diff --git a/CMakeLists.txt b/CMakeLists.txt
index 12bcf1031cc..a23cb522f99 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -2693,6 +2693,18 @@ if(WOLFSSL_EXAMPLES)
 tests/api/test_ossl_mac.c
 tests/api/test_ossl_rsa.c
 tests/api/test_ossl_sk.c
+ tests/api/test_ossl_x509.c
+ tests/api/test_ossl_x509_ext.c
+ tests/api/test_ossl_x509_name.c
+ tests/api/test_ossl_x509_pk.c
+ tests/api/test_ossl_x509_vp.c
+ tests/api/test_ossl_x509_io.c
+ tests/api/test_ossl_x509_crypto.c
+ tests/api/test_ossl_x509_acert.c
+ tests/api/test_ossl_x509_info.c
+ tests/api/test_ossl_x509_str.c
+ tests/api/test_ossl_x509_lu.c
+ tests/api/test_ossl_pem.c
 tests/api/test_tls13.c
 tests/srp.c
 tests/suites.c
diff --git a/tests/api.c b/tests/api.c
index d56ddc2a10e..4e1109a65ea 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -228,6 +228,18 @@
 #include
 #include
 #include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
 #include
 #if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_TLS) && \
@@ -3434,31 +3446,6 @@ static int test_wolfSSL_CertManagerSetVerify(void)
 return EXPECT_RESULT();
 }
-#if !defined(NO_FILESYSTEM) && defined(OPENSSL_EXTRA) && \
- defined(DEBUG_UNIT_TEST_CERTS)
-/* Used when debugging name constraint tests. Not static to allow use in
- * multiple locations with complex define guards. */
-void DEBUG_WRITE_CERT_X509(WOLFSSL_X509* x509, const char* fileName)
-{
- BIO* out = BIO_new_file(fileName, "wb");
- if (out != NULL) {
- PEM_write_bio_X509(out, x509);
- BIO_free(out);
- }
-}
-void DEBUG_WRITE_DER(const byte* der, int derSz, const char* fileName)
-{
- BIO* out = BIO_new_file(fileName, "wb");
- if (out != NULL) {
- BIO_write(out, der, derSz);
- BIO_free(out);
- }
-}
-#else
-#define DEBUG_WRITE_CERT_X509(x509, fileName) WC_DO_NOTHING
-#define DEBUG_WRITE_DER(der, derSz, fileName) WC_DO_NOTHING
-#endif
-
 static int test_wolfSSL_CertManagerNameConstraint(void)
 {
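Review bot: The twelve entries added under `if(WOLFSSL_EXAMPLES)` break the alphabetical order the surrounding list keeps (`test_ossl_mac.c`, `test_ossl_rsa.c`, `test_ossl_sk.c`, then `test_tls13.c`): `test_ossl_x509_io.c`, `test_ossl_x509_crypto.c` and `test_ossl_x509_acert.c` come after `test_ossl_x509_vp.c`, and `test_ossl_pem.c` sits after all of the x509 files although it sorts before them. Sorting the block (`test_ossl_pem.c`, `test_ossl_x509.c`, `test_ossl_x509_acert.c`, `test_ossl_x509_crypto.c`, …) keeps the list greppable and makes a missing or duplicated file obvious on later reviews. If the tree is also built with automake, the same source files presumably need to be added to the `tests/` include.am list as well, which this diff does not show.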
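Review bot: This hunk deletes not only the `DEBUG_UNIT_TEST_CERTS` definitions of `DEBUG_WRITE_CERT_X509`/`DEBUG_WRITE_DER` but also the `#else` branch that mapped both names to `WC_DO_NOTHING` in ordinary builds, and the deleted comment says the helpers are used by the name-constraint tests; `test_wolfSSL_CertManagerNameConstraint` begins on the hunk's last context line and its body is outside the hunk. If that body, or any other test remaining in api.c, still calls either helper, the file will no longer compile unless one of the headers added earlier in this diff provides both the debug definitions and the no-op fallbacks — worth confirming that the new header carries the `#else` / `WC_DO_NOTHING` branch and not only the `DEBUG_UNIT_TEST_CERTS` one. If the helpers moved because every caller moved to the new test_ossl_x509_*.c files, a one-line comment here such as `/* DEBUG_WRITE_CERT_X509/DEBUG_WRITE_DER now live in tests/api/test_ossl_x509.h */` would tell the next reader where to look.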
@@ -13050,66 +13037,6 @@ static int test_tls_bad_legacy_version(void)
 /*----------------------------------------------------------------------------*
 | X509 Tests
 *----------------------------------------------------------------------------*/
-static int test_wolfSSL_X509_NAME_get_entry(void)
-{
- EXPECT_DECLS;
-#if !defined(NO_CERTS) && !defined(NO_RSA) && !defined(NO_FILESYSTEM)
-#if defined(OPENSSL_ALL) || \
- (defined(OPENSSL_EXTRA) && \
- (defined(KEEP_PEER_CERT) || defined(SESSION_CERTS)))
- /* use openssl like name to test mapping */
- X509_NAME_ENTRY* ne = NULL;
- X509_NAME* name = NULL;
- X509* x509 = NULL;
- ASN1_STRING* asn = NULL;
- char* subCN = NULL;
- int idx = 0;
- ASN1_OBJECT *object = NULL;
-#if defined(WOLFSSL_APACHE_HTTPD) || defined(OPENSSL_ALL) || \
- defined(WOLFSSL_NGINX)
-#ifndef NO_BIO
- BIO* bio = NULL;
-#endif
-#endif
-
- ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFile,
- WOLFSSL_FILETYPE_PEM));
- ExpectNotNull(name = X509_get_subject_name(x509));
- ExpectIntGE(idx = X509_NAME_get_index_by_NID(name, NID_commonName, -1), 0);
- ExpectNotNull(ne = X509_NAME_get_entry(name, idx));
- ExpectNull(X509_NAME_ENTRY_get_data(NULL));
- ExpectNotNull(asn = X509_NAME_ENTRY_get_data(ne));
- ExpectNotNull(subCN = (char*)ASN1_STRING_data(asn));
- wolfSSL_FreeX509(x509);
- x509 = NULL;
-
- ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFile,
- WOLFSSL_FILETYPE_PEM));
- ExpectNotNull(name = X509_get_subject_name(x509));
- ExpectIntGE(idx = X509_NAME_get_index_by_NID(name, NID_commonName, -1), 0);
-
-#if defined(WOLFSSL_APACHE_HTTPD) || defined(OPENSSL_ALL) || \
- defined(WOLFSSL_NGINX)
-#ifndef NO_BIO
- ExpectNotNull(bio = BIO_new(BIO_s_mem()));
- ExpectIntEQ(X509_NAME_print_ex(bio, name, 4,
- (XN_FLAG_RFC2253 & ~XN_FLAG_DN_REV)), WOLFSSL_SUCCESS);
- ExpectIntEQ(X509_NAME_print_ex_fp(XBADFILE, name, 4,
- (XN_FLAG_RFC2253 & ~XN_FLAG_DN_REV)), WOLFSSL_FAILURE);
- ExpectIntEQ(X509_NAME_print_ex_fp(stderr, name, 4,
(XN_FLAG_RFC2253 & ~XN_FLAG_DN_REV)), WOLFSSL_SUCCESS);
- BIO_free(bio);
-#endif
-#endif
-
- ExpectNotNull(ne = X509_NAME_get_entry(name, idx));
- ExpectNotNull(object = X509_NAME_ENTRY_get_object(ne));
- wolfSSL_FreeX509(x509);
-#endif /* OPENSSL_ALL || (OPENSSL_EXTRA && (KEEP_PEER_CERT || SESSION_CERTS) */
-#endif /* !NO_CERTS && !NO_RSA && !NO_FILESYSTEM */
-
- return EXPECT_RESULT();
-}
 /* Testing functions dealing with PKCS12 parsing out X509 certs */
 static int test_wolfSSL_PKCS12(void)
@@ -13987,601 +13914,6 @@ static int test_wolfSSL_URI(void) } -static int test_wolfSSL_TBS(void) -{ - EXPECT_DECLS; -#if !defined(NO_CERTS) && !defined(NO_RSA) && !defined(NO_FILESYSTEM) \ - && defined(OPENSSL_EXTRA) - WOLFSSL_X509* x509 = NULL; - const unsigned char* tbs; - int tbsSz; - - ExpectNotNull(x509 = wolfSSL_X509_new()); - ExpectNull(tbs = wolfSSL_X509_get_tbs(x509, &tbsSz)); - wolfSSL_X509_free(x509); - x509 = NULL; - - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(caCertFile, - WOLFSSL_FILETYPE_PEM)); - - ExpectNull(tbs = wolfSSL_X509_get_tbs(NULL, &tbsSz)); - ExpectNull(tbs = wolfSSL_X509_get_tbs(x509, NULL)); - ExpectNotNull(tbs = wolfSSL_X509_get_tbs(x509, &tbsSz)); - ExpectIntEQ(tbsSz, 1003); - - wolfSSL_FreeX509(x509); -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_X509_verify(void) -{ - EXPECT_DECLS; -#if !defined(NO_CERTS) && !defined(NO_RSA) && !defined(NO_FILESYSTEM) && \ - defined(OPENSSL_EXTRA) - WOLFSSL_X509* ca = NULL; - WOLFSSL_X509* serv = NULL; - WOLFSSL_EVP_PKEY* pkey = NULL; - unsigned char buf[2048]; - const unsigned char* pt = NULL; - int bufSz = 0; - - ExpectNotNull(ca = wolfSSL_X509_load_certificate_file(caCertFile, - WOLFSSL_FILETYPE_PEM)); - - ExpectIntNE(wolfSSL_X509_get_pubkey_buffer(NULL, buf, NULL), - WOLFSSL_SUCCESS); - ExpectIntNE(wolfSSL_X509_get_pubkey_buffer(NULL, buf, &bufSz), - WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_get_pubkey_buffer(ca, NULL, &bufSz), - WOLFSSL_SUCCESS); - ExpectIntEQ(bufSz, 294); - - bufSz--; - ExpectIntNE(wolfSSL_X509_get_pubkey_buffer(ca, buf, &bufSz), - WOLFSSL_SUCCESS); - bufSz = 2048; - ExpectIntEQ(wolfSSL_X509_get_pubkey_buffer(ca, buf, &bufSz), - WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_get_pubkey_type(NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_X509_get_pubkey_type(ca), RSAk); - - - ExpectNotNull(serv = wolfSSL_X509_load_certificate_file(svrCertFile, - WOLFSSL_FILETYPE_PEM)); - - /* success case */ - pt = buf; - ExpectNotNull(pkey = 
wolfSSL_d2i_PUBKEY(NULL, &pt, bufSz)); - - ExpectIntEQ(i2d_PUBKEY(pkey, NULL), bufSz); - - ExpectIntEQ(wolfSSL_X509_verify(serv, pkey), WOLFSSL_SUCCESS); - wolfSSL_EVP_PKEY_free(pkey); - pkey = NULL; - - /* fail case */ - bufSz = 2048; - ExpectIntEQ(wolfSSL_X509_get_pubkey_buffer(serv, buf, &bufSz), - WOLFSSL_SUCCESS); - pt = buf; - ExpectNotNull(pkey = wolfSSL_d2i_PUBKEY(NULL, &pt, bufSz)); - ExpectIntEQ(wolfSSL_X509_verify(serv, pkey), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - - ExpectIntEQ(wolfSSL_X509_verify(NULL, pkey), WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); - ExpectIntEQ(wolfSSL_X509_verify(serv, NULL), WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); - -#ifndef NO_WOLFSSL_STUB - ExpectNull(wolfSSL_X509_get0_pubkey_bitstr(NULL)); - ExpectNull(wolfSSL_X509_get0_pubkey_bitstr(serv)); -#endif - - wolfSSL_EVP_PKEY_free(pkey); - - wolfSSL_FreeX509(ca); - wolfSSL_FreeX509(serv); -#endif - return EXPECT_RESULT(); -} - -#if defined(WOLFSSL_ACERT) && !defined(NO_CERTS) && !defined(NO_RSA) && \ - defined(WC_RSA_PSS) && !defined(NO_FILESYSTEM) && defined(OPENSSL_EXTRA) -/* Given acert file and its pubkey file, read them and then - * attempt to verify signed acert. - * - * If expect_pass is true, then verification should pass. - * If expect_pass is false, then verification should fail. - * */ -static int do_acert_verify_test(const char * acert_file, - const char * pkey_file, - size_t expect_pass) -{ - X509_ACERT * x509 = NULL; - EVP_PKEY * pkey = NULL; - BIO * bp = NULL; - int verify_rc = 0; - - /* First read the attribute certificate. */ - bp = BIO_new_file(acert_file, "r"); - if (bp == NULL) { - return -1; - } - - x509 = PEM_read_bio_X509_ACERT(bp, NULL, NULL, NULL); - BIO_free(bp); - bp = NULL; - - if (x509 == NULL) { - return -1; - } - - /* Next read the associated pub key. 
*/ - bp = BIO_new_file(pkey_file, "r"); - - if (bp == NULL) { - X509_ACERT_free(x509); - x509 = NULL; - return -1; - } - - pkey = PEM_read_bio_PUBKEY(bp, &pkey, NULL, NULL); - BIO_free(bp); - bp = NULL; - - if (pkey == NULL) { - X509_ACERT_free(x509); - x509 = NULL; - return -1; - } - - /* Finally, do verification. */ - verify_rc = X509_ACERT_verify(x509, pkey); - - X509_ACERT_free(x509); - x509 = NULL; - - EVP_PKEY_free(pkey); - pkey = NULL; - - if (expect_pass && verify_rc != 1) { - return -1; - } - - if (!expect_pass && verify_rc == 1) { - return -1; - } - - return 0; -} -#endif - -static int test_wolfSSL_X509_ACERT_verify(void) -{ - EXPECT_DECLS; -#if defined(WOLFSSL_ACERT) && !defined(NO_CERTS) && !defined(NO_RSA) && \ - defined(WC_RSA_PSS) && !defined(NO_FILESYSTEM) && defined(OPENSSL_EXTRA) - /* Walk over list of signed ACERTs and their pubkeys. - * All should load and pass verification. */ - const char * acerts[4] = {"certs/acert/acert.pem", - "certs/acert/acert_ietf.pem", - "certs/acert/rsa_pss/acert.pem", - "certs/acert/rsa_pss/acert_ietf.pem"}; - const char * pkeys[4] = {"certs/acert/acert_pubkey.pem", - "certs/acert/acert_ietf_pubkey.pem", - "certs/acert/rsa_pss/acert_pubkey.pem", - "certs/acert/rsa_pss/acert_ietf_pubkey.pem"}; - int rc = 0; - size_t i = 0; - size_t j = 0; - - for (i = 0; i < 4; ++i) { - for (j = i; j < 4; ++j) { - rc = do_acert_verify_test(acerts[i], pkeys[j], i == j); - - if (rc) { - fprintf(stderr, "error: %s: i = %zu, j = %zu, rc = %d\n", - "do_acert_verify_test", i, j, rc); - break; - } - } - - if (rc) { break; } - } - - ExpectIntEQ(rc, 0); -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_X509_ACERT_misc_api(void) -{ - EXPECT_DECLS; -#if defined(WOLFSSL_ACERT) && !defined(NO_CERTS) && !defined(NO_RSA) && \ - !defined(NO_FILESYSTEM) && defined(OPENSSL_EXTRA) - const char * acerts[4] = {"certs/acert/acert.pem", - "certs/acert/acert_ietf.pem", - "certs/acert/rsa_pss/acert.pem", - "certs/acert/rsa_pss/acert_ietf.pem"}; - 
int rc = 0; - X509_ACERT * x509 = NULL; - BIO * bp = NULL; - long ver_long = 0; - int ver = 0; - int nid = 0; - const byte * raw_attr = NULL; - word32 attr_len = 0; - size_t i = 0; - int buf_len = 0; - byte ietf_serial[] = {0x03, 0xb5, 0x90, 0x59, 0x02, - 0xa2, 0xaa, 0xb5, 0x40, 0x21, - 0x44, 0xb8, 0x2c, 0x4f, 0xd9, - 0x80, 0x1b, 0x5f, 0x57, 0xc2}; - - for (i = 0; i < 4; ++i) { - const char * acert_file = acerts[i]; - int is_rsa_pss = 0; - int is_ietf_acert = 0; - byte serial[64]; - int serial_len = sizeof(serial); - - XMEMSET(serial, 0, sizeof(serial)); - - is_rsa_pss = XSTRSTR(acert_file, "rsa_pss") != NULL ? 1 : 0; - is_ietf_acert = XSTRSTR(acert_file, "ietf.pem") != NULL ? 1 : 0; - - /* First read the attribute certificate. */ - bp = BIO_new_file(acert_file, "r"); - ExpectNotNull(bp); - - x509 = PEM_read_bio_X509_ACERT(bp, NULL, NULL, NULL); - ExpectNotNull(x509); - - /* We're done with the bio for now. */ - if (bp != NULL) { - BIO_free(bp); - bp = NULL; - } - - /* Check version and signature NID. */ - ver_long = X509_ACERT_get_version(x509); - ExpectIntEQ(ver_long, 1); - - ver = wolfSSL_X509_ACERT_version(x509); - ExpectIntEQ(ver, 2); - - nid = X509_ACERT_get_signature_nid(x509); - - if (is_rsa_pss) { - ExpectIntEQ(nid, NID_rsassaPss); - } - else { - ExpectIntEQ(nid, NID_sha256WithRSAEncryption); - } - - /* Get the serial number buffer. - * The ietf acert example has a 20 byte serial number. */ - rc = wolfSSL_X509_ACERT_get_serial_number(x509, serial, &serial_len); - ExpectIntEQ(rc, SSL_SUCCESS); - - if (is_ietf_acert) { - ExpectIntEQ(serial_len, 20); - ExpectIntEQ(XMEMCMP(serial, ietf_serial, sizeof(ietf_serial)), 0); - } - else { - ExpectIntEQ(serial_len, 1); - ExpectTrue(serial[0] == 0x01); - } - - /* Repeat the same but with null serial buffer. This is ok. 
*/ - rc = wolfSSL_X509_ACERT_get_serial_number(x509, NULL, &serial_len); - ExpectIntEQ(rc, SSL_SUCCESS); - - if (is_ietf_acert) { - ExpectIntEQ(serial_len, 20); - } - else { - ExpectIntEQ(serial_len, 1); - ExpectTrue(serial[0] == 0x01); - } - - /* Get the attributes buffer. */ - rc = wolfSSL_X509_ACERT_get_attr_buf(x509, &raw_attr, &attr_len); - ExpectIntEQ(rc, SSL_SUCCESS); - - if (is_ietf_acert) { - /* This cert has a 65 byte attributes field. */ - ExpectNotNull(raw_attr); - ExpectIntEQ(attr_len, 65); - } - else { - /* This cert has a 237 byte attributes field. */ - ExpectNotNull(raw_attr); - ExpectIntEQ(attr_len, 237); - } - - /* Test printing acert to memory bio. */ - ExpectNotNull(bp = BIO_new(BIO_s_mem())); - rc = X509_ACERT_print(bp, x509); - ExpectIntEQ(rc, SSL_SUCCESS); - - /* Now do a bunch of invalid stuff with partially valid inputs. */ - rc = wolfSSL_X509_ACERT_get_attr_buf(x509, &raw_attr, NULL); - ExpectIntEQ(rc, BAD_FUNC_ARG); - - rc = wolfSSL_X509_ACERT_get_attr_buf(x509, NULL, &attr_len); - ExpectIntEQ(rc, BAD_FUNC_ARG); - - rc = wolfSSL_X509_ACERT_get_attr_buf(NULL, &raw_attr, &attr_len); - ExpectIntEQ(rc, BAD_FUNC_ARG); - - ver_long = X509_ACERT_get_version(NULL); - ExpectIntEQ(ver_long, 0); - - ver = wolfSSL_X509_ACERT_version(NULL); - ExpectIntEQ(ver, 0); - - rc = wolfSSL_X509_ACERT_get_signature(x509, NULL, NULL); - ExpectIntEQ(rc, WOLFSSL_FATAL_ERROR); - - rc = wolfSSL_X509_ACERT_get_signature(x509, NULL, &buf_len); - ExpectIntEQ(rc, SSL_SUCCESS); - ExpectIntEQ(buf_len, 256); - - rc = wolfSSL_X509_ACERT_get_serial_number(x509, serial, NULL); - ExpectIntEQ(rc, BAD_FUNC_ARG); - - rc = X509_ACERT_print(bp, NULL); - ExpectIntEQ(rc, WOLFSSL_FAILURE); - - rc = X509_ACERT_print(NULL, x509); - ExpectIntEQ(rc, WOLFSSL_FAILURE); - - /* Finally free the acert and bio, we're done with them. 
*/ - if (x509 != NULL) { - X509_ACERT_free(x509); - x509 = NULL; - } - - if (bp != NULL) { - BIO_free(bp); - bp = NULL; - } - } -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_X509_ACERT_buffer(void) -{ - EXPECT_DECLS; -#if defined(WOLFSSL_ACERT) && !defined(NO_CERTS) && \ - !defined(NO_RSA) && defined(WC_RSA_PSS) && \ - (defined(OPENSSL_EXTRA_X509_SMALL) || defined(OPENSSL_EXTRA)) - const byte acert_ietf[] = \ - "-----BEGIN ATTRIBUTE CERTIFICATE-----\n" - "MIICPTCCASUCAQEwN6AWMBGkDzANMQswCQYDVQQDDAJDQQIBAqEdpBswGTEXMBUG\n" - "A1UEAwwOc2VydmVyLmV4YW1wbGWgLTArpCkwJzElMCMGA1UEAwwcQXR0cmlidXRl\n" - "IENlcnRpZmljYXRlIElzc3VlcjANBgkqhkiG9w0BAQsFAAIUA7WQWQKiqrVAIUS4\n" - "LE/ZgBtfV8IwIhgPMjAyMTA2MTUxMjM1MDBaGA8yMDMxMDYxMzEyMzUwMFowQTAj\n" - "BggrBgEFBQcKBDEXMBWgCYYHVGVzdHZhbDAIDAZncm91cDEwGgYDVQRIMRMwEaEP\n" - "gw1hZG1pbmlzdHJhdG9yMCwwHwYDVR0jBBgwFoAUYm7JaGdsZLtTgt0tqoCK2MrI\n" - "i10wCQYDVR04BAIFADANBgkqhkiG9w0BAQsFAAOCAQEAlIOJ2Dj3TEUj6BIv6vUs\n" - "GqFWms05i+d10XSzWrunlUTQPoJcUjYkifOWp/7RpZ2XnRl+6hH+nIbmwSmXWwBn\n" - "ERw2bQMmw/""/nWuN4Qv9t7ltuovWC0pJX6VMT1IRTuTV4SxuZpFL37vkmnFlPBlb+\n" - "mn3ESSxLTjThWFIq1tip4IaxE/i5Uh32GlJglatFHM1PCGoJtyLtYb6KHDlvknw6\n" - "coDyjIcj0FZwtQw41jLwxI8jWNmrpt978wdpprB/URrRs+m02HmeQoiHFi/qvdv8\n" - "d+5vHf3Pi/ulhz/+dvr0p1vEQSoFnYxLXuty2p5m3PJPZCFmT3gURgmgR3BN9d7A\n" - "Bw==\n" - "-----END ATTRIBUTE CERTIFICATE-----\n"; - X509_ACERT * x509 = NULL; - int rc = 0; - byte ietf_serial[] = {0x03, 0xb5, 0x90, 0x59, 0x02, - 0xa2, 0xaa, 0xb5, 0x40, 0x21, - 0x44, 0xb8, 0x2c, 0x4f, 0xd9, - 0x80, 0x1b, 0x5f, 0x57, 0xc2}; - byte serial[64]; - int serial_len = sizeof(serial); - const byte * raw_attr = NULL; - word32 attr_len = 0; - - x509 = wolfSSL_X509_ACERT_load_certificate_buffer_ex(acert_ietf, - sizeof(acert_ietf), - WOLFSSL_FILETYPE_PEM, - HEAP_HINT); - - rc = wolfSSL_X509_ACERT_get_serial_number(x509, serial, &serial_len); - ExpectIntEQ(rc, SSL_SUCCESS); - - ExpectIntEQ(serial_len, 20); - ExpectIntEQ(XMEMCMP(serial, ietf_serial, 
sizeof(ietf_serial)), 0); - - /* Get the attributes buffer. */ - rc = wolfSSL_X509_ACERT_get_attr_buf(x509, &raw_attr, &attr_len); - ExpectIntEQ(rc, SSL_SUCCESS); - - /* This cert has a 65 byte attributes field. */ - ExpectNotNull(raw_attr); - ExpectIntEQ(attr_len, 65); - - ExpectNotNull(x509); - - if (x509 != NULL) { - wolfSSL_X509_ACERT_free(x509); - x509 = NULL; - } -#endif - return EXPECT_RESULT(); -} - -/* note: when ACERT generation and signing are implemented, - * this test will be filled out appropriately. - * */ -static int test_wolfSSL_X509_ACERT_new_and_sign(void) -{ - EXPECT_DECLS; -#if defined(WOLFSSL_ACERT) && !defined(NO_CERTS) && \ - !defined(NO_RSA) && defined(WC_RSA_PSS) && \ - (defined(OPENSSL_EXTRA_X509_SMALL) || defined(OPENSSL_EXTRA)) - X509_ACERT * x509 = NULL; - int rc = 0; - - x509 = X509_ACERT_new(); - ExpectNotNull(x509); - - if (x509 != NULL) { - wolfSSL_X509_ACERT_free(x509); - x509 = NULL; - } - - /* Same but with static memory hint. */ - x509 = wolfSSL_X509_ACERT_new_ex(HEAP_HINT); - ExpectNotNull(x509); - - #ifndef NO_WOLFSSL_STUB - /* ACERT sign not implemented yet. */ - if (x509 != NULL) { - rc = wolfSSL_X509_ACERT_sign(x509, NULL, NULL); - ExpectIntEQ(rc, WOLFSSL_NOT_IMPLEMENTED); - } - #else - (void) rc; - #endif /* NO_WOLFSSL_STUB */ - - if (x509 != NULL) { - wolfSSL_X509_ACERT_free(x509); - x509 = NULL; - } - -#endif - return EXPECT_RESULT(); -} - -/* Test ACERT support, but with ASN functions only. - * - * This example acert_ietf has both Holder IssuerSerial - * and Holder entityName fields. 
- * */ -static int test_wolfSSL_X509_ACERT_asn(void) -{ - EXPECT_DECLS; -#if defined(WOLFSSL_ACERT) && !defined(NO_CERTS) - const byte acert_ietf[] = \ - "-----BEGIN ATTRIBUTE CERTIFICATE-----\n" - "MIICPTCCASUCAQEwN6AWMBGkDzANMQswCQYDVQQDDAJDQQIBAqEdpBswGTEXMBUG\n" - "A1UEAwwOc2VydmVyLmV4YW1wbGWgLTArpCkwJzElMCMGA1UEAwwcQXR0cmlidXRl\n" - "IENlcnRpZmljYXRlIElzc3VlcjANBgkqhkiG9w0BAQsFAAIUA7WQWQKiqrVAIUS4\n" - "LE/ZgBtfV8IwIhgPMjAyMTA2MTUxMjM1MDBaGA8yMDMxMDYxMzEyMzUwMFowQTAj\n" - "BggrBgEFBQcKBDEXMBWgCYYHVGVzdHZhbDAIDAZncm91cDEwGgYDVQRIMRMwEaEP\n" - "gw1hZG1pbmlzdHJhdG9yMCwwHwYDVR0jBBgwFoAUYm7JaGdsZLtTgt0tqoCK2MrI\n" - "i10wCQYDVR04BAIFADANBgkqhkiG9w0BAQsFAAOCAQEAlIOJ2Dj3TEUj6BIv6vUs\n" - "GqFWms05i+d10XSzWrunlUTQPoJcUjYkifOWp/7RpZ2XnRl+6hH+nIbmwSmXWwBn\n" - "ERw2bQMmw/""/nWuN4Qv9t7ltuovWC0pJX6VMT1IRTuTV4SxuZpFL37vkmnFlPBlb+\n" - "mn3ESSxLTjThWFIq1tip4IaxE/i5Uh32GlJglatFHM1PCGoJtyLtYb6KHDlvknw6\n" - "coDyjIcj0FZwtQw41jLwxI8jWNmrpt978wdpprB/URrRs+m02HmeQoiHFi/qvdv8\n" - "d+5vHf3Pi/ulhz/+dvr0p1vEQSoFnYxLXuty2p5m3PJPZCFmT3gURgmgR3BN9d7A\n" - "Bw==\n" - "-----END ATTRIBUTE CERTIFICATE-----\n"; - int rc = 0; - int n_diff = 0; - byte ietf_serial[] = {0x03, 0xb5, 0x90, 0x59, 0x02, - 0xa2, 0xaa, 0xb5, 0x40, 0x21, - 0x44, 0xb8, 0x2c, 0x4f, 0xd9, - 0x80, 0x1b, 0x5f, 0x57, 0xc2}; - byte holderIssuerName[] = {0x31, 0x0b, 0x30, 0x09, 0x06, - 0x03, 0x55, 0x04, 0x03, 0x0c, - 0x02, 0x43, 0x41}; - byte holderEntityName[] = {0x31, 0x17, 0x30, 0x15, 0x06, - 0x03, 0x55, 0x04, 0x03, 0x0c, - 0x0e, 0x73, 0x65, 0x72, 0x76, - 0x65, 0x72, 0x2e, 0x65, 0x78, - 0x61, 0x6d, 0x70, 0x6c, 0x65}; - DerBuffer * der = NULL; - WC_DECLARE_VAR(acert, DecodedAcert, 1, 0); - - rc = wc_PemToDer(acert_ietf, sizeof(acert_ietf), ACERT_TYPE, &der, - HEAP_HINT, NULL, NULL); - - ExpectIntEQ(rc, 0); - ExpectNotNull(der); - - if (der != NULL) { - ExpectNotNull(der->buffer); - } - -#ifdef WOLFSSL_SMALL_STACK - acert = (DecodedAcert*)XMALLOC(sizeof(DecodedAcert), HEAP_HINT, - DYNAMIC_TYPE_DCERT); - 
ExpectNotNull(acert); -#else - XMEMSET(acert, 0, sizeof(DecodedAcert)); -#endif - - if (der != NULL && der->buffer != NULL -#ifdef WOLFSSL_SMALL_STACK - && acert != NULL -#endif - ) { - wc_InitDecodedAcert(acert, der->buffer, der->length, HEAP_HINT); - rc = wc_ParseX509Acert(acert, VERIFY_SKIP_DATE); - ExpectIntEQ(rc, 0); - - ExpectIntEQ(acert->serialSz, 20); - ExpectIntEQ(XMEMCMP(acert->serial, ietf_serial, sizeof(ietf_serial)), - 0); - - /* This cert has a 65 byte attributes field. */ - ExpectNotNull(acert->rawAttr); - ExpectIntEQ(acert->rawAttrLen, 65); - - ExpectNotNull(acert->holderIssuerName); - ExpectNotNull(acert->holderEntityName); - - if ((acert->holderIssuerName != NULL) && - (acert->holderEntityName != NULL)) { - ExpectNotNull(acert->holderEntityName->name); - ExpectNotNull(acert->holderIssuerName->name); - } - - if ((acert->holderIssuerName != NULL) && - (acert->holderEntityName != NULL) && - (acert->holderIssuerName->name != NULL) && - (acert->holderEntityName->name != NULL)) { - ExpectIntEQ(acert->holderIssuerName->len, - sizeof(holderIssuerName)); - ExpectIntEQ(acert->holderEntityName->len, - sizeof(holderEntityName)); - - ExpectIntEQ(acert->holderIssuerName->type, ASN_DIR_TYPE); - ExpectIntEQ(acert->holderEntityName->type, ASN_DIR_TYPE); - - n_diff = XMEMCMP(acert->holderIssuerName->name, holderIssuerName, - sizeof(holderIssuerName)); - ExpectIntEQ(n_diff, 0); - - n_diff = XMEMCMP(acert->holderEntityName->name, holderEntityName, - sizeof(holderEntityName)); - ExpectIntEQ(n_diff, 0); - } - - wc_FreeDecodedAcert(acert); - } - -#ifdef WOLFSSL_SMALL_STACK - if (acert != NULL) { - XFREE(acert, HEAP_HINT, DYNAMIC_TYPE_DCERT); - acert = NULL; - } -#endif - - if (der != NULL) { - wc_FreeDer(&der); - der = NULL; - } - -#endif - return EXPECT_RESULT(); -} - #if !defined(NO_DH) && !defined(NO_AES) && defined(WOLFSSL_CERT_GEN) && \ defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \ defined(OPENSSL_EXTRA) && !defined(NO_ASN_TIME) 
@@ -15242,946 +14574,198 @@ static int test_wolfSSL_lhash(void) return EXPECT_RESULT(); } -static int test_wolfSSL_X509_NAME(void) +static int test_wc_PemToDer(void) { EXPECT_DECLS; -#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) && \ - !defined(NO_CERTS) && !defined(NO_FILESYSTEM) && \ - !defined(NO_RSA) && defined(WOLFSSL_CERT_GEN) && \ - (defined(WOLFSSL_CERT_REQ) || defined(WOLFSSL_CERT_EXT) || \ - defined(OPENSSL_EXTRA)) - X509* x509 = NULL; -#ifndef OPENSSL_EXTRA - const unsigned char* c = NULL; - int bytes = 0; -#endif - unsigned char buf[4096]; - XFILE f = XBADFILE; - const X509_NAME* a = NULL; - const X509_NAME* b = NULL; - X509_NAME* d2i_name = NULL; - int sz = 0; - unsigned char* tmp = NULL; - char file[] = "./certs/ca-cert.der"; -#ifndef OPENSSL_EXTRA_X509_SMALL - byte empty[] = { /* CN=empty emailAddress= */ - 0x30, 0x21, 0x31, 0x0E, 0x30, 0x0C, 0x06, 0x03, - 0x55, 0x04, 0x03, 0x0C, 0x05, 0x65, 0x6D, 0x70, - 0x74, 0x79, 0x31, 0x0F, 0x30, 0x0D, 0x06, 0x09, - 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, - 0x01, 0x16, 0x00 - }; -#endif -#if defined(OPENSSL_EXTRA) && !defined(NO_PWDBASED) - byte digest[64]; /* max digest size */ - word32 digestSz; -#endif - -#ifndef OPENSSL_EXTRA_X509_SMALL - /* test compile of deprecated function, returns 0 */ - ExpectIntEQ(CRYPTO_thread_id(), 0); -#endif - - ExpectNotNull(a = X509_NAME_new()); - ExpectNotNull(b = X509_NAME_new()); -#ifndef OPENSSL_EXTRA_X509_SMALL - ExpectIntEQ(X509_NAME_cmp(a, b), 0); -#endif - X509_NAME_free((X509_NAME*)b); - X509_NAME_free((X509_NAME*)a); - a = NULL; - - ExpectTrue((f = XFOPEN(file, "rb")) != XBADFILE); -#ifndef OPENSSL_EXTRA - ExpectIntGT(bytes = (int)XFREAD(buf, 1, sizeof(buf), f), 0); - if (f != XBADFILE) - XFCLOSE(f); - - c = buf; - ExpectNotNull(x509 = wolfSSL_X509_d2i_ex(NULL, c, bytes, HEAP_HINT)); -#else - ExpectNull(wolfSSL_X509_d2i_fp(NULL, XBADFILE)); - ExpectNotNull(wolfSSL_X509_d2i_fp(&x509, f)); - if (f != XBADFILE) - XFCLOSE(f); -#endif +#if 
!defined(NO_CERTS) && defined(WOLFSSL_PEM_TO_DER) && !defined(NO_FILESYSTEM) + int ret; + DerBuffer* pDer = NULL; + const char* ca_cert = "./certs/server-cert.pem"; + const char* trusted_cert = "./certs/test/ossl-trusted-cert.pem"; + byte* cert_buf = NULL; + size_t cert_sz = 0; + int eccKey = 0; + EncryptedInfo info; - /* test cmp function */ - ExpectNull(X509_get_issuer_name(NULL)); - ExpectNotNull(a = X509_get_issuer_name(x509)); - ExpectNull(X509_get_subject_name(NULL)); - ExpectNotNull(b = X509_get_subject_name(x509)); -#ifdef KEEP_PEER_CERT - ExpectNull(wolfSSL_X509_get_subjectCN(NULL)); - ExpectNotNull(wolfSSL_X509_get_subjectCN(x509)); -#endif + XMEMSET(&info, 0, sizeof(info)); -#if defined(OPENSSL_EXTRA) - ExpectIntEQ(X509_check_issued(NULL, NULL), - WOLFSSL_X509_V_ERR_SUBJECT_ISSUER_MISMATCH); - ExpectIntEQ(X509_check_issued(x509, NULL), - WOLFSSL_X509_V_ERR_SUBJECT_ISSUER_MISMATCH); - ExpectIntEQ(X509_check_issued(NULL, x509), - WOLFSSL_X509_V_ERR_SUBJECT_ISSUER_MISMATCH); - ExpectIntEQ(X509_check_issued(x509, x509), WOLFSSL_X509_V_OK); - - ExpectIntEQ(X509_NAME_cmp(NULL, NULL), -2); - ExpectIntEQ(X509_NAME_cmp(NULL, b), -2); - ExpectIntEQ(X509_NAME_cmp(a, NULL), -2); - ExpectIntEQ(X509_NAME_cmp(a, b), 0); /* self signed should be 0 */ - -#if !defined(NO_PWDBASED) - ExpectIntEQ(wolfSSL_X509_NAME_digest(NULL, NULL, NULL, NULL), 0); - ExpectIntEQ(wolfSSL_X509_NAME_digest(a, NULL, NULL, NULL), 0); -#ifndef NO_SHA256 - ExpectIntEQ(wolfSSL_X509_NAME_digest(NULL, wolfSSL_EVP_sha256(), NULL, - NULL), 0); -#endif - ExpectIntEQ(wolfSSL_X509_NAME_digest(NULL, NULL, digest, NULL), 0); - ExpectIntEQ(wolfSSL_X509_NAME_digest(NULL, NULL, NULL, &digestSz), 0); - ExpectIntEQ(wolfSSL_X509_NAME_digest(a, NULL, digest, - &digestSz), 0); -#ifndef NO_SHA256 - ExpectIntEQ(wolfSSL_X509_NAME_digest(NULL, wolfSSL_EVP_sha256(), digest, - &digestSz), 0); - ExpectIntEQ(wolfSSL_X509_NAME_digest(a, wolfSSL_EVP_sha256(), NULL, - &digestSz), 0); - ExpectIntEQ(wolfSSL_X509_NAME_digest(a, 
wolfSSL_EVP_sha256(), digest, - NULL), 1); - ExpectIntEQ(wolfSSL_X509_NAME_digest(a, wolfSSL_EVP_sha256(), digest, - &digestSz), 1); - ExpectTrue(digestSz == 32); -#endif -#else - ExpectIntEQ(wolfSSL_X509_NAME_digest(NULL, NULL, NULL, NULL), - NOT_COMPILED_IN); -#endif -#endif /* OPENSSL_EXTRA */ + ExpectIntEQ(ret = load_file(ca_cert, &cert_buf, &cert_sz), 0); + ExpectIntEQ(ret = wc_PemToDer(cert_buf, (long int)cert_sz, CERT_TYPE, &pDer, NULL, + &info, &eccKey), 0); + wc_FreeDer(&pDer); + pDer = NULL; - tmp = buf; - ExpectIntGT((sz = i2d_X509_NAME((X509_NAME*)a, &tmp)), 0); - if (sz > 0 && tmp == buf) { - fprintf(stderr, "\nERROR - %s line %d failed with:", __FILE__, - __LINE__); - fprintf(stderr, " Expected pointer to be incremented\n"); - abort(); + if (cert_buf != NULL) { + free(cert_buf); + cert_buf = NULL; } -#ifndef OPENSSL_EXTRA_X509_SMALL - tmp = buf; - ExpectNotNull(d2i_name = d2i_X509_NAME(NULL, &tmp, sz)); -#endif + /* Test that -----BEGIN TRUSTED CERTIFICATE----- banner parses OK */ + ExpectIntEQ(ret = load_file(trusted_cert, &cert_buf, &cert_sz), 0); + ExpectIntEQ(ret = wc_PemToDer(cert_buf, (long int)cert_sz, TRUSTED_CERT_TYPE, &pDer, NULL, + &info, &eccKey), 0); + wc_FreeDer(&pDer); + pDer = NULL; - /* if output parameter is NULL, should still return required size. 
*/ - ExpectIntGT((sz = i2d_X509_NAME((X509_NAME*)b, NULL)), 0); - /* retry but with the function creating a buffer */ - tmp = NULL; - ExpectIntGT((sz = i2d_X509_NAME((X509_NAME*)b, &tmp)), 0); - XFREE(tmp, NULL, DYNAMIC_TYPE_OPENSSL); - tmp = NULL; + if (cert_buf != NULL) { + free(cert_buf); + cert_buf = NULL; + } -#ifdef WOLFSSL_CERT_NAME_ALL - /* test for givenName and name */ +#ifdef HAVE_ECC { - WOLFSSL_X509_NAME_ENTRY* entry = NULL; - WOLFSSL_X509_NAME_ENTRY empty; - const byte gName[] = "test-given-name"; - const byte name[] = "test-name"; - - XMEMSET(&empty, 0, sizeof(empty)); - - ExpectNull(wolfSSL_X509_NAME_ENTRY_create_by_NID(NULL, - NID_givenName, ASN_UTF8STRING, NULL, sizeof(gName))); - ExpectNotNull(entry = wolfSSL_X509_NAME_ENTRY_create_by_NID(NULL, - NID_givenName, ASN_UTF8STRING, gName, sizeof(gName))); - ExpectNotNull(wolfSSL_X509_NAME_ENTRY_create_by_NID(&entry, - NID_givenName, ASN_UTF8STRING, gName, sizeof(gName))); - ExpectIntEQ(wolfSSL_X509_NAME_add_entry(NULL , NULL , -1, 0), - 0); - ExpectIntEQ(wolfSSL_X509_NAME_add_entry((X509_NAME*)b, NULL , -1, 0), - 0); - ExpectIntEQ(wolfSSL_X509_NAME_add_entry(NULL , entry , -1, 0), - 0); - ExpectIntEQ(wolfSSL_X509_NAME_add_entry((X509_NAME*)b, &empty, -1, 0), - 0); - ExpectIntEQ(wolfSSL_X509_NAME_add_entry((X509_NAME*)b, entry , 99, 0), - 0); - ExpectIntEQ(wolfSSL_X509_NAME_add_entry((X509_NAME*)b, entry , -1, 0), - 1); - wolfSSL_X509_NAME_ENTRY_free(entry); - entry = NULL; + const char* ecc_private_key = "./certs/ecc-privOnlyKey.pem"; + byte key_buf[256] = {0}; - ExpectNotNull(wolfSSL_X509_NAME_ENTRY_create_by_NID(&entry, - NID_name, ASN_UTF8STRING, name, sizeof(name))); - ExpectIntEQ(wolfSSL_X509_NAME_add_entry((X509_NAME*)b, entry, -1, 0), - 1); - wolfSSL_X509_NAME_ENTRY_free(entry); + /* Test fail of loading a key with cert type */ + ExpectIntEQ(load_file(ecc_private_key, &cert_buf, &cert_sz), 0); + key_buf[0] = '\n'; + ExpectNotNull(XMEMCPY(key_buf + 1, cert_buf, cert_sz)); + ExpectIntNE((ret = 
wc_PemToDer(key_buf, (long int)cert_sz + 1, CERT_TYPE, + &pDer, NULL, &info, &eccKey)), 0); - tmp = NULL; - ExpectIntGT((sz = i2d_X509_NAME((X509_NAME*)b, &tmp)), 0); - XFREE(tmp, NULL, DYNAMIC_TYPE_OPENSSL); + #ifdef OPENSSL_EXTRA + ExpectIntEQ((ret = wc_PemToDer(key_buf, cert_sz + 1, PRIVATEKEY_TYPE, + &pDer, NULL, &info, &eccKey)), 0); + #endif + wc_FreeDer(&pDer); + if (cert_buf != NULL) + free(cert_buf); } #endif - - b = NULL; - ExpectNull(X509_NAME_dup(NULL)); - ExpectNotNull(b = X509_NAME_dup((X509_NAME*)a)); -#ifndef OPENSSL_EXTRA_X509_SMALL - ExpectIntEQ(X509_NAME_cmp(a, b), 0); -#endif - ExpectIntEQ(X509_NAME_entry_count(NULL), 0); - ExpectIntEQ(X509_NAME_entry_count((X509_NAME*)b), 7); - X509_NAME_free((X509_NAME*)b); - ExpectNotNull(b = wolfSSL_X509_NAME_new()); - ExpectIntEQ(X509_NAME_entry_count((X509_NAME*)b), 0); - ExpectIntEQ(wolfSSL_X509_NAME_copy(NULL, NULL), BAD_FUNC_ARG); - ExpectIntEQ(wolfSSL_X509_NAME_copy((X509_NAME*)a, NULL), BAD_FUNC_ARG); - ExpectIntEQ(wolfSSL_X509_NAME_copy(NULL, (X509_NAME*)b), BAD_FUNC_ARG); - ExpectIntEQ(wolfSSL_X509_NAME_copy((X509_NAME*)a, (X509_NAME*)b), 1); - ExpectIntEQ(X509_NAME_entry_count((X509_NAME*)b), 7); - X509_NAME_free((X509_NAME*)b); - X509_NAME_free(d2i_name); - d2i_name = NULL; - X509_free(x509); - -#ifndef OPENSSL_EXTRA_X509_SMALL - /* test with an empty domain component */ - tmp = empty; - sz = sizeof(empty); - ExpectNotNull(d2i_name = d2i_X509_NAME(NULL, &tmp, sz)); - ExpectIntEQ(X509_NAME_entry_count(d2i_name), 2); - - /* size of empty emailAddress will be 0 */ - tmp = buf; - ExpectIntEQ(X509_NAME_get_text_by_NID(d2i_name, NID_emailAddress, - (char*)tmp, sizeof(buf)), 0); - - /* should contain no organization name */ - tmp = buf; - ExpectIntEQ(X509_NAME_get_text_by_NID(d2i_name, NID_organizationName, - (char*)tmp, sizeof(buf)), -1); - X509_NAME_free(d2i_name); -#endif #endif return EXPECT_RESULT(); } -static int test_wolfSSL_X509_NAME_hash(void) +static int test_wc_AllocDer(void) { EXPECT_DECLS; 
-#if defined(OPENSSL_EXTRA) && !defined(NO_FILESYSTEM) && \ - !defined(NO_RSA) && !defined(NO_SHA) && !defined(NO_BIO) - BIO* bio = NULL; - X509* x509 = NULL; - X509_NAME* name = NULL; - - ExpectIntEQ(X509_NAME_hash(NULL), 0); - ExpectNotNull(name = wolfSSL_X509_NAME_new_ex(NULL)); - ExpectIntEQ(X509_NAME_hash(name), 0); - X509_NAME_free(name); +#if !defined(NO_CERTS) + DerBuffer* pDer = NULL; + word32 testSize = 1024; - ExpectNotNull(bio = BIO_new(BIO_s_file())); - ExpectIntGT(BIO_read_filename(bio, svrCertFile), 0); - ExpectNotNull(PEM_read_bio_X509(bio, &x509, NULL, NULL)); - ExpectIntEQ(X509_NAME_hash(X509_get_subject_name(x509)), 0x137DC03F); - ExpectIntEQ(X509_NAME_hash(X509_get_issuer_name(x509)), 0xFDB2DA4); - X509_free(x509); - BIO_free(bio); + ExpectIntEQ(wc_AllocDer(NULL, testSize, CERT_TYPE, HEAP_HINT), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wc_AllocDer(&pDer, testSize, CERT_TYPE, HEAP_HINT), 0); + ExpectNotNull(pDer); + wc_FreeDer(&pDer); #endif return EXPECT_RESULT(); } -static int test_wolfSSL_X509_NAME_print_ex(void) +static int test_wc_CertPemToDer(void) { EXPECT_DECLS; -#if (defined(OPENSSL_ALL) || (defined(OPENSSL_EXTRA) && \ - (defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) || \ - defined(HAVE_LIGHTY) || defined(WOLFSSL_HAPROXY) || \ - defined(WOLFSSL_OPENSSH) || defined(HAVE_SBLIM_SFCB)))) && \ - !defined(NO_BIO) && !defined(NO_RSA) - int memSz = 0; - byte* mem = NULL; - BIO* bio = NULL; - BIO* membio = NULL; - X509* x509 = NULL; - X509_NAME* name = NULL; - X509_NAME* empty = NULL; - - const char* expNormal = "C=US, CN=wolfssl.com"; - const char* expEqSpace = "C = US, CN = wolfssl.com"; - const char* expReverse = "CN=wolfssl.com, C=US"; - - const char* expNotEscaped = "C= US,+\"\\ , CN=#wolfssl.com<>;"; - const char* expNotEscapedRev = "CN=#wolfssl.com<>;, C= US,+\"\\ "; - const char* expRFC5523 = - "CN=\\#wolfssl.com\\<\\>\\;, C=\\ US\\,\\+\\\"\\\\\\ "; - - /* Test with real cert (svrCertFile) first */ - ExpectNotNull(bio = 
BIO_new(BIO_s_file())); - ExpectIntGT(BIO_read_filename(bio, svrCertFile), 0); - ExpectNotNull(PEM_read_bio_X509(bio, &x509, NULL, NULL)); - ExpectNotNull(name = X509_get_subject_name(x509)); - - /* Test without flags */ - ExpectNotNull(membio = BIO_new(BIO_s_mem())); - ExpectNotNull(empty = wolfSSL_X509_NAME_new()); - ExpectIntEQ(X509_NAME_print_ex(NULL, NULL, 0, 0), WOLFSSL_FAILURE); - ExpectIntEQ(X509_NAME_print_ex(membio, NULL, 0, 0), WOLFSSL_FAILURE); - ExpectIntEQ(X509_NAME_print_ex(NULL, name, 0, 0), WOLFSSL_FAILURE); - ExpectIntEQ(X509_NAME_print_ex(membio, empty, 0, 0), WOLFSSL_SUCCESS); - ExpectIntEQ(X509_NAME_print_ex(membio, name, 0, 0), WOLFSSL_SUCCESS); - wolfSSL_X509_NAME_free(empty); - BIO_free(membio); - membio = NULL; - - /* Test flag: XN_FLAG_RFC2253 */ - ExpectNotNull(membio = BIO_new(BIO_s_mem())); - ExpectIntEQ(X509_NAME_print_ex(membio, name, 0, - XN_FLAG_RFC2253), WOLFSSL_SUCCESS); - BIO_free(membio); - membio = NULL; - - /* Test flag: XN_FLAG_RFC2253 | XN_FLAG_DN_REV */ - ExpectNotNull(membio = BIO_new(BIO_s_mem())); - ExpectIntEQ(X509_NAME_print_ex(membio, name, 0, - XN_FLAG_RFC2253 | XN_FLAG_DN_REV), WOLFSSL_SUCCESS); - BIO_free(membio); - membio = NULL; - - X509_free(x509); - BIO_free(bio); - name = NULL; - - /* Test with empty issuer cert empty-issuer-cert.pem. - * See notes in certs/test/gen-testcerts.sh for how it was generated. 
*/ - ExpectNotNull(bio = BIO_new(BIO_s_file())); - ExpectIntGT(BIO_read_filename(bio, noIssuerCertFile), 0); - ExpectNotNull(PEM_read_bio_X509(bio, &x509, NULL, NULL)); - ExpectNotNull(name = X509_get_subject_name(x509)); - - ExpectNotNull(membio = BIO_new(BIO_s_mem())); - ExpectIntEQ(X509_NAME_print_ex(membio, name, 0, 0), WOLFSSL_SUCCESS); - /* Should be empty string "" */ - ExpectIntEQ((memSz = BIO_get_mem_data(membio, &mem)), 0); - - BIO_free(membio); - membio = NULL; - X509_free(x509); - BIO_free(bio); - name = NULL; - - /* Test normal case without escaped characters */ - { - /* Create name: "/C=US/CN=wolfssl.com" */ - ExpectNotNull(name = X509_NAME_new()); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", - MBSTRING_UTF8, (byte*)"US", 2, -1, 0), - WOLFSSL_SUCCESS); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", - MBSTRING_UTF8, (byte*)"wolfssl.com", 11, -1, 0), - WOLFSSL_SUCCESS); - - /* Test without flags */ - ExpectNotNull(membio = BIO_new(BIO_s_mem())); - ExpectIntEQ(X509_NAME_print_ex(membio, name, 0, 0), WOLFSSL_SUCCESS); - ExpectIntGE((memSz = BIO_get_mem_data(membio, &mem)), 0); - ExpectIntEQ(memSz, XSTRLEN(expNormal)); - ExpectIntEQ(XSTRNCMP((char*)mem, expNormal, XSTRLEN(expNormal)), 0); - BIO_free(membio); - membio = NULL; - - /* Test with XN_FLAG_ONELINE which should enable XN_FLAG_SPC_EQ for - spaces around '=' */ - ExpectNotNull(membio = BIO_new(BIO_s_mem())); - ExpectIntEQ(X509_NAME_print_ex(membio, name, 0, XN_FLAG_ONELINE), - WOLFSSL_SUCCESS); - ExpectIntGE((memSz = BIO_get_mem_data(membio, &mem)), 0); - ExpectIntEQ(memSz, XSTRLEN(expEqSpace)); - ExpectIntEQ(XSTRNCMP((char*)mem, expEqSpace, XSTRLEN(expEqSpace)), 0); - BIO_free(membio); - membio = NULL; - - /* Test flags: XN_FLAG_RFC2253 - should be reversed */ - ExpectNotNull(membio = BIO_new(BIO_s_mem())); - ExpectIntEQ(X509_NAME_print_ex(membio, name, 0, - XN_FLAG_RFC2253), WOLFSSL_SUCCESS); - ExpectIntGE((memSz = BIO_get_mem_data(membio, &mem)), 0); - 
ExpectIntEQ(memSz, XSTRLEN(expReverse)); - BIO_free(membio); - membio = NULL; - - /* Test flags: XN_FLAG_DN_REV - reversed */ - ExpectNotNull(membio = BIO_new(BIO_s_mem())); - ExpectIntEQ(X509_NAME_print_ex(membio, name, 0, - XN_FLAG_DN_REV), WOLFSSL_SUCCESS); - ExpectIntGE((memSz = BIO_get_mem_data(membio, &mem)), 0); - ExpectIntEQ(memSz, XSTRLEN(expReverse)); - ExpectIntEQ(XSTRNCMP((char*)mem, expReverse, XSTRLEN(expReverse)), 0); - BIO_free(membio); - membio = NULL; - - X509_NAME_free(name); - name = NULL; - } - - /* Test RFC2253 characters are escaped with backslashes */ - { - ExpectNotNull(name = X509_NAME_new()); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", - /* space at beginning and end, and: ,+"\ */ - MBSTRING_UTF8, (byte*)" US,+\"\\ ", 8, -1, 0), - WOLFSSL_SUCCESS); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", - /* # at beginning, and: <>;*/ - MBSTRING_UTF8, (byte*)"#wolfssl.com<>;", 15, -1, 0), - WOLFSSL_SUCCESS); - - /* Test without flags */ - ExpectNotNull(membio = BIO_new(BIO_s_mem())); - ExpectIntEQ(X509_NAME_print_ex(membio, name, 0, 0), WOLFSSL_SUCCESS); - ExpectIntGE((memSz = BIO_get_mem_data(membio, &mem)), 0); - ExpectIntEQ(memSz, XSTRLEN(expNotEscaped)); - ExpectIntEQ(XSTRNCMP((char*)mem, expNotEscaped, - XSTRLEN(expNotEscaped)), 0); - BIO_free(membio); - membio = NULL; +#if !defined(NO_CERTS) && defined(WOLFSSL_PEM_TO_DER) && !defined(NO_FILESYSTEM) + const char* ca_cert = "./certs/ca-cert.pem"; + byte* cert_buf = NULL; + size_t cert_sz = 0; + size_t cert_dersz = 0; + byte* cert_der = NULL; - /* Test flags: XN_FLAG_RFC5523 - should be reversed and escaped */ - ExpectNotNull(membio = BIO_new(BIO_s_mem())); - ExpectIntEQ(X509_NAME_print_ex(membio, name, 0, - XN_FLAG_RFC2253), WOLFSSL_SUCCESS); - ExpectIntGE((memSz = BIO_get_mem_data(membio, &mem)), 0); - ExpectIntEQ(memSz, XSTRLEN(expRFC5523)); - ExpectIntEQ(XSTRNCMP((char*)mem, expRFC5523, XSTRLEN(expRFC5523)), 0); - BIO_free(membio); - membio = NULL; + 
ExpectIntEQ(load_file(ca_cert, &cert_buf, &cert_sz), 0);
+ cert_dersz = cert_sz; /* DER will be smaller than PEM */
+ ExpectNotNull(cert_der = (byte*)malloc(cert_dersz));
+ ExpectIntGE(wc_CertPemToDer(cert_buf, (int)cert_sz, cert_der,
+ (int)cert_dersz, CERT_TYPE), 0);
- /* Test flags: XN_FLAG_DN_REV - reversed but not escaped */
- ExpectNotNull(membio = BIO_new(BIO_s_mem()));
- ExpectIntEQ(X509_NAME_print_ex(membio, name, 0,
- XN_FLAG_DN_REV), WOLFSSL_SUCCESS);
- ExpectIntGE((memSz = BIO_get_mem_data(membio, &mem)), 0);
- ExpectIntEQ(memSz, XSTRLEN(expNotEscapedRev));
- ExpectIntEQ(XSTRNCMP((char*)mem, expNotEscapedRev,
- XSTRLEN(expNotEscapedRev)), 0);
- BIO_free(membio);
+ ExpectIntEQ(wc_CertPemToDer(NULL, (int)cert_sz, NULL, -1, CERT_TYPE),
+ WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+ ExpectIntEQ(wc_CertPemToDer(cert_buf, (int)cert_sz, NULL, -1, CERT_TYPE),
+ WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+ ExpectIntEQ(wc_CertPemToDer(NULL, (int)cert_sz, cert_der, -1, CERT_TYPE),
+ WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+ ExpectIntEQ(wc_CertPemToDer(NULL, (int)cert_sz, NULL, (int)cert_dersz,
+ CERT_TYPE), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+ ExpectIntEQ(wc_CertPemToDer(NULL, (int)cert_sz, cert_der,
+ (int)cert_dersz, CERT_TYPE), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+ ExpectIntEQ(wc_CertPemToDer(cert_buf, (int)cert_sz, NULL,
+ (int)cert_dersz, CERT_TYPE), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+ ExpectIntEQ(wc_CertPemToDer(cert_buf, (int)cert_sz, cert_der, -1,
+ CERT_TYPE), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
- X509_NAME_free(name);
- }
+ if (cert_der != NULL)
+ free(cert_der);
+ if (cert_buf != NULL)
+ free(cert_buf);
 #endif
 return EXPECT_RESULT();
 }
-#ifndef NO_BIO
-static int test_wolfSSL_X509_INFO_multiple_info(void)
+static int test_wc_KeyPemToDer(void)
 {
 EXPECT_DECLS;
-#if defined(OPENSSL_ALL) && !defined(NO_RSA)
- STACK_OF(X509_INFO) *info_stack = NULL;
- X509_INFO *info = NULL;
- int len;
- int i;
- const char* files[] = {
- cliCertFile,
- cliKeyFile,
- /* This needs to be the order as svrCertFile
contains the
- * intermediate cert as well. */
- svrKeyFile,
- svrCertFile,
- NULL,
- };
- const char** curFile;
- BIO *fileBIO = NULL;
- BIO *concatBIO = NULL;
- byte tmp[FOURK_BUF];
-
- /* concatenate the cert and the key file to force PEM_X509_INFO_read_bio
- * to group objects together. */
- ExpectNotNull(concatBIO = BIO_new(BIO_s_mem()));
- for (curFile = files; EXPECT_SUCCESS() && *curFile != NULL; curFile++) {
- int fileLen = 0;
- ExpectNotNull(fileBIO = BIO_new_file(*curFile, "rb"));
- ExpectIntGT(fileLen = wolfSSL_BIO_get_len(fileBIO), 0);
- if (EXPECT_SUCCESS()) {
- while ((len = BIO_read(fileBIO, tmp, sizeof(tmp))) > 0) {
- ExpectIntEQ(BIO_write(concatBIO, tmp, len), len);
- fileLen -= len;
- if (EXPECT_FAIL())
- break;
- }
- /* Make sure we read the entire file */
- ExpectIntEQ(fileLen, 0);
- }
- BIO_free(fileBIO);
- fileBIO = NULL;
- }
+#if defined(WOLFSSL_PEM_TO_DER) && !defined(NO_FILESYSTEM) && !defined(NO_RSA)
+ int ret = 0;
+ const byte cert_buf[] = \
+ "-----BEGIN PRIVATE KEY-----\n"
+ "MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDMG5KgWxP002pA\n"
+ "QJIdA4H5N0oM1Wf0LrHcos5RYUlrHDkC2b5p2BUpVRPmgDAFD2+8leim98x0BvcB\n"
+ "k48TNzrVynuwyVEY664+iQyzEBO5v27HPRydOddprbLCvRO036XINGIjauy1jHFi\n"
+ "HaDVx3bexSwgp9aefUGAszFXi4q1J4GacV7Cr2b/wBqUHqWv4ZXPu6R9/UYngTkD\n"
+ "UDJL5gLlLfcLzNyyodKPHPCIAKdWn6mSVdcHk8XVpK4y9lgz4E7YDWA6ohKZgWgG\n"
+ "2RDha8CMilFMDgYa0G0SiS9g3PQx0qh3AMXJJsKSVhScFCZufAE0kV6KvjP7jAqP\n"
+ "XBiSkRGPAgMBAAECggEAW7hmRyY2jRX2UMJThrM9VIs6fRLnYI0dQ0tsEJj536ay\n"
+ "nevQjArc05KWW0Yujg+WRDZPcry3RUqd9Djlmhp/F3Si6dpF1b+PMS3wJYVrf9Sd\n"
+ "SO5W7faArU4vnyBNe0HnY1Ta5xSVI65lg1RSIs88RTZwsooJwXYDGf0shq0/21CE\n"
+ "V8HOb27DDYNcEnm35lzaONjFnMqQQT2Vs9anRrPiSEXNleEvTgLVXZtGTyCGTz6v\n"
+ "x86Y8eSWL9YNHvPE1I+mDPuocfSR7eRNgRu7SK3mn94W5mqd7Ns072YKX/2XN1mO\n"
+ "66+ZFHO6v4dK1u7cSjuwrU1EhLHpUsgDz6Bna5InyQKBgQDv5l8RPy8UneKSADaf\n"
+ "M5L/5675I/5t4nqVjvbnQje00YveLTAEjlJBNR93Biln3sYgnvNamYDCxyEuUZ/I\n"
+
"S/vmBL9PoxfGZow4FcsIBOEbIn3E0SYJgCBNWthquUvGpKsYDnThJuhO+1cVmxAJ\n"
+ "BUOjLFnJYHM0a+Vmk9GexT2OBwKBgQDZzkUBOK7Im3eiYytFocUJyhqMH30d49X9\n"
+ "ujC7kGw4UWAqVe7YCSvlBa8nzWpRWK2kRpu3M0272RU0V4geyWqT+nr/SvRRPtNP\n"
+ "F5dY8l3yR7hjtSejqqjOfBcZT6ETJxI4tiG0+Nl5BlfM5M+0nxnkWpRcHuOR3j79\n"
+ "YUFERyN+OQKBgQCjlOKeUAc6d65W/+4/AFvsQ378Q57qLtSHxsR1TKHPmlNVXFqx\n"
+ "wJo1/JNIBduWCEHxXHF0BdfW+RGXE/FwEt/hKLuLAhrkHmjelX2sKieU6R/5ZOQa\n"
+ "9lMQbDHGFDOncAF6leD85hriQGBRSzrT69MDIOrYdfwYcroqCAGX0cb3YQKBgQC8\n"
+ "iIFQylj5SyHmjcMSNjKSA8CxFDzAV8yPIdE3Oo+CvGXqn5HsrRuy1hXE9VmXapR8\n"
+ "A6ackSszdHiXY0FvrNe1mfdH7wDHJwPQjdIzazCJHS3uGQxj7sDKY7226ie6pXJv\n"
+ "ZrCMr2/IBAaSVGm6ppHKCeIsT4ybYm7R85KEYLPHeQKBgBeJOMBinXQfWN/1jT9b\n"
+ "6Ywrutvp2zP8hVxQGSZJ0WG4iewZyFLsPUlbWRXOSYNPElHmdD0ZomdLVm+lSpAA\n"
+ "XSH5FJ/IFCwqq7Eft6Gf8NFRV+NjPMUny+PnjHe4oFP8YK/Ek22K3ttNG8Hw69Aw\n"
+ "AQue5o6oVfhgLiJzMdo/77gw\n"
+ "-----END PRIVATE KEY-----\n";
+ const int cert_sz = sizeof(cert_buf);
+ const char cert_pw[] = "password";
+ int cert_dersz = 0;
+ byte* cert_der = NULL;
- ExpectNotNull(info_stack = PEM_X509_INFO_read_bio(concatBIO, NULL, NULL,
- NULL));
- ExpectIntEQ(sk_X509_INFO_num(info_stack), 3);
- for (i = 0; i < sk_X509_INFO_num(info_stack); i++) {
- ExpectNotNull(info = sk_X509_INFO_value(info_stack, i));
- ExpectNotNull(info->x509);
- ExpectNull(info->crl);
- if (i != 2) {
- ExpectNotNull(info->x_pkey);
- ExpectIntEQ(X509_check_private_key(info->x509,
- info->x_pkey->dec_pkey), 1);
- }
- else {
- ExpectNull(info->x_pkey);
- }
+ /* Bad arg: Cert buffer is NULL */
+ ExpectIntEQ(wc_KeyPemToDer(NULL, cert_sz, cert_der, cert_dersz, ""),
+ WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+
+ /* Bad arg: Cert DER buffer non-NULL but size zero (or less) */
+ ExpectIntEQ(wc_KeyPemToDer(cert_buf, cert_sz, (byte*)&cert_der, 0, ""),
+ WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+
+ /* Test normal operation */
+ cert_dersz = cert_sz; /* DER will be smaller than PEM */
+ ExpectNotNull(cert_der = (byte*)malloc((size_t)cert_dersz));
+
ExpectIntGE(ret = wc_KeyPemToDer(cert_buf, cert_sz, cert_der, cert_dersz,
+ cert_pw), 0);
+ ExpectIntLE(ret, cert_sz);
+ if (cert_der != NULL) {
+ free(cert_der);
+ cert_der = NULL;
 }
- sk_X509_INFO_pop_free(info_stack, X509_INFO_free);
- BIO_free(concatBIO);
+ /* Test NULL for DER buffer to return needed DER buffer size */
+ ExpectIntGT(ret = wc_KeyPemToDer(cert_buf, cert_sz, NULL, 0, ""), 0);
+ ExpectIntLE(ret, cert_sz);
+ if (EXPECT_SUCCESS())
+ cert_dersz = ret;
+ ExpectNotNull(cert_der = (byte*)malloc((size_t)cert_dersz));
+ ExpectIntGE(ret = wc_KeyPemToDer(cert_buf, cert_sz, cert_der, cert_dersz,
+ cert_pw), 0);
+ ExpectIntLE(ret, cert_sz);
+ if (cert_der != NULL)
+ free(cert_der);
 #endif
 return EXPECT_RESULT();
 }
-#endif
-#ifndef NO_BIO
-static int test_wolfSSL_X509_INFO(void)
-{
- EXPECT_DECLS;
-#if defined(OPENSSL_ALL) && !defined(NO_RSA)
- STACK_OF(X509_INFO) *info_stack = NULL;
- X509_INFO *info = NULL;
- BIO *cert = NULL;
- int i;
- /* PEM in hex format to avoid null terminator */
- byte data[] = {
- 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x42, 0x45, 0x47,
- 0x49, 0x4e, 0x20, 0x43, 0x45, 0x52, 0x54, 0x63, 0x2d, 0x2d, 0x2d, 0x2d,
- 0x2d, 0x0a, 0x4d, 0x49, 0x49, 0x44, 0x4d, 0x54, 0x42, 0x75, 0x51, 0x3d,
- 0x0a, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x45, 0x4e, 0x44, 0x20, 0x2d, 0x2d,
- 0x2d, 0x2d, 0x2d
- };
- /* PEM in hex format to avoid null terminator */
- byte data2[] = {
- 0x41, 0x53, 0x4e, 0x31, 0x20, 0x4f, 0x49, 0x44, 0x3a, 0x20, 0x70, 0x72,
- 0x69, 0x6d, 0x65, 0x32, 0x35, 0x36, 0x76, 0x31, 0x0a, 0x2d, 0x2d, 0x2d,
- 0x2d, 0x2d, 0x42, 0x45, 0x47, 0x49, 0x4e, 0x20, 0x45, 0x43, 0x20, 0x50,
- 0x41, 0x52, 0x41, 0x4d, 0x45, 0x54, 0x45, 0x52, 0x53, 0x2d, 0x2d, 0x2d,
- 0x2d, 0x43, 0x65, 0x72, 0x74, 0x69, 0x2d, 0x0a, 0x42, 0x67, 0x67, 0x71,
- 0x68, 0x6b, 0x6a, 0x4f, 0x50, 0x51, 0x4d, 0x42, 0x42, 0x77, 0x3d, 0x3d,
- 0x0a, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d
- };
-
- ExpectNotNull(cert = BIO_new_file(cliCertFileExt, "rb"));
- ExpectNotNull(info_stack =
PEM_X509_INFO_read_bio(cert, NULL, NULL, NULL)); - for (i = 0; i < sk_X509_INFO_num(info_stack); i++) { - ExpectNotNull(info = sk_X509_INFO_value(info_stack, i)); - ExpectNotNull(info->x509); - ExpectNull(info->crl); - ExpectNull(info->x_pkey); - } - sk_X509_INFO_pop_free(info_stack, X509_INFO_free); - info_stack = NULL; - BIO_free(cert); - cert = NULL; - - ExpectNotNull(cert = BIO_new_file(cliCertFileExt, "rb")); - ExpectNotNull(info_stack = PEM_X509_INFO_read_bio(cert, NULL, NULL, NULL)); - sk_X509_INFO_pop_free(info_stack, X509_INFO_free); - info_stack = NULL; - BIO_free(cert); - cert = NULL; - - /* This case should fail due to invalid input. */ - ExpectNotNull(cert = BIO_new(BIO_s_mem())); - ExpectIntEQ(BIO_write(cert, data, sizeof(data)), sizeof(data)); - ExpectNull(info_stack = PEM_X509_INFO_read_bio(cert, NULL, NULL, NULL)); - sk_X509_INFO_pop_free(info_stack, X509_INFO_free); - info_stack = NULL; - BIO_free(cert); - cert = NULL; - ExpectNotNull(cert = BIO_new(BIO_s_mem())); - ExpectIntEQ(BIO_write(cert, data2, sizeof(data2)), sizeof(data2)); - ExpectNull(info_stack = PEM_X509_INFO_read_bio(cert, NULL, NULL, NULL)); - sk_X509_INFO_pop_free(info_stack, X509_INFO_free); - BIO_free(cert); -#endif - return EXPECT_RESULT(); -} -#endif - -static int test_wolfSSL_X509_subject_name_hash(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_FILESYSTEM) && \ - !defined(NO_RSA) && (!defined(NO_SHA) || !defined(NO_SHA256)) - X509* x509 = NULL; - X509_NAME* subjectName = NULL; - unsigned long ret1 = 0; - unsigned long ret2 = 0; - - ExpectNotNull(x509 = X509_new()); - ExpectIntEQ(X509_subject_name_hash(NULL), 0); - ExpectIntEQ(X509_subject_name_hash(x509), 0); - X509_free(x509); - x509 = NULL; - - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFile, - SSL_FILETYPE_PEM)); - ExpectNotNull(subjectName = wolfSSL_X509_get_subject_name(x509)); - - /* These two - * - X509_subject_name_hash(x509) - * - 
X509_NAME_hash(X509_get_subject_name(x509)) - * should give the same hash, if !defined(NO_SHA) is true. */ - - ret1 = X509_subject_name_hash(x509); - ExpectIntNE(ret1, 0); - -#if !defined(NO_SHA) - ret2 = X509_NAME_hash(X509_get_subject_name(x509)); - ExpectIntNE(ret2, 0); - - ExpectIntEQ(ret1, ret2); -#else - (void) ret2; -#endif - - X509_free(x509); -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_X509_issuer_name_hash(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_FILESYSTEM) \ - && !defined(NO_RSA) && (!defined(NO_SHA) || !defined(NO_SHA256)) - X509* x509 = NULL; - X509_NAME* issuertName = NULL; - unsigned long ret1 = 0; - unsigned long ret2 = 0; - - ExpectNotNull(x509 = X509_new()); - ExpectIntEQ(X509_issuer_name_hash(NULL), 0); - ExpectIntEQ(X509_issuer_name_hash(x509), 0); - X509_free(x509); - x509 = NULL; - - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFile, - SSL_FILETYPE_PEM)); - ExpectNotNull(issuertName = wolfSSL_X509_get_issuer_name(x509)); - - /* These two - * - X509_issuer_name_hash(x509) - * - X509_NAME_hash(X509_get_issuer_name(x509)) - * should give the same hash, if !defined(NO_SHA) is true. 
*/ - - ret1 = X509_issuer_name_hash(x509); - ExpectIntNE(ret1, 0); - -#if !defined(NO_SHA) - ret2 = X509_NAME_hash(X509_get_issuer_name(x509)); - ExpectIntNE(ret2, 0); - - ExpectIntEQ(ret1, ret2); -#else - (void) ret2; -#endif - - X509_free(x509); -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_X509_check_host(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_FILESYSTEM) \ - && !defined(NO_SHA) && !defined(NO_RSA) - X509* x509 = NULL; - const char altName[] = "example.com"; - const char badAltName[] = "a.example.com"; - - ExpectIntEQ(X509_check_host(NULL, NULL, XSTRLEN(altName), 0, NULL), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - - /* cliCertFile has subjectAltName set to 'example.com', '127.0.0.1' */ - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFile, - SSL_FILETYPE_PEM)); - - ExpectIntEQ(X509_check_host(x509, altName, XSTRLEN(altName), 0, NULL), - WOLFSSL_SUCCESS); - - ExpectIntEQ(X509_check_host(x509, badAltName, XSTRLEN(badAltName), 0, NULL), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - - ExpectIntEQ(X509_check_host(x509, NULL, 0, 0, NULL), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - - /* Check WOLFSSL_LEFT_MOST_WILDCARD_ONLY flag set */ - ExpectIntEQ(X509_check_host(x509, altName, XSTRLEN(altName), - WOLFSSL_LEFT_MOST_WILDCARD_ONLY, NULL), WOLFSSL_SUCCESS); - - ExpectIntEQ(X509_check_host(x509, NULL, 0, - WOLFSSL_LEFT_MOST_WILDCARD_ONLY, NULL), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - - ExpectIntEQ(X509_check_host(x509, badAltName, XSTRLEN(badAltName), - WOLFSSL_LEFT_MOST_WILDCARD_ONLY, NULL), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - - ExpectIntEQ(wolfSSL_X509_check_host(x509, altName, XSTRLEN(altName), - WOLFSSL_NO_WILDCARDS, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_X509_check_host(x509, altName, XSTRLEN(altName), - WOLFSSL_NO_PARTIAL_WILDCARDS, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_X509_check_host(x509, altName, XSTRLEN(altName), - 
WOLFSSL_MULTI_LABEL_WILDCARDS, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - - X509_free(x509); - - ExpectIntEQ(X509_check_host(NULL, altName, XSTRLEN(altName), 0, NULL), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - - /* Check again with WOLFSSL_LEFT_MOST_WILDCARD_ONLY flag set */ - ExpectIntEQ(X509_check_host(NULL, altName, XSTRLEN(altName), - WOLFSSL_LEFT_MOST_WILDCARD_ONLY, NULL), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_X509_check_email(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_CERT_GEN) && !defined(NO_RSA) - X509* x509 = NULL; - X509* empty = NULL; - const char goodEmail[] = "info@wolfssl.com"; - const char badEmail[] = "disinfo@wolfssl.com"; - - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFile, - SSL_FILETYPE_PEM)); - ExpectNotNull(empty = wolfSSL_X509_new()); - - ExpectIntEQ(wolfSSL_X509_check_email(NULL, NULL, 0, 0), 0); - ExpectIntEQ(wolfSSL_X509_check_email(x509, NULL, 0, 0), 0); - ExpectIntEQ(wolfSSL_X509_check_email(NULL, goodEmail, XSTRLEN(goodEmail), - 0), 0); - ExpectIntEQ(wolfSSL_X509_check_email(empty, goodEmail, XSTRLEN(goodEmail), - 0), 0); - - /* Should fail on non-matching email address */ - ExpectIntEQ(wolfSSL_X509_check_email(x509, badEmail, XSTRLEN(badEmail), 0), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - /* Should succeed on matching email address */ - ExpectIntEQ(wolfSSL_X509_check_email(x509, goodEmail, XSTRLEN(goodEmail), 0), - WOLFSSL_SUCCESS); - /* Should compute length internally when not provided */ - ExpectIntEQ(wolfSSL_X509_check_email(x509, goodEmail, 0, 0), - WOLFSSL_SUCCESS); - /* Should fail when email address is NULL */ - ExpectIntEQ(wolfSSL_X509_check_email(x509, NULL, 0, 0), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - - X509_free(empty); - X509_free(x509); - - /* Should fail when x509 is NULL */ - ExpectIntEQ(wolfSSL_X509_check_email(NULL, goodEmail, 0, 0), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); -#endif /* OPENSSL_EXTRA && 
WOLFSSL_CERT_GEN */ - return EXPECT_RESULT(); -} - -static int test_wc_PemToDer(void) -{ - EXPECT_DECLS; -#if !defined(NO_CERTS) && defined(WOLFSSL_PEM_TO_DER) && !defined(NO_FILESYSTEM) - int ret; - DerBuffer* pDer = NULL; - const char* ca_cert = "./certs/server-cert.pem"; - const char* trusted_cert = "./certs/test/ossl-trusted-cert.pem"; - byte* cert_buf = NULL; - size_t cert_sz = 0; - int eccKey = 0; - EncryptedInfo info; - - XMEMSET(&info, 0, sizeof(info)); - - ExpectIntEQ(ret = load_file(ca_cert, &cert_buf, &cert_sz), 0); - ExpectIntEQ(ret = wc_PemToDer(cert_buf, (long int)cert_sz, CERT_TYPE, &pDer, NULL, - &info, &eccKey), 0); - wc_FreeDer(&pDer); - pDer = NULL; - - if (cert_buf != NULL) { - free(cert_buf); - cert_buf = NULL; - } - - /* Test that -----BEGIN TRUSTED CERTIFICATE----- banner parses OK */ - ExpectIntEQ(ret = load_file(trusted_cert, &cert_buf, &cert_sz), 0); - ExpectIntEQ(ret = wc_PemToDer(cert_buf, (long int)cert_sz, TRUSTED_CERT_TYPE, &pDer, NULL, - &info, &eccKey), 0); - wc_FreeDer(&pDer); - pDer = NULL; - - if (cert_buf != NULL) { - free(cert_buf); - cert_buf = NULL; - } - -#ifdef HAVE_ECC - { - const char* ecc_private_key = "./certs/ecc-privOnlyKey.pem"; - byte key_buf[256] = {0}; - - /* Test fail of loading a key with cert type */ - ExpectIntEQ(load_file(ecc_private_key, &cert_buf, &cert_sz), 0); - key_buf[0] = '\n'; - ExpectNotNull(XMEMCPY(key_buf + 1, cert_buf, cert_sz)); - ExpectIntNE((ret = wc_PemToDer(key_buf, (long int)cert_sz + 1, CERT_TYPE, - &pDer, NULL, &info, &eccKey)), 0); - - #ifdef OPENSSL_EXTRA - ExpectIntEQ((ret = wc_PemToDer(key_buf, cert_sz + 1, PRIVATEKEY_TYPE, - &pDer, NULL, &info, &eccKey)), 0); - #endif - wc_FreeDer(&pDer); - if (cert_buf != NULL) - free(cert_buf); - } -#endif -#endif - return EXPECT_RESULT(); -} - -static int test_wc_AllocDer(void) -{ - EXPECT_DECLS; -#if !defined(NO_CERTS) - DerBuffer* pDer = NULL; - word32 testSize = 1024; - - ExpectIntEQ(wc_AllocDer(NULL, testSize, CERT_TYPE, HEAP_HINT), - 
WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wc_AllocDer(&pDer, testSize, CERT_TYPE, HEAP_HINT), 0); - ExpectNotNull(pDer); - wc_FreeDer(&pDer); -#endif - return EXPECT_RESULT(); -} - -static int test_wc_CertPemToDer(void) -{ - EXPECT_DECLS; -#if !defined(NO_CERTS) && defined(WOLFSSL_PEM_TO_DER) && !defined(NO_FILESYSTEM) - const char* ca_cert = "./certs/ca-cert.pem"; - byte* cert_buf = NULL; - size_t cert_sz = 0; - size_t cert_dersz = 0; - byte* cert_der = NULL; - - ExpectIntEQ(load_file(ca_cert, &cert_buf, &cert_sz), 0); - cert_dersz = cert_sz; /* DER will be smaller than PEM */ - ExpectNotNull(cert_der = (byte*)malloc(cert_dersz)); - ExpectIntGE(wc_CertPemToDer(cert_buf, (int)cert_sz, cert_der, - (int)cert_dersz, CERT_TYPE), 0); - - ExpectIntEQ(wc_CertPemToDer(NULL, (int)cert_sz, NULL, -1, CERT_TYPE), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wc_CertPemToDer(cert_buf, (int)cert_sz, NULL, -1, CERT_TYPE), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wc_CertPemToDer(NULL, (int)cert_sz, cert_der, -1, CERT_TYPE), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wc_CertPemToDer(NULL, (int)cert_sz, NULL, (int)cert_dersz, - CERT_TYPE), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wc_CertPemToDer(NULL, (int)cert_sz, cert_der, - (int)cert_dersz, CERT_TYPE), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wc_CertPemToDer(cert_buf, (int)cert_sz, NULL, - (int)cert_dersz, CERT_TYPE), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wc_CertPemToDer(cert_buf, (int)cert_sz, cert_der, -1, - CERT_TYPE), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - - if (cert_der != NULL) - free(cert_der); - if (cert_buf != NULL) - free(cert_buf); -#endif - return EXPECT_RESULT(); -} - -static int test_wc_KeyPemToDer(void) -{ - EXPECT_DECLS; -#if defined(WOLFSSL_PEM_TO_DER) && !defined(NO_FILESYSTEM) && !defined(NO_RSA) - int ret = 0; - const byte cert_buf[] = \ - "-----BEGIN PRIVATE KEY-----\n" - "MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDMG5KgWxP002pA\n" - 
"QJIdA4H5N0oM1Wf0LrHcos5RYUlrHDkC2b5p2BUpVRPmgDAFD2+8leim98x0BvcB\n" - "k48TNzrVynuwyVEY664+iQyzEBO5v27HPRydOddprbLCvRO036XINGIjauy1jHFi\n" - "HaDVx3bexSwgp9aefUGAszFXi4q1J4GacV7Cr2b/wBqUHqWv4ZXPu6R9/UYngTkD\n" - "UDJL5gLlLfcLzNyyodKPHPCIAKdWn6mSVdcHk8XVpK4y9lgz4E7YDWA6ohKZgWgG\n" - "2RDha8CMilFMDgYa0G0SiS9g3PQx0qh3AMXJJsKSVhScFCZufAE0kV6KvjP7jAqP\n" - "XBiSkRGPAgMBAAECggEAW7hmRyY2jRX2UMJThrM9VIs6fRLnYI0dQ0tsEJj536ay\n" - "nevQjArc05KWW0Yujg+WRDZPcry3RUqd9Djlmhp/F3Si6dpF1b+PMS3wJYVrf9Sd\n" - "SO5W7faArU4vnyBNe0HnY1Ta5xSVI65lg1RSIs88RTZwsooJwXYDGf0shq0/21CE\n" - "V8HOb27DDYNcEnm35lzaONjFnMqQQT2Vs9anRrPiSEXNleEvTgLVXZtGTyCGTz6v\n" - "x86Y8eSWL9YNHvPE1I+mDPuocfSR7eRNgRu7SK3mn94W5mqd7Ns072YKX/2XN1mO\n" - "66+ZFHO6v4dK1u7cSjuwrU1EhLHpUsgDz6Bna5InyQKBgQDv5l8RPy8UneKSADaf\n" - "M5L/5675I/5t4nqVjvbnQje00YveLTAEjlJBNR93Biln3sYgnvNamYDCxyEuUZ/I\n" - "S/vmBL9PoxfGZow4FcsIBOEbIn3E0SYJgCBNWthquUvGpKsYDnThJuhO+1cVmxAJ\n" - "BUOjLFnJYHM0a+Vmk9GexT2OBwKBgQDZzkUBOK7Im3eiYytFocUJyhqMH30d49X9\n" - "ujC7kGw4UWAqVe7YCSvlBa8nzWpRWK2kRpu3M0272RU0V4geyWqT+nr/SvRRPtNP\n" - "F5dY8l3yR7hjtSejqqjOfBcZT6ETJxI4tiG0+Nl5BlfM5M+0nxnkWpRcHuOR3j79\n" - "YUFERyN+OQKBgQCjlOKeUAc6d65W/+4/AFvsQ378Q57qLtSHxsR1TKHPmlNVXFqx\n" - "wJo1/JNIBduWCEHxXHF0BdfW+RGXE/FwEt/hKLuLAhrkHmjelX2sKieU6R/5ZOQa\n" - "9lMQbDHGFDOncAF6leD85hriQGBRSzrT69MDIOrYdfwYcroqCAGX0cb3YQKBgQC8\n" - "iIFQylj5SyHmjcMSNjKSA8CxFDzAV8yPIdE3Oo+CvGXqn5HsrRuy1hXE9VmXapR8\n" - "A6ackSszdHiXY0FvrNe1mfdH7wDHJwPQjdIzazCJHS3uGQxj7sDKY7226ie6pXJv\n" - "ZrCMr2/IBAaSVGm6ppHKCeIsT4ybYm7R85KEYLPHeQKBgBeJOMBinXQfWN/1jT9b\n" - "6Ywrutvp2zP8hVxQGSZJ0WG4iewZyFLsPUlbWRXOSYNPElHmdD0ZomdLVm+lSpAA\n" - "XSH5FJ/IFCwqq7Eft6Gf8NFRV+NjPMUny+PnjHe4oFP8YK/Ek22K3ttNG8Hw69Aw\n" - "AQue5o6oVfhgLiJzMdo/77gw\n" - "-----END PRIVATE KEY-----\n"; - const int cert_sz = sizeof(cert_buf); - const char cert_pw[] = "password"; - int cert_dersz = 0; - byte* cert_der = NULL; - - /* Bad arg: Cert buffer is NULL */ - ExpectIntEQ(wc_KeyPemToDer(NULL, cert_sz, cert_der, cert_dersz, ""), 
- WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - - /* Bad arg: Cert DER buffer non-NULL but size zero (or less) */ - ExpectIntEQ(wc_KeyPemToDer(cert_buf, cert_sz, (byte*)&cert_der, 0, ""), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - - /* Test normal operation */ - cert_dersz = cert_sz; /* DER will be smaller than PEM */ - ExpectNotNull(cert_der = (byte*)malloc((size_t)cert_dersz)); - ExpectIntGE(ret = wc_KeyPemToDer(cert_buf, cert_sz, cert_der, cert_dersz, - cert_pw), 0); - ExpectIntLE(ret, cert_sz); - if (cert_der != NULL) { - free(cert_der); - cert_der = NULL; - } - - /* Test NULL for DER buffer to return needed DER buffer size */ - ExpectIntGT(ret = wc_KeyPemToDer(cert_buf, cert_sz, NULL, 0, ""), 0); - ExpectIntLE(ret, cert_sz); - if (EXPECT_SUCCESS()) - cert_dersz = ret; - ExpectNotNull(cert_der = (byte*)malloc((size_t)cert_dersz)); - ExpectIntGE(ret = wc_KeyPemToDer(cert_buf, cert_sz, cert_der, cert_dersz, - cert_pw), 0); - ExpectIntLE(ret, cert_sz); - if (cert_der != NULL) - free(cert_der); -#endif - return EXPECT_RESULT(); -} - -static int test_wc_PubKeyPemToDer(void) +static int test_wc_PubKeyPemToDer(void) { EXPECT_DECLS; #if defined(WOLFSSL_PEM_TO_DER) && !defined(NO_FILESYSTEM) && \ 
@@ -17045,44 +15629,6 @@ static int test_wolfSSL_certs(void)
 return EXPECT_RESULT();
 }
 
-static int test_wolfSSL_X509_check_private_key(void)
-{
- EXPECT_DECLS;
-#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_RSA) && \
- defined(USE_CERT_BUFFERS_2048) && !defined(NO_CHECK_PRIVATE_KEY) && \
- !defined(NO_FILESYSTEM)
- X509* x509 = NULL;
- EVP_PKEY* pkey = NULL;
- const byte* key;
-
- /* Check with correct key */
- ExpectNotNull((x509 = X509_load_certificate_file(cliCertFile,
- SSL_FILETYPE_PEM)));
- key = client_key_der_2048;
- ExpectNotNull(d2i_PrivateKey(EVP_PKEY_RSA, &pkey, &key,
- (long)sizeof_client_key_der_2048));
- ExpectIntEQ(X509_check_private_key(x509, pkey), 1);
- EVP_PKEY_free(pkey);
- pkey = NULL;
-
- /* Check with wrong key */
- key = server_key_der_2048;
- ExpectNotNull(d2i_PrivateKey(EVP_PKEY_RSA, &pkey, &key,
- (long)sizeof_server_key_der_2048));
- ExpectIntEQ(X509_check_private_key(x509, pkey), 0);
-
- /* test for incorrect parameter */
- ExpectIntEQ(X509_check_private_key(NULL, pkey), 0);
- ExpectIntEQ(X509_check_private_key(x509, NULL), 0);
- ExpectIntEQ(X509_check_private_key(NULL, NULL), 0);
-
- EVP_PKEY_free(pkey);
- X509_free(x509);
-#endif
- return EXPECT_RESULT();
-}
-
-
 static int test_wolfSSL_private_keys(void)
 {
 EXPECT_DECLS;
@@ -17344,12883 +15890,6750 @@ static int test_wolfSSL_private_keys(void) return EXPECT_RESULT(); } -static int test_wolfSSL_PEM_def_callback(void) -{ - EXPECT_DECLS; -#ifdef OPENSSL_EXTRA - char buf[10]; - const char* defpwd = "DEF PWD"; - int defpwdLen = (int)XSTRLEN(defpwd); - int smallLen = 1; - - /* Bad parameters. */ - ExpectIntEQ(wolfSSL_PEM_def_callback(NULL, sizeof(buf), 0, NULL), 0); - ExpectIntEQ(wolfSSL_PEM_def_callback(NULL, sizeof(buf), 0, (void*)defpwd), - 0); - ExpectIntEQ(wolfSSL_PEM_def_callback(buf, sizeof(buf), 0, NULL), 0); - - XMEMSET(buf, 0, sizeof(buf)); - ExpectIntEQ(wolfSSL_PEM_def_callback(buf, sizeof(buf), 0, (void*)defpwd), - defpwdLen); - ExpectIntEQ(XMEMCMP(buf, defpwd, defpwdLen), 0); - ExpectIntEQ(buf[defpwdLen], 0); - /* Size of buffer is smaller than default password. */ - XMEMSET(buf, 0, sizeof(buf)); - ExpectIntEQ(wolfSSL_PEM_def_callback(buf, smallLen, 0, (void*)defpwd), - smallLen); - ExpectIntEQ(XMEMCMP(buf, defpwd, smallLen), 0); - ExpectIntEQ(buf[smallLen], 0); -#endif /* OPENSSL_EXTRA */ - return EXPECT_RESULT(); -} - -static int test_wolfSSL_PEM_read_PrivateKey(void) +static int test_wolfSSL_tmp_dh(void) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_FILESYSTEM) && (!defined(NO_RSA) || \ - !defined(NO_DSA) || defined(HAVE_ECC) || !defined(NO_DH)) - XFILE file = XBADFILE; -#if !defined(NO_RSA) - const char* fname_rsa = "./certs/server-key.pem"; - RSA* rsa = NULL; - WOLFSSL_EVP_PKEY_CTX* ctx = NULL; - unsigned char* sig = NULL; - size_t sigLen = 0; - const unsigned char tbs[] = {0, 1, 2, 3, 4, 5, 6, 7}; - size_t tbsLen = sizeof(tbs); +#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_FILESYSTEM) && \ + !defined(NO_RSA) && !defined(NO_DH) && !defined(NO_BIO) && \ + !defined(NO_TLS) && \ + (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) + byte buff[6000]; + static const unsigned char p[] = { + 0xb0, 0xa1, 0x08, 0x06, 0x9c, 0x08, 0x13, 0xba, + 0x59, 0x06, 0x3c, 0xbc, 0x30, 0xd5, 0xf5, 
0x00, + 0xc1, 0x4f, 0x44, 0xa7, 0xd6, 0xef, 0x4a, 0xc6, + 0x25, 0x27, 0x1c, 0xe8, 0xd2, 0x96, 0x53, 0x0a, + 0x5c, 0x91, 0xdd, 0xa2, 0xc2, 0x94, 0x84, 0xbf, + 0x7d, 0xb2, 0x44, 0x9f, 0x9b, 0xd2, 0xc1, 0x8a, + 0xc5, 0xbe, 0x72, 0x5c, 0xa7, 0xe7, 0x91, 0xe6, + 0xd4, 0x9f, 0x73, 0x07, 0x85, 0x5b, 0x66, 0x48, + 0xc7, 0x70, 0xfa, 0xb4, 0xee, 0x02, 0xc9, 0x3d, + 0x9a, 0x4a, 0xda, 0x3d, 0xc1, 0x46, 0x3e, 0x19, + 0x69, 0xd1, 0x17, 0x46, 0x07, 0xa3, 0x4d, 0x9f, + 0x2b, 0x96, 0x17, 0x39, 0x6d, 0x30, 0x8d, 0x2a, + 0xf3, 0x94, 0xd3, 0x75, 0xcf, 0xa0, 0x75, 0xe6, + 0xf2, 0x92, 0x1f, 0x1a, 0x70, 0x05, 0xaa, 0x04, + 0x83, 0x57, 0x30, 0xfb, 0xda, 0x76, 0x93, 0x38, + 0x50, 0xe8, 0x27, 0xfd, 0x63, 0xee, 0x3c, 0xe5, + 0xb7, 0xc8, 0x09, 0xae, 0x6f, 0x50, 0x35, 0x8e, + 0x84, 0xce, 0x4a, 0x00, 0xe9, 0x12, 0x7e, 0x5a, + 0x31, 0xd7, 0x33, 0xfc, 0x21, 0x13, 0x76, 0xcc, + 0x16, 0x30, 0xdb, 0x0c, 0xfc, 0xc5, 0x62, 0xa7, + 0x35, 0xb8, 0xef, 0xb7, 0xb0, 0xac, 0xc0, 0x36, + 0xf6, 0xd9, 0xc9, 0x46, 0x48, 0xf9, 0x40, 0x90, + 0x00, 0x2b, 0x1b, 0xaa, 0x6c, 0xe3, 0x1a, 0xc3, + 0x0b, 0x03, 0x9e, 0x1b, 0xc2, 0x46, 0xe4, 0x48, + 0x4e, 0x22, 0x73, 0x6f, 0xc3, 0x5f, 0xd4, 0x9a, + 0xd6, 0x30, 0x07, 0x48, 0xd6, 0x8c, 0x90, 0xab, + 0xd4, 0xf6, 0xf1, 0xe3, 0x48, 0xd3, 0x58, 0x4b, + 0xa6, 0xb9, 0xcd, 0x29, 0xbf, 0x68, 0x1f, 0x08, + 0x4b, 0x63, 0x86, 0x2f, 0x5c, 0x6b, 0xd6, 0xb6, + 0x06, 0x65, 0xf7, 0xa6, 0xdc, 0x00, 0x67, 0x6b, + 0xbb, 0xc3, 0xa9, 0x41, 0x83, 0xfb, 0xc7, 0xfa, + 0xc8, 0xe2, 0x1e, 0x7e, 0xaf, 0x00, 0x3f, 0x93 + }; + int pSz = (int)sizeof(p); +#if !defined(WOLFSSL_OLD_PRIME_CHECK) && !defined(HAVE_FIPS) && \ + !defined(HAVE_SELFTEST) + static const unsigned char bad_p[] = { + 0xb0, 0xa1, 0x08, 0x06, 0x9c, 0x08, 0x13, 0xba, + 0x59, 0x06, 0x3c, 0xbc, 0x30, 0xd5, 0xf5, 0x00, + 0xc1, 0x4f, 0x44, 0xa7, 0xd6, 0xef, 0x4a, 0xc6, + 0x25, 0x27, 0x1c, 0xe8, 0xd2, 0x96, 0x53, 0x0a, + 0x5c, 0x91, 0xdd, 0xa2, 0xc2, 0x94, 0x84, 0xbf, + 0x7d, 0xb2, 0x44, 0x9f, 0x9b, 0xd2, 0xc1, 0x8a, + 0xc5, 0xbe, 0x72, 0x5c, 
0xa7, 0xe7, 0x91, 0xe6, + 0xd4, 0x9f, 0x73, 0x07, 0x85, 0x5b, 0x66, 0x48, + 0xc7, 0x70, 0xfa, 0xb4, 0xee, 0x02, 0xc9, 0x3d, + 0x9a, 0x4a, 0xda, 0x3d, 0xc1, 0x46, 0x3e, 0x19, + 0x69, 0xd1, 0x17, 0x46, 0x07, 0xa3, 0x4d, 0x9f, + 0x2b, 0x96, 0x17, 0x39, 0x6d, 0x30, 0x8d, 0x2a, + 0xf3, 0x94, 0xd3, 0x75, 0xcf, 0xa0, 0x75, 0xe6, + 0xf2, 0x92, 0x1f, 0x1a, 0x70, 0x05, 0xaa, 0x04, + 0x83, 0x57, 0x30, 0xfb, 0xda, 0x76, 0x93, 0x38, + 0x50, 0xe8, 0x27, 0xfd, 0x63, 0xee, 0x3c, 0xe5, + 0xb7, 0xc8, 0x09, 0xae, 0x6f, 0x50, 0x35, 0x8e, + 0x84, 0xce, 0x4a, 0x00, 0xe9, 0x12, 0x7e, 0x5a, + 0x31, 0xd7, 0x33, 0xfc, 0x21, 0x13, 0x76, 0xcc, + 0x16, 0x30, 0xdb, 0x0c, 0xfc, 0xc5, 0x62, 0xa7, + 0x35, 0xb8, 0xef, 0xb7, 0xb0, 0xac, 0xc0, 0x36, + 0xf6, 0xd9, 0xc9, 0x46, 0x48, 0xf9, 0x40, 0x90, + 0x00, 0x2b, 0x1b, 0xaa, 0x6c, 0xe3, 0x1a, 0xc3, + 0x0b, 0x03, 0x9e, 0x1b, 0xc2, 0x46, 0xe4, 0x48, + 0x4e, 0x22, 0x73, 0x6f, 0xc3, 0x5f, 0xd4, 0x9a, + 0xd6, 0x30, 0x07, 0x48, 0xd6, 0x8c, 0x90, 0xab, + 0xd4, 0xf6, 0xf1, 0xe3, 0x48, 0xd3, 0x58, 0x4b, + 0xa6, 0xb9, 0xcd, 0x29, 0xbf, 0x68, 0x1f, 0x08, + 0x4b, 0x63, 0x86, 0x2f, 0x5c, 0x6b, 0xd6, 0xb6, + 0x06, 0x65, 0xf7, 0xa6, 0xdc, 0x00, 0x67, 0x6b, + 0xbb, 0xc3, 0xa9, 0x41, 0x83, 0xfb, 0xc7, 0xfa, + 0xc8, 0xe2, 0x1e, 0x7e, 0xaf, 0x00, 0x3f, 0x91 + }; #endif + static const unsigned char g[] = { 0x02 }; + int gSz = (int)sizeof(g); #if !defined(NO_DSA) - const char* fname_dsa = "./certs/dsa2048.pem"; -#endif -#if defined(HAVE_ECC) - const char* fname_ec = "./certs/ecc-key.pem"; + char file[] = "./certs/dsaparams.pem"; + DSA* dsa = NULL; +#else + char file[] = "./certs/dh2048.pem"; #endif -#if !defined(NO_DH) - const char* fname_dh = "./certs/dh-priv-2048.pem"; + XFILE f = XBADFILE; + int bytes = 0; + DH* dh = NULL; + DH* dh2 = NULL; + BIO* bio = NULL; + SSL* ssl = NULL; + SSL_CTX* ctx = NULL; +#ifndef NO_WOLFSSL_CLIENT + SSL* ssl_c = NULL; + SSL_CTX* ctx_c = NULL; #endif - EVP_PKEY* pkey = NULL; - - /* Check error case. 
*/ - ExpectNull(pkey = PEM_read_PrivateKey(NULL, NULL, NULL, NULL)); - /* not a PEM key. */ - ExpectTrue((file = XFOPEN("./certs/ecc-key.der", "rb")) != XBADFILE); - ExpectNull(PEM_read_PrivateKey(file, NULL, NULL, NULL)); - if (file != XBADFILE) - XFCLOSE(file); - file = XBADFILE; +#ifndef NO_WOLFSSL_SERVER + ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); + ExpectTrue(SSL_CTX_use_certificate_file(ctx, svrCertFile, + WOLFSSL_FILETYPE_PEM)); + ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, + WOLFSSL_FILETYPE_PEM)); + ExpectNotNull(ssl = SSL_new(ctx)); +#endif +#ifndef NO_WOLFSSL_CLIENT + ExpectNotNull(ctx_c = SSL_CTX_new(wolfSSLv23_client_method())); + ExpectTrue(SSL_CTX_use_certificate_file(ctx_c, svrCertFile, + WOLFSSL_FILETYPE_PEM)); + ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx_c, svrKeyFile, + WOLFSSL_FILETYPE_PEM)); + ExpectNotNull(ssl_c = SSL_new(ctx_c)); +#ifdef NO_WOLFSSL_SERVER + ctx = ctx_c; + ssl = ssl_c; +#endif +#endif -#ifndef NO_RSA - /* Read in an RSA key. */ - ExpectTrue((file = XFOPEN(fname_rsa, "rb")) != XBADFILE); - ExpectNotNull(pkey = PEM_read_PrivateKey(file, NULL, NULL, NULL)); - if (file != XBADFILE) - XFCLOSE(file); - file = XBADFILE; + XMEMSET(buff, 0, sizeof(buff)); + ExpectTrue((f = XFOPEN(file, "rb")) != XBADFILE); + ExpectIntGT(bytes = (int)XFREAD(buff, 1, sizeof(buff), f), 0); + if (f != XBADFILE) + XFCLOSE(f); - /* Make sure the key is usable by signing some data with it. 
*/ - ExpectNotNull(rsa = EVP_PKEY_get0_RSA(pkey)); - ExpectIntGT((sigLen = RSA_size(rsa)), 0); - ExpectNotNull(sig = (unsigned char*)XMALLOC(sigLen, HEAP_HINT, - DYNAMIC_TYPE_TMP_BUFFER)); - ExpectNotNull(ctx = EVP_PKEY_CTX_new(pkey, NULL)); - ExpectIntEQ(EVP_PKEY_sign_init(ctx), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_sign(ctx, sig, &sigLen, tbs, tbsLen), - WOLFSSL_SUCCESS); + ExpectNotNull(bio = BIO_new_mem_buf((void*)buff, bytes)); - XFREE(sig, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - EVP_PKEY_CTX_free(ctx); - EVP_PKEY_free(pkey); - pkey = NULL; -#endif +#if !defined(NO_DSA) + dsa = wolfSSL_PEM_read_bio_DSAparams(bio, NULL, NULL, NULL); + ExpectNotNull(dsa); -#ifndef NO_DSA - /* Read in a DSA key. */ - ExpectTrue((file = XFOPEN(fname_dsa, "rb")) != XBADFILE); -#if defined(WOLFSSL_QT) || defined(OPENSSL_ALL) || defined(WOLFSSL_OPENSSH) - ExpectNotNull(pkey = PEM_read_PrivateKey(file, NULL, NULL, NULL)); - EVP_PKEY_free(pkey); - pkey = NULL; + dh = wolfSSL_DSA_dup_DH(dsa); #else - ExpectNull(PEM_read_PrivateKey(file, NULL, NULL, NULL)); -#endif - if (file != XBADFILE) - XFCLOSE(file); - file = XBADFILE; + dh = wolfSSL_PEM_read_bio_DHparams(bio, NULL, NULL, NULL); #endif - -#ifdef HAVE_ECC - /* Read in an EC key. */ - ExpectTrue((file = XFOPEN(fname_ec, "rb")) != XBADFILE); - ExpectNotNull(pkey = EVP_PKEY_new()); - ExpectPtrEq(PEM_read_PrivateKey(file, &pkey, NULL, NULL), pkey); - if (file != XBADFILE) - XFCLOSE(file); - file = XBADFILE; - EVP_PKEY_free(pkey); - pkey = NULL; + ExpectNotNull(dh); +#if defined(WOLFSSL_DH_EXTRA) && \ + (defined(WOLFSSL_QT) || defined(OPENSSL_ALL) || defined(WOLFSSL_OPENSSH)) + ExpectNotNull(dh2 = wolfSSL_DH_dup(dh)); + DH_free(dh2); + dh2 = NULL; #endif -#ifndef NO_DH - /* Read in a DH key. 
*/ - ExpectTrue((file = XFOPEN(fname_dh, "rb")) != XBADFILE); -#if (defined(WOLFSSL_QT) || defined(OPENSSL_ALL) || \ - defined(WOLFSSL_OPENSSH)) && (!defined(HAVE_FIPS) || \ - (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2))) - ExpectNotNull(pkey = PEM_read_PrivateKey(file, NULL, NULL, NULL)); - EVP_PKEY_free(pkey); - pkey = NULL; -#else - ExpectNull(PEM_read_PrivateKey(file, NULL, NULL, NULL)); + /* Failure cases */ + ExpectIntEQ((int)wolfSSL_CTX_SetTmpDH(NULL, NULL, 0, NULL, 0), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ((int)wolfSSL_CTX_SetTmpDH(ctx , NULL, 0, NULL, 0), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ((int)wolfSSL_CTX_SetTmpDH(NULL, p , 0, NULL, 0), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ((int)wolfSSL_CTX_SetTmpDH(NULL, NULL, 0, g , 0), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ((int)wolfSSL_CTX_SetTmpDH(ctx , p , 0, NULL, 0), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ((int)wolfSSL_CTX_SetTmpDH(ctx , NULL, 0, g , 0), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ((int)wolfSSL_CTX_SetTmpDH(NULL, p , 0, g , 0), + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ((int)wolfSSL_CTX_SetTmpDH(ctx , p , 1, g , 1), + WC_NO_ERR_TRACE(DH_KEY_SIZE_E)); + ExpectIntEQ((int)wolfSSL_CTX_SetTmpDH(ctx , buff, 6000, g , 1), + WC_NO_ERR_TRACE(DH_KEY_SIZE_E)); +#if !defined(WOLFSSL_OLD_PRIME_CHECK) && !defined(HAVE_FIPS) && \ + !defined(HAVE_SELFTEST) + ExpectIntEQ((int)wolfSSL_CTX_SetTmpDH(ctx, bad_p, pSz, g, gSz), + WC_NO_ERR_TRACE(DH_CHECK_PUB_E)); #endif - if (file != XBADFILE) - XFCLOSE(file); - file = XBADFILE; + ExpectIntEQ((int)wolfSSL_SetTmpDH(NULL, NULL, 0, NULL, 0), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ((int)wolfSSL_SetTmpDH(ssl , NULL, 0, NULL, 0), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ((int)wolfSSL_SetTmpDH(NULL, p , 0, NULL, 0), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ((int)wolfSSL_SetTmpDH(NULL, NULL, 0, g , 0), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ((int)wolfSSL_SetTmpDH(ssl , p 
, 0, NULL, 0), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ((int)wolfSSL_SetTmpDH(ssl , NULL, 0, g , 0), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ((int)wolfSSL_SetTmpDH(NULL, p , 0, g , 0), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ((int)wolfSSL_SetTmpDH(ssl , p , 1, g , 1), + WC_NO_ERR_TRACE(DH_KEY_SIZE_E)); + ExpectIntEQ((int)wolfSSL_SetTmpDH(ssl , buff, 6000, g , 1), + WC_NO_ERR_TRACE(DH_KEY_SIZE_E)); +#if !defined(WOLFSSL_OLD_PRIME_CHECK) && !defined(HAVE_FIPS) && \ + !defined(HAVE_SELFTEST) +#ifndef NO_WOLFSSL_SERVER + /* Parameters will be tested later so it passes now. */ + ExpectIntEQ((int)wolfSSL_SetTmpDH(ssl, bad_p, pSz, g, gSz), + WOLFSSL_SUCCESS); #endif #endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_PEM_read_PUBKEY(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) \ - && !defined(NO_FILESYSTEM) - XFILE file = XBADFILE; - const char* fname = "./certs/client-keyPub.pem"; - EVP_PKEY* pkey = NULL; - - /* Check error case. */ - ExpectNull(pkey = PEM_read_PUBKEY(NULL, NULL, NULL, NULL)); - - /* Read in an RSA key. 
*/ - ExpectTrue((file = XFOPEN(fname, "rb")) != XBADFILE); - ExpectNotNull(pkey = PEM_read_PUBKEY(file, NULL, NULL, NULL)); - EVP_PKEY_free(pkey); - pkey = NULL; - if (file != XBADFILE) - XFCLOSE(file); - file = XBADFILE; - ExpectTrue((file = XFOPEN(fname, "rb")) != XBADFILE); - ExpectNotNull(pkey = EVP_PKEY_new()); - ExpectPtrEq(PEM_read_PUBKEY(file, &pkey, NULL, NULL), pkey); - EVP_PKEY_free(pkey); - if (file != XBADFILE) - XFCLOSE(file); +#ifndef NO_WOLFSSL_CLIENT + ExpectIntEQ((int)wolfSSL_SetTmpDH(ssl_c, p, pSz, g, gSz), + WC_NO_ERR_TRACE(SIDE_ERROR)); #endif - return EXPECT_RESULT(); -} + ExpectIntEQ((int)SSL_CTX_set_tmp_dh(NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ((int)SSL_CTX_set_tmp_dh(ctx , NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ((int)SSL_CTX_set_tmp_dh(NULL, dh ), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ((int)SSL_set_tmp_dh(NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ((int)SSL_set_tmp_dh(ssl , NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ((int)SSL_set_tmp_dh(NULL, dh ), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + /* No p/g to use. 
*/ + dh2 = wolfSSL_DH_new(); + ExpectIntEQ((int)SSL_CTX_set_tmp_dh(ctx , dh2 ), WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); + ExpectIntEQ((int)SSL_set_tmp_dh(ssl , dh2 ), WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); + DH_free(dh2); + dh2 = NULL; -/* test loading RSA key using BIO */ -static int test_wolfSSL_PEM_PrivateKey_rsa(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_RSA) && \ - defined(USE_CERT_BUFFERS_2048) && !defined(NO_FILESYSTEM) && \ - !defined(NO_BIO) - BIO* bio = NULL; - XFILE file = XBADFILE; - const char* fname = "./certs/server-key.pem"; - const char* fname_rsa_p8 = "./certs/server-keyPkcs8.pem"; - EVP_PKEY* pkey = NULL; - size_t sz = 0; - byte* buf = NULL; - EVP_PKEY* pkey2 = NULL; - EVP_PKEY* pkey3 = NULL; - RSA* rsa_key = NULL; -#if defined(WOLFSSL_KEY_GEN) || defined(WOLFSSL_CERT_GEN) - unsigned char extra[10]; - int i; - BIO* pub_bio = NULL; - const unsigned char* server_key = (const unsigned char*)server_key_der_2048; + ExpectIntEQ((int)wolfSSL_CTX_SetTmpDH(ctx, p, pSz, g, gSz), + WOLFSSL_SUCCESS); + ExpectIntEQ((int)SSL_CTX_set_tmp_dh(ctx, dh), WOLFSSL_SUCCESS); +#ifndef NO_WOLFSSL_SERVER + ExpectIntEQ((int)SSL_set_tmp_dh(ssl, dh), WOLFSSL_SUCCESS); +#else + ExpectIntEQ((int)SSL_set_tmp_dh(ssl, dh), WC_NO_ERR_TRACE(SIDE_ERROR)); #endif - ExpectTrue((file = XFOPEN(fname, "rb")) != XBADFILE); - ExpectTrue(XFSEEK(file, 0, XSEEK_END) == 0); - ExpectIntGT(sz = XFTELL(file), 0); - ExpectTrue(XFSEEK(file, 0, XSEEK_SET) == 0); - ExpectNotNull(buf = (byte*)XMALLOC(sz, NULL, DYNAMIC_TYPE_FILE)); - if (buf != NULL) { - ExpectIntEQ(XFREAD(buf, 1, sz, file), sz); - } - if (file != XBADFILE) { - XFCLOSE(file); - file = XBADFILE; - } - - /* Test using BIO new mem and loading PEM private key */ - ExpectNotNull(bio = BIO_new_mem_buf(buf, (int)sz)); - ExpectNotNull((pkey = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL))); - XFREE(buf, NULL, DYNAMIC_TYPE_FILE); - buf = NULL; BIO_free(bio); - bio = NULL; - - /* New empty EVP_PKEY 
*/ - ExpectNotNull(pkey2 = EVP_PKEY_new()); - if (pkey2 != NULL) { - pkey2->type = EVP_PKEY_RSA; - } - /* Test parameter copy */ - ExpectIntEQ(EVP_PKEY_copy_parameters(pkey2, pkey), 0); - EVP_PKEY_free(pkey2); - EVP_PKEY_free(pkey); - pkey = NULL; - - /* Qt unit test case : rsa pkcs8 key */ - ExpectTrue((file = XFOPEN(fname_rsa_p8, "rb")) != XBADFILE); - ExpectTrue(XFSEEK(file, 0, XSEEK_END) == 0); - ExpectIntGT(sz = XFTELL(file), 0); - ExpectTrue(XFSEEK(file, 0, XSEEK_SET) == 0); - ExpectNotNull(buf = (byte*)XMALLOC(sz, NULL, DYNAMIC_TYPE_FILE)); - if (buf) { - ExpectIntEQ(XFREAD(buf, 1, sz, file), sz); +#if !defined(NO_DSA) + DSA_free(dsa); +#endif + DH_free(dh); + dh = NULL; +#ifndef NO_WOLFSSL_CLIENT + if (ssl != ssl_c) { + SSL_free(ssl_c); } - if (file != XBADFILE) { - XFCLOSE(file); - file = XBADFILE; +#endif + SSL_free(ssl); +#ifndef NO_WOLFSSL_CLIENT + if (ctx != ctx_c) { + SSL_CTX_free(ctx_c); } - - ExpectNotNull(bio = BIO_new_mem_buf(buf, (int)sz)); - ExpectNotNull((pkey = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL))); - XFREE(buf, NULL, DYNAMIC_TYPE_FILE); - buf = NULL; - BIO_free(bio); - bio = NULL; - ExpectNotNull(pkey3 = EVP_PKEY_new()); - - ExpectNotNull(rsa_key = EVP_PKEY_get1_RSA(pkey)); - ExpectIntEQ(EVP_PKEY_set1_RSA(pkey3, rsa_key), WOLFSSL_SUCCESS); - -#ifdef WOLFSSL_ERROR_CODE_OPENSSL - ExpectIntEQ(EVP_PKEY_cmp(pkey, pkey3), 1/* match */); -#else - ExpectIntEQ(EVP_PKEY_cmp(pkey, pkey3), 0); #endif + SSL_CTX_free(ctx); +#endif + return EXPECT_RESULT(); +} - RSA_free(rsa_key); - EVP_PKEY_free(pkey3); - EVP_PKEY_free(pkey); - pkey = NULL; - pkey2 = NULL; - -#if defined(WOLFSSL_KEY_GEN) || defined(WOLFSSL_CERT_GEN) - #define BIO_PEM_TEST_CHAR 'a' - XMEMSET(extra, BIO_PEM_TEST_CHAR, sizeof(extra)); - - ExpectNotNull(bio = wolfSSL_BIO_new(wolfSSL_BIO_s_mem())); - ExpectIntEQ(BIO_set_write_buf_size(bio, 4096), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectNotNull(pub_bio = wolfSSL_BIO_new(wolfSSL_BIO_s_mem())); - 
ExpectIntEQ(BIO_set_write_buf_size(pub_bio, 4096), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); +static int test_wolfSSL_ctrl(void) +{ + EXPECT_DECLS; +#if defined (OPENSSL_EXTRA) && !defined(NO_BIO) + byte buff[6000]; + BIO* bio = NULL; + int bytes; + BUF_MEM* ptr = NULL; - ExpectNull(d2i_PrivateKey(EVP_PKEY_EC, &pkey, &server_key, - (long)sizeof_server_key_der_2048)); - ExpectNull(pkey); + XMEMSET(buff, 0, sizeof(buff)); - ExpectNotNull(wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, &pkey, &server_key, - (long)sizeof_server_key_der_2048)); - ExpectIntEQ(PEM_write_bio_PrivateKey(NULL, pkey, NULL, NULL, 0, NULL, NULL), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(PEM_write_bio_PrivateKey(bio, NULL, NULL, NULL, 0, NULL, NULL), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(PEM_write_bio_PrivateKey(bio, pkey, NULL, NULL, 0, NULL, NULL), - WOLFSSL_SUCCESS); - ExpectIntGT(BIO_pending(bio), 0); - ExpectIntEQ(BIO_pending(bio), 1679); - /* Check if the pubkey API writes only the public key */ -#ifdef WOLFSSL_KEY_GEN - ExpectIntEQ(PEM_write_bio_PUBKEY(NULL, pkey), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(PEM_write_bio_PUBKEY(pub_bio, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(PEM_write_bio_PUBKEY(pub_bio, pkey), WOLFSSL_SUCCESS); - ExpectIntGT(BIO_pending(pub_bio), 0); - /* Previously both the private key and the pubkey calls would write - * out the private key and the PEM header was the only difference. - * The public PEM should be significantly shorter than the - * private key versison. */ - ExpectIntEQ(BIO_pending(pub_bio), 451); -#else - /* Not supported. 
*/ - ExpectIntEQ(PEM_write_bio_PUBKEY(pub_bio, pkey), 0); -#endif + bytes = sizeof(buff); + ExpectNotNull(bio = BIO_new_mem_buf((void*)buff, bytes)); + ExpectNotNull(BIO_s_socket()); - /* test creating new EVP_PKEY with good args */ - ExpectNotNull((pkey2 = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL))); - if (pkey && pkey->pkey.ptr && pkey2 && pkey2->pkey.ptr) { - ExpectIntEQ((int)XMEMCMP(pkey->pkey.ptr, pkey2->pkey.ptr, - pkey->pkey_sz), 0); - } + ExpectIntEQ((int)wolfSSL_BIO_get_mem_ptr(bio, &ptr), WOLFSSL_SUCCESS); - /* test of reuse of EVP_PKEY */ - ExpectNull(PEM_read_bio_PrivateKey(bio, &pkey, NULL, NULL)); - ExpectIntEQ(BIO_pending(bio), 0); - ExpectIntEQ(PEM_write_bio_PrivateKey(bio, pkey, NULL, NULL, 0, NULL, NULL), - SSL_SUCCESS); - /* add 10 extra bytes after PEM */ - ExpectIntEQ(BIO_write(bio, extra, 10), 10); - ExpectNotNull(PEM_read_bio_PrivateKey(bio, &pkey, NULL, NULL)); - ExpectNotNull(pkey); - if (pkey && pkey->pkey.ptr && pkey2 && pkey2->pkey.ptr) { - ExpectIntEQ((int)XMEMCMP(pkey->pkey.ptr, pkey2->pkey.ptr, - pkey->pkey_sz), 0); - } - /* check 10 extra bytes still there */ - ExpectIntEQ(BIO_pending(bio), 10); - ExpectIntEQ(BIO_read(bio, extra, 10), 10); - for (i = 0; i < 10; i++) { - ExpectIntEQ(extra[i], BIO_PEM_TEST_CHAR); - } + /* needs tested after stubs filled out @TODO + SSL_ctrl + SSL_CTX_ctrl + */ - BIO_free(pub_bio); BIO_free(bio); - bio = NULL; - EVP_PKEY_free(pkey); - pkey = NULL; - EVP_PKEY_free(pkey2); -#endif /* WOLFSSL_KEY_GEN || WOLFSSL_CERT_GEN */ -#endif /* OPENSSL_EXTRA && !NO_CERTS && !NO_RSA && USE_CERT_BUFFERS_2048 && - * !NO_FILESYSTEM && !NO_BIO */ +#endif /* defined(OPENSSL_EXTRA) && !defined(NO_BIO) */ return EXPECT_RESULT(); } -/* test loading ECC key using BIO */ -static int test_wolfSSL_PEM_PrivateKey_ecc(void) + +static int test_wolfSSL_EVP_PKEY_new_mac_key(void) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && defined(HAVE_ECC) && \ - !defined(NO_FILESYSTEM) && !defined(NO_BIO) - BIO* bio = 
NULL; - EVP_PKEY* pkey = NULL; - XFILE file = XBADFILE; - const char* fname = "./certs/ecc-key.pem"; - const char* fname_ecc_p8 = "./certs/ecc-keyPkcs8.pem"; - - size_t sz = 0; - byte* buf = NULL; - EVP_PKEY* pkey2 = NULL; - EVP_PKEY* pkey3 = NULL; - EC_KEY* ec_key = NULL; - int nid = 0; - BIO* pub_bio = NULL; - - ExpectTrue((file = XFOPEN(fname, "rb")) != XBADFILE); - ExpectTrue(XFSEEK(file, 0, XSEEK_END) == 0); - ExpectIntGT(sz = XFTELL(file), 0); - ExpectTrue(XFSEEK(file, 0, XSEEK_SET) == 0); - ExpectNotNull(buf = (byte*)XMALLOC(sz, NULL, DYNAMIC_TYPE_FILE)); - if (buf) { - ExpectIntEQ(XFREAD(buf, 1, sz, file), sz); - } - if (file != XBADFILE) { - XFCLOSE(file); - file = XBADFILE; - } - - /* Test using BIO new mem and loading PEM private key */ - ExpectNotNull(bio = BIO_new_mem_buf(buf, (int)sz)); - ExpectNotNull((pkey = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL))); - BIO_free(bio); - bio = NULL; - XFREE(buf, NULL, DYNAMIC_TYPE_FILE); - buf = NULL; - ExpectNotNull(bio = wolfSSL_BIO_new(wolfSSL_BIO_s_mem())); - ExpectNotNull(pub_bio = wolfSSL_BIO_new(wolfSSL_BIO_s_mem())); - ExpectIntEQ(PEM_write_bio_PrivateKey(bio, pkey, NULL, NULL, 0, NULL, NULL), - WOLFSSL_SUCCESS); - ExpectIntGT(BIO_pending(bio), 0); - /* No parameters. */ - ExpectIntEQ(BIO_pending(bio), 227); - /* Check if the pubkey API writes only the public key */ -#ifdef WOLFSSL_KEY_GEN - ExpectIntEQ(PEM_write_bio_PUBKEY(pub_bio, pkey), WOLFSSL_SUCCESS); - ExpectIntGT(BIO_pending(pub_bio), 0); - /* Previously both the private key and the pubkey calls would write - * out the private key and the PEM header was the only difference. - * The public PEM should be significantly shorter than the - * private key versison. 
*/ - ExpectIntEQ(BIO_pending(pub_bio), 178); -#endif - BIO_free(pub_bio); - BIO_free(bio); - bio = NULL; - ExpectNotNull(pkey2 = EVP_PKEY_new()); - ExpectNotNull(pkey3 = EVP_PKEY_new()); - if (pkey2 != NULL) { - pkey2->type = EVP_PKEY_EC; - } - /* Test parameter copy */ - ExpectIntEQ(EVP_PKEY_copy_parameters(pkey2, pkey), 1); +#ifdef OPENSSL_EXTRA + static const unsigned char pw[] = "password"; + static const int pwSz = sizeof(pw) - 1; + size_t checkPwSz = 0; + const unsigned char* checkPw = NULL; + WOLFSSL_EVP_PKEY* key = NULL; + ExpectNull(key = wolfSSL_EVP_PKEY_new_mac_key(0, NULL, pw, pwSz)); + ExpectNull(key = wolfSSL_EVP_PKEY_new_mac_key(0, NULL, NULL, pwSz)); - /* Qt unit test case 1*/ - ExpectNotNull(ec_key = EVP_PKEY_get1_EC_KEY(pkey)); - ExpectIntEQ(EVP_PKEY_set1_EC_KEY(pkey3, ec_key), WOLFSSL_SUCCESS); - #ifdef WOLFSSL_ERROR_CODE_OPENSSL - ExpectIntEQ(EVP_PKEY_cmp(pkey, pkey3), 1/* match */); - #else - ExpectIntEQ(EVP_PKEY_cmp(pkey, pkey3), 0); - #endif - /* Test default digest */ - ExpectIntEQ(EVP_PKEY_get_default_digest_nid(pkey, &nid), 1); - ExpectIntEQ(nid, NID_sha256); - EC_KEY_free(ec_key); - ec_key = NULL; - EVP_PKEY_free(pkey3); - pkey3 = NULL; - EVP_PKEY_free(pkey2); - pkey2 = NULL; - EVP_PKEY_free(pkey); - pkey = NULL; - - /* Qt unit test case ec pkcs8 key */ - ExpectTrue((file = XFOPEN(fname_ecc_p8, "rb")) != XBADFILE); - ExpectTrue(XFSEEK(file, 0, XSEEK_END) == 0); - ExpectIntGT(sz = XFTELL(file), 0); - ExpectTrue(XFSEEK(file, 0, XSEEK_SET) == 0); - ExpectNotNull(buf = (byte*)XMALLOC(sz, NULL, DYNAMIC_TYPE_FILE)); - if (buf) { - ExpectIntEQ(XFREAD(buf, 1, sz, file), sz); + ExpectNotNull(key = wolfSSL_EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, pw, + pwSz)); + if (key != NULL) { + ExpectIntEQ(key->type, EVP_PKEY_HMAC); + ExpectIntEQ(key->save_type, EVP_PKEY_HMAC); + ExpectIntEQ(key->pkey_sz, pwSz); + ExpectIntEQ(XMEMCMP(key->pkey.ptr, pw, pwSz), 0); } - if (file != XBADFILE) { - XFCLOSE(file); - file = XBADFILE; + ExpectNotNull(checkPw = 
wolfSSL_EVP_PKEY_get0_hmac(key, &checkPwSz)); + ExpectIntEQ((int)checkPwSz, pwSz); + ExpectIntEQ(XMEMCMP(checkPw, pw, pwSz), 0); + wolfSSL_EVP_PKEY_free(key); + key = NULL; + + ExpectNotNull(key = wolfSSL_EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, pw, + 0)); + ExpectIntEQ(key->pkey_sz, 0); + if (EXPECT_SUCCESS()) { + /* Allocation for key->pkey.ptr may fail - OK key len is 0 */ + checkPw = wolfSSL_EVP_PKEY_get0_hmac(key, &checkPwSz); } + ExpectTrue((checkPwSz == 0) || (checkPw != NULL)); + ExpectIntEQ((int)checkPwSz, 0); + wolfSSL_EVP_PKEY_free(key); + key = NULL; - ExpectNotNull(bio = BIO_new_mem_buf(buf, (int)sz)); - ExpectNotNull((pkey = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL))); - XFREE(buf, NULL, DYNAMIC_TYPE_FILE); - buf = NULL; - BIO_free(bio); - bio = NULL; - ExpectNotNull(pkey3 = EVP_PKEY_new()); - /* Qt unit test case */ - ExpectNotNull(ec_key = EVP_PKEY_get1_EC_KEY(pkey)); - ExpectIntEQ(EVP_PKEY_set1_EC_KEY(pkey3, ec_key), WOLFSSL_SUCCESS); -#ifdef WOLFSSL_ERROR_CODE_OPENSSL - ExpectIntEQ(EVP_PKEY_cmp(pkey, pkey3), 1/* match */); -#else - ExpectIntEQ(EVP_PKEY_cmp(pkey, pkey3), 0); -#endif - EC_KEY_free(ec_key); - EVP_PKEY_free(pkey3); - EVP_PKEY_free(pkey); - pkey = NULL; -#endif + ExpectNotNull(key = wolfSSL_EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, NULL, + 0)); + ExpectIntEQ(key->pkey_sz, 0); + if (EXPECT_SUCCESS()) { + /* Allocation for key->pkey.ptr may fail - OK key len is 0 */ + checkPw = wolfSSL_EVP_PKEY_get0_hmac(key, &checkPwSz); + } + ExpectTrue((checkPwSz == 0) || (checkPw != NULL)); + ExpectIntEQ((int)checkPwSz, 0); + wolfSSL_EVP_PKEY_free(key); + key = NULL; +#endif /* OPENSSL_EXTRA */ return EXPECT_RESULT(); } -/* test loading DSA key using BIO */ -static int test_wolfSSL_PEM_PrivateKey_dsa(void) + +static int test_wolfSSL_EVP_PKEY_new_CMAC_key(void) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_DSA) && \ - !defined(NO_FILESYSTEM) && !defined(NO_BIO) -#if defined(WOLFSSL_QT) || defined(OPENSSL_ALL) - 
BIO* bio = NULL; - EVP_PKEY* pkey = NULL; - - ExpectNotNull(bio = BIO_new_file("./certs/dsa2048.pem", "rb")); - /* Private DSA EVP_PKEY */ - ExpectNotNull(pkey = wolfSSL_PEM_read_bio_PrivateKey(bio, NULL, NULL, - NULL)); - BIO_free(bio); - bio = NULL; - - ExpectNotNull(bio = wolfSSL_BIO_new(wolfSSL_BIO_s_mem())); -#if defined(OPENSSL_ALL) && !defined(NO_PWDBASED) && defined(HAVE_PKCS8) -#ifdef WOLFSSL_ASN_TEMPLATE - ExpectIntEQ(PEM_write_bio_PKCS8PrivateKey(bio, pkey, NULL, NULL, 0, NULL, - NULL), 1216); -#else - ExpectIntEQ(PEM_write_bio_PKCS8PrivateKey(bio, pkey, NULL, NULL, 0, NULL, - NULL), 1212); -#endif -#endif - -#ifdef WOLFSSL_KEY_GEN - ExpectIntEQ(PEM_write_bio_PUBKEY(bio, pkey), 1); -#ifdef WOLFSSL_ASN_TEMPLATE - ExpectIntEQ(BIO_pending(bio), 2394); -#else - ExpectIntEQ(BIO_pending(bio), 2390); -#endif - BIO_reset(bio); -#endif - - ExpectIntEQ(PEM_write_bio_PrivateKey(bio, pkey, NULL, NULL, 0, NULL, NULL), - 1); - ExpectIntEQ(BIO_pending(bio), 1196); +#ifdef OPENSSL_EXTRA +#if defined(WOLFSSL_CMAC) && !defined(NO_AES) && \ + defined(WOLFSSL_AES_DIRECT) && defined(WOLFSSL_AES_128) + const char *priv = "ABCDEFGHIJKLMNOP"; + const WOLFSSL_EVP_CIPHER* cipher = EVP_aes_128_cbc(); + WOLFSSL_EVP_PKEY* key = NULL; - BIO_free(bio); - bio = NULL; + ExpectNull(key = wolfSSL_EVP_PKEY_new_CMAC_key( + NULL, NULL, AES_128_KEY_SIZE, cipher)); + ExpectNull(key = wolfSSL_EVP_PKEY_new_CMAC_key( + NULL, (const unsigned char *)priv, 0, cipher)); + ExpectNull(key = wolfSSL_EVP_PKEY_new_CMAC_key( + NULL, (const unsigned char *)priv, AES_128_KEY_SIZE, NULL)); - EVP_PKEY_free(pkey); - pkey = NULL; -#endif -#endif + ExpectNotNull(key = wolfSSL_EVP_PKEY_new_CMAC_key( + NULL, (const unsigned char *)priv, AES_128_KEY_SIZE, cipher)); + wolfSSL_EVP_PKEY_free(key); +#endif /* WOLFSSL_CMAC && !NO_AES && WOLFSSL_AES_DIRECT && WOLFSSL_AES_128 */ +#endif /* OPENSSL_EXTRA */ return EXPECT_RESULT(); } -/* test loading DH key using BIO */ -static int test_wolfSSL_PEM_PrivateKey_dh(void) 
+static int test_wolfSSL_EVP_Digest(void) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_DH) && \ - !defined(NO_FILESYSTEM) && !defined(NO_BIO) -#if (defined(WOLFSSL_QT) || defined(OPENSSL_ALL) || \ - defined(WOLFSSL_OPENSSH)) && (!defined(HAVE_FIPS) || \ - (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2))) - BIO* bio = NULL; - EVP_PKEY* pkey = NULL; - int expectedBytes = 0; +#if defined(OPENSSL_EXTRA) && !defined(NO_SHA256) && !defined(NO_PWDBASED) + const char* in = "abc"; + int inLen = (int)XSTRLEN(in); + byte out[WC_SHA256_DIGEST_SIZE]; + unsigned int outLen; + const char* expOut = + "\xBA\x78\x16\xBF\x8F\x01\xCF\xEA\x41\x41\x40\xDE\x5D\xAE\x22" + "\x23\xB0\x03\x61\xA3\x96\x17\x7A\x9C\xB4\x10\xFF\x61\xF2\x00" + "\x15\xAD"; - ExpectNotNull(bio = BIO_new_file("./certs/dh-priv-2048.pem", "rb")); - /* Private DH EVP_PKEY */ - ExpectNotNull(pkey = wolfSSL_PEM_read_bio_PrivateKey(bio, NULL, NULL, - NULL)); - BIO_free(bio); - bio = NULL; - - ExpectNotNull(bio = wolfSSL_BIO_new(wolfSSL_BIO_s_mem())); - -#if defined(OPENSSL_ALL) && !defined(NO_PWDBASED) && defined(HAVE_PKCS8) - expectedBytes += 806; - ExpectIntEQ(PEM_write_bio_PKCS8PrivateKey(bio, pkey, NULL, NULL, 0, NULL, - NULL), expectedBytes); -#endif -#ifdef WOLFSSL_KEY_GEN - ExpectIntEQ(PEM_write_bio_PUBKEY(bio, pkey), 0); -#endif - - ExpectIntEQ(PEM_write_bio_PrivateKey(bio, pkey, NULL, NULL, 0, NULL, NULL), - 1); - expectedBytes += 806; - ExpectIntEQ(BIO_pending(bio), expectedBytes); - - BIO_free(bio); - bio = NULL; - - EVP_PKEY_free(pkey); - pkey = NULL; -#endif -#endif + ExpectIntEQ(wolfSSL_EVP_Digest((unsigned char*)in, inLen, out, &outLen, + "SHA256", NULL), 1); + ExpectIntEQ(outLen, WC_SHA256_DIGEST_SIZE); + ExpectIntEQ(XMEMCMP(out, expOut, WC_SHA256_DIGEST_SIZE), 0); +#endif /* OPEN_EXTRA && ! 
NO_SHA256 */ return EXPECT_RESULT(); } -static int test_wolfSSL_PEM_PrivateKey(void) +static int test_wolfSSL_EVP_Digest_all(void) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_TLS) && \ - (!defined(NO_RSA) || defined(HAVE_ECC)) && defined(USE_CERT_BUFFERS_2048) -#ifndef NO_BIO - BIO* bio = NULL; +#ifdef OPENSSL_EXTRA + const char* digests[] = { +#ifndef NO_MD5 + "MD5", #endif - EVP_PKEY* pkey = NULL; - const unsigned char* server_key = (const unsigned char*)server_key_der_2048; - -#ifndef NO_BIO - - /* test creating new EVP_PKEY with bad arg */ - ExpectNull((pkey = PEM_read_bio_PrivateKey(NULL, NULL, NULL, NULL))); - - /* Test bad EVP_PKEY type. */ - /* New HMAC EVP_PKEY */ - ExpectNotNull(bio = BIO_new_mem_buf("", 1)); - ExpectNotNull(pkey = EVP_PKEY_new()); - if (pkey != NULL) { - pkey->type = EVP_PKEY_HMAC; - } - ExpectIntEQ(PEM_write_bio_PrivateKey(bio, pkey, NULL, NULL, 0, NULL, NULL), - 0); -#if defined(OPENSSL_ALL) && !defined(NO_PWDBASED) && defined(HAVE_PKCS8) - ExpectIntEQ(PEM_write_bio_PKCS8PrivateKey(bio, pkey, NULL, NULL, 0, NULL, - NULL), 0); +#ifndef NO_SHA + "SHA", #endif -#ifdef WOLFSSL_KEY_GEN - ExpectIntEQ(PEM_write_bio_PUBKEY(bio, pkey), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); +#ifdef WOLFSSL_SHA224 + "SHA224", #endif - EVP_PKEY_free(pkey); - pkey = NULL; - BIO_free(bio); - bio = NULL; - - - /* key is DES encrypted */ - #if !defined(NO_DES3) && defined(WOLFSSL_ENCRYPTED_KEYS) && \ - !defined(NO_RSA) && !defined(NO_BIO) && !defined(NO_FILESYSTEM) && \ - !defined(NO_MD5) && defined(WOLFSSL_KEY_GEN) && !defined(NO_RSA) - { - XFILE f = XBADFILE; - wc_pem_password_cb* passwd_cb = NULL; - void* passwd_cb_userdata; - SSL_CTX* ctx = NULL; - char passwd[] = "bad password"; - - #ifndef WOLFSSL_NO_TLS12 - #ifndef NO_WOLFSSL_SERVER - ExpectNotNull(ctx = SSL_CTX_new(TLSv1_2_server_method())); - #else - ExpectNotNull(ctx = SSL_CTX_new(TLSv1_2_client_method())); - #endif - #else - #ifndef NO_WOLFSSL_SERVER - ExpectNotNull(ctx = 
SSL_CTX_new(TLSv1_3_server_method())); - #else - ExpectNotNull(ctx = SSL_CTX_new(TLSv1_3_client_method())); - #endif - #endif - - ExpectNotNull(bio = BIO_new_file("./certs/server-keyEnc.pem", "rb")); - SSL_CTX_set_default_passwd_cb(ctx, PasswordCallBack); - ExpectNotNull(passwd_cb = SSL_CTX_get_default_passwd_cb(ctx)); - ExpectNull(passwd_cb_userdata = - SSL_CTX_get_default_passwd_cb_userdata(ctx)); - - /* fail case with password call back */ - ExpectNull(pkey = PEM_read_bio_PrivateKey(bio, NULL, NULL, - (void*)passwd)); - BIO_free(bio); - ExpectNotNull(bio = BIO_new_file("./certs/server-keyEnc.pem", "rb")); - ExpectNull(pkey = PEM_read_bio_PrivateKey(bio, NULL, passwd_cb, - (void*)passwd)); - BIO_free(bio); - - ExpectTrue((f = XFOPEN("./certs/server-keyEnc.pem", "rb")) != XBADFILE); - ExpectNotNull(bio = BIO_new_fp(f, BIO_CLOSE)); - if ((bio == NULL) && (f != XBADFILE)) { - XFCLOSE(f); - } - - /* use callback that works */ - ExpectNotNull(pkey = PEM_read_bio_PrivateKey(bio, NULL, passwd_cb, - (void*)"yassl123")); - - ExpectIntEQ(SSL_CTX_use_PrivateKey(ctx, pkey), SSL_SUCCESS); - - EVP_PKEY_free(pkey); - pkey = NULL; - BIO_free(bio); - bio = NULL; - SSL_CTX_free(ctx); - } - #endif /* !defined(NO_DES3) */ - -#endif /* !NO_BIO */ - - #if defined(HAVE_ECC) && !defined(NO_FILESYSTEM) - { - unsigned char buf[2048]; - size_t bytes = 0; - XFILE f = XBADFILE; - SSL_CTX* ctx = NULL; - - #ifndef WOLFSSL_NO_TLS12 - #ifndef NO_WOLFSSL_SERVER - ExpectNotNull(ctx = SSL_CTX_new(TLSv1_2_server_method())); - #else - ExpectNotNull(ctx = SSL_CTX_new(TLSv1_2_client_method())); - #endif - #else - #ifndef NO_WOLFSSL_SERVER - ExpectNotNull(ctx = SSL_CTX_new(wolfTLSv1_3_server_method())); - #else - ExpectNotNull(ctx = SSL_CTX_new(wolfTLSv1_3_client_method())); - #endif - #endif - - ExpectTrue((f = XFOPEN("./certs/ecc-key.der", "rb")) != XBADFILE); - ExpectIntGT(bytes = (size_t)XFREAD(buf, 1, sizeof(buf), f), 0); - if (f != XBADFILE) - XFCLOSE(f); - - server_key = buf; - pkey = NULL; - 
ExpectNull(d2i_PrivateKey(EVP_PKEY_RSA, &pkey, &server_key, (long int)bytes)); - ExpectNull(pkey); - ExpectNotNull(d2i_PrivateKey(EVP_PKEY_EC, &pkey, &server_key, (long int)bytes)); - ExpectIntEQ(SSL_CTX_use_PrivateKey(ctx, pkey), SSL_SUCCESS); +#ifndef NO_SHA256 + "SHA256", +#endif +#ifdef WOLFSSL_SHA384 + "SHA384", +#endif +#ifdef WOLFSSL_SHA512 + "SHA512", +#endif +#if defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_224) + "SHA512-224", +#endif +#if defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_256) + "SHA512-256", +#endif +#ifdef WOLFSSL_SHA3 +#ifndef WOLFSSL_NOSHA3_224 + "SHA3-224", +#endif +#ifndef WOLFSSL_NOSHA3_256 + "SHA3-256", +#endif + "SHA3-384", +#ifndef WOLFSSL_NOSHA3_512 + "SHA3-512", +#endif +#endif /* WOLFSSL_SHA3 */ + NULL + }; + const char** d; + const unsigned char in[] = "abc"; + int inLen = XSTR_SIZEOF(in); + byte out[WC_MAX_DIGEST_SIZE]; + unsigned int outLen; - EVP_PKEY_free(pkey); - pkey = NULL; - SSL_CTX_free(ctx); - server_key = NULL; + for (d = digests; *d != NULL; d++) { + ExpectIntEQ(EVP_Digest(in, inLen, out, &outLen, *d, NULL), 1); + ExpectIntGT(outLen, 0); + ExpectIntEQ(EVP_MD_size(*d), outLen); } - #endif - -#ifndef NO_BIO - (void)bio; #endif - (void)pkey; - (void)server_key; -#endif /* OPENSSL_EXTRA && !NO_CERTS && !NO_RSA && USE_CERT_BUFFERS_2048 */ return EXPECT_RESULT(); } -static int test_wolfSSL_PEM_file_RSAKey(void) +static int test_wolfSSL_EVP_MD_size(void) { EXPECT_DECLS; -#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)) && \ - defined(WOLFSSL_KEY_GEN) && !defined(NO_RSA) && \ - !defined(NO_FILESYSTEM) && !defined(NO_CERTS) - RSA* rsa = NULL; - XFILE fp = XBADFILE; +#ifdef OPENSSL_EXTRA + WOLFSSL_EVP_MD_CTX mdCtx; - ExpectTrue((fp = XFOPEN("./certs/rsa-pub-2048.pem", "rb")) != XBADFILE); - ExpectNotNull((rsa = PEM_read_RSA_PUBKEY(fp, NULL, NULL, NULL))); - if (fp != XBADFILE) - XFCLOSE(fp); - ExpectIntEQ(RSA_size(rsa), 256); +#ifdef WOLFSSL_SHA3 +#ifndef WOLFSSL_NOSHA3_224 + wolfSSL_EVP_MD_CTX_init(&mdCtx); 
- ExpectIntEQ(PEM_write_RSAPublicKey(XBADFILE, rsa), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(PEM_write_RSAPublicKey(stderr, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(PEM_write_RSAPublicKey(stderr, rsa), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA3-224"), 1); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA3_224_DIGEST_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA3_224_BLOCK_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); +#endif +#ifndef WOLFSSL_NOSHA3_256 + wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(PEM_write_RSA_PUBKEY(XBADFILE, rsa), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(PEM_write_RSA_PUBKEY(stderr, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(PEM_write_RSA_PUBKEY(stderr, rsa), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA3-256"), 1); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA3_256_DIGEST_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA3_256_BLOCK_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); +#endif + wolfSSL_EVP_MD_CTX_init(&mdCtx); - RSA_free(rsa); -#endif /* defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)) && \ - (defined(WOLFSSL_KEY_GEN) || WOLFSSL_CERT_GEN) && \ - !defined(NO_FILESYSTEM) && !defined(NO_RSA) && !defined(NO_CERTS) */ - return EXPECT_RESULT(); -} + ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA3-384"), 1); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA3_384_DIGEST_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA3_384_BLOCK_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); +#ifndef WOLFSSL_NOSHA3_512 + wolfSSL_EVP_MD_CTX_init(&mdCtx); -static int test_wolfSSL_PEM_file_RSAPrivateKey(void) -{ - EXPECT_DECLS; -#if !defined(NO_RSA) && defined(OPENSSL_EXTRA) && defined(WOLFSSL_KEY_GEN) && \ - !defined(NO_FILESYSTEM) && \ - (defined(WOLFSSL_PEM_TO_DER) || defined(WOLFSSL_DER_TO_PEM)) - RSA* rsa = NULL; - XFILE f = NULL; + 
ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA3-512"), 1); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA3_512_DIGEST_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA3_512_BLOCK_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); +#endif +#endif /* WOLFSSL_SHA3 */ - ExpectTrue((f = XFOPEN(svrKeyFile, "rb")) != XBADFILE); - ExpectNotNull((rsa = PEM_read_RSAPrivateKey(f, NULL, NULL, NULL))); - ExpectIntEQ(RSA_size(rsa), 256); - if (f != XBADFILE) { - XFCLOSE(f); - f = XBADFILE; - } +#ifndef NO_SHA256 + wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(PEM_write_RSAPrivateKey(XBADFILE, rsa, NULL, NULL, 0, NULL, - NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(PEM_write_RSAPrivateKey(stderr, NULL, NULL, NULL, 0, NULL, - NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(PEM_write_RSAPrivateKey(stderr, rsa, NULL, NULL, 0, NULL, NULL), - WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA256"), 1); + ExpectIntEQ(wolfSSL_EVP_MD_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), + WC_SHA256_DIGEST_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_block_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), + WC_SHA256_BLOCK_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA256_DIGEST_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA256_BLOCK_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); - RSA_free(rsa); +#endif -#ifdef HAVE_ECC - ExpectTrue((f = XFOPEN(eccKeyFile, "rb")) != XBADFILE); - ExpectNull((rsa = PEM_read_RSAPrivateKey(f, NULL, NULL, NULL))); - if (f != XBADFILE) - XFCLOSE(f); -#endif /* HAVE_ECC */ -#endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) */ - return EXPECT_RESULT(); -} +#ifndef NO_MD5 + wolfSSL_EVP_MD_CTX_init(&mdCtx); -static int test_wolfSSL_PEM_read_RSA_PUBKEY(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ - !defined(NO_FILESYSTEM) && !defined(NO_RSA) - XFILE file = XBADFILE; - const char* fname = "./certs/client-keyPub.pem"; - RSA *rsa = NULL; + 
ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "MD5"), 1); + ExpectIntEQ(wolfSSL_EVP_MD_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), + WC_MD5_DIGEST_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_block_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), + WC_MD5_BLOCK_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_MD5_DIGEST_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_MD5_BLOCK_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); - ExpectNull(wolfSSL_PEM_read_RSA_PUBKEY(XBADFILE, NULL, NULL, NULL)); +#endif - ExpectTrue((file = XFOPEN(fname, "rb")) != XBADFILE); - ExpectNotNull((rsa = PEM_read_RSA_PUBKEY(file, NULL, NULL, NULL))); - ExpectIntEQ(RSA_size(rsa), 256); - RSA_free(rsa); - if (file != XBADFILE) - XFCLOSE(file); -#endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) */ - return EXPECT_RESULT(); -} +#ifdef WOLFSSL_SHA224 + wolfSSL_EVP_MD_CTX_init(&mdCtx); -#ifndef NO_BIO -static int test_wolfSSL_PEM_bio_RSAKey(void) -{ - EXPECT_DECLS; -#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)) && \ - defined(WOLFSSL_KEY_GEN) && !defined(NO_RSA) && \ - !defined(NO_FILESYSTEM) && !defined(NO_CERTS) - RSA* rsa = NULL; - BIO* bio = NULL; + ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA224"), 1); + ExpectIntEQ(wolfSSL_EVP_MD_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), + WC_SHA224_DIGEST_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_block_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), + WC_SHA224_BLOCK_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA224_DIGEST_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA224_BLOCK_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); - /* PrivateKey */ - ExpectNotNull(bio = BIO_new_file(svrKeyFile, "rb")); - ExpectNull((rsa = PEM_read_bio_RSAPrivateKey(NULL, NULL, NULL, NULL))); - ExpectNotNull(PEM_read_bio_RSAPrivateKey(bio, &rsa, NULL, NULL)); - ExpectNotNull(rsa); - ExpectIntEQ(RSA_size(rsa), 256); - ExpectIntEQ(PEM_write_bio_RSAPrivateKey(NULL, NULL, NULL, NULL, 0, NULL, \ - NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); 
- BIO_free(bio); - bio = NULL; - ExpectNotNull(bio = wolfSSL_BIO_new(wolfSSL_BIO_s_mem())); - ExpectIntEQ(PEM_write_bio_RSAPrivateKey(bio, rsa, NULL, NULL, 0, NULL, \ - NULL), WOLFSSL_SUCCESS); - BIO_free(bio); - bio = NULL; - RSA_free(rsa); - rsa = NULL; +#endif - /* PUBKEY */ - ExpectNotNull(bio = BIO_new_file("./certs/rsa-pub-2048.pem", "rb")); - ExpectNull((rsa = PEM_read_bio_RSA_PUBKEY(NULL, NULL, NULL, NULL))); - ExpectNotNull((rsa = PEM_read_bio_RSA_PUBKEY(bio, NULL, NULL, NULL))); - ExpectIntEQ(RSA_size(rsa), 256); - ExpectIntEQ(PEM_write_bio_RSA_PUBKEY(NULL, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - BIO_free(bio); - bio = NULL; - ExpectNotNull(bio = wolfSSL_BIO_new(wolfSSL_BIO_s_mem())); - ExpectIntEQ(PEM_write_bio_RSA_PUBKEY(bio, rsa), WOLFSSL_SUCCESS); - BIO_free(bio); - bio = NULL; +#ifdef WOLFSSL_SHA384 + wolfSSL_EVP_MD_CTX_init(&mdCtx); - RSA_free(rsa); - rsa = NULL; + ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA384"), 1); + ExpectIntEQ(wolfSSL_EVP_MD_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), + WC_SHA384_DIGEST_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_block_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), + WC_SHA384_BLOCK_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA384_DIGEST_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA384_BLOCK_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); - /* Ensure that keys beginning with BEGIN RSA PUBLIC KEY can be read, too. 
*/ - ExpectNotNull(bio = BIO_new_file("./certs/server-keyPub.pem", "rb")); - ExpectNotNull((rsa = PEM_read_bio_RSA_PUBKEY(bio, NULL, NULL, NULL))); - BIO_free(bio); - bio = NULL; - RSA_free(rsa); - rsa = NULL; +#endif - #ifdef HAVE_ECC - /* ensure that non-rsa keys do not work */ - ExpectNotNull(bio = BIO_new_file(eccKeyFile, "rb")); /* ecc key */ - ExpectNull((rsa = PEM_read_bio_RSAPrivateKey(bio, NULL, NULL, NULL))); - ExpectNull((rsa = PEM_read_bio_RSA_PUBKEY(bio, NULL, NULL, NULL))); - BIO_free(bio); - bio = NULL; - RSA_free(rsa); - rsa = NULL; - #endif /* HAVE_ECC */ -#endif /* defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)) && \ - (defined(WOLFSSL_KEY_GEN) || WOLFSSL_CERT_GEN) && \ - !defined(NO_FILESYSTEM) && !defined(NO_RSA) && !defined(NO_CERTS) */ - return EXPECT_RESULT(); -} +#ifdef WOLFSSL_SHA512 + wolfSSL_EVP_MD_CTX_init(&mdCtx); -static int test_wolfSSL_PEM_bio_RSAPrivateKey(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ - !defined(NO_FILESYSTEM) && !defined(NO_RSA) - RSA* rsa = NULL; - RSA* rsa_dup = NULL; - BIO* bio = NULL; + ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA512"), 1); + ExpectIntEQ(wolfSSL_EVP_MD_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), + WC_SHA512_DIGEST_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_block_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), + WC_SHA512_BLOCK_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA512_DIGEST_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA512_BLOCK_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); - ExpectNotNull(bio = BIO_new_file(svrKeyFile, "rb")); - ExpectNotNull((rsa = PEM_read_bio_RSAPrivateKey(bio, NULL, NULL, NULL))); - ExpectIntEQ(RSA_size(rsa), 256); +#endif -#if defined(WOLFSSL_KEY_GEN) && !defined(NO_RSA) - ExpectNull(rsa_dup = RSAPublicKey_dup(NULL)); - /* Test duplicating empty key. 
*/ - ExpectNotNull(rsa_dup = RSA_new()); - ExpectNull(RSAPublicKey_dup(rsa_dup)); - RSA_free(rsa_dup); - rsa_dup = NULL; - ExpectNotNull(rsa_dup = RSAPublicKey_dup(rsa)); - ExpectPtrNE(rsa_dup, rsa); -#endif - - /* test if valgrind complains about unreleased memory */ - RSA_up_ref(rsa); - RSA_free(rsa); +#ifndef NO_SHA + wolfSSL_EVP_MD_CTX_init(&mdCtx); - BIO_free(bio); - bio = NULL; - RSA_free(rsa); - rsa = NULL; - RSA_free(rsa_dup); - rsa_dup = NULL; + ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA"), 1); + ExpectIntEQ(wolfSSL_EVP_MD_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), + WC_SHA_DIGEST_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_block_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), + WC_SHA_BLOCK_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA_DIGEST_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA_BLOCK_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); -#ifdef HAVE_ECC - ExpectNotNull(bio = BIO_new_file(eccKeyFile, "rb")); - ExpectNull((rsa = PEM_read_bio_RSAPrivateKey(bio, NULL, NULL, NULL))); + wolfSSL_EVP_MD_CTX_init(&mdCtx); - BIO_free(bio); -#endif /* HAVE_ECC */ -#endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) */ + ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA1"), 1); + ExpectIntEQ(wolfSSL_EVP_MD_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), + WC_SHA_DIGEST_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_block_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), + WC_SHA_BLOCK_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA_DIGEST_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA_BLOCK_SIZE); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); +#endif + /* error case */ + wolfSSL_EVP_MD_CTX_init(&mdCtx); + + ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, ""), 0); + ExpectIntEQ(wolfSSL_EVP_MD_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), 0); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), 0); + /* Cleanup is valid on uninit'ed struct */ + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); +#endif /* OPENSSL_EXTRA */ return 
EXPECT_RESULT(); } -static int test_wolfSSL_PEM_bio_DSAKey(void) +static int test_wolfSSL_EVP_MD_pkey_type(void) { EXPECT_DECLS; -#ifndef HAVE_SELFTEST -#if (defined(WOLFSSL_QT) || defined(OPENSSL_ALL)) && !defined(NO_CERTS) && \ - defined(WOLFSSL_KEY_GEN) && !defined(NO_FILESYSTEM) && !defined(NO_DSA) - DSA* dsa = NULL; - BIO* bio = NULL; - - /* PrivateKey */ - ExpectNotNull(bio = BIO_new_file("./certs/1024/dsa1024.pem", "rb")); - ExpectNull((dsa = PEM_read_bio_DSAPrivateKey(NULL, NULL, NULL, NULL))); - ExpectNotNull((dsa = PEM_read_bio_DSAPrivateKey(bio, NULL, NULL, NULL))); - ExpectIntEQ(BN_num_bytes(dsa->g), 128); - ExpectIntEQ(PEM_write_bio_DSAPrivateKey(NULL, NULL, NULL, NULL, 0, NULL, - NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - BIO_free(bio); - bio = NULL; - ExpectNotNull(bio = wolfSSL_BIO_new(wolfSSL_BIO_s_mem())); - ExpectIntEQ(PEM_write_bio_DSAPrivateKey(bio, dsa, NULL, NULL, 0, NULL, - NULL), WOLFSSL_SUCCESS); - BIO_free(bio); - bio = NULL; - DSA_free(dsa); - dsa = NULL; - - /* PUBKEY */ - ExpectNotNull(bio = BIO_new_file("./certs/1024/dsa-pub-1024.pem", "rb")); - ExpectNull((dsa = PEM_read_bio_DSA_PUBKEY(NULL, NULL, NULL, NULL))); - ExpectNotNull((dsa = PEM_read_bio_DSA_PUBKEY(bio, NULL, NULL, NULL))); - ExpectIntEQ(BN_num_bytes(dsa->g), 128); - ExpectIntEQ(PEM_write_bio_DSA_PUBKEY(NULL, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - BIO_free(bio); - bio = NULL; - ExpectNotNull(bio = wolfSSL_BIO_new(wolfSSL_BIO_s_mem())); - ExpectIntEQ(PEM_write_bio_DSA_PUBKEY(bio, dsa), WOLFSSL_SUCCESS); - BIO_free(bio); - bio = NULL; - DSA_free(dsa); - dsa = NULL; +#ifdef OPENSSL_EXTRA + const WOLFSSL_EVP_MD* md; - #ifdef HAVE_ECC - /* ensure that non-dsa keys do not work */ - ExpectNotNull(bio = BIO_new_file(eccKeyFile, "rb")); /* ecc key */ - ExpectNull((dsa = PEM_read_bio_DSAPrivateKey(bio, NULL, NULL, NULL))); - ExpectNull((dsa = PEM_read_bio_DSA_PUBKEY(bio, NULL, NULL, NULL))); - BIO_free(bio); - bio = NULL; - DSA_free(dsa); - dsa = NULL; - #endif /* HAVE_ECC */ 
-#endif /* defined(WOLFSSL_QT) || defined(OPENSSL_ALL)) && \ - !defined(NO_CERTS) && defined(WOLFSSL_KEY_GEN) && \ - !defined(NO_FILESYSTEM) && !defined(NO_DSA) */ -#endif /* HAVE_SELFTEST */ +#ifndef NO_MD5 + ExpectNotNull(md = EVP_md5()); + ExpectIntEQ(EVP_MD_pkey_type(md), NID_md5WithRSAEncryption); +#endif +#ifndef NO_SHA + ExpectNotNull(md = EVP_sha1()); + ExpectIntEQ(EVP_MD_pkey_type(md), NID_sha1WithRSAEncryption); +#endif +#ifdef WOLFSSL_SHA224 + ExpectNotNull(md = EVP_sha224()); + ExpectIntEQ(EVP_MD_pkey_type(md), NID_sha224WithRSAEncryption); +#endif + ExpectNotNull(md = EVP_sha256()); + ExpectIntEQ(EVP_MD_pkey_type(md), NID_sha256WithRSAEncryption); +#ifdef WOLFSSL_SHA384 + ExpectNotNull(md = EVP_sha384()); + ExpectIntEQ(EVP_MD_pkey_type(md), NID_sha384WithRSAEncryption); +#endif +#ifdef WOLFSSL_SHA512 + ExpectNotNull(md = EVP_sha512()); + ExpectIntEQ(EVP_MD_pkey_type(md), NID_sha512WithRSAEncryption); +#endif +#endif return EXPECT_RESULT(); } -static int test_wolfSSL_PEM_bio_ECKey(void) +#ifdef OPENSSL_EXTRA +static int test_hmac_signing(const WOLFSSL_EVP_MD *type, const byte* testKey, + size_t testKeySz, const char* testData, size_t testDataSz, + const byte* testResult, size_t testResultSz) { EXPECT_DECLS; -#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)) && \ - defined(WOLFSSL_KEY_GEN) && !defined(NO_FILESYSTEM) && defined(HAVE_ECC) - EC_KEY* ec = NULL; - EC_KEY* ec2; - BIO* bio = NULL; -#if defined(WOLFSSL_PEM_TO_DER) || defined(WOLFSSL_DER_TO_PEM) - unsigned char* pem = NULL; - int pLen; -#endif - static char ec_key_bad_1[] = "-----BEGIN PUBLIC KEY-----\n" - "MAA=\n" - "-----END PUBLIC KEY-----"; - static char ec_priv_key_bad_1[] = "-----BEGIN EC PRIVATE KEY-----\n" - "MAA=\n" - "-----END EC PRIVATE KEY-----"; - - /* PrivateKey */ - ExpectNotNull(bio = BIO_new_file("./certs/ecc-key.pem", "rb")); - ExpectNull((ec = PEM_read_bio_ECPrivateKey(NULL, NULL, NULL, NULL))); - ec2 = NULL; - ExpectNotNull((ec = PEM_read_bio_ECPrivateKey(bio, &ec2, NULL, 
NULL))); - ExpectIntEQ(ec == ec2, 1); - ExpectIntEQ(wc_ecc_size((ecc_key*)ec->internal), 32); - ExpectIntEQ(PEM_write_bio_ECPrivateKey(NULL, NULL, NULL, NULL, 0, NULL, - NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(PEM_write_bio_ECPrivateKey(bio, NULL, NULL, NULL, 0, NULL, - NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(PEM_write_bio_ECPrivateKey(NULL, ec, NULL, NULL, 0, NULL, NULL), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - BIO_free(bio); - bio = NULL; - /* Public key data - fail. */ - ExpectNotNull(bio = BIO_new_file("./certs/ecc-client-keyPub.pem", "rb")); - ExpectNull(PEM_read_bio_ECPrivateKey(bio, NULL, NULL, NULL)); - BIO_free(bio); - bio = NULL; - ExpectNotNull(bio = wolfSSL_BIO_new(wolfSSL_BIO_s_mem())); - ExpectIntEQ(PEM_write_bio_ECPrivateKey(bio, ec, NULL, NULL, 0, NULL, \ - NULL), WOLFSSL_SUCCESS); - BIO_free(bio); - bio = NULL; + unsigned char check[WC_MAX_DIGEST_SIZE]; + size_t checkSz = 0; + WOLFSSL_EVP_PKEY* key = NULL; + WOLFSSL_EVP_MD_CTX mdCtx; - ExpectIntEQ(PEM_write_ECPrivateKey(XBADFILE, NULL, NULL, NULL, 0, NULL, - NULL),WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(PEM_write_ECPrivateKey(stderr, NULL, NULL, NULL, 0, NULL, NULL), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(PEM_write_ECPrivateKey(XBADFILE, ec, NULL, NULL, 0, NULL, NULL), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(PEM_write_ECPrivateKey(stderr, ec, NULL, NULL, 0, NULL, NULL), - WOLFSSL_SUCCESS); + ExpectNotNull(key = wolfSSL_EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, + testKey, (int)testKeySz)); + wolfSSL_EVP_MD_CTX_init(&mdCtx); + ExpectIntEQ(wolfSSL_EVP_DigestSignInit(&mdCtx, NULL, type, NULL, key), 1); + ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData, + (unsigned int)testDataSz), 1); + checkSz = sizeof(check); + ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, NULL, &checkSz), 1); + ExpectIntEQ((int)checkSz, (int)testResultSz); + checkSz = sizeof(check); + ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); + 
ExpectIntEQ((int)checkSz,(int)testResultSz); + ExpectIntEQ(XMEMCMP(testResult, check, testResultSz), 0); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); - ExpectIntEQ(wolfSSL_PEM_write_mem_ECPrivateKey(NULL, NULL, NULL, 0, NULL, - NULL), 0); -#if defined(WOLFSSL_PEM_TO_DER) || defined(WOLFSSL_DER_TO_PEM) - ExpectIntEQ(wolfSSL_PEM_write_mem_ECPrivateKey(ec, NULL, NULL, 0, NULL, - NULL), 0); - ExpectIntEQ(wolfSSL_PEM_write_mem_ECPrivateKey(NULL, NULL, NULL, 0, &pem, - NULL), 0); - ExpectIntEQ(wolfSSL_PEM_write_mem_ECPrivateKey(NULL, NULL, NULL, 0, NULL, - &pLen), 0); - ExpectIntEQ(wolfSSL_PEM_write_mem_ECPrivateKey(NULL, NULL, NULL, 0, &pem, - &pLen), 0); - ExpectIntEQ(wolfSSL_PEM_write_mem_ECPrivateKey(ec, NULL, NULL, 0, NULL, - &pLen), 0); - ExpectIntEQ(wolfSSL_PEM_write_mem_ECPrivateKey(ec, NULL, NULL, 0, &pem, - NULL), 0); - ExpectIntEQ(wolfSSL_PEM_write_mem_ECPrivateKey(ec, NULL, NULL, 0, &pem, - &pLen), 1); - ExpectIntGT(pLen, 0); - XFREE(pem, NULL, DYNAMIC_TYPE_TMP_BUFFER); -#endif - - EC_KEY_free(ec); - ec = NULL; - - /* PUBKEY */ - ExpectNotNull(bio = BIO_new_file("./certs/ecc-client-keyPub.pem", "rb")); - ExpectNull((ec = PEM_read_bio_EC_PUBKEY(NULL, NULL, NULL, NULL))); - ec2 = NULL; - ExpectNotNull((ec = PEM_read_bio_EC_PUBKEY(bio, &ec2, NULL, NULL))); - ExpectIntEQ(ec == ec2, 1); - ExpectIntEQ(wc_ecc_size((ecc_key*)ec->internal), 32); - ExpectIntEQ(PEM_write_bio_EC_PUBKEY(NULL, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - BIO_free(bio); - bio = NULL; - /* Test 0x30, 0x00 fails. */ - ExpectNotNull(bio = BIO_new_mem_buf((unsigned char*)ec_key_bad_1, - sizeof(ec_key_bad_1))); - ExpectNull(PEM_read_bio_EC_PUBKEY(bio, NULL, NULL, NULL)); - BIO_free(bio); - bio = NULL; + ExpectIntEQ(wolfSSL_EVP_DigestVerifyInit(&mdCtx, NULL, type, NULL, key), 1); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData, + (unsigned int)testDataSz), 1); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyFinal(&mdCtx, testResult, checkSz), 1); - /* Private key data - fail. 
*/ - ExpectNotNull(bio = BIO_new_file("./certs/ecc-key.pem", "rb")); - ExpectNull(PEM_read_bio_EC_PUBKEY(bio, NULL, NULL, NULL)); - BIO_free(bio); - bio = NULL; - ExpectNotNull(bio = wolfSSL_BIO_new(wolfSSL_BIO_s_mem())); - ExpectIntEQ(PEM_write_bio_EC_PUBKEY(bio, ec), WOLFSSL_SUCCESS); - BIO_free(bio); - bio = NULL; + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); + wolfSSL_EVP_MD_CTX_init(&mdCtx); + ExpectIntEQ(wolfSSL_EVP_DigestSignInit(&mdCtx, NULL, type, NULL, key), 1); + ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData, 4), 1); + checkSz = sizeof(check); + ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, NULL, &checkSz), 1); + ExpectIntEQ((int)checkSz, (int)testResultSz); + checkSz = sizeof(check); + ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); + ExpectIntEQ((int)checkSz,(int)testResultSz); + ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData + 4, + (unsigned int)testDataSz - 4), 1); + checkSz = sizeof(check); + ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); + ExpectIntEQ((int)checkSz,(int)testResultSz); + ExpectIntEQ(XMEMCMP(testResult, check, testResultSz), 0); + + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyInit(&mdCtx, NULL, type, NULL, key), 1); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData, 4), 1); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData + 4, + (unsigned int)testDataSz - 4), 1); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyFinal(&mdCtx, testResult, checkSz), 1); - /* Same test as above, but with a file pointer rather than a BIO. 
*/ - ExpectIntEQ(PEM_write_EC_PUBKEY(NULL, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(PEM_write_EC_PUBKEY(NULL, ec), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(PEM_write_EC_PUBKEY(stderr, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(PEM_write_EC_PUBKEY(stderr, ec), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); - EC_KEY_free(ec); - ec = NULL; + wolfSSL_EVP_PKEY_free(key); - #ifndef NO_RSA - /* ensure that non-ec keys do not work */ - ExpectNotNull(bio = BIO_new_file(svrKeyFile, "rb")); /* rsa key */ - ExpectNull((ec = PEM_read_bio_ECPrivateKey(bio, NULL, NULL, NULL))); - ExpectNull((ec = PEM_read_bio_EC_PUBKEY(bio, NULL, NULL, NULL))); - BIO_free(bio); - bio = NULL; - EC_KEY_free(ec); - ec = NULL; - #endif /* !NO_RSA */ - /* Test 0x30, 0x00 fails. */ - ExpectNotNull(bio = BIO_new_mem_buf((unsigned char*)ec_priv_key_bad_1, - sizeof(ec_priv_key_bad_1))); - ExpectNull(PEM_read_bio_ECPrivateKey(bio, NULL, NULL, NULL)); - BIO_free(bio); - bio = NULL; -#endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) */ return EXPECT_RESULT(); } +#endif -static int test_wolfSSL_PEM_PUBKEY(void) +static int test_wolfSSL_EVP_MD_hmac_signing(void) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && defined(HAVE_ECC) - BIO* bio = NULL; - EVP_PKEY* pkey = NULL; - - /* test creating new EVP_PKEY with bad arg */ - ExpectNull((pkey = PEM_read_bio_PUBKEY(NULL, NULL, NULL, NULL))); - - /* test loading ECC key using BIO */ -#if defined(HAVE_ECC) && !defined(NO_FILESYSTEM) +#ifdef OPENSSL_EXTRA + static const unsigned char testKey[] = { - XFILE file = XBADFILE; - const char* fname = "./certs/ecc-client-keyPub.pem"; - size_t sz = 0; - byte* buf = NULL; - - EVP_PKEY* pkey2 = NULL; - EC_KEY* ec_key = NULL; - - ExpectTrue((file = XFOPEN(fname, "rb")) != XBADFILE); - ExpectIntEQ(XFSEEK(file, 0, XSEEK_END), 0); - ExpectIntGT(sz = XFTELL(file), 0); - ExpectIntEQ(XFSEEK(file, 0, XSEEK_SET), 0); - ExpectNotNull(buf = (byte*)XMALLOC(sz, NULL, 
DYNAMIC_TYPE_FILE)); - if (buf != NULL) { - ExpectIntEQ(XFREAD(buf, 1, sz, file), sz); - } - if (file != XBADFILE) { - XFCLOSE(file); - } - - /* Test using BIO new mem and loading PEM private key */ - ExpectNotNull(bio = BIO_new_mem_buf(buf, (int)sz)); - ExpectNotNull((pkey = PEM_read_bio_PUBKEY(bio, NULL, NULL, NULL))); - BIO_free(bio); - bio = NULL; - EVP_PKEY_free(pkey); - pkey = NULL; - ExpectNotNull(bio = BIO_new_mem_buf(buf, (int)sz)); - ExpectNotNull(pkey = EVP_PKEY_new()); - ExpectPtrEq(PEM_read_bio_PUBKEY(bio, &pkey, NULL, NULL), pkey); - XFREE(buf, NULL, DYNAMIC_TYPE_FILE); - BIO_free(bio); - bio = NULL; - - /* Qt unit test case*/ - ExpectNotNull(pkey2 = EVP_PKEY_new()); - ExpectNotNull(ec_key = EVP_PKEY_get1_EC_KEY(pkey)); - ExpectIntEQ(EVP_PKEY_set1_EC_KEY(pkey2, ec_key), WOLFSSL_SUCCESS); - #ifdef WOLFSSL_ERROR_CODE_OPENSSL - ExpectIntEQ(EVP_PKEY_cmp(pkey, pkey2), 1/* match */); - #else - ExpectIntEQ(EVP_PKEY_cmp(pkey, pkey2), 0); - #endif - - EC_KEY_free(ec_key); - EVP_PKEY_free(pkey2); - EVP_PKEY_free(pkey); - pkey = NULL; - } -#endif - - (void)bio; - (void)pkey; -#endif - return EXPECT_RESULT(); -} - -#endif /* !NO_BIO */ - -static int test_wolfSSL_tmp_dh(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_FILESYSTEM) && \ - !defined(NO_RSA) && !defined(NO_DH) && !defined(NO_BIO) && \ - !defined(NO_TLS) && \ - (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) - byte buff[6000]; - static const unsigned char p[] = { - 0xb0, 0xa1, 0x08, 0x06, 0x9c, 0x08, 0x13, 0xba, - 0x59, 0x06, 0x3c, 0xbc, 0x30, 0xd5, 0xf5, 0x00, - 0xc1, 0x4f, 0x44, 0xa7, 0xd6, 0xef, 0x4a, 0xc6, - 0x25, 0x27, 0x1c, 0xe8, 0xd2, 0x96, 0x53, 0x0a, - 0x5c, 0x91, 0xdd, 0xa2, 0xc2, 0x94, 0x84, 0xbf, - 0x7d, 0xb2, 0x44, 0x9f, 0x9b, 0xd2, 0xc1, 0x8a, - 0xc5, 0xbe, 0x72, 0x5c, 0xa7, 0xe7, 0x91, 0xe6, - 0xd4, 0x9f, 0x73, 0x07, 0x85, 0x5b, 0x66, 0x48, - 0xc7, 0x70, 0xfa, 0xb4, 0xee, 0x02, 0xc9, 0x3d, - 0x9a, 0x4a, 0xda, 0x3d, 0xc1, 0x46, 0x3e, 
0x19, - 0x69, 0xd1, 0x17, 0x46, 0x07, 0xa3, 0x4d, 0x9f, - 0x2b, 0x96, 0x17, 0x39, 0x6d, 0x30, 0x8d, 0x2a, - 0xf3, 0x94, 0xd3, 0x75, 0xcf, 0xa0, 0x75, 0xe6, - 0xf2, 0x92, 0x1f, 0x1a, 0x70, 0x05, 0xaa, 0x04, - 0x83, 0x57, 0x30, 0xfb, 0xda, 0x76, 0x93, 0x38, - 0x50, 0xe8, 0x27, 0xfd, 0x63, 0xee, 0x3c, 0xe5, - 0xb7, 0xc8, 0x09, 0xae, 0x6f, 0x50, 0x35, 0x8e, - 0x84, 0xce, 0x4a, 0x00, 0xe9, 0x12, 0x7e, 0x5a, - 0x31, 0xd7, 0x33, 0xfc, 0x21, 0x13, 0x76, 0xcc, - 0x16, 0x30, 0xdb, 0x0c, 0xfc, 0xc5, 0x62, 0xa7, - 0x35, 0xb8, 0xef, 0xb7, 0xb0, 0xac, 0xc0, 0x36, - 0xf6, 0xd9, 0xc9, 0x46, 0x48, 0xf9, 0x40, 0x90, - 0x00, 0x2b, 0x1b, 0xaa, 0x6c, 0xe3, 0x1a, 0xc3, - 0x0b, 0x03, 0x9e, 0x1b, 0xc2, 0x46, 0xe4, 0x48, - 0x4e, 0x22, 0x73, 0x6f, 0xc3, 0x5f, 0xd4, 0x9a, - 0xd6, 0x30, 0x07, 0x48, 0xd6, 0x8c, 0x90, 0xab, - 0xd4, 0xf6, 0xf1, 0xe3, 0x48, 0xd3, 0x58, 0x4b, - 0xa6, 0xb9, 0xcd, 0x29, 0xbf, 0x68, 0x1f, 0x08, - 0x4b, 0x63, 0x86, 0x2f, 0x5c, 0x6b, 0xd6, 0xb6, - 0x06, 0x65, 0xf7, 0xa6, 0xdc, 0x00, 0x67, 0x6b, - 0xbb, 0xc3, 0xa9, 0x41, 0x83, 0xfb, 0xc7, 0xfa, - 0xc8, 0xe2, 0x1e, 0x7e, 0xaf, 0x00, 0x3f, 0x93 - }; - int pSz = (int)sizeof(p); -#if !defined(WOLFSSL_OLD_PRIME_CHECK) && !defined(HAVE_FIPS) && \ - !defined(HAVE_SELFTEST) - static const unsigned char bad_p[] = { - 0xb0, 0xa1, 0x08, 0x06, 0x9c, 0x08, 0x13, 0xba, - 0x59, 0x06, 0x3c, 0xbc, 0x30, 0xd5, 0xf5, 0x00, - 0xc1, 0x4f, 0x44, 0xa7, 0xd6, 0xef, 0x4a, 0xc6, - 0x25, 0x27, 0x1c, 0xe8, 0xd2, 0x96, 0x53, 0x0a, - 0x5c, 0x91, 0xdd, 0xa2, 0xc2, 0x94, 0x84, 0xbf, - 0x7d, 0xb2, 0x44, 0x9f, 0x9b, 0xd2, 0xc1, 0x8a, - 0xc5, 0xbe, 0x72, 0x5c, 0xa7, 0xe7, 0x91, 0xe6, - 0xd4, 0x9f, 0x73, 0x07, 0x85, 0x5b, 0x66, 0x48, - 0xc7, 0x70, 0xfa, 0xb4, 0xee, 0x02, 0xc9, 0x3d, - 0x9a, 0x4a, 0xda, 0x3d, 0xc1, 0x46, 0x3e, 0x19, - 0x69, 0xd1, 0x17, 0x46, 0x07, 0xa3, 0x4d, 0x9f, - 0x2b, 0x96, 0x17, 0x39, 0x6d, 0x30, 0x8d, 0x2a, - 0xf3, 0x94, 0xd3, 0x75, 0xcf, 0xa0, 0x75, 0xe6, - 0xf2, 0x92, 0x1f, 0x1a, 0x70, 0x05, 0xaa, 0x04, - 0x83, 0x57, 0x30, 0xfb, 
0xda, 0x76, 0x93, 0x38, - 0x50, 0xe8, 0x27, 0xfd, 0x63, 0xee, 0x3c, 0xe5, - 0xb7, 0xc8, 0x09, 0xae, 0x6f, 0x50, 0x35, 0x8e, - 0x84, 0xce, 0x4a, 0x00, 0xe9, 0x12, 0x7e, 0x5a, - 0x31, 0xd7, 0x33, 0xfc, 0x21, 0x13, 0x76, 0xcc, - 0x16, 0x30, 0xdb, 0x0c, 0xfc, 0xc5, 0x62, 0xa7, - 0x35, 0xb8, 0xef, 0xb7, 0xb0, 0xac, 0xc0, 0x36, - 0xf6, 0xd9, 0xc9, 0x46, 0x48, 0xf9, 0x40, 0x90, - 0x00, 0x2b, 0x1b, 0xaa, 0x6c, 0xe3, 0x1a, 0xc3, - 0x0b, 0x03, 0x9e, 0x1b, 0xc2, 0x46, 0xe4, 0x48, - 0x4e, 0x22, 0x73, 0x6f, 0xc3, 0x5f, 0xd4, 0x9a, - 0xd6, 0x30, 0x07, 0x48, 0xd6, 0x8c, 0x90, 0xab, - 0xd4, 0xf6, 0xf1, 0xe3, 0x48, 0xd3, 0x58, 0x4b, - 0xa6, 0xb9, 0xcd, 0x29, 0xbf, 0x68, 0x1f, 0x08, - 0x4b, 0x63, 0x86, 0x2f, 0x5c, 0x6b, 0xd6, 0xb6, - 0x06, 0x65, 0xf7, 0xa6, 0xdc, 0x00, 0x67, 0x6b, - 0xbb, 0xc3, 0xa9, 0x41, 0x83, 0xfb, 0xc7, 0xfa, - 0xc8, 0xe2, 0x1e, 0x7e, 0xaf, 0x00, 0x3f, 0x91 + 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, + 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, + 0x0b, 0x0b, 0x0b, 0x0b }; -#endif - static const unsigned char g[] = { 0x02 }; - int gSz = (int)sizeof(g); -#if !defined(NO_DSA) - char file[] = "./certs/dsaparams.pem"; - DSA* dsa = NULL; -#else - char file[] = "./certs/dh2048.pem"; -#endif - XFILE f = XBADFILE; - int bytes = 0; - DH* dh = NULL; - DH* dh2 = NULL; - BIO* bio = NULL; - SSL* ssl = NULL; - SSL_CTX* ctx = NULL; -#ifndef NO_WOLFSSL_CLIENT - SSL* ssl_c = NULL; - SSL_CTX* ctx_c = NULL; -#endif - -#ifndef NO_WOLFSSL_SERVER - ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); - ExpectTrue(SSL_CTX_use_certificate_file(ctx, svrCertFile, - WOLFSSL_FILETYPE_PEM)); - ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, - WOLFSSL_FILETYPE_PEM)); - ExpectNotNull(ssl = SSL_new(ctx)); -#endif -#ifndef NO_WOLFSSL_CLIENT - ExpectNotNull(ctx_c = SSL_CTX_new(wolfSSLv23_client_method())); - ExpectTrue(SSL_CTX_use_certificate_file(ctx_c, svrCertFile, - WOLFSSL_FILETYPE_PEM)); - ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx_c, svrKeyFile, - 
WOLFSSL_FILETYPE_PEM)); - ExpectNotNull(ssl_c = SSL_new(ctx_c)); -#ifdef NO_WOLFSSL_SERVER - ctx = ctx_c; - ssl = ssl_c; -#endif -#endif - - XMEMSET(buff, 0, sizeof(buff)); - ExpectTrue((f = XFOPEN(file, "rb")) != XBADFILE); - ExpectIntGT(bytes = (int)XFREAD(buff, 1, sizeof(buff), f), 0); - if (f != XBADFILE) - XFCLOSE(f); - - ExpectNotNull(bio = BIO_new_mem_buf((void*)buff, bytes)); - -#if !defined(NO_DSA) - dsa = wolfSSL_PEM_read_bio_DSAparams(bio, NULL, NULL, NULL); - ExpectNotNull(dsa); - - dh = wolfSSL_DSA_dup_DH(dsa); -#else - dh = wolfSSL_PEM_read_bio_DHparams(bio, NULL, NULL, NULL); -#endif - ExpectNotNull(dh); -#if defined(WOLFSSL_DH_EXTRA) && \ - (defined(WOLFSSL_QT) || defined(OPENSSL_ALL) || defined(WOLFSSL_OPENSSH)) - ExpectNotNull(dh2 = wolfSSL_DH_dup(dh)); - DH_free(dh2); - dh2 = NULL; -#endif - - /* Failure cases */ - ExpectIntEQ((int)wolfSSL_CTX_SetTmpDH(NULL, NULL, 0, NULL, 0), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ((int)wolfSSL_CTX_SetTmpDH(ctx , NULL, 0, NULL, 0), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ((int)wolfSSL_CTX_SetTmpDH(NULL, p , 0, NULL, 0), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ((int)wolfSSL_CTX_SetTmpDH(NULL, NULL, 0, g , 0), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ((int)wolfSSL_CTX_SetTmpDH(ctx , p , 0, NULL, 0), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ((int)wolfSSL_CTX_SetTmpDH(ctx , NULL, 0, g , 0), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ((int)wolfSSL_CTX_SetTmpDH(NULL, p , 0, g , 0), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ((int)wolfSSL_CTX_SetTmpDH(ctx , p , 1, g , 1), - WC_NO_ERR_TRACE(DH_KEY_SIZE_E)); - ExpectIntEQ((int)wolfSSL_CTX_SetTmpDH(ctx , buff, 6000, g , 1), - WC_NO_ERR_TRACE(DH_KEY_SIZE_E)); -#if !defined(WOLFSSL_OLD_PRIME_CHECK) && !defined(HAVE_FIPS) && \ - !defined(HAVE_SELFTEST) - ExpectIntEQ((int)wolfSSL_CTX_SetTmpDH(ctx, bad_p, pSz, g, gSz), - WC_NO_ERR_TRACE(DH_CHECK_PUB_E)); -#endif - ExpectIntEQ((int)wolfSSL_SetTmpDH(NULL, NULL, 0, NULL, 0), - 
WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ((int)wolfSSL_SetTmpDH(ssl , NULL, 0, NULL, 0), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ((int)wolfSSL_SetTmpDH(NULL, p , 0, NULL, 0), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ((int)wolfSSL_SetTmpDH(NULL, NULL, 0, g , 0), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ((int)wolfSSL_SetTmpDH(ssl , p , 0, NULL, 0), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ((int)wolfSSL_SetTmpDH(ssl , NULL, 0, g , 0), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ((int)wolfSSL_SetTmpDH(NULL, p , 0, g , 0), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ((int)wolfSSL_SetTmpDH(ssl , p , 1, g , 1), - WC_NO_ERR_TRACE(DH_KEY_SIZE_E)); - ExpectIntEQ((int)wolfSSL_SetTmpDH(ssl , buff, 6000, g , 1), - WC_NO_ERR_TRACE(DH_KEY_SIZE_E)); -#if !defined(WOLFSSL_OLD_PRIME_CHECK) && !defined(HAVE_FIPS) && \ - !defined(HAVE_SELFTEST) -#ifndef NO_WOLFSSL_SERVER - /* Parameters will be tested later so it passes now. */ - ExpectIntEQ((int)wolfSSL_SetTmpDH(ssl, bad_p, pSz, g, gSz), - WOLFSSL_SUCCESS); -#endif -#endif -#ifndef NO_WOLFSSL_CLIENT - ExpectIntEQ((int)wolfSSL_SetTmpDH(ssl_c, p, pSz, g, gSz), - WC_NO_ERR_TRACE(SIDE_ERROR)); -#endif - ExpectIntEQ((int)SSL_CTX_set_tmp_dh(NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ((int)SSL_CTX_set_tmp_dh(ctx , NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ((int)SSL_CTX_set_tmp_dh(NULL, dh ), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ((int)SSL_set_tmp_dh(NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ((int)SSL_set_tmp_dh(ssl , NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ((int)SSL_set_tmp_dh(NULL, dh ), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - /* No p/g to use. 
*/ - dh2 = wolfSSL_DH_new(); - ExpectIntEQ((int)SSL_CTX_set_tmp_dh(ctx , dh2 ), WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); - ExpectIntEQ((int)SSL_set_tmp_dh(ssl , dh2 ), WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); - DH_free(dh2); - dh2 = NULL; - - ExpectIntEQ((int)wolfSSL_CTX_SetTmpDH(ctx, p, pSz, g, gSz), - WOLFSSL_SUCCESS); - ExpectIntEQ((int)SSL_CTX_set_tmp_dh(ctx, dh), WOLFSSL_SUCCESS); -#ifndef NO_WOLFSSL_SERVER - ExpectIntEQ((int)SSL_set_tmp_dh(ssl, dh), WOLFSSL_SUCCESS); -#else - ExpectIntEQ((int)SSL_set_tmp_dh(ssl, dh), WC_NO_ERR_TRACE(SIDE_ERROR)); -#endif - - BIO_free(bio); -#if !defined(NO_DSA) - DSA_free(dsa); -#endif - DH_free(dh); - dh = NULL; -#ifndef NO_WOLFSSL_CLIENT - if (ssl != ssl_c) { - SSL_free(ssl_c); - } -#endif - SSL_free(ssl); -#ifndef NO_WOLFSSL_CLIENT - if (ctx != ctx_c) { - SSL_CTX_free(ctx_c); - } -#endif - SSL_CTX_free(ctx); -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_ctrl(void) -{ - EXPECT_DECLS; -#if defined (OPENSSL_EXTRA) && !defined(NO_BIO) - byte buff[6000]; - BIO* bio = NULL; - int bytes; - BUF_MEM* ptr = NULL; - - XMEMSET(buff, 0, sizeof(buff)); - - bytes = sizeof(buff); - ExpectNotNull(bio = BIO_new_mem_buf((void*)buff, bytes)); - ExpectNotNull(BIO_s_socket()); - - ExpectIntEQ((int)wolfSSL_BIO_get_mem_ptr(bio, &ptr), WOLFSSL_SUCCESS); - - /* needs tested after stubs filled out @TODO - SSL_ctrl - SSL_CTX_ctrl - */ - - BIO_free(bio); -#endif /* defined(OPENSSL_EXTRA) && !defined(NO_BIO) */ - return EXPECT_RESULT(); -} - - -static int test_wolfSSL_EVP_PKEY_new_mac_key(void) -{ - EXPECT_DECLS; -#ifdef OPENSSL_EXTRA - static const unsigned char pw[] = "password"; - static const int pwSz = sizeof(pw) - 1; - size_t checkPwSz = 0; - const unsigned char* checkPw = NULL; - WOLFSSL_EVP_PKEY* key = NULL; - - ExpectNull(key = wolfSSL_EVP_PKEY_new_mac_key(0, NULL, pw, pwSz)); - ExpectNull(key = wolfSSL_EVP_PKEY_new_mac_key(0, NULL, NULL, pwSz)); - - ExpectNotNull(key = wolfSSL_EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, pw, - 
pwSz)); - if (key != NULL) { - ExpectIntEQ(key->type, EVP_PKEY_HMAC); - ExpectIntEQ(key->save_type, EVP_PKEY_HMAC); - ExpectIntEQ(key->pkey_sz, pwSz); - ExpectIntEQ(XMEMCMP(key->pkey.ptr, pw, pwSz), 0); - } - ExpectNotNull(checkPw = wolfSSL_EVP_PKEY_get0_hmac(key, &checkPwSz)); - ExpectIntEQ((int)checkPwSz, pwSz); - ExpectIntEQ(XMEMCMP(checkPw, pw, pwSz), 0); - wolfSSL_EVP_PKEY_free(key); - key = NULL; - - ExpectNotNull(key = wolfSSL_EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, pw, - 0)); - ExpectIntEQ(key->pkey_sz, 0); - if (EXPECT_SUCCESS()) { - /* Allocation for key->pkey.ptr may fail - OK key len is 0 */ - checkPw = wolfSSL_EVP_PKEY_get0_hmac(key, &checkPwSz); - } - ExpectTrue((checkPwSz == 0) || (checkPw != NULL)); - ExpectIntEQ((int)checkPwSz, 0); - wolfSSL_EVP_PKEY_free(key); - key = NULL; - - ExpectNotNull(key = wolfSSL_EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, NULL, - 0)); - ExpectIntEQ(key->pkey_sz, 0); - if (EXPECT_SUCCESS()) { - /* Allocation for key->pkey.ptr may fail - OK key len is 0 */ - checkPw = wolfSSL_EVP_PKEY_get0_hmac(key, &checkPwSz); - } - ExpectTrue((checkPwSz == 0) || (checkPw != NULL)); - ExpectIntEQ((int)checkPwSz, 0); - wolfSSL_EVP_PKEY_free(key); - key = NULL; -#endif /* OPENSSL_EXTRA */ - return EXPECT_RESULT(); -} - - -static int test_wolfSSL_EVP_PKEY_new_CMAC_key(void) -{ - EXPECT_DECLS; -#ifdef OPENSSL_EXTRA -#if defined(WOLFSSL_CMAC) && !defined(NO_AES) && \ - defined(WOLFSSL_AES_DIRECT) && defined(WOLFSSL_AES_128) - const char *priv = "ABCDEFGHIJKLMNOP"; - const WOLFSSL_EVP_CIPHER* cipher = EVP_aes_128_cbc(); - WOLFSSL_EVP_PKEY* key = NULL; - - ExpectNull(key = wolfSSL_EVP_PKEY_new_CMAC_key( - NULL, NULL, AES_128_KEY_SIZE, cipher)); - ExpectNull(key = wolfSSL_EVP_PKEY_new_CMAC_key( - NULL, (const unsigned char *)priv, 0, cipher)); - ExpectNull(key = wolfSSL_EVP_PKEY_new_CMAC_key( - NULL, (const unsigned char *)priv, AES_128_KEY_SIZE, NULL)); - - ExpectNotNull(key = wolfSSL_EVP_PKEY_new_CMAC_key( - NULL, (const unsigned char *)priv, 
AES_128_KEY_SIZE, cipher)); - wolfSSL_EVP_PKEY_free(key); -#endif /* WOLFSSL_CMAC && !NO_AES && WOLFSSL_AES_DIRECT && WOLFSSL_AES_128 */ -#endif /* OPENSSL_EXTRA */ - return EXPECT_RESULT(); -} - -static int test_wolfSSL_EVP_Digest(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_SHA256) && !defined(NO_PWDBASED) - const char* in = "abc"; - int inLen = (int)XSTRLEN(in); - byte out[WC_SHA256_DIGEST_SIZE]; - unsigned int outLen; - const char* expOut = - "\xBA\x78\x16\xBF\x8F\x01\xCF\xEA\x41\x41\x40\xDE\x5D\xAE\x22" - "\x23\xB0\x03\x61\xA3\x96\x17\x7A\x9C\xB4\x10\xFF\x61\xF2\x00" - "\x15\xAD"; - - ExpectIntEQ(wolfSSL_EVP_Digest((unsigned char*)in, inLen, out, &outLen, - "SHA256", NULL), 1); - ExpectIntEQ(outLen, WC_SHA256_DIGEST_SIZE); - ExpectIntEQ(XMEMCMP(out, expOut, WC_SHA256_DIGEST_SIZE), 0); -#endif /* OPEN_EXTRA && ! NO_SHA256 */ - return EXPECT_RESULT(); -} - -static int test_wolfSSL_EVP_Digest_all(void) -{ - EXPECT_DECLS; -#ifdef OPENSSL_EXTRA - const char* digests[] = { -#ifndef NO_MD5 - "MD5", -#endif -#ifndef NO_SHA - "SHA", -#endif + static const char testData[] = "Hi There"; #ifdef WOLFSSL_SHA224 - "SHA224", -#endif -#ifndef NO_SHA256 - "SHA256", -#endif -#ifdef WOLFSSL_SHA384 - "SHA384", -#endif -#ifdef WOLFSSL_SHA512 - "SHA512", -#endif -#if defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_224) - "SHA512-224", -#endif -#if defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_256) - "SHA512-256", -#endif -#ifdef WOLFSSL_SHA3 -#ifndef WOLFSSL_NOSHA3_224 - "SHA3-224", -#endif -#ifndef WOLFSSL_NOSHA3_256 - "SHA3-256", -#endif - "SHA3-384", -#ifndef WOLFSSL_NOSHA3_512 - "SHA3-512", -#endif -#endif /* WOLFSSL_SHA3 */ - NULL + static const unsigned char testResultSha224[] = + { + 0x89, 0x6f, 0xb1, 0x12, 0x8a, 0xbb, 0xdf, 0x19, + 0x68, 0x32, 0x10, 0x7c, 0xd4, 0x9d, 0xf3, 0x3f, + 0x47, 0xb4, 0xb1, 0x16, 0x99, 0x12, 0xba, 0x4f, + 0x53, 0x68, 0x4b, 0x22 }; - const char** d; - const unsigned char in[] = "abc"; - int inLen = XSTR_SIZEOF(in); - 
byte out[WC_MAX_DIGEST_SIZE]; - unsigned int outLen; - - for (d = digests; *d != NULL; d++) { - ExpectIntEQ(EVP_Digest(in, inLen, out, &outLen, *d, NULL), 1); - ExpectIntGT(outLen, 0); - ExpectIntEQ(EVP_MD_size(*d), outLen); - } -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_EVP_MD_size(void) -{ - EXPECT_DECLS; -#ifdef OPENSSL_EXTRA - WOLFSSL_EVP_MD_CTX mdCtx; - -#ifdef WOLFSSL_SHA3 -#ifndef WOLFSSL_NOSHA3_224 - wolfSSL_EVP_MD_CTX_init(&mdCtx); - - ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA3-224"), 1); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA3_224_DIGEST_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA3_224_BLOCK_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); -#endif -#ifndef WOLFSSL_NOSHA3_256 - wolfSSL_EVP_MD_CTX_init(&mdCtx); - - ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA3-256"), 1); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA3_256_DIGEST_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA3_256_BLOCK_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); -#endif - wolfSSL_EVP_MD_CTX_init(&mdCtx); - - ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA3-384"), 1); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA3_384_DIGEST_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA3_384_BLOCK_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); -#ifndef WOLFSSL_NOSHA3_512 - wolfSSL_EVP_MD_CTX_init(&mdCtx); - - ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA3-512"), 1); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA3_512_DIGEST_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA3_512_BLOCK_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); #endif -#endif /* WOLFSSL_SHA3 */ - #ifndef NO_SHA256 - wolfSSL_EVP_MD_CTX_init(&mdCtx); - - ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA256"), 1); - ExpectIntEQ(wolfSSL_EVP_MD_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), - WC_SHA256_DIGEST_SIZE); - 
ExpectIntEQ(wolfSSL_EVP_MD_block_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), - WC_SHA256_BLOCK_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA256_DIGEST_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA256_BLOCK_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); - -#endif - -#ifndef NO_MD5 - wolfSSL_EVP_MD_CTX_init(&mdCtx); - - ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "MD5"), 1); - ExpectIntEQ(wolfSSL_EVP_MD_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), - WC_MD5_DIGEST_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_block_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), - WC_MD5_BLOCK_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_MD5_DIGEST_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_MD5_BLOCK_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); - -#endif - -#ifdef WOLFSSL_SHA224 - wolfSSL_EVP_MD_CTX_init(&mdCtx); - - ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA224"), 1); - ExpectIntEQ(wolfSSL_EVP_MD_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), - WC_SHA224_DIGEST_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_block_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), - WC_SHA224_BLOCK_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA224_DIGEST_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA224_BLOCK_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); - -#endif - -#ifdef WOLFSSL_SHA384 - wolfSSL_EVP_MD_CTX_init(&mdCtx); - - ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA384"), 1); - ExpectIntEQ(wolfSSL_EVP_MD_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), - WC_SHA384_DIGEST_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_block_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), - WC_SHA384_BLOCK_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA384_DIGEST_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA384_BLOCK_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); - -#endif - -#ifdef WOLFSSL_SHA512 - wolfSSL_EVP_MD_CTX_init(&mdCtx); - - ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA512"), 1); - 
ExpectIntEQ(wolfSSL_EVP_MD_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), - WC_SHA512_DIGEST_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_block_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), - WC_SHA512_BLOCK_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA512_DIGEST_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA512_BLOCK_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); - -#endif - -#ifndef NO_SHA - wolfSSL_EVP_MD_CTX_init(&mdCtx); - - ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA"), 1); - ExpectIntEQ(wolfSSL_EVP_MD_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), - WC_SHA_DIGEST_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_block_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), - WC_SHA_BLOCK_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA_DIGEST_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA_BLOCK_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); - - wolfSSL_EVP_MD_CTX_init(&mdCtx); - - ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, "SHA1"), 1); - ExpectIntEQ(wolfSSL_EVP_MD_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), - WC_SHA_DIGEST_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_block_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), - WC_SHA_BLOCK_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_size(&mdCtx), WC_SHA_DIGEST_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), WC_SHA_BLOCK_SIZE); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); -#endif - /* error case */ - wolfSSL_EVP_MD_CTX_init(&mdCtx); - - ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, ""), 0); - ExpectIntEQ(wolfSSL_EVP_MD_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), 0); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), 0); - /* Cleanup is valid on uninit'ed struct */ - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); -#endif /* OPENSSL_EXTRA */ - return EXPECT_RESULT(); -} - -static int test_wolfSSL_EVP_MD_pkey_type(void) -{ - EXPECT_DECLS; -#ifdef OPENSSL_EXTRA - const WOLFSSL_EVP_MD* md; - -#ifndef NO_MD5 - ExpectNotNull(md = EVP_md5()); - ExpectIntEQ(EVP_MD_pkey_type(md), NID_md5WithRSAEncryption); 
-#endif -#ifndef NO_SHA - ExpectNotNull(md = EVP_sha1()); - ExpectIntEQ(EVP_MD_pkey_type(md), NID_sha1WithRSAEncryption); -#endif -#ifdef WOLFSSL_SHA224 - ExpectNotNull(md = EVP_sha224()); - ExpectIntEQ(EVP_MD_pkey_type(md), NID_sha224WithRSAEncryption); -#endif - ExpectNotNull(md = EVP_sha256()); - ExpectIntEQ(EVP_MD_pkey_type(md), NID_sha256WithRSAEncryption); -#ifdef WOLFSSL_SHA384 - ExpectNotNull(md = EVP_sha384()); - ExpectIntEQ(EVP_MD_pkey_type(md), NID_sha384WithRSAEncryption); -#endif -#ifdef WOLFSSL_SHA512 - ExpectNotNull(md = EVP_sha512()); - ExpectIntEQ(EVP_MD_pkey_type(md), NID_sha512WithRSAEncryption); -#endif -#endif - return EXPECT_RESULT(); -} - -#ifdef OPENSSL_EXTRA -static int test_hmac_signing(const WOLFSSL_EVP_MD *type, const byte* testKey, - size_t testKeySz, const char* testData, size_t testDataSz, - const byte* testResult, size_t testResultSz) -{ - EXPECT_DECLS; - unsigned char check[WC_MAX_DIGEST_SIZE]; - size_t checkSz = 0; - WOLFSSL_EVP_PKEY* key = NULL; - WOLFSSL_EVP_MD_CTX mdCtx; - - ExpectNotNull(key = wolfSSL_EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, - testKey, (int)testKeySz)); - wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(wolfSSL_EVP_DigestSignInit(&mdCtx, NULL, type, NULL, key), 1); - ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData, - (unsigned int)testDataSz), 1); - checkSz = sizeof(check); - ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, NULL, &checkSz), 1); - ExpectIntEQ((int)checkSz, (int)testResultSz); - checkSz = sizeof(check); - ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); - ExpectIntEQ((int)checkSz,(int)testResultSz); - ExpectIntEQ(XMEMCMP(testResult, check, testResultSz), 0); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); - - ExpectIntEQ(wolfSSL_EVP_DigestVerifyInit(&mdCtx, NULL, type, NULL, key), 1); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData, - (unsigned int)testDataSz), 1); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyFinal(&mdCtx, testResult, checkSz), 1); - - 
ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); - wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(wolfSSL_EVP_DigestSignInit(&mdCtx, NULL, type, NULL, key), 1); - ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData, 4), 1); - checkSz = sizeof(check); - ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, NULL, &checkSz), 1); - ExpectIntEQ((int)checkSz, (int)testResultSz); - checkSz = sizeof(check); - ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); - ExpectIntEQ((int)checkSz,(int)testResultSz); - ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData + 4, - (unsigned int)testDataSz - 4), 1); - checkSz = sizeof(check); - ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); - ExpectIntEQ((int)checkSz,(int)testResultSz); - ExpectIntEQ(XMEMCMP(testResult, check, testResultSz), 0); - - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyInit(&mdCtx, NULL, type, NULL, key), 1); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData, 4), 1); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData + 4, - (unsigned int)testDataSz - 4), 1); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyFinal(&mdCtx, testResult, checkSz), 1); - - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); - - wolfSSL_EVP_PKEY_free(key); - - return EXPECT_RESULT(); -} -#endif - -static int test_wolfSSL_EVP_MD_hmac_signing(void) -{ - EXPECT_DECLS; -#ifdef OPENSSL_EXTRA - static const unsigned char testKey[] = - { - 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, - 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, - 0x0b, 0x0b, 0x0b, 0x0b - }; - static const char testData[] = "Hi There"; -#ifdef WOLFSSL_SHA224 - static const unsigned char testResultSha224[] = - { - 0x89, 0x6f, 0xb1, 0x12, 0x8a, 0xbb, 0xdf, 0x19, - 0x68, 0x32, 0x10, 0x7c, 0xd4, 0x9d, 0xf3, 0x3f, - 0x47, 0xb4, 0xb1, 0x16, 0x99, 0x12, 0xba, 0x4f, - 0x53, 0x68, 0x4b, 0x22 - }; -#endif -#ifndef NO_SHA256 - static const unsigned char testResultSha256[] = - { 
- 0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, - 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, - 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, - 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7 - }; -#endif -#ifdef WOLFSSL_SHA384 - static const unsigned char testResultSha384[] = - { - 0xaf, 0xd0, 0x39, 0x44, 0xd8, 0x48, 0x95, 0x62, - 0x6b, 0x08, 0x25, 0xf4, 0xab, 0x46, 0x90, 0x7f, - 0x15, 0xf9, 0xda, 0xdb, 0xe4, 0x10, 0x1e, 0xc6, - 0x82, 0xaa, 0x03, 0x4c, 0x7c, 0xeb, 0xc5, 0x9c, - 0xfa, 0xea, 0x9e, 0xa9, 0x07, 0x6e, 0xde, 0x7f, - 0x4a, 0xf1, 0x52, 0xe8, 0xb2, 0xfa, 0x9c, 0xb6 - }; -#endif -#ifdef WOLFSSL_SHA512 - static const unsigned char testResultSha512[] = - { - 0x87, 0xaa, 0x7c, 0xde, 0xa5, 0xef, 0x61, 0x9d, - 0x4f, 0xf0, 0xb4, 0x24, 0x1a, 0x1d, 0x6c, 0xb0, - 0x23, 0x79, 0xf4, 0xe2, 0xce, 0x4e, 0xc2, 0x78, - 0x7a, 0xd0, 0xb3, 0x05, 0x45, 0xe1, 0x7c, 0xde, - 0xda, 0xa8, 0x33, 0xb7, 0xd6, 0xb8, 0xa7, 0x02, - 0x03, 0x8b, 0x27, 0x4e, 0xae, 0xa3, 0xf4, 0xe4, - 0xbe, 0x9d, 0x91, 0x4e, 0xeb, 0x61, 0xf1, 0x70, - 0x2e, 0x69, 0x6c, 0x20, 0x3a, 0x12, 0x68, 0x54 - }; -#endif -#ifdef WOLFSSL_SHA3 - #ifndef WOLFSSL_NOSHA3_224 - static const unsigned char testResultSha3_224[] = - { - 0x3b, 0x16, 0x54, 0x6b, 0xbc, 0x7b, 0xe2, 0x70, - 0x6a, 0x03, 0x1d, 0xca, 0xfd, 0x56, 0x37, 0x3d, - 0x98, 0x84, 0x36, 0x76, 0x41, 0xd8, 0xc5, 0x9a, - 0xf3, 0xc8, 0x60, 0xf7 - }; - #endif - #ifndef WOLFSSL_NOSHA3_256 - static const unsigned char testResultSha3_256[] = - { - 0xba, 0x85, 0x19, 0x23, 0x10, 0xdf, 0xfa, 0x96, - 0xe2, 0xa3, 0xa4, 0x0e, 0x69, 0x77, 0x43, 0x51, - 0x14, 0x0b, 0xb7, 0x18, 0x5e, 0x12, 0x02, 0xcd, - 0xcc, 0x91, 0x75, 0x89, 0xf9, 0x5e, 0x16, 0xbb - }; - #endif - #ifndef WOLFSSL_NOSHA3_384 - static const unsigned char testResultSha3_384[] = - { - 0x68, 0xd2, 0xdc, 0xf7, 0xfd, 0x4d, 0xdd, 0x0a, - 0x22, 0x40, 0xc8, 0xa4, 0x37, 0x30, 0x5f, 0x61, - 0xfb, 0x73, 0x34, 0xcf, 0xb5, 0xd0, 0x22, 0x6e, - 0x1b, 0xc2, 0x7d, 0xc1, 0x0a, 0x2e, 0x72, 0x3a, - 0x20, 0xd3, 0x70, 0xb4, 0x77, 
0x43, 0x13, 0x0e, - 0x26, 0xac, 0x7e, 0x3d, 0x53, 0x28, 0x86, 0xbd - }; - #endif - #ifndef WOLFSSL_NOSHA3_512 - static const unsigned char testResultSha3_512[] = - { - 0xeb, 0x3f, 0xbd, 0x4b, 0x2e, 0xaa, 0xb8, 0xf5, - 0xc5, 0x04, 0xbd, 0x3a, 0x41, 0x46, 0x5a, 0xac, - 0xec, 0x15, 0x77, 0x0a, 0x7c, 0xab, 0xac, 0x53, - 0x1e, 0x48, 0x2f, 0x86, 0x0b, 0x5e, 0xc7, 0xba, - 0x47, 0xcc, 0xb2, 0xc6, 0xf2, 0xaf, 0xce, 0x8f, - 0x88, 0xd2, 0x2b, 0x6d, 0xc6, 0x13, 0x80, 0xf2, - 0x3a, 0x66, 0x8f, 0xd3, 0x88, 0x8b, 0xb8, 0x05, - 0x37, 0xc0, 0xa0, 0xb8, 0x64, 0x07, 0x68, 0x9e - }; - #endif -#endif - -#ifndef NO_SHA256 - ExpectIntEQ(test_hmac_signing(wolfSSL_EVP_sha256(), testKey, - sizeof(testKey), testData, XSTRLEN(testData), testResultSha256, - sizeof(testResultSha256)), TEST_SUCCESS); -#endif -#ifdef WOLFSSL_SHA224 - ExpectIntEQ(test_hmac_signing(wolfSSL_EVP_sha224(), testKey, - sizeof(testKey), testData, XSTRLEN(testData), testResultSha224, - sizeof(testResultSha224)), TEST_SUCCESS); + static const unsigned char testResultSha256[] = + { + 0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, + 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, + 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, + 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7 + }; #endif #ifdef WOLFSSL_SHA384 - ExpectIntEQ(test_hmac_signing(wolfSSL_EVP_sha384(), testKey, - sizeof(testKey), testData, XSTRLEN(testData), testResultSha384, - sizeof(testResultSha384)), TEST_SUCCESS); -#endif -#ifdef WOLFSSL_SHA512 - ExpectIntEQ(test_hmac_signing(wolfSSL_EVP_sha512(), testKey, - sizeof(testKey), testData, XSTRLEN(testData), testResultSha512, - sizeof(testResultSha512)), TEST_SUCCESS); -#endif -#ifdef WOLFSSL_SHA3 - #ifndef WOLFSSL_NOSHA3_224 - ExpectIntEQ(test_hmac_signing(wolfSSL_EVP_sha3_224(), testKey, - sizeof(testKey), testData, XSTRLEN(testData), testResultSha3_224, - sizeof(testResultSha3_224)), TEST_SUCCESS); - #endif - #ifndef WOLFSSL_NOSHA3_256 - ExpectIntEQ(test_hmac_signing(wolfSSL_EVP_sha3_256(), testKey, - 
sizeof(testKey), testData, XSTRLEN(testData), testResultSha3_256, - sizeof(testResultSha3_256)), TEST_SUCCESS); - #endif - #ifndef WOLFSSL_NOSHA3_384 - ExpectIntEQ(test_hmac_signing(wolfSSL_EVP_sha3_384(), testKey, - sizeof(testKey), testData, XSTRLEN(testData), testResultSha3_384, - sizeof(testResultSha3_384)), TEST_SUCCESS); - #endif - #ifndef WOLFSSL_NOSHA3_512 - ExpectIntEQ(test_hmac_signing(wolfSSL_EVP_sha3_512(), testKey, - sizeof(testKey), testData, XSTRLEN(testData), testResultSha3_512, - sizeof(testResultSha3_512)), TEST_SUCCESS); - #endif -#endif -#endif /* OPENSSL_EXTRA */ - return EXPECT_RESULT(); -} - - -static int test_wolfSSL_EVP_MD_rsa_signing(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && defined(USE_CERT_BUFFERS_2048) - WOLFSSL_EVP_PKEY* privKey = NULL; - WOLFSSL_EVP_PKEY* pubKey = NULL; - WOLFSSL_EVP_PKEY_CTX* keyCtx = NULL; - const char testData[] = "Hi There"; - WOLFSSL_EVP_MD_CTX mdCtx; - WOLFSSL_EVP_MD_CTX mdCtxCopy; - int ret; - size_t checkSz = -1; - int sz = 2048 / 8; - const unsigned char* cp; - const unsigned char* p; - unsigned char check[2048/8]; - size_t i; - int paddings[] = { - RSA_PKCS1_PADDING, -#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && defined(WC_RSA_PSS) - RSA_PKCS1_PSS_PADDING, -#endif - }; - - - cp = client_key_der_2048; - ExpectNotNull((privKey = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL, &cp, - sizeof_client_key_der_2048))); - p = client_keypub_der_2048; - ExpectNotNull((pubKey = wolfSSL_d2i_PUBKEY(NULL, &p, - sizeof_client_keypub_der_2048))); - - wolfSSL_EVP_MD_CTX_init(&mdCtx); - wolfSSL_EVP_MD_CTX_init(&mdCtxCopy); - ExpectIntEQ(wolfSSL_EVP_DigestSignInit(&mdCtx, NULL, wolfSSL_EVP_sha256(), - NULL, privKey), 1); - ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData, - (unsigned int)XSTRLEN(testData)), 1); - checkSz = sizeof(check); - ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, NULL, &checkSz), 1); - ExpectIntEQ((int)checkSz, sz); - checkSz = sizeof(check); - 
ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); - ExpectIntEQ((int)checkSz,sz); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_copy_ex(&mdCtxCopy, &mdCtx), 1); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_copy_ex(&mdCtxCopy, &mdCtx), 1); - ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtxCopy); - ExpectIntEQ(ret, 1); - ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); - ExpectIntEQ(ret, 1); - - wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyInit(&mdCtx, NULL, wolfSSL_EVP_sha256(), - NULL, pubKey), 1); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData, - (unsigned int)XSTRLEN(testData)), - 1); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyFinal(&mdCtx, check, checkSz), 1); - ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); - ExpectIntEQ(ret, 1); - - wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(wolfSSL_EVP_DigestSignInit(&mdCtx, NULL, wolfSSL_EVP_sha256(), - NULL, privKey), 1); - ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData, 4), 1); - checkSz = sizeof(check); - ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, NULL, &checkSz), 1); - ExpectIntEQ((int)checkSz, sz); - checkSz = sizeof(check); - ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); - ExpectIntEQ((int)checkSz, sz); - ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData + 4, - (unsigned int)XSTRLEN(testData) - 4), 1); - checkSz = sizeof(check); - ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); - ExpectIntEQ((int)checkSz, sz); - ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); - ExpectIntEQ(ret, 1); - - wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyInit(&mdCtx, NULL, wolfSSL_EVP_sha256(), - NULL, pubKey), 1); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData, 4), 1); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData + 4, - (unsigned int)XSTRLEN(testData) - 4), - 1); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyFinal(&mdCtx, check, checkSz), 1); - ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); - ExpectIntEQ(ret, 1); - - /* 
Check all signing padding types */ - for (i = 0; i < sizeof(paddings)/sizeof(int); i++) { - wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(wolfSSL_EVP_DigestSignInit(&mdCtx, &keyCtx, - wolfSSL_EVP_sha256(), NULL, privKey), 1); - ExpectIntEQ(wolfSSL_EVP_PKEY_CTX_set_rsa_padding(keyCtx, - paddings[i]), 1); - ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData, - (unsigned int)XSTRLEN(testData)), 1); - checkSz = sizeof(check); - ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, NULL, &checkSz), 1); - ExpectIntEQ((int)checkSz, sz); - checkSz = sizeof(check); - ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); - ExpectIntEQ((int)checkSz,sz); - ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); - ExpectIntEQ(ret, 1); - - wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyInit(&mdCtx, &keyCtx, - wolfSSL_EVP_sha256(), NULL, pubKey), 1); - ExpectIntEQ(wolfSSL_EVP_PKEY_CTX_set_rsa_padding(keyCtx, - paddings[i]), 1); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData, - (unsigned int)XSTRLEN(testData)), 1); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyFinal(&mdCtx, check, checkSz), 1); - ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); - ExpectIntEQ(ret, 1); - } - - wolfSSL_EVP_PKEY_free(pubKey); - wolfSSL_EVP_PKEY_free(privKey); -#endif - return EXPECT_RESULT(); -} - - -static int test_wolfSSL_EVP_MD_ecc_signing(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && defined(HAVE_ECC) && defined(USE_CERT_BUFFERS_256) - WOLFSSL_EVP_PKEY* privKey = NULL; - WOLFSSL_EVP_PKEY* pubKey = NULL; - const char testData[] = "Hi There"; - WOLFSSL_EVP_MD_CTX mdCtx; - int ret; - const unsigned char* cp; - const unsigned char* p; - unsigned char check[2048/8]; - size_t checkSz = sizeof(check); - - XMEMSET(check, 0, sizeof(check)); - - cp = ecc_clikey_der_256; - ExpectNotNull(privKey = wolfSSL_d2i_PrivateKey(EVP_PKEY_EC, NULL, &cp, - sizeof_ecc_clikey_der_256)); - p = ecc_clikeypub_der_256; - ExpectNotNull((pubKey = wolfSSL_d2i_PUBKEY(NULL, &p, - 
sizeof_ecc_clikeypub_der_256))); - - wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(wolfSSL_EVP_DigestSignInit(&mdCtx, NULL, wolfSSL_EVP_sha256(), - NULL, privKey), 1); - ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData, - (unsigned int)XSTRLEN(testData)), 1); - checkSz = sizeof(check); - ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, NULL, &checkSz), 1); - checkSz = sizeof(check); - ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); - ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); - ExpectIntEQ(ret, 1); - - wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyInit(&mdCtx, NULL, wolfSSL_EVP_sha256(), - NULL, pubKey), 1); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData, - (unsigned int)XSTRLEN(testData)), - 1); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyFinal(&mdCtx, check, checkSz), 1); - ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); - ExpectIntEQ(ret, 1); - - wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(wolfSSL_EVP_DigestSignInit(&mdCtx, NULL, wolfSSL_EVP_sha256(), - NULL, privKey), 1); - ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData, 4), 1); - checkSz = sizeof(check); - ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, NULL, &checkSz), 1); - checkSz = sizeof(check); - ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); - ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData + 4, - (unsigned int)XSTRLEN(testData) - 4), 1); - checkSz = sizeof(check); - ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); - ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); - ExpectIntEQ(ret, 1); - - wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyInit(&mdCtx, NULL, wolfSSL_EVP_sha256(), - NULL, pubKey), 1); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData, 4), 1); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData + 4, - (unsigned int)XSTRLEN(testData) - 4), - 1); - ExpectIntEQ(wolfSSL_EVP_DigestVerifyFinal(&mdCtx, check, checkSz), 1); - ret = 
wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); - ExpectIntEQ(ret, 1); - - wolfSSL_EVP_PKEY_free(pubKey); - wolfSSL_EVP_PKEY_free(privKey); -#endif - return EXPECT_RESULT(); -} - - -static int test_wolfSSL_CTX_add_extra_chain_cert(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_TLS) && \ - !defined(NO_FILESYSTEM) && !defined(NO_RSA) && !defined(NO_BIO) -#if !defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER) - char caFile[] = "./certs/client-ca.pem"; - char clientFile[] = "./certs/client-cert.pem"; - SSL_CTX* ctx = NULL; - X509* x509 = NULL; - BIO *bio = NULL; - X509 *cert = NULL; - X509 *ca = NULL; - STACK_OF(X509) *chain = NULL; - STACK_OF(X509) *chain2 = NULL; - -#ifndef NO_WOLFSSL_SERVER - ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); -#else - ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); -#endif - - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(caFile, - WOLFSSL_FILETYPE_PEM)); - - /* Negative tests. */ - ExpectIntEQ((int)SSL_CTX_add_extra_chain_cert(NULL, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ((int)SSL_CTX_add_extra_chain_cert(ctx, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ((int)SSL_CTX_add_extra_chain_cert(NULL, x509), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - - ExpectIntEQ((int)SSL_CTX_add_extra_chain_cert(ctx, x509), WOLFSSL_SUCCESS); - - ExpectNotNull(x509 = wolfSSL_X509_new()); - /* Empty certificate. 
*/ - ExpectIntEQ((int)SSL_CTX_add_extra_chain_cert(ctx, x509), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - wolfSSL_X509_free(x509); - x509 = NULL; - - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(clientFile, - WOLFSSL_FILETYPE_PEM)); - - /* additional test of getting EVP_PKEY key size from X509 - * Do not run with user RSA because wolfSSL_RSA_size is not currently - * allowed with user RSA */ - { - EVP_PKEY* pkey = NULL; - #if defined(HAVE_ECC) - X509* ecX509 = NULL; - #endif /* HAVE_ECC */ - - ExpectNotNull(pkey = X509_get_pubkey(x509)); - /* current RSA key is 2048 bit (256 bytes) */ - ExpectIntEQ(EVP_PKEY_size(pkey), 256); - - EVP_PKEY_free(pkey); - pkey = NULL; - -#if defined(HAVE_ECC) - #if defined(USE_CERT_BUFFERS_256) - ExpectNotNull(ecX509 = wolfSSL_X509_load_certificate_buffer( - cliecc_cert_der_256, sizeof_cliecc_cert_der_256, - SSL_FILETYPE_ASN1)); - #else - ExpectNotNull(ecX509 = wolfSSL_X509_load_certificate_file( - cliEccCertFile, SSL_FILETYPE_PEM)); - #endif - pkey = X509_get_pubkey(ecX509); - ExpectNotNull(pkey); - /* current ECC key is 256 bit (32 bytes) */ - ExpectIntGE(EVP_PKEY_size(pkey), 72); - - X509_free(ecX509); - ecX509 = NULL; - EVP_PKEY_free(pkey); - pkey = NULL; -#endif /* HAVE_ECC */ - } - - ExpectIntEQ((int)SSL_CTX_add_extra_chain_cert(ctx, x509), SSL_SUCCESS); - if (EXPECT_SUCCESS()) { - x509 = NULL; - } - -#ifdef WOLFSSL_ENCRYPTED_KEYS - ExpectNull(SSL_CTX_get_default_passwd_cb(ctx)); - ExpectNull(SSL_CTX_get_default_passwd_cb_userdata(ctx)); -#endif - SSL_CTX_free(ctx); - ctx = NULL; - -#ifndef NO_WOLFSSL_SERVER - ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); -#else - ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); -#endif - /* Test haproxy use case */ - ExpectNotNull(bio = BIO_new_file(svrCertFile, "r")); - /* Read Certificate */ - ExpectNotNull(cert = PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL)); - ExpectNotNull(ca = PEM_read_bio_X509(bio, NULL, NULL, NULL)); - ExpectNotNull(chain = 
sk_X509_new_null()); - ExpectIntEQ(sk_X509_push(chain, ca), 1); - if (EXPECT_SUCCESS()) { - ca = NULL; - } - ExpectNotNull(chain2 = X509_chain_up_ref(chain)); - ExpectNotNull(ca = sk_X509_shift(chain2)); - ExpectIntEQ(SSL_CTX_use_certificate(ctx, cert), 1); - ExpectIntEQ(SSL_CTX_add_extra_chain_cert(ctx, ca), 1); - if (EXPECT_SUCCESS()) { - ca = NULL; - } - - BIO_free(bio); - X509_free(cert); - X509_free(ca); - X509_free(x509); - sk_X509_pop_free(chain, X509_free); - sk_X509_pop_free(chain2, X509_free); - SSL_CTX_free(ctx); -#endif /* !NO_WOLFSSL_CLIENT || !NO_WOLFSSL_SERVER */ -#endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ - !defined(NO_FILESYSTEM) && !defined(NO_RSA) && !defined (NO_BIO) */ - return EXPECT_RESULT(); -} - -#if !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) -static int test_wolfSSL_ERR_peek_last_error_line(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ - !defined(NO_FILESYSTEM) && defined(DEBUG_WOLFSSL) && \ - !defined(NO_OLD_TLS) && !defined(WOLFSSL_NO_TLS12) && \ - defined(HAVE_IO_TESTS_DEPENDENCIES) && !defined(NO_ERROR_QUEUE) - callback_functions client_cb; - callback_functions server_cb; - int line = 0; - int flag = ERR_TXT_STRING; - const char* file = NULL; - const char* data = NULL; - - /* create a failed connection and inspect the error */ - XMEMSET(&client_cb, 0, sizeof(callback_functions)); - XMEMSET(&server_cb, 0, sizeof(callback_functions)); - client_cb.method = wolfTLSv1_1_client_method; - server_cb.method = wolfTLSv1_2_server_method; - - test_wolfSSL_client_server_nofail(&client_cb, &server_cb); - - ExpectIntGT(ERR_get_error_line_data(NULL, NULL, &data, &flag), 0); - ExpectNotNull(data); - - /* check clearing error state */ - ERR_remove_state(0); - ExpectIntEQ((int)ERR_peek_last_error_line(NULL, NULL), 0); - ERR_peek_last_error_line(NULL, &line); - ExpectIntEQ(line, 0); - ERR_peek_last_error_line(&file, NULL); - ExpectNull(file); - - /* retry connection to fill error queue */ 
- XMEMSET(&client_cb, 0, sizeof(callback_functions)); - XMEMSET(&server_cb, 0, sizeof(callback_functions)); - client_cb.method = wolfTLSv1_1_client_method; - server_cb.method = wolfTLSv1_2_server_method; - - test_wolfSSL_client_server_nofail(&client_cb, &server_cb); - - /* check that error code was stored */ - ExpectIntNE((int)ERR_peek_last_error_line(NULL, NULL), 0); - ERR_peek_last_error_line(NULL, &line); - ExpectIntNE(line, 0); - ERR_peek_last_error_line(&file, NULL); - ExpectNotNull(file); - - fprintf(stderr, "\nTesting error print out\n"); - ERR_print_errors_fp(stderr); - fprintf(stderr, "Done testing print out\n\n"); -#endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && - * !defined(NO_FILESYSTEM) && !defined(DEBUG_WOLFSSL) */ - return EXPECT_RESULT(); -} -#endif /* !NO_WOLFSSL_CLIENT && !NO_WOLFSSL_SERVER */ - -#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ - !defined(NO_FILESYSTEM) && !defined(NO_RSA) -static int verify_cb(int ok, X509_STORE_CTX *ctx) -{ - (void) ok; - (void) ctx; - fprintf(stderr, "ENTER verify_cb\n"); - return SSL_SUCCESS; -} -#endif - -static int test_wolfSSL_X509_Name_canon(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_ALL) && !defined(NO_CERTS) && \ - !defined(NO_FILESYSTEM) && !defined(NO_SHA) && \ - defined(WOLFSSL_CERT_GEN) && \ - (defined(WOLFSSL_CERT_REQ) || defined(WOLFSSL_CERT_EXT)) && !defined(NO_RSA) - const long ex_hash1 = 0x0fdb2da4; - const long ex_hash2 = 0x9f3e8c9e; - X509_NAME *name = NULL; - X509 *x509 = NULL; - XFILE file = XBADFILE; - unsigned long hash = 0; - byte digest[WC_MAX_DIGEST_SIZE] = {0}; - byte *pbuf = NULL; - word32 len = 0; - (void) ex_hash2; - - ExpectTrue((file = XFOPEN(caCertFile, "rb")) != XBADFILE); - ExpectNotNull(x509 = PEM_read_X509(file, NULL, NULL, NULL)); - ExpectNotNull(name = X509_get_issuer_name(x509)); - - /* When output buffer is NULL, should return necessary output buffer - * length.*/ - ExpectIntEQ(wolfSSL_i2d_X509_NAME_canon(NULL, NULL), BAD_FUNC_ARG); - 
ExpectIntGT(wolfSSL_i2d_X509_NAME_canon(name, NULL), 0); - ExpectIntGT((len = (word32)wolfSSL_i2d_X509_NAME_canon(name, &pbuf)), 0); - ExpectIntEQ(wc_ShaHash((const byte*)pbuf, (word32)len, digest), 0); - - hash = (((unsigned long)digest[3] << 24) | - ((unsigned long)digest[2] << 16) | - ((unsigned long)digest[1] << 8) | - ((unsigned long)digest[0])); - ExpectIntEQ(hash, ex_hash1); - - if (file != XBADFILE) { - XFCLOSE(file); - file = XBADFILE; - } - X509_free(x509); - x509 = NULL; - XFREE(pbuf, NULL, DYNAMIC_TYPE_OPENSSL); - pbuf = NULL; - - ExpectTrue((file = XFOPEN(cliCertFile, "rb")) != XBADFILE); - ExpectNotNull(x509 = PEM_read_X509(file, NULL, NULL, NULL)); - ExpectNotNull(name = X509_get_issuer_name(x509)); - - ExpectIntGT((len = (word32)wolfSSL_i2d_X509_NAME_canon(name, &pbuf)), 0); - ExpectIntEQ(wc_ShaHash((const byte*)pbuf, (word32)len, digest), 0); - - hash = (((unsigned long)digest[3] << 24) | - ((unsigned long)digest[2] << 16) | - ((unsigned long)digest[1] << 8) | - ((unsigned long)digest[0])); - - ExpectIntEQ(hash, ex_hash2); - - if (file != XBADFILE) - XFCLOSE(file); - X509_free(x509); - XFREE(pbuf, NULL, DYNAMIC_TYPE_OPENSSL); -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_X509_LOOKUP_ctrl_hash_dir(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_ALL) && !defined(NO_FILESYSTEM) && !defined(NO_WOLFSSL_DIR) - const int MAX_DIR = 4; - const char paths[][32] = { - "./certs/ed25519", - "./certs/ecc", - "./certs/crl", - "./certs/", - }; - - char CertCrl_path[MAX_FILENAME_SZ]; - char *p; - X509_STORE* str = NULL; - X509_LOOKUP* lookup = NULL; - WOLFSSL_STACK* sk = NULL; - int len, total_len, i; - - (void)sk; - - XMEMSET(CertCrl_path, 0, MAX_FILENAME_SZ); - - /* illegal string */ - ExpectNotNull((str = wolfSSL_X509_STORE_new())); - ExpectNotNull(lookup = X509_STORE_add_lookup(str, X509_LOOKUP_file())); - ExpectIntEQ(X509_LOOKUP_ctrl(lookup, X509_L_ADD_DIR, "", - SSL_FILETYPE_PEM, NULL), 0); - ExpectIntEQ(X509_LOOKUP_ctrl(lookup, 
X509_L_ADD_STORE, "", - SSL_FILETYPE_PEM, NULL), WOLFSSL_NOT_IMPLEMENTED); - ExpectIntEQ(X509_LOOKUP_ctrl(lookup, X509_L_LOAD_STORE, "", - SSL_FILETYPE_PEM, NULL), WOLFSSL_NOT_IMPLEMENTED); - ExpectIntEQ(X509_LOOKUP_ctrl(lookup, 0, "", - SSL_FILETYPE_PEM, NULL), WOLFSSL_FAILURE); - - /* free store */ - X509_STORE_free(str); - str = NULL; - - /* short folder string */ - ExpectNotNull((str = wolfSSL_X509_STORE_new())); - ExpectNotNull(lookup = X509_STORE_add_lookup(str, X509_LOOKUP_file())); - ExpectIntEQ(X509_LOOKUP_ctrl(lookup, X509_L_ADD_DIR, "./", - SSL_FILETYPE_PEM,NULL), 1); - #if defined(WOLFSSL_INT_H) - /* only available when including internal.h */ - ExpectNotNull(sk = lookup->dirs->dir_entry); - #endif - /* free store */ - X509_STORE_free(str); - str = NULL; - - /* typical function check */ - p = &CertCrl_path[0]; - total_len = 0; - - for (i = MAX_DIR - 1; i>=0 && total_len < MAX_FILENAME_SZ; i--) { - len = (int)XSTRLEN((const char*)&paths[i]); - total_len += len; - XSTRNCPY(p, paths[i], MAX_FILENAME_SZ - total_len); - p += len; - if (i != 0) *(p++) = SEPARATOR_CHAR; - } - - ExpectNotNull((str = wolfSSL_X509_STORE_new())); - ExpectNotNull(lookup = X509_STORE_add_lookup(str, X509_LOOKUP_file())); - ExpectIntEQ(X509_LOOKUP_ctrl(lookup, X509_L_ADD_DIR, CertCrl_path, - SSL_FILETYPE_PEM,NULL), 1); - #if defined(WOLFSSL_INT_H) - /* only available when including internal.h */ - ExpectNotNull(sk = lookup->dirs->dir_entry); - #endif - - X509_STORE_free(str); -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_X509_LOOKUP_ctrl_file(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_ALL) && !defined(NO_CERTS) && \ - !defined(NO_FILESYSTEM) && !defined(NO_RSA) && \ - defined(WOLFSSL_SIGNER_DER_CERT) - X509_STORE_CTX* ctx = NULL; - X509_STORE* str = NULL; - X509_LOOKUP* lookup = NULL; - - X509* cert1 = NULL; - X509* x509Ca = NULL; - X509* x509Svr = NULL; - X509* issuer = NULL; - - WOLFSSL_STACK* sk = NULL; - X509_NAME* caName = NULL; - X509_NAME* issuerName = 
NULL; - - XFILE file1 = XBADFILE; - int i; - int cert_count = 0; - int cmp; - - char der[] = "certs/ca-cert.der"; - -#ifdef HAVE_CRL - char pem[][100] = { - "./certs/crl/crl.pem", - "./certs/crl/crl2.pem", - "./certs/crl/caEccCrl.pem", - "./certs/crl/eccCliCRL.pem", - "./certs/crl/eccSrvCRL.pem", - "" - }; -#endif - ExpectTrue((file1 = XFOPEN("./certs/ca-cert.pem", "rb")) != XBADFILE); - ExpectNotNull(cert1 = wolfSSL_PEM_read_X509(file1, NULL, NULL, NULL)); - if (file1 != XBADFILE) - XFCLOSE(file1); - - ExpectNotNull(ctx = X509_STORE_CTX_new()); - ExpectNotNull((str = wolfSSL_X509_STORE_new())); - ExpectNotNull(lookup = X509_STORE_add_lookup(str, X509_LOOKUP_file())); - ExpectIntEQ(wolfSSL_X509_load_cert_crl_file(NULL, NULL, - WOLFSSL_FILETYPE_PEM), 0); - ExpectIntEQ(wolfSSL_X509_load_cert_crl_file(lookup, NULL, - WOLFSSL_FILETYPE_PEM), 0); - ExpectIntEQ(wolfSSL_X509_load_cert_crl_file(NULL, caCertFile, - WOLFSSL_FILETYPE_PEM), 0); - ExpectIntEQ(wolfSSL_X509_load_cert_crl_file(NULL, der , - WOLFSSL_FILETYPE_PEM), 0); - ExpectIntEQ(X509_LOOKUP_ctrl(lookup, X509_L_FILE_LOAD, caCertFile, - SSL_FILETYPE_PEM,NULL), 1); - ExpectNotNull(sk = wolfSSL_CertManagerGetCerts(str->cm)); - ExpectIntEQ((cert_count = sk_X509_num(sk)), 1); - - /* check if CA cert is loaded into the store */ - for (i = 0; i < cert_count; i++) { - x509Ca = sk_X509_value(sk, i); - ExpectIntEQ(0, wolfSSL_X509_cmp(x509Ca, cert1)); - } - - ExpectNotNull((x509Svr = - wolfSSL_X509_load_certificate_file(svrCertFile, SSL_FILETYPE_PEM))); - - ExpectIntEQ(X509_STORE_CTX_init(ctx, str, x509Svr, NULL), SSL_SUCCESS); - - ExpectNull(X509_STORE_CTX_get0_current_issuer(NULL)); - issuer = X509_STORE_CTX_get0_current_issuer(ctx); - ExpectNull(issuer); - - ExpectIntEQ(X509_verify_cert(ctx), 1); - - issuer = X509_STORE_CTX_get0_current_issuer(ctx); - ExpectNotNull(issuer); - caName = X509_get_subject_name(x509Ca); - ExpectNotNull(caName); - issuerName = X509_get_subject_name(issuer); - ExpectNotNull(issuerName); - cmp = 
X509_NAME_cmp(caName, issuerName); - ExpectIntEQ(cmp, 0); - - /* load der format */ - issuer = NULL; - X509_STORE_CTX_free(ctx); - ctx = NULL; - X509_STORE_free(str); - str = NULL; - sk_X509_pop_free(sk, NULL); - sk = NULL; - X509_free(x509Svr); - x509Svr = NULL; - - ExpectNotNull((str = wolfSSL_X509_STORE_new())); - ExpectNotNull(lookup = X509_STORE_add_lookup(str, X509_LOOKUP_file())); - ExpectIntEQ(X509_LOOKUP_ctrl(lookup, X509_L_FILE_LOAD, der, - SSL_FILETYPE_ASN1,NULL), 1); - ExpectNotNull(sk = wolfSSL_CertManagerGetCerts(str->cm)); - ExpectIntEQ((cert_count = sk_X509_num(sk)), 1); - /* check if CA cert is loaded into the store */ - for (i = 0; i < cert_count; i++) { - x509Ca = sk_X509_value(sk, i); - ExpectIntEQ(0, wolfSSL_X509_cmp(x509Ca, cert1)); - } - - X509_STORE_free(str); - str = NULL; - sk_X509_pop_free(sk, NULL); - sk = NULL; - X509_free(cert1); - cert1 = NULL; - -#ifdef HAVE_CRL - ExpectNotNull(str = wolfSSL_X509_STORE_new()); - ExpectNotNull(lookup = X509_STORE_add_lookup(str, X509_LOOKUP_file())); - ExpectIntEQ(X509_LOOKUP_ctrl(lookup, X509_L_FILE_LOAD, caCertFile, - SSL_FILETYPE_PEM,NULL), 1); - ExpectIntEQ(X509_LOOKUP_ctrl(lookup, X509_L_FILE_LOAD, - "certs/server-revoked-cert.pem", - SSL_FILETYPE_PEM,NULL), 1); - if (str) { - ExpectIntEQ(wolfSSL_CertManagerVerify(str->cm, svrCertFile, - WOLFSSL_FILETYPE_PEM), 1); - /* since store hasn't yet known the revoked cert*/ - ExpectIntEQ(wolfSSL_CertManagerVerify(str->cm, - "certs/server-revoked-cert.pem", - WOLFSSL_FILETYPE_PEM), 1); - } - for (i = 0; pem[i][0] != '\0'; i++) - { - ExpectIntEQ(X509_LOOKUP_ctrl(lookup, X509_L_FILE_LOAD, pem[i], - SSL_FILETYPE_PEM, NULL), 1); - } - - if (str) { - /* since store knows crl list */ - ExpectIntEQ(wolfSSL_CertManagerVerify(str->cm, - "certs/server-revoked-cert.pem", - WOLFSSL_FILETYPE_PEM ), WC_NO_ERR_TRACE(CRL_CERT_REVOKED)); - } - - ExpectIntEQ(X509_LOOKUP_ctrl(NULL, 0, NULL, 0, NULL), 0); - X509_STORE_free(str); -#endif -#endif - return EXPECT_RESULT(); -} - 
-static int test_wolfSSL_X509_STORE_CTX_trusted_stack_cleanup(void) -{ - int res = TEST_SKIPPED; -#if defined(OPENSSL_EXTRA) - X509_STORE_CTX_cleanup(NULL); - X509_STORE_CTX_trusted_stack(NULL, NULL); - - res = TEST_SUCCESS; -#endif - return res; -} - -static int test_wolfSSL_X509_STORE_CTX_get_issuer(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_FILESYSTEM) - X509_STORE_CTX* ctx = NULL; - X509_STORE* str = NULL; - X509* x509Ca = NULL; - X509* x509Svr = NULL; - X509* issuer = NULL; - X509_NAME* caName = NULL; - X509_NAME* issuerName = NULL; - - ExpectNotNull(ctx = X509_STORE_CTX_new()); - ExpectNotNull((str = wolfSSL_X509_STORE_new())); - ExpectNotNull((x509Ca = - wolfSSL_X509_load_certificate_file(caCertFile, SSL_FILETYPE_PEM))); - ExpectIntEQ(X509_STORE_add_cert(str, x509Ca), SSL_SUCCESS); - ExpectNotNull((x509Svr = - wolfSSL_X509_load_certificate_file(svrCertFile, SSL_FILETYPE_PEM))); - - ExpectIntEQ(X509_STORE_CTX_init(ctx, str, x509Svr, NULL), SSL_SUCCESS); - - /* Issuer0 is not set until chain is built for verification */ - ExpectNull(X509_STORE_CTX_get0_current_issuer(NULL)); - ExpectNull(issuer = X509_STORE_CTX_get0_current_issuer(ctx)); - - /* Issuer1 will use the store to make a new issuer */ - ExpectIntEQ(X509_STORE_CTX_get1_issuer(&issuer, ctx, x509Svr), 1); - ExpectNotNull(issuer); - X509_free(issuer); - - ExpectIntEQ(X509_verify_cert(ctx), 1); - ExpectNotNull(issuer = X509_STORE_CTX_get0_current_issuer(ctx)); - ExpectNotNull(caName = X509_get_subject_name(x509Ca)); - ExpectNotNull(issuerName = X509_get_subject_name(issuer)); -#ifdef WOLFSSL_SIGNER_DER_CERT - ExpectIntEQ(X509_NAME_cmp(caName, issuerName), 0); -#endif - - X509_STORE_CTX_free(ctx); - X509_free(x509Svr); - X509_STORE_free(str); - X509_free(x509Ca); -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_PKCS7_certs(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_ALL) && !defined(NO_CERTS) && !defined(NO_BIO) && \ - !defined(NO_FILESYSTEM) && 
!defined(NO_RSA) && defined(HAVE_PKCS7) - STACK_OF(X509)* sk = NULL; - STACK_OF(X509_INFO)* info_sk = NULL; - PKCS7 *p7 = NULL; - BIO* bio = NULL; - const byte* p = NULL; - int buflen = 0; - int i; - - /* Test twice. Once with d2i and once without to test - * that everything is free'd correctly. */ - for (i = 0; i < 2; i++) { - ExpectNotNull(p7 = PKCS7_new()); - if (p7 != NULL) { - p7->version = 1; - #ifdef NO_SHA - p7->hashOID = SHA256h; - #else - p7->hashOID = SHAh; - #endif - } - ExpectNotNull(bio = BIO_new(BIO_s_file())); - ExpectIntGT(BIO_read_filename(bio, svrCertFile), 0); - ExpectNotNull(info_sk = PEM_X509_INFO_read_bio(bio, NULL, NULL, NULL)); - ExpectIntEQ(sk_X509_INFO_num(info_sk), 2); - ExpectNotNull(sk = sk_X509_new_null()); - while (EXPECT_SUCCESS() && (sk_X509_INFO_num(info_sk) > 0)) { - X509_INFO* info = NULL; - ExpectNotNull(info = sk_X509_INFO_shift(info_sk)); - if (EXPECT_SUCCESS() && info != NULL) { - ExpectIntGT(sk_X509_push(sk, info->x509), 0); - info->x509 = NULL; - } - X509_INFO_free(info); - } - sk_X509_INFO_pop_free(info_sk, X509_INFO_free); - info_sk = NULL; - BIO_free(bio); - bio = NULL; - ExpectNotNull(bio = BIO_new(BIO_s_mem())); - ExpectIntEQ(wolfSSL_PKCS7_encode_certs(p7, sk, bio), 1); - if ((sk != NULL) && ((p7 == NULL) || (bio == NULL))) { - sk_X509_pop_free(sk, X509_free); - } - sk = NULL; - ExpectIntGT((buflen = BIO_get_mem_data(bio, &p)), 0); - - if (i == 0) { - PKCS7_free(p7); - p7 = NULL; - ExpectNotNull(d2i_PKCS7(&p7, &p, buflen)); - if (p7 != NULL) { - /* Reset certs to force wolfSSL_PKCS7_to_stack to regenerate - * them */ - ((WOLFSSL_PKCS7*)p7)->certs = NULL; - } - /* PKCS7_free free's the certs */ - ExpectNotNull(wolfSSL_PKCS7_to_stack(p7)); - } - - BIO_free(bio); - bio = NULL; - PKCS7_free(p7); - p7 = NULL; - } -#endif /* defined(OPENSSL_ALL) && !defined(NO_CERTS) && \ - !defined(NO_FILESYSTEM) && !defined(NO_RSA) && defined(HAVE_PKCS7) */ - return EXPECT_RESULT(); -} - -static int test_wolfSSL_X509_STORE_CTX(void) -{ - 
EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ - !defined(NO_FILESYSTEM) && !defined(NO_RSA) - X509_STORE_CTX* ctx = NULL; - X509_STORE* str = NULL; - X509* x509 = NULL; -#ifdef OPENSSL_ALL - X509* x5092 = NULL; - STACK_OF(X509) *sk = NULL; - STACK_OF(X509) *sk2 = NULL; - STACK_OF(X509) *sk3 = NULL; -#endif - - ExpectNotNull(ctx = X509_STORE_CTX_new()); - ExpectNotNull((str = wolfSSL_X509_STORE_new())); - ExpectNotNull((x509 = - wolfSSL_X509_load_certificate_file(svrCertFile, SSL_FILETYPE_PEM))); - ExpectIntEQ(X509_STORE_add_cert(str, x509), SSL_SUCCESS); -#ifdef OPENSSL_ALL - /* sk_X509_new only in OPENSSL_ALL */ - sk = sk_X509_new_null(); - ExpectNotNull(sk); - ExpectIntEQ(X509_STORE_CTX_init(ctx, str, x509, sk), SSL_SUCCESS); -#else - ExpectIntEQ(X509_STORE_CTX_init(ctx, str, x509, NULL), SSL_SUCCESS); -#endif - ExpectIntEQ(SSL_get_ex_data_X509_STORE_CTX_idx(), 0); - X509_STORE_CTX_set_error(ctx, -5); - X509_STORE_CTX_set_error(NULL, -5); - - X509_STORE_CTX_free(ctx); - ctx = NULL; -#ifdef OPENSSL_ALL - sk_X509_pop_free(sk, NULL); - sk = NULL; -#endif - X509_STORE_free(str); - str = NULL; - X509_free(x509); - x509 = NULL; - - ExpectNotNull(ctx = X509_STORE_CTX_new()); - X509_STORE_CTX_set_verify_cb(ctx, verify_cb); - X509_STORE_CTX_free(ctx); - ctx = NULL; - -#ifdef OPENSSL_ALL - /* test X509_STORE_CTX_get(1)_chain */ - ExpectNotNull((x509 = X509_load_certificate_file(svrCertFile, - SSL_FILETYPE_PEM))); - ExpectNotNull((x5092 = X509_load_certificate_file(cliCertFile, - SSL_FILETYPE_PEM))); - ExpectNotNull((sk = sk_X509_new_null())); - ExpectIntEQ(sk_X509_push(sk, x509), 1); - if (EXPECT_FAIL()) { - X509_free(x509); - x509 = NULL; - } - ExpectNotNull((str = X509_STORE_new())); - ExpectNotNull((ctx = X509_STORE_CTX_new())); - ExpectIntEQ(X509_STORE_CTX_init(ctx, str, x5092, sk), 1); - ExpectNull((sk2 = X509_STORE_CTX_get_chain(NULL))); - ExpectNull((sk2 = X509_STORE_CTX_get_chain(ctx))); - ExpectNull((sk3 = X509_STORE_CTX_get1_chain(NULL))); 
- ExpectNull((sk3 = X509_STORE_CTX_get1_chain(ctx))); - X509_STORE_CTX_free(ctx); - ctx = NULL; - X509_STORE_free(str); - str = NULL; - /* CTX certs not freed yet */ - X509_free(x5092); - x5092 = NULL; - sk_X509_pop_free(sk, NULL); - sk = NULL; - /* sk3 is dup so free here */ - sk_X509_pop_free(sk3, NULL); - sk3 = NULL; -#endif - - /* test X509_STORE_CTX_get/set_ex_data */ - { - int i = 0, tmpData = 5; - void* tmpDataRet; - ExpectNotNull(ctx = X509_STORE_CTX_new()); - #ifdef HAVE_EX_DATA - for (i = 0; i < MAX_EX_DATA; i++) { - ExpectIntEQ(X509_STORE_CTX_set_ex_data(ctx, i, &tmpData), - WOLFSSL_SUCCESS); - tmpDataRet = (int*)X509_STORE_CTX_get_ex_data(ctx, i); - ExpectNotNull(tmpDataRet); - ExpectIntEQ(tmpData, *(int*)tmpDataRet); - } - #else - ExpectIntEQ(X509_STORE_CTX_set_ex_data(ctx, i, &tmpData), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - tmpDataRet = (int*)X509_STORE_CTX_get_ex_data(ctx, i); - ExpectNull(tmpDataRet); - #endif - X509_STORE_CTX_free(ctx); - ctx = NULL; - } - - /* test X509_STORE_get/set_ex_data */ - { - int i = 0, tmpData = 99; - void* tmpDataRet; - ExpectNotNull(str = X509_STORE_new()); - #ifdef HAVE_EX_DATA - for (i = 0; i < MAX_EX_DATA; i++) { - ExpectIntEQ(X509_STORE_set_ex_data(str, i, &tmpData), - WOLFSSL_SUCCESS); - tmpDataRet = (int*)X509_STORE_get_ex_data(str, i); - ExpectNotNull(tmpDataRet); - ExpectIntEQ(tmpData, *(int*)tmpDataRet); - } - #else - ExpectIntEQ(X509_STORE_set_ex_data(str, i, &tmpData), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - tmpDataRet = (int*)X509_STORE_get_ex_data(str, i); - ExpectNull(tmpDataRet); - #endif - X509_STORE_free(str); - str = NULL; - } - -#endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ - * !defined(NO_FILESYSTEM) && !defined(NO_RSA) */ - - return EXPECT_RESULT(); -} - -#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ - !defined(NO_FILESYSTEM) && !defined(NO_RSA) - -typedef struct { - const char *caFile; - const char *caIntFile; - const char *caInt2File; - const char *leafFile; - X509 *x509Ca; - 
X509 *x509CaInt; - X509 *x509CaInt2; - X509 *x509Leaf; - STACK_OF(X509)* expectedChain; -} X509_STORE_test_data; - -static X509 * test_wolfSSL_X509_STORE_CTX_ex_helper(const char *file) -{ - XFILE fp = XBADFILE; - X509 *x = NULL; - - fp = XFOPEN(file, "rb"); - if (fp == NULL) { - return NULL; - } - x = PEM_read_X509(fp, 0, 0, 0); - XFCLOSE(fp); - - return x; -} - -static int test_wolfSSL_X509_STORE_CTX_ex1(X509_STORE_test_data *testData) -{ - EXPECT_DECLS; - X509_STORE* store = NULL; - X509_STORE_CTX* ctx = NULL; - STACK_OF(X509)* chain = NULL; - int i = 0; - - /* Test case 1, add X509 certs to store and verify */ - ExpectNotNull(store = X509_STORE_new()); - ExpectIntEQ(X509_STORE_add_cert(store, testData->x509Ca), 1); - ExpectIntEQ(X509_STORE_add_cert(store, testData->x509CaInt), 1); - ExpectIntEQ(X509_STORE_add_cert(store, testData->x509CaInt2), 1); - ExpectNotNull(ctx = X509_STORE_CTX_new()); - ExpectIntEQ(X509_STORE_CTX_init(ctx, store, testData->x509Leaf, NULL), 1); - ExpectIntEQ(X509_verify_cert(ctx), 1); - ExpectNotNull(chain = X509_STORE_CTX_get_chain(ctx)); - ExpectIntEQ(sk_X509_num(chain), sk_X509_num(testData->expectedChain)); - for (i = 0; i < sk_X509_num(chain); i++) { - ExpectIntEQ(X509_cmp(sk_X509_value(chain, i), - sk_X509_value(testData->expectedChain, i)), 0); - } - X509_STORE_CTX_free(ctx); - X509_STORE_free(store); - return EXPECT_RESULT(); -} - -static int test_wolfSSL_X509_STORE_CTX_ex2(X509_STORE_test_data *testData) -{ - EXPECT_DECLS; - X509_STORE* store = NULL; - X509_STORE_CTX* ctx = NULL; - STACK_OF(X509)* chain = NULL; - int i = 0; - - /* Test case 2, add certs by filename to store and verify */ - ExpectNotNull(store = X509_STORE_new()); - ExpectIntEQ(X509_STORE_load_locations( - store, testData->caFile, NULL), 1); - ExpectIntEQ(X509_STORE_load_locations( - store, testData->caIntFile, NULL), 1); - ExpectIntEQ(X509_STORE_load_locations( - store, testData->caInt2File, NULL), 1); - ExpectNotNull(ctx = X509_STORE_CTX_new()); - 
ExpectIntEQ(X509_STORE_CTX_init(ctx, store, testData->x509Leaf, NULL), 1); - ExpectIntEQ(X509_verify_cert(ctx), 1); - ExpectNotNull(chain = X509_STORE_CTX_get_chain(ctx)); - ExpectIntEQ(sk_X509_num(chain), sk_X509_num(testData->expectedChain)); - for (i = 0; i < sk_X509_num(chain); i++) { - ExpectIntEQ(X509_cmp(sk_X509_value(chain, i), - sk_X509_value(testData->expectedChain, i)), 0); - } - X509_STORE_CTX_free(ctx); - X509_STORE_free(store); - return EXPECT_RESULT(); -} - -static int test_wolfSSL_X509_STORE_CTX_ex3(X509_STORE_test_data *testData) -{ - EXPECT_DECLS; - X509_STORE* store = NULL; - X509_STORE_CTX* ctx = NULL; - STACK_OF(X509)* chain = NULL; - int i = 0; - - /* Test case 3, mix and match X509 with files */ - ExpectNotNull(store = X509_STORE_new()); - ExpectIntEQ(X509_STORE_add_cert(store, testData->x509CaInt), 1); - ExpectIntEQ(X509_STORE_add_cert(store, testData->x509CaInt2), 1); - ExpectIntEQ(X509_STORE_load_locations( - store, testData->caFile, NULL), 1); - ExpectNotNull(ctx = X509_STORE_CTX_new()); - ExpectIntEQ(X509_STORE_CTX_init(ctx, store, testData->x509Leaf, NULL), 1); - ExpectIntEQ(X509_verify_cert(ctx), 1); - ExpectNotNull(chain = X509_STORE_CTX_get_chain(ctx)); - ExpectIntEQ(sk_X509_num(chain), sk_X509_num(testData->expectedChain)); - for (i = 0; i < sk_X509_num(chain); i++) { - ExpectIntEQ(X509_cmp(sk_X509_value(chain, i), - sk_X509_value(testData->expectedChain, i)), 0); - } - X509_STORE_CTX_free(ctx); - X509_STORE_free(store); - return EXPECT_RESULT(); -} - -static int test_wolfSSL_X509_STORE_CTX_ex4(X509_STORE_test_data *testData) -{ - EXPECT_DECLS; - X509_STORE* store = NULL; - X509_STORE_CTX* ctx = NULL; - STACK_OF(X509)* chain = NULL; - STACK_OF(X509)* inter = NULL; - int i = 0; - - /* Test case 4, CA loaded by file, intermediates passed on init */ - ExpectNotNull(store = X509_STORE_new()); - ExpectIntEQ(X509_STORE_load_locations( - store, testData->caFile, NULL), 1); - ExpectNotNull(inter = sk_X509_new_null()); - 
ExpectIntGE(sk_X509_push(inter, testData->x509CaInt), 1); - ExpectIntGE(sk_X509_push(inter, testData->x509CaInt2), 1); - ExpectNotNull(ctx = X509_STORE_CTX_new()); - ExpectIntEQ(X509_STORE_CTX_init(ctx, store, testData->x509Leaf, inter), 1); - ExpectIntEQ(X509_verify_cert(ctx), 1); - ExpectNotNull(chain = X509_STORE_CTX_get_chain(ctx)); - ExpectIntEQ(sk_X509_num(chain), sk_X509_num(testData->expectedChain)); - for (i = 0; i < sk_X509_num(chain); i++) { - ExpectIntEQ(X509_cmp(sk_X509_value(chain, i), - sk_X509_value(testData->expectedChain, i)), 0); - } - X509_STORE_CTX_free(ctx); - X509_STORE_free(store); - sk_X509_free(inter); - return EXPECT_RESULT(); -} - -static int test_wolfSSL_X509_STORE_CTX_ex5(X509_STORE_test_data *testData) -{ - EXPECT_DECLS; - X509_STORE* store = NULL; - X509_STORE_CTX* ctx = NULL; - STACK_OF(X509)* chain = NULL; - STACK_OF(X509)* trusted = NULL; - int i = 0; - - /* Test case 5, manually set trusted stack */ - ExpectNotNull(store = X509_STORE_new()); - ExpectNotNull(trusted = sk_X509_new_null()); - ExpectIntGE(sk_X509_push(trusted, testData->x509Ca), 1); - ExpectIntGE(sk_X509_push(trusted, testData->x509CaInt), 1); - ExpectIntGE(sk_X509_push(trusted, testData->x509CaInt2), 1); - ExpectNotNull(ctx = X509_STORE_CTX_new()); - ExpectIntEQ(X509_STORE_CTX_init(ctx, store, testData->x509Leaf, NULL), 1); - X509_STORE_CTX_trusted_stack(ctx, trusted); - ExpectIntEQ(X509_verify_cert(ctx), 1); - ExpectNotNull(chain = X509_STORE_CTX_get_chain(ctx)); - ExpectIntEQ(sk_X509_num(chain), sk_X509_num(testData->expectedChain)); - for (i = 0; i < sk_X509_num(chain); i++) { - ExpectIntEQ(X509_cmp(sk_X509_value(chain, i), - sk_X509_value(testData->expectedChain, i)), 0); - } - X509_STORE_CTX_free(ctx); - X509_STORE_free(store); - sk_X509_free(trusted); - return EXPECT_RESULT(); -} - -static int test_wolfSSL_X509_STORE_CTX_ex6(X509_STORE_test_data *testData) -{ - EXPECT_DECLS; - X509_STORE* store = NULL; - X509_STORE_CTX* ctx = NULL; - STACK_OF(X509)* chain = 
NULL; - STACK_OF(X509)* trusted = NULL; - STACK_OF(X509)* inter = NULL; - int i = 0; - - /* Test case 6, manually set trusted stack will be unified with - * any intermediates provided on init */ - ExpectNotNull(store = X509_STORE_new()); - ExpectNotNull(trusted = sk_X509_new_null()); - ExpectNotNull(inter = sk_X509_new_null()); - ExpectIntGE(sk_X509_push(trusted, testData->x509Ca), 1); - ExpectIntGE(sk_X509_push(inter, testData->x509CaInt), 1); - ExpectIntGE(sk_X509_push(inter, testData->x509CaInt2), 1); - ExpectNotNull(ctx = X509_STORE_CTX_new()); - ExpectIntEQ(X509_STORE_CTX_init(ctx, store, testData->x509Leaf, inter), 1); - X509_STORE_CTX_trusted_stack(ctx, trusted); - ExpectIntEQ(X509_verify_cert(ctx), 1); - ExpectNotNull(chain = X509_STORE_CTX_get_chain(ctx)); - ExpectIntEQ(sk_X509_num(chain), sk_X509_num(testData->expectedChain)); - for (i = 0; i < sk_X509_num(chain); i++) { - ExpectIntEQ(X509_cmp(sk_X509_value(chain, i), - sk_X509_value(testData->expectedChain, i)), 0); - } - X509_STORE_CTX_free(ctx); - X509_STORE_free(store); - sk_X509_free(trusted); - sk_X509_free(inter); - return EXPECT_RESULT(); -} - -static int test_wolfSSL_X509_STORE_CTX_ex7(X509_STORE_test_data *testData) -{ - EXPECT_DECLS; - X509_STORE* store = NULL; - X509_STORE_CTX* ctx = NULL; - STACK_OF(X509)* chain = NULL; - int i = 0; - - /* Test case 7, certs added to store after ctx init are still used */ - ExpectNotNull(store = X509_STORE_new()); - ExpectNotNull(ctx = X509_STORE_CTX_new()); - ExpectIntEQ(X509_STORE_CTX_init(ctx, store, testData->x509Leaf, NULL), 1); - ExpectIntNE(X509_verify_cert(ctx), 1); - ExpectIntEQ(X509_STORE_add_cert(store, testData->x509CaInt2), 1); - ExpectIntEQ(X509_STORE_add_cert(store, testData->x509CaInt), 1); - ExpectIntEQ(X509_STORE_add_cert(store, testData->x509Ca), 1); - ExpectIntEQ(X509_verify_cert(ctx), 1); - ExpectNotNull(chain = X509_STORE_CTX_get_chain(ctx)); - ExpectIntEQ(sk_X509_num(chain), sk_X509_num(testData->expectedChain)); - for (i = 0; i < 
sk_X509_num(chain); i++) { - ExpectIntEQ(X509_cmp(sk_X509_value(chain, i), - sk_X509_value(testData->expectedChain, i)), 0); - } - X509_STORE_CTX_free(ctx); - X509_STORE_free(store); - return EXPECT_RESULT(); -} - -static int test_wolfSSL_X509_STORE_CTX_ex8(X509_STORE_test_data *testData) -{ - EXPECT_DECLS; - X509_STORE* store = NULL; - X509_STORE_CTX* ctx = NULL; - STACK_OF(X509)* chain = NULL; - int i = 0; - - /* Test case 8, Only full chain verifies */ - ExpectNotNull(store = X509_STORE_new()); - ExpectNotNull(ctx = X509_STORE_CTX_new()); - ExpectIntEQ(X509_STORE_CTX_init(ctx, store, testData->x509Leaf, NULL), 1); - ExpectIntNE(X509_verify_cert(ctx), 1); - ExpectIntEQ(X509_STORE_add_cert(store, testData->x509CaInt2), 1); - ExpectIntNE(X509_verify_cert(ctx), 1); - ExpectIntEQ(X509_STORE_add_cert(store, testData->x509CaInt), 1); - ExpectIntNE(X509_verify_cert(ctx), 1); - ExpectIntEQ(X509_STORE_add_cert(store, testData->x509Ca), 1); - ExpectIntEQ(X509_verify_cert(ctx), 1); - ExpectNotNull(chain = X509_STORE_CTX_get_chain(ctx)); - ExpectIntEQ(sk_X509_num(chain), sk_X509_num(testData->expectedChain)); - for (i = 0; i < sk_X509_num(chain); i++) { - ExpectIntEQ(X509_cmp(sk_X509_value(chain, i), - sk_X509_value(testData->expectedChain, i)), 0); - } - X509_STORE_CTX_free(ctx); - X509_STORE_free(store); - return EXPECT_RESULT(); -} - -static int test_wolfSSL_X509_STORE_CTX_ex9(X509_STORE_test_data *testData) -{ - EXPECT_DECLS; - X509_STORE* store = NULL; - X509_STORE_CTX* ctx = NULL; - X509_STORE_CTX* ctx2 = NULL; - STACK_OF(X509)* trusted = NULL; - - /* Test case 9, certs added to store should not be reflected in ctx that - * has been manually set with a trusted stack, but are reflected in ctx - * that has not set trusted stack */ - ExpectNotNull(store = X509_STORE_new()); - ExpectNotNull(ctx = X509_STORE_CTX_new()); - ExpectNotNull(ctx2 = X509_STORE_CTX_new()); - ExpectNotNull(trusted = sk_X509_new_null()); - ExpectIntGE(sk_X509_push(trusted, testData->x509Ca), 1); - 
ExpectIntGE(sk_X509_push(trusted, testData->x509CaInt), 1); - ExpectIntGE(sk_X509_push(trusted, testData->x509CaInt2), 1); - ExpectIntEQ(X509_STORE_CTX_init(ctx, store, testData->x509Leaf, NULL), 1); - ExpectIntEQ(X509_STORE_CTX_init(ctx2, store, testData->x509Leaf, NULL), 1); - ExpectIntNE(X509_verify_cert(ctx), 1); - ExpectIntNE(X509_verify_cert(ctx2), 1); - X509_STORE_CTX_trusted_stack(ctx, trusted); - /* CTX1 should now verify */ - ExpectIntEQ(X509_verify_cert(ctx), 1); - ExpectIntNE(X509_verify_cert(ctx2), 1); - ExpectIntEQ(X509_STORE_add_cert(store, testData->x509Ca), 1); - ExpectIntEQ(X509_STORE_add_cert(store, testData->x509CaInt), 1); - ExpectIntEQ(X509_STORE_add_cert(store, testData->x509CaInt2), 1); - /* CTX2 should now verify */ - ExpectIntEQ(X509_verify_cert(ctx2), 1); - X509_STORE_CTX_free(ctx); - X509_STORE_CTX_free(ctx2); - X509_STORE_free(store); - sk_X509_free(trusted); - return EXPECT_RESULT(); -} - -static int test_wolfSSL_X509_STORE_CTX_ex10(X509_STORE_test_data *testData) -{ - EXPECT_DECLS; - X509_STORE* store = NULL; - X509_STORE_CTX* ctx = NULL; - STACK_OF(X509)* chain = NULL; - - /* Test case 10, ensure partial chain flag works */ - ExpectNotNull(store = X509_STORE_new()); - ExpectIntEQ(X509_STORE_add_cert(store, testData->x509CaInt), 1); - ExpectIntEQ(X509_STORE_add_cert(store, testData->x509CaInt2), 1); - ExpectNotNull(ctx = X509_STORE_CTX_new()); - ExpectIntEQ(X509_STORE_CTX_init(ctx, store, testData->x509Leaf, NULL), 1); - /* Fails because chain is incomplete */ - ExpectIntNE(X509_verify_cert(ctx), 1); - ExpectIntEQ(X509_STORE_set_flags(store, X509_V_FLAG_PARTIAL_CHAIN), 1); - /* Partial chain now OK */ - ExpectIntEQ(X509_verify_cert(ctx), 1); - ExpectNotNull(chain = X509_STORE_CTX_get_chain(ctx)); - X509_STORE_CTX_free(ctx); - X509_STORE_free(store); - return EXPECT_RESULT(); -} - -static int test_wolfSSL_X509_STORE_CTX_ex11(X509_STORE_test_data *testData) -{ - EXPECT_DECLS; - X509_STORE* store = NULL; - X509_STORE_CTX* ctx = NULL; - 
STACK_OF(X509)* chain = NULL; - - /* Test case 11, test partial chain flag on ctx itself */ - ExpectNotNull(store = X509_STORE_new()); - ExpectIntEQ(X509_STORE_add_cert(store, testData->x509CaInt), 1); - ExpectIntEQ(X509_STORE_add_cert(store, testData->x509CaInt2), 1); - ExpectNotNull(ctx = X509_STORE_CTX_new()); - ExpectIntEQ(X509_STORE_CTX_init(ctx, store, testData->x509Leaf, NULL), 1); - /* Fails because chain is incomplete */ - ExpectIntNE(X509_verify_cert(ctx), 1); - X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_PARTIAL_CHAIN); - /* Partial chain now OK */ - ExpectIntEQ(X509_verify_cert(ctx), 1); - ExpectNotNull(chain = X509_STORE_CTX_get_chain(ctx)); - X509_STORE_CTX_free(ctx); - X509_STORE_free(store); - return EXPECT_RESULT(); -} - -static int test_wolfSSL_X509_STORE_CTX_ex12(void) -{ - EXPECT_DECLS; -#ifdef HAVE_ECC - X509_STORE* store = NULL; - X509_STORE_CTX* ctx = NULL; - STACK_OF(X509)* chain = NULL; - X509* rootEccX509 = NULL; - X509* badAkiX509 = NULL; - X509* ca1X509 = NULL; - - const char* intCARootECCFile = "./certs/ca-ecc-cert.pem"; - const char* intCA1ECCFile = "./certs/intermediate/ca-int-ecc-cert.pem"; - const char* intCABadAKIECCFile = "./certs/intermediate/ca-ecc-bad-aki.pem"; - - /* Test case 12, multiple CAs with the same SKI including 1 with intentionally - bad/unregistered AKI. x509_verify_cert should still form a valid chain - using the valid CA, ignoring the bad CA. Developed from customer provided - reproducer. 
*/ - - ExpectNotNull(store = X509_STORE_new()); - ExpectNotNull(rootEccX509 = test_wolfSSL_X509_STORE_CTX_ex_helper(intCARootECCFile)); - ExpectIntEQ(X509_STORE_add_cert(store, rootEccX509), 1); - ExpectNotNull(badAkiX509 = test_wolfSSL_X509_STORE_CTX_ex_helper(intCABadAKIECCFile)); - ExpectNotNull(ctx = X509_STORE_CTX_new()); - ExpectIntEQ(X509_STORE_CTX_init(ctx, store, badAkiX509, NULL), 1); - ExpectIntEQ(X509_verify_cert(ctx), 0); - X509_STORE_CTX_cleanup(ctx); - - ExpectIntEQ(X509_STORE_add_cert(store, badAkiX509), 1); - ExpectNotNull(ca1X509 = test_wolfSSL_X509_STORE_CTX_ex_helper(intCA1ECCFile)); - ExpectIntEQ(X509_STORE_CTX_init(ctx, store, ca1X509, NULL), 1); - ExpectIntEQ(X509_verify_cert(ctx), 1); - ExpectNotNull(chain = X509_STORE_CTX_get_chain(ctx)); - - X509_STORE_CTX_free(ctx); - X509_STORE_free(store); - X509_free(rootEccX509); - X509_free(badAkiX509); - X509_free(ca1X509); -#endif - return EXPECT_RESULT(); -} -#endif - -static int test_wolfSSL_X509_STORE_CTX_ex(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ - !defined(NO_FILESYSTEM) && !defined(NO_RSA) - X509_STORE_test_data testData; - XMEMSET((void *)&testData, 0, sizeof(X509_STORE_test_data)); - testData.caFile = "./certs/ca-cert.pem"; - testData.caIntFile = "./certs/intermediate/ca-int-cert.pem"; - testData.caInt2File = "./certs/intermediate/ca-int2-cert.pem"; - testData.leafFile = "./certs/intermediate/server-chain.pem"; - - ExpectNotNull(testData.x509Ca = \ - test_wolfSSL_X509_STORE_CTX_ex_helper(testData.caFile)); - ExpectNotNull(testData.x509CaInt = \ - test_wolfSSL_X509_STORE_CTX_ex_helper(testData.caIntFile)); - ExpectNotNull(testData.x509CaInt2 = \ - test_wolfSSL_X509_STORE_CTX_ex_helper(testData.caInt2File)); - ExpectNotNull(testData.x509Leaf = \ - test_wolfSSL_X509_STORE_CTX_ex_helper(testData.leafFile)); - ExpectNotNull(testData.expectedChain = sk_X509_new_null()); - ExpectIntGE(sk_X509_push(testData.expectedChain, testData.x509Leaf), 1); - 
ExpectIntGE(sk_X509_push(testData.expectedChain, testData.x509CaInt2), 1); - ExpectIntGE(sk_X509_push(testData.expectedChain, testData.x509CaInt), 1); - ExpectIntGE(sk_X509_push(testData.expectedChain, testData.x509Ca), 1); - - ExpectIntEQ(test_wolfSSL_X509_STORE_CTX_ex1(&testData), 1); - ExpectIntEQ(test_wolfSSL_X509_STORE_CTX_ex2(&testData), 1); - ExpectIntEQ(test_wolfSSL_X509_STORE_CTX_ex3(&testData), 1); - ExpectIntEQ(test_wolfSSL_X509_STORE_CTX_ex4(&testData), 1); - ExpectIntEQ(test_wolfSSL_X509_STORE_CTX_ex5(&testData), 1); - ExpectIntEQ(test_wolfSSL_X509_STORE_CTX_ex6(&testData), 1); - ExpectIntEQ(test_wolfSSL_X509_STORE_CTX_ex7(&testData), 1); - ExpectIntEQ(test_wolfSSL_X509_STORE_CTX_ex8(&testData), 1); - ExpectIntEQ(test_wolfSSL_X509_STORE_CTX_ex9(&testData), 1); - ExpectIntEQ(test_wolfSSL_X509_STORE_CTX_ex10(&testData), 1); - ExpectIntEQ(test_wolfSSL_X509_STORE_CTX_ex11(&testData), 1); - test_wolfSSL_X509_STORE_CTX_ex12(); - - if(testData.x509Ca) { - X509_free(testData.x509Ca); - } - if(testData.x509CaInt) { - X509_free(testData.x509CaInt); - } - if(testData.x509CaInt2) { - X509_free(testData.x509CaInt2); - } - if(testData.x509Leaf) { - X509_free(testData.x509Leaf); - } - if (testData.expectedChain) { - sk_X509_free(testData.expectedChain); - } - -#endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ - * !defined(NO_FILESYSTEM) && !defined(NO_RSA) */ - - return EXPECT_RESULT(); -} - - -#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_FILESYSTEM) -static int test_X509_STORE_untrusted_load_cert_to_stack(const char* filename, - STACK_OF(X509)* chain) -{ - EXPECT_DECLS; - XFILE fp = XBADFILE; - X509* cert = NULL; - - ExpectTrue((fp = XFOPEN(filename, "rb")) - != XBADFILE); - ExpectNotNull(cert = PEM_read_X509(fp, 0, 0, 0 )); - if (fp != XBADFILE) { - XFCLOSE(fp); - fp = XBADFILE; - } - ExpectIntGT(sk_X509_push(chain, cert), 0); - if (EXPECT_FAIL()) - X509_free(cert); - - return EXPECT_RESULT(); -} - -#if defined(OPENSSL_ALL) - -static int 
last_errcode; -static int last_errdepth; - -static int X509Callback(int ok, X509_STORE_CTX *ctx) -{ - - if (!ok) { - last_errcode = X509_STORE_CTX_get_error(ctx); - last_errdepth = X509_STORE_CTX_get_error_depth(ctx); - } - /* Always return OK to allow verification to continue.*/ - return 1; -} - -static int test_X509_STORE_InvalidCa(void) -{ - EXPECT_DECLS; - const char* filename = "./certs/intermediate/ca_false_intermediate/" - "test_int_not_cacert.pem"; - const char* srvfile = "./certs/intermediate/ca_false_intermediate/" - "test_sign_bynoca_srv.pem"; - X509_STORE_CTX* ctx = NULL; - X509_STORE* str = NULL; - XFILE fp = XBADFILE; - X509* cert = NULL; - STACK_OF(X509)* untrusted = NULL; - - last_errcode = 0; - last_errdepth = 0; - - ExpectTrue((fp = XFOPEN(srvfile, "rb")) - != XBADFILE); - ExpectNotNull(cert = PEM_read_X509(fp, 0, 0, 0 )); - if (fp != XBADFILE) { - XFCLOSE(fp); - fp = XBADFILE; - } - - ExpectNotNull(str = X509_STORE_new()); - ExpectNotNull(ctx = X509_STORE_CTX_new()); - ExpectNotNull(untrusted = sk_X509_new_null()); - - /* create cert chain stack */ - ExpectIntEQ(test_X509_STORE_untrusted_load_cert_to_stack(filename, - untrusted), TEST_SUCCESS); - - X509_STORE_set_verify_cb(str, X509Callback); - - ExpectIntEQ(X509_STORE_load_locations(str, - "./certs/intermediate/ca_false_intermediate/test_ca.pem", - NULL), 1); - - ExpectIntEQ(X509_STORE_CTX_init(ctx, str, cert, untrusted), 1); - ExpectIntEQ(X509_verify_cert(ctx), 1); - ExpectIntEQ(last_errcode, X509_V_ERR_INVALID_CA); - - X509_free(cert); - X509_STORE_free(str); - X509_STORE_CTX_free(ctx); - sk_X509_pop_free(untrusted, NULL); - - return EXPECT_RESULT(); -} -#endif /* OPENSSL_ALL */ - - - -static int test_X509_STORE_untrusted_certs(const char** filenames, int ret, - int err, int loadCA) -{ - EXPECT_DECLS; - X509_STORE_CTX* ctx = NULL; - X509_STORE* str = NULL; - XFILE fp = XBADFILE; - X509* cert = NULL; - STACK_OF(X509)* untrusted = NULL; - - ExpectTrue((fp = 
XFOPEN("./certs/intermediate/server-int-cert.pem", "rb")) - != XBADFILE); - ExpectNotNull(cert = PEM_read_X509(fp, 0, 0, 0 )); - if (fp != XBADFILE) { - XFCLOSE(fp); - fp = XBADFILE; - } - - ExpectNotNull(str = X509_STORE_new()); - ExpectNotNull(ctx = X509_STORE_CTX_new()); - ExpectNotNull(untrusted = sk_X509_new_null()); - - ExpectIntEQ(X509_STORE_set_flags(str, 0), 1); - if (loadCA) { - ExpectIntEQ(X509_STORE_load_locations(str, "./certs/ca-cert.pem", NULL), - 1); - } - for (; *filenames; filenames++) { - ExpectIntEQ(test_X509_STORE_untrusted_load_cert_to_stack(*filenames, - untrusted), TEST_SUCCESS); - } - - ExpectIntEQ(X509_STORE_CTX_init(ctx, str, cert, untrusted), 1); - ExpectIntEQ(X509_verify_cert(ctx), ret); - ExpectIntEQ(X509_STORE_CTX_get_error(ctx), err); - - X509_free(cert); - X509_STORE_free(str); - X509_STORE_CTX_free(ctx); - sk_X509_pop_free(untrusted, NULL); - - return EXPECT_RESULT(); -} -#endif - -static int test_X509_STORE_untrusted(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_FILESYSTEM) - const char* untrusted1[] = { - "./certs/intermediate/ca-int2-cert.pem", - NULL - }; - const char* untrusted2[] = { - "./certs/intermediate/ca-int-cert.pem", - "./certs/intermediate/ca-int2-cert.pem", - NULL - }; - const char* untrusted3[] = { - "./certs/intermediate/ca-int-cert.pem", - "./certs/intermediate/ca-int2-cert.pem", - "./certs/ca-cert.pem", - NULL - }; - /* Adding unrelated certs that should be ignored */ - const char* untrusted4[] = { - "./certs/client-ca.pem", - "./certs/intermediate/ca-int-cert.pem", - "./certs/server-cert.pem", - "./certs/intermediate/ca-int2-cert.pem", - NULL - }; - - /* Only immediate issuer in untrusted chain. Fails since can't build chain - * to loaded CA. */ - ExpectIntEQ(test_X509_STORE_untrusted_certs(untrusted1, 0, - X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, 1), TEST_SUCCESS); - /* Succeeds because path to loaded CA is available. 
*/ - ExpectIntEQ(test_X509_STORE_untrusted_certs(untrusted2, 1, 0, 1), - TEST_SUCCESS); - /* Root CA in untrusted chain is OK so long as CA has been loaded - * properly */ - ExpectIntEQ(test_X509_STORE_untrusted_certs(untrusted3, 1, 0, 1), - TEST_SUCCESS); - /* Still needs properly loaded CA, while including it in untrusted - * list is not an error, it also doesn't count for verify */ - ExpectIntEQ(test_X509_STORE_untrusted_certs(untrusted3, 0, - X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, 0), - TEST_SUCCESS); - /* Succeeds because path to loaded CA is available. */ - ExpectIntEQ(test_X509_STORE_untrusted_certs(untrusted4, 1, 0, 1), - TEST_SUCCESS); -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_X509_STORE_set_flags(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ - !defined(NO_FILESYSTEM) && !defined(NO_RSA) - X509_STORE* store = NULL; - X509* x509 = NULL; - - ExpectNotNull((store = wolfSSL_X509_STORE_new())); - ExpectNotNull((x509 = wolfSSL_X509_load_certificate_file(svrCertFile, - WOLFSSL_FILETYPE_PEM))); - ExpectIntEQ(X509_STORE_add_cert(store, x509), WOLFSSL_SUCCESS); - -#ifdef HAVE_CRL - ExpectIntEQ(X509_STORE_set_flags(store, WOLFSSL_CRL_CHECKALL), - WOLFSSL_SUCCESS); -#else - ExpectIntEQ(X509_STORE_set_flags(store, WOLFSSL_CRL_CHECKALL), - WC_NO_ERR_TRACE(NOT_COMPILED_IN)); -#endif - - wolfSSL_X509_free(x509); - wolfSSL_X509_STORE_free(store); -#endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && - * !defined(NO_FILESYSTEM) && !defined(NO_RSA) */ - return EXPECT_RESULT(); -} - -static int test_wolfSSL_X509_LOOKUP_load_file(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && defined(HAVE_CRL) && \ - !defined(NO_FILESYSTEM) && !defined(NO_RSA) && defined(HAVE_ECC) && \ - (!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)) - WOLFSSL_X509_STORE* store = NULL; - WOLFSSL_X509_LOOKUP* lookup = NULL; - - ExpectNotNull(store = wolfSSL_X509_STORE_new()); - ExpectNotNull(lookup = 
X509_STORE_add_lookup(store, X509_LOOKUP_file())); - /* One RSA and one ECC certificate in file. */ - ExpectIntEQ(wolfSSL_X509_LOOKUP_load_file(lookup, "certs/client-ca.pem", - X509_FILETYPE_PEM), 1); - ExpectIntEQ(wolfSSL_X509_LOOKUP_load_file(lookup, "certs/crl/crl2.pem", - X509_FILETYPE_PEM), 1); - - if (store != NULL) { - ExpectIntEQ(wolfSSL_CertManagerVerify(store->cm, cliCertFile, - WOLFSSL_FILETYPE_PEM), 1); - ExpectIntEQ(wolfSSL_CertManagerVerify(store->cm, svrCertFile, - WOLFSSL_FILETYPE_PEM), WC_NO_ERR_TRACE(ASN_NO_SIGNER_E)); - } - ExpectIntEQ(wolfSSL_X509_LOOKUP_load_file(lookup, "certs/ca-cert.pem", - X509_FILETYPE_PEM), 1); - if (store != NULL) { - ExpectIntEQ(wolfSSL_CertManagerVerify(store->cm, svrCertFile, - WOLFSSL_FILETYPE_PEM), 1); - } - - wolfSSL_X509_STORE_free(store); -#endif /* defined(OPENSSL_EXTRA) && defined(HAVE_CRL) && - * !defined(NO_FILESYSTEM) && !defined(NO_RSA) */ - return EXPECT_RESULT(); -} - -static int test_wolfSSL_X509_STORE_CTX_set_time(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) - WOLFSSL_X509_STORE_CTX* ctx = NULL; - time_t c_time; - - ExpectNotNull(ctx = wolfSSL_X509_STORE_CTX_new()); - c_time = 365*24*60*60; - wolfSSL_X509_STORE_CTX_set_time(ctx, 0, c_time); - ExpectTrue((ctx->param->flags & WOLFSSL_USE_CHECK_TIME) == - WOLFSSL_USE_CHECK_TIME); - ExpectTrue(ctx->param->check_time == c_time); - wolfSSL_X509_STORE_CTX_free(ctx); -#endif /* OPENSSL_EXTRA */ - return EXPECT_RESULT(); -} - -static int test_wolfSSL_CTX_get0_set1_param(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) -#if !defined(NO_TLS) && \ - (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) - SSL_CTX* ctx = NULL; - WOLFSSL_X509_VERIFY_PARAM* pParam = NULL; - WOLFSSL_X509_VERIFY_PARAM* pvpm = NULL; - char testIPv4[] = "127.0.0.1"; - char testhostName[] = "foo.hoge.com"; - -#ifndef NO_WOLFSSL_SERVER - ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); -#else - ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); 
-#endif - - ExpectNull(SSL_CTX_get0_param(NULL)); - ExpectNotNull(pParam = SSL_CTX_get0_param(ctx)); - - ExpectNotNull(pvpm = (WOLFSSL_X509_VERIFY_PARAM *)XMALLOC( - sizeof(WOLFSSL_X509_VERIFY_PARAM), NULL, DYNAMIC_TYPE_OPENSSL)); - ExpectNotNull(XMEMSET(pvpm, 0, sizeof(WOLFSSL_X509_VERIFY_PARAM))); - - ExpectIntEQ(wolfSSL_X509_VERIFY_PARAM_set1_host(pvpm, testhostName, - (int)XSTRLEN(testhostName)), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(pvpm, testIPv4), - WOLFSSL_SUCCESS); - wolfSSL_X509_VERIFY_PARAM_set_hostflags(pvpm, 0x01); - - ExpectIntEQ(SSL_CTX_set1_param(ctx, pvpm), 1); - ExpectIntEQ(0, XSTRNCMP(pParam->hostName, testhostName, - (int)XSTRLEN(testhostName))); - ExpectIntEQ(0x01, pParam->hostFlags); - ExpectIntEQ(0, XSTRNCMP(pParam->ipasc, testIPv4, WOLFSSL_MAX_IPSTR)); - - /* test for incorrect parameter */ - ExpectIntEQ(1,SSL_CTX_set1_param(ctx, NULL)); - ExpectIntEQ(1,SSL_CTX_set1_param(NULL, pvpm)); - ExpectIntEQ(1,SSL_CTX_set1_param(NULL, NULL)); - - SSL_CTX_free(ctx); - - XFREE(pvpm, NULL, DYNAMIC_TYPE_OPENSSL); -#endif /* !NO_WOLFSSL_CLIENT || !NO_WOLFSSL_SERVER */ -#endif /* OPENSSL_EXTRA && !defined(NO_RSA)*/ - return EXPECT_RESULT(); -} - -static int test_wolfSSL_get0_param(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_TLS) && \ - (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) && \ - !defined(NO_FILESYSTEM) - SSL_CTX* ctx = NULL; - SSL* ssl = NULL; - -#ifndef NO_WOLFSSL_SERVER - ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); -#else - ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); -#endif - ExpectTrue(SSL_CTX_use_certificate_file(ctx, svrCertFile, - SSL_FILETYPE_PEM)); - ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, SSL_FILETYPE_PEM)); - ExpectNotNull(ssl = SSL_new(ctx)); - - ExpectNotNull(SSL_get0_param(ssl)); - - SSL_free(ssl); - SSL_CTX_free(ctx); -#endif - return EXPECT_RESULT(); -} - -static int 
test_wolfSSL_X509_VERIFY_PARAM_set1_host(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) - const char host[] = "www.example.com"; - WOLFSSL_X509_VERIFY_PARAM* pParam = NULL; - - ExpectNotNull(pParam = (WOLFSSL_X509_VERIFY_PARAM*)XMALLOC( - sizeof(WOLFSSL_X509_VERIFY_PARAM), HEAP_HINT, DYNAMIC_TYPE_OPENSSL)); - if (pParam != NULL) { - XMEMSET(pParam, 0, sizeof(WOLFSSL_X509_VERIFY_PARAM)); - - ExpectIntEQ(X509_VERIFY_PARAM_set1_host(NULL, host, sizeof(host)), - WOLFSSL_FAILURE); - - X509_VERIFY_PARAM_set1_host(pParam, host, sizeof(host)); - - ExpectIntEQ(XMEMCMP(pParam->hostName, host, sizeof(host)), 0); - - XMEMSET(pParam, 0, sizeof(WOLFSSL_X509_VERIFY_PARAM)); - - ExpectIntNE(XMEMCMP(pParam->hostName, host, sizeof(host)), 0); - - XFREE(pParam, HEAP_HINT, DYNAMIC_TYPE_OPENSSL); - } -#endif /* OPENSSL_EXTRA */ - return EXPECT_RESULT(); -} - -static int test_wolfSSL_set1_host(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_TLS) && \ - (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) && \ - !defined(NO_FILESYSTEM) - const char host[] = "www.test_wolfSSL_set1_host.com"; - const char emptyStr[] = ""; - SSL_CTX* ctx = NULL; - SSL* ssl = NULL; - WOLFSSL_X509_VERIFY_PARAM* pParam = NULL; - -#ifndef NO_WOLFSSL_SERVER - ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); -#else - ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); -#endif - ExpectTrue(SSL_CTX_use_certificate_file(ctx, svrCertFile, - SSL_FILETYPE_PEM)); - ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, SSL_FILETYPE_PEM)); - ExpectNotNull(ssl = SSL_new(ctx)); - - pParam = SSL_get0_param(ssl); - - /* we should get back host string */ - ExpectIntEQ(SSL_set1_host(ssl, host), WOLFSSL_SUCCESS); - ExpectIntEQ(XMEMCMP(pParam->hostName, host, sizeof(host)), 0); - - /* we should get back empty string */ - ExpectIntEQ(SSL_set1_host(ssl, emptyStr), WOLFSSL_SUCCESS); - ExpectIntEQ(XMEMCMP(pParam->hostName, emptyStr, sizeof(emptyStr)), 0); 
- - /* we should get back host string */ - ExpectIntEQ(SSL_set1_host(ssl, host), WOLFSSL_SUCCESS); - ExpectIntEQ(XMEMCMP(pParam->hostName, host, sizeof(host)), 0); - - /* we should get back empty string */ - ExpectIntEQ(SSL_set1_host(ssl, NULL), WOLFSSL_SUCCESS); - ExpectIntEQ(XMEMCMP(pParam->hostName, emptyStr, sizeof(emptyStr)), 0); - - SSL_free(ssl); - SSL_CTX_free(ctx); -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_X509_VERIFY_PARAM_set1_ip(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_FILESYSTEM) - unsigned char buf[16] = {0}; - WOLFSSL_X509_VERIFY_PARAM* param = NULL; - - ExpectNotNull(param = X509_VERIFY_PARAM_new()); - - ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(NULL, NULL, 1), WOLFSSL_FAILURE); - ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(param, NULL, 1), WOLFSSL_FAILURE); - ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(NULL, buf, 1), WOLFSSL_FAILURE); - ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(NULL, NULL, 16), WOLFSSL_FAILURE); - ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(NULL, NULL, 4), WOLFSSL_FAILURE); - ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(NULL, NULL, 0), WOLFSSL_FAILURE); - ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(param, buf, 1), WOLFSSL_FAILURE); - ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(param, NULL, 16), WOLFSSL_FAILURE); - ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(param, NULL, 4), WOLFSSL_FAILURE); - ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(NULL, buf, 16), WOLFSSL_FAILURE); - ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(NULL, buf, 4), WOLFSSL_FAILURE); - ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(NULL, buf, 0), WOLFSSL_FAILURE); - - ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(param, NULL, 0), WOLFSSL_SUCCESS); - - /* test 127.0.0.1 */ - buf[0] =0x7f; buf[1] = 0; buf[2] = 0; buf[3] = 1; - ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(param, &buf[0], 4), SSL_SUCCESS); - ExpectIntEQ(XSTRNCMP(param->ipasc, "127.0.0.1", sizeof(param->ipasc)), 0); - - /* test 2001:db8:3333:4444:5555:6666:7777:8888 */ - buf[0]=32;buf[1]=1;buf[2]=13;buf[3]=184; - 
buf[4]=51;buf[5]=51;buf[6]=68;buf[7]=68; - buf[8]=85;buf[9]=85;buf[10]=102;buf[11]=102; - buf[12]=119;buf[13]=119;buf[14]=136;buf[15]=136; - ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(param, &buf[0], 16), SSL_SUCCESS); - ExpectIntEQ(XSTRNCMP(param->ipasc, - "2001:db8:3333:4444:5555:6666:7777:8888", sizeof(param->ipasc)), 0); - - /* test 2001:db8:: */ - buf[0]=32;buf[1]=1;buf[2]=13;buf[3]=184; - buf[4]=0;buf[5]=0;buf[6]=0;buf[7]=0; - buf[8]=0;buf[9]=0;buf[10]=0;buf[11]=0; - buf[12]=0;buf[13]=0;buf[14]=0;buf[15]=0; - ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(param, &buf[0], 16), SSL_SUCCESS); - ExpectIntEQ(XSTRNCMP(param->ipasc, "2001:db8::", sizeof(param->ipasc)), 0); - - /* test ::1234:5678 */ - buf[0]=0;buf[1]=0;buf[2]=0;buf[3]=0; - buf[4]=0;buf[5]=0;buf[6]=0;buf[7]=0; - buf[8]=0;buf[9]=0;buf[10]=0;buf[11]=0; - buf[12]=18;buf[13]=52;buf[14]=86;buf[15]=120; - ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(param, &buf[0], 16), SSL_SUCCESS); - ExpectIntEQ(XSTRNCMP(param->ipasc, "::1234:5678", sizeof(param->ipasc)), 0); - - - /* test 2001:db8::1234:5678 */ - buf[0]=32;buf[1]=1;buf[2]=13;buf[3]=184; - buf[4]=0;buf[5]=0;buf[6]=0;buf[7]=0; - buf[8]=0;buf[9]=0;buf[10]=0;buf[11]=0; - buf[12]=18;buf[13]=52;buf[14]=86;buf[15]=120; - ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(param, &buf[0], 16), SSL_SUCCESS); - ExpectIntEQ(XSTRNCMP(param->ipasc, "2001:db8::1234:5678", - sizeof(param->ipasc)), 0); - - /* test 2001:0db8:0001:0000:0000:0ab9:c0a8:0102*/ - /* 2001:db8:1::ab9:c0a8:102 */ - buf[0]=32;buf[1]=1;buf[2]=13;buf[3]=184; - buf[4]=0;buf[5]=1;buf[6]=0;buf[7]=0; - buf[8]=0;buf[9]=0;buf[10]=10;buf[11]=185; - buf[12]=192;buf[13]=168;buf[14]=1;buf[15]=2; - ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(param, &buf[0], 16), SSL_SUCCESS); - ExpectIntEQ(XSTRNCMP(param->ipasc, "2001:db8:1::ab9:c0a8:102", - sizeof(param->ipasc)), 0); - - XFREE(param, HEAP_HINT, DYNAMIC_TYPE_OPENSSL); -#endif /* OPENSSL_EXTRA */ - return EXPECT_RESULT(); -} - -static int test_wolfSSL_X509_STORE_CTX_get0_store(void) -{ - 
EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) - X509_STORE* store = NULL; - X509_STORE_CTX* ctx = NULL; - X509_STORE_CTX* ctx_no_init = NULL; - - ExpectNotNull((store = X509_STORE_new())); - ExpectNotNull(ctx = X509_STORE_CTX_new()); - ExpectNotNull(ctx_no_init = X509_STORE_CTX_new()); - ExpectIntEQ(X509_STORE_CTX_init(ctx, store, NULL, NULL), SSL_SUCCESS); - - ExpectNull(X509_STORE_CTX_get0_store(NULL)); - /* should return NULL if ctx has not bee initialized */ - ExpectNull(X509_STORE_CTX_get0_store(ctx_no_init)); - ExpectNotNull(X509_STORE_CTX_get0_store(ctx)); - - wolfSSL_X509_STORE_CTX_free(ctx); - wolfSSL_X509_STORE_CTX_free(ctx_no_init); - X509_STORE_free(store); -#endif /* OPENSSL_EXTRA */ - return EXPECT_RESULT(); -} - -#if defined(OPENSSL_ALL) && !defined(NO_RSA) && !defined(NO_CERTS) && \ - !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) && \ - defined(HAVE_ECC) && !defined(NO_TLS) && defined(HAVE_AESGCM) -static int test_wolfSSL_get_client_ciphers_ctx_ready(WOLFSSL_CTX* ctx) -{ - EXPECT_DECLS; - ExpectTrue(wolfSSL_CTX_set_cipher_list(ctx, "ECDHE-RSA-AES128-GCM-SHA256")); - return EXPECT_RESULT(); -} - - -static int test_wolfSSL_get_client_ciphers_on_result(WOLFSSL* ssl) { - EXPECT_DECLS; - WOLF_STACK_OF(WOLFSSL_CIPHER)* ciphers; - - ciphers = SSL_get_client_ciphers(ssl); - if (wolfSSL_is_server(ssl) == 0) { - ExpectNull(ciphers); - } - else { - WOLFSSL_CIPHER* current; - - /* client should have only sent over one cipher suite */ - ExpectNotNull(ciphers); - ExpectIntEQ(sk_SSL_CIPHER_num(ciphers), 1); - current = sk_SSL_CIPHER_value(ciphers, 0); - ExpectNotNull(current); - #if !defined(WOLFSSL_CIPHER_INTERNALNAME) && !defined(NO_ERROR_STRINGS) && \ - !defined(WOLFSSL_QT) - ExpectStrEQ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - SSL_CIPHER_get_name(current)); - #else - ExpectStrEQ("ECDHE-RSA-AES128-GCM-SHA256", - SSL_CIPHER_get_name(current)); - #endif - } - return EXPECT_RESULT(); -} -#endif - -static int test_wolfSSL_get_client_ciphers(void) -{ - 
EXPECT_DECLS; -#if defined(OPENSSL_ALL) && !defined(NO_RSA) && !defined(NO_CERTS) && \ - !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) && \ - defined(HAVE_ECC) && !defined(NO_TLS) && defined(HAVE_AESGCM) - test_ssl_cbf server_cb; - test_ssl_cbf client_cb; - - XMEMSET(&client_cb, 0, sizeof(test_ssl_cbf)); - XMEMSET(&server_cb, 0, sizeof(test_ssl_cbf)); - client_cb.method = wolfTLSv1_2_client_method; - server_cb.method = wolfTLSv1_2_server_method; - client_cb.devId = testDevId; - server_cb.devId = testDevId; - client_cb.ctx_ready = test_wolfSSL_get_client_ciphers_ctx_ready; - client_cb.on_result = test_wolfSSL_get_client_ciphers_on_result; - server_cb.on_result = test_wolfSSL_get_client_ciphers_on_result; - - ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cb, - &server_cb, NULL), TEST_SUCCESS); -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_CTX_set_client_CA_list(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_ALL) && !defined(NO_RSA) && !defined(NO_CERTS) && \ - !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) && \ - !defined(NO_BIO) && !defined(NO_TLS) - WOLFSSL_CTX* ctx = NULL; - WOLFSSL* ssl = NULL; - X509_NAME* name = NULL; - STACK_OF(X509_NAME)* names = NULL; - STACK_OF(X509_NAME)* ca_list = NULL; - int names_len = 0; - int i; - - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); - /* Send two X501 names in cert request */ - names = SSL_load_client_CA_file(cliCertFile); - ExpectNotNull(names); - ca_list = SSL_load_client_CA_file(caCertFile); - ExpectNotNull(ca_list); - ExpectNotNull(name = sk_X509_NAME_value(ca_list, 0)); - ExpectIntEQ(sk_X509_NAME_push(names, name), 2); - if (EXPECT_FAIL()) { - wolfSSL_X509_NAME_free(name); - name = NULL; - } - SSL_CTX_set_client_CA_list(ctx, names); - /* This should only free the stack structure */ - sk_X509_NAME_free(ca_list); - ca_list = NULL; - ExpectNotNull(ca_list = SSL_CTX_get_client_CA_list(ctx)); - ExpectIntEQ(sk_X509_NAME_num(ca_list), 
sk_X509_NAME_num(names)); - - ExpectIntEQ(sk_X509_NAME_find(NULL, name), BAD_FUNC_ARG); - ExpectIntEQ(sk_X509_NAME_find(names, NULL), WOLFSSL_FATAL_ERROR); - ExpectIntGT((names_len = sk_X509_NAME_num(names)), 0); - for (i = 0; i < names_len; i++) { - ExpectNotNull(name = sk_X509_NAME_value(names, i)); - ExpectIntEQ(sk_X509_NAME_find(names, name), i); - } - - /* Needed to be able to create ssl object */ - ExpectTrue(SSL_CTX_use_certificate_file(ctx, svrCertFile, - SSL_FILETYPE_PEM)); - ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, SSL_FILETYPE_PEM)); - ExpectNotNull(ssl = wolfSSL_new(ctx)); - /* load again as old names are responsibility of ctx to free*/ - names = SSL_load_client_CA_file(cliCertFile); - ExpectNotNull(names); - SSL_set_client_CA_list(ssl, names); - ExpectNotNull(ca_list = SSL_get_client_CA_list(ssl)); - ExpectIntEQ(sk_X509_NAME_num(ca_list), sk_X509_NAME_num(names)); - - ExpectIntGT((names_len = sk_X509_NAME_num(names)), 0); - for (i = 0; i < names_len; i++) { - ExpectNotNull(name = sk_X509_NAME_value(names, i)); - ExpectIntEQ(sk_X509_NAME_find(names, name), i); - } - -#if !defined(SINGLE_THREADED) && defined(SESSION_CERTS) - { - tcp_ready ready; - func_args server_args; - callback_functions server_cb; - THREAD_TYPE serverThread; - WOLFSSL* ssl_client = NULL; - WOLFSSL_CTX* ctx_client = NULL; - SOCKET_T sockfd = 0; - - /* wolfSSL_get_client_CA_list() with handshake */ - - StartTCP(); - InitTcpReady(&ready); - - XMEMSET(&server_args, 0, sizeof(func_args)); - XMEMSET(&server_cb, 0, sizeof(callback_functions)); - - server_args.signal = &ready; - server_args.callbacks = &server_cb; - - /* we are responsible for free'ing WOLFSSL_CTX */ - server_cb.ctx = ctx; - server_cb.isSharedCtx = 1; - - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_load_verify_locations(ctx, - cliCertFile, 0)); - - start_thread(test_server_nofail, &server_args, &serverThread); - wait_tcp_ready(&server_args); - - tcp_connect(&sockfd, wolfSSLIP, server_args.signal->port, 0, 0, 
NULL); - ExpectNotNull(ctx_client = - wolfSSL_CTX_new(wolfTLSv1_2_client_method())); - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_load_verify_locations( - ctx_client, caCertFile, 0)); - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_use_certificate_file( - ctx_client, cliCertFile, SSL_FILETYPE_PEM)); - ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_use_PrivateKey_file( - ctx_client, cliKeyFile, SSL_FILETYPE_PEM)); - - ExpectNotNull(ssl_client = wolfSSL_new(ctx_client)); - ExpectIntEQ(wolfSSL_set_fd(ssl_client, sockfd), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_connect(ssl_client), WOLFSSL_SUCCESS); - - ExpectNotNull(ca_list = SSL_get_client_CA_list(ssl_client)); - /* We are expecting two cert names to be sent */ - ExpectIntEQ(sk_X509_NAME_num(ca_list), 2); - - ExpectNotNull(names = SSL_CTX_get_client_CA_list(ctx)); - for (i=0; icallbacks; - WOLFSSL_CTX* ctx = callbacks->ctx; - WOLFSSL* ssl = NULL; - SOCKET_T sfd = 0; - SOCKET_T cfd = 0; - word16 port; - char input[1024]; - int idx; - int ret, err = 0; - const char* privateName = "ech-private-name.com"; - int privateNameLen = (int)XSTRLEN(privateName); - - ((func_args*)args)->return_code = TEST_FAIL; - port = ((func_args*)args)->signal->port; - - AssertIntEQ(WOLFSSL_SUCCESS, - wolfSSL_CTX_load_verify_locations(ctx, cliCertFile, 0)); - - AssertIntEQ(WOLFSSL_SUCCESS, - wolfSSL_CTX_use_certificate_file(ctx, svrCertFile, - WOLFSSL_FILETYPE_PEM)); - - AssertIntEQ(WOLFSSL_SUCCESS, - wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, - WOLFSSL_FILETYPE_PEM)); - - if (callbacks->ctx_ready) - callbacks->ctx_ready(ctx); - - ssl = wolfSSL_new(ctx); - - /* set the sni for the server */ - wolfSSL_UseSNI(ssl, WOLFSSL_SNI_HOST_NAME, privateName, privateNameLen); - - tcp_accept(&sfd, &cfd, (func_args*)args, port, 0, 0, 0, 0, 1, NULL, NULL); - CloseSocket(sfd); - AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_set_fd(ssl, cfd)); - - if (callbacks->ssl_ready) - callbacks->ssl_ready(ssl); - - do { - err = 0; /* Reset error */ - ret = wolfSSL_accept(ssl); - if 
(ret != WOLFSSL_SUCCESS) { - err = wolfSSL_get_error(ssl, 0); - } - } while (ret != WOLFSSL_SUCCESS && err == WC_NO_ERR_TRACE(WC_PENDING_E)); - - if (ret != WOLFSSL_SUCCESS) { - char buff[WOLFSSL_MAX_ERROR_SZ]; - fprintf(stderr, "error = %d, %s\n", err, wolfSSL_ERR_error_string(err, buff)); - } - else { - if (0 < (idx = wolfSSL_read(ssl, input, sizeof(input)-1))) { - input[idx] = 0; - fprintf(stderr, "Client message: %s\n", input); - } - - AssertIntEQ(privateNameLen, wolfSSL_write(ssl, privateName, - privateNameLen)); - ((func_args*)args)->return_code = TEST_SUCCESS; - } - - if (callbacks->on_result) - callbacks->on_result(ssl); - - wolfSSL_shutdown(ssl); - wolfSSL_free(ssl); - wolfSSL_CTX_free(ctx); - CloseSocket(cfd); - -#ifdef FP_ECC - wc_ecc_fp_free(); -#endif - - WOLFSSL_RETURN_FROM_THREAD(0); -} -#endif /* HAVE_ECH && WOLFSSL_TLS13 */ - -#if defined(OPENSSL_EXTRA) && defined(HAVE_SECRET_CALLBACK) -static void keyLog_callback(const WOLFSSL* ssl, const char* line) -{ - XFILE fp; - const byte lf = '\n'; - - AssertNotNull(ssl); - AssertNotNull(line); - - fp = XFOPEN("./MyKeyLog.txt", "a"); - XFWRITE(line, 1, XSTRLEN(line), fp); - XFWRITE((void*)&lf, 1, 1, fp); - XFFLUSH(fp); - XFCLOSE(fp); -} -#endif /* OPENSSL_EXTRA && HAVE_SECRET_CALLBACK */ -static int test_wolfSSL_CTX_set_keylog_callback(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && defined(HAVE_SECRET_CALLBACK) && \ - !defined(NO_WOLFSSL_CLIENT) - SSL_CTX* ctx = NULL; - - ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); - SSL_CTX_set_keylog_callback(ctx, keyLog_callback ); - SSL_CTX_free(ctx); - SSL_CTX_set_keylog_callback(NULL, NULL); -#endif /* OPENSSL_EXTRA && HAVE_SECRET_CALLBACK && !NO_WOLFSSL_CLIENT */ - return EXPECT_RESULT(); -} -static int test_wolfSSL_CTX_get_keylog_callback(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && defined(HAVE_SECRET_CALLBACK) && \ - !defined(NO_WOLFSSL_CLIENT) - SSL_CTX* ctx = NULL; - - ExpectNotNull(ctx = 
SSL_CTX_new(wolfSSLv23_client_method())); - ExpectPtrEq(SSL_CTX_get_keylog_callback(ctx),NULL); - SSL_CTX_set_keylog_callback(ctx, keyLog_callback ); - ExpectPtrEq(SSL_CTX_get_keylog_callback(ctx),keyLog_callback); - SSL_CTX_set_keylog_callback(ctx, NULL ); - ExpectPtrEq(SSL_CTX_get_keylog_callback(ctx),NULL); - SSL_CTX_free(ctx); -#endif /* OPENSSL_EXTRA && HAVE_SECRET_CALLBACK && !NO_WOLFSSL_CLIENT */ - return EXPECT_RESULT(); -} - -#if defined(OPENSSL_EXTRA) && defined(HAVE_SECRET_CALLBACK) -static int test_wolfSSL_Tls12_Key_Logging_client_ctx_ready(WOLFSSL_CTX* ctx) -{ - /* set keylog callback */ - wolfSSL_CTX_set_keylog_callback(ctx, keyLog_callback); - return TEST_SUCCESS; -} -#endif - -static int test_wolfSSL_Tls12_Key_Logging_test(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && defined(HAVE_SECRET_CALLBACK) - /* This test is intended for checking whether keylog callback is called - * in client during TLS handshake between the client and a server. - */ - test_ssl_cbf server_cbf; - test_ssl_cbf client_cbf; - XFILE fp = XBADFILE; - char buff[500]; - int found = 0; - - XMEMSET(&server_cbf, 0, sizeof(test_ssl_cbf)); - XMEMSET(&client_cbf, 0, sizeof(test_ssl_cbf)); - server_cbf.method = wolfTLSv1_2_server_method; - client_cbf.ctx_ready = &test_wolfSSL_Tls12_Key_Logging_client_ctx_ready; - - /* clean up keylog file */ - ExpectTrue((fp = XFOPEN("./MyKeyLog.txt", "w")) != XBADFILE); - if (fp != XBADFILE) { - XFFLUSH(fp); - XFCLOSE(fp); - fp = XBADFILE; - } - - ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cbf, - &server_cbf, NULL), TEST_SUCCESS); - - /* check if the keylog file exists */ - ExpectTrue((fp = XFOPEN("./MyKeyLog.txt", "rb")) != XBADFILE); - XFFLUSH(fp); /* Just to make sure any buffers get flushed */ - - XMEMSET(buff, 0, sizeof(buff)); - while (EXPECT_SUCCESS() && XFGETS(buff, (int)sizeof(buff), fp) != NULL) { - if (0 == strncmp(buff,"CLIENT_RANDOM ", sizeof("CLIENT_RANDOM ")-1)) { - found = 1; - break; - } - } - if (fp != 
XBADFILE) {
- XFCLOSE(fp);
- }
- /* a log starting with "CLIENT_RANDOM " should exit in the file */
- ExpectIntEQ(found, 1);
- /* clean up */
- ExpectIntEQ(rem_file("./MyKeyLog.txt"), 0);
-#endif /* OPENSSL_EXTRA && HAVE_SECRET_CALLBACK */
- return EXPECT_RESULT();
-}
-
-#if defined(WOLFSSL_TLS13) && defined(OPENSSL_EXTRA) && \
- defined(HAVE_SECRET_CALLBACK)
-static int test_wolfSSL_Tls13_Key_Logging_client_ctx_ready(WOLFSSL_CTX* ctx)
-{
- /* set keylog callback */
- wolfSSL_CTX_set_keylog_callback(ctx, keyLog_callback);
- return TEST_SUCCESS;
-}
-#endif
-
-static int test_wolfSSL_Tls13_Key_Logging_test(void)
-{
- EXPECT_DECLS;
-#if defined(WOLFSSL_TLS13) && defined(OPENSSL_EXTRA) && \
- defined(HAVE_SECRET_CALLBACK)
-/* This test is intended for checking whether keylog callback is called
- * in client during TLS handshake between the client and a server.
- */
- test_ssl_cbf server_cbf;
- test_ssl_cbf client_cbf;
- XFILE fp = XBADFILE;
-
- XMEMSET(&server_cbf, 0, sizeof(test_ssl_cbf));
- XMEMSET(&client_cbf, 0, sizeof(test_ssl_cbf));
- server_cbf.method = wolfTLSv1_3_server_method; /* TLS1.3 */
- client_cbf.ctx_ready = &test_wolfSSL_Tls13_Key_Logging_client_ctx_ready;
-
- /* clean up keylog file */
- ExpectTrue((fp = XFOPEN("./MyKeyLog.txt", "w")) != XBADFILE);
- if (fp != XBADFILE) {
- XFCLOSE(fp);
- fp = XBADFILE;
- }
-
- ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cbf,
- &server_cbf, NULL), TEST_SUCCESS);
-
- /* check if the keylog file exists */
- {
- char buff[300] = {0};
- int found[4] = {0};
- int numfnd = 0;
- int i;
-
- ExpectTrue((fp = XFOPEN("./MyKeyLog.txt", "rb")) != XBADFILE);
-
- while (EXPECT_SUCCESS() &&
- XFGETS(buff, (int)sizeof(buff), fp) != NULL) {
- if (0 == strncmp(buff, "CLIENT_HANDSHAKE_TRAFFIC_SECRET ",
- sizeof("CLIENT_HANDSHAKE_TRAFFIC_SECRET ")-1)) {
- found[0] = 1;
- continue;
- }
- else if (0 == strncmp(buff, "SERVER_HANDSHAKE_TRAFFIC_SECRET ",
- sizeof("SERVER_HANDSHAKE_TRAFFIC_SECRET ")-1)) {
- found[1] = 1;
- 
continue;
- }
- else if (0 == strncmp(buff, "CLIENT_TRAFFIC_SECRET_0 ",
- sizeof("CLIENT_TRAFFIC_SECRET_0 ")-1)) {
- found[2] = 1;
- continue;
- }
- else if (0 == strncmp(buff, "SERVER_TRAFFIC_SECRET_0 ",
- sizeof("SERVER_TRAFFIC_SECRET_0 ")-1)) {
- found[3] = 1;
- continue;
- }
- }
- if (fp != XBADFILE)
- XFCLOSE(fp);
- for (i = 0; i < 4; i++) {
- if (found[i] != 0)
- numfnd++;
- }
- ExpectIntEQ(numfnd, 4);
- }
-#endif /* OPENSSL_EXTRA && HAVE_SECRET_CALLBACK && WOLFSSL_TLS13 */
- return EXPECT_RESULT();
-}
-#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH) && \
- defined(HAVE_IO_TESTS_DEPENDENCIES)
-static int test_wolfSSL_Tls13_ECH_params(void)
-{
- EXPECT_DECLS;
-#if !defined(NO_WOLFSSL_CLIENT)
- word32 outputLen = 0;
- byte testBuf[72];
- WOLFSSL_CTX *ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method());
- WOLFSSL *ssl = wolfSSL_new(ctx);
-
- ExpectNotNull(ctx);
- ExpectNotNull(ssl);
-
- /* invalid ctx */
- ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_GenerateEchConfig(NULL,
- "ech-public-name.com", 0, 0, 0));
- /* invalid public name */
- ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_GenerateEchConfig(ctx, NULL, 0,
- 0, 0));
- /* invalid algorithms */
- ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_GenerateEchConfig(ctx,
- "ech-public-name.com", 1000, 1000, 1000));
-
- /* invalid ctx */
- ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_SetEchConfigsBase64(NULL,
- (char*)testBuf, sizeof(testBuf)));
- /* invalid base64 configs */
- ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_SetEchConfigsBase64(ctx,
- NULL, sizeof(testBuf)));
- /* invalid length */
- ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_SetEchConfigsBase64(ctx,
- (char*)testBuf, 0));
-
- /* invalid ctx */
- ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_SetEchConfigs(NULL,
- testBuf, sizeof(testBuf)));
- /* invalid configs */
- ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_SetEchConfigs(ctx,
- NULL, sizeof(testBuf)));
- /* invalid length */
- ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_SetEchConfigs(ctx,
- testBuf, 0));
-
- /* invalid ctx */
- 
ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_GetEchConfigs(NULL, NULL,
- &outputLen));
- /* invalid output len */
- ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_GetEchConfigs(ctx, NULL, NULL));
-
- /* invalid ssl */
- ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_SetEchConfigsBase64(NULL,
- (char*)testBuf, sizeof(testBuf)));
- /* invalid configs64 */
- ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_SetEchConfigsBase64(ssl, NULL,
- sizeof(testBuf)));
- /* invalid size */
- ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_SetEchConfigsBase64(ssl,
- (char*)testBuf, 0));
-
- /* invalid ssl */
- ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_SetEchConfigs(NULL, testBuf,
- sizeof(testBuf)));
- /* invalid configs */
- ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_SetEchConfigs(ssl, NULL,
- sizeof(testBuf)));
- /* invalid size */
- ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_SetEchConfigs(ssl, testBuf, 0));
-
- /* invalid ssl */
- ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_GetEchConfigs(NULL, NULL, &outputLen));
- /* invalid size */
- ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_GetEchConfigs(ssl, NULL, NULL));
-
- wolfSSL_free(ssl);
- wolfSSL_CTX_free(ctx);
-#endif /* !NO_WOLFSSL_CLIENT */
-
- return EXPECT_RESULT();
-}
-
-static int test_wolfSSL_Tls13_ECH_ex(int hrr)
-{
- EXPECT_DECLS;
- tcp_ready ready;
- func_args client_args;
- func_args server_args;
- THREAD_TYPE serverThread;
- callback_functions server_cbf;
- callback_functions client_cbf;
- SOCKET_T sockfd = 0;
- WOLFSSL_CTX* ctx = NULL;
- WOLFSSL* ssl = NULL;
- const char* publicName = "ech-public-name.com";
- const char* privateName = "ech-private-name.com";
- int privateNameLen = 20;
- char reply[1024];
- int replyLen = 0;
- byte rawEchConfig[128];
- word32 rawEchConfigLen = sizeof(rawEchConfig);
-
- InitTcpReady(&ready);
- ready.port = 22222;
-
- XMEMSET(&client_args, 0, sizeof(func_args));
- XMEMSET(&server_args, 0, sizeof(func_args));
- XMEMSET(&server_cbf, 0, sizeof(callback_functions));
- XMEMSET(&client_cbf, 0, sizeof(callback_functions));
- server_cbf.method = 
wolfTLSv1_3_server_method; /* TLS1.3 */
-
- /* create the server context here so we can get the ech config */
- ExpectNotNull(server_cbf.ctx =
- wolfSSL_CTX_new(wolfTLSv1_3_server_method()));
-
- /* generate ech config */
- ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_GenerateEchConfig(server_cbf.ctx,
- publicName, 0, 0, 0));
-
- /* get the config for the client to use */
- ExpectIntEQ(WOLFSSL_SUCCESS,
- wolfSSL_CTX_GetEchConfigs(server_cbf.ctx, rawEchConfig,
- &rawEchConfigLen));
-
- server_args.callbacks = &server_cbf;
- server_args.signal = &ready;
-
- /* start server task */
- start_thread(server_task_ech, &server_args, &serverThread);
- wait_tcp_ready(&server_args);
-
- /* run as a TLS1.3 client */
- ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method()));
- ExpectIntEQ(WOLFSSL_SUCCESS,
- wolfSSL_CTX_load_verify_locations(ctx, caCertFile, 0));
- ExpectIntEQ(WOLFSSL_SUCCESS,
- wolfSSL_CTX_use_certificate_file(ctx, cliCertFile, SSL_FILETYPE_PEM));
- ExpectIntEQ(WOLFSSL_SUCCESS,
- wolfSSL_CTX_use_PrivateKey_file(ctx, cliKeyFile, SSL_FILETYPE_PEM));
-
- tcp_connect(&sockfd, wolfSSLIP, server_args.signal->port, 0, 0, NULL);
-
- /* get connected the server task */
- ExpectNotNull(ssl = wolfSSL_new(ctx));
-
- /* set the ech configs for the client */
- ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_SetEchConfigs(ssl, rawEchConfig,
- rawEchConfigLen));
-
- /* set the sni for the client */
- ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_UseSNI(ssl, WOLFSSL_SNI_HOST_NAME,
- privateName, privateNameLen));
-
- /* force hello retry request */
- if (hrr)
- ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_NoKeyShares(ssl));
-
- /* connect like normal */
- ExpectIntEQ(wolfSSL_set_fd(ssl, sockfd), WOLFSSL_SUCCESS);
- ExpectIntEQ(wolfSSL_connect(ssl), WOLFSSL_SUCCESS);
- ExpectIntEQ(ssl->options.echAccepted, 1);
- ExpectIntEQ(wolfSSL_write(ssl, privateName, privateNameLen),
- privateNameLen);
- ExpectIntGT((replyLen = wolfSSL_read(ssl, reply, sizeof(reply))), 0);
- /* add th null terminator for string 
compare */
- reply[replyLen] = 0;
- /* check that the server replied with the private name */
- ExpectStrEQ(privateName, reply);
- wolfSSL_free(ssl);
- wolfSSL_CTX_free(ctx);
-
- CloseSocket(sockfd);
-
- join_thread(serverThread);
-
- FreeTcpReady(&ready);
-
- return EXPECT_RESULT();
-}
-
-static int test_wolfSSL_Tls13_ECH(void)
-{
- return test_wolfSSL_Tls13_ECH_ex(0);
-}
-
-static int test_wolfSSL_Tls13_ECH_HRR(void)
-{
- return test_wolfSSL_Tls13_ECH_ex(1);
-}
-#endif /* HAVE_ECH && WOLFSSL_TLS13 */
-
-#if defined(HAVE_IO_TESTS_DEPENDENCIES) && \
-defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \
- defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
-static int post_auth_version_cb(WOLFSSL* ssl)
-{
- EXPECT_DECLS;
- /* do handshake and then test version error */
- ExpectIntEQ(wolfSSL_accept(ssl), WOLFSSL_SUCCESS);
- ExpectStrEQ("TLSv1.2", wolfSSL_get_version(ssl));
- return EXPECT_RESULT();
-}
-
-static int post_auth_version_client_cb(WOLFSSL* ssl)
-{
- EXPECT_DECLS;
- /* do handshake and then test version error */
- ExpectIntEQ(wolfSSL_connect(ssl), WOLFSSL_SUCCESS);
- ExpectStrEQ("TLSv1.2", wolfSSL_get_version(ssl));
- ExpectIntEQ(wolfSSL_verify_client_post_handshake(ssl), WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
-#if defined(OPENSSL_ALL) && !defined(NO_ERROR_QUEUE)
- /* check was added to error queue */
- ExpectIntEQ(wolfSSL_ERR_get_error(), -WC_NO_ERR_TRACE(UNSUPPORTED_PROTO_VERSION));
-
- /* check the string matches expected string */
- #ifndef NO_ERROR_STRINGS
- ExpectStrEQ(wolfSSL_ERR_error_string(-WC_NO_ERR_TRACE(UNSUPPORTED_PROTO_VERSION), NULL),
- "WRONG_SSL_VERSION");
- #endif
-#endif
- return EXPECT_RESULT();
-}
-
-static int post_auth_cb(WOLFSSL* ssl)
-{
- EXPECT_DECLS;
- WOLFSSL_X509* x509 = NULL;
- /* do handshake and then test version error */
- ExpectIntEQ(wolfSSL_accept(ssl), WOLFSSL_SUCCESS);
- ExpectStrEQ("TLSv1.3", wolfSSL_get_version(ssl));
- ExpectNull(x509 = wolfSSL_get_peer_certificate(ssl));
- wolfSSL_X509_free(x509);
- 
ExpectIntEQ(wolfSSL_verify_client_post_handshake(ssl), WOLFSSL_SUCCESS);
- return EXPECT_RESULT();
-}
-
-static int set_post_auth_cb(WOLFSSL* ssl)
-{
- if (!wolfSSL_is_server(ssl)) {
- EXPECT_DECLS;
- ExpectIntEQ(wolfSSL_allow_post_handshake_auth(ssl), 0);
- return EXPECT_RESULT();
- }
- wolfSSL_set_verify(ssl, WOLFSSL_VERIFY_POST_HANDSHAKE, NULL);
- return TEST_SUCCESS;
-}
-#endif
-
-static int test_wolfSSL_Tls13_postauth(void)
-{
- EXPECT_DECLS;
-#if defined(HAVE_IO_TESTS_DEPENDENCIES) && \
- defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \
- defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
- test_ssl_cbf server_cbf;
- test_ssl_cbf client_cbf;
-
- /* test version failure doing post auth with TLS 1.2 connection */
- XMEMSET(&server_cbf, 0, sizeof(server_cbf));
- XMEMSET(&client_cbf, 0, sizeof(client_cbf));
- server_cbf.method = wolfTLSv1_2_server_method;
- server_cbf.ssl_ready = set_post_auth_cb;
- server_cbf.on_result = post_auth_version_cb;
- client_cbf.ssl_ready = set_post_auth_cb;
- client_cbf.on_result = post_auth_version_client_cb;
-
- ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cbf,
- &server_cbf, NULL), TEST_SUCCESS);
-
- /* tests on post auth with TLS 1.3 */
- XMEMSET(&server_cbf, 0, sizeof(server_cbf));
- XMEMSET(&client_cbf, 0, sizeof(client_cbf));
- server_cbf.method = wolfTLSv1_3_server_method;
- server_cbf.ssl_ready = set_post_auth_cb;
- client_cbf.ssl_ready = set_post_auth_cb;
- server_cbf.on_result = post_auth_cb;
- client_cbf.on_result = NULL;
-
- ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cbf,
- &server_cbf, NULL), TEST_SUCCESS);
-#endif
- return EXPECT_RESULT();
-}
-
-
-static int test_wolfSSL_X509_NID(void)
-{
- EXPECT_DECLS;
-#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) && \
- !defined(NO_RSA) && defined(USE_CERT_BUFFERS_2048) && !defined(NO_ASN)
- int sigType;
- int nameSz = 0;
-
- X509* cert = NULL;
- EVP_PKEY* pubKeyTmp = NULL;
- X509_NAME* name = NULL;
-
- char 
commonName[80];
- char countryName[80];
- char localityName[80];
- char stateName[80];
- char orgName[80];
- char orgUnit[80];
-
- /* ------ PARSE ORIGINAL SELF-SIGNED CERTIFICATE ------ */
-
- /* convert cert from DER to internal WOLFSSL_X509 struct */
- ExpectNotNull(cert = wolfSSL_X509_d2i_ex(&cert, client_cert_der_2048,
- sizeof_client_cert_der_2048, HEAP_HINT));
-
- /* ------ EXTRACT CERTIFICATE ELEMENTS ------ */
-
- /* extract PUBLIC KEY from cert */
- ExpectNotNull(pubKeyTmp = X509_get_pubkey(cert));
-
- /* extract signatureType */
- ExpectIntEQ(wolfSSL_X509_get_signature_type(NULL), 0);
- ExpectIntNE((sigType = wolfSSL_X509_get_signature_type(cert)), 0);
-
- /* extract subjectName info */
- ExpectNotNull(name = X509_get_subject_name(cert));
- ExpectIntEQ(X509_NAME_get_text_by_NID(name, -1, NULL, 0), -1);
- ExpectIntEQ(X509_NAME_get_text_by_NID(NULL, NID_commonName, NULL, 0), -1);
- ExpectIntEQ(X509_NAME_get_text_by_NID(name, NID_commonName,
- commonName, -2), 0);
- ExpectIntGT((nameSz = X509_NAME_get_text_by_NID(name, NID_commonName,
- NULL, 0)), 0);
- ExpectIntEQ(nameSz, 15);
- ExpectIntGT((nameSz = X509_NAME_get_text_by_NID(name, NID_commonName,
- commonName, sizeof(commonName))), 0);
- ExpectIntEQ(nameSz, 15);
- ExpectIntEQ(XMEMCMP(commonName, "www.wolfssl.com", nameSz), 0);
- ExpectIntGT((nameSz = X509_NAME_get_text_by_NID(name, NID_commonName,
- commonName, 9)), 0);
- ExpectIntEQ(nameSz, 8);
- ExpectIntEQ(XMEMCMP(commonName, "www.wolf", nameSz), 0);
-
- ExpectIntGT((nameSz = X509_NAME_get_text_by_NID(name, NID_countryName,
- countryName, sizeof(countryName))), 0);
- ExpectIntEQ(XMEMCMP(countryName, "US", nameSz), 0);
-
- ExpectIntGT((nameSz = X509_NAME_get_text_by_NID(name, NID_localityName,
- localityName, sizeof(localityName))), 0);
- ExpectIntEQ(XMEMCMP(localityName, "Bozeman", nameSz), 0);
-
- ExpectIntGT((nameSz = X509_NAME_get_text_by_NID(name,
- NID_stateOrProvinceName, stateName, sizeof(stateName))), 0);
- ExpectIntEQ(XMEMCMP(stateName, 
"Montana", nameSz), 0);
-
- ExpectIntGT((nameSz = X509_NAME_get_text_by_NID(name, NID_organizationName,
- orgName, sizeof(orgName))), 0);
- ExpectIntEQ(XMEMCMP(orgName, "wolfSSL_2048", nameSz), 0);
-
- ExpectIntGT((nameSz = X509_NAME_get_text_by_NID(name,
- NID_organizationalUnitName, orgUnit, sizeof(orgUnit))), 0);
- ExpectIntEQ(XMEMCMP(orgUnit, "Programming-2048", nameSz), 0);
-
- EVP_PKEY_free(pubKeyTmp);
- X509_free(cert);
-#endif
- return EXPECT_RESULT();
-}
-
-static int test_wolfSSL_CTX_set_srp_username(void)
-{
- EXPECT_DECLS;
-#if defined(OPENSSL_EXTRA) && defined(WOLFCRYPT_HAVE_SRP) && \
- !defined(NO_SHA256) && !defined(WC_NO_RNG) && !defined(NO_TLS) && \
- !defined(NO_WOLFSSL_CLIENT)
- WOLFSSL_CTX* ctx = NULL;
- WOLFSSL* ssl = NULL;
- const char *username = "TESTUSER";
- const char *password = "TESTPASSWORD";
-
- ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
- ExpectIntEQ(wolfSSL_CTX_set_srp_username(ctx, (char *)username),
- SSL_SUCCESS);
- wolfSSL_CTX_free(ctx);
- ctx = NULL;
-
- ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
- ExpectIntEQ(wolfSSL_CTX_set_srp_password(ctx, (char *)password),
- SSL_SUCCESS);
- ExpectIntEQ(wolfSSL_CTX_set_srp_username(ctx, (char *)username),
- SSL_SUCCESS);
-
- ExpectNotNull(ssl = SSL_new(ctx));
- ExpectNotNull(SSL_get_srp_username(ssl));
- ExpectStrEQ(SSL_get_srp_username(ssl), username);
-
- wolfSSL_free(ssl);
- wolfSSL_CTX_free(ctx);
-#endif /* OPENSSL_EXTRA && WOLFCRYPT_HAVE_SRP */
- /* && !NO_SHA256 && !WC_NO_RNG && !NO_WOLFSSL_CLIENT */
- return EXPECT_RESULT();
-}
-
-static int test_wolfSSL_CTX_set_srp_password(void)
-{
- EXPECT_DECLS;
-#if defined(OPENSSL_EXTRA) && defined(WOLFCRYPT_HAVE_SRP) && \
- !defined(NO_SHA256) && !defined(WC_NO_RNG) && !defined(NO_TLS) && \
- !defined(NO_WOLFSSL_CLIENT)
- WOLFSSL_CTX* ctx = NULL;
- const char *username = "TESTUSER";
- const char *password = "TESTPASSWORD";
-
- ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
- 
ExpectIntEQ(wolfSSL_CTX_set_srp_password(ctx, (char *)password),
- SSL_SUCCESS);
- wolfSSL_CTX_free(ctx);
- ctx = NULL;
-
- ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
- ExpectIntEQ(wolfSSL_CTX_set_srp_username(ctx, (char *)username),
- SSL_SUCCESS);
- ExpectIntEQ(wolfSSL_CTX_set_srp_password(ctx, (char *)password),
- SSL_SUCCESS);
- wolfSSL_CTX_free(ctx);
-#endif /* OPENSSL_EXTRA && WOLFCRYPT_HAVE_SRP */
- /* && !NO_SHA256 && !WC_NO_RNG && !NO_WOLFSSL_CLIENT */
- return EXPECT_RESULT();
-}
-
-static int test_wolfSSL_X509_STORE(void)
-{
- EXPECT_DECLS;
-#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_TLS) && \
- !defined(NO_FILESYSTEM)
- X509_STORE *store = NULL;
-
-#ifdef HAVE_CRL
- X509_STORE_CTX *storeCtx = NULL;
- X509 *ca = NULL;
- X509 *cert = NULL;
- const char srvCert[] = "./certs/server-revoked-cert.pem";
- const char caCert[] = "./certs/ca-cert.pem";
-#ifndef WOLFSSL_CRL_ALLOW_MISSING_CDP
- X509_CRL *crl = NULL;
- const char crlPem[] = "./certs/crl/crl.revoked";
- XFILE fp = XBADFILE;
-#endif /* !WOLFSSL_CRL_ALLOW_MISSING_CDP */
-
- ExpectNotNull(store = (X509_STORE *)X509_STORE_new());
- ExpectNotNull((ca = wolfSSL_X509_load_certificate_file(caCert,
- SSL_FILETYPE_PEM)));
- ExpectIntEQ(X509_STORE_add_cert(store, ca), SSL_SUCCESS);
- ExpectNotNull((cert = wolfSSL_X509_load_certificate_file(srvCert,
- SSL_FILETYPE_PEM)));
- ExpectNotNull((storeCtx = X509_STORE_CTX_new()));
- ExpectIntEQ(X509_STORE_CTX_init(storeCtx, store, cert, NULL), SSL_SUCCESS);
- ExpectIntEQ(X509_verify_cert(storeCtx), SSL_SUCCESS);
- X509_STORE_free(store);
- store = NULL;
- X509_STORE_CTX_free(storeCtx);
- storeCtx = NULL;
- X509_free(cert);
- cert = NULL;
- X509_free(ca);
- ca = NULL;
-
-#ifndef WOLFSSL_CRL_ALLOW_MISSING_CDP
- /* should fail to verify now after adding in CRL */
- ExpectNotNull(store = (X509_STORE *)X509_STORE_new());
- ExpectNotNull((ca = wolfSSL_X509_load_certificate_file(caCert,
- SSL_FILETYPE_PEM)));
- 
ExpectIntEQ(X509_STORE_add_cert(store, ca), SSL_SUCCESS);
- ExpectTrue((fp = XFOPEN(crlPem, "rb")) != XBADFILE);
- ExpectNotNull(crl = (X509_CRL *)PEM_read_X509_CRL(fp, (X509_CRL **)NULL,
- NULL, NULL));
- if (fp != XBADFILE)
- XFCLOSE(fp);
- ExpectIntEQ(X509_STORE_add_crl(store, crl), SSL_SUCCESS);
- ExpectIntEQ(X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK),SSL_SUCCESS);
- ExpectNotNull((storeCtx = X509_STORE_CTX_new()));
- ExpectNotNull((cert = wolfSSL_X509_load_certificate_file(srvCert,
- SSL_FILETYPE_PEM)));
- ExpectIntEQ(X509_STORE_CTX_init(storeCtx, store, cert, NULL), SSL_SUCCESS);
- ExpectIntNE(X509_verify_cert(storeCtx), SSL_SUCCESS);
- ExpectIntEQ(X509_STORE_CTX_get_error(storeCtx),
- WOLFSSL_X509_V_ERR_CERT_REVOKED);
- X509_CRL_free(crl);
- crl = NULL;
- X509_STORE_free(store);
- store = NULL;
- X509_STORE_CTX_free(storeCtx);
- storeCtx = NULL;
- X509_free(cert);
- cert = NULL;
- X509_free(ca);
- ca = NULL;
-#endif /* !WOLFSSL_CRL_ALLOW_MISSING_CDP */
-#endif /* HAVE_CRL */
-
-
-
-#if !defined(WOLFCRYPT_ONLY) && !defined(NO_FILESYSTEM)
- {
- #if !defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)
- SSL_CTX* ctx = NULL;
- SSL* ssl = NULL;
- int i;
- for (i = 0; i < 2; i++) {
- #ifndef NO_WOLFSSL_SERVER
- ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method()));
- #else
- ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method()));
- #endif
- ExpectNotNull(store = (X509_STORE *)X509_STORE_new());
- SSL_CTX_set_cert_store(ctx, store);
- ExpectNotNull(store = (X509_STORE *)X509_STORE_new());
- SSL_CTX_set_cert_store(ctx, store);
- ExpectNotNull(store = (X509_STORE *)X509_STORE_new());
- ExpectIntEQ(SSL_CTX_use_certificate_file(ctx, svrCertFile,
- SSL_FILETYPE_PEM), SSL_SUCCESS);
- ExpectIntEQ(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile,
- SSL_FILETYPE_PEM), SSL_SUCCESS);
- ExpectNotNull(ssl = SSL_new(ctx));
- if (i == 0) {
- ExpectIntEQ(SSL_set0_verify_cert_store(ssl, store),
- SSL_SUCCESS);
- }
- else {
- 
ExpectIntEQ(SSL_set1_verify_cert_store(ssl, store), SSL_SUCCESS);
- #ifdef OPENSSL_ALL
- ExpectIntEQ(SSL_CTX_set1_verify_cert_store(ctx, store), SSL_SUCCESS);
- #endif
- }
- if (EXPECT_FAIL() || (i == 1)) {
- X509_STORE_free(store);
- store = NULL;
- }
- SSL_free(ssl);
- ssl = NULL;
- SSL_CTX_free(ctx);
- ctx = NULL;
- }
- #endif /* !NO_WOLFSSL_CLIENT || !NO_WOLFSSL_SERVER */
- }
-#endif
-#endif
- return EXPECT_RESULT();
-}
-
-static int test_wolfSSL_X509_STORE_load_locations(void)
-{
- EXPECT_DECLS;
-#if (defined(OPENSSL_ALL) || defined(WOLFSSL_APACHE_HTTPD)) && \
- !defined(NO_FILESYSTEM) && !defined(NO_WOLFSSL_DIR) && !defined(NO_RSA) && \
- !defined(NO_TLS)
- SSL_CTX *ctx = NULL;
- X509_STORE *store = NULL;
-
- const char ca_file[] = "./certs/ca-cert.pem";
- const char client_pem_file[] = "./certs/client-cert.pem";
- const char client_der_file[] = "./certs/client-cert.der";
- const char ecc_file[] = "./certs/ecc-key.pem";
- const char certs_path[] = "./certs/";
- const char bad_path[] = "./bad-path/";
-#ifdef HAVE_CRL
- const char crl_path[] = "./certs/crl/";
- const char crl_file[] = "./certs/crl/crl.pem";
-#endif
-
-#ifndef NO_WOLFSSL_SERVER
- ExpectNotNull(ctx = SSL_CTX_new(SSLv23_server_method()));
-#else
- ExpectNotNull(ctx = SSL_CTX_new(SSLv23_client_method()));
-#endif
- ExpectNotNull(store = SSL_CTX_get_cert_store(ctx));
- ExpectIntEQ(wolfSSL_CertManagerLoadCA(store->cm, ca_file, NULL),
- WOLFSSL_SUCCESS);
-
- /* Test bad arguments */
- ExpectIntEQ(X509_STORE_load_locations(NULL, ca_file, NULL),
- WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
- ExpectIntEQ(X509_STORE_load_locations(store, NULL, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
- ExpectIntEQ(X509_STORE_load_locations(store, client_der_file, NULL),
- WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
- ExpectIntEQ(X509_STORE_load_locations(store, ecc_file, NULL),
- WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
- ExpectIntEQ(X509_STORE_load_locations(store, NULL, bad_path),
- WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
-
-#ifdef HAVE_CRL
- /* 
Test with CRL */
- ExpectIntEQ(X509_STORE_load_locations(store, crl_file, NULL),
- WOLFSSL_SUCCESS);
- ExpectIntEQ(X509_STORE_load_locations(store, NULL, crl_path),
- WOLFSSL_SUCCESS);
-#endif
-
- /* Test with CA */
- ExpectIntEQ(X509_STORE_load_locations(store, ca_file, NULL),
- WOLFSSL_SUCCESS);
-
- /* Test with client_cert and certs path */
- ExpectIntEQ(X509_STORE_load_locations(store, client_pem_file, NULL),
- WOLFSSL_SUCCESS);
- ExpectIntEQ(X509_STORE_load_locations(store, NULL, certs_path),
- WOLFSSL_SUCCESS);
-
-#if defined(XGETENV) && !defined(NO_GETENV) && defined(_POSIX_C_SOURCE) && \
- _POSIX_C_SOURCE >= 200112L
- ExpectIntEQ(wolfSSL_CTX_UnloadCAs(ctx), WOLFSSL_SUCCESS);
- /* Test with env vars */
- ExpectIntEQ(setenv("SSL_CERT_FILE", client_pem_file, 1), 0);
- ExpectIntEQ(setenv("SSL_CERT_DIR", certs_path, 1), 0);
- ExpectIntEQ(X509_STORE_set_default_paths(store), WOLFSSL_SUCCESS);
-#endif
-
-#if defined(OPENSSL_EXTRA) || defined(DEBUG_WOLFSSL_VERBOSE)
- /* Clear nodes */
- ERR_clear_error();
-#endif
-
- SSL_CTX_free(ctx);
-#endif
- return EXPECT_RESULT();
-}
-
-static int test_X509_STORE_get0_objects(void)
-{
- EXPECT_DECLS;
-#if defined(OPENSSL_ALL) && !defined(NO_FILESYSTEM) && !defined(NO_TLS) && \
- !defined(NO_WOLFSSL_DIR) && !defined(NO_RSA)
- X509_STORE *store = NULL;
- X509_STORE *store_cpy = NULL;
- SSL_CTX *ctx = NULL;
- X509_OBJECT *obj = NULL;
-#ifdef HAVE_CRL
- X509_OBJECT *objCopy = NULL;
-#endif
- STACK_OF(X509_OBJECT) *objs = NULL;
- STACK_OF(X509_OBJECT) *objsCopy = NULL;
- int i;
-
- /* Setup store */
-#ifndef NO_WOLFSSL_SERVER
- ExpectNotNull(ctx = SSL_CTX_new(SSLv23_server_method()));
-#else
- ExpectNotNull(ctx = SSL_CTX_new(SSLv23_client_method()));
-#endif
- ExpectNotNull(store_cpy = X509_STORE_new());
- ExpectNotNull(store = SSL_CTX_get_cert_store(ctx));
- ExpectIntEQ(X509_STORE_load_locations(store, cliCertFile, NULL),
- WOLFSSL_SUCCESS);
- ExpectIntEQ(X509_STORE_load_locations(store, caCertFile, NULL),
- WOLFSSL_SUCCESS);
- 
ExpectIntEQ(X509_STORE_load_locations(store, svrCertFile, NULL),
- WOLFSSL_SUCCESS);
-#ifdef HAVE_CRL
- ExpectIntEQ(X509_STORE_load_locations(store, NULL, crlPemDir),
- WOLFSSL_SUCCESS);
-#endif
- /* Store ready */
-
- /* Similar to HaProxy ssl_set_cert_crl_file use case */
- ExpectNotNull(objs = X509_STORE_get0_objects(store));
-#ifdef HAVE_CRL
-#ifdef WOLFSSL_SIGNER_DER_CERT
- ExpectIntEQ(sk_X509_OBJECT_num(objs), 4);
-#else
- ExpectIntEQ(sk_X509_OBJECT_num(objs), 1);
-#endif
-#else
-#ifdef WOLFSSL_SIGNER_DER_CERT
- ExpectIntEQ(sk_X509_OBJECT_num(objs), 3);
-#else
- ExpectIntEQ(sk_X509_OBJECT_num(objs), 0);
-#endif
-#endif
- ExpectIntEQ(sk_X509_OBJECT_num(NULL), 0);
- ExpectNull(sk_X509_OBJECT_value(NULL, 0));
- ExpectNull(sk_X509_OBJECT_value(NULL, 1));
- ExpectNull(sk_X509_OBJECT_value(objs, sk_X509_OBJECT_num(objs)));
- ExpectNull(sk_X509_OBJECT_value(objs, sk_X509_OBJECT_num(objs) + 1));
-#ifndef NO_WOLFSSL_STUB
- ExpectNull(sk_X509_OBJECT_delete(objs, 0));
-#endif
- ExpectNotNull(objsCopy = sk_X509_OBJECT_deep_copy(objs, NULL, NULL));
- ExpectIntEQ(sk_X509_OBJECT_num(objs), sk_X509_OBJECT_num(objsCopy));
- for (i = 0; i < sk_X509_OBJECT_num(objs) && EXPECT_SUCCESS(); i++) {
- obj = (X509_OBJECT*)sk_X509_OBJECT_value(objs, i);
- #ifdef HAVE_CRL
- objCopy = (X509_OBJECT*)sk_X509_OBJECT_value(objsCopy, i);
- #endif
- switch (X509_OBJECT_get_type(obj)) {
- case X509_LU_X509:
- {
- X509* x509 = NULL;
- X509_NAME *subj_name = NULL;
- ExpectNull(X509_OBJECT_get0_X509_CRL(NULL));
- ExpectNull(X509_OBJECT_get0_X509_CRL(obj));
- ExpectNotNull(x509 = X509_OBJECT_get0_X509(obj));
- ExpectIntEQ(X509_STORE_add_cert(store_cpy, x509), WOLFSSL_SUCCESS);
- ExpectNotNull(subj_name = X509_get_subject_name(x509));
- ExpectPtrEq(obj, X509_OBJECT_retrieve_by_subject(objs, X509_LU_X509,
- subj_name));
-
- break;
- }
- case X509_LU_CRL:
-#ifdef HAVE_CRL
- {
- X509_CRL* crl = NULL;
- ExpectNull(X509_OBJECT_get0_X509(NULL));
- ExpectNull(X509_OBJECT_get0_X509(obj));
- 
ExpectNotNull(crl = X509_OBJECT_get0_X509_CRL(obj));
- ExpectIntEQ(X509_STORE_add_crl(store_cpy, crl), WOLFSSL_SUCCESS);
-
- ExpectNotNull(crl = X509_OBJECT_get0_X509_CRL(objCopy));
- break;
- }
-#endif
- case X509_LU_NONE:
- default:
- Fail(("X509_OBJECT_get_type should return x509 or crl "
- "(when built with crl support)"),
- ("Unrecognized X509_OBJECT type or none"));
- }
- }
-
- X509_STORE_free(store_cpy);
- SSL_CTX_free(ctx);
-
- wolfSSL_sk_X509_OBJECT_free(NULL);
- objs = NULL;
- wolfSSL_sk_pop_free(objsCopy, NULL);
- objsCopy = NULL;
- ExpectNotNull(objs = wolfSSL_sk_X509_OBJECT_new());
- ExpectIntEQ(wolfSSL_sk_X509_OBJECT_push(NULL, NULL), WOLFSSL_FAILURE);
- ExpectIntEQ(wolfSSL_sk_X509_OBJECT_push(objs, NULL), WOLFSSL_FAILURE);
- ExpectIntEQ(wolfSSL_sk_X509_OBJECT_push(NULL, obj), WOLFSSL_FAILURE);
- ExpectNotNull(objsCopy = sk_X509_OBJECT_deep_copy(objs, NULL, NULL));
- wolfSSL_sk_X509_OBJECT_free(objsCopy);
- wolfSSL_sk_X509_OBJECT_free(objs);
-#endif
- return EXPECT_RESULT();
-}
-
-#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_TLS) && \
- !defined(NO_FILESYSTEM) && !defined(NO_RSA)
-#define TEST_ARG 0x1234
-static void msg_cb(int write_p, int version, int content_type,
- const void *buf, size_t len, SSL *ssl, void *arg)
-{
- (void)write_p;
- (void)version;
- (void)content_type;
- (void)buf;
- (void)len;
- (void)ssl;
-
- AssertTrue(arg == (void*)TEST_ARG);
-}
-#endif
-
-#if defined(OPENSSL_EXTRA) && defined(DEBUG_WOLFSSL) && \
- defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES)
-#if defined(SESSION_CERTS)
-#include "wolfssl/internal.h"
-#endif
-static int msgSrvCb(SSL_CTX *ctx, SSL *ssl)
-{
- EXPECT_DECLS;
-#if defined(OPENSSL_ALL) && defined(SESSION_CERTS) && !defined(NO_BIO)
- STACK_OF(X509)* sk = NULL;
- X509* x509 = NULL;
- int i, num;
- BIO* bio = NULL;
-#endif
-
- ExpectNotNull(ctx);
- ExpectNotNull(ssl);
-
- fprintf(stderr, "\n===== msgSrvCb called ====\n");
-#if defined(SESSION_CERTS) && defined(TEST_PEER_CERT_CHAIN)
- 
ExpectTrue(SSL_get_peer_cert_chain(ssl) != NULL);
- ExpectIntEQ(((WOLFSSL_X509_CHAIN *)SSL_get_peer_cert_chain(ssl))->count, 2);
- ExpectNotNull(SSL_get0_verified_chain(ssl));
-#endif
-
-#if defined(OPENSSL_ALL) && defined(SESSION_CERTS) && !defined(NO_BIO)
-#ifdef KEEP_PEER_CERT
- {
- WOLFSSL_X509* peer = NULL;
- ExpectNotNull(peer= wolfSSL_get_peer_certificate(ssl));
- ExpectNotNull(bio = BIO_new_fp(stderr, BIO_NOCLOSE));
- fprintf(stderr, "Peer Certificate = :\n");
- X509_print(bio, peer);
- X509_free(peer);
- }
-#endif
-
- ExpectNotNull(sk = SSL_get_peer_cert_chain(ssl));
- if (sk == NULL) {
- BIO_free(bio);
- return TEST_FAIL;
- }
- num = sk_X509_num(sk);
- ExpectTrue(num > 0);
- for (i = 0; i < num; i++) {
- ExpectNotNull(x509 = sk_X509_value(sk,i));
- if (x509 == NULL)
- break;
- fprintf(stderr, "Certificate at index [%d] = :\n",i);
- X509_print(bio,x509);
- fprintf(stderr, "\n\n");
- }
- BIO_free(bio);
-#endif
- return EXPECT_RESULT();
-}
-
-static int msgCb(SSL_CTX *ctx, SSL *ssl)
-{
- EXPECT_DECLS;
-#if defined(OPENSSL_ALL) && defined(SESSION_CERTS) && !defined(NO_BIO)
- STACK_OF(X509)* sk = NULL;
- X509* x509 = NULL;
- int i, num;
- BIO* bio = NULL;
-#endif
-
- ExpectNotNull(ctx);
- ExpectNotNull(ssl);
-
- fprintf(stderr, "\n===== msgcb called ====\n");
-#if defined(SESSION_CERTS) && defined(TEST_PEER_CERT_CHAIN)
- ExpectTrue(SSL_get_peer_cert_chain(ssl) != NULL);
- ExpectIntEQ(((WOLFSSL_X509_CHAIN *)SSL_get_peer_cert_chain(ssl))->count, 2);
- ExpectNotNull(SSL_get0_verified_chain(ssl));
-#endif
-
-#if defined(OPENSSL_ALL) && defined(SESSION_CERTS) && !defined(NO_BIO)
- ExpectNotNull(bio = BIO_new_fp(stderr, BIO_NOCLOSE));
- ExpectNotNull(sk = SSL_get_peer_cert_chain(ssl));
- if (sk == NULL) {
- BIO_free(bio);
- return TEST_FAIL;
- }
- num = sk_X509_num(sk);
- ExpectTrue(num > 0);
- for (i = 0; i < num; i++) {
- ExpectNotNull(x509 = sk_X509_value(sk,i));
- if (x509 == NULL)
- break;
- fprintf(stderr, "Certificate at index [%d] = :\n",i);
- 
X509_print(bio,x509);
- fprintf(stderr, "\n\n");
- }
- BIO_free(bio);
-#endif
- return EXPECT_RESULT();
-}
-#endif
-
-static int test_wolfSSL_msgCb(void)
-{
- EXPECT_DECLS;
-#if defined(OPENSSL_EXTRA) && defined(DEBUG_WOLFSSL) && \
- defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES)
- test_ssl_cbf client_cb;
- test_ssl_cbf server_cb;
-
- XMEMSET(&client_cb, 0, sizeof(client_cb));
- XMEMSET(&server_cb, 0, sizeof(server_cb));
-#ifndef WOLFSSL_NO_TLS12
- client_cb.method = wolfTLSv1_2_client_method;
- server_cb.method = wolfTLSv1_2_server_method;
-#else
- client_cb.method = wolfTLSv1_3_client_method;
- server_cb.method = wolfTLSv1_3_server_method;
-#endif
- server_cb.caPemFile = caCertFile;
- client_cb.certPemFile = "./certs/intermediate/client-chain.pem";
-
- ExpectIntEQ(test_wolfSSL_client_server_nofail_memio_ex(&client_cb,
- &server_cb, msgCb, msgSrvCb), TEST_SUCCESS);
-#endif
- return EXPECT_RESULT();
-}
-
-static int test_wolfSSL_either_side(void)
-{
- EXPECT_DECLS;
-#if (defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE)) && \
- defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES)
- test_ssl_cbf client_cb;
- test_ssl_cbf server_cb;
-
- XMEMSET(&client_cb, 0, sizeof(client_cb));
- XMEMSET(&server_cb, 0, sizeof(server_cb));
-
- /* Use different CTX for client and server */
- client_cb.ctx = wolfSSL_CTX_new(wolfSSLv23_method());
- ExpectNotNull(client_cb.ctx);
- server_cb.ctx = wolfSSL_CTX_new(wolfSSLv23_method());
- ExpectNotNull(server_cb.ctx);
- /* we are responsible for free'ing WOLFSSL_CTX */
- server_cb.isSharedCtx = client_cb.isSharedCtx = 1;
-
- ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cb,
- &server_cb, NULL), TEST_SUCCESS);
-
- wolfSSL_CTX_free(client_cb.ctx);
- wolfSSL_CTX_free(server_cb.ctx);
-#endif
- return EXPECT_RESULT();
-}
-
-static int test_wolfSSL_DTLS_either_side(void)
-{
- EXPECT_DECLS;
-#if (defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE)) && \
- defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && defined(WOLFSSL_DTLS)
- test_ssl_cbf 
client_cb;
- test_ssl_cbf server_cb;
-
- XMEMSET(&client_cb, 0, sizeof(client_cb));
- XMEMSET(&server_cb, 0, sizeof(server_cb));
-
- /* Use different CTX for client and server */
- client_cb.ctx = wolfSSL_CTX_new(wolfDTLS_method());
- ExpectNotNull(client_cb.ctx);
- server_cb.ctx = wolfSSL_CTX_new(wolfDTLS_method());
- ExpectNotNull(server_cb.ctx);
- /* we are responsible for free'ing WOLFSSL_CTX */
- server_cb.isSharedCtx = client_cb.isSharedCtx = 1;
-
- ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cb,
- &server_cb, NULL), TEST_SUCCESS);
-
- wolfSSL_CTX_free(client_cb.ctx);
- wolfSSL_CTX_free(server_cb.ctx);
-#endif
- return EXPECT_RESULT();
-}
-
-static int test_generate_cookie(void)
-{
- EXPECT_DECLS;
-#if defined(WOLFSSL_DTLS) && defined(OPENSSL_EXTRA) && defined(USE_WOLFSSL_IO)
- SSL_CTX* ctx = NULL;
- SSL* ssl = NULL;
- byte buf[FOURK_BUF] = {0};
-
- ExpectNotNull(ctx = wolfSSL_CTX_new(wolfDTLS_method()));
- ExpectNotNull(ssl = SSL_new(ctx));
-
- /* Test unconnected */
- ExpectIntEQ(EmbedGenerateCookie(ssl, buf, FOURK_BUF, NULL), WC_NO_ERR_TRACE(GEN_COOKIE_E));
-
- wolfSSL_CTX_SetGenCookie(ctx, EmbedGenerateCookie);
-
- wolfSSL_SetCookieCtx(ssl, ctx);
-
- ExpectNotNull(wolfSSL_GetCookieCtx(ssl));
-
- ExpectNull(wolfSSL_GetCookieCtx(NULL));
-
- SSL_free(ssl);
- SSL_CTX_free(ctx);
-#endif
- return EXPECT_RESULT();
-}
-
-static int test_wolfSSL_set_options(void)
-{
- EXPECT_DECLS;
-#if !defined(NO_CERTS) && !defined(NO_TLS) && !defined(NO_FILESYSTEM) && \
- (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) && \
- !defined(NO_RSA)
- WOLFSSL* ssl = NULL;
- WOLFSSL_CTX* ctx = NULL;
-#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
- char appData[] = "extra msg";
-#endif
-#ifdef OPENSSL_EXTRA
- unsigned char protos[] = {
- 7, 't', 'l', 's', '/', '1', '.', '2',
- 8, 'h', 't', 't', 'p', '/', '1', '.', '1'
- };
- unsigned int len = sizeof(protos);
- void *arg = (void *)TEST_ARG;
-#endif
-
-#ifndef NO_WOLFSSL_SERVER
- 
ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); -#else - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); -#endif - ExpectTrue(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile, - CERT_FILETYPE)); - ExpectTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, - CERT_FILETYPE)); - - ExpectTrue(wolfSSL_CTX_set_options(ctx, WOLFSSL_OP_NO_TLSv1) - == WOLFSSL_OP_NO_TLSv1); - ExpectTrue(wolfSSL_CTX_get_options(ctx) == WOLFSSL_OP_NO_TLSv1); - - ExpectIntGT((int)wolfSSL_CTX_set_options(ctx, (WOLFSSL_OP_COOKIE_EXCHANGE | - WOLFSSL_OP_NO_SSLv2)), 0); - ExpectTrue((wolfSSL_CTX_set_options(ctx, WOLFSSL_OP_COOKIE_EXCHANGE) & - WOLFSSL_OP_COOKIE_EXCHANGE) == WOLFSSL_OP_COOKIE_EXCHANGE); - ExpectTrue((wolfSSL_CTX_set_options(ctx, WOLFSSL_OP_NO_TLSv1_2) & - WOLFSSL_OP_NO_TLSv1_2) == WOLFSSL_OP_NO_TLSv1_2); - ExpectTrue((wolfSSL_CTX_set_options(ctx, WOLFSSL_OP_NO_COMPRESSION) & - WOLFSSL_OP_NO_COMPRESSION) == WOLFSSL_OP_NO_COMPRESSION); - ExpectFalse((wolfSSL_CTX_clear_options(ctx, WOLFSSL_OP_NO_COMPRESSION) & - WOLFSSL_OP_NO_COMPRESSION)); - - wolfSSL_CTX_free(ctx); - ctx = NULL; - -#ifndef NO_WOLFSSL_SERVER - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); -#else - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); -#endif - ExpectTrue(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile, - CERT_FILETYPE)); - ExpectTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, - CERT_FILETYPE)); -#ifdef OPENSSL_EXTRA - ExpectTrue(wolfSSL_CTX_set_msg_callback(ctx, msg_cb) == WOLFSSL_SUCCESS); -#endif - - ExpectNotNull(ssl = wolfSSL_new(ctx)); -#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) -#ifdef HAVE_EX_DATA - ExpectIntEQ(wolfSSL_set_app_data(ssl, (void*)appData), WOLFSSL_SUCCESS); - ExpectNotNull(wolfSSL_get_app_data((const WOLFSSL*)ssl)); - if (ssl != NULL) { - ExpectIntEQ(XMEMCMP(wolfSSL_get_app_data((const WOLFSSL*)ssl), - appData, sizeof(appData)), 0); - } -#else - ExpectIntEQ(wolfSSL_set_app_data(ssl, 
(void*)appData), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectNull(wolfSSL_get_app_data((const WOLFSSL*)ssl)); -#endif -#endif - - ExpectTrue(wolfSSL_set_options(ssl, WOLFSSL_OP_NO_TLSv1) == - WOLFSSL_OP_NO_TLSv1); - - ExpectTrue(wolfSSL_get_options(ssl) == WOLFSSL_OP_NO_TLSv1); - - ExpectIntGT((int)wolfSSL_set_options(ssl, (WOLFSSL_OP_COOKIE_EXCHANGE | - WOLFSSL_OP_NO_SSLv2)), 0); - - ExpectTrue((wolfSSL_set_options(ssl, WOLFSSL_OP_COOKIE_EXCHANGE) & - WOLFSSL_OP_COOKIE_EXCHANGE) == WOLFSSL_OP_COOKIE_EXCHANGE); - - ExpectTrue((wolfSSL_set_options(ssl, WOLFSSL_OP_NO_TLSv1_2) & - WOLFSSL_OP_NO_TLSv1_2) == WOLFSSL_OP_NO_TLSv1_2); - - ExpectTrue((wolfSSL_set_options(ssl, WOLFSSL_OP_NO_COMPRESSION) & - WOLFSSL_OP_NO_COMPRESSION) == WOLFSSL_OP_NO_COMPRESSION); - -#ifdef OPENSSL_EXTRA - ExpectFalse((wolfSSL_clear_options(ssl, WOLFSSL_OP_NO_COMPRESSION) & - WOLFSSL_OP_NO_COMPRESSION)); -#endif - -#ifdef OPENSSL_EXTRA - ExpectTrue(wolfSSL_set_msg_callback(ssl, msg_cb) == WOLFSSL_SUCCESS); - wolfSSL_set_msg_callback_arg(ssl, arg); -#ifdef WOLFSSL_ERROR_CODE_OPENSSL - ExpectTrue(wolfSSL_CTX_set_alpn_protos(ctx, protos, len) == 0); -#else - ExpectTrue(wolfSSL_CTX_set_alpn_protos(ctx, protos, len) == WOLFSSL_SUCCESS); -#endif -#endif - -#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || \ - defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(OPENSSL_ALL) || \ - defined(HAVE_LIGHTY) || defined(HAVE_STUNNEL) - -#if defined(HAVE_ALPN) && !defined(NO_BIO) - -#ifdef WOLFSSL_ERROR_CODE_OPENSSL - ExpectTrue(wolfSSL_set_alpn_protos(ssl, protos, len) == 0); -#else - ExpectTrue(wolfSSL_set_alpn_protos(ssl, protos, len) == WOLFSSL_SUCCESS); -#endif - -#endif /* HAVE_ALPN && !NO_BIO */ -#endif - - wolfSSL_free(ssl); - wolfSSL_CTX_free(ctx); -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_sk_SSL_CIPHER(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_ALL) && !defined(NO_CERTS) && !defined(NO_TLS) && \ - !defined(NO_FILESYSTEM) && !defined(NO_RSA) -#if !defined(NO_WOLFSSL_CLIENT) 
|| !defined(NO_WOLFSSL_SERVER) - SSL* ssl = NULL; - SSL_CTX* ctx = NULL; - STACK_OF(SSL_CIPHER) *sk = NULL; - STACK_OF(SSL_CIPHER) *dupSk = NULL; - -#ifndef NO_WOLFSSL_SERVER - ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); -#else - ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); -#endif - ExpectTrue(SSL_CTX_use_certificate_file(ctx, svrCertFile, SSL_FILETYPE_PEM)); - ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, SSL_FILETYPE_PEM)); - ExpectNotNull(ssl = SSL_new(ctx)); - ExpectNotNull(sk = SSL_get_ciphers(ssl)); - ExpectNotNull(dupSk = sk_SSL_CIPHER_dup(sk)); - ExpectIntGT(sk_SSL_CIPHER_num(sk), 0); - ExpectIntEQ(sk_SSL_CIPHER_num(sk), sk_SSL_CIPHER_num(dupSk)); - - /* error case because connection has not been established yet */ - ExpectIntEQ(sk_SSL_CIPHER_find(sk, SSL_get_current_cipher(ssl)), -1); - sk_SSL_CIPHER_free(dupSk); - - /* sk is pointer to internal struct that should be free'd in SSL_free */ - SSL_free(ssl); - SSL_CTX_free(ctx); -#endif /* !NO_WOLFSSL_CLIENT || !NO_WOLFSSL_SERVER */ -#endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ - !defined(NO_FILESYSTEM) && !defined(NO_RSA) */ - return EXPECT_RESULT(); -} - -static int test_wolfSSL_set1_curves_list(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && defined(HAVE_ECC) && !defined(NO_TLS) && \ - (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) && \ - !defined(NO_FILESYSTEM) - SSL* ssl = NULL; - SSL_CTX* ctx = NULL; - -#ifndef NO_WOLFSSL_SERVER - ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); -#else - ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); -#endif - ExpectTrue(SSL_CTX_use_certificate_file(ctx, eccCertFile, - SSL_FILETYPE_PEM)); - ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, eccKeyFile, SSL_FILETYPE_PEM)); - ExpectNotNull(ssl = SSL_new(ctx)); - - ExpectIntEQ(SSL_CTX_set1_curves_list(ctx, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); -#ifdef HAVE_ECC - ExpectIntEQ(SSL_CTX_set1_curves_list(ctx, "P-25X"), 
WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(SSL_CTX_set1_curves_list(ctx, "P-256"), WOLFSSL_SUCCESS); -#endif -#ifdef HAVE_CURVE25519 - ExpectIntEQ(SSL_CTX_set1_curves_list(ctx, "X25519"), WOLFSSL_SUCCESS); -#else - ExpectIntEQ(SSL_CTX_set1_curves_list(ctx, "X25519"), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); -#endif -#ifdef HAVE_CURVE448 - ExpectIntEQ(SSL_CTX_set1_curves_list(ctx, "X448"), WOLFSSL_SUCCESS); -#else - ExpectIntEQ(SSL_CTX_set1_curves_list(ctx, "X448"), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); -#endif - - ExpectIntEQ(SSL_set1_curves_list(ssl, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); -#ifdef HAVE_ECC - ExpectIntEQ(SSL_set1_curves_list(ssl, "P-25X"), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(SSL_set1_curves_list(ssl, "P-256"), WOLFSSL_SUCCESS); -#endif - -#ifdef HAVE_CURVE25519 - ExpectIntEQ(SSL_set1_curves_list(ssl, "X25519"), WOLFSSL_SUCCESS); -#else - ExpectIntEQ(SSL_set1_curves_list(ssl, "X25519"), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); -#endif -#ifdef HAVE_CURVE448 - ExpectIntEQ(SSL_set1_curves_list(ssl, "X448"), WOLFSSL_SUCCESS); -#else - ExpectIntEQ(SSL_set1_curves_list(ssl, "X448"), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); -#endif - - SSL_free(ssl); - SSL_CTX_free(ctx); -#endif - return EXPECT_RESULT(); -} - -#if defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \ - (defined(OPENSSL_EXTRA) || defined(HAVE_CURL)) && defined(HAVE_ECC) -static int test_wolfSSL_curves_mismatch_ctx_ready(WOLFSSL_CTX* ctx) -{ - static int counter = 0; - EXPECT_DECLS; - - if (counter % 2) { - ExpectIntEQ(wolfSSL_CTX_set1_curves_list(ctx, "P-256"), - WOLFSSL_SUCCESS); - } - else { - ExpectIntEQ(wolfSSL_CTX_set1_curves_list(ctx, "P-384"), - WOLFSSL_SUCCESS); - } - - /* Ciphersuites that require curves */ - wolfSSL_CTX_set_cipher_list(ctx, "TLS13-AES256-GCM-SHA384:" - "TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES128-GCM-SHA256:" - "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:" - "ECDHE-ECDSA-AES128-GCM-SHA256:" - "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:" - 
"ECDHE-ECDSA-CHACHA20-POLY1305"); - - counter++; - return EXPECT_RESULT(); -} -#endif - -static int test_wolfSSL_curves_mismatch(void) -{ - EXPECT_DECLS; -#if defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \ - (defined(OPENSSL_EXTRA) || defined(HAVE_CURL)) && defined(HAVE_ECC) - test_ssl_cbf func_cb_client; - test_ssl_cbf func_cb_server; - size_t i; - struct { - method_provider client_meth; - method_provider server_meth; - const char* desc; - int client_last_err; - int server_last_err; - } test_params[] = { -#ifdef WOLFSSL_TLS13 - {wolfTLSv1_3_client_method, wolfTLSv1_3_server_method, "TLS 1.3", - /* Client gets error because server will attempt HRR */ - WC_NO_ERR_TRACE(BAD_KEY_SHARE_DATA), - WC_NO_ERR_TRACE(FATAL_ERROR) - }, -#endif -#ifndef WOLFSSL_NO_TLS12 - {wolfTLSv1_2_client_method, wolfTLSv1_2_server_method, "TLS 1.2", - WC_NO_ERR_TRACE(FATAL_ERROR), - /* Server gets error because <=1.2 doesn't have a mechanism - * to negotiate curves. */ -#ifdef OPENSSL_EXTRA - WC_NO_ERR_TRACE(WOLFSSL_ERROR_SYSCALL) -#else - WC_NO_ERR_TRACE(MATCH_SUITE_ERROR) -#endif - }, -#endif -#ifndef NO_OLD_TLS - {wolfTLSv1_1_client_method, wolfTLSv1_1_server_method, "TLS 1.1", - WC_NO_ERR_TRACE(FATAL_ERROR), -#ifdef OPENSSL_EXTRA - WC_NO_ERR_TRACE(WOLFSSL_ERROR_SYSCALL) -#else - WC_NO_ERR_TRACE(MATCH_SUITE_ERROR) -#endif - }, + static const unsigned char testResultSha384[] = + { + 0xaf, 0xd0, 0x39, 0x44, 0xd8, 0x48, 0x95, 0x62, + 0x6b, 0x08, 0x25, 0xf4, 0xab, 0x46, 0x90, 0x7f, + 0x15, 0xf9, 0xda, 0xdb, 0xe4, 0x10, 0x1e, 0xc6, + 0x82, 0xaa, 0x03, 0x4c, 0x7c, 0xeb, 0xc5, 0x9c, + 0xfa, 0xea, 0x9e, 0xa9, 0x07, 0x6e, 0xde, 0x7f, + 0x4a, 0xf1, 0x52, 0xe8, 0xb2, 0xfa, 0x9c, 0xb6 + }; #endif +#ifdef WOLFSSL_SHA512 + static const unsigned char testResultSha512[] = + { + 0x87, 0xaa, 0x7c, 0xde, 0xa5, 0xef, 0x61, 0x9d, + 0x4f, 0xf0, 0xb4, 0x24, 0x1a, 0x1d, 0x6c, 0xb0, + 0x23, 0x79, 0xf4, 0xe2, 0xce, 0x4e, 0xc2, 0x78, + 0x7a, 0xd0, 0xb3, 0x05, 0x45, 0xe1, 0x7c, 0xde, + 0xda, 0xa8, 0x33, 0xb7, 
0xd6, 0xb8, 0xa7, 0x02, + 0x03, 0x8b, 0x27, 0x4e, 0xae, 0xa3, 0xf4, 0xe4, + 0xbe, 0x9d, 0x91, 0x4e, 0xeb, 0x61, 0xf1, 0x70, + 0x2e, 0x69, 0x6c, 0x20, 0x3a, 0x12, 0x68, 0x54 }; - - for (i = 0; i < XELEM_CNT(test_params) && !EXPECT_FAIL(); i++) { - XMEMSET(&func_cb_client, 0, sizeof(func_cb_client)); - XMEMSET(&func_cb_server, 0, sizeof(func_cb_server)); - - printf("\tTesting with %s...\n", test_params[i].desc); - - func_cb_client.ctx_ready = &test_wolfSSL_curves_mismatch_ctx_ready; - func_cb_server.ctx_ready = &test_wolfSSL_curves_mismatch_ctx_ready; - - func_cb_client.method = test_params[i].client_meth; - func_cb_server.method = test_params[i].server_meth; - - ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&func_cb_client, - &func_cb_server, NULL), -1001); - ExpectIntEQ(func_cb_client.last_err, test_params[i].client_last_err); - ExpectIntEQ(func_cb_server.last_err, test_params[i].server_last_err); - - if (!EXPECT_SUCCESS()) - break; - printf("\t%s passed\n", test_params[i].desc); - } #endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_set1_sigalgs_list(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_RSA) && \ - !defined(NO_TLS) && \ - (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) && \ - !defined(NO_FILESYSTEM) - SSL* ssl = NULL; - SSL_CTX* ctx = NULL; - -#ifndef NO_WOLFSSL_SERVER - ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); -#else - ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); +#ifdef WOLFSSL_SHA3 + #ifndef WOLFSSL_NOSHA3_224 + static const unsigned char testResultSha3_224[] = + { + 0x3b, 0x16, 0x54, 0x6b, 0xbc, 0x7b, 0xe2, 0x70, + 0x6a, 0x03, 0x1d, 0xca, 0xfd, 0x56, 0x37, 0x3d, + 0x98, 0x84, 0x36, 0x76, 0x41, 0xd8, 0xc5, 0x9a, + 0xf3, 0xc8, 0x60, 0xf7 + }; + #endif + #ifndef WOLFSSL_NOSHA3_256 + static const unsigned char testResultSha3_256[] = + { + 0xba, 0x85, 0x19, 0x23, 0x10, 0xdf, 0xfa, 0x96, + 0xe2, 0xa3, 0xa4, 0x0e, 0x69, 0x77, 0x43, 0x51, + 0x14, 
0x0b, 0xb7, 0x18, 0x5e, 0x12, 0x02, 0xcd, + 0xcc, 0x91, 0x75, 0x89, 0xf9, 0x5e, 0x16, 0xbb + }; + #endif + #ifndef WOLFSSL_NOSHA3_384 + static const unsigned char testResultSha3_384[] = + { + 0x68, 0xd2, 0xdc, 0xf7, 0xfd, 0x4d, 0xdd, 0x0a, + 0x22, 0x40, 0xc8, 0xa4, 0x37, 0x30, 0x5f, 0x61, + 0xfb, 0x73, 0x34, 0xcf, 0xb5, 0xd0, 0x22, 0x6e, + 0x1b, 0xc2, 0x7d, 0xc1, 0x0a, 0x2e, 0x72, 0x3a, + 0x20, 0xd3, 0x70, 0xb4, 0x77, 0x43, 0x13, 0x0e, + 0x26, 0xac, 0x7e, 0x3d, 0x53, 0x28, 0x86, 0xbd + }; + #endif + #ifndef WOLFSSL_NOSHA3_512 + static const unsigned char testResultSha3_512[] = + { + 0xeb, 0x3f, 0xbd, 0x4b, 0x2e, 0xaa, 0xb8, 0xf5, + 0xc5, 0x04, 0xbd, 0x3a, 0x41, 0x46, 0x5a, 0xac, + 0xec, 0x15, 0x77, 0x0a, 0x7c, 0xab, 0xac, 0x53, + 0x1e, 0x48, 0x2f, 0x86, 0x0b, 0x5e, 0xc7, 0xba, + 0x47, 0xcc, 0xb2, 0xc6, 0xf2, 0xaf, 0xce, 0x8f, + 0x88, 0xd2, 0x2b, 0x6d, 0xc6, 0x13, 0x80, 0xf2, + 0x3a, 0x66, 0x8f, 0xd3, 0x88, 0x8b, 0xb8, 0x05, + 0x37, 0xc0, 0xa0, 0xb8, 0x64, 0x07, 0x68, 0x9e + }; + #endif #endif - ExpectTrue(SSL_CTX_use_certificate_file(ctx, svrCertFile, - SSL_FILETYPE_PEM)); - ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, SSL_FILETYPE_PEM)); - ExpectNotNull(ssl = SSL_new(ctx)); - - ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(NULL, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_set1_sigalgs_list(NULL, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - - ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, ""), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, ""), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - -#ifndef NO_RSA - #ifndef NO_SHA256 - ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(NULL, "RSA+SHA256"), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_set1_sigalgs_list(NULL, "RSA+SHA256"), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - - 
ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, "RSA+SHA256"), - WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, "RSA+SHA256"), - WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, "RSA-SHA256"), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, "RSA-SHA256"), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - #ifdef WC_RSA_PSS - ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, "RSA-PSS+SHA256"), - WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, "RSA-PSS+SHA256"), - WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, "PSS+SHA256"), - WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, "PSS+SHA256"), - WOLFSSL_SUCCESS); - #endif - #ifdef WOLFSSL_SHA512 - ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, - "RSA+SHA256:RSA+SHA512"), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, - "RSA+SHA256:RSA+SHA512"), WOLFSSL_SUCCESS); - #elif defined(WOLFSSL_SHA384) - ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, - "RSA+SHA256:RSA+SHA384"), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, - "RSA+SHA256:RSA+SHA384"), WOLFSSL_SUCCESS); - #endif - ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, "RSA"), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, "RSA"), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, "RSA:RSA+SHA256"), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, "RSA:RSA+SHA256"), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, "RSA+SHA256+SHA256"), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, "RSA+SHA256+RSA"), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - #endif +#ifndef NO_SHA256 + ExpectIntEQ(test_hmac_signing(wolfSSL_EVP_sha256(), testKey, + sizeof(testKey), testData, XSTRLEN(testData), testResultSha256, + sizeof(testResultSha256)), TEST_SUCCESS); #endif -#ifdef HAVE_ECC - #ifndef 
NO_SHA256 - ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, "ECDSA+SHA256"), - WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, "ECDSA+SHA256"), - WOLFSSL_SUCCESS); - #ifdef WOLFSSL_SHA512 - ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, - "ECDSA+SHA256:ECDSA+SHA512"), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, - "ECDSA+SHA256:ECDSA+SHA512"), WOLFSSL_SUCCESS); - #elif defined(WOLFSSL_SHA384) - ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, - "ECDSA+SHA256:ECDSA+SHA384"), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, - "ECDSA+SHA256:ECDSA+SHA384"), WOLFSSL_SUCCESS); - #endif - #endif +#ifdef WOLFSSL_SHA224 + ExpectIntEQ(test_hmac_signing(wolfSSL_EVP_sha224(), testKey, + sizeof(testKey), testData, XSTRLEN(testData), testResultSha224, + sizeof(testResultSha224)), TEST_SUCCESS); #endif -#ifdef HAVE_ED25519 - ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, "ED25519"), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, "ED25519"), WOLFSSL_SUCCESS); +#ifdef WOLFSSL_SHA384 + ExpectIntEQ(test_hmac_signing(wolfSSL_EVP_sha384(), testKey, + sizeof(testKey), testData, XSTRLEN(testData), testResultSha384, + sizeof(testResultSha384)), TEST_SUCCESS); #endif -#ifdef HAVE_ED448 - ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, "ED448"), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, "ED448"), WOLFSSL_SUCCESS); +#ifdef WOLFSSL_SHA512 + ExpectIntEQ(test_hmac_signing(wolfSSL_EVP_sha512(), testKey, + sizeof(testKey), testData, XSTRLEN(testData), testResultSha512, + sizeof(testResultSha512)), TEST_SUCCESS); #endif -#ifndef NO_DSA - #ifndef NO_SHA256 - ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, "DSA+SHA256"), - WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, "DSA+SHA256"), - WOLFSSL_SUCCESS); +#ifdef WOLFSSL_SHA3 + #ifndef WOLFSSL_NOSHA3_224 + ExpectIntEQ(test_hmac_signing(wolfSSL_EVP_sha3_224(), testKey, + sizeof(testKey), testData, XSTRLEN(testData), testResultSha3_224, + 
sizeof(testResultSha3_224)), TEST_SUCCESS); #endif - #if !defined(NO_SHA) && (!defined(NO_OLD_TLS) || \ - defined(WOLFSSL_ALLOW_TLS_SHA1)) - ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, "DSA+SHA1"), - WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, "DSA+SHA1"), - WOLFSSL_SUCCESS); + #ifndef WOLFSSL_NOSHA3_256 + ExpectIntEQ(test_hmac_signing(wolfSSL_EVP_sha3_256(), testKey, + sizeof(testKey), testData, XSTRLEN(testData), testResultSha3_256, + sizeof(testResultSha3_256)), TEST_SUCCESS); + #endif + #ifndef WOLFSSL_NOSHA3_384 + ExpectIntEQ(test_hmac_signing(wolfSSL_EVP_sha3_384(), testKey, + sizeof(testKey), testData, XSTRLEN(testData), testResultSha3_384, + sizeof(testResultSha3_384)), TEST_SUCCESS); + #endif + #ifndef WOLFSSL_NOSHA3_512 + ExpectIntEQ(test_hmac_signing(wolfSSL_EVP_sha3_512(), testKey, + sizeof(testKey), testData, XSTRLEN(testData), testResultSha3_512, + sizeof(testResultSha3_512)), TEST_SUCCESS); #endif #endif - - SSL_free(ssl); - SSL_CTX_free(ctx); -#endif - return EXPECT_RESULT(); -} - -/* Testing wolfSSL_set_tlsext_status_type function. - * PRE: OPENSSL and HAVE_CERTIFICATE_STATUS_REQUEST defined. 
- */ -static int test_wolfSSL_set_tlsext_status_type(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && defined(HAVE_CERTIFICATE_STATUS_REQUEST) && \ - !defined(NO_RSA) && !defined(NO_WOLFSSL_SERVER) - SSL* ssl = NULL; - SSL_CTX* ctx = NULL; - - ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); - ExpectTrue(SSL_CTX_use_certificate_file(ctx, svrCertFile, - SSL_FILETYPE_PEM)); - ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, SSL_FILETYPE_PEM)); - ExpectNotNull(ssl = SSL_new(ctx)); - ExpectIntEQ(SSL_set_tlsext_status_type(ssl,TLSEXT_STATUSTYPE_ocsp), - SSL_SUCCESS); - ExpectIntEQ(SSL_get_tlsext_status_type(ssl), TLSEXT_STATUSTYPE_ocsp); - SSL_free(ssl); - SSL_CTX_free(ctx); -#endif /* OPENSSL_EXTRA && HAVE_CERTIFICATE_STATUS_REQUEST && !NO_RSA */ +#endif /* OPENSSL_EXTRA */ return EXPECT_RESULT(); } -#ifndef NO_BIO -static int test_wolfSSL_PEM_read_bio(void) +static int test_wolfSSL_EVP_MD_rsa_signing(void) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ - !defined(NO_FILESYSTEM) && !defined(NO_RSA) - byte buff[6000]; - XFILE f = XBADFILE; - int bytes = 0; - X509* x509 = NULL; - BIO* bio = NULL; - BUF_MEM* buf = NULL; - - ExpectTrue((f = XFOPEN(cliCertFile, "rb")) != XBADFILE); - ExpectIntGT(bytes = (int)XFREAD(buff, 1, sizeof(buff), f), 0); - if (f != XBADFILE) - XFCLOSE(f); - - ExpectNull(x509 = PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL)); - ExpectNotNull(bio = BIO_new_mem_buf((void*)buff, bytes)); - ExpectIntEQ(BIO_set_mem_eof_return(bio, -0xDEAD), 1); - ExpectNotNull(x509 = PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL)); - ExpectIntEQ((int)BIO_set_fd(bio, 0, BIO_CLOSE), 1); - /* BIO should return the set EOF value */ - ExpectIntEQ(BIO_read(bio, buff, sizeof(buff)), -0xDEAD); - ExpectIntEQ(BIO_set_close(bio, BIO_NOCLOSE), 1); - ExpectIntEQ(BIO_set_close(NULL, BIO_NOCLOSE), 1); - ExpectIntEQ(SSL_SUCCESS, BIO_get_mem_ptr(bio, &buf)); - - BIO_free(bio); - BUF_MEM_free(buf); - X509_free(x509); -#endif /* 
defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && - * !defined(NO_FILESYSTEM) && !defined(NO_RSA) */ - return EXPECT_RESULT(); -} - - -#if defined(OPENSSL_EXTRA) -static long bioCallback(BIO *bio, int cmd, const char* argp, int argi, - long argl, long ret) -{ - (void)bio; - (void)cmd; - (void)argp; - (void)argi; - (void)argl; - return ret; -} +#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && defined(USE_CERT_BUFFERS_2048) + WOLFSSL_EVP_PKEY* privKey = NULL; + WOLFSSL_EVP_PKEY* pubKey = NULL; + WOLFSSL_EVP_PKEY_CTX* keyCtx = NULL; + const char testData[] = "Hi There"; + WOLFSSL_EVP_MD_CTX mdCtx; + WOLFSSL_EVP_MD_CTX mdCtxCopy; + int ret; + size_t checkSz = -1; + int sz = 2048 / 8; + const unsigned char* cp; + const unsigned char* p; + unsigned char check[2048/8]; + size_t i; + int paddings[] = { + RSA_PKCS1_PADDING, +#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && defined(WC_RSA_PSS) + RSA_PKCS1_PSS_PADDING, #endif + }; -static int test_wolfSSL_BIO(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) - const unsigned char* p = NULL; - byte buff[20]; - BIO* bio1 = NULL; - BIO* bio2 = NULL; - BIO* bio3 = NULL; - char* bufPt = NULL; - int i; - - for (i = 0; i < 20; i++) { - buff[i] = i; - } - /* test BIO_free with NULL */ - ExpectIntEQ(BIO_free(NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + cp = client_key_der_2048; + ExpectNotNull((privKey = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL, &cp, + sizeof_client_key_der_2048))); + p = client_keypub_der_2048; + ExpectNotNull((pubKey = wolfSSL_d2i_PUBKEY(NULL, &p, + sizeof_client_keypub_der_2048))); - /* Creating and testing type BIO_s_bio */ - ExpectNotNull(bio1 = BIO_new(BIO_s_bio())); - ExpectNotNull(bio2 = BIO_new(BIO_s_bio())); - ExpectNotNull(bio3 = BIO_new(BIO_s_bio())); + wolfSSL_EVP_MD_CTX_init(&mdCtx); + wolfSSL_EVP_MD_CTX_init(&mdCtxCopy); + ExpectIntEQ(wolfSSL_EVP_DigestSignInit(&mdCtx, NULL, wolfSSL_EVP_sha256(), + NULL, privKey), 1); + ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData, + (unsigned 
int)XSTRLEN(testData)), 1); + checkSz = sizeof(check); + ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, NULL, &checkSz), 1); + ExpectIntEQ((int)checkSz, sz); + checkSz = sizeof(check); + ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); + ExpectIntEQ((int)checkSz,sz); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_copy_ex(&mdCtxCopy, &mdCtx), 1); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_copy_ex(&mdCtxCopy, &mdCtx), 1); + ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtxCopy); + ExpectIntEQ(ret, 1); + ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); + ExpectIntEQ(ret, 1); - /* read/write before set up */ - ExpectIntEQ(BIO_read(bio1, buff, 2), WOLFSSL_BIO_UNSET); - ExpectIntEQ(BIO_write(bio1, buff, 2), WOLFSSL_BIO_UNSET); + wolfSSL_EVP_MD_CTX_init(&mdCtx); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyInit(&mdCtx, NULL, wolfSSL_EVP_sha256(), + NULL, pubKey), 1); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData, + (unsigned int)XSTRLEN(testData)), + 1); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyFinal(&mdCtx, check, checkSz), 1); + ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); + ExpectIntEQ(ret, 1); - ExpectIntEQ(BIO_set_nbio(bio1, 1), 1); - ExpectIntEQ(BIO_set_write_buf_size(bio1, 20), WOLFSSL_SUCCESS); - ExpectIntEQ(BIO_set_write_buf_size(bio2, 8), WOLFSSL_SUCCESS); - ExpectIntEQ(BIO_make_bio_pair(bio1, bio2), WOLFSSL_SUCCESS); + wolfSSL_EVP_MD_CTX_init(&mdCtx); + ExpectIntEQ(wolfSSL_EVP_DigestSignInit(&mdCtx, NULL, wolfSSL_EVP_sha256(), + NULL, privKey), 1); + ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData, 4), 1); + checkSz = sizeof(check); + ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, NULL, &checkSz), 1); + ExpectIntEQ((int)checkSz, sz); + checkSz = sizeof(check); + ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); + ExpectIntEQ((int)checkSz, sz); + ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData + 4, + (unsigned int)XSTRLEN(testData) - 4), 1); + checkSz = sizeof(check); + ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 
1); + ExpectIntEQ((int)checkSz, sz); + ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); + ExpectIntEQ(ret, 1); - ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 10), 10); - ExpectNotNull(XMEMCPY(bufPt, buff, 10)); - ExpectIntEQ(BIO_write(bio1, buff + 10, 10), 10); - /* write buffer full */ - ExpectIntEQ(BIO_write(bio1, buff, 10), WOLFSSL_BIO_ERROR); - ExpectIntEQ(BIO_flush(bio1), WOLFSSL_SUCCESS); - ExpectIntEQ((int)BIO_ctrl_pending(bio1), 0); + wolfSSL_EVP_MD_CTX_init(&mdCtx); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyInit(&mdCtx, NULL, wolfSSL_EVP_sha256(), + NULL, pubKey), 1); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData, 4), 1); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData + 4, + (unsigned int)XSTRLEN(testData) - 4), + 1); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyFinal(&mdCtx, check, checkSz), 1); + ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); + ExpectIntEQ(ret, 1); - /* write the other direction with pair */ - ExpectIntEQ((int)BIO_nwrite(bio2, &bufPt, 10), 8); - ExpectNotNull(XMEMCPY(bufPt, buff, 8)); - ExpectIntEQ(BIO_write(bio2, buff, 10), WOLFSSL_BIO_ERROR); + /* Check all signing padding types */ + for (i = 0; i < sizeof(paddings)/sizeof(int); i++) { + wolfSSL_EVP_MD_CTX_init(&mdCtx); + ExpectIntEQ(wolfSSL_EVP_DigestSignInit(&mdCtx, &keyCtx, + wolfSSL_EVP_sha256(), NULL, privKey), 1); + ExpectIntEQ(wolfSSL_EVP_PKEY_CTX_set_rsa_padding(keyCtx, + paddings[i]), 1); + ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData, + (unsigned int)XSTRLEN(testData)), 1); + checkSz = sizeof(check); + ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, NULL, &checkSz), 1); + ExpectIntEQ((int)checkSz, sz); + checkSz = sizeof(check); + ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); + ExpectIntEQ((int)checkSz,sz); + ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); + ExpectIntEQ(ret, 1); - /* try read */ - ExpectIntEQ((int)BIO_ctrl_pending(bio1), 8); - ExpectIntEQ((int)BIO_ctrl_pending(bio2), 20); + wolfSSL_EVP_MD_CTX_init(&mdCtx); + 
ExpectIntEQ(wolfSSL_EVP_DigestVerifyInit(&mdCtx, &keyCtx, + wolfSSL_EVP_sha256(), NULL, pubKey), 1); + ExpectIntEQ(wolfSSL_EVP_PKEY_CTX_set_rsa_padding(keyCtx, + paddings[i]), 1); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData, + (unsigned int)XSTRLEN(testData)), 1); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyFinal(&mdCtx, check, checkSz), 1); + ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); + ExpectIntEQ(ret, 1); + } - /* try read using ctrl function */ - ExpectIntEQ((int)BIO_ctrl(bio1, BIO_CTRL_WPENDING, 0, NULL), 8); - ExpectIntEQ((int)BIO_ctrl(bio1, BIO_CTRL_PENDING, 0, NULL), 8); - ExpectIntEQ((int)BIO_ctrl(bio2, BIO_CTRL_WPENDING, 0, NULL), 20); - ExpectIntEQ((int)BIO_ctrl(bio2, BIO_CTRL_PENDING, 0, NULL), 20); + wolfSSL_EVP_PKEY_free(pubKey); + wolfSSL_EVP_PKEY_free(privKey); +#endif + return EXPECT_RESULT(); +} - ExpectIntEQ(BIO_nread(bio2, &bufPt, (int)BIO_ctrl_pending(bio2)), 20); - for (i = 0; i < 20; i++) { - ExpectIntEQ((int)bufPt[i], i); - } - ExpectIntEQ(BIO_nread(bio2, &bufPt, 1), 0); - ExpectIntEQ(BIO_nread(bio1, &bufPt, (int)BIO_ctrl_pending(bio1)), 8); - for (i = 0; i < 8; i++) { - ExpectIntEQ((int)bufPt[i], i); - } - ExpectIntEQ(BIO_nread(bio1, &bufPt, 1), 0); - ExpectIntEQ(BIO_ctrl_reset_read_request(bio1), 1); - /* new pair */ - ExpectIntEQ(BIO_make_bio_pair(bio1, bio3), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - BIO_free(bio2); /* free bio2 and automatically remove from pair */ - bio2 = NULL; - ExpectIntEQ(BIO_make_bio_pair(bio1, bio3), WOLFSSL_SUCCESS); - ExpectIntEQ((int)BIO_ctrl_pending(bio3), 0); - ExpectIntEQ(BIO_nread(bio3, &bufPt, 10), 0); +static int test_wolfSSL_EVP_MD_ecc_signing(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && defined(HAVE_ECC) && defined(USE_CERT_BUFFERS_256) + WOLFSSL_EVP_PKEY* privKey = NULL; + WOLFSSL_EVP_PKEY* pubKey = NULL; + const char testData[] = "Hi There"; + WOLFSSL_EVP_MD_CTX mdCtx; + int ret; + const unsigned char* cp; + const unsigned char* p; + unsigned char check[2048/8]; + size_t checkSz = 
sizeof(check); - /* test wrap around... */ - ExpectIntEQ(BIO_reset(bio1), 1); - ExpectIntEQ(BIO_reset(bio3), 1); + XMEMSET(check, 0, sizeof(check)); - /* fill write buffer, read only small amount then write again */ - ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 20), 20); - ExpectNotNull(XMEMCPY(bufPt, buff, 20)); - ExpectIntEQ(BIO_nread(bio3, &bufPt, 4), 4); - for (i = 0; i < 4; i++) { - ExpectIntEQ(bufPt[i], i); - } + cp = ecc_clikey_der_256; + ExpectNotNull(privKey = wolfSSL_d2i_PrivateKey(EVP_PKEY_EC, NULL, &cp, + sizeof_ecc_clikey_der_256)); + p = ecc_clikeypub_der_256; + ExpectNotNull((pubKey = wolfSSL_d2i_PUBKEY(NULL, &p, + sizeof_ecc_clikeypub_der_256))); - /* try writing over read index */ - ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 5), 4); - ExpectNotNull(XMEMSET(bufPt, 0, 4)); - ExpectIntEQ((int)BIO_ctrl_pending(bio3), 20); + wolfSSL_EVP_MD_CTX_init(&mdCtx); + ExpectIntEQ(wolfSSL_EVP_DigestSignInit(&mdCtx, NULL, wolfSSL_EVP_sha256(), + NULL, privKey), 1); + ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData, + (unsigned int)XSTRLEN(testData)), 1); + checkSz = sizeof(check); + ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, NULL, &checkSz), 1); + checkSz = sizeof(check); + ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); + ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); + ExpectIntEQ(ret, 1); - /* read and write 0 bytes */ - ExpectIntEQ(BIO_nread(bio3, &bufPt, 0), 0); - ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 0), 0); + wolfSSL_EVP_MD_CTX_init(&mdCtx); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyInit(&mdCtx, NULL, wolfSSL_EVP_sha256(), + NULL, pubKey), 1); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData, + (unsigned int)XSTRLEN(testData)), + 1); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyFinal(&mdCtx, check, checkSz), 1); + ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); + ExpectIntEQ(ret, 1); - /* should read only to end of write buffer then need to read again */ - ExpectIntEQ(BIO_nread(bio3, &bufPt, 20), 16); - for (i = 0; i < 16; i++) { - 
ExpectIntEQ(bufPt[i], buff[4 + i]); - } + wolfSSL_EVP_MD_CTX_init(&mdCtx); + ExpectIntEQ(wolfSSL_EVP_DigestSignInit(&mdCtx, NULL, wolfSSL_EVP_sha256(), + NULL, privKey), 1); + ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData, 4), 1); + checkSz = sizeof(check); + ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, NULL, &checkSz), 1); + checkSz = sizeof(check); + ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); + ExpectIntEQ(wolfSSL_EVP_DigestSignUpdate(&mdCtx, testData + 4, + (unsigned int)XSTRLEN(testData) - 4), 1); + checkSz = sizeof(check); + ExpectIntEQ(wolfSSL_EVP_DigestSignFinal(&mdCtx, check, &checkSz), 1); + ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); + ExpectIntEQ(ret, 1); - ExpectIntEQ(BIO_nread(bio3, NULL, 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(BIO_nread0(bio3, &bufPt), 4); - for (i = 0; i < 4; i++) { - ExpectIntEQ(bufPt[i], 0); - } + wolfSSL_EVP_MD_CTX_init(&mdCtx); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyInit(&mdCtx, NULL, wolfSSL_EVP_sha256(), + NULL, pubKey), 1); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData, 4), 1); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyUpdate(&mdCtx, testData + 4, + (unsigned int)XSTRLEN(testData) - 4), + 1); + ExpectIntEQ(wolfSSL_EVP_DigestVerifyFinal(&mdCtx, check, checkSz), 1); + ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx); + ExpectIntEQ(ret, 1); - /* read index should not have advanced with nread0 */ - ExpectIntEQ(BIO_nread(bio3, &bufPt, 5), 4); - for (i = 0; i < 4; i++) { - ExpectIntEQ(bufPt[i], 0); - } + wolfSSL_EVP_PKEY_free(pubKey); + wolfSSL_EVP_PKEY_free(privKey); +#endif + return EXPECT_RESULT(); +} - /* write and fill up buffer checking reset of index state */ - ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 20), 20); - ExpectNotNull(XMEMCPY(bufPt, buff, 20)); - /* test reset on data in bio1 write buffer */ - ExpectIntEQ(BIO_reset(bio1), 1); - ExpectIntEQ((int)BIO_ctrl_pending(bio3), 0); - ExpectIntEQ(BIO_nread(bio3, &bufPt, 3), 0); - ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 20), 20); 
- ExpectIntEQ((int)BIO_ctrl(bio1, BIO_CTRL_INFO, 0, &p), 20); - ExpectNotNull(p); - ExpectNotNull(XMEMCPY(bufPt, buff, 20)); - ExpectIntEQ(BIO_nread(bio3, &bufPt, 6), 6); - for (i = 0; i < 6; i++) { - ExpectIntEQ(bufPt[i], i); - } +static int test_wolfSSL_CTX_add_extra_chain_cert(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_TLS) && \ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) && !defined(NO_BIO) +#if !defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER) + char caFile[] = "./certs/client-ca.pem"; + char clientFile[] = "./certs/client-cert.pem"; + SSL_CTX* ctx = NULL; + X509* x509 = NULL; + BIO *bio = NULL; + X509 *cert = NULL; + X509 *ca = NULL; + STACK_OF(X509) *chain = NULL; + STACK_OF(X509) *chain2 = NULL; - /* test case of writing twice with offset read index */ - ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 3), 3); - ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 4), 3); /* try overwriting */ - ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 4), WOLFSSL_BIO_ERROR); - ExpectIntEQ(BIO_nread(bio3, &bufPt, 0), 0); - ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 4), WOLFSSL_BIO_ERROR); - ExpectIntEQ(BIO_nread(bio3, &bufPt, 1), 1); - ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 4), 1); - ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 4), WOLFSSL_BIO_ERROR); +#ifndef NO_WOLFSSL_SERVER + ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); +#else + ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); +#endif - BIO_free(bio1); - bio1 = NULL; - BIO_free(bio3); - bio3 = NULL; + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(caFile, + WOLFSSL_FILETYPE_PEM)); - #if defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO) - { - BIO* bioA = NULL; - BIO* bioB = NULL; - ExpectIntEQ(BIO_new_bio_pair(NULL, 256, NULL, 256), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(BIO_new_bio_pair(&bioA, 256, &bioB, 256), WOLFSSL_SUCCESS); - BIO_free(bioA); - bioA = NULL; - BIO_free(bioB); - bioB = NULL; - } - #endif /* OPENSSL_ALL || WOLFSSL_ASIO */ + /* Negative tests. 
*/ + ExpectIntEQ((int)SSL_CTX_add_extra_chain_cert(NULL, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ((int)SSL_CTX_add_extra_chain_cert(ctx, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ((int)SSL_CTX_add_extra_chain_cert(NULL, x509), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - /* BIOs with file pointers */ - #if !defined(NO_FILESYSTEM) - { - XFILE f1 = XBADFILE; - XFILE f2 = XBADFILE; - BIO* f_bio1 = NULL; - BIO* f_bio2 = NULL; - unsigned char cert[300]; - char testFile[] = "tests/bio_write_test.txt"; - char msg[] = "bio_write_test.txt contains the first 300 bytes of certs/server-cert.pem\ncreated by tests/unit.test\n\n"; + ExpectIntEQ((int)SSL_CTX_add_extra_chain_cert(ctx, x509), WOLFSSL_SUCCESS); - ExpectNotNull(f_bio1 = BIO_new(BIO_s_file())); - ExpectNotNull(f_bio2 = BIO_new(BIO_s_file())); + ExpectNotNull(x509 = wolfSSL_X509_new()); + /* Empty certificate. */ + ExpectIntEQ((int)SSL_CTX_add_extra_chain_cert(ctx, x509), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + wolfSSL_X509_free(x509); + x509 = NULL; - /* Failure due to wrong BIO type */ - ExpectIntEQ((int)BIO_set_mem_eof_return(f_bio1, -1), 0); - ExpectIntEQ((int)BIO_set_mem_eof_return(NULL, -1), 0); + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(clientFile, + WOLFSSL_FILETYPE_PEM)); - ExpectTrue((f1 = XFOPEN(svrCertFile, "rb+")) != XBADFILE); - ExpectIntEQ((int)BIO_set_fp(f_bio1, f1, BIO_CLOSE), WOLFSSL_SUCCESS); - ExpectIntEQ(BIO_write_filename(f_bio2, testFile), - WOLFSSL_SUCCESS); + /* additional test of getting EVP_PKEY key size from X509 + * Do not run with user RSA because wolfSSL_RSA_size is not currently + * allowed with user RSA */ + { + EVP_PKEY* pkey = NULL; + #if defined(HAVE_ECC) + X509* ecX509 = NULL; + #endif /* HAVE_ECC */ - ExpectIntEQ(BIO_read(f_bio1, cert, sizeof(cert)), sizeof(cert)); - ExpectIntEQ(BIO_tell(f_bio1),sizeof(cert)); - ExpectIntEQ(BIO_write(f_bio2, msg, sizeof(msg)), sizeof(msg)); - ExpectIntEQ(BIO_tell(f_bio2),sizeof(msg)); - ExpectIntEQ(BIO_write(f_bio2, 
cert, sizeof(cert)), sizeof(cert)); - ExpectIntEQ(BIO_tell(f_bio2),sizeof(cert) + sizeof(msg)); + ExpectNotNull(pkey = X509_get_pubkey(x509)); + /* current RSA key is 2048 bit (256 bytes) */ + ExpectIntEQ(EVP_PKEY_size(pkey), 256); - ExpectIntEQ((int)BIO_get_fp(f_bio2, &f2), WOLFSSL_SUCCESS); - ExpectIntEQ(BIO_reset(f_bio2), 1); - ExpectIntEQ(BIO_tell(NULL),-1); - ExpectIntEQ(BIO_tell(f_bio2),0); - ExpectIntEQ(BIO_seek(f_bio2, 4), 0); - ExpectIntEQ(BIO_tell(f_bio2),4); + EVP_PKEY_free(pkey); + pkey = NULL; - BIO_free(f_bio1); - f_bio1 = NULL; - BIO_free(f_bio2); - f_bio2 = NULL; +#if defined(HAVE_ECC) + #if defined(USE_CERT_BUFFERS_256) + ExpectNotNull(ecX509 = wolfSSL_X509_load_certificate_buffer( + cliecc_cert_der_256, sizeof_cliecc_cert_der_256, + SSL_FILETYPE_ASN1)); + #else + ExpectNotNull(ecX509 = wolfSSL_X509_load_certificate_file( + cliEccCertFile, SSL_FILETYPE_PEM)); + #endif + pkey = X509_get_pubkey(ecX509); + ExpectNotNull(pkey); + /* current ECC key is 256 bit (32 bytes) */ + ExpectIntGE(EVP_PKEY_size(pkey), 72); - ExpectNotNull(f_bio1 = BIO_new_file(svrCertFile, "rb+")); - ExpectIntEQ((int)BIO_set_mem_eof_return(f_bio1, -1), 0); - ExpectIntEQ(BIO_read(f_bio1, cert, sizeof(cert)), sizeof(cert)); - BIO_free(f_bio1); - f_bio1 = NULL; + X509_free(ecX509); + ecX509 = NULL; + EVP_PKEY_free(pkey); + pkey = NULL; +#endif /* HAVE_ECC */ } - #endif /* !defined(NO_FILESYSTEM) */ - - /* BIO info callback */ - { - const char* testArg = "test"; - BIO* cb_bio = NULL; - ExpectNotNull(cb_bio = BIO_new(BIO_s_mem())); - BIO_set_callback(cb_bio, bioCallback); - ExpectNotNull(BIO_get_callback(cb_bio)); - BIO_set_callback(cb_bio, NULL); - ExpectNull(BIO_get_callback(cb_bio)); + ExpectIntEQ((int)SSL_CTX_add_extra_chain_cert(ctx, x509), SSL_SUCCESS); + if (EXPECT_SUCCESS()) { + x509 = NULL; + } - BIO_set_callback_arg(cb_bio, (char*)testArg); - ExpectStrEQ(BIO_get_callback_arg(cb_bio), testArg); - ExpectNull(BIO_get_callback_arg(NULL)); +#ifdef WOLFSSL_ENCRYPTED_KEYS + 
ExpectNull(SSL_CTX_get_default_passwd_cb(ctx)); + ExpectNull(SSL_CTX_get_default_passwd_cb_userdata(ctx)); +#endif + SSL_CTX_free(ctx); + ctx = NULL; - BIO_free(cb_bio); - cb_bio = NULL; +#ifndef NO_WOLFSSL_SERVER + ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); +#else + ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); +#endif + /* Test haproxy use case */ + ExpectNotNull(bio = BIO_new_file(svrCertFile, "r")); + /* Read Certificate */ + ExpectNotNull(cert = PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL)); + ExpectNotNull(ca = PEM_read_bio_X509(bio, NULL, NULL, NULL)); + ExpectNotNull(chain = sk_X509_new_null()); + ExpectIntEQ(sk_X509_push(chain, ca), 1); + if (EXPECT_SUCCESS()) { + ca = NULL; + } + ExpectNotNull(chain2 = X509_chain_up_ref(chain)); + ExpectNotNull(ca = sk_X509_shift(chain2)); + ExpectIntEQ(SSL_CTX_use_certificate(ctx, cert), 1); + ExpectIntEQ(SSL_CTX_add_extra_chain_cert(ctx, ca), 1); + if (EXPECT_SUCCESS()) { + ca = NULL; } - /* BIO_vfree */ - ExpectNotNull(bio1 = BIO_new(BIO_s_bio())); - BIO_vfree(NULL); - BIO_vfree(bio1); -#endif + BIO_free(bio); + X509_free(cert); + X509_free(ca); + X509_free(x509); + sk_X509_pop_free(chain, X509_free); + sk_X509_pop_free(chain2, X509_free); + SSL_CTX_free(ctx); +#endif /* !NO_WOLFSSL_CLIENT || !NO_WOLFSSL_SERVER */ +#endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) && !defined (NO_BIO) */ return EXPECT_RESULT(); } -static int test_wolfSSL_BIO_BIO_ring_read(void) +#if !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) +static int test_wolfSSL_ERR_peek_last_error_line(void) { EXPECT_DECLS; -#if defined(OPENSSL_ALL) - BIO* bio1 = NULL; - BIO* bio2 = NULL; - byte data[50]; - byte tmp[50]; - - XMEMSET(data, 42, sizeof(data)); - - - ExpectIntEQ(BIO_new_bio_pair(&bio1, sizeof(data), &bio2, sizeof(data)), - SSL_SUCCESS); - - ExpectIntEQ(BIO_write(bio1, data, 40), 40); - ExpectIntEQ(BIO_read(bio1, tmp, 20), -1); - 
ExpectIntEQ(BIO_read(bio2, tmp, 20), 20); - ExpectBufEQ(tmp, data, 20); - ExpectIntEQ(BIO_write(bio1, data, 20), 20); - ExpectIntEQ(BIO_read(bio2, tmp, 40), 40); - ExpectBufEQ(tmp, data, 40); +#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ + !defined(NO_FILESYSTEM) && defined(DEBUG_WOLFSSL) && \ + !defined(NO_OLD_TLS) && !defined(WOLFSSL_NO_TLS12) && \ + defined(HAVE_IO_TESTS_DEPENDENCIES) && !defined(NO_ERROR_QUEUE) + callback_functions client_cb; + callback_functions server_cb; + int line = 0; + int flag = ERR_TXT_STRING; + const char* file = NULL; + const char* data = NULL; - BIO_free(bio1); - BIO_free(bio2); -#endif - return EXPECT_RESULT(); -} + /* create a failed connection and inspect the error */ + XMEMSET(&client_cb, 0, sizeof(callback_functions)); + XMEMSET(&server_cb, 0, sizeof(callback_functions)); + client_cb.method = wolfTLSv1_1_client_method; + server_cb.method = wolfTLSv1_2_server_method; -#endif /* !NO_BIO */ + test_wolfSSL_client_server_nofail(&client_cb, &server_cb); + ExpectIntGT(ERR_get_error_line_data(NULL, NULL, &data, &flag), 0); + ExpectNotNull(data); -static int test_wolfSSL_a2i_IPADDRESS(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_ALL) && !defined(WOLFSSL_USER_IO) - const unsigned char* data = NULL; - int dataSz = 0; - ASN1_OCTET_STRING *st = NULL; + /* check clearing error state */ + ERR_remove_state(0); + ExpectIntEQ((int)ERR_peek_last_error_line(NULL, NULL), 0); + ERR_peek_last_error_line(NULL, &line); + ExpectIntEQ(line, 0); + ERR_peek_last_error_line(&file, NULL); + ExpectNull(file); - const unsigned char ipv4_exp[] = {0x7F, 0, 0, 1}; - const unsigned char ipv6_exp[] = { - 0x20, 0x21, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x77, 0x77 - }; - const unsigned char ipv6_home[] = { - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 - }; + /* retry connection to fill error queue */ + XMEMSET(&client_cb, 0, sizeof(callback_functions)); + 
XMEMSET(&server_cb, 0, sizeof(callback_functions)); + client_cb.method = wolfTLSv1_1_client_method; + server_cb.method = wolfTLSv1_2_server_method; - ExpectNull(st = a2i_IPADDRESS("127.0.0.1bad")); - ExpectNotNull(st = a2i_IPADDRESS("127.0.0.1")); - ExpectNotNull(data = ASN1_STRING_get0_data(st)); - ExpectIntEQ(dataSz = ASN1_STRING_length(st), WOLFSSL_IP4_ADDR_LEN); - ExpectIntEQ(XMEMCMP(data, ipv4_exp, dataSz), 0); - ASN1_STRING_free(st); - st = NULL; + test_wolfSSL_client_server_nofail(&client_cb, &server_cb); - ExpectNotNull(st = a2i_IPADDRESS("::1")); - ExpectNotNull(data = ASN1_STRING_get0_data(st)); - ExpectIntEQ(dataSz = ASN1_STRING_length(st), WOLFSSL_IP6_ADDR_LEN); - ExpectIntEQ(XMEMCMP(data, ipv6_home, dataSz), 0); - ASN1_STRING_free(st); - st = NULL; + /* check that error code was stored */ + ExpectIntNE((int)ERR_peek_last_error_line(NULL, NULL), 0); + ERR_peek_last_error_line(NULL, &line); + ExpectIntNE(line, 0); + ERR_peek_last_error_line(&file, NULL); + ExpectNotNull(file); - ExpectNotNull(st = a2i_IPADDRESS("2021:db8::ff00:42:7777")); - ExpectNotNull(data = ASN1_STRING_get0_data(st)); - ExpectIntEQ(dataSz = ASN1_STRING_length(st), WOLFSSL_IP6_ADDR_LEN); - ExpectIntEQ(XMEMCMP(data, ipv6_exp, dataSz), 0); - ASN1_STRING_free(st); -#endif + fprintf(stderr, "\nTesting error print out\n"); + ERR_print_errors_fp(stderr); + fprintf(stderr, "Done testing print out\n\n"); +#endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && + * !defined(NO_FILESYSTEM) && !defined(DEBUG_WOLFSSL) */ return EXPECT_RESULT(); } +#endif /* !NO_WOLFSSL_CLIENT && !NO_WOLFSSL_SERVER */ - -static int test_wolfSSL_X509_cmp_time(void) +static int test_wolfSSL_PKCS7_certs(void) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_ASN_TIME) \ -&& !defined(USER_TIME) && !defined(TIME_OVERRIDES) - WOLFSSL_ASN1_TIME asn_time; - time_t t; +#if defined(OPENSSL_ALL) && !defined(NO_CERTS) && !defined(NO_BIO) && \ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) && defined(HAVE_PKCS7) + 
STACK_OF(X509)* sk = NULL; + STACK_OF(X509_INFO)* info_sk = NULL; + PKCS7 *p7 = NULL; + BIO* bio = NULL; + const byte* p = NULL; + int buflen = 0; + int i; + + /* Test twice. Once with d2i and once without to test + * that everything is free'd correctly. */ + for (i = 0; i < 2; i++) { + ExpectNotNull(p7 = PKCS7_new()); + if (p7 != NULL) { + p7->version = 1; + #ifdef NO_SHA + p7->hashOID = SHA256h; + #else + p7->hashOID = SHAh; + #endif + } + ExpectNotNull(bio = BIO_new(BIO_s_file())); + ExpectIntGT(BIO_read_filename(bio, svrCertFile), 0); + ExpectNotNull(info_sk = PEM_X509_INFO_read_bio(bio, NULL, NULL, NULL)); + ExpectIntEQ(sk_X509_INFO_num(info_sk), 2); + ExpectNotNull(sk = sk_X509_new_null()); + while (EXPECT_SUCCESS() && (sk_X509_INFO_num(info_sk) > 0)) { + X509_INFO* info = NULL; + ExpectNotNull(info = sk_X509_INFO_shift(info_sk)); + if (EXPECT_SUCCESS() && info != NULL) { + ExpectIntGT(sk_X509_push(sk, info->x509), 0); + info->x509 = NULL; + } + X509_INFO_free(info); + } + sk_X509_INFO_pop_free(info_sk, X509_INFO_free); + info_sk = NULL; + BIO_free(bio); + bio = NULL; + ExpectNotNull(bio = BIO_new(BIO_s_mem())); + ExpectIntEQ(wolfSSL_PKCS7_encode_certs(p7, sk, bio), 1); + if ((sk != NULL) && ((p7 == NULL) || (bio == NULL))) { + sk_X509_pop_free(sk, X509_free); + } + sk = NULL; + ExpectIntGT((buflen = BIO_get_mem_data(bio, &p)), 0); - ExpectIntEQ(0, wolfSSL_X509_cmp_time(NULL, &t)); - XMEMSET(&asn_time, 0, sizeof(WOLFSSL_ASN1_TIME)); - ExpectIntEQ(0, wolfSSL_X509_cmp_time(&asn_time, &t)); + if (i == 0) { + PKCS7_free(p7); + p7 = NULL; + ExpectNotNull(d2i_PKCS7(&p7, &p, buflen)); + if (p7 != NULL) { + /* Reset certs to force wolfSSL_PKCS7_to_stack to regenerate + * them */ + ((WOLFSSL_PKCS7*)p7)->certs = NULL; + } + /* PKCS7_free free's the certs */ + ExpectNotNull(wolfSSL_PKCS7_to_stack(p7)); + } - ExpectIntEQ(ASN1_TIME_set_string(&asn_time, "000222211515Z"), 1); - ExpectIntEQ(-1, wolfSSL_X509_cmp_time(&asn_time, NULL)); - ExpectIntEQ(-1, 
wolfSSL_X509_cmp_current_time(&asn_time)); -#endif + BIO_free(bio); + bio = NULL; + PKCS7_free(p7); + p7 = NULL; + } +#endif /* defined(OPENSSL_ALL) && !defined(NO_CERTS) && \ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) && defined(HAVE_PKCS7) */ return EXPECT_RESULT(); } -static int test_wolfSSL_X509_time_adj(void) +static int test_wolfSSL_CTX_get0_set1_param(void) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_ASN_TIME) && \ - !defined(USER_TIME) && !defined(TIME_OVERRIDES) && \ - defined(USE_CERT_BUFFERS_2048) && !defined(NO_RSA) && \ - !defined(NO_ASN_TIME) - X509* x509 = NULL; - time_t t; - time_t not_before; - time_t not_after; - - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_buffer( - client_cert_der_2048, sizeof_client_cert_der_2048, - WOLFSSL_FILETYPE_ASN1)); - - t = 0; - not_before = wc_Time(0); - not_after = wc_Time(0) + (60 * 24 * 30); /* 30 days after */ - ExpectNotNull(X509_time_adj(X509_get_notBefore(x509), not_before, &t)); - ExpectNotNull(X509_time_adj(X509_get_notAfter(x509), not_after, &t)); - /* Check X509_gmtime_adj, too. 
*/ - ExpectNotNull(X509_gmtime_adj(X509_get_notAfter(x509), not_after)); +#if defined(OPENSSL_EXTRA) +#if !defined(NO_TLS) && \ + (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) + SSL_CTX* ctx = NULL; + WOLFSSL_X509_VERIFY_PARAM* pParam = NULL; + WOLFSSL_X509_VERIFY_PARAM* pvpm = NULL; + char testIPv4[] = "127.0.0.1"; + char testhostName[] = "foo.hoge.com"; - X509_free(x509); +#ifndef NO_WOLFSSL_SERVER + ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); +#else + ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); #endif - return EXPECT_RESULT(); -} -static int test_wolfSSL_X509_bad_altname(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_RSA) - const unsigned char malformed_alt_name_cert[] = { - 0x30, 0x82, 0x02, 0xf9, 0x30, 0x82, 0x01, 0xe1, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x02, 0x10, 0x21, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, - 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x0f, 0x31, 0x0d, - 0x30, 0x0b, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x04, 0x61, 0x61, 0x31, - 0x31, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x32, 0x30, 0x37, 0x31, - 0x37, 0x32, 0x34, 0x30, 0x30, 0x5a, 0x17, 0x0d, 0x33, 0x34, 0x30, 0x32, - 0x31, 0x34, 0x30, 0x36, 0x32, 0x36, 0x35, 0x33, 0x5a, 0x30, 0x0f, 0x31, - 0x0d, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x04, 0x61, 0x61, - 0x61, 0x61, 0x30, 0x82, 0x01, 0x20, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, - 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, - 0x0d, 0x00, 0x30, 0x82, 0x01, 0x08, 0x02, 0x82, 0x01, 0x01, 0x00, 0xa8, - 0x8a, 0x5e, 0x26, 0x23, 0x1b, 0x31, 0xd3, 0x37, 0x1a, 0x70, 0xb2, 0xec, - 0x3f, 0x74, 0xd4, 0xb4, 0x44, 0xe3, 0x7a, 0xa5, 0xc0, 0xf5, 0xaa, 0x97, - 0x26, 0x9a, 0x04, 0xff, 0xda, 0xbe, 0xe5, 0x09, 0x03, 0x98, 0x3d, 0xb5, - 0xbf, 0x01, 0x2c, 0x9a, 0x0a, 0x3a, 0xfb, 0xbc, 0x3c, 0xe7, 0xbe, 0x83, - 0x5c, 0xb3, 0x70, 0xe8, 0x5c, 0xe3, 0xd1, 0x83, 0xc3, 0x94, 0x08, 0xcd, - 0x1a, 0x87, 0xe5, 0xe0, 0x5b, 
0x9c, 0x5c, 0x6e, 0xb0, 0x7d, 0xe2, 0x58, - 0x6c, 0xc3, 0xb5, 0xc8, 0x9d, 0x11, 0xf1, 0x5d, 0x96, 0x0d, 0x66, 0x1e, - 0x56, 0x7f, 0x8f, 0x59, 0xa7, 0xa5, 0xe1, 0xc5, 0xe7, 0x81, 0x4c, 0x09, - 0x9d, 0x5e, 0x96, 0xf0, 0x9a, 0xc2, 0x8b, 0x70, 0xd5, 0xab, 0x79, 0x58, - 0x5d, 0xb7, 0x58, 0xaa, 0xfd, 0x75, 0x52, 0xaa, 0x4b, 0xa7, 0x25, 0x68, - 0x76, 0x59, 0x00, 0xee, 0x78, 0x2b, 0x91, 0xc6, 0x59, 0x91, 0x99, 0x38, - 0x3e, 0xa1, 0x76, 0xc3, 0xf5, 0x23, 0x6b, 0xe6, 0x07, 0xea, 0x63, 0x1c, - 0x97, 0x49, 0xef, 0xa0, 0xfe, 0xfd, 0x13, 0xc9, 0xa9, 0x9f, 0xc2, 0x0b, - 0xe6, 0x87, 0x92, 0x5b, 0xcc, 0xf5, 0x42, 0x95, 0x4a, 0xa4, 0x6d, 0x64, - 0xba, 0x7d, 0xce, 0xcb, 0x04, 0xd0, 0xf8, 0xe7, 0xe3, 0xda, 0x75, 0x60, - 0xd3, 0x8b, 0x6a, 0x64, 0xfc, 0x78, 0x56, 0x21, 0x69, 0x5a, 0xe8, 0xa7, - 0x8f, 0xfb, 0x8f, 0x82, 0xe3, 0xae, 0x36, 0xa2, 0x93, 0x66, 0x92, 0xcb, - 0x82, 0xa3, 0xbe, 0x84, 0x00, 0x86, 0xdc, 0x7e, 0x6d, 0x53, 0x77, 0x84, - 0x17, 0xb9, 0x55, 0x43, 0x0d, 0xf1, 0x16, 0x1f, 0xd5, 0x43, 0x75, 0x99, - 0x66, 0x19, 0x52, 0xd0, 0xac, 0x5f, 0x74, 0xad, 0xb2, 0x90, 0x15, 0x50, - 0x04, 0x74, 0x43, 0xdf, 0x6c, 0x35, 0xd0, 0xfd, 0x32, 0x37, 0xb3, 0x8d, - 0xf5, 0xe5, 0x09, 0x02, 0x01, 0x03, 0xa3, 0x61, 0x30, 0x5f, 0x30, 0x0c, - 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x02, 0x30, 0x00, - 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x11, 0x04, 0x08, 0x30, 0x06, 0x82, - 0x04, 0x61, 0x2a, 0x00, 0x2a, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, - 0x04, 0x16, 0x04, 0x14, 0x92, 0x6a, 0x1e, 0x52, 0x3a, 0x1a, 0x57, 0x9f, - 0xc9, 0x82, 0x9a, 0xce, 0xc8, 0xc0, 0xa9, 0x51, 0x9d, 0x2f, 0xc7, 0x72, - 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, - 0x14, 0x6b, 0xf9, 0xa4, 0x2d, 0xa5, 0xe9, 0x39, 0x89, 0xa8, 0x24, 0x58, - 0x79, 0x87, 0x11, 0xfc, 0x6f, 0x07, 0x91, 0xef, 0xa6, 0x30, 0x0d, 0x06, - 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, - 0x03, 0x82, 0x01, 0x01, 0x00, 0x3f, 0xd5, 0x37, 0x2f, 0xc7, 0xf8, 0x8b, - 0x39, 0x1c, 0xe3, 0xdf, 0x77, 
0xee, 0xc6, 0x4b, 0x5f, 0x84, 0xcf, 0xfa, - 0x33, 0x2c, 0xb2, 0xb5, 0x4b, 0x09, 0xee, 0x56, 0xc0, 0xf2, 0xf0, 0xeb, - 0xad, 0x1c, 0x02, 0xef, 0xae, 0x09, 0x53, 0xc0, 0x06, 0xad, 0x4e, 0xfd, - 0x3e, 0x8c, 0x13, 0xb3, 0xbf, 0x80, 0x05, 0x36, 0xb5, 0x3f, 0x2b, 0xc7, - 0x60, 0x53, 0x14, 0xbf, 0x33, 0x63, 0x47, 0xc3, 0xc6, 0x28, 0xda, 0x10, - 0x12, 0xe2, 0xc4, 0xeb, 0xc5, 0x64, 0x66, 0xc0, 0xcc, 0x6b, 0x84, 0xda, - 0x0c, 0xe9, 0xf6, 0xe3, 0xf8, 0x8e, 0x3d, 0x95, 0x5f, 0xba, 0x9f, 0xe1, - 0xc7, 0xed, 0x6e, 0x97, 0xcc, 0xbd, 0x7d, 0xe5, 0x4e, 0xab, 0xbc, 0x1b, - 0xf1, 0x3a, 0x09, 0x33, 0x09, 0xe1, 0xcc, 0xec, 0x21, 0x16, 0x8e, 0xb1, - 0x74, 0x9e, 0xc8, 0x13, 0x7c, 0xdf, 0x07, 0xaa, 0xeb, 0x70, 0xd7, 0x91, - 0x5c, 0xc4, 0xef, 0x83, 0x88, 0xc3, 0xe4, 0x97, 0xfa, 0xe4, 0xdf, 0xd7, - 0x0d, 0xff, 0xba, 0x78, 0x22, 0xfc, 0x3f, 0xdc, 0xd8, 0x02, 0x8d, 0x93, - 0x57, 0xf9, 0x9e, 0x39, 0x3a, 0x77, 0x00, 0xd9, 0x19, 0xaa, 0x68, 0xa1, - 0xe6, 0x9e, 0x13, 0xeb, 0x37, 0x16, 0xf5, 0x77, 0xa4, 0x0b, 0x40, 0x04, - 0xd3, 0xa5, 0x49, 0x78, 0x35, 0xfa, 0x3b, 0xf6, 0x02, 0xab, 0x85, 0xee, - 0xcb, 0x9b, 0x62, 0xda, 0x05, 0x00, 0x22, 0x2f, 0xf8, 0xbd, 0x0b, 0xe5, - 0x2c, 0xb2, 0x53, 0x78, 0x0a, 0xcb, 0x69, 0xc0, 0xb6, 0x9f, 0x96, 0xff, - 0x58, 0x22, 0x70, 0x9c, 0x01, 0x2e, 0x56, 0x60, 0x5d, 0x37, 0xe3, 0x40, - 0x25, 0xc9, 0x90, 0xc8, 0x0f, 0x41, 0x68, 0xb4, 0xfd, 0x10, 0xe2, 0x09, - 0x99, 0x08, 0x5d, 0x7b, 0xc9, 0xe3, 0x29, 0xd4, 0x5a, 0xcf, 0xc9, 0x34, - 0x55, 0xa1, 0x40, 0x44, 0xd6, 0x88, 0x16, 0xbb, 0xdd - }; + ExpectNull(SSL_CTX_get0_param(NULL)); + ExpectNotNull(pParam = SSL_CTX_get0_param(ctx)); - X509* x509 = NULL; - int certSize = (int)sizeof(malformed_alt_name_cert) / sizeof(unsigned char); - const char *name = "aaaaa"; - int nameLen = (int)XSTRLEN(name); + ExpectNotNull(pvpm = (WOLFSSL_X509_VERIFY_PARAM *)XMALLOC( + sizeof(WOLFSSL_X509_VERIFY_PARAM), NULL, DYNAMIC_TYPE_OPENSSL)); + ExpectNotNull(XMEMSET(pvpm, 0, sizeof(WOLFSSL_X509_VERIFY_PARAM))); - ExpectNotNull(x509 = 
wolfSSL_X509_load_certificate_buffer( - malformed_alt_name_cert, certSize, SSL_FILETYPE_ASN1)); + ExpectIntEQ(wolfSSL_X509_VERIFY_PARAM_set1_host(pvpm, testhostName, + (int)XSTRLEN(testhostName)), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(pvpm, testIPv4), + WOLFSSL_SUCCESS); + wolfSSL_X509_VERIFY_PARAM_set_hostflags(pvpm, 0x01); - /* malformed_alt_name_cert has a malformed alternative - * name of "a*\0*". Ensure that it does not match "aaaaa" */ - ExpectIntNE(wolfSSL_X509_check_host(x509, name, nameLen, - WOLFSSL_ALWAYS_CHECK_SUBJECT, NULL), 1); + ExpectIntEQ(SSL_CTX_set1_param(ctx, pvpm), 1); + ExpectIntEQ(0, XSTRNCMP(pParam->hostName, testhostName, + (int)XSTRLEN(testhostName))); + ExpectIntEQ(0x01, pParam->hostFlags); + ExpectIntEQ(0, XSTRNCMP(pParam->ipasc, testIPv4, WOLFSSL_MAX_IPSTR)); - /* Also make sure WOLFSSL_LEFT_MOST_WILDCARD_ONLY fails too */ - ExpectIntNE(wolfSSL_X509_check_host(x509, name, nameLen, - WOLFSSL_ALWAYS_CHECK_SUBJECT | WOLFSSL_LEFT_MOST_WILDCARD_ONLY, - NULL), 1); + /* test for incorrect parameter */ + ExpectIntEQ(1,SSL_CTX_set1_param(ctx, NULL)); + ExpectIntEQ(1,SSL_CTX_set1_param(NULL, pvpm)); + ExpectIntEQ(1,SSL_CTX_set1_param(NULL, NULL)); - X509_free(x509); + SSL_CTX_free(ctx); -#endif + XFREE(pvpm, NULL, DYNAMIC_TYPE_OPENSSL); +#endif /* !NO_WOLFSSL_CLIENT || !NO_WOLFSSL_SERVER */ +#endif /* OPENSSL_EXTRA && !defined(NO_RSA)*/ return EXPECT_RESULT(); } -static int test_wolfSSL_X509_name_match(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_RSA) - /* A certificate with the subject alternative name a* */ - const unsigned char cert_der[] = { - 0x30, 0x82, 0x03, 0xac, 0x30, 0x82, 0x02, 0x94, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x14, 0x0f, 0xa5, 0x10, 0x85, 0xef, 0x58, 0x10, 0x59, 0xfc, - 0x0f, 0x20, 0x1f, 0x53, 0xf5, 0x30, 0x39, 0x34, 0x49, 0x54, 0x05, 0x30, - 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, - 0x05, 0x00, 0x30, 0x77, 0x31, 
0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, - 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, - 0x04, 0x08, 0x0c, 0x07, 0x4d, 0x6f, 0x6e, 0x74, 0x61, 0x6e, 0x61, 0x31, - 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x07, 0x42, 0x6f, - 0x7a, 0x65, 0x6d, 0x61, 0x6e, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, - 0x04, 0x0a, 0x0c, 0x0b, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x20, - 0x49, 0x6e, 0x63, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0b, - 0x0c, 0x0b, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, - 0x67, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, - 0x77, 0x77, 0x77, 0x2e, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, - 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x32, 0x34, 0x30, 0x35, 0x33, - 0x30, 0x32, 0x30, 0x31, 0x35, 0x35, 0x38, 0x5a, 0x17, 0x0d, 0x33, 0x34, - 0x30, 0x35, 0x32, 0x38, 0x32, 0x30, 0x31, 0x35, 0x35, 0x38, 0x5a, 0x30, - 0x77, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, - 0x55, 0x53, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, - 0x07, 0x4d, 0x6f, 0x6e, 0x74, 0x61, 0x6e, 0x61, 0x31, 0x10, 0x30, 0x0e, - 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x07, 0x42, 0x6f, 0x7a, 0x65, 0x6d, - 0x61, 0x6e, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, - 0x0b, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x20, 0x49, 0x6e, 0x63, - 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x0b, 0x45, - 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x31, 0x18, - 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x77, 0x77, 0x77, - 0x2e, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, - 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, - 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, - 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xf4, 0xca, 0x3d, - 0xd4, 0xbc, 0x9b, 0xea, 0x74, 0xfe, 0x73, 0xf4, 0x16, 0x23, 0x0b, 0x4a, - 0x09, 0x54, 0xf6, 0x7b, 0x10, 
0x99, 0x11, 0x93, 0xb2, 0xdb, 0x4d, 0x7d, - 0x23, 0xab, 0xf9, 0xcd, 0xf6, 0x54, 0xd4, 0xf6, 0x39, 0x57, 0xee, 0x97, - 0xb2, 0xb9, 0xfc, 0x7e, 0x9c, 0xb3, 0xfb, 0x56, 0xb6, 0x84, 0xd6, 0x2d, - 0x59, 0x1c, 0xed, 0xda, 0x9b, 0x19, 0xf5, 0x8a, 0xa7, 0x8a, 0x89, 0xd6, - 0xa1, 0xc0, 0xe6, 0x16, 0xad, 0x04, 0xcf, 0x5a, 0x1f, 0xdf, 0x62, 0x6c, - 0x68, 0x45, 0xe9, 0x55, 0x2e, 0x42, 0xa3, 0x1b, 0x3b, 0x86, 0x23, 0x22, - 0xa1, 0x20, 0x48, 0xd1, 0x52, 0xc0, 0x8b, 0xab, 0xe2, 0x8a, 0x15, 0x68, - 0xbd, 0x89, 0x6f, 0x9f, 0x45, 0x75, 0xb4, 0x27, 0xc1, 0x72, 0x41, 0xfd, - 0x79, 0x89, 0xb0, 0x74, 0xa2, 0xe9, 0x61, 0x48, 0x4c, 0x54, 0xad, 0x6b, - 0x61, 0xbf, 0x0e, 0x27, 0x58, 0xb4, 0xf6, 0x9c, 0x2c, 0x9f, 0xc2, 0x3e, - 0x3b, 0xb3, 0x90, 0x41, 0xbc, 0x61, 0xcd, 0x01, 0x57, 0x90, 0x82, 0xec, - 0x46, 0xba, 0x4f, 0x89, 0x8e, 0x7f, 0x49, 0x4f, 0x46, 0x69, 0x37, 0x8b, - 0xa0, 0xba, 0x85, 0xe8, 0x42, 0xff, 0x9a, 0xa1, 0x53, 0x81, 0x5c, 0xf3, - 0x8e, 0x85, 0x1c, 0xd4, 0x90, 0x60, 0xa0, 0x37, 0x59, 0x04, 0x65, 0xa6, - 0xb5, 0x12, 0x00, 0xc3, 0x04, 0x51, 0xa7, 0x83, 0x96, 0x62, 0x3d, 0x49, - 0x97, 0xe8, 0x6b, 0x9a, 0x5d, 0x51, 0x24, 0xee, 0xad, 0x45, 0x18, 0x0f, - 0x3f, 0x97, 0xec, 0xdf, 0xcf, 0x42, 0x8a, 0x96, 0xc7, 0xd8, 0x82, 0x87, - 0x7f, 0x57, 0x70, 0x22, 0xfb, 0x29, 0x3e, 0x3c, 0xa3, 0xc1, 0xd5, 0x71, - 0xb3, 0x84, 0x06, 0x53, 0xa3, 0x86, 0x20, 0x35, 0xe3, 0x41, 0xb9, 0xd8, - 0x00, 0x22, 0x4f, 0x6d, 0xe6, 0xfd, 0xf0, 0xf4, 0xa2, 0x39, 0x0a, 0x1a, - 0x23, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x30, 0x30, 0x2e, 0x30, 0x0d, - 0x06, 0x03, 0x55, 0x1d, 0x11, 0x04, 0x06, 0x30, 0x04, 0x82, 0x02, 0x61, - 0x2a, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, - 0x45, 0x05, 0xf3, 0x4d, 0x3e, 0x7e, 0x9c, 0xf5, 0x08, 0xee, 0x2c, 0x13, - 0x32, 0xe3, 0xf2, 0x14, 0xe8, 0x0e, 0x71, 0x21, 0x30, 0x0d, 0x06, 0x09, - 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, - 0x82, 0x01, 0x01, 0x00, 0xa8, 0x28, 0xe5, 0x22, 0x65, 0xcf, 0x47, 0xfe, - 0x82, 0x17, 0x99, 0x20, 0xdb, 
0xb1, 0x57, 0xd4, 0x91, 0x1a, 0x83, 0xde, - 0xc1, 0xaf, 0xc4, 0x1f, 0xfb, 0xa4, 0x6a, 0xad, 0xdc, 0x58, 0x72, 0xd9, - 0x9b, 0xab, 0xa5, 0xbb, 0xf4, 0x98, 0xd4, 0xdf, 0x36, 0xcb, 0xb5, 0x78, - 0xce, 0x4b, 0x25, 0x5b, 0x24, 0x92, 0xfe, 0xe8, 0xd4, 0xe4, 0xbd, 0x6f, - 0x71, 0x1a, 0x81, 0x2a, 0x6f, 0x35, 0x93, 0xf7, 0xcc, 0xed, 0xe5, 0x06, - 0xd2, 0x96, 0x41, 0xb5, 0xa9, 0x8a, 0xc0, 0xc9, 0x17, 0xe3, 0x13, 0x5e, - 0x94, 0x5e, 0xfa, 0xfc, 0xf0, 0x00, 0x2e, 0xe1, 0xd8, 0x1b, 0x23, 0x3f, - 0x7c, 0x4d, 0x9f, 0xfb, 0xb7, 0x95, 0xc1, 0x94, 0x7f, 0x7f, 0xb5, 0x4f, - 0x93, 0x6d, 0xc3, 0x2b, 0xb2, 0x28, 0x36, 0xd2, 0x7c, 0x01, 0x3c, 0xae, - 0x35, 0xdb, 0xc8, 0x95, 0x1b, 0x5f, 0x6c, 0x0f, 0x57, 0xb3, 0xcc, 0x97, - 0x98, 0x80, 0x06, 0xaa, 0xe4, 0x93, 0x1f, 0xb7, 0xa0, 0x54, 0xf1, 0x4f, - 0x6f, 0x11, 0xdf, 0xab, 0xd3, 0xbf, 0xf0, 0x3a, 0x81, 0x60, 0xaf, 0x7a, - 0xf7, 0x09, 0xd5, 0xae, 0x0c, 0x7d, 0xae, 0x8d, 0x47, 0x06, 0xbe, 0x11, - 0x6e, 0xf8, 0x7e, 0x49, 0xf8, 0xac, 0x24, 0x0a, 0x4b, 0xc2, 0xf6, 0xe8, - 0x2c, 0xec, 0x35, 0xef, 0xa9, 0x13, 0xb8, 0xd2, 0x9c, 0x92, 0x61, 0x91, - 0xec, 0x7b, 0x0c, 0xea, 0x9a, 0x71, 0x36, 0x15, 0x34, 0x2b, 0x7a, 0x25, - 0xac, 0xfe, 0xc7, 0x26, 0x89, 0x70, 0x3e, 0x64, 0x68, 0x97, 0x4b, 0xaa, - 0xc1, 0x24, 0x14, 0xbd, 0x45, 0x2f, 0xe0, 0xfe, 0xf4, 0x2b, 0x8e, 0x08, - 0x3e, 0xe4, 0xb5, 0x3d, 0x5d, 0xf4, 0xc3, 0xd6, 0x9c, 0xb5, 0x33, 0x1b, - 0x3b, 0xda, 0x6e, 0x99, 0x7b, 0x09, 0xd1, 0x30, 0x97, 0x23, 0x52, 0x6d, - 0x1b, 0x71, 0x3a, 0xf4, 0x54, 0xf0, 0xe5, 0x9e - }; +static int test_wolfSSL_get0_param(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_TLS) && \ + (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) && \ + !defined(NO_FILESYSTEM) + SSL_CTX* ctx = NULL; + SSL* ssl = NULL; - WOLFSSL_X509* x509 = NULL; - int certSize = (int)(sizeof(cert_der) / sizeof(unsigned char)); - const char *name1 = "aaaaa"; - int nameLen1 = (int)(XSTRLEN(name1)); - const char *name2 = "a"; - int nameLen2 = 
(int)(XSTRLEN(name2)); - const char *name3 = "abbbb"; - int nameLen3 = (int)(XSTRLEN(name3)); - const char *name4 = "bbb"; - int nameLen4 = (int)(XSTRLEN(name4)); - - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_buffer( - cert_der, certSize, WOLFSSL_FILETYPE_ASN1)); - - /* Ensure that "a*" matches "aaaaa" */ - ExpectIntEQ(wolfSSL_X509_check_host(x509, name1, nameLen1, - WOLFSSL_ALWAYS_CHECK_SUBJECT, NULL), WOLFSSL_SUCCESS); - /* Ensure that "a*" matches "a" */ - ExpectIntEQ(wolfSSL_X509_check_host(x509, name2, nameLen2, - WOLFSSL_ALWAYS_CHECK_SUBJECT, NULL), WOLFSSL_SUCCESS); - /* Ensure that "a*" matches "abbbb" */ - ExpectIntEQ(wolfSSL_X509_check_host(x509, name3, nameLen3, - WOLFSSL_ALWAYS_CHECK_SUBJECT, NULL), WOLFSSL_SUCCESS); - /* Ensure that "a*" does not match "bbb" */ - ExpectIntNE(wolfSSL_X509_check_host(x509, name4, nameLen4, - WOLFSSL_ALWAYS_CHECK_SUBJECT, NULL), 1); - - /* WOLFSSL_LEFT_MOST_WILDCARD_ONLY flag should fail on all cases, since - * 'a*' alt name does not have wildcard left-most */ - - /* Ensure that "a*" does not match "aaaaa" */ - ExpectIntNE(wolfSSL_X509_check_host(x509, name1, nameLen1, - WOLFSSL_ALWAYS_CHECK_SUBJECT | WOLFSSL_LEFT_MOST_WILDCARD_ONLY, - NULL), WOLFSSL_SUCCESS); - /* Ensure that "a*" does not match "a" */ - ExpectIntNE(wolfSSL_X509_check_host(x509, name2, nameLen2, - WOLFSSL_ALWAYS_CHECK_SUBJECT | WOLFSSL_LEFT_MOST_WILDCARD_ONLY, - NULL), WOLFSSL_SUCCESS); - /* Ensure that "a*" does not match "abbbb" */ - ExpectIntNE(wolfSSL_X509_check_host(x509, name3, nameLen3, - WOLFSSL_ALWAYS_CHECK_SUBJECT | WOLFSSL_LEFT_MOST_WILDCARD_ONLY, - NULL), WOLFSSL_SUCCESS); - /* Ensure that "a*" does not match "bbb" */ - ExpectIntNE(wolfSSL_X509_check_host(x509, name4, nameLen4, - WOLFSSL_ALWAYS_CHECK_SUBJECT | WOLFSSL_LEFT_MOST_WILDCARD_ONLY, - NULL), WOLFSSL_SUCCESS); +#ifndef NO_WOLFSSL_SERVER + ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); +#else + ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); 
+#endif + ExpectTrue(SSL_CTX_use_certificate_file(ctx, svrCertFile, + SSL_FILETYPE_PEM)); + ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, SSL_FILETYPE_PEM)); + ExpectNotNull(ssl = SSL_new(ctx)); - wolfSSL_X509_free(x509); + ExpectNotNull(SSL_get0_param(ssl)); + SSL_free(ssl); + SSL_CTX_free(ctx); #endif return EXPECT_RESULT(); } -static int test_wolfSSL_X509_name_match2(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_RSA) - /* A certificate with the subject alternative name a*b* */ - const unsigned char cert_der[] = { - 0x30, 0x82, 0x03, 0xae, 0x30, 0x82, 0x02, 0x96, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x14, 0x41, 0x8c, 0x8b, 0xaa, 0x0e, 0xd8, 0x5a, 0xc0, 0x52, - 0x46, 0x0e, 0xe5, 0xd8, 0xb9, 0x48, 0x93, 0x7e, 0x8a, 0x7c, 0x65, 0x30, - 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, - 0x05, 0x00, 0x30, 0x77, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, - 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, - 0x04, 0x08, 0x0c, 0x07, 0x4d, 0x6f, 0x6e, 0x74, 0x61, 0x6e, 0x61, 0x31, - 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x07, 0x42, 0x6f, - 0x7a, 0x65, 0x6d, 0x61, 0x6e, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, - 0x04, 0x0a, 0x0c, 0x0b, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x20, - 0x49, 0x6e, 0x63, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0b, - 0x0c, 0x0b, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, - 0x67, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, - 0x77, 0x77, 0x77, 0x2e, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, - 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x32, 0x34, 0x30, 0x35, 0x33, - 0x30, 0x32, 0x30, 0x34, 0x33, 0x34, 0x30, 0x5a, 0x17, 0x0d, 0x33, 0x34, - 0x30, 0x35, 0x32, 0x38, 0x32, 0x30, 0x34, 0x33, 0x34, 0x30, 0x5a, 0x30, - 0x77, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, - 0x55, 0x53, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, - 0x07, 0x4d, 
0x6f, 0x6e, 0x74, 0x61, 0x6e, 0x61, 0x31, 0x10, 0x30, 0x0e, - 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x07, 0x42, 0x6f, 0x7a, 0x65, 0x6d, - 0x61, 0x6e, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, - 0x0b, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x20, 0x49, 0x6e, 0x63, - 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x0b, 0x45, - 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x31, 0x18, - 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x77, 0x77, 0x77, - 0x2e, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, - 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, - 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, - 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xa5, 0x60, 0x80, - 0xf3, 0xee, 0x19, 0xd2, 0xe4, 0x15, 0x94, 0x54, 0x12, 0x88, 0xee, 0xda, - 0x11, 0x11, 0x87, 0x99, 0x88, 0xb3, 0x71, 0xc7, 0x97, 0x78, 0x1b, 0x57, - 0x37, 0x1d, 0x0b, 0x1f, 0x2f, 0x2c, 0x35, 0x13, 0x75, 0xd3, 0x31, 0x3e, - 0x6f, 0x80, 0x21, 0xa5, 0xa3, 0xad, 0x10, 0x81, 0xb6, 0x37, 0xd4, 0x55, - 0x2e, 0xc1, 0xb8, 0x37, 0xa3, 0x3c, 0xe8, 0x81, 0x03, 0x3c, 0xda, 0x5f, - 0x6f, 0x45, 0x32, 0x2b, 0x0e, 0x99, 0x27, 0xfd, 0xe5, 0x6c, 0x07, 0xd9, - 0x4e, 0x0a, 0x8b, 0x23, 0x74, 0x96, 0x25, 0x97, 0xae, 0x6d, 0x19, 0xba, - 0xbf, 0x0f, 0xc8, 0xa1, 0xe5, 0xea, 0xa8, 0x00, 0x09, 0xc3, 0x9a, 0xef, - 0x09, 0x33, 0xc1, 0x33, 0x2e, 0x7b, 0x6d, 0xa7, 0x66, 0x87, 0xb6, 0x3a, - 0xb9, 0xdb, 0x4c, 0x5e, 0xb5, 0x55, 0x69, 0x37, 0x17, 0x92, 0x1f, 0xe3, - 0x53, 0x1a, 0x2d, 0x25, 0xd0, 0xcf, 0x72, 0x37, 0xc2, 0x89, 0x83, 0x78, - 0xcf, 0xac, 0x2e, 0x46, 0x92, 0x5c, 0x4a, 0xba, 0x7d, 0xa0, 0x22, 0x34, - 0xb1, 0x22, 0x26, 0x99, 0xda, 0xe8, 0x97, 0xe2, 0x0c, 0xd3, 0xbc, 0x97, - 0x7e, 0xa8, 0xb9, 0xe3, 0xe2, 0x7f, 0x56, 0xef, 0x22, 0xee, 0x15, 0x95, - 0xa6, 0xd1, 0xf4, 0xa7, 0xac, 0x4a, 0xab, 0xc1, 0x1a, 0xda, 0xc5, 0x5f, - 0xa5, 0x5e, 0x2f, 0x15, 0x9c, 0x36, 0xbe, 0xd3, 0x47, 0xb6, 0x86, 0xb9, - 0xc6, 0x59, 
0x39, 0x36, 0xad, 0x84, 0x53, 0x95, 0x72, 0x91, 0x89, 0x51, - 0x32, 0x77, 0xf1, 0xa5, 0x93, 0xfe, 0xf0, 0x41, 0x7c, 0x64, 0xf1, 0xb0, - 0x8b, 0x81, 0x8d, 0x3a, 0x2c, 0x9e, 0xbe, 0x2e, 0x8b, 0xf7, 0x80, 0x63, - 0x35, 0x32, 0xfa, 0x26, 0xe0, 0x63, 0xbf, 0x5e, 0xaf, 0xf0, 0x08, 0xe0, - 0x80, 0x65, 0x38, 0xfa, 0x21, 0xaa, 0x91, 0x34, 0x48, 0x3d, 0x32, 0x5c, - 0xbf, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x32, 0x30, 0x30, 0x30, 0x0f, - 0x06, 0x03, 0x55, 0x1d, 0x11, 0x04, 0x08, 0x30, 0x06, 0x82, 0x04, 0x61, - 0x2a, 0x62, 0x2a, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, - 0x04, 0x14, 0x3d, 0x55, 0x74, 0xf8, 0x3a, 0x26, 0x03, 0x8c, 0x6a, 0x2e, - 0x91, 0x0e, 0x18, 0x70, 0xb4, 0xa4, 0xcc, 0x04, 0x00, 0xd3, 0x30, 0x0d, - 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, - 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x8f, 0x3b, 0xff, 0x46, 0x0c, 0xb5, - 0x21, 0xdc, 0xcf, 0x61, 0x9a, 0x25, 0x93, 0x99, 0x68, 0x2f, 0x16, 0x71, - 0x15, 0x00, 0x5f, 0xb0, 0x9b, 0x43, 0x5c, 0x47, 0xe2, 0x8e, 0xc8, 0xea, - 0xb3, 0x30, 0x4d, 0x87, 0x90, 0xcf, 0x24, 0x37, 0x5c, 0xfd, 0xc8, 0xc6, - 0x09, 0x36, 0xb2, 0xfb, 0xfd, 0xc1, 0x82, 0x92, 0x77, 0x5b, 0x9d, 0xeb, - 0xac, 0x47, 0xbc, 0xda, 0x7c, 0x89, 0x19, 0x03, 0x9e, 0xcd, 0x96, 0x2a, - 0x90, 0x55, 0x23, 0x19, 0xac, 0x9d, 0x49, 0xfb, 0xa0, 0x31, 0x7d, 0x6b, - 0x1a, 0x16, 0x13, 0xb1, 0xa9, 0xc9, 0xc4, 0xaf, 0xf1, 0xb4, 0xa7, 0x9b, - 0x08, 0x64, 0x6a, 0x09, 0xcd, 0x4a, 0x03, 0x4c, 0x93, 0xb6, 0xcf, 0x29, - 0xdb, 0x56, 0x88, 0x8e, 0xed, 0x08, 0x6d, 0x8d, 0x76, 0xa3, 0xd7, 0xc6, - 0x69, 0xa1, 0xf5, 0xd2, 0xd0, 0x0a, 0x4b, 0xfa, 0x88, 0x66, 0x6c, 0xe5, - 0x4a, 0xee, 0x13, 0xad, 0xad, 0x22, 0x25, 0x73, 0x39, 0x56, 0x74, 0x0e, - 0xda, 0xcd, 0x35, 0x67, 0xe3, 0x81, 0x5c, 0xc5, 0xae, 0x3c, 0x4f, 0x47, - 0x3e, 0x97, 0xde, 0xac, 0xf6, 0xe1, 0x26, 0xe2, 0xe0, 0x66, 0x48, 0x20, - 0x7c, 0x02, 0x81, 0x3e, 0x7d, 0x34, 0xb7, 0x73, 0x3e, 0x2e, 0xd6, 0x20, - 0x1c, 0xdf, 0xf1, 0xae, 0x86, 0x8b, 0xb2, 0xc2, 0x9b, 0x68, 0x9c, 0xf6, - 0x1a, 0x5e, 
0x30, 0x06, 0x39, 0x0a, 0x1f, 0x7b, 0xd7, 0x18, 0x4b, 0x06, - 0x9d, 0xff, 0x84, 0x57, 0xcc, 0x92, 0xad, 0x81, 0x0a, 0x19, 0x11, 0xc4, - 0xac, 0x59, 0x00, 0xe8, 0x5a, 0x70, 0x78, 0xd6, 0x9f, 0xe0, 0x82, 0x2a, - 0x1f, 0x09, 0x36, 0x1c, 0x52, 0x98, 0xf7, 0x95, 0x8f, 0xf9, 0x48, 0x4f, - 0x30, 0x52, 0xb5, 0xf3, 0x8d, 0x13, 0x93, 0x27, 0xbe, 0xb4, 0x75, 0x39, - 0x65, 0xc6, 0x48, 0x4e, 0x32, 0xd7, 0xf4, 0xc3, 0x26, 0x8d - }; +static int test_wolfSSL_set1_host(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_TLS) && \ + (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) && \ + !defined(NO_FILESYSTEM) + const char host[] = "www.test_wolfSSL_set1_host.com"; + const char emptyStr[] = ""; + SSL_CTX* ctx = NULL; + SSL* ssl = NULL; + WOLFSSL_X509_VERIFY_PARAM* pParam = NULL; - WOLFSSL_X509* x509 = NULL; - int certSize = (int)(sizeof(cert_der) / sizeof(unsigned char)); - const char *name1 = "ab"; - int nameLen1 = (int)(XSTRLEN(name1)); - const char *name2 = "acccbccc"; - int nameLen2 = (int)(XSTRLEN(name2)); - const char *name3 = "accb"; - int nameLen3 = (int)(XSTRLEN(name3)); - const char *name4 = "accda"; - int nameLen4 = (int)(XSTRLEN(name4)); - const char *name5 = "acc\0bcc"; - int nameLen5 = 7; - - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_buffer( - cert_der, certSize, WOLFSSL_FILETYPE_ASN1)); - - /* Ensure that "a*b*" matches "ab" */ - ExpectIntEQ(wolfSSL_X509_check_host(x509, name1, nameLen1, - WOLFSSL_ALWAYS_CHECK_SUBJECT, NULL), WOLFSSL_SUCCESS); - /* Ensure that "a*b*" matches "acccbccc" */ - ExpectIntEQ(wolfSSL_X509_check_host(x509, name2, nameLen2, - WOLFSSL_ALWAYS_CHECK_SUBJECT, NULL), WOLFSSL_SUCCESS); - /* Ensure that "a*b*" matches "accb" */ - ExpectIntEQ(wolfSSL_X509_check_host(x509, name3, nameLen3, - WOLFSSL_ALWAYS_CHECK_SUBJECT, NULL), WOLFSSL_SUCCESS); - /* Ensure that "a*b*" does not match "accda" */ - ExpectIntNE(wolfSSL_X509_check_host(x509, name4, nameLen4, - WOLFSSL_ALWAYS_CHECK_SUBJECT, NULL), 
WOLFSSL_SUCCESS); - - /* WOLFSSL_LEFT_MOST_WILDCARD_ONLY flag should fail on all cases, since - * 'a*b*' alt name does not have wildcard left-most */ - ExpectIntEQ(wolfSSL_X509_check_host(x509, name1, nameLen1, - WOLFSSL_ALWAYS_CHECK_SUBJECT | WOLFSSL_LEFT_MOST_WILDCARD_ONLY, - NULL), WOLFSSL_FAILURE); - ExpectIntEQ(wolfSSL_X509_check_host(x509, name2, nameLen2, - WOLFSSL_ALWAYS_CHECK_SUBJECT | WOLFSSL_LEFT_MOST_WILDCARD_ONLY, - NULL), WOLFSSL_FAILURE); - ExpectIntEQ(wolfSSL_X509_check_host(x509, name3, nameLen3, - WOLFSSL_ALWAYS_CHECK_SUBJECT | WOLFSSL_LEFT_MOST_WILDCARD_ONLY, - NULL), WOLFSSL_FAILURE); - ExpectIntEQ(wolfSSL_X509_check_host(x509, name4, nameLen4, - WOLFSSL_ALWAYS_CHECK_SUBJECT | WOLFSSL_LEFT_MOST_WILDCARD_ONLY, - NULL), WOLFSSL_FAILURE); - - /* Ensure that "a*b*" matches "ab", testing openssl behavior replication - * on check len input handling, 0 for len is OK as it should then use - * strlen(name1) */ - ExpectIntEQ(wolfSSL_X509_check_host(x509, name1, 0, - WOLFSSL_ALWAYS_CHECK_SUBJECT, NULL), WOLFSSL_SUCCESS); - /* Openssl also allows for len to include NULL terminator */ - ExpectIntEQ(wolfSSL_X509_check_host(x509, name1, nameLen1 + 1, - WOLFSSL_ALWAYS_CHECK_SUBJECT, NULL), WOLFSSL_SUCCESS); - /* Ensure that check string with NULL terminator in middle is - * rejected */ - ExpectIntNE(wolfSSL_X509_check_host(x509, name5, nameLen5, - WOLFSSL_ALWAYS_CHECK_SUBJECT, NULL), WOLFSSL_SUCCESS); +#ifndef NO_WOLFSSL_SERVER + ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); +#else + ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); +#endif + ExpectTrue(SSL_CTX_use_certificate_file(ctx, svrCertFile, + SSL_FILETYPE_PEM)); + ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, SSL_FILETYPE_PEM)); + ExpectNotNull(ssl = SSL_new(ctx)); - wolfSSL_X509_free(x509); + pParam = SSL_get0_param(ssl); -#endif - return EXPECT_RESULT(); -} + /* we should get back host string */ + ExpectIntEQ(SSL_set1_host(ssl, host), WOLFSSL_SUCCESS); + 
ExpectIntEQ(XMEMCMP(pParam->hostName, host, sizeof(host)), 0); -static int test_wolfSSL_X509_name_match3(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_RSA) - /* A certificate with the subject alternative name *.example.com */ - const unsigned char cert_der[] = { - 0x30, 0x82, 0x03, 0xb7, 0x30, 0x82, 0x02, 0x9f, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x14, 0x59, 0xbb, 0xf6, 0xde, 0xb8, 0x3d, 0x0e, 0x8c, 0xe4, - 0xbd, 0x98, 0xa3, 0xbe, 0x3e, 0x8f, 0xdc, 0xbd, 0x7f, 0xcc, 0xae, 0x30, - 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, - 0x05, 0x00, 0x30, 0x77, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, - 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, - 0x04, 0x08, 0x0c, 0x07, 0x4d, 0x6f, 0x6e, 0x74, 0x61, 0x6e, 0x61, 0x31, - 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x07, 0x42, 0x6f, - 0x7a, 0x65, 0x6d, 0x61, 0x6e, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, - 0x04, 0x0a, 0x0c, 0x0b, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x20, - 0x49, 0x6e, 0x63, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0b, - 0x0c, 0x0b, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, - 0x67, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, - 0x77, 0x77, 0x77, 0x2e, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, - 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x32, 0x34, 0x30, 0x35, 0x33, - 0x31, 0x30, 0x30, 0x33, 0x37, 0x34, 0x39, 0x5a, 0x17, 0x0d, 0x33, 0x34, - 0x30, 0x35, 0x32, 0x39, 0x30, 0x30, 0x33, 0x37, 0x34, 0x39, 0x5a, 0x30, - 0x77, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, - 0x55, 0x53, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, - 0x07, 0x4d, 0x6f, 0x6e, 0x74, 0x61, 0x6e, 0x61, 0x31, 0x10, 0x30, 0x0e, - 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x07, 0x42, 0x6f, 0x7a, 0x65, 0x6d, - 0x61, 0x6e, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, - 0x0b, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x20, 0x49, 
0x6e, 0x63, - 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x0b, 0x45, - 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x31, 0x18, - 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x77, 0x77, 0x77, - 0x2e, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, - 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, - 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, - 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xda, 0x78, 0x16, - 0x05, 0x65, 0xf2, 0x85, 0xf2, 0x61, 0x7f, 0xb1, 0x4d, 0x73, 0xe2, 0x82, - 0xb5, 0x3d, 0xf7, 0x9d, 0x05, 0x65, 0xed, 0x9d, 0xc3, 0x29, 0x7a, 0x92, - 0x2c, 0x06, 0x5f, 0xc8, 0x13, 0x55, 0x42, 0x4e, 0xbd, 0xe2, 0x56, 0x2a, - 0x4b, 0xac, 0xe6, 0x1b, 0x10, 0xc9, 0xdb, 0x9a, 0x45, 0x36, 0xed, 0xf3, - 0x26, 0x8c, 0x22, 0x88, 0x1e, 0x6d, 0x2b, 0x41, 0xfa, 0x0d, 0x43, 0x88, - 0x88, 0xde, 0x8d, 0x2e, 0xca, 0x6e, 0x7c, 0x62, 0x66, 0x3e, 0xfa, 0x4e, - 0x71, 0xea, 0x7d, 0x3b, 0x32, 0x33, 0x5c, 0x7a, 0x7e, 0xea, 0x74, 0xbd, - 0xb6, 0x8f, 0x4c, 0x1c, 0x7a, 0x79, 0x94, 0xf1, 0xe8, 0x02, 0x67, 0x98, - 0x25, 0xb4, 0x31, 0x80, 0xc1, 0xae, 0xbf, 0xef, 0xf2, 0x6c, 0x78, 0x42, - 0xef, 0xb5, 0xc6, 0x01, 0x47, 0x79, 0x8d, 0x92, 0xce, 0xc1, 0xb5, 0x98, - 0x76, 0xf0, 0x84, 0xa2, 0x53, 0x90, 0xe5, 0x39, 0xc7, 0xbd, 0xf2, 0xbb, - 0xe3, 0x3f, 0x00, 0xf6, 0xf0, 0x46, 0x86, 0xee, 0x55, 0xbd, 0x2c, 0x1f, - 0x97, 0x24, 0x7c, 0xbc, 0xda, 0x2f, 0x1b, 0x53, 0xef, 0x26, 0x56, 0xcc, - 0xb7, 0xd8, 0xca, 0x17, 0x20, 0x4e, 0x62, 0x03, 0x66, 0x32, 0xb3, 0xd1, - 0x71, 0x26, 0x6c, 0xff, 0xd1, 0x9e, 0x44, 0x86, 0x2a, 0xae, 0xba, 0x43, - 0x00, 0x13, 0x7e, 0x50, 0xdd, 0x3e, 0x27, 0x39, 0x70, 0x1c, 0x0c, 0x0b, - 0xe8, 0xa2, 0xae, 0x03, 0x09, 0x2e, 0xd8, 0x71, 0xee, 0x7b, 0x1a, 0x09, - 0x2d, 0xe1, 0xd5, 0xde, 0xf5, 0xa3, 0x36, 0x77, 0x90, 0x97, 0x99, 0xd7, - 0x6c, 0xb7, 0x5c, 0x9d, 0xf7, 0x7e, 0x41, 0x89, 0xfe, 0xe4, 0x08, 0xc6, - 0x0b, 0xe4, 0x9b, 0x5f, 0x51, 0xa6, 0x08, 0xb8, 0x99, 0x81, 
0xe9, 0xce, - 0xb4, 0x2d, 0xb2, 0x92, 0x9f, 0xe5, 0x1a, 0x98, 0x76, 0x20, 0x70, 0x54, - 0x93, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x3b, 0x30, 0x39, 0x30, 0x18, - 0x06, 0x03, 0x55, 0x1d, 0x11, 0x04, 0x11, 0x30, 0x0f, 0x82, 0x0d, 0x2a, - 0x2e, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, - 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x60, - 0xd4, 0x26, 0xbb, 0xcc, 0x7c, 0x29, 0xa2, 0x88, 0x3c, 0x76, 0x7d, 0xb4, - 0x86, 0x8b, 0x47, 0x64, 0x5b, 0x87, 0xe0, 0x30, 0x0d, 0x06, 0x09, 0x2a, - 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, - 0x01, 0x01, 0x00, 0xc3, 0x0d, 0x03, 0x67, 0xbb, 0x47, 0x8b, 0xf3, 0x20, - 0xdc, 0x7d, 0x2e, 0xe1, 0xd9, 0xf0, 0x01, 0xc4, 0x66, 0xc2, 0xe1, 0xcd, - 0xc3, 0x4a, 0x72, 0xf0, 0x6e, 0x38, 0xcf, 0x63, 0x01, 0x96, 0x9e, 0x84, - 0xb9, 0xce, 0x1d, 0xba, 0x4b, 0xe0, 0x70, 0x86, 0x2b, 0x5a, 0xab, 0xec, - 0xbf, 0xc2, 0xaa, 0x64, 0xa2, 0x6c, 0xd2, 0x42, 0x52, 0xd4, 0xbe, 0x8a, - 0xca, 0x9c, 0x03, 0xf3, 0xd6, 0x5f, 0xcd, 0x23, 0x9f, 0xf5, 0xa9, 0x04, - 0x40, 0x5b, 0x66, 0x78, 0xc0, 0xac, 0xa1, 0xdb, 0x5d, 0xd1, 0x94, 0xfc, - 0x47, 0x94, 0xf5, 0x45, 0xe3, 0x70, 0x13, 0x3f, 0x66, 0x6d, 0xdd, 0x73, - 0x68, 0x68, 0xe2, 0xd2, 0x89, 0xcb, 0x7f, 0xc6, 0xca, 0xd6, 0x96, 0x0b, - 0xcc, 0xdd, 0xa1, 0x74, 0xda, 0x33, 0xe8, 0x9e, 0xda, 0xb7, 0xd9, 0x12, - 0xab, 0x85, 0x9d, 0x0c, 0xde, 0xa0, 0x7d, 0x7e, 0xa1, 0x91, 0xed, 0xe5, - 0x32, 0x7c, 0xc5, 0xea, 0x1d, 0x4a, 0xb5, 0x38, 0x63, 0x17, 0xf3, 0x4f, - 0x2c, 0x4a, 0x58, 0x86, 0x09, 0x33, 0x86, 0xc4, 0xe7, 0x56, 0x6f, 0x32, - 0x71, 0xb7, 0xd0, 0x83, 0x12, 0x9e, 0x26, 0x0a, 0x3a, 0x45, 0xcb, 0xd7, - 0x4e, 0xab, 0xa4, 0xc3, 0xee, 0x4c, 0xc0, 0x38, 0xa1, 0xfa, 0xba, 0xfa, - 0xb7, 0x80, 0x69, 0x67, 0xa3, 0xef, 0x89, 0xba, 0xce, 0x89, 0x91, 0x3d, - 0x6a, 0x76, 0xe9, 0x3b, 0x32, 0x86, 0x76, 0x85, 0x6b, 0x4f, 0x7f, 0xbc, - 0x7a, 0x5b, 0x31, 0x92, 0x79, 0x35, 0xf8, 0xb9, 0xb1, 0xd7, 0xdb, 0xa9, - 0x6a, 0x8a, 0x91, 0x60, 0x65, 0xd4, 0x76, 0x54, 0x55, 0x57, 
0xb9, 0x35, - 0xe0, 0xf5, 0xbb, 0x8f, 0xd4, 0x40, 0x75, 0xbb, 0x47, 0xa8, 0xf9, 0x0f, - 0xea, 0xc9, 0x6e, 0x84, 0xd5, 0xf5, 0x58, 0x2d, 0xe5, 0x76, 0x7b, 0xdf, - 0x97, 0x05, 0x5e, 0xaf, 0x50, 0xf5, 0x48 - }; + /* we should get back empty string */ + ExpectIntEQ(SSL_set1_host(ssl, emptyStr), WOLFSSL_SUCCESS); + ExpectIntEQ(XMEMCMP(pParam->hostName, emptyStr, sizeof(emptyStr)), 0); - WOLFSSL_X509* x509 = NULL; - int certSize = (int)(sizeof(cert_der) / sizeof(unsigned char)); - const char *name1 = "foo.example.com"; - int nameLen1 = (int)(XSTRLEN(name1)); - const char *name2 = "x.y.example.com"; - int nameLen2 = (int)(XSTRLEN(name2)); - const char *name3 = "example.com"; - int nameLen3 = (int)(XSTRLEN(name3)); - - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_buffer( - cert_der, certSize, WOLFSSL_FILETYPE_ASN1)); - - /* Ensure that "*.example.com" matches "foo.example.com" */ - ExpectIntEQ(wolfSSL_X509_check_host(x509, name1, nameLen1, - WOLFSSL_ALWAYS_CHECK_SUBJECT, NULL), WOLFSSL_SUCCESS); - /* Ensure that "*.example.com" does NOT match "x.y.example.com" */ - ExpectIntNE(wolfSSL_X509_check_host(x509, name2, nameLen2, - WOLFSSL_ALWAYS_CHECK_SUBJECT, NULL), WOLFSSL_SUCCESS); - /* Ensure that "*.example.com" does NOT match "example.com" */ - ExpectIntNE(wolfSSL_X509_check_host(x509, name3, nameLen3, - WOLFSSL_ALWAYS_CHECK_SUBJECT, NULL), WOLFSSL_SUCCESS); - - /* WOLFSSL_LEFT_MOST_WILDCARD_ONLY, should match "foo.example.com" */ - ExpectIntEQ(wolfSSL_X509_check_host(x509, name1, nameLen1, - WOLFSSL_ALWAYS_CHECK_SUBJECT | WOLFSSL_LEFT_MOST_WILDCARD_ONLY, - NULL), WOLFSSL_SUCCESS); - /* WOLFSSL_LEFT_MOST_WILDCARD_ONLY, should NOT match "x.y.example.com" */ - ExpectIntNE(wolfSSL_X509_check_host(x509, name2, nameLen2, - WOLFSSL_ALWAYS_CHECK_SUBJECT | WOLFSSL_LEFT_MOST_WILDCARD_ONLY, - NULL), WOLFSSL_SUCCESS); - /* WOLFSSL_LEFT_MOST_WILDCARD_ONLY, should NOT match "example.com" */ - ExpectIntNE(wolfSSL_X509_check_host(x509, name3, nameLen3, - 
WOLFSSL_ALWAYS_CHECK_SUBJECT | WOLFSSL_LEFT_MOST_WILDCARD_ONLY, - NULL), WOLFSSL_SUCCESS); + /* we should get back host string */ + ExpectIntEQ(SSL_set1_host(ssl, host), WOLFSSL_SUCCESS); + ExpectIntEQ(XMEMCMP(pParam->hostName, host, sizeof(host)), 0); - wolfSSL_X509_free(x509); + /* we should get back empty string */ + ExpectIntEQ(SSL_set1_host(ssl, NULL), WOLFSSL_SUCCESS); + ExpectIntEQ(XMEMCMP(pParam->hostName, emptyStr, sizeof(emptyStr)), 0); + SSL_free(ssl); + SSL_CTX_free(ctx); #endif return EXPECT_RESULT(); } -static int test_wolfSSL_X509_max_altnames(void) +#if defined(OPENSSL_ALL) && !defined(NO_RSA) && !defined(NO_CERTS) && \ + !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) && \ + defined(HAVE_ECC) && !defined(NO_TLS) && defined(HAVE_AESGCM) +static int test_wolfSSL_get_client_ciphers_ctx_ready(WOLFSSL_CTX* ctx) { EXPECT_DECLS; -#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_TLS) && \ - !defined(NO_RSA) + ExpectTrue(wolfSSL_CTX_set_cipher_list(ctx, "ECDHE-RSA-AES128-GCM-SHA256")); + return EXPECT_RESULT(); +} - /* Only test if max alt names has not been modified */ -#if WOLFSSL_MAX_ALT_NAMES <= 1024 - WOLFSSL_CTX* ctx = NULL; - /* File contains a certificate encoded with 130 subject alternative names */ - const char* over_max_altnames_cert = \ - "./certs/test/cert-over-max-altnames.pem"; +static int test_wolfSSL_get_client_ciphers_on_result(WOLFSSL* ssl) { + EXPECT_DECLS; + WOLF_STACK_OF(WOLFSSL_CIPHER)* ciphers; -#ifndef NO_WOLFSSL_SERVER - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); -#else - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); -#endif + ciphers = SSL_get_client_ciphers(ssl); + if (wolfSSL_is_server(ssl) == 0) { + ExpectNull(ciphers); + } + else { + WOLFSSL_CIPHER* current; - ExpectIntNE(wolfSSL_CTX_load_verify_locations_ex(ctx, - over_max_altnames_cert, NULL, WOLFSSL_LOAD_FLAG_NONE), - WOLFSSL_SUCCESS); - wolfSSL_CTX_free(ctx); -#endif -#endif + /* client should have only 
sent over one cipher suite */ + ExpectNotNull(ciphers); + ExpectIntEQ(sk_SSL_CIPHER_num(ciphers), 1); + current = sk_SSL_CIPHER_value(ciphers, 0); + ExpectNotNull(current); + #if !defined(WOLFSSL_CIPHER_INTERNALNAME) && !defined(NO_ERROR_STRINGS) && \ + !defined(WOLFSSL_QT) + ExpectStrEQ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", + SSL_CIPHER_get_name(current)); + #else + ExpectStrEQ("ECDHE-RSA-AES128-GCM-SHA256", + SSL_CIPHER_get_name(current)); + #endif + } return EXPECT_RESULT(); } +#endif -static int test_wolfSSL_X509_max_name_constraints(void) +static int test_wolfSSL_get_client_ciphers(void) { EXPECT_DECLS; -#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_TLS) && \ - !defined(NO_RSA) && !defined(IGNORE_NAME_CONSTRAINTS) - - /* Only test if max name constraints has not been modified */ -#if WOLFSSL_MAX_NAME_CONSTRAINTS == 128 - - WOLFSSL_CTX* ctx = NULL; - /* File contains a certificate with 130 name constraints */ - const char* over_max_nc = "./certs/test/cert-over-max-nc.pem"; - -#ifndef NO_WOLFSSL_SERVER - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); -#else - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); -#endif +#if defined(OPENSSL_ALL) && !defined(NO_RSA) && !defined(NO_CERTS) && \ + !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) && \ + defined(HAVE_ECC) && !defined(NO_TLS) && defined(HAVE_AESGCM) + test_ssl_cbf server_cb; + test_ssl_cbf client_cb; - ExpectIntNE(wolfSSL_CTX_load_verify_locations_ex(ctx, over_max_nc, - NULL, WOLFSSL_LOAD_FLAG_NONE), WOLFSSL_SUCCESS); - wolfSSL_CTX_free(ctx); -#endif + XMEMSET(&client_cb, 0, sizeof(test_ssl_cbf)); + XMEMSET(&server_cb, 0, sizeof(test_ssl_cbf)); + client_cb.method = wolfTLSv1_2_client_method; + server_cb.method = wolfTLSv1_2_server_method; + client_cb.devId = testDevId; + server_cb.devId = testDevId; + client_cb.ctx_ready = test_wolfSSL_get_client_ciphers_ctx_ready; + client_cb.on_result = test_wolfSSL_get_client_ciphers_on_result; + 
server_cb.on_result = test_wolfSSL_get_client_ciphers_on_result; + ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cb, + &server_cb, NULL), TEST_SUCCESS); #endif return EXPECT_RESULT(); } -static int test_wolfSSL_X509(void) +static int test_wolfSSL_CTX_set_client_CA_list(void) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_FILESYSTEM) && \ - !defined(NO_RSA) - X509* x509 = NULL; -#ifndef NO_BIO - BIO* bio = NULL; - X509_STORE_CTX* ctx = NULL; - X509_STORE* store = NULL; -#endif - char der[] = "certs/ca-cert.der"; - XFILE fp = XBADFILE; - int derSz = 0; +#if defined(OPENSSL_ALL) && !defined(NO_RSA) && !defined(NO_CERTS) && \ + !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) && \ + !defined(NO_BIO) && !defined(NO_TLS) + WOLFSSL_CTX* ctx = NULL; + WOLFSSL* ssl = NULL; + X509_NAME* name = NULL; + STACK_OF(X509_NAME)* names = NULL; + STACK_OF(X509_NAME)* ca_list = NULL; + int names_len = 0; + int i; -#ifndef NO_BIO - ExpectNotNull(bio = BIO_new(BIO_s_mem())); -#endif + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); + /* Send two X501 names in cert request */ + names = SSL_load_client_CA_file(cliCertFile); + ExpectNotNull(names); + ca_list = SSL_load_client_CA_file(caCertFile); + ExpectNotNull(ca_list); + ExpectNotNull(name = sk_X509_NAME_value(ca_list, 0)); + ExpectIntEQ(sk_X509_NAME_push(names, name), 2); + if (EXPECT_FAIL()) { + wolfSSL_X509_NAME_free(name); + name = NULL; + } + SSL_CTX_set_client_CA_list(ctx, names); + /* This should only free the stack structure */ + sk_X509_NAME_free(ca_list); + ca_list = NULL; + ExpectNotNull(ca_list = SSL_CTX_get_client_CA_list(ctx)); + ExpectIntEQ(sk_X509_NAME_num(ca_list), sk_X509_NAME_num(names)); - ExpectNotNull(x509 = X509_new()); - ExpectNull(wolfSSL_X509_get_der(x509, &derSz)); -#if !defined(NO_BIO) && defined(WOLFSSL_CERT_GEN) - ExpectIntEQ(i2d_X509_bio(bio, x509), WOLFSSL_FAILURE); -#endif - ExpectNull(wolfSSL_X509_dup(x509)); - X509_free(x509); 
- x509 = NULL; + ExpectIntEQ(sk_X509_NAME_find(NULL, name), BAD_FUNC_ARG); + ExpectIntEQ(sk_X509_NAME_find(names, NULL), WOLFSSL_FATAL_ERROR); + ExpectIntGT((names_len = sk_X509_NAME_num(names)), 0); + for (i = 0; i < names_len; i++) { + ExpectNotNull(name = sk_X509_NAME_value(names, i)); + ExpectIntEQ(sk_X509_NAME_find(names, name), i); + } -#ifndef NO_BIO - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFile, + /* Needed to be able to create ssl object */ + ExpectTrue(SSL_CTX_use_certificate_file(ctx, svrCertFile, SSL_FILETYPE_PEM)); + ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, SSL_FILETYPE_PEM)); + ExpectNotNull(ssl = wolfSSL_new(ctx)); + /* load again as old names are responsibility of ctx to free*/ + names = SSL_load_client_CA_file(cliCertFile); + ExpectNotNull(names); + SSL_set_client_CA_list(ssl, names); + ExpectNotNull(ca_list = SSL_get_client_CA_list(ssl)); + ExpectIntEQ(sk_X509_NAME_num(ca_list), sk_X509_NAME_num(names)); -#ifdef WOLFSSL_CERT_GEN - ExpectIntEQ(i2d_X509_bio(NULL, NULL), WOLFSSL_FAILURE); - ExpectIntEQ(i2d_X509_bio(bio, NULL), WOLFSSL_FAILURE); - ExpectIntEQ(i2d_X509_bio(NULL, x509), WOLFSSL_FAILURE); - ExpectIntEQ(i2d_X509_bio(bio, x509), SSL_SUCCESS); -#endif + ExpectIntGT((names_len = sk_X509_NAME_num(names)), 0); + for (i = 0; i < names_len; i++) { + ExpectNotNull(name = sk_X509_NAME_value(names, i)); + ExpectIntEQ(sk_X509_NAME_find(names, name), i); + } - ExpectNotNull(ctx = X509_STORE_CTX_new()); +#if !defined(SINGLE_THREADED) && defined(SESSION_CERTS) + { + tcp_ready ready; + func_args server_args; + callback_functions server_cb; + THREAD_TYPE serverThread; + WOLFSSL* ssl_client = NULL; + WOLFSSL_CTX* ctx_client = NULL; + SOCKET_T sockfd = 0; - ExpectIntEQ(X509_verify_cert(ctx), WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); - ExpectNotNull(wolfSSL_X509_verify_cert_error_string(CRL_MISSING)); + /* wolfSSL_get_client_CA_list() with handshake */ - ExpectNotNull(store = X509_STORE_new()); - 
ExpectIntEQ(X509_STORE_add_cert(store, x509), SSL_SUCCESS); - ExpectIntEQ(X509_STORE_CTX_init(ctx, store, x509, NULL), SSL_SUCCESS); - ExpectIntEQ(X509_verify_cert(ctx), SSL_SUCCESS); + StartTCP(); + InitTcpReady(&ready); -#ifndef NO_WOLFSSL_STUB - ExpectNull(X509_get_default_cert_file_env()); - ExpectNull(X509_get_default_cert_file()); - ExpectNull(X509_get_default_cert_dir_env()); - ExpectNull(X509_get_default_cert_dir()); -#endif + XMEMSET(&server_args, 0, sizeof(func_args)); + XMEMSET(&server_cb, 0, sizeof(callback_functions)); - ExpectNull(wolfSSL_X509_get_der(NULL, NULL)); - ExpectNull(wolfSSL_X509_get_der(x509, NULL)); - ExpectNull(wolfSSL_X509_get_der(NULL, &derSz)); + server_args.signal = &ready; + server_args.callbacks = &server_cb; - ExpectIntEQ(wolfSSL_X509_version(NULL), 0); - ExpectIntEQ(wolfSSL_X509_version(x509), 3); + /* we are responsible for free'ing WOLFSSL_CTX */ + server_cb.ctx = ctx; + server_cb.isSharedCtx = 1; - X509_STORE_CTX_free(ctx); - X509_STORE_free(store); - X509_free(x509); - x509 = NULL; - BIO_free(bio); - bio = NULL; -#endif + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_load_verify_locations(ctx, + cliCertFile, 0)); - /** d2i_X509_fp test **/ - ExpectTrue((fp = XFOPEN(der, "rb")) != XBADFILE); - ExpectNotNull(x509 = (X509 *)d2i_X509_fp(fp, (X509 **)NULL)); - ExpectNotNull(x509); + start_thread(test_server_nofail, &server_args, &serverThread); + wait_tcp_ready(&server_args); -#ifdef HAVE_EX_DATA_CRYPTO - ExpectIntEQ(wolfSSL_X509_get_ex_new_index(1, NULL, NULL, NULL, NULL), 0); -#endif - ExpectNull(wolfSSL_X509_get_ex_data(NULL, 1)); - ExpectNull(wolfSSL_X509_get_ex_data(x509, 1)); -#ifdef HAVE_EX_DATA - ExpectIntEQ(wolfSSL_X509_set_ex_data(NULL, 1, der), 0); - ExpectIntEQ(wolfSSL_X509_set_ex_data(x509, 1, der), 1); - ExpectPtrEq(wolfSSL_X509_get_ex_data(x509, 1), der); -#else - ExpectIntEQ(wolfSSL_X509_set_ex_data(NULL, 1, der), 0); - ExpectIntEQ(wolfSSL_X509_set_ex_data(x509, 1, der), 0); - ExpectNull(wolfSSL_X509_get_ex_data(x509, 
1)); -#endif + tcp_connect(&sockfd, wolfSSLIP, server_args.signal->port, 0, 0, NULL); + ExpectNotNull(ctx_client = + wolfSSL_CTX_new(wolfTLSv1_2_client_method())); + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_load_verify_locations( + ctx_client, caCertFile, 0)); + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_use_certificate_file( + ctx_client, cliCertFile, SSL_FILETYPE_PEM)); + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_use_PrivateKey_file( + ctx_client, cliKeyFile, SSL_FILETYPE_PEM)); - X509_free(x509); - x509 = NULL; - if (fp != XBADFILE) { - XFCLOSE(fp); - fp = XBADFILE; - } - ExpectTrue((fp = XFOPEN(der, "rb")) != XBADFILE); - ExpectNull((X509 *)d2i_X509_fp(XBADFILE, (X509 **)&x509)); - ExpectNotNull((X509 *)d2i_X509_fp(fp, (X509 **)&x509)); - ExpectNotNull(x509); - X509_free(x509); - x509 = NULL; - if (fp != XBADFILE) - XFCLOSE(fp); + ExpectNotNull(ssl_client = wolfSSL_new(ctx_client)); + ExpectIntEQ(wolfSSL_set_fd(ssl_client, sockfd), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_connect(ssl_client), WOLFSSL_SUCCESS); -#ifndef NO_BIO - ExpectNotNull(bio = BIO_new_file(der, "rb")); - ExpectNull(d2i_X509_bio(NULL, &x509)); - ExpectNotNull(x509 = d2i_X509_bio(bio, NULL)); - ExpectNotNull(x509); - X509_free(x509); - BIO_free(bio); - bio = NULL; -#endif + ExpectNotNull(ca_list = SSL_get_client_CA_list(ssl_client)); + /* We are expecting two cert names to be sent */ + ExpectIntEQ(sk_X509_NAME_num(ca_list), 2); + + ExpectNotNull(names = SSL_CTX_get_client_CA_list(ctx)); + for (i=0; icallbacks; + WOLFSSL_CTX* ctx = callbacks->ctx; + WOLFSSL* ssl = NULL; + SOCKET_T sfd = 0; + SOCKET_T cfd = 0; + word16 port; + char input[1024]; + int idx; + int ret, err = 0; + const char* privateName = "ech-private-name.com"; + int privateNameLen = (int)XSTRLEN(privateName); - /* Get the stack of extensions */ - ExpectNotNull(ext_stack = wolfSSL_X509_get0_extensions(x509)); + ((func_args*)args)->return_code = TEST_FAIL; + port = ((func_args*)args)->signal->port; - /* Test X509v3_get_ext_count */ - 
ExpectIntGT((count = X509v3_get_ext_count(ext_stack)), 0); + AssertIntEQ(WOLFSSL_SUCCESS, + wolfSSL_CTX_load_verify_locations(ctx, cliCertFile, 0)); - /* Test X509v3_get_ext_by_NID - find Basic Constraints extension */ - ExpectIntGE((idx = X509v3_get_ext_by_NID(ext_stack, NID_basic_constraints, - -1)), 0); + AssertIntEQ(WOLFSSL_SUCCESS, + wolfSSL_CTX_use_certificate_file(ctx, svrCertFile, + WOLFSSL_FILETYPE_PEM)); - /* Test X509v3_get_ext - get extension by index */ - ExpectNotNull(ext = X509v3_get_ext(ext_stack, idx)); + AssertIntEQ(WOLFSSL_SUCCESS, + wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, + WOLFSSL_FILETYPE_PEM)); - /* Verify that the extension is the correct one */ - ExpectIntEQ(wolfSSL_OBJ_obj2nid(wolfSSL_X509_EXTENSION_get_object(ext)), - NID_basic_constraints); + if (callbacks->ctx_ready) + callbacks->ctx_ready(ctx); - /* Test negative cases */ - ExpectIntEQ(X509v3_get_ext_by_NID(NULL, NID_basic_constraints, -1), - WOLFSSL_FATAL_ERROR); - ExpectNull(X509v3_get_ext(NULL, 0)); - ExpectNull(X509v3_get_ext(ext_stack, -1)); - ExpectNull(X509v3_get_ext(ext_stack, count)); + ssl = wolfSSL_new(ctx); - wolfSSL_X509_free(x509); -#endif - return EXPECT_RESULT(); -} + /* set the sni for the server */ + wolfSSL_UseSNI(ssl, WOLFSSL_SNI_HOST_NAME, privateName, privateNameLen); -static int test_wolfSSL_X509_sign2(void) -{ - EXPECT_DECLS; - /* test requires WOLFSSL_AKID_NAME to match expected output */ -#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_CERTS) && \ - defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_ALT_NAMES) && \ - defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_AKID_NAME) && \ - (defined(WOLFSSL_QT) || defined(OPENSSL_ALL) || \ - defined(WOLFSSL_IP_ALT_NAME)) - WOLFSSL_X509 *x509 = NULL; - WOLFSSL_X509 *ca = NULL; - const unsigned char *der = NULL; - const unsigned char *pt = NULL; - WOLFSSL_EVP_PKEY *priv = NULL; - WOLFSSL_X509_NAME *name = NULL; - int derSz; -#ifndef NO_ASN_TIME - WOLFSSL_ASN1_TIME *notBefore = NULL; - WOLFSSL_ASN1_TIME 
*notAfter = NULL; + tcp_accept(&sfd, &cfd, (func_args*)args, port, 0, 0, 0, 0, 1, NULL, NULL); + CloseSocket(sfd); + AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_set_fd(ssl, cfd)); - const int year = 365*24*60*60; - const int day = 24*60*60; - const int hour = 60*60; - const int mini = 60; - time_t t; -#endif + if (callbacks->ssl_ready) + callbacks->ssl_ready(ssl); - const unsigned char expected[] = { - 0x30, 0x82, 0x05, 0x13, 0x30, 0x82, 0x03, 0xFB, 0xA0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x14, 0x6B, 0x61, 0x49, 0x45, 0xFF, 0x4A, 0xD1, 0x54, 0x16, - 0xB4, 0x35, 0x37, 0xC4, 0x98, 0x5D, 0xA9, 0xF6, 0x67, 0x60, 0x91, 0x30, - 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, - 0x05, 0x00, 0x30, 0x81, 0x94, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, - 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, - 0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61, - 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, 0x07, 0x42, - 0x6F, 0x7A, 0x65, 0x6D, 0x61, 0x6E, 0x31, 0x11, 0x30, 0x0F, 0x06, 0x03, - 0x55, 0x04, 0x0A, 0x0C, 0x08, 0x53, 0x61, 0x77, 0x74, 0x6F, 0x6F, 0x74, - 0x68, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x0A, - 0x43, 0x6F, 0x6E, 0x73, 0x75, 0x6C, 0x74, 0x69, 0x6E, 0x67, 0x31, 0x18, - 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77, 0x77, 0x77, - 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, - 0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, - 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, - 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x30, 0x1E, 0x17, - 0x0D, 0x30, 0x30, 0x30, 0x32, 0x31, 0x35, 0x32, 0x30, 0x33, 0x30, 0x30, - 0x30, 0x5A, 0x17, 0x0D, 0x30, 0x31, 0x30, 0x32, 0x31, 0x34, 0x32, 0x30, - 0x33, 0x30, 0x30, 0x30, 0x5A, 0x30, 0x81, 0x9E, 0x31, 0x0B, 0x30, 0x09, - 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, - 0x0E, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 
0x07, 0x4D, 0x6F, 0x6E, 0x74,
- 0x61, 0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x07,
- 0x0C, 0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D, 0x61, 0x6E, 0x31, 0x15, 0x30,
- 0x13, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x0C, 0x77, 0x6F, 0x6C, 0x66,
- 0x53, 0x53, 0x4C, 0x5F, 0x32, 0x30, 0x34, 0x38, 0x31, 0x19, 0x30, 0x17,
- 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x10, 0x50, 0x72, 0x6F, 0x67, 0x72,
- 0x61, 0x6D, 0x6D, 0x69, 0x6E, 0x67, 0x2D, 0x32, 0x30, 0x34, 0x38, 0x31,
- 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77, 0x77,
- 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F,
- 0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7,
- 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77,
- 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x30, 0x82,
- 0x01, 0x22, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D,
- 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0F, 0x00, 0x30, 0x82,
- 0x01, 0x0A, 0x02, 0x82, 0x01, 0x01, 0x00, 0xC3, 0x03, 0xD1, 0x2B, 0xFE,
- 0x39, 0xA4, 0x32, 0x45, 0x3B, 0x53, 0xC8, 0x84, 0x2B, 0x2A, 0x7C, 0x74,
- 0x9A, 0xBD, 0xAA, 0x2A, 0x52, 0x07, 0x47, 0xD6, 0xA6, 0x36, 0xB2, 0x07,
- 0x32, 0x8E, 0xD0, 0xBA, 0x69, 0x7B, 0xC6, 0xC3, 0x44, 0x9E, 0xD4, 0x81,
- 0x48, 0xFD, 0x2D, 0x68, 0xA2, 0x8B, 0x67, 0xBB, 0xA1, 0x75, 0xC8, 0x36,
- 0x2C, 0x4A, 0xD2, 0x1B, 0xF7, 0x8B, 0xBA, 0xCF, 0x0D, 0xF9, 0xEF, 0xEC,
- 0xF1, 0x81, 0x1E, 0x7B, 0x9B, 0x03, 0x47, 0x9A, 0xBF, 0x65, 0xCC, 0x7F,
- 0x65, 0x24, 0x69, 0xA6, 0xE8, 0x14, 0x89, 0x5B, 0xE4, 0x34, 0xF7, 0xC5,
- 0xB0, 0x14, 0x93, 0xF5, 0x67, 0x7B, 0x3A, 0x7A, 0x78, 0xE1, 0x01, 0x56,
- 0x56, 0x91, 0xA6, 0x13, 0x42, 0x8D, 0xD2, 0x3C, 0x40, 0x9C, 0x4C, 0xEF,
- 0xD1, 0x86, 0xDF, 0x37, 0x51, 0x1B, 0x0C, 0xA1, 0x3B, 0xF5, 0xF1, 0xA3,
- 0x4A, 0x35, 0xE4, 0xE1, 0xCE, 0x96, 0xDF, 0x1B, 0x7E, 0xBF, 0x4E, 0x97,
- 0xD0, 0x10, 0xE8, 0xA8, 0x08, 0x30, 0x81, 0xAF, 0x20, 0x0B, 0x43, 0x14,
- 0xC5, 0x74, 0x67, 0xB4, 0x32, 0x82, 0x6F,
0x8D, 0x86, 0xC2, 0x88, 0x40,
- 0x99, 0x36, 0x83, 0xBA, 0x1E, 0x40, 0x72, 0x22, 0x17, 0xD7, 0x52, 0x65,
- 0x24, 0x73, 0xB0, 0xCE, 0xEF, 0x19, 0xCD, 0xAE, 0xFF, 0x78, 0x6C, 0x7B,
- 0xC0, 0x12, 0x03, 0xD4, 0x4E, 0x72, 0x0D, 0x50, 0x6D, 0x3B, 0xA3, 0x3B,
- 0xA3, 0x99, 0x5E, 0x9D, 0xC8, 0xD9, 0x0C, 0x85, 0xB3, 0xD9, 0x8A, 0xD9,
- 0x54, 0x26, 0xDB, 0x6D, 0xFA, 0xAC, 0xBB, 0xFF, 0x25, 0x4C, 0xC4, 0xD1,
- 0x79, 0xF4, 0x71, 0xD3, 0x86, 0x40, 0x18, 0x13, 0xB0, 0x63, 0xB5, 0x72,
- 0x4E, 0x30, 0xC4, 0x97, 0x84, 0x86, 0x2D, 0x56, 0x2F, 0xD7, 0x15, 0xF7,
- 0x7F, 0xC0, 0xAE, 0xF5, 0xFC, 0x5B, 0xE5, 0xFB, 0xA1, 0xBA, 0xD3, 0x02,
- 0x03, 0x01, 0x00, 0x01, 0xA3, 0x82, 0x01, 0x4F, 0x30, 0x82, 0x01, 0x4B,
- 0x30, 0x0C, 0x06, 0x03, 0x55, 0x1D, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01,
- 0x01, 0xFF, 0x30, 0x1C, 0x06, 0x03, 0x55, 0x1D, 0x11, 0x04, 0x15, 0x30,
- 0x13, 0x82, 0x0B, 0x65, 0x78, 0x61, 0x6D, 0x70, 0x6C, 0x65, 0x2E, 0x63,
- 0x6F, 0x6D, 0x87, 0x04, 0x7F, 0x00, 0x00, 0x01, 0x30, 0x1D, 0x06, 0x03,
- 0x55, 0x1D, 0x0E, 0x04, 0x16, 0x04, 0x14, 0x33, 0xD8, 0x45, 0x66, 0xD7,
- 0x68, 0x87, 0x18, 0x7E, 0x54, 0x0D, 0x70, 0x27, 0x91, 0xC7, 0x26, 0xD7,
- 0x85, 0x65, 0xC0, 0x30, 0x81, 0xDE, 0x06, 0x03, 0x55, 0x1D, 0x23, 0x04,
- 0x81, 0xD6, 0x30, 0x81, 0xD3, 0x80, 0x14, 0x33, 0xD8, 0x45, 0x66, 0xD7,
- 0x68, 0x87, 0x18, 0x7E, 0x54, 0x0D, 0x70, 0x27, 0x91, 0xC7, 0x26, 0xD7,
- 0x85, 0x65, 0xC0, 0xA1, 0x81, 0xA4, 0xA4, 0x81, 0xA1, 0x30, 0x81, 0x9E,
- 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55,
- 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x07,
- 0x4D, 0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E, 0x06,
- 0x03, 0x55, 0x04, 0x07, 0x0C, 0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D, 0x61,
- 0x6E, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x0C,
- 0x77, 0x6F, 0x6C, 0x66, 0x53, 0x53, 0x4C, 0x5F, 0x32, 0x30, 0x34, 0x38,
- 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x10, 0x50,
- 0x72, 0x6F, 0x67, 0x72, 0x61, 0x6D, 0x6D,
0x69, 0x6E, 0x67, 0x2D, 0x32,
- 0x30, 0x34, 0x38, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03,
- 0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73,
- 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A,
- 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E,
- 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63,
- 0x6F, 0x6D, 0x82, 0x14, 0x6B, 0x61, 0x49, 0x45, 0xFF, 0x4A, 0xD1, 0x54,
- 0x16, 0xB4, 0x35, 0x37, 0xC4, 0x98, 0x5D, 0xA9, 0xF6, 0x67, 0x60, 0x91,
- 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x25, 0x04, 0x16, 0x30, 0x14, 0x06,
- 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01, 0x06, 0x08, 0x2B,
- 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x02, 0x30, 0x0D, 0x06, 0x09, 0x2A,
- 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x03, 0x82,
- 0x01, 0x01, 0x00, 0x2F, 0x9F, 0x83, 0x05, 0x15, 0x1E, 0x5D, 0x7C, 0x22,
- 0x12, 0x20, 0xEE, 0x07, 0x35, 0x25, 0x39, 0xDD, 0x34, 0x06, 0xD3, 0x89,
- 0x31, 0x51, 0x8B, 0x9A, 0xE5, 0xE8, 0x60, 0x30, 0x07, 0x7A, 0xBB, 0x17,
- 0xB9, 0x54, 0x72, 0x83, 0xA2, 0x1F, 0x62, 0xE0, 0x18, 0xAC, 0x93, 0x5E,
- 0x63, 0xC7, 0xDD, 0x12, 0x58, 0x96, 0xC7, 0x90, 0x8B, 0x12, 0x50, 0xD2,
- 0x60, 0x0E, 0x24, 0x07, 0x53, 0x55, 0xD7, 0x8E, 0xC9, 0x56, 0x12, 0x28,
- 0xD8, 0xFD, 0x47, 0xE3, 0x13, 0xFB, 0x3C, 0xD6, 0x3D, 0x82, 0x09, 0x7E,
- 0x10, 0x19, 0xE1, 0xCD, 0xCC, 0x4C, 0x78, 0xDF, 0xE5, 0xFB, 0x2C, 0x8C,
- 0x88, 0xF7, 0x5B, 0x99, 0x93, 0xC6, 0xC7, 0x22, 0xA5, 0xFA, 0x76, 0x6C,
- 0xE9, 0xBC, 0x69, 0xBA, 0x02, 0x82, 0x18, 0xAF, 0x47, 0xD0, 0x9C, 0x5F,
- 0xED, 0xAE, 0x5A, 0x95, 0x59, 0x78, 0x86, 0x24, 0x22, 0xB6, 0x81, 0x03,
- 0x58, 0x9A, 0x14, 0x93, 0xDC, 0x24, 0x58, 0xF3, 0xD2, 0x6C, 0x8E, 0xD2,
- 0x6D, 0x8B, 0xE8, 0x4E, 0xC6, 0xA0, 0x2B, 0x0D, 0xDB, 0x1A, 0x76, 0x28,
- 0xA9, 0x8D, 0xFB, 0x51, 0xA6, 0xF0, 0x82, 0x30, 0xEE, 0x78, 0x1C, 0x71,
- 0xA8, 0x11, 0x8A, 0xA5, 0xC3, 0x91, 0xAB, 0x9A, 0x46, 0xFF, 0x8D, 0xCD,
- 0x82, 0x3F, 0x5D, 0xB6, 0x28, 0x46, 0x6D,
0x66, 0xE2, 0xEE, 0x1E, 0x82, - 0x0D, 0x1A, 0x74, 0x87, 0xFB, 0xFD, 0x96, 0x26, 0x50, 0x09, 0xEC, 0xA7, - 0x73, 0x89, 0x43, 0x3B, 0x42, 0x2D, 0xA9, 0x6B, 0x0F, 0x61, 0x81, 0x97, - 0x11, 0x71, 0xF9, 0xDB, 0x9B, 0x69, 0x4B, 0x6E, 0xD3, 0x7D, 0xDA, 0xC6, - 0x61, 0x9F, 0x39, 0x87, 0x53, 0x52, 0xA8, 0x4D, 0xAD, 0x80, 0x29, 0x6C, - 0x19, 0xF0, 0x8D, 0xB1, 0x0D, 0x4E, 0xFB, 0x1B, 0xB7, 0xF1, 0x85, 0x49, - 0x08, 0x2A, 0x94, 0xD0, 0x4E, 0x0B, 0x8F - }; + do { + err = 0; /* Reset error */ + ret = wolfSSL_accept(ssl); + if (ret != WOLFSSL_SUCCESS) { + err = wolfSSL_get_error(ssl, 0); + } + } while (ret != WOLFSSL_SUCCESS && err == WC_NO_ERR_TRACE(WC_PENDING_E)); - pt = ca_key_der_2048; - ExpectNotNull(priv = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL, &pt, - sizeof_ca_key_der_2048)); + if (ret != WOLFSSL_SUCCESS) { + char buff[WOLFSSL_MAX_ERROR_SZ]; + fprintf(stderr, "error = %d, %s\n", err, wolfSSL_ERR_error_string(err, buff)); + } + else { + if (0 < (idx = wolfSSL_read(ssl, input, sizeof(input)-1))) { + input[idx] = 0; + fprintf(stderr, "Client message: %s\n", input); + } - pt = client_cert_der_2048; - ExpectNotNull(x509 = wolfSSL_d2i_X509(NULL, &pt, - sizeof_client_cert_der_2048)); + AssertIntEQ(privateNameLen, wolfSSL_write(ssl, privateName, + privateNameLen)); + ((func_args*)args)->return_code = TEST_SUCCESS; + } - pt = ca_cert_der_2048; - ExpectNotNull(ca = wolfSSL_d2i_X509(NULL, &pt, sizeof_ca_cert_der_2048)); - ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); - ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); + if (callbacks->on_result) + callbacks->on_result(ssl); -#ifndef NO_ASN_TIME - t = (time_t)30 * year + 45 * day + 20 * hour + 30 * mini + 7 * day; - ExpectNotNull(notBefore = wolfSSL_ASN1_TIME_adj(NULL, t, 0, 0)); - ExpectNotNull(notAfter = wolfSSL_ASN1_TIME_adj(NULL, t, 365, 0)); - ExpectIntEQ(notAfter->length, 13); + wolfSSL_shutdown(ssl); + wolfSSL_free(ssl); + wolfSSL_CTX_free(ctx); + CloseSocket(cfd); - 
ExpectTrue(wolfSSL_X509_set_notBefore(x509, notBefore)); - ExpectTrue(wolfSSL_X509_set1_notBefore(x509, notBefore)); - ExpectTrue(wolfSSL_X509_set_notAfter(x509, notAfter)); - ExpectTrue(wolfSSL_X509_set1_notAfter(x509, notAfter)); +#ifdef FP_ECC + wc_ecc_fp_free(); #endif - ExpectNull(wolfSSL_X509_notBefore(NULL)); - ExpectNotNull(wolfSSL_X509_notBefore(x509)); - ExpectNull(wolfSSL_X509_notAfter(NULL)); - ExpectNotNull(wolfSSL_X509_notAfter(x509)); + WOLFSSL_RETURN_FROM_THREAD(0); +} +#endif /* HAVE_ECH && WOLFSSL_TLS13 */ - ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); - ExpectNotNull((der = wolfSSL_X509_get_der(x509, &derSz))); +#if defined(OPENSSL_EXTRA) && defined(HAVE_SECRET_CALLBACK) +static void keyLog_callback(const WOLFSSL* ssl, const char* line) +{ + XFILE fp; + const byte lf = '\n'; - ExpectIntEQ(derSz, sizeof(expected)); -#ifndef NO_ASN_TIME - ExpectIntEQ(XMEMCMP(der, expected, derSz), 0); -#endif + AssertNotNull(ssl); + AssertNotNull(line); - wolfSSL_X509_free(ca); - wolfSSL_X509_free(x509); - wolfSSL_EVP_PKEY_free(priv); -#ifndef NO_ASN_TIME - wolfSSL_ASN1_TIME_free(notBefore); - wolfSSL_ASN1_TIME_free(notAfter); -#endif -#endif + fp = XFOPEN("./MyKeyLog.txt", "a"); + XFWRITE(line, 1, XSTRLEN(line), fp); + XFWRITE((void*)&lf, 1, 1, fp); + XFFLUSH(fp); + XFCLOSE(fp); +} +#endif /* OPENSSL_EXTRA && HAVE_SECRET_CALLBACK */ +static int test_wolfSSL_CTX_set_keylog_callback(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && defined(HAVE_SECRET_CALLBACK) && \ + !defined(NO_WOLFSSL_CLIENT) + SSL_CTX* ctx = NULL; + + ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); + SSL_CTX_set_keylog_callback(ctx, keyLog_callback ); + SSL_CTX_free(ctx); + SSL_CTX_set_keylog_callback(NULL, NULL); +#endif /* OPENSSL_EXTRA && HAVE_SECRET_CALLBACK && !NO_WOLFSSL_CLIENT */ return EXPECT_RESULT(); } +static int test_wolfSSL_CTX_get_keylog_callback(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && defined(HAVE_SECRET_CALLBACK) && \ + 
!defined(NO_WOLFSSL_CLIENT) + SSL_CTX* ctx = NULL; + ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); + ExpectPtrEq(SSL_CTX_get_keylog_callback(ctx),NULL); + SSL_CTX_set_keylog_callback(ctx, keyLog_callback ); + ExpectPtrEq(SSL_CTX_get_keylog_callback(ctx),keyLog_callback); + SSL_CTX_set_keylog_callback(ctx, NULL ); + ExpectPtrEq(SSL_CTX_get_keylog_callback(ctx),NULL); + SSL_CTX_free(ctx); +#endif /* OPENSSL_EXTRA && HAVE_SECRET_CALLBACK && !NO_WOLFSSL_CLIENT */ + return EXPECT_RESULT(); +} -static int test_wolfSSL_X509_sign(void) +#if defined(OPENSSL_EXTRA) && defined(HAVE_SECRET_CALLBACK) +static int test_wolfSSL_Tls12_Key_Logging_client_ctx_ready(WOLFSSL_CTX* ctx) { - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_ASN_TIME) && \ - defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_REQ) && !defined(NO_RSA) - int ret = 0; - char *cn = NULL; - word32 cnSz = 0; - X509_NAME *name = NULL; - X509_NAME *emptyName = NULL; - X509 *x509 = NULL; - X509 *ca = NULL; - DecodedCert dCert; - EVP_PKEY *pub = NULL; - EVP_PKEY *priv = NULL; - EVP_MD_CTX *mctx = NULL; -#if defined(USE_CERT_BUFFERS_1024) - const unsigned char* rsaPriv = client_key_der_1024; - const unsigned char* rsaPub = client_keypub_der_1024; - const unsigned char* certIssuer = client_cert_der_1024; - long clientKeySz = (long)sizeof_client_key_der_1024; - long clientPubKeySz = (long)sizeof_client_keypub_der_1024; - long certIssuerSz = (long)sizeof_client_cert_der_1024; -#elif defined(USE_CERT_BUFFERS_2048) - const unsigned char* rsaPriv = client_key_der_2048; - const unsigned char* rsaPub = client_keypub_der_2048; - const unsigned char* certIssuer = client_cert_der_2048; - long clientKeySz = (long)sizeof_client_key_der_2048; - long clientPubKeySz = (long)sizeof_client_keypub_der_2048; - long certIssuerSz = (long)sizeof_client_cert_der_2048; -#endif - byte sn[16]; - int snSz = sizeof(sn); - int sigSz = 0; -#ifndef NO_WOLFSSL_STUB - const WOLFSSL_ASN1_BIT_STRING* sig = 
NULL; - const WOLFSSL_X509_ALGOR* alg = NULL; + /* set keylog callback */ + wolfSSL_CTX_set_keylog_callback(ctx, keyLog_callback); + return TEST_SUCCESS; +} #endif - /* Set X509_NAME fields */ - ExpectNotNull(name = X509_NAME_new()); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, - (byte*)"US", 2, -1, 0), SSL_SUCCESS); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8, - (byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "emailAddress", MBSTRING_UTF8, - (byte*)"support@wolfssl.com", 19, -1, 0), SSL_SUCCESS); +static int test_wolfSSL_Tls12_Key_Logging_test(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && defined(HAVE_SECRET_CALLBACK) + /* This test is intended for checking whether keylog callback is called + * in client during TLS handshake between the client and a server. + */ + test_ssl_cbf server_cbf; + test_ssl_cbf client_cbf; + XFILE fp = XBADFILE; + char buff[500]; + int found = 0; + + XMEMSET(&server_cbf, 0, sizeof(test_ssl_cbf)); + XMEMSET(&client_cbf, 0, sizeof(test_ssl_cbf)); + server_cbf.method = wolfTLSv1_2_server_method; + client_cbf.ctx_ready = &test_wolfSSL_Tls12_Key_Logging_client_ctx_ready; - /* Get private and public keys */ - ExpectNotNull(priv = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL, &rsaPriv, - clientKeySz)); - ExpectNotNull(pub = wolfSSL_d2i_PUBKEY(NULL, &rsaPub, clientPubKeySz)); - ExpectNotNull(x509 = X509_new()); - ExpectIntEQ(X509_sign(x509, priv, EVP_sha256()), 0); - /* Set version 3 */ - ExpectIntNE(X509_set_version(x509, 2L), 0); - /* Set subject name, add pubkey, and sign certificate */ - ExpectIntEQ(X509_set_subject_name(x509, name), SSL_SUCCESS); - X509_NAME_free(name); - name = NULL; - ExpectIntEQ(X509_set_pubkey(x509, pub), SSL_SUCCESS); -#ifdef WOLFSSL_ALT_NAMES - ExpectNull(wolfSSL_X509_get_next_altname(NULL)); - ExpectNull(wolfSSL_X509_get_next_altname(x509)); - - /* Add some subject alt names */ - 
ExpectIntNE(wolfSSL_X509_add_altname(NULL, - "ipsum", ASN_DNS_TYPE), SSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_add_altname(x509, - NULL, ASN_DNS_TYPE), SSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_add_altname(x509, - "sphygmomanometer", - ASN_DNS_TYPE), SSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_add_altname(x509, - "supercalifragilisticexpialidocious", - ASN_DNS_TYPE), SSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_add_altname(x509, - "Llanfairpwllgwyngyllgogerychwyrndrobwllllantysiliogogogoch", - ASN_DNS_TYPE), SSL_SUCCESS); -#ifdef WOLFSSL_IP_ALT_NAME - { - unsigned char ip4_type[] = {127,128,0,255}; - unsigned char ip6_type[] = {0xdd, 0xcc, 0xba, 0xab, - 0xff, 0xee, 0x99, 0x88, - 0x77, 0x66, 0x55, 0x44, - 0x00, 0x33, 0x22, 0x11}; - ExpectIntEQ(wolfSSL_X509_add_altname_ex(x509, (char*)ip4_type, - sizeof(ip4_type), ASN_IP_TYPE), SSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_add_altname_ex(x509, (char*)ip6_type, - sizeof(ip6_type), ASN_IP_TYPE), SSL_SUCCESS); + /* clean up keylog file */ + ExpectTrue((fp = XFOPEN("./MyKeyLog.txt", "w")) != XBADFILE); + if (fp != XBADFILE) { + XFFLUSH(fp); + XFCLOSE(fp); + fp = XBADFILE; } -#endif - { - int i; + ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cbf, + &server_cbf, NULL), TEST_SUCCESS); - if (x509 != NULL) { - x509->altNamesNext = x509->altNames; - } -#ifdef WOLFSSL_IP_ALT_NAME - /* No names in IP address. 
*/ - ExpectNull(wolfSSL_X509_get_next_altname(x509)); - ExpectNull(wolfSSL_X509_get_next_altname(x509)); -#endif - for (i = 0; i < 3; i++) { - ExpectNotNull(wolfSSL_X509_get_next_altname(x509)); + /* check if the keylog file exists */ + ExpectTrue((fp = XFOPEN("./MyKeyLog.txt", "rb")) != XBADFILE); + XFFLUSH(fp); /* Just to make sure any buffers get flushed */ + + XMEMSET(buff, 0, sizeof(buff)); + while (EXPECT_SUCCESS() && XFGETS(buff, (int)sizeof(buff), fp) != NULL) { + if (0 == strncmp(buff,"CLIENT_RANDOM ", sizeof("CLIENT_RANDOM ")-1)) { + found = 1; + break; } - ExpectNull(wolfSSL_X509_get_next_altname(x509)); -#ifdef WOLFSSL_MULTICIRCULATE_ALTNAMELIST - ExpectNotNull(wolfSSL_X509_get_next_altname(x509)); -#endif } -#endif /* WOLFSSL_ALT_NAMES */ - - { - ASN1_UTCTIME* infinite_past = NULL; - ExpectNotNull(infinite_past = ASN1_UTCTIME_set(NULL, 0)); - ExpectIntEQ(X509_set1_notBefore(x509, infinite_past), 1); - ASN1_UTCTIME_free(infinite_past); + if (fp != XBADFILE) { + XFCLOSE(fp); } - - /* test valid sign case */ - ExpectIntGT(ret = X509_sign(x509, priv, EVP_sha256()), 0); - /* test getting signature */ -#ifndef NO_WOLFSSL_STUB - wolfSSL_X509_get0_signature(&sig, &alg, x509); -#endif - ExpectIntEQ(wolfSSL_X509_get_signature(x509, NULL, &sigSz), - WOLFSSL_SUCCESS); - ExpectIntGT(sigSz, 0); - ExpectIntEQ(wolfSSL_X509_get_signature(NULL, NULL, NULL), - WOLFSSL_FATAL_ERROR); - ExpectIntEQ(wolfSSL_X509_get_signature(x509, NULL, NULL), - WOLFSSL_FATAL_ERROR); - ExpectIntEQ(wolfSSL_X509_get_signature(NULL, NULL, &sigSz), - WOLFSSL_FATAL_ERROR); - sigSz = 0; - ExpectIntEQ(wolfSSL_X509_get_signature(x509, sn, &sigSz), - WOLFSSL_FATAL_ERROR); - - /* test valid X509_sign_ctx case */ - ExpectNotNull(mctx = EVP_MD_CTX_new()); - ExpectIntEQ(EVP_DigestSignInit(mctx, NULL, EVP_sha256(), NULL, priv), 1); - ExpectIntGT(X509_sign_ctx(x509, mctx), 0); - -#if defined(OPENSSL_ALL) && defined(WOLFSSL_ALT_NAMES) - ExpectIntEQ(X509_get_ext_count(x509), 1); -#endif -#if 
defined(WOLFSSL_ALT_NAMES) && defined(WOLFSSL_IP_ALT_NAME) - ExpectIntEQ(wolfSSL_X509_check_ip_asc(x509, "127.128.0.255", 0), 1); - ExpectIntEQ(wolfSSL_X509_check_ip_asc(x509, "DDCC:BAAB:FFEE:9988:7766:5544:0033:2211", 0), 1); -#endif - - ExpectIntEQ(wolfSSL_X509_get_serial_number(x509, sn, &snSz), - WOLFSSL_SUCCESS); - DEBUG_WRITE_CERT_X509(x509, "signed.pem"); - - /* Variation in size depends on ASN.1 encoding when MSB is set. - * WOLFSSL_ASN_TEMPLATE code does not generate a serial number - * with the MSB set. See GenerateInteger in asn.c */ -#ifndef USE_CERT_BUFFERS_1024 -#ifndef WOLFSSL_ALT_NAMES - /* Valid case - size should be 781-786 with 16 byte serial number */ - ExpectTrue((781 + snSz <= ret) && (ret <= 781 + 5 + snSz)); -#elif defined(WOLFSSL_IP_ALT_NAME) - /* Valid case - size should be 955-960 with 16 byte serial number */ - ExpectTrue((939 + snSz <= ret) && (ret <= 939 + 5 + snSz)); -#else - /* Valid case - size should be 926-931 with 16 byte serial number */ - ExpectTrue((910 + snSz <= ret) && (ret <= 910 + 5 + snSz)); -#endif -#else -#ifndef WOLFSSL_ALT_NAMES - /* Valid case - size should be 537-542 with 16 byte serial number */ - ExpectTrue((521 + snSz <= ret) && (ret <= 521 + 5 + snSz)); -#elif defined(OPENSSL_ALL) || defined(WOLFSSL_IP_ALT_NAME) - /* Valid case - size should be 695-670 with 16 byte serial number */ - ExpectTrue((679 + snSz <= ret) && (ret <= 679 + 5 + snSz)); -#else - /* Valid case - size should be 666-671 with 16 byte serial number */ - ExpectTrue((650 + snSz <= ret) && (ret <= 650 + 5 + snSz)); -#endif -#endif - /* check that issuer name is as expected after signature */ - InitDecodedCert(&dCert, certIssuer, (word32)certIssuerSz, 0); - ExpectIntEQ(ParseCert(&dCert, CERT_TYPE, NO_VERIFY, NULL), 0); - - ExpectNotNull(emptyName = X509_NAME_new()); - ExpectNotNull(ca = d2i_X509(NULL, &certIssuer, (int)certIssuerSz)); - ExpectIntEQ(wolfSSL_X509_get_isCA(NULL), 0); - ExpectIntEQ(wolfSSL_X509_get_isCA(ca), 1); - ExpectNotNull(name = 
X509_get_subject_name(ca)); - ExpectIntEQ(X509_NAME_get_sz(NULL), WOLFSSL_FATAL_ERROR); - ExpectIntGT(cnSz = X509_NAME_get_sz(name), 0); - ExpectNotNull(cn = (char*)XMALLOC(cnSz, HEAP_HINT, DYNAMIC_TYPE_OPENSSL)); - ExpectNull(X509_NAME_oneline(NULL, cn, (int)cnSz)); - ExpectPtrEq(X509_NAME_oneline(name, cn, 0), cn); - ExpectPtrEq(X509_NAME_oneline(emptyName, cn, (int)cnSz), cn); - ExpectNull(X509_NAME_oneline(emptyName, NULL, 0)); - ExpectPtrEq(X509_NAME_oneline(name, cn, (int)cnSz), cn); - ExpectIntEQ(0, XSTRNCMP(cn, dCert.subject, XSTRLEN(cn))); - XFREE(cn, HEAP_HINT, DYNAMIC_TYPE_OPENSSL); - cn = NULL; - -#if defined(XSNPRINTF) - ExpectNull(wolfSSL_X509_get_name_oneline(NULL, NULL, 0)); - ExpectNotNull(cn = wolfSSL_X509_get_name_oneline(name, NULL, 0)); - ExpectIntGT((int)(cnSz = (word32)XSTRLEN(cn) + 1), 0); - ExpectPtrEq(wolfSSL_X509_get_name_oneline(name, cn, (int)cnSz), cn); - ExpectNull(wolfSSL_X509_get_name_oneline(NULL, cn, (int)cnSz)); - ExpectNull(wolfSSL_X509_get_name_oneline(name, cn, cnSz - 1)); - ExpectPtrEq(wolfSSL_X509_get_name_oneline(name, cn, (int)cnSz), cn); - ExpectPtrEq(wolfSSL_X509_get_name_oneline(emptyName, cn, (int)cnSz), cn); - XFREE(cn, HEAP_HINT, DYNAMIC_TYPE_OPENSSL); - cn = NULL; -#endif - X509_NAME_free(emptyName); - -#ifdef WOLFSSL_MULTI_ATTRIB - /* test adding multiple OU's to the signer */ - ExpectNotNull(name = X509_get_subject_name(ca)); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "OU", MBSTRING_UTF8, - (byte*)"OU1", 3, -1, 0), SSL_SUCCESS); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "OU", MBSTRING_UTF8, - (byte*)"OU2", 3, -1, 0), SSL_SUCCESS); - ExpectIntGT(X509_sign(ca, priv, EVP_sha256()), 0); -#endif - - ExpectNotNull(name = X509_get_subject_name(ca)); - ExpectIntEQ(X509_set_issuer_name(x509, name), SSL_SUCCESS); - - ExpectIntGT(X509_sign(x509, priv, EVP_sha256()), 0); - ExpectNotNull(name = X509_get_issuer_name(x509)); - cnSz = X509_NAME_get_sz(name); - ExpectNotNull(cn = (char*)XMALLOC(cnSz, HEAP_HINT, 
DYNAMIC_TYPE_OPENSSL)); - ExpectNotNull(cn = X509_NAME_oneline(name, cn, (int)cnSz)); - /* compare and don't include the multi-attrib "/OU=OU1/OU=OU2" above */ - ExpectIntEQ(0, XSTRNCMP(cn, dCert.issuer, XSTRLEN(dCert.issuer))); - XFREE(cn, HEAP_HINT, DYNAMIC_TYPE_OPENSSL); - cn = NULL; - - FreeDecodedCert(&dCert); - - /* Test invalid parameters */ - ExpectIntEQ(X509_sign(NULL, priv, EVP_sha256()), 0); - ExpectIntEQ(X509_sign(x509, NULL, EVP_sha256()), 0); - ExpectIntEQ(X509_sign(x509, priv, NULL), 0); - - ExpectIntEQ(X509_sign_ctx(NULL, mctx), 0); - EVP_MD_CTX_free(mctx); - mctx = NULL; - ExpectNotNull(mctx = EVP_MD_CTX_new()); - ExpectIntEQ(X509_sign_ctx(x509, mctx), 0); - ExpectIntEQ(X509_sign_ctx(x509, NULL), 0); - - /* test invalid version number */ -#if defined(OPENSSL_ALL) - ExpectIntNE(X509_set_version(x509, 6L), 0); - ExpectIntGT(X509_sign(x509, priv, EVP_sha256()), 0); - - /* uses ParseCert which fails on bad version number */ - ExpectIntEQ(X509_get_ext_count(x509), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); -#endif - - EVP_MD_CTX_free(mctx); - EVP_PKEY_free(priv); - EVP_PKEY_free(pub); - X509_free(x509); - X509_free(ca); -#endif + /* a log starting with "CLIENT_RANDOM " should exit in the file */ + ExpectIntEQ(found, 1); + /* clean up */ + ExpectIntEQ(rem_file("./MyKeyLog.txt"), 0); +#endif /* OPENSSL_EXTRA && HAVE_SECRET_CALLBACK */ return EXPECT_RESULT(); } -static int test_wolfSSL_X509_get0_tbs_sigalg(void) +#if defined(WOLFSSL_TLS13) && defined(OPENSSL_EXTRA) && \ + defined(HAVE_SECRET_CALLBACK) +static int test_wolfSSL_Tls13_Key_Logging_client_ctx_ready(WOLFSSL_CTX* ctx) { - EXPECT_DECLS; -#if (defined(OPENSSL_ALL) || defined(WOLFSSL_APACHE_HTTPD)) - X509* x509 = NULL; - const X509_ALGOR* alg; - - ExpectNotNull(x509 = X509_new()); - - ExpectNull(alg = X509_get0_tbs_sigalg(NULL)); - ExpectNotNull(alg = X509_get0_tbs_sigalg(x509)); - - X509_free(x509); -#endif - return EXPECT_RESULT(); + /* set keylog callback */ + wolfSSL_CTX_set_keylog_callback(ctx, 
keyLog_callback); + return TEST_SUCCESS; } +#endif -static int test_wolfSSL_X509_ALGOR_get0(void) +static int test_wolfSSL_Tls13_Key_Logging_test(void) { EXPECT_DECLS; -#if (defined(OPENSSL_ALL) || defined(WOLFSSL_APACHE_HTTPD)) && \ - !defined(NO_SHA256) && !defined(NO_RSA) - X509* x509 = NULL; - const ASN1_OBJECT* obj = NULL; - const X509_ALGOR* alg = NULL; - X509_ALGOR* alg2 = NULL; - int pptype = 0; - const void *ppval = NULL; - byte* der = NULL; - const byte* tmp = NULL; - const byte badObj[] = { 0x06, 0x00 }; +#if defined(WOLFSSL_TLS13) && defined(OPENSSL_EXTRA) && \ + defined(HAVE_SECRET_CALLBACK) +/* This test is intended for checking whether keylog callback is called + * in client during TLS handshake between the client and a server. + */ + test_ssl_cbf server_cbf; + test_ssl_cbf client_cbf; + XFILE fp = XBADFILE; - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFile, - SSL_FILETYPE_PEM)); - ExpectNotNull(alg = X509_get0_tbs_sigalg(x509)); + XMEMSET(&server_cbf, 0, sizeof(test_ssl_cbf)); + XMEMSET(&client_cbf, 0, sizeof(test_ssl_cbf)); + server_cbf.method = wolfTLSv1_3_server_method; /* TLS1.3 */ + client_cbf.ctx_ready = &test_wolfSSL_Tls13_Key_Logging_client_ctx_ready; - /* Invalid case */ - X509_ALGOR_get0(&obj, NULL, NULL, NULL); - ExpectNull(obj); + /* clean up keylog file */ + ExpectTrue((fp = XFOPEN("./MyKeyLog.txt", "w")) != XBADFILE); + if (fp != XBADFILE) { + XFCLOSE(fp); + fp = XBADFILE; + } - /* Valid case */ - X509_ALGOR_get0(NULL, NULL, NULL, alg); - X509_ALGOR_get0(&obj, &pptype, &ppval, alg); - ExpectNotNull(obj); - ExpectNull(ppval); - ExpectIntNE(pptype, 0); - /* Make sure NID of X509_ALGOR is Sha256 with RSA */ - ExpectIntEQ(OBJ_obj2nid(obj), NID_sha256WithRSAEncryption); + ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cbf, + &server_cbf, NULL), TEST_SUCCESS); - ExpectIntEQ(i2d_X509_ALGOR(NULL, NULL), WOLFSSL_FATAL_ERROR); - ExpectIntEQ(i2d_X509_ALGOR(alg, &der), 15); - ExpectNull(d2i_X509_ALGOR(NULL, NULL, 
0)); - /* tmp is NULL. */ - ExpectNull(d2i_X509_ALGOR(NULL, &tmp, 0)); - tmp = badObj; - ExpectNull(d2i_X509_ALGOR(NULL, &tmp, (long)sizeof(badObj))); - tmp = der; - ExpectNull(d2i_X509_ALGOR(NULL, &tmp, 0)); - ExpectNotNull(d2i_X509_ALGOR(&alg2, &tmp, 15)); - tmp = der; - ExpectNotNull(d2i_X509_ALGOR(&alg2, &tmp, 15)); + /* check if the keylog file exists */ + { + char buff[300] = {0}; + int found[4] = {0}; + int numfnd = 0; + int i; - XFREE(der, NULL, DYNAMIC_TYPE_ASN1); - X509_free(x509); - X509_ALGOR_free(NULL); - X509_ALGOR_free(alg2); - alg2 = NULL; -#endif + ExpectTrue((fp = XFOPEN("./MyKeyLog.txt", "rb")) != XBADFILE); + + while (EXPECT_SUCCESS() && + XFGETS(buff, (int)sizeof(buff), fp) != NULL) { + if (0 == strncmp(buff, "CLIENT_HANDSHAKE_TRAFFIC_SECRET ", + sizeof("CLIENT_HANDSHAKE_TRAFFIC_SECRET ")-1)) { + found[0] = 1; + continue; + } + else if (0 == strncmp(buff, "SERVER_HANDSHAKE_TRAFFIC_SECRET ", + sizeof("SERVER_HANDSHAKE_TRAFFIC_SECRET ")-1)) { + found[1] = 1; + continue; + } + else if (0 == strncmp(buff, "CLIENT_TRAFFIC_SECRET_0 ", + sizeof("CLIENT_TRAFFIC_SECRET_0 ")-1)) { + found[2] = 1; + continue; + } + else if (0 == strncmp(buff, "SERVER_TRAFFIC_SECRET_0 ", + sizeof("SERVER_TRAFFIC_SECRET_0 ")-1)) { + found[3] = 1; + continue; + } + } + if (fp != XBADFILE) + XFCLOSE(fp); + for (i = 0; i < 4; i++) { + if (found[i] != 0) + numfnd++; + } + ExpectIntEQ(numfnd, 4); + } +#endif /* OPENSSL_EXTRA && HAVE_SECRET_CALLBACK && WOLFSSL_TLS13 */ return EXPECT_RESULT(); } - - -static int test_wolfSSL_X509_VERIFY_PARAM(void) +#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH) && \ + defined(HAVE_IO_TESTS_DEPENDENCIES) +static int test_wolfSSL_Tls13_ECH_params(void) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) - X509_VERIFY_PARAM *paramTo = NULL; - X509_VERIFY_PARAM *paramFrom = NULL; - char testIPv4[] = "127.0.0.1"; - char testIPv6[] = "0001:0000:0000:0000:0000:0000:0000:0000/32"; - char testhostName1[] = "foo.hoge.com"; - char testhostName2[] = 
"foobar.hoge.com"; - - ExpectNotNull(paramTo = X509_VERIFY_PARAM_new()); - ExpectNotNull(XMEMSET(paramTo, 0, sizeof(X509_VERIFY_PARAM))); +#if !defined(NO_WOLFSSL_CLIENT) + word32 outputLen = 0; + byte testBuf[72]; + WOLFSSL_CTX *ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method()); + WOLFSSL *ssl = wolfSSL_new(ctx); - ExpectNotNull(paramFrom = X509_VERIFY_PARAM_new()); - ExpectNotNull(XMEMSET(paramFrom, 0, sizeof(X509_VERIFY_PARAM))); + ExpectNotNull(ctx); + ExpectNotNull(ssl); - ExpectIntEQ(X509_VERIFY_PARAM_set1_host(paramFrom, testhostName1, - (int)XSTRLEN(testhostName1)), 1); - ExpectIntEQ(0, XSTRNCMP(paramFrom->hostName, testhostName1, - (int)XSTRLEN(testhostName1))); + /* invalid ctx */ + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_GenerateEchConfig(NULL, + "ech-public-name.com", 0, 0, 0)); + /* invalid public name */ + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_GenerateEchConfig(ctx, NULL, 0, + 0, 0)); + /* invalid algorithms */ + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_GenerateEchConfig(ctx, + "ech-public-name.com", 1000, 1000, 1000)); - X509_VERIFY_PARAM_set_hostflags(NULL, 0x00); + /* invalid ctx */ + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_SetEchConfigsBase64(NULL, + (char*)testBuf, sizeof(testBuf))); + /* invalid base64 configs */ + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_SetEchConfigsBase64(ctx, + NULL, sizeof(testBuf))); + /* invalid length */ + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_SetEchConfigsBase64(ctx, + (char*)testBuf, 0)); - X509_VERIFY_PARAM_set_hostflags(paramFrom, 0x01); - ExpectIntEQ(0x01, paramFrom->hostFlags); + /* invalid ctx */ + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_SetEchConfigs(NULL, + testBuf, sizeof(testBuf))); + /* invalid configs */ + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_SetEchConfigs(ctx, + NULL, sizeof(testBuf))); + /* invalid length */ + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_SetEchConfigs(ctx, + testBuf, 0)); - ExpectIntEQ(X509_VERIFY_PARAM_set1_ip_asc(NULL, testIPv4), 0); + /* invalid ctx */ + 
ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_GetEchConfigs(NULL, NULL, + &outputLen)); + /* invalid output len */ + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_GetEchConfigs(ctx, NULL, NULL)); - ExpectIntEQ(X509_VERIFY_PARAM_set1_ip_asc(paramFrom, testIPv4), 1); - ExpectIntEQ(0, XSTRNCMP(paramFrom->ipasc, testIPv4, WOLFSSL_MAX_IPSTR)); + /* invalid ssl */ + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_SetEchConfigsBase64(NULL, + (char*)testBuf, sizeof(testBuf))); + /* invalid configs64 */ + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_SetEchConfigsBase64(ssl, NULL, + sizeof(testBuf))); + /* invalid size */ + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_SetEchConfigsBase64(ssl, + (char*)testBuf, 0)); - ExpectIntEQ(X509_VERIFY_PARAM_set1_ip_asc(paramFrom, NULL), 1); + /* invalid ssl */ + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_SetEchConfigs(NULL, testBuf, + sizeof(testBuf))); + /* invalid configs */ + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_SetEchConfigs(ssl, NULL, + sizeof(testBuf))); + /* invalid size */ + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_SetEchConfigs(ssl, testBuf, 0)); - ExpectIntEQ(X509_VERIFY_PARAM_set1_ip_asc(paramFrom, testIPv6), 1); - ExpectIntEQ(0, XSTRNCMP(paramFrom->ipasc, testIPv6, WOLFSSL_MAX_IPSTR)); + /* invalid ssl */ + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_GetEchConfigs(NULL, NULL, &outputLen)); + /* invalid size */ + ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_GetEchConfigs(ssl, NULL, NULL)); - /* null pointer */ - ExpectIntEQ(X509_VERIFY_PARAM_set1(NULL, paramFrom), 0); - /* in the case of "from" null, returns success */ - ExpectIntEQ(X509_VERIFY_PARAM_set1(paramTo, NULL), 1); + wolfSSL_free(ssl); + wolfSSL_CTX_free(ctx); +#endif /* !NO_WOLFSSL_CLIENT */ - ExpectIntEQ(X509_VERIFY_PARAM_set1(NULL, NULL), 0); + return EXPECT_RESULT(); +} - /* inherit flags test : VPARAM_DEFAULT */ - ExpectIntEQ(X509_VERIFY_PARAM_set1(paramTo, paramFrom), 1); - ExpectIntEQ(0, XSTRNCMP(paramTo->hostName, testhostName1, - (int)XSTRLEN(testhostName1))); - ExpectIntEQ(0x01, paramTo->hostFlags); - ExpectIntEQ(0, 
XSTRNCMP(paramTo->ipasc, testIPv6, WOLFSSL_MAX_IPSTR)); +static int test_wolfSSL_Tls13_ECH_ex(int hrr) +{ + EXPECT_DECLS; + tcp_ready ready; + func_args client_args; + func_args server_args; + THREAD_TYPE serverThread; + callback_functions server_cbf; + callback_functions client_cbf; + SOCKET_T sockfd = 0; + WOLFSSL_CTX* ctx = NULL; + WOLFSSL* ssl = NULL; + const char* publicName = "ech-public-name.com"; + const char* privateName = "ech-private-name.com"; + int privateNameLen = 20; + char reply[1024]; + int replyLen = 0; + byte rawEchConfig[128]; + word32 rawEchConfigLen = sizeof(rawEchConfig); - /* inherit flags test : VPARAM OVERWRITE */ - ExpectIntEQ(X509_VERIFY_PARAM_set1_host(paramTo, testhostName2, - (int)XSTRLEN(testhostName2)), 1); - ExpectIntEQ(X509_VERIFY_PARAM_set1_ip_asc(paramTo, testIPv4), 1); - X509_VERIFY_PARAM_set_hostflags(paramTo, 0x00); + InitTcpReady(&ready); + ready.port = 22222; - if (paramTo != NULL) { - paramTo->inherit_flags = X509_VP_FLAG_OVERWRITE; - } + XMEMSET(&client_args, 0, sizeof(func_args)); + XMEMSET(&server_args, 0, sizeof(func_args)); + XMEMSET(&server_cbf, 0, sizeof(callback_functions)); + XMEMSET(&client_cbf, 0, sizeof(callback_functions)); + server_cbf.method = wolfTLSv1_3_server_method; /* TLS1.3 */ - ExpectIntEQ(X509_VERIFY_PARAM_set1(paramTo, paramFrom), 1); - ExpectIntEQ(0, XSTRNCMP(paramTo->hostName, testhostName1, - (int)XSTRLEN(testhostName1))); - ExpectIntEQ(0x01, paramTo->hostFlags); - ExpectIntEQ(0, XSTRNCMP(paramTo->ipasc, testIPv6, WOLFSSL_MAX_IPSTR)); + /* create the server context here so we can get the ech config */ + ExpectNotNull(server_cbf.ctx = + wolfSSL_CTX_new(wolfTLSv1_3_server_method())); - /* inherit flags test : VPARAM_RESET_FLAGS */ - ExpectIntEQ(X509_VERIFY_PARAM_set1_host(paramTo, testhostName2, - (int)XSTRLEN(testhostName2)), 1); - ExpectIntEQ(X509_VERIFY_PARAM_set1_ip_asc(paramTo, testIPv4), 1); - X509_VERIFY_PARAM_set_hostflags(paramTo, 0x10); + /* generate ech config */ + 
ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_GenerateEchConfig(server_cbf.ctx, + publicName, 0, 0, 0)); - if (paramTo != NULL) { - paramTo->inherit_flags = X509_VP_FLAG_RESET_FLAGS; - } + /* get the config for the client to use */ + ExpectIntEQ(WOLFSSL_SUCCESS, + wolfSSL_CTX_GetEchConfigs(server_cbf.ctx, rawEchConfig, + &rawEchConfigLen)); - ExpectIntEQ(X509_VERIFY_PARAM_set1(paramTo, paramFrom), 1); - ExpectIntEQ(0, XSTRNCMP(paramTo->hostName, testhostName1, - (int)XSTRLEN(testhostName1))); - ExpectIntEQ(0x01, paramTo->hostFlags); - ExpectIntEQ(0, XSTRNCMP(paramTo->ipasc, testIPv6, WOLFSSL_MAX_IPSTR)); + server_args.callbacks = &server_cbf; + server_args.signal = &ready; - /* inherit flags test : VPARAM_LOCKED */ - ExpectIntEQ(X509_VERIFY_PARAM_set1_host(paramTo, testhostName2, - (int)XSTRLEN(testhostName2)), 1); - ExpectIntEQ(X509_VERIFY_PARAM_set1_ip_asc(paramTo, testIPv4), 1); - X509_VERIFY_PARAM_set_hostflags(paramTo, 0x00); + /* start server task */ + start_thread(server_task_ech, &server_args, &serverThread); + wait_tcp_ready(&server_args); - if (paramTo != NULL) { - paramTo->inherit_flags = X509_VP_FLAG_LOCKED; - } + /* run as a TLS1.3 client */ + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method())); + ExpectIntEQ(WOLFSSL_SUCCESS, + wolfSSL_CTX_load_verify_locations(ctx, caCertFile, 0)); + ExpectIntEQ(WOLFSSL_SUCCESS, + wolfSSL_CTX_use_certificate_file(ctx, cliCertFile, SSL_FILETYPE_PEM)); + ExpectIntEQ(WOLFSSL_SUCCESS, + wolfSSL_CTX_use_PrivateKey_file(ctx, cliKeyFile, SSL_FILETYPE_PEM)); - ExpectIntEQ(X509_VERIFY_PARAM_set1(paramTo, paramFrom), 1); - ExpectIntEQ(0, XSTRNCMP(paramTo->hostName, testhostName2, - (int)XSTRLEN(testhostName2))); - ExpectIntEQ(0x00, paramTo->hostFlags); - ExpectIntEQ(0, XSTRNCMP(paramTo->ipasc, testIPv4, WOLFSSL_MAX_IPSTR)); + tcp_connect(&sockfd, wolfSSLIP, server_args.signal->port, 0, 0, NULL); - /* test for incorrect parameters */ - ExpectIntEQ(X509_VERIFY_PARAM_set_flags(NULL, X509_V_FLAG_CRL_CHECK_ALL), - 0); + /* 
get connected the server task */
+ ExpectNotNull(ssl = wolfSSL_new(ctx));
- ExpectIntEQ(X509_VERIFY_PARAM_set_flags(NULL, 0), 0);
+ /* set the ech configs for the client */
+ ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_SetEchConfigs(ssl, rawEchConfig,
+ rawEchConfigLen));
- /* inherit flags test : VPARAM_ONCE, not testable yet */
+ /* set the sni for the client */
+ ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_UseSNI(ssl, WOLFSSL_SNI_HOST_NAME,
+ privateName, privateNameLen));
- ExpectIntEQ(X509_VERIFY_PARAM_set_flags(paramTo, X509_V_FLAG_CRL_CHECK_ALL),
- 1);
+ /* force hello retry request */
+ if (hrr)
+ ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_NoKeyShares(ssl));
- ExpectIntEQ(X509_VERIFY_PARAM_get_flags(NULL), 0);
- ExpectIntEQ(X509_VERIFY_PARAM_get_flags(paramTo),
- X509_V_FLAG_CRL_CHECK_ALL);
+ /* connect like normal */
+ ExpectIntEQ(wolfSSL_set_fd(ssl, sockfd), WOLFSSL_SUCCESS);
+ ExpectIntEQ(wolfSSL_connect(ssl), WOLFSSL_SUCCESS);
+ ExpectIntEQ(ssl->options.echAccepted, 1);
+ ExpectIntEQ(wolfSSL_write(ssl, privateName, privateNameLen),
+ privateNameLen);
+ ExpectIntGT((replyLen = wolfSSL_read(ssl, reply, sizeof(reply))), 0);
+ /* add th null terminator for string compare */
+ reply[replyLen] = 0;
+ /* check that the server replied with the private name */
+ ExpectStrEQ(privateName, reply);
+ wolfSSL_free(ssl);
+ wolfSSL_CTX_free(ctx);
- ExpectIntEQ(X509_VERIFY_PARAM_clear_flags(NULL, X509_V_FLAG_CRL_CHECK_ALL),
- WOLFSSL_FAILURE);
- ExpectIntEQ(X509_VERIFY_PARAM_clear_flags(paramTo,
- X509_V_FLAG_CRL_CHECK_ALL), 1);
+ CloseSocket(sockfd);
- ExpectIntEQ(X509_VERIFY_PARAM_get_flags(paramTo), 0);
+ join_thread(serverThread);
- ExpectNull(wolfSSL_X509_VERIFY_PARAM_lookup(NULL));
- ExpectNull(wolfSSL_X509_VERIFY_PARAM_lookup(""));
- ExpectNotNull(wolfSSL_X509_VERIFY_PARAM_lookup("ssl_client"));
- ExpectNotNull(wolfSSL_X509_VERIFY_PARAM_lookup("ssl_server"));
+ FreeTcpReady(&ready);
- X509_VERIFY_PARAM_free(paramTo);
- X509_VERIFY_PARAM_free(paramFrom);
-
X509_VERIFY_PARAM_free(NULL); /* to confirm NULL parameter gives no harm */ -#endif return EXPECT_RESULT(); } -#if defined(OPENSSL_EXTRA) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \ - !defined(WOLFSSL_HOSTNAME_VERIFY_ALT_NAME_ONLY) - -static int test_wolfSSL_check_domain_verify_count = 0; - -static WC_INLINE int test_wolfSSL_check_domain_verify_cb(int preverify, - WOLFSSL_X509_STORE_CTX* store) +static int test_wolfSSL_Tls13_ECH(void) { - EXPECT_DECLS; - ExpectIntEQ(X509_STORE_CTX_get_error(store), 0); - ExpectIntEQ(preverify, 1); - ExpectIntGT(++test_wolfSSL_check_domain_verify_count, 0); - return EXPECT_SUCCESS(); + return test_wolfSSL_Tls13_ECH_ex(0); } -static int test_wolfSSL_check_domain_client_cb(WOLFSSL* ssl) +static int test_wolfSSL_Tls13_ECH_HRR(void) { - EXPECT_DECLS; - X509_VERIFY_PARAM *param = NULL; - - ExpectNotNull(param = SSL_get0_param(ssl)); - - /* Domain check should only be done on the leaf cert */ - X509_VERIFY_PARAM_set_hostflags(param, - X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); - ExpectIntEQ(X509_VERIFY_PARAM_set1_host(param, - "wolfSSL Server Chain", 0), 1); - wolfSSL_set_verify(ssl, WOLFSSL_VERIFY_PEER, - test_wolfSSL_check_domain_verify_cb); - return EXPECT_RESULT(); + return test_wolfSSL_Tls13_ECH_ex(1); } +#endif /* HAVE_ECH && WOLFSSL_TLS13 */ -static int test_wolfSSL_check_domain_server_cb(WOLFSSL_CTX* ctx) +#if defined(HAVE_IO_TESTS_DEPENDENCIES) && \ +defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ + defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH) +static int post_auth_version_cb(WOLFSSL* ssl) { EXPECT_DECLS; - /* Use a cert with different domains in chain */ - ExpectIntEQ(wolfSSL_CTX_use_certificate_chain_file(ctx, - "certs/intermediate/server-chain.pem"), WOLFSSL_SUCCESS); + /* do handshake and then test version error */ + ExpectIntEQ(wolfSSL_accept(ssl), WOLFSSL_SUCCESS); + ExpectStrEQ("TLSv1.2", wolfSSL_get_version(ssl)); return EXPECT_RESULT(); } -static int test_wolfSSL_check_domain(void) +static int 
post_auth_version_client_cb(WOLFSSL* ssl) { EXPECT_DECLS; - test_ssl_cbf func_cb_client; - test_ssl_cbf func_cb_server; - - XMEMSET(&func_cb_client, 0, sizeof(func_cb_client)); - XMEMSET(&func_cb_server, 0, sizeof(func_cb_server)); - - func_cb_client.ssl_ready = &test_wolfSSL_check_domain_client_cb; - func_cb_server.ctx_ready = &test_wolfSSL_check_domain_server_cb; - - ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&func_cb_client, - &func_cb_server, NULL), TEST_SUCCESS); + /* do handshake and then test version error */ + ExpectIntEQ(wolfSSL_connect(ssl), WOLFSSL_SUCCESS); + ExpectStrEQ("TLSv1.2", wolfSSL_get_version(ssl)); + ExpectIntEQ(wolfSSL_verify_client_post_handshake(ssl), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); +#if defined(OPENSSL_ALL) && !defined(NO_ERROR_QUEUE) + /* check was added to error queue */ + ExpectIntEQ(wolfSSL_ERR_get_error(), -WC_NO_ERR_TRACE(UNSUPPORTED_PROTO_VERSION)); - /* Should have been called once for each cert in sent chain */ -#ifdef WOLFSSL_VERIFY_CB_ALL_CERTS - ExpectIntEQ(test_wolfSSL_check_domain_verify_count, 3); -#else - ExpectIntEQ(test_wolfSSL_check_domain_verify_count, 1); + /* check the string matches expected string */ + #ifndef NO_ERROR_STRINGS + ExpectStrEQ(wolfSSL_ERR_error_string(-WC_NO_ERR_TRACE(UNSUPPORTED_PROTO_VERSION), NULL), + "WRONG_SSL_VERSION"); + #endif #endif - return EXPECT_RESULT(); } -#else - -static int test_wolfSSL_check_domain(void) +static int post_auth_cb(WOLFSSL* ssl) { EXPECT_DECLS; + WOLFSSL_X509* x509 = NULL; + /* do handshake and then test version error */ + ExpectIntEQ(wolfSSL_accept(ssl), WOLFSSL_SUCCESS); + ExpectStrEQ("TLSv1.3", wolfSSL_get_version(ssl)); + ExpectNull(x509 = wolfSSL_get_peer_certificate(ssl)); + wolfSSL_X509_free(x509); + ExpectIntEQ(wolfSSL_verify_client_post_handshake(ssl), WOLFSSL_SUCCESS); return EXPECT_RESULT(); } -#endif /* OPENSSL_EXTRA && HAVE_SSL_MEMIO_TESTS_DEPENDENCIES */ -#if defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \ - !defined(OPENSSL_COMPATIBLE_DEFAULTS) 
&& !defined(NO_SHA256) -static const char* dn = NULL; -static int test_wolfSSL_check_domain_basic_client_ssl(WOLFSSL* ssl) +static int set_post_auth_cb(WOLFSSL* ssl) { - EXPECT_DECLS; - - ExpectIntEQ(wolfSSL_check_domain_name(ssl, dn), WOLFSSL_SUCCESS); - - return EXPECT_RESULT(); + if (!wolfSSL_is_server(ssl)) { + EXPECT_DECLS; + ExpectIntEQ(wolfSSL_allow_post_handshake_auth(ssl), 0); + return EXPECT_RESULT(); + } + wolfSSL_set_verify(ssl, WOLFSSL_VERIFY_POST_HANDSHAKE, NULL); + return TEST_SUCCESS; } -static int test_wolfSSL_check_domain_basic(void) +#endif + +static int test_wolfSSL_Tls13_postauth(void) { EXPECT_DECLS; - test_ssl_cbf func_cb_client; - test_ssl_cbf func_cb_server; - - XMEMSET(&func_cb_client, 0, sizeof(func_cb_client)); - XMEMSET(&func_cb_server, 0, sizeof(func_cb_server)); - - dn = "invalid.com"; - func_cb_client.ssl_ready = &test_wolfSSL_check_domain_basic_client_ssl; +#if defined(HAVE_IO_TESTS_DEPENDENCIES) && \ + defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ + defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH) + test_ssl_cbf server_cbf; + test_ssl_cbf client_cbf; - /* Expect to fail */ - ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&func_cb_client, - &func_cb_server, NULL), -1001); + /* test version failure doing post auth with TLS 1.2 connection */ + XMEMSET(&server_cbf, 0, sizeof(server_cbf)); + XMEMSET(&client_cbf, 0, sizeof(client_cbf)); + server_cbf.method = wolfTLSv1_2_server_method; + server_cbf.ssl_ready = set_post_auth_cb; + server_cbf.on_result = post_auth_version_cb; + client_cbf.ssl_ready = set_post_auth_cb; + client_cbf.on_result = post_auth_version_client_cb; - dn = "example.com"; + ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cbf, + &server_cbf, NULL), TEST_SUCCESS); - /* Expect to succeed */ - ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&func_cb_client, - &func_cb_server, NULL), TEST_SUCCESS); + /* tests on post auth with TLS 1.3 */ + XMEMSET(&server_cbf, 0, sizeof(server_cbf)); + 
XMEMSET(&client_cbf, 0, sizeof(client_cbf)); + server_cbf.method = wolfTLSv1_3_server_method; + server_cbf.ssl_ready = set_post_auth_cb; + client_cbf.ssl_ready = set_post_auth_cb; + server_cbf.on_result = post_auth_cb; + client_cbf.on_result = NULL; + ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cbf, + &server_cbf, NULL), TEST_SUCCESS); +#endif return EXPECT_RESULT(); } -#else -static int test_wolfSSL_check_domain_basic(void) -{ - EXPECT_DECLS; - return EXPECT_RESULT(); -} -#endif /* HAVE_SSL_MEMIO_TESTS_DEPENDENCIES */ -static int test_wolfSSL_X509_get_X509_PUBKEY(void) + +static int test_wolfSSL_CTX_set_srp_username(void) { EXPECT_DECLS; -#if (defined(OPENSSL_ALL) || defined(WOLFSSL_APACHE_HTTPD)) - X509* x509 = NULL; - X509_PUBKEY* pubKey; +#if defined(OPENSSL_EXTRA) && defined(WOLFCRYPT_HAVE_SRP) && \ + !defined(NO_SHA256) && !defined(WC_NO_RNG) && !defined(NO_TLS) && \ + !defined(NO_WOLFSSL_CLIENT) + WOLFSSL_CTX* ctx = NULL; + WOLFSSL* ssl = NULL; + const char *username = "TESTUSER"; + const char *password = "TESTPASSWORD"; + + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); + ExpectIntEQ(wolfSSL_CTX_set_srp_username(ctx, (char *)username), + SSL_SUCCESS); + wolfSSL_CTX_free(ctx); + ctx = NULL; - ExpectNotNull(x509 = X509_new()); + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); + ExpectIntEQ(wolfSSL_CTX_set_srp_password(ctx, (char *)password), + SSL_SUCCESS); + ExpectIntEQ(wolfSSL_CTX_set_srp_username(ctx, (char *)username), + SSL_SUCCESS); - ExpectNull(pubKey = wolfSSL_X509_get_X509_PUBKEY(NULL)); - ExpectNotNull(pubKey = wolfSSL_X509_get_X509_PUBKEY(x509)); + ExpectNotNull(ssl = SSL_new(ctx)); + ExpectNotNull(SSL_get_srp_username(ssl)); + ExpectStrEQ(SSL_get_srp_username(ssl), username); - X509_free(x509); -#endif + wolfSSL_free(ssl); + wolfSSL_CTX_free(ctx); +#endif /* OPENSSL_EXTRA && WOLFCRYPT_HAVE_SRP */ + /* && !NO_SHA256 && !WC_NO_RNG && !NO_WOLFSSL_CLIENT */ return EXPECT_RESULT(); } -static int 
test_wolfSSL_X509_PUBKEY_RSA(void) +static int test_wolfSSL_CTX_set_srp_password(void) { EXPECT_DECLS; -#if (defined(OPENSSL_ALL) || defined(WOLFSSL_APACHE_HTTPD)) && \ - !defined(NO_SHA256) && !defined(NO_RSA) - X509* x509 = NULL; - ASN1_OBJECT* obj = NULL; - const ASN1_OBJECT* pa_oid = NULL; - X509_PUBKEY* pubKey = NULL; - X509_PUBKEY* pubKey2 = NULL; - EVP_PKEY* evpKey = NULL; - byte buf[1024]; - byte* tmp; - - const unsigned char *pk = NULL; - int ppklen; - int pptype; - X509_ALGOR *pa = NULL; - const void *pval; +#if defined(OPENSSL_EXTRA) && defined(WOLFCRYPT_HAVE_SRP) && \ + !defined(NO_SHA256) && !defined(WC_NO_RNG) && !defined(NO_TLS) && \ + !defined(NO_WOLFSSL_CLIENT) + WOLFSSL_CTX* ctx = NULL; + const char *username = "TESTUSER"; + const char *password = "TESTPASSWORD"; - ExpectNotNull(x509 = X509_load_certificate_file(cliCertFile, - SSL_FILETYPE_PEM)); + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); + ExpectIntEQ(wolfSSL_CTX_set_srp_password(ctx, (char *)password), + SSL_SUCCESS); + wolfSSL_CTX_free(ctx); + ctx = NULL; - ExpectNotNull(pubKey = X509_get_X509_PUBKEY(x509)); - ExpectIntEQ(X509_PUBKEY_get0_param(&obj, &pk, &ppklen, &pa, pubKey), 1); - ExpectNotNull(pk); - ExpectNotNull(pa); - ExpectNotNull(pubKey); - ExpectIntGT(ppklen, 0); - - tmp = buf; - ExpectIntEQ(wolfSSL_i2d_X509_PUBKEY(NULL, NULL), WOLFSSL_FATAL_ERROR); - ExpectIntEQ(wolfSSL_i2d_X509_PUBKEY(NULL, &tmp), WOLFSSL_FATAL_ERROR); - ExpectIntEQ(wolfSSL_i2d_X509_PUBKEY(pubKey, NULL), 294); - ExpectIntEQ(wolfSSL_i2d_X509_PUBKEY(pubKey, &tmp), 294); - - ExpectIntEQ(OBJ_obj2nid(obj), NID_rsaEncryption); - - ExpectNotNull(evpKey = X509_PUBKEY_get(pubKey)); - ExpectNotNull(pubKey2 = X509_PUBKEY_new()); - ExpectIntEQ(X509_PUBKEY_get0_param(&obj, &pk, &ppklen, &pa, NULL), 0); - ExpectIntEQ(X509_PUBKEY_get0_param(&obj, &pk, &ppklen, &pa, pubKey2), 0); - ExpectIntEQ(X509_PUBKEY_set(NULL, NULL), 0); - ExpectIntEQ(X509_PUBKEY_set(&pubKey2, NULL), 0); - 
ExpectIntEQ(X509_PUBKEY_set(NULL, evpKey), 0); - ExpectIntEQ(X509_PUBKEY_set(&pubKey2, evpKey), 1); - ExpectIntEQ(X509_PUBKEY_get0_param(NULL, NULL, NULL, NULL, pubKey2), 1); - ExpectIntEQ(X509_PUBKEY_get0_param(&obj, &pk, &ppklen, &pa, pubKey2), 1); - ExpectNotNull(pk); - ExpectNotNull(pa); - ExpectIntGT(ppklen, 0); - X509_ALGOR_get0(&pa_oid, &pptype, &pval, pa); - ExpectNotNull(pa_oid); - ExpectNull(pval); - ExpectIntEQ(pptype, V_ASN1_NULL); - ExpectIntEQ(OBJ_obj2nid(pa_oid), EVP_PKEY_RSA); - - X509_PUBKEY_free(NULL); - X509_PUBKEY_free(pubKey2); - X509_free(x509); - EVP_PKEY_free(evpKey); -#endif + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); + ExpectIntEQ(wolfSSL_CTX_set_srp_username(ctx, (char *)username), + SSL_SUCCESS); + ExpectIntEQ(wolfSSL_CTX_set_srp_password(ctx, (char *)password), + SSL_SUCCESS); + wolfSSL_CTX_free(ctx); +#endif /* OPENSSL_EXTRA && WOLFCRYPT_HAVE_SRP */ + /* && !NO_SHA256 && !WC_NO_RNG && !NO_WOLFSSL_CLIENT */ return EXPECT_RESULT(); } -static int test_wolfSSL_X509_PUBKEY_EC(void) +#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_TLS) && \ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) +#define TEST_ARG 0x1234 +static void msg_cb(int write_p, int version, int content_type, + const void *buf, size_t len, SSL *ssl, void *arg) { - EXPECT_DECLS; -#if (defined(OPENSSL_ALL) || defined(WOLFSSL_APACHE_HTTPD)) && defined(HAVE_ECC) - X509* x509 = NULL; - ASN1_OBJECT* obj = NULL; - ASN1_OBJECT* poid = NULL; - const ASN1_OBJECT* pa_oid = NULL; - X509_PUBKEY* pubKey = NULL; - X509_PUBKEY* pubKey2 = NULL; - EVP_PKEY* evpKey = NULL; - - const unsigned char *pk = NULL; - int ppklen; - int pptype; - X509_ALGOR *pa = NULL; - const void *pval; - char buf[50]; + (void)write_p; + (void)version; + (void)content_type; + (void)buf; + (void)len; + (void)ssl; - ExpectNotNull(x509 = X509_load_certificate_file(cliEccCertFile, - SSL_FILETYPE_PEM)); - ExpectNotNull(pubKey = X509_get_X509_PUBKEY(x509)); - ExpectNotNull(evpKey = 
X509_PUBKEY_get(pubKey)); - ExpectNotNull(pubKey2 = X509_PUBKEY_new()); - ExpectIntEQ(X509_PUBKEY_set(&pubKey2, evpKey), 1); - ExpectIntEQ(X509_PUBKEY_get0_param(&obj, &pk, &ppklen, &pa, pubKey2), 1); - ExpectNotNull(pk); - ExpectNotNull(pa); - ExpectIntGT(ppklen, 0); - X509_ALGOR_get0(&pa_oid, &pptype, &pval, pa); - ExpectNotNull(pa_oid); - ExpectNotNull(pval); - ExpectIntEQ(pptype, V_ASN1_OBJECT); - ExpectIntEQ(OBJ_obj2nid(pa_oid), EVP_PKEY_EC); - poid = (ASN1_OBJECT *)pval; - ExpectIntGT(OBJ_obj2txt(buf, (int)sizeof(buf), poid, 0), 0); - ExpectIntEQ(OBJ_txt2nid(buf), NID_X9_62_prime256v1); - - X509_PUBKEY_free(pubKey2); - X509_free(x509); - EVP_PKEY_free(evpKey); -#endif - return EXPECT_RESULT(); + AssertTrue(arg == (void*)TEST_ARG); } +#endif -static int test_wolfSSL_X509_PUBKEY_DSA(void) +#if defined(OPENSSL_EXTRA) && defined(DEBUG_WOLFSSL) && \ + defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) +#if defined(SESSION_CERTS) +#include "wolfssl/internal.h" +#endif +static int msgSrvCb(SSL_CTX *ctx, SSL *ssl) { EXPECT_DECLS; -#if (defined(OPENSSL_ALL) || defined(WOLFSSL_APACHE_HTTPD)) && !defined(NO_DSA) - word32 bytes; -#ifdef USE_CERT_BUFFERS_1024 - byte tmp[ONEK_BUF]; -#elif defined(USE_CERT_BUFFERS_2048) - byte tmp[TWOK_BUF]; -#else - byte tmp[TWOK_BUF]; -#endif /* END USE_CERT_BUFFERS_1024 */ - const unsigned char* dsaKeyDer = tmp; +#if defined(OPENSSL_ALL) && defined(SESSION_CERTS) && !defined(NO_BIO) + STACK_OF(X509)* sk = NULL; + X509* x509 = NULL; + int i, num; + BIO* bio = NULL; +#endif - ASN1_OBJECT* obj = NULL; - ASN1_STRING* str; - const ASN1_OBJECT* pa_oid = NULL; - X509_PUBKEY* pubKey = NULL; - EVP_PKEY* evpKey = NULL; + ExpectNotNull(ctx); + ExpectNotNull(ssl); - const unsigned char *pk = NULL; - int ppklen, pptype; - X509_ALGOR *pa = NULL; - const void *pval; + fprintf(stderr, "\n===== msgSrvCb called ====\n"); +#if defined(SESSION_CERTS) && defined(TEST_PEER_CERT_CHAIN) + ExpectTrue(SSL_get_peer_cert_chain(ssl) != NULL); + 
ExpectIntEQ(((WOLFSSL_X509_CHAIN *)SSL_get_peer_cert_chain(ssl))->count, 2); + ExpectNotNull(SSL_get0_verified_chain(ssl)); +#endif -#ifdef USE_CERT_BUFFERS_1024 - XMEMSET(tmp, 0, sizeof(tmp)); - XMEMCPY(tmp, dsa_key_der_1024, sizeof_dsa_key_der_1024); - bytes = sizeof_dsa_key_der_1024; -#elif defined(USE_CERT_BUFFERS_2048) - XMEMSET(tmp, 0, sizeof(tmp)); - XMEMCPY(tmp, dsa_key_der_2048, sizeof_dsa_key_der_2048); - bytes = sizeof_dsa_key_der_2048; -#else +#if defined(OPENSSL_ALL) && defined(SESSION_CERTS) && !defined(NO_BIO) +#ifdef KEEP_PEER_CERT { - XFILE fp = XBADFILE; - XMEMSET(tmp, 0, sizeof(tmp)); - ExpectTrue((fp = XFOPEN("./certs/dsa2048.der", "rb")) != XBADFILE); - ExpectIntGT(bytes = (word32) XFREAD(tmp, 1, sizeof(tmp), fp), 0); - if (fp != XBADFILE) - XFCLOSE(fp); + WOLFSSL_X509* peer = NULL; + ExpectNotNull(peer= wolfSSL_get_peer_certificate(ssl)); + ExpectNotNull(bio = BIO_new_fp(stderr, BIO_NOCLOSE)); + fprintf(stderr, "Peer Certificate = :\n"); + X509_print(bio, peer); + X509_free(peer); } #endif - /* Initialize pkey with der format dsa key */ - ExpectNotNull(d2i_PrivateKey(EVP_PKEY_DSA, &evpKey, &dsaKeyDer, bytes)); - - ExpectNotNull(pubKey = X509_PUBKEY_new()); - ExpectIntEQ(X509_PUBKEY_set(&pubKey, evpKey), 1); - ExpectIntEQ(X509_PUBKEY_get0_param(&obj, &pk, &ppklen, &pa, pubKey), 1); - ExpectNotNull(pk); - ExpectNotNull(pa); - ExpectIntGT(ppklen, 0); - X509_ALGOR_get0(&pa_oid, &pptype, &pval, pa); - ExpectNotNull(pa_oid); - ExpectNotNull(pval); - ExpectIntEQ(pptype, V_ASN1_SEQUENCE); - ExpectIntEQ(OBJ_obj2nid(pa_oid), EVP_PKEY_DSA); - str = (ASN1_STRING *)pval; - DEBUG_WRITE_DER(ASN1_STRING_data(str), ASN1_STRING_length(str), "str.der"); -#ifdef USE_CERT_BUFFERS_1024 - ExpectIntEQ(ASN1_STRING_length(str), 291); -#else - ExpectIntEQ(ASN1_STRING_length(str), 549); -#endif /* END USE_CERT_BUFFERS_1024 */ - - X509_PUBKEY_free(pubKey); - EVP_PKEY_free(evpKey); + ExpectNotNull(sk = SSL_get_peer_cert_chain(ssl)); + if (sk == NULL) { + BIO_free(bio); + 
return TEST_FAIL; + } + num = sk_X509_num(sk); + ExpectTrue(num > 0); + for (i = 0; i < num; i++) { + ExpectNotNull(x509 = sk_X509_value(sk,i)); + if (x509 == NULL) + break; + fprintf(stderr, "Certificate at index [%d] = :\n",i); + X509_print(bio,x509); + fprintf(stderr, "\n\n"); + } + BIO_free(bio); #endif return EXPECT_RESULT(); } -static int test_wolfSSL_BUF(void) +static int msgCb(SSL_CTX *ctx, SSL *ssl) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) - BUF_MEM* buf = NULL; - ExpectNotNull(buf = BUF_MEM_new()); - ExpectIntEQ(BUF_MEM_grow(buf, 10), 10); - ExpectIntEQ(BUF_MEM_grow(buf, -1), 0); - BUF_MEM_free(buf); +#if defined(OPENSSL_ALL) && defined(SESSION_CERTS) && !defined(NO_BIO) + STACK_OF(X509)* sk = NULL; + X509* x509 = NULL; + int i, num; + BIO* bio = NULL; #endif - return EXPECT_RESULT(); -} - -#if defined(OPENSSL_EXTRA) && !defined(WOLFSSL_NO_OPENSSL_RAND_CB) -static int stub_rand_seed(const void *buf, int num) -{ - (void)buf; - (void)num; - - return 123; -} - -static int stub_rand_bytes(unsigned char *buf, int num) -{ - (void)buf; - (void)num; - return 456; -} + ExpectNotNull(ctx); + ExpectNotNull(ssl); -static byte* was_stub_rand_cleanup_called(void) -{ - static byte was_called = 0; + fprintf(stderr, "\n===== msgcb called ====\n"); +#if defined(SESSION_CERTS) && defined(TEST_PEER_CERT_CHAIN) + ExpectTrue(SSL_get_peer_cert_chain(ssl) != NULL); + ExpectIntEQ(((WOLFSSL_X509_CHAIN *)SSL_get_peer_cert_chain(ssl))->count, 2); + ExpectNotNull(SSL_get0_verified_chain(ssl)); +#endif - return &was_called; +#if defined(OPENSSL_ALL) && defined(SESSION_CERTS) && !defined(NO_BIO) + ExpectNotNull(bio = BIO_new_fp(stderr, BIO_NOCLOSE)); + ExpectNotNull(sk = SSL_get_peer_cert_chain(ssl)); + if (sk == NULL) { + BIO_free(bio); + return TEST_FAIL; + } + num = sk_X509_num(sk); + ExpectTrue(num > 0); + for (i = 0; i < num; i++) { + ExpectNotNull(x509 = sk_X509_value(sk,i)); + if (x509 == NULL) + break; + fprintf(stderr, "Certificate at index [%d] = :\n",i); + 
X509_print(bio,x509); + fprintf(stderr, "\n\n"); + } + BIO_free(bio); +#endif + return EXPECT_RESULT(); } +#endif -static void stub_rand_cleanup(void) +static int test_wolfSSL_msgCb(void) { - byte* was_called = was_stub_rand_cleanup_called(); - - *was_called = 1; - - return; -} + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && defined(DEBUG_WOLFSSL) && \ + defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) + test_ssl_cbf client_cb; + test_ssl_cbf server_cb; -static byte* was_stub_rand_add_called(void) -{ - static byte was_called = 0; + XMEMSET(&client_cb, 0, sizeof(client_cb)); + XMEMSET(&server_cb, 0, sizeof(server_cb)); +#ifndef WOLFSSL_NO_TLS12 + client_cb.method = wolfTLSv1_2_client_method; + server_cb.method = wolfTLSv1_2_server_method; +#else + client_cb.method = wolfTLSv1_3_client_method; + server_cb.method = wolfTLSv1_3_server_method; +#endif + server_cb.caPemFile = caCertFile; + client_cb.certPemFile = "./certs/intermediate/client-chain.pem"; - return &was_called; + ExpectIntEQ(test_wolfSSL_client_server_nofail_memio_ex(&client_cb, + &server_cb, msgCb, msgSrvCb), TEST_SUCCESS); +#endif + return EXPECT_RESULT(); } -static int stub_rand_add(const void *buf, int num, double entropy) +static int test_wolfSSL_either_side(void) { - byte* was_called = was_stub_rand_add_called(); - - (void)buf; - (void)num; - (void)entropy; - - *was_called = 1; + EXPECT_DECLS; +#if (defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE)) && \ + defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) + test_ssl_cbf client_cb; + test_ssl_cbf server_cb; - return 0; -} + XMEMSET(&client_cb, 0, sizeof(client_cb)); + XMEMSET(&server_cb, 0, sizeof(server_cb)); -static int stub_rand_pseudo_bytes(unsigned char *buf, int num) -{ - (void)buf; - (void)num; + /* Use different CTX for client and server */ + client_cb.ctx = wolfSSL_CTX_new(wolfSSLv23_method()); + ExpectNotNull(client_cb.ctx); + server_cb.ctx = wolfSSL_CTX_new(wolfSSLv23_method()); + ExpectNotNull(server_cb.ctx); + /* we are responsible for free'ing 
WOLFSSL_CTX */ + server_cb.isSharedCtx = client_cb.isSharedCtx = 1; - return 9876; -} + ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cb, + &server_cb, NULL), TEST_SUCCESS); -static int stub_rand_status(void) -{ - return 5432; + wolfSSL_CTX_free(client_cb.ctx); + wolfSSL_CTX_free(server_cb.ctx); +#endif + return EXPECT_RESULT(); } -#endif /* OPENSSL_EXTRA && !WOLFSSL_NO_OPENSSL_RAND_CB */ -static int test_wolfSSL_RAND_set_rand_method(void) +static int test_wolfSSL_DTLS_either_side(void) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(WOLFSSL_NO_OPENSSL_RAND_CB) - RAND_METHOD rand_methods = {NULL, NULL, NULL, NULL, NULL, NULL}; - unsigned char* buf = NULL; - int num = 0; - double entropy = 0; - int ret; - byte* was_cleanup_called = was_stub_rand_cleanup_called(); - byte* was_add_called = was_stub_rand_add_called(); - - ExpectNotNull(buf = (byte*)XMALLOC(32 * sizeof(byte), NULL, - DYNAMIC_TYPE_TMP_BUFFER)); - - ExpectIntNE(wolfSSL_RAND_status(), 5432); - ExpectIntEQ(*was_cleanup_called, 0); - RAND_cleanup(); - ExpectIntEQ(*was_cleanup_called, 0); - - - rand_methods.seed = &stub_rand_seed; - rand_methods.bytes = &stub_rand_bytes; - rand_methods.cleanup = &stub_rand_cleanup; - rand_methods.add = &stub_rand_add; - rand_methods.pseudorand = &stub_rand_pseudo_bytes; - rand_methods.status = &stub_rand_status; - - ExpectIntEQ(RAND_set_rand_method(&rand_methods), WOLFSSL_SUCCESS); - ExpectIntEQ(RAND_seed(buf, num), 123); - ExpectIntEQ(RAND_bytes(buf, num), 456); - ExpectIntEQ(RAND_pseudo_bytes(buf, num), 9876); - ExpectIntEQ(RAND_status(), 5432); - - ExpectIntEQ(*was_add_called, 0); - /* The function pointer for RAND_add returns int, but RAND_add itself - * returns void. 
*/ - RAND_add(buf, num, entropy); - ExpectIntEQ(*was_add_called, 1); - was_add_called = 0; - ExpectIntEQ(*was_cleanup_called, 0); - RAND_cleanup(); - ExpectIntEQ(*was_cleanup_called, 1); - *was_cleanup_called = 0; +#if (defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE)) && \ + defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && defined(WOLFSSL_DTLS) + test_ssl_cbf client_cb; + test_ssl_cbf server_cb; + XMEMSET(&client_cb, 0, sizeof(client_cb)); + XMEMSET(&server_cb, 0, sizeof(server_cb)); - ret = RAND_set_rand_method(NULL); - ExpectIntEQ(ret, WOLFSSL_SUCCESS); - ExpectIntNE(RAND_status(), 5432); - ExpectIntEQ(*was_cleanup_called, 0); - RAND_cleanup(); - ExpectIntEQ(*was_cleanup_called, 0); + /* Use different CTX for client and server */ + client_cb.ctx = wolfSSL_CTX_new(wolfDTLS_method()); + ExpectNotNull(client_cb.ctx); + server_cb.ctx = wolfSSL_CTX_new(wolfDTLS_method()); + ExpectNotNull(server_cb.ctx); + /* we are responsible for free'ing WOLFSSL_CTX */ + server_cb.isSharedCtx = client_cb.isSharedCtx = 1; - RAND_set_rand_method(NULL); + ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cb, + &server_cb, NULL), TEST_SUCCESS); - XFREE(buf, NULL, DYNAMIC_TYPE_TMP_BUFFER); -#endif /* OPENSSL_EXTRA && !WOLFSSL_NO_OPENSSL_RAND_CB */ + wolfSSL_CTX_free(client_cb.ctx); + wolfSSL_CTX_free(server_cb.ctx); +#endif return EXPECT_RESULT(); } -static int test_wolfSSL_RAND_bytes(void) +static int test_generate_cookie(void) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) - const int size1 = RNG_MAX_BLOCK_LEN; /* in bytes */ - const int size2 = RNG_MAX_BLOCK_LEN + 1; /* in bytes */ - const int size3 = RNG_MAX_BLOCK_LEN * 2; /* in bytes */ - const int size4 = RNG_MAX_BLOCK_LEN * 4; /* in bytes */ - int max_bufsize; - byte *my_buf = NULL; -#if defined(OPENSSL_EXTRA) && defined(HAVE_GETPID) && !defined(__MINGW64__) && \ - !defined(__MINGW32__) - byte seed[16] = {0}; - byte randbuf[8] = {0}; - int pipefds[2] = {0}; - pid_t pid = 0; -#endif - - /* sanity check */ - 
ExpectIntEQ(RAND_bytes(NULL, 16), 0); - ExpectIntEQ(RAND_bytes(NULL, 0), 0); - - max_bufsize = size4; - - ExpectNotNull(my_buf = (byte*)XMALLOC(max_bufsize * sizeof(byte), HEAP_HINT, - DYNAMIC_TYPE_TMP_BUFFER)); +#if defined(WOLFSSL_DTLS) && defined(OPENSSL_EXTRA) && defined(USE_WOLFSSL_IO) + SSL_CTX* ctx = NULL; + SSL* ssl = NULL; + byte buf[FOURK_BUF] = {0}; - ExpectIntEQ(RAND_bytes(my_buf, 0), 1); - ExpectIntEQ(RAND_bytes(my_buf, -1), 0); + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfDTLS_method())); + ExpectNotNull(ssl = SSL_new(ctx)); - ExpectNotNull(XMEMSET(my_buf, 0, max_bufsize)); - ExpectIntEQ(RAND_bytes(my_buf, size1), 1); - ExpectIntEQ(RAND_bytes(my_buf, size2), 1); - ExpectIntEQ(RAND_bytes(my_buf, size3), 1); - ExpectIntEQ(RAND_bytes(my_buf, size4), 1); - XFREE(my_buf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + /* Test unconnected */ + ExpectIntEQ(EmbedGenerateCookie(ssl, buf, FOURK_BUF, NULL), WC_NO_ERR_TRACE(GEN_COOKIE_E)); -#if defined(OPENSSL_EXTRA) && defined(HAVE_GETPID) && !defined(__MINGW64__) && \ - !defined(__MINGW32__) - XMEMSET(seed, 0, sizeof(seed)); - RAND_cleanup(); + wolfSSL_CTX_SetGenCookie(ctx, EmbedGenerateCookie); - /* No global methods set. */ - ExpectIntEQ(RAND_seed(seed, sizeof(seed)), 1); + wolfSSL_SetCookieCtx(ssl, ctx); - ExpectIntEQ(pipe(pipefds), 0); - pid = fork(); - ExpectIntGE(pid, 0); - if (pid == 0) { - ssize_t n_written = 0; + ExpectNotNull(wolfSSL_GetCookieCtx(ssl)); - /* Child process. */ - close(pipefds[0]); - RAND_bytes(randbuf, sizeof(randbuf)); - n_written = write(pipefds[1], randbuf, sizeof(randbuf)); - close(pipefds[1]); - exit(n_written == sizeof(randbuf) ? 0 : 1); - } - else { - /* Parent process. 
*/ - byte childrand[8] = {0}; - int waitstatus = 0; + ExpectNull(wolfSSL_GetCookieCtx(NULL)); - close(pipefds[1]); - ExpectIntEQ(RAND_bytes(randbuf, sizeof(randbuf)), 1); - ExpectIntEQ(read(pipefds[0], childrand, sizeof(childrand)), - sizeof(childrand)); - #ifdef WOLFSSL_NO_GETPID - ExpectBufEQ(randbuf, childrand, sizeof(randbuf)); - #else - ExpectBufNE(randbuf, childrand, sizeof(randbuf)); - #endif - close(pipefds[0]); - waitpid(pid, &waitstatus, 0); - } - RAND_cleanup(); -#endif + SSL_free(ssl); + SSL_CTX_free(ctx); #endif return EXPECT_RESULT(); } -static int test_wolfSSL_RAND(void) +static int test_wolfSSL_set_options(void) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) - byte seed[16]; - - XMEMSET(seed, 0, sizeof(seed)); - - /* No global methods set. */ - ExpectIntEQ(RAND_seed(seed, sizeof(seed)), 1); - ExpectIntEQ(RAND_poll(), 1); - RAND_cleanup(); - - ExpectIntEQ(RAND_egd(NULL), -1); -#ifndef NO_FILESYSTEM - { - char fname[100]; - - ExpectNotNull(RAND_file_name(fname, (sizeof(fname) - 1))); - ExpectIntEQ(RAND_write_file(NULL), 0); - } +#if !defined(NO_CERTS) && !defined(NO_TLS) && !defined(NO_FILESYSTEM) && \ + (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) && \ + !defined(NO_RSA) + WOLFSSL* ssl = NULL; + WOLFSSL_CTX* ctx = NULL; +#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) + char appData[] = "extra msg"; #endif +#ifdef OPENSSL_EXTRA + unsigned char protos[] = { + 7, 't', 'l', 's', '/', '1', '.', '2', + 8, 'h', 't', 't', 'p', '/', '1', '.', '1' + }; + unsigned int len = sizeof(protos); + void *arg = (void *)TEST_ARG; #endif - return EXPECT_RESULT(); -} +#ifndef NO_WOLFSSL_SERVER + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); +#else + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); +#endif + ExpectTrue(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile, + CERT_FILETYPE)); + ExpectTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, + CERT_FILETYPE)); -#if defined(WC_RNG_SEED_CB) && 
defined(OPENSSL_EXTRA) -static int wc_DummyGenerateSeed(OS_Seed* os, byte* output, word32 sz) -{ - word32 i; - for (i = 0; i < sz; i++ ) - output[i] = (byte)i; - - (void)os; + ExpectTrue(wolfSSL_CTX_set_options(ctx, WOLFSSL_OP_NO_TLSv1) + == WOLFSSL_OP_NO_TLSv1); + ExpectTrue(wolfSSL_CTX_get_options(ctx) == WOLFSSL_OP_NO_TLSv1); - return 0; -} -#endif /* WC_RNG_SEED_CB */ + ExpectIntGT((int)wolfSSL_CTX_set_options(ctx, (WOLFSSL_OP_COOKIE_EXCHANGE | + WOLFSSL_OP_NO_SSLv2)), 0); + ExpectTrue((wolfSSL_CTX_set_options(ctx, WOLFSSL_OP_COOKIE_EXCHANGE) & + WOLFSSL_OP_COOKIE_EXCHANGE) == WOLFSSL_OP_COOKIE_EXCHANGE); + ExpectTrue((wolfSSL_CTX_set_options(ctx, WOLFSSL_OP_NO_TLSv1_2) & + WOLFSSL_OP_NO_TLSv1_2) == WOLFSSL_OP_NO_TLSv1_2); + ExpectTrue((wolfSSL_CTX_set_options(ctx, WOLFSSL_OP_NO_COMPRESSION) & + WOLFSSL_OP_NO_COMPRESSION) == WOLFSSL_OP_NO_COMPRESSION); + ExpectFalse((wolfSSL_CTX_clear_options(ctx, WOLFSSL_OP_NO_COMPRESSION) & + WOLFSSL_OP_NO_COMPRESSION)); + wolfSSL_CTX_free(ctx); + ctx = NULL; -static int test_wolfSSL_RAND_poll(void) -{ - EXPECT_DECLS; +#ifndef NO_WOLFSSL_SERVER + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); +#else + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); +#endif + ExpectTrue(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile, + CERT_FILETYPE)); + ExpectTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, + CERT_FILETYPE)); +#ifdef OPENSSL_EXTRA + ExpectTrue(wolfSSL_CTX_set_msg_callback(ctx, msg_cb) == WOLFSSL_SUCCESS); +#endif -#if defined(OPENSSL_EXTRA) - byte seed[16]; - byte rand1[16]; -#ifdef WC_RNG_SEED_CB - byte rand2[16]; + ExpectNotNull(ssl = wolfSSL_new(ctx)); +#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) +#ifdef HAVE_EX_DATA + ExpectIntEQ(wolfSSL_set_app_data(ssl, (void*)appData), WOLFSSL_SUCCESS); + ExpectNotNull(wolfSSL_get_app_data((const WOLFSSL*)ssl)); + if (ssl != NULL) { + ExpectIntEQ(XMEMCMP(wolfSSL_get_app_data((const WOLFSSL*)ssl), + appData, 
sizeof(appData)), 0); + } +#else + ExpectIntEQ(wolfSSL_set_app_data(ssl, (void*)appData), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectNull(wolfSSL_get_app_data((const WOLFSSL*)ssl)); +#endif #endif - XMEMSET(seed, 0, sizeof(seed)); - ExpectIntEQ(RAND_seed(seed, sizeof(seed)), 1); - ExpectIntEQ(RAND_poll(), 1); - ExpectIntEQ(RAND_bytes(rand1, 16), 1); - RAND_cleanup(); + ExpectTrue(wolfSSL_set_options(ssl, WOLFSSL_OP_NO_TLSv1) == + WOLFSSL_OP_NO_TLSv1); -#ifdef WC_RNG_SEED_CB - /* Test with custom seed and poll */ - wc_SetSeed_Cb(wc_DummyGenerateSeed); + ExpectTrue(wolfSSL_get_options(ssl) == WOLFSSL_OP_NO_TLSv1); - ExpectIntEQ(RAND_seed(seed, sizeof(seed)), 1); - ExpectIntEQ(RAND_bytes(rand1, 16), 1); - RAND_cleanup(); + ExpectIntGT((int)wolfSSL_set_options(ssl, (WOLFSSL_OP_COOKIE_EXCHANGE | + WOLFSSL_OP_NO_SSLv2)), 0); - /* test that the same value is generated twice with dummy seed function */ - ExpectIntEQ(RAND_seed(seed, sizeof(seed)), 1); - ExpectIntEQ(RAND_bytes(rand2, 16), 1); - ExpectIntEQ(XMEMCMP(rand1, rand2, 16), 0); - RAND_cleanup(); + ExpectTrue((wolfSSL_set_options(ssl, WOLFSSL_OP_COOKIE_EXCHANGE) & + WOLFSSL_OP_COOKIE_EXCHANGE) == WOLFSSL_OP_COOKIE_EXCHANGE); - /* test that doing a poll is reseeding RNG */ - ExpectIntEQ(RAND_seed(seed, sizeof(seed)), 1); - ExpectIntEQ(RAND_poll(), 1); - ExpectIntEQ(RAND_bytes(rand2, 16), 1); - ExpectIntNE(XMEMCMP(rand1, rand2, 16), 0); + ExpectTrue((wolfSSL_set_options(ssl, WOLFSSL_OP_NO_TLSv1_2) & + WOLFSSL_OP_NO_TLSv1_2) == WOLFSSL_OP_NO_TLSv1_2); - /* reset the seed function used */ - wc_SetSeed_Cb(WC_GENERATE_SEED_DEFAULT); -#endif - RAND_cleanup(); + ExpectTrue((wolfSSL_set_options(ssl, WOLFSSL_OP_NO_COMPRESSION) & + WOLFSSL_OP_NO_COMPRESSION) == WOLFSSL_OP_NO_COMPRESSION); - ExpectIntEQ(RAND_egd(NULL), -1); +#ifdef OPENSSL_EXTRA + ExpectFalse((wolfSSL_clear_options(ssl, WOLFSSL_OP_NO_COMPRESSION) & + WOLFSSL_OP_NO_COMPRESSION)); #endif - return EXPECT_RESULT(); -} - - -static int test_wolfSSL_PKCS8_Compat(void) 
-{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_FILESYSTEM) && defined(HAVE_ECC) && \ - !defined(NO_BIO) - PKCS8_PRIV_KEY_INFO* pt = NULL; - PKCS8_PRIV_KEY_INFO* pt2 = NULL; - BIO* bio = NULL; - XFILE f = XBADFILE; - int bytes = 0; - char pkcs8_buffer[512]; -#if defined(OPENSSL_ALL) || defined(WOLFSSL_WPAS_SMALL) - EVP_PKEY *pkey = NULL; +#ifdef OPENSSL_EXTRA + ExpectTrue(wolfSSL_set_msg_callback(ssl, msg_cb) == WOLFSSL_SUCCESS); + wolfSSL_set_msg_callback_arg(ssl, arg); +#ifdef WOLFSSL_ERROR_CODE_OPENSSL + ExpectTrue(wolfSSL_CTX_set_alpn_protos(ctx, protos, len) == 0); +#else + ExpectTrue(wolfSSL_CTX_set_alpn_protos(ctx, protos, len) == WOLFSSL_SUCCESS); +#endif #endif - /* file from wolfssl/certs/ directory */ - ExpectTrue((f = XFOPEN("./certs/ecc-keyPkcs8.pem", "rb")) != XBADFILE); - ExpectIntGT((bytes = (int)XFREAD(pkcs8_buffer, 1, sizeof(pkcs8_buffer), f)), - 0); - if (f != XBADFILE) - XFCLOSE(f); - ExpectNotNull(bio = BIO_new_mem_buf((void*)pkcs8_buffer, bytes)); - ExpectNotNull(pt = d2i_PKCS8_PRIV_KEY_INFO_bio(bio, NULL)); +#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || \ + defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(OPENSSL_ALL) || \ + defined(HAVE_LIGHTY) || defined(HAVE_STUNNEL) -#if defined(OPENSSL_ALL) || defined(WOLFSSL_WPAS_SMALL) - ExpectNotNull(pkey = EVP_PKCS82PKEY(pt)); - ExpectIntEQ(EVP_PKEY_type(pkey->type), EVP_PKEY_EC); +#if defined(HAVE_ALPN) && !defined(NO_BIO) - /* gets PKCS8 pointer to pkey */ - ExpectNotNull(pt2 = EVP_PKEY2PKCS8(pkey)); +#ifdef WOLFSSL_ERROR_CODE_OPENSSL + ExpectTrue(wolfSSL_set_alpn_protos(ssl, protos, len) == 0); +#else + ExpectTrue(wolfSSL_set_alpn_protos(ssl, protos, len) == WOLFSSL_SUCCESS); +#endif - EVP_PKEY_free(pkey); +#endif /* HAVE_ALPN && !NO_BIO */ #endif - BIO_free(bio); - PKCS8_PRIV_KEY_INFO_free(pt); - PKCS8_PRIV_KEY_INFO_free(pt2); + wolfSSL_free(ssl); + wolfSSL_CTX_free(ctx); #endif return EXPECT_RESULT(); } -#if defined(OPENSSL_EXTRA) && !defined(NO_FILESYSTEM) && 
!defined(NO_BIO) -static int NoPasswordCallBack(char* passwd, int sz, int rw, void* userdata) +static int test_wolfSSL_sk_SSL_CIPHER(void) { - (void)passwd; - (void)sz; - (void)rw; - (void)userdata; + EXPECT_DECLS; +#if defined(OPENSSL_ALL) && !defined(NO_CERTS) && !defined(NO_TLS) && \ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) +#if !defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER) + SSL* ssl = NULL; + SSL_CTX* ctx = NULL; + STACK_OF(SSL_CIPHER) *sk = NULL; + STACK_OF(SSL_CIPHER) *dupSk = NULL; - return -1; -} +#ifndef NO_WOLFSSL_SERVER + ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); +#else + ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); #endif + ExpectTrue(SSL_CTX_use_certificate_file(ctx, svrCertFile, SSL_FILETYPE_PEM)); + ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, SSL_FILETYPE_PEM)); + ExpectNotNull(ssl = SSL_new(ctx)); + ExpectNotNull(sk = SSL_get_ciphers(ssl)); + ExpectNotNull(dupSk = sk_SSL_CIPHER_dup(sk)); + ExpectIntGT(sk_SSL_CIPHER_num(sk), 0); + ExpectIntEQ(sk_SSL_CIPHER_num(sk), sk_SSL_CIPHER_num(dupSk)); -static int test_wolfSSL_PKCS8_d2i(void) + /* error case because connection has not been established yet */ + ExpectIntEQ(sk_SSL_CIPHER_find(sk, SSL_get_current_cipher(ssl)), -1); + sk_SSL_CIPHER_free(dupSk); + + /* sk is pointer to internal struct that should be free'd in SSL_free */ + SSL_free(ssl); + SSL_CTX_free(ctx); +#endif /* !NO_WOLFSSL_CLIENT || !NO_WOLFSSL_SERVER */ +#endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) */ + return EXPECT_RESULT(); +} + +static int test_wolfSSL_set1_curves_list(void) { EXPECT_DECLS; -#if !defined(HAVE_FIPS) && defined(OPENSSL_EXTRA) - /* This test ends up using HMAC as a part of PBKDF2, and HMAC - * requires a 12 byte password in FIPS mode. This test ends up - * trying to use an 8 byte password. 
*/ +#if defined(OPENSSL_EXTRA) && defined(HAVE_ECC) && !defined(NO_TLS) && \ + (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) && \ + !defined(NO_FILESYSTEM) + SSL* ssl = NULL; + SSL_CTX* ctx = NULL; -#ifndef NO_FILESYSTEM - unsigned char pkcs8_buffer[2048]; - const unsigned char* p = NULL; - int bytes = 0; - XFILE file = XBADFILE; - WOLFSSL_EVP_PKEY* pkey = NULL; -#ifndef NO_BIO - BIO* bio = NULL; - #if defined(OPENSSL_ALL) && \ - ((!defined(NO_RSA) && !defined(NO_DES3)) || \ - defined(HAVE_ECC)) && \ - !defined(NO_BIO) && !defined(NO_PWDBASED) && defined(HAVE_PKCS8) - WOLFSSL_EVP_PKEY* evpPkey = NULL; - #endif +#ifndef NO_WOLFSSL_SERVER + ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); +#else + ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); #endif -#ifndef NO_RSA - const char rsaDerPkcs8File[] = "./certs/server-keyPkcs8.der"; - const char rsaPemPkcs8File[] = "./certs/server-keyPkcs8.pem"; - #ifndef NO_DES3 - const char rsaDerPkcs8EncFile[] = "./certs/server-keyPkcs8Enc.der"; - #endif -#endif /* NO_RSA */ -#ifdef HAVE_ECC - const char ecDerPkcs8File[] = "certs/ecc-keyPkcs8.der"; - const char ecPemPkcs8File[] = "certs/ecc-keyPkcs8.pem"; - #ifndef NO_DES3 - const char ecDerPkcs8EncFile[] = "certs/ecc-keyPkcs8Enc.der"; - #endif -#endif /* HAVE_ECC */ -#endif /* !NO_FILESYSTEM */ + ExpectTrue(SSL_CTX_use_certificate_file(ctx, eccCertFile, + SSL_FILETYPE_PEM)); + ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, eccKeyFile, SSL_FILETYPE_PEM)); + ExpectNotNull(ssl = SSL_new(ctx)); -#if defined(OPENSSL_ALL) && (!defined(NO_RSA) || defined(HAVE_ECC)) -#ifndef NO_RSA - #ifdef USE_CERT_BUFFERS_1024 - const unsigned char* rsa = (unsigned char*)server_key_der_1024; - int rsaSz = sizeof_server_key_der_1024; - #else - const unsigned char* rsa = (unsigned char*)server_key_der_2048; - int rsaSz = sizeof_server_key_der_2048; - #endif -#endif + ExpectIntEQ(SSL_CTX_set1_curves_list(ctx, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); #ifdef HAVE_ECC - 
const unsigned char* ec = (unsigned char*)ecc_key_der_256; - int ecSz = sizeof_ecc_key_der_256; + ExpectIntEQ(SSL_CTX_set1_curves_list(ctx, "P-25X"), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(SSL_CTX_set1_curves_list(ctx, "P-256"), WOLFSSL_SUCCESS); #endif -#endif /* OPENSSL_ALL && (!NO_RSA || HAVE_ECC) */ - - -#ifndef NO_FILESYSTEM - (void)pkcs8_buffer; - (void)p; - (void)bytes; - (void)file; -#ifndef NO_BIO - (void)bio; +#ifdef HAVE_CURVE25519 + ExpectIntEQ(SSL_CTX_set1_curves_list(ctx, "X25519"), WOLFSSL_SUCCESS); +#else + ExpectIntEQ(SSL_CTX_set1_curves_list(ctx, "X25519"), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); #endif +#ifdef HAVE_CURVE448 + ExpectIntEQ(SSL_CTX_set1_curves_list(ctx, "X448"), WOLFSSL_SUCCESS); +#else + ExpectIntEQ(SSL_CTX_set1_curves_list(ctx, "X448"), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); #endif -#ifdef OPENSSL_ALL -#ifndef NO_RSA - /* Try to auto-detect normal RSA private key */ - ExpectNotNull(pkey = d2i_AutoPrivateKey(NULL, &rsa, rsaSz)); - EVP_PKEY_free(pkey); - pkey = NULL; -#endif + ExpectIntEQ(SSL_set1_curves_list(ssl, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); #ifdef HAVE_ECC - /* Try to auto-detect normal EC private key */ - ExpectNotNull(pkey = d2i_AutoPrivateKey(NULL, &ec, ecSz)); - EVP_PKEY_free(pkey); - pkey = NULL; + ExpectIntEQ(SSL_set1_curves_list(ssl, "P-25X"), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(SSL_set1_curves_list(ssl, "P-256"), WOLFSSL_SUCCESS); #endif -#endif /* OPENSSL_ALL */ -#ifndef NO_FILESYSTEM -#if defined(OPENSSL_ALL) && !defined(NO_PWDBASED) && defined(HAVE_PKCS8) - ExpectIntEQ(PEM_write_PKCS8PrivateKey(XBADFILE, pkey, NULL, NULL, 0, NULL, - NULL), 0); - ExpectIntEQ(PEM_write_PKCS8PrivateKey(stderr, NULL, NULL, NULL, 0, NULL, - NULL), 0); +#ifdef HAVE_CURVE25519 + ExpectIntEQ(SSL_set1_curves_list(ssl, "X25519"), WOLFSSL_SUCCESS); +#else + ExpectIntEQ(SSL_set1_curves_list(ssl, "X25519"), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); #endif - -#ifndef NO_RSA - /* Get DER encoded RSA PKCS#8 data. 
*/ - ExpectTrue((file = XFOPEN(rsaDerPkcs8File, "rb")) != XBADFILE); - ExpectNotNull(XMEMSET(pkcs8_buffer, 0, sizeof(pkcs8_buffer))); - ExpectIntGT((bytes = (int)XFREAD(pkcs8_buffer, 1, sizeof(pkcs8_buffer), - file)), 0); - if (file != XBADFILE) { - XFCLOSE(file); - file = XBADFILE; - } - - p = pkcs8_buffer; -#ifdef OPENSSL_ALL - /* Try to decode - auto-detect key type. */ - ExpectNotNull(pkey = d2i_AutoPrivateKey(NULL, &p, bytes)); +#ifdef HAVE_CURVE448 + ExpectIntEQ(SSL_set1_curves_list(ssl, "X448"), WOLFSSL_SUCCESS); #else - ExpectNotNull(pkey = d2i_PrivateKey(EVP_PKEY_RSA, NULL, &p, bytes)); + ExpectIntEQ(SSL_set1_curves_list(ssl, "X448"), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); #endif - /* Get PEM encoded RSA PKCS#8 data. */ - ExpectTrue((file = XFOPEN(rsaPemPkcs8File, "rb")) != XBADFILE); - ExpectIntGT((bytes = (int)XFREAD(pkcs8_buffer, 1, sizeof(pkcs8_buffer), - file)), 0); - if (file != XBADFILE) { - XFCLOSE(file); - file = XBADFILE; - } -#if defined(OPENSSL_ALL) && \ - !defined(NO_BIO) && !defined(NO_PWDBASED) && defined(HAVE_PKCS8) - ExpectNotNull(bio = BIO_new(BIO_s_mem())); - ExpectIntEQ(PEM_write_bio_PKCS8PrivateKey(NULL, pkey, NULL, NULL, 0, NULL, - NULL), 0); - ExpectIntEQ(PEM_write_bio_PKCS8PrivateKey(bio, NULL, NULL, NULL, 0, NULL, - NULL), 0); - /* Write PKCS#8 PEM to BIO. */ - ExpectIntEQ(PEM_write_bio_PKCS8PrivateKey(bio, pkey, NULL, NULL, 0, NULL, - NULL), bytes); - /* Write PKCS#8 PEM to stderr. 
*/ - ExpectIntEQ(PEM_write_PKCS8PrivateKey(stderr, pkey, NULL, NULL, 0, NULL, - NULL), bytes); - /* Compare file and written data */ - ExpectIntEQ(BIO_get_mem_data(bio, &p), bytes); - ExpectIntEQ(XMEMCMP(p, pkcs8_buffer, bytes), 0); - BIO_free(bio); - bio = NULL; -#if !defined(NO_AES) && defined(HAVE_AESGCM) - ExpectIntEQ(PEM_write_PKCS8PrivateKey(stderr, pkey, EVP_aes_128_gcm(), - NULL, 0, PasswordCallBack, (void*)"yassl123"), 0); + SSL_free(ssl); + SSL_CTX_free(ctx); #endif -#if !defined(NO_DES3) && !defined(NO_SHA) - ExpectNotNull(bio = BIO_new(BIO_s_mem())); - /* Write Encrypted PKCS#8 PEM to BIO. */ - bytes = 1834; - ExpectIntEQ(PEM_write_bio_PKCS8PrivateKey(bio, pkey, EVP_des_ede3_cbc(), - NULL, 0, PasswordCallBack, (void*)"yassl123"), bytes); - ExpectIntEQ(PEM_write_PKCS8PrivateKey(stderr, pkey, EVP_des_ede3_cbc(), - NULL, 0, PasswordCallBack, (void*)"yassl123"), bytes); - ExpectNotNull(evpPkey = PEM_read_bio_PrivateKey(bio, NULL, PasswordCallBack, - (void*)"yassl123")); - EVP_PKEY_free(evpPkey); - evpPkey = NULL; - BIO_free(bio); - bio = NULL; -#endif /* !NO_DES3 && !NO_SHA */ -#endif /* !NO_BIO && !NO_PWDBASED && HAVE_PKCS8 */ - EVP_PKEY_free(pkey); - pkey = NULL; + return EXPECT_RESULT(); +} - /* PKCS#8 encrypted RSA key */ -#ifndef NO_DES3 - ExpectTrue((file = XFOPEN(rsaDerPkcs8EncFile, "rb")) != XBADFILE); - ExpectNotNull(XMEMSET(pkcs8_buffer, 0, sizeof(pkcs8_buffer))); - ExpectIntGT((bytes = (int)XFREAD(pkcs8_buffer, 1, sizeof(pkcs8_buffer), - file)), 0); - if (file != XBADFILE) { - XFCLOSE(file); - file = XBADFILE; - } -#if defined(OPENSSL_ALL) && \ - !defined(NO_BIO) && !defined(NO_PWDBASED) && defined(HAVE_PKCS8) - ExpectNotNull(bio = BIO_new_mem_buf((void*)pkcs8_buffer, bytes)); - ExpectNotNull(pkey = d2i_PKCS8PrivateKey_bio(bio, NULL, PasswordCallBack, - (void*)"yassl123")); - EVP_PKEY_free(pkey); - pkey = NULL; - BIO_free(bio); - bio = NULL; -#endif /* OPENSSL_ALL && !NO_BIO && !NO_PWDBASED && HAVE_PKCS8 */ -#endif /* !NO_DES3 */ -#endif /* 
NO_RSA */ +#if defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \ + (defined(OPENSSL_EXTRA) || defined(HAVE_CURL)) && defined(HAVE_ECC) +static int test_wolfSSL_curves_mismatch_ctx_ready(WOLFSSL_CTX* ctx) +{ + static int counter = 0; + EXPECT_DECLS; -#ifdef HAVE_ECC - /* PKCS#8 encode EC key */ - ExpectTrue((file = XFOPEN(ecDerPkcs8File, "rb")) != XBADFILE); - ExpectNotNull(XMEMSET(pkcs8_buffer, 0, sizeof(pkcs8_buffer))); - ExpectIntGT((bytes = (int)XFREAD(pkcs8_buffer, 1, sizeof(pkcs8_buffer), - file)), 0); - if (file != XBADFILE) { - XFCLOSE(file); - file = XBADFILE; + if (counter % 2) { + ExpectIntEQ(wolfSSL_CTX_set1_curves_list(ctx, "P-256"), + WOLFSSL_SUCCESS); } - - p = pkcs8_buffer; -#ifdef OPENSSL_ALL - /* Try to decode - auto-detect key type. */ - ExpectNotNull(pkey = d2i_AutoPrivateKey(NULL, &p, bytes)); -#else - ExpectNotNull(pkey = d2i_PrivateKey(EVP_PKEY_EC, NULL, &p, bytes)); -#endif - - /* Get PEM encoded RSA PKCS#8 data. */ - ExpectTrue((file = XFOPEN(ecPemPkcs8File, "rb")) != XBADFILE); - ExpectNotNull(XMEMSET(pkcs8_buffer, 0, sizeof(pkcs8_buffer))); - ExpectIntGT((bytes = (int)XFREAD(pkcs8_buffer, 1, sizeof(pkcs8_buffer), - file)), 0); - if (file != XBADFILE) { - XFCLOSE(file); - file = XBADFILE; + else { + ExpectIntEQ(wolfSSL_CTX_set1_curves_list(ctx, "P-384"), + WOLFSSL_SUCCESS); } -#if defined(OPENSSL_ALL) && \ - !defined(NO_BIO) && !defined(NO_PWDBASED) && defined(HAVE_PKCS8) && \ - defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_256) - ExpectNotNull(bio = BIO_new(BIO_s_mem())); - /* Write PKCS#8 PEM to BIO. 
*/ - ExpectIntEQ(PEM_write_bio_PKCS8PrivateKey(bio, pkey, NULL, NULL, 0, NULL, - NULL), bytes); - ExpectIntEQ(PEM_write_PKCS8PrivateKey(stderr, pkey, NULL, NULL, 0, NULL, - NULL), bytes); - /* Compare file and written data */ - ExpectIntEQ(BIO_get_mem_data(bio, &p), bytes); - ExpectIntEQ(XMEMCMP(p, pkcs8_buffer, bytes), 0); - BIO_free(bio); - bio = NULL; - ExpectNotNull(bio = BIO_new(BIO_s_mem())); - /* Write Encrypted PKCS#8 PEM to BIO (test write 0 then 379) */ - bytes = 379; - ExpectIntEQ(PEM_write_bio_PKCS8PrivateKey(bio, pkey, EVP_aes_256_cbc(), - NULL, 0, NoPasswordCallBack, (void*)"yassl123"), 0); - ExpectIntEQ(PEM_write_bio_PKCS8PrivateKey(bio, pkey, EVP_aes_256_cbc(), - NULL, 0, PasswordCallBack, (void*)"yassl123"), bytes); - - /* invalid cases to stderr */ - #ifdef WOLFSSL_AES_128 - ExpectIntEQ(PEM_write_PKCS8PrivateKey(stderr, pkey, EVP_aes_128_cbc(), - NULL, 0, PasswordCallBack, (void*)"yassl123"), bytes); - ExpectIntEQ(PEM_write_PKCS8PrivateKey(stderr, pkey, EVP_aes_128_cbc(), - (char*)"yassl123", 8, PasswordCallBack, NULL), bytes); - #endif - ExpectIntEQ(PEM_write_PKCS8PrivateKey(stderr, pkey, EVP_aes_256_cbc(), - NULL, 0, PasswordCallBack, (void*)"yassl123"), bytes); - ExpectIntEQ(PEM_write_PKCS8PrivateKey(stderr, pkey, EVP_aes_256_cbc(), - (char*)"yassl123", 8, PasswordCallBack, NULL), bytes); - - /* read/decode private key with password */ - ExpectNotNull(evpPkey = PEM_read_bio_PrivateKey(bio, NULL, PasswordCallBack, - (void*)"yassl123")); - EVP_PKEY_free(evpPkey); - evpPkey = NULL; - BIO_free(bio); - bio = NULL; - - /* https://github.com/wolfSSL/wolfssl/issues/8610 */ - bytes = (int)XSTRLEN((char *)pkcs8_buffer); - ExpectNotNull(bio = BIO_new_mem_buf((void*)pkcs8_buffer, bytes)); - ExpectIntEQ(BIO_get_mem_data(bio, &p), bytes); - ExpectIntEQ(XMEMCMP(p, pkcs8_buffer, bytes), 0); - - ExpectNotNull(evpPkey = PEM_read_bio_PrivateKey(bio, NULL, NULL, - (void*)"yassl123")); - ExpectIntEQ(PEM_write_PKCS8PrivateKey(stderr, evpPkey, NULL, - NULL, 0, NULL, 
NULL), bytes); - EVP_PKEY_free(evpPkey); - evpPkey = NULL; - BIO_free(bio); - bio = NULL; -#endif /* OPENSSL_ALL && !NO_BIO && !NO_PWDBASED && HAVE_PKCS8 && HAVE_AES_CBC */ - EVP_PKEY_free(pkey); - pkey = NULL; - /* PKCS#8 encrypted EC key */ -#ifndef NO_DES3 - ExpectTrue((file = XFOPEN(ecDerPkcs8EncFile, "rb")) != XBADFILE); - ExpectNotNull(XMEMSET(pkcs8_buffer, 0, sizeof(pkcs8_buffer))); - ExpectIntGT((bytes = (int)XFREAD(pkcs8_buffer, 1, sizeof(pkcs8_buffer), - file)), 0); - if (file != XBADFILE) { - XFCLOSE(file); - file = XBADFILE; - } -#if defined(OPENSSL_ALL) && \ - !defined(NO_BIO) && !defined(NO_PWDBASED) && defined(HAVE_PKCS8) - ExpectNotNull(bio = BIO_new_mem_buf((void*)pkcs8_buffer, bytes)); - ExpectNotNull(pkey = d2i_PKCS8PrivateKey_bio(bio, NULL, PasswordCallBack, - (void*)"yassl123")); - EVP_PKEY_free(pkey); - pkey = NULL; - BIO_free(bio); - bio = NULL; -#endif /* OPENSSL_ALL && !NO_BIO && !NO_PWDBASED && HAVE_PKCS8 */ -#endif /* !NO_DES3 */ -#endif /* HAVE_ECC */ + /* Ciphersuites that require curves */ + wolfSSL_CTX_set_cipher_list(ctx, "TLS13-AES256-GCM-SHA384:" + "TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES128-GCM-SHA256:" + "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:" + "ECDHE-ECDSA-AES128-GCM-SHA256:" + "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:" + "ECDHE-ECDSA-CHACHA20-POLY1305"); -#endif /* !NO_FILESYSTEM */ -#endif /* HAVE_FIPS && OPENSSL_EXTRA */ + counter++; return EXPECT_RESULT(); } +#endif -#if !defined(SINGLE_THREADED) && defined(ERROR_QUEUE_PER_THREAD) && \ - !defined(NO_ERROR_QUEUE) && defined(OPENSSL_EXTRA) && \ - defined(DEBUG_WOLFSSL) -#define LOGGING_THREADS 5 -#define ERROR_COUNT 10 -/* copied from logging.c since this is not exposed otherwise */ -#ifndef ERROR_QUEUE_MAX -#ifdef ERROR_QUEUE_PER_THREAD - #define ERROR_QUEUE_MAX 16 +static int test_wolfSSL_curves_mismatch(void) +{ + EXPECT_DECLS; +#if defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \ + (defined(OPENSSL_EXTRA) || defined(HAVE_CURL)) && 
defined(HAVE_ECC) + test_ssl_cbf func_cb_client; + test_ssl_cbf func_cb_server; + size_t i; + struct { + method_provider client_meth; + method_provider server_meth; + const char* desc; + int client_last_err; + int server_last_err; + } test_params[] = { +#ifdef WOLFSSL_TLS13 + {wolfTLSv1_3_client_method, wolfTLSv1_3_server_method, "TLS 1.3", + /* Client gets error because server will attempt HRR */ + WC_NO_ERR_TRACE(BAD_KEY_SHARE_DATA), + WC_NO_ERR_TRACE(FATAL_ERROR) + }, +#endif +#ifndef WOLFSSL_NO_TLS12 + {wolfTLSv1_2_client_method, wolfTLSv1_2_server_method, "TLS 1.2", + WC_NO_ERR_TRACE(FATAL_ERROR), + /* Server gets error because <=1.2 doesn't have a mechanism + * to negotiate curves. */ +#ifdef OPENSSL_EXTRA + WC_NO_ERR_TRACE(WOLFSSL_ERROR_SYSCALL) #else - /* this breaks from compat of unlimited error queue size */ - #define ERROR_QUEUE_MAX 100 + WC_NO_ERR_TRACE(MATCH_SUITE_ERROR) +#endif + }, +#endif +#ifndef NO_OLD_TLS + {wolfTLSv1_1_client_method, wolfTLSv1_1_server_method, "TLS 1.1", + WC_NO_ERR_TRACE(FATAL_ERROR), +#ifdef OPENSSL_EXTRA + WC_NO_ERR_TRACE(WOLFSSL_ERROR_SYSCALL) +#else + WC_NO_ERR_TRACE(MATCH_SUITE_ERROR) #endif + }, #endif + }; -static volatile int loggingThreadsReady; -static THREAD_RETURN WOLFSSL_THREAD test_logging(void* args) -{ - const char* file; - int line; - unsigned long err; - int errorCount = 0; - int i; + for (i = 0; i < XELEM_CNT(test_params) && !EXPECT_FAIL(); i++) { + XMEMSET(&func_cb_client, 0, sizeof(func_cb_client)); + XMEMSET(&func_cb_server, 0, sizeof(func_cb_server)); - (void)args; + printf("\tTesting with %s...\n", test_params[i].desc); - while (!loggingThreadsReady); - for (i = 0; i < ERROR_COUNT; i++) - ERR_put_error(ERR_LIB_PEM, SYS_F_ACCEPT, -990 - i, __FILE__, __LINE__); + func_cb_client.ctx_ready = &test_wolfSSL_curves_mismatch_ctx_ready; + func_cb_server.ctx_ready = &test_wolfSSL_curves_mismatch_ctx_ready; - while ((err = ERR_get_error_line(&file, &line))) { - AssertIntEQ(err, 990 + errorCount); - errorCount++; - 
} - AssertIntEQ(errorCount, ERROR_COUNT); + func_cb_client.method = test_params[i].client_meth; + func_cb_server.method = test_params[i].server_meth; - /* test max queue behavior, trying to add an arbitrary 3 errors over */ - ERR_clear_error(); /* ERR_get_error_line() does not remove */ - errorCount = 0; - for (i = 0; i < ERROR_QUEUE_MAX + 3; i++) - ERR_put_error(ERR_LIB_PEM, SYS_F_ACCEPT, -990 - i, __FILE__, __LINE__); + ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&func_cb_client, + &func_cb_server, NULL), -1001); + ExpectIntEQ(func_cb_client.last_err, test_params[i].client_last_err); + ExpectIntEQ(func_cb_server.last_err, test_params[i].server_last_err); - while ((err = ERR_get_error_line(&file, &line))) { - AssertIntEQ(err, 990 + errorCount); - errorCount++; + if (!EXPECT_SUCCESS()) + break; + printf("\t%s passed\n", test_params[i].desc); } - - /* test that the 3 errors over the max were dropped */ - AssertIntEQ(errorCount, ERROR_QUEUE_MAX); - - WOLFSSL_RETURN_FROM_THREAD(0); -} #endif + return EXPECT_RESULT(); +} -static int test_error_queue_per_thread(void) +static int test_wolfSSL_set1_sigalgs_list(void) { - int res = TEST_SKIPPED; -#if !defined(SINGLE_THREADED) && defined(ERROR_QUEUE_PER_THREAD) && \ - !defined(NO_ERROR_QUEUE) && defined(OPENSSL_EXTRA) && \ - defined(DEBUG_WOLFSSL) - THREAD_TYPE loggingThreads[LOGGING_THREADS]; - int i; - - ERR_clear_error(); /* clear out any error nodes */ - - loggingThreadsReady = 0; - for (i = 0; i < LOGGING_THREADS; i++) - start_thread(test_logging, NULL, &loggingThreads[i]); - loggingThreadsReady = 1; - for (i = 0; i < LOGGING_THREADS; i++) - join_thread(loggingThreads[i]); + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_RSA) && \ + !defined(NO_TLS) && \ + (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) && \ + !defined(NO_FILESYSTEM) + SSL* ssl = NULL; + SSL_CTX* ctx = NULL; - res = TEST_SUCCESS; +#ifndef NO_WOLFSSL_SERVER + ExpectNotNull(ctx = 
SSL_CTX_new(wolfSSLv23_server_method())); +#else + ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); #endif - return res; -} + ExpectTrue(SSL_CTX_use_certificate_file(ctx, svrCertFile, + SSL_FILETYPE_PEM)); + ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, SSL_FILETYPE_PEM)); + ExpectNotNull(ssl = SSL_new(ctx)); -static int test_wolfSSL_ERR_put_error(void) -{ - EXPECT_DECLS; -#if !defined(NO_ERROR_QUEUE) && defined(OPENSSL_EXTRA) && \ - defined(DEBUG_WOLFSSL) - const char* file; - int line; + ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(NULL, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_set1_sigalgs_list(NULL, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ERR_clear_error(); /* clear out any error nodes */ - ERR_put_error(0,SYS_F_ACCEPT, 0, "this file", 0); - ExpectIntEQ(ERR_get_error_line(&file, &line), 0); - ERR_put_error(0,SYS_F_BIND, 1, "this file", 1); - ExpectIntEQ(ERR_get_error_line(&file, &line), 1); - ERR_put_error(0,SYS_F_CONNECT, 2, "this file", 2); - ExpectIntEQ(ERR_get_error_line(&file, &line), 2); - ERR_put_error(0,SYS_F_FOPEN, 3, "this file", 3); - ExpectIntEQ(ERR_get_error_line(&file, &line), 3); - ERR_put_error(0,SYS_F_FREAD, 4, "this file", 4); - ExpectIntEQ(ERR_get_error_line(&file, &line), 4); - ERR_put_error(0,SYS_F_GETADDRINFO, 5, "this file", 5); - ExpectIntEQ(ERR_get_error_line(&file, &line), 5); - ERR_put_error(0,SYS_F_GETSOCKOPT, 6, "this file", 6); - ExpectIntEQ(ERR_get_error_line(&file, &line), 6); - ERR_put_error(0,SYS_F_GETSOCKNAME, 7, "this file", 7); - ExpectIntEQ(ERR_get_error_line(&file, &line), 7); - ERR_put_error(0,SYS_F_GETHOSTBYNAME, 8, "this file", 8); - ExpectIntEQ(ERR_get_error_line(&file, &line), 8); - ERR_put_error(0,SYS_F_GETNAMEINFO, 9, "this file", 9); - ExpectIntEQ(ERR_get_error_line(&file, &line), 9); - 
ERR_put_error(0,SYS_F_GETSERVBYNAME, 10, "this file", 10); - ExpectIntEQ(ERR_get_error_line(&file, &line), 10); - ERR_put_error(0,SYS_F_IOCTLSOCKET, 11, "this file", 11); - ExpectIntEQ(ERR_get_error_line(&file, &line), 11); - ERR_put_error(0,SYS_F_LISTEN, 12, "this file", 12); - ExpectIntEQ(ERR_get_error_line(&file, &line), 12); - ERR_put_error(0,SYS_F_OPENDIR, 13, "this file", 13); - ExpectIntEQ(ERR_get_error_line(&file, &line), 13); - ERR_put_error(0,SYS_F_SETSOCKOPT, 14, "this file", 14); - ExpectIntEQ(ERR_get_error_line(&file, &line), 14); - ERR_put_error(0,SYS_F_SOCKET, 15, "this file", 15); - ExpectIntEQ(ERR_get_error_line(&file, &line), 15); + ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, ""), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, ""), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); -#if defined(OPENSSL_ALL) && defined(WOLFSSL_PYTHON) - ERR_put_error(ERR_LIB_ASN1, SYS_F_ACCEPT, ASN1_R_HEADER_TOO_LONG, - "this file", 100); - ExpectIntEQ(wolfSSL_ERR_peek_last_error_line(&file, &line), - (ERR_LIB_ASN1 << 24) | ASN1_R_HEADER_TOO_LONG); - ExpectIntEQ(line, 100); - ExpectIntEQ(wolfSSL_ERR_peek_error(), - (ERR_LIB_ASN1 << 24) | ASN1_R_HEADER_TOO_LONG); - ExpectIntEQ(ERR_get_error_line(&file, &line), ASN1_R_HEADER_TOO_LONG); -#endif +#ifndef NO_RSA + #ifndef NO_SHA256 + ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(NULL, "RSA+SHA256"), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_set1_sigalgs_list(NULL, "RSA+SHA256"), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - /* try reading past end of error queue */ - file = NULL; - ExpectIntEQ(ERR_get_error_line(&file, &line), 0); - ExpectNull(file); - ExpectIntEQ(ERR_get_error_line_data(&file, &line, NULL, NULL), 0); + ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, "RSA+SHA256"), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, "RSA+SHA256"), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, "RSA-SHA256"), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + 
ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, "RSA-SHA256"), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + #ifdef WC_RSA_PSS + ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, "RSA-PSS+SHA256"), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, "RSA-PSS+SHA256"), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, "PSS+SHA256"), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, "PSS+SHA256"), + WOLFSSL_SUCCESS); + #endif + #ifdef WOLFSSL_SHA512 + ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, + "RSA+SHA256:RSA+SHA512"), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, + "RSA+SHA256:RSA+SHA512"), WOLFSSL_SUCCESS); + #elif defined(WOLFSSL_SHA384) + ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, + "RSA+SHA256:RSA+SHA384"), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, + "RSA+SHA256:RSA+SHA384"), WOLFSSL_SUCCESS); + #endif + ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, "RSA"), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, "RSA"), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, "RSA:RSA+SHA256"), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, "RSA:RSA+SHA256"), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - PEMerr(4,4); - ExpectIntEQ(ERR_get_error(), 4); - /* Empty and free up all error nodes */ - ERR_clear_error(); + ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, "RSA+SHA256+SHA256"), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, "RSA+SHA256+RSA"), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + #endif +#endif +#ifdef HAVE_ECC + #ifndef NO_SHA256 + ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, "ECDSA+SHA256"), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, "ECDSA+SHA256"), + WOLFSSL_SUCCESS); + #ifdef WOLFSSL_SHA512 + ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, + "ECDSA+SHA256:ECDSA+SHA512"), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, + 
"ECDSA+SHA256:ECDSA+SHA512"), WOLFSSL_SUCCESS); + #elif defined(WOLFSSL_SHA384) + ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, + "ECDSA+SHA256:ECDSA+SHA384"), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, + "ECDSA+SHA256:ECDSA+SHA384"), WOLFSSL_SUCCESS); + #endif + #endif +#endif +#ifdef HAVE_ED25519 + ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, "ED25519"), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, "ED25519"), WOLFSSL_SUCCESS); +#endif +#ifdef HAVE_ED448 + ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, "ED448"), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, "ED448"), WOLFSSL_SUCCESS); +#endif +#ifndef NO_DSA + #ifndef NO_SHA256 + ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, "DSA+SHA256"), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, "DSA+SHA256"), + WOLFSSL_SUCCESS); + #endif + #if !defined(NO_SHA) && (!defined(NO_OLD_TLS) || \ + defined(WOLFSSL_ALLOW_TLS_SHA1)) + ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, "DSA+SHA1"), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl, "DSA+SHA1"), + WOLFSSL_SUCCESS); + #endif +#endif - /* Verify all nodes are cleared */ - ERR_put_error(0,SYS_F_ACCEPT, 0, "this file", 0); - ERR_clear_error(); - ExpectIntEQ(ERR_get_error_line(&file, &line), 0); + SSL_free(ssl); + SSL_CTX_free(ctx); #endif return EXPECT_RESULT(); } -/* - * This is a regression test for a bug where the peek/get error functions were - * drawing from the end of the queue rather than the front. +/* Testing wolfSSL_set_tlsext_status_type function. + * PRE: OPENSSL and HAVE_CERTIFICATE_STATUS_REQUEST defined. */ -static int test_wolfSSL_ERR_get_error_order(void) +static int test_wolfSSL_set_tlsext_status_type(void) { EXPECT_DECLS; -#if defined(WOLFSSL_HAVE_ERROR_QUEUE) && defined(OPENSSL_EXTRA) - /* Empty the queue. 
*/ - wolfSSL_ERR_clear_error(); - - wolfSSL_ERR_put_error(0, 0, WC_NO_ERR_TRACE(ASN_NO_SIGNER_E), "test", 0); - wolfSSL_ERR_put_error(0, 0, WC_NO_ERR_TRACE(ASN_SELF_SIGNED_E), "test", 0); +#if defined(OPENSSL_EXTRA) && defined(HAVE_CERTIFICATE_STATUS_REQUEST) && \ + !defined(NO_RSA) && !defined(NO_WOLFSSL_SERVER) + SSL* ssl = NULL; + SSL_CTX* ctx = NULL; - ExpectIntEQ(wolfSSL_ERR_peek_error(), -WC_NO_ERR_TRACE(ASN_NO_SIGNER_E)); - ExpectIntEQ(wolfSSL_ERR_get_error(), -WC_NO_ERR_TRACE(ASN_NO_SIGNER_E)); - ExpectIntEQ(wolfSSL_ERR_peek_error(), -WC_NO_ERR_TRACE(ASN_SELF_SIGNED_E)); - ExpectIntEQ(wolfSSL_ERR_get_error(), -WC_NO_ERR_TRACE(ASN_SELF_SIGNED_E)); -#endif /* WOLFSSL_HAVE_ERROR_QUEUE && OPENSSL_EXTRA */ + ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); + ExpectTrue(SSL_CTX_use_certificate_file(ctx, svrCertFile, + SSL_FILETYPE_PEM)); + ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, SSL_FILETYPE_PEM)); + ExpectNotNull(ssl = SSL_new(ctx)); + ExpectIntEQ(SSL_set_tlsext_status_type(ssl,TLSEXT_STATUSTYPE_ocsp), + SSL_SUCCESS); + ExpectIntEQ(SSL_get_tlsext_status_type(ssl), TLSEXT_STATUSTYPE_ocsp); + SSL_free(ssl); + SSL_CTX_free(ctx); +#endif /* OPENSSL_EXTRA && HAVE_CERTIFICATE_STATUS_REQUEST && !NO_RSA */ return EXPECT_RESULT(); } #ifndef NO_BIO -static int test_wolfSSL_ERR_print_errors(void) -{ - EXPECT_DECLS; -#if !defined(NO_ERROR_QUEUE) && defined(OPENSSL_EXTRA) && \ - defined(DEBUG_WOLFSSL) && !defined(NO_ERROR_STRINGS) - BIO* bio = NULL; - char buf[1024]; - - ExpectNotNull(bio = BIO_new(BIO_s_mem())); - ERR_clear_error(); /* clear out any error nodes */ - ERR_put_error(0,SYS_F_ACCEPT, -173, "ssl.c", 0); - /* Choosing -600 as an unused errno. 
*/ - ERR_put_error(0,SYS_F_BIND, -600, "asn.c", 100); - - ERR_print_errors(bio); - ExpectIntEQ(BIO_gets(bio, buf, sizeof(buf)), 56); - ExpectIntEQ(XSTRNCMP( - "error:173:wolfSSL library:Bad function argument:ssl.c:0", - buf, 55), 0); - ExpectIntEQ(BIO_gets(bio, buf, sizeof(buf)), 57); - ExpectIntEQ(XSTRNCMP( - "error:600:wolfSSL library:unknown error number:asn.c:100", - buf, 56), 0); - ExpectIntEQ(BIO_gets(bio, buf, sizeof(buf)), 1); - ExpectIntEQ(buf[0], '\0'); - ExpectIntEQ(ERR_get_error_line(NULL, NULL), 0); - - BIO_free(bio); -#endif - return EXPECT_RESULT(); -} - -#if !defined(NO_ERROR_QUEUE) && defined(OPENSSL_EXTRA) && \ - defined(DEBUG_WOLFSSL) -static int test_wolfSSL_error_cb(const char *str, size_t len, void *u) +#if defined(OPENSSL_EXTRA) +static long bioCallback(BIO *bio, int cmd, const char* argp, int argi, + long argl, long ret) { - if (u != NULL) { - wolfSSL_BIO_write((BIO*)u, str, (int)len); - } - return 0; + (void)bio; + (void)cmd; + (void)argp; + (void)argi; + (void)argl; + return ret; } #endif -static int test_wolfSSL_ERR_print_errors_cb(void) + +static int test_wolfSSL_BIO(void) { EXPECT_DECLS; -#if !defined(NO_ERROR_QUEUE) && defined(OPENSSL_EXTRA) && \ - defined(DEBUG_WOLFSSL) - BIO* bio = NULL; - char buf[1024]; +#if defined(OPENSSL_EXTRA) + const unsigned char* p = NULL; + byte buff[20]; + BIO* bio1 = NULL; + BIO* bio2 = NULL; + BIO* bio3 = NULL; + char* bufPt = NULL; + int i; - ExpectNotNull(bio = BIO_new(BIO_s_mem())); - ERR_clear_error(); /* clear out any error nodes */ - ERR_put_error(0,SYS_F_ACCEPT, -173, "ssl.c", 0); - ERR_put_error(0,SYS_F_BIND, -275, "asn.c", 100); + for (i = 0; i < 20; i++) { + buff[i] = i; + } + /* test BIO_free with NULL */ + ExpectIntEQ(BIO_free(NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ERR_print_errors_cb(test_wolfSSL_error_cb, bio); - ExpectIntEQ(BIO_gets(bio, buf, sizeof(buf)), 108); - ExpectIntEQ(XSTRNCMP( - "wolfSSL error occurred, error = 173 line:0 file:ssl.c", - buf, 53), 0); - ExpectIntEQ(XSTRNCMP( - 
"wolfSSL error occurred, error = 275 line:100 file:asn.c", - buf + 53, 55), 0); - ExpectIntEQ(BIO_gets(bio, buf, sizeof(buf)), 0); + /* Creating and testing type BIO_s_bio */ + ExpectNotNull(bio1 = BIO_new(BIO_s_bio())); + ExpectNotNull(bio2 = BIO_new(BIO_s_bio())); + ExpectNotNull(bio3 = BIO_new(BIO_s_bio())); - BIO_free(bio); -#endif + /* read/write before set up */ + ExpectIntEQ(BIO_read(bio1, buff, 2), WOLFSSL_BIO_UNSET); + ExpectIntEQ(BIO_write(bio1, buff, 2), WOLFSSL_BIO_UNSET); - return EXPECT_RESULT(); -} -/* - * Testing WOLFSSL_ERROR_MSG - */ -static int test_WOLFSSL_ERROR_MSG(void) -{ - int res = TEST_SKIPPED; -#if defined(DEBUG_WOLFSSL) || defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) ||\ - defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA) - const char* msg = TEST_STRING; + ExpectIntEQ(BIO_set_nbio(bio1, 1), 1); + ExpectIntEQ(BIO_set_write_buf_size(bio1, 20), WOLFSSL_SUCCESS); + ExpectIntEQ(BIO_set_write_buf_size(bio2, 8), WOLFSSL_SUCCESS); + ExpectIntEQ(BIO_make_bio_pair(bio1, bio2), WOLFSSL_SUCCESS); - WOLFSSL_ERROR_MSG(msg); + ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 10), 10); + ExpectNotNull(XMEMCPY(bufPt, buff, 10)); + ExpectIntEQ(BIO_write(bio1, buff + 10, 10), 10); + /* write buffer full */ + ExpectIntEQ(BIO_write(bio1, buff, 10), WOLFSSL_BIO_ERROR); + ExpectIntEQ(BIO_flush(bio1), WOLFSSL_SUCCESS); + ExpectIntEQ((int)BIO_ctrl_pending(bio1), 0); - res = TEST_SUCCESS; -#endif - return res; -} /* End test_WOLFSSL_ERROR_MSG */ -/* - * Testing wc_ERR_remove_state - */ -static int test_wc_ERR_remove_state(void) -{ - int res = TEST_SKIPPED; -#if defined(OPENSSL_EXTRA) || defined(DEBUG_WOLFSSL_VERBOSE) - wc_ERR_remove_state(); + /* write the other direction with pair */ + ExpectIntEQ((int)BIO_nwrite(bio2, &bufPt, 10), 8); + ExpectNotNull(XMEMCPY(bufPt, buff, 8)); + ExpectIntEQ(BIO_write(bio2, buff, 10), WOLFSSL_BIO_ERROR); - res = TEST_SUCCESS; -#endif - return res; -} /* End test_wc_ERR_remove_state */ -/* - * Testing wc_ERR_print_errors_fp - */ -static 
int test_wc_ERR_print_errors_fp(void) -{ - EXPECT_DECLS; -#if (defined(OPENSSL_EXTRA) || defined(DEBUG_WOLFSSL_VERBOSE)) && \ - (!defined(NO_FILESYSTEM) && !defined(NO_STDIO_FILESYSTEM)) - long sz; - XFILE fp = XBADFILE; + /* try read */ + ExpectIntEQ((int)BIO_ctrl_pending(bio1), 8); + ExpectIntEQ((int)BIO_ctrl_pending(bio2), 20); - WOLFSSL_ERROR(WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectTrue((fp = XFOPEN("./tests/test-log-dump-to-file.txt", "a+")) != - XBADFILE); - wc_ERR_print_errors_fp(fp); -#if defined(DEBUG_WOLFSSL) - ExpectTrue(XFSEEK(fp, 0, XSEEK_END) == 0); - #ifdef NO_ERROR_QUEUE - ExpectIntEQ(sz = XFTELL(fp), 0); - #else - ExpectIntNE(sz = XFTELL(fp), 0); - #endif -#endif - if (fp != XBADFILE) - XFCLOSE(fp); - (void)sz; -#endif - return EXPECT_RESULT(); -} /* End test_wc_ERR_print_errors_fp */ -#ifdef DEBUG_WOLFSSL -static void Logging_cb(const int logLevel, const char *const logMessage) -{ - (void)logLevel; - (void)logMessage; -} -#endif -/* - * Testing wolfSSL_GetLoggingCb - */ -static int test_wolfSSL_GetLoggingCb(void) -{ - EXPECT_DECLS; -#ifdef DEBUG_WOLFSSL - /* Testing without wolfSSL_SetLoggingCb() */ - ExpectNull(wolfSSL_GetLoggingCb()); - /* Testing with wolfSSL_SetLoggingCb() */ - ExpectIntEQ(wolfSSL_SetLoggingCb(Logging_cb), 0); - ExpectNotNull(wolfSSL_GetLoggingCb()); - ExpectIntEQ(wolfSSL_SetLoggingCb(NULL), 0); -#endif - ExpectNull(wolfSSL_GetLoggingCb()); + /* try read using ctrl function */ + ExpectIntEQ((int)BIO_ctrl(bio1, BIO_CTRL_WPENDING, 0, NULL), 8); + ExpectIntEQ((int)BIO_ctrl(bio1, BIO_CTRL_PENDING, 0, NULL), 8); + ExpectIntEQ((int)BIO_ctrl(bio2, BIO_CTRL_WPENDING, 0, NULL), 20); + ExpectIntEQ((int)BIO_ctrl(bio2, BIO_CTRL_PENDING, 0, NULL), 20); + + ExpectIntEQ(BIO_nread(bio2, &bufPt, (int)BIO_ctrl_pending(bio2)), 20); + for (i = 0; i < 20; i++) { + ExpectIntEQ((int)bufPt[i], i); + } + ExpectIntEQ(BIO_nread(bio2, &bufPt, 1), 0); + ExpectIntEQ(BIO_nread(bio1, &bufPt, (int)BIO_ctrl_pending(bio1)), 8); + for (i = 0; i < 8; i++) { + 
ExpectIntEQ((int)bufPt[i], i); + } + ExpectIntEQ(BIO_nread(bio1, &bufPt, 1), 0); + ExpectIntEQ(BIO_ctrl_reset_read_request(bio1), 1); + + /* new pair */ + ExpectIntEQ(BIO_make_bio_pair(bio1, bio3), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + BIO_free(bio2); /* free bio2 and automatically remove from pair */ + bio2 = NULL; + ExpectIntEQ(BIO_make_bio_pair(bio1, bio3), WOLFSSL_SUCCESS); + ExpectIntEQ((int)BIO_ctrl_pending(bio3), 0); + ExpectIntEQ(BIO_nread(bio3, &bufPt, 10), 0); + + /* test wrap around... */ + ExpectIntEQ(BIO_reset(bio1), 1); + ExpectIntEQ(BIO_reset(bio3), 1); + + /* fill write buffer, read only small amount then write again */ + ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 20), 20); + ExpectNotNull(XMEMCPY(bufPt, buff, 20)); + ExpectIntEQ(BIO_nread(bio3, &bufPt, 4), 4); + for (i = 0; i < 4; i++) { + ExpectIntEQ(bufPt[i], i); + } - return EXPECT_RESULT(); -} /* End test_wolfSSL_GetLoggingCb */ + /* try writing over read index */ + ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 5), 4); + ExpectNotNull(XMEMSET(bufPt, 0, 4)); + ExpectIntEQ((int)BIO_ctrl_pending(bio3), 20); -#endif /* !NO_BIO */ + /* read and write 0 bytes */ + ExpectIntEQ(BIO_nread(bio3, &bufPt, 0), 0); + ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 0), 0); -static int test_wolfSSL_OBJ(void) -{ -/* Password "wolfSSL test" is only 12 (96-bit) too short for testing in FIPS - * mode - */ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_SHA256) && !defined(NO_ASN) && \ - !defined(HAVE_FIPS) && !defined(NO_SHA) && defined(WOLFSSL_CERT_EXT) && \ - defined(WOLFSSL_CERT_GEN) && !defined(NO_BIO) && \ - !defined(NO_FILESYSTEM) && !defined(NO_STDIO_FILESYSTEM) - ASN1_OBJECT *obj = NULL; - ASN1_OBJECT *obj2 = NULL; - char buf[50]; + /* should read only to end of write buffer then need to read again */ + ExpectIntEQ(BIO_nread(bio3, &bufPt, 20), 16); + for (i = 0; i < 16; i++) { + ExpectIntEQ(bufPt[i], buff[4 + i]); + } - XFILE fp = XBADFILE; - X509 *x509 = NULL; - X509_NAME *x509Name = NULL; - X509_NAME_ENTRY 
*x509NameEntry = NULL; - ASN1_OBJECT *asn1Name = NULL; - int numNames = 0; - BIO *bio = NULL; - int nid; - int i, j; - const char *f[] = { - #ifndef NO_RSA - "./certs/ca-cert.der", - #endif - #ifdef HAVE_ECC - "./certs/ca-ecc-cert.der", - "./certs/ca-ecc384-cert.der", - #endif - NULL}; - ASN1_OBJECT *field_name_obj = NULL; - int lastpos = -1; - int tmp = -1; - ASN1_STRING *asn1 = NULL; - unsigned char *buf_dyn = NULL; + ExpectIntEQ(BIO_nread(bio3, NULL, 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(BIO_nread0(bio3, &bufPt), 4); + for (i = 0; i < 4; i++) { + ExpectIntEQ(bufPt[i], 0); + } - ExpectIntEQ(OBJ_obj2txt(buf, (int)sizeof(buf), obj, 1), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectNotNull(obj = OBJ_nid2obj(NID_any_policy)); - ExpectIntEQ(OBJ_obj2nid(obj), NID_any_policy); - ExpectIntEQ(OBJ_obj2txt(buf, (int)sizeof(buf), obj, 1), 11); - ExpectIntGT(OBJ_obj2txt(buf, (int)sizeof(buf), obj, 0), 0); - ASN1_OBJECT_free(obj); - obj = NULL; + /* read index should not have advanced with nread0 */ + ExpectIntEQ(BIO_nread(bio3, &bufPt, 5), 4); + for (i = 0; i < 4; i++) { + ExpectIntEQ(bufPt[i], 0); + } - ExpectNotNull(obj = OBJ_nid2obj(NID_sha256)); - ExpectIntEQ(OBJ_obj2nid(obj), NID_sha256); - ExpectIntEQ(OBJ_obj2txt(buf, (int)sizeof(buf), obj, 1), 22); -#ifdef WOLFSSL_CERT_EXT - ExpectIntEQ(OBJ_txt2nid(buf), NID_sha256); -#endif - ExpectIntGT(OBJ_obj2txt(buf, (int)sizeof(buf), obj, 0), 0); - ExpectNotNull(obj2 = OBJ_dup(obj)); - ExpectIntEQ(OBJ_cmp(obj, obj2), 0); - ASN1_OBJECT_free(obj); - obj = NULL; - ASN1_OBJECT_free(obj2); - obj2 = NULL; + /* write and fill up buffer checking reset of index state */ + ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 20), 20); + ExpectNotNull(XMEMCPY(bufPt, buff, 20)); - for (i = 0; f[i] != NULL; i++) + /* test reset on data in bio1 write buffer */ + ExpectIntEQ(BIO_reset(bio1), 1); + ExpectIntEQ((int)BIO_ctrl_pending(bio3), 0); + ExpectIntEQ(BIO_nread(bio3, &bufPt, 3), 0); + ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 20), 20); + 
ExpectIntEQ((int)BIO_ctrl(bio1, BIO_CTRL_INFO, 0, &p), 20); + ExpectNotNull(p); + ExpectNotNull(XMEMCPY(bufPt, buff, 20)); + ExpectIntEQ(BIO_nread(bio3, &bufPt, 6), 6); + for (i = 0; i < 6; i++) { + ExpectIntEQ(bufPt[i], i); + } + + /* test case of writing twice with offset read index */ + ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 3), 3); + ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 4), 3); /* try overwriting */ + ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 4), WOLFSSL_BIO_ERROR); + ExpectIntEQ(BIO_nread(bio3, &bufPt, 0), 0); + ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 4), WOLFSSL_BIO_ERROR); + ExpectIntEQ(BIO_nread(bio3, &bufPt, 1), 1); + ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 4), 1); + ExpectIntEQ(BIO_nwrite(bio1, &bufPt, 4), WOLFSSL_BIO_ERROR); + + BIO_free(bio1); + bio1 = NULL; + BIO_free(bio3); + bio3 = NULL; + + #if defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO) { - ExpectTrue((fp = XFOPEN(f[i], "rb")) != XBADFILE); - ExpectNotNull(x509 = d2i_X509_fp(fp, NULL)); - if (fp != XBADFILE) { - XFCLOSE(fp); - fp = XBADFILE; - } - ExpectNotNull(x509Name = X509_get_issuer_name(x509)); - ExpectIntNE((numNames = X509_NAME_entry_count(x509Name)), 0); + BIO* bioA = NULL; + BIO* bioB = NULL; + ExpectIntEQ(BIO_new_bio_pair(NULL, 256, NULL, 256), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(BIO_new_bio_pair(&bioA, 256, &bioB, 256), WOLFSSL_SUCCESS); + BIO_free(bioA); + bioA = NULL; + BIO_free(bioB); + bioB = NULL; + } + #endif /* OPENSSL_ALL || WOLFSSL_ASIO */ - /* Get the Common Name by using OBJ_txt2obj */ - ExpectNotNull(field_name_obj = OBJ_txt2obj("CN", 0)); - ExpectIntEQ(X509_NAME_get_index_by_OBJ(NULL, NULL, 99), - WOLFSSL_FATAL_ERROR); - ExpectIntEQ(X509_NAME_get_index_by_OBJ(x509Name, NULL, 99), - WOLFSSL_FATAL_ERROR); - ExpectIntEQ(X509_NAME_get_index_by_OBJ(NULL, field_name_obj, 99), - WOLFSSL_FATAL_ERROR); - ExpectIntEQ(X509_NAME_get_index_by_OBJ(x509Name, field_name_obj, 99), - WOLFSSL_FATAL_ERROR); - ExpectIntEQ(X509_NAME_get_index_by_OBJ(x509Name, NULL, 0), - WOLFSSL_FATAL_ERROR); - 
do - { - lastpos = tmp; - tmp = X509_NAME_get_index_by_OBJ(x509Name, field_name_obj, lastpos); - } while (tmp > -1); - ExpectIntNE(lastpos, -1); - ASN1_OBJECT_free(field_name_obj); - field_name_obj = NULL; - ExpectNotNull(x509NameEntry = X509_NAME_get_entry(x509Name, lastpos)); - ExpectNotNull(asn1 = X509_NAME_ENTRY_get_data(x509NameEntry)); - ExpectIntGE(ASN1_STRING_to_UTF8(&buf_dyn, asn1), 0); - /* - * All Common Names should be www.wolfssl.com - * This makes testing easier as we can test for the expected value. - */ - ExpectStrEQ((char*)buf_dyn, "www.wolfssl.com"); - OPENSSL_free(buf_dyn); - buf_dyn = NULL; - bio = BIO_new(BIO_s_mem()); - ExpectTrue(bio != NULL); - for (j = 0; j < numNames; j++) - { - ExpectNotNull(x509NameEntry = X509_NAME_get_entry(x509Name, j)); - ExpectNotNull(asn1Name = X509_NAME_ENTRY_get_object(x509NameEntry)); - ExpectTrue((nid = OBJ_obj2nid(asn1Name)) > 0); - } - BIO_free(bio); - bio = NULL; - X509_free(x509); - x509 = NULL; + /* BIOs with file pointers */ + #if !defined(NO_FILESYSTEM) + { + XFILE f1 = XBADFILE; + XFILE f2 = XBADFILE; + BIO* f_bio1 = NULL; + BIO* f_bio2 = NULL; + unsigned char cert[300]; + char testFile[] = "tests/bio_write_test.txt"; + char msg[] = "bio_write_test.txt contains the first 300 bytes of certs/server-cert.pem\ncreated by tests/unit.test\n\n"; + + ExpectNotNull(f_bio1 = BIO_new(BIO_s_file())); + ExpectNotNull(f_bio2 = BIO_new(BIO_s_file())); + + /* Failure due to wrong BIO type */ + ExpectIntEQ((int)BIO_set_mem_eof_return(f_bio1, -1), 0); + ExpectIntEQ((int)BIO_set_mem_eof_return(NULL, -1), 0); + + ExpectTrue((f1 = XFOPEN(svrCertFile, "rb+")) != XBADFILE); + ExpectIntEQ((int)BIO_set_fp(f_bio1, f1, BIO_CLOSE), WOLFSSL_SUCCESS); + ExpectIntEQ(BIO_write_filename(f_bio2, testFile), + WOLFSSL_SUCCESS); + + ExpectIntEQ(BIO_read(f_bio1, cert, sizeof(cert)), sizeof(cert)); + ExpectIntEQ(BIO_tell(f_bio1),sizeof(cert)); + ExpectIntEQ(BIO_write(f_bio2, msg, sizeof(msg)), sizeof(msg)); + 
ExpectIntEQ(BIO_tell(f_bio2),sizeof(msg)); + ExpectIntEQ(BIO_write(f_bio2, cert, sizeof(cert)), sizeof(cert)); + ExpectIntEQ(BIO_tell(f_bio2),sizeof(cert) + sizeof(msg)); + + ExpectIntEQ((int)BIO_get_fp(f_bio2, &f2), WOLFSSL_SUCCESS); + ExpectIntEQ(BIO_reset(f_bio2), 1); + ExpectIntEQ(BIO_tell(NULL),-1); + ExpectIntEQ(BIO_tell(f_bio2),0); + ExpectIntEQ(BIO_seek(f_bio2, 4), 0); + ExpectIntEQ(BIO_tell(f_bio2),4); + + BIO_free(f_bio1); + f_bio1 = NULL; + BIO_free(f_bio2); + f_bio2 = NULL; + ExpectNotNull(f_bio1 = BIO_new_file(svrCertFile, "rb+")); + ExpectIntEQ((int)BIO_set_mem_eof_return(f_bio1, -1), 0); + ExpectIntEQ(BIO_read(f_bio1, cert, sizeof(cert)), sizeof(cert)); + BIO_free(f_bio1); + f_bio1 = NULL; } + #endif /* !defined(NO_FILESYSTEM) */ -#ifdef HAVE_PKCS12 + /* BIO info callback */ { - PKCS12 *p12 = NULL; - int boolRet; - EVP_PKEY *pkey = NULL; - const char *p12_f[] = { - /* bundle uses AES-CBC 256 and PKCS7 key uses DES3 */ - #if !defined(NO_DES3) && defined(WOLFSSL_AES_256) && !defined(NO_RSA) - "./certs/test-servercert.p12", - #endif - NULL - }; + const char* testArg = "test"; + BIO* cb_bio = NULL; + ExpectNotNull(cb_bio = BIO_new(BIO_s_mem())); - for (i = 0; p12_f[i] != NULL; i++) - { - ExpectTrue((fp = XFOPEN(p12_f[i], "rb")) != XBADFILE); - ExpectNotNull(p12 = d2i_PKCS12_fp(fp, NULL)); - if (fp != XBADFILE) { - XFCLOSE(fp); - fp = XBADFILE; - } - ExpectTrue((boolRet = PKCS12_parse(p12, "wolfSSL test", - &pkey, &x509, NULL)) > 0); - wc_PKCS12_free(p12); - p12 = NULL; - EVP_PKEY_free(pkey); - x509Name = X509_get_issuer_name(x509); - ExpectNotNull(x509Name); - ExpectIntNE((numNames = X509_NAME_entry_count(x509Name)), 0); - ExpectTrue((bio = BIO_new(BIO_s_mem())) != NULL); - for (j = 0; j < numNames; j++) - { - ExpectNotNull(x509NameEntry = X509_NAME_get_entry(x509Name, j)); - ExpectNotNull(asn1Name = - X509_NAME_ENTRY_get_object(x509NameEntry)); - ExpectTrue((nid = OBJ_obj2nid(asn1Name)) > 0); - } - BIO_free(bio); - bio = NULL; - X509_free(x509); - x509 
= NULL; - } + BIO_set_callback(cb_bio, bioCallback); + ExpectNotNull(BIO_get_callback(cb_bio)); + BIO_set_callback(cb_bio, NULL); + ExpectNull(BIO_get_callback(cb_bio)); + + BIO_set_callback_arg(cb_bio, (char*)testArg); + ExpectStrEQ(BIO_get_callback_arg(cb_bio), testArg); + ExpectNull(BIO_get_callback_arg(NULL)); + + BIO_free(cb_bio); + cb_bio = NULL; } -#endif /* HAVE_PKCS12 */ + + /* BIO_vfree */ + ExpectNotNull(bio1 = BIO_new(BIO_s_bio())); + BIO_vfree(NULL); + BIO_vfree(bio1); #endif return EXPECT_RESULT(); } -static int test_wolfSSL_OBJ_cmp(void) +static int test_wolfSSL_BIO_BIO_ring_read(void) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_SHA256) - ASN1_OBJECT *obj = NULL; - ASN1_OBJECT *obj2 = NULL; +#if defined(OPENSSL_ALL) + BIO* bio1 = NULL; + BIO* bio2 = NULL; + byte data[50]; + byte tmp[50]; - ExpectNotNull(obj = OBJ_nid2obj(NID_any_policy)); - ExpectNotNull(obj2 = OBJ_nid2obj(NID_sha256)); + XMEMSET(data, 42, sizeof(data)); - ExpectIntEQ(OBJ_cmp(NULL, NULL), WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); - ExpectIntEQ(OBJ_cmp(obj, NULL), WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); - ExpectIntEQ(OBJ_cmp(NULL, obj2), WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); - ExpectIntEQ(OBJ_cmp(obj, obj2), WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); - ExpectIntEQ(OBJ_cmp(obj, obj), 0); - ExpectIntEQ(OBJ_cmp(obj2, obj2), 0); - ASN1_OBJECT_free(obj); - ASN1_OBJECT_free(obj2); + ExpectIntEQ(BIO_new_bio_pair(&bio1, sizeof(data), &bio2, sizeof(data)), + SSL_SUCCESS); + + ExpectIntEQ(BIO_write(bio1, data, 40), 40); + ExpectIntEQ(BIO_read(bio1, tmp, 20), -1); + ExpectIntEQ(BIO_read(bio2, tmp, 20), 20); + ExpectBufEQ(tmp, data, 20); + ExpectIntEQ(BIO_write(bio1, data, 20), 20); + ExpectIntEQ(BIO_read(bio2, tmp, 40), 40); + ExpectBufEQ(tmp, data, 40); + + BIO_free(bio1); + BIO_free(bio2); #endif return EXPECT_RESULT(); } -static int test_wolfSSL_OBJ_txt2nid(void) +#endif /* !NO_BIO */ + + +static int test_wolfSSL_a2i_IPADDRESS(void) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) || 
defined(OPENSSL_EXTRA_X509_SMALL) || \ - defined(WOLFSSL_APACHE_HTTPD) - int i; - static const struct { - const char* sn; - const char* ln; - const char* oid; - int nid; - } testVals[] = { -#ifdef WOLFSSL_APACHE_HTTPD - { "tlsfeature", "TLS Feature", "1.3.6.1.5.5.7.1.24", NID_tlsfeature }, - { "id-on-dnsSRV", "SRVName", "1.3.6.1.5.5.7.8.7", - NID_id_on_dnsSRV }, - { "msUPN", "Microsoft User Principal Name", - "1.3.6.1.4.1.311.20.2.3", NID_ms_upn }, -#endif - { NULL, NULL, NULL, NID_undef } +#if defined(OPENSSL_ALL) && !defined(WOLFSSL_USER_IO) + const unsigned char* data = NULL; + int dataSz = 0; + ASN1_OCTET_STRING *st = NULL; + + const unsigned char ipv4_exp[] = {0x7F, 0, 0, 1}; + const unsigned char ipv6_exp[] = { + 0x20, 0x21, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x77, 0x77 + }; + const unsigned char ipv6_home[] = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 }; - /* Invalid cases */ - ExpectIntEQ(OBJ_txt2nid(NULL), NID_undef); - ExpectIntEQ(OBJ_txt2nid("Bad name"), NID_undef); + ExpectNull(st = a2i_IPADDRESS("127.0.0.1bad")); + ExpectNotNull(st = a2i_IPADDRESS("127.0.0.1")); + ExpectNotNull(data = ASN1_STRING_get0_data(st)); + ExpectIntEQ(dataSz = ASN1_STRING_length(st), WOLFSSL_IP4_ADDR_LEN); + ExpectIntEQ(XMEMCMP(data, ipv4_exp, dataSz), 0); + ASN1_STRING_free(st); + st = NULL; - /* Valid cases */ - for (i = 0; testVals[i].sn != NULL; i++) { - ExpectIntEQ(OBJ_txt2nid(testVals[i].sn), testVals[i].nid); - ExpectIntEQ(OBJ_txt2nid(testVals[i].ln), testVals[i].nid); - ExpectIntEQ(OBJ_txt2nid(testVals[i].oid), testVals[i].nid); - } + ExpectNotNull(st = a2i_IPADDRESS("::1")); + ExpectNotNull(data = ASN1_STRING_get0_data(st)); + ExpectIntEQ(dataSz = ASN1_STRING_length(st), WOLFSSL_IP6_ADDR_LEN); + ExpectIntEQ(XMEMCMP(data, ipv6_home, dataSz), 0); + ASN1_STRING_free(st); + st = NULL; + + ExpectNotNull(st = a2i_IPADDRESS("2021:db8::ff00:42:7777")); + ExpectNotNull(data = 
ASN1_STRING_get0_data(st)); + ExpectIntEQ(dataSz = ASN1_STRING_length(st), WOLFSSL_IP6_ADDR_LEN); + ExpectIntEQ(XMEMCMP(data, ipv6_exp, dataSz), 0); + ASN1_STRING_free(st); #endif return EXPECT_RESULT(); } -static int test_wolfSSL_OBJ_txt2obj(void) +static int test_wolfSSL_X509_ALGOR_get0(void) { EXPECT_DECLS; -#if defined(WOLFSSL_APACHE_HTTPD) || (defined(OPENSSL_EXTRA) && \ - defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_CERT_GEN)) - int i; - char buf[50]; - ASN1_OBJECT* obj = NULL; - static const struct { - const char* oidStr; - const char* sn; - const char* ln; - } objs_list[] = { - #if defined(WOLFSSL_APACHE_HTTPD) - { "1.3.6.1.5.5.7.1.24", "tlsfeature", "TLS Feature" }, - { "1.3.6.1.5.5.7.8.7", "id-on-dnsSRV", "SRVName" }, - #endif - { "2.5.29.19", "basicConstraints", "X509v3 Basic Constraints"}, - { NULL, NULL, NULL } - }; - static const struct { - const char* numeric; - const char* name; - } objs_named[] = { - /* In dictionary but not in normal list. */ - { "1.3.6.1.5.5.7.3.8", "Time Stamping" }, - /* Made up OID. 
*/ - { "1.3.5.7", "1.3.5.7" }, - { NULL, NULL } - }; +#if (defined(OPENSSL_ALL) || defined(WOLFSSL_APACHE_HTTPD)) && \ + !defined(NO_SHA256) && !defined(NO_RSA) + X509* x509 = NULL; + const ASN1_OBJECT* obj = NULL; + const X509_ALGOR* alg = NULL; + X509_ALGOR* alg2 = NULL; + int pptype = 0; + const void *ppval = NULL; + byte* der = NULL; + const byte* tmp = NULL; + const byte badObj[] = { 0x06, 0x00 }; - ExpectNull(obj = OBJ_txt2obj("Bad name", 0)); - ASN1_OBJECT_free(obj); - obj = NULL; - ExpectNull(obj = OBJ_txt2obj(NULL, 0)); - ASN1_OBJECT_free(obj); - obj = NULL; + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFile, + SSL_FILETYPE_PEM)); + ExpectNotNull(alg = X509_get0_tbs_sigalg(x509)); - for (i = 0; objs_list[i].oidStr != NULL; i++) { - /* Test numerical value of oid (oidStr) */ - ExpectNotNull(obj = OBJ_txt2obj(objs_list[i].oidStr, 1)); - /* Convert object back to text to confirm oid is correct */ - wolfSSL_OBJ_obj2txt(buf, (int)sizeof(buf), obj, 1); - ExpectIntEQ(XSTRNCMP(buf, objs_list[i].oidStr, (int)XSTRLEN(buf)), 0); - ASN1_OBJECT_free(obj); - obj = NULL; - XMEMSET(buf, 0, sizeof(buf)); + /* Invalid case */ + X509_ALGOR_get0(&obj, NULL, NULL, NULL); + ExpectNull(obj); - /* Test short name (sn) */ - ExpectNull(obj = OBJ_txt2obj(objs_list[i].sn, 1)); - ExpectNotNull(obj = OBJ_txt2obj(objs_list[i].sn, 0)); - /* Convert object back to text to confirm oid is correct */ - wolfSSL_OBJ_obj2txt(buf, (int)sizeof(buf), obj, 1); - ExpectIntEQ(XSTRNCMP(buf, objs_list[i].oidStr, (int)XSTRLEN(buf)), 0); - ASN1_OBJECT_free(obj); - obj = NULL; - XMEMSET(buf, 0, sizeof(buf)); + /* Valid case */ + X509_ALGOR_get0(NULL, NULL, NULL, alg); + X509_ALGOR_get0(&obj, &pptype, &ppval, alg); + ExpectNotNull(obj); + ExpectNull(ppval); + ExpectIntNE(pptype, 0); + /* Make sure NID of X509_ALGOR is Sha256 with RSA */ + ExpectIntEQ(OBJ_obj2nid(obj), NID_sha256WithRSAEncryption); - /* Test long name (ln) - should fail when no_name = 1 */ - ExpectNull(obj = 
OBJ_txt2obj(objs_list[i].ln, 1)); - ExpectNotNull(obj = OBJ_txt2obj(objs_list[i].ln, 0)); - /* Convert object back to text to confirm oid is correct */ - wolfSSL_OBJ_obj2txt(buf, (int)sizeof(buf), obj, 1); - ExpectIntEQ(XSTRNCMP(buf, objs_list[i].oidStr, (int)XSTRLEN(buf)), 0); - ASN1_OBJECT_free(obj); - obj = NULL; - XMEMSET(buf, 0, sizeof(buf)); - } + ExpectIntEQ(i2d_X509_ALGOR(NULL, NULL), WOLFSSL_FATAL_ERROR); + ExpectIntEQ(i2d_X509_ALGOR(alg, &der), 15); + ExpectNull(d2i_X509_ALGOR(NULL, NULL, 0)); + /* tmp is NULL. */ + ExpectNull(d2i_X509_ALGOR(NULL, &tmp, 0)); + tmp = badObj; + ExpectNull(d2i_X509_ALGOR(NULL, &tmp, (long)sizeof(badObj))); + tmp = der; + ExpectNull(d2i_X509_ALGOR(NULL, &tmp, 0)); + ExpectNotNull(d2i_X509_ALGOR(&alg2, &tmp, 15)); + tmp = der; + ExpectNotNull(d2i_X509_ALGOR(&alg2, &tmp, 15)); - for (i = 0; objs_named[i].numeric != NULL; i++) { - ExpectNotNull(obj = OBJ_txt2obj(objs_named[i].numeric, 1)); - wolfSSL_OBJ_obj2txt(buf, (int)sizeof(buf), obj, 0); - ExpectIntEQ(XSTRNCMP(buf, objs_named[i].name, (int)XSTRLEN(buf)), 0); - wolfSSL_OBJ_obj2txt(buf, (int)sizeof(buf), obj, 1); - ExpectIntEQ(XSTRNCMP(buf, objs_named[i].numeric, (int)XSTRLEN(buf)), 0); - ASN1_OBJECT_free(obj); - obj = NULL; - } + XFREE(der, NULL, DYNAMIC_TYPE_ASN1); + X509_free(x509); + X509_ALGOR_free(NULL); + X509_ALGOR_free(alg2); + alg2 = NULL; #endif return EXPECT_RESULT(); } -static int test_wolfSSL_PEM_write_bio_X509(void) + +#if defined(OPENSSL_EXTRA) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \ + !defined(WOLFSSL_HOSTNAME_VERIFY_ALT_NAME_ONLY) + +static int test_wolfSSL_check_domain_verify_count = 0; + +static WC_INLINE int test_wolfSSL_check_domain_verify_cb(int preverify, + WOLFSSL_X509_STORE_CTX* store) +{ + EXPECT_DECLS; + ExpectIntEQ(X509_STORE_CTX_get_error(store), 0); + ExpectIntEQ(preverify, 1); + ExpectIntGT(++test_wolfSSL_check_domain_verify_count, 0); + return EXPECT_SUCCESS(); +} + +static int test_wolfSSL_check_domain_client_cb(WOLFSSL* ssl) { 
EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && defined(OPENSSL_ALL) && \ - defined(WOLFSSL_AKID_NAME) && defined(WOLFSSL_CERT_EXT) && \ - defined(WOLFSSL_CERT_GEN) && !defined(NO_BIO) && !defined(NO_RSA) && \ - !defined(NO_FILESYSTEM) - /* This test contains the hard coded expected - * lengths. Update if necessary */ - XFILE fp = XBADFILE; - WOLFSSL_EVP_PKEY *priv = NULL; - - BIO* input = NULL; - BIO* output = NULL; - X509* x509a = NULL; - X509* x509b = NULL; - X509* empty = NULL; - - ASN1_TIME* notBeforeA = NULL; - ASN1_TIME* notAfterA = NULL; -#ifndef NO_ASN_TIME - ASN1_TIME* notBeforeB = NULL; - ASN1_TIME* notAfterB = NULL; -#endif - int expectedLen; - - ExpectTrue((fp = XFOPEN("certs/server-key.pem", "rb")) != XBADFILE); - ExpectNotNull(priv = wolfSSL_PEM_read_PrivateKey(fp, NULL, NULL, NULL)); - if (fp != XBADFILE) { - XFCLOSE(fp); - fp = XBADFILE; - } - - ExpectNotNull(input = BIO_new_file("certs/test/cert-ext-multiple.pem", - "rb")); - ExpectIntEQ(wolfSSL_BIO_get_len(input), 2000); - - /* read PEM into X509 struct, get notBefore / notAfter to verify against */ - ExpectNotNull(PEM_read_bio_X509(input, &x509a, NULL, NULL)); - ExpectNotNull(notBeforeA = X509_get_notBefore(x509a)); - ExpectNotNull(notAfterA = X509_get_notAfter(x509a)); + X509_VERIFY_PARAM *param = NULL; - /* write X509 back to PEM BIO; no need to sign as nothing changed. 
*/ - ExpectNotNull(output = BIO_new(wolfSSL_BIO_s_mem())); - ExpectNotNull(empty = wolfSSL_X509_new()); - ExpectIntEQ(PEM_write_bio_X509(NULL, NULL), WOLFSSL_FAILURE); - ExpectIntEQ(PEM_write_bio_X509(output, NULL), WOLFSSL_FAILURE); - ExpectIntEQ(PEM_write_bio_X509(NULL, x509a), WOLFSSL_FAILURE); - ExpectIntEQ(PEM_write_bio_X509(output, empty), WOLFSSL_FAILURE); - ExpectIntEQ(PEM_write_bio_X509(output, x509a), WOLFSSL_SUCCESS); - /* compare length against expected */ - expectedLen = 2000; - ExpectIntEQ(wolfSSL_BIO_get_len(output), expectedLen); - wolfSSL_X509_free(empty); + ExpectNotNull(param = SSL_get0_param(ssl)); -#ifndef NO_ASN_TIME - /* read exported X509 PEM back into struct, sanity check on export, - * make sure notBefore/notAfter are the same and certs are identical. */ - ExpectNotNull(PEM_read_bio_X509(output, &x509b, NULL, NULL)); - ExpectNotNull(notBeforeB = X509_get_notBefore(x509b)); - ExpectNotNull(notAfterB = X509_get_notAfter(x509b)); - ExpectIntEQ(ASN1_TIME_compare(notBeforeA, notBeforeB), 0); - ExpectIntEQ(ASN1_TIME_compare(notAfterA, notAfterB), 0); - ExpectIntEQ(0, wolfSSL_X509_cmp(x509a, x509b)); - X509_free(x509b); - x509b = NULL; -#endif - - /* Reset output buffer */ - BIO_free(output); - output = NULL; - ExpectNotNull(output = BIO_new(wolfSSL_BIO_s_mem())); - - /* Test forcing the AKID to be generated just from KeyIdentifier */ - if (EXPECT_SUCCESS() && x509a->authKeyIdSrc != NULL) { - XMEMMOVE(x509a->authKeyIdSrc, x509a->authKeyId, x509a->authKeyIdSz); - x509a->authKeyId = x509a->authKeyIdSrc; - x509a->authKeyIdSrc = NULL; - x509a->authKeyIdSrcSz = 0; - } - - /* Resign to re-generate the der */ - ExpectIntGT(wolfSSL_X509_sign(x509a, priv, EVP_sha256()), 0); - - ExpectIntEQ(PEM_write_bio_X509(output, x509a), WOLFSSL_SUCCESS); - - /* Check that we generate a smaller output since the AKID will - * only contain the KeyIdentifier without any additional - * information */ - - /* Here we copy the validity struct from the original */ - 
expectedLen = 1688; - ExpectIntEQ(wolfSSL_BIO_get_len(output), expectedLen); - - /* Reset buffers and x509 */ - BIO_free(input); - input = NULL; - BIO_free(output); - output = NULL; - X509_free(x509a); - x509a = NULL; - - /* test CA and basicConstSet values are encoded when - * the cert is a CA */ - ExpectNotNull(input = BIO_new_file("certs/server-cert.pem", "rb")); - - /* read PEM into X509 struct */ - ExpectNotNull(PEM_read_bio_X509(input, &x509a, NULL, NULL)); - - /* write X509 back to PEM BIO; no need to sign as nothing changed */ - ExpectNotNull(output = BIO_new(wolfSSL_BIO_s_mem())); - ExpectIntEQ(PEM_write_bio_X509(output, x509a), WOLFSSL_SUCCESS); - - /* read exported X509 PEM back into struct, ensure isCa and basicConstSet - * values are maintained and certs are identical.*/ - ExpectNotNull(PEM_read_bio_X509(output, &x509b, NULL, NULL)); - ExpectIntEQ(x509b->isCa, 1); - ExpectIntEQ(x509b->basicConstSet, 1); - ExpectIntEQ(0, wolfSSL_X509_cmp(x509a, x509b)); - - X509_free(x509a); - x509a = NULL; - X509_free(x509b); - x509b = NULL; - BIO_free(input); - input = NULL; - BIO_free(output); - output = NULL; - - /* test CA and basicConstSet values are encoded when - * the cert is not CA */ - ExpectNotNull(input = BIO_new_file("certs/client-uri-cert.pem", "rb")); - - /* read PEM into X509 struct */ - ExpectNotNull(PEM_read_bio_X509(input, &x509a, NULL, NULL)); - - /* write X509 back to PEM BIO; no need to sign as nothing changed */ - ExpectNotNull(output = BIO_new(wolfSSL_BIO_s_mem())); - ExpectIntEQ(PEM_write_bio_X509(output, x509a), WOLFSSL_SUCCESS); - - /* read exported X509 PEM back into struct, ensure isCa and - * basicConstSet values are maintained and certs are identical */ - ExpectNotNull(PEM_read_bio_X509(output, &x509b, NULL, NULL)); - ExpectIntEQ(x509b->isCa, 0); - ExpectIntEQ(x509b->basicConstSet, 1); - ExpectIntEQ(0, wolfSSL_X509_cmp(x509a, x509b)); + /* Domain check should only be done on the leaf cert */ + X509_VERIFY_PARAM_set_hostflags(param, + 
X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); + ExpectIntEQ(X509_VERIFY_PARAM_set1_host(param, + "wolfSSL Server Chain", 0), 1); + wolfSSL_set_verify(ssl, WOLFSSL_VERIFY_PEER, + test_wolfSSL_check_domain_verify_cb); + return EXPECT_RESULT(); +} - wolfSSL_EVP_PKEY_free(priv); - X509_free(x509a); - X509_free(x509b); - BIO_free(input); - BIO_free(output); -#endif +static int test_wolfSSL_check_domain_server_cb(WOLFSSL_CTX* ctx) +{ + EXPECT_DECLS; + /* Use a cert with different domains in chain */ + ExpectIntEQ(wolfSSL_CTX_use_certificate_chain_file(ctx, + "certs/intermediate/server-chain.pem"), WOLFSSL_SUCCESS); return EXPECT_RESULT(); } -static int test_wolfSSL_X509_NAME_ENTRY(void) +static int test_wolfSSL_check_domain(void) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_FILESYSTEM) && \ - !defined(NO_RSA) && defined(WOLFSSL_CERT_GEN) - X509* x509 = NULL; -#ifndef NO_BIO - X509* empty = NULL; - BIO* bio = NULL; -#endif - X509_NAME* nm = NULL; - X509_NAME_ENTRY* entry = NULL; - WOLF_STACK_OF(WOLFSSL_X509_NAME_ENTRY)* entries = NULL; - unsigned char cn[] = "another name to add"; -#ifdef OPENSSL_ALL - int i; - int names_len = 0; -#endif + test_ssl_cbf func_cb_client; + test_ssl_cbf func_cb_server; - ExpectNotNull(x509 = - wolfSSL_X509_load_certificate_file(cliCertFile, SSL_FILETYPE_PEM)); -#ifndef NO_BIO - ExpectNotNull(empty = wolfSSL_X509_new()); - ExpectNotNull(bio = BIO_new(BIO_s_mem())); - ExpectIntEQ(PEM_write_bio_X509_AUX(NULL, NULL), WOLFSSL_FAILURE); - ExpectIntEQ(PEM_write_bio_X509_AUX(bio, NULL), WOLFSSL_FAILURE); - ExpectIntEQ(PEM_write_bio_X509_AUX(NULL, x509), WOLFSSL_FAILURE); - ExpectIntEQ(PEM_write_bio_X509_AUX(bio, empty), WOLFSSL_FAILURE); - ExpectIntEQ(PEM_write_bio_X509_AUX(bio, x509), SSL_SUCCESS); - wolfSSL_X509_free(empty); -#endif + XMEMSET(&func_cb_client, 0, sizeof(func_cb_client)); + XMEMSET(&func_cb_server, 0, sizeof(func_cb_server)); -#ifdef WOLFSSL_CERT_REQ - { - X509_REQ* req = NULL; -#ifndef NO_BIO - X509_REQ* 
emptyReq = NULL; - BIO* bReq = NULL; -#endif + func_cb_client.ssl_ready = &test_wolfSSL_check_domain_client_cb; + func_cb_server.ctx_ready = &test_wolfSSL_check_domain_server_cb; - ExpectNotNull(req = - wolfSSL_X509_load_certificate_file(cliCertFile, SSL_FILETYPE_PEM)); -#ifndef NO_BIO - ExpectNotNull(emptyReq = wolfSSL_X509_REQ_new()); - ExpectNotNull(bReq = BIO_new(BIO_s_mem())); - ExpectIntEQ(PEM_write_bio_X509_REQ(NULL, NULL), WOLFSSL_FAILURE); - ExpectIntEQ(PEM_write_bio_X509_REQ(bReq, NULL), WOLFSSL_FAILURE); - ExpectIntEQ(PEM_write_bio_X509_REQ(NULL, req), WOLFSSL_FAILURE); - ExpectIntEQ(PEM_write_bio_X509_REQ(bReq, emptyReq), WOLFSSL_FAILURE); - ExpectIntEQ(PEM_write_bio_X509_REQ(bReq, req), SSL_SUCCESS); + ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&func_cb_client, + &func_cb_server, NULL), TEST_SUCCESS); - BIO_free(bReq); - X509_REQ_free(emptyReq); -#endif - X509_free(req); - } + /* Should have been called once for each cert in sent chain */ +#ifdef WOLFSSL_VERIFY_CB_ALL_CERTS + ExpectIntEQ(test_wolfSSL_check_domain_verify_count, 3); +#else + ExpectIntEQ(test_wolfSSL_check_domain_verify_count, 1); #endif - ExpectNotNull(nm = X509_get_subject_name(x509)); - - /* Test add entry */ - ExpectNotNull(entry = X509_NAME_ENTRY_create_by_NID(NULL, NID_commonName, - 0x0c, cn, (int)sizeof(cn))); - ExpectIntEQ(X509_NAME_add_entry(nm, entry, -1, 0), SSL_SUCCESS); - - /* @TODO the internal name entry set value needs investigated for matching - * behavior with OpenSSL. At the moment the getter function for the set - * value is being tested only in that it succeeds in getting the internal - * value. 
*/ - ExpectIntGT(X509_NAME_ENTRY_set(X509_NAME_get_entry(nm, 1)), 0); - -#ifdef WOLFSSL_CERT_EXT - ExpectIntEQ(X509_NAME_add_entry_by_txt(NULL, NULL, MBSTRING_UTF8, - (byte*)"support@wolfssl.com", 19, -1, 1), WOLFSSL_FAILURE); - ExpectIntEQ(X509_NAME_add_entry_by_txt(nm, NULL, MBSTRING_UTF8, - (byte*)"support@wolfssl.com", 19, -1, 1), WOLFSSL_FAILURE); - ExpectIntEQ(X509_NAME_add_entry_by_txt(NULL, "emailAddress", MBSTRING_UTF8, - (byte*)"support@wolfssl.com", 19, -1, 1), WOLFSSL_FAILURE); - ExpectIntEQ(X509_NAME_add_entry_by_txt(nm, "emailAddress", MBSTRING_UTF8, - (byte*)"support@wolfssl.com", 19, -1, 1), WOLFSSL_SUCCESS); - ExpectIntEQ(X509_NAME_add_entry_by_txt(nm, "commonName", MBSTRING_UTF8, - (byte*)"wolfssl.com", 11, 0, 1), WOLFSSL_SUCCESS); - ExpectNull(wolfSSL_X509_NAME_delete_entry(NULL, -1)); - ExpectNull(wolfSSL_X509_NAME_delete_entry(nm, -1)); - ExpectNotNull(wolfSSL_X509_NAME_delete_entry(nm, 0)); -#endif - X509_NAME_ENTRY_free(entry); - entry = NULL; + return EXPECT_RESULT(); +} -#ifdef WOLFSSL_CERT_REQ - { - unsigned char srv_pkcs9p[] = "Server"; - unsigned char rfc822Mlbx[] = "support@wolfssl.com"; - unsigned char fvrtDrnk[] = "tequila"; - unsigned char* der = NULL; - char* subject = NULL; +#else - ExpectIntEQ(X509_NAME_add_entry_by_NID(nm, NID_pkcs9_contentType, - MBSTRING_ASC, srv_pkcs9p, -1, -1, 0), SSL_SUCCESS); +static int test_wolfSSL_check_domain(void) +{ + EXPECT_DECLS; + return EXPECT_RESULT(); +} - ExpectIntEQ(X509_NAME_add_entry_by_NID(nm, NID_rfc822Mailbox, - MBSTRING_ASC, rfc822Mlbx, -1, -1, 0), SSL_SUCCESS); +#endif /* OPENSSL_EXTRA && HAVE_SSL_MEMIO_TESTS_DEPENDENCIES */ +#if defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \ + !defined(OPENSSL_COMPATIBLE_DEFAULTS) && !defined(NO_SHA256) +static const char* dn = NULL; +static int test_wolfSSL_check_domain_basic_client_ssl(WOLFSSL* ssl) +{ + EXPECT_DECLS; - ExpectIntEQ(X509_NAME_add_entry_by_NID(nm, NID_favouriteDrink, - MBSTRING_ASC, fvrtDrnk, -1, -1, 0), SSL_SUCCESS); + 
ExpectIntEQ(wolfSSL_check_domain_name(ssl, dn), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_i2d_X509_NAME(NULL, &der), BAD_FUNC_ARG); - ExpectIntGT(wolfSSL_i2d_X509_NAME(nm, &der), 0); - ExpectNotNull(der); + return EXPECT_RESULT(); +} +static int test_wolfSSL_check_domain_basic(void) +{ + EXPECT_DECLS; + test_ssl_cbf func_cb_client; + test_ssl_cbf func_cb_server; - ExpectNotNull(subject = X509_NAME_oneline(nm, NULL, 0)); - ExpectNotNull(XSTRSTR(subject, "rfc822Mailbox=support@wolfssl.com")); - ExpectNotNull(XSTRSTR(subject, "favouriteDrink=tequila")); - ExpectNotNull(XSTRSTR(subject, "contentType=Server")); - #ifdef DEBUG_WOLFSSL - if (subject != NULL) { - fprintf(stderr, "\n\t%s\n", subject); - } - #endif - XFREE(subject, 0, DYNAMIC_TYPE_OPENSSL); - XFREE(der, NULL, DYNAMIC_TYPE_OPENSSL); - } -#endif + XMEMSET(&func_cb_client, 0, sizeof(func_cb_client)); + XMEMSET(&func_cb_server, 0, sizeof(func_cb_server)); - ExpectNull(entry = X509_NAME_ENTRY_create_by_txt(NULL, NULL, 0x0c, cn, - (int)sizeof(cn))); - /* Test add entry by text */ - ExpectNotNull(entry = X509_NAME_ENTRY_create_by_txt(NULL, "commonName", - 0x0c, cn, (int)sizeof(cn))); - ExpectPtrEq(X509_NAME_ENTRY_create_by_txt(&entry, "commonName", - 0x0c, cn, (int)sizeof(cn)), entry); - #if defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO) \ - || defined(WOLFSSL_HAPROXY) || defined(WOLFSSL_NGINX) - ExpectNull(X509_NAME_ENTRY_create_by_txt(&entry, "unknown", - V_ASN1_UTF8STRING, cn, (int)sizeof(cn))); - #endif - ExpectIntEQ(X509_NAME_add_entry(nm, entry, -1, 0), SSL_SUCCESS); - X509_NAME_ENTRY_free(entry); - entry = NULL; + dn = "invalid.com"; + func_cb_client.ssl_ready = &test_wolfSSL_check_domain_basic_client_ssl; - /* Test add entry by NID */ - ExpectIntEQ(X509_NAME_add_entry_by_NID(nm, NID_commonName, MBSTRING_UTF8, - cn, -1, -1, 0), SSL_SUCCESS); + /* Expect to fail */ + ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&func_cb_client, + &func_cb_server, NULL), -1001); -#ifdef OPENSSL_ALL - /* stack of name entry 
*/ - ExpectIntGT((names_len = sk_X509_NAME_ENTRY_num(nm->entries)), 0); - for (i = 0; i < names_len; i++) { - ExpectNotNull(entry = sk_X509_NAME_ENTRY_value(nm->entries, i)); - } -#endif + dn = "example.com"; - ExpectNotNull(entries = wolfSSL_sk_X509_NAME_ENTRY_new(NULL)); - ExpectIntEQ(sk_X509_NAME_ENTRY_num(NULL), BAD_FUNC_ARG); - ExpectIntEQ(sk_X509_NAME_ENTRY_num(entries), 0); - ExpectNull(sk_X509_NAME_ENTRY_value(NULL, 0)); - ExpectNull(sk_X509_NAME_ENTRY_value(entries, 0)); - wolfSSL_sk_X509_NAME_ENTRY_free(entries); + /* Expect to succeed */ + ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&func_cb_client, + &func_cb_server, NULL), TEST_SUCCESS); -#ifndef NO_BIO - BIO_free(bio); -#endif - X509_free(x509); /* free's nm */ -#endif return EXPECT_RESULT(); } - -/* Note the lack of wolfSSL_ prefix...this is a compatibility layer test. */ -static int test_GENERAL_NAME_set0_othername(void) +#else +static int test_wolfSSL_check_domain_basic(void) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ - defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_REQ) && \ - defined(WOLFSSL_CUSTOM_OID) && defined(WOLFSSL_ALT_NAMES) && \ - defined(WOLFSSL_CERT_EXT) && !defined(NO_FILESYSTEM) && \ - defined(WOLFSSL_FPKI) && !defined(NO_RSA) - /* ./configure --enable-opensslall --enable-certgen --enable-certreq - * --enable-certext --enable-debug 'CPPFLAGS=-DWOLFSSL_CUSTOM_OID - * -DWOLFSSL_ALT_NAMES -DWOLFSSL_FPKI' */ - const char * cert_fname = "./certs/server-cert.der"; - const char * key_fname = "./certs/server-key.der"; - X509* x509 = NULL; - GENERAL_NAME* gn = NULL; - GENERAL_NAMES* gns = NULL; - ASN1_OBJECT* upn_oid = NULL; - ASN1_UTF8STRING *utf8str = NULL; - ASN1_TYPE *value = NULL; - X509_EXTENSION * ext = NULL; - - byte* pt = NULL; - byte der[4096]; - int derSz = 0; - EVP_PKEY* priv = NULL; - XFILE f = XBADFILE; - - ExpectTrue((f = XFOPEN(cert_fname, "rb")) != XBADFILE); - ExpectNotNull(x509 = d2i_X509_fp(f, NULL)); - if (f != XBADFILE) { - 
XFCLOSE(f); - f = XBADFILE; - } - ExpectNotNull(gn = GENERAL_NAME_new()); - ExpectNotNull(upn_oid = OBJ_txt2obj("1.3.6.1.4.1.311.20.2.3", 1)); - ExpectNotNull(utf8str = ASN1_UTF8STRING_new()); - ExpectIntEQ(ASN1_STRING_set(utf8str, "othername@wolfssl.com", -1), 1); - ExpectNotNull(value = ASN1_TYPE_new()); - ASN1_TYPE_set(value, V_ASN1_UTF8STRING, utf8str); - if ((value == NULL) || (value->value.ptr != (char*)utf8str)) { - wolfSSL_ASN1_STRING_free(utf8str); - } - ExpectIntEQ(GENERAL_NAME_set0_othername(NULL, NULL , NULL ), - WOLFSSL_FAILURE); - ExpectIntEQ(GENERAL_NAME_set0_othername(gn , NULL , NULL ), - WOLFSSL_FAILURE); - ExpectIntEQ(GENERAL_NAME_set0_othername(NULL, upn_oid, NULL ), - WOLFSSL_FAILURE); - ExpectIntEQ(GENERAL_NAME_set0_othername(NULL, NULL , value), - WOLFSSL_FAILURE); - ExpectIntEQ(GENERAL_NAME_set0_othername(gn , upn_oid, NULL ), - WOLFSSL_FAILURE); - ExpectIntEQ(GENERAL_NAME_set0_othername(gn , NULL , value), - WOLFSSL_FAILURE); - ExpectIntEQ(GENERAL_NAME_set0_othername(NULL, upn_oid, value ), - WOLFSSL_FAILURE); - ExpectIntEQ(GENERAL_NAME_set0_othername(gn, upn_oid, value), 1); - if (EXPECT_FAIL()) { - ASN1_TYPE_free(value); - } - ExpectNotNull(gns = sk_GENERAL_NAME_new(NULL)); - ExpectIntEQ(sk_GENERAL_NAME_push(gns, gn), 1); - if (EXPECT_FAIL()) { - GENERAL_NAME_free(gn); - gn = NULL; - } - ExpectNotNull(ext = X509V3_EXT_i2d(NID_subject_alt_name, 0, gns)); - ExpectIntEQ(X509_add_ext(x509, ext, -1), 1); - ExpectTrue((f = XFOPEN(key_fname, "rb")) != XBADFILE); - ExpectIntGT(derSz = (int)XFREAD(der, 1, sizeof(der), f), 0); - if (f != XBADFILE) { - XFCLOSE(f); - f = XBADFILE; - } - pt = der; - ExpectNotNull(priv = d2i_PrivateKey(EVP_PKEY_RSA, NULL, - (const unsigned char**)&pt, derSz)); - ExpectIntGT(X509_sign(x509, priv, EVP_sha256()), 0); - sk_GENERAL_NAME_pop_free(gns, GENERAL_NAME_free); - gns = NULL; - ExpectNotNull(gns = (GENERAL_NAMES*)X509_get_ext_d2i(x509, - NID_subject_alt_name, NULL, NULL)); - - ExpectIntEQ(sk_GENERAL_NAME_num(NULL), 
0); - ExpectIntEQ(sk_GENERAL_NAME_num(gns), 3); - - ExpectNull(sk_GENERAL_NAME_value(NULL, 0)); - ExpectNull(sk_GENERAL_NAME_value(gns, 20)); - ExpectNotNull(gn = sk_GENERAL_NAME_value(gns, 2)); - ExpectIntEQ(gn->type, 0); - - sk_GENERAL_NAME_pop_free(gns, GENERAL_NAME_free); + return EXPECT_RESULT(); +} +#endif /* HAVE_SSL_MEMIO_TESTS_DEPENDENCIES */ - ASN1_OBJECT_free(upn_oid); - X509_EXTENSION_free(ext); - X509_free(x509); - EVP_PKEY_free(priv); +static int test_wolfSSL_BUF(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) + BUF_MEM* buf = NULL; + ExpectNotNull(buf = BUF_MEM_new()); + ExpectIntEQ(BUF_MEM_grow(buf, 10), 10); + ExpectIntEQ(BUF_MEM_grow(buf, -1), 0); + BUF_MEM_free(buf); #endif return EXPECT_RESULT(); } -/* Note the lack of wolfSSL_ prefix...this is a compatibility layer test. */ -static int test_othername_and_SID_ext(void) +#if defined(OPENSSL_EXTRA) && !defined(WOLFSSL_NO_OPENSSL_RAND_CB) +static int stub_rand_seed(const void *buf, int num) { - EXPECT_DECLS; -#if defined(OPENSSL_ALL) && !defined(NO_CERTS) && \ - defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_REQ) && \ - defined(WOLFSSL_CUSTOM_OID) && defined(WOLFSSL_ALT_NAMES) && \ - defined(WOLFSSL_CERT_EXT) && !defined(NO_FILESYSTEM) && \ - defined(WOLFSSL_FPKI) && defined(WOLFSSL_ASN_TEMPLATE) && !defined(NO_RSA) - /* ./configure --enable-opensslall --enable-certgen --enable-certreq - * --enable-certext --enable-debug 'CPPFLAGS=-DWOLFSSL_CUSTOM_OID - * -DWOLFSSL_ALT_NAMES -DWOLFSSL_FPKI' */ - const char* csr_fname = "./certs/csr.signed.der"; - const char* key_fname = "./certs/server-key.der"; + (void)buf; + (void)num; - byte der[4096]; - int derSz = 0; - byte badDer[2] = { 0x30, 0x00 }; - X509_REQ* x509 = NULL; - STACK_OF(X509_EXTENSION) *exts = NULL; + return 123; +} - X509_EXTENSION * san_ext = NULL; - X509_EXTENSION * ext = NULL; - GENERAL_NAME* gn = NULL; - GENERAL_NAMES* gns = NULL; - ASN1_OBJECT* upn_oid = NULL; - ASN1_UTF8STRING *utf8str = NULL; - ASN1_TYPE *value = NULL; - 
ASN1_STRING *extval = NULL; +static int stub_rand_bytes(unsigned char *buf, int num) +{ + (void)buf; + (void)num; - /* SID extension. SID data format explained here: - * https://blog.qdsecurity.se/2022/05/27/manually-injecting-a-sid-in-a-certificate/ - */ - byte SidExtension[] = { - 48, 64, 160, 62, 6, 10, 43, 6, 1, 4, 1, 130, 55, 25, 2, 1, 160, - 48, 4, 46, 83, 45, 49, 45, 53, 45, 50, 49, 45, 50, 56, 52, 51, 57, - 48, 55, 52, 49, 56, 45, 51, 57, 50, 54, 50, 55, 55, 52, 50, 49, 45, - 51, 56, 49, 53, 57, 57, 51, 57, 55, 50, 45, 52, 54, 48, 49}; + return 456; +} - byte expectedAltName[] = { - 0x30, 0x27, 0xA0, 0x25, 0x06, 0x0A, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, - 0x37, 0x14, 0x02, 0x03, 0xA0, 0x17, 0x0C, 0x15, 0x6F, 0x74, 0x68, 0x65, - 0x72, 0x6E, 0x61, 0x6D, 0x65, 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, - 0x6C, 0x2E, 0x63, 0x6F, 0x6D}; +static byte* was_stub_rand_cleanup_called(void) +{ + static byte was_called = 0; - X509_EXTENSION *sid_ext = NULL; - ASN1_OBJECT* sid_oid = NULL; - ASN1_OCTET_STRING *sid_data = NULL; + return &was_called; +} - ASN1_OBJECT* alt_names_oid = NULL; +static void stub_rand_cleanup(void) +{ + byte* was_called = was_stub_rand_cleanup_called(); - EVP_PKEY* priv = NULL; - XFILE f = XBADFILE; - byte* pt = NULL; - BIO* bio = NULL; + *was_called = 1; - ExpectTrue((f = XFOPEN(csr_fname, "rb")) != XBADFILE); - ExpectNotNull(x509 = d2i_X509_REQ_fp(f, NULL)); - if (f != XBADFILE) { - XFCLOSE(f); - f = XBADFILE; - } - ExpectIntEQ(X509_REQ_set_version(x509, 2), 1); - ExpectNotNull(gn = GENERAL_NAME_new()); - ExpectNotNull(upn_oid = OBJ_txt2obj("1.3.6.1.4.1.311.20.2.3", 1)); - ExpectNotNull(utf8str = ASN1_UTF8STRING_new()); - ExpectIntEQ(ASN1_STRING_set(utf8str, "othername@wolfssl.com", -1), 1); - ExpectNotNull(value = ASN1_TYPE_new()); - ASN1_TYPE_set(value, V_ASN1_UTF8STRING, utf8str); - if (EXPECT_FAIL()) { - ASN1_UTF8STRING_free(utf8str); - } - ExpectIntEQ(GENERAL_NAME_set0_othername(gn, upn_oid, value), 1); - if (EXPECT_FAIL()) { - 
ASN1_TYPE_free(value); - GENERAL_NAME_free(gn); - gn = NULL; - } - ExpectNotNull(gns = sk_GENERAL_NAME_new(NULL)); - ExpectIntEQ(sk_GENERAL_NAME_push(gns, gn), 1); - if (EXPECT_FAIL()) { - GENERAL_NAME_free(gn); - } - ExpectNotNull(san_ext = X509V3_EXT_i2d(NID_subject_alt_name, 0, gns)); - ExpectNotNull(sid_oid = OBJ_txt2obj("1.3.6.1.4.1.311.25.2", 1)); - ExpectNotNull(sid_data = ASN1_OCTET_STRING_new()); - ASN1_OCTET_STRING_set(sid_data, SidExtension, sizeof(SidExtension)); - ExpectNotNull(sid_ext = X509_EXTENSION_create_by_OBJ(NULL, sid_oid, 0, - sid_data)); - ExpectNotNull(exts = sk_X509_EXTENSION_new_null()); - wolfSSL_sk_X509_EXTENSION_free(exts); - exts = NULL; - ExpectNotNull(exts = sk_X509_EXTENSION_new_null()); - /* Ensure an empty stack doesn't raise an error. */ - ExpectIntEQ(X509_REQ_add_extensions(NULL, NULL), 0); - ExpectIntEQ(X509_REQ_add_extensions(x509, NULL), 0); - ExpectIntEQ(X509_REQ_add_extensions(NULL, exts), 0); - ExpectIntEQ(X509_REQ_add_extensions(x509, exts), 1); - ExpectIntEQ(sk_X509_EXTENSION_push(exts, san_ext), 1); - if (EXPECT_FAIL()) { - X509_EXTENSION_free(san_ext); - } - ExpectIntEQ(sk_X509_EXTENSION_push(exts, sid_ext), 2); - if (EXPECT_FAIL()) { - X509_EXTENSION_free(sid_ext); - } - ExpectIntEQ(X509_REQ_add_extensions(x509, exts), 1); - ExpectTrue((f = XFOPEN(key_fname, "rb")) != XBADFILE); - ExpectIntGT(derSz = (int)XFREAD(der, 1, sizeof(der), f), 0); - if (f != XBADFILE) - XFCLOSE(f); - pt = der; - ExpectNotNull(priv = d2i_PrivateKey(EVP_PKEY_RSA, NULL, - (const unsigned char**)&pt, derSz)); - ExpectIntGT(X509_REQ_sign(x509, priv, EVP_sha256()), 0); - pt = der; - ExpectIntGT(derSz = i2d_X509_REQ(x509, &pt), 0); - X509_REQ_free(x509); - x509 = NULL; - ExpectNull(d2i_X509_REQ_INFO(&x509, NULL, derSz)); - pt = badDer; - ExpectNull(d2i_X509_REQ_INFO(&x509, (const unsigned char**)&pt, - sizeof(badDer))); - pt = der; - ExpectNotNull(d2i_X509_REQ_INFO(&x509, (const unsigned char**)&pt, derSz)); - sk_GENERAL_NAME_pop_free(gns, 
GENERAL_NAME_free); - gns = NULL; - sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free); - exts = NULL; - ASN1_OBJECT_free(upn_oid); - ASN1_OBJECT_free(sid_oid); - sid_oid = NULL; - ASN1_OCTET_STRING_free(sid_data); - X509_REQ_free(x509); - EVP_PKEY_free(priv); + return; +} - /* At this point everything used to generate what is in der is cleaned up. - * We now read back from der to confirm the extensions were inserted - * correctly. */ - bio = wolfSSL_BIO_new(wolfSSL_BIO_s_mem()); - ExpectNotNull(bio); +static byte* was_stub_rand_add_called(void) +{ + static byte was_called = 0; - ExpectIntEQ(BIO_write(bio, der, derSz), derSz); /* d2i consumes BIO */ - ExpectNotNull(d2i_X509_REQ_bio(bio, &x509)); - ExpectNotNull(x509); - BIO_free(bio); - ExpectNotNull(exts = (STACK_OF(X509_EXTENSION)*)X509_REQ_get_extensions( - x509)); - ExpectIntEQ(sk_X509_EXTENSION_num(NULL), WOLFSSL_FATAL_ERROR); - ExpectIntEQ(sk_X509_EXTENSION_num(exts), 2); + return &was_called; +} - /* Check the SID extension. */ - ExpectNotNull(sid_oid = OBJ_txt2obj("1.3.6.1.4.1.311.25.2", 1)); - ExpectNotNull(ext = sk_X509_EXTENSION_value(exts, - X509_get_ext_by_OBJ(x509, sid_oid, -1))); - ExpectNotNull(extval = X509_EXTENSION_get_data(ext)); - ExpectIntEQ(extval->length, sizeof(SidExtension)); - ExpectIntEQ(XMEMCMP(SidExtension, extval->data, sizeof(SidExtension)), 0); - ASN1_OBJECT_free(sid_oid); +static int stub_rand_add(const void *buf, int num, double entropy) +{ + byte* was_called = was_stub_rand_add_called(); - /* Check the AltNames extension. 
*/ - ExpectNotNull(alt_names_oid = OBJ_txt2obj("subjectAltName", 0)); - ExpectNotNull(ext = sk_X509_EXTENSION_value(exts, - X509_get_ext_by_OBJ(x509, alt_names_oid, -1))); - ExpectNotNull(extval = X509_EXTENSION_get_data(ext)); - ExpectIntEQ(extval->length, sizeof(expectedAltName)); - ExpectIntEQ(XMEMCMP(expectedAltName, extval->data, sizeof(expectedAltName)), - 0); - ASN1_OBJECT_free(alt_names_oid); + (void)buf; + (void)num; + (void)entropy; - /* Cleanup */ - ExpectNotNull(gns = (GENERAL_NAMES*)X509_get_ext_d2i(x509, - NID_subject_alt_name, NULL, NULL)); - ExpectIntEQ(sk_GENERAL_NAME_num(gns), 1); - ExpectNotNull(gn = sk_GENERAL_NAME_value(gns, 0)); - ExpectIntEQ(gn->type, 0); + *was_called = 1; - sk_GENERAL_NAME_pop_free(gns, GENERAL_NAME_free); + return 0; +} - sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free); - X509_REQ_free(x509); -#endif - return EXPECT_RESULT(); +static int stub_rand_pseudo_bytes(unsigned char *buf, int num) +{ + (void)buf; + (void)num; + + return 9876; } -static int test_wolfSSL_X509_set_name(void) +static int stub_rand_status(void) +{ + return 5432; +} +#endif /* OPENSSL_EXTRA && !WOLFSSL_NO_OPENSSL_RAND_CB */ + +static int test_wolfSSL_RAND_set_rand_method(void) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ - defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_REQ) - X509* x509 = NULL; - X509_NAME* name = NULL; +#if defined(OPENSSL_EXTRA) && !defined(WOLFSSL_NO_OPENSSL_RAND_CB) + RAND_METHOD rand_methods = {NULL, NULL, NULL, NULL, NULL, NULL}; + unsigned char* buf = NULL; + int num = 0; + double entropy = 0; + int ret; + byte* was_cleanup_called = was_stub_rand_cleanup_called(); + byte* was_add_called = was_stub_rand_add_called(); - ExpectNotNull(name = X509_NAME_new()); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8, - (byte*)"wolfssl.com", 11, 0, 1), - WOLFSSL_SUCCESS); - ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "emailAddress", MBSTRING_UTF8, - (byte*)"support@wolfssl.com", 19, 
-1, - 1), WOLFSSL_SUCCESS); - ExpectNotNull(x509 = X509_new()); + ExpectNotNull(buf = (byte*)XMALLOC(32 * sizeof(byte), NULL, + DYNAMIC_TYPE_TMP_BUFFER)); - ExpectIntEQ(X509_set_subject_name(NULL, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(X509_set_subject_name(x509, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(X509_set_subject_name(NULL, name), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(X509_set_subject_name(x509, name), WOLFSSL_SUCCESS); + ExpectIntNE(wolfSSL_RAND_status(), 5432); + ExpectIntEQ(*was_cleanup_called, 0); + RAND_cleanup(); + ExpectIntEQ(*was_cleanup_called, 0); - ExpectIntEQ(X509_set_issuer_name(NULL, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(X509_set_issuer_name(x509, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(X509_set_issuer_name(NULL, name), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); - X509_free(x509); - X509_NAME_free(name); -#endif /* OPENSSL_ALL && !NO_CERTS */ - return EXPECT_RESULT(); -} + rand_methods.seed = &stub_rand_seed; + rand_methods.bytes = &stub_rand_bytes; + rand_methods.cleanup = &stub_rand_cleanup; + rand_methods.add = &stub_rand_add; + rand_methods.pseudorand = &stub_rand_pseudo_bytes; + rand_methods.status = &stub_rand_status; -static int test_wolfSSL_X509_set_notAfter(void) -{ - EXPECT_DECLS; -#if (defined(OPENSSL_ALL) || defined(WOLFSSL_APACHE_HTTPD)) \ - && !defined(NO_ASN_TIME) && !defined(USER_TIME) && \ - !defined(TIME_OVERRIDES) && !defined(NO_CERTS) && \ - defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_REQ) &&\ - !defined(TIME_T_NOT_64BIT) && !defined(NO_64BIT) && !defined(NO_BIO) - /* Generalized time will overflow time_t if not long */ - X509* x = NULL; - BIO* bio = NULL; - ASN1_TIME *asn_time = NULL; - ASN1_TIME *time_check = NULL; - const int year = 365*24*60*60; - const int day = 24*60*60; - const int hour = 60*60; - const int mini = 60; - int offset_day; - unsigned char buf[25]; - time_t t; + 
ExpectIntEQ(RAND_set_rand_method(&rand_methods), WOLFSSL_SUCCESS); + ExpectIntEQ(RAND_seed(buf, num), 123); + ExpectIntEQ(RAND_bytes(buf, num), 456); + ExpectIntEQ(RAND_pseudo_bytes(buf, num), 9876); + ExpectIntEQ(RAND_status(), 5432); + + ExpectIntEQ(*was_add_called, 0); + /* The function pointer for RAND_add returns int, but RAND_add itself + * returns void. */ + RAND_add(buf, num, entropy); + ExpectIntEQ(*was_add_called, 1); + was_add_called = 0; + ExpectIntEQ(*was_cleanup_called, 0); + RAND_cleanup(); + ExpectIntEQ(*was_cleanup_called, 1); + *was_cleanup_called = 0; + + + ret = RAND_set_rand_method(NULL); + ExpectIntEQ(ret, WOLFSSL_SUCCESS); + ExpectIntNE(RAND_status(), 5432); + ExpectIntEQ(*was_cleanup_called, 0); + RAND_cleanup(); + ExpectIntEQ(*was_cleanup_called, 0); - /* - * Setup asn_time. APACHE HTTPD uses time(NULL) - */ - t = (time_t)107 * year + 31 * day + 34 * hour + 30 * mini + 7 * day; - offset_day = 7; - /* - * Free these. - */ - asn_time = wolfSSL_ASN1_TIME_adj(NULL, t, offset_day, 0); - ExpectNotNull(asn_time); - ExpectNotNull(x = X509_new()); - ExpectNotNull(bio = BIO_new(BIO_s_mem())); - /* - * Tests - */ - ExpectTrue(wolfSSL_X509_set_notAfter(x, asn_time)); - /* time_check is simply (ANS1_TIME*)x->notAfter */ - ExpectNotNull(time_check = X509_get_notAfter(x)); - /* ANS1_TIME_check validates by checking if argument can be parsed */ - ExpectIntEQ(ASN1_TIME_check(time_check), WOLFSSL_SUCCESS); - /* Convert to human readable format and compare to intended date */ - ExpectIntEQ(ASN1_TIME_print(bio, time_check), 1); - ExpectIntEQ(BIO_read(bio, buf, sizeof(buf)), 24); - ExpectIntEQ(XMEMCMP(buf, "Jan 20 10:30:00 2077 GMT", sizeof(buf) - 1), 0); - - ExpectFalse(wolfSSL_X509_set_notAfter(NULL, NULL)); - ExpectFalse(wolfSSL_X509_set_notAfter(x, NULL)); - ExpectFalse(wolfSSL_X509_set_notAfter(NULL, asn_time)); + RAND_set_rand_method(NULL); - /* - * Cleanup - */ - XFREE(asn_time, NULL, DYNAMIC_TYPE_OPENSSL); - X509_free(x); - BIO_free(bio); -#endif + 
XFREE(buf, NULL, DYNAMIC_TYPE_TMP_BUFFER); +#endif /* OPENSSL_EXTRA && !WOLFSSL_NO_OPENSSL_RAND_CB */ return EXPECT_RESULT(); } -static int test_wolfSSL_X509_set_notBefore(void) +static int test_wolfSSL_RAND_bytes(void) { EXPECT_DECLS; -#if (defined(OPENSSL_ALL) || defined(WOLFSSL_APACHE_HTTPD)) \ - && !defined(NO_ASN_TIME) && !defined(USER_TIME) && \ - !defined(TIME_OVERRIDES) && !defined(NO_CERTS) && \ - defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_REQ) && !defined(NO_BIO) - X509* x = NULL; - BIO* bio = NULL; - ASN1_TIME *asn_time = NULL; - ASN1_TIME *time_check = NULL; - const int year = 365*24*60*60; - const int day = 24*60*60; - const int hour = 60*60; - const int mini = 60; - int offset_day; - unsigned char buf[25]; - time_t t; - - /* - * Setup asn_time. APACHE HTTPD uses time(NULL) - */ - t = (time_t)49 * year + 125 * day + 20 * hour + 30 * mini + 7 * day; - offset_day = 7; +#if defined(OPENSSL_EXTRA) + const int size1 = RNG_MAX_BLOCK_LEN; /* in bytes */ + const int size2 = RNG_MAX_BLOCK_LEN + 1; /* in bytes */ + const int size3 = RNG_MAX_BLOCK_LEN * 2; /* in bytes */ + const int size4 = RNG_MAX_BLOCK_LEN * 4; /* in bytes */ + int max_bufsize; + byte *my_buf = NULL; +#if defined(OPENSSL_EXTRA) && defined(HAVE_GETPID) && !defined(__MINGW64__) && \ + !defined(__MINGW32__) + byte seed[16] = {0}; + byte randbuf[8] = {0}; + int pipefds[2] = {0}; + pid_t pid = 0; +#endif - /* - * Free these. 
- */ - asn_time = wolfSSL_ASN1_TIME_adj(NULL, t, offset_day, 0); - ExpectNotNull(asn_time); - ExpectNotNull(x = X509_new()); - ExpectNotNull(bio = BIO_new(BIO_s_mem())); - ExpectIntEQ(ASN1_TIME_check(asn_time), WOLFSSL_SUCCESS); + /* sanity check */ + ExpectIntEQ(RAND_bytes(NULL, 16), 0); + ExpectIntEQ(RAND_bytes(NULL, 0), 0); - /* - * Main Tests - */ - ExpectTrue(wolfSSL_X509_set_notBefore(x, asn_time)); - /* time_check == (ANS1_TIME*)x->notBefore */ - ExpectNotNull(time_check = X509_get_notBefore(x)); - /* ANS1_TIME_check validates by checking if argument can be parsed */ - ExpectIntEQ(ASN1_TIME_check(time_check), WOLFSSL_SUCCESS); - /* Convert to human readable format and compare to intended date */ - ExpectIntEQ(ASN1_TIME_print(bio, time_check), 1); - ExpectIntEQ(BIO_read(bio, buf, sizeof(buf)), 24); - ExpectIntEQ(XMEMCMP(buf, "May 8 20:30:00 2019 GMT", sizeof(buf) - 1), 0); - - ExpectFalse(wolfSSL_X509_set_notBefore(NULL, NULL)); - ExpectFalse(wolfSSL_X509_set_notBefore(x, NULL)); - ExpectFalse(wolfSSL_X509_set_notBefore(NULL, asn_time)); - - ExpectNull(X509_get_notBefore(NULL)); - ExpectNull(X509_get_notAfter(NULL)); + max_bufsize = size4; - /* - * Cleanup - */ - XFREE(asn_time, NULL, DYNAMIC_TYPE_OPENSSL); - X509_free(x); - BIO_free(bio); -#endif - return EXPECT_RESULT(); -} + ExpectNotNull(my_buf = (byte*)XMALLOC(max_bufsize * sizeof(byte), HEAP_HINT, + DYNAMIC_TYPE_TMP_BUFFER)); -static int test_wolfSSL_X509_set_version(void) -{ - EXPECT_DECLS; -#if (defined(OPENSSL_ALL) || defined(WOLFSSL_APACHE_HTTPD)) && \ - !defined(NO_CERTS) && defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_REQ) - X509* x509 = NULL; - long v = 2L; - long maxInt = INT_MAX; + ExpectIntEQ(RAND_bytes(my_buf, 0), 1); + ExpectIntEQ(RAND_bytes(my_buf, -1), 0); - ExpectNotNull(x509 = X509_new()); - /* These should pass. 
*/ - ExpectTrue(wolfSSL_X509_set_version(x509, v)); - ExpectIntEQ(0, wolfSSL_X509_get_version(NULL)); - ExpectIntEQ(v, wolfSSL_X509_get_version(x509)); - /* Fail Case: When v(long) is greater than x509->version(int). */ - v = maxInt+1; - ExpectFalse(wolfSSL_X509_set_version(x509, v)); - - ExpectIntEQ(wolfSSL_X509_set_version(NULL, -1), WOLFSSL_FAILURE); - ExpectIntEQ(wolfSSL_X509_set_version(NULL, 1), WOLFSSL_FAILURE); - ExpectIntEQ(wolfSSL_X509_set_version(x509, -1), WOLFSSL_FAILURE); - ExpectIntEQ(wolfSSL_X509_set_version(NULL, maxInt+1), WOLFSSL_FAILURE); + ExpectNotNull(XMEMSET(my_buf, 0, max_bufsize)); + ExpectIntEQ(RAND_bytes(my_buf, size1), 1); + ExpectIntEQ(RAND_bytes(my_buf, size2), 1); + ExpectIntEQ(RAND_bytes(my_buf, size3), 1); + ExpectIntEQ(RAND_bytes(my_buf, size4), 1); + XFREE(my_buf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - /* Cleanup */ - X509_free(x509); -#endif - return EXPECT_RESULT(); -} +#if defined(OPENSSL_EXTRA) && defined(HAVE_GETPID) && !defined(__MINGW64__) && \ + !defined(__MINGW32__) + XMEMSET(seed, 0, sizeof(seed)); + RAND_cleanup(); -#if defined(OPENSSL_EXTRA) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) + /* No global methods set. */ + ExpectIntEQ(RAND_seed(seed, sizeof(seed)), 1); -/* test that the callback arg is correct */ -static int certCbArg = 0; + ExpectIntEQ(pipe(pipefds), 0); + pid = fork(); + ExpectIntGE(pid, 0); + if (pid == 0) { + ssize_t n_written = 0; -static int certCb(WOLFSSL* ssl, void* arg) -{ - if (ssl == NULL || arg != &certCbArg) - return 0; - if (wolfSSL_is_server(ssl)) { - if (wolfSSL_use_certificate_file(ssl, svrCertFile, - WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS) - return 0; - if (wolfSSL_use_PrivateKey_file(ssl, svrKeyFile, - WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS) - return 0; + /* Child process. */ + close(pipefds[0]); + RAND_bytes(randbuf, sizeof(randbuf)); + n_written = write(pipefds[1], randbuf, sizeof(randbuf)); + close(pipefds[1]); + exit(n_written == sizeof(randbuf) ? 
0 : 1); } else { - if (wolfSSL_use_certificate_file(ssl, cliCertFile, - WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS) - return 0; - if (wolfSSL_use_PrivateKey_file(ssl, cliKeyFile, - WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS) - return 0; - } - return 1; -} - -static int certSetupCb(WOLFSSL_CTX* ctx) -{ - SSL_CTX_set_cert_cb(ctx, certCb, &certCbArg); - return TEST_SUCCESS; -} - -/** - * This is only done because test_wolfSSL_client_server_nofail_memio has no way - * to stop certificate and key loading - */ -static int certClearCb(WOLFSSL* ssl) -{ - /* Clear the loaded certs to force the callbacks to set them up */ - SSL_certs_clear(ssl); - return TEST_SUCCESS; -} + /* Parent process. */ + byte childrand[8] = {0}; + int waitstatus = 0; + close(pipefds[1]); + ExpectIntEQ(RAND_bytes(randbuf, sizeof(randbuf)), 1); + ExpectIntEQ(read(pipefds[0], childrand, sizeof(childrand)), + sizeof(childrand)); + #ifdef WOLFSSL_NO_GETPID + ExpectBufEQ(randbuf, childrand, sizeof(randbuf)); + #else + ExpectBufNE(randbuf, childrand, sizeof(randbuf)); + #endif + close(pipefds[0]); + waitpid(pid, &waitstatus, 0); + } + RAND_cleanup(); #endif +#endif + return EXPECT_RESULT(); +} -static int test_wolfSSL_cert_cb(void) +static int test_wolfSSL_RAND(void) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) - test_ssl_cbf func_cb_client; - test_ssl_cbf func_cb_server; - size_t i; - struct { - method_provider client_meth; - method_provider server_meth; - const char* desc; - } test_params[] = { -#ifdef WOLFSSL_TLS13 - {wolfTLSv1_3_client_method, wolfTLSv1_3_server_method, "TLS 1.3"}, -#endif -#ifndef WOLFSSL_NO_TLS12 - {wolfTLSv1_2_client_method, wolfTLSv1_2_server_method, "TLS 1.2"}, -#endif -#ifndef NO_OLD_TLS - {wolfTLSv1_1_client_method, wolfTLSv1_1_server_method, "TLS 1.1"}, -#ifdef WOLFSSL_ALLOW_TLSV10 - {wolfTLSv1_client_method, wolfTLSv1_server_method, "TLS 1.0"}, -#endif -#endif - }; +#if defined(OPENSSL_EXTRA) + byte seed[16]; - for (i = 0; i < 
XELEM_CNT(test_params) && !EXPECT_FAIL(); i++) { - XMEMSET(&func_cb_client, 0, sizeof(func_cb_client)); - XMEMSET(&func_cb_server, 0, sizeof(func_cb_server)); + XMEMSET(seed, 0, sizeof(seed)); - printf("\tTesting with %s...\n", test_params[i].desc); + /* No global methods set. */ + ExpectIntEQ(RAND_seed(seed, sizeof(seed)), 1); + ExpectIntEQ(RAND_poll(), 1); + RAND_cleanup(); - func_cb_client.method = test_params[i].client_meth; - func_cb_server.method = test_params[i].server_meth; - func_cb_client.ctx_ready = certSetupCb; - func_cb_client.ssl_ready = certClearCb; - func_cb_server.ctx_ready = certSetupCb; - func_cb_server.ssl_ready = certClearCb; + ExpectIntEQ(RAND_egd(NULL), -1); +#ifndef NO_FILESYSTEM + { + char fname[100]; - ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&func_cb_client, - &func_cb_server, NULL), TEST_SUCCESS); + ExpectNotNull(RAND_file_name(fname, (sizeof(fname) - 1))); + ExpectIntEQ(RAND_write_file(NULL), 0); } +#endif #endif return EXPECT_RESULT(); } -#if defined(OPENSSL_EXTRA) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) -static const char* test_wolfSSL_cert_cb_dyn_ciphers_client_cipher = NULL; -static const char* test_wolfSSL_cert_cb_dyn_ciphers_client_sigalgs = NULL; -static int test_wolfSSL_cert_cb_dyn_ciphers_client_ctx_ready(WOLFSSL_CTX* ctx) +#if defined(WC_RNG_SEED_CB) && defined(OPENSSL_EXTRA) +static int wc_DummyGenerateSeed(OS_Seed* os, byte* output, word32 sz) { - EXPECT_DECLS; - ExpectIntEQ(wolfSSL_CTX_set_cipher_list(ctx, - test_wolfSSL_cert_cb_dyn_ciphers_client_cipher), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, - test_wolfSSL_cert_cb_dyn_ciphers_client_sigalgs), WOLFSSL_SUCCESS); - return EXPECT_RESULT(); + word32 i; + for (i = 0; i < sz; i++ ) + output[i] = (byte)i; + + (void)os; + + return 0; } +#endif /* WC_RNG_SEED_CB */ -static int test_wolfSSL_cert_cb_dyn_ciphers_certCB(WOLFSSL* ssl, void* arg) -{ - const byte* suites = NULL; - word16 suiteSz = 0; - const byte* hashSigAlgo = NULL; - word16 
hashSigAlgoSz = 0; - word16 idx = 0; - int haveRSA = 0; - int haveECC = 0; - (void)arg; +static int test_wolfSSL_RAND_poll(void) +{ + EXPECT_DECLS; - if (wolfSSL_get_client_suites_sigalgs(ssl, &suites, &suiteSz, &hashSigAlgo, - &hashSigAlgoSz) != WOLFSSL_SUCCESS) - return 0; - if (suites == NULL || suiteSz == 0 || hashSigAlgo == NULL || - hashSigAlgoSz == 0) - return 0; +#if defined(OPENSSL_EXTRA) + byte seed[16]; + byte rand1[16]; +#ifdef WC_RNG_SEED_CB + byte rand2[16]; +#endif - for (idx = 0; idx < suiteSz; idx += 2) { - WOLFSSL_CIPHERSUITE_INFO info = - wolfSSL_get_ciphersuite_info(suites[idx], suites[idx+1]); + XMEMSET(seed, 0, sizeof(seed)); + ExpectIntEQ(RAND_seed(seed, sizeof(seed)), 1); + ExpectIntEQ(RAND_poll(), 1); + ExpectIntEQ(RAND_bytes(rand1, 16), 1); + RAND_cleanup(); - if (info.rsaAuth) - haveRSA = 1; - else if (info.eccAuth) - haveECC = 1; - } +#ifdef WC_RNG_SEED_CB + /* Test with custom seed and poll */ + wc_SetSeed_Cb(wc_DummyGenerateSeed); - if (hashSigAlgoSz > 0) { - /* sigalgs extension takes precedence over ciphersuites */ - haveRSA = 0; - haveECC = 0; - } - for (idx = 0; idx < hashSigAlgoSz; idx += 2) { - int hashAlgo = 0; - int sigAlgo = 0; + ExpectIntEQ(RAND_seed(seed, sizeof(seed)), 1); + ExpectIntEQ(RAND_bytes(rand1, 16), 1); + RAND_cleanup(); - if (wolfSSL_get_sigalg_info(hashSigAlgo[idx+0], hashSigAlgo[idx+1], - &hashAlgo, &sigAlgo) != 0) - return 0; + /* test that the same value is generated twice with dummy seed function */ + ExpectIntEQ(RAND_seed(seed, sizeof(seed)), 1); + ExpectIntEQ(RAND_bytes(rand2, 16), 1); + ExpectIntEQ(XMEMCMP(rand1, rand2, 16), 0); + RAND_cleanup(); - if (sigAlgo == RSAk || sigAlgo == RSAPSSk) - haveRSA = 1; - else if (sigAlgo == ECDSAk) - haveECC = 1; - } + /* test that doing a poll is reseeding RNG */ + ExpectIntEQ(RAND_seed(seed, sizeof(seed)), 1); + ExpectIntEQ(RAND_poll(), 1); + ExpectIntEQ(RAND_bytes(rand2, 16), 1); + ExpectIntNE(XMEMCMP(rand1, rand2, 16), 0); - if (haveRSA) { - if 
(wolfSSL_use_certificate_file(ssl, svrCertFile, WOLFSSL_FILETYPE_PEM) - != WOLFSSL_SUCCESS) - return 0; - if (wolfSSL_use_PrivateKey_file(ssl, svrKeyFile, WOLFSSL_FILETYPE_PEM) - != WOLFSSL_SUCCESS) - return 0; - } - else if (haveECC) { - if (wolfSSL_use_certificate_file(ssl, eccCertFile, WOLFSSL_FILETYPE_PEM) - != WOLFSSL_SUCCESS) - return 0; - if (wolfSSL_use_PrivateKey_file(ssl, eccKeyFile, WOLFSSL_FILETYPE_PEM) - != WOLFSSL_SUCCESS) - return 0; - } + /* reset the seed function used */ + wc_SetSeed_Cb(WC_GENERATE_SEED_DEFAULT); +#endif + RAND_cleanup(); - return 1; -} + ExpectIntEQ(RAND_egd(NULL), -1); +#endif -static int test_wolfSSL_cert_cb_dyn_ciphers_server_ctx_ready(WOLFSSL_CTX* ctx) -{ - SSL_CTX_set_cert_cb(ctx, test_wolfSSL_cert_cb_dyn_ciphers_certCB, NULL); - wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_NONE, NULL); - return TEST_SUCCESS; + return EXPECT_RESULT(); } -#endif -/* Testing dynamic ciphers offered by client */ -static int test_wolfSSL_cert_cb_dyn_ciphers(void) +static int test_wolfSSL_PKCS8_Compat(void) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) - test_ssl_cbf func_cb_client; - test_ssl_cbf func_cb_server; - struct { - method_provider client_meth; - const char* client_ciphers; - const char* client_sigalgs; - const char* client_ca; - method_provider server_meth; - } test_params[] = { -#if !defined(NO_SHA256) && defined(HAVE_AESGCM) -#ifdef WOLFSSL_TLS13 -#if !defined(NO_RSA) && defined(WC_RSA_PSS) - {wolfTLSv1_3_client_method, - "TLS13-AES256-GCM-SHA384:TLS13-AES128-GCM-SHA256", - "RSA-PSS+SHA256", caCertFile, wolfTLSv1_3_server_method}, -#endif -#ifdef HAVE_ECC - {wolfTLSv1_3_client_method, - "TLS13-AES256-GCM-SHA384:TLS13-AES128-GCM-SHA256", - "ECDSA+SHA256", caEccCertFile, wolfTLSv1_3_server_method}, -#endif -#endif -#ifndef WOLFSSL_NO_TLS12 -#if !defined(NO_RSA) && defined(WC_RSA_PSS) && !defined(NO_DH) - {wolfTLSv1_2_client_method, - "DHE-RSA-AES128-GCM-SHA256", - "RSA-PSS+SHA256", caCertFile, 
wolfTLSv1_2_server_method}, -#endif -#ifdef HAVE_ECC - {wolfTLSv1_2_client_method, - "ECDHE-ECDSA-AES128-GCM-SHA256", - "ECDSA+SHA256", caEccCertFile, wolfTLSv1_2_server_method}, -#endif -#endif +#if defined(OPENSSL_EXTRA) && !defined(NO_FILESYSTEM) && defined(HAVE_ECC) && \ + !defined(NO_BIO) + PKCS8_PRIV_KEY_INFO* pt = NULL; + PKCS8_PRIV_KEY_INFO* pt2 = NULL; + BIO* bio = NULL; + XFILE f = XBADFILE; + int bytes = 0; + char pkcs8_buffer[512]; +#if defined(OPENSSL_ALL) || defined(WOLFSSL_WPAS_SMALL) + EVP_PKEY *pkey = NULL; #endif - }; - size_t i; - size_t testCount = sizeof(test_params)/sizeof(*test_params); - if (testCount > 0) { - for (i = 0; i < testCount; i++) { - printf("\tTesting %s ciphers with %s sigalgs\n", - test_params[i].client_ciphers, - test_params[i].client_sigalgs); + /* file from wolfssl/certs/ directory */ + ExpectTrue((f = XFOPEN("./certs/ecc-keyPkcs8.pem", "rb")) != XBADFILE); + ExpectIntGT((bytes = (int)XFREAD(pkcs8_buffer, 1, sizeof(pkcs8_buffer), f)), + 0); + if (f != XBADFILE) + XFCLOSE(f); + ExpectNotNull(bio = BIO_new_mem_buf((void*)pkcs8_buffer, bytes)); + ExpectNotNull(pt = d2i_PKCS8_PRIV_KEY_INFO_bio(bio, NULL)); - XMEMSET(&func_cb_client, 0, sizeof(func_cb_client)); - XMEMSET(&func_cb_server, 0, sizeof(func_cb_server)); +#if defined(OPENSSL_ALL) || defined(WOLFSSL_WPAS_SMALL) + ExpectNotNull(pkey = EVP_PKCS82PKEY(pt)); + ExpectIntEQ(EVP_PKEY_type(pkey->type), EVP_PKEY_EC); - test_wolfSSL_cert_cb_dyn_ciphers_client_cipher = - test_params[i].client_ciphers; - test_wolfSSL_cert_cb_dyn_ciphers_client_sigalgs = - test_params[i].client_sigalgs; - func_cb_client.method = test_params[i].client_meth; - func_cb_client.caPemFile = test_params[i].client_ca; - func_cb_client.ctx_ready = - test_wolfSSL_cert_cb_dyn_ciphers_client_ctx_ready; + /* gets PKCS8 pointer to pkey */ + ExpectNotNull(pt2 = EVP_PKEY2PKCS8(pkey)); - func_cb_server.ctx_ready = - test_wolfSSL_cert_cb_dyn_ciphers_server_ctx_ready; - func_cb_server.ssl_ready = certClearCb; /* Reuse 
from prev test */ - func_cb_server.method = test_params[i].server_meth; + EVP_PKEY_free(pkey); +#endif - ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&func_cb_client, - &func_cb_server, NULL), TEST_SUCCESS); - } - } + BIO_free(bio); + PKCS8_PRIV_KEY_INFO_free(pt); + PKCS8_PRIV_KEY_INFO_free(pt2); #endif return EXPECT_RESULT(); } -static int test_wolfSSL_ciphersuite_auth(void) +#if defined(OPENSSL_EXTRA) && !defined(NO_FILESYSTEM) && !defined(NO_BIO) +static int NoPasswordCallBack(char* passwd, int sz, int rw, void* userdata) { - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) - WOLFSSL_CIPHERSUITE_INFO info; - - (void)info; + (void)passwd; + (void)sz; + (void)rw; + (void)userdata; -#ifndef WOLFSSL_NO_TLS12 -#ifdef HAVE_CHACHA - info = wolfSSL_get_ciphersuite_info(CHACHA_BYTE, - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256); - ExpectIntEQ(info.rsaAuth, 1); - ExpectIntEQ(info.eccAuth, 0); - ExpectIntEQ(info.eccStatic, 0); - ExpectIntEQ(info.psk, 0); + return -1; +} +#endif - info = wolfSSL_get_ciphersuite_info(CHACHA_BYTE, - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256); - ExpectIntEQ(info.rsaAuth, 0); - ExpectIntEQ(info.eccAuth, 1); - ExpectIntEQ(info.eccStatic, 0); - ExpectIntEQ(info.psk, 0); +static int test_wolfSSL_PKCS8_d2i(void) +{ + EXPECT_DECLS; +#if !defined(HAVE_FIPS) && defined(OPENSSL_EXTRA) + /* This test ends up using HMAC as a part of PBKDF2, and HMAC + * requires a 12 byte password in FIPS mode. This test ends up + * trying to use an 8 byte password. 
*/ - info = wolfSSL_get_ciphersuite_info(CHACHA_BYTE, - TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256); - ExpectIntEQ(info.rsaAuth, 0); - ExpectIntEQ(info.eccAuth, 0); - ExpectIntEQ(info.eccStatic, 0); - ExpectIntEQ(info.psk, 1); +#ifndef NO_FILESYSTEM + unsigned char pkcs8_buffer[2048]; + const unsigned char* p = NULL; + int bytes = 0; + XFILE file = XBADFILE; + WOLFSSL_EVP_PKEY* pkey = NULL; +#ifndef NO_BIO + BIO* bio = NULL; + #if defined(OPENSSL_ALL) && \ + ((!defined(NO_RSA) && !defined(NO_DES3)) || \ + defined(HAVE_ECC)) && \ + !defined(NO_BIO) && !defined(NO_PWDBASED) && defined(HAVE_PKCS8) + WOLFSSL_EVP_PKEY* evpPkey = NULL; + #endif #endif -#if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || defined(HAVE_CURVE448) #ifndef NO_RSA - info = wolfSSL_get_ciphersuite_info(ECC_BYTE, - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA); - ExpectIntEQ(info.rsaAuth, 1); - ExpectIntEQ(info.eccAuth, 0); - ExpectIntEQ(info.eccStatic, 0); - ExpectIntEQ(info.psk, 0); - - info = wolfSSL_get_ciphersuite_info(ECC_BYTE, - TLS_ECDH_RSA_WITH_AES_128_CBC_SHA); - ExpectIntEQ(info.rsaAuth, 1); - ExpectIntEQ(info.eccAuth, 0); - ExpectIntEQ(info.eccStatic, 1); - ExpectIntEQ(info.psk, 0); + const char rsaDerPkcs8File[] = "./certs/server-keyPkcs8.der"; + const char rsaPemPkcs8File[] = "./certs/server-keyPkcs8.pem"; + #ifndef NO_DES3 + const char rsaDerPkcs8EncFile[] = "./certs/server-keyPkcs8Enc.der"; + #endif +#endif /* NO_RSA */ +#ifdef HAVE_ECC + const char ecDerPkcs8File[] = "certs/ecc-keyPkcs8.der"; + const char ecPemPkcs8File[] = "certs/ecc-keyPkcs8.pem"; + #ifndef NO_DES3 + const char ecDerPkcs8EncFile[] = "certs/ecc-keyPkcs8Enc.der"; + #endif +#endif /* HAVE_ECC */ +#endif /* !NO_FILESYSTEM */ - info = wolfSSL_get_ciphersuite_info(ECC_BYTE, - TLS_ECDH_RSA_WITH_AES_256_CBC_SHA); - ExpectIntEQ(info.rsaAuth, 1); - ExpectIntEQ(info.eccAuth, 0); - ExpectIntEQ(info.eccStatic, 1); - ExpectIntEQ(info.psk, 0); +#if defined(OPENSSL_ALL) && (!defined(NO_RSA) || defined(HAVE_ECC)) +#ifndef NO_RSA + 
#ifdef USE_CERT_BUFFERS_1024 + const unsigned char* rsa = (unsigned char*)server_key_der_1024; + int rsaSz = sizeof_server_key_der_1024; + #else + const unsigned char* rsa = (unsigned char*)server_key_der_2048; + int rsaSz = sizeof_server_key_der_2048; + #endif +#endif +#ifdef HAVE_ECC + const unsigned char* ec = (unsigned char*)ecc_key_der_256; + int ecSz = sizeof_ecc_key_der_256; #endif - info = wolfSSL_get_ciphersuite_info(ECC_BYTE, - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA); - ExpectIntEQ(info.rsaAuth, 0); - ExpectIntEQ(info.eccAuth, 1); - ExpectIntEQ(info.eccStatic, 0); - ExpectIntEQ(info.psk, 0); +#endif /* OPENSSL_ALL && (!NO_RSA || HAVE_ECC) */ - info = wolfSSL_get_ciphersuite_info(ECC_BYTE, - TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA); - ExpectIntEQ(info.rsaAuth, 0); - ExpectIntEQ(info.eccAuth, 1); - ExpectIntEQ(info.eccStatic, 1); - ExpectIntEQ(info.psk, 0); - info = wolfSSL_get_ciphersuite_info(ECDHE_PSK_BYTE, - TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256); - ExpectIntEQ(info.rsaAuth, 0); - ExpectIntEQ(info.eccAuth, 0); - ExpectIntEQ(info.eccStatic, 0); - ExpectIntEQ(info.psk, 1); +#ifndef NO_FILESYSTEM + (void)pkcs8_buffer; + (void)p; + (void)bytes; + (void)file; +#ifndef NO_BIO + (void)bio; #endif #endif -#ifdef WOLFSSL_TLS13 - info = wolfSSL_get_ciphersuite_info(TLS13_BYTE, - TLS_AES_128_GCM_SHA256); - ExpectIntEQ(info.rsaAuth, 0); - ExpectIntEQ(info.eccAuth, 0); - ExpectIntEQ(info.eccStatic, 0); - ExpectIntEQ(info.psk, 0); +#ifdef OPENSSL_ALL +#ifndef NO_RSA + /* Try to auto-detect normal RSA private key */ + ExpectNotNull(pkey = d2i_AutoPrivateKey(NULL, &rsa, rsaSz)); + EVP_PKEY_free(pkey); + pkey = NULL; #endif - +#ifdef HAVE_ECC + /* Try to auto-detect normal EC private key */ + ExpectNotNull(pkey = d2i_AutoPrivateKey(NULL, &ec, ecSz)); + EVP_PKEY_free(pkey); + pkey = NULL; #endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_sigalg_info(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) - byte hashSigAlgo[WOLFSSL_MAX_SIGALGO]; - word16 len = 0; - 
word16 idx = 0; - int allSigAlgs = SIG_ECDSA | SIG_RSA | SIG_SM2 | SIG_FALCON | SIG_DILITHIUM; - - InitSuitesHashSigAlgo(hashSigAlgo, allSigAlgs, 1, 0xFFFFFFFF, &len); - for (idx = 0; idx < len; idx += 2) { - int hashAlgo = 0; - int sigAlgo = 0; +#endif /* OPENSSL_ALL */ - ExpectIntEQ(wolfSSL_get_sigalg_info(hashSigAlgo[idx+0], - hashSigAlgo[idx+1], &hashAlgo, &sigAlgo), 0); +#ifndef NO_FILESYSTEM +#if defined(OPENSSL_ALL) && !defined(NO_PWDBASED) && defined(HAVE_PKCS8) + ExpectIntEQ(PEM_write_PKCS8PrivateKey(XBADFILE, pkey, NULL, NULL, 0, NULL, + NULL), 0); + ExpectIntEQ(PEM_write_PKCS8PrivateKey(stderr, NULL, NULL, NULL, 0, NULL, + NULL), 0); +#endif - ExpectIntNE(hashAlgo, 0); - ExpectIntNE(sigAlgo, 0); +#ifndef NO_RSA + /* Get DER encoded RSA PKCS#8 data. */ + ExpectTrue((file = XFOPEN(rsaDerPkcs8File, "rb")) != XBADFILE); + ExpectNotNull(XMEMSET(pkcs8_buffer, 0, sizeof(pkcs8_buffer))); + ExpectIntGT((bytes = (int)XFREAD(pkcs8_buffer, 1, sizeof(pkcs8_buffer), + file)), 0); + if (file != XBADFILE) { + XFCLOSE(file); + file = XBADFILE; } - InitSuitesHashSigAlgo(hashSigAlgo, allSigAlgs | SIG_ANON, 1, - 0xFFFFFFFF, &len); - for (idx = 0; idx < len; idx += 2) { - int hashAlgo = 0; - int sigAlgo = 0; - - ExpectIntEQ(wolfSSL_get_sigalg_info(hashSigAlgo[idx+0], - hashSigAlgo[idx+1], &hashAlgo, &sigAlgo), 0); + p = pkcs8_buffer; +#ifdef OPENSSL_ALL + /* Try to decode - auto-detect key type. */ + ExpectNotNull(pkey = d2i_AutoPrivateKey(NULL, &p, bytes)); +#else + ExpectNotNull(pkey = d2i_PrivateKey(EVP_PKEY_RSA, NULL, &p, bytes)); +#endif - ExpectIntNE(hashAlgo, 0); + /* Get PEM encoded RSA PKCS#8 data. 
*/ + ExpectTrue((file = XFOPEN(rsaPemPkcs8File, "rb")) != XBADFILE); + ExpectIntGT((bytes = (int)XFREAD(pkcs8_buffer, 1, sizeof(pkcs8_buffer), + file)), 0); + if (file != XBADFILE) { + XFCLOSE(file); + file = XBADFILE; } - +#if defined(OPENSSL_ALL) && \ + !defined(NO_BIO) && !defined(NO_PWDBASED) && defined(HAVE_PKCS8) + ExpectNotNull(bio = BIO_new(BIO_s_mem())); + ExpectIntEQ(PEM_write_bio_PKCS8PrivateKey(NULL, pkey, NULL, NULL, 0, NULL, + NULL), 0); + ExpectIntEQ(PEM_write_bio_PKCS8PrivateKey(bio, NULL, NULL, NULL, 0, NULL, + NULL), 0); + /* Write PKCS#8 PEM to BIO. */ + ExpectIntEQ(PEM_write_bio_PKCS8PrivateKey(bio, pkey, NULL, NULL, 0, NULL, + NULL), bytes); + /* Write PKCS#8 PEM to stderr. */ + ExpectIntEQ(PEM_write_PKCS8PrivateKey(stderr, pkey, NULL, NULL, 0, NULL, + NULL), bytes); + /* Compare file and written data */ + ExpectIntEQ(BIO_get_mem_data(bio, &p), bytes); + ExpectIntEQ(XMEMCMP(p, pkcs8_buffer, bytes), 0); + BIO_free(bio); + bio = NULL; +#if !defined(NO_AES) && defined(HAVE_AESGCM) + ExpectIntEQ(PEM_write_PKCS8PrivateKey(stderr, pkey, EVP_aes_128_gcm(), + NULL, 0, PasswordCallBack, (void*)"yassl123"), 0); #endif - return EXPECT_RESULT(); -} +#if !defined(NO_DES3) && !defined(NO_SHA) + ExpectNotNull(bio = BIO_new(BIO_s_mem())); + /* Write Encrypted PKCS#8 PEM to BIO. 
*/ + bytes = 1834; + ExpectIntEQ(PEM_write_bio_PKCS8PrivateKey(bio, pkey, EVP_des_ede3_cbc(), + NULL, 0, PasswordCallBack, (void*)"yassl123"), bytes); + ExpectIntEQ(PEM_write_PKCS8PrivateKey(stderr, pkey, EVP_des_ede3_cbc(), + NULL, 0, PasswordCallBack, (void*)"yassl123"), bytes); + ExpectNotNull(evpPkey = PEM_read_bio_PrivateKey(bio, NULL, PasswordCallBack, + (void*)"yassl123")); + EVP_PKEY_free(evpPkey); + evpPkey = NULL; + BIO_free(bio); + bio = NULL; +#endif /* !NO_DES3 && !NO_SHA */ +#endif /* !NO_BIO && !NO_PWDBASED && HAVE_PKCS8 */ + EVP_PKEY_free(pkey); + pkey = NULL; -static int test_wolfSSL_SESSION(void) -{ - EXPECT_DECLS; -#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \ - !defined(NO_RSA) && !defined(NO_SHA256) && \ - defined(HAVE_IO_TESTS_DEPENDENCIES) && !defined(NO_SESSION_CACHE) - WOLFSSL* ssl = NULL; - WOLFSSL_CTX* ctx = NULL; - WOLFSSL_SESSION* sess = NULL; - WOLFSSL_SESSION* sess_copy = NULL; -#ifdef OPENSSL_EXTRA -#ifdef HAVE_EXT_CACHE - unsigned char* sessDer = NULL; - unsigned char* ptr = NULL; - int sz = 0; -#endif - const unsigned char context[] = "user app context"; - unsigned int contextSz = (unsigned int)sizeof(context); -#endif - int ret = 0, err = 0; - SOCKET_T sockfd; - tcp_ready ready; - func_args server_args; - THREAD_TYPE serverThread; - char msg[80]; - const char* sendGET = "GET"; + /* PKCS#8 encrypted RSA key */ +#ifndef NO_DES3 + ExpectTrue((file = XFOPEN(rsaDerPkcs8EncFile, "rb")) != XBADFILE); + ExpectNotNull(XMEMSET(pkcs8_buffer, 0, sizeof(pkcs8_buffer))); + ExpectIntGT((bytes = (int)XFREAD(pkcs8_buffer, 1, sizeof(pkcs8_buffer), + file)), 0); + if (file != XBADFILE) { + XFCLOSE(file); + file = XBADFILE; + } +#if defined(OPENSSL_ALL) && \ + !defined(NO_BIO) && !defined(NO_PWDBASED) && defined(HAVE_PKCS8) + ExpectNotNull(bio = BIO_new_mem_buf((void*)pkcs8_buffer, bytes)); + ExpectNotNull(pkey = d2i_PKCS8PrivateKey_bio(bio, NULL, PasswordCallBack, + (void*)"yassl123")); + EVP_PKEY_free(pkey); + pkey = NULL; + BIO_free(bio); 
+ bio = NULL; +#endif /* OPENSSL_ALL && !NO_BIO && !NO_PWDBASED && HAVE_PKCS8 */ +#endif /* !NO_DES3 */ +#endif /* NO_RSA */ - /* TLS v1.3 requires session tickets */ - /* CHACHA and POLY1305 required for myTicketEncCb */ -#if !defined(WOLFSSL_NO_TLS12) && (!defined(WOLFSSL_TLS13) || \ - !(defined(HAVE_SESSION_TICKET) && ((defined(HAVE_CHACHA) && \ - defined(HAVE_POLY1305)) || defined(HAVE_AESGCM)))) - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method())); +#ifdef HAVE_ECC + /* PKCS#8 encode EC key */ + ExpectTrue((file = XFOPEN(ecDerPkcs8File, "rb")) != XBADFILE); + ExpectNotNull(XMEMSET(pkcs8_buffer, 0, sizeof(pkcs8_buffer))); + ExpectIntGT((bytes = (int)XFREAD(pkcs8_buffer, 1, sizeof(pkcs8_buffer), + file)), 0); + if (file != XBADFILE) { + XFCLOSE(file); + file = XBADFILE; + } + + p = pkcs8_buffer; +#ifdef OPENSSL_ALL + /* Try to decode - auto-detect key type. */ + ExpectNotNull(pkey = d2i_AutoPrivateKey(NULL, &p, bytes)); #else - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); + ExpectNotNull(pkey = d2i_PrivateKey(EVP_PKEY_EC, NULL, &p, bytes)); #endif - ExpectTrue(wolfSSL_CTX_use_certificate_file(ctx, cliCertFile, - CERT_FILETYPE)); - ExpectTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, cliKeyFile, - CERT_FILETYPE)); - ExpectIntEQ(wolfSSL_CTX_load_verify_locations(ctx, caCertFile, 0), - WOLFSSL_SUCCESS); -#ifdef WOLFSSL_ENCRYPTED_KEYS - wolfSSL_CTX_set_default_passwd_cb(ctx, PasswordCallBack); -#endif -#ifdef HAVE_SESSION_TICKET - /* Use session tickets, for ticket tests below */ - ExpectIntEQ(wolfSSL_CTX_UseSessionTicket(ctx), WOLFSSL_SUCCESS); -#endif + /* Get PEM encoded RSA PKCS#8 data. 
*/ + ExpectTrue((file = XFOPEN(ecPemPkcs8File, "rb")) != XBADFILE); + ExpectNotNull(XMEMSET(pkcs8_buffer, 0, sizeof(pkcs8_buffer))); + ExpectIntGT((bytes = (int)XFREAD(pkcs8_buffer, 1, sizeof(pkcs8_buffer), + file)), 0); + if (file != XBADFILE) { + XFCLOSE(file); + file = XBADFILE; + } +#if defined(OPENSSL_ALL) && \ + !defined(NO_BIO) && !defined(NO_PWDBASED) && defined(HAVE_PKCS8) && \ + defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_256) + ExpectNotNull(bio = BIO_new(BIO_s_mem())); + /* Write PKCS#8 PEM to BIO. */ + ExpectIntEQ(PEM_write_bio_PKCS8PrivateKey(bio, pkey, NULL, NULL, 0, NULL, + NULL), bytes); + ExpectIntEQ(PEM_write_PKCS8PrivateKey(stderr, pkey, NULL, NULL, 0, NULL, + NULL), bytes); + /* Compare file and written data */ + ExpectIntEQ(BIO_get_mem_data(bio, &p), bytes); + ExpectIntEQ(XMEMCMP(p, pkcs8_buffer, bytes), 0); + BIO_free(bio); + bio = NULL; + ExpectNotNull(bio = BIO_new(BIO_s_mem())); + /* Write Encrypted PKCS#8 PEM to BIO (test write 0 then 379) */ + bytes = 379; + ExpectIntEQ(PEM_write_bio_PKCS8PrivateKey(bio, pkey, EVP_aes_256_cbc(), + NULL, 0, NoPasswordCallBack, (void*)"yassl123"), 0); + ExpectIntEQ(PEM_write_bio_PKCS8PrivateKey(bio, pkey, EVP_aes_256_cbc(), + NULL, 0, PasswordCallBack, (void*)"yassl123"), bytes); - XMEMSET(&server_args, 0, sizeof(func_args)); -#ifdef WOLFSSL_TIRTOS - fdOpenSession(Task_self()); -#endif + /* invalid cases to stderr */ + #ifdef WOLFSSL_AES_128 + ExpectIntEQ(PEM_write_PKCS8PrivateKey(stderr, pkey, EVP_aes_128_cbc(), + NULL, 0, PasswordCallBack, (void*)"yassl123"), bytes); + ExpectIntEQ(PEM_write_PKCS8PrivateKey(stderr, pkey, EVP_aes_128_cbc(), + (char*)"yassl123", 8, PasswordCallBack, NULL), bytes); + #endif + ExpectIntEQ(PEM_write_PKCS8PrivateKey(stderr, pkey, EVP_aes_256_cbc(), + NULL, 0, PasswordCallBack, (void*)"yassl123"), bytes); + ExpectIntEQ(PEM_write_PKCS8PrivateKey(stderr, pkey, EVP_aes_256_cbc(), + (char*)"yassl123", 8, PasswordCallBack, NULL), bytes); - StartTCP(); - InitTcpReady(&ready); + /* 
read/decode private key with password */ + ExpectNotNull(evpPkey = PEM_read_bio_PrivateKey(bio, NULL, PasswordCallBack, + (void*)"yassl123")); + EVP_PKEY_free(evpPkey); + evpPkey = NULL; + BIO_free(bio); + bio = NULL; -#if defined(USE_WINDOWS_API) - /* use RNG to get random port if using windows */ - ready.port = GetRandomPort(); -#endif + /* https://github.com/wolfSSL/wolfssl/issues/8610 */ + bytes = (int)XSTRLEN((char *)pkcs8_buffer); + ExpectNotNull(bio = BIO_new_mem_buf((void*)pkcs8_buffer, bytes)); + ExpectIntEQ(BIO_get_mem_data(bio, &p), bytes); + ExpectIntEQ(XMEMCMP(p, pkcs8_buffer, bytes), 0); - server_args.signal = &ready; - start_thread(test_server_nofail, &server_args, &serverThread); - wait_tcp_ready(&server_args); + ExpectNotNull(evpPkey = PEM_read_bio_PrivateKey(bio, NULL, NULL, + (void*)"yassl123")); + ExpectIntEQ(PEM_write_PKCS8PrivateKey(stderr, evpPkey, NULL, + NULL, 0, NULL, NULL), bytes); + EVP_PKEY_free(evpPkey); + evpPkey = NULL; + BIO_free(bio); + bio = NULL; +#endif /* OPENSSL_ALL && !NO_BIO && !NO_PWDBASED && HAVE_PKCS8 && HAVE_AES_CBC */ + EVP_PKEY_free(pkey); + pkey = NULL; - /* client connection */ - ExpectNotNull(ssl = wolfSSL_new(ctx)); - tcp_connect(&sockfd, wolfSSLIP, ready.port, 0, 0, ssl); - ExpectIntEQ(wolfSSL_set_fd(ssl, sockfd), WOLFSSL_SUCCESS); + /* PKCS#8 encrypted EC key */ +#ifndef NO_DES3 + ExpectTrue((file = XFOPEN(ecDerPkcs8EncFile, "rb")) != XBADFILE); + ExpectNotNull(XMEMSET(pkcs8_buffer, 0, sizeof(pkcs8_buffer))); + ExpectIntGT((bytes = (int)XFREAD(pkcs8_buffer, 1, sizeof(pkcs8_buffer), + file)), 0); + if (file != XBADFILE) { + XFCLOSE(file); + file = XBADFILE; + } +#if defined(OPENSSL_ALL) && \ + !defined(NO_BIO) && !defined(NO_PWDBASED) && defined(HAVE_PKCS8) + ExpectNotNull(bio = BIO_new_mem_buf((void*)pkcs8_buffer, bytes)); + ExpectNotNull(pkey = d2i_PKCS8PrivateKey_bio(bio, NULL, PasswordCallBack, + (void*)"yassl123")); + EVP_PKEY_free(pkey); + pkey = NULL; + BIO_free(bio); + bio = NULL; +#endif /* OPENSSL_ALL && 
!NO_BIO && !NO_PWDBASED && HAVE_PKCS8 */ +#endif /* !NO_DES3 */ +#endif /* HAVE_ECC */ - WOLFSSL_ASYNC_WHILE_PENDING(ret = wolfSSL_connect(ssl), - ret != WOLFSSL_SUCCESS); - ExpectIntEQ(ret, WOLFSSL_SUCCESS); +#endif /* !NO_FILESYSTEM */ +#endif /* HAVE_FIPS && OPENSSL_EXTRA */ + return EXPECT_RESULT(); +} - WOLFSSL_ASYNC_WHILE_PENDING( - ret = wolfSSL_write(ssl, sendGET, (int)XSTRLEN(sendGET)), - ret <= 0); - ExpectIntEQ(ret, (int)XSTRLEN(sendGET)); +#if !defined(SINGLE_THREADED) && defined(ERROR_QUEUE_PER_THREAD) && \ + !defined(NO_ERROR_QUEUE) && defined(OPENSSL_EXTRA) && \ + defined(DEBUG_WOLFSSL) +#define LOGGING_THREADS 5 +#define ERROR_COUNT 10 +/* copied from logging.c since this is not exposed otherwise */ +#ifndef ERROR_QUEUE_MAX +#ifdef ERROR_QUEUE_PER_THREAD + #define ERROR_QUEUE_MAX 16 +#else + /* this breaks from compat of unlimited error queue size */ + #define ERROR_QUEUE_MAX 100 +#endif +#endif - WOLFSSL_ASYNC_WHILE_PENDING(ret = wolfSSL_read(ssl, msg, sizeof(msg)), - ret != 23); - ExpectIntEQ(ret, 23); +static volatile int loggingThreadsReady; +static THREAD_RETURN WOLFSSL_THREAD test_logging(void* args) +{ + const char* file; + int line; + unsigned long err; + int errorCount = 0; + int i; - ExpectPtrNE((sess = wolfSSL_get1_session(ssl)), NULL); /* ref count 1 */ - ExpectPtrNE((sess_copy = wolfSSL_get1_session(ssl)), NULL); /* ref count 2 */ - ExpectIntEQ(wolfSSL_SessionIsSetup(sess), 1); -#ifdef HAVE_EXT_CACHE - ExpectPtrEq(sess, sess_copy); /* they should be the same pointer but without - * HAVE_EXT_CACHE we get new objects each time */ -#endif - wolfSSL_SESSION_free(sess_copy); sess_copy = NULL; - wolfSSL_SESSION_free(sess); sess = NULL; /* free session ref */ + (void)args; - sess = wolfSSL_get_session(ssl); + while (!loggingThreadsReady); + for (i = 0; i < ERROR_COUNT; i++) + ERR_put_error(ERR_LIB_PEM, SYS_F_ACCEPT, -990 - i, __FILE__, __LINE__); -#ifdef OPENSSL_EXTRA - ExpectIntEQ(SSL_SESSION_is_resumable(NULL), 0); - 
ExpectIntEQ(SSL_SESSION_is_resumable(sess), 1); + while ((err = ERR_get_error_line(&file, &line))) { + AssertIntEQ(err, 990 + errorCount); + errorCount++; + } + AssertIntEQ(errorCount, ERROR_COUNT); - ExpectIntEQ(wolfSSL_SESSION_has_ticket(NULL), 0); - ExpectIntEQ(wolfSSL_SESSION_get_ticket_lifetime_hint(NULL), 0); - #ifdef HAVE_SESSION_TICKET - ExpectIntEQ(wolfSSL_SESSION_has_ticket(sess), 1); - ExpectIntEQ(wolfSSL_SESSION_get_ticket_lifetime_hint(sess), - SESSION_TICKET_HINT_DEFAULT); - #else - ExpectIntEQ(wolfSSL_SESSION_has_ticket(sess), 0); - #endif -#else - (void)sess; -#endif /* OPENSSL_EXTRA */ + /* test max queue behavior, trying to add an arbitrary 3 errors over */ + ERR_clear_error(); /* ERR_get_error_line() does not remove */ + errorCount = 0; + for (i = 0; i < ERROR_QUEUE_MAX + 3; i++) + ERR_put_error(ERR_LIB_PEM, SYS_F_ACCEPT, -990 - i, __FILE__, __LINE__); - /* Retain copy of the session for later testing */ - ExpectNotNull(sess = wolfSSL_get1_session(ssl)); + while ((err = ERR_get_error_line(&file, &line))) { + AssertIntEQ(err, 990 + errorCount); + errorCount++; + } - wolfSSL_shutdown(ssl); - wolfSSL_free(ssl); ssl = NULL; + /* test that the 3 errors over the max were dropped */ + AssertIntEQ(errorCount, ERROR_QUEUE_MAX); - CloseSocket(sockfd); + WOLFSSL_RETURN_FROM_THREAD(0); +} +#endif - join_thread(serverThread); +static int test_error_queue_per_thread(void) +{ + int res = TEST_SKIPPED; +#if !defined(SINGLE_THREADED) && defined(ERROR_QUEUE_PER_THREAD) && \ + !defined(NO_ERROR_QUEUE) && defined(OPENSSL_EXTRA) && \ + defined(DEBUG_WOLFSSL) + THREAD_TYPE loggingThreads[LOGGING_THREADS]; + int i; - FreeTcpReady(&ready); + ERR_clear_error(); /* clear out any error nodes */ -#ifdef WOLFSSL_TIRTOS - fdOpenSession(Task_self()); + loggingThreadsReady = 0; + for (i = 0; i < LOGGING_THREADS; i++) + start_thread(test_logging, NULL, &loggingThreads[i]); + loggingThreadsReady = 1; + for (i = 0; i < LOGGING_THREADS; i++) + join_thread(loggingThreads[i]); + + 
res = TEST_SUCCESS; #endif + return res; +} -#if defined(SESSION_CERTS) && defined(OPENSSL_EXTRA) - { - X509 *x509 = NULL; - char buf[30]; - int bufSz = 0; +static int test_wolfSSL_ERR_put_error(void) +{ + EXPECT_DECLS; +#if !defined(NO_ERROR_QUEUE) && defined(OPENSSL_EXTRA) && \ + defined(DEBUG_WOLFSSL) + const char* file; + int line; - ExpectNotNull(x509 = SSL_SESSION_get0_peer(sess)); - ExpectIntGT((bufSz = X509_NAME_get_text_by_NID( - X509_get_subject_name(x509), NID_organizationalUnitName, buf, - sizeof(buf))), 0); - ExpectIntNE((bufSz == 7 || bufSz == 16), 0); /* should be one of these*/ - if (bufSz == 7) { - ExpectIntEQ(XMEMCMP(buf, "Support", bufSz), 0); - } - if (bufSz == 16) { - ExpectIntEQ(XMEMCMP(buf, "Programming-2048", bufSz), 0); - } - } + ERR_clear_error(); /* clear out any error nodes */ + ERR_put_error(0,SYS_F_ACCEPT, 0, "this file", 0); + ExpectIntEQ(ERR_get_error_line(&file, &line), 0); + ERR_put_error(0,SYS_F_BIND, 1, "this file", 1); + ExpectIntEQ(ERR_get_error_line(&file, &line), 1); + ERR_put_error(0,SYS_F_CONNECT, 2, "this file", 2); + ExpectIntEQ(ERR_get_error_line(&file, &line), 2); + ERR_put_error(0,SYS_F_FOPEN, 3, "this file", 3); + ExpectIntEQ(ERR_get_error_line(&file, &line), 3); + ERR_put_error(0,SYS_F_FREAD, 4, "this file", 4); + ExpectIntEQ(ERR_get_error_line(&file, &line), 4); + ERR_put_error(0,SYS_F_GETADDRINFO, 5, "this file", 5); + ExpectIntEQ(ERR_get_error_line(&file, &line), 5); + ERR_put_error(0,SYS_F_GETSOCKOPT, 6, "this file", 6); + ExpectIntEQ(ERR_get_error_line(&file, &line), 6); + ERR_put_error(0,SYS_F_GETSOCKNAME, 7, "this file", 7); + ExpectIntEQ(ERR_get_error_line(&file, &line), 7); + ERR_put_error(0,SYS_F_GETHOSTBYNAME, 8, "this file", 8); + ExpectIntEQ(ERR_get_error_line(&file, &line), 8); + ERR_put_error(0,SYS_F_GETNAMEINFO, 9, "this file", 9); + ExpectIntEQ(ERR_get_error_line(&file, &line), 9); + ERR_put_error(0,SYS_F_GETSERVBYNAME, 10, "this file", 10); + ExpectIntEQ(ERR_get_error_line(&file, &line), 10); + 
ERR_put_error(0,SYS_F_IOCTLSOCKET, 11, "this file", 11); + ExpectIntEQ(ERR_get_error_line(&file, &line), 11); + ERR_put_error(0,SYS_F_LISTEN, 12, "this file", 12); + ExpectIntEQ(ERR_get_error_line(&file, &line), 12); + ERR_put_error(0,SYS_F_OPENDIR, 13, "this file", 13); + ExpectIntEQ(ERR_get_error_line(&file, &line), 13); + ERR_put_error(0,SYS_F_SETSOCKOPT, 14, "this file", 14); + ExpectIntEQ(ERR_get_error_line(&file, &line), 14); + ERR_put_error(0,SYS_F_SOCKET, 15, "this file", 15); + ExpectIntEQ(ERR_get_error_line(&file, &line), 15); + +#if defined(OPENSSL_ALL) && defined(WOLFSSL_PYTHON) + ERR_put_error(ERR_LIB_ASN1, SYS_F_ACCEPT, ASN1_R_HEADER_TOO_LONG, + "this file", 100); + ExpectIntEQ(wolfSSL_ERR_peek_last_error_line(&file, &line), + (ERR_LIB_ASN1 << 24) | ASN1_R_HEADER_TOO_LONG); + ExpectIntEQ(line, 100); + ExpectIntEQ(wolfSSL_ERR_peek_error(), + (ERR_LIB_ASN1 << 24) | ASN1_R_HEADER_TOO_LONG); + ExpectIntEQ(ERR_get_error_line(&file, &line), ASN1_R_HEADER_TOO_LONG); #endif -#ifdef HAVE_EXT_CACHE - ExpectNotNull(sess_copy = wolfSSL_SESSION_dup(sess)); - wolfSSL_SESSION_free(sess_copy); sess_copy = NULL; - sess_copy = NULL; -#endif + /* try reading past end of error queue */ + file = NULL; + ExpectIntEQ(ERR_get_error_line(&file, &line), 0); + ExpectNull(file); + ExpectIntEQ(ERR_get_error_line_data(&file, &line, NULL, NULL), 0); -#if defined(OPENSSL_EXTRA) && defined(HAVE_EXT_CACHE) - /* get session from DER and update the timeout */ - ExpectIntEQ(wolfSSL_i2d_SSL_SESSION(NULL, &sessDer), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntGT((sz = wolfSSL_i2d_SSL_SESSION(sess, &sessDer)), 0); - wolfSSL_SESSION_free(sess); sess = NULL; - sess = NULL; - ptr = sessDer; - ExpectNull(sess = wolfSSL_d2i_SSL_SESSION(NULL, NULL, sz)); - ExpectNotNull(sess = wolfSSL_d2i_SSL_SESSION(NULL, - (const unsigned char**)&ptr, sz)); - XFREE(sessDer, NULL, DYNAMIC_TYPE_OPENSSL); - sessDer = NULL; + PEMerr(4,4); + ExpectIntEQ(ERR_get_error(), 4); + /* Empty and free up all error nodes */ + 
ERR_clear_error(); - ExpectIntGT(wolfSSL_SESSION_get_time(sess), 0); - ExpectIntEQ(wolfSSL_SSL_SESSION_set_timeout(sess, 500), SSL_SUCCESS); + /* Verify all nodes are cleared */ + ERR_put_error(0,SYS_F_ACCEPT, 0, "this file", 0); + ERR_clear_error(); + ExpectIntEQ(ERR_get_error_line(&file, &line), 0); #endif + return EXPECT_RESULT(); +} - /* successful set session test */ - ExpectNotNull(ssl = wolfSSL_new(ctx)); - ExpectIntEQ(wolfSSL_set_session(ssl, sess), WOLFSSL_SUCCESS); - -#ifdef HAVE_SESSION_TICKET - /* Test set/get session ticket */ - { - const char* ticket = "This is a session ticket"; - char buf[64] = {0}; - word32 bufSz = (word32)sizeof(buf); - word32 retSz = 0; +/* + * This is a regression test for a bug where the peek/get error functions were + * drawing from the end of the queue rather than the front. + */ +static int test_wolfSSL_ERR_get_error_order(void) +{ + EXPECT_DECLS; +#if defined(WOLFSSL_HAVE_ERROR_QUEUE) && defined(OPENSSL_EXTRA) + /* Empty the queue. */ + wolfSSL_ERR_clear_error(); - ExpectIntEQ(WOLFSSL_SUCCESS, - wolfSSL_set_SessionTicket(ssl, (byte *)ticket, - (word32)XSTRLEN(ticket))); - ExpectIntEQ(WOLFSSL_SUCCESS, - wolfSSL_get_SessionTicket(ssl, (byte *)buf, &bufSz)); - ExpectStrEQ(ticket, buf); + wolfSSL_ERR_put_error(0, 0, WC_NO_ERR_TRACE(ASN_NO_SIGNER_E), "test", 0); + wolfSSL_ERR_put_error(0, 0, WC_NO_ERR_TRACE(ASN_SELF_SIGNED_E), "test", 0); - /* return ticket length if buffer parameter is null */ - wolfSSL_get_SessionTicket(ssl, NULL, &retSz); - ExpectIntEQ(bufSz, retSz); - } -#endif + ExpectIntEQ(wolfSSL_ERR_peek_error(), -WC_NO_ERR_TRACE(ASN_NO_SIGNER_E)); + ExpectIntEQ(wolfSSL_ERR_get_error(), -WC_NO_ERR_TRACE(ASN_NO_SIGNER_E)); + ExpectIntEQ(wolfSSL_ERR_peek_error(), -WC_NO_ERR_TRACE(ASN_SELF_SIGNED_E)); + ExpectIntEQ(wolfSSL_ERR_get_error(), -WC_NO_ERR_TRACE(ASN_SELF_SIGNED_E)); +#endif /* WOLFSSL_HAVE_ERROR_QUEUE && OPENSSL_EXTRA */ + return EXPECT_RESULT(); +} -#ifdef OPENSSL_EXTRA - /* session timeout case */ - /* make the 
session to be expired */ - ExpectIntEQ(SSL_SESSION_set_timeout(sess,1), SSL_SUCCESS); - XSLEEP_MS(1200); +#ifndef NO_BIO - /* SSL_set_session should reject specified session but return success - * if WOLFSSL_ERROR_CODE_OPENSSL macro is defined for OpenSSL compatibility. - */ -#if defined(WOLFSSL_ERROR_CODE_OPENSSL) - ExpectIntEQ(wolfSSL_set_session(ssl,sess), SSL_SUCCESS); -#else - ExpectIntEQ(wolfSSL_set_session(ssl,sess), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); -#endif - ExpectIntEQ(wolfSSL_SSL_SESSION_set_timeout(sess, 500), SSL_SUCCESS); +static int test_wolfSSL_ERR_print_errors(void) +{ + EXPECT_DECLS; +#if !defined(NO_ERROR_QUEUE) && defined(OPENSSL_EXTRA) && \ + defined(DEBUG_WOLFSSL) && !defined(NO_ERROR_STRINGS) + BIO* bio = NULL; + char buf[1024]; -#ifdef WOLFSSL_SESSION_ID_CTX - /* fail case with miss match session context IDs (use compatibility API) */ - ExpectIntEQ(SSL_set_session_id_context(ssl, context, contextSz), - SSL_SUCCESS); - ExpectIntEQ(wolfSSL_set_session(ssl, sess), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - wolfSSL_free(ssl); ssl = NULL; + ExpectNotNull(bio = BIO_new(BIO_s_mem())); + ERR_clear_error(); /* clear out any error nodes */ + ERR_put_error(0,SYS_F_ACCEPT, -173, "ssl.c", 0); + /* Choosing -600 as an unused errno. 
*/ + ERR_put_error(0,SYS_F_BIND, -600, "asn.c", 100); - ExpectIntEQ(SSL_CTX_set_session_id_context(NULL, context, contextSz), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(SSL_CTX_set_session_id_context(ctx, context, contextSz), - SSL_SUCCESS); - ExpectNotNull(ssl = wolfSSL_new(ctx)); - ExpectIntEQ(wolfSSL_set_session(ssl, sess), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); -#endif -#endif /* OPENSSL_EXTRA */ + ERR_print_errors(bio); + ExpectIntEQ(BIO_gets(bio, buf, sizeof(buf)), 56); + ExpectIntEQ(XSTRNCMP( + "error:173:wolfSSL library:Bad function argument:ssl.c:0", + buf, 55), 0); + ExpectIntEQ(BIO_gets(bio, buf, sizeof(buf)), 57); + ExpectIntEQ(XSTRNCMP( + "error:600:wolfSSL library:unknown error number:asn.c:100", + buf, 56), 0); + ExpectIntEQ(BIO_gets(bio, buf, sizeof(buf)), 1); + ExpectIntEQ(buf[0], '\0'); + ExpectIntEQ(ERR_get_error_line(NULL, NULL), 0); - wolfSSL_free(ssl); - wolfSSL_SESSION_free(sess); - wolfSSL_CTX_free(ctx); + BIO_free(bio); #endif return EXPECT_RESULT(); } -#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \ - !defined(NO_RSA) && defined(HAVE_IO_TESTS_DEPENDENCIES) && \ - !defined(NO_SESSION_CACHE) && defined(OPENSSL_EXTRA) && \ - !defined(WOLFSSL_NO_TLS12) -static WOLFSSL_SESSION* test_wolfSSL_SESSION_expire_sess = NULL; - -static void test_wolfSSL_SESSION_expire_downgrade_ctx_ready(WOLFSSL_CTX* ctx) +#if !defined(NO_ERROR_QUEUE) && defined(OPENSSL_EXTRA) && \ + defined(DEBUG_WOLFSSL) +static int test_wolfSSL_error_cb(const char *str, size_t len, void *u) { - #ifdef WOLFSSL_ERROR_CODE_OPENSSL - /* returns previous timeout value */ - AssertIntEQ(wolfSSL_CTX_set_timeout(ctx, 1), 500); - #else - AssertIntEQ(wolfSSL_CTX_set_timeout(ctx, 1), WOLFSSL_SUCCESS); - #endif + if (u != NULL) { + wolfSSL_BIO_write((BIO*)u, str, (int)len); + } + return 0; } +#endif - -/* set the session to timeout in a second */ -static void test_wolfSSL_SESSION_expire_downgrade_ssl_ready(WOLFSSL* ssl) +static int test_wolfSSL_ERR_print_errors_cb(void) { - 
AssertIntEQ(wolfSSL_set_timeout(ssl, 2), 1); -} + EXPECT_DECLS; +#if !defined(NO_ERROR_QUEUE) && defined(OPENSSL_EXTRA) && \ + defined(DEBUG_WOLFSSL) + BIO* bio = NULL; + char buf[1024]; + ExpectNotNull(bio = BIO_new(BIO_s_mem())); + ERR_clear_error(); /* clear out any error nodes */ + ERR_put_error(0,SYS_F_ACCEPT, -173, "ssl.c", 0); + ERR_put_error(0,SYS_F_BIND, -275, "asn.c", 100); -/* store the client side session from the first successful connection */ -static void test_wolfSSL_SESSION_expire_downgrade_ssl_result(WOLFSSL* ssl) -{ - AssertPtrNE((test_wolfSSL_SESSION_expire_sess = wolfSSL_get1_session(ssl)), - NULL); /* ref count 1 */ -} + ERR_print_errors_cb(test_wolfSSL_error_cb, bio); + ExpectIntEQ(BIO_gets(bio, buf, sizeof(buf)), 108); + ExpectIntEQ(XSTRNCMP( + "wolfSSL error occurred, error = 173 line:0 file:ssl.c", + buf, 53), 0); + ExpectIntEQ(XSTRNCMP( + "wolfSSL error occurred, error = 275 line:100 file:asn.c", + buf + 53, 55), 0); + ExpectIntEQ(BIO_gets(bio, buf, sizeof(buf)), 0); + BIO_free(bio); +#endif -/* wait till session is expired then set it in the WOLFSSL struct for use */ -static void test_wolfSSL_SESSION_expire_downgrade_ssl_ready_wait(WOLFSSL* ssl) -{ - AssertIntEQ(wolfSSL_set_timeout(ssl, 1), 1); - AssertIntEQ(wolfSSL_set_session(ssl, test_wolfSSL_SESSION_expire_sess), - WOLFSSL_SUCCESS); - XSLEEP_MS(2000); /* wait 2 seconds for session to expire */ + return EXPECT_RESULT(); } +/* + * Testing WOLFSSL_ERROR_MSG + */ +static int test_WOLFSSL_ERROR_MSG(void) +{ + int res = TEST_SKIPPED; +#if defined(DEBUG_WOLFSSL) || defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) ||\ + defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA) + const char* msg = TEST_STRING; + WOLFSSL_ERROR_MSG(msg); -/* set expired session in the WOLFSSL struct for use */ -static void test_wolfSSL_SESSION_expire_downgrade_ssl_ready_set(WOLFSSL* ssl) + res = TEST_SUCCESS; +#endif + return res; +} /* End test_WOLFSSL_ERROR_MSG */ +/* + * Testing wc_ERR_remove_state + */ +static int 
test_wc_ERR_remove_state(void) { - XSLEEP_MS(1200); /* wait a second for session to expire */ + int res = TEST_SKIPPED; +#if defined(OPENSSL_EXTRA) || defined(DEBUG_WOLFSSL_VERBOSE) + wc_ERR_remove_state(); - /* set the expired session, call to set session fails but continuing on - after failure should be handled here */ -#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_ERROR_CODE_OPENSSL) - AssertIntEQ(wolfSSL_set_session(ssl, test_wolfSSL_SESSION_expire_sess), - WOLFSSL_SUCCESS); -#else - AssertIntNE(wolfSSL_set_session(ssl, test_wolfSSL_SESSION_expire_sess), - WOLFSSL_SUCCESS); + res = TEST_SUCCESS; #endif -} - + return res; +} /* End test_wc_ERR_remove_state */ +/* + * Testing wc_ERR_print_errors_fp + */ +static int test_wc_ERR_print_errors_fp(void) +{ + EXPECT_DECLS; +#if (defined(OPENSSL_EXTRA) || defined(DEBUG_WOLFSSL_VERBOSE)) && \ + (!defined(NO_FILESYSTEM) && !defined(NO_STDIO_FILESYSTEM)) + long sz; + XFILE fp = XBADFILE; -/* check that the expired session was not reused */ -static void test_wolfSSL_SESSION_expire_downgrade_ssl_result_reuse(WOLFSSL* ssl) + WOLFSSL_ERROR(WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectTrue((fp = XFOPEN("./tests/test-log-dump-to-file.txt", "a+")) != + XBADFILE); + wc_ERR_print_errors_fp(fp); +#if defined(DEBUG_WOLFSSL) + ExpectTrue(XFSEEK(fp, 0, XSEEK_END) == 0); + #ifdef NO_ERROR_QUEUE + ExpectIntEQ(sz = XFTELL(fp), 0); + #else + ExpectIntNE(sz = XFTELL(fp), 0); + #endif +#endif + if (fp != XBADFILE) + XFCLOSE(fp); + (void)sz; +#endif + return EXPECT_RESULT(); +} /* End test_wc_ERR_print_errors_fp */ +#ifdef DEBUG_WOLFSSL +static void Logging_cb(const int logLevel, const char *const logMessage) { - /* since the session has expired it should not have been reused */ - AssertIntEQ(wolfSSL_session_reused(ssl), 0); + (void)logLevel; + (void)logMessage; } #endif +/* + * Testing wolfSSL_GetLoggingCb + */ +static int test_wolfSSL_GetLoggingCb(void) +{ + EXPECT_DECLS; +#ifdef DEBUG_WOLFSSL + /* Testing without wolfSSL_SetLoggingCb() */ + 
ExpectNull(wolfSSL_GetLoggingCb()); + /* Testing with wolfSSL_SetLoggingCb() */ + ExpectIntEQ(wolfSSL_SetLoggingCb(Logging_cb), 0); + ExpectNotNull(wolfSSL_GetLoggingCb()); + ExpectIntEQ(wolfSSL_SetLoggingCb(NULL), 0); +#endif + ExpectNull(wolfSSL_GetLoggingCb()); -static int test_wolfSSL_SESSION_expire_downgrade(void) + return EXPECT_RESULT(); +} /* End test_wolfSSL_GetLoggingCb */ + +#endif /* !NO_BIO */ + +static int test_wolfSSL_OBJ(void) { +/* Password "wolfSSL test" is only 12 (96-bit) too short for testing in FIPS + * mode + */ EXPECT_DECLS; -#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \ - !defined(NO_RSA) && defined(HAVE_IO_TESTS_DEPENDENCIES) && \ - !defined(NO_SESSION_CACHE) && defined(OPENSSL_EXTRA) && \ - !defined(WOLFSSL_NO_TLS12) - callback_functions server_cbf, client_cbf; +#if defined(OPENSSL_EXTRA) && !defined(NO_SHA256) && !defined(NO_ASN) && \ + !defined(HAVE_FIPS) && !defined(NO_SHA) && defined(WOLFSSL_CERT_EXT) && \ + defined(WOLFSSL_CERT_GEN) && !defined(NO_BIO) && \ + !defined(NO_FILESYSTEM) && !defined(NO_STDIO_FILESYSTEM) + ASN1_OBJECT *obj = NULL; + ASN1_OBJECT *obj2 = NULL; + char buf[50]; - XMEMSET(&server_cbf, 0, sizeof(callback_functions)); - XMEMSET(&client_cbf, 0, sizeof(callback_functions)); + XFILE fp = XBADFILE; + X509 *x509 = NULL; + X509_NAME *x509Name = NULL; + X509_NAME_ENTRY *x509NameEntry = NULL; + ASN1_OBJECT *asn1Name = NULL; + int numNames = 0; + BIO *bio = NULL; + int nid; + int i, j; + const char *f[] = { + #ifndef NO_RSA + "./certs/ca-cert.der", + #endif + #ifdef HAVE_ECC + "./certs/ca-ecc-cert.der", + "./certs/ca-ecc384-cert.der", + #endif + NULL}; + ASN1_OBJECT *field_name_obj = NULL; + int lastpos = -1; + int tmp = -1; + ASN1_STRING *asn1 = NULL; + unsigned char *buf_dyn = NULL; - /* force server side to use TLS 1.2 */ - server_cbf.method = wolfTLSv1_2_server_method; + ExpectIntEQ(OBJ_obj2txt(buf, (int)sizeof(buf), obj, 1), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectNotNull(obj = 
OBJ_nid2obj(NID_any_policy)); + ExpectIntEQ(OBJ_obj2nid(obj), NID_any_policy); + ExpectIntEQ(OBJ_obj2txt(buf, (int)sizeof(buf), obj, 1), 11); + ExpectIntGT(OBJ_obj2txt(buf, (int)sizeof(buf), obj, 0), 0); + ASN1_OBJECT_free(obj); + obj = NULL; - client_cbf.method = wolfSSLv23_client_method; - server_cbf.ctx_ready = test_wolfSSL_SESSION_expire_downgrade_ctx_ready; - client_cbf.ssl_ready = test_wolfSSL_SESSION_expire_downgrade_ssl_ready; - client_cbf.on_result = test_wolfSSL_SESSION_expire_downgrade_ssl_result; + ExpectNotNull(obj = OBJ_nid2obj(NID_sha256)); + ExpectIntEQ(OBJ_obj2nid(obj), NID_sha256); + ExpectIntEQ(OBJ_obj2txt(buf, (int)sizeof(buf), obj, 1), 22); +#ifdef WOLFSSL_CERT_EXT + ExpectIntEQ(OBJ_txt2nid(buf), NID_sha256); +#endif + ExpectIntGT(OBJ_obj2txt(buf, (int)sizeof(buf), obj, 0), 0); + ExpectNotNull(obj2 = OBJ_dup(obj)); + ExpectIntEQ(OBJ_cmp(obj, obj2), 0); + ASN1_OBJECT_free(obj); + obj = NULL; + ASN1_OBJECT_free(obj2); + obj2 = NULL; - test_wolfSSL_client_server_nofail(&client_cbf, &server_cbf); - ExpectIntEQ(client_cbf.return_code, TEST_SUCCESS); - ExpectIntEQ(server_cbf.return_code, TEST_SUCCESS); + for (i = 0; f[i] != NULL; i++) + { + ExpectTrue((fp = XFOPEN(f[i], "rb")) != XBADFILE); + ExpectNotNull(x509 = d2i_X509_fp(fp, NULL)); + if (fp != XBADFILE) { + XFCLOSE(fp); + fp = XBADFILE; + } + ExpectNotNull(x509Name = X509_get_issuer_name(x509)); + ExpectIntNE((numNames = X509_NAME_entry_count(x509Name)), 0); - client_cbf.method = wolfSSLv23_client_method; - server_cbf.ctx_ready = test_wolfSSL_SESSION_expire_downgrade_ctx_ready; - client_cbf.ssl_ready = test_wolfSSL_SESSION_expire_downgrade_ssl_ready_wait; - client_cbf.on_result = - test_wolfSSL_SESSION_expire_downgrade_ssl_result_reuse; + /* Get the Common Name by using OBJ_txt2obj */ + ExpectNotNull(field_name_obj = OBJ_txt2obj("CN", 0)); + ExpectIntEQ(X509_NAME_get_index_by_OBJ(NULL, NULL, 99), + WOLFSSL_FATAL_ERROR); + ExpectIntEQ(X509_NAME_get_index_by_OBJ(x509Name, NULL, 99), + 
WOLFSSL_FATAL_ERROR); + ExpectIntEQ(X509_NAME_get_index_by_OBJ(NULL, field_name_obj, 99), + WOLFSSL_FATAL_ERROR); + ExpectIntEQ(X509_NAME_get_index_by_OBJ(x509Name, field_name_obj, 99), + WOLFSSL_FATAL_ERROR); + ExpectIntEQ(X509_NAME_get_index_by_OBJ(x509Name, NULL, 0), + WOLFSSL_FATAL_ERROR); + do + { + lastpos = tmp; + tmp = X509_NAME_get_index_by_OBJ(x509Name, field_name_obj, lastpos); + } while (tmp > -1); + ExpectIntNE(lastpos, -1); + ASN1_OBJECT_free(field_name_obj); + field_name_obj = NULL; + ExpectNotNull(x509NameEntry = X509_NAME_get_entry(x509Name, lastpos)); + ExpectNotNull(asn1 = X509_NAME_ENTRY_get_data(x509NameEntry)); + ExpectIntGE(ASN1_STRING_to_UTF8(&buf_dyn, asn1), 0); + /* + * All Common Names should be www.wolfssl.com + * This makes testing easier as we can test for the expected value. + */ + ExpectStrEQ((char*)buf_dyn, "www.wolfssl.com"); + OPENSSL_free(buf_dyn); + buf_dyn = NULL; + bio = BIO_new(BIO_s_mem()); + ExpectTrue(bio != NULL); + for (j = 0; j < numNames; j++) + { + ExpectNotNull(x509NameEntry = X509_NAME_get_entry(x509Name, j)); + ExpectNotNull(asn1Name = X509_NAME_ENTRY_get_object(x509NameEntry)); + ExpectTrue((nid = OBJ_obj2nid(asn1Name)) > 0); + } + BIO_free(bio); + bio = NULL; + X509_free(x509); + x509 = NULL; - test_wolfSSL_client_server_nofail(&client_cbf, &server_cbf); - ExpectIntEQ(client_cbf.return_code, TEST_SUCCESS); - ExpectIntEQ(server_cbf.return_code, TEST_SUCCESS); + } - client_cbf.method = wolfSSLv23_client_method; - server_cbf.ctx_ready = test_wolfSSL_SESSION_expire_downgrade_ctx_ready; - client_cbf.ssl_ready = test_wolfSSL_SESSION_expire_downgrade_ssl_ready_set; - client_cbf.on_result = - test_wolfSSL_SESSION_expire_downgrade_ssl_result_reuse; +#ifdef HAVE_PKCS12 + { + PKCS12 *p12 = NULL; + int boolRet; + EVP_PKEY *pkey = NULL; + const char *p12_f[] = { + /* bundle uses AES-CBC 256 and PKCS7 key uses DES3 */ + #if !defined(NO_DES3) && defined(WOLFSSL_AES_256) && !defined(NO_RSA) + "./certs/test-servercert.p12", + 
#endif + NULL + }; + + for (i = 0; p12_f[i] != NULL; i++) + { + ExpectTrue((fp = XFOPEN(p12_f[i], "rb")) != XBADFILE); + ExpectNotNull(p12 = d2i_PKCS12_fp(fp, NULL)); + if (fp != XBADFILE) { + XFCLOSE(fp); + fp = XBADFILE; + } + ExpectTrue((boolRet = PKCS12_parse(p12, "wolfSSL test", + &pkey, &x509, NULL)) > 0); + wc_PKCS12_free(p12); + p12 = NULL; + EVP_PKEY_free(pkey); + x509Name = X509_get_issuer_name(x509); + ExpectNotNull(x509Name); + ExpectIntNE((numNames = X509_NAME_entry_count(x509Name)), 0); + ExpectTrue((bio = BIO_new(BIO_s_mem())) != NULL); + for (j = 0; j < numNames; j++) + { + ExpectNotNull(x509NameEntry = X509_NAME_get_entry(x509Name, j)); + ExpectNotNull(asn1Name = + X509_NAME_ENTRY_get_object(x509NameEntry)); + ExpectTrue((nid = OBJ_obj2nid(asn1Name)) > 0); + } + BIO_free(bio); + bio = NULL; + X509_free(x509); + x509 = NULL; + } + } +#endif /* HAVE_PKCS12 */ +#endif + return EXPECT_RESULT(); +} + +static int test_wolfSSL_OBJ_cmp(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_SHA256) + ASN1_OBJECT *obj = NULL; + ASN1_OBJECT *obj2 = NULL; + + ExpectNotNull(obj = OBJ_nid2obj(NID_any_policy)); + ExpectNotNull(obj2 = OBJ_nid2obj(NID_sha256)); + + ExpectIntEQ(OBJ_cmp(NULL, NULL), WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); + ExpectIntEQ(OBJ_cmp(obj, NULL), WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); + ExpectIntEQ(OBJ_cmp(NULL, obj2), WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); + ExpectIntEQ(OBJ_cmp(obj, obj2), WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); + ExpectIntEQ(OBJ_cmp(obj, obj), 0); + ExpectIntEQ(OBJ_cmp(obj2, obj2), 0); + + ASN1_OBJECT_free(obj); + ASN1_OBJECT_free(obj2); +#endif + return EXPECT_RESULT(); +} + +static int test_wolfSSL_OBJ_txt2nid(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \ + defined(WOLFSSL_APACHE_HTTPD) + int i; + static const struct { + const char* sn; + const char* ln; + const char* oid; + int nid; + } testVals[] = { +#ifdef WOLFSSL_APACHE_HTTPD + { "tlsfeature", "TLS 
Feature", "1.3.6.1.5.5.7.1.24", NID_tlsfeature }, + { "id-on-dnsSRV", "SRVName", "1.3.6.1.5.5.7.8.7", + NID_id_on_dnsSRV }, + { "msUPN", "Microsoft User Principal Name", + "1.3.6.1.4.1.311.20.2.3", NID_ms_upn }, +#endif + { NULL, NULL, NULL, NID_undef } + }; - test_wolfSSL_client_server_nofail(&client_cbf, &server_cbf); - ExpectIntEQ(client_cbf.return_code, TEST_SUCCESS); - ExpectIntEQ(server_cbf.return_code, TEST_SUCCESS); + /* Invalid cases */ + ExpectIntEQ(OBJ_txt2nid(NULL), NID_undef); + ExpectIntEQ(OBJ_txt2nid("Bad name"), NID_undef); - wolfSSL_SESSION_free(test_wolfSSL_SESSION_expire_sess); + /* Valid cases */ + for (i = 0; testVals[i].sn != NULL; i++) { + ExpectIntEQ(OBJ_txt2nid(testVals[i].sn), testVals[i].nid); + ExpectIntEQ(OBJ_txt2nid(testVals[i].ln), testVals[i].nid); + ExpectIntEQ(OBJ_txt2nid(testVals[i].oid), testVals[i].nid); + } #endif return EXPECT_RESULT(); } -#if defined(OPENSSL_EXTRA) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \ - defined(HAVE_EX_DATA) && !defined(NO_SESSION_CACHE) -#ifdef WOLFSSL_ATOMIC_OPS - typedef wolfSSL_Atomic_Int SessRemCounter_t; -#else - typedef int SessRemCounter_t; -#endif -static SessRemCounter_t clientSessRemCountMalloc; -static SessRemCounter_t serverSessRemCountMalloc; -static SessRemCounter_t clientSessRemCountFree; -static SessRemCounter_t serverSessRemCountFree; - -static WOLFSSL_CTX* serverSessCtx = NULL; -static WOLFSSL_SESSION* serverSess = NULL; -#if (defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET)) || \ - !defined(NO_SESSION_CACHE_REF) -static WOLFSSL_CTX* clientSessCtx = NULL; -static WOLFSSL_SESSION* clientSess = NULL; -#endif -static int serverSessRemIdx = 3; -static int sessRemCtx_Server = WOLFSSL_SERVER_END; -static int sessRemCtx_Client = WOLFSSL_CLIENT_END; - -static void SessRemCtxCb(WOLFSSL_CTX *ctx, WOLFSSL_SESSION *sess) +static int test_wolfSSL_OBJ_txt2obj(void) { - int* side; + EXPECT_DECLS; +#if defined(WOLFSSL_APACHE_HTTPD) || (defined(OPENSSL_EXTRA) && \ + 
defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_CERT_GEN)) + int i; + char buf[50]; + ASN1_OBJECT* obj = NULL; + static const struct { + const char* oidStr; + const char* sn; + const char* ln; + } objs_list[] = { + #if defined(WOLFSSL_APACHE_HTTPD) + { "1.3.6.1.5.5.7.1.24", "tlsfeature", "TLS Feature" }, + { "1.3.6.1.5.5.7.8.7", "id-on-dnsSRV", "SRVName" }, + #endif + { "2.5.29.19", "basicConstraints", "X509v3 Basic Constraints"}, + { NULL, NULL, NULL } + }; + static const struct { + const char* numeric; + const char* name; + } objs_named[] = { + /* In dictionary but not in normal list. */ + { "1.3.6.1.5.5.7.3.8", "Time Stamping" }, + /* Made up OID. */ + { "1.3.5.7", "1.3.5.7" }, + { NULL, NULL } + }; - (void)ctx; + ExpectNull(obj = OBJ_txt2obj("Bad name", 0)); + ASN1_OBJECT_free(obj); + obj = NULL; + ExpectNull(obj = OBJ_txt2obj(NULL, 0)); + ASN1_OBJECT_free(obj); + obj = NULL; - side = (int*)SSL_SESSION_get_ex_data(sess, serverSessRemIdx); - if (side != NULL) { - if (*side == WOLFSSL_CLIENT_END) - (void)wolfSSL_Atomic_Int_FetchAdd(&clientSessRemCountFree, 1); - else - (void)wolfSSL_Atomic_Int_FetchAdd(&serverSessRemCountFree, 1); + for (i = 0; objs_list[i].oidStr != NULL; i++) { + /* Test numerical value of oid (oidStr) */ + ExpectNotNull(obj = OBJ_txt2obj(objs_list[i].oidStr, 1)); + /* Convert object back to text to confirm oid is correct */ + wolfSSL_OBJ_obj2txt(buf, (int)sizeof(buf), obj, 1); + ExpectIntEQ(XSTRNCMP(buf, objs_list[i].oidStr, (int)XSTRLEN(buf)), 0); + ASN1_OBJECT_free(obj); + obj = NULL; + XMEMSET(buf, 0, sizeof(buf)); - SSL_SESSION_set_ex_data(sess, serverSessRemIdx, NULL); + /* Test short name (sn) */ + ExpectNull(obj = OBJ_txt2obj(objs_list[i].sn, 1)); + ExpectNotNull(obj = OBJ_txt2obj(objs_list[i].sn, 0)); + /* Convert object back to text to confirm oid is correct */ + wolfSSL_OBJ_obj2txt(buf, (int)sizeof(buf), obj, 1); + ExpectIntEQ(XSTRNCMP(buf, objs_list[i].oidStr, (int)XSTRLEN(buf)), 0); + ASN1_OBJECT_free(obj); + obj = NULL; + 
XMEMSET(buf, 0, sizeof(buf)); + + /* Test long name (ln) - should fail when no_name = 1 */ + ExpectNull(obj = OBJ_txt2obj(objs_list[i].ln, 1)); + ExpectNotNull(obj = OBJ_txt2obj(objs_list[i].ln, 0)); + /* Convert object back to text to confirm oid is correct */ + wolfSSL_OBJ_obj2txt(buf, (int)sizeof(buf), obj, 1); + ExpectIntEQ(XSTRNCMP(buf, objs_list[i].oidStr, (int)XSTRLEN(buf)), 0); + ASN1_OBJECT_free(obj); + obj = NULL; + XMEMSET(buf, 0, sizeof(buf)); } -} -static int SessRemCtxSetupCb(WOLFSSL_CTX* ctx) -{ - SSL_CTX_sess_set_remove_cb(ctx, SessRemCtxCb); -#if defined(WOLFSSL_TLS13) && !defined(HAVE_SESSION_TICKET) && \ - !defined(NO_SESSION_CACHE_REF) - { - EXPECT_DECLS; - /* Allow downgrade, set min version, and disable TLS 1.3. - * Do this because without NO_SESSION_CACHE_REF we will want to return a - * reference to the session cache. But with WOLFSSL_TLS13 and without - * HAVE_SESSION_TICKET we won't have a session ID to be able to place - * the session in the cache. In this case we need to downgrade to - * previous versions to just use the legacy session ID field. */ - ExpectIntEQ(SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION), - SSL_SUCCESS); - ExpectIntEQ(SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION), - SSL_SUCCESS); - return EXPECT_RESULT(); + for (i = 0; objs_named[i].numeric != NULL; i++) { + ExpectNotNull(obj = OBJ_txt2obj(objs_named[i].numeric, 1)); + wolfSSL_OBJ_obj2txt(buf, (int)sizeof(buf), obj, 0); + ExpectIntEQ(XSTRNCMP(buf, objs_named[i].name, (int)XSTRLEN(buf)), 0); + wolfSSL_OBJ_obj2txt(buf, (int)sizeof(buf), obj, 1); + ExpectIntEQ(XSTRNCMP(buf, objs_named[i].numeric, (int)XSTRLEN(buf)), 0); + ASN1_OBJECT_free(obj); + obj = NULL; } -#else - return TEST_SUCCESS; #endif + return EXPECT_RESULT(); } -static int SessRemSslSetupCb(WOLFSSL* ssl) +/* Note the lack of wolfSSL_ prefix...this is a compatibility layer test. 
*/ +static int test_GENERAL_NAME_set0_othername(void) { EXPECT_DECLS; - int* side; +#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ + defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_REQ) && \ + defined(WOLFSSL_CUSTOM_OID) && defined(WOLFSSL_ALT_NAMES) && \ + defined(WOLFSSL_CERT_EXT) && !defined(NO_FILESYSTEM) && \ + defined(WOLFSSL_FPKI) && !defined(NO_RSA) + /* ./configure --enable-opensslall --enable-certgen --enable-certreq + * --enable-certext --enable-debug 'CPPFLAGS=-DWOLFSSL_CUSTOM_OID + * -DWOLFSSL_ALT_NAMES -DWOLFSSL_FPKI' */ + const char * cert_fname = "./certs/server-cert.der"; + const char * key_fname = "./certs/server-key.der"; + X509* x509 = NULL; + GENERAL_NAME* gn = NULL; + GENERAL_NAMES* gns = NULL; + ASN1_OBJECT* upn_oid = NULL; + ASN1_UTF8STRING *utf8str = NULL; + ASN1_TYPE *value = NULL; + X509_EXTENSION * ext = NULL; - if (SSL_is_server(ssl)) { - side = &sessRemCtx_Server; - (void)wolfSSL_Atomic_Int_FetchAdd(&serverSessRemCountMalloc, 1); - ExpectNotNull(serverSess = SSL_get1_session(ssl)); - ExpectIntEQ(SSL_CTX_up_ref(serverSessCtx = SSL_get_SSL_CTX(ssl)), - SSL_SUCCESS); + byte* pt = NULL; + byte der[4096]; + int derSz = 0; + EVP_PKEY* priv = NULL; + XFILE f = XBADFILE; + + ExpectTrue((f = XFOPEN(cert_fname, "rb")) != XBADFILE); + ExpectNotNull(x509 = d2i_X509_fp(f, NULL)); + if (f != XBADFILE) { + XFCLOSE(f); + f = XBADFILE; } - else { - side = &sessRemCtx_Client; - (void)wolfSSL_Atomic_Int_FetchAdd(&clientSessRemCountMalloc, 1); -#if (defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET)) || \ - !defined(NO_SESSION_CACHE_REF) - ExpectNotNull(clientSess = SSL_get1_session(ssl)); - ExpectIntEQ(SSL_CTX_up_ref(clientSessCtx = SSL_get_SSL_CTX(ssl)), - SSL_SUCCESS); -#endif + ExpectNotNull(gn = GENERAL_NAME_new()); + ExpectNotNull(upn_oid = OBJ_txt2obj("1.3.6.1.4.1.311.20.2.3", 1)); + ExpectNotNull(utf8str = ASN1_UTF8STRING_new()); + ExpectIntEQ(ASN1_STRING_set(utf8str, "othername@wolfssl.com", -1), 1); + ExpectNotNull(value = 
ASN1_TYPE_new()); + ASN1_TYPE_set(value, V_ASN1_UTF8STRING, utf8str); + if ((value == NULL) || (value->value.ptr != (char*)utf8str)) { + wolfSSL_ASN1_STRING_free(utf8str); } - ExpectIntEQ(SSL_SESSION_set_ex_data(SSL_get_session(ssl), - serverSessRemIdx, side), SSL_SUCCESS); + ExpectIntEQ(GENERAL_NAME_set0_othername(NULL, NULL , NULL ), + WOLFSSL_FAILURE); + ExpectIntEQ(GENERAL_NAME_set0_othername(gn , NULL , NULL ), + WOLFSSL_FAILURE); + ExpectIntEQ(GENERAL_NAME_set0_othername(NULL, upn_oid, NULL ), + WOLFSSL_FAILURE); + ExpectIntEQ(GENERAL_NAME_set0_othername(NULL, NULL , value), + WOLFSSL_FAILURE); + ExpectIntEQ(GENERAL_NAME_set0_othername(gn , upn_oid, NULL ), + WOLFSSL_FAILURE); + ExpectIntEQ(GENERAL_NAME_set0_othername(gn , NULL , value), + WOLFSSL_FAILURE); + ExpectIntEQ(GENERAL_NAME_set0_othername(NULL, upn_oid, value ), + WOLFSSL_FAILURE); + ExpectIntEQ(GENERAL_NAME_set0_othername(gn, upn_oid, value), 1); + if (EXPECT_FAIL()) { + ASN1_TYPE_free(value); + } + ExpectNotNull(gns = sk_GENERAL_NAME_new(NULL)); + ExpectIntEQ(sk_GENERAL_NAME_push(gns, gn), 1); + if (EXPECT_FAIL()) { + GENERAL_NAME_free(gn); + gn = NULL; + } + ExpectNotNull(ext = X509V3_EXT_i2d(NID_subject_alt_name, 0, gns)); + ExpectIntEQ(X509_add_ext(x509, ext, -1), 1); + ExpectTrue((f = XFOPEN(key_fname, "rb")) != XBADFILE); + ExpectIntGT(derSz = (int)XFREAD(der, 1, sizeof(der), f), 0); + if (f != XBADFILE) { + XFCLOSE(f); + f = XBADFILE; + } + pt = der; + ExpectNotNull(priv = d2i_PrivateKey(EVP_PKEY_RSA, NULL, + (const unsigned char**)&pt, derSz)); + ExpectIntGT(X509_sign(x509, priv, EVP_sha256()), 0); + sk_GENERAL_NAME_pop_free(gns, GENERAL_NAME_free); + gns = NULL; + ExpectNotNull(gns = (GENERAL_NAMES*)X509_get_ext_d2i(x509, + NID_subject_alt_name, NULL, NULL)); + + ExpectIntEQ(sk_GENERAL_NAME_num(NULL), 0); + ExpectIntEQ(sk_GENERAL_NAME_num(gns), 3); + + ExpectNull(sk_GENERAL_NAME_value(NULL, 0)); + ExpectNull(sk_GENERAL_NAME_value(gns, 20)); + ExpectNotNull(gn = sk_GENERAL_NAME_value(gns, 
2)); + ExpectIntEQ(gn->type, 0); + + sk_GENERAL_NAME_pop_free(gns, GENERAL_NAME_free); + ASN1_OBJECT_free(upn_oid); + X509_EXTENSION_free(ext); + X509_free(x509); + EVP_PKEY_free(priv); +#endif return EXPECT_RESULT(); } -#endif -static int test_wolfSSL_CTX_sess_set_remove_cb(void) +/* Note the lack of wolfSSL_ prefix...this is a compatibility layer test. */ +static int test_othername_and_SID_ext(void) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \ - defined(HAVE_EX_DATA) && !defined(NO_SESSION_CACHE) - /* Check that the remove callback gets called for external data in a - * session object */ - test_ssl_cbf func_cb; +#if defined(OPENSSL_ALL) && !defined(NO_CERTS) && \ + defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_REQ) && \ + defined(WOLFSSL_CUSTOM_OID) && defined(WOLFSSL_ALT_NAMES) && \ + defined(WOLFSSL_CERT_EXT) && !defined(NO_FILESYSTEM) && \ + defined(WOLFSSL_FPKI) && defined(WOLFSSL_ASN_TEMPLATE) && !defined(NO_RSA) + /* ./configure --enable-opensslall --enable-certgen --enable-certreq + * --enable-certext --enable-debug 'CPPFLAGS=-DWOLFSSL_CUSTOM_OID + * -DWOLFSSL_ALT_NAMES -DWOLFSSL_FPKI' */ + const char* csr_fname = "./certs/csr.signed.der"; + const char* key_fname = "./certs/server-key.der"; - wolfSSL_Atomic_Int_Init(&clientSessRemCountMalloc, 0); - wolfSSL_Atomic_Int_Init(&serverSessRemCountMalloc, 0); - wolfSSL_Atomic_Int_Init(&clientSessRemCountFree, 0); - wolfSSL_Atomic_Int_Init(&serverSessRemCountFree, 0); + byte der[4096]; + int derSz = 0; + byte badDer[2] = { 0x30, 0x00 }; + X509_REQ* x509 = NULL; + STACK_OF(X509_EXTENSION) *exts = NULL; - XMEMSET(&func_cb, 0, sizeof(func_cb)); - func_cb.ctx_ready = SessRemCtxSetupCb; - func_cb.on_result = SessRemSslSetupCb; + X509_EXTENSION * san_ext = NULL; + X509_EXTENSION * ext = NULL; + GENERAL_NAME* gn = NULL; + GENERAL_NAMES* gns = NULL; + ASN1_OBJECT* upn_oid = NULL; + ASN1_UTF8STRING *utf8str = NULL; + ASN1_TYPE *value = NULL; + ASN1_STRING *extval = 
NULL; - ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&func_cb, &func_cb, - NULL), TEST_SUCCESS); + /* SID extension. SID data format explained here: + * https://blog.qdsecurity.se/2022/05/27/manually-injecting-a-sid-in-a-certificate/ + */ + byte SidExtension[] = { + 48, 64, 160, 62, 6, 10, 43, 6, 1, 4, 1, 130, 55, 25, 2, 1, 160, + 48, 4, 46, 83, 45, 49, 45, 53, 45, 50, 49, 45, 50, 56, 52, 51, 57, + 48, 55, 52, 49, 56, 45, 51, 57, 50, 54, 50, 55, 55, 52, 50, 49, 45, + 51, 56, 49, 53, 57, 57, 51, 57, 55, 50, 45, 52, 54, 48, 49}; - /* Both should have been allocated */ - ExpectIntEQ(clientSessRemCountMalloc, 1); - ExpectIntEQ(serverSessRemCountMalloc, 1); + byte expectedAltName[] = { + 0x30, 0x27, 0xA0, 0x25, 0x06, 0x0A, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, + 0x37, 0x14, 0x02, 0x03, 0xA0, 0x17, 0x0C, 0x15, 0x6F, 0x74, 0x68, 0x65, + 0x72, 0x6E, 0x61, 0x6D, 0x65, 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, + 0x6C, 0x2E, 0x63, 0x6F, 0x6D}; - /* This should not be called yet. Session wasn't evicted from cache yet. */ - ExpectIntEQ(clientSessRemCountFree, 0); -#if (defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET)) || \ - !defined(NO_SESSION_CACHE_REF) - /* Force a cache lookup */ - ExpectNotNull(SSL_SESSION_get_ex_data(clientSess, serverSessRemIdx)); - /* Force a cache update */ - ExpectNotNull(SSL_SESSION_set_ex_data(clientSess, serverSessRemIdx - 1, 0)); - /* This should set the timeout to 0 and call the remove callback from within - * the session cache. 
*/ - ExpectIntEQ(SSL_CTX_remove_session(clientSessCtx, clientSess), 0); - ExpectNull(SSL_SESSION_get_ex_data(clientSess, serverSessRemIdx)); - ExpectIntEQ(clientSessRemCountFree, 1); -#endif - /* Server session is in the cache so ex_data isn't free'd with the SSL - * object */ - ExpectIntEQ(serverSessRemCountFree, 0); - /* Force a cache lookup */ - ExpectNotNull(SSL_SESSION_get_ex_data(serverSess, serverSessRemIdx)); - /* Force a cache update */ - ExpectNotNull(SSL_SESSION_set_ex_data(serverSess, serverSessRemIdx - 1, 0)); - /* This should set the timeout to 0 and call the remove callback from within - * the session cache. */ - ExpectIntEQ(SSL_CTX_remove_session(serverSessCtx, serverSess), 0); - ExpectNull(SSL_SESSION_get_ex_data(serverSess, serverSessRemIdx)); - ExpectIntEQ(serverSessRemCountFree, 1); - /* Need to free the references that we kept */ - SSL_CTX_free(serverSessCtx); - SSL_SESSION_free(serverSess); -#if (defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET)) || \ - !defined(NO_SESSION_CACHE_REF) - SSL_CTX_free(clientSessCtx); - SSL_SESSION_free(clientSess); -#endif -#endif - return EXPECT_RESULT(); -} + X509_EXTENSION *sid_ext = NULL; + ASN1_OBJECT* sid_oid = NULL; + ASN1_OCTET_STRING *sid_data = NULL; -static int test_wolfSSL_ticket_keys(void) -{ - EXPECT_DECLS; -#if defined(HAVE_SESSION_TICKET) && !defined(WOLFSSL_NO_DEF_TICKET_ENC_CB) && \ - !defined(NO_WOLFSSL_SERVER) && !defined(NO_TLS) - WOLFSSL_CTX* ctx = NULL; - byte keys[WOLFSSL_TICKET_KEYS_SZ]; + ASN1_OBJECT* alt_names_oid = NULL; - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); + EVP_PKEY* priv = NULL; + XFILE f = XBADFILE; + byte* pt = NULL; + BIO* bio = NULL; - ExpectIntEQ(wolfSSL_CTX_get_tlsext_ticket_keys(NULL, NULL, 0), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_CTX_get_tlsext_ticket_keys(ctx, NULL, 0), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_CTX_get_tlsext_ticket_keys(ctx, keys, 0), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - 
ExpectIntEQ(wolfSSL_CTX_get_tlsext_ticket_keys(NULL, keys, 0), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_CTX_get_tlsext_ticket_keys(NULL, NULL, sizeof(keys)), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_CTX_get_tlsext_ticket_keys(ctx, NULL, sizeof(keys)), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_CTX_get_tlsext_ticket_keys(NULL, keys, sizeof(keys)), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectTrue((f = XFOPEN(csr_fname, "rb")) != XBADFILE); + ExpectNotNull(x509 = d2i_X509_REQ_fp(f, NULL)); + if (f != XBADFILE) { + XFCLOSE(f); + f = XBADFILE; + } + ExpectIntEQ(X509_REQ_set_version(x509, 2), 1); + ExpectNotNull(gn = GENERAL_NAME_new()); + ExpectNotNull(upn_oid = OBJ_txt2obj("1.3.6.1.4.1.311.20.2.3", 1)); + ExpectNotNull(utf8str = ASN1_UTF8STRING_new()); + ExpectIntEQ(ASN1_STRING_set(utf8str, "othername@wolfssl.com", -1), 1); + ExpectNotNull(value = ASN1_TYPE_new()); + ASN1_TYPE_set(value, V_ASN1_UTF8STRING, utf8str); + if (EXPECT_FAIL()) { + ASN1_UTF8STRING_free(utf8str); + } + ExpectIntEQ(GENERAL_NAME_set0_othername(gn, upn_oid, value), 1); + if (EXPECT_FAIL()) { + ASN1_TYPE_free(value); + GENERAL_NAME_free(gn); + gn = NULL; + } + ExpectNotNull(gns = sk_GENERAL_NAME_new(NULL)); + ExpectIntEQ(sk_GENERAL_NAME_push(gns, gn), 1); + if (EXPECT_FAIL()) { + GENERAL_NAME_free(gn); + } + ExpectNotNull(san_ext = X509V3_EXT_i2d(NID_subject_alt_name, 0, gns)); + ExpectNotNull(sid_oid = OBJ_txt2obj("1.3.6.1.4.1.311.25.2", 1)); + ExpectNotNull(sid_data = ASN1_OCTET_STRING_new()); + ASN1_OCTET_STRING_set(sid_data, SidExtension, sizeof(SidExtension)); + ExpectNotNull(sid_ext = X509_EXTENSION_create_by_OBJ(NULL, sid_oid, 0, + sid_data)); + ExpectNotNull(exts = sk_X509_EXTENSION_new_null()); + wolfSSL_sk_X509_EXTENSION_free(exts); + exts = NULL; + ExpectNotNull(exts = sk_X509_EXTENSION_new_null()); + /* Ensure an empty stack doesn't raise an error. 
*/ + ExpectIntEQ(X509_REQ_add_extensions(NULL, NULL), 0); + ExpectIntEQ(X509_REQ_add_extensions(x509, NULL), 0); + ExpectIntEQ(X509_REQ_add_extensions(NULL, exts), 0); + ExpectIntEQ(X509_REQ_add_extensions(x509, exts), 1); + ExpectIntEQ(sk_X509_EXTENSION_push(exts, san_ext), 1); + if (EXPECT_FAIL()) { + X509_EXTENSION_free(san_ext); + } + ExpectIntEQ(sk_X509_EXTENSION_push(exts, sid_ext), 2); + if (EXPECT_FAIL()) { + X509_EXTENSION_free(sid_ext); + } + ExpectIntEQ(X509_REQ_add_extensions(x509, exts), 1); + ExpectTrue((f = XFOPEN(key_fname, "rb")) != XBADFILE); + ExpectIntGT(derSz = (int)XFREAD(der, 1, sizeof(der), f), 0); + if (f != XBADFILE) + XFCLOSE(f); + pt = der; + ExpectNotNull(priv = d2i_PrivateKey(EVP_PKEY_RSA, NULL, + (const unsigned char**)&pt, derSz)); + ExpectIntGT(X509_REQ_sign(x509, priv, EVP_sha256()), 0); + pt = der; + ExpectIntGT(derSz = i2d_X509_REQ(x509, &pt), 0); + X509_REQ_free(x509); + x509 = NULL; + ExpectNull(d2i_X509_REQ_INFO(&x509, NULL, derSz)); + pt = badDer; + ExpectNull(d2i_X509_REQ_INFO(&x509, (const unsigned char**)&pt, + sizeof(badDer))); + pt = der; + ExpectNotNull(d2i_X509_REQ_INFO(&x509, (const unsigned char**)&pt, derSz)); + sk_GENERAL_NAME_pop_free(gns, GENERAL_NAME_free); + gns = NULL; + sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free); + exts = NULL; + ASN1_OBJECT_free(upn_oid); + ASN1_OBJECT_free(sid_oid); + sid_oid = NULL; + ASN1_OCTET_STRING_free(sid_data); + X509_REQ_free(x509); + EVP_PKEY_free(priv); - ExpectIntEQ(wolfSSL_CTX_set_tlsext_ticket_keys(NULL, NULL, 0), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_CTX_set_tlsext_ticket_keys(ctx, NULL, 0), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_CTX_set_tlsext_ticket_keys(ctx, keys, 0), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_CTX_set_tlsext_ticket_keys(NULL, keys, 0), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_CTX_set_tlsext_ticket_keys(NULL, NULL, sizeof(keys)), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - 
ExpectIntEQ(wolfSSL_CTX_set_tlsext_ticket_keys(ctx, NULL, sizeof(keys)), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_CTX_set_tlsext_ticket_keys(NULL, keys, sizeof(keys)), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + /* At this point everything used to generate what is in der is cleaned up. + * We now read back from der to confirm the extensions were inserted + * correctly. */ + bio = wolfSSL_BIO_new(wolfSSL_BIO_s_mem()); + ExpectNotNull(bio); + + ExpectIntEQ(BIO_write(bio, der, derSz), derSz); /* d2i consumes BIO */ + ExpectNotNull(d2i_X509_REQ_bio(bio, &x509)); + ExpectNotNull(x509); + BIO_free(bio); + ExpectNotNull(exts = (STACK_OF(X509_EXTENSION)*)X509_REQ_get_extensions( + x509)); + ExpectIntEQ(sk_X509_EXTENSION_num(NULL), WOLFSSL_FATAL_ERROR); + ExpectIntEQ(sk_X509_EXTENSION_num(exts), 2); + + /* Check the SID extension. */ + ExpectNotNull(sid_oid = OBJ_txt2obj("1.3.6.1.4.1.311.25.2", 1)); + ExpectNotNull(ext = sk_X509_EXTENSION_value(exts, + X509_get_ext_by_OBJ(x509, sid_oid, -1))); + ExpectNotNull(extval = X509_EXTENSION_get_data(ext)); + ExpectIntEQ(extval->length, sizeof(SidExtension)); + ExpectIntEQ(XMEMCMP(SidExtension, extval->data, sizeof(SidExtension)), 0); + ASN1_OBJECT_free(sid_oid); + + /* Check the AltNames extension. 
*/ + ExpectNotNull(alt_names_oid = OBJ_txt2obj("subjectAltName", 0)); + ExpectNotNull(ext = sk_X509_EXTENSION_value(exts, + X509_get_ext_by_OBJ(x509, alt_names_oid, -1))); + ExpectNotNull(extval = X509_EXTENSION_get_data(ext)); + ExpectIntEQ(extval->length, sizeof(expectedAltName)); + ExpectIntEQ(XMEMCMP(expectedAltName, extval->data, sizeof(expectedAltName)), + 0); + ASN1_OBJECT_free(alt_names_oid); + + /* Cleanup */ + ExpectNotNull(gns = (GENERAL_NAMES*)X509_get_ext_d2i(x509, + NID_subject_alt_name, NULL, NULL)); + ExpectIntEQ(sk_GENERAL_NAME_num(gns), 1); + ExpectNotNull(gn = sk_GENERAL_NAME_value(gns, 0)); + ExpectIntEQ(gn->type, 0); - ExpectIntEQ(wolfSSL_CTX_get_tlsext_ticket_keys(ctx, keys, sizeof(keys)), - WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CTX_set_tlsext_ticket_keys(ctx, keys, sizeof(keys)), - WOLFSSL_SUCCESS); + sk_GENERAL_NAME_pop_free(gns, GENERAL_NAME_free); - wolfSSL_CTX_free(ctx); + sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free); + X509_REQ_free(x509); #endif return EXPECT_RESULT(); } -#ifndef NO_BIO - -static int test_wolfSSL_d2i_PUBKEY(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) - BIO* bio = NULL; - EVP_PKEY* pkey = NULL; - - ExpectNotNull(bio = BIO_new(BIO_s_mem())); - ExpectNull(d2i_PUBKEY_bio(NULL, NULL)); - -#if defined(USE_CERT_BUFFERS_2048) && !defined(NO_RSA) - /* RSA PUBKEY test */ - ExpectIntGT(BIO_write(bio, client_keypub_der_2048, - sizeof_client_keypub_der_2048), 0); - ExpectNotNull(pkey = d2i_PUBKEY_bio(bio, NULL)); - EVP_PKEY_free(pkey); - pkey = NULL; -#endif +#if defined(OPENSSL_EXTRA) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) -#if defined(USE_CERT_BUFFERS_256) && defined(HAVE_ECC) - /* ECC PUBKEY test */ - ExpectIntGT(BIO_write(bio, ecc_clikeypub_der_256, - sizeof_ecc_clikeypub_der_256), 0); - ExpectNotNull(pkey = d2i_PUBKEY_bio(bio, NULL)); - EVP_PKEY_free(pkey); - pkey = NULL; -#endif +/* test that the callback arg is correct */ +static int certCbArg = 0; -#if defined(USE_CERT_BUFFERS_2048) && 
!defined(NO_DSA) - /* DSA PUBKEY test */ - ExpectIntGT(BIO_write(bio, dsa_pub_key_der_2048, - sizeof_dsa_pub_key_der_2048), 0); - ExpectNotNull(pkey = d2i_PUBKEY_bio(bio, NULL)); - EVP_PKEY_free(pkey); - pkey = NULL; -#endif +static int certCb(WOLFSSL* ssl, void* arg) +{ + if (ssl == NULL || arg != &certCbArg) + return 0; + if (wolfSSL_is_server(ssl)) { + if (wolfSSL_use_certificate_file(ssl, svrCertFile, + WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS) + return 0; + if (wolfSSL_use_PrivateKey_file(ssl, svrKeyFile, + WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS) + return 0; + } + else { + if (wolfSSL_use_certificate_file(ssl, cliCertFile, + WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS) + return 0; + if (wolfSSL_use_PrivateKey_file(ssl, cliKeyFile, + WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS) + return 0; + } + return 1; +} -#if defined(USE_CERT_BUFFERS_2048) && !defined(NO_DH) && \ -defined(OPENSSL_EXTRA) && defined(WOLFSSL_DH_EXTRA) -#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && \ - (HAVE_FIPS_VERSION > 2)) - /* DH PUBKEY test */ - ExpectIntGT(BIO_write(bio, dh_pub_key_der_2048, - sizeof_dh_pub_key_der_2048), 0); - ExpectNotNull(pkey = d2i_PUBKEY_bio(bio, NULL)); - EVP_PKEY_free(pkey); - pkey = NULL; -#endif /* !HAVE_FIPS || HAVE_FIPS_VERSION > 2 */ -#endif /* USE_CERT_BUFFERS_2048 && !NO_DH && && OPENSSL_EXTRA */ +static int certSetupCb(WOLFSSL_CTX* ctx) +{ + SSL_CTX_set_cert_cb(ctx, certCb, &certCbArg); + return TEST_SUCCESS; +} - BIO_free(bio); +/** + * This is only done because test_wolfSSL_client_server_nofail_memio has no way + * to stop certificate and key loading + */ +static int certClearCb(WOLFSSL* ssl) +{ + /* Clear the loaded certs to force the callbacks to set them up */ + SSL_certs_clear(ssl); + return TEST_SUCCESS; +} - (void)pkey; #endif - return EXPECT_RESULT(); -} - -#if (defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO)) && !defined(NO_RSA) && \ - !defined(NO_TLS) -static int test_wolfSSL_d2i_PrivateKeys_bio(void) +static int test_wolfSSL_cert_cb(void) 
{ EXPECT_DECLS; - BIO* bio = NULL; - EVP_PKEY* pkey = NULL; - WOLFSSL_CTX* ctx = NULL; - -#if defined(WOLFSSL_KEY_GEN) - unsigned char buff[4096]; - unsigned char* bufPtr = buff; +#if defined(OPENSSL_EXTRA) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) + test_ssl_cbf func_cb_client; + test_ssl_cbf func_cb_server; + size_t i; + struct { + method_provider client_meth; + method_provider server_meth; + const char* desc; + } test_params[] = { +#ifdef WOLFSSL_TLS13 + {wolfTLSv1_3_client_method, wolfTLSv1_3_server_method, "TLS 1.3"}, #endif - - /* test creating new EVP_PKEY with bad arg */ - ExpectNull((pkey = d2i_PrivateKey_bio(NULL, NULL))); - - /* test loading RSA key using BIO */ -#if !defined(NO_RSA) && !defined(NO_FILESYSTEM) - { - XFILE file = XBADFILE; - const char* fname = "./certs/server-key.der"; - long lsz = 0; - size_t sz = 0; - byte* buf = NULL; - - ExpectTrue((file = XFOPEN(fname, "rb")) != XBADFILE); - ExpectTrue(XFSEEK(file, 0, XSEEK_END) == 0); - ExpectTrue((lsz = XFTELL(file)) > 0); - sz = (size_t)lsz; - ExpectTrue(XFSEEK(file, 0, XSEEK_SET) == 0); - ExpectNotNull(buf = (byte*)XMALLOC(sz, HEAP_HINT, DYNAMIC_TYPE_FILE)); - ExpectIntEQ(XFREAD(buf, 1, sz, file), sz); - if (file != XBADFILE) { - XFCLOSE(file); - } - - /* Test using BIO new mem and loading DER private key */ - ExpectNotNull(bio = BIO_new_mem_buf(buf, (int)sz)); - ExpectNotNull((pkey = d2i_PrivateKey_bio(bio, NULL))); - XFREE(buf, HEAP_HINT, DYNAMIC_TYPE_FILE); - BIO_free(bio); - bio = NULL; - EVP_PKEY_free(pkey); - pkey = NULL; - } +#ifndef WOLFSSL_NO_TLS12 + {wolfTLSv1_2_client_method, wolfTLSv1_2_server_method, "TLS 1.2"}, #endif - - /* test loading ECC key using BIO */ -#if defined(HAVE_ECC) && !defined(NO_FILESYSTEM) - { - XFILE file = XBADFILE; - const char* fname = "./certs/ecc-key.der"; - long lsz = 0; - size_t sz = 0; - byte* buf = NULL; - - ExpectTrue((file = XFOPEN(fname, "rb")) != XBADFILE); - ExpectTrue(XFSEEK(file, 0, XSEEK_END) == 0); - ExpectTrue((lsz = XFTELL(file)) > 0); - 
sz = (size_t)lsz; - ExpectTrue(XFSEEK(file, 0, XSEEK_SET) == 0); - ExpectNotNull(buf = (byte*)XMALLOC(sz, HEAP_HINT, DYNAMIC_TYPE_FILE)); - ExpectIntEQ(XFREAD(buf, 1, sz, file), sz); - if (file != XBADFILE) - XFCLOSE(file); - - /* Test using BIO new mem and loading DER private key */ - ExpectNotNull(bio = BIO_new_mem_buf(buf, (int)sz)); - ExpectNotNull((pkey = d2i_PrivateKey_bio(bio, NULL))); - XFREE(buf, HEAP_HINT, DYNAMIC_TYPE_FILE); - BIO_free(bio); - bio = NULL; - EVP_PKEY_free(pkey); - pkey = NULL; - } +#ifndef NO_OLD_TLS + {wolfTLSv1_1_client_method, wolfTLSv1_1_server_method, "TLS 1.1"}, +#ifdef WOLFSSL_ALLOW_TLSV10 + {wolfTLSv1_client_method, wolfTLSv1_server_method, "TLS 1.0"}, #endif - - ExpectNotNull(bio = BIO_new(BIO_s_mem())); -#ifndef NO_WOLFSSL_SERVER - ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); -#else - ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); #endif + }; -#if defined(WOLFSSL_KEY_GEN) && !defined(NO_RSA) - { - const unsigned char seqOnly[] = { 0x30, 0x00, 0x00, 0x00, 0x00, 0x00 }; - RSA* rsa = NULL; - /* Tests bad parameters */ - ExpectNull(d2i_RSAPrivateKey_bio(NULL, NULL)); - - /* Test using bad data. 
*/ - ExpectIntGT(BIO_write(bio, seqOnly, sizeof(seqOnly)), 0); - ExpectNull(d2i_RSAPrivateKey_bio(bio, NULL)); - - /* RSA not set yet, expecting to fail*/ - rsa = wolfSSL_RSA_new(); - ExpectIntEQ(SSL_CTX_use_RSAPrivateKey(ctx, rsa), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - wolfSSL_RSA_free(rsa); - rsa = NULL; - -#if defined(USE_CERT_BUFFERS_2048) && defined(WOLFSSL_KEY_GEN) - /* set RSA using bio*/ - ExpectIntGT(BIO_write(bio, client_key_der_2048, - sizeof_client_key_der_2048), 0); - ExpectNotNull(d2i_RSAPrivateKey_bio(bio, &rsa)); - ExpectNotNull(rsa); - - /* Tests bad parameters */ - ExpectIntEQ(SSL_CTX_use_RSAPrivateKey(NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(SSL_CTX_use_RSAPrivateKey(ctx, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(SSL_CTX_use_RSAPrivateKey(NULL, rsa), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - - ExpectIntEQ(SSL_CTX_use_RSAPrivateKey(ctx, rsa), WOLFSSL_SUCCESS); + for (i = 0; i < XELEM_CNT(test_params) && !EXPECT_FAIL(); i++) { + XMEMSET(&func_cb_client, 0, sizeof(func_cb_client)); + XMEMSET(&func_cb_server, 0, sizeof(func_cb_server)); - /* i2d RSAprivate key tests */ - ExpectIntEQ(wolfSSL_i2d_RSAPrivateKey(NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(wolfSSL_i2d_RSAPrivateKey(rsa, NULL), 1192); - ExpectIntEQ(wolfSSL_i2d_RSAPrivateKey(rsa, &bufPtr), - sizeof_client_key_der_2048); - bufPtr -= sizeof_client_key_der_2048; - ExpectIntEQ(XMEMCMP(bufPtr, client_key_der_2048, - sizeof_client_key_der_2048), 0); - bufPtr = NULL; - ExpectIntEQ(wolfSSL_i2d_RSAPrivateKey(rsa, &bufPtr), - sizeof_client_key_der_2048); - ExpectNotNull(bufPtr); - ExpectIntEQ(XMEMCMP(bufPtr, client_key_der_2048, - sizeof_client_key_der_2048), 0); - XFREE(bufPtr, NULL, DYNAMIC_TYPE_OPENSSL); + printf("\tTesting with %s...\n", test_params[i].desc); - RSA_free(rsa); - rsa = NULL; - ExpectIntGT(BIO_write(bio, client_key_der_2048, - sizeof_client_key_der_2048), 0); - ExpectNotNull(d2i_RSA_PUBKEY_bio(bio, &rsa)); - (void)BIO_reset(bio); + 
func_cb_client.method = test_params[i].client_meth; + func_cb_server.method = test_params[i].server_meth; + func_cb_client.ctx_ready = certSetupCb; + func_cb_client.ssl_ready = certClearCb; + func_cb_server.ctx_ready = certSetupCb; + func_cb_server.ssl_ready = certClearCb; - RSA_free(rsa); - rsa = RSA_new(); - ExpectIntEQ(wolfSSL_i2d_RSAPrivateKey(rsa, NULL), 0); -#endif /* USE_CERT_BUFFERS_2048 WOLFSSL_KEY_GEN */ - RSA_free(rsa); + ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&func_cb_client, + &func_cb_server, NULL), TEST_SUCCESS); } -#endif /* WOLFSSL_KEY_GEN && !NO_RSA */ - SSL_CTX_free(ctx); - ctx = NULL; - BIO_free(bio); - bio = NULL; - +#endif return EXPECT_RESULT(); } -#endif /* OPENSSL_ALL || (WOLFSSL_ASIO && !NO_RSA) */ - -#endif /* !NO_BIO */ +#if defined(OPENSSL_EXTRA) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) -static int test_wolfSSL_sk_GENERAL_NAME(void) +static const char* test_wolfSSL_cert_cb_dyn_ciphers_client_cipher = NULL; +static const char* test_wolfSSL_cert_cb_dyn_ciphers_client_sigalgs = NULL; +static int test_wolfSSL_cert_cb_dyn_ciphers_client_ctx_ready(WOLFSSL_CTX* ctx) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \ - !defined(NO_RSA) - X509* x509 = NULL; - GENERAL_NAME* gn = NULL; - GENERAL_NAME* dup_gn = NULL; - unsigned char buf[4096]; - const unsigned char* bufPt = NULL; - int bytes = 0; - int i; - int j; - XFILE f = XBADFILE; - STACK_OF(GENERAL_NAME)* sk = NULL; - - ExpectTrue((f = XFOPEN(cliCertDerFileExt, "rb")) != XBADFILE); - ExpectIntGT((bytes = (int)XFREAD(buf, 1, sizeof(buf), f)), 0); - if (f != XBADFILE) - XFCLOSE(f); + ExpectIntEQ(wolfSSL_CTX_set_cipher_list(ctx, + test_wolfSSL_cert_cb_dyn_ciphers_client_cipher), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, + test_wolfSSL_cert_cb_dyn_ciphers_client_sigalgs), WOLFSSL_SUCCESS); + return EXPECT_RESULT(); +} - for (j = 0; j < 2; ++j) { - bufPt = buf; - ExpectNotNull(x509 = d2i_X509(NULL, &bufPt, 
bytes)); +static int test_wolfSSL_cert_cb_dyn_ciphers_certCB(WOLFSSL* ssl, void* arg) +{ + const byte* suites = NULL; + word16 suiteSz = 0; + const byte* hashSigAlgo = NULL; + word16 hashSigAlgoSz = 0; + word16 idx = 0; + int haveRSA = 0; + int haveECC = 0; - ExpectNotNull(sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509, - NID_subject_alt_name, NULL, NULL)); + (void)arg; - ExpectIntEQ(sk_GENERAL_NAME_num(sk), 1); - for (i = 0; i < sk_GENERAL_NAME_num(sk); i++) { - ExpectNotNull(gn = sk_GENERAL_NAME_value(sk, i)); + if (wolfSSL_get_client_suites_sigalgs(ssl, &suites, &suiteSz, &hashSigAlgo, + &hashSigAlgoSz) != WOLFSSL_SUCCESS) + return 0; + if (suites == NULL || suiteSz == 0 || hashSigAlgo == NULL || + hashSigAlgoSz == 0) + return 0; - if (gn != NULL) { - switch (gn->type) { - case GEN_DNS: - fprintf(stderr, "found type GEN_DNS\n"); - break; - case GEN_EMAIL: - fprintf(stderr, "found type GEN_EMAIL\n"); - break; - case GEN_URI: - fprintf(stderr, "found type GEN_URI\n"); - break; - } - } + for (idx = 0; idx < suiteSz; idx += 2) { + WOLFSSL_CIPHERSUITE_INFO info = + wolfSSL_get_ciphersuite_info(suites[idx], suites[idx+1]); - ExpectNotNull(dup_gn = wolfSSL_GENERAL_NAME_dup(gn)); - wolfSSL_GENERAL_NAME_free(dup_gn); - dup_gn = NULL; - } - X509_free(x509); - x509 = NULL; - if (j == 0) { - sk_GENERAL_NAME_pop_free(sk, GENERAL_NAME_free); - } - else { - /* - * We had a bug where GENERAL_NAMES_free didn't free all the memory - * it was supposed to. This is a regression test for that bug. 
- */ - GENERAL_NAMES_free(sk); - } - sk = NULL; + if (info.rsaAuth) + haveRSA = 1; + else if (info.eccAuth) + haveECC = 1; } - ExpectNull(wolfSSL_GENERAL_NAME_dup(NULL)); - ExpectIntEQ(wolfSSL_GENERAL_NAME_set_type(NULL, WOLFSSL_GEN_IA5), - BAD_FUNC_ARG); - wolfSSL_GENERAL_NAMES_free(NULL); -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_GENERAL_NAME_print(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_ALL) && !defined(NO_BIO) && !defined(NO_RSA) - X509* x509 = NULL; - GENERAL_NAME* gn = NULL; - GENERAL_NAME* dup_gn = NULL; - unsigned char buf[4096]; - const unsigned char* bufPt = NULL; - int bytes = 0; - XFILE f = XBADFILE; - STACK_OF(GENERAL_NAME)* sk = NULL; - BIO* out = NULL; - unsigned char outbuf[128]; - - X509_EXTENSION* ext = NULL; - AUTHORITY_INFO_ACCESS* aia = NULL; - ACCESS_DESCRIPTION* ad = NULL; - ASN1_IA5STRING *dnsname = NULL; - ASN1_OBJECT* ridObj = NULL; + if (hashSigAlgoSz > 0) { + /* sigalgs extension takes precedence over ciphersuites */ + haveRSA = 0; + haveECC = 0; + } + for (idx = 0; idx < hashSigAlgoSz; idx += 2) { + int hashAlgo = 0; + int sigAlgo = 0; - const unsigned char v4Addr[] = {192,168,53,1}; - const unsigned char v6Addr[] = - {0x20, 0x21, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x77, 0x77}; - const unsigned char email[] = - {'i', 'n', 'f', 'o', '@', 'w', 'o', 'l', - 'f', 's', 's', 'l', '.', 'c', 'o', 'm'}; - const unsigned char ridData[] = { 0x06, 0x04, 0x2a, 0x03, 0x04, 0x05 }; - const unsigned char* p; - unsigned long len; + if (wolfSSL_get_sigalg_info(hashSigAlgo[idx+0], hashSigAlgo[idx+1], + &hashAlgo, &sigAlgo) != 0) + return 0; - const char* dnsStr = "DNS:example.com"; - const char* uriStr = "URI:http://127.0.0.1:22220"; - const char* v4addStr = "IP Address:192.168.53.1"; - const char* v6addStr = "IP Address:2021:DB8:0:0:0:FF00:42:7777"; - const char* emailStr = "email:info@wolfssl.com"; - const char* othrStr = "othername:"; - const char* x400Str = "X400Name:"; - const char* 
ediStr = "EdiPartyName:"; - const char* dirNameStr = "DirName:"; - const char* ridStr = "Registered ID:1.2.3.4.5"; + if (sigAlgo == RSAk || sigAlgo == RSAPSSk) + haveRSA = 1; + else if (sigAlgo == ECDSAk) + haveECC = 1; + } - /* BIO to output */ - ExpectNotNull(out = BIO_new(BIO_s_mem())); + if (haveRSA) { + if (wolfSSL_use_certificate_file(ssl, svrCertFile, WOLFSSL_FILETYPE_PEM) + != WOLFSSL_SUCCESS) + return 0; + if (wolfSSL_use_PrivateKey_file(ssl, svrKeyFile, WOLFSSL_FILETYPE_PEM) + != WOLFSSL_SUCCESS) + return 0; + } + else if (haveECC) { + if (wolfSSL_use_certificate_file(ssl, eccCertFile, WOLFSSL_FILETYPE_PEM) + != WOLFSSL_SUCCESS) + return 0; + if (wolfSSL_use_PrivateKey_file(ssl, eccKeyFile, WOLFSSL_FILETYPE_PEM) + != WOLFSSL_SUCCESS) + return 0; + } - /* test for NULL param */ - gn = NULL; + return 1; +} - ExpectIntEQ(GENERAL_NAME_print(NULL, NULL), 0); - ExpectIntEQ(GENERAL_NAME_print(NULL, gn), 0); - ExpectIntEQ(GENERAL_NAME_print(out, NULL), 0); +static int test_wolfSSL_cert_cb_dyn_ciphers_server_ctx_ready(WOLFSSL_CTX* ctx) +{ + SSL_CTX_set_cert_cb(ctx, test_wolfSSL_cert_cb_dyn_ciphers_certCB, NULL); + wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_NONE, NULL); + return TEST_SUCCESS; +} +#endif - /* test for GEN_DNS */ - ExpectTrue((f = XFOPEN(cliCertDerFileExt, "rb")) != XBADFILE); - ExpectIntGT((bytes = (int)XFREAD(buf, 1, sizeof(buf), f)), 0); - if (f != XBADFILE) { - XFCLOSE(f); - f = XBADFILE; - } +/* Testing dynamic ciphers offered by client */ +static int test_wolfSSL_cert_cb_dyn_ciphers(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) + test_ssl_cbf func_cb_client; + test_ssl_cbf func_cb_server; + struct { + method_provider client_meth; + const char* client_ciphers; + const char* client_sigalgs; + const char* client_ca; + method_provider server_meth; + } test_params[] = { +#if !defined(NO_SHA256) && defined(HAVE_AESGCM) +#ifdef WOLFSSL_TLS13 +#if !defined(NO_RSA) && defined(WC_RSA_PSS) + 
{wolfTLSv1_3_client_method, + "TLS13-AES256-GCM-SHA384:TLS13-AES128-GCM-SHA256", + "RSA-PSS+SHA256", caCertFile, wolfTLSv1_3_server_method}, +#endif +#ifdef HAVE_ECC + {wolfTLSv1_3_client_method, + "TLS13-AES256-GCM-SHA384:TLS13-AES128-GCM-SHA256", + "ECDSA+SHA256", caEccCertFile, wolfTLSv1_3_server_method}, +#endif +#endif +#ifndef WOLFSSL_NO_TLS12 +#if !defined(NO_RSA) && defined(WC_RSA_PSS) && !defined(NO_DH) + {wolfTLSv1_2_client_method, + "DHE-RSA-AES128-GCM-SHA256", + "RSA-PSS+SHA256", caCertFile, wolfTLSv1_2_server_method}, +#endif +#ifdef HAVE_ECC + {wolfTLSv1_2_client_method, + "ECDHE-ECDSA-AES128-GCM-SHA256", + "ECDSA+SHA256", caEccCertFile, wolfTLSv1_2_server_method}, +#endif +#endif +#endif + }; + size_t i; + size_t testCount = sizeof(test_params)/sizeof(*test_params); - bufPt = buf; - ExpectNotNull(x509 = d2i_X509(NULL, &bufPt, bytes)); - ExpectNotNull(sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509, - NID_subject_alt_name, NULL, NULL)); + if (testCount > 0) { + for (i = 0; i < testCount; i++) { + printf("\tTesting %s ciphers with %s sigalgs\n", + test_params[i].client_ciphers, + test_params[i].client_sigalgs); - ExpectNotNull(gn = sk_GENERAL_NAME_value(sk, 0)); - ExpectIntEQ(GENERAL_NAME_print(out, gn), 1); + XMEMSET(&func_cb_client, 0, sizeof(func_cb_client)); + XMEMSET(&func_cb_server, 0, sizeof(func_cb_server)); - XMEMSET(outbuf, 0, sizeof(outbuf)); - ExpectIntGT(BIO_read(out, outbuf, sizeof(outbuf)), 0); - ExpectIntEQ(XSTRNCMP((const char*)outbuf, dnsStr, XSTRLEN(dnsStr)), 0); + test_wolfSSL_cert_cb_dyn_ciphers_client_cipher = + test_params[i].client_ciphers; + test_wolfSSL_cert_cb_dyn_ciphers_client_sigalgs = + test_params[i].client_sigalgs; + func_cb_client.method = test_params[i].client_meth; + func_cb_client.caPemFile = test_params[i].client_ca; + func_cb_client.ctx_ready = + test_wolfSSL_cert_cb_dyn_ciphers_client_ctx_ready; - sk_GENERAL_NAME_pop_free(sk, GENERAL_NAME_free); - gn = NULL; - sk = NULL; - X509_free(x509); - x509 = NULL; + 
func_cb_server.ctx_ready = + test_wolfSSL_cert_cb_dyn_ciphers_server_ctx_ready; + func_cb_server.ssl_ready = certClearCb; /* Reuse from prev test */ + func_cb_server.method = test_params[i].server_meth; - /* Lets test for setting as well. */ - ExpectNotNull(gn = GENERAL_NAME_new()); - ExpectNotNull(dnsname = ASN1_IA5STRING_new()); - ExpectIntEQ(ASN1_STRING_set(dnsname, "example.com", -1), 1); - GENERAL_NAME_set0_value(gn, GEN_DNS, dnsname); - dnsname = NULL; - ExpectIntEQ(GENERAL_NAME_print(out, gn), 1); - XMEMSET(outbuf, 0, sizeof(outbuf)); - ExpectIntGT(BIO_read(out, outbuf, sizeof(outbuf)), 0); - ExpectIntEQ(XSTRNCMP((const char*)outbuf, dnsStr, XSTRLEN(dnsStr)), 0); - ExpectNotNull(dup_gn = GENERAL_NAME_dup(gn)); - wolfSSL_GENERAL_NAME_set0_value(NULL, WOLFSSL_GEN_IA5, NULL); - wolfSSL_GENERAL_NAME_set0_value(dup_gn, WOLFSSL_GEN_IA5, NULL); - wolfSSL_GENERAL_NAME_set0_value(NULL, WOLFSSL_GEN_DNS, NULL); - wolfSSL_GENERAL_NAME_set0_value(NULL, WOLFSSL_GEN_IA5, outbuf); - wolfSSL_GENERAL_NAME_set0_value(dup_gn, WOLFSSL_GEN_DNS, NULL); - wolfSSL_GENERAL_NAME_set0_value(dup_gn, WOLFSSL_GEN_IA5, outbuf); - wolfSSL_GENERAL_NAME_set0_value(NULL, WOLFSSL_GEN_DNS, outbuf); - GENERAL_NAME_free(dup_gn); - dup_gn = NULL; - GENERAL_NAME_free(gn); + ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&func_cb_client, + &func_cb_server, NULL), TEST_SUCCESS); + } + } +#endif + return EXPECT_RESULT(); +} - /* test for GEN_URI */ +static int test_wolfSSL_ciphersuite_auth(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) + WOLFSSL_CIPHERSUITE_INFO info; - ExpectTrue((f = XFOPEN("./certs/ocsp/root-ca-cert.pem", "rb")) != XBADFILE); - ExpectNotNull(x509 = wolfSSL_PEM_read_X509(f, NULL, NULL, NULL)); - if (f != XBADFILE) { - XFCLOSE(f); - f = XBADFILE; - } + (void)info; - ExpectNotNull(ext = wolfSSL_X509_get_ext(x509, 4)); - ExpectNotNull(aia = (WOLFSSL_AUTHORITY_INFO_ACCESS*)wolfSSL_X509V3_EXT_d2i( - ext)); - ExpectNotNull(ad = (WOLFSSL_ACCESS_DESCRIPTION *)wolfSSL_sk_value(aia, 
0)); +#ifndef WOLFSSL_NO_TLS12 +#ifdef HAVE_CHACHA + info = wolfSSL_get_ciphersuite_info(CHACHA_BYTE, + TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256); + ExpectIntEQ(info.rsaAuth, 1); + ExpectIntEQ(info.eccAuth, 0); + ExpectIntEQ(info.eccStatic, 0); + ExpectIntEQ(info.psk, 0); - if (ad != NULL) { - gn = ad->location; - } - ExpectNotNull(dup_gn = GENERAL_NAME_dup(gn)); - GENERAL_NAME_free(dup_gn); - dup_gn = NULL; - ExpectIntEQ(GENERAL_NAME_print(out, gn), 1); - gn = NULL; + info = wolfSSL_get_ciphersuite_info(CHACHA_BYTE, + TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256); + ExpectIntEQ(info.rsaAuth, 0); + ExpectIntEQ(info.eccAuth, 1); + ExpectIntEQ(info.eccStatic, 0); + ExpectIntEQ(info.psk, 0); - XMEMSET(outbuf,0,sizeof(outbuf)); - ExpectIntGT(BIO_read(out, outbuf, sizeof(outbuf)), 0); - ExpectIntEQ(XSTRNCMP((const char*)outbuf, uriStr, XSTRLEN(uriStr)), 0); + info = wolfSSL_get_ciphersuite_info(CHACHA_BYTE, + TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256); + ExpectIntEQ(info.rsaAuth, 0); + ExpectIntEQ(info.eccAuth, 0); + ExpectIntEQ(info.eccStatic, 0); + ExpectIntEQ(info.psk, 1); +#endif +#if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || defined(HAVE_CURVE448) +#ifndef NO_RSA + info = wolfSSL_get_ciphersuite_info(ECC_BYTE, + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA); + ExpectIntEQ(info.rsaAuth, 1); + ExpectIntEQ(info.eccAuth, 0); + ExpectIntEQ(info.eccStatic, 0); + ExpectIntEQ(info.psk, 0); - wolfSSL_sk_ACCESS_DESCRIPTION_pop_free(aia, NULL); - aia = NULL; - aia = (AUTHORITY_INFO_ACCESS*)wolfSSL_X509V3_EXT_d2i(ext); - ExpectNotNull(aia); - AUTHORITY_INFO_ACCESS_pop_free(aia, NULL); - aia = NULL; - X509_free(x509); - x509 = NULL; + info = wolfSSL_get_ciphersuite_info(ECC_BYTE, + TLS_ECDH_RSA_WITH_AES_128_CBC_SHA); + ExpectIntEQ(info.rsaAuth, 1); + ExpectIntEQ(info.eccAuth, 0); + ExpectIntEQ(info.eccStatic, 1); + ExpectIntEQ(info.psk, 0); - /* test for GEN_IPADD */ + info = wolfSSL_get_ciphersuite_info(ECC_BYTE, + TLS_ECDH_RSA_WITH_AES_256_CBC_SHA); + 
ExpectIntEQ(info.rsaAuth, 1); + ExpectIntEQ(info.eccAuth, 0); + ExpectIntEQ(info.eccStatic, 1); + ExpectIntEQ(info.psk, 0); +#endif + info = wolfSSL_get_ciphersuite_info(ECC_BYTE, + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA); + ExpectIntEQ(info.rsaAuth, 0); + ExpectIntEQ(info.eccAuth, 1); + ExpectIntEQ(info.eccStatic, 0); + ExpectIntEQ(info.psk, 0); - /* ip v4 address */ - ExpectNotNull(gn = wolfSSL_GENERAL_NAME_new()); - if (gn != NULL) { - gn->type = GEN_IPADD; - if (gn->d.iPAddress != NULL) { - gn->d.iPAddress->length = sizeof(v4Addr); - } - } - ExpectIntEQ(wolfSSL_ASN1_STRING_set(gn->d.iPAddress, v4Addr, - sizeof(v4Addr)), 1); + info = wolfSSL_get_ciphersuite_info(ECC_BYTE, + TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA); + ExpectIntEQ(info.rsaAuth, 0); + ExpectIntEQ(info.eccAuth, 1); + ExpectIntEQ(info.eccStatic, 1); + ExpectIntEQ(info.psk, 0); - ExpectIntEQ(GENERAL_NAME_print(out, gn), 1); - XMEMSET(outbuf,0,sizeof(outbuf)); - ExpectIntGT(BIO_read(out, outbuf, sizeof(outbuf)), 0); - ExpectIntEQ(XSTRNCMP((const char*)outbuf, v4addStr, XSTRLEN(v4addStr)), 0); + info = wolfSSL_get_ciphersuite_info(ECDHE_PSK_BYTE, + TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256); + ExpectIntEQ(info.rsaAuth, 0); + ExpectIntEQ(info.eccAuth, 0); + ExpectIntEQ(info.eccStatic, 0); + ExpectIntEQ(info.psk, 1); +#endif +#endif - ExpectNotNull(dup_gn = GENERAL_NAME_dup(gn)); - GENERAL_NAME_free(dup_gn); - dup_gn = NULL; +#ifdef WOLFSSL_TLS13 + info = wolfSSL_get_ciphersuite_info(TLS13_BYTE, + TLS_AES_128_GCM_SHA256); + ExpectIntEQ(info.rsaAuth, 0); + ExpectIntEQ(info.eccAuth, 0); + ExpectIntEQ(info.eccStatic, 0); + ExpectIntEQ(info.psk, 0); +#endif - GENERAL_NAME_free(gn); - gn = NULL; +#endif + return EXPECT_RESULT(); +} - /* ip v6 address */ +static int test_wolfSSL_sigalg_info(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) + byte hashSigAlgo[WOLFSSL_MAX_SIGALGO]; + word16 len = 0; + word16 idx = 0; + int allSigAlgs = SIG_ECDSA | SIG_RSA | SIG_SM2 | SIG_FALCON | SIG_DILITHIUM; - ExpectNotNull(gn = 
wolfSSL_GENERAL_NAME_new()); - if (gn != NULL) { - gn->type = GEN_IPADD; - if (gn->d.iPAddress != NULL) { - gn->d.iPAddress->length = sizeof(v6Addr); - } - } - ExpectIntEQ(wolfSSL_ASN1_STRING_set(gn->d.iPAddress, v6Addr, - sizeof(v6Addr)), 1); + InitSuitesHashSigAlgo(hashSigAlgo, allSigAlgs, 1, 0xFFFFFFFF, &len); + for (idx = 0; idx < len; idx += 2) { + int hashAlgo = 0; + int sigAlgo = 0; - ExpectIntEQ(GENERAL_NAME_print(out, gn), 1); - XMEMSET(outbuf,0,sizeof(outbuf)); - ExpectIntGT(BIO_read(out, outbuf, sizeof(outbuf)), 0); - ExpectIntEQ(XSTRNCMP((const char*)outbuf, v6addStr, XSTRLEN(v6addStr)), 0); + ExpectIntEQ(wolfSSL_get_sigalg_info(hashSigAlgo[idx+0], + hashSigAlgo[idx+1], &hashAlgo, &sigAlgo), 0); - ExpectNotNull(dup_gn = GENERAL_NAME_dup(gn)); - GENERAL_NAME_free(dup_gn); - dup_gn = NULL; + ExpectIntNE(hashAlgo, 0); + ExpectIntNE(sigAlgo, 0); + } - GENERAL_NAME_free(gn); - gn = NULL; + InitSuitesHashSigAlgo(hashSigAlgo, allSigAlgs | SIG_ANON, 1, + 0xFFFFFFFF, &len); + for (idx = 0; idx < len; idx += 2) { + int hashAlgo = 0; + int sigAlgo = 0; - /* test for GEN_EMAIL */ + ExpectIntEQ(wolfSSL_get_sigalg_info(hashSigAlgo[idx+0], + hashSigAlgo[idx+1], &hashAlgo, &sigAlgo), 0); - ExpectNotNull(gn = wolfSSL_GENERAL_NAME_new()); - if (gn != NULL) { - gn->type = GEN_EMAIL; - if (gn->d.rfc822Name != NULL) { - gn->d.rfc822Name->length = sizeof(email); - } + ExpectIntNE(hashAlgo, 0); } - ExpectIntEQ(wolfSSL_ASN1_STRING_set(gn->d.rfc822Name, email, sizeof(email)), - 1); - ExpectIntEQ(GENERAL_NAME_print(out, gn), 1); - XMEMSET(outbuf,0,sizeof(outbuf)); - ExpectIntGT(BIO_read(out, outbuf, sizeof(outbuf)), 0); - ExpectIntEQ(XSTRNCMP((const char*)outbuf, emailStr, XSTRLEN(emailStr)), 0); +#endif + return EXPECT_RESULT(); +} - ExpectNotNull(dup_gn = GENERAL_NAME_dup(gn)); - GENERAL_NAME_free(dup_gn); - dup_gn = NULL; +static int test_wolfSSL_SESSION(void) +{ + EXPECT_DECLS; +#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \ + !defined(NO_RSA) && !defined(NO_SHA256) 
&& \ + defined(HAVE_IO_TESTS_DEPENDENCIES) && !defined(NO_SESSION_CACHE) + WOLFSSL* ssl = NULL; + WOLFSSL_CTX* ctx = NULL; + WOLFSSL_SESSION* sess = NULL; + WOLFSSL_SESSION* sess_copy = NULL; +#ifdef OPENSSL_EXTRA +#ifdef HAVE_EXT_CACHE + unsigned char* sessDer = NULL; + unsigned char* ptr = NULL; + int sz = 0; +#endif + const unsigned char context[] = "user app context"; + unsigned int contextSz = (unsigned int)sizeof(context); +#endif + int ret = 0, err = 0; + SOCKET_T sockfd; + tcp_ready ready; + func_args server_args; + THREAD_TYPE serverThread; + char msg[80]; + const char* sendGET = "GET"; - GENERAL_NAME_free(gn); - gn = NULL; + /* TLS v1.3 requires session tickets */ + /* CHACHA and POLY1305 required for myTicketEncCb */ +#if !defined(WOLFSSL_NO_TLS12) && (!defined(WOLFSSL_TLS13) || \ + !(defined(HAVE_SESSION_TICKET) && ((defined(HAVE_CHACHA) && \ + defined(HAVE_POLY1305)) || defined(HAVE_AESGCM)))) + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method())); +#else + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); +#endif - /* test for GEN_OTHERNAME */ + ExpectTrue(wolfSSL_CTX_use_certificate_file(ctx, cliCertFile, + CERT_FILETYPE)); + ExpectTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, cliKeyFile, + CERT_FILETYPE)); + ExpectIntEQ(wolfSSL_CTX_load_verify_locations(ctx, caCertFile, 0), + WOLFSSL_SUCCESS); +#ifdef WOLFSSL_ENCRYPTED_KEYS + wolfSSL_CTX_set_default_passwd_cb(ctx, PasswordCallBack); +#endif +#ifdef HAVE_SESSION_TICKET + /* Use session tickets, for ticket tests below */ + ExpectIntEQ(wolfSSL_CTX_UseSessionTicket(ctx), WOLFSSL_SUCCESS); +#endif - ExpectNotNull(gn = wolfSSL_GENERAL_NAME_new()); - if (gn != NULL) { - gn->type = GEN_OTHERNAME; - } + XMEMSET(&server_args, 0, sizeof(func_args)); +#ifdef WOLFSSL_TIRTOS + fdOpenSession(Task_self()); +#endif - ExpectIntEQ(GENERAL_NAME_print(out, gn), 1); - XMEMSET(outbuf,0,sizeof(outbuf)); - ExpectIntGT(BIO_read(out, outbuf, sizeof(outbuf)), 0); - ExpectIntEQ(XSTRNCMP((const 
char*)outbuf, othrStr, XSTRLEN(othrStr)), 0); + StartTCP(); + InitTcpReady(&ready); - GENERAL_NAME_free(gn); - gn = NULL; +#if defined(USE_WINDOWS_API) + /* use RNG to get random port if using windows */ + ready.port = GetRandomPort(); +#endif - /* test for GEN_X400 */ + server_args.signal = &ready; + start_thread(test_server_nofail, &server_args, &serverThread); + wait_tcp_ready(&server_args); - ExpectNotNull(gn = wolfSSL_GENERAL_NAME_new()); - if (gn != NULL) { - gn->type = GEN_X400; - } + /* client connection */ + ExpectNotNull(ssl = wolfSSL_new(ctx)); + tcp_connect(&sockfd, wolfSSLIP, ready.port, 0, 0, ssl); + ExpectIntEQ(wolfSSL_set_fd(ssl, sockfd), WOLFSSL_SUCCESS); - ExpectIntEQ(GENERAL_NAME_print(out, gn), 1); - XMEMSET(outbuf,0,sizeof(outbuf)); - ExpectIntGT(BIO_read(out, outbuf, sizeof(outbuf)), 0); - ExpectIntEQ(XSTRNCMP((const char*)outbuf, x400Str, XSTRLEN(x400Str)), 0); + WOLFSSL_ASYNC_WHILE_PENDING(ret = wolfSSL_connect(ssl), + ret != WOLFSSL_SUCCESS); + ExpectIntEQ(ret, WOLFSSL_SUCCESS); - /* Restore to GEN_IA5 (default) to avoid memory leak. */ - if (gn != NULL) { - gn->type = GEN_IA5; - } + WOLFSSL_ASYNC_WHILE_PENDING( + ret = wolfSSL_write(ssl, sendGET, (int)XSTRLEN(sendGET)), + ret <= 0); + ExpectIntEQ(ret, (int)XSTRLEN(sendGET)); - /* Duplicating GEN_X400 not supported. 
*/ - ExpectNull(GENERAL_NAME_dup(gn)); + WOLFSSL_ASYNC_WHILE_PENDING(ret = wolfSSL_read(ssl, msg, sizeof(msg)), + ret != 23); + ExpectIntEQ(ret, 23); - GENERAL_NAME_free(gn); - gn = NULL; + ExpectPtrNE((sess = wolfSSL_get1_session(ssl)), NULL); /* ref count 1 */ + ExpectPtrNE((sess_copy = wolfSSL_get1_session(ssl)), NULL); /* ref count 2 */ + ExpectIntEQ(wolfSSL_SessionIsSetup(sess), 1); +#ifdef HAVE_EXT_CACHE + ExpectPtrEq(sess, sess_copy); /* they should be the same pointer but without + * HAVE_EXT_CACHE we get new objects each time */ +#endif + wolfSSL_SESSION_free(sess_copy); sess_copy = NULL; + wolfSSL_SESSION_free(sess); sess = NULL; /* free session ref */ - /* test for GEN_EDIPARTY */ + sess = wolfSSL_get_session(ssl); - ExpectNotNull(gn = wolfSSL_GENERAL_NAME_new()); - if (gn != NULL) { - gn->type = GEN_EDIPARTY; - } +#ifdef OPENSSL_EXTRA + ExpectIntEQ(SSL_SESSION_is_resumable(NULL), 0); + ExpectIntEQ(SSL_SESSION_is_resumable(sess), 1); - ExpectIntEQ(GENERAL_NAME_print(out, gn), 1); - XMEMSET(outbuf,0,sizeof(outbuf)); - ExpectIntGT(BIO_read(out, outbuf, sizeof(outbuf)), 0); - ExpectIntEQ(XSTRNCMP((const char*)outbuf, ediStr, XSTRLEN(ediStr)), 0); + ExpectIntEQ(wolfSSL_SESSION_has_ticket(NULL), 0); + ExpectIntEQ(wolfSSL_SESSION_get_ticket_lifetime_hint(NULL), 0); + #ifdef HAVE_SESSION_TICKET + ExpectIntEQ(wolfSSL_SESSION_has_ticket(sess), 1); + ExpectIntEQ(wolfSSL_SESSION_get_ticket_lifetime_hint(sess), + SESSION_TICKET_HINT_DEFAULT); + #else + ExpectIntEQ(wolfSSL_SESSION_has_ticket(sess), 0); + #endif +#else + (void)sess; +#endif /* OPENSSL_EXTRA */ - /* Restore to GEN_IA5 (default) to avoid memory leak. */ - if (gn != NULL) { - gn->type = GEN_IA5; - } + /* Retain copy of the session for later testing */ + ExpectNotNull(sess = wolfSSL_get1_session(ssl)); - /* Duplicating GEN_EDIPARTY not supported. 
*/ - ExpectNull(dup_gn = GENERAL_NAME_dup(gn)); + wolfSSL_shutdown(ssl); + wolfSSL_free(ssl); ssl = NULL; - GENERAL_NAME_free(gn); - gn = NULL; + CloseSocket(sockfd); - /* test for GEN_DIRNAME */ - ExpectNotNull(gn = wolfSSL_GENERAL_NAME_new()); - if (gn != NULL) { - gn->type = GEN_DIRNAME; - } - ExpectIntEQ(GENERAL_NAME_print(out, gn), 1); - XMEMSET(outbuf,0,sizeof(outbuf)); - ExpectIntGT(BIO_read(out, outbuf, sizeof(outbuf)), 0); - ExpectIntEQ(XSTRNCMP((const char*)outbuf, dirNameStr, XSTRLEN(dirNameStr)), - 0); - /* Duplicating GEN_DIRNAME not supported. */ - ExpectNull(dup_gn = GENERAL_NAME_dup(gn)); - /* Restore to GEN_IA5 (default) to avoid memory leak. */ - if (gn != NULL) { - gn->type = GEN_IA5; - } - GENERAL_NAME_free(gn); - gn = NULL; + join_thread(serverThread); - /* test for GEN_RID */ - p = ridData; - len = sizeof(ridData); - ExpectNotNull(ridObj = wolfSSL_d2i_ASN1_OBJECT(NULL, &p, len)); - ExpectNotNull(gn = wolfSSL_GENERAL_NAME_new()); - if (gn != NULL) { - gn->type = GEN_RID; - wolfSSL_ASN1_STRING_free(gn->d.ia5); - gn->d.registeredID = ridObj; - } - else { - wolfSSL_ASN1_OBJECT_free(ridObj); - } - ExpectIntEQ(GENERAL_NAME_print(out, gn), 1); - XMEMSET(outbuf,0,sizeof(outbuf)); - ExpectIntGT(BIO_read(out, outbuf, sizeof(outbuf)), 0); - ExpectIntEQ(XSTRNCMP((const char*)outbuf, ridStr, XSTRLEN(ridStr)), 0); - /* Duplicating GEN_DIRNAME not supported. 
*/ - ExpectNull(dup_gn = GENERAL_NAME_dup(gn)); - GENERAL_NAME_free(gn); - gn = NULL; + FreeTcpReady(&ready); - BIO_free(out); -#endif /* OPENSSL_ALL */ - return EXPECT_RESULT(); -} +#ifdef WOLFSSL_TIRTOS + fdOpenSession(Task_self()); +#endif -static int test_wolfSSL_sk_DIST_POINT(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \ - !defined(NO_RSA) - X509* x509 = NULL; - unsigned char buf[4096]; - const unsigned char* bufPt; - int bytes = 0; - int i = 0; - int j = 0; - XFILE f = XBADFILE; - DIST_POINT* dp = NULL; - DIST_POINT_NAME* dpn = NULL; - GENERAL_NAME* gn = NULL; - ASN1_IA5STRING* uri = NULL; - STACK_OF(DIST_POINT)* dps = NULL; - STACK_OF(GENERAL_NAME)* gns = NULL; - const char cliCertDerCrlDistPoint[] = "./certs/client-crl-dist.der"; +#if defined(SESSION_CERTS) && defined(OPENSSL_EXTRA) + { + X509 *x509 = NULL; + char buf[30]; + int bufSz = 0; - ExpectTrue((f = XFOPEN(cliCertDerCrlDistPoint, "rb")) != XBADFILE); - ExpectIntGT((bytes = (int)XFREAD(buf, 1, sizeof(buf), f)), 0); - if (f != XBADFILE) - XFCLOSE(f); + ExpectNotNull(x509 = SSL_SESSION_get0_peer(sess)); + ExpectIntGT((bufSz = X509_NAME_get_text_by_NID( + X509_get_subject_name(x509), NID_organizationalUnitName, buf, + sizeof(buf))), 0); + ExpectIntNE((bufSz == 7 || bufSz == 16), 0); /* should be one of these*/ + if (bufSz == 7) { + ExpectIntEQ(XMEMCMP(buf, "Support", bufSz), 0); + } + if (bufSz == 16) { + ExpectIntEQ(XMEMCMP(buf, "Programming-2048", bufSz), 0); + } + } +#endif - bufPt = buf; - ExpectNotNull(x509 = d2i_X509(NULL, &bufPt, bytes)); +#ifdef HAVE_EXT_CACHE + ExpectNotNull(sess_copy = wolfSSL_SESSION_dup(sess)); + wolfSSL_SESSION_free(sess_copy); sess_copy = NULL; + sess_copy = NULL; +#endif + +#if defined(OPENSSL_EXTRA) && defined(HAVE_EXT_CACHE) + /* get session from DER and update the timeout */ + ExpectIntEQ(wolfSSL_i2d_SSL_SESSION(NULL, &sessDer), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntGT((sz = wolfSSL_i2d_SSL_SESSION(sess, 
&sessDer)), 0); + wolfSSL_SESSION_free(sess); sess = NULL; + sess = NULL; + ptr = sessDer; + ExpectNull(sess = wolfSSL_d2i_SSL_SESSION(NULL, NULL, sz)); + ExpectNotNull(sess = wolfSSL_d2i_SSL_SESSION(NULL, + (const unsigned char**)&ptr, sz)); + XFREE(sessDer, NULL, DYNAMIC_TYPE_OPENSSL); + sessDer = NULL; - ExpectNotNull(dps = (STACK_OF(DIST_POINT)*)X509_get_ext_d2i(x509, - NID_crl_distribution_points, NULL, NULL)); + ExpectIntGT(wolfSSL_SESSION_get_time(sess), 0); + ExpectIntEQ(wolfSSL_SSL_SESSION_set_timeout(sess, 500), SSL_SUCCESS); +#endif - ExpectIntEQ(sk_DIST_POINT_num(dps), 1); - for (i = 0; i < sk_DIST_POINT_num(dps); i++) { - ExpectNotNull(dp = sk_DIST_POINT_value(dps, i)); - ExpectNotNull(dpn = dp->distpoint); + /* successful set session test */ + ExpectNotNull(ssl = wolfSSL_new(ctx)); + ExpectIntEQ(wolfSSL_set_session(ssl, sess), WOLFSSL_SUCCESS); - /* this should be type 0, fullname */ - ExpectIntEQ(dpn->type, 0); +#ifdef HAVE_SESSION_TICKET + /* Test set/get session ticket */ + { + const char* ticket = "This is a session ticket"; + char buf[64] = {0}; + word32 bufSz = (word32)sizeof(buf); + word32 retSz = 0; - ExpectNotNull(gns = dp->distpoint->name.fullname); - ExpectIntEQ(sk_GENERAL_NAME_num(gns), 1); + ExpectIntEQ(WOLFSSL_SUCCESS, + wolfSSL_set_SessionTicket(ssl, (byte *)ticket, + (word32)XSTRLEN(ticket))); + ExpectIntEQ(WOLFSSL_SUCCESS, + wolfSSL_get_SessionTicket(ssl, (byte *)buf, &bufSz)); + ExpectStrEQ(ticket, buf); - for (j = 0; j < sk_GENERAL_NAME_num(gns); j++) { - ExpectNotNull(gn = sk_GENERAL_NAME_value(gns, j)); - ExpectIntEQ(gn->type, GEN_URI); - ExpectNotNull(uri = gn->d.uniformResourceIdentifier); - ExpectNotNull(uri->data); - ExpectIntGT(uri->length, 0); - } + /* return ticket length if buffer parameter is null */ + wolfSSL_get_SessionTicket(ssl, NULL, &retSz); + ExpectIntEQ(bufSz, retSz); } +#endif - ExpectNotNull(dp = wolfSSL_DIST_POINT_new()); - wolfSSL_DIST_POINT_free(NULL); - wolfSSL_DIST_POINTS_free(NULL); - 
wolfSSL_sk_DIST_POINT_free(NULL); - ExpectIntEQ(wolfSSL_sk_DIST_POINT_push(NULL, NULL), WOLFSSL_FAILURE); - ExpectIntEQ(wolfSSL_sk_DIST_POINT_push(dps, NULL), WOLFSSL_FAILURE); - ExpectIntEQ(wolfSSL_sk_DIST_POINT_push(NULL, dp), WOLFSSL_FAILURE); - ExpectNull(wolfSSL_sk_DIST_POINT_value(NULL, 0)); - ExpectIntEQ(wolfSSL_sk_DIST_POINT_num(NULL), WOLFSSL_FATAL_ERROR); - wolfSSL_DIST_POINT_free(dp); +#ifdef OPENSSL_EXTRA + /* session timeout case */ + /* make the session to be expired */ + ExpectIntEQ(SSL_SESSION_set_timeout(sess,1), SSL_SUCCESS); + XSLEEP_MS(1200); - X509_free(x509); - CRL_DIST_POINTS_free(dps); + /* SSL_set_session should reject specified session but return success + * if WOLFSSL_ERROR_CODE_OPENSSL macro is defined for OpenSSL compatibility. + */ +#if defined(WOLFSSL_ERROR_CODE_OPENSSL) + ExpectIntEQ(wolfSSL_set_session(ssl,sess), SSL_SUCCESS); +#else + ExpectIntEQ(wolfSSL_set_session(ssl,sess), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); +#endif + ExpectIntEQ(wolfSSL_SSL_SESSION_set_timeout(sess, 500), SSL_SUCCESS); + +#ifdef WOLFSSL_SESSION_ID_CTX + /* fail case with miss match session context IDs (use compatibility API) */ + ExpectIntEQ(SSL_set_session_id_context(ssl, context, contextSz), + SSL_SUCCESS); + ExpectIntEQ(wolfSSL_set_session(ssl, sess), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + wolfSSL_free(ssl); ssl = NULL; + + ExpectIntEQ(SSL_CTX_set_session_id_context(NULL, context, contextSz), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(SSL_CTX_set_session_id_context(ctx, context, contextSz), + SSL_SUCCESS); + ExpectNotNull(ssl = wolfSSL_new(ctx)); + ExpectIntEQ(wolfSSL_set_session(ssl, sess), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); +#endif +#endif /* OPENSSL_EXTRA */ + wolfSSL_free(ssl); + wolfSSL_SESSION_free(sess); + wolfSSL_CTX_free(ctx); #endif return EXPECT_RESULT(); } +#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \ + !defined(NO_RSA) && defined(HAVE_IO_TESTS_DEPENDENCIES) && \ + !defined(NO_SESSION_CACHE) && defined(OPENSSL_EXTRA) && \ + 
!defined(WOLFSSL_NO_TLS12) +static WOLFSSL_SESSION* test_wolfSSL_SESSION_expire_sess = NULL; - -static int test_wolfSSL_verify_mode(void) +static void test_wolfSSL_SESSION_expire_downgrade_ctx_ready(WOLFSSL_CTX* ctx) { - EXPECT_DECLS; -#if !defined(NO_RSA) && !defined(NO_TLS) && (defined(OPENSSL_ALL) || \ - defined(HAVE_STUNNEL) || defined(WOLFSSL_MYSQL_COMPATIBLE) || \ - defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)) - WOLFSSL* ssl = NULL; - WOLFSSL_CTX* ctx = NULL; - - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); - - ExpectNotNull(ssl = SSL_new(ctx)); - ExpectIntEQ(SSL_get_verify_mode(ssl), SSL_CTX_get_verify_mode(ctx)); - SSL_free(ssl); - ssl = NULL; + #ifdef WOLFSSL_ERROR_CODE_OPENSSL + /* returns previous timeout value */ + AssertIntEQ(wolfSSL_CTX_set_timeout(ctx, 1), 500); + #else + AssertIntEQ(wolfSSL_CTX_set_timeout(ctx, 1), WOLFSSL_SUCCESS); + #endif +} - SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, 0); - ExpectNotNull(ssl = SSL_new(ctx)); - ExpectIntEQ(SSL_get_verify_mode(ssl), SSL_CTX_get_verify_mode(ctx)); - ExpectIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_PEER); - wolfSSL_set_verify(ssl, SSL_VERIFY_NONE, 0); - ExpectIntEQ(SSL_CTX_get_verify_mode(ctx), SSL_VERIFY_PEER); - ExpectIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_NONE); +/* set the session to timeout in a second */ +static void test_wolfSSL_SESSION_expire_downgrade_ssl_ready(WOLFSSL* ssl) +{ + AssertIntEQ(wolfSSL_set_timeout(ssl, 2), 1); +} - SSL_free(ssl); - ssl = NULL; - wolfSSL_CTX_set_verify(ctx, - WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0); - ExpectNotNull(ssl = SSL_new(ctx)); - ExpectIntEQ(SSL_get_verify_mode(ssl), SSL_CTX_get_verify_mode(ctx)); - ExpectIntEQ(SSL_get_verify_mode(ssl), - WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT); +/* store the client side session from the first successful connection */ +static void test_wolfSSL_SESSION_expire_downgrade_ssl_result(WOLFSSL* ssl) +{ + AssertPtrNE((test_wolfSSL_SESSION_expire_sess = 
wolfSSL_get1_session(ssl)), + NULL); /* ref count 1 */ +} - wolfSSL_set_verify(ssl, SSL_VERIFY_PEER, 0); - ExpectIntEQ(SSL_CTX_get_verify_mode(ctx), - WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT); - ExpectIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_PEER); - wolfSSL_set_verify(ssl, SSL_VERIFY_NONE, 0); - ExpectIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_NONE); +/* wait till session is expired then set it in the WOLFSSL struct for use */ +static void test_wolfSSL_SESSION_expire_downgrade_ssl_ready_wait(WOLFSSL* ssl) +{ + AssertIntEQ(wolfSSL_set_timeout(ssl, 1), 1); + AssertIntEQ(wolfSSL_set_session(ssl, test_wolfSSL_SESSION_expire_sess), + WOLFSSL_SUCCESS); + XSLEEP_MS(2000); /* wait 2 seconds for session to expire */ +} - wolfSSL_set_verify(ssl, SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0); - ExpectIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_FAIL_IF_NO_PEER_CERT); - wolfSSL_set_verify(ssl, SSL_VERIFY_FAIL_EXCEPT_PSK, 0); - ExpectIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_FAIL_EXCEPT_PSK); +/* set expired session in the WOLFSSL struct for use */ +static void test_wolfSSL_SESSION_expire_downgrade_ssl_ready_set(WOLFSSL* ssl) +{ + XSLEEP_MS(1200); /* wait a second for session to expire */ -#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH) - wolfSSL_set_verify(ssl, SSL_VERIFY_POST_HANDSHAKE, 0); - ExpectIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_POST_HANDSHAKE); + /* set the expired session, call to set session fails but continuing on + after failure should be handled here */ +#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_ERROR_CODE_OPENSSL) + AssertIntEQ(wolfSSL_set_session(ssl, test_wolfSSL_SESSION_expire_sess), + WOLFSSL_SUCCESS); +#else + AssertIntNE(wolfSSL_set_session(ssl, test_wolfSSL_SESSION_expire_sess), + WOLFSSL_SUCCESS); #endif +} - ExpectIntEQ(SSL_CTX_get_verify_mode(ctx), - WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT); - SSL_free(ssl); - SSL_CTX_free(ctx); -#endif - return EXPECT_RESULT(); +/* check that the expired session 
was not reused */ +static void test_wolfSSL_SESSION_expire_downgrade_ssl_result_reuse(WOLFSSL* ssl) +{ + /* since the session has expired it should not have been reused */ + AssertIntEQ(wolfSSL_session_reused(ssl), 0); } +#endif - -static int test_wolfSSL_verify_depth(void) +static int test_wolfSSL_SESSION_expire_downgrade(void) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_TLS) && \ - !defined(NO_WOLFSSL_CLIENT) - WOLFSSL* ssl = NULL; - WOLFSSL_CTX* ctx = NULL; - long depth = 0; +#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \ + !defined(NO_RSA) && defined(HAVE_IO_TESTS_DEPENDENCIES) && \ + !defined(NO_SESSION_CACHE) && defined(OPENSSL_EXTRA) && \ + !defined(WOLFSSL_NO_TLS12) + callback_functions server_cbf, client_cbf; - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); - ExpectIntGT((depth = SSL_CTX_get_verify_depth(ctx)), 0); + XMEMSET(&server_cbf, 0, sizeof(callback_functions)); + XMEMSET(&client_cbf, 0, sizeof(callback_functions)); - ExpectNotNull(ssl = SSL_new(ctx)); - ExpectIntEQ(SSL_get_verify_depth(ssl), SSL_CTX_get_verify_depth(ctx)); - SSL_free(ssl); - ssl = NULL; + /* force server side to use TLS 1.2 */ + server_cbf.method = wolfTLSv1_2_server_method; - SSL_CTX_set_verify_depth(ctx, -1); - ExpectIntEQ(depth, SSL_CTX_get_verify_depth(ctx)); + client_cbf.method = wolfSSLv23_client_method; + server_cbf.ctx_ready = test_wolfSSL_SESSION_expire_downgrade_ctx_ready; + client_cbf.ssl_ready = test_wolfSSL_SESSION_expire_downgrade_ssl_ready; + client_cbf.on_result = test_wolfSSL_SESSION_expire_downgrade_ssl_result; - SSL_CTX_set_verify_depth(ctx, 2); - ExpectIntEQ(2, SSL_CTX_get_verify_depth(ctx)); - ExpectNotNull(ssl = SSL_new(ctx)); - ExpectIntEQ(2, SSL_get_verify_depth(ssl)); + test_wolfSSL_client_server_nofail(&client_cbf, &server_cbf); + ExpectIntEQ(client_cbf.return_code, TEST_SUCCESS); + ExpectIntEQ(server_cbf.return_code, TEST_SUCCESS); - SSL_free(ssl); - SSL_CTX_free(ctx); + client_cbf.method = 
wolfSSLv23_client_method; + server_cbf.ctx_ready = test_wolfSSL_SESSION_expire_downgrade_ctx_ready; + client_cbf.ssl_ready = test_wolfSSL_SESSION_expire_downgrade_ssl_ready_wait; + client_cbf.on_result = + test_wolfSSL_SESSION_expire_downgrade_ssl_result_reuse; + + test_wolfSSL_client_server_nofail(&client_cbf, &server_cbf); + ExpectIntEQ(client_cbf.return_code, TEST_SUCCESS); + ExpectIntEQ(server_cbf.return_code, TEST_SUCCESS); + + client_cbf.method = wolfSSLv23_client_method; + server_cbf.ctx_ready = test_wolfSSL_SESSION_expire_downgrade_ctx_ready; + client_cbf.ssl_ready = test_wolfSSL_SESSION_expire_downgrade_ssl_ready_set; + client_cbf.on_result = + test_wolfSSL_SESSION_expire_downgrade_ssl_result_reuse; + + test_wolfSSL_client_server_nofail(&client_cbf, &server_cbf); + ExpectIntEQ(client_cbf.return_code, TEST_SUCCESS); + ExpectIntEQ(server_cbf.return_code, TEST_SUCCESS); + + wolfSSL_SESSION_free(test_wolfSSL_SESSION_expire_sess); #endif return EXPECT_RESULT(); } -static int test_wolfSSL_verify_result(void) -{ - EXPECT_DECLS; -#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \ - defined(OPENSSL_ALL)) && !defined(NO_TLS) && !defined(NO_WOLFSSL_CLIENT) - WOLFSSL* ssl = NULL; - WOLFSSL_CTX* ctx = NULL; - long result = 0xDEADBEEF; +#if defined(OPENSSL_EXTRA) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \ + defined(HAVE_EX_DATA) && !defined(NO_SESSION_CACHE) +#ifdef WOLFSSL_ATOMIC_OPS + typedef wolfSSL_Atomic_Int SessRemCounter_t; +#else + typedef int SessRemCounter_t; +#endif +static SessRemCounter_t clientSessRemCountMalloc; +static SessRemCounter_t serverSessRemCountMalloc; +static SessRemCounter_t clientSessRemCountFree; +static SessRemCounter_t serverSessRemCountFree; - ExpectIntEQ(WC_NO_ERR_TRACE(WOLFSSL_FAILURE), wolfSSL_get_verify_result(ssl)); +static WOLFSSL_CTX* serverSessCtx = NULL; +static WOLFSSL_SESSION* serverSess = NULL; +#if (defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET)) || \ + !defined(NO_SESSION_CACHE_REF) +static 
WOLFSSL_CTX* clientSessCtx = NULL; +static WOLFSSL_SESSION* clientSess = NULL; +#endif +static int serverSessRemIdx = 3; +static int sessRemCtx_Server = WOLFSSL_SERVER_END; +static int sessRemCtx_Client = WOLFSSL_CLIENT_END; - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); - ExpectNotNull(ssl = SSL_new(ctx)); +static void SessRemCtxCb(WOLFSSL_CTX *ctx, WOLFSSL_SESSION *sess) +{ + int* side; - wolfSSL_set_verify_result(ssl, result); - ExpectIntEQ(result, wolfSSL_get_verify_result(ssl)); + (void)ctx; - SSL_free(ssl); - SSL_CTX_free(ctx); -#endif - return EXPECT_RESULT(); + side = (int*)SSL_SESSION_get_ex_data(sess, serverSessRemIdx); + if (side != NULL) { + if (*side == WOLFSSL_CLIENT_END) + (void)wolfSSL_Atomic_Int_FetchAdd(&clientSessRemCountFree, 1); + else + (void)wolfSSL_Atomic_Int_FetchAdd(&serverSessRemCountFree, 1); + + SSL_SESSION_set_ex_data(sess, serverSessRemIdx, NULL); + } } -#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_TLS) && \ - !defined(NO_WOLFSSL_CLIENT) -static void sslMsgCb(int w, int version, int type, const void* buf, - size_t sz, SSL* ssl, void* arg) +static int SessRemCtxSetupCb(WOLFSSL_CTX* ctx) { - int i; - unsigned char* pt = (unsigned char*)buf; - - fprintf(stderr, "%s %d bytes of version %d , type %d : ", - (w)?"Writing":"Reading", (int)sz, version, type); - for (i = 0; i < (int)sz; i++) fprintf(stderr, "%02X", pt[i]); - fprintf(stderr, "\n"); - (void)ssl; - (void)arg; + SSL_CTX_sess_set_remove_cb(ctx, SessRemCtxCb); +#if defined(WOLFSSL_TLS13) && !defined(HAVE_SESSION_TICKET) && \ + !defined(NO_SESSION_CACHE_REF) + { + EXPECT_DECLS; + /* Allow downgrade, set min version, and disable TLS 1.3. + * Do this because without NO_SESSION_CACHE_REF we will want to return a + * reference to the session cache. But with WOLFSSL_TLS13 and without + * HAVE_SESSION_TICKET we won't have a session ID to be able to place + * the session in the cache. 
In this case we need to downgrade to + * previous versions to just use the legacy session ID field. */ + ExpectIntEQ(SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION), + SSL_SUCCESS); + ExpectIntEQ(SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION), + SSL_SUCCESS); + return EXPECT_RESULT(); + } +#else + return TEST_SUCCESS; +#endif } -#endif /* OPENSSL_EXTRA */ -static int test_wolfSSL_msg_callback(void) +static int SessRemSslSetupCb(WOLFSSL* ssl) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_TLS) && \ - !defined(NO_WOLFSSL_CLIENT) - WOLFSSL* ssl = NULL; - WOLFSSL_CTX* ctx = NULL; - - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); - ExpectNotNull(ssl = SSL_new(ctx)); - ExpectIntEQ(SSL_set_msg_callback(ssl, NULL), SSL_SUCCESS); - ExpectIntEQ(SSL_set_msg_callback(ssl, &sslMsgCb), SSL_SUCCESS); - ExpectIntEQ(SSL_set_msg_callback(NULL, &sslMsgCb), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + int* side; - SSL_free(ssl); - SSL_CTX_free(ctx); + if (SSL_is_server(ssl)) { + side = &sessRemCtx_Server; + (void)wolfSSL_Atomic_Int_FetchAdd(&serverSessRemCountMalloc, 1); + ExpectNotNull(serverSess = SSL_get1_session(ssl)); + ExpectIntEQ(SSL_CTX_up_ref(serverSessCtx = SSL_get_SSL_CTX(ssl)), + SSL_SUCCESS); + } + else { + side = &sessRemCtx_Client; + (void)wolfSSL_Atomic_Int_FetchAdd(&clientSessRemCountMalloc, 1); +#if (defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET)) || \ + !defined(NO_SESSION_CACHE_REF) + ExpectNotNull(clientSess = SSL_get1_session(ssl)); + ExpectIntEQ(SSL_CTX_up_ref(clientSessCtx = SSL_get_SSL_CTX(ssl)), + SSL_SUCCESS); #endif + } + ExpectIntEQ(SSL_SESSION_set_ex_data(SSL_get_session(ssl), + serverSessRemIdx, side), SSL_SUCCESS); + return EXPECT_RESULT(); } +#endif -/* test_EVP_Cipher_extra, Extra-test on EVP_CipherUpdate/Final. 
see also test.c */ -#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)) &&\ - (!defined(NO_AES) && defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_128)) -static void binary_dump(void *ptr, int size) +static int test_wolfSSL_CTX_sess_set_remove_cb(void) { - #ifdef WOLFSSL_EVP_PRINT - int i = 0; - unsigned char *p = (unsigned char *) ptr; - - fprintf(stderr, "{"); - while ((p != NULL) && (i < size)) { - if ((i % 8) == 0) { - fprintf(stderr, "\n"); - fprintf(stderr, " "); - } - fprintf(stderr, "0x%02x, ", p[i]); - i++; - } - fprintf(stderr, "\n};\n"); - #else - (void) ptr; - (void) size; - #endif -} + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \ + defined(HAVE_EX_DATA) && !defined(NO_SESSION_CACHE) + /* Check that the remove callback gets called for external data in a + * session object */ + test_ssl_cbf func_cb; -static int last_val = 0x0f; + wolfSSL_Atomic_Int_Init(&clientSessRemCountMalloc, 0); + wolfSSL_Atomic_Int_Init(&serverSessRemCountMalloc, 0); + wolfSSL_Atomic_Int_Init(&clientSessRemCountFree, 0); + wolfSSL_Atomic_Int_Init(&serverSessRemCountFree, 0); -static int check_result(unsigned char *data, int len) -{ - int i; + XMEMSET(&func_cb, 0, sizeof(func_cb)); + func_cb.ctx_ready = SessRemCtxSetupCb; + func_cb.on_result = SessRemSslSetupCb; - for ( ; len; ) { - last_val = (last_val + 1) % 16; - for (i = 0; i < 16; len--, i++, data++) - if (*data != last_val) { - return -1; - } - } - return 0; -} + ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&func_cb, &func_cb, + NULL), TEST_SUCCESS); -static int r_offset; -static int w_offset; + /* Both should have been allocated */ + ExpectIntEQ(clientSessRemCountMalloc, 1); + ExpectIntEQ(serverSessRemCountMalloc, 1); -static void init_offset(void) -{ - r_offset = 0; - w_offset = 0; -} -static void get_record(unsigned char *data, unsigned char *buf, int len) -{ - XMEMCPY(buf, data+r_offset, len); - r_offset += len; + /* This should not be called yet. 
Session wasn't evicted from cache yet. */ + ExpectIntEQ(clientSessRemCountFree, 0); +#if (defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET)) || \ + !defined(NO_SESSION_CACHE_REF) + /* Force a cache lookup */ + ExpectNotNull(SSL_SESSION_get_ex_data(clientSess, serverSessRemIdx)); + /* Force a cache update */ + ExpectNotNull(SSL_SESSION_set_ex_data(clientSess, serverSessRemIdx - 1, 0)); + /* This should set the timeout to 0 and call the remove callback from within + * the session cache. */ + ExpectIntEQ(SSL_CTX_remove_session(clientSessCtx, clientSess), 0); + ExpectNull(SSL_SESSION_get_ex_data(clientSess, serverSessRemIdx)); + ExpectIntEQ(clientSessRemCountFree, 1); +#endif + /* Server session is in the cache so ex_data isn't free'd with the SSL + * object */ + ExpectIntEQ(serverSessRemCountFree, 0); + /* Force a cache lookup */ + ExpectNotNull(SSL_SESSION_get_ex_data(serverSess, serverSessRemIdx)); + /* Force a cache update */ + ExpectNotNull(SSL_SESSION_set_ex_data(serverSess, serverSessRemIdx - 1, 0)); + /* This should set the timeout to 0 and call the remove callback from within + * the session cache. 
*/ + ExpectIntEQ(SSL_CTX_remove_session(serverSessCtx, serverSess), 0); + ExpectNull(SSL_SESSION_get_ex_data(serverSess, serverSessRemIdx)); + ExpectIntEQ(serverSessRemCountFree, 1); + /* Need to free the references that we kept */ + SSL_CTX_free(serverSessCtx); + SSL_SESSION_free(serverSess); +#if (defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET)) || \ + !defined(NO_SESSION_CACHE_REF) + SSL_CTX_free(clientSessCtx); + SSL_SESSION_free(clientSess); +#endif +#endif + return EXPECT_RESULT(); } -static void set_record(unsigned char *data, unsigned char *buf, int len) +static int test_wolfSSL_ticket_keys(void) { - XMEMCPY(data+w_offset, buf, len); - w_offset += len; -} + EXPECT_DECLS; +#if defined(HAVE_SESSION_TICKET) && !defined(WOLFSSL_NO_DEF_TICKET_ENC_CB) && \ + !defined(NO_WOLFSSL_SERVER) && !defined(NO_TLS) + WOLFSSL_CTX* ctx = NULL; + byte keys[WOLFSSL_TICKET_KEYS_SZ]; -static void set_plain(unsigned char *plain, int rec) -{ - int i, j; - unsigned char *p = plain; + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); + + ExpectIntEQ(wolfSSL_CTX_get_tlsext_ticket_keys(NULL, NULL, 0), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_CTX_get_tlsext_ticket_keys(ctx, NULL, 0), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_CTX_get_tlsext_ticket_keys(ctx, keys, 0), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_CTX_get_tlsext_ticket_keys(NULL, keys, 0), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_CTX_get_tlsext_ticket_keys(NULL, NULL, sizeof(keys)), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_CTX_get_tlsext_ticket_keys(ctx, NULL, sizeof(keys)), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_CTX_get_tlsext_ticket_keys(NULL, keys, sizeof(keys)), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + + ExpectIntEQ(wolfSSL_CTX_set_tlsext_ticket_keys(NULL, NULL, 0), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_CTX_set_tlsext_ticket_keys(ctx, NULL, 0), + 
WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_CTX_set_tlsext_ticket_keys(ctx, keys, 0), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_CTX_set_tlsext_ticket_keys(NULL, keys, 0), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_CTX_set_tlsext_ticket_keys(NULL, NULL, sizeof(keys)), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_CTX_set_tlsext_ticket_keys(ctx, NULL, sizeof(keys)), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_CTX_set_tlsext_ticket_keys(NULL, keys, sizeof(keys)), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - #define BLOCKSZ 16 + ExpectIntEQ(wolfSSL_CTX_get_tlsext_ticket_keys(ctx, keys, sizeof(keys)), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CTX_set_tlsext_ticket_keys(ctx, keys, sizeof(keys)), + WOLFSSL_SUCCESS); - for (i=0; i<(rec/BLOCKSZ); i++) { - for (j=0; j 2)) + /* DH PUBKEY test */ + ExpectIntGT(BIO_write(bio, dh_pub_key_der_2048, + sizeof_dh_pub_key_der_2048), 0); + ExpectNotNull(pkey = d2i_PUBKEY_bio(bio, NULL)); + EVP_PKEY_free(pkey); + pkey = NULL; +#endif /* !HAVE_FIPS || HAVE_FIPS_VERSION > 2 */ +#endif /* USE_CERT_BUFFERS_2048 && !NO_DH && && OPENSSL_EXTRA */ - const EVP_CIPHER *type; - byte *iv; - byte *key; - int ivlen; - int keylen; + BIO_free(bio); - #define RECORDS 16 - #define BUFFSZ 512 - byte plain [BUFFSZ * RECORDS]; - byte cipher[BUFFSZ * RECORDS]; + (void)pkey; +#endif - byte inb[BUFFSZ]; - byte outb[BUFFSZ+16]; - int outl = 0; - int inl; + return EXPECT_RESULT(); +} - iv = aes128_cbc_iv; - ivlen = sizeof(aes128_cbc_iv); - key = aes128_cbc_key; - keylen = sizeof(aes128_cbc_key); - type = EVP_aes_128_cbc(); +#if (defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO)) && !defined(NO_RSA) && \ + !defined(NO_TLS) +static int test_wolfSSL_d2i_PrivateKeys_bio(void) +{ + EXPECT_DECLS; + BIO* bio = NULL; + EVP_PKEY* pkey = NULL; + WOLFSSL_CTX* ctx = NULL; - set_plain(plain, BUFFSZ * RECORDS); +#if defined(WOLFSSL_KEY_GEN) + unsigned char buff[4096]; + unsigned char* bufPtr = buff; +#endif - 
SSL_library_init(); + /* test creating new EVP_PKEY with bad arg */ + ExpectNull((pkey = d2i_PrivateKey_bio(NULL, NULL))); - ExpectNotNull(evp = EVP_CIPHER_CTX_new()); - ExpectIntNE((ret = EVP_CipherInit(evp, type, NULL, iv, 0)), 0); + /* test loading RSA key using BIO */ +#if !defined(NO_RSA) && !defined(NO_FILESYSTEM) + { + XFILE file = XBADFILE; + const char* fname = "./certs/server-key.der"; + long lsz = 0; + size_t sz = 0; + byte* buf = NULL; - ExpectIntEQ(EVP_CIPHER_CTX_nid(evp), NID_aes_128_cbc); + ExpectTrue((file = XFOPEN(fname, "rb")) != XBADFILE); + ExpectTrue(XFSEEK(file, 0, XSEEK_END) == 0); + ExpectTrue((lsz = XFTELL(file)) > 0); + sz = (size_t)lsz; + ExpectTrue(XFSEEK(file, 0, XSEEK_SET) == 0); + ExpectNotNull(buf = (byte*)XMALLOC(sz, HEAP_HINT, DYNAMIC_TYPE_FILE)); + ExpectIntEQ(XFREAD(buf, 1, sz, file), sz); + if (file != XBADFILE) { + XFCLOSE(file); + } - klen = EVP_CIPHER_CTX_key_length(evp); - if (klen > 0 && keylen != klen) { - ExpectIntNE(EVP_CIPHER_CTX_set_key_length(evp, keylen), 0); - } - ilen = EVP_CIPHER_CTX_iv_length(evp); - if (ilen > 0 && ivlen != ilen) { - ExpectIntNE(EVP_CIPHER_CTX_set_iv_length(evp, ivlen), 0); + /* Test using BIO new mem and loading DER private key */ + ExpectNotNull(bio = BIO_new_mem_buf(buf, (int)sz)); + ExpectNotNull((pkey = d2i_PrivateKey_bio(bio, NULL))); + XFREE(buf, HEAP_HINT, DYNAMIC_TYPE_FILE); + BIO_free(bio); + bio = NULL; + EVP_PKEY_free(pkey); + pkey = NULL; } +#endif - ExpectIntNE((ret = EVP_CipherInit(evp, NULL, key, iv, 1)), 0); - - for (j = 0; j 0); + sz = (size_t)lsz; + ExpectTrue(XFSEEK(file, 0, XSEEK_SET) == 0); + ExpectNotNull(buf = (byte*)XMALLOC(sz, HEAP_HINT, DYNAMIC_TYPE_FILE)); + ExpectIntEQ(XFREAD(buf, 1, sz, file), sz); + if (file != XBADFILE) + XFCLOSE(file); - ExpectIntNE((ret = EVP_CipherInit(evp, NULL, key, iv, 1)), 0); + /* Test using BIO new mem and loading DER private key */ + ExpectNotNull(bio = BIO_new_mem_buf(buf, (int)sz)); + ExpectNotNull((pkey = d2i_PrivateKey_bio(bio, 
NULL))); + XFREE(buf, HEAP_HINT, DYNAMIC_TYPE_FILE); + BIO_free(bio); + bio = NULL; + EVP_PKEY_free(pkey); + pkey = NULL; + } +#endif - init_offset(); - test_drive_len[i] = 0; + ExpectNotNull(bio = BIO_new(BIO_s_mem())); +#ifndef NO_WOLFSSL_SERVER + ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); +#else + ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); +#endif - for (j = 0; test_drive[i][j]; j++) - { - inl = test_drive[i][j]; - test_drive_len[i] += inl; +#if defined(WOLFSSL_KEY_GEN) && !defined(NO_RSA) + { + const unsigned char seqOnly[] = { 0x30, 0x00, 0x00, 0x00, 0x00, 0x00 }; + RSA* rsa = NULL; + /* Tests bad parameters */ + ExpectNull(d2i_RSAPrivateKey_bio(NULL, NULL)); - get_record(plain, inb, inl); - ExpectIntNE((ret = EVP_EncryptUpdate(evp, outb, &outl, inb, inl)), - 0); - /* output to cipher buffer, so that following Dec test can detect - if any error */ - set_record(cipher, outb, outl); - } + /* Test using bad data. */ + ExpectIntGT(BIO_write(bio, seqOnly, sizeof(seqOnly)), 0); + ExpectNull(d2i_RSAPrivateKey_bio(bio, NULL)); - EVP_CipherFinal(evp, outb, &outl); + /* RSA not set yet, expecting to fail*/ + rsa = wolfSSL_RSA_new(); + ExpectIntEQ(SSL_CTX_use_RSAPrivateKey(ctx, rsa), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + wolfSSL_RSA_free(rsa); + rsa = NULL; - if (outl > 0) - set_record(cipher, outb, outl); - } +#if defined(USE_CERT_BUFFERS_2048) && defined(WOLFSSL_KEY_GEN) + /* set RSA using bio*/ + ExpectIntGT(BIO_write(bio, client_key_der_2048, + sizeof_client_key_der_2048), 0); + ExpectNotNull(d2i_RSAPrivateKey_bio(bio, &rsa)); + ExpectNotNull(rsa); - for (i = 0; test_drive[i]; i++) { - last_val = 0x0f; + /* Tests bad parameters */ + ExpectIntEQ(SSL_CTX_use_RSAPrivateKey(NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(SSL_CTX_use_RSAPrivateKey(ctx, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(SSL_CTX_use_RSAPrivateKey(NULL, rsa), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntNE((ret = EVP_CipherInit(evp, NULL, key, 
iv, 0)), 0); + ExpectIntEQ(SSL_CTX_use_RSAPrivateKey(ctx, rsa), WOLFSSL_SUCCESS); - init_offset(); + /* i2d RSAprivate key tests */ + ExpectIntEQ(wolfSSL_i2d_RSAPrivateKey(NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(wolfSSL_i2d_RSAPrivateKey(rsa, NULL), 1192); + ExpectIntEQ(wolfSSL_i2d_RSAPrivateKey(rsa, &bufPtr), + sizeof_client_key_der_2048); + bufPtr -= sizeof_client_key_der_2048; + ExpectIntEQ(XMEMCMP(bufPtr, client_key_der_2048, + sizeof_client_key_der_2048), 0); + bufPtr = NULL; + ExpectIntEQ(wolfSSL_i2d_RSAPrivateKey(rsa, &bufPtr), + sizeof_client_key_der_2048); + ExpectNotNull(bufPtr); + ExpectIntEQ(XMEMCMP(bufPtr, client_key_der_2048, + sizeof_client_key_der_2048), 0); + XFREE(bufPtr, NULL, DYNAMIC_TYPE_OPENSSL); - for (j = 0; test_drive[i][j]; j++) { - inl = test_drive[i][j]; - get_record(cipher, inb, inl); + RSA_free(rsa); + rsa = NULL; + ExpectIntGT(BIO_write(bio, client_key_der_2048, + sizeof_client_key_der_2048), 0); + ExpectNotNull(d2i_RSA_PUBKEY_bio(bio, &rsa)); + (void)BIO_reset(bio); - ExpectIntNE((ret = EVP_DecryptUpdate(evp, outb, &outl, inb, inl)), - 0); + RSA_free(rsa); + rsa = RSA_new(); + ExpectIntEQ(wolfSSL_i2d_RSAPrivateKey(rsa, NULL), 0); +#endif /* USE_CERT_BUFFERS_2048 WOLFSSL_KEY_GEN */ + RSA_free(rsa); + } +#endif /* WOLFSSL_KEY_GEN && !NO_RSA */ + SSL_CTX_free(ctx); + ctx = NULL; + BIO_free(bio); + bio = NULL; - binary_dump(outb, outl); - ExpectIntEQ((ret = check_result(outb, outl)), 0); - ExpectFalse(outl > ((inl/16+1)*16) && outl > 16); - } + return EXPECT_RESULT(); +} +#endif /* OPENSSL_ALL || (WOLFSSL_ASIO && !NO_RSA) */ - ret = EVP_CipherFinal(evp, outb, &outl); +#endif /* !NO_BIO */ - binary_dump(outb, outl); - ret = (((test_drive_len[i] % 16) != 0) && (ret == 0)) || - (((test_drive_len[i] % 16) == 0) && (ret == 1)); - ExpectTrue(ret); - } +static int test_wolfSSL_sk_GENERAL_NAME(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \ + !defined(NO_RSA) + X509* 
x509 = NULL; + GENERAL_NAME* gn = NULL; + GENERAL_NAME* dup_gn = NULL; + unsigned char buf[4096]; + const unsigned char* bufPt = NULL; + int bytes = 0; + int i; + int j; + XFILE f = XBADFILE; + STACK_OF(GENERAL_NAME)* sk = NULL; - ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_cleanup(evp), WOLFSSL_SUCCESS); + ExpectTrue((f = XFOPEN(cliCertDerFileExt, "rb")) != XBADFILE); + ExpectIntGT((bytes = (int)XFREAD(buf, 1, sizeof(buf), f)), 0); + if (f != XBADFILE) + XFCLOSE(f); - EVP_CIPHER_CTX_free(evp); - evp = NULL; + for (j = 0; j < 2; ++j) { + bufPt = buf; + ExpectNotNull(x509 = d2i_X509(NULL, &bufPt, bytes)); - /* Do an extra test to verify correct behavior with empty input. */ + ExpectNotNull(sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509, + NID_subject_alt_name, NULL, NULL)); - ExpectNotNull(evp = EVP_CIPHER_CTX_new()); - ExpectIntNE((ret = EVP_CipherInit(evp, type, NULL, iv, 0)), 0); + ExpectIntEQ(sk_GENERAL_NAME_num(sk), 1); + for (i = 0; i < sk_GENERAL_NAME_num(sk); i++) { + ExpectNotNull(gn = sk_GENERAL_NAME_value(sk, i)); - ExpectIntEQ(EVP_CIPHER_CTX_nid(evp), NID_aes_128_cbc); + if (gn != NULL) { + switch (gn->type) { + case GEN_DNS: + fprintf(stderr, "found type GEN_DNS\n"); + break; + case GEN_EMAIL: + fprintf(stderr, "found type GEN_EMAIL\n"); + break; + case GEN_URI: + fprintf(stderr, "found type GEN_URI\n"); + break; + } + } - klen = EVP_CIPHER_CTX_key_length(evp); - if (klen > 0 && keylen != klen) { - ExpectIntNE(EVP_CIPHER_CTX_set_key_length(evp, keylen), 0); - } - ilen = EVP_CIPHER_CTX_iv_length(evp); - if (ilen > 0 && ivlen != ilen) { - ExpectIntNE(EVP_CIPHER_CTX_set_iv_length(evp, ivlen), 0); + ExpectNotNull(dup_gn = wolfSSL_GENERAL_NAME_dup(gn)); + wolfSSL_GENERAL_NAME_free(dup_gn); + dup_gn = NULL; + } + X509_free(x509); + x509 = NULL; + if (j == 0) { + sk_GENERAL_NAME_pop_free(sk, GENERAL_NAME_free); + } + else { + /* + * We had a bug where GENERAL_NAMES_free didn't free all the memory + * it was supposed to. This is a regression test for that bug. 
+ */ + GENERAL_NAMES_free(sk); + } + sk = NULL; } - ExpectIntNE((ret = EVP_CipherInit(evp, NULL, key, iv, 1)), 0); - - /* outl should be set to 0 after passing NULL, 0 for input args. */ - outl = -1; - ExpectIntNE((ret = EVP_CipherUpdate(evp, outb, &outl, NULL, 0)), 0); - ExpectIntEQ(outl, 0); - - EVP_CIPHER_CTX_free(evp); -#endif /* test_EVP_Cipher */ + ExpectNull(wolfSSL_GENERAL_NAME_dup(NULL)); + ExpectIntEQ(wolfSSL_GENERAL_NAME_set_type(NULL, WOLFSSL_GEN_IA5), + BAD_FUNC_ARG); + wolfSSL_GENERAL_NAMES_free(NULL); +#endif return EXPECT_RESULT(); } -static int test_wolfSSL_X509_get_serialNumber(void) +static int test_wolfSSL_GENERAL_NAME_print(void) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_RSA) && \ - !defined(NO_FILESYSTEM) - ASN1_INTEGER* a = NULL; - BIGNUM* bn = NULL; - X509* x509 = NULL; - X509* empty = NULL; - char *serialHex = NULL; - byte serial[3]; - int serialSz; +#if defined(OPENSSL_ALL) && !defined(NO_BIO) && !defined(NO_RSA) + X509* x509 = NULL; + GENERAL_NAME* gn = NULL; + GENERAL_NAME* dup_gn = NULL; + unsigned char buf[4096]; + const unsigned char* bufPt = NULL; + int bytes = 0; + XFILE f = XBADFILE; + STACK_OF(GENERAL_NAME)* sk = NULL; + BIO* out = NULL; + unsigned char outbuf[128]; - ExpectNotNull(empty = wolfSSL_X509_new()); - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(svrCertFile, - SSL_FILETYPE_PEM)); - ExpectNull(X509_get_serialNumber(NULL)); - ExpectNotNull(X509_get_serialNumber(empty)); - ExpectNotNull(a = X509_get_serialNumber(x509)); + X509_EXTENSION* ext = NULL; + AUTHORITY_INFO_ACCESS* aia = NULL; + ACCESS_DESCRIPTION* ad = NULL; + ASN1_IA5STRING *dnsname = NULL; + ASN1_OBJECT* ridObj = NULL; - /* check on value of ASN1 Integer */ - ExpectNotNull(bn = ASN1_INTEGER_to_BN(a, NULL)); - a = NULL; + const unsigned char v4Addr[] = {192,168,53,1}; + const unsigned char v6Addr[] = + {0x20, 0x21, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x77, 0x77}; + const 
unsigned char email[] =
+ {'i', 'n', 'f', 'o', '@', 'w', 'o', 'l',
+ 'f', 's', 's', 'l', '.', 'c', 'o', 'm'};
+ const unsigned char ridData[] = { 0x06, 0x04, 0x2a, 0x03, 0x04, 0x05 };
+ const unsigned char* p;
+ unsigned long len;
- /* test setting serial number and then retrieving it */
- ExpectNotNull(a = ASN1_INTEGER_new());
- ExpectIntEQ(ASN1_INTEGER_set(a, 3), 1);
- ExpectIntEQ(X509_set_serialNumber(NULL, NULL), WOLFSSL_FAILURE);
- ExpectIntEQ(X509_set_serialNumber(x509, NULL), WOLFSSL_FAILURE);
- ExpectIntEQ(X509_set_serialNumber(NULL, a), WOLFSSL_FAILURE);
- ExpectIntEQ(X509_set_serialNumber(x509, a), WOLFSSL_SUCCESS);
- ExpectIntEQ(wolfSSL_X509_get_serial_number(NULL, serial, NULL),
- BAD_FUNC_ARG);
- ExpectIntEQ(wolfSSL_X509_get_serial_number(NULL, serial, &serialSz),
- BAD_FUNC_ARG);
- ExpectIntEQ(wolfSSL_X509_get_serial_number(x509, serial, NULL),
- BAD_FUNC_ARG);
- serialSz = 0;
- ExpectIntEQ(wolfSSL_X509_get_serial_number(x509, serial, &serialSz),
- BUFFER_E);
- ExpectIntEQ(wolfSSL_X509_get_serial_number(x509, NULL, &serialSz),
- WOLFSSL_SUCCESS);
- ExpectIntEQ(serialSz, 1);
- serialSz = sizeof(serial);
- ExpectIntEQ(wolfSSL_X509_get_serial_number(x509, serial, &serialSz),
- WOLFSSL_SUCCESS);
- ExpectIntEQ(serialSz, 1);
- ExpectIntEQ(serial[0], 3);
- ASN1_INTEGER_free(a);
- a = NULL;
+ const char* dnsStr = "DNS:example.com";
+ const char* uriStr = "URI:http://127.0.0.1:22220";
+ const char* v4addStr = "IP Address:192.168.53.1";
+ const char* v6addStr = "IP Address:2021:DB8:0:0:0:FF00:42:7777";
+ const char* emailStr = "email:info@wolfssl.com";
+ const char* othrStr = "othername:";
+ const char* x400Str = "X400Name:";
+ const char* ediStr = "EdiPartyName:";
+ const char* dirNameStr = "DirName:";
+ const char* ridStr = "Registered ID:1.2.3.4.5";
+
+ /* BIO to output */
+ ExpectNotNull(out = BIO_new(BIO_s_mem()));
+
+ /* test for NULL param */
+ gn = NULL;
+
+ ExpectIntEQ(GENERAL_NAME_print(NULL, NULL), 0);
+ ExpectIntEQ(GENERAL_NAME_print(NULL, gn), 0);
+ ExpectIntEQ(GENERAL_NAME_print(out, NULL), 0);
- /* test setting serial number with 0's in it */
- serial[0] = 0x01;
- serial[1] = 0x00;
- serial[2] = 0x02;
- ExpectNotNull(a = wolfSSL_ASN1_INTEGER_new());
- if (a != NULL) {
- a->data[0] = ASN_INTEGER;
- a->data[1] = sizeof(serial);
- XMEMCPY(&a->data[2], serial, sizeof(serial));
- a->length = sizeof(serial) + 2;
+ /* test for GEN_DNS */
+ ExpectTrue((f = XFOPEN(cliCertDerFileExt, "rb")) != XBADFILE);
+ ExpectIntGT((bytes = (int)XFREAD(buf, 1, sizeof(buf), f)), 0);
+ if (f != XBADFILE) {
+ XFCLOSE(f);
+ f = XBADFILE;
}
- ExpectIntEQ(X509_set_serialNumber(x509, a), WOLFSSL_SUCCESS);
- XMEMSET(serial, 0, sizeof(serial));
- serialSz = sizeof(serial);
- ExpectIntEQ(wolfSSL_X509_get_serial_number(x509, serial, &serialSz),
- WOLFSSL_SUCCESS);
- ExpectIntEQ(serialSz, 3);
- ExpectIntEQ(serial[0], 0x01);
- ExpectIntEQ(serial[1], 0x00);
- ExpectIntEQ(serial[2], 0x02);
- ASN1_INTEGER_free(a);
- a = NULL;
+ bufPt = buf;
+ ExpectNotNull(x509 = d2i_X509(NULL, &bufPt, bytes));
+ ExpectNotNull(sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509,
+ NID_subject_alt_name, NULL, NULL));
- X509_free(x509); /* free's a */
- X509_free(empty);
+ ExpectNotNull(gn = sk_GENERAL_NAME_value(sk, 0));
+ ExpectIntEQ(GENERAL_NAME_print(out, gn), 1);
- ExpectNotNull(serialHex = BN_bn2hex(bn));
-#ifndef WC_DISABLE_RADIX_ZERO_PAD
- ExpectStrEQ(serialHex, "01");
-#else
- ExpectStrEQ(serialHex, "1");
-#endif
- OPENSSL_free(serialHex);
- ExpectIntEQ(BN_get_word(bn), 1);
- BN_free(bn);
+ XMEMSET(outbuf, 0, sizeof(outbuf));
+ ExpectIntGT(BIO_read(out, outbuf, sizeof(outbuf)), 0);
+ ExpectIntEQ(XSTRNCMP((const char*)outbuf, dnsStr, XSTRLEN(dnsStr)), 0);
- /* hard test free'ing with dynamic buffer to make sure there is no leaks */
- ExpectNotNull(a = ASN1_INTEGER_new());
- if (a != NULL) {
- ExpectNotNull(a->data = (unsigned char*)XMALLOC(100, NULL,
- DYNAMIC_TYPE_OPENSSL));
- a->isDynamic = 1;
- ASN1_INTEGER_free(a);
- }
-#endif
- return EXPECT_RESULT();
-}
+ sk_GENERAL_NAME_pop_free(sk, GENERAL_NAME_free);
+ gn = NULL;
+ sk = NULL;
+ X509_free(x509);
+ x509 = NULL;
-static int test_wolfSSL_X509_ext_get_critical_by_NID(void)
-{
- EXPECT_DECLS;
-#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS)
- WOLFSSL_X509* x509 = NULL;
+ /* Lets test for setting as well. */
+ ExpectNotNull(gn = GENERAL_NAME_new());
+ ExpectNotNull(dnsname = ASN1_IA5STRING_new());
+ ExpectIntEQ(ASN1_STRING_set(dnsname, "example.com", -1), 1);
+ GENERAL_NAME_set0_value(gn, GEN_DNS, dnsname);
+ dnsname = NULL;
+ ExpectIntEQ(GENERAL_NAME_print(out, gn), 1);
+ XMEMSET(outbuf, 0, sizeof(outbuf));
+ ExpectIntGT(BIO_read(out, outbuf, sizeof(outbuf)), 0);
+ ExpectIntEQ(XSTRNCMP((const char*)outbuf, dnsStr, XSTRLEN(dnsStr)), 0);
+ ExpectNotNull(dup_gn = GENERAL_NAME_dup(gn));
+ wolfSSL_GENERAL_NAME_set0_value(NULL, WOLFSSL_GEN_IA5, NULL);
+ wolfSSL_GENERAL_NAME_set0_value(dup_gn, WOLFSSL_GEN_IA5, NULL);
+ wolfSSL_GENERAL_NAME_set0_value(NULL, WOLFSSL_GEN_DNS, NULL);
+ wolfSSL_GENERAL_NAME_set0_value(NULL, WOLFSSL_GEN_IA5, outbuf);
+ wolfSSL_GENERAL_NAME_set0_value(dup_gn, WOLFSSL_GEN_DNS, NULL);
+ wolfSSL_GENERAL_NAME_set0_value(dup_gn, WOLFSSL_GEN_IA5, outbuf);
+ wolfSSL_GENERAL_NAME_set0_value(NULL, WOLFSSL_GEN_DNS, outbuf);
+ GENERAL_NAME_free(dup_gn);
+ dup_gn = NULL;
+ GENERAL_NAME_free(gn);
- ExpectNotNull(x509 = wolfSSL_X509_new());
- ExpectIntEQ(wolfSSL_X509_ext_get_critical_by_NID(NULL,
- WC_NID_basic_constraints), 0);
- ExpectIntEQ(wolfSSL_X509_ext_get_critical_by_NID(x509,
- WC_NID_basic_constraints), 0);
- ExpectIntEQ(wolfSSL_X509_ext_get_critical_by_NID(x509,
- WC_NID_subject_alt_name), 0);
- ExpectIntEQ(wolfSSL_X509_ext_get_critical_by_NID(x509,
- WC_NID_authority_key_identifier), 0);
- ExpectIntEQ(wolfSSL_X509_ext_get_critical_by_NID(x509,
- WC_NID_subject_key_identifier), 0);
- ExpectIntEQ(wolfSSL_X509_ext_get_critical_by_NID(x509,
- WC_NID_key_usage), 0);
- ExpectIntEQ(wolfSSL_X509_ext_get_critical_by_NID(x509,
-
WC_NID_crl_distribution_points), 0);
- ExpectIntEQ(wolfSSL_X509_ext_get_critical_by_NID(x509,
- WC_NID_ext_key_usage), 0);
-#ifdef WOLFSSL_SEP
- ExpectIntEQ(wolfSSL_X509_ext_get_critical_by_NID(x509,
- WC_NID_certificate_policies), 0);
-#endif
- ExpectIntEQ(wolfSSL_X509_ext_get_critical_by_NID(x509,
- WC_NID_info_access), 0);
- wolfSSL_X509_free(x509);
-#endif
- return EXPECT_RESULT();
-}
+ /* test for GEN_URI */
+
+ ExpectTrue((f = XFOPEN("./certs/ocsp/root-ca-cert.pem", "rb")) != XBADFILE);
+ ExpectNotNull(x509 = wolfSSL_PEM_read_X509(f, NULL, NULL, NULL));
+ if (f != XBADFILE) {
+ XFCLOSE(f);
+ f = XBADFILE;
+ }
+
+ ExpectNotNull(ext = wolfSSL_X509_get_ext(x509, 4));
+ ExpectNotNull(aia = (WOLFSSL_AUTHORITY_INFO_ACCESS*)wolfSSL_X509V3_EXT_d2i(
+ ext));
+ ExpectNotNull(ad = (WOLFSSL_ACCESS_DESCRIPTION *)wolfSSL_sk_value(aia, 0));
-static int test_wolfSSL_X509_CRL_distribution_points(void)
-{
- EXPECT_DECLS;
-#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_RSA) && \
- !defined(NO_FILESYSTEM)
- WOLFSSL_X509* x509 = NULL;
- const char* file = "./certs/client-crl-dist.pem";
+ if (ad != NULL) {
+ gn = ad->location;
+ }
+ ExpectNotNull(dup_gn = GENERAL_NAME_dup(gn));
+ GENERAL_NAME_free(dup_gn);
+ dup_gn = NULL;
+ ExpectIntEQ(GENERAL_NAME_print(out, gn), 1);
+ gn = NULL;
- ExpectIntEQ(wolfSSL_X509_ext_isSet_by_NID(NULL,
- WC_NID_crl_distribution_points), 0);
+ XMEMSET(outbuf,0,sizeof(outbuf));
+ ExpectIntGT(BIO_read(out, outbuf, sizeof(outbuf)), 0);
+ ExpectIntEQ(XSTRNCMP((const char*)outbuf, uriStr, XSTRLEN(uriStr)), 0);
- ExpectNotNull(x509 = wolfSSL_X509_new());
- ExpectIntEQ(wolfSSL_X509_ext_isSet_by_NID(x509,
- WC_NID_crl_distribution_points), 0);
- wolfSSL_X509_free(x509);
+ wolfSSL_sk_ACCESS_DESCRIPTION_pop_free(aia, NULL);
+ aia = NULL;
+ aia = (AUTHORITY_INFO_ACCESS*)wolfSSL_X509V3_EXT_d2i(ext);
+ ExpectNotNull(aia);
+ AUTHORITY_INFO_ACCESS_pop_free(aia, NULL);
+ aia = NULL;
+ X509_free(x509);
x509 = NULL;
- ExpectNotNull(x509 =
wolfSSL_X509_load_certificate_file(file,
- WOLFSSL_FILETYPE_PEM));
- ExpectIntEQ(wolfSSL_X509_ext_isSet_by_NID(x509,
- WC_NID_crl_distribution_points), 1);
- wolfSSL_X509_free(x509);
-#endif
- return EXPECT_RESULT();
-}
+ /* test for GEN_IPADD */
-static int test_wolfSSL_X509_SEP(void)
-{
- EXPECT_DECLS;
-#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && defined(WOLFSSL_SEP)
- WOLFSSL_X509* x509 = NULL;
-#if 0
- byte* out;
-#endif
- int outSz;
+ /* ip v4 address */
+ ExpectNotNull(gn = wolfSSL_GENERAL_NAME_new());
+ if (gn != NULL) {
+ gn->type = GEN_IPADD;
+ if (gn->d.iPAddress != NULL) {
+ gn->d.iPAddress->length = sizeof(v4Addr);
+ }
+ }
+ ExpectIntEQ(wolfSSL_ASN1_STRING_set(gn->d.iPAddress, v4Addr,
+ sizeof(v4Addr)), 1);
- ExpectNotNull(x509 = wolfSSL_X509_new());
+ ExpectIntEQ(GENERAL_NAME_print(out, gn), 1);
+ XMEMSET(outbuf,0,sizeof(outbuf));
+ ExpectIntGT(BIO_read(out, outbuf, sizeof(outbuf)), 0);
+ ExpectIntEQ(XSTRNCMP((const char*)outbuf, v4addStr, XSTRLEN(v4addStr)), 0);
- outSz = 0;
- ExpectNull(wolfSSL_X509_get_device_type(NULL, NULL, NULL));
- ExpectNull(wolfSSL_X509_get_device_type(x509, NULL, NULL));
- ExpectNull(wolfSSL_X509_get_device_type(NULL, NULL, &outSz));
- ExpectNull(wolfSSL_X509_get_device_type(x509, NULL, &outSz));
+ ExpectNotNull(dup_gn = GENERAL_NAME_dup(gn));
+ GENERAL_NAME_free(dup_gn);
+ dup_gn = NULL;
- outSz = 0;
- ExpectNull(wolfSSL_X509_get_hw_type(NULL, NULL, NULL));
- ExpectNull(wolfSSL_X509_get_hw_type(x509, NULL, NULL));
- ExpectNull(wolfSSL_X509_get_hw_type(NULL, NULL, &outSz));
- ExpectNull(wolfSSL_X509_get_hw_type(x509, NULL, &outSz));
+ GENERAL_NAME_free(gn);
+ gn = NULL;
- outSz = 0;
- ExpectNull(wolfSSL_X509_get_hw_serial_number(NULL, NULL, NULL));
- ExpectNull(wolfSSL_X509_get_hw_serial_number(x509, NULL, NULL));
- ExpectNull(wolfSSL_X509_get_hw_serial_number(NULL, NULL, &outSz));
- ExpectNull(wolfSSL_X509_get_hw_serial_number(x509, NULL, &outSz));
+ /* ip v6 address */
-
ExpectIntEQ(wolfSSL_X509_ext_isSet_by_NID(x509,
- WC_NID_certificate_policies), 0);
+ ExpectNotNull(gn = wolfSSL_GENERAL_NAME_new());
+ if (gn != NULL) {
+ gn->type = GEN_IPADD;
+ if (gn->d.iPAddress != NULL) {
+ gn->d.iPAddress->length = sizeof(v6Addr);
+ }
+ }
+ ExpectIntEQ(wolfSSL_ASN1_STRING_set(gn->d.iPAddress, v6Addr,
+ sizeof(v6Addr)), 1);
- wolfSSL_X509_free(x509);
- x509 = NULL;
+ ExpectIntEQ(GENERAL_NAME_print(out, gn), 1);
+ XMEMSET(outbuf,0,sizeof(outbuf));
+ ExpectIntGT(BIO_read(out, outbuf, sizeof(outbuf)), 0);
+ ExpectIntEQ(XSTRNCMP((const char*)outbuf, v6addStr, XSTRLEN(v6addStr)), 0);
-#if 0
- /* Use certificate with the extension here. */
- ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(svrCertFile,
- SSL_FILETYPE_PEM));
+ ExpectNotNull(dup_gn = GENERAL_NAME_dup(gn));
+ GENERAL_NAME_free(dup_gn);
+ dup_gn = NULL;
- outSz = 0;
- ExpectNotNull(out = wolfSSL_X509_get_device_type(x509, NULL, &outSz));
- ExpectIntGT(outSz, 0);
- XFREE(out, NULL, DYNAMIC_TYPE_OPENSSL);
+ GENERAL_NAME_free(gn);
+ gn = NULL;
- outSz = 0;
- ExpectNotNull(out = wolfSSL_X509_get_hw_type(x509, NULL, &outSz));
- ExpectIntGT(outSz, 0);
- XFREE(out, NULL, DYNAMIC_TYPE_OPENSSL);
+ /* test for GEN_EMAIL */
- outSz = 0;
- ExpectNotNull(out = wolfSSL_X509_get_hw_serial_number(x509, NULL, &outSz));
- ExpectIntGT(outSz, 0);
- XFREE(out, NULL, DYNAMIC_TYPE_OPENSSL);
+ ExpectNotNull(gn = wolfSSL_GENERAL_NAME_new());
+ if (gn != NULL) {
+ gn->type = GEN_EMAIL;
+ if (gn->d.rfc822Name != NULL) {
+ gn->d.rfc822Name->length = sizeof(email);
+ }
+ }
+ ExpectIntEQ(wolfSSL_ASN1_STRING_set(gn->d.rfc822Name, email, sizeof(email)),
+ 1);
- wolfSSL_X509_free(x509);
-#endif
-#endif
- return EXPECT_RESULT();
-}
+ ExpectIntEQ(GENERAL_NAME_print(out, gn), 1);
+ XMEMSET(outbuf,0,sizeof(outbuf));
+ ExpectIntGT(BIO_read(out, outbuf, sizeof(outbuf)), 0);
+ ExpectIntEQ(XSTRNCMP((const char*)outbuf, emailStr, XSTRLEN(emailStr)), 0);
-static int test_wolfSSL_OpenSSL_add_all_algorithms(void)
-{
-
EXPECT_DECLS;
-#if defined(OPENSSL_EXTRA)
- ExpectIntEQ(wolfSSL_add_all_algorithms(), WOLFSSL_SUCCESS);
+ ExpectNotNull(dup_gn = GENERAL_NAME_dup(gn));
+ GENERAL_NAME_free(dup_gn);
+ dup_gn = NULL;
- ExpectIntEQ(wolfSSL_OpenSSL_add_all_algorithms_noconf(), WOLFSSL_SUCCESS);
+ GENERAL_NAME_free(gn);
+ gn = NULL;
- ExpectIntEQ(wolfSSL_OpenSSL_add_all_algorithms_conf(), WOLFSSL_SUCCESS);
-#endif
- return EXPECT_RESULT();
-}
+ /* test for GEN_OTHERNAME */
-static int test_wolfSSL_OPENSSL_hexstr2buf(void)
-{
- EXPECT_DECLS;
-#if defined(OPENSSL_EXTRA)
- #define MAX_HEXSTR_BUFSZ 9
- #define NUM_CASES 5
- struct Output {
- const unsigned char buffer[MAX_HEXSTR_BUFSZ];
- long ret;
- };
- int i;
- int j;
+ ExpectNotNull(gn = wolfSSL_GENERAL_NAME_new());
+ if (gn != NULL) {
+ gn->type = GEN_OTHERNAME;
+ }
- const char* inputs[NUM_CASES] = {
- "aabcd1357e",
- "01:12:23:34:a5:b6:c7:d8:e9",
- ":01:02",
- "012",
- ":ab:ac:d"
- };
- struct Output expectedOutputs[NUM_CASES] = {
- {{0xaa, 0xbc, 0xd1, 0x35, 0x7e}, 5},
- {{0x01, 0x12, 0x23, 0x34, 0xa5, 0xb6, 0xc7, 0xd8, 0xe9}, 9},
- {{0x01, 0x02}, 2},
- {{0x00}, 0},
- {{0x00}, 0}
- };
- long len = 0;
- unsigned char* returnedBuf = NULL;
+ ExpectIntEQ(GENERAL_NAME_print(out, gn), 1);
+ XMEMSET(outbuf,0,sizeof(outbuf));
+ ExpectIntGT(BIO_read(out, outbuf, sizeof(outbuf)), 0);
+ ExpectIntEQ(XSTRNCMP((const char*)outbuf, othrStr, XSTRLEN(othrStr)), 0);
- for (i = 0; i < NUM_CASES && !EXPECT_FAIL(); ++i) {
- returnedBuf = wolfSSL_OPENSSL_hexstr2buf(inputs[i], &len);
- if (returnedBuf == NULL) {
- ExpectIntEQ(expectedOutputs[i].ret, 0);
- continue;
- }
+ GENERAL_NAME_free(gn);
+ gn = NULL;
- ExpectIntEQ(expectedOutputs[i].ret, len);
+ /* test for GEN_X400 */
- for (j = 0; j < len; ++j) {
- ExpectIntEQ(expectedOutputs[i].buffer[j], returnedBuf[j]);
- }
- OPENSSL_free(returnedBuf);
+ ExpectNotNull(gn = wolfSSL_GENERAL_NAME_new());
+ if (gn != NULL) {
+ gn->type = GEN_X400;
}
-#endif
- return EXPECT_RESULT();
-}
-static int
test_wolfSSL_X509_CA_num(void)
-{
- EXPECT_DECLS;
-#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_FILESYSTEM) && \
- defined(HAVE_ECC) && !defined(NO_RSA)
- WOLFSSL_X509_STORE *store = NULL;
- WOLFSSL_X509 *x509_1 = NULL;
- WOLFSSL_X509 *x509_2 = NULL;
- int ca_num = 0;
-
- ExpectNotNull(store = wolfSSL_X509_STORE_new());
- ExpectNotNull(x509_1 = wolfSSL_X509_load_certificate_file(svrCertFile,
- WOLFSSL_FILETYPE_PEM));
- ExpectIntEQ(wolfSSL_X509_STORE_add_cert(store, x509_1), 1);
- ExpectIntEQ(ca_num = wolfSSL_X509_CA_num(store), 1);
+ ExpectIntEQ(GENERAL_NAME_print(out, gn), 1);
+ XMEMSET(outbuf,0,sizeof(outbuf));
+ ExpectIntGT(BIO_read(out, outbuf, sizeof(outbuf)), 0);
+ ExpectIntEQ(XSTRNCMP((const char*)outbuf, x400Str, XSTRLEN(x400Str)), 0);
- ExpectNotNull(x509_2 = wolfSSL_X509_load_certificate_file(eccCertFile,
- WOLFSSL_FILETYPE_PEM));
- ExpectIntEQ(wolfSSL_X509_STORE_add_cert(store, x509_2), 1);
- ExpectIntEQ(ca_num = wolfSSL_X509_CA_num(store), 2);
+ /* Restore to GEN_IA5 (default) to avoid memory leak. */
+ if (gn != NULL) {
+ gn->type = GEN_IA5;
+ }
- wolfSSL_X509_free(x509_1);
- wolfSSL_X509_free(x509_2);
- wolfSSL_X509_STORE_free(store);
-#endif
- return EXPECT_RESULT();
-}
+ /* Duplicating GEN_X400 not supported.
*/
+ ExpectNull(GENERAL_NAME_dup(gn));
-static int test_wolfSSL_X509_check_ca(void)
-{
- EXPECT_DECLS;
-#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_FILESYSTEM)
- WOLFSSL_X509 *x509 = NULL;
+ GENERAL_NAME_free(gn);
+ gn = NULL;
- ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(svrCertFile,
- WOLFSSL_FILETYPE_PEM));
- ExpectIntEQ(wolfSSL_X509_check_ca(NULL), 0);
- ExpectIntEQ(wolfSSL_X509_check_ca(x509), 1);
- wolfSSL_X509_free(x509);
+ /* test for GEN_EDIPARTY */
- ExpectNotNull(x509 = wolfSSL_X509_new());
- ExpectIntEQ(wolfSSL_X509_check_ca(x509), 0);
- if (x509 != NULL) {
- x509->extKeyUsageCrit = 1;
+ ExpectNotNull(gn = wolfSSL_GENERAL_NAME_new());
+ if (gn != NULL) {
+ gn->type = GEN_EDIPARTY;
}
- ExpectIntEQ(wolfSSL_X509_check_ca(x509), 4);
- wolfSSL_X509_free(x509);
-#endif
- return EXPECT_RESULT();
-}
-static int test_wolfSSL_X509_check_ip_asc(void)
-{
- EXPECT_DECLS;
-#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_FILESYSTEM)
- WOLFSSL_X509 *x509 = NULL;
- WOLFSSL_X509 *empty = NULL;
+ ExpectIntEQ(GENERAL_NAME_print(out, gn), 1);
+ XMEMSET(outbuf,0,sizeof(outbuf));
+ ExpectIntGT(BIO_read(out, outbuf, sizeof(outbuf)), 0);
+ ExpectIntEQ(XSTRNCMP((const char*)outbuf, ediStr, XSTRLEN(ediStr)), 0);
- ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFile,
- WOLFSSL_FILETYPE_PEM));
- ExpectNotNull(empty = wolfSSL_X509_new());
+ /* Restore to GEN_IA5 (default) to avoid memory leak.
*/
+ if (gn != NULL) {
+ gn->type = GEN_IA5;
+ }
-#if 0
- /* TODO: add cert gen for testing positive case */
- ExpectIntEQ(wolfSSL_X509_check_ip_asc(x509, "127.0.0.1", 0), 1);
-#endif
- ExpectIntEQ(wolfSSL_X509_check_ip_asc(x509, "0.0.0.0", 0), 0);
- ExpectIntEQ(wolfSSL_X509_check_ip_asc(x509, NULL, 0), 0);
- ExpectIntEQ(wolfSSL_X509_check_ip_asc(NULL, NULL, 0), 0);
- ExpectIntEQ(wolfSSL_X509_check_ip_asc(NULL, "0.0.0.0", 0), 0);
- ExpectIntEQ(wolfSSL_X509_check_ip_asc(empty, "127.128.0.255", 0), 0);
+ /* Duplicating GEN_EDIPARTY not supported. */
+ ExpectNull(dup_gn = GENERAL_NAME_dup(gn));
- wolfSSL_X509_free(empty);
- wolfSSL_X509_free(x509);
-#endif
+ GENERAL_NAME_free(gn);
+ gn = NULL;
+
+ /* test for GEN_DIRNAME */
+ ExpectNotNull(gn = wolfSSL_GENERAL_NAME_new());
+ if (gn != NULL) {
+ gn->type = GEN_DIRNAME;
+ }
+ ExpectIntEQ(GENERAL_NAME_print(out, gn), 1);
+ XMEMSET(outbuf,0,sizeof(outbuf));
+ ExpectIntGT(BIO_read(out, outbuf, sizeof(outbuf)), 0);
+ ExpectIntEQ(XSTRNCMP((const char*)outbuf, dirNameStr, XSTRLEN(dirNameStr)),
+ 0);
+ /* Duplicating GEN_DIRNAME not supported. */
+ ExpectNull(dup_gn = GENERAL_NAME_dup(gn));
+ /* Restore to GEN_IA5 (default) to avoid memory leak. */
+ if (gn != NULL) {
+ gn->type = GEN_IA5;
+ }
+ GENERAL_NAME_free(gn);
+ gn = NULL;
+
+ /* test for GEN_RID */
+ p = ridData;
+ len = sizeof(ridData);
+ ExpectNotNull(ridObj = wolfSSL_d2i_ASN1_OBJECT(NULL, &p, len));
+ ExpectNotNull(gn = wolfSSL_GENERAL_NAME_new());
+ if (gn != NULL) {
+ gn->type = GEN_RID;
+ wolfSSL_ASN1_STRING_free(gn->d.ia5);
+ gn->d.registeredID = ridObj;
+ }
+ else {
+ wolfSSL_ASN1_OBJECT_free(ridObj);
+ }
+ ExpectIntEQ(GENERAL_NAME_print(out, gn), 1);
+ XMEMSET(outbuf,0,sizeof(outbuf));
+ ExpectIntGT(BIO_read(out, outbuf, sizeof(outbuf)), 0);
+ ExpectIntEQ(XSTRNCMP((const char*)outbuf, ridStr, XSTRLEN(ridStr)), 0);
+ /* Duplicating GEN_DIRNAME not supported.
*/ + ExpectNull(dup_gn = GENERAL_NAME_dup(gn)); + GENERAL_NAME_free(gn); + gn = NULL; + + BIO_free(out); +#endif /* OPENSSL_ALL */ return EXPECT_RESULT(); } -static int test_wolfSSL_make_cert(void) +static int test_wolfSSL_sk_DIST_POINT(void) { EXPECT_DECLS; -#if !defined(NO_RSA) && !defined(NO_ASN_TIME) && defined(WOLFSSL_CERT_GEN) && \ - defined(WOLFSSL_CERT_EXT) - int ret = 0; - Cert cert; - CertName name; - RsaKey key; - WC_RNG rng; - byte der[FOURK_BUF]; - word32 idx = 0; - const byte mySerial[8] = {1,2,3,4,5,6,7,8}; - -#ifdef OPENSSL_EXTRA - const unsigned char* pt = NULL; - int certSz = 0; - X509* x509 = NULL; - X509_NAME* x509name = NULL; - X509_NAME_ENTRY* entry = NULL; - ASN1_STRING* entryValue = NULL; -#endif - - XMEMSET(&name, 0, sizeof(CertName)); - - /* set up cert name */ - XMEMCPY(name.country, "US", sizeof("US")); - name.countryEnc = CTC_PRINTABLE; - XMEMCPY(name.state, "Oregon", sizeof("Oregon")); - name.stateEnc = CTC_UTF8; - XMEMCPY(name.locality, "Portland", sizeof("Portland")); - name.localityEnc = CTC_UTF8; - XMEMCPY(name.sur, "Test", sizeof("Test")); - name.surEnc = CTC_UTF8; - XMEMCPY(name.org, "wolfSSL", sizeof("wolfSSL")); - name.orgEnc = CTC_UTF8; - XMEMCPY(name.unit, "Development", sizeof("Development")); - name.unitEnc = CTC_UTF8; - XMEMCPY(name.commonName, "www.wolfssl.com", sizeof("www.wolfssl.com")); - name.commonNameEnc = CTC_UTF8; - XMEMCPY(name.serialDev, "wolfSSL12345", sizeof("wolfSSL12345")); - name.serialDevEnc = CTC_PRINTABLE; - XMEMCPY(name.userId, "TestUserID", sizeof("TestUserID")); - name.userIdEnc = CTC_PRINTABLE; -#ifdef WOLFSSL_MULTI_ATTRIB - #if CTC_MAX_ATTRIB > 2 - { - NameAttrib* n; - n = &name.name[0]; - n->id = ASN_DOMAIN_COMPONENT; - n->type = CTC_UTF8; - n->sz = sizeof("com"); - XMEMCPY(n->value, "com", sizeof("com")); - - n = &name.name[1]; - n->id = ASN_DOMAIN_COMPONENT; - n->type = CTC_UTF8; - n->sz = sizeof("wolfssl"); - XMEMCPY(n->value, "wolfssl", sizeof("wolfssl")); - } - #endif -#endif /* 
WOLFSSL_MULTI_ATTRIB */ +#if defined(OPENSSL_EXTRA) && !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \ + !defined(NO_RSA) + X509* x509 = NULL; + unsigned char buf[4096]; + const unsigned char* bufPt; + int bytes = 0; + int i = 0; + int j = 0; + XFILE f = XBADFILE; + DIST_POINT* dp = NULL; + DIST_POINT_NAME* dpn = NULL; + GENERAL_NAME* gn = NULL; + ASN1_IA5STRING* uri = NULL; + STACK_OF(DIST_POINT)* dps = NULL; + STACK_OF(GENERAL_NAME)* gns = NULL; + const char cliCertDerCrlDistPoint[] = "./certs/client-crl-dist.der"; - ExpectIntEQ(wc_InitRsaKey(&key, HEAP_HINT), 0); -#ifndef HAVE_FIPS - ExpectIntEQ(wc_InitRng_ex(&rng, HEAP_HINT, testDevId), 0); -#else - ExpectIntEQ(wc_InitRng(&rng), 0); -#endif + ExpectTrue((f = XFOPEN(cliCertDerCrlDistPoint, "rb")) != XBADFILE); + ExpectIntGT((bytes = (int)XFREAD(buf, 1, sizeof(buf), f)), 0); + if (f != XBADFILE) + XFCLOSE(f); - /* load test RSA key */ - idx = 0; -#if defined(USE_CERT_BUFFERS_1024) - ExpectIntEQ(wc_RsaPrivateKeyDecode(server_key_der_1024, &idx, &key, - sizeof_server_key_der_1024), 0); -#elif defined(USE_CERT_BUFFERS_2048) - ExpectIntEQ(wc_RsaPrivateKeyDecode(server_key_der_2048, &idx, &key, - sizeof_server_key_der_2048), 0); -#else - /* error case, no RSA key loaded, happens later */ - (void)idx; -#endif + bufPt = buf; + ExpectNotNull(x509 = d2i_X509(NULL, &bufPt, bytes)); - XMEMSET(&cert, 0 , sizeof(Cert)); - ExpectIntEQ(wc_InitCert(&cert), 0); + ExpectNotNull(dps = (STACK_OF(DIST_POINT)*)X509_get_ext_d2i(x509, + NID_crl_distribution_points, NULL, NULL)); - XMEMCPY(&cert.subject, &name, sizeof(CertName)); - XMEMCPY(cert.serial, mySerial, sizeof(mySerial)); - cert.serialSz = (int)sizeof(mySerial); - cert.isCA = 1; -#ifndef NO_SHA256 - cert.sigType = CTC_SHA256wRSA; -#else - cert.sigType = CTC_SHAwRSA; -#endif + ExpectIntEQ(sk_DIST_POINT_num(dps), 1); + for (i = 0; i < sk_DIST_POINT_num(dps); i++) { + ExpectNotNull(dp = sk_DIST_POINT_value(dps, i)); + ExpectNotNull(dpn = dp->distpoint); - /* add SKID from the 
Public Key */ - ExpectIntEQ(wc_SetSubjectKeyIdFromPublicKey(&cert, &key, NULL), 0); + /* this should be type 0, fullname */ + ExpectIntEQ(dpn->type, 0); - /* add AKID from the Public Key */ - ExpectIntEQ(wc_SetAuthKeyIdFromPublicKey(&cert, &key, NULL), 0); + ExpectNotNull(gns = dp->distpoint->name.fullname); + ExpectIntEQ(sk_GENERAL_NAME_num(gns), 1); - ret = 0; - do { -#if defined(WOLFSSL_ASYNC_CRYPT) - ret = wc_AsyncWait(ret, &key.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN); -#endif - if (ret >= 0) { - ret = wc_MakeSelfCert(&cert, der, FOURK_BUF, &key, &rng); + for (j = 0; j < sk_GENERAL_NAME_num(gns); j++) { + ExpectNotNull(gn = sk_GENERAL_NAME_value(gns, j)); + ExpectIntEQ(gn->type, GEN_URI); + ExpectNotNull(uri = gn->d.uniformResourceIdentifier); + ExpectNotNull(uri->data); + ExpectIntGT(uri->length, 0); } - } while (ret == WC_NO_ERR_TRACE(WC_PENDING_E)); - ExpectIntGT(ret, 0); + } -#ifdef OPENSSL_EXTRA - /* der holds a certificate with DC's now check X509 parsing of it */ - certSz = ret; - pt = der; - ExpectNotNull(x509 = d2i_X509(NULL, &pt, certSz)); - ExpectNotNull(x509name = X509_get_subject_name(x509)); -#ifdef WOLFSSL_MULTI_ATTRIB - ExpectIntEQ((idx = X509_NAME_get_index_by_NID(x509name, NID_domainComponent, - -1)), 5); - ExpectIntEQ((idx = X509_NAME_get_index_by_NID(x509name, NID_domainComponent, - (int)idx)), 6); - ExpectIntEQ((idx = X509_NAME_get_index_by_NID(x509name, NID_domainComponent, - (int)idx)), -1); -#endif /* WOLFSSL_MULTI_ATTRIB */ - - /* compare DN at index 0 */ - ExpectNotNull(entry = X509_NAME_get_entry(x509name, 0)); - ExpectNotNull(entryValue = X509_NAME_ENTRY_get_data(entry)); - ExpectIntEQ(ASN1_STRING_length(entryValue), 2); - ExpectStrEQ((const char*)ASN1_STRING_data(entryValue), "US"); - -#ifndef WOLFSSL_MULTI_ATTRIB - /* compare Serial Number */ - ExpectIntEQ((idx = X509_NAME_get_index_by_NID(x509name, NID_serialNumber, - -1)), 7); - ExpectNotNull(entry = X509_NAME_get_entry(x509name, idx)); - ExpectNotNull(entryValue = 
X509_NAME_ENTRY_get_data(entry)); - ExpectIntEQ(ASN1_STRING_length(entryValue), XSTRLEN("wolfSSL12345")); - ExpectStrEQ((const char*)ASN1_STRING_data(entryValue), "wolfSSL12345"); -#endif - -#ifdef WOLFSSL_MULTI_ATTRIB - /* get first and second DC and compare result */ - ExpectIntEQ((idx = X509_NAME_get_index_by_NID(x509name, NID_domainComponent, - -1)), 5); - ExpectNotNull(entry = X509_NAME_get_entry(x509name, (int)idx)); - ExpectNotNull(entryValue = X509_NAME_ENTRY_get_data(entry)); - ExpectStrEQ((const char *)ASN1_STRING_data(entryValue), "com"); - - ExpectIntEQ((idx = X509_NAME_get_index_by_NID(x509name, NID_domainComponent, - (int)idx)), 6); - ExpectNotNull(entry = X509_NAME_get_entry(x509name, (int)idx)); - ExpectNotNull(entryValue = X509_NAME_ENTRY_get_data(entry)); - ExpectStrEQ((const char *)ASN1_STRING_data(entryValue), "wolfssl"); -#endif /* WOLFSSL_MULTI_ATTRIB */ - - ExpectNull(X509_NAME_get_entry(NULL, 0)); - /* try invalid index locations for regression test and sanity check */ - ExpectNull(X509_NAME_get_entry(x509name, 11)); - ExpectNull(X509_NAME_get_entry(x509name, 20)); + ExpectNotNull(dp = wolfSSL_DIST_POINT_new()); + wolfSSL_DIST_POINT_free(NULL); + wolfSSL_DIST_POINTS_free(NULL); + wolfSSL_sk_DIST_POINT_free(NULL); + ExpectIntEQ(wolfSSL_sk_DIST_POINT_push(NULL, NULL), WOLFSSL_FAILURE); + ExpectIntEQ(wolfSSL_sk_DIST_POINT_push(dps, NULL), WOLFSSL_FAILURE); + ExpectIntEQ(wolfSSL_sk_DIST_POINT_push(NULL, dp), WOLFSSL_FAILURE); + ExpectNull(wolfSSL_sk_DIST_POINT_value(NULL, 0)); + ExpectIntEQ(wolfSSL_sk_DIST_POINT_num(NULL), WOLFSSL_FATAL_ERROR); + wolfSSL_DIST_POINT_free(dp); X509_free(x509); -#endif /* OPENSSL_EXTRA */ + CRL_DIST_POINTS_free(dps); - wc_FreeRsaKey(&key); - wc_FreeRng(&rng); #endif return EXPECT_RESULT(); } -static int test_x509_get_key_id(void) + + +static int test_wolfSSL_verify_mode(void) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_FILESYSTEM) && !defined(NO_RSA) - X509 *x509 = NULL; - const ASN1_STRING* str = 
NULL; - byte* keyId = NULL; - byte keyIdData[32]; - int len; +#if !defined(NO_RSA) && !defined(NO_TLS) && (defined(OPENSSL_ALL) || \ + defined(HAVE_STUNNEL) || defined(WOLFSSL_MYSQL_COMPATIBLE) || \ + defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)) + WOLFSSL* ssl = NULL; + WOLFSSL_CTX* ctx = NULL; - ExpectNotNull(x509 = wolfSSL_X509_new()); - len = (int)sizeof(keyIdData); - ExpectNull(wolfSSL_X509_get_subjectKeyID(x509, NULL, NULL)); - ExpectNull(wolfSSL_X509_get_subjectKeyID(x509, keyIdData, &len)); - ExpectNull(wolfSSL_X509_get_authorityKeyID(x509, NULL, NULL)); - ExpectNull(wolfSSL_X509_get_authorityKeyID(x509, keyIdData, &len)); - wolfSSL_X509_free(x509); - x509 = NULL; + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); - ExpectNotNull(x509 = X509_load_certificate_file(cliCertFile, - WOLFSSL_FILETYPE_PEM)); + ExpectNotNull(ssl = SSL_new(ctx)); + ExpectIntEQ(SSL_get_verify_mode(ssl), SSL_CTX_get_verify_mode(ctx)); + SSL_free(ssl); + ssl = NULL; - ExpectNotNull(str = X509_get0_subject_key_id(x509)); - ExpectNull(wolfSSL_X509_get_subjectKeyID(NULL, NULL, NULL)); - ExpectNotNull(keyId = wolfSSL_X509_get_subjectKeyID(x509, NULL, NULL)); - ExpectBufEQ(keyId, ASN1_STRING_data((ASN1_STRING*)str), - ASN1_STRING_length(str)); - ExpectNotNull(keyId = wolfSSL_X509_get_subjectKeyID(x509, keyIdData, NULL)); - ExpectBufEQ(keyId, ASN1_STRING_data((ASN1_STRING*)str), - ASN1_STRING_length(str)); - len = (int)sizeof(keyIdData); - ExpectNotNull(keyId = wolfSSL_X509_get_subjectKeyID(x509, NULL, &len)); - ExpectBufEQ(keyId, ASN1_STRING_data((ASN1_STRING*)str), - ASN1_STRING_length(str)); - ExpectNotNull(wolfSSL_X509_get_subjectKeyID(x509, keyIdData, &len)); - ExpectIntEQ(len, ASN1_STRING_length(str)); - ExpectBufEQ(keyIdData, ASN1_STRING_data((ASN1_STRING*)str), - ASN1_STRING_length(str)); - ExpectBufEQ(keyId, ASN1_STRING_data((ASN1_STRING*)str), - ASN1_STRING_length(str)); - - ExpectNull(wolfSSL_X509_get_authorityKeyID(NULL, NULL, NULL)); - 
ExpectNotNull(wolfSSL_X509_get_authorityKeyID(x509, NULL, NULL)); - ExpectNotNull(wolfSSL_X509_get_authorityKeyID(x509, keyIdData, NULL)); - len = (int)sizeof(keyIdData); - ExpectNotNull(wolfSSL_X509_get_authorityKeyID(x509, NULL, &len)); - ExpectNotNull(wolfSSL_X509_get_authorityKeyID(x509, keyIdData, &len)); - ExpectIntEQ(len, 20); + SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, 0); + ExpectNotNull(ssl = SSL_new(ctx)); + ExpectIntEQ(SSL_get_verify_mode(ssl), SSL_CTX_get_verify_mode(ctx)); + ExpectIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_PEER); - X509_free(x509); -#endif - return EXPECT_RESULT(); -} + wolfSSL_set_verify(ssl, SSL_VERIFY_NONE, 0); + ExpectIntEQ(SSL_CTX_get_verify_mode(ctx), SSL_VERIFY_PEER); + ExpectIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_NONE); + SSL_free(ssl); + ssl = NULL; -static int test_wolfSSL_X509_get_version(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_FILESYSTEM) && !defined(NO_RSA) - WOLFSSL_X509 *x509 = NULL; + wolfSSL_CTX_set_verify(ctx, + WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0); + ExpectNotNull(ssl = SSL_new(ctx)); + ExpectIntEQ(SSL_get_verify_mode(ssl), SSL_CTX_get_verify_mode(ctx)); + ExpectIntEQ(SSL_get_verify_mode(ssl), + WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT); - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(svrCertFile, - WOLFSSL_FILETYPE_PEM)); - ExpectIntEQ((int)wolfSSL_X509_get_version(x509), 2); - wolfSSL_X509_free(x509); -#endif - return EXPECT_RESULT(); -} + wolfSSL_set_verify(ssl, SSL_VERIFY_PEER, 0); + ExpectIntEQ(SSL_CTX_get_verify_mode(ctx), + WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT); + ExpectIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_PEER); -#if defined(OPENSSL_ALL) -static int test_wolfSSL_sk_CIPHER_description(void) -{ - EXPECT_DECLS; -#if !defined(NO_RSA) && !defined(NO_TLS) - const long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION; - int i; - int numCiphers = 0; - const SSL_METHOD *method = NULL; - const SSL_CIPHER 
*cipher = NULL; - STACK_OF(SSL_CIPHER) *supportedCiphers = NULL; - SSL_CTX *ctx = NULL; - SSL *ssl = NULL; - char buf[256]; - char test_str[9] = "0000000"; - const char badStr[] = "unknown"; - const char certPath[] = "./certs/client-cert.pem"; - XMEMSET(buf, 0, sizeof(buf)); + wolfSSL_set_verify(ssl, SSL_VERIFY_NONE, 0); + ExpectIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_NONE); - ExpectNotNull(method = TLSv1_2_client_method()); - ExpectNotNull(ctx = SSL_CTX_new(method)); - SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, 0); - SSL_CTX_set_verify_depth(ctx, 4); - SSL_CTX_set_options(ctx, flags); - ExpectIntEQ(SSL_CTX_load_verify_locations(ctx, certPath, NULL), - WOLFSSL_SUCCESS); + wolfSSL_set_verify(ssl, SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0); + ExpectIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_FAIL_IF_NO_PEER_CERT); - ExpectNotNull(ssl = SSL_new(ctx)); - /* SSL_get_ciphers returns a stack of all configured ciphers - * A flag, getCipherAtOffset, is set to later have SSL_CIPHER_description - */ - ExpectNotNull(supportedCiphers = SSL_get_ciphers(ssl)); + wolfSSL_set_verify(ssl, SSL_VERIFY_FAIL_EXCEPT_PSK, 0); + ExpectIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_FAIL_EXCEPT_PSK); - /* loop through the amount of supportedCiphers */ - numCiphers = sk_num(supportedCiphers); - for (i = 0; i < numCiphers; ++i) { - int j; - /* sk_value increments "sk->data.cipher->cipherOffset". - * wolfSSL_sk_CIPHER_description sets the description for - * the cipher based on the provided offset. 
- */ - if ((cipher = (const WOLFSSL_CIPHER*)sk_value(supportedCiphers, i))) { - SSL_CIPHER_description(cipher, buf, sizeof(buf)); - } +#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH) + wolfSSL_set_verify(ssl, SSL_VERIFY_POST_HANDSHAKE, 0); + ExpectIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_POST_HANDSHAKE); +#endif + + ExpectIntEQ(SSL_CTX_get_verify_mode(ctx), + WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT); - /* Search cipher description string for "unknown" descriptor */ - for (j = 0; j < (int)XSTRLEN(buf); j++) { - int k = 0; - while ((k < (int)XSTRLEN(badStr)) && (buf[j] == badStr[k])) { - test_str[k] = badStr[k]; - j++; - k++; - } - } - /* Fail if test_str == badStr == "unknown" */ - ExpectStrNE(test_str,badStr); - } SSL_free(ssl); SSL_CTX_free(ctx); #endif return EXPECT_RESULT(); } -static int test_wolfSSL_get_ciphers_compat(void) + +static int test_wolfSSL_verify_depth(void) { EXPECT_DECLS; -#if !defined(NO_RSA) && !defined(NO_TLS) - const SSL_METHOD *method = NULL; - const char certPath[] = "./certs/client-cert.pem"; - STACK_OF(SSL_CIPHER) *supportedCiphers = NULL; - SSL_CTX *ctx = NULL; - WOLFSSL *ssl = NULL; - const long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION; +#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_TLS) && \ + !defined(NO_WOLFSSL_CLIENT) + WOLFSSL* ssl = NULL; + WOLFSSL_CTX* ctx = NULL; + long depth = 0; - ExpectNotNull(method = SSLv23_client_method()); - ExpectNotNull(ctx = SSL_CTX_new(method)); - SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, 0); - SSL_CTX_set_verify_depth(ctx, 4); - SSL_CTX_set_options(ctx, flags); - ExpectIntEQ(SSL_CTX_load_verify_locations(ctx, certPath, NULL), - WOLFSSL_SUCCESS); + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); + ExpectIntGT((depth = SSL_CTX_get_verify_depth(ctx)), 0); ExpectNotNull(ssl = SSL_new(ctx)); + ExpectIntEQ(SSL_get_verify_depth(ssl), SSL_CTX_get_verify_depth(ctx)); + SSL_free(ssl); + ssl = NULL; - /* Test Bad NULL input */ - 
ExpectNull(supportedCiphers = SSL_get_ciphers(NULL)); - /* Test for Good input */ - ExpectNotNull(supportedCiphers = SSL_get_ciphers(ssl)); - /* Further usage of SSL_get_ciphers/wolfSSL_get_ciphers_compat is - * tested in test_wolfSSL_sk_CIPHER_description according to Qt usage */ + SSL_CTX_set_verify_depth(ctx, -1); + ExpectIntEQ(depth, SSL_CTX_get_verify_depth(ctx)); + + SSL_CTX_set_verify_depth(ctx, 2); + ExpectIntEQ(2, SSL_CTX_get_verify_depth(ctx)); + ExpectNotNull(ssl = SSL_new(ctx)); + ExpectIntEQ(2, SSL_get_verify_depth(ssl)); SSL_free(ssl); SSL_CTX_free(ctx); 
@@ -30228,3569 +22641,2512 @@ static int test_wolfSSL_get_ciphers_compat(void) return EXPECT_RESULT(); } -static int test_wolfSSL_X509_PUBKEY_get(void) +static int test_wolfSSL_verify_result(void) { EXPECT_DECLS; - WOLFSSL_X509_PUBKEY pubkey; - WOLFSSL_X509_PUBKEY* key; - WOLFSSL_EVP_PKEY evpkey ; - WOLFSSL_EVP_PKEY* evpPkey; - WOLFSSL_EVP_PKEY* retEvpPkey; - - XMEMSET(&pubkey, 0, sizeof(WOLFSSL_X509_PUBKEY)); - XMEMSET(&evpkey, 0, sizeof(WOLFSSL_EVP_PKEY)); +#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \ + defined(OPENSSL_ALL)) && !defined(NO_TLS) && !defined(NO_WOLFSSL_CLIENT) + WOLFSSL* ssl = NULL; + WOLFSSL_CTX* ctx = NULL; + long result = 0xDEADBEEF; - key = &pubkey; - evpPkey = &evpkey; + ExpectIntEQ(WC_NO_ERR_TRACE(WOLFSSL_FAILURE), wolfSSL_get_verify_result(ssl)); - evpPkey->type = WOLFSSL_SUCCESS; - key->pkey = evpPkey; + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); + ExpectNotNull(ssl = SSL_new(ctx)); - ExpectNotNull(retEvpPkey = wolfSSL_X509_PUBKEY_get(key)); - ExpectIntEQ(retEvpPkey->type, WOLFSSL_SUCCESS); + wolfSSL_set_verify_result(ssl, result); + ExpectIntEQ(result, wolfSSL_get_verify_result(ssl)); - ExpectNull(retEvpPkey = wolfSSL_X509_PUBKEY_get(NULL)); + SSL_free(ssl); + SSL_CTX_free(ctx); +#endif + return EXPECT_RESULT(); +} - key->pkey = NULL; - ExpectNull(retEvpPkey = wolfSSL_X509_PUBKEY_get(key)); +#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_TLS) && \ + !defined(NO_WOLFSSL_CLIENT) +static void sslMsgCb(int w, int version, int type, const void* buf, + size_t sz, SSL* ssl, void* arg) +{ + int i; + unsigned char* pt = (unsigned char*)buf; - return EXPECT_RESULT(); + fprintf(stderr, "%s %d bytes of version %d , type %d : ", + (w)?"Writing":"Reading", (int)sz, version, type); + for (i = 0; i < (int)sz; i++) fprintf(stderr, "%02X", pt[i]); + fprintf(stderr, "\n"); + (void)ssl; + (void)arg; } +#endif /* OPENSSL_EXTRA */ -static int test_wolfSSL_X509_set_pubkey(void) +static int 
test_wolfSSL_msg_callback(void) { EXPECT_DECLS; - WOLFSSL_X509* x509 = NULL; - WOLFSSL_EVP_PKEY* pkey = NULL; - - ExpectNotNull(x509 = wolfSSL_X509_new()); +#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_TLS) && \ + !defined(NO_WOLFSSL_CLIENT) + WOLFSSL* ssl = NULL; + WOLFSSL_CTX* ctx = NULL; -#if !defined(NO_RSA) - { - WOLFSSL_RSA* rsa = NULL; + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); + ExpectNotNull(ssl = SSL_new(ctx)); + ExpectIntEQ(SSL_set_msg_callback(ssl, NULL), SSL_SUCCESS); + ExpectIntEQ(SSL_set_msg_callback(ssl, &sslMsgCb), SSL_SUCCESS); + ExpectIntEQ(SSL_set_msg_callback(NULL, &sslMsgCb), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); - if (pkey != NULL) { - pkey->type = WC_EVP_PKEY_RSA; - } - ExpectIntEQ(wolfSSL_X509_set_pubkey(x509, pkey), WOLFSSL_FAILURE); - ExpectNotNull(rsa = wolfSSL_RSA_new()); - ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, EVP_PKEY_RSA, rsa), - WOLFSSL_SUCCESS); - if (EXPECT_FAIL()) { - wolfSSL_RSA_free(rsa); - } - ExpectIntEQ(wolfSSL_X509_set_pubkey(x509, pkey), WOLFSSL_SUCCESS); - wolfSSL_EVP_PKEY_free(pkey); - pkey = NULL; - } + SSL_free(ssl); + SSL_CTX_free(ctx); #endif -#if !defined(HAVE_SELFTEST) && (defined(WOLFSSL_KEY_GEN) || \ - defined(WOLFSSL_CERT_GEN)) && !defined(NO_DSA) - { - WOLFSSL_DSA* dsa = NULL; + return EXPECT_RESULT(); +} - ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); - if (pkey != NULL) { - pkey->type = WC_EVP_PKEY_DSA; - } - ExpectIntEQ(wolfSSL_X509_set_pubkey(x509, pkey), WOLFSSL_FAILURE); - ExpectNotNull(dsa = wolfSSL_DSA_new()); - ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, EVP_PKEY_DSA, dsa), - WOLFSSL_SUCCESS); - if (EXPECT_FAIL()) { - wolfSSL_DSA_free(dsa); - } - ExpectIntEQ(wolfSSL_X509_set_pubkey(x509, pkey), WOLFSSL_FAILURE); - wolfSSL_EVP_PKEY_free(pkey); - pkey = NULL; - } -#endif -#if defined(HAVE_ECC) - { - WOLFSSL_EC_KEY* ec = NULL; +/* test_EVP_Cipher_extra, Extra-test on EVP_CipherUpdate/Final. 
see also test.c */ +#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)) &&\ + (!defined(NO_AES) && defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_128)) +static void binary_dump(void *ptr, int size) +{ + #ifdef WOLFSSL_EVP_PRINT + int i = 0; + unsigned char *p = (unsigned char *) ptr; - ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); - if (pkey != NULL) { - pkey->type = WC_EVP_PKEY_EC; - } - ExpectIntEQ(wolfSSL_X509_set_pubkey(x509, pkey), WOLFSSL_FAILURE); - ExpectNotNull(ec = wolfSSL_EC_KEY_new()); - ExpectIntEQ(wolfSSL_EC_KEY_generate_key(ec), 1); - ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, EVP_PKEY_EC, ec), - WOLFSSL_SUCCESS); - if (EXPECT_FAIL()) { - wolfSSL_EC_KEY_free(ec); + fprintf(stderr, "{"); + while ((p != NULL) && (i < size)) { + if ((i % 8) == 0) { + fprintf(stderr, "\n"); + fprintf(stderr, " "); } - ExpectIntEQ(wolfSSL_X509_set_pubkey(x509, pkey), WOLFSSL_SUCCESS); - wolfSSL_EVP_PKEY_free(pkey); - pkey = NULL; - } -#endif -#if !defined(NO_DH) - ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); - if (pkey != NULL) { - pkey->type = WC_EVP_PKEY_DH; + fprintf(stderr, "0x%02x, ", p[i]); + i++; } - ExpectIntEQ(wolfSSL_X509_set_pubkey(x509, pkey), WOLFSSL_FAILURE); - wolfSSL_EVP_PKEY_free(pkey); - pkey = NULL; -#endif - - wolfSSL_X509_free(x509); - - return EXPECT_RESULT(); + fprintf(stderr, "\n};\n"); + #else + (void) ptr; + (void) size; + #endif } -static int test_wolfSSL_EVP_PKEY_set1_get1_DSA(void) -{ - EXPECT_DECLS; -#if !defined (NO_DSA) && !defined(HAVE_SELFTEST) && defined(WOLFSSL_KEY_GEN) - DSA *dsa = NULL; - DSA *setDsa = NULL; - EVP_PKEY *pkey = NULL; - EVP_PKEY *set1Pkey = NULL; +static int last_val = 0x0f; - SHA_CTX sha; - byte signature[DSA_SIG_SIZE]; - byte hash[WC_SHA_DIGEST_SIZE]; - word32 bytes; - int answer; -#ifdef USE_CERT_BUFFERS_1024 - const unsigned char* dsaKeyDer = dsa_key_der_1024; - int dsaKeySz = sizeof_dsa_key_der_1024; - byte tmp[ONEK_BUF]; +static int check_result(unsigned char *data, int len) +{ + int i; - XMEMSET(tmp, 0, 
sizeof(tmp)); - XMEMCPY(tmp, dsaKeyDer , dsaKeySz); - bytes = dsaKeySz; -#elif defined(USE_CERT_BUFFERS_2048) - const unsigned char* dsaKeyDer = dsa_key_der_2048; - int dsaKeySz = sizeof_dsa_key_der_2048; - byte tmp[TWOK_BUF]; + for ( ; len; ) { + last_val = (last_val + 1) % 16; + for (i = 0; i < 16; len--, i++, data++) + if (*data != last_val) { + return -1; + } + } + return 0; +} - XMEMSET(tmp, 0, sizeof(tmp)); - XMEMCPY(tmp, dsaKeyDer , dsaKeySz); - bytes = (word32)dsaKeySz; -#else - byte tmp[TWOK_BUF]; - const unsigned char* dsaKeyDer = (const unsigned char*)tmp; - int dsaKeySz; - XFILE fp = XBADFILE; +static int r_offset; +static int w_offset; - XMEMSET(tmp, 0, sizeof(tmp)); - ExpectTrue((fp = XFOPEN("./certs/dsa2048.der", "rb")) != XBADFILE); - ExpectIntGT(dsaKeySz = bytes = (word32) XFREAD(tmp, 1, sizeof(tmp), fp), 0); - if (fp != XBADFILE) - XFCLOSE(fp); -#endif /* END USE_CERT_BUFFERS_1024 */ +static void init_offset(void) +{ + r_offset = 0; + w_offset = 0; +} +static void get_record(unsigned char *data, unsigned char *buf, int len) +{ + XMEMCPY(buf, data+r_offset, len); + r_offset += len; +} - /* Create hash to later Sign and Verify */ - ExpectIntEQ(SHA1_Init(&sha), WOLFSSL_SUCCESS); - ExpectIntEQ(SHA1_Update(&sha, tmp, bytes), WOLFSSL_SUCCESS); - ExpectIntEQ(SHA1_Final(hash,&sha), WOLFSSL_SUCCESS); +static void set_record(unsigned char *data, unsigned char *buf, int len) +{ + XMEMCPY(data+w_offset, buf, len); + w_offset += len; +} - /* Initialize pkey with der format dsa key */ - ExpectNotNull(d2i_PrivateKey(EVP_PKEY_DSA, &pkey, &dsaKeyDer, - (long)dsaKeySz)); +static void set_plain(unsigned char *plain, int rec) +{ + int i, j; + unsigned char *p = plain; - /* Test wolfSSL_EVP_PKEY_get1_DSA */ - /* Should Fail: NULL argument */ - ExpectNull(dsa = EVP_PKEY_get0_DSA(NULL)); - ExpectNull(dsa = EVP_PKEY_get1_DSA(NULL)); - /* Should Pass: Initialized pkey argument */ - ExpectNotNull(dsa = EVP_PKEY_get0_DSA(pkey)); - ExpectNotNull(dsa = 
EVP_PKEY_get1_DSA(pkey)); + #define BLOCKSZ 16 -#ifdef USE_CERT_BUFFERS_1024 - ExpectIntEQ(DSA_bits(dsa), 1024); -#else - ExpectIntEQ(DSA_bits(dsa), 2048); + for (i=0; i<(rec/BLOCKSZ); i++) { + for (j=0; j2)) -#if !defined(NO_DH) && defined(WOLFSSL_DH_EXTRA) && !defined(NO_FILESYSTEM) - DH *dh = NULL; - DH *setDh = NULL; - EVP_PKEY *pkey = NULL; + set_plain(plain, BUFFSZ * RECORDS); - XFILE f = XBADFILE; - unsigned char buf[4096]; - const unsigned char* pt = buf; - const char* dh2048 = "./certs/dh2048.der"; - long len = 0; - int code = -1; + SSL_library_init(); - XMEMSET(buf, 0, sizeof(buf)); + ExpectNotNull(evp = EVP_CIPHER_CTX_new()); + ExpectIntNE((ret = EVP_CipherInit(evp, type, NULL, iv, 0)), 0); - ExpectTrue((f = XFOPEN(dh2048, "rb")) != XBADFILE); - ExpectTrue((len = (long)XFREAD(buf, 1, sizeof(buf), f)) > 0); - if (f != XBADFILE) - XFCLOSE(f); + ExpectIntEQ(EVP_CIPHER_CTX_nid(evp), NID_aes_128_cbc); - /* Load dh2048.der into DH with internal format */ - ExpectNotNull(setDh = wolfSSL_d2i_DHparams(NULL, &pt, len)); + klen = EVP_CIPHER_CTX_key_length(evp); + if (klen > 0 && keylen != klen) { + ExpectIntNE(EVP_CIPHER_CTX_set_key_length(evp, keylen), 0); + } + ilen = EVP_CIPHER_CTX_iv_length(evp); + if (ilen > 0 && ivlen != ilen) { + ExpectIntNE(EVP_CIPHER_CTX_set_iv_length(evp, ivlen), 0); + } - ExpectIntEQ(wolfSSL_DH_check(setDh, &code), WOLFSSL_SUCCESS); - ExpectIntEQ(code, 0); - code = -1; + ExpectIntNE((ret = EVP_CipherInit(evp, NULL, key, iv, 1)), 0); - ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); + for (j = 0; j 2 */ -#endif /* OPENSSL_ALL || WOLFSSL_QT || WOLFSSL_OPENSSH */ - return EXPECT_RESULT(); -} /* END test_EVP_PKEY_set1_get1_DH */ + for (j = 0; test_drive[i][j]; j++) + { + inl = test_drive[i][j]; + test_drive_len[i] += inl; -static int test_wolfSSL_CTX_ctrl(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_TLS) && \ - !defined(NO_FILESYSTEM) && !defined(NO_RSA) && !defined(NO_WOLFSSL_SERVER) - char 
caFile[] = "./certs/client-ca.pem"; - char clientFile[] = "./certs/client-cert.pem"; - SSL_CTX* ctx = NULL; - X509* x509 = NULL; -#if !defined(NO_DH) && !defined(NO_DSA) && !defined(NO_BIO) - byte buf[6000]; - char file[] = "./certs/dsaparams.pem"; - XFILE f = XBADFILE; - int bytes = 0; - BIO* bio = NULL; - DSA* dsa = NULL; - DH* dh = NULL; -#endif -#ifdef HAVE_ECC - WOLFSSL_EC_KEY* ecKey = NULL; -#endif + get_record(plain, inb, inl); + ExpectIntNE((ret = EVP_EncryptUpdate(evp, outb, &outl, inb, inl)), + 0); + /* output to cipher buffer, so that following Dec test can detect + if any error */ + set_record(cipher, outb, outl); + } - ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); + EVP_CipherFinal(evp, outb, &outl); - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(caFile, - WOLFSSL_FILETYPE_PEM)); - ExpectIntEQ((int)SSL_CTX_add_extra_chain_cert(ctx, x509), WOLFSSL_SUCCESS); - if (EXPECT_FAIL()) { - wolfSSL_X509_free(x509); + if (outl > 0) + set_record(cipher, outb, outl); } - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(clientFile, - WOLFSSL_FILETYPE_PEM)); - -#if !defined(NO_DH) && !defined(NO_DSA) && !defined(NO_BIO) - /* Initialize DH */ - ExpectTrue((f = XFOPEN(file, "rb")) != XBADFILE); - ExpectIntGT(bytes = (int)XFREAD(buf, 1, sizeof(buf), f), 0); - if (f != XBADFILE) - XFCLOSE(f); - - ExpectNotNull(bio = BIO_new_mem_buf((void*)buf, bytes)); - - ExpectNotNull(dsa = wolfSSL_PEM_read_bio_DSAparams(bio, NULL, NULL, NULL)); - - ExpectNotNull(dh = wolfSSL_DSA_dup_DH(dsa)); -#endif -#ifdef HAVE_ECC - /* Initialize WOLFSSL_EC_KEY */ - ExpectNotNull(ecKey = wolfSSL_EC_KEY_new()); - ExpectIntEQ(wolfSSL_EC_KEY_generate_key(ecKey), 1); -#endif + for (i = 0; test_drive[i]; i++) { + last_val = 0x0f; - /* additional test of getting EVP_PKEY key size from X509 - * Do not run with user RSA because wolfSSL_RSA_size is not currently - * allowed with user RSA */ - { - EVP_PKEY* pkey = NULL; -#if defined(HAVE_ECC) - X509* ecX509 = NULL; -#endif 
/* HAVE_ECC */ + ExpectIntNE((ret = EVP_CipherInit(evp, NULL, key, iv, 0)), 0); - ExpectNotNull(pkey = X509_get_pubkey(x509)); - /* current RSA key is 2048 bit (256 bytes) */ - ExpectIntEQ(EVP_PKEY_size(pkey), 256); + init_offset(); - EVP_PKEY_free(pkey); - pkey = NULL; + for (j = 0; test_drive[i][j]; j++) { + inl = test_drive[i][j]; + get_record(cipher, inb, inl); -#if defined(HAVE_ECC) -#if defined(USE_CERT_BUFFERS_256) - ExpectNotNull(ecX509 = wolfSSL_X509_load_certificate_buffer( - cliecc_cert_der_256, sizeof_cliecc_cert_der_256, - SSL_FILETYPE_ASN1)); -#else - ExpectNotNull(ecX509 = wolfSSL_X509_load_certificate_file( - cliEccCertFile, SSL_FILETYPE_PEM)); -#endif - ExpectNotNull(pkey = X509_get_pubkey(ecX509)); - /* current ECC key is 256 bit (32 bytes) */ - ExpectIntGE(EVP_PKEY_size(pkey), 72); + ExpectIntNE((ret = EVP_DecryptUpdate(evp, outb, &outl, inb, inl)), + 0); - X509_free(ecX509); - EVP_PKEY_free(pkey); -#endif /* HAVE_ECC */ - } + binary_dump(outb, outl); + ExpectIntEQ((ret = check_result(outb, outl)), 0); + ExpectFalse(outl > ((inl/16+1)*16) && outl > 16); + } - /* Tests should fail with passed in NULL pointer */ - ExpectIntEQ((int)wolfSSL_CTX_ctrl(ctx, SSL_CTRL_EXTRA_CHAIN_CERT, 0, NULL), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); -#if !defined(NO_DH) && !defined(NO_DSA) - ExpectIntEQ((int)wolfSSL_CTX_ctrl(ctx, SSL_CTRL_SET_TMP_DH, 0, NULL), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); -#endif -#ifdef HAVE_ECC - ExpectIntEQ((int)wolfSSL_CTX_ctrl(ctx, SSL_CTRL_SET_TMP_ECDH, 0, NULL), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); -#endif + ret = EVP_CipherFinal(evp, outb, &outl); - /* Test with SSL_CTRL_EXTRA_CHAIN_CERT - * wolfSSL_CTX_ctrl should succesffuly call SSL_CTX_add_extra_chain_cert - */ - ExpectIntEQ((int)wolfSSL_CTX_ctrl(ctx, SSL_CTRL_EXTRA_CHAIN_CERT, 0, x509), - SSL_SUCCESS); - if (EXPECT_FAIL()) { - wolfSSL_X509_free(x509); + binary_dump(outb, outl); + + ret = (((test_drive_len[i] % 16) != 0) && (ret == 0)) || + (((test_drive_len[i] % 16) == 0) && (ret == 
1)); + ExpectTrue(ret); } - /* Test with SSL_CTRL_OPTIONS - * wolfSSL_CTX_ctrl should succesffuly call SSL_CTX_set_options - */ - ExpectTrue(wolfSSL_CTX_ctrl(ctx, SSL_CTRL_OPTIONS, SSL_OP_NO_TLSv1, - NULL) == SSL_OP_NO_TLSv1); - ExpectTrue(SSL_CTX_get_options(ctx) == SSL_OP_NO_TLSv1); + ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_cleanup(evp), WOLFSSL_SUCCESS); - /* Test with SSL_CTRL_SET_TMP_DH - * wolfSSL_CTX_ctrl should succesffuly call wolfSSL_SSL_CTX_set_tmp_dh - */ -#if !defined(NO_DH) && !defined(NO_DSA) && !defined(NO_BIO) - ExpectIntEQ((int)wolfSSL_CTX_ctrl(ctx, SSL_CTRL_SET_TMP_DH, 0, dh), - SSL_SUCCESS); -#endif + EVP_CIPHER_CTX_free(evp); + evp = NULL; - /* Test with SSL_CTRL_SET_TMP_ECDH - * wolfSSL_CTX_ctrl should succesffuly call wolfSSL_SSL_CTX_set_tmp_ecdh - */ -#ifdef HAVE_ECC - ExpectIntEQ((int)wolfSSL_CTX_ctrl(ctx, SSL_CTRL_SET_TMP_ECDH, 0, ecKey), - SSL_SUCCESS); -#endif + /* Do an extra test to verify correct behavior with empty input. */ -#ifdef WOLFSSL_ENCRYPTED_KEYS - ExpectNull(SSL_CTX_get_default_passwd_cb(ctx)); - ExpectNull(SSL_CTX_get_default_passwd_cb_userdata(ctx)); -#endif + ExpectNotNull(evp = EVP_CIPHER_CTX_new()); + ExpectIntNE((ret = EVP_CipherInit(evp, type, NULL, iv, 0)), 0); - /* Test for min/max proto */ -#ifndef WOLFSSL_NO_TLS12 - ExpectIntEQ((int)wolfSSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, - 0, NULL), SSL_SUCCESS); - ExpectIntEQ((int)wolfSSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, - TLS1_2_VERSION, NULL), SSL_SUCCESS); - ExpectIntEQ(wolfSSL_CTX_get_min_proto_version(ctx), TLS1_2_VERSION); -#endif -#ifdef WOLFSSL_TLS13 - ExpectIntEQ((int)wolfSSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, - 0, NULL), SSL_SUCCESS); + ExpectIntEQ(EVP_CIPHER_CTX_nid(evp), NID_aes_128_cbc); - ExpectIntEQ((int)wolfSSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, - TLS1_3_VERSION, NULL), SSL_SUCCESS); - ExpectIntEQ(wolfSSL_CTX_get_max_proto_version(ctx), TLS1_3_VERSION); -#ifndef WOLFSSL_NO_TLS12 - ExpectIntEQ((int)wolfSSL_CTX_ctrl(ctx, 
SSL_CTRL_SET_MAX_PROTO_VERSION, - TLS1_2_VERSION, NULL), SSL_SUCCESS); - ExpectIntEQ(wolfSSL_CTX_get_max_proto_version(ctx), TLS1_2_VERSION); -#endif -#endif - /* Cleanup and Pass */ -#if !defined(NO_DH) && !defined(NO_DSA) -#ifndef NO_BIO - BIO_free(bio); - DSA_free(dsa); - DH_free(dh); - dh = NULL; -#endif -#endif -#ifdef HAVE_ECC - wolfSSL_EC_KEY_free(ecKey); -#endif - SSL_CTX_free(ctx); -#endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ - * !defined(NO_FILESYSTEM) && !defined(NO_RSA) */ + klen = EVP_CIPHER_CTX_key_length(evp); + if (klen > 0 && keylen != klen) { + ExpectIntNE(EVP_CIPHER_CTX_set_key_length(evp, keylen), 0); + } + ilen = EVP_CIPHER_CTX_iv_length(evp); + if (ilen > 0 && ivlen != ilen) { + ExpectIntNE(EVP_CIPHER_CTX_set_iv_length(evp, ivlen), 0); + } + + ExpectIntNE((ret = EVP_CipherInit(evp, NULL, key, iv, 1)), 0); + + /* outl should be set to 0 after passing NULL, 0 for input args. */ + outl = -1; + ExpectIntNE((ret = EVP_CipherUpdate(evp, outb, &outl, NULL, 0)), 0); + ExpectIntEQ(outl, 0); + + EVP_CIPHER_CTX_free(evp); +#endif /* test_EVP_Cipher */ return EXPECT_RESULT(); } -static int test_wolfSSL_EVP_PKEY_assign(void) +static int test_wolfSSL_X509_SEP(void) { EXPECT_DECLS; -#if !defined(NO_RSA) || !defined(NO_DSA) || defined(HAVE_ECC) - int type; - WOLFSSL_EVP_PKEY* pkey = NULL; -#ifndef NO_RSA - WOLFSSL_RSA* rsa = NULL; -#endif -#ifndef NO_DSA - WOLFSSL_DSA* dsa = NULL; -#endif -#ifdef HAVE_ECC - WOLFSSL_EC_KEY* ecKey = NULL; +#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && defined(WOLFSSL_SEP) + WOLFSSL_X509* x509 = NULL; +#if 0 + byte* out; #endif + int outSz; -#ifndef NO_RSA - type = EVP_PKEY_RSA; - ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); - ExpectNotNull(rsa = wolfSSL_RSA_new()); - ExpectIntEQ(wolfSSL_EVP_PKEY_assign(NULL, type, rsa), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, type, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, -1, rsa), 
WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, type, rsa), WOLFSSL_SUCCESS); - if (EXPECT_FAIL()) { - wolfSSL_RSA_free(rsa); - } - wolfSSL_EVP_PKEY_free(pkey); - pkey = NULL; -#endif /* NO_RSA */ + ExpectNotNull(x509 = wolfSSL_X509_new()); -#ifndef NO_DSA - type = EVP_PKEY_DSA; - ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); - ExpectNotNull(dsa = wolfSSL_DSA_new()); - ExpectIntEQ(wolfSSL_EVP_PKEY_assign(NULL, type, dsa), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, type, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, -1, dsa), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, type, dsa), WOLFSSL_SUCCESS); - if (EXPECT_FAIL()) { - wolfSSL_DSA_free(dsa); - } - wolfSSL_EVP_PKEY_free(pkey); - pkey = NULL; -#endif /* NO_DSA */ + outSz = 0; + ExpectNull(wolfSSL_X509_get_device_type(NULL, NULL, NULL)); + ExpectNull(wolfSSL_X509_get_device_type(x509, NULL, NULL)); + ExpectNull(wolfSSL_X509_get_device_type(NULL, NULL, &outSz)); + ExpectNull(wolfSSL_X509_get_device_type(x509, NULL, &outSz)); -#ifdef HAVE_ECC - type = EVP_PKEY_EC; - ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); - ExpectNotNull(ecKey = wolfSSL_EC_KEY_new()); - ExpectIntEQ(wolfSSL_EVP_PKEY_assign(NULL, type, ecKey), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, type, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, -1, ecKey), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, type, ecKey), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_EC_KEY_generate_key(ecKey), 1); - ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, type, ecKey), WOLFSSL_SUCCESS); - if (EXPECT_FAIL()) { - wolfSSL_EC_KEY_free(ecKey); - } - wolfSSL_EVP_PKEY_free(pkey); - pkey = NULL; -#endif /* HAVE_ECC */ -#endif /* !NO_RSA || !NO_DSA || HAVE_ECC */ - return EXPECT_RESULT(); -} + outSz = 0; + 
ExpectNull(wolfSSL_X509_get_hw_type(NULL, NULL, NULL)); + ExpectNull(wolfSSL_X509_get_hw_type(x509, NULL, NULL)); + ExpectNull(wolfSSL_X509_get_hw_type(NULL, NULL, &outSz)); + ExpectNull(wolfSSL_X509_get_hw_type(x509, NULL, &outSz)); -static int test_wolfSSL_EVP_PKEY_assign_DH(void) -{ - EXPECT_DECLS; -#if !defined(NO_DH) && \ - !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)) - XFILE f = XBADFILE; - unsigned char buf[4096]; - const unsigned char* pt = buf; - const char* params1 = "./certs/dh2048.der"; - long len = 0; - WOLFSSL_DH* dh = NULL; - WOLFSSL_EVP_PKEY* pkey = NULL; - XMEMSET(buf, 0, sizeof(buf)); + outSz = 0; + ExpectNull(wolfSSL_X509_get_hw_serial_number(NULL, NULL, NULL)); + ExpectNull(wolfSSL_X509_get_hw_serial_number(x509, NULL, NULL)); + ExpectNull(wolfSSL_X509_get_hw_serial_number(NULL, NULL, &outSz)); + ExpectNull(wolfSSL_X509_get_hw_serial_number(x509, NULL, &outSz)); - /* Load DH parameters DER. */ - ExpectTrue((f = XFOPEN(params1, "rb")) != XBADFILE); - ExpectTrue((len = (long)XFREAD(buf, 1, sizeof(buf), f)) > 0); - if (f != XBADFILE) - XFCLOSE(f); + ExpectIntEQ(wolfSSL_X509_ext_isSet_by_NID(x509, + WC_NID_certificate_policies), 0); - ExpectNotNull(dh = wolfSSL_d2i_DHparams(NULL, &pt, len)); - ExpectIntEQ(DH_generate_key(dh), WOLFSSL_SUCCESS); + wolfSSL_X509_free(x509); + x509 = NULL; - ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); +#if 0 + /* Use certificate with the extension here. 
*/ + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(svrCertFile, + SSL_FILETYPE_PEM)); - /* Bad cases */ - ExpectIntEQ(wolfSSL_EVP_PKEY_assign_DH(NULL, dh), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_EVP_PKEY_assign_DH(pkey, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_EVP_PKEY_assign_DH(NULL, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + outSz = 0; + ExpectNotNull(out = wolfSSL_X509_get_device_type(x509, NULL, &outSz)); + ExpectIntGT(outSz, 0); + XFREE(out, NULL, DYNAMIC_TYPE_OPENSSL); - /* Good case */ - ExpectIntEQ(wolfSSL_EVP_PKEY_assign_DH(pkey, dh), WOLFSSL_SUCCESS); - if (EXPECT_FAIL()) { - wolfSSL_DH_free(dh); - } + outSz = 0; + ExpectNotNull(out = wolfSSL_X509_get_hw_type(x509, NULL, &outSz)); + ExpectIntGT(outSz, 0); + XFREE(out, NULL, DYNAMIC_TYPE_OPENSSL); - EVP_PKEY_free(pkey); + outSz = 0; + ExpectNotNull(out = wolfSSL_X509_get_hw_serial_number(x509, NULL, &outSz)); + ExpectIntGT(outSz, 0); + XFREE(out, NULL, DYNAMIC_TYPE_OPENSSL); + + wolfSSL_X509_free(x509); +#endif #endif return EXPECT_RESULT(); } -static int test_wolfSSL_EVP_PKEY_base_id(void) +static int test_wolfSSL_OpenSSL_add_all_algorithms(void) { EXPECT_DECLS; - WOLFSSL_EVP_PKEY* pkey = NULL; +#if defined(OPENSSL_EXTRA) + ExpectIntEQ(wolfSSL_add_all_algorithms(), WOLFSSL_SUCCESS); - ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); + ExpectIntEQ(wolfSSL_OpenSSL_add_all_algorithms_noconf(), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_EVP_PKEY_base_id(NULL), NID_undef); + ExpectIntEQ(wolfSSL_OpenSSL_add_all_algorithms_conf(), WOLFSSL_SUCCESS); +#endif + return EXPECT_RESULT(); +} - ExpectIntEQ(wolfSSL_EVP_PKEY_base_id(pkey), EVP_PKEY_RSA); +static int test_wolfSSL_OPENSSL_hexstr2buf(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) + #define MAX_HEXSTR_BUFSZ 9 + #define NUM_CASES 5 + struct Output { + const unsigned char buffer[MAX_HEXSTR_BUFSZ]; + long ret; + }; + int i; + int j; - EVP_PKEY_free(pkey); + const char* inputs[NUM_CASES] = { + "aabcd1357e", + 
"01:12:23:34:a5:b6:c7:d8:e9", + ":01:02", + "012", + ":ab:ac:d" + }; + struct Output expectedOutputs[NUM_CASES] = { + {{0xaa, 0xbc, 0xd1, 0x35, 0x7e}, 5}, + {{0x01, 0x12, 0x23, 0x34, 0xa5, 0xb6, 0xc7, 0xd8, 0xe9}, 9}, + {{0x01, 0x02}, 2}, + {{0x00}, 0}, + {{0x00}, 0} + }; + long len = 0; + unsigned char* returnedBuf = NULL; + + for (i = 0; i < NUM_CASES && !EXPECT_FAIL(); ++i) { + returnedBuf = wolfSSL_OPENSSL_hexstr2buf(inputs[i], &len); + if (returnedBuf == NULL) { + ExpectIntEQ(expectedOutputs[i].ret, 0); + continue; + } + + ExpectIntEQ(expectedOutputs[i].ret, len); + for (j = 0; j < len; ++j) { + ExpectIntEQ(expectedOutputs[i].buffer[j], returnedBuf[j]); + } + OPENSSL_free(returnedBuf); + } +#endif return EXPECT_RESULT(); } -static int test_wolfSSL_EVP_PKEY_id(void) + +#if defined(OPENSSL_ALL) +static int test_wolfSSL_sk_CIPHER_description(void) { EXPECT_DECLS; - WOLFSSL_EVP_PKEY* pkey = NULL; - - ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); +#if !defined(NO_RSA) && !defined(NO_TLS) + const long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION; + int i; + int numCiphers = 0; + const SSL_METHOD *method = NULL; + const SSL_CIPHER *cipher = NULL; + STACK_OF(SSL_CIPHER) *supportedCiphers = NULL; + SSL_CTX *ctx = NULL; + SSL *ssl = NULL; + char buf[256]; + char test_str[9] = "0000000"; + const char badStr[] = "unknown"; + const char certPath[] = "./certs/client-cert.pem"; + XMEMSET(buf, 0, sizeof(buf)); - ExpectIntEQ(wolfSSL_EVP_PKEY_id(NULL), 0); + ExpectNotNull(method = TLSv1_2_client_method()); + ExpectNotNull(ctx = SSL_CTX_new(method)); + SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, 0); + SSL_CTX_set_verify_depth(ctx, 4); + SSL_CTX_set_options(ctx, flags); + ExpectIntEQ(SSL_CTX_load_verify_locations(ctx, certPath, NULL), + WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_EVP_PKEY_id(pkey), EVP_PKEY_RSA); + ExpectNotNull(ssl = SSL_new(ctx)); + /* SSL_get_ciphers returns a stack of all configured ciphers + * A flag, getCipherAtOffset, is set to later have 
SSL_CIPHER_description + */ + ExpectNotNull(supportedCiphers = SSL_get_ciphers(ssl)); - EVP_PKEY_free(pkey); + /* loop through the amount of supportedCiphers */ + numCiphers = sk_num(supportedCiphers); + for (i = 0; i < numCiphers; ++i) { + int j; + /* sk_value increments "sk->data.cipher->cipherOffset". + * wolfSSL_sk_CIPHER_description sets the description for + * the cipher based on the provided offset. + */ + if ((cipher = (const WOLFSSL_CIPHER*)sk_value(supportedCiphers, i))) { + SSL_CIPHER_description(cipher, buf, sizeof(buf)); + } + /* Search cipher description string for "unknown" descriptor */ + for (j = 0; j < (int)XSTRLEN(buf); j++) { + int k = 0; + while ((k < (int)XSTRLEN(badStr)) && (buf[j] == badStr[k])) { + test_str[k] = badStr[k]; + j++; + k++; + } + } + /* Fail if test_str == badStr == "unknown" */ + ExpectStrNE(test_str,badStr); + } + SSL_free(ssl); + SSL_CTX_free(ctx); +#endif return EXPECT_RESULT(); } -static int test_wolfSSL_EVP_PKEY_paramgen(void) +static int test_wolfSSL_get_ciphers_compat(void) { EXPECT_DECLS; - /* ECC check taken from ecc.c. It is the condition that defines ECC256 */ -#if defined(OPENSSL_ALL) && !defined(NO_ECC_SECP) && \ - ((!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && \ - ECC_MIN_KEY_SZ <= 256) - EVP_PKEY_CTX* ctx = NULL; - EVP_PKEY* pkey = NULL; +#if !defined(NO_RSA) && !defined(NO_TLS) + const SSL_METHOD *method = NULL; + const char certPath[] = "./certs/client-cert.pem"; + STACK_OF(SSL_CIPHER) *supportedCiphers = NULL; + SSL_CTX *ctx = NULL; + WOLFSSL *ssl = NULL; + const long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION; - /* Test error conditions. 
*/ - ExpectIntEQ(EVP_PKEY_paramgen(NULL, &pkey), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectNotNull(ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL)); - ExpectIntEQ(EVP_PKEY_paramgen(ctx, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectNotNull(method = SSLv23_client_method()); + ExpectNotNull(ctx = SSL_CTX_new(method)); + SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, 0); + SSL_CTX_set_verify_depth(ctx, 4); + SSL_CTX_set_options(ctx, flags); + ExpectIntEQ(SSL_CTX_load_verify_locations(ctx, certPath, NULL), + WOLFSSL_SUCCESS); -#ifndef NO_RSA - EVP_PKEY_CTX_free(ctx); - /* Parameter generation for RSA not supported yet. */ - ExpectNotNull(ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL)); - ExpectIntEQ(EVP_PKEY_paramgen(ctx, &pkey), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); -#endif + ExpectNotNull(ssl = SSL_new(ctx)); -#ifdef HAVE_ECC - EVP_PKEY_CTX_free(ctx); - ExpectNotNull(ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL)); - ExpectIntEQ(EVP_PKEY_paramgen_init(ctx), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, - NID_X9_62_prime256v1), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_paramgen(ctx, &pkey), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_CTX_set_ec_param_enc(ctx, OPENSSL_EC_NAMED_CURVE), - WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_keygen_init(ctx), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_keygen(ctx, &pkey), WOLFSSL_SUCCESS); -#endif + /* Test Bad NULL input */ + ExpectNull(supportedCiphers = SSL_get_ciphers(NULL)); + /* Test for Good input */ + ExpectNotNull(supportedCiphers = SSL_get_ciphers(ssl)); + /* Further usage of SSL_get_ciphers/wolfSSL_get_ciphers_compat is + * tested in test_wolfSSL_sk_CIPHER_description according to Qt usage */ - EVP_PKEY_CTX_free(ctx); - EVP_PKEY_free(pkey); + SSL_free(ssl); + SSL_CTX_free(ctx); #endif return EXPECT_RESULT(); } -static int test_wolfSSL_EVP_PKEY_keygen(void) +static int test_wolfSSL_EVP_PKEY_set1_get1_DSA(void) { EXPECT_DECLS; - WOLFSSL_EVP_PKEY* pkey = NULL; - EVP_PKEY_CTX* ctx = NULL; -#if !defined(NO_DH) && 
(!defined(HAVE_FIPS) || FIPS_VERSION_GT(2,0)) - WOLFSSL_EVP_PKEY* params = NULL; - DH* dh = NULL; - const BIGNUM* pubkey = NULL; - const BIGNUM* privkey = NULL; - ASN1_INTEGER* asn1int = NULL; - unsigned int length = 0; - byte* derBuffer = NULL; -#endif +#if !defined (NO_DSA) && !defined(HAVE_SELFTEST) && defined(WOLFSSL_KEY_GEN) + DSA *dsa = NULL; + DSA *setDsa = NULL; + EVP_PKEY *pkey = NULL; + EVP_PKEY *set1Pkey = NULL; - ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); - ExpectNotNull(ctx = EVP_PKEY_CTX_new(pkey, NULL)); + SHA_CTX sha; + byte signature[DSA_SIG_SIZE]; + byte hash[WC_SHA_DIGEST_SIZE]; + word32 bytes; + int answer; +#ifdef USE_CERT_BUFFERS_1024 + const unsigned char* dsaKeyDer = dsa_key_der_1024; + int dsaKeySz = sizeof_dsa_key_der_1024; + byte tmp[ONEK_BUF]; - /* Bad cases */ - ExpectIntEQ(wolfSSL_EVP_PKEY_keygen(NULL, &pkey), 0); - ExpectIntEQ(wolfSSL_EVP_PKEY_keygen(ctx, NULL), 0); - ExpectIntEQ(wolfSSL_EVP_PKEY_keygen(NULL, NULL), 0); + XMEMSET(tmp, 0, sizeof(tmp)); + XMEMCPY(tmp, dsaKeyDer , dsaKeySz); + bytes = dsaKeySz; +#elif defined(USE_CERT_BUFFERS_2048) + const unsigned char* dsaKeyDer = dsa_key_der_2048; + int dsaKeySz = sizeof_dsa_key_der_2048; + byte tmp[TWOK_BUF]; - /* Good case */ - ExpectIntEQ(wolfSSL_EVP_PKEY_keygen(ctx, &pkey), 0); + XMEMSET(tmp, 0, sizeof(tmp)); + XMEMCPY(tmp, dsaKeyDer , dsaKeySz); + bytes = (word32)dsaKeySz; +#else + byte tmp[TWOK_BUF]; + const unsigned char* dsaKeyDer = (const unsigned char*)tmp; + int dsaKeySz; + XFILE fp = XBADFILE; - EVP_PKEY_CTX_free(ctx); - ctx = NULL; - EVP_PKEY_free(pkey); - pkey = NULL; + XMEMSET(tmp, 0, sizeof(tmp)); + ExpectTrue((fp = XFOPEN("./certs/dsa2048.der", "rb")) != XBADFILE); + ExpectIntGT(dsaKeySz = bytes = (word32) XFREAD(tmp, 1, sizeof(tmp), fp), 0); + if (fp != XBADFILE) + XFCLOSE(fp); +#endif /* END USE_CERT_BUFFERS_1024 */ -#if !defined(NO_DH) && (!defined(HAVE_FIPS) || FIPS_VERSION_GT(2,0)) - /* Test DH keygen */ - { - ExpectNotNull(params = wolfSSL_EVP_PKEY_new()); - 
ExpectNotNull(dh = DH_get_2048_256()); - ExpectIntEQ(EVP_PKEY_set1_DH(params, dh), WOLFSSL_SUCCESS); - ExpectNotNull(ctx = EVP_PKEY_CTX_new(params, NULL)); - ExpectIntEQ(EVP_PKEY_keygen_init(ctx), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_PKEY_keygen(ctx, &pkey), WOLFSSL_SUCCESS); + /* Create hash to later Sign and Verify */ + ExpectIntEQ(SHA1_Init(&sha), WOLFSSL_SUCCESS); + ExpectIntEQ(SHA1_Update(&sha, tmp, bytes), WOLFSSL_SUCCESS); + ExpectIntEQ(SHA1_Final(hash,&sha), WOLFSSL_SUCCESS); - DH_free(dh); - dh = NULL; - EVP_PKEY_CTX_free(ctx); - EVP_PKEY_free(params); + /* Initialize pkey with der format dsa key */ + ExpectNotNull(d2i_PrivateKey(EVP_PKEY_DSA, &pkey, &dsaKeyDer, + (long)dsaKeySz)); - /* try exporting generated key to DER, to verify */ - ExpectNotNull(dh = EVP_PKEY_get1_DH(pkey)); - DH_get0_key(dh, &pubkey, &privkey); - ExpectNotNull(pubkey); - ExpectNotNull(privkey); - ExpectNotNull(asn1int = BN_to_ASN1_INTEGER(pubkey, NULL)); - ExpectIntGT((length = i2d_ASN1_INTEGER(asn1int, &derBuffer)), 0); + /* Test wolfSSL_EVP_PKEY_get1_DSA */ + /* Should Fail: NULL argument */ + ExpectNull(dsa = EVP_PKEY_get0_DSA(NULL)); + ExpectNull(dsa = EVP_PKEY_get1_DSA(NULL)); + /* Should Pass: Initialized pkey argument */ + ExpectNotNull(dsa = EVP_PKEY_get0_DSA(pkey)); + ExpectNotNull(dsa = EVP_PKEY_get1_DSA(pkey)); - ASN1_INTEGER_free(asn1int); - DH_free(dh); - dh = NULL; - XFREE(derBuffer, NULL, DYNAMIC_TYPE_TMP_BUFFER); +#ifdef USE_CERT_BUFFERS_1024 + ExpectIntEQ(DSA_bits(dsa), 1024); +#else + ExpectIntEQ(DSA_bits(dsa), 2048); +#endif + + /* Sign */ + ExpectIntEQ(wolfSSL_DSA_do_sign(hash, signature, dsa), WOLFSSL_SUCCESS); + /* Verify. 
*/ + ExpectIntEQ(wolfSSL_DSA_do_verify(hash, signature, dsa, &answer), + WOLFSSL_SUCCESS); - EVP_PKEY_free(pkey); - } -#endif + /* Test wolfSSL_EVP_PKEY_set1_DSA */ + /* Should Fail: set1Pkey not initialized */ + ExpectIntNE(EVP_PKEY_set1_DSA(set1Pkey, dsa), WOLFSSL_SUCCESS); - return EXPECT_RESULT(); -} -static int test_wolfSSL_EVP_PKEY_keygen_init(void) -{ - EXPECT_DECLS; - WOLFSSL_EVP_PKEY* pkey = NULL; - EVP_PKEY_CTX *ctx = NULL; + /* Initialize set1Pkey */ + set1Pkey = EVP_PKEY_new(); - ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); - ExpectNotNull(ctx = EVP_PKEY_CTX_new(pkey, NULL)); + /* Should Fail Verify: setDsa not initialized from set1Pkey */ + ExpectIntNE(wolfSSL_DSA_do_verify(hash,signature,setDsa,&answer), + WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_EVP_PKEY_keygen_init(ctx), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_EVP_PKEY_keygen_init(NULL), WOLFSSL_SUCCESS); + /* Should Pass: set dsa into set1Pkey */ + ExpectIntEQ(EVP_PKEY_set1_DSA(set1Pkey, dsa), WOLFSSL_SUCCESS); - EVP_PKEY_CTX_free(ctx); + DSA_free(dsa); + DSA_free(setDsa); EVP_PKEY_free(pkey); - + EVP_PKEY_free(set1Pkey); +#endif /* !NO_DSA && !HAVE_SELFTEST && WOLFSSL_KEY_GEN */ return EXPECT_RESULT(); -} -static int test_wolfSSL_EVP_PKEY_missing_parameters(void) +} /* END test_EVP_PKEY_set1_get1_DSA */ + +static int test_wolfSSL_EVP_PKEY_set1_get1_EC_KEY (void) { EXPECT_DECLS; -#if defined(OPENSSL_ALL) && !defined(NO_WOLFSSL_STUB) - WOLFSSL_EVP_PKEY* pkey = NULL; +#ifdef HAVE_ECC + WOLFSSL_EC_KEY* ecKey = NULL; + WOLFSSL_EC_KEY* ecGet1 = NULL; + EVP_PKEY* pkey = NULL; + ExpectNotNull(ecKey = wolfSSL_EC_KEY_new()); ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); - ExpectIntEQ(wolfSSL_EVP_PKEY_missing_parameters(pkey), 0); - ExpectIntEQ(wolfSSL_EVP_PKEY_missing_parameters(NULL), 0); + /* Test wolfSSL_EVP_PKEY_set1_EC_KEY */ + ExpectIntEQ(wolfSSL_EVP_PKEY_set1_EC_KEY(NULL, ecKey), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EVP_PKEY_set1_EC_KEY(pkey, NULL), 
WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + /* Should fail since ecKey is empty */ + ExpectIntEQ(wolfSSL_EVP_PKEY_set1_EC_KEY(pkey, ecKey), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EC_KEY_generate_key(ecKey), 1); + ExpectIntEQ(wolfSSL_EVP_PKEY_set1_EC_KEY(pkey, ecKey), WOLFSSL_SUCCESS); + + /* Test wolfSSL_EVP_PKEY_get1_EC_KEY */ + ExpectNull(wolfSSL_EVP_PKEY_get1_EC_KEY(NULL)); + ExpectNotNull(ecGet1 = wolfSSL_EVP_PKEY_get1_EC_KEY(pkey)); + wolfSSL_EC_KEY_free(ecKey); + wolfSSL_EC_KEY_free(ecGet1); EVP_PKEY_free(pkey); -#endif +#endif /* HAVE_ECC */ return EXPECT_RESULT(); -} -static int test_wolfSSL_EVP_PKEY_copy_parameters(void) +} /* END test_EVP_PKEY_set1_get1_EC_KEY */ + +static int test_wolfSSL_EVP_PKEY_set1_get1_DH (void) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_DH) && defined(WOLFSSL_KEY_GEN) && \ - !defined(HAVE_SELFTEST) && (defined(OPENSSL_ALL) || defined(WOLFSSL_QT) || \ - defined(WOLFSSL_OPENSSH)) && defined(WOLFSSL_DH_EXTRA) && \ - !defined(NO_FILESYSTEM) - WOLFSSL_EVP_PKEY* params = NULL; - WOLFSSL_EVP_PKEY* copy = NULL; - DH* dh = NULL; - BIGNUM* p1; - BIGNUM* g1; - BIGNUM* q1; - BIGNUM* p2; - BIGNUM* g2; - BIGNUM* q2; - - /* create DH with DH_get_2048_256 params */ - ExpectNotNull(params = wolfSSL_EVP_PKEY_new()); - ExpectNotNull(dh = DH_get_2048_256()); - ExpectIntEQ(EVP_PKEY_set1_DH(params, dh), WOLFSSL_SUCCESS); - DH_get0_pqg(dh, (const BIGNUM**)&p1, - (const BIGNUM**)&q1, - (const BIGNUM**)&g1); - DH_free(dh); - dh = NULL; +#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) || defined(WOLFSSL_OPENSSH) +#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) +#if !defined(NO_DH) && defined(WOLFSSL_DH_EXTRA) && !defined(NO_FILESYSTEM) + DH *dh = NULL; + DH *setDh = NULL; + EVP_PKEY *pkey = NULL; - /* create DH with random generated DH params */ - ExpectNotNull(copy = wolfSSL_EVP_PKEY_new()); - ExpectNotNull(dh = DH_generate_parameters(2048, 2, NULL, NULL)); - ExpectIntEQ(EVP_PKEY_set1_DH(copy, 
dh), WOLFSSL_SUCCESS); - DH_free(dh); - dh = NULL; + XFILE f = XBADFILE; + unsigned char buf[4096]; + const unsigned char* pt = buf; + const char* dh2048 = "./certs/dh2048.der"; + long len = 0; + int code = -1; - ExpectIntEQ(EVP_PKEY_copy_parameters(copy, params), WOLFSSL_SUCCESS); - ExpectNotNull(dh = EVP_PKEY_get1_DH(copy)); - ExpectNotNull(dh->p); - ExpectNotNull(dh->g); - ExpectNotNull(dh->q); - DH_get0_pqg(dh, (const BIGNUM**)&p2, - (const BIGNUM**)&q2, - (const BIGNUM**)&g2); + XMEMSET(buf, 0, sizeof(buf)); - ExpectIntEQ(BN_cmp(p1, p2), 0); - ExpectIntEQ(BN_cmp(q1, q2), 0); - ExpectIntEQ(BN_cmp(g1, g2), 0); + ExpectTrue((f = XFOPEN(dh2048, "rb")) != XBADFILE); + ExpectTrue((len = (long)XFREAD(buf, 1, sizeof(buf), f)) > 0); + if (f != XBADFILE) + XFCLOSE(f); - DH_free(dh); - dh = NULL; - EVP_PKEY_free(copy); - EVP_PKEY_free(params); -#endif - return EXPECT_RESULT(); -} + /* Load dh2048.der into DH with internal format */ + ExpectNotNull(setDh = wolfSSL_d2i_DHparams(NULL, &pt, len)); -static int test_wolfSSL_EVP_PKEY_CTX_set_rsa_keygen_bits(void) -{ - EXPECT_DECLS; - WOLFSSL_EVP_PKEY* pkey = NULL; - EVP_PKEY_CTX* ctx = NULL; - int bits = 2048; + ExpectIntEQ(wolfSSL_DH_check(setDh, &code), WOLFSSL_SUCCESS); + ExpectIntEQ(code, 0); + code = -1; ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); - ExpectNotNull(ctx = EVP_PKEY_CTX_new(pkey, NULL)); - ExpectIntEQ(wolfSSL_EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, bits), - WOLFSSL_SUCCESS); + /* Set DH into PKEY */ + ExpectIntEQ(wolfSSL_EVP_PKEY_set1_DH(pkey, setDh), WOLFSSL_SUCCESS); - EVP_PKEY_CTX_free(ctx); - EVP_PKEY_free(pkey); + /* Get DH from PKEY */ + ExpectNotNull(dh = wolfSSL_EVP_PKEY_get1_DH(pkey)); + + ExpectIntEQ(wolfSSL_DH_check(dh, &code), WOLFSSL_SUCCESS); + ExpectIntEQ(code, 0); + EVP_PKEY_free(pkey); + DH_free(setDh); + setDh = NULL; + DH_free(dh); + dh = NULL; +#endif /* !NO_DH && WOLFSSL_DH_EXTRA && !NO_FILESYSTEM */ +#endif /* !HAVE_FIPS || HAVE_FIPS_VERSION > 2 */ +#endif /* OPENSSL_ALL || WOLFSSL_QT || 
WOLFSSL_OPENSSH */ return EXPECT_RESULT(); -} +} /* END test_EVP_PKEY_set1_get1_DH */ -static int test_wolfSSL_EVP_CIPHER_CTX_iv_length(void) +static int test_wolfSSL_CTX_ctrl(void) { EXPECT_DECLS; - /* This is large enough to be used for all key sizes */ - byte key[AES_256_KEY_SIZE] = {0}; - byte iv[AES_BLOCK_SIZE] = {0}; - int i; - int nids[] = { - #ifdef HAVE_AES_CBC - NID_aes_128_cbc, - #endif - #if (!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)) || \ - (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)) - #ifdef HAVE_AESGCM - NID_aes_128_gcm, - #endif - #endif /* (HAVE_FIPS && !HAVE_SELFTEST) || HAVE_FIPS_VERSION > 2 */ - #ifdef WOLFSSL_AES_COUNTER - NID_aes_128_ctr, - #endif - #ifndef NO_DES3 - NID_des_cbc, - NID_des_ede3_cbc, - #endif - }; - int iv_lengths[] = { - #ifdef HAVE_AES_CBC - AES_BLOCK_SIZE, - #endif - #if (!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)) || \ - (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)) - #ifdef HAVE_AESGCM - GCM_NONCE_MID_SZ, - #endif - #endif /* (HAVE_FIPS && !HAVE_SELFTEST) || HAVE_FIPS_VERSION > 2 */ - #ifdef WOLFSSL_AES_COUNTER - AES_BLOCK_SIZE, - #endif - #ifndef NO_DES3 - DES_BLOCK_SIZE, - DES_BLOCK_SIZE, - #endif - }; - int nidsLen = (sizeof(nids)/sizeof(int)); - - for (i = 0; i < nidsLen; i++) { - const EVP_CIPHER* init = wolfSSL_EVP_get_cipherbynid(nids[i]); - EVP_CIPHER_CTX* ctx = EVP_CIPHER_CTX_new(); - wolfSSL_EVP_CIPHER_CTX_init(ctx); +#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_TLS) && \ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) && !defined(NO_WOLFSSL_SERVER) + char caFile[] = "./certs/client-ca.pem"; + char clientFile[] = "./certs/client-cert.pem"; + SSL_CTX* ctx = NULL; + X509* x509 = NULL; +#if !defined(NO_DH) && !defined(NO_DSA) && !defined(NO_BIO) + byte buf[6000]; + char file[] = "./certs/dsaparams.pem"; + XFILE f = XBADFILE; + int bytes = 0; + BIO* bio = NULL; + DSA* dsa = NULL; + DH* dh = NULL; +#endif +#ifdef HAVE_ECC + WOLFSSL_EC_KEY* ecKey = NULL; +#endif - 
ExpectIntEQ(EVP_CipherInit(ctx, init, key, iv, 1), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_iv_length(ctx), iv_lengths[i]); + ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); - EVP_CIPHER_CTX_free(ctx); + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(caFile, + WOLFSSL_FILETYPE_PEM)); + ExpectIntEQ((int)SSL_CTX_add_extra_chain_cert(ctx, x509), WOLFSSL_SUCCESS); + if (EXPECT_FAIL()) { + wolfSSL_X509_free(x509); } - return EXPECT_RESULT(); -} + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(clientFile, + WOLFSSL_FILETYPE_PEM)); -static int test_wolfSSL_EVP_CIPHER_CTX_key_length(void) -{ - EXPECT_DECLS; - byte key[AES_256_KEY_SIZE] = {0}; - byte iv[AES_BLOCK_SIZE] = {0}; - int i; - int nids[] = { - #ifdef HAVE_AES_CBC - NID_aes_128_cbc, - #ifdef WOLFSSL_AES_256 - NID_aes_256_cbc, - #endif - #endif - #if (!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)) || \ - (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)) - #ifdef HAVE_AESGCM - NID_aes_128_gcm, - #ifdef WOLFSSL_AES_256 - NID_aes_256_gcm, - #endif - #endif - #endif /* (HAVE_FIPS && !HAVE_SELFTEST) || HAVE_FIPS_VERSION > 2 */ - #ifdef WOLFSSL_AES_COUNTER - NID_aes_128_ctr, - #ifdef WOLFSSL_AES_256 - NID_aes_256_ctr, - #endif - #endif - #ifndef NO_DES3 - NID_des_cbc, - NID_des_ede3_cbc, - #endif - }; - int key_lengths[] = { - #ifdef HAVE_AES_CBC - AES_128_KEY_SIZE, - #ifdef WOLFSSL_AES_256 - AES_256_KEY_SIZE, - #endif - #endif - #if (!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)) || \ - (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)) - #ifdef HAVE_AESGCM - AES_128_KEY_SIZE, - #ifdef WOLFSSL_AES_256 - AES_256_KEY_SIZE, - #endif - #endif - #endif /* (HAVE_FIPS && !HAVE_SELFTEST) || HAVE_FIPS_VERSION > 2 */ - #ifdef WOLFSSL_AES_COUNTER - AES_128_KEY_SIZE, - #ifdef WOLFSSL_AES_256 - AES_256_KEY_SIZE, - #endif - #endif - #ifndef NO_DES3 - DES_KEY_SIZE, - DES3_KEY_SIZE, - #endif - }; - int nidsLen = (sizeof(nids)/sizeof(int)); +#if !defined(NO_DH) && 
!defined(NO_DSA) && !defined(NO_BIO) + /* Initialize DH */ + ExpectTrue((f = XFOPEN(file, "rb")) != XBADFILE); + ExpectIntGT(bytes = (int)XFREAD(buf, 1, sizeof(buf), f), 0); + if (f != XBADFILE) + XFCLOSE(f); - for (i = 0; i < nidsLen; i++) { - const EVP_CIPHER *init = wolfSSL_EVP_get_cipherbynid(nids[i]); - EVP_CIPHER_CTX* ctx = EVP_CIPHER_CTX_new(); - wolfSSL_EVP_CIPHER_CTX_init(ctx); + ExpectNotNull(bio = BIO_new_mem_buf((void*)buf, bytes)); - ExpectIntEQ(EVP_CipherInit(ctx, init, key, iv, 1), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_key_length(ctx), key_lengths[i]); + ExpectNotNull(dsa = wolfSSL_PEM_read_bio_DSAparams(bio, NULL, NULL, NULL)); - ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_set_key_length(ctx, key_lengths[i]), - WOLFSSL_SUCCESS); + ExpectNotNull(dh = wolfSSL_DSA_dup_DH(dsa)); +#endif +#ifdef HAVE_ECC + /* Initialize WOLFSSL_EC_KEY */ + ExpectNotNull(ecKey = wolfSSL_EC_KEY_new()); + ExpectIntEQ(wolfSSL_EC_KEY_generate_key(ecKey), 1); +#endif - EVP_CIPHER_CTX_free(ctx); - } + /* additional test of getting EVP_PKEY key size from X509 + * Do not run with user RSA because wolfSSL_RSA_size is not currently + * allowed with user RSA */ + { + EVP_PKEY* pkey = NULL; +#if defined(HAVE_ECC) + X509* ecX509 = NULL; +#endif /* HAVE_ECC */ - return EXPECT_RESULT(); -} + ExpectNotNull(pkey = X509_get_pubkey(x509)); + /* current RSA key is 2048 bit (256 bytes) */ + ExpectIntEQ(EVP_PKEY_size(pkey), 256); -static int test_wolfSSL_EVP_CIPHER_CTX_set_iv(void) -{ - EXPECT_DECLS; -#if defined(HAVE_AESGCM) && !defined(NO_DES3) - int ivLen, keyLen; - EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new(); -#ifdef HAVE_AESGCM - byte key[AES_128_KEY_SIZE] = {0}; - byte iv[AES_BLOCK_SIZE] = {0}; - const EVP_CIPHER *init = EVP_aes_128_gcm(); + EVP_PKEY_free(pkey); + pkey = NULL; + +#if defined(HAVE_ECC) +#if defined(USE_CERT_BUFFERS_256) + ExpectNotNull(ecX509 = wolfSSL_X509_load_certificate_buffer( + cliecc_cert_der_256, sizeof_cliecc_cert_der_256, + SSL_FILETYPE_ASN1)); #else - 
byte key[DES3_KEY_SIZE] = {0}; - byte iv[DES_BLOCK_SIZE] = {0}; - const EVP_CIPHER *init = EVP_des_ede3_cbc(); + ExpectNotNull(ecX509 = wolfSSL_X509_load_certificate_file( + cliEccCertFile, SSL_FILETYPE_PEM)); #endif + ExpectNotNull(pkey = X509_get_pubkey(ecX509)); + /* current ECC key is 256 bit (32 bytes) */ + ExpectIntGE(EVP_PKEY_size(pkey), 72); - wolfSSL_EVP_CIPHER_CTX_init(ctx); - ExpectIntEQ(EVP_CipherInit(ctx, init, key, iv, 1), WOLFSSL_SUCCESS); - - ivLen = wolfSSL_EVP_CIPHER_CTX_iv_length(ctx); - keyLen = wolfSSL_EVP_CIPHER_CTX_key_length(ctx); + X509_free(ecX509); + EVP_PKEY_free(pkey); +#endif /* HAVE_ECC */ + } - /* Bad cases */ - ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_set_iv(NULL, iv, ivLen), + /* Tests should fail with passed in NULL pointer */ + ExpectIntEQ((int)wolfSSL_CTX_ctrl(ctx, SSL_CTRL_EXTRA_CHAIN_CERT, 0, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_set_iv(ctx, NULL, ivLen), +#if !defined(NO_DH) && !defined(NO_DSA) + ExpectIntEQ((int)wolfSSL_CTX_ctrl(ctx, SSL_CTRL_SET_TMP_DH, 0, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_set_iv(ctx, iv, 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_set_iv(NULL, NULL, 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_set_iv(ctx, iv, keyLen), +#endif +#ifdef HAVE_ECC + ExpectIntEQ((int)wolfSSL_CTX_ctrl(ctx, SSL_CTRL_SET_TMP_ECDH, 0, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - - /* Good case */ - ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_set_iv(ctx, iv, ivLen), 1); - - EVP_CIPHER_CTX_free(ctx); #endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_EVP_PKEY_CTX_new_id(void) -{ - EXPECT_DECLS; - WOLFSSL_ENGINE* e = NULL; - int id = 0; - EVP_PKEY_CTX *ctx = NULL; - - ExpectNotNull(ctx = wolfSSL_EVP_PKEY_CTX_new_id(id, e)); - - EVP_PKEY_CTX_free(ctx); - return EXPECT_RESULT(); -} - -static int test_wolfSSL_EVP_rc4(void) -{ - EXPECT_DECLS; -#if !defined(NO_RC4) - 
ExpectNotNull(wolfSSL_EVP_rc4()); -#endif - return EXPECT_RESULT(); -} + /* Test with SSL_CTRL_EXTRA_CHAIN_CERT + * wolfSSL_CTX_ctrl should succesffuly call SSL_CTX_add_extra_chain_cert + */ + ExpectIntEQ((int)wolfSSL_CTX_ctrl(ctx, SSL_CTRL_EXTRA_CHAIN_CERT, 0, x509), + SSL_SUCCESS); + if (EXPECT_FAIL()) { + wolfSSL_X509_free(x509); + } -static int test_wolfSSL_EVP_enc_null(void) -{ - EXPECT_DECLS; - ExpectNotNull(wolfSSL_EVP_enc_null()); - return EXPECT_RESULT(); -} -static int test_wolfSSL_EVP_rc2_cbc(void) + /* Test with SSL_CTRL_OPTIONS + * wolfSSL_CTX_ctrl should succesffuly call SSL_CTX_set_options + */ + ExpectTrue(wolfSSL_CTX_ctrl(ctx, SSL_CTRL_OPTIONS, SSL_OP_NO_TLSv1, + NULL) == SSL_OP_NO_TLSv1); + ExpectTrue(SSL_CTX_get_options(ctx) == SSL_OP_NO_TLSv1); -{ - EXPECT_DECLS; -#if defined(WOLFSSL_QT) && !defined(NO_WOLFSSL_STUB) - ExpectNull(wolfSSL_EVP_rc2_cbc()); + /* Test with SSL_CTRL_SET_TMP_DH + * wolfSSL_CTX_ctrl should succesffuly call wolfSSL_SSL_CTX_set_tmp_dh + */ +#if !defined(NO_DH) && !defined(NO_DSA) && !defined(NO_BIO) + ExpectIntEQ((int)wolfSSL_CTX_ctrl(ctx, SSL_CTRL_SET_TMP_DH, 0, dh), + SSL_SUCCESS); #endif - return EXPECT_RESULT(); -} -static int test_wolfSSL_EVP_mdc2(void) -{ - EXPECT_DECLS; -#if !defined(NO_WOLFSSL_STUB) - ExpectNull(wolfSSL_EVP_mdc2()); + /* Test with SSL_CTRL_SET_TMP_ECDH + * wolfSSL_CTX_ctrl should succesffuly call wolfSSL_SSL_CTX_set_tmp_ecdh + */ +#ifdef HAVE_ECC + ExpectIntEQ((int)wolfSSL_CTX_ctrl(ctx, SSL_CTRL_SET_TMP_ECDH, 0, ecKey), + SSL_SUCCESS); #endif - return EXPECT_RESULT(); -} -static int test_wolfSSL_EVP_md4(void) -{ - EXPECT_DECLS; -#if !defined(NO_MD4) - ExpectNotNull(wolfSSL_EVP_md4()); +#ifdef WOLFSSL_ENCRYPTED_KEYS + ExpectNull(SSL_CTX_get_default_passwd_cb(ctx)); + ExpectNull(SSL_CTX_get_default_passwd_cb_userdata(ctx)); #endif - return EXPECT_RESULT(); -} -static int test_wolfSSL_EVP_aes_256_gcm(void) -{ - EXPECT_DECLS; -#if defined(HAVE_AESGCM) && defined(WOLFSSL_AES_256) - 
ExpectNotNull(wolfSSL_EVP_aes_256_gcm()); + /* Test for min/max proto */ +#ifndef WOLFSSL_NO_TLS12 + ExpectIntEQ((int)wolfSSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, + 0, NULL), SSL_SUCCESS); + ExpectIntEQ((int)wolfSSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, + TLS1_2_VERSION, NULL), SSL_SUCCESS); + ExpectIntEQ(wolfSSL_CTX_get_min_proto_version(ctx), TLS1_2_VERSION); #endif - return EXPECT_RESULT(); -} +#ifdef WOLFSSL_TLS13 + ExpectIntEQ((int)wolfSSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, + 0, NULL), SSL_SUCCESS); -static int test_wolfSSL_EVP_aes_192_gcm(void) -{ - EXPECT_DECLS; -#if defined(HAVE_AESGCM) && defined(WOLFSSL_AES_192) - ExpectNotNull(wolfSSL_EVP_aes_192_gcm()); + ExpectIntEQ((int)wolfSSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, + TLS1_3_VERSION, NULL), SSL_SUCCESS); + ExpectIntEQ(wolfSSL_CTX_get_max_proto_version(ctx), TLS1_3_VERSION); +#ifndef WOLFSSL_NO_TLS12 + ExpectIntEQ((int)wolfSSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, + TLS1_2_VERSION, NULL), SSL_SUCCESS); + ExpectIntEQ(wolfSSL_CTX_get_max_proto_version(ctx), TLS1_2_VERSION); #endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_EVP_aes_256_ccm(void) -{ - EXPECT_DECLS; -#if defined(HAVE_AESCCM) && defined(WOLFSSL_AES_256) - ExpectNotNull(wolfSSL_EVP_aes_256_ccm()); #endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_EVP_aes_192_ccm(void) -{ - EXPECT_DECLS; -#if defined(HAVE_AESCCM) && defined(WOLFSSL_AES_192) - ExpectNotNull(wolfSSL_EVP_aes_192_ccm()); + /* Cleanup and Pass */ +#if !defined(NO_DH) && !defined(NO_DSA) +#ifndef NO_BIO + BIO_free(bio); + DSA_free(dsa); + DH_free(dh); + dh = NULL; #endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_EVP_aes_128_ccm(void) -{ - EXPECT_DECLS; -#if defined(HAVE_AESCCM) && defined(WOLFSSL_AES_128) - ExpectNotNull(wolfSSL_EVP_aes_128_ccm()); #endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_EVP_ripemd160(void) -{ - EXPECT_DECLS; -#if !defined(NO_WOLFSSL_STUB) - 
ExpectNull(wolfSSL_EVP_ripemd160()); +#ifdef HAVE_ECC + wolfSSL_EC_KEY_free(ecKey); #endif + SSL_CTX_free(ctx); +#endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ + * !defined(NO_FILESYSTEM) && !defined(NO_RSA) */ return EXPECT_RESULT(); } -static int test_wolfSSL_EVP_get_digestbynid(void) +static int test_wolfSSL_EVP_PKEY_assign(void) { EXPECT_DECLS; - -#ifndef NO_MD5 - ExpectNotNull(wolfSSL_EVP_get_digestbynid(NID_md5)); +#if !defined(NO_RSA) || !defined(NO_DSA) || defined(HAVE_ECC) + int type; + WOLFSSL_EVP_PKEY* pkey = NULL; +#ifndef NO_RSA + WOLFSSL_RSA* rsa = NULL; #endif -#ifndef NO_SHA - ExpectNotNull(wolfSSL_EVP_get_digestbynid(NID_sha1)); +#ifndef NO_DSA + WOLFSSL_DSA* dsa = NULL; #endif -#ifndef NO_SHA256 - ExpectNotNull(wolfSSL_EVP_get_digestbynid(NID_sha256)); +#ifdef HAVE_ECC + WOLFSSL_EC_KEY* ecKey = NULL; #endif - ExpectNull(wolfSSL_EVP_get_digestbynid(0)); +#ifndef NO_RSA + type = EVP_PKEY_RSA; + ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); + ExpectNotNull(rsa = wolfSSL_RSA_new()); + ExpectIntEQ(wolfSSL_EVP_PKEY_assign(NULL, type, rsa), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, type, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, -1, rsa), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, type, rsa), WOLFSSL_SUCCESS); + if (EXPECT_FAIL()) { + wolfSSL_RSA_free(rsa); + } + wolfSSL_EVP_PKEY_free(pkey); + pkey = NULL; +#endif /* NO_RSA */ + +#ifndef NO_DSA + type = EVP_PKEY_DSA; + ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); + ExpectNotNull(dsa = wolfSSL_DSA_new()); + ExpectIntEQ(wolfSSL_EVP_PKEY_assign(NULL, type, dsa), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, type, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, -1, dsa), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, type, dsa), WOLFSSL_SUCCESS); + if (EXPECT_FAIL()) { + 
wolfSSL_DSA_free(dsa); + } + wolfSSL_EVP_PKEY_free(pkey); + pkey = NULL; +#endif /* NO_DSA */ + +#ifdef HAVE_ECC + type = EVP_PKEY_EC; + ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); + ExpectNotNull(ecKey = wolfSSL_EC_KEY_new()); + ExpectIntEQ(wolfSSL_EVP_PKEY_assign(NULL, type, ecKey), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, type, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, -1, ecKey), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, type, ecKey), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EC_KEY_generate_key(ecKey), 1); + ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, type, ecKey), WOLFSSL_SUCCESS); + if (EXPECT_FAIL()) { + wolfSSL_EC_KEY_free(ecKey); + } + wolfSSL_EVP_PKEY_free(pkey); + pkey = NULL; +#endif /* HAVE_ECC */ +#endif /* !NO_RSA || !NO_DSA || HAVE_ECC */ return EXPECT_RESULT(); } -static int test_wolfSSL_EVP_MD_nid(void) +static int test_wolfSSL_EVP_PKEY_assign_DH(void) { EXPECT_DECLS; +#if !defined(NO_DH) && \ + !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)) + XFILE f = XBADFILE; + unsigned char buf[4096]; + const unsigned char* pt = buf; + const char* params1 = "./certs/dh2048.der"; + long len = 0; + WOLFSSL_DH* dh = NULL; + WOLFSSL_EVP_PKEY* pkey = NULL; + XMEMSET(buf, 0, sizeof(buf)); -#ifndef NO_MD5 - ExpectIntEQ(EVP_MD_nid(EVP_md5()), NID_md5); -#endif -#ifndef NO_SHA - ExpectIntEQ(EVP_MD_nid(EVP_sha1()), NID_sha1); -#endif -#ifndef NO_SHA256 - ExpectIntEQ(EVP_MD_nid(EVP_sha256()), NID_sha256); -#endif - ExpectIntEQ(EVP_MD_nid(NULL), NID_undef); + /* Load DH parameters DER. 
*/ + ExpectTrue((f = XFOPEN(params1, "rb")) != XBADFILE); + ExpectTrue((len = (long)XFREAD(buf, 1, sizeof(buf), f)) > 0); + if (f != XBADFILE) + XFCLOSE(f); - return EXPECT_RESULT(); -} + ExpectNotNull(dh = wolfSSL_d2i_DHparams(NULL, &pt, len)); + ExpectIntEQ(DH_generate_key(dh), WOLFSSL_SUCCESS); -static int test_wolfSSL_EVP_PKEY_get0_EC_KEY(void) -{ - EXPECT_DECLS; -#if defined(HAVE_ECC) - WOLFSSL_EVP_PKEY* pkey = NULL; + ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); - ExpectNull(EVP_PKEY_get0_EC_KEY(NULL)); + /* Bad cases */ + ExpectIntEQ(wolfSSL_EVP_PKEY_assign_DH(NULL, dh), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EVP_PKEY_assign_DH(pkey, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EVP_PKEY_assign_DH(NULL, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + + /* Good case */ + ExpectIntEQ(wolfSSL_EVP_PKEY_assign_DH(pkey, dh), WOLFSSL_SUCCESS); + if (EXPECT_FAIL()) { + wolfSSL_DH_free(dh); + } - ExpectNotNull(pkey = EVP_PKEY_new()); - ExpectNull(EVP_PKEY_get0_EC_KEY(pkey)); EVP_PKEY_free(pkey); #endif return EXPECT_RESULT(); } -static int test_wolfSSL_EVP_X_STATE(void) +static int test_wolfSSL_EVP_PKEY_base_id(void) { EXPECT_DECLS; -#if !defined(NO_DES3) && !defined(NO_RC4) - byte key[DES3_KEY_SIZE] = {0}; - byte iv[DES_IV_SIZE] = {0}; - EVP_CIPHER_CTX *ctx = NULL; - const EVP_CIPHER *init = NULL; - - /* Bad test cases */ - ExpectNotNull(ctx = EVP_CIPHER_CTX_new()); - ExpectNotNull(init = EVP_des_ede3_cbc()); + WOLFSSL_EVP_PKEY* pkey = NULL; - wolfSSL_EVP_CIPHER_CTX_init(ctx); - ExpectIntEQ(EVP_CipherInit(ctx, init, key, iv, 1), WOLFSSL_SUCCESS); + ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); - ExpectNull(wolfSSL_EVP_X_STATE(NULL)); - ExpectNull(wolfSSL_EVP_X_STATE(ctx)); - EVP_CIPHER_CTX_free(ctx); - ctx = NULL; + ExpectIntEQ(wolfSSL_EVP_PKEY_base_id(NULL), NID_undef); - /* Good test case */ - ExpectNotNull(ctx = EVP_CIPHER_CTX_new()); - ExpectNotNull(init = wolfSSL_EVP_rc4()); + ExpectIntEQ(wolfSSL_EVP_PKEY_base_id(pkey), 
EVP_PKEY_RSA); - wolfSSL_EVP_CIPHER_CTX_init(ctx); - ExpectIntEQ(EVP_CipherInit(ctx, init, key, iv, 1), WOLFSSL_SUCCESS); + EVP_PKEY_free(pkey); - ExpectNotNull(wolfSSL_EVP_X_STATE(ctx)); - EVP_CIPHER_CTX_free(ctx); -#endif return EXPECT_RESULT(); } -static int test_wolfSSL_EVP_X_STATE_LEN(void) +static int test_wolfSSL_EVP_PKEY_id(void) { EXPECT_DECLS; -#if !defined(NO_DES3) && !defined(NO_RC4) - byte key[DES3_KEY_SIZE] = {0}; - byte iv[DES_IV_SIZE] = {0}; - EVP_CIPHER_CTX *ctx = NULL; - const EVP_CIPHER *init = NULL; - - /* Bad test cases */ - ExpectNotNull(ctx = EVP_CIPHER_CTX_new()); - ExpectNotNull(init = EVP_des_ede3_cbc()); + WOLFSSL_EVP_PKEY* pkey = NULL; - wolfSSL_EVP_CIPHER_CTX_init(ctx); - ExpectIntEQ(EVP_CipherInit(ctx, init, key, iv, 1), WOLFSSL_SUCCESS); + ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); - ExpectIntEQ(wolfSSL_EVP_X_STATE_LEN(NULL), 0); - ExpectIntEQ(wolfSSL_EVP_X_STATE_LEN(ctx), 0); - EVP_CIPHER_CTX_free(ctx); - ctx = NULL; + ExpectIntEQ(wolfSSL_EVP_PKEY_id(NULL), 0); - /* Good test case */ - ExpectNotNull(ctx = EVP_CIPHER_CTX_new()); - ExpectNotNull(init = wolfSSL_EVP_rc4()); + ExpectIntEQ(wolfSSL_EVP_PKEY_id(pkey), EVP_PKEY_RSA); - wolfSSL_EVP_CIPHER_CTX_init(ctx); - ExpectIntEQ(EVP_CipherInit(ctx, init, key, iv, 1), WOLFSSL_SUCCESS); + EVP_PKEY_free(pkey); - ExpectIntEQ(wolfSSL_EVP_X_STATE_LEN(ctx), sizeof(Arc4)); - EVP_CIPHER_CTX_free(ctx); -#endif return EXPECT_RESULT(); } -static int test_wolfSSL_EVP_CIPHER_block_size(void) +static int test_wolfSSL_EVP_PKEY_paramgen(void) { EXPECT_DECLS; -#if defined(HAVE_AES_CBC) || defined(HAVE_AESGCM) || \ - defined(WOLFSSL_AES_COUNTER) || defined(HAVE_AES_ECB) || \ - defined(WOLFSSL_AES_OFB) || !defined(NO_RC4) || \ - (defined(HAVE_CHACHA) && defined(HAVE_POLY1305)) - -#ifdef HAVE_AES_CBC - #ifdef WOLFSSL_AES_128 - ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_128_cbc()), AES_BLOCK_SIZE); - #endif - #ifdef WOLFSSL_AES_192 - ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_192_cbc()), AES_BLOCK_SIZE); - 
#endif - #ifdef WOLFSSL_AES_256 - ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_256_cbc()), AES_BLOCK_SIZE); - #endif -#endif - -#ifdef HAVE_AESGCM - #ifdef WOLFSSL_AES_128 - ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_128_gcm()), 1); - #endif - #ifdef WOLFSSL_AES_192 - ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_192_gcm()), 1); - #endif - #ifdef WOLFSSL_AES_256 - ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_256_gcm()), 1); - #endif -#endif - -#ifdef HAVE_AESCCM - #ifdef WOLFSSL_AES_128 - ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_128_ccm()), 1); - #endif - #ifdef WOLFSSL_AES_192 - ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_192_ccm()), 1); - #endif - #ifdef WOLFSSL_AES_256 - ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_256_ccm()), 1); - #endif -#endif - -#ifdef WOLFSSL_AES_COUNTER - #ifdef WOLFSSL_AES_128 - ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_128_ctr()), 1); - #endif - #ifdef WOLFSSL_AES_192 - ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_192_ctr()), 1); - #endif - #ifdef WOLFSSL_AES_256 - ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_256_ctr()), 1); - #endif -#endif - -#ifdef HAVE_AES_ECB - #ifdef WOLFSSL_AES_128 - ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_128_ecb()), AES_BLOCK_SIZE); - #endif - #ifdef WOLFSSL_AES_192 - ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_192_ecb()), AES_BLOCK_SIZE); - #endif - #ifdef WOLFSSL_AES_256 - ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_256_ecb()), AES_BLOCK_SIZE); - #endif -#endif + /* ECC check taken from ecc.c. 
It is the condition that defines ECC256 */ +#if defined(OPENSSL_ALL) && !defined(NO_ECC_SECP) && \ + ((!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && \ + ECC_MIN_KEY_SZ <= 256) + EVP_PKEY_CTX* ctx = NULL; + EVP_PKEY* pkey = NULL; -#ifdef WOLFSSL_AES_OFB - #ifdef WOLFSSL_AES_128 - ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_128_ofb()), 1); - #endif - #ifdef WOLFSSL_AES_192 - ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_192_ofb()), 1); - #endif - #ifdef WOLFSSL_AES_256 - ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_256_ofb()), 1); - #endif -#endif + /* Test error conditions. */ + ExpectIntEQ(EVP_PKEY_paramgen(NULL, &pkey), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectNotNull(ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL)); + ExpectIntEQ(EVP_PKEY_paramgen(ctx, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); -#ifndef NO_RC4 - ExpectIntEQ(EVP_CIPHER_block_size(wolfSSL_EVP_rc4()), 1); +#ifndef NO_RSA + EVP_PKEY_CTX_free(ctx); + /* Parameter generation for RSA not supported yet. */ + ExpectNotNull(ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL)); + ExpectIntEQ(EVP_PKEY_paramgen(ctx, &pkey), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); #endif -#if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) - ExpectIntEQ(EVP_CIPHER_block_size(wolfSSL_EVP_chacha20_poly1305()), 1); -#endif +#ifdef HAVE_ECC + EVP_PKEY_CTX_free(ctx); + ExpectNotNull(ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL)); + ExpectIntEQ(EVP_PKEY_paramgen_init(ctx), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, + NID_X9_62_prime256v1), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_paramgen(ctx, &pkey), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_CTX_set_ec_param_enc(ctx, OPENSSL_EC_NAMED_CURVE), + WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_keygen_init(ctx), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_keygen(ctx, &pkey), WOLFSSL_SUCCESS); #endif -#ifdef WOLFSSL_SM4_ECB - ExpectIntEQ(EVP_CIPHER_block_size(EVP_sm4_ecb()), SM4_BLOCK_SIZE); -#endif -#ifdef WOLFSSL_SM4_CBC - ExpectIntEQ(EVP_CIPHER_block_size(EVP_sm4_cbc()), 
SM4_BLOCK_SIZE); -#endif -#ifdef WOLFSSL_SM4_CTR - ExpectIntEQ(EVP_CIPHER_block_size(EVP_sm4_ctr()), 1); -#endif -#ifdef WOLFSSL_SM4_GCM - ExpectIntEQ(EVP_CIPHER_block_size(EVP_sm4_gcm()), 1); -#endif -#ifdef WOLFSSL_SM4_CCM - ExpectIntEQ(EVP_CIPHER_block_size(EVP_sm4_ccm()), 1); + EVP_PKEY_CTX_free(ctx); + EVP_PKEY_free(pkey); #endif - return EXPECT_RESULT(); } -static int test_wolfSSL_EVP_CIPHER_iv_length(void) +static int test_wolfSSL_EVP_PKEY_keygen(void) { EXPECT_DECLS; - int nids[] = { - #if defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT) - #ifdef WOLFSSL_AES_128 - NID_aes_128_cbc, - #endif - #ifdef WOLFSSL_AES_192 - NID_aes_192_cbc, - #endif - #ifdef WOLFSSL_AES_256 - NID_aes_256_cbc, - #endif - #endif /* HAVE_AES_CBC || WOLFSSL_AES_DIRECT */ - #if (!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)) || \ - (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)) - #ifdef HAVE_AESGCM - #ifdef WOLFSSL_AES_128 - NID_aes_128_gcm, - #endif - #ifdef WOLFSSL_AES_192 - NID_aes_192_gcm, - #endif - #ifdef WOLFSSL_AES_256 - NID_aes_256_gcm, - #endif - #endif /* HAVE_AESGCM */ - #endif /* (HAVE_FIPS && !HAVE_SELFTEST) || HAVE_FIPS_VERSION > 2 */ - #ifdef WOLFSSL_AES_COUNTER - #ifdef WOLFSSL_AES_128 - NID_aes_128_ctr, - #endif - #ifdef WOLFSSL_AES_192 - NID_aes_192_ctr, - #endif - #ifdef WOLFSSL_AES_256 - NID_aes_256_ctr, - #endif - #endif - #ifndef NO_DES3 - NID_des_cbc, - NID_des_ede3_cbc, - #endif - #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) - NID_chacha20_poly1305, - #endif - }; - int iv_lengths[] = { - #if defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT) - #ifdef WOLFSSL_AES_128 - AES_BLOCK_SIZE, - #endif - #ifdef WOLFSSL_AES_192 - AES_BLOCK_SIZE, - #endif - #ifdef WOLFSSL_AES_256 - AES_BLOCK_SIZE, - #endif - #endif /* HAVE_AES_CBC || WOLFSSL_AES_DIRECT */ - #if (!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)) || \ - (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)) - #ifdef HAVE_AESGCM - #ifdef WOLFSSL_AES_128 - GCM_NONCE_MID_SZ, - #endif - 
#ifdef WOLFSSL_AES_192 - GCM_NONCE_MID_SZ, - #endif - #ifdef WOLFSSL_AES_256 - GCM_NONCE_MID_SZ, - #endif - #endif /* HAVE_AESGCM */ - #endif /* (HAVE_FIPS && !HAVE_SELFTEST) || HAVE_FIPS_VERSION > 2 */ - #ifdef WOLFSSL_AES_COUNTER - #ifdef WOLFSSL_AES_128 - AES_BLOCK_SIZE, - #endif - #ifdef WOLFSSL_AES_192 - AES_BLOCK_SIZE, - #endif - #ifdef WOLFSSL_AES_256 - AES_BLOCK_SIZE, - #endif - #endif - #ifndef NO_DES3 - DES_BLOCK_SIZE, - DES_BLOCK_SIZE, - #endif - #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) - CHACHA20_POLY1305_AEAD_IV_SIZE, - #endif - }; - int i; - int nidsLen = (sizeof(nids)/sizeof(int)); - - for (i = 0; i < nidsLen; i++) { - const EVP_CIPHER *c = EVP_get_cipherbynid(nids[i]); - ExpectIntEQ(EVP_CIPHER_iv_length(c), iv_lengths[i]); - } - - return EXPECT_RESULT(); -} + WOLFSSL_EVP_PKEY* pkey = NULL; + EVP_PKEY_CTX* ctx = NULL; +#if !defined(NO_DH) && (!defined(HAVE_FIPS) || FIPS_VERSION_GT(2,0)) + WOLFSSL_EVP_PKEY* params = NULL; + DH* dh = NULL; + const BIGNUM* pubkey = NULL; + const BIGNUM* privkey = NULL; + ASN1_INTEGER* asn1int = NULL; + unsigned int length = 0; + byte* derBuffer = NULL; +#endif -static int test_wolfSSL_EVP_SignInit_ex(void) -{ - EXPECT_DECLS; - WOLFSSL_EVP_MD_CTX mdCtx; - WOLFSSL_ENGINE* e = 0; - const EVP_MD* md = EVP_sha256(); + ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); + ExpectNotNull(ctx = EVP_PKEY_CTX_new(pkey, NULL)); - wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(wolfSSL_EVP_SignInit_ex(&mdCtx, md, e), WOLFSSL_SUCCESS); + /* Bad cases */ + ExpectIntEQ(wolfSSL_EVP_PKEY_keygen(NULL, &pkey), 0); + ExpectIntEQ(wolfSSL_EVP_PKEY_keygen(ctx, NULL), 0); + ExpectIntEQ(wolfSSL_EVP_PKEY_keygen(NULL, NULL), 0); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); + /* Good case */ + ExpectIntEQ(wolfSSL_EVP_PKEY_keygen(ctx, &pkey), 0); - return EXPECT_RESULT(); -} + EVP_PKEY_CTX_free(ctx); + ctx = NULL; + EVP_PKEY_free(pkey); + pkey = NULL; -static int test_wolfSSL_EVP_DigestFinalXOF(void) -{ - EXPECT_DECLS; -#if 
defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE256) && defined(OPENSSL_ALL) - WOLFSSL_EVP_MD_CTX mdCtx; - unsigned char shake[256]; - unsigned char zeros[10]; - unsigned char data[] = "Test data"; - unsigned int sz; +#if !defined(NO_DH) && (!defined(HAVE_FIPS) || FIPS_VERSION_GT(2,0)) + /* Test DH keygen */ + { + ExpectNotNull(params = wolfSSL_EVP_PKEY_new()); + ExpectNotNull(dh = DH_get_2048_256()); + ExpectIntEQ(EVP_PKEY_set1_DH(params, dh), WOLFSSL_SUCCESS); + ExpectNotNull(ctx = EVP_PKEY_CTX_new(params, NULL)); + ExpectIntEQ(EVP_PKEY_keygen_init(ctx), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_keygen(ctx, &pkey), WOLFSSL_SUCCESS); - XMEMSET(zeros, 0, sizeof(zeros)); - wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(EVP_DigestInit(&mdCtx, EVP_shake256()), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_MD_flags(EVP_shake256()), EVP_MD_FLAG_XOF); - ExpectIntEQ(EVP_MD_flags(EVP_sha3_256()), 0); - ExpectIntEQ(EVP_DigestUpdate(&mdCtx, data, 1), WOLFSSL_SUCCESS); - XMEMSET(shake, 0, sizeof(shake)); - ExpectIntEQ(EVP_DigestFinalXOF(&mdCtx, shake, 10), WOLFSSL_SUCCESS); + DH_free(dh); + dh = NULL; + EVP_PKEY_CTX_free(ctx); + EVP_PKEY_free(params); - /* make sure was only size of 10 */ - ExpectIntEQ(XMEMCMP(&shake[11], zeros, 10), 0); - ExpectIntEQ(EVP_MD_CTX_cleanup(&mdCtx), WOLFSSL_SUCCESS); + /* try exporting generated key to DER, to verify */ + ExpectNotNull(dh = EVP_PKEY_get1_DH(pkey)); + DH_get0_key(dh, &pubkey, &privkey); + ExpectNotNull(pubkey); + ExpectNotNull(privkey); + ExpectNotNull(asn1int = BN_to_ASN1_INTEGER(pubkey, NULL)); + ExpectIntGT((length = i2d_ASN1_INTEGER(asn1int, &derBuffer)), 0); - wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(EVP_DigestInit(&mdCtx, EVP_shake256()), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_DigestUpdate(&mdCtx, data, 1), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_DigestFinal(&mdCtx, shake, &sz), WOLFSSL_SUCCESS); - ExpectIntEQ(sz, 32); - ExpectIntEQ(EVP_MD_CTX_cleanup(&mdCtx), WOLFSSL_SUCCESS); + ASN1_INTEGER_free(asn1int); + DH_free(dh); + dh = NULL; + 
XFREE(derBuffer, NULL, DYNAMIC_TYPE_TMP_BUFFER); - #if defined(WOLFSSL_SHAKE128) - wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(EVP_DigestInit(&mdCtx, EVP_shake128()), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_DigestUpdate(&mdCtx, data, 1), WOLFSSL_SUCCESS); - ExpectIntEQ(EVP_DigestFinal(&mdCtx, shake, &sz), WOLFSSL_SUCCESS); - ExpectIntEQ(sz, 16); - ExpectIntEQ(EVP_MD_CTX_cleanup(&mdCtx), WOLFSSL_SUCCESS); - #endif + EVP_PKEY_free(pkey); + } #endif + return EXPECT_RESULT(); } - -static int test_wolfSSL_EVP_DigestFinal_ex(void) +static int test_wolfSSL_EVP_PKEY_keygen_init(void) { EXPECT_DECLS; -#if !defined(NO_SHA256) - WOLFSSL_EVP_MD_CTX mdCtx; - unsigned int s = 0; - unsigned char md[WC_SHA256_DIGEST_SIZE]; - unsigned char md2[WC_SHA256_DIGEST_SIZE]; + WOLFSSL_EVP_PKEY* pkey = NULL; + EVP_PKEY_CTX *ctx = NULL; - /* Bad Case */ -#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && \ - (HAVE_FIPS_VERSION > 2)) - wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(wolfSSL_EVP_DigestFinal_ex(&mdCtx, md, &s), 0); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); + ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); + ExpectNotNull(ctx = EVP_PKEY_CTX_new(pkey, NULL)); -#else - wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(wolfSSL_EVP_DigestFinal_ex(&mdCtx, md, &s), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_EVP_PKEY_keygen_init(ctx), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_EVP_PKEY_keygen_init(NULL), WOLFSSL_SUCCESS); -#endif + EVP_PKEY_CTX_free(ctx); + EVP_PKEY_free(pkey); - /* Good Case */ - wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, EVP_sha256()), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_EVP_DigestFinal_ex(&mdCtx, md2, &s), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), WOLFSSL_SUCCESS); -#endif return EXPECT_RESULT(); } - -static int test_wolfSSL_QT_EVP_PKEY_CTX_free(void) +static int test_wolfSSL_EVP_PKEY_missing_parameters(void) { EXPECT_DECLS; -#if 
defined(OPENSSL_EXTRA) - EVP_PKEY* pkey = NULL; - EVP_PKEY_CTX* ctx = NULL; +#if defined(OPENSSL_ALL) && !defined(NO_WOLFSSL_STUB) + WOLFSSL_EVP_PKEY* pkey = NULL; ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); - ExpectNotNull(ctx = EVP_PKEY_CTX_new(pkey, NULL)); -#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000L - /* void */ - EVP_PKEY_CTX_free(ctx); -#else - /* int */ - ExpectIntEQ(EVP_PKEY_CTX_free(ctx), WOLFSSL_SUCCESS); -#endif + ExpectIntEQ(wolfSSL_EVP_PKEY_missing_parameters(pkey), 0); + ExpectIntEQ(wolfSSL_EVP_PKEY_missing_parameters(NULL), 0); EVP_PKEY_free(pkey); #endif return EXPECT_RESULT(); } - -static int test_wolfSSL_EVP_PKEY_param_check(void) +static int test_wolfSSL_EVP_PKEY_copy_parameters(void) { EXPECT_DECLS; -#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) -#if !defined(NO_DH) && defined(WOLFSSL_DH_EXTRA) && !defined(NO_FILESYSTEM) - - DH *dh = NULL; - DH *setDh = NULL; - EVP_PKEY *pkey = NULL; - EVP_PKEY_CTX* ctx = NULL; - - FILE* f = NULL; - unsigned char buf[512]; - const unsigned char* pt = buf; - const char* dh2048 = "./certs/dh2048.der"; - long len = 0; - int code = -1; - - XMEMSET(buf, 0, sizeof(buf)); +#if defined(OPENSSL_EXTRA) && !defined(NO_DH) && defined(WOLFSSL_KEY_GEN) && \ + !defined(HAVE_SELFTEST) && (defined(OPENSSL_ALL) || defined(WOLFSSL_QT) || \ + defined(WOLFSSL_OPENSSH)) && defined(WOLFSSL_DH_EXTRA) && \ + !defined(NO_FILESYSTEM) + WOLFSSL_EVP_PKEY* params = NULL; + WOLFSSL_EVP_PKEY* copy = NULL; + DH* dh = NULL; + BIGNUM* p1; + BIGNUM* g1; + BIGNUM* q1; + BIGNUM* p2; + BIGNUM* g2; + BIGNUM* q2; - ExpectTrue((f = XFOPEN(dh2048, "rb")) != XBADFILE); - ExpectTrue((len = (long)XFREAD(buf, 1, sizeof(buf), f)) > 0); - if (f != XBADFILE) - XFCLOSE(f); + /* create DH with DH_get_2048_256 params */ + ExpectNotNull(params = wolfSSL_EVP_PKEY_new()); + ExpectNotNull(dh = DH_get_2048_256()); + ExpectIntEQ(EVP_PKEY_set1_DH(params, dh), WOLFSSL_SUCCESS); + DH_get0_pqg(dh, (const BIGNUM**)&p1, + (const 
BIGNUM**)&q1, + (const BIGNUM**)&g1); + DH_free(dh); + dh = NULL; - /* Load dh2048.der into DH with internal format */ - ExpectNotNull(setDh = d2i_DHparams(NULL, &pt, len)); - ExpectIntEQ(DH_check(setDh, &code), WOLFSSL_SUCCESS); - ExpectIntEQ(code, 0); - code = -1; + /* create DH with random generated DH params */ + ExpectNotNull(copy = wolfSSL_EVP_PKEY_new()); + ExpectNotNull(dh = DH_generate_parameters(2048, 2, NULL, NULL)); + ExpectIntEQ(EVP_PKEY_set1_DH(copy, dh), WOLFSSL_SUCCESS); + DH_free(dh); + dh = NULL; - pkey = wolfSSL_EVP_PKEY_new(); - /* Set DH into PKEY */ - ExpectIntEQ(EVP_PKEY_set1_DH(pkey, setDh), WOLFSSL_SUCCESS); - /* create ctx from pkey */ - ExpectNotNull(ctx = EVP_PKEY_CTX_new(pkey, NULL)); - ExpectIntEQ(EVP_PKEY_param_check(ctx), 1/* valid */); + ExpectIntEQ(EVP_PKEY_copy_parameters(copy, params), WOLFSSL_SUCCESS); + ExpectNotNull(dh = EVP_PKEY_get1_DH(copy)); + ExpectNotNull(dh->p); + ExpectNotNull(dh->g); + ExpectNotNull(dh->q); + DH_get0_pqg(dh, (const BIGNUM**)&p2, + (const BIGNUM**)&q2, + (const BIGNUM**)&g2); - /* TODO: more invalid cases */ - ExpectIntEQ(EVP_PKEY_param_check(NULL), 0); + ExpectIntEQ(BN_cmp(p1, p2), 0); + ExpectIntEQ(BN_cmp(q1, q2), 0); + ExpectIntEQ(BN_cmp(g1, g2), 0); - EVP_PKEY_CTX_free(ctx); - EVP_PKEY_free(pkey); - DH_free(setDh); - setDh = NULL; DH_free(dh); dh = NULL; -#endif + EVP_PKEY_free(copy); + EVP_PKEY_free(params); #endif return EXPECT_RESULT(); } -static int test_wolfSSL_EVP_BytesToKey(void) +static int test_wolfSSL_EVP_PKEY_CTX_set_rsa_keygen_bits(void) { EXPECT_DECLS; -#if !defined(NO_AES) && defined(HAVE_AES_CBC) - byte key[AES_BLOCK_SIZE] = {0}; - byte iv[AES_BLOCK_SIZE] = {0}; - int count = 0; - const EVP_MD* md = EVP_sha256(); - const EVP_CIPHER *type; - const unsigned char *salt = (unsigned char *)"salt1234"; - int sz = 5; - const byte data[] = { - 0x48,0x65,0x6c,0x6c,0x6f,0x20,0x57,0x6f, - 0x72,0x6c,0x64 - }; + WOLFSSL_EVP_PKEY* pkey = NULL; + EVP_PKEY_CTX* ctx = NULL; + int bits = 2048; - type 
= wolfSSL_EVP_get_cipherbynid(NID_aes_128_cbc); + ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); + ExpectNotNull(ctx = EVP_PKEY_CTX_new(pkey, NULL)); - /* Bad cases */ - ExpectIntEQ(EVP_BytesToKey(NULL, md, salt, data, sz, count, key, iv), - 0); - ExpectIntEQ(EVP_BytesToKey(type, md, salt, NULL, sz, count, key, iv), - 16); - md = "2"; - ExpectIntEQ(EVP_BytesToKey(type, md, salt, data, sz, count, key, iv), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, bits), + WOLFSSL_SUCCESS); + + EVP_PKEY_CTX_free(ctx); + EVP_PKEY_free(pkey); - /* Good case */ - md = EVP_sha256(); - ExpectIntEQ(EVP_BytesToKey(type, md, salt, data, sz, count, key, iv), - 16); -#endif return EXPECT_RESULT(); } -static int test_evp_cipher_aes_gcm(void) +static int test_wolfSSL_EVP_CIPHER_CTX_iv_length(void) { EXPECT_DECLS; -#if defined(HAVE_AESGCM) && ((!defined(HAVE_FIPS) && \ - !defined(HAVE_SELFTEST)) || (defined(HAVE_FIPS_VERSION) && \ - (HAVE_FIPS_VERSION >= 2))) && defined(WOLFSSL_AES_256) - /* - * This test checks data at various points in the encrypt/decrypt process - * against known values produced using the same test with OpenSSL. This - * interop testing is critical for verifying the correctness of our - * EVP_Cipher implementation with AES-GCM. Specifically, this test exercises - * a flow supported by OpenSSL that uses the control command - * EVP_CTRL_GCM_IV_GEN to increment the IV between cipher operations without - * the need to call EVP_CipherInit. OpenSSH uses this flow, for example. We - * had a bug with OpenSSH where wolfSSL OpenSSH servers could only talk to - * wolfSSL OpenSSH clients because there was a bug in this flow that - * happened to "cancel out" if both sides of the connection had the bug. 
- */ - enum { - NUM_ENCRYPTIONS = 3, - AAD_SIZE = 4 - }; - static const byte plainText1[] = { - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, - 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, - 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23 - }; - static const byte plainText2[] = { - 0x42, 0x49, 0x3b, 0x27, 0x03, 0x35, 0x59, 0x14, 0x41, 0x47, 0x37, 0x14, - 0x0e, 0x34, 0x0d, 0x28, 0x63, 0x09, 0x0a, 0x5b, 0x22, 0x57, 0x42, 0x22, - 0x0f, 0x5c, 0x1e, 0x53, 0x45, 0x15, 0x62, 0x08, 0x60, 0x43, 0x50, 0x2c - }; - static const byte plainText3[] = { - 0x36, 0x0d, 0x2b, 0x09, 0x4a, 0x56, 0x3b, 0x4c, 0x21, 0x22, 0x58, 0x0e, - 0x5b, 0x57, 0x10 - }; - static const byte* plainTexts[NUM_ENCRYPTIONS] = { - plainText1, - plainText2, - plainText3 - }; - static const int plainTextSzs[NUM_ENCRYPTIONS] = { - sizeof(plainText1), - sizeof(plainText2), - sizeof(plainText3) - }; - static const byte aad1[AAD_SIZE] = { - 0x00, 0x00, 0x00, 0x01 - }; - static const byte aad2[AAD_SIZE] = { - 0x00, 0x00, 0x00, 0x10 - }; - static const byte aad3[AAD_SIZE] = { - 0x00, 0x00, 0x01, 0x00 - }; - static const byte* aads[NUM_ENCRYPTIONS] = { - aad1, - aad2, - aad3 - }; - const byte iv[GCM_NONCE_MID_SZ] = { - 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF - }; - byte currentIv[GCM_NONCE_MID_SZ]; - const byte key[] = { - 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, - 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, - 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f - }; - const byte expIvs[NUM_ENCRYPTIONS][GCM_NONCE_MID_SZ] = { - { - 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, - 0xEF - }, - { - 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, - 0xF0 - }, - { - 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, - 0xF1 - } - }; - const byte expTags[NUM_ENCRYPTIONS][AES_BLOCK_SIZE] = { - { - 0x65, 0x4F, 0xF7, 
0xA0, 0xBB, 0x7B, 0x90, 0xB7, 0x9C, 0xC8, 0x14, - 0x3D, 0x32, 0x18, 0x34, 0xA9 - }, - { - 0x50, 0x3A, 0x13, 0x8D, 0x91, 0x1D, 0xEC, 0xBB, 0xBA, 0x5B, 0x57, - 0xA2, 0xFD, 0x2D, 0x6B, 0x7F - }, - { - 0x3B, 0xED, 0x18, 0x9C, 0xB3, 0xE3, 0x61, 0x1E, 0x11, 0xEB, 0x13, - 0x5B, 0xEC, 0x52, 0x49, 0x32, - } - }; - static const byte expCipherText1[] = { - 0xCB, 0x93, 0x4F, 0xC8, 0x22, 0xE2, 0xC0, 0x35, 0xAA, 0x6B, 0x41, 0x15, - 0x17, 0x30, 0x2F, 0x97, 0x20, 0x74, 0x39, 0x28, 0xF8, 0xEB, 0xC5, 0x51, - 0x7B, 0xD9, 0x8A, 0x36, 0xB8, 0xDA, 0x24, 0x80, 0xE7, 0x9E, 0x09, 0xDE - }; - static const byte expCipherText2[] = { - 0xF9, 0x32, 0xE1, 0x87, 0x37, 0x0F, 0x04, 0xC1, 0xB5, 0x59, 0xF0, 0x45, - 0x3A, 0x0D, 0xA0, 0x26, 0xFF, 0xA6, 0x8D, 0x38, 0xFE, 0xB8, 0xE5, 0xC2, - 0x2A, 0x98, 0x4A, 0x54, 0x8F, 0x1F, 0xD6, 0x13, 0x03, 0xB2, 0x1B, 0xC0 - }; - static const byte expCipherText3[] = { - 0xD0, 0x37, 0x59, 0x1C, 0x2F, 0x85, 0x39, 0x4D, 0xED, 0xC2, 0x32, 0x5B, - 0x80, 0x5E, 0x6B, + /* This is large enough to be used for all key sizes */ + byte key[AES_256_KEY_SIZE] = {0}; + byte iv[AES_BLOCK_SIZE] = {0}; + int i; + int nids[] = { + #ifdef HAVE_AES_CBC + NID_aes_128_cbc, + #endif + #if (!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)) + #ifdef HAVE_AESGCM + NID_aes_128_gcm, + #endif + #endif /* (HAVE_FIPS && !HAVE_SELFTEST) || HAVE_FIPS_VERSION > 2 */ + #ifdef WOLFSSL_AES_COUNTER + NID_aes_128_ctr, + #endif + #ifndef NO_DES3 + NID_des_cbc, + NID_des_ede3_cbc, + #endif }; - static const byte* expCipherTexts[NUM_ENCRYPTIONS] = { - expCipherText1, - expCipherText2, - expCipherText3 + int iv_lengths[] = { + #ifdef HAVE_AES_CBC + AES_BLOCK_SIZE, + #endif + #if (!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)) + #ifdef HAVE_AESGCM + GCM_NONCE_MID_SZ, + #endif + #endif /* (HAVE_FIPS && !HAVE_SELFTEST) || HAVE_FIPS_VERSION > 2 */ + #ifdef WOLFSSL_AES_COUNTER + 
AES_BLOCK_SIZE, + #endif + #ifndef NO_DES3 + DES_BLOCK_SIZE, + DES_BLOCK_SIZE, + #endif }; - byte* cipherText = NULL; - byte* calcPlainText = NULL; - byte tag[AES_BLOCK_SIZE]; - EVP_CIPHER_CTX* encCtx = NULL; - EVP_CIPHER_CTX* decCtx = NULL; - int i, j, outl; - - /****************************************************/ - for (i = 0; i < 3; ++i) { - ExpectNotNull(encCtx = EVP_CIPHER_CTX_new()); - ExpectNotNull(decCtx = EVP_CIPHER_CTX_new()); - - /* First iteration, set key before IV. */ - if (i == 0) { - ExpectIntEQ(EVP_CipherInit(encCtx, EVP_aes_256_gcm(), key, NULL, 1), - SSL_SUCCESS); - - /* - * The call to EVP_CipherInit below (with NULL key) should clear the - * authIvGenEnable flag set by EVP_CTRL_GCM_SET_IV_FIXED. As such, a - * subsequent EVP_CTRL_GCM_IV_GEN should fail. This matches OpenSSL - * behavior. - */ - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(encCtx, EVP_CTRL_GCM_SET_IV_FIXED, -1, - (void*)iv), SSL_SUCCESS); - ExpectIntEQ(EVP_CipherInit(encCtx, NULL, NULL, iv, 1), - SSL_SUCCESS); - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(encCtx, EVP_CTRL_GCM_IV_GEN, -1, - currentIv), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - - ExpectIntEQ(EVP_CipherInit(decCtx, EVP_aes_256_gcm(), key, NULL, 0), - SSL_SUCCESS); - ExpectIntEQ(EVP_CipherInit(decCtx, NULL, NULL, iv, 0), - SSL_SUCCESS); - } - /* Second iteration, IV before key. */ - else { - ExpectIntEQ(EVP_CipherInit(encCtx, EVP_aes_256_gcm(), NULL, iv, 1), - SSL_SUCCESS); - ExpectIntEQ(EVP_CipherInit(encCtx, NULL, key, NULL, 1), - SSL_SUCCESS); - ExpectIntEQ(EVP_CipherInit(decCtx, EVP_aes_256_gcm(), NULL, iv, 0), - SSL_SUCCESS); - ExpectIntEQ(EVP_CipherInit(decCtx, NULL, key, NULL, 0), - SSL_SUCCESS); - } - - /* - * EVP_CTRL_GCM_IV_GEN should fail if EVP_CTRL_GCM_SET_IV_FIXED hasn't - * been issued first. 
- */ - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(encCtx, EVP_CTRL_GCM_IV_GEN, -1, - currentIv), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(encCtx, EVP_CTRL_GCM_SET_IV_FIXED, -1, - (void*)iv), SSL_SUCCESS); - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(decCtx, EVP_CTRL_GCM_SET_IV_FIXED, -1, - (void*)iv), SSL_SUCCESS); + int nidsLen = (sizeof(nids)/sizeof(int)); - for (j = 0; j < NUM_ENCRYPTIONS; ++j) { - /*************** Encrypt ***************/ - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(encCtx, EVP_CTRL_GCM_IV_GEN, -1, - currentIv), SSL_SUCCESS); - /* Check current IV against expected. */ - ExpectIntEQ(XMEMCMP(currentIv, expIvs[j], GCM_NONCE_MID_SZ), 0); + for (i = 0; i < nidsLen; i++) { + const EVP_CIPHER* init = wolfSSL_EVP_get_cipherbynid(nids[i]); + EVP_CIPHER_CTX* ctx = EVP_CIPHER_CTX_new(); + wolfSSL_EVP_CIPHER_CTX_init(ctx); - /* Add AAD. */ - if (i == 2) { - /* Test streaming API. */ - ExpectIntEQ(EVP_CipherUpdate(encCtx, NULL, &outl, aads[j], - AAD_SIZE), SSL_SUCCESS); - } - else { - ExpectIntEQ(EVP_Cipher(encCtx, NULL, (byte *)aads[j], AAD_SIZE), - AAD_SIZE); - } + ExpectIntEQ(EVP_CipherInit(ctx, init, key, iv, 1), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_iv_length(ctx), iv_lengths[i]); - ExpectNotNull(cipherText = (byte*)XMALLOC(plainTextSzs[j], NULL, - DYNAMIC_TYPE_TMP_BUFFER)); + EVP_CIPHER_CTX_free(ctx); + } - /* Encrypt plaintext. */ - if (i == 2) { - ExpectIntEQ(EVP_CipherUpdate(encCtx, cipherText, &outl, - plainTexts[j], plainTextSzs[j]), - SSL_SUCCESS); - } - else { - ExpectIntEQ(EVP_Cipher(encCtx, cipherText, (byte *)plainTexts[j], - plainTextSzs[j]), plainTextSzs[j]); - } + return EXPECT_RESULT(); +} - if (i == 2) { - ExpectIntEQ(EVP_CipherFinal(encCtx, cipherText, &outl), - SSL_SUCCESS); - } - else { - /* - * Calling EVP_Cipher with NULL input and output for AES-GCM is - * akin to calling EVP_CipherFinal. 
- */ - ExpectIntGE(EVP_Cipher(encCtx, NULL, NULL, 0), 0); - } +static int test_wolfSSL_EVP_CIPHER_CTX_key_length(void) +{ + EXPECT_DECLS; + byte key[AES_256_KEY_SIZE] = {0}; + byte iv[AES_BLOCK_SIZE] = {0}; + int i; + int nids[] = { + #ifdef HAVE_AES_CBC + NID_aes_128_cbc, + #ifdef WOLFSSL_AES_256 + NID_aes_256_cbc, + #endif + #endif + #if (!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)) + #ifdef HAVE_AESGCM + NID_aes_128_gcm, + #ifdef WOLFSSL_AES_256 + NID_aes_256_gcm, + #endif + #endif + #endif /* (HAVE_FIPS && !HAVE_SELFTEST) || HAVE_FIPS_VERSION > 2 */ + #ifdef WOLFSSL_AES_COUNTER + NID_aes_128_ctr, + #ifdef WOLFSSL_AES_256 + NID_aes_256_ctr, + #endif + #endif + #ifndef NO_DES3 + NID_des_cbc, + NID_des_ede3_cbc, + #endif + }; + int key_lengths[] = { + #ifdef HAVE_AES_CBC + AES_128_KEY_SIZE, + #ifdef WOLFSSL_AES_256 + AES_256_KEY_SIZE, + #endif + #endif + #if (!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)) + #ifdef HAVE_AESGCM + AES_128_KEY_SIZE, + #ifdef WOLFSSL_AES_256 + AES_256_KEY_SIZE, + #endif + #endif + #endif /* (HAVE_FIPS && !HAVE_SELFTEST) || HAVE_FIPS_VERSION > 2 */ + #ifdef WOLFSSL_AES_COUNTER + AES_128_KEY_SIZE, + #ifdef WOLFSSL_AES_256 + AES_256_KEY_SIZE, + #endif + #endif + #ifndef NO_DES3 + DES_KEY_SIZE, + DES3_KEY_SIZE, + #endif + }; + int nidsLen = (sizeof(nids)/sizeof(int)); - /* Check ciphertext against expected. */ - ExpectIntEQ(XMEMCMP(cipherText, expCipherTexts[j], plainTextSzs[j]), - 0); + for (i = 0; i < nidsLen; i++) { + const EVP_CIPHER *init = wolfSSL_EVP_get_cipherbynid(nids[i]); + EVP_CIPHER_CTX* ctx = EVP_CIPHER_CTX_new(); + wolfSSL_EVP_CIPHER_CTX_init(ctx); - /* Get and check tag against expected. 
*/ - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(encCtx, EVP_CTRL_GCM_GET_TAG, - sizeof(tag), tag), SSL_SUCCESS); - ExpectIntEQ(XMEMCMP(tag, expTags[j], sizeof(tag)), 0); + ExpectIntEQ(EVP_CipherInit(ctx, init, key, iv, 1), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_key_length(ctx), key_lengths[i]); - /*************** Decrypt ***************/ - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(decCtx, EVP_CTRL_GCM_IV_GEN, -1, - currentIv), SSL_SUCCESS); - /* Check current IV against expected. */ - ExpectIntEQ(XMEMCMP(currentIv, expIvs[j], GCM_NONCE_MID_SZ), 0); + ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_set_key_length(ctx, key_lengths[i]), + WOLFSSL_SUCCESS); - /* Add AAD. */ - if (i == 2) { - /* Test streaming API. */ - ExpectIntEQ(EVP_CipherUpdate(decCtx, NULL, &outl, aads[j], - AAD_SIZE), SSL_SUCCESS); - } - else { - ExpectIntEQ(EVP_Cipher(decCtx, NULL, (byte *)aads[j], AAD_SIZE), - AAD_SIZE); - } + EVP_CIPHER_CTX_free(ctx); + } - /* Set expected tag. */ - ExpectIntEQ(EVP_CIPHER_CTX_ctrl(decCtx, EVP_CTRL_GCM_SET_TAG, - sizeof(tag), tag), SSL_SUCCESS); + return EXPECT_RESULT(); +} - /* Decrypt ciphertext. */ - ExpectNotNull(calcPlainText = (byte*)XMALLOC(plainTextSzs[j], NULL, - DYNAMIC_TYPE_TMP_BUFFER)); - if (i == 2) { - ExpectIntEQ(EVP_CipherUpdate(decCtx, calcPlainText, &outl, - cipherText, plainTextSzs[j]), - SSL_SUCCESS); - } - else { - /* This first EVP_Cipher call will check the tag, too. 
*/ - ExpectIntEQ(EVP_Cipher(decCtx, calcPlainText, cipherText, - plainTextSzs[j]), plainTextSzs[j]); - } +static int test_wolfSSL_EVP_CIPHER_CTX_set_iv(void) +{ + EXPECT_DECLS; +#if defined(HAVE_AESGCM) && !defined(NO_DES3) + int ivLen, keyLen; + EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new(); +#ifdef HAVE_AESGCM + byte key[AES_128_KEY_SIZE] = {0}; + byte iv[AES_BLOCK_SIZE] = {0}; + const EVP_CIPHER *init = EVP_aes_128_gcm(); +#else + byte key[DES3_KEY_SIZE] = {0}; + byte iv[DES_BLOCK_SIZE] = {0}; + const EVP_CIPHER *init = EVP_des_ede3_cbc(); +#endif - if (i == 2) { - ExpectIntEQ(EVP_CipherFinal(decCtx, calcPlainText, &outl), - SSL_SUCCESS); - } - else { - ExpectIntGE(EVP_Cipher(decCtx, NULL, NULL, 0), 0); - } + wolfSSL_EVP_CIPHER_CTX_init(ctx); + ExpectIntEQ(EVP_CipherInit(ctx, init, key, iv, 1), WOLFSSL_SUCCESS); - /* Check plaintext against expected. */ - ExpectIntEQ(XMEMCMP(calcPlainText, plainTexts[j], plainTextSzs[j]), - 0); + ivLen = wolfSSL_EVP_CIPHER_CTX_iv_length(ctx); + keyLen = wolfSSL_EVP_CIPHER_CTX_key_length(ctx); - XFREE(cipherText, NULL, DYNAMIC_TYPE_TMP_BUFFER); - cipherText = NULL; - XFREE(calcPlainText, NULL, DYNAMIC_TYPE_TMP_BUFFER); - calcPlainText = NULL; - } + /* Bad cases */ + ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_set_iv(NULL, iv, ivLen), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_set_iv(ctx, NULL, ivLen), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_set_iv(ctx, iv, 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_set_iv(NULL, NULL, 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_set_iv(ctx, iv, keyLen), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - EVP_CIPHER_CTX_free(encCtx); - encCtx = NULL; - EVP_CIPHER_CTX_free(decCtx); - decCtx = NULL; - } + /* Good case */ + ExpectIntEQ(wolfSSL_EVP_CIPHER_CTX_set_iv(ctx, iv, ivLen), 1); + + EVP_CIPHER_CTX_free(ctx); #endif return EXPECT_RESULT(); } -static int test_wolfSSL_OBJ_ln(void) + +static int 
test_wolfSSL_EVP_PKEY_CTX_new_id(void) { EXPECT_DECLS; - const int nid_set[] = { - NID_commonName, - NID_serialNumber, - NID_countryName, - NID_localityName, - NID_stateOrProvinceName, - NID_organizationName, - NID_organizationalUnitName, - NID_domainComponent, - NID_businessCategory, - NID_jurisdictionCountryName, - NID_jurisdictionStateOrProvinceName, - NID_emailAddress - }; - const char* ln_set[] = { - "commonName", - "serialNumber", - "countryName", - "localityName", - "stateOrProvinceName", - "organizationName", - "organizationalUnitName", - "domainComponent", - "businessCategory", - "jurisdictionCountryName", - "jurisdictionStateOrProvinceName", - "emailAddress", - }; - size_t i = 0, maxIdx = sizeof(ln_set)/sizeof(char*); + WOLFSSL_ENGINE* e = NULL; + int id = 0; + EVP_PKEY_CTX *ctx = NULL; - ExpectIntEQ(OBJ_ln2nid(NULL), NID_undef); + ExpectNotNull(ctx = wolfSSL_EVP_PKEY_CTX_new_id(id, e)); -#ifdef HAVE_ECC -#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) - { - EC_builtin_curve r[27]; - size_t nCurves = sizeof(r) / sizeof(r[0]); - nCurves = EC_get_builtin_curves(r, nCurves); + EVP_PKEY_CTX_free(ctx); - for (i = 0; i < nCurves; i++) { - /* skip ECC_CURVE_INVALID */ - if (r[i].nid != ECC_CURVE_INVALID) { - ExpectIntEQ(OBJ_ln2nid(r[i].comment), r[i].nid); - ExpectStrEQ(OBJ_nid2ln(r[i].nid), r[i].comment); - } - } - } + return EXPECT_RESULT(); +} + +static int test_wolfSSL_EVP_rc4(void) +{ + EXPECT_DECLS; +#if !defined(NO_RC4) + ExpectNotNull(wolfSSL_EVP_rc4()); #endif + return EXPECT_RESULT(); +} + +static int test_wolfSSL_EVP_enc_null(void) +{ + EXPECT_DECLS; + ExpectNotNull(wolfSSL_EVP_enc_null()); + return EXPECT_RESULT(); +} +static int test_wolfSSL_EVP_rc2_cbc(void) + +{ + EXPECT_DECLS; +#if defined(WOLFSSL_QT) && !defined(NO_WOLFSSL_STUB) + ExpectNull(wolfSSL_EVP_rc2_cbc()); #endif + return EXPECT_RESULT(); +} - for (i = 0; i < maxIdx; i++) { - ExpectIntEQ(OBJ_ln2nid(ln_set[i]), nid_set[i]); - 
ExpectStrEQ(OBJ_nid2ln(nid_set[i]), ln_set[i]); - } +static int test_wolfSSL_EVP_mdc2(void) +{ + EXPECT_DECLS; +#if !defined(NO_WOLFSSL_STUB) + ExpectNull(wolfSSL_EVP_mdc2()); +#endif + return EXPECT_RESULT(); +} +static int test_wolfSSL_EVP_md4(void) +{ + EXPECT_DECLS; +#if !defined(NO_MD4) + ExpectNotNull(wolfSSL_EVP_md4()); +#endif return EXPECT_RESULT(); } -static int test_wolfSSL_OBJ_sn(void) +static int test_wolfSSL_EVP_aes_256_gcm(void) { EXPECT_DECLS; - int i = 0, maxIdx = 7; - const int nid_set[] = {NID_commonName,NID_countryName,NID_localityName, - NID_stateOrProvinceName,NID_organizationName, - NID_organizationalUnitName,NID_emailAddress}; - const char* sn_open_set[] = {"CN","C","L","ST","O","OU","emailAddress"}; +#if defined(HAVE_AESGCM) && defined(WOLFSSL_AES_256) + ExpectNotNull(wolfSSL_EVP_aes_256_gcm()); +#endif + return EXPECT_RESULT(); +} - ExpectIntEQ(wolfSSL_OBJ_sn2nid(NULL), NID_undef); - for (i = 0; i < maxIdx; i++) { - ExpectIntEQ(wolfSSL_OBJ_sn2nid(sn_open_set[i]), nid_set[i]); - ExpectStrEQ(wolfSSL_OBJ_nid2sn(nid_set[i]), sn_open_set[i]); - } +static int test_wolfSSL_EVP_aes_192_gcm(void) +{ + EXPECT_DECLS; +#if defined(HAVE_AESGCM) && defined(WOLFSSL_AES_192) + ExpectNotNull(wolfSSL_EVP_aes_192_gcm()); +#endif + return EXPECT_RESULT(); +} +static int test_wolfSSL_EVP_aes_256_ccm(void) +{ + EXPECT_DECLS; +#if defined(HAVE_AESCCM) && defined(WOLFSSL_AES_256) + ExpectNotNull(wolfSSL_EVP_aes_256_ccm()); +#endif return EXPECT_RESULT(); } -#if !defined(NO_BIO) -static word32 TXT_DB_hash(const WOLFSSL_STRING *s) +static int test_wolfSSL_EVP_aes_192_ccm(void) { - return (word32)lh_strhash(s[3]); + EXPECT_DECLS; +#if defined(HAVE_AESCCM) && defined(WOLFSSL_AES_192) + ExpectNotNull(wolfSSL_EVP_aes_192_ccm()); +#endif + return EXPECT_RESULT(); } -static int TXT_DB_cmp(const WOLFSSL_STRING *a, const WOLFSSL_STRING *b) +static int test_wolfSSL_EVP_aes_128_ccm(void) { - return XSTRCMP(a[3], b[3]); + EXPECT_DECLS; +#if defined(HAVE_AESCCM) && 
defined(WOLFSSL_AES_128) + ExpectNotNull(wolfSSL_EVP_aes_128_ccm()); +#endif + return EXPECT_RESULT(); } + +static int test_wolfSSL_EVP_ripemd160(void) +{ + EXPECT_DECLS; +#if !defined(NO_WOLFSSL_STUB) + ExpectNull(wolfSSL_EVP_ripemd160()); #endif + return EXPECT_RESULT(); +} -static int test_wolfSSL_TXT_DB(void) +static int test_wolfSSL_EVP_get_digestbynid(void) { EXPECT_DECLS; -#if !defined(NO_FILESYSTEM) && !defined(NO_BIO) - BIO *bio = NULL; - TXT_DB *db = NULL; - const int columns = 6; - const char *fields[6] = { - "V", - "320926161116Z", - "", - "12BD", - "unknown", - "/CN=rsa doe", - }; - char** fields_copy = NULL; - /* Test read */ - ExpectNotNull(bio = BIO_new(BIO_s_file())); - ExpectIntGT(BIO_read_filename(bio, "./tests/TXT_DB.txt"), 0); - ExpectNotNull(db = TXT_DB_read(bio, columns)); - ExpectNotNull(fields_copy = (char**)XMALLOC(sizeof(fields), NULL, - DYNAMIC_TYPE_OPENSSL)); - if (fields_copy != NULL) { - XMEMCPY(fields_copy, fields, sizeof(fields)); - } - ExpectIntEQ(TXT_DB_insert(db, fields_copy), 1); - if (EXPECT_FAIL()) { - XFREE(fields_copy, NULL, DYNAMIC_TYPE_OPENSSL); - } - BIO_free(bio); - bio = NULL; +#ifndef NO_MD5 + ExpectNotNull(wolfSSL_EVP_get_digestbynid(NID_md5)); +#endif +#ifndef NO_SHA + ExpectNotNull(wolfSSL_EVP_get_digestbynid(NID_sha1)); +#endif +#ifndef NO_SHA256 + ExpectNotNull(wolfSSL_EVP_get_digestbynid(NID_sha256)); +#endif + ExpectNull(wolfSSL_EVP_get_digestbynid(0)); - /* Test write */ - ExpectNotNull(bio = BIO_new(BIO_s_mem())); - ExpectIntEQ(TXT_DB_write(bio, db), 1484); - BIO_free(bio); + return EXPECT_RESULT(); +} - /* Test index */ - ExpectIntEQ(TXT_DB_create_index(db, 3, NULL, - (wolf_sk_hash_cb)(wc_ptr_t)TXT_DB_hash, - (wolf_lh_compare_cb)TXT_DB_cmp), 1); - ExpectNotNull(TXT_DB_get_by_index(db, 3, (WOLFSSL_STRING*)fields)); - fields[3] = "12DA"; - ExpectNotNull(TXT_DB_get_by_index(db, 3, (WOLFSSL_STRING*)fields)); - fields[3] = "FFFF"; - ExpectNull(TXT_DB_get_by_index(db, 3, (WOLFSSL_STRING*)fields)); - fields[3] = ""; 
- ExpectNull(TXT_DB_get_by_index(db, 3, (WOLFSSL_STRING*)fields)); +static int test_wolfSSL_EVP_MD_nid(void) +{ + EXPECT_DECLS; - TXT_DB_free(db); +#ifndef NO_MD5 + ExpectIntEQ(EVP_MD_nid(EVP_md5()), NID_md5); +#endif +#ifndef NO_SHA + ExpectIntEQ(EVP_MD_nid(EVP_sha1()), NID_sha1); #endif +#ifndef NO_SHA256 + ExpectIntEQ(EVP_MD_nid(EVP_sha256()), NID_sha256); +#endif + ExpectIntEQ(EVP_MD_nid(NULL), NID_undef); + return EXPECT_RESULT(); } -static int test_wolfSSL_NCONF(void) +static int test_wolfSSL_EVP_PKEY_get0_EC_KEY(void) { EXPECT_DECLS; -#if !defined(NO_FILESYSTEM) && !defined(NO_BIO) - const char* confFile = "./tests/NCONF_test.cnf"; - CONF* conf = NULL; - long eline = 0; - long num = 0; - - ExpectNotNull(conf = NCONF_new(NULL)); +#if defined(HAVE_ECC) + WOLFSSL_EVP_PKEY* pkey = NULL; - ExpectIntEQ(NCONF_load(conf, confFile, &eline), 1); - ExpectIntEQ(NCONF_get_number(conf, NULL, "port", &num), 1); - ExpectIntEQ(num, 1234); - ExpectIntEQ(NCONF_get_number(conf, "section2", "port", &num), 1); - ExpectIntEQ(num, 4321); - ExpectStrEQ(NCONF_get_string(conf, NULL, "dir"), "./test-dir"); - ExpectStrEQ(NCONF_get_string(conf, "section1", "file1_copy"), - "./test-dir/file1"); - ExpectStrEQ(NCONF_get_string(conf, "section2", "file_list"), - "./test-dir/file1:./test-dir/file2:./section1:file2"); + ExpectNull(EVP_PKEY_get0_EC_KEY(NULL)); - NCONF_free(conf); + ExpectNotNull(pkey = EVP_PKEY_new()); + ExpectNull(EVP_PKEY_get0_EC_KEY(pkey)); + EVP_PKEY_free(pkey); #endif return EXPECT_RESULT(); } -#endif /* OPENSSL_ALL */ -static int test_wolfSSL_X509V3_set_ctx(void) +static int test_wolfSSL_EVP_X_STATE(void) { EXPECT_DECLS; -#if (defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA)) && \ - defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_REQ) && \ - defined(HAVE_CRL) - WOLFSSL_X509V3_CTX ctx; - WOLFSSL_X509* issuer = NULL; - WOLFSSL_X509* subject = NULL; - WOLFSSL_X509 req; - WOLFSSL_X509_CRL crl; - - XMEMSET(&ctx, 0, sizeof(ctx)); - ExpectNotNull(issuer = wolfSSL_X509_new()); - 
ExpectNotNull(subject = wolfSSL_X509_new());
- XMEMSET(&req, 0, sizeof(req));
- XMEMSET(&crl, 0, sizeof(crl));
-
- wolfSSL_X509V3_set_ctx(NULL, NULL, NULL, NULL, NULL, 0);
- wolfSSL_X509V3_set_ctx(&ctx, NULL, NULL, NULL, NULL, 0);
- wolfSSL_X509_free(ctx.x509);
- ctx.x509 = NULL;
- wolfSSL_X509V3_set_ctx(&ctx, issuer, NULL, NULL, NULL, 0);
- wolfSSL_X509_free(ctx.x509);
- ctx.x509 = NULL;
- wolfSSL_X509V3_set_ctx(&ctx, NULL, subject, NULL, NULL, 0);
- wolfSSL_X509_free(ctx.x509);
- ctx.x509 = NULL;
- wolfSSL_X509V3_set_ctx(&ctx, NULL, NULL, &req, NULL, 0);
- wolfSSL_X509_free(ctx.x509);
- ctx.x509 = NULL;
- wolfSSL_X509V3_set_ctx(&ctx, NULL, NULL, NULL, &crl, 0);
- wolfSSL_X509_free(ctx.x509);
- ctx.x509 = NULL;
- wolfSSL_X509V3_set_ctx(&ctx, NULL, NULL, NULL, NULL, 1);
- /* X509 allocated in context results in 'failure' (but not return). */
- wolfSSL_X509V3_set_ctx(&ctx, NULL, NULL, NULL, NULL, 0);
- wolfSSL_X509_free(ctx.x509);
- ctx.x509 = NULL;
-
- wolfSSL_X509_free(subject);
- wolfSSL_X509_free(issuer);
+#if !defined(NO_DES3) && !defined(NO_RC4)
+ byte key[DES3_KEY_SIZE] = {0};
+ byte iv[DES_IV_SIZE] = {0};
+ EVP_CIPHER_CTX *ctx = NULL;
+ const EVP_CIPHER *init = NULL;
+
+ /* Bad test cases */
+ ExpectNotNull(ctx = EVP_CIPHER_CTX_new());
+ ExpectNotNull(init = EVP_des_ede3_cbc());
+
+ wolfSSL_EVP_CIPHER_CTX_init(ctx);
+ ExpectIntEQ(EVP_CipherInit(ctx, init, key, iv, 1), WOLFSSL_SUCCESS);
+
+ ExpectNull(wolfSSL_EVP_X_STATE(NULL));
+ ExpectNull(wolfSSL_EVP_X_STATE(ctx));
+ EVP_CIPHER_CTX_free(ctx);
+ ctx = NULL;
+
+ /* Good test case */
+ ExpectNotNull(ctx = EVP_CIPHER_CTX_new());
+ ExpectNotNull(init = wolfSSL_EVP_rc4());
+
+ wolfSSL_EVP_CIPHER_CTX_init(ctx);
+ ExpectIntEQ(EVP_CipherInit(ctx, init, key, iv, 1), WOLFSSL_SUCCESS);
+
+ ExpectNotNull(wolfSSL_EVP_X_STATE(ctx));
+ EVP_CIPHER_CTX_free(ctx);
#endif
return EXPECT_RESULT();
}
-
-static int test_wolfSSL_X509V3_EXT_get(void)
+static int test_wolfSSL_EVP_X_STATE_LEN(void)
{
EXPECT_DECLS;
-#if
!defined(NO_FILESYSTEM) && defined(OPENSSL_ALL) && !defined(NO_RSA) - XFILE f = XBADFILE; - int numOfExt =0; - int extNid = 0; - int i = 0; - WOLFSSL_X509* x509 = NULL; - WOLFSSL_X509_EXTENSION* ext = NULL; - const WOLFSSL_v3_ext_method* method = NULL; - WOLFSSL_ASN1_OBJECT* obj = NULL; - - ExpectNotNull(ext = wolfSSL_X509_EXTENSION_new()); - /* No object in extension. */ - ExpectNull(wolfSSL_X509V3_EXT_get(ext)); - ExpectNotNull(obj = wolfSSL_ASN1_OBJECT_new()); - ExpectIntEQ(wolfSSL_X509_EXTENSION_set_object(ext, obj), WOLFSSL_SUCCESS); - /* NID is zero. */ - ExpectNull(wolfSSL_X509V3_EXT_get(ext)); - /* NID is not known. */ - if (ext != NULL && ext->obj != NULL) { - ext->obj->nid = 1; - } - ExpectNull(wolfSSL_X509V3_EXT_get(ext)); - - /* NIDs not in certificate. */ - if (ext != NULL && ext->obj != NULL) { - ext->obj->nid = NID_certificate_policies; - } - ExpectNotNull(method = wolfSSL_X509V3_EXT_get(ext)); - ExpectIntEQ(method->ext_nid, NID_certificate_policies); - if (ext != NULL && ext->obj != NULL) { - ext->obj->nid = NID_crl_distribution_points; - } - ExpectNotNull(method = wolfSSL_X509V3_EXT_get(ext)); - ExpectIntEQ(method->ext_nid, NID_crl_distribution_points); - - wolfSSL_ASN1_OBJECT_free(obj); - wolfSSL_X509_EXTENSION_free(ext); - ext = NULL; +#if !defined(NO_DES3) && !defined(NO_RC4) + byte key[DES3_KEY_SIZE] = {0}; + byte iv[DES_IV_SIZE] = {0}; + EVP_CIPHER_CTX *ctx = NULL; + const EVP_CIPHER *init = NULL; - ExpectTrue((f = XFOPEN("./certs/server-cert.pem", "rb")) != XBADFILE); - ExpectNotNull(x509 = wolfSSL_PEM_read_X509(f, NULL, NULL, NULL)); - if (f != XBADFILE) - XFCLOSE(f); + /* Bad test cases */ + ExpectNotNull(ctx = EVP_CIPHER_CTX_new()); + ExpectNotNull(init = EVP_des_ede3_cbc()); - /* wolfSSL_X509V3_EXT_get() return struct and nid test */ - ExpectIntEQ((numOfExt = wolfSSL_X509_get_ext_count(x509)), 5); - for (i = 0; i < numOfExt; i++) { - ExpectNotNull(ext = wolfSSL_X509_get_ext(x509, i)); - ExpectIntNE((extNid = ext->obj->nid), NID_undef); - 
ExpectNotNull(method = wolfSSL_X509V3_EXT_get(ext)); - ExpectIntEQ(method->ext_nid, extNid); - if (EXPECT_SUCCESS()) { - if (method->ext_nid == NID_subject_key_identifier) { - ExpectNotNull(method->i2s); - } - } - } + wolfSSL_EVP_CIPHER_CTX_init(ctx); + ExpectIntEQ(EVP_CipherInit(ctx, init, key, iv, 1), WOLFSSL_SUCCESS); + + ExpectIntEQ(wolfSSL_EVP_X_STATE_LEN(NULL), 0); + ExpectIntEQ(wolfSSL_EVP_X_STATE_LEN(ctx), 0); + EVP_CIPHER_CTX_free(ctx); + ctx = NULL; - /* wolfSSL_X509V3_EXT_get() NULL argument test */ - ExpectNull(method = wolfSSL_X509V3_EXT_get(NULL)); + /* Good test case */ + ExpectNotNull(ctx = EVP_CIPHER_CTX_new()); + ExpectNotNull(init = wolfSSL_EVP_rc4()); - wolfSSL_X509_free(x509); + wolfSSL_EVP_CIPHER_CTX_init(ctx); + ExpectIntEQ(EVP_CipherInit(ctx, init, key, iv, 1), WOLFSSL_SUCCESS); + + ExpectIntEQ(wolfSSL_EVP_X_STATE_LEN(ctx), sizeof(Arc4)); + EVP_CIPHER_CTX_free(ctx); #endif return EXPECT_RESULT(); } -static int test_wolfSSL_X509V3_EXT_nconf(void) +static int test_wolfSSL_EVP_CIPHER_block_size(void) { EXPECT_DECLS; -#ifdef OPENSSL_ALL - const char *ext_names[] = { - "subjectKeyIdentifier", - "authorityKeyIdentifier", - "subjectAltName", - "keyUsage", - "extendedKeyUsage", - }; - size_t ext_names_count = sizeof(ext_names)/sizeof(*ext_names); - int ext_nids[] = { - NID_subject_key_identifier, - NID_authority_key_identifier, - NID_subject_alt_name, - NID_key_usage, - NID_ext_key_usage, - }; - size_t ext_nids_count = sizeof(ext_nids)/sizeof(*ext_nids); - const char *ext_values[] = { - "hash", - "hash", - "DNS:example.com, IP:127.0.0.1", - "digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment," - "keyAgreement,keyCertSign,cRLSign,encipherOnly,decipherOnly", - "serverAuth,clientAuth,codeSigning,emailProtection,timeStamping," - "OCSPSigning", - }; - size_t i; - X509_EXTENSION* ext = NULL; - X509* x509 = NULL; - unsigned int keyUsageFlags; - unsigned int extKeyUsageFlags; - WOLFSSL_CONF conf; - WOLFSSL_X509V3_CTX ctx; -#ifndef 
NO_WOLFSSL_STUB
- WOLFSSL_LHASH lhash;
+#if defined(HAVE_AES_CBC) || defined(HAVE_AESGCM) || \
+ defined(WOLFSSL_AES_COUNTER) || defined(HAVE_AES_ECB) || \
+ defined(WOLFSSL_AES_OFB) || !defined(NO_RC4) || \
+ (defined(HAVE_CHACHA) && defined(HAVE_POLY1305))
+
+#ifdef HAVE_AES_CBC
+ #ifdef WOLFSSL_AES_128
+ ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_128_cbc()), AES_BLOCK_SIZE);
+ #endif
+ #ifdef WOLFSSL_AES_192
+ ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_192_cbc()), AES_BLOCK_SIZE);
+ #endif
+ #ifdef WOLFSSL_AES_256
+ ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_256_cbc()), AES_BLOCK_SIZE);
+ #endif
+#endif
+
+#ifdef HAVE_AESGCM
+ #ifdef WOLFSSL_AES_128
+ ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_128_gcm()), 1);
+ #endif
+ #ifdef WOLFSSL_AES_192
+ ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_192_gcm()), 1);
+ #endif
+ #ifdef WOLFSSL_AES_256
+ ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_256_gcm()), 1);
+ #endif
+#endif
+
+#ifdef HAVE_AESCCM
+ #ifdef WOLFSSL_AES_128
+ ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_128_ccm()), 1);
+ #endif
+ #ifdef WOLFSSL_AES_192
+ ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_192_ccm()), 1);
+ #endif
+ #ifdef WOLFSSL_AES_256
+ ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_256_ccm()), 1);
+ #endif
+#endif
+
+#ifdef WOLFSSL_AES_COUNTER
+ #ifdef WOLFSSL_AES_128
+ ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_128_ctr()), 1);
+ #endif
+ #ifdef WOLFSSL_AES_192
+ ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_192_ctr()), 1);
+ #endif
+ #ifdef WOLFSSL_AES_256
+ ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_256_ctr()), 1);
+ #endif
+#endif
+
+#ifdef HAVE_AES_ECB
+ #ifdef WOLFSSL_AES_128
+ ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_128_ecb()), AES_BLOCK_SIZE);
+ #endif
+ #ifdef WOLFSSL_AES_192
+ ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_192_ecb()), AES_BLOCK_SIZE);
+ #endif
+ #ifdef WOLFSSL_AES_256
+ ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_256_ecb()), AES_BLOCK_SIZE);
+ #endif
+#endif
+
+#ifdef WOLFSSL_AES_OFB
+ #ifdef WOLFSSL_AES_128
+
ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_128_ofb()), 1);
+ #endif
+ #ifdef WOLFSSL_AES_192
+ ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_192_ofb()), 1);
+ #endif
+ #ifdef WOLFSSL_AES_256
+ ExpectIntEQ(EVP_CIPHER_block_size(EVP_aes_256_ofb()), 1);
+ #endif
+#endif
+
+#ifndef NO_RC4
+ ExpectIntEQ(EVP_CIPHER_block_size(wolfSSL_EVP_rc4()), 1);
+#endif
+
+#if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
+ ExpectIntEQ(EVP_CIPHER_block_size(wolfSSL_EVP_chacha20_poly1305()), 1);
+#endif
#endif
- ExpectNotNull(x509 = X509_new());
- ExpectNull(X509V3_EXT_nconf(NULL, NULL, ext_names[0], NULL));
- ExpectNull(X509V3_EXT_nconf_nid(NULL, NULL, ext_nids[0], NULL));
- ExpectNull(X509V3_EXT_nconf(NULL, NULL, "", ext_values[0]));
- ExpectNull(X509V3_EXT_nconf_nid(NULL, NULL, 0, ext_values[0]));
-
- /* conf and ctx ignored. */
- ExpectNull(X509V3_EXT_nconf_nid(&conf, NULL, 0, ext_values[0]));
- ExpectNull(X509V3_EXT_nconf_nid(NULL , &ctx, 0, ext_values[0]));
- ExpectNull(X509V3_EXT_nconf_nid(&conf, &ctx, 0, ext_values[0]));
-
- /* keyUsage / extKeyUsage should match string above */
- keyUsageFlags = KU_DIGITAL_SIGNATURE
- | KU_NON_REPUDIATION
- | KU_KEY_ENCIPHERMENT
- | KU_DATA_ENCIPHERMENT
- | KU_KEY_AGREEMENT
- | KU_KEY_CERT_SIGN
- | KU_CRL_SIGN
- | KU_ENCIPHER_ONLY
- | KU_DECIPHER_ONLY;
- extKeyUsageFlags = XKU_SSL_CLIENT
- | XKU_SSL_SERVER
- | XKU_CODE_SIGN
- | XKU_SMIME
- | XKU_TIMESTAMP
- | XKU_OCSP_SIGN;
-
- for (i = 0; i < ext_names_count; i++) {
- ExpectNotNull(ext = X509V3_EXT_nconf(NULL, NULL, ext_names[i],
- ext_values[i]));
- X509_EXTENSION_free(ext);
- ext = NULL;
- }
-
- for (i = 0; i < ext_nids_count; i++) {
- ExpectNotNull(ext = X509V3_EXT_nconf_nid(NULL, NULL, ext_nids[i],
- ext_values[i]));
- X509_EXTENSION_free(ext);
- ext = NULL;
- }
-
- /* Test adding extension to X509 */
- for (i = 0; i < ext_nids_count; i++) {
- ExpectNotNull(ext = X509V3_EXT_nconf(NULL, NULL, ext_names[i],
- ext_values[i]));
- ExpectIntEQ(X509_add_ext(x509, ext, -1), WOLFSSL_SUCCESS);
-
- if
(ext_nids[i] == NID_key_usage) { - ExpectIntEQ(X509_get_key_usage(x509), keyUsageFlags); - } - else if (ext_nids[i] == NID_ext_key_usage) { - ExpectIntEQ(X509_get_extended_key_usage(x509), extKeyUsageFlags); - } - X509_EXTENSION_free(ext); - ext = NULL; - } - X509_free(x509); - -#ifndef NO_WOLFSSL_STUB - ExpectIntEQ(wolfSSL_X509V3_EXT_add_nconf(NULL, NULL, NULL, NULL), - WOLFSSL_SUCCESS); - ExpectNull(wolfSSL_X509V3_EXT_conf_nid(NULL, NULL, 0, NULL)); - ExpectNull(wolfSSL_X509V3_EXT_conf_nid(&lhash, NULL, 0, NULL)); - wolfSSL_X509V3_set_ctx_nodb(NULL); +#ifdef WOLFSSL_SM4_ECB + ExpectIntEQ(EVP_CIPHER_block_size(EVP_sm4_ecb()), SM4_BLOCK_SIZE); +#endif +#ifdef WOLFSSL_SM4_CBC + ExpectIntEQ(EVP_CIPHER_block_size(EVP_sm4_cbc()), SM4_BLOCK_SIZE); +#endif +#ifdef WOLFSSL_SM4_CTR + ExpectIntEQ(EVP_CIPHER_block_size(EVP_sm4_ctr()), 1); #endif +#ifdef WOLFSSL_SM4_GCM + ExpectIntEQ(EVP_CIPHER_block_size(EVP_sm4_gcm()), 1); +#endif +#ifdef WOLFSSL_SM4_CCM + ExpectIntEQ(EVP_CIPHER_block_size(EVP_sm4_ccm()), 1); #endif + return EXPECT_RESULT(); } -static int test_wolfSSL_X509V3_EXT_bc(void) +static int test_wolfSSL_EVP_CIPHER_iv_length(void) { EXPECT_DECLS; -#if !defined(NO_FILESYSTEM) && defined(OPENSSL_ALL) && !defined(NO_RSA) - WOLFSSL_X509_EXTENSION* ext = NULL; - WOLFSSL_ASN1_OBJECT* obj = NULL; - WOLFSSL_BASIC_CONSTRAINTS* bc = NULL; - WOLFSSL_ASN1_INTEGER* pathLen = NULL; - - ExpectNotNull(ext = wolfSSL_X509_EXTENSION_new()); - ExpectNotNull(obj = wolfSSL_ASN1_OBJECT_new()); - ExpectNotNull(pathLen = wolfSSL_ASN1_INTEGER_new()); - if (pathLen != NULL) { - pathLen->length = 2; - } - - if (obj != NULL) { - obj->type = NID_basic_constraints; - obj->nid = NID_basic_constraints; - } - ExpectIntEQ(wolfSSL_X509_EXTENSION_set_object(ext, obj), WOLFSSL_SUCCESS); - ExpectNotNull(wolfSSL_X509V3_EXT_get(ext)); - /* No pathlen set. 
*/ - ExpectNotNull(bc = (WOLFSSL_BASIC_CONSTRAINTS*)wolfSSL_X509V3_EXT_d2i(ext)); - wolfSSL_BASIC_CONSTRAINTS_free(bc); - bc = NULL; + int nids[] = { + #if defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT) + #ifdef WOLFSSL_AES_128 + NID_aes_128_cbc, + #endif + #ifdef WOLFSSL_AES_192 + NID_aes_192_cbc, + #endif + #ifdef WOLFSSL_AES_256 + NID_aes_256_cbc, + #endif + #endif /* HAVE_AES_CBC || WOLFSSL_AES_DIRECT */ + #if (!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)) + #ifdef HAVE_AESGCM + #ifdef WOLFSSL_AES_128 + NID_aes_128_gcm, + #endif + #ifdef WOLFSSL_AES_192 + NID_aes_192_gcm, + #endif + #ifdef WOLFSSL_AES_256 + NID_aes_256_gcm, + #endif + #endif /* HAVE_AESGCM */ + #endif /* (HAVE_FIPS && !HAVE_SELFTEST) || HAVE_FIPS_VERSION > 2 */ + #ifdef WOLFSSL_AES_COUNTER + #ifdef WOLFSSL_AES_128 + NID_aes_128_ctr, + #endif + #ifdef WOLFSSL_AES_192 + NID_aes_192_ctr, + #endif + #ifdef WOLFSSL_AES_256 + NID_aes_256_ctr, + #endif + #endif + #ifndef NO_DES3 + NID_des_cbc, + NID_des_ede3_cbc, + #endif + #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) + NID_chacha20_poly1305, + #endif + }; + int iv_lengths[] = { + #if defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT) + #ifdef WOLFSSL_AES_128 + AES_BLOCK_SIZE, + #endif + #ifdef WOLFSSL_AES_192 + AES_BLOCK_SIZE, + #endif + #ifdef WOLFSSL_AES_256 + AES_BLOCK_SIZE, + #endif + #endif /* HAVE_AES_CBC || WOLFSSL_AES_DIRECT */ + #if (!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)) + #ifdef HAVE_AESGCM + #ifdef WOLFSSL_AES_128 + GCM_NONCE_MID_SZ, + #endif + #ifdef WOLFSSL_AES_192 + GCM_NONCE_MID_SZ, + #endif + #ifdef WOLFSSL_AES_256 + GCM_NONCE_MID_SZ, + #endif + #endif /* HAVE_AESGCM */ + #endif /* (HAVE_FIPS && !HAVE_SELFTEST) || HAVE_FIPS_VERSION > 2 */ + #ifdef WOLFSSL_AES_COUNTER + #ifdef WOLFSSL_AES_128 + AES_BLOCK_SIZE, + #endif + #ifdef WOLFSSL_AES_192 + AES_BLOCK_SIZE, + #endif + #ifdef 
WOLFSSL_AES_256 + AES_BLOCK_SIZE, + #endif + #endif + #ifndef NO_DES3 + DES_BLOCK_SIZE, + DES_BLOCK_SIZE, + #endif + #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) + CHACHA20_POLY1305_AEAD_IV_SIZE, + #endif + }; + int i; + int nidsLen = (sizeof(nids)/sizeof(int)); - if ((ext != NULL) && (ext->obj != NULL)) { - ext->obj->pathlen = pathLen; - pathLen = NULL; + for (i = 0; i < nidsLen; i++) { + const EVP_CIPHER *c = EVP_get_cipherbynid(nids[i]); + ExpectIntEQ(EVP_CIPHER_iv_length(c), iv_lengths[i]); } - /* pathlen set. */ - ExpectNotNull(bc = (WOLFSSL_BASIC_CONSTRAINTS*)wolfSSL_X509V3_EXT_d2i(ext)); - wolfSSL_ASN1_INTEGER_free(pathLen); - wolfSSL_BASIC_CONSTRAINTS_free(bc); - wolfSSL_ASN1_OBJECT_free(obj); - wolfSSL_X509_EXTENSION_free(ext); -#endif return EXPECT_RESULT(); } -static int test_wolfSSL_X509V3_EXT_san(void) +static int test_wolfSSL_EVP_SignInit_ex(void) { EXPECT_DECLS; -#if !defined(NO_FILESYSTEM) && defined(OPENSSL_ALL) && !defined(NO_RSA) - WOLFSSL_X509_EXTENSION* ext = NULL; - WOLFSSL_ASN1_OBJECT* obj = NULL; - WOLFSSL_STACK* sk = NULL; - - ExpectNotNull(ext = wolfSSL_X509_EXTENSION_new()); - ExpectNotNull(obj = wolfSSL_ASN1_OBJECT_new()); + WOLFSSL_EVP_MD_CTX mdCtx; + WOLFSSL_ENGINE* e = 0; + const EVP_MD* md = EVP_sha256(); - if (obj != NULL) { - obj->type = NID_subject_alt_name; - obj->nid = NID_subject_alt_name; - } - ExpectIntEQ(wolfSSL_X509_EXTENSION_set_object(ext, obj), WOLFSSL_SUCCESS); - ExpectNotNull(wolfSSL_X509V3_EXT_get(ext)); - /* No extension stack set. */ - ExpectNull(wolfSSL_X509V3_EXT_d2i(ext)); + wolfSSL_EVP_MD_CTX_init(&mdCtx); + ExpectIntEQ(wolfSSL_EVP_SignInit_ex(&mdCtx, md, e), WOLFSSL_SUCCESS); - ExpectNotNull(sk = wolfSSL_sk_new_null()); - if (ext != NULL) { - ext->ext_sk = sk; - sk = NULL; - } - /* Extension stack set. 
*/ - ExpectNull(wolfSSL_X509V3_EXT_d2i(ext)); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); - wolfSSL_sk_free(sk); - wolfSSL_ASN1_OBJECT_free(obj); - wolfSSL_X509_EXTENSION_free(ext); -#endif return EXPECT_RESULT(); } -static int test_wolfSSL_X509V3_EXT_aia(void) +static int test_wolfSSL_EVP_DigestFinalXOF(void) { EXPECT_DECLS; -#if !defined(NO_FILESYSTEM) && defined(OPENSSL_ALL) && !defined(NO_RSA) - WOLFSSL_X509_EXTENSION* ext = NULL; - WOLFSSL_ASN1_OBJECT* obj = NULL; - WOLFSSL_STACK* sk = NULL; - WOLFSSL_STACK* node = NULL; - WOLFSSL_AUTHORITY_INFO_ACCESS* aia = NULL; - WOLFSSL_ASN1_OBJECT* entry = NULL; - - ExpectNotNull(ext = wolfSSL_X509_EXTENSION_new()); - ExpectNotNull(obj = wolfSSL_ASN1_OBJECT_new()); +#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE256) && defined(OPENSSL_ALL) + WOLFSSL_EVP_MD_CTX mdCtx; + unsigned char shake[256]; + unsigned char zeros[10]; + unsigned char data[] = "Test data"; + unsigned int sz; - if (obj != NULL) { - obj->type = NID_info_access; - obj->nid = NID_info_access; - } - ExpectIntEQ(wolfSSL_X509_EXTENSION_set_object(ext, obj), WOLFSSL_SUCCESS); - ExpectNotNull(wolfSSL_X509V3_EXT_get(ext)); - /* No extension stack set. */ - ExpectNull(wolfSSL_X509V3_EXT_d2i(ext)); + XMEMSET(zeros, 0, sizeof(zeros)); + wolfSSL_EVP_MD_CTX_init(&mdCtx); + ExpectIntEQ(EVP_DigestInit(&mdCtx, EVP_shake256()), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_MD_flags(EVP_shake256()), EVP_MD_FLAG_XOF); + ExpectIntEQ(EVP_MD_flags(EVP_sha3_256()), 0); + ExpectIntEQ(EVP_DigestUpdate(&mdCtx, data, 1), WOLFSSL_SUCCESS); + XMEMSET(shake, 0, sizeof(shake)); + ExpectIntEQ(EVP_DigestFinalXOF(&mdCtx, shake, 10), WOLFSSL_SUCCESS); - ExpectNotNull(sk = wolfSSL_sk_new_null()); - if (ext != NULL) { - ext->ext_sk = sk; - sk = NULL; - } - /* Extension stack set but empty. 
*/ - ExpectNotNull(aia = (WOLFSSL_AUTHORITY_INFO_ACCESS *)wolfSSL_X509V3_EXT_d2i(ext)); - wolfSSL_AUTHORITY_INFO_ACCESS_free(aia); - aia = NULL; + /* make sure was only size of 10 */ + ExpectIntEQ(XMEMCMP(&shake[11], zeros, 10), 0); + ExpectIntEQ(EVP_MD_CTX_cleanup(&mdCtx), WOLFSSL_SUCCESS); - ExpectNotNull(entry = wolfSSL_ASN1_OBJECT_new()); - if (entry != NULL) { - entry->nid = WC_NID_ad_OCSP; - entry->obj = (const unsigned char*)"http://127.0.0.1"; - entry->objSz = 16; - } - ExpectNotNull(node = wolfSSL_sk_new_node(NULL)); - if ((node != NULL) && (ext != NULL)) { - node->type = STACK_TYPE_OBJ; - node->data.obj = entry; - entry = NULL; - ExpectIntEQ(wolfSSL_sk_push_node(&ext->ext_sk, node), WOLFSSL_SUCCESS); - if (EXPECT_SUCCESS()) { - node = NULL; - } - } - ExpectNotNull(aia = (WOLFSSL_AUTHORITY_INFO_ACCESS *)wolfSSL_X509V3_EXT_d2i(ext)); - wolfSSL_ACCESS_DESCRIPTION_free(NULL); + wolfSSL_EVP_MD_CTX_init(&mdCtx); + ExpectIntEQ(EVP_DigestInit(&mdCtx, EVP_shake256()), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_DigestUpdate(&mdCtx, data, 1), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_DigestFinal(&mdCtx, shake, &sz), WOLFSSL_SUCCESS); + ExpectIntEQ(sz, 32); + ExpectIntEQ(EVP_MD_CTX_cleanup(&mdCtx), WOLFSSL_SUCCESS); - wolfSSL_AUTHORITY_INFO_ACCESS_pop_free(aia, - wolfSSL_ACCESS_DESCRIPTION_free); - wolfSSL_ASN1_OBJECT_free(entry); - wolfSSL_sk_free(node); - wolfSSL_ASN1_OBJECT_free(obj); - wolfSSL_X509_EXTENSION_free(ext); + #if defined(WOLFSSL_SHAKE128) + wolfSSL_EVP_MD_CTX_init(&mdCtx); + ExpectIntEQ(EVP_DigestInit(&mdCtx, EVP_shake128()), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_DigestUpdate(&mdCtx, data, 1), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_DigestFinal(&mdCtx, shake, &sz), WOLFSSL_SUCCESS); + ExpectIntEQ(sz, 16); + ExpectIntEQ(EVP_MD_CTX_cleanup(&mdCtx), WOLFSSL_SUCCESS); + #endif #endif return EXPECT_RESULT(); } -static int test_wolfSSL_X509V3_EXT(void) +static int test_wolfSSL_EVP_DigestFinal_ex(void) { EXPECT_DECLS; -#if !defined(NO_FILESYSTEM) && defined(OPENSSL_ALL) && 
!defined(NO_RSA) - XFILE f = XBADFILE; - int numOfExt = 0, nid = 0, i = 0, expected, actual = 0; - char* str = NULL; - unsigned char* data = NULL; - const WOLFSSL_v3_ext_method* method = NULL; - WOLFSSL_X509* x509 = NULL; - WOLFSSL_X509_EXTENSION* ext = NULL; - WOLFSSL_X509_EXTENSION* ext2 = NULL; - WOLFSSL_ASN1_OBJECT *obj = NULL; - WOLFSSL_ASN1_OBJECT *adObj = NULL; - WOLFSSL_ASN1_STRING* asn1str = NULL; - WOLFSSL_AUTHORITY_KEYID* aKeyId = NULL; - WOLFSSL_AUTHORITY_INFO_ACCESS* aia = NULL; - WOLFSSL_BASIC_CONSTRAINTS* bc = NULL; - WOLFSSL_ACCESS_DESCRIPTION* ad = NULL; - WOLFSSL_GENERAL_NAME* gn = NULL; - - /* Check NULL argument */ - ExpectNull(wolfSSL_X509V3_EXT_d2i(NULL)); - - ExpectNotNull(ext = wolfSSL_X509_EXTENSION_new()); - ExpectNotNull(obj = wolfSSL_ASN1_OBJECT_new()); - - ExpectNull(wolfSSL_X509V3_EXT_d2i(ext)); - ExpectIntEQ(wolfSSL_X509_EXTENSION_set_object(ext, obj), WOLFSSL_SUCCESS); - ExpectNull(wolfSSL_X509V3_EXT_d2i(ext)); - if (ext != NULL && ext->obj != NULL) { - ext->obj->nid = ext->obj->type = NID_ext_key_usage; - } - ExpectNull(wolfSSL_X509V3_EXT_d2i(ext)); - if (ext != NULL && ext->obj != NULL) { - ext->obj->nid = ext->obj->type = NID_certificate_policies; - } - ExpectNull(wolfSSL_X509V3_EXT_d2i(ext)); - if (ext != NULL && ext->obj != NULL) { - ext->obj->nid = ext->obj->type = NID_crl_distribution_points; - } - ExpectNull(wolfSSL_X509V3_EXT_d2i(ext)); - if (ext != NULL && ext->obj != NULL) { - ext->obj->nid = ext->obj->type = NID_subject_alt_name; - } - ExpectNull(wolfSSL_X509V3_EXT_d2i(ext)); - - wolfSSL_ASN1_OBJECT_free(obj); - obj = NULL; - wolfSSL_X509_EXTENSION_free(ext); - ext = NULL; - - /* Using OCSP cert with X509V3 extensions */ - ExpectTrue((f = XFOPEN("./certs/ocsp/root-ca-cert.pem", "rb")) != XBADFILE); - ExpectNotNull(x509 = wolfSSL_PEM_read_X509(f, NULL, NULL, NULL)); - if (f != XBADFILE) - XFCLOSE(f); - - ExpectIntEQ((numOfExt = wolfSSL_X509_get_ext_count(x509)), 5); - - /* Basic Constraints */ - ExpectNotNull(ext = 
wolfSSL_X509_get_ext(x509, i)); - ExpectNotNull(obj = wolfSSL_X509_EXTENSION_get_object(ext)); - ExpectIntEQ((nid = wolfSSL_OBJ_obj2nid(obj)), NID_basic_constraints); - ExpectNotNull(bc = (WOLFSSL_BASIC_CONSTRAINTS*)wolfSSL_X509V3_EXT_d2i(ext)); +#if !defined(NO_SHA256) + WOLFSSL_EVP_MD_CTX mdCtx; + unsigned int s = 0; + unsigned char md[WC_SHA256_DIGEST_SIZE]; + unsigned char md2[WC_SHA256_DIGEST_SIZE]; - ExpectIntEQ(bc->ca, 1); - ExpectNull(bc->pathlen); - wolfSSL_BASIC_CONSTRAINTS_free(bc); - bc = NULL; - i++; - - /* Subject Key Identifier */ - ExpectNotNull(ext = wolfSSL_X509_get_ext(x509, i)); - ExpectNotNull(obj = wolfSSL_X509_EXTENSION_get_object(ext)); - ExpectIntEQ((nid = wolfSSL_OBJ_obj2nid(obj)), NID_subject_key_identifier); - - ExpectNotNull(asn1str = (WOLFSSL_ASN1_STRING*)wolfSSL_X509V3_EXT_d2i(ext)); - ExpectNotNull(ext2 = wolfSSL_X509V3_EXT_i2d(NID_subject_key_identifier, 0, - asn1str)); - X509_EXTENSION_free(ext2); - ext2 = NULL; - ExpectNotNull(method = wolfSSL_X509V3_EXT_get(ext)); - ExpectNotNull(method->i2s); - ExpectNotNull(str = method->i2s((WOLFSSL_v3_ext_method*)method, asn1str)); - wolfSSL_ASN1_STRING_free(asn1str); - asn1str = NULL; - if (str != NULL) { - actual = strcmp(str, - "73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21"); - } - ExpectIntEQ(actual, 0); - XFREE(str, NULL, DYNAMIC_TYPE_TMP_BUFFER); - str = NULL; - i++; - - /* Authority Key Identifier */ - ExpectNotNull(ext = wolfSSL_X509_get_ext(x509, i)); - ExpectNotNull(obj = wolfSSL_X509_EXTENSION_get_object(ext)); - ExpectIntEQ((nid = wolfSSL_OBJ_obj2nid(obj)), NID_authority_key_identifier); - - ExpectNotNull(aKeyId = (WOLFSSL_AUTHORITY_KEYID*)wolfSSL_X509V3_EXT_d2i( - ext)); - ExpectNotNull(method = wolfSSL_X509V3_EXT_get(ext)); - ExpectNotNull(asn1str = aKeyId->keyid); - ExpectNotNull(str = wolfSSL_i2s_ASN1_STRING((WOLFSSL_v3_ext_method*)method, - asn1str)); - asn1str = NULL; - if (str != NULL) { - actual = strcmp(str, - 
"73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21"); - } - ExpectIntEQ(actual, 0); - XFREE(str, NULL, DYNAMIC_TYPE_TMP_BUFFER); - str = NULL; - wolfSSL_AUTHORITY_KEYID_free(aKeyId); - aKeyId = NULL; - i++; - - /* Key Usage */ - ExpectNotNull(ext = wolfSSL_X509_get_ext(x509, i)); - ExpectNotNull(obj = wolfSSL_X509_EXTENSION_get_object(ext)); - ExpectIntEQ((nid = wolfSSL_OBJ_obj2nid(obj)), NID_key_usage); - - ExpectNotNull(asn1str = (WOLFSSL_ASN1_STRING*)wolfSSL_X509V3_EXT_d2i(ext)); -#if defined(WOLFSSL_QT) - ExpectNotNull(data = (unsigned char*)ASN1_STRING_get0_data(asn1str)); -#else - ExpectNotNull(data = wolfSSL_ASN1_STRING_data(asn1str)); -#endif - expected = KEYUSE_KEY_CERT_SIGN | KEYUSE_CRL_SIGN; - if (data != NULL) { - #ifdef BIG_ENDIAN_ORDER - actual = data[1]; - #else - actual = data[0]; - #endif - } - ExpectIntEQ(actual, expected); - wolfSSL_ASN1_STRING_free(asn1str); - asn1str = NULL; - ExpectIntEQ(wolfSSL_X509_get_keyUsage(NULL), 0); - ExpectIntEQ(wolfSSL_X509_get_keyUsage(x509), expected); - i++; + /* Bad Case */ +#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && \ + (HAVE_FIPS_VERSION > 2)) + wolfSSL_EVP_MD_CTX_init(&mdCtx); + ExpectIntEQ(wolfSSL_EVP_DigestFinal_ex(&mdCtx, md, &s), 0); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); - /* Authority Info Access */ - ExpectNotNull(ext = wolfSSL_X509_get_ext(x509, i)); - ExpectNotNull(obj = wolfSSL_X509_EXTENSION_get_object(ext)); - ExpectIntEQ((nid = wolfSSL_OBJ_obj2nid(obj)), NID_info_access); - ExpectNotNull(aia = (WOLFSSL_AUTHORITY_INFO_ACCESS*)wolfSSL_X509V3_EXT_d2i( - ext)); -#if defined(WOLFSSL_QT) - ExpectIntEQ(OPENSSL_sk_num(aia), 1); /* Only one URI entry for this cert */ -#else - ExpectIntEQ(wolfSSL_sk_num(aia), 1); /* Only one URI entry for this cert */ -#endif - /* URI entry is an ACCESS_DESCRIPTION type */ -#if defined(WOLFSSL_QT) - ExpectNotNull(ad = (WOLFSSL_ACCESS_DESCRIPTION*)wolfSSL_sk_value(aia, 0)); #else - ExpectNotNull(ad = 
(WOLFSSL_ACCESS_DESCRIPTION*)OPENSSL_sk_value(aia, 0)); -#endif - ExpectNotNull(adObj = ad->method); - /* Make sure nid is OCSP */ - ExpectIntEQ(wolfSSL_OBJ_obj2nid(adObj), NID_ad_OCSP); - - /* GENERAL_NAME stores URI as an ASN1_STRING */ - ExpectNotNull(gn = ad->location); - ExpectIntEQ(gn->type, GEN_URI); /* Type should always be GEN_URI */ - ExpectNotNull(asn1str = gn->d.uniformResourceIdentifier); - ExpectIntEQ(wolfSSL_ASN1_STRING_length(asn1str), 22); -#if defined(WOLFSSL_QT) - ExpectNotNull(str = (char*)ASN1_STRING_get0_data(asn1str)); -#else - ExpectNotNull(str = (char*)wolfSSL_ASN1_STRING_data(asn1str)); -#endif - if (str != NULL) { - actual = strcmp(str, "http://127.0.0.1:22220"); - } - ExpectIntEQ(actual, 0); - - ExpectIntEQ(wolfSSL_sk_ACCESS_DESCRIPTION_num(NULL), WOLFSSL_FATAL_ERROR); - ExpectIntEQ(wolfSSL_sk_ACCESS_DESCRIPTION_num(aia), 1); - ExpectNull(wolfSSL_sk_ACCESS_DESCRIPTION_value(NULL, 0)); - ExpectNull(wolfSSL_sk_ACCESS_DESCRIPTION_value(aia, 1)); - ExpectNotNull(wolfSSL_sk_ACCESS_DESCRIPTION_value(aia, 0)); - wolfSSL_sk_ACCESS_DESCRIPTION_pop_free(aia, NULL); - aia = NULL; + wolfSSL_EVP_MD_CTX_init(&mdCtx); + ExpectIntEQ(wolfSSL_EVP_DigestFinal_ex(&mdCtx, md, &s), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), WOLFSSL_SUCCESS); -#ifndef NO_WOLFSSL_STUB - ExpectNull(wolfSSL_X509_delete_ext(x509, 0)); #endif - wolfSSL_X509_free(x509); + /* Good Case */ + wolfSSL_EVP_MD_CTX_init(&mdCtx); + ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, EVP_sha256()), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_EVP_DigestFinal_ex(&mdCtx, md2, &s), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), WOLFSSL_SUCCESS); #endif return EXPECT_RESULT(); } -static int test_wolfSSL_X509_get_extension_flags(void) +static int test_wolfSSL_QT_EVP_PKEY_CTX_free(void) { EXPECT_DECLS; -#if defined(OPENSSL_ALL) && !defined(NO_RSA) - XFILE f = XBADFILE; - X509* x509 = NULL; - unsigned int extFlags; - unsigned int keyUsageFlags; - unsigned int 
extKeyUsageFlags; - - ExpectIntEQ(X509_get_extension_flags(NULL), 0); - ExpectIntEQ(X509_get_key_usage(NULL), 0); - ExpectIntEQ(X509_get_extended_key_usage(NULL), 0); - ExpectNotNull(x509 = wolfSSL_X509_new()); - ExpectIntEQ(X509_get_extension_flags(x509), 0); - ExpectIntEQ(X509_get_key_usage(x509), -1); - ExpectIntEQ(X509_get_extended_key_usage(x509), 0); - wolfSSL_X509_free(x509); - x509 = NULL; - - /* client-int-cert.pem has the following extension flags. */ - extFlags = EXFLAG_KUSAGE | EXFLAG_XKUSAGE; - /* and the following key usage flags. */ - keyUsageFlags = KU_DIGITAL_SIGNATURE - | KU_NON_REPUDIATION - | KU_KEY_ENCIPHERMENT; - /* and the following extended key usage flags. */ - extKeyUsageFlags = XKU_SSL_CLIENT | XKU_SMIME; +#if defined(OPENSSL_EXTRA) + EVP_PKEY* pkey = NULL; + EVP_PKEY_CTX* ctx = NULL; - ExpectTrue((f = XFOPEN("./certs/intermediate/client-int-cert.pem", "rb")) != - XBADFILE); - ExpectNotNull(x509 = PEM_read_X509(f, NULL, NULL, NULL)); - if (f != XBADFILE) { - XFCLOSE(f); - f = XBADFILE; - } - ExpectIntEQ(X509_get_extension_flags(x509), extFlags); - ExpectIntEQ(X509_get_key_usage(x509), keyUsageFlags); - ExpectIntEQ(X509_get_extended_key_usage(x509), extKeyUsageFlags); - X509_free(x509); - x509 = NULL; + ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); + ExpectNotNull(ctx = EVP_PKEY_CTX_new(pkey, NULL)); - /* client-cert-ext.pem has the following extension flags. */ - extFlags = EXFLAG_KUSAGE; - /* and the following key usage flags. 
*/ - keyUsageFlags = KU_DIGITAL_SIGNATURE - | KU_KEY_CERT_SIGN - | KU_CRL_SIGN; +#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000L + /* void */ + EVP_PKEY_CTX_free(ctx); +#else + /* int */ + ExpectIntEQ(EVP_PKEY_CTX_free(ctx), WOLFSSL_SUCCESS); +#endif - ExpectTrue((f = fopen("./certs/client-cert-ext.pem", "rb")) != XBADFILE); - ExpectNotNull(x509 = PEM_read_X509(f, NULL, NULL, NULL)); - if (f != XBADFILE) - XFCLOSE(f); - ExpectIntEQ(X509_get_extension_flags(x509), extFlags); - ExpectIntEQ(X509_get_key_usage(x509), keyUsageFlags); - X509_free(x509); -#endif /* OPENSSL_ALL */ + EVP_PKEY_free(pkey); +#endif return EXPECT_RESULT(); } -static int test_wolfSSL_X509_get_ext(void) +static int test_wolfSSL_EVP_PKEY_param_check(void) { EXPECT_DECLS; -#if !defined(NO_FILESYSTEM) && defined(OPENSSL_ALL) && !defined(NO_RSA) - int ret = 0; - XFILE f = XBADFILE; - WOLFSSL_X509* x509 = NULL; - WOLFSSL_X509_EXTENSION* foundExtension; - - ExpectTrue((f = XFOPEN("./certs/server-cert.pem", "rb")) != XBADFILE); - ExpectNotNull(x509 = wolfSSL_PEM_read_X509(f, NULL, NULL, NULL)); - if (f != XBADFILE) - XFCLOSE(f); - ExpectIntEQ((ret = wolfSSL_X509_get_ext_count(x509)), 5); - - /* wolfSSL_X509_get_ext() valid input */ - ExpectNotNull(foundExtension = wolfSSL_X509_get_ext(x509, 0)); - - /* wolfSSL_X509_get_ext() valid x509, idx out of bounds */ - ExpectNull(foundExtension = wolfSSL_X509_get_ext(x509, -1)); - ExpectNull(foundExtension = wolfSSL_X509_get_ext(x509, 100)); - - /* wolfSSL_X509_get_ext() NULL x509, idx out of bounds */ - ExpectNull(foundExtension = wolfSSL_X509_get_ext(NULL, -1)); - ExpectNull(foundExtension = wolfSSL_X509_get_ext(NULL, 100)); - - /* wolfSSL_X509_get_ext() NULL x509, valid idx */ - ExpectNull(foundExtension = wolfSSL_X509_get_ext(NULL, 0)); - - ExpectNull(wolfSSL_X509_get0_extensions(NULL)); +#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) +#if !defined(NO_DH) && defined(WOLFSSL_DH_EXTRA) && !defined(NO_FILESYSTEM) - 
wolfSSL_X509_free(x509); -#endif - return EXPECT_RESULT(); -} + DH *dh = NULL; + DH *setDh = NULL; + EVP_PKEY *pkey = NULL; + EVP_PKEY_CTX* ctx = NULL; -static int test_wolfSSL_X509_get_ext_by_NID(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_ALL) && !defined(NO_RSA) - int rc = 0; - XFILE f = XBADFILE; - WOLFSSL_X509* x509 = NULL; - ASN1_OBJECT* obj = NULL; + FILE* f = NULL; + unsigned char buf[512]; + const unsigned char* pt = buf; + const char* dh2048 = "./certs/dh2048.der"; + long len = 0; + int code = -1; - ExpectNotNull(x509 = wolfSSL_X509_new()); - ExpectIntEQ(wolfSSL_X509_get_ext_by_NID(x509, NID_basic_constraints, -1), - WOLFSSL_FATAL_ERROR); - wolfSSL_X509_free(x509); - x509 = NULL; + XMEMSET(buf, 0, sizeof(buf)); - ExpectTrue((f = XFOPEN("./certs/server-cert.pem", "rb")) != XBADFILE); - ExpectNotNull(x509 = wolfSSL_PEM_read_X509(f, NULL, NULL, NULL)); + ExpectTrue((f = XFOPEN(dh2048, "rb")) != XBADFILE); + ExpectTrue((len = (long)XFREAD(buf, 1, sizeof(buf), f)) > 0); if (f != XBADFILE) XFCLOSE(f); - ExpectIntGE(rc = wolfSSL_X509_get_ext_by_NID(x509, NID_basic_constraints, - -1), 0); - ExpectIntGE(wolfSSL_X509_get_ext_by_NID(x509, NID_basic_constraints, 20), - -1); - - /* Start search from last location (should fail) */ - ExpectIntGE(rc = wolfSSL_X509_get_ext_by_NID(x509, NID_basic_constraints, - rc), -1); - - ExpectIntGE(rc = wolfSSL_X509_get_ext_by_NID(x509, NID_basic_constraints, - -2), -1); - - ExpectIntEQ(rc = wolfSSL_X509_get_ext_by_NID(NULL, NID_basic_constraints, - -1), -1); + /* Load dh2048.der into DH with internal format */ + ExpectNotNull(setDh = d2i_DHparams(NULL, &pt, len)); + ExpectIntEQ(DH_check(setDh, &code), WOLFSSL_SUCCESS); + ExpectIntEQ(code, 0); + code = -1; - ExpectIntEQ(rc = wolfSSL_X509_get_ext_by_NID(x509, NID_undef, -1), -1); + pkey = wolfSSL_EVP_PKEY_new(); + /* Set DH into PKEY */ + ExpectIntEQ(EVP_PKEY_set1_DH(pkey, setDh), WOLFSSL_SUCCESS); + /* create ctx from pkey */ + ExpectNotNull(ctx = EVP_PKEY_CTX_new(pkey, NULL)); + 
ExpectIntEQ(EVP_PKEY_param_check(ctx), 1/* valid */); - /* NID_ext_key_usage, check also its nid and oid */ - ExpectIntGT(rc = wolfSSL_X509_get_ext_by_NID(x509, NID_ext_key_usage, -1), - -1); - ExpectNotNull(obj = wolfSSL_X509_EXTENSION_get_object(wolfSSL_X509_get_ext( - x509, rc))); - ExpectIntEQ(obj->nid, NID_ext_key_usage); - ExpectIntEQ(obj->type, EXT_KEY_USAGE_OID); + /* TODO: more invalid cases */ + ExpectIntEQ(EVP_PKEY_param_check(NULL), 0); - wolfSSL_X509_free(x509); + EVP_PKEY_CTX_free(ctx); + EVP_PKEY_free(pkey); + DH_free(setDh); + setDh = NULL; + DH_free(dh); + dh = NULL; #endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_X509_get_ext_subj_alt_name(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_ALL) && !defined(NO_RSA) - int rc = 0; - XFILE f = XBADFILE; - WOLFSSL_X509* x509 = NULL; - WOLFSSL_X509_EXTENSION* ext = NULL; - WOLFSSL_ASN1_STRING* sanString = NULL; - byte* sanDer = NULL; - - const byte expectedDer[] = { - 0x30, 0x13, 0x82, 0x0b, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e, - 0x63, 0x6f, 0x6d, 0x87, 0x04, 0x7f, 0x00, 0x00, 0x01}; - - ExpectTrue((f = XFOPEN("./certs/server-cert.pem", "rb")) != XBADFILE); - ExpectNotNull(x509 = PEM_read_X509(f, NULL, NULL, NULL)); - if (f != XBADFILE) - XFCLOSE(f); - - ExpectIntNE(rc = X509_get_ext_by_NID(x509, NID_subject_alt_name, -1), -1); - ExpectNotNull(ext = X509_get_ext(x509, rc)); - ExpectNotNull(sanString = X509_EXTENSION_get_data(ext)); - ExpectIntEQ(ASN1_STRING_length(sanString), sizeof(expectedDer)); - ExpectNotNull(sanDer = ASN1_STRING_data(sanString)); - ExpectIntEQ(XMEMCMP(sanDer, expectedDer, sizeof(expectedDer)), 0); - - X509_free(x509); #endif return EXPECT_RESULT(); } -static int test_wolfSSL_X509_set_ext(void) +static int test_wolfSSL_EVP_BytesToKey(void) { EXPECT_DECLS; -#if defined(OPENSSL_ALL) && !defined(NO_RSA) - WOLFSSL_X509* x509 = NULL; - XFILE f = XBADFILE; - int loc; - - ExpectNull(wolfSSL_X509_set_ext(NULL, 0)); +#if !defined(NO_AES) && defined(HAVE_AES_CBC) + byte 
key[AES_BLOCK_SIZE] = {0}; + byte iv[AES_BLOCK_SIZE] = {0}; + int count = 0; + const EVP_MD* md = EVP_sha256(); + const EVP_CIPHER *type; + const unsigned char *salt = (unsigned char *)"salt1234"; + int sz = 5; + const byte data[] = { + 0x48,0x65,0x6c,0x6c,0x6f,0x20,0x57,0x6f, + 0x72,0x6c,0x64 + }; - ExpectNotNull(x509 = wolfSSL_X509_new()); - /* Location too small. */ - ExpectNull(wolfSSL_X509_set_ext(x509, -1)); - /* Location too big. */ - ExpectNull(wolfSSL_X509_set_ext(x509, 1)); - /* No DER encoding. */ - ExpectNull(wolfSSL_X509_set_ext(x509, 0)); - wolfSSL_X509_free(x509); - x509 = NULL; + type = wolfSSL_EVP_get_cipherbynid(NID_aes_128_cbc); - ExpectTrue((f = XFOPEN("./certs/server-cert.pem", "rb")) != XBADFILE); - ExpectNotNull(x509 = PEM_read_X509(f, NULL, NULL, NULL)); - if (f != XBADFILE) { - XFCLOSE(f); - } - for (loc = 0; loc < wolfSSL_X509_get_ext_count(x509); loc++) { - ExpectNotNull(wolfSSL_X509_set_ext(x509, loc)); - } + /* Bad cases */ + ExpectIntEQ(EVP_BytesToKey(NULL, md, salt, data, sz, count, key, iv), + 0); + ExpectIntEQ(EVP_BytesToKey(type, md, salt, NULL, sz, count, key, iv), + 16); + md = "2"; + ExpectIntEQ(EVP_BytesToKey(type, md, salt, data, sz, count, key, iv), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - wolfSSL_X509_free(x509); + /* Good case */ + md = EVP_sha256(); + ExpectIntEQ(EVP_BytesToKey(type, md, salt, data, sz, count, key, iv), + 16); #endif return EXPECT_RESULT(); } -#if defined(OPENSSL_ALL) -static int test_X509_add_basic_constraints(WOLFSSL_X509* x509) +static int test_evp_cipher_aes_gcm(void) { EXPECT_DECLS; - const byte basicConsObj[] = { 0x06, 0x03, 0x55, 0x1d, 0x13 }; - const byte* p; - WOLFSSL_X509_EXTENSION* ext = NULL; - WOLFSSL_ASN1_OBJECT* obj = NULL; - ASN1_INTEGER* pathLen = NULL; - - p = basicConsObj; - ExpectNotNull(obj = wolfSSL_d2i_ASN1_OBJECT(NULL, &p, - sizeof(basicConsObj))); - if (obj != NULL) { - obj->type = NID_basic_constraints; - } - ExpectNotNull(pathLen = wolfSSL_ASN1_INTEGER_new()); - if (pathLen != 
NULL) { - pathLen->length = 2; - } - if (obj != NULL) { - obj->ca = 0; - } - ExpectNotNull(ext = wolfSSL_X509_EXTENSION_new()); - ExpectIntEQ(wolfSSL_X509_EXTENSION_set_object(ext, obj), WOLFSSL_SUCCESS); - if (ext != NULL && ext->obj != NULL) { - ext->obj->ca = 0; - ext->obj->pathlen = pathLen; - } - ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, -1), WOLFSSL_SUCCESS); - ExpectIntEQ(x509->isCa, 0); - ExpectIntEQ(x509->pathLength, 2); - if (ext != NULL && ext->obj != NULL) { - /* Add second time to without path length. */ - ext->obj->ca = 1; - ext->obj->pathlen = NULL; - } - ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, -1), WOLFSSL_SUCCESS); - ExpectIntEQ(x509->isCa, 1); - ExpectIntEQ(x509->pathLength, 2); - ExpectIntEQ(wolfSSL_X509_get_isSet_pathLength(NULL), 0); - ExpectIntEQ(wolfSSL_X509_get_isSet_pathLength(x509), 1); - ExpectIntEQ(wolfSSL_X509_get_pathLength(NULL), 0); - ExpectIntEQ(wolfSSL_X509_get_pathLength(x509), 2); - - wolfSSL_ASN1_INTEGER_free(pathLen); - wolfSSL_ASN1_OBJECT_free(obj); - wolfSSL_X509_EXTENSION_free(ext); - - return EXPECT_RESULT(); -} +#if defined(HAVE_AESGCM) && ((!defined(HAVE_FIPS) && \ + !defined(HAVE_SELFTEST)) || (defined(HAVE_FIPS_VERSION) && \ + (HAVE_FIPS_VERSION >= 2))) && defined(WOLFSSL_AES_256) + /* + * This test checks data at various points in the encrypt/decrypt process + * against known values produced using the same test with OpenSSL. This + * interop testing is critical for verifying the correctness of our + * EVP_Cipher implementation with AES-GCM. Specifically, this test exercises + * a flow supported by OpenSSL that uses the control command + * EVP_CTRL_GCM_IV_GEN to increment the IV between cipher operations without + * the need to call EVP_CipherInit. OpenSSH uses this flow, for example. We + * had a bug with OpenSSH where wolfSSL OpenSSH servers could only talk to + * wolfSSL OpenSSH clients because there was a bug in this flow that + * happened to "cancel out" if both sides of the connection had the bug. 
+ */ + enum { + NUM_ENCRYPTIONS = 3, + AAD_SIZE = 4 + }; + static const byte plainText1[] = { + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, + 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, + 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23 + }; + static const byte plainText2[] = { + 0x42, 0x49, 0x3b, 0x27, 0x03, 0x35, 0x59, 0x14, 0x41, 0x47, 0x37, 0x14, + 0x0e, 0x34, 0x0d, 0x28, 0x63, 0x09, 0x0a, 0x5b, 0x22, 0x57, 0x42, 0x22, + 0x0f, 0x5c, 0x1e, 0x53, 0x45, 0x15, 0x62, 0x08, 0x60, 0x43, 0x50, 0x2c + }; + static const byte plainText3[] = { + 0x36, 0x0d, 0x2b, 0x09, 0x4a, 0x56, 0x3b, 0x4c, 0x21, 0x22, 0x58, 0x0e, + 0x5b, 0x57, 0x10 + }; + static const byte* plainTexts[NUM_ENCRYPTIONS] = { + plainText1, + plainText2, + plainText3 + }; + static const int plainTextSzs[NUM_ENCRYPTIONS] = { + sizeof(plainText1), + sizeof(plainText2), + sizeof(plainText3) + }; + static const byte aad1[AAD_SIZE] = { + 0x00, 0x00, 0x00, 0x01 + }; + static const byte aad2[AAD_SIZE] = { + 0x00, 0x00, 0x00, 0x10 + }; + static const byte aad3[AAD_SIZE] = { + 0x00, 0x00, 0x01, 0x00 + }; + static const byte* aads[NUM_ENCRYPTIONS] = { + aad1, + aad2, + aad3 + }; + const byte iv[GCM_NONCE_MID_SZ] = { + 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF + }; + byte currentIv[GCM_NONCE_MID_SZ]; + const byte key[] = { + 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, + 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, + 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f + }; + const byte expIvs[NUM_ENCRYPTIONS][GCM_NONCE_MID_SZ] = { + { + 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, + 0xEF + }, + { + 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, + 0xF0 + }, + { + 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, + 0xF1 + } + }; + const byte expTags[NUM_ENCRYPTIONS][AES_BLOCK_SIZE] = { + { + 0x65, 0x4F, 0xF7, 
0xA0, 0xBB, 0x7B, 0x90, 0xB7, 0x9C, 0xC8, 0x14, + 0x3D, 0x32, 0x18, 0x34, 0xA9 + }, + { + 0x50, 0x3A, 0x13, 0x8D, 0x91, 0x1D, 0xEC, 0xBB, 0xBA, 0x5B, 0x57, + 0xA2, 0xFD, 0x2D, 0x6B, 0x7F + }, + { + 0x3B, 0xED, 0x18, 0x9C, 0xB3, 0xE3, 0x61, 0x1E, 0x11, 0xEB, 0x13, + 0x5B, 0xEC, 0x52, 0x49, 0x32, + } + }; + static const byte expCipherText1[] = { + 0xCB, 0x93, 0x4F, 0xC8, 0x22, 0xE2, 0xC0, 0x35, 0xAA, 0x6B, 0x41, 0x15, + 0x17, 0x30, 0x2F, 0x97, 0x20, 0x74, 0x39, 0x28, 0xF8, 0xEB, 0xC5, 0x51, + 0x7B, 0xD9, 0x8A, 0x36, 0xB8, 0xDA, 0x24, 0x80, 0xE7, 0x9E, 0x09, 0xDE + }; + static const byte expCipherText2[] = { + 0xF9, 0x32, 0xE1, 0x87, 0x37, 0x0F, 0x04, 0xC1, 0xB5, 0x59, 0xF0, 0x45, + 0x3A, 0x0D, 0xA0, 0x26, 0xFF, 0xA6, 0x8D, 0x38, 0xFE, 0xB8, 0xE5, 0xC2, + 0x2A, 0x98, 0x4A, 0x54, 0x8F, 0x1F, 0xD6, 0x13, 0x03, 0xB2, 0x1B, 0xC0 + }; + static const byte expCipherText3[] = { + 0xD0, 0x37, 0x59, 0x1C, 0x2F, 0x85, 0x39, 0x4D, 0xED, 0xC2, 0x32, 0x5B, + 0x80, 0x5E, 0x6B, + }; + static const byte* expCipherTexts[NUM_ENCRYPTIONS] = { + expCipherText1, + expCipherText2, + expCipherText3 + }; + byte* cipherText = NULL; + byte* calcPlainText = NULL; + byte tag[AES_BLOCK_SIZE]; + EVP_CIPHER_CTX* encCtx = NULL; + EVP_CIPHER_CTX* decCtx = NULL; + int i, j, outl; -static int test_X509_add_key_usage(WOLFSSL_X509* x509) -{ - EXPECT_DECLS; - const byte objData[] = { 0x06, 0x03, 0x55, 0x1d, 0x0f }; - const byte data[] = { 0x04, 0x02, 0x01, 0x80 }; - const byte emptyData[] = { 0x04, 0x00 }; - const char* strData = "digitalSignature,keyCertSign"; - const byte* p; - WOLFSSL_X509_EXTENSION* ext = NULL; - WOLFSSL_ASN1_OBJECT* obj = NULL; - WOLFSSL_ASN1_STRING* str = NULL; + /****************************************************/ + for (i = 0; i < 3; ++i) { + ExpectNotNull(encCtx = EVP_CIPHER_CTX_new()); + ExpectNotNull(decCtx = EVP_CIPHER_CTX_new()); - p = objData; - ExpectNotNull(obj = wolfSSL_d2i_ASN1_OBJECT(NULL, &p, sizeof(objData))); - if (obj != NULL) { - obj->type = NID_key_usage; - } - p 
= data; - ExpectNotNull(str = d2i_ASN1_OCTET_STRING(NULL, &p, (long)sizeof(data))); - ExpectNotNull(ext = wolfSSL_X509_EXTENSION_new()); - ExpectIntEQ(wolfSSL_X509_EXTENSION_set_object(ext, obj), WOLFSSL_SUCCESS); - /* No Data - no change. */ - ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, -1), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_EXTENSION_set_data(ext, str), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, -1), WOLFSSL_SUCCESS); - ExpectIntEQ(x509->keyUsage, KEYUSE_DECIPHER_ONLY | KEYUSE_ENCIPHER_ONLY); - - /* Add second time with string to interpret. */ - wolfSSL_ASN1_STRING_free(str); - str = NULL; - ExpectNotNull(str = wolfSSL_ASN1_STRING_new()); - ExpectIntEQ(ASN1_STRING_set(str, strData, (word32)XSTRLEN(strData) + 1), - WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_EXTENSION_set_data(ext, str), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, -1), WOLFSSL_SUCCESS); - ExpectIntEQ(x509->keyUsage, KEYUSE_DIGITAL_SIG | KEYUSE_KEY_CERT_SIGN); + /* First iteration, set key before IV. */ + if (i == 0) { + ExpectIntEQ(EVP_CipherInit(encCtx, EVP_aes_256_gcm(), key, NULL, 1), + SSL_SUCCESS); - /* Empty data. */ - wolfSSL_ASN1_STRING_free(str); - str = NULL; - p = emptyData; - ExpectNotNull(str = d2i_ASN1_OCTET_STRING(NULL, &p, - (long)sizeof(emptyData))); - ExpectIntEQ(wolfSSL_X509_EXTENSION_set_data(ext, str), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, -1), WOLFSSL_FAILURE); + /* + * The call to EVP_CipherInit below (with NULL key) should clear the + * authIvGenEnable flag set by EVP_CTRL_GCM_SET_IV_FIXED. As such, a + * subsequent EVP_CTRL_GCM_IV_GEN should fail. This matches OpenSSL + * behavior. 
+ */ + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(encCtx, EVP_CTRL_GCM_SET_IV_FIXED, -1, + (void*)iv), SSL_SUCCESS); + ExpectIntEQ(EVP_CipherInit(encCtx, NULL, NULL, iv, 1), + SSL_SUCCESS); + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(encCtx, EVP_CTRL_GCM_IV_GEN, -1, + currentIv), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - /* Invalid string to parse. */ - wolfSSL_ASN1_STRING_free(str); - str = NULL; - ExpectNotNull(str = wolfSSL_ASN1_STRING_new()); - ExpectIntEQ(ASN1_STRING_set(str, "bad", 4), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_EXTENSION_set_data(ext, str), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, -1), WOLFSSL_FAILURE); + ExpectIntEQ(EVP_CipherInit(decCtx, EVP_aes_256_gcm(), key, NULL, 0), + SSL_SUCCESS); + ExpectIntEQ(EVP_CipherInit(decCtx, NULL, NULL, iv, 0), + SSL_SUCCESS); + } + /* Second iteration, IV before key. */ + else { + ExpectIntEQ(EVP_CipherInit(encCtx, EVP_aes_256_gcm(), NULL, iv, 1), + SSL_SUCCESS); + ExpectIntEQ(EVP_CipherInit(encCtx, NULL, key, NULL, 1), + SSL_SUCCESS); + ExpectIntEQ(EVP_CipherInit(decCtx, EVP_aes_256_gcm(), NULL, iv, 0), + SSL_SUCCESS); + ExpectIntEQ(EVP_CipherInit(decCtx, NULL, key, NULL, 0), + SSL_SUCCESS); + } - wolfSSL_ASN1_STRING_free(str); - wolfSSL_ASN1_OBJECT_free(obj); - wolfSSL_X509_EXTENSION_free(ext); + /* + * EVP_CTRL_GCM_IV_GEN should fail if EVP_CTRL_GCM_SET_IV_FIXED hasn't + * been issued first. 
+ */ + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(encCtx, EVP_CTRL_GCM_IV_GEN, -1, + currentIv), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - return EXPECT_RESULT(); -} + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(encCtx, EVP_CTRL_GCM_SET_IV_FIXED, -1, + (void*)iv), SSL_SUCCESS); + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(decCtx, EVP_CTRL_GCM_SET_IV_FIXED, -1, + (void*)iv), SSL_SUCCESS); -static int test_X509_add_ext_key_usage(WOLFSSL_X509* x509) -{ - EXPECT_DECLS; - const byte objData[] = { 0x06, 0x03, 0x55, 0x1d, 0x25 }; - const byte data[] = { 0x04, 0x01, 0x01 }; - const byte emptyData[] = { 0x04, 0x00 }; - const char* strData = "serverAuth,codeSigning"; - const byte* p; - WOLFSSL_X509_EXTENSION* ext = NULL; - WOLFSSL_ASN1_OBJECT* obj = NULL; - WOLFSSL_ASN1_STRING* str = NULL; + for (j = 0; j < NUM_ENCRYPTIONS; ++j) { + /*************** Encrypt ***************/ + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(encCtx, EVP_CTRL_GCM_IV_GEN, -1, + currentIv), SSL_SUCCESS); + /* Check current IV against expected. */ + ExpectIntEQ(XMEMCMP(currentIv, expIvs[j], GCM_NONCE_MID_SZ), 0); - p = objData; - ExpectNotNull(obj = wolfSSL_d2i_ASN1_OBJECT(NULL, &p, sizeof(objData))); - if (obj != NULL) { - obj->type = NID_ext_key_usage; - } - p = data; - ExpectNotNull(str = d2i_ASN1_OCTET_STRING(NULL, &p, (long)sizeof(data))); - ExpectNotNull(ext = wolfSSL_X509_EXTENSION_new()); - ExpectIntEQ(wolfSSL_X509_EXTENSION_set_object(ext, obj), WOLFSSL_SUCCESS); - /* No Data - no change. */ - ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, -1), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_EXTENSION_set_data(ext, str), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, -1), WOLFSSL_SUCCESS); - ExpectIntEQ(x509->extKeyUsage, EXTKEYUSE_ANY); - - /* Add second time with string to interpret. 
*/ - wolfSSL_ASN1_STRING_free(str); - str = NULL; - ExpectNotNull(str = wolfSSL_ASN1_STRING_new()); - ExpectIntEQ(ASN1_STRING_set(str, strData, (word32)XSTRLEN(strData) + 1), - WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_EXTENSION_set_data(ext, str), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, -1), WOLFSSL_SUCCESS); - ExpectIntEQ(x509->extKeyUsage, EXTKEYUSE_SERVER_AUTH | EXTKEYUSE_CODESIGN); + /* Add AAD. */ + if (i == 2) { + /* Test streaming API. */ + ExpectIntEQ(EVP_CipherUpdate(encCtx, NULL, &outl, aads[j], + AAD_SIZE), SSL_SUCCESS); + } + else { + ExpectIntEQ(EVP_Cipher(encCtx, NULL, (byte *)aads[j], AAD_SIZE), + AAD_SIZE); + } - /* Empty data. */ - wolfSSL_ASN1_STRING_free(str); - str = NULL; - p = emptyData; - ExpectNotNull(str = d2i_ASN1_OCTET_STRING(NULL, &p, - (long)sizeof(emptyData))); - ExpectIntEQ(wolfSSL_X509_EXTENSION_set_data(ext, str), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, -1), WOLFSSL_FAILURE); + ExpectNotNull(cipherText = (byte*)XMALLOC(plainTextSzs[j], NULL, + DYNAMIC_TYPE_TMP_BUFFER)); - /* Invalid string to parse. */ - wolfSSL_ASN1_STRING_free(str); - str = NULL; - ExpectNotNull(str = wolfSSL_ASN1_STRING_new()); - ExpectIntEQ(ASN1_STRING_set(str, "bad", 4), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_EXTENSION_set_data(ext, str), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, -1), WOLFSSL_FAILURE); + /* Encrypt plaintext. */ + if (i == 2) { + ExpectIntEQ(EVP_CipherUpdate(encCtx, cipherText, &outl, + plainTexts[j], plainTextSzs[j]), + SSL_SUCCESS); + } + else { + ExpectIntEQ(EVP_Cipher(encCtx, cipherText, (byte *)plainTexts[j], + plainTextSzs[j]), plainTextSzs[j]); + } - wolfSSL_ASN1_STRING_free(str); - wolfSSL_ASN1_OBJECT_free(obj); - wolfSSL_X509_EXTENSION_free(ext); + if (i == 2) { + ExpectIntEQ(EVP_CipherFinal(encCtx, cipherText, &outl), + SSL_SUCCESS); + } + else { + /* + * Calling EVP_Cipher with NULL input and output for AES-GCM is + * akin to calling EVP_CipherFinal. 
+ */ + ExpectIntGE(EVP_Cipher(encCtx, NULL, NULL, 0), 0); + } - return EXPECT_RESULT(); -} + /* Check ciphertext against expected. */ + ExpectIntEQ(XMEMCMP(cipherText, expCipherTexts[j], plainTextSzs[j]), + 0); -static int test_x509_add_auth_key_id(WOLFSSL_X509* x509) -{ - EXPECT_DECLS; - const byte objData[] = { 0x06, 0x03, 0x55, 0x1d, 0x23 }; - const byte data[] = { - 0x04, 0x81, 0xcc, 0x30, 0x81, 0xc9, 0x80, 0x14, - 0x27, 0x8e, 0x67, 0x11, 0x74, 0xc3, 0x26, 0x1d, - 0x3f, 0xed, 0x33, 0x63, 0xb3, 0xa4, 0xd8, 0x1d, - 0x30, 0xe5, 0xe8, 0xd5, 0xa1, 0x81, 0x9a, 0xa4, - 0x81, 0x97, 0x30, 0x81, 0x94, 0x31, 0x0b, 0x30, - 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, - 0x55, 0x53, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, - 0x55, 0x04, 0x08, 0x0c, 0x07, 0x4d, 0x6f, 0x6e, - 0x74, 0x61, 0x6e, 0x61, 0x31, 0x10, 0x30, 0x0e, - 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x07, 0x42, - 0x6f, 0x7a, 0x65, 0x6d, 0x61, 0x6e, 0x31, 0x11, - 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, - 0x08, 0x53, 0x61, 0x77, 0x74, 0x6f, 0x6f, 0x74, - 0x68, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, - 0x04, 0x0b, 0x0c, 0x0a, 0x43, 0x6f, 0x6e, 0x73, - 0x75, 0x6c, 0x74, 0x69, 0x6e, 0x67, 0x31, 0x18, - 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, - 0x0f, 0x77, 0x77, 0x77, 0x2e, 0x77, 0x6f, 0x6c, - 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, - 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, - 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, - 0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40, 0x77, 0x6f, - 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, - 0x6d, 0x82, 0x14, 0x33, 0x44, 0x1a, 0xa8, 0x6c, - 0x01, 0xec, 0xf6, 0x60, 0xf2, 0x70, 0x51, 0x0a, - 0x4c, 0xd1, 0x14, 0xfa, 0xbc, 0xe9, 0x44 - }; - const byte* p; - WOLFSSL_X509_EXTENSION* ext = NULL; - WOLFSSL_ASN1_OBJECT* obj = NULL; - WOLFSSL_ASN1_STRING* str = NULL; + /* Get and check tag against expected. 
*/ + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(encCtx, EVP_CTRL_GCM_GET_TAG, + sizeof(tag), tag), SSL_SUCCESS); + ExpectIntEQ(XMEMCMP(tag, expTags[j], sizeof(tag)), 0); - p = objData; - ExpectNotNull(obj = wolfSSL_d2i_ASN1_OBJECT(NULL, &p, sizeof(objData))); - if (obj != NULL) { - obj->type = NID_authority_key_identifier; - } - p = data; - ExpectNotNull(str = d2i_ASN1_OCTET_STRING(NULL, &p, (long)sizeof(data))); - ExpectNotNull(ext = wolfSSL_X509_EXTENSION_new()); - ExpectIntEQ(wolfSSL_X509_EXTENSION_set_object(ext, obj), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_EXTENSION_set_data(ext, str), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, -1), WOLFSSL_SUCCESS); + /*************** Decrypt ***************/ + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(decCtx, EVP_CTRL_GCM_IV_GEN, -1, + currentIv), SSL_SUCCESS); + /* Check current IV against expected. */ + ExpectIntEQ(XMEMCMP(currentIv, expIvs[j], GCM_NONCE_MID_SZ), 0); - /* Add second time with string to interpret. */ - ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, -1), WOLFSSL_SUCCESS); + /* Add AAD. */ + if (i == 2) { + /* Test streaming API. */ + ExpectIntEQ(EVP_CipherUpdate(decCtx, NULL, &outl, aads[j], + AAD_SIZE), SSL_SUCCESS); + } + else { + ExpectIntEQ(EVP_Cipher(decCtx, NULL, (byte *)aads[j], AAD_SIZE), + AAD_SIZE); + } - wolfSSL_ASN1_STRING_free(str); - wolfSSL_ASN1_OBJECT_free(obj); - wolfSSL_X509_EXTENSION_free(ext); + /* Set expected tag. */ + ExpectIntEQ(EVP_CIPHER_CTX_ctrl(decCtx, EVP_CTRL_GCM_SET_TAG, + sizeof(tag), tag), SSL_SUCCESS); - return EXPECT_RESULT(); -} + /* Decrypt ciphertext. */ + ExpectNotNull(calcPlainText = (byte*)XMALLOC(plainTextSzs[j], NULL, + DYNAMIC_TYPE_TMP_BUFFER)); + if (i == 2) { + ExpectIntEQ(EVP_CipherUpdate(decCtx, calcPlainText, &outl, + cipherText, plainTextSzs[j]), + SSL_SUCCESS); + } + else { + /* This first EVP_Cipher call will check the tag, too. 
*/ + ExpectIntEQ(EVP_Cipher(decCtx, calcPlainText, cipherText, + plainTextSzs[j]), plainTextSzs[j]); + } -static int test_x509_add_subj_key_id(WOLFSSL_X509* x509) -{ - EXPECT_DECLS; - const byte objData[] = { 0x06, 0x03, 0x55, 0x1d, 0x0e }; - const byte data[] = { - 0x04, 0x16, 0x04, 0x14, 0xb3, 0x11, 0x32, 0xc9, - 0x92, 0x98, 0x84, 0xe2, 0xc9, 0xf8, 0xd0, 0x3b, - 0x6e, 0x03, 0x42, 0xca, 0x1f, 0x0e, 0x8e, 0x3c - }; - const byte* p; - WOLFSSL_X509_EXTENSION* ext = NULL; - WOLFSSL_ASN1_OBJECT* obj = NULL; - WOLFSSL_ASN1_STRING* str = NULL; + if (i == 2) { + ExpectIntEQ(EVP_CipherFinal(decCtx, calcPlainText, &outl), + SSL_SUCCESS); + } + else { + ExpectIntGE(EVP_Cipher(decCtx, NULL, NULL, 0), 0); + } - p = objData; - ExpectNotNull(obj = wolfSSL_d2i_ASN1_OBJECT(NULL, &p, sizeof(objData))); - if (obj != NULL) { - obj->type = NID_subject_key_identifier; - } - p = data; - ExpectNotNull(str = d2i_ASN1_OCTET_STRING(NULL, &p, (long)sizeof(data))); - ExpectNotNull(ext = wolfSSL_X509_EXTENSION_new()); - ExpectIntEQ(wolfSSL_X509_EXTENSION_set_object(ext, obj), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_EXTENSION_set_data(ext, str), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, -1), WOLFSSL_SUCCESS); - /* Add second time with string to interpret. */ - ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, -1), WOLFSSL_SUCCESS); + /* Check plaintext against expected. 
*/ + ExpectIntEQ(XMEMCMP(calcPlainText, plainTexts[j], plainTextSzs[j]), + 0); - wolfSSL_ASN1_STRING_free(str); - wolfSSL_ASN1_OBJECT_free(obj); - wolfSSL_X509_EXTENSION_free(ext); + XFREE(cipherText, NULL, DYNAMIC_TYPE_TMP_BUFFER); + cipherText = NULL; + XFREE(calcPlainText, NULL, DYNAMIC_TYPE_TMP_BUFFER); + calcPlainText = NULL; + } + EVP_CIPHER_CTX_free(encCtx); + encCtx = NULL; + EVP_CIPHER_CTX_free(decCtx); + decCtx = NULL; + } +#endif return EXPECT_RESULT(); } -#endif - -static int test_wolfSSL_X509_add_ext(void) +static int test_wolfSSL_OBJ_ln(void) { EXPECT_DECLS; -#if defined(OPENSSL_ALL) - WOLFSSL_X509* x509 = NULL; - WOLFSSL_X509_EXTENSION* ext_empty = NULL; - WOLFSSL_X509_EXTENSION* ext = NULL; - WOLFSSL_ASN1_OBJECT* obj = NULL; - WOLFSSL_ASN1_STRING* data = NULL; - const byte* p; - const byte subjAltNameObj[] = { 0x06, 0x03, 0x55, 0x1d, 0x11 }; - const byte subjAltName[] = { - 0x04, 0x15, 0x30, 0x13, 0x82, 0x0b, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, - 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x87, 0x04, 0x7f, 0x00, 0x00, 0x01 + const int nid_set[] = { + NID_commonName, + NID_serialNumber, + NID_countryName, + NID_localityName, + NID_stateOrProvinceName, + NID_organizationName, + NID_organizationalUnitName, + NID_domainComponent, + NID_businessCategory, + NID_jurisdictionCountryName, + NID_jurisdictionStateOrProvinceName, + NID_emailAddress }; + const char* ln_set[] = { + "commonName", + "serialNumber", + "countryName", + "localityName", + "stateOrProvinceName", + "organizationName", + "organizationalUnitName", + "domainComponent", + "businessCategory", + "jurisdictionCountryName", + "jurisdictionStateOrProvinceName", + "emailAddress", + }; + size_t i = 0, maxIdx = sizeof(ln_set)/sizeof(char*); - ExpectNotNull(x509 = wolfSSL_X509_new()); - - /* Create extension: Subject Alternative Name */ - ExpectNotNull(ext_empty = wolfSSL_X509_EXTENSION_new()); - p = subjAltName; - ExpectNotNull(data = d2i_ASN1_OCTET_STRING(NULL, &p, - (long)sizeof(subjAltName))); - p = 
subjAltNameObj; - ExpectNotNull(obj = wolfSSL_d2i_ASN1_OBJECT(NULL, &p, - sizeof(subjAltNameObj))); - if (obj != NULL) { - obj->type = NID_subject_alt_name; - } - ExpectNotNull(ext = wolfSSL_X509_EXTENSION_new()); - ExpectIntEQ(wolfSSL_X509_EXTENSION_set_object(ext, obj), WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_X509_EXTENSION_set_data(ext, data), WOLFSSL_SUCCESS); - - /* Failure cases. */ - ExpectIntEQ(wolfSSL_X509_add_ext(NULL, NULL, 0), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_X509_add_ext(x509, NULL, 0), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_X509_add_ext(NULL, ext, 0), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_X509_add_ext(NULL, NULL, -1), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_X509_add_ext(NULL, ext, -1), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_X509_add_ext(x509, NULL, -1), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, 0), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext_empty, -1), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - - /* Add: Subject Alternative Name */ - ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, -1), WOLFSSL_SUCCESS); - /* Add second time to ensure no memory leaks. 
*/ - ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, -1), WOLFSSL_SUCCESS); - - wolfSSL_X509_EXTENSION_free(ext); - wolfSSL_ASN1_OBJECT_free(obj); - wolfSSL_ASN1_STRING_free(data); - wolfSSL_X509_EXTENSION_free(ext_empty); + ExpectIntEQ(OBJ_ln2nid(NULL), NID_undef); - EXPECT_TEST(test_X509_add_basic_constraints(x509)); - EXPECT_TEST(test_X509_add_key_usage(x509)); - EXPECT_TEST(test_X509_add_ext_key_usage(x509)); - EXPECT_TEST(test_x509_add_auth_key_id(x509)); - EXPECT_TEST(test_x509_add_subj_key_id(x509)); +#ifdef HAVE_ECC +#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) + { + EC_builtin_curve r[27]; + size_t nCurves = sizeof(r) / sizeof(r[0]); + nCurves = EC_get_builtin_curves(r, nCurves); - wolfSSL_X509_free(x509); + for (i = 0; i < nCurves; i++) { + /* skip ECC_CURVE_INVALID */ + if (r[i].nid != ECC_CURVE_INVALID) { + ExpectIntEQ(OBJ_ln2nid(r[i].comment), r[i].nid); + ExpectStrEQ(OBJ_nid2ln(r[i].nid), r[i].comment); + } + } + } #endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_X509_EXTENSION_new(void) -{ - EXPECT_DECLS; -#if defined (OPENSSL_ALL) - WOLFSSL_X509_EXTENSION* ext = NULL; - - ExpectNotNull(ext = wolfSSL_X509_EXTENSION_new()); - ExpectNotNull(ext->obj = wolfSSL_ASN1_OBJECT_new()); - - wolfSSL_X509_EXTENSION_free(NULL); - wolfSSL_X509_EXTENSION_free(ext); #endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_X509_EXTENSION_dup(void) -{ - EXPECT_DECLS; -#if defined (OPENSSL_ALL) - WOLFSSL_X509_EXTENSION* ext = NULL; - WOLFSSL_X509_EXTENSION* dup = NULL; - ExpectNull(wolfSSL_X509_EXTENSION_dup(NULL)); - ExpectNotNull(ext = wolfSSL_X509_EXTENSION_new()); - ExpectNotNull(dup = wolfSSL_X509_EXTENSION_dup(ext)); + for (i = 0; i < maxIdx; i++) { + ExpectIntEQ(OBJ_ln2nid(ln_set[i]), nid_set[i]); + ExpectStrEQ(OBJ_nid2ln(nid_set[i]), ln_set[i]); + } - wolfSSL_X509_EXTENSION_free(dup); - wolfSSL_X509_EXTENSION_free(ext); -#endif return EXPECT_RESULT(); } -static int test_wolfSSL_X509_EXTENSION_get_object(void) 
+static int test_wolfSSL_OBJ_sn(void) { EXPECT_DECLS; -#if !defined(NO_FILESYSTEM) && defined(OPENSSL_ALL) && !defined(NO_RSA) - WOLFSSL_X509* x509 = NULL; - WOLFSSL_X509_EXTENSION* ext = NULL; - WOLFSSL_X509_EXTENSION* dup = NULL; - WOLFSSL_ASN1_OBJECT* o = NULL; - XFILE file = XBADFILE; - - ExpectTrue((file = XFOPEN("./certs/server-cert.pem", "rb")) != XBADFILE); - ExpectNotNull(x509 = wolfSSL_PEM_read_X509(file, NULL, NULL, NULL)); - if (file != XBADFILE) - XFCLOSE(file); - - /* wolfSSL_X509_EXTENSION_get_object() testing ext idx 0 */ - ExpectNotNull(ext = wolfSSL_X509_get_ext(x509, 0)); - ExpectNull(wolfSSL_X509_EXTENSION_get_object(NULL)); - ExpectNotNull(o = wolfSSL_X509_EXTENSION_get_object(ext)); - ExpectIntEQ(o->nid, SUBJ_KEY_OID); - ExpectNotNull(dup = wolfSSL_X509_EXTENSION_dup(ext)); - wolfSSL_X509_EXTENSION_free(dup); + int i = 0, maxIdx = 7; + const int nid_set[] = {NID_commonName,NID_countryName,NID_localityName, + NID_stateOrProvinceName,NID_organizationName, + NID_organizationalUnitName,NID_emailAddress}; + const char* sn_open_set[] = {"CN","C","L","ST","O","OU","emailAddress"}; - /* wolfSSL_X509_EXTENSION_get_object() NULL argument */ - ExpectNull(o = wolfSSL_X509_EXTENSION_get_object(NULL)); + ExpectIntEQ(wolfSSL_OBJ_sn2nid(NULL), NID_undef); + for (i = 0; i < maxIdx; i++) { + ExpectIntEQ(wolfSSL_OBJ_sn2nid(sn_open_set[i]), nid_set[i]); + ExpectStrEQ(wolfSSL_OBJ_nid2sn(nid_set[i]), sn_open_set[i]); + } - wolfSSL_X509_free(x509); -#endif return EXPECT_RESULT(); } -static int test_wolfSSL_X509_EXTENSION_get_data(void) +#if !defined(NO_BIO) +static word32 TXT_DB_hash(const WOLFSSL_STRING *s) { - EXPECT_DECLS; -#if !defined(NO_FILESYSTEM) && defined(OPENSSL_ALL) && !defined(NO_RSA) - WOLFSSL_X509* x509 = NULL; - WOLFSSL_X509_EXTENSION* ext = NULL; - WOLFSSL_ASN1_STRING* str = NULL; - XFILE file = XBADFILE; -#ifndef WOLFSSL_OLD_EXTDATA_FMT - const byte ext_data[] = { - 0x04, 0x14, 0xB3, 0x11, 0x32, 0xC9, 0x92, 0x98, - 0x84, 0xE2, 0xC9, 0xF8, 0xD0, 
0x3B, 0x6E, 0x03, - 0x42, 0xCA, 0x1F, 0x0E, 0x8E, 0x3C, - }; -#endif - - ExpectTrue((file = XFOPEN("./certs/server-cert.pem", "rb")) != XBADFILE); - ExpectNotNull(x509 = wolfSSL_PEM_read_X509(file, NULL, NULL, NULL)); - if (file != XBADFILE) - XFCLOSE(file); - ExpectNotNull(ext = wolfSSL_X509_get_ext(x509, 0)); - - ExpectNull(str = wolfSSL_X509_EXTENSION_get_data(NULL)); - ExpectNotNull(str = wolfSSL_X509_EXTENSION_get_data(ext)); - -#ifndef WOLFSSL_OLD_EXTDATA_FMT - ExpectIntEQ(str->length, sizeof (ext_data)); - ExpectBufEQ(str->data, ext_data, sizeof (ext_data)); -#endif - - wolfSSL_X509_free(x509); -#endif - return EXPECT_RESULT(); + return (word32)lh_strhash(s[3]); } -static int test_wolfSSL_X509_EXTENSION_get_critical(void) +static int TXT_DB_cmp(const WOLFSSL_STRING *a, const WOLFSSL_STRING *b) { - EXPECT_DECLS; -#if !defined(NO_FILESYSTEM) && defined(OPENSSL_ALL) && !defined(NO_RSA) - WOLFSSL_X509* x509 = NULL; - WOLFSSL_X509_EXTENSION* ext = NULL; - XFILE file = XBADFILE; - int crit = 0; - - ExpectTrue((file = XFOPEN("./certs/server-cert.pem", "rb")) != XBADFILE); - ExpectNotNull(x509 = wolfSSL_PEM_read_X509(file, NULL, NULL, NULL)); - if (file != XBADFILE) - XFCLOSE(file); - ExpectNotNull(ext = wolfSSL_X509_get_ext(x509, 0)); - - ExpectIntEQ(crit = wolfSSL_X509_EXTENSION_get_critical(NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(crit = wolfSSL_X509_EXTENSION_get_critical(ext), 0); - - wolfSSL_X509_free(x509); -#endif - return EXPECT_RESULT(); + return XSTRCMP(a[3], b[3]); } - -static int test_wolfSSL_X509_EXTENSION_create_by_OBJ(void) -{ - EXPECT_DECLS; -#if !defined(NO_FILESYSTEM) && defined(OPENSSL_ALL) && !defined(NO_RSA) - XFILE file = XBADFILE; - WOLFSSL_X509* x509 = NULL; - WOLFSSL_X509* empty = NULL; - WOLFSSL_X509_EXTENSION* ext = NULL; - WOLFSSL_X509_EXTENSION* ext2 = NULL; - WOLFSSL_X509_EXTENSION* ext3 = NULL; - WOLFSSL_ASN1_OBJECT* o = NULL; - int crit = 0; - WOLFSSL_ASN1_STRING* str = NULL; - - ExpectTrue((file = 
XFOPEN("./certs/server-cert.pem", "rb")) != XBADFILE); - ExpectNotNull(x509 = wolfSSL_PEM_read_X509(file, NULL, NULL, NULL)); - if (file != XBADFILE) - XFCLOSE(file); - ExpectNotNull(ext = wolfSSL_X509_get_ext(x509, 0)); - - ExpectNotNull(o = wolfSSL_X509_EXTENSION_get_object(ext)); - ExpectIntEQ(crit = wolfSSL_X509_EXTENSION_get_critical(ext), 0); - ExpectNotNull(str = wolfSSL_X509_EXTENSION_get_data(ext)); - - ExpectNull(wolfSSL_X509_EXTENSION_create_by_OBJ(NULL, NULL, 0, NULL)); - ExpectNull(wolfSSL_X509_EXTENSION_create_by_OBJ(NULL, o, 0, NULL)); - ExpectNull(wolfSSL_X509_EXTENSION_create_by_OBJ(NULL, NULL, 0, str)); - ExpectNotNull(ext2 = wolfSSL_X509_EXTENSION_create_by_OBJ(NULL, o, crit, - str)); - ExpectNotNull(ext3 = wolfSSL_X509_EXTENSION_create_by_OBJ(ext2, o, crit, - str)); - if (ext3 == NULL) { - wolfSSL_X509_EXTENSION_free(ext2); - } - wolfSSL_X509_EXTENSION_free(ext3); - - ExpectIntEQ(wolfSSL_X509_get_ext_by_OBJ(NULL, NULL, -1), - WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); - ExpectIntEQ(wolfSSL_X509_get_ext_by_OBJ(NULL, o, -1), - WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); - ExpectNotNull(empty = wolfSSL_X509_new()); - ExpectIntEQ(wolfSSL_X509_get_ext_by_OBJ(empty, NULL, -1), - WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); - ExpectIntEQ(wolfSSL_X509_get_ext_by_OBJ(empty, o, -1), - WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); - wolfSSL_X509_free(empty); - empty = NULL; - ExpectIntEQ(wolfSSL_X509_get_ext_by_OBJ(x509, o, -2), 0); - ExpectIntEQ(wolfSSL_X509_get_ext_by_OBJ(x509, o, 0), - WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); - - wolfSSL_X509_free(x509); #endif - return EXPECT_RESULT(); -} -static int test_wolfSSL_X509V3_EXT_print(void) +static int test_wolfSSL_TXT_DB(void) { EXPECT_DECLS; -#if !defined(NO_FILESYSTEM) && defined(OPENSSL_ALL) && !defined(NO_BIO) && \ - !defined(NO_RSA) +#if !defined(NO_FILESYSTEM) && !defined(NO_BIO) + BIO *bio = NULL; + TXT_DB *db = NULL; + const int columns = 6; + const char *fields[6] = { + "V", + "320926161116Z", + "", + "12BD", + 
"unknown", + "/CN=rsa doe", + }; + char** fields_copy = NULL; - { - XFILE f = XBADFILE; - WOLFSSL_X509* x509 = NULL; - X509_EXTENSION * ext = NULL; - int loc = 0; - BIO *bio = NULL; - - ExpectTrue((f = XFOPEN(svrCertFile, "rb")) != XBADFILE); - ExpectNotNull(x509 = wolfSSL_PEM_read_X509(f, NULL, NULL, NULL)); - if (f != XBADFILE) - fclose(f); - - ExpectNotNull(bio = wolfSSL_BIO_new(BIO_s_mem())); - - ExpectIntGT(loc = wolfSSL_X509_get_ext_by_NID(x509, - NID_basic_constraints, -1), -1); - ExpectNotNull(ext = wolfSSL_X509_get_ext(x509, loc)); - - /* Failure cases. */ - ExpectIntEQ(wolfSSL_X509V3_EXT_print(NULL, NULL, 0, 0), - WOLFSSL_FAILURE); - ExpectIntEQ(wolfSSL_X509V3_EXT_print(bio , NULL, 0, 0), - WOLFSSL_FAILURE); - ExpectIntEQ(wolfSSL_X509V3_EXT_print(NULL, ext , 0, 0), - WOLFSSL_FAILURE); - /* Good case. */ - ExpectIntEQ(wolfSSL_X509V3_EXT_print(bio, ext, 0, 0), WOLFSSL_SUCCESS); - - ExpectIntGT(loc = wolfSSL_X509_get_ext_by_NID(x509, - NID_subject_key_identifier, -1), -1); - ExpectNotNull(ext = wolfSSL_X509_get_ext(x509, loc)); - ExpectIntEQ(wolfSSL_X509V3_EXT_print(bio, ext, 0, 0), WOLFSSL_SUCCESS); - - ExpectIntGT(loc = wolfSSL_X509_get_ext_by_NID(x509, - NID_authority_key_identifier, -1), -1); - ExpectNotNull(ext = wolfSSL_X509_get_ext(x509, loc)); - ExpectIntEQ(wolfSSL_X509V3_EXT_print(bio, ext, 0, 0), WOLFSSL_SUCCESS); - - wolfSSL_BIO_free(bio); - wolfSSL_X509_free(x509); + /* Test read */ + ExpectNotNull(bio = BIO_new(BIO_s_file())); + ExpectIntGT(BIO_read_filename(bio, "./tests/TXT_DB.txt"), 0); + ExpectNotNull(db = TXT_DB_read(bio, columns)); + ExpectNotNull(fields_copy = (char**)XMALLOC(sizeof(fields), NULL, + DYNAMIC_TYPE_OPENSSL)); + if (fields_copy != NULL) { + XMEMCPY(fields_copy, fields, sizeof(fields)); } - - { - X509 *x509 = NULL; - BIO *bio = NULL; - X509_EXTENSION *ext = NULL; - unsigned int i = 0; - unsigned int idx = 0; - /* Some NIDs to test with */ - int nids[] = { - /* NID_key_usage, currently X509_get_ext returns this as a bit - * 
string, which messes up X509V3_EXT_print */ - /* NID_ext_key_usage, */ - NID_subject_alt_name, - }; - int* n = NULL; - - ExpectNotNull(bio = BIO_new_fp(stderr, BIO_NOCLOSE)); - - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFileExt, - WOLFSSL_FILETYPE_PEM)); - - ExpectIntGT(fprintf(stderr, "\nPrinting extension values:\n"), 0); - - for (i = 0, n = nids; i<(sizeof(nids)/sizeof(int)); i++, n++) { - /* X509_get_ext_by_NID should return 3 for now. If that changes then - * update the index */ - ExpectIntEQ((idx = X509_get_ext_by_NID(x509, *n, -1)), 3); - ExpectNotNull(ext = X509_get_ext(x509, (int)idx)); - ExpectIntEQ(X509V3_EXT_print(bio, ext, 0, 0), 1); - ExpectIntGT(fprintf(stderr, "\n"), 0); - } - - BIO_free(bio); - X509_free(x509); + ExpectIntEQ(TXT_DB_insert(db, fields_copy), 1); + if (EXPECT_FAIL()) { + XFREE(fields_copy, NULL, DYNAMIC_TYPE_OPENSSL); } + BIO_free(bio); + bio = NULL; - { - BIO* bio = NULL; - X509_EXTENSION* ext = NULL; - WOLFSSL_ASN1_OBJECT* obj = NULL; - - ExpectNotNull(bio = BIO_new_fp(stderr, BIO_NOCLOSE)); - ExpectNotNull(ext = X509_EXTENSION_new()); - - /* No object. */ - ExpectIntEQ(wolfSSL_X509V3_EXT_print(bio, ext, 0, 0), WOLFSSL_FAILURE); - - ExpectNotNull(obj = wolfSSL_ASN1_OBJECT_new()); - ExpectIntEQ(wolfSSL_X509_EXTENSION_set_object(ext, obj), - WOLFSSL_SUCCESS); - - /* NID not supported yet - just doesn't write anything. 
*/ - if (ext != NULL && ext->obj != NULL) { - ext->obj->nid = AUTH_INFO_OID; - ExpectIntEQ(wolfSSL_X509V3_EXT_print(bio, ext, 0, 0), - WOLFSSL_SUCCESS); - ext->obj->nid = CERT_POLICY_OID; - ExpectIntEQ(wolfSSL_X509V3_EXT_print(bio, ext, 0, 0), - WOLFSSL_SUCCESS); - ext->obj->nid = CRL_DIST_OID; - ExpectIntEQ(wolfSSL_X509V3_EXT_print(bio, ext, 0, 0), - WOLFSSL_SUCCESS); - ext->obj->nid = KEY_USAGE_OID; - ExpectIntEQ(wolfSSL_X509V3_EXT_print(bio, ext, 0, 0), - WOLFSSL_SUCCESS); + /* Test write */ + ExpectNotNull(bio = BIO_new(BIO_s_mem())); + ExpectIntEQ(TXT_DB_write(bio, db), 1484); + BIO_free(bio); - ext->obj->nid = EXT_KEY_USAGE_OID; - ExpectIntEQ(wolfSSL_X509V3_EXT_print(bio, ext, 0, 0), - WOLFSSL_SUCCESS); - } + /* Test index */ + ExpectIntEQ(TXT_DB_create_index(db, 3, NULL, + (wolf_sk_hash_cb)(wc_ptr_t)TXT_DB_hash, + (wolf_lh_compare_cb)TXT_DB_cmp), 1); + ExpectNotNull(TXT_DB_get_by_index(db, 3, (WOLFSSL_STRING*)fields)); + fields[3] = "12DA"; + ExpectNotNull(TXT_DB_get_by_index(db, 3, (WOLFSSL_STRING*)fields)); + fields[3] = "FFFF"; + ExpectNull(TXT_DB_get_by_index(db, 3, (WOLFSSL_STRING*)fields)); + fields[3] = ""; + ExpectNull(TXT_DB_get_by_index(db, 3, (WOLFSSL_STRING*)fields)); - wolfSSL_ASN1_OBJECT_free(obj); - X509_EXTENSION_free(ext); - BIO_free(bio); - } + TXT_DB_free(db); #endif return EXPECT_RESULT(); } -static int test_wolfSSL_X509_cmp(void) +static int test_wolfSSL_NCONF(void) { EXPECT_DECLS; -#if defined(OPENSSL_ALL) && !defined(NO_RSA) - XFILE file1 = XBADFILE; - XFILE file2 = XBADFILE; - WOLFSSL_X509* cert1 = NULL; - WOLFSSL_X509* cert2 = NULL; - WOLFSSL_X509* empty = NULL; - - ExpectTrue((file1 = XFOPEN("./certs/server-cert.pem", "rb")) != XBADFILE); - ExpectTrue((file2 = XFOPEN("./certs/3072/client-cert.pem", "rb")) != - XBADFILE); - - ExpectNotNull(cert1 = wolfSSL_PEM_read_X509(file1, NULL, NULL, NULL)); - ExpectNotNull(cert2 = wolfSSL_PEM_read_X509(file2, NULL, NULL, NULL)); - if (file1 != XBADFILE) - fclose(file1); - if (file2 != XBADFILE) 
- fclose(file2); - - ExpectNotNull(empty = wolfSSL_X509_new()); - - /* wolfSSL_X509_cmp() testing matching certs */ - ExpectIntEQ(0, wolfSSL_X509_cmp(cert1, cert1)); - - /* wolfSSL_X509_cmp() testing mismatched certs */ - ExpectIntEQ(-1, wolfSSL_X509_cmp(cert1, cert2)); - - /* wolfSSL_X509_cmp() testing NULL, valid args */ - ExpectIntEQ(WC_NO_ERR_TRACE(BAD_FUNC_ARG), wolfSSL_X509_cmp(NULL, cert2)); - - /* wolfSSL_X509_cmp() testing valid, NULL args */ - ExpectIntEQ(WC_NO_ERR_TRACE(BAD_FUNC_ARG), wolfSSL_X509_cmp(cert1, NULL)); +#if !defined(NO_FILESYSTEM) && !defined(NO_BIO) + const char* confFile = "./tests/NCONF_test.cnf"; + CONF* conf = NULL; + long eline = 0; + long num = 0; - /* wolfSSL_X509_cmp() testing NULL, NULL args */ - ExpectIntEQ(WC_NO_ERR_TRACE(BAD_FUNC_ARG), wolfSSL_X509_cmp(NULL, NULL)); + ExpectNotNull(conf = NCONF_new(NULL)); - /* wolfSSL_X509_cmp() testing empty cert */ - ExpectIntEQ(WOLFSSL_FATAL_ERROR, wolfSSL_X509_cmp(empty, cert2)); - ExpectIntEQ(WOLFSSL_FATAL_ERROR, wolfSSL_X509_cmp(cert1, empty)); + ExpectIntEQ(NCONF_load(conf, confFile, &eline), 1); + ExpectIntEQ(NCONF_get_number(conf, NULL, "port", &num), 1); + ExpectIntEQ(num, 1234); + ExpectIntEQ(NCONF_get_number(conf, "section2", "port", &num), 1); + ExpectIntEQ(num, 4321); + ExpectStrEQ(NCONF_get_string(conf, NULL, "dir"), "./test-dir"); + ExpectStrEQ(NCONF_get_string(conf, "section1", "file1_copy"), + "./test-dir/file1"); + ExpectStrEQ(NCONF_get_string(conf, "section2", "file_list"), + "./test-dir/file1:./test-dir/file2:./section1:file2"); - wolfSSL_X509_free(empty); - wolfSSL_X509_free(cert2); - wolfSSL_X509_free(cert1); + NCONF_free(conf); #endif return EXPECT_RESULT(); } +#endif /* OPENSSL_ALL */ static int test_wolfSSL_EVP_PKEY_up_ref(void) { 
@@ -36379,21 +27735,6 @@ static int test_sk_X509_CRL(void)
 return EXPECT_RESULT();
 }
-static int test_X509_get_signature_nid(void)
-{
- EXPECT_DECLS;
-#if defined(OPENSSL_EXTRA) && !defined(NO_FILESYSTEM) && !defined(NO_RSA)
- X509* x509 = NULL;
-
- ExpectIntEQ(X509_get_signature_nid(NULL), 0);
- ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(svrCertFile,
- SSL_FILETYPE_PEM));
- ExpectIntEQ(X509_get_signature_nid(x509), NID_sha256WithRSAEncryption);
- X509_free(x509);
-#endif
- return EXPECT_RESULT();
-}
-
 static int test_X509_REQ(void)
 {
 EXPECT_DECLS;
@@ -37489,197 +28830,6 @@ static int test_wolfSSL_SMIME_write_PKCS7(void) #endif /* HAVE_SMIME */ #endif /* !NO_BIO */ -/* Test of X509 store use outside of SSL context w/ CRL lookup (ALWAYS - * returns 0) */ -static int test_X509_STORE_No_SSL_CTX(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_ALL) && defined(WOLFSSL_CERT_GEN) && \ - (defined(WOLFSSL_CERT_REQ) || defined(WOLFSSL_CERT_EXT)) && \ - !defined(NO_FILESYSTEM) && !defined(NO_WOLFSSL_DIR) && \ - (defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)) && \ - defined(HAVE_CRL) && !defined(NO_RSA) - - X509_STORE * store = NULL; - X509_STORE_CTX * storeCtx = NULL; - X509_CRL * crl = NULL; - X509 * ca = NULL; - X509 * cert = NULL; - const char cliCrlPem[] = "./certs/crl/cliCrl.pem"; - const char srvCert[] = "./certs/server-cert.pem"; - const char caCert[] = "./certs/ca-cert.pem"; - const char caDir[] = "./certs/crl/hash_pem"; - XFILE fp = XBADFILE; - X509_LOOKUP * lookup = NULL; - - ExpectNotNull(store = (X509_STORE *)X509_STORE_new()); - - /* Set up store with CA */ - ExpectNotNull((ca = wolfSSL_X509_load_certificate_file(caCert, - SSL_FILETYPE_PEM))); - ExpectIntEQ(X509_STORE_add_cert(store, ca), SSL_SUCCESS); - - /* Add CRL lookup directory to store - * NOTE: test uses ./certs/crl/hash_pem/0fdb2da4.r0, which is a copy - * of crl.pem */ - ExpectNotNull((lookup = X509_STORE_add_lookup(store, - X509_LOOKUP_hash_dir()))); - ExpectIntEQ(X509_LOOKUP_ctrl(lookup, X509_L_ADD_DIR, caDir, - X509_FILETYPE_PEM, NULL), SSL_SUCCESS); - - ExpectIntEQ(X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK), - SSL_SUCCESS); - - /* Add CRL to store NOT containing the verified certificate, which - * forces use of the CRL lookup directory */ - ExpectTrue((fp = XFOPEN(cliCrlPem, "rb")) != XBADFILE); - ExpectNotNull(crl = (X509_CRL *)PEM_read_X509_CRL(fp, (X509_CRL **)NULL, - NULL, NULL)); - if (fp != XBADFILE) - XFCLOSE(fp); - ExpectIntEQ(X509_STORE_add_crl(store, crl), SSL_SUCCESS); - - /* Create verification context outside of an 
SSL session */ - ExpectNotNull((storeCtx = X509_STORE_CTX_new())); - ExpectNotNull((cert = wolfSSL_X509_load_certificate_file(srvCert, - SSL_FILETYPE_PEM))); - ExpectIntEQ(X509_STORE_CTX_init(storeCtx, store, cert, NULL), SSL_SUCCESS); - - /* Perform verification, which should NOT indicate CRL missing due to the - * store CM's X509 store pointer being NULL */ - ExpectIntNE(X509_verify_cert(storeCtx), WC_NO_ERR_TRACE(CRL_MISSING)); - - X509_CRL_free(crl); - X509_STORE_free(store); - X509_STORE_CTX_free(storeCtx); - X509_free(cert); - X509_free(ca); -#endif - return EXPECT_RESULT(); -} - -/* Test of X509 store use outside of SSL context w/ CRL lookup, but - * with X509_LOOKUP_add_dir and X509_FILETYPE_ASN1. */ -static int test_X509_LOOKUP_add_dir(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_ALL) && defined(WOLFSSL_CERT_GEN) && \ - (defined(WOLFSSL_CERT_REQ) || defined(WOLFSSL_CERT_EXT)) && \ - !defined(NO_FILESYSTEM) && !defined(NO_WOLFSSL_DIR) && \ - (defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)) && \ - defined(HAVE_CRL) && !defined(NO_RSA) - - X509_STORE * store = NULL; - X509_STORE_CTX * storeCtx = NULL; - X509_CRL * crl = NULL; - X509 * ca = NULL; - X509 * cert = NULL; - const char cliCrlPem[] = "./certs/crl/cliCrl.pem"; - const char srvCert[] = "./certs/server-cert.pem"; - const char caCert[] = "./certs/ca-cert.pem"; - const char caDir[] = "./certs/crl/hash_der"; - XFILE fp = XBADFILE; - X509_LOOKUP * lookup = NULL; - - ExpectNotNull(store = (X509_STORE *)X509_STORE_new()); - - /* Set up store with CA */ - ExpectNotNull((ca = wolfSSL_X509_load_certificate_file(caCert, - SSL_FILETYPE_PEM))); - ExpectIntEQ(X509_STORE_add_cert(store, ca), SSL_SUCCESS); - - /* Add CRL lookup directory to store. 
- * Test uses ./certs/crl/hash_der/0fdb2da4.r0, which is a copy - * of crl.der */ - ExpectNotNull((lookup = X509_STORE_add_lookup(store, - X509_LOOKUP_hash_dir()))); - - ExpectIntEQ(X509_LOOKUP_add_dir(lookup, caDir, X509_FILETYPE_ASN1), - SSL_SUCCESS); - - ExpectIntEQ(X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK), - SSL_SUCCESS); - - /* Add CRL to store NOT containing the verified certificate, which - * forces use of the CRL lookup directory */ - ExpectTrue((fp = XFOPEN(cliCrlPem, "rb")) != XBADFILE); - ExpectNotNull(crl = (X509_CRL *)PEM_read_X509_CRL(fp, (X509_CRL **)NULL, - NULL, NULL)); - if (fp != XBADFILE) { - XFCLOSE(fp); - fp = XBADFILE; - } - ExpectIntEQ(X509_STORE_add_crl(store, crl), SSL_SUCCESS); - - /* Create verification context outside of an SSL session */ - ExpectNotNull((storeCtx = X509_STORE_CTX_new())); - ExpectNotNull((cert = wolfSSL_X509_load_certificate_file(srvCert, - SSL_FILETYPE_PEM))); - ExpectIntEQ(X509_STORE_CTX_init(storeCtx, store, cert, NULL), SSL_SUCCESS); - - /* Perform verification, which should NOT return CRL missing */ - ExpectIntNE(X509_verify_cert(storeCtx), WC_NO_ERR_TRACE(CRL_MISSING)); - - X509_CRL_free(crl); - crl = NULL; - X509_STORE_free(store); - store = NULL; - X509_STORE_CTX_free(storeCtx); - storeCtx = NULL; - X509_free(cert); - cert = NULL; - X509_free(ca); - ca = NULL; - - /* Now repeat the same, but look for X509_FILETYPE_PEM. - * We should get CRL_MISSING at the end, because the lookup - * dir has only ASN1 CRLs. 
*/ - - ExpectNotNull(store = (X509_STORE *)X509_STORE_new()); - - ExpectNotNull((ca = wolfSSL_X509_load_certificate_file(caCert, - SSL_FILETYPE_PEM))); - ExpectIntEQ(X509_STORE_add_cert(store, ca), SSL_SUCCESS); - - ExpectNotNull((lookup = X509_STORE_add_lookup(store, - X509_LOOKUP_hash_dir()))); - - ExpectIntEQ(X509_LOOKUP_add_dir(lookup, caDir, X509_FILETYPE_PEM), - SSL_SUCCESS); - - ExpectIntEQ(X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK), - SSL_SUCCESS); - - ExpectTrue((fp = XFOPEN(cliCrlPem, "rb")) != XBADFILE); - ExpectNotNull(crl = (X509_CRL *)PEM_read_X509_CRL(fp, (X509_CRL **)NULL, - NULL, NULL)); - if (fp != XBADFILE) { - XFCLOSE(fp); - fp = XBADFILE; - } - ExpectIntEQ(X509_STORE_add_crl(store, crl), SSL_SUCCESS); - - ExpectNotNull((storeCtx = X509_STORE_CTX_new())); - ExpectNotNull((cert = wolfSSL_X509_load_certificate_file(srvCert, - SSL_FILETYPE_PEM))); - ExpectIntEQ(X509_STORE_CTX_init(storeCtx, store, cert, NULL), SSL_SUCCESS); - - /* Now we SHOULD get CRL_MISSING, because we looked for PEM - * in dir containing only ASN1/DER. */ - ExpectIntEQ(X509_verify_cert(storeCtx), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - ExpectIntEQ(X509_STORE_CTX_get_error(storeCtx), - X509_V_ERR_UNABLE_TO_GET_CRL); - - X509_CRL_free(crl); - X509_STORE_free(store); - X509_STORE_CTX_free(storeCtx); - X509_free(cert); - X509_free(ca); -#endif - return EXPECT_RESULT(); -} - - /*----------------------------------------------------------------------------* | Certificate Failure Checks 
@@ -38059,146 +29209,6 @@ static int test_wolfSSL_X509_CRL(void) return EXPECT_RESULT(); } -static int test_wolfSSL_X509_load_crl_file(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && defined(HAVE_CRL) && !defined(NO_FILESYSTEM) && \ - !defined(NO_STDIO_FILESYSTEM) && !defined(NO_RSA) && !defined(NO_BIO) && \ - !defined(WOLFSSL_CRL_ALLOW_MISSING_CDP) - int i; - char pem[][100] = { - "./certs/crl/crl.pem", - "./certs/crl/crl2.pem", - "./certs/crl/caEccCrl.pem", - "./certs/crl/eccCliCRL.pem", - "./certs/crl/eccSrvCRL.pem", - #ifdef WC_RSA_PSS - "./certs/crl/crl_rsapss.pem", - #endif - "" - }; - char der[][100] = { - "./certs/crl/crl.der", - "./certs/crl/crl2.der", - "" - }; - WOLFSSL_X509_STORE* store = NULL; - WOLFSSL_X509_LOOKUP* lookup = NULL; - - ExpectNotNull(store = wolfSSL_X509_STORE_new()); - ExpectNotNull(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file())); - - ExpectIntEQ(X509_LOOKUP_load_file(lookup, "certs/ca-cert.pem", - X509_FILETYPE_PEM), 1); -#ifdef WC_RSA_PSS - ExpectIntEQ(X509_LOOKUP_load_file(lookup, "certs/rsapss/ca-rsapss.pem", - X509_FILETYPE_PEM), 1); -#endif - ExpectIntEQ(X509_LOOKUP_load_file(lookup, "certs/server-revoked-cert.pem", - X509_FILETYPE_PEM), 1); - if (store) { - ExpectIntEQ(wolfSSL_CertManagerVerify(store->cm, svrCertFile, - WOLFSSL_FILETYPE_PEM), 1); - /* since store hasn't yet known the revoked cert*/ - ExpectIntEQ(wolfSSL_CertManagerVerify(store->cm, - "certs/server-revoked-cert.pem", WOLFSSL_FILETYPE_PEM), 1); - } - - ExpectIntEQ(X509_load_crl_file(lookup, pem[0], 0), 0); - for (i = 0; pem[i][0] != '\0'; i++) { - ExpectIntEQ(X509_load_crl_file(lookup, pem[i], WOLFSSL_FILETYPE_PEM), - 1); - } - - if (store) { - /* since store knows crl list */ - ExpectIntEQ(wolfSSL_CertManagerVerify(store->cm, - "certs/server-revoked-cert.pem", WOLFSSL_FILETYPE_PEM), - WC_NO_ERR_TRACE(CRL_CERT_REVOKED)); -#ifdef WC_RSA_PSS - ExpectIntEQ(wolfSSL_CertManagerVerify(store->cm, - "certs/rsapss/server-rsapss-cert.pem", 
WOLFSSL_FILETYPE_PEM), - WC_NO_ERR_TRACE(ASN_NO_SIGNER_E)); -#endif - } - /* once feeing store */ - X509_STORE_free(store); - store = NULL; - - ExpectNotNull(store = wolfSSL_X509_STORE_new()); - ExpectNotNull(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file())); - - ExpectIntEQ(X509_LOOKUP_load_file(lookup, "certs/ca-cert.pem", - X509_FILETYPE_PEM), 1); - ExpectIntEQ(X509_LOOKUP_load_file(lookup, "certs/server-revoked-cert.pem", - X509_FILETYPE_PEM), 1); - if (store) { - ExpectIntEQ(wolfSSL_CertManagerVerify(store->cm, svrCertFile, - WOLFSSL_FILETYPE_PEM), 1); - /* since store hasn't yet known the revoked cert*/ - ExpectIntEQ(wolfSSL_CertManagerVerify(store->cm, - "certs/server-revoked-cert.pem", WOLFSSL_FILETYPE_PEM), 1); - } - - for (i = 0; der[i][0] != '\0'; i++) { - ExpectIntEQ(X509_load_crl_file(lookup, der[i], WOLFSSL_FILETYPE_ASN1), - 1); - } - - if (store) { - /* since store knows crl list */ - ExpectIntEQ(wolfSSL_CertManagerVerify(store->cm, - "certs/server-revoked-cert.pem", WOLFSSL_FILETYPE_PEM), - WC_NO_ERR_TRACE(CRL_CERT_REVOKED)); - } - - /* test for incorrect parameter */ - ExpectIntEQ(X509_load_crl_file(NULL, pem[0], 0), 0); - ExpectIntEQ(X509_load_crl_file(lookup, NULL, 0), 0); - ExpectIntEQ(X509_load_crl_file(NULL, NULL, 0), 0); - - X509_STORE_free(store); - store = NULL; -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_i2d_X509(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && defined(USE_CERT_BUFFERS_2048) && !defined(NO_RSA) - const unsigned char* cert_buf = server_cert_der_2048; - unsigned char* out = NULL; - unsigned char* tmp = NULL; - const unsigned char* nullPtr = NULL; - const unsigned char notCert[2] = { 0x30, 0x00 }; - const unsigned char* notCertPtr = notCert; - X509* cert = NULL; - - ExpectNull(d2i_X509(NULL, NULL, sizeof_server_cert_der_2048)); - ExpectNull(d2i_X509(NULL, &nullPtr, sizeof_server_cert_der_2048)); - ExpectNull(d2i_X509(NULL, &cert_buf, 0)); - ExpectNull(d2i_X509(NULL, ¬CertPtr, 
sizeof(notCert)));
- ExpectNotNull(d2i_X509(&cert, &cert_buf, sizeof_server_cert_der_2048));
- /* Pointer should be advanced */
- ExpectPtrGT(cert_buf, server_cert_der_2048);
- ExpectIntGT(i2d_X509(cert, &out), 0);
- ExpectNotNull(out);
- tmp = out;
- ExpectIntGT(i2d_X509(cert, &tmp), 0);
- ExpectPtrGT(tmp, out);
-#if defined(WOLFSSL_CERT_GEN) && !defined(NO_BIO) && !defined(NO_FILESYSTEM)
- ExpectIntEQ(wolfSSL_PEM_write_X509(XBADFILE, NULL), 0);
- ExpectIntEQ(wolfSSL_PEM_write_X509(XBADFILE, cert), 0);
- ExpectIntEQ(wolfSSL_PEM_write_X509(stderr, cert), 1);
-#endif
-
- XFREE(out, NULL, DYNAMIC_TYPE_OPENSSL);
- X509_free(cert);
-#endif
- return EXPECT_RESULT();
-}
-
 static int test_wolfSSL_d2i_X509_REQ(void)
 {
 EXPECT_DECLS;
@@ -38389,23 +29399,6 @@ static int test_wolfSSL_d2i_X509_REQ(void)
 return EXPECT_RESULT();
 }
-static int test_wolfSSL_PEM_read_X509(void)
-{
- EXPECT_DECLS;
-#if defined(OPENSSL_EXTRA) && defined(HAVE_CRL) && !defined(NO_FILESYSTEM) && \
- !defined(NO_RSA)
- X509 *x509 = NULL;
- XFILE fp = XBADFILE;
-
- ExpectTrue((fp = XFOPEN(svrCertFile, "rb")) != XBADFILE);
- ExpectNotNull(x509 = (X509 *)PEM_read_X509(fp, (X509 **)NULL, NULL, NULL));
- X509_free(x509);
- if (fp != XBADFILE)
- XFCLOSE(fp);
-#endif
- return EXPECT_RESULT();
-}
-
 static int test_wolfSSL_PEM_read(void)
 {
 EXPECT_DECLS;
@@ -39997,328 +30990,6 @@ static int test_wolfSSL_EVP_PKEY_hkdf(void) return EXPECT_RESULT(); } -#ifndef NO_BIO -static int test_wolfSSL_PEM_X509_INFO_read_bio(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_ALL) && !defined(NO_FILESYSTEM) && !defined(NO_RSA) - BIO* bio = NULL; - X509_INFO* info = NULL; - STACK_OF(X509_INFO)* sk = NULL; - STACK_OF(X509_INFO)* sk2 = NULL; - char* subject = NULL; - char exp1[] = "/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/" - "CN=www.wolfssl.com/emailAddress=info@wolfssl.com"; - char exp2[] = "/C=US/ST=Montana/L=Bozeman/O=wolfSSL/OU=Support/" - "CN=www.wolfssl.com/emailAddress=info@wolfssl.com"; - - ExpectNotNull(bio = BIO_new(BIO_s_file())); - ExpectIntGT(BIO_read_filename(bio, svrCertFile), 0); - ExpectNotNull(sk = PEM_X509_INFO_read_bio(bio, NULL, NULL, NULL)); - ExpectIntEQ(sk_X509_INFO_num(sk), 2); - - /* using dereference to maintain testing for Apache port*/ - ExpectNull(sk_X509_INFO_pop(NULL)); - ExpectNotNull(info = sk_X509_INFO_pop(sk)); - ExpectNotNull(subject = X509_NAME_oneline(X509_get_subject_name(info->x509), - 0, 0)); - - ExpectIntEQ(0, XSTRNCMP(subject, exp1, sizeof(exp1))); - XFREE(subject, 0, DYNAMIC_TYPE_OPENSSL); - subject = NULL; - X509_INFO_free(info); - info = NULL; - - ExpectNotNull(info = sk_X509_INFO_pop(sk)); - ExpectNotNull(subject = X509_NAME_oneline(X509_get_subject_name(info->x509), - 0, 0)); - - ExpectIntEQ(0, XSTRNCMP(subject, exp2, sizeof(exp2))); - XFREE(subject, 0, DYNAMIC_TYPE_OPENSSL); - subject = NULL; - X509_INFO_free(info); - ExpectNull(info = sk_X509_INFO_pop(sk)); - - sk_X509_INFO_pop_free(sk, X509_INFO_free); - sk = NULL; - BIO_free(bio); - bio = NULL; - - ExpectNotNull(sk = wolfSSL_sk_X509_INFO_new_null()); - ExpectNotNull(bio = BIO_new(BIO_s_file())); - ExpectIntGT(BIO_read_filename(bio, svrCertFile), 0); - ExpectNotNull(sk2 = PEM_X509_INFO_read_bio(bio, sk, NULL, NULL)); - ExpectPtrEq(sk, sk2); - if (sk2 != sk) { - sk_X509_INFO_pop_free(sk, X509_INFO_free); - } - sk = NULL; - 
BIO_free(bio); - sk_X509_INFO_pop_free(sk2, X509_INFO_free); - - ExpectNotNull(sk = wolfSSL_sk_X509_INFO_new_null()); - sk_X509_INFO_free(sk); -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_PEM_X509_INFO_read(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_ALL) && !defined(NO_FILESYSTEM) && !defined(NO_RSA) - XFILE fp = XBADFILE; - STACK_OF(X509_INFO)* sk = NULL; - - ExpectTrue((fp = XFOPEN(svrCertFile, "rb")) != XBADFILE); - ExpectNull(wolfSSL_PEM_X509_INFO_read(XBADFILE, NULL, NULL, NULL)); - ExpectNotNull(sk = wolfSSL_PEM_X509_INFO_read(fp, NULL, NULL, NULL)); - - sk_X509_INFO_pop_free(sk, X509_INFO_free); - if (fp != XBADFILE) - XFCLOSE(fp); -#endif - return EXPECT_RESULT(); -} -#endif /* !NO_BIO */ - -static int test_wolfSSL_X509_NAME_ENTRY_get_object(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_FILESYSTEM) && !defined(NO_RSA) - X509 *x509 = NULL; - X509_NAME* name = NULL; - int idx = 0; - X509_NAME_ENTRY *ne = NULL; - ASN1_OBJECT *object = NULL; - - ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFile, - WOLFSSL_FILETYPE_PEM)); - ExpectNotNull(name = X509_get_subject_name(x509)); - ExpectIntGE(X509_NAME_get_index_by_NID(NULL, NID_commonName, -1), - BAD_FUNC_ARG); - ExpectIntGE(idx = X509_NAME_get_index_by_NID(name, NID_commonName, -1), 0); - ExpectIntGE(idx = X509_NAME_get_index_by_NID(name, NID_commonName, -2), 0); - - ExpectNotNull(ne = X509_NAME_get_entry(name, idx)); - ExpectNull(X509_NAME_ENTRY_get_object(NULL)); - ExpectNotNull(object = X509_NAME_ENTRY_get_object(ne)); - - X509_free(x509); -#endif - return EXPECT_RESULT(); -} - -static int test_wolfSSL_X509_STORE_get1_certs(void) -{ - EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_SIGNER_DER_CERT) && \ - !defined(NO_FILESYSTEM) && !defined(NO_RSA) - X509_STORE_CTX *storeCtx = NULL; - X509_STORE *store = NULL; - X509 *caX509 = NULL; - X509 *svrX509 = NULL; - X509_NAME *subject = NULL; - WOLF_STACK_OF(WOLFSSL_X509) *certs = NULL; - - 
ExpectNotNull(caX509 = X509_load_certificate_file(caCertFile, - SSL_FILETYPE_PEM)); - ExpectNotNull((svrX509 = wolfSSL_X509_load_certificate_file(svrCertFile, - SSL_FILETYPE_PEM))); - ExpectNotNull(storeCtx = X509_STORE_CTX_new()); - ExpectNotNull(store = X509_STORE_new()); - ExpectNotNull(subject = X509_get_subject_name(caX509)); - - /* Errors */ - ExpectNull(X509_STORE_get1_certs(storeCtx, subject)); - ExpectNull(X509_STORE_get1_certs(NULL, subject)); - ExpectNull(X509_STORE_get1_certs(storeCtx, NULL)); - - ExpectIntEQ(X509_STORE_add_cert(store, caX509), SSL_SUCCESS); - ExpectIntEQ(X509_STORE_CTX_init(storeCtx, store, caX509, NULL), - SSL_SUCCESS); - - /* Should find the cert */ - ExpectNotNull(certs = X509_STORE_get1_certs(storeCtx, subject)); - ExpectIntEQ(1, wolfSSL_sk_X509_num(certs)); - - sk_X509_pop_free(certs, NULL); - certs = NULL; - - /* Should not find the cert */ - ExpectNotNull(subject = X509_get_subject_name(svrX509)); - ExpectNotNull(certs = X509_STORE_get1_certs(storeCtx, subject)); - ExpectIntEQ(0, wolfSSL_sk_X509_num(certs)); - - sk_X509_pop_free(certs, NULL); - certs = NULL; - - X509_STORE_free(store); - X509_STORE_CTX_free(storeCtx); - X509_free(svrX509); - X509_free(caX509); -#endif /* OPENSSL_EXTRA && WOLFSSL_SIGNER_DER_CERT && !NO_FILESYSTEM */ - return EXPECT_RESULT(); -} - -#if defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \ - defined(WOLFSSL_LOCAL_X509_STORE) && \ - (defined(OPENSSL_ALL) || defined(WOLFSSL_QT)) && defined(HAVE_CRL) -static int test_wolfSSL_X509_STORE_set_get_crl_provider(X509_STORE_CTX* ctx, - X509_CRL** crl_out, X509* cert) { - X509_CRL *crl = NULL; - XFILE fp = XBADFILE; - char* cert_issuer = X509_NAME_oneline(X509_get_issuer_name(cert), NULL, 0); - int ret = 0; - - (void)ctx; - - if (cert_issuer == NULL) - return 0; - - if ((fp = XFOPEN("certs/crl/crl.pem", "rb")) != XBADFILE) { - PEM_read_X509_CRL(fp, &crl, NULL, NULL); - XFCLOSE(fp); - if (crl != NULL) { - char* crl_issuer = X509_NAME_oneline( - 
X509_CRL_get_issuer(crl), NULL, 0); - if ((crl_issuer != NULL) && - (XSTRCMP(cert_issuer, crl_issuer) == 0)) { - *crl_out = X509_CRL_dup(crl); - if (*crl_out != NULL) - ret = 1; - } - OPENSSL_free(crl_issuer); - } - } - - X509_CRL_free(crl); - OPENSSL_free(cert_issuer); - return ret; -} - -static int test_wolfSSL_X509_STORE_set_get_crl_provider2(X509_STORE_CTX* ctx, - X509_CRL** crl_out, X509* cert) { - (void)ctx; - (void)cert; - *crl_out = NULL; - return 1; -} - -#ifndef NO_WOLFSSL_STUB -static int test_wolfSSL_X509_STORE_set_get_crl_check(X509_STORE_CTX* ctx, - X509_CRL* crl) { - (void)ctx; - (void)crl; - return 1; -} -#endif - -static int test_wolfSSL_X509_STORE_set_get_crl_verify(int ok, - X509_STORE_CTX* ctx) { - int cert_error = X509_STORE_CTX_get_error(ctx); - X509_VERIFY_PARAM* param = X509_STORE_CTX_get0_param(ctx); - int flags = X509_VERIFY_PARAM_get_flags(param); - if ((flags & (X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL)) != - (X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL)) { - /* Make sure the flags are set */ - return 0; - } - /* Ignore CRL missing error */ -#ifndef OPENSSL_COMPATIBLE_DEFAULTS - if (cert_error == WC_NO_ERR_TRACE(CRL_MISSING)) -#else - if (cert_error == X509_V_ERR_UNABLE_TO_GET_CRL) -#endif - return 1; - return ok; -} - -static int test_wolfSSL_X509_STORE_set_get_crl_ctx_ready(WOLFSSL_CTX* ctx) -{ - EXPECT_DECLS; - X509_STORE* cert_store = NULL; - - ExpectIntEQ(wolfSSL_CTX_EnableCRL(ctx, WOLFSSL_CRL_CHECKALL), - WOLFSSL_SUCCESS); - ExpectNotNull(cert_store = SSL_CTX_get_cert_store(ctx)); - X509_STORE_set_get_crl(cert_store, - test_wolfSSL_X509_STORE_set_get_crl_provider); -#ifndef NO_WOLFSSL_STUB - X509_STORE_set_check_crl(cert_store, - test_wolfSSL_X509_STORE_set_get_crl_check); -#endif - - return EXPECT_RESULT(); -} - -static int test_wolfSSL_X509_STORE_set_get_crl_ctx_ready2(WOLFSSL_CTX* ctx) -{ - EXPECT_DECLS; - X509_STORE* cert_store = NULL; - X509_VERIFY_PARAM* param = NULL; - - SSL_CTX_set_verify(ctx, 
WOLFSSL_VERIFY_PEER, NULL); - ExpectIntEQ(wolfSSL_CTX_EnableCRL(ctx, WOLFSSL_CRL_CHECKALL), - WOLFSSL_SUCCESS); - ExpectNotNull(cert_store = SSL_CTX_get_cert_store(ctx)); - X509_STORE_set_get_crl(cert_store, - test_wolfSSL_X509_STORE_set_get_crl_provider2); -#ifndef NO_WOLFSSL_STUB - X509_STORE_set_check_crl(cert_store, - test_wolfSSL_X509_STORE_set_get_crl_check); -#endif - X509_STORE_set_verify_cb(cert_store, - test_wolfSSL_X509_STORE_set_get_crl_verify); - ExpectNotNull(X509_STORE_get0_param(cert_store)); - ExpectNotNull(param = X509_VERIFY_PARAM_new()); - ExpectIntEQ(X509_VERIFY_PARAM_inherit(NULL, NULL) , WOLFSSL_SUCCESS); - ExpectIntEQ(X509_VERIFY_PARAM_inherit(param, NULL) , WOLFSSL_SUCCESS); - ExpectIntEQ(X509_VERIFY_PARAM_inherit(param, - X509_STORE_get0_param(cert_store)), WOLFSSL_SUCCESS); - ExpectIntEQ(X509_VERIFY_PARAM_inherit(param, - X509_STORE_get0_param(cert_store)), 1); - ExpectIntEQ(X509_VERIFY_PARAM_set_flags( - param, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL), 1); - ExpectIntEQ(X509_STORE_set1_param(cert_store, param), 1); - ExpectIntEQ(X509_STORE_set_flags(cert_store, - X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL), 1); - - - X509_VERIFY_PARAM_free(param); - return EXPECT_RESULT(); -} -#endif - -/* This test mimics the usage of the CRL provider in gRPC */ -static int test_wolfSSL_X509_STORE_set_get_crl(void) -{ - EXPECT_DECLS; -#if defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \ - defined(WOLFSSL_LOCAL_X509_STORE) && \ - (defined(OPENSSL_ALL) || defined(WOLFSSL_QT)) && defined(HAVE_CRL) - test_ssl_cbf func_cb_client; - test_ssl_cbf func_cb_server; - - XMEMSET(&func_cb_client, 0, sizeof(func_cb_client)); - XMEMSET(&func_cb_server, 0, sizeof(func_cb_server)); - - func_cb_client.ctx_ready = test_wolfSSL_X509_STORE_set_get_crl_ctx_ready; - - ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&func_cb_client, - &func_cb_server, NULL), TEST_SUCCESS); - - XMEMSET(&func_cb_client, 0, sizeof(func_cb_client)); - XMEMSET(&func_cb_server, 
0, sizeof(func_cb_server)); - - func_cb_client.ctx_ready = test_wolfSSL_X509_STORE_set_get_crl_ctx_ready2; - - ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&func_cb_client, - &func_cb_server, NULL), TEST_SUCCESS); -#endif - return EXPECT_RESULT(); -} - - static int test_wolfSSL_dup_CA_list(void) { int res = TEST_SKIPPED; @@ -50890,32 +41561,17 @@ TEST_CASE testCases[] = { TEST_DECL(test_wolfSSL_lhash), - TEST_DECL(test_wolfSSL_certs), - TEST_DECL(test_wolfSSL_X509_ext_d2i), - - TEST_DECL(test_wolfSSL_private_keys), - TEST_DECL(test_wolfSSL_PEM_def_callback), - TEST_DECL(test_wolfSSL_PEM_read_PrivateKey), - TEST_DECL(test_wolfSSL_PEM_read_RSA_PUBKEY), - TEST_DECL(test_wolfSSL_PEM_read_PUBKEY), - TEST_DECL(test_wolfSSL_PEM_PrivateKey_rsa), - TEST_DECL(test_wolfSSL_PEM_PrivateKey_ecc), - TEST_DECL(test_wolfSSL_PEM_PrivateKey_dsa), - TEST_DECL(test_wolfSSL_PEM_PrivateKey_dh), - TEST_DECL(test_wolfSSL_PEM_PrivateKey), - TEST_DECL(test_wolfSSL_PEM_file_RSAKey), - TEST_DECL(test_wolfSSL_PEM_file_RSAPrivateKey), #ifndef NO_BIO TEST_DECL(test_wolfSSL_BIO), TEST_DECL(test_wolfSSL_BIO_BIO_ring_read), - TEST_DECL(test_wolfSSL_PEM_read_bio), - TEST_DECL(test_wolfSSL_PEM_bio_RSAKey), - TEST_DECL(test_wolfSSL_PEM_bio_DSAKey), - TEST_DECL(test_wolfSSL_PEM_bio_ECKey), - TEST_DECL(test_wolfSSL_PEM_bio_RSAPrivateKey), - TEST_DECL(test_wolfSSL_PEM_PUBKEY), #endif + TEST_DECL(test_wolfSSL_certs), + TEST_DECL(test_wolfSSL_X509_ext_d2i), + + TEST_DECL(test_wolfSSL_private_keys), + TEST_SSL_PEM_DECLS, + /* EVP API testing */ TEST_DECL(test_wolfSSL_EVP_ENCODE_CTX_new), TEST_DECL(test_wolfSSL_EVP_ENCODE_CTX_free), 
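Review bot: `TEST_SSL_PEM_DECLS` is registered after the `#endif` of the `#ifndef NO_BIO` block, yet several of the entries it replaces (`test_wolfSSL_PEM_read_bio`, `test_wolfSSL_PEM_bio_RSAKey`, `test_wolfSSL_PEM_bio_DSAKey`, `test_wolfSSL_PEM_bio_ECKey`, `test_wolfSSL_PEM_bio_RSAPrivateKey`, `test_wolfSSL_PEM_PUBKEY`) were previously declared only inside that guard. The macro's definition is not in this diff, so I cannot confirm it carries its own `#ifndef NO_BIO` guard around those BIO-based entries; if it does not, a NO_BIO build of `testCases[]` fails. Wrapping the registration here as `#ifndef NO_BIO` / `TEST_SSL_PEM_DECLS,` / `#endif` would also drop the non-BIO PEM tests, so the guard belongs inside the macro in the header that defines it, with a short comment at this site such as `/* PEM tests are declared by the macro; BIO-dependent entries must be guarded there */`. The later hunk in this file registers the new X509 groups as `TEST_OSSL_X509_*_DECLS`, so `TEST_OSSL_PEM_DECLS` would keep the naming consistent. The `testCases[]` initializer itself starts and ends outside this hunk.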
@@ -51069,133 +41725,29 @@ TEST_CASE testCases[] = { TEST_DECL(test_wolfSSL_OtherName), TEST_DECL(test_wolfSSL_FPKI), TEST_DECL(test_wolfSSL_URI), - TEST_DECL(test_wolfSSL_TBS), - - TEST_DECL(test_wolfSSL_X509_STORE_CTX), - TEST_DECL(test_wolfSSL_X509_STORE_CTX_ex), - TEST_DECL(test_X509_STORE_untrusted), -#if defined(OPENSSL_ALL) && !defined(NO_RSA) - TEST_DECL(test_X509_STORE_InvalidCa), -#endif - TEST_DECL(test_wolfSSL_X509_STORE_CTX_trusted_stack_cleanup), - TEST_DECL(test_wolfSSL_X509_STORE_CTX_get_issuer), - TEST_DECL(test_wolfSSL_X509_STORE_set_flags), - TEST_DECL(test_wolfSSL_X509_LOOKUP_load_file), - TEST_DECL(test_wolfSSL_X509_Name_canon), - TEST_DECL(test_wolfSSL_X509_LOOKUP_ctrl_file), - TEST_DECL(test_wolfSSL_X509_LOOKUP_ctrl_hash_dir), - TEST_DECL(test_wolfSSL_X509_NID), - TEST_DECL(test_wolfSSL_X509_STORE_CTX_set_time), - TEST_DECL(test_wolfSSL_get0_param), - TEST_DECL(test_wolfSSL_X509_VERIFY_PARAM_set1_host), - TEST_DECL(test_wolfSSL_set1_host), - TEST_DECL(test_wolfSSL_X509_VERIFY_PARAM_set1_ip), - TEST_DECL(test_wolfSSL_X509_STORE_CTX_get0_store), - TEST_DECL(test_wolfSSL_X509_STORE), - TEST_DECL(test_wolfSSL_X509_STORE_load_locations), - TEST_DECL(test_X509_STORE_get0_objects), - TEST_DECL(test_wolfSSL_X509_load_crl_file), - TEST_DECL(test_wolfSSL_X509_STORE_get1_certs), - TEST_DECL(test_wolfSSL_X509_STORE_set_get_crl), - TEST_DECL(test_wolfSSL_X509_NAME_ENTRY_get_object), - TEST_DECL(test_wolfSSL_X509_cmp_time), - TEST_DECL(test_wolfSSL_X509_time_adj), /* X509 tests */ - TEST_DECL(test_wolfSSL_X509_subject_name_hash), - TEST_DECL(test_wolfSSL_X509_issuer_name_hash), - TEST_DECL(test_wolfSSL_X509_check_host), - TEST_DECL(test_wolfSSL_X509_check_email), - TEST_DECL(test_wolfSSL_X509_check_private_key), - TEST_DECL(test_wolfSSL_X509), - TEST_DECL(test_wolfSSL_X509_VERIFY_PARAM), - TEST_DECL(test_wolfSSL_X509_sign), - TEST_DECL(test_wolfSSL_X509_sign2), - TEST_DECL(test_wolfSSL_X509_verify), - TEST_DECL(test_wolfSSL_X509_get0_tbs_sigalg), + 
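Review bot: The BIO-only PEM entries lose their build guard in this hunk: `TEST_SSL_PEM_DECLS` is emitted after the `#endif` of the `#ifndef NO_BIO` block that used to wrap `test_wolfSSL_PEM_read_bio`, `test_wolfSSL_PEM_bio_RSAKey`, `test_wolfSSL_PEM_bio_DSAKey`, `test_wolfSSL_PEM_bio_ECKey`, `test_wolfSSL_PEM_bio_RSAPrivateKey` and `test_wolfSSL_PEM_PUBKEY`, so any NO_BIO guarding now has to come from the macro itself, which the hunk does not show. The new test_ossl_pem.c appears to define these functions unconditionally with a `!defined(NO_BIO)` guard only around the body, in which case a NO_BIO build reports them as skipped rather than failing to link, but that should be confirmed against tests/api/test_ossl_pem.h. A one-line comment at the use site would save the next reader the same check, e.g. `/* PEM tests are self-guarded (NO_BIO etc.) inside test_ossl_pem.c; no #if needed here. */`. The testCases[] initializer starts and ends outside this hunk.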
TEST_OSSL_X509_DECLS, + TEST_OSSL_X509_NAME_DECLS, + TEST_OSSL_X509_EXT_DECLS, + TEST_OSSL_X509_PK_DECLS, + TEST_OSSL_X509_VFY_PARAMS_DECLS, + TEST_OSSL_X509_IO_DECLS, + TEST_OSSL_X509_CRYPTO_DECLS, + TEST_OSSL_X509_ACERT_DECLS, + TEST_OSSL_X509_INFO_DECLS, + TEST_DECL(test_wolfSSL_X509_ALGOR_get0), - TEST_DECL(test_wolfSSL_X509_get_X509_PUBKEY), - TEST_DECL(test_wolfSSL_X509_PUBKEY_RSA), - TEST_DECL(test_wolfSSL_X509_PUBKEY_EC), - TEST_DECL(test_wolfSSL_X509_PUBKEY_DSA), - TEST_DECL(test_wolfSSL_PEM_write_bio_X509), - TEST_DECL(test_wolfSSL_X509_NAME_get_entry), - TEST_DECL(test_wolfSSL_X509_NAME), - TEST_DECL(test_wolfSSL_X509_NAME_hash), - TEST_DECL(test_wolfSSL_X509_NAME_print_ex), - TEST_DECL(test_wolfSSL_X509_NAME_ENTRY), - TEST_DECL(test_wolfSSL_X509_set_name), - TEST_DECL(test_wolfSSL_X509_set_notAfter), - TEST_DECL(test_wolfSSL_X509_set_notBefore), - TEST_DECL(test_wolfSSL_X509_set_version), - TEST_DECL(test_wolfSSL_X509_get_serialNumber), - TEST_DECL(test_wolfSSL_X509_ext_get_critical_by_NID), - TEST_DECL(test_wolfSSL_X509_CRL_distribution_points), TEST_DECL(test_wolfSSL_X509_SEP), TEST_DECL(test_wolfSSL_X509_CRL), - TEST_DECL(test_wolfSSL_i2d_X509), - TEST_DECL(test_wolfSSL_PEM_read_X509), - TEST_DECL(test_wolfSSL_X509_check_ca), - TEST_DECL(test_wolfSSL_X509_check_ip_asc), - TEST_DECL(test_wolfSSL_X509_bad_altname), - TEST_DECL(test_wolfSSL_X509_name_match), - TEST_DECL(test_wolfSSL_X509_name_match2), - TEST_DECL(test_wolfSSL_X509_name_match3), - TEST_DECL(test_wolfSSL_X509_max_altnames), - TEST_DECL(test_wolfSSL_X509_max_name_constraints), - TEST_DECL(test_wolfSSL_make_cert), - - /* X509 ACERT tests */ - TEST_DECL(test_wolfSSL_X509_ACERT_verify), - TEST_DECL(test_wolfSSL_X509_ACERT_misc_api), - TEST_DECL(test_wolfSSL_X509_ACERT_buffer), - TEST_DECL(test_wolfSSL_X509_ACERT_new_and_sign), - TEST_DECL(test_wolfSSL_X509_ACERT_asn), - -#ifndef NO_BIO - TEST_DECL(test_wolfSSL_X509_INFO_multiple_info), - TEST_DECL(test_wolfSSL_X509_INFO), - 
TEST_DECL(test_wolfSSL_PEM_X509_INFO_read_bio), - TEST_DECL(test_wolfSSL_PEM_X509_INFO_read), -#endif - -#ifdef OPENSSL_ALL - TEST_DECL(test_wolfSSL_X509_PUBKEY_get), - TEST_DECL(test_wolfSSL_X509_set_pubkey), -#endif - - TEST_DECL(test_wolfSSL_X509_CA_num), - TEST_DECL(test_x509_get_key_id), - TEST_DECL(test_wolfSSL_X509_get_version), #ifndef NO_BIO TEST_DECL(test_wolfSSL_X509_print), TEST_DECL(test_wolfSSL_X509_CRL_print), #endif - TEST_DECL(test_X509_get_signature_nid), - /* X509 extension testing. */ - TEST_DECL(test_wolfSSL_X509_get_extension_flags), - TEST_DECL(test_wolfSSL_X509_get_ext), - TEST_DECL(test_wolfSSL_X509_get_ext_by_NID), - TEST_DECL(test_wolfSSL_X509_get_ext_subj_alt_name), - TEST_DECL(test_wolfSSL_X509_get_ext_count), - TEST_DECL(test_wolfSSL_X509_stack_extensions), - TEST_DECL(test_wolfSSL_X509_set_ext), - TEST_DECL(test_wolfSSL_X509_add_ext), - TEST_DECL(test_wolfSSL_X509_EXTENSION_new), - TEST_DECL(test_wolfSSL_X509_EXTENSION_dup), - TEST_DECL(test_wolfSSL_X509_EXTENSION_get_object), - TEST_DECL(test_wolfSSL_X509_EXTENSION_get_data), - TEST_DECL(test_wolfSSL_X509_EXTENSION_get_critical), - TEST_DECL(test_wolfSSL_X509_EXTENSION_create_by_OBJ), - TEST_DECL(test_wolfSSL_X509V3_set_ctx), - TEST_DECL(test_wolfSSL_X509V3_EXT_get), - TEST_DECL(test_wolfSSL_X509V3_EXT_nconf), - TEST_DECL(test_wolfSSL_X509V3_EXT), - TEST_DECL(test_wolfSSL_X509V3_EXT_bc), - TEST_DECL(test_wolfSSL_X509V3_EXT_san), - TEST_DECL(test_wolfSSL_X509V3_EXT_aia), - TEST_DECL(test_wolfSSL_X509V3_EXT_print), - TEST_DECL(test_wolfSSL_X509_cmp), + + /* X509 Store tests */ + TEST_OSSL_X509_STORE_DECLS, + TEST_OSSL_X509_LOOKUP_DECLS, TEST_DECL(test_GENERAL_NAME_set0_othername), TEST_DECL(test_othername_and_SID_ext), 
@@ -51210,10 +41762,6 @@ TEST_CASE testCases[] = { TEST_DECL(test_X509_REQ), TEST_DECL(test_wolfSSL_X509_REQ_print), - /* OpenSSL compatibility outside SSL context w/ CRL lookup directory */ - TEST_DECL(test_X509_STORE_No_SSL_CTX), - TEST_DECL(test_X509_LOOKUP_add_dir), - /* RAND compatibility API */ TEST_DECL(test_wolfSSL_RAND_set_rand_method), TEST_DECL(test_wolfSSL_RAND_bytes), @@ -51400,6 +41948,9 @@ TEST_CASE testCases[] = { TEST_DECL(test_wolfSSL_tmp_dh), TEST_DECL(test_wolfSSL_ctrl), + TEST_DECL(test_wolfSSL_get0_param), + TEST_DECL(test_wolfSSL_set1_host), + #if defined(OPENSSL_ALL) || (defined(OPENSSL_EXTRA) && \ (defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) || \ defined(HAVE_LIGHTY) || defined(WOLFSSL_HAPROXY) || \ @@ -51742,9 +42293,19 @@ void ApiTest_StopOnFail(void) void ApiTest_PrintTestCases(void) { int i; + const char* lastGroup = NULL; printf("All Test Cases:\n"); for (i = 0; i < TEST_CASE_CNT; i++) { + if ((lastGroup != NULL) && ((testCases[i].group == NULL) || + XSTRCMP(testCases[i].group, lastGroup) != 0)) { + printf("End Group : %s\n", lastGroup); + } + if ((testCases[i].group != NULL) && ((lastGroup == NULL) || + XSTRCMP(testCases[i].group, lastGroup) != 0)) { + printf("Begin Group: %s\n", testCases[i].group); + } + lastGroup = testCases[i].group; printf("%3d: %s\n", i + 1, testCases[i].name); } } @@ -51980,11 +42541,11 @@ int ApiTest(void) if ((lastGroup != NULL) && ((testCases[i].group == NULL) || XSTRCMP(testCases[i].group, lastGroup) != 0)) { - printf(" Group %s DONE\n", lastGroup); + printf(" End Group : %s\n", lastGroup); } if ((testCases[i].group != NULL) && ((lastGroup == NULL) || XSTRCMP(testCases[i].group, lastGroup) != 0)) { - printf(" Group %s START\n", testCases[i].group); + printf(" Begin Group: %s\n", testCases[i].group); } lastGroup = testCases[i].group; @@ -52029,7 +42590,7 @@ int ApiTest(void) } } if (lastGroup != NULL) { - printf(" Group %s DONE\n", lastGroup); + printf(" End Group : %s\n", lastGroup); } } 
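Review bot: Neither the build guards nor one-to-one coverage of the X509 entries can be verified from this hunk: `test_X509_STORE_InvalidCa` under `#if defined(OPENSSL_ALL) && !defined(NO_RSA)`, `test_wolfSSL_X509_PUBKEY_get`/`test_wolfSSL_X509_set_pubkey` under `#ifdef OPENSSL_ALL` and the X509_INFO tests under `#ifndef NO_BIO` are all replaced by opaque `TEST_OSSL_X509_*_DECLS` macros. This matters most for the certificate-verification tests that vanish from the list here (`test_wolfSSL_X509_check_host`, `test_wolfSSL_X509_bad_altname`, `test_wolfSSL_X509_name_match`/`_match2`/`_match3`, `test_wolfSSL_X509_max_altnames`, `test_wolfSSL_X509_max_name_constraints`): an entry that is not re-declared in its group header is silently dropped from the run rather than failing. Please confirm the test count printed by ApiTest_PrintTestCases before and after the change, documenting any tests that were intentionally merged or removed, and add a pointer for readers of this table, e.g. `/* X509 groups: see tests/api/test_ossl_x509*.h for the TEST_OSSL_X509_*_DECLS lists. */`. The testCases[] initializer starts and ends outside this hunk.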
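Review bot: ApiTest_PrintTestCases never prints the closing `End Group :` line for the final group, because the new bookkeeping only emits it when a later entry's group changes and nothing runs after the `for` loop, whereas ApiTest in the `@@ -52029` hunk has a post-loop `if (lastGroup != NULL)` for exactly this case. Add the same tail after the loop, `if (lastGroup != NULL) { printf("End Group : %s\n", lastGroup); }`, so every `Begin Group:` in the listing has a matching end marker. The begin/end logic is now duplicated verbatim between the two functions (differing only in the leading indent of the printf), so a small static helper taking the group, the last-group pointer and the indent string would keep the two outputs from drifting apart again.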
diff --git a/tests/api/include.am b/tests/api/include.am index d6274cbff21..79d15c0ef96 100644 --- a/tests/api/include.am +++ b/tests/api/include.am @@ -78,6 +78,21 @@ tests_unit_test_SOURCES += tests/api/test_ossl_ec.c tests_unit_test_SOURCES += tests/api/test_ossl_ecx.c tests_unit_test_SOURCES += tests/api/test_ossl_dsa.c tests_unit_test_SOURCES += tests/api/test_ossl_sk.c +# OpenSSL X509 +tests_unit_test_SOURCES += tests/api/test_ossl_x509.c +tests_unit_test_SOURCES += tests/api/test_ossl_x509_ext.c +tests_unit_test_SOURCES += tests/api/test_ossl_x509_name.c +tests_unit_test_SOURCES += tests/api/test_ossl_x509_pk.c +tests_unit_test_SOURCES += tests/api/test_ossl_x509_vp.c +tests_unit_test_SOURCES += tests/api/test_ossl_x509_io.c +tests_unit_test_SOURCES += tests/api/test_ossl_x509_crypto.c +tests_unit_test_SOURCES += tests/api/test_ossl_x509_acert.c +tests_unit_test_SOURCES += tests/api/test_ossl_x509_info.c +# OpenSSL X509 Store +tests_unit_test_SOURCES += tests/api/test_ossl_x509_str.c +tests_unit_test_SOURCES += tests/api/test_ossl_x509_lu.c +# SSL PEM +tests_unit_test_SOURCES += tests/api/test_ossl_pem.c # TLS 1.3 specific tests_unit_test_SOURCES += tests/api/test_tls13.c endif @@ -147,5 +162,17 @@ EXTRA_DIST += tests/api/test_ossl_ec.h EXTRA_DIST += tests/api/test_ossl_ecx.h EXTRA_DIST += tests/api/test_ossl_dsa.h EXTRA_DIST += tests/api/test_ossl_sk.h +EXTRA_DIST += tests/api/test_ossl_x509.h +EXTRA_DIST += tests/api/test_ossl_x509_ext.h +EXTRA_DIST += tests/api/test_ossl_x509_name.h +EXTRA_DIST += tests/api/test_ossl_x509_pk.h +EXTRA_DIST += tests/api/test_ossl_x509_vp.h +EXTRA_DIST += tests/api/test_ossl_x509_io.h +EXTRA_DIST += tests/api/test_ossl_x509_crypto.h +EXTRA_DIST += tests/api/test_ossl_x509_acert.h +EXTRA_DIST += tests/api/test_ossl_x509_info.h +EXTRA_DIST += tests/api/test_ossl_x509_str.h +EXTRA_DIST += tests/api/test_ossl_x509_lu.h +EXTRA_DIST += tests/api/test_ossl_pem.h EXTRA_DIST += tests/api/test_tls13.h 
diff --git a/tests/api/test_ossl_pem.c b/tests/api/test_ossl_pem.c new file mode 100644 index 00000000000..82dc63367be --- /dev/null +++ b/tests/api/test_ossl_pem.c 
@@ -0,0 +1,1261 @@ +/* test_ossl_pem.c + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +#include + +#ifdef NO_INLINE + #include +#else + #define WOLFSSL_MISC_INCLUDED + #include +#endif + +#include +#include +#ifdef OPENSSL_EXTRA + #include +#endif +#include +#include + + +int test_wolfSSL_PEM_def_callback(void) +{ + EXPECT_DECLS; +#ifdef OPENSSL_EXTRA + char buf[10]; + const char* defpwd = "DEF PWD"; + int defpwdLen = (int)XSTRLEN(defpwd); + int smallLen = 1; + + /* Bad parameters. */ + ExpectIntEQ(wolfSSL_PEM_def_callback(NULL, sizeof(buf), 0, NULL), 0); + ExpectIntEQ(wolfSSL_PEM_def_callback(NULL, sizeof(buf), 0, (void*)defpwd), + 0); + ExpectIntEQ(wolfSSL_PEM_def_callback(buf, sizeof(buf), 0, NULL), 0); + + XMEMSET(buf, 0, sizeof(buf)); + ExpectIntEQ(wolfSSL_PEM_def_callback(buf, sizeof(buf), 0, (void*)defpwd), + defpwdLen); + ExpectIntEQ(XMEMCMP(buf, defpwd, defpwdLen), 0); + ExpectIntEQ(buf[defpwdLen], 0); + /* Size of buffer is smaller than default password. 
*/ + XMEMSET(buf, 0, sizeof(buf)); + ExpectIntEQ(wolfSSL_PEM_def_callback(buf, smallLen, 0, (void*)defpwd), + smallLen); + ExpectIntEQ(XMEMCMP(buf, defpwd, smallLen), 0); + ExpectIntEQ(buf[smallLen], 0); +#endif /* OPENSSL_EXTRA */ + return EXPECT_RESULT(); +} + +int test_wolfSSL_PEM_read_PrivateKey(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_FILESYSTEM) && (!defined(NO_RSA) || \ + !defined(NO_DSA) || defined(HAVE_ECC) || !defined(NO_DH)) + XFILE file = XBADFILE; +#if !defined(NO_RSA) + const char* fname_rsa = "./certs/server-key.pem"; + RSA* rsa = NULL; + WOLFSSL_EVP_PKEY_CTX* ctx = NULL; + unsigned char* sig = NULL; + size_t sigLen = 0; + const unsigned char tbs[] = {0, 1, 2, 3, 4, 5, 6, 7}; + size_t tbsLen = sizeof(tbs); +#endif +#if !defined(NO_DSA) + const char* fname_dsa = "./certs/dsa2048.pem"; +#endif +#if defined(HAVE_ECC) + const char* fname_ec = "./certs/ecc-key.pem"; +#endif +#if !defined(NO_DH) + const char* fname_dh = "./certs/dh-priv-2048.pem"; +#endif + EVP_PKEY* pkey = NULL; + + /* Check error case. */ + ExpectNull(pkey = PEM_read_PrivateKey(NULL, NULL, NULL, NULL)); + + /* not a PEM key. */ + ExpectTrue((file = XFOPEN("./certs/ecc-key.der", "rb")) != XBADFILE); + ExpectNull(PEM_read_PrivateKey(file, NULL, NULL, NULL)); + if (file != XBADFILE) + XFCLOSE(file); + file = XBADFILE; + +#ifndef NO_RSA + /* Read in an RSA key. */ + ExpectTrue((file = XFOPEN(fname_rsa, "rb")) != XBADFILE); + ExpectNotNull(pkey = PEM_read_PrivateKey(file, NULL, NULL, NULL)); + if (file != XBADFILE) + XFCLOSE(file); + file = XBADFILE; + + /* Make sure the key is usable by signing some data with it. 
*/ + ExpectNotNull(rsa = EVP_PKEY_get0_RSA(pkey)); + ExpectIntGT((sigLen = RSA_size(rsa)), 0); + ExpectNotNull(sig = (unsigned char*)XMALLOC(sigLen, HEAP_HINT, + DYNAMIC_TYPE_TMP_BUFFER)); + ExpectNotNull(ctx = EVP_PKEY_CTX_new(pkey, NULL)); + ExpectIntEQ(EVP_PKEY_sign_init(ctx), WOLFSSL_SUCCESS); + ExpectIntEQ(EVP_PKEY_sign(ctx, sig, &sigLen, tbs, tbsLen), + WOLFSSL_SUCCESS); + + XFREE(sig, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + EVP_PKEY_CTX_free(ctx); + EVP_PKEY_free(pkey); + pkey = NULL; +#endif + +#ifndef NO_DSA + /* Read in a DSA key. */ + ExpectTrue((file = XFOPEN(fname_dsa, "rb")) != XBADFILE); +#if defined(WOLFSSL_QT) || defined(OPENSSL_ALL) || defined(WOLFSSL_OPENSSH) + ExpectNotNull(pkey = PEM_read_PrivateKey(file, NULL, NULL, NULL)); + EVP_PKEY_free(pkey); + pkey = NULL; +#else + ExpectNull(PEM_read_PrivateKey(file, NULL, NULL, NULL)); +#endif + if (file != XBADFILE) + XFCLOSE(file); + file = XBADFILE; +#endif + +#ifdef HAVE_ECC + /* Read in an EC key. */ + ExpectTrue((file = XFOPEN(fname_ec, "rb")) != XBADFILE); + ExpectNotNull(pkey = EVP_PKEY_new()); + ExpectPtrEq(PEM_read_PrivateKey(file, &pkey, NULL, NULL), pkey); + if (file != XBADFILE) + XFCLOSE(file); + file = XBADFILE; + EVP_PKEY_free(pkey); + pkey = NULL; +#endif + +#ifndef NO_DH + /* Read in a DH key. 
*/ + ExpectTrue((file = XFOPEN(fname_dh, "rb")) != XBADFILE); +#if (defined(WOLFSSL_QT) || defined(OPENSSL_ALL) || \ + defined(WOLFSSL_OPENSSH)) && (!defined(HAVE_FIPS) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2))) + ExpectNotNull(pkey = PEM_read_PrivateKey(file, NULL, NULL, NULL)); + EVP_PKEY_free(pkey); + pkey = NULL; +#else + ExpectNull(PEM_read_PrivateKey(file, NULL, NULL, NULL)); +#endif + if (file != XBADFILE) + XFCLOSE(file); + file = XBADFILE; +#endif +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_PEM_read_PUBKEY(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) \ + && !defined(NO_FILESYSTEM) + XFILE file = XBADFILE; + const char* fname = "./certs/client-keyPub.pem"; + EVP_PKEY* pkey = NULL; + + /* Check error case. */ + ExpectNull(pkey = PEM_read_PUBKEY(NULL, NULL, NULL, NULL)); + + /* Read in an RSA key. */ + ExpectTrue((file = XFOPEN(fname, "rb")) != XBADFILE); + ExpectNotNull(pkey = PEM_read_PUBKEY(file, NULL, NULL, NULL)); + EVP_PKEY_free(pkey); + pkey = NULL; + if (file != XBADFILE) + XFCLOSE(file); + file = XBADFILE; + ExpectTrue((file = XFOPEN(fname, "rb")) != XBADFILE); + ExpectNotNull(pkey = EVP_PKEY_new()); + ExpectPtrEq(PEM_read_PUBKEY(file, &pkey, NULL, NULL), pkey); + EVP_PKEY_free(pkey); + if (file != XBADFILE) + XFCLOSE(file); +#endif + return EXPECT_RESULT(); +} + +/* test loading RSA key using BIO */ +int test_wolfSSL_PEM_PrivateKey_rsa(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_RSA) && \ + defined(USE_CERT_BUFFERS_2048) && !defined(NO_FILESYSTEM) && \ + !defined(NO_BIO) + BIO* bio = NULL; + XFILE file = XBADFILE; + const char* fname = "./certs/server-key.pem"; + const char* fname_rsa_p8 = "./certs/server-keyPkcs8.pem"; + EVP_PKEY* pkey = NULL; + size_t sz = 0; + byte* buf = NULL; + EVP_PKEY* pkey2 = NULL; + EVP_PKEY* pkey3 = NULL; + RSA* rsa_key = NULL; +#if defined(WOLFSSL_KEY_GEN) || defined(WOLFSSL_CERT_GEN) + unsigned char extra[10]; + 
int i; + BIO* pub_bio = NULL; + const unsigned char* server_key = (const unsigned char*)server_key_der_2048; +#endif + + ExpectTrue((file = XFOPEN(fname, "rb")) != XBADFILE); + ExpectTrue(XFSEEK(file, 0, XSEEK_END) == 0); + ExpectIntGT(sz = XFTELL(file), 0); + ExpectTrue(XFSEEK(file, 0, XSEEK_SET) == 0); + ExpectNotNull(buf = (byte*)XMALLOC(sz, NULL, DYNAMIC_TYPE_FILE)); + if (buf != NULL) { + ExpectIntEQ(XFREAD(buf, 1, sz, file), sz); + } + if (file != XBADFILE) { + XFCLOSE(file); + file = XBADFILE; + } + + /* Test using BIO new mem and loading PEM private key */ + ExpectNotNull(bio = BIO_new_mem_buf(buf, (int)sz)); + ExpectNotNull((pkey = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL))); + XFREE(buf, NULL, DYNAMIC_TYPE_FILE); + buf = NULL; + BIO_free(bio); + bio = NULL; + + /* New empty EVP_PKEY */ + ExpectNotNull(pkey2 = EVP_PKEY_new()); + if (pkey2 != NULL) { + pkey2->type = EVP_PKEY_RSA; + } + /* Test parameter copy */ + ExpectIntEQ(EVP_PKEY_copy_parameters(pkey2, pkey), 0); + EVP_PKEY_free(pkey2); + EVP_PKEY_free(pkey); + pkey = NULL; + + /* Qt unit test case : rsa pkcs8 key */ + ExpectTrue((file = XFOPEN(fname_rsa_p8, "rb")) != XBADFILE); + ExpectTrue(XFSEEK(file, 0, XSEEK_END) == 0); + ExpectIntGT(sz = XFTELL(file), 0); + ExpectTrue(XFSEEK(file, 0, XSEEK_SET) == 0); + ExpectNotNull(buf = (byte*)XMALLOC(sz, NULL, DYNAMIC_TYPE_FILE)); + if (buf) { + ExpectIntEQ(XFREAD(buf, 1, sz, file), sz); + } + if (file != XBADFILE) { + XFCLOSE(file); + file = XBADFILE; + } + + ExpectNotNull(bio = BIO_new_mem_buf(buf, (int)sz)); + ExpectNotNull((pkey = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL))); + XFREE(buf, NULL, DYNAMIC_TYPE_FILE); + buf = NULL; + BIO_free(bio); + bio = NULL; + ExpectNotNull(pkey3 = EVP_PKEY_new()); + + ExpectNotNull(rsa_key = EVP_PKEY_get1_RSA(pkey)); + ExpectIntEQ(EVP_PKEY_set1_RSA(pkey3, rsa_key), WOLFSSL_SUCCESS); + +#ifdef WOLFSSL_ERROR_CODE_OPENSSL + ExpectIntEQ(EVP_PKEY_cmp(pkey, pkey3), 1/* match */); +#else + ExpectIntEQ(EVP_PKEY_cmp(pkey, 
pkey3), 0); +#endif + + RSA_free(rsa_key); + EVP_PKEY_free(pkey3); + EVP_PKEY_free(pkey); + pkey = NULL; + pkey2 = NULL; + +#if defined(WOLFSSL_KEY_GEN) || defined(WOLFSSL_CERT_GEN) + #define BIO_PEM_TEST_CHAR 'a' + XMEMSET(extra, BIO_PEM_TEST_CHAR, sizeof(extra)); + + ExpectNotNull(bio = wolfSSL_BIO_new(wolfSSL_BIO_s_mem())); + ExpectIntEQ(BIO_set_write_buf_size(bio, 4096), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectNotNull(pub_bio = wolfSSL_BIO_new(wolfSSL_BIO_s_mem())); + ExpectIntEQ(BIO_set_write_buf_size(pub_bio, 4096), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + + ExpectNull(d2i_PrivateKey(EVP_PKEY_EC, &pkey, &server_key, + (long)sizeof_server_key_der_2048)); + ExpectNull(pkey); + + ExpectNotNull(wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, &pkey, &server_key, + (long)sizeof_server_key_der_2048)); + ExpectIntEQ(PEM_write_bio_PrivateKey(NULL, pkey, NULL, NULL, 0, NULL, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(PEM_write_bio_PrivateKey(bio, NULL, NULL, NULL, 0, NULL, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(PEM_write_bio_PrivateKey(bio, pkey, NULL, NULL, 0, NULL, NULL), + WOLFSSL_SUCCESS); + ExpectIntGT(BIO_pending(bio), 0); + ExpectIntEQ(BIO_pending(bio), 1679); + /* Check if the pubkey API writes only the public key */ +#ifdef WOLFSSL_KEY_GEN + ExpectIntEQ(PEM_write_bio_PUBKEY(NULL, pkey), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(PEM_write_bio_PUBKEY(pub_bio, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(PEM_write_bio_PUBKEY(pub_bio, pkey), WOLFSSL_SUCCESS); + ExpectIntGT(BIO_pending(pub_bio), 0); + /* Previously both the private key and the pubkey calls would write + * out the private key and the PEM header was the only difference. + * The public PEM should be significantly shorter than the + * private key versison. */ + ExpectIntEQ(BIO_pending(pub_bio), 451); +#else + /* Not supported. 
*/ + ExpectIntEQ(PEM_write_bio_PUBKEY(pub_bio, pkey), 0); +#endif + + /* test creating new EVP_PKEY with good args */ + ExpectNotNull((pkey2 = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL))); + if (pkey && pkey->pkey.ptr && pkey2 && pkey2->pkey.ptr) { + ExpectIntEQ((int)XMEMCMP(pkey->pkey.ptr, pkey2->pkey.ptr, + pkey->pkey_sz), 0); + } + + /* test of reuse of EVP_PKEY */ + ExpectNull(PEM_read_bio_PrivateKey(bio, &pkey, NULL, NULL)); + ExpectIntEQ(BIO_pending(bio), 0); + ExpectIntEQ(PEM_write_bio_PrivateKey(bio, pkey, NULL, NULL, 0, NULL, NULL), + SSL_SUCCESS); + /* add 10 extra bytes after PEM */ + ExpectIntEQ(BIO_write(bio, extra, 10), 10); + ExpectNotNull(PEM_read_bio_PrivateKey(bio, &pkey, NULL, NULL)); + ExpectNotNull(pkey); + if (pkey && pkey->pkey.ptr && pkey2 && pkey2->pkey.ptr) { + ExpectIntEQ((int)XMEMCMP(pkey->pkey.ptr, pkey2->pkey.ptr, + pkey->pkey_sz), 0); + } + /* check 10 extra bytes still there */ + ExpectIntEQ(BIO_pending(bio), 10); + ExpectIntEQ(BIO_read(bio, extra, 10), 10); + for (i = 0; i < 10; i++) { + ExpectIntEQ(extra[i], BIO_PEM_TEST_CHAR); + } + + BIO_free(pub_bio); + BIO_free(bio); + bio = NULL; + EVP_PKEY_free(pkey); + pkey = NULL; + EVP_PKEY_free(pkey2); +#endif /* WOLFSSL_KEY_GEN || WOLFSSL_CERT_GEN */ +#endif /* OPENSSL_EXTRA && !NO_CERTS && !NO_RSA && USE_CERT_BUFFERS_2048 && + * !NO_FILESYSTEM && !NO_BIO */ + return EXPECT_RESULT(); +} + +/* test loading ECC key using BIO */ +int test_wolfSSL_PEM_PrivateKey_ecc(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && defined(HAVE_ECC) && \ + !defined(NO_FILESYSTEM) && !defined(NO_BIO) + BIO* bio = NULL; + EVP_PKEY* pkey = NULL; + XFILE file = XBADFILE; + const char* fname = "./certs/ecc-key.pem"; + const char* fname_ecc_p8 = "./certs/ecc-keyPkcs8.pem"; + + size_t sz = 0; + byte* buf = NULL; + EVP_PKEY* pkey2 = NULL; + EVP_PKEY* pkey3 = NULL; + EC_KEY* ec_key = NULL; + int nid = 0; + BIO* pub_bio = NULL; + + ExpectTrue((file = XFOPEN(fname, "rb")) != XBADFILE); + 
ExpectTrue(XFSEEK(file, 0, XSEEK_END) == 0); + ExpectIntGT(sz = XFTELL(file), 0); + ExpectTrue(XFSEEK(file, 0, XSEEK_SET) == 0); + ExpectNotNull(buf = (byte*)XMALLOC(sz, NULL, DYNAMIC_TYPE_FILE)); + if (buf) { + ExpectIntEQ(XFREAD(buf, 1, sz, file), sz); + } + if (file != XBADFILE) { + XFCLOSE(file); + file = XBADFILE; + } + + /* Test using BIO new mem and loading PEM private key */ + ExpectNotNull(bio = BIO_new_mem_buf(buf, (int)sz)); + ExpectNotNull((pkey = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL))); + BIO_free(bio); + bio = NULL; + XFREE(buf, NULL, DYNAMIC_TYPE_FILE); + buf = NULL; + ExpectNotNull(bio = wolfSSL_BIO_new(wolfSSL_BIO_s_mem())); + ExpectNotNull(pub_bio = wolfSSL_BIO_new(wolfSSL_BIO_s_mem())); + ExpectIntEQ(PEM_write_bio_PrivateKey(bio, pkey, NULL, NULL, 0, NULL, NULL), + WOLFSSL_SUCCESS); + ExpectIntGT(BIO_pending(bio), 0); + /* No parameters. */ + ExpectIntEQ(BIO_pending(bio), 227); + /* Check if the pubkey API writes only the public key */ +#ifdef WOLFSSL_KEY_GEN + ExpectIntEQ(PEM_write_bio_PUBKEY(pub_bio, pkey), WOLFSSL_SUCCESS); + ExpectIntGT(BIO_pending(pub_bio), 0); + /* Previously both the private key and the pubkey calls would write + * out the private key and the PEM header was the only difference. + * The public PEM should be significantly shorter than the + * private key versison. 
*/ + ExpectIntEQ(BIO_pending(pub_bio), 178); +#endif + BIO_free(pub_bio); + BIO_free(bio); + bio = NULL; + ExpectNotNull(pkey2 = EVP_PKEY_new()); + ExpectNotNull(pkey3 = EVP_PKEY_new()); + if (pkey2 != NULL) { + pkey2->type = EVP_PKEY_EC; + } + /* Test parameter copy */ + ExpectIntEQ(EVP_PKEY_copy_parameters(pkey2, pkey), 1); + + + /* Qt unit test case 1*/ + ExpectNotNull(ec_key = EVP_PKEY_get1_EC_KEY(pkey)); + ExpectIntEQ(EVP_PKEY_set1_EC_KEY(pkey3, ec_key), WOLFSSL_SUCCESS); + #ifdef WOLFSSL_ERROR_CODE_OPENSSL + ExpectIntEQ(EVP_PKEY_cmp(pkey, pkey3), 1/* match */); + #else + ExpectIntEQ(EVP_PKEY_cmp(pkey, pkey3), 0); + #endif + /* Test default digest */ + ExpectIntEQ(EVP_PKEY_get_default_digest_nid(pkey, &nid), 1); + ExpectIntEQ(nid, NID_sha256); + EC_KEY_free(ec_key); + ec_key = NULL; + EVP_PKEY_free(pkey3); + pkey3 = NULL; + EVP_PKEY_free(pkey2); + pkey2 = NULL; + EVP_PKEY_free(pkey); + pkey = NULL; + + /* Qt unit test case ec pkcs8 key */ + ExpectTrue((file = XFOPEN(fname_ecc_p8, "rb")) != XBADFILE); + ExpectTrue(XFSEEK(file, 0, XSEEK_END) == 0); + ExpectIntGT(sz = XFTELL(file), 0); + ExpectTrue(XFSEEK(file, 0, XSEEK_SET) == 0); + ExpectNotNull(buf = (byte*)XMALLOC(sz, NULL, DYNAMIC_TYPE_FILE)); + if (buf) { + ExpectIntEQ(XFREAD(buf, 1, sz, file), sz); + } + if (file != XBADFILE) { + XFCLOSE(file); + file = XBADFILE; + } + + ExpectNotNull(bio = BIO_new_mem_buf(buf, (int)sz)); + ExpectNotNull((pkey = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL))); + XFREE(buf, NULL, DYNAMIC_TYPE_FILE); + buf = NULL; + BIO_free(bio); + bio = NULL; + ExpectNotNull(pkey3 = EVP_PKEY_new()); + /* Qt unit test case */ + ExpectNotNull(ec_key = EVP_PKEY_get1_EC_KEY(pkey)); + ExpectIntEQ(EVP_PKEY_set1_EC_KEY(pkey3, ec_key), WOLFSSL_SUCCESS); +#ifdef WOLFSSL_ERROR_CODE_OPENSSL + ExpectIntEQ(EVP_PKEY_cmp(pkey, pkey3), 1/* match */); +#else + ExpectIntEQ(EVP_PKEY_cmp(pkey, pkey3), 0); +#endif + EC_KEY_free(ec_key); + EVP_PKEY_free(pkey3); + EVP_PKEY_free(pkey); + pkey = NULL; +#endif + 
return EXPECT_RESULT(); +} + +/* test loading DSA key using BIO */ +int test_wolfSSL_PEM_PrivateKey_dsa(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_DSA) && \ + !defined(NO_FILESYSTEM) && !defined(NO_BIO) +#if defined(WOLFSSL_QT) || defined(OPENSSL_ALL) + BIO* bio = NULL; + EVP_PKEY* pkey = NULL; + + ExpectNotNull(bio = BIO_new_file("./certs/dsa2048.pem", "rb")); + /* Private DSA EVP_PKEY */ + ExpectNotNull(pkey = wolfSSL_PEM_read_bio_PrivateKey(bio, NULL, NULL, + NULL)); + BIO_free(bio); + bio = NULL; + + ExpectNotNull(bio = wolfSSL_BIO_new(wolfSSL_BIO_s_mem())); +#if defined(OPENSSL_ALL) && !defined(NO_PWDBASED) && defined(HAVE_PKCS8) +#ifdef WOLFSSL_ASN_TEMPLATE + ExpectIntEQ(PEM_write_bio_PKCS8PrivateKey(bio, pkey, NULL, NULL, 0, NULL, + NULL), 1216); +#else + ExpectIntEQ(PEM_write_bio_PKCS8PrivateKey(bio, pkey, NULL, NULL, 0, NULL, + NULL), 1212); +#endif +#endif + +#ifdef WOLFSSL_KEY_GEN + ExpectIntEQ(PEM_write_bio_PUBKEY(bio, pkey), 1); +#ifdef WOLFSSL_ASN_TEMPLATE + ExpectIntEQ(BIO_pending(bio), 2394); +#else + ExpectIntEQ(BIO_pending(bio), 2390); +#endif + BIO_reset(bio); +#endif + + ExpectIntEQ(PEM_write_bio_PrivateKey(bio, pkey, NULL, NULL, 0, NULL, NULL), + 1); + ExpectIntEQ(BIO_pending(bio), 1196); + + BIO_free(bio); + bio = NULL; + + EVP_PKEY_free(pkey); + pkey = NULL; +#endif +#endif + return EXPECT_RESULT(); +} + +/* test loading DH key using BIO */ +int test_wolfSSL_PEM_PrivateKey_dh(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_DH) && \ + !defined(NO_FILESYSTEM) && !defined(NO_BIO) +#if (defined(WOLFSSL_QT) || defined(OPENSSL_ALL) || \ + defined(WOLFSSL_OPENSSH)) && (!defined(HAVE_FIPS) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2))) + BIO* bio = NULL; + EVP_PKEY* pkey = NULL; + int expectedBytes = 0; + + ExpectNotNull(bio = BIO_new_file("./certs/dh-priv-2048.pem", "rb")); + /* Private DH EVP_PKEY */ + ExpectNotNull(pkey = 
wolfSSL_PEM_read_bio_PrivateKey(bio, NULL, NULL, + NULL)); + BIO_free(bio); + bio = NULL; + + ExpectNotNull(bio = wolfSSL_BIO_new(wolfSSL_BIO_s_mem())); + +#if defined(OPENSSL_ALL) && !defined(NO_PWDBASED) && defined(HAVE_PKCS8) + expectedBytes += 806; + ExpectIntEQ(PEM_write_bio_PKCS8PrivateKey(bio, pkey, NULL, NULL, 0, NULL, + NULL), expectedBytes); +#endif +#ifdef WOLFSSL_KEY_GEN + ExpectIntEQ(PEM_write_bio_PUBKEY(bio, pkey), 0); +#endif + + ExpectIntEQ(PEM_write_bio_PrivateKey(bio, pkey, NULL, NULL, 0, NULL, NULL), + 1); + expectedBytes += 806; + ExpectIntEQ(BIO_pending(bio), expectedBytes); + + BIO_free(bio); + bio = NULL; + + EVP_PKEY_free(pkey); + pkey = NULL; +#endif +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_PEM_PrivateKey(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_TLS) && \ + (!defined(NO_RSA) || defined(HAVE_ECC)) && defined(USE_CERT_BUFFERS_2048) +#ifndef NO_BIO + BIO* bio = NULL; +#endif + EVP_PKEY* pkey = NULL; + const unsigned char* server_key = (const unsigned char*)server_key_der_2048; + +#ifndef NO_BIO + + /* test creating new EVP_PKEY with bad arg */ + ExpectNull((pkey = PEM_read_bio_PrivateKey(NULL, NULL, NULL, NULL))); + + /* Test bad EVP_PKEY type. 
*/ + /* New HMAC EVP_PKEY */ + ExpectNotNull(bio = BIO_new_mem_buf("", 1)); + ExpectNotNull(pkey = EVP_PKEY_new()); + if (pkey != NULL) { + pkey->type = EVP_PKEY_HMAC; + } + ExpectIntEQ(PEM_write_bio_PrivateKey(bio, pkey, NULL, NULL, 0, NULL, NULL), + 0); +#if defined(OPENSSL_ALL) && !defined(NO_PWDBASED) && defined(HAVE_PKCS8) + ExpectIntEQ(PEM_write_bio_PKCS8PrivateKey(bio, pkey, NULL, NULL, 0, NULL, + NULL), 0); +#endif +#ifdef WOLFSSL_KEY_GEN + ExpectIntEQ(PEM_write_bio_PUBKEY(bio, pkey), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); +#endif + EVP_PKEY_free(pkey); + pkey = NULL; + BIO_free(bio); + bio = NULL; + + + /* key is DES encrypted */ + #if !defined(NO_DES3) && defined(WOLFSSL_ENCRYPTED_KEYS) && \ + !defined(NO_RSA) && !defined(NO_BIO) && !defined(NO_FILESYSTEM) && \ + !defined(NO_MD5) && defined(WOLFSSL_KEY_GEN) && !defined(NO_RSA) + { + XFILE f = XBADFILE; + wc_pem_password_cb* passwd_cb = NULL; + void* passwd_cb_userdata; + SSL_CTX* ctx = NULL; + char passwd[] = "bad password"; + + #ifndef WOLFSSL_NO_TLS12 + #ifndef NO_WOLFSSL_SERVER + ExpectNotNull(ctx = SSL_CTX_new(TLSv1_2_server_method())); + #else + ExpectNotNull(ctx = SSL_CTX_new(TLSv1_2_client_method())); + #endif + #else + #ifndef NO_WOLFSSL_SERVER + ExpectNotNull(ctx = SSL_CTX_new(TLSv1_3_server_method())); + #else + ExpectNotNull(ctx = SSL_CTX_new(TLSv1_3_client_method())); + #endif + #endif + + ExpectNotNull(bio = BIO_new_file("./certs/server-keyEnc.pem", "rb")); + SSL_CTX_set_default_passwd_cb(ctx, PasswordCallBack); + ExpectNotNull(passwd_cb = SSL_CTX_get_default_passwd_cb(ctx)); + ExpectNull(passwd_cb_userdata = + SSL_CTX_get_default_passwd_cb_userdata(ctx)); + + /* fail case with password call back */ + ExpectNull(pkey = PEM_read_bio_PrivateKey(bio, NULL, NULL, + (void*)passwd)); + BIO_free(bio); + ExpectNotNull(bio = BIO_new_file("./certs/server-keyEnc.pem", "rb")); + ExpectNull(pkey = PEM_read_bio_PrivateKey(bio, NULL, passwd_cb, + (void*)passwd)); + BIO_free(bio); + + ExpectTrue((f = 
XFOPEN("./certs/server-keyEnc.pem", "rb")) != XBADFILE); + ExpectNotNull(bio = BIO_new_fp(f, BIO_CLOSE)); + if ((bio == NULL) && (f != XBADFILE)) { + XFCLOSE(f); + } + + /* use callback that works */ + ExpectNotNull(pkey = PEM_read_bio_PrivateKey(bio, NULL, passwd_cb, + (void*)"yassl123")); + + ExpectIntEQ(SSL_CTX_use_PrivateKey(ctx, pkey), SSL_SUCCESS); + + EVP_PKEY_free(pkey); + pkey = NULL; + BIO_free(bio); + bio = NULL; + SSL_CTX_free(ctx); + } + #endif /* !defined(NO_DES3) */ + +#endif /* !NO_BIO */ + + #if defined(HAVE_ECC) && !defined(NO_FILESYSTEM) + { + unsigned char buf[2048]; + size_t bytes = 0; + XFILE f = XBADFILE; + SSL_CTX* ctx = NULL; + + #ifndef WOLFSSL_NO_TLS12 + #ifndef NO_WOLFSSL_SERVER + ExpectNotNull(ctx = SSL_CTX_new(TLSv1_2_server_method())); + #else + ExpectNotNull(ctx = SSL_CTX_new(TLSv1_2_client_method())); + #endif + #else + #ifndef NO_WOLFSSL_SERVER + ExpectNotNull(ctx = SSL_CTX_new(wolfTLSv1_3_server_method())); + #else + ExpectNotNull(ctx = SSL_CTX_new(wolfTLSv1_3_client_method())); + #endif + #endif + + ExpectTrue((f = XFOPEN("./certs/ecc-key.der", "rb")) != XBADFILE); + ExpectIntGT(bytes = (size_t)XFREAD(buf, 1, sizeof(buf), f), 0); + if (f != XBADFILE) + XFCLOSE(f); + + server_key = buf; + pkey = NULL; + ExpectNull(d2i_PrivateKey(EVP_PKEY_RSA, &pkey, &server_key, + (long int)bytes)); + ExpectNull(pkey); + ExpectNotNull(d2i_PrivateKey(EVP_PKEY_EC, &pkey, &server_key, + (long int)bytes)); + ExpectIntEQ(SSL_CTX_use_PrivateKey(ctx, pkey), SSL_SUCCESS); + + EVP_PKEY_free(pkey); + pkey = NULL; + SSL_CTX_free(ctx); + server_key = NULL; + } + #endif + +#ifndef NO_BIO + (void)bio; +#endif + (void)pkey; + (void)server_key; +#endif /* OPENSSL_EXTRA && !NO_CERTS && !NO_RSA && USE_CERT_BUFFERS_2048 */ + return EXPECT_RESULT(); +} + +int test_wolfSSL_PEM_file_RSAKey(void) +{ + EXPECT_DECLS; +#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)) && \ + defined(WOLFSSL_KEY_GEN) && !defined(NO_RSA) && \ + !defined(NO_FILESYSTEM) && 
!defined(NO_CERTS) + RSA* rsa = NULL; + XFILE fp = XBADFILE; + + ExpectTrue((fp = XFOPEN("./certs/rsa-pub-2048.pem", "rb")) != XBADFILE); + ExpectNotNull((rsa = PEM_read_RSA_PUBKEY(fp, NULL, NULL, NULL))); + if (fp != XBADFILE) + XFCLOSE(fp); + ExpectIntEQ(RSA_size(rsa), 256); + + ExpectIntEQ(PEM_write_RSAPublicKey(XBADFILE, rsa), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(PEM_write_RSAPublicKey(stderr, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(PEM_write_RSAPublicKey(stderr, rsa), WOLFSSL_SUCCESS); + + ExpectIntEQ(PEM_write_RSA_PUBKEY(XBADFILE, rsa), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(PEM_write_RSA_PUBKEY(stderr, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(PEM_write_RSA_PUBKEY(stderr, rsa), WOLFSSL_SUCCESS); + + RSA_free(rsa); +#endif /* defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)) && \ + (defined(WOLFSSL_KEY_GEN) || WOLFSSL_CERT_GEN) && \ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) && !defined(NO_CERTS) */ + return EXPECT_RESULT(); +} + +int test_wolfSSL_PEM_file_RSAPrivateKey(void) +{ + EXPECT_DECLS; +#if !defined(NO_RSA) && defined(OPENSSL_EXTRA) && defined(WOLFSSL_KEY_GEN) && \ + !defined(NO_FILESYSTEM) && \ + (defined(WOLFSSL_PEM_TO_DER) || defined(WOLFSSL_DER_TO_PEM)) + RSA* rsa = NULL; + XFILE f = NULL; + + ExpectTrue((f = XFOPEN(svrKeyFile, "rb")) != XBADFILE); + ExpectNotNull((rsa = PEM_read_RSAPrivateKey(f, NULL, NULL, NULL))); + ExpectIntEQ(RSA_size(rsa), 256); + if (f != XBADFILE) { + XFCLOSE(f); + f = XBADFILE; + } + + ExpectIntEQ(PEM_write_RSAPrivateKey(XBADFILE, rsa, NULL, NULL, 0, NULL, + NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(PEM_write_RSAPrivateKey(stderr, NULL, NULL, NULL, 0, NULL, + NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(PEM_write_RSAPrivateKey(stderr, rsa, NULL, NULL, 0, NULL, NULL), + WOLFSSL_SUCCESS); + + RSA_free(rsa); + +#ifdef HAVE_ECC + ExpectTrue((f = XFOPEN(eccKeyFile, "rb")) != XBADFILE); + ExpectNull((rsa = PEM_read_RSAPrivateKey(f, NULL, 
NULL, NULL))); + if (f != XBADFILE) + XFCLOSE(f); +#endif /* HAVE_ECC */ +#endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) */ + return EXPECT_RESULT(); +} + +int test_wolfSSL_PEM_read_RSA_PUBKEY(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) + XFILE file = XBADFILE; + const char* fname = "./certs/client-keyPub.pem"; + RSA *rsa = NULL; + + ExpectNull(wolfSSL_PEM_read_RSA_PUBKEY(XBADFILE, NULL, NULL, NULL)); + + ExpectTrue((file = XFOPEN(fname, "rb")) != XBADFILE); + ExpectNotNull((rsa = PEM_read_RSA_PUBKEY(file, NULL, NULL, NULL))); + ExpectIntEQ(RSA_size(rsa), 256); + RSA_free(rsa); + if (file != XBADFILE) + XFCLOSE(file); +#endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) */ + return EXPECT_RESULT(); +} + +int test_wolfSSL_PEM_read_bio(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) && !defined(NO_BIO) + byte buff[6000]; + XFILE f = XBADFILE; + int bytes = 0; + X509* x509 = NULL; + BIO* bio = NULL; + BUF_MEM* buf = NULL; + + ExpectTrue((f = XFOPEN(cliCertFile, "rb")) != XBADFILE); + ExpectIntGT(bytes = (int)XFREAD(buff, 1, sizeof(buff), f), 0); + if (f != XBADFILE) + XFCLOSE(f); + + ExpectNull(x509 = PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL)); + ExpectNotNull(bio = BIO_new_mem_buf((void*)buff, bytes)); + ExpectIntEQ(BIO_set_mem_eof_return(bio, -0xDEAD), 1); + ExpectNotNull(x509 = PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL)); + ExpectIntEQ((int)BIO_set_fd(bio, 0, BIO_CLOSE), 1); + /* BIO should return the set EOF value */ + ExpectIntEQ(BIO_read(bio, buff, sizeof(buff)), -0xDEAD); + ExpectIntEQ(BIO_set_close(bio, BIO_NOCLOSE), 1); + ExpectIntEQ(BIO_set_close(NULL, BIO_NOCLOSE), 1); + ExpectIntEQ(SSL_SUCCESS, BIO_get_mem_ptr(bio, &buf)); + + BIO_free(bio); + BUF_MEM_free(buf); + X509_free(x509); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_PEM_bio_RSAKey(void) +{ + EXPECT_DECLS; +#if 
(defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)) && \ + defined(WOLFSSL_KEY_GEN) && !defined(NO_RSA) && \ + !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_BIO) + RSA* rsa = NULL; + BIO* bio = NULL; + + /* PrivateKey */ + ExpectNotNull(bio = BIO_new_file(svrKeyFile, "rb")); + ExpectNull((rsa = PEM_read_bio_RSAPrivateKey(NULL, NULL, NULL, NULL))); + ExpectNotNull(PEM_read_bio_RSAPrivateKey(bio, &rsa, NULL, NULL)); + ExpectNotNull(rsa); + ExpectIntEQ(RSA_size(rsa), 256); + ExpectIntEQ(PEM_write_bio_RSAPrivateKey(NULL, NULL, NULL, NULL, 0, NULL, + NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + BIO_free(bio); + bio = NULL; + ExpectNotNull(bio = wolfSSL_BIO_new(wolfSSL_BIO_s_mem())); + ExpectIntEQ(PEM_write_bio_RSAPrivateKey(bio, rsa, NULL, NULL, 0, NULL, + NULL), WOLFSSL_SUCCESS); + BIO_free(bio); + bio = NULL; + RSA_free(rsa); + rsa = NULL; + + /* PUBKEY */ + ExpectNotNull(bio = BIO_new_file("./certs/rsa-pub-2048.pem", "rb")); + ExpectNull((rsa = PEM_read_bio_RSA_PUBKEY(NULL, NULL, NULL, NULL))); + ExpectNotNull((rsa = PEM_read_bio_RSA_PUBKEY(bio, NULL, NULL, NULL))); + ExpectIntEQ(RSA_size(rsa), 256); + ExpectIntEQ(PEM_write_bio_RSA_PUBKEY(NULL, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + BIO_free(bio); + bio = NULL; + ExpectNotNull(bio = wolfSSL_BIO_new(wolfSSL_BIO_s_mem())); + ExpectIntEQ(PEM_write_bio_RSA_PUBKEY(bio, rsa), WOLFSSL_SUCCESS); + BIO_free(bio); + bio = NULL; + + RSA_free(rsa); + rsa = NULL; + + /* Ensure that keys beginning with BEGIN RSA PUBLIC KEY can be read, too. 
*/ + ExpectNotNull(bio = BIO_new_file("./certs/server-keyPub.pem", "rb")); + ExpectNotNull((rsa = PEM_read_bio_RSA_PUBKEY(bio, NULL, NULL, NULL))); + BIO_free(bio); + bio = NULL; + RSA_free(rsa); + rsa = NULL; + + #ifdef HAVE_ECC + /* ensure that non-rsa keys do not work */ + ExpectNotNull(bio = BIO_new_file(eccKeyFile, "rb")); /* ecc key */ + ExpectNull((rsa = PEM_read_bio_RSAPrivateKey(bio, NULL, NULL, NULL))); + ExpectNull((rsa = PEM_read_bio_RSA_PUBKEY(bio, NULL, NULL, NULL))); + BIO_free(bio); + bio = NULL; + RSA_free(rsa); + rsa = NULL; + #endif /* HAVE_ECC */ +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_PEM_bio_RSAPrivateKey(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) && !defined(NO_BIO) + RSA* rsa = NULL; + RSA* rsa_dup = NULL; + BIO* bio = NULL; + + ExpectNotNull(bio = BIO_new_file(svrKeyFile, "rb")); + ExpectNotNull((rsa = PEM_read_bio_RSAPrivateKey(bio, NULL, NULL, NULL))); + ExpectIntEQ(RSA_size(rsa), 256); + +#if defined(WOLFSSL_KEY_GEN) && !defined(NO_RSA) + ExpectNull(rsa_dup = RSAPublicKey_dup(NULL)); + /* Test duplicating empty key. 
*/ + ExpectNotNull(rsa_dup = RSA_new()); + ExpectNull(RSAPublicKey_dup(rsa_dup)); + RSA_free(rsa_dup); + rsa_dup = NULL; + ExpectNotNull(rsa_dup = RSAPublicKey_dup(rsa)); + ExpectPtrNE(rsa_dup, rsa); +#endif + + /* test if valgrind complains about unreleased memory */ + RSA_up_ref(rsa); + RSA_free(rsa); + + BIO_free(bio); + bio = NULL; + RSA_free(rsa); + rsa = NULL; + RSA_free(rsa_dup); + rsa_dup = NULL; + +#ifdef HAVE_ECC + ExpectNotNull(bio = BIO_new_file(eccKeyFile, "rb")); + ExpectNull((rsa = PEM_read_bio_RSAPrivateKey(bio, NULL, NULL, NULL))); + + BIO_free(bio); +#endif /* HAVE_ECC */ +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_PEM_bio_DSAKey(void) +{ + EXPECT_DECLS; +#ifndef HAVE_SELFTEST +#if (defined(WOLFSSL_QT) || defined(OPENSSL_ALL)) && !defined(NO_CERTS) && \ + defined(WOLFSSL_KEY_GEN) && !defined(NO_FILESYSTEM) && \ + !defined(NO_DSA) && !defined(NO_BIO) + DSA* dsa = NULL; + BIO* bio = NULL; + + /* PrivateKey */ + ExpectNotNull(bio = BIO_new_file("./certs/1024/dsa1024.pem", "rb")); + ExpectNull((dsa = PEM_read_bio_DSAPrivateKey(NULL, NULL, NULL, NULL))); + ExpectNotNull((dsa = PEM_read_bio_DSAPrivateKey(bio, NULL, NULL, NULL))); + ExpectIntEQ(BN_num_bytes(dsa->g), 128); + ExpectIntEQ(PEM_write_bio_DSAPrivateKey(NULL, NULL, NULL, NULL, 0, NULL, + NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + BIO_free(bio); + bio = NULL; + ExpectNotNull(bio = wolfSSL_BIO_new(wolfSSL_BIO_s_mem())); + ExpectIntEQ(PEM_write_bio_DSAPrivateKey(bio, dsa, NULL, NULL, 0, NULL, + NULL), WOLFSSL_SUCCESS); + BIO_free(bio); + bio = NULL; + DSA_free(dsa); + dsa = NULL; + + /* PUBKEY */ + ExpectNotNull(bio = BIO_new_file("./certs/1024/dsa-pub-1024.pem", "rb")); + ExpectNull((dsa = PEM_read_bio_DSA_PUBKEY(NULL, NULL, NULL, NULL))); + ExpectNotNull((dsa = PEM_read_bio_DSA_PUBKEY(bio, NULL, NULL, NULL))); + ExpectIntEQ(BN_num_bytes(dsa->g), 128); + ExpectIntEQ(PEM_write_bio_DSA_PUBKEY(NULL, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + BIO_free(bio); + bio = NULL; + 
ExpectNotNull(bio = wolfSSL_BIO_new(wolfSSL_BIO_s_mem())); + ExpectIntEQ(PEM_write_bio_DSA_PUBKEY(bio, dsa), WOLFSSL_SUCCESS); + BIO_free(bio); + bio = NULL; + DSA_free(dsa); + dsa = NULL; + + #ifdef HAVE_ECC + /* ensure that non-dsa keys do not work */ + ExpectNotNull(bio = BIO_new_file(eccKeyFile, "rb")); /* ecc key */ + ExpectNull((dsa = PEM_read_bio_DSAPrivateKey(bio, NULL, NULL, NULL))); + ExpectNull((dsa = PEM_read_bio_DSA_PUBKEY(bio, NULL, NULL, NULL))); + BIO_free(bio); + bio = NULL; + DSA_free(dsa); + dsa = NULL; + #endif /* HAVE_ECC */ +#endif +#endif /* HAVE_SELFTEST */ + return EXPECT_RESULT(); +} + +int test_wolfSSL_PEM_bio_ECKey(void) +{ + EXPECT_DECLS; +#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)) && \ + defined(WOLFSSL_KEY_GEN) && !defined(NO_FILESYSTEM) && \ + defined(HAVE_ECC) && !defined(NO_BIO) + EC_KEY* ec = NULL; + EC_KEY* ec2; + BIO* bio = NULL; +#if defined(WOLFSSL_PEM_TO_DER) || defined(WOLFSSL_DER_TO_PEM) + unsigned char* pem = NULL; + int pLen; +#endif + static char ec_key_bad_1[] = "-----BEGIN PUBLIC KEY-----\n" + "MAA=\n" + "-----END PUBLIC KEY-----"; + static char ec_priv_key_bad_1[] = "-----BEGIN EC PRIVATE KEY-----\n" + "MAA=\n" + "-----END EC PRIVATE KEY-----"; + + /* PrivateKey */ + ExpectNotNull(bio = BIO_new_file("./certs/ecc-key.pem", "rb")); + ExpectNull((ec = PEM_read_bio_ECPrivateKey(NULL, NULL, NULL, NULL))); + ec2 = NULL; + ExpectNotNull((ec = PEM_read_bio_ECPrivateKey(bio, &ec2, NULL, NULL))); + ExpectIntEQ(ec == ec2, 1); + ExpectIntEQ(wc_ecc_size((ecc_key*)ec->internal), 32); + ExpectIntEQ(PEM_write_bio_ECPrivateKey(NULL, NULL, NULL, NULL, 0, NULL, + NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(PEM_write_bio_ECPrivateKey(bio, NULL, NULL, NULL, 0, NULL, + NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(PEM_write_bio_ECPrivateKey(NULL, ec, NULL, NULL, 0, NULL, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + BIO_free(bio); + bio = NULL; + /* Public key data - fail. 
*/ + ExpectNotNull(bio = BIO_new_file("./certs/ecc-client-keyPub.pem", "rb")); + ExpectNull(PEM_read_bio_ECPrivateKey(bio, NULL, NULL, NULL)); + BIO_free(bio); + bio = NULL; + ExpectNotNull(bio = wolfSSL_BIO_new(wolfSSL_BIO_s_mem())); + ExpectIntEQ(PEM_write_bio_ECPrivateKey(bio, ec, NULL, NULL, 0, NULL, \ + NULL), WOLFSSL_SUCCESS); + BIO_free(bio); + bio = NULL; + + ExpectIntEQ(PEM_write_ECPrivateKey(XBADFILE, NULL, NULL, NULL, 0, NULL, + NULL),WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(PEM_write_ECPrivateKey(stderr, NULL, NULL, NULL, 0, NULL, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(PEM_write_ECPrivateKey(XBADFILE, ec, NULL, NULL, 0, NULL, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(PEM_write_ECPrivateKey(stderr, ec, NULL, NULL, 0, NULL, NULL), + WOLFSSL_SUCCESS); + + ExpectIntEQ(wolfSSL_PEM_write_mem_ECPrivateKey(NULL, NULL, NULL, 0, NULL, + NULL), 0); +#if defined(WOLFSSL_PEM_TO_DER) || defined(WOLFSSL_DER_TO_PEM) + ExpectIntEQ(wolfSSL_PEM_write_mem_ECPrivateKey(ec, NULL, NULL, 0, NULL, + NULL), 0); + ExpectIntEQ(wolfSSL_PEM_write_mem_ECPrivateKey(NULL, NULL, NULL, 0, &pem, + NULL), 0); + ExpectIntEQ(wolfSSL_PEM_write_mem_ECPrivateKey(NULL, NULL, NULL, 0, NULL, + &pLen), 0); + ExpectIntEQ(wolfSSL_PEM_write_mem_ECPrivateKey(NULL, NULL, NULL, 0, &pem, + &pLen), 0); + ExpectIntEQ(wolfSSL_PEM_write_mem_ECPrivateKey(ec, NULL, NULL, 0, NULL, + &pLen), 0); + ExpectIntEQ(wolfSSL_PEM_write_mem_ECPrivateKey(ec, NULL, NULL, 0, &pem, + NULL), 0); + ExpectIntEQ(wolfSSL_PEM_write_mem_ECPrivateKey(ec, NULL, NULL, 0, &pem, + &pLen), 1); + ExpectIntGT(pLen, 0); + XFREE(pem, NULL, DYNAMIC_TYPE_TMP_BUFFER); +#endif + + EC_KEY_free(ec); + ec = NULL; + + /* PUBKEY */ + ExpectNotNull(bio = BIO_new_file("./certs/ecc-client-keyPub.pem", "rb")); + ExpectNull((ec = PEM_read_bio_EC_PUBKEY(NULL, NULL, NULL, NULL))); + ec2 = NULL; + ExpectNotNull((ec = PEM_read_bio_EC_PUBKEY(bio, &ec2, NULL, NULL))); + ExpectIntEQ(ec == ec2, 1); + 
ExpectIntEQ(wc_ecc_size((ecc_key*)ec->internal), 32); + ExpectIntEQ(PEM_write_bio_EC_PUBKEY(NULL, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + BIO_free(bio); + bio = NULL; + /* Test 0x30, 0x00 fails. */ + ExpectNotNull(bio = BIO_new_mem_buf((unsigned char*)ec_key_bad_1, + sizeof(ec_key_bad_1))); + ExpectNull(PEM_read_bio_EC_PUBKEY(bio, NULL, NULL, NULL)); + BIO_free(bio); + bio = NULL; + + /* Private key data - fail. */ + ExpectNotNull(bio = BIO_new_file("./certs/ecc-key.pem", "rb")); + ExpectNull(PEM_read_bio_EC_PUBKEY(bio, NULL, NULL, NULL)); + BIO_free(bio); + bio = NULL; + ExpectNotNull(bio = wolfSSL_BIO_new(wolfSSL_BIO_s_mem())); + ExpectIntEQ(PEM_write_bio_EC_PUBKEY(bio, ec), WOLFSSL_SUCCESS); + BIO_free(bio); + bio = NULL; + + /* Same test as above, but with a file pointer rather than a BIO. */ + ExpectIntEQ(PEM_write_EC_PUBKEY(NULL, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(PEM_write_EC_PUBKEY(NULL, ec), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(PEM_write_EC_PUBKEY(stderr, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(PEM_write_EC_PUBKEY(stderr, ec), WOLFSSL_SUCCESS); + + EC_KEY_free(ec); + ec = NULL; + + #ifndef NO_RSA + /* ensure that non-ec keys do not work */ + ExpectNotNull(bio = BIO_new_file(svrKeyFile, "rb")); /* rsa key */ + ExpectNull((ec = PEM_read_bio_ECPrivateKey(bio, NULL, NULL, NULL))); + ExpectNull((ec = PEM_read_bio_EC_PUBKEY(bio, NULL, NULL, NULL))); + BIO_free(bio); + bio = NULL; + EC_KEY_free(ec); + ec = NULL; + #endif /* !NO_RSA */ + /* Test 0x30, 0x00 fails. 
*/ + ExpectNotNull(bio = BIO_new_mem_buf((unsigned char*)ec_priv_key_bad_1, + sizeof(ec_priv_key_bad_1))); + ExpectNull(PEM_read_bio_ECPrivateKey(bio, NULL, NULL, NULL)); + BIO_free(bio); + bio = NULL; +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_PEM_PUBKEY(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && defined(HAVE_ECC) && !defined(NO_BIO) + BIO* bio = NULL; + EVP_PKEY* pkey = NULL; + + /* test creating new EVP_PKEY with bad arg */ + ExpectNull((pkey = PEM_read_bio_PUBKEY(NULL, NULL, NULL, NULL))); + + /* test loading ECC key using BIO */ +#if defined(HAVE_ECC) && !defined(NO_FILESYSTEM) + { + XFILE file = XBADFILE; + const char* fname = "./certs/ecc-client-keyPub.pem"; + size_t sz = 0; + byte* buf = NULL; + + EVP_PKEY* pkey2 = NULL; + EC_KEY* ec_key = NULL; + + ExpectTrue((file = XFOPEN(fname, "rb")) != XBADFILE); + ExpectIntEQ(XFSEEK(file, 0, XSEEK_END), 0); + ExpectIntGT(sz = XFTELL(file), 0); + ExpectIntEQ(XFSEEK(file, 0, XSEEK_SET), 0); + ExpectNotNull(buf = (byte*)XMALLOC(sz, NULL, DYNAMIC_TYPE_FILE)); + if (buf != NULL) { + ExpectIntEQ(XFREAD(buf, 1, sz, file), sz); + } + if (file != XBADFILE) { + XFCLOSE(file); + } + + /* Test using BIO new mem and loading PEM private key */ + ExpectNotNull(bio = BIO_new_mem_buf(buf, (int)sz)); + ExpectNotNull((pkey = PEM_read_bio_PUBKEY(bio, NULL, NULL, NULL))); + BIO_free(bio); + bio = NULL; + EVP_PKEY_free(pkey); + pkey = NULL; + ExpectNotNull(bio = BIO_new_mem_buf(buf, (int)sz)); + ExpectNotNull(pkey = EVP_PKEY_new()); + ExpectPtrEq(PEM_read_bio_PUBKEY(bio, &pkey, NULL, NULL), pkey); + XFREE(buf, NULL, DYNAMIC_TYPE_FILE); + BIO_free(bio); + bio = NULL; + + /* Qt unit test case*/ + ExpectNotNull(pkey2 = EVP_PKEY_new()); + ExpectNotNull(ec_key = EVP_PKEY_get1_EC_KEY(pkey)); + ExpectIntEQ(EVP_PKEY_set1_EC_KEY(pkey2, ec_key), WOLFSSL_SUCCESS); + #ifdef WOLFSSL_ERROR_CODE_OPENSSL + ExpectIntEQ(EVP_PKEY_cmp(pkey, pkey2), 1/* match */); + #else + ExpectIntEQ(EVP_PKEY_cmp(pkey, pkey2), 0); + #endif + + 
EC_KEY_free(ec_key); + EVP_PKEY_free(pkey2); + EVP_PKEY_free(pkey); + pkey = NULL; + } +#endif + + (void)bio; + (void)pkey; +#endif + return EXPECT_RESULT(); +} + diff --git a/tests/api/test_ossl_pem.h b/tests/api/test_ossl_pem.h new file mode 100644 index 00000000000..0f0539824c7 --- /dev/null +++ b/tests/api/test_ossl_pem.h 
@@ -0,0 +1,65 @@
+/* test_ossl_pem.h
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#ifndef WOLFCRYPT_TEST_SSL_PEM_H
+#define WOLFCRYPT_TEST_SSL_PEM_H
+
+#include
+
+int test_wolfSSL_PEM_def_callback(void);
+int test_wolfSSL_PEM_read_PrivateKey(void);
+int test_wolfSSL_PEM_read_PUBKEY(void);
+int test_wolfSSL_PEM_PrivateKey_rsa(void);
+int test_wolfSSL_PEM_PrivateKey_ecc(void);
+int test_wolfSSL_PEM_PrivateKey_dsa(void);
+int test_wolfSSL_PEM_PrivateKey_dh(void);
+int test_wolfSSL_PEM_PrivateKey(void);
+int test_wolfSSL_PEM_file_RSAKey(void);
+int test_wolfSSL_PEM_file_RSAPrivateKey(void);
+int test_wolfSSL_PEM_read_RSA_PUBKEY(void);
+int test_wolfSSL_PEM_read_bio(void);
+int test_wolfSSL_PEM_bio_RSAKey(void);
+int test_wolfSSL_PEM_bio_RSAPrivateKey(void);
+int test_wolfSSL_PEM_bio_DSAKey(void);
+int test_wolfSSL_PEM_bio_ECKey(void);
+int test_wolfSSL_PEM_PUBKEY(void);
+
+
+#define TEST_SSL_PEM_DECLS \
+ TEST_DECL_GROUP("ossl_pem", test_wolfSSL_PEM_def_callback), \
+ TEST_DECL_GROUP("ossl_pem", test_wolfSSL_PEM_read_PrivateKey), \
+ TEST_DECL_GROUP("ossl_pem", test_wolfSSL_PEM_read_PUBKEY), \
+ TEST_DECL_GROUP("ossl_pem", test_wolfSSL_PEM_PrivateKey_rsa), \
+ TEST_DECL_GROUP("ossl_pem", test_wolfSSL_PEM_PrivateKey_ecc), \
+ TEST_DECL_GROUP("ossl_pem", test_wolfSSL_PEM_PrivateKey_dsa), \
+ TEST_DECL_GROUP("ossl_pem", test_wolfSSL_PEM_PrivateKey_dh), \
+ TEST_DECL_GROUP("ossl_pem", test_wolfSSL_PEM_PrivateKey), \
+ TEST_DECL_GROUP("ossl_pem", test_wolfSSL_PEM_file_RSAKey), \
+ TEST_DECL_GROUP("ossl_pem", test_wolfSSL_PEM_file_RSAPrivateKey), \
+ TEST_DECL_GROUP("ossl_pem", test_wolfSSL_PEM_read_RSA_PUBKEY), \
+ TEST_DECL_GROUP("ossl_pem", test_wolfSSL_PEM_read_bio), \
+ TEST_DECL_GROUP("ossl_pem", test_wolfSSL_PEM_bio_RSAKey), \
+ TEST_DECL_GROUP("ossl_pem", test_wolfSSL_PEM_bio_RSAPrivateKey), \
+ TEST_DECL_GROUP("ossl_pem", test_wolfSSL_PEM_bio_DSAKey), \
+ TEST_DECL_GROUP("ossl_pem", test_wolfSSL_PEM_bio_ECKey), \
+ TEST_DECL_GROUP("ossl_pem", test_wolfSSL_PEM_PUBKEY)
+
+#endif /* WOLFCRYPT_TEST_SSL_PEM_H */
diff --git a/tests/api/test_ossl_x509.c b/tests/api/test_ossl_x509.c
new file mode 100644
index 00000000000..b198da11d9a
--- /dev/null
+++ b/tests/api/test_ossl_x509.c
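Review bot: The header carries two parallel lists — the seventeen prototypes and the seventeen `TEST_DECL_GROUP` entries in `TEST_SSL_PEM_DECLS` — with nothing stating that they must match, so a test that is later declared but left out of the macro compiles cleanly yet is never registered and never runs. A one-line comment above the macro, `/* Keep in sync with the prototypes above: every test must appear in both lists. */`, would make that contract explicit to the next person adding a case. The include guard `WOLFCRYPT_TEST_SSL_PEM_H` also does not reflect the file name `test_ossl_pem.h`; if the sibling `test_ossl_*.h` headers added by this commit use the same `WOLFCRYPT_TEST_SSL_*` pattern this is merely consistent, otherwise `WOLFSSL_TEST_OSSL_PEM_H` would be the less surprising choice. The doubled blank line before the `#define` is a nit.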
@@ -0,0 +1,1690 @@ +/* test_ossl_x509.c + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +#include + +#ifdef NO_INLINE + #include +#else + #define WOLFSSL_MISC_INCLUDED + #include +#endif + +#include +#include +#include +#include + +int test_x509_get_key_id(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_FILESYSTEM) && !defined(NO_RSA) + X509 *x509 = NULL; + const ASN1_STRING* str = NULL; + byte* keyId = NULL; + byte keyIdData[32]; + int len; + + ExpectNotNull(x509 = wolfSSL_X509_new()); + len = (int)sizeof(keyIdData); + ExpectNull(wolfSSL_X509_get_subjectKeyID(x509, NULL, NULL)); + ExpectNull(wolfSSL_X509_get_subjectKeyID(x509, keyIdData, &len)); + ExpectNull(wolfSSL_X509_get_authorityKeyID(x509, NULL, NULL)); + ExpectNull(wolfSSL_X509_get_authorityKeyID(x509, keyIdData, &len)); + wolfSSL_X509_free(x509); + x509 = NULL; + + ExpectNotNull(x509 = X509_load_certificate_file(cliCertFile, + WOLFSSL_FILETYPE_PEM)); + + ExpectNotNull(str = X509_get0_subject_key_id(x509)); + ExpectNull(wolfSSL_X509_get_subjectKeyID(NULL, NULL, NULL)); + ExpectNotNull(keyId = wolfSSL_X509_get_subjectKeyID(x509, NULL, NULL)); + ExpectBufEQ(keyId, ASN1_STRING_data((ASN1_STRING*)str), + ASN1_STRING_length(str)); + 
ExpectNotNull(keyId = wolfSSL_X509_get_subjectKeyID(x509, keyIdData, NULL)); + ExpectBufEQ(keyId, ASN1_STRING_data((ASN1_STRING*)str), + ASN1_STRING_length(str)); + len = (int)sizeof(keyIdData); + ExpectNotNull(keyId = wolfSSL_X509_get_subjectKeyID(x509, NULL, &len)); + ExpectBufEQ(keyId, ASN1_STRING_data((ASN1_STRING*)str), + ASN1_STRING_length(str)); + ExpectNotNull(wolfSSL_X509_get_subjectKeyID(x509, keyIdData, &len)); + ExpectIntEQ(len, ASN1_STRING_length(str)); + ExpectBufEQ(keyIdData, ASN1_STRING_data((ASN1_STRING*)str), + ASN1_STRING_length(str)); + ExpectBufEQ(keyId, ASN1_STRING_data((ASN1_STRING*)str), + ASN1_STRING_length(str)); + + ExpectNull(wolfSSL_X509_get_authorityKeyID(NULL, NULL, NULL)); + ExpectNotNull(wolfSSL_X509_get_authorityKeyID(x509, NULL, NULL)); + ExpectNotNull(wolfSSL_X509_get_authorityKeyID(x509, keyIdData, NULL)); + len = (int)sizeof(keyIdData); + ExpectNotNull(wolfSSL_X509_get_authorityKeyID(x509, NULL, &len)); + ExpectNotNull(wolfSSL_X509_get_authorityKeyID(x509, keyIdData, &len)); + ExpectIntEQ(len, 20); + + X509_free(x509); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_X509_get_version(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_FILESYSTEM) && !defined(NO_RSA) + WOLFSSL_X509 *x509 = NULL; + + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(svrCertFile, + WOLFSSL_FILETYPE_PEM)); + ExpectIntEQ((int)wolfSSL_X509_get_version(x509), 2); + wolfSSL_X509_free(x509); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_X509_cmp_time(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_ASN_TIME) \ +&& !defined(USER_TIME) && !defined(TIME_OVERRIDES) + WOLFSSL_ASN1_TIME asn_time; + time_t t; + + ExpectIntEQ(0, wolfSSL_X509_cmp_time(NULL, &t)); + XMEMSET(&asn_time, 0, sizeof(WOLFSSL_ASN1_TIME)); + ExpectIntEQ(0, wolfSSL_X509_cmp_time(&asn_time, &t)); + + ExpectIntEQ(ASN1_TIME_set_string(&asn_time, "000222211515Z"), 1); + ExpectIntEQ(-1, wolfSSL_X509_cmp_time(&asn_time, NULL)); + 
ExpectIntEQ(-1, wolfSSL_X509_cmp_current_time(&asn_time)); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_X509_time_adj(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_ASN_TIME) && \ + !defined(USER_TIME) && !defined(TIME_OVERRIDES) && \ + defined(USE_CERT_BUFFERS_2048) && !defined(NO_RSA) && \ + !defined(NO_ASN_TIME) + X509* x509 = NULL; + time_t t; + time_t not_before; + time_t not_after; + + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_buffer( + client_cert_der_2048, sizeof_client_cert_der_2048, + WOLFSSL_FILETYPE_ASN1)); + + t = 0; + not_before = wc_Time(0); + not_after = wc_Time(0) + (60 * 24 * 30); /* 30 days after */ + ExpectNotNull(X509_time_adj(X509_get_notBefore(x509), not_before, &t)); + ExpectNotNull(X509_time_adj(X509_get_notAfter(x509), not_after, &t)); + /* Check X509_gmtime_adj, too. */ + ExpectNotNull(X509_gmtime_adj(X509_get_notAfter(x509), not_after)); + + X509_free(x509); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_X509_NID(void) +{ + EXPECT_DECLS; +#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) && \ + !defined(NO_RSA) && defined(USE_CERT_BUFFERS_2048) && !defined(NO_ASN) + int sigType; + int nameSz = 0; + + X509* cert = NULL; + EVP_PKEY* pubKeyTmp = NULL; + X509_NAME* name = NULL; + + char commonName[80]; + char countryName[80]; + char localityName[80]; + char stateName[80]; + char orgName[80]; + char orgUnit[80]; + + /* ------ PARSE ORIGINAL SELF-SIGNED CERTIFICATE ------ */ + + /* convert cert from DER to internal WOLFSSL_X509 struct */ + ExpectNotNull(cert = wolfSSL_X509_d2i_ex(&cert, client_cert_der_2048, + sizeof_client_cert_der_2048, HEAP_HINT)); + + /* ------ EXTRACT CERTIFICATE ELEMENTS ------ */ + + /* extract PUBLIC KEY from cert */ + ExpectNotNull(pubKeyTmp = X509_get_pubkey(cert)); + + /* extract signatureType */ + ExpectIntEQ(wolfSSL_X509_get_signature_type(NULL), 0); + ExpectIntNE((sigType = wolfSSL_X509_get_signature_type(cert)), 0); + + /* extract subjectName 
info */ + ExpectNotNull(name = X509_get_subject_name(cert)); + ExpectIntEQ(X509_NAME_get_text_by_NID(name, -1, NULL, 0), -1); + ExpectIntEQ(X509_NAME_get_text_by_NID(NULL, NID_commonName, NULL, 0), -1); + ExpectIntEQ(X509_NAME_get_text_by_NID(name, NID_commonName, + commonName, -2), 0); + ExpectIntGT((nameSz = X509_NAME_get_text_by_NID(name, NID_commonName, + NULL, 0)), 0); + ExpectIntEQ(nameSz, 15); + ExpectIntGT((nameSz = X509_NAME_get_text_by_NID(name, NID_commonName, + commonName, sizeof(commonName))), 0); + ExpectIntEQ(nameSz, 15); + ExpectIntEQ(XMEMCMP(commonName, "www.wolfssl.com", nameSz), 0); + ExpectIntGT((nameSz = X509_NAME_get_text_by_NID(name, NID_commonName, + commonName, 9)), 0); + ExpectIntEQ(nameSz, 8); + ExpectIntEQ(XMEMCMP(commonName, "www.wolf", nameSz), 0); + + ExpectIntGT((nameSz = X509_NAME_get_text_by_NID(name, NID_countryName, + countryName, sizeof(countryName))), 0); + ExpectIntEQ(XMEMCMP(countryName, "US", nameSz), 0); + + ExpectIntGT((nameSz = X509_NAME_get_text_by_NID(name, NID_localityName, + localityName, sizeof(localityName))), 0); + ExpectIntEQ(XMEMCMP(localityName, "Bozeman", nameSz), 0); + + ExpectIntGT((nameSz = X509_NAME_get_text_by_NID(name, + NID_stateOrProvinceName, stateName, sizeof(stateName))), 0); + ExpectIntEQ(XMEMCMP(stateName, "Montana", nameSz), 0); + + ExpectIntGT((nameSz = X509_NAME_get_text_by_NID(name, NID_organizationName, + orgName, sizeof(orgName))), 0); + ExpectIntEQ(XMEMCMP(orgName, "wolfSSL_2048", nameSz), 0); + + ExpectIntGT((nameSz = X509_NAME_get_text_by_NID(name, + NID_organizationalUnitName, orgUnit, sizeof(orgUnit))), 0); + ExpectIntEQ(XMEMCMP(orgUnit, "Programming-2048", nameSz), 0); + + EVP_PKEY_free(pubKeyTmp); + X509_free(cert); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_i2d_X509_NAME_canon(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_ALL) && !defined(NO_CERTS) && \ + !defined(NO_FILESYSTEM) && !defined(NO_SHA) && \ + defined(WOLFSSL_CERT_GEN) && \ + (defined(WOLFSSL_CERT_REQ) || 
defined(WOLFSSL_CERT_EXT)) && !defined(NO_RSA) + const long ex_hash1 = 0x0fdb2da4; + const long ex_hash2 = 0x9f3e8c9e; + X509_NAME *name = NULL; + X509 *x509 = NULL; + XFILE file = XBADFILE; + unsigned long hash = 0; + byte digest[WC_MAX_DIGEST_SIZE] = {0}; + byte *pbuf = NULL; + word32 len = 0; + (void) ex_hash2; + + ExpectTrue((file = XFOPEN(caCertFile, "rb")) != XBADFILE); + ExpectNotNull(x509 = PEM_read_X509(file, NULL, NULL, NULL)); + ExpectNotNull(name = X509_get_issuer_name(x509)); + + /* When output buffer is NULL, should return necessary output buffer + * length.*/ + ExpectIntEQ(wolfSSL_i2d_X509_NAME_canon(NULL, NULL), BAD_FUNC_ARG); + ExpectIntGT(wolfSSL_i2d_X509_NAME_canon(name, NULL), 0); + ExpectIntGT((len = (word32)wolfSSL_i2d_X509_NAME_canon(name, &pbuf)), 0); + ExpectIntEQ(wc_ShaHash((const byte*)pbuf, (word32)len, digest), 0); + + hash = (((unsigned long)digest[3] << 24) | + ((unsigned long)digest[2] << 16) | + ((unsigned long)digest[1] << 8) | + ((unsigned long)digest[0])); + ExpectIntEQ(hash, ex_hash1); + + if (file != XBADFILE) { + XFCLOSE(file); + file = XBADFILE; + } + X509_free(x509); + x509 = NULL; + XFREE(pbuf, NULL, DYNAMIC_TYPE_OPENSSL); + pbuf = NULL; + + ExpectTrue((file = XFOPEN(cliCertFile, "rb")) != XBADFILE); + ExpectNotNull(x509 = PEM_read_X509(file, NULL, NULL, NULL)); + ExpectNotNull(name = X509_get_issuer_name(x509)); + + ExpectIntGT((len = (word32)wolfSSL_i2d_X509_NAME_canon(name, &pbuf)), 0); + ExpectIntEQ(wc_ShaHash((const byte*)pbuf, (word32)len, digest), 0); + + hash = (((unsigned long)digest[3] << 24) | + ((unsigned long)digest[2] << 16) | + ((unsigned long)digest[1] << 8) | + ((unsigned long)digest[0])); + + ExpectIntEQ(hash, ex_hash2); + + if (file != XBADFILE) + XFCLOSE(file); + X509_free(x509); + XFREE(pbuf, NULL, DYNAMIC_TYPE_OPENSSL); +#endif + return EXPECT_RESULT(); +} + + +int test_wolfSSL_X509_subject_name_hash(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_FILESYSTEM) 
&& \
+ !defined(NO_RSA) && (!defined(NO_SHA) || !defined(NO_SHA256))
+ X509* x509 = NULL;
+ X509_NAME* subjectName = NULL;
+ unsigned long ret1 = 0;
+ unsigned long ret2 = 0;
+
+ ExpectNotNull(x509 = X509_new());
+ ExpectIntEQ(X509_subject_name_hash(NULL), 0);
+ ExpectIntEQ(X509_subject_name_hash(x509), 0);
+ X509_free(x509);
+ x509 = NULL;
+
+ ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFile,
+ SSL_FILETYPE_PEM));
+ ExpectNotNull(subjectName = wolfSSL_X509_get_subject_name(x509));
+
+ /* These two
+ * - X509_subject_name_hash(x509)
+ * - X509_NAME_hash(X509_get_subject_name(x509))
+ * should give the same hash, if !defined(NO_SHA) is true. */
+
+ ret1 = X509_subject_name_hash(x509);
+ ExpectIntNE(ret1, 0);
+
+#if !defined(NO_SHA)
+ ret2 = X509_NAME_hash(X509_get_subject_name(x509));
+ ExpectIntNE(ret2, 0);
+
+ ExpectIntEQ(ret1, ret2);
+#else
+ (void) ret2;
+#endif
+
+ X509_free(x509);
+#endif
+ return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509_issuer_name_hash(void)
+{
+ EXPECT_DECLS;
+#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_FILESYSTEM) \
+ && !defined(NO_RSA) && (!defined(NO_SHA) || !defined(NO_SHA256))
+ X509* x509 = NULL;
+ X509_NAME* issuertName = NULL;
+ unsigned long ret1 = 0;
+ unsigned long ret2 = 0;
+
+ ExpectNotNull(x509 = X509_new());
+ ExpectIntEQ(X509_issuer_name_hash(NULL), 0);
+ ExpectIntEQ(X509_issuer_name_hash(x509), 0);
+ X509_free(x509);
+ x509 = NULL;
+
+ ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFile,
+ SSL_FILETYPE_PEM));
+ ExpectNotNull(issuertName = wolfSSL_X509_get_issuer_name(x509));
+
+ /* These two
+ * - X509_issuer_name_hash(x509)
+ * - X509_NAME_hash(X509_get_issuer_name(x509))
+ * should give the same hash, if !defined(NO_SHA) is true. */
+
+ ret1 = X509_issuer_name_hash(x509);
+ ExpectIntNE(ret1, 0);
+
+#if !defined(NO_SHA)
+ ret2 = X509_NAME_hash(X509_get_issuer_name(x509));
+ ExpectIntNE(ret2, 0);
+
+ ExpectIntEQ(ret1, ret2);
+#else
+ (void) ret2;
+#endif
+
+ X509_free(x509);
+#endif
+ return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509_check_host(void)
+{
+ EXPECT_DECLS;
+#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_FILESYSTEM) \
+ && !defined(NO_SHA) && !defined(NO_RSA)
+ X509* x509 = NULL;
+ const char altName[] = "example.com";
+ const char badAltName[] = "a.example.com";
+
+ ExpectIntEQ(X509_check_host(NULL, NULL, XSTRLEN(altName), 0, NULL),
+ WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
+
+ /* cliCertFile has subjectAltName set to 'example.com', '127.0.0.1' */
+ ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFile,
+ SSL_FILETYPE_PEM));
+
+ ExpectIntEQ(X509_check_host(x509, altName, XSTRLEN(altName), 0, NULL),
+ WOLFSSL_SUCCESS);
+
+ ExpectIntEQ(X509_check_host(x509, badAltName, XSTRLEN(badAltName), 0, NULL),
+ WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
+
+ ExpectIntEQ(X509_check_host(x509, NULL, 0, 0, NULL),
+ WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
+
+ /* Check WOLFSSL_LEFT_MOST_WILDCARD_ONLY flag set */
+ ExpectIntEQ(X509_check_host(x509, altName, XSTRLEN(altName),
+ WOLFSSL_LEFT_MOST_WILDCARD_ONLY, NULL), WOLFSSL_SUCCESS);
+
+ ExpectIntEQ(X509_check_host(x509, NULL, 0,
+ WOLFSSL_LEFT_MOST_WILDCARD_ONLY, NULL),
+ WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
+
+ ExpectIntEQ(X509_check_host(x509, badAltName, XSTRLEN(badAltName),
+ WOLFSSL_LEFT_MOST_WILDCARD_ONLY, NULL),
+ WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
+
+ ExpectIntEQ(wolfSSL_X509_check_host(x509, altName, XSTRLEN(altName),
+ WOLFSSL_NO_WILDCARDS, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
+ ExpectIntEQ(wolfSSL_X509_check_host(x509, altName, XSTRLEN(altName),
+ WOLFSSL_NO_PARTIAL_WILDCARDS, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
+ ExpectIntEQ(wolfSSL_X509_check_host(x509, altName, XSTRLEN(altName),
+ WOLFSSL_MULTI_LABEL_WILDCARDS, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
+
+ X509_free(x509);
+
+ ExpectIntEQ(X509_check_host(NULL, altName, XSTRLEN(altName), 0, NULL),
+ WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
+
+ /* Check again with WOLFSSL_LEFT_MOST_WILDCARD_ONLY flag set */
+ ExpectIntEQ(X509_check_host(NULL, altName, XSTRLEN(altName),
+ WOLFSSL_LEFT_MOST_WILDCARD_ONLY, NULL),
+ WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
+#endif
+ return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509_check_email(void)
+{
+ EXPECT_DECLS;
+#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_CERT_GEN) && !defined(NO_RSA)
+ X509* x509 = NULL;
+ X509* empty = NULL;
+ const char goodEmail[] = "info@wolfssl.com";
+ const char badEmail[] = "disinfo@wolfssl.com";
+
+ ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFile,
+ SSL_FILETYPE_PEM));
+ ExpectNotNull(empty = wolfSSL_X509_new());
+
+ ExpectIntEQ(wolfSSL_X509_check_email(NULL, NULL, 0, 0), 0);
+ ExpectIntEQ(wolfSSL_X509_check_email(x509, NULL, 0, 0), 0);
+ ExpectIntEQ(wolfSSL_X509_check_email(NULL, goodEmail, XSTRLEN(goodEmail),
+ 0), 0);
+ ExpectIntEQ(wolfSSL_X509_check_email(empty, goodEmail, XSTRLEN(goodEmail),
+ 0), 0);
+
+ /* Should fail on non-matching email address */
+ ExpectIntEQ(wolfSSL_X509_check_email(x509, badEmail, XSTRLEN(badEmail), 0),
+ WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
+ /* Should succeed on matching email address */
+ ExpectIntEQ(wolfSSL_X509_check_email(x509, goodEmail, XSTRLEN(goodEmail),
+ 0), WOLFSSL_SUCCESS);
+ /* Should compute length internally when not provided */
+ ExpectIntEQ(wolfSSL_X509_check_email(x509, goodEmail, 0, 0),
+ WOLFSSL_SUCCESS);
+ /* Should fail when email address is NULL */
+ ExpectIntEQ(wolfSSL_X509_check_email(x509, NULL, 0, 0),
+ WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
+
+ X509_free(empty);
+ X509_free(x509);
+
+ /* Should fail when x509 is NULL */
+ ExpectIntEQ(wolfSSL_X509_check_email(NULL, goodEmail, 0, 0),
+ WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
+#endif /* OPENSSL_EXTRA && WOLFSSL_CERT_GEN */
+ return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509(void)
+{
+ EXPECT_DECLS;
+#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_FILESYSTEM) && \
+ !defined(NO_RSA)
+ X509* x509 = NULL;
+#ifndef NO_BIO
+ BIO* bio = NULL;
+ X509_STORE_CTX* ctx = NULL;
+ X509_STORE* store = NULL;
+#endif
+ char der[] = "certs/ca-cert.der";
+ XFILE fp = XBADFILE;
+ int derSz = 0;
+
+#ifndef NO_BIO
+ ExpectNotNull(bio = BIO_new(BIO_s_mem()));
+#endif
+
+ ExpectNotNull(x509 = X509_new());
+ ExpectNull(wolfSSL_X509_get_der(x509, &derSz));
+#if !defined(NO_BIO) && defined(WOLFSSL_CERT_GEN)
+ ExpectIntEQ(i2d_X509_bio(bio, x509), WOLFSSL_FAILURE);
+#endif
+ ExpectNull(wolfSSL_X509_dup(x509));
+ X509_free(x509);
+ x509 = NULL;
+
+#ifndef NO_BIO
+ ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFile,
+ SSL_FILETYPE_PEM));
+
+#ifdef WOLFSSL_CERT_GEN
+ ExpectIntEQ(i2d_X509_bio(NULL, NULL), WOLFSSL_FAILURE);
+ ExpectIntEQ(i2d_X509_bio(bio, NULL), WOLFSSL_FAILURE);
+ ExpectIntEQ(i2d_X509_bio(NULL, x509), WOLFSSL_FAILURE);
+ ExpectIntEQ(i2d_X509_bio(bio, x509), SSL_SUCCESS);
+#endif
+
+ ExpectNotNull(ctx = X509_STORE_CTX_new());
+
+ ExpectIntEQ(X509_verify_cert(ctx), WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR));
+ ExpectNotNull(wolfSSL_X509_verify_cert_error_string(CRL_MISSING));
+
+ ExpectNotNull(store = X509_STORE_new());
+ ExpectIntEQ(X509_STORE_add_cert(store, x509), SSL_SUCCESS);
+ ExpectIntEQ(X509_STORE_CTX_init(ctx, store, x509, NULL), SSL_SUCCESS);
+ ExpectIntEQ(X509_verify_cert(ctx), SSL_SUCCESS);
+
+#ifndef NO_WOLFSSL_STUB
+ ExpectNull(X509_get_default_cert_file_env());
+ ExpectNull(X509_get_default_cert_file());
+ ExpectNull(X509_get_default_cert_dir_env());
+ ExpectNull(X509_get_default_cert_dir());
+#endif
+
+ ExpectNull(wolfSSL_X509_get_der(NULL, NULL));
+ ExpectNull(wolfSSL_X509_get_der(x509, NULL));
+ ExpectNull(wolfSSL_X509_get_der(NULL, &derSz));
+
+ ExpectIntEQ(wolfSSL_X509_version(NULL), 0);
+ ExpectIntEQ(wolfSSL_X509_version(x509), 3);
+
+ X509_STORE_CTX_free(ctx);
+ X509_STORE_free(store);
+ X509_free(x509);
+ x509 = NULL;
+ BIO_free(bio);
+ bio = NULL;
+#endif
+
+ /** d2i_X509_fp test **/
+ ExpectTrue((fp = XFOPEN(der, "rb")) != XBADFILE);
+ ExpectNotNull(x509 = (X509 *)d2i_X509_fp(fp, (X509 **)NULL));
+ ExpectNotNull(x509);
+
+#ifdef HAVE_EX_DATA_CRYPTO
+ ExpectIntEQ(wolfSSL_X509_get_ex_new_index(1, NULL, NULL, NULL, NULL), 0);
+#endif
+ ExpectNull(wolfSSL_X509_get_ex_data(NULL, 1));
+ ExpectNull(wolfSSL_X509_get_ex_data(x509, 1));
+#ifdef HAVE_EX_DATA
+ ExpectIntEQ(wolfSSL_X509_set_ex_data(NULL, 1, der), 0);
+ ExpectIntEQ(wolfSSL_X509_set_ex_data(x509, 1, der), 1);
+ ExpectPtrEq(wolfSSL_X509_get_ex_data(x509, 1), der);
+#else
+ ExpectIntEQ(wolfSSL_X509_set_ex_data(NULL, 1, der), 0);
+ ExpectIntEQ(wolfSSL_X509_set_ex_data(x509, 1, der), 0);
+ ExpectNull(wolfSSL_X509_get_ex_data(x509, 1));
+#endif
+
+ X509_free(x509);
+ x509 = NULL;
+ if (fp != XBADFILE) {
+ XFCLOSE(fp);
+ fp = XBADFILE;
+ }
+ ExpectTrue((fp = XFOPEN(der, "rb")) != XBADFILE);
+ ExpectNull((X509 *)d2i_X509_fp(XBADFILE, (X509 **)&x509));
+ ExpectNotNull((X509 *)d2i_X509_fp(fp, (X509 **)&x509));
+ ExpectNotNull(x509);
+ X509_free(x509);
+ x509 = NULL;
+ if (fp != XBADFILE)
+ XFCLOSE(fp);
+
+#ifndef NO_BIO
+ ExpectNotNull(bio = BIO_new_file(der, "rb"));
+ ExpectNull(d2i_X509_bio(NULL, &x509));
+ ExpectNotNull(x509 = d2i_X509_bio(bio, NULL));
+ ExpectNotNull(x509);
+ X509_free(x509);
+ BIO_free(bio);
+ bio = NULL;
+#endif
+
+ /* X509_up_ref test */
+ ExpectIntEQ(X509_up_ref(NULL), 0);
+ ExpectNotNull(x509 = X509_new()); /* refCount = 1 */
+ ExpectIntEQ(X509_up_ref(x509), 1); /* refCount = 2 */
+ ExpectIntEQ(X509_up_ref(x509), 1); /* refCount = 3 */
+ X509_free(x509); /* refCount = 2 */
+ X509_free(x509); /* refCount = 1 */
+ X509_free(x509); /* refCount = 0, free */
+
+#endif
+ return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509_get0_tbs_sigalg(void)
+{
+ EXPECT_DECLS;
+#if (defined(OPENSSL_ALL) || defined(WOLFSSL_APACHE_HTTPD))
+ X509* x509 = NULL;
+ const X509_ALGOR* alg;
+
+ ExpectNotNull(x509 = X509_new());
+
+ ExpectNull(alg = X509_get0_tbs_sigalg(NULL));
+ ExpectNotNull(alg = X509_get0_tbs_sigalg(x509));
+
+ X509_free(x509);
+#endif
+ return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509_set_name(void)
+{
+ EXPECT_DECLS;
+#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \
+ defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_REQ)
+ X509* x509 = NULL;
+ X509_NAME* name = NULL;
+
+ ExpectNotNull(name = X509_NAME_new());
+ ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8,
+ (byte*)"wolfssl.com", 11, 0, 1),
+ WOLFSSL_SUCCESS);
+ ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "emailAddress", MBSTRING_UTF8,
+ (byte*)"support@wolfssl.com", 19, -1,
+ 1), WOLFSSL_SUCCESS);
+ ExpectNotNull(x509 = X509_new());
+
+ ExpectIntEQ(X509_set_subject_name(NULL, NULL),
+ WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
+ ExpectIntEQ(X509_set_subject_name(x509, NULL),
+ WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
+ ExpectIntEQ(X509_set_subject_name(NULL, name),
+ WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
+ ExpectIntEQ(X509_set_subject_name(x509, name), WOLFSSL_SUCCESS);
+
+ ExpectIntEQ(X509_set_issuer_name(NULL, NULL),
+ WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
+ ExpectIntEQ(X509_set_issuer_name(x509, NULL),
+ WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
+ ExpectIntEQ(X509_set_issuer_name(NULL, name),
+ WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
+ ExpectIntEQ(X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
+
+ X509_free(x509);
+ X509_NAME_free(name);
+#endif /* OPENSSL_ALL && !NO_CERTS */
+ return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509_set_notAfter(void)
+{
+ EXPECT_DECLS;
+#if (defined(OPENSSL_ALL) || defined(WOLFSSL_APACHE_HTTPD)) \
+ && !defined(NO_ASN_TIME) && !defined(USER_TIME) && \
+ !defined(TIME_OVERRIDES) && !defined(NO_CERTS) && \
+ defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_REQ) &&\
+ !defined(TIME_T_NOT_64BIT) && !defined(NO_64BIT) && !defined(NO_BIO)
+ /* Generalized time will overflow time_t if not long */
+ X509* x = NULL;
+ BIO* bio = NULL;
+ ASN1_TIME *asn_time = NULL;
+ ASN1_TIME *time_check = NULL;
+ const int year = 365*24*60*60;
+ const int day = 24*60*60;
+ const int hour = 60*60;
+ const int mini = 60;
+ int offset_day;
+ unsigned char buf[25];
+ time_t t;
+
+ /*
+ * Setup asn_time. APACHE HTTPD uses time(NULL)
+ */
+ t = (time_t)107 * year + 31 * day + 34 * hour + 30 * mini + 7 * day;
+ offset_day = 7;
+ /*
+ * Free these.
+ */
+ asn_time = wolfSSL_ASN1_TIME_adj(NULL, t, offset_day, 0);
+ ExpectNotNull(asn_time);
+ ExpectNotNull(x = X509_new());
+ ExpectNotNull(bio = BIO_new(BIO_s_mem()));
+ /*
+ * Tests
+ */
+ ExpectTrue(wolfSSL_X509_set_notAfter(x, asn_time));
+ /* time_check is simply (ANS1_TIME*)x->notAfter */
+ ExpectNotNull(time_check = X509_get_notAfter(x));
+ /* ANS1_TIME_check validates by checking if argument can be parsed */
+ ExpectIntEQ(ASN1_TIME_check(time_check), WOLFSSL_SUCCESS);
+ /* Convert to human readable format and compare to intended date */
+ ExpectIntEQ(ASN1_TIME_print(bio, time_check), 1);
+ ExpectIntEQ(BIO_read(bio, buf, sizeof(buf)), 24);
+ ExpectIntEQ(XMEMCMP(buf, "Jan 20 10:30:00 2077 GMT", sizeof(buf) - 1), 0);
+
+ ExpectFalse(wolfSSL_X509_set_notAfter(NULL, NULL));
+ ExpectFalse(wolfSSL_X509_set_notAfter(x, NULL));
+ ExpectFalse(wolfSSL_X509_set_notAfter(NULL, asn_time));
+
+ /*
+ * Cleanup
+ */
+ XFREE(asn_time, NULL, DYNAMIC_TYPE_OPENSSL);
+ X509_free(x);
+ BIO_free(bio);
+#endif
+ return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509_set_notBefore(void)
+{
+ EXPECT_DECLS;
+#if (defined(OPENSSL_ALL) || defined(WOLFSSL_APACHE_HTTPD)) \
+ && !defined(NO_ASN_TIME) && !defined(USER_TIME) && \
+ !defined(TIME_OVERRIDES) && !defined(NO_CERTS) && \
+ defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_REQ) && !defined(NO_BIO)
+ X509* x = NULL;
+ BIO* bio = NULL;
+ ASN1_TIME *asn_time = NULL;
+ ASN1_TIME *time_check = NULL;
+ const int year = 365*24*60*60;
+ const int day = 24*60*60;
+ const int hour = 60*60;
+ const int mini = 60;
+ int offset_day;
+ unsigned char buf[25];
+ time_t t;
+
+ /*
+ * Setup asn_time. APACHE HTTPD uses time(NULL)
+ */
+ t = (time_t)49 * year + 125 * day + 20 * hour + 30 * mini + 7 * day;
+ offset_day = 7;
+
+ /*
+ * Free these.
+ */
+ asn_time = wolfSSL_ASN1_TIME_adj(NULL, t, offset_day, 0);
+ ExpectNotNull(asn_time);
+ ExpectNotNull(x = X509_new());
+ ExpectNotNull(bio = BIO_new(BIO_s_mem()));
+ ExpectIntEQ(ASN1_TIME_check(asn_time), WOLFSSL_SUCCESS);
+
+ /*
+ * Main Tests
+ */
+ ExpectTrue(wolfSSL_X509_set_notBefore(x, asn_time));
+ /* time_check == (ANS1_TIME*)x->notBefore */
+ ExpectNotNull(time_check = X509_get_notBefore(x));
+ /* ANS1_TIME_check validates by checking if argument can be parsed */
+ ExpectIntEQ(ASN1_TIME_check(time_check), WOLFSSL_SUCCESS);
+ /* Convert to human readable format and compare to intended date */
+ ExpectIntEQ(ASN1_TIME_print(bio, time_check), 1);
+ ExpectIntEQ(BIO_read(bio, buf, sizeof(buf)), 24);
+ ExpectIntEQ(XMEMCMP(buf, "May 8 20:30:00 2019 GMT", sizeof(buf) - 1), 0);
+
+ ExpectFalse(wolfSSL_X509_set_notBefore(NULL, NULL));
+ ExpectFalse(wolfSSL_X509_set_notBefore(x, NULL));
+ ExpectFalse(wolfSSL_X509_set_notBefore(NULL, asn_time));
+
+ ExpectNull(X509_get_notBefore(NULL));
+ ExpectNull(X509_get_notAfter(NULL));
+
+ /*
+ * Cleanup
+ */
+ XFREE(asn_time, NULL, DYNAMIC_TYPE_OPENSSL);
+ X509_free(x);
+ BIO_free(bio);
+#endif
+ return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509_set_version(void)
+{
+ EXPECT_DECLS;
+#if (defined(OPENSSL_ALL) || defined(WOLFSSL_APACHE_HTTPD)) && \
+ !defined(NO_CERTS) && defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_REQ)
+ X509* x509 = NULL;
+ long v = 2L;
+ long maxInt = INT_MAX;
+
+ ExpectNotNull(x509 = X509_new());
+ /* These should pass. */
+ ExpectTrue(wolfSSL_X509_set_version(x509, v));
+ ExpectIntEQ(0, wolfSSL_X509_get_version(NULL));
+ ExpectIntEQ(v, wolfSSL_X509_get_version(x509));
+ /* Fail Case: When v(long) is greater than x509->version(int). */
+ v = maxInt+1;
+ ExpectFalse(wolfSSL_X509_set_version(x509, v));
+
+ ExpectIntEQ(wolfSSL_X509_set_version(NULL, -1), WOLFSSL_FAILURE);
+ ExpectIntEQ(wolfSSL_X509_set_version(NULL, 1), WOLFSSL_FAILURE);
+ ExpectIntEQ(wolfSSL_X509_set_version(x509, -1), WOLFSSL_FAILURE);
+ ExpectIntEQ(wolfSSL_X509_set_version(NULL, maxInt+1), WOLFSSL_FAILURE);
+
+ /* Cleanup */
+ X509_free(x509);
+#endif
+ return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509_get_serialNumber(void)
+{
+ EXPECT_DECLS;
+#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_RSA) && \
+ !defined(NO_FILESYSTEM)
+ ASN1_INTEGER* a = NULL;
+ BIGNUM* bn = NULL;
+ X509* x509 = NULL;
+ X509* empty = NULL;
+ char *serialHex = NULL;
+ byte serial[3];
+ int serialSz;
+
+ ExpectNotNull(empty = wolfSSL_X509_new());
+ ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(svrCertFile,
+ SSL_FILETYPE_PEM));
+ ExpectNull(X509_get_serialNumber(NULL));
+ ExpectNotNull(X509_get_serialNumber(empty));
+ ExpectNotNull(a = X509_get_serialNumber(x509));
+
+ /* check on value of ASN1 Integer */
+ ExpectNotNull(bn = ASN1_INTEGER_to_BN(a, NULL));
+ a = NULL;
+
+ /* test setting serial number and then retrieving it */
+ ExpectNotNull(a = ASN1_INTEGER_new());
+ ExpectIntEQ(ASN1_INTEGER_set(a, 3), 1);
+ ExpectIntEQ(X509_set_serialNumber(NULL, NULL), WOLFSSL_FAILURE);
+ ExpectIntEQ(X509_set_serialNumber(x509, NULL), WOLFSSL_FAILURE);
+ ExpectIntEQ(X509_set_serialNumber(NULL, a), WOLFSSL_FAILURE);
+ ExpectIntEQ(X509_set_serialNumber(x509, a), WOLFSSL_SUCCESS);
+ ExpectIntEQ(wolfSSL_X509_get_serial_number(NULL, serial, NULL),
+ BAD_FUNC_ARG);
+ ExpectIntEQ(wolfSSL_X509_get_serial_number(NULL, serial, &serialSz),
+ BAD_FUNC_ARG);
+ ExpectIntEQ(wolfSSL_X509_get_serial_number(x509, serial, NULL),
+ BAD_FUNC_ARG);
+ serialSz = 0;
+ ExpectIntEQ(wolfSSL_X509_get_serial_number(x509, serial, &serialSz),
+ BUFFER_E);
+ ExpectIntEQ(wolfSSL_X509_get_serial_number(x509, NULL, &serialSz),
+ WOLFSSL_SUCCESS);
+ ExpectIntEQ(serialSz, 1);
+ serialSz = sizeof(serial);
+ ExpectIntEQ(wolfSSL_X509_get_serial_number(x509, serial, &serialSz),
+ WOLFSSL_SUCCESS);
+ ExpectIntEQ(serialSz, 1);
+ ExpectIntEQ(serial[0], 3);
+ ASN1_INTEGER_free(a);
+ a = NULL;
+
+ /* test setting serial number with 0's in it */
+ serial[0] = 0x01;
+ serial[1] = 0x00;
+ serial[2] = 0x02;
+
+ ExpectNotNull(a = wolfSSL_ASN1_INTEGER_new());
+ if (a != NULL) {
+ a->data[0] = ASN_INTEGER;
+ a->data[1] = sizeof(serial);
+ XMEMCPY(&a->data[2], serial, sizeof(serial));
+ a->length = sizeof(serial) + 2;
+ }
+ ExpectIntEQ(X509_set_serialNumber(x509, a), WOLFSSL_SUCCESS);
+
+ XMEMSET(serial, 0, sizeof(serial));
+ serialSz = sizeof(serial);
+ ExpectIntEQ(wolfSSL_X509_get_serial_number(x509, serial, &serialSz),
+ WOLFSSL_SUCCESS);
+ ExpectIntEQ(serialSz, 3);
+ ExpectIntEQ(serial[0], 0x01);
+ ExpectIntEQ(serial[1], 0x00);
+ ExpectIntEQ(serial[2], 0x02);
+ ASN1_INTEGER_free(a);
+ a = NULL;
+
+ X509_free(x509); /* free's a */
+ X509_free(empty);
+
+ ExpectNotNull(serialHex = BN_bn2hex(bn));
+#ifndef WC_DISABLE_RADIX_ZERO_PAD
+ ExpectStrEQ(serialHex, "01");
+#else
+ ExpectStrEQ(serialHex, "1");
+#endif
+ OPENSSL_free(serialHex);
+ ExpectIntEQ(BN_get_word(bn), 1);
+ BN_free(bn);
+ /* hard test free'ing with dynamic buffer to make sure there is no leaks */
+ ExpectNotNull(a = ASN1_INTEGER_new());
+ if (a != NULL) {
+ ExpectNotNull(a->data = (unsigned char*)XMALLOC(100, NULL,
+ DYNAMIC_TYPE_OPENSSL));
+ a->isDynamic = 1;
+ ASN1_INTEGER_free(a);
+ }
+#endif
+ return EXPECT_RESULT();
+}
+
+int test_wolfSSL_get_tbs(void)
+{
+ EXPECT_DECLS;
+#if !defined(NO_CERTS) && !defined(NO_RSA) && !defined(NO_FILESYSTEM) \
+ && defined(OPENSSL_EXTRA)
+ WOLFSSL_X509* x509 = NULL;
+ const unsigned char* tbs;
+ int tbsSz;
+
+ ExpectNotNull(x509 = wolfSSL_X509_new());
+ ExpectNull(tbs = wolfSSL_X509_get_tbs(x509, &tbsSz));
+ wolfSSL_X509_free(x509);
+ x509 = NULL;
+
+ ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(caCertFile,
+ WOLFSSL_FILETYPE_PEM));
+
+ ExpectNull(tbs = wolfSSL_X509_get_tbs(NULL, &tbsSz));
+ ExpectNull(tbs = wolfSSL_X509_get_tbs(x509, NULL));
+ ExpectNotNull(tbs = wolfSSL_X509_get_tbs(x509, &tbsSz));
+ ExpectIntEQ(tbsSz, 1003);
+
+ wolfSSL_FreeX509(x509);
+#endif
+ return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509_ext_get_critical_by_NID(void)
+{
+ EXPECT_DECLS;
+#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS)
+ WOLFSSL_X509* x509 = NULL;
+
+ ExpectNotNull(x509 = wolfSSL_X509_new());
+ ExpectIntEQ(wolfSSL_X509_ext_get_critical_by_NID(NULL,
+ WC_NID_basic_constraints), 0);
+ ExpectIntEQ(wolfSSL_X509_ext_get_critical_by_NID(x509,
+ WC_NID_basic_constraints), 0);
+ ExpectIntEQ(wolfSSL_X509_ext_get_critical_by_NID(x509,
+ WC_NID_subject_alt_name), 0);
+ ExpectIntEQ(wolfSSL_X509_ext_get_critical_by_NID(x509,
+ WC_NID_authority_key_identifier), 0);
+ ExpectIntEQ(wolfSSL_X509_ext_get_critical_by_NID(x509,
+ WC_NID_subject_key_identifier), 0);
+ ExpectIntEQ(wolfSSL_X509_ext_get_critical_by_NID(x509,
+ WC_NID_key_usage), 0);
+ ExpectIntEQ(wolfSSL_X509_ext_get_critical_by_NID(x509,
+ WC_NID_crl_distribution_points), 0);
+ ExpectIntEQ(wolfSSL_X509_ext_get_critical_by_NID(x509,
+ WC_NID_ext_key_usage), 0);
+#ifdef WOLFSSL_SEP
+ ExpectIntEQ(wolfSSL_X509_ext_get_critical_by_NID(x509,
+ WC_NID_certificate_policies), 0);
+#endif
+ ExpectIntEQ(wolfSSL_X509_ext_get_critical_by_NID(x509,
+ WC_NID_info_access), 0);
+ wolfSSL_X509_free(x509);
+#endif
+ return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509_CRL_distribution_points(void)
+{
+ EXPECT_DECLS;
+#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_RSA) && \
+ !defined(NO_FILESYSTEM)
+ WOLFSSL_X509* x509 = NULL;
+ const char* file = "./certs/client-crl-dist.pem";
+
+ ExpectIntEQ(wolfSSL_X509_ext_isSet_by_NID(NULL,
+ WC_NID_crl_distribution_points), 0);
+
+ ExpectNotNull(x509 = wolfSSL_X509_new());
+ ExpectIntEQ(wolfSSL_X509_ext_isSet_by_NID(x509,
+ WC_NID_crl_distribution_points), 0);
+ wolfSSL_X509_free(x509);
+ x509 = NULL;
+
+ ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(file,
+ WOLFSSL_FILETYPE_PEM));
+ ExpectIntEQ(wolfSSL_X509_ext_isSet_by_NID(x509,
+ WC_NID_crl_distribution_points), 1);
+ wolfSSL_X509_free(x509);
+#endif
+ return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509_check_ip_asc(void)
+{
+ EXPECT_DECLS;
+#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_FILESYSTEM)
+ WOLFSSL_X509 *x509 = NULL;
+ WOLFSSL_X509 *empty = NULL;
+
+ ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFile,
+ WOLFSSL_FILETYPE_PEM));
+ ExpectNotNull(empty = wolfSSL_X509_new());
+
+#if 0
+ /* TODO: add cert gen for testing positive case */
+ ExpectIntEQ(wolfSSL_X509_check_ip_asc(x509, "127.0.0.1", 0), 1);
+#endif
+ ExpectIntEQ(wolfSSL_X509_check_ip_asc(x509, "0.0.0.0", 0), 0);
+ ExpectIntEQ(wolfSSL_X509_check_ip_asc(x509, NULL, 0), 0);
+ ExpectIntEQ(wolfSSL_X509_check_ip_asc(NULL, NULL, 0), 0);
+ ExpectIntEQ(wolfSSL_X509_check_ip_asc(NULL, "0.0.0.0", 0), 0);
+ ExpectIntEQ(wolfSSL_X509_check_ip_asc(empty, "127.128.0.255", 0), 0);
+
+ wolfSSL_X509_free(empty);
+ wolfSSL_X509_free(x509);
+#endif
+ return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509_bad_altname(void)
+{
+ EXPECT_DECLS;
+#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_RSA)
+ const unsigned char malformed_alt_name_cert[] = {
+ 0x30, 0x82, 0x02, 0xf9, 0x30, 0x82, 0x01, 0xe1, 0xa0, 0x03, 0x02, 0x01,
+ 0x02, 0x02, 0x02, 0x10, 0x21, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48,
+ 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x0f, 0x31, 0x0d,
+ 0x30, 0x0b, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x04, 0x61, 0x61, 0x31,
+ 0x31, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x32, 0x30, 0x37, 0x31,
+ 0x37, 0x32, 0x34, 0x30, 0x30, 0x5a, 0x17, 0x0d, 0x33, 0x34, 0x30, 0x32,
+ 0x31, 0x34, 0x30, 0x36, 0x32, 0x36, 0x35, 0x33, 0x5a, 0x30, 0x0f, 0x31,
+ 0x0d, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x04, 0x61, 0x61,
+ 0x61, 0x61, 0x30, 0x82, 0x01, 0x20, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86,
+ 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01,
+ 0x0d, 0x00, 0x30, 0x82, 0x01, 0x08, 0x02, 0x82, 0x01, 0x01, 0x00, 0xa8,
+ 0x8a, 0x5e, 0x26, 0x23, 0x1b, 0x31, 0xd3, 0x37, 0x1a, 0x70, 0xb2, 0xec,
+ 0x3f, 0x74, 0xd4, 0xb4, 0x44, 0xe3, 0x7a, 0xa5, 0xc0, 0xf5, 0xaa, 0x97,
+ 0x26, 0x9a, 0x04, 0xff, 0xda, 0xbe, 0xe5, 0x09, 0x03, 0x98, 0x3d, 0xb5,
+ 0xbf, 0x01, 0x2c, 0x9a, 0x0a, 0x3a, 0xfb, 0xbc, 0x3c, 0xe7, 0xbe, 0x83,
+ 0x5c, 0xb3, 0x70, 0xe8, 0x5c, 0xe3, 0xd1, 0x83, 0xc3, 0x94, 0x08, 0xcd,
+ 0x1a, 0x87, 0xe5, 0xe0, 0x5b, 0x9c, 0x5c, 0x6e, 0xb0, 0x7d, 0xe2, 0x58,
+ 0x6c, 0xc3, 0xb5, 0xc8, 0x9d, 0x11, 0xf1, 0x5d, 0x96, 0x0d, 0x66, 0x1e,
+ 0x56, 0x7f, 0x8f, 0x59, 0xa7, 0xa5, 0xe1, 0xc5, 0xe7, 0x81, 0x4c, 0x09,
+ 0x9d, 0x5e, 0x96, 0xf0, 0x9a, 0xc2, 0x8b, 0x70, 0xd5, 0xab, 0x79, 0x58,
+ 0x5d, 0xb7, 0x58, 0xaa, 0xfd, 0x75, 0x52, 0xaa, 0x4b, 0xa7, 0x25, 0x68,
+ 0x76, 0x59, 0x00, 0xee, 0x78, 0x2b, 0x91, 0xc6, 0x59, 0x91, 0x99, 0x38,
+ 0x3e, 0xa1, 0x76, 0xc3, 0xf5, 0x23, 0x6b, 0xe6, 0x07, 0xea, 0x63, 0x1c,
+ 0x97, 0x49, 0xef, 0xa0, 0xfe, 0xfd, 0x13, 0xc9, 0xa9, 0x9f, 0xc2, 0x0b,
+ 0xe6, 0x87, 0x92, 0x5b, 0xcc, 0xf5, 0x42, 0x95, 0x4a, 0xa4, 0x6d, 0x64,
+ 0xba, 0x7d, 0xce, 0xcb, 0x04, 0xd0, 0xf8, 0xe7, 0xe3, 0xda, 0x75, 0x60,
+ 0xd3, 0x8b, 0x6a, 0x64, 0xfc, 0x78, 0x56, 0x21, 0x69, 0x5a, 0xe8, 0xa7,
+ 0x8f, 0xfb, 0x8f, 0x82, 0xe3, 0xae, 0x36, 0xa2, 0x93, 0x66, 0x92, 0xcb,
+ 0x82, 0xa3, 0xbe, 0x84, 0x00, 0x86, 0xdc, 0x7e, 0x6d, 0x53, 0x77, 0x84,
+ 0x17, 0xb9, 0x55, 0x43, 0x0d, 0xf1, 0x16, 0x1f, 0xd5, 0x43, 0x75, 0x99,
+ 0x66, 0x19, 0x52, 0xd0, 0xac, 0x5f, 0x74, 0xad, 0xb2, 0x90, 0x15, 0x50,
+ 0x04, 0x74, 0x43, 0xdf, 0x6c, 0x35, 0xd0, 0xfd, 0x32, 0x37, 0xb3, 0x8d,
+ 0xf5, 0xe5, 0x09, 0x02, 0x01, 0x03, 0xa3, 0x61, 0x30, 0x5f, 0x30, 0x0c,
+ 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x02, 0x30, 0x00,
+ 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x11, 0x04, 0x08, 0x30, 0x06, 0x82,
+ 0x04, 0x61, 0x2a, 0x00, 0x2a, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e,
+ 0x04, 0x16, 0x04, 0x14, 0x92, 0x6a, 0x1e, 0x52, 0x3a, 0x1a, 0x57, 0x9f,
+ 0xc9, 0x82, 0x9a, 0xce, 0xc8, 0xc0, 0xa9, 0x51, 0x9d, 0x2f, 0xc7, 0x72,
+ 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80,
+ 0x14, 0x6b, 0xf9, 0xa4, 0x2d, 0xa5, 0xe9, 0x39, 0x89, 0xa8, 0x24, 0x58,
+ 0x79, 0x87, 0x11, 0xfc, 0x6f, 0x07, 0x91, 0xef, 0xa6, 0x30, 0x0d, 0x06,
+ 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00,
+ 0x03, 0x82, 0x01, 0x01, 0x00, 0x3f, 0xd5, 0x37, 0x2f, 0xc7, 0xf8, 0x8b,
+ 0x39, 0x1c, 0xe3, 0xdf, 0x77, 0xee, 0xc6, 0x4b, 0x5f, 0x84, 0xcf, 0xfa,
+ 0x33, 0x2c, 0xb2, 0xb5, 0x4b, 0x09, 0xee, 0x56, 0xc0, 0xf2, 0xf0, 0xeb,
+ 0xad, 0x1c, 0x02, 0xef, 0xae, 0x09, 0x53, 0xc0, 0x06, 0xad, 0x4e, 0xfd,
+ 0x3e, 0x8c, 0x13, 0xb3, 0xbf, 0x80, 0x05, 0x36, 0xb5, 0x3f, 0x2b, 0xc7,
+ 0x60, 0x53, 0x14, 0xbf, 0x33, 0x63, 0x47, 0xc3, 0xc6, 0x28, 0xda, 0x10,
+ 0x12, 0xe2, 0xc4, 0xeb, 0xc5, 0x64, 0x66, 0xc0, 0xcc, 0x6b, 0x84, 0xda,
+ 0x0c, 0xe9, 0xf6, 0xe3, 0xf8, 0x8e, 0x3d, 0x95, 0x5f, 0xba, 0x9f, 0xe1,
+ 0xc7, 0xed, 0x6e, 0x97, 0xcc, 0xbd, 0x7d, 0xe5, 0x4e, 0xab, 0xbc, 0x1b,
+ 0xf1, 0x3a, 0x09, 0x33, 0x09, 0xe1, 0xcc, 0xec, 0x21, 0x16, 0x8e, 0xb1,
+ 0x74, 0x9e, 0xc8, 0x13, 0x7c, 0xdf, 0x07, 0xaa, 0xeb, 0x70, 0xd7, 0x91,
+ 0x5c, 0xc4, 0xef, 0x83, 0x88, 0xc3, 0xe4, 0x97, 0xfa, 0xe4, 0xdf, 0xd7,
+ 0x0d, 0xff, 0xba, 0x78, 0x22, 0xfc, 0x3f, 0xdc, 0xd8, 0x02, 0x8d, 0x93,
+ 0x57, 0xf9, 0x9e, 0x39, 0x3a, 0x77, 0x00, 0xd9, 0x19, 0xaa, 0x68, 0xa1,
+ 0xe6, 0x9e, 0x13, 0xeb, 0x37, 0x16, 0xf5, 0x77, 0xa4, 0x0b, 0x40, 0x04,
+ 0xd3, 0xa5, 0x49, 0x78, 0x35, 0xfa, 0x3b, 0xf6, 0x02, 0xab, 0x85, 0xee,
+ 0xcb, 0x9b, 0x62, 0xda, 0x05, 0x00, 0x22, 0x2f, 0xf8, 0xbd, 0x0b, 0xe5,
+ 0x2c, 0xb2, 0x53, 0x78, 0x0a, 0xcb, 0x69, 0xc0, 0xb6, 0x9f, 0x96, 0xff,
+ 0x58, 0x22, 0x70, 0x9c, 0x01, 0x2e, 0x56, 0x60, 0x5d, 0x37, 0xe3, 0x40,
+ 0x25, 0xc9, 0x90, 0xc8, 0x0f, 0x41, 0x68, 0xb4, 0xfd, 0x10, 0xe2, 0x09,
+ 0x99, 0x08, 0x5d, 0x7b, 0xc9, 0xe3, 0x29, 0xd4, 0x5a, 0xcf, 0xc9, 0x34,
+ 0x55, 0xa1, 0x40, 0x44, 0xd6, 0x88, 0x16, 0xbb, 0xdd
+ };
+
+ X509* x509 = NULL;
+ int certSize = (int)sizeof(malformed_alt_name_cert) / sizeof(unsigned char);
+ const char *name = "aaaaa";
+ int nameLen = (int)XSTRLEN(name);
+
+ ExpectNotNull(x509 = wolfSSL_X509_load_certificate_buffer(
+ malformed_alt_name_cert, certSize, SSL_FILETYPE_ASN1));
+
+ /* malformed_alt_name_cert has a malformed alternative
+ * name of "a*\0*". Ensure that it does not match "aaaaa" */
+ ExpectIntNE(wolfSSL_X509_check_host(x509, name, nameLen,
+ WOLFSSL_ALWAYS_CHECK_SUBJECT, NULL), 1);
+
+ /* Also make sure WOLFSSL_LEFT_MOST_WILDCARD_ONLY fails too */
+ ExpectIntNE(wolfSSL_X509_check_host(x509, name, nameLen,
+ WOLFSSL_ALWAYS_CHECK_SUBJECT | WOLFSSL_LEFT_MOST_WILDCARD_ONLY,
+ NULL), 1);
+
+ X509_free(x509);
+
+#endif
+ return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509_name_match1(void)
+{
+ EXPECT_DECLS;
+#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_RSA)
+ /* A certificate with the subject alternative name a* */
+ const unsigned char cert_der[] = {
+ 0x30, 0x82, 0x03, 0xac, 0x30, 0x82, 0x02, 0x94, 0xa0, 0x03, 0x02, 0x01,
+ 0x02, 0x02, 0x14, 0x0f, 0xa5, 0x10, 0x85, 0xef, 0x58, 0x10, 0x59, 0xfc,
+ 0x0f, 0x20, 0x1f, 0x53, 0xf5, 0x30, 0x39, 0x34, 0x49, 0x54, 0x05, 0x30,
+ 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b,
+ 0x05, 0x00, 0x30, 0x77, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04,
+ 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55,
+ 0x04, 0x08, 0x0c, 0x07, 0x4d, 0x6f, 0x6e, 0x74, 0x61, 0x6e, 0x61, 0x31,
+ 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x07, 0x42, 0x6f,
+ 0x7a, 0x65, 0x6d, 0x61, 0x6e, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55,
+ 0x04, 0x0a, 0x0c, 0x0b, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x20,
+ 0x49, 0x6e, 0x63, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0b,
+ 0x0c, 0x0b, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e,
+ 0x67, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f,
+ 0x77, 0x77, 0x77, 0x2e, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e,
+ 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x32, 0x34, 0x30, 0x35, 0x33,
+ 0x30, 0x32, 0x30, 0x31, 0x35, 0x35, 0x38, 0x5a, 0x17, 0x0d, 0x33, 0x34,
+ 0x30, 0x35, 0x32, 0x38, 0x32, 0x30, 0x31, 0x35, 0x35, 0x38, 0x5a, 0x30,
+ 0x77, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
+ 0x55, 0x53, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c,
+ 0x07, 0x4d, 0x6f, 0x6e, 0x74, 0x61, 0x6e, 0x61, 0x31, 0x10, 0x30, 0x0e,
+ 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x07, 0x42, 0x6f, 0x7a, 0x65, 0x6d,
+ 0x61, 0x6e, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c,
+ 0x0b, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x20, 0x49, 0x6e, 0x63,
+ 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x0b, 0x45,
+ 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x31, 0x18,
+ 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x77, 0x77, 0x77,
+ 0x2e, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d,
+ 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
+ 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00,
+ 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xf4, 0xca, 0x3d,
+ 0xd4, 0xbc, 0x9b, 0xea, 0x74, 0xfe, 0x73, 0xf4, 0x16, 0x23, 0x0b, 0x4a,
+ 0x09, 0x54, 0xf6, 0x7b, 0x10, 0x99, 0x11, 0x93, 0xb2, 0xdb, 0x4d, 0x7d,
+ 0x23, 0xab, 0xf9, 0xcd, 0xf6, 0x54, 0xd4, 0xf6, 0x39, 0x57, 0xee, 0x97,
+ 0xb2, 0xb9, 0xfc, 0x7e, 0x9c, 0xb3, 0xfb, 0x56, 0xb6, 0x84, 0xd6, 0x2d,
+ 0x59, 0x1c, 0xed, 0xda, 0x9b, 0x19, 0xf5, 0x8a, 0xa7, 0x8a, 0x89, 0xd6,
+ 0xa1, 0xc0, 0xe6, 0x16, 0xad, 0x04, 0xcf, 0x5a, 0x1f, 0xdf, 0x62, 0x6c,
+ 0x68, 0x45, 0xe9, 0x55, 0x2e, 0x42, 0xa3, 0x1b, 0x3b, 0x86, 0x23, 0x22,
+ 0xa1, 0x20, 0x48, 0xd1, 0x52, 0xc0, 0x8b, 0xab, 0xe2, 0x8a, 0x15, 0x68,
+ 0xbd, 0x89, 0x6f, 0x9f, 0x45, 0x75, 0xb4, 0x27, 0xc1, 0x72, 0x41, 0xfd,
+ 0x79, 0x89, 0xb0, 0x74, 0xa2, 0xe9, 0x61, 0x48, 0x4c, 0x54, 0xad, 0x6b,
+ 0x61, 0xbf, 0x0e, 0x27, 0x58, 0xb4, 0xf6, 0x9c, 0x2c, 0x9f, 0xc2, 0x3e,
+ 0x3b, 0xb3, 0x90, 0x41, 0xbc, 0x61, 0xcd, 0x01, 0x57, 0x90, 0x82, 0xec,
+ 0x46, 0xba, 0x4f, 0x89, 0x8e, 0x7f, 0x49, 0x4f, 0x46, 0x69, 0x37, 0x8b,
+ 0xa0, 0xba, 0x85, 0xe8, 0x42, 0xff, 0x9a, 0xa1, 0x53, 0x81, 0x5c, 0xf3,
+ 0x8e, 0x85, 0x1c, 0xd4, 0x90, 0x60, 0xa0, 0x37, 0x59, 0x04, 0x65, 0xa6,
+ 0xb5, 0x12, 0x00, 0xc3, 0x04, 0x51, 0xa7, 0x83, 0x96, 0x62, 0x3d, 0x49,
+ 0x97, 0xe8, 0x6b, 0x9a, 0x5d, 0x51, 0x24, 0xee, 0xad, 0x45, 0x18, 0x0f,
+ 0x3f, 0x97, 0xec, 0xdf, 0xcf, 0x42, 0x8a, 0x96, 0xc7, 0xd8, 0x82, 0x87,
+ 0x7f, 0x57, 0x70, 0x22, 0xfb, 0x29, 0x3e, 0x3c, 0xa3, 0xc1, 0xd5, 0x71,
+ 0xb3, 0x84, 0x06, 0x53, 0xa3, 0x86, 0x20, 0x35, 0xe3, 0x41, 0xb9, 0xd8,
+ 0x00, 0x22, 0x4f, 0x6d, 0xe6, 0xfd, 0xf0, 0xf4, 0xa2, 0x39, 0x0a, 0x1a,
+ 0x23, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x30, 0x30, 0x2e, 0x30, 0x0d,
+ 0x06, 0x03, 0x55, 0x1d, 0x11, 0x04, 0x06, 0x30, 0x04, 0x82, 0x02, 0x61,
+ 0x2a, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14,
+ 0x45, 0x05, 0xf3, 0x4d, 0x3e, 0x7e, 0x9c, 0xf5, 0x08, 0xee, 0x2c, 0x13,
+ 0x32, 0xe3, 0xf2, 0x14, 0xe8, 0x0e, 0x71, 0x21, 0x30, 0x0d, 0x06, 0x09,
+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03,
+ 0x82, 0x01, 0x01, 0x00, 0xa8, 0x28, 0xe5, 0x22, 0x65, 0xcf, 0x47, 0xfe,
+ 0x82, 0x17, 0x99, 0x20, 0xdb, 0xb1, 0x57, 0xd4, 0x91, 0x1a, 0x83, 0xde,
+ 0xc1, 0xaf, 0xc4, 0x1f, 0xfb, 0xa4, 0x6a, 0xad, 0xdc, 0x58, 0x72, 0xd9,
+ 0x9b, 0xab, 0xa5, 0xbb, 0xf4, 0x98, 0xd4, 0xdf, 0x36, 0xcb, 0xb5, 0x78,
+ 0xce, 0x4b, 0x25, 0x5b, 0x24, 0x92, 0xfe, 0xe8, 0xd4, 0xe4, 0xbd, 0x6f,
+ 0x71, 0x1a, 0x81, 0x2a, 0x6f, 0x35, 0x93, 0xf7, 0xcc, 0xed, 0xe5, 0x06,
+ 0xd2, 0x96, 0x41, 0xb5, 0xa9, 0x8a, 0xc0, 0xc9, 0x17, 0xe3, 0x13, 0x5e,
+ 0x94, 0x5e, 0xfa, 0xfc, 0xf0, 0x00, 0x2e, 0xe1, 0xd8, 0x1b, 0x23, 0x3f,
+ 0x7c, 0x4d, 0x9f, 0xfb, 0xb7, 0x95, 0xc1, 0x94, 0x7f, 0x7f, 0xb5, 0x4f,
+ 0x93, 0x6d, 0xc3, 0x2b, 0xb2, 0x28, 0x36, 0xd2, 0x7c, 0x01, 0x3c, 0xae,
+ 0x35, 0xdb, 0xc8, 0x95, 0x1b, 0x5f, 0x6c, 0x0f, 0x57, 0xb3, 0xcc, 0x97,
+ 0x98, 0x80, 0x06, 0xaa, 0xe4, 0x93, 0x1f, 0xb7, 0xa0, 0x54, 0xf1, 0x4f,
+ 0x6f, 0x11, 0xdf, 0xab, 0xd3, 0xbf, 0xf0, 0x3a, 0x81, 0x60, 0xaf, 0x7a,
+ 0xf7, 0x09, 0xd5, 0xae, 0x0c, 0x7d, 0xae, 0x8d, 0x47, 0x06, 0xbe, 0x11,
+ 0x6e, 0xf8, 0x7e, 0x49, 0xf8, 0xac, 0x24, 0x0a, 0x4b, 0xc2, 0xf6, 0xe8,
+ 0x2c, 0xec, 0x35, 0xef, 0xa9, 0x13, 0xb8, 0xd2, 0x9c, 0x92, 0x61, 0x91,
+ 0xec, 0x7b, 0x0c, 0xea, 0x9a, 0x71, 0x36, 0x15, 0x34, 0x2b, 0x7a, 0x25,
+ 0xac, 0xfe, 0xc7, 0x26, 0x89, 0x70, 0x3e, 0x64, 0x68, 0x97, 0x4b, 0xaa,
+ 0xc1, 0x24, 0x14, 0xbd, 0x45, 0x2f, 0xe0, 0xfe, 0xf4, 0x2b, 0x8e, 0x08,
+ 0x3e, 0xe4, 0xb5, 0x3d, 0x5d, 0xf4, 0xc3, 0xd6, 0x9c, 0xb5, 0x33, 0x1b,
+ 0x3b, 0xda, 0x6e, 0x99, 0x7b, 0x09, 0xd1, 0x30, 0x97, 0x23, 0x52, 0x6d,
+ 0x1b, 0x71, 0x3a, 0xf4, 0x54, 0xf0, 0xe5, 0x9e
+ };
+
+ WOLFSSL_X509* x509 = NULL;
+ int certSize = (int)(sizeof(cert_der) / sizeof(unsigned char));
+ const char *name1 = "aaaaa";
+ int nameLen1 = (int)(XSTRLEN(name1));
+ const char *name2 = "a";
+ int nameLen2 = (int)(XSTRLEN(name2));
+ const char *name3 = "abbbb";
+ int nameLen3 = (int)(XSTRLEN(name3));
+ const char *name4 = "bbb";
+ int nameLen4 = (int)(XSTRLEN(name4));
+
+ ExpectNotNull(x509 = wolfSSL_X509_load_certificate_buffer(
+ cert_der, certSize, WOLFSSL_FILETYPE_ASN1));
+
+ /* Ensure that "a*" matches "aaaaa" */
+ ExpectIntEQ(wolfSSL_X509_check_host(x509, name1, nameLen1,
+ WOLFSSL_ALWAYS_CHECK_SUBJECT, NULL), WOLFSSL_SUCCESS);
+ /* Ensure that "a*" matches "a" */
+ ExpectIntEQ(wolfSSL_X509_check_host(x509, name2, nameLen2,
+ WOLFSSL_ALWAYS_CHECK_SUBJECT, NULL), WOLFSSL_SUCCESS);
+ /* Ensure that "a*" matches "abbbb" */
+ ExpectIntEQ(wolfSSL_X509_check_host(x509, name3, nameLen3,
+ WOLFSSL_ALWAYS_CHECK_SUBJECT, NULL), WOLFSSL_SUCCESS);
+ /* Ensure that "a*" does not match "bbb" */
+ ExpectIntNE(wolfSSL_X509_check_host(x509, name4, nameLen4,
+ WOLFSSL_ALWAYS_CHECK_SUBJECT, NULL), 1);
+
+ /* WOLFSSL_LEFT_MOST_WILDCARD_ONLY flag should fail on all cases, since
+ * 'a*' alt name does not have wildcard left-most */
+
+ /* Ensure that "a*" does not match "aaaaa" */
+ ExpectIntNE(wolfSSL_X509_check_host(x509, name1, nameLen1,
+ WOLFSSL_ALWAYS_CHECK_SUBJECT | WOLFSSL_LEFT_MOST_WILDCARD_ONLY,
+ NULL), WOLFSSL_SUCCESS);
+ /* Ensure that "a*" does not match "a" */
+ ExpectIntNE(wolfSSL_X509_check_host(x509, name2, nameLen2,
+ WOLFSSL_ALWAYS_CHECK_SUBJECT | WOLFSSL_LEFT_MOST_WILDCARD_ONLY,
+ NULL), WOLFSSL_SUCCESS);
+ /* Ensure that "a*" does not match "abbbb" */
+ ExpectIntNE(wolfSSL_X509_check_host(x509, name3, nameLen3,
+ WOLFSSL_ALWAYS_CHECK_SUBJECT | WOLFSSL_LEFT_MOST_WILDCARD_ONLY,
+ NULL), WOLFSSL_SUCCESS);
+ /* Ensure that "a*" does not match "bbb" */
+ ExpectIntNE(wolfSSL_X509_check_host(x509, name4, nameLen4,
+ WOLFSSL_ALWAYS_CHECK_SUBJECT | WOLFSSL_LEFT_MOST_WILDCARD_ONLY,
+ NULL), WOLFSSL_SUCCESS);
+
+ wolfSSL_X509_free(x509);
+
+#endif
+ return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509_name_match2(void)
+{
+ EXPECT_DECLS;
+#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_RSA)
+ /* A certificate with the subject alternative name a*b* */
+ const unsigned char cert_der[] = {
+ 0x30, 0x82, 0x03, 0xae, 0x30, 0x82, 0x02, 0x96, 0xa0, 0x03, 0x02, 0x01,
+ 0x02, 0x02, 0x14, 0x41, 0x8c, 0x8b, 0xaa, 0x0e, 0xd8, 0x5a, 0xc0, 0x52,
+ 0x46, 0x0e, 0xe5, 0xd8, 0xb9, 0x48, 0x93, 0x7e, 0x8a, 0x7c, 0x65, 0x30,
+ 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b,
+ 0x05, 0x00, 0x30, 0x77, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04,
+ 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55,
+ 0x04, 0x08, 0x0c, 0x07, 0x4d, 0x6f, 0x6e, 0x74, 0x61, 0x6e, 0x61, 0x31,
+ 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x07, 0x42, 0x6f,
+ 0x7a, 0x65, 0x6d, 0x61, 0x6e, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55,
+ 0x04, 0x0a, 0x0c, 0x0b, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x20,
+ 0x49, 0x6e, 0x63, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0b,
+ 0x0c, 0x0b, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e,
+ 0x67, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f,
+ 0x77, 0x77, 0x77, 0x2e, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e,
+ 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x32, 0x34, 0x30, 0x35, 0x33,
+ 0x30, 0x32, 0x30, 0x34, 0x33, 0x34, 0x30, 0x5a, 0x17, 0x0d, 0x33, 0x34,
+ 0x30, 0x35, 0x32, 0x38, 0x32, 0x30, 0x34, 0x33, 0x34, 0x30, 0x5a, 0x30,
+ 0x77, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
+ 0x55, 0x53, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c,
+ 0x07, 0x4d, 0x6f, 0x6e, 0x74, 0x61, 0x6e, 0x61, 0x31, 0x10, 0x30, 0x0e,
+ 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x07, 0x42, 0x6f, 0x7a, 0x65, 0x6d,
+ 0x61, 0x6e, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c,
+ 0x0b, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x20, 0x49, 0x6e, 0x63,
+ 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x0b, 0x45,
+ 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x31, 0x18,
+ 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x77, 0x77, 0x77,
+ 0x2e, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d,
+ 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
+ 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00,
+ 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xa5, 0x60, 0x80,
+ 0xf3, 0xee, 0x19, 0xd2, 0xe4, 0x15, 0x94, 0x54, 0x12, 0x88, 0xee, 0xda,
+ 0x11, 0x11, 0x87, 0x99, 0x88, 0xb3, 0x71, 0xc7, 0x97, 0x78, 0x1b, 0x57,
+ 0x37, 0x1d, 0x0b, 0x1f, 0x2f, 0x2c, 0x35, 0x13, 0x75, 0xd3, 0x31, 0x3e,
+ 0x6f, 0x80, 0x21, 0xa5, 0xa3, 0xad, 0x10, 0x81, 0xb6, 0x37, 0xd4, 0x55,
+ 0x2e, 0xc1, 0xb8, 0x37, 0xa3, 0x3c, 0xe8, 0x81, 0x03, 0x3c, 0xda, 0x5f,
+ 0x6f, 0x45, 0x32, 0x2b, 0x0e, 0x99, 0x27, 0xfd, 0xe5, 0x6c, 0x07, 0xd9,
+ 0x4e, 0x0a, 0x8b, 0x23, 0x74, 0x96, 0x25, 0x97, 0xae, 0x6d, 0x19, 0xba,
+ 0xbf, 0x0f, 0xc8, 0xa1, 0xe5, 0xea, 0xa8, 0x00, 0x09, 0xc3, 0x9a, 0xef,
+ 0x09, 0x33, 0xc1, 0x33, 0x2e, 0x7b, 0x6d, 0xa7, 0x66, 0x87, 0xb6, 0x3a,
+ 0xb9, 0xdb, 0x4c, 0x5e, 0xb5, 0x55, 0x69, 0x37, 0x17, 0x92, 0x1f, 0xe3,
+ 0x53, 0x1a, 0x2d, 0x25, 0xd0, 0xcf, 0x72, 0x37, 0xc2, 0x89, 0x83, 0x78,
+ 0xcf, 0xac, 0x2e, 0x46, 0x92, 0x5c, 0x4a, 0xba, 0x7d, 0xa0, 0x22, 0x34,
+ 0xb1, 0x22, 0x26, 0x99, 0xda, 0xe8, 0x97, 0xe2, 0x0c, 0xd3, 0xbc, 0x97,
+ 0x7e, 0xa8, 0xb9, 0xe3, 0xe2, 0x7f, 0x56, 0xef, 0x22, 0xee, 0x15, 0x95,
+ 0xa6, 0xd1, 0xf4, 0xa7, 0xac, 0x4a, 0xab, 0xc1, 0x1a, 0xda, 0xc5, 0x5f,
+ 0xa5, 0x5e, 0x2f, 0x15, 0x9c, 0x36, 0xbe, 0xd3, 0x47, 0xb6, 0x86, 0xb9,
+ 0xc6, 0x59, 0x39, 0x36, 0xad, 0x84, 0x53, 0x95, 0x72, 0x91, 0x89, 0x51,
+ 0x32, 0x77, 0xf1, 0xa5, 0x93, 0xfe, 0xf0, 0x41, 0x7c, 0x64, 0xf1, 0xb0,
+ 0x8b, 0x81, 0x8d, 0x3a, 0x2c, 0x9e, 0xbe, 0x2e, 0x8b, 0xf7, 0x80, 0x63,
+ 0x35, 0x32, 0xfa, 0x26, 0xe0, 0x63, 0xbf, 0x5e, 0xaf, 0xf0, 0x08, 0xe0,
+ 0x80, 0x65, 0x38, 0xfa, 0x21, 0xaa, 0x91, 0x34, 0x48, 0x3d, 0x32, 0x5c,
+ 0xbf, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x32, 0x30, 0x30, 0x30, 0x0f,
+ 0x06, 0x03, 0x55, 0x1d, 0x11, 0x04, 0x08, 0x30, 0x06, 0x82, 0x04, 0x61,
+ 0x2a, 0x62, 0x2a, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16,
+ 0x04, 0x14, 0x3d, 0x55, 0x74, 0xf8, 0x3a, 0x26, 0x03, 0x8c, 0x6a, 0x2e,
+ 0x91, 0x0e, 0x18, 0x70, 0xb4, 0xa4, 0xcc, 0x04, 0x00, 0xd3, 0x30, 0x0d,
+ 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
+ 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x8f, 0x3b, 0xff, 0x46, 0x0c, 0xb5,
+ 0x21, 0xdc, 0xcf, 0x61, 0x9a, 0x25, 0x93, 0x99, 0x68, 0x2f, 0x16, 0x71,
+ 0x15, 0x00, 0x5f, 0xb0, 0x9b, 0x43, 0x5c, 0x47, 0xe2, 0x8e, 0xc8, 0xea,
+ 0xb3, 0x30, 0x4d, 0x87, 0x90, 0xcf, 0x24, 0x37, 0x5c, 0xfd, 0xc8, 0xc6,
+ 0x09, 0x36, 0xb2, 0xfb, 0xfd, 0xc1, 0x82, 0x92, 0x77, 0x5b, 0x9d, 0xeb,
+ 0xac, 0x47, 0xbc, 0xda, 0x7c, 0x89, 0x19, 0x03, 0x9e, 0xcd, 0x96, 0x2a,
+ 0x90, 0x55, 0x23, 0x19, 0xac, 0x9d, 0x49, 0xfb, 0xa0, 0x31, 0x7d, 0x6b,
+ 0x1a, 0x16, 0x13, 0xb1, 0xa9,
0xc9, 0xc4, 0xaf, 0xf1, 0xb4, 0xa7, 0x9b, + 0x08, 0x64, 0x6a, 0x09, 0xcd, 0x4a, 0x03, 0x4c, 0x93, 0xb6, 0xcf, 0x29, + 0xdb, 0x56, 0x88, 0x8e, 0xed, 0x08, 0x6d, 0x8d, 0x76, 0xa3, 0xd7, 0xc6, + 0x69, 0xa1, 0xf5, 0xd2, 0xd0, 0x0a, 0x4b, 0xfa, 0x88, 0x66, 0x6c, 0xe5, + 0x4a, 0xee, 0x13, 0xad, 0xad, 0x22, 0x25, 0x73, 0x39, 0x56, 0x74, 0x0e, + 0xda, 0xcd, 0x35, 0x67, 0xe3, 0x81, 0x5c, 0xc5, 0xae, 0x3c, 0x4f, 0x47, + 0x3e, 0x97, 0xde, 0xac, 0xf6, 0xe1, 0x26, 0xe2, 0xe0, 0x66, 0x48, 0x20, + 0x7c, 0x02, 0x81, 0x3e, 0x7d, 0x34, 0xb7, 0x73, 0x3e, 0x2e, 0xd6, 0x20, + 0x1c, 0xdf, 0xf1, 0xae, 0x86, 0x8b, 0xb2, 0xc2, 0x9b, 0x68, 0x9c, 0xf6, + 0x1a, 0x5e, 0x30, 0x06, 0x39, 0x0a, 0x1f, 0x7b, 0xd7, 0x18, 0x4b, 0x06, + 0x9d, 0xff, 0x84, 0x57, 0xcc, 0x92, 0xad, 0x81, 0x0a, 0x19, 0x11, 0xc4, + 0xac, 0x59, 0x00, 0xe8, 0x5a, 0x70, 0x78, 0xd6, 0x9f, 0xe0, 0x82, 0x2a, + 0x1f, 0x09, 0x36, 0x1c, 0x52, 0x98, 0xf7, 0x95, 0x8f, 0xf9, 0x48, 0x4f, + 0x30, 0x52, 0xb5, 0xf3, 0x8d, 0x13, 0x93, 0x27, 0xbe, 0xb4, 0x75, 0x39, + 0x65, 0xc6, 0x48, 0x4e, 0x32, 0xd7, 0xf4, 0xc3, 0x26, 0x8d + }; + + WOLFSSL_X509* x509 = NULL; + int certSize = (int)(sizeof(cert_der) / sizeof(unsigned char)); + const char *name1 = "ab"; + int nameLen1 = (int)(XSTRLEN(name1)); + const char *name2 = "acccbccc"; + int nameLen2 = (int)(XSTRLEN(name2)); + const char *name3 = "accb"; + int nameLen3 = (int)(XSTRLEN(name3)); + const char *name4 = "accda"; + int nameLen4 = (int)(XSTRLEN(name4)); + const char *name5 = "acc\0bcc"; + int nameLen5 = 7; + + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_buffer( + cert_der, certSize, WOLFSSL_FILETYPE_ASN1)); + + /* Ensure that "a*b*" matches "ab" */ + ExpectIntEQ(wolfSSL_X509_check_host(x509, name1, nameLen1, + WOLFSSL_ALWAYS_CHECK_SUBJECT, NULL), WOLFSSL_SUCCESS); + /* Ensure that "a*b*" matches "acccbccc" */ + ExpectIntEQ(wolfSSL_X509_check_host(x509, name2, nameLen2, + WOLFSSL_ALWAYS_CHECK_SUBJECT, NULL), WOLFSSL_SUCCESS); + /* Ensure that "a*b*" matches "accb" */ + 
ExpectIntEQ(wolfSSL_X509_check_host(x509, name3, nameLen3, + WOLFSSL_ALWAYS_CHECK_SUBJECT, NULL), WOLFSSL_SUCCESS); + /* Ensure that "a*b*" does not match "accda" */ + ExpectIntNE(wolfSSL_X509_check_host(x509, name4, nameLen4, + WOLFSSL_ALWAYS_CHECK_SUBJECT, NULL), WOLFSSL_SUCCESS); + + /* WOLFSSL_LEFT_MOST_WILDCARD_ONLY flag should fail on all cases, since + * 'a*b*' alt name does not have wildcard left-most */ + ExpectIntEQ(wolfSSL_X509_check_host(x509, name1, nameLen1, + WOLFSSL_ALWAYS_CHECK_SUBJECT | WOLFSSL_LEFT_MOST_WILDCARD_ONLY, + NULL), WOLFSSL_FAILURE); + ExpectIntEQ(wolfSSL_X509_check_host(x509, name2, nameLen2, + WOLFSSL_ALWAYS_CHECK_SUBJECT | WOLFSSL_LEFT_MOST_WILDCARD_ONLY, + NULL), WOLFSSL_FAILURE); + ExpectIntEQ(wolfSSL_X509_check_host(x509, name3, nameLen3, + WOLFSSL_ALWAYS_CHECK_SUBJECT | WOLFSSL_LEFT_MOST_WILDCARD_ONLY, + NULL), WOLFSSL_FAILURE); + ExpectIntEQ(wolfSSL_X509_check_host(x509, name4, nameLen4, + WOLFSSL_ALWAYS_CHECK_SUBJECT | WOLFSSL_LEFT_MOST_WILDCARD_ONLY, + NULL), WOLFSSL_FAILURE); + + /* Ensure that "a*b*" matches "ab", testing openssl behavior replication + * on check len input handling, 0 for len is OK as it should then use + * strlen(name1) */ + ExpectIntEQ(wolfSSL_X509_check_host(x509, name1, 0, + WOLFSSL_ALWAYS_CHECK_SUBJECT, NULL), WOLFSSL_SUCCESS); + /* Openssl also allows for len to include NULL terminator */ + ExpectIntEQ(wolfSSL_X509_check_host(x509, name1, nameLen1 + 1, + WOLFSSL_ALWAYS_CHECK_SUBJECT, NULL), WOLFSSL_SUCCESS); + /* Ensure that check string with NULL terminator in middle is + * rejected */ + ExpectIntNE(wolfSSL_X509_check_host(x509, name5, nameLen5, + WOLFSSL_ALWAYS_CHECK_SUBJECT, NULL), WOLFSSL_SUCCESS); + + wolfSSL_X509_free(x509); + +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_X509_name_match3(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_RSA) + /* A certificate with the subject alternative name *.example.com */ + const unsigned char cert_der[] = 
{ + 0x30, 0x82, 0x03, 0xb7, 0x30, 0x82, 0x02, 0x9f, 0xa0, 0x03, 0x02, 0x01, + 0x02, 0x02, 0x14, 0x59, 0xbb, 0xf6, 0xde, 0xb8, 0x3d, 0x0e, 0x8c, 0xe4, + 0xbd, 0x98, 0xa3, 0xbe, 0x3e, 0x8f, 0xdc, 0xbd, 0x7f, 0xcc, 0xae, 0x30, + 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, + 0x05, 0x00, 0x30, 0x77, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, + 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, + 0x04, 0x08, 0x0c, 0x07, 0x4d, 0x6f, 0x6e, 0x74, 0x61, 0x6e, 0x61, 0x31, + 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x07, 0x42, 0x6f, + 0x7a, 0x65, 0x6d, 0x61, 0x6e, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, + 0x04, 0x0a, 0x0c, 0x0b, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x20, + 0x49, 0x6e, 0x63, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0b, + 0x0c, 0x0b, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, + 0x67, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, + 0x77, 0x77, 0x77, 0x2e, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, + 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x32, 0x34, 0x30, 0x35, 0x33, + 0x31, 0x30, 0x30, 0x33, 0x37, 0x34, 0x39, 0x5a, 0x17, 0x0d, 0x33, 0x34, + 0x30, 0x35, 0x32, 0x39, 0x30, 0x30, 0x33, 0x37, 0x34, 0x39, 0x5a, 0x30, + 0x77, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, + 0x55, 0x53, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, + 0x07, 0x4d, 0x6f, 0x6e, 0x74, 0x61, 0x6e, 0x61, 0x31, 0x10, 0x30, 0x0e, + 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x07, 0x42, 0x6f, 0x7a, 0x65, 0x6d, + 0x61, 0x6e, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, + 0x0b, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x20, 0x49, 0x6e, 0x63, + 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x0b, 0x45, + 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x31, 0x18, + 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x77, 0x77, 0x77, + 0x2e, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 
+ 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, + 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xda, 0x78, 0x16, + 0x05, 0x65, 0xf2, 0x85, 0xf2, 0x61, 0x7f, 0xb1, 0x4d, 0x73, 0xe2, 0x82, + 0xb5, 0x3d, 0xf7, 0x9d, 0x05, 0x65, 0xed, 0x9d, 0xc3, 0x29, 0x7a, 0x92, + 0x2c, 0x06, 0x5f, 0xc8, 0x13, 0x55, 0x42, 0x4e, 0xbd, 0xe2, 0x56, 0x2a, + 0x4b, 0xac, 0xe6, 0x1b, 0x10, 0xc9, 0xdb, 0x9a, 0x45, 0x36, 0xed, 0xf3, + 0x26, 0x8c, 0x22, 0x88, 0x1e, 0x6d, 0x2b, 0x41, 0xfa, 0x0d, 0x43, 0x88, + 0x88, 0xde, 0x8d, 0x2e, 0xca, 0x6e, 0x7c, 0x62, 0x66, 0x3e, 0xfa, 0x4e, + 0x71, 0xea, 0x7d, 0x3b, 0x32, 0x33, 0x5c, 0x7a, 0x7e, 0xea, 0x74, 0xbd, + 0xb6, 0x8f, 0x4c, 0x1c, 0x7a, 0x79, 0x94, 0xf1, 0xe8, 0x02, 0x67, 0x98, + 0x25, 0xb4, 0x31, 0x80, 0xc1, 0xae, 0xbf, 0xef, 0xf2, 0x6c, 0x78, 0x42, + 0xef, 0xb5, 0xc6, 0x01, 0x47, 0x79, 0x8d, 0x92, 0xce, 0xc1, 0xb5, 0x98, + 0x76, 0xf0, 0x84, 0xa2, 0x53, 0x90, 0xe5, 0x39, 0xc7, 0xbd, 0xf2, 0xbb, + 0xe3, 0x3f, 0x00, 0xf6, 0xf0, 0x46, 0x86, 0xee, 0x55, 0xbd, 0x2c, 0x1f, + 0x97, 0x24, 0x7c, 0xbc, 0xda, 0x2f, 0x1b, 0x53, 0xef, 0x26, 0x56, 0xcc, + 0xb7, 0xd8, 0xca, 0x17, 0x20, 0x4e, 0x62, 0x03, 0x66, 0x32, 0xb3, 0xd1, + 0x71, 0x26, 0x6c, 0xff, 0xd1, 0x9e, 0x44, 0x86, 0x2a, 0xae, 0xba, 0x43, + 0x00, 0x13, 0x7e, 0x50, 0xdd, 0x3e, 0x27, 0x39, 0x70, 0x1c, 0x0c, 0x0b, + 0xe8, 0xa2, 0xae, 0x03, 0x09, 0x2e, 0xd8, 0x71, 0xee, 0x7b, 0x1a, 0x09, + 0x2d, 0xe1, 0xd5, 0xde, 0xf5, 0xa3, 0x36, 0x77, 0x90, 0x97, 0x99, 0xd7, + 0x6c, 0xb7, 0x5c, 0x9d, 0xf7, 0x7e, 0x41, 0x89, 0xfe, 0xe4, 0x08, 0xc6, + 0x0b, 0xe4, 0x9b, 0x5f, 0x51, 0xa6, 0x08, 0xb8, 0x99, 0x81, 0xe9, 0xce, + 0xb4, 0x2d, 0xb2, 0x92, 0x9f, 0xe5, 0x1a, 0x98, 0x76, 0x20, 0x70, 0x54, + 0x93, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x3b, 0x30, 0x39, 0x30, 0x18, + 0x06, 0x03, 0x55, 0x1d, 0x11, 0x04, 0x11, 0x30, 0x0f, 0x82, 0x0d, 0x2a, + 0x2e, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, + 
0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x60, + 0xd4, 0x26, 0xbb, 0xcc, 0x7c, 0x29, 0xa2, 0x88, 0x3c, 0x76, 0x7d, 0xb4, + 0x86, 0x8b, 0x47, 0x64, 0x5b, 0x87, 0xe0, 0x30, 0x0d, 0x06, 0x09, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, + 0x01, 0x01, 0x00, 0xc3, 0x0d, 0x03, 0x67, 0xbb, 0x47, 0x8b, 0xf3, 0x20, + 0xdc, 0x7d, 0x2e, 0xe1, 0xd9, 0xf0, 0x01, 0xc4, 0x66, 0xc2, 0xe1, 0xcd, + 0xc3, 0x4a, 0x72, 0xf0, 0x6e, 0x38, 0xcf, 0x63, 0x01, 0x96, 0x9e, 0x84, + 0xb9, 0xce, 0x1d, 0xba, 0x4b, 0xe0, 0x70, 0x86, 0x2b, 0x5a, 0xab, 0xec, + 0xbf, 0xc2, 0xaa, 0x64, 0xa2, 0x6c, 0xd2, 0x42, 0x52, 0xd4, 0xbe, 0x8a, + 0xca, 0x9c, 0x03, 0xf3, 0xd6, 0x5f, 0xcd, 0x23, 0x9f, 0xf5, 0xa9, 0x04, + 0x40, 0x5b, 0x66, 0x78, 0xc0, 0xac, 0xa1, 0xdb, 0x5d, 0xd1, 0x94, 0xfc, + 0x47, 0x94, 0xf5, 0x45, 0xe3, 0x70, 0x13, 0x3f, 0x66, 0x6d, 0xdd, 0x73, + 0x68, 0x68, 0xe2, 0xd2, 0x89, 0xcb, 0x7f, 0xc6, 0xca, 0xd6, 0x96, 0x0b, + 0xcc, 0xdd, 0xa1, 0x74, 0xda, 0x33, 0xe8, 0x9e, 0xda, 0xb7, 0xd9, 0x12, + 0xab, 0x85, 0x9d, 0x0c, 0xde, 0xa0, 0x7d, 0x7e, 0xa1, 0x91, 0xed, 0xe5, + 0x32, 0x7c, 0xc5, 0xea, 0x1d, 0x4a, 0xb5, 0x38, 0x63, 0x17, 0xf3, 0x4f, + 0x2c, 0x4a, 0x58, 0x86, 0x09, 0x33, 0x86, 0xc4, 0xe7, 0x56, 0x6f, 0x32, + 0x71, 0xb7, 0xd0, 0x83, 0x12, 0x9e, 0x26, 0x0a, 0x3a, 0x45, 0xcb, 0xd7, + 0x4e, 0xab, 0xa4, 0xc3, 0xee, 0x4c, 0xc0, 0x38, 0xa1, 0xfa, 0xba, 0xfa, + 0xb7, 0x80, 0x69, 0x67, 0xa3, 0xef, 0x89, 0xba, 0xce, 0x89, 0x91, 0x3d, + 0x6a, 0x76, 0xe9, 0x3b, 0x32, 0x86, 0x76, 0x85, 0x6b, 0x4f, 0x7f, 0xbc, + 0x7a, 0x5b, 0x31, 0x92, 0x79, 0x35, 0xf8, 0xb9, 0xb1, 0xd7, 0xdb, 0xa9, + 0x6a, 0x8a, 0x91, 0x60, 0x65, 0xd4, 0x76, 0x54, 0x55, 0x57, 0xb9, 0x35, + 0xe0, 0xf5, 0xbb, 0x8f, 0xd4, 0x40, 0x75, 0xbb, 0x47, 0xa8, 0xf9, 0x0f, + 0xea, 0xc9, 0x6e, 0x84, 0xd5, 0xf5, 0x58, 0x2d, 0xe5, 0x76, 0x7b, 0xdf, + 0x97, 0x05, 0x5e, 0xaf, 0x50, 0xf5, 0x48 + }; + + WOLFSSL_X509* x509 = NULL; + int certSize = (int)(sizeof(cert_der) / sizeof(unsigned char)); + 
const char *name1 = "foo.example.com"; + int nameLen1 = (int)(XSTRLEN(name1)); + const char *name2 = "x.y.example.com"; + int nameLen2 = (int)(XSTRLEN(name2)); + const char *name3 = "example.com"; + int nameLen3 = (int)(XSTRLEN(name3)); + + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_buffer( + cert_der, certSize, WOLFSSL_FILETYPE_ASN1)); + + /* Ensure that "*.example.com" matches "foo.example.com" */ + ExpectIntEQ(wolfSSL_X509_check_host(x509, name1, nameLen1, + WOLFSSL_ALWAYS_CHECK_SUBJECT, NULL), WOLFSSL_SUCCESS); + /* Ensure that "*.example.com" does NOT match "x.y.example.com" */ + ExpectIntNE(wolfSSL_X509_check_host(x509, name2, nameLen2, + WOLFSSL_ALWAYS_CHECK_SUBJECT, NULL), WOLFSSL_SUCCESS); + /* Ensure that "*.example.com" does NOT match "example.com" */ + ExpectIntNE(wolfSSL_X509_check_host(x509, name3, nameLen3, + WOLFSSL_ALWAYS_CHECK_SUBJECT, NULL), WOLFSSL_SUCCESS); + + /* WOLFSSL_LEFT_MOST_WILDCARD_ONLY, should match "foo.example.com" */ + ExpectIntEQ(wolfSSL_X509_check_host(x509, name1, nameLen1, + WOLFSSL_ALWAYS_CHECK_SUBJECT | WOLFSSL_LEFT_MOST_WILDCARD_ONLY, + NULL), WOLFSSL_SUCCESS); + /* WOLFSSL_LEFT_MOST_WILDCARD_ONLY, should NOT match "x.y.example.com" */ + ExpectIntNE(wolfSSL_X509_check_host(x509, name2, nameLen2, + WOLFSSL_ALWAYS_CHECK_SUBJECT | WOLFSSL_LEFT_MOST_WILDCARD_ONLY, + NULL), WOLFSSL_SUCCESS); + /* WOLFSSL_LEFT_MOST_WILDCARD_ONLY, should NOT match "example.com" */ + ExpectIntNE(wolfSSL_X509_check_host(x509, name3, nameLen3, + WOLFSSL_ALWAYS_CHECK_SUBJECT | WOLFSSL_LEFT_MOST_WILDCARD_ONLY, + NULL), WOLFSSL_SUCCESS); + + wolfSSL_X509_free(x509); + +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_X509_max_altnames(void) +{ + EXPECT_DECLS; +#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_TLS) && \ + !defined(NO_RSA) + + /* Only test if max alt names has not been modified */ +#if WOLFSSL_MAX_ALT_NAMES <= 1024 + + WOLFSSL_CTX* ctx = NULL; + /* File contains a certificate encoded with 130 subject 
alternative names */ + const char* over_max_altnames_cert = \ + "./certs/test/cert-over-max-altnames.pem"; + +#ifndef NO_WOLFSSL_SERVER + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); +#else + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); +#endif + + ExpectIntNE(wolfSSL_CTX_load_verify_locations_ex(ctx, + over_max_altnames_cert, NULL, WOLFSSL_LOAD_FLAG_NONE), + WOLFSSL_SUCCESS); + wolfSSL_CTX_free(ctx); +#endif +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_X509_max_name_constraints(void) +{ + EXPECT_DECLS; +#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_TLS) && \ + !defined(NO_RSA) && !defined(IGNORE_NAME_CONSTRAINTS) + + /* Only test if max name constraints has not been modified */ +#if WOLFSSL_MAX_NAME_CONSTRAINTS == 128 + + WOLFSSL_CTX* ctx = NULL; + /* File contains a certificate with 130 name constraints */ + const char* over_max_nc = "./certs/test/cert-over-max-nc.pem"; + +#ifndef NO_WOLFSSL_SERVER + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); +#else + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); +#endif + + ExpectIntNE(wolfSSL_CTX_load_verify_locations_ex(ctx, over_max_nc, + NULL, WOLFSSL_LOAD_FLAG_NONE), WOLFSSL_SUCCESS); + wolfSSL_CTX_free(ctx); +#endif + +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_X509_check_ca(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_FILESYSTEM) + WOLFSSL_X509 *x509 = NULL; + + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(svrCertFile, + WOLFSSL_FILETYPE_PEM)); + ExpectIntEQ(wolfSSL_X509_check_ca(NULL), 0); + ExpectIntEQ(wolfSSL_X509_check_ca(x509), 1); + wolfSSL_X509_free(x509); + + ExpectNotNull(x509 = wolfSSL_X509_new()); + ExpectIntEQ(wolfSSL_X509_check_ca(x509), 0); + if (x509 != NULL) { + x509->extKeyUsageCrit = 1; + } + ExpectIntEQ(wolfSSL_X509_check_ca(x509), 4); + wolfSSL_X509_free(x509); +#endif + return EXPECT_RESULT(); +} + +int 
test_X509_get_signature_nid(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_FILESYSTEM) && !defined(NO_RSA) + X509* x509 = NULL; + + ExpectIntEQ(X509_get_signature_nid(NULL), 0); + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(svrCertFile, + SSL_FILETYPE_PEM)); + ExpectIntEQ(X509_get_signature_nid(x509), NID_sha256WithRSAEncryption); + X509_free(x509); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_X509_cmp(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_ALL) && !defined(NO_RSA) + XFILE file1 = XBADFILE; + XFILE file2 = XBADFILE; + WOLFSSL_X509* cert1 = NULL; + WOLFSSL_X509* cert2 = NULL; + WOLFSSL_X509* empty = NULL; + + ExpectTrue((file1 = XFOPEN("./certs/server-cert.pem", "rb")) != XBADFILE); + ExpectTrue((file2 = XFOPEN("./certs/3072/client-cert.pem", "rb")) != + XBADFILE); + + ExpectNotNull(cert1 = wolfSSL_PEM_read_X509(file1, NULL, NULL, NULL)); + ExpectNotNull(cert2 = wolfSSL_PEM_read_X509(file2, NULL, NULL, NULL)); + if (file1 != XBADFILE) + fclose(file1); + if (file2 != XBADFILE) + fclose(file2); + + ExpectNotNull(empty = wolfSSL_X509_new()); + + /* wolfSSL_X509_cmp() testing matching certs */ + ExpectIntEQ(0, wolfSSL_X509_cmp(cert1, cert1)); + + /* wolfSSL_X509_cmp() testing mismatched certs */ + ExpectIntEQ(-1, wolfSSL_X509_cmp(cert1, cert2)); + + /* wolfSSL_X509_cmp() testing NULL, valid args */ + ExpectIntEQ(WC_NO_ERR_TRACE(BAD_FUNC_ARG), wolfSSL_X509_cmp(NULL, cert2)); + + /* wolfSSL_X509_cmp() testing valid, NULL args */ + ExpectIntEQ(WC_NO_ERR_TRACE(BAD_FUNC_ARG), wolfSSL_X509_cmp(cert1, NULL)); + + /* wolfSSL_X509_cmp() testing NULL, NULL args */ + ExpectIntEQ(WC_NO_ERR_TRACE(BAD_FUNC_ARG), wolfSSL_X509_cmp(NULL, NULL)); + + /* wolfSSL_X509_cmp() testing empty cert */ + ExpectIntEQ(WOLFSSL_FATAL_ERROR, wolfSSL_X509_cmp(empty, cert2)); + ExpectIntEQ(WOLFSSL_FATAL_ERROR, wolfSSL_X509_cmp(cert1, empty)); + + wolfSSL_X509_free(empty); + wolfSSL_X509_free(cert2); + wolfSSL_X509_free(cert1); +#endif + return 
EXPECT_RESULT(); +} + diff --git a/tests/api/test_ossl_x509.h b/tests/api/test_ossl_x509.h new file mode 100644 index 00000000000..b3f0faff8da --- /dev/null +++ b/tests/api/test_ossl_x509.h 
@@ -0,0 +1,90 @@
+/* test_ossl_x509.h
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#ifndef WOLFCRYPT_TEST_OSSL_X509_H
+#define WOLFCRYPT_TEST_OSSL_X509_H
+
+#include
+
+int test_x509_get_key_id(void);
+int test_wolfSSL_X509_get_version(void);
+int test_wolfSSL_X509_cmp_time(void);
+int test_wolfSSL_X509_time_adj(void);
+int test_wolfSSL_X509_NID(void);
+int test_wolfSSL_i2d_X509_NAME_canon(void);
+int test_wolfSSL_X509_subject_name_hash(void);
+int test_wolfSSL_X509_issuer_name_hash(void);
+int test_wolfSSL_X509_check_host(void);
+int test_wolfSSL_X509_check_email(void);
+int test_wolfSSL_X509(void);
+int test_wolfSSL_X509_get0_tbs_sigalg(void);
+int test_wolfSSL_X509_set_name(void);
+int test_wolfSSL_X509_set_notAfter(void);
+int test_wolfSSL_X509_set_notBefore(void);
+int test_wolfSSL_X509_set_version(void);
+int test_wolfSSL_X509_get_serialNumber(void);
+int test_wolfSSL_get_tbs(void);
+int test_wolfSSL_X509_ext_get_critical_by_NID(void);
+int test_wolfSSL_X509_CRL_distribution_points(void);
+int test_wolfSSL_X509_check_ip_asc(void);
+int test_wolfSSL_X509_bad_altname(void);
+int test_wolfSSL_X509_name_match1(void);
+int test_wolfSSL_X509_name_match2(void);
+int test_wolfSSL_X509_name_match3(void);
+int test_wolfSSL_X509_max_altnames(void);
+int test_wolfSSL_X509_max_name_constraints(void);
+int test_wolfSSL_X509_check_ca(void);
+int test_X509_get_signature_nid(void);
+int test_wolfSSL_X509_cmp(void);
+
+#define TEST_OSSL_X509_DECLS \
+ TEST_DECL_GROUP("ossl_x509", test_x509_get_key_id), \
+ TEST_DECL_GROUP("ossl_x509", test_wolfSSL_X509_get_version), \
+ TEST_DECL_GROUP("ossl_x509", test_wolfSSL_X509_cmp_time), \
+ TEST_DECL_GROUP("ossl_x509", test_wolfSSL_X509_time_adj), \
+ TEST_DECL_GROUP("ossl_x509", test_wolfSSL_X509_NID), \
+ TEST_DECL_GROUP("ossl_x509", test_wolfSSL_i2d_X509_NAME_canon), \
+ TEST_DECL_GROUP("ossl_x509", test_wolfSSL_X509_subject_name_hash), \
+ TEST_DECL_GROUP("ossl_x509", test_wolfSSL_X509_issuer_name_hash), \
+ TEST_DECL_GROUP("ossl_x509", test_wolfSSL_X509_check_host), \
+ TEST_DECL_GROUP("ossl_x509", test_wolfSSL_X509_check_email), \
+ TEST_DECL_GROUP("ossl_x509", test_wolfSSL_X509), \
+ TEST_DECL_GROUP("ossl_x509", test_wolfSSL_X509_get0_tbs_sigalg), \
+ TEST_DECL_GROUP("ossl_x509", test_wolfSSL_X509_set_name), \
+ TEST_DECL_GROUP("ossl_x509", test_wolfSSL_X509_set_notAfter), \
+ TEST_DECL_GROUP("ossl_x509", test_wolfSSL_X509_set_notBefore), \
+ TEST_DECL_GROUP("ossl_x509", test_wolfSSL_X509_set_version), \
+ TEST_DECL_GROUP("ossl_x509", test_wolfSSL_X509_get_serialNumber), \
+ TEST_DECL_GROUP("ossl_x509", test_wolfSSL_get_tbs), \
+ TEST_DECL_GROUP("ossl_x509", test_wolfSSL_X509_ext_get_critical_by_NID), \
+ TEST_DECL_GROUP("ossl_x509", test_wolfSSL_X509_CRL_distribution_points), \
+ TEST_DECL_GROUP("ossl_x509", test_wolfSSL_X509_check_ip_asc), \
+ TEST_DECL_GROUP("ossl_x509", test_wolfSSL_X509_bad_altname), \
+ TEST_DECL_GROUP("ossl_x509", test_wolfSSL_X509_name_match1), \
+ TEST_DECL_GROUP("ossl_x509", test_wolfSSL_X509_name_match2), \
+ TEST_DECL_GROUP("ossl_x509", test_wolfSSL_X509_name_match3), \
+ TEST_DECL_GROUP("ossl_x509", test_wolfSSL_X509_max_altnames), \
+ TEST_DECL_GROUP("ossl_x509", test_wolfSSL_X509_max_name_constraints), \
+ TEST_DECL_GROUP("ossl_x509", test_wolfSSL_X509_check_ca), \
+ TEST_DECL_GROUP("ossl_x509", test_X509_get_signature_nid), \
+ TEST_DECL_GROUP("ossl_x509", test_wolfSSL_X509_cmp)
+
+#endif /* WOLFCRYPT_TEST_OSSL_X509_H */
diff --git a/tests/api/test_ossl_x509_acert.c b/tests/api/test_ossl_x509_acert.c
new file mode 100644
index 00000000000..5b16f848818
--- /dev/null
+++ b/tests/api/test_ossl_x509_acert.c
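Review bot: `TEST_OSSL_X509_DECLS` at the bottom of this header expands to `TEST_DECL_GROUP(...)` entries, but nothing here says where `TEST_DECL_GROUP` comes from or that the list must stay one-to-one with the prototypes above it, so a test added to the .c file and prototyped here can silently never run. A short comment above the macro would carry that contract, e.g. `/* Registration list consumed by tests/api.c; TEST_DECL_GROUP is supplied by the includer. Keep in sync with the prototypes above. */` (the single `#include` after the guard has its path stripped in this view, so if it already provides the macro, only the keep-in-sync half is needed). Separately, the guard name `WOLFCRYPT_TEST_OSSL_X509_H` describes a wolfCrypt header while this file lives in tests/api and declares OpenSSL-compat X509 tests; if the sibling test_ossl_*.h headers use the same prefix, keep it for consistency, otherwise a prefix matching the directory would read truer.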
@@ -0,0 +1,535 @@ +/* test_ossl_x509_acert.c + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +#include + +#ifdef NO_INLINE + #include +#else + #define WOLFSSL_MISC_INCLUDED + #include +#endif + +#include +#ifdef OPENSSL_EXTRA + #include +#endif +#include +#include + +#if defined(WOLFSSL_ACERT) && !defined(NO_CERTS) && !defined(NO_RSA) && \ + defined(WC_RSA_PSS) && !defined(NO_FILESYSTEM) && defined(OPENSSL_EXTRA) +/* Given acert file and its pubkey file, read them and then + * attempt to verify signed acert. + * + * If expect_pass is true, then verification should pass. + * If expect_pass is false, then verification should fail. + * */ +static int do_acert_verify_test(const char * acert_file, + const char * pkey_file, + size_t expect_pass) +{ + X509_ACERT * x509 = NULL; + EVP_PKEY * pkey = NULL; + BIO * bp = NULL; + int verify_rc = 0; + + /* First read the attribute certificate. */ + bp = BIO_new_file(acert_file, "r"); + if (bp == NULL) { + return -1; + } + + x509 = PEM_read_bio_X509_ACERT(bp, NULL, NULL, NULL); + BIO_free(bp); + bp = NULL; + + if (x509 == NULL) { + return -1; + } + + /* Next read the associated pub key. 
*/ + bp = BIO_new_file(pkey_file, "r"); + + if (bp == NULL) { + X509_ACERT_free(x509); + x509 = NULL; + return -1; + } + + pkey = PEM_read_bio_PUBKEY(bp, &pkey, NULL, NULL); + BIO_free(bp); + bp = NULL; + + if (pkey == NULL) { + X509_ACERT_free(x509); + x509 = NULL; + return -1; + } + + /* Finally, do verification. */ + verify_rc = X509_ACERT_verify(x509, pkey); + + X509_ACERT_free(x509); + x509 = NULL; + + EVP_PKEY_free(pkey); + pkey = NULL; + + if (expect_pass && verify_rc != 1) { + return -1; + } + + if (!expect_pass && verify_rc == 1) { + return -1; + } + + return 0; +} +#endif + +int test_wolfSSL_X509_ACERT_verify(void) +{ + EXPECT_DECLS; +#if defined(WOLFSSL_ACERT) && !defined(NO_CERTS) && !defined(NO_RSA) && \ + defined(WC_RSA_PSS) && !defined(NO_FILESYSTEM) && defined(OPENSSL_EXTRA) + /* Walk over list of signed ACERTs and their pubkeys. + * All should load and pass verification. */ + const char * acerts[4] = {"certs/acert/acert.pem", + "certs/acert/acert_ietf.pem", + "certs/acert/rsa_pss/acert.pem", + "certs/acert/rsa_pss/acert_ietf.pem"}; + const char * pkeys[4] = {"certs/acert/acert_pubkey.pem", + "certs/acert/acert_ietf_pubkey.pem", + "certs/acert/rsa_pss/acert_pubkey.pem", + "certs/acert/rsa_pss/acert_ietf_pubkey.pem"}; + int rc = 0; + size_t i = 0; + size_t j = 0; + + for (i = 0; i < 4; ++i) { + for (j = i; j < 4; ++j) { + rc = do_acert_verify_test(acerts[i], pkeys[j], i == j); + + if (rc) { + fprintf(stderr, "error: %s: i = %zu, j = %zu, rc = %d\n", + "do_acert_verify_test", i, j, rc); + break; + } + } + + if (rc) { break; } + } + + ExpectIntEQ(rc, 0); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_X509_ACERT_misc_api(void) +{ + EXPECT_DECLS; +#if defined(WOLFSSL_ACERT) && !defined(NO_CERTS) && !defined(NO_RSA) && \ + !defined(NO_FILESYSTEM) && defined(OPENSSL_EXTRA) + const char * acerts[4] = {"certs/acert/acert.pem", + "certs/acert/acert_ietf.pem", + "certs/acert/rsa_pss/acert.pem", + "certs/acert/rsa_pss/acert_ietf.pem"}; + int rc = 0; + 
X509_ACERT * x509 = NULL; + BIO * bp = NULL; + long ver_long = 0; + int ver = 0; + int nid = 0; + const byte * raw_attr = NULL; + word32 attr_len = 0; + size_t i = 0; + int buf_len = 0; + byte ietf_serial[] = {0x03, 0xb5, 0x90, 0x59, 0x02, + 0xa2, 0xaa, 0xb5, 0x40, 0x21, + 0x44, 0xb8, 0x2c, 0x4f, 0xd9, + 0x80, 0x1b, 0x5f, 0x57, 0xc2}; + + for (i = 0; i < 4; ++i) { + const char * acert_file = acerts[i]; + int is_rsa_pss = 0; + int is_ietf_acert = 0; + byte serial[64]; + int serial_len = sizeof(serial); + + XMEMSET(serial, 0, sizeof(serial)); + + is_rsa_pss = XSTRSTR(acert_file, "rsa_pss") != NULL ? 1 : 0; + is_ietf_acert = XSTRSTR(acert_file, "ietf.pem") != NULL ? 1 : 0; + + /* First read the attribute certificate. */ + bp = BIO_new_file(acert_file, "r"); + ExpectNotNull(bp); + + x509 = PEM_read_bio_X509_ACERT(bp, NULL, NULL, NULL); + ExpectNotNull(x509); + + /* We're done with the bio for now. */ + if (bp != NULL) { + BIO_free(bp); + bp = NULL; + } + + /* Check version and signature NID. */ + ver_long = X509_ACERT_get_version(x509); + ExpectIntEQ(ver_long, 1); + + ver = wolfSSL_X509_ACERT_version(x509); + ExpectIntEQ(ver, 2); + + nid = X509_ACERT_get_signature_nid(x509); + + if (is_rsa_pss) { + ExpectIntEQ(nid, NID_rsassaPss); + } + else { + ExpectIntEQ(nid, NID_sha256WithRSAEncryption); + } + + /* Get the serial number buffer. + * The ietf acert example has a 20 byte serial number. */ + rc = wolfSSL_X509_ACERT_get_serial_number(x509, serial, &serial_len); + ExpectIntEQ(rc, SSL_SUCCESS); + + if (is_ietf_acert) { + ExpectIntEQ(serial_len, 20); + ExpectIntEQ(XMEMCMP(serial, ietf_serial, sizeof(ietf_serial)), 0); + } + else { + ExpectIntEQ(serial_len, 1); + ExpectTrue(serial[0] == 0x01); + } + + /* Repeat the same but with null serial buffer. This is ok. 
*/ + rc = wolfSSL_X509_ACERT_get_serial_number(x509, NULL, &serial_len); + ExpectIntEQ(rc, SSL_SUCCESS); + + if (is_ietf_acert) { + ExpectIntEQ(serial_len, 20); + } + else { + ExpectIntEQ(serial_len, 1); + ExpectTrue(serial[0] == 0x01); + } + + /* Get the attributes buffer. */ + rc = wolfSSL_X509_ACERT_get_attr_buf(x509, &raw_attr, &attr_len); + ExpectIntEQ(rc, SSL_SUCCESS); + + if (is_ietf_acert) { + /* This cert has a 65 byte attributes field. */ + ExpectNotNull(raw_attr); + ExpectIntEQ(attr_len, 65); + } + else { + /* This cert has a 237 byte attributes field. */ + ExpectNotNull(raw_attr); + ExpectIntEQ(attr_len, 237); + } + + /* Test printing acert to memory bio. */ + ExpectNotNull(bp = BIO_new(BIO_s_mem())); + rc = X509_ACERT_print(bp, x509); + ExpectIntEQ(rc, SSL_SUCCESS); + + /* Now do a bunch of invalid stuff with partially valid inputs. */ + rc = wolfSSL_X509_ACERT_get_attr_buf(x509, &raw_attr, NULL); + ExpectIntEQ(rc, BAD_FUNC_ARG); + + rc = wolfSSL_X509_ACERT_get_attr_buf(x509, NULL, &attr_len); + ExpectIntEQ(rc, BAD_FUNC_ARG); + + rc = wolfSSL_X509_ACERT_get_attr_buf(NULL, &raw_attr, &attr_len); + ExpectIntEQ(rc, BAD_FUNC_ARG); + + ver_long = X509_ACERT_get_version(NULL); + ExpectIntEQ(ver_long, 0); + + ver = wolfSSL_X509_ACERT_version(NULL); + ExpectIntEQ(ver, 0); + + rc = wolfSSL_X509_ACERT_get_signature(x509, NULL, NULL); + ExpectIntEQ(rc, WOLFSSL_FATAL_ERROR); + + rc = wolfSSL_X509_ACERT_get_signature(x509, NULL, &buf_len); + ExpectIntEQ(rc, SSL_SUCCESS); + ExpectIntEQ(buf_len, 256); + + rc = wolfSSL_X509_ACERT_get_serial_number(x509, serial, NULL); + ExpectIntEQ(rc, BAD_FUNC_ARG); + + rc = X509_ACERT_print(bp, NULL); + ExpectIntEQ(rc, WOLFSSL_FAILURE); + + rc = X509_ACERT_print(NULL, x509); + ExpectIntEQ(rc, WOLFSSL_FAILURE); + + /* Finally free the acert and bio, we're done with them. 
*/ + if (x509 != NULL) { + X509_ACERT_free(x509); + x509 = NULL; + } + + if (bp != NULL) { + BIO_free(bp); + bp = NULL; + } + } +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_X509_ACERT_buffer(void) +{ + EXPECT_DECLS; +#if defined(WOLFSSL_ACERT) && !defined(NO_CERTS) && \ + !defined(NO_RSA) && defined(WC_RSA_PSS) && \ + (defined(OPENSSL_EXTRA_X509_SMALL) || defined(OPENSSL_EXTRA)) + const byte acert_ietf[] = \ + "-----BEGIN ATTRIBUTE CERTIFICATE-----\n" + "MIICPTCCASUCAQEwN6AWMBGkDzANMQswCQYDVQQDDAJDQQIBAqEdpBswGTEXMBUG\n" + "A1UEAwwOc2VydmVyLmV4YW1wbGWgLTArpCkwJzElMCMGA1UEAwwcQXR0cmlidXRl\n" + "IENlcnRpZmljYXRlIElzc3VlcjANBgkqhkiG9w0BAQsFAAIUA7WQWQKiqrVAIUS4\n" + "LE/ZgBtfV8IwIhgPMjAyMTA2MTUxMjM1MDBaGA8yMDMxMDYxMzEyMzUwMFowQTAj\n" + "BggrBgEFBQcKBDEXMBWgCYYHVGVzdHZhbDAIDAZncm91cDEwGgYDVQRIMRMwEaEP\n" + "gw1hZG1pbmlzdHJhdG9yMCwwHwYDVR0jBBgwFoAUYm7JaGdsZLtTgt0tqoCK2MrI\n" + "i10wCQYDVR04BAIFADANBgkqhkiG9w0BAQsFAAOCAQEAlIOJ2Dj3TEUj6BIv6vUs\n" + "GqFWms05i+d10XSzWrunlUTQPoJcUjYkifOWp/7RpZ2XnRl+6hH+nIbmwSmXWwBn\n" + "ERw2bQMmw/""/nWuN4Qv9t7ltuovWC0pJX6VMT1IRTuTV4SxuZpFL37vkmnFlPBlb+\n" + "mn3ESSxLTjThWFIq1tip4IaxE/i5Uh32GlJglatFHM1PCGoJtyLtYb6KHDlvknw6\n" + "coDyjIcj0FZwtQw41jLwxI8jWNmrpt978wdpprB/URrRs+m02HmeQoiHFi/qvdv8\n" + "d+5vHf3Pi/ulhz/+dvr0p1vEQSoFnYxLXuty2p5m3PJPZCFmT3gURgmgR3BN9d7A\n" + "Bw==\n" + "-----END ATTRIBUTE CERTIFICATE-----\n"; + X509_ACERT * x509 = NULL; + int rc = 0; + byte ietf_serial[] = {0x03, 0xb5, 0x90, 0x59, 0x02, + 0xa2, 0xaa, 0xb5, 0x40, 0x21, + 0x44, 0xb8, 0x2c, 0x4f, 0xd9, + 0x80, 0x1b, 0x5f, 0x57, 0xc2}; + byte serial[64]; + int serial_len = sizeof(serial); + const byte * raw_attr = NULL; + word32 attr_len = 0; + + x509 = wolfSSL_X509_ACERT_load_certificate_buffer_ex(acert_ietf, + sizeof(acert_ietf), + WOLFSSL_FILETYPE_PEM, + HEAP_HINT); + + rc = wolfSSL_X509_ACERT_get_serial_number(x509, serial, &serial_len); + ExpectIntEQ(rc, SSL_SUCCESS); + + ExpectIntEQ(serial_len, 20); + ExpectIntEQ(XMEMCMP(serial, ietf_serial, 
sizeof(ietf_serial)), 0); + + /* Get the attributes buffer. */ + rc = wolfSSL_X509_ACERT_get_attr_buf(x509, &raw_attr, &attr_len); + ExpectIntEQ(rc, SSL_SUCCESS); + + /* This cert has a 65 byte attributes field. */ + ExpectNotNull(raw_attr); + ExpectIntEQ(attr_len, 65); + + ExpectNotNull(x509); + + if (x509 != NULL) { + wolfSSL_X509_ACERT_free(x509); + x509 = NULL; + } +#endif + return EXPECT_RESULT(); +} + +/* note: when ACERT generation and signing are implemented, + * this test will be filled out appropriately. + * */ +int test_wolfSSL_X509_ACERT_new_and_sign(void) +{ + EXPECT_DECLS; +#if defined(WOLFSSL_ACERT) && !defined(NO_CERTS) && \ + !defined(NO_RSA) && defined(WC_RSA_PSS) && \ + (defined(OPENSSL_EXTRA_X509_SMALL) || defined(OPENSSL_EXTRA)) + X509_ACERT * x509 = NULL; + int rc = 0; + + x509 = X509_ACERT_new(); + ExpectNotNull(x509); + + if (x509 != NULL) { + wolfSSL_X509_ACERT_free(x509); + x509 = NULL; + } + + /* Same but with static memory hint. */ + x509 = wolfSSL_X509_ACERT_new_ex(HEAP_HINT); + ExpectNotNull(x509); + + #ifndef NO_WOLFSSL_STUB + /* ACERT sign not implemented yet. */ + if (x509 != NULL) { + rc = wolfSSL_X509_ACERT_sign(x509, NULL, NULL); + ExpectIntEQ(rc, WOLFSSL_NOT_IMPLEMENTED); + } + #else + (void) rc; + #endif /* NO_WOLFSSL_STUB */ + + if (x509 != NULL) { + wolfSSL_X509_ACERT_free(x509); + x509 = NULL; + } + +#endif + return EXPECT_RESULT(); +} + +/* Test ACERT support, but with ASN functions only. + * + * This example acert_ietf has both Holder IssuerSerial + * and Holder entityName fields. 
+ * */ +int test_wolfSSL_X509_ACERT_asn(void) +{ + EXPECT_DECLS; +#if defined(WOLFSSL_ACERT) && !defined(NO_CERTS) + const byte acert_ietf[] = \ + "-----BEGIN ATTRIBUTE CERTIFICATE-----\n" + "MIICPTCCASUCAQEwN6AWMBGkDzANMQswCQYDVQQDDAJDQQIBAqEdpBswGTEXMBUG\n" + "A1UEAwwOc2VydmVyLmV4YW1wbGWgLTArpCkwJzElMCMGA1UEAwwcQXR0cmlidXRl\n" + "IENlcnRpZmljYXRlIElzc3VlcjANBgkqhkiG9w0BAQsFAAIUA7WQWQKiqrVAIUS4\n" + "LE/ZgBtfV8IwIhgPMjAyMTA2MTUxMjM1MDBaGA8yMDMxMDYxMzEyMzUwMFowQTAj\n" + "BggrBgEFBQcKBDEXMBWgCYYHVGVzdHZhbDAIDAZncm91cDEwGgYDVQRIMRMwEaEP\n" + "gw1hZG1pbmlzdHJhdG9yMCwwHwYDVR0jBBgwFoAUYm7JaGdsZLtTgt0tqoCK2MrI\n" + "i10wCQYDVR04BAIFADANBgkqhkiG9w0BAQsFAAOCAQEAlIOJ2Dj3TEUj6BIv6vUs\n" + "GqFWms05i+d10XSzWrunlUTQPoJcUjYkifOWp/7RpZ2XnRl+6hH+nIbmwSmXWwBn\n" + "ERw2bQMmw/""/nWuN4Qv9t7ltuovWC0pJX6VMT1IRTuTV4SxuZpFL37vkmnFlPBlb+\n" + "mn3ESSxLTjThWFIq1tip4IaxE/i5Uh32GlJglatFHM1PCGoJtyLtYb6KHDlvknw6\n" + "coDyjIcj0FZwtQw41jLwxI8jWNmrpt978wdpprB/URrRs+m02HmeQoiHFi/qvdv8\n" + "d+5vHf3Pi/ulhz/+dvr0p1vEQSoFnYxLXuty2p5m3PJPZCFmT3gURgmgR3BN9d7A\n" + "Bw==\n" + "-----END ATTRIBUTE CERTIFICATE-----\n"; + int rc = 0; + int n_diff = 0; + byte ietf_serial[] = {0x03, 0xb5, 0x90, 0x59, 0x02, + 0xa2, 0xaa, 0xb5, 0x40, 0x21, + 0x44, 0xb8, 0x2c, 0x4f, 0xd9, + 0x80, 0x1b, 0x5f, 0x57, 0xc2}; + byte holderIssuerName[] = {0x31, 0x0b, 0x30, 0x09, 0x06, + 0x03, 0x55, 0x04, 0x03, 0x0c, + 0x02, 0x43, 0x41}; + byte holderEntityName[] = {0x31, 0x17, 0x30, 0x15, 0x06, + 0x03, 0x55, 0x04, 0x03, 0x0c, + 0x0e, 0x73, 0x65, 0x72, 0x76, + 0x65, 0x72, 0x2e, 0x65, 0x78, + 0x61, 0x6d, 0x70, 0x6c, 0x65}; + DerBuffer * der = NULL; + WC_DECLARE_VAR(acert, DecodedAcert, 1, 0); + + rc = wc_PemToDer(acert_ietf, sizeof(acert_ietf), ACERT_TYPE, &der, + HEAP_HINT, NULL, NULL); + + ExpectIntEQ(rc, 0); + ExpectNotNull(der); + + if (der != NULL) { + ExpectNotNull(der->buffer); + } + +#ifdef WOLFSSL_SMALL_STACK + acert = (DecodedAcert*)XMALLOC(sizeof(DecodedAcert), HEAP_HINT, + DYNAMIC_TYPE_DCERT); + ExpectNotNull(acert); 
+#else + XMEMSET(acert, 0, sizeof(DecodedAcert)); +#endif + + if (der != NULL && der->buffer != NULL +#ifdef WOLFSSL_SMALL_STACK + && acert != NULL +#endif + ) { + wc_InitDecodedAcert(acert, der->buffer, der->length, HEAP_HINT); + rc = wc_ParseX509Acert(acert, VERIFY_SKIP_DATE); + ExpectIntEQ(rc, 0); + + ExpectIntEQ(acert->serialSz, 20); + ExpectIntEQ(XMEMCMP(acert->serial, ietf_serial, sizeof(ietf_serial)), + 0); + + /* This cert has a 65 byte attributes field. */ + ExpectNotNull(acert->rawAttr); + ExpectIntEQ(acert->rawAttrLen, 65); + + ExpectNotNull(acert->holderIssuerName); + ExpectNotNull(acert->holderEntityName); + + if ((acert->holderIssuerName != NULL) && + (acert->holderEntityName != NULL)) { + ExpectNotNull(acert->holderEntityName->name); + ExpectNotNull(acert->holderIssuerName->name); + } + if ((acert->holderIssuerName != NULL) && + (acert->holderEntityName != NULL) && + (acert->holderIssuerName->name != NULL) && + (acert->holderEntityName->name != NULL)) { + ExpectIntEQ(acert->holderIssuerName->len, + sizeof(holderIssuerName)); + ExpectIntEQ(acert->holderEntityName->len, + sizeof(holderEntityName)); + + ExpectIntEQ(acert->holderIssuerName->type, ASN_DIR_TYPE); + ExpectIntEQ(acert->holderEntityName->type, ASN_DIR_TYPE); + + n_diff = XMEMCMP(acert->holderIssuerName->name, holderIssuerName, + sizeof(holderIssuerName)); + ExpectIntEQ(n_diff, 0); + + n_diff = XMEMCMP(acert->holderEntityName->name, holderEntityName, + sizeof(holderEntityName)); + ExpectIntEQ(n_diff, 0); + } + + wc_FreeDecodedAcert(acert); + } + +#ifdef WOLFSSL_SMALL_STACK + if (acert != NULL) { + XFREE(acert, HEAP_HINT, DYNAMIC_TYPE_DCERT); + acert = NULL; + } +#endif + + if (der != NULL) { + wc_FreeDer(&der); + der = NULL; + } + +#endif + return EXPECT_RESULT(); +} + + diff --git a/tests/api/test_ossl_x509_acert.h b/tests/api/test_ossl_x509_acert.h new file mode 100644 index 00000000000..0a2041b02a4 --- /dev/null +++ b/tests/api/test_ossl_x509_acert.h 
@@ -0,0 +1,40 @@
+/* test_ossl_x509_acert.h
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#ifndef WOLFCRYPT_TEST_OSSL_X509_ACERT_H
+#define WOLFCRYPT_TEST_OSSL_X509_ACERT_H
+
+#include
+
+int test_wolfSSL_X509_ACERT_verify(void);
+int test_wolfSSL_X509_ACERT_misc_api(void);
+int test_wolfSSL_X509_ACERT_buffer(void);
+int test_wolfSSL_X509_ACERT_new_and_sign(void);
+int test_wolfSSL_X509_ACERT_asn(void);
+
+#define TEST_OSSL_X509_ACERT_DECLS \
+ TEST_DECL_GROUP("ossl_x509_acert", test_wolfSSL_X509_ACERT_verify), \
+ TEST_DECL_GROUP("ossl_x509_acert", test_wolfSSL_X509_ACERT_misc_api), \
+ TEST_DECL_GROUP("ossl_x509_acert", test_wolfSSL_X509_ACERT_buffer), \
+ TEST_DECL_GROUP("ossl_x509_acert", test_wolfSSL_X509_ACERT_new_and_sign), \
+ TEST_DECL_GROUP("ossl_x509_acert", test_wolfSSL_X509_ACERT_new_and_sign)
+
+#endif /* WOLFCRYPT_TEST_OSSL_X509_ACERT_H */
diff --git a/tests/api/test_ossl_x509_crypto.c b/tests/api/test_ossl_x509_crypto.c
new file mode 100644
index 00000000000..11c918c7886
--- /dev/null
+++ b/tests/api/test_ossl_x509_crypto.c
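Review bot: The `TEST_OSSL_X509_ACERT_DECLS` macro at the bottom of this hunk registers `test_wolfSSL_X509_ACERT_new_and_sign` twice and never registers `test_wolfSSL_X509_ACERT_asn`, even though that function's prototype is declared a few lines above in the same header and its definition appears in the accompanying `.c` hunk. The asn test is the only one in this group that drives `wc_ParseX509Acert` directly and checks the decoded serial, raw attribute length and the holder IssuerSerial/entityName names, so assuming the harness builds its test table from this macro, that parser coverage is silently dropped and a regression in the low-level attribute-certificate decoder would go unnoticed. The last entry should read `TEST_DECL_GROUP("ossl_x509_acert", test_wolfSSL_X509_ACERT_asn)`. As a side effect of the duplicate, new_and_sign is also executed and counted twice in the group's results.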
@@ -0,0 +1,782 @@ +/* test_ossl_x509_crypto.c + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +#include + +#ifdef NO_INLINE + #include +#else + #define WOLFSSL_MISC_INCLUDED + #include +#endif + +#include +#include +#include +#include +#include + +int test_wolfSSL_X509_check_private_key(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_RSA) && \ + defined(USE_CERT_BUFFERS_2048) && !defined(NO_CHECK_PRIVATE_KEY) && \ + !defined(NO_FILESYSTEM) + X509* x509 = NULL; + EVP_PKEY* pkey = NULL; + const byte* key; + + /* Check with correct key */ + ExpectNotNull((x509 = X509_load_certificate_file(cliCertFile, + SSL_FILETYPE_PEM))); + key = client_key_der_2048; + ExpectNotNull(d2i_PrivateKey(EVP_PKEY_RSA, &pkey, &key, + (long)sizeof_client_key_der_2048)); + ExpectIntEQ(X509_check_private_key(x509, pkey), 1); + EVP_PKEY_free(pkey); + pkey = NULL; + + /* Check with wrong key */ + key = server_key_der_2048; + ExpectNotNull(d2i_PrivateKey(EVP_PKEY_RSA, &pkey, &key, + (long)sizeof_server_key_der_2048)); + ExpectIntEQ(X509_check_private_key(x509, pkey), 0); + + /* test for incorrect parameter */ + ExpectIntEQ(X509_check_private_key(NULL, pkey), 0); + ExpectIntEQ(X509_check_private_key(x509, 
NULL), 0); + ExpectIntEQ(X509_check_private_key(NULL, NULL), 0); + + EVP_PKEY_free(pkey); + X509_free(x509); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_X509_verify(void) +{ + EXPECT_DECLS; +#if !defined(NO_CERTS) && !defined(NO_RSA) && !defined(NO_FILESYSTEM) && \ + defined(OPENSSL_EXTRA) + WOLFSSL_X509* ca = NULL; + WOLFSSL_X509* serv = NULL; + WOLFSSL_EVP_PKEY* pkey = NULL; + unsigned char buf[2048]; + const unsigned char* pt = NULL; + int bufSz = 0; + + ExpectNotNull(ca = wolfSSL_X509_load_certificate_file(caCertFile, + WOLFSSL_FILETYPE_PEM)); + + ExpectIntNE(wolfSSL_X509_get_pubkey_buffer(NULL, buf, NULL), + WOLFSSL_SUCCESS); + ExpectIntNE(wolfSSL_X509_get_pubkey_buffer(NULL, buf, &bufSz), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_get_pubkey_buffer(ca, NULL, &bufSz), + WOLFSSL_SUCCESS); + ExpectIntEQ(bufSz, 294); + + bufSz--; + ExpectIntNE(wolfSSL_X509_get_pubkey_buffer(ca, buf, &bufSz), + WOLFSSL_SUCCESS); + bufSz = 2048; + ExpectIntEQ(wolfSSL_X509_get_pubkey_buffer(ca, buf, &bufSz), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_get_pubkey_type(NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_X509_get_pubkey_type(ca), RSAk); + + + ExpectNotNull(serv = wolfSSL_X509_load_certificate_file(svrCertFile, + WOLFSSL_FILETYPE_PEM)); + + /* success case */ + pt = buf; + ExpectNotNull(pkey = wolfSSL_d2i_PUBKEY(NULL, &pt, bufSz)); + + ExpectIntEQ(i2d_PUBKEY(pkey, NULL), bufSz); + + ExpectIntEQ(wolfSSL_X509_verify(serv, pkey), WOLFSSL_SUCCESS); + wolfSSL_EVP_PKEY_free(pkey); + pkey = NULL; + + /* fail case */ + bufSz = 2048; + ExpectIntEQ(wolfSSL_X509_get_pubkey_buffer(serv, buf, &bufSz), + WOLFSSL_SUCCESS); + pt = buf; + ExpectNotNull(pkey = wolfSSL_d2i_PUBKEY(NULL, &pt, bufSz)); + ExpectIntEQ(wolfSSL_X509_verify(serv, pkey), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + + ExpectIntEQ(wolfSSL_X509_verify(NULL, pkey), + WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); + ExpectIntEQ(wolfSSL_X509_verify(serv, NULL), + 
WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); + +#ifndef NO_WOLFSSL_STUB + ExpectNull(wolfSSL_X509_get0_pubkey_bitstr(NULL)); + ExpectNull(wolfSSL_X509_get0_pubkey_bitstr(serv)); +#endif + + wolfSSL_EVP_PKEY_free(pkey); + + wolfSSL_FreeX509(ca); + wolfSSL_FreeX509(serv); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_X509_sign(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_ASN_TIME) && \ + defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_REQ) && !defined(NO_RSA) + int ret = 0; + char *cn = NULL; + word32 cnSz = 0; + X509_NAME *name = NULL; + X509_NAME *emptyName = NULL; + X509 *x509 = NULL; + X509 *ca = NULL; + DecodedCert dCert; + EVP_PKEY *pub = NULL; + EVP_PKEY *priv = NULL; + EVP_MD_CTX *mctx = NULL; +#if defined(USE_CERT_BUFFERS_1024) + const unsigned char* rsaPriv = client_key_der_1024; + const unsigned char* rsaPub = client_keypub_der_1024; + const unsigned char* certIssuer = client_cert_der_1024; + long clientKeySz = (long)sizeof_client_key_der_1024; + long clientPubKeySz = (long)sizeof_client_keypub_der_1024; + long certIssuerSz = (long)sizeof_client_cert_der_1024; +#elif defined(USE_CERT_BUFFERS_2048) + const unsigned char* rsaPriv = client_key_der_2048; + const unsigned char* rsaPub = client_keypub_der_2048; + const unsigned char* certIssuer = client_cert_der_2048; + long clientKeySz = (long)sizeof_client_key_der_2048; + long clientPubKeySz = (long)sizeof_client_keypub_der_2048; + long certIssuerSz = (long)sizeof_client_cert_der_2048; +#endif + byte sn[16]; + int snSz = sizeof(sn); + int sigSz = 0; +#ifndef NO_WOLFSSL_STUB + const WOLFSSL_ASN1_BIT_STRING* sig = NULL; + const WOLFSSL_X509_ALGOR* alg = NULL; +#endif + + /* Set X509_NAME fields */ + ExpectNotNull(name = X509_NAME_new()); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8, + (byte*)"US", 2, -1, 0), SSL_SUCCESS); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8, + (byte*)"wolfssl.com", 11, -1, 
0), SSL_SUCCESS); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "emailAddress", MBSTRING_UTF8, + (byte*)"support@wolfssl.com", 19, -1, 0), SSL_SUCCESS); + + /* Get private and public keys */ + ExpectNotNull(priv = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL, &rsaPriv, + clientKeySz)); + ExpectNotNull(pub = wolfSSL_d2i_PUBKEY(NULL, &rsaPub, clientPubKeySz)); + ExpectNotNull(x509 = X509_new()); + ExpectIntEQ(X509_sign(x509, priv, EVP_sha256()), 0); + /* Set version 3 */ + ExpectIntNE(X509_set_version(x509, 2L), 0); + /* Set subject name, add pubkey, and sign certificate */ + ExpectIntEQ(X509_set_subject_name(x509, name), SSL_SUCCESS); + X509_NAME_free(name); + name = NULL; + ExpectIntEQ(X509_set_pubkey(x509, pub), SSL_SUCCESS); +#ifdef WOLFSSL_ALT_NAMES + ExpectNull(wolfSSL_X509_get_next_altname(NULL)); + ExpectNull(wolfSSL_X509_get_next_altname(x509)); + + /* Add some subject alt names */ + ExpectIntNE(wolfSSL_X509_add_altname(NULL, + "ipsum", ASN_DNS_TYPE), SSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_add_altname(x509, + NULL, ASN_DNS_TYPE), SSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_add_altname(x509, + "sphygmomanometer", + ASN_DNS_TYPE), SSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_add_altname(x509, + "supercalifragilisticexpialidocious", + ASN_DNS_TYPE), SSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_add_altname(x509, + "Llanfairpwllgwyngyllgogerychwyrndrobwllllantysiliogogogoch", + ASN_DNS_TYPE), SSL_SUCCESS); +#ifdef WOLFSSL_IP_ALT_NAME + { + unsigned char ip4_type[] = {127,128,0,255}; + unsigned char ip6_type[] = {0xdd, 0xcc, 0xba, 0xab, + 0xff, 0xee, 0x99, 0x88, + 0x77, 0x66, 0x55, 0x44, + 0x00, 0x33, 0x22, 0x11}; + ExpectIntEQ(wolfSSL_X509_add_altname_ex(x509, (char*)ip4_type, + sizeof(ip4_type), ASN_IP_TYPE), SSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_add_altname_ex(x509, (char*)ip6_type, + sizeof(ip6_type), ASN_IP_TYPE), SSL_SUCCESS); + } +#endif + + { + int i; + + if (x509 != NULL) { + x509->altNamesNext = x509->altNames; + } +#ifdef WOLFSSL_IP_ALT_NAME + /* No names in IP 
address. */ + ExpectNull(wolfSSL_X509_get_next_altname(x509)); + ExpectNull(wolfSSL_X509_get_next_altname(x509)); +#endif + for (i = 0; i < 3; i++) { + ExpectNotNull(wolfSSL_X509_get_next_altname(x509)); + } + ExpectNull(wolfSSL_X509_get_next_altname(x509)); +#ifdef WOLFSSL_MULTICIRCULATE_ALTNAMELIST + ExpectNotNull(wolfSSL_X509_get_next_altname(x509)); +#endif + } +#endif /* WOLFSSL_ALT_NAMES */ + + { + ASN1_UTCTIME* infinite_past = NULL; + ExpectNotNull(infinite_past = ASN1_UTCTIME_set(NULL, 0)); + ExpectIntEQ(X509_set1_notBefore(x509, infinite_past), 1); + ASN1_UTCTIME_free(infinite_past); + } + + /* test valid sign case */ + ExpectIntGT(ret = X509_sign(x509, priv, EVP_sha256()), 0); + /* test getting signature */ +#ifndef NO_WOLFSSL_STUB + wolfSSL_X509_get0_signature(&sig, &alg, x509); +#endif + ExpectIntEQ(wolfSSL_X509_get_signature(x509, NULL, &sigSz), + WOLFSSL_SUCCESS); + ExpectIntGT(sigSz, 0); + ExpectIntEQ(wolfSSL_X509_get_signature(NULL, NULL, NULL), + WOLFSSL_FATAL_ERROR); + ExpectIntEQ(wolfSSL_X509_get_signature(x509, NULL, NULL), + WOLFSSL_FATAL_ERROR); + ExpectIntEQ(wolfSSL_X509_get_signature(NULL, NULL, &sigSz), + WOLFSSL_FATAL_ERROR); + sigSz = 0; + ExpectIntEQ(wolfSSL_X509_get_signature(x509, sn, &sigSz), + WOLFSSL_FATAL_ERROR); + + /* test valid X509_sign_ctx case */ + ExpectNotNull(mctx = EVP_MD_CTX_new()); + ExpectIntEQ(EVP_DigestSignInit(mctx, NULL, EVP_sha256(), NULL, priv), 1); + ExpectIntGT(X509_sign_ctx(x509, mctx), 0); + +#if defined(OPENSSL_ALL) && defined(WOLFSSL_ALT_NAMES) + ExpectIntEQ(X509_get_ext_count(x509), 1); +#endif +#if defined(WOLFSSL_ALT_NAMES) && defined(WOLFSSL_IP_ALT_NAME) + ExpectIntEQ(wolfSSL_X509_check_ip_asc(x509, "127.128.0.255", 0), 1); + ExpectIntEQ(wolfSSL_X509_check_ip_asc(x509, + "DDCC:BAAB:FFEE:9988:7766:5544:0033:2211", 0), 1); +#endif + + ExpectIntEQ(wolfSSL_X509_get_serial_number(x509, sn, &snSz), + WOLFSSL_SUCCESS); + DEBUG_WRITE_CERT_X509(x509, "signed.pem"); + + /* Variation in size depends on ASN.1 
encoding when MSB is set. + * WOLFSSL_ASN_TEMPLATE code does not generate a serial number + * with the MSB set. See GenerateInteger in asn.c */ +#ifndef USE_CERT_BUFFERS_1024 +#ifndef WOLFSSL_ALT_NAMES + /* Valid case - size should be 781-786 with 16 byte serial number */ + ExpectTrue((781 + snSz <= ret) && (ret <= 781 + 5 + snSz)); +#elif defined(WOLFSSL_IP_ALT_NAME) + /* Valid case - size should be 955-960 with 16 byte serial number */ + ExpectTrue((939 + snSz <= ret) && (ret <= 939 + 5 + snSz)); +#else + /* Valid case - size should be 926-931 with 16 byte serial number */ + ExpectTrue((910 + snSz <= ret) && (ret <= 910 + 5 + snSz)); +#endif +#else +#ifndef WOLFSSL_ALT_NAMES + /* Valid case - size should be 537-542 with 16 byte serial number */ + ExpectTrue((521 + snSz <= ret) && (ret <= 521 + 5 + snSz)); +#elif defined(OPENSSL_ALL) || defined(WOLFSSL_IP_ALT_NAME) + /* Valid case - size should be 695-670 with 16 byte serial number */ + ExpectTrue((679 + snSz <= ret) && (ret <= 679 + 5 + snSz)); +#else + /* Valid case - size should be 666-671 with 16 byte serial number */ + ExpectTrue((650 + snSz <= ret) && (ret <= 650 + 5 + snSz)); +#endif +#endif + /* check that issuer name is as expected after signature */ + InitDecodedCert(&dCert, certIssuer, (word32)certIssuerSz, 0); + ExpectIntEQ(ParseCert(&dCert, CERT_TYPE, NO_VERIFY, NULL), 0); + + ExpectNotNull(emptyName = X509_NAME_new()); + ExpectNotNull(ca = d2i_X509(NULL, &certIssuer, (int)certIssuerSz)); + ExpectIntEQ(wolfSSL_X509_get_isCA(NULL), 0); + ExpectIntEQ(wolfSSL_X509_get_isCA(ca), 1); + ExpectNotNull(name = X509_get_subject_name(ca)); + ExpectIntEQ(X509_NAME_get_sz(NULL), WOLFSSL_FATAL_ERROR); + ExpectIntGT(cnSz = X509_NAME_get_sz(name), 0); + ExpectNotNull(cn = (char*)XMALLOC(cnSz, HEAP_HINT, DYNAMIC_TYPE_OPENSSL)); + ExpectNull(X509_NAME_oneline(NULL, cn, (int)cnSz)); + ExpectPtrEq(X509_NAME_oneline(name, cn, 0), cn); + ExpectPtrEq(X509_NAME_oneline(emptyName, cn, (int)cnSz), cn); + 
ExpectNull(X509_NAME_oneline(emptyName, NULL, 0)); + ExpectPtrEq(X509_NAME_oneline(name, cn, (int)cnSz), cn); + ExpectIntEQ(0, XSTRNCMP(cn, dCert.subject, XSTRLEN(cn))); + XFREE(cn, HEAP_HINT, DYNAMIC_TYPE_OPENSSL); + cn = NULL; + +#if defined(XSNPRINTF) + ExpectNull(wolfSSL_X509_get_name_oneline(NULL, NULL, 0)); + ExpectNotNull(cn = wolfSSL_X509_get_name_oneline(name, NULL, 0)); + ExpectIntGT((int)(cnSz = (word32)XSTRLEN(cn) + 1), 0); + ExpectPtrEq(wolfSSL_X509_get_name_oneline(name, cn, (int)cnSz), cn); + ExpectNull(wolfSSL_X509_get_name_oneline(NULL, cn, (int)cnSz)); + ExpectNull(wolfSSL_X509_get_name_oneline(name, cn, cnSz - 1)); + ExpectPtrEq(wolfSSL_X509_get_name_oneline(name, cn, (int)cnSz), cn); + ExpectPtrEq(wolfSSL_X509_get_name_oneline(emptyName, cn, (int)cnSz), cn); + XFREE(cn, HEAP_HINT, DYNAMIC_TYPE_OPENSSL); + cn = NULL; +#endif + X509_NAME_free(emptyName); + +#ifdef WOLFSSL_MULTI_ATTRIB + /* test adding multiple OU's to the signer */ + ExpectNotNull(name = X509_get_subject_name(ca)); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "OU", MBSTRING_UTF8, + (byte*)"OU1", 3, -1, 0), SSL_SUCCESS); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "OU", MBSTRING_UTF8, + (byte*)"OU2", 3, -1, 0), SSL_SUCCESS); + ExpectIntGT(X509_sign(ca, priv, EVP_sha256()), 0); +#endif + + ExpectNotNull(name = X509_get_subject_name(ca)); + ExpectIntEQ(X509_set_issuer_name(x509, name), SSL_SUCCESS); + + ExpectIntGT(X509_sign(x509, priv, EVP_sha256()), 0); + ExpectNotNull(name = X509_get_issuer_name(x509)); + cnSz = X509_NAME_get_sz(name); + ExpectNotNull(cn = (char*)XMALLOC(cnSz, HEAP_HINT, DYNAMIC_TYPE_OPENSSL)); + ExpectNotNull(cn = X509_NAME_oneline(name, cn, (int)cnSz)); + /* compare and don't include the multi-attrib "/OU=OU1/OU=OU2" above */ + ExpectIntEQ(0, XSTRNCMP(cn, dCert.issuer, XSTRLEN(dCert.issuer))); + XFREE(cn, HEAP_HINT, DYNAMIC_TYPE_OPENSSL); + cn = NULL; + + FreeDecodedCert(&dCert); + + /* Test invalid parameters */ + ExpectIntEQ(X509_sign(NULL, priv, 
EVP_sha256()), 0); + ExpectIntEQ(X509_sign(x509, NULL, EVP_sha256()), 0); + ExpectIntEQ(X509_sign(x509, priv, NULL), 0); + + ExpectIntEQ(X509_sign_ctx(NULL, mctx), 0); + EVP_MD_CTX_free(mctx); + mctx = NULL; + ExpectNotNull(mctx = EVP_MD_CTX_new()); + ExpectIntEQ(X509_sign_ctx(x509, mctx), 0); + ExpectIntEQ(X509_sign_ctx(x509, NULL), 0); + + /* test invalid version number */ +#if defined(OPENSSL_ALL) + ExpectIntNE(X509_set_version(x509, 6L), 0); + ExpectIntGT(X509_sign(x509, priv, EVP_sha256()), 0); + + /* uses ParseCert which fails on bad version number */ + ExpectIntEQ(X509_get_ext_count(x509), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); +#endif + + EVP_MD_CTX_free(mctx); + EVP_PKEY_free(priv); + EVP_PKEY_free(pub); + X509_free(x509); + X509_free(ca); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_X509_sign2(void) +{ + EXPECT_DECLS; + /* test requires WOLFSSL_AKID_NAME to match expected output */ +#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_CERTS) && \ + defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_ALT_NAMES) && \ + defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_AKID_NAME) && \ + (defined(WOLFSSL_QT) || defined(OPENSSL_ALL) || \ + defined(WOLFSSL_IP_ALT_NAME)) + WOLFSSL_X509 *x509 = NULL; + WOLFSSL_X509 *ca = NULL; + const unsigned char *der = NULL; + const unsigned char *pt = NULL; + WOLFSSL_EVP_PKEY *priv = NULL; + WOLFSSL_X509_NAME *name = NULL; + int derSz; +#ifndef NO_ASN_TIME + WOLFSSL_ASN1_TIME *notBefore = NULL; + WOLFSSL_ASN1_TIME *notAfter = NULL; + + const int year = 365*24*60*60; + const int day = 24*60*60; + const int hour = 60*60; + const int mini = 60; + time_t t; +#endif + + const unsigned char expected[] = { + 0x30, 0x82, 0x05, 0x13, 0x30, 0x82, 0x03, 0xFB, 0xA0, 0x03, 0x02, 0x01, + 0x02, 0x02, 0x14, 0x6B, 0x61, 0x49, 0x45, 0xFF, 0x4A, 0xD1, 0x54, 0x16, + 0xB4, 0x35, 0x37, 0xC4, 0x98, 0x5D, 0xA9, 0xF6, 0x67, 0x60, 0x91, 0x30, + 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, + 0x05, 0x00, 0x30, 0x81, 0x94, 
0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, + 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, + 0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61, + 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, 0x07, 0x42, + 0x6F, 0x7A, 0x65, 0x6D, 0x61, 0x6E, 0x31, 0x11, 0x30, 0x0F, 0x06, 0x03, + 0x55, 0x04, 0x0A, 0x0C, 0x08, 0x53, 0x61, 0x77, 0x74, 0x6F, 0x6F, 0x74, + 0x68, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x0A, + 0x43, 0x6F, 0x6E, 0x73, 0x75, 0x6C, 0x74, 0x69, 0x6E, 0x67, 0x31, 0x18, + 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77, 0x77, 0x77, + 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, + 0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, + 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, + 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x30, 0x1E, 0x17, + 0x0D, 0x30, 0x30, 0x30, 0x32, 0x31, 0x35, 0x32, 0x30, 0x33, 0x30, 0x30, + 0x30, 0x5A, 0x17, 0x0D, 0x30, 0x31, 0x30, 0x32, 0x31, 0x34, 0x32, 0x30, + 0x33, 0x30, 0x30, 0x30, 0x5A, 0x30, 0x81, 0x9E, 0x31, 0x0B, 0x30, 0x09, + 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, + 0x0E, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74, + 0x61, 0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, + 0x0C, 0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D, 0x61, 0x6E, 0x31, 0x15, 0x30, + 0x13, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x0C, 0x77, 0x6F, 0x6C, 0x66, + 0x53, 0x53, 0x4C, 0x5F, 0x32, 0x30, 0x34, 0x38, 0x31, 0x19, 0x30, 0x17, + 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x10, 0x50, 0x72, 0x6F, 0x67, 0x72, + 0x61, 0x6D, 0x6D, 0x69, 0x6E, 0x67, 0x2D, 0x32, 0x30, 0x34, 0x38, 0x31, + 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77, 0x77, + 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, + 0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, + 0x0D, 0x01, 0x09, 0x01, 0x16, 
0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, + 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x30, 0x82, + 0x01, 0x22, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, + 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0F, 0x00, 0x30, 0x82, + 0x01, 0x0A, 0x02, 0x82, 0x01, 0x01, 0x00, 0xC3, 0x03, 0xD1, 0x2B, 0xFE, + 0x39, 0xA4, 0x32, 0x45, 0x3B, 0x53, 0xC8, 0x84, 0x2B, 0x2A, 0x7C, 0x74, + 0x9A, 0xBD, 0xAA, 0x2A, 0x52, 0x07, 0x47, 0xD6, 0xA6, 0x36, 0xB2, 0x07, + 0x32, 0x8E, 0xD0, 0xBA, 0x69, 0x7B, 0xC6, 0xC3, 0x44, 0x9E, 0xD4, 0x81, + 0x48, 0xFD, 0x2D, 0x68, 0xA2, 0x8B, 0x67, 0xBB, 0xA1, 0x75, 0xC8, 0x36, + 0x2C, 0x4A, 0xD2, 0x1B, 0xF7, 0x8B, 0xBA, 0xCF, 0x0D, 0xF9, 0xEF, 0xEC, + 0xF1, 0x81, 0x1E, 0x7B, 0x9B, 0x03, 0x47, 0x9A, 0xBF, 0x65, 0xCC, 0x7F, + 0x65, 0x24, 0x69, 0xA6, 0xE8, 0x14, 0x89, 0x5B, 0xE4, 0x34, 0xF7, 0xC5, + 0xB0, 0x14, 0x93, 0xF5, 0x67, 0x7B, 0x3A, 0x7A, 0x78, 0xE1, 0x01, 0x56, + 0x56, 0x91, 0xA6, 0x13, 0x42, 0x8D, 0xD2, 0x3C, 0x40, 0x9C, 0x4C, 0xEF, + 0xD1, 0x86, 0xDF, 0x37, 0x51, 0x1B, 0x0C, 0xA1, 0x3B, 0xF5, 0xF1, 0xA3, + 0x4A, 0x35, 0xE4, 0xE1, 0xCE, 0x96, 0xDF, 0x1B, 0x7E, 0xBF, 0x4E, 0x97, + 0xD0, 0x10, 0xE8, 0xA8, 0x08, 0x30, 0x81, 0xAF, 0x20, 0x0B, 0x43, 0x14, + 0xC5, 0x74, 0x67, 0xB4, 0x32, 0x82, 0x6F, 0x8D, 0x86, 0xC2, 0x88, 0x40, + 0x99, 0x36, 0x83, 0xBA, 0x1E, 0x40, 0x72, 0x22, 0x17, 0xD7, 0x52, 0x65, + 0x24, 0x73, 0xB0, 0xCE, 0xEF, 0x19, 0xCD, 0xAE, 0xFF, 0x78, 0x6C, 0x7B, + 0xC0, 0x12, 0x03, 0xD4, 0x4E, 0x72, 0x0D, 0x50, 0x6D, 0x3B, 0xA3, 0x3B, + 0xA3, 0x99, 0x5E, 0x9D, 0xC8, 0xD9, 0x0C, 0x85, 0xB3, 0xD9, 0x8A, 0xD9, + 0x54, 0x26, 0xDB, 0x6D, 0xFA, 0xAC, 0xBB, 0xFF, 0x25, 0x4C, 0xC4, 0xD1, + 0x79, 0xF4, 0x71, 0xD3, 0x86, 0x40, 0x18, 0x13, 0xB0, 0x63, 0xB5, 0x72, + 0x4E, 0x30, 0xC4, 0x97, 0x84, 0x86, 0x2D, 0x56, 0x2F, 0xD7, 0x15, 0xF7, + 0x7F, 0xC0, 0xAE, 0xF5, 0xFC, 0x5B, 0xE5, 0xFB, 0xA1, 0xBA, 0xD3, 0x02, + 0x03, 0x01, 0x00, 0x01, 0xA3, 0x82, 0x01, 0x4F, 0x30, 0x82, 0x01, 0x4B, + 0x30, 0x0C, 0x06, 0x03, 0x55, 
0x1D, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, + 0x01, 0xFF, 0x30, 0x1C, 0x06, 0x03, 0x55, 0x1D, 0x11, 0x04, 0x15, 0x30, + 0x13, 0x82, 0x0B, 0x65, 0x78, 0x61, 0x6D, 0x70, 0x6C, 0x65, 0x2E, 0x63, + 0x6F, 0x6D, 0x87, 0x04, 0x7F, 0x00, 0x00, 0x01, 0x30, 0x1D, 0x06, 0x03, + 0x55, 0x1D, 0x0E, 0x04, 0x16, 0x04, 0x14, 0x33, 0xD8, 0x45, 0x66, 0xD7, + 0x68, 0x87, 0x18, 0x7E, 0x54, 0x0D, 0x70, 0x27, 0x91, 0xC7, 0x26, 0xD7, + 0x85, 0x65, 0xC0, 0x30, 0x81, 0xDE, 0x06, 0x03, 0x55, 0x1D, 0x23, 0x04, + 0x81, 0xD6, 0x30, 0x81, 0xD3, 0x80, 0x14, 0x33, 0xD8, 0x45, 0x66, 0xD7, + 0x68, 0x87, 0x18, 0x7E, 0x54, 0x0D, 0x70, 0x27, 0x91, 0xC7, 0x26, 0xD7, + 0x85, 0x65, 0xC0, 0xA1, 0x81, 0xA4, 0xA4, 0x81, 0xA1, 0x30, 0x81, 0x9E, + 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, + 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x07, + 0x4D, 0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E, 0x06, + 0x03, 0x55, 0x04, 0x07, 0x0C, 0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D, 0x61, + 0x6E, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x0C, + 0x77, 0x6F, 0x6C, 0x66, 0x53, 0x53, 0x4C, 0x5F, 0x32, 0x30, 0x34, 0x38, + 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x10, 0x50, + 0x72, 0x6F, 0x67, 0x72, 0x61, 0x6D, 0x6D, 0x69, 0x6E, 0x67, 0x2D, 0x32, + 0x30, 0x34, 0x38, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, + 0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, + 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, + 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, + 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, + 0x6F, 0x6D, 0x82, 0x14, 0x6B, 0x61, 0x49, 0x45, 0xFF, 0x4A, 0xD1, 0x54, + 0x16, 0xB4, 0x35, 0x37, 0xC4, 0x98, 0x5D, 0xA9, 0xF6, 0x67, 0x60, 0x91, + 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x25, 0x04, 0x16, 0x30, 0x14, 0x06, + 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01, 0x06, 0x08, 0x2B, + 0x06, 0x01, 0x05, 0x05, 0x07, 
0x03, 0x02, 0x30, 0x0D, 0x06, 0x09, 0x2A, + 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x03, 0x82, + 0x01, 0x01, 0x00, 0x2F, 0x9F, 0x83, 0x05, 0x15, 0x1E, 0x5D, 0x7C, 0x22, + 0x12, 0x20, 0xEE, 0x07, 0x35, 0x25, 0x39, 0xDD, 0x34, 0x06, 0xD3, 0x89, + 0x31, 0x51, 0x8B, 0x9A, 0xE5, 0xE8, 0x60, 0x30, 0x07, 0x7A, 0xBB, 0x17, + 0xB9, 0x54, 0x72, 0x83, 0xA2, 0x1F, 0x62, 0xE0, 0x18, 0xAC, 0x93, 0x5E, + 0x63, 0xC7, 0xDD, 0x12, 0x58, 0x96, 0xC7, 0x90, 0x8B, 0x12, 0x50, 0xD2, + 0x60, 0x0E, 0x24, 0x07, 0x53, 0x55, 0xD7, 0x8E, 0xC9, 0x56, 0x12, 0x28, + 0xD8, 0xFD, 0x47, 0xE3, 0x13, 0xFB, 0x3C, 0xD6, 0x3D, 0x82, 0x09, 0x7E, + 0x10, 0x19, 0xE1, 0xCD, 0xCC, 0x4C, 0x78, 0xDF, 0xE5, 0xFB, 0x2C, 0x8C, + 0x88, 0xF7, 0x5B, 0x99, 0x93, 0xC6, 0xC7, 0x22, 0xA5, 0xFA, 0x76, 0x6C, + 0xE9, 0xBC, 0x69, 0xBA, 0x02, 0x82, 0x18, 0xAF, 0x47, 0xD0, 0x9C, 0x5F, + 0xED, 0xAE, 0x5A, 0x95, 0x59, 0x78, 0x86, 0x24, 0x22, 0xB6, 0x81, 0x03, + 0x58, 0x9A, 0x14, 0x93, 0xDC, 0x24, 0x58, 0xF3, 0xD2, 0x6C, 0x8E, 0xD2, + 0x6D, 0x8B, 0xE8, 0x4E, 0xC6, 0xA0, 0x2B, 0x0D, 0xDB, 0x1A, 0x76, 0x28, + 0xA9, 0x8D, 0xFB, 0x51, 0xA6, 0xF0, 0x82, 0x30, 0xEE, 0x78, 0x1C, 0x71, + 0xA8, 0x11, 0x8A, 0xA5, 0xC3, 0x91, 0xAB, 0x9A, 0x46, 0xFF, 0x8D, 0xCD, + 0x82, 0x3F, 0x5D, 0xB6, 0x28, 0x46, 0x6D, 0x66, 0xE2, 0xEE, 0x1E, 0x82, + 0x0D, 0x1A, 0x74, 0x87, 0xFB, 0xFD, 0x96, 0x26, 0x50, 0x09, 0xEC, 0xA7, + 0x73, 0x89, 0x43, 0x3B, 0x42, 0x2D, 0xA9, 0x6B, 0x0F, 0x61, 0x81, 0x97, + 0x11, 0x71, 0xF9, 0xDB, 0x9B, 0x69, 0x4B, 0x6E, 0xD3, 0x7D, 0xDA, 0xC6, + 0x61, 0x9F, 0x39, 0x87, 0x53, 0x52, 0xA8, 0x4D, 0xAD, 0x80, 0x29, 0x6C, + 0x19, 0xF0, 0x8D, 0xB1, 0x0D, 0x4E, 0xFB, 0x1B, 0xB7, 0xF1, 0x85, 0x49, + 0x08, 0x2A, 0x94, 0xD0, 0x4E, 0x0B, 0x8F + }; + + pt = ca_key_der_2048; + ExpectNotNull(priv = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL, &pt, + sizeof_ca_key_der_2048)); + + pt = client_cert_der_2048; + ExpectNotNull(x509 = wolfSSL_d2i_X509(NULL, &pt, + sizeof_client_cert_der_2048)); + + pt = ca_cert_der_2048; + 
ExpectNotNull(ca = wolfSSL_d2i_X509(NULL, &pt, sizeof_ca_cert_der_2048)); + ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca)); + ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS); + +#ifndef NO_ASN_TIME + t = (time_t)30 * year + 45 * day + 20 * hour + 30 * mini + 7 * day; + ExpectNotNull(notBefore = wolfSSL_ASN1_TIME_adj(NULL, t, 0, 0)); + ExpectNotNull(notAfter = wolfSSL_ASN1_TIME_adj(NULL, t, 365, 0)); + ExpectIntEQ(notAfter->length, 13); + + ExpectTrue(wolfSSL_X509_set_notBefore(x509, notBefore)); + ExpectTrue(wolfSSL_X509_set1_notBefore(x509, notBefore)); + ExpectTrue(wolfSSL_X509_set_notAfter(x509, notAfter)); + ExpectTrue(wolfSSL_X509_set1_notAfter(x509, notAfter)); +#endif + + ExpectNull(wolfSSL_X509_notBefore(NULL)); + ExpectNotNull(wolfSSL_X509_notBefore(x509)); + ExpectNull(wolfSSL_X509_notAfter(NULL)); + ExpectNotNull(wolfSSL_X509_notAfter(x509)); + + ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); + ExpectNotNull((der = wolfSSL_X509_get_der(x509, &derSz))); + + ExpectIntEQ(derSz, sizeof(expected)); +#ifndef NO_ASN_TIME + ExpectIntEQ(XMEMCMP(der, expected, derSz), 0); +#endif + wolfSSL_X509_free(ca); + wolfSSL_X509_free(x509); + wolfSSL_EVP_PKEY_free(priv); +#ifndef NO_ASN_TIME + wolfSSL_ASN1_TIME_free(notBefore); + wolfSSL_ASN1_TIME_free(notAfter); +#endif +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_make_cert(void) +{ + EXPECT_DECLS; +#if !defined(NO_RSA) && !defined(NO_ASN_TIME) && defined(WOLFSSL_CERT_GEN) && \ + defined(WOLFSSL_CERT_EXT) + int ret = 0; + Cert cert; + CertName name; + RsaKey key; + WC_RNG rng; + byte der[FOURK_BUF]; + word32 idx = 0; + const byte mySerial[8] = {1,2,3,4,5,6,7,8}; + +#ifdef OPENSSL_EXTRA + const unsigned char* pt = NULL; + int certSz = 0; + X509* x509 = NULL; + X509_NAME* x509name = NULL; + X509_NAME_ENTRY* entry = NULL; + ASN1_STRING* entryValue = NULL; +#endif + + XMEMSET(&name, 0, sizeof(CertName)); + + /* set up cert name */ + XMEMCPY(name.country, "US", 
sizeof("US")); + name.countryEnc = CTC_PRINTABLE; + XMEMCPY(name.state, "Oregon", sizeof("Oregon")); + name.stateEnc = CTC_UTF8; + XMEMCPY(name.locality, "Portland", sizeof("Portland")); + name.localityEnc = CTC_UTF8; + XMEMCPY(name.sur, "Test", sizeof("Test")); + name.surEnc = CTC_UTF8; + XMEMCPY(name.org, "wolfSSL", sizeof("wolfSSL")); + name.orgEnc = CTC_UTF8; + XMEMCPY(name.unit, "Development", sizeof("Development")); + name.unitEnc = CTC_UTF8; + XMEMCPY(name.commonName, "www.wolfssl.com", sizeof("www.wolfssl.com")); + name.commonNameEnc = CTC_UTF8; + XMEMCPY(name.serialDev, "wolfSSL12345", sizeof("wolfSSL12345")); + name.serialDevEnc = CTC_PRINTABLE; + XMEMCPY(name.userId, "TestUserID", sizeof("TestUserID")); + name.userIdEnc = CTC_PRINTABLE; +#ifdef WOLFSSL_MULTI_ATTRIB + #if CTC_MAX_ATTRIB > 2 + { + NameAttrib* n; + n = &name.name[0]; + n->id = ASN_DOMAIN_COMPONENT; + n->type = CTC_UTF8; + n->sz = sizeof("com"); + XMEMCPY(n->value, "com", sizeof("com")); + + n = &name.name[1]; + n->id = ASN_DOMAIN_COMPONENT; + n->type = CTC_UTF8; + n->sz = sizeof("wolfssl"); + XMEMCPY(n->value, "wolfssl", sizeof("wolfssl")); + } + #endif +#endif /* WOLFSSL_MULTI_ATTRIB */ + + ExpectIntEQ(wc_InitRsaKey(&key, HEAP_HINT), 0); +#ifndef HAVE_FIPS + ExpectIntEQ(wc_InitRng_ex(&rng, HEAP_HINT, testDevId), 0); +#else + ExpectIntEQ(wc_InitRng(&rng), 0); +#endif + + /* load test RSA key */ + idx = 0; +#if defined(USE_CERT_BUFFERS_1024) + ExpectIntEQ(wc_RsaPrivateKeyDecode(server_key_der_1024, &idx, &key, + sizeof_server_key_der_1024), 0); +#elif defined(USE_CERT_BUFFERS_2048) + ExpectIntEQ(wc_RsaPrivateKeyDecode(server_key_der_2048, &idx, &key, + sizeof_server_key_der_2048), 0); +#else + /* error case, no RSA key loaded, happens later */ + (void)idx; +#endif + + XMEMSET(&cert, 0 , sizeof(Cert)); + ExpectIntEQ(wc_InitCert(&cert), 0); + + XMEMCPY(&cert.subject, &name, sizeof(CertName)); + XMEMCPY(cert.serial, mySerial, sizeof(mySerial)); + cert.serialSz = (int)sizeof(mySerial); + 
cert.isCA = 1; +#ifndef NO_SHA256 + cert.sigType = CTC_SHA256wRSA; +#else + cert.sigType = CTC_SHAwRSA; +#endif + + /* add SKID from the Public Key */ + ExpectIntEQ(wc_SetSubjectKeyIdFromPublicKey(&cert, &key, NULL), 0); + + /* add AKID from the Public Key */ + ExpectIntEQ(wc_SetAuthKeyIdFromPublicKey(&cert, &key, NULL), 0); + + ret = 0; + do { +#if defined(WOLFSSL_ASYNC_CRYPT) + ret = wc_AsyncWait(ret, &key.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN); +#endif + if (ret >= 0) { + ret = wc_MakeSelfCert(&cert, der, FOURK_BUF, &key, &rng); + } + } while (ret == WC_NO_ERR_TRACE(WC_PENDING_E)); + ExpectIntGT(ret, 0); + +#ifdef OPENSSL_EXTRA + /* der holds a certificate with DC's now check X509 parsing of it */ + certSz = ret; + pt = der; + ExpectNotNull(x509 = d2i_X509(NULL, &pt, certSz)); + ExpectNotNull(x509name = X509_get_subject_name(x509)); +#ifdef WOLFSSL_MULTI_ATTRIB + ExpectIntEQ((idx = X509_NAME_get_index_by_NID(x509name, NID_domainComponent, + -1)), 5); + ExpectIntEQ((idx = X509_NAME_get_index_by_NID(x509name, NID_domainComponent, + (int)idx)), 6); + ExpectIntEQ((idx = X509_NAME_get_index_by_NID(x509name, NID_domainComponent, + (int)idx)), -1); +#endif /* WOLFSSL_MULTI_ATTRIB */ + + /* compare DN at index 0 */ + ExpectNotNull(entry = X509_NAME_get_entry(x509name, 0)); + ExpectNotNull(entryValue = X509_NAME_ENTRY_get_data(entry)); + ExpectIntEQ(ASN1_STRING_length(entryValue), 2); + ExpectStrEQ((const char*)ASN1_STRING_data(entryValue), "US"); + +#ifndef WOLFSSL_MULTI_ATTRIB + /* compare Serial Number */ + ExpectIntEQ((idx = X509_NAME_get_index_by_NID(x509name, NID_serialNumber, + -1)), 7); + ExpectNotNull(entry = X509_NAME_get_entry(x509name, idx)); + ExpectNotNull(entryValue = X509_NAME_ENTRY_get_data(entry)); + ExpectIntEQ(ASN1_STRING_length(entryValue), XSTRLEN("wolfSSL12345")); + ExpectStrEQ((const char*)ASN1_STRING_data(entryValue), "wolfSSL12345"); +#endif + +#ifdef WOLFSSL_MULTI_ATTRIB + /* get first and second DC and compare result */ + ExpectIntEQ((idx = 
X509_NAME_get_index_by_NID(x509name, NID_domainComponent, + -1)), 5); + ExpectNotNull(entry = X509_NAME_get_entry(x509name, (int)idx)); + ExpectNotNull(entryValue = X509_NAME_ENTRY_get_data(entry)); + ExpectStrEQ((const char *)ASN1_STRING_data(entryValue), "com"); + + ExpectIntEQ((idx = X509_NAME_get_index_by_NID(x509name, NID_domainComponent, + (int)idx)), 6); + ExpectNotNull(entry = X509_NAME_get_entry(x509name, (int)idx)); + ExpectNotNull(entryValue = X509_NAME_ENTRY_get_data(entry)); + ExpectStrEQ((const char *)ASN1_STRING_data(entryValue), "wolfssl"); +#endif /* WOLFSSL_MULTI_ATTRIB */ + + ExpectNull(X509_NAME_get_entry(NULL, 0)); + /* try invalid index locations for regression test and sanity check */ + ExpectNull(X509_NAME_get_entry(x509name, 11)); + ExpectNull(X509_NAME_get_entry(x509name, 20)); + + X509_free(x509); +#endif /* OPENSSL_EXTRA */ + + wc_FreeRsaKey(&key); + wc_FreeRng(&rng); +#endif + return EXPECT_RESULT(); +} + + diff --git a/tests/api/test_ossl_x509_crypto.h b/tests/api/test_ossl_x509_crypto.h new file mode 100644 index 00000000000..68fd391081d --- /dev/null +++ b/tests/api/test_ossl_x509_crypto.h 
@@ -0,0 +1,40 @@
+/* test_ossl_x509_crypto.h
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#ifndef WOLFCRYPT_TEST_OSSL_X509_CRYPTO_H
+#define WOLFCRYPT_TEST_OSSL_X509_CRYPTO_H
+
+#include
+
+int test_wolfSSL_X509_check_private_key(void);
+int test_wolfSSL_X509_verify(void);
+int test_wolfSSL_X509_sign(void);
+int test_wolfSSL_X509_sign2(void);
+int test_wolfSSL_make_cert(void);
+
+#define TEST_OSSL_X509_CRYPTO_DECLS \
+ TEST_DECL_GROUP("ossl_x509_crypto", test_wolfSSL_X509_check_private_key), \
+ TEST_DECL_GROUP("ossl_x509_crypto", test_wolfSSL_X509_verify), \
+ TEST_DECL_GROUP("ossl_x509_crypto", test_wolfSSL_X509_sign), \
+ TEST_DECL_GROUP("ossl_x509_crypto", test_wolfSSL_X509_sign2), \
+ TEST_DECL_GROUP("ossl_x509_crypto", test_wolfSSL_make_cert)
+
+#endif /* WOLFCRYPT_TEST_OSSL_X509_CRYPTO_H */
diff --git a/tests/api/test_ossl_x509_ext.c b/tests/api/test_ossl_x509_ext.c
new file mode 100644
index 00000000000..0a12186507e
--- /dev/null
+++ b/tests/api/test_ossl_x509_ext.c
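Review bot: The prototypes carry no note of the build options each test depends on, although the bodies visible in this diff (test_wolfSSL_make_cert and the tail of test_wolfSSL_X509_sign2) fall straight through to `return EXPECT_RESULT();` when their guard is not met — test_wolfSSL_make_cert is wrapped in `#if !defined(NO_RSA) && !defined(NO_ASN_TIME) && defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_EXT)`. A one-line comment above each prototype, e.g. `/* Needs WOLFSSL_CERT_GEN + WOLFSSL_CERT_EXT, RSA and ASN time; otherwise runs no checks. */` for test_wolfSSL_make_cert, would let someone reading TEST_OSSL_X509_CRYPTO_DECLS know which entries are expected to exercise anything in a given configuration without opening the .c file.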
@@ -0,0 +1,1551 @@
+/* test_ossl_x509_ext.c
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#include
+
+#ifdef NO_INLINE
+ #include
+#else
+ #define WOLFSSL_MISC_INCLUDED
+ #include
+#endif
+
+#include
+#include
+#include
+#ifdef OPENSSL_EXTRA
+ #include
+#endif
+#include
+#include
+
+
+int test_wolfSSL_X509_get_extension_flags(void)
+{
+ EXPECT_DECLS;
+#if defined(OPENSSL_ALL) && !defined(NO_RSA)
+ XFILE f = XBADFILE;
+ X509* x509 = NULL;
+ unsigned int extFlags;
+ unsigned int keyUsageFlags;
+ unsigned int extKeyUsageFlags;
+
+ ExpectIntEQ(X509_get_extension_flags(NULL), 0);
+ ExpectIntEQ(X509_get_key_usage(NULL), 0);
+ ExpectIntEQ(X509_get_extended_key_usage(NULL), 0);
+ ExpectNotNull(x509 = wolfSSL_X509_new());
+ ExpectIntEQ(X509_get_extension_flags(x509), 0);
+ ExpectIntEQ(X509_get_key_usage(x509), -1);
+ ExpectIntEQ(X509_get_extended_key_usage(x509), 0);
+ wolfSSL_X509_free(x509);
+ x509 = NULL;
+
+ /* client-int-cert.pem has the following extension flags. */
+ extFlags = EXFLAG_KUSAGE | EXFLAG_XKUSAGE;
+ /* and the following key usage flags. */
+ keyUsageFlags = KU_DIGITAL_SIGNATURE
+ | KU_NON_REPUDIATION
+ | KU_KEY_ENCIPHERMENT;
+ /* and the following extended key usage flags. */
+ extKeyUsageFlags = XKU_SSL_CLIENT | XKU_SMIME;
+
+ ExpectTrue((f = XFOPEN("./certs/intermediate/client-int-cert.pem", "rb")) !=
+ XBADFILE);
+ ExpectNotNull(x509 = PEM_read_X509(f, NULL, NULL, NULL));
+ if (f != XBADFILE) {
+ XFCLOSE(f);
+ f = XBADFILE;
+ }
+ ExpectIntEQ(X509_get_extension_flags(x509), extFlags);
+ ExpectIntEQ(X509_get_key_usage(x509), keyUsageFlags);
+ ExpectIntEQ(X509_get_extended_key_usage(x509), extKeyUsageFlags);
+ X509_free(x509);
+ x509 = NULL;
+
+ /* client-cert-ext.pem has the following extension flags. */
+ extFlags = EXFLAG_KUSAGE;
+ /* and the following key usage flags. */
+ keyUsageFlags = KU_DIGITAL_SIGNATURE
+ | KU_KEY_CERT_SIGN
+ | KU_CRL_SIGN;
+
+ ExpectTrue((f = fopen("./certs/client-cert-ext.pem", "rb")) != XBADFILE);
+ ExpectNotNull(x509 = PEM_read_X509(f, NULL, NULL, NULL));
+ if (f != XBADFILE)
+ XFCLOSE(f);
+ ExpectIntEQ(X509_get_extension_flags(x509), extFlags);
+ ExpectIntEQ(X509_get_key_usage(x509), keyUsageFlags);
+ X509_free(x509);
+#endif /* OPENSSL_ALL */
+ return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509_get_ext(void)
+{
+ EXPECT_DECLS;
+#if !defined(NO_FILESYSTEM) && defined(OPENSSL_ALL) && !defined(NO_RSA)
+ int ret = 0;
+ XFILE f = XBADFILE;
+ WOLFSSL_X509* x509 = NULL;
+ WOLFSSL_X509_EXTENSION* foundExtension;
+
+ ExpectTrue((f = XFOPEN("./certs/server-cert.pem", "rb")) != XBADFILE);
+ ExpectNotNull(x509 = wolfSSL_PEM_read_X509(f, NULL, NULL, NULL));
+ if (f != XBADFILE)
+ XFCLOSE(f);
+ ExpectIntEQ((ret = wolfSSL_X509_get_ext_count(x509)), 5);
+
+ /* wolfSSL_X509_get_ext() valid input */
+ ExpectNotNull(foundExtension = wolfSSL_X509_get_ext(x509, 0));
+
+ /* wolfSSL_X509_get_ext() valid x509, idx out of bounds */
+ ExpectNull(foundExtension = wolfSSL_X509_get_ext(x509, -1));
+ ExpectNull(foundExtension = wolfSSL_X509_get_ext(x509, 100));
+
+ /* wolfSSL_X509_get_ext() NULL x509, idx out of bounds */
+ ExpectNull(foundExtension = wolfSSL_X509_get_ext(NULL, -1));
+ ExpectNull(foundExtension = wolfSSL_X509_get_ext(NULL, 100));
+
+ /* wolfSSL_X509_get_ext() NULL x509, valid idx */
+ ExpectNull(foundExtension = wolfSSL_X509_get_ext(NULL, 0));
+
+ ExpectNull(wolfSSL_X509_get0_extensions(NULL));
+
+ wolfSSL_X509_free(x509);
+#endif
+ return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509_get_ext_by_NID(void)
+{
+ EXPECT_DECLS;
+#if defined(OPENSSL_ALL) && !defined(NO_RSA)
+ int rc = 0;
+ XFILE f = XBADFILE;
+ WOLFSSL_X509* x509 = NULL;
+ ASN1_OBJECT* obj = NULL;
+
+ ExpectNotNull(x509 = wolfSSL_X509_new());
+ ExpectIntEQ(wolfSSL_X509_get_ext_by_NID(x509, NID_basic_constraints, -1),
+ WOLFSSL_FATAL_ERROR);
+ wolfSSL_X509_free(x509);
+ x509 = NULL;
+
+ ExpectTrue((f = XFOPEN("./certs/server-cert.pem", "rb")) != XBADFILE);
+ ExpectNotNull(x509 = wolfSSL_PEM_read_X509(f, NULL, NULL, NULL));
+ if (f != XBADFILE)
+ XFCLOSE(f);
+
+ ExpectIntGE(rc = wolfSSL_X509_get_ext_by_NID(x509, NID_basic_constraints,
+ -1), 0);
+ ExpectIntGE(wolfSSL_X509_get_ext_by_NID(x509, NID_basic_constraints, 20),
+ -1);
+
+ /* Start search from last location (should fail) */
+ ExpectIntGE(rc = wolfSSL_X509_get_ext_by_NID(x509, NID_basic_constraints,
+ rc), -1);
+
+ ExpectIntGE(rc = wolfSSL_X509_get_ext_by_NID(x509, NID_basic_constraints,
+ -2), -1);
+
+ ExpectIntEQ(rc = wolfSSL_X509_get_ext_by_NID(NULL, NID_basic_constraints,
+ -1), -1);
+
+ ExpectIntEQ(rc = wolfSSL_X509_get_ext_by_NID(x509, NID_undef, -1), -1);
+
+ /* NID_ext_key_usage, check also its nid and oid */
+ ExpectIntGT(rc = wolfSSL_X509_get_ext_by_NID(x509, NID_ext_key_usage, -1),
+ -1);
+ ExpectNotNull(obj = wolfSSL_X509_EXTENSION_get_object(wolfSSL_X509_get_ext(
+ x509, rc)));
+ ExpectIntEQ(obj->nid, NID_ext_key_usage);
+ ExpectIntEQ(obj->type, EXT_KEY_USAGE_OID);
+
+ wolfSSL_X509_free(x509);
+#endif
+ return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509_get_ext_subj_alt_name(void)
+{
+ EXPECT_DECLS;
+#if defined(OPENSSL_ALL) && !defined(NO_RSA)
+ int rc = 0;
+ XFILE f = XBADFILE;
+ WOLFSSL_X509* x509 = NULL;
+ WOLFSSL_X509_EXTENSION* ext = NULL;
+ WOLFSSL_ASN1_STRING* sanString = NULL;
+ byte* sanDer = NULL;
+
+ const byte expectedDer[] = {
+ 0x30, 0x13, 0x82, 0x0b, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e,
+ 0x63, 0x6f, 0x6d, 0x87, 0x04, 0x7f, 0x00, 0x00, 0x01};
+
+ ExpectTrue((f = XFOPEN("./certs/server-cert.pem", "rb")) != XBADFILE);
+ ExpectNotNull(x509 = PEM_read_X509(f, NULL, NULL, NULL));
+ if (f != XBADFILE)
+ XFCLOSE(f);
+
+ ExpectIntNE(rc = X509_get_ext_by_NID(x509, NID_subject_alt_name, -1), -1);
+ ExpectNotNull(ext = X509_get_ext(x509, rc));
+ ExpectNotNull(sanString = X509_EXTENSION_get_data(ext));
+ ExpectIntEQ(ASN1_STRING_length(sanString), sizeof(expectedDer));
+ ExpectNotNull(sanDer = ASN1_STRING_data(sanString));
+ ExpectIntEQ(XMEMCMP(sanDer, expectedDer, sizeof(expectedDer)), 0);
+
+ X509_free(x509);
+#endif
+ return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509_set_ext(void)
+{
+ EXPECT_DECLS;
+#if defined(OPENSSL_ALL) && !defined(NO_RSA)
+ WOLFSSL_X509* x509 = NULL;
+ XFILE f = XBADFILE;
+ int loc;
+
+ ExpectNull(wolfSSL_X509_set_ext(NULL, 0));
+
+ ExpectNotNull(x509 = wolfSSL_X509_new());
+ /* Location too small. */
+ ExpectNull(wolfSSL_X509_set_ext(x509, -1));
+ /* Location too big. */
+ ExpectNull(wolfSSL_X509_set_ext(x509, 1));
+ /* No DER encoding. */
+ ExpectNull(wolfSSL_X509_set_ext(x509, 0));
+ wolfSSL_X509_free(x509);
+ x509 = NULL;
+
+ ExpectTrue((f = XFOPEN("./certs/server-cert.pem", "rb")) != XBADFILE);
+ ExpectNotNull(x509 = PEM_read_X509(f, NULL, NULL, NULL));
+ if (f != XBADFILE) {
+ XFCLOSE(f);
+ }
+ for (loc = 0; loc < wolfSSL_X509_get_ext_count(x509); loc++) {
+ ExpectNotNull(wolfSSL_X509_set_ext(x509, loc));
+ }
+
+ wolfSSL_X509_free(x509);
+#endif
+ return EXPECT_RESULT();
+}
+
+#if defined(OPENSSL_ALL)
+static int test_X509_add_basic_constraints(WOLFSSL_X509* x509)
+{
+ EXPECT_DECLS;
+ const byte basicConsObj[] = { 0x06, 0x03, 0x55, 0x1d, 0x13 };
+ const byte* p;
+ WOLFSSL_X509_EXTENSION* ext = NULL;
+ WOLFSSL_ASN1_OBJECT* obj = NULL;
+ ASN1_INTEGER* pathLen = NULL;
+
+ p = basicConsObj;
+ ExpectNotNull(obj = wolfSSL_d2i_ASN1_OBJECT(NULL, &p,
+ sizeof(basicConsObj)));
+ if (obj != NULL) {
+ obj->type = NID_basic_constraints;
+ }
+ ExpectNotNull(pathLen = wolfSSL_ASN1_INTEGER_new());
+ if (pathLen != NULL) {
+ pathLen->length = 2;
+ }
+ if (obj != NULL) {
+ obj->ca = 0;
+ }
+ ExpectNotNull(ext = wolfSSL_X509_EXTENSION_new());
+ ExpectIntEQ(wolfSSL_X509_EXTENSION_set_object(ext, obj), WOLFSSL_SUCCESS);
+ if (ext != NULL && ext->obj != NULL) {
+ ext->obj->ca = 0;
+ ext->obj->pathlen = pathLen;
+ }
+ ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, -1), WOLFSSL_SUCCESS);
+ ExpectIntEQ(x509->isCa, 0);
+ ExpectIntEQ(x509->pathLength, 2);
+ if (ext != NULL && ext->obj != NULL) {
+ /* Add second time to without path length. */
+ ext->obj->ca = 1;
+ ext->obj->pathlen = NULL;
+ }
+ ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, -1), WOLFSSL_SUCCESS);
+ ExpectIntEQ(x509->isCa, 1);
+ ExpectIntEQ(x509->pathLength, 2);
+ ExpectIntEQ(wolfSSL_X509_get_isSet_pathLength(NULL), 0);
+ ExpectIntEQ(wolfSSL_X509_get_isSet_pathLength(x509), 1);
+ ExpectIntEQ(wolfSSL_X509_get_pathLength(NULL), 0);
+ ExpectIntEQ(wolfSSL_X509_get_pathLength(x509), 2);
+
+ wolfSSL_ASN1_INTEGER_free(pathLen);
+ wolfSSL_ASN1_OBJECT_free(obj);
+ wolfSSL_X509_EXTENSION_free(ext);
+
+ return EXPECT_RESULT();
+}
+
+static int test_X509_add_key_usage(WOLFSSL_X509* x509)
+{
+ EXPECT_DECLS;
+ const byte objData[] = { 0x06, 0x03, 0x55, 0x1d, 0x0f };
+ const byte data[] = { 0x04, 0x02, 0x01, 0x80 };
+ const byte emptyData[] = { 0x04, 0x00 };
+ const char* strData = "digitalSignature,keyCertSign";
+ const byte* p;
+ WOLFSSL_X509_EXTENSION* ext = NULL;
+ WOLFSSL_ASN1_OBJECT* obj = NULL;
+ WOLFSSL_ASN1_STRING* str = NULL;
+
+ p = objData;
+ ExpectNotNull(obj = wolfSSL_d2i_ASN1_OBJECT(NULL, &p, sizeof(objData)));
+ if (obj != NULL) {
+ obj->type = NID_key_usage;
+ }
+ p = data;
+ ExpectNotNull(str = d2i_ASN1_OCTET_STRING(NULL, &p, (long)sizeof(data)));
+ ExpectNotNull(ext = wolfSSL_X509_EXTENSION_new());
+ ExpectIntEQ(wolfSSL_X509_EXTENSION_set_object(ext, obj), WOLFSSL_SUCCESS);
+ /* No Data - no change. */
+ ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, -1), WOLFSSL_SUCCESS);
+ ExpectIntEQ(wolfSSL_X509_EXTENSION_set_data(ext, str), WOLFSSL_SUCCESS);
+ ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, -1), WOLFSSL_SUCCESS);
+ ExpectIntEQ(x509->keyUsage, KEYUSE_DECIPHER_ONLY | KEYUSE_ENCIPHER_ONLY);
+
+ /* Add second time with string to interpret. */
+ wolfSSL_ASN1_STRING_free(str);
+ str = NULL;
+ ExpectNotNull(str = wolfSSL_ASN1_STRING_new());
+ ExpectIntEQ(ASN1_STRING_set(str, strData, (word32)XSTRLEN(strData) + 1),
+ WOLFSSL_SUCCESS);
+ ExpectIntEQ(wolfSSL_X509_EXTENSION_set_data(ext, str), WOLFSSL_SUCCESS);
+ ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, -1), WOLFSSL_SUCCESS);
+ ExpectIntEQ(x509->keyUsage, KEYUSE_DIGITAL_SIG | KEYUSE_KEY_CERT_SIGN);
+
+ /* Empty data. */
+ wolfSSL_ASN1_STRING_free(str);
+ str = NULL;
+ p = emptyData;
+ ExpectNotNull(str = d2i_ASN1_OCTET_STRING(NULL, &p,
+ (long)sizeof(emptyData)));
+ ExpectIntEQ(wolfSSL_X509_EXTENSION_set_data(ext, str), WOLFSSL_SUCCESS);
+ ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, -1), WOLFSSL_FAILURE);
+
+ /* Invalid string to parse. */
+ wolfSSL_ASN1_STRING_free(str);
+ str = NULL;
+ ExpectNotNull(str = wolfSSL_ASN1_STRING_new());
+ ExpectIntEQ(ASN1_STRING_set(str, "bad", 4), WOLFSSL_SUCCESS);
+ ExpectIntEQ(wolfSSL_X509_EXTENSION_set_data(ext, str), WOLFSSL_SUCCESS);
+ ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, -1), WOLFSSL_FAILURE);
+
+ wolfSSL_ASN1_STRING_free(str);
+ wolfSSL_ASN1_OBJECT_free(obj);
+ wolfSSL_X509_EXTENSION_free(ext);
+
+ return EXPECT_RESULT();
+}
+
+static int test_X509_add_ext_key_usage(WOLFSSL_X509* x509)
+{
+ EXPECT_DECLS;
+ const byte objData[] = { 0x06, 0x03, 0x55, 0x1d, 0x25 };
+ const byte data[] = { 0x04, 0x01, 0x01 };
+ const byte emptyData[] = { 0x04, 0x00 };
+ const char* strData = "serverAuth,codeSigning";
+ const byte* p;
+ WOLFSSL_X509_EXTENSION* ext = NULL;
+ WOLFSSL_ASN1_OBJECT* obj = NULL;
+ WOLFSSL_ASN1_STRING* str = NULL;
+
+ p = objData;
+ ExpectNotNull(obj = wolfSSL_d2i_ASN1_OBJECT(NULL, &p, sizeof(objData)));
+ if (obj != NULL) {
+ obj->type = NID_ext_key_usage;
+ }
+ p = data;
+ ExpectNotNull(str = d2i_ASN1_OCTET_STRING(NULL, &p, (long)sizeof(data)));
+ ExpectNotNull(ext = wolfSSL_X509_EXTENSION_new());
+ ExpectIntEQ(wolfSSL_X509_EXTENSION_set_object(ext, obj), WOLFSSL_SUCCESS);
+ /* No Data - no change. */
+ ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, -1), WOLFSSL_SUCCESS);
+ ExpectIntEQ(wolfSSL_X509_EXTENSION_set_data(ext, str), WOLFSSL_SUCCESS);
+ ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, -1), WOLFSSL_SUCCESS);
+ ExpectIntEQ(x509->extKeyUsage, EXTKEYUSE_ANY);
+
+ /* Add second time with string to interpret. */
+ wolfSSL_ASN1_STRING_free(str);
+ str = NULL;
+ ExpectNotNull(str = wolfSSL_ASN1_STRING_new());
+ ExpectIntEQ(ASN1_STRING_set(str, strData, (word32)XSTRLEN(strData) + 1),
+ WOLFSSL_SUCCESS);
+ ExpectIntEQ(wolfSSL_X509_EXTENSION_set_data(ext, str), WOLFSSL_SUCCESS);
+ ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, -1), WOLFSSL_SUCCESS);
+ ExpectIntEQ(x509->extKeyUsage, EXTKEYUSE_SERVER_AUTH | EXTKEYUSE_CODESIGN);
+
+ /* Empty data. */
+ wolfSSL_ASN1_STRING_free(str);
+ str = NULL;
+ p = emptyData;
+ ExpectNotNull(str = d2i_ASN1_OCTET_STRING(NULL, &p,
+ (long)sizeof(emptyData)));
+ ExpectIntEQ(wolfSSL_X509_EXTENSION_set_data(ext, str), WOLFSSL_SUCCESS);
+ ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, -1), WOLFSSL_FAILURE);
+
+ /* Invalid string to parse.
*/ + wolfSSL_ASN1_STRING_free(str); + str = NULL; + ExpectNotNull(str = wolfSSL_ASN1_STRING_new()); + ExpectIntEQ(ASN1_STRING_set(str, "bad", 4), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_EXTENSION_set_data(ext, str), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, -1), WOLFSSL_FAILURE); + + wolfSSL_ASN1_STRING_free(str); + wolfSSL_ASN1_OBJECT_free(obj); + wolfSSL_X509_EXTENSION_free(ext); + + return EXPECT_RESULT(); +} + +static int test_x509_add_auth_key_id(WOLFSSL_X509* x509) +{ + EXPECT_DECLS; + const byte objData[] = { 0x06, 0x03, 0x55, 0x1d, 0x23 }; + const byte data[] = { + 0x04, 0x81, 0xcc, 0x30, 0x81, 0xc9, 0x80, 0x14, + 0x27, 0x8e, 0x67, 0x11, 0x74, 0xc3, 0x26, 0x1d, + 0x3f, 0xed, 0x33, 0x63, 0xb3, 0xa4, 0xd8, 0x1d, + 0x30, 0xe5, 0xe8, 0xd5, 0xa1, 0x81, 0x9a, 0xa4, + 0x81, 0x97, 0x30, 0x81, 0x94, 0x31, 0x0b, 0x30, + 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, + 0x55, 0x53, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, + 0x55, 0x04, 0x08, 0x0c, 0x07, 0x4d, 0x6f, 0x6e, + 0x74, 0x61, 0x6e, 0x61, 0x31, 0x10, 0x30, 0x0e, + 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x07, 0x42, + 0x6f, 0x7a, 0x65, 0x6d, 0x61, 0x6e, 0x31, 0x11, + 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, + 0x08, 0x53, 0x61, 0x77, 0x74, 0x6f, 0x6f, 0x74, + 0x68, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, + 0x04, 0x0b, 0x0c, 0x0a, 0x43, 0x6f, 0x6e, 0x73, + 0x75, 0x6c, 0x74, 0x69, 0x6e, 0x67, 0x31, 0x18, + 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, + 0x0f, 0x77, 0x77, 0x77, 0x2e, 0x77, 0x6f, 0x6c, + 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, + 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, + 0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40, 0x77, 0x6f, + 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, + 0x6d, 0x82, 0x14, 0x33, 0x44, 0x1a, 0xa8, 0x6c, + 0x01, 0xec, 0xf6, 0x60, 0xf2, 0x70, 0x51, 0x0a, + 0x4c, 0xd1, 0x14, 0xfa, 0xbc, 0xe9, 0x44 + }; + const byte* p; + WOLFSSL_X509_EXTENSION* ext = NULL; + WOLFSSL_ASN1_OBJECT* obj = NULL; + 
WOLFSSL_ASN1_STRING* str = NULL; + + p = objData; + ExpectNotNull(obj = wolfSSL_d2i_ASN1_OBJECT(NULL, &p, sizeof(objData))); + if (obj != NULL) { + obj->type = NID_authority_key_identifier; + } + p = data; + ExpectNotNull(str = d2i_ASN1_OCTET_STRING(NULL, &p, (long)sizeof(data))); + ExpectNotNull(ext = wolfSSL_X509_EXTENSION_new()); + ExpectIntEQ(wolfSSL_X509_EXTENSION_set_object(ext, obj), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_EXTENSION_set_data(ext, str), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, -1), WOLFSSL_SUCCESS); + + /* Add second time with string to interpret. */ + ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, -1), WOLFSSL_SUCCESS); + + wolfSSL_ASN1_STRING_free(str); + wolfSSL_ASN1_OBJECT_free(obj); + wolfSSL_X509_EXTENSION_free(ext); + + return EXPECT_RESULT(); +} + +static int test_x509_add_subj_key_id(WOLFSSL_X509* x509) +{ + EXPECT_DECLS; + const byte objData[] = { 0x06, 0x03, 0x55, 0x1d, 0x0e }; + const byte data[] = { + 0x04, 0x16, 0x04, 0x14, 0xb3, 0x11, 0x32, 0xc9, + 0x92, 0x98, 0x84, 0xe2, 0xc9, 0xf8, 0xd0, 0x3b, + 0x6e, 0x03, 0x42, 0xca, 0x1f, 0x0e, 0x8e, 0x3c + }; + const byte* p; + WOLFSSL_X509_EXTENSION* ext = NULL; + WOLFSSL_ASN1_OBJECT* obj = NULL; + WOLFSSL_ASN1_STRING* str = NULL; + + p = objData; + ExpectNotNull(obj = wolfSSL_d2i_ASN1_OBJECT(NULL, &p, sizeof(objData))); + if (obj != NULL) { + obj->type = NID_subject_key_identifier; + } + p = data; + ExpectNotNull(str = d2i_ASN1_OCTET_STRING(NULL, &p, (long)sizeof(data))); + ExpectNotNull(ext = wolfSSL_X509_EXTENSION_new()); + ExpectIntEQ(wolfSSL_X509_EXTENSION_set_object(ext, obj), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_EXTENSION_set_data(ext, str), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, -1), WOLFSSL_SUCCESS); + /* Add second time with string to interpret. 
*/ + ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, -1), WOLFSSL_SUCCESS); + + wolfSSL_ASN1_STRING_free(str); + wolfSSL_ASN1_OBJECT_free(obj); + wolfSSL_X509_EXTENSION_free(ext); + + return EXPECT_RESULT(); +} +#endif + +int test_wolfSSL_X509_add_ext(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_ALL) + WOLFSSL_X509* x509 = NULL; + WOLFSSL_X509_EXTENSION* ext_empty = NULL; + WOLFSSL_X509_EXTENSION* ext = NULL; + WOLFSSL_ASN1_OBJECT* obj = NULL; + WOLFSSL_ASN1_STRING* data = NULL; + const byte* p; + const byte subjAltNameObj[] = { 0x06, 0x03, 0x55, 0x1d, 0x11 }; + const byte subjAltName[] = { + 0x04, 0x15, 0x30, 0x13, 0x82, 0x0b, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, + 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x87, 0x04, 0x7f, 0x00, 0x00, 0x01 + }; + + ExpectNotNull(x509 = wolfSSL_X509_new()); + + /* Create extension: Subject Alternative Name */ + ExpectNotNull(ext_empty = wolfSSL_X509_EXTENSION_new()); + p = subjAltName; + ExpectNotNull(data = d2i_ASN1_OCTET_STRING(NULL, &p, + (long)sizeof(subjAltName))); + p = subjAltNameObj; + ExpectNotNull(obj = wolfSSL_d2i_ASN1_OBJECT(NULL, &p, + sizeof(subjAltNameObj))); + if (obj != NULL) { + obj->type = NID_subject_alt_name; + } + ExpectNotNull(ext = wolfSSL_X509_EXTENSION_new()); + ExpectIntEQ(wolfSSL_X509_EXTENSION_set_object(ext, obj), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_EXTENSION_set_data(ext, data), WOLFSSL_SUCCESS); + + /* Failure cases. 
*/ + ExpectIntEQ(wolfSSL_X509_add_ext(NULL, NULL, 0), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_X509_add_ext(x509, NULL, 0), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_X509_add_ext(NULL, ext, 0), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_X509_add_ext(NULL, NULL, -1), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_X509_add_ext(NULL, ext, -1), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_X509_add_ext(x509, NULL, -1), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, 0), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext_empty, -1), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + + /* Add: Subject Alternative Name */ + ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, -1), WOLFSSL_SUCCESS); + /* Add second time to ensure no memory leaks. */ + ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, -1), WOLFSSL_SUCCESS); + + wolfSSL_X509_EXTENSION_free(ext); + wolfSSL_ASN1_OBJECT_free(obj); + wolfSSL_ASN1_STRING_free(data); + wolfSSL_X509_EXTENSION_free(ext_empty); + + EXPECT_TEST(test_X509_add_basic_constraints(x509)); + EXPECT_TEST(test_X509_add_key_usage(x509)); + EXPECT_TEST(test_X509_add_ext_key_usage(x509)); + EXPECT_TEST(test_x509_add_auth_key_id(x509)); + EXPECT_TEST(test_x509_add_subj_key_id(x509)); + + wolfSSL_X509_free(x509); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_X509_get_ext_count(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_ALL) && !defined(NO_CERTS) && !defined(NO_FILESYSTEM) && \ + !defined(NO_RSA) + int ret = 0; + WOLFSSL_X509* x509 = NULL; + const char ocspRootCaFile[] = "./certs/ocsp/root-ca-cert.pem"; + XFILE f = XBADFILE; + + /* NULL parameter check */ + ExpectIntEQ(X509_get_ext_count(NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectNotNull(x509 = wolfSSL_X509_new()); + ExpectIntEQ(X509_get_ext_count(x509), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + wolfSSL_X509_free(x509); + x509 = NULL; + + ExpectNotNull(x509 = 
wolfSSL_X509_load_certificate_file(svrCertFile,
+ SSL_FILETYPE_PEM));
+ ExpectIntEQ(X509_get_ext_count(x509), 5);
+ wolfSSL_X509_free(x509);
+
+ ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(ocspRootCaFile,
+ SSL_FILETYPE_PEM));
+ ExpectIntEQ(X509_get_ext_count(x509), 5);
+ wolfSSL_X509_free(x509);
+
+ ExpectTrue((f = XFOPEN("./certs/server-cert.pem", "rb")) != XBADFILE);
+ ExpectNotNull(x509 = wolfSSL_PEM_read_X509(f, NULL, NULL, NULL));
+ if (f != XBADFILE)
+ XFCLOSE(f);
+
+ /* wolfSSL_X509_get_ext_count() valid input */
+ ExpectIntEQ((ret = wolfSSL_X509_get_ext_count(x509)), 5);
+
+ wolfSSL_X509_free(x509);
+#endif
+ return EXPECT_RESULT();
+}
+
+/* Tests X509v3_get_ext_count, X509v3_get_ext_by_NID, and X509v3_get_ext
+ * working with a stack retrieved from wolfSSL_X509_get0_extensions().
+ */
+int test_wolfSSL_X509_stack_extensions(void)
+{
+ EXPECT_DECLS;
+#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_FILESYSTEM) && \
+ !defined(NO_RSA)
+ WOLFSSL_X509* x509 = NULL;
+ const WOLFSSL_STACK* ext_stack = NULL;
+ WOLFSSL_X509_EXTENSION* ext = NULL;
+ int idx = -1;
+ int count = 0;
+ XFILE f = XBADFILE;
+
+ /* Load a certificate */
+ ExpectTrue((f = XFOPEN("./certs/server-cert.pem", "rb")) != XBADFILE);
+ ExpectNotNull(x509 = wolfSSL_PEM_read_X509(f, NULL, NULL, NULL));
+ if (f != XBADFILE)
+ XFCLOSE(f);
+
+ /* Get the stack of extensions */
+ ExpectNotNull(ext_stack = wolfSSL_X509_get0_extensions(x509));
+
+ /* Test X509v3_get_ext_count */
+ ExpectIntGT((count = X509v3_get_ext_count(ext_stack)), 0);
+
+ /* Test X509v3_get_ext_by_NID - find Basic Constraints extension */
+ ExpectIntGE((idx = X509v3_get_ext_by_NID(ext_stack, NID_basic_constraints,
+ -1)), 0);
+
+ /* Test X509v3_get_ext - get extension by index */
+ ExpectNotNull(ext = X509v3_get_ext(ext_stack, idx));
+
+ /* Verify that the extension is the correct one */
+ ExpectIntEQ(wolfSSL_OBJ_obj2nid(wolfSSL_X509_EXTENSION_get_object(ext)),
+ NID_basic_constraints);
+
+ /* Test negative cases */
+ ExpectIntEQ(X509v3_get_ext_by_NID(NULL, NID_basic_constraints, -1),
+ WOLFSSL_FATAL_ERROR);
+ ExpectNull(X509v3_get_ext(NULL, 0));
+ ExpectNull(X509v3_get_ext(ext_stack, -1));
+ ExpectNull(X509v3_get_ext(ext_stack, count));
+
+ wolfSSL_X509_free(x509);
+#endif
+ return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509_EXTENSION_new(void)
+{
+ EXPECT_DECLS;
+#if defined (OPENSSL_ALL)
+ WOLFSSL_X509_EXTENSION* ext = NULL;
+
+ ExpectNotNull(ext = wolfSSL_X509_EXTENSION_new());
+ ExpectNotNull(ext->obj = wolfSSL_ASN1_OBJECT_new());
+
+ wolfSSL_X509_EXTENSION_free(NULL);
+ wolfSSL_X509_EXTENSION_free(ext);
+#endif
+ return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509_EXTENSION_dup(void)
+{
+ EXPECT_DECLS;
+#if defined (OPENSSL_ALL)
+ WOLFSSL_X509_EXTENSION* ext = NULL;
+ WOLFSSL_X509_EXTENSION* dup = NULL;
+
+ ExpectNull(wolfSSL_X509_EXTENSION_dup(NULL));
+ ExpectNotNull(ext = wolfSSL_X509_EXTENSION_new());
+ ExpectNotNull(dup = wolfSSL_X509_EXTENSION_dup(ext));
+
+ wolfSSL_X509_EXTENSION_free(dup);
+ wolfSSL_X509_EXTENSION_free(ext);
+#endif
+ return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509_EXTENSION_get_object(void)
+{
+ EXPECT_DECLS;
+#if !defined(NO_FILESYSTEM) && defined(OPENSSL_ALL) && !defined(NO_RSA)
+ WOLFSSL_X509* x509 = NULL;
+ WOLFSSL_X509_EXTENSION* ext = NULL;
+ WOLFSSL_X509_EXTENSION* dup = NULL;
+ WOLFSSL_ASN1_OBJECT* o = NULL;
+ XFILE file = XBADFILE;
+
+ ExpectTrue((file = XFOPEN("./certs/server-cert.pem", "rb")) != XBADFILE);
+ ExpectNotNull(x509 = wolfSSL_PEM_read_X509(file, NULL, NULL, NULL));
+ if (file != XBADFILE)
+ XFCLOSE(file);
+
+ /* wolfSSL_X509_EXTENSION_get_object() testing ext idx 0 */
+ ExpectNotNull(ext = wolfSSL_X509_get_ext(x509, 0));
+ ExpectNull(wolfSSL_X509_EXTENSION_get_object(NULL));
+ ExpectNotNull(o = wolfSSL_X509_EXTENSION_get_object(ext));
+ ExpectIntEQ(o->nid, SUBJ_KEY_OID);
+ ExpectNotNull(dup = wolfSSL_X509_EXTENSION_dup(ext));
+ wolfSSL_X509_EXTENSION_free(dup);
+
+ /* wolfSSL_X509_EXTENSION_get_object() NULL argument */
+ ExpectNull(o = wolfSSL_X509_EXTENSION_get_object(NULL));
+
+ wolfSSL_X509_free(x509);
+#endif
+ return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509_EXTENSION_get_data(void)
+{
+ EXPECT_DECLS;
+#if !defined(NO_FILESYSTEM) && defined(OPENSSL_ALL) && !defined(NO_RSA)
+ WOLFSSL_X509* x509 = NULL;
+ WOLFSSL_X509_EXTENSION* ext = NULL;
+ WOLFSSL_ASN1_STRING* str = NULL;
+ XFILE file = XBADFILE;
+#ifndef WOLFSSL_OLD_EXTDATA_FMT
+ const byte ext_data[] = {
+ 0x04, 0x14, 0xB3, 0x11, 0x32, 0xC9, 0x92, 0x98,
+ 0x84, 0xE2, 0xC9, 0xF8, 0xD0, 0x3B, 0x6E, 0x03,
+ 0x42, 0xCA, 0x1F, 0x0E, 0x8E, 0x3C,
+ };
+#endif
+
+ ExpectTrue((file = XFOPEN("./certs/server-cert.pem", "rb")) != XBADFILE);
+ ExpectNotNull(x509 = wolfSSL_PEM_read_X509(file, NULL, NULL, NULL));
+ if (file != XBADFILE)
+ XFCLOSE(file);
+ ExpectNotNull(ext = wolfSSL_X509_get_ext(x509, 0));
+
+ ExpectNull(str = wolfSSL_X509_EXTENSION_get_data(NULL));
+ ExpectNotNull(str = wolfSSL_X509_EXTENSION_get_data(ext));
+
+#ifndef WOLFSSL_OLD_EXTDATA_FMT
+ ExpectIntEQ(str->length, sizeof (ext_data));
+ ExpectBufEQ(str->data, ext_data, sizeof (ext_data));
+#endif
+
+ wolfSSL_X509_free(x509);
+#endif
+ return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509_EXTENSION_get_critical(void)
+{
+ EXPECT_DECLS;
+#if !defined(NO_FILESYSTEM) && defined(OPENSSL_ALL) && !defined(NO_RSA)
+ WOLFSSL_X509* x509 = NULL;
+ WOLFSSL_X509_EXTENSION* ext = NULL;
+ XFILE file = XBADFILE;
+ int crit = 0;
+
+ ExpectTrue((file = XFOPEN("./certs/server-cert.pem", "rb")) != XBADFILE);
+ ExpectNotNull(x509 = wolfSSL_PEM_read_X509(file, NULL, NULL, NULL));
+ if (file != XBADFILE)
+ XFCLOSE(file);
+ ExpectNotNull(ext = wolfSSL_X509_get_ext(x509, 0));
+
+ ExpectIntEQ(crit = wolfSSL_X509_EXTENSION_get_critical(NULL),
+ WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+ ExpectIntEQ(crit = wolfSSL_X509_EXTENSION_get_critical(ext), 0);
+
+ wolfSSL_X509_free(x509);
+#endif
+ return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509_EXTENSION_create_by_OBJ(void)
+{
+ EXPECT_DECLS;
+#if !defined(NO_FILESYSTEM) && defined(OPENSSL_ALL) && !defined(NO_RSA)
+ XFILE file = XBADFILE;
+ WOLFSSL_X509* x509 = NULL;
+ WOLFSSL_X509* empty = NULL;
+ WOLFSSL_X509_EXTENSION* ext = NULL;
+ WOLFSSL_X509_EXTENSION* ext2 = NULL;
+ WOLFSSL_X509_EXTENSION* ext3 = NULL;
+ WOLFSSL_ASN1_OBJECT* o = NULL;
+ int crit = 0;
+ WOLFSSL_ASN1_STRING* str = NULL;
+
+ ExpectTrue((file = XFOPEN("./certs/server-cert.pem", "rb")) != XBADFILE);
+ ExpectNotNull(x509 = wolfSSL_PEM_read_X509(file, NULL, NULL, NULL));
+ if (file != XBADFILE)
+ XFCLOSE(file);
+ ExpectNotNull(ext = wolfSSL_X509_get_ext(x509, 0));
+
+ ExpectNotNull(o = wolfSSL_X509_EXTENSION_get_object(ext));
+ ExpectIntEQ(crit = wolfSSL_X509_EXTENSION_get_critical(ext), 0);
+ ExpectNotNull(str = wolfSSL_X509_EXTENSION_get_data(ext));
+
+ ExpectNull(wolfSSL_X509_EXTENSION_create_by_OBJ(NULL, NULL, 0, NULL));
+ ExpectNull(wolfSSL_X509_EXTENSION_create_by_OBJ(NULL, o, 0, NULL));
+ ExpectNull(wolfSSL_X509_EXTENSION_create_by_OBJ(NULL, NULL, 0, str));
+ ExpectNotNull(ext2 = wolfSSL_X509_EXTENSION_create_by_OBJ(NULL, o, crit,
+ str));
+ ExpectNotNull(ext3 = wolfSSL_X509_EXTENSION_create_by_OBJ(ext2, o, crit,
+ str));
+ if (ext3 == NULL) {
+ wolfSSL_X509_EXTENSION_free(ext2);
+ }
+ wolfSSL_X509_EXTENSION_free(ext3);
+
+ ExpectIntEQ(wolfSSL_X509_get_ext_by_OBJ(NULL, NULL, -1),
+ WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR));
+ ExpectIntEQ(wolfSSL_X509_get_ext_by_OBJ(NULL, o, -1),
+ WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR));
+ ExpectNotNull(empty = wolfSSL_X509_new());
+ ExpectIntEQ(wolfSSL_X509_get_ext_by_OBJ(empty, NULL, -1),
+ WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR));
+ ExpectIntEQ(wolfSSL_X509_get_ext_by_OBJ(empty, o, -1),
+ WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR));
+ wolfSSL_X509_free(empty);
+ empty = NULL;
+ ExpectIntEQ(wolfSSL_X509_get_ext_by_OBJ(x509, o, -2), 0);
+ ExpectIntEQ(wolfSSL_X509_get_ext_by_OBJ(x509, o, 0),
+ WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR));
+
+ wolfSSL_X509_free(x509);
+#endif
+ return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509V3_set_ctx(void)
+{
+ EXPECT_DECLS;
+#if (defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA)) && \
+ defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_REQ) && \
+ defined(HAVE_CRL)
+ WOLFSSL_X509V3_CTX ctx;
+ WOLFSSL_X509* issuer = NULL;
+ WOLFSSL_X509* subject = NULL;
+ WOLFSSL_X509 req;
+ WOLFSSL_X509_CRL crl;
+
+ XMEMSET(&ctx, 0, sizeof(ctx));
+ ExpectNotNull(issuer = wolfSSL_X509_new());
+ ExpectNotNull(subject = wolfSSL_X509_new());
+ XMEMSET(&req, 0, sizeof(req));
+ XMEMSET(&crl, 0, sizeof(crl));
+
+ wolfSSL_X509V3_set_ctx(NULL, NULL, NULL, NULL, NULL, 0);
+ wolfSSL_X509V3_set_ctx(&ctx, NULL, NULL, NULL, NULL, 0);
+ wolfSSL_X509_free(ctx.x509);
+ ctx.x509 = NULL;
+ wolfSSL_X509V3_set_ctx(&ctx, issuer, NULL, NULL, NULL, 0);
+ wolfSSL_X509_free(ctx.x509);
+ ctx.x509 = NULL;
+ wolfSSL_X509V3_set_ctx(&ctx, NULL, subject, NULL, NULL, 0);
+ wolfSSL_X509_free(ctx.x509);
+ ctx.x509 = NULL;
+ wolfSSL_X509V3_set_ctx(&ctx, NULL, NULL, &req, NULL, 0);
+ wolfSSL_X509_free(ctx.x509);
+ ctx.x509 = NULL;
+ wolfSSL_X509V3_set_ctx(&ctx, NULL, NULL, NULL, &crl, 0);
+ wolfSSL_X509_free(ctx.x509);
+ ctx.x509 = NULL;
+ wolfSSL_X509V3_set_ctx(&ctx, NULL, NULL, NULL, NULL, 1);
+ /* X509 allocated in context results in 'failure' (but not return). */
+ wolfSSL_X509V3_set_ctx(&ctx, NULL, NULL, NULL, NULL, 0);
+ wolfSSL_X509_free(ctx.x509);
+ ctx.x509 = NULL;
+
+ wolfSSL_X509_free(subject);
+ wolfSSL_X509_free(issuer);
+#endif
+ return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509V3_EXT_get(void)
+{
+ EXPECT_DECLS;
+#if !defined(NO_FILESYSTEM) && defined(OPENSSL_ALL) && !defined(NO_RSA)
+ XFILE f = XBADFILE;
+ int numOfExt =0;
+ int extNid = 0;
+ int i = 0;
+ WOLFSSL_X509* x509 = NULL;
+ WOLFSSL_X509_EXTENSION* ext = NULL;
+ const WOLFSSL_v3_ext_method* method = NULL;
+ WOLFSSL_ASN1_OBJECT* obj = NULL;
+
+ ExpectNotNull(ext = wolfSSL_X509_EXTENSION_new());
+ /* No object in extension. */
+ ExpectNull(wolfSSL_X509V3_EXT_get(ext));
+ ExpectNotNull(obj = wolfSSL_ASN1_OBJECT_new());
+ ExpectIntEQ(wolfSSL_X509_EXTENSION_set_object(ext, obj), WOLFSSL_SUCCESS);
+ /* NID is zero. */
+ ExpectNull(wolfSSL_X509V3_EXT_get(ext));
+ /* NID is not known. */
+ if (ext != NULL && ext->obj != NULL) {
+ ext->obj->nid = 1;
+ }
+ ExpectNull(wolfSSL_X509V3_EXT_get(ext));
+
+ /* NIDs not in certificate. */
+ if (ext != NULL && ext->obj != NULL) {
+ ext->obj->nid = NID_certificate_policies;
+ }
+ ExpectNotNull(method = wolfSSL_X509V3_EXT_get(ext));
+ ExpectIntEQ(method->ext_nid, NID_certificate_policies);
+ if (ext != NULL && ext->obj != NULL) {
+ ext->obj->nid = NID_crl_distribution_points;
+ }
+ ExpectNotNull(method = wolfSSL_X509V3_EXT_get(ext));
+ ExpectIntEQ(method->ext_nid, NID_crl_distribution_points);
+
+ wolfSSL_ASN1_OBJECT_free(obj);
+ wolfSSL_X509_EXTENSION_free(ext);
+ ext = NULL;
+
+ ExpectTrue((f = XFOPEN("./certs/server-cert.pem", "rb")) != XBADFILE);
+ ExpectNotNull(x509 = wolfSSL_PEM_read_X509(f, NULL, NULL, NULL));
+ if (f != XBADFILE)
+ XFCLOSE(f);
+
+ /* wolfSSL_X509V3_EXT_get() return struct and nid test */
+ ExpectIntEQ((numOfExt = wolfSSL_X509_get_ext_count(x509)), 5);
+ for (i = 0; i < numOfExt; i++) {
+ ExpectNotNull(ext = wolfSSL_X509_get_ext(x509, i));
+ ExpectIntNE((extNid = ext->obj->nid), NID_undef);
+ ExpectNotNull(method = wolfSSL_X509V3_EXT_get(ext));
+ ExpectIntEQ(method->ext_nid, extNid);
+ if (EXPECT_SUCCESS()) {
+ if (method->ext_nid == NID_subject_key_identifier) {
+ ExpectNotNull(method->i2s);
+ }
+ }
+ }
+
+ /* wolfSSL_X509V3_EXT_get() NULL argument test */
+ ExpectNull(method = wolfSSL_X509V3_EXT_get(NULL));
+
+ wolfSSL_X509_free(x509);
+#endif
+ return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509V3_EXT_nconf(void)
+{
+ EXPECT_DECLS;
+#ifdef OPENSSL_ALL
+ const char *ext_names[] = {
+ "subjectKeyIdentifier",
+ "authorityKeyIdentifier",
+ "subjectAltName",
+ "keyUsage",
+ "extendedKeyUsage",
+ };
+ size_t ext_names_count = sizeof(ext_names)/sizeof(*ext_names);
+ int ext_nids[] = {
+ NID_subject_key_identifier,
+ NID_authority_key_identifier,
+ NID_subject_alt_name,
+ NID_key_usage,
+ NID_ext_key_usage,
+ };
+ size_t ext_nids_count = sizeof(ext_nids)/sizeof(*ext_nids);
+ const char *ext_values[] = {
+ "hash",
+ "hash",
+ "DNS:example.com, IP:127.0.0.1",
+ "digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,"
+ "keyAgreement,keyCertSign,cRLSign,encipherOnly,decipherOnly",
+ "serverAuth,clientAuth,codeSigning,emailProtection,timeStamping,"
+ "OCSPSigning",
+ };
+ size_t i;
+ X509_EXTENSION* ext = NULL;
+ X509* x509 = NULL;
+ unsigned int keyUsageFlags;
+ unsigned int extKeyUsageFlags;
+ WOLFSSL_CONF conf;
+ WOLFSSL_X509V3_CTX ctx;
+#ifndef NO_WOLFSSL_STUB
+ WOLFSSL_LHASH lhash;
+#endif
+
+ ExpectNotNull(x509 = X509_new());
+ ExpectNull(X509V3_EXT_nconf(NULL, NULL, ext_names[0], NULL));
+ ExpectNull(X509V3_EXT_nconf_nid(NULL, NULL, ext_nids[0], NULL));
+ ExpectNull(X509V3_EXT_nconf(NULL, NULL, "", ext_values[0]));
+ ExpectNull(X509V3_EXT_nconf_nid(NULL, NULL, 0, ext_values[0]));
+
+ /* conf and ctx ignored. */
+ ExpectNull(X509V3_EXT_nconf_nid(&conf, NULL, 0, ext_values[0]));
+ ExpectNull(X509V3_EXT_nconf_nid(NULL , &ctx, 0, ext_values[0]));
+ ExpectNull(X509V3_EXT_nconf_nid(&conf, &ctx, 0, ext_values[0]));
+
+ /* keyUsage / extKeyUsage should match string above */
+ keyUsageFlags = KU_DIGITAL_SIGNATURE
+ | KU_NON_REPUDIATION
+ | KU_KEY_ENCIPHERMENT
+ | KU_DATA_ENCIPHERMENT
+ | KU_KEY_AGREEMENT
+ | KU_KEY_CERT_SIGN
+ | KU_CRL_SIGN
+ | KU_ENCIPHER_ONLY
+ | KU_DECIPHER_ONLY;
+ extKeyUsageFlags = XKU_SSL_CLIENT
+ | XKU_SSL_SERVER
+ | XKU_CODE_SIGN
+ | XKU_SMIME
+ | XKU_TIMESTAMP
+ | XKU_OCSP_SIGN;
+
+ for (i = 0; i < ext_names_count; i++) {
+ ExpectNotNull(ext = X509V3_EXT_nconf(NULL, NULL, ext_names[i],
+ ext_values[i]));
+ X509_EXTENSION_free(ext);
+ ext = NULL;
+ }
+
+ for (i = 0; i < ext_nids_count; i++) {
+ ExpectNotNull(ext = X509V3_EXT_nconf_nid(NULL, NULL, ext_nids[i],
+ ext_values[i]));
+ X509_EXTENSION_free(ext);
+ ext = NULL;
+ }
+
+ /* Test adding extension to X509 */
+ for (i = 0; i < ext_nids_count; i++) {
+ ExpectNotNull(ext = X509V3_EXT_nconf(NULL, NULL, ext_names[i],
+ ext_values[i]));
+ ExpectIntEQ(X509_add_ext(x509, ext, -1), WOLFSSL_SUCCESS);
+
+ if (ext_nids[i] == NID_key_usage) {
+ ExpectIntEQ(X509_get_key_usage(x509), keyUsageFlags);
+ }
+ else if (ext_nids[i] == NID_ext_key_usage) {
+ ExpectIntEQ(X509_get_extended_key_usage(x509), extKeyUsageFlags);
+ }
+ X509_EXTENSION_free(ext);
+ ext = NULL;
+ }
+ X509_free(x509);
+
+#ifndef NO_WOLFSSL_STUB
+ ExpectIntEQ(wolfSSL_X509V3_EXT_add_nconf(NULL, NULL, NULL, NULL),
+ WOLFSSL_SUCCESS);
+ ExpectNull(wolfSSL_X509V3_EXT_conf_nid(NULL, NULL, 0, NULL));
+ ExpectNull(wolfSSL_X509V3_EXT_conf_nid(&lhash, NULL, 0, NULL));
+ wolfSSL_X509V3_set_ctx_nodb(NULL);
+#endif
+#endif
+ return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509V3_EXT_bc(void)
+{
+ EXPECT_DECLS;
+#if !defined(NO_FILESYSTEM) && defined(OPENSSL_ALL) && !defined(NO_RSA)
+ WOLFSSL_X509_EXTENSION* ext = NULL;
+ WOLFSSL_ASN1_OBJECT* obj = NULL;
+ WOLFSSL_BASIC_CONSTRAINTS* bc = NULL;
+ WOLFSSL_ASN1_INTEGER* pathLen = NULL;
+
+ ExpectNotNull(ext = wolfSSL_X509_EXTENSION_new());
+ ExpectNotNull(obj = wolfSSL_ASN1_OBJECT_new());
+ ExpectNotNull(pathLen = wolfSSL_ASN1_INTEGER_new());
+ if (pathLen != NULL) {
+ pathLen->length = 2;
+ }
+
+ if (obj != NULL) {
+ obj->type = NID_basic_constraints;
+ obj->nid = NID_basic_constraints;
+ }
+ ExpectIntEQ(wolfSSL_X509_EXTENSION_set_object(ext, obj), WOLFSSL_SUCCESS);
+ ExpectNotNull(wolfSSL_X509V3_EXT_get(ext));
+ /* No pathlen set. */
+ ExpectNotNull(bc = (WOLFSSL_BASIC_CONSTRAINTS*)wolfSSL_X509V3_EXT_d2i(ext));
+ wolfSSL_BASIC_CONSTRAINTS_free(bc);
+ bc = NULL;
+
+ if ((ext != NULL) && (ext->obj != NULL)) {
+ ext->obj->pathlen = pathLen;
+ pathLen = NULL;
+ }
+ /* pathlen set. */
+ ExpectNotNull(bc = (WOLFSSL_BASIC_CONSTRAINTS*)wolfSSL_X509V3_EXT_d2i(ext));
+
+ wolfSSL_ASN1_INTEGER_free(pathLen);
+ wolfSSL_BASIC_CONSTRAINTS_free(bc);
+ wolfSSL_ASN1_OBJECT_free(obj);
+ wolfSSL_X509_EXTENSION_free(ext);
+#endif
+ return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509V3_EXT_san(void)
+{
+ EXPECT_DECLS;
+#if !defined(NO_FILESYSTEM) && defined(OPENSSL_ALL) && !defined(NO_RSA)
+ WOLFSSL_X509_EXTENSION* ext = NULL;
+ WOLFSSL_ASN1_OBJECT* obj = NULL;
+ WOLFSSL_STACK* sk = NULL;
+
+ ExpectNotNull(ext = wolfSSL_X509_EXTENSION_new());
+ ExpectNotNull(obj = wolfSSL_ASN1_OBJECT_new());
+
+ if (obj != NULL) {
+ obj->type = NID_subject_alt_name;
+ obj->nid = NID_subject_alt_name;
+ }
+ ExpectIntEQ(wolfSSL_X509_EXTENSION_set_object(ext, obj), WOLFSSL_SUCCESS);
+ ExpectNotNull(wolfSSL_X509V3_EXT_get(ext));
+ /* No extension stack set. */
+ ExpectNull(wolfSSL_X509V3_EXT_d2i(ext));
+
+ ExpectNotNull(sk = wolfSSL_sk_new_null());
+ if (ext != NULL) {
+ ext->ext_sk = sk;
+ sk = NULL;
+ }
+ /* Extension stack set. */
+ ExpectNull(wolfSSL_X509V3_EXT_d2i(ext));
+
+ wolfSSL_sk_free(sk);
+ wolfSSL_ASN1_OBJECT_free(obj);
+ wolfSSL_X509_EXTENSION_free(ext);
+#endif
+ return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509V3_EXT_aia(void)
+{
+ EXPECT_DECLS;
+#if !defined(NO_FILESYSTEM) && defined(OPENSSL_ALL) && !defined(NO_RSA)
+ WOLFSSL_X509_EXTENSION* ext = NULL;
+ WOLFSSL_ASN1_OBJECT* obj = NULL;
+ WOLFSSL_STACK* sk = NULL;
+ WOLFSSL_STACK* node = NULL;
+ WOLFSSL_AUTHORITY_INFO_ACCESS* aia = NULL;
+ WOLFSSL_ASN1_OBJECT* entry = NULL;
+
+ ExpectNotNull(ext = wolfSSL_X509_EXTENSION_new());
+ ExpectNotNull(obj = wolfSSL_ASN1_OBJECT_new());
+
+ if (obj != NULL) {
+ obj->type = NID_info_access;
+ obj->nid = NID_info_access;
+ }
+ ExpectIntEQ(wolfSSL_X509_EXTENSION_set_object(ext, obj), WOLFSSL_SUCCESS);
+ ExpectNotNull(wolfSSL_X509V3_EXT_get(ext));
+ /* No extension stack set. */
+ ExpectNull(wolfSSL_X509V3_EXT_d2i(ext));
+
+ ExpectNotNull(sk = wolfSSL_sk_new_null());
+ if (ext != NULL) {
+ ext->ext_sk = sk;
+ sk = NULL;
+ }
+ /* Extension stack set but empty. */
+ ExpectNotNull(aia = (WOLFSSL_AUTHORITY_INFO_ACCESS *)
+ wolfSSL_X509V3_EXT_d2i(ext));
+ wolfSSL_AUTHORITY_INFO_ACCESS_free(aia);
+ aia = NULL;
+
+ ExpectNotNull(entry = wolfSSL_ASN1_OBJECT_new());
+ if (entry != NULL) {
+ entry->nid = WC_NID_ad_OCSP;
+ entry->obj = (const unsigned char*)"http://127.0.0.1";
+ entry->objSz = 16;
+ }
+ ExpectNotNull(node = wolfSSL_sk_new_node(NULL));
+ if ((node != NULL) && (ext != NULL)) {
+ node->type = STACK_TYPE_OBJ;
+ node->data.obj = entry;
+ entry = NULL;
+ ExpectIntEQ(wolfSSL_sk_push_node(&ext->ext_sk, node), WOLFSSL_SUCCESS);
+ if (EXPECT_SUCCESS()) {
+ node = NULL;
+ }
+ }
+ ExpectNotNull(aia = (WOLFSSL_AUTHORITY_INFO_ACCESS *)
+ wolfSSL_X509V3_EXT_d2i(ext));
+ wolfSSL_ACCESS_DESCRIPTION_free(NULL);
+
+ wolfSSL_AUTHORITY_INFO_ACCESS_pop_free(aia,
+ wolfSSL_ACCESS_DESCRIPTION_free);
+ wolfSSL_ASN1_OBJECT_free(entry);
+ wolfSSL_sk_free(node);
+ wolfSSL_ASN1_OBJECT_free(obj);
+ wolfSSL_X509_EXTENSION_free(ext);
+#endif
+ return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509V3_EXT(void)
+{
+ EXPECT_DECLS;
+#if !defined(NO_FILESYSTEM) && defined(OPENSSL_ALL) && !defined(NO_RSA)
+ XFILE f = XBADFILE;
+ int numOfExt = 0, nid = 0, i = 0, expected, actual = 0;
+ char* str = NULL;
+ unsigned char* data = NULL;
+ const WOLFSSL_v3_ext_method* method = NULL;
+ WOLFSSL_X509* x509 = NULL;
+ WOLFSSL_X509_EXTENSION* ext = NULL;
+ WOLFSSL_X509_EXTENSION* ext2 = NULL;
+ WOLFSSL_ASN1_OBJECT *obj = NULL;
+ WOLFSSL_ASN1_OBJECT *adObj = NULL;
+ WOLFSSL_ASN1_STRING* asn1str = NULL;
+ WOLFSSL_AUTHORITY_KEYID* aKeyId = NULL;
+ WOLFSSL_AUTHORITY_INFO_ACCESS* aia = NULL;
+ WOLFSSL_BASIC_CONSTRAINTS* bc = NULL;
+ WOLFSSL_ACCESS_DESCRIPTION* ad = NULL;
+ WOLFSSL_GENERAL_NAME* gn = NULL;
+
+ /* Check NULL argument */
+ ExpectNull(wolfSSL_X509V3_EXT_d2i(NULL));
+
+ ExpectNotNull(ext = wolfSSL_X509_EXTENSION_new());
+ ExpectNotNull(obj = wolfSSL_ASN1_OBJECT_new());
+
+ ExpectNull(wolfSSL_X509V3_EXT_d2i(ext));
+ ExpectIntEQ(wolfSSL_X509_EXTENSION_set_object(ext, obj), WOLFSSL_SUCCESS);
+ ExpectNull(wolfSSL_X509V3_EXT_d2i(ext));
+ if (ext != NULL && ext->obj != NULL) {
+ ext->obj->nid = ext->obj->type = NID_ext_key_usage;
+ }
+ ExpectNull(wolfSSL_X509V3_EXT_d2i(ext));
+ if (ext != NULL && ext->obj != NULL) {
+ ext->obj->nid = ext->obj->type = NID_certificate_policies;
+ }
+ ExpectNull(wolfSSL_X509V3_EXT_d2i(ext));
+ if (ext != NULL && ext->obj != NULL) {
+ ext->obj->nid = ext->obj->type = NID_crl_distribution_points;
+ }
+ ExpectNull(wolfSSL_X509V3_EXT_d2i(ext));
+ if (ext != NULL && ext->obj != NULL) {
+ ext->obj->nid = ext->obj->type = NID_subject_alt_name;
+ }
+ ExpectNull(wolfSSL_X509V3_EXT_d2i(ext));
+
+ wolfSSL_ASN1_OBJECT_free(obj);
+ obj = NULL;
+ wolfSSL_X509_EXTENSION_free(ext);
+ ext = NULL;
+
+ /* Using OCSP cert with X509V3 extensions */
+ ExpectTrue((f = XFOPEN("./certs/ocsp/root-ca-cert.pem", "rb")) != XBADFILE);
+ ExpectNotNull(x509 = wolfSSL_PEM_read_X509(f, NULL, NULL, NULL));
+ if (f != XBADFILE)
+ XFCLOSE(f);
+
+ ExpectIntEQ((numOfExt = wolfSSL_X509_get_ext_count(x509)), 5);
+
+ /* Basic Constraints */
+ ExpectNotNull(ext = wolfSSL_X509_get_ext(x509, i));
+ ExpectNotNull(obj = wolfSSL_X509_EXTENSION_get_object(ext));
+ ExpectIntEQ((nid = wolfSSL_OBJ_obj2nid(obj)), NID_basic_constraints);
+ ExpectNotNull(bc = (WOLFSSL_BASIC_CONSTRAINTS*)wolfSSL_X509V3_EXT_d2i(ext));
+
+ ExpectIntEQ(bc->ca, 1);
+ ExpectNull(bc->pathlen);
+ wolfSSL_BASIC_CONSTRAINTS_free(bc);
+ bc = NULL;
+ i++;
+
+ /* Subject Key Identifier */
+ ExpectNotNull(ext = wolfSSL_X509_get_ext(x509, i));
+ ExpectNotNull(obj = wolfSSL_X509_EXTENSION_get_object(ext));
+ ExpectIntEQ((nid = wolfSSL_OBJ_obj2nid(obj)), NID_subject_key_identifier);
+
+ ExpectNotNull(asn1str = (WOLFSSL_ASN1_STRING*)wolfSSL_X509V3_EXT_d2i(ext));
+ ExpectNotNull(ext2 = wolfSSL_X509V3_EXT_i2d(NID_subject_key_identifier, 0,
+ asn1str));
+ X509_EXTENSION_free(ext2);
+ ext2 = NULL;
+ ExpectNotNull(method = wolfSSL_X509V3_EXT_get(ext));
+ ExpectNotNull(method->i2s);
+ ExpectNotNull(str = method->i2s((WOLFSSL_v3_ext_method*)method, asn1str));
+ wolfSSL_ASN1_STRING_free(asn1str);
+ asn1str = NULL;
+ if (str != NULL) {
+ actual = strcmp(str,
+ "73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21");
+ }
+ ExpectIntEQ(actual, 0);
+ XFREE(str, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+ str = NULL;
+ i++;
+
+ /* Authority Key Identifier */
+ ExpectNotNull(ext = wolfSSL_X509_get_ext(x509, i));
+ ExpectNotNull(obj = wolfSSL_X509_EXTENSION_get_object(ext));
+ ExpectIntEQ((nid = wolfSSL_OBJ_obj2nid(obj)), NID_authority_key_identifier);
+
+ ExpectNotNull(aKeyId = (WOLFSSL_AUTHORITY_KEYID*)wolfSSL_X509V3_EXT_d2i(
+ ext));
+ ExpectNotNull(method = wolfSSL_X509V3_EXT_get(ext));
+ ExpectNotNull(asn1str = aKeyId->keyid);
+ ExpectNotNull(str = wolfSSL_i2s_ASN1_STRING((WOLFSSL_v3_ext_method*)method,
+ asn1str));
+ asn1str = NULL;
+ if (str != NULL) {
+ actual = strcmp(str,
+ "73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21");
+ }
+ ExpectIntEQ(actual, 0);
+ XFREE(str, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+ str = NULL;
+ wolfSSL_AUTHORITY_KEYID_free(aKeyId);
+ aKeyId = NULL;
+ i++;
+
+ /* Key Usage */
+ ExpectNotNull(ext = wolfSSL_X509_get_ext(x509, i));
+ ExpectNotNull(obj = wolfSSL_X509_EXTENSION_get_object(ext));
+ ExpectIntEQ((nid = wolfSSL_OBJ_obj2nid(obj)), NID_key_usage);
+
+ ExpectNotNull(asn1str = (WOLFSSL_ASN1_STRING*)wolfSSL_X509V3_EXT_d2i(ext));
+#if defined(WOLFSSL_QT)
+ ExpectNotNull(data = (unsigned char*)ASN1_STRING_get0_data(asn1str));
+#else
+ ExpectNotNull(data = wolfSSL_ASN1_STRING_data(asn1str));
+#endif
+ expected = KEYUSE_KEY_CERT_SIGN | KEYUSE_CRL_SIGN;
+ if (data != NULL) {
+ #ifdef BIG_ENDIAN_ORDER
+ actual = data[1];
+ #else
+ actual = data[0];
+ #endif
+ }
+ ExpectIntEQ(actual, expected);
+ wolfSSL_ASN1_STRING_free(asn1str);
+ asn1str = NULL;
+ ExpectIntEQ(wolfSSL_X509_get_keyUsage(NULL), 0);
+ ExpectIntEQ(wolfSSL_X509_get_keyUsage(x509), expected);
+ i++;
+
+ /* Authority Info Access */
+ ExpectNotNull(ext = wolfSSL_X509_get_ext(x509, i));
+ ExpectNotNull(obj = wolfSSL_X509_EXTENSION_get_object(ext));
+ ExpectIntEQ((nid = wolfSSL_OBJ_obj2nid(obj)), NID_info_access);
+ ExpectNotNull(aia = (WOLFSSL_AUTHORITY_INFO_ACCESS*)wolfSSL_X509V3_EXT_d2i(
+ ext));
+#if defined(WOLFSSL_QT)
+ ExpectIntEQ(OPENSSL_sk_num(aia), 1); /* Only one URI entry for this cert */
+#else
+ ExpectIntEQ(wolfSSL_sk_num(aia), 1); /* Only one URI entry for this cert */
+#endif
+ /* URI entry is an ACCESS_DESCRIPTION type */
+#if defined(WOLFSSL_QT)
+ ExpectNotNull(ad = (WOLFSSL_ACCESS_DESCRIPTION*)wolfSSL_sk_value(aia, 0));
+#else
+ ExpectNotNull(ad = (WOLFSSL_ACCESS_DESCRIPTION*)OPENSSL_sk_value(aia, 0));
+#endif
+ ExpectNotNull(adObj = ad->method);
+ /* Make sure nid is OCSP */
+ ExpectIntEQ(wolfSSL_OBJ_obj2nid(adObj), NID_ad_OCSP);
+
+ /* GENERAL_NAME stores URI as an ASN1_STRING */
+ ExpectNotNull(gn = ad->location);
+ ExpectIntEQ(gn->type, GEN_URI); /* Type should always be GEN_URI */
+ ExpectNotNull(asn1str = gn->d.uniformResourceIdentifier);
+ ExpectIntEQ(wolfSSL_ASN1_STRING_length(asn1str), 22);
+#if defined(WOLFSSL_QT)
+ ExpectNotNull(str = (char*)ASN1_STRING_get0_data(asn1str));
+#else
+ ExpectNotNull(str = (char*)wolfSSL_ASN1_STRING_data(asn1str));
+#endif
+ if (str != NULL) {
+ actual = strcmp(str, "http://127.0.0.1:22220");
+ }
+ ExpectIntEQ(actual, 0);
+
+ ExpectIntEQ(wolfSSL_sk_ACCESS_DESCRIPTION_num(NULL), WOLFSSL_FATAL_ERROR);
+ ExpectIntEQ(wolfSSL_sk_ACCESS_DESCRIPTION_num(aia), 1);
+ ExpectNull(wolfSSL_sk_ACCESS_DESCRIPTION_value(NULL, 0));
+ ExpectNull(wolfSSL_sk_ACCESS_DESCRIPTION_value(aia, 1));
+ ExpectNotNull(wolfSSL_sk_ACCESS_DESCRIPTION_value(aia, 0));
+ wolfSSL_sk_ACCESS_DESCRIPTION_pop_free(aia, NULL);
+ aia = NULL;
+
+#ifndef NO_WOLFSSL_STUB
+ ExpectNull(wolfSSL_X509_delete_ext(x509, 0));
+#endif
+
+ wolfSSL_X509_free(x509);
+#endif
+ return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509V3_EXT_print(void)
+{
+ EXPECT_DECLS;
+#if !defined(NO_FILESYSTEM) && defined(OPENSSL_ALL) && !defined(NO_BIO) && \
+ !defined(NO_RSA)
+
+ {
+ XFILE f = XBADFILE;
+ WOLFSSL_X509* x509 = NULL;
+ X509_EXTENSION * ext = NULL;
+ int loc = 0;
+ BIO *bio = NULL;
+
+ ExpectTrue((f = XFOPEN(svrCertFile, "rb")) != XBADFILE);
+ ExpectNotNull(x509 = wolfSSL_PEM_read_X509(f, NULL, NULL, NULL));
+ if (f != XBADFILE)
+ fclose(f);
+
+ ExpectNotNull(bio = wolfSSL_BIO_new(BIO_s_mem()));
+
+ ExpectIntGT(loc = wolfSSL_X509_get_ext_by_NID(x509,
+ NID_basic_constraints, -1), -1);
+ ExpectNotNull(ext = wolfSSL_X509_get_ext(x509, loc));
+
+ /* Failure cases. */
+ ExpectIntEQ(wolfSSL_X509V3_EXT_print(NULL, NULL, 0, 0),
+ WOLFSSL_FAILURE);
+ ExpectIntEQ(wolfSSL_X509V3_EXT_print(bio , NULL, 0, 0),
+ WOLFSSL_FAILURE);
+ ExpectIntEQ(wolfSSL_X509V3_EXT_print(NULL, ext , 0, 0),
+ WOLFSSL_FAILURE);
+ /* Good case. */
+ ExpectIntEQ(wolfSSL_X509V3_EXT_print(bio, ext, 0, 0), WOLFSSL_SUCCESS);
+
+ ExpectIntGT(loc = wolfSSL_X509_get_ext_by_NID(x509,
+ NID_subject_key_identifier, -1), -1);
+ ExpectNotNull(ext = wolfSSL_X509_get_ext(x509, loc));
+ ExpectIntEQ(wolfSSL_X509V3_EXT_print(bio, ext, 0, 0), WOLFSSL_SUCCESS);
+
+ ExpectIntGT(loc = wolfSSL_X509_get_ext_by_NID(x509,
+ NID_authority_key_identifier, -1), -1);
+ ExpectNotNull(ext = wolfSSL_X509_get_ext(x509, loc));
+ ExpectIntEQ(wolfSSL_X509V3_EXT_print(bio, ext, 0, 0), WOLFSSL_SUCCESS);
+
+ wolfSSL_BIO_free(bio);
+ wolfSSL_X509_free(x509);
+ }
+
+ {
+ X509 *x509 = NULL;
+ BIO *bio = NULL;
+ X509_EXTENSION *ext = NULL;
+ unsigned int i = 0;
+ unsigned int idx = 0;
+ /* Some NIDs to test with */
+ int nids[] = {
+ /* NID_key_usage, currently X509_get_ext returns this as a bit
+ * string, which messes up X509V3_EXT_print */
+ /* NID_ext_key_usage, */
+ NID_subject_alt_name,
+ };
+ int* n = NULL;
+
+ ExpectNotNull(bio = BIO_new_fp(stderr, BIO_NOCLOSE));
+
+ ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFileExt,
+ WOLFSSL_FILETYPE_PEM));
+
+ ExpectIntGT(fprintf(stderr, "\nPrinting extension values:\n"), 0);
+
+ for (i = 0, n = nids; i<(sizeof(nids)/sizeof(int)); i++, n++) {
+ /* X509_get_ext_by_NID should return 3 for now. If that changes then
+ * update the index */
+ ExpectIntEQ((idx = X509_get_ext_by_NID(x509, *n, -1)), 3);
+ ExpectNotNull(ext = X509_get_ext(x509, (int)idx));
+ ExpectIntEQ(X509V3_EXT_print(bio, ext, 0, 0), 1);
+ ExpectIntGT(fprintf(stderr, "\n"), 0);
+ }
+
+ BIO_free(bio);
+ X509_free(x509);
+ }
+
+ {
+ BIO* bio = NULL;
+ X509_EXTENSION* ext = NULL;
+ WOLFSSL_ASN1_OBJECT* obj = NULL;
+
+ ExpectNotNull(bio = BIO_new_fp(stderr, BIO_NOCLOSE));
+ ExpectNotNull(ext = X509_EXTENSION_new());
+
+ /* No object. */
+ ExpectIntEQ(wolfSSL_X509V3_EXT_print(bio, ext, 0, 0), WOLFSSL_FAILURE);
+
+ ExpectNotNull(obj = wolfSSL_ASN1_OBJECT_new());
+ ExpectIntEQ(wolfSSL_X509_EXTENSION_set_object(ext, obj),
+ WOLFSSL_SUCCESS);
+
+ /* NID not supported yet - just doesn't write anything. */
+ if (ext != NULL && ext->obj != NULL) {
+ ext->obj->nid = AUTH_INFO_OID;
+ ExpectIntEQ(wolfSSL_X509V3_EXT_print(bio, ext, 0, 0),
+ WOLFSSL_SUCCESS);
+ ext->obj->nid = CERT_POLICY_OID;
+ ExpectIntEQ(wolfSSL_X509V3_EXT_print(bio, ext, 0, 0),
+ WOLFSSL_SUCCESS);
+ ext->obj->nid = CRL_DIST_OID;
+ ExpectIntEQ(wolfSSL_X509V3_EXT_print(bio, ext, 0, 0),
+ WOLFSSL_SUCCESS);
+ ext->obj->nid = KEY_USAGE_OID;
+ ExpectIntEQ(wolfSSL_X509V3_EXT_print(bio, ext, 0, 0),
+ WOLFSSL_SUCCESS);
+
+ ext->obj->nid = EXT_KEY_USAGE_OID;
+ ExpectIntEQ(wolfSSL_X509V3_EXT_print(bio, ext, 0, 0),
+ WOLFSSL_SUCCESS);
+ }
+
+ wolfSSL_ASN1_OBJECT_free(obj);
+ X509_EXTENSION_free(ext);
+ BIO_free(bio);
+ }
+#endif
+ return EXPECT_RESULT();
+}
+
diff --git a/tests/api/test_ossl_x509_ext.h b/tests/api/test_ossl_x509_ext.h
new file mode 100644
index 00000000000..3a0ea0d42b1
--- /dev/null
+++ b/tests/api/test_ossl_x509_ext.h
@@ -0,0 +1,76 @@
+/* test_ossl_x509_ext.h
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#ifndef WOLFCRYPT_TEST_OSSL_X509_EXT_H
+#define WOLFCRYPT_TEST_OSSL_X509_EXT_H
+
+#include
+
+int test_wolfSSL_X509_get_extension_flags(void);
+int test_wolfSSL_X509_get_ext(void);
+int test_wolfSSL_X509_get_ext_by_NID(void);
+int test_wolfSSL_X509_get_ext_subj_alt_name(void);
+int test_wolfSSL_X509_set_ext(void);
+int test_wolfSSL_X509_add_ext(void);
+int test_wolfSSL_X509_get_ext_count(void);
+int test_wolfSSL_X509_stack_extensions(void);
+int test_wolfSSL_X509_EXTENSION_new(void);
+int test_wolfSSL_X509_EXTENSION_dup(void);
+int test_wolfSSL_X509_EXTENSION_get_object(void);
+int test_wolfSSL_X509_EXTENSION_get_data(void);
+int test_wolfSSL_X509_EXTENSION_get_critical(void);
+int test_wolfSSL_X509_EXTENSION_create_by_OBJ(void);
+int test_wolfSSL_X509V3_set_ctx(void);
+int test_wolfSSL_X509V3_EXT_get(void);
+int test_wolfSSL_X509V3_EXT_nconf(void);
+int test_wolfSSL_X509V3_EXT_bc(void);
+int test_wolfSSL_X509V3_EXT_san(void);
+int test_wolfSSL_X509V3_EXT_aia(void);
+int test_wolfSSL_X509V3_EXT(void);
+int test_wolfSSL_X509V3_EXT_print(void);
+
+#define TEST_OSSL_X509_EXT_DECLS \
+ TEST_DECL_GROUP("ossl_x509_ext", test_wolfSSL_X509_get_extension_flags), \
+ TEST_DECL_GROUP("ossl_x509_ext", test_wolfSSL_X509_get_ext), \
+ TEST_DECL_GROUP("ossl_x509_ext", test_wolfSSL_X509_get_ext_by_NID), \
+ TEST_DECL_GROUP("ossl_x509_ext", test_wolfSSL_X509_get_ext_subj_alt_name), \
+ TEST_DECL_GROUP("ossl_x509_ext", test_wolfSSL_X509_set_ext), \
+ TEST_DECL_GROUP("ossl_x509_ext", test_wolfSSL_X509_add_ext), \
+ TEST_DECL_GROUP("ossl_x509_ext", test_wolfSSL_X509_get_ext_count), \
+ TEST_DECL_GROUP("ossl_x509_ext", test_wolfSSL_X509_stack_extensions), \
+ TEST_DECL_GROUP("ossl_x509_ext", test_wolfSSL_X509_EXTENSION_new), \
+ TEST_DECL_GROUP("ossl_x509_ext", test_wolfSSL_X509_EXTENSION_dup), \
+ TEST_DECL_GROUP("ossl_x509_ext", test_wolfSSL_X509_EXTENSION_get_object), \
+ TEST_DECL_GROUP("ossl_x509_ext", test_wolfSSL_X509_EXTENSION_get_data), \
+ TEST_DECL_GROUP("ossl_x509_ext", \
+ test_wolfSSL_X509_EXTENSION_get_critical), \
+ TEST_DECL_GROUP("ossl_x509_ext", \
+ test_wolfSSL_X509_EXTENSION_create_by_OBJ), \
+ TEST_DECL_GROUP("ossl_x509_ext", test_wolfSSL_X509V3_set_ctx), \
+ TEST_DECL_GROUP("ossl_x509_ext", test_wolfSSL_X509V3_EXT_get), \
+ TEST_DECL_GROUP("ossl_x509_ext", test_wolfSSL_X509V3_EXT_nconf), \
+ TEST_DECL_GROUP("ossl_x509_ext", test_wolfSSL_X509V3_EXT_bc), \
+ TEST_DECL_GROUP("ossl_x509_ext", test_wolfSSL_X509V3_EXT_san), \
+ TEST_DECL_GROUP("ossl_x509_ext", test_wolfSSL_X509V3_EXT_aia), \
+ TEST_DECL_GROUP("ossl_x509_ext", test_wolfSSL_X509V3_EXT), \
+ TEST_DECL_GROUP("ossl_x509_ext", test_wolfSSL_X509V3_EXT_print)
+
+#endif /* WOLFCRYPT_TEST_OSSL_X509_EXT_H */
diff --git a/tests/api/test_ossl_x509_info.c b/tests/api/test_ossl_x509_info.c
new file mode 100644
index 00000000000..95188e36386
--- /dev/null
+++ b/tests/api/test_ossl_x509_info.c
@@ -0,0 +1,248 @@
+/* test_ossl_x509_info.c
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#include
+
+#ifdef NO_INLINE
+ #include
+#else
+ #define WOLFSSL_MISC_INCLUDED
+ #include
+#endif
+
+#include
+#include
+#include
+
+int test_wolfSSL_X509_INFO_multiple_info(void)
+{
+ EXPECT_DECLS;
+#if defined(OPENSSL_ALL) && !defined(NO_RSA) && !defined(NO_BIO)
+ STACK_OF(X509_INFO) *info_stack = NULL;
+ X509_INFO *info = NULL;
+ int len;
+ int i;
+ const char* files[] = {
+ cliCertFile,
+ cliKeyFile,
+ /* This needs to be the order as svrCertFile contains the
+ * intermediate cert as well. */
+ svrKeyFile,
+ svrCertFile,
+ NULL,
+ };
+ const char** curFile;
+ BIO *fileBIO = NULL;
+ BIO *concatBIO = NULL;
+ byte tmp[FOURK_BUF];
+
+ /* concatenate the cert and the key file to force PEM_X509_INFO_read_bio
+ * to group objects together. */
+ ExpectNotNull(concatBIO = BIO_new(BIO_s_mem()));
+ for (curFile = files; EXPECT_SUCCESS() && *curFile != NULL; curFile++) {
+ int fileLen = 0;
+ ExpectNotNull(fileBIO = BIO_new_file(*curFile, "rb"));
+ ExpectIntGT(fileLen = wolfSSL_BIO_get_len(fileBIO), 0);
+ if (EXPECT_SUCCESS()) {
+ while ((len = BIO_read(fileBIO, tmp, sizeof(tmp))) > 0) {
+ ExpectIntEQ(BIO_write(concatBIO, tmp, len), len);
+ fileLen -= len;
+ if (EXPECT_FAIL())
+ break;
+ }
+ /* Make sure we read the entire file */
+ ExpectIntEQ(fileLen, 0);
+ }
+ BIO_free(fileBIO);
+ fileBIO = NULL;
+ }
+
+ ExpectNotNull(info_stack = PEM_X509_INFO_read_bio(concatBIO, NULL, NULL,
+ NULL));
+ ExpectIntEQ(sk_X509_INFO_num(info_stack), 3);
+ for (i = 0; i < sk_X509_INFO_num(info_stack); i++) {
+ ExpectNotNull(info = sk_X509_INFO_value(info_stack, i));
+ ExpectNotNull(info->x509);
+ ExpectNull(info->crl);
+ if (i != 2) {
+ ExpectNotNull(info->x_pkey);
+ ExpectIntEQ(X509_check_private_key(info->x509,
+ info->x_pkey->dec_pkey), 1);
+ }
+ else {
+ ExpectNull(info->x_pkey);
+ }
+ }
+
+ sk_X509_INFO_pop_free(info_stack, X509_INFO_free);
+ BIO_free(concatBIO);
+#endif
+ return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509_INFO(void)
+{
+ EXPECT_DECLS;
+#if defined(OPENSSL_ALL) && !defined(NO_RSA) && !defined(NO_BIO)
+ STACK_OF(X509_INFO) *info_stack = NULL;
+ X509_INFO *info = NULL;
+ BIO *cert = NULL;
+ int i;
+ /* PEM in hex format to avoid null terminator */
+ byte data[] = {
+ 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x42, 0x45, 0x47,
+ 0x49, 0x4e, 0x20, 0x43, 0x45, 0x52, 0x54, 0x63, 0x2d, 0x2d, 0x2d, 0x2d,
+ 0x2d, 0x0a, 0x4d, 0x49, 0x49, 0x44, 0x4d, 0x54, 0x42, 0x75, 0x51, 0x3d,
+ 0x0a, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x45, 0x4e, 0x44, 0x20, 0x2d, 0x2d,
+ 0x2d, 0x2d, 0x2d
+ };
+ /* PEM in hex format to avoid null terminator */
+ byte data2[] = {
+ 0x41, 0x53, 0x4e, 0x31, 0x20, 0x4f, 0x49, 0x44, 0x3a, 0x20, 0x70, 0x72,
+ 0x69, 0x6d, 0x65, 0x32, 0x35, 0x36, 0x76, 0x31, 0x0a, 0x2d, 0x2d, 0x2d,
+ 0x2d,
0x2d, 0x42, 0x45, 0x47, 0x49, 0x4e, 0x20, 0x45, 0x43, 0x20, 0x50, + 0x41, 0x52, 0x41, 0x4d, 0x45, 0x54, 0x45, 0x52, 0x53, 0x2d, 0x2d, 0x2d, + 0x2d, 0x43, 0x65, 0x72, 0x74, 0x69, 0x2d, 0x0a, 0x42, 0x67, 0x67, 0x71, + 0x68, 0x6b, 0x6a, 0x4f, 0x50, 0x51, 0x4d, 0x42, 0x42, 0x77, 0x3d, 0x3d, + 0x0a, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d + }; + + ExpectNotNull(cert = BIO_new_file(cliCertFileExt, "rb")); + ExpectNotNull(info_stack = PEM_X509_INFO_read_bio(cert, NULL, NULL, NULL)); + for (i = 0; i < sk_X509_INFO_num(info_stack); i++) { + ExpectNotNull(info = sk_X509_INFO_value(info_stack, i)); + ExpectNotNull(info->x509); + ExpectNull(info->crl); + ExpectNull(info->x_pkey); + } + sk_X509_INFO_pop_free(info_stack, X509_INFO_free); + info_stack = NULL; + BIO_free(cert); + cert = NULL; + + ExpectNotNull(cert = BIO_new_file(cliCertFileExt, "rb")); + ExpectNotNull(info_stack = PEM_X509_INFO_read_bio(cert, NULL, NULL, NULL)); + sk_X509_INFO_pop_free(info_stack, X509_INFO_free); + info_stack = NULL; + BIO_free(cert); + cert = NULL; + + /* This case should fail due to invalid input. 
*/ + ExpectNotNull(cert = BIO_new(BIO_s_mem())); + ExpectIntEQ(BIO_write(cert, data, sizeof(data)), sizeof(data)); + ExpectNull(info_stack = PEM_X509_INFO_read_bio(cert, NULL, NULL, NULL)); + sk_X509_INFO_pop_free(info_stack, X509_INFO_free); + info_stack = NULL; + BIO_free(cert); + cert = NULL; + ExpectNotNull(cert = BIO_new(BIO_s_mem())); + ExpectIntEQ(BIO_write(cert, data2, sizeof(data2)), sizeof(data2)); + ExpectNull(info_stack = PEM_X509_INFO_read_bio(cert, NULL, NULL, NULL)); + sk_X509_INFO_pop_free(info_stack, X509_INFO_free); + BIO_free(cert); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_PEM_X509_INFO_read_bio(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_ALL) && !defined(NO_FILESYSTEM) && !defined(NO_RSA) && \ + !defined(NO_BIO) + BIO* bio = NULL; + X509_INFO* info = NULL; + STACK_OF(X509_INFO)* sk = NULL; + STACK_OF(X509_INFO)* sk2 = NULL; + char* subject = NULL; + char exp1[] = "/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/" + "CN=www.wolfssl.com/emailAddress=info@wolfssl.com"; + char exp2[] = "/C=US/ST=Montana/L=Bozeman/O=wolfSSL/OU=Support/" + "CN=www.wolfssl.com/emailAddress=info@wolfssl.com"; + + ExpectNotNull(bio = BIO_new(BIO_s_file())); + ExpectIntGT(BIO_read_filename(bio, svrCertFile), 0); + ExpectNotNull(sk = PEM_X509_INFO_read_bio(bio, NULL, NULL, NULL)); + ExpectIntEQ(sk_X509_INFO_num(sk), 2); + + /* using dereference to maintain testing for Apache port*/ + ExpectNull(sk_X509_INFO_pop(NULL)); + ExpectNotNull(info = sk_X509_INFO_pop(sk)); + ExpectNotNull(subject = X509_NAME_oneline(X509_get_subject_name(info->x509), + 0, 0)); + + ExpectIntEQ(0, XSTRNCMP(subject, exp1, sizeof(exp1))); + XFREE(subject, 0, DYNAMIC_TYPE_OPENSSL); + subject = NULL; + X509_INFO_free(info); + info = NULL; + + ExpectNotNull(info = sk_X509_INFO_pop(sk)); + ExpectNotNull(subject = X509_NAME_oneline(X509_get_subject_name(info->x509), + 0, 0)); + + ExpectIntEQ(0, XSTRNCMP(subject, exp2, sizeof(exp2))); + XFREE(subject, 0, DYNAMIC_TYPE_OPENSSL); + subject 
= NULL; + X509_INFO_free(info); + ExpectNull(info = sk_X509_INFO_pop(sk)); + + sk_X509_INFO_pop_free(sk, X509_INFO_free); + sk = NULL; + BIO_free(bio); + bio = NULL; + + ExpectNotNull(sk = wolfSSL_sk_X509_INFO_new_null()); + ExpectNotNull(bio = BIO_new(BIO_s_file())); + ExpectIntGT(BIO_read_filename(bio, svrCertFile), 0); + ExpectNotNull(sk2 = PEM_X509_INFO_read_bio(bio, sk, NULL, NULL)); + ExpectPtrEq(sk, sk2); + if (sk2 != sk) { + sk_X509_INFO_pop_free(sk, X509_INFO_free); + } + sk = NULL; + BIO_free(bio); + sk_X509_INFO_pop_free(sk2, X509_INFO_free); + + ExpectNotNull(sk = wolfSSL_sk_X509_INFO_new_null()); + sk_X509_INFO_free(sk); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_PEM_X509_INFO_read(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_ALL) && !defined(NO_FILESYSTEM) && !defined(NO_RSA) && \ + !defined(NO_BIO) + XFILE fp = XBADFILE; + STACK_OF(X509_INFO)* sk = NULL; + + ExpectTrue((fp = XFOPEN(svrCertFile, "rb")) != XBADFILE); + ExpectNull(wolfSSL_PEM_X509_INFO_read(XBADFILE, NULL, NULL, NULL)); + ExpectNotNull(sk = wolfSSL_PEM_X509_INFO_read(fp, NULL, NULL, NULL)); + + sk_X509_INFO_pop_free(sk, X509_INFO_free); + if (fp != XBADFILE) + XFCLOSE(fp); +#endif + return EXPECT_RESULT(); +} + diff --git a/tests/api/test_ossl_x509_info.h b/tests/api/test_ossl_x509_info.h new file mode 100644 index 00000000000..16c17fcd4aa --- /dev/null +++ b/tests/api/test_ossl_x509_info.h 
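Review bot: The two negative cases in test_wolfSSL_X509_INFO are documented only as `PEM in hex format to avoid null terminator`, which explains the encoding of the fixture but not what makes each input invalid, so a maintainer cannot tell whether a later ExpectNull failure is a parser regression or a fixture that was "tidied up" into valid PEM. Decoding the bytes, `data` is `---------BEGIN CERTc-----` (nine leading dashes, unknown type) with a type-less `-----END -----` footer, and `data2` is an `ASN1 OID: prime256v1` preamble followed by `-----BEGIN EC PARAMETERS----Certi-` (truncated dash run) and a bare `-----` footer; I would say so at the declarations, e.g. `/* Malformed PEM: bad BEGIN dash count / unknown type and a type-less END line; must be rejected */` and `/* Malformed PEM: EC PARAMETERS header with truncated dash run and no END line; must be rejected */`. The same applies to the `This needs to be the order as svrCertFile contains the intermediate cert as well` note in test_wolfSSL_X509_INFO_multiple_info, which would be clearer as `/* key must precede its cert so PEM_X509_INFO_read_bio pairs them; svrCertFile also carries the intermediate, which gets its own key-less entry (hence 3 below) */`.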
@@ -0,0 +1,38 @@
+/* test_ossl_x509_info.h
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#ifndef WOLFCRYPT_TEST_OSSL_X509_INFO_H
+#define WOLFCRYPT_TEST_OSSL_X509_INFO_H
+
+#include
+
+int test_wolfSSL_X509_INFO_multiple_info(void);
+int test_wolfSSL_X509_INFO(void);
+int test_wolfSSL_PEM_X509_INFO_read_bio(void);
+int test_wolfSSL_PEM_X509_INFO_read(void);
+
+#define TEST_OSSL_X509_INFO_DECLS \
+ TEST_DECL_GROUP("ossl_x509_info", test_wolfSSL_X509_INFO_multiple_info), \
+ TEST_DECL_GROUP("ossl_x509_info", test_wolfSSL_X509_INFO), \
+ TEST_DECL_GROUP("ossl_x509_info", test_wolfSSL_PEM_X509_INFO_read_bio), \
+ TEST_DECL_GROUP("ossl_x509_info", test_wolfSSL_PEM_X509_INFO_read)
+
+#endif /* WOLFCRYPT_TEST_OSSL_X509_INFO_H */
diff --git a/tests/api/test_ossl_x509_io.c b/tests/api/test_ossl_x509_io.c
new file mode 100644
index 00000000000..70c0f68436e
--- /dev/null
+++ b/tests/api/test_ossl_x509_io.c
@@ -0,0 +1,247 @@ +/* test_ossl_x509_io.c + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +#include + +#ifdef NO_INLINE + #include +#else + #define WOLFSSL_MISC_INCLUDED + #include +#endif + +#include +#include +#ifdef OPENSSL_EXTRA + #include +#endif +#include +#include + +int test_wolfSSL_i2d_X509(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && defined(USE_CERT_BUFFERS_2048) && !defined(NO_RSA) + const unsigned char* cert_buf = server_cert_der_2048; + unsigned char* out = NULL; + unsigned char* tmp = NULL; + const unsigned char* nullPtr = NULL; + const unsigned char notCert[2] = { 0x30, 0x00 }; + const unsigned char* notCertPtr = notCert; + X509* cert = NULL; + + ExpectNull(d2i_X509(NULL, NULL, sizeof_server_cert_der_2048)); + ExpectNull(d2i_X509(NULL, &nullPtr, sizeof_server_cert_der_2048)); + ExpectNull(d2i_X509(NULL, &cert_buf, 0)); + ExpectNull(d2i_X509(NULL, ¬CertPtr, sizeof(notCert))); + ExpectNotNull(d2i_X509(&cert, &cert_buf, sizeof_server_cert_der_2048)); + /* Pointer should be advanced */ + ExpectPtrGT(cert_buf, server_cert_der_2048); + ExpectIntGT(i2d_X509(cert, &out), 0); + ExpectNotNull(out); + tmp = out; + ExpectIntGT(i2d_X509(cert, &tmp), 0); + ExpectPtrGT(tmp, out); +#if 
defined(WOLFSSL_CERT_GEN) && !defined(NO_BIO) && !defined(NO_FILESYSTEM) + ExpectIntEQ(wolfSSL_PEM_write_X509(XBADFILE, NULL), 0); + ExpectIntEQ(wolfSSL_PEM_write_X509(XBADFILE, cert), 0); + ExpectIntEQ(wolfSSL_PEM_write_X509(stderr, cert), 1); +#endif + + XFREE(out, NULL, DYNAMIC_TYPE_OPENSSL); + X509_free(cert); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_PEM_read_X509(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && defined(HAVE_CRL) && !defined(NO_FILESYSTEM) && \ + !defined(NO_RSA) + X509 *x509 = NULL; + XFILE fp = XBADFILE; + + ExpectTrue((fp = XFOPEN(svrCertFile, "rb")) != XBADFILE); + ExpectNotNull(x509 = (X509 *)PEM_read_X509(fp, (X509 **)NULL, NULL, NULL)); + X509_free(x509); + if (fp != XBADFILE) + XFCLOSE(fp); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_PEM_write_bio_X509(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && defined(OPENSSL_ALL) && \ + defined(WOLFSSL_AKID_NAME) && defined(WOLFSSL_CERT_EXT) && \ + defined(WOLFSSL_CERT_GEN) && !defined(NO_BIO) && !defined(NO_RSA) && \ + !defined(NO_FILESYSTEM) + /* This test contains the hard coded expected + * lengths. 
Update if necessary */ + XFILE fp = XBADFILE; + WOLFSSL_EVP_PKEY *priv = NULL; + + BIO* input = NULL; + BIO* output = NULL; + X509* x509a = NULL; + X509* x509b = NULL; + X509* empty = NULL; + + ASN1_TIME* notBeforeA = NULL; + ASN1_TIME* notAfterA = NULL; +#ifndef NO_ASN_TIME + ASN1_TIME* notBeforeB = NULL; + ASN1_TIME* notAfterB = NULL; +#endif + int expectedLen; + + ExpectTrue((fp = XFOPEN("certs/server-key.pem", "rb")) != XBADFILE); + ExpectNotNull(priv = wolfSSL_PEM_read_PrivateKey(fp, NULL, NULL, NULL)); + if (fp != XBADFILE) { + XFCLOSE(fp); + fp = XBADFILE; + } + + ExpectNotNull(input = BIO_new_file("certs/test/cert-ext-multiple.pem", + "rb")); + ExpectIntEQ(wolfSSL_BIO_get_len(input), 2000); + + /* read PEM into X509 struct, get notBefore / notAfter to verify against */ + ExpectNotNull(PEM_read_bio_X509(input, &x509a, NULL, NULL)); + ExpectNotNull(notBeforeA = X509_get_notBefore(x509a)); + ExpectNotNull(notAfterA = X509_get_notAfter(x509a)); + + /* write X509 back to PEM BIO; no need to sign as nothing changed. */ + ExpectNotNull(output = BIO_new(wolfSSL_BIO_s_mem())); + ExpectNotNull(empty = wolfSSL_X509_new()); + ExpectIntEQ(PEM_write_bio_X509(NULL, NULL), WOLFSSL_FAILURE); + ExpectIntEQ(PEM_write_bio_X509(output, NULL), WOLFSSL_FAILURE); + ExpectIntEQ(PEM_write_bio_X509(NULL, x509a), WOLFSSL_FAILURE); + ExpectIntEQ(PEM_write_bio_X509(output, empty), WOLFSSL_FAILURE); + ExpectIntEQ(PEM_write_bio_X509(output, x509a), WOLFSSL_SUCCESS); + /* compare length against expected */ + expectedLen = 2000; + ExpectIntEQ(wolfSSL_BIO_get_len(output), expectedLen); + wolfSSL_X509_free(empty); + +#ifndef NO_ASN_TIME + /* read exported X509 PEM back into struct, sanity check on export, + * make sure notBefore/notAfter are the same and certs are identical. 
*/ + ExpectNotNull(PEM_read_bio_X509(output, &x509b, NULL, NULL)); + ExpectNotNull(notBeforeB = X509_get_notBefore(x509b)); + ExpectNotNull(notAfterB = X509_get_notAfter(x509b)); + ExpectIntEQ(ASN1_TIME_compare(notBeforeA, notBeforeB), 0); + ExpectIntEQ(ASN1_TIME_compare(notAfterA, notAfterB), 0); + ExpectIntEQ(0, wolfSSL_X509_cmp(x509a, x509b)); + X509_free(x509b); + x509b = NULL; +#endif + + /* Reset output buffer */ + BIO_free(output); + output = NULL; + ExpectNotNull(output = BIO_new(wolfSSL_BIO_s_mem())); + + /* Test forcing the AKID to be generated just from KeyIdentifier */ + if (EXPECT_SUCCESS() && x509a->authKeyIdSrc != NULL) { + XMEMMOVE(x509a->authKeyIdSrc, x509a->authKeyId, x509a->authKeyIdSz); + x509a->authKeyId = x509a->authKeyIdSrc; + x509a->authKeyIdSrc = NULL; + x509a->authKeyIdSrcSz = 0; + } + + /* Resign to re-generate the der */ + ExpectIntGT(wolfSSL_X509_sign(x509a, priv, EVP_sha256()), 0); + + ExpectIntEQ(PEM_write_bio_X509(output, x509a), WOLFSSL_SUCCESS); + + /* Check that we generate a smaller output since the AKID will + * only contain the KeyIdentifier without any additional + * information */ + + /* Here we copy the validity struct from the original */ + expectedLen = 1688; + ExpectIntEQ(wolfSSL_BIO_get_len(output), expectedLen); + + /* Reset buffers and x509 */ + BIO_free(input); + input = NULL; + BIO_free(output); + output = NULL; + X509_free(x509a); + x509a = NULL; + + /* test CA and basicConstSet values are encoded when + * the cert is a CA */ + ExpectNotNull(input = BIO_new_file("certs/server-cert.pem", "rb")); + + /* read PEM into X509 struct */ + ExpectNotNull(PEM_read_bio_X509(input, &x509a, NULL, NULL)); + + /* write X509 back to PEM BIO; no need to sign as nothing changed */ + ExpectNotNull(output = BIO_new(wolfSSL_BIO_s_mem())); + ExpectIntEQ(PEM_write_bio_X509(output, x509a), WOLFSSL_SUCCESS); + + /* read exported X509 PEM back into struct, ensure isCa and basicConstSet + * values are maintained and certs are identical.*/ + 
ExpectNotNull(PEM_read_bio_X509(output, &x509b, NULL, NULL)); + ExpectIntEQ(x509b->isCa, 1); + ExpectIntEQ(x509b->basicConstSet, 1); + ExpectIntEQ(0, wolfSSL_X509_cmp(x509a, x509b)); + + X509_free(x509a); + x509a = NULL; + X509_free(x509b); + x509b = NULL; + BIO_free(input); + input = NULL; + BIO_free(output); + output = NULL; + + /* test CA and basicConstSet values are encoded when + * the cert is not CA */ + ExpectNotNull(input = BIO_new_file("certs/client-uri-cert.pem", "rb")); + + /* read PEM into X509 struct */ + ExpectNotNull(PEM_read_bio_X509(input, &x509a, NULL, NULL)); + + /* write X509 back to PEM BIO; no need to sign as nothing changed */ + ExpectNotNull(output = BIO_new(wolfSSL_BIO_s_mem())); + ExpectIntEQ(PEM_write_bio_X509(output, x509a), WOLFSSL_SUCCESS); + + /* read exported X509 PEM back into struct, ensure isCa and + * basicConstSet values are maintained and certs are identical */ + ExpectNotNull(PEM_read_bio_X509(output, &x509b, NULL, NULL)); + ExpectIntEQ(x509b->isCa, 0); + ExpectIntEQ(x509b->basicConstSet, 1); + ExpectIntEQ(0, wolfSSL_X509_cmp(x509a, x509b)); + + wolfSSL_EVP_PKEY_free(priv); + X509_free(x509a); + X509_free(x509b); + BIO_free(input); + BIO_free(output); +#endif + return EXPECT_RESULT(); +} + diff --git a/tests/api/test_ossl_x509_io.h b/tests/api/test_ossl_x509_io.h new file mode 100644 index 00000000000..93e9f90ac4c --- /dev/null +++ b/tests/api/test_ossl_x509_io.h 
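Review bot: In test_wolfSSL_i2d_X509 the second `i2d_X509(cert, &tmp)` writes into the buffer the first call allocated, but the two calls are never tied together: the first length is discarded and the only check afterwards is `ExpectPtrGT(tmp, out)`, so an encoder that returned a longer length on the second pass (overrunning `out`) or advanced the pointer by the wrong amount would still pass. Keep the first return in an `int len` local and pin both contracts: `ExpectIntGT(len = i2d_X509(cert, &out), 0);`, then `ExpectIntEQ(i2d_X509(cert, &tmp), len);` and `ExpectPtrEq(tmp, out + len);`. Separately, the `¬CertPtr` token in the fourth d2i_X509 call reads like an encoding artifact of `&notCertPtr` in this rendering; worth confirming against the committed source. Writing a full PEM certificate to stderr via `wolfSSL_PEM_write_X509(stderr, cert)` also adds noise to every test run; a memory BIO or a file under the test's temp directory would exercise the same path quietly.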
@@ -0,0 +1,36 @@
+/* test_ossl_x509_io.h
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#ifndef WOLFCRYPT_TEST_OSSL_X509_IO_H
+#define WOLFCRYPT_TEST_OSSL_X509_IO_H
+
+#include
+
+int test_wolfSSL_i2d_X509(void);
+int test_wolfSSL_PEM_read_X509(void);
+int test_wolfSSL_PEM_write_bio_X509(void);
+
+#define TEST_OSSL_X509_IO_DECLS \
+ TEST_DECL_GROUP("ossl_x509_io", test_wolfSSL_i2d_X509), \
+ TEST_DECL_GROUP("ossl_x509_io", test_wolfSSL_PEM_read_X509), \
+ TEST_DECL_GROUP("ossl_x509_io", test_wolfSSL_PEM_write_bio_X509)
+
+#endif /* WOLFCRYPT_TEST_OSSL_X509_IO_H */
diff --git a/tests/api/test_ossl_x509_lu.c b/tests/api/test_ossl_x509_lu.c
new file mode 100644
index 00000000000..0b9aa42d450
--- /dev/null
+++ b/tests/api/test_ossl_x509_lu.c
@@ -0,0 +1,518 @@ +/* test_ossl_x509_lu.c + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +#include + +#ifdef NO_INLINE + #include +#else + #define WOLFSSL_MISC_INCLUDED + #include +#endif + +#include +#include +#include + +int test_wolfSSL_X509_LOOKUP_load_file(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && defined(HAVE_CRL) && \ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) && defined(HAVE_ECC) && \ + (!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)) + WOLFSSL_X509_STORE* store = NULL; + WOLFSSL_X509_LOOKUP* lookup = NULL; + + ExpectNotNull(store = wolfSSL_X509_STORE_new()); + ExpectNotNull(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file())); + /* One RSA and one ECC certificate in file. 
*/ + ExpectIntEQ(wolfSSL_X509_LOOKUP_load_file(lookup, "certs/client-ca.pem", + X509_FILETYPE_PEM), 1); + ExpectIntEQ(wolfSSL_X509_LOOKUP_load_file(lookup, "certs/crl/crl2.pem", + X509_FILETYPE_PEM), 1); + + if (store != NULL) { + ExpectIntEQ(wolfSSL_CertManagerVerify(store->cm, cliCertFile, + WOLFSSL_FILETYPE_PEM), 1); + ExpectIntEQ(wolfSSL_CertManagerVerify(store->cm, svrCertFile, + WOLFSSL_FILETYPE_PEM), WC_NO_ERR_TRACE(ASN_NO_SIGNER_E)); + } + ExpectIntEQ(wolfSSL_X509_LOOKUP_load_file(lookup, "certs/ca-cert.pem", + X509_FILETYPE_PEM), 1); + if (store != NULL) { + ExpectIntEQ(wolfSSL_CertManagerVerify(store->cm, svrCertFile, + WOLFSSL_FILETYPE_PEM), 1); + } + + wolfSSL_X509_STORE_free(store); +#endif /* defined(OPENSSL_EXTRA) && defined(HAVE_CRL) && + * !defined(NO_FILESYSTEM) && !defined(NO_RSA) */ + return EXPECT_RESULT(); +} + +int test_wolfSSL_X509_LOOKUP_ctrl_file(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_ALL) && !defined(NO_CERTS) && \ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) && \ + defined(WOLFSSL_SIGNER_DER_CERT) + X509_STORE_CTX* ctx = NULL; + X509_STORE* str = NULL; + X509_LOOKUP* lookup = NULL; + + X509* cert1 = NULL; + X509* x509Ca = NULL; + X509* x509Svr = NULL; + X509* issuer = NULL; + + WOLFSSL_STACK* sk = NULL; + X509_NAME* caName = NULL; + X509_NAME* issuerName = NULL; + + XFILE file1 = XBADFILE; + int i; + int cert_count = 0; + int cmp; + + char der[] = "certs/ca-cert.der"; + +#ifdef HAVE_CRL + char pem[][100] = { + "./certs/crl/crl.pem", + "./certs/crl/crl2.pem", + "./certs/crl/caEccCrl.pem", + "./certs/crl/eccCliCRL.pem", + "./certs/crl/eccSrvCRL.pem", + "" + }; +#endif + ExpectTrue((file1 = XFOPEN("./certs/ca-cert.pem", "rb")) != XBADFILE); + ExpectNotNull(cert1 = wolfSSL_PEM_read_X509(file1, NULL, NULL, NULL)); + if (file1 != XBADFILE) + XFCLOSE(file1); + + ExpectNotNull(ctx = X509_STORE_CTX_new()); + ExpectNotNull((str = wolfSSL_X509_STORE_new())); + ExpectNotNull(lookup = X509_STORE_add_lookup(str, X509_LOOKUP_file())); + 
ExpectIntEQ(wolfSSL_X509_load_cert_crl_file(NULL, NULL, + WOLFSSL_FILETYPE_PEM), 0); + ExpectIntEQ(wolfSSL_X509_load_cert_crl_file(lookup, NULL, + WOLFSSL_FILETYPE_PEM), 0); + ExpectIntEQ(wolfSSL_X509_load_cert_crl_file(NULL, caCertFile, + WOLFSSL_FILETYPE_PEM), 0); + ExpectIntEQ(wolfSSL_X509_load_cert_crl_file(NULL, der , + WOLFSSL_FILETYPE_PEM), 0); + ExpectIntEQ(X509_LOOKUP_ctrl(lookup, X509_L_FILE_LOAD, caCertFile, + SSL_FILETYPE_PEM,NULL), 1); + ExpectNotNull(sk = wolfSSL_CertManagerGetCerts(str->cm)); + ExpectIntEQ((cert_count = sk_X509_num(sk)), 1); + + /* check if CA cert is loaded into the store */ + for (i = 0; i < cert_count; i++) { + x509Ca = sk_X509_value(sk, i); + ExpectIntEQ(0, wolfSSL_X509_cmp(x509Ca, cert1)); + } + + ExpectNotNull((x509Svr = + wolfSSL_X509_load_certificate_file(svrCertFile, SSL_FILETYPE_PEM))); + + ExpectIntEQ(X509_STORE_CTX_init(ctx, str, x509Svr, NULL), SSL_SUCCESS); + + ExpectNull(X509_STORE_CTX_get0_current_issuer(NULL)); + issuer = X509_STORE_CTX_get0_current_issuer(ctx); + ExpectNull(issuer); + + ExpectIntEQ(X509_verify_cert(ctx), 1); + + issuer = X509_STORE_CTX_get0_current_issuer(ctx); + ExpectNotNull(issuer); + caName = X509_get_subject_name(x509Ca); + ExpectNotNull(caName); + issuerName = X509_get_subject_name(issuer); + ExpectNotNull(issuerName); + cmp = X509_NAME_cmp(caName, issuerName); + ExpectIntEQ(cmp, 0); + /* load der format */ + issuer = NULL; + X509_STORE_CTX_free(ctx); + ctx = NULL; + X509_STORE_free(str); + str = NULL; + sk_X509_pop_free(sk, NULL); + sk = NULL; + X509_free(x509Svr); + x509Svr = NULL; + + ExpectNotNull((str = wolfSSL_X509_STORE_new())); + ExpectNotNull(lookup = X509_STORE_add_lookup(str, X509_LOOKUP_file())); + ExpectIntEQ(X509_LOOKUP_ctrl(lookup, X509_L_FILE_LOAD, der, + SSL_FILETYPE_ASN1,NULL), 1); + ExpectNotNull(sk = wolfSSL_CertManagerGetCerts(str->cm)); + ExpectIntEQ((cert_count = sk_X509_num(sk)), 1); + /* check if CA cert is loaded into the store */ + for (i = 0; i < cert_count; i++) { 
+ x509Ca = sk_X509_value(sk, i); + ExpectIntEQ(0, wolfSSL_X509_cmp(x509Ca, cert1)); + } + + X509_STORE_free(str); + str = NULL; + sk_X509_pop_free(sk, NULL); + sk = NULL; + X509_free(cert1); + cert1 = NULL; + +#ifdef HAVE_CRL + ExpectNotNull(str = wolfSSL_X509_STORE_new()); + ExpectNotNull(lookup = X509_STORE_add_lookup(str, X509_LOOKUP_file())); + ExpectIntEQ(X509_LOOKUP_ctrl(lookup, X509_L_FILE_LOAD, caCertFile, + SSL_FILETYPE_PEM,NULL), 1); + ExpectIntEQ(X509_LOOKUP_ctrl(lookup, X509_L_FILE_LOAD, + "certs/server-revoked-cert.pem", + SSL_FILETYPE_PEM,NULL), 1); + if (str) { + ExpectIntEQ(wolfSSL_CertManagerVerify(str->cm, svrCertFile, + WOLFSSL_FILETYPE_PEM), 1); + /* since store hasn't yet known the revoked cert*/ + ExpectIntEQ(wolfSSL_CertManagerVerify(str->cm, + "certs/server-revoked-cert.pem", + WOLFSSL_FILETYPE_PEM), 1); + } + for (i = 0; pem[i][0] != '\0'; i++) + { + ExpectIntEQ(X509_LOOKUP_ctrl(lookup, X509_L_FILE_LOAD, pem[i], + SSL_FILETYPE_PEM, NULL), 1); + } + + if (str) { + /* since store knows crl list */ + ExpectIntEQ(wolfSSL_CertManagerVerify(str->cm, + "certs/server-revoked-cert.pem", + WOLFSSL_FILETYPE_PEM ), WC_NO_ERR_TRACE(CRL_CERT_REVOKED)); + } + + ExpectIntEQ(X509_LOOKUP_ctrl(NULL, 0, NULL, 0, NULL), 0); + X509_STORE_free(str); +#endif +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_X509_LOOKUP_ctrl_hash_dir(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_ALL) && !defined(NO_FILESYSTEM) && !defined(NO_WOLFSSL_DIR) + const int MAX_DIR = 4; + const char paths[][32] = { + "./certs/ed25519", + "./certs/ecc", + "./certs/crl", + "./certs/", + }; + + char CertCrl_path[MAX_FILENAME_SZ]; + char *p; + X509_STORE* str = NULL; + X509_LOOKUP* lookup = NULL; + WOLFSSL_STACK* sk = NULL; + int len, total_len, i; + + (void)sk; + + XMEMSET(CertCrl_path, 0, MAX_FILENAME_SZ); + + /* illegal string */ + ExpectNotNull((str = wolfSSL_X509_STORE_new())); + ExpectNotNull(lookup = X509_STORE_add_lookup(str, X509_LOOKUP_file())); + 
ExpectIntEQ(X509_LOOKUP_ctrl(lookup, X509_L_ADD_DIR, "", + SSL_FILETYPE_PEM, NULL), 0); + ExpectIntEQ(X509_LOOKUP_ctrl(lookup, X509_L_ADD_STORE, "", + SSL_FILETYPE_PEM, NULL), WOLFSSL_NOT_IMPLEMENTED); + ExpectIntEQ(X509_LOOKUP_ctrl(lookup, X509_L_LOAD_STORE, "", + SSL_FILETYPE_PEM, NULL), WOLFSSL_NOT_IMPLEMENTED); + ExpectIntEQ(X509_LOOKUP_ctrl(lookup, 0, "", + SSL_FILETYPE_PEM, NULL), WOLFSSL_FAILURE); + + /* free store */ + X509_STORE_free(str); + str = NULL; + + /* short folder string */ + ExpectNotNull((str = wolfSSL_X509_STORE_new())); + ExpectNotNull(lookup = X509_STORE_add_lookup(str, X509_LOOKUP_file())); + ExpectIntEQ(X509_LOOKUP_ctrl(lookup, X509_L_ADD_DIR, "./", + SSL_FILETYPE_PEM,NULL), 1); + #if defined(WOLFSSL_INT_H) + /* only available when including internal.h */ + ExpectNotNull(sk = lookup->dirs->dir_entry); + #endif + /* free store */ + X509_STORE_free(str); + str = NULL; + + /* typical function check */ + p = &CertCrl_path[0]; + total_len = 0; + + for (i = MAX_DIR - 1; i>=0 && total_len < MAX_FILENAME_SZ; i--) { + len = (int)XSTRLEN((const char*)&paths[i]); + total_len += len; + XSTRNCPY(p, paths[i], MAX_FILENAME_SZ - total_len); + p += len; + if (i != 0) *(p++) = SEPARATOR_CHAR; + } + + ExpectNotNull((str = wolfSSL_X509_STORE_new())); + ExpectNotNull(lookup = X509_STORE_add_lookup(str, X509_LOOKUP_file())); + ExpectIntEQ(X509_LOOKUP_ctrl(lookup, X509_L_ADD_DIR, CertCrl_path, + SSL_FILETYPE_PEM,NULL), 1); + #if defined(WOLFSSL_INT_H) + /* only available when including internal.h */ + ExpectNotNull(sk = lookup->dirs->dir_entry); + #endif + + X509_STORE_free(str); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_X509_load_crl_file(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && defined(HAVE_CRL) && !defined(NO_FILESYSTEM) && \ + !defined(NO_STDIO_FILESYSTEM) && !defined(NO_RSA) && !defined(NO_BIO) && \ + !defined(WOLFSSL_CRL_ALLOW_MISSING_CDP) + int i; + char pem[][100] = { + "./certs/crl/crl.pem", + "./certs/crl/crl2.pem", + 
"./certs/crl/caEccCrl.pem", + "./certs/crl/eccCliCRL.pem", + "./certs/crl/eccSrvCRL.pem", + #ifdef WC_RSA_PSS + "./certs/crl/crl_rsapss.pem", + #endif + "" + }; + char der[][100] = { + "./certs/crl/crl.der", + "./certs/crl/crl2.der", + "" + }; + WOLFSSL_X509_STORE* store = NULL; + WOLFSSL_X509_LOOKUP* lookup = NULL; + + ExpectNotNull(store = wolfSSL_X509_STORE_new()); + ExpectNotNull(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file())); + + ExpectIntEQ(X509_LOOKUP_load_file(lookup, "certs/ca-cert.pem", + X509_FILETYPE_PEM), 1); +#ifdef WC_RSA_PSS + ExpectIntEQ(X509_LOOKUP_load_file(lookup, "certs/rsapss/ca-rsapss.pem", + X509_FILETYPE_PEM), 1); +#endif + ExpectIntEQ(X509_LOOKUP_load_file(lookup, "certs/server-revoked-cert.pem", + X509_FILETYPE_PEM), 1); + if (store) { + ExpectIntEQ(wolfSSL_CertManagerVerify(store->cm, svrCertFile, + WOLFSSL_FILETYPE_PEM), 1); + /* since store hasn't yet known the revoked cert*/ + ExpectIntEQ(wolfSSL_CertManagerVerify(store->cm, + "certs/server-revoked-cert.pem", WOLFSSL_FILETYPE_PEM), 1); + } + + ExpectIntEQ(X509_load_crl_file(lookup, pem[0], 0), 0); + for (i = 0; pem[i][0] != '\0'; i++) { + ExpectIntEQ(X509_load_crl_file(lookup, pem[i], WOLFSSL_FILETYPE_PEM), + 1); + } + + if (store) { + /* since store knows crl list */ + ExpectIntEQ(wolfSSL_CertManagerVerify(store->cm, + "certs/server-revoked-cert.pem", WOLFSSL_FILETYPE_PEM), + WC_NO_ERR_TRACE(CRL_CERT_REVOKED)); +#ifdef WC_RSA_PSS + ExpectIntEQ(wolfSSL_CertManagerVerify(store->cm, + "certs/rsapss/server-rsapss-cert.pem", WOLFSSL_FILETYPE_PEM), + WC_NO_ERR_TRACE(ASN_NO_SIGNER_E)); +#endif + } + /* once feeing store */ + X509_STORE_free(store); + store = NULL; + + ExpectNotNull(store = wolfSSL_X509_STORE_new()); + ExpectNotNull(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file())); + + ExpectIntEQ(X509_LOOKUP_load_file(lookup, "certs/ca-cert.pem", + X509_FILETYPE_PEM), 1); + ExpectIntEQ(X509_LOOKUP_load_file(lookup, "certs/server-revoked-cert.pem", + X509_FILETYPE_PEM), 
1); + if (store) { + ExpectIntEQ(wolfSSL_CertManagerVerify(store->cm, svrCertFile, + WOLFSSL_FILETYPE_PEM), 1); + /* since store hasn't yet known the revoked cert*/ + ExpectIntEQ(wolfSSL_CertManagerVerify(store->cm, + "certs/server-revoked-cert.pem", WOLFSSL_FILETYPE_PEM), 1); + } + + for (i = 0; der[i][0] != '\0'; i++) { + ExpectIntEQ(X509_load_crl_file(lookup, der[i], WOLFSSL_FILETYPE_ASN1), + 1); + } + + if (store) { + /* since store knows crl list */ + ExpectIntEQ(wolfSSL_CertManagerVerify(store->cm, + "certs/server-revoked-cert.pem", WOLFSSL_FILETYPE_PEM), + WC_NO_ERR_TRACE(CRL_CERT_REVOKED)); + } + + /* test for incorrect parameter */ + ExpectIntEQ(X509_load_crl_file(NULL, pem[0], 0), 0); + ExpectIntEQ(X509_load_crl_file(lookup, NULL, 0), 0); + ExpectIntEQ(X509_load_crl_file(NULL, NULL, 0), 0); + + X509_STORE_free(store); + store = NULL; +#endif + return EXPECT_RESULT(); +} + +int test_X509_LOOKUP_add_dir(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_ALL) && defined(WOLFSSL_CERT_GEN) && \ + (defined(WOLFSSL_CERT_REQ) || defined(WOLFSSL_CERT_EXT)) && \ + !defined(NO_FILESYSTEM) && !defined(NO_WOLFSSL_DIR) && \ + (defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)) && \ + defined(HAVE_CRL) && !defined(NO_RSA) + + X509_STORE * store = NULL; + X509_STORE_CTX * storeCtx = NULL; + X509_CRL * crl = NULL; + X509 * ca = NULL; + X509 * cert = NULL; + const char cliCrlPem[] = "./certs/crl/cliCrl.pem"; + const char srvCert[] = "./certs/server-cert.pem"; + const char caCert[] = "./certs/ca-cert.pem"; + const char caDir[] = "./certs/crl/hash_der"; + XFILE fp = XBADFILE; + X509_LOOKUP * lookup = NULL; + + ExpectNotNull(store = (X509_STORE *)X509_STORE_new()); + + /* Set up store with CA */ + ExpectNotNull((ca = wolfSSL_X509_load_certificate_file(caCert, + SSL_FILETYPE_PEM))); + ExpectIntEQ(X509_STORE_add_cert(store, ca), SSL_SUCCESS); + + /* Add CRL lookup directory to store. 
+ * Test uses ./certs/crl/hash_der/0fdb2da4.r0, which is a copy + * of crl.der */ + ExpectNotNull((lookup = X509_STORE_add_lookup(store, + X509_LOOKUP_hash_dir()))); + + ExpectIntEQ(X509_LOOKUP_add_dir(lookup, caDir, X509_FILETYPE_ASN1), + SSL_SUCCESS); + + ExpectIntEQ(X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK), + SSL_SUCCESS); + + /* Add CRL to store NOT containing the verified certificate, which + * forces use of the CRL lookup directory */ + ExpectTrue((fp = XFOPEN(cliCrlPem, "rb")) != XBADFILE); + ExpectNotNull(crl = (X509_CRL *)PEM_read_X509_CRL(fp, (X509_CRL **)NULL, + NULL, NULL)); + if (fp != XBADFILE) { + XFCLOSE(fp); + fp = XBADFILE; + } + ExpectIntEQ(X509_STORE_add_crl(store, crl), SSL_SUCCESS); + + /* Create verification context outside of an SSL session */ + ExpectNotNull((storeCtx = X509_STORE_CTX_new())); + ExpectNotNull((cert = wolfSSL_X509_load_certificate_file(srvCert, + SSL_FILETYPE_PEM))); + ExpectIntEQ(X509_STORE_CTX_init(storeCtx, store, cert, NULL), SSL_SUCCESS); + + /* Perform verification, which should NOT return CRL missing */ + ExpectIntNE(X509_verify_cert(storeCtx), WC_NO_ERR_TRACE(CRL_MISSING)); + + X509_CRL_free(crl); + crl = NULL; + X509_STORE_free(store); + store = NULL; + X509_STORE_CTX_free(storeCtx); + storeCtx = NULL; + X509_free(cert); + cert = NULL; + X509_free(ca); + ca = NULL; + + /* Now repeat the same, but look for X509_FILETYPE_PEM. + * We should get CRL_MISSING at the end, because the lookup + * dir has only ASN1 CRLs. 
*/ + + ExpectNotNull(store = (X509_STORE *)X509_STORE_new()); + + ExpectNotNull((ca = wolfSSL_X509_load_certificate_file(caCert, + SSL_FILETYPE_PEM))); + ExpectIntEQ(X509_STORE_add_cert(store, ca), SSL_SUCCESS); + + ExpectNotNull((lookup = X509_STORE_add_lookup(store, + X509_LOOKUP_hash_dir()))); + + ExpectIntEQ(X509_LOOKUP_add_dir(lookup, caDir, X509_FILETYPE_PEM), + SSL_SUCCESS); + + ExpectIntEQ(X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK), + SSL_SUCCESS); + ExpectTrue((fp = XFOPEN(cliCrlPem, "rb")) != XBADFILE); + ExpectNotNull(crl = (X509_CRL *)PEM_read_X509_CRL(fp, (X509_CRL **)NULL, + NULL, NULL)); + if (fp != XBADFILE) { + XFCLOSE(fp); + fp = XBADFILE; + } + ExpectIntEQ(X509_STORE_add_crl(store, crl), SSL_SUCCESS); + + ExpectNotNull((storeCtx = X509_STORE_CTX_new())); + ExpectNotNull((cert = wolfSSL_X509_load_certificate_file(srvCert, + SSL_FILETYPE_PEM))); + ExpectIntEQ(X509_STORE_CTX_init(storeCtx, store, cert, NULL), SSL_SUCCESS); + + /* Now we SHOULD get CRL_MISSING, because we looked for PEM + * in dir containing only ASN1/DER. */ + ExpectIntEQ(X509_verify_cert(storeCtx), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(X509_STORE_CTX_get_error(storeCtx), + X509_V_ERR_UNABLE_TO_GET_CRL); + + X509_CRL_free(crl); + X509_STORE_free(store); + X509_STORE_CTX_free(storeCtx); + X509_free(cert); + X509_free(ca); +#endif + return EXPECT_RESULT(); +} + diff --git a/tests/api/test_ossl_x509_lu.h b/tests/api/test_ossl_x509_lu.h new file mode 100644 index 00000000000..61e8454f982 --- /dev/null +++ b/tests/api/test_ossl_x509_lu.h 
@@ -0,0 +1,40 @@
+/* test_ossl_x509_lu.h
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#ifndef WOLFCRYPT_TEST_OSSL_X509_LU_H
+#define WOLFCRYPT_TEST_OSSL_X509_LU_H
+
+#include
+
+int test_wolfSSL_X509_LOOKUP_load_file(void);
+int test_wolfSSL_X509_LOOKUP_ctrl_file(void);
+int test_wolfSSL_X509_LOOKUP_ctrl_hash_dir(void);
+int test_wolfSSL_X509_load_crl_file(void);
+int test_X509_LOOKUP_add_dir(void);
+
+#define TEST_OSSL_X509_LOOKUP_DECLS \
+ TEST_DECL_GROUP("ossl_x509_lu", test_wolfSSL_X509_LOOKUP_load_file), \
+ TEST_DECL_GROUP("ossl_x509_lu", test_wolfSSL_X509_LOOKUP_ctrl_file), \
+ TEST_DECL_GROUP("ossl_x509_lu", test_wolfSSL_X509_LOOKUP_ctrl_hash_dir), \
+ TEST_DECL_GROUP("ossl_x509_lu", test_wolfSSL_X509_LOOKUP_ctrl_hash_dir), \
+ TEST_DECL_GROUP("ossl_x509_lu", test_X509_LOOKUP_add_dir)
+
+#endif /* WOLFCRYPT_TEST_OSSL_X509_LU_H */
diff --git a/tests/api/test_ossl_x509_name.c b/tests/api/test_ossl_x509_name.c
new file mode 100644
index 00000000000..2d4482f0dac
--- /dev/null
+++ b/tests/api/test_ossl_x509_name.c
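Review bot: The registration macro `TEST_OSSL_X509_LOOKUP_DECLS` lists `test_wolfSSL_X509_LOOKUP_ctrl_hash_dir` twice and never registers `test_wolfSSL_X509_load_crl_file`, although that function is declared a few lines above in the same header. As written, the test that loads CRLs through `X509_load_crl_file` and expects `CRL_CERT_REVOKED` for the revoked server certificate (its body appears earlier in this diff) is compiled but never run, so a regression in CRL-file revocation checking would pass unnoticed. Replace the duplicated fourth entry with `TEST_DECL_GROUP("ossl_x509_lu", test_wolfSSL_X509_load_crl_file), \`.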
@@ -0,0 +1,717 @@ +/* test_ossl_x509_name.c + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +#include + +#ifdef NO_INLINE + #include +#else + #define WOLFSSL_MISC_INCLUDED + #include +#endif + +#include +#include +#include +#include + +int test_wolfSSL_X509_NAME_get_entry(void) +{ + EXPECT_DECLS; +#if !defined(NO_CERTS) && !defined(NO_RSA) && !defined(NO_FILESYSTEM) +#if defined(OPENSSL_ALL) || \ + (defined(OPENSSL_EXTRA) && \ + (defined(KEEP_PEER_CERT) || defined(SESSION_CERTS))) + /* use openssl like name to test mapping */ + X509_NAME_ENTRY* ne = NULL; + X509_NAME* name = NULL; + X509* x509 = NULL; + ASN1_STRING* asn = NULL; + char* subCN = NULL; + int idx = 0; + ASN1_OBJECT *object = NULL; +#if defined(WOLFSSL_APACHE_HTTPD) || defined(OPENSSL_ALL) || \ + defined(WOLFSSL_NGINX) +#ifndef NO_BIO + BIO* bio = NULL; +#endif +#endif + + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFile, + WOLFSSL_FILETYPE_PEM)); + ExpectNotNull(name = X509_get_subject_name(x509)); + ExpectIntGE(idx = X509_NAME_get_index_by_NID(name, NID_commonName, -1), 0); + ExpectNotNull(ne = X509_NAME_get_entry(name, idx)); + ExpectNull(X509_NAME_ENTRY_get_data(NULL)); + ExpectNotNull(asn = X509_NAME_ENTRY_get_data(ne)); + 
ExpectNotNull(subCN = (char*)ASN1_STRING_data(asn)); + wolfSSL_FreeX509(x509); + x509 = NULL; + + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFile, + WOLFSSL_FILETYPE_PEM)); + ExpectNotNull(name = X509_get_subject_name(x509)); + ExpectIntGE(idx = X509_NAME_get_index_by_NID(name, NID_commonName, -1), 0); + +#if defined(WOLFSSL_APACHE_HTTPD) || defined(OPENSSL_ALL) || \ + defined(WOLFSSL_NGINX) +#ifndef NO_BIO + ExpectNotNull(bio = BIO_new(BIO_s_mem())); + ExpectIntEQ(X509_NAME_print_ex(bio, name, 4, + (XN_FLAG_RFC2253 & ~XN_FLAG_DN_REV)), WOLFSSL_SUCCESS); + ExpectIntEQ(X509_NAME_print_ex_fp(XBADFILE, name, 4, + (XN_FLAG_RFC2253 & ~XN_FLAG_DN_REV)), WOLFSSL_FAILURE); + ExpectIntEQ(X509_NAME_print_ex_fp(stderr, name, 4, + (XN_FLAG_RFC2253 & ~XN_FLAG_DN_REV)), WOLFSSL_SUCCESS); + BIO_free(bio); +#endif +#endif + + ExpectNotNull(ne = X509_NAME_get_entry(name, idx)); + ExpectNotNull(object = X509_NAME_ENTRY_get_object(ne)); + wolfSSL_FreeX509(x509); +#endif /* OPENSSL_ALL || (OPENSSL_EXTRA && (KEEP_PEER_CERT || SESSION_CERTS) */ +#endif /* !NO_CERTS && !NO_RSA && !NO_FILESYSTEM */ + + return EXPECT_RESULT(); +} + +int test_wolfSSL_X509_NAME(void) +{ + EXPECT_DECLS; +#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) && \ + !defined(NO_CERTS) && !defined(NO_FILESYSTEM) && \ + !defined(NO_RSA) && defined(WOLFSSL_CERT_GEN) && \ + (defined(WOLFSSL_CERT_REQ) || defined(WOLFSSL_CERT_EXT) || \ + defined(OPENSSL_EXTRA)) + X509* x509 = NULL; +#ifndef OPENSSL_EXTRA + const unsigned char* c = NULL; + int bytes = 0; +#endif + unsigned char buf[4096]; + XFILE f = XBADFILE; + const X509_NAME* a = NULL; + const X509_NAME* b = NULL; + X509_NAME* d2i_name = NULL; + int sz = 0; + unsigned char* tmp = NULL; + char file[] = "./certs/ca-cert.der"; +#ifndef OPENSSL_EXTRA_X509_SMALL + byte empty[] = { /* CN=empty emailAddress= */ + 0x30, 0x21, 0x31, 0x0E, 0x30, 0x0C, 0x06, 0x03, + 0x55, 0x04, 0x03, 0x0C, 0x05, 0x65, 0x6D, 0x70, + 0x74, 0x79, 0x31, 0x0F, 0x30, 
0x0D, 0x06, 0x09, + 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, + 0x01, 0x16, 0x00 + }; +#endif +#if defined(OPENSSL_EXTRA) && !defined(NO_PWDBASED) + byte digest[64]; /* max digest size */ + word32 digestSz; +#endif + +#ifndef OPENSSL_EXTRA_X509_SMALL + /* test compile of deprecated function, returns 0 */ + ExpectIntEQ(CRYPTO_thread_id(), 0); +#endif + + ExpectNotNull(a = X509_NAME_new()); + ExpectNotNull(b = X509_NAME_new()); +#ifndef OPENSSL_EXTRA_X509_SMALL + ExpectIntEQ(X509_NAME_cmp(a, b), 0); +#endif + X509_NAME_free((X509_NAME*)b); + X509_NAME_free((X509_NAME*)a); + a = NULL; + + ExpectTrue((f = XFOPEN(file, "rb")) != XBADFILE); +#ifndef OPENSSL_EXTRA + ExpectIntGT(bytes = (int)XFREAD(buf, 1, sizeof(buf), f), 0); + if (f != XBADFILE) + XFCLOSE(f); + + c = buf; + ExpectNotNull(x509 = wolfSSL_X509_d2i_ex(NULL, c, bytes, HEAP_HINT)); +#else + ExpectNull(wolfSSL_X509_d2i_fp(NULL, XBADFILE)); + ExpectNotNull(wolfSSL_X509_d2i_fp(&x509, f)); + if (f != XBADFILE) + XFCLOSE(f); +#endif + + /* test cmp function */ + ExpectNull(X509_get_issuer_name(NULL)); + ExpectNotNull(a = X509_get_issuer_name(x509)); + ExpectNull(X509_get_subject_name(NULL)); + ExpectNotNull(b = X509_get_subject_name(x509)); +#ifdef KEEP_PEER_CERT + ExpectNull(wolfSSL_X509_get_subjectCN(NULL)); + ExpectNotNull(wolfSSL_X509_get_subjectCN(x509)); +#endif + +#if defined(OPENSSL_EXTRA) + ExpectIntEQ(X509_check_issued(NULL, NULL), + WOLFSSL_X509_V_ERR_SUBJECT_ISSUER_MISMATCH); + ExpectIntEQ(X509_check_issued(x509, NULL), + WOLFSSL_X509_V_ERR_SUBJECT_ISSUER_MISMATCH); + ExpectIntEQ(X509_check_issued(NULL, x509), + WOLFSSL_X509_V_ERR_SUBJECT_ISSUER_MISMATCH); + ExpectIntEQ(X509_check_issued(x509, x509), WOLFSSL_X509_V_OK); + ExpectIntEQ(X509_NAME_cmp(NULL, NULL), -2); + ExpectIntEQ(X509_NAME_cmp(NULL, b), -2); + ExpectIntEQ(X509_NAME_cmp(a, NULL), -2); + ExpectIntEQ(X509_NAME_cmp(a, b), 0); /* self signed should be 0 */ + +#if !defined(NO_PWDBASED) + ExpectIntEQ(wolfSSL_X509_NAME_digest(NULL, NULL, 
NULL, NULL), 0); + ExpectIntEQ(wolfSSL_X509_NAME_digest(a, NULL, NULL, NULL), 0); +#ifndef NO_SHA256 + ExpectIntEQ(wolfSSL_X509_NAME_digest(NULL, wolfSSL_EVP_sha256(), NULL, + NULL), 0); +#endif + ExpectIntEQ(wolfSSL_X509_NAME_digest(NULL, NULL, digest, NULL), 0); + ExpectIntEQ(wolfSSL_X509_NAME_digest(NULL, NULL, NULL, &digestSz), 0); + ExpectIntEQ(wolfSSL_X509_NAME_digest(a, NULL, digest, + &digestSz), 0); +#ifndef NO_SHA256 + ExpectIntEQ(wolfSSL_X509_NAME_digest(NULL, wolfSSL_EVP_sha256(), digest, + &digestSz), 0); + ExpectIntEQ(wolfSSL_X509_NAME_digest(a, wolfSSL_EVP_sha256(), NULL, + &digestSz), 0); + ExpectIntEQ(wolfSSL_X509_NAME_digest(a, wolfSSL_EVP_sha256(), digest, + NULL), 1); + ExpectIntEQ(wolfSSL_X509_NAME_digest(a, wolfSSL_EVP_sha256(), digest, + &digestSz), 1); + ExpectTrue(digestSz == 32); +#endif +#else + ExpectIntEQ(wolfSSL_X509_NAME_digest(NULL, NULL, NULL, NULL), + NOT_COMPILED_IN); +#endif +#endif /* OPENSSL_EXTRA */ + + tmp = buf; + ExpectIntGT((sz = i2d_X509_NAME((X509_NAME*)a, &tmp)), 0); + if (sz > 0 && tmp == buf) { + fprintf(stderr, "\nERROR - %s line %d failed with:", __FILE__, + __LINE__); + fprintf(stderr, " Expected pointer to be incremented\n"); + abort(); + } + +#ifndef OPENSSL_EXTRA_X509_SMALL + tmp = buf; + ExpectNotNull(d2i_name = d2i_X509_NAME(NULL, &tmp, sz)); +#endif + + /* if output parameter is NULL, should still return required size. 
*/ + ExpectIntGT((sz = i2d_X509_NAME((X509_NAME*)b, NULL)), 0); + /* retry but with the function creating a buffer */ + tmp = NULL; + ExpectIntGT((sz = i2d_X509_NAME((X509_NAME*)b, &tmp)), 0); + XFREE(tmp, NULL, DYNAMIC_TYPE_OPENSSL); + tmp = NULL; + +#ifdef WOLFSSL_CERT_NAME_ALL + /* test for givenName and name */ + { + WOLFSSL_X509_NAME_ENTRY* entry = NULL; + WOLFSSL_X509_NAME_ENTRY empty; + const byte gName[] = "test-given-name"; + const byte name[] = "test-name"; + + XMEMSET(&empty, 0, sizeof(empty)); + + ExpectNull(wolfSSL_X509_NAME_ENTRY_create_by_NID(NULL, + NID_givenName, ASN_UTF8STRING, NULL, sizeof(gName))); + ExpectNotNull(entry = wolfSSL_X509_NAME_ENTRY_create_by_NID(NULL, + NID_givenName, ASN_UTF8STRING, gName, sizeof(gName))); + ExpectNotNull(wolfSSL_X509_NAME_ENTRY_create_by_NID(&entry, + NID_givenName, ASN_UTF8STRING, gName, sizeof(gName))); + ExpectIntEQ(wolfSSL_X509_NAME_add_entry(NULL , NULL , -1, 0), + 0); + ExpectIntEQ(wolfSSL_X509_NAME_add_entry((X509_NAME*)b, NULL , -1, 0), + 0); + ExpectIntEQ(wolfSSL_X509_NAME_add_entry(NULL , entry , -1, 0), + 0); + ExpectIntEQ(wolfSSL_X509_NAME_add_entry((X509_NAME*)b, &empty, -1, 0), + 0); + ExpectIntEQ(wolfSSL_X509_NAME_add_entry((X509_NAME*)b, entry , 99, 0), + 0); + ExpectIntEQ(wolfSSL_X509_NAME_add_entry((X509_NAME*)b, entry , -1, 0), + 1); + wolfSSL_X509_NAME_ENTRY_free(entry); + entry = NULL; + + ExpectNotNull(wolfSSL_X509_NAME_ENTRY_create_by_NID(&entry, + NID_name, ASN_UTF8STRING, name, sizeof(name))); + ExpectIntEQ(wolfSSL_X509_NAME_add_entry((X509_NAME*)b, entry, -1, 0), + 1); + wolfSSL_X509_NAME_ENTRY_free(entry); + + tmp = NULL; + ExpectIntGT((sz = i2d_X509_NAME((X509_NAME*)b, &tmp)), 0); + XFREE(tmp, NULL, DYNAMIC_TYPE_OPENSSL); + } +#endif + + b = NULL; + ExpectNull(X509_NAME_dup(NULL)); + ExpectNotNull(b = X509_NAME_dup((X509_NAME*)a)); +#ifndef OPENSSL_EXTRA_X509_SMALL + ExpectIntEQ(X509_NAME_cmp(a, b), 0); +#endif + ExpectIntEQ(X509_NAME_entry_count(NULL), 0); + 
ExpectIntEQ(X509_NAME_entry_count((X509_NAME*)b), 7); + X509_NAME_free((X509_NAME*)b); + ExpectNotNull(b = wolfSSL_X509_NAME_new()); + ExpectIntEQ(X509_NAME_entry_count((X509_NAME*)b), 0); + ExpectIntEQ(wolfSSL_X509_NAME_copy(NULL, NULL), BAD_FUNC_ARG); + ExpectIntEQ(wolfSSL_X509_NAME_copy((X509_NAME*)a, NULL), BAD_FUNC_ARG); + ExpectIntEQ(wolfSSL_X509_NAME_copy(NULL, (X509_NAME*)b), BAD_FUNC_ARG); + ExpectIntEQ(wolfSSL_X509_NAME_copy((X509_NAME*)a, (X509_NAME*)b), 1); + ExpectIntEQ(X509_NAME_entry_count((X509_NAME*)b), 7); + X509_NAME_free((X509_NAME*)b); + X509_NAME_free(d2i_name); + d2i_name = NULL; + X509_free(x509); + +#ifndef OPENSSL_EXTRA_X509_SMALL + /* test with an empty domain component */ + tmp = empty; + sz = sizeof(empty); + ExpectNotNull(d2i_name = d2i_X509_NAME(NULL, &tmp, sz)); + ExpectIntEQ(X509_NAME_entry_count(d2i_name), 2); + + /* size of empty emailAddress will be 0 */ + tmp = buf; + ExpectIntEQ(X509_NAME_get_text_by_NID(d2i_name, NID_emailAddress, + (char*)tmp, sizeof(buf)), 0); + + /* should contain no organization name */ + tmp = buf; + ExpectIntEQ(X509_NAME_get_text_by_NID(d2i_name, NID_organizationName, + (char*)tmp, sizeof(buf)), -1); + X509_NAME_free(d2i_name); +#endif +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_X509_NAME_hash(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_FILESYSTEM) && \ + !defined(NO_RSA) && !defined(NO_SHA) && !defined(NO_BIO) + BIO* bio = NULL; + X509* x509 = NULL; + X509_NAME* name = NULL; + + ExpectIntEQ(X509_NAME_hash(NULL), 0); + ExpectNotNull(name = wolfSSL_X509_NAME_new_ex(NULL)); + ExpectIntEQ(X509_NAME_hash(name), 0); + X509_NAME_free(name); + + ExpectNotNull(bio = BIO_new(BIO_s_file())); + ExpectIntGT(BIO_read_filename(bio, svrCertFile), 0); + ExpectNotNull(PEM_read_bio_X509(bio, &x509, NULL, NULL)); + ExpectIntEQ(X509_NAME_hash(X509_get_subject_name(x509)), 0x137DC03F); + ExpectIntEQ(X509_NAME_hash(X509_get_issuer_name(x509)), 0xFDB2DA4); + X509_free(x509); + 
BIO_free(bio); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_X509_NAME_print_ex(void) +{ + EXPECT_DECLS; +#if (defined(OPENSSL_ALL) || (defined(OPENSSL_EXTRA) && \ + (defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) || \ + defined(HAVE_LIGHTY) || defined(WOLFSSL_HAPROXY) || \ + defined(WOLFSSL_OPENSSH) || defined(HAVE_SBLIM_SFCB)))) && \ + !defined(NO_BIO) && !defined(NO_RSA) + int memSz = 0; + byte* mem = NULL; + BIO* bio = NULL; + BIO* membio = NULL; + X509* x509 = NULL; + X509_NAME* name = NULL; + X509_NAME* empty = NULL; + + const char* expNormal = "C=US, CN=wolfssl.com"; + const char* expEqSpace = "C = US, CN = wolfssl.com"; + const char* expReverse = "CN=wolfssl.com, C=US"; + + const char* expNotEscaped = "C= US,+\"\\ , CN=#wolfssl.com<>;"; + const char* expNotEscapedRev = "CN=#wolfssl.com<>;, C= US,+\"\\ "; + const char* expRFC5523 = + "CN=\\#wolfssl.com\\<\\>\\;, C=\\ US\\,\\+\\\"\\\\\\ "; + + /* Test with real cert (svrCertFile) first */ + ExpectNotNull(bio = BIO_new(BIO_s_file())); + ExpectIntGT(BIO_read_filename(bio, svrCertFile), 0); + ExpectNotNull(PEM_read_bio_X509(bio, &x509, NULL, NULL)); + ExpectNotNull(name = X509_get_subject_name(x509)); + + /* Test without flags */ + ExpectNotNull(membio = BIO_new(BIO_s_mem())); + ExpectNotNull(empty = wolfSSL_X509_NAME_new()); + ExpectIntEQ(X509_NAME_print_ex(NULL, NULL, 0, 0), WOLFSSL_FAILURE); + ExpectIntEQ(X509_NAME_print_ex(membio, NULL, 0, 0), WOLFSSL_FAILURE); + ExpectIntEQ(X509_NAME_print_ex(NULL, name, 0, 0), WOLFSSL_FAILURE); + ExpectIntEQ(X509_NAME_print_ex(membio, empty, 0, 0), WOLFSSL_SUCCESS); + ExpectIntEQ(X509_NAME_print_ex(membio, name, 0, 0), WOLFSSL_SUCCESS); + wolfSSL_X509_NAME_free(empty); + BIO_free(membio); + membio = NULL; + + /* Test flag: XN_FLAG_RFC2253 */ + ExpectNotNull(membio = BIO_new(BIO_s_mem())); + ExpectIntEQ(X509_NAME_print_ex(membio, name, 0, + XN_FLAG_RFC2253), WOLFSSL_SUCCESS); + BIO_free(membio); + membio = NULL; + + /* Test flag: XN_FLAG_RFC2253 | XN_FLAG_DN_REV 
*/ + ExpectNotNull(membio = BIO_new(BIO_s_mem())); + ExpectIntEQ(X509_NAME_print_ex(membio, name, 0, + XN_FLAG_RFC2253 | XN_FLAG_DN_REV), WOLFSSL_SUCCESS); + BIO_free(membio); + membio = NULL; + + X509_free(x509); + BIO_free(bio); + name = NULL; + + /* Test with empty issuer cert empty-issuer-cert.pem. + * See notes in certs/test/gen-testcerts.sh for how it was generated. */ + ExpectNotNull(bio = BIO_new(BIO_s_file())); + ExpectIntGT(BIO_read_filename(bio, noIssuerCertFile), 0); + ExpectNotNull(PEM_read_bio_X509(bio, &x509, NULL, NULL)); + ExpectNotNull(name = X509_get_subject_name(x509)); + + ExpectNotNull(membio = BIO_new(BIO_s_mem())); + ExpectIntEQ(X509_NAME_print_ex(membio, name, 0, 0), WOLFSSL_SUCCESS); + /* Should be empty string "" */ + ExpectIntEQ((memSz = BIO_get_mem_data(membio, &mem)), 0); + + BIO_free(membio); + membio = NULL; + X509_free(x509); + BIO_free(bio); + name = NULL; + + /* Test normal case without escaped characters */ + { + /* Create name: "/C=US/CN=wolfssl.com" */ + ExpectNotNull(name = X509_NAME_new()); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", + MBSTRING_UTF8, (byte*)"US", 2, -1, 0), + WOLFSSL_SUCCESS); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", + MBSTRING_UTF8, (byte*)"wolfssl.com", 11, -1, 0), + WOLFSSL_SUCCESS); + + /* Test without flags */ + ExpectNotNull(membio = BIO_new(BIO_s_mem())); + ExpectIntEQ(X509_NAME_print_ex(membio, name, 0, 0), WOLFSSL_SUCCESS); + ExpectIntGE((memSz = BIO_get_mem_data(membio, &mem)), 0); + ExpectIntEQ(memSz, XSTRLEN(expNormal)); + ExpectIntEQ(XSTRNCMP((char*)mem, expNormal, XSTRLEN(expNormal)), 0); + BIO_free(membio); + membio = NULL; + + /* Test with XN_FLAG_ONELINE which should enable XN_FLAG_SPC_EQ for + spaces around '=' */ + ExpectNotNull(membio = BIO_new(BIO_s_mem())); + ExpectIntEQ(X509_NAME_print_ex(membio, name, 0, XN_FLAG_ONELINE), + WOLFSSL_SUCCESS); + ExpectIntGE((memSz = BIO_get_mem_data(membio, &mem)), 0); + ExpectIntEQ(memSz, XSTRLEN(expEqSpace)); + 
ExpectIntEQ(XSTRNCMP((char*)mem, expEqSpace, XSTRLEN(expEqSpace)), 0); + BIO_free(membio); + membio = NULL; + + /* Test flags: XN_FLAG_RFC2253 - should be reversed */ + ExpectNotNull(membio = BIO_new(BIO_s_mem())); + ExpectIntEQ(X509_NAME_print_ex(membio, name, 0, + XN_FLAG_RFC2253), WOLFSSL_SUCCESS); + ExpectIntGE((memSz = BIO_get_mem_data(membio, &mem)), 0); + ExpectIntEQ(memSz, XSTRLEN(expReverse)); + BIO_free(membio); + membio = NULL; + + /* Test flags: XN_FLAG_DN_REV - reversed */ + ExpectNotNull(membio = BIO_new(BIO_s_mem())); + ExpectIntEQ(X509_NAME_print_ex(membio, name, 0, + XN_FLAG_DN_REV), WOLFSSL_SUCCESS); + ExpectIntGE((memSz = BIO_get_mem_data(membio, &mem)), 0); + ExpectIntEQ(memSz, XSTRLEN(expReverse)); + ExpectIntEQ(XSTRNCMP((char*)mem, expReverse, XSTRLEN(expReverse)), 0); + BIO_free(membio); + membio = NULL; + + X509_NAME_free(name); + name = NULL; + } + + /* Test RFC2253 characters are escaped with backslashes */ + { + ExpectNotNull(name = X509_NAME_new()); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", + /* space at beginning and end, and: ,+"\ */ + MBSTRING_UTF8, (byte*)" US,+\"\\ ", 8, -1, 0), + WOLFSSL_SUCCESS); + ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", + /* # at beginning, and: <>;*/ + MBSTRING_UTF8, (byte*)"#wolfssl.com<>;", 15, -1, 0), + WOLFSSL_SUCCESS); + /* Test without flags */ + ExpectNotNull(membio = BIO_new(BIO_s_mem())); + ExpectIntEQ(X509_NAME_print_ex(membio, name, 0, 0), WOLFSSL_SUCCESS); + ExpectIntGE((memSz = BIO_get_mem_data(membio, &mem)), 0); + ExpectIntEQ(memSz, XSTRLEN(expNotEscaped)); + ExpectIntEQ(XSTRNCMP((char*)mem, expNotEscaped, + XSTRLEN(expNotEscaped)), 0); + BIO_free(membio); + membio = NULL; + + /* Test flags: XN_FLAG_RFC5523 - should be reversed and escaped */ + ExpectNotNull(membio = BIO_new(BIO_s_mem())); + ExpectIntEQ(X509_NAME_print_ex(membio, name, 0, + XN_FLAG_RFC2253), WOLFSSL_SUCCESS); + ExpectIntGE((memSz = BIO_get_mem_data(membio, &mem)), 0); + ExpectIntEQ(memSz, 
XSTRLEN(expRFC5523)); + ExpectIntEQ(XSTRNCMP((char*)mem, expRFC5523, XSTRLEN(expRFC5523)), 0); + BIO_free(membio); + membio = NULL; + + /* Test flags: XN_FLAG_DN_REV - reversed but not escaped */ + ExpectNotNull(membio = BIO_new(BIO_s_mem())); + ExpectIntEQ(X509_NAME_print_ex(membio, name, 0, + XN_FLAG_DN_REV), WOLFSSL_SUCCESS); + ExpectIntGE((memSz = BIO_get_mem_data(membio, &mem)), 0); + ExpectIntEQ(memSz, XSTRLEN(expNotEscapedRev)); + ExpectIntEQ(XSTRNCMP((char*)mem, expNotEscapedRev, + XSTRLEN(expNotEscapedRev)), 0); + BIO_free(membio); + + X509_NAME_free(name); + } +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_X509_NAME_ENTRY(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_FILESYSTEM) && \ + !defined(NO_RSA) && defined(WOLFSSL_CERT_GEN) + X509* x509 = NULL; +#ifndef NO_BIO + X509* empty = NULL; + BIO* bio = NULL; +#endif + X509_NAME* nm = NULL; + X509_NAME_ENTRY* entry = NULL; + WOLF_STACK_OF(WOLFSSL_X509_NAME_ENTRY)* entries = NULL; + unsigned char cn[] = "another name to add"; +#ifdef OPENSSL_ALL + int i; + int names_len = 0; +#endif + + ExpectNotNull(x509 = + wolfSSL_X509_load_certificate_file(cliCertFile, SSL_FILETYPE_PEM)); +#ifndef NO_BIO + ExpectNotNull(empty = wolfSSL_X509_new()); + ExpectNotNull(bio = BIO_new(BIO_s_mem())); + ExpectIntEQ(PEM_write_bio_X509_AUX(NULL, NULL), WOLFSSL_FAILURE); + ExpectIntEQ(PEM_write_bio_X509_AUX(bio, NULL), WOLFSSL_FAILURE); + ExpectIntEQ(PEM_write_bio_X509_AUX(NULL, x509), WOLFSSL_FAILURE); + ExpectIntEQ(PEM_write_bio_X509_AUX(bio, empty), WOLFSSL_FAILURE); + ExpectIntEQ(PEM_write_bio_X509_AUX(bio, x509), SSL_SUCCESS); + wolfSSL_X509_free(empty); +#endif + +#ifdef WOLFSSL_CERT_REQ + { + X509_REQ* req = NULL; +#ifndef NO_BIO + X509_REQ* emptyReq = NULL; + BIO* bReq = NULL; +#endif + + ExpectNotNull(req = + wolfSSL_X509_load_certificate_file(cliCertFile, SSL_FILETYPE_PEM)); +#ifndef NO_BIO + ExpectNotNull(emptyReq = wolfSSL_X509_REQ_new()); + ExpectNotNull(bReq = 
BIO_new(BIO_s_mem())); + ExpectIntEQ(PEM_write_bio_X509_REQ(NULL, NULL), WOLFSSL_FAILURE); + ExpectIntEQ(PEM_write_bio_X509_REQ(bReq, NULL), WOLFSSL_FAILURE); + ExpectIntEQ(PEM_write_bio_X509_REQ(NULL, req), WOLFSSL_FAILURE); + ExpectIntEQ(PEM_write_bio_X509_REQ(bReq, emptyReq), WOLFSSL_FAILURE); + ExpectIntEQ(PEM_write_bio_X509_REQ(bReq, req), SSL_SUCCESS); + + BIO_free(bReq); + X509_REQ_free(emptyReq); +#endif + X509_free(req); + } +#endif + + ExpectNotNull(nm = X509_get_subject_name(x509)); + + /* Test add entry */ + ExpectNotNull(entry = X509_NAME_ENTRY_create_by_NID(NULL, NID_commonName, + 0x0c, cn, (int)sizeof(cn))); + ExpectIntEQ(X509_NAME_add_entry(nm, entry, -1, 0), SSL_SUCCESS); + + /* @TODO the internal name entry set value needs investigated for matching + * behavior with OpenSSL. At the moment the getter function for the set + * value is being tested only in that it succeeds in getting the internal + * value. */ + ExpectIntGT(X509_NAME_ENTRY_set(X509_NAME_get_entry(nm, 1)), 0); + +#ifdef WOLFSSL_CERT_EXT + ExpectIntEQ(X509_NAME_add_entry_by_txt(NULL, NULL, MBSTRING_UTF8, + (byte*)"support@wolfssl.com", 19, -1, 1), WOLFSSL_FAILURE); + ExpectIntEQ(X509_NAME_add_entry_by_txt(nm, NULL, MBSTRING_UTF8, + (byte*)"support@wolfssl.com", 19, -1, 1), WOLFSSL_FAILURE); + ExpectIntEQ(X509_NAME_add_entry_by_txt(NULL, "emailAddress", MBSTRING_UTF8, + (byte*)"support@wolfssl.com", 19, -1, 1), WOLFSSL_FAILURE); + ExpectIntEQ(X509_NAME_add_entry_by_txt(nm, "emailAddress", MBSTRING_UTF8, + (byte*)"support@wolfssl.com", 19, -1, 1), WOLFSSL_SUCCESS); + ExpectIntEQ(X509_NAME_add_entry_by_txt(nm, "commonName", MBSTRING_UTF8, + (byte*)"wolfssl.com", 11, 0, 1), WOLFSSL_SUCCESS); + ExpectNull(wolfSSL_X509_NAME_delete_entry(NULL, -1)); + ExpectNull(wolfSSL_X509_NAME_delete_entry(nm, -1)); + ExpectNotNull(wolfSSL_X509_NAME_delete_entry(nm, 0)); +#endif + X509_NAME_ENTRY_free(entry); + entry = NULL; + +#ifdef WOLFSSL_CERT_REQ + { + unsigned char srv_pkcs9p[] = "Server"; + unsigned 
char rfc822Mlbx[] = "support@wolfssl.com"; + unsigned char fvrtDrnk[] = "tequila"; + unsigned char* der = NULL; + char* subject = NULL; + + ExpectIntEQ(X509_NAME_add_entry_by_NID(nm, NID_pkcs9_contentType, + MBSTRING_ASC, srv_pkcs9p, -1, -1, 0), SSL_SUCCESS); + + ExpectIntEQ(X509_NAME_add_entry_by_NID(nm, NID_rfc822Mailbox, + MBSTRING_ASC, rfc822Mlbx, -1, -1, 0), SSL_SUCCESS); + + ExpectIntEQ(X509_NAME_add_entry_by_NID(nm, NID_favouriteDrink, + MBSTRING_ASC, fvrtDrnk, -1, -1, 0), SSL_SUCCESS); + + ExpectIntEQ(wolfSSL_i2d_X509_NAME(NULL, &der), BAD_FUNC_ARG); + ExpectIntGT(wolfSSL_i2d_X509_NAME(nm, &der), 0); + ExpectNotNull(der); + + ExpectNotNull(subject = X509_NAME_oneline(nm, NULL, 0)); + ExpectNotNull(XSTRSTR(subject, "rfc822Mailbox=support@wolfssl.com")); + ExpectNotNull(XSTRSTR(subject, "favouriteDrink=tequila")); + ExpectNotNull(XSTRSTR(subject, "contentType=Server")); + #ifdef DEBUG_WOLFSSL + if (subject != NULL) { + fprintf(stderr, "\n\t%s\n", subject); + } + #endif + XFREE(subject, 0, DYNAMIC_TYPE_OPENSSL); + XFREE(der, NULL, DYNAMIC_TYPE_OPENSSL); + } +#endif + + ExpectNull(entry = X509_NAME_ENTRY_create_by_txt(NULL, NULL, 0x0c, cn, + (int)sizeof(cn))); + /* Test add entry by text */ + ExpectNotNull(entry = X509_NAME_ENTRY_create_by_txt(NULL, "commonName", + 0x0c, cn, (int)sizeof(cn))); + ExpectPtrEq(X509_NAME_ENTRY_create_by_txt(&entry, "commonName", + 0x0c, cn, (int)sizeof(cn)), entry); + #if defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO) \ + || defined(WOLFSSL_HAPROXY) || defined(WOLFSSL_NGINX) + ExpectNull(X509_NAME_ENTRY_create_by_txt(&entry, "unknown", + V_ASN1_UTF8STRING, cn, (int)sizeof(cn))); + #endif + ExpectIntEQ(X509_NAME_add_entry(nm, entry, -1, 0), SSL_SUCCESS); + X509_NAME_ENTRY_free(entry); + entry = NULL; + + /* Test add entry by NID */ + ExpectIntEQ(X509_NAME_add_entry_by_NID(nm, NID_commonName, MBSTRING_UTF8, + cn, -1, -1, 0), SSL_SUCCESS); + +#ifdef OPENSSL_ALL + /* stack of name entry */ + ExpectIntGT((names_len = 
sk_X509_NAME_ENTRY_num(nm->entries)), 0); + for (i = 0; i < names_len; i++) { + ExpectNotNull(entry = sk_X509_NAME_ENTRY_value(nm->entries, i)); + } +#endif + + ExpectNotNull(entries = wolfSSL_sk_X509_NAME_ENTRY_new(NULL)); + ExpectIntEQ(sk_X509_NAME_ENTRY_num(NULL), BAD_FUNC_ARG); + ExpectIntEQ(sk_X509_NAME_ENTRY_num(entries), 0); + ExpectNull(sk_X509_NAME_ENTRY_value(NULL, 0)); + ExpectNull(sk_X509_NAME_ENTRY_value(entries, 0)); + wolfSSL_sk_X509_NAME_ENTRY_free(entries); +#ifndef NO_BIO + BIO_free(bio); +#endif + X509_free(x509); /* free's nm */ +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_X509_NAME_ENTRY_get_object(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_FILESYSTEM) && !defined(NO_RSA) + X509 *x509 = NULL; + X509_NAME* name = NULL; + int idx = 0; + X509_NAME_ENTRY *ne = NULL; + ASN1_OBJECT *object = NULL; + + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFile, + WOLFSSL_FILETYPE_PEM)); + ExpectNotNull(name = X509_get_subject_name(x509)); + ExpectIntGE(X509_NAME_get_index_by_NID(NULL, NID_commonName, -1), + BAD_FUNC_ARG); + ExpectIntGE(idx = X509_NAME_get_index_by_NID(name, NID_commonName, -1), 0); + ExpectIntGE(idx = X509_NAME_get_index_by_NID(name, NID_commonName, -2), 0); + + ExpectNotNull(ne = X509_NAME_get_entry(name, idx)); + ExpectNull(X509_NAME_ENTRY_get_object(NULL)); + ExpectNotNull(object = X509_NAME_ENTRY_get_object(ne)); + + X509_free(x509); +#endif + return EXPECT_RESULT(); +} + diff --git a/tests/api/test_ossl_x509_name.h b/tests/api/test_ossl_x509_name.h new file mode 100644 index 00000000000..130f7fa87c7 --- /dev/null +++ b/tests/api/test_ossl_x509_name.h 
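Review bot: In test_wolfSSL_X509_NAME_print_ex, the `XN_FLAG_RFC2253` case of the "normal case without escaped characters" block only asserts the output length (`ExpectIntEQ(memSz, XSTRLEN(expReverse));`) and never compares the bytes, unlike the neighbouring `XN_FLAG_DN_REV` case, so a wrong DN ordering of equal length would pass; add `ExpectIntEQ(XSTRNCMP((char*)mem, expReverse, XSTRLEN(expReverse)), 0);` before that block's `BIO_free(membio);`. In test_wolfSSL_X509_NAME_ENTRY_get_object, `ExpectIntGE(X509_NAME_get_index_by_NID(NULL, NID_commonName, -1), BAD_FUNC_ARG);` is satisfied by any value not below the negative error code, including a valid index, so the NULL-name path is effectively unchecked; `ExpectIntLT(X509_NAME_get_index_by_NID(NULL, NID_commonName, -1), 0);` (or an `ExpectIntEQ` against the exact value the function returns for a NULL name) would pin it. Both functions lie entirely within this hunk.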
@@ -0,0 +1,42 @@
+/* test_ossl_x509_name.h
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#ifndef WOLFCRYPT_TEST_OSSL_X509_NAME_H
+#define WOLFCRYPT_TEST_OSSL_X509_NAME_H
+
+#include
+
+int test_wolfSSL_X509_NAME_get_entry(void);
+int test_wolfSSL_X509_NAME(void);
+int test_wolfSSL_X509_NAME_hash(void);
+int test_wolfSSL_X509_NAME_print_ex(void);
+int test_wolfSSL_X509_NAME_ENTRY(void);
+int test_wolfSSL_X509_NAME_ENTRY_get_object(void);
+
+#define TEST_OSSL_X509_NAME_DECLS \
+ TEST_DECL_GROUP("ossl_x509_name", test_wolfSSL_X509_NAME_get_entry), \
+ TEST_DECL_GROUP("ossl_x509_name", test_wolfSSL_X509_NAME), \
+ TEST_DECL_GROUP("ossl_x509_name", test_wolfSSL_X509_NAME_hash), \
+ TEST_DECL_GROUP("ossl_x509_name", test_wolfSSL_X509_NAME_print_ex), \
+ TEST_DECL_GROUP("ossl_x509_name", test_wolfSSL_X509_NAME_ENTRY), \
+ TEST_DECL_GROUP("ossl_x509_name", test_wolfSSL_X509_NAME_ENTRY_get_object)
+
+#endif /* WOLFCRYPT_TEST_OSSL_X509_NAME_H */
diff --git a/tests/api/test_ossl_x509_pk.c b/tests/api/test_ossl_x509_pk.c
new file mode 100644
index 00000000000..6e978d3be4a
--- /dev/null
+++ b/tests/api/test_ossl_x509_pk.c
@@ -0,0 +1,350 @@ +/* test_ossl_x509_pk.c + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +#include + +#ifdef NO_INLINE + #include +#else + #define WOLFSSL_MISC_INCLUDED + #include +#endif + +#include +#include +#include +#include + +int test_wolfSSL_X509_get_X509_PUBKEY(void) +{ + EXPECT_DECLS; +#if (defined(OPENSSL_ALL) || defined(WOLFSSL_APACHE_HTTPD)) + X509* x509 = NULL; + X509_PUBKEY* pubKey; + + ExpectNotNull(x509 = X509_new()); + + ExpectNull(pubKey = wolfSSL_X509_get_X509_PUBKEY(NULL)); + ExpectNotNull(pubKey = wolfSSL_X509_get_X509_PUBKEY(x509)); + + X509_free(x509); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_X509_PUBKEY_RSA(void) +{ + EXPECT_DECLS; +#if (defined(OPENSSL_ALL) || defined(WOLFSSL_APACHE_HTTPD)) && \ + !defined(NO_SHA256) && !defined(NO_RSA) + X509* x509 = NULL; + ASN1_OBJECT* obj = NULL; + const ASN1_OBJECT* pa_oid = NULL; + X509_PUBKEY* pubKey = NULL; + X509_PUBKEY* pubKey2 = NULL; + EVP_PKEY* evpKey = NULL; + byte buf[1024]; + byte* tmp; + + const unsigned char *pk = NULL; + int ppklen; + int pptype; + X509_ALGOR *pa = NULL; + const void *pval; + + ExpectNotNull(x509 = X509_load_certificate_file(cliCertFile, + SSL_FILETYPE_PEM)); + + ExpectNotNull(pubKey = 
X509_get_X509_PUBKEY(x509)); + ExpectIntEQ(X509_PUBKEY_get0_param(&obj, &pk, &ppklen, &pa, pubKey), 1); + ExpectNotNull(pk); + ExpectNotNull(pa); + ExpectNotNull(pubKey); + ExpectIntGT(ppklen, 0); + + tmp = buf; + ExpectIntEQ(wolfSSL_i2d_X509_PUBKEY(NULL, NULL), WOLFSSL_FATAL_ERROR); + ExpectIntEQ(wolfSSL_i2d_X509_PUBKEY(NULL, &tmp), WOLFSSL_FATAL_ERROR); + ExpectIntEQ(wolfSSL_i2d_X509_PUBKEY(pubKey, NULL), 294); + ExpectIntEQ(wolfSSL_i2d_X509_PUBKEY(pubKey, &tmp), 294); + + ExpectIntEQ(OBJ_obj2nid(obj), NID_rsaEncryption); + + ExpectNotNull(evpKey = X509_PUBKEY_get(pubKey)); + ExpectNotNull(pubKey2 = X509_PUBKEY_new()); + ExpectIntEQ(X509_PUBKEY_get0_param(&obj, &pk, &ppklen, &pa, NULL), 0); + ExpectIntEQ(X509_PUBKEY_get0_param(&obj, &pk, &ppklen, &pa, pubKey2), 0); + ExpectIntEQ(X509_PUBKEY_set(NULL, NULL), 0); + ExpectIntEQ(X509_PUBKEY_set(&pubKey2, NULL), 0); + ExpectIntEQ(X509_PUBKEY_set(NULL, evpKey), 0); + ExpectIntEQ(X509_PUBKEY_set(&pubKey2, evpKey), 1); + ExpectIntEQ(X509_PUBKEY_get0_param(NULL, NULL, NULL, NULL, pubKey2), 1); + ExpectIntEQ(X509_PUBKEY_get0_param(&obj, &pk, &ppklen, &pa, pubKey2), 1); + ExpectNotNull(pk); + ExpectNotNull(pa); + ExpectIntGT(ppklen, 0); + X509_ALGOR_get0(&pa_oid, &pptype, &pval, pa); + ExpectNotNull(pa_oid); + ExpectNull(pval); + ExpectIntEQ(pptype, V_ASN1_NULL); + ExpectIntEQ(OBJ_obj2nid(pa_oid), EVP_PKEY_RSA); + + X509_PUBKEY_free(NULL); + X509_PUBKEY_free(pubKey2); + X509_free(x509); + EVP_PKEY_free(evpKey); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_X509_PUBKEY_EC(void) +{ + EXPECT_DECLS; +#if (defined(OPENSSL_ALL) || defined(WOLFSSL_APACHE_HTTPD)) && defined(HAVE_ECC) + X509* x509 = NULL; + ASN1_OBJECT* obj = NULL; + ASN1_OBJECT* poid = NULL; + const ASN1_OBJECT* pa_oid = NULL; + X509_PUBKEY* pubKey = NULL; + X509_PUBKEY* pubKey2 = NULL; + EVP_PKEY* evpKey = NULL; + + const unsigned char *pk = NULL; + int ppklen; + int pptype; + X509_ALGOR *pa = NULL; + const void *pval; + char buf[50]; + + 
ExpectNotNull(x509 = X509_load_certificate_file(cliEccCertFile, + SSL_FILETYPE_PEM)); + ExpectNotNull(pubKey = X509_get_X509_PUBKEY(x509)); + ExpectNotNull(evpKey = X509_PUBKEY_get(pubKey)); + ExpectNotNull(pubKey2 = X509_PUBKEY_new()); + ExpectIntEQ(X509_PUBKEY_set(&pubKey2, evpKey), 1); + ExpectIntEQ(X509_PUBKEY_get0_param(&obj, &pk, &ppklen, &pa, pubKey2), 1); + ExpectNotNull(pk); + ExpectNotNull(pa); + ExpectIntGT(ppklen, 0); + X509_ALGOR_get0(&pa_oid, &pptype, &pval, pa); + ExpectNotNull(pa_oid); + ExpectNotNull(pval); + ExpectIntEQ(pptype, V_ASN1_OBJECT); + ExpectIntEQ(OBJ_obj2nid(pa_oid), EVP_PKEY_EC); + poid = (ASN1_OBJECT *)pval; + ExpectIntGT(OBJ_obj2txt(buf, (int)sizeof(buf), poid, 0), 0); + ExpectIntEQ(OBJ_txt2nid(buf), NID_X9_62_prime256v1); + + X509_PUBKEY_free(pubKey2); + X509_free(x509); + EVP_PKEY_free(evpKey); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_X509_PUBKEY_DSA(void) +{ + EXPECT_DECLS; +#if (defined(OPENSSL_ALL) || defined(WOLFSSL_APACHE_HTTPD)) && !defined(NO_DSA) + word32 bytes; +#ifdef USE_CERT_BUFFERS_1024 + byte tmp[ONEK_BUF]; +#elif defined(USE_CERT_BUFFERS_2048) + byte tmp[TWOK_BUF]; +#else + byte tmp[TWOK_BUF]; +#endif /* END USE_CERT_BUFFERS_1024 */ + const unsigned char* dsaKeyDer = tmp; + + ASN1_OBJECT* obj = NULL; + ASN1_STRING* str; + const ASN1_OBJECT* pa_oid = NULL; + X509_PUBKEY* pubKey = NULL; + EVP_PKEY* evpKey = NULL; + + const unsigned char *pk = NULL; + int ppklen, pptype; + X509_ALGOR *pa = NULL; + const void *pval; + +#ifdef USE_CERT_BUFFERS_1024 + XMEMSET(tmp, 0, sizeof(tmp)); + XMEMCPY(tmp, dsa_key_der_1024, sizeof_dsa_key_der_1024); + bytes = sizeof_dsa_key_der_1024; +#elif defined(USE_CERT_BUFFERS_2048) + XMEMSET(tmp, 0, sizeof(tmp)); + XMEMCPY(tmp, dsa_key_der_2048, sizeof_dsa_key_der_2048); + bytes = sizeof_dsa_key_der_2048; +#else + { + XFILE fp = XBADFILE; + XMEMSET(tmp, 0, sizeof(tmp)); + ExpectTrue((fp = XFOPEN("./certs/dsa2048.der", "rb")) != XBADFILE); + ExpectIntGT(bytes = (word32) 
XFREAD(tmp, 1, sizeof(tmp), fp), 0); + if (fp != XBADFILE) + XFCLOSE(fp); + } +#endif + + /* Initialize pkey with der format dsa key */ + ExpectNotNull(d2i_PrivateKey(EVP_PKEY_DSA, &evpKey, &dsaKeyDer, bytes)); + + ExpectNotNull(pubKey = X509_PUBKEY_new()); + ExpectIntEQ(X509_PUBKEY_set(&pubKey, evpKey), 1); + ExpectIntEQ(X509_PUBKEY_get0_param(&obj, &pk, &ppklen, &pa, pubKey), 1); + ExpectNotNull(pk); + ExpectNotNull(pa); + ExpectIntGT(ppklen, 0); + X509_ALGOR_get0(&pa_oid, &pptype, &pval, pa); + ExpectNotNull(pa_oid); + ExpectNotNull(pval); + ExpectIntEQ(pptype, V_ASN1_SEQUENCE); + ExpectIntEQ(OBJ_obj2nid(pa_oid), EVP_PKEY_DSA); + str = (ASN1_STRING *)pval; + DEBUG_WRITE_DER(ASN1_STRING_data(str), ASN1_STRING_length(str), "str.der"); +#ifdef USE_CERT_BUFFERS_1024 + ExpectIntEQ(ASN1_STRING_length(str), 291); +#else + ExpectIntEQ(ASN1_STRING_length(str), 549); +#endif /* END USE_CERT_BUFFERS_1024 */ + + X509_PUBKEY_free(pubKey); + EVP_PKEY_free(evpKey); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_X509_PUBKEY_get(void) +{ + EXPECT_DECLS; +#ifdef OPENSSL_ALL + WOLFSSL_X509_PUBKEY pubkey; + WOLFSSL_X509_PUBKEY* key; + WOLFSSL_EVP_PKEY evpkey ; + WOLFSSL_EVP_PKEY* evpPkey; + WOLFSSL_EVP_PKEY* retEvpPkey; + + XMEMSET(&pubkey, 0, sizeof(WOLFSSL_X509_PUBKEY)); + XMEMSET(&evpkey, 0, sizeof(WOLFSSL_EVP_PKEY)); + + key = &pubkey; + evpPkey = &evpkey; + + evpPkey->type = WOLFSSL_SUCCESS; + key->pkey = evpPkey; + + ExpectNotNull(retEvpPkey = wolfSSL_X509_PUBKEY_get(key)); + ExpectIntEQ(retEvpPkey->type, WOLFSSL_SUCCESS); + + ExpectNull(retEvpPkey = wolfSSL_X509_PUBKEY_get(NULL)); + + key->pkey = NULL; + ExpectNull(retEvpPkey = wolfSSL_X509_PUBKEY_get(key)); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_X509_set_pubkey(void) +{ + EXPECT_DECLS; +#ifdef OPENSSL_ALL + WOLFSSL_X509* x509 = NULL; + WOLFSSL_EVP_PKEY* pkey = NULL; + + ExpectNotNull(x509 = wolfSSL_X509_new()); + +#if !defined(NO_RSA) + { + WOLFSSL_RSA* rsa = NULL; + + ExpectNotNull(pkey = 
wolfSSL_EVP_PKEY_new()); + if (pkey != NULL) { + pkey->type = WC_EVP_PKEY_RSA; + } + ExpectIntEQ(wolfSSL_X509_set_pubkey(x509, pkey), WOLFSSL_FAILURE); + ExpectNotNull(rsa = wolfSSL_RSA_new()); + ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, EVP_PKEY_RSA, rsa), + WOLFSSL_SUCCESS); + if (EXPECT_FAIL()) { + wolfSSL_RSA_free(rsa); + } + ExpectIntEQ(wolfSSL_X509_set_pubkey(x509, pkey), WOLFSSL_SUCCESS); + wolfSSL_EVP_PKEY_free(pkey); + pkey = NULL; + } +#endif +#if !defined(HAVE_SELFTEST) && (defined(WOLFSSL_KEY_GEN) || \ + defined(WOLFSSL_CERT_GEN)) && !defined(NO_DSA) + { + WOLFSSL_DSA* dsa = NULL; + + ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); + if (pkey != NULL) { + pkey->type = WC_EVP_PKEY_DSA; + } + ExpectIntEQ(wolfSSL_X509_set_pubkey(x509, pkey), WOLFSSL_FAILURE); + ExpectNotNull(dsa = wolfSSL_DSA_new()); + ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, EVP_PKEY_DSA, dsa), + WOLFSSL_SUCCESS); + if (EXPECT_FAIL()) { + wolfSSL_DSA_free(dsa); + } + ExpectIntEQ(wolfSSL_X509_set_pubkey(x509, pkey), WOLFSSL_FAILURE); + wolfSSL_EVP_PKEY_free(pkey); + pkey = NULL; + } +#endif +#if defined(HAVE_ECC) + { + WOLFSSL_EC_KEY* ec = NULL; + + ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); + if (pkey != NULL) { + pkey->type = WC_EVP_PKEY_EC; + } + ExpectIntEQ(wolfSSL_X509_set_pubkey(x509, pkey), WOLFSSL_FAILURE); + ExpectNotNull(ec = wolfSSL_EC_KEY_new()); + ExpectIntEQ(wolfSSL_EC_KEY_generate_key(ec), 1); + ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, EVP_PKEY_EC, ec), + WOLFSSL_SUCCESS); + if (EXPECT_FAIL()) { + wolfSSL_EC_KEY_free(ec); + } + ExpectIntEQ(wolfSSL_X509_set_pubkey(x509, pkey), WOLFSSL_SUCCESS); + wolfSSL_EVP_PKEY_free(pkey); + pkey = NULL; + } +#endif +#if !defined(NO_DH) + ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); + if (pkey != NULL) { + pkey->type = WC_EVP_PKEY_DH; + } + ExpectIntEQ(wolfSSL_X509_set_pubkey(x509, pkey), WOLFSSL_FAILURE); + wolfSSL_EVP_PKEY_free(pkey); + pkey = NULL; +#endif + + wolfSSL_X509_free(x509); +#endif + return EXPECT_RESULT(); +} + 
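Review bot: In test_wolfSSL_X509_PUBKEY_RSA the length probe `wolfSSL_i2d_X509_PUBKEY(pubKey, NULL)` is only compared against the literal 294 and then discarded, so the next call encodes into `byte buf[1024]` with no check that the encoding fits; if `cliCertFile` is ever regenerated with a larger key the first assertion fails but the write into `buf` still happens. Keep the length and bound it before the write, e.g. `int len = 0;` then `ExpectIntEQ(len = wolfSSL_i2d_X509_PUBKEY(pubKey, NULL), 294); ExpectIntLE(len, (int)sizeof(buf));` (the Expect macros appear to skip later checks once one has failed, which would keep the encode from running on a mismatch — confirm). The DSA case has the same shape: `XMEMCPY(tmp, dsa_key_der_1024, sizeof_dsa_key_der_1024)` copies into a ONEK_BUF array without comparing the two sizes, while only the file-read fallback is bounded by `sizeof(tmp)`. Separately, this file calls `DEBUG_WRITE_DER`, whose definition is removed from tests/api.c in this same commit; presumably it now lives in a shared test header included here (include names are not visible in this rendering), so it is worth confirming the no-op fallback is reachable from this translation unit.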
diff --git a/tests/api/test_ossl_x509_pk.h b/tests/api/test_ossl_x509_pk.h
new file mode 100644
index 00000000000..77b37859ce9
--- /dev/null
+++ b/tests/api/test_ossl_x509_pk.h
@@ -0,0 +1,42 @@
+/* test_ossl_x509_pk.h
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#ifndef WOLFCRYPT_TEST_OSSL_X509_PK_H
+#define WOLFCRYPT_TEST_OSSL_X509_PK_H
+
+#include
+
+int test_wolfSSL_X509_get_X509_PUBKEY(void);
+int test_wolfSSL_X509_PUBKEY_RSA(void);
+int test_wolfSSL_X509_PUBKEY_EC(void);
+int test_wolfSSL_X509_PUBKEY_DSA(void);
+int test_wolfSSL_X509_PUBKEY_get(void);
+int test_wolfSSL_X509_set_pubkey(void);
+
+#define TEST_OSSL_X509_PK_DECLS \
+ TEST_DECL_GROUP("ossl_x509_pk", test_wolfSSL_X509_get_X509_PUBKEY), \
+ TEST_DECL_GROUP("ossl_x509_pk", test_wolfSSL_X509_PUBKEY_RSA), \
+ TEST_DECL_GROUP("ossl_x509_pk", test_wolfSSL_X509_PUBKEY_EC), \
+ TEST_DECL_GROUP("ossl_x509_pk", test_wolfSSL_X509_PUBKEY_DSA), \
+ TEST_DECL_GROUP("ossl_x509_pk", test_wolfSSL_X509_PUBKEY_get), \
+ TEST_DECL_GROUP("ossl_x509_pk", test_wolfSSL_X509_set_pubkey)
+
+#endif /* WOLFCRYPT_TEST_OSSL_X509_PK_H */
diff --git a/tests/api/test_ossl_x509_str.c b/tests/api/test_ossl_x509_str.c
new file mode 100644
index 00000000000..e0c481b5012
--- /dev/null
+++ b/tests/api/test_ossl_x509_str.c
@@ -0,0 +1,1590 @@ +/* test_ossl_x509_str.c + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +#include + +#ifdef NO_INLINE + #include +#else + #define WOLFSSL_MISC_INCLUDED + #include +#endif + +#include +#ifdef OPENSSL_EXTRA + #include + #include +#endif +#include +#include + +int test_wolfSSL_X509_STORE_CTX_set_time(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) + WOLFSSL_X509_STORE_CTX* ctx = NULL; + time_t c_time; + + ExpectNotNull(ctx = wolfSSL_X509_STORE_CTX_new()); + c_time = 365*24*60*60; + wolfSSL_X509_STORE_CTX_set_time(ctx, 0, c_time); + ExpectTrue((ctx->param->flags & WOLFSSL_USE_CHECK_TIME) == + WOLFSSL_USE_CHECK_TIME); + ExpectTrue(ctx->param->check_time == c_time); + wolfSSL_X509_STORE_CTX_free(ctx); +#endif /* OPENSSL_EXTRA */ + return EXPECT_RESULT(); +} + +int test_wolfSSL_X509_STORE_CTX_get0_store(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) + X509_STORE* store = NULL; + X509_STORE_CTX* ctx = NULL; + X509_STORE_CTX* ctx_no_init = NULL; + + ExpectNotNull((store = X509_STORE_new())); + ExpectNotNull(ctx = X509_STORE_CTX_new()); + ExpectNotNull(ctx_no_init = X509_STORE_CTX_new()); + ExpectIntEQ(X509_STORE_CTX_init(ctx, store, NULL, NULL), SSL_SUCCESS); + + 
ExpectNull(X509_STORE_CTX_get0_store(NULL)); + /* should return NULL if ctx has not bee initialized */ + ExpectNull(X509_STORE_CTX_get0_store(ctx_no_init)); + ExpectNotNull(X509_STORE_CTX_get0_store(ctx)); + + wolfSSL_X509_STORE_CTX_free(ctx); + wolfSSL_X509_STORE_CTX_free(ctx_no_init); + X509_STORE_free(store); +#endif /* OPENSSL_EXTRA */ + return EXPECT_RESULT(); +} + +#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) +static int verify_cb(int ok, X509_STORE_CTX *ctx) +{ + (void) ok; + (void) ctx; + fprintf(stderr, "ENTER verify_cb\n"); + return SSL_SUCCESS; +} +#endif + +int test_wolfSSL_X509_STORE_CTX(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) + X509_STORE_CTX* ctx = NULL; + X509_STORE* str = NULL; + X509* x509 = NULL; +#ifdef OPENSSL_ALL + X509* x5092 = NULL; + STACK_OF(X509) *sk = NULL; + STACK_OF(X509) *sk2 = NULL; + STACK_OF(X509) *sk3 = NULL; +#endif + + ExpectNotNull(ctx = X509_STORE_CTX_new()); + ExpectNotNull((str = wolfSSL_X509_STORE_new())); + ExpectNotNull((x509 = + wolfSSL_X509_load_certificate_file(svrCertFile, SSL_FILETYPE_PEM))); + ExpectIntEQ(X509_STORE_add_cert(str, x509), SSL_SUCCESS); +#ifdef OPENSSL_ALL + /* sk_X509_new only in OPENSSL_ALL */ + sk = sk_X509_new_null(); + ExpectNotNull(sk); + ExpectIntEQ(X509_STORE_CTX_init(ctx, str, x509, sk), SSL_SUCCESS); +#else + ExpectIntEQ(X509_STORE_CTX_init(ctx, str, x509, NULL), SSL_SUCCESS); +#endif + ExpectIntEQ(SSL_get_ex_data_X509_STORE_CTX_idx(), 0); + X509_STORE_CTX_set_error(ctx, -5); + X509_STORE_CTX_set_error(NULL, -5); + + X509_STORE_CTX_free(ctx); + ctx = NULL; +#ifdef OPENSSL_ALL + sk_X509_pop_free(sk, NULL); + sk = NULL; +#endif + X509_STORE_free(str); + str = NULL; + X509_free(x509); + x509 = NULL; + + ExpectNotNull(ctx = X509_STORE_CTX_new()); + X509_STORE_CTX_set_verify_cb(ctx, verify_cb); + X509_STORE_CTX_free(ctx); + ctx = NULL; + +#ifdef OPENSSL_ALL + 
/* test X509_STORE_CTX_get(1)_chain */ + ExpectNotNull((x509 = X509_load_certificate_file(svrCertFile, + SSL_FILETYPE_PEM))); + ExpectNotNull((x5092 = X509_load_certificate_file(cliCertFile, + SSL_FILETYPE_PEM))); + ExpectNotNull((sk = sk_X509_new_null())); + ExpectIntEQ(sk_X509_push(sk, x509), 1); + if (EXPECT_FAIL()) { + X509_free(x509); + x509 = NULL; + } + ExpectNotNull((str = X509_STORE_new())); + ExpectNotNull((ctx = X509_STORE_CTX_new())); + ExpectIntEQ(X509_STORE_CTX_init(ctx, str, x5092, sk), 1); + ExpectNull((sk2 = X509_STORE_CTX_get_chain(NULL))); + ExpectNull((sk2 = X509_STORE_CTX_get_chain(ctx))); + ExpectNull((sk3 = X509_STORE_CTX_get1_chain(NULL))); + ExpectNull((sk3 = X509_STORE_CTX_get1_chain(ctx))); + X509_STORE_CTX_free(ctx); + ctx = NULL; + X509_STORE_free(str); + str = NULL; + /* CTX certs not freed yet */ + X509_free(x5092); + x5092 = NULL; + sk_X509_pop_free(sk, NULL); + sk = NULL; + /* sk3 is dup so free here */ + sk_X509_pop_free(sk3, NULL); + sk3 = NULL; +#endif + + /* test X509_STORE_CTX_get/set_ex_data */ + { + int i = 0, tmpData = 5; + void* tmpDataRet; + ExpectNotNull(ctx = X509_STORE_CTX_new()); + #ifdef HAVE_EX_DATA + for (i = 0; i < MAX_EX_DATA; i++) { + ExpectIntEQ(X509_STORE_CTX_set_ex_data(ctx, i, &tmpData), + WOLFSSL_SUCCESS); + tmpDataRet = (int*)X509_STORE_CTX_get_ex_data(ctx, i); + ExpectNotNull(tmpDataRet); + ExpectIntEQ(tmpData, *(int*)tmpDataRet); + } + #else + ExpectIntEQ(X509_STORE_CTX_set_ex_data(ctx, i, &tmpData), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + tmpDataRet = (int*)X509_STORE_CTX_get_ex_data(ctx, i); + ExpectNull(tmpDataRet); + #endif + X509_STORE_CTX_free(ctx); + ctx = NULL; + } + + /* test X509_STORE_get/set_ex_data */ + { + int i = 0, tmpData = 99; + void* tmpDataRet; + ExpectNotNull(str = X509_STORE_new()); + #ifdef HAVE_EX_DATA + for (i = 0; i < MAX_EX_DATA; i++) { + ExpectIntEQ(X509_STORE_set_ex_data(str, i, &tmpData), + WOLFSSL_SUCCESS); + tmpDataRet = (int*)X509_STORE_get_ex_data(str, i); + 
ExpectNotNull(tmpDataRet); + ExpectIntEQ(tmpData, *(int*)tmpDataRet); + } + #else + ExpectIntEQ(X509_STORE_set_ex_data(str, i, &tmpData), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + tmpDataRet = (int*)X509_STORE_get_ex_data(str, i); + ExpectNull(tmpDataRet); + #endif + X509_STORE_free(str); + str = NULL; + } + +#endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ + * !defined(NO_FILESYSTEM) && !defined(NO_RSA) */ + + return EXPECT_RESULT(); +} + +#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) + +typedef struct { + const char *caFile; + const char *caIntFile; + const char *caInt2File; + const char *leafFile; + X509 *x509Ca; + X509 *x509CaInt; + X509 *x509CaInt2; + X509 *x509Leaf; + STACK_OF(X509)* expectedChain; +} X509_STORE_test_data; + +static X509 * test_wolfSSL_X509_STORE_CTX_ex_helper(const char *file) +{ + XFILE fp = XBADFILE; + X509 *x = NULL; + + fp = XFOPEN(file, "rb"); + if (fp == NULL) { + return NULL; + } + x = PEM_read_X509(fp, 0, 0, 0); + XFCLOSE(fp); + + return x; +} + +static int test_wolfSSL_X509_STORE_CTX_ex1(X509_STORE_test_data *testData) +{ + EXPECT_DECLS; + X509_STORE* store = NULL; + X509_STORE_CTX* ctx = NULL; + STACK_OF(X509)* chain = NULL; + int i = 0; + + /* Test case 1, add X509 certs to store and verify */ + ExpectNotNull(store = X509_STORE_new()); + ExpectIntEQ(X509_STORE_add_cert(store, testData->x509Ca), 1); + ExpectIntEQ(X509_STORE_add_cert(store, testData->x509CaInt), 1); + ExpectIntEQ(X509_STORE_add_cert(store, testData->x509CaInt2), 1); + ExpectNotNull(ctx = X509_STORE_CTX_new()); + ExpectIntEQ(X509_STORE_CTX_init(ctx, store, testData->x509Leaf, NULL), 1); + ExpectIntEQ(X509_verify_cert(ctx), 1); + ExpectNotNull(chain = X509_STORE_CTX_get_chain(ctx)); + ExpectIntEQ(sk_X509_num(chain), sk_X509_num(testData->expectedChain)); + for (i = 0; i < sk_X509_num(chain); i++) { + ExpectIntEQ(X509_cmp(sk_X509_value(chain, i), + sk_X509_value(testData->expectedChain, i)), 0); + } + 
X509_STORE_CTX_free(ctx); + X509_STORE_free(store); + return EXPECT_RESULT(); +} + +static int test_wolfSSL_X509_STORE_CTX_ex2(X509_STORE_test_data *testData) +{ + EXPECT_DECLS; + X509_STORE* store = NULL; + X509_STORE_CTX* ctx = NULL; + STACK_OF(X509)* chain = NULL; + int i = 0; + + /* Test case 2, add certs by filename to store and verify */ + ExpectNotNull(store = X509_STORE_new()); + ExpectIntEQ(X509_STORE_load_locations( + store, testData->caFile, NULL), 1); + ExpectIntEQ(X509_STORE_load_locations( + store, testData->caIntFile, NULL), 1); + ExpectIntEQ(X509_STORE_load_locations( + store, testData->caInt2File, NULL), 1); + ExpectNotNull(ctx = X509_STORE_CTX_new()); + ExpectIntEQ(X509_STORE_CTX_init(ctx, store, testData->x509Leaf, NULL), 1); + ExpectIntEQ(X509_verify_cert(ctx), 1); + ExpectNotNull(chain = X509_STORE_CTX_get_chain(ctx)); + ExpectIntEQ(sk_X509_num(chain), sk_X509_num(testData->expectedChain)); + for (i = 0; i < sk_X509_num(chain); i++) { + ExpectIntEQ(X509_cmp(sk_X509_value(chain, i), + sk_X509_value(testData->expectedChain, i)), 0); + } + X509_STORE_CTX_free(ctx); + X509_STORE_free(store); + return EXPECT_RESULT(); +} + +static int test_wolfSSL_X509_STORE_CTX_ex3(X509_STORE_test_data *testData) +{ + EXPECT_DECLS; + X509_STORE* store = NULL; + X509_STORE_CTX* ctx = NULL; + STACK_OF(X509)* chain = NULL; + int i = 0; + + /* Test case 3, mix and match X509 with files */ + ExpectNotNull(store = X509_STORE_new()); + ExpectIntEQ(X509_STORE_add_cert(store, testData->x509CaInt), 1); + ExpectIntEQ(X509_STORE_add_cert(store, testData->x509CaInt2), 1); + ExpectIntEQ(X509_STORE_load_locations( + store, testData->caFile, NULL), 1); + ExpectNotNull(ctx = X509_STORE_CTX_new()); + ExpectIntEQ(X509_STORE_CTX_init(ctx, store, testData->x509Leaf, NULL), 1); + ExpectIntEQ(X509_verify_cert(ctx), 1); + ExpectNotNull(chain = X509_STORE_CTX_get_chain(ctx)); + ExpectIntEQ(sk_X509_num(chain), sk_X509_num(testData->expectedChain)); + for (i = 0; i < sk_X509_num(chain); i++) 
{ + ExpectIntEQ(X509_cmp(sk_X509_value(chain, i), + sk_X509_value(testData->expectedChain, i)), 0); + } + X509_STORE_CTX_free(ctx); + X509_STORE_free(store); + return EXPECT_RESULT(); +} + +static int test_wolfSSL_X509_STORE_CTX_ex4(X509_STORE_test_data *testData) +{ + EXPECT_DECLS; + X509_STORE* store = NULL; + X509_STORE_CTX* ctx = NULL; + STACK_OF(X509)* chain = NULL; + STACK_OF(X509)* inter = NULL; + int i = 0; + + /* Test case 4, CA loaded by file, intermediates passed on init */ + ExpectNotNull(store = X509_STORE_new()); + ExpectIntEQ(X509_STORE_load_locations( + store, testData->caFile, NULL), 1); + ExpectNotNull(inter = sk_X509_new_null()); + ExpectIntGE(sk_X509_push(inter, testData->x509CaInt), 1); + ExpectIntGE(sk_X509_push(inter, testData->x509CaInt2), 1); + ExpectNotNull(ctx = X509_STORE_CTX_new()); + ExpectIntEQ(X509_STORE_CTX_init(ctx, store, testData->x509Leaf, inter), 1); + ExpectIntEQ(X509_verify_cert(ctx), 1); + ExpectNotNull(chain = X509_STORE_CTX_get_chain(ctx)); + ExpectIntEQ(sk_X509_num(chain), sk_X509_num(testData->expectedChain)); + for (i = 0; i < sk_X509_num(chain); i++) { + ExpectIntEQ(X509_cmp(sk_X509_value(chain, i), + sk_X509_value(testData->expectedChain, i)), 0); + } + X509_STORE_CTX_free(ctx); + X509_STORE_free(store); + sk_X509_free(inter); + return EXPECT_RESULT(); +} + +static int test_wolfSSL_X509_STORE_CTX_ex5(X509_STORE_test_data *testData) +{ + EXPECT_DECLS; + X509_STORE* store = NULL; + X509_STORE_CTX* ctx = NULL; + STACK_OF(X509)* chain = NULL; + STACK_OF(X509)* trusted = NULL; + int i = 0; + + /* Test case 5, manually set trusted stack */ + ExpectNotNull(store = X509_STORE_new()); + ExpectNotNull(trusted = sk_X509_new_null()); + ExpectIntGE(sk_X509_push(trusted, testData->x509Ca), 1); + ExpectIntGE(sk_X509_push(trusted, testData->x509CaInt), 1); + ExpectIntGE(sk_X509_push(trusted, testData->x509CaInt2), 1); + ExpectNotNull(ctx = X509_STORE_CTX_new()); + ExpectIntEQ(X509_STORE_CTX_init(ctx, store, testData->x509Leaf, NULL), 
1); + X509_STORE_CTX_trusted_stack(ctx, trusted); + ExpectIntEQ(X509_verify_cert(ctx), 1); + ExpectNotNull(chain = X509_STORE_CTX_get_chain(ctx)); + ExpectIntEQ(sk_X509_num(chain), sk_X509_num(testData->expectedChain)); + for (i = 0; i < sk_X509_num(chain); i++) { + ExpectIntEQ(X509_cmp(sk_X509_value(chain, i), + sk_X509_value(testData->expectedChain, i)), 0); + } + X509_STORE_CTX_free(ctx); + X509_STORE_free(store); + sk_X509_free(trusted); + return EXPECT_RESULT(); +} + +static int test_wolfSSL_X509_STORE_CTX_ex6(X509_STORE_test_data *testData) +{ + EXPECT_DECLS; + X509_STORE* store = NULL; + X509_STORE_CTX* ctx = NULL; + STACK_OF(X509)* chain = NULL; + STACK_OF(X509)* trusted = NULL; + STACK_OF(X509)* inter = NULL; + int i = 0; + + /* Test case 6, manually set trusted stack will be unified with + * any intermediates provided on init */ + ExpectNotNull(store = X509_STORE_new()); + ExpectNotNull(trusted = sk_X509_new_null()); + ExpectNotNull(inter = sk_X509_new_null()); + ExpectIntGE(sk_X509_push(trusted, testData->x509Ca), 1); + ExpectIntGE(sk_X509_push(inter, testData->x509CaInt), 1); + ExpectIntGE(sk_X509_push(inter, testData->x509CaInt2), 1); + ExpectNotNull(ctx = X509_STORE_CTX_new()); + ExpectIntEQ(X509_STORE_CTX_init(ctx, store, testData->x509Leaf, inter), 1); + X509_STORE_CTX_trusted_stack(ctx, trusted); + ExpectIntEQ(X509_verify_cert(ctx), 1); + ExpectNotNull(chain = X509_STORE_CTX_get_chain(ctx)); + ExpectIntEQ(sk_X509_num(chain), sk_X509_num(testData->expectedChain)); + for (i = 0; i < sk_X509_num(chain); i++) { + ExpectIntEQ(X509_cmp(sk_X509_value(chain, i), + sk_X509_value(testData->expectedChain, i)), 0); + } + X509_STORE_CTX_free(ctx); + X509_STORE_free(store); + sk_X509_free(trusted); + sk_X509_free(inter); + return EXPECT_RESULT(); +} + +static int test_wolfSSL_X509_STORE_CTX_ex7(X509_STORE_test_data *testData) +{ + EXPECT_DECLS; + X509_STORE* store = NULL; + X509_STORE_CTX* ctx = NULL; + STACK_OF(X509)* chain = NULL; + int i = 0; + + /* Test case 
7, certs added to store after ctx init are still used */ + ExpectNotNull(store = X509_STORE_new()); + ExpectNotNull(ctx = X509_STORE_CTX_new()); + ExpectIntEQ(X509_STORE_CTX_init(ctx, store, testData->x509Leaf, NULL), 1); + ExpectIntNE(X509_verify_cert(ctx), 1); + ExpectIntEQ(X509_STORE_add_cert(store, testData->x509CaInt2), 1); + ExpectIntEQ(X509_STORE_add_cert(store, testData->x509CaInt), 1); + ExpectIntEQ(X509_STORE_add_cert(store, testData->x509Ca), 1); + ExpectIntEQ(X509_verify_cert(ctx), 1); + ExpectNotNull(chain = X509_STORE_CTX_get_chain(ctx)); + ExpectIntEQ(sk_X509_num(chain), sk_X509_num(testData->expectedChain)); + for (i = 0; i < sk_X509_num(chain); i++) { + ExpectIntEQ(X509_cmp(sk_X509_value(chain, i), + sk_X509_value(testData->expectedChain, i)), 0); + } + X509_STORE_CTX_free(ctx); + X509_STORE_free(store); + return EXPECT_RESULT(); +} + +static int test_wolfSSL_X509_STORE_CTX_ex8(X509_STORE_test_data *testData) +{ + EXPECT_DECLS; + X509_STORE* store = NULL; + X509_STORE_CTX* ctx = NULL; + STACK_OF(X509)* chain = NULL; + int i = 0; + + /* Test case 8, Only full chain verifies */ + ExpectNotNull(store = X509_STORE_new()); + ExpectNotNull(ctx = X509_STORE_CTX_new()); + ExpectIntEQ(X509_STORE_CTX_init(ctx, store, testData->x509Leaf, NULL), 1); + ExpectIntNE(X509_verify_cert(ctx), 1); + ExpectIntEQ(X509_STORE_add_cert(store, testData->x509CaInt2), 1); + ExpectIntNE(X509_verify_cert(ctx), 1); + ExpectIntEQ(X509_STORE_add_cert(store, testData->x509CaInt), 1); + ExpectIntNE(X509_verify_cert(ctx), 1); + ExpectIntEQ(X509_STORE_add_cert(store, testData->x509Ca), 1); + ExpectIntEQ(X509_verify_cert(ctx), 1); + ExpectNotNull(chain = X509_STORE_CTX_get_chain(ctx)); + ExpectIntEQ(sk_X509_num(chain), sk_X509_num(testData->expectedChain)); + for (i = 0; i < sk_X509_num(chain); i++) { + ExpectIntEQ(X509_cmp(sk_X509_value(chain, i), + sk_X509_value(testData->expectedChain, i)), 0); + } + X509_STORE_CTX_free(ctx); + X509_STORE_free(store); + return EXPECT_RESULT(); +} + 
+static int test_wolfSSL_X509_STORE_CTX_ex9(X509_STORE_test_data *testData) +{ + EXPECT_DECLS; + X509_STORE* store = NULL; + X509_STORE_CTX* ctx = NULL; + X509_STORE_CTX* ctx2 = NULL; + STACK_OF(X509)* trusted = NULL; + + /* Test case 9, certs added to store should not be reflected in ctx that + * has been manually set with a trusted stack, but are reflected in ctx + * that has not set trusted stack */ + ExpectNotNull(store = X509_STORE_new()); + ExpectNotNull(ctx = X509_STORE_CTX_new()); + ExpectNotNull(ctx2 = X509_STORE_CTX_new()); + ExpectNotNull(trusted = sk_X509_new_null()); + ExpectIntGE(sk_X509_push(trusted, testData->x509Ca), 1); + ExpectIntGE(sk_X509_push(trusted, testData->x509CaInt), 1); + ExpectIntGE(sk_X509_push(trusted, testData->x509CaInt2), 1); + ExpectIntEQ(X509_STORE_CTX_init(ctx, store, testData->x509Leaf, NULL), 1); + ExpectIntEQ(X509_STORE_CTX_init(ctx2, store, testData->x509Leaf, NULL), 1); + ExpectIntNE(X509_verify_cert(ctx), 1); + ExpectIntNE(X509_verify_cert(ctx2), 1); + X509_STORE_CTX_trusted_stack(ctx, trusted); + /* CTX1 should now verify */ + ExpectIntEQ(X509_verify_cert(ctx), 1); + ExpectIntNE(X509_verify_cert(ctx2), 1); + ExpectIntEQ(X509_STORE_add_cert(store, testData->x509Ca), 1); + ExpectIntEQ(X509_STORE_add_cert(store, testData->x509CaInt), 1); + ExpectIntEQ(X509_STORE_add_cert(store, testData->x509CaInt2), 1); + /* CTX2 should now verify */ + ExpectIntEQ(X509_verify_cert(ctx2), 1); + X509_STORE_CTX_free(ctx); + X509_STORE_CTX_free(ctx2); + X509_STORE_free(store); + sk_X509_free(trusted); + return EXPECT_RESULT(); +} + +static int test_wolfSSL_X509_STORE_CTX_ex10(X509_STORE_test_data *testData) +{ + EXPECT_DECLS; + X509_STORE* store = NULL; + X509_STORE_CTX* ctx = NULL; + STACK_OF(X509)* chain = NULL; + + /* Test case 10, ensure partial chain flag works */ + ExpectNotNull(store = X509_STORE_new()); + ExpectIntEQ(X509_STORE_add_cert(store, testData->x509CaInt), 1); + ExpectIntEQ(X509_STORE_add_cert(store, testData->x509CaInt2), 1); 
+ ExpectNotNull(ctx = X509_STORE_CTX_new()); + ExpectIntEQ(X509_STORE_CTX_init(ctx, store, testData->x509Leaf, NULL), 1); + /* Fails because chain is incomplete */ + ExpectIntNE(X509_verify_cert(ctx), 1); + ExpectIntEQ(X509_STORE_set_flags(store, X509_V_FLAG_PARTIAL_CHAIN), 1); + /* Partial chain now OK */ + ExpectIntEQ(X509_verify_cert(ctx), 1); + ExpectNotNull(chain = X509_STORE_CTX_get_chain(ctx)); + X509_STORE_CTX_free(ctx); + X509_STORE_free(store); + return EXPECT_RESULT(); +} + +static int test_wolfSSL_X509_STORE_CTX_ex11(X509_STORE_test_data *testData) +{ + EXPECT_DECLS; + X509_STORE* store = NULL; + X509_STORE_CTX* ctx = NULL; + STACK_OF(X509)* chain = NULL; + + /* Test case 11, test partial chain flag on ctx itself */ + ExpectNotNull(store = X509_STORE_new()); + ExpectIntEQ(X509_STORE_add_cert(store, testData->x509CaInt), 1); + ExpectIntEQ(X509_STORE_add_cert(store, testData->x509CaInt2), 1); + ExpectNotNull(ctx = X509_STORE_CTX_new()); + ExpectIntEQ(X509_STORE_CTX_init(ctx, store, testData->x509Leaf, NULL), 1); + /* Fails because chain is incomplete */ + ExpectIntNE(X509_verify_cert(ctx), 1); + X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_PARTIAL_CHAIN); + /* Partial chain now OK */ + ExpectIntEQ(X509_verify_cert(ctx), 1); + ExpectNotNull(chain = X509_STORE_CTX_get_chain(ctx)); + X509_STORE_CTX_free(ctx); + X509_STORE_free(store); + return EXPECT_RESULT(); +} + +#ifdef HAVE_ECC +static int test_wolfSSL_X509_STORE_CTX_ex12(void) +{ + EXPECT_DECLS; + X509_STORE* store = NULL; + X509_STORE_CTX* ctx = NULL; + STACK_OF(X509)* chain = NULL; + X509* rootEccX509 = NULL; + X509* badAkiX509 = NULL; + X509* ca1X509 = NULL; + + const char* intCARootECCFile = "./certs/ca-ecc-cert.pem"; + const char* intCA1ECCFile = "./certs/intermediate/ca-int-ecc-cert.pem"; + const char* intCABadAKIECCFile = "./certs/intermediate/ca-ecc-bad-aki.pem"; + + /* Test case 12, multiple CAs with the same SKI including 1 with + intentionally bad/unregistered AKI. 
x509_verify_cert should still form a + valid chain using the valid CA, ignoring the bad CA. Developed from + customer provided reproducer. */ + + ExpectNotNull(store = X509_STORE_new()); + ExpectNotNull(rootEccX509 = test_wolfSSL_X509_STORE_CTX_ex_helper( + intCARootECCFile)); + ExpectIntEQ(X509_STORE_add_cert(store, rootEccX509), 1); + ExpectNotNull(badAkiX509 = test_wolfSSL_X509_STORE_CTX_ex_helper( + intCABadAKIECCFile)); + ExpectNotNull(ctx = X509_STORE_CTX_new()); + ExpectIntEQ(X509_STORE_CTX_init(ctx, store, badAkiX509, NULL), 1); + ExpectIntEQ(X509_verify_cert(ctx), 0); + X509_STORE_CTX_cleanup(ctx); + + ExpectIntEQ(X509_STORE_add_cert(store, badAkiX509), 1); + ExpectNotNull(ca1X509 = test_wolfSSL_X509_STORE_CTX_ex_helper( + intCA1ECCFile)); + ExpectIntEQ(X509_STORE_CTX_init(ctx, store, ca1X509, NULL), 1); + ExpectIntEQ(X509_verify_cert(ctx), 1); + ExpectNotNull(chain = X509_STORE_CTX_get_chain(ctx)); + + X509_STORE_CTX_free(ctx); + X509_STORE_free(store); + X509_free(rootEccX509); + X509_free(badAkiX509); + X509_free(ca1X509); + return EXPECT_RESULT(); +} +#endif +#endif + +int test_wolfSSL_X509_STORE_CTX_ex(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) + X509_STORE_test_data testData; + XMEMSET((void *)&testData, 0, sizeof(X509_STORE_test_data)); + testData.caFile = "./certs/ca-cert.pem"; + testData.caIntFile = "./certs/intermediate/ca-int-cert.pem"; + testData.caInt2File = "./certs/intermediate/ca-int2-cert.pem"; + testData.leafFile = "./certs/intermediate/server-chain.pem"; + + ExpectNotNull(testData.x509Ca = \ + test_wolfSSL_X509_STORE_CTX_ex_helper(testData.caFile)); + ExpectNotNull(testData.x509CaInt = \ + test_wolfSSL_X509_STORE_CTX_ex_helper(testData.caIntFile)); + ExpectNotNull(testData.x509CaInt2 = \ + test_wolfSSL_X509_STORE_CTX_ex_helper(testData.caInt2File)); + ExpectNotNull(testData.x509Leaf = \ + test_wolfSSL_X509_STORE_CTX_ex_helper(testData.leafFile)); + 
ExpectNotNull(testData.expectedChain = sk_X509_new_null()); + ExpectIntGE(sk_X509_push(testData.expectedChain, testData.x509Leaf), 1); + ExpectIntGE(sk_X509_push(testData.expectedChain, testData.x509CaInt2), 1); + ExpectIntGE(sk_X509_push(testData.expectedChain, testData.x509CaInt), 1); + ExpectIntGE(sk_X509_push(testData.expectedChain, testData.x509Ca), 1); + + ExpectIntEQ(test_wolfSSL_X509_STORE_CTX_ex1(&testData), 1); + ExpectIntEQ(test_wolfSSL_X509_STORE_CTX_ex2(&testData), 1); + ExpectIntEQ(test_wolfSSL_X509_STORE_CTX_ex3(&testData), 1); + ExpectIntEQ(test_wolfSSL_X509_STORE_CTX_ex4(&testData), 1); + ExpectIntEQ(test_wolfSSL_X509_STORE_CTX_ex5(&testData), 1); + ExpectIntEQ(test_wolfSSL_X509_STORE_CTX_ex6(&testData), 1); + ExpectIntEQ(test_wolfSSL_X509_STORE_CTX_ex7(&testData), 1); + ExpectIntEQ(test_wolfSSL_X509_STORE_CTX_ex8(&testData), 1); + ExpectIntEQ(test_wolfSSL_X509_STORE_CTX_ex9(&testData), 1); + ExpectIntEQ(test_wolfSSL_X509_STORE_CTX_ex10(&testData), 1); + ExpectIntEQ(test_wolfSSL_X509_STORE_CTX_ex11(&testData), 1); +#ifdef HAVE_ECC + ExpectIntEQ(test_wolfSSL_X509_STORE_CTX_ex12(), 1); +#endif + + if(testData.x509Ca) { + X509_free(testData.x509Ca); + } + if(testData.x509CaInt) { + X509_free(testData.x509CaInt); + } + if(testData.x509CaInt2) { + X509_free(testData.x509CaInt2); + } + if(testData.x509Leaf) { + X509_free(testData.x509Leaf); + } + if (testData.expectedChain) { + sk_X509_free(testData.expectedChain); + } + +#endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ + * !defined(NO_FILESYSTEM) && !defined(NO_RSA) */ + + return EXPECT_RESULT(); +} + +#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_FILESYSTEM) +static int test_X509_STORE_untrusted_load_cert_to_stack(const char* filename, + STACK_OF(X509)* chain) +{ + EXPECT_DECLS; + XFILE fp = XBADFILE; + X509* cert = NULL; + + ExpectTrue((fp = XFOPEN(filename, "rb")) + != XBADFILE); + ExpectNotNull(cert = PEM_read_X509(fp, 0, 0, 0 )); + if (fp != XBADFILE) { + XFCLOSE(fp); + 
fp = XBADFILE; + } + ExpectIntGT(sk_X509_push(chain, cert), 0); + if (EXPECT_FAIL()) + X509_free(cert); + + return EXPECT_RESULT(); +} + +static int test_X509_STORE_untrusted_certs(const char** filenames, int ret, + int err, int loadCA) +{ + EXPECT_DECLS; + X509_STORE_CTX* ctx = NULL; + X509_STORE* str = NULL; + XFILE fp = XBADFILE; + X509* cert = NULL; + STACK_OF(X509)* untrusted = NULL; + + ExpectTrue((fp = XFOPEN("./certs/intermediate/server-int-cert.pem", "rb")) + != XBADFILE); + ExpectNotNull(cert = PEM_read_X509(fp, 0, 0, 0 )); + if (fp != XBADFILE) { + XFCLOSE(fp); + fp = XBADFILE; + } + + ExpectNotNull(str = X509_STORE_new()); + ExpectNotNull(ctx = X509_STORE_CTX_new()); + ExpectNotNull(untrusted = sk_X509_new_null()); + + ExpectIntEQ(X509_STORE_set_flags(str, 0), 1); + if (loadCA) { + ExpectIntEQ(X509_STORE_load_locations(str, "./certs/ca-cert.pem", NULL), + 1); + } + for (; *filenames; filenames++) { + ExpectIntEQ(test_X509_STORE_untrusted_load_cert_to_stack(*filenames, + untrusted), TEST_SUCCESS); + } + + ExpectIntEQ(X509_STORE_CTX_init(ctx, str, cert, untrusted), 1); + ExpectIntEQ(X509_verify_cert(ctx), ret); + ExpectIntEQ(X509_STORE_CTX_get_error(ctx), err); + + X509_free(cert); + X509_STORE_free(str); + X509_STORE_CTX_free(ctx); + sk_X509_pop_free(untrusted, NULL); + + return EXPECT_RESULT(); +} +#endif + +int test_X509_STORE_untrusted(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_FILESYSTEM) + const char* untrusted1[] = { + "./certs/intermediate/ca-int2-cert.pem", + NULL + }; + const char* untrusted2[] = { + "./certs/intermediate/ca-int-cert.pem", + "./certs/intermediate/ca-int2-cert.pem", + NULL + }; + const char* untrusted3[] = { + "./certs/intermediate/ca-int-cert.pem", + "./certs/intermediate/ca-int2-cert.pem", + "./certs/ca-cert.pem", + NULL + }; + /* Adding unrelated certs that should be ignored */ + const char* untrusted4[] = { + "./certs/client-ca.pem", + "./certs/intermediate/ca-int-cert.pem", + 
"./certs/server-cert.pem", + "./certs/intermediate/ca-int2-cert.pem", + NULL + }; + + /* Only immediate issuer in untrusted chain. Fails since can't build chain + * to loaded CA. */ + ExpectIntEQ(test_X509_STORE_untrusted_certs(untrusted1, 0, + X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, 1), TEST_SUCCESS); + /* Succeeds because path to loaded CA is available. */ + ExpectIntEQ(test_X509_STORE_untrusted_certs(untrusted2, 1, 0, 1), + TEST_SUCCESS); + /* Root CA in untrusted chain is OK so long as CA has been loaded + * properly */ + ExpectIntEQ(test_X509_STORE_untrusted_certs(untrusted3, 1, 0, 1), + TEST_SUCCESS); + /* Still needs properly loaded CA, while including it in untrusted + * list is not an error, it also doesn't count for verify */ + ExpectIntEQ(test_X509_STORE_untrusted_certs(untrusted3, 0, + X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, 0), + TEST_SUCCESS); + /* Succeeds because path to loaded CA is available. */ + ExpectIntEQ(test_X509_STORE_untrusted_certs(untrusted4, 1, 0, 1), + TEST_SUCCESS); +#endif + return EXPECT_RESULT(); +} + +#if defined(OPENSSL_ALL) && !defined(NO_RSA) && !defined(NO_FILESYSTEM) + +static int last_errcode; +static int last_errdepth; + +static int X509Callback(int ok, X509_STORE_CTX *ctx) +{ + + if (!ok) { + last_errcode = X509_STORE_CTX_get_error(ctx); + last_errdepth = X509_STORE_CTX_get_error_depth(ctx); + } + /* Always return OK to allow verification to continue.*/ + return 1; +} + +#endif + +int test_X509_STORE_InvalidCa(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_ALL) && !defined(NO_RSA) && !defined(NO_FILESYSTEM) + const char* filename = "./certs/intermediate/ca_false_intermediate/" + "test_int_not_cacert.pem"; + const char* srvfile = "./certs/intermediate/ca_false_intermediate/" + "test_sign_bynoca_srv.pem"; + X509_STORE_CTX* ctx = NULL; + X509_STORE* str = NULL; + XFILE fp = XBADFILE; + X509* cert = NULL; + STACK_OF(X509)* untrusted = NULL; + + last_errcode = 0; + last_errdepth = 0; + + ExpectTrue((fp = 
XFOPEN(srvfile, "rb")) + != XBADFILE); + ExpectNotNull(cert = PEM_read_X509(fp, 0, 0, 0 )); + if (fp != XBADFILE) { + XFCLOSE(fp); + fp = XBADFILE; + } + + ExpectNotNull(str = X509_STORE_new()); + ExpectNotNull(ctx = X509_STORE_CTX_new()); + ExpectNotNull(untrusted = sk_X509_new_null()); + + /* create cert chain stack */ + ExpectIntEQ(test_X509_STORE_untrusted_load_cert_to_stack(filename, + untrusted), TEST_SUCCESS); + + X509_STORE_set_verify_cb(str, X509Callback); + + ExpectIntEQ(X509_STORE_load_locations(str, + "./certs/intermediate/ca_false_intermediate/test_ca.pem", + NULL), 1); + + ExpectIntEQ(X509_STORE_CTX_init(ctx, str, cert, untrusted), 1); + ExpectIntEQ(X509_verify_cert(ctx), 1); + ExpectIntEQ(last_errcode, X509_V_ERR_INVALID_CA); + + X509_free(cert); + X509_STORE_free(str); + X509_STORE_CTX_free(ctx); + sk_X509_pop_free(untrusted, NULL); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_X509_STORE_CTX_trusted_stack_cleanup(void) +{ + int res = TEST_SKIPPED; +#if defined(OPENSSL_EXTRA) + X509_STORE_CTX_cleanup(NULL); + X509_STORE_CTX_trusted_stack(NULL, NULL); + + res = TEST_SUCCESS; +#endif + return res; +} + +int test_wolfSSL_X509_STORE_CTX_get_issuer(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_FILESYSTEM) + X509_STORE_CTX* ctx = NULL; + X509_STORE* str = NULL; + X509* x509Ca = NULL; + X509* x509Svr = NULL; + X509* issuer = NULL; + X509_NAME* caName = NULL; + X509_NAME* issuerName = NULL; + + ExpectNotNull(ctx = X509_STORE_CTX_new()); + ExpectNotNull((str = wolfSSL_X509_STORE_new())); + ExpectNotNull((x509Ca = + wolfSSL_X509_load_certificate_file(caCertFile, SSL_FILETYPE_PEM))); + ExpectIntEQ(X509_STORE_add_cert(str, x509Ca), SSL_SUCCESS); + ExpectNotNull((x509Svr = + wolfSSL_X509_load_certificate_file(svrCertFile, SSL_FILETYPE_PEM))); + + ExpectIntEQ(X509_STORE_CTX_init(ctx, str, x509Svr, NULL), SSL_SUCCESS); + + /* Issuer0 is not set until chain is built for verification */ + 
ExpectNull(X509_STORE_CTX_get0_current_issuer(NULL)); + ExpectNull(issuer = X509_STORE_CTX_get0_current_issuer(ctx)); + + /* Issuer1 will use the store to make a new issuer */ + ExpectIntEQ(X509_STORE_CTX_get1_issuer(&issuer, ctx, x509Svr), 1); + ExpectNotNull(issuer); + X509_free(issuer); + + ExpectIntEQ(X509_verify_cert(ctx), 1); + ExpectNotNull(issuer = X509_STORE_CTX_get0_current_issuer(ctx)); + ExpectNotNull(caName = X509_get_subject_name(x509Ca)); + ExpectNotNull(issuerName = X509_get_subject_name(issuer)); +#ifdef WOLFSSL_SIGNER_DER_CERT + ExpectIntEQ(X509_NAME_cmp(caName, issuerName), 0); +#endif + + X509_STORE_CTX_free(ctx); + X509_free(x509Svr); + X509_STORE_free(str); + X509_free(x509Ca); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_X509_STORE_set_flags(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) + X509_STORE* store = NULL; + X509* x509 = NULL; + + ExpectNotNull((store = wolfSSL_X509_STORE_new())); + ExpectNotNull((x509 = wolfSSL_X509_load_certificate_file(svrCertFile, + WOLFSSL_FILETYPE_PEM))); + ExpectIntEQ(X509_STORE_add_cert(store, x509), WOLFSSL_SUCCESS); + +#ifdef HAVE_CRL + ExpectIntEQ(X509_STORE_set_flags(store, WOLFSSL_CRL_CHECKALL), + WOLFSSL_SUCCESS); +#else + ExpectIntEQ(X509_STORE_set_flags(store, WOLFSSL_CRL_CHECKALL), + WC_NO_ERR_TRACE(NOT_COMPILED_IN)); +#endif + + wolfSSL_X509_free(x509); + wolfSSL_X509_STORE_free(store); +#endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && + * !defined(NO_FILESYSTEM) && !defined(NO_RSA) */ + return EXPECT_RESULT(); +} + +int test_wolfSSL_X509_STORE(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_TLS) && \ + !defined(NO_FILESYSTEM) + X509_STORE *store = NULL; + +#ifdef HAVE_CRL + X509_STORE_CTX *storeCtx = NULL; + X509 *ca = NULL; + X509 *cert = NULL; + const char srvCert[] = "./certs/server-revoked-cert.pem"; + const char caCert[] = "./certs/ca-cert.pem"; +#ifndef 
WOLFSSL_CRL_ALLOW_MISSING_CDP + X509_CRL *crl = NULL; + const char crlPem[] = "./certs/crl/crl.revoked"; + XFILE fp = XBADFILE; +#endif /* !WOLFSSL_CRL_ALLOW_MISSING_CDP */ + + ExpectNotNull(store = (X509_STORE *)X509_STORE_new()); + ExpectNotNull((ca = wolfSSL_X509_load_certificate_file(caCert, + SSL_FILETYPE_PEM))); + ExpectIntEQ(X509_STORE_add_cert(store, ca), SSL_SUCCESS); + ExpectNotNull((cert = wolfSSL_X509_load_certificate_file(srvCert, + SSL_FILETYPE_PEM))); + ExpectNotNull((storeCtx = X509_STORE_CTX_new())); + ExpectIntEQ(X509_STORE_CTX_init(storeCtx, store, cert, NULL), SSL_SUCCESS); + ExpectIntEQ(X509_verify_cert(storeCtx), SSL_SUCCESS); + X509_STORE_free(store); + store = NULL; + X509_STORE_CTX_free(storeCtx); + storeCtx = NULL; + X509_free(cert); + cert = NULL; + X509_free(ca); + ca = NULL; + +#ifndef WOLFSSL_CRL_ALLOW_MISSING_CDP + /* should fail to verify now after adding in CRL */ + ExpectNotNull(store = (X509_STORE *)X509_STORE_new()); + ExpectNotNull((ca = wolfSSL_X509_load_certificate_file(caCert, + SSL_FILETYPE_PEM))); + ExpectIntEQ(X509_STORE_add_cert(store, ca), SSL_SUCCESS); + ExpectTrue((fp = XFOPEN(crlPem, "rb")) != XBADFILE); + ExpectNotNull(crl = (X509_CRL *)PEM_read_X509_CRL(fp, (X509_CRL **)NULL, + NULL, NULL)); + if (fp != XBADFILE) + XFCLOSE(fp); + ExpectIntEQ(X509_STORE_add_crl(store, crl), SSL_SUCCESS); + ExpectIntEQ(X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK),SSL_SUCCESS); + ExpectNotNull((storeCtx = X509_STORE_CTX_new())); + ExpectNotNull((cert = wolfSSL_X509_load_certificate_file(srvCert, + SSL_FILETYPE_PEM))); + ExpectIntEQ(X509_STORE_CTX_init(storeCtx, store, cert, NULL), SSL_SUCCESS); + ExpectIntNE(X509_verify_cert(storeCtx), SSL_SUCCESS); + ExpectIntEQ(X509_STORE_CTX_get_error(storeCtx), + WOLFSSL_X509_V_ERR_CERT_REVOKED); + X509_CRL_free(crl); + crl = NULL; + X509_STORE_free(store); + store = NULL; + X509_STORE_CTX_free(storeCtx); + storeCtx = NULL; + X509_free(cert); + cert = NULL; + X509_free(ca); + ca = NULL; 
+#endif /* !WOLFSSL_CRL_ALLOW_MISSING_CDP */ +#endif /* HAVE_CRL */ + +#if !defined(WOLFCRYPT_ONLY) && !defined(NO_FILESYSTEM) + { + #if !defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER) + SSL_CTX* ctx = NULL; + SSL* ssl = NULL; + int i; + for (i = 0; i < 2; i++) { + #ifndef NO_WOLFSSL_SERVER + ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); + #else + ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); + #endif + ExpectNotNull(store = (X509_STORE *)X509_STORE_new()); + SSL_CTX_set_cert_store(ctx, store); + ExpectNotNull(store = (X509_STORE *)X509_STORE_new()); + SSL_CTX_set_cert_store(ctx, store); + ExpectNotNull(store = (X509_STORE *)X509_STORE_new()); + ExpectIntEQ(SSL_CTX_use_certificate_file(ctx, svrCertFile, + SSL_FILETYPE_PEM), SSL_SUCCESS); + ExpectIntEQ(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, + SSL_FILETYPE_PEM), SSL_SUCCESS); + ExpectNotNull(ssl = SSL_new(ctx)); + if (i == 0) { + ExpectIntEQ(SSL_set0_verify_cert_store(ssl, store), + SSL_SUCCESS); + } + else { + ExpectIntEQ(SSL_set1_verify_cert_store(ssl, store), + SSL_SUCCESS); + #ifdef OPENSSL_ALL + ExpectIntEQ(SSL_CTX_set1_verify_cert_store(ctx, store), + SSL_SUCCESS); + #endif + } + if (EXPECT_FAIL() || (i == 1)) { + X509_STORE_free(store); + store = NULL; + } + SSL_free(ssl); + ssl = NULL; + SSL_CTX_free(ctx); + ctx = NULL; + } + #endif /* !NO_WOLFSSL_CLIENT || !NO_WOLFSSL_SERVER */ + } +#endif +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_X509_STORE_load_locations(void) +{ + EXPECT_DECLS; +#if (defined(OPENSSL_ALL) || defined(WOLFSSL_APACHE_HTTPD)) && \ + !defined(NO_FILESYSTEM) && !defined(NO_WOLFSSL_DIR) && !defined(NO_RSA) && \ + !defined(NO_TLS) + SSL_CTX *ctx = NULL; + X509_STORE *store = NULL; + + const char ca_file[] = "./certs/ca-cert.pem"; + const char client_pem_file[] = "./certs/client-cert.pem"; + const char client_der_file[] = "./certs/client-cert.der"; + const char ecc_file[] = "./certs/ecc-key.pem"; + const char certs_path[] = "./certs/"; 
+ const char bad_path[] = "./bad-path/"; +#ifdef HAVE_CRL + const char crl_path[] = "./certs/crl/"; + const char crl_file[] = "./certs/crl/crl.pem"; +#endif + +#ifndef NO_WOLFSSL_SERVER + ExpectNotNull(ctx = SSL_CTX_new(SSLv23_server_method())); +#else + ExpectNotNull(ctx = SSL_CTX_new(SSLv23_client_method())); +#endif + ExpectNotNull(store = SSL_CTX_get_cert_store(ctx)); + ExpectIntEQ(wolfSSL_CertManagerLoadCA(store->cm, ca_file, NULL), + WOLFSSL_SUCCESS); + + /* Test bad arguments */ + ExpectIntEQ(X509_STORE_load_locations(NULL, ca_file, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(X509_STORE_load_locations(store, NULL, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(X509_STORE_load_locations(store, client_der_file, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(X509_STORE_load_locations(store, ecc_file, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(X509_STORE_load_locations(store, NULL, bad_path), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + +#ifdef HAVE_CRL + /* Test with CRL */ + ExpectIntEQ(X509_STORE_load_locations(store, crl_file, NULL), + WOLFSSL_SUCCESS); + ExpectIntEQ(X509_STORE_load_locations(store, NULL, crl_path), + WOLFSSL_SUCCESS); +#endif + + /* Test with CA */ + ExpectIntEQ(X509_STORE_load_locations(store, ca_file, NULL), + WOLFSSL_SUCCESS); + + /* Test with client_cert and certs path */ + ExpectIntEQ(X509_STORE_load_locations(store, client_pem_file, NULL), + WOLFSSL_SUCCESS); + ExpectIntEQ(X509_STORE_load_locations(store, NULL, certs_path), + WOLFSSL_SUCCESS); + +#if defined(XGETENV) && !defined(NO_GETENV) && defined(_POSIX_C_SOURCE) && \ + _POSIX_C_SOURCE >= 200112L + ExpectIntEQ(wolfSSL_CTX_UnloadCAs(ctx), WOLFSSL_SUCCESS); + /* Test with env vars */ + ExpectIntEQ(setenv("SSL_CERT_FILE", client_pem_file, 1), 0); + ExpectIntEQ(setenv("SSL_CERT_DIR", certs_path, 1), 0); + ExpectIntEQ(X509_STORE_set_default_paths(store), WOLFSSL_SUCCESS); +#endif + +#if defined(OPENSSL_EXTRA) || 
defined(DEBUG_WOLFSSL_VERBOSE) + /* Clear nodes */ + ERR_clear_error(); +#endif + + SSL_CTX_free(ctx); +#endif + return EXPECT_RESULT(); +} + +int test_X509_STORE_get0_objects(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_ALL) && !defined(NO_FILESYSTEM) && !defined(NO_TLS) && \ + !defined(NO_WOLFSSL_DIR) && !defined(NO_RSA) + X509_STORE *store = NULL; + X509_STORE *store_cpy = NULL; + SSL_CTX *ctx = NULL; + X509_OBJECT *obj = NULL; +#ifdef HAVE_CRL + X509_OBJECT *objCopy = NULL; +#endif + STACK_OF(X509_OBJECT) *objs = NULL; + STACK_OF(X509_OBJECT) *objsCopy = NULL; + int i; + + /* Setup store */ +#ifndef NO_WOLFSSL_SERVER + ExpectNotNull(ctx = SSL_CTX_new(SSLv23_server_method())); +#else + ExpectNotNull(ctx = SSL_CTX_new(SSLv23_client_method())); +#endif + ExpectNotNull(store_cpy = X509_STORE_new()); + ExpectNotNull(store = SSL_CTX_get_cert_store(ctx)); + ExpectIntEQ(X509_STORE_load_locations(store, cliCertFile, NULL), + WOLFSSL_SUCCESS); + ExpectIntEQ(X509_STORE_load_locations(store, caCertFile, NULL), + WOLFSSL_SUCCESS); + ExpectIntEQ(X509_STORE_load_locations(store, svrCertFile, NULL), + WOLFSSL_SUCCESS); +#ifdef HAVE_CRL + ExpectIntEQ(X509_STORE_load_locations(store, NULL, crlPemDir), + WOLFSSL_SUCCESS); +#endif + /* Store ready */ + + /* Similar to HaProxy ssl_set_cert_crl_file use case */ + ExpectNotNull(objs = X509_STORE_get0_objects(store)); +#ifdef HAVE_CRL +#ifdef WOLFSSL_SIGNER_DER_CERT + ExpectIntEQ(sk_X509_OBJECT_num(objs), 4); +#else + ExpectIntEQ(sk_X509_OBJECT_num(objs), 1); +#endif +#else +#ifdef WOLFSSL_SIGNER_DER_CERT + ExpectIntEQ(sk_X509_OBJECT_num(objs), 3); +#else + ExpectIntEQ(sk_X509_OBJECT_num(objs), 0); +#endif +#endif + ExpectIntEQ(sk_X509_OBJECT_num(NULL), 0); + ExpectNull(sk_X509_OBJECT_value(NULL, 0)); + ExpectNull(sk_X509_OBJECT_value(NULL, 1)); + ExpectNull(sk_X509_OBJECT_value(objs, sk_X509_OBJECT_num(objs))); + ExpectNull(sk_X509_OBJECT_value(objs, sk_X509_OBJECT_num(objs) + 1)); +#ifndef NO_WOLFSSL_STUB + 
ExpectNull(sk_X509_OBJECT_delete(objs, 0)); +#endif + ExpectNotNull(objsCopy = sk_X509_OBJECT_deep_copy(objs, NULL, NULL)); + ExpectIntEQ(sk_X509_OBJECT_num(objs), sk_X509_OBJECT_num(objsCopy)); + for (i = 0; i < sk_X509_OBJECT_num(objs) && EXPECT_SUCCESS(); i++) { + obj = (X509_OBJECT*)sk_X509_OBJECT_value(objs, i); + #ifdef HAVE_CRL + objCopy = (X509_OBJECT*)sk_X509_OBJECT_value(objsCopy, i); + #endif + switch (X509_OBJECT_get_type(obj)) { + case X509_LU_X509: + { + X509* x509 = NULL; + X509_NAME *subj_name = NULL; + ExpectNull(X509_OBJECT_get0_X509_CRL(NULL)); + ExpectNull(X509_OBJECT_get0_X509_CRL(obj)); + ExpectNotNull(x509 = X509_OBJECT_get0_X509(obj)); + ExpectIntEQ(X509_STORE_add_cert(store_cpy, x509), WOLFSSL_SUCCESS); + ExpectNotNull(subj_name = X509_get_subject_name(x509)); + ExpectPtrEq(obj, X509_OBJECT_retrieve_by_subject(objs, X509_LU_X509, + subj_name)); + + break; + } + case X509_LU_CRL: +#ifdef HAVE_CRL + { + X509_CRL* crl = NULL; + ExpectNull(X509_OBJECT_get0_X509(NULL)); + ExpectNull(X509_OBJECT_get0_X509(obj)); + ExpectNotNull(crl = X509_OBJECT_get0_X509_CRL(obj)); + ExpectIntEQ(X509_STORE_add_crl(store_cpy, crl), WOLFSSL_SUCCESS); + ExpectNotNull(crl = X509_OBJECT_get0_X509_CRL(objCopy)); + break; + } +#endif + case X509_LU_NONE: + default: + Fail(("X509_OBJECT_get_type should return x509 or crl " + "(when built with crl support)"), + ("Unrecognized X509_OBJECT type or none")); + } + } + + X509_STORE_free(store_cpy); + SSL_CTX_free(ctx); + + wolfSSL_sk_X509_OBJECT_free(NULL); + objs = NULL; + wolfSSL_sk_pop_free(objsCopy, NULL); + objsCopy = NULL; + ExpectNotNull(objs = wolfSSL_sk_X509_OBJECT_new()); + ExpectIntEQ(wolfSSL_sk_X509_OBJECT_push(NULL, NULL), WOLFSSL_FAILURE); + ExpectIntEQ(wolfSSL_sk_X509_OBJECT_push(objs, NULL), WOLFSSL_FAILURE); + ExpectIntEQ(wolfSSL_sk_X509_OBJECT_push(NULL, obj), WOLFSSL_FAILURE); + ExpectNotNull(objsCopy = sk_X509_OBJECT_deep_copy(objs, NULL, NULL)); + wolfSSL_sk_X509_OBJECT_free(objsCopy); + 
wolfSSL_sk_X509_OBJECT_free(objs); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_X509_STORE_get1_certs(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_SIGNER_DER_CERT) && \ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) + X509_STORE_CTX *storeCtx = NULL; + X509_STORE *store = NULL; + X509 *caX509 = NULL; + X509 *svrX509 = NULL; + X509_NAME *subject = NULL; + WOLF_STACK_OF(WOLFSSL_X509) *certs = NULL; + + ExpectNotNull(caX509 = X509_load_certificate_file(caCertFile, + SSL_FILETYPE_PEM)); + ExpectNotNull((svrX509 = wolfSSL_X509_load_certificate_file(svrCertFile, + SSL_FILETYPE_PEM))); + ExpectNotNull(storeCtx = X509_STORE_CTX_new()); + ExpectNotNull(store = X509_STORE_new()); + ExpectNotNull(subject = X509_get_subject_name(caX509)); + + /* Errors */ + ExpectNull(X509_STORE_get1_certs(storeCtx, subject)); + ExpectNull(X509_STORE_get1_certs(NULL, subject)); + ExpectNull(X509_STORE_get1_certs(storeCtx, NULL)); + + ExpectIntEQ(X509_STORE_add_cert(store, caX509), SSL_SUCCESS); + ExpectIntEQ(X509_STORE_CTX_init(storeCtx, store, caX509, NULL), + SSL_SUCCESS); + + /* Should find the cert */ + ExpectNotNull(certs = X509_STORE_get1_certs(storeCtx, subject)); + ExpectIntEQ(1, wolfSSL_sk_X509_num(certs)); + + sk_X509_pop_free(certs, NULL); + certs = NULL; + + /* Should not find the cert */ + ExpectNotNull(subject = X509_get_subject_name(svrX509)); + ExpectNotNull(certs = X509_STORE_get1_certs(storeCtx, subject)); + ExpectIntEQ(0, wolfSSL_sk_X509_num(certs)); + + sk_X509_pop_free(certs, NULL); + certs = NULL; + + X509_STORE_free(store); + X509_STORE_CTX_free(storeCtx); + X509_free(svrX509); + X509_free(caX509); +#endif /* OPENSSL_EXTRA && WOLFSSL_SIGNER_DER_CERT && !NO_FILESYSTEM */ + return EXPECT_RESULT(); +} + +#if defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \ + defined(WOLFSSL_LOCAL_X509_STORE) && \ + (defined(OPENSSL_ALL) || defined(WOLFSSL_QT)) && defined(HAVE_CRL) +static int test_wolfSSL_X509_STORE_set_get_crl_provider(X509_STORE_CTX* 
ctx, + X509_CRL** crl_out, X509* cert) { + X509_CRL *crl = NULL; + XFILE fp = XBADFILE; + char* cert_issuer = X509_NAME_oneline(X509_get_issuer_name(cert), NULL, 0); + int ret = 0; + + (void)ctx; + + if (cert_issuer == NULL) + return 0; + + if ((fp = XFOPEN("certs/crl/crl.pem", "rb")) != XBADFILE) { + PEM_read_X509_CRL(fp, &crl, NULL, NULL); + XFCLOSE(fp); + if (crl != NULL) { + char* crl_issuer = X509_NAME_oneline( + X509_CRL_get_issuer(crl), NULL, 0); + if ((crl_issuer != NULL) && + (XSTRCMP(cert_issuer, crl_issuer) == 0)) { + *crl_out = X509_CRL_dup(crl); + if (*crl_out != NULL) + ret = 1; + } + OPENSSL_free(crl_issuer); + } + } + + X509_CRL_free(crl); + OPENSSL_free(cert_issuer); + return ret; +} + +static int test_wolfSSL_X509_STORE_set_get_crl_provider2(X509_STORE_CTX* ctx, + X509_CRL** crl_out, X509* cert) { + (void)ctx; + (void)cert; + *crl_out = NULL; + return 1; +} + +#ifndef NO_WOLFSSL_STUB +static int test_wolfSSL_X509_STORE_set_get_crl_check(X509_STORE_CTX* ctx, + X509_CRL* crl) { + (void)ctx; + (void)crl; + return 1; +} +#endif + +static int test_wolfSSL_X509_STORE_set_get_crl_verify(int ok, + X509_STORE_CTX* ctx) { + int cert_error = X509_STORE_CTX_get_error(ctx); + X509_VERIFY_PARAM* param = X509_STORE_CTX_get0_param(ctx); + int flags = X509_VERIFY_PARAM_get_flags(param); + if ((flags & (X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL)) != + (X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL)) { + /* Make sure the flags are set */ + return 0; + } + /* Ignore CRL missing error */ +#ifndef OPENSSL_COMPATIBLE_DEFAULTS + if (cert_error == WC_NO_ERR_TRACE(CRL_MISSING)) +#else + if (cert_error == X509_V_ERR_UNABLE_TO_GET_CRL) +#endif + return 1; + return ok; +} + +static int test_wolfSSL_X509_STORE_set_get_crl_ctx_ready(WOLFSSL_CTX* ctx) +{ + EXPECT_DECLS; + X509_STORE* cert_store = NULL; + + ExpectIntEQ(wolfSSL_CTX_EnableCRL(ctx, WOLFSSL_CRL_CHECKALL), + WOLFSSL_SUCCESS); + ExpectNotNull(cert_store = SSL_CTX_get_cert_store(ctx)); + 
X509_STORE_set_get_crl(cert_store, + test_wolfSSL_X509_STORE_set_get_crl_provider); +#ifndef NO_WOLFSSL_STUB + X509_STORE_set_check_crl(cert_store, + test_wolfSSL_X509_STORE_set_get_crl_check); +#endif + + return EXPECT_RESULT(); +} + +static int test_wolfSSL_X509_STORE_set_get_crl_ctx_ready2(WOLFSSL_CTX* ctx) +{ + EXPECT_DECLS; + X509_STORE* cert_store = NULL; + X509_VERIFY_PARAM* param = NULL; + + SSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, NULL); + ExpectIntEQ(wolfSSL_CTX_EnableCRL(ctx, WOLFSSL_CRL_CHECKALL), + WOLFSSL_SUCCESS); + ExpectNotNull(cert_store = SSL_CTX_get_cert_store(ctx)); + X509_STORE_set_get_crl(cert_store, + test_wolfSSL_X509_STORE_set_get_crl_provider2); +#ifndef NO_WOLFSSL_STUB + X509_STORE_set_check_crl(cert_store, + test_wolfSSL_X509_STORE_set_get_crl_check); +#endif + X509_STORE_set_verify_cb(cert_store, + test_wolfSSL_X509_STORE_set_get_crl_verify); + ExpectNotNull(X509_STORE_get0_param(cert_store)); + ExpectNotNull(param = X509_VERIFY_PARAM_new()); + ExpectIntEQ(X509_VERIFY_PARAM_inherit(NULL, NULL) , WOLFSSL_SUCCESS); + ExpectIntEQ(X509_VERIFY_PARAM_inherit(param, NULL) , WOLFSSL_SUCCESS); + ExpectIntEQ(X509_VERIFY_PARAM_inherit(param, + X509_STORE_get0_param(cert_store)), WOLFSSL_SUCCESS); + ExpectIntEQ(X509_VERIFY_PARAM_inherit(param, + X509_STORE_get0_param(cert_store)), 1); + ExpectIntEQ(X509_VERIFY_PARAM_set_flags( + param, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL), 1); + ExpectIntEQ(X509_STORE_set1_param(cert_store, param), 1); + ExpectIntEQ(X509_STORE_set_flags(cert_store, + X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL), 1); + + + X509_VERIFY_PARAM_free(param); + return EXPECT_RESULT(); +} +#endif + +/* This test mimics the usage of the CRL provider in gRPC */ +int test_wolfSSL_X509_STORE_set_get_crl(void) +{ + EXPECT_DECLS; +#if defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \ + defined(WOLFSSL_LOCAL_X509_STORE) && \ + (defined(OPENSSL_ALL) || defined(WOLFSSL_QT)) && defined(HAVE_CRL) + test_ssl_cbf func_cb_client; 
+ test_ssl_cbf func_cb_server; + + XMEMSET(&func_cb_client, 0, sizeof(func_cb_client)); + XMEMSET(&func_cb_server, 0, sizeof(func_cb_server)); + + func_cb_client.ctx_ready = test_wolfSSL_X509_STORE_set_get_crl_ctx_ready; + + ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&func_cb_client, + &func_cb_server, NULL), TEST_SUCCESS); + + XMEMSET(&func_cb_client, 0, sizeof(func_cb_client)); + XMEMSET(&func_cb_server, 0, sizeof(func_cb_server)); + + func_cb_client.ctx_ready = test_wolfSSL_X509_STORE_set_get_crl_ctx_ready2; + + ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&func_cb_client, + &func_cb_server, NULL), TEST_SUCCESS); +#endif + return EXPECT_RESULT(); +} + +int test_wolfSSL_X509_CA_num(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_FILESYSTEM) && \ + defined(HAVE_ECC) && !defined(NO_RSA) + WOLFSSL_X509_STORE *store = NULL; + WOLFSSL_X509 *x509_1 = NULL; + WOLFSSL_X509 *x509_2 = NULL; + int ca_num = 0; + + ExpectNotNull(store = wolfSSL_X509_STORE_new()); + ExpectNotNull(x509_1 = wolfSSL_X509_load_certificate_file(svrCertFile, + WOLFSSL_FILETYPE_PEM)); + ExpectIntEQ(wolfSSL_X509_STORE_add_cert(store, x509_1), 1); + ExpectIntEQ(ca_num = wolfSSL_X509_CA_num(store), 1); + + ExpectNotNull(x509_2 = wolfSSL_X509_load_certificate_file(eccCertFile, + WOLFSSL_FILETYPE_PEM)); + ExpectIntEQ(wolfSSL_X509_STORE_add_cert(store, x509_2), 1); + ExpectIntEQ(ca_num = wolfSSL_X509_CA_num(store), 2); + + wolfSSL_X509_free(x509_1); + wolfSSL_X509_free(x509_2); + wolfSSL_X509_STORE_free(store); +#endif + return EXPECT_RESULT(); +} + +/* Test of X509 store use outside of SSL context w/ CRL lookup (ALWAYS + * returns 0) */ +int test_X509_STORE_No_SSL_CTX(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_ALL) && defined(WOLFSSL_CERT_GEN) && \ + (defined(WOLFSSL_CERT_REQ) || defined(WOLFSSL_CERT_EXT)) && \ + !defined(NO_FILESYSTEM) && !defined(NO_WOLFSSL_DIR) && \ + (defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)) && \ + 
defined(HAVE_CRL) && !defined(NO_RSA) + + X509_STORE * store = NULL; + X509_STORE_CTX * storeCtx = NULL; + X509_CRL * crl = NULL; + X509 * ca = NULL; + X509 * cert = NULL; + const char cliCrlPem[] = "./certs/crl/cliCrl.pem"; + const char srvCert[] = "./certs/server-cert.pem"; + const char caCert[] = "./certs/ca-cert.pem"; + const char caDir[] = "./certs/crl/hash_pem"; + XFILE fp = XBADFILE; + X509_LOOKUP * lookup = NULL; + + ExpectNotNull(store = (X509_STORE *)X509_STORE_new()); + + /* Set up store with CA */ + ExpectNotNull((ca = wolfSSL_X509_load_certificate_file(caCert, + SSL_FILETYPE_PEM))); + ExpectIntEQ(X509_STORE_add_cert(store, ca), SSL_SUCCESS); + + /* Add CRL lookup directory to store + * NOTE: test uses ./certs/crl/hash_pem/0fdb2da4.r0, which is a copy + * of crl.pem */ + ExpectNotNull((lookup = X509_STORE_add_lookup(store, + X509_LOOKUP_hash_dir()))); + ExpectIntEQ(X509_LOOKUP_ctrl(lookup, X509_L_ADD_DIR, caDir, + X509_FILETYPE_PEM, NULL), SSL_SUCCESS); + + ExpectIntEQ(X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK), + SSL_SUCCESS); + + /* Add CRL to store NOT containing the verified certificate, which + * forces use of the CRL lookup directory */ + ExpectTrue((fp = XFOPEN(cliCrlPem, "rb")) != XBADFILE); + ExpectNotNull(crl = (X509_CRL *)PEM_read_X509_CRL(fp, (X509_CRL **)NULL, + NULL, NULL)); + if (fp != XBADFILE) + XFCLOSE(fp); + ExpectIntEQ(X509_STORE_add_crl(store, crl), SSL_SUCCESS); + + /* Create verification context outside of an SSL session */ + ExpectNotNull((storeCtx = X509_STORE_CTX_new())); + ExpectNotNull((cert = wolfSSL_X509_load_certificate_file(srvCert, + SSL_FILETYPE_PEM))); + ExpectIntEQ(X509_STORE_CTX_init(storeCtx, store, cert, NULL), SSL_SUCCESS); + + /* Perform verification, which should NOT indicate CRL missing due to the + * store CM's X509 store pointer being NULL */ + ExpectIntNE(X509_verify_cert(storeCtx), WC_NO_ERR_TRACE(CRL_MISSING)); + + X509_CRL_free(crl); + X509_STORE_free(store); + X509_STORE_CTX_free(storeCtx); + 
X509_free(cert); + X509_free(ca); +#endif + return EXPECT_RESULT(); +} + diff --git a/tests/api/test_ossl_x509_str.h b/tests/api/test_ossl_x509_str.h new file mode 100644 index 00000000000..3337141a6c5 --- /dev/null +++ b/tests/api/test_ossl_x509_str.h 
@@ -0,0 +1,66 @@
+/* test_ossl_x509_str.h
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#ifndef WOLFCRYPT_TEST_OSSL_X509_STR_H
+#define WOLFCRYPT_TEST_OSSL_X509_STR_H
+
+#include
+
+int test_wolfSSL_X509_STORE_CTX_set_time(void);
+int test_wolfSSL_X509_STORE_CTX_get0_store(void);
+int test_wolfSSL_X509_STORE_CTX(void);
+int test_wolfSSL_X509_STORE_CTX_ex(void);
+int test_X509_STORE_untrusted(void);
+int test_X509_STORE_InvalidCa(void);
+int test_wolfSSL_X509_STORE_CTX_trusted_stack_cleanup(void);
+int test_wolfSSL_X509_STORE_CTX_get_issuer(void);
+int test_wolfSSL_X509_STORE_set_flags(void);
+int test_wolfSSL_X509_STORE(void);
+int test_wolfSSL_X509_STORE_load_locations(void);
+int test_X509_STORE_get0_objects(void);
+int test_wolfSSL_X509_STORE_get1_certs(void);
+int test_wolfSSL_X509_STORE_set_get_crl(void);
+int test_wolfSSL_X509_CA_num(void);
+int test_X509_STORE_No_SSL_CTX(void);
+
+#define TEST_OSSL_X509_STORE_DECLS \
+ TEST_DECL_GROUP("ossl_x509_store", test_wolfSSL_X509_STORE_CTX_set_time), \
+ TEST_DECL_GROUP("ossl_x509_store", \
+ test_wolfSSL_X509_STORE_CTX_get0_store), \
+ TEST_DECL_GROUP("ossl_x509_store", test_wolfSSL_X509_STORE_CTX), \
+ TEST_DECL_GROUP("ossl_x509_store", test_wolfSSL_X509_STORE_CTX_ex), \
+ TEST_DECL_GROUP("ossl_x509_store", test_X509_STORE_untrusted), \
+ TEST_DECL_GROUP("ossl_x509_store", test_X509_STORE_InvalidCa), \
+ TEST_DECL_GROUP("ossl_x509_store", \
+ test_wolfSSL_X509_STORE_CTX_trusted_stack_cleanup), \
+ TEST_DECL_GROUP("ossl_x509_store", \
+ test_wolfSSL_X509_STORE_CTX_get_issuer), \
+ TEST_DECL_GROUP("ossl_x509_store", test_wolfSSL_X509_STORE_set_flags), \
+ TEST_DECL_GROUP("ossl_x509_store", test_wolfSSL_X509_STORE), \
+ TEST_DECL_GROUP("ossl_x509_store", \
+ test_wolfSSL_X509_STORE_load_locations), \
+ TEST_DECL_GROUP("ossl_x509_store", test_X509_STORE_get0_objects), \
+ TEST_DECL_GROUP("ossl_x509_store", test_wolfSSL_X509_STORE_get1_certs), \
+ TEST_DECL_GROUP("ossl_x509_store", test_wolfSSL_X509_STORE_set_get_crl), \
+ TEST_DECL_GROUP("ossl_x509_store", test_wolfSSL_X509_CA_num), \
+ TEST_DECL_GROUP("ossl_x509_store", test_X509_STORE_No_SSL_CTX)
+
+#endif /* WOLFCRYPT_TEST_OSSL_X509_STR_H */
diff --git a/tests/api/test_ossl_x509_vp.c b/tests/api/test_ossl_x509_vp.c
new file mode 100644
index 00000000000..1ed80fee64f
--- /dev/null
+++ b/tests/api/test_ossl_x509_vp.c
@@ -0,0 +1,276 @@
+/* test_ossl_x509_vp.c
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#include
+
+#ifdef NO_INLINE
+ #include
+#else
+ #define WOLFSSL_MISC_INCLUDED
+ #include
+#endif
+
+#include
+#include
+#include
+
+int test_wolfSSL_X509_VERIFY_PARAM(void)
+{
+ EXPECT_DECLS;
+#if defined(OPENSSL_EXTRA)
+ X509_VERIFY_PARAM *paramTo = NULL;
+ X509_VERIFY_PARAM *paramFrom = NULL;
+ char testIPv4[] = "127.0.0.1";
+ char testIPv6[] = "0001:0000:0000:0000:0000:0000:0000:0000/32";
+ char testhostName1[] = "foo.hoge.com";
+ char testhostName2[] = "foobar.hoge.com";
+
+ ExpectNotNull(paramTo = X509_VERIFY_PARAM_new());
+ ExpectNotNull(XMEMSET(paramTo, 0, sizeof(X509_VERIFY_PARAM)));
+
+ ExpectNotNull(paramFrom = X509_VERIFY_PARAM_new());
+ ExpectNotNull(XMEMSET(paramFrom, 0, sizeof(X509_VERIFY_PARAM)));
+
+ ExpectIntEQ(X509_VERIFY_PARAM_set1_host(paramFrom, testhostName1,
+ (int)XSTRLEN(testhostName1)), 1);
+ ExpectIntEQ(0, XSTRNCMP(paramFrom->hostName, testhostName1,
+ (int)XSTRLEN(testhostName1)));
+
+ X509_VERIFY_PARAM_set_hostflags(NULL, 0x00);
+
+ X509_VERIFY_PARAM_set_hostflags(paramFrom, 0x01);
+ ExpectIntEQ(0x01, paramFrom->hostFlags);
+
+ ExpectIntEQ(X509_VERIFY_PARAM_set1_ip_asc(NULL, testIPv4), 0);
+
+ ExpectIntEQ(X509_VERIFY_PARAM_set1_ip_asc(paramFrom, testIPv4), 1);
+ ExpectIntEQ(0, XSTRNCMP(paramFrom->ipasc, testIPv4, WOLFSSL_MAX_IPSTR));
+
+ ExpectIntEQ(X509_VERIFY_PARAM_set1_ip_asc(paramFrom, NULL), 1);
+
+ ExpectIntEQ(X509_VERIFY_PARAM_set1_ip_asc(paramFrom, testIPv6), 1);
+ ExpectIntEQ(0, XSTRNCMP(paramFrom->ipasc, testIPv6, WOLFSSL_MAX_IPSTR));
+
+ /* null pointer */
+ ExpectIntEQ(X509_VERIFY_PARAM_set1(NULL, paramFrom), 0);
+ /* in the case of "from" null, returns success */
+ ExpectIntEQ(X509_VERIFY_PARAM_set1(paramTo, NULL), 1);
+
+ ExpectIntEQ(X509_VERIFY_PARAM_set1(NULL, NULL), 0);
+
+ /* inherit flags test : VPARAM_DEFAULT */
+ ExpectIntEQ(X509_VERIFY_PARAM_set1(paramTo, paramFrom), 1);
+ ExpectIntEQ(0, XSTRNCMP(paramTo->hostName, testhostName1,
+ (int)XSTRLEN(testhostName1)));
+ ExpectIntEQ(0x01, paramTo->hostFlags);
+ ExpectIntEQ(0, XSTRNCMP(paramTo->ipasc, testIPv6, WOLFSSL_MAX_IPSTR));
+
+ /* inherit flags test : VPARAM OVERWRITE */
+ ExpectIntEQ(X509_VERIFY_PARAM_set1_host(paramTo, testhostName2,
+ (int)XSTRLEN(testhostName2)), 1);
+ ExpectIntEQ(X509_VERIFY_PARAM_set1_ip_asc(paramTo, testIPv4), 1);
+ X509_VERIFY_PARAM_set_hostflags(paramTo, 0x00);
+
+ if (paramTo != NULL) {
+ paramTo->inherit_flags = X509_VP_FLAG_OVERWRITE;
+ }
+
+ ExpectIntEQ(X509_VERIFY_PARAM_set1(paramTo, paramFrom), 1);
+ ExpectIntEQ(0, XSTRNCMP(paramTo->hostName, testhostName1,
+ (int)XSTRLEN(testhostName1)));
+ ExpectIntEQ(0x01, paramTo->hostFlags);
+ ExpectIntEQ(0, XSTRNCMP(paramTo->ipasc, testIPv6, WOLFSSL_MAX_IPSTR));
+
+ /* inherit flags test : VPARAM_RESET_FLAGS */
+ ExpectIntEQ(X509_VERIFY_PARAM_set1_host(paramTo, testhostName2,
+ (int)XSTRLEN(testhostName2)), 1);
+ ExpectIntEQ(X509_VERIFY_PARAM_set1_ip_asc(paramTo, testIPv4), 1);
+ X509_VERIFY_PARAM_set_hostflags(paramTo, 0x10);
+
+ if (paramTo != NULL) {
+ paramTo->inherit_flags = X509_VP_FLAG_RESET_FLAGS;
+ }
+
+ ExpectIntEQ(X509_VERIFY_PARAM_set1(paramTo, paramFrom), 1);
+ ExpectIntEQ(0, XSTRNCMP(paramTo->hostName, testhostName1,
+ (int)XSTRLEN(testhostName1)));
+ ExpectIntEQ(0x01, paramTo->hostFlags);
+ ExpectIntEQ(0, XSTRNCMP(paramTo->ipasc, testIPv6, WOLFSSL_MAX_IPSTR));
+ ExpectIntEQ(0, XSTRNCMP(paramTo->ipasc, testIPv6, WOLFSSL_MAX_IPSTR));
+
+ /* inherit flags test : VPARAM_LOCKED */
+ ExpectIntEQ(X509_VERIFY_PARAM_set1_host(paramTo, testhostName2,
+ (int)XSTRLEN(testhostName2)), 1);
+ ExpectIntEQ(X509_VERIFY_PARAM_set1_ip_asc(paramTo, testIPv4), 1);
+ X509_VERIFY_PARAM_set_hostflags(paramTo, 0x00);
+
+ if (paramTo != NULL) {
+ paramTo->inherit_flags = X509_VP_FLAG_LOCKED;
+ }
+
+ ExpectIntEQ(X509_VERIFY_PARAM_set1(paramTo, paramFrom), 1);
+ ExpectIntEQ(0, XSTRNCMP(paramTo->hostName, testhostName2,
+ (int)XSTRLEN(testhostName2)));
+ ExpectIntEQ(0x00, paramTo->hostFlags);
+ ExpectIntEQ(0, XSTRNCMP(paramTo->ipasc, testIPv4, WOLFSSL_MAX_IPSTR));
+
+ /* test for incorrect parameters */
+ ExpectIntEQ(X509_VERIFY_PARAM_set_flags(NULL, X509_V_FLAG_CRL_CHECK_ALL),
+ 0);
+
+ ExpectIntEQ(X509_VERIFY_PARAM_set_flags(NULL, 0), 0);
+
+ /* inherit flags test : VPARAM_ONCE, not testable yet */
+
+ ExpectIntEQ(X509_VERIFY_PARAM_set_flags(paramTo, X509_V_FLAG_CRL_CHECK_ALL),
+ 1);
+
+ ExpectIntEQ(X509_VERIFY_PARAM_get_flags(NULL), 0);
+ ExpectIntEQ(X509_VERIFY_PARAM_get_flags(paramTo),
+ X509_V_FLAG_CRL_CHECK_ALL);
+
+ ExpectIntEQ(X509_VERIFY_PARAM_clear_flags(NULL, X509_V_FLAG_CRL_CHECK_ALL),
+ WOLFSSL_FAILURE);
+ ExpectIntEQ(X509_VERIFY_PARAM_clear_flags(paramTo,
+ X509_V_FLAG_CRL_CHECK_ALL), 1);
+
+ ExpectIntEQ(X509_VERIFY_PARAM_get_flags(paramTo), 0);
+
+ ExpectNull(wolfSSL_X509_VERIFY_PARAM_lookup(NULL));
+ ExpectNull(wolfSSL_X509_VERIFY_PARAM_lookup(""));
+ ExpectNotNull(wolfSSL_X509_VERIFY_PARAM_lookup("ssl_client"));
+ ExpectNotNull(wolfSSL_X509_VERIFY_PARAM_lookup("ssl_server"));
+
+ X509_VERIFY_PARAM_free(paramTo);
+ X509_VERIFY_PARAM_free(paramFrom);
+ X509_VERIFY_PARAM_free(NULL); /* to confirm NULL parameter gives no harm */
+#endif
+ return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509_VERIFY_PARAM_set1_ip(void)
+{
+ EXPECT_DECLS;
+#if defined(OPENSSL_EXTRA) && !defined(NO_FILESYSTEM)
+ unsigned char buf[16] = {0};
+ WOLFSSL_X509_VERIFY_PARAM* param = NULL;
+
+ ExpectNotNull(param = X509_VERIFY_PARAM_new());
+
+ ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(NULL, NULL, 1), WOLFSSL_FAILURE);
+ ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(param, NULL, 1), WOLFSSL_FAILURE);
+ ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(NULL, buf, 1), WOLFSSL_FAILURE);
+ ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(NULL, NULL, 16), WOLFSSL_FAILURE);
+ ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(NULL, NULL, 4), WOLFSSL_FAILURE);
+ ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(NULL, NULL, 0), WOLFSSL_FAILURE);
+ ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(param, buf, 1), WOLFSSL_FAILURE);
+ ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(param, NULL, 16), WOLFSSL_FAILURE);
+ ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(param, NULL, 4), WOLFSSL_FAILURE);
+ ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(NULL, buf, 16), WOLFSSL_FAILURE);
+ ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(NULL, buf, 4), WOLFSSL_FAILURE);
+ ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(NULL, buf, 0), WOLFSSL_FAILURE);
+
+ ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(param, NULL, 0), WOLFSSL_SUCCESS);
+
+ /* test 127.0.0.1 */
+ buf[0] =0x7f; buf[1] = 0; buf[2] = 0; buf[3] = 1;
+ ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(param, &buf[0], 4), SSL_SUCCESS);
+ ExpectIntEQ(XSTRNCMP(param->ipasc, "127.0.0.1", sizeof(param->ipasc)), 0);
+
+ /* test 2001:db8:3333:4444:5555:6666:7777:8888 */
+ buf[0]=32;buf[1]=1;buf[2]=13;buf[3]=184;
+ buf[4]=51;buf[5]=51;buf[6]=68;buf[7]=68;
+ buf[8]=85;buf[9]=85;buf[10]=102;buf[11]=102;
+ buf[12]=119;buf[13]=119;buf[14]=136;buf[15]=136;
+ ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(param, &buf[0], 16), SSL_SUCCESS);
+ ExpectIntEQ(XSTRNCMP(param->ipasc,
+ "2001:db8:3333:4444:5555:6666:7777:8888", sizeof(param->ipasc)), 0);
+
+ /* test 2001:db8:: */
+ buf[0]=32;buf[1]=1;buf[2]=13;buf[3]=184;
+ buf[4]=0;buf[5]=0;buf[6]=0;buf[7]=0;
+ buf[8]=0;buf[9]=0;buf[10]=0;buf[11]=0;
+ buf[12]=0;buf[13]=0;buf[14]=0;buf[15]=0;
+ ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(param, &buf[0], 16), SSL_SUCCESS);
+ ExpectIntEQ(XSTRNCMP(param->ipasc, "2001:db8::", sizeof(param->ipasc)), 0);
+
+ /* test ::1234:5678 */
+ buf[0]=0;buf[1]=0;buf[2]=0;buf[3]=0;
+ buf[4]=0;buf[5]=0;buf[6]=0;buf[7]=0;
+ buf[8]=0;buf[9]=0;buf[10]=0;buf[11]=0;
+ buf[12]=18;buf[13]=52;buf[14]=86;buf[15]=120;
+ ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(param, &buf[0], 16), SSL_SUCCESS);
+ ExpectIntEQ(XSTRNCMP(param->ipasc, "::1234:5678", sizeof(param->ipasc)), 0);
+
+
+ /* test 2001:db8::1234:5678 */
+ buf[0]=32;buf[1]=1;buf[2]=13;buf[3]=184;
+ buf[4]=0;buf[5]=0;buf[6]=0;buf[7]=0;
+ buf[8]=0;buf[9]=0;buf[10]=0;buf[11]=0;
+ buf[12]=18;buf[13]=52;buf[14]=86;buf[15]=120;
+ ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(param, &buf[0], 16), SSL_SUCCESS);
+ ExpectIntEQ(XSTRNCMP(param->ipasc, "2001:db8::1234:5678",
+ sizeof(param->ipasc)), 0);
+
+ /* test 2001:0db8:0001:0000:0000:0ab9:c0a8:0102*/
+ /* 2001:db8:1::ab9:c0a8:102 */
+ buf[0]=32;buf[1]=1;buf[2]=13;buf[3]=184;
+ buf[4]=0;buf[5]=1;buf[6]=0;buf[7]=0;
+ buf[8]=0;buf[9]=0;buf[10]=10;buf[11]=185;
+ buf[12]=192;buf[13]=168;buf[14]=1;buf[15]=2;
+ ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(param, &buf[0], 16), SSL_SUCCESS);
+ ExpectIntEQ(XSTRNCMP(param->ipasc, "2001:db8:1::ab9:c0a8:102",
+ sizeof(param->ipasc)), 0);
+
+ XFREE(param, HEAP_HINT, DYNAMIC_TYPE_OPENSSL);
+#endif /* OPENSSL_EXTRA */
+ return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509_VERIFY_PARAM_set1_host(void)
+{
+ EXPECT_DECLS;
+#if defined(OPENSSL_EXTRA)
+ const char host[] = "www.example.com";
+ WOLFSSL_X509_VERIFY_PARAM* pParam = NULL;
+
+ ExpectNotNull(pParam = (WOLFSSL_X509_VERIFY_PARAM*)XMALLOC(
+ sizeof(WOLFSSL_X509_VERIFY_PARAM), HEAP_HINT, DYNAMIC_TYPE_OPENSSL));
+ if (pParam != NULL) {
+ XMEMSET(pParam, 0, sizeof(WOLFSSL_X509_VERIFY_PARAM));
+
+ ExpectIntEQ(X509_VERIFY_PARAM_set1_host(NULL, host, sizeof(host)),
+ WOLFSSL_FAILURE);
+
+ X509_VERIFY_PARAM_set1_host(pParam, host, sizeof(host));
+
+ ExpectIntEQ(XMEMCMP(pParam->hostName, host, sizeof(host)), 0);
+
+ XMEMSET(pParam, 0, sizeof(WOLFSSL_X509_VERIFY_PARAM));
+
+ ExpectIntNE(XMEMCMP(pParam->hostName, host, sizeof(host)), 0);
+
+ XFREE(pParam, HEAP_HINT, DYNAMIC_TYPE_OPENSSL);
+ }
+#endif /* OPENSSL_EXTRA */
+ return EXPECT_RESULT();
+}
+
diff --git a/tests/api/test_ossl_x509_vp.h b/tests/api/test_ossl_x509_vp.h
new file mode 100644
index 00000000000..dc3737955a3
--- /dev/null
+++ b/tests/api/test_ossl_x509_vp.h
@@ -0,0 +1,36 @@
+/* test_ossl_x509_vp.h
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#ifndef WOLFCRYPT_TEST_OSSL_X509_VP_H
+#define WOLFCRYPT_TEST_OSSL_X509_VP_H
+
+#include
+
+int test_wolfSSL_X509_VERIFY_PARAM(void);
+int test_wolfSSL_X509_VERIFY_PARAM_set1_ip(void);
+int test_wolfSSL_X509_VERIFY_PARAM_set1_host(void);
+
+#define TEST_OSSL_X509_VFY_PARAMS_DECLS \
+ TEST_DECL_GROUP("ossl_x509_vp", test_wolfSSL_X509_VERIFY_PARAM), \
+ TEST_DECL_GROUP("ossl_x509_vp", test_wolfSSL_X509_VERIFY_PARAM_set1_ip), \
+ TEST_DECL_GROUP("ossl_x509_vp", test_wolfSSL_X509_VERIFY_PARAM_set1_host)
+
+#endif /* WOLFCRYPT_TEST_OSSL_X509_VP_H */
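Review bot: In test_wolfSSL_X509_VERIFY_PARAM_set1_host the return value of `X509_VERIFY_PARAM_set1_host(pParam, host, sizeof(host));` is discarded and the length passed includes the NUL terminator, whereas test_wolfSSL_X509_VERIFY_PARAM in the same file passes `(int)XSTRLEN(testhostName1)`; a setter that rejects or truncates the over-long name would only be caught indirectly by the XMEMCMP that follows. I would pin it as `ExpectIntEQ(X509_VERIFY_PARAM_set1_host(pParam, host, (int)XSTRLEN(host)), WOLFSSL_SUCCESS);` — the struct is zeroed just above, so the existing XMEMCMP over sizeof(host) still covers the terminator. In test_wolfSSL_X509_VERIFY_PARAM_set1_ip the object comes from X509_VERIFY_PARAM_new() but is released with `XFREE(param, HEAP_HINT, DYNAMIC_TYPE_OPENSSL);`, bypassing the type's own destructor and presumably leaking anything it is later made to own; `X509_VERIFY_PARAM_free(param);` matches the constructor, as the first test already does. Under the VPARAM_RESET_FLAGS section `ExpectIntEQ(0, XSTRNCMP(paramTo->ipasc, testIPv6, WOLFSSL_MAX_IPSTR));` is asserted twice in a row, so one copy can go.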
diff --git a/tests/utils.c b/tests/utils.c
index 08150c3e358..3ad6e673508 100644
--- a/tests/utils.c
+++ b/tests/utils.c
@@ -770,3 +770,26 @@ int test_memio_setup(struct test_memio_ctx *ctx,
 }
 #endif /* HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES */
 
+
+#if !defined(NO_FILESYSTEM) && defined(OPENSSL_EXTRA) && \
+ defined(DEBUG_UNIT_TEST_CERTS)
+/* Used when debugging name constraint tests. Not static to allow use in
+ * multiple locations with complex define guards. */
+void DEBUG_WRITE_CERT_X509(WOLFSSL_X509* x509, const char* fileName)
+{
+ BIO* out = BIO_new_file(fileName, "wb");
+ if (out != NULL) {
+ PEM_write_bio_X509(out, x509);
+ BIO_free(out);
+ }
+}
+void DEBUG_WRITE_DER(const byte* der, int derSz, const char* fileName)
+{
+ BIO* out = BIO_new_file(fileName, "wb");
+ if (out != NULL) {
+ BIO_write(out, der, derSz);
+ BIO_free(out);
+ }
+}
+#endif
+
diff --git a/tests/utils.h b/tests/utils.h
index aa5c2d436ab..34ba47d3483 100644
--- a/tests/utils.h
+++ b/tests/utils.h
@@ -82,4 +82,13 @@ int test_memio_modify_message_len(struct test_memio_ctx *ctx, int client, int ms
 int test_memio_remove_from_buffer(struct test_memio_ctx *ctx, int client, int off, int sz);
 #endif
 
+#if !defined(NO_FILESYSTEM) && defined(OPENSSL_EXTRA) && \
+ defined(DEBUG_UNIT_TEST_CERTS)
+void DEBUG_WRITE_CERT_X509(WOLFSSL_X509* x509, const char* fileName);
+void DEBUG_WRITE_DER(const byte* der, int derSz, const char* fileName);
+#else
+#define DEBUG_WRITE_CERT_X509(x509, fileName) WC_DO_NOTHING
+#define DEBUG_WRITE_DER(der, derSz, fileName) WC_DO_NOTHING
+#endif
+
 #endif /* TESTS_UTILS_H */
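Review bot: DEBUG_WRITE_CERT_X509 and DEBUG_WRITE_DER, moved here verbatim from tests/api.c, still discard the results of `PEM_write_bio_X509(out, x509);` and `BIO_write(out, der, derSz);`, so a failed or short write leaves a truncated file on disk with no indication — the opposite of what a debugging aid should do when someone is chasing a name-constraint failure. Since these only compile under DEBUG_UNIT_TEST_CERTS a stderr line is enough, e.g. `if (BIO_write(out, der, derSz) != derSz) fprintf(stderr, "DEBUG_WRITE_DER: short write to %s\n", fileName);` and the equivalent `!= 1` check on the PEM writer. The comment "Not static to allow use in multiple locations with complex define guards" is now explained by the prototypes added to tests/utils.h, so it could say "declared in tests/utils.h" instead of restating the linkage reason.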