -#endif - return EXPECT_RESULT(); -} -static int test_wolfSSL_EVP_PKEY_sign_verify_ec(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && defined(HAVE_ECC) -#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) - ExpectIntEQ(test_wolfSSL_EVP_PKEY_sign_verify(EVP_PKEY_EC), TEST_SUCCESS); -#endif -#endif - return EXPECT_RESULT(); -} - -static int test_EVP_PKEY_rsa(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) - WOLFSSL_RSA* rsa = NULL; - WOLFSSL_EVP_PKEY* pkey = NULL; - - ExpectNotNull(rsa = wolfSSL_RSA_new()); - ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); - ExpectIntEQ(EVP_PKEY_assign_RSA(NULL, rsa), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(EVP_PKEY_assign_RSA(pkey, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(EVP_PKEY_assign_RSA(pkey, rsa), WOLFSSL_SUCCESS); - if (EXPECT_FAIL()) { - wolfSSL_RSA_free(rsa); - } - ExpectPtrEq(EVP_PKEY_get0_RSA(pkey), rsa); - wolfSSL_EVP_PKEY_free(pkey); -#endif - return EXPECT_RESULT(); -} - -static int test_EVP_PKEY_ec(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && defined(HAVE_ECC) -#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) - WOLFSSL_EC_KEY* ecKey = NULL; - WOLFSSL_EVP_PKEY* pkey = NULL; - - ExpectNotNull(ecKey = wolfSSL_EC_KEY_new()); - ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); - ExpectIntEQ(EVP_PKEY_assign_EC_KEY(NULL, ecKey), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(EVP_PKEY_assign_EC_KEY(pkey, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - /* Should fail since ecKey is empty */ - ExpectIntEQ(EVP_PKEY_assign_EC_KEY(pkey, ecKey), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_EC_KEY_generate_key(ecKey), 1); - ExpectIntEQ(EVP_PKEY_assign_EC_KEY(pkey, ecKey), WOLFSSL_SUCCESS); - if (EXPECT_FAIL()) { - wolfSSL_EC_KEY_free(ecKey); - } - wolfSSL_EVP_PKEY_free(pkey); -#endif -#endif - return EXPECT_RESULT(); -} - -static int test_EVP_PKEY_cmp(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) - EVP_PKEY *a = NULL; - EVP_PKEY *b = NULL; - const unsigned char *in; - -#if !defined(NO_RSA) && defined(USE_CERT_BUFFERS_2048) - in = client_key_der_2048; - ExpectNotNull(a = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL, - &in, (long)sizeof_client_key_der_2048)); - in = client_key_der_2048; - ExpectNotNull(b = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL, - &in, (long)sizeof_client_key_der_2048)); - - /* Test success case RSA */ -#if defined(WOLFSSL_ERROR_CODE_OPENSSL) - ExpectIntEQ(EVP_PKEY_cmp(a, b), 1); -#else - ExpectIntEQ(EVP_PKEY_cmp(a, b), 0); -#endif /* WOLFSSL_ERROR_CODE_OPENSSL */ - - EVP_PKEY_free(b); - b = NULL; - EVP_PKEY_free(a); - a = NULL; -#endif - -#if defined(HAVE_ECC) && defined(USE_CERT_BUFFERS_256) - in = ecc_clikey_der_256; - ExpectNotNull(a = wolfSSL_d2i_PrivateKey(EVP_PKEY_EC, NULL, - &in, (long)sizeof_ecc_clikey_der_256)); - in = ecc_clikey_der_256; - ExpectNotNull(b = wolfSSL_d2i_PrivateKey(EVP_PKEY_EC, NULL, - &in, (long)sizeof_ecc_clikey_der_256)); - - /* Test success case ECC */ -#if defined(WOLFSSL_ERROR_CODE_OPENSSL) - ExpectIntEQ(EVP_PKEY_cmp(a, b), 1); -#else - ExpectIntEQ(EVP_PKEY_cmp(a, b), 0); -#endif /* WOLFSSL_ERROR_CODE_OPENSSL */ - - EVP_PKEY_free(b); - b = NULL; - EVP_PKEY_free(a); - a = NULL; -#endif - - /* Test failure cases */ -#if !defined(NO_RSA) && defined(USE_CERT_BUFFERS_2048) && \ - defined(HAVE_ECC) && defined(USE_CERT_BUFFERS_256) - - in = client_key_der_2048; - ExpectNotNull(a = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL, - &in, (long)sizeof_client_key_der_2048)); - in = ecc_clikey_der_256; - ExpectNotNull(b = wolfSSL_d2i_PrivateKey(EVP_PKEY_EC, NULL, - &in, (long)sizeof_ecc_clikey_der_256)); - -#if defined(WOLFSSL_ERROR_CODE_OPENSSL) - ExpectIntEQ(EVP_PKEY_cmp(a, b), -1); -#else - ExpectIntNE(EVP_PKEY_cmp(a, b), 0); -#endif /* WOLFSSL_ERROR_CODE_OPENSSL */ - EVP_PKEY_free(b); - b = NULL; - EVP_PKEY_free(a); - a = NULL; -#endif - - /* invalid or empty failure cases */ - a = EVP_PKEY_new(); - b = EVP_PKEY_new(); -#if defined(WOLFSSL_ERROR_CODE_OPENSSL) - ExpectIntEQ(EVP_PKEY_cmp(NULL, NULL), 0); - ExpectIntEQ(EVP_PKEY_cmp(a, NULL), 0); - ExpectIntEQ(EVP_PKEY_cmp(NULL, b), 0); -#ifdef NO_RSA - /* Type check will fail since RSA is the default EVP key type */ - ExpectIntEQ(EVP_PKEY_cmp(a, b), -2); -#else - ExpectIntEQ(EVP_PKEY_cmp(a, b), 0); -#endif -#else - ExpectIntNE(EVP_PKEY_cmp(NULL, NULL), 0); - ExpectIntNE(EVP_PKEY_cmp(a, NULL), 0); - ExpectIntNE(EVP_PKEY_cmp(NULL, b), 0); - ExpectIntNE(EVP_PKEY_cmp(a, b), 0); -#endif - EVP_PKEY_free(b); - EVP_PKEY_free(a); - - (void)in; -#endif - return EXPECT_RESULT(); -} - static int test_ERR_load_crypto_strings(void) { #if defined(OPENSSL_ALL) @@ -28033,817 +20219,6 @@ static int test_wolfSSL_X509_REQ_print(void) return EXPECT_RESULT(); } -static int test_wolfssl_PKCS7(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_ALL) && defined(HAVE_PKCS7) && !defined(NO_BIO) && \ - !defined(NO_RSA) - PKCS7* pkcs7 = NULL; - byte data[FOURK_BUF]; - word32 len = sizeof(data); - const byte* p = data; - byte content[] = "Test data to encode."; -#if !defined(NO_RSA) & defined(USE_CERT_BUFFERS_2048) - BIO* bio = NULL; - byte key[sizeof(client_key_der_2048)]; - word32 keySz = (word32)sizeof(key); - byte* out = NULL; -#endif - - ExpectIntGT((len = (word32)CreatePKCS7SignedData(data, (int)len, content, - (word32)sizeof(content), 0, 0, 0, RSA_TYPE)), 0); - - ExpectNull(pkcs7 = d2i_PKCS7(NULL, NULL, (int)len)); - ExpectNull(pkcs7 = d2i_PKCS7(NULL, &p, 0)); - ExpectNotNull(pkcs7 = d2i_PKCS7(NULL, &p, (int)len)); - ExpectIntEQ(wolfSSL_PKCS7_verify(NULL, NULL, NULL, NULL, NULL, - PKCS7_NOVERIFY), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - PKCS7_free(pkcs7); - pkcs7 = NULL; - - /* fail case, without PKCS7_NOVERIFY */ - p = data; - ExpectNotNull(pkcs7 = d2i_PKCS7(NULL, &p, (int)len)); - ExpectIntEQ(wolfSSL_PKCS7_verify(pkcs7, NULL, NULL, NULL, NULL, - 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - PKCS7_free(pkcs7); - pkcs7 = NULL; - - /* success case, with PKCS7_NOVERIFY */ - p = data; - ExpectNotNull(pkcs7 = d2i_PKCS7(NULL, &p, (int)len)); - ExpectIntEQ(wolfSSL_PKCS7_verify(pkcs7, NULL, NULL, NULL, NULL, - PKCS7_NOVERIFY), WOLFSSL_SUCCESS); - -#if !defined(NO_RSA) & defined(USE_CERT_BUFFERS_2048) - /* test i2d */ - XMEMCPY(key, client_key_der_2048, keySz); - if (pkcs7 != NULL) { - pkcs7->privateKey = key; - pkcs7->privateKeySz = (word32)sizeof(key); - pkcs7->encryptOID = RSAk; - #ifdef NO_SHA - pkcs7->hashOID = SHA256h; - #else - pkcs7->hashOID = SHAh; - #endif - } - ExpectNotNull(bio = BIO_new(BIO_s_mem())); - ExpectIntEQ(i2d_PKCS7_bio(bio, pkcs7), 1); -#ifndef NO_ASN_TIME - ExpectIntEQ(i2d_PKCS7(pkcs7, &out), 655); -#else - ExpectIntEQ(i2d_PKCS7(pkcs7, &out), 625); -#endif - XFREE(out, NULL, DYNAMIC_TYPE_TMP_BUFFER); - BIO_free(bio); -#endif - - PKCS7_free(NULL); - PKCS7_free(pkcs7); -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_PKCS7_sign(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_ALL) && defined(HAVE_PKCS7) && !defined(NO_BIO) && \ - !defined(NO_FILESYSTEM) && !defined(NO_RSA) - - PKCS7* p7 = NULL; - PKCS7* p7Ver = NULL; - byte* out = NULL; - byte* tmpPtr = NULL; - int outLen = 0; - int flags = 0; - byte data[] = "Test data to encode."; - - const char* cert = "./certs/server-cert.pem"; - const char* key = "./certs/server-key.pem"; - const char* ca = "./certs/ca-cert.pem"; - - WOLFSSL_BIO* certBio = NULL; - WOLFSSL_BIO* keyBio = NULL; - WOLFSSL_BIO* caBio = NULL; - WOLFSSL_BIO* inBio = NULL; - X509* signCert = NULL; - EVP_PKEY* signKey = NULL; - X509* caCert = NULL; - X509_STORE* store = NULL; -#ifndef NO_PKCS7_STREAM - int z; - int ret; -#endif /* !NO_PKCS7_STREAM */ - - /* read signer cert/key into BIO */ - ExpectNotNull(certBio = BIO_new_file(cert, "r")); - ExpectNotNull(keyBio = BIO_new_file(key, "r")); - ExpectNotNull(signCert = PEM_read_bio_X509(certBio, NULL, 0, NULL)); - ExpectNotNull(signKey = PEM_read_bio_PrivateKey(keyBio, NULL, 0, NULL)); - - /* read CA cert into store (for verify) */ - ExpectNotNull(caBio = BIO_new_file(ca, "r")); - ExpectNotNull(caCert = PEM_read_bio_X509(caBio, NULL, 0, NULL)); - ExpectNotNull(store = X509_STORE_new()); - ExpectIntEQ(X509_STORE_add_cert(store, caCert), 1); - - /* data to be signed into BIO */ - ExpectNotNull(inBio = BIO_new(BIO_s_mem())); - ExpectIntGT(BIO_write(inBio, data, sizeof(data)), 0); - - /* PKCS7_sign, bad args: signer NULL */ - ExpectNull(p7 = PKCS7_sign(NULL, signKey, NULL, inBio, 0)); - /* PKCS7_sign, bad args: signer key NULL */ - ExpectNull(p7 = PKCS7_sign(signCert, NULL, NULL, inBio, 0)); - /* PKCS7_sign, bad args: in data NULL without PKCS7_STREAM */ - ExpectNull(p7 = PKCS7_sign(signCert, signKey, NULL, NULL, 0)); - /* PKCS7_sign, bad args: PKCS7_NOCERTS flag not supported */ - ExpectNull(p7 = PKCS7_sign(signCert, signKey, NULL, inBio, PKCS7_NOCERTS)); - /* PKCS7_sign, bad args: PKCS7_PARTIAL flag not supported */ - ExpectNull(p7 = PKCS7_sign(signCert, signKey, NULL, inBio, PKCS7_PARTIAL)); - - /* TEST SUCCESS: Not detached, not streaming, not MIME */ - { - flags = PKCS7_BINARY; - ExpectNotNull(p7 = PKCS7_sign(signCert, signKey, NULL, inBio, flags)); - ExpectIntGT((outLen = i2d_PKCS7(p7, &out)), 0); - - /* verify with d2i_PKCS7 */ - tmpPtr = out; - ExpectNotNull(p7Ver = d2i_PKCS7(NULL, (const byte**)&tmpPtr, outLen)); - ExpectIntEQ(PKCS7_verify(p7Ver, NULL, store, NULL, NULL, flags), 1); - PKCS7_free(p7Ver); - p7Ver = NULL; - - /* verify with wc_PKCS7_VerifySignedData */ - ExpectNotNull(p7Ver = wc_PKCS7_New(HEAP_HINT, testDevId)); - ExpectIntEQ(wc_PKCS7_Init(p7Ver, HEAP_HINT, INVALID_DEVID), 0); - ExpectIntEQ(wc_PKCS7_VerifySignedData(p7Ver, out, (word32)outLen), 0); - - #ifndef NO_PKCS7_STREAM - /* verify with wc_PKCS7_VerifySignedData streaming */ - wc_PKCS7_Free(p7Ver); - p7Ver = NULL; - ExpectNotNull(p7Ver = wc_PKCS7_New(HEAP_HINT, testDevId)); - ExpectIntEQ(wc_PKCS7_Init(p7Ver, HEAP_HINT, INVALID_DEVID), 0); - /* test for streaming */ - ret = -1; - for (z = 0; z < outLen && ret != 0; z++) { - ret = wc_PKCS7_VerifySignedData(p7Ver, out + z, 1); - if (ret < 0){ - ExpectIntEQ(ret, WC_NO_ERR_TRACE(WC_PKCS7_WANT_READ_E)); - } - } - ExpectIntEQ(ret, 0); - #endif /* !NO_PKCS7_STREAM */ - - /* compare the signer found to expected signer */ - ExpectIntNE(p7Ver->verifyCertSz, 0); - tmpPtr = NULL; - ExpectIntEQ(i2d_X509(signCert, &tmpPtr), p7Ver->verifyCertSz); - ExpectIntEQ(XMEMCMP(tmpPtr, p7Ver->verifyCert, p7Ver->verifyCertSz), 0); - XFREE(tmpPtr, NULL, DYNAMIC_TYPE_OPENSSL); - tmpPtr = NULL; - - wc_PKCS7_Free(p7Ver); - p7Ver = NULL; - - ExpectNotNull(out); - XFREE(out, NULL, DYNAMIC_TYPE_TMP_BUFFER); - out = NULL; - PKCS7_free(p7); - p7 = NULL; - } - - /* TEST SUCCESS: Not detached, streaming, not MIME. Also bad arg - * tests for PKCS7_final() while we have a PKCS7 pointer to use */ - { - /* re-populate input BIO, may have been consumed */ - BIO_free(inBio); - inBio = NULL; - ExpectNotNull(inBio = BIO_new(BIO_s_mem())); - ExpectIntGT(BIO_write(inBio, data, sizeof(data)), 0); - - flags = PKCS7_BINARY | PKCS7_STREAM; - ExpectNotNull(p7 = PKCS7_sign(signCert, signKey, NULL, inBio, flags)); - ExpectIntEQ(PKCS7_final(p7, inBio, flags), 1); - ExpectIntGT((outLen = i2d_PKCS7(p7, &out)), 0); - - /* PKCS7_final, bad args: PKCS7 null */ - ExpectIntEQ(PKCS7_final(NULL, inBio, 0), 0); - /* PKCS7_final, bad args: PKCS7 null */ - ExpectIntEQ(PKCS7_final(p7, NULL, 0), 0); - - tmpPtr = out; - ExpectNotNull(p7Ver = d2i_PKCS7(NULL, (const byte**)&tmpPtr, outLen)); - ExpectIntEQ(PKCS7_verify(p7Ver, NULL, store, NULL, NULL, flags), 1); - PKCS7_free(p7Ver); - p7Ver = NULL; - - ExpectNotNull(out); - XFREE(out, NULL, DYNAMIC_TYPE_TMP_BUFFER); - out = NULL; - PKCS7_free(p7); - p7 = NULL; - } - - /* TEST SUCCESS: Detached, not streaming, not MIME */ - { - /* re-populate input BIO, may have been consumed */ - BIO_free(inBio); - inBio = NULL; - ExpectNotNull(inBio = BIO_new(BIO_s_mem())); - ExpectIntGT(BIO_write(inBio, data, sizeof(data)), 0); - - flags = PKCS7_BINARY | PKCS7_DETACHED; - ExpectNotNull(p7 = PKCS7_sign(signCert, signKey, NULL, inBio, flags)); - ExpectIntGT((outLen = i2d_PKCS7(p7, &out)), 0); - ExpectNotNull(out); - - /* verify with wolfCrypt, d2i_PKCS7 does not support detached content */ - ExpectNotNull(p7Ver = wc_PKCS7_New(HEAP_HINT, testDevId)); - if (p7Ver != NULL) { - p7Ver->content = data; - p7Ver->contentSz = sizeof(data); - } - ExpectIntEQ(wc_PKCS7_VerifySignedData(p7Ver, out, (word32)outLen), 0); - wc_PKCS7_Free(p7Ver); - p7Ver = NULL; - - #ifndef NO_PKCS7_STREAM - /* verify with wc_PKCS7_VerifySignedData streaming */ - ExpectNotNull(p7Ver = wc_PKCS7_New(HEAP_HINT, testDevId)); - if (p7Ver != NULL) { - p7Ver->content = data; - p7Ver->contentSz = sizeof(data); - } - /* test for streaming */ - if (EXPECT_SUCCESS()) { - ret = -1; - for (z = 0; z < outLen && ret != 0; z++) { - ret = wc_PKCS7_VerifySignedData(p7Ver, out + z, 1); - if (ret < 0){ - ExpectIntEQ(ret, WC_NO_ERR_TRACE(WC_PKCS7_WANT_READ_E)); - } - } - ExpectIntEQ(ret, 0); - } - wc_PKCS7_Free(p7Ver); - p7Ver = NULL; - #endif /* !NO_PKCS7_STREAM */ - - /* verify expected failure (NULL return) from d2i_PKCS7, it does not - * yet support detached content */ - tmpPtr = out; - ExpectNull(p7Ver = d2i_PKCS7(NULL, (const byte**)&tmpPtr, outLen)); - PKCS7_free(p7Ver); - p7Ver = NULL; - - XFREE(out, NULL, DYNAMIC_TYPE_TMP_BUFFER); - out = NULL; - PKCS7_free(p7); - p7 = NULL; - } - - /* TEST SUCCESS: Detached, streaming, not MIME */ - { - /* re-populate input BIO, may have been consumed */ - BIO_free(inBio); - inBio = NULL; - ExpectNotNull(inBio = BIO_new(BIO_s_mem())); - ExpectIntGT(BIO_write(inBio, data, sizeof(data)), 0); - - flags = PKCS7_BINARY | PKCS7_DETACHED | PKCS7_STREAM; - ExpectNotNull(p7 = PKCS7_sign(signCert, signKey, NULL, inBio, flags)); - ExpectIntEQ(PKCS7_final(p7, inBio, flags), 1); - ExpectIntGT((outLen = i2d_PKCS7(p7, &out)), 0); - - /* verify with wolfCrypt, d2i_PKCS7 does not support detached content */ - ExpectNotNull(p7Ver = wc_PKCS7_New(HEAP_HINT, testDevId)); - if (p7Ver != NULL) { - p7Ver->content = data; - p7Ver->contentSz = sizeof(data); - } - ExpectIntEQ(wc_PKCS7_VerifySignedData(p7Ver, out, (word32)outLen), 0); - wc_PKCS7_Free(p7Ver); - p7Ver = NULL; - - ExpectNotNull(out); - - #ifndef NO_PKCS7_STREAM - /* verify with wc_PKCS7_VerifySignedData streaming */ - ExpectNotNull(p7Ver = wc_PKCS7_New(HEAP_HINT, testDevId)); - if (p7Ver != NULL) { - p7Ver->content = data; - p7Ver->contentSz = sizeof(data); - } - /* test for streaming */ - if (EXPECT_SUCCESS()) { - ret = -1; - for (z = 0; z < outLen && ret != 0; z++) { - ret = wc_PKCS7_VerifySignedData(p7Ver, out + z, 1); - if (ret < 0){ - ExpectIntEQ(ret, WC_NO_ERR_TRACE(WC_PKCS7_WANT_READ_E)); - } - } - ExpectIntEQ(ret, 0); - } - wc_PKCS7_Free(p7Ver); - p7Ver = NULL; - #endif /* !NO_PKCS7_STREAM */ - - XFREE(out, NULL, DYNAMIC_TYPE_TMP_BUFFER); - PKCS7_free(p7); - p7 = NULL; - } - - X509_STORE_free(store); - X509_free(caCert); - X509_free(signCert); - EVP_PKEY_free(signKey); - BIO_free(inBio); - BIO_free(keyBio); - BIO_free(certBio); - BIO_free(caBio); -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_PKCS7_SIGNED_new(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_ALL) && defined(HAVE_PKCS7) - PKCS7_SIGNED* pkcs7 = NULL; - - ExpectNotNull(pkcs7 = PKCS7_SIGNED_new()); - ExpectIntEQ(pkcs7->contentOID, SIGNED_DATA); - - PKCS7_SIGNED_free(pkcs7); -#endif - return EXPECT_RESULT(); -} - -#ifndef NO_BIO - -static int test_wolfSSL_PEM_write_bio_encryptedKey(void) -{ - EXPECT_DECLS; -#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)) && \ - defined(WOLFSSL_KEY_GEN) && !defined(NO_RSA) && \ - defined(WOLFSSL_ENCRYPTED_KEYS) && \ - (defined(WOLFSSL_PEM_TO_DER) || defined(WOLFSSL_DER_TO_PEM)) && \ - !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \ - !defined(NO_DES3) - RSA* rsaKey = NULL; - RSA* retKey = NULL; - const EVP_CIPHER *cipher = NULL; - BIO* bio = NULL; - BIO* retbio = NULL; - byte* out; - const char* password = "wolfssl"; - word32 passwordSz =(word32)XSTRLEN((char*)password); - int membufSz = 0; - -#if defined(USE_CERT_BUFFERS_2048) - const byte* key = client_key_der_2048; - word32 keySz = sizeof_client_key_der_2048; -#elif defined(USE_CERT_BUFFERS_1024) - const byte* key = client_key_der_1024; - word32 keySz = sizeof_client_key_der_1024; -#endif - /* Import Rsa Key */ - ExpectNotNull(rsaKey = wolfSSL_RSA_new()); - ExpectIntEQ(wolfSSL_RSA_LoadDer_ex(rsaKey, key, keySz, - WOLFSSL_RSA_LOAD_PRIVATE), 1); - - ExpectNotNull(cipher = EVP_des_ede3_cbc()); - ExpectNotNull(bio = BIO_new(BIO_s_mem())); - ExpectIntEQ(PEM_write_bio_RSAPrivateKey(bio, rsaKey, cipher, - (byte*)password, passwordSz, NULL, NULL), 1); - ExpectIntGT((membufSz = BIO_get_mem_data(bio, &out)), 0); - ExpectNotNull(retbio = BIO_new_mem_buf(out, membufSz)); - ExpectNotNull((retKey = PEM_read_bio_RSAPrivateKey(retbio, NULL, - NULL, (void*)password))); - if (bio != NULL) { - BIO_free(bio); - } - if (retbio != NULL) { - BIO_free(retbio); - } - if (retKey != NULL) { - RSA_free(retKey); - } - if (rsaKey != NULL) { - RSA_free(rsaKey); - } -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_PEM_write_bio_PKCS7(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_ALL) && defined(HAVE_PKCS7) && !defined(NO_FILESYSTEM) - PKCS7* pkcs7 = NULL; - BIO* bio = NULL; - const byte* cert_buf = NULL; - int ret = 0; - WC_RNG rng; - const byte data[] = { /* Hello World */ - 0x48,0x65,0x6c,0x6c,0x6f,0x20,0x57,0x6f, - 0x72,0x6c,0x64 - }; -#ifndef NO_RSA - #if defined(USE_CERT_BUFFERS_2048) - byte key[sizeof(client_key_der_2048)]; - byte cert[sizeof(client_cert_der_2048)]; - word32 keySz = (word32)sizeof(key); - word32 certSz = (word32)sizeof(cert); - XMEMSET(key, 0, keySz); - XMEMSET(cert, 0, certSz); - XMEMCPY(key, client_key_der_2048, keySz); - XMEMCPY(cert, client_cert_der_2048, certSz); - #elif defined(USE_CERT_BUFFERS_1024) - byte key[sizeof_client_key_der_1024]; - byte cert[sizeof(sizeof_client_cert_der_1024)]; - word32 keySz = (word32)sizeof(key); - word32 certSz = (word32)sizeof(cert); - XMEMSET(key, 0, keySz); - XMEMSET(cert, 0, certSz); - XMEMCPY(key, client_key_der_1024, keySz); - XMEMCPY(cert, client_cert_der_1024, certSz); - #else - unsigned char cert[ONEK_BUF]; - unsigned char key[ONEK_BUF]; - XFILE fp = XBADFILE; - int certSz; - int keySz; - - ExpectTrue((fp = XFOPEN("./certs/1024/client-cert.der", "rb")) != - XBADFILE); - ExpectIntGT(certSz = (int)XFREAD(cert, 1, sizeof_client_cert_der_1024, - fp), 0); - if (fp != XBADFILE) { - XFCLOSE(fp); - fp = XBADFILE; - } - - ExpectTrue((fp = XFOPEN("./certs/1024/client-key.der", "rb")) != - XBADFILE); - ExpectIntGT(keySz = (int)XFREAD(key, 1, sizeof_client_key_der_1024, fp), - 0); - if (fp != XBADFILE) { - XFCLOSE(fp); - fp = XBADFILE; - } - #endif -#elif defined(HAVE_ECC) - #if defined(USE_CERT_BUFFERS_256) - unsigned char cert[sizeof(cliecc_cert_der_256)]; - unsigned char key[sizeof(ecc_clikey_der_256)]; - int certSz = (int)sizeof(cert); - int keySz = (int)sizeof(key); - XMEMSET(cert, 0, certSz); - XMEMSET(key, 0, keySz); - XMEMCPY(cert, cliecc_cert_der_256, sizeof_cliecc_cert_der_256); - XMEMCPY(key, ecc_clikey_der_256, sizeof_ecc_clikey_der_256); - #else - unsigned char cert[ONEK_BUF]; - unsigned char key[ONEK_BUF]; - XFILE fp = XBADFILE; - int certSz, keySz; - - ExpectTrue((fp = XFOPEN("./certs/client-ecc-cert.der", "rb")) != - XBADFILE); - ExpectIntGT(certSz = (int)XFREAD(cert, 1, sizeof_cliecc_cert_der_256, - fp), 0); - if (fp != XBADFILE) { - XFCLOSE(fp); - fp = XBADFILE; - } - - ExpectTrue((fp = XFOPEN("./certs/client-ecc-key.der", "rb")) != - XBADFILE); - ExpectIntGT(keySz = (int)XFREAD(key, 1, sizeof_ecc_clikey_der_256, fp), - 0); - if (fp != XBADFILE) { - XFCLOSE(fp); - fp = XBADFILE; - } - #endif -#else - #error PKCS7 requires ECC or RSA -#endif - - ExpectNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, testDevId)); - /* initialize with DER encoded cert */ - ExpectIntEQ(wc_PKCS7_InitWithCert(pkcs7, (byte*)cert, (word32)certSz), 0); - - /* init rng */ - XMEMSET(&rng, 0, sizeof(WC_RNG)); - ExpectIntEQ(wc_InitRng(&rng), 0); - - if (pkcs7 != NULL) { - pkcs7->rng = &rng; - pkcs7->content = (byte*)data; /* not used for ex */ - pkcs7->contentSz = (word32)sizeof(data); - pkcs7->contentOID = SIGNED_DATA; - pkcs7->privateKey = key; - pkcs7->privateKeySz = (word32)sizeof(key); - pkcs7->encryptOID = RSAk; - #ifdef NO_SHA - pkcs7->hashOID = SHA256h; - #else - pkcs7->hashOID = SHAh; - #endif - pkcs7->signedAttribs = NULL; - pkcs7->signedAttribsSz = 0; - } - - ExpectNotNull(bio = BIO_new(BIO_s_mem())); - /* Write PKCS#7 PEM to BIO, the function converts the DER to PEM cert*/ - ExpectIntEQ(PEM_write_bio_PKCS7(bio, pkcs7), WOLFSSL_SUCCESS); - - /* Read PKCS#7 PEM from BIO */ - ret = wolfSSL_BIO_get_mem_data(bio, &cert_buf); - ExpectIntGE(ret, 0); - - BIO_free(bio); - wc_PKCS7_Free(pkcs7); - wc_FreeRng(&rng); -#endif - return EXPECT_RESULT(); -} - -#ifdef HAVE_SMIME -/* // NOLINTBEGIN(clang-analyzer-unix.Stream) */ -static int test_wolfSSL_SMIME_read_PKCS7(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_ALL) && defined(HAVE_PKCS7) && !defined(NO_FILESYSTEM) && \ - !defined(NO_RSA) - PKCS7* pkcs7 = NULL; - BIO* bio = NULL; - BIO* bcont = NULL; - BIO* out = NULL; - const byte* outBuf = NULL; - int outBufLen = 0; - static const char contTypeText[] = "Content-Type: text/plain\r\n\r\n"; - XFILE smimeTestFile = XBADFILE; - - ExpectTrue((smimeTestFile = XFOPEN("./certs/test/smime-test.p7s", "rb")) != - XBADFILE); - - /* smime-test.p7s */ - bio = wolfSSL_BIO_new(wolfSSL_BIO_s_file()); - ExpectNotNull(bio); - ExpectIntEQ(wolfSSL_BIO_set_fp(bio, smimeTestFile, BIO_CLOSE), SSL_SUCCESS); - pkcs7 = wolfSSL_SMIME_read_PKCS7(bio, &bcont); - ExpectNotNull(pkcs7); - ExpectIntEQ(wolfSSL_PKCS7_verify(pkcs7, NULL, NULL, bcont, NULL, - PKCS7_NOVERIFY), SSL_SUCCESS); - if (smimeTestFile != XBADFILE) { - XFCLOSE(smimeTestFile); - smimeTestFile = XBADFILE; - } - if (bcont) BIO_free(bcont); - bcont = NULL; - wolfSSL_PKCS7_free(pkcs7); - pkcs7 = NULL; - - /* smime-test-multipart.p7s */ - smimeTestFile = XFOPEN("./certs/test/smime-test-multipart.p7s", "rb"); - ExpectFalse(smimeTestFile == XBADFILE); - ExpectIntEQ(wolfSSL_BIO_set_fp(bio, smimeTestFile, BIO_CLOSE), SSL_SUCCESS); - pkcs7 = wolfSSL_SMIME_read_PKCS7(bio, &bcont); - ExpectNotNull(pkcs7); - ExpectIntEQ(wolfSSL_PKCS7_verify(pkcs7, NULL, NULL, bcont, NULL, - PKCS7_NOVERIFY), SSL_SUCCESS); - if (smimeTestFile != XBADFILE) { - XFCLOSE(smimeTestFile); - smimeTestFile = XBADFILE; - } - if (bcont) BIO_free(bcont); - bcont = NULL; - wolfSSL_PKCS7_free(pkcs7); - pkcs7 = NULL; - - /* smime-test-multipart-badsig.p7s */ - smimeTestFile = XFOPEN("./certs/test/smime-test-multipart-badsig.p7s", - "rb"); - ExpectFalse(smimeTestFile == XBADFILE); - ExpectIntEQ(wolfSSL_BIO_set_fp(bio, smimeTestFile, BIO_CLOSE), SSL_SUCCESS); - pkcs7 = wolfSSL_SMIME_read_PKCS7(bio, &bcont); - ExpectNotNull(pkcs7); /* can read in the unverified smime bundle */ - ExpectIntEQ(wolfSSL_PKCS7_verify(pkcs7, NULL, NULL, bcont, NULL, - PKCS7_NOVERIFY), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - if (smimeTestFile != XBADFILE) { - XFCLOSE(smimeTestFile); - smimeTestFile = XBADFILE; - } - if (bcont) BIO_free(bcont); - bcont = NULL; - wolfSSL_PKCS7_free(pkcs7); - pkcs7 = NULL; - - /* smime-test-canon.p7s */ - smimeTestFile = XFOPEN("./certs/test/smime-test-canon.p7s", "rb"); - ExpectFalse(smimeTestFile == XBADFILE); - ExpectIntEQ(wolfSSL_BIO_set_fp(bio, smimeTestFile, BIO_CLOSE), SSL_SUCCESS); - pkcs7 = wolfSSL_SMIME_read_PKCS7(bio, &bcont); - ExpectNotNull(pkcs7); - ExpectIntEQ(wolfSSL_PKCS7_verify(pkcs7, NULL, NULL, bcont, NULL, - PKCS7_NOVERIFY), SSL_SUCCESS); - if (smimeTestFile != XBADFILE) { - XFCLOSE(smimeTestFile); - smimeTestFile = XBADFILE; - } - if (bcont) BIO_free(bcont); - bcont = NULL; - wolfSSL_PKCS7_free(pkcs7); - pkcs7 = NULL; - - /* Test PKCS7_TEXT, PKCS7_verify() should remove Content-Type: text/plain */ - smimeTestFile = XFOPEN("./certs/test/smime-test-canon.p7s", "rb"); - ExpectFalse(smimeTestFile == XBADFILE); - ExpectIntEQ(wolfSSL_BIO_set_fp(bio, smimeTestFile, BIO_CLOSE), SSL_SUCCESS); - pkcs7 = wolfSSL_SMIME_read_PKCS7(bio, &bcont); - ExpectNotNull(pkcs7); - out = wolfSSL_BIO_new(BIO_s_mem()); - ExpectNotNull(out); - ExpectIntEQ(wolfSSL_PKCS7_verify(pkcs7, NULL, NULL, bcont, out, - PKCS7_NOVERIFY | PKCS7_TEXT), SSL_SUCCESS); - ExpectIntGT((outBufLen = BIO_get_mem_data(out, &outBuf)), 0); - /* Content-Type should not show up at beginning of output buffer */ - ExpectIntGT(outBufLen, XSTRLEN(contTypeText)); - ExpectIntGT(XMEMCMP(outBuf, contTypeText, XSTRLEN(contTypeText)), 0); - - BIO_free(out); - BIO_free(bio); - if (bcont) BIO_free(bcont); - wolfSSL_PKCS7_free(pkcs7); -#endif - return EXPECT_RESULT(); -} -/* // NOLINTEND(clang-analyzer-unix.Stream) */ - -static int test_wolfSSL_SMIME_write_PKCS7(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_ALL) && defined(HAVE_PKCS7) && !defined(NO_RSA) - PKCS7* p7 = NULL; - PKCS7* p7Ver = NULL; - int flags = 0; - byte data[] = "Test data to encode."; - - const char* cert = "./certs/server-cert.pem"; - const char* key = "./certs/server-key.pem"; - const char* ca = "./certs/ca-cert.pem"; - - WOLFSSL_BIO* certBio = NULL; - WOLFSSL_BIO* keyBio = NULL; - WOLFSSL_BIO* caBio = NULL; - WOLFSSL_BIO* inBio = NULL; - WOLFSSL_BIO* outBio = NULL; - WOLFSSL_BIO* content = NULL; - X509* signCert = NULL; - EVP_PKEY* signKey = NULL; - X509* caCert = NULL; - X509_STORE* store = NULL; - - /* read signer cert/key into BIO */ - ExpectNotNull(certBio = BIO_new_file(cert, "r")); - ExpectNotNull(keyBio = BIO_new_file(key, "r")); - ExpectNotNull(signCert = PEM_read_bio_X509(certBio, NULL, 0, NULL)); - ExpectNotNull(signKey = PEM_read_bio_PrivateKey(keyBio, NULL, 0, NULL)); - - /* read CA cert into store (for verify) */ - ExpectNotNull(caBio = BIO_new_file(ca, "r")); - ExpectNotNull(caCert = PEM_read_bio_X509(caBio, NULL, 0, NULL)); - ExpectNotNull(store = X509_STORE_new()); - ExpectIntEQ(X509_STORE_add_cert(store, caCert), 1); - - - /* generate and verify SMIME: not detached */ - { - ExpectNotNull(inBio = BIO_new(BIO_s_mem())); - ExpectIntGT(BIO_write(inBio, data, sizeof(data)), 0); - - flags = PKCS7_STREAM; - ExpectNotNull(p7 = PKCS7_sign(signCert, signKey, NULL, inBio, flags)); - ExpectNotNull(outBio = BIO_new(BIO_s_mem())); - ExpectIntEQ(SMIME_write_PKCS7(outBio, p7, inBio, flags), 1); - - /* bad arg: out NULL */ - ExpectIntEQ(SMIME_write_PKCS7(NULL, p7, inBio, flags), 0); - /* bad arg: pkcs7 NULL */ - ExpectIntEQ(SMIME_write_PKCS7(outBio, NULL, inBio, flags), 0); - - ExpectNotNull(p7Ver = SMIME_read_PKCS7(outBio, &content)); - ExpectIntEQ(PKCS7_verify(p7Ver, NULL, store, NULL, NULL, flags), 1); - - BIO_free(content); - content = NULL; - BIO_free(inBio); - inBio = NULL; - BIO_free(outBio); - outBio = NULL; - PKCS7_free(p7Ver); - p7Ver = NULL; - PKCS7_free(p7); - p7 = NULL; - } - - /* generate and verify SMIME: not detached, add Content-Type */ - { - ExpectNotNull(inBio = BIO_new(BIO_s_mem())); - ExpectIntGT(BIO_write(inBio, data, sizeof(data)), 0); - - flags = PKCS7_STREAM | PKCS7_TEXT; - ExpectNotNull(p7 = PKCS7_sign(signCert, signKey, NULL, inBio, flags)); - ExpectNotNull(outBio = BIO_new(BIO_s_mem())); - ExpectIntEQ(SMIME_write_PKCS7(outBio, p7, inBio, flags), 1); - - ExpectNotNull(p7Ver = SMIME_read_PKCS7(outBio, &content)); - ExpectIntEQ(PKCS7_verify(p7Ver, NULL, store, NULL, NULL, flags), 1); - - BIO_free(content); - content = NULL; - BIO_free(inBio); - inBio = NULL; - BIO_free(outBio); - outBio = NULL; - PKCS7_free(p7Ver); - p7Ver = NULL; - PKCS7_free(p7); - p7 = NULL; - } - - /* generate and verify SMIME: detached */ - { - ExpectNotNull(inBio = BIO_new(BIO_s_mem())); - ExpectIntGT(BIO_write(inBio, data, sizeof(data)), 0); - - flags = PKCS7_DETACHED | PKCS7_STREAM; - ExpectNotNull(p7 = PKCS7_sign(signCert, signKey, NULL, inBio, flags)); - ExpectNotNull(outBio = BIO_new(BIO_s_mem())); - ExpectIntEQ(SMIME_write_PKCS7(outBio, p7, inBio, flags), 1); - - ExpectNotNull(p7Ver = SMIME_read_PKCS7(outBio, &content)); - ExpectIntEQ(PKCS7_verify(p7Ver, NULL, store, content, NULL, flags), 1); - - BIO_free(content); - content = NULL; - BIO_free(inBio); - inBio = NULL; - BIO_free(outBio); - outBio = NULL; - PKCS7_free(p7Ver); - p7Ver = NULL; - PKCS7_free(p7); - p7 = NULL; - } - - /* generate and verify SMIME: PKCS7_TEXT to add Content-Type header */ - { - ExpectNotNull(inBio = BIO_new(BIO_s_mem())); - ExpectIntGT(BIO_write(inBio, data, sizeof(data)), 0); - - flags = PKCS7_STREAM | PKCS7_DETACHED | PKCS7_TEXT; - ExpectNotNull(p7 = PKCS7_sign(signCert, signKey, NULL, inBio, flags)); - ExpectNotNull(outBio = BIO_new(BIO_s_mem())); - ExpectIntEQ(SMIME_write_PKCS7(outBio, p7, inBio, flags), 1); - - ExpectNotNull(p7Ver = SMIME_read_PKCS7(outBio, &content)); - ExpectIntEQ(PKCS7_verify(p7Ver, NULL, store, content, NULL, flags), 1); - - BIO_free(content); - content = NULL; - BIO_free(inBio); - inBio = NULL; - BIO_free(outBio); - outBio = NULL; - PKCS7_free(p7Ver); - p7Ver = NULL; - PKCS7_free(p7); - p7 = NULL; - } - - X509_STORE_free(store); - X509_free(caCert); - X509_free(signCert); - EVP_PKEY_free(signKey); - BIO_free(keyBio); - BIO_free(certBio); - BIO_free(caBio); -#endif - return EXPECT_RESULT(); -} -#endif /* HAVE_SMIME */ -#endif /* !NO_BIO */ - - /*----------------------------------------------------------------------------* | Certificate Failure Checks *----------------------------------------------------------------------------*/ @@ -29573,1436 +20948,6 @@ static int test_wolfSSL_PEM_read(void) return EXPECT_RESULT(); } -static int test_wolfssl_EVP_aes_gcm_AAD_2_parts(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_AES) && defined(HAVE_AESGCM) && \ - !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS) - const byte iv[12] = { 0 }; - const byte key[16] = { 0 }; - const byte cleartext[16] = { 0 }; - const byte aad[] = { - 0x01, 0x10, 0x00, 0x2a, 0x08, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, - 0x00, 0x00, 0xdc, 0x4d, 0xad, 0x6b, 0x06, 0x93, - 0x4f - }; - byte out1Part[16]; - byte outTag1Part[16]; - byte out2Part[16]; - byte outTag2Part[16]; - byte decryptBuf[16]; - int len = 0; - int tlen; - EVP_CIPHER_CTX* ctx = NULL; - - /* ENCRYPT */ - /* Send AAD and data in 1 part */ - ExpectNotNull(ctx = EVP_CIPHER_CTX_new()); - tlen = 0; - ExpectIntEQ(EVP_EncryptInit_ex(ctx, EVP_aes_128_gcm(), NULL, NULL, NULL), - 1); - ExpectIntEQ(EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv), 1); - ExpectIntEQ(EVP_EncryptUpdate(ctx, NULL, &len, aad, sizeof(aad)), 1); - ExpectIntEQ(EVP_EncryptUpdate(ctx, out1Part, &len, cleartext, - sizeof(cleartext)), 1); - tlen += len; - ExpectIntEQ(EVP_EncryptFinal_ex(ctx, out1Part, &len), 1); - tlen += len; - ExpectIntEQ(tlen, sizeof(cleartext)); - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, 16, - outTag1Part), 1); - EVP_CIPHER_CTX_free(ctx); - ctx = NULL; - - /* DECRYPT */ - /* Send AAD and data in 1 part */ - ExpectNotNull(ctx = EVP_CIPHER_CTX_new()); - tlen = 0; - ExpectIntEQ(EVP_DecryptInit_ex(ctx, EVP_aes_128_gcm(), NULL, NULL, NULL), - 1); - ExpectIntEQ(EVP_DecryptInit_ex(ctx, NULL, NULL, key, iv), 1); - ExpectIntEQ(EVP_DecryptUpdate(ctx, NULL, &len, aad, sizeof(aad)), 1); - ExpectIntEQ(EVP_DecryptUpdate(ctx, decryptBuf, &len, out1Part, - sizeof(cleartext)), 1); - tlen += len; - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, 16, - outTag1Part), 1); - ExpectIntEQ(EVP_DecryptFinal_ex(ctx, decryptBuf, &len), 1); - tlen += len; - ExpectIntEQ(tlen, sizeof(cleartext)); - EVP_CIPHER_CTX_free(ctx); - ctx = NULL; - - ExpectIntEQ(XMEMCMP(decryptBuf, cleartext, len), 0); - - /* ENCRYPT */ - /* Send AAD and data in 2 parts */ - ExpectNotNull(ctx = EVP_CIPHER_CTX_new()); - tlen = 0; - ExpectIntEQ(EVP_EncryptInit_ex(ctx, EVP_aes_128_gcm(), NULL, NULL, NULL), - 1); - ExpectIntEQ(EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv), 1); - ExpectIntEQ(EVP_EncryptUpdate(ctx, NULL, &len, aad, 1), 1); - ExpectIntEQ(EVP_EncryptUpdate(ctx, NULL, &len, aad + 1, sizeof(aad) - 1), - 1); - ExpectIntEQ(EVP_EncryptUpdate(ctx, out2Part, &len, cleartext, 1), 1); - tlen += len; - ExpectIntEQ(EVP_EncryptUpdate(ctx, out2Part + tlen, &len, cleartext + 1, - sizeof(cleartext) - 1), 1); - tlen += len; - ExpectIntEQ(EVP_EncryptFinal_ex(ctx, out2Part + tlen, &len), 1); - tlen += len; - ExpectIntEQ(tlen, sizeof(cleartext)); - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, 16, - outTag2Part), 1); - - ExpectIntEQ(XMEMCMP(out1Part, out2Part, sizeof(out1Part)), 0); - ExpectIntEQ(XMEMCMP(outTag1Part, outTag2Part, sizeof(outTag1Part)), 0); - EVP_CIPHER_CTX_free(ctx); - ctx = NULL; - - /* DECRYPT */ - /* Send AAD and data in 2 parts */ - ExpectNotNull(ctx = EVP_CIPHER_CTX_new()); - tlen = 0; - ExpectIntEQ(EVP_DecryptInit_ex(ctx, EVP_aes_128_gcm(), NULL, NULL, NULL), - 1); - ExpectIntEQ(EVP_DecryptInit_ex(ctx, NULL, NULL, key, iv), 1); - ExpectIntEQ(EVP_DecryptUpdate(ctx, NULL, &len, aad, 1), 1); - ExpectIntEQ(EVP_DecryptUpdate(ctx, NULL, &len, aad + 1, sizeof(aad) - 1), - 1); - ExpectIntEQ(EVP_DecryptUpdate(ctx, decryptBuf, &len, out1Part, 1), 1); - tlen += len; - ExpectIntEQ(EVP_DecryptUpdate(ctx, decryptBuf + tlen, &len, out1Part + 1, - sizeof(cleartext) - 1), 1); - tlen += len; - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, 16, - outTag1Part), 1); - ExpectIntEQ(EVP_DecryptFinal_ex(ctx, decryptBuf + tlen, &len), 1); - tlen += len; - ExpectIntEQ(tlen, sizeof(cleartext)); - - ExpectIntEQ(XMEMCMP(decryptBuf, cleartext, len), 0); - - /* Test AAD reuse */ - EVP_CIPHER_CTX_free(ctx); -#endif - return EXPECT_RESULT(); -} - -static int test_wolfssl_EVP_aes_gcm_zeroLen(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_AES) && defined(HAVE_AESGCM) && \ - !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS) && defined(WOLFSSL_AES_256) - /* Zero length plain text */ - byte key[] = { - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 - }; /* align */ - byte iv[] = { - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 - }; /* align */ - byte plaintxt[1]; - int ivSz = 12; - int plaintxtSz = 0; - unsigned char tag[16]; - unsigned char tag_kat[] = { - 0x53,0x0f,0x8a,0xfb,0xc7,0x45,0x36,0xb9, - 0xa9,0x63,0xb4,0xf1,0xc4,0xcb,0x73,0x8b - }; - - byte ciphertxt[AES_BLOCK_SIZE * 4] = {0}; - byte decryptedtxt[AES_BLOCK_SIZE * 4] = {0}; - int ciphertxtSz = 0; - int decryptedtxtSz = 0; - int len = 0; - - EVP_CIPHER_CTX *en = EVP_CIPHER_CTX_new(); - EVP_CIPHER_CTX *de = EVP_CIPHER_CTX_new(); - - ExpectIntEQ(1, EVP_EncryptInit_ex(en, EVP_aes_256_gcm(), NULL, key, iv)); - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(en, EVP_CTRL_GCM_SET_IVLEN, ivSz, NULL)); - ExpectIntEQ(1, EVP_EncryptUpdate(en, ciphertxt, &ciphertxtSz , plaintxt, - plaintxtSz)); - ExpectIntEQ(1, EVP_EncryptFinal_ex(en, ciphertxt, &len)); - ciphertxtSz += len; - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(en, EVP_CTRL_GCM_GET_TAG, 16, tag)); - ExpectIntEQ(1, EVP_CIPHER_CTX_cleanup(en)); - - ExpectIntEQ(0, ciphertxtSz); - ExpectIntEQ(0, XMEMCMP(tag, tag_kat, sizeof(tag))); - - EVP_CIPHER_CTX_init(de); - ExpectIntEQ(1, EVP_DecryptInit_ex(de, EVP_aes_256_gcm(), NULL, key, iv)); - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(de, EVP_CTRL_GCM_SET_IVLEN, ivSz, NULL)); - ExpectIntEQ(1, EVP_DecryptUpdate(de, NULL, &len, ciphertxt, len)); - decryptedtxtSz = len; - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(de, EVP_CTRL_GCM_SET_TAG, 16, tag)); - ExpectIntEQ(1, EVP_DecryptFinal_ex(de, decryptedtxt, &len)); - decryptedtxtSz += len; - ExpectIntEQ(0, decryptedtxtSz); - - EVP_CIPHER_CTX_free(en); - EVP_CIPHER_CTX_free(de); -#endif - return EXPECT_RESULT(); -} - -static int test_wolfssl_EVP_aes_gcm(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_AES) && defined(HAVE_AESGCM) && \ - !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS) - /* A 256 bit key, AES_128 will use the first 128 bit*/ - byte *key = (byte*)"01234567890123456789012345678901"; - /* A 128 bit IV */ - byte *iv = (byte*)"0123456789012345"; - int ivSz = AES_BLOCK_SIZE; - /* Message to be encrypted */ - byte *plaintxt = (byte*)"for things to change you have to change"; - /* Additional non-confidential data */ - byte *aad = (byte*)"Don't spend major time on minor things."; - - unsigned char tag[AES_BLOCK_SIZE] = {0}; - int plaintxtSz = (int)XSTRLEN((char*)plaintxt); - int aadSz = (int)XSTRLEN((char*)aad); - byte ciphertxt[AES_BLOCK_SIZE * 4] = {0}; - byte decryptedtxt[AES_BLOCK_SIZE * 4] = {0}; - int ciphertxtSz = 0; - int decryptedtxtSz = 0; - int len = 0; - int i = 0; - EVP_CIPHER_CTX en[2]; - EVP_CIPHER_CTX de[2]; - - for (i = 0; i < 2; i++) { - EVP_CIPHER_CTX_init(&en[i]); - if (i == 0) { - /* Default uses 96-bits IV length */ -#ifdef WOLFSSL_AES_128 - ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aes_128_gcm(), NULL, - key, iv)); -#elif defined(WOLFSSL_AES_192) - ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aes_192_gcm(), NULL, - key, iv)); -#elif defined(WOLFSSL_AES_256) - ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aes_256_gcm(), NULL, - key, iv)); -#endif - } - else { -#ifdef WOLFSSL_AES_128 - ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aes_128_gcm(), NULL, - NULL, NULL)); -#elif defined(WOLFSSL_AES_192) - ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aes_192_gcm(), NULL, - NULL, NULL)); -#elif defined(WOLFSSL_AES_256) - ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aes_256_gcm(), NULL, - NULL, NULL)); -#endif - /* non-default must to set the IV length first */ - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&en[i], EVP_CTRL_GCM_SET_IVLEN, - ivSz, NULL)); - ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], NULL, NULL, key, iv)); - } - ExpectIntEQ(1, EVP_EncryptUpdate(&en[i], NULL, &len, aad, aadSz)); - ExpectIntEQ(1, EVP_EncryptUpdate(&en[i], ciphertxt, &len, plaintxt, - plaintxtSz)); - ciphertxtSz = len; - ExpectIntEQ(1, EVP_EncryptFinal_ex(&en[i], ciphertxt, &len)); - ciphertxtSz += len; - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&en[i], EVP_CTRL_GCM_GET_TAG, - AES_BLOCK_SIZE, tag)); - wolfSSL_EVP_CIPHER_CTX_cleanup(&en[i]); - - EVP_CIPHER_CTX_init(&de[i]); - if (i == 0) { - /* Default uses 96-bits IV length */ -#ifdef WOLFSSL_AES_128 - ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_128_gcm(), NULL, - key, iv)); -#elif defined(WOLFSSL_AES_192) - ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_192_gcm(), NULL, - key, iv)); -#elif defined(WOLFSSL_AES_256) - ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_256_gcm(), NULL, - key, iv)); -#endif - } - else { -#ifdef WOLFSSL_AES_128 - ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_128_gcm(), NULL, - NULL, NULL)); -#elif defined(WOLFSSL_AES_192) - ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_192_gcm(), NULL, - NULL, NULL)); -#elif defined(WOLFSSL_AES_256) - ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_256_gcm(), NULL, - NULL, NULL)); -#endif - /* non-default must to set the IV length first */ - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_GCM_SET_IVLEN, - ivSz, NULL)); - ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], NULL, NULL, key, iv)); - - } - ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], NULL, &len, aad, aadSz)); - ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], decryptedtxt, &len, ciphertxt, - ciphertxtSz)); - decryptedtxtSz = len; - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_GCM_SET_TAG, - AES_BLOCK_SIZE, tag)); - ExpectIntEQ(1, EVP_DecryptFinal_ex(&de[i], decryptedtxt, &len)); - decryptedtxtSz += len; - ExpectIntEQ(ciphertxtSz, decryptedtxtSz); - ExpectIntEQ(0, XMEMCMP(plaintxt, decryptedtxt, decryptedtxtSz)); - - /* modify tag*/ - if (i == 0) { - /* Default uses 96-bits IV length */ -#ifdef WOLFSSL_AES_128 - ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_128_gcm(), NULL, - key, iv)); -#elif defined(WOLFSSL_AES_192) - ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_192_gcm(), NULL, - key, iv)); -#elif defined(WOLFSSL_AES_256) - ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_256_gcm(), NULL, - key, iv)); -#endif - } - else { -#ifdef WOLFSSL_AES_128 - ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_128_gcm(), NULL, - NULL, NULL)); -#elif defined(WOLFSSL_AES_192) - ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_192_gcm(), NULL, - NULL, NULL)); -#elif defined(WOLFSSL_AES_256) - ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_256_gcm(), NULL, - NULL, NULL)); -#endif - /* non-default must to set the IV length first */ - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_GCM_SET_IVLEN, - ivSz, NULL)); - ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], NULL, NULL, key, iv)); - - } - tag[AES_BLOCK_SIZE-1]+=0xBB; - ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], NULL, &len, aad, aadSz)); - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_GCM_SET_TAG, - AES_BLOCK_SIZE, tag)); - /* fail due to wrong tag */ - ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], decryptedtxt, &len, ciphertxt, - ciphertxtSz)); - ExpectIntEQ(0, EVP_DecryptFinal_ex(&de[i], decryptedtxt, &len)); - ExpectIntEQ(0, len); - - wolfSSL_EVP_CIPHER_CTX_cleanup(&de[i]); - } -#endif /* OPENSSL_EXTRA && !NO_AES && HAVE_AESGCM */ - return EXPECT_RESULT(); -} - -static int test_wolfssl_EVP_aria_gcm(void) -{ - int res = TEST_SKIPPED; -#if defined(OPENSSL_EXTRA) && defined(HAVE_ARIA) && \ - !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS) - - /* A 256 bit key, AES_128 will use the first 128 bit*/ - byte *key = (byte*)"01234567890123456789012345678901"; - /* A 128 bit IV */ - byte *iv = (byte*)"0123456789012345"; - int ivSz = ARIA_BLOCK_SIZE; - /* Message to be encrypted */ - const int plaintxtSz = 40; - byte plaintxt[WC_ARIA_GCM_GET_CIPHERTEXT_SIZE(plaintxtSz)]; - XMEMCPY(plaintxt,"for things to change you have to change",plaintxtSz); - /* Additional non-confidential data */ - byte *aad = (byte*)"Don't spend major time on minor things."; - - unsigned char tag[ARIA_BLOCK_SIZE] = {0}; - int aadSz = (int)XSTRLEN((char*)aad); - byte ciphertxt[WC_ARIA_GCM_GET_CIPHERTEXT_SIZE(plaintxtSz)]; - byte decryptedtxt[plaintxtSz]; - int ciphertxtSz = 0; - int decryptedtxtSz = 0; - int len = 0; - int i = 0; - #define TEST_ARIA_GCM_COUNT 6 - EVP_CIPHER_CTX en[TEST_ARIA_GCM_COUNT]; - EVP_CIPHER_CTX de[TEST_ARIA_GCM_COUNT]; - - for (i = 0; i < TEST_ARIA_GCM_COUNT; i++) { - - EVP_CIPHER_CTX_init(&en[i]); - switch (i) { - case 0: - /* Default uses 96-bits IV length */ - AssertIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aria_128_gcm(), NULL, key, iv)); - break; - case 1: - /* Default uses 96-bits IV length */ - AssertIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aria_192_gcm(), NULL, key, iv)); - break; - case 2: - /* Default uses 96-bits IV length */ - AssertIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aria_256_gcm(), NULL, key, iv)); - break; - case 3: - AssertIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aria_128_gcm(), NULL, NULL, NULL)); - /* non-default must to set the IV length first */ - AssertIntEQ(1, EVP_CIPHER_CTX_ctrl(&en[i], EVP_CTRL_GCM_SET_IVLEN, ivSz, NULL)); - AssertIntEQ(1, EVP_EncryptInit_ex(&en[i], NULL, NULL, key, iv)); - break; - case 4: - AssertIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aria_192_gcm(), NULL, NULL, NULL)); - /* non-default must to set the IV length first */ - AssertIntEQ(1, EVP_CIPHER_CTX_ctrl(&en[i], EVP_CTRL_GCM_SET_IVLEN, ivSz, NULL)); - AssertIntEQ(1, EVP_EncryptInit_ex(&en[i], NULL, NULL, key, iv)); - break; - case 5: - AssertIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aria_256_gcm(), NULL, NULL, NULL)); - /* non-default must to set the IV length first */ - AssertIntEQ(1, EVP_CIPHER_CTX_ctrl(&en[i], EVP_CTRL_GCM_SET_IVLEN, ivSz, NULL)); - AssertIntEQ(1, EVP_EncryptInit_ex(&en[i], NULL, NULL, key, iv)); - break; - } - XMEMSET(ciphertxt,0,sizeof(ciphertxt)); - AssertIntEQ(1, EVP_EncryptUpdate(&en[i], NULL, &len, aad, aadSz)); - AssertIntEQ(1, EVP_EncryptUpdate(&en[i], ciphertxt, &len, plaintxt, plaintxtSz)); - ciphertxtSz = len; - AssertIntEQ(1, EVP_EncryptFinal_ex(&en[i], ciphertxt, &len)); - AssertIntNE(0, XMEMCMP(plaintxt, ciphertxt, plaintxtSz)); - ciphertxtSz += len; - AssertIntEQ(1, EVP_CIPHER_CTX_ctrl(&en[i], EVP_CTRL_GCM_GET_TAG, ARIA_BLOCK_SIZE, tag)); - AssertIntEQ(wolfSSL_EVP_CIPHER_CTX_cleanup(&en[i]), 1); - - EVP_CIPHER_CTX_init(&de[i]); - switch (i) { - case 0: - /* Default uses 96-bits IV length */ - AssertIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aria_128_gcm(), NULL, key, iv)); - break; - case 1: - /* Default uses 96-bits IV length */ - AssertIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aria_192_gcm(), NULL, key, iv)); - break; - case 2: - /* Default uses 96-bits IV length */ - AssertIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aria_256_gcm(), NULL, key, iv)); - break; - case 3: - AssertIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aria_128_gcm(), NULL, NULL, NULL)); - /* non-default must to set the IV length first */ - AssertIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_GCM_SET_IVLEN, ivSz, NULL)); - AssertIntEQ(1, EVP_DecryptInit_ex(&de[i], NULL, NULL, key, iv)); - break; - case 4: - AssertIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aria_192_gcm(), NULL, NULL, NULL)); - /* non-default must to set the IV length first */ - AssertIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_GCM_SET_IVLEN, ivSz, NULL)); - AssertIntEQ(1, EVP_DecryptInit_ex(&de[i], NULL, NULL, key, iv)); - break; - case 5: - AssertIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aria_256_gcm(), NULL, NULL, NULL)); - /* non-default must to set the IV length first */ - AssertIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_GCM_SET_IVLEN, ivSz, NULL)); - AssertIntEQ(1, EVP_DecryptInit_ex(&de[i], NULL, NULL, key, iv)); - break; - } - XMEMSET(decryptedtxt,0,sizeof(decryptedtxt)); - AssertIntEQ(1, EVP_DecryptUpdate(&de[i], NULL, &len, aad, aadSz)); - AssertIntEQ(1, EVP_DecryptUpdate(&de[i], decryptedtxt, &len, ciphertxt, ciphertxtSz)); - decryptedtxtSz = len; - AssertIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_GCM_SET_TAG, ARIA_BLOCK_SIZE, tag)); - AssertIntEQ(1, EVP_DecryptFinal_ex(&de[i], decryptedtxt, &len)); - decryptedtxtSz += len; - AssertIntEQ(plaintxtSz, decryptedtxtSz); - AssertIntEQ(0, XMEMCMP(plaintxt, decryptedtxt, decryptedtxtSz)); - - XMEMSET(decryptedtxt,0,sizeof(decryptedtxt)); - /* modify tag*/ - tag[AES_BLOCK_SIZE-1]+=0xBB; - AssertIntEQ(1, EVP_DecryptUpdate(&de[i], NULL, &len, aad, aadSz)); - AssertIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_GCM_SET_TAG, ARIA_BLOCK_SIZE, tag)); - /* fail due to wrong tag */ - AssertIntEQ(1, EVP_DecryptUpdate(&de[i], decryptedtxt, &len, ciphertxt, ciphertxtSz)); - AssertIntEQ(0, EVP_DecryptFinal_ex(&de[i], decryptedtxt, &len)); - AssertIntEQ(0, len); - AssertIntEQ(wolfSSL_EVP_CIPHER_CTX_cleanup(&de[i]), 1); - } - - res = TEST_RES_CHECK(1); -#endif /* OPENSSL_EXTRA && !NO_AES && HAVE_AESGCM */ - return res; -} - -static int test_wolfssl_EVP_aes_ccm_zeroLen(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_AES) && defined(HAVE_AESCCM) && \ - !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS) && defined(WOLFSSL_AES_256) - /* Zero length plain text */ - byte key[] = { - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 - }; /* align */ - byte iv[] = { - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 - }; /* align */ - byte plaintxt[1]; - int ivSz = 12; - int plaintxtSz = 0; - unsigned char tag[16]; - - byte ciphertxt[AES_BLOCK_SIZE * 4] = {0}; - byte decryptedtxt[AES_BLOCK_SIZE * 4] = {0}; - int ciphertxtSz = 0; - int decryptedtxtSz = 0; - int len = 0; - - EVP_CIPHER_CTX *en = EVP_CIPHER_CTX_new(); - EVP_CIPHER_CTX *de = EVP_CIPHER_CTX_new(); - - ExpectIntEQ(1, EVP_EncryptInit_ex(en, EVP_aes_256_ccm(), NULL, key, iv)); - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(en, EVP_CTRL_CCM_SET_IVLEN, ivSz, NULL)); - ExpectIntEQ(1, EVP_EncryptUpdate(en, ciphertxt, &ciphertxtSz , plaintxt, - plaintxtSz)); - ExpectIntEQ(1, EVP_EncryptFinal_ex(en, ciphertxt, &len)); - ciphertxtSz += len; - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(en, EVP_CTRL_CCM_GET_TAG, 16, tag)); - ExpectIntEQ(1, EVP_CIPHER_CTX_cleanup(en)); - - ExpectIntEQ(0, ciphertxtSz); - - EVP_CIPHER_CTX_init(de); - ExpectIntEQ(1, EVP_DecryptInit_ex(de, EVP_aes_256_ccm(), NULL, key, iv)); - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(de, EVP_CTRL_CCM_SET_IVLEN, ivSz, NULL)); - ExpectIntEQ(1, EVP_DecryptUpdate(de, NULL, &len, ciphertxt, len)); - decryptedtxtSz = len; - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(de, EVP_CTRL_CCM_SET_TAG, 16, tag)); - ExpectIntEQ(1, EVP_DecryptFinal_ex(de, decryptedtxt, &len)); - decryptedtxtSz += len; - ExpectIntEQ(0, decryptedtxtSz); - - EVP_CIPHER_CTX_free(en); - EVP_CIPHER_CTX_free(de); -#endif - return EXPECT_RESULT(); -} - -static int test_wolfssl_EVP_aes_ccm(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_AES) && defined(HAVE_AESCCM) && \ - !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS) - /* A 256 bit key, AES_128 will use the first 128 bit*/ - byte *key = (byte*)"01234567890123456789012345678901"; - /* A 128 bit IV */ - byte *iv = (byte*)"0123456789012"; - int ivSz = (int)XSTRLEN((char*)iv); - /* Message to be encrypted */ - byte *plaintxt = (byte*)"for things to change you have to change"; - /* Additional non-confidential data */ - byte *aad = (byte*)"Don't spend major time on minor things."; - - unsigned char tag[AES_BLOCK_SIZE] = {0}; - int plaintxtSz = (int)XSTRLEN((char*)plaintxt); - int aadSz = (int)XSTRLEN((char*)aad); - byte ciphertxt[AES_BLOCK_SIZE * 4] = {0}; - byte decryptedtxt[AES_BLOCK_SIZE * 4] = {0}; - int ciphertxtSz = 0; - int decryptedtxtSz = 0; - int len = 0; - int i = 0; - int ret; - EVP_CIPHER_CTX en[2]; - EVP_CIPHER_CTX de[2]; - - for (i = 0; i < 2; i++) { - EVP_CIPHER_CTX_init(&en[i]); - - if (i == 0) { - /* Default uses 96-bits IV length */ -#ifdef WOLFSSL_AES_128 - ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aes_128_ccm(), NULL, - key, iv)); -#elif defined(WOLFSSL_AES_192) - ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aes_192_ccm(), NULL, - key, iv)); -#elif defined(WOLFSSL_AES_256) - ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aes_256_ccm(), NULL, - key, iv)); -#endif - } - else { -#ifdef WOLFSSL_AES_128 - ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aes_128_ccm(), NULL, - NULL, NULL)); -#elif defined(WOLFSSL_AES_192) - ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aes_192_ccm(), NULL, - NULL, NULL)); -#elif defined(WOLFSSL_AES_256) - ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aes_256_ccm(), NULL, - NULL, NULL)); -#endif - /* non-default must to set the IV length first */ - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&en[i], EVP_CTRL_CCM_SET_IVLEN, - ivSz, NULL)); - ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], NULL, NULL, key, iv)); - } - ExpectIntEQ(1, EVP_EncryptUpdate(&en[i], NULL, &len, aad, aadSz)); - ExpectIntEQ(1, EVP_EncryptUpdate(&en[i], ciphertxt, &len, plaintxt, - plaintxtSz)); - ciphertxtSz = len; - ExpectIntEQ(1, EVP_EncryptFinal_ex(&en[i], ciphertxt, &len)); - ciphertxtSz += len; - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&en[i], EVP_CTRL_CCM_GET_TAG, - AES_BLOCK_SIZE, tag)); - ret = wolfSSL_EVP_CIPHER_CTX_cleanup(&en[i]); - ExpectIntEQ(ret, 1); - - EVP_CIPHER_CTX_init(&de[i]); - if (i == 0) { - /* Default uses 96-bits IV length */ -#ifdef WOLFSSL_AES_128 - ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_128_ccm(), NULL, - key, iv)); -#elif defined(WOLFSSL_AES_192) - ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_192_ccm(), NULL, - key, iv)); -#elif defined(WOLFSSL_AES_256) - ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_256_ccm(), NULL, - key, iv)); -#endif - } - else { -#ifdef WOLFSSL_AES_128 - ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_128_ccm(), NULL, - NULL, NULL)); -#elif defined(WOLFSSL_AES_192) - ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_192_ccm(), NULL, - NULL, NULL)); -#elif defined(WOLFSSL_AES_256) - ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_256_ccm(), NULL, - NULL, NULL)); -#endif - /* non-default must to set the IV length first */ - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_CCM_SET_IVLEN, - ivSz, NULL)); - ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], NULL, NULL, key, iv)); - - } - ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], NULL, &len, aad, aadSz)); - ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], decryptedtxt, &len, ciphertxt, - ciphertxtSz)); - decryptedtxtSz = len; - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_CCM_SET_TAG, - AES_BLOCK_SIZE, tag)); - ExpectIntEQ(1, EVP_DecryptFinal_ex(&de[i], decryptedtxt, &len)); - decryptedtxtSz += len; - ExpectIntEQ(ciphertxtSz, decryptedtxtSz); - ExpectIntEQ(0, XMEMCMP(plaintxt, decryptedtxt, decryptedtxtSz)); - - /* modify tag*/ - tag[AES_BLOCK_SIZE-1]+=0xBB; - ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], NULL, &len, aad, aadSz)); - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_CCM_SET_TAG, - AES_BLOCK_SIZE, tag)); - /* fail due to wrong tag */ - ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], decryptedtxt, &len, ciphertxt, - ciphertxtSz)); - ExpectIntEQ(0, EVP_DecryptFinal_ex(&de[i], decryptedtxt, &len)); - ExpectIntEQ(0, len); - ret = wolfSSL_EVP_CIPHER_CTX_cleanup(&de[i]); - ExpectIntEQ(ret, 1); - } -#endif /* OPENSSL_EXTRA && !NO_AES && HAVE_AESCCM */ - return EXPECT_RESULT(); -} - -static int test_wolfssl_EVP_chacha20_poly1305(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && defined(HAVE_CHACHA) && defined(HAVE_POLY1305) - byte key[CHACHA20_POLY1305_AEAD_KEYSIZE]; - byte iv [CHACHA20_POLY1305_AEAD_IV_SIZE]; - byte plainText[] = {0xDE, 0xAD, 0xBE, 0xEF}; - byte aad[] = {0xAA, 0XBB, 0xCC, 0xDD, 0xEE, 0xFF}; - byte cipherText[sizeof(plainText)]; - byte decryptedText[sizeof(plainText)]; - byte tag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE]; - EVP_CIPHER_CTX* ctx = NULL; - int outSz; - - XMEMSET(key, 0, sizeof(key)); - XMEMSET(iv, 0, sizeof(iv)); - - /* Encrypt. */ - ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); - ExpectIntEQ(EVP_EncryptInit_ex(ctx, EVP_chacha20_poly1305(), NULL, NULL, - NULL), WOLFSSL_SUCCESS); - /* Invalid IV length. */ - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, - CHACHA20_POLY1305_AEAD_IV_SIZE-1, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - /* Valid IV length. */ - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, - CHACHA20_POLY1305_AEAD_IV_SIZE, NULL), WOLFSSL_SUCCESS); - /* Invalid tag length. */ - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, - CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE-1, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - /* Valid tag length. */ - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, - CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE, NULL), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_EncryptUpdate(ctx, NULL, &outSz, aad, sizeof(aad)), - WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, sizeof(aad)); - ExpectIntEQ(EVP_EncryptUpdate(ctx, cipherText, &outSz, plainText, - sizeof(plainText)), WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, sizeof(plainText)); - ExpectIntEQ(EVP_EncryptFinal_ex(ctx, cipherText, &outSz), WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, 0); - /* Invalid tag length. */ - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, - CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE-1, tag), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - /* Valid tag length. */ - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, - CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE, tag), WOLFSSL_SUCCESS); - EVP_CIPHER_CTX_free(ctx); - ctx = NULL; - - /* Decrypt. */ - ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); - ExpectIntEQ(EVP_DecryptInit_ex(ctx, EVP_chacha20_poly1305(), NULL, NULL, - NULL), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, - CHACHA20_POLY1305_AEAD_IV_SIZE, NULL), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, - CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE, tag), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_DecryptInit_ex(ctx, NULL, NULL, key, iv), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_DecryptUpdate(ctx, NULL, &outSz, aad, sizeof(aad)), - WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, sizeof(aad)); - ExpectIntEQ(EVP_DecryptUpdate(ctx, decryptedText, &outSz, cipherText, - sizeof(cipherText)), WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, sizeof(cipherText)); - ExpectIntEQ(EVP_DecryptFinal_ex(ctx, decryptedText, &outSz), - WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, 0); - EVP_CIPHER_CTX_free(ctx); - ctx = NULL; - - /* Test partial Inits. CipherInit() allow setting of key and iv - * in separate calls. */ - ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); - ExpectIntEQ(wolfSSL_EVP_CipherInit(ctx, EVP_chacha20_poly1305(), - key, NULL, 1), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_EVP_CipherInit(ctx, NULL, NULL, iv, 1), - WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_EVP_CipherUpdate(ctx, NULL, &outSz, - aad, sizeof(aad)), WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, sizeof(aad)); - ExpectIntEQ(EVP_DecryptUpdate(ctx, decryptedText, &outSz, cipherText, - sizeof(cipherText)), WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, sizeof(cipherText)); - ExpectIntEQ(EVP_DecryptFinal_ex(ctx, decryptedText, &outSz), - WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, 0); - EVP_CIPHER_CTX_free(ctx); -#endif - return EXPECT_RESULT(); -} - -static int test_wolfssl_EVP_chacha20(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && defined(HAVE_CHACHA) - byte key[CHACHA_MAX_KEY_SZ]; - byte iv [WOLFSSL_EVP_CHACHA_IV_BYTES]; - byte plainText[] = {0xDE, 0xAD, 0xBE, 0xEF}; - byte cipherText[sizeof(plainText)]; - byte decryptedText[sizeof(plainText)]; - EVP_CIPHER_CTX* ctx = NULL; - int outSz; - - XMEMSET(key, 0, sizeof(key)); - XMEMSET(iv, 0, sizeof(iv)); - /* Encrypt. */ - ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); - ExpectIntEQ(EVP_EncryptInit_ex(ctx, EVP_chacha20(), NULL, NULL, - NULL), WOLFSSL_SUCCESS); - /* Any tag length must fail - not an AEAD cipher. */ - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, - 16, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_EncryptUpdate(ctx, cipherText, &outSz, plainText, - sizeof(plainText)), WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, sizeof(plainText)); - ExpectIntEQ(EVP_EncryptFinal_ex(ctx, cipherText, &outSz), WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, 0); - EVP_CIPHER_CTX_free(ctx); - ctx = NULL; - - /* Decrypt. */ - ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); - ExpectIntEQ(EVP_DecryptInit_ex(ctx, EVP_chacha20(), NULL, NULL, - NULL), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_DecryptInit_ex(ctx, NULL, NULL, key, iv), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_DecryptUpdate(ctx, decryptedText, &outSz, cipherText, - sizeof(cipherText)), WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, sizeof(cipherText)); - ExpectIntEQ(EVP_DecryptFinal_ex(ctx, decryptedText, &outSz), - WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, 0); - EVP_CIPHER_CTX_free(ctx); - ctx = NULL; - - /* Test partial Inits. CipherInit() allow setting of key and iv - * in separate calls. */ - ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); - ExpectIntEQ(wolfSSL_EVP_CipherInit(ctx, EVP_chacha20(), - key, NULL, 1), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_EVP_CipherInit(ctx, NULL, NULL, iv, 1), - WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_DecryptUpdate(ctx, decryptedText, &outSz, cipherText, - sizeof(cipherText)), WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, sizeof(cipherText)); - ExpectIntEQ(EVP_DecryptFinal_ex(ctx, decryptedText, &outSz), - WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, 0); - EVP_CIPHER_CTX_free(ctx); -#endif - return EXPECT_RESULT(); -} - -static int test_wolfssl_EVP_sm4_ecb(void) -{ - int res = TEST_SKIPPED; -#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_SM4_ECB) - EXPECT_DECLS; - byte key[SM4_KEY_SIZE]; - byte plainText[SM4_BLOCK_SIZE] = { - 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF, - 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF - }; - byte cipherText[sizeof(plainText) + SM4_BLOCK_SIZE]; - byte decryptedText[sizeof(plainText) + SM4_BLOCK_SIZE]; - EVP_CIPHER_CTX* ctx; - int outSz; - - XMEMSET(key, 0, sizeof(key)); - - /* Encrypt. */ - ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); - ExpectIntEQ(EVP_EncryptInit_ex(ctx, EVP_sm4_ecb(), NULL, NULL, NULL), - WOLFSSL_SUCCESS); - /* Any tag length must fail - not an AEAD cipher. */ - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, 16, NULL), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(EVP_EncryptInit_ex(ctx, NULL, NULL, key, NULL), - WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_EncryptUpdate(ctx, cipherText, &outSz, plainText, - sizeof(plainText)), WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, sizeof(plainText)); - ExpectIntEQ(EVP_EncryptFinal_ex(ctx, cipherText + outSz, &outSz), - WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, SM4_BLOCK_SIZE); - ExpectBufNE(cipherText, plainText, sizeof(plainText)); - EVP_CIPHER_CTX_free(ctx); - - /* Decrypt. */ - ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); - ExpectIntEQ(EVP_DecryptInit_ex(ctx, EVP_sm4_ecb(), NULL, NULL, NULL), - WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_DecryptInit_ex(ctx, NULL, NULL, key, NULL), - WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_DecryptUpdate(ctx, decryptedText, &outSz, cipherText, - sizeof(cipherText)), WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, sizeof(plainText)); - ExpectIntEQ(EVP_DecryptFinal_ex(ctx, decryptedText + outSz, &outSz), - WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, 0); - ExpectBufEQ(decryptedText, plainText, sizeof(plainText)); - EVP_CIPHER_CTX_free(ctx); - - res = EXPECT_RESULT(); -#endif - return res; -} - -static int test_wolfssl_EVP_sm4_cbc(void) -{ - int res = TEST_SKIPPED; -#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_SM4_CBC) - EXPECT_DECLS; - byte key[SM4_KEY_SIZE]; - byte iv[SM4_BLOCK_SIZE]; - byte plainText[SM4_BLOCK_SIZE] = { - 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF, - 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF - }; - byte cipherText[sizeof(plainText) + SM4_BLOCK_SIZE]; - byte decryptedText[sizeof(plainText) + SM4_BLOCK_SIZE]; - EVP_CIPHER_CTX* ctx; - int outSz; - - XMEMSET(key, 0, sizeof(key)); - XMEMSET(iv, 0, sizeof(iv)); - - /* Encrypt. */ - ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); - ExpectIntEQ(EVP_EncryptInit_ex(ctx, EVP_sm4_cbc(), NULL, NULL, NULL), - WOLFSSL_SUCCESS); - /* Any tag length must fail - not an AEAD cipher. */ - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, 16, NULL), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_EncryptUpdate(ctx, cipherText, &outSz, plainText, - sizeof(plainText)), WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, sizeof(plainText)); - ExpectIntEQ(EVP_EncryptFinal_ex(ctx, cipherText + outSz, &outSz), - WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, SM4_BLOCK_SIZE); - ExpectBufNE(cipherText, plainText, sizeof(plainText)); - EVP_CIPHER_CTX_free(ctx); - - /* Decrypt. */ - ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); - ExpectIntEQ(EVP_DecryptInit_ex(ctx, EVP_sm4_cbc(), NULL, NULL, NULL), - WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_DecryptInit_ex(ctx, NULL, NULL, key, iv), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_DecryptUpdate(ctx, decryptedText, &outSz, cipherText, - sizeof(cipherText)), WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, sizeof(plainText)); - ExpectIntEQ(EVP_DecryptFinal_ex(ctx, decryptedText + outSz, &outSz), - WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, 0); - ExpectBufEQ(decryptedText, plainText, sizeof(plainText)); - EVP_CIPHER_CTX_free(ctx); - - /* Test partial Inits. CipherInit() allow setting of key and iv - * in separate calls. */ - ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); - ExpectIntEQ(wolfSSL_EVP_CipherInit(ctx, EVP_sm4_cbc(), key, NULL, 0), - WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_EVP_CipherInit(ctx, NULL, NULL, iv, 0), - WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_DecryptUpdate(ctx, decryptedText, &outSz, cipherText, - sizeof(cipherText)), WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, sizeof(plainText)); - ExpectIntEQ(EVP_DecryptFinal_ex(ctx, decryptedText + outSz, &outSz), - WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, 0); - ExpectBufEQ(decryptedText, plainText, sizeof(plainText)); - EVP_CIPHER_CTX_free(ctx); - - res = EXPECT_RESULT(); -#endif - return res; -} - -static int test_wolfssl_EVP_sm4_ctr(void) -{ - int res = TEST_SKIPPED; -#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_SM4_CTR) - EXPECT_DECLS; - byte key[SM4_KEY_SIZE]; - byte iv[SM4_BLOCK_SIZE]; - byte plainText[] = {0xDE, 0xAD, 0xBE, 0xEF}; - byte cipherText[sizeof(plainText)]; - byte decryptedText[sizeof(plainText)]; - EVP_CIPHER_CTX* ctx; - int outSz; - - XMEMSET(key, 0, sizeof(key)); - XMEMSET(iv, 0, sizeof(iv)); - - /* Encrypt. */ - ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); - ExpectIntEQ(EVP_EncryptInit_ex(ctx, EVP_sm4_ctr(), NULL, NULL, NULL), - WOLFSSL_SUCCESS); - /* Any tag length must fail - not an AEAD cipher. */ - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, 16, NULL), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_EncryptUpdate(ctx, cipherText, &outSz, plainText, - sizeof(plainText)), WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, sizeof(plainText)); - ExpectIntEQ(EVP_EncryptFinal_ex(ctx, cipherText, &outSz), WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, 0); - ExpectBufNE(cipherText, plainText, sizeof(plainText)); - EVP_CIPHER_CTX_free(ctx); - - /* Decrypt. */ - ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); - ExpectIntEQ(EVP_DecryptInit_ex(ctx, EVP_sm4_ctr(), NULL, NULL, NULL), - WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_DecryptInit_ex(ctx, NULL, NULL, key, iv), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_DecryptUpdate(ctx, decryptedText, &outSz, cipherText, - sizeof(cipherText)), WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, sizeof(cipherText)); - ExpectIntEQ(EVP_DecryptFinal_ex(ctx, decryptedText, &outSz), - WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, 0); - ExpectBufEQ(decryptedText, plainText, sizeof(plainText)); - EVP_CIPHER_CTX_free(ctx); - - /* Test partial Inits. CipherInit() allow setting of key and iv - * in separate calls. */ - ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); - ExpectIntEQ(wolfSSL_EVP_CipherInit(ctx, EVP_sm4_ctr(), key, NULL, 1), - WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_EVP_CipherInit(ctx, NULL, NULL, iv, 1), - WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_DecryptUpdate(ctx, decryptedText, &outSz, cipherText, - sizeof(cipherText)), WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, sizeof(cipherText)); - ExpectIntEQ(EVP_DecryptFinal_ex(ctx, decryptedText, &outSz), - WOLFSSL_SUCCESS); - ExpectIntEQ(outSz, 0); - ExpectBufEQ(decryptedText, plainText, sizeof(plainText)); - EVP_CIPHER_CTX_free(ctx); - - res = EXPECT_RESULT(); -#endif - return res; -} - -static int test_wolfssl_EVP_sm4_gcm_zeroLen(void) -{ - int res = TEST_SKIPPED; -#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_SM4_GCM) - /* Zero length plain text */ - EXPECT_DECLS; - byte key[] = { - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 - }; /* align */ - byte iv[] = { - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 - }; /* align */ - byte plaintxt[1]; - int ivSz = 12; - int plaintxtSz = 0; - unsigned char tag[16]; - unsigned char tag_kat[16] = { - 0x23,0x2f,0x0c,0xfe,0x30,0x8b,0x49,0xea, - 0x6f,0xc8,0x82,0x29,0xb5,0xdc,0x85,0x8d - }; - - byte ciphertxt[SM4_BLOCK_SIZE * 4] = {0}; - byte decryptedtxt[SM4_BLOCK_SIZE * 4] = {0}; - int ciphertxtSz = 0; - int decryptedtxtSz = 0; - int len = 0; - - EVP_CIPHER_CTX *en = EVP_CIPHER_CTX_new(); - EVP_CIPHER_CTX *de = EVP_CIPHER_CTX_new(); - - ExpectIntEQ(1, EVP_EncryptInit_ex(en, EVP_sm4_gcm(), NULL, key, iv)); - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(en, EVP_CTRL_GCM_SET_IVLEN, ivSz, NULL)); - ExpectIntEQ(1, EVP_EncryptUpdate(en, ciphertxt, &ciphertxtSz , plaintxt, - plaintxtSz)); - ExpectIntEQ(1, EVP_EncryptFinal_ex(en, ciphertxt, &len)); - ciphertxtSz += len; - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(en, EVP_CTRL_GCM_GET_TAG, 16, tag)); - ExpectIntEQ(1, EVP_CIPHER_CTX_cleanup(en)); - - ExpectIntEQ(0, ciphertxtSz); - ExpectIntEQ(0, XMEMCMP(tag, tag_kat, sizeof(tag))); - - EVP_CIPHER_CTX_init(de); - ExpectIntEQ(1, EVP_DecryptInit_ex(de, EVP_sm4_gcm(), NULL, key, iv)); - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(de, EVP_CTRL_GCM_SET_IVLEN, ivSz, NULL)); - ExpectIntEQ(1, EVP_DecryptUpdate(de, NULL, &len, ciphertxt, len)); - decryptedtxtSz = len; - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(de, EVP_CTRL_GCM_SET_TAG, 16, tag)); - ExpectIntEQ(1, EVP_DecryptFinal_ex(de, decryptedtxt, &len)); - decryptedtxtSz += len; - ExpectIntEQ(0, decryptedtxtSz); - - EVP_CIPHER_CTX_free(en); - EVP_CIPHER_CTX_free(de); - - res = EXPECT_RESULT(); -#endif /* OPENSSL_EXTRA && WOLFSSL_SM4_GCM */ - return res; -} - -static int test_wolfssl_EVP_sm4_gcm(void) -{ - int res = TEST_SKIPPED; -#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_SM4_GCM) - EXPECT_DECLS; - byte *key = (byte*)"0123456789012345"; - /* A 128 bit IV */ - byte *iv = (byte*)"0123456789012345"; - int ivSz = SM4_BLOCK_SIZE; - /* Message to be encrypted */ - byte *plaintxt = (byte*)"for things to change you have to change"; - /* Additional non-confidential data */ - byte *aad = (byte*)"Don't spend major time on minor things."; - - unsigned char tag[SM4_BLOCK_SIZE] = {0}; - int plaintxtSz = (int)XSTRLEN((char*)plaintxt); - int aadSz = (int)XSTRLEN((char*)aad); - byte ciphertxt[SM4_BLOCK_SIZE * 4] = {0}; - byte decryptedtxt[SM4_BLOCK_SIZE * 4] = {0}; - int ciphertxtSz = 0; - int decryptedtxtSz = 0; - int len = 0; - int i = 0; - EVP_CIPHER_CTX en[2]; - EVP_CIPHER_CTX de[2]; - - for (i = 0; i < 2; i++) { - EVP_CIPHER_CTX_init(&en[i]); - - if (i == 0) { - /* Default uses 96-bits IV length */ - ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_sm4_gcm(), NULL, key, - iv)); - } - else { - ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_sm4_gcm(), NULL, NULL, - NULL)); - /* non-default must to set the IV length first */ - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&en[i], EVP_CTRL_GCM_SET_IVLEN, - ivSz, NULL)); - ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], NULL, NULL, key, iv)); - } - ExpectIntEQ(1, EVP_EncryptUpdate(&en[i], NULL, &len, aad, aadSz)); - ExpectIntEQ(1, EVP_EncryptUpdate(&en[i], ciphertxt, &len, plaintxt, - plaintxtSz)); - ciphertxtSz = len; - ExpectIntEQ(1, EVP_EncryptFinal_ex(&en[i], ciphertxt, &len)); - ciphertxtSz += len; - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&en[i], EVP_CTRL_GCM_GET_TAG, - SM4_BLOCK_SIZE, tag)); - ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_cleanup(&en[i]), 1); - - EVP_CIPHER_CTX_init(&de[i]); - if (i == 0) { - /* Default uses 96-bits IV length */ - ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_sm4_gcm(), NULL, key, - iv)); - } - else { - ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_sm4_gcm(), NULL, NULL, - NULL)); - /* non-default must to set the IV length first */ - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_GCM_SET_IVLEN, - ivSz, NULL)); - ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], NULL, NULL, key, iv)); - - } - ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], NULL, &len, aad, aadSz)); - ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], decryptedtxt, &len, ciphertxt, - ciphertxtSz)); - decryptedtxtSz = len; - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_GCM_SET_TAG, - SM4_BLOCK_SIZE, tag)); - ExpectIntEQ(1, EVP_DecryptFinal_ex(&de[i], decryptedtxt, &len)); - decryptedtxtSz += len; - ExpectIntEQ(ciphertxtSz, decryptedtxtSz); - ExpectIntEQ(0, XMEMCMP(plaintxt, decryptedtxt, decryptedtxtSz)); - - /* modify tag*/ - tag[SM4_BLOCK_SIZE-1]+=0xBB; - ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], NULL, &len, aad, aadSz)); - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_GCM_SET_TAG, - SM4_BLOCK_SIZE, tag)); - /* fail due to wrong tag */ - ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], decryptedtxt, &len, ciphertxt, - ciphertxtSz)); - ExpectIntEQ(0, EVP_DecryptFinal_ex(&de[i], decryptedtxt, &len)); - ExpectIntEQ(0, len); - ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_cleanup(&de[i]), 1); - } - - res = EXPECT_RESULT(); -#endif /* OPENSSL_EXTRA && WOLFSSL_SM4_GCM */ - return res; -} - -static int test_wolfssl_EVP_sm4_ccm_zeroLen(void) -{ - int res = TEST_SKIPPED; -#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_SM4_CCM) - /* Zero length plain text */ - EXPECT_DECLS; - byte key[] = { - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 - }; /* align */ - byte iv[] = { - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 - }; /* align */ - byte plaintxt[1]; - int ivSz = 12; - int plaintxtSz = 0; - unsigned char tag[16]; - - byte ciphertxt[SM4_BLOCK_SIZE * 4] = {0}; - byte decryptedtxt[SM4_BLOCK_SIZE * 4] = {0}; - int ciphertxtSz = 0; - int decryptedtxtSz = 0; - int len = 0; - - EVP_CIPHER_CTX *en = EVP_CIPHER_CTX_new(); - EVP_CIPHER_CTX *de = EVP_CIPHER_CTX_new(); - - ExpectIntEQ(1, EVP_EncryptInit_ex(en, EVP_sm4_ccm(), NULL, key, iv)); - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(en, EVP_CTRL_CCM_SET_IVLEN, ivSz, NULL)); - ExpectIntEQ(1, EVP_EncryptUpdate(en, ciphertxt, &ciphertxtSz , plaintxt, - plaintxtSz)); - ExpectIntEQ(1, EVP_EncryptFinal_ex(en, ciphertxt, &len)); - ciphertxtSz += len; - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(en, EVP_CTRL_CCM_GET_TAG, 16, tag)); - ExpectIntEQ(1, EVP_CIPHER_CTX_cleanup(en)); - - ExpectIntEQ(0, ciphertxtSz); - - EVP_CIPHER_CTX_init(de); - ExpectIntEQ(1, EVP_DecryptInit_ex(de, EVP_sm4_ccm(), NULL, key, iv)); - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(de, EVP_CTRL_CCM_SET_IVLEN, ivSz, NULL)); - ExpectIntEQ(1, EVP_DecryptUpdate(de, NULL, &len, ciphertxt, len)); - decryptedtxtSz = len; - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(de, EVP_CTRL_CCM_SET_TAG, 16, tag)); - ExpectIntEQ(1, EVP_DecryptFinal_ex(de, decryptedtxt, &len)); - decryptedtxtSz += len; - ExpectIntEQ(0, decryptedtxtSz); - - EVP_CIPHER_CTX_free(en); - EVP_CIPHER_CTX_free(de); - - res = EXPECT_RESULT(); -#endif /* OPENSSL_EXTRA && WOLFSSL_SM4_CCM */ - return res; -} - -static int test_wolfssl_EVP_sm4_ccm(void) -{ - int res = TEST_SKIPPED; -#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_SM4_CCM) - EXPECT_DECLS; - byte *key = (byte*)"0123456789012345"; - byte *iv = (byte*)"0123456789012"; - int ivSz = (int)XSTRLEN((char*)iv); - /* Message to be encrypted */ - byte *plaintxt = (byte*)"for things to change you have to change"; - /* Additional non-confidential data */ - byte *aad = (byte*)"Don't spend major time on minor things."; - - unsigned char tag[SM4_BLOCK_SIZE] = {0}; - int plaintxtSz = (int)XSTRLEN((char*)plaintxt); - int aadSz = (int)XSTRLEN((char*)aad); - byte ciphertxt[SM4_BLOCK_SIZE * 4] = {0}; - byte decryptedtxt[SM4_BLOCK_SIZE * 4] = {0}; - int ciphertxtSz = 0; - int decryptedtxtSz = 0; - int len = 0; - int i = 0; - EVP_CIPHER_CTX en[2]; - EVP_CIPHER_CTX de[2]; - - for (i = 0; i < 2; i++) { - EVP_CIPHER_CTX_init(&en[i]); - - if (i == 0) { - /* Default uses 96-bits IV length */ - ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_sm4_ccm(), NULL, key, - iv)); - } - else { - ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_sm4_ccm(), NULL, NULL, - NULL)); - /* non-default must to set the IV length first */ - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&en[i], EVP_CTRL_CCM_SET_IVLEN, - ivSz, NULL)); - ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], NULL, NULL, key, iv)); - } - ExpectIntEQ(1, EVP_EncryptUpdate(&en[i], NULL, &len, aad, aadSz)); - ExpectIntEQ(1, EVP_EncryptUpdate(&en[i], ciphertxt, &len, plaintxt, - plaintxtSz)); - ciphertxtSz = len; - ExpectIntEQ(1, EVP_EncryptFinal_ex(&en[i], ciphertxt, &len)); - ciphertxtSz += len; - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&en[i], EVP_CTRL_CCM_GET_TAG, - SM4_BLOCK_SIZE, tag)); - ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_cleanup(&en[i]), 1); - - EVP_CIPHER_CTX_init(&de[i]); - if (i == 0) { - /* Default uses 96-bits IV length */ - ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_sm4_ccm(), NULL, key, - iv)); - } - else { - ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_sm4_ccm(), NULL, NULL, - NULL)); - /* non-default must to set the IV length first */ - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_CCM_SET_IVLEN, - ivSz, NULL)); - ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], NULL, NULL, key, iv)); - - } - ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], NULL, &len, aad, aadSz)); - ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], decryptedtxt, &len, ciphertxt, - ciphertxtSz)); - decryptedtxtSz = len; - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_CCM_SET_TAG, - SM4_BLOCK_SIZE, tag)); - ExpectIntEQ(1, EVP_DecryptFinal_ex(&de[i], decryptedtxt, &len)); - decryptedtxtSz += len; - ExpectIntEQ(ciphertxtSz, decryptedtxtSz); - ExpectIntEQ(0, XMEMCMP(plaintxt, decryptedtxt, decryptedtxtSz)); - - /* modify tag*/ - tag[SM4_BLOCK_SIZE-1]+=0xBB; - ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], NULL, &len, aad, aadSz)); - ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_CCM_SET_TAG, - SM4_BLOCK_SIZE, tag)); - /* fail due to wrong tag */ - ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], decryptedtxt, &len, ciphertxt, - ciphertxtSz)); - ExpectIntEQ(0, EVP_DecryptFinal_ex(&de[i], decryptedtxt, &len)); - ExpectIntEQ(0, len); - ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_cleanup(&de[i]), 1); - } - - res = EXPECT_RESULT(); -#endif /* OPENSSL_EXTRA && WOLFSSL_SM4_CCM */ - return res; -} - -static int test_wolfSSL_EVP_PKEY_hkdf(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && defined(HAVE_HKDF) - EVP_PKEY_CTX* ctx = NULL; - byte salt[] = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, - 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F}; - byte key[] = {0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, - 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F}; - byte info[] = {0X01, 0x02, 0x03, 0x04, 0x05}; - byte info2[] = {0X06, 0x07, 0x08, 0x09, 0x0A}; - byte outKey[34]; - size_t outKeySz = sizeof(outKey); - /* These expected outputs were gathered by running the same test below using - * OpenSSL. */ - const byte extractAndExpand[] = { - 0x8B, 0xEB, 0x90, 0xA9, 0x04, 0xFF, 0x05, 0x10, 0xE4, 0xB5, 0xB1, 0x10, - 0x31, 0x34, 0xFF, 0x07, 0x5B, 0xE3, 0xC6, 0x93, 0xD4, 0xF8, 0xC7, 0xEE, - 0x96, 0xDA, 0x78, 0x7A, 0xE2, 0x9A, 0x2D, 0x05, 0x4B, 0xF6 - }; - const byte extractOnly[] = { - 0xE7, 0x6B, 0x9E, 0x0F, 0xE4, 0x02, 0x1D, 0x62, 0xEA, 0x97, 0x74, 0x5E, - 0xF4, 0x3C, 0x65, 0x4D, 0xC1, 0x46, 0x98, 0xAA, 0x79, 0x9A, 0xCB, 0x9C, - 0xCC, 0x3E, 0x7F, 0x2A, 0x2B, 0x41, 0xA1, 0x9E - }; - const byte expandOnly[] = { - 0xFF, 0x29, 0x29, 0x56, 0x9E, 0xA7, 0x66, 0x02, 0xDB, 0x4F, 0xDB, 0x53, - 0x7D, 0x21, 0x67, 0x52, 0xC3, 0x0E, 0xF3, 0xFC, 0x71, 0xCE, 0x67, 0x2B, - 0xEA, 0x3B, 0xE9, 0xFC, 0xDD, 0xC8, 0xCC, 0xB7, 0x42, 0x74 - }; - const byte extractAndExpandAddInfo[] = { - 0x5A, 0x74, 0x79, 0x83, 0xA3, 0xA4, 0x2E, 0xB7, 0xD4, 0x08, 0xC2, 0x6A, - 0x2F, 0xA5, 0xE3, 0x4E, 0xF1, 0xF4, 0x87, 0x3E, 0xA6, 0xC7, 0x88, 0x45, - 0xD7, 0xE2, 0x15, 0xBC, 0xB8, 0x10, 0xEF, 0x6C, 0x4D, 0x7A - }; - - ExpectNotNull((ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL))); - ExpectIntEQ(EVP_PKEY_derive_init(ctx), WOLFSSL_SUCCESS); - /* NULL ctx. */ - ExpectIntEQ(EVP_PKEY_CTX_set_hkdf_md(NULL, EVP_sha256()), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - /* NULL md. */ - ExpectIntEQ(EVP_PKEY_CTX_set_hkdf_md(ctx, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(EVP_PKEY_CTX_set_hkdf_md(ctx, EVP_sha256()), WOLFSSL_SUCCESS); - /* NULL ctx. */ - ExpectIntEQ(EVP_PKEY_CTX_set1_hkdf_salt(NULL, salt, sizeof(salt)), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - /* NULL salt is ok. */ - ExpectIntEQ(EVP_PKEY_CTX_set1_hkdf_salt(ctx, NULL, sizeof(salt)), - WOLFSSL_SUCCESS); - /* Salt length <= 0. */ - /* Length 0 salt is ok. */ - ExpectIntEQ(EVP_PKEY_CTX_set1_hkdf_salt(ctx, salt, 0), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_CTX_set1_hkdf_salt(ctx, salt, -1), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(EVP_PKEY_CTX_set1_hkdf_salt(ctx, salt, sizeof(salt)), - WOLFSSL_SUCCESS); - /* NULL ctx. */ - ExpectIntEQ(EVP_PKEY_CTX_set1_hkdf_key(NULL, key, sizeof(key)), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - /* NULL key. */ - ExpectIntEQ(EVP_PKEY_CTX_set1_hkdf_key(ctx, NULL, sizeof(key)), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - /* Key length <= 0 */ - ExpectIntEQ(EVP_PKEY_CTX_set1_hkdf_key(ctx, key, 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(EVP_PKEY_CTX_set1_hkdf_key(ctx, key, -1), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(EVP_PKEY_CTX_set1_hkdf_key(ctx, key, sizeof(key)), - WOLFSSL_SUCCESS); - /* NULL ctx. */ - ExpectIntEQ(EVP_PKEY_CTX_add1_hkdf_info(NULL, info, sizeof(info)), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - /* NULL info is ok. */ - ExpectIntEQ(EVP_PKEY_CTX_add1_hkdf_info(ctx, NULL, sizeof(info)), - WOLFSSL_SUCCESS); - /* Info length <= 0 */ - /* Length 0 info is ok. */ - ExpectIntEQ(EVP_PKEY_CTX_add1_hkdf_info(ctx, info, 0), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_CTX_add1_hkdf_info(ctx, info, -1), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(EVP_PKEY_CTX_add1_hkdf_info(ctx, info, sizeof(info)), - WOLFSSL_SUCCESS); - /* NULL ctx. */ - ExpectIntEQ(EVP_PKEY_CTX_hkdf_mode(NULL, EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - /* Extract and expand (default). */ - ExpectIntEQ(EVP_PKEY_derive(ctx, outKey, &outKeySz), WOLFSSL_SUCCESS); - ExpectIntEQ(outKeySz, sizeof(extractAndExpand)); - ExpectIntEQ(XMEMCMP(outKey, extractAndExpand, outKeySz), 0); - /* Extract only. */ - ExpectIntEQ(EVP_PKEY_CTX_hkdf_mode(ctx, EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY), - WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_derive(ctx, outKey, &outKeySz), WOLFSSL_SUCCESS); - ExpectIntEQ(outKeySz, sizeof(extractOnly)); - ExpectIntEQ(XMEMCMP(outKey, extractOnly, outKeySz), 0); - outKeySz = sizeof(outKey); - /* Expand only. */ - ExpectIntEQ(EVP_PKEY_CTX_hkdf_mode(ctx, EVP_PKEY_HKDEF_MODE_EXPAND_ONLY), - WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_derive(ctx, outKey, &outKeySz), WOLFSSL_SUCCESS); - ExpectIntEQ(outKeySz, sizeof(expandOnly)); - ExpectIntEQ(XMEMCMP(outKey, expandOnly, outKeySz), 0); - outKeySz = sizeof(outKey); - /* Extract and expand with appended additional info. */ - ExpectIntEQ(EVP_PKEY_CTX_add1_hkdf_info(ctx, info2, sizeof(info2)), - WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_CTX_hkdf_mode(ctx, - EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_derive(ctx, outKey, &outKeySz), WOLFSSL_SUCCESS); - ExpectIntEQ(outKeySz, sizeof(extractAndExpandAddInfo)); - ExpectIntEQ(XMEMCMP(outKey, extractAndExpandAddInfo, outKeySz), 0); - - EVP_PKEY_CTX_free(ctx); -#endif /* OPENSSL_EXTRA && HAVE_HKDF */ - return EXPECT_RESULT(); -} - static int test_wolfSSL_dup_CA_list(void) { int res = TEST_SKIPPED; @@ -32755,253 +22700,6 @@ static int test_wolfSSL_dtls_stateless(void) #endif /* WOLFSSL_DTLS13 && WOLFSSL_SEND_HRR_COOKIE && * HAVE_IO_TESTS_DEPENDENCIES && !SINGLE_THREADED */ -#ifdef HAVE_CERT_CHAIN_VALIDATION -#ifndef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION -#ifdef WOLFSSL_PEM_TO_DER -#ifndef NO_SHA256 -static int load_ca_into_cm(WOLFSSL_CERT_MANAGER* cm, char* certA) -{ - int ret; - - if ((ret = wolfSSL_CertManagerLoadCA(cm, certA, 0)) != WOLFSSL_SUCCESS) { - fprintf(stderr, "loading cert %s failed\n", certA); - fprintf(stderr, "Error: (%d): %s\n", ret, - wolfSSL_ERR_reason_error_string((word32)ret)); - return -1; - } - - return 0; -} - -static int verify_cert_with_cm(WOLFSSL_CERT_MANAGER* cm, char* certA) -{ - int ret; - if ((ret = wolfSSL_CertManagerVerify(cm, certA, CERT_FILETYPE)) - != WOLFSSL_SUCCESS) { - fprintf(stderr, "could not verify the cert: %s\n", certA); - fprintf(stderr, "Error: (%d): %s\n", ret, - wolfSSL_ERR_reason_error_string((word32)ret)); - return -1; - } - else { - fprintf(stderr, "successfully verified: %s\n", certA); - } - - return 0; -} -#define LOAD_ONE_CA(a, b, c, d) \ - do { \ - (a) = load_ca_into_cm(c, d); \ - if ((a) != 0) \ - return (b); \ - else \ - (b)--; \ - } while(0) - -#define VERIFY_ONE_CERT(a, b, c, d) \ - do { \ - (a) = verify_cert_with_cm(c, d);\ - if ((a) != 0) \ - return (b); \ - else \ - (b)--; \ - } while(0) - -static int test_chainG(WOLFSSL_CERT_MANAGER* cm) -{ - int ret; - int i = -1; - /* Chain G is a valid chain per RFC 5280 section 4.2.1.9 */ - char chainGArr[9][50] = {"certs/ca-cert.pem", - "certs/test-pathlen/chainG-ICA7-pathlen100.pem", - "certs/test-pathlen/chainG-ICA6-pathlen10.pem", - "certs/test-pathlen/chainG-ICA5-pathlen20.pem", - "certs/test-pathlen/chainG-ICA4-pathlen5.pem", - "certs/test-pathlen/chainG-ICA3-pathlen99.pem", - "certs/test-pathlen/chainG-ICA2-pathlen1.pem", - "certs/test-pathlen/chainG-ICA1-pathlen0.pem", - "certs/test-pathlen/chainG-entity.pem"}; - - LOAD_ONE_CA(ret, i, cm, chainGArr[0]); /* if failure, i = -1 here */ - LOAD_ONE_CA(ret, i, cm, chainGArr[1]); /* if failure, i = -2 here */ - LOAD_ONE_CA(ret, i, cm, chainGArr[2]); /* if failure, i = -3 here */ - LOAD_ONE_CA(ret, i, cm, chainGArr[3]); /* if failure, i = -4 here */ - LOAD_ONE_CA(ret, i, cm, chainGArr[4]); /* if failure, i = -5 here */ - LOAD_ONE_CA(ret, i, cm, chainGArr[5]); /* if failure, i = -6 here */ - LOAD_ONE_CA(ret, i, cm, chainGArr[6]); /* if failure, i = -7 here */ - LOAD_ONE_CA(ret, i, cm, chainGArr[7]); /* if failure, i = -8 here */ - VERIFY_ONE_CERT(ret, i, cm, chainGArr[1]); /* if failure, i = -9 here */ - VERIFY_ONE_CERT(ret, i, cm, chainGArr[2]); /* if failure, i = -10 here */ - VERIFY_ONE_CERT(ret, i, cm, chainGArr[3]); /* if failure, i = -11 here */ - VERIFY_ONE_CERT(ret, i, cm, chainGArr[4]); /* if failure, i = -12 here */ - VERIFY_ONE_CERT(ret, i, cm, chainGArr[5]); /* if failure, i = -13 here */ - VERIFY_ONE_CERT(ret, i, cm, chainGArr[6]); /* if failure, i = -14 here */ - VERIFY_ONE_CERT(ret, i, cm, chainGArr[7]); /* if failure, i = -15 here */ - VERIFY_ONE_CERT(ret, i, cm, chainGArr[8]); /* if failure, i = -16 here */ - - /* test validating the entity twice, should have no effect on pathLen since - * entity/leaf cert */ - VERIFY_ONE_CERT(ret, i, cm, chainGArr[8]); /* if failure, i = -17 here */ - - return ret; -} - -static int test_chainH(WOLFSSL_CERT_MANAGER* cm) -{ - int ret; - int i = -1; - /* Chain H is NOT a valid chain per RFC5280 section 4.2.1.9: - * ICA4-pathlen of 2 signing ICA3-pathlen of 2 (reduce max path len to 2) - * ICA3-pathlen of 2 signing ICA2-pathlen of 2 (reduce max path len to 1) - * ICA2-pathlen of 2 signing ICA1-pathlen of 0 (reduce max path len to 0) - * ICA1-pathlen of 0 signing entity (pathlen is already 0, ERROR) - * Test should successfully verify ICA4, ICA3, ICA2 and then fail on ICA1 - */ - char chainHArr[6][50] = {"certs/ca-cert.pem", - "certs/test-pathlen/chainH-ICA4-pathlen2.pem", - "certs/test-pathlen/chainH-ICA3-pathlen2.pem", - "certs/test-pathlen/chainH-ICA2-pathlen2.pem", - "certs/test-pathlen/chainH-ICA1-pathlen0.pem", - "certs/test-pathlen/chainH-entity.pem"}; - - LOAD_ONE_CA(ret, i, cm, chainHArr[0]); /* if failure, i = -1 here */ - LOAD_ONE_CA(ret, i, cm, chainHArr[1]); /* if failure, i = -2 here */ - LOAD_ONE_CA(ret, i, cm, chainHArr[2]); /* if failure, i = -3 here */ - LOAD_ONE_CA(ret, i, cm, chainHArr[3]); /* if failure, i = -4 here */ - LOAD_ONE_CA(ret, i, cm, chainHArr[4]); /* if failure, i = -5 here */ - VERIFY_ONE_CERT(ret, i, cm, chainHArr[1]); /* if failure, i = -6 here */ - VERIFY_ONE_CERT(ret, i, cm, chainHArr[2]); /* if failure, i = -7 here */ - VERIFY_ONE_CERT(ret, i, cm, chainHArr[3]); /* if failure, i = -8 here */ - VERIFY_ONE_CERT(ret, i, cm, chainHArr[4]); /* if failure, i = -9 here */ - VERIFY_ONE_CERT(ret, i, cm, chainHArr[5]); /* if failure, i = -10 here */ - - return ret; -} - -static int test_chainI(WOLFSSL_CERT_MANAGER* cm) -{ - int ret; - int i = -1; - /* Chain I is a valid chain per RFC5280 section 4.2.1.9: - * ICA3-pathlen of 2 signing ICA2 without a pathlen (reduce maxPathLen to 2) - * ICA2-no_pathlen signing ICA1-no_pathlen (reduce maxPathLen to 1) - * ICA1-no_pathlen signing entity (reduce maxPathLen to 0) - * Test should successfully verify ICA4, ICA3, ICA2 and then fail on ICA1 - */ - char chainIArr[5][50] = {"certs/ca-cert.pem", - "certs/test-pathlen/chainI-ICA3-pathlen2.pem", - "certs/test-pathlen/chainI-ICA2-no_pathlen.pem", - "certs/test-pathlen/chainI-ICA1-no_pathlen.pem", - "certs/test-pathlen/chainI-entity.pem"}; - - LOAD_ONE_CA(ret, i, cm, chainIArr[0]); /* if failure, i = -1 here */ - LOAD_ONE_CA(ret, i, cm, chainIArr[1]); /* if failure, i = -2 here */ - LOAD_ONE_CA(ret, i, cm, chainIArr[2]); /* if failure, i = -3 here */ - LOAD_ONE_CA(ret, i, cm, chainIArr[3]); /* if failure, i = -4 here */ - VERIFY_ONE_CERT(ret, i, cm, chainIArr[1]); /* if failure, i = -5 here */ - VERIFY_ONE_CERT(ret, i, cm, chainIArr[2]); /* if failure, i = -6 here */ - VERIFY_ONE_CERT(ret, i, cm, chainIArr[3]); /* if failure, i = -7 here */ - VERIFY_ONE_CERT(ret, i, cm, chainIArr[4]); /* if failure, i = -8 here */ - - return ret; -} - -static int test_chainJ(WOLFSSL_CERT_MANAGER* cm) -{ - int ret; - int i = -1; - /* Chain J is NOT a valid chain per RFC5280 section 4.2.1.9: - * ICA4-pathlen of 2 signing ICA3 without a pathlen (reduce maxPathLen to 2) - * ICA3-pathlen of 2 signing ICA2 without a pathlen (reduce maxPathLen to 1) - * ICA2-no_pathlen signing ICA1-no_pathlen (reduce maxPathLen to 0) - * ICA1-no_pathlen signing entity (ERROR, pathlen zero and non-leaf cert) - */ - char chainJArr[6][50] = {"certs/ca-cert.pem", - "certs/test-pathlen/chainJ-ICA4-pathlen2.pem", - "certs/test-pathlen/chainJ-ICA3-no_pathlen.pem", - "certs/test-pathlen/chainJ-ICA2-no_pathlen.pem", - "certs/test-pathlen/chainJ-ICA1-no_pathlen.pem", - "certs/test-pathlen/chainJ-entity.pem"}; - - LOAD_ONE_CA(ret, i, cm, chainJArr[0]); /* if failure, i = -1 here */ - LOAD_ONE_CA(ret, i, cm, chainJArr[1]); /* if failure, i = -2 here */ - LOAD_ONE_CA(ret, i, cm, chainJArr[2]); /* if failure, i = -3 here */ - LOAD_ONE_CA(ret, i, cm, chainJArr[3]); /* if failure, i = -4 here */ - LOAD_ONE_CA(ret, i, cm, chainJArr[4]); /* if failure, i = -5 here */ - VERIFY_ONE_CERT(ret, i, cm, chainJArr[1]); /* if failure, i = -6 here */ - VERIFY_ONE_CERT(ret, i, cm, chainJArr[2]); /* if failure, i = -7 here */ - VERIFY_ONE_CERT(ret, i, cm, chainJArr[3]); /* if failure, i = -8 here */ - VERIFY_ONE_CERT(ret, i, cm, chainJArr[4]); /* if failure, i = -9 here */ - VERIFY_ONE_CERT(ret, i, cm, chainJArr[5]); /* if failure, i = -10 here */ - - return ret; -} -#endif - -static int test_various_pathlen_chains(void) -{ - EXPECT_DECLS; -#ifndef NO_SHA256 - WOLFSSL_CERT_MANAGER* cm = NULL; - - /* Test chain G (large chain with varying pathLens) */ - ExpectNotNull(cm = wolfSSL_CertManagerNew()); -#if defined(NO_WOLFSSL_CLIENT) && defined(NO_WOLFSSL_SERVER) - ExpectIntEQ(test_chainG(cm), -1); -#else - ExpectIntEQ(test_chainG(cm), 0); -#endif /* NO_WOLFSSL_CLIENT && NO_WOLFSSL_SERVER */ - ExpectIntEQ(wolfSSL_CertManagerUnloadCAs(cm), WOLFSSL_SUCCESS); - wolfSSL_CertManagerFree(cm); - /* end test chain G */ - - /* Test chain H (5 chain with same pathLens) */ - ExpectNotNull(cm = wolfSSL_CertManagerNew()); - ExpectIntLT(test_chainH(cm), 0); - ExpectIntEQ(wolfSSL_CertManagerUnloadCAs(cm), WOLFSSL_SUCCESS); - wolfSSL_CertManagerFree(cm); - - ExpectNotNull(cm = wolfSSL_CertManagerNew()); - ExpectIntEQ(wolfSSL_CertManagerUnloadCAs(cm), WOLFSSL_SUCCESS); - wolfSSL_CertManagerFree(cm); - /* end test chain H */ - - /* Test chain I (only first ICA has pathLen set and it's set to 2, - * followed by 2 ICA's, should pass) */ - ExpectNotNull(cm = wolfSSL_CertManagerNew()); -#if defined(NO_WOLFSSL_CLIENT) && defined(NO_WOLFSSL_SERVER) - ExpectIntEQ(test_chainI(cm), -1); -#else - ExpectIntEQ(test_chainI(cm), 0); -#endif /* NO_WOLFSSL_CLIENT && NO_WOLFSSL_SERVER */ - ExpectIntEQ(wolfSSL_CertManagerUnloadCAs(cm), WOLFSSL_SUCCESS); - wolfSSL_CertManagerFree(cm); - cm = NULL; - - ExpectNotNull(cm = wolfSSL_CertManagerNew()); - ExpectIntEQ(wolfSSL_CertManagerUnloadCAs(cm), WOLFSSL_SUCCESS); - wolfSSL_CertManagerFree(cm); - cm = NULL; - - /* Test chain J (Again only first ICA has pathLen set and it's set to 2, - * this time followed by 3 ICA's, should fail */ - ExpectNotNull(cm = wolfSSL_CertManagerNew()); - ExpectIntLT(test_chainJ(cm), 0); - ExpectIntEQ(wolfSSL_CertManagerUnloadCAs(cm), WOLFSSL_SUCCESS); - wolfSSL_CertManagerFree(cm); - cm = NULL; - - ExpectNotNull(cm = wolfSSL_CertManagerNew()); - ExpectIntEQ(wolfSSL_CertManagerUnloadCAs(cm), WOLFSSL_SUCCESS); - wolfSSL_CertManagerFree(cm); -#endif - - return EXPECT_RESULT(); -} -#endif -#endif -#endif /* !NO_RSA && !NO_SHA && !NO_FILESYSTEM && !NO_CERTS */ - #if defined(HAVE_KEYING_MATERIAL) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) static int test_export_keying_material_cb(WOLFSSL_CTX *ctx, WOLFSSL *ssl) { @@ -34859,243 +24557,6 @@ static int test_wolfSSL_ERR_strings(void) return EXPECT_RESULT(); } -static int test_wolfSSL_EVP_shake128(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_SHA3) && \ - defined(WOLFSSL_SHAKE128) - const EVP_MD* md = NULL; - - ExpectNotNull(md = EVP_shake128()); - ExpectIntEQ(XSTRNCMP(md, "SHAKE128", XSTRLEN("SHAKE128")), 0); -#endif - - return EXPECT_RESULT(); -} - -static int test_wolfSSL_EVP_shake256(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_SHA3) && \ - defined(WOLFSSL_SHAKE256) - const EVP_MD* md = NULL; - - ExpectNotNull(md = EVP_shake256()); - ExpectIntEQ(XSTRNCMP(md, "SHAKE256", XSTRLEN("SHAKE256")), 0); -#endif - - return EXPECT_RESULT(); -} - -/* - * Testing EVP digest API with SM3 - */ -static int test_wolfSSL_EVP_sm3(void) -{ - int res = TEST_SKIPPED; -#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_SM3) - EXPECT_DECLS; - const EVP_MD* md = NULL; - EVP_MD_CTX* mdCtx = NULL; - byte data[WC_SM3_BLOCK_SIZE * 4]; - byte hash[WC_SM3_DIGEST_SIZE]; - byte calcHash[WC_SM3_DIGEST_SIZE]; - byte expHash[WC_SM3_DIGEST_SIZE] = { - 0x38, 0x48, 0x15, 0xa7, 0x0e, 0xae, 0x0b, 0x27, - 0x5c, 0xde, 0x9d, 0xa5, 0xd1, 0xa4, 0x30, 0xa1, - 0xca, 0xd4, 0x54, 0x58, 0x44, 0xa2, 0x96, 0x1b, - 0xd7, 0x14, 0x80, 0x3f, 0x80, 0x1a, 0x07, 0xb6 - }; - word32 chunk; - word32 i; - unsigned int sz; - int ret; - - XMEMSET(data, 0, sizeof(data)); - - md = EVP_sm3(); - ExpectTrue(md != NULL); - ExpectIntEQ(XSTRNCMP(md, "SM3", XSTRLEN("SM3")), 0); - mdCtx = EVP_MD_CTX_new(); - ExpectTrue(mdCtx != NULL); - - /* Invalid Parameters */ - ExpectIntEQ(EVP_DigestInit(NULL, md), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - /* Valid Parameters */ - ExpectIntEQ(EVP_DigestInit(mdCtx, md), WOLFSSL_SUCCESS); - - ExpectIntEQ(EVP_DigestUpdate(NULL, NULL, 1), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(EVP_DigestUpdate(mdCtx, NULL, 1), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(EVP_DigestUpdate(NULL, data, 1), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - - /* Valid Parameters */ - ExpectIntEQ(EVP_DigestUpdate(mdCtx, NULL, 0), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_DigestUpdate(mdCtx, data, 1), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_DigestUpdate(mdCtx, data, 1), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_DigestUpdate(mdCtx, data, WC_SM3_BLOCK_SIZE), - WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_DigestUpdate(mdCtx, data, WC_SM3_BLOCK_SIZE - 2), - WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_DigestUpdate(mdCtx, data, WC_SM3_BLOCK_SIZE * 2), - WOLFSSL_SUCCESS); - /* Ensure too many bytes for lengths. */ - ExpectIntEQ(EVP_DigestUpdate(mdCtx, data, WC_SM3_PAD_SIZE), - WOLFSSL_SUCCESS); - - /* Invalid Parameters */ - ExpectIntEQ(EVP_DigestFinal(NULL, NULL, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(EVP_DigestFinal(mdCtx, NULL, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(EVP_DigestFinal(NULL, hash, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(EVP_DigestFinal(NULL, hash, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(EVP_DigestFinal(mdCtx, NULL, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - - /* Valid Parameters */ - ExpectIntEQ(EVP_DigestFinal(mdCtx, hash, NULL), WOLFSSL_SUCCESS); - ExpectBufEQ(hash, expHash, WC_SM3_DIGEST_SIZE); - - /* Chunk tests. */ - ExpectIntEQ(EVP_DigestUpdate(mdCtx, data, sizeof(data)), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_DigestFinal(mdCtx, calcHash, &sz), WOLFSSL_SUCCESS); - ExpectIntEQ(sz, WC_SM3_DIGEST_SIZE); - for (chunk = 1; chunk <= WC_SM3_BLOCK_SIZE + 1; chunk++) { - for (i = 0; i + chunk <= (word32)sizeof(data); i += chunk) { - ExpectIntEQ(EVP_DigestUpdate(mdCtx, data + i, chunk), - WOLFSSL_SUCCESS); - } - if (i < (word32)sizeof(data)) { - ExpectIntEQ(EVP_DigestUpdate(mdCtx, data + i, - (word32)sizeof(data) - i), WOLFSSL_SUCCESS); - } - ExpectIntEQ(EVP_DigestFinal(mdCtx, hash, NULL), WOLFSSL_SUCCESS); - ExpectBufEQ(hash, calcHash, WC_SM3_DIGEST_SIZE); - } - - /* Not testing when the low 32-bit length overflows. */ - - ret = EVP_MD_CTX_cleanup(mdCtx); - ExpectIntEQ(ret, WOLFSSL_SUCCESS); - wolfSSL_EVP_MD_CTX_free(mdCtx); - - res = EXPECT_RESULT(); -#endif - return res; -} /* END test_EVP_sm3 */ - -static int test_EVP_blake2(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && (defined(HAVE_BLAKE2) || defined(HAVE_BLAKE2S)) - const EVP_MD* md = NULL; - (void)md; - -#if defined(HAVE_BLAKE2) - ExpectNotNull(md = EVP_blake2b512()); - ExpectIntEQ(XSTRNCMP(md, "BLAKE2b512", XSTRLEN("BLAKE2b512")), 0); -#endif - -#if defined(HAVE_BLAKE2S) - ExpectNotNull(md = EVP_blake2s256()); - ExpectIntEQ(XSTRNCMP(md, "BLAKE2s256", XSTRLEN("BLAKE2s256")), 0); -#endif -#endif - - return EXPECT_RESULT(); -} - -#if defined(OPENSSL_EXTRA) -static void list_md_fn(const EVP_MD* m, const char* from, - const char* to, void* arg) -{ - const char* mn; - BIO *bio; - - (void) from; - (void) to; - (void) arg; - (void) mn; - (void) bio; - - if (!m) { - /* alias */ - AssertNull(m); - AssertNotNull(to); - } - else { - AssertNotNull(m); - AssertNull(to); - } - - AssertNotNull(from); - -#if !defined(NO_FILESYSTEM) && defined(DEBUG_WOLFSSL_VERBOSE) - mn = EVP_get_digestbyname(from); - /* print to stderr */ - AssertNotNull(arg); - - bio = BIO_new(BIO_s_file()); - BIO_set_fp(bio, arg, BIO_NOCLOSE); - BIO_printf(bio, "Use %s message digest algorithm\n", mn); - BIO_free(bio); -#endif -} -#endif - -static int test_EVP_MD_do_all(void) -{ - int res = TEST_SKIPPED; -#if defined(OPENSSL_EXTRA) - EVP_MD_do_all(NULL, stderr); - - EVP_MD_do_all(list_md_fn, stderr); - - res = TEST_SUCCESS; -#endif - - return res; -} - -#if defined(OPENSSL_EXTRA) -static void obj_name_t(const OBJ_NAME* nm, void* arg) -{ - (void)arg; - (void)nm; - - AssertIntGT(nm->type, OBJ_NAME_TYPE_UNDEF); - -#if !defined(NO_FILESYSTEM) && defined(DEBUG_WOLFSSL_VERBOSE) - /* print to stderr */ - AssertNotNull(arg); - - BIO *bio = BIO_new(BIO_s_file()); - BIO_set_fp(bio, arg, BIO_NOCLOSE); - BIO_printf(bio, "%s\n", nm); - BIO_free(bio); -#endif -} - -#endif -static int test_OBJ_NAME_do_all(void) -{ - int res = TEST_SKIPPED; -#if defined(OPENSSL_EXTRA) - - OBJ_NAME_do_all(OBJ_NAME_TYPE_MD_METH, NULL, NULL); - - OBJ_NAME_do_all(OBJ_NAME_TYPE_CIPHER_METH, NULL, stderr); - - OBJ_NAME_do_all(OBJ_NAME_TYPE_MD_METH, obj_name_t, stderr); - OBJ_NAME_do_all(OBJ_NAME_TYPE_PKEY_METH, obj_name_t, stderr); - OBJ_NAME_do_all(OBJ_NAME_TYPE_COMP_METH, obj_name_t, stderr); - OBJ_NAME_do_all(OBJ_NAME_TYPE_NUM, obj_name_t, stderr); - OBJ_NAME_do_all(OBJ_NAME_TYPE_UNDEF, obj_name_t, stderr); - OBJ_NAME_do_all(OBJ_NAME_TYPE_CIPHER_METH, obj_name_t, stderr); - OBJ_NAME_do_all(-1, obj_name_t, stderr); - - res = TEST_SUCCESS; -#endif - - return res; -} static int test_SSL_CIPHER_get_xxx(void) { @@ -41619,11 +31080,6 @@ TEST_CASE testCases[] = { TEST_DECL(test_wolfSSL_lhash), -#ifndef NO_BIO - TEST_DECL(test_wolfSSL_BIO), - TEST_DECL(test_wolfSSL_BIO_BIO_ring_read), -#endif - TEST_DECL(test_wolfSSL_certs), TEST_DECL(test_wolfSSL_X509_ext_d2i), @@ -41631,90 +31087,11 @@ TEST_CASE testCases[] = { TEST_SSL_PEM_DECLS, /* EVP API testing */ - TEST_DECL(test_wolfSSL_EVP_ENCODE_CTX_new), - TEST_DECL(test_wolfSSL_EVP_ENCODE_CTX_free), - TEST_DECL(test_wolfSSL_EVP_EncodeInit), - TEST_DECL(test_wolfSSL_EVP_EncodeUpdate), - TEST_DECL(test_wolfSSL_EVP_CipherUpdate_Null), - TEST_DECL(test_wolfSSL_EVP_CIPHER_type_string), - TEST_DECL(test_wolfSSL_EVP_EncodeFinal), - TEST_DECL(test_wolfSSL_EVP_DecodeInit), - TEST_DECL(test_wolfSSL_EVP_DecodeUpdate), - TEST_DECL(test_wolfSSL_EVP_DecodeFinal), - - TEST_DECL(test_wolfSSL_EVP_shake128), - TEST_DECL(test_wolfSSL_EVP_shake256), - TEST_DECL(test_wolfSSL_EVP_sm3), - TEST_DECL(test_EVP_blake2), -#ifdef OPENSSL_ALL - TEST_DECL(test_wolfSSL_EVP_md4), - TEST_DECL(test_wolfSSL_EVP_ripemd160), - TEST_DECL(test_wolfSSL_EVP_get_digestbynid), - TEST_DECL(test_wolfSSL_EVP_MD_nid), - - TEST_DECL(test_wolfSSL_EVP_DigestFinal_ex), - TEST_DECL(test_wolfSSL_EVP_DigestFinalXOF), -#endif - - TEST_DECL(test_EVP_MD_do_all), - TEST_DECL(test_wolfSSL_EVP_MD_size), - TEST_DECL(test_wolfSSL_EVP_MD_pkey_type), - TEST_DECL(test_wolfSSL_EVP_Digest), - TEST_DECL(test_wolfSSL_EVP_Digest_all), - TEST_DECL(test_wolfSSL_EVP_MD_hmac_signing), - TEST_DECL(test_wolfSSL_EVP_MD_rsa_signing), - TEST_DECL(test_wolfSSL_EVP_MD_ecc_signing), - - TEST_DECL(test_wolfssl_EVP_aes_gcm), - TEST_DECL(test_wolfssl_EVP_aes_gcm_AAD_2_parts), - TEST_DECL(test_wolfssl_EVP_aes_gcm_zeroLen), - TEST_DECL(test_wolfssl_EVP_aes_ccm), - TEST_DECL(test_wolfssl_EVP_aes_ccm_zeroLen), - TEST_DECL(test_wolfssl_EVP_chacha20), - TEST_DECL(test_wolfssl_EVP_chacha20_poly1305), - TEST_DECL(test_wolfssl_EVP_sm4_ecb), - TEST_DECL(test_wolfssl_EVP_sm4_cbc), - TEST_DECL(test_wolfssl_EVP_sm4_ctr), - TEST_DECL(test_wolfssl_EVP_sm4_gcm_zeroLen), - TEST_DECL(test_wolfssl_EVP_sm4_gcm), - TEST_DECL(test_wolfssl_EVP_sm4_ccm_zeroLen), - TEST_DECL(test_wolfssl_EVP_sm4_ccm), -#ifdef OPENSSL_ALL - TEST_DECL(test_wolfSSL_EVP_aes_256_gcm), - TEST_DECL(test_wolfSSL_EVP_aes_192_gcm), - TEST_DECL(test_wolfSSL_EVP_aes_256_ccm), - TEST_DECL(test_wolfSSL_EVP_aes_192_ccm), - TEST_DECL(test_wolfSSL_EVP_aes_128_ccm), - TEST_DECL(test_wolfSSL_EVP_rc4), - TEST_DECL(test_wolfSSL_EVP_enc_null), - TEST_DECL(test_wolfSSL_EVP_rc2_cbc), - TEST_DECL(test_wolfSSL_EVP_mdc2), - - TEST_DECL(test_evp_cipher_aes_gcm), -#endif - TEST_DECL(test_wolfssl_EVP_aria_gcm), - TEST_DECL(test_wolfSSL_EVP_Cipher_extra), -#ifdef OPENSSL_EXTRA - TEST_DECL(test_wolfSSL_EVP_get_cipherbynid), - TEST_DECL(test_wolfSSL_EVP_CIPHER_CTX), -#endif -#ifdef OPENSSL_ALL - TEST_DECL(test_wolfSSL_EVP_CIPHER_CTX_iv_length), - TEST_DECL(test_wolfSSL_EVP_CIPHER_CTX_key_length), - TEST_DECL(test_wolfSSL_EVP_CIPHER_CTX_set_iv), - TEST_DECL(test_wolfSSL_EVP_CIPHER_block_size), - TEST_DECL(test_wolfSSL_EVP_CIPHER_iv_length), - TEST_DECL(test_wolfSSL_EVP_X_STATE), - TEST_DECL(test_wolfSSL_EVP_X_STATE_LEN), - TEST_DECL(test_wolfSSL_EVP_BytesToKey), -#endif - - TEST_DECL(test_wolfSSL_EVP_PKEY_print_public), - TEST_DECL(test_wolfSSL_EVP_PKEY_new_mac_key), - TEST_DECL(test_wolfSSL_EVP_PKEY_new_CMAC_key), - TEST_DECL(test_wolfSSL_EVP_PKEY_up_ref), - TEST_DECL(test_wolfSSL_EVP_PKEY_hkdf), - TEST_DECL(test_wolfSSL_EVP_PKEY_derive), + TEST_EVP_ENC_DECLS, + TEST_EVP_DIGEST_DECLS, + TEST_EVP_CIPHER_DECLS, + TEST_EVP_PKEY_DECLS, + TEST_DECL(test_wolfSSL_d2i_and_i2d_PublicKey), TEST_DECL(test_wolfSSL_d2i_and_i2d_PublicKey_ecc), #ifndef NO_BIO @@ -41727,43 +31104,9 @@ TEST_CASE testCases[] = { #ifndef NO_BIO TEST_DECL(test_wolfSSL_d2i_PrivateKeys_bio), #endif /* !NO_BIO */ -#endif -#ifdef OPENSSL_ALL - TEST_DECL(test_wolfSSL_EVP_PKEY_set1_get1_DSA), - TEST_DECL(test_wolfSSL_EVP_PKEY_set1_get1_EC_KEY), - TEST_DECL(test_wolfSSL_EVP_PKEY_set1_get1_DH), - TEST_DECL(test_wolfSSL_EVP_PKEY_assign), - TEST_DECL(test_wolfSSL_EVP_PKEY_assign_DH), - TEST_DECL(test_wolfSSL_EVP_PKEY_base_id), - TEST_DECL(test_wolfSSL_EVP_PKEY_id), - TEST_DECL(test_wolfSSL_EVP_PKEY_paramgen), - TEST_DECL(test_wolfSSL_EVP_PKEY_keygen), - TEST_DECL(test_wolfSSL_EVP_PKEY_keygen_init), - TEST_DECL(test_wolfSSL_EVP_PKEY_missing_parameters), - TEST_DECL(test_wolfSSL_EVP_PKEY_copy_parameters), - TEST_DECL(test_wolfSSL_EVP_PKEY_CTX_set_rsa_keygen_bits), - TEST_DECL(test_wolfSSL_EVP_PKEY_CTX_new_id), - TEST_DECL(test_wolfSSL_EVP_PKEY_get0_EC_KEY), -#endif - - TEST_DECL(test_EVP_PKEY_rsa), - TEST_DECL(test_wc_RsaPSS_DigitalSignVerify), - TEST_DECL(test_EVP_PKEY_ec), - TEST_DECL(test_wolfSSL_EVP_PKEY_encrypt), - TEST_DECL(test_wolfSSL_EVP_PKEY_sign_verify_rsa), - TEST_DECL(test_wolfSSL_EVP_PKEY_sign_verify_dsa), - TEST_DECL(test_wolfSSL_EVP_PKEY_sign_verify_ec), - TEST_DECL(test_EVP_PKEY_cmp), - -#ifdef OPENSSL_ALL - TEST_DECL(test_wolfSSL_EVP_SignInit_ex), - TEST_DECL(test_wolfSSL_EVP_PKEY_param_check), - TEST_DECL(test_wolfSSL_QT_EVP_PKEY_CTX_free), #endif - TEST_DECL(test_wolfSSL_EVP_PBE_scrypt), - TEST_DECL(test_wolfSSL_CTX_add_extra_chain_cert), #if !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) TEST_DECL(test_wolfSSL_ERR_peek_last_error_line), #endif @@ -41821,10 +31164,7 @@ TEST_CASE testCases[] = { TEST_DECL(test_wolfSSL_X509_REQ_print), /* RAND compatibility API */ - TEST_DECL(test_wolfSSL_RAND_set_rand_method), - TEST_DECL(test_wolfSSL_RAND_bytes), - TEST_DECL(test_wolfSSL_RAND), - TEST_DECL(test_wolfSSL_RAND_poll), + TEST_OSSL_RAND_DECLS, /* BN compatibility API */ TEST_OSSL_ASN1_BN_DECLS, @@ -41837,21 +31177,10 @@ TEST_CASE testCases[] = { TEST_DECL(test_wolfSSL_PKCS8_d2i), /* OpenSSL PKCS7 API test */ - TEST_DECL(test_wolfssl_PKCS7), - TEST_DECL(test_wolfSSL_PKCS7_certs), - TEST_DECL(test_wolfSSL_PKCS7_sign), - TEST_DECL(test_wolfSSL_PKCS7_SIGNED_new), -#ifndef NO_BIO - TEST_DECL(test_wolfSSL_PEM_write_bio_PKCS7), - TEST_DECL(test_wolfSSL_PEM_write_bio_encryptedKey), -#ifdef HAVE_SMIME - TEST_DECL(test_wolfSSL_SMIME_read_PKCS7), - TEST_DECL(test_wolfSSL_SMIME_write_PKCS7), -#endif /* HAVE_SMIME */ -#endif /* !NO_BIO */ - + TEST_OSSL_PKCS7_DECLS, + TEST_OSSL_SMIME_DECLS, /* OpenSSL PKCS12 API test */ - TEST_DECL(test_wolfSSL_PKCS12), + TEST_OSSL_PKCS12_DECLS, /* Can't memory test as callbacks use Assert. */ TEST_DECL(test_error_queue_per_thread), @@ -41861,15 +31190,7 @@ TEST_CASE testCases[] = { TEST_DECL(test_wolfSSL_ERR_print_errors), #endif - TEST_DECL(test_OBJ_NAME_do_all), - TEST_DECL(test_wolfSSL_OBJ), - TEST_DECL(test_wolfSSL_OBJ_cmp), - TEST_DECL(test_wolfSSL_OBJ_txt2nid), - TEST_DECL(test_wolfSSL_OBJ_txt2obj), -#ifdef OPENSSL_ALL - TEST_DECL(test_wolfSSL_OBJ_ln), - TEST_DECL(test_wolfSSL_OBJ_sn), -#endif + TEST_OSSL_OBJ_DECLS, #ifndef NO_BIO TEST_OSSL_BIO_DECLS, @@ -41963,26 +31284,9 @@ TEST_CASE testCases[] = { /********************************* * CertManager API tests *********************************/ + TEST_CERTMAN_DECLS, - TEST_DECL(test_wolfSSL_CertManagerAPI), - TEST_DECL(test_wolfSSL_CertManagerLoadCABuffer), - TEST_DECL(test_wolfSSL_CertManagerLoadCABuffer_ex), - TEST_DECL(test_wolfSSL_CertManagerLoadCABufferType), - TEST_DECL(test_wolfSSL_CertManagerGetCerts), - TEST_DECL(test_wolfSSL_CertManagerSetVerify), - TEST_DECL(test_wolfSSL_CertManagerNameConstraint), - TEST_DECL(test_wolfSSL_CertManagerNameConstraint2), - TEST_DECL(test_wolfSSL_CertManagerNameConstraint3), - TEST_DECL(test_wolfSSL_CertManagerNameConstraint4), - TEST_DECL(test_wolfSSL_CertManagerNameConstraint5), - TEST_DECL(test_wolfSSL_CertManagerCRL), - TEST_DECL(test_wolfSSL_CRL_duplicate_extensions), - TEST_DECL(test_wolfSSL_CertManagerCheckOCSPResponse), TEST_DECL(test_wolfSSL_CheckOCSPResponse), -#if defined(HAVE_CERT_CHAIN_VALIDATION) && !defined(WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION) && \ - defined(WOLFSSL_PEM_TO_DER) - TEST_DECL(test_various_pathlen_chains), -#endif /********************************* * SSL/TLS API tests @@ -42075,6 +31379,7 @@ TEST_CASE testCases[] = { TEST_DECL(test_wolfSSL_CTX_load_verify_locations), /* Large number of memory allocations. */ TEST_DECL(test_wolfSSL_CTX_load_system_CA_certs), + TEST_DECL(test_wolfSSL_CTX_add_extra_chain_cert), #if defined(HAVE_CERT_CHAIN_VALIDATION) && \ !defined(WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION) diff --git a/tests/api/api.h b/tests/api/api.h index 125ec273d03..fa14484c906 100644 --- a/tests/api/api.h +++ b/tests/api/api.h @@ -52,6 +52,11 @@ #define FOURK_BUF 4096 #endif +#if !defined(NO_RSA) && !defined(NO_SHA) && !defined(NO_FILESYSTEM) && \ + !defined(NO_CERTS) && \ + (!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)) + #define HAVE_CERT_CHAIN_VALIDATION +#endif #ifndef NO_RSA #define GEN_BUF 294 diff --git a/tests/api/include.am b/tests/api/include.am index 79d15c0ef96..59091b0812f 100644 --- a/tests/api/include.am +++ b/tests/api/include.am @@ -93,6 +93,16 @@ tests_unit_test_SOURCES += tests/api/test_ossl_x509_str.c tests_unit_test_SOURCES += tests/api/test_ossl_x509_lu.c # SSL PEM tests_unit_test_SOURCES += tests/api/test_ossl_pem.c +# SSL Random +tests_unit_test_SOURCES += tests/api/test_ossl_rand.c +tests_unit_test_SOURCES += tests/api/test_ossl_obj.c +tests_unit_test_SOURCES += tests/api/test_ossl_p7p12.c +# EVP APIs +tests_unit_test_SOURCES += tests/api/test_evp_digest.c +tests_unit_test_SOURCES += tests/api/test_evp_cipher.c +tests_unit_test_SOURCES += tests/api/test_evp_pkey.c +# CertificateManager +tests_unit_test_SOURCES += tests/api/test_certman.c # TLS 1.3 specific tests_unit_test_SOURCES += tests/api/test_tls13.c endif @@ -174,5 +184,12 @@ EXTRA_DIST += tests/api/test_ossl_x509_info.h EXTRA_DIST += tests/api/test_ossl_x509_str.h EXTRA_DIST += tests/api/test_ossl_x509_lu.h EXTRA_DIST += tests/api/test_ossl_pem.h +EXTRA_DIST += tests/api/test_ossl_rand.h +EXTRA_DIST += tests/api/test_ossl_obj.h +EXTRA_DIST += tests/api/test_ossl_p7p12.h +EXTRA_DIST += tests/api/test_evp_digest.h +EXTRA_DIST += tests/api/test_evp_cipher.h +EXTRA_DIST += tests/api/test_evp_pkey.h +EXTRA_DIST += tests/api/test_certman.h EXTRA_DIST += tests/api/test_tls13.h diff --git a/tests/api/test_certman.c b/tests/api/test_certman.c new file mode 100644 index 00000000000..a2ff33373ba --- /dev/null +++ b/tests/api/test_certman.c @@ -0,0 +1,2370 @@ +/* test_certman.c + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +#include + +#ifdef NO_INLINE + #include +#else + #define WOLFSSL_MISC_INCLUDED + #include +#endif + +#include +#include +#include +#include +#include + +int test_wolfSSL_CertManagerAPI(void) +{ + EXPECT_DECLS; +#ifndef NO_CERTS + WOLFSSL_CERT_MANAGER* cm = NULL; + unsigned char c = 0; + + ExpectNotNull(cm = wolfSSL_CertManagerNew_ex(NULL)); + + wolfSSL_CertManagerFree(NULL); + ExpectIntEQ(wolfSSL_CertManager_up_ref(NULL), 0); + ExpectIntEQ(wolfSSL_CertManagerUnloadCAs(NULL), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); +#ifdef WOLFSSL_TRUST_PEER_CERT + ExpectIntEQ(wolfSSL_CertManagerUnload_trust_peers(NULL), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); +#endif + + ExpectIntEQ(wolfSSL_CertManagerLoadCABuffer_ex(NULL, &c, 1, + WOLFSSL_FILETYPE_ASN1, 0, 0), WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); + +#if !defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH) + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(NULL, NULL, -1, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, NULL, -1, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(NULL, &c, -1, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(NULL, NULL, 1, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(NULL, &c, 1, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, NULL, 1, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, &c, -1, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, &c, 1, -1), + WC_NO_ERR_TRACE(WOLFSSL_BAD_FILETYPE)); +#endif + +#if !defined(NO_FILESYSTEM) + { + #ifdef WOLFSSL_PEM_TO_DER + const char* ca_cert = "./certs/ca-cert.pem"; + #if !defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH) + const char* ca_cert_der = "./certs/ca-cert.der"; + #endif + #else + const char* ca_cert = "./certs/ca-cert.der"; + #endif + const char* ca_path = "./certs"; + + #if !defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH) + ExpectIntEQ(wolfSSL_CertManagerVerify(NULL, NULL, -1), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerVerify(cm, NULL, WOLFSSL_FILETYPE_ASN1), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerVerify(NULL, ca_cert, + WOLFSSL_FILETYPE_PEM), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerVerify(cm, ca_cert, -1), + WC_NO_ERR_TRACE(WOLFSSL_BAD_FILETYPE)); +#ifdef WOLFSSL_PEM_TO_DER + ExpectIntEQ(wolfSSL_CertManagerVerify(cm, ca_cert_der, + WOLFSSL_FILETYPE_PEM), WC_NO_ERR_TRACE(ASN_NO_PEM_HEADER)); +#endif + ExpectIntEQ(wolfSSL_CertManagerVerify(cm, "no-file", + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(WOLFSSL_BAD_FILE)); + #endif + + ExpectIntEQ(wolfSSL_CertManagerLoadCA(NULL, NULL, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); + ExpectIntEQ(wolfSSL_CertManagerLoadCA(NULL, ca_cert, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); + ExpectIntEQ(wolfSSL_CertManagerLoadCA(NULL, NULL, ca_path), + WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); + ExpectIntEQ(wolfSSL_CertManagerLoadCA(NULL, ca_cert, ca_path), + WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); + } +#endif + +#ifdef OPENSSL_COMPATIBLE_DEFAULTS + ExpectIntEQ(wolfSSL_CertManagerEnableCRL(cm, 0), 1); +#elif !defined(HAVE_CRL) + ExpectIntEQ(wolfSSL_CertManagerEnableCRL(cm, 0), + WC_NO_ERR_TRACE(NOT_COMPILED_IN)); +#endif + + ExpectIntEQ(wolfSSL_CertManagerDisableCRL(NULL), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerDisableCRL(cm), 1); +#ifdef HAVE_CRL + /* Test APIs when CRL is disabled. */ +#ifdef HAVE_CRL_IO + ExpectIntEQ(wolfSSL_CertManagerSetCRL_IOCb(cm, NULL), 1); +#endif + ExpectIntEQ(wolfSSL_CertManagerCheckCRL(cm, server_cert_der_2048, + sizeof_server_cert_der_2048), 1); + ExpectIntEQ(wolfSSL_CertManagerFreeCRL(cm), 1); +#endif + + /* OCSP */ + ExpectIntEQ(wolfSSL_CertManagerEnableOCSP(NULL, 0), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerDisableOCSP(NULL), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerEnableOCSPStapling(NULL), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerDisableOCSPStapling(NULL), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerEnableOCSPMustStaple(NULL), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerDisableOCSPMustStaple(NULL), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); +#if !defined(HAVE_CERTIFICATE_STATUS_REQUEST) && \ + !defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) + ExpectIntEQ(wolfSSL_CertManagerDisableOCSPStapling(cm), + WC_NO_ERR_TRACE(NOT_COMPILED_IN)); + ExpectIntEQ(wolfSSL_CertManagerEnableOCSPMustStaple(cm), + WC_NO_ERR_TRACE(NOT_COMPILED_IN)); + ExpectIntEQ(wolfSSL_CertManagerDisableOCSPMustStaple(cm), + WC_NO_ERR_TRACE(NOT_COMPILED_IN)); +#endif + +#ifdef HAVE_OCSP + ExpectIntEQ(wolfSSL_CertManagerCheckOCSP(NULL, NULL, -1), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerCheckOCSP(cm, NULL, -1), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerCheckOCSP(NULL, &c, -1), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerCheckOCSP(NULL, NULL, 1), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerCheckOCSP(NULL, &c, 1), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerCheckOCSP(cm, NULL, 1), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerCheckOCSP(cm, &c, -1), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + + ExpectIntEQ(wolfSSL_CertManagerCheckOCSPResponse(NULL, NULL, 0, + NULL, NULL, NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerCheckOCSPResponse(cm, NULL, 1, + NULL, NULL, NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerCheckOCSPResponse(NULL, &c, 1, + NULL, NULL, NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + + ExpectIntEQ(wolfSSL_CertManagerSetOCSPOverrideURL(NULL, NULL), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerSetOCSPOverrideURL(NULL, ""), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerSetOCSPOverrideURL(cm, NULL), 1); + + ExpectIntEQ(wolfSSL_CertManagerSetOCSP_Cb(NULL, NULL, NULL, NULL), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerSetOCSP_Cb(cm, NULL, NULL, NULL), 1); + + ExpectIntEQ(wolfSSL_CertManagerDisableOCSP(cm), 1); + /* Test APIs when OCSP is disabled. */ + ExpectIntEQ(wolfSSL_CertManagerCheckOCSPResponse(cm, &c, 1, + NULL, NULL, NULL, NULL), 1); + ExpectIntEQ(wolfSSL_CertManagerCheckOCSP(cm, &c, 1), 1); + +#endif + + ExpectIntEQ(wolfSSL_CertManager_up_ref(cm), 1); + if (EXPECT_SUCCESS()) { + wolfSSL_CertManagerFree(cm); + } + wolfSSL_CertManagerFree(cm); + cm = NULL; + + ExpectNotNull(cm = wolfSSL_CertManagerNew_ex(NULL)); + +#ifdef HAVE_OCSP + ExpectIntEQ(wolfSSL_CertManagerEnableOCSP(cm, WOLFSSL_OCSP_URL_OVERRIDE | + WOLFSSL_OCSP_CHECKALL), 1); +#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) || \ + defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) + ExpectIntEQ(wolfSSL_CertManagerEnableOCSPStapling(cm), 1); + ExpectIntEQ(wolfSSL_CertManagerEnableOCSPStapling(cm), 1); + ExpectIntEQ(wolfSSL_CertManagerDisableOCSPStapling(cm), 1); + ExpectIntEQ(wolfSSL_CertManagerEnableOCSPStapling(cm), 1); + ExpectIntEQ(wolfSSL_CertManagerEnableOCSPMustStaple(cm), 1); + ExpectIntEQ(wolfSSL_CertManagerDisableOCSPMustStaple(cm), 1); +#endif + + ExpectIntEQ(wolfSSL_CertManagerSetOCSPOverrideURL(cm, ""), 1); + ExpectIntEQ(wolfSSL_CertManagerSetOCSPOverrideURL(cm, ""), 1); +#endif + +#ifdef WOLFSSL_TRUST_PEER_CERT + ExpectIntEQ(wolfSSL_CertManagerUnload_trust_peers(cm), 1); +#endif + wolfSSL_CertManagerFree(cm); +#endif + return EXPECT_RESULT(); +} + +#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_TLS) +static int test_cm_load_ca_buffer(const byte* cert_buf, size_t cert_sz, + int file_type) +{ + int ret; + WOLFSSL_CERT_MANAGER* cm; + + cm = wolfSSL_CertManagerNew(); + if (cm == NULL) { + fprintf(stderr, "test_cm_load_ca failed\n"); + return -1; + } + + ret = wolfSSL_CertManagerLoadCABuffer(cm, cert_buf, (sword32)cert_sz, + file_type); + + wolfSSL_CertManagerFree(cm); + + return ret; +} + +static int test_cm_load_ca_file(const char* ca_cert_file) +{ + int ret = 0; + byte* cert_buf = NULL; + size_t cert_sz = 0; +#if defined(WOLFSSL_PEM_TO_DER) + DerBuffer* pDer = NULL; +#endif + + ret = load_file(ca_cert_file, &cert_buf, &cert_sz); + if (ret == 0) { + /* normal test */ + ret = test_cm_load_ca_buffer(cert_buf, cert_sz, CERT_FILETYPE); + + if (ret == WOLFSSL_SUCCESS) { + /* test including null terminator in length */ + byte* tmp = (byte*)realloc(cert_buf, cert_sz+1); + if (tmp == NULL) { + ret = MEMORY_E; + } + else { + cert_buf = tmp; + cert_buf[cert_sz] = '\0'; + ret = test_cm_load_ca_buffer(cert_buf, cert_sz+1, + CERT_FILETYPE); + } + + } + + #if defined(WOLFSSL_PEM_TO_DER) + if (ret == WOLFSSL_SUCCESS) { + /* test loading DER */ + ret = wc_PemToDer(cert_buf, (sword32)cert_sz, CA_TYPE, &pDer, + NULL, NULL, NULL); + if (ret == 0 && pDer != NULL) { + ret = test_cm_load_ca_buffer(pDer->buffer, pDer->length, + WOLFSSL_FILETYPE_ASN1); + + wc_FreeDer(&pDer); + } + } + #endif + + } + free(cert_buf); + + return ret; +} + +static int test_cm_load_ca_buffer_ex(const byte* cert_buf, size_t cert_sz, + int file_type, word32 flags) +{ + int ret; + WOLFSSL_CERT_MANAGER* cm; + + cm = wolfSSL_CertManagerNew(); + if (cm == NULL) { + fprintf(stderr, "test_cm_load_ca failed\n"); + return -1; + } + + ret = wolfSSL_CertManagerLoadCABuffer_ex(cm, cert_buf, (sword32)cert_sz, + file_type, 0, flags); + + wolfSSL_CertManagerFree(cm); + + return ret; +} + +static int test_cm_load_ca_file_ex(const char* ca_cert_file, word32 flags) +{ + int ret = 0; + byte* cert_buf = NULL; + size_t cert_sz = 0; +#if defined(WOLFSSL_PEM_TO_DER) + DerBuffer* pDer = NULL; +#endif + + ret = load_file(ca_cert_file, &cert_buf, &cert_sz); + if (ret == 0) { + /* normal test */ + ret = test_cm_load_ca_buffer_ex(cert_buf, cert_sz, + CERT_FILETYPE, flags); + + if (ret == WOLFSSL_SUCCESS) { + /* test including null terminator in length */ + byte* tmp = (byte*)realloc(cert_buf, cert_sz+1); + if (tmp == NULL) { + ret = MEMORY_E; + } + else { + cert_buf = tmp; + cert_buf[cert_sz] = '\0'; + ret = test_cm_load_ca_buffer_ex(cert_buf, cert_sz+1, + CERT_FILETYPE, flags); + } + + } + + #if defined(WOLFSSL_PEM_TO_DER) + if (ret == WOLFSSL_SUCCESS) { + /* test loading DER */ + ret = wc_PemToDer(cert_buf, (sword32)cert_sz, CA_TYPE, &pDer, + NULL, NULL, NULL); + if (ret == 0 && pDer != NULL) { + ret = test_cm_load_ca_buffer_ex(pDer->buffer, pDer->length, + WOLFSSL_FILETYPE_ASN1, flags); + + wc_FreeDer(&pDer); + } + } + #endif + + } + free(cert_buf); + + return ret; +} + +#endif /* !NO_FILESYSTEM && !NO_CERTS */ + +int test_wolfSSL_CertManagerLoadCABuffer(void) +{ + EXPECT_DECLS; +#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_TLS) +#if defined(WOLFSSL_PEM_TO_DER) + const char* ca_cert = "./certs/ca-cert.pem"; + const char* ca_expired_cert = "./certs/test/expired/expired-ca.pem"; +#else + const char* ca_cert = "./certs/ca-cert.der"; + const char* ca_expired_cert = "./certs/test/expired/expired-ca.der"; +#endif + int ret; + + ExpectIntLE(ret = test_cm_load_ca_file(ca_cert), 1); +#if defined(NO_WOLFSSL_CLIENT) && defined(NO_WOLFSSL_SERVER) + ExpectIntEQ(ret, WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); +#elif defined(NO_RSA) + ExpectIntEQ(ret, WC_NO_ERR_TRACE(ASN_UNKNOWN_OID_E)); +#else + ExpectIntEQ(ret, WOLFSSL_SUCCESS); +#endif + + ExpectIntLE(ret = test_cm_load_ca_file(ca_expired_cert), 1); +#if defined(NO_WOLFSSL_CLIENT) && defined(NO_WOLFSSL_SERVER) + ExpectIntEQ(ret, WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); +#elif defined(NO_RSA) + ExpectIntEQ(ret, WC_NO_ERR_TRACE(ASN_UNKNOWN_OID_E)); +#elif !(WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS && \ + WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY) && !defined(NO_ASN_TIME) + ExpectIntEQ(ret, WC_NO_ERR_TRACE(ASN_AFTER_DATE_E)); +#else + ExpectIntEQ(ret, WOLFSSL_SUCCESS); +#endif +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_CertManagerLoadCABuffer_ex(void) +{ + EXPECT_DECLS; +#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_TLS) +#if defined(WOLFSSL_PEM_TO_DER) + const char* ca_cert = "./certs/ca-cert.pem"; + const char* ca_expired_cert = "./certs/test/expired/expired-ca.pem"; +#else + const char* ca_cert = "./certs/ca-cert.der"; + const char* ca_expired_cert = "./certs/test/expired/expired-ca.der"; +#endif + int ret; + + ExpectIntLE(ret = test_cm_load_ca_file_ex(ca_cert, WOLFSSL_LOAD_FLAG_NONE), + 1); +#if defined(NO_WOLFSSL_CLIENT) && defined(NO_WOLFSSL_SERVER) + ExpectIntEQ(ret, WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); +#elif defined(NO_RSA) + ExpectIntEQ(ret, WC_NO_ERR_TRACE(ASN_UNKNOWN_OID_E)); +#else + ExpectIntEQ(ret, WOLFSSL_SUCCESS); +#endif + + ExpectIntLE(ret = test_cm_load_ca_file_ex(ca_expired_cert, + WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY), 1); +#if defined(NO_WOLFSSL_CLIENT) && defined(NO_WOLFSSL_SERVER) + ExpectIntEQ(ret, WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); +#elif defined(NO_RSA) + ExpectIntEQ(ret, WC_NO_ERR_TRACE(ASN_UNKNOWN_OID_E)); +#elif !(WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS && \ + WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY) && !defined(NO_ASN_TIME) && \ + defined(WOLFSSL_TRUST_PEER_CERT) && defined(OPENSSL_COMPATIBLE_DEFAULTS) + ExpectIntEQ(ret, WC_NO_ERR_TRACE(ASN_AFTER_DATE_E)); +#else + ExpectIntEQ(ret, WOLFSSL_SUCCESS); +#endif + +#endif + + return EXPECT_RESULT(); +} + +int test_wolfSSL_CertManagerLoadCABufferType(void) +{ + EXPECT_DECLS; +#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_TLS) && \ + !defined(NO_RSA) && !defined(NO_SHA256) && \ + !defined(WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION) +#if defined(WOLFSSL_PEM_TO_DER) + const char* ca_cert = "./certs/ca-cert.pem"; + const char* int1_cert = "./certs/intermediate/ca-int-cert.pem"; + const char* int2_cert = "./certs/intermediate/ca-int2-cert.pem"; + const char* client_cert = "./certs/intermediate/client-int-cert.pem"; +#else + const char* ca_cert = "./certs/ca-cert.der"; + const char* int1_cert = "./certs/intermediate/ca-int-cert.der"; + const char* int2_cert = "./certs/intermediate/ca-int2-cert.der"; + const char* client_cert = "./certs/intermediate/client-int-cert.der"; +#endif + byte* ca_cert_buf = NULL; + byte* int1_cert_buf = NULL; + byte* int2_cert_buf = NULL; + byte* client_cert_buf = NULL; + size_t ca_cert_sz = 0; + size_t int1_cert_sz = 0; + size_t int2_cert_sz = 0; + size_t client_cert_sz = 0; + WOLFSSL_CERT_MANAGER* cm = NULL; + + ExpectNotNull(cm = wolfSSL_CertManagerNew()); + ExpectIntEQ(load_file(ca_cert, &ca_cert_buf, &ca_cert_sz), 0); + ExpectIntEQ(load_file(int1_cert, &int1_cert_buf, &int1_cert_sz), 0); + ExpectIntEQ(load_file(int2_cert, &int2_cert_buf, &int2_cert_sz), 0); + ExpectIntEQ(load_file(client_cert, &client_cert_buf, &client_cert_sz), 0); + + ExpectIntNE(wolfSSL_CertManagerLoadCABufferType(cm, ca_cert_buf, + (sword32)ca_cert_sz, CERT_FILETYPE, 0, + WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, 0), WOLFSSL_SUCCESS); + ExpectIntNE(wolfSSL_CertManagerLoadCABufferType(cm, ca_cert_buf, + (sword32)ca_cert_sz, CERT_FILETYPE, 0, + WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, 5), WOLFSSL_SUCCESS); + + ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, ca_cert_buf, + (sword32)ca_cert_sz, CERT_FILETYPE, 0, + WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_USER_CA), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int1_cert_buf, + int1_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, int1_cert_buf, + (sword32)int1_cert_sz, CERT_FILETYPE, 0, + WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_USER_INTER), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf, + int2_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, int2_cert_buf, + (sword32)int2_cert_sz, CERT_FILETYPE, 0, + WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_USER_INTER), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf, + client_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, client_cert_buf, + (sword32)client_cert_sz, CERT_FILETYPE, 0, + WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_USER_INTER), + WOLFSSL_SUCCESS); + + ExpectIntEQ(wolfSSL_CertManagerUnloadTypeCerts(cm, WOLFSSL_USER_INTER), + WOLFSSL_SUCCESS); + + /* Intermediate certs have been unloaded, but CA cert is still + loaded. Expect first level intermediate to verify, rest to fail. */ + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int1_cert_buf, + int1_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); + ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf, + int2_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); + ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf, + client_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); + + ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, int1_cert_buf, + (sword32)int1_cert_sz, CERT_FILETYPE, 0, + WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_TEMP_CA), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf, + int2_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, int2_cert_buf, + (sword32)int2_cert_sz, CERT_FILETYPE, 0, + WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_CHAIN_CA), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf, + client_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, client_cert_buf, + (sword32)client_cert_sz, CERT_FILETYPE, 0, + WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_USER_INTER), + WOLFSSL_SUCCESS); + + ExpectIntEQ(wolfSSL_CertManagerUnloadTypeCerts(cm, WOLFSSL_USER_INTER), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int1_cert_buf, + int1_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf, + int2_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf, + client_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); + + ExpectIntEQ(wolfSSL_CertManagerUnloadTypeCerts(cm, WOLFSSL_CHAIN_CA), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int1_cert_buf, + int1_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf, + int2_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); + ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf, + client_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); + + ExpectIntEQ(wolfSSL_CertManagerUnloadTypeCerts(cm, WOLFSSL_TEMP_CA), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int1_cert_buf, + int1_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); + ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf, + int2_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); + ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf, + client_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); + + ExpectIntEQ(wolfSSL_CertManagerUnloadTypeCerts(cm, WOLFSSL_USER_CA), + WOLFSSL_SUCCESS); + ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, int1_cert_buf, + int1_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); + ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf, + int2_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); + ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf, + client_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS); + + if (cm) + wolfSSL_CertManagerFree(cm); + if (ca_cert_buf) + free(ca_cert_buf); + if (int1_cert_buf) + free(int1_cert_buf); + if (int2_cert_buf) + free(int2_cert_buf); + if (client_cert_buf) + free(client_cert_buf); +#endif + + return EXPECT_RESULT(); +} + +int test_wolfSSL_CertManagerGetCerts(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_ALL) && !defined(NO_CERTS) && \ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) && \ + defined(WOLFSSL_SIGNER_DER_CERT) + WOLFSSL_CERT_MANAGER* cm = NULL; + WOLFSSL_STACK* sk = NULL; + X509* x509 = NULL; + X509* cert1 = NULL; + FILE* file1 = NULL; +#ifdef DEBUG_WOLFSSL_VERBOSE + WOLFSSL_BIO* bio = NULL; +#endif + int i = 0; + int ret = 0; + const byte* der = NULL; + int derSz = 0; + + ExpectNotNull(file1 = fopen("./certs/ca-cert.pem", "rb")); + + ExpectNotNull(cert1 = wolfSSL_PEM_read_X509(file1, NULL, NULL, NULL)); + if (file1 != NULL) { + fclose(file1); + } + + ExpectNull(sk = wolfSSL_CertManagerGetCerts(NULL)); + ExpectNotNull(cm = wolfSSL_CertManagerNew_ex(NULL)); + ExpectNull(sk = wolfSSL_CertManagerGetCerts(cm)); + + ExpectNotNull(der = wolfSSL_X509_get_der(cert1, &derSz)); +#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) + /* Check that ASN_SELF_SIGNED_E is returned for a self-signed cert for QT + * and full OpenSSL compatibility */ + ExpectIntEQ(ret = wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_SELF_SIGNED_E)); +#else + ExpectIntEQ(ret = wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NO_SIGNER_E)); +#endif + + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CertManagerLoadCA(cm, + "./certs/ca-cert.pem", NULL)); + + ExpectNotNull(sk = wolfSSL_CertManagerGetCerts(cm)); + + for (i = 0; EXPECT_SUCCESS() && i < sk_X509_num(sk); i++) { + ExpectNotNull(x509 = sk_X509_value(sk, i)); + ExpectIntEQ(0, wolfSSL_X509_cmp(x509, cert1)); + +#ifdef DEBUG_WOLFSSL_VERBOSE + bio = BIO_new(wolfSSL_BIO_s_file()); + if (bio != NULL) { + BIO_set_fp(bio, stderr, BIO_NOCLOSE); + X509_print(bio, x509); + BIO_free(bio); + } +#endif /* DEBUG_WOLFSSL_VERBOSE */ + } + wolfSSL_X509_free(cert1); + sk_X509_pop_free(sk, NULL); + wolfSSL_CertManagerFree(cm); +#endif /* defined(OPENSSL_ALL) && !defined(NO_CERTS) && \ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) && \ + defined(WOLFSSL_SIGNER_DER_CERT) */ + + return EXPECT_RESULT(); +} + +int test_wolfSSL_CertManagerSetVerify(void) +{ + EXPECT_DECLS; +#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_TLS) && \ + !defined(NO_WOLFSSL_CM_VERIFY) && !defined(NO_RSA) && \ + (!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)) + WOLFSSL_CERT_MANAGER* cm = NULL; + int tmp = myVerifyAction; +#ifdef WOLFSSL_PEM_TO_DER + const char* ca_cert = "./certs/ca-cert.pem"; + const char* expiredCert = "./certs/test/expired/expired-cert.pem"; +#else + const char* ca_cert = "./certs/ca-cert.der"; + const char* expiredCert = "./certs/test/expired/expired-cert.der"; +#endif + + wolfSSL_CertManagerSetVerify(NULL, NULL); + wolfSSL_CertManagerSetVerify(NULL, myVerify); + + ExpectNotNull(cm = wolfSSL_CertManagerNew()); + + wolfSSL_CertManagerSetVerify(cm, myVerify); + +#if defined(NO_WOLFSSL_CLIENT) && defined(NO_WOLFSSL_SERVER) + ExpectIntEQ(wolfSSL_CertManagerLoadCA(cm, ca_cert, NULL), -1); +#else + ExpectIntEQ(wolfSSL_CertManagerLoadCA(cm, ca_cert, NULL), + WOLFSSL_SUCCESS); +#endif + /* Use the test CB that always accepts certs */ + myVerifyAction = VERIFY_OVERRIDE_ERROR; + + ExpectIntEQ(wolfSSL_CertManagerVerify(cm, expiredCert, + CERT_FILETYPE), WOLFSSL_SUCCESS); + +#ifdef WOLFSSL_ALWAYS_VERIFY_CB + { + const char* verifyCert = "./certs/server-cert.der"; + /* Use the test CB that always fails certs */ + myVerifyAction = VERIFY_FORCE_FAIL; + + ExpectIntEQ(wolfSSL_CertManagerVerify(cm, verifyCert, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(VERIFY_CERT_ERROR)); + } +#endif + + wolfSSL_CertManagerFree(cm); + myVerifyAction = tmp; +#endif + + return EXPECT_RESULT(); +} + +int test_wolfSSL_CertManagerNameConstraint(void) +{ + EXPECT_DECLS; +#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \ + !defined(NO_WOLFSSL_CM_VERIFY) && !defined(NO_RSA) && \ + defined(OPENSSL_EXTRA) && defined(WOLFSSL_CERT_GEN) && \ + defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_ALT_NAMES) && \ + !defined(NO_SHA256) + WOLFSSL_CERT_MANAGER* cm = NULL; + WOLFSSL_EVP_PKEY *priv = NULL; + WOLFSSL_X509_NAME* name = NULL; + const char* ca_cert = "./certs/test/cert-ext-nc.der"; + const char* server_cert = "./certs/test/server-goodcn.pem"; + int i = 0; + static const byte extNameConsOid[] = {85, 29, 30}; + + RsaKey key; + WC_RNG rng; + byte *der = NULL; + int derSz = 0; + word32 idx = 0; + byte *pt; + WOLFSSL_X509 *x509 = NULL; + WOLFSSL_X509 *ca = NULL; + + wc_InitRng(&rng); + + /* load in CA private key for signing */ + ExpectIntEQ(wc_InitRsaKey_ex(&key, HEAP_HINT, testDevId), 0); + ExpectIntEQ(wc_RsaPrivateKeyDecode(server_key_der_2048, &idx, &key, + sizeof_server_key_der_2048), 0); + + /* get ca certificate then alter it */ + ExpectNotNull(der = + (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER)); + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(ca_cert, + WOLFSSL_FILETYPE_ASN1)); + ExpectNotNull(pt = (byte*)wolfSSL_X509_get_tbs(x509, &derSz)); + if (EXPECT_SUCCESS() && (der != NULL)) { + XMEMCPY(der, pt, (size_t)derSz); + + /* find the name constraint extension and alter it */ + pt = der; + for (i = 0; i < derSz - 3; i++) { + if (XMEMCMP(pt, extNameConsOid, 3) == 0) { + pt += 3; + break; + } + pt++; + } + ExpectIntNE(i, derSz - 3); /* did not find OID if this case is hit */ + + /* go to the length value and set it to 0 */ + while (i < derSz && *pt != 0x81) { + pt++; + i++; + } + ExpectIntNE(i, derSz); /* did not place to alter */ + pt++; + *pt = 0x00; + } + + /* resign the altered certificate */ + ExpectIntGT((derSz = wc_SignCert(derSz, CTC_SHA256wRSA, der, + FOURK_BUF, &key, NULL, &rng)), 0); + + ExpectNotNull(cm = wolfSSL_CertManagerNew()); + ExpectIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_PARSE_E)); + wolfSSL_CertManagerFree(cm); + + XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + wolfSSL_X509_free(x509); + wc_FreeRsaKey(&key); + wc_FreeRng(&rng); + + /* add email alt name to satisfy constraint */ + pt = (byte*)server_key_der_2048; + ExpectNotNull(priv = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL, + (const unsigned char**)&pt, sizeof_server_key_der_2048)); + + ExpectNotNull(cm = wolfSSL_CertManagerNew()); + ExpectNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert, + WOLFSSL_FILETYPE_ASN1)); + + ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(ca, &derSz))); + DEBUG_WRITE_DER(der, derSz, "ca.der"); + + ExpectIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); + + /* Good cert test with proper alt email name */ + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, + WOLFSSL_FILETYPE_PEM)); + ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); + ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); + name = NULL; + + ExpectNotNull(name = X509_NAME_new()); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, + (byte*)"US", 2, -1, 0), SSL_SUCCESS); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8, + (byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "emailAddress", MBSTRING_UTF8, + (byte*)"support@info.wolfssl.com", 24, -1, 0), SSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); + X509_NAME_free(name); + name = NULL; + + wolfSSL_X509_add_altname(x509, "wolfssl@info.wolfssl.com", ASN_RFC822_TYPE); + + ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); + DEBUG_WRITE_CERT_X509(x509, "good-cert.pem"); + + ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); + wolfSSL_X509_free(x509); + x509 = NULL; + + + /* Cert with bad alt name list */ + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, + WOLFSSL_FILETYPE_PEM)); + ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); + ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); + name = NULL; + + ExpectNotNull(name = X509_NAME_new()); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, + (byte*)"US", 2, -1, 0), SSL_SUCCESS); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8, + (byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "emailAddress", MBSTRING_UTF8, + (byte*)"support@info.wolfssl.com", 24, -1, 0), SSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); + X509_NAME_free(name); + + wolfSSL_X509_add_altname(x509, "wolfssl@info.com", ASN_RFC822_TYPE); + wolfSSL_X509_add_altname(x509, "wolfssl@info.wolfssl.com", ASN_RFC822_TYPE); + + ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); + DEBUG_WRITE_CERT_X509(x509, "bad-cert.pem"); + + ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E)); + + wolfSSL_CertManagerFree(cm); + wolfSSL_X509_free(x509); + wolfSSL_X509_free(ca); + wolfSSL_EVP_PKEY_free(priv); +#endif + + return EXPECT_RESULT(); +} + +int test_wolfSSL_CertManagerNameConstraint2(void) +{ + EXPECT_DECLS; +#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \ + !defined(NO_WOLFSSL_CM_VERIFY) && !defined(NO_RSA) && \ + defined(OPENSSL_EXTRA) && defined(WOLFSSL_CERT_GEN) && \ + defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_ALT_NAMES) + const char* ca_cert = "./certs/test/cert-ext-ndir.der"; + const char* ca_cert2 = "./certs/test/cert-ext-ndir-exc.der"; + const char* server_cert = "./certs/server-cert.pem"; + WOLFSSL_CERT_MANAGER* cm = NULL; + WOLFSSL_X509 *x509 = NULL; + WOLFSSL_X509 *ca = NULL; + + const unsigned char *der = NULL; + const unsigned char *pt; + WOLFSSL_EVP_PKEY *priv = NULL; + WOLFSSL_X509_NAME* name = NULL; + int derSz = 0; + + /* C=US*/ + char altName[] = { + 0x30, 0x0D, 0x31, 0x0B, 0x30, 0x09, + 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53 + }; + + /* C=ID */ + char altNameFail[] = { + 0x30, 0x0D, 0x31, 0x0B, 0x30, 0x09, + 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x49, 0x44 + }; + + /* C=US ST=California*/ + char altNameExc[] = { + 0x30, 0x22, + 0x31, 0x0B, + 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, + 0x31, 0x13, + 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x0A, + 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61 + }; + /* load in CA private key for signing */ + pt = ca_key_der_2048; + ExpectNotNull(priv = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL, &pt, + sizeof_ca_key_der_2048)); + + ExpectNotNull(cm = wolfSSL_CertManagerNew()); + ExpectNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert, + WOLFSSL_FILETYPE_ASN1)); + ExpectNotNull((der = wolfSSL_X509_get_der(ca, &derSz))); + ExpectIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); + + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, + WOLFSSL_FILETYPE_PEM)); + ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); + ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); +#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_256) + wolfSSL_X509_sign(x509, priv, EVP_sha3_256()); +#else + wolfSSL_X509_sign(x509, priv, EVP_sha256()); +#endif + ExpectNotNull((der = wolfSSL_X509_get_der(x509, &derSz))); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); + + /* Test no name case. */ + ExpectIntEQ(wolfSSL_X509_add_altname_ex(x509, NULL, 0, ASN_DIR_TYPE), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_add_altname(x509, "", ASN_DIR_TYPE), + WOLFSSL_SUCCESS); + /* IP not supported. */ + ExpectIntEQ(wolfSSL_X509_add_altname(x509, "127.0.0.1", ASN_IP_TYPE), + WOLFSSL_FAILURE); + + /* add in matching DIR alt name and resign */ + wolfSSL_X509_add_altname_ex(x509, altName, sizeof(altName), ASN_DIR_TYPE); +#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_256) + wolfSSL_X509_sign(x509, priv, EVP_sha3_256()); +#else + wolfSSL_X509_sign(x509, priv, EVP_sha256()); +#endif + + ExpectNotNull((der = wolfSSL_X509_get_der(x509, &derSz))); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); + wolfSSL_X509_free(x509); + x509 = NULL; + + /* check verify fail */ + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, + WOLFSSL_FILETYPE_PEM)); + ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); + ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); + + /* add in miss matching DIR alt name and resign */ + wolfSSL_X509_add_altname_ex(x509, altNameFail, sizeof(altNameFail), + ASN_DIR_TYPE); + +#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_256) + wolfSSL_X509_sign(x509, priv, EVP_sha3_256()); +#else + wolfSSL_X509_sign(x509, priv, EVP_sha256()); +#endif + ExpectNotNull((der = wolfSSL_X509_get_der(x509, &derSz))); +#ifndef WOLFSSL_NO_ASN_STRICT + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E)); +#else + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); +#endif + + /* check that it still fails if one bad altname and one good altname is in + * the certificate */ + wolfSSL_X509_free(x509); + x509 = NULL; + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, + WOLFSSL_FILETYPE_PEM)); + ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); + ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); + wolfSSL_X509_add_altname_ex(x509, altName, sizeof(altName), ASN_DIR_TYPE); + wolfSSL_X509_add_altname_ex(x509, altNameFail, sizeof(altNameFail), + ASN_DIR_TYPE); + +#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_256) + wolfSSL_X509_sign(x509, priv, EVP_sha3_256()); +#else + wolfSSL_X509_sign(x509, priv, EVP_sha256()); +#endif + ExpectNotNull((der = wolfSSL_X509_get_der(x509, &derSz))); +#ifndef WOLFSSL_NO_ASN_STRICT + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E)); +#else + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); +#endif + + /* check it fails with switching position of bad altname */ + wolfSSL_X509_free(x509); + x509 = NULL; + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, + WOLFSSL_FILETYPE_PEM)); + ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); + ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); + wolfSSL_X509_add_altname_ex(x509, altNameFail, sizeof(altNameFail), + ASN_DIR_TYPE); + wolfSSL_X509_add_altname_ex(x509, altName, sizeof(altName), ASN_DIR_TYPE); + +#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_256) + wolfSSL_X509_sign(x509, priv, EVP_sha3_256()); +#else + wolfSSL_X509_sign(x509, priv, EVP_sha256()); +#endif + ExpectNotNull((der = wolfSSL_X509_get_der(x509, &derSz))); +#ifndef WOLFSSL_NO_ASN_STRICT + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E)); +#else + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); +#endif + wolfSSL_CertManagerFree(cm); + + wolfSSL_X509_free(x509); + x509 = NULL; + wolfSSL_X509_free(ca); + ca = NULL; + + /* now test with excluded name constraint */ + ExpectNotNull(cm = wolfSSL_CertManagerNew()); + ExpectNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert2, + WOLFSSL_FILETYPE_ASN1)); + ExpectNotNull((der = wolfSSL_X509_get_der(ca, &derSz))); + ExpectIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); + + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, + WOLFSSL_FILETYPE_PEM)); + wolfSSL_X509_add_altname_ex(x509, altNameExc, sizeof(altNameExc), + ASN_DIR_TYPE); + ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); + ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); + +#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_256) + wolfSSL_X509_sign(x509, priv, EVP_sha3_256()); +#else + wolfSSL_X509_sign(x509, priv, EVP_sha256()); +#endif + ExpectNotNull((der = wolfSSL_X509_get_der(x509, &derSz))); +#ifndef WOLFSSL_NO_ASN_STRICT + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E)); +#else + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); +#endif + wolfSSL_CertManagerFree(cm); + wolfSSL_X509_free(x509); + wolfSSL_X509_free(ca); + wolfSSL_EVP_PKEY_free(priv); +#endif + + return EXPECT_RESULT(); +} + +int test_wolfSSL_CertManagerNameConstraint3(void) +{ + EXPECT_DECLS; +#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \ + !defined(NO_WOLFSSL_CM_VERIFY) && !defined(NO_RSA) && \ + defined(OPENSSL_EXTRA) && defined(WOLFSSL_CERT_GEN) && \ + defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_ALT_NAMES) && \ + !defined(NO_SHA256) + WOLFSSL_CERT_MANAGER* cm = NULL; + WOLFSSL_EVP_PKEY *priv = NULL; + WOLFSSL_X509_NAME* name = NULL; + const char* ca_cert = "./certs/test/cert-ext-mnc.der"; + const char* server_cert = "./certs/test/server-goodcn.pem"; + + byte *der = NULL; + int derSz = 0; + byte *pt; + WOLFSSL_X509 *x509 = NULL; + WOLFSSL_X509 *ca = NULL; + + pt = (byte*)server_key_der_2048; + ExpectNotNull(priv = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL, + (const unsigned char**)&pt, sizeof_server_key_der_2048)); + + ExpectNotNull(cm = wolfSSL_CertManagerNew()); + ExpectNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert, + WOLFSSL_FILETYPE_ASN1)); + ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(ca, &derSz))); + DEBUG_WRITE_DER(der, derSz, "ca.der"); + + ExpectIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); + + /* check satisfying .wolfssl.com constraint passes */ + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, + WOLFSSL_FILETYPE_PEM)); + ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); + ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); + name = NULL; + + ExpectNotNull(name = X509_NAME_new()); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, + (byte*)"US", 2, -1, 0), SSL_SUCCESS); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8, + (byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "emailAddress", MBSTRING_UTF8, + (byte*)"support@info.wolfssl.com", 24, -1, 0), SSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); + X509_NAME_free(name); + name = NULL; + + wolfSSL_X509_add_altname(x509, "wolfssl@info.wolfssl.com", ASN_RFC822_TYPE); + + ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); + DEBUG_WRITE_CERT_X509(x509, "good-1st-constraint-cert.pem"); + + ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); + wolfSSL_X509_free(x509); + x509 = NULL; + + /* check satisfying .random.com constraint passes */ + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, + WOLFSSL_FILETYPE_PEM)); + ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); + ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); + name = NULL; + + ExpectNotNull(name = X509_NAME_new()); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, + (byte*)"US", 2, -1, 0), SSL_SUCCESS); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8, + (byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "emailAddress", MBSTRING_UTF8, + (byte*)"support@info.example.com", 24, -1, 0), SSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); + X509_NAME_free(name); + name = NULL; + + wolfSSL_X509_add_altname(x509, "wolfssl@info.example.com", ASN_RFC822_TYPE); + + ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); + DEBUG_WRITE_CERT_X509(x509, "good-2nd-constraint-cert.pem"); + + ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); + wolfSSL_X509_free(x509); + x509 = NULL; + + /* check fail case when neither constraint is matched */ + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, + WOLFSSL_FILETYPE_PEM)); + ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); + ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); + name = NULL; + + ExpectNotNull(name = X509_NAME_new()); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, + (byte*)"US", 2, -1, 0), SSL_SUCCESS); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8, + (byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "emailAddress", MBSTRING_UTF8, + (byte*)"support@info.com", 16, -1, 0), SSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); + X509_NAME_free(name); + + wolfSSL_X509_add_altname(x509, "wolfssl@info.com", ASN_RFC822_TYPE); + + ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); + DEBUG_WRITE_CERT_X509(x509, "bad-cert.pem"); + + ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E)); + + wolfSSL_CertManagerFree(cm); + wolfSSL_X509_free(x509); + wolfSSL_X509_free(ca); + wolfSSL_EVP_PKEY_free(priv); +#endif + + return EXPECT_RESULT(); +} + +int test_wolfSSL_CertManagerNameConstraint4(void) +{ + EXPECT_DECLS; +#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \ + !defined(NO_WOLFSSL_CM_VERIFY) && !defined(NO_RSA) && \ + defined(OPENSSL_EXTRA) && defined(WOLFSSL_CERT_GEN) && \ + defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_ALT_NAMES) && \ + !defined(NO_SHA256) + WOLFSSL_CERT_MANAGER* cm = NULL; + WOLFSSL_EVP_PKEY *priv = NULL; + WOLFSSL_X509_NAME* name = NULL; + const char* ca_cert = "./certs/test/cert-ext-ncdns.der"; + const char* server_cert = "./certs/test/server-goodcn.pem"; + + byte *der = NULL; + int derSz; + byte *pt; + WOLFSSL_X509 *x509 = NULL; + WOLFSSL_X509 *ca = NULL; + + pt = (byte*)server_key_der_2048; + ExpectNotNull(priv = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL, + (const unsigned char**)&pt, sizeof_server_key_der_2048)); + + ExpectNotNull(cm = wolfSSL_CertManagerNew()); + ExpectNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert, + WOLFSSL_FILETYPE_ASN1)); + ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(ca, &derSz))); + DEBUG_WRITE_DER(der, derSz, "ca.der"); + + ExpectIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); + + /* check satisfying wolfssl.com constraint passes */ + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, + WOLFSSL_FILETYPE_PEM)); + ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); + ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); + name = NULL; + + ExpectNotNull(name = X509_NAME_new()); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, + (byte*)"US", 2, -1, 0), SSL_SUCCESS); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8, + (byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); + X509_NAME_free(name); + name = NULL; + + wolfSSL_X509_add_altname(x509, "www.wolfssl.com", ASN_DNS_TYPE); + ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); + DEBUG_WRITE_CERT_X509(x509, "good-1st-constraint-cert.pem"); + + ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); + wolfSSL_X509_free(x509); + x509 = NULL; + + /* check satisfying example.com constraint passes */ + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, + WOLFSSL_FILETYPE_PEM)); + ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); + ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); + name = NULL; + + ExpectNotNull(name = X509_NAME_new()); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, + (byte*)"US", 2, -1, 0), SSL_SUCCESS); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8, + (byte*)"example.com", 11, -1, 0), SSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); + X509_NAME_free(name); + name = NULL; + + wolfSSL_X509_add_altname(x509, "www.example.com", ASN_DNS_TYPE); + ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); + DEBUG_WRITE_CERT_X509(x509, "good-2nd-constraint-cert.pem"); + + ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); + wolfSSL_X509_free(x509); + x509 = NULL; + + /* check satisfying wolfssl.com constraint passes with list of DNS's */ + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, + WOLFSSL_FILETYPE_PEM)); + ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); + ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); + name = NULL; + + ExpectNotNull(name = X509_NAME_new()); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, + (byte*)"US", 2, -1, 0), SSL_SUCCESS); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8, + (byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); + X509_NAME_free(name); + name = NULL; + + wolfSSL_X509_add_altname(x509, "www.wolfssl.com", ASN_DNS_TYPE); + wolfSSL_X509_add_altname(x509, "www.info.wolfssl.com", ASN_DNS_TYPE); + wolfSSL_X509_add_altname(x509, "extra.wolfssl.com", ASN_DNS_TYPE); + ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); + DEBUG_WRITE_CERT_X509(x509, "good-multiple-constraint-cert.pem"); + + ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); + wolfSSL_X509_free(x509); + x509 = NULL; + + /* check fail when one DNS in the list is bad */ + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, + WOLFSSL_FILETYPE_PEM)); + ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); + ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); + name = NULL; + + ExpectNotNull(name = X509_NAME_new()); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, + (byte*)"US", 2, -1, 0), SSL_SUCCESS); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8, + (byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); + X509_NAME_free(name); + name = NULL; + + wolfSSL_X509_add_altname(x509, "www.wolfssl.com", ASN_DNS_TYPE); + wolfSSL_X509_add_altname(x509, "www.nomatch.com", ASN_DNS_TYPE); + wolfSSL_X509_add_altname(x509, "www.info.wolfssl.com", ASN_DNS_TYPE); + ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); + DEBUG_WRITE_CERT_X509(x509, "bad-multiple-constraint-cert.pem"); + + ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E)); + wolfSSL_X509_free(x509); + x509 = NULL; + + /* check fail case when neither constraint is matched */ + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, + WOLFSSL_FILETYPE_PEM)); + ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); + ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); + name = NULL; + + ExpectNotNull(name = X509_NAME_new()); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, + (byte*)"US", 2, -1, 0), SSL_SUCCESS); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8, + (byte*)"common", 6, -1, 0), SSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); + X509_NAME_free(name); + + wolfSSL_X509_add_altname(x509, "www.random.com", ASN_DNS_TYPE); + ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); + DEBUG_WRITE_CERT_X509(x509, "bad-cert.pem"); + + ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E)); + + wolfSSL_CertManagerFree(cm); + wolfSSL_X509_free(x509); + wolfSSL_X509_free(ca); + wolfSSL_EVP_PKEY_free(priv); +#endif + + return EXPECT_RESULT(); +} + +int test_wolfSSL_CertManagerNameConstraint5(void) +{ + EXPECT_DECLS; +#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \ + !defined(NO_WOLFSSL_CM_VERIFY) && !defined(NO_RSA) && \ + defined(OPENSSL_EXTRA) && defined(WOLFSSL_CERT_GEN) && \ + defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_ALT_NAMES) && \ + !defined(NO_SHA256) + WOLFSSL_CERT_MANAGER* cm = NULL; + WOLFSSL_EVP_PKEY *priv = NULL; + WOLFSSL_X509_NAME* name = NULL; + const char* ca_cert = "./certs/test/cert-ext-ncmixed.der"; + const char* server_cert = "./certs/test/server-goodcn.pem"; + + byte *der = NULL; + int derSz; + byte *pt; + WOLFSSL_X509 *x509 = NULL; + WOLFSSL_X509 *ca = NULL; + + pt = (byte*)server_key_der_2048; + ExpectNotNull(priv = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL, + (const unsigned char**)&pt, sizeof_server_key_der_2048)); + + ExpectNotNull(cm = wolfSSL_CertManagerNew()); + ExpectNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert, + WOLFSSL_FILETYPE_ASN1)); + ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(ca, &derSz))); + DEBUG_WRITE_DER(der, derSz, "ca.der"); + + ExpectIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); + + /* check satisfying wolfssl.com constraint passes */ + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, + WOLFSSL_FILETYPE_PEM)); + ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); + ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); + name = NULL; + + ExpectNotNull(name = X509_NAME_new()); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, + (byte*)"US", 2, -1, 0), SSL_SUCCESS); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8, + (byte*)"example", 7, -1, 0), SSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); + X509_NAME_free(name); + name = NULL; + + wolfSSL_X509_add_altname(x509, "good.example", ASN_DNS_TYPE); + wolfSSL_X509_add_altname(x509, "facts@into.wolfssl.com", ASN_RFC822_TYPE); + ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); + DEBUG_WRITE_CERT_X509(x509, "good-cert.pem"); + + ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); + wolfSSL_X509_free(x509); + x509 = NULL; + + /* fail with DNS check because of common name */ + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, + WOLFSSL_FILETYPE_PEM)); + ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); + ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); + name = NULL; + + ExpectNotNull(name = X509_NAME_new()); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, + (byte*)"US", 2, -1, 0), SSL_SUCCESS); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8, + (byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); + X509_NAME_free(name); + name = NULL; + + wolfSSL_X509_add_altname(x509, "example", ASN_DNS_TYPE); + wolfSSL_X509_add_altname(x509, "facts@wolfssl.com", ASN_RFC822_TYPE); + ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); + DEBUG_WRITE_CERT_X509(x509, "bad-cn-cert.pem"); + + ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E)); + wolfSSL_X509_free(x509); + x509 = NULL; + + /* fail on permitted DNS name constraint */ + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, + WOLFSSL_FILETYPE_PEM)); + ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); + ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); + name = NULL; + + ExpectNotNull(name = X509_NAME_new()); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, + (byte*)"US", 2, -1, 0), SSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); + X509_NAME_free(name); + name = NULL; + + wolfSSL_X509_add_altname(x509, "www.example", ASN_DNS_TYPE); + wolfSSL_X509_add_altname(x509, "www.wolfssl", ASN_DNS_TYPE); + wolfSSL_X509_add_altname(x509, "info@wolfssl.com", ASN_RFC822_TYPE); + ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); + DEBUG_WRITE_CERT_X509(x509, "bad-1st-constraint-cert.pem"); + + ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E)); + wolfSSL_X509_free(x509); + x509 = NULL; + + /* fail on permitted email name constraint */ + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, + WOLFSSL_FILETYPE_PEM)); + ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); + ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); + name = NULL; + + ExpectNotNull(name = X509_NAME_new()); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, + (byte*)"US", 2, -1, 0), SSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); + X509_NAME_free(name); + name = NULL; + + wolfSSL_X509_add_altname(x509, "example", ASN_DNS_TYPE); + wolfSSL_X509_add_altname(x509, "info@wolfssl.com", ASN_RFC822_TYPE); + wolfSSL_X509_add_altname(x509, "info@example.com", ASN_RFC822_TYPE); + ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); + DEBUG_WRITE_CERT_X509(x509, "bad-2nd-constraint-cert.pem"); + + ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E)); + wolfSSL_X509_free(x509); + x509 = NULL; + + /* success with empty email name */ + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert, + WOLFSSL_FILETYPE_PEM)); + ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); + ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); + name = NULL; + + ExpectNotNull(name = X509_NAME_new()); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, + (byte*)"US", 2, -1, 0), SSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); + X509_NAME_free(name); + + wolfSSL_X509_add_altname(x509, "example", ASN_DNS_TYPE); + ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); + DEBUG_WRITE_CERT_X509(x509, "good-missing-constraint-cert.pem"); + + ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz))); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); + wolfSSL_X509_free(x509); + + wolfSSL_CertManagerFree(cm); + wolfSSL_X509_free(ca); + wolfSSL_EVP_PKEY_free(priv); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_CertManagerCRL(void) +{ + EXPECT_DECLS; +#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && defined(HAVE_CRL) && \ + !defined(NO_RSA) + const char* ca_cert = "./certs/ca-cert.pem"; + const char* crl1 = "./certs/crl/crl.pem"; + const char* crl2 = "./certs/crl/crl2.pem"; +#ifdef WC_RSA_PSS + const char* crl_rsapss = "./certs/crl/crl_rsapss.pem"; + const char* ca_rsapss = "./certs/rsapss/ca-rsapss.pem"; +#endif + /* ./certs/crl/crl.der */ + const unsigned char crl_buff[] = { + 0x30, 0x82, 0x02, 0x04, 0x30, 0x81, 0xED, 0x02, + 0x01, 0x01, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, + 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, + 0x00, 0x30, 0x81, 0x94, 0x31, 0x0B, 0x30, 0x09, + 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, + 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, + 0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74, + 0x61, 0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E, 0x06, + 0x03, 0x55, 0x04, 0x07, 0x0C, 0x07, 0x42, 0x6F, + 0x7A, 0x65, 0x6D, 0x61, 0x6E, 0x31, 0x11, 0x30, + 0x0F, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x08, + 0x53, 0x61, 0x77, 0x74, 0x6F, 0x6F, 0x74, 0x68, + 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, + 0x0B, 0x0C, 0x0A, 0x43, 0x6F, 0x6E, 0x73, 0x75, + 0x6C, 0x74, 0x69, 0x6E, 0x67, 0x31, 0x18, 0x30, + 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, + 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, + 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, + 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, + 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, + 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, + 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, + 0x17, 0x0D, 0x32, 0x34, 0x30, 0x31, 0x30, 0x39, + 0x30, 0x30, 0x33, 0x34, 0x33, 0x30, 0x5A, 0x17, + 0x0D, 0x32, 0x36, 0x31, 0x30, 0x30, 0x35, 0x30, + 0x30, 0x33, 0x34, 0x33, 0x30, 0x5A, 0x30, 0x14, + 0x30, 0x12, 0x02, 0x01, 0x02, 0x17, 0x0D, 0x32, + 0x34, 0x30, 0x31, 0x30, 0x39, 0x30, 0x30, 0x33, + 0x34, 0x33, 0x30, 0x5A, 0xA0, 0x0E, 0x30, 0x0C, + 0x30, 0x0A, 0x06, 0x03, 0x55, 0x1D, 0x14, 0x04, + 0x03, 0x02, 0x01, 0x02, 0x30, 0x0D, 0x06, 0x09, + 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, + 0x0B, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, + 0xB3, 0x6F, 0xED, 0x72, 0xD2, 0x73, 0x6A, 0x77, + 0xBF, 0x3A, 0x55, 0xBC, 0x54, 0x18, 0x6A, 0x71, + 0xBC, 0x6A, 0xCC, 0xCD, 0x5D, 0x90, 0xF5, 0x64, + 0x8D, 0x1B, 0xF0, 0xE0, 0x48, 0x7B, 0xF2, 0x7B, + 0x06, 0x86, 0x53, 0x63, 0x9B, 0xD8, 0x24, 0x15, + 0x10, 0xB1, 0x19, 0x96, 0x9B, 0xD2, 0x75, 0xA8, + 0x25, 0xA2, 0x35, 0xA9, 0x14, 0xD6, 0xD5, 0x5E, + 0x53, 0xE3, 0x34, 0x9D, 0xF2, 0x8B, 0x07, 0x19, + 0x9B, 0x1F, 0xF1, 0x02, 0x0F, 0x04, 0x46, 0xE8, + 0xB8, 0xB6, 0xF2, 0x8D, 0xC7, 0xC0, 0x15, 0x3E, + 0x3E, 0x8E, 0x96, 0x73, 0x15, 0x1E, 0x62, 0xF6, + 0x4E, 0x2A, 0xF7, 0xAA, 0xA0, 0x91, 0x80, 0x12, + 0x7F, 0x81, 0x0C, 0x65, 0xCC, 0x38, 0xBE, 0x58, + 0x6C, 0x14, 0xA5, 0x21, 0xA1, 0x8D, 0xF7, 0x8A, + 0xB9, 0x24, 0xF4, 0x2D, 0xCA, 0xC0, 0x67, 0x43, + 0x0B, 0xC8, 0x1C, 0xB4, 0x7D, 0x12, 0x7F, 0xA2, + 0x1B, 0x19, 0x0E, 0x94, 0xCF, 0x7B, 0x9F, 0x75, + 0xA0, 0x08, 0x9A, 0x67, 0x3F, 0x87, 0x89, 0x3E, + 0xF8, 0x58, 0xA5, 0x8A, 0x1B, 0x2D, 0xDA, 0x9B, + 0xD0, 0x1B, 0x18, 0x92, 0xC3, 0xD2, 0x6A, 0xD7, + 0x1C, 0xFC, 0x45, 0x69, 0x77, 0xC3, 0x57, 0x65, + 0x75, 0x99, 0x9E, 0x47, 0x2A, 0x20, 0x25, 0xEF, + 0x90, 0xF2, 0x5F, 0x3B, 0x7D, 0x9C, 0x7D, 0x00, + 0xEA, 0x92, 0x54, 0xEB, 0x0B, 0xE7, 0x17, 0xAF, + 0x24, 0x1A, 0xF9, 0x7C, 0x83, 0x50, 0x68, 0x1D, + 0xDC, 0x5B, 0x60, 0x12, 0xA7, 0x52, 0x78, 0xD9, + 0xA9, 0xB0, 0x1F, 0x59, 0x48, 0x36, 0xC7, 0xA6, + 0x97, 0x34, 0xC7, 0x87, 0x3F, 0xAE, 0xFD, 0xA9, + 0x56, 0x5D, 0x48, 0xCC, 0x89, 0x7A, 0x79, 0x60, + 0x8F, 0x9B, 0x2B, 0x63, 0x3C, 0xB3, 0x04, 0x1D, + 0x5F, 0xF7, 0x20, 0xD2, 0xFD, 0xF2, 0x51, 0xB1, + 0x96, 0x93, 0x13, 0x5B, 0xAB, 0x74, 0x82, 0x8B + }; + + WOLFSSL_CERT_MANAGER* cm = NULL; + + ExpectNotNull(cm = wolfSSL_CertManagerNew()); + + ExpectIntEQ(wolfSSL_CertManagerEnableCRL(NULL, 0), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerEnableCRL(cm, WOLFSSL_CRL_CHECKALL), 1); + ExpectIntEQ(wolfSSL_CertManagerEnableCRL(cm, WOLFSSL_CRL_CHECK), 1); + ExpectIntEQ(wolfSSL_CertManagerEnableCRL(cm, + WOLFSSL_CRL_CHECK | WOLFSSL_CRL_CHECKALL), 1); + ExpectIntEQ(wolfSSL_CertManagerEnableCRL(cm, 16), 1); + ExpectIntEQ(wolfSSL_CertManagerEnableCRL(cm, WOLFSSL_CRL_CHECKALL), 1); + + ExpectIntEQ(wolfSSL_CertManagerCheckCRL(NULL, NULL, -1), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerCheckCRL(cm, NULL, -1), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerCheckCRL(NULL, server_cert_der_2048, -1), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerCheckCRL(NULL, NULL, 1), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerCheckCRL(NULL, server_cert_der_2048, 1), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerCheckCRL(cm, NULL, 1), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerCheckCRL(cm, server_cert_der_2048, -1), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerCheckCRL(cm, server_cert_der_2048, + sizeof_server_cert_der_2048), WC_NO_ERR_TRACE(ASN_NO_SIGNER_E)); + + ExpectIntEQ(wolfSSL_CertManagerSetCRL_Cb(NULL, NULL), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerSetCRL_Cb(cm, NULL), 1); +#ifdef HAVE_CRL_IO + ExpectIntEQ(wolfSSL_CertManagerSetCRL_IOCb(NULL, NULL), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerSetCRL_IOCb(cm, NULL), 1); +#endif + +#ifndef NO_FILESYSTEM + ExpectIntEQ(wolfSSL_CertManagerLoadCRL(NULL, NULL, WOLFSSL_FILETYPE_ASN1, + 0), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerLoadCRL(cm, NULL, WOLFSSL_FILETYPE_ASN1, + 0), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + /* -1 seen as !WOLFSSL_FILETYPE_PEM */ + ExpectIntEQ(wolfSSL_CertManagerLoadCRL(cm, "./certs/crl", -1, 0), 1); + + ExpectIntEQ(wolfSSL_CertManagerLoadCRLFile(NULL, NULL, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerLoadCRLFile(cm, NULL, WOLFSSL_FILETYPE_ASN1), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + /* -1 seen as !WOLFSSL_FILETYPE_PEM */ + ExpectIntEQ(wolfSSL_CertManagerLoadCRLFile(cm, "./certs/crl/crl.pem", -1), + WC_NO_ERR_TRACE(ASN_PARSE_E)); +#endif + + ExpectIntEQ(wolfSSL_CertManagerLoadCRLBuffer(NULL, NULL, -1, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerLoadCRLBuffer(cm, NULL, -1, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerLoadCRLBuffer(NULL, crl_buff, -1, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerLoadCRLBuffer(NULL, NULL, 1, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerLoadCRLBuffer(NULL, crl_buff, 1, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerLoadCRLBuffer(cm, NULL, 1, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_CertManagerLoadCRLBuffer(cm, crl_buff, -1, + WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + + ExpectIntEQ(wolfSSL_CertManagerFreeCRL(NULL), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + DoExpectIntEQ(wolfSSL_CertManagerFreeCRL(cm), 1); + + ExpectIntEQ(WOLFSSL_SUCCESS, + wolfSSL_CertManagerLoadCA(cm, ca_cert, NULL)); + ExpectIntEQ(WOLFSSL_SUCCESS, + wolfSSL_CertManagerLoadCRL(cm, crl1, WOLFSSL_FILETYPE_PEM, 0)); + ExpectIntEQ(WOLFSSL_SUCCESS, + wolfSSL_CertManagerLoadCRL(cm, crl2, WOLFSSL_FILETYPE_PEM, 0)); + wolfSSL_CertManagerFreeCRL(cm); + +#ifndef WOLFSSL_CRL_ALLOW_MISSING_CDP + ExpectIntEQ(WOLFSSL_SUCCESS, + wolfSSL_CertManagerLoadCRL(cm, crl1, WOLFSSL_FILETYPE_PEM, 0)); + ExpectIntEQ(WOLFSSL_SUCCESS, + wolfSSL_CertManagerLoadCA(cm, ca_cert, NULL)); + ExpectIntEQ(wolfSSL_CertManagerCheckCRL(cm, server_cert_der_2048, + sizeof_server_cert_der_2048), WC_NO_ERR_TRACE(CRL_MISSING)); + ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, server_cert_der_2048, + sizeof_server_cert_der_2048, WOLFSSL_FILETYPE_ASN1), + WC_NO_ERR_TRACE(CRL_MISSING)); +#endif /* !WOLFSSL_CRL_ALLOW_MISSING_CDP */ + + ExpectIntEQ(wolfSSL_CertManagerLoadCRLBuffer(cm, crl_buff, sizeof(crl_buff), + WOLFSSL_FILETYPE_ASN1), 1); + +#if !defined(NO_FILESYSTEM) && defined(WC_RSA_PSS) + /* loading should fail without the CA set */ + ExpectIntEQ(wolfSSL_CertManagerLoadCRLFile(cm, crl_rsapss, + WOLFSSL_FILETYPE_PEM), WC_NO_ERR_TRACE(ASN_CRL_NO_SIGNER_E)); + + /* now successfully load the RSA-PSS crl once loading in it's CA */ + ExpectIntEQ(WOLFSSL_SUCCESS, + wolfSSL_CertManagerLoadCA(cm, ca_rsapss, NULL)); + ExpectIntEQ(wolfSSL_CertManagerLoadCRLFile(cm, crl_rsapss, + WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS); +#endif + + wolfSSL_CertManagerFree(cm); +#endif + + return EXPECT_RESULT(); +} + +int test_wolfSSL_CRL_duplicate_extensions(void) +{ + EXPECT_DECLS; +#if defined(WOLFSSL_ASN_TEMPLATE) && !defined(NO_CERTS) && \ + defined(HAVE_CRL) && !defined(NO_RSA) && \ + !defined(WOLFSSL_NO_ASN_STRICT) && \ + (defined(WC_ASN_RUNTIME_DATE_CHECK_CONTROL) || defined(NO_ASN_TIME_CHECK)) + const unsigned char crl_duplicate_akd[] = + "-----BEGIN X509 CRL-----\n" + "MIICCDCB8QIBATANBgkqhkiG9w0BAQsFADB5MQswCQYDVQQGEwJVUzETMBEGA1UE\n" + "CAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzETMBEGA1UECgwK\n" + "TXkgQ29tcGFueTETMBEGA1UEAwwKTXkgUm9vdCBDQTETMBEGA1UECwwKTXkgUm9v\n" + "dCBDQRcNMjQwOTAxMDAwMDAwWhcNMjUxMjAxMDAwMDAwWqBEMEIwHwYDVR0jBBgw\n" + "FoAU72ng99Ud5pns3G3Q9+K5XGRxgzUwHwYDVR0jBBgwFoAU72ng99Ud5pns3G3Q\n" + "9+K5XGRxgzUwDQYJKoZIhvcNAQELBQADggEBAIFVw4jrS4taSXR/9gPzqGrqFeHr\n" + "IXCnFtHJTLxqa8vUOAqSwqysvNpepVKioMVoGrLjFMjANjWQqTEiMROAnLfJ/+L8\n" + "FHZkV/mZwOKAXMhIC9MrJzifxBICwmvD028qnwQm09EP8z4ICZptD6wPdRTDzduc\n" + "KBuAX+zn8pNrJgyrheRKpPgno9KsbCzK4D/RIt1sTK2M3vVOtY+vpsN70QYUXvQ4\n" + "r2RZac3omlT43x5lddPxIlcouQpwWcVvr/K+Va770MRrjn88PBrJmvsEw/QYVBXp\n" + "Gxv2b78HFDacba80sMIm8ltRdqUCa5qIc6OATsz7izCQXEbkTEeESrcK1MA=\n" + "-----END X509 CRL-----\n"; + + WOLFSSL_CERT_MANAGER* cm = NULL; + int ret; + + (void)wc_AsnSetSkipDateCheck(1); + + cm = wolfSSL_CertManagerNew(); + ExpectNotNull(cm); + + /* Test loading CRL with duplicate extensions */ + WOLFSSL_MSG("Testing CRL with duplicate Authority Key Identifier " + "extensions"); + ret = wolfSSL_CertManagerLoadCRLBuffer(cm, crl_duplicate_akd, + sizeof(crl_duplicate_akd), + WOLFSSL_FILETYPE_PEM); + ExpectIntEQ(ret, ASN_PARSE_E); + + wolfSSL_CertManagerFree(cm); + + (void)wc_AsnSetSkipDateCheck(0); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_CertManagerCheckOCSPResponse(void) +{ + EXPECT_DECLS; +#if defined(HAVE_OCSP) && !defined(NO_RSA) && !defined(NO_SHA) +/* Need one of these for wolfSSL_OCSP_REQUEST_new. */ +#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || \ + defined(WOLFSSL_HAPROXY) || defined(WOLFSSL_APACHE_HTTPD) || \ + defined(HAVE_LIGHTY) + WOLFSSL_CERT_MANAGER* cm = NULL; + /* Raw OCSP response bytes captured using the following setup: + * - Run responder with + * openssl ocsp -port 9999 -ndays 9999 + * -index certs/ocsp/index-intermediate1-ca-issued-certs.txt + * -rsigner certs/ocsp/ocsp-responder-cert.pem + * -rkey certs/ocsp/ocsp-responder-key.pem + * -CA certs/ocsp/intermediate1-ca-cert.pem + * - Run client with + * openssl ocsp -host 127.0.0.1:9999 -respout resp.out + * -issuer certs/ocsp/intermediate1-ca-cert.pem + * -cert certs/ocsp/server1-cert.pem + * -CAfile certs/ocsp/root-ca-cert.pem -noverify + * - Select the response packet in Wireshark, and export it using + * "File->Export Packet Dissection->As "C" Arrays". Select "Selected + * packets only". After importing into the editor, remove the initial + * ~148 bytes of header, ending with the Content-Length and the \r\n\r\n. + */ + static const byte response[] = { + 0x30, 0x82, 0x07, 0x40, /* ....0..@ */ + 0x0a, 0x01, 0x00, 0xa0, 0x82, 0x07, 0x39, 0x30, /* ......90 */ + 0x82, 0x07, 0x35, 0x06, 0x09, 0x2b, 0x06, 0x01, /* ..5..+.. */ + 0x05, 0x05, 0x07, 0x30, 0x01, 0x01, 0x04, 0x82, /* ...0.... */ + 0x07, 0x26, 0x30, 0x82, 0x07, 0x22, 0x30, 0x82, /* .&0.."0. */ + 0x01, 0x40, 0xa1, 0x81, 0xa1, 0x30, 0x81, 0x9e, /* .@...0.. */ + 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, /* 1.0...U. */ + 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, /* ...US1.0 */ + 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, /* ...U.... */ + 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, /* Washingt */ + 0x6f, 0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, /* on1.0... */ + 0x55, 0x04, 0x07, 0x0c, 0x07, 0x53, 0x65, 0x61, /* U....Sea */ + 0x74, 0x74, 0x6c, 0x65, 0x31, 0x10, 0x30, 0x0e, /* ttle1.0. */ + 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x07, 0x77, /* ..U....w */ + 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x31, 0x14, /* olfSSL1. */ + 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, /* 0...U... */ + 0x0b, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, /* .Enginee */ + 0x72, 0x69, 0x6e, 0x67, 0x31, 0x1f, 0x30, 0x1d, /* ring1.0. */ + 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x16, 0x77, /* ..U....w */ + 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x20, 0x4f, /* olfSSL O */ + 0x43, 0x53, 0x50, 0x20, 0x52, 0x65, 0x73, 0x70, /* CSP Resp */ + 0x6f, 0x6e, 0x64, 0x65, 0x72, 0x31, 0x1f, 0x30, /* onder1.0 */ + 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, /* ...*.H.. */ + 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, /* ......in */ + 0x66, 0x6f, 0x40, 0x77, 0x6f, 0x6c, 0x66, 0x73, /* fo@wolfs */ + 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x18, 0x0f, /* sl.com.. */ + 0x32, 0x30, 0x32, 0x34, 0x31, 0x32, 0x32, 0x30, /* 20241220 */ + 0x31, 0x37, 0x30, 0x37, 0x30, 0x34, 0x5a, 0x30, /* 170704Z0 */ + 0x64, 0x30, 0x62, 0x30, 0x3a, 0x30, 0x09, 0x06, /* d0b0:0.. */ + 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, /* .+...... */ + 0x04, 0x14, 0x71, 0x4d, 0x82, 0x23, 0x40, 0x59, /* ..qM.#@Y */ + 0xc0, 0x96, 0xa1, 0x37, 0x43, 0xfa, 0x31, 0xdb, /* ...7C.1. */ + 0xba, 0xb1, 0x43, 0x18, 0xda, 0x04, 0x04, 0x14, /* ..C..... */ + 0x83, 0xc6, 0x3a, 0x89, 0x2c, 0x81, 0xf4, 0x02, /* ..:.,... */ + 0xd7, 0x9d, 0x4c, 0xe2, 0x2a, 0xc0, 0x71, 0x82, /* ..L.*.q. */ + 0x64, 0x44, 0xda, 0x0e, 0x02, 0x01, 0x05, 0x80, /* dD...... */ + 0x00, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x34, 0x31, /* ...20241 */ + 0x32, 0x32, 0x30, 0x31, 0x37, 0x30, 0x37, 0x30, /* 22017070 */ + 0x34, 0x5a, 0xa0, 0x11, 0x18, 0x0f, 0x32, 0x30, /* 4Z....20 */ + 0x35, 0x32, 0x30, 0x35, 0x30, 0x36, 0x31, 0x37, /* 52050617 */ + 0x30, 0x37, 0x30, 0x34, 0x5a, 0xa1, 0x23, 0x30, /* 0704Z.#0 */ + 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2b, 0x06, 0x01, /* !0...+.. */ + 0x05, 0x05, 0x07, 0x30, 0x01, 0x02, 0x04, 0x12, /* ...0.... */ + 0x04, 0x10, 0x12, 0x7c, 0x27, 0xbd, 0x22, 0x28, /* ...|'."( */ + 0x5e, 0x62, 0x81, 0xed, 0x6d, 0x2c, 0x2d, 0x59, /* ^b..m,-Y */ + 0x42, 0xd7, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, /* B.0...*. */ + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, /* H....... */ + 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x6c, 0xce, /* ......l. */ + 0xa8, 0xe8, 0xfe, 0xaf, 0x33, 0xe2, 0xce, 0x4e, /* ....3..N */ + 0x63, 0x8d, 0x61, 0x16, 0x0f, 0x70, 0xb2, 0x0c, /* c.a..p.. */ + 0x9a, 0xe3, 0x01, 0xd5, 0xca, 0xe5, 0x9b, 0x70, /* .......p */ + 0x81, 0x6f, 0x94, 0x09, 0xe8, 0x88, 0x98, 0x1a, /* .o...... */ + 0x67, 0xa0, 0xc2, 0xe7, 0x8f, 0x9b, 0x5f, 0x13, /* g....._. */ + 0x17, 0x8d, 0x93, 0x8c, 0x31, 0x61, 0x7d, 0x72, /* ....1a}r */ + 0x34, 0xbd, 0x21, 0x48, 0xca, 0xb2, 0xc9, 0xae, /* 4.!H.... */ + 0x28, 0x5f, 0x97, 0x19, 0xcb, 0xdf, 0xed, 0xd4, /* (_...... */ + 0x6e, 0x89, 0x30, 0x89, 0x11, 0xd1, 0x05, 0x08, /* n.0..... */ + 0x81, 0xe9, 0xa7, 0xba, 0xf7, 0x16, 0x0c, 0xbe, /* ........ */ + 0x48, 0x2e, 0xc0, 0x05, 0xac, 0x90, 0xc2, 0x35, /* H......5 */ + 0xce, 0x6c, 0x94, 0x5d, 0x2b, 0xad, 0x4f, 0x19, /* .l.]+.O. */ + 0xea, 0x7b, 0xd9, 0x4f, 0x49, 0x20, 0x8d, 0x98, /* .{.OI .. */ + 0xa9, 0xe4, 0x53, 0x6d, 0xca, 0x34, 0xdb, 0x4a, /* ..Sm.4.J */ + 0x28, 0xb3, 0x33, 0xfb, 0xfd, 0xcc, 0x4b, 0xfa, /* (.3...K. */ + 0xdb, 0x70, 0xe1, 0x96, 0xc8, 0xd4, 0xf1, 0x85, /* .p...... */ + 0x99, 0xaf, 0x06, 0xeb, 0xfd, 0x96, 0x21, 0x86, /* ......!. */ + 0x81, 0xee, 0xcf, 0xd2, 0xf4, 0x83, 0xc9, 0x1d, /* ........ */ + 0x8f, 0x42, 0xd1, 0xc1, 0xbc, 0x50, 0x0a, 0xfb, /* .B...P.. */ + 0x95, 0x39, 0x4c, 0x36, 0xa8, 0xfe, 0x2b, 0x8e, /* .9L6..+. */ + 0xc5, 0xb5, 0xe0, 0xab, 0xdb, 0xc0, 0xbf, 0x1d, /* ........ */ + 0x35, 0x4d, 0xc0, 0x52, 0xfb, 0x08, 0x04, 0x4c, /* 5M.R...L */ + 0x98, 0xf0, 0xb5, 0x5b, 0xff, 0x99, 0x74, 0xce, /* ...[..t. */ + 0xb7, 0xc9, 0xe3, 0xe5, 0x70, 0x2e, 0xd3, 0x1d, /* ....p... */ + 0x46, 0x38, 0xf9, 0x51, 0x17, 0x73, 0xd1, 0x08, /* F8.Q.s.. */ + 0x8d, 0x3d, 0x12, 0x47, 0xd0, 0x66, 0x77, 0xaf, /* .=.G.fw. */ + 0xfd, 0x4c, 0x75, 0x1f, 0xe9, 0x6c, 0xf4, 0x5a, /* .Lu..l.Z */ + 0xde, 0xec, 0x37, 0xc7, 0xc4, 0x0a, 0xbe, 0x91, /* ..7..... */ + 0xbc, 0x05, 0x08, 0x86, 0x47, 0x30, 0x2a, 0xc6, /* ....G0*. */ + 0x85, 0x4b, 0x55, 0x6c, 0xef, 0xdf, 0x2d, 0x5a, /* .KUl..-Z */ + 0xf7, 0x5b, 0xb5, 0xba, 0xed, 0x38, 0xb0, 0xcb, /* .[...8.. */ + 0xeb, 0x7e, 0x84, 0x3a, 0x69, 0x2c, 0xa0, 0x82, /* .~.:i,.. */ + 0x04, 0xc6, 0x30, 0x82, 0x04, 0xc2, 0x30, 0x82, /* ..0...0. */ + 0x04, 0xbe, 0x30, 0x82, 0x03, 0xa6, 0xa0, 0x03, /* ..0..... */ + 0x02, 0x01, 0x02, 0x02, 0x01, 0x04, 0x30, 0x0d, /* ......0. */ + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, /* ..*.H... */ + 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x81, 0x97, /* .....0.. */ + 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, /* 1.0...U. */ + 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, /* ...US1.0 */ + 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, /* ...U.... */ + 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, /* Washingt */ + 0x6f, 0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, /* on1.0... */ + 0x55, 0x04, 0x07, 0x0c, 0x07, 0x53, 0x65, 0x61, /* U....Sea */ + 0x74, 0x74, 0x6c, 0x65, 0x31, 0x10, 0x30, 0x0e, /* ttle1.0. */ + 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x07, 0x77, /* ..U....w */ + 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x31, 0x14, /* olfSSL1. */ + 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, /* 0...U... */ + 0x0b, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, /* .Enginee */ + 0x72, 0x69, 0x6e, 0x67, 0x31, 0x18, 0x30, 0x16, /* ring1.0. */ + 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x77, /* ..U....w */ + 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x20, 0x72, /* olfSSL r */ + 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x41, 0x31, 0x1f, /* oot CA1. */ + 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, /* 0...*.H. */ + 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, /* .......i */ + 0x6e, 0x66, 0x6f, 0x40, 0x77, 0x6f, 0x6c, 0x66, /* nfo@wolf */ + 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x30, /* ssl.com0 */ + 0x1e, 0x17, 0x0d, 0x32, 0x34, 0x31, 0x32, 0x31, /* ...24121 */ + 0x38, 0x32, 0x31, 0x32, 0x35, 0x33, 0x31, 0x5a, /* 8212531Z */ + 0x17, 0x0d, 0x32, 0x37, 0x30, 0x39, 0x31, 0x34, /* ..270914 */ + 0x32, 0x31, 0x32, 0x35, 0x33, 0x31, 0x5a, 0x30, /* 212531Z0 */ + 0x81, 0x9e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, /* ..1.0... */ + 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, /* U....US1 */ + 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, /* .0...U.. */ + 0x0c, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, /* ..Washin */ + 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30, 0x0e, /* gton1.0. */ + 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x07, 0x53, /* ..U....S */ + 0x65, 0x61, 0x74, 0x74, 0x6c, 0x65, 0x31, 0x10, /* eattle1. */ + 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, /* 0...U... */ + 0x07, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, /* .wolfSSL */ + 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, /* 1.0...U. */ + 0x0b, 0x0c, 0x0b, 0x45, 0x6e, 0x67, 0x69, 0x6e, /* ...Engin */ + 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x31, 0x1f, /* eering1. */ + 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, /* 0...U... */ + 0x16, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, /* .wolfSSL */ + 0x20, 0x4f, 0x43, 0x53, 0x50, 0x20, 0x52, 0x65, /* OCSP Re */ + 0x73, 0x70, 0x6f, 0x6e, 0x64, 0x65, 0x72, 0x31, /* sponder1 */ + 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, /* .0...*.H */ + 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, /* ........ */ + 0x69, 0x6e, 0x66, 0x6f, 0x40, 0x77, 0x6f, 0x6c, /* info@wol */ + 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, /* fssl.com */ + 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, /* 0.."0... */ + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, /* *.H..... */ + 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, /* ........ */ + 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, /* 0....... */ + 0x00, 0xb8, 0xba, 0x23, 0xb4, 0xf6, 0xc3, 0x7b, /* ...#...{ */ + 0x14, 0xc3, 0xa4, 0xf5, 0x1d, 0x61, 0xa1, 0xf5, /* .....a.. */ + 0x1e, 0x63, 0xb9, 0x85, 0x23, 0x34, 0x50, 0x6d, /* .c..#4Pm */ + 0xf8, 0x7c, 0xa2, 0x8a, 0x04, 0x8b, 0xd5, 0x75, /* .|.....u */ + 0x5c, 0x2d, 0xf7, 0x63, 0x88, 0xd1, 0x07, 0x7a, /* \-.c...z */ + 0xea, 0x0b, 0x45, 0x35, 0x2b, 0xeb, 0x1f, 0xb1, /* ..E5+... */ + 0x22, 0xb4, 0x94, 0x41, 0x38, 0xe2, 0x9d, 0x74, /* "..A8..t */ + 0xd6, 0x8b, 0x30, 0x22, 0x10, 0x51, 0xc5, 0xdb, /* ..0".Q.. */ + 0xca, 0x3f, 0x46, 0x2b, 0xfe, 0xe5, 0x5a, 0x3f, /* .?F+..Z? */ + 0x41, 0x74, 0x67, 0x75, 0x95, 0xa9, 0x94, 0xd5, /* Atgu.... */ + 0xc3, 0xee, 0x42, 0xf8, 0x8d, 0xeb, 0x92, 0x95, /* ..B..... */ + 0xe1, 0xd9, 0x65, 0xb7, 0x43, 0xc4, 0x18, 0xde, /* ..e.C... */ + 0x16, 0x80, 0x90, 0xce, 0x24, 0x35, 0x21, 0xc4, /* ....$5!. */ + 0x55, 0xac, 0x5a, 0x51, 0xe0, 0x2e, 0x2d, 0xb3, /* U.ZQ..-. */ + 0x0a, 0x5a, 0x4f, 0x4a, 0x73, 0x31, 0x50, 0xee, /* .ZOJs1P. */ + 0x4a, 0x16, 0xbd, 0x39, 0x8b, 0xad, 0x05, 0x48, /* J..9...H */ + 0x87, 0xb1, 0x99, 0xe2, 0x10, 0xa7, 0x06, 0x72, /* .......r */ + 0x67, 0xca, 0x5c, 0xd1, 0x97, 0xbd, 0xc8, 0xf1, /* g.\..... */ + 0x76, 0xf8, 0xe0, 0x4a, 0xec, 0xbc, 0x93, 0xf4, /* v..J.... */ + 0x66, 0x4c, 0x28, 0x71, 0xd1, 0xd8, 0x66, 0x03, /* fL(q..f. */ + 0xb4, 0x90, 0x30, 0xbb, 0x17, 0xb0, 0xfe, 0x97, /* ..0..... */ + 0xf5, 0x1e, 0xe8, 0xc7, 0x5d, 0x9b, 0x8b, 0x11, /* ....]... */ + 0x19, 0x12, 0x3c, 0xab, 0x82, 0x71, 0x78, 0xff, /* ..<..qx. */ + 0xae, 0x3f, 0x32, 0xb2, 0x08, 0x71, 0xb2, 0x1b, /* .?2..q.. */ + 0x8c, 0x27, 0xac, 0x11, 0xb8, 0xd8, 0x43, 0x49, /* .'....CI */ + 0xcf, 0xb0, 0x70, 0xb1, 0xf0, 0x8c, 0xae, 0xda, /* ..p..... */ + 0x24, 0x87, 0x17, 0x3b, 0xd8, 0x04, 0x65, 0x6c, /* $..;..el */ + 0x00, 0x76, 0x50, 0xef, 0x15, 0x08, 0xd7, 0xb4, /* .vP..... */ + 0x73, 0x68, 0x26, 0x14, 0x87, 0x95, 0xc3, 0x5f, /* sh&...._ */ + 0x6e, 0x61, 0xb8, 0x87, 0x84, 0xfa, 0x80, 0x1a, /* na...... */ + 0x0a, 0x8b, 0x98, 0xf3, 0xe3, 0xff, 0x4e, 0x44, /* ......ND */ + 0x1c, 0x65, 0x74, 0x7c, 0x71, 0x54, 0x65, 0xe5, /* .et|qTe. */ + 0x39, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, /* 9....... */ + 0x01, 0x0a, 0x30, 0x82, 0x01, 0x06, 0x30, 0x09, /* ..0...0. */ + 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, /* ..U....0 */ + 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, /* .0...U.. */ + 0x04, 0x16, 0x04, 0x14, 0x32, 0x67, 0xe1, 0xb1, /* ....2g.. */ + 0x79, 0xd2, 0x81, 0xfc, 0x9f, 0x23, 0x0c, 0x70, /* y....#.p */ + 0x40, 0x50, 0xb5, 0x46, 0x56, 0xb8, 0x30, 0x36, /* @P.FV.06 */ + 0x30, 0x81, 0xc4, 0x06, 0x03, 0x55, 0x1d, 0x23, /* 0....U.# */ + 0x04, 0x81, 0xbc, 0x30, 0x81, 0xb9, 0x80, 0x14, /* ...0.... */ + 0x73, 0xb0, 0x1c, 0xa4, 0x2f, 0x82, 0xcb, 0xcf, /* s.../... */ + 0x47, 0xa5, 0x38, 0xd7, 0xb0, 0x04, 0x82, 0x3a, /* G.8....: */ + 0x7e, 0x72, 0x15, 0x21, 0xa1, 0x81, 0x9d, 0xa4, /* ~r.!.... */ + 0x81, 0x9a, 0x30, 0x81, 0x97, 0x31, 0x0b, 0x30, /* ..0..1.0 */ + 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, /* ...U.... */ + 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, /* US1.0... */ + 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x57, 0x61, 0x73, /* U....Was */ + 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, /* hington1 */ + 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, /* .0...U.. */ + 0x0c, 0x07, 0x53, 0x65, 0x61, 0x74, 0x74, 0x6c, /* ..Seattl */ + 0x65, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, /* e1.0...U */ + 0x04, 0x0a, 0x0c, 0x07, 0x77, 0x6f, 0x6c, 0x66, /* ....wolf */ + 0x53, 0x53, 0x4c, 0x31, 0x14, 0x30, 0x12, 0x06, /* SSL1.0.. */ + 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x0b, 0x45, 0x6e, /* .U....En */ + 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, /* gineerin */ + 0x67, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, /* g1.0...U */ + 0x04, 0x03, 0x0c, 0x0f, 0x77, 0x6f, 0x6c, 0x66, /* ....wolf */ + 0x53, 0x53, 0x4c, 0x20, 0x72, 0x6f, 0x6f, 0x74, /* SSL root */ + 0x20, 0x43, 0x41, 0x31, 0x1f, 0x30, 0x1d, 0x06, /* CA1.0.. */ + 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, /* .*.H.... */ + 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, /* ....info */ + 0x40, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, /* @wolfssl */ + 0x2e, 0x63, 0x6f, 0x6d, 0x82, 0x01, 0x63, 0x30, /* .com..c0 */ + 0x13, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x04, 0x0c, /* ...U.%.. */ + 0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, /* 0...+... */ + 0x05, 0x07, 0x03, 0x09, 0x30, 0x0d, 0x06, 0x09, /* ....0... */ + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, /* *.H..... */ + 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, /* ........ */ + 0x4d, 0xa2, 0xd8, 0x55, 0xe0, 0x2b, 0xf4, 0xad, /* M..U.+.. */ + 0x65, 0xe2, 0x92, 0x35, 0xcb, 0x60, 0xa0, 0xa2, /* e..5.`.. */ + 0x6b, 0xa6, 0x88, 0xc1, 0x86, 0x58, 0x57, 0x37, /* k....XW7 */ + 0xbd, 0x2e, 0x28, 0x6e, 0x1c, 0x56, 0x2a, 0x35, /* ..(n.V*5 */ + 0xde, 0xff, 0x3e, 0x8e, 0x3d, 0x47, 0x21, 0x1a, /* ..>.=G!. */ + 0xe9, 0xd3, 0xc6, 0xb4, 0xe2, 0xcb, 0x3e, 0xc6, /* ......>. */ + 0xaf, 0x9b, 0xef, 0x23, 0x88, 0x56, 0x95, 0x73, /* ...#.V.s */ + 0x2e, 0xb3, 0xed, 0xc5, 0x11, 0x4b, 0x69, 0xf7, /* .....Ki. */ + 0x13, 0x3a, 0x05, 0xe1, 0xaf, 0xba, 0xc9, 0x59, /* .:.....Y */ + 0xfd, 0xe2, 0xa0, 0x81, 0xa0, 0x4c, 0x0c, 0x2c, /* .....L., */ + 0xcb, 0x57, 0xad, 0x96, 0x3a, 0x8c, 0x32, 0xa6, /* .W..:.2. */ + 0x4a, 0xf8, 0x72, 0xb8, 0xec, 0xb3, 0x26, 0x69, /* J.r...&i */ + 0xd6, 0x6a, 0x4c, 0x4c, 0x78, 0x18, 0x3c, 0xca, /* .jLLx.<. */ + 0x19, 0xf1, 0xb5, 0x8e, 0x23, 0x81, 0x5b, 0x27, /* ....#.[' */ + 0x90, 0xe0, 0x5c, 0x2b, 0x17, 0x4d, 0x78, 0x99, /* ..\+.Mx. */ + 0x6b, 0x25, 0xbd, 0x2f, 0xae, 0x1b, 0xaa, 0xce, /* k%./.... */ + 0x84, 0xb9, 0x44, 0x21, 0x46, 0xc0, 0x34, 0x6b, /* ..D!F.4k */ + 0x5b, 0xb9, 0x1b, 0xca, 0x5c, 0x60, 0xf1, 0xef, /* [...\`.. */ + 0xe6, 0x66, 0xbc, 0x84, 0x63, 0x56, 0x50, 0x7d, /* .f..cVP} */ + 0xbb, 0x2c, 0x2f, 0x7b, 0x47, 0xb4, 0xfd, 0x58, /* .,/{G..X */ + 0x77, 0x87, 0xee, 0x27, 0x20, 0x96, 0x72, 0x8e, /* w..' .r. */ + 0x4c, 0x7e, 0x4f, 0x93, 0xeb, 0x5f, 0x8f, 0x9c, /* L~O.._.. */ + 0x1e, 0x59, 0x7a, 0x96, 0xaa, 0x53, 0x77, 0x22, /* .Yz..Sw" */ + 0x41, 0xd8, 0xd3, 0xf9, 0x89, 0x8f, 0xe8, 0x9d, /* A....... */ + 0x65, 0xbd, 0x0c, 0x71, 0x3c, 0xbb, 0xa3, 0x07, /* e..q<... */ + 0xbf, 0xfb, 0xa8, 0xd1, 0x18, 0x0a, 0xb4, 0xc4, /* ........ */ + 0xf7, 0x83, 0xb3, 0x86, 0x2b, 0xf0, 0x5b, 0x05, /* ....+.[. */ + 0x28, 0xc1, 0x01, 0x31, 0x73, 0x5c, 0x2b, 0xbd, /* (..1s\+. */ + 0x60, 0x97, 0xa3, 0x36, 0x82, 0x96, 0xd7, 0x83, /* `..6.... */ + 0xdf, 0x75, 0xee, 0x29, 0x42, 0x97, 0x86, 0x41, /* .u.)B..A */ + 0x55, 0xb9, 0x70, 0x87, 0xd5, 0x02, 0x85, 0x13, /* U.p..... */ + 0x41, 0xf8, 0x25, 0x05, 0xab, 0x6a, 0xaa, 0x57 /* A.%..j.W */ + }; + OcspEntry entry[1]; + CertStatus status[1]; + OcspRequest* request = NULL; +#ifndef NO_FILESYSTEM + const char* ca_cert = "./certs/ca-cert.pem"; +#endif + + byte serial[] = {0x05}; + byte issuerHash[] = { + 0x71, 0x4d, 0x82, 0x23, 0x40, 0x59, 0xc0, 0x96, + 0xa1, 0x37, 0x43, 0xfa, 0x31, 0xdb, 0xba, 0xb1, + 0x43, 0x18, 0xda, 0x04 + }; + byte issuerKeyHash[] = { + 0x83, 0xc6, 0x3a, 0x89, 0x2c, 0x81, 0xf4, 0x02, + 0xd7, 0x9d, 0x4c, 0xe2, 0x2a, 0xc0, 0x71, 0x82, + 0x64, 0x44, 0xda, 0x0e + }; + + + XMEMSET(entry, 0, sizeof(OcspEntry)); + XMEMSET(status, 0, sizeof(CertStatus)); + + ExpectNotNull(request = wolfSSL_OCSP_REQUEST_new()); + ExpectNotNull(request->serial = (byte*)XMALLOC(sizeof(serial), NULL, + DYNAMIC_TYPE_OCSP_REQUEST)); + + if ((request != NULL) && (request->serial != NULL)) { + request->serialSz = sizeof(serial); + XMEMCPY(request->serial, serial, sizeof(serial)); + XMEMCPY(request->issuerHash, issuerHash, sizeof(issuerHash)); + XMEMCPY(request->issuerKeyHash, issuerKeyHash, sizeof(issuerKeyHash)); + } + + ExpectNotNull(cm = wolfSSL_CertManagerNew_ex(NULL)); + ExpectIntEQ(wolfSSL_CertManagerEnableOCSP(cm, 0), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CertManagerLoadCA(cm, + "./certs/ocsp/intermediate1-ca-cert.pem", NULL), WOLFSSL_SUCCESS); + + /* Response should be valid. */ + ExpectIntEQ(wolfSSL_CertManagerCheckOCSPResponse(cm, (byte *)response, + sizeof(response), NULL, status, entry, request), WOLFSSL_SUCCESS); + + /* Flip a byte in the request serial number, response should be invalid + * now. */ + if ((request != NULL) && (request->serial != NULL)) + request->serial[0] ^= request->serial[0]; + ExpectIntNE(wolfSSL_CertManagerCheckOCSPResponse(cm, (byte *)response, + sizeof(response), NULL, status, entry, request), WOLFSSL_SUCCESS); + +#ifndef NO_FILESYSTEM + ExpectIntEQ(wolfSSL_CertManagerCheckOCSP(cm, server_cert_der_2048, + sizeof(server_cert_der_2048)), WC_NO_ERR_TRACE(ASN_NO_SIGNER_E)); + ExpectIntEQ(WOLFSSL_SUCCESS, + wolfSSL_CertManagerLoadCA(cm, ca_cert, NULL)); + ExpectIntEQ(wolfSSL_CertManagerCheckOCSP(cm, server_cert_der_2048, + sizeof(server_cert_der_2048)), 1); +#endif + + wolfSSL_OCSP_REQUEST_free(request); + wolfSSL_CertManagerFree(cm); +#endif /* OPENSSL_ALL || WOLFSSL_NGINX || WOLFSSL_HAPROXY || + * WOLFSSL_APACHE_HTTPD || HAVE_LIGHTY */ +#endif /* HAVE_OCSP */ + return EXPECT_RESULT(); +} + +#ifdef HAVE_CERT_CHAIN_VALIDATION +#ifndef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION +#ifdef WOLFSSL_PEM_TO_DER +#ifndef NO_SHA256 +static int load_ca_into_cm(WOLFSSL_CERT_MANAGER* cm, char* certA) +{ + int ret; + + if ((ret = wolfSSL_CertManagerLoadCA(cm, certA, 0)) != WOLFSSL_SUCCESS) { + fprintf(stderr, "loading cert %s failed\n", certA); + fprintf(stderr, "Error: (%d): %s\n", ret, + wolfSSL_ERR_reason_error_string((word32)ret)); + return -1; + } + + return 0; +} + +static int verify_cert_with_cm(WOLFSSL_CERT_MANAGER* cm, char* certA) +{ + int ret; + if ((ret = wolfSSL_CertManagerVerify(cm, certA, CERT_FILETYPE)) + != WOLFSSL_SUCCESS) { + fprintf(stderr, "could not verify the cert: %s\n", certA); + fprintf(stderr, "Error: (%d): %s\n", ret, + wolfSSL_ERR_reason_error_string((word32)ret)); + return -1; + } + else { + fprintf(stderr, "successfully verified: %s\n", certA); + } + + return 0; +} +#define LOAD_ONE_CA(a, b, c, d) \ + do { \ + (a) = load_ca_into_cm(c, d); \ + if ((a) != 0) \ + return (b); \ + else \ + (b)--; \ + } while(0) + +#define VERIFY_ONE_CERT(a, b, c, d) \ + do { \ + (a) = verify_cert_with_cm(c, d);\ + if ((a) != 0) \ + return (b); \ + else \ + (b)--; \ + } while(0) + +static int test_chainG(WOLFSSL_CERT_MANAGER* cm) +{ + int ret; + int i = -1; + /* Chain G is a valid chain per RFC 5280 section 4.2.1.9 */ + char chainGArr[9][50] = {"certs/ca-cert.pem", + "certs/test-pathlen/chainG-ICA7-pathlen100.pem", + "certs/test-pathlen/chainG-ICA6-pathlen10.pem", + "certs/test-pathlen/chainG-ICA5-pathlen20.pem", + "certs/test-pathlen/chainG-ICA4-pathlen5.pem", + "certs/test-pathlen/chainG-ICA3-pathlen99.pem", + "certs/test-pathlen/chainG-ICA2-pathlen1.pem", + "certs/test-pathlen/chainG-ICA1-pathlen0.pem", + "certs/test-pathlen/chainG-entity.pem"}; + + LOAD_ONE_CA(ret, i, cm, chainGArr[0]); /* if failure, i = -1 here */ + LOAD_ONE_CA(ret, i, cm, chainGArr[1]); /* if failure, i = -2 here */ + LOAD_ONE_CA(ret, i, cm, chainGArr[2]); /* if failure, i = -3 here */ + LOAD_ONE_CA(ret, i, cm, chainGArr[3]); /* if failure, i = -4 here */ + LOAD_ONE_CA(ret, i, cm, chainGArr[4]); /* if failure, i = -5 here */ + LOAD_ONE_CA(ret, i, cm, chainGArr[5]); /* if failure, i = -6 here */ + LOAD_ONE_CA(ret, i, cm, chainGArr[6]); /* if failure, i = -7 here */ + LOAD_ONE_CA(ret, i, cm, chainGArr[7]); /* if failure, i = -8 here */ + VERIFY_ONE_CERT(ret, i, cm, chainGArr[1]); /* if failure, i = -9 here */ + VERIFY_ONE_CERT(ret, i, cm, chainGArr[2]); /* if failure, i = -10 here */ + VERIFY_ONE_CERT(ret, i, cm, chainGArr[3]); /* if failure, i = -11 here */ + VERIFY_ONE_CERT(ret, i, cm, chainGArr[4]); /* if failure, i = -12 here */ + VERIFY_ONE_CERT(ret, i, cm, chainGArr[5]); /* if failure, i = -13 here */ + VERIFY_ONE_CERT(ret, i, cm, chainGArr[6]); /* if failure, i = -14 here */ + VERIFY_ONE_CERT(ret, i, cm, chainGArr[7]); /* if failure, i = -15 here */ + VERIFY_ONE_CERT(ret, i, cm, chainGArr[8]); /* if failure, i = -16 here */ + + /* test validating the entity twice, should have no effect on pathLen since + * entity/leaf cert */ + VERIFY_ONE_CERT(ret, i, cm, chainGArr[8]); /* if failure, i = -17 here */ + + return ret; +} + +static int test_chainH(WOLFSSL_CERT_MANAGER* cm) +{ + int ret; + int i = -1; + /* Chain H is NOT a valid chain per RFC5280 section 4.2.1.9: + * ICA4-pathlen of 2 signing ICA3-pathlen of 2 (reduce max path len to 2) + * ICA3-pathlen of 2 signing ICA2-pathlen of 2 (reduce max path len to 1) + * ICA2-pathlen of 2 signing ICA1-pathlen of 0 (reduce max path len to 0) + * ICA1-pathlen of 0 signing entity (pathlen is already 0, ERROR) + * Test should successfully verify ICA4, ICA3, ICA2 and then fail on ICA1 + */ + char chainHArr[6][50] = {"certs/ca-cert.pem", + "certs/test-pathlen/chainH-ICA4-pathlen2.pem", + "certs/test-pathlen/chainH-ICA3-pathlen2.pem", + "certs/test-pathlen/chainH-ICA2-pathlen2.pem", + "certs/test-pathlen/chainH-ICA1-pathlen0.pem", + "certs/test-pathlen/chainH-entity.pem"}; + + LOAD_ONE_CA(ret, i, cm, chainHArr[0]); /* if failure, i = -1 here */ + LOAD_ONE_CA(ret, i, cm, chainHArr[1]); /* if failure, i = -2 here */ + LOAD_ONE_CA(ret, i, cm, chainHArr[2]); /* if failure, i = -3 here */ + LOAD_ONE_CA(ret, i, cm, chainHArr[3]); /* if failure, i = -4 here */ + LOAD_ONE_CA(ret, i, cm, chainHArr[4]); /* if failure, i = -5 here */ + VERIFY_ONE_CERT(ret, i, cm, chainHArr[1]); /* if failure, i = -6 here */ + VERIFY_ONE_CERT(ret, i, cm, chainHArr[2]); /* if failure, i = -7 here */ + VERIFY_ONE_CERT(ret, i, cm, chainHArr[3]); /* if failure, i = -8 here */ + VERIFY_ONE_CERT(ret, i, cm, chainHArr[4]); /* if failure, i = -9 here */ + VERIFY_ONE_CERT(ret, i, cm, chainHArr[5]); /* if failure, i = -10 here */ + + return ret; +} + +static int test_chainI(WOLFSSL_CERT_MANAGER* cm) +{ + int ret; + int i = -1; + /* Chain I is a valid chain per RFC5280 section 4.2.1.9: + * ICA3-pathlen of 2 signing ICA2 without a pathlen (reduce maxPathLen to 2) + * ICA2-no_pathlen signing ICA1-no_pathlen (reduce maxPathLen to 1) + * ICA1-no_pathlen signing entity (reduce maxPathLen to 0) + * Test should successfully verify ICA4, ICA3, ICA2 and then fail on ICA1 + */ + char chainIArr[5][50] = {"certs/ca-cert.pem", + "certs/test-pathlen/chainI-ICA3-pathlen2.pem", + "certs/test-pathlen/chainI-ICA2-no_pathlen.pem", + "certs/test-pathlen/chainI-ICA1-no_pathlen.pem", + "certs/test-pathlen/chainI-entity.pem"}; + + LOAD_ONE_CA(ret, i, cm, chainIArr[0]); /* if failure, i = -1 here */ + LOAD_ONE_CA(ret, i, cm, chainIArr[1]); /* if failure, i = -2 here */ + LOAD_ONE_CA(ret, i, cm, chainIArr[2]); /* if failure, i = -3 here */ + LOAD_ONE_CA(ret, i, cm, chainIArr[3]); /* if failure, i = -4 here */ + VERIFY_ONE_CERT(ret, i, cm, chainIArr[1]); /* if failure, i = -5 here */ + VERIFY_ONE_CERT(ret, i, cm, chainIArr[2]); /* if failure, i = -6 here */ + VERIFY_ONE_CERT(ret, i, cm, chainIArr[3]); /* if failure, i = -7 here */ + VERIFY_ONE_CERT(ret, i, cm, chainIArr[4]); /* if failure, i = -8 here */ + + return ret; +} + +static int test_chainJ(WOLFSSL_CERT_MANAGER* cm) +{ + int ret; + int i = -1; + /* Chain J is NOT a valid chain per RFC5280 section 4.2.1.9: + * ICA4-pathlen of 2 signing ICA3 without a pathlen (reduce maxPathLen to 2) + * ICA3-pathlen of 2 signing ICA2 without a pathlen (reduce maxPathLen to 1) + * ICA2-no_pathlen signing ICA1-no_pathlen (reduce maxPathLen to 0) + * ICA1-no_pathlen signing entity (ERROR, pathlen zero and non-leaf cert) + */ + char chainJArr[6][50] = {"certs/ca-cert.pem", + "certs/test-pathlen/chainJ-ICA4-pathlen2.pem", + "certs/test-pathlen/chainJ-ICA3-no_pathlen.pem", + "certs/test-pathlen/chainJ-ICA2-no_pathlen.pem", + "certs/test-pathlen/chainJ-ICA1-no_pathlen.pem", + "certs/test-pathlen/chainJ-entity.pem"}; + + LOAD_ONE_CA(ret, i, cm, chainJArr[0]); /* if failure, i = -1 here */ + LOAD_ONE_CA(ret, i, cm, chainJArr[1]); /* if failure, i = -2 here */ + LOAD_ONE_CA(ret, i, cm, chainJArr[2]); /* if failure, i = -3 here */ + LOAD_ONE_CA(ret, i, cm, chainJArr[3]); /* if failure, i = -4 here */ + LOAD_ONE_CA(ret, i, cm, chainJArr[4]); /* if failure, i = -5 here */ + VERIFY_ONE_CERT(ret, i, cm, chainJArr[1]); /* if failure, i = -6 here */ + VERIFY_ONE_CERT(ret, i, cm, chainJArr[2]); /* if failure, i = -7 here */ + VERIFY_ONE_CERT(ret, i, cm, chainJArr[3]); /* if failure, i = -8 here */ + VERIFY_ONE_CERT(ret, i, cm, chainJArr[4]); /* if failure, i = -9 here */ + VERIFY_ONE_CERT(ret, i, cm, chainJArr[5]); /* if failure, i = -10 here */ + + return ret; +} +#endif +#endif +#endif +#endif + +int test_various_pathlen_chains(void) +{ + EXPECT_DECLS; +#if defined(WOLFSSL_PEM_TO_DER) && defined(HAVE_CERT_CHAIN_VALIDATION) && \ + !defined(WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION) +#ifndef NO_SHA256 + WOLFSSL_CERT_MANAGER* cm = NULL; + + /* Test chain G (large chain with varying pathLens) */ + ExpectNotNull(cm = wolfSSL_CertManagerNew()); +#if defined(NO_WOLFSSL_CLIENT) && defined(NO_WOLFSSL_SERVER) + ExpectIntEQ(test_chainG(cm), -1); +#else + ExpectIntEQ(test_chainG(cm), 0); +#endif /* NO_WOLFSSL_CLIENT && NO_WOLFSSL_SERVER */ + ExpectIntEQ(wolfSSL_CertManagerUnloadCAs(cm), WOLFSSL_SUCCESS); + wolfSSL_CertManagerFree(cm); + /* end test chain G */ + + /* Test chain H (5 chain with same pathLens) */ + ExpectNotNull(cm = wolfSSL_CertManagerNew()); + ExpectIntLT(test_chainH(cm), 0); + ExpectIntEQ(wolfSSL_CertManagerUnloadCAs(cm), WOLFSSL_SUCCESS); + wolfSSL_CertManagerFree(cm); + + ExpectNotNull(cm = wolfSSL_CertManagerNew()); + ExpectIntEQ(wolfSSL_CertManagerUnloadCAs(cm), WOLFSSL_SUCCESS); + wolfSSL_CertManagerFree(cm); + /* end test chain H */ + + /* Test chain I (only first ICA has pathLen set and it's set to 2, + * followed by 2 ICA's, should pass) */ + ExpectNotNull(cm = wolfSSL_CertManagerNew()); +#if defined(NO_WOLFSSL_CLIENT) && defined(NO_WOLFSSL_SERVER) + ExpectIntEQ(test_chainI(cm), -1); +#else + ExpectIntEQ(test_chainI(cm), 0); +#endif /* NO_WOLFSSL_CLIENT && NO_WOLFSSL_SERVER */ + ExpectIntEQ(wolfSSL_CertManagerUnloadCAs(cm), WOLFSSL_SUCCESS); + wolfSSL_CertManagerFree(cm); + cm = NULL; + + ExpectNotNull(cm = wolfSSL_CertManagerNew()); + ExpectIntEQ(wolfSSL_CertManagerUnloadCAs(cm), WOLFSSL_SUCCESS); + wolfSSL_CertManagerFree(cm); + cm = NULL; + + /* Test chain J (Again only first ICA has pathLen set and it's set to 2, + * this time followed by 3 ICA's, should fail */ + ExpectNotNull(cm = wolfSSL_CertManagerNew()); + ExpectIntLT(test_chainJ(cm), 0); + ExpectIntEQ(wolfSSL_CertManagerUnloadCAs(cm), WOLFSSL_SUCCESS); + wolfSSL_CertManagerFree(cm); + cm = NULL; + + ExpectNotNull(cm = wolfSSL_CertManagerNew()); + ExpectIntEQ(wolfSSL_CertManagerUnloadCAs(cm), WOLFSSL_SUCCESS); + wolfSSL_CertManagerFree(cm); +#endif +#endif + return EXPECT_RESULT(); +} + diff --git a/tests/api/test_certman.h b/tests/api/test_certman.h new file mode 100644 index 00000000000..e278b76a140 --- /dev/null +++ b/tests/api/test_certman.h @@ -0,0 +1,61 @@ +/* test_certman.h + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +#ifndef WOLFCRYPT_TEST_CERTMAN_H +#define WOLFCRYPT_TEST_CERTMAN_H + +#include + +int test_wolfSSL_CertManagerAPI(void); +int test_wolfSSL_CertManagerLoadCABuffer(void); +int test_wolfSSL_CertManagerLoadCABuffer_ex(void); +int test_wolfSSL_CertManagerLoadCABufferType(void); +int test_wolfSSL_CertManagerGetCerts(void); +int test_wolfSSL_CertManagerSetVerify(void); +int test_wolfSSL_CertManagerNameConstraint(void); +int test_wolfSSL_CertManagerNameConstraint2(void); +int test_wolfSSL_CertManagerNameConstraint3(void); +int test_wolfSSL_CertManagerNameConstraint4(void); +int test_wolfSSL_CertManagerNameConstraint5(void); +int test_wolfSSL_CertManagerCRL(void); +int test_wolfSSL_CRL_duplicate_extensions(void); +int test_wolfSSL_CertManagerCheckOCSPResponse(void); +int test_various_pathlen_chains(void); + +#define TEST_CERTMAN_DECLS \ + TEST_DECL_GROUP("certman", test_wolfSSL_CertManagerAPI), \ + TEST_DECL_GROUP("certman", test_wolfSSL_CertManagerLoadCABuffer), \ + TEST_DECL_GROUP("certman", test_wolfSSL_CertManagerLoadCABuffer_ex), \ + TEST_DECL_GROUP("certman", test_wolfSSL_CertManagerLoadCABufferType), \ + TEST_DECL_GROUP("certman", test_wolfSSL_CertManagerGetCerts), \ + TEST_DECL_GROUP("certman", test_wolfSSL_CertManagerSetVerify), \ + TEST_DECL_GROUP("certman", test_wolfSSL_CertManagerNameConstraint), \ + TEST_DECL_GROUP("certman", test_wolfSSL_CertManagerNameConstraint2), \ + TEST_DECL_GROUP("certman", test_wolfSSL_CertManagerNameConstraint3), \ + TEST_DECL_GROUP("certman", test_wolfSSL_CertManagerNameConstraint4), \ + TEST_DECL_GROUP("certman", test_wolfSSL_CertManagerNameConstraint5), \ + TEST_DECL_GROUP("certman", test_wolfSSL_CertManagerCRL), \ + TEST_DECL_GROUP("certman", test_wolfSSL_CRL_duplicate_extensions), \ + TEST_DECL_GROUP("certman", test_wolfSSL_CertManagerCheckOCSPResponse), \ + TEST_DECL_GROUP("certman", test_various_pathlen_chains) + +#endif /* WOLFCRYPT_TEST_CERTMAN_H */ + diff --git a/tests/api/test_evp.c b/tests/api/test_evp.c index 43166aab2aa..8c768eb8771 100644 --- a/tests/api/test_evp.c +++ b/tests/api/test_evp.c @@ -26,75 +26,546 @@ #include #include -/* Test for NULL_CIPHER_TYPE in wolfSSL_EVP_CipherUpdate() */ -int test_wolfSSL_EVP_CipherUpdate_Null(void) +/* Test functions for base64 encode/decode */ +int test_wolfSSL_EVP_ENCODE_CTX_new(void) { EXPECT_DECLS; -#ifdef OPENSSL_EXTRA - WOLFSSL_EVP_CIPHER_CTX* ctx; - const char* testData = "Test NULL cipher data"; - unsigned char output[100]; - int outputLen = 0; - int testDataLen = (int)XSTRLEN(testData); +#if defined(OPENSSL_EXTRA) && \ +( defined(WOLFSSL_BASE64_ENCODE) || defined(WOLFSSL_BASE64_DECODE)) + EVP_ENCODE_CTX* ctx = NULL; - /* Create and initialize the cipher context */ - ctx = wolfSSL_EVP_CIPHER_CTX_new(); - ExpectNotNull(ctx); + ExpectNotNull(ctx = EVP_ENCODE_CTX_new()); + ExpectIntEQ(ctx->remaining,0); + ExpectIntEQ(ctx->data[0],0); + ExpectIntEQ(ctx->data[sizeof(ctx->data) -1],0); + EVP_ENCODE_CTX_free(ctx); +#endif /* OPENSSL_EXTRA && (WOLFSSL_BASE64_ENCODE || WOLFSSL_BASE64_DECODE) */ + return EXPECT_RESULT(); +} +int test_wolfSSL_EVP_ENCODE_CTX_free(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && \ +( defined(WOLFSSL_BASE64_ENCODE) || defined(WOLFSSL_BASE64_DECODE)) + EVP_ENCODE_CTX* ctx = NULL; - /* Initialize with NULL cipher */ - ExpectIntEQ(wolfSSL_EVP_CipherInit_ex(ctx, wolfSSL_EVP_enc_null(), - NULL, NULL, NULL, 1), WOLFSSL_SUCCESS); + ExpectNotNull(ctx = EVP_ENCODE_CTX_new()); + EVP_ENCODE_CTX_free(ctx); +#endif /* OPENSSL_EXTRA && (WOLFSSL_BASE64_ENCODE || WOLFSSL_BASE64_DECODE) */ + return EXPECT_RESULT(); +} - /* Test encryption (which should just copy the data) */ - ExpectIntEQ(wolfSSL_EVP_CipherUpdate(ctx, output, &outputLen, - (const unsigned char*)testData, - testDataLen), WOLFSSL_SUCCESS); +int test_wolfSSL_EVP_EncodeInit(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_BASE64_ENCODE) + EVP_ENCODE_CTX* ctx = NULL; + + ExpectNotNull(ctx = EVP_ENCODE_CTX_new()); + ExpectIntEQ(ctx->remaining, 0); + ExpectIntEQ(ctx->data[0], 0); + ExpectIntEQ(ctx->data[sizeof(ctx->data) -1], 0); - /* Verify output length matches input length */ - ExpectIntEQ(outputLen, testDataLen); + if (ctx != NULL) { + /* make ctx dirty */ + ctx->remaining = 10; + XMEMSET(ctx->data, 0x77, sizeof(ctx->data)); + } - /* Verify output data matches input data (no encryption occurred) */ - ExpectIntEQ(XMEMCMP(output, testData, testDataLen), 0); + EVP_EncodeInit(ctx); - /* Clean up */ - wolfSSL_EVP_CIPHER_CTX_free(ctx); -#endif /* OPENSSL_EXTRA */ + ExpectIntEQ(ctx->remaining, 0); + ExpectIntEQ(ctx->data[0], 0); + ExpectIntEQ(ctx->data[sizeof(ctx->data) -1], 0); + EVP_ENCODE_CTX_free(ctx); +#endif /* OPENSSL_EXTRA && WOLFSSL_BASE64_ENCODE*/ return EXPECT_RESULT(); } -/* Test for wolfSSL_EVP_CIPHER_type_string() */ -int test_wolfSSL_EVP_CIPHER_type_string(void) +int test_wolfSSL_EVP_EncodeUpdate(void) { EXPECT_DECLS; -#ifdef OPENSSL_EXTRA - const char* cipherStr; - - /* Test with valid cipher types */ -#ifdef HAVE_AES_CBC - #ifdef WOLFSSL_AES_128 - cipherStr = wolfSSL_EVP_CIPHER_type_string(WC_AES_128_CBC_TYPE); - ExpectNotNull(cipherStr); - ExpectStrEQ(cipherStr, "AES-128-CBC"); - #endif -#endif - -#ifndef NO_DES3 - cipherStr = wolfSSL_EVP_CIPHER_type_string(WC_DES_CBC_TYPE); - ExpectNotNull(cipherStr); - ExpectStrEQ(cipherStr, "DES-CBC"); -#endif - - /* Test with NULL cipher type */ - cipherStr = wolfSSL_EVP_CIPHER_type_string(WC_NULL_CIPHER_TYPE); - ExpectNotNull(cipherStr); - ExpectStrEQ(cipherStr, "NULL"); - - /* Test with invalid cipher type */ - cipherStr = wolfSSL_EVP_CIPHER_type_string(0xFFFF); - ExpectNull(cipherStr); -#endif /* OPENSSL_EXTRA */ +#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_BASE64_ENCODE) + int outl; + int total; + + const unsigned char plain0[] = {"Th"}; + const unsigned char plain1[] = {"This is a base64 encodeing test."}; + const unsigned char plain2[] = {"This is additional data."}; + + const unsigned char encBlock0[] = {"VGg="}; + const unsigned char enc0[] = {"VGg=\n"}; + /* expected encoded result for the first output 64 chars plus trailing LF*/ + const unsigned char enc1[] = { + "VGhpcyBpcyBhIGJhc2U2NCBlbmNvZGVpbmcgdGVzdC5UaGlzIGlzIGFkZGl0aW9u\n" + }; + + const unsigned char enc2[] = { + "VGhpcyBpcyBhIGJhc2U2NCBlbmNvZGVpbmcgdGVzdC5UaGlzIGlzIGFkZGl0aW9u\n" + "YWwgZGF0YS4=\n" + }; + + unsigned char encOutBuff[300]; + + EVP_ENCODE_CTX* ctx = NULL; + + ExpectNotNull(ctx = EVP_ENCODE_CTX_new()); + + EVP_EncodeInit(ctx); + + /* illegal parameter test */ + ExpectIntEQ( + EVP_EncodeUpdate( + NULL, /* pass NULL as ctx */ + encOutBuff, + &outl, + plain1, + sizeof(plain1)-1), + 0 /* expected result code 0: fail */ + ); + + ExpectIntEQ( + EVP_EncodeUpdate( + ctx, + NULL, /* pass NULL as out buff */ + &outl, + plain1, + sizeof(plain1)-1), + 0 /* expected result code 0: fail */ + ); + + ExpectIntEQ( + EVP_EncodeUpdate( + ctx, + encOutBuff, + NULL, /* pass NULL as outl */ + plain1, + sizeof(plain1)-1), + 0 /* expected result code 0: fail */ + ); + + ExpectIntEQ( + EVP_EncodeUpdate( + ctx, + encOutBuff, + &outl, + NULL, /* pass NULL as in */ + sizeof(plain1)-1), + 0 /* expected result code 0: fail */ + ); + + ExpectIntEQ(EVP_EncodeBlock(NULL, NULL, 0), -1); + + /* meaningless parameter test */ + + ExpectIntEQ( + EVP_EncodeUpdate( + ctx, + encOutBuff, + &outl, + plain1, + 0), /* pass zero input */ + 1 /* expected result code 1: success */ + ); + + /* very small data encoding test */ + + EVP_EncodeInit(ctx); + + ExpectIntEQ( + EVP_EncodeUpdate( + ctx, + encOutBuff, + &outl, + plain0, + sizeof(plain0)-1), + 1 /* expected result code 1: success */ + ); + ExpectIntEQ(outl,0); + if (EXPECT_SUCCESS()) { + EVP_EncodeFinal( + ctx, + encOutBuff + outl, + &outl); + } + + ExpectIntEQ( outl, sizeof(enc0)-1); + ExpectIntEQ( + XSTRNCMP( + (const char*)encOutBuff, + (const char*)enc0,sizeof(enc0) ), + 0); + + XMEMSET( encOutBuff,0, sizeof(encOutBuff)); + ExpectIntEQ(EVP_EncodeBlock(encOutBuff, plain0, sizeof(plain0)-1), + sizeof(encBlock0)-1); + ExpectStrEQ(encOutBuff, encBlock0); + + /* pass small size( < 48bytes ) input, then make sure they are not + * encoded and just stored in ctx + */ + + EVP_EncodeInit(ctx); + + total = 0; + outl = 0; + XMEMSET( encOutBuff,0, sizeof(encOutBuff)); + + ExpectIntEQ( + EVP_EncodeUpdate( + ctx, + encOutBuff, /* buffer for output */ + &outl, /* size of output */ + plain1, /* input */ + sizeof(plain1)-1), /* size of input */ + 1); /* expected result code 1:success */ + + total += outl; + + ExpectIntEQ(outl, 0); /* no output expected */ + ExpectIntEQ(ctx->remaining, sizeof(plain1) -1); + ExpectTrue( + XSTRNCMP((const char*)(ctx->data), + (const char*)plain1, + ctx->remaining) ==0 ); + ExpectTrue(encOutBuff[0] == 0); + + /* call wolfSSL_EVP_EncodeUpdate again to make it encode + * the stored data and the new input together + */ + ExpectIntEQ( + EVP_EncodeUpdate( + ctx, + encOutBuff + outl, /* buffer for output */ + &outl, /* size of output */ + plain2, /* additional input */ + sizeof(plain2) -1), /* size of additional input */ + 1); /* expected result code 1:success */ + + total += outl; + + ExpectIntNE(outl, 0); /* some output is expected this time*/ + ExpectIntEQ(outl, BASE64_ENCODE_RESULT_BLOCK_SIZE +1); /* 64 bytes and LF */ + ExpectIntEQ( + XSTRNCMP((const char*)encOutBuff,(const char*)enc1,sizeof(enc1) ),0); + + /* call wolfSSL_EVP_EncodeFinal to flush all the unprocessed input */ + EVP_EncodeFinal( + ctx, + encOutBuff + outl, + &outl); + + total += outl; + + ExpectIntNE(total,0); + ExpectIntNE(outl,0); + ExpectIntEQ(XSTRNCMP( + (const char*)encOutBuff,(const char*)enc2,sizeof(enc2) ),0); + + /* test with illeagal parameters */ + outl = 1; + EVP_EncodeFinal(NULL, encOutBuff + outl, &outl); + ExpectIntEQ(outl, 0); + outl = 1; + EVP_EncodeFinal(ctx, NULL, &outl); + ExpectIntEQ(outl, 0); + EVP_EncodeFinal(ctx, encOutBuff + outl, NULL); + EVP_EncodeFinal(NULL, NULL, NULL); + + EVP_ENCODE_CTX_free(ctx); +#endif /* OPENSSL_EXTRA && WOLFSSL_BASE64_ENCODE*/ return EXPECT_RESULT(); } +int test_wolfSSL_EVP_EncodeFinal(void) +{ + int res = TEST_SKIPPED; +#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_BASE64_ENCODE) + /* tests for wolfSSL_EVP_EncodeFinal are included in + * test_wolfSSL_EVP_EncodeUpdate + */ + res = TEST_SUCCESS; +#endif /* OPENSSL_EXTRA && WOLFSSL_BASE64_ENCODE*/ + return res; +} + + +int test_wolfSSL_EVP_DecodeInit(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_BASE64_DECODE) + EVP_ENCODE_CTX* ctx = NULL; + + ExpectNotNull( ctx = EVP_ENCODE_CTX_new()); + ExpectIntEQ( ctx->remaining,0); + ExpectIntEQ( ctx->data[0],0); + ExpectIntEQ( ctx->data[sizeof(ctx->data) -1],0); + + if (ctx != NULL) { + /* make ctx dirty */ + ctx->remaining = 10; + XMEMSET( ctx->data, 0x77, sizeof(ctx->data)); + } + + EVP_DecodeInit(ctx); + + ExpectIntEQ( ctx->remaining,0); + ExpectIntEQ( ctx->data[0],0); + ExpectIntEQ( ctx->data[sizeof(ctx->data) -1],0); + + EVP_ENCODE_CTX_free(ctx); +#endif /* OPENSSL && WOLFSSL_BASE_DECODE */ + return EXPECT_RESULT(); +} +int test_wolfSSL_EVP_DecodeUpdate(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_BASE64_DECODE) + int outl; + unsigned char decOutBuff[300]; + + EVP_ENCODE_CTX* ctx = NULL; + + static const unsigned char enc1[] = + {"VGhpcyBpcyBhIGJhc2U2NCBkZWNvZGluZyB0ZXN0Lg==\n"}; +/* const unsigned char plain1[] = + {"This is a base64 decoding test."} */ + + ExpectNotNull(ctx = EVP_ENCODE_CTX_new()); + + EVP_DecodeInit(ctx); + + /* illegal parameter tests */ + + /* pass NULL as ctx */ + ExpectIntEQ( + EVP_DecodeUpdate( + NULL, /* pass NULL as ctx */ + decOutBuff, + &outl, + enc1, + sizeof(enc1)-1), + -1 /* expected result code -1: fail */ + ); + ExpectIntEQ( outl, 0); + + /* pass NULL as output */ + ExpectIntEQ( + EVP_DecodeUpdate( + ctx, + NULL, /* pass NULL as out buff */ + &outl, + enc1, + sizeof(enc1)-1), + -1 /* expected result code -1: fail */ + ); + ExpectIntEQ( outl, 0); + + /* pass NULL as outl */ + ExpectIntEQ( + EVP_DecodeUpdate( + ctx, + decOutBuff, + NULL, /* pass NULL as outl */ + enc1, + sizeof(enc1)-1), + -1 /* expected result code -1: fail */ + ); + + /* pass NULL as input */ + ExpectIntEQ( + EVP_DecodeUpdate( + ctx, + decOutBuff, + &outl, + NULL, /* pass NULL as in */ + sizeof(enc1)-1), + -1 /* expected result code -1: fail */ + ); + ExpectIntEQ( outl, 0); + + ExpectIntEQ(EVP_DecodeBlock(NULL, NULL, 0), -1); + + /* pass zero length input */ + + ExpectIntEQ( + EVP_DecodeUpdate( + ctx, + decOutBuff, + &outl, + enc1, + 0), /* pass zero as input len */ + 1 /* expected result code 1: success */ + ); + + /* decode correct base64 string */ + + { + static const unsigned char enc2[] = + {"VGhpcyBpcyBhIGJhc2U2NCBkZWNvZGluZyB0ZXN0Lg==\n"}; + static const unsigned char plain2[] = + {"This is a base64 decoding test."}; + + EVP_EncodeInit(ctx); + + ExpectIntEQ( + EVP_DecodeUpdate( + ctx, + decOutBuff, + &outl, + enc2, + sizeof(enc2)-1), + 0 /* expected result code 0: success */ + ); + + ExpectIntEQ(outl,sizeof(plain2) -1); + + ExpectIntEQ( + EVP_DecodeFinal( + ctx, + decOutBuff + outl, + &outl), + 1 /* expected result code 1: success */ + ); + ExpectIntEQ(outl, 0); /* expected DecodeFinal output no data */ + + ExpectIntEQ(XSTRNCMP( (const char*)plain2,(const char*)decOutBuff, + sizeof(plain2) -1 ),0); + ExpectIntEQ(EVP_DecodeBlock(decOutBuff, enc2, sizeof(enc2)), + sizeof(plain2)-1); + ExpectIntEQ(XSTRNCMP( (const char*)plain2,(const char*)decOutBuff, + sizeof(plain2) -1 ),0); + } + + /* decode correct base64 string which does not have '\n' in its last*/ + + { + static const unsigned char enc3[] = + {"VGhpcyBpcyBhIGJhc2U2NCBkZWNvZGluZyB0ZXN0Lg=="}; /* 44 chars */ + static const unsigned char plain3[] = + {"This is a base64 decoding test."}; /* 31 chars */ + + EVP_EncodeInit(ctx); + + ExpectIntEQ( + EVP_DecodeUpdate( + ctx, + decOutBuff, + &outl, + enc3, + sizeof(enc3)-1), + 0 /* expected result code 0: success */ + ); + + ExpectIntEQ(outl,sizeof(plain3)-1); /* 31 chars should be output */ + + ExpectIntEQ(XSTRNCMP( (const char*)plain3,(const char*)decOutBuff, + sizeof(plain3) -1 ),0); + + ExpectIntEQ( + EVP_DecodeFinal( + ctx, + decOutBuff + outl, + &outl), + 1 /* expected result code 1: success */ + ); + + ExpectIntEQ(outl,0 ); + + ExpectIntEQ(EVP_DecodeBlock(decOutBuff, enc3, sizeof(enc3)-1), + sizeof(plain3)-1); + ExpectIntEQ(XSTRNCMP( (const char*)plain3,(const char*)decOutBuff, + sizeof(plain3) -1 ),0); + } + + /* decode string which has a padding char ('=') in the illegal position*/ + + { + static const unsigned char enc4[] = + {"VGhpcyBpcyBhIGJhc2U2N=CBkZWNvZGluZyB0ZXN0Lg==\n"}; + + EVP_EncodeInit(ctx); + + ExpectIntEQ( + EVP_DecodeUpdate( + ctx, + decOutBuff, + &outl, + enc4, + sizeof(enc4)-1), + -1 /* expected result code -1: error */ + ); + ExpectIntEQ(outl,0); + ExpectIntEQ(EVP_DecodeBlock(decOutBuff, enc4, sizeof(enc4)-1), -1); + } + + /* small data decode test */ + + { + static const unsigned char enc00[] = {"VG"}; + static const unsigned char enc01[] = {"g=\n"}; + static const unsigned char plain4[] = {"Th"}; + + EVP_EncodeInit(ctx); + + ExpectIntEQ( + EVP_DecodeUpdate( + ctx, + decOutBuff, + &outl, + enc00, + sizeof(enc00)-1), + 1 /* expected result code 1: success */ + ); + ExpectIntEQ(outl,0); + + ExpectIntEQ( + EVP_DecodeUpdate( + ctx, + decOutBuff + outl, + &outl, + enc01, + sizeof(enc01)-1), + 0 /* expected result code 0: success */ + ); + + ExpectIntEQ(outl,sizeof(plain4)-1); + + /* test with illegal parameters */ + ExpectIntEQ(EVP_DecodeFinal(NULL,decOutBuff + outl,&outl), -1); + ExpectIntEQ(EVP_DecodeFinal(ctx,NULL,&outl), -1); + ExpectIntEQ(EVP_DecodeFinal(ctx,decOutBuff + outl, NULL), -1); + ExpectIntEQ(EVP_DecodeFinal(NULL,NULL, NULL), -1); + + if (EXPECT_SUCCESS()) { + EVP_DecodeFinal( + ctx, + decOutBuff + outl, + &outl); + } + + ExpectIntEQ( outl, 0); + ExpectIntEQ( + XSTRNCMP( + (const char*)decOutBuff, + (const char*)plain4,sizeof(plain4)-1 ), + 0); + } + + EVP_ENCODE_CTX_free(ctx); +#endif /* OPENSSL && WOLFSSL_BASE_DECODE */ + return EXPECT_RESULT(); +} +int test_wolfSSL_EVP_DecodeFinal(void) +{ + int res = TEST_SKIPPED; +#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_BASE64_DECODE) + /* tests for wolfSSL_EVP_DecodeFinal are included in + * test_wolfSSL_EVP_DecodeUpdate + */ + res = TEST_SUCCESS; +#endif /* OPENSSL && WOLFSSL_BASE_DECODE */ + return res; +} diff --git a/tests/api/test_evp.h b/tests/api/test_evp.h index 013ac50aa54..a246099030b 100644 --- a/tests/api/test_evp.h +++ b/tests/api/test_evp.h @@ -22,7 +22,25 @@ #ifndef WOLFSSL_TEST_EVP_H #define WOLFSSL_TEST_EVP_H -int test_wolfSSL_EVP_CipherUpdate_Null(void); -int test_wolfSSL_EVP_CIPHER_type_string(void); +#include + +int test_wolfSSL_EVP_ENCODE_CTX_new(void); +int test_wolfSSL_EVP_ENCODE_CTX_free(void); +int test_wolfSSL_EVP_EncodeInit(void); +int test_wolfSSL_EVP_EncodeUpdate(void); +int test_wolfSSL_EVP_EncodeFinal(void); +int test_wolfSSL_EVP_DecodeInit(void); +int test_wolfSSL_EVP_DecodeUpdate(void); +int test_wolfSSL_EVP_DecodeFinal(void); + +#define TEST_EVP_ENC_DECLS \ + TEST_DECL_GROUP("evp_enc", test_wolfSSL_EVP_ENCODE_CTX_new), \ + TEST_DECL_GROUP("evp_enc", test_wolfSSL_EVP_ENCODE_CTX_free), \ + TEST_DECL_GROUP("evp_enc", test_wolfSSL_EVP_EncodeInit), \ + TEST_DECL_GROUP("evp_enc", test_wolfSSL_EVP_EncodeUpdate), \ + TEST_DECL_GROUP("evp_enc", test_wolfSSL_EVP_EncodeFinal), \ + TEST_DECL_GROUP("evp_enc", test_wolfSSL_EVP_DecodeInit), \ + TEST_DECL_GROUP("evp_enc", test_wolfSSL_EVP_DecodeUpdate), \ + TEST_DECL_GROUP("evp_enc", test_wolfSSL_EVP_DecodeFinal) #endif /* WOLFSSL_TEST_EVP_H */ diff --git a/tests/api/test_evp_cipher.c b/tests/api/test_evp_cipher.c new file mode 100644 index 00000000000..99fae5a654b --- /dev/null +++ b/tests/api/test_evp_cipher.c @@ -0,0 +1,2704 @@ +/* test_evp_cipher.c + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +#include + +#ifdef NO_INLINE + #include +#else + #define WOLFSSL_MISC_INCLUDED + #include +#endif + +#include +#include +#include +#if defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION == 2) + #include +#endif + + +int test_wolfSSL_EVP_CIPHER_CTX(void) +{ + EXPECT_DECLS; +#if !defined(NO_AES) && defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_128) && \ + defined(OPENSSL_EXTRA) + EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new(); + const EVP_CIPHER *init = EVP_aes_128_cbc(); + const EVP_CIPHER *test; + byte key[AES_BLOCK_SIZE] = {0}; + byte iv[AES_BLOCK_SIZE] = {0}; + + ExpectNotNull(ctx); + wolfSSL_EVP_CIPHER_CTX_init(ctx); + ExpectIntEQ(EVP_CipherInit(ctx, init, key, iv, 1), WOLFSSL_SUCCESS); + test = EVP_CIPHER_CTX_cipher(ctx); + ExpectTrue(init == test); + ExpectIntEQ(EVP_CIPHER_nid(test), NID_aes_128_cbc); + + ExpectIntEQ(EVP_CIPHER_CTX_reset(ctx), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_CIPHER_CTX_reset(NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + + EVP_CIPHER_CTX_free(ctx); + /* test EVP_CIPHER_CTX_cleanup with NULL */ + ExpectIntEQ(EVP_CIPHER_CTX_cleanup(NULL), WOLFSSL_SUCCESS); +#endif /* !NO_AES && HAVE_AES_CBC && WOLFSSL_AES_128 && OPENSSL_EXTRA */ + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_CIPHER_CTX_iv_length(void) +{ + EXPECT_DECLS; +#ifdef OPENSSL_ALL + /* This is large enough to be used for all key sizes */ + byte key[AES_256_KEY_SIZE] = {0}; + byte iv[AES_BLOCK_SIZE] = {0}; + int i; + int nids[] = { + #ifdef HAVE_AES_CBC + NID_aes_128_cbc, + #endif + #if (!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)) + #ifdef HAVE_AESGCM + NID_aes_128_gcm, + #endif + #endif /* (HAVE_FIPS && !HAVE_SELFTEST) || HAVE_FIPS_VERSION > 2 */ + #ifdef WOLFSSL_AES_COUNTER + NID_aes_128_ctr, + #endif + #ifndef NO_DES3 + NID_des_cbc, + NID_des_ede3_cbc, + #endif + }; + int iv_lengths[] = { + #ifdef HAVE_AES_CBC + AES_BLOCK_SIZE, + #endif + #if (!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)) + #ifdef HAVE_AESGCM + GCM_NONCE_MID_SZ, + #endif + #endif /* (HAVE_FIPS && !HAVE_SELFTEST) || HAVE_FIPS_VERSION > 2 */ + #ifdef WOLFSSL_AES_COUNTER + AES_BLOCK_SIZE, + #endif + #ifndef NO_DES3 + DES_BLOCK_SIZE, + DES_BLOCK_SIZE, + #endif + }; + int nidsLen = (sizeof(nids)/sizeof(int)); + + for (i = 0; i < nidsLen; i++) { + const EVP_CIPHER* init = wolfSSL_EVP_get_cipherbynid(nids[i]); + EVP_CIPHER_CTX* ctx = EVP_CIPHER_CTX_new(); + wolfSSL_EVP_CIPHER_CTX_init(ctx); + + ExpectIntEQ(EVP_CipherInit(ctx, init, key, iv, 1), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_iv_length(ctx), iv_lengths[i]); + + EVP_CIPHER_CTX_free(ctx); + } +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_CIPHER_CTX_key_length(void) +{ + EXPECT_DECLS; +#ifdef OPENSSL_ALL + byte key[AES_256_KEY_SIZE] = {0}; + byte iv[AES_BLOCK_SIZE] = {0}; + int i; + int nids[] = { + #ifdef HAVE_AES_CBC + NID_aes_128_cbc, + #ifdef WOLFSSL_AES_256 + NID_aes_256_cbc, + #endif + #endif + #if (!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)) + #ifdef HAVE_AESGCM + NID_aes_128_gcm, + #ifdef WOLFSSL_AES_256 + NID_aes_256_gcm, + #endif + #endif + #endif /* (HAVE_FIPS && !HAVE_SELFTEST) || HAVE_FIPS_VERSION > 2 */ + #ifdef WOLFSSL_AES_COUNTER + NID_aes_128_ctr, + #ifdef WOLFSSL_AES_256 + NID_aes_256_ctr, + #endif + #endif + #ifndef NO_DES3 + NID_des_cbc, + NID_des_ede3_cbc, + #endif + }; + int key_lengths[] = { + #ifdef HAVE_AES_CBC + AES_128_KEY_SIZE, + #ifdef WOLFSSL_AES_256 + AES_256_KEY_SIZE, + #endif + #endif + #if (!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)) + #ifdef HAVE_AESGCM + AES_128_KEY_SIZE, + #ifdef WOLFSSL_AES_256 + AES_256_KEY_SIZE, + #endif + #endif + #endif /* (HAVE_FIPS && !HAVE_SELFTEST) || HAVE_FIPS_VERSION > 2 */ + #ifdef WOLFSSL_AES_COUNTER + AES_128_KEY_SIZE, + #ifdef WOLFSSL_AES_256 + AES_256_KEY_SIZE, + #endif + #endif + #ifndef NO_DES3 + DES_KEY_SIZE, + DES3_KEY_SIZE, + #endif + }; + int nidsLen = (sizeof(nids)/sizeof(int)); + + for (i = 0; i < nidsLen; i++) { + const EVP_CIPHER *init = wolfSSL_EVP_get_cipherbynid(nids[i]); + EVP_CIPHER_CTX* ctx = EVP_CIPHER_CTX_new(); + wolfSSL_EVP_CIPHER_CTX_init(ctx); + + ExpectIntEQ(EVP_CipherInit(ctx, init, key, iv, 1), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_key_length(ctx), key_lengths[i]); + + ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_set_key_length(ctx, key_lengths[i]), + WOLFSSL_SUCCESS); + + EVP_CIPHER_CTX_free(ctx); + } +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_CIPHER_CTX_set_iv(void) +{ + EXPECT_DECLS; +#if defined(HAVE_AESGCM) && !defined(NO_DES3) && defined(OPENSSL_ALL) + int ivLen, keyLen; + EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new(); +#ifdef HAVE_AESGCM + byte key[AES_128_KEY_SIZE] = {0}; + byte iv[AES_BLOCK_SIZE] = {0}; + const EVP_CIPHER *init = EVP_aes_128_gcm(); +#else + byte key[DES3_KEY_SIZE] = {0}; + byte iv[DES_BLOCK_SIZE] = {0}; + const EVP_CIPHER *init = EVP_des_ede3_cbc(); +#endif + + wolfSSL_EVP_CIPHER_CTX_init(ctx); + ExpectIntEQ(EVP_CipherInit(ctx, init, key, iv, 1), WOLFSSL_SUCCESS); + + ivLen = wolfSSL_EVP_CIPHER_CTX_iv_length(ctx); + keyLen = wolfSSL_EVP_CIPHER_CTX_key_length(ctx); + + /* Bad cases */ + ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_set_iv(NULL, iv, ivLen), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_set_iv(ctx, NULL, ivLen), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_set_iv(ctx, iv, 0), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_set_iv(NULL, NULL, 0), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_set_iv(ctx, iv, keyLen), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + + /* Good case */ + ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_set_iv(ctx, iv, ivLen), 1); + + EVP_CIPHER_CTX_free(ctx); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_get_cipherbynid(void) +{ + EXPECT_DECLS; +#ifdef OPENSSL_EXTRA +#ifndef NO_AES + const WOLFSSL_EVP_CIPHER* c; + + c = wolfSSL_EVP_get_cipherbynid(419); + #if (defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT)) && \ + defined(WOLFSSL_AES_128) + ExpectNotNull(c); + ExpectNotNull(XSTRCMP("EVP_AES_128_CBC", c)); + #else + ExpectNull(c); + #endif + + c = wolfSSL_EVP_get_cipherbynid(423); + #if (defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT)) && \ + defined(WOLFSSL_AES_192) + ExpectNotNull(c); + ExpectNotNull(XSTRCMP("EVP_AES_192_CBC", c)); + #else + ExpectNull(c); + #endif + + c = wolfSSL_EVP_get_cipherbynid(427); + #if (defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT)) && \ + defined(WOLFSSL_AES_256) + ExpectNotNull(c); + ExpectNotNull(XSTRCMP("EVP_AES_256_CBC", c)); + #else + ExpectNull(c); + #endif + + c = wolfSSL_EVP_get_cipherbynid(904); + #if defined(WOLFSSL_AES_COUNTER) && defined(WOLFSSL_AES_128) + ExpectNotNull(c); + ExpectNotNull(XSTRCMP("EVP_AES_128_CTR", c)); + #else + ExpectNull(c); + #endif + + c = wolfSSL_EVP_get_cipherbynid(905); + #if defined(WOLFSSL_AES_COUNTER) && defined(WOLFSSL_AES_192) + ExpectNotNull(c); + ExpectNotNull(XSTRCMP("EVP_AES_192_CTR", c)); + #else + ExpectNull(c); + #endif + + c = wolfSSL_EVP_get_cipherbynid(906); + #if defined(WOLFSSL_AES_COUNTER) && defined(WOLFSSL_AES_256) + ExpectNotNull(c); + ExpectNotNull(XSTRCMP("EVP_AES_256_CTR", c)); + #else + ExpectNull(c); + #endif + + c = wolfSSL_EVP_get_cipherbynid(418); + #if defined(HAVE_AES_ECB) && defined(WOLFSSL_AES_128) + ExpectNotNull(c); + ExpectNotNull(XSTRCMP("EVP_AES_128_ECB", c)); + #else + ExpectNull(c); + #endif + + c = wolfSSL_EVP_get_cipherbynid(422); + #if defined(HAVE_AES_ECB) && defined(WOLFSSL_AES_192) + ExpectNotNull(c); + ExpectNotNull(XSTRCMP("EVP_AES_192_ECB", c)); + #else + ExpectNull(c); + #endif + + c = wolfSSL_EVP_get_cipherbynid(426); + #if defined(HAVE_AES_ECB) && defined(WOLFSSL_AES_256) + ExpectNotNull(c); + ExpectNotNull(XSTRCMP("EVP_AES_256_ECB", c)); + #else + ExpectNull(c); + #endif +#endif /* !NO_AES */ + +#ifndef NO_DES3 + ExpectNotNull(XSTRCMP("EVP_DES_CBC", wolfSSL_EVP_get_cipherbynid(31))); +#ifdef WOLFSSL_DES_ECB + ExpectNotNull(XSTRCMP("EVP_DES_ECB", wolfSSL_EVP_get_cipherbynid(29))); +#endif + ExpectNotNull(XSTRCMP("EVP_DES_EDE3_CBC", wolfSSL_EVP_get_cipherbynid(44))); +#ifdef WOLFSSL_DES_ECB + ExpectNotNull(XSTRCMP("EVP_DES_EDE3_ECB", wolfSSL_EVP_get_cipherbynid(33))); +#endif +#endif /* !NO_DES3 */ + +#if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) + ExpectNotNull(XSTRCMP("EVP_CHACHA20_POLY13O5", EVP_get_cipherbynid(1018))); +#endif + + /* test for nid is out of range */ + ExpectNull(wolfSSL_EVP_get_cipherbynid(1)); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_CIPHER_block_size(void) +{ + EXPECT_DECLS; +#ifdef OPENSSL_ALL +#ifdef HAVE_AES_CBC + #ifdef WOLFSSL_AES_128 + ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_128_cbc()), AES_BLOCK_SIZE); + #endif + #ifdef WOLFSSL_AES_192 + ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_192_cbc()), AES_BLOCK_SIZE); + #endif + #ifdef WOLFSSL_AES_256 + ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_256_cbc()), AES_BLOCK_SIZE); + #endif +#endif + +#ifdef HAVE_AESGCM + #ifdef WOLFSSL_AES_128 + ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_128_gcm()), 1); + #endif + #ifdef WOLFSSL_AES_192 + ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_192_gcm()), 1); + #endif + #ifdef WOLFSSL_AES_256 + ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_256_gcm()), 1); + #endif +#endif + +#ifdef HAVE_AESCCM + #ifdef WOLFSSL_AES_128 + ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_128_ccm()), 1); + #endif + #ifdef WOLFSSL_AES_192 + ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_192_ccm()), 1); + #endif + #ifdef WOLFSSL_AES_256 + ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_256_ccm()), 1); + #endif +#endif + +#ifdef WOLFSSL_AES_COUNTER + #ifdef WOLFSSL_AES_128 + ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_128_ctr()), 1); + #endif + #ifdef WOLFSSL_AES_192 + ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_192_ctr()), 1); + #endif + #ifdef WOLFSSL_AES_256 + ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_256_ctr()), 1); + #endif +#endif + +#ifdef HAVE_AES_ECB + #ifdef WOLFSSL_AES_128 + ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_128_ecb()), AES_BLOCK_SIZE); + #endif + #ifdef WOLFSSL_AES_192 + ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_192_ecb()), AES_BLOCK_SIZE); + #endif + #ifdef WOLFSSL_AES_256 + ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_256_ecb()), AES_BLOCK_SIZE); + #endif +#endif + +#ifdef WOLFSSL_AES_OFB + #ifdef WOLFSSL_AES_128 + ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_128_ofb()), 1); + #endif + #ifdef WOLFSSL_AES_192 + ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_192_ofb()), 1); + #endif + #ifdef WOLFSSL_AES_256 + ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_256_ofb()), 1); + #endif +#endif + +#ifndef NO_RC4 + ExpectIntEQ(EVP_CIPHER_block_size(wolfSSL_EVP_rc4()), 1); +#endif + +#if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) + ExpectIntEQ(EVP_CIPHER_block_size(wolfSSL_EVP_chacha20_poly1305()), 1); +#endif + +#ifdef WOLFSSL_SM4_ECB + ExpectIntEQ(EVP_CIPHER_block_size(EVP_sm4_ecb()), SM4_BLOCK_SIZE); +#endif +#ifdef WOLFSSL_SM4_CBC + ExpectIntEQ(EVP_CIPHER_block_size(EVP_sm4_cbc()), SM4_BLOCK_SIZE); +#endif +#ifdef WOLFSSL_SM4_CTR + ExpectIntEQ(EVP_CIPHER_block_size(EVP_sm4_ctr()), 1); +#endif +#ifdef WOLFSSL_SM4_GCM + ExpectIntEQ(EVP_CIPHER_block_size(EVP_sm4_gcm()), 1); +#endif +#ifdef WOLFSSL_SM4_CCM + ExpectIntEQ(EVP_CIPHER_block_size(EVP_sm4_ccm()), 1); +#endif +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_CIPHER_iv_length(void) +{ + EXPECT_DECLS; +#ifdef OPENSSL_ALL + int nids[] = { + #if defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT) + #ifdef WOLFSSL_AES_128 + NID_aes_128_cbc, + #endif + #ifdef WOLFSSL_AES_192 + NID_aes_192_cbc, + #endif + #ifdef WOLFSSL_AES_256 + NID_aes_256_cbc, + #endif + #endif /* HAVE_AES_CBC || WOLFSSL_AES_DIRECT */ + #if (!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)) + #ifdef HAVE_AESGCM + #ifdef WOLFSSL_AES_128 + NID_aes_128_gcm, + #endif + #ifdef WOLFSSL_AES_192 + NID_aes_192_gcm, + #endif + #ifdef WOLFSSL_AES_256 + NID_aes_256_gcm, + #endif + #endif /* HAVE_AESGCM */ + #endif /* (HAVE_FIPS && !HAVE_SELFTEST) || HAVE_FIPS_VERSION > 2 */ + #ifdef WOLFSSL_AES_COUNTER + #ifdef WOLFSSL_AES_128 + NID_aes_128_ctr, + #endif + #ifdef WOLFSSL_AES_192 + NID_aes_192_ctr, + #endif + #ifdef WOLFSSL_AES_256 + NID_aes_256_ctr, + #endif + #endif + #ifndef NO_DES3 + NID_des_cbc, + NID_des_ede3_cbc, + #endif + #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) + NID_chacha20_poly1305, + #endif + }; + int iv_lengths[] = { + #if defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT) + #ifdef WOLFSSL_AES_128 + AES_BLOCK_SIZE, + #endif + #ifdef WOLFSSL_AES_192 + AES_BLOCK_SIZE, + #endif + #ifdef WOLFSSL_AES_256 + AES_BLOCK_SIZE, + #endif + #endif /* HAVE_AES_CBC || WOLFSSL_AES_DIRECT */ + #if (!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)) + #ifdef HAVE_AESGCM + #ifdef WOLFSSL_AES_128 + GCM_NONCE_MID_SZ, + #endif + #ifdef WOLFSSL_AES_192 + GCM_NONCE_MID_SZ, + #endif + #ifdef WOLFSSL_AES_256 + GCM_NONCE_MID_SZ, + #endif + #endif /* HAVE_AESGCM */ + #endif /* (HAVE_FIPS && !HAVE_SELFTEST) || HAVE_FIPS_VERSION > 2 */ + #ifdef WOLFSSL_AES_COUNTER + #ifdef WOLFSSL_AES_128 + AES_BLOCK_SIZE, + #endif + #ifdef WOLFSSL_AES_192 + AES_BLOCK_SIZE, + #endif + #ifdef WOLFSSL_AES_256 + AES_BLOCK_SIZE, + #endif + #endif + #ifndef NO_DES3 + DES_BLOCK_SIZE, + DES_BLOCK_SIZE, + #endif + #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) + CHACHA20_POLY1305_AEAD_IV_SIZE, + #endif + }; + int i; + int nidsLen = (sizeof(nids)/sizeof(int)); + + for (i = 0; i < nidsLen; i++) { + const EVP_CIPHER *c = EVP_get_cipherbynid(nids[i]); + ExpectIntEQ(EVP_CIPHER_iv_length(c), iv_lengths[i]); + } +#endif + return EXPECT_RESULT(); +} + +/* Test for NULL_CIPHER_TYPE in wolfSSL_EVP_CipherUpdate() */ +int test_wolfSSL_EVP_CipherUpdate_Null(void) +{ + EXPECT_DECLS; +#ifdef OPENSSL_EXTRA + WOLFSSL_EVP_CIPHER_CTX* ctx; + const char* testData = "Test NULL cipher data"; + unsigned char output[100]; + int outputLen = 0; + int testDataLen = (int)XSTRLEN(testData); + + /* Create and initialize the cipher context */ + ctx = wolfSSL_EVP_CIPHER_CTX_new(); + ExpectNotNull(ctx); + + /* Initialize with NULL cipher */ + ExpectIntEQ(wolfSSL_EVP_CipherInit_ex(ctx, wolfSSL_EVP_enc_null(), + NULL, NULL, NULL, 1), WOLFSSL_SUCCESS); + + /* Test encryption (which should just copy the data) */ + ExpectIntEQ(wolfSSL_EVP_CipherUpdate(ctx, output, &outputLen, + (const unsigned char*)testData, + testDataLen), WOLFSSL_SUCCESS); + + /* Verify output length matches input length */ + ExpectIntEQ(outputLen, testDataLen); + + /* Verify output data matches input data (no encryption occurred) */ + ExpectIntEQ(XMEMCMP(output, testData, testDataLen), 0); + + /* Clean up */ + wolfSSL_EVP_CIPHER_CTX_free(ctx); +#endif /* OPENSSL_EXTRA */ + + return EXPECT_RESULT(); +} + +/* Test for wolfSSL_EVP_CIPHER_type_string() */ +int test_wolfSSL_EVP_CIPHER_type_string(void) +{ + EXPECT_DECLS; +#ifdef OPENSSL_EXTRA + const char* cipherStr; + + /* Test with valid cipher types */ +#ifdef HAVE_AES_CBC + #ifdef WOLFSSL_AES_128 + cipherStr = wolfSSL_EVP_CIPHER_type_string(WC_AES_128_CBC_TYPE); + ExpectNotNull(cipherStr); + ExpectStrEQ(cipherStr, "AES-128-CBC"); + #endif +#endif + +#ifndef NO_DES3 + cipherStr = wolfSSL_EVP_CIPHER_type_string(WC_DES_CBC_TYPE); + ExpectNotNull(cipherStr); + ExpectStrEQ(cipherStr, "DES-CBC"); +#endif + + /* Test with NULL cipher type */ + cipherStr = wolfSSL_EVP_CIPHER_type_string(WC_NULL_CIPHER_TYPE); + ExpectNotNull(cipherStr); + ExpectStrEQ(cipherStr, "NULL"); + + /* Test with invalid cipher type */ + cipherStr = wolfSSL_EVP_CIPHER_type_string(0xFFFF); + ExpectNull(cipherStr); +#endif /* OPENSSL_EXTRA */ + + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_BytesToKey(void) +{ + EXPECT_DECLS; +#if !defined(NO_AES) && defined(HAVE_AES_CBC) && defined(OPENSSL_ALL) + byte key[AES_BLOCK_SIZE] = {0}; + byte iv[AES_BLOCK_SIZE] = {0}; + int count = 0; + const EVP_MD* md = EVP_sha256(); + const EVP_CIPHER *type; + const unsigned char *salt = (unsigned char *)"salt1234"; + int sz = 5; + const byte data[] = { + 0x48,0x65,0x6c,0x6c,0x6f,0x20,0x57,0x6f, + 0x72,0x6c,0x64 + }; + + type = wolfSSL_EVP_get_cipherbynid(NID_aes_128_cbc); + + /* Bad cases */ + ExpectIntEQ(EVP_BytesToKey(NULL, md, salt, data, sz, count, key, iv), + 0); + ExpectIntEQ(EVP_BytesToKey(type, md, salt, NULL, sz, count, key, iv), + 16); + md = "2"; + ExpectIntEQ(EVP_BytesToKey(type, md, salt, data, sz, count, key, iv), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + + /* Good case */ + md = EVP_sha256(); + ExpectIntEQ(EVP_BytesToKey(type, md, salt, data, sz, count, key, iv), + 16); +#endif + return EXPECT_RESULT(); +} + +#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)) &&\ + (!defined(NO_AES) && defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_128)) +static void binary_dump(void *ptr, int size) +{ + #ifdef WOLFSSL_EVP_PRINT + int i = 0; + unsigned char *p = (unsigned char *) ptr; + + fprintf(stderr, "{"); + while ((p != NULL) && (i < size)) { + if ((i % 8) == 0) { + fprintf(stderr, "\n"); + fprintf(stderr, " "); + } + fprintf(stderr, "0x%02x, ", p[i]); + i++; + } + fprintf(stderr, "\n};\n"); + #else + (void) ptr; + (void) size; + #endif +} + +static int last_val = 0x0f; + +static int check_result(unsigned char *data, int len) +{ + int i; + + for ( ; len; ) { + last_val = (last_val + 1) % 16; + for (i = 0; i < 16; len--, i++, data++) + if (*data != last_val) { + return -1; + } + } + return 0; +} + +static int r_offset; +static int w_offset; + +static void init_offset(void) +{ + r_offset = 0; + w_offset = 0; +} + +static void get_record(unsigned char *data, unsigned char *buf, int len) +{ + XMEMCPY(buf, data+r_offset, len); + r_offset += len; +} + +static void set_record(unsigned char *data, unsigned char *buf, int len) +{ + XMEMCPY(data+w_offset, buf, len); + w_offset += len; +} + +static void set_plain(unsigned char *plain, int rec) +{ + int i, j; + unsigned char *p = plain; + + #define BLOCKSZ 16 + + for (i=0; i<(rec/BLOCKSZ); i++) { + for (j=0; j 0 && keylen != klen) { + ExpectIntNE(EVP_CIPHER_CTX_set_key_length(evp, keylen), 0); + } + ilen = EVP_CIPHER_CTX_iv_length(evp); + if (ilen > 0 && ivlen != ilen) { + ExpectIntNE(EVP_CIPHER_CTX_set_iv_length(evp, ivlen), 0); + } + + ExpectIntNE((ret = EVP_CipherInit(evp, NULL, key, iv, 1)), 0); + + for (j = 0; j 0) + set_record(cipher, outb, outl); + } + + for (i = 0; test_drive[i]; i++) { + last_val = 0x0f; + + ExpectIntNE((ret = EVP_CipherInit(evp, NULL, key, iv, 0)), 0); + + init_offset(); + + for (j = 0; test_drive[i][j]; j++) { + inl = test_drive[i][j]; + get_record(cipher, inb, inl); + + ExpectIntNE((ret = EVP_DecryptUpdate(evp, outb, &outl, inb, inl)), + 0); + + binary_dump(outb, outl); + ExpectIntEQ((ret = check_result(outb, outl)), 0); + ExpectFalse(outl > ((inl/16+1)*16) && outl > 16); + } + + ret = EVP_CipherFinal(evp, outb, &outl); + + binary_dump(outb, outl); + + ret = (((test_drive_len[i] % 16) != 0) && (ret == 0)) || + (((test_drive_len[i] % 16) == 0) && (ret == 1)); + ExpectTrue(ret); + } + + ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_cleanup(evp), WOLFSSL_SUCCESS); + + EVP_CIPHER_CTX_free(evp); + evp = NULL; + + /* Do an extra test to verify correct behavior with empty input. */ + + ExpectNotNull(evp = EVP_CIPHER_CTX_new()); + ExpectIntNE((ret = EVP_CipherInit(evp, type, NULL, iv, 0)), 0); + + ExpectIntEQ(EVP_CIPHER_CTX_nid(evp), NID_aes_128_cbc); + + klen = EVP_CIPHER_CTX_key_length(evp); + if (klen > 0 && keylen != klen) { + ExpectIntNE(EVP_CIPHER_CTX_set_key_length(evp, keylen), 0); + } + ilen = EVP_CIPHER_CTX_iv_length(evp); + if (ilen > 0 && ivlen != ilen) { + ExpectIntNE(EVP_CIPHER_CTX_set_iv_length(evp, ivlen), 0); + } + + ExpectIntNE((ret = EVP_CipherInit(evp, NULL, key, iv, 1)), 0); + + /* outl should be set to 0 after passing NULL, 0 for input args. */ + outl = -1; + ExpectIntNE((ret = EVP_CipherUpdate(evp, outb, &outl, NULL, 0)), 0); + ExpectIntEQ(outl, 0); + + EVP_CIPHER_CTX_free(evp); +#endif /* test_EVP_Cipher */ + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_X_STATE(void) +{ + EXPECT_DECLS; +#if !defined(NO_DES3) && !defined(NO_RC4) && defined(OPENSSL_ALL) + byte key[DES3_KEY_SIZE] = {0}; + byte iv[DES_IV_SIZE] = {0}; + EVP_CIPHER_CTX *ctx = NULL; + const EVP_CIPHER *init = NULL; + + /* Bad test cases */ + ExpectNotNull(ctx = EVP_CIPHER_CTX_new()); + ExpectNotNull(init = EVP_des_ede3_cbc()); + + wolfSSL_EVP_CIPHER_CTX_init(ctx); + ExpectIntEQ(EVP_CipherInit(ctx, init, key, iv, 1), WOLFSSL_SUCCESS); + + ExpectNull(wolfSSL_EVP_X_STATE(NULL)); + ExpectNull(wolfSSL_EVP_X_STATE(ctx)); + EVP_CIPHER_CTX_free(ctx); + ctx = NULL; + + /* Good test case */ + ExpectNotNull(ctx = EVP_CIPHER_CTX_new()); + ExpectNotNull(init = wolfSSL_EVP_rc4()); + + wolfSSL_EVP_CIPHER_CTX_init(ctx); + ExpectIntEQ(EVP_CipherInit(ctx, init, key, iv, 1), WOLFSSL_SUCCESS); + + ExpectNotNull(wolfSSL_EVP_X_STATE(ctx)); + EVP_CIPHER_CTX_free(ctx); +#endif + return EXPECT_RESULT(); +} +int test_wolfSSL_EVP_X_STATE_LEN(void) +{ + EXPECT_DECLS; +#if !defined(NO_DES3) && !defined(NO_RC4) && defined(OPENSSL_ALL) + byte key[DES3_KEY_SIZE] = {0}; + byte iv[DES_IV_SIZE] = {0}; + EVP_CIPHER_CTX *ctx = NULL; + const EVP_CIPHER *init = NULL; + + /* Bad test cases */ + ExpectNotNull(ctx = EVP_CIPHER_CTX_new()); + ExpectNotNull(init = EVP_des_ede3_cbc()); + + wolfSSL_EVP_CIPHER_CTX_init(ctx); + ExpectIntEQ(EVP_CipherInit(ctx, init, key, iv, 1), WOLFSSL_SUCCESS); + + ExpectIntEQ(wolfSSL_EVP_X_STATE_LEN(NULL), 0); + ExpectIntEQ(wolfSSL_EVP_X_STATE_LEN(ctx), 0); + EVP_CIPHER_CTX_free(ctx); + ctx = NULL; + + /* Good test case */ + ExpectNotNull(ctx = EVP_CIPHER_CTX_new()); + ExpectNotNull(init = wolfSSL_EVP_rc4()); + + wolfSSL_EVP_CIPHER_CTX_init(ctx); + ExpectIntEQ(EVP_CipherInit(ctx, init, key, iv, 1), WOLFSSL_SUCCESS); + + ExpectIntEQ(wolfSSL_EVP_X_STATE_LEN(ctx), sizeof(Arc4)); + EVP_CIPHER_CTX_free(ctx); +#endif + return EXPECT_RESULT(); +} + + +int test_wolfSSL_EVP_aes_256_gcm(void) +{ + EXPECT_DECLS; +#if defined(HAVE_AESGCM) && defined(WOLFSSL_AES_256) && defined(OPENSSL_ALL) + ExpectNotNull(wolfSSL_EVP_aes_256_gcm()); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_aes_192_gcm(void) +{ + EXPECT_DECLS; +#if defined(HAVE_AESGCM) && defined(WOLFSSL_AES_192) && defined(OPENSSL_ALL) + ExpectNotNull(wolfSSL_EVP_aes_192_gcm()); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_aes_128_gcm(void) +{ + EXPECT_DECLS; +#if defined(HAVE_AESGCM) && defined(WOLFSSL_AES_128) && defined(OPENSSL_ALL) + ExpectNotNull(wolfSSL_EVP_aes_128_gcm()); +#endif + return EXPECT_RESULT(); +} + +int test_evp_cipher_aes_gcm(void) +{ + EXPECT_DECLS; +#if defined(HAVE_AESGCM) && defined(OPENSSL_ALL) && ((!defined(HAVE_FIPS) && \ + !defined(HAVE_SELFTEST)) || (defined(HAVE_FIPS_VERSION) && \ + (HAVE_FIPS_VERSION >= 2))) && defined(WOLFSSL_AES_256) + /* + * This test checks data at various points in the encrypt/decrypt process + * against known values produced using the same test with OpenSSL. This + * interop testing is critical for verifying the correctness of our + * EVP_Cipher implementation with AES-GCM. Specifically, this test exercises + * a flow supported by OpenSSL that uses the control command + * EVP_CTRL_GCM_IV_GEN to increment the IV between cipher operations without + * the need to call EVP_CipherInit. OpenSSH uses this flow, for example. We + * had a bug with OpenSSH where wolfSSL OpenSSH servers could only talk to + * wolfSSL OpenSSH clients because there was a bug in this flow that + * happened to "cancel out" if both sides of the connection had the bug. + */ + enum { + NUM_ENCRYPTIONS = 3, + AAD_SIZE = 4 + }; + static const byte plainText1[] = { + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, + 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, + 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23 + }; + static const byte plainText2[] = { + 0x42, 0x49, 0x3b, 0x27, 0x03, 0x35, 0x59, 0x14, 0x41, 0x47, 0x37, 0x14, + 0x0e, 0x34, 0x0d, 0x28, 0x63, 0x09, 0x0a, 0x5b, 0x22, 0x57, 0x42, 0x22, + 0x0f, 0x5c, 0x1e, 0x53, 0x45, 0x15, 0x62, 0x08, 0x60, 0x43, 0x50, 0x2c + }; + static const byte plainText3[] = { + 0x36, 0x0d, 0x2b, 0x09, 0x4a, 0x56, 0x3b, 0x4c, 0x21, 0x22, 0x58, 0x0e, + 0x5b, 0x57, 0x10 + }; + static const byte* plainTexts[NUM_ENCRYPTIONS] = { + plainText1, + plainText2, + plainText3 + }; + static const int plainTextSzs[NUM_ENCRYPTIONS] = { + sizeof(plainText1), + sizeof(plainText2), + sizeof(plainText3) + }; + static const byte aad1[AAD_SIZE] = { + 0x00, 0x00, 0x00, 0x01 + }; + static const byte aad2[AAD_SIZE] = { + 0x00, 0x00, 0x00, 0x10 + }; + static const byte aad3[AAD_SIZE] = { + 0x00, 0x00, 0x01, 0x00 + }; + static const byte* aads[NUM_ENCRYPTIONS] = { + aad1, + aad2, + aad3 + }; + const byte iv[GCM_NONCE_MID_SZ] = { + 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF + }; + byte currentIv[GCM_NONCE_MID_SZ]; + const byte key[] = { + 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, + 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, + 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f + }; + const byte expIvs[NUM_ENCRYPTIONS][GCM_NONCE_MID_SZ] = { + { + 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, + 0xEF + }, + { + 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, + 0xF0 + }, + { + 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, + 0xF1 + } + }; + const byte expTags[NUM_ENCRYPTIONS][AES_BLOCK_SIZE] = { + { + 0x65, 0x4F, 0xF7, 0xA0, 0xBB, 0x7B, 0x90, 0xB7, 0x9C, 0xC8, 0x14, + 0x3D, 0x32, 0x18, 0x34, 0xA9 + }, + { + 0x50, 0x3A, 0x13, 0x8D, 0x91, 0x1D, 0xEC, 0xBB, 0xBA, 0x5B, 0x57, + 0xA2, 0xFD, 0x2D, 0x6B, 0x7F + }, + { + 0x3B, 0xED, 0x18, 0x9C, 0xB3, 0xE3, 0x61, 0x1E, 0x11, 0xEB, 0x13, + 0x5B, 0xEC, 0x52, 0x49, 0x32, + } + }; + static const byte expCipherText1[] = { + 0xCB, 0x93, 0x4F, 0xC8, 0x22, 0xE2, 0xC0, 0x35, 0xAA, 0x6B, 0x41, 0x15, + 0x17, 0x30, 0x2F, 0x97, 0x20, 0x74, 0x39, 0x28, 0xF8, 0xEB, 0xC5, 0x51, + 0x7B, 0xD9, 0x8A, 0x36, 0xB8, 0xDA, 0x24, 0x80, 0xE7, 0x9E, 0x09, 0xDE + }; + static const byte expCipherText2[] = { + 0xF9, 0x32, 0xE1, 0x87, 0x37, 0x0F, 0x04, 0xC1, 0xB5, 0x59, 0xF0, 0x45, + 0x3A, 0x0D, 0xA0, 0x26, 0xFF, 0xA6, 0x8D, 0x38, 0xFE, 0xB8, 0xE5, 0xC2, + 0x2A, 0x98, 0x4A, 0x54, 0x8F, 0x1F, 0xD6, 0x13, 0x03, 0xB2, 0x1B, 0xC0 + }; + static const byte expCipherText3[] = { + 0xD0, 0x37, 0x59, 0x1C, 0x2F, 0x85, 0x39, 0x4D, 0xED, 0xC2, 0x32, 0x5B, + 0x80, 0x5E, 0x6B, + }; + static const byte* expCipherTexts[NUM_ENCRYPTIONS] = { + expCipherText1, + expCipherText2, + expCipherText3 + }; + byte* cipherText = NULL; + byte* calcPlainText = NULL; + byte tag[AES_BLOCK_SIZE]; + EVP_CIPHER_CTX* encCtx = NULL; + EVP_CIPHER_CTX* decCtx = NULL; + int i, j, outl; + + /****************************************************/ + for (i = 0; i < 3; ++i) { + ExpectNotNull(encCtx = EVP_CIPHER_CTX_new()); + ExpectNotNull(decCtx = EVP_CIPHER_CTX_new()); + + /* First iteration, set key before IV. */ + if (i == 0) { + ExpectIntEQ(EVP_CipherInit(encCtx, EVP_aes_256_gcm(), key, NULL, 1), + SSL_SUCCESS); + + /* + * The call to EVP_CipherInit below (with NULL key) should clear the + * authIvGenEnable flag set by EVP_CTRL_GCM_SET_IV_FIXED. As such, a + * subsequent EVP_CTRL_GCM_IV_GEN should fail. This matches OpenSSL + * behavior. + */ + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(encCtx, EVP_CTRL_GCM_SET_IV_FIXED, + -1, (void*)iv), SSL_SUCCESS); + ExpectIntEQ(EVP_CipherInit(encCtx, NULL, NULL, iv, 1), + SSL_SUCCESS); + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(encCtx, EVP_CTRL_GCM_IV_GEN, -1, + currentIv), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + + ExpectIntEQ(EVP_CipherInit(decCtx, EVP_aes_256_gcm(), key, NULL, 0), + SSL_SUCCESS); + ExpectIntEQ(EVP_CipherInit(decCtx, NULL, NULL, iv, 0), + SSL_SUCCESS); + } + /* Second iteration, IV before key. */ + else { + ExpectIntEQ(EVP_CipherInit(encCtx, EVP_aes_256_gcm(), NULL, iv, 1), + SSL_SUCCESS); + ExpectIntEQ(EVP_CipherInit(encCtx, NULL, key, NULL, 1), + SSL_SUCCESS); + ExpectIntEQ(EVP_CipherInit(decCtx, EVP_aes_256_gcm(), NULL, iv, 0), + SSL_SUCCESS); + ExpectIntEQ(EVP_CipherInit(decCtx, NULL, key, NULL, 0), + SSL_SUCCESS); + } + + /* + * EVP_CTRL_GCM_IV_GEN should fail if EVP_CTRL_GCM_SET_IV_FIXED hasn't + * been issued first. + */ + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(encCtx, EVP_CTRL_GCM_IV_GEN, -1, + currentIv), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(encCtx, EVP_CTRL_GCM_SET_IV_FIXED, -1, + (void*)iv), SSL_SUCCESS); + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(decCtx, EVP_CTRL_GCM_SET_IV_FIXED, -1, + (void*)iv), SSL_SUCCESS); + + for (j = 0; j < NUM_ENCRYPTIONS; ++j) { + /*************** Encrypt ***************/ + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(encCtx, EVP_CTRL_GCM_IV_GEN, -1, + currentIv), SSL_SUCCESS); + /* Check current IV against expected. */ + ExpectIntEQ(XMEMCMP(currentIv, expIvs[j], GCM_NONCE_MID_SZ), 0); + + /* Add AAD. */ + if (i == 2) { + /* Test streaming API. */ + ExpectIntEQ(EVP_CipherUpdate(encCtx, NULL, &outl, aads[j], + AAD_SIZE), SSL_SUCCESS); + } + else { + ExpectIntEQ(EVP_Cipher(encCtx, NULL, (byte *)aads[j], AAD_SIZE), + AAD_SIZE); + } + + ExpectNotNull(cipherText = (byte*)XMALLOC(plainTextSzs[j], NULL, + DYNAMIC_TYPE_TMP_BUFFER)); + + /* Encrypt plaintext. */ + if (i == 2) { + ExpectIntEQ(EVP_CipherUpdate(encCtx, cipherText, &outl, + plainTexts[j], plainTextSzs[j]), + SSL_SUCCESS); + } + else { + ExpectIntEQ(EVP_Cipher(encCtx, cipherText, + (byte *)plainTexts[j], plainTextSzs[j]), + plainTextSzs[j]); + } + + if (i == 2) { + ExpectIntEQ(EVP_CipherFinal(encCtx, cipherText, &outl), + SSL_SUCCESS); + } + else { + /* + * Calling EVP_Cipher with NULL input and output for AES-GCM is + * akin to calling EVP_CipherFinal. + */ + ExpectIntGE(EVP_Cipher(encCtx, NULL, NULL, 0), 0); + } + + /* Check ciphertext against expected. */ + ExpectIntEQ(XMEMCMP(cipherText, expCipherTexts[j], plainTextSzs[j]), + 0); + + /* Get and check tag against expected. */ + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(encCtx, EVP_CTRL_GCM_GET_TAG, + sizeof(tag), tag), SSL_SUCCESS); + ExpectIntEQ(XMEMCMP(tag, expTags[j], sizeof(tag)), 0); + + /*************** Decrypt ***************/ + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(decCtx, EVP_CTRL_GCM_IV_GEN, -1, + currentIv), SSL_SUCCESS); + /* Check current IV against expected. */ + ExpectIntEQ(XMEMCMP(currentIv, expIvs[j], GCM_NONCE_MID_SZ), 0); + + /* Add AAD. */ + if (i == 2) { + /* Test streaming API. */ + ExpectIntEQ(EVP_CipherUpdate(decCtx, NULL, &outl, aads[j], + AAD_SIZE), SSL_SUCCESS); + } + else { + ExpectIntEQ(EVP_Cipher(decCtx, NULL, (byte *)aads[j], AAD_SIZE), + AAD_SIZE); + } + + /* Set expected tag. */ + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(decCtx, EVP_CTRL_GCM_SET_TAG, + sizeof(tag), tag), SSL_SUCCESS); + + /* Decrypt ciphertext. */ + ExpectNotNull(calcPlainText = (byte*)XMALLOC(plainTextSzs[j], NULL, + DYNAMIC_TYPE_TMP_BUFFER)); + if (i == 2) { + ExpectIntEQ(EVP_CipherUpdate(decCtx, calcPlainText, &outl, + cipherText, plainTextSzs[j]), + SSL_SUCCESS); + } + else { + /* This first EVP_Cipher call will check the tag, too. */ + ExpectIntEQ(EVP_Cipher(decCtx, calcPlainText, cipherText, + plainTextSzs[j]), plainTextSzs[j]); + } + + if (i == 2) { + ExpectIntEQ(EVP_CipherFinal(decCtx, calcPlainText, &outl), + SSL_SUCCESS); + } + else { + ExpectIntGE(EVP_Cipher(decCtx, NULL, NULL, 0), 0); + } + + /* Check plaintext against expected. */ + ExpectIntEQ(XMEMCMP(calcPlainText, plainTexts[j], plainTextSzs[j]), + 0); + + XFREE(cipherText, NULL, DYNAMIC_TYPE_TMP_BUFFER); + cipherText = NULL; + XFREE(calcPlainText, NULL, DYNAMIC_TYPE_TMP_BUFFER); + calcPlainText = NULL; + } + + EVP_CIPHER_CTX_free(encCtx); + encCtx = NULL; + EVP_CIPHER_CTX_free(decCtx); + decCtx = NULL; + } +#endif + return EXPECT_RESULT(); +} + +int test_wolfssl_EVP_aes_gcm(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_AES) && defined(HAVE_AESGCM) && \ + !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS) + /* A 256 bit key, AES_128 will use the first 128 bit*/ + byte *key = (byte*)"01234567890123456789012345678901"; + /* A 128 bit IV */ + byte *iv = (byte*)"0123456789012345"; + int ivSz = AES_BLOCK_SIZE; + /* Message to be encrypted */ + byte *plaintxt = (byte*)"for things to change you have to change"; + /* Additional non-confidential data */ + byte *aad = (byte*)"Don't spend major time on minor things."; + + unsigned char tag[AES_BLOCK_SIZE] = {0}; + int plaintxtSz = (int)XSTRLEN((char*)plaintxt); + int aadSz = (int)XSTRLEN((char*)aad); + byte ciphertxt[AES_BLOCK_SIZE * 4] = {0}; + byte decryptedtxt[AES_BLOCK_SIZE * 4] = {0}; + int ciphertxtSz = 0; + int decryptedtxtSz = 0; + int len = 0; + int i = 0; + EVP_CIPHER_CTX en[2]; + EVP_CIPHER_CTX de[2]; + + for (i = 0; i < 2; i++) { + EVP_CIPHER_CTX_init(&en[i]); + if (i == 0) { + /* Default uses 96-bits IV length */ +#ifdef WOLFSSL_AES_128 + ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aes_128_gcm(), NULL, + key, iv)); +#elif defined(WOLFSSL_AES_192) + ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aes_192_gcm(), NULL, + key, iv)); +#elif defined(WOLFSSL_AES_256) + ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aes_256_gcm(), NULL, + key, iv)); +#endif + } + else { +#ifdef WOLFSSL_AES_128 + ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aes_128_gcm(), NULL, + NULL, NULL)); +#elif defined(WOLFSSL_AES_192) + ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aes_192_gcm(), NULL, + NULL, NULL)); +#elif defined(WOLFSSL_AES_256) + ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aes_256_gcm(), NULL, + NULL, NULL)); +#endif + /* non-default must to set the IV length first */ + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&en[i], EVP_CTRL_GCM_SET_IVLEN, + ivSz, NULL)); + ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], NULL, NULL, key, iv)); + } + ExpectIntEQ(1, EVP_EncryptUpdate(&en[i], NULL, &len, aad, aadSz)); + ExpectIntEQ(1, EVP_EncryptUpdate(&en[i], ciphertxt, &len, plaintxt, + plaintxtSz)); + ciphertxtSz = len; + ExpectIntEQ(1, EVP_EncryptFinal_ex(&en[i], ciphertxt, &len)); + ciphertxtSz += len; + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&en[i], EVP_CTRL_GCM_GET_TAG, + AES_BLOCK_SIZE, tag)); + wolfSSL_EVP_CIPHER_CTX_cleanup(&en[i]); + + EVP_CIPHER_CTX_init(&de[i]); + if (i == 0) { + /* Default uses 96-bits IV length */ +#ifdef WOLFSSL_AES_128 + ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_128_gcm(), NULL, + key, iv)); +#elif defined(WOLFSSL_AES_192) + ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_192_gcm(), NULL, + key, iv)); +#elif defined(WOLFSSL_AES_256) + ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_256_gcm(), NULL, + key, iv)); +#endif + } + else { +#ifdef WOLFSSL_AES_128 + ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_128_gcm(), NULL, + NULL, NULL)); +#elif defined(WOLFSSL_AES_192) + ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_192_gcm(), NULL, + NULL, NULL)); +#elif defined(WOLFSSL_AES_256) + ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_256_gcm(), NULL, + NULL, NULL)); +#endif + /* non-default must to set the IV length first */ + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_GCM_SET_IVLEN, + ivSz, NULL)); + ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], NULL, NULL, key, iv)); + + } + ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], NULL, &len, aad, aadSz)); + ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], decryptedtxt, &len, ciphertxt, + ciphertxtSz)); + decryptedtxtSz = len; + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_GCM_SET_TAG, + AES_BLOCK_SIZE, tag)); + ExpectIntEQ(1, EVP_DecryptFinal_ex(&de[i], decryptedtxt, &len)); + decryptedtxtSz += len; + ExpectIntEQ(ciphertxtSz, decryptedtxtSz); + ExpectIntEQ(0, XMEMCMP(plaintxt, decryptedtxt, decryptedtxtSz)); + + /* modify tag*/ + if (i == 0) { + /* Default uses 96-bits IV length */ +#ifdef WOLFSSL_AES_128 + ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_128_gcm(), NULL, + key, iv)); +#elif defined(WOLFSSL_AES_192) + ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_192_gcm(), NULL, + key, iv)); +#elif defined(WOLFSSL_AES_256) + ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_256_gcm(), NULL, + key, iv)); +#endif + } + else { +#ifdef WOLFSSL_AES_128 + ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_128_gcm(), NULL, + NULL, NULL)); +#elif defined(WOLFSSL_AES_192) + ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_192_gcm(), NULL, + NULL, NULL)); +#elif defined(WOLFSSL_AES_256) + ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_256_gcm(), NULL, + NULL, NULL)); +#endif + /* non-default must to set the IV length first */ + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_GCM_SET_IVLEN, + ivSz, NULL)); + ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], NULL, NULL, key, iv)); + + } + tag[AES_BLOCK_SIZE-1]+=0xBB; + ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], NULL, &len, aad, aadSz)); + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_GCM_SET_TAG, + AES_BLOCK_SIZE, tag)); + /* fail due to wrong tag */ + ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], decryptedtxt, &len, ciphertxt, + ciphertxtSz)); + ExpectIntEQ(0, EVP_DecryptFinal_ex(&de[i], decryptedtxt, &len)); + ExpectIntEQ(0, len); + + wolfSSL_EVP_CIPHER_CTX_cleanup(&de[i]); + } +#endif /* OPENSSL_EXTRA && !NO_AES && HAVE_AESGCM */ + return EXPECT_RESULT(); +} + +int test_wolfssl_EVP_aes_gcm_AAD_2_parts(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_AES) && defined(HAVE_AESGCM) && \ + !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS) + const byte iv[12] = { 0 }; + const byte key[16] = { 0 }; + const byte cleartext[16] = { 0 }; + const byte aad[] = { + 0x01, 0x10, 0x00, 0x2a, 0x08, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, + 0x00, 0x00, 0xdc, 0x4d, 0xad, 0x6b, 0x06, 0x93, + 0x4f + }; + byte out1Part[16]; + byte outTag1Part[16]; + byte out2Part[16]; + byte outTag2Part[16]; + byte decryptBuf[16]; + int len = 0; + int tlen; + EVP_CIPHER_CTX* ctx = NULL; + + /* ENCRYPT */ + /* Send AAD and data in 1 part */ + ExpectNotNull(ctx = EVP_CIPHER_CTX_new()); + tlen = 0; + ExpectIntEQ(EVP_EncryptInit_ex(ctx, EVP_aes_128_gcm(), NULL, NULL, NULL), + 1); + ExpectIntEQ(EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv), 1); + ExpectIntEQ(EVP_EncryptUpdate(ctx, NULL, &len, aad, sizeof(aad)), 1); + ExpectIntEQ(EVP_EncryptUpdate(ctx, out1Part, &len, cleartext, + sizeof(cleartext)), 1); + tlen += len; + ExpectIntEQ(EVP_EncryptFinal_ex(ctx, out1Part, &len), 1); + tlen += len; + ExpectIntEQ(tlen, sizeof(cleartext)); + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, 16, + outTag1Part), 1); + EVP_CIPHER_CTX_free(ctx); + ctx = NULL; + + /* DECRYPT */ + /* Send AAD and data in 1 part */ + ExpectNotNull(ctx = EVP_CIPHER_CTX_new()); + tlen = 0; + ExpectIntEQ(EVP_DecryptInit_ex(ctx, EVP_aes_128_gcm(), NULL, NULL, NULL), + 1); + ExpectIntEQ(EVP_DecryptInit_ex(ctx, NULL, NULL, key, iv), 1); + ExpectIntEQ(EVP_DecryptUpdate(ctx, NULL, &len, aad, sizeof(aad)), 1); + ExpectIntEQ(EVP_DecryptUpdate(ctx, decryptBuf, &len, out1Part, + sizeof(cleartext)), 1); + tlen += len; + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, 16, + outTag1Part), 1); + ExpectIntEQ(EVP_DecryptFinal_ex(ctx, decryptBuf, &len), 1); + tlen += len; + ExpectIntEQ(tlen, sizeof(cleartext)); + EVP_CIPHER_CTX_free(ctx); + ctx = NULL; + + ExpectIntEQ(XMEMCMP(decryptBuf, cleartext, len), 0); + + /* ENCRYPT */ + /* Send AAD and data in 2 parts */ + ExpectNotNull(ctx = EVP_CIPHER_CTX_new()); + tlen = 0; + ExpectIntEQ(EVP_EncryptInit_ex(ctx, EVP_aes_128_gcm(), NULL, NULL, NULL), + 1); + ExpectIntEQ(EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv), 1); + ExpectIntEQ(EVP_EncryptUpdate(ctx, NULL, &len, aad, 1), 1); + ExpectIntEQ(EVP_EncryptUpdate(ctx, NULL, &len, aad + 1, sizeof(aad) - 1), + 1); + ExpectIntEQ(EVP_EncryptUpdate(ctx, out2Part, &len, cleartext, 1), 1); + tlen += len; + ExpectIntEQ(EVP_EncryptUpdate(ctx, out2Part + tlen, &len, cleartext + 1, + sizeof(cleartext) - 1), 1); + tlen += len; + ExpectIntEQ(EVP_EncryptFinal_ex(ctx, out2Part + tlen, &len), 1); + tlen += len; + ExpectIntEQ(tlen, sizeof(cleartext)); + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, 16, + outTag2Part), 1); + + ExpectIntEQ(XMEMCMP(out1Part, out2Part, sizeof(out1Part)), 0); + ExpectIntEQ(XMEMCMP(outTag1Part, outTag2Part, sizeof(outTag1Part)), 0); + EVP_CIPHER_CTX_free(ctx); + ctx = NULL; + + /* DECRYPT */ + /* Send AAD and data in 2 parts */ + ExpectNotNull(ctx = EVP_CIPHER_CTX_new()); + tlen = 0; + ExpectIntEQ(EVP_DecryptInit_ex(ctx, EVP_aes_128_gcm(), NULL, NULL, NULL), + 1); + ExpectIntEQ(EVP_DecryptInit_ex(ctx, NULL, NULL, key, iv), 1); + ExpectIntEQ(EVP_DecryptUpdate(ctx, NULL, &len, aad, 1), 1); + ExpectIntEQ(EVP_DecryptUpdate(ctx, NULL, &len, aad + 1, sizeof(aad) - 1), + 1); + ExpectIntEQ(EVP_DecryptUpdate(ctx, decryptBuf, &len, out1Part, 1), 1); + tlen += len; + ExpectIntEQ(EVP_DecryptUpdate(ctx, decryptBuf + tlen, &len, out1Part + 1, + sizeof(cleartext) - 1), 1); + tlen += len; + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, 16, + outTag1Part), 1); + ExpectIntEQ(EVP_DecryptFinal_ex(ctx, decryptBuf + tlen, &len), 1); + tlen += len; + ExpectIntEQ(tlen, sizeof(cleartext)); + + ExpectIntEQ(XMEMCMP(decryptBuf, cleartext, len), 0); + + /* Test AAD reuse */ + EVP_CIPHER_CTX_free(ctx); +#endif + return EXPECT_RESULT(); +} + +int test_wolfssl_EVP_aes_gcm_zeroLen(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_AES) && defined(HAVE_AESGCM) && \ + !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS) && defined(WOLFSSL_AES_256) + /* Zero length plain text */ + byte key[] = { + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 + }; /* align */ + byte iv[] = { + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 + }; /* align */ + byte plaintxt[1]; + int ivSz = 12; + int plaintxtSz = 0; + unsigned char tag[16]; + unsigned char tag_kat[] = { + 0x53,0x0f,0x8a,0xfb,0xc7,0x45,0x36,0xb9, + 0xa9,0x63,0xb4,0xf1,0xc4,0xcb,0x73,0x8b + }; + + byte ciphertxt[AES_BLOCK_SIZE * 4] = {0}; + byte decryptedtxt[AES_BLOCK_SIZE * 4] = {0}; + int ciphertxtSz = 0; + int decryptedtxtSz = 0; + int len = 0; + + EVP_CIPHER_CTX *en = EVP_CIPHER_CTX_new(); + EVP_CIPHER_CTX *de = EVP_CIPHER_CTX_new(); + + ExpectIntEQ(1, EVP_EncryptInit_ex(en, EVP_aes_256_gcm(), NULL, key, iv)); + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(en, EVP_CTRL_GCM_SET_IVLEN, ivSz, NULL)); + ExpectIntEQ(1, EVP_EncryptUpdate(en, ciphertxt, &ciphertxtSz , plaintxt, + plaintxtSz)); + ExpectIntEQ(1, EVP_EncryptFinal_ex(en, ciphertxt, &len)); + ciphertxtSz += len; + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(en, EVP_CTRL_GCM_GET_TAG, 16, tag)); + ExpectIntEQ(1, EVP_CIPHER_CTX_cleanup(en)); + + ExpectIntEQ(0, ciphertxtSz); + ExpectIntEQ(0, XMEMCMP(tag, tag_kat, sizeof(tag))); + + EVP_CIPHER_CTX_init(de); + ExpectIntEQ(1, EVP_DecryptInit_ex(de, EVP_aes_256_gcm(), NULL, key, iv)); + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(de, EVP_CTRL_GCM_SET_IVLEN, ivSz, NULL)); + ExpectIntEQ(1, EVP_DecryptUpdate(de, NULL, &len, ciphertxt, len)); + decryptedtxtSz = len; + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(de, EVP_CTRL_GCM_SET_TAG, 16, tag)); + ExpectIntEQ(1, EVP_DecryptFinal_ex(de, decryptedtxt, &len)); + decryptedtxtSz += len; + ExpectIntEQ(0, decryptedtxtSz); + + EVP_CIPHER_CTX_free(en); + EVP_CIPHER_CTX_free(de); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_aes_256_ccm(void) +{ + EXPECT_DECLS; +#if defined(HAVE_AESCCM) && defined(WOLFSSL_AES_256) && defined(OPENSSL_ALL) + ExpectNotNull(wolfSSL_EVP_aes_256_ccm()); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_aes_192_ccm(void) +{ + EXPECT_DECLS; +#if defined(HAVE_AESCCM) && defined(WOLFSSL_AES_192) && defined(OPENSSL_ALL) + ExpectNotNull(wolfSSL_EVP_aes_192_ccm()); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_aes_128_ccm(void) +{ + EXPECT_DECLS; +#if defined(HAVE_AESCCM) && defined(WOLFSSL_AES_128) && defined(OPENSSL_ALL) + ExpectNotNull(wolfSSL_EVP_aes_128_ccm()); +#endif + return EXPECT_RESULT(); +} + +int test_wolfssl_EVP_aes_ccm(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_AES) && defined(HAVE_AESCCM) && \ + !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS) + /* A 256 bit key, AES_128 will use the first 128 bit*/ + byte *key = (byte*)"01234567890123456789012345678901"; + /* A 128 bit IV */ + byte *iv = (byte*)"0123456789012"; + int ivSz = (int)XSTRLEN((char*)iv); + /* Message to be encrypted */ + byte *plaintxt = (byte*)"for things to change you have to change"; + /* Additional non-confidential data */ + byte *aad = (byte*)"Don't spend major time on minor things."; + + unsigned char tag[AES_BLOCK_SIZE] = {0}; + int plaintxtSz = (int)XSTRLEN((char*)plaintxt); + int aadSz = (int)XSTRLEN((char*)aad); + byte ciphertxt[AES_BLOCK_SIZE * 4] = {0}; + byte decryptedtxt[AES_BLOCK_SIZE * 4] = {0}; + int ciphertxtSz = 0; + int decryptedtxtSz = 0; + int len = 0; + int i = 0; + int ret; + EVP_CIPHER_CTX en[2]; + EVP_CIPHER_CTX de[2]; + + for (i = 0; i < 2; i++) { + EVP_CIPHER_CTX_init(&en[i]); + + if (i == 0) { + /* Default uses 96-bits IV length */ +#ifdef WOLFSSL_AES_128 + ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aes_128_ccm(), NULL, + key, iv)); +#elif defined(WOLFSSL_AES_192) + ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aes_192_ccm(), NULL, + key, iv)); +#elif defined(WOLFSSL_AES_256) + ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aes_256_ccm(), NULL, + key, iv)); +#endif + } + else { +#ifdef WOLFSSL_AES_128 + ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aes_128_ccm(), NULL, + NULL, NULL)); +#elif defined(WOLFSSL_AES_192) + ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aes_192_ccm(), NULL, + NULL, NULL)); +#elif defined(WOLFSSL_AES_256) + ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aes_256_ccm(), NULL, + NULL, NULL)); +#endif + /* non-default must to set the IV length first */ + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&en[i], EVP_CTRL_CCM_SET_IVLEN, + ivSz, NULL)); + ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], NULL, NULL, key, iv)); + } + ExpectIntEQ(1, EVP_EncryptUpdate(&en[i], NULL, &len, aad, aadSz)); + ExpectIntEQ(1, EVP_EncryptUpdate(&en[i], ciphertxt, &len, plaintxt, + plaintxtSz)); + ciphertxtSz = len; + ExpectIntEQ(1, EVP_EncryptFinal_ex(&en[i], ciphertxt, &len)); + ciphertxtSz += len; + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&en[i], EVP_CTRL_CCM_GET_TAG, + AES_BLOCK_SIZE, tag)); + ret = wolfSSL_EVP_CIPHER_CTX_cleanup(&en[i]); + ExpectIntEQ(ret, 1); + + EVP_CIPHER_CTX_init(&de[i]); + if (i == 0) { + /* Default uses 96-bits IV length */ +#ifdef WOLFSSL_AES_128 + ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_128_ccm(), NULL, + key, iv)); +#elif defined(WOLFSSL_AES_192) + ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_192_ccm(), NULL, + key, iv)); +#elif defined(WOLFSSL_AES_256) + ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_256_ccm(), NULL, + key, iv)); +#endif + } + else { +#ifdef WOLFSSL_AES_128 + ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_128_ccm(), NULL, + NULL, NULL)); +#elif defined(WOLFSSL_AES_192) + ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_192_ccm(), NULL, + NULL, NULL)); +#elif defined(WOLFSSL_AES_256) + ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aes_256_ccm(), NULL, + NULL, NULL)); +#endif + /* non-default must to set the IV length first */ + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_CCM_SET_IVLEN, + ivSz, NULL)); + ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], NULL, NULL, key, iv)); + + } + ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], NULL, &len, aad, aadSz)); + ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], decryptedtxt, &len, ciphertxt, + ciphertxtSz)); + decryptedtxtSz = len; + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_CCM_SET_TAG, + AES_BLOCK_SIZE, tag)); + ExpectIntEQ(1, EVP_DecryptFinal_ex(&de[i], decryptedtxt, &len)); + decryptedtxtSz += len; + ExpectIntEQ(ciphertxtSz, decryptedtxtSz); + ExpectIntEQ(0, XMEMCMP(plaintxt, decryptedtxt, decryptedtxtSz)); + + /* modify tag*/ + tag[AES_BLOCK_SIZE-1]+=0xBB; + ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], NULL, &len, aad, aadSz)); + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_CCM_SET_TAG, + AES_BLOCK_SIZE, tag)); + /* fail due to wrong tag */ + ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], decryptedtxt, &len, ciphertxt, + ciphertxtSz)); + ExpectIntEQ(0, EVP_DecryptFinal_ex(&de[i], decryptedtxt, &len)); + ExpectIntEQ(0, len); + ret = wolfSSL_EVP_CIPHER_CTX_cleanup(&de[i]); + ExpectIntEQ(ret, 1); + } +#endif /* OPENSSL_EXTRA && !NO_AES && HAVE_AESCCM */ + return EXPECT_RESULT(); +} + +int test_wolfssl_EVP_aes_ccm_zeroLen(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_AES) && defined(HAVE_AESCCM) && \ + !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS) && defined(WOLFSSL_AES_256) + /* Zero length plain text */ + byte key[] = { + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 + }; /* align */ + byte iv[] = { + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 + }; /* align */ + byte plaintxt[1]; + int ivSz = 12; + int plaintxtSz = 0; + unsigned char tag[16]; + + byte ciphertxt[AES_BLOCK_SIZE * 4] = {0}; + byte decryptedtxt[AES_BLOCK_SIZE * 4] = {0}; + int ciphertxtSz = 0; + int decryptedtxtSz = 0; + int len = 0; + + EVP_CIPHER_CTX *en = EVP_CIPHER_CTX_new(); + EVP_CIPHER_CTX *de = EVP_CIPHER_CTX_new(); + + ExpectIntEQ(1, EVP_EncryptInit_ex(en, EVP_aes_256_ccm(), NULL, key, iv)); + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(en, EVP_CTRL_CCM_SET_IVLEN, ivSz, NULL)); + ExpectIntEQ(1, EVP_EncryptUpdate(en, ciphertxt, &ciphertxtSz , plaintxt, + plaintxtSz)); + ExpectIntEQ(1, EVP_EncryptFinal_ex(en, ciphertxt, &len)); + ciphertxtSz += len; + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(en, EVP_CTRL_CCM_GET_TAG, 16, tag)); + ExpectIntEQ(1, EVP_CIPHER_CTX_cleanup(en)); + + ExpectIntEQ(0, ciphertxtSz); + + EVP_CIPHER_CTX_init(de); + ExpectIntEQ(1, EVP_DecryptInit_ex(de, EVP_aes_256_ccm(), NULL, key, iv)); + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(de, EVP_CTRL_CCM_SET_IVLEN, ivSz, NULL)); + ExpectIntEQ(1, EVP_DecryptUpdate(de, NULL, &len, ciphertxt, len)); + decryptedtxtSz = len; + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(de, EVP_CTRL_CCM_SET_TAG, 16, tag)); + ExpectIntEQ(1, EVP_DecryptFinal_ex(de, decryptedtxt, &len)); + decryptedtxtSz += len; + ExpectIntEQ(0, decryptedtxtSz); + + EVP_CIPHER_CTX_free(en); + EVP_CIPHER_CTX_free(de); +#endif + return EXPECT_RESULT(); +} + +int test_wolfssl_EVP_chacha20(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && defined(HAVE_CHACHA) + byte key[CHACHA_MAX_KEY_SZ]; + byte iv [WOLFSSL_EVP_CHACHA_IV_BYTES]; + byte plainText[] = {0xDE, 0xAD, 0xBE, 0xEF}; + byte cipherText[sizeof(plainText)]; + byte decryptedText[sizeof(plainText)]; + EVP_CIPHER_CTX* ctx = NULL; + int outSz; + + XMEMSET(key, 0, sizeof(key)); + XMEMSET(iv, 0, sizeof(iv)); + /* Encrypt. */ + ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); + ExpectIntEQ(EVP_EncryptInit_ex(ctx, EVP_chacha20(), NULL, NULL, + NULL), WOLFSSL_SUCCESS); + /* Any tag length must fail - not an AEAD cipher. */ + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, + 16, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_EncryptUpdate(ctx, cipherText, &outSz, plainText, + sizeof(plainText)), WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, sizeof(plainText)); + ExpectIntEQ(EVP_EncryptFinal_ex(ctx, cipherText, &outSz), WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, 0); + EVP_CIPHER_CTX_free(ctx); + ctx = NULL; + + /* Decrypt. */ + ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); + ExpectIntEQ(EVP_DecryptInit_ex(ctx, EVP_chacha20(), NULL, NULL, + NULL), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_DecryptInit_ex(ctx, NULL, NULL, key, iv), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_DecryptUpdate(ctx, decryptedText, &outSz, cipherText, + sizeof(cipherText)), WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, sizeof(cipherText)); + ExpectIntEQ(EVP_DecryptFinal_ex(ctx, decryptedText, &outSz), + WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, 0); + EVP_CIPHER_CTX_free(ctx); + ctx = NULL; + + /* Test partial Inits. CipherInit() allow setting of key and iv + * in separate calls. */ + ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); + ExpectIntEQ(wolfSSL_EVP_CipherInit(ctx, EVP_chacha20(), + key, NULL, 1), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_EVP_CipherInit(ctx, NULL, NULL, iv, 1), + WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_DecryptUpdate(ctx, decryptedText, &outSz, cipherText, + sizeof(cipherText)), WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, sizeof(cipherText)); + ExpectIntEQ(EVP_DecryptFinal_ex(ctx, decryptedText, &outSz), + WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, 0); + EVP_CIPHER_CTX_free(ctx); +#endif + return EXPECT_RESULT(); +} + +int test_wolfssl_EVP_chacha20_poly1305(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && defined(HAVE_CHACHA) && defined(HAVE_POLY1305) + byte key[CHACHA20_POLY1305_AEAD_KEYSIZE]; + byte iv [CHACHA20_POLY1305_AEAD_IV_SIZE]; + byte plainText[] = {0xDE, 0xAD, 0xBE, 0xEF}; + byte aad[] = {0xAA, 0XBB, 0xCC, 0xDD, 0xEE, 0xFF}; + byte cipherText[sizeof(plainText)]; + byte decryptedText[sizeof(plainText)]; + byte tag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE]; + EVP_CIPHER_CTX* ctx = NULL; + int outSz; + + XMEMSET(key, 0, sizeof(key)); + XMEMSET(iv, 0, sizeof(iv)); + + /* Encrypt. */ + ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); + ExpectIntEQ(EVP_EncryptInit_ex(ctx, EVP_chacha20_poly1305(), NULL, NULL, + NULL), WOLFSSL_SUCCESS); + /* Invalid IV length. */ + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, + CHACHA20_POLY1305_AEAD_IV_SIZE-1, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + /* Valid IV length. */ + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, + CHACHA20_POLY1305_AEAD_IV_SIZE, NULL), WOLFSSL_SUCCESS); + /* Invalid tag length. */ + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, + CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE-1, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + /* Valid tag length. */ + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, + CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE, NULL), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_EncryptUpdate(ctx, NULL, &outSz, aad, sizeof(aad)), + WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, sizeof(aad)); + ExpectIntEQ(EVP_EncryptUpdate(ctx, cipherText, &outSz, plainText, + sizeof(plainText)), WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, sizeof(plainText)); + ExpectIntEQ(EVP_EncryptFinal_ex(ctx, cipherText, &outSz), WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, 0); + /* Invalid tag length. */ + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, + CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE-1, tag), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + /* Valid tag length. */ + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, + CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE, tag), WOLFSSL_SUCCESS); + EVP_CIPHER_CTX_free(ctx); + ctx = NULL; + + /* Decrypt. */ + ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); + ExpectIntEQ(EVP_DecryptInit_ex(ctx, EVP_chacha20_poly1305(), NULL, NULL, + NULL), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, + CHACHA20_POLY1305_AEAD_IV_SIZE, NULL), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, + CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE, tag), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_DecryptInit_ex(ctx, NULL, NULL, key, iv), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_DecryptUpdate(ctx, NULL, &outSz, aad, sizeof(aad)), + WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, sizeof(aad)); + ExpectIntEQ(EVP_DecryptUpdate(ctx, decryptedText, &outSz, cipherText, + sizeof(cipherText)), WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, sizeof(cipherText)); + ExpectIntEQ(EVP_DecryptFinal_ex(ctx, decryptedText, &outSz), + WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, 0); + EVP_CIPHER_CTX_free(ctx); + ctx = NULL; + + /* Test partial Inits. CipherInit() allow setting of key and iv + * in separate calls. */ + ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); + ExpectIntEQ(wolfSSL_EVP_CipherInit(ctx, EVP_chacha20_poly1305(), + key, NULL, 1), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_EVP_CipherInit(ctx, NULL, NULL, iv, 1), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_EVP_CipherUpdate(ctx, NULL, &outSz, + aad, sizeof(aad)), WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, sizeof(aad)); + ExpectIntEQ(outSz, sizeof(aad)); + ExpectIntEQ(EVP_DecryptUpdate(ctx, decryptedText, &outSz, cipherText, + sizeof(cipherText)), WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, sizeof(cipherText)); + ExpectIntEQ(EVP_DecryptFinal_ex(ctx, decryptedText, &outSz), + WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, 0); + EVP_CIPHER_CTX_free(ctx); +#endif + return EXPECT_RESULT(); +} + +int test_wolfssl_EVP_aria_gcm(void) +{ + int res = TEST_SKIPPED; +#if defined(OPENSSL_EXTRA) && defined(HAVE_ARIA) && \ + !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS) + + /* A 256 bit key, AES_128 will use the first 128 bit*/ + byte *key = (byte*)"01234567890123456789012345678901"; + /* A 128 bit IV */ + byte *iv = (byte*)"0123456789012345"; + int ivSz = ARIA_BLOCK_SIZE; + /* Message to be encrypted */ + const int plaintxtSz = 40; + byte plaintxt[WC_ARIA_GCM_GET_CIPHERTEXT_SIZE(plaintxtSz)]; + XMEMCPY(plaintxt,"for things to change you have to change",plaintxtSz); + /* Additional non-confidential data */ + byte *aad = (byte*)"Don't spend major time on minor things."; + + unsigned char tag[ARIA_BLOCK_SIZE] = {0}; + int aadSz = (int)XSTRLEN((char*)aad); + byte ciphertxt[WC_ARIA_GCM_GET_CIPHERTEXT_SIZE(plaintxtSz)]; + byte decryptedtxt[plaintxtSz]; + int ciphertxtSz = 0; + int decryptedtxtSz = 0; + int len = 0; + int i = 0; + #define TEST_ARIA_GCM_COUNT 6 + EVP_CIPHER_CTX en[TEST_ARIA_GCM_COUNT]; + EVP_CIPHER_CTX de[TEST_ARIA_GCM_COUNT]; + + for (i = 0; i < TEST_ARIA_GCM_COUNT; i++) { + + EVP_CIPHER_CTX_init(&en[i]); + switch (i) { + case 0: + /* Default uses 96-bits IV length */ + AssertIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aria_128_gcm(), + NULL, key, iv)); + break; + case 1: + /* Default uses 96-bits IV length */ + AssertIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aria_192_gcm(), + NULL, key, iv)); + break; + case 2: + /* Default uses 96-bits IV length */ + AssertIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aria_256_gcm(), + NULL, key, iv)); + break; + case 3: + AssertIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aria_128_gcm(), + NULL, NULL, NULL)); + /* non-default must to set the IV length first */ + AssertIntEQ(1, EVP_CIPHER_CTX_ctrl(&en[i], + EVP_CTRL_GCM_SET_IVLEN, ivSz, NULL)); + AssertIntEQ(1, EVP_EncryptInit_ex(&en[i], NULL, NULL, key, iv)); + break; + case 4: + AssertIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aria_192_gcm(), + NULL, NULL, NULL)); + /* non-default must to set the IV length first */ + AssertIntEQ(1, EVP_CIPHER_CTX_ctrl(&en[i], + EVP_CTRL_GCM_SET_IVLEN, ivSz, NULL)); + AssertIntEQ(1, EVP_EncryptInit_ex(&en[i], NULL, NULL, key, iv)); + break; + case 5: + AssertIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_aria_256_gcm(), + NULL, NULL, NULL)); + /* non-default must to set the IV length first */ + AssertIntEQ(1, EVP_CIPHER_CTX_ctrl(&en[i], + EVP_CTRL_GCM_SET_IVLEN, ivSz, NULL)); + AssertIntEQ(1, EVP_EncryptInit_ex(&en[i], NULL, NULL, key, iv)); + break; + } + XMEMSET(ciphertxt,0,sizeof(ciphertxt)); + AssertIntEQ(1, EVP_EncryptUpdate(&en[i], NULL, &len, aad, aadSz)); + AssertIntEQ(1, EVP_EncryptUpdate(&en[i], ciphertxt, &len, plaintxt, + plaintxtSz)); + ciphertxtSz = len; + AssertIntEQ(1, EVP_EncryptFinal_ex(&en[i], ciphertxt, &len)); + AssertIntNE(0, XMEMCMP(plaintxt, ciphertxt, plaintxtSz)); + ciphertxtSz += len; + AssertIntEQ(1, EVP_CIPHER_CTX_ctrl(&en[i], EVP_CTRL_GCM_GET_TAG, + ARIA_BLOCK_SIZE, tag)); + AssertIntEQ(wolfSSL_EVP_CIPHER_CTX_cleanup(&en[i]), 1); + + EVP_CIPHER_CTX_init(&de[i]); + switch (i) { + case 0: + /* Default uses 96-bits IV length */ + AssertIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aria_128_gcm(), + NULL, key, iv)); + break; + case 1: + /* Default uses 96-bits IV length */ + AssertIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aria_192_gcm(), + NULL, key, iv)); + break; + case 2: + /* Default uses 96-bits IV length */ + AssertIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aria_256_gcm(), + NULL, key, iv)); + break; + case 3: + AssertIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aria_128_gcm(), + NULL, NULL, NULL)); + /* non-default must to set the IV length first */ + AssertIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], + EVP_CTRL_GCM_SET_IVLEN, ivSz, NULL)); + AssertIntEQ(1, EVP_DecryptInit_ex(&de[i], NULL, NULL, key, iv)); + break; + case 4: + AssertIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aria_192_gcm(), + NULL, NULL, NULL)); + /* non-default must to set the IV length first */ + AssertIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], + EVP_CTRL_GCM_SET_IVLEN, ivSz, NULL)); + AssertIntEQ(1, EVP_DecryptInit_ex(&de[i], NULL, NULL, key, iv)); + break; + case 5: + AssertIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_aria_256_gcm(), + NULL, NULL, NULL)); + /* non-default must to set the IV length first */ + AssertIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], + EVP_CTRL_GCM_SET_IVLEN, ivSz, NULL)); + AssertIntEQ(1, EVP_DecryptInit_ex(&de[i], NULL, NULL, key, iv)); + break; + } + XMEMSET(decryptedtxt,0,sizeof(decryptedtxt)); + AssertIntEQ(1, EVP_DecryptUpdate(&de[i], NULL, &len, aad, aadSz)); + AssertIntEQ(1, EVP_DecryptUpdate(&de[i], decryptedtxt, &len, ciphertxt, + ciphertxtSz)); + decryptedtxtSz = len; + AssertIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_GCM_SET_TAG, + ARIA_BLOCK_SIZE, tag)); + AssertIntEQ(1, EVP_DecryptFinal_ex(&de[i], decryptedtxt, &len)); + decryptedtxtSz += len; + AssertIntEQ(plaintxtSz, decryptedtxtSz); + AssertIntEQ(0, XMEMCMP(plaintxt, decryptedtxt, decryptedtxtSz)); + + XMEMSET(decryptedtxt,0,sizeof(decryptedtxt)); + /* modify tag*/ + tag[AES_BLOCK_SIZE-1]+=0xBB; + AssertIntEQ(1, EVP_DecryptUpdate(&de[i], NULL, &len, aad, aadSz)); + AssertIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_GCM_SET_TAG, + ARIA_BLOCK_SIZE, tag)); + /* fail due to wrong tag */ + AssertIntEQ(1, EVP_DecryptUpdate(&de[i], decryptedtxt, &len, ciphertxt, + ciphertxtSz)); + AssertIntEQ(0, EVP_DecryptFinal_ex(&de[i], decryptedtxt, &len)); + AssertIntEQ(0, len); + AssertIntEQ(wolfSSL_EVP_CIPHER_CTX_cleanup(&de[i]), 1); + } + + res = TEST_RES_CHECK(1); +#endif /* OPENSSL_EXTRA && !NO_AES && HAVE_AESGCM */ + return res; +} + +int test_wolfssl_EVP_sm4_ecb(void) +{ + int res = TEST_SKIPPED; +#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_SM4_ECB) + EXPECT_DECLS; + byte key[SM4_KEY_SIZE]; + byte plainText[SM4_BLOCK_SIZE] = { + 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF, + 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF + }; + byte cipherText[sizeof(plainText) + SM4_BLOCK_SIZE]; + byte decryptedText[sizeof(plainText) + SM4_BLOCK_SIZE]; + EVP_CIPHER_CTX* ctx; + int outSz; + + XMEMSET(key, 0, sizeof(key)); + + /* Encrypt. */ + ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); + ExpectIntEQ(EVP_EncryptInit_ex(ctx, EVP_sm4_ecb(), NULL, NULL, NULL), + WOLFSSL_SUCCESS); + /* Any tag length must fail - not an AEAD cipher. */ + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, 16, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(EVP_EncryptInit_ex(ctx, NULL, NULL, key, NULL), + WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_EncryptUpdate(ctx, cipherText, &outSz, plainText, + sizeof(plainText)), WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, sizeof(plainText)); + ExpectIntEQ(EVP_EncryptFinal_ex(ctx, cipherText + outSz, &outSz), + WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, SM4_BLOCK_SIZE); + ExpectBufNE(cipherText, plainText, sizeof(plainText)); + EVP_CIPHER_CTX_free(ctx); + + /* Decrypt. */ + ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); + ExpectIntEQ(EVP_DecryptInit_ex(ctx, EVP_sm4_ecb(), NULL, NULL, NULL), + WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_DecryptInit_ex(ctx, NULL, NULL, key, NULL), + WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_DecryptUpdate(ctx, decryptedText, &outSz, cipherText, + sizeof(cipherText)), WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, sizeof(plainText)); + ExpectIntEQ(EVP_DecryptFinal_ex(ctx, decryptedText + outSz, &outSz), + WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, 0); + ExpectBufEQ(decryptedText, plainText, sizeof(plainText)); + EVP_CIPHER_CTX_free(ctx); + + res = EXPECT_RESULT(); +#endif + return res; +} + +int test_wolfssl_EVP_sm4_cbc(void) +{ + int res = TEST_SKIPPED; +#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_SM4_CBC) + EXPECT_DECLS; + byte key[SM4_KEY_SIZE]; + byte iv[SM4_BLOCK_SIZE]; + byte plainText[SM4_BLOCK_SIZE] = { + 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF, + 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF + }; + byte cipherText[sizeof(plainText) + SM4_BLOCK_SIZE]; + byte decryptedText[sizeof(plainText) + SM4_BLOCK_SIZE]; + EVP_CIPHER_CTX* ctx; + int outSz; + + XMEMSET(key, 0, sizeof(key)); + XMEMSET(iv, 0, sizeof(iv)); + + /* Encrypt. */ + ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); + ExpectIntEQ(EVP_EncryptInit_ex(ctx, EVP_sm4_cbc(), NULL, NULL, NULL), + WOLFSSL_SUCCESS); + /* Any tag length must fail - not an AEAD cipher. */ + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, 16, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_EncryptUpdate(ctx, cipherText, &outSz, plainText, + sizeof(plainText)), WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, sizeof(plainText)); + ExpectIntEQ(EVP_EncryptFinal_ex(ctx, cipherText + outSz, &outSz), + WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, SM4_BLOCK_SIZE); + ExpectBufNE(cipherText, plainText, sizeof(plainText)); + EVP_CIPHER_CTX_free(ctx); + + /* Decrypt. */ + ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); + ExpectIntEQ(EVP_DecryptInit_ex(ctx, EVP_sm4_cbc(), NULL, NULL, NULL), + WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_DecryptInit_ex(ctx, NULL, NULL, key, iv), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_DecryptUpdate(ctx, decryptedText, &outSz, cipherText, + sizeof(cipherText)), WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, sizeof(plainText)); + ExpectIntEQ(EVP_DecryptFinal_ex(ctx, decryptedText + outSz, &outSz), + WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, 0); + ExpectBufEQ(decryptedText, plainText, sizeof(plainText)); + EVP_CIPHER_CTX_free(ctx); + + /* Test partial Inits. CipherInit() allow setting of key and iv + * in separate calls. */ + ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); + ExpectIntEQ(wolfSSL_EVP_CipherInit(ctx, EVP_sm4_cbc(), key, NULL, 0), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_EVP_CipherInit(ctx, NULL, NULL, iv, 0), + WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_DecryptUpdate(ctx, decryptedText, &outSz, cipherText, + sizeof(cipherText)), WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, sizeof(plainText)); + ExpectIntEQ(EVP_DecryptFinal_ex(ctx, decryptedText + outSz, &outSz), + WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, 0); + ExpectBufEQ(decryptedText, plainText, sizeof(plainText)); + EVP_CIPHER_CTX_free(ctx); + + res = EXPECT_RESULT(); +#endif + return res; +} + +int test_wolfssl_EVP_sm4_ctr(void) +{ + int res = TEST_SKIPPED; +#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_SM4_CTR) + EXPECT_DECLS; + byte key[SM4_KEY_SIZE]; + byte iv[SM4_BLOCK_SIZE]; + byte plainText[] = {0xDE, 0xAD, 0xBE, 0xEF}; + byte cipherText[sizeof(plainText)]; + byte decryptedText[sizeof(plainText)]; + EVP_CIPHER_CTX* ctx; + int outSz; + + XMEMSET(key, 0, sizeof(key)); + XMEMSET(iv, 0, sizeof(iv)); + + /* Encrypt. */ + ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); + ExpectIntEQ(EVP_EncryptInit_ex(ctx, EVP_sm4_ctr(), NULL, NULL, NULL), + WOLFSSL_SUCCESS); + /* Any tag length must fail - not an AEAD cipher. */ + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, 16, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_EncryptUpdate(ctx, cipherText, &outSz, plainText, + sizeof(plainText)), WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, sizeof(plainText)); + ExpectIntEQ(EVP_EncryptFinal_ex(ctx, cipherText, &outSz), WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, 0); + ExpectBufNE(cipherText, plainText, sizeof(plainText)); + EVP_CIPHER_CTX_free(ctx); + + /* Decrypt. */ + ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); + ExpectIntEQ(EVP_DecryptInit_ex(ctx, EVP_sm4_ctr(), NULL, NULL, NULL), + WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_DecryptInit_ex(ctx, NULL, NULL, key, iv), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_DecryptUpdate(ctx, decryptedText, &outSz, cipherText, + sizeof(cipherText)), WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, sizeof(cipherText)); + ExpectIntEQ(EVP_DecryptFinal_ex(ctx, decryptedText, &outSz), + WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, 0); + ExpectBufEQ(decryptedText, plainText, sizeof(plainText)); + EVP_CIPHER_CTX_free(ctx); + + /* Test partial Inits. CipherInit() allow setting of key and iv + * in separate calls. */ + ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); + ExpectIntEQ(wolfSSL_EVP_CipherInit(ctx, EVP_sm4_ctr(), key, NULL, 1), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_EVP_CipherInit(ctx, NULL, NULL, iv, 1), + WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_DecryptUpdate(ctx, decryptedText, &outSz, cipherText, + sizeof(cipherText)), WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, sizeof(cipherText)); + ExpectIntEQ(EVP_DecryptFinal_ex(ctx, decryptedText, &outSz), + WOLFSSL_SUCCESS); + ExpectIntEQ(outSz, 0); + ExpectBufEQ(decryptedText, plainText, sizeof(plainText)); + EVP_CIPHER_CTX_free(ctx); + + res = EXPECT_RESULT(); +#endif + return res; +} + +int test_wolfssl_EVP_sm4_gcm_zeroLen(void) +{ + int res = TEST_SKIPPED; +#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_SM4_GCM) + /* Zero length plain text */ + EXPECT_DECLS; + byte key[] = { + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 + }; /* align */ + byte iv[] = { + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 + }; /* align */ + byte plaintxt[1]; + int ivSz = 12; + int plaintxtSz = 0; + unsigned char tag[16]; + unsigned char tag_kat[16] = { + 0x23,0x2f,0x0c,0xfe,0x30,0x8b,0x49,0xea, + 0x6f,0xc8,0x82,0x29,0xb5,0xdc,0x85,0x8d + }; + + byte ciphertxt[SM4_BLOCK_SIZE * 4] = {0}; + byte decryptedtxt[SM4_BLOCK_SIZE * 4] = {0}; + int ciphertxtSz = 0; + int decryptedtxtSz = 0; + int len = 0; + + EVP_CIPHER_CTX *en = EVP_CIPHER_CTX_new(); + EVP_CIPHER_CTX *de = EVP_CIPHER_CTX_new(); + + ExpectIntEQ(1, EVP_EncryptInit_ex(en, EVP_sm4_gcm(), NULL, key, iv)); + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(en, EVP_CTRL_GCM_SET_IVLEN, ivSz, NULL)); + ExpectIntEQ(1, EVP_EncryptUpdate(en, ciphertxt, &ciphertxtSz , plaintxt, + plaintxtSz)); + ExpectIntEQ(1, EVP_EncryptFinal_ex(en, ciphertxt, &len)); + ciphertxtSz += len; + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(en, EVP_CTRL_GCM_GET_TAG, 16, tag)); + ExpectIntEQ(1, EVP_CIPHER_CTX_cleanup(en)); + + ExpectIntEQ(0, ciphertxtSz); + ExpectIntEQ(0, XMEMCMP(tag, tag_kat, sizeof(tag))); + + EVP_CIPHER_CTX_init(de); + ExpectIntEQ(1, EVP_DecryptInit_ex(de, EVP_sm4_gcm(), NULL, key, iv)); + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(de, EVP_CTRL_GCM_SET_IVLEN, ivSz, NULL)); + ExpectIntEQ(1, EVP_DecryptUpdate(de, NULL, &len, ciphertxt, len)); + decryptedtxtSz = len; + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(de, EVP_CTRL_GCM_SET_TAG, 16, tag)); + ExpectIntEQ(1, EVP_DecryptFinal_ex(de, decryptedtxt, &len)); + decryptedtxtSz += len; + ExpectIntEQ(0, decryptedtxtSz); + + EVP_CIPHER_CTX_free(en); + EVP_CIPHER_CTX_free(de); + + res = EXPECT_RESULT(); +#endif /* OPENSSL_EXTRA && WOLFSSL_SM4_GCM */ + return res; +} + +int test_wolfssl_EVP_sm4_gcm(void) +{ + int res = TEST_SKIPPED; +#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_SM4_GCM) + EXPECT_DECLS; + byte *key = (byte*)"0123456789012345"; + /* A 128 bit IV */ + byte *iv = (byte*)"0123456789012345"; + int ivSz = SM4_BLOCK_SIZE; + /* Message to be encrypted */ + byte *plaintxt = (byte*)"for things to change you have to change"; + /* Additional non-confidential data */ + byte *aad = (byte*)"Don't spend major time on minor things."; + + unsigned char tag[SM4_BLOCK_SIZE] = {0}; + int plaintxtSz = (int)XSTRLEN((char*)plaintxt); + int aadSz = (int)XSTRLEN((char*)aad); + byte ciphertxt[SM4_BLOCK_SIZE * 4] = {0}; + byte decryptedtxt[SM4_BLOCK_SIZE * 4] = {0}; + int ciphertxtSz = 0; + int decryptedtxtSz = 0; + int len = 0; + int i = 0; + EVP_CIPHER_CTX en[2]; + EVP_CIPHER_CTX de[2]; + + for (i = 0; i < 2; i++) { + EVP_CIPHER_CTX_init(&en[i]); + + if (i == 0) { + /* Default uses 96-bits IV length */ + ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_sm4_gcm(), NULL, key, + iv)); + } + else { + ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_sm4_gcm(), NULL, NULL, + NULL)); + /* non-default must to set the IV length first */ + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&en[i], EVP_CTRL_GCM_SET_IVLEN, + ivSz, NULL)); + ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], NULL, NULL, key, iv)); + } + ExpectIntEQ(1, EVP_EncryptUpdate(&en[i], NULL, &len, aad, aadSz)); + ExpectIntEQ(1, EVP_EncryptUpdate(&en[i], ciphertxt, &len, plaintxt, + plaintxtSz)); + ciphertxtSz = len; + ExpectIntEQ(1, EVP_EncryptFinal_ex(&en[i], ciphertxt, &len)); + ciphertxtSz += len; + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&en[i], EVP_CTRL_GCM_GET_TAG, + SM4_BLOCK_SIZE, tag)); + ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_cleanup(&en[i]), 1); + + EVP_CIPHER_CTX_init(&de[i]); + if (i == 0) { + /* Default uses 96-bits IV length */ + ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_sm4_gcm(), NULL, key, + iv)); + } + else { + ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_sm4_gcm(), NULL, NULL, + NULL)); + /* non-default must to set the IV length first */ + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_GCM_SET_IVLEN, + ivSz, NULL)); + ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], NULL, NULL, key, iv)); + + } + ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], NULL, &len, aad, aadSz)); + ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], decryptedtxt, &len, ciphertxt, + ciphertxtSz)); + decryptedtxtSz = len; + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_GCM_SET_TAG, + SM4_BLOCK_SIZE, tag)); + ExpectIntEQ(1, EVP_DecryptFinal_ex(&de[i], decryptedtxt, &len)); + decryptedtxtSz += len; + ExpectIntEQ(ciphertxtSz, decryptedtxtSz); + ExpectIntEQ(0, XMEMCMP(plaintxt, decryptedtxt, decryptedtxtSz)); + + /* modify tag*/ + tag[SM4_BLOCK_SIZE-1]+=0xBB; + ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], NULL, &len, aad, aadSz)); + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_GCM_SET_TAG, + SM4_BLOCK_SIZE, tag)); + /* fail due to wrong tag */ + ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], decryptedtxt, &len, ciphertxt, + ciphertxtSz)); + ExpectIntEQ(0, EVP_DecryptFinal_ex(&de[i], decryptedtxt, &len)); + ExpectIntEQ(0, len); + ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_cleanup(&de[i]), 1); + } + + res = EXPECT_RESULT(); +#endif /* OPENSSL_EXTRA && WOLFSSL_SM4_GCM */ + return res; +} + +int test_wolfssl_EVP_sm4_ccm_zeroLen(void) +{ + int res = TEST_SKIPPED; +#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_SM4_CCM) + /* Zero length plain text */ + EXPECT_DECLS; + byte key[] = { + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 + }; /* align */ + byte iv[] = { + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 + }; /* align */ + byte plaintxt[1]; + int ivSz = 12; + int plaintxtSz = 0; + unsigned char tag[16]; + + byte ciphertxt[SM4_BLOCK_SIZE * 4] = {0}; + byte decryptedtxt[SM4_BLOCK_SIZE * 4] = {0}; + int ciphertxtSz = 0; + int decryptedtxtSz = 0; + int len = 0; + + EVP_CIPHER_CTX *en = EVP_CIPHER_CTX_new(); + EVP_CIPHER_CTX *de = EVP_CIPHER_CTX_new(); + + ExpectIntEQ(1, EVP_EncryptInit_ex(en, EVP_sm4_ccm(), NULL, key, iv)); + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(en, EVP_CTRL_CCM_SET_IVLEN, ivSz, NULL)); + ExpectIntEQ(1, EVP_EncryptUpdate(en, ciphertxt, &ciphertxtSz , plaintxt, + plaintxtSz)); + ExpectIntEQ(1, EVP_EncryptFinal_ex(en, ciphertxt, &len)); + ciphertxtSz += len; + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(en, EVP_CTRL_CCM_GET_TAG, 16, tag)); + ExpectIntEQ(1, EVP_CIPHER_CTX_cleanup(en)); + + ExpectIntEQ(0, ciphertxtSz); + + EVP_CIPHER_CTX_init(de); + ExpectIntEQ(1, EVP_DecryptInit_ex(de, EVP_sm4_ccm(), NULL, key, iv)); + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(de, EVP_CTRL_CCM_SET_IVLEN, ivSz, NULL)); + ExpectIntEQ(1, EVP_DecryptUpdate(de, NULL, &len, ciphertxt, len)); + decryptedtxtSz = len; + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(de, EVP_CTRL_CCM_SET_TAG, 16, tag)); + ExpectIntEQ(1, EVP_DecryptFinal_ex(de, decryptedtxt, &len)); + decryptedtxtSz += len; + ExpectIntEQ(0, decryptedtxtSz); + + EVP_CIPHER_CTX_free(en); + EVP_CIPHER_CTX_free(de); + + res = EXPECT_RESULT(); +#endif /* OPENSSL_EXTRA && WOLFSSL_SM4_CCM */ + return res; +} + +int test_wolfssl_EVP_sm4_ccm(void) +{ + int res = TEST_SKIPPED; +#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_SM4_CCM) + EXPECT_DECLS; + byte *key = (byte*)"0123456789012345"; + byte *iv = (byte*)"0123456789012"; + int ivSz = (int)XSTRLEN((char*)iv); + /* Message to be encrypted */ + byte *plaintxt = (byte*)"for things to change you have to change"; + /* Additional non-confidential data */ + byte *aad = (byte*)"Don't spend major time on minor things."; + + unsigned char tag[SM4_BLOCK_SIZE] = {0}; + int plaintxtSz = (int)XSTRLEN((char*)plaintxt); + int aadSz = (int)XSTRLEN((char*)aad); + byte ciphertxt[SM4_BLOCK_SIZE * 4] = {0}; + byte decryptedtxt[SM4_BLOCK_SIZE * 4] = {0}; + int ciphertxtSz = 0; + int decryptedtxtSz = 0; + int len = 0; + int i = 0; + EVP_CIPHER_CTX en[2]; + EVP_CIPHER_CTX de[2]; + + for (i = 0; i < 2; i++) { + EVP_CIPHER_CTX_init(&en[i]); + + if (i == 0) { + /* Default uses 96-bits IV length */ + ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_sm4_ccm(), NULL, key, + iv)); + } + else { + ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], EVP_sm4_ccm(), NULL, NULL, + NULL)); + /* non-default must to set the IV length first */ + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&en[i], EVP_CTRL_CCM_SET_IVLEN, + ivSz, NULL)); + ExpectIntEQ(1, EVP_EncryptInit_ex(&en[i], NULL, NULL, key, iv)); + } + ExpectIntEQ(1, EVP_EncryptUpdate(&en[i], NULL, &len, aad, aadSz)); + ExpectIntEQ(1, EVP_EncryptUpdate(&en[i], ciphertxt, &len, plaintxt, + plaintxtSz)); + ciphertxtSz = len; + ExpectIntEQ(1, EVP_EncryptFinal_ex(&en[i], ciphertxt, &len)); + ciphertxtSz += len; + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&en[i], EVP_CTRL_CCM_GET_TAG, + SM4_BLOCK_SIZE, tag)); + ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_cleanup(&en[i]), 1); + + EVP_CIPHER_CTX_init(&de[i]); + if (i == 0) { + /* Default uses 96-bits IV length */ + ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_sm4_ccm(), NULL, key, + iv)); + } + else { + ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], EVP_sm4_ccm(), NULL, NULL, + NULL)); + /* non-default must to set the IV length first */ + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_CCM_SET_IVLEN, + ivSz, NULL)); + ExpectIntEQ(1, EVP_DecryptInit_ex(&de[i], NULL, NULL, key, iv)); + + } + ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], NULL, &len, aad, aadSz)); + ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], decryptedtxt, &len, ciphertxt, + ciphertxtSz)); + decryptedtxtSz = len; + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_CCM_SET_TAG, + SM4_BLOCK_SIZE, tag)); + ExpectIntEQ(1, EVP_DecryptFinal_ex(&de[i], decryptedtxt, &len)); + decryptedtxtSz += len; + ExpectIntEQ(ciphertxtSz, decryptedtxtSz); + ExpectIntEQ(0, XMEMCMP(plaintxt, decryptedtxt, decryptedtxtSz)); + + /* modify tag*/ + tag[SM4_BLOCK_SIZE-1]+=0xBB; + ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], NULL, &len, aad, aadSz)); + ExpectIntEQ(1, EVP_CIPHER_CTX_ctrl(&de[i], EVP_CTRL_CCM_SET_TAG, + SM4_BLOCK_SIZE, tag)); + /* fail due to wrong tag */ + ExpectIntEQ(1, EVP_DecryptUpdate(&de[i], decryptedtxt, &len, ciphertxt, + ciphertxtSz)); + ExpectIntEQ(0, EVP_DecryptFinal_ex(&de[i], decryptedtxt, &len)); + ExpectIntEQ(0, len); + ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_cleanup(&de[i]), 1); + } + + res = EXPECT_RESULT(); +#endif /* OPENSSL_EXTRA && WOLFSSL_SM4_CCM */ + return res; +} + + +int test_wolfSSL_EVP_rc4(void) +{ + EXPECT_DECLS; +#if !defined(NO_RC4) && defined(OPENSSL_ALL) + ExpectNotNull(wolfSSL_EVP_rc4()); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_enc_null(void) +{ + EXPECT_DECLS; +#ifdef OPENSSL_ALL + ExpectNotNull(wolfSSL_EVP_enc_null()); +#endif + return EXPECT_RESULT(); +} +int test_wolfSSL_EVP_rc2_cbc(void) + +{ + EXPECT_DECLS; +#if defined(WOLFSSL_QT) && !defined(NO_WOLFSSL_STUB) + ExpectNull(wolfSSL_EVP_rc2_cbc()); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_mdc2(void) +{ + EXPECT_DECLS; +#if !defined(NO_WOLFSSL_STUB) && defined(OPENSSL_ALL) + ExpectNull(wolfSSL_EVP_mdc2()); +#endif + return EXPECT_RESULT(); +} + diff --git a/tests/api/test_evp_cipher.h b/tests/api/test_evp_cipher.h new file mode 100644 index 00000000000..eef58ed1219 --- /dev/null +++ b/tests/api/test_evp_cipher.h @@ -0,0 +1,108 @@ +/* test_evp_cipher.h + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +#ifndef WOLFCRYPT_TEST_EVP_CIPHER_H +#define WOLFCRYPT_TEST_EVP_CIPHER_H + +#include + +int test_wolfSSL_EVP_CIPHER_CTX(void); +int test_wolfSSL_EVP_CIPHER_CTX_iv_length(void); +int test_wolfSSL_EVP_CIPHER_CTX_key_length(void); +int test_wolfSSL_EVP_CIPHER_CTX_set_iv(void); +int test_wolfSSL_EVP_get_cipherbynid(void); +int test_wolfSSL_EVP_CIPHER_block_size(void); +int test_wolfSSL_EVP_CIPHER_iv_length(void); +int test_wolfSSL_EVP_CipherUpdate_Null(void); +int test_wolfSSL_EVP_CIPHER_type_string(void); +int test_wolfSSL_EVP_BytesToKey(void); +int test_wolfSSL_EVP_Cipher_extra(void); +int test_wolfSSL_EVP_X_STATE(void); +int test_wolfSSL_EVP_X_STATE_LEN(void); +int test_wolfSSL_EVP_aes_256_gcm(void); +int test_wolfSSL_EVP_aes_192_gcm(void); +int test_wolfSSL_EVP_aes_128_gcm(void); +int test_evp_cipher_aes_gcm(void); +int test_wolfssl_EVP_aes_gcm(void); +int test_wolfssl_EVP_aes_gcm_AAD_2_parts(void); +int test_wolfssl_EVP_aes_gcm_zeroLen(void); +int test_wolfSSL_EVP_aes_256_ccm(void); +int test_wolfSSL_EVP_aes_192_ccm(void); +int test_wolfSSL_EVP_aes_128_ccm(void); +int test_wolfssl_EVP_aes_ccm(void); +int test_wolfssl_EVP_aes_ccm_zeroLen(void); +int test_wolfssl_EVP_chacha20(void); +int test_wolfssl_EVP_chacha20_poly1305(void); +int test_wolfssl_EVP_aria_gcm(void); +int test_wolfssl_EVP_sm4_ecb(void); +int test_wolfssl_EVP_sm4_cbc(void); +int test_wolfssl_EVP_sm4_ctr(void); +int test_wolfssl_EVP_sm4_gcm_zeroLen(void); +int test_wolfssl_EVP_sm4_gcm(void); +int test_wolfssl_EVP_sm4_ccm_zeroLen(void); +int test_wolfssl_EVP_sm4_ccm(void); +int test_wolfSSL_EVP_rc4(void); +int test_wolfSSL_EVP_enc_null(void); +int test_wolfSSL_EVP_rc2_cbc(void); +int test_wolfSSL_EVP_mdc2(void); + +#define TEST_EVP_CIPHER_DECLS \ + TEST_DECL_GROUP("evp_cipher", test_wolfSSL_EVP_CIPHER_CTX), \ + TEST_DECL_GROUP("evp_cipher", test_wolfSSL_EVP_CIPHER_CTX_iv_length), \ + TEST_DECL_GROUP("evp_cipher", test_wolfSSL_EVP_CIPHER_CTX_key_length), \ + TEST_DECL_GROUP("evp_cipher", test_wolfSSL_EVP_CIPHER_CTX_set_iv), \ + TEST_DECL_GROUP("evp_cipher", test_wolfSSL_EVP_get_cipherbynid), \ + TEST_DECL_GROUP("evp_cipher", test_wolfSSL_EVP_CIPHER_block_size), \ + TEST_DECL_GROUP("evp_cipher", test_wolfSSL_EVP_CIPHER_iv_length), \ + TEST_DECL_GROUP("evp_cipher", test_wolfSSL_EVP_CipherUpdate_Null), \ + TEST_DECL_GROUP("evp_cipher", test_wolfSSL_EVP_CIPHER_type_string), \ + TEST_DECL_GROUP("evp_cipher", test_wolfSSL_EVP_BytesToKey), \ + TEST_DECL_GROUP("evp_cipher", test_wolfSSL_EVP_Cipher_extra), \ + TEST_DECL_GROUP("evp_cipher", test_wolfSSL_EVP_X_STATE), \ + TEST_DECL_GROUP("evp_cipher", test_wolfSSL_EVP_X_STATE_LEN), \ + TEST_DECL_GROUP("evp_cipher", test_wolfSSL_EVP_aes_256_gcm), \ + TEST_DECL_GROUP("evp_cipher", test_wolfSSL_EVP_aes_192_gcm), \ + TEST_DECL_GROUP("evp_cipher", test_wolfSSL_EVP_aes_128_gcm), \ + TEST_DECL_GROUP("evp_cipher", test_evp_cipher_aes_gcm), \ + TEST_DECL_GROUP("evp_cipher", test_wolfssl_EVP_aes_gcm), \ + TEST_DECL_GROUP("evp_cipher", test_wolfssl_EVP_aes_gcm_AAD_2_parts), \ + TEST_DECL_GROUP("evp_cipher", test_wolfssl_EVP_aes_gcm_zeroLen), \ + TEST_DECL_GROUP("evp_cipher", test_wolfSSL_EVP_aes_256_ccm), \ + TEST_DECL_GROUP("evp_cipher", test_wolfSSL_EVP_aes_192_ccm), \ + TEST_DECL_GROUP("evp_cipher", test_wolfSSL_EVP_aes_128_ccm), \ + TEST_DECL_GROUP("evp_cipher", test_wolfssl_EVP_aes_ccm), \ + TEST_DECL_GROUP("evp_cipher", test_wolfssl_EVP_aes_ccm_zeroLen), \ + TEST_DECL_GROUP("evp_cipher", test_wolfssl_EVP_chacha20), \ + TEST_DECL_GROUP("evp_cipher", test_wolfssl_EVP_chacha20_poly1305), \ + TEST_DECL_GROUP("evp_cipher", test_wolfssl_EVP_aria_gcm), \ + TEST_DECL_GROUP("evp_cipher", test_wolfssl_EVP_sm4_ecb), \ + TEST_DECL_GROUP("evp_cipher", test_wolfssl_EVP_sm4_cbc), \ + TEST_DECL_GROUP("evp_cipher", test_wolfssl_EVP_sm4_ctr), \ + TEST_DECL_GROUP("evp_cipher", test_wolfssl_EVP_sm4_gcm_zeroLen), \ + TEST_DECL_GROUP("evp_cipher", test_wolfssl_EVP_sm4_gcm), \ + TEST_DECL_GROUP("evp_cipher", test_wolfssl_EVP_sm4_ccm_zeroLen), \ + TEST_DECL_GROUP("evp_cipher", test_wolfssl_EVP_sm4_ccm), \ + TEST_DECL_GROUP("evp_cipher", test_wolfSSL_EVP_rc4), \ + TEST_DECL_GROUP("evp_cipher", test_wolfSSL_EVP_enc_null), \ + TEST_DECL_GROUP("evp_cipher", test_wolfSSL_EVP_rc2_cbc), \ + TEST_DECL_GROUP("evp_cipher", test_wolfSSL_EVP_mdc2) + +#endif /* WOLFCRYPT_TEST_EVP_CIPHER_H */ diff --git a/tests/api/test_evp_digest.c b/tests/api/test_evp_digest.c new file mode 100644 index 00000000000..798175ef3fd --- /dev/null +++ b/tests/api/test_evp_digest.c @@ -0,0 +1,589 @@ +/* test_evp_digest.c + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +#include + +#ifdef NO_INLINE + #include +#else + #define WOLFSSL_MISC_INCLUDED + #include +#endif + +#include +#include +#include + +int test_wolfSSL_EVP_shake128(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_SHA3) && \ + defined(WOLFSSL_SHAKE128) + const EVP_MD* md = NULL; + + ExpectNotNull(md = EVP_shake128()); + ExpectIntEQ(XSTRNCMP(md, "SHAKE128", XSTRLEN("SHAKE128")), 0); +#endif + + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_shake256(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_SHA3) && \ + defined(WOLFSSL_SHAKE256) + const EVP_MD* md = NULL; + + ExpectNotNull(md = EVP_shake256()); + ExpectIntEQ(XSTRNCMP(md, "SHAKE256", XSTRLEN("SHAKE256")), 0); +#endif + + return EXPECT_RESULT(); +} + +/* + * Testing EVP digest API with SM3 + */ +int test_wolfSSL_EVP_sm3(void) +{ + int res = TEST_SKIPPED; +#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_SM3) + EXPECT_DECLS; + const EVP_MD* md = NULL; + EVP_MD_CTX* mdCtx = NULL; + byte data[WC_SM3_BLOCK_SIZE * 4]; + byte hash[WC_SM3_DIGEST_SIZE]; + byte calcHash[WC_SM3_DIGEST_SIZE]; + byte expHash[WC_SM3_DIGEST_SIZE] = { + 0x38, 0x48, 0x15, 0xa7, 0x0e, 0xae, 0x0b, 0x27, + 0x5c, 0xde, 0x9d, 0xa5, 0xd1, 0xa4, 0x30, 0xa1, + 0xca, 0xd4, 0x54, 0x58, 0x44, 0xa2, 0x96, 0x1b, + 0xd7, 0x14, 0x80, 0x3f, 0x80, 0x1a, 0x07, 0xb6 + }; + word32 chunk; + word32 i; + unsigned int sz; + int ret; + + XMEMSET(data, 0, sizeof(data)); + + md = EVP_sm3(); + ExpectTrue(md != NULL); + ExpectIntEQ(XSTRNCMP(md, "SM3", XSTRLEN("SM3")), 0); + mdCtx = EVP_MD_CTX_new(); + ExpectTrue(mdCtx != NULL); + + /* Invalid Parameters */ + ExpectIntEQ(EVP_DigestInit(NULL, md), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + /* Valid Parameters */ + ExpectIntEQ(EVP_DigestInit(mdCtx, md), WOLFSSL_SUCCESS); + + ExpectIntEQ(EVP_DigestUpdate(NULL, NULL, 1), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(EVP_DigestUpdate(mdCtx, NULL, 1), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(EVP_DigestUpdate(NULL, data, 1), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + + /* Valid Parameters */ + ExpectIntEQ(EVP_DigestUpdate(mdCtx, NULL, 0), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_DigestUpdate(mdCtx, data, 1), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_DigestUpdate(mdCtx, data, 1), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_DigestUpdate(mdCtx, data, WC_SM3_BLOCK_SIZE), + WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_DigestUpdate(mdCtx, data, WC_SM3_BLOCK_SIZE - 2), + WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_DigestUpdate(mdCtx, data, WC_SM3_BLOCK_SIZE * 2), + WOLFSSL_SUCCESS); + /* Ensure too many bytes for lengths. */ + ExpectIntEQ(EVP_DigestUpdate(mdCtx, data, WC_SM3_PAD_SIZE), + WOLFSSL_SUCCESS); + + /* Invalid Parameters */ + ExpectIntEQ(EVP_DigestFinal(NULL, NULL, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(EVP_DigestFinal(mdCtx, NULL, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(EVP_DigestFinal(NULL, hash, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(EVP_DigestFinal(NULL, hash, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(EVP_DigestFinal(mdCtx, NULL, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + + /* Valid Parameters */ + ExpectIntEQ(EVP_DigestFinal(mdCtx, hash, NULL), WOLFSSL_SUCCESS); + ExpectBufEQ(hash, expHash, WC_SM3_DIGEST_SIZE); + + /* Chunk tests. */ + ExpectIntEQ(EVP_DigestUpdate(mdCtx, data, sizeof(data)), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_DigestFinal(mdCtx, calcHash, &sz), WOLFSSL_SUCCESS); + ExpectIntEQ(sz, WC_SM3_DIGEST_SIZE); + for (chunk = 1; chunk <= WC_SM3_BLOCK_SIZE + 1; chunk++) { + for (i = 0; i + chunk <= (word32)sizeof(data); i += chunk) { + for (i = 0; i + chunk <= (word32)sizeof(data); i += chunk) { + ExpectIntEQ(EVP_DigestUpdate(mdCtx, data + i, chunk), + WOLFSSL_SUCCESS); + } + if (i < (word32)sizeof(data)) { + ExpectIntEQ(EVP_DigestUpdate(mdCtx, data + i, + (word32)sizeof(data) - i), WOLFSSL_SUCCESS); + } + ExpectIntEQ(EVP_DigestFinal(mdCtx, hash, NULL), WOLFSSL_SUCCESS); + ExpectBufEQ(hash, calcHash, WC_SM3_DIGEST_SIZE); + } + + /* Not testing when the low 32-bit length overflows. */ + + ret = EVP_MD_CTX_cleanup(mdCtx); + ExpectIntEQ(ret, WOLFSSL_SUCCESS); + wolfSSL_EVP_MD_CTX_free(mdCtx); + + res = EXPECT_RESULT(); +#endif + return res; +} /* END test_EVP_sm3 */ + +int test_EVP_blake2(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && (defined(HAVE_BLAKE2) || defined(HAVE_BLAKE2S)) + const EVP_MD* md = NULL; + (void)md; + +#if defined(HAVE_BLAKE2) + ExpectNotNull(md = EVP_blake2b512()); + ExpectIntEQ(XSTRNCMP(md, "BLAKE2b512", XSTRLEN("BLAKE2b512")), 0); +#endif + +#if defined(HAVE_BLAKE2S) + ExpectNotNull(md = EVP_blake2s256()); + ExpectIntEQ(XSTRNCMP(md, "BLAKE2s256", XSTRLEN("BLAKE2s256")), 0); +#endif +#endif + + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_md4(void) +{ + EXPECT_DECLS; +#if !defined(NO_MD4) && defined(OPENSSL_ALL) + ExpectNotNull(wolfSSL_EVP_md4()); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_ripemd160(void) +{ + EXPECT_DECLS; +#if !defined(NO_WOLFSSL_STUB) && defined(OPENSSL_ALL) + ExpectNull(wolfSSL_EVP_ripemd160()); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_get_digestbynid(void) +{ + EXPECT_DECLS; +#ifdef OPENSSL_ALL +#ifndef NO_MD5 + ExpectNotNull(wolfSSL_EVP_get_digestbynid(NID_md5)); +#endif +#ifndef NO_SHA + ExpectNotNull(wolfSSL_EVP_get_digestbynid(NID_sha1)); +#endif +#ifndef NO_SHA256 + ExpectNotNull(wolfSSL_EVP_get_digestbynid(NID_sha256)); +#endif + ExpectNull(wolfSSL_EVP_get_digestbynid(0)); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_Digest(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_SHA256) && !defined(NO_PWDBASED) + const char* in = "abc"; + int inLen = (int)XSTRLEN(in); + byte out[WC_SHA256_DIGEST_SIZE]; + unsigned int outLen; + const char* expOut = + "\xBA\x78\x16\xBF\x8F\x01\xCF\xEA\x41\x41\x40\xDE\x5D\xAE\x22" + "\x23\xB0\x03\x61\xA3\x96\x17\x7A\x9C\xB4\x10\xFF\x61\xF2\x00" + "\x15\xAD"; + + ExpectIntEQ(wolfSSL_EVP_Digest((unsigned char*)in, inLen, out, &outLen, + "SHA256", NULL), 1); + ExpectIntEQ(outLen, WC_SHA256_DIGEST_SIZE); + ExpectIntEQ(XMEMCMP(out, expOut, WC_SHA256_DIGEST_SIZE), 0); +#endif /* OPEN_EXTRA && ! NO_SHA256 */ + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_Digest_all(void) +{ + EXPECT_DECLS; +#ifdef OPENSSL_EXTRA + const char* digests[] = { +#ifndef NO_MD5 + "MD5", +#endif +#ifndef NO_SHA + "SHA", +#endif +#ifdef WOLFSSL_SHA224 + "SHA224", +#endif +#ifndef NO_SHA256 + "SHA256", +#endif +#ifdef WOLFSSL_SHA384 + "SHA384", +#endif +#ifdef WOLFSSL_SHA512 + "SHA512", +#endif +#if defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_224) + "SHA512-224", +#endif +#if defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_256) + "SHA512-256", +#endif +#ifdef WOLFSSL_SHA3 +#ifndef WOLFSSL_NOSHA3_224 + "SHA3-224", +#endif +#ifndef WOLFSSL_NOSHA3_256 + "SHA3-256", +#endif + "SHA3-384", +#ifndef WOLFSSL_NOSHA3_512 + "SHA3-512", +#endif +#endif /* WOLFSSL_SHA3 */ + NULL + }; + const char** d; + const unsigned char in[] = "abc"; + int inLen = XSTR_SIZEOF(in); + byte out[WC_MAX_DIGEST_SIZE]; + unsigned int outLen; + + for (d = digests; *d != NULL; d++) { + ExpectIntEQ(EVP_Digest(in, inLen, out, &outLen, *d, NULL), 1); + ExpectIntGT(outLen, 0); + ExpectIntEQ(EVP_MD_size(*d), outLen); + } +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_DigestFinal_ex(void) +{ + EXPECT_DECLS; +#if !defined(NO_SHA256) && defined(OPENSSL_ALL) + WOLFSSL_EVP_MD_CTX mdCtx; + unsigned int s = 0; + unsigned char md[WC_SHA256_DIGEST_SIZE]; + unsigned char md2[WC_SHA256_DIGEST_SIZE]; + + /* Bad Case */ +#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && \ + (HAVE_FIPS_VERSION > 2)) + wolfSSL_EVP_MD_CTX_init(&mdCtx); + ExpectIntEQ(wolfSSL_EVP_DigestFinal_ex(&mdCtx, md, &s), 0); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); + +#else + wolfSSL_EVP_MD_CTX_init(&mdCtx); + ExpectIntEQ(wolfSSL_EVP_DigestFinal_ex(&mdCtx, md, &s), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), WOLFSSL_SUCCESS); + +#endif + + /* Good Case */ + wolfSSL_EVP_MD_CTX_init(&mdCtx); + ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, EVP_sha256()), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_EVP_DigestFinal_ex(&mdCtx, md2, &s), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), WOLFSSL_SUCCESS); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_DigestFinalXOF(void) +{ + EXPECT_DECLS; +#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE256) && defined(OPENSSL_ALL) + WOLFSSL_EVP_MD_CTX mdCtx; + unsigned char shake[256]; + unsigned char zeros[10]; + unsigned char data[] = "Test data"; + unsigned int sz; + + XMEMSET(zeros, 0, sizeof(zeros)); + wolfSSL_EVP_MD_CTX_init(&mdCtx); + ExpectIntEQ(EVP_DigestInit(&mdCtx, EVP_shake256()), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_MD_flags(EVP_shake256()), EVP_MD_FLAG_XOF); + ExpectIntEQ(EVP_MD_flags(EVP_sha3_256()), 0); + ExpectIntEQ(EVP_DigestUpdate(&mdCtx, data, 1), WOLFSSL_SUCCESS); + XMEMSET(shake, 0, sizeof(shake)); + ExpectIntEQ(EVP_DigestFinalXOF(&mdCtx, shake, 10), WOLFSSL_SUCCESS); + + /* make sure was only size of 10 */ + ExpectIntEQ(XMEMCMP(&shake[11], zeros, 10), 0); + ExpectIntEQ(EVP_MD_CTX_cleanup(&mdCtx), WOLFSSL_SUCCESS); + + wolfSSL_EVP_MD_CTX_init(&mdCtx); + ExpectIntEQ(EVP_DigestInit(&mdCtx, EVP_shake256()), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_DigestUpdate(&mdCtx, data, 1), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_DigestFinal(&mdCtx, shake, &sz), WOLFSSL_SUCCESS); + ExpectIntEQ(sz, 32); + ExpectIntEQ(EVP_MD_CTX_cleanup(&mdCtx), WOLFSSL_SUCCESS); + + #if defined(WOLFSSL_SHAKE128) + wolfSSL_EVP_MD_CTX_init(&mdCtx); + ExpectIntEQ(EVP_DigestInit(&mdCtx, EVP_shake128()), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_DigestUpdate(&mdCtx, data, 1), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_DigestFinal(&mdCtx, shake, &sz), WOLFSSL_SUCCESS); + ExpectIntEQ(sz, 16); + ExpectIntEQ(EVP_MD_CTX_cleanup(&mdCtx), WOLFSSL_SUCCESS); + #endif +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_MD_nid(void) +{ + EXPECT_DECLS; +#ifdef OPENSSL_ALL +#ifndef NO_MD5 + ExpectIntEQ(EVP_MD_nid(EVP_md5()), NID_md5); +#endif +#ifndef NO_SHA + ExpectIntEQ(EVP_MD_nid(EVP_sha1()), NID_sha1); +#endif +#ifndef NO_SHA256 + ExpectIntEQ(EVP_MD_nid(EVP_sha256()), NID_sha256); +#endif + ExpectIntEQ(EVP_MD_nid(NULL), NID_undef); +#endif + return EXPECT_RESULT(); +} + +#if defined(OPENSSL_EXTRA) +static void list_md_fn(const EVP_MD* m, const char* from, + const char* to, void* arg) +{ + const char* mn; + BIO *bio; + + (void) from; + (void) to; + (void) arg; + (void) mn; + (void) bio; + + if (!m) { + /* alias */ + AssertNull(m); + AssertNotNull(to); + } + else { + AssertNotNull(m); + AssertNull(to); + } + + AssertNotNull(from); + +#if !defined(NO_FILESYSTEM) && defined(DEBUG_WOLFSSL_VERBOSE) + mn = EVP_get_digestbyname(from); + /* print to stderr */ + AssertNotNull(arg); + + bio = BIO_new(BIO_s_file()); + BIO_set_fp(bio, arg, BIO_NOCLOSE); + BIO_printf(bio, "Use %s message digest algorithm\n", mn); + BIO_free(bio); +#endif +} +#endif + +int test_EVP_MD_do_all(void) +{ + int res = TEST_SKIPPED; +#if defined(OPENSSL_EXTRA) + EVP_MD_do_all(NULL, stderr); + + EVP_MD_do_all(list_md_fn, stderr); + + res = TEST_SUCCESS; +#endif + + return res; +} + +int test_wolfSSL_EVP_MD_size(void) +{ + EXPECT_DECLS; +#ifdef OPENSSL_EXTRA + WOLFSSL_EVP_MD_CTX mdCtx; + +#ifdef WOLFSSL_SHA3 +#ifndef WOLFSSL_NOSHA3_224 + wolfSSL_EVP_MD_CTX_init(&mdCtx); + + ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA3-224"), 1); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA3_224_DIGEST_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA3_224_BLOCK_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); +#endif +#ifndef WOLFSSL_NOSHA3_256 + wolfSSL_EVP_MD_CTX_init(&mdCtx); + + ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA3-256"), 1); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA3_256_DIGEST_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA3_256_BLOCK_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); +#endif + wolfSSL_EVP_MD_CTX_init(&mdCtx); + + ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA3-384"), 1); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA3_384_DIGEST_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA3_384_BLOCK_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); +#ifndef WOLFSSL_NOSHA3_512 + wolfSSL_EVP_MD_CTX_init(&mdCtx); + + ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA3-512"), 1); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA3_512_DIGEST_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA3_512_BLOCK_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); +#endif +#endif /* WOLFSSL_SHA3 */ + +#ifndef NO_SHA256 + wolfSSL_EVP_MD_CTX_init(&mdCtx); + + ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA256"), 1); + ExpectIntEQ(wolfSSL_EVP_MD_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), + WC_SHA256_DIGEST_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_block_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), + WC_SHA256_BLOCK_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA256_DIGEST_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA256_BLOCK_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); + +#endif + +#ifndef NO_MD5 + wolfSSL_EVP_MD_CTX_init(&mdCtx); + + ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "MD5"), 1); + ExpectIntEQ(wolfSSL_EVP_MD_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), + WC_MD5_DIGEST_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_block_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), + WC_MD5_BLOCK_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_MD5_DIGEST_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_MD5_BLOCK_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); + +#endif + +#ifdef WOLFSSL_SHA224 + wolfSSL_EVP_MD_CTX_init(&mdCtx); + + ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA224"), 1); + ExpectIntEQ(wolfSSL_EVP_MD_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), + WC_SHA224_DIGEST_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_block_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), + WC_SHA224_BLOCK_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA224_DIGEST_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA224_BLOCK_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); + +#endif + +#ifdef WOLFSSL_SHA384 + wolfSSL_EVP_MD_CTX_init(&mdCtx); + + ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA384"), 1); + ExpectIntEQ(wolfSSL_EVP_MD_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), + WC_SHA384_DIGEST_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_block_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), + WC_SHA384_BLOCK_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA384_DIGEST_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA384_BLOCK_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); + +#endif + +#ifdef WOLFSSL_SHA512 + wolfSSL_EVP_MD_CTX_init(&mdCtx); + + ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA512"), 1); + ExpectIntEQ(wolfSSL_EVP_MD_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), + WC_SHA512_DIGEST_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_block_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), + WC_SHA512_BLOCK_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA512_DIGEST_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA512_BLOCK_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); + +#endif + +#ifndef NO_SHA + wolfSSL_EVP_MD_CTX_init(&mdCtx); + + ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA"), 1); + ExpectIntEQ(wolfSSL_EVP_MD_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), + WC_SHA_DIGEST_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_block_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), + WC_SHA_BLOCK_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA_DIGEST_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA_BLOCK_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); + + wolfSSL_EVP_MD_CTX_init(&mdCtx); + + ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA1"), 1); + ExpectIntEQ(wolfSSL_EVP_MD_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), + WC_SHA_DIGEST_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_block_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), + WC_SHA_BLOCK_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA_DIGEST_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA_BLOCK_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); +#endif + /* error case */ + wolfSSL_EVP_MD_CTX_init(&mdCtx); + + ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, ""), 0); + ExpectIntEQ(wolfSSL_EVP_MD_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), 0); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), 0); + /* Cleanup is valid on uninit'ed struct */ + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); +#endif /* OPENSSL_EXTRA */ + return EXPECT_RESULT(); +} + diff --git a/tests/api/test_evp_digest.h b/tests/api/test_evp_digest.h new file mode 100644 index 00000000000..e6989139e9c --- /dev/null +++ b/tests/api/test_evp_digest.h @@ -0,0 +1,58 @@ +/* test_evp_digest.h + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +#ifndef WOLFCRYPT_TEST_EVP_DIGEST_H +#define WOLFCRYPT_TEST_EVP_DIGEST_H + +#include + +int test_wolfSSL_EVP_shake128(void); +int test_wolfSSL_EVP_shake256(void); +int test_wolfSSL_EVP_sm3(void); +int test_EVP_blake2(void); +int test_wolfSSL_EVP_md4(void); +int test_wolfSSL_EVP_ripemd160(void); +int test_wolfSSL_EVP_get_digestbynid(void); +int test_wolfSSL_EVP_Digest(void); +int test_wolfSSL_EVP_Digest_all(void); +int test_wolfSSL_EVP_DigestFinal_ex(void); +int test_wolfSSL_EVP_DigestFinalXOF(void); +int test_wolfSSL_EVP_MD_nid(void); +int test_EVP_MD_do_all(void); +int test_wolfSSL_EVP_MD_size(void); + +#define TEST_EVP_DIGEST_DECLS \ + TEST_DECL_GROUP("evp_digest", test_wolfSSL_EVP_shake128), \ + TEST_DECL_GROUP("evp_digest", test_wolfSSL_EVP_shake256), \ + TEST_DECL_GROUP("evp_digest", test_wolfSSL_EVP_sm3), \ + TEST_DECL_GROUP("evp_digest", test_EVP_blake2), \ + TEST_DECL_GROUP("evp_digest", test_wolfSSL_EVP_md4), \ + TEST_DECL_GROUP("evp_digest", test_wolfSSL_EVP_ripemd160), \ + TEST_DECL_GROUP("evp_digest", test_wolfSSL_EVP_get_digestbynid), \ + TEST_DECL_GROUP("evp_digest", test_wolfSSL_EVP_Digest), \ + TEST_DECL_GROUP("evp_digest", test_wolfSSL_EVP_Digest_all), \ + TEST_DECL_GROUP("evp_digest", test_wolfSSL_EVP_DigestFinal_ex), \ + TEST_DECL_GROUP("evp_digest", test_wolfSSL_EVP_DigestFinalXOF), \ + TEST_DECL_GROUP("evp_digest", test_wolfSSL_EVP_MD_nid), \ + TEST_DECL_GROUP("evp_digest", test_EVP_MD_do_all), \ + TEST_DECL_GROUP("evp_digest", test_wolfSSL_EVP_MD_size) + +#endif /* WOLFCRYPT_TEST_EVP_DIGEST_H */ diff --git a/tests/api/test_evp_pkey.c b/tests/api/test_evp_pkey.c new file mode 100644 index 00000000000..35f1c720bbe --- /dev/null +++ b/tests/api/test_evp_pkey.c @@ -0,0 +1,2359 @@ +/* test_evp_pkey.c + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +#include + +#ifdef NO_INLINE + #include +#else + #define WOLFSSL_MISC_INCLUDED + #include +#endif + +#include +#include +#include +#include + + +int test_wolfSSL_EVP_PKEY_CTX_new_id(void) +{ + EXPECT_DECLS; +#ifdef OPENSSL_ALL + WOLFSSL_ENGINE* e = NULL; + int id = 0; + EVP_PKEY_CTX *ctx = NULL; + + ExpectNotNull(ctx = wolfSSL_EVP_PKEY_CTX_new_id(id, e)); + + EVP_PKEY_CTX_free(ctx); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_PKEY_CTX_set_rsa_keygen_bits(void) +{ + EXPECT_DECLS; +#ifdef OPENSSL_ALL + WOLFSSL_EVP_PKEY* pkey = NULL; + EVP_PKEY_CTX* ctx = NULL; + int bits = 2048; + + ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); + ExpectNotNull(ctx = EVP_PKEY_CTX_new(pkey, NULL)); + + ExpectIntEQ(wolfSSL_EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, bits), + WOLFSSL_SUCCESS); + + EVP_PKEY_CTX_free(ctx); + EVP_PKEY_free(pkey); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_QT_EVP_PKEY_CTX_free(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && defined(OPENSSL_ALL) + EVP_PKEY* pkey = NULL; + EVP_PKEY_CTX* ctx = NULL; + + ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); + ExpectNotNull(ctx = EVP_PKEY_CTX_new(pkey, NULL)); + +#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000L + /* void */ + EVP_PKEY_CTX_free(ctx); +#else + /* int */ + ExpectIntEQ(EVP_PKEY_CTX_free(ctx), WOLFSSL_SUCCESS); +#endif + + EVP_PKEY_free(pkey); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_PKEY_up_ref(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_ALL) + EVP_PKEY* pkey; + + pkey = EVP_PKEY_new(); + ExpectNotNull(pkey); + ExpectIntEQ(EVP_PKEY_up_ref(NULL), 0); + ExpectIntEQ(EVP_PKEY_up_ref(pkey), 1); + EVP_PKEY_free(pkey); + ExpectIntEQ(EVP_PKEY_up_ref(pkey), 1); + EVP_PKEY_free(pkey); + EVP_PKEY_free(pkey); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_PKEY_base_id(void) +{ + EXPECT_DECLS; +#ifdef OPENSSL_ALL + WOLFSSL_EVP_PKEY* pkey = NULL; + + ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); + + ExpectIntEQ(wolfSSL_EVP_PKEY_base_id(NULL), NID_undef); + + ExpectIntEQ(wolfSSL_EVP_PKEY_base_id(pkey), EVP_PKEY_RSA); + + EVP_PKEY_free(pkey); +#endif + return EXPECT_RESULT(); +} +int test_wolfSSL_EVP_PKEY_id(void) +{ + EXPECT_DECLS; +#ifdef OPENSSL_ALL + WOLFSSL_EVP_PKEY* pkey = NULL; + + ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); + + ExpectIntEQ(wolfSSL_EVP_PKEY_id(NULL), 0); + + ExpectIntEQ(wolfSSL_EVP_PKEY_id(pkey), EVP_PKEY_RSA); + + EVP_PKEY_free(pkey); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_MD_pkey_type(void) +{ + EXPECT_DECLS; +#ifdef OPENSSL_EXTRA + const WOLFSSL_EVP_MD* md; + +#ifndef NO_MD5 + ExpectNotNull(md = EVP_md5()); + ExpectIntEQ(EVP_MD_pkey_type(md), NID_md5WithRSAEncryption); +#endif +#ifndef NO_SHA + ExpectNotNull(md = EVP_sha1()); + ExpectIntEQ(EVP_MD_pkey_type(md), NID_sha1WithRSAEncryption); +#endif +#ifdef WOLFSSL_SHA224 + ExpectNotNull(md = EVP_sha224()); + ExpectIntEQ(EVP_MD_pkey_type(md), NID_sha224WithRSAEncryption); +#endif + ExpectNotNull(md = EVP_sha256()); + ExpectIntEQ(EVP_MD_pkey_type(md), NID_sha256WithRSAEncryption); +#ifdef WOLFSSL_SHA384 + ExpectNotNull(md = EVP_sha384()); + ExpectIntEQ(EVP_MD_pkey_type(md), NID_sha384WithRSAEncryption); +#endif +#ifdef WOLFSSL_SHA512 + ExpectNotNull(md = EVP_sha512()); + ExpectIntEQ(EVP_MD_pkey_type(md), NID_sha512WithRSAEncryption); +#endif +#endif + return EXPECT_RESULT(); +} + +#ifdef OPENSSL_EXTRA +static int test_hmac_signing(const WOLFSSL_EVP_MD *type, const byte* testKey, + size_t testKeySz, const char* testData, size_t testDataSz, + const byte* testResult, size_t testResultSz) +{ + EXPECT_DECLS; + unsigned char check[WC_MAX_DIGEST_SIZE]; + size_t checkSz = 0; + WOLFSSL_EVP_PKEY* key = NULL; + WOLFSSL_EVP_MD_CTX mdCtx; + + ExpectNotNull(key = wolfSSL_EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, + testKey, (int)testKeySz)); + wolfSSL_EVP_MD_CTX_init(&mdCtx); + ExpectIntEQ(wolfSSL_EVP_DigestSignInit(&mdCtx, NULL, type, NULL, key), 1); + ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData, + (unsigned int)testDataSz), 1); + checkSz = sizeof(check); + ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, NULL, &checkSz), 1); + ExpectIntEQ((int)checkSz, (int)testResultSz); + checkSz = sizeof(check); + ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); + ExpectIntEQ((int)checkSz,(int)testResultSz); + ExpectIntEQ(XMEMCMP(testResult, check, testResultSz), 0); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); + + ExpectIntEQ(wolfSSL_EVP_DigestVerifyInit(&mdCtx, NULL, type, NULL, key), 1); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData, + (unsigned int)testDataSz), 1); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyFinal(&mdCtx, testResult, checkSz), 1); + + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); + wolfSSL_EVP_MD_CTX_init(&mdCtx); + ExpectIntEQ(wolfSSL_EVP_DigestSignInit(&mdCtx, NULL, type, NULL, key), 1); + ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData, 4), 1); + checkSz = sizeof(check); + ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, NULL, &checkSz), 1); + ExpectIntEQ((int)checkSz, (int)testResultSz); + checkSz = sizeof(check); + ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); + ExpectIntEQ((int)checkSz,(int)testResultSz); + ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData + 4, + (unsigned int)testDataSz - 4), 1); + checkSz = sizeof(check); + ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); + ExpectIntEQ((int)checkSz,(int)testResultSz); + ExpectIntEQ(XMEMCMP(testResult, check, testResultSz), 0); + + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyInit(&mdCtx, NULL, type, NULL, key), 1); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData, 4), 1); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData + 4, + (unsigned int)testDataSz - 4), 1); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyFinal(&mdCtx, testResult, checkSz), 1); + + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); + + wolfSSL_EVP_PKEY_free(key); + + return EXPECT_RESULT(); +} +#endif + +int test_wolfSSL_EVP_MD_hmac_signing(void) +{ + EXPECT_DECLS; +#ifdef OPENSSL_EXTRA + static const unsigned char testKey[] = + { + 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, + 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, + 0x0b, 0x0b, 0x0b, 0x0b + }; + static const char testData[] = "Hi There"; +#ifdef WOLFSSL_SHA224 + static const unsigned char testResultSha224[] = + { + 0x89, 0x6f, 0xb1, 0x12, 0x8a, 0xbb, 0xdf, 0x19, + 0x68, 0x32, 0x10, 0x7c, 0xd4, 0x9d, 0xf3, 0x3f, + 0x47, 0xb4, 0xb1, 0x16, 0x99, 0x12, 0xba, 0x4f, + 0x53, 0x68, 0x4b, 0x22 + }; +#endif +#ifndef NO_SHA256 + static const unsigned char testResultSha256[] = + { + 0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, + 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, + 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, + 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7 + }; +#endif +#ifdef WOLFSSL_SHA384 + static const unsigned char testResultSha384[] = + { + 0xaf, 0xd0, 0x39, 0x44, 0xd8, 0x48, 0x95, 0x62, + 0x6b, 0x08, 0x25, 0xf4, 0xab, 0x46, 0x90, 0x7f, + 0x15, 0xf9, 0xda, 0xdb, 0xe4, 0x10, 0x1e, 0xc6, + 0x82, 0xaa, 0x03, 0x4c, 0x7c, 0xeb, 0xc5, 0x9c, + 0xfa, 0xea, 0x9e, 0xa9, 0x07, 0x6e, 0xde, 0x7f, + 0x4a, 0xf1, 0x52, 0xe8, 0xb2, 0xfa, 0x9c, 0xb6 + }; +#endif +#ifdef WOLFSSL_SHA512 + static const unsigned char testResultSha512[] = + { + 0x87, 0xaa, 0x7c, 0xde, 0xa5, 0xef, 0x61, 0x9d, + 0x4f, 0xf0, 0xb4, 0x24, 0x1a, 0x1d, 0x6c, 0xb0, + 0x23, 0x79, 0xf4, 0xe2, 0xce, 0x4e, 0xc2, 0x78, + 0x7a, 0xd0, 0xb3, 0x05, 0x45, 0xe1, 0x7c, 0xde, + 0xda, 0xa8, 0x33, 0xb7, 0xd6, 0xb8, 0xa7, 0x02, + 0x03, 0x8b, 0x27, 0x4e, 0xae, 0xa3, 0xf4, 0xe4, + 0xbe, 0x9d, 0x91, 0x4e, 0xeb, 0x61, 0xf1, 0x70, + 0x2e, 0x69, 0x6c, 0x20, 0x3a, 0x12, 0x68, 0x54 + }; +#endif +#ifdef WOLFSSL_SHA3 + #ifndef WOLFSSL_NOSHA3_224 + static const unsigned char testResultSha3_224[] = + { + 0x3b, 0x16, 0x54, 0x6b, 0xbc, 0x7b, 0xe2, 0x70, + 0x6a, 0x03, 0x1d, 0xca, 0xfd, 0x56, 0x37, 0x3d, + 0x98, 0x84, 0x36, 0x76, 0x41, 0xd8, 0xc5, 0x9a, + 0xf3, 0xc8, 0x60, 0xf7 + }; + #endif + #ifndef WOLFSSL_NOSHA3_256 + static const unsigned char testResultSha3_256[] = + { + 0xba, 0x85, 0x19, 0x23, 0x10, 0xdf, 0xfa, 0x96, + 0xe2, 0xa3, 0xa4, 0x0e, 0x69, 0x77, 0x43, 0x51, + 0x14, 0x0b, 0xb7, 0x18, 0x5e, 0x12, 0x02, 0xcd, + 0xcc, 0x91, 0x75, 0x89, 0xf9, 0x5e, 0x16, 0xbb + }; + #endif + #ifndef WOLFSSL_NOSHA3_384 + static const unsigned char testResultSha3_384[] = + { + 0x68, 0xd2, 0xdc, 0xf7, 0xfd, 0x4d, 0xdd, 0x0a, + 0x22, 0x40, 0xc8, 0xa4, 0x37, 0x30, 0x5f, 0x61, + 0xfb, 0x73, 0x34, 0xcf, 0xb5, 0xd0, 0x22, 0x6e, + 0x1b, 0xc2, 0x7d, 0xc1, 0x0a, 0x2e, 0x72, 0x3a, + 0x20, 0xd3, 0x70, 0xb4, 0x77, 0x43, 0x13, 0x0e, + 0x26, 0xac, 0x7e, 0x3d, 0x53, 0x28, 0x86, 0xbd + }; + #endif + #ifndef WOLFSSL_NOSHA3_512 + static const unsigned char testResultSha3_512[] = + { + 0xeb, 0x3f, 0xbd, 0x4b, 0x2e, 0xaa, 0xb8, 0xf5, + 0xc5, 0x04, 0xbd, 0x3a, 0x41, 0x46, 0x5a, 0xac, + 0xec, 0x15, 0x77, 0x0a, 0x7c, 0xab, 0xac, 0x53, + 0x1e, 0x48, 0x2f, 0x86, 0x0b, 0x5e, 0xc7, 0xba, + 0x47, 0xcc, 0xb2, 0xc6, 0xf2, 0xaf, 0xce, 0x8f, + 0x88, 0xd2, 0x2b, 0x6d, 0xc6, 0x13, 0x80, 0xf2, + 0x3a, 0x66, 0x8f, 0xd3, 0x88, 0x8b, 0xb8, 0x05, + 0x37, 0xc0, 0xa0, 0xb8, 0x64, 0x07, 0x68, 0x9e + }; + #endif +#endif + +#ifndef NO_SHA256 + ExpectIntEQ(test_hmac_signing(wolfSSL_EVP_sha256(), testKey, + sizeof(testKey), testData, XSTRLEN(testData), testResultSha256, + sizeof(testResultSha256)), TEST_SUCCESS); +#endif +#ifdef WOLFSSL_SHA224 + ExpectIntEQ(test_hmac_signing(wolfSSL_EVP_sha224(), testKey, + sizeof(testKey), testData, XSTRLEN(testData), testResultSha224, + sizeof(testResultSha224)), TEST_SUCCESS); +#endif +#ifdef WOLFSSL_SHA384 + ExpectIntEQ(test_hmac_signing(wolfSSL_EVP_sha384(), testKey, + sizeof(testKey), testData, XSTRLEN(testData), testResultSha384, + sizeof(testResultSha384)), TEST_SUCCESS); +#endif +#ifdef WOLFSSL_SHA512 + ExpectIntEQ(test_hmac_signing(wolfSSL_EVP_sha512(), testKey, + sizeof(testKey), testData, XSTRLEN(testData), testResultSha512, + sizeof(testResultSha512)), TEST_SUCCESS); +#endif +#ifdef WOLFSSL_SHA3 + #ifndef WOLFSSL_NOSHA3_224 + ExpectIntEQ(test_hmac_signing(wolfSSL_EVP_sha3_224(), testKey, + sizeof(testKey), testData, XSTRLEN(testData), testResultSha3_224, + sizeof(testResultSha3_224)), TEST_SUCCESS); + #endif + #ifndef WOLFSSL_NOSHA3_256 + ExpectIntEQ(test_hmac_signing(wolfSSL_EVP_sha3_256(), testKey, + sizeof(testKey), testData, XSTRLEN(testData), testResultSha3_256, + sizeof(testResultSha3_256)), TEST_SUCCESS); + #endif + #ifndef WOLFSSL_NOSHA3_384 + ExpectIntEQ(test_hmac_signing(wolfSSL_EVP_sha3_384(), testKey, + sizeof(testKey), testData, XSTRLEN(testData), testResultSha3_384, + sizeof(testResultSha3_384)), TEST_SUCCESS); + #endif + #ifndef WOLFSSL_NOSHA3_512 + ExpectIntEQ(test_hmac_signing(wolfSSL_EVP_sha3_512(), testKey, + sizeof(testKey), testData, XSTRLEN(testData), testResultSha3_512, + sizeof(testResultSha3_512)), TEST_SUCCESS); + #endif +#endif +#endif /* OPENSSL_EXTRA */ + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_PKEY_new_mac_key(void) +{ + EXPECT_DECLS; +#ifdef OPENSSL_EXTRA + static const unsigned char pw[] = "password"; + static const int pwSz = sizeof(pw) - 1; + size_t checkPwSz = 0; + const unsigned char* checkPw = NULL; + WOLFSSL_EVP_PKEY* key = NULL; + + ExpectNull(key = wolfSSL_EVP_PKEY_new_mac_key(0, NULL, pw, pwSz)); + ExpectNull(key = wolfSSL_EVP_PKEY_new_mac_key(0, NULL, NULL, pwSz)); + + ExpectNotNull(key = wolfSSL_EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, pw, + pwSz)); + if (key != NULL) { + ExpectIntEQ(key->type, EVP_PKEY_HMAC); + ExpectIntEQ(key->save_type, EVP_PKEY_HMAC); + ExpectIntEQ(key->pkey_sz, pwSz); + ExpectIntEQ(XMEMCMP(key->pkey.ptr, pw, pwSz), 0); + } + ExpectNotNull(checkPw = wolfSSL_EVP_PKEY_get0_hmac(key, &checkPwSz)); + ExpectIntEQ((int)checkPwSz, pwSz); + ExpectIntEQ(XMEMCMP(checkPw, pw, pwSz), 0); + wolfSSL_EVP_PKEY_free(key); + key = NULL; + + ExpectNotNull(key = wolfSSL_EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, pw, + 0)); + ExpectIntEQ(key->pkey_sz, 0); + if (EXPECT_SUCCESS()) { + /* Allocation for key->pkey.ptr may fail - OK key len is 0 */ + checkPw = wolfSSL_EVP_PKEY_get0_hmac(key, &checkPwSz); + } + ExpectTrue((checkPwSz == 0) || (checkPw != NULL)); + ExpectIntEQ((int)checkPwSz, 0); + wolfSSL_EVP_PKEY_free(key); + key = NULL; + + ExpectNotNull(key = wolfSSL_EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, NULL, + 0)); + ExpectIntEQ(key->pkey_sz, 0); + if (EXPECT_SUCCESS()) { + /* Allocation for key->pkey.ptr may fail - OK key len is 0 */ + checkPw = wolfSSL_EVP_PKEY_get0_hmac(key, &checkPwSz); + } + ExpectTrue((checkPwSz == 0) || (checkPw != NULL)); + ExpectIntEQ((int)checkPwSz, 0); + wolfSSL_EVP_PKEY_free(key); + key = NULL; +#endif /* OPENSSL_EXTRA */ + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_PKEY_hkdf(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && defined(HAVE_HKDF) + EVP_PKEY_CTX* ctx = NULL; + byte salt[] = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F}; + byte key[] = {0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, + 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F}; + byte info[] = {0X01, 0x02, 0x03, 0x04, 0x05}; + byte info2[] = {0X06, 0x07, 0x08, 0x09, 0x0A}; + byte outKey[34]; + size_t outKeySz = sizeof(outKey); + /* These expected outputs were gathered by running the same test below using + * OpenSSL. */ + const byte extractAndExpand[] = { + 0x8B, 0xEB, 0x90, 0xA9, 0x04, 0xFF, 0x05, 0x10, 0xE4, 0xB5, 0xB1, 0x10, + 0x31, 0x34, 0xFF, 0x07, 0x5B, 0xE3, 0xC6, 0x93, 0xD4, 0xF8, 0xC7, 0xEE, + 0x96, 0xDA, 0x78, 0x7A, 0xE2, 0x9A, 0x2D, 0x05, 0x4B, 0xF6 + }; + const byte extractOnly[] = { + 0xE7, 0x6B, 0x9E, 0x0F, 0xE4, 0x02, 0x1D, 0x62, 0xEA, 0x97, 0x74, 0x5E, + 0xF4, 0x3C, 0x65, 0x4D, 0xC1, 0x46, 0x98, 0xAA, 0x79, 0x9A, 0xCB, 0x9C, + 0xCC, 0x3E, 0x7F, 0x2A, 0x2B, 0x41, 0xA1, 0x9E + }; + const byte expandOnly[] = { + 0xFF, 0x29, 0x29, 0x56, 0x9E, 0xA7, 0x66, 0x02, 0xDB, 0x4F, 0xDB, 0x53, + 0x7D, 0x21, 0x67, 0x52, 0xC3, 0x0E, 0xF3, 0xFC, 0x71, 0xCE, 0x67, 0x2B, + 0xEA, 0x3B, 0xE9, 0xFC, 0xDD, 0xC8, 0xCC, 0xB7, 0x42, 0x74 + }; + const byte extractAndExpandAddInfo[] = { + 0x5A, 0x74, 0x79, 0x83, 0xA3, 0xA4, 0x2E, 0xB7, 0xD4, 0x08, 0xC2, 0x6A, + 0x2F, 0xA5, 0xE3, 0x4E, 0xF1, 0xF4, 0x87, 0x3E, 0xA6, 0xC7, 0x88, 0x45, + 0xD7, 0xE2, 0x15, 0xBC, 0xB8, 0x10, 0xEF, 0x6C, 0x4D, 0x7A + }; + + ExpectNotNull((ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL))); + ExpectIntEQ(EVP_PKEY_derive_init(ctx), WOLFSSL_SUCCESS); + /* NULL ctx. */ + ExpectIntEQ(EVP_PKEY_CTX_set_hkdf_md(NULL, EVP_sha256()), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + /* NULL md. */ + ExpectIntEQ(EVP_PKEY_CTX_set_hkdf_md(ctx, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(EVP_PKEY_CTX_set_hkdf_md(ctx, EVP_sha256()), WOLFSSL_SUCCESS); + /* NULL ctx. */ + ExpectIntEQ(EVP_PKEY_CTX_set1_hkdf_salt(NULL, salt, sizeof(salt)), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + /* NULL salt is ok. */ + ExpectIntEQ(EVP_PKEY_CTX_set1_hkdf_salt(ctx, NULL, sizeof(salt)), + WOLFSSL_SUCCESS); + /* Salt length <= 0. */ + /* Length 0 salt is ok. */ + ExpectIntEQ(EVP_PKEY_CTX_set1_hkdf_salt(ctx, salt, 0), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_CTX_set1_hkdf_salt(ctx, salt, -1), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(EVP_PKEY_CTX_set1_hkdf_salt(ctx, salt, sizeof(salt)), + WOLFSSL_SUCCESS); + /* NULL ctx. */ + ExpectIntEQ(EVP_PKEY_CTX_set1_hkdf_key(NULL, key, sizeof(key)), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + /* NULL key. */ + ExpectIntEQ(EVP_PKEY_CTX_set1_hkdf_key(ctx, NULL, sizeof(key)), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + /* Key length <= 0 */ + ExpectIntEQ(EVP_PKEY_CTX_set1_hkdf_key(ctx, key, 0), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(EVP_PKEY_CTX_set1_hkdf_key(ctx, key, -1), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(EVP_PKEY_CTX_set1_hkdf_key(ctx, key, sizeof(key)), + WOLFSSL_SUCCESS); + /* NULL ctx. */ + ExpectIntEQ(EVP_PKEY_CTX_add1_hkdf_info(NULL, info, sizeof(info)), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + /* NULL info is ok. */ + ExpectIntEQ(EVP_PKEY_CTX_add1_hkdf_info(ctx, NULL, sizeof(info)), + WOLFSSL_SUCCESS); + /* Info length <= 0 */ + /* Length 0 info is ok. */ + ExpectIntEQ(EVP_PKEY_CTX_add1_hkdf_info(ctx, info, 0), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_CTX_add1_hkdf_info(ctx, info, -1), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(EVP_PKEY_CTX_add1_hkdf_info(ctx, info, sizeof(info)), + WOLFSSL_SUCCESS); + /* NULL ctx. */ + ExpectIntEQ(EVP_PKEY_CTX_hkdf_mode(NULL, EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + /* Extract and expand (default). */ + ExpectIntEQ(EVP_PKEY_derive(ctx, outKey, &outKeySz), WOLFSSL_SUCCESS); + ExpectIntEQ(outKeySz, sizeof(extractAndExpand)); + ExpectIntEQ(XMEMCMP(outKey, extractAndExpand, outKeySz), 0); + /* Extract only. */ + ExpectIntEQ(EVP_PKEY_CTX_hkdf_mode(ctx, EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY), + WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_derive(ctx, outKey, &outKeySz), WOLFSSL_SUCCESS); + ExpectIntEQ(outKeySz, sizeof(extractOnly)); + ExpectIntEQ(XMEMCMP(outKey, extractOnly, outKeySz), 0); + outKeySz = sizeof(outKey); + /* Expand only. */ + ExpectIntEQ(EVP_PKEY_CTX_hkdf_mode(ctx, EVP_PKEY_HKDEF_MODE_EXPAND_ONLY), + WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_derive(ctx, outKey, &outKeySz), WOLFSSL_SUCCESS); + ExpectIntEQ(outKeySz, sizeof(expandOnly)); + ExpectIntEQ(XMEMCMP(outKey, expandOnly, outKeySz), 0); + outKeySz = sizeof(outKey); + /* Extract and expand with appended additional info. */ + ExpectIntEQ(EVP_PKEY_CTX_add1_hkdf_info(ctx, info2, sizeof(info2)), + WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_CTX_hkdf_mode(ctx, + EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_derive(ctx, outKey, &outKeySz), WOLFSSL_SUCCESS); + ExpectIntEQ(outKeySz, sizeof(extractAndExpandAddInfo)); + ExpectIntEQ(XMEMCMP(outKey, extractAndExpandAddInfo, outKeySz), 0); + + EVP_PKEY_CTX_free(ctx); +#endif /* OPENSSL_EXTRA && HAVE_HKDF */ + return EXPECT_RESULT(); +} + + +int test_wolfSSL_EVP_PBE_scrypt(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && defined(HAVE_SCRYPT) && defined(HAVE_PBKDF2) && \ + (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 5)) +#if !defined(NO_PWDBASED) && !defined(NO_SHA256) + int ret; + + const char pwd[] = {'p','a','s','s','w','o','r','d'}; + int pwdlen = sizeof(pwd); + const byte salt[] = {'N','a','C','l'}; + int saltlen = sizeof(salt); + byte key[80]; + word64 numOvr32 = (word64)INT32_MAX + 1; + + /* expected derived key for N:16, r:1, p:1 */ + const byte expectedKey[] = { + 0xAE, 0xC6, 0xB7, 0x48, 0x3E, 0xD2, 0x6E, 0x08, 0x80, 0x2B, + 0x41, 0xF4, 0x03, 0x20, 0x86, 0xA0, 0xE8, 0x86, 0xBE, 0x7A, + 0xC4, 0x8F, 0xCF, 0xD9, 0x2F, 0xF0, 0xCE, 0xF8, 0x10, 0x97, + 0x52, 0xF4, 0xAC, 0x74, 0xB0, 0x77, 0x26, 0x32, 0x56, 0xA6, + 0x5A, 0x99, 0x70, 0x1B, 0x7A, 0x30, 0x4D, 0x46, 0x61, 0x1C, + 0x8A, 0xA3, 0x91, 0xE7, 0x99, 0xCE, 0x10, 0xA2, 0x77, 0x53, + 0xE7, 0xE9, 0xC0, 0x9A}; + + /* N r p mx key keylen */ + ret = EVP_PBE_scrypt(pwd, pwdlen, salt, saltlen, 0, 1, 1, 0, key, 64); + ExpectIntEQ(ret, 0); /* N must be greater than 1 */ + + ret = EVP_PBE_scrypt(pwd, pwdlen, salt, saltlen, 3, 1, 1, 0, key, 64); + ExpectIntEQ(ret, 0); /* N must be power of 2 */ + + ret = EVP_PBE_scrypt(pwd, pwdlen, salt, saltlen, 2, 0, 1, 0, key, 64); + ExpectIntEQ(ret, 0); /* r must be greater than 0 */ + + ret = EVP_PBE_scrypt(pwd, pwdlen, salt, saltlen, 2, 1, 0, 0, key, 64); + ExpectIntEQ(ret, 0); /* p must be greater than 0 */ + + ret = EVP_PBE_scrypt(pwd, pwdlen, salt, saltlen, 2, 1, 1, 0, key, 0); + ExpectIntEQ(ret, 0); /* keylen must be greater than 0 */ + + ret = EVP_PBE_scrypt(pwd, pwdlen, salt, saltlen, 2, 9, 1, 0, key, 64); + ExpectIntEQ(ret, 0); /* r must be smaller than 9 */ + + ret = EVP_PBE_scrypt(pwd, pwdlen, salt, saltlen, 2, 1, 1, 0, NULL, 64); + ExpectIntEQ(ret, 1); /* should succeed if key is NULL */ + + ret = EVP_PBE_scrypt(pwd, pwdlen, salt, saltlen, 2, 1, 1, 0, key, 64); + ExpectIntEQ(ret, 1); /* should succeed */ + + ret = EVP_PBE_scrypt(pwd, pwdlen, salt, saltlen, 2, numOvr32, 1, 0, + key, 64); + ExpectIntEQ(ret, 0); /* should fail since r is greater than INT32_MAC */ + + ret = EVP_PBE_scrypt(pwd, pwdlen, salt, saltlen, 2, 1, numOvr32, 0, + key, 64); + ExpectIntEQ(ret, 0); /* should fail since p is greater than INT32_MAC */ + + ret = EVP_PBE_scrypt(pwd, pwdlen, NULL, 0, 2, 1, 1, 0, key, 64); + ExpectIntEQ(ret, 1); /* should succeed even if salt is NULL */ + + ret = EVP_PBE_scrypt(pwd, pwdlen, NULL, 4, 2, 1, 1, 0, key, 64); + ExpectIntEQ(ret, 0); /* if salt is NULL, saltlen must be 0, otherwise fail*/ + + ret = EVP_PBE_scrypt(NULL, 0, salt, saltlen, 2, 1, 1, 0, key, 64); + ExpectIntEQ(ret, 1); /* should succeed if pwd is NULL and pwdlen is 0*/ + + ret = EVP_PBE_scrypt(NULL, 4, salt, saltlen, 2, 1, 1, 0, key, 64); + ExpectIntEQ(ret, 0); /* if pwd is NULL, pwdlen must be 0 */ + + ret = EVP_PBE_scrypt(NULL, 0, NULL, 0, 2, 1, 1, 0, key, 64); + ExpectIntEQ(ret, 1); /* should succeed even both pwd and salt are NULL */ + + ret = EVP_PBE_scrypt(pwd, pwdlen, salt, saltlen, 16, 1, 1, 0, key, 64); + ExpectIntEQ(ret, 1); + + ret = XMEMCMP(expectedKey, key, sizeof(expectedKey)); + ExpectIntEQ(ret, 0); /* derived key must be the same as expected-key */ +#endif /* !NO_PWDBASED && !NO_SHA256 */ +#endif /* OPENSSL_EXTRA && HAVE_SCRYPT && HAVE_PBKDF2 */ + return EXPECT_RESULT(); +} + +int test_EVP_PKEY_cmp(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) + EVP_PKEY *a = NULL; + EVP_PKEY *b = NULL; + const unsigned char *in; + +#if !defined(NO_RSA) && defined(USE_CERT_BUFFERS_2048) + in = client_key_der_2048; + ExpectNotNull(a = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL, + &in, (long)sizeof_client_key_der_2048)); + in = client_key_der_2048; + ExpectNotNull(b = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL, + &in, (long)sizeof_client_key_der_2048)); + + /* Test success case RSA */ +#if defined(WOLFSSL_ERROR_CODE_OPENSSL) + ExpectIntEQ(EVP_PKEY_cmp(a, b), 1); +#else + ExpectIntEQ(EVP_PKEY_cmp(a, b), 0); +#endif /* WOLFSSL_ERROR_CODE_OPENSSL */ + + EVP_PKEY_free(b); + b = NULL; + EVP_PKEY_free(a); + a = NULL; +#endif + +#if defined(HAVE_ECC) && defined(USE_CERT_BUFFERS_256) + in = ecc_clikey_der_256; + ExpectNotNull(a = wolfSSL_d2i_PrivateKey(EVP_PKEY_EC, NULL, + &in, (long)sizeof_ecc_clikey_der_256)); + in = ecc_clikey_der_256; + ExpectNotNull(b = wolfSSL_d2i_PrivateKey(EVP_PKEY_EC, NULL, + &in, (long)sizeof_ecc_clikey_der_256)); + + /* Test success case ECC */ +#if defined(WOLFSSL_ERROR_CODE_OPENSSL) + ExpectIntEQ(EVP_PKEY_cmp(a, b), 1); +#else + ExpectIntEQ(EVP_PKEY_cmp(a, b), 0); +#endif /* WOLFSSL_ERROR_CODE_OPENSSL */ + + EVP_PKEY_free(b); + b = NULL; + EVP_PKEY_free(a); + a = NULL; +#endif + + /* Test failure cases */ +#if !defined(NO_RSA) && defined(USE_CERT_BUFFERS_2048) && \ + defined(HAVE_ECC) && defined(USE_CERT_BUFFERS_256) + + in = client_key_der_2048; + ExpectNotNull(a = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL, + &in, (long)sizeof_client_key_der_2048)); + in = ecc_clikey_der_256; + ExpectNotNull(b = wolfSSL_d2i_PrivateKey(EVP_PKEY_EC, NULL, + &in, (long)sizeof_ecc_clikey_der_256)); + +#if defined(WOLFSSL_ERROR_CODE_OPENSSL) + ExpectIntEQ(EVP_PKEY_cmp(a, b), -1); +#else + ExpectIntNE(EVP_PKEY_cmp(a, b), 0); +#endif /* WOLFSSL_ERROR_CODE_OPENSSL */ + EVP_PKEY_free(b); + b = NULL; + EVP_PKEY_free(a); + a = NULL; +#endif + + /* invalid or empty failure cases */ + a = EVP_PKEY_new(); + b = EVP_PKEY_new(); +#if defined(WOLFSSL_ERROR_CODE_OPENSSL) + ExpectIntEQ(EVP_PKEY_cmp(NULL, NULL), 0); + ExpectIntEQ(EVP_PKEY_cmp(a, NULL), 0); + ExpectIntEQ(EVP_PKEY_cmp(NULL, b), 0); +#ifdef NO_RSA + /* Type check will fail since RSA is the default EVP key type */ + ExpectIntEQ(EVP_PKEY_cmp(a, b), -2); +#else + ExpectIntEQ(EVP_PKEY_cmp(a, b), 0); +#endif +#else + ExpectIntNE(EVP_PKEY_cmp(NULL, NULL), 0); + ExpectIntNE(EVP_PKEY_cmp(a, NULL), 0); + ExpectIntNE(EVP_PKEY_cmp(NULL, b), 0); + ExpectIntNE(EVP_PKEY_cmp(a, b), 0); +#endif + EVP_PKEY_free(b); + EVP_PKEY_free(a); + + (void)in; +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_PKEY_set1_get1_DSA(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_ALL) && !defined (NO_DSA) && !defined(HAVE_SELFTEST) && \ + defined(WOLFSSL_KEY_GEN) + DSA *dsa = NULL; + DSA *setDsa = NULL; + EVP_PKEY *pkey = NULL; + EVP_PKEY *set1Pkey = NULL; + + SHA_CTX sha; + byte signature[DSA_SIG_SIZE]; + byte hash[WC_SHA_DIGEST_SIZE]; + word32 bytes; + int answer; +#ifdef USE_CERT_BUFFERS_1024 + const unsigned char* dsaKeyDer = dsa_key_der_1024; + int dsaKeySz = sizeof_dsa_key_der_1024; + byte tmp[ONEK_BUF]; + + XMEMSET(tmp, 0, sizeof(tmp)); + XMEMCPY(tmp, dsaKeyDer , dsaKeySz); + bytes = dsaKeySz; +#elif defined(USE_CERT_BUFFERS_2048) + const unsigned char* dsaKeyDer = dsa_key_der_2048; + int dsaKeySz = sizeof_dsa_key_der_2048; + byte tmp[TWOK_BUF]; + + XMEMSET(tmp, 0, sizeof(tmp)); + XMEMCPY(tmp, dsaKeyDer , dsaKeySz); + bytes = (word32)dsaKeySz; +#else + byte tmp[TWOK_BUF]; + const unsigned char* dsaKeyDer = (const unsigned char*)tmp; + int dsaKeySz; + XFILE fp = XBADFILE; + + XMEMSET(tmp, 0, sizeof(tmp)); + ExpectTrue((fp = XFOPEN("./certs/dsa2048.der", "rb")) != XBADFILE); + ExpectIntGT(dsaKeySz = bytes = (word32) XFREAD(tmp, 1, sizeof(tmp), fp), 0); + if (fp != XBADFILE) + XFCLOSE(fp); +#endif /* END USE_CERT_BUFFERS_1024 */ + + /* Create hash to later Sign and Verify */ + ExpectIntEQ(SHA1_Init(&sha), WOLFSSL_SUCCESS); + ExpectIntEQ(SHA1_Update(&sha, tmp, bytes), WOLFSSL_SUCCESS); + ExpectIntEQ(SHA1_Final(hash,&sha), WOLFSSL_SUCCESS); + + /* Initialize pkey with der format dsa key */ + ExpectNotNull(d2i_PrivateKey(EVP_PKEY_DSA, &pkey, &dsaKeyDer, + (long)dsaKeySz)); + + /* Test wolfSSL_EVP_PKEY_get1_DSA */ + /* Should Fail: NULL argument */ + ExpectNull(dsa = EVP_PKEY_get0_DSA(NULL)); + ExpectNull(dsa = EVP_PKEY_get1_DSA(NULL)); + /* Should Pass: Initialized pkey argument */ + ExpectNotNull(dsa = EVP_PKEY_get0_DSA(pkey)); + ExpectNotNull(dsa = EVP_PKEY_get1_DSA(pkey)); + +#ifdef USE_CERT_BUFFERS_1024 + ExpectIntEQ(DSA_bits(dsa), 1024); +#else + ExpectIntEQ(DSA_bits(dsa), 2048); +#endif + + /* Sign */ + ExpectIntEQ(wolfSSL_DSA_do_sign(hash, signature, dsa), WOLFSSL_SUCCESS); + /* Verify. */ + ExpectIntEQ(wolfSSL_DSA_do_verify(hash, signature, dsa, &answer), + WOLFSSL_SUCCESS); + + /* Test wolfSSL_EVP_PKEY_set1_DSA */ + /* Should Fail: set1Pkey not initialized */ + ExpectIntNE(EVP_PKEY_set1_DSA(set1Pkey, dsa), WOLFSSL_SUCCESS); + + /* Initialize set1Pkey */ + set1Pkey = EVP_PKEY_new(); + + /* Should Fail Verify: setDsa not initialized from set1Pkey */ + ExpectIntNE(wolfSSL_DSA_do_verify(hash,signature,setDsa,&answer), + WOLFSSL_SUCCESS); + + /* Should Pass: set dsa into set1Pkey */ + ExpectIntEQ(EVP_PKEY_set1_DSA(set1Pkey, dsa), WOLFSSL_SUCCESS); + + DSA_free(dsa); + DSA_free(setDsa); + EVP_PKEY_free(pkey); + EVP_PKEY_free(set1Pkey); +#endif /* OPENSSL_ALL && !NO_DSA && !HAVE_SELFTEST && WOLFSSL_KEY_GEN */ + return EXPECT_RESULT(); +} /* END test_EVP_PKEY_set1_get1_DSA */ + +int test_wolfSSL_EVP_PKEY_set1_get1_EC_KEY(void) +{ + EXPECT_DECLS; +#if defined(HAVE_ECC) && defined(OPENSSL_ALL) + WOLFSSL_EC_KEY* ecKey = NULL; + WOLFSSL_EC_KEY* ecGet1 = NULL; + EVP_PKEY* pkey = NULL; + + ExpectNotNull(ecKey = wolfSSL_EC_KEY_new()); + ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); + + /* Test wolfSSL_EVP_PKEY_set1_EC_KEY */ + ExpectIntEQ(wolfSSL_EVP_PKEY_set1_EC_KEY(NULL, ecKey), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EVP_PKEY_set1_EC_KEY(pkey, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + /* Should fail since ecKey is empty */ + ExpectIntEQ(wolfSSL_EVP_PKEY_set1_EC_KEY(pkey, ecKey), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EC_KEY_generate_key(ecKey), 1); + ExpectIntEQ(wolfSSL_EVP_PKEY_set1_EC_KEY(pkey, ecKey), WOLFSSL_SUCCESS); + + /* Test wolfSSL_EVP_PKEY_get1_EC_KEY */ + ExpectNull(wolfSSL_EVP_PKEY_get1_EC_KEY(NULL)); + ExpectNotNull(ecGet1 = wolfSSL_EVP_PKEY_get1_EC_KEY(pkey)); + + wolfSSL_EC_KEY_free(ecKey); + wolfSSL_EC_KEY_free(ecGet1); + EVP_PKEY_free(pkey); +#endif /* HAVE_ECC && OPENSSL_ALL */ + return EXPECT_RESULT(); +} /* END test_EVP_PKEY_set1_get1_EC_KEY */ + +int test_wolfSSL_EVP_PKEY_get0_EC_KEY(void) +{ + EXPECT_DECLS; +#if defined(HAVE_ECC) && defined(OPENSSL_ALL) + WOLFSSL_EVP_PKEY* pkey = NULL; + + ExpectNull(EVP_PKEY_get0_EC_KEY(NULL)); + + ExpectNotNull(pkey = EVP_PKEY_new()); + ExpectNull(EVP_PKEY_get0_EC_KEY(pkey)); + EVP_PKEY_free(pkey); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_PKEY_set1_get1_DH(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) +#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) +#if !defined(NO_DH) && defined(WOLFSSL_DH_EXTRA) && !defined(NO_FILESYSTEM) + DH *dh = NULL; + DH *setDh = NULL; + EVP_PKEY *pkey = NULL; + + XFILE f = XBADFILE; + unsigned char buf[4096]; + const unsigned char* pt = buf; + const char* dh2048 = "./certs/dh2048.der"; + long len = 0; + int code = -1; + + XMEMSET(buf, 0, sizeof(buf)); + + ExpectTrue((f = XFOPEN(dh2048, "rb")) != XBADFILE); + ExpectTrue((len = (long)XFREAD(buf, 1, sizeof(buf), f)) > 0); + if (f != XBADFILE) + XFCLOSE(f); + + /* Load dh2048.der into DH with internal format */ + ExpectNotNull(setDh = wolfSSL_d2i_DHparams(NULL, &pt, len)); + + ExpectIntEQ(wolfSSL_DH_check(setDh, &code), WOLFSSL_SUCCESS); + ExpectIntEQ(code, 0); + code = -1; + + ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); + + /* Set DH into PKEY */ + ExpectIntEQ(wolfSSL_EVP_PKEY_set1_DH(pkey, setDh), WOLFSSL_SUCCESS); + + /* Get DH from PKEY */ + ExpectNotNull(dh = wolfSSL_EVP_PKEY_get1_DH(pkey)); + + ExpectIntEQ(wolfSSL_DH_check(dh, &code), WOLFSSL_SUCCESS); + ExpectIntEQ(code, 0); + + EVP_PKEY_free(pkey); + DH_free(setDh); + setDh = NULL; + DH_free(dh); + dh = NULL; +#endif /* !NO_DH && WOLFSSL_DH_EXTRA && !NO_FILESYSTEM */ +#endif /* !HAVE_FIPS || HAVE_FIPS_VERSION > 2 */ +#endif /* OPENSSL_ALL || WOLFSSL_QT || WOLFSSL_OPENSSH */ + return EXPECT_RESULT(); +} /* END test_EVP_PKEY_set1_get1_DH */ + +int test_wolfSSL_EVP_PKEY_assign(void) +{ + EXPECT_DECLS; +#if (!defined(NO_RSA) || !defined(NO_DSA) || defined(HAVE_ECC)) && \ + defined(OPENSSL_ALL) + int type; + WOLFSSL_EVP_PKEY* pkey = NULL; +#ifndef NO_RSA + WOLFSSL_RSA* rsa = NULL; +#endif +#ifndef NO_DSA + WOLFSSL_DSA* dsa = NULL; +#endif +#ifdef HAVE_ECC + WOLFSSL_EC_KEY* ecKey = NULL; +#endif + +#ifndef NO_RSA + type = EVP_PKEY_RSA; + ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); + ExpectNotNull(rsa = wolfSSL_RSA_new()); + ExpectIntEQ(wolfSSL_EVP_PKEY_assign(NULL, type, rsa), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, type, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, -1, rsa), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, type, rsa), WOLFSSL_SUCCESS); + if (EXPECT_FAIL()) { + wolfSSL_RSA_free(rsa); + } + wolfSSL_EVP_PKEY_free(pkey); + pkey = NULL; +#endif /* NO_RSA */ + +#ifndef NO_DSA + type = EVP_PKEY_DSA; + ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); + ExpectNotNull(dsa = wolfSSL_DSA_new()); + ExpectIntEQ(wolfSSL_EVP_PKEY_assign(NULL, type, dsa), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, type, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, -1, dsa), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, type, dsa), WOLFSSL_SUCCESS); + if (EXPECT_FAIL()) { + wolfSSL_DSA_free(dsa); + } + wolfSSL_EVP_PKEY_free(pkey); + pkey = NULL; +#endif /* NO_DSA */ + +#ifdef HAVE_ECC + type = EVP_PKEY_EC; + ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); + ExpectNotNull(ecKey = wolfSSL_EC_KEY_new()); + ExpectIntEQ(wolfSSL_EVP_PKEY_assign(NULL, type, ecKey), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, type, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, -1, ecKey), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, type, ecKey), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EC_KEY_generate_key(ecKey), 1); + ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, type, ecKey), WOLFSSL_SUCCESS); + if (EXPECT_FAIL()) { + wolfSSL_EC_KEY_free(ecKey); + } + wolfSSL_EVP_PKEY_free(pkey); + pkey = NULL; +#endif /* HAVE_ECC */ +#endif /* (!NO_RSA || !NO_DSA || HAVE_ECC) && OPENSSL_ALL */ + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_PKEY_assign_DH(void) +{ + EXPECT_DECLS; +#if !defined(NO_DH) && defined(OPENSSL_ALL) && (!defined(HAVE_FIPS) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2))) + XFILE f = XBADFILE; + unsigned char buf[4096]; + const unsigned char* pt = buf; + const char* params1 = "./certs/dh2048.der"; + long len = 0; + WOLFSSL_DH* dh = NULL; + WOLFSSL_EVP_PKEY* pkey = NULL; + XMEMSET(buf, 0, sizeof(buf)); + + /* Load DH parameters DER. */ + ExpectTrue((f = XFOPEN(params1, "rb")) != XBADFILE); + ExpectTrue((len = (long)XFREAD(buf, 1, sizeof(buf), f)) > 0); + if (f != XBADFILE) + XFCLOSE(f); + + ExpectNotNull(dh = wolfSSL_d2i_DHparams(NULL, &pt, len)); + ExpectIntEQ(DH_generate_key(dh), WOLFSSL_SUCCESS); + + ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); + + /* Bad cases */ + ExpectIntEQ(wolfSSL_EVP_PKEY_assign_DH(NULL, dh), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EVP_PKEY_assign_DH(pkey, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EVP_PKEY_assign_DH(NULL, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + + /* Good case */ + ExpectIntEQ(wolfSSL_EVP_PKEY_assign_DH(pkey, dh), WOLFSSL_SUCCESS); + if (EXPECT_FAIL()) { + wolfSSL_DH_free(dh); + } + + EVP_PKEY_free(pkey); +#endif + return EXPECT_RESULT(); +} + +int test_EVP_PKEY_rsa(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) + WOLFSSL_RSA* rsa = NULL; + WOLFSSL_EVP_PKEY* pkey = NULL; + + ExpectNotNull(rsa = wolfSSL_RSA_new()); + ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); + ExpectIntEQ(EVP_PKEY_assign_RSA(NULL, rsa), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(EVP_PKEY_assign_RSA(pkey, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(EVP_PKEY_assign_RSA(pkey, rsa), WOLFSSL_SUCCESS); + if (EXPECT_FAIL()) { + wolfSSL_RSA_free(rsa); + } + ExpectPtrEq(EVP_PKEY_get0_RSA(pkey), rsa); + wolfSSL_EVP_PKEY_free(pkey); +#endif + return EXPECT_RESULT(); +} + +int test_EVP_PKEY_ec(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && defined(HAVE_ECC) +#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) + WOLFSSL_EC_KEY* ecKey = NULL; + WOLFSSL_EVP_PKEY* pkey = NULL; + + ExpectNotNull(ecKey = wolfSSL_EC_KEY_new()); + ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); + ExpectIntEQ(EVP_PKEY_assign_EC_KEY(NULL, ecKey), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(EVP_PKEY_assign_EC_KEY(pkey, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + /* Should fail since ecKey is empty */ + ExpectIntEQ(EVP_PKEY_assign_EC_KEY(pkey, ecKey), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EC_KEY_generate_key(ecKey), 1); + ExpectIntEQ(EVP_PKEY_assign_EC_KEY(pkey, ecKey), WOLFSSL_SUCCESS); + if (EXPECT_FAIL()) { + wolfSSL_EC_KEY_free(ecKey); + } + wolfSSL_EVP_PKEY_free(pkey); +#endif +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_PKEY_missing_parameters(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_ALL) && !defined(NO_WOLFSSL_STUB) + WOLFSSL_EVP_PKEY* pkey = NULL; + + ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); + + ExpectIntEQ(wolfSSL_EVP_PKEY_missing_parameters(pkey), 0); + ExpectIntEQ(wolfSSL_EVP_PKEY_missing_parameters(NULL), 0); + + EVP_PKEY_free(pkey); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_PKEY_copy_parameters(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_DH) && defined(WOLFSSL_KEY_GEN) && \ + !defined(HAVE_SELFTEST) && defined(WOLFSSL_DH_EXTRA) && \ + (defined(OPENSSL_ALL) || defined(WOLFSSL_QT)) && !defined(NO_FILESYSTEM) + WOLFSSL_EVP_PKEY* params = NULL; + WOLFSSL_EVP_PKEY* copy = NULL; + DH* dh = NULL; + BIGNUM* p1; + BIGNUM* g1; + BIGNUM* q1; + BIGNUM* p2; + BIGNUM* g2; + BIGNUM* q2; + + /* create DH with DH_get_2048_256 params */ + ExpectNotNull(params = wolfSSL_EVP_PKEY_new()); + ExpectNotNull(dh = DH_get_2048_256()); + ExpectIntEQ(EVP_PKEY_set1_DH(params, dh), WOLFSSL_SUCCESS); + DH_get0_pqg(dh, (const BIGNUM**)&p1, + (const BIGNUM**)&q1, + (const BIGNUM**)&g1); + DH_free(dh); + dh = NULL; + + /* create DH with random generated DH params */ + ExpectNotNull(copy = wolfSSL_EVP_PKEY_new()); + ExpectNotNull(dh = DH_generate_parameters(2048, 2, NULL, NULL)); + ExpectIntEQ(EVP_PKEY_set1_DH(copy, dh), WOLFSSL_SUCCESS); + DH_free(dh); + dh = NULL; + + ExpectIntEQ(EVP_PKEY_copy_parameters(copy, params), WOLFSSL_SUCCESS); + ExpectNotNull(dh = EVP_PKEY_get1_DH(copy)); + ExpectNotNull(dh->p); + ExpectNotNull(dh->g); + ExpectNotNull(dh->q); + DH_get0_pqg(dh, (const BIGNUM**)&p2, + (const BIGNUM**)&q2, + (const BIGNUM**)&g2); + + ExpectIntEQ(BN_cmp(p1, p2), 0); + ExpectIntEQ(BN_cmp(q1, q2), 0); + ExpectIntEQ(BN_cmp(g1, g2), 0); + + DH_free(dh); + dh = NULL; + EVP_PKEY_free(copy); + EVP_PKEY_free(params); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_PKEY_paramgen(void) +{ + EXPECT_DECLS; + /* ECC check taken from ecc.c. It is the condition that defines ECC256 */ +#if defined(OPENSSL_ALL) && !defined(NO_ECC_SECP) && \ + ((!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && \ + ECC_MIN_KEY_SZ <= 256) + EVP_PKEY_CTX* ctx = NULL; + EVP_PKEY* pkey = NULL; + + /* Test error conditions. */ + ExpectIntEQ(EVP_PKEY_paramgen(NULL, &pkey), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectNotNull(ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL)); + ExpectIntEQ(EVP_PKEY_paramgen(ctx, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + +#ifndef NO_RSA + EVP_PKEY_CTX_free(ctx); + /* Parameter generation for RSA not supported yet. */ + ExpectNotNull(ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL)); + ExpectIntEQ(EVP_PKEY_paramgen(ctx, &pkey), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); +#endif + +#ifdef HAVE_ECC + EVP_PKEY_CTX_free(ctx); + ExpectNotNull(ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL)); + ExpectIntEQ(EVP_PKEY_paramgen_init(ctx), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, + NID_X9_62_prime256v1), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_paramgen(ctx, &pkey), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_CTX_set_ec_param_enc(ctx, OPENSSL_EC_NAMED_CURVE), + WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_keygen_init(ctx), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_keygen(ctx, &pkey), WOLFSSL_SUCCESS); +#endif + + EVP_PKEY_CTX_free(ctx); + EVP_PKEY_free(pkey); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_PKEY_param_check(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) +#if !defined(NO_DH) && defined(WOLFSSL_DH_EXTRA) && !defined(NO_FILESYSTEM) + + DH *dh = NULL; + DH *setDh = NULL; + EVP_PKEY *pkey = NULL; + EVP_PKEY_CTX* ctx = NULL; + + FILE* f = NULL; + unsigned char buf[512]; + const unsigned char* pt = buf; + const char* dh2048 = "./certs/dh2048.der"; + long len = 0; + int code = -1; + + XMEMSET(buf, 0, sizeof(buf)); + + ExpectTrue((f = XFOPEN(dh2048, "rb")) != XBADFILE); + ExpectTrue((len = (long)XFREAD(buf, 1, sizeof(buf), f)) > 0); + if (f != XBADFILE) + XFCLOSE(f); + + /* Load dh2048.der into DH with internal format */ + ExpectNotNull(setDh = d2i_DHparams(NULL, &pt, len)); + ExpectIntEQ(DH_check(setDh, &code), WOLFSSL_SUCCESS); + ExpectIntEQ(code, 0); + code = -1; + + pkey = wolfSSL_EVP_PKEY_new(); + /* Set DH into PKEY */ + ExpectIntEQ(EVP_PKEY_set1_DH(pkey, setDh), WOLFSSL_SUCCESS); + /* create ctx from pkey */ + ExpectNotNull(ctx = EVP_PKEY_CTX_new(pkey, NULL)); + ExpectIntEQ(EVP_PKEY_param_check(ctx), 1/* valid */); + + /* TODO: more invalid cases */ + ExpectIntEQ(EVP_PKEY_param_check(NULL), 0); + + EVP_PKEY_CTX_free(ctx); + EVP_PKEY_free(pkey); + DH_free(setDh); + setDh = NULL; + DH_free(dh); + dh = NULL; +#endif +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_PKEY_keygen_init(void) +{ + EXPECT_DECLS; +#ifdef OPENSSL_ALL + WOLFSSL_EVP_PKEY* pkey = NULL; + EVP_PKEY_CTX *ctx = NULL; + + ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); + ExpectNotNull(ctx = EVP_PKEY_CTX_new(pkey, NULL)); + + ExpectIntEQ(wolfSSL_EVP_PKEY_keygen_init(ctx), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_EVP_PKEY_keygen_init(NULL), WOLFSSL_SUCCESS); + + EVP_PKEY_CTX_free(ctx); + EVP_PKEY_free(pkey); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_PKEY_keygen(void) +{ + EXPECT_DECLS; +#ifdef OPENSSL_ALL + WOLFSSL_EVP_PKEY* pkey = NULL; + EVP_PKEY_CTX* ctx = NULL; +#if !defined(NO_DH) && (!defined(HAVE_FIPS) || FIPS_VERSION_GT(2,0)) + WOLFSSL_EVP_PKEY* params = NULL; + DH* dh = NULL; + const BIGNUM* pubkey = NULL; + const BIGNUM* privkey = NULL; + ASN1_INTEGER* asn1int = NULL; + unsigned int length = 0; + byte* derBuffer = NULL; +#endif + + ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); + ExpectNotNull(ctx = EVP_PKEY_CTX_new(pkey, NULL)); + + /* Bad cases */ + ExpectIntEQ(wolfSSL_EVP_PKEY_keygen(NULL, &pkey), 0); + ExpectIntEQ(wolfSSL_EVP_PKEY_keygen(ctx, NULL), 0); + ExpectIntEQ(wolfSSL_EVP_PKEY_keygen(NULL, NULL), 0); + + /* Good case */ + ExpectIntEQ(wolfSSL_EVP_PKEY_keygen(ctx, &pkey), 0); + + EVP_PKEY_CTX_free(ctx); + ctx = NULL; + EVP_PKEY_free(pkey); + pkey = NULL; + +#if !defined(NO_DH) && (!defined(HAVE_FIPS) || FIPS_VERSION_GT(2,0)) + /* Test DH keygen */ + { + ExpectNotNull(params = wolfSSL_EVP_PKEY_new()); + ExpectNotNull(dh = DH_get_2048_256()); + ExpectIntEQ(EVP_PKEY_set1_DH(params, dh), WOLFSSL_SUCCESS); + ExpectNotNull(ctx = EVP_PKEY_CTX_new(params, NULL)); + ExpectIntEQ(EVP_PKEY_keygen_init(ctx), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_keygen(ctx, &pkey), WOLFSSL_SUCCESS); + + DH_free(dh); + dh = NULL; + EVP_PKEY_CTX_free(ctx); + EVP_PKEY_free(params); + + /* try exporting generated key to DER, to verify */ + ExpectNotNull(dh = EVP_PKEY_get1_DH(pkey)); + DH_get0_key(dh, &pubkey, &privkey); + ExpectNotNull(pubkey); + ExpectNotNull(privkey); + ExpectNotNull(asn1int = BN_to_ASN1_INTEGER(pubkey, NULL)); + ExpectIntGT((length = i2d_ASN1_INTEGER(asn1int, &derBuffer)), 0); + + ASN1_INTEGER_free(asn1int); + DH_free(dh); + dh = NULL; + XFREE(derBuffer, NULL, DYNAMIC_TYPE_TMP_BUFFER); + + EVP_PKEY_free(pkey); + } +#endif +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_SignInit_ex(void) +{ + EXPECT_DECLS; +#ifdef OPENSSL_ALL + WOLFSSL_EVP_MD_CTX mdCtx; + WOLFSSL_ENGINE* e = 0; + const EVP_MD* md = EVP_sha256(); + + wolfSSL_EVP_MD_CTX_init(&mdCtx); + ExpectIntEQ(wolfSSL_EVP_SignInit_ex(&mdCtx, md, e), WOLFSSL_SUCCESS); + + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); +#endif + return EXPECT_RESULT(); +} + +#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) && \ + !defined(HAVE_SELFTEST) +#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) + #ifndef TEST_WOLFSSL_EVP_PKEY_SIGN_VERIFY + #define TEST_WOLFSSL_EVP_PKEY_SIGN_VERIFY + #endif +#endif +#endif +#if defined(OPENSSL_EXTRA) +#if !defined (NO_DSA) && !defined(HAVE_SELFTEST) && defined(WOLFSSL_KEY_GEN) + #ifndef TEST_WOLFSSL_EVP_PKEY_SIGN_VERIFY + #define TEST_WOLFSSL_EVP_PKEY_SIGN_VERIFY + #endif +#endif +#endif +#if defined(OPENSSL_EXTRA) && defined(HAVE_ECC) +#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) + #ifndef TEST_WOLFSSL_EVP_PKEY_SIGN_VERIFY + #define TEST_WOLFSSL_EVP_PKEY_SIGN_VERIFY + #endif +#endif +#endif + +#ifdef TEST_WOLFSSL_EVP_PKEY_SIGN_VERIFY +static int test_wolfSSL_EVP_PKEY_sign_verify(int keyType) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) +#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) && \ + !defined(HAVE_SELFTEST) +#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) + WOLFSSL_RSA* rsa = NULL; +#endif +#endif +#if !defined (NO_DSA) && !defined(HAVE_SELFTEST) && defined(WOLFSSL_KEY_GEN) + WOLFSSL_DSA* dsa = NULL; +#endif /* !NO_DSA && !HAVE_SELFTEST && WOLFSSL_KEY_GEN */ +#if defined(OPENSSL_EXTRA) && defined(HAVE_ECC) +#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) + WOLFSSL_EC_KEY* ecKey = NULL; +#endif +#endif + WOLFSSL_EVP_PKEY* pkey = NULL; + WOLFSSL_EVP_PKEY_CTX* ctx = NULL; + WOLFSSL_EVP_PKEY_CTX* ctx_verify = NULL; + const char* in = "What is easy to do is easy not to do."; + size_t inlen = XSTRLEN(in); + byte hash[SHA256_DIGEST_LENGTH] = {0}; + byte zero[SHA256_DIGEST_LENGTH] = {0}; + SHA256_CTX c; + byte* sig = NULL; + byte* sigVerify = NULL; + size_t siglen; + size_t siglenOnlyLen; + size_t keySz = 2048/8; /* Bytes */ + + ExpectNotNull(sig = + (byte*)XMALLOC(keySz, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER)); + ExpectNotNull(sigVerify = + (byte*)XMALLOC(keySz, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER)); + + siglen = keySz; + ExpectNotNull(XMEMSET(sig, 0, keySz)); + ExpectNotNull(XMEMSET(sigVerify, 0, keySz)); + + /* Generate hash */ + SHA256_Init(&c); + SHA256_Update(&c, in, inlen); + SHA256_Final(hash, &c); +#ifdef WOLFSSL_SMALL_STACK_CACHE + /* workaround for small stack cache case */ + wc_Sha256Free((wc_Sha256*)&c); +#endif + + /* Generate key */ + ExpectNotNull(pkey = EVP_PKEY_new()); + switch (keyType) { + case EVP_PKEY_RSA: +#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) && \ + !defined(HAVE_SELFTEST) +#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) + { + ExpectNotNull(rsa = RSA_generate_key(2048, 3, NULL, NULL)); + ExpectIntEQ(EVP_PKEY_assign_RSA(pkey, rsa), WOLFSSL_SUCCESS); + } +#endif +#endif + break; + case EVP_PKEY_DSA: +#if !defined (NO_DSA) && !defined(HAVE_SELFTEST) && defined(WOLFSSL_KEY_GEN) + ExpectNotNull(dsa = DSA_new()); + ExpectIntEQ(DSA_generate_parameters_ex(dsa, 2048, + NULL, 0, NULL, NULL, NULL), 1); + ExpectIntEQ(DSA_generate_key(dsa), 1); + ExpectIntEQ(EVP_PKEY_set1_DSA(pkey, dsa), WOLFSSL_SUCCESS); +#endif /* !NO_DSA && !HAVE_SELFTEST && WOLFSSL_KEY_GEN */ + break; + case EVP_PKEY_EC: +#if defined(OPENSSL_EXTRA) && defined(HAVE_ECC) +#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) + { + ExpectNotNull(ecKey = EC_KEY_new()); + ExpectIntEQ(EC_KEY_generate_key(ecKey), 1); + ExpectIntEQ( + EVP_PKEY_assign_EC_KEY(pkey, ecKey), WOLFSSL_SUCCESS); + if (EXPECT_FAIL()) { + EC_KEY_free(ecKey); + } + } +#endif +#endif + break; + } + ExpectNotNull(ctx = EVP_PKEY_CTX_new(pkey, NULL)); + ExpectIntEQ(EVP_PKEY_sign_init(ctx), WOLFSSL_SUCCESS); +#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) && \ + !defined(HAVE_SELFTEST) +#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) + if (keyType == EVP_PKEY_RSA) + ExpectIntEQ(EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING), + WOLFSSL_SUCCESS); +#endif +#endif + + /* Check returning only length */ + ExpectIntEQ(EVP_PKEY_sign(ctx, NULL, &siglenOnlyLen, hash, + SHA256_DIGEST_LENGTH), WOLFSSL_SUCCESS); + ExpectIntGT(siglenOnlyLen, 0); + /* Sign data */ + ExpectIntEQ(EVP_PKEY_sign(ctx, sig, &siglen, hash, + SHA256_DIGEST_LENGTH), WOLFSSL_SUCCESS); + ExpectIntGE(siglenOnlyLen, siglen); + + /* Verify signature */ + ExpectNotNull(ctx_verify = EVP_PKEY_CTX_new(pkey, NULL)); + ExpectIntEQ(EVP_PKEY_verify_init(ctx_verify), WOLFSSL_SUCCESS); +#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) && \ + !defined(HAVE_SELFTEST) +#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) + if (keyType == EVP_PKEY_RSA) + ExpectIntEQ( + EVP_PKEY_CTX_set_rsa_padding(ctx_verify, RSA_PKCS1_PADDING), + WOLFSSL_SUCCESS); +#endif +#endif + ExpectIntEQ(EVP_PKEY_verify( + ctx_verify, sig, siglen, hash, SHA256_DIGEST_LENGTH), + WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_verify( + ctx_verify, sig, siglen, zero, SHA256_DIGEST_LENGTH), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + +#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) && \ + !defined(HAVE_SELFTEST) +#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) + if (keyType == EVP_PKEY_RSA) { + #if defined(WC_RSA_NO_PADDING) || defined(WC_RSA_DIRECT) + /* Try RSA sign/verify with no padding. */ + ExpectIntEQ(EVP_PKEY_sign_init(ctx), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_NO_PADDING), + WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_sign(ctx, sigVerify, &siglen, sig, + siglen), WOLFSSL_SUCCESS); + ExpectIntGE(siglenOnlyLen, siglen); + ExpectIntEQ(EVP_PKEY_verify_init(ctx_verify), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_CTX_set_rsa_padding(ctx_verify, + RSA_NO_PADDING), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_verify(ctx_verify, sigVerify, siglen, sig, + siglen), WOLFSSL_SUCCESS); + #endif + + /* Wrong padding schemes. */ + ExpectIntEQ(EVP_PKEY_sign_init(ctx), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_CTX_set_rsa_padding(ctx, + RSA_PKCS1_OAEP_PADDING), WOLFSSL_SUCCESS); + ExpectIntNE(EVP_PKEY_sign(ctx, sigVerify, &siglen, sig, + siglen), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_verify_init(ctx_verify), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_CTX_set_rsa_padding(ctx_verify, + RSA_PKCS1_OAEP_PADDING), WOLFSSL_SUCCESS); + ExpectIntNE(EVP_PKEY_verify(ctx_verify, sigVerify, siglen, sig, + siglen), WOLFSSL_SUCCESS); + + ExpectIntEQ(EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING), + WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_CTX_set_rsa_padding(ctx_verify, + RSA_PKCS1_PADDING), WOLFSSL_SUCCESS); + } +#endif +#endif + + /* error cases */ + siglen = keySz; /* Reset because sig size may vary slightly */ + ExpectIntNE(EVP_PKEY_sign_init(NULL), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_sign_init(ctx), WOLFSSL_SUCCESS); + ExpectIntNE(EVP_PKEY_sign(NULL, sig, &siglen, (byte*)in, inlen), + WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_sign(ctx, sig, &siglen, (byte*)in, inlen), + WOLFSSL_SUCCESS); + + EVP_PKEY_free(pkey); + pkey = NULL; +#if !defined (NO_DSA) && !defined(HAVE_SELFTEST) && defined(WOLFSSL_KEY_GEN) + DSA_free(dsa); + dsa = NULL; +#endif /* !NO_DSA && !HAVE_SELFTEST && WOLFSSL_KEY_GEN */ + EVP_PKEY_CTX_free(ctx_verify); + ctx_verify = NULL; + EVP_PKEY_CTX_free(ctx); + ctx = NULL; + + XFREE(sig, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(sigVerify, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); +#endif /* OPENSSL_EXTRA */ + return EXPECT_RESULT(); +} +#endif + +int test_wolfSSL_EVP_PKEY_sign_verify_rsa(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) && \ + !defined(HAVE_SELFTEST) +#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) + ExpectIntEQ(test_wolfSSL_EVP_PKEY_sign_verify(EVP_PKEY_RSA), TEST_SUCCESS); +#endif +#endif + return EXPECT_RESULT(); +} +int test_wolfSSL_EVP_PKEY_sign_verify_dsa(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) +#if !defined (NO_DSA) && !defined(HAVE_SELFTEST) && defined(WOLFSSL_KEY_GEN) + ExpectIntEQ(test_wolfSSL_EVP_PKEY_sign_verify(EVP_PKEY_DSA), TEST_SUCCESS); +#endif +#endif + return EXPECT_RESULT(); +} +int test_wolfSSL_EVP_PKEY_sign_verify_ec(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && defined(HAVE_ECC) +#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) + ExpectIntEQ(test_wolfSSL_EVP_PKEY_sign_verify(EVP_PKEY_EC), TEST_SUCCESS); +#endif +#endif + return EXPECT_RESULT(); +} + + +int test_wolfSSL_EVP_MD_rsa_signing(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && defined(USE_CERT_BUFFERS_2048) + WOLFSSL_EVP_PKEY* privKey = NULL; + WOLFSSL_EVP_PKEY* pubKey = NULL; + WOLFSSL_EVP_PKEY_CTX* keyCtx = NULL; + const char testData[] = "Hi There"; + WOLFSSL_EVP_MD_CTX mdCtx; + WOLFSSL_EVP_MD_CTX mdCtxCopy; + int ret; + size_t checkSz = -1; + int sz = 2048 / 8; + const unsigned char* cp; + const unsigned char* p; + unsigned char check[2048/8]; + size_t i; + int paddings[] = { + RSA_PKCS1_PADDING, +#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && defined(WC_RSA_PSS) + RSA_PKCS1_PSS_PADDING, +#endif + }; + + + cp = client_key_der_2048; + ExpectNotNull((privKey = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL, &cp, + sizeof_client_key_der_2048))); + p = client_keypub_der_2048; + ExpectNotNull((pubKey = wolfSSL_d2i_PUBKEY(NULL, &p, + sizeof_client_keypub_der_2048))); + + wolfSSL_EVP_MD_CTX_init(&mdCtx); + wolfSSL_EVP_MD_CTX_init(&mdCtxCopy); + ExpectIntEQ(wolfSSL_EVP_DigestSignInit(&mdCtx, NULL, wolfSSL_EVP_sha256(), + NULL, privKey), 1); + ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData, + (unsigned int)XSTRLEN(testData)), 1); + checkSz = sizeof(check); + ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, NULL, &checkSz), 1); + ExpectIntEQ((int)checkSz, sz); + checkSz = sizeof(check); + ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); + ExpectIntEQ((int)checkSz,sz); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_copy_ex(&mdCtxCopy, &mdCtx), 1); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_copy_ex(&mdCtxCopy, &mdCtx), 1); + ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtxCopy); + ExpectIntEQ(ret, 1); + ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); + ExpectIntEQ(ret, 1); + + wolfSSL_EVP_MD_CTX_init(&mdCtx); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyInit(&mdCtx, NULL, wolfSSL_EVP_sha256(), + NULL, pubKey), 1); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData, + (unsigned int)XSTRLEN(testData)), + 1); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyFinal(&mdCtx, check, checkSz), 1); + ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); + ExpectIntEQ(ret, 1); + + wolfSSL_EVP_MD_CTX_init(&mdCtx); + ExpectIntEQ(wolfSSL_EVP_DigestSignInit(&mdCtx, NULL, wolfSSL_EVP_sha256(), + NULL, privKey), 1); + ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData, 4), 1); + checkSz = sizeof(check); + ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, NULL, &checkSz), 1); + ExpectIntEQ((int)checkSz, sz); + checkSz = sizeof(check); + ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); + ExpectIntEQ((int)checkSz, sz); + ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData + 4, + (unsigned int)XSTRLEN(testData) - 4), 1); + checkSz = sizeof(check); + ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); + ExpectIntEQ((int)checkSz, sz); + ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); + ExpectIntEQ(ret, 1); + + wolfSSL_EVP_MD_CTX_init(&mdCtx); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyInit(&mdCtx, NULL, wolfSSL_EVP_sha256(), + NULL, pubKey), 1); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData, 4), 1); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData + 4, + (unsigned int)XSTRLEN(testData) - 4), + 1); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyFinal(&mdCtx, check, checkSz), 1); + ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); + ExpectIntEQ(ret, 1); + + /* Check all signing padding types */ + for (i = 0; i < sizeof(paddings)/sizeof(int); i++) { + wolfSSL_EVP_MD_CTX_init(&mdCtx); + ExpectIntEQ(wolfSSL_EVP_DigestSignInit(&mdCtx, &keyCtx, + wolfSSL_EVP_sha256(), NULL, privKey), 1); + ExpectIntEQ(wolfSSL_EVP_PKEY_CTX_set_rsa_padding(keyCtx, + paddings[i]), 1); + ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData, + (unsigned int)XSTRLEN(testData)), 1); + checkSz = sizeof(check); + ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, NULL, &checkSz), 1); + ExpectIntEQ((int)checkSz, sz); + checkSz = sizeof(check); + ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); + ExpectIntEQ((int)checkSz,sz); + ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); + ExpectIntEQ(ret, 1); + + wolfSSL_EVP_MD_CTX_init(&mdCtx); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyInit(&mdCtx, &keyCtx, + wolfSSL_EVP_sha256(), NULL, pubKey), 1); + ExpectIntEQ(wolfSSL_EVP_PKEY_CTX_set_rsa_padding(keyCtx, + paddings[i]), 1); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData, + (unsigned int)XSTRLEN(testData)), 1); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyFinal(&mdCtx, check, checkSz), 1); + ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); + ExpectIntEQ(ret, 1); + } + + wolfSSL_EVP_PKEY_free(pubKey); + wolfSSL_EVP_PKEY_free(privKey); +#endif + return EXPECT_RESULT(); +} + +/* Test RSA-PSS digital signature creation and verification */ +int test_wc_RsaPSS_DigitalSignVerify(void) +{ + EXPECT_DECLS; + + /* Early FIPS did not support PSS. */ +#if (!defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && \ + (HAVE_FIPS_VERSION > 2))) && \ + (!defined(HAVE_SELFTEST) || (defined(HAVE_SELFTEST_VERSION) && \ + (HAVE_SELFTEST_VERSION > 2))) && \ + !defined(NO_RSA) && defined(WC_RSA_PSS) && defined(OPENSSL_EXTRA) && \ + defined(WOLFSSL_KEY_GEN) && defined(WC_RSA_NO_PADDING) && \ + !defined(NO_SHA256) + + /* Test digest */ + const unsigned char test_digest[32] = { + 0x08, 0x09, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, + 0x06, 0x07, 0x08, 0x09, 0x00, 0x01, 0x02, 0x03, + 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x00, 0x01, + 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09 + }; + const unsigned int digest_len = sizeof(test_digest); + + /* Variables for RSA key generation and signature operations */ + EVP_PKEY_CTX *pkctx = NULL; + EVP_PKEY *pkey = NULL; + EVP_PKEY_CTX *sign_ctx = NULL; + EVP_PKEY_CTX *verify_ctx = NULL; + unsigned char signature[256+MAX_DER_DIGEST_ASN_SZ] = {0}; + size_t signature_len = sizeof(signature); + int modulus_bits = 2048; + + /* Generate RSA key pair to avoid file dependencies */ + ExpectNotNull(pkctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL)); + ExpectIntEQ(EVP_PKEY_keygen_init(pkctx), 1); + ExpectIntEQ(EVP_PKEY_CTX_set_rsa_keygen_bits(pkctx, modulus_bits), 1); + ExpectIntEQ(EVP_PKEY_keygen(pkctx, &pkey), 1); + + /* Create signing context */ + ExpectNotNull(sign_ctx = EVP_PKEY_CTX_new(pkey, NULL)); + ExpectIntEQ(EVP_PKEY_sign_init(sign_ctx), 1); + + /* Configure RSA-PSS parameters for signing. */ + ExpectIntEQ(EVP_PKEY_CTX_set_rsa_padding(sign_ctx, RSA_PKCS1_PSS_PADDING), + 1); + /* Default salt length matched hash so use 32 for SHA256 */ + ExpectIntEQ(EVP_PKEY_CTX_set_rsa_pss_saltlen(sign_ctx, 32), 1); + ExpectIntEQ(EVP_PKEY_CTX_set_rsa_mgf1_md(sign_ctx, EVP_sha256()), 1); + ExpectIntEQ(EVP_PKEY_CTX_set_signature_md(sign_ctx, EVP_sha256()), 1); + + /* Create the digital signature */ + ExpectIntEQ(EVP_PKEY_sign(sign_ctx, signature, &signature_len, test_digest, + digest_len), 1); + ExpectIntGT((int)signature_len, 0); + + /* Create verification context */ + ExpectNotNull(verify_ctx = EVP_PKEY_CTX_new(pkey, NULL)); + ExpectIntEQ(EVP_PKEY_verify_init(verify_ctx), 1); + + /* Configure RSA-PSS parameters for verification */ + ExpectIntEQ(EVP_PKEY_CTX_set_rsa_padding(verify_ctx, RSA_PKCS1_PSS_PADDING), + 1); + ExpectIntEQ(EVP_PKEY_CTX_set_rsa_pss_saltlen(verify_ctx, 32), 1); + ExpectIntEQ(EVP_PKEY_CTX_set_rsa_mgf1_md(verify_ctx, EVP_sha256()), 1); + ExpectIntEQ(EVP_PKEY_CTX_set_signature_md(verify_ctx, EVP_sha256()), 1); + + /* Verify the digital signature */ + ExpectIntEQ(EVP_PKEY_verify(verify_ctx, signature, signature_len, + test_digest, digest_len), 1); + + /* Test with wrong digest to ensure verification fails (negative test) */ + { + const unsigned char wrong_digest[32] = { + 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, + 0x09, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, + 0x07, 0x08, 0x09, 0x00, 0x01, 0x02, 0x03, 0x04, + 0x05, 0x06, 0x07, 0x08, 0x09, 0x00, 0x01, 0x02 + }; + ExpectIntNE(EVP_PKEY_verify(verify_ctx, signature, signature_len, + wrong_digest, digest_len), 1); + } + + /* Clean up */ + if (verify_ctx) + EVP_PKEY_CTX_free(verify_ctx); + if (sign_ctx) + EVP_PKEY_CTX_free(sign_ctx); + if (pkey) + EVP_PKEY_free(pkey); + if (pkctx) + EVP_PKEY_CTX_free(pkctx); + +#endif + + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_MD_ecc_signing(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && defined(HAVE_ECC) && defined(USE_CERT_BUFFERS_256) + WOLFSSL_EVP_PKEY* privKey = NULL; + WOLFSSL_EVP_PKEY* pubKey = NULL; + const char testData[] = "Hi There"; + WOLFSSL_EVP_MD_CTX mdCtx; + int ret; + const unsigned char* cp; + const unsigned char* p; + unsigned char check[2048/8]; + size_t checkSz = sizeof(check); + + XMEMSET(check, 0, sizeof(check)); + + cp = ecc_clikey_der_256; + ExpectNotNull(privKey = wolfSSL_d2i_PrivateKey(EVP_PKEY_EC, NULL, &cp, + sizeof_ecc_clikey_der_256)); + p = ecc_clikeypub_der_256; + ExpectNotNull((pubKey = wolfSSL_d2i_PUBKEY(NULL, &p, + sizeof_ecc_clikeypub_der_256))); + + wolfSSL_EVP_MD_CTX_init(&mdCtx); + ExpectIntEQ(wolfSSL_EVP_DigestSignInit(&mdCtx, NULL, wolfSSL_EVP_sha256(), + NULL, privKey), 1); + ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData, + (unsigned int)XSTRLEN(testData)), 1); + checkSz = sizeof(check); + ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, NULL, &checkSz), 1); + checkSz = sizeof(check); + ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); + ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); + ExpectIntEQ(ret, 1); + + wolfSSL_EVP_MD_CTX_init(&mdCtx); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyInit(&mdCtx, NULL, wolfSSL_EVP_sha256(), + NULL, pubKey), 1); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData, + (unsigned int)XSTRLEN(testData)), + 1); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyFinal(&mdCtx, check, checkSz), 1); + ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); + ExpectIntEQ(ret, 1); + + wolfSSL_EVP_MD_CTX_init(&mdCtx); + ExpectIntEQ(wolfSSL_EVP_DigestSignInit(&mdCtx, NULL, wolfSSL_EVP_sha256(), + NULL, privKey), 1); + ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData, 4), 1); + checkSz = sizeof(check); + ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, NULL, &checkSz), 1); + checkSz = sizeof(check); + ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); + ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData + 4, + (unsigned int)XSTRLEN(testData) - 4), 1); + checkSz = sizeof(check); + ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); + ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); + ExpectIntEQ(ret, 1); + + wolfSSL_EVP_MD_CTX_init(&mdCtx); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyInit(&mdCtx, NULL, wolfSSL_EVP_sha256(), + NULL, pubKey), 1); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData, 4), 1); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData + 4, + (unsigned int)XSTRLEN(testData) - 4), + 1); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyFinal(&mdCtx, check, checkSz), 1); + ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); + ExpectIntEQ(ret, 1); + + wolfSSL_EVP_PKEY_free(pubKey); + wolfSSL_EVP_PKEY_free(privKey); +#endif + return EXPECT_RESULT(); +} + + +int test_wolfSSL_EVP_PKEY_encrypt(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) + WOLFSSL_RSA* rsa = NULL; + WOLFSSL_EVP_PKEY* pkey = NULL; + WOLFSSL_EVP_PKEY_CTX* ctx = NULL; + const char* in = "What is easy to do is easy not to do."; + size_t inlen = XSTRLEN(in); + size_t outEncLen = 0; + byte* outEnc = NULL; + byte* outDec = NULL; + size_t outDecLen = 0; + size_t rsaKeySz = 2048/8; /* Bytes */ +#if !defined(HAVE_FIPS) && defined(WC_RSA_NO_PADDING) + byte* inTmp = NULL; + byte* outEncTmp = NULL; + byte* outDecTmp = NULL; +#endif + + ExpectNotNull(outEnc = (byte*)XMALLOC(rsaKeySz, HEAP_HINT, + DYNAMIC_TYPE_TMP_BUFFER)); + if (outEnc != NULL) { + XMEMSET(outEnc, 0, rsaKeySz); + } + ExpectNotNull(outDec = (byte*)XMALLOC(rsaKeySz, HEAP_HINT, + DYNAMIC_TYPE_TMP_BUFFER)); + if (outDec != NULL) { + XMEMSET(outDec, 0, rsaKeySz); + } + + ExpectNotNull(rsa = RSA_generate_key(2048, 3, NULL, NULL)); + ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); + ExpectIntEQ(EVP_PKEY_assign_RSA(pkey, rsa), WOLFSSL_SUCCESS); + if (EXPECT_FAIL()) { + RSA_free(rsa); + } + ExpectNotNull(ctx = EVP_PKEY_CTX_new(pkey, NULL)); + ExpectIntEQ(EVP_PKEY_encrypt_init(ctx), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING), + WOLFSSL_SUCCESS); + + /* Test pkey references count is decremented. pkey shouldn't be destroyed + since ctx uses it.*/ + ExpectIntEQ(pkey->ref.count, 2); + EVP_PKEY_free(pkey); + ExpectIntEQ(pkey->ref.count, 1); + + /* Encrypt data */ + /* Check that we can get the required output buffer length by passing in a + * NULL output buffer. */ + ExpectIntEQ(EVP_PKEY_encrypt(ctx, NULL, &outEncLen, + (const unsigned char*)in, inlen), WOLFSSL_SUCCESS); + ExpectIntEQ(rsaKeySz, outEncLen); + /* Now do the actual encryption. */ + ExpectIntEQ(EVP_PKEY_encrypt(ctx, outEnc, &outEncLen, + (const unsigned char*)in, inlen), WOLFSSL_SUCCESS); + + /* Decrypt data */ + ExpectIntEQ(EVP_PKEY_decrypt_init(ctx), WOLFSSL_SUCCESS); + /* Check that we can get the required output buffer length by passing in a + * NULL output buffer. */ + ExpectIntEQ(EVP_PKEY_decrypt(ctx, NULL, &outDecLen, outEnc, outEncLen), + WOLFSSL_SUCCESS); + ExpectIntEQ(rsaKeySz, outDecLen); + /* Now do the actual decryption. */ + ExpectIntEQ(EVP_PKEY_decrypt(ctx, outDec, &outDecLen, outEnc, outEncLen), + WOLFSSL_SUCCESS); + + ExpectIntEQ(XMEMCMP(in, outDec, outDecLen), 0); + +#if !defined(HAVE_FIPS) && defined(WC_RSA_NO_PADDING) + /* The input length must be the same size as the RSA key.*/ + ExpectNotNull(inTmp = (byte*)XMALLOC(rsaKeySz, HEAP_HINT, + DYNAMIC_TYPE_TMP_BUFFER)); + if (inTmp != NULL) { + XMEMSET(inTmp, 9, rsaKeySz); + } + ExpectNotNull(outEncTmp = (byte*)XMALLOC(rsaKeySz, HEAP_HINT, + DYNAMIC_TYPE_TMP_BUFFER)); + if (outEncTmp != NULL) { + XMEMSET(outEncTmp, 0, rsaKeySz); + } + ExpectNotNull(outDecTmp = (byte*)XMALLOC(rsaKeySz, HEAP_HINT, + DYNAMIC_TYPE_TMP_BUFFER)); + if (outDecTmp != NULL) { + XMEMSET(outDecTmp, 0, rsaKeySz); + } + ExpectIntEQ(EVP_PKEY_encrypt_init(ctx), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_NO_PADDING), + WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_encrypt(ctx, outEncTmp, &outEncLen, inTmp, rsaKeySz), + WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_decrypt_init(ctx), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_decrypt(ctx, outDecTmp, &outDecLen, outEncTmp, + outEncLen), WOLFSSL_SUCCESS); + ExpectIntEQ(XMEMCMP(inTmp, outDecTmp, outDecLen), 0); +#endif + EVP_PKEY_CTX_free(ctx); + XFREE(outEnc, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(outDec, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); +#if !defined(HAVE_FIPS) && defined(WC_RSA_NO_PADDING) + XFREE(inTmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(outEncTmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(outDecTmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); +#endif +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_PKEY_derive(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) || defined(WOLFSSL_OPENSSH) +#if (!defined(NO_DH) && defined(WOLFSSL_DH_EXTRA)) || defined(HAVE_ECC) + EVP_PKEY_CTX *ctx = NULL; + unsigned char *skey = NULL; + size_t skeylen; + EVP_PKEY *pkey = NULL; + EVP_PKEY *peerkey = NULL; + const unsigned char* key; + +#if !defined(NO_DH) && defined(WOLFSSL_DH_EXTRA) + /* DH */ + key = dh_key_der_2048; + ExpectNotNull((pkey = d2i_PrivateKey(EVP_PKEY_DH, NULL, &key, + sizeof_dh_key_der_2048))); + ExpectIntEQ(DH_generate_key(EVP_PKEY_get0_DH(pkey)), 1); + key = dh_key_der_2048; + ExpectNotNull((peerkey = d2i_PrivateKey(EVP_PKEY_DH, NULL, &key, + sizeof_dh_key_der_2048))); + ExpectIntEQ(DH_generate_key(EVP_PKEY_get0_DH(peerkey)), 1); + ExpectNotNull(ctx = EVP_PKEY_CTX_new(pkey, NULL)); + ExpectIntEQ(EVP_PKEY_derive_init(ctx), 1); + ExpectIntEQ(EVP_PKEY_derive_set_peer(ctx, peerkey), 1); + ExpectIntEQ(EVP_PKEY_derive(ctx, NULL, &skeylen), 1); + ExpectNotNull(skey = (unsigned char*)XMALLOC(skeylen, NULL, + DYNAMIC_TYPE_OPENSSL)); + ExpectIntEQ(EVP_PKEY_derive(ctx, skey, &skeylen), 1); + + EVP_PKEY_CTX_free(ctx); + ctx = NULL; + EVP_PKEY_free(peerkey); + peerkey = NULL; + EVP_PKEY_free(pkey); + pkey = NULL; + XFREE(skey, NULL, DYNAMIC_TYPE_OPENSSL); + skey = NULL; +#endif + +#ifdef HAVE_ECC + /* ECDH */ + key = ecc_clikey_der_256; + ExpectNotNull((pkey = d2i_PrivateKey(EVP_PKEY_EC, NULL, &key, + sizeof_ecc_clikey_der_256))); + key = ecc_clikeypub_der_256; + ExpectNotNull((peerkey = d2i_PUBKEY(NULL, &key, + sizeof_ecc_clikeypub_der_256))); + ExpectNotNull(ctx = EVP_PKEY_CTX_new(pkey, NULL)); + ExpectIntEQ(EVP_PKEY_derive_init(ctx), 1); + ExpectIntEQ(EVP_PKEY_derive_set_peer(ctx, peerkey), 1); + ExpectIntEQ(EVP_PKEY_derive(ctx, NULL, &skeylen), 1); + ExpectNotNull(skey = (unsigned char*)XMALLOC(skeylen, NULL, + DYNAMIC_TYPE_OPENSSL)); + ExpectIntEQ(EVP_PKEY_derive(ctx, skey, &skeylen), 1); + + EVP_PKEY_CTX_free(ctx); + EVP_PKEY_free(peerkey); + EVP_PKEY_free(pkey); + XFREE(skey, NULL, DYNAMIC_TYPE_OPENSSL); +#endif /* HAVE_ECC */ +#endif /* (!NO_DH && WOLFSSL_DH_EXTRA) || HAVE_ECC */ +#endif /* OPENSSL_ALL || WOLFSSL_QT || WOLFSSL_OPENSSH */ + return EXPECT_RESULT(); +} + +int test_wolfSSL_EVP_PKEY_print_public(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_BIO) + WOLFSSL_BIO* rbio = NULL; + WOLFSSL_BIO* wbio = NULL; + WOLFSSL_EVP_PKEY* pkey = NULL; + char line[256] = { 0 }; + char line1[256] = { 0 }; + int i = 0; + + /* test error cases */ + ExpectIntEQ( EVP_PKEY_print_public(NULL,NULL,0,NULL),0L); + + /* + * test RSA public key print + * in this test, pass '3' for indent + */ +#if !defined(NO_RSA) && defined(USE_CERT_BUFFERS_1024) + + ExpectNotNull(rbio = BIO_new_mem_buf( client_keypub_der_1024, + sizeof_client_keypub_der_1024)); + + ExpectNotNull(wolfSSL_d2i_PUBKEY_bio(rbio, &pkey)); + + ExpectNotNull(wbio = BIO_new(BIO_s_mem())); + + ExpectIntEQ(EVP_PKEY_print_public(wbio, pkey,3,NULL),1); + + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + strcpy(line1, " RSA Public-Key: (1024 bit)\n"); + ExpectIntEQ(XSTRNCMP(line, line1, XSTRLEN(line1)), 0); + + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + strcpy(line1, " Modulus:\n"); + ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); + + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + strcpy(line1, " 00:bc:73:0e:a8:49:f3:74:a2:a9:ef:18:a5:da:55:\n"); + ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); + + /* skip to the end of modulus element*/ + for (i = 0; i < 8 ;i++) { + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + } + + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + strcpy(line1, " Exponent: 65537 (0x010001)\n"); + ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); + + + /* should reach EOF */ + ExpectIntLE(BIO_gets(wbio, line, sizeof(line)), 0); + + EVP_PKEY_free(pkey); + pkey = NULL; + BIO_free(rbio); + BIO_free(wbio); + rbio = NULL; + wbio = NULL; + +#endif /* !NO_RSA && USE_CERT_BUFFERS_1024*/ + + /* + * test DSA public key print + */ +#if !defined(NO_DSA) && defined(USE_CERT_BUFFERS_2048) + ExpectNotNull(rbio = BIO_new_mem_buf( dsa_pub_key_der_2048, + sizeof_dsa_pub_key_der_2048)); + + ExpectNotNull(wolfSSL_d2i_PUBKEY_bio(rbio, &pkey)); + + ExpectNotNull(wbio = BIO_new(BIO_s_mem())); + + ExpectIntEQ(EVP_PKEY_print_public(wbio, pkey,0,NULL),1); + + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + strcpy(line1, "DSA Public-Key: (2048 bit)\n"); + ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); + + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + strcpy(line1, "pub:\n"); + ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); + + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + strcpy(line1, + " 00:C2:35:2D:EC:83:83:6C:73:13:9E:52:7C:74:C8:\n"); + ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); + + /* skip to the end of pub element*/ + for (i = 0; i < 17 ;i++) { + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + } + + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + strcpy(line1, "P:\n"); + ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); + + /* skip to the end of P element*/ + for (i = 0; i < 18 ;i++) { + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + } + + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + strcpy(line1, "Q:\n"); + ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); + + /* skip to the end of Q element*/ + for (i = 0; i < 3 ;i++) { + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + } + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + strcpy(line1, "G:\n"); + ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); + + /* skip to the end of G element*/ + for (i = 0; i < 18 ;i++) { + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + } + /* should reach EOF */ + ExpectIntLE(BIO_gets(wbio, line, sizeof(line)), 0); + + EVP_PKEY_free(pkey); + pkey = NULL; + BIO_free(rbio); + BIO_free(wbio); + rbio = NULL; + wbio = NULL; + +#endif /* !NO_DSA && USE_CERT_BUFFERS_2048 */ + + /* + * test ECC public key print + */ +#if defined(HAVE_ECC) && defined(USE_CERT_BUFFERS_256) + + ExpectNotNull(rbio = BIO_new_mem_buf( ecc_clikeypub_der_256, + sizeof_ecc_clikeypub_der_256)); + + ExpectNotNull(wolfSSL_d2i_PUBKEY_bio(rbio, &pkey)); + + ExpectNotNull(wbio = BIO_new(BIO_s_mem())); + + ExpectIntEQ(EVP_PKEY_print_public(wbio, pkey,0,NULL),1); + + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + ExpectStrEQ(line, "Public-Key: (256 bit)\n"); + + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + strcpy(line1, "pub:\n"); + ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); + + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + strcpy(line1, + " 04:55:BF:F4:0F:44:50:9A:3D:CE:9B:B7:F0:C5:4D:\n"); + ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); + + /* skip to the end of pub element*/ + for (i = 0; i < 4 ;i++) { + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + } + + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + strcpy(line1, "ASN1 OID: prime256v1\n"); + ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); + + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + strcpy(line1, "NIST CURVE: P-256\n"); + ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); + + + /* should reach EOF */ + ExpectIntLE(BIO_gets(wbio, line, sizeof(line)), 0); + + EVP_PKEY_free(pkey); + pkey = NULL; + BIO_free(rbio); + BIO_free(wbio); + rbio = NULL; + wbio = NULL; + +#endif /* HAVE_ECC && USE_CERT_BUFFERS_256 */ + + /* + * test DH public key print + */ +#if defined(WOLFSSL_DH_EXTRA) && defined(USE_CERT_BUFFERS_2048) + + ExpectNotNull(rbio = BIO_new_mem_buf( dh_pub_key_der_2048, + sizeof_dh_pub_key_der_2048)); + + ExpectNotNull(wolfSSL_d2i_PUBKEY_bio(rbio, &pkey)); + + ExpectNotNull(wbio = BIO_new(BIO_s_mem())); + + ExpectIntEQ(EVP_PKEY_print_public(wbio, pkey,0,NULL), 1); + + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + strcpy(line1, "DH Public-Key: (2048 bit)\n"); + ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); + + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + strcpy(line1, "public-key:\n"); + ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); + + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + strcpy(line1, + " 34:41:BF:E9:F2:11:BF:05:DB:B2:72:A8:29:CC:BD:\n"); + ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); + + /* skip to the end of public-key element*/ + for (i = 0; i < 17 ;i++) { + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + } + + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + strcpy(line1, "prime:\n"); + ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); + + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + strcpy(line1, + " 00:D3:B2:99:84:5C:0A:4C:E7:37:CC:FC:18:37:01:\n"); + ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); + + /* skip to the end of prime element*/ + for (i = 0; i < 17 ;i++) { + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + } + + ExpectIntGT(BIO_gets(wbio, line, sizeof(line)), 0); + strcpy(line1, "generator: 2 (0x02)\n"); + ExpectIntEQ(XSTRNCMP( line, line1, XSTRLEN(line1)), 0); + + /* should reach EOF */ + ExpectIntLE(BIO_gets(wbio, line, sizeof(line)), 0); + + EVP_PKEY_free(pkey); + pkey = NULL; + BIO_free(rbio); + BIO_free(wbio); + rbio = NULL; + wbio = NULL; + +#endif /* WOLFSSL_DH_EXTRA && USE_CERT_BUFFERS_2048 */ + + /* to prevent "unused variable" warning */ + (void)pkey; + (void)wbio; + (void)rbio; + (void)line; + (void)line1; + (void)i; +#endif /* OPENSSL_EXTRA */ + return EXPECT_RESULT(); +} + diff --git a/tests/api/test_evp_pkey.h b/tests/api/test_evp_pkey.h new file mode 100644 index 00000000000..222a19ea505 --- /dev/null +++ b/tests/api/test_evp_pkey.h @@ -0,0 +1,102 @@ +/* test_evp_pkey.h + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +#ifndef WOLFCRYPT_TEST_EVP_PKEY_H +#define WOLFCRYPT_TEST_EVP_PKEY_H + +#include + +int test_wolfSSL_EVP_PKEY_CTX_new_id(void); +int test_wolfSSL_EVP_PKEY_CTX_set_rsa_keygen_bits(void); +int test_wolfSSL_QT_EVP_PKEY_CTX_free(void); +int test_wolfSSL_EVP_PKEY_up_ref(void); +int test_wolfSSL_EVP_PKEY_base_id(void); +int test_wolfSSL_EVP_PKEY_id(void); +int test_wolfSSL_EVP_MD_pkey_type(void); +int test_wolfSSL_EVP_MD_hmac_signing(void); +int test_wolfSSL_EVP_PKEY_new_mac_key(void); +int test_wolfSSL_EVP_PKEY_hkdf(void); +int test_wolfSSL_EVP_PBE_scrypt(void); +int test_EVP_PKEY_cmp(void); +int test_wolfSSL_EVP_PKEY_set1_get1_DSA(void); +int test_wolfSSL_EVP_PKEY_set1_get1_EC_KEY (void); +int test_wolfSSL_EVP_PKEY_get0_EC_KEY(void); +int test_wolfSSL_EVP_PKEY_set1_get1_DH (void); +int test_wolfSSL_EVP_PKEY_assign(void); +int test_wolfSSL_EVP_PKEY_assign_DH(void); +int test_EVP_PKEY_rsa(void); +int test_EVP_PKEY_ec(void); +int test_wolfSSL_EVP_PKEY_missing_parameters(void); +int test_wolfSSL_EVP_PKEY_copy_parameters(void); +int test_wolfSSL_EVP_PKEY_paramgen(void); +int test_wolfSSL_EVP_PKEY_param_check(void); +int test_wolfSSL_EVP_PKEY_keygen_init(void); +int test_wolfSSL_EVP_PKEY_keygen(void); +int test_wolfSSL_EVP_SignInit_ex(void); +int test_wolfSSL_EVP_PKEY_sign_verify_rsa(void); +int test_wolfSSL_EVP_PKEY_sign_verify_dsa(void); +int test_wolfSSL_EVP_PKEY_sign_verify_ec(void); +int test_wolfSSL_EVP_MD_rsa_signing(void); +int test_wc_RsaPSS_DigitalSignVerify(void); +int test_wolfSSL_EVP_MD_ecc_signing(void); +int test_wolfSSL_EVP_PKEY_encrypt(void); +int test_wolfSSL_EVP_PKEY_derive(void); +int test_wolfSSL_EVP_PKEY_print_public(void); + +#define TEST_EVP_PKEY_DECLS \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_PKEY_CTX_new_id), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_PKEY_CTX_set_rsa_keygen_bits),\ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_QT_EVP_PKEY_CTX_free), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_PKEY_up_ref), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_PKEY_base_id), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_PKEY_id), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_MD_pkey_type), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_MD_hmac_signing), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_PKEY_new_mac_key), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_PKEY_hkdf), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_PBE_scrypt), \ + TEST_DECL_GROUP("evp_pkey", test_EVP_PKEY_cmp), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_PKEY_set1_get1_DSA), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_PKEY_set1_get1_EC_KEY), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_PKEY_get0_EC_KEY), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_PKEY_set1_get1_DH), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_PKEY_assign), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_PKEY_assign_DH), \ + TEST_DECL_GROUP("evp_pkey", test_EVP_PKEY_rsa), \ + TEST_DECL_GROUP("evp_pkey", test_EVP_PKEY_ec), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_PKEY_missing_parameters), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_PKEY_copy_parameters), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_PKEY_paramgen), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_PKEY_param_check), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_PKEY_keygen_init), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_PKEY_keygen), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_SignInit_ex), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_PKEY_sign_verify_rsa), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_PKEY_sign_verify_dsa), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_PKEY_sign_verify_ec), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_MD_rsa_signing), \ + TEST_DECL_GROUP("evp_pkey", test_wc_RsaPSS_DigitalSignVerify), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_MD_ecc_signing), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_PKEY_encrypt), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_PKEY_derive), \ + TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_PKEY_print_public) + +#endif /* WOLFCRYPT_TEST_EVP_PKEY_H */ diff --git a/tests/api/test_ossl_asn1.c b/tests/api/test_ossl_asn1.c index b046fd4c3fc..f91cd0c6a9c 100644 --- a/tests/api/test_ossl_asn1.c +++ b/tests/api/test_ossl_asn1.c @@ -1195,7 +1195,8 @@ int test_wolfSSL_ASN1_STRING_to_UTF8(void) ExpectNotNull(e = wolfSSL_X509_NAME_get_entry(subject, idx)); ExpectNotNull(a = wolfSSL_X509_NAME_ENTRY_get_data(e)); ExpectIntEQ((len = wolfSSL_ASN1_STRING_to_UTF8(&actual_output, a)), 15); - ExpectIntEQ(strncmp((const char*)actual_output, targetOutput, (size_t)len), 0); + ExpectIntEQ(strncmp((const char*)actual_output, targetOutput, (size_t)len), + 0); a = NULL; /* wolfSSL_ASN1_STRING_to_UTF8(NULL, valid) */ @@ -1269,9 +1270,12 @@ int test_wolfSSL_ASN1_STRING_canon(void) ExpectNotNull(canon = ASN1_STRING_new()); /* Invalid parameter testing. */ - ExpectIntEQ(wolfSSL_ASN1_STRING_canon(NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_ASN1_STRING_canon(canon, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_ASN1_STRING_canon(NULL, orig), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_ASN1_STRING_canon(NULL, NULL), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_ASN1_STRING_canon(canon, NULL), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_ASN1_STRING_canon(NULL, orig), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); ExpectIntEQ(wolfSSL_ASN1_STRING_canon(canon, orig), 1); ExpectIntEQ(ASN1_STRING_cmp(orig, canon), 0); @@ -1622,9 +1626,12 @@ int test_wolfSSL_ASN1_GENERALIZEDTIME_print(void) ExpectIntEQ(wolfSSL_ASN1_TIME_set_string(gtime, "20180504123500Z"), 1); /* Invalid parameters testing. */ - ExpectIntEQ(wolfSSL_ASN1_GENERALIZEDTIME_print(NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_ASN1_GENERALIZEDTIME_print(bio, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_ASN1_GENERALIZEDTIME_print(NULL, gtime), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_ASN1_GENERALIZEDTIME_print(NULL, NULL), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_ASN1_GENERALIZEDTIME_print(bio, NULL), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_ASN1_GENERALIZEDTIME_print(NULL, gtime), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); ExpectIntEQ(wolfSSL_ASN1_GENERALIZEDTIME_print(bio, gtime), 1); ExpectIntEQ(BIO_read(bio, buf, sizeof(buf)), 20); diff --git a/tests/api/test_ossl_bio.c b/tests/api/test_ossl_bio.c index cedf9f91844..2fdc792cc3e 100644 --- a/tests/api/test_ossl_bio.c +++ b/tests/api/test_ossl_bio.c @@ -58,7 +58,8 @@ int test_wolfSSL_BIO_gets(void) /* try with bad args */ ExpectNull(bio = BIO_new_mem_buf(NULL, sizeof(msg))); #ifdef OPENSSL_ALL - ExpectIntEQ(BIO_set_mem_buf(bio, NULL, BIO_NOCLOSE), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(BIO_set_mem_buf(bio, NULL, BIO_NOCLOSE), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); #endif /* try with real msg */ @@ -594,7 +595,8 @@ int test_wolfSSL_BIO_tls(void) int test_wolfSSL_BIO_datagram(void) { EXPECT_DECLS; -#if !defined(NO_BIO) && defined(WOLFSSL_DTLS) && defined(WOLFSSL_HAVE_BIO_ADDR) && defined(OPENSSL_EXTRA) +#if !defined(NO_BIO) && defined(WOLFSSL_DTLS) && \ + defined(WOLFSSL_HAVE_BIO_ADDR) && defined(OPENSSL_EXTRA) int ret; SOCKET_T fd1 = SOCKET_INVALID, fd2 = SOCKET_INVALID; WOLFSSL_BIO *bio1 = NULL, *bio2 = NULL; @@ -636,7 +638,8 @@ int test_wolfSSL_BIO_datagram(void) sin1.sin_port = 0; slen = (socklen_t)sizeof(sin1); ExpectIntEQ(bind(fd1, (const struct sockaddr *)&sin1, slen), 0); - ExpectIntEQ(setsockopt(fd1, SOL_SOCKET, SO_RCVTIMEO, (const char *)&timeout, sizeof(timeout)), 0); + ExpectIntEQ(setsockopt(fd1, SOL_SOCKET, SO_RCVTIMEO, + (const char *)&timeout, sizeof(timeout)), 0); ExpectIntEQ(getsockname(fd1, (struct sockaddr *)&sin1, &slen), 0); } @@ -646,7 +649,8 @@ int test_wolfSSL_BIO_datagram(void) sin2.sin_port = 0; slen = (socklen_t)sizeof(sin2); ExpectIntEQ(bind(fd2, (const struct sockaddr *)&sin2, slen), 0); - ExpectIntEQ(setsockopt(fd2, SOL_SOCKET, SO_RCVTIMEO, (const char *)&timeout, sizeof(timeout)), 0); + ExpectIntEQ(setsockopt(fd2, SOL_SOCKET, SO_RCVTIMEO, + (const char *)&timeout, sizeof(timeout)), 0); ExpectIntEQ(getsockname(fd2, (struct sockaddr *)&sin2, &slen), 0); } @@ -661,15 +665,19 @@ int test_wolfSSL_BIO_datagram(void) } if (EXPECT_SUCCESS()) { - /* for OpenSSL compatibility, direct copying of sockaddrs into BIO_ADDRs must work right. */ + /* for OpenSSL compatibility, direct copying of sockaddrs into BIO_ADDRs + * must work right. */ XMEMCPY(&bio_addr2->sa_in, &sin2, sizeof(sin2)); - ExpectIntEQ((int)wolfSSL_BIO_ctrl(bio1, BIO_CTRL_DGRAM_SET_PEER, 0, bio_addr2), WOLFSSL_SUCCESS); + ExpectIntEQ((int)wolfSSL_BIO_ctrl(bio1, BIO_CTRL_DGRAM_SET_PEER, 0, + bio_addr2), WOLFSSL_SUCCESS); wolfSSL_BIO_ADDR_clear(bio_addr2); } test_msg_recvd[0] = 0; - ExpectIntEQ(wolfSSL_BIO_write(bio1, test_msg, sizeof(test_msg)), (int)sizeof(test_msg)); - ExpectIntEQ(wolfSSL_BIO_read(bio2, test_msg_recvd, sizeof(test_msg_recvd)), (int)sizeof(test_msg)); + ExpectIntEQ(wolfSSL_BIO_write(bio1, test_msg, sizeof(test_msg)), + (int)sizeof(test_msg)); + ExpectIntEQ(wolfSSL_BIO_read(bio2, test_msg_recvd, sizeof(test_msg_recvd)), + (int)sizeof(test_msg)); ExpectIntEQ(XMEMCMP(test_msg_recvd, test_msg, sizeof(test_msg)), 0); #ifdef WOLFSSL_BIO_HAVE_FLOW_STATS @@ -682,58 +690,76 @@ int test_wolfSSL_BIO_datagram(void) */ test_msg_recvd[0] = 0; - ExpectIntEQ(wolfSSL_BIO_write(bio2, test_msg, sizeof(test_msg)), (int)sizeof(test_msg)); - ExpectIntEQ(wolfSSL_BIO_read(bio1, test_msg_recvd, sizeof(test_msg_recvd)), (int)sizeof(test_msg)); + ExpectIntEQ(wolfSSL_BIO_write(bio2, test_msg, sizeof(test_msg)), + (int)sizeof(test_msg)); + ExpectIntEQ(wolfSSL_BIO_read(bio1, test_msg_recvd, sizeof(test_msg_recvd)), + (int)sizeof(test_msg)); ExpectIntEQ(XMEMCMP(test_msg_recvd, test_msg, sizeof(test_msg)), 0); - ExpectIntEQ(wolfSSL_BIO_read(bio1, test_msg_recvd, sizeof(test_msg_recvd)), WOLFSSL_BIO_ERROR); + ExpectIntEQ(wolfSSL_BIO_read(bio1, test_msg_recvd, sizeof(test_msg_recvd)), + WOLFSSL_BIO_ERROR); ExpectIntNE(BIO_should_retry(bio1), 0); - ExpectIntEQ(wolfSSL_BIO_read(bio2, test_msg_recvd, sizeof(test_msg_recvd)), WOLFSSL_BIO_ERROR); + ExpectIntEQ(wolfSSL_BIO_read(bio2, test_msg_recvd, sizeof(test_msg_recvd)), + WOLFSSL_BIO_ERROR); ExpectIntNE(BIO_should_retry(bio2), 0); /* now "connect" the sockets. */ - ExpectIntEQ(connect(fd1, (const struct sockaddr *)&sin2, (socklen_t)sizeof(sin2)), 0); - ExpectIntEQ(connect(fd2, (const struct sockaddr *)&sin1, (socklen_t)sizeof(sin1)), 0); + ExpectIntEQ(connect(fd1, (const struct sockaddr *)&sin2, + (socklen_t)sizeof(sin2)), 0); + ExpectIntEQ(connect(fd2, (const struct sockaddr *)&sin1, + (socklen_t)sizeof(sin1)), 0); if (EXPECT_SUCCESS()) { XMEMCPY(&bio_addr2->sa_in, &sin2, sizeof(sin2)); - ExpectIntEQ((int)wolfSSL_BIO_ctrl(bio1, BIO_CTRL_DGRAM_SET_CONNECTED, 0, bio_addr2), WOLFSSL_SUCCESS); + ExpectIntEQ((int)wolfSSL_BIO_ctrl(bio1, BIO_CTRL_DGRAM_SET_CONNECTED, 0, + bio_addr2), WOLFSSL_SUCCESS); wolfSSL_BIO_ADDR_clear(bio_addr2); } if (EXPECT_SUCCESS()) { XMEMCPY(&bio_addr1->sa_in, &sin1, sizeof(sin1)); - ExpectIntEQ((int)wolfSSL_BIO_ctrl(bio2, BIO_CTRL_DGRAM_SET_CONNECTED, 0, bio_addr1), WOLFSSL_SUCCESS); + ExpectIntEQ((int)wolfSSL_BIO_ctrl(bio2, BIO_CTRL_DGRAM_SET_CONNECTED, 0, + bio_addr1), WOLFSSL_SUCCESS); wolfSSL_BIO_ADDR_clear(bio_addr1); } test_msg_recvd[0] = 0; - ExpectIntEQ(wolfSSL_BIO_write(bio2, test_msg, sizeof(test_msg)), (int)sizeof(test_msg)); - ExpectIntEQ(wolfSSL_BIO_read(bio1, test_msg_recvd, sizeof(test_msg_recvd)), (int)sizeof(test_msg)); + ExpectIntEQ(wolfSSL_BIO_write(bio2, test_msg, sizeof(test_msg)), + (int)sizeof(test_msg)); + ExpectIntEQ(wolfSSL_BIO_read(bio1, test_msg_recvd, sizeof(test_msg_recvd)), + (int)sizeof(test_msg)); ExpectIntEQ(XMEMCMP(test_msg_recvd, test_msg, sizeof(test_msg)), 0); test_msg_recvd[0] = 0; - ExpectIntEQ(wolfSSL_BIO_write(bio1, test_msg, sizeof(test_msg)), (int)sizeof(test_msg)); - ExpectIntEQ(wolfSSL_BIO_read(bio2, test_msg_recvd, sizeof(test_msg_recvd)), (int)sizeof(test_msg)); + ExpectIntEQ(wolfSSL_BIO_write(bio1, test_msg, sizeof(test_msg)), + (int)sizeof(test_msg)); + ExpectIntEQ(wolfSSL_BIO_read(bio2, test_msg_recvd, sizeof(test_msg_recvd)), + (int)sizeof(test_msg)); ExpectIntEQ(XMEMCMP(test_msg_recvd, test_msg, sizeof(test_msg)), 0); #ifdef __linux__ /* now "disconnect" the sockets and attempt transmits expected to fail. */ sin1.sin_family = AF_UNSPEC; - ExpectIntEQ(connect(fd1, (const struct sockaddr *)&sin1, (socklen_t)sizeof(sin1)), 0); - ExpectIntEQ(connect(fd2, (const struct sockaddr *)&sin1, (socklen_t)sizeof(sin1)), 0); + ExpectIntEQ(connect(fd1, (const struct sockaddr *)&sin1, + (socklen_t)sizeof(sin1)), 0); + ExpectIntEQ(connect(fd2, (const struct sockaddr *)&sin1, + (socklen_t)sizeof(sin1)), 0); sin1.sin_family = AF_INET; - ExpectIntEQ((int)wolfSSL_BIO_ctrl(bio1, BIO_CTRL_DGRAM_SET_CONNECTED, 0, NULL), WOLFSSL_SUCCESS); - ExpectIntEQ((int)wolfSSL_BIO_ctrl(bio2, BIO_CTRL_DGRAM_SET_CONNECTED, 0, NULL), WOLFSSL_SUCCESS); + ExpectIntEQ((int)wolfSSL_BIO_ctrl(bio1, BIO_CTRL_DGRAM_SET_CONNECTED, 0, + NULL), WOLFSSL_SUCCESS); + ExpectIntEQ((int)wolfSSL_BIO_ctrl(bio2, BIO_CTRL_DGRAM_SET_CONNECTED, 0, + NULL), WOLFSSL_SUCCESS); if (EXPECT_SUCCESS()) { - sin2.sin_addr.s_addr = htonl(0xc0a8c0a8); /* 192.168.192.168 -- invalid for loopback interface. */ + /* 192.168.192.168 -- invalid for loopback interface. */ + sin2.sin_addr.s_addr = htonl(0xc0a8c0a8); XMEMCPY(&bio_addr2->sa_in, &sin2, sizeof(sin2)); - ExpectIntEQ((int)wolfSSL_BIO_ctrl(bio1, BIO_CTRL_DGRAM_SET_PEER, 0, bio_addr2), WOLFSSL_SUCCESS); + ExpectIntEQ((int)wolfSSL_BIO_ctrl(bio1, BIO_CTRL_DGRAM_SET_PEER, 0, + bio_addr2), WOLFSSL_SUCCESS); wolfSSL_BIO_ADDR_clear(bio_addr2); } @@ -796,7 +822,8 @@ static THREAD_RETURN WOLFSSL_THREAD test_wolfSSL_BIO_accept_client(void* args) (void)args; - AssertIntGT(snprintf(connectAddr, sizeof(connectAddr), "%s:%d", wolfSSLIP, wolfSSLPort), 0); + AssertIntGT(snprintf(connectAddr, sizeof(connectAddr), "%s:%d", wolfSSLIP, + wolfSSLPort), 0); clientBio = BIO_new_connect(connectAddr); AssertNotNull(clientBio); AssertIntEQ(BIO_do_connect(clientBio), 1); @@ -804,7 +831,8 @@ static THREAD_RETURN WOLFSSL_THREAD test_wolfSSL_BIO_accept_client(void* args) AssertNotNull(ctx); sslClient = SSL_new(ctx); AssertNotNull(sslClient); - AssertIntEQ(wolfSSL_CTX_load_verify_locations(ctx, caCertFile, 0), WOLFSSL_SUCCESS); + AssertIntEQ(wolfSSL_CTX_load_verify_locations(ctx, caCertFile, 0), + WOLFSSL_SUCCESS); SSL_set_bio(sslClient, clientBio, clientBio); AssertIntEQ(SSL_connect(sslClient), 1); @@ -1156,5 +1184,287 @@ int test_wolfSSL_BIO_get_len(void) return EXPECT_RESULT(); } +#if defined(OPENSSL_EXTRA) && !defined(NO_BIO) +static long bioCallback(BIO *bio, int cmd, const char* argp, int argi, + long argl, long ret) +{ + (void)bio; + (void)cmd; + (void)argp; + (void)argi; + (void)argl; + return ret; +} +#endif + +int test_wolfSSL_BIO(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_BIO) + const unsigned char* p = NULL; + byte buff[20]; + BIO* bio1 = NULL; + BIO* bio2 = NULL; + BIO* bio3 = NULL; + char* bufPt = NULL; + int i; + + for (i = 0; i < 20; i++) { + buff[i] = i; + } + /* test BIO_free with NULL */ + ExpectIntEQ(BIO_free(NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + + /* Creating and testing type BIO_s_bio */ + ExpectNotNull(bio1 = BIO_new(BIO_s_bio())); + ExpectNotNull(bio2 = BIO_new(BIO_s_bio())); + ExpectNotNull(bio3 = BIO_new(BIO_s_bio())); + + /* read/write before set up */ + ExpectIntEQ(BIO_read(bio1, buff, 2), WOLFSSL_BIO_UNSET); + ExpectIntEQ(BIO_write(bio1, buff, 2), WOLFSSL_BIO_UNSET); + + ExpectIntEQ(BIO_set_nbio(bio1, 1), 1); + ExpectIntEQ(BIO_set_write_buf_size(bio1, 20), WOLFSSL_SUCCESS); + ExpectIntEQ(BIO_set_write_buf_size(bio2, 8), WOLFSSL_SUCCESS); + ExpectIntEQ(BIO_make_bio_pair(bio1, bio2), WOLFSSL_SUCCESS); + + ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 10), 10); + ExpectNotNull(XMEMCPY(bufPt, buff, 10)); + ExpectIntEQ(BIO_write(bio1, buff + 10, 10), 10); + /* write buffer full */ + ExpectIntEQ(BIO_write(bio1, buff, 10), WOLFSSL_BIO_ERROR); + ExpectIntEQ(BIO_flush(bio1), WOLFSSL_SUCCESS); + ExpectIntEQ((int)BIO_ctrl_pending(bio1), 0); + + /* write the other direction with pair */ + ExpectIntEQ((int)BIO_nwrite(bio2, &bufPt, 10), 8); + ExpectNotNull(XMEMCPY(bufPt, buff, 8)); + ExpectIntEQ(BIO_write(bio2, buff, 10), WOLFSSL_BIO_ERROR); + + /* try read */ + ExpectIntEQ((int)BIO_ctrl_pending(bio1), 8); + ExpectIntEQ((int)BIO_ctrl_pending(bio2), 20); + + /* try read using ctrl function */ + ExpectIntEQ((int)BIO_ctrl(bio1, BIO_CTRL_WPENDING, 0, NULL), 8); + ExpectIntEQ((int)BIO_ctrl(bio1, BIO_CTRL_PENDING, 0, NULL), 8); + ExpectIntEQ((int)BIO_ctrl(bio2, BIO_CTRL_WPENDING, 0, NULL), 20); + ExpectIntEQ((int)BIO_ctrl(bio2, BIO_CTRL_PENDING, 0, NULL), 20); + + ExpectIntEQ(BIO_nread(bio2, &bufPt, (int)BIO_ctrl_pending(bio2)), 20); + for (i = 0; i < 20; i++) { + ExpectIntEQ((int)bufPt[i], i); + } + ExpectIntEQ(BIO_nread(bio2, &bufPt, 1), 0); + ExpectIntEQ(BIO_nread(bio1, &bufPt, (int)BIO_ctrl_pending(bio1)), 8); + for (i = 0; i < 8; i++) { + ExpectIntEQ((int)bufPt[i], i); + } + ExpectIntEQ(BIO_nread(bio1, &bufPt, 1), 0); + ExpectIntEQ(BIO_ctrl_reset_read_request(bio1), 1); + + /* new pair */ + ExpectIntEQ(BIO_make_bio_pair(bio1, bio3), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + BIO_free(bio2); /* free bio2 and automatically remove from pair */ + bio2 = NULL; + ExpectIntEQ(BIO_make_bio_pair(bio1, bio3), WOLFSSL_SUCCESS); + ExpectIntEQ((int)BIO_ctrl_pending(bio3), 0); + ExpectIntEQ(BIO_nread(bio3, &bufPt, 10), 0); + + /* test wrap around... */ + ExpectIntEQ(BIO_reset(bio1), 1); + ExpectIntEQ(BIO_reset(bio3), 1); + + /* fill write buffer, read only small amount then write again */ + ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 20), 20); + ExpectNotNull(XMEMCPY(bufPt, buff, 20)); + ExpectIntEQ(BIO_nread(bio3, &bufPt, 4), 4); + for (i = 0; i < 4; i++) { + ExpectIntEQ(bufPt[i], i); + } + + /* try writing over read index */ + ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 5), 4); + ExpectNotNull(XMEMSET(bufPt, 0, 4)); + ExpectIntEQ((int)BIO_ctrl_pending(bio3), 20); + + /* read and write 0 bytes */ + ExpectIntEQ(BIO_nread(bio3, &bufPt, 0), 0); + ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 0), 0); + + /* should read only to end of write buffer then need to read again */ + ExpectIntEQ(BIO_nread(bio3, &bufPt, 20), 16); + for (i = 0; i < 16; i++) { + ExpectIntEQ(bufPt[i], buff[4 + i]); + } + + ExpectIntEQ(BIO_nread(bio3, NULL, 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(BIO_nread0(bio3, &bufPt), 4); + for (i = 0; i < 4; i++) { + ExpectIntEQ(bufPt[i], 0); + } + + /* read index should not have advanced with nread0 */ + ExpectIntEQ(BIO_nread(bio3, &bufPt, 5), 4); + for (i = 0; i < 4; i++) { + ExpectIntEQ(bufPt[i], 0); + } + + /* write and fill up buffer checking reset of index state */ + ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 20), 20); + ExpectNotNull(XMEMCPY(bufPt, buff, 20)); + + /* test reset on data in bio1 write buffer */ + ExpectIntEQ(BIO_reset(bio1), 1); + ExpectIntEQ((int)BIO_ctrl_pending(bio3), 0); + ExpectIntEQ(BIO_nread(bio3, &bufPt, 3), 0); + ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 20), 20); + ExpectIntEQ((int)BIO_ctrl(bio1, BIO_CTRL_INFO, 0, &p), 20); + ExpectNotNull(p); + ExpectNotNull(XMEMCPY(bufPt, buff, 20)); + ExpectIntEQ(BIO_nread(bio3, &bufPt, 6), 6); + for (i = 0; i < 6; i++) { + ExpectIntEQ(bufPt[i], i); + } + + /* test case of writing twice with offset read index */ + ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 3), 3); + ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 4), 3); /* try overwriting */ + ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 4), WOLFSSL_BIO_ERROR); + ExpectIntEQ(BIO_nread(bio3, &bufPt, 0), 0); + ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 4), WOLFSSL_BIO_ERROR); + ExpectIntEQ(BIO_nread(bio3, &bufPt, 1), 1); + ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 4), 1); + ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 4), WOLFSSL_BIO_ERROR); + + BIO_free(bio1); + bio1 = NULL; + BIO_free(bio3); + bio3 = NULL; + + #if defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO) + { + BIO* bioA = NULL; + BIO* bioB = NULL; + ExpectIntEQ(BIO_new_bio_pair(NULL, 256, NULL, 256), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(BIO_new_bio_pair(&bioA, 256, &bioB, 256), WOLFSSL_SUCCESS); + BIO_free(bioA); + bioA = NULL; + BIO_free(bioB); + bioB = NULL; + } + #endif /* OPENSSL_ALL || WOLFSSL_ASIO */ + + /* BIOs with file pointers */ + #if !defined(NO_FILESYSTEM) + { + XFILE f1 = XBADFILE; + XFILE f2 = XBADFILE; + BIO* f_bio1 = NULL; + BIO* f_bio2 = NULL; + unsigned char cert[300]; + char testFile[] = "tests/bio_write_test.txt"; + char msg[] = "bio_write_test.txt contains the first 300 bytes of " + "certs/server-cert.pem\n" + "created by tests/unit.test\n\n"; + + ExpectNotNull(f_bio1 = BIO_new(BIO_s_file())); + ExpectNotNull(f_bio2 = BIO_new(BIO_s_file())); + + /* Failure due to wrong BIO type */ + ExpectIntEQ((int)BIO_set_mem_eof_return(f_bio1, -1), 0); + ExpectIntEQ((int)BIO_set_mem_eof_return(NULL, -1), 0); + + ExpectTrue((f1 = XFOPEN(svrCertFile, "rb+")) != XBADFILE); + ExpectIntEQ((int)BIO_set_fp(f_bio1, f1, BIO_CLOSE), WOLFSSL_SUCCESS); + ExpectIntEQ(BIO_write_filename(f_bio2, testFile), + WOLFSSL_SUCCESS); + + ExpectIntEQ(BIO_read(f_bio1, cert, sizeof(cert)), sizeof(cert)); + ExpectIntEQ(BIO_tell(f_bio1),sizeof(cert)); + ExpectIntEQ(BIO_write(f_bio2, msg, sizeof(msg)), sizeof(msg)); + ExpectIntEQ(BIO_tell(f_bio2),sizeof(msg)); + ExpectIntEQ(BIO_write(f_bio2, cert, sizeof(cert)), sizeof(cert)); + ExpectIntEQ(BIO_tell(f_bio2),sizeof(cert) + sizeof(msg)); + + ExpectIntEQ((int)BIO_get_fp(f_bio2, &f2), WOLFSSL_SUCCESS); + ExpectIntEQ(BIO_reset(f_bio2), 1); + ExpectIntEQ(BIO_tell(NULL),-1); + ExpectIntEQ(BIO_tell(f_bio2),0); + ExpectIntEQ(BIO_seek(f_bio2, 4), 0); + ExpectIntEQ(BIO_tell(f_bio2),4); + + BIO_free(f_bio1); + f_bio1 = NULL; + BIO_free(f_bio2); + f_bio2 = NULL; + + ExpectNotNull(f_bio1 = BIO_new_file(svrCertFile, "rb+")); + ExpectIntEQ((int)BIO_set_mem_eof_return(f_bio1, -1), 0); + ExpectIntEQ(BIO_read(f_bio1, cert, sizeof(cert)), sizeof(cert)); + BIO_free(f_bio1); + f_bio1 = NULL; + } + #endif /* !defined(NO_FILESYSTEM) */ + + /* BIO info callback */ + { + const char* testArg = "test"; + BIO* cb_bio = NULL; + ExpectNotNull(cb_bio = BIO_new(BIO_s_mem())); + + BIO_set_callback(cb_bio, bioCallback); + ExpectNotNull(BIO_get_callback(cb_bio)); + BIO_set_callback(cb_bio, NULL); + ExpectNull(BIO_get_callback(cb_bio)); + + BIO_set_callback_arg(cb_bio, (char*)testArg); + ExpectStrEQ(BIO_get_callback_arg(cb_bio), testArg); + ExpectNull(BIO_get_callback_arg(NULL)); + + BIO_free(cb_bio); + cb_bio = NULL; + } + + /* BIO_vfree */ + ExpectNotNull(bio1 = BIO_new(BIO_s_bio())); + BIO_vfree(NULL); + BIO_vfree(bio1); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_BIO_BIO_ring_read(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_ALL) && !defined(NO_BIO) + BIO* bio1 = NULL; + BIO* bio2 = NULL; + byte data[50]; + byte tmp[50]; + + XMEMSET(data, 42, sizeof(data)); + + + ExpectIntEQ(BIO_new_bio_pair(&bio1, sizeof(data), &bio2, sizeof(data)), + SSL_SUCCESS); + + ExpectIntEQ(BIO_write(bio1, data, 40), 40); + ExpectIntEQ(BIO_read(bio1, tmp, 20), -1); + ExpectIntEQ(BIO_read(bio2, tmp, 20), 20); + ExpectBufEQ(tmp, data, 20); + ExpectIntEQ(BIO_write(bio1, data, 20), 20); + ExpectIntEQ(BIO_read(bio2, tmp, 40), 40); + ExpectBufEQ(tmp, data, 40); + + BIO_free(bio1); + BIO_free(bio2); +#endif + return EXPECT_RESULT(); +} + #endif /* !NO_BIO */ diff --git a/tests/api/test_ossl_bio.h b/tests/api/test_ossl_bio.h index 8bcbc743f8b..aff38a9bbe5 100644 --- a/tests/api/test_ossl_bio.h +++ b/tests/api/test_ossl_bio.h @@ -40,6 +40,8 @@ int test_wolfSSL_BIO_f_md(void); int test_wolfSSL_BIO_up_ref(void); int test_wolfSSL_BIO_reset(void); int test_wolfSSL_BIO_get_len(void); +int test_wolfSSL_BIO(void); +int test_wolfSSL_BIO_BIO_ring_read(void); #define TEST_OSSL_BIO_DECLS \ TEST_DECL_GROUP("ossl_bio", test_wolfSSL_BIO_gets), \ @@ -52,7 +54,9 @@ int test_wolfSSL_BIO_get_len(void); TEST_DECL_GROUP("ossl_bio", test_wolfSSL_BIO_f_md), \ TEST_DECL_GROUP("ossl_bio", test_wolfSSL_BIO_up_ref), \ TEST_DECL_GROUP("ossl_bio", test_wolfSSL_BIO_reset), \ - TEST_DECL_GROUP("ossl_bio", test_wolfSSL_BIO_get_len) + TEST_DECL_GROUP("ossl_bio", test_wolfSSL_BIO_get_len), \ + TEST_DECL_GROUP("ossl_bio", test_wolfSSL_BIO), \ + TEST_DECL_GROUP("ossl_bio", test_wolfSSL_BIO_BIO_ring_read) #define TEST_OSSL_BIO_TLS_DECLS \ TEST_DECL_GROUP("ossl_bio_tls", test_wolfSSL_BIO_connect), \ diff --git a/tests/api/test_ossl_bn.c b/tests/api/test_ossl_bn.c index 176772eec7b..be0841a39de 100644 --- a/tests/api/test_ossl_bn.c +++ b/tests/api/test_ossl_bn.c @@ -217,14 +217,16 @@ int test_wolfSSL_BN_init(void) ExpectIntEQ(BN_set_word(&cv, 5), SSL_SUCCESS); /* a^b mod c = */ - ExpectIntEQ(BN_mod_exp(&dv, NULL, &bv, &cv, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(BN_mod_exp(&dv, NULL, &bv, &cv, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); ExpectIntEQ(BN_mod_exp(&dv, ap, &bv, &cv, NULL), WOLFSSL_SUCCESS); /* check result 3^2 mod 5 */ ExpectIntEQ(BN_get_word(&dv), 4); /* a*b mod c = */ - ExpectIntEQ(BN_mod_mul(&dv, NULL, &bv, &cv, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(BN_mod_mul(&dv, NULL, &bv, &cv, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); ExpectIntEQ(BN_mod_mul(&dv, ap, &bv, &cv, NULL), SSL_SUCCESS); /* check result 3*2 mod 5 */ @@ -1027,7 +1029,8 @@ int test_wolfSSL_BN_prime(void) EXPECT_DECLS; #if defined(OPENSSL_EXTRA) && !defined(NO_ASN) && \ !defined(OPENSSL_EXTRA_NO_BN) && !defined(WOLFSSL_SP_MATH) -#if defined(WOLFSSL_KEY_GEN) && (!defined(NO_RSA) || !defined(NO_DH) || !defined(NO_DSA)) +#if defined(WOLFSSL_KEY_GEN) && (!defined(NO_RSA) || !defined(NO_DH) || \ + !defined(NO_DSA)) BIGNUM* a = NULL; BIGNUM* add = NULL; BIGNUM* rem = NULL; diff --git a/tests/api/test_ossl_dgst.c b/tests/api/test_ossl_dgst.c index 8bc6c467e66..bce1f6229ae 100644 --- a/tests/api/test_ossl_dgst.c +++ b/tests/api/test_ossl_dgst.c @@ -161,8 +161,10 @@ int test_wolfSSL_MD5_Transform(void) ExpectIntEQ(MD5_Transform(NULL, (const byte*)&input1), 0); ExpectIntEQ(MD5_Transform(&md5.compat, NULL), 0); ExpectIntEQ(wc_Md5Transform(NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wc_Md5Transform(NULL, (const byte*)&input1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wc_Md5Transform(&md5.native, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wc_Md5Transform(NULL, (const byte*)&input1), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wc_Md5Transform(&md5.native, NULL), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); /* Init MD5 CTX */ ExpectIntEQ(wolfSSL_MD5_Init(&md5.compat), 1); @@ -359,8 +361,10 @@ int test_wolfSSL_SHA_Transform(void) ExpectIntEQ(SHA1_Transform(NULL, (const byte*)&input1), 0); ExpectIntEQ(SHA1_Transform(&sha.compat, NULL), 0); ExpectIntEQ(wc_ShaTransform(NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wc_ShaTransform(NULL, (const byte*)&input1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wc_ShaTransform(&sha.native, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wc_ShaTransform(NULL, (const byte*)&input1), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wc_ShaTransform(&sha.native, NULL), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); /* Init SHA CTX */ ExpectIntEQ(SHA_Init(&sha.compat), 1); @@ -500,8 +504,10 @@ int test_wolfSSL_SHA256_Transform(void) ExpectIntEQ(SHA256_Transform(NULL, (const byte*)&input1), 0); ExpectIntEQ(SHA256_Transform(&sha256.compat, NULL), 0); ExpectIntEQ(wc_Sha256Transform(NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wc_Sha256Transform(NULL, (const byte*)&input1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wc_Sha256Transform(&sha256.native, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wc_Sha256Transform(NULL, (const byte*)&input1), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wc_Sha256Transform(&sha256.native, NULL), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); /* Init SHA256 CTX */ ExpectIntEQ(SHA256_Init(&sha256.compat), 1); @@ -574,8 +580,10 @@ int test_wolfSSL_SHA512_Transform(void) ExpectIntEQ(SHA512_Transform(NULL, (const byte*)&input1), 0); ExpectIntEQ(SHA512_Transform(&sha512.compat, NULL), 0); ExpectIntEQ(wc_Sha512Transform(NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wc_Sha512Transform(NULL, (const byte*)&input1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wc_Sha512Transform(&sha512.native, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wc_Sha512Transform(NULL, (const byte*)&input1), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wc_Sha512Transform(&sha512.native, NULL), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); /* Init SHA512 CTX */ ExpectIntEQ(wolfSSL_SHA512_Init(&sha512.compat), 1); @@ -584,8 +592,8 @@ int test_wolfSSL_SHA512_Transform(void) sLen = (word32)XSTRLEN((char*)input1); XMEMCPY(local, input1, sLen); ExpectIntEQ(SHA512_Transform(&sha512.compat, (const byte*)&local[0]), 1); - ExpectIntEQ(XMEMCMP(sha512.native.digest, output1, - WC_SHA512_DIGEST_SIZE), 0); + ExpectIntEQ(XMEMCMP(sha512.native.digest, output1, WC_SHA512_DIGEST_SIZE), + 0); ExpectIntEQ(SHA512_Final(local, &sha512.compat), 1); /* frees resources */ /* Init SHA512 CTX */ @@ -594,8 +602,8 @@ int test_wolfSSL_SHA512_Transform(void) XMEMSET(local, 0, WC_SHA512_BLOCK_SIZE); XMEMCPY(local, input2, sLen); ExpectIntEQ(SHA512_Transform(&sha512.compat, (const byte*)&local[0]), 1); - ExpectIntEQ(XMEMCMP(sha512.native.digest, output2, - WC_SHA512_DIGEST_SIZE), 0); + ExpectIntEQ(XMEMCMP(sha512.native.digest, output2, WC_SHA512_DIGEST_SIZE), + 0); ExpectIntEQ(SHA512_Final(local, &sha512.compat), 1); /* frees resources */ (void)input1; @@ -643,10 +651,12 @@ int test_wolfSSL_SHA512_224_Transform(void) ExpectIntEQ(SHA512_224_Transform(NULL, NULL), 0); ExpectIntEQ(SHA512_224_Transform(NULL, (const byte*)&input1), 0); ExpectIntEQ(SHA512_224_Transform(&sha512.compat, NULL), 0); - ExpectIntEQ(wc_Sha512_224Transform(NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wc_Sha512_224Transform(NULL, NULL), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); ExpectIntEQ(wc_Sha512_224Transform(NULL, (const byte*)&input1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wc_Sha512_224Transform(&sha512.native, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wc_Sha512_224Transform(&sha512.native, NULL), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); /* Init SHA512 CTX */ ExpectIntEQ(wolfSSL_SHA512_224_Init(&sha512.compat), 1); @@ -716,10 +726,12 @@ int test_wolfSSL_SHA512_256_Transform(void) ExpectIntEQ(SHA512_256_Transform(NULL, NULL), 0); ExpectIntEQ(SHA512_256_Transform(NULL, (const byte*)&input1), 0); ExpectIntEQ(SHA512_256_Transform(&sha512.compat, NULL), 0); - ExpectIntEQ(wc_Sha512_256Transform(NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wc_Sha512_256Transform(NULL, NULL), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); ExpectIntEQ(wc_Sha512_256Transform(NULL, (const byte*)&input1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wc_Sha512_256Transform(&sha512.native, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wc_Sha512_256Transform(&sha512.native, NULL), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); /* Init SHA512 CTX */ ExpectIntEQ(wolfSSL_SHA512_256_Init(&sha512.compat), 1); diff --git a/tests/api/test_ossl_ec.c b/tests/api/test_ossl_ec.c index dd5bf28cbca..cf314a44877 100644 --- a/tests/api/test_ossl_ec.c +++ b/tests/api/test_ossl_ec.c @@ -1345,12 +1345,15 @@ int test_wolfSSL_EC_KEY_print_fp(void) EC_KEY* key = NULL; /* Bad file pointer. */ - ExpectIntEQ(wolfSSL_EC_KEY_print_fp(NULL, key, 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EC_KEY_print_fp(NULL, key, 0), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); /* NULL key. */ - ExpectIntEQ(wolfSSL_EC_KEY_print_fp(stderr, NULL, 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EC_KEY_print_fp(stderr, NULL, 0), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); ExpectNotNull((key = wolfSSL_EC_KEY_new_by_curve_name(NID_secp224r1))); /* Negative indent. */ - ExpectIntEQ(wolfSSL_EC_KEY_print_fp(stderr, key, -1), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EC_KEY_print_fp(stderr, key, -1), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); ExpectIntEQ(wolfSSL_EC_KEY_print_fp(stderr, key, 4), WOLFSSL_SUCCESS); ExpectIntEQ(wolfSSL_EC_KEY_generate_key(key), WOLFSSL_SUCCESS); diff --git a/tests/api/test_ossl_obj.c b/tests/api/test_ossl_obj.c new file mode 100644 index 00000000000..e6dc3f0252f --- /dev/null +++ b/tests/api/test_ossl_obj.c @@ -0,0 +1,465 @@ +/* test_ossl_obj.c + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +#include + +#ifdef NO_INLINE + #include +#else + #define WOLFSSL_MISC_INCLUDED + #include +#endif + +#include +#include +#include +#include + +#if defined(OPENSSL_EXTRA) +static void obj_name_t(const OBJ_NAME* nm, void* arg) +{ + (void)arg; + (void)nm; + + AssertIntGT(nm->type, OBJ_NAME_TYPE_UNDEF); + +#if !defined(NO_FILESYSTEM) && defined(DEBUG_WOLFSSL_VERBOSE) + /* print to stderr */ + AssertNotNull(arg); + + BIO *bio = BIO_new(BIO_s_file()); + BIO_set_fp(bio, arg, BIO_NOCLOSE); + BIO_printf(bio, "%s\n", nm); + BIO_free(bio); +#endif +} + +#endif +int test_OBJ_NAME_do_all(void) +{ + int res = TEST_SKIPPED; +#if defined(OPENSSL_EXTRA) + + OBJ_NAME_do_all(OBJ_NAME_TYPE_MD_METH, NULL, NULL); + + OBJ_NAME_do_all(OBJ_NAME_TYPE_CIPHER_METH, NULL, stderr); + + OBJ_NAME_do_all(OBJ_NAME_TYPE_MD_METH, obj_name_t, stderr); + OBJ_NAME_do_all(OBJ_NAME_TYPE_PKEY_METH, obj_name_t, stderr); + OBJ_NAME_do_all(OBJ_NAME_TYPE_COMP_METH, obj_name_t, stderr); + OBJ_NAME_do_all(OBJ_NAME_TYPE_NUM, obj_name_t, stderr); + OBJ_NAME_do_all(OBJ_NAME_TYPE_UNDEF, obj_name_t, stderr); + OBJ_NAME_do_all(OBJ_NAME_TYPE_CIPHER_METH, obj_name_t, stderr); + OBJ_NAME_do_all(-1, obj_name_t, stderr); + + res = TEST_SUCCESS; +#endif + + return res; +} + +int test_wolfSSL_OBJ(void) +{ +/* Password "wolfSSL test" is only 12 (96-bit) too short for testing in FIPS + * mode + */ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_SHA256) && !defined(NO_ASN) && \ + !defined(HAVE_FIPS) && !defined(NO_SHA) && defined(WOLFSSL_CERT_EXT) && \ + defined(WOLFSSL_CERT_GEN) && !defined(NO_BIO) && \ + !defined(NO_FILESYSTEM) && !defined(NO_STDIO_FILESYSTEM) + ASN1_OBJECT *obj = NULL; + ASN1_OBJECT *obj2 = NULL; + char buf[50]; + + XFILE fp = XBADFILE; + X509 *x509 = NULL; + X509_NAME *x509Name = NULL; + X509_NAME_ENTRY *x509NameEntry = NULL; + ASN1_OBJECT *asn1Name = NULL; + int numNames = 0; + BIO *bio = NULL; + int nid; + int i, j; + const char *f[] = { + #ifndef NO_RSA + "./certs/ca-cert.der", + #endif + #ifdef HAVE_ECC + "./certs/ca-ecc-cert.der", + "./certs/ca-ecc384-cert.der", + #endif + NULL}; + ASN1_OBJECT *field_name_obj = NULL; + int lastpos = -1; + int tmp = -1; + ASN1_STRING *asn1 = NULL; + unsigned char *buf_dyn = NULL; + + ExpectIntEQ(OBJ_obj2txt(buf, (int)sizeof(buf), obj, 1), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectNotNull(obj = OBJ_nid2obj(NID_any_policy)); + ExpectIntEQ(OBJ_obj2nid(obj), NID_any_policy); + ExpectIntEQ(OBJ_obj2txt(buf, (int)sizeof(buf), obj, 1), 11); + ExpectIntGT(OBJ_obj2txt(buf, (int)sizeof(buf), obj, 0), 0); + ASN1_OBJECT_free(obj); + obj = NULL; + + ExpectNotNull(obj = OBJ_nid2obj(NID_sha256)); + ExpectIntEQ(OBJ_obj2nid(obj), NID_sha256); + ExpectIntEQ(OBJ_obj2txt(buf, (int)sizeof(buf), obj, 1), 22); +#ifdef WOLFSSL_CERT_EXT + ExpectIntEQ(OBJ_txt2nid(buf), NID_sha256); +#endif + ExpectIntGT(OBJ_obj2txt(buf, (int)sizeof(buf), obj, 0), 0); + ExpectNotNull(obj2 = OBJ_dup(obj)); + ExpectIntEQ(OBJ_cmp(obj, obj2), 0); + ASN1_OBJECT_free(obj); + obj = NULL; + ASN1_OBJECT_free(obj2); + obj2 = NULL; + + for (i = 0; f[i] != NULL; i++) + { + ExpectTrue((fp = XFOPEN(f[i], "rb")) != XBADFILE); + ExpectNotNull(x509 = d2i_X509_fp(fp, NULL)); + if (fp != XBADFILE) { + XFCLOSE(fp); + fp = XBADFILE; + } + ExpectNotNull(x509Name = X509_get_issuer_name(x509)); + ExpectIntNE((numNames = X509_NAME_entry_count(x509Name)), 0); + + /* Get the Common Name by using OBJ_txt2obj */ + ExpectNotNull(field_name_obj = OBJ_txt2obj("CN", 0)); + ExpectIntEQ(X509_NAME_get_index_by_OBJ(NULL, NULL, 99), + WOLFSSL_FATAL_ERROR); + ExpectIntEQ(X509_NAME_get_index_by_OBJ(x509Name, NULL, 99), + WOLFSSL_FATAL_ERROR); + ExpectIntEQ(X509_NAME_get_index_by_OBJ(NULL, field_name_obj, 99), + WOLFSSL_FATAL_ERROR); + ExpectIntEQ(X509_NAME_get_index_by_OBJ(x509Name, field_name_obj, 99), + WOLFSSL_FATAL_ERROR); + ExpectIntEQ(X509_NAME_get_index_by_OBJ(x509Name, NULL, 0), + WOLFSSL_FATAL_ERROR); + do + { + lastpos = tmp; + tmp = X509_NAME_get_index_by_OBJ(x509Name, field_name_obj, lastpos); + } while (tmp > -1); + ExpectIntNE(lastpos, -1); + ASN1_OBJECT_free(field_name_obj); + field_name_obj = NULL; + ExpectNotNull(x509NameEntry = X509_NAME_get_entry(x509Name, lastpos)); + ExpectNotNull(asn1 = X509_NAME_ENTRY_get_data(x509NameEntry)); + ExpectIntGE(ASN1_STRING_to_UTF8(&buf_dyn, asn1), 0); + /* + * All Common Names should be www.wolfssl.com + * This makes testing easier as we can test for the expected value. + */ + ExpectStrEQ((char*)buf_dyn, "www.wolfssl.com"); + OPENSSL_free(buf_dyn); + buf_dyn = NULL; + bio = BIO_new(BIO_s_mem()); + ExpectTrue(bio != NULL); + for (j = 0; j < numNames; j++) + { + ExpectNotNull(x509NameEntry = X509_NAME_get_entry(x509Name, j)); + ExpectNotNull(asn1Name = X509_NAME_ENTRY_get_object(x509NameEntry)); + ExpectTrue((nid = OBJ_obj2nid(asn1Name)) > 0); + } + BIO_free(bio); + bio = NULL; + X509_free(x509); + x509 = NULL; + + } + +#ifdef HAVE_PKCS12 + { + PKCS12 *p12 = NULL; + int boolRet; + EVP_PKEY *pkey = NULL; + const char *p12_f[] = { + /* bundle uses AES-CBC 256 and PKCS7 key uses DES3 */ + #if !defined(NO_DES3) && defined(WOLFSSL_AES_256) && !defined(NO_RSA) + "./certs/test-servercert.p12", + #endif + NULL + }; + + for (i = 0; p12_f[i] != NULL; i++) + { + ExpectTrue((fp = XFOPEN(p12_f[i], "rb")) != XBADFILE); + ExpectNotNull(p12 = d2i_PKCS12_fp(fp, NULL)); + if (fp != XBADFILE) { + XFCLOSE(fp); + fp = XBADFILE; + } + ExpectTrue((boolRet = PKCS12_parse(p12, "wolfSSL test", + &pkey, &x509, NULL)) > 0); + wc_PKCS12_free(p12); + p12 = NULL; + EVP_PKEY_free(pkey); + x509Name = X509_get_issuer_name(x509); + ExpectNotNull(x509Name); + ExpectIntNE((numNames = X509_NAME_entry_count(x509Name)), 0); + ExpectTrue((bio = BIO_new(BIO_s_mem())) != NULL); + for (j = 0; j < numNames; j++) + { + ExpectNotNull(x509NameEntry = X509_NAME_get_entry(x509Name, j)); + ExpectNotNull(asn1Name = + X509_NAME_ENTRY_get_object(x509NameEntry)); + ExpectTrue((nid = OBJ_obj2nid(asn1Name)) > 0); + } + BIO_free(bio); + bio = NULL; + X509_free(x509); + x509 = NULL; + } + } +#endif /* HAVE_PKCS12 */ +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_OBJ_cmp(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_SHA256) + ASN1_OBJECT *obj = NULL; + ASN1_OBJECT *obj2 = NULL; + + ExpectNotNull(obj = OBJ_nid2obj(NID_any_policy)); + ExpectNotNull(obj2 = OBJ_nid2obj(NID_sha256)); + + ExpectIntEQ(OBJ_cmp(NULL, NULL), WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); + ExpectIntEQ(OBJ_cmp(obj, NULL), WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); + ExpectIntEQ(OBJ_cmp(NULL, obj2), WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); + ExpectIntEQ(OBJ_cmp(obj, obj2), WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); + ExpectIntEQ(OBJ_cmp(obj, obj), 0); + ExpectIntEQ(OBJ_cmp(obj2, obj2), 0); + + ASN1_OBJECT_free(obj); + ASN1_OBJECT_free(obj2); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_OBJ_txt2nid(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \ + defined(WOLFSSL_APACHE_HTTPD) + int i; + static const struct { + const char* sn; + const char* ln; + const char* oid; + int nid; + } testVals[] = { +#ifdef WOLFSSL_APACHE_HTTPD + { "tlsfeature", "TLS Feature", "1.3.6.1.5.5.7.1.24", NID_tlsfeature }, + { "id-on-dnsSRV", "SRVName", "1.3.6.1.5.5.7.8.7", + NID_id_on_dnsSRV }, + { "msUPN", "Microsoft User Principal Name", + "1.3.6.1.4.1.311.20.2.3", NID_ms_upn }, +#endif + { NULL, NULL, NULL, NID_undef } + }; + + /* Invalid cases */ + ExpectIntEQ(OBJ_txt2nid(NULL), NID_undef); + ExpectIntEQ(OBJ_txt2nid("Bad name"), NID_undef); + + /* Valid cases */ + for (i = 0; testVals[i].sn != NULL; i++) { + ExpectIntEQ(OBJ_txt2nid(testVals[i].sn), testVals[i].nid); + ExpectIntEQ(OBJ_txt2nid(testVals[i].ln), testVals[i].nid); + ExpectIntEQ(OBJ_txt2nid(testVals[i].oid), testVals[i].nid); + } +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_OBJ_txt2obj(void) +{ + EXPECT_DECLS; +#if defined(WOLFSSL_APACHE_HTTPD) || (defined(OPENSSL_EXTRA) && \ + defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_CERT_GEN)) + int i; + char buf[50]; + ASN1_OBJECT* obj = NULL; + static const struct { + const char* oidStr; + const char* sn; + const char* ln; + } objs_list[] = { + #if defined(WOLFSSL_APACHE_HTTPD) + { "1.3.6.1.5.5.7.1.24", "tlsfeature", "TLS Feature" }, + { "1.3.6.1.5.5.7.8.7", "id-on-dnsSRV", "SRVName" }, + #endif + { "2.5.29.19", "basicConstraints", "X509v3 Basic Constraints"}, + { NULL, NULL, NULL } + }; + static const struct { + const char* numeric; + const char* name; + } objs_named[] = { + /* In dictionary but not in normal list. */ + { "1.3.6.1.5.5.7.3.8", "Time Stamping" }, + /* Made up OID. */ + { "1.3.5.7", "1.3.5.7" }, + { NULL, NULL } + }; + + ExpectNull(obj = OBJ_txt2obj("Bad name", 0)); + ASN1_OBJECT_free(obj); + obj = NULL; + ExpectNull(obj = OBJ_txt2obj(NULL, 0)); + ASN1_OBJECT_free(obj); + obj = NULL; + + for (i = 0; objs_list[i].oidStr != NULL; i++) { + /* Test numerical value of oid (oidStr) */ + ExpectNotNull(obj = OBJ_txt2obj(objs_list[i].oidStr, 1)); + /* Convert object back to text to confirm oid is correct */ + wolfSSL_OBJ_obj2txt(buf, (int)sizeof(buf), obj, 1); + ExpectIntEQ(XSTRNCMP(buf, objs_list[i].oidStr, (int)XSTRLEN(buf)), 0); + ASN1_OBJECT_free(obj); + obj = NULL; + XMEMSET(buf, 0, sizeof(buf)); + + /* Test short name (sn) */ + ExpectNull(obj = OBJ_txt2obj(objs_list[i].sn, 1)); + ExpectNotNull(obj = OBJ_txt2obj(objs_list[i].sn, 0)); + /* Convert object back to text to confirm oid is correct */ + wolfSSL_OBJ_obj2txt(buf, (int)sizeof(buf), obj, 1); + ExpectIntEQ(XSTRNCMP(buf, objs_list[i].oidStr, (int)XSTRLEN(buf)), 0); + ASN1_OBJECT_free(obj); + obj = NULL; + XMEMSET(buf, 0, sizeof(buf)); + + /* Test long name (ln) - should fail when no_name = 1 */ + ExpectNull(obj = OBJ_txt2obj(objs_list[i].ln, 1)); + ExpectNotNull(obj = OBJ_txt2obj(objs_list[i].ln, 0)); + /* Convert object back to text to confirm oid is correct */ + wolfSSL_OBJ_obj2txt(buf, (int)sizeof(buf), obj, 1); + ExpectIntEQ(XSTRNCMP(buf, objs_list[i].oidStr, (int)XSTRLEN(buf)), 0); + ASN1_OBJECT_free(obj); + obj = NULL; + XMEMSET(buf, 0, sizeof(buf)); + } + + for (i = 0; objs_named[i].numeric != NULL; i++) { + ExpectNotNull(obj = OBJ_txt2obj(objs_named[i].numeric, 1)); + wolfSSL_OBJ_obj2txt(buf, (int)sizeof(buf), obj, 0); + ExpectIntEQ(XSTRNCMP(buf, objs_named[i].name, (int)XSTRLEN(buf)), 0); + wolfSSL_OBJ_obj2txt(buf, (int)sizeof(buf), obj, 1); + ExpectIntEQ(XSTRNCMP(buf, objs_named[i].numeric, (int)XSTRLEN(buf)), 0); + ASN1_OBJECT_free(obj); + obj = NULL; + } +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_OBJ_ln(void) +{ + EXPECT_DECLS; +#ifdef OPENSSL_ALL + const int nid_set[] = { + NID_commonName, + NID_serialNumber, + NID_countryName, + NID_localityName, + NID_stateOrProvinceName, + NID_organizationName, + NID_organizationalUnitName, + NID_domainComponent, + NID_businessCategory, + NID_jurisdictionCountryName, + NID_jurisdictionStateOrProvinceName, + NID_emailAddress + }; + const char* ln_set[] = { + "commonName", + "serialNumber", + "countryName", + "localityName", + "stateOrProvinceName", + "organizationName", + "organizationalUnitName", + "domainComponent", + "businessCategory", + "jurisdictionCountryName", + "jurisdictionStateOrProvinceName", + "emailAddress", + }; + size_t i = 0, maxIdx = sizeof(ln_set)/sizeof(char*); + + ExpectIntEQ(OBJ_ln2nid(NULL), NID_undef); + +#ifdef HAVE_ECC +#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) + { + EC_builtin_curve r[27]; + size_t nCurves = sizeof(r) / sizeof(r[0]); + nCurves = EC_get_builtin_curves(r, nCurves); + + for (i = 0; i < nCurves; i++) { + /* skip ECC_CURVE_INVALID */ + if (r[i].nid != ECC_CURVE_INVALID) { + ExpectIntEQ(OBJ_ln2nid(r[i].comment), r[i].nid); + ExpectStrEQ(OBJ_nid2ln(r[i].nid), r[i].comment); + } + } + } +#endif +#endif + + for (i = 0; i < maxIdx; i++) { + ExpectIntEQ(OBJ_ln2nid(ln_set[i]), nid_set[i]); + ExpectStrEQ(OBJ_nid2ln(nid_set[i]), ln_set[i]); + } +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_OBJ_sn(void) +{ + EXPECT_DECLS; +#ifdef OPENSSL_ALL + int i = 0, maxIdx = 7; + const int nid_set[] = {NID_commonName,NID_countryName,NID_localityName, + NID_stateOrProvinceName,NID_organizationName, + NID_organizationalUnitName,NID_emailAddress}; + const char* sn_open_set[] = {"CN","C","L","ST","O","OU","emailAddress"}; + + ExpectIntEQ(wolfSSL_OBJ_sn2nid(NULL), NID_undef); + for (i = 0; i < maxIdx; i++) { + ExpectIntEQ(wolfSSL_OBJ_sn2nid(sn_open_set[i]), nid_set[i]); + ExpectStrEQ(wolfSSL_OBJ_nid2sn(nid_set[i]), sn_open_set[i]); + } +#endif + return EXPECT_RESULT(); +} + diff --git a/tests/api/test_ossl_obj.h b/tests/api/test_ossl_obj.h new file mode 100644 index 00000000000..c780e664d1a --- /dev/null +++ b/tests/api/test_ossl_obj.h @@ -0,0 +1,45 @@ +/* test_ossl_obj.h + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +#ifndef WOLFCRYPT_TEST_OSSL_OBJ_H +#define WOLFCRYPT_TEST_OSSL_OBJ_H + +#include + +int test_OBJ_NAME_do_all(void); +int test_wolfSSL_OBJ(void); +int test_wolfSSL_OBJ_cmp(void); +int test_wolfSSL_OBJ_txt2nid(void); +int test_wolfSSL_OBJ_txt2obj(void); +int test_wolfSSL_OBJ_ln(void); +int test_wolfSSL_OBJ_sn(void); + +#define TEST_OSSL_OBJ_DECLS \ + TEST_DECL_GROUP("ossl_obj", test_OBJ_NAME_do_all), \ + TEST_DECL_GROUP("ossl_obj", test_wolfSSL_OBJ), \ + TEST_DECL_GROUP("ossl_obj", test_wolfSSL_OBJ_cmp), \ + TEST_DECL_GROUP("ossl_obj", test_wolfSSL_OBJ_txt2nid), \ + TEST_DECL_GROUP("ossl_obj", test_wolfSSL_OBJ_txt2obj), \ + TEST_DECL_GROUP("ossl_obj", test_wolfSSL_OBJ_ln), \ + TEST_DECL_GROUP("ossl_obj", test_wolfSSL_OBJ_sn) + +#endif /* WOLFCRYPT_TEST_OSSL_OBJ_H */ + diff --git a/tests/api/test_ossl_p7p12.c b/tests/api/test_ossl_p7p12.c new file mode 100644 index 00000000000..6611cf83187 --- /dev/null +++ b/tests/api/test_ossl_p7p12.c @@ -0,0 +1,1321 @@ +/* test_ossl_p7p12.c + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +#include + +#ifdef NO_INLINE + #include +#else + #define WOLFSSL_MISC_INCLUDED + #include +#endif + +#include +#include +#include +#include +#include +#include + +int test_wolfssl_PKCS7(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_ALL) && defined(HAVE_PKCS7) && !defined(NO_BIO) && \ + !defined(NO_RSA) + PKCS7* pkcs7 = NULL; + byte data[FOURK_BUF]; + word32 len = sizeof(data); + const byte* p = data; + byte content[] = "Test data to encode."; +#if !defined(NO_RSA) & defined(USE_CERT_BUFFERS_2048) + BIO* bio = NULL; + byte key[sizeof(client_key_der_2048)]; + word32 keySz = (word32)sizeof(key); + byte* out = NULL; +#endif + + ExpectIntGT((len = (word32)CreatePKCS7SignedData(data, (int)len, content, + (word32)sizeof(content), 0, 0, 0, RSA_TYPE)), 0); + + ExpectNull(pkcs7 = d2i_PKCS7(NULL, NULL, (int)len)); + ExpectNull(pkcs7 = d2i_PKCS7(NULL, &p, 0)); + ExpectNotNull(pkcs7 = d2i_PKCS7(NULL, &p, (int)len)); + ExpectIntEQ(wolfSSL_PKCS7_verify(NULL, NULL, NULL, NULL, NULL, + PKCS7_NOVERIFY), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + PKCS7_free(pkcs7); + pkcs7 = NULL; + + /* fail case, without PKCS7_NOVERIFY */ + p = data; + ExpectNotNull(pkcs7 = d2i_PKCS7(NULL, &p, (int)len)); + ExpectIntEQ(wolfSSL_PKCS7_verify(pkcs7, NULL, NULL, NULL, NULL, + 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + PKCS7_free(pkcs7); + pkcs7 = NULL; + + /* success case, with PKCS7_NOVERIFY */ + p = data; + ExpectNotNull(pkcs7 = d2i_PKCS7(NULL, &p, (int)len)); + ExpectIntEQ(wolfSSL_PKCS7_verify(pkcs7, NULL, NULL, NULL, NULL, + PKCS7_NOVERIFY), WOLFSSL_SUCCESS); + +#if !defined(NO_RSA) & defined(USE_CERT_BUFFERS_2048) + /* test i2d */ + XMEMCPY(key, client_key_der_2048, keySz); + if (pkcs7 != NULL) { + pkcs7->privateKey = key; + pkcs7->privateKeySz = (word32)sizeof(key); + pkcs7->encryptOID = RSAk; + #ifdef NO_SHA + pkcs7->hashOID = SHA256h; + #else + pkcs7->hashOID = SHAh; + #endif + } + ExpectNotNull(bio = BIO_new(BIO_s_mem())); + ExpectIntEQ(i2d_PKCS7_bio(bio, pkcs7), 1); +#ifndef NO_ASN_TIME + ExpectIntEQ(i2d_PKCS7(pkcs7, &out), 655); +#else + ExpectIntEQ(i2d_PKCS7(pkcs7, &out), 625); +#endif + XFREE(out, NULL, DYNAMIC_TYPE_TMP_BUFFER); + BIO_free(bio); +#endif + + PKCS7_free(NULL); + PKCS7_free(pkcs7); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_PKCS7_certs(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_ALL) && !defined(NO_CERTS) && !defined(NO_BIO) && \ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) && defined(HAVE_PKCS7) + STACK_OF(X509)* sk = NULL; + STACK_OF(X509_INFO)* info_sk = NULL; + PKCS7 *p7 = NULL; + BIO* bio = NULL; + const byte* p = NULL; + int buflen = 0; + int i; + + /* Test twice. Once with d2i and once without to test + * that everything is free'd correctly. */ + for (i = 0; i < 2; i++) { + ExpectNotNull(p7 = PKCS7_new()); + if (p7 != NULL) { + p7->version = 1; + #ifdef NO_SHA + p7->hashOID = SHA256h; + #else + p7->hashOID = SHAh; + #endif + } + ExpectNotNull(bio = BIO_new(BIO_s_file())); + ExpectIntGT(BIO_read_filename(bio, svrCertFile), 0); + ExpectNotNull(info_sk = PEM_X509_INFO_read_bio(bio, NULL, NULL, NULL)); + ExpectIntEQ(sk_X509_INFO_num(info_sk), 2); + ExpectNotNull(sk = sk_X509_new_null()); + while (EXPECT_SUCCESS() && (sk_X509_INFO_num(info_sk) > 0)) { + X509_INFO* info = NULL; + ExpectNotNull(info = sk_X509_INFO_shift(info_sk)); + if (EXPECT_SUCCESS() && info != NULL) { + ExpectIntGT(sk_X509_push(sk, info->x509), 0); + info->x509 = NULL; + } + X509_INFO_free(info); + } + sk_X509_INFO_pop_free(info_sk, X509_INFO_free); + info_sk = NULL; + BIO_free(bio); + bio = NULL; + ExpectNotNull(bio = BIO_new(BIO_s_mem())); + ExpectIntEQ(wolfSSL_PKCS7_encode_certs(p7, sk, bio), 1); + if ((sk != NULL) && ((p7 == NULL) || (bio == NULL))) { + sk_X509_pop_free(sk, X509_free); + } + sk = NULL; + ExpectIntGT((buflen = BIO_get_mem_data(bio, &p)), 0); + + if (i == 0) { + PKCS7_free(p7); + p7 = NULL; + ExpectNotNull(d2i_PKCS7(&p7, &p, buflen)); + if (p7 != NULL) { + /* Reset certs to force wolfSSL_PKCS7_to_stack to regenerate + * them */ + ((WOLFSSL_PKCS7*)p7)->certs = NULL; + } + /* PKCS7_free free's the certs */ + ExpectNotNull(wolfSSL_PKCS7_to_stack(p7)); + } + + BIO_free(bio); + bio = NULL; + PKCS7_free(p7); + p7 = NULL; + } +#endif /* defined(OPENSSL_ALL) && !defined(NO_CERTS) && \ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) && defined(HAVE_PKCS7) */ + return EXPECT_RESULT(); +} + +int test_wolfSSL_PKCS7_sign(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_ALL) && defined(HAVE_PKCS7) && !defined(NO_BIO) && \ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) + + PKCS7* p7 = NULL; + PKCS7* p7Ver = NULL; + byte* out = NULL; + byte* tmpPtr = NULL; + int outLen = 0; + int flags = 0; + byte data[] = "Test data to encode."; + + const char* cert = "./certs/server-cert.pem"; + const char* key = "./certs/server-key.pem"; + const char* ca = "./certs/ca-cert.pem"; + + WOLFSSL_BIO* certBio = NULL; + WOLFSSL_BIO* keyBio = NULL; + WOLFSSL_BIO* caBio = NULL; + WOLFSSL_BIO* inBio = NULL; + X509* signCert = NULL; + EVP_PKEY* signKey = NULL; + X509* caCert = NULL; + X509_STORE* store = NULL; +#ifndef NO_PKCS7_STREAM + int z; + int ret; +#endif /* !NO_PKCS7_STREAM */ + + /* read signer cert/key into BIO */ + ExpectNotNull(certBio = BIO_new_file(cert, "r")); + ExpectNotNull(keyBio = BIO_new_file(key, "r")); + ExpectNotNull(signCert = PEM_read_bio_X509(certBio, NULL, 0, NULL)); + ExpectNotNull(signKey = PEM_read_bio_PrivateKey(keyBio, NULL, 0, NULL)); + + /* read CA cert into store (for verify) */ + ExpectNotNull(caBio = BIO_new_file(ca, "r")); + ExpectNotNull(caCert = PEM_read_bio_X509(caBio, NULL, 0, NULL)); + ExpectNotNull(store = X509_STORE_new()); + ExpectIntEQ(X509_STORE_add_cert(store, caCert), 1); + + /* data to be signed into BIO */ + ExpectNotNull(inBio = BIO_new(BIO_s_mem())); + ExpectIntGT(BIO_write(inBio, data, sizeof(data)), 0); + + /* PKCS7_sign, bad args: signer NULL */ + ExpectNull(p7 = PKCS7_sign(NULL, signKey, NULL, inBio, 0)); + /* PKCS7_sign, bad args: signer key NULL */ + ExpectNull(p7 = PKCS7_sign(signCert, NULL, NULL, inBio, 0)); + /* PKCS7_sign, bad args: in data NULL without PKCS7_STREAM */ + ExpectNull(p7 = PKCS7_sign(signCert, signKey, NULL, NULL, 0)); + /* PKCS7_sign, bad args: PKCS7_NOCERTS flag not supported */ + ExpectNull(p7 = PKCS7_sign(signCert, signKey, NULL, inBio, PKCS7_NOCERTS)); + /* PKCS7_sign, bad args: PKCS7_PARTIAL flag not supported */ + ExpectNull(p7 = PKCS7_sign(signCert, signKey, NULL, inBio, PKCS7_PARTIAL)); + + /* TEST SUCCESS: Not detached, not streaming, not MIME */ + { + flags = PKCS7_BINARY; + ExpectNotNull(p7 = PKCS7_sign(signCert, signKey, NULL, inBio, flags)); + ExpectIntGT((outLen = i2d_PKCS7(p7, &out)), 0); + + /* verify with d2i_PKCS7 */ + tmpPtr = out; + ExpectNotNull(p7Ver = d2i_PKCS7(NULL, (const byte**)&tmpPtr, outLen)); + ExpectIntEQ(PKCS7_verify(p7Ver, NULL, store, NULL, NULL, flags), 1); + PKCS7_free(p7Ver); + p7Ver = NULL; + + /* verify with wc_PKCS7_VerifySignedData */ + ExpectNotNull(p7Ver = wc_PKCS7_New(HEAP_HINT, testDevId)); + ExpectIntEQ(wc_PKCS7_Init(p7Ver, HEAP_HINT, INVALID_DEVID), 0); + ExpectIntEQ(wc_PKCS7_VerifySignedData(p7Ver, out, (word32)outLen), 0); + + #ifndef NO_PKCS7_STREAM + /* verify with wc_PKCS7_VerifySignedData streaming */ + wc_PKCS7_Free(p7Ver); + p7Ver = NULL; + ExpectNotNull(p7Ver = wc_PKCS7_New(HEAP_HINT, testDevId)); + ExpectIntEQ(wc_PKCS7_Init(p7Ver, HEAP_HINT, INVALID_DEVID), 0); + /* test for streaming */ + ret = -1; + for (z = 0; z < outLen && ret != 0; z++) { + ret = wc_PKCS7_VerifySignedData(p7Ver, out + z, 1); + if (ret < 0){ + ExpectIntEQ(ret, WC_NO_ERR_TRACE(WC_PKCS7_WANT_READ_E)); + } + } + ExpectIntEQ(ret, 0); + #endif /* !NO_PKCS7_STREAM */ + + /* compare the signer found to expected signer */ + ExpectIntNE(p7Ver->verifyCertSz, 0); + tmpPtr = NULL; + ExpectIntEQ(i2d_X509(signCert, &tmpPtr), p7Ver->verifyCertSz); + ExpectIntEQ(XMEMCMP(tmpPtr, p7Ver->verifyCert, p7Ver->verifyCertSz), 0); + XFREE(tmpPtr, NULL, DYNAMIC_TYPE_OPENSSL); + tmpPtr = NULL; + + wc_PKCS7_Free(p7Ver); + p7Ver = NULL; + + ExpectNotNull(out); + XFREE(out, NULL, DYNAMIC_TYPE_TMP_BUFFER); + out = NULL; + PKCS7_free(p7); + p7 = NULL; + } + + /* TEST SUCCESS: Not detached, streaming, not MIME. Also bad arg + * tests for PKCS7_final() while we have a PKCS7 pointer to use */ + { + /* re-populate input BIO, may have been consumed */ + BIO_free(inBio); + inBio = NULL; + ExpectNotNull(inBio = BIO_new(BIO_s_mem())); + ExpectIntGT(BIO_write(inBio, data, sizeof(data)), 0); + + flags = PKCS7_BINARY | PKCS7_STREAM; + ExpectNotNull(p7 = PKCS7_sign(signCert, signKey, NULL, inBio, flags)); + ExpectIntEQ(PKCS7_final(p7, inBio, flags), 1); + ExpectIntGT((outLen = i2d_PKCS7(p7, &out)), 0); + + /* PKCS7_final, bad args: PKCS7 null */ + ExpectIntEQ(PKCS7_final(NULL, inBio, 0), 0); + /* PKCS7_final, bad args: PKCS7 null */ + ExpectIntEQ(PKCS7_final(p7, NULL, 0), 0); + + tmpPtr = out; + ExpectNotNull(p7Ver = d2i_PKCS7(NULL, (const byte**)&tmpPtr, outLen)); + ExpectIntEQ(PKCS7_verify(p7Ver, NULL, store, NULL, NULL, flags), 1); + PKCS7_free(p7Ver); + p7Ver = NULL; + + ExpectNotNull(out); + XFREE(out, NULL, DYNAMIC_TYPE_TMP_BUFFER); + out = NULL; + PKCS7_free(p7); + p7 = NULL; + } + + /* TEST SUCCESS: Detached, not streaming, not MIME */ + { + /* re-populate input BIO, may have been consumed */ + BIO_free(inBio); + inBio = NULL; + ExpectNotNull(inBio = BIO_new(BIO_s_mem())); + ExpectIntGT(BIO_write(inBio, data, sizeof(data)), 0); + + flags = PKCS7_BINARY | PKCS7_DETACHED; + ExpectNotNull(p7 = PKCS7_sign(signCert, signKey, NULL, inBio, flags)); + ExpectIntGT((outLen = i2d_PKCS7(p7, &out)), 0); + ExpectNotNull(out); + + /* verify with wolfCrypt, d2i_PKCS7 does not support detached content */ + ExpectNotNull(p7Ver = wc_PKCS7_New(HEAP_HINT, testDevId)); + if (p7Ver != NULL) { + p7Ver->content = data; + p7Ver->contentSz = sizeof(data); + } + ExpectIntEQ(wc_PKCS7_VerifySignedData(p7Ver, out, (word32)outLen), 0); + wc_PKCS7_Free(p7Ver); + p7Ver = NULL; + + #ifndef NO_PKCS7_STREAM + /* verify with wc_PKCS7_VerifySignedData streaming */ + ExpectNotNull(p7Ver = wc_PKCS7_New(HEAP_HINT, testDevId)); + if (p7Ver != NULL) { + p7Ver->content = data; + p7Ver->contentSz = sizeof(data); + } + /* test for streaming */ + if (EXPECT_SUCCESS()) { + ret = -1; + for (z = 0; z < outLen && ret != 0; z++) { + ret = wc_PKCS7_VerifySignedData(p7Ver, out + z, 1); + if (ret < 0){ + ExpectIntEQ(ret, WC_NO_ERR_TRACE(WC_PKCS7_WANT_READ_E)); + } + } + ExpectIntEQ(ret, 0); + } + wc_PKCS7_Free(p7Ver); + p7Ver = NULL; + #endif /* !NO_PKCS7_STREAM */ + + /* verify expected failure (NULL return) from d2i_PKCS7, it does not + * yet support detached content */ + tmpPtr = out; + ExpectNull(p7Ver = d2i_PKCS7(NULL, (const byte**)&tmpPtr, outLen)); + PKCS7_free(p7Ver); + p7Ver = NULL; + + XFREE(out, NULL, DYNAMIC_TYPE_TMP_BUFFER); + out = NULL; + PKCS7_free(p7); + p7 = NULL; + } + + /* TEST SUCCESS: Detached, streaming, not MIME */ + { + /* re-populate input BIO, may have been consumed */ + BIO_free(inBio); + inBio = NULL; + ExpectNotNull(inBio = BIO_new(BIO_s_mem())); + ExpectIntGT(BIO_write(inBio, data, sizeof(data)), 0); + + flags = PKCS7_BINARY | PKCS7_DETACHED | PKCS7_STREAM; + ExpectNotNull(p7 = PKCS7_sign(signCert, signKey, NULL, inBio, flags)); + ExpectIntEQ(PKCS7_final(p7, inBio, flags), 1); + ExpectIntGT((outLen = i2d_PKCS7(p7, &out)), 0); + + /* verify with wolfCrypt, d2i_PKCS7 does not support detached content */ + ExpectNotNull(p7Ver = wc_PKCS7_New(HEAP_HINT, testDevId)); + if (p7Ver != NULL) { + p7Ver->content = data; + p7Ver->contentSz = sizeof(data); + } + ExpectIntEQ(wc_PKCS7_VerifySignedData(p7Ver, out, (word32)outLen), 0); + wc_PKCS7_Free(p7Ver); + p7Ver = NULL; + + ExpectNotNull(out); + + #ifndef NO_PKCS7_STREAM + /* verify with wc_PKCS7_VerifySignedData streaming */ + ExpectNotNull(p7Ver = wc_PKCS7_New(HEAP_HINT, testDevId)); + if (p7Ver != NULL) { + p7Ver->content = data; + p7Ver->contentSz = sizeof(data); + } + /* test for streaming */ + if (EXPECT_SUCCESS()) { + ret = -1; + for (z = 0; z < outLen && ret != 0; z++) { + ret = wc_PKCS7_VerifySignedData(p7Ver, out + z, 1); + if (ret < 0){ + ExpectIntEQ(ret, WC_NO_ERR_TRACE(WC_PKCS7_WANT_READ_E)); + } + } + ExpectIntEQ(ret, 0); + } + wc_PKCS7_Free(p7Ver); + p7Ver = NULL; + #endif /* !NO_PKCS7_STREAM */ + + XFREE(out, NULL, DYNAMIC_TYPE_TMP_BUFFER); + PKCS7_free(p7); + p7 = NULL; + } + + X509_STORE_free(store); + X509_free(caCert); + X509_free(signCert); + EVP_PKEY_free(signKey); + BIO_free(inBio); + BIO_free(keyBio); + BIO_free(certBio); + BIO_free(caBio); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_PKCS7_SIGNED_new(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_ALL) && defined(HAVE_PKCS7) + PKCS7_SIGNED* pkcs7 = NULL; + + ExpectNotNull(pkcs7 = PKCS7_SIGNED_new()); + ExpectIntEQ(pkcs7->contentOID, SIGNED_DATA); + + PKCS7_SIGNED_free(pkcs7); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_PEM_write_bio_PKCS7(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_ALL) && defined(HAVE_PKCS7) && !defined(NO_FILESYSTEM) && \ + !defined(NO_BIO) + PKCS7* pkcs7 = NULL; + BIO* bio = NULL; + const byte* cert_buf = NULL; + int ret = 0; + WC_RNG rng; + const byte data[] = { /* Hello World */ + 0x48,0x65,0x6c,0x6c,0x6f,0x20,0x57,0x6f, + 0x72,0x6c,0x64 + }; +#ifndef NO_RSA + #if defined(USE_CERT_BUFFERS_2048) + byte key[sizeof(client_key_der_2048)]; + byte cert[sizeof(client_cert_der_2048)]; + word32 keySz = (word32)sizeof(key); + word32 certSz = (word32)sizeof(cert); + XMEMSET(key, 0, keySz); + XMEMSET(cert, 0, certSz); + XMEMCPY(key, client_key_der_2048, keySz); + XMEMCPY(cert, client_cert_der_2048, certSz); + #elif defined(USE_CERT_BUFFERS_1024) + byte key[sizeof_client_key_der_1024]; + byte cert[sizeof(sizeof_client_cert_der_1024)]; + word32 keySz = (word32)sizeof(key); + word32 certSz = (word32)sizeof(cert); + XMEMSET(key, 0, keySz); + XMEMSET(cert, 0, certSz); + XMEMCPY(key, client_key_der_1024, keySz); + XMEMCPY(cert, client_cert_der_1024, certSz); + #else + unsigned char cert[ONEK_BUF]; + unsigned char key[ONEK_BUF]; + XFILE fp = XBADFILE; + int certSz; + int keySz; + + ExpectTrue((fp = XFOPEN("./certs/1024/client-cert.der", "rb")) != + XBADFILE); + ExpectIntGT(certSz = (int)XFREAD(cert, 1, sizeof_client_cert_der_1024, + fp), 0); + if (fp != XBADFILE) { + XFCLOSE(fp); + fp = XBADFILE; + } + + ExpectTrue((fp = XFOPEN("./certs/1024/client-key.der", "rb")) != + XBADFILE); + ExpectIntGT(keySz = (int)XFREAD(key, 1, sizeof_client_key_der_1024, fp), + 0); + if (fp != XBADFILE) { + XFCLOSE(fp); + fp = XBADFILE; + } + #endif +#elif defined(HAVE_ECC) + #if defined(USE_CERT_BUFFERS_256) + unsigned char cert[sizeof(cliecc_cert_der_256)]; + unsigned char key[sizeof(ecc_clikey_der_256)]; + int certSz = (int)sizeof(cert); + int keySz = (int)sizeof(key); + XMEMSET(cert, 0, certSz); + XMEMSET(key, 0, keySz); + XMEMCPY(cert, cliecc_cert_der_256, sizeof_cliecc_cert_der_256); + XMEMCPY(key, ecc_clikey_der_256, sizeof_ecc_clikey_der_256); + #else + unsigned char cert[ONEK_BUF]; + unsigned char key[ONEK_BUF]; + XFILE fp = XBADFILE; + int certSz, keySz; + + ExpectTrue((fp = XFOPEN("./certs/client-ecc-cert.der", "rb")) != + XBADFILE); + ExpectIntGT(certSz = (int)XFREAD(cert, 1, sizeof_cliecc_cert_der_256, + fp), 0); + if (fp != XBADFILE) { + XFCLOSE(fp); + fp = XBADFILE; + } + + ExpectTrue((fp = XFOPEN("./certs/client-ecc-key.der", "rb")) != + XBADFILE); + ExpectIntGT(keySz = (int)XFREAD(key, 1, sizeof_ecc_clikey_der_256, fp), + 0); + if (fp != XBADFILE) { + XFCLOSE(fp); + fp = XBADFILE; + } + #endif +#else + #error PKCS7 requires ECC or RSA +#endif + + ExpectNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, testDevId)); + /* initialize with DER encoded cert */ + ExpectIntEQ(wc_PKCS7_InitWithCert(pkcs7, (byte*)cert, (word32)certSz), 0); + + /* init rng */ + XMEMSET(&rng, 0, sizeof(WC_RNG)); + ExpectIntEQ(wc_InitRng(&rng), 0); + + if (pkcs7 != NULL) { + pkcs7->rng = &rng; + pkcs7->content = (byte*)data; /* not used for ex */ + pkcs7->contentSz = (word32)sizeof(data); + pkcs7->contentOID = SIGNED_DATA; + pkcs7->privateKey = key; + pkcs7->privateKeySz = (word32)sizeof(key); + pkcs7->encryptOID = RSAk; + #ifdef NO_SHA + pkcs7->hashOID = SHA256h; + #else + pkcs7->hashOID = SHAh; + #endif + pkcs7->signedAttribs = NULL; + pkcs7->signedAttribsSz = 0; + } + + ExpectNotNull(bio = BIO_new(BIO_s_mem())); + /* Write PKCS#7 PEM to BIO, the function converts the DER to PEM cert*/ + ExpectIntEQ(PEM_write_bio_PKCS7(bio, pkcs7), WOLFSSL_SUCCESS); + + /* Read PKCS#7 PEM from BIO */ + ret = wolfSSL_BIO_get_mem_data(bio, &cert_buf); + ExpectIntGE(ret, 0); + + BIO_free(bio); + wc_PKCS7_Free(pkcs7); + wc_FreeRng(&rng); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_PEM_write_bio_encryptedKey(void) +{ + EXPECT_DECLS; +#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)) && \ + defined(WOLFSSL_KEY_GEN) && !defined(NO_RSA) && \ + defined(WOLFSSL_ENCRYPTED_KEYS) && \ + (defined(WOLFSSL_PEM_TO_DER) || defined(WOLFSSL_DER_TO_PEM)) && \ + !defined(NO_FILESYSTEM) && !defined(NO_BIO) && !defined(NO_CERTS) && \ + !defined(NO_DES3) + RSA* rsaKey = NULL; + RSA* retKey = NULL; + const EVP_CIPHER *cipher = NULL; + BIO* bio = NULL; + BIO* retbio = NULL; + byte* out; + const char* password = "wolfssl"; + word32 passwordSz =(word32)XSTRLEN((char*)password); + int membufSz = 0; + +#if defined(USE_CERT_BUFFERS_2048) + const byte* key = client_key_der_2048; + word32 keySz = sizeof_client_key_der_2048; +#elif defined(USE_CERT_BUFFERS_1024) + const byte* key = client_key_der_1024; + word32 keySz = sizeof_client_key_der_1024; +#endif + /* Import Rsa Key */ + ExpectNotNull(rsaKey = wolfSSL_RSA_new()); + ExpectIntEQ(wolfSSL_RSA_LoadDer_ex(rsaKey, key, keySz, + WOLFSSL_RSA_LOAD_PRIVATE), 1); + + ExpectNotNull(cipher = EVP_des_ede3_cbc()); + ExpectNotNull(bio = BIO_new(BIO_s_mem())); + ExpectIntEQ(PEM_write_bio_RSAPrivateKey(bio, rsaKey, cipher, + (byte*)password, passwordSz, NULL, NULL), 1); + ExpectIntGT((membufSz = BIO_get_mem_data(bio, &out)), 0); + ExpectNotNull(retbio = BIO_new_mem_buf(out, membufSz)); + ExpectNotNull((retKey = PEM_read_bio_RSAPrivateKey(retbio, NULL, + NULL, (void*)password))); + if (bio != NULL) { + BIO_free(bio); + } + if (retbio != NULL) { + BIO_free(retbio); + } + if (retKey != NULL) { + RSA_free(retKey); + } + if (rsaKey != NULL) { + RSA_free(rsaKey); + } +#endif + return EXPECT_RESULT(); +} + +/* // NOLINTBEGIN(clang-analyzer-unix.Stream) */ +int test_wolfSSL_SMIME_read_PKCS7(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_ALL) && defined(HAVE_PKCS7) && !defined(NO_FILESYSTEM) && \ + !defined(NO_RSA) && !defined(NO_BIO) && defined(HAVE_SMIME) + PKCS7* pkcs7 = NULL; + BIO* bio = NULL; + BIO* bcont = NULL; + BIO* out = NULL; + const byte* outBuf = NULL; + int outBufLen = 0; + static const char contTypeText[] = "Content-Type: text/plain\r\n\r\n"; + XFILE smimeTestFile = XBADFILE; + + ExpectTrue((smimeTestFile = XFOPEN("./certs/test/smime-test.p7s", "rb")) != + XBADFILE); + + /* smime-test.p7s */ + bio = wolfSSL_BIO_new(wolfSSL_BIO_s_file()); + ExpectNotNull(bio); + ExpectIntEQ(wolfSSL_BIO_set_fp(bio, smimeTestFile, BIO_CLOSE), SSL_SUCCESS); + pkcs7 = wolfSSL_SMIME_read_PKCS7(bio, &bcont); + ExpectNotNull(pkcs7); + ExpectIntEQ(wolfSSL_PKCS7_verify(pkcs7, NULL, NULL, bcont, NULL, + PKCS7_NOVERIFY), SSL_SUCCESS); + if (smimeTestFile != XBADFILE) { + XFCLOSE(smimeTestFile); + smimeTestFile = XBADFILE; + } + if (bcont) BIO_free(bcont); + bcont = NULL; + wolfSSL_PKCS7_free(pkcs7); + pkcs7 = NULL; + + /* smime-test-multipart.p7s */ + smimeTestFile = XFOPEN("./certs/test/smime-test-multipart.p7s", "rb"); + ExpectFalse(smimeTestFile == XBADFILE); + ExpectIntEQ(wolfSSL_BIO_set_fp(bio, smimeTestFile, BIO_CLOSE), SSL_SUCCESS); + pkcs7 = wolfSSL_SMIME_read_PKCS7(bio, &bcont); + ExpectNotNull(pkcs7); + ExpectIntEQ(wolfSSL_PKCS7_verify(pkcs7, NULL, NULL, bcont, NULL, + PKCS7_NOVERIFY), SSL_SUCCESS); + if (smimeTestFile != XBADFILE) { + XFCLOSE(smimeTestFile); + smimeTestFile = XBADFILE; + } + if (bcont) BIO_free(bcont); + bcont = NULL; + wolfSSL_PKCS7_free(pkcs7); + pkcs7 = NULL; + + /* smime-test-multipart-badsig.p7s */ + smimeTestFile = XFOPEN("./certs/test/smime-test-multipart-badsig.p7s", + "rb"); + ExpectFalse(smimeTestFile == XBADFILE); + ExpectIntEQ(wolfSSL_BIO_set_fp(bio, smimeTestFile, BIO_CLOSE), SSL_SUCCESS); + pkcs7 = wolfSSL_SMIME_read_PKCS7(bio, &bcont); + ExpectNotNull(pkcs7); /* can read in the unverified smime bundle */ + ExpectIntEQ(wolfSSL_PKCS7_verify(pkcs7, NULL, NULL, bcont, NULL, + PKCS7_NOVERIFY), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + if (smimeTestFile != XBADFILE) { + XFCLOSE(smimeTestFile); + smimeTestFile = XBADFILE; + } + if (bcont) BIO_free(bcont); + bcont = NULL; + wolfSSL_PKCS7_free(pkcs7); + pkcs7 = NULL; + + /* smime-test-canon.p7s */ + smimeTestFile = XFOPEN("./certs/test/smime-test-canon.p7s", "rb"); + ExpectFalse(smimeTestFile == XBADFILE); + ExpectIntEQ(wolfSSL_BIO_set_fp(bio, smimeTestFile, BIO_CLOSE), SSL_SUCCESS); + pkcs7 = wolfSSL_SMIME_read_PKCS7(bio, &bcont); + ExpectNotNull(pkcs7); + ExpectIntEQ(wolfSSL_PKCS7_verify(pkcs7, NULL, NULL, bcont, NULL, + PKCS7_NOVERIFY), SSL_SUCCESS); + if (smimeTestFile != XBADFILE) { + XFCLOSE(smimeTestFile); + smimeTestFile = XBADFILE; + } + if (bcont) BIO_free(bcont); + bcont = NULL; + wolfSSL_PKCS7_free(pkcs7); + pkcs7 = NULL; + + /* Test PKCS7_TEXT, PKCS7_verify() should remove Content-Type: text/plain */ + smimeTestFile = XFOPEN("./certs/test/smime-test-canon.p7s", "rb"); + ExpectFalse(smimeTestFile == XBADFILE); + ExpectIntEQ(wolfSSL_BIO_set_fp(bio, smimeTestFile, BIO_CLOSE), SSL_SUCCESS); + pkcs7 = wolfSSL_SMIME_read_PKCS7(bio, &bcont); + ExpectNotNull(pkcs7); + out = wolfSSL_BIO_new(BIO_s_mem()); + ExpectNotNull(out); + ExpectIntEQ(wolfSSL_PKCS7_verify(pkcs7, NULL, NULL, bcont, out, + PKCS7_NOVERIFY | PKCS7_TEXT), SSL_SUCCESS); + ExpectIntGT((outBufLen = BIO_get_mem_data(out, &outBuf)), 0); + /* Content-Type should not show up at beginning of output buffer */ + ExpectIntGT(outBufLen, XSTRLEN(contTypeText)); + ExpectIntGT(XMEMCMP(outBuf, contTypeText, XSTRLEN(contTypeText)), 0); + + BIO_free(out); + BIO_free(bio); + if (bcont) BIO_free(bcont); + wolfSSL_PKCS7_free(pkcs7); +#endif + return EXPECT_RESULT(); +} +/* // NOLINTEND(clang-analyzer-unix.Stream) */ + +int test_wolfSSL_SMIME_write_PKCS7(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_ALL) && defined(HAVE_PKCS7) && !defined(NO_RSA) && \ + !defined(NO_BIO) && defined(HAVE_SMIME) + PKCS7* p7 = NULL; + PKCS7* p7Ver = NULL; + int flags = 0; + byte data[] = "Test data to encode."; + + const char* cert = "./certs/server-cert.pem"; + const char* key = "./certs/server-key.pem"; + const char* ca = "./certs/ca-cert.pem"; + + WOLFSSL_BIO* certBio = NULL; + WOLFSSL_BIO* keyBio = NULL; + WOLFSSL_BIO* caBio = NULL; + WOLFSSL_BIO* inBio = NULL; + WOLFSSL_BIO* outBio = NULL; + WOLFSSL_BIO* content = NULL; + X509* signCert = NULL; + EVP_PKEY* signKey = NULL; + X509* caCert = NULL; + X509_STORE* store = NULL; + + /* read signer cert/key into BIO */ + ExpectNotNull(certBio = BIO_new_file(cert, "r")); + ExpectNotNull(keyBio = BIO_new_file(key, "r")); + ExpectNotNull(signCert = PEM_read_bio_X509(certBio, NULL, 0, NULL)); + ExpectNotNull(signKey = PEM_read_bio_PrivateKey(keyBio, NULL, 0, NULL)); + + /* read CA cert into store (for verify) */ + ExpectNotNull(caBio = BIO_new_file(ca, "r")); + ExpectNotNull(caCert = PEM_read_bio_X509(caBio, NULL, 0, NULL)); + ExpectNotNull(store = X509_STORE_new()); + ExpectIntEQ(X509_STORE_add_cert(store, caCert), 1); + + + /* generate and verify SMIME: not detached */ + { + ExpectNotNull(inBio = BIO_new(BIO_s_mem())); + ExpectIntGT(BIO_write(inBio, data, sizeof(data)), 0); + + flags = PKCS7_STREAM; + ExpectNotNull(p7 = PKCS7_sign(signCert, signKey, NULL, inBio, flags)); + ExpectNotNull(outBio = BIO_new(BIO_s_mem())); + ExpectIntEQ(SMIME_write_PKCS7(outBio, p7, inBio, flags), 1); + + /* bad arg: out NULL */ + ExpectIntEQ(SMIME_write_PKCS7(NULL, p7, inBio, flags), 0); + /* bad arg: pkcs7 NULL */ + ExpectIntEQ(SMIME_write_PKCS7(outBio, NULL, inBio, flags), 0); + + ExpectNotNull(p7Ver = SMIME_read_PKCS7(outBio, &content)); + ExpectIntEQ(PKCS7_verify(p7Ver, NULL, store, NULL, NULL, flags), 1); + + BIO_free(content); + content = NULL; + BIO_free(inBio); + inBio = NULL; + BIO_free(outBio); + outBio = NULL; + PKCS7_free(p7Ver); + p7Ver = NULL; + PKCS7_free(p7); + p7 = NULL; + } + + /* generate and verify SMIME: not detached, add Content-Type */ + { + ExpectNotNull(inBio = BIO_new(BIO_s_mem())); + ExpectIntGT(BIO_write(inBio, data, sizeof(data)), 0); + + flags = PKCS7_STREAM | PKCS7_TEXT; + ExpectNotNull(p7 = PKCS7_sign(signCert, signKey, NULL, inBio, flags)); + ExpectNotNull(outBio = BIO_new(BIO_s_mem())); + ExpectIntEQ(SMIME_write_PKCS7(outBio, p7, inBio, flags), 1); + + ExpectNotNull(p7Ver = SMIME_read_PKCS7(outBio, &content)); + ExpectIntEQ(PKCS7_verify(p7Ver, NULL, store, NULL, NULL, flags), 1); + + BIO_free(content); + content = NULL; + BIO_free(inBio); + inBio = NULL; + BIO_free(outBio); + outBio = NULL; + PKCS7_free(p7Ver); + p7Ver = NULL; + PKCS7_free(p7); + p7 = NULL; + } + + /* generate and verify SMIME: detached */ + { + ExpectNotNull(inBio = BIO_new(BIO_s_mem())); + ExpectIntGT(BIO_write(inBio, data, sizeof(data)), 0); + + flags = PKCS7_DETACHED | PKCS7_STREAM; + ExpectNotNull(p7 = PKCS7_sign(signCert, signKey, NULL, inBio, flags)); + ExpectNotNull(outBio = BIO_new(BIO_s_mem())); + ExpectIntEQ(SMIME_write_PKCS7(outBio, p7, inBio, flags), 1); + + ExpectNotNull(p7Ver = SMIME_read_PKCS7(outBio, &content)); + ExpectIntEQ(PKCS7_verify(p7Ver, NULL, store, content, NULL, flags), 1); + + BIO_free(content); + content = NULL; + BIO_free(inBio); + inBio = NULL; + BIO_free(outBio); + outBio = NULL; + PKCS7_free(p7Ver); + p7Ver = NULL; + PKCS7_free(p7); + p7 = NULL; + } + + /* generate and verify SMIME: PKCS7_TEXT to add Content-Type header */ + { + ExpectNotNull(inBio = BIO_new(BIO_s_mem())); + ExpectIntGT(BIO_write(inBio, data, sizeof(data)), 0); + + flags = PKCS7_STREAM | PKCS7_DETACHED | PKCS7_TEXT; + ExpectNotNull(p7 = PKCS7_sign(signCert, signKey, NULL, inBio, flags)); + ExpectNotNull(outBio = BIO_new(BIO_s_mem())); + ExpectIntEQ(SMIME_write_PKCS7(outBio, p7, inBio, flags), 1); + + ExpectNotNull(p7Ver = SMIME_read_PKCS7(outBio, &content)); + ExpectIntEQ(PKCS7_verify(p7Ver, NULL, store, content, NULL, flags), 1); + + BIO_free(content); + content = NULL; + BIO_free(inBio); + inBio = NULL; + BIO_free(outBio); + outBio = NULL; + PKCS7_free(p7Ver); + p7Ver = NULL; + PKCS7_free(p7); + p7 = NULL; + } + + X509_STORE_free(store); + X509_free(caCert); + X509_free(signCert); + EVP_PKEY_free(signKey); + BIO_free(keyBio); + BIO_free(certBio); + BIO_free(caBio); +#endif + return EXPECT_RESULT(); +} + +/* Testing functions dealing with PKCS12 parsing out X509 certs */ +int test_wolfSSL_PKCS12(void) +{ + EXPECT_DECLS; + /* .p12 file is encrypted with DES3 */ +#ifndef HAVE_FIPS /* Password used in cert "wolfSSL test" is only 12-bytes + * (96-bit) FIPS mode requires Minimum of 14-byte (112-bit) + * Password Key + */ +#if defined(OPENSSL_EXTRA) && !defined(NO_DES3) && !defined(NO_FILESYSTEM) && \ + !defined(NO_STDIO_FILESYSTEM) && !defined(NO_TLS) && \ + !defined(NO_ASN) && !defined(NO_PWDBASED) && !defined(NO_RSA) && \ + !defined(NO_SHA) && defined(HAVE_PKCS12) && !defined(NO_BIO) && \ + defined(WOLFSSL_AES_256) + byte buf[6000]; + char file[] = "./certs/test-servercert.p12"; + char order[] = "./certs/ecc-rsa-server.p12"; +#ifdef WC_RC2 + char rc2p12[] = "./certs/test-servercert-rc2.p12"; +#endif + char pass[] = "a password"; + const char goodPsw[] = "wolfSSL test"; + const char badPsw[] = "bad"; +#ifdef HAVE_ECC + WOLFSSL_X509_NAME *subject = NULL; + WOLFSSL_X509 *x509 = NULL; +#endif + XFILE f = XBADFILE; + int bytes = 0, ret = 0, goodPswLen = 0, badPswLen = 0; + WOLFSSL_BIO *bio = NULL; + WOLFSSL_EVP_PKEY *pkey = NULL; + WC_PKCS12 *pkcs12 = NULL; + WC_PKCS12 *pkcs12_2 = NULL; + WOLFSSL_X509 *cert = NULL; + WOLFSSL_X509 *tmp = NULL; + WOLF_STACK_OF(WOLFSSL_X509) *ca = NULL; +#if (defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO) || defined(WOLFSSL_HAPROXY) \ + || defined(WOLFSSL_NGINX)) && defined(SESSION_CERTS) + WOLFSSL_CTX *ctx = NULL; + WOLFSSL *ssl = NULL; + WOLF_STACK_OF(WOLFSSL_X509) *tmp_ca = NULL; +#endif + + ExpectTrue((f = XFOPEN(file, "rb")) != XBADFILE); + ExpectIntGT(bytes = (int)XFREAD(buf, 1, sizeof(buf), f), 0); + if (f != XBADFILE) { + XFCLOSE(f); + f = XBADFILE; + } + + goodPswLen = (int)XSTRLEN(goodPsw); + badPswLen = (int)XSTRLEN(badPsw); + + ExpectNotNull(bio = wolfSSL_BIO_new(wolfSSL_BIO_s_mem())); + + ExpectIntEQ(BIO_write(bio, buf, bytes), bytes); /* d2i consumes BIO */ + ExpectNotNull(d2i_PKCS12_bio(bio, &pkcs12)); + ExpectNotNull(pkcs12); + BIO_free(bio); + bio = NULL; + + /* check verify MAC directly */ + ExpectIntEQ(ret = PKCS12_verify_mac(pkcs12, goodPsw, goodPswLen), 1); + + /* check verify MAC fail case directly */ + ExpectIntEQ(ret = PKCS12_verify_mac(pkcs12, badPsw, badPswLen), 0); + + /* check verify MAC fail case */ + ExpectIntEQ(ret = PKCS12_parse(pkcs12, "bad", &pkey, &cert, NULL), 0); + ExpectNull(pkey); + ExpectNull(cert); + + /* check parse with no extra certs kept */ + ExpectIntEQ(ret = PKCS12_parse(pkcs12, "wolfSSL test", &pkey, &cert, NULL), + 1); + ExpectNotNull(pkey); + ExpectNotNull(cert); + + wolfSSL_EVP_PKEY_free(pkey); + pkey = NULL; + wolfSSL_X509_free(cert); + cert = NULL; + + /* check parse with extra certs kept */ + ExpectIntEQ(ret = PKCS12_parse(pkcs12, "wolfSSL test", &pkey, &cert, &ca), + 1); + ExpectNotNull(pkey); + ExpectNotNull(cert); + ExpectNotNull(ca); + +#if (defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO) || defined(WOLFSSL_HAPROXY) \ + || defined(WOLFSSL_NGINX)) && defined(SESSION_CERTS) + + /* Check that SSL_CTX_set0_chain correctly sets the certChain buffer */ +#if !defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER) +#if !defined(NO_WOLFSSL_CLIENT) && defined(SESSION_CERTS) + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); +#else + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); +#endif + /* Copy stack structure */ + ExpectNotNull(tmp_ca = X509_chain_up_ref(ca)); + ExpectIntEQ(SSL_CTX_set0_chain(ctx, tmp_ca), 1); + /* CTX now owns the tmp_ca stack structure */ + tmp_ca = NULL; + ExpectIntEQ(wolfSSL_CTX_get_extra_chain_certs(ctx, &tmp_ca), 1); + ExpectNotNull(tmp_ca); + ExpectIntEQ(sk_X509_num(tmp_ca), sk_X509_num(ca)); + /* Check that the main cert is also set */ + ExpectNotNull(SSL_CTX_get0_certificate(ctx)); + ExpectNotNull(ssl = SSL_new(ctx)); + ExpectNotNull(SSL_get_certificate(ssl)); + SSL_free(ssl); + SSL_CTX_free(ctx); + ctx = NULL; +#endif +#endif /* !NO_WOLFSSL_CLIENT || !NO_WOLFSSL_SERVER */ + /* should be 2 other certs on stack */ + ExpectNotNull(tmp = sk_X509_pop(ca)); + X509_free(tmp); + ExpectNotNull(tmp = sk_X509_pop(ca)); + X509_free(tmp); + ExpectNull(sk_X509_pop(ca)); + + EVP_PKEY_free(pkey); + pkey = NULL; + X509_free(cert); + cert = NULL; + sk_X509_pop_free(ca, X509_free); + ca = NULL; + + /* check PKCS12_create */ + ExpectNull(PKCS12_create(pass, NULL, NULL, NULL, NULL, -1, -1, -1, -1,0)); + ExpectIntEQ(PKCS12_parse(pkcs12, "wolfSSL test", &pkey, &cert, &ca), + SSL_SUCCESS); + ExpectNotNull((pkcs12_2 = PKCS12_create(pass, NULL, pkey, cert, ca, + -1, -1, 100, -1, 0))); + EVP_PKEY_free(pkey); + pkey = NULL; + X509_free(cert); + cert = NULL; + sk_X509_pop_free(ca, NULL); + ca = NULL; + + ExpectIntEQ(PKCS12_parse(pkcs12_2, "a password", &pkey, &cert, &ca), + SSL_SUCCESS); + PKCS12_free(pkcs12_2); + pkcs12_2 = NULL; + ExpectNotNull((pkcs12_2 = PKCS12_create(pass, NULL, pkey, cert, ca, + NID_pbe_WithSHA1And3_Key_TripleDES_CBC, + NID_pbe_WithSHA1And3_Key_TripleDES_CBC, + 2000, 1, 0))); + EVP_PKEY_free(pkey); + pkey = NULL; + X509_free(cert); + cert = NULL; + sk_X509_pop_free(ca, NULL); + ca = NULL; + + /* convert to DER then back and parse */ + ExpectNotNull(bio = BIO_new(BIO_s_mem())); + ExpectIntEQ(i2d_PKCS12_bio(bio, pkcs12_2), SSL_SUCCESS); + PKCS12_free(pkcs12_2); + pkcs12_2 = NULL; + + ExpectNotNull(pkcs12_2 = d2i_PKCS12_bio(bio, NULL)); + BIO_free(bio); + bio = NULL; + ExpectIntEQ(PKCS12_parse(pkcs12_2, "a password", &pkey, &cert, &ca), + SSL_SUCCESS); + + /* should be 2 other certs on stack */ + ExpectNotNull(tmp = sk_X509_pop(ca)); + X509_free(tmp); + ExpectNotNull(tmp = sk_X509_pop(ca)); + X509_free(tmp); + ExpectNull(sk_X509_pop(ca)); + + +#ifndef NO_RC4 + PKCS12_free(pkcs12_2); + pkcs12_2 = NULL; + ExpectNotNull((pkcs12_2 = PKCS12_create(pass, NULL, pkey, cert, NULL, + NID_pbe_WithSHA1And128BitRC4, + NID_pbe_WithSHA1And128BitRC4, + 2000, 1, 0))); + EVP_PKEY_free(pkey); + pkey = NULL; + X509_free(cert); + cert = NULL; + sk_X509_pop_free(ca, NULL); + ca = NULL; + + ExpectIntEQ(PKCS12_parse(pkcs12_2, "a password", &pkey, &cert, &ca), + SSL_SUCCESS); + +#endif /* NO_RC4 */ + + EVP_PKEY_free(pkey); + pkey = NULL; + X509_free(cert); + cert = NULL; + PKCS12_free(pkcs12); + pkcs12 = NULL; + PKCS12_free(pkcs12_2); + pkcs12_2 = NULL; + sk_X509_pop_free(ca, NULL); + ca = NULL; + +#ifdef HAVE_ECC + /* test order of parsing */ + ExpectTrue((f = XFOPEN(order, "rb")) != XBADFILE); + ExpectIntGT(bytes = (int)XFREAD(buf, 1, sizeof(buf), f), 0); + if (f != XBADFILE) { + XFCLOSE(f); + f = XBADFILE; + } + + ExpectNotNull(bio = BIO_new_mem_buf((void*)buf, bytes)); + ExpectNotNull(pkcs12 = d2i_PKCS12_bio(bio, NULL)); + ExpectIntEQ((ret = PKCS12_parse(pkcs12, "", &pkey, &cert, &ca)), + WOLFSSL_SUCCESS); + + /* check use of pkey after parse */ +#if (defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO) || defined(WOLFSSL_HAPROXY) \ + || defined(WOLFSSL_NGINX)) && defined(SESSION_CERTS) +#if !defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER) +#if !defined(NO_WOLFSSL_CLIENT) && defined(SESSION_CERTS) + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); +#else + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); +#endif + ExpectIntEQ(SSL_CTX_use_PrivateKey(ctx, pkey), WOLFSSL_SUCCESS); + SSL_CTX_free(ctx); +#endif /* !NO_WOLFSSL_CLIENT || !NO_WOLFSSL_SERVER */ +#endif + + ExpectNotNull(pkey); + ExpectNotNull(cert); + ExpectNotNull(ca); + + /* compare subject lines of certificates */ + ExpectNotNull(subject = wolfSSL_X509_get_subject_name(cert)); + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(eccRsaCertFile, + SSL_FILETYPE_PEM)); + ExpectIntEQ(wolfSSL_X509_NAME_cmp((const WOLFSSL_X509_NAME*)subject, + (const WOLFSSL_X509_NAME*)wolfSSL_X509_get_subject_name(x509)), 0); + X509_free(x509); + x509 = NULL; + + /* test expected fail case */ + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(eccCertFile, + SSL_FILETYPE_PEM)); + ExpectIntNE(wolfSSL_X509_NAME_cmp((const WOLFSSL_X509_NAME*)subject, + (const WOLFSSL_X509_NAME*)wolfSSL_X509_get_subject_name(x509)), 0); + X509_free(x509); + x509 = NULL; + X509_free(cert); + cert = NULL; + + /* get subject line from ca stack */ + ExpectNotNull(cert = sk_X509_pop(ca)); + ExpectNotNull(subject = wolfSSL_X509_get_subject_name(cert)); + + /* compare subject from certificate in ca to expected */ + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(eccCertFile, + SSL_FILETYPE_PEM)); + ExpectIntEQ(wolfSSL_X509_NAME_cmp((const WOLFSSL_X509_NAME*)subject, + (const WOLFSSL_X509_NAME*)wolfSSL_X509_get_subject_name(x509)), 0); + + /* modify case and compare subject from certificate in ca to expected. + * The first bit of the name is: + * /C=US/ST=Washington + * So we'll change subject->name[1] to 'c' (lower case) */ + if (subject != NULL) { + subject->name[1] = 'c'; + ExpectIntEQ(wolfSSL_X509_NAME_cmp((const WOLFSSL_X509_NAME*)subject, + (const WOLFSSL_X509_NAME*)wolfSSL_X509_get_subject_name(x509)), 0); + } + + EVP_PKEY_free(pkey); + pkey = NULL; + X509_free(x509); + x509 = NULL; + X509_free(cert); + cert = NULL; + BIO_free(bio); + bio = NULL; + PKCS12_free(pkcs12); + pkcs12 = NULL; + sk_X509_pop_free(ca, NULL); /* TEST d2i_PKCS12_fp */ + ca = NULL; + + /* test order of parsing */ + ExpectTrue((f = XFOPEN(file, "rb")) != XBADFILE); + ExpectNotNull(pkcs12 = d2i_PKCS12_fp(f, NULL)); + if (f != XBADFILE) { + XFCLOSE(f); + f = XBADFILE; + } + + /* check verify MAC fail case */ + ExpectIntEQ(ret = PKCS12_parse(pkcs12, "bad", &pkey, &cert, NULL), 0); + ExpectNull(pkey); + ExpectNull(cert); + + /* check parse with no extra certs kept */ + ExpectIntEQ(ret = PKCS12_parse(pkcs12, "wolfSSL test", &pkey, &cert, NULL), + 1); + ExpectNotNull(pkey); + ExpectNotNull(cert); + + wolfSSL_EVP_PKEY_free(pkey); + pkey = NULL; + wolfSSL_X509_free(cert); + cert = NULL; + + /* check parse with extra certs kept */ + ExpectIntEQ(ret = PKCS12_parse(pkcs12, "wolfSSL test", &pkey, &cert, &ca), + 1); + ExpectNotNull(pkey); + ExpectNotNull(cert); + ExpectNotNull(ca); + + wolfSSL_EVP_PKEY_free(pkey); + pkey = NULL; + wolfSSL_X509_free(cert); + cert = NULL; + sk_X509_pop_free(ca, NULL); + ca = NULL; + + PKCS12_free(pkcs12); + pkcs12 = NULL; +#endif /* HAVE_ECC */ + +#ifdef WC_RC2 + /* test PKCS#12 with RC2 encryption */ + ExpectTrue((f = XFOPEN(rc2p12, "rb")) != XBADFILE); + ExpectIntGT(bytes = (int)XFREAD(buf, 1, sizeof(buf), f), 0); + if (f != XBADFILE) { + XFCLOSE(f); + f = XBADFILE; + } + + ExpectNotNull(bio = BIO_new_mem_buf((void*)buf, bytes)); + ExpectNotNull(pkcs12 = d2i_PKCS12_bio(bio, NULL)); + + /* check verify MAC fail case */ + ExpectIntEQ(ret = PKCS12_parse(pkcs12, "bad", &pkey, &cert, NULL), 0); + ExpectNull(pkey); + ExpectNull(cert); + + /* check parse with not extra certs kept */ + ExpectIntEQ(ret = PKCS12_parse(pkcs12, "wolfSSL test", &pkey, &cert, NULL), + WOLFSSL_SUCCESS); + ExpectNotNull(pkey); + ExpectNotNull(cert); + + wolfSSL_EVP_PKEY_free(pkey); + pkey = NULL; + wolfSSL_X509_free(cert); + cert = NULL; + + /* check parse with extra certs kept */ + ExpectIntEQ(ret = PKCS12_parse(pkcs12, "wolfSSL test", &pkey, &cert, &ca), + WOLFSSL_SUCCESS); + ExpectNotNull(pkey); + ExpectNotNull(cert); + ExpectNotNull(ca); + + wolfSSL_EVP_PKEY_free(pkey); + wolfSSL_X509_free(cert); + sk_X509_pop_free(ca, NULL); + + BIO_free(bio); + bio = NULL; + PKCS12_free(pkcs12); + pkcs12 = NULL; +#endif /* WC_RC2 */ + + /* Test i2d_PKCS12_bio */ + ExpectTrue((f = XFOPEN(file, "rb")) != XBADFILE); + ExpectNotNull(pkcs12 = d2i_PKCS12_fp(f, NULL)); + if (f != XBADFILE) + XFCLOSE(f); + + ExpectNotNull(bio = BIO_new(BIO_s_mem())); + + ExpectIntEQ(ret = i2d_PKCS12_bio(bio, pkcs12), 1); + + ExpectIntEQ(ret = i2d_PKCS12_bio(NULL, pkcs12), 0); + + ExpectIntEQ(ret = i2d_PKCS12_bio(bio, NULL), 0); + + PKCS12_free(pkcs12); + BIO_free(bio); + + (void)order; +#endif /* OPENSSL_EXTRA */ +#endif /* HAVE_FIPS */ + return EXPECT_RESULT(); +} + diff --git a/tests/api/test_ossl_p7p12.h b/tests/api/test_ossl_p7p12.h new file mode 100644 index 00000000000..32863c1ae26 --- /dev/null +++ b/tests/api/test_ossl_p7p12.h @@ -0,0 +1,54 @@ +/* test_ossl_p7p12.h + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +#ifndef WOLFCRYPT_TEST_OSSL_P7P12_H +#define WOLFCRYPT_TEST_OSSL_P7P12_H + +#include + +int test_wolfssl_PKCS7(void); +int test_wolfSSL_PKCS7_certs(void); +int test_wolfSSL_PKCS7_sign(void); +int test_wolfSSL_PKCS7_SIGNED_new(void); +int test_wolfSSL_PEM_write_bio_PKCS7(void); +int test_wolfSSL_PEM_write_bio_encryptedKey(void); +int test_wolfSSL_SMIME_read_PKCS7(void); +int test_wolfSSL_SMIME_write_PKCS7(void); +int test_wolfSSL_PKCS12(void); + +#define TEST_OSSL_PKCS7_DECLS \ + TEST_DECL_GROUP("ossl_p7", test_wolfssl_PKCS7), \ + TEST_DECL_GROUP("ossl_p7", test_wolfSSL_PKCS7_certs), \ + TEST_DECL_GROUP("ossl_p7", test_wolfSSL_PKCS7_sign), \ + TEST_DECL_GROUP("ossl_p7", test_wolfSSL_PKCS7_SIGNED_new), \ + TEST_DECL_GROUP("ossl_p7", test_wolfSSL_PEM_write_bio_PKCS7), \ + TEST_DECL_GROUP("ossl_p7", test_wolfSSL_PEM_write_bio_encryptedKey), \ + TEST_DECL_GROUP("ossl_p7", test_wolfSSL_RAND_poll) + +#define TEST_OSSL_SMIME_DECLS \ + TEST_DECL_GROUP("ossl_smime", test_wolfSSL_SMIME_read_PKCS7), \ + TEST_DECL_GROUP("ossl_smime", test_wolfSSL_SMIME_write_PKCS7) + +#define TEST_OSSL_PKCS12_DECLS \ + TEST_DECL_GROUP("ossl_p12", test_wolfSSL_PKCS12) + +#endif /* WOLFCRYPT_TEST_OSSL_P7P12_H */ + diff --git a/tests/api/test_ossl_rand.c b/tests/api/test_ossl_rand.c new file mode 100644 index 00000000000..a5b02814530 --- /dev/null +++ b/tests/api/test_ossl_rand.c @@ -0,0 +1,340 @@ +/* test_ossl_rand.c + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +#include + +#if defined(__linux__) || defined(__FreeBSD__) +#include +#include +#endif + +#ifdef NO_INLINE + #include +#else + #define WOLFSSL_MISC_INCLUDED + #include +#endif + +#include +#ifdef OPENSSL_EXTRA + #include +#endif +#include +#include + + +#if defined(OPENSSL_EXTRA) && !defined(WOLFSSL_NO_OPENSSL_RAND_CB) +static int stub_rand_seed(const void *buf, int num) +{ + (void)buf; + (void)num; + + return 123; +} + +static int stub_rand_bytes(unsigned char *buf, int num) +{ + (void)buf; + (void)num; + + return 456; +} + +static byte* was_stub_rand_cleanup_called(void) +{ + static byte was_called = 0; + + return &was_called; +} + +static void stub_rand_cleanup(void) +{ + byte* was_called = was_stub_rand_cleanup_called(); + + *was_called = 1; + + return; +} + +static byte* was_stub_rand_add_called(void) +{ + static byte was_called = 0; + + return &was_called; +} + +static int stub_rand_add(const void *buf, int num, double entropy) +{ + byte* was_called = was_stub_rand_add_called(); + + (void)buf; + (void)num; + (void)entropy; + + *was_called = 1; + + return 0; +} + +static int stub_rand_pseudo_bytes(unsigned char *buf, int num) +{ + (void)buf; + (void)num; + + return 9876; +} + +static int stub_rand_status(void) +{ + return 5432; +} +#endif /* OPENSSL_EXTRA && !WOLFSSL_NO_OPENSSL_RAND_CB */ + +int test_wolfSSL_RAND_set_rand_method(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(WOLFSSL_NO_OPENSSL_RAND_CB) + RAND_METHOD rand_methods = {NULL, NULL, NULL, NULL, NULL, NULL}; + unsigned char* buf = NULL; + int num = 0; + double entropy = 0; + int ret; + byte* was_cleanup_called = was_stub_rand_cleanup_called(); + byte* was_add_called = was_stub_rand_add_called(); + + ExpectNotNull(buf = (byte*)XMALLOC(32 * sizeof(byte), NULL, + DYNAMIC_TYPE_TMP_BUFFER)); + + ExpectIntNE(wolfSSL_RAND_status(), 5432); + ExpectIntEQ(*was_cleanup_called, 0); + RAND_cleanup(); + ExpectIntEQ(*was_cleanup_called, 0); + + + rand_methods.seed = &stub_rand_seed; + rand_methods.bytes = &stub_rand_bytes; + rand_methods.cleanup = &stub_rand_cleanup; + rand_methods.add = &stub_rand_add; + rand_methods.pseudorand = &stub_rand_pseudo_bytes; + rand_methods.status = &stub_rand_status; + + ExpectIntEQ(RAND_set_rand_method(&rand_methods), WOLFSSL_SUCCESS); + ExpectIntEQ(RAND_seed(buf, num), 123); + ExpectIntEQ(RAND_bytes(buf, num), 456); + ExpectIntEQ(RAND_pseudo_bytes(buf, num), 9876); + ExpectIntEQ(RAND_status(), 5432); + + ExpectIntEQ(*was_add_called, 0); + /* The function pointer for RAND_add returns int, but RAND_add itself + * returns void. */ + RAND_add(buf, num, entropy); + ExpectIntEQ(*was_add_called, 1); + was_add_called = 0; + ExpectIntEQ(*was_cleanup_called, 0); + RAND_cleanup(); + ExpectIntEQ(*was_cleanup_called, 1); + *was_cleanup_called = 0; + + + ret = RAND_set_rand_method(NULL); + ExpectIntEQ(ret, WOLFSSL_SUCCESS); + ExpectIntNE(RAND_status(), 5432); + ExpectIntEQ(*was_cleanup_called, 0); + RAND_cleanup(); + ExpectIntEQ(*was_cleanup_called, 0); + + RAND_set_rand_method(NULL); + + XFREE(buf, NULL, DYNAMIC_TYPE_TMP_BUFFER); +#endif /* OPENSSL_EXTRA && !WOLFSSL_NO_OPENSSL_RAND_CB */ + return EXPECT_RESULT(); +} + +int test_wolfSSL_RAND_bytes(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) + const int size1 = RNG_MAX_BLOCK_LEN; /* in bytes */ + const int size2 = RNG_MAX_BLOCK_LEN + 1; /* in bytes */ + const int size3 = RNG_MAX_BLOCK_LEN * 2; /* in bytes */ + const int size4 = RNG_MAX_BLOCK_LEN * 4; /* in bytes */ + int max_bufsize; + byte *my_buf = NULL; +#if defined(OPENSSL_EXTRA) && defined(HAVE_GETPID) && !defined(__MINGW64__) && \ + !defined(__MINGW32__) + byte seed[16] = {0}; + byte randbuf[8] = {0}; + int pipefds[2] = {0}; + pid_t pid = 0; +#endif + + /* sanity check */ + ExpectIntEQ(RAND_bytes(NULL, 16), 0); + ExpectIntEQ(RAND_bytes(NULL, 0), 0); + + max_bufsize = size4; + + ExpectNotNull(my_buf = (byte*)XMALLOC(max_bufsize * sizeof(byte), HEAP_HINT, + DYNAMIC_TYPE_TMP_BUFFER)); + + ExpectIntEQ(RAND_bytes(my_buf, 0), 1); + ExpectIntEQ(RAND_bytes(my_buf, -1), 0); + + ExpectNotNull(XMEMSET(my_buf, 0, max_bufsize)); + ExpectIntEQ(RAND_bytes(my_buf, size1), 1); + ExpectIntEQ(RAND_bytes(my_buf, size2), 1); + ExpectIntEQ(RAND_bytes(my_buf, size3), 1); + ExpectIntEQ(RAND_bytes(my_buf, size4), 1); + XFREE(my_buf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + +#if defined(OPENSSL_EXTRA) && defined(HAVE_GETPID) && !defined(__MINGW64__) && \ + !defined(__MINGW32__) + XMEMSET(seed, 0, sizeof(seed)); + RAND_cleanup(); + + /* No global methods set. */ + ExpectIntEQ(RAND_seed(seed, sizeof(seed)), 1); + + ExpectIntEQ(pipe(pipefds), 0); + pid = fork(); + ExpectIntGE(pid, 0); + if (pid == 0) { + ssize_t n_written = 0; + + /* Child process. */ + close(pipefds[0]); + RAND_bytes(randbuf, sizeof(randbuf)); + n_written = write(pipefds[1], randbuf, sizeof(randbuf)); + close(pipefds[1]); + exit(n_written == sizeof(randbuf) ? 0 : 1); + } + else { + /* Parent process. */ + byte childrand[8] = {0}; + int waitstatus = 0; + + close(pipefds[1]); + ExpectIntEQ(RAND_bytes(randbuf, sizeof(randbuf)), 1); + ExpectIntEQ(read(pipefds[0], childrand, sizeof(childrand)), + sizeof(childrand)); + #ifdef WOLFSSL_NO_GETPID + ExpectBufEQ(randbuf, childrand, sizeof(randbuf)); + #else + ExpectBufNE(randbuf, childrand, sizeof(randbuf)); + #endif + close(pipefds[0]); + waitpid(pid, &waitstatus, 0); + } + RAND_cleanup(); +#endif +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_RAND(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) + byte seed[16]; + + XMEMSET(seed, 0, sizeof(seed)); + + /* No global methods set. */ + ExpectIntEQ(RAND_seed(seed, sizeof(seed)), 1); + ExpectIntEQ(RAND_poll(), 1); + RAND_cleanup(); + + ExpectIntEQ(RAND_egd(NULL), -1); +#ifndef NO_FILESYSTEM + { + char fname[100]; + + ExpectNotNull(RAND_file_name(fname, (sizeof(fname) - 1))); + ExpectIntEQ(RAND_write_file(NULL), 0); + } +#endif +#endif + return EXPECT_RESULT(); +} + + +#if defined(WC_RNG_SEED_CB) && defined(OPENSSL_EXTRA) +static int wc_DummyGenerateSeed(OS_Seed* os, byte* output, word32 sz) +{ + word32 i; + for (i = 0; i < sz; i++ ) + output[i] = (byte)i; + + (void)os; + + return 0; +} +#endif /* WC_RNG_SEED_CB */ + + +int test_wolfSSL_RAND_poll(void) +{ + EXPECT_DECLS; + +#if defined(OPENSSL_EXTRA) + byte seed[16]; + byte rand1[16]; +#ifdef WC_RNG_SEED_CB + byte rand2[16]; +#endif + + XMEMSET(seed, 0, sizeof(seed)); + ExpectIntEQ(RAND_seed(seed, sizeof(seed)), 1); + ExpectIntEQ(RAND_poll(), 1); + ExpectIntEQ(RAND_bytes(rand1, 16), 1); + RAND_cleanup(); + +#ifdef WC_RNG_SEED_CB + /* Test with custom seed and poll */ + wc_SetSeed_Cb(wc_DummyGenerateSeed); + + ExpectIntEQ(RAND_seed(seed, sizeof(seed)), 1); + ExpectIntEQ(RAND_bytes(rand1, 16), 1); + RAND_cleanup(); + + /* test that the same value is generated twice with dummy seed function */ + ExpectIntEQ(RAND_seed(seed, sizeof(seed)), 1); + ExpectIntEQ(RAND_bytes(rand2, 16), 1); + ExpectIntEQ(XMEMCMP(rand1, rand2, 16), 0); + RAND_cleanup(); + + /* test that doing a poll is reseeding RNG */ + ExpectIntEQ(RAND_seed(seed, sizeof(seed)), 1); + ExpectIntEQ(RAND_poll(), 1); + ExpectIntEQ(RAND_bytes(rand2, 16), 1); + ExpectIntNE(XMEMCMP(rand1, rand2, 16), 0); + + /* reset the seed function used */ + wc_SetSeed_Cb(WC_GENERATE_SEED_DEFAULT); +#endif + RAND_cleanup(); + + ExpectIntEQ(RAND_egd(NULL), -1); +#endif + + return EXPECT_RESULT(); +} + diff --git a/tests/api/test_ossl_rand.h b/tests/api/test_ossl_rand.h new file mode 100644 index 00000000000..4f10956aa08 --- /dev/null +++ b/tests/api/test_ossl_rand.h @@ -0,0 +1,39 @@ +/* test_ossl_rand.h + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +#ifndef WOLFCRYPT_TEST_OSSL_RAND_H +#define WOLFCRYPT_TEST_OSSL_RAND_H + +#include + +int test_wolfSSL_RAND_set_rand_method(void); +int test_wolfSSL_RAND_bytes(void); +int test_wolfSSL_RAND(void); +int test_wolfSSL_RAND_poll(void); + +#define TEST_OSSL_RAND_DECLS \ + TEST_DECL_GROUP("ossl_rand", test_wolfSSL_RAND_set_rand_method), \ + TEST_DECL_GROUP("ossl_rand", test_wolfSSL_RAND_bytes), \ + TEST_DECL_GROUP("ossl_rand", test_wolfSSL_RAND), \ + TEST_DECL_GROUP("ossl_rand", test_wolfSSL_RAND_poll) + +#endif /* WOLFCRYPT_TEST_OSSL_RAND_H */ + diff --git a/tests/api/test_ossl_rsa.c b/tests/api/test_ossl_rsa.c index 1947ad7ee63..7adbe126a67 100644 --- a/tests/api/test_ossl_rsa.c +++ b/tests/api/test_ossl_rsa.c @@ -1470,8 +1470,10 @@ int test_wolfSSL_RSA_To_Der(void) rsa = NULL; ExpectNotNull(wolfSSL_d2i_RSAPrivateKey(&rsa, &der, privDerSz)); - ExpectIntEQ(wolfSSL_RSA_To_Der(NULL, &outDer, 0, HEAP_HINT), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_RSA_To_Der(rsa, &outDer, 2, HEAP_HINT), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_RSA_To_Der(NULL, &outDer, 0, HEAP_HINT), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_RSA_To_Der(rsa, &outDer, 2, HEAP_HINT), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); ExpectIntEQ(wolfSSL_RSA_To_Der(rsa, NULL, 0, HEAP_HINT), privDerSz); outDer = out; @@ -1491,14 +1493,17 @@ int test_wolfSSL_RSA_To_Der(void) RSA_free(rsa); ExpectNotNull(rsa = RSA_new()); - ExpectIntEQ(wolfSSL_RSA_To_Der(rsa, &outDer, 0, HEAP_HINT), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_RSA_To_Der(rsa, &outDer, 1, HEAP_HINT), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_RSA_To_Der(rsa, &outDer, 0, HEAP_HINT), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_RSA_To_Der(rsa, &outDer, 1, HEAP_HINT), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); RSA_free(rsa); der = pubDer; rsa = NULL; ExpectNotNull(wolfSSL_d2i_RSAPublicKey(&rsa, &der, pubDerSz)); - ExpectIntEQ(wolfSSL_RSA_To_Der(rsa, &outDer, 0, HEAP_HINT), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_RSA_To_Der(rsa, &outDer, 0, HEAP_HINT), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); RSA_free(rsa); #endif #endif