cjson
fuzzing
inputs
test1 test10 test11 test2 test3 test3.bu test3.uf test3.uu test4 test5 test6 test7 test8 test9library_config
cJSONConfig.cmake.in cJSONConfigVersion.cmake.in libcjson.pc.in libcjson_utils.pc.in uninstall.cmaketests
inputs
test1 test1.expected test10 test10.expected test11 test11.expected test2 test2.expected test3 test3.expected test4 test4.expected test5 test5.expected test6 test7 test7.expected test8 test8.expected test9 test9.expectedjson-patch-tests
.editorconfig .gitignore .npmignore README.md cjson-utils-tests.json package.json spec_tests.json tests.jsonunity
auto
colour_prompt.rb colour_reporter.rb generate_config.yml generate_module.rb generate_test_runner.rb parse_output.rb stylize_as_junit.rb test_file_filter.rb type_sanitizer.rb unity_test_summary.py unity_test_summary.rb unity_to_junit.pydocs
ThrowTheSwitchCodingStandard.md UnityAssertionsCheatSheetSuitableforPrintingandPossiblyFraming.pdf UnityAssertionsReference.md UnityConfigurationGuide.md UnityGettingStartedGuide.md UnityHelperScriptsGuide.md license.txtexamples
unity_config.hcurl
.github
scripts
cleancmd.pl cmp-config.pl cmp-pkg-config.sh codespell-ignore.words codespell.sh distfiles.sh pyspelling.words pyspelling.yaml randcurl.pl requirements-docs.txt requirements-proselint.txt requirements.txt shellcheck-ci.sh shellcheck.sh spellcheck.curl trimmarkdownheader.pl typos.sh typos.toml verify-examples.pl verify-synopsis.pl yamlcheck.sh yamlcheck.yamlworkflows
appveyor-status.yml checkdocs.yml checksrc.yml checkurls.yml codeql.yml configure-vs-cmake.yml curl-for-win.yml distcheck.yml fuzz.yml http3-linux.yml label.yml linux-old.yml linux.yml macos.yml non-native.yml windows.ymlCMake
CurlSymbolHiding.cmake CurlTests.c FindBrotli.cmake FindCares.cmake FindGSS.cmake FindGnuTLS.cmake FindLDAP.cmake FindLibbacktrace.cmake FindLibgsasl.cmake FindLibidn2.cmake FindLibpsl.cmake FindLibssh.cmake FindLibssh2.cmake FindLibuv.cmake FindMbedTLS.cmake FindNGHTTP2.cmake FindNGHTTP3.cmake FindNGTCP2.cmake FindNettle.cmake FindQuiche.cmake FindRustls.cmake FindWolfSSL.cmake FindZstd.cmake Macros.cmake OtherTests.cmake PickyWarnings.cmake Utilities.cmake cmake_uninstall.in.cmake curl-config.in.cmake unix-cache.cmake win32-cache.cmakedocs
cmdline-opts
.gitignore CMakeLists.txt MANPAGE.md Makefile.am Makefile.inc _AUTHORS.md _BUGS.md _DESCRIPTION.md _ENVIRONMENT.md _EXITCODES.md _FILES.md _GLOBBING.md _NAME.md _OPTIONS.md _OUTPUT.md _PROGRESS.md _PROTOCOLS.md _PROXYPREFIX.md _SEEALSO.md _SYNOPSIS.md _URL.md _VARIABLES.md _VERSION.md _WWW.md abstract-unix-socket.md alt-svc.md anyauth.md append.md aws-sigv4.md basic.md ca-native.md cacert.md capath.md cert-status.md cert-type.md cert.md ciphers.md compressed-ssh.md compressed.md config.md connect-timeout.md connect-to.md continue-at.md cookie-jar.md cookie.md create-dirs.md create-file-mode.md crlf.md crlfile.md curves.md data-ascii.md data-binary.md data-raw.md data-urlencode.md data.md delegation.md digest.md disable-eprt.md disable-epsv.md disable.md disallow-username-in-url.md dns-interface.md dns-ipv4-addr.md dns-ipv6-addr.md dns-servers.md doh-cert-status.md doh-insecure.md doh-url.md dump-ca-embed.md dump-header.md ech.md egd-file.md engine.md etag-compare.md etag-save.md expect100-timeout.md fail-early.md fail-with-body.md fail.md false-start.md follow.md form-escape.md form-string.md form.md ftp-account.md ftp-alternative-to-user.md ftp-create-dirs.md ftp-method.md ftp-pasv.md ftp-port.md ftp-pret.md ftp-skip-pasv-ip.md ftp-ssl-ccc-mode.md ftp-ssl-ccc.md ftp-ssl-control.md get.md globoff.md happy-eyeballs-timeout-ms.md haproxy-clientip.md haproxy-protocol.md head.md header.md help.md hostpubmd5.md hostpubsha256.md hsts.md http0.9.md http1.0.md http1.1.md http2-prior-knowledge.md http2.md http3-only.md http3.md ignore-content-length.md insecure.md interface.md ip-tos.md ipfs-gateway.md ipv4.md ipv6.md json.md junk-session-cookies.md keepalive-cnt.md keepalive-time.md key-type.md key.md knownhosts.md krb.md libcurl.md limit-rate.md list-only.md local-port.md location-trusted.md location.md login-options.md mail-auth.md mail-from.md mail-rcpt-allowfails.md mail-rcpt.md mainpage.idx manual.md max-filesize.md max-redirs.md max-time.md metalink.md mptcp.md negotiate.md netrc-file.md netrc-optional.md netrc.md next.md no-alpn.md no-buffer.md no-clobber.md no-keepalive.md no-npn.md no-progress-meter.md no-sessionid.md noproxy.md ntlm-wb.md ntlm.md oauth2-bearer.md out-null.md output-dir.md output.md parallel-immediate.md parallel-max-host.md parallel-max.md parallel.md pass.md path-as-is.md pinnedpubkey.md post301.md post302.md post303.md preproxy.md progress-bar.md proto-default.md proto-redir.md proto.md proxy-anyauth.md proxy-basic.md proxy-ca-native.md proxy-cacert.md proxy-capath.md proxy-cert-type.md proxy-cert.md proxy-ciphers.md proxy-crlfile.md proxy-digest.md proxy-header.md proxy-http2.md proxy-insecure.md proxy-key-type.md proxy-key.md proxy-negotiate.md proxy-ntlm.md proxy-pass.md proxy-pinnedpubkey.md proxy-service-name.md proxy-ssl-allow-beast.md proxy-ssl-auto-client-cert.md proxy-tls13-ciphers.md proxy-tlsauthtype.md proxy-tlspassword.md proxy-tlsuser.md proxy-tlsv1.md proxy-user.md proxy.md proxy1.0.md proxytunnel.md pubkey.md quote.md random-file.md range.md rate.md raw.md referer.md remote-header-name.md remote-name-all.md remote-name.md remote-time.md remove-on-error.md request-target.md request.md resolve.md retry-all-errors.md retry-connrefused.md retry-delay.md retry-max-time.md retry.md sasl-authzid.md sasl-ir.md service-name.md show-error.md show-headers.md sigalgs.md silent.md skip-existing.md socks4.md socks4a.md socks5-basic.md socks5-gssapi-nec.md socks5-gssapi-service.md socks5-gssapi.md socks5-hostname.md socks5.md speed-limit.md speed-time.md ssl-allow-beast.md ssl-auto-client-cert.md ssl-no-revoke.md ssl-reqd.md ssl-revoke-best-effort.md ssl-sessions.md ssl.md sslv2.md sslv3.md stderr.md styled-output.md suppress-connect-headers.md tcp-fastopen.md tcp-nodelay.md telnet-option.md tftp-blksize.md tftp-no-options.md time-cond.md tls-earlydata.md tls-max.md tls13-ciphers.md tlsauthtype.md tlspassword.md tlsuser.md tlsv1.0.md tlsv1.1.md tlsv1.2.md tlsv1.3.md tlsv1.md tr-encoding.md trace-ascii.md trace-config.md trace-ids.md trace-time.md trace.md unix-socket.md upload-file.md upload-flags.md url-query.md url.md use-ascii.md user-agent.md user.md variable.md verbose.md version.md vlan-priority.md write-out.md xattr.mdexamples
.checksrc .gitignore 10-at-a-time.c CMakeLists.txt Makefile.am Makefile.example Makefile.inc README.md adddocsref.pl address-scope.c altsvc.c anyauthput.c block_ip.c cacertinmem.c certinfo.c chkspeed.c connect-to.c cookie_interface.c crawler.c debug.c default-scheme.c ephiperfifo.c evhiperfifo.c externalsocket.c fileupload.c ftp-delete.c ftp-wildcard.c ftpget.c ftpgetinfo.c ftpgetresp.c ftpsget.c ftpupload.c ftpuploadfrommem.c ftpuploadresume.c getinfo.c getinmemory.c getredirect.c getreferrer.c ghiper.c headerapi.c hiperfifo.c hsts-preload.c htmltidy.c htmltitle.cpp http-options.c http-post.c http2-download.c http2-pushinmemory.c http2-serverpush.c http2-upload.c http3-present.c http3.c httpcustomheader.c httpput-postfields.c httpput.c https.c imap-append.c imap-authzid.c imap-copy.c imap-create.c imap-delete.c imap-examine.c imap-fetch.c imap-list.c imap-lsub.c imap-multi.c imap-noop.c imap-search.c imap-ssl.c imap-store.c imap-tls.c interface.c ipv6.c keepalive.c localport.c log_failed_transfers.c maxconnects.c multi-app.c multi-debugcallback.c multi-double.c multi-event.c multi-formadd.c multi-legacy.c multi-post.c multi-single.c multi-uv.c netrc.c parseurl.c persistent.c pop3-authzid.c pop3-dele.c pop3-list.c pop3-multi.c pop3-noop.c pop3-retr.c pop3-ssl.c pop3-stat.c pop3-tls.c pop3-top.c pop3-uidl.c post-callback.c postinmemory.c postit2-formadd.c postit2.c progressfunc.c protofeats.c range.c resolve.c rtsp-options.c sendrecv.c sepheaders.c sessioninfo.c sftpget.c sftpuploadresume.c shared-connection-cache.c simple.c simplepost.c simplessl.c smooth-gtk-thread.c smtp-authzid.c smtp-expn.c smtp-mail.c smtp-mime.c smtp-multi.c smtp-ssl.c smtp-tls.c smtp-vrfy.c sslbackend.c synctime.c threaded.c unixsocket.c url2file.c urlapi.c usercertinmem.c version-check.pl websocket-cb.c websocket-updown.c websocket.c xmlstream.cinternals
BUFQ.md BUFREF.md CHECKSRC.md CLIENT-READERS.md CLIENT-WRITERS.md CODE_STYLE.md CONNECTION-FILTERS.md CREDENTIALS.md CURLX.md DYNBUF.md HASH.md LLIST.md MID.md MQTT.md MULTI-EV.md NEW-PROTOCOL.md PEERS.md PORTING.md RATELIMITS.md README.md SCORECARD.md SPLAY.md STRPARSE.md THRDPOOL-AND-QUEUE.md TIME-KEEPING.md TLS-SESSIONS.md UINT_SETS.md WEBSOCKET.mdlibcurl
opts
CMakeLists.txt CURLINFO_ACTIVESOCKET.md CURLINFO_APPCONNECT_TIME.md CURLINFO_APPCONNECT_TIME_T.md CURLINFO_CAINFO.md CURLINFO_CAPATH.md CURLINFO_CERTINFO.md CURLINFO_CONDITION_UNMET.md CURLINFO_CONNECT_TIME.md CURLINFO_CONNECT_TIME_T.md CURLINFO_CONN_ID.md CURLINFO_CONTENT_LENGTH_DOWNLOAD.md CURLINFO_CONTENT_LENGTH_DOWNLOAD_T.md CURLINFO_CONTENT_LENGTH_UPLOAD.md CURLINFO_CONTENT_LENGTH_UPLOAD_T.md CURLINFO_CONTENT_TYPE.md CURLINFO_COOKIELIST.md CURLINFO_EARLYDATA_SENT_T.md CURLINFO_EFFECTIVE_METHOD.md CURLINFO_EFFECTIVE_URL.md CURLINFO_FILETIME.md CURLINFO_FILETIME_T.md CURLINFO_FTP_ENTRY_PATH.md CURLINFO_HEADER_SIZE.md CURLINFO_HTTPAUTH_AVAIL.md CURLINFO_HTTPAUTH_USED.md CURLINFO_HTTP_CONNECTCODE.md CURLINFO_HTTP_VERSION.md CURLINFO_LASTSOCKET.md CURLINFO_LOCAL_IP.md CURLINFO_LOCAL_PORT.md CURLINFO_NAMELOOKUP_TIME.md CURLINFO_NAMELOOKUP_TIME_T.md CURLINFO_NUM_CONNECTS.md CURLINFO_OS_ERRNO.md CURLINFO_POSTTRANSFER_TIME_T.md CURLINFO_PRETRANSFER_TIME.md CURLINFO_PRETRANSFER_TIME_T.md CURLINFO_PRIMARY_IP.md CURLINFO_PRIMARY_PORT.md CURLINFO_PRIVATE.md CURLINFO_PROTOCOL.md CURLINFO_PROXYAUTH_AVAIL.md CURLINFO_PROXYAUTH_USED.md CURLINFO_PROXY_ERROR.md CURLINFO_PROXY_SSL_VERIFYRESULT.md CURLINFO_QUEUE_TIME_T.md CURLINFO_REDIRECT_COUNT.md CURLINFO_REDIRECT_TIME.md CURLINFO_REDIRECT_TIME_T.md CURLINFO_REDIRECT_URL.md CURLINFO_REFERER.md CURLINFO_REQUEST_SIZE.md CURLINFO_RESPONSE_CODE.md CURLINFO_RETRY_AFTER.md CURLINFO_RTSP_CLIENT_CSEQ.md CURLINFO_RTSP_CSEQ_RECV.md CURLINFO_RTSP_SERVER_CSEQ.md CURLINFO_RTSP_SESSION_ID.md CURLINFO_SCHEME.md CURLINFO_SIZE_DELIVERED.md CURLINFO_SIZE_DOWNLOAD.md CURLINFO_SIZE_DOWNLOAD_T.md CURLINFO_SIZE_UPLOAD.md CURLINFO_SIZE_UPLOAD_T.md CURLINFO_SPEED_DOWNLOAD.md CURLINFO_SPEED_DOWNLOAD_T.md CURLINFO_SPEED_UPLOAD.md CURLINFO_SPEED_UPLOAD_T.md CURLINFO_SSL_ENGINES.md CURLINFO_SSL_VERIFYRESULT.md CURLINFO_STARTTRANSFER_TIME.md CURLINFO_STARTTRANSFER_TIME_T.md CURLINFO_TLS_SESSION.md CURLINFO_TLS_SSL_PTR.md CURLINFO_TOTAL_TIME.md CURLINFO_TOTAL_TIME_T.md CURLINFO_USED_PROXY.md CURLINFO_XFER_ID.md CURLMINFO_XFERS_ADDED.md CURLMINFO_XFERS_CURRENT.md CURLMINFO_XFERS_DONE.md CURLMINFO_XFERS_PENDING.md CURLMINFO_XFERS_RUNNING.md CURLMOPT_CHUNK_LENGTH_PENALTY_SIZE.md CURLMOPT_CONTENT_LENGTH_PENALTY_SIZE.md CURLMOPT_MAXCONNECTS.md CURLMOPT_MAX_CONCURRENT_STREAMS.md CURLMOPT_MAX_HOST_CONNECTIONS.md CURLMOPT_MAX_PIPELINE_LENGTH.md CURLMOPT_MAX_TOTAL_CONNECTIONS.md CURLMOPT_NETWORK_CHANGED.md CURLMOPT_NOTIFYDATA.md CURLMOPT_NOTIFYFUNCTION.md CURLMOPT_PIPELINING.md CURLMOPT_PIPELINING_SERVER_BL.md CURLMOPT_PIPELINING_SITE_BL.md CURLMOPT_PUSHDATA.md CURLMOPT_PUSHFUNCTION.md CURLMOPT_QUICK_EXIT.md CURLMOPT_RESOLVE_THREADS_MAX.md CURLMOPT_SOCKETDATA.md CURLMOPT_SOCKETFUNCTION.md CURLMOPT_TIMERDATA.md CURLMOPT_TIMERFUNCTION.md CURLOPT_ABSTRACT_UNIX_SOCKET.md CURLOPT_ACCEPTTIMEOUT_MS.md CURLOPT_ACCEPT_ENCODING.md CURLOPT_ADDRESS_SCOPE.md CURLOPT_ALTSVC.md CURLOPT_ALTSVC_CTRL.md CURLOPT_APPEND.md CURLOPT_AUTOREFERER.md CURLOPT_AWS_SIGV4.md CURLOPT_BUFFERSIZE.md CURLOPT_CAINFO.md CURLOPT_CAINFO_BLOB.md CURLOPT_CAPATH.md CURLOPT_CA_CACHE_TIMEOUT.md CURLOPT_CERTINFO.md CURLOPT_CHUNK_BGN_FUNCTION.md CURLOPT_CHUNK_DATA.md CURLOPT_CHUNK_END_FUNCTION.md CURLOPT_CLOSESOCKETDATA.md CURLOPT_CLOSESOCKETFUNCTION.md CURLOPT_CONNECTTIMEOUT.md CURLOPT_CONNECTTIMEOUT_MS.md CURLOPT_CONNECT_ONLY.md CURLOPT_CONNECT_TO.md CURLOPT_CONV_FROM_NETWORK_FUNCTION.md CURLOPT_CONV_FROM_UTF8_FUNCTION.md CURLOPT_CONV_TO_NETWORK_FUNCTION.md CURLOPT_COOKIE.md CURLOPT_COOKIEFILE.md CURLOPT_COOKIEJAR.md CURLOPT_COOKIELIST.md CURLOPT_COOKIESESSION.md CURLOPT_COPYPOSTFIELDS.md CURLOPT_CRLF.md CURLOPT_CRLFILE.md CURLOPT_CURLU.md CURLOPT_CUSTOMREQUEST.md CURLOPT_DEBUGDATA.md CURLOPT_DEBUGFUNCTION.md CURLOPT_DEFAULT_PROTOCOL.md CURLOPT_DIRLISTONLY.md CURLOPT_DISALLOW_USERNAME_IN_URL.md CURLOPT_DNS_CACHE_TIMEOUT.md CURLOPT_DNS_INTERFACE.md CURLOPT_DNS_LOCAL_IP4.md CURLOPT_DNS_LOCAL_IP6.md CURLOPT_DNS_SERVERS.md CURLOPT_DNS_SHUFFLE_ADDRESSES.md CURLOPT_DNS_USE_GLOBAL_CACHE.md CURLOPT_DOH_SSL_VERIFYHOST.md CURLOPT_DOH_SSL_VERIFYPEER.md CURLOPT_DOH_SSL_VERIFYSTATUS.md CURLOPT_DOH_URL.md CURLOPT_ECH.md CURLOPT_EGDSOCKET.md CURLOPT_ERRORBUFFER.md CURLOPT_EXPECT_100_TIMEOUT_MS.md CURLOPT_FAILONERROR.md CURLOPT_FILETIME.md CURLOPT_FNMATCH_DATA.md CURLOPT_FNMATCH_FUNCTION.md CURLOPT_FOLLOWLOCATION.md CURLOPT_FORBID_REUSE.md CURLOPT_FRESH_CONNECT.md CURLOPT_FTPPORT.md CURLOPT_FTPSSLAUTH.md CURLOPT_FTP_ACCOUNT.md CURLOPT_FTP_ALTERNATIVE_TO_USER.md CURLOPT_FTP_CREATE_MISSING_DIRS.md CURLOPT_FTP_FILEMETHOD.md CURLOPT_FTP_SKIP_PASV_IP.md CURLOPT_FTP_SSL_CCC.md CURLOPT_FTP_USE_EPRT.md CURLOPT_FTP_USE_EPSV.md CURLOPT_FTP_USE_PRET.md CURLOPT_GSSAPI_DELEGATION.md CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS.md CURLOPT_HAPROXYPROTOCOL.md CURLOPT_HAPROXY_CLIENT_IP.md CURLOPT_HEADER.md CURLOPT_HEADERDATA.md CURLOPT_HEADERFUNCTION.md CURLOPT_HEADEROPT.md CURLOPT_HSTS.md CURLOPT_HSTSREADDATA.md CURLOPT_HSTSREADFUNCTION.md CURLOPT_HSTSWRITEDATA.md CURLOPT_HSTSWRITEFUNCTION.md CURLOPT_HSTS_CTRL.md CURLOPT_HTTP09_ALLOWED.md CURLOPT_HTTP200ALIASES.md CURLOPT_HTTPAUTH.md CURLOPT_HTTPGET.md CURLOPT_HTTPHEADER.md CURLOPT_HTTPPOST.md CURLOPT_HTTPPROXYTUNNEL.md CURLOPT_HTTP_CONTENT_DECODING.md CURLOPT_HTTP_TRANSFER_DECODING.md CURLOPT_HTTP_VERSION.md CURLOPT_IGNORE_CONTENT_LENGTH.md CURLOPT_INFILESIZE.md CURLOPT_INFILESIZE_LARGE.md CURLOPT_INTERFACE.md CURLOPT_INTERLEAVEDATA.md CURLOPT_INTERLEAVEFUNCTION.md CURLOPT_IOCTLDATA.md CURLOPT_IOCTLFUNCTION.md CURLOPT_IPRESOLVE.md CURLOPT_ISSUERCERT.md CURLOPT_ISSUERCERT_BLOB.md CURLOPT_KEEP_SENDING_ON_ERROR.md CURLOPT_KEYPASSWD.md CURLOPT_KRBLEVEL.md CURLOPT_LOCALPORT.md CURLOPT_LOCALPORTRANGE.md CURLOPT_LOGIN_OPTIONS.md CURLOPT_LOW_SPEED_LIMIT.md CURLOPT_LOW_SPEED_TIME.md CURLOPT_MAIL_AUTH.md CURLOPT_MAIL_FROM.md CURLOPT_MAIL_RCPT.md CURLOPT_MAIL_RCPT_ALLOWFAILS.md CURLOPT_MAXAGE_CONN.md CURLOPT_MAXCONNECTS.md CURLOPT_MAXFILESIZE.md CURLOPT_MAXFILESIZE_LARGE.md CURLOPT_MAXLIFETIME_CONN.md CURLOPT_MAXREDIRS.md CURLOPT_MAX_RECV_SPEED_LARGE.md CURLOPT_MAX_SEND_SPEED_LARGE.md CURLOPT_MIMEPOST.md CURLOPT_MIME_OPTIONS.md CURLOPT_NETRC.md CURLOPT_NETRC_FILE.md CURLOPT_NEW_DIRECTORY_PERMS.md CURLOPT_NEW_FILE_PERMS.md CURLOPT_NOBODY.md CURLOPT_NOPROGRESS.md CURLOPT_NOPROXY.md CURLOPT_NOSIGNAL.md CURLOPT_OPENSOCKETDATA.md CURLOPT_OPENSOCKETFUNCTION.md CURLOPT_PASSWORD.md CURLOPT_PATH_AS_IS.md CURLOPT_PINNEDPUBLICKEY.md CURLOPT_PIPEWAIT.md CURLOPT_PORT.md CURLOPT_POST.md CURLOPT_POSTFIELDS.md CURLOPT_POSTFIELDSIZE.md CURLOPT_POSTFIELDSIZE_LARGE.md CURLOPT_POSTQUOTE.md CURLOPT_POSTREDIR.md CURLOPT_PREQUOTE.md CURLOPT_PREREQDATA.md CURLOPT_PREREQFUNCTION.md CURLOPT_PRE_PROXY.md CURLOPT_PRIVATE.md CURLOPT_PROGRESSDATA.md CURLOPT_PROGRESSFUNCTION.md CURLOPT_PROTOCOLS.md CURLOPT_PROTOCOLS_STR.md CURLOPT_PROXY.md CURLOPT_PROXYAUTH.md CURLOPT_PROXYHEADER.md CURLOPT_PROXYPASSWORD.md CURLOPT_PROXYPORT.md CURLOPT_PROXYTYPE.md CURLOPT_PROXYUSERNAME.md CURLOPT_PROXYUSERPWD.md CURLOPT_PROXY_CAINFO.md CURLOPT_PROXY_CAINFO_BLOB.md CURLOPT_PROXY_CAPATH.md CURLOPT_PROXY_CRLFILE.md CURLOPT_PROXY_ISSUERCERT.md CURLOPT_PROXY_ISSUERCERT_BLOB.md CURLOPT_PROXY_KEYPASSWD.md CURLOPT_PROXY_PINNEDPUBLICKEY.md CURLOPT_PROXY_SERVICE_NAME.md CURLOPT_PROXY_SSLCERT.md CURLOPT_PROXY_SSLCERTTYPE.md CURLOPT_PROXY_SSLCERT_BLOB.md CURLOPT_PROXY_SSLKEY.md CURLOPT_PROXY_SSLKEYTYPE.md CURLOPT_PROXY_SSLKEY_BLOB.md CURLOPT_PROXY_SSLVERSION.md CURLOPT_PROXY_SSL_CIPHER_LIST.md CURLOPT_PROXY_SSL_OPTIONS.md CURLOPT_PROXY_SSL_VERIFYHOST.md CURLOPT_PROXY_SSL_VERIFYPEER.md CURLOPT_PROXY_TLS13_CIPHERS.md CURLOPT_PROXY_TLSAUTH_PASSWORD.md CURLOPT_PROXY_TLSAUTH_TYPE.md CURLOPT_PROXY_TLSAUTH_USERNAME.md CURLOPT_PROXY_TRANSFER_MODE.md CURLOPT_PUT.md CURLOPT_QUICK_EXIT.md CURLOPT_QUOTE.md CURLOPT_RANDOM_FILE.md CURLOPT_RANGE.md CURLOPT_READDATA.md CURLOPT_READFUNCTION.md CURLOPT_REDIR_PROTOCOLS.md CURLOPT_REDIR_PROTOCOLS_STR.md CURLOPT_REFERER.md CURLOPT_REQUEST_TARGET.md CURLOPT_RESOLVE.md CURLOPT_RESOLVER_START_DATA.md CURLOPT_RESOLVER_START_FUNCTION.md CURLOPT_RESUME_FROM.md CURLOPT_RESUME_FROM_LARGE.md CURLOPT_RTSP_CLIENT_CSEQ.md CURLOPT_RTSP_REQUEST.md CURLOPT_RTSP_SERVER_CSEQ.md CURLOPT_RTSP_SESSION_ID.md CURLOPT_RTSP_STREAM_URI.md CURLOPT_RTSP_TRANSPORT.md CURLOPT_SASL_AUTHZID.md CURLOPT_SASL_IR.md CURLOPT_SEEKDATA.md CURLOPT_SEEKFUNCTION.md CURLOPT_SERVER_RESPONSE_TIMEOUT.md CURLOPT_SERVER_RESPONSE_TIMEOUT_MS.md CURLOPT_SERVICE_NAME.md CURLOPT_SHARE.md CURLOPT_SOCKOPTDATA.md CURLOPT_SOCKOPTFUNCTION.md CURLOPT_SOCKS5_AUTH.md CURLOPT_SOCKS5_GSSAPI_NEC.md CURLOPT_SOCKS5_GSSAPI_SERVICE.md CURLOPT_SSH_AUTH_TYPES.md CURLOPT_SSH_COMPRESSION.md CURLOPT_SSH_HOSTKEYDATA.md CURLOPT_SSH_HOSTKEYFUNCTION.md CURLOPT_SSH_HOST_PUBLIC_KEY_MD5.md CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256.md CURLOPT_SSH_KEYDATA.md CURLOPT_SSH_KEYFUNCTION.md CURLOPT_SSH_KNOWNHOSTS.md CURLOPT_SSH_PRIVATE_KEYFILE.md CURLOPT_SSH_PUBLIC_KEYFILE.md CURLOPT_SSLCERT.md CURLOPT_SSLCERTTYPE.md CURLOPT_SSLCERT_BLOB.md CURLOPT_SSLENGINE.md CURLOPT_SSLENGINE_DEFAULT.md CURLOPT_SSLKEY.md CURLOPT_SSLKEYTYPE.md CURLOPT_SSLKEY_BLOB.md CURLOPT_SSLVERSION.md CURLOPT_SSL_CIPHER_LIST.md CURLOPT_SSL_CTX_DATA.md CURLOPT_SSL_CTX_FUNCTION.md CURLOPT_SSL_EC_CURVES.md CURLOPT_SSL_ENABLE_ALPN.md CURLOPT_SSL_ENABLE_NPN.md CURLOPT_SSL_FALSESTART.md CURLOPT_SSL_OPTIONS.md CURLOPT_SSL_SESSIONID_CACHE.md CURLOPT_SSL_SIGNATURE_ALGORITHMS.md CURLOPT_SSL_VERIFYHOST.md CURLOPT_SSL_VERIFYPEER.md CURLOPT_SSL_VERIFYSTATUS.md CURLOPT_STDERR.md CURLOPT_STREAM_DEPENDS.md CURLOPT_STREAM_DEPENDS_E.md CURLOPT_STREAM_WEIGHT.md CURLOPT_SUPPRESS_CONNECT_HEADERS.md CURLOPT_TCP_FASTOPEN.md CURLOPT_TCP_KEEPALIVE.md CURLOPT_TCP_KEEPCNT.md CURLOPT_TCP_KEEPIDLE.md CURLOPT_TCP_KEEPINTVL.md CURLOPT_TCP_NODELAY.md CURLOPT_TELNETOPTIONS.md CURLOPT_TFTP_BLKSIZE.md CURLOPT_TFTP_NO_OPTIONS.md CURLOPT_TIMECONDITION.md CURLOPT_TIMEOUT.md CURLOPT_TIMEOUT_MS.md CURLOPT_TIMEVALUE.md CURLOPT_TIMEVALUE_LARGE.md CURLOPT_TLS13_CIPHERS.md CURLOPT_TLSAUTH_PASSWORD.md CURLOPT_TLSAUTH_TYPE.md CURLOPT_TLSAUTH_USERNAME.md CURLOPT_TRAILERDATA.md CURLOPT_TRAILERFUNCTION.md CURLOPT_TRANSFERTEXT.md CURLOPT_TRANSFER_ENCODING.md CURLOPT_UNIX_SOCKET_PATH.md CURLOPT_UNRESTRICTED_AUTH.md CURLOPT_UPKEEP_INTERVAL_MS.md CURLOPT_UPLOAD.md CURLOPT_UPLOAD_BUFFERSIZE.md CURLOPT_UPLOAD_FLAGS.md CURLOPT_URL.md CURLOPT_USERAGENT.md CURLOPT_USERNAME.md CURLOPT_USERPWD.md CURLOPT_USE_SSL.md CURLOPT_VERBOSE.md CURLOPT_WILDCARDMATCH.md CURLOPT_WRITEDATA.md CURLOPT_WRITEFUNCTION.md CURLOPT_WS_OPTIONS.md CURLOPT_XFERINFODATA.md CURLOPT_XFERINFOFUNCTION.md CURLOPT_XOAUTH2_BEARER.md CURLSHOPT_LOCKFUNC.md CURLSHOPT_SHARE.md CURLSHOPT_UNLOCKFUNC.md CURLSHOPT_UNSHARE.md CURLSHOPT_USERDATA.md Makefile.am Makefile.incinclude
curl
Makefile.am curl.h curlver.h easy.h header.h mprintf.h multi.h options.h stdcheaders.h system.h typecheck-gcc.h urlapi.h websockets.hlib
curlx
base64.c base64.h basename.c basename.h dynbuf.c dynbuf.h fopen.c fopen.h inet_ntop.c inet_ntop.h inet_pton.c inet_pton.h multibyte.c multibyte.h nonblock.c nonblock.h snprintf.c snprintf.h strcopy.c strcopy.h strdup.c strdup.h strerr.c strerr.h strparse.c strparse.h timediff.c timediff.h timeval.c timeval.h version_win32.c version_win32.h wait.c wait.h warnless.c warnless.h winapi.c winapi.hvauth
cleartext.c cram.c digest.c digest.h digest_sspi.c gsasl.c krb5_gssapi.c krb5_sspi.c ntlm.c ntlm_sspi.c oauth2.c spnego_gssapi.c spnego_sspi.c vauth.c vauth.hvquic
curl_ngtcp2.c curl_ngtcp2.h curl_quiche.c curl_quiche.h vquic-tls.c vquic-tls.h vquic.c vquic.h vquic_int.hvtls
apple.c apple.h cipher_suite.c cipher_suite.h gtls.c gtls.h hostcheck.c hostcheck.h keylog.c keylog.h mbedtls.c mbedtls.h openssl.c openssl.h rustls.c rustls.h schannel.c schannel.h schannel_int.h schannel_verify.c vtls.c vtls.h vtls_int.h vtls_scache.c vtls_scache.h vtls_spack.c vtls_spack.h wolfssl.c wolfssl.h x509asn1.c x509asn1.hm4
.gitignore curl-amissl.m4 curl-apple-sectrust.m4 curl-compilers.m4 curl-confopts.m4 curl-functions.m4 curl-gnutls.m4 curl-mbedtls.m4 curl-openssl.m4 curl-override.m4 curl-reentrant.m4 curl-rustls.m4 curl-schannel.m4 curl-sysconfig.m4 curl-wolfssl.m4 xc-am-iface.m4 xc-cc-check.m4 xc-lt-iface.m4 xc-val-flgs.m4 zz40-xc-ovr.m4 zz50-xc-ovr.m4projects
OS400
.checksrc README.OS400 ccsidcurl.c ccsidcurl.h config400.default curl.cmd curl.inc.in curlcl.c curlmain.c initscript.sh make-docs.sh make-include.sh make-lib.sh make-src.sh make-tests.sh makefile.sh os400sys.c os400sys.hWindows
tmpl
.gitattributes README.txt curl-all.sln curl.sln curl.vcxproj curl.vcxproj.filters libcurl.sln libcurl.vcxproj libcurl.vcxproj.filtersvms
Makefile.am backup_gnv_curl_src.com build_curl-config_script.com build_gnv_curl.com build_gnv_curl_pcsi_desc.com build_gnv_curl_pcsi_text.com build_gnv_curl_release_notes.com build_libcurl_pc.com build_vms.com clean_gnv_curl.com compare_curl_source.com config_h.com curl_crtl_init.c curl_gnv_build_steps.txt curl_release_note_start.txt curl_startup.com curlmsg.h curlmsg.msg curlmsg.sdl curlmsg_vms.h generate_config_vms_h_curl.com generate_vax_transfer.com gnv_conftest.c_first gnv_curl_configure.sh gnv_libcurl_symbols.opt gnv_link_curl.com macro32_exactcase.patch make_gnv_curl_install.sh make_pcsi_curl_kit_name.com pcsi_gnv_curl_file_list.txt pcsi_product_gnv_curl.com readme report_openssl_version.c setup_gnv_curl_build.com stage_curl_install.com vms_eco_level.hscripts
.checksrc CMakeLists.txt Makefile.am badwords badwords-all badwords.txt cd2cd cd2nroff cdall checksrc-all.pl checksrc.pl cmakelint.sh completion.pl contributors.sh contrithanks.sh coverage.sh delta dmaketgz extract-unit-protos firefox-db2pem.sh installcheck.sh maketgz managen mdlinkcheck mk-ca-bundle.pl mk-unity.pl nroff2cd perlcheck.sh pythonlint.sh randdisable release-notes.pl release-tools.sh schemetable.c singleuse.pl spacecheck.pl top-complexity top-length verify-release wcurlsrc
.checksrc .gitignore CMakeLists.txt Makefile.am Makefile.inc config2setopts.c config2setopts.h curl.rc curlinfo.c mk-file-embed.pl mkhelp.pl slist_wc.c slist_wc.h terminal.c terminal.h tool_cb_dbg.c tool_cb_dbg.h tool_cb_hdr.c tool_cb_hdr.h tool_cb_prg.c tool_cb_prg.h tool_cb_rea.c tool_cb_rea.h tool_cb_see.c tool_cb_see.h tool_cb_soc.c tool_cb_soc.h tool_cb_wrt.c tool_cb_wrt.h tool_cfgable.c tool_cfgable.h tool_dirhie.c tool_dirhie.h tool_doswin.c tool_doswin.h tool_easysrc.c tool_easysrc.h tool_filetime.c tool_filetime.h tool_findfile.c tool_findfile.h tool_formparse.c tool_formparse.h tool_getparam.c tool_getparam.h tool_getpass.c tool_getpass.h tool_help.c tool_help.h tool_helpers.c tool_helpers.h tool_hugehelp.h tool_ipfs.c tool_ipfs.h tool_libinfo.c tool_libinfo.h tool_listhelp.c tool_main.c tool_main.h tool_msgs.c tool_msgs.h tool_operate.c tool_operate.h tool_operhlp.c tool_operhlp.h tool_paramhlp.c tool_paramhlp.h tool_parsecfg.c tool_parsecfg.h tool_progress.c tool_progress.h tool_sdecls.h tool_setopt.c tool_setopt.h tool_setup.h tool_ssls.c tool_ssls.h tool_stderr.c tool_stderr.h tool_urlglob.c tool_urlglob.h tool_util.c tool_util.h tool_version.h tool_vms.c tool_vms.h tool_writeout.c tool_writeout.h tool_writeout_json.c tool_writeout_json.h tool_xattr.c tool_xattr.h var.c var.htests
certs
.gitignore CMakeLists.txt Makefile.am Makefile.inc genserv.pl srp-verifier-conf srp-verifier-db test-ca.cnf test-ca.prm test-client-cert.prm test-client-eku-only.prm test-localhost-san-first.prm test-localhost-san-last.prm test-localhost.nn.prm test-localhost.prm test-localhost0h.prmdata
.gitignore DISABLED Makefile.am data-xml1 data1400.c data1401.c data1402.c data1403.c data1404.c data1405.c data1406.c data1407.c data1420.c data1461.txt data1463.txt data1465.c data1481.c data1705-1.md data1705-2.md data1705-3.md data1705-4.md data1705-stdout.1 data1706-1.md data1706-2.md data1706-3.md data1706-4.md data1706-stdout.txt data320.html test1 test10 test100 test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 test1008 test1009 test101 test1010 test1011 test1012 test1013 test1014 test1015 test1016 test1017 test1018 test1019 test102 test1020 test1021 test1022 test1023 test1024 test1025 test1026 test1027 test1028 test1029 test103 test1030 test1031 test1032 test1033 test1034 test1035 test1036 test1037 test1038 test1039 test104 test1040 test1041 test1042 test1043 test1044 test1045 test1046 test1047 test1048 test1049 test105 test1050 test1051 test1052 test1053 test1054 test1055 test1056 test1057 test1058 test1059 test106 test1060 test1061 test1062 test1063 test1064 test1065 test1066 test1067 test1068 test1069 test107 test1070 test1071 test1072 test1073 test1074 test1075 test1076 test1077 test1078 test1079 test108 test1080 test1081 test1082 test1083 test1084 test1085 test1086 test1087 test1088 test1089 test109 test1090 test1091 test1092 test1093 test1094 test1095 test1096 test1097 test1098 test1099 test11 test110 test1100 test1101 test1102 test1103 test1104 test1105 test1106 test1107 test1108 test1109 test111 test1110 test1111 test1112 test1113 test1114 test1115 test1116 test1117 test1118 test1119 test112 test1120 test1121 test1122 test1123 test1124 test1125 test1126 test1127 test1128 test1129 test113 test1130 test1131 test1132 test1133 test1134 test1135 test1136 test1137 test1138 test1139 test114 test1140 test1141 test1142 test1143 test1144 test1145 test1146 test1147 test1148 test1149 test115 test1150 test1151 test1152 test1153 test1154 test1155 test1156 test1157 test1158 test1159 test116 test1160 test1161 test1162 test1163 test1164 test1165 test1166 test1167 test1168 test1169 test117 test1170 test1171 test1172 test1173 test1174 test1175 test1176 test1177 test1178 test1179 test118 test1180 test1181 test1182 test1183 test1184 test1185 test1186 test1187 test1188 test1189 test119 test1190 test1191 test1192 test1193 test1194 test1195 test1196 test1197 test1198 test1199 test12 test120 test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 test1208 test1209 test121 test1210 test1211 test1212 test1213 test1214 test1215 test1216 test1217 test1218 test1219 test122 test1220 test1221 test1222 test1223 test1224 test1225 test1226 test1227 test1228 test1229 test123 test1230 test1231 test1232 test1233 test1234 test1235 test1236 test1237 test1238 test1239 test124 test1240 test1241 test1242 test1243 test1244 test1245 test1246 test1247 test1248 test1249 test125 test1250 test1251 test1252 test1253 test1254 test1255 test1256 test1257 test1258 test1259 test126 test1260 test1261 test1262 test1263 test1264 test1265 test1266 test1267 test1268 test1269 test127 test1270 test1271 test1272 test1273 test1274 test1275 test1276 test1277 test1278 test1279 test128 test1280 test1281 test1282 test1283 test1284 test1285 test1286 test1287 test1288 test1289 test129 test1290 test1291 test1292 test1293 test1294 test1295 test1296 test1297 test1298 test1299 test13 test130 test1300 test1301 test1302 test1303 test1304 test1305 test1306 test1307 test1308 test1309 test131 test1310 test1311 test1312 test1313 test1314 test1315 test1316 test1317 test1318 test1319 test132 test1320 test1321 test1322 test1323 test1324 test1325 test1326 test1327 test1328 test1329 test133 test1330 test1331 test1332 test1333 test1334 test1335 test1336 test1337 test1338 test1339 test134 test1340 test1341 test1342 test1343 test1344 test1345 test1346 test1347 test1348 test1349 test135 test1350 test1351 test1352 test1353 test1354 test1355 test1356 test1357 test1358 test1359 test136 test1360 test1361 test1362 test1363 test1364 test1365 test1366 test1367 test1368 test1369 test137 test1370 test1371 test1372 test1373 test1374 test1375 test1376 test1377 test1378 test1379 test138 test1380 test1381 test1382 test1383 test1384 test1385 test1386 test1387 test1388 test1389 test139 test1390 test1391 test1392 test1393 test1394 test1395 test1396 test1397 test1398 test1399 test14 test140 test1400 test1401 test1402 test1403 test1404 test1405 test1406 test1407 test1408 test1409 test141 test1410 test1411 test1412 test1413 test1414 test1415 test1416 test1417 test1418 test1419 test142 test1420 test1421 test1422 test1423 test1424 test1425 test1426 test1427 test1428 test1429 test143 test1430 test1431 test1432 test1433 test1434 test1435 test1436 test1437 test1438 test1439 test144 test1440 test1441 test1442 test1443 test1444 test1445 test1446 test1447 test1448 test1449 test145 test1450 test1451 test1452 test1453 test1454 test1455 test1456 test1457 test1458 test1459 test146 test1460 test1461 test1462 test1463 test1464 test1465 test1466 test1467 test1468 test1469 test147 test1470 test1471 test1472 test1473 test1474 test1475 test1476 test1477 test1478 test1479 test148 test1480 test1481 test1482 test1483 test1484 test1485 test1486 test1487 test1488 test1489 test149 test1490 test1491 test1492 test1493 test1494 test1495 test1496 test1497 test1498 test1499 test15 test150 test1500 test1501 test1502 test1503 test1504 test1505 test1506 test1507 test1508 test1509 test151 test1510 test1511 test1512 test1513 test1514 test1515 test1516 test1517 test1518 test1519 test152 test1520 test1521 test1522 test1523 test1524 test1525 test1526 test1527 test1528 test1529 test153 test1530 test1531 test1532 test1533 test1534 test1535 test1536 test1537 test1538 test1539 test154 test1540 test1541 test1542 test1543 test1544 test1545 test1546 test1547 test1548 test1549 test155 test1550 test1551 test1552 test1553 test1554 test1555 test1556 test1557 test1558 test1559 test156 test1560 test1561 test1562 test1563 test1564 test1565 test1566 test1567 test1568 test1569 test157 test1570 test1571 test1572 test1573 test1574 test1575 test1576 test1577 test1578 test1579 test158 test1580 test1581 test1582 test1583 test1584 test1585 test1586 test1587 test1588 test1589 test159 test1590 test1591 test1592 test1593 test1594 test1595 test1596 test1597 test1598 test1599 test16 test160 test1600 test1601 test1602 test1603 test1604 test1605 test1606 test1607 test1608 test1609 test161 test1610 test1611 test1612 test1613 test1614 test1615 test1616 test1617 test1618 test1619 test162 test1620 test1621 test1622 test1623 test1624 test1625 test1626 test1627 test1628 test1629 test163 test1630 test1631 test1632 test1633 test1634 test1635 test1636 test1637 test1638 test1639 test164 test1640 test1641 test1642 test1643 test1644 test1645 test165 test1650 test1651 test1652 test1653 test1654 test1655 test1656 test1657 test1658 test1659 test166 test1660 test1661 test1662 test1663 test1664 test1665 test1666 test1667 test1668 test1669 test167 test1670 test1671 test1672 test1673 test1674 test1675 test1676 test168 test1680 test1681 test1682 test1683 test1684 test1685 test169 test17 test170 test1700 test1701 test1702 test1703 test1704 test1705 test1706 test1707 test1708 test1709 test171 test1710 test1711 test1712 test1713 test1714 test1715 test172 test1720 test1721 test173 test174 test175 test176 test177 test178 test179 test18 test180 test1800 test1801 test1802 test181 test182 test183 test184 test1847 test1848 test1849 test185 test1850 test1851 test186 test187 test188 test189 test19 test190 test1900 test1901 test1902 test1903 test1904 test1905 test1906 test1907 test1908 test1909 test191 test1910 test1911 test1912 test1913 test1914 test1915 test1916 test1917 test1918 test1919 test192 test1920 test1921 test193 test1933 test1934 test1935 test1936 test1937 test1938 test1939 test194 test1940 test1941 test1942 test1943 test1944 test1945 test1946 test1947 test1948 test195 test1955 test1956 test1957 test1958 test1959 test196 test1960 test1964 test1965 test1966 test197 test1970 test1971 test1972 test1973 test1974 test1975 test1976 test1977 test1978 test1979 test198 test1980 test1981 test1982 test1983 test1984 test199 test2 test20 test200 test2000 test2001 test2002 test2003 test2004 test2005 test2006 test2007 test2008 test2009 test201 test2010 test2011 test2012 test2013 test2014 test202 test2023 test2024 test2025 test2026 test2027 test2028 test2029 test203 test2030 test2031 test2032 test2033 test2034 test2035 test2037 test2038 test2039 test204 test2040 test2041 test2042 test2043 test2044 test2045 test2046 test2047 test2048 test2049 test205 test2050 test2051 test2052 test2053 test2054 test2055 test2056 test2057 test2058 test2059 test206 test2060 test2061 test2062 test2063 test2064 test2065 test2066 test2067 test2068 test2069 test207 test2070 test2071 test2072 test2073 test2074 test2075 test2076 test2077 test2078 test2079 test208 test2080 test2081 test2082 test2083 test2084 test2085 test2086 test2087 test2088 test2089 test209 test2090 test2091 test2092 test21 test210 test2100 test2101 test2102 test2103 test2104 test211 test212 test213 test214 test215 test216 test217 test218 test219 test22 test220 test2200 test2201 test2202 test2203 test2204 test2205 test2206 test2207 test221 test222 test223 test224 test225 test226 test227 test228 test229 test23 test230 test2300 test2301 test2302 test2303 test2304 test2306 test2307 test2308 test2309 test231 test232 test233 test234 test235 test236 test237 test238 test239 test24 test240 test2400 test2401 test2402 test2403 test2404 test2405 test2406 test2407 test2408 test2409 test241 test2410 test2411 test242 test243 test244 test245 test246 test247 test248 test249 test25 test250 test2500 test2501 test2502 test2503 test2504 test2505 test2506 test251 test252 test253 test254 test255 test256 test257 test258 test259 test26 test260 test2600 test2601 test2602 test2603 test2604 test2605 test261 test262 test263 test264 test265 test266 test267 test268 test269 test27 test270 test2700 test2701 test2702 test2703 test2704 test2705 test2706 test2707 test2708 test2709 test271 test2710 test2711 test2712 test2713 test2714 test2715 test2716 test2717 test2718 test2719 test272 test2720 test2721 test2722 test2723 test273 test274 test275 test276 test277 test278 test279 test28 test280 test281 test282 test283 test284 test285 test286 test287 test288 test289 test29 test290 test291 test292 test293 test294 test295 test296 test297 test298 test299 test3 test30 test300 test3000 test3001 test3002 test3003 test3004 test3005 test3006 test3007 test3008 test3009 test301 test3010 test3011 test3012 test3013 test3014 test3015 test3016 test3017 test3018 test3019 test302 test3020 test3021 test3022 test3023 test3024 test3025 test3026 test3027 test3028 test3029 test303 test3030 test3031 test3032 test3033 test3034 test3035 test3036 test304 test305 test306 test307 test308 test309 test31 test310 test3100 test3101 test3102 test3103 test3104 test3105 test3106 test311 test312 test313 test314 test315 test316 test317 test318 test319 test32 test320 test3200 test3201 test3202 test3203 test3204 test3205 test3206 test3207 test3208 test3209 test321 test3210 test3211 test3212 test3213 test3214 test3215 test3216 test3217 test3218 test3219 test322 test3220 test323 test324 test325 test326 test327 test328 test329 test33 test330 test3300 test3301 test3302 test331 test332 test333 test334 test335 test336 test337 test338 test339 test34 test340 test341 test342 test343 test344 test345 test346 test347 test348 test349 test35 test350 test351 test352 test353 test354 test355 test356 test357 test358 test359 test36 test360 test361 test362 test363 test364 test365 test366 test367 test368 test369 test37 test370 test371 test372 test373 test374 test375 test376 test378 test379 test38 test380 test381 test383 test384 test385 test386 test387 test388 test389 test39 test390 test391 test392 test393 test394 test395 test396 test397 test398 test399 test4 test40 test400 test4000 test4001 test401 test402 test403 test404 test405 test406 test407 test408 test409 test41 test410 test411 test412 test413 test414 test415 test416 test417 test418 test419 test42 test420 test421 test422 test423 test424 test425 test426 test427 test428 test429 test43 test430 test431 test432 test433 test434 test435 test436 test437 test438 test439 test44 test440 test441 test442 test443 test444 test445 test446 test447 test448 test449 test45 test450 test451 test452 test453 test454 test455 test456 test457 test458 test459 test46 test460 test461 test462 test463 test467 test468 test469 test47 test470 test471 test472 test473 test474 test475 test476 test477 test478 test479 test48 test480 test481 test482 test483 test484 test485 test486 test487 test488 test489 test49 test490 test491 test492 test493 test494 test495 test496 test497 test498 test499 test5 test50 test500 test501 test502 test503 test504 test505 test506 test507 test508 test509 test51 test510 test511 test512 test513 test514 test515 test516 test517 test518 test519 test52 test520 test521 test522 test523 test524 test525 test526 test527 test528 test529 test53 test530 test531 test532 test533 test534 test535 test536 test537 test538 test539 test54 test540 test541 test542 test543 test544 test545 test546 test547 test548 test549 test55 test550 test551 test552 test553 test554 test555 test556 test557 test558 test559 test56 test560 test561 test562 test563 test564 test565 test566 test567 test568 test569 test57 test570 test571 test572 test573 test574 test575 test576 test577 test578 test579 test58 test580 test581 test582 test583 test584 test585 test586 test587 test588 test589 test59 test590 test591 test592 test593 test594 test595 test596 test597 test598 test599 test6 test60 test600 test601 test602 test603 test604 test605 test606 test607 test608 test609 test61 test610 test611 test612 test613 test614 test615 test616 test617 test618 test619 test62 test620 test621 test622 test623 test624 test625 test626 test627 test628 test629 test63 test630 test631 test632 test633 test634 test635 test636 test637 test638 test639 test64 test640 test641 test642 test643 test644 test645 test646 test647 test648 test649 test65 test650 test651 test652 test653 test654 test655 test656 test658 test659 test66 test660 test661 test662 test663 test664 test665 test666 test667 test668 test669 test67 test670 test671 test672 test673 test674 test675 test676 test677 test678 test679 test68 test680 test681 test682 test683 test684 test685 test686 test687 test688 test689 test69 test690 test691 test692 test693 test694 test695 test696 test697 test698 test699 test7 test70 test700 test701 test702 test703 test704 test705 test706 test707 test708 test709 test71 test710 test711 test712 test713 test714 test715 test716 test717 test718 test719 test72 test720 test721 test722 test723 test724 test725 test726 test727 test728 test729 test73 test730 test731 test732 test733 test734 test735 test736 test737 test738 test739 test74 test740 test741 test742 test743 test744 test745 test746 test747 test748 test749 test75 test750 test751 test752 test753 test754 test755 test756 test757 test758 test759 test76 test760 test761 test762 test763 test764 test765 test766 test767 test768 test769 test77 test770 test771 test772 test773 test774 test775 test776 test777 test778 test779 test78 test780 test781 test782 test783 test784 test785 test786 test787 test788 test789 test79 test790 test791 test792 test793 test794 test795 test796 test797 test798 test799 test8 test80 test800 test801 test802 test803 test804 test805 test806 test807 test808 test809 test81 test810 test811 test812 test813 test814 test815 test816 test817 test818 test819 test82 test820 test821 test822 test823 test824 test825 test826 test827 test828 test829 test83 test830 test831 test832 test833 test834 test835 test836 test837 test838 test839 test84 test840 test841 test842 test843 test844 test845 test846 test847 test848 test849 test85 test850 test851 test852 test853 test854 test855 test856 test857 test858 test859 test86 test860 test861 test862 test863 test864 test865 test866 test867 test868 test869 test87 test870 test871 test872 test873 test874 test875 test876 test877 test878 test879 test88 test880 test881 test882 test883 test884 test885 test886 test887 test888 test889 test89 test890 test891 test892 test893 test894 test895 test896 test897 test898 test899 test9 test90 test900 test901 test902 test903 test904 test905 test906 test907 test908 test909 test91 test910 test911 test912 test913 test914 test915 test916 test917 test918 test919 test92 test920 test921 test922 test923 test924 test925 test926 test927 test928 test929 test93 test930 test931 test932 test933 test934 test935 test936 test937 test938 test939 test94 test940 test941 test942 test943 test944 test945 test946 test947 test948 test949 test95 test950 test951 test952 test953 test954 test955 test956 test957 test958 test959 test96 test960 test961 test962 test963 test964 test965 test966 test967 test968 test969 test97 test970 test971 test972 test973 test974 test975 test976 test977 test978 test979 test98 test980 test981 test982 test983 test984 test985 test986 test987 test988 test989 test99 test990 test991 test992 test993 test994 test995 test996 test997 test998 test999http
testenv
__init__.py caddy.py certs.py client.py curl.py dante.py dnsd.py env.py httpd.py nghttpx.py ports.py sshd.py vsftpd.py ws_echo_server.pylibtest
.gitignore CMakeLists.txt Makefile.am Makefile.inc cli_ftp_upload.c cli_h2_pausing.c cli_h2_serverpush.c cli_h2_upgrade_extreme.c cli_hx_download.c cli_hx_upload.c cli_tls_session_reuse.c cli_upload_pausing.c cli_ws_data.c cli_ws_pingpong.c first.c first.h lib1156.c lib1301.c lib1308.c lib1485.c lib1500.c lib1501.c lib1502.c lib1506.c lib1507.c lib1508.c lib1509.c lib1510.c lib1511.c lib1512.c lib1513.c lib1514.c lib1515.c lib1517.c lib1518.c lib1520.c lib1522.c lib1523.c lib1525.c lib1526.c lib1527.c lib1528.c lib1529.c lib1530.c lib1531.c lib1532.c lib1533.c lib1534.c lib1535.c lib1536.c lib1537.c lib1538.c lib1540.c lib1541.c lib1542.c lib1545.c lib1549.c lib1550.c lib1551.c lib1552.c lib1553.c lib1554.c lib1555.c lib1556.c lib1557.c lib1558.c lib1559.c lib1560.c lib1564.c lib1565.c lib1567.c lib1568.c lib1569.c lib1571.c lib1576.c lib1582.c lib1587.c lib1588.c lib1589.c lib1591.c lib1592.c lib1593.c lib1594.c lib1597.c lib1598.c lib1599.c lib1662.c lib1900.c lib1901.c lib1902.c lib1903.c lib1905.c lib1906.c lib1907.c lib1908.c lib1910.c lib1911.c lib1912.c lib1913.c lib1915.c lib1916.c lib1918.c lib1919.c lib1920.c lib1921.c lib1933.c lib1934.c lib1935.c lib1936.c lib1937.c lib1938.c lib1939.c lib1940.c lib1945.c lib1947.c lib1948.c lib1955.c lib1956.c lib1957.c lib1958.c lib1959.c lib1960.c lib1964.c lib1965.c lib1970.c lib1971.c lib1972.c lib1973.c lib1974.c lib1975.c lib1977.c lib1978.c lib2023.c lib2032.c lib2082.c lib2301.c lib2302.c lib2304.c lib2306.c lib2308.c lib2309.c lib2402.c lib2404.c lib2405.c lib2502.c lib2504.c lib2505.c lib2506.c lib2700.c lib3010.c lib3025.c lib3026.c lib3027.c lib3033.c lib3034.c lib3100.c lib3101.c lib3102.c lib3103.c lib3104.c lib3105.c lib3207.c lib3208.c lib500.c lib501.c lib502.c lib503.c lib504.c lib505.c lib506.c lib507.c lib508.c lib509.c lib510.c lib511.c lib512.c lib513.c lib514.c lib515.c lib516.c lib517.c lib518.c lib519.c lib520.c lib521.c lib523.c lib524.c lib525.c lib526.c lib530.c lib533.c lib536.c lib537.c lib539.c lib540.c lib541.c lib542.c lib543.c lib544.c lib547.c lib549.c lib552.c lib553.c lib554.c lib555.c lib556.c lib557.c lib558.c lib559.c lib560.c lib562.c lib564.c lib566.c lib567.c lib568.c lib569.c lib570.c lib571.c lib572.c lib573.c lib574.c lib575.c lib576.c lib578.c lib579.c lib582.c lib583.c lib586.c lib589.c lib590.c lib591.c lib597.c lib598.c lib599.c lib643.c lib650.c lib651.c lib652.c lib653.c lib654.c lib655.c lib658.c lib659.c lib661.c lib666.c lib667.c lib668.c lib670.c lib674.c lib676.c lib677.c lib678.c lib694.c lib695.c lib751.c lib753.c lib757.c lib758.c lib766.c memptr.c mk-lib1521.pl test1013.pl test1022.pl test307.pl test610.pl test613.pl testtrace.c testtrace.h testutil.c testutil.h unitcheck.hserver
.checksrc .gitignore CMakeLists.txt Makefile.am Makefile.inc dnsd.c first.c first.h getpart.c mqttd.c resolve.c rtspd.c sockfilt.c socksd.c sws.c tftpd.c util.ctunit
.gitignore CMakeLists.txt Makefile.am Makefile.inc README.md tool1394.c tool1604.c tool1621.c tool1622.c tool1623.c tool1720.cunit
.gitignore CMakeLists.txt Makefile.am Makefile.inc README.md unit1300.c unit1302.c unit1303.c unit1304.c unit1305.c unit1307.c unit1309.c unit1323.c unit1330.c unit1395.c unit1396.c unit1397.c unit1398.c unit1399.c unit1600.c unit1601.c unit1602.c unit1603.c unit1605.c unit1606.c unit1607.c unit1608.c unit1609.c unit1610.c unit1611.c unit1612.c unit1614.c unit1615.c unit1616.c unit1620.c unit1625.c unit1626.c unit1627.c unit1636.c unit1650.c unit1651.c unit1652.c unit1653.c unit1654.c unit1655.c unit1656.c unit1657.c unit1658.c unit1660.c unit1661.c unit1663.c unit1664.c unit1666.c unit1667.c unit1668.c unit1669.c unit1674.c unit1675.c unit1676.c unit1979.c unit1980.c unit2600.c unit2601.c unit2602.c unit2603.c unit2604.c unit2605.c unit3200.c unit3205.c unit3211.c unit3212.c unit3213.c unit3214.c unit3216.c unit3219.c unit3300.c unit3301.c unit3302.cexamples
.env config.ini crypto_test.lua env_test.lua fs_example.lua http_server.lua https_test.lua ini_example.lua json.lua log.lua path_fs_example.lua process_example.lua request_download.lua request_test.lua run_all.lua sqlite_example.lua sqlite_http_template.lua stash_test.lua template_test.lua timer.lua websocket.luainiparser
example
iniexample.c iniwrite.c parse.c twisted-errors.ini twisted-genhuge.py twisted-ofkey.ini twisted-ofval.ini twisted.initest
CMakeLists.txt test_dictionary.c test_iniparser.c unity-config.yml unity_config.hjinjac
libjinjac
src
CMakeLists.txt ast.c ast.h block_statement.c block_statement.h buffer.c buffer.h buildin.c buildin.h common.h convert.c convert.h flex_decl.h jfunction.c jfunction.h jinja_expression.l jinja_expression.y jinjac_parse.c jinjac_parse.h jinjac_stream.c jinjac_stream.h jlist.c jlist.h jobject.c jobject.h parameter.c parameter.h str_obj.c str_obj.h trace.c trace.htest
.gitignore CMakeLists.txt autotest.rb test_01.expected test_01.jinja test_01b.expected test_01b.jinja test_01c.expected test_01c.jinja test_01d.expected test_01d.jinja test_02.expected test_02.jinja test_03.expected test_03.jinja test_04.expected test_04.jinja test_05.expected test_05.jinja test_06.expected test_06.jinja test_07.expected test_07.jinja test_08.expected test_08.jinja test_08b.expected test_08b.jinja test_09.expected test_09.jinja test_10.expected test_10.jinja test_11.expected test_11.jinja test_12.expected test_12.jinja test_13.expected test_13.jinja test_14.expected test_14.jinja test_15.expected test_15.jinja test_16.expected test_16.jinja test_17.expected test_17.jinja test_18.expected test_18.jinja test_18b.expected test_18b.jinja test_18c.expected test_18c.jinja test_19.expected test_19.jinja test_19b.expected test_19b.jinja test_19c.expected test_19c.jinja test_19d.expected test_19d.jinja test_19e.expected test_19e.jinja test_19f.expected test_19f.jinja test_20.expected test_20.jinja test_21.expected test_21.jinja test_22.expected test_22.jinja test_22a.expected test_22a.jinja test_22b.expected test_22b.jinja test_23.expected test_23.jinja test_24.expected test_24.jinjalibev
Changes LICENSE Makefile Makefile.am Makefile.in README Symbols.ev Symbols.event aclocal.m4 autogen.sh compile config.guess config.h config.h.in config.status config.sub configure configure.ac depcomp ev++.h ev.3 ev.c ev.h ev.pod ev_epoll.c ev_kqueue.c ev_poll.c ev_port.c ev_select.c ev_vars.h ev_win32.c ev_wrap.h event.c event.h install-sh libev.m4 libtool ltmain.sh missing mkinstalldirs stamp-h1luajit
doc
bluequad-print.css bluequad.css contact.html ext_buffer.html ext_c_api.html ext_ffi.html ext_ffi_api.html ext_ffi_semantics.html ext_ffi_tutorial.html ext_jit.html ext_profiler.html extensions.html install.html luajit.html running.html
dynasm
dasm_arm.h dasm_arm.lua dasm_arm64.h dasm_arm64.lua dasm_mips.h dasm_mips.lua dasm_mips64.lua dasm_ppc.h dasm_ppc.lua dasm_proto.h dasm_x64.lua dasm_x86.h dasm_x86.lua dynasm.luasrc
host
.gitignore README buildvm.c buildvm.h buildvm_asm.c buildvm_fold.c buildvm_lib.c buildvm_libbc.h buildvm_peobj.c genlibbc.lua genminilua.lua genversion.lua minilua.cjit
.gitignore bc.lua bcsave.lua dis_arm.lua dis_arm64.lua dis_arm64be.lua dis_mips.lua dis_mips64.lua dis_mips64el.lua dis_mips64r6.lua dis_mips64r6el.lua dis_mipsel.lua dis_ppc.lua dis_x64.lua dis_x86.lua dump.lua p.lua v.lua zone.luawolfssl
.github
workflows
ada.yml arduino.yml async-examples.yml async.yml atecc608-sim.yml bind.yml cmake-autoconf.yml cmake.yml codespell.yml coverity-scan-fixes.yml cryptocb-only.yml curl.yml cyrus-sasl.yml disable-pk-algs.yml docker-Espressif.yml docker-OpenWrt.yml emnet-nonblock.yml fil-c.yml freertos-mem-track.yml gencertbuf.yml grpc.yml haproxy.yml hostap-vm.yml intelasm-c-fallback.yml ipmitool.yml jwt-cpp.yml krb5.yml libspdm.yml libssh2.yml libvncserver.yml linuxkm.yml macos-apple-native-cert-validation.yml mbedtls.sh mbedtls.yml membrowse-comment.yml membrowse-onboard.yml membrowse-report.yml memcached.sh memcached.yml mono.yml mosquitto.yml msmtp.yml msys2.yml multi-arch.yml multi-compiler.yml net-snmp.yml nginx.yml no-malloc.yml no-tls.yml nss.sh nss.yml ntp.yml ocsp.yml openldap.yml openssh.yml openssl-ech.yml opensslcoexist.yml openvpn.yml os-check.yml packaging.yml pam-ipmi.yml pq-all.yml pr-commit-check.yml psk.yml puf.yml python.yml rng-tools.yml rust-wrapper.yml se050-sim.yml smallStackSize.yml socat.yml softhsm.yml sssd.yml stm32-sim.yml stsafe-a120-sim.yml stunnel.yml symbol-prefixes.yml threadx.yml tls-anvil.yml trackmemory.yml watcomc.yml win-csharp-test.yml wolfCrypt-Wconversion.yml wolfboot-integration.yml wolfsm.yml xcode.yml zephyr-4.x.yml zephyr.ymlIDE
ARDUINO
Arduino_README_prepend.md README.md include.am keywords.txt library.properties.template wolfssl-arduino.cpp wolfssl-arduino.sh wolfssl.hECLIPSE
Espressif
ESP-IDF
examples
template
CMakeLists.txt Makefile README.md partitions_singleapp_large.csv sdkconfig.defaults sdkconfig.defaults.esp8266wolfssl_benchmark
VisualGDB
wolfssl_benchmark_IDF_v4.4_ESP32.sln wolfssl_benchmark_IDF_v4.4_ESP32.vgdbproj wolfssl_benchmark_IDF_v5_ESP32.sln wolfssl_benchmark_IDF_v5_ESP32.vgdbproj wolfssl_benchmark_IDF_v5_ESP32C3.sln wolfssl_benchmark_IDF_v5_ESP32C3.vgdbproj wolfssl_benchmark_IDF_v5_ESP32S3.sln wolfssl_benchmark_IDF_v5_ESP32S3.vgdbprojwolfssl_client
CMakeLists.txt Makefile README.md README_server_sm.md partitions_singleapp_large.csv sdkconfig.defaults sdkconfig.defaults.esp32c2 sdkconfig.defaults.esp8266 wolfssl_client_ESP8266.vgdbprojwolfssl_server
CMakeLists.txt Makefile README.md README_server_sm.md partitions_singleapp_large.csv sdkconfig.defaults sdkconfig.defaults.esp32c2 sdkconfig.defaults.esp8266 wolfssl_server_ESP8266.vgdbprojwolfssl_test
VisualGDB
wolfssl_test-IDF_v5_ESP32.sln wolfssl_test-IDF_v5_ESP32.vgdbproj wolfssl_test-IDF_v5_ESP32C3.sln wolfssl_test-IDF_v5_ESP32C3.vgdbproj wolfssl_test-IDF_v5_ESP32C6.sln wolfssl_test-IDF_v5_ESP32C6.vgdbproj wolfssl_test_IDF_v5_ESP32S3.sln wolfssl_test_IDF_v5_ESP32S3.vgdbprojGCC-ARM
Makefile Makefile.bench Makefile.client Makefile.common Makefile.server Makefile.static Makefile.test README.md include.am linker.ld linker_fips.ldIAR-EWARM
embOS
SAMV71_XULT
embOS_SAMV71_XULT_user_settings
user_settings.h user_settings_simple_example.h user_settings_verbose_example.hembOS_wolfcrypt_benchmark_SAMV71_XULT
README_wolfcrypt_benchmark wolfcrypt_benchmark.ewd wolfcrypt_benchmark.ewpINTIME-RTOS
Makefile README.md include.am libwolfssl.c libwolfssl.vcxproj user_settings.h wolfExamples.c wolfExamples.h wolfExamples.sln wolfExamples.vcxproj wolfssl-lib.sln wolfssl-lib.vcxprojMQX
Makefile README-jp.md README.md client-tls.c include.am server-tls.c user_config.h user_settings.hMSVS-2019-AZSPHERE
wolfssl_new_azsphere
.gitignore CMakeLists.txt CMakeSettings.json app_manifest.json applibs_versions.h launch.vs.json main.cNETOS
Makefile.wolfcrypt.inc README.md include.am user_settings.h user_settings.h-cert2425 user_settings.h-cert3389 wolfssl_netos_custom.cPlatformIO
examples
wolfssl_benchmark
CMakeLists.txt README.md platformio.ini sdkconfig.defaults wolfssl_benchmark.code-workspaceROWLEY-CROSSWORKS-ARM
Kinetis_FlashPlacement.xml README.md arm_startup.c benchmark_main.c hw.h include.am kinetis_hw.c retarget.c test_main.c user_settings.h wolfssl.hzp wolfssl_ltc.hzpRenesas
e2studio
RA6M3
README.md README_APRA6M_en.md README_APRA6M_jp.md include.amRX72N
EnvisionKit
Simple
README_EN.md README_JP.mdwolfssl_demo
key_data.c key_data.h user_settings.h wolfssl_demo.c wolfssl_demo.h wolfssl_tsip_unit_test.cSTM32Cube
README.md STM32_Benchmarks.md default_conf.ftl include.am main.c wolfssl_example.c wolfssl_example.hWIN
README.txt include.am test.vcxproj user_settings.h user_settings_dtls.h wolfssl-fips.sln wolfssl-fips.vcxprojWIN-SRTP-KDF-140-3
README.txt include.am resource.h test.vcxproj user_settings.h wolfssl-fips.rc wolfssl-fips.sln wolfssl-fips.vcxprojWIN10
README.txt include.am resource.h test.vcxproj user_settings.h wolfssl-fips.rc wolfssl-fips.sln wolfssl-fips.vcxprojXCODE
Benchmark
include.amXilinxSDK
README.md bench.sh combine.sh eclipse_formatter_profile.xml graph.sh include.am user_settings.h wolfssl_example.capple-universal
wolfssl-multiplatform
iotsafe
Makefile README.md ca-cert.c devices.c devices.h include.am main.c memory-tls.c startup.c target.ld user_settings.hmynewt
README.md apps.wolfcrypttest.pkg.yml crypto.wolfssl.pkg.yml crypto.wolfssl.syscfg.yml include.am setup.shcerts
1024
ca-cert.der ca-cert.pem ca-key.der ca-key.pem client-cert.der client-cert.pem client-key.der client-key.pem client-keyPub.der dh1024.der dh1024.pem dsa-pub-1024.pem dsa1024.der dsa1024.pem include.am rsa1024.der server-cert.der server-cert.pem server-key.der server-key.pemcrl
extra-crls
ca-int-cert-revoked.pem claim-root.pem crl_critical_entry.pem crlnum_57oct.pem crlnum_64oct.pem general-server-crl.pem large_crlnum.pem large_crlnum2.pemdilithium
bench_dilithium_level2_key.der bench_dilithium_level3_key.der bench_dilithium_level5_key.der include.amecc
bp256r1-key.der bp256r1-key.pem ca-secp256k1-cert.pem ca-secp256k1-key.pem client-bp256r1-cert.der client-bp256r1-cert.pem client-secp256k1-cert.der client-secp256k1-cert.pem genecc.sh include.am secp256k1-key.der secp256k1-key.pem secp256k1-param.pem secp256k1-privkey.der secp256k1-privkey.pem server-bp256r1-cert.der server-bp256r1-cert.pem server-secp256k1-cert.der server-secp256k1-cert.pem server2-secp256k1-cert.der server2-secp256k1-cert.pem wolfssl.cnf wolfssl_384.cnfed25519
ca-ed25519-key.der ca-ed25519-key.pem ca-ed25519-priv.der ca-ed25519-priv.pem ca-ed25519.der ca-ed25519.pem client-ed25519-key.der client-ed25519-key.pem client-ed25519-priv.der client-ed25519-priv.pem client-ed25519.der client-ed25519.pem eddsa-ed25519.der eddsa-ed25519.pem gen-ed25519-certs.sh gen-ed25519-keys.sh gen-ed25519.sh include.am root-ed25519-key.der root-ed25519-key.pem root-ed25519-priv.der root-ed25519-priv.pem root-ed25519.der root-ed25519.pem server-ed25519-cert.pem server-ed25519-key.der server-ed25519-key.pem server-ed25519-priv.der server-ed25519-priv.pem server-ed25519.der server-ed25519.pemed448
ca-ed448-key.der ca-ed448-key.pem ca-ed448-priv.der ca-ed448-priv.pem ca-ed448.der ca-ed448.pem client-ed448-key.der client-ed448-key.pem client-ed448-priv.der client-ed448-priv.pem client-ed448.der client-ed448.pem gen-ed448-certs.sh gen-ed448-keys.sh include.am root-ed448-key.der root-ed448-key.pem root-ed448-priv.der root-ed448-priv.pem root-ed448.der root-ed448.pem server-ed448-cert.pem server-ed448-key.der server-ed448-key.pem server-ed448-priv.der server-ed448-priv.pem server-ed448.der server-ed448.pemexternal
DigiCertGlobalRootCA.pem README.txt ca-digicert-ev.pem ca-globalsign-root.pem ca-google-root.pem ca_collection.pem include.amintermediate
ca_false_intermediate
gentestcert.sh int_ca.key server.key test_ca.key test_ca.pem test_int_not_cacert.pem test_sign_bynoca_srv.pem wolfssl_base.conf wolfssl_srv.conflms
bc_hss_L2_H5_W8_root.der bc_hss_L3_H5_W4_root.der bc_lms_chain_ca.der bc_lms_chain_leaf.der bc_lms_native_bc_root.der bc_lms_sha256_h10_w8_root.der bc_lms_sha256_h5_w4_root.der include.ammldsa
README.txt include.am mldsa44-cert.der mldsa44-cert.pem mldsa44-key.pem mldsa44_bare-priv.der mldsa44_bare-seed.der mldsa44_oqskeypair.der mldsa44_priv-only.der mldsa44_pub-spki.der mldsa44_seed-only.der mldsa44_seed-priv.der mldsa65-cert.der mldsa65-cert.pem mldsa65-key.pem mldsa65_bare-priv.der mldsa65_bare-seed.der mldsa65_oqskeypair.der mldsa65_priv-only.der mldsa65_pub-spki.der mldsa65_seed-only.der mldsa65_seed-priv.der mldsa87-cert.der mldsa87-cert.pem mldsa87-key.pem mldsa87_bare-priv.der mldsa87_bare-seed.der mldsa87_oqskeypair.der mldsa87_priv-only.der mldsa87_pub-spki.der mldsa87_seed-only.der mldsa87_seed-priv.derocsp
imposter-root-ca-cert.der imposter-root-ca-cert.pem imposter-root-ca-key.der imposter-root-ca-key.pem include.am index-ca-and-intermediate-cas.txt index-ca-and-intermediate-cas.txt.attr index-intermediate1-ca-issued-certs.txt index-intermediate1-ca-issued-certs.txt.attr index-intermediate2-ca-issued-certs.txt index-intermediate2-ca-issued-certs.txt.attr index-intermediate3-ca-issued-certs.txt index-intermediate3-ca-issued-certs.txt.attr intermediate1-ca-cert.der intermediate1-ca-cert.pem intermediate1-ca-key.der intermediate1-ca-key.pem intermediate2-ca-cert.der intermediate2-ca-cert.pem intermediate2-ca-key.der intermediate2-ca-key.pem intermediate3-ca-cert.der intermediate3-ca-cert.pem intermediate3-ca-key.der intermediate3-ca-key.pem ocsp-responder-cert.der ocsp-responder-cert.pem ocsp-responder-key.der ocsp-responder-key.pem openssl.cnf renewcerts-for-test.sh renewcerts.sh root-ca-cert.der root-ca-cert.pem root-ca-crl.pem root-ca-key.der root-ca-key.pem server1-cert.der server1-cert.pem server1-chain-noroot.pem server1-key.der server1-key.pem server2-cert.der server2-cert.pem server2-key.der server2-key.pem server3-cert.der server3-cert.pem server3-key.der server3-key.pem server4-cert.der server4-cert.pem server4-key.der server4-key.pem server5-cert.der server5-cert.pem server5-key.der server5-key.pem test-leaf-response.der test-multi-response.der test-response-nointern.der test-response-rsapss.der test-response.derp521
ca-p521-key.der ca-p521-key.pem ca-p521-priv.der ca-p521-priv.pem ca-p521.der ca-p521.pem client-p521-key.der client-p521-key.pem client-p521-priv.der client-p521-priv.pem client-p521.der client-p521.pem gen-p521-certs.sh gen-p521-keys.sh include.am root-p521-key.der root-p521-key.pem root-p521-priv.der root-p521-priv.pem root-p521.der root-p521.pem server-p521-cert.pem server-p521-key.der server-p521-key.pem server-p521-priv.der server-p521-priv.pem server-p521.der server-p521.pemrpk
client-cert-rpk.der client-ecc-cert-rpk.der include.am server-cert-rpk.der server-ecc-cert-rpk.derrsapss
ca-3072-rsapss-key.der ca-3072-rsapss-key.pem ca-3072-rsapss-priv.der ca-3072-rsapss-priv.pem ca-3072-rsapss.der ca-3072-rsapss.pem ca-rsapss-key.der ca-rsapss-key.pem ca-rsapss-priv.der ca-rsapss-priv.pem ca-rsapss.der ca-rsapss.pem client-3072-rsapss-key.der client-3072-rsapss-key.pem client-3072-rsapss-priv.der client-3072-rsapss-priv.pem client-3072-rsapss.der client-3072-rsapss.pem client-rsapss-key.der client-rsapss-key.pem client-rsapss-priv.der client-rsapss-priv.pem client-rsapss.der client-rsapss.pem gen-rsapss-keys.sh include.am renew-rsapss-certs.sh root-3072-rsapss-key.der root-3072-rsapss-key.pem root-3072-rsapss-priv.der root-3072-rsapss-priv.pem root-3072-rsapss.der root-3072-rsapss.pem root-rsapss-key.der root-rsapss-key.pem root-rsapss-priv.der root-rsapss-priv.pem root-rsapss.der root-rsapss.pem server-3072-rsapss-cert.pem server-3072-rsapss-key.der server-3072-rsapss-key.pem server-3072-rsapss-priv.der server-3072-rsapss-priv.pem server-3072-rsapss.der server-3072-rsapss.pem server-mix-rsapss-cert.pem server-rsapss-cert.pem server-rsapss-key.der server-rsapss-key.pem server-rsapss-priv.der server-rsapss-priv.pem server-rsapss.der server-rsapss.pemslhdsa
bench_slhdsa_sha2_128f_key.der bench_slhdsa_sha2_128s_key.der bench_slhdsa_sha2_192f_key.der bench_slhdsa_sha2_192s_key.der bench_slhdsa_sha2_256f_key.der bench_slhdsa_sha2_256s_key.der bench_slhdsa_shake128f_key.der bench_slhdsa_shake128s_key.der bench_slhdsa_shake192f_key.der bench_slhdsa_shake192s_key.der bench_slhdsa_shake256f_key.der bench_slhdsa_shake256s_key.der client-mldsa44-priv.pem client-mldsa44-sha2.der client-mldsa44-sha2.pem client-mldsa44-shake.der client-mldsa44-shake.pem gen-slhdsa-mldsa-certs.sh include.am root-slhdsa-sha2-128s-priv.der root-slhdsa-sha2-128s-priv.pem root-slhdsa-sha2-128s.der root-slhdsa-sha2-128s.pem root-slhdsa-shake-128s-priv.der root-slhdsa-shake-128s-priv.pem root-slhdsa-shake-128s.der root-slhdsa-shake-128s.pem server-mldsa44-priv.pem server-mldsa44-sha2.der server-mldsa44-sha2.pem server-mldsa44-shake.der server-mldsa44-shake.pemsm2
ca-sm2-key.der ca-sm2-key.pem ca-sm2-priv.der ca-sm2-priv.pem ca-sm2.der ca-sm2.pem client-sm2-key.der client-sm2-key.pem client-sm2-priv.der client-sm2-priv.pem client-sm2.der client-sm2.pem fix_sm2_spki.py gen-sm2-certs.sh gen-sm2-keys.sh include.am root-sm2-key.der root-sm2-key.pem root-sm2-priv.der root-sm2-priv.pem root-sm2.der root-sm2.pem self-sm2-cert.pem self-sm2-key.pem self-sm2-priv.pem server-sm2-cert.der server-sm2-cert.pem server-sm2-key.der server-sm2-key.pem server-sm2-priv.der server-sm2-priv.pem server-sm2.der server-sm2.pemstatickeys
dh-ffdhe2048-params.pem dh-ffdhe2048-pub.der dh-ffdhe2048-pub.pem dh-ffdhe2048.der dh-ffdhe2048.pem ecc-secp256r1.der ecc-secp256r1.pem gen-static.sh include.am x25519-pub.der x25519-pub.pem x25519.der x25519.pemtest
catalog.txt cert-bad-neg-int.der cert-bad-oid.der cert-bad-utf8.der cert-ext-ia.cfg cert-ext-ia.der cert-ext-ia.pem cert-ext-joi.cfg cert-ext-joi.der cert-ext-joi.pem cert-ext-mnc.der cert-ext-multiple.cfg cert-ext-multiple.der cert-ext-multiple.pem cert-ext-nc-combined.der cert-ext-nc-combined.pem cert-ext-nc.cfg cert-ext-nc.der cert-ext-nc.pem cert-ext-ncdns.der cert-ext-ncdns.pem cert-ext-ncip.der cert-ext-ncip.pem cert-ext-ncmixed.der cert-ext-ncmulti.der cert-ext-ncmulti.pem cert-ext-ncrid.der cert-ext-ncrid.pem cert-ext-nct.cfg cert-ext-nct.der cert-ext-nct.pem cert-ext-ndir-exc.cfg cert-ext-ndir-exc.der cert-ext-ndir-exc.pem cert-ext-ndir.cfg cert-ext-ndir.der cert-ext-ndir.pem cert-ext-ns.der cert-over-max-altnames.cfg cert-over-max-altnames.der cert-over-max-altnames.pem cert-over-max-nc.cfg cert-over-max-nc.der cert-over-max-nc.pem client-ecc-cert-ski.hex cn-ip-literal.der cn-ip-wildcard.der crit-cert.pem crit-key.pem dh1024.der dh1024.pem dh512.der dh512.pem digsigku.pem encrypteddata.msg gen-badsig.sh gen-ext-certs.sh gen-testcerts.sh include.am kari-keyid-cms.msg ktri-keyid-cms.msg ossl-trusted-cert.pem server-badaltname.der server-badaltname.pem server-badaltnull.der server-badaltnull.pem server-badcn.der server-badcn.pem server-badcnnull.der server-badcnnull.pem server-cert-ecc-badsig.der server-cert-ecc-badsig.pem server-cert-rsa-badsig.der server-cert-rsa-badsig.pem server-duplicate-policy.pem server-garbage.der server-garbage.pem server-goodalt.der server-goodalt.pem server-goodaltwild.der server-goodaltwild.pem server-goodcn.der server-goodcn.pem server-goodcnwild.der server-goodcnwild.pem server-localhost.der server-localhost.pem smime-test-canon.p7s smime-test-multipart-badsig.p7s smime-test-multipart.p7s smime-test.p7stest-pathlen
assemble-chains.sh chainA-ICA1-key.pem chainA-ICA1-pathlen0.pem chainA-assembled.pem chainA-entity-key.pem chainA-entity.pem chainB-ICA1-key.pem chainB-ICA1-pathlen0.pem chainB-ICA2-key.pem chainB-ICA2-pathlen1.pem chainB-assembled.pem chainB-entity-key.pem chainB-entity.pem chainC-ICA1-key.pem chainC-ICA1-pathlen1.pem chainC-assembled.pem chainC-entity-key.pem chainC-entity.pem chainD-ICA1-key.pem chainD-ICA1-pathlen127.pem chainD-assembled.pem chainD-entity-key.pem chainD-entity.pem chainE-ICA1-key.pem chainE-ICA1-pathlen128.pem chainE-assembled.pem chainE-entity-key.pem chainE-entity.pem chainF-ICA1-key.pem chainF-ICA1-pathlen1.pem chainF-ICA2-key.pem chainF-ICA2-pathlen0.pem chainF-assembled.pem chainF-entity-key.pem chainF-entity.pem chainG-ICA1-key.pem chainG-ICA1-pathlen0.pem chainG-ICA2-key.pem chainG-ICA2-pathlen1.pem chainG-ICA3-key.pem chainG-ICA3-pathlen99.pem chainG-ICA4-key.pem chainG-ICA4-pathlen5.pem chainG-ICA5-key.pem chainG-ICA5-pathlen20.pem chainG-ICA6-key.pem chainG-ICA6-pathlen10.pem chainG-ICA7-key.pem chainG-ICA7-pathlen100.pem chainG-assembled.pem chainG-entity-key.pem chainG-entity.pem chainH-ICA1-key.pem chainH-ICA1-pathlen0.pem chainH-ICA2-key.pem chainH-ICA2-pathlen2.pem chainH-ICA3-key.pem chainH-ICA3-pathlen2.pem chainH-ICA4-key.pem chainH-ICA4-pathlen2.pem chainH-assembled.pem chainH-entity-key.pem chainH-entity.pem chainI-ICA1-key.pem chainI-ICA1-no_pathlen.pem chainI-ICA2-key.pem chainI-ICA2-no_pathlen.pem chainI-ICA3-key.pem chainI-ICA3-pathlen2.pem chainI-assembled.pem chainI-entity-key.pem chainI-entity.pem chainJ-ICA1-key.pem chainJ-ICA1-no_pathlen.pem chainJ-ICA2-key.pem chainJ-ICA2-no_pathlen.pem chainJ-ICA3-key.pem chainJ-ICA3-no_pathlen.pem chainJ-ICA4-key.pem chainJ-ICA4-pathlen2.pem chainJ-assembled.pem chainJ-entity-key.pem chainJ-entity.pem include.am refreshkeys.shtest-serial0
ee_normal.pem ee_serial0.pem generate_certs.sh include.am intermediate_serial0.pem root_serial0.pem root_serial0_key.pem selfsigned_nonca_serial0.pemxmss
bc_xmss_chain_ca.der bc_xmss_chain_leaf.der bc_xmss_sha2_10_256_root.der bc_xmss_sha2_16_256_root.der bc_xmssmt_sha2_20_2_256_root.der bc_xmssmt_sha2_20_4_256_root.der bc_xmssmt_sha2_40_8_256_root.der include.amcmake
Config.cmake.in README.md config.in functions.cmake include.am options.h.in wolfssl-config-version.cmake.in wolfssl-targets.cmake.indebian
changelog.in control.in copyright include.am libwolfssl-dev.install libwolfssl.install rules.indoc
dox_comments
header_files
aes.h arc4.h ascon.h asn.h asn_public.h blake2.h bn.h camellia.h chacha.h chacha20_poly1305.h cmac.h coding.h compress.h cryptocb.h curve25519.h curve448.h des3.h dh.h doxygen_groups.h doxygen_pages.h dsa.h ecc.h eccsi.h ed25519.h ed448.h error-crypt.h evp.h hash.h hmac.h iotsafe.h kdf.h logging.h md2.h md4.h md5.h memory.h ocsp.h pem.h pkcs11.h pkcs7.h poly1305.h psa.h puf.h pwdbased.h quic.h random.h ripemd.h rsa.h sakke.h sha.h sha256.h sha3.h sha512.h signature.h siphash.h srp.h ssl.h tfm.h types.h wc_encrypt.h wc_port.h wc_she.h wc_slhdsa.h wolfio.hheader_files-ja
aes.h arc4.h ascon.h asn.h asn_public.h blake2.h bn.h camellia.h chacha.h chacha20_poly1305.h cmac.h coding.h compress.h cryptocb.h curve25519.h curve448.h des3.h dh.h doxygen_groups.h doxygen_pages.h dsa.h ecc.h eccsi.h ed25519.h ed448.h error-crypt.h evp.h hash.h hmac.h iotsafe.h kdf.h logging.h md2.h md4.h md5.h memory.h ocsp.h pem.h pkcs11.h pkcs7.h poly1305.h psa.h pwdbased.h quic.h random.h ripemd.h rsa.h sakke.h sha.h sha256.h sha3.h sha512.h signature.h siphash.h srp.h ssl.h tfm.h types.h wc_encrypt.h wc_port.h wolfio.h
examples
async
Makefile README.md async_client.c async_server.c async_tls.c async_tls.h include.am user_settings.hconfigs
README.md include.am user_settings_EBSnet.h user_settings_all.h user_settings_arduino.h user_settings_baremetal.h user_settings_ca.h user_settings_curve25519nonblock.h user_settings_dtls13.h user_settings_eccnonblock.h user_settings_espressif.h user_settings_fipsv2.h user_settings_fipsv5.h user_settings_min_ecc.h user_settings_openssl_compat.h user_settings_pkcs7.h user_settings_platformio.h user_settings_pq.h user_settings_rsa_only.h user_settings_stm32.h user_settings_template.h user_settings_tls12.h user_settings_tls13.h user_settings_wolfboot_keytools.h user_settings_wolfssh.h user_settings_wolftpm.hechoclient
echoclient.c echoclient.h echoclient.sln echoclient.vcproj echoclient.vcxproj include.am quitlinuxkm
Kbuild Makefile README.md get_thread_size.c include.am linuxkm-fips-hash-wrapper.sh linuxkm-fips-hash.c linuxkm_memory.c linuxkm_memory.h linuxkm_wc_port.h lkcapi_aes_glue.c lkcapi_dh_glue.c lkcapi_ecdh_glue.c lkcapi_ecdsa_glue.c lkcapi_glue.c lkcapi_rsa_glue.c lkcapi_sha_glue.c module_exports.c.template module_hooks.c pie_redirect_table.c wolfcrypt.lds x86_vector_register_glue.cm4
ax_add_am_macro.m4 ax_am_jobserver.m4 ax_am_macros.m4 ax_append_compile_flags.m4 ax_append_flag.m4 ax_append_link_flags.m4 ax_append_to_file.m4 ax_atomic.m4 ax_bsdkm.m4 ax_check_compile_flag.m4 ax_check_link_flag.m4 ax_compiler_version.m4 ax_count_cpus.m4 ax_create_generic_config.m4 ax_debug.m4 ax_file_escapes.m4 ax_harden_compiler_flags.m4 ax_linuxkm.m4 ax_print_to_file.m4 ax_pthread.m4 ax_require_defined.m4 ax_tls.m4 ax_vcs_checkout.m4 hexversion.m4 lib_socket_nsl.m4 visibility.m4mqx
wolfcrypt_benchmark
ReferencedRSESystems.xml wolfcrypt_benchmark_twrk70f120m_Int_Flash_DDRData_Debug_PnE_U-MultiLink.launch wolfcrypt_benchmark_twrk70f120m_Int_Flash_DDRData_Release_PnE_U-MultiLink.launch wolfcrypt_benchmark_twrk70f120m_Int_Flash_SramData_Debug_JTrace.jlink wolfcrypt_benchmark_twrk70f120m_Int_Flash_SramData_Debug_JTrace.launch wolfcrypt_benchmark_twrk70f120m_Int_Flash_SramData_Debug_PnE_U-MultiLink.launch wolfcrypt_benchmark_twrk70f120m_Int_Flash_SramData_Release_PnE_U-MultiLink.launchwolfcrypt_test
ReferencedRSESystems.xml wolfcrypt_test_twrk70f120m_Int_Flash_DDRData_Debug_PnE_U-MultiLink.launch wolfcrypt_test_twrk70f120m_Int_Flash_DDRData_Release_PnE_U-MultiLink.launch wolfcrypt_test_twrk70f120m_Int_Flash_SramData_Debug_JTrace.jlink wolfcrypt_test_twrk70f120m_Int_Flash_SramData_Debug_JTrace.launch wolfcrypt_test_twrk70f120m_Int_Flash_SramData_Debug_PnE_U-MultiLink.launch wolfcrypt_test_twrk70f120m_Int_Flash_SramData_Release_PnE_U-MultiLink.launchwolfssl_client
ReferencedRSESystems.xml wolfssl_client_twrk70f120m_Int_Flash_DDRData_Debug_PnE_U-MultiLink.launch wolfssl_client_twrk70f120m_Int_Flash_DDRData_Release_PnE_U-MultiLink.launch wolfssl_client_twrk70f120m_Int_Flash_SramData_Debug_JTrace.jlink wolfssl_client_twrk70f120m_Int_Flash_SramData_Debug_JTrace.launch wolfssl_client_twrk70f120m_Int_Flash_SramData_Debug_PnE_U-MultiLink.launch wolfssl_client_twrk70f120m_Int_Flash_SramData_Release_PnE_U-MultiLink.launchscripts
aria-cmake-build-test.sh asn1_oid_sum.pl benchmark.test benchmark_compare.sh cleanup_testfiles.sh crl-gen-openssl.test crl-revoked.test dertoc.pl dtls.test dtlscid.test external.test google.test include.am makedistsmall.sh memtest.sh ocsp-responder-openssl-interop.test ocsp-stapling-with-ca-as-responder.test ocsp-stapling-with-wolfssl-responder.test ocsp-stapling.test ocsp-stapling2.test ocsp-stapling_tls13multi.test ocsp.test openssl.test openssl_srtp.test pem.test ping.test pkcallbacks.test psk.test resume.test rsapss.test sniffer-gen.sh sniffer-ipv6.pcap sniffer-static-rsa.pcap sniffer-testsuite.test sniffer-tls12-keylog.out sniffer-tls12-keylog.pcap sniffer-tls12-keylog.sslkeylog sniffer-tls13-dh-resume.pcap sniffer-tls13-dh.pcap sniffer-tls13-ecc-resume.pcap sniffer-tls13-ecc.pcap sniffer-tls13-hrr.pcap sniffer-tls13-keylog.out sniffer-tls13-keylog.pcap sniffer-tls13-keylog.sslkeylog sniffer-tls13-x25519-resume.pcap sniffer-tls13-x25519.pcap stm32l4-v4_0_1_build.sh tls13.test trusted_peer.test unit.test.in user_settings_asm.shsrc
bio.c conf.c crl.c dtls.c dtls13.c include.am internal.c keys.c ocsp.c pk.c pk_ec.c pk_rsa.c quic.c sniffer.c ssl.c ssl_api_cert.c ssl_api_crl_ocsp.c ssl_api_pk.c ssl_asn1.c ssl_bn.c ssl_certman.c ssl_crypto.c ssl_ech.c ssl_load.c ssl_misc.c ssl_p7p12.c ssl_sess.c ssl_sk.c tls.c tls13.c wolfio.c x509.c x509_str.ctests
api
api.h api_decl.h create_ocsp_test_blobs.py include.am test_aes.c test_aes.h test_arc4.c test_arc4.h test_ascon.c test_ascon.h test_ascon_kats.h test_asn.c test_asn.h test_blake2.c test_blake2.h test_camellia.c test_camellia.h test_certman.c test_certman.h test_chacha.c test_chacha.h test_chacha20_poly1305.c test_chacha20_poly1305.h test_cmac.c test_cmac.h test_curve25519.c test_curve25519.h test_curve448.c test_curve448.h test_des3.c test_des3.h test_dh.c test_dh.h test_digest.h test_dsa.c test_dsa.h test_dtls.c test_dtls.h test_ecc.c test_ecc.h test_ed25519.c test_ed25519.h test_ed448.c test_ed448.h test_evp.c test_evp.h test_evp_cipher.c test_evp_cipher.h test_evp_digest.c test_evp_digest.h test_evp_pkey.c test_evp_pkey.h test_hash.c test_hash.h test_hmac.c test_hmac.h test_md2.c test_md2.h test_md4.c test_md4.h test_md5.c test_md5.h test_mldsa.c test_mldsa.h test_mlkem.c test_mlkem.h test_ocsp.c test_ocsp.h test_ocsp_test_blobs.h test_ossl_asn1.c test_ossl_asn1.h test_ossl_bio.c test_ossl_bio.h test_ossl_bn.c test_ossl_bn.h test_ossl_cipher.c test_ossl_cipher.h test_ossl_dgst.c test_ossl_dgst.h test_ossl_dh.c test_ossl_dh.h test_ossl_dsa.c test_ossl_dsa.h test_ossl_ec.c test_ossl_ec.h test_ossl_ecx.c test_ossl_ecx.h test_ossl_mac.c test_ossl_mac.h test_ossl_obj.c test_ossl_obj.h test_ossl_p7p12.c test_ossl_p7p12.h test_ossl_pem.c test_ossl_pem.h test_ossl_rand.c test_ossl_rand.h test_ossl_rsa.c test_ossl_rsa.h test_ossl_sk.c test_ossl_sk.h test_ossl_x509.c test_ossl_x509.h test_ossl_x509_acert.c test_ossl_x509_acert.h test_ossl_x509_crypto.c test_ossl_x509_crypto.h test_ossl_x509_ext.c test_ossl_x509_ext.h test_ossl_x509_info.c test_ossl_x509_info.h test_ossl_x509_io.c test_ossl_x509_io.h test_ossl_x509_lu.c test_ossl_x509_lu.h test_ossl_x509_name.c test_ossl_x509_name.h test_ossl_x509_pk.c test_ossl_x509_pk.h test_ossl_x509_str.c test_ossl_x509_str.h test_ossl_x509_vp.c test_ossl_x509_vp.h test_pkcs12.c test_pkcs12.h test_pkcs7.c test_pkcs7.h test_poly1305.c test_poly1305.h test_random.c test_random.h test_rc2.c test_rc2.h test_ripemd.c test_ripemd.h test_rsa.c test_rsa.h test_sha.c test_sha.h test_sha256.c test_sha256.h test_sha3.c test_sha3.h test_sha512.c test_sha512.h test_she.c test_she.h test_signature.c test_signature.h test_slhdsa.c test_slhdsa.h test_sm2.c test_sm2.h test_sm3.c test_sm3.h test_sm4.c test_sm4.h test_tls.c test_tls.h test_tls13.c test_tls13.h test_tls_ext.c test_tls_ext.h test_wc_encrypt.c test_wc_encrypt.h test_wolfmath.c test_wolfmath.h test_x509.c test_x509.hwolfcrypt
benchmark
README.md benchmark-VS2022.sln benchmark-VS2022.vcxproj benchmark-VS2022.vcxproj.user benchmark.c benchmark.h benchmark.sln benchmark.vcproj benchmark.vcxproj include.amsrc
port
Espressif
esp_crt_bundle
README.md cacrt_all.pem cacrt_deprecated.pem cacrt_local.pem esp_crt_bundle.c gen_crt_bundle.py pio_install_cryptography.pyRenesas
README.md renesas_common.c renesas_fspsm_aes.c renesas_fspsm_rsa.c renesas_fspsm_sha.c renesas_fspsm_util.c renesas_rx64_hw_sha.c renesas_rx64_hw_util.c renesas_tsip_aes.c renesas_tsip_rsa.c renesas_tsip_sha.c renesas_tsip_util.carm
armv8-32-aes-asm.S armv8-32-aes-asm_c.c armv8-32-chacha-asm.S armv8-32-chacha-asm_c.c armv8-32-curve25519.S armv8-32-curve25519_c.c armv8-32-mlkem-asm.S armv8-32-mlkem-asm_c.c armv8-32-poly1305-asm.S armv8-32-poly1305-asm_c.c armv8-32-sha256-asm.S armv8-32-sha256-asm_c.c armv8-32-sha3-asm.S armv8-32-sha3-asm_c.c armv8-32-sha512-asm.S armv8-32-sha512-asm_c.c armv8-aes-asm.S armv8-aes-asm_c.c armv8-aes.c armv8-chacha-asm.S armv8-chacha-asm_c.c armv8-curve25519.S armv8-curve25519_c.c armv8-mlkem-asm.S armv8-mlkem-asm_c.c armv8-poly1305-asm.S armv8-poly1305-asm_c.c armv8-sha256-asm.S armv8-sha256-asm_c.c armv8-sha256.c armv8-sha3-asm.S armv8-sha3-asm_c.c armv8-sha512-asm.S armv8-sha512-asm_c.c armv8-sha512.c cryptoCell.c cryptoCellHash.c thumb2-aes-asm.S thumb2-aes-asm_c.c thumb2-chacha-asm.S thumb2-chacha-asm_c.c thumb2-curve25519.S thumb2-curve25519_c.c thumb2-mlkem-asm.S thumb2-mlkem-asm_c.c thumb2-poly1305-asm.S thumb2-poly1305-asm_c.c thumb2-sha256-asm.S thumb2-sha256-asm_c.c thumb2-sha3-asm.S thumb2-sha3-asm_c.c thumb2-sha512-asm.S thumb2-sha512-asm_c.ccaam
README.md caam_aes.c caam_doc.pdf caam_driver.c caam_error.c caam_integrity.c caam_qnx.c caam_sha.c wolfcaam_aes.c wolfcaam_cmac.c wolfcaam_ecdsa.c wolfcaam_fsl_nxp.c wolfcaam_hash.c wolfcaam_hmac.c wolfcaam_init.c wolfcaam_qnx.c wolfcaam_rsa.c wolfcaam_seco.c wolfcaam_x25519.cdevcrypto
README.md devcrypto_aes.c devcrypto_ecdsa.c devcrypto_hash.c devcrypto_hmac.c devcrypto_rsa.c devcrypto_x25519.c wc_devcrypto.criscv
riscv-64-aes.c riscv-64-chacha.c riscv-64-poly1305.c riscv-64-sha256.c riscv-64-sha3.c riscv-64-sha512.cwolfssl
openssl
aes.h asn1.h asn1t.h bio.h bn.h buffer.h camellia.h cmac.h cms.h compat_types.h conf.h crypto.h des.h dh.h dsa.h ec.h ec25519.h ec448.h ecdh.h ecdsa.h ed25519.h ed448.h engine.h err.h evp.h fips_rand.h hmac.h include.am kdf.h lhash.h md4.h md5.h modes.h obj_mac.h objects.h ocsp.h opensslconf.h opensslv.h ossl_typ.h pem.h pkcs12.h pkcs7.h rand.h rc4.h ripemd.h rsa.h safestack.h sha.h sha3.h srp.h ssl.h ssl23.h stack.h tls1.h txt_db.h ui.h x509.h x509_vfy.h x509v3.hwolfcrypt
port
Renesas
renesas-fspsm-crypt.h renesas-fspsm-types.h renesas-rx64-hw-crypt.h renesas-tsip-crypt.h renesas_cmn.h renesas_fspsm_internal.h renesas_sync.h renesas_tsip_internal.h renesas_tsip_types.hcaam
caam_driver.h caam_error.h caam_qnx.h wolfcaam.h wolfcaam_aes.h wolfcaam_cmac.h wolfcaam_ecdsa.h wolfcaam_fsl_nxp.h wolfcaam_hash.h wolfcaam_qnx.h wolfcaam_rsa.h wolfcaam_seco.h wolfcaam_sha.h wolfcaam_x25519.hwrapper
Ada
examples
src
aes_verify_main.adb rsa_verify_main.adb sha256_main.adb spark_sockets.adb spark_sockets.ads spark_terminal.adb spark_terminal.ads tls_client.adb tls_client.ads tls_client_main.adb tls_server.adb tls_server.ads tls_server_main.adbtests
src
aes_bindings_tests.adb aes_bindings_tests.ads rsa_verify_bindings_tests.adb rsa_verify_bindings_tests.ads sha256_bindings_tests.adb sha256_bindings_tests.ads tests.adbCSharp
wolfSSL-Example-IOCallbacks
App.config wolfSSL-Example-IOCallbacks.cs wolfSSL-Example-IOCallbacks.csprojwolfSSL-TLS-ServerThreaded
App.config wolfSSL-TLS-ServerThreaded.cs wolfSSL-TLS-ServerThreaded.csprojrust
wolfssl-wolfcrypt
src
aes.rs blake2.rs chacha20_poly1305.rs cmac.rs cmac_mac.rs curve25519.rs dh.rs dilithium.rs ecc.rs ecdsa.rs ed25519.rs ed448.rs fips.rs hkdf.rs hmac.rs hmac_mac.rs kdf.rs lib.rs lms.rs mlkem.rs mlkem_kem.rs pbkdf2_password_hash.rs prf.rs random.rs rsa.rs rsa_pkcs1v15.rs sha.rs sha_digest.rs sys.rstests
test_aes.rs test_blake2.rs test_chacha20_poly1305.rs test_cmac.rs test_cmac_mac.rs test_curve25519.rs test_dh.rs test_dilithium.rs test_ecc.rs test_ecdsa.rs test_ed25519.rs test_ed448.rs test_hkdf.rs test_hmac.rs test_hmac_mac.rs test_kdf.rs test_lms.rs test_mlkem.rs test_mlkem_kem.rs test_pbkdf2_password_hash.rs test_prf.rs test_random.rs test_rsa.rs test_rsa_pkcs1v15.rs test_sha.rs test_sha_digest.rs test_wolfcrypt.rszephyr
samples
wolfssl_benchmark
CMakeLists.txt README install_test.sh prj.conf sample.yaml zephyr_legacy.conf zephyr_v4.1.confwolfssl_test
CMakeLists.txt README install_test.sh prj-no-malloc.conf prj.conf sample.yaml zephyr_legacy.conf zephyr_v4.1.conf
wolfssl/tests/api/test_tls13.c
raw
1/* test_tls13.c
2 *
3 * Copyright (C) 2006-2026 wolfSSL Inc.
4 *
5 * This file is part of wolfSSL.
6 *
7 * wolfSSL is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
11 *
12 * wolfSSL is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
20 */
21
22#include <tests/unit.h>
23
24#ifdef NO_INLINE
25 #include <wolfssl/wolfcrypt/misc.h>
26#else
27 #define WOLFSSL_MISC_INCLUDED
28 #include <wolfcrypt/src/misc.c>
29#endif
30
31#include <wolfssl/ssl.h>
32#include <wolfssl/internal.h>
33#include <tests/api/api.h>
34#include <tests/utils.h>
35#include <tests/api/test_tls13.h>
36
37#if defined(WOLFSSL_SEND_HRR_COOKIE) && !defined(NO_WOLFSSL_SERVER)
38#ifdef WC_SHA384_DIGEST_SIZE
39 WC_MAYBE_UNUSED static byte fixedKey[WC_SHA384_DIGEST_SIZE] = { 0, };
40#else
41 WC_MAYBE_UNUSED static byte fixedKey[WC_SHA256_DIGEST_SIZE] = { 0, };
42#endif
43#endif
44#ifdef WOLFSSL_EARLY_DATA
45static const char earlyData[] = "Early Data";
46static char earlyDataBuffer[1];
47#endif
48
49int test_tls13_apis(void)
50{
51 EXPECT_DECLS;
52#ifdef WOLFSSL_TLS13
53#if defined(HAVE_SUPPORTED_CURVES) && defined(HAVE_ECC) && \
54 (!defined(NO_WOLFSSL_SERVER) || !defined(NO_WOLFSSL_CLIENT))
55 int ret;
56#endif
57#ifndef WOLFSSL_NO_TLS12
58#ifndef NO_WOLFSSL_CLIENT
59 WOLFSSL_CTX* clientTls12Ctx = NULL;
60 WOLFSSL* clientTls12Ssl = NULL;
61#endif
62#ifndef NO_WOLFSSL_SERVER
63 WOLFSSL_CTX* serverTls12Ctx = NULL;
64 WOLFSSL* serverTls12Ssl = NULL;
65#endif
66#endif
67#ifndef NO_WOLFSSL_CLIENT
68 WOLFSSL_CTX* clientCtx = NULL;
69 WOLFSSL* clientSsl = NULL;
70#endif
71#ifndef NO_WOLFSSL_SERVER
72 WOLFSSL_CTX* serverCtx = NULL;
73 WOLFSSL* serverSsl = NULL;
74#if !defined(NO_CERTS) && !defined(NO_FILESYSTEM)
75#ifndef NO_RSA
76 const char* ourCert = svrCertFile;
77 const char* ourKey = svrKeyFile;
78#elif defined(HAVE_ECC)
79 const char* ourCert = eccCertFile;
80 const char* ourKey = eccKeyFile;
81#elif defined(HAVE_ED25519)
82 const char* ourCert = edCertFile;
83 const char* ourKey = edKeyFile;
84#elif defined(HAVE_ED448)
85 const char* ourCert = ed448CertFile;
86 const char* ourKey = ed448KeyFile;
87#endif
88#endif
89#endif
90 int required;
91#ifdef WOLFSSL_EARLY_DATA
92 int outSz;
93#endif
94#if defined(HAVE_ECC) && defined(HAVE_SUPPORTED_CURVES)
95 int groups[2] = { WOLFSSL_ECC_SECP256R1,
96#ifdef WOLFSSL_HAVE_MLKEM
97#ifdef WOLFSSL_MLKEM_KYBER
98 #ifndef WOLFSSL_NO_KYBER512
99 WOLFSSL_KYBER_LEVEL1
100 #elif !defined(WOLFSSL_NO_KYBER768)
101 WOLFSSL_KYBER_LEVEL3
102 #else
103 WOLFSSL_KYBER_LEVEL5
104 #endif
105#elif !defined(WOLFSSL_TLS_NO_MLKEM_STANDALONE)
106 #ifndef WOLFSSL_NO_ML_KEM_512
107 WOLFSSL_ML_KEM_512
108 #elif !defined(WOLFSSL_NO_ML_KEM_768)
109 WOLFSSL_ML_KEM_768
110 #else
111 WOLFSSL_ML_KEM_1024
112 #endif
113#else
114 #ifndef WOLFSSL_NO_ML_KEM_768
115 WOLFSSL_SECP256R1MLKEM768
116 #else
117 WOLFSSL_ECC_SECP256R1
118 #endif
119#endif
120#else
121 WOLFSSL_ECC_SECP256R1
122#endif
123 };
124#if !defined(NO_WOLFSSL_SERVER) || !defined(NO_WOLFSSL_CLIENT)
125 int bad_groups[2] = { 0xDEAD, 0xBEEF };
126#endif /* !NO_WOLFSSL_SERVER || !NO_WOLFSSL_CLIENT */
127 int numGroups = 2;
128#if defined(OPENSSL_EXTRA) && !defined(NO_WOLFSSL_CLIENT)
129 int too_many_groups[WOLFSSL_MAX_GROUP_COUNT + 1];
130#endif
131#endif
132#if defined(OPENSSL_EXTRA) && defined(HAVE_ECC)
133 char groupList[] =
134#ifdef HAVE_CURVE25519
135 "X25519:"
136#endif
137#ifdef HAVE_CURVE448
138 "X448:"
139#endif
140#ifndef NO_ECC_SECP
141#if (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 521
142 "P-521:secp521r1:"
143#endif
144#if (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 384
145 "P-384:secp384r1:"
146#endif
147#if (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256
148 "P-256:secp256r1"
149#if defined(WOLFSSL_HAVE_MLKEM) && !defined(WOLFSSL_MLKEM_NO_MALLOC) && \
150 !defined(WOLFSSL_MLKEM_NO_MAKE_KEY) && \
151 !defined(WOLFSSL_MLKEM_NO_ENCAPSULATE) && \
152 !defined(WOLFSSL_MLKEM_NO_DECAPSULATE)
153#ifdef WOLFSSL_MLKEM_KYBER
154 #ifndef WOLFSSL_NO_KYBER512
155 ":P256_KYBER_LEVEL1"
156 #elif !defined(WOLFSSL_NO_KYBER768)
157 ":P256_KYBER_LEVEL3"
158 #elif !defined(WOLFSSL_NO_KYBER1024)
159 ":P256_KYBER_LEVEL5"
160 #endif
161#else
162 #if !defined(WOLFSSL_NO_ML_KEM_512) && defined(WOLFSSL_EXTRA_PQC_HYBRIDS)
163 ":SecP256r1MLKEM512"
164 #elif !defined(WOLFSSL_NO_ML_KEM_768) && defined(WOLFSSL_PQC_HYBRIDS)
165 ":SecP256r1MLKEM768"
166 #elif !defined(WOLFSSL_NO_ML_KEM_1024) && defined(WOLFSSL_PQC_HYBRIDS)
167 ":SecP384r1MLKEM1024"
168 #elif !defined(WOLFSSL_NO_ML_KEM_1024) && \
169 !defined(WOLFSSL_TLS_NO_MLKEM_STANDALONE)
170 ":ML_KEM_1024"
171 #elif !defined(WOLFSSL_NO_ML_KEM_768) && \
172 !defined(WOLFSSL_TLS_NO_MLKEM_STANDALONE)
173 ":ML_KEM_768"
174 #endif
175#endif
176#endif
177#endif
178#endif /* !defined(NO_ECC_SECP) */
179#if defined(WOLFSSL_HAVE_MLKEM) && !defined(WOLFSSL_MLKEM_NO_MALLOC) && \
180 !defined(WOLFSSL_MLKEM_NO_MAKE_KEY) && \
181 !defined(WOLFSSL_MLKEM_NO_ENCAPSULATE) && \
182 !defined(WOLFSSL_MLKEM_NO_DECAPSULATE)
183#ifdef WOLFSSL_MLKEM_KYBER
184 #ifndef WOLFSSL_NO_KYBER512
185 ":KYBER_LEVEL1"
186 #elif !defined(WOLFSSL_NO_KYBER768)
187 ":KYBER_LEVEL3"
188 #elif !defined(WOLFSSL_NO_KYBER1024)
189 ":KYBER_LEVEL5"
190 #endif
191#elif !defined(WOLFSSL_TLS_NO_MLKEM_STANDALONE)
192 #if !defined(WOLFSSL_NO_ML_KEM_512)
193 ":ML_KEM_512"
194 #elif !defined(WOLFSSL_NO_ML_KEM_768)
195 ":ML_KEM_768"
196 #elif !defined(WOLFSSL_NO_ML_KEM_1024)
197 ":ML_KEM_1024"
198 #endif
199#endif
200#endif
201 "";
202#endif /* defined(OPENSSL_EXTRA) && defined(HAVE_ECC) */
203#if defined(WOLFSSL_HAVE_MLKEM) && !defined(WOLFSSL_MLKEM_NO_MALLOC) && \
204 !defined(WOLFSSL_MLKEM_NO_MAKE_KEY) && \
205 !defined(WOLFSSL_MLKEM_NO_ENCAPSULATE) && \
206 !defined(WOLFSSL_MLKEM_NO_DECAPSULATE) && \
207 defined(HAVE_SUPPORTED_CURVES) && \
208 (!defined(WOLFSSL_TLS_NO_MLKEM_STANDALONE) || \
209 (defined(HAVE_CURVE25519) && !defined(WOLFSSL_NO_ML_KEM_768)) || \
210 (defined(HAVE_ECC) && !defined(WOLFSSL_NO_ML_KEM_768)))
211 int mlkemLevel;
212#endif
213
214#ifndef WOLFSSL_NO_TLS12
215#ifndef NO_WOLFSSL_CLIENT
216 clientTls12Ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method());
217 clientTls12Ssl = wolfSSL_new(clientTls12Ctx);
218#endif
219#ifndef NO_WOLFSSL_SERVER
220 serverTls12Ctx = wolfSSL_CTX_new(wolfTLSv1_2_server_method());
221#if !defined(NO_CERTS)
222 #if !defined(NO_FILESYSTEM)
223 wolfSSL_CTX_use_certificate_chain_file(serverTls12Ctx, ourCert);
224 wolfSSL_CTX_use_PrivateKey_file(serverTls12Ctx, ourKey,
225 CERT_FILETYPE);
226 #elif defined(USE_CERT_BUFFERS_2048)
227 wolfSSL_CTX_use_certificate_chain_buffer_format(serverTls12Ctx,
228 server_cert_der_2048, sizeof_server_cert_der_2048,
229 WOLFSSL_FILETYPE_ASN1);
230 wolfSSL_CTX_use_PrivateKey_buffer(serverTls12Ctx, server_key_der_2048,
231 sizeof_server_key_der_2048, WOLFSSL_FILETYPE_ASN1);
232 #elif defined(USE_CERT_BUFFERS_256)
233 wolfSSL_CTX_use_certificate_chain_buffer_format(serverTls12Ctx,
234 serv_ecc_der_256, sizeof_serv_ecc_der_256, WOLFSSL_FILETYPE_ASN1);
235 wolfSSL_CTX_use_PrivateKey_buffer(serverTls12Ctx, ecc_key_der_256,
236 sizeof_ecc_key_der_256, WOLFSSL_FILETYPE_ASN1);
237 #endif
238#endif
239 serverTls12Ssl = wolfSSL_new(serverTls12Ctx);
240#endif
241#endif
242
243#ifndef NO_WOLFSSL_CLIENT
244 clientCtx = wolfSSL_CTX_new(wolfTLSv1_3_client_method());
245 clientSsl = wolfSSL_new(clientCtx);
246#endif
247#ifndef NO_WOLFSSL_SERVER
248 serverCtx = wolfSSL_CTX_new(wolfTLSv1_3_server_method());
249#if !defined(NO_CERTS)
250 /* ignore load failures, since we just need the server to have a cert set */
251 #if !defined(NO_FILESYSTEM)
252 wolfSSL_CTX_use_certificate_chain_file(serverCtx, ourCert);
253 wolfSSL_CTX_use_PrivateKey_file(serverCtx, ourKey, CERT_FILETYPE);
254 #elif defined(USE_CERT_BUFFERS_2048)
255 wolfSSL_CTX_use_certificate_chain_buffer_format(serverCtx,
256 server_cert_der_2048, sizeof_server_cert_der_2048,
257 WOLFSSL_FILETYPE_ASN1);
258 wolfSSL_CTX_use_PrivateKey_buffer(serverCtx, server_key_der_2048,
259 sizeof_server_key_der_2048, WOLFSSL_FILETYPE_ASN1);
260 #elif defined(USE_CERT_BUFFERS_256)
261 wolfSSL_CTX_use_certificate_chain_buffer_format(serverCtx, serv_ecc_der_256,
262 sizeof_serv_ecc_der_256, WOLFSSL_FILETYPE_ASN1);
263 wolfSSL_CTX_use_PrivateKey_buffer(serverCtx, ecc_key_der_256,
264 sizeof_ecc_key_der_256, WOLFSSL_FILETYPE_ASN1);
265 #endif
266#endif
267 serverSsl = wolfSSL_new(serverCtx);
268 ExpectNotNull(serverSsl);
269#endif
270
271#ifdef WOLFSSL_SEND_HRR_COOKIE
272 ExpectIntEQ(wolfSSL_send_hrr_cookie(NULL, NULL, 0),
273 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
274#ifndef NO_WOLFSSL_CLIENT
275 ExpectIntEQ(wolfSSL_send_hrr_cookie(clientSsl, NULL, 0),
276 WC_NO_ERR_TRACE(SIDE_ERROR));
277#endif
278#ifndef NO_WOLFSSL_SERVER
279#ifndef WOLFSSL_NO_TLS12
280 ExpectIntEQ(wolfSSL_send_hrr_cookie(serverTls12Ssl, NULL, 0),
281 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
282#endif
283
284 ExpectIntEQ(wolfSSL_send_hrr_cookie(serverSsl, NULL, 0), WOLFSSL_SUCCESS);
285 ExpectIntEQ(wolfSSL_send_hrr_cookie(serverSsl, fixedKey, sizeof(fixedKey)),
286 WOLFSSL_SUCCESS);
287#endif
288#endif
289
290#ifdef HAVE_SUPPORTED_CURVES
291#ifdef HAVE_ECC
292 ExpectIntEQ(wolfSSL_UseKeyShare(NULL, WOLFSSL_ECC_SECP256R1),
293 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
294#ifndef NO_WOLFSSL_SERVER
295 do {
296 ret = wolfSSL_UseKeyShare(serverSsl, WOLFSSL_ECC_SECP256R1);
297 #ifdef WOLFSSL_ASYNC_CRYPT
298 if (ret == WC_NO_ERR_TRACE(WC_PENDING_E))
299 wolfSSL_AsyncPoll(serverSsl, WOLF_POLL_FLAG_CHECK_HW);
300 #endif
301 }
302 while (ret == WC_NO_ERR_TRACE(WC_PENDING_E));
303 ExpectIntEQ(ret, WOLFSSL_SUCCESS);
304#endif
305#ifndef NO_WOLFSSL_CLIENT
306#ifndef WOLFSSL_NO_TLS12
307 do {
308 ret = wolfSSL_UseKeyShare(clientTls12Ssl, WOLFSSL_ECC_SECP256R1);
309 #ifdef WOLFSSL_ASYNC_CRYPT
310 if (ret == WC_NO_ERR_TRACE(WC_PENDING_E))
311 wolfSSL_AsyncPoll(clientTls12Ssl, WOLF_POLL_FLAG_CHECK_HW);
312 #endif
313 }
314 while (ret == WC_NO_ERR_TRACE(WC_PENDING_E));
315 ExpectIntEQ(ret, WOLFSSL_SUCCESS);
316#endif
317 do {
318 ret = wolfSSL_UseKeyShare(clientSsl, WOLFSSL_ECC_SECP256R1);
319 #ifdef WOLFSSL_ASYNC_CRYPT
320 if (ret == WC_NO_ERR_TRACE(WC_PENDING_E))
321 wolfSSL_AsyncPoll(clientSsl, WOLF_POLL_FLAG_CHECK_HW);
322 #endif
323 }
324 while (ret == WC_NO_ERR_TRACE(WC_PENDING_E));
325 ExpectIntEQ(ret, WOLFSSL_SUCCESS);
326#endif
327#elif defined(HAVE_CURVE25519)
328 ExpectIntEQ(wolfSSL_UseKeyShare(NULL, WOLFSSL_ECC_X25519),
329 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
330#ifndef NO_WOLFSSL_SERVER
331 ExpectIntEQ(wolfSSL_UseKeyShare(serverSsl, WOLFSSL_ECC_X25519),
332 WOLFSSL_SUCCESS);
333#endif
334#ifndef NO_WOLFSSL_CLIENT
335#ifndef WOLFSSL_NO_TLS12
336 ExpectIntEQ(wolfSSL_UseKeyShare(clientTls12Ssl, WOLFSSL_ECC_X25519),
337 WOLFSSL_SUCCESS);
338#endif
339 ExpectIntEQ(wolfSSL_UseKeyShare(clientSsl, WOLFSSL_ECC_X25519),
340 WOLFSSL_SUCCESS);
341#endif
342#elif defined(HAVE_CURVE448)
343 ExpectIntEQ(wolfSSL_UseKeyShare(NULL, WOLFSSL_ECC_X448),
344 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
345#ifndef NO_WOLFSSL_SERVER
346 ExpectIntEQ(wolfSSL_UseKeyShare(serverSsl, WOLFSSL_ECC_X448),
347 WOLFSSL_SUCCESS);
348#endif
349#ifndef NO_WOLFSSL_CLIENT
350#ifndef WOLFSSL_NO_TLS12
351 ExpectIntEQ(wolfSSL_UseKeyShare(clientTls12Ssl, WOLFSSL_ECC_X448),
352 WOLFSSL_SUCCESS);
353#endif
354 ExpectIntEQ(wolfSSL_UseKeyShare(clientSsl, WOLFSSL_ECC_X448),
355 WOLFSSL_SUCCESS);
356#endif
357#else
358 ExpectIntEQ(wolfSSL_UseKeyShare(NULL, WOLFSSL_ECC_SECP256R1),
359 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
360#ifndef NO_WOLFSSL_CLIENT
361#ifndef WOLFSSL_NO_TLS12
362 ExpectIntEQ(wolfSSL_UseKeyShare(clientTls12Ssl, WOLFSSL_ECC_SECP256R1),
363 WC_NO_ERR_TRACE(NOT_COMPILED_IN));
364#endif
365 ExpectIntEQ(wolfSSL_UseKeyShare(clientSsl, WOLFSSL_ECC_SECP256R1),
366 WC_NO_ERR_TRACE(NOT_COMPILED_IN));
367#endif
368#endif
369
370#if defined(WOLFSSL_HAVE_MLKEM) && !defined(WOLFSSL_MLKEM_NO_MALLOC) && \
371 !defined(WOLFSSL_MLKEM_NO_MAKE_KEY) && \
372 !defined(WOLFSSL_MLKEM_NO_ENCAPSULATE) && \
373 !defined(WOLFSSL_MLKEM_NO_DECAPSULATE) && \
374 (!defined(WOLFSSL_TLS_NO_MLKEM_STANDALONE) || \
375 (defined(HAVE_CURVE25519) && !defined(WOLFSSL_NO_ML_KEM_768)) || \
376 (defined(HAVE_ECC) && !defined(WOLFSSL_NO_ML_KEM_768)))
377#ifndef WOLFSSL_NO_ML_KEM
378#ifndef WOLFSSL_TLS_NO_MLKEM_STANDALONE
379#ifndef WOLFSSL_NO_ML_KEM_768
380 mlkemLevel = WOLFSSL_ML_KEM_768;
381#elif !defined(WOLFSSL_NO_ML_KEM_1024)
382 mlkemLevel = WOLFSSL_ML_KEM_1024;
383#else
384 mlkemLevel = WOLFSSL_ML_KEM_512;
385#endif
386#else
387#if defined(HAVE_CURVE25519) && !defined(WOLFSSL_NO_ML_KEM_768)
388 mlkemLevel = WOLFSSL_X25519MLKEM768;
389#elif defined(HAVE_ECC) && !defined(WOLFSSL_NO_ML_KEM_768)
390 mlkemLevel = WOLFSSL_SECP256R1MLKEM768;
391#endif
392#endif
393#else
394#ifndef WOLFSSL_NO_KYBER768
395 mlkemLevel = WOLFSSL_KYBER_LEVEL3;
396#elif !defined(WOLFSSL_NO_KYBER1024)
397 mlkemLevel = WOLFSSL_KYBER_LEVEL5;
398#else
399 mlkemLevel = WOLFSSL_KYBER_LEVEL1;
400#endif
401#endif
402 ExpectIntEQ(wolfSSL_UseKeyShare(NULL, mlkemLevel),
403 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
404#ifndef NO_WOLFSSL_SERVER
405 ExpectIntEQ(wolfSSL_UseKeyShare(serverSsl, mlkemLevel),
406 WOLFSSL_SUCCESS);
407#endif
408#ifndef NO_WOLFSSL_CLIENT
409#ifndef WOLFSSL_NO_TLS12
410 ExpectIntEQ(wolfSSL_UseKeyShare(clientTls12Ssl, mlkemLevel),
411 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
412#endif
413 ExpectIntEQ(wolfSSL_UseKeyShare(clientSsl, mlkemLevel),
414 WOLFSSL_SUCCESS);
415#endif
416#endif
417
418 ExpectIntEQ(wolfSSL_NoKeyShares(NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
419#ifndef NO_WOLFSSL_SERVER
420 ExpectIntEQ(wolfSSL_NoKeyShares(serverSsl), WC_NO_ERR_TRACE(SIDE_ERROR));
421#endif
422#ifndef NO_WOLFSSL_CLIENT
423#ifndef WOLFSSL_NO_TLS12
424 ExpectIntEQ(wolfSSL_NoKeyShares(clientTls12Ssl), WOLFSSL_SUCCESS);
425#endif
426 ExpectIntEQ(wolfSSL_NoKeyShares(clientSsl), WOLFSSL_SUCCESS);
427#endif
428#endif /* HAVE_SUPPORTED_CURVES */
429
430 ExpectIntEQ(wolfSSL_CTX_no_ticket_TLSv13(NULL),
431 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
432#ifndef NO_WOLFSSL_CLIENT
433 ExpectIntEQ(wolfSSL_CTX_no_ticket_TLSv13(clientCtx),
434 WC_NO_ERR_TRACE(SIDE_ERROR));
435#endif
436#ifndef NO_WOLFSSL_SERVER
437#ifndef WOLFSSL_NO_TLS12
438 ExpectIntEQ(wolfSSL_CTX_no_ticket_TLSv13(serverTls12Ctx),
439 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
440#endif
441 ExpectIntEQ(wolfSSL_CTX_no_ticket_TLSv13(serverCtx), 0);
442#endif
443
444 ExpectIntEQ(wolfSSL_no_ticket_TLSv13(NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
445#ifndef NO_WOLFSSL_CLIENT
446 ExpectIntEQ(wolfSSL_no_ticket_TLSv13(clientSsl),
447 WC_NO_ERR_TRACE(SIDE_ERROR));
448#endif
449#ifndef NO_WOLFSSL_SERVER
450#ifndef WOLFSSL_NO_TLS12
451 ExpectIntEQ(wolfSSL_no_ticket_TLSv13(serverTls12Ssl),
452 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
453#endif
454 ExpectIntEQ(wolfSSL_no_ticket_TLSv13(serverSsl), 0);
455#endif
456
457 ExpectIntEQ(wolfSSL_CTX_no_dhe_psk(NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
458#ifndef NO_WOLFSSL_CLIENT
459#ifndef WOLFSSL_NO_TLS12
460 ExpectIntEQ(wolfSSL_CTX_no_dhe_psk(clientTls12Ctx),
461 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
462#endif
463 ExpectIntEQ(wolfSSL_CTX_no_dhe_psk(clientCtx), 0);
464#endif
465#ifndef NO_WOLFSSL_SERVER
466 ExpectIntEQ(wolfSSL_CTX_no_dhe_psk(serverCtx), 0);
467#endif
468
469 ExpectIntEQ(wolfSSL_no_dhe_psk(NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
470#ifndef NO_WOLFSSL_CLIENT
471#ifndef WOLFSSL_NO_TLS12
472 ExpectIntEQ(wolfSSL_no_dhe_psk(clientTls12Ssl),
473 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
474#endif
475 ExpectIntEQ(wolfSSL_no_dhe_psk(clientSsl), 0);
476#endif
477#ifndef NO_WOLFSSL_SERVER
478 ExpectIntEQ(wolfSSL_no_dhe_psk(serverSsl), 0);
479#endif
480
481 ExpectIntEQ(wolfSSL_update_keys(NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
482#ifndef NO_WOLFSSL_CLIENT
483#ifndef WOLFSSL_NO_TLS12
484 ExpectIntEQ(wolfSSL_update_keys(clientTls12Ssl),
485 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
486#endif
487 ExpectIntEQ(wolfSSL_update_keys(clientSsl),
488 WC_NO_ERR_TRACE(BUILD_MSG_ERROR));
489#endif
490#ifndef NO_WOLFSSL_SERVER
491 ExpectIntEQ(wolfSSL_update_keys(serverSsl),
492 WC_NO_ERR_TRACE(BUILD_MSG_ERROR));
493#endif
494
495 ExpectIntEQ(wolfSSL_key_update_response(NULL, NULL),
496 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
497 ExpectIntEQ(wolfSSL_key_update_response(NULL, &required),
498 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
499#ifndef NO_WOLFSSL_CLIENT
500#ifndef WOLFSSL_NO_TLS12
501 ExpectIntEQ(wolfSSL_key_update_response(clientTls12Ssl, &required),
502 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
503#endif
504 ExpectIntEQ(wolfSSL_key_update_response(clientSsl, NULL),
505 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
506#endif
507#ifndef NO_WOLFSSL_SERVER
508 ExpectIntEQ(wolfSSL_key_update_response(serverSsl, NULL),
509 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
510#endif
511
512#if !defined(NO_CERTS) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
513 ExpectIntEQ(wolfSSL_CTX_allow_post_handshake_auth(NULL),
514 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
515#ifndef NO_WOLFSSL_SERVER
516 ExpectIntEQ(wolfSSL_CTX_allow_post_handshake_auth(serverCtx),
517 WC_NO_ERR_TRACE(SIDE_ERROR));
518#endif
519#ifndef NO_WOLFSSL_CLIENT
520#ifndef WOLFSSL_NO_TLS12
521 ExpectIntEQ(wolfSSL_CTX_allow_post_handshake_auth(clientTls12Ctx),
522 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
523#endif
524 ExpectIntEQ(wolfSSL_CTX_allow_post_handshake_auth(clientCtx), 0);
525#endif
526
527 ExpectIntEQ(wolfSSL_allow_post_handshake_auth(NULL),
528 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
529#ifndef NO_WOLFSSL_SERVER
530 ExpectIntEQ(wolfSSL_allow_post_handshake_auth(serverSsl),
531 WC_NO_ERR_TRACE(SIDE_ERROR));
532#endif
533#ifndef NO_WOLFSSL_CLIENT
534#ifndef WOLFSSL_NO_TLS12
535 ExpectIntEQ(wolfSSL_allow_post_handshake_auth(clientTls12Ssl),
536 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
537#endif
538 ExpectIntEQ(wolfSSL_allow_post_handshake_auth(clientSsl), 0);
539#endif
540
541 ExpectIntEQ(wolfSSL_request_certificate(NULL),
542 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
543#ifndef NO_WOLFSSL_CLIENT
544 ExpectIntEQ(wolfSSL_request_certificate(clientSsl),
545 WC_NO_ERR_TRACE(SIDE_ERROR));
546#endif
547#ifndef NO_WOLFSSL_SERVER
548#ifndef WOLFSSL_NO_TLS12
549 ExpectIntEQ(wolfSSL_request_certificate(serverTls12Ssl),
550 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
551#endif
552 ExpectIntEQ(wolfSSL_request_certificate(serverSsl),
553 WC_NO_ERR_TRACE(NOT_READY_ERROR));
554#endif
555#endif
556
557#ifdef HAVE_ECC
558#ifndef WOLFSSL_NO_SERVER_GROUPS_EXT
559 ExpectIntEQ(wolfSSL_preferred_group(NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
560#ifndef NO_WOLFSSL_SERVER
561 ExpectIntEQ(wolfSSL_preferred_group(serverSsl),
562 WC_NO_ERR_TRACE(SIDE_ERROR));
563#endif
564#ifndef NO_WOLFSSL_CLIENT
565#ifndef WOLFSSL_NO_TLS12
566 ExpectIntEQ(wolfSSL_preferred_group(clientTls12Ssl),
567 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
568#endif
569 ExpectIntEQ(wolfSSL_preferred_group(clientSsl),
570 WC_NO_ERR_TRACE(NOT_READY_ERROR));
571#endif
572#endif
573
574#ifdef HAVE_SUPPORTED_CURVES
575 ExpectIntEQ(wolfSSL_CTX_set_groups(NULL, NULL, 0),
576 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
577#ifndef NO_WOLFSSL_CLIENT
578 ExpectIntEQ(wolfSSL_CTX_set_groups(clientCtx, NULL, 0),
579 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
580#endif
581 ExpectIntEQ(wolfSSL_CTX_set_groups(NULL, groups, numGroups),
582 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
583#ifndef NO_WOLFSSL_CLIENT
584#ifndef WOLFSSL_NO_TLS12
585 ExpectIntEQ(wolfSSL_CTX_set_groups(clientTls12Ctx, groups, numGroups),
586 WOLFSSL_SUCCESS);
587#endif
588 ExpectIntEQ(wolfSSL_CTX_set_groups(clientCtx, groups,
589 WOLFSSL_MAX_GROUP_COUNT + 1), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
590 ExpectIntEQ(wolfSSL_CTX_set_groups(clientCtx, groups, numGroups),
591 WOLFSSL_SUCCESS);
592 ExpectIntEQ(wolfSSL_CTX_set_groups(clientCtx, bad_groups, numGroups),
593 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
594#endif
595#ifndef NO_WOLFSSL_SERVER
596 ExpectIntEQ(wolfSSL_CTX_set_groups(serverCtx, groups, numGroups),
597 WOLFSSL_SUCCESS);
598 ExpectIntEQ(wolfSSL_CTX_set_groups(serverCtx, bad_groups, numGroups),
599 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
600#endif
601
602 ExpectIntEQ(wolfSSL_set_groups(NULL, NULL, 0),
603 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
604#ifndef NO_WOLFSSL_CLIENT
605 ExpectIntEQ(wolfSSL_set_groups(clientSsl, NULL, 0),
606 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
607#endif
608 ExpectIntEQ(wolfSSL_set_groups(NULL, groups, numGroups),
609 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
610#ifndef NO_WOLFSSL_CLIENT
611#ifndef WOLFSSL_NO_TLS12
612 ExpectIntEQ(wolfSSL_set_groups(clientTls12Ssl, groups, numGroups),
613 WOLFSSL_SUCCESS);
614#endif
615 ExpectIntEQ(wolfSSL_set_groups(clientSsl, groups,
616 WOLFSSL_MAX_GROUP_COUNT + 1), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
617 ExpectIntEQ(wolfSSL_set_groups(clientSsl, groups, numGroups),
618 WOLFSSL_SUCCESS);
619 ExpectIntEQ(wolfSSL_set_groups(clientSsl, bad_groups, numGroups),
620 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
621#endif
622#ifndef NO_WOLFSSL_SERVER
623 ExpectIntEQ(wolfSSL_set_groups(serverSsl, groups, numGroups),
624 WOLFSSL_SUCCESS);
625 ExpectIntEQ(wolfSSL_set_groups(serverSsl, bad_groups, numGroups),
626 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
627#endif
628
629#ifdef OPENSSL_EXTRA
630 ExpectIntEQ(wolfSSL_CTX_set1_groups_list(NULL, NULL),
631 WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
632#ifndef NO_WOLFSSL_CLIENT
633 ExpectIntEQ(wolfSSL_CTX_set1_groups_list(clientCtx, NULL),
634 WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
635#endif
636 ExpectIntEQ(wolfSSL_CTX_set1_groups_list(NULL, groupList),
637 WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
638#if defined(OPENSSL_EXTRA) && !defined(NO_WOLFSSL_CLIENT)
639 {
640 int idx;
641 for (idx = 0; idx < WOLFSSL_MAX_GROUP_COUNT + 1; idx++)
642 too_many_groups[idx] = WOLFSSL_ECC_SECP256R1;
643 }
644 ExpectIntEQ(wolfSSL_CTX_set1_groups(clientCtx, too_many_groups,
645 WOLFSSL_MAX_GROUP_COUNT + 1), WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
646 ExpectIntEQ(wolfSSL_set1_groups(clientSsl, too_many_groups,
647 WOLFSSL_MAX_GROUP_COUNT + 1), WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
648#endif
649#ifndef NO_WOLFSSL_CLIENT
650#ifndef WOLFSSL_NO_TLS12
651 ExpectIntEQ(wolfSSL_CTX_set1_groups_list(clientTls12Ctx, groupList),
652 WOLFSSL_SUCCESS);
653#endif
654 ExpectIntEQ(wolfSSL_CTX_set1_groups_list(clientCtx, groupList),
655 WOLFSSL_SUCCESS);
656#endif
657#ifndef NO_WOLFSSL_SERVER
658 ExpectIntEQ(wolfSSL_CTX_set1_groups_list(serverCtx, groupList),
659 WOLFSSL_SUCCESS);
660#endif
661
662 ExpectIntEQ(wolfSSL_set1_groups_list(NULL, NULL),
663 WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
664#ifndef NO_WOLFSSL_CLIENT
665 ExpectIntEQ(wolfSSL_set1_groups_list(clientSsl, NULL),
666 WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
667#endif
668 ExpectIntEQ(wolfSSL_set1_groups_list(NULL, groupList),
669 WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
670#ifndef NO_WOLFSSL_CLIENT
671#ifndef WOLFSSL_NO_TLS12
672 ExpectIntEQ(wolfSSL_set1_groups_list(clientTls12Ssl, groupList),
673 WOLFSSL_SUCCESS);
674#endif
675 ExpectIntEQ(wolfSSL_set1_groups_list(clientSsl, groupList),
676 WOLFSSL_SUCCESS);
677#endif
678#ifndef NO_WOLFSSL_SERVER
679 ExpectIntEQ(wolfSSL_set1_groups_list(serverSsl, groupList),
680 WOLFSSL_SUCCESS);
681#endif
682#endif /* OPENSSL_EXTRA */
683#endif /* HAVE_SUPPORTED_CURVES */
684#endif /* HAVE_ECC */
685
686#ifdef WOLFSSL_EARLY_DATA
687#ifndef OPENSSL_EXTRA
688 ExpectIntEQ(wolfSSL_CTX_set_max_early_data(NULL, 0),
689 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
690 ExpectIntEQ(wolfSSL_CTX_get_max_early_data(NULL),
691 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
692#else
693 ExpectIntEQ(SSL_CTX_set_max_early_data(NULL, 0),
694 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
695 ExpectIntEQ(SSL_CTX_get_max_early_data(NULL),
696 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
697#endif
698#ifndef NO_WOLFSSL_CLIENT
699#ifndef OPENSSL_EXTRA
700 ExpectIntEQ(wolfSSL_CTX_set_max_early_data(clientCtx, 0),
701 WC_NO_ERR_TRACE(SIDE_ERROR));
702 ExpectIntEQ(wolfSSL_CTX_get_max_early_data(clientCtx),
703 WC_NO_ERR_TRACE(SIDE_ERROR));
704#else
705 ExpectIntEQ(SSL_CTX_set_max_early_data(clientCtx, 0),
706 WC_NO_ERR_TRACE(SIDE_ERROR));
707 ExpectIntEQ(SSL_CTX_get_max_early_data(clientCtx),
708 WC_NO_ERR_TRACE(SIDE_ERROR));
709#endif
710#endif
711#ifndef NO_WOLFSSL_SERVER
712#ifndef WOLFSSL_NO_TLS12
713#ifndef OPENSSL_EXTRA
714 ExpectIntEQ(wolfSSL_CTX_set_max_early_data(serverTls12Ctx, 0),
715 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
716 ExpectIntEQ(wolfSSL_CTX_get_max_early_data(serverTls12Ctx),
717 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
718#else
719 ExpectIntEQ(SSL_CTX_set_max_early_data(serverTls12Ctx, 0),
720 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
721 ExpectIntEQ(SSL_CTX_get_max_early_data(serverTls12Ctx),
722 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
723#endif
724#endif
725#ifndef OPENSSL_EXTRA
726#ifdef WOLFSSL_ERROR_CODE_OPENSSL
727 ExpectIntEQ(wolfSSL_CTX_set_max_early_data(serverCtx, 32),
728 WOLFSSL_SUCCESS);
729#else
730 ExpectIntEQ(wolfSSL_CTX_set_max_early_data(serverCtx, 32), 0);
731#endif
732 ExpectIntEQ(wolfSSL_CTX_get_max_early_data(serverCtx), 32);
733#else
734 ExpectIntEQ(SSL_CTX_set_max_early_data(serverCtx, 32), 1);
735 ExpectIntEQ(SSL_CTX_get_max_early_data(serverCtx), 32);
736#endif
737#endif
738
739#ifndef OPENSSL_EXTRA
740 ExpectIntEQ(wolfSSL_set_max_early_data(NULL, 0),
741 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
742 ExpectIntEQ(wolfSSL_get_max_early_data(NULL),
743 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
744#else
745 ExpectIntEQ(SSL_set_max_early_data(NULL, 0), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
746 ExpectIntEQ(SSL_get_max_early_data(NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
747#endif
748#ifndef NO_WOLFSSL_CLIENT
749#ifndef OPENSSL_EXTRA
750#ifdef WOLFSSL_ERROR_CODE_OPENSSL
751 ExpectIntEQ(wolfSSL_set_max_early_data(clientSsl, 17), WOLFSSL_SUCCESS);
752#else
753 ExpectIntEQ(wolfSSL_set_max_early_data(clientSsl, 17), 0);
754#endif
755 ExpectIntEQ(wolfSSL_get_max_early_data(clientSsl), 17);
756#else
757 ExpectIntEQ(SSL_set_max_early_data(clientSsl, 17), WOLFSSL_SUCCESS);
758 ExpectIntEQ(SSL_get_max_early_data(clientSsl), 17);
759#endif
760#endif
761#ifndef NO_WOLFSSL_SERVER
762#ifndef WOLFSSL_NO_TLS12
763#ifndef OPENSSL_EXTRA
764 ExpectIntEQ(wolfSSL_set_max_early_data(serverTls12Ssl, 0),
765 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
766 ExpectIntEQ(wolfSSL_get_max_early_data(serverTls12Ssl),
767 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
768#else
769 ExpectIntEQ(SSL_set_max_early_data(serverTls12Ssl, 0),
770 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
771 ExpectIntEQ(SSL_get_max_early_data(serverTls12Ssl),
772 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
773#endif
774#endif
775#ifndef OPENSSL_EXTRA
776#ifdef WOLFSSL_ERROR_CODE_OPENSSL
777 ExpectIntEQ(wolfSSL_set_max_early_data(serverSsl, 16), WOLFSSL_SUCCESS);
778#else
779 ExpectIntEQ(wolfSSL_set_max_early_data(serverSsl, 16), 0);
780#endif
781 ExpectIntEQ(wolfSSL_get_max_early_data(serverSsl), 16);
782#else
783 ExpectIntEQ(SSL_set_max_early_data(serverSsl, 16), 1);
784 ExpectIntEQ(SSL_get_max_early_data(serverSsl), 16);
785#endif
786#endif
787
788
789 ExpectIntEQ(wolfSSL_write_early_data(NULL, earlyData, sizeof(earlyData),
790 &outSz), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
791#ifndef NO_WOLFSSL_CLIENT
792 ExpectIntEQ(wolfSSL_write_early_data(clientSsl, NULL, sizeof(earlyData),
793 &outSz), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
794 ExpectIntEQ(wolfSSL_write_early_data(clientSsl, earlyData, -1, &outSz),
795 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
796 ExpectIntEQ(wolfSSL_write_early_data(clientSsl, earlyData,
797 sizeof(earlyData), NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
798#endif
799#ifndef NO_WOLFSSL_SERVER
800 ExpectIntEQ(wolfSSL_write_early_data(serverSsl, earlyData,
801 sizeof(earlyData), &outSz), WC_NO_ERR_TRACE(SIDE_ERROR));
802#endif
803#ifndef NO_WOLFSSL_CLIENT
804#ifndef WOLFSSL_NO_TLS12
805 ExpectIntEQ(wolfSSL_write_early_data(clientTls12Ssl, earlyData,
806 sizeof(earlyData), &outSz), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
807#endif
808 /* invoking without session or psk cbs */
809 ExpectIntEQ(wolfSSL_write_early_data(clientSsl, earlyData,
810 sizeof(earlyData), &outSz), WC_NO_ERR_TRACE(BAD_STATE_E));
811 /* verify *outSz is initialized to 0 even on non-success paths */
812 outSz = 42;
813 ExpectIntEQ(wolfSSL_write_early_data(clientSsl, earlyData,
814 sizeof(earlyData), &outSz), WC_NO_ERR_TRACE(BAD_STATE_E));
815 ExpectIntEQ(outSz, 0);
816#endif
817
818 ExpectIntEQ(wolfSSL_read_early_data(NULL, earlyDataBuffer,
819 sizeof(earlyDataBuffer), &outSz), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
820#ifndef NO_WOLFSSL_SERVER
821 ExpectIntEQ(wolfSSL_read_early_data(serverSsl, NULL,
822 sizeof(earlyDataBuffer), &outSz), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
823 ExpectIntEQ(wolfSSL_read_early_data(serverSsl, earlyDataBuffer, -1,
824 &outSz), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
825 ExpectIntEQ(wolfSSL_read_early_data(serverSsl, earlyDataBuffer,
826 sizeof(earlyDataBuffer), NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
827#endif
828#ifndef NO_WOLFSSL_CLIENT
829 ExpectIntEQ(wolfSSL_read_early_data(clientSsl, earlyDataBuffer,
830 sizeof(earlyDataBuffer), &outSz), WC_NO_ERR_TRACE(SIDE_ERROR));
831#endif
832#ifndef NO_WOLFSSL_SERVER
833#ifndef WOLFSSL_NO_TLS12
834 ExpectIntEQ(wolfSSL_read_early_data(serverTls12Ssl, earlyDataBuffer,
835 sizeof(earlyDataBuffer), &outSz), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
836#endif
837 ExpectIntEQ(wolfSSL_read_early_data(serverSsl, earlyDataBuffer,
838 sizeof(earlyDataBuffer), &outSz), WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR));
839#endif
840#endif
841
842#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_EARLY_DATA)
843 ExpectIntLT(SSL_get_early_data_status(NULL), 0);
844#endif
845
846
847#ifndef NO_WOLFSSL_SERVER
848 wolfSSL_free(serverSsl);
849 wolfSSL_CTX_free(serverCtx);
850#endif
851#ifndef NO_WOLFSSL_CLIENT
852 wolfSSL_free(clientSsl);
853 wolfSSL_CTX_free(clientCtx);
854#endif
855
856#ifndef WOLFSSL_NO_TLS12
857#ifndef NO_WOLFSSL_SERVER
858 wolfSSL_free(serverTls12Ssl);
859 wolfSSL_CTX_free(serverTls12Ctx);
860#endif
861#ifndef NO_WOLFSSL_CLIENT
862 wolfSSL_free(clientTls12Ssl);
863 wolfSSL_CTX_free(clientTls12Ctx);
864#endif
865#endif
866#endif /* WOLFSSL_TLS13 */
867
868 return EXPECT_RESULT();
869}
870
871#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_CERT_WITH_EXTERN_PSK) && \
872 !defined(NO_PSK)
873int test_tls13_cert_with_extern_psk_apis(void)
874{
875 EXPECT_DECLS;
876 WOLFSSL_CTX* ctx = NULL;
877 WOLFSSL* ssl = NULL;
878
879 ExpectIntEQ(wolfSSL_CTX_set_cert_with_extern_psk(NULL, 0), WOLFSSL_FAILURE);
880 ExpectIntEQ(wolfSSL_set_cert_with_extern_psk(NULL, 0), WOLFSSL_FAILURE);
881
882 ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method());
883 ExpectNotNull(ctx);
884 ssl = wolfSSL_new(ctx);
885 ExpectNotNull(ssl);
886
887 if (EXPECT_SUCCESS()) {
888 /* Any non-zero value enables cert_with_extern_psk. */
889 ExpectIntEQ(wolfSSL_CTX_set_cert_with_extern_psk(ctx, -1),
890 WOLFSSL_SUCCESS);
891 ExpectIntEQ(wolfSSL_CTX_set_cert_with_extern_psk(ctx, 2),
892 WOLFSSL_SUCCESS);
893 ExpectIntEQ(wolfSSL_set_cert_with_extern_psk(ssl, -1), WOLFSSL_SUCCESS);
894 ExpectIntEQ(wolfSSL_set_cert_with_extern_psk(ssl, 2), WOLFSSL_SUCCESS);
895 ExpectIntEQ(wolfSSL_CTX_set_cert_with_extern_psk(ctx, 1),
896 WOLFSSL_SUCCESS);
897 ExpectIntEQ(wolfSSL_set_cert_with_extern_psk(ssl, 0), WOLFSSL_SUCCESS);
898 ExpectIntEQ(wolfSSL_set_cert_with_extern_psk(ssl, 1), WOLFSSL_SUCCESS);
899 }
900
901 wolfSSL_free(ssl);
902 wolfSSL_CTX_free(ctx);
903
904 return EXPECT_RESULT();
905}
906#else
907int test_tls13_cert_with_extern_psk_apis(void)
908{
909 return TEST_SKIPPED;
910}
911#endif
912
913#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_CERT_WITH_EXTERN_PSK) && \
914 !defined(NO_PSK) && defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \
915 defined(HAVE_SUPPORTED_CURVES) && \
916 !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER)
917/* 32-byte external PSK (SHA-256 digest size) used by cwep test callbacks. */
918static const unsigned char test_tls13_cwep_psk[32] = {
919 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A,
920 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A,
921 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A,
922 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A
923};
924
925static unsigned int test_tls13_cwep_client_cb(WOLFSSL* ssl, const char* hint,
926 char* identity, unsigned int id_max_len, unsigned char* key,
927 unsigned int key_max_len)
928{
929 (void)ssl;
930 (void)hint;
931 if (id_max_len == 0 || key_max_len < sizeof(test_tls13_cwep_psk))
932 return 0;
933 XSTRNCPY(identity, "cwep_client", id_max_len);
934 XMEMCPY(key, test_tls13_cwep_psk, sizeof(test_tls13_cwep_psk));
935 return (unsigned int)sizeof(test_tls13_cwep_psk);
936}
937
938static unsigned int test_tls13_cwep_server_cb(WOLFSSL* ssl, const char* id,
939 unsigned char* key, unsigned int key_max_len)
940{
941 (void)ssl;
942 if (key_max_len < sizeof(test_tls13_cwep_psk) || id == NULL)
943 return 0;
944 if (XSTRCMP(id, "cwep_client") != 0)
945 return 0;
946 XMEMCPY(key, test_tls13_cwep_psk, sizeof(test_tls13_cwep_psk));
947 return (unsigned int)sizeof(test_tls13_cwep_psk);
948}
949#endif
950
951int test_tls13_cert_with_extern_psk_handshake(void)
952{
953 EXPECT_DECLS;
954#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_CERT_WITH_EXTERN_PSK) && \
955 !defined(NO_PSK) && defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \
956 defined(HAVE_SUPPORTED_CURVES) && \
957 !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER)
958 WOLFSSL_CTX *ctx_c = NULL;
959 WOLFSSL_CTX *ctx_s = NULL;
960 WOLFSSL *ssl_c = NULL;
961 WOLFSSL *ssl_s = NULL;
962 struct test_memio_ctx test_ctx;
963 const char appMsg[] = "cert_with_extern_psk test";
964 char readBuf[sizeof(appMsg)];
965 int readSz;
966
967 XMEMSET(&test_ctx, 0, sizeof(test_ctx));
968 ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
969 wolfTLSv1_3_client_method, wolfTLSv1_3_server_method), 0);
970
971 wolfSSL_set_verify(ssl_c, WOLFSSL_VERIFY_PEER, NULL);
972 wolfSSL_set_verify(ssl_s, WOLFSSL_VERIFY_NONE, NULL);
973#if !defined(NO_CERTS) && !defined(NO_FILESYSTEM)
974#if defined(HAVE_ECC)
975 ExpectTrue(wolfSSL_use_certificate_file(ssl_s, eccCertFile,
976 CERT_FILETYPE) == WOLFSSL_SUCCESS);
977 ExpectTrue(wolfSSL_use_PrivateKey_file(ssl_s, eccKeyFile,
978 CERT_FILETYPE) == WOLFSSL_SUCCESS);
979 ExpectTrue(wolfSSL_CTX_load_verify_locations(ctx_c, caEccCertFile,
980 NULL) == WOLFSSL_SUCCESS);
981#elif !defined(NO_RSA)
982 ExpectTrue(wolfSSL_use_certificate_file(ssl_s, svrCertFile,
983 CERT_FILETYPE) == WOLFSSL_SUCCESS);
984 ExpectTrue(wolfSSL_use_PrivateKey_file(ssl_s, svrKeyFile,
985 CERT_FILETYPE) == WOLFSSL_SUCCESS);
986 ExpectTrue(wolfSSL_CTX_load_verify_locations(ctx_c, caCertFile,
987 NULL) == WOLFSSL_SUCCESS);
988#endif
989#endif
990 wolfSSL_set_psk_client_callback(ssl_c, test_tls13_cwep_client_cb);
991 wolfSSL_set_psk_server_callback(ssl_s, test_tls13_cwep_server_cb);
992 ExpectIntEQ(wolfSSL_set_cert_with_extern_psk(ssl_c, 1), WOLFSSL_SUCCESS);
993 ExpectIntEQ(wolfSSL_set_cert_with_extern_psk(ssl_s, 1), WOLFSSL_SUCCESS);
994
995 ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 20, NULL), 0);
996 ExpectIntEQ(ssl_c->options.pskNegotiated, 1);
997 ExpectIntEQ(ssl_s->options.pskNegotiated, 1);
998 ExpectIntEQ(ssl_c->options.certWithExternPsk, 1);
999 ExpectIntEQ(ssl_s->options.certWithExternPsk, 1);
1000 ExpectIntEQ(ssl_c->msgsReceived.got_certificate, 1);
1001 ExpectIntEQ(ssl_c->msgsReceived.got_certificate_verify, 1);
1002
1003 /* Verify application data exchange works with the derived keys. */
1004 ExpectIntEQ(wolfSSL_write(ssl_c, appMsg, (int)XSTRLEN(appMsg)),
1005 (int)XSTRLEN(appMsg));
1006 readSz = wolfSSL_read(ssl_s, readBuf, sizeof(readBuf));
1007 ExpectIntEQ(readSz, (int)XSTRLEN(appMsg));
1008 ExpectIntEQ(XMEMCMP(readBuf, appMsg, (size_t)readSz), 0);
1009
1010 wolfSSL_free(ssl_c);
1011 wolfSSL_CTX_free(ctx_c);
1012 wolfSSL_free(ssl_s);
1013 wolfSSL_CTX_free(ctx_s);
1014#endif
1015 return EXPECT_RESULT();
1016}
1017
1018int test_tls13_cert_with_extern_psk_requires_key_share(void)
1019{
1020 EXPECT_DECLS;
1021#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_CERT_WITH_EXTERN_PSK) && \
1022 !defined(NO_PSK) && defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \
1023 defined(HAVE_SUPPORTED_CURVES) && \
1024 !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER)
1025 WOLFSSL_CTX *ctx_c = NULL;
1026 WOLFSSL_CTX *ctx_s = NULL;
1027 WOLFSSL *ssl_c = NULL;
1028 WOLFSSL *ssl_s = NULL;
1029 struct test_memio_ctx test_ctx;
1030
1031 XMEMSET(&test_ctx, 0, sizeof(test_ctx));
1032 ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
1033 wolfTLSv1_3_client_method, wolfTLSv1_3_server_method), 0);
1034
1035 wolfSSL_set_verify(ssl_c, WOLFSSL_VERIFY_NONE, NULL);
1036 wolfSSL_set_verify(ssl_s, WOLFSSL_VERIFY_NONE, NULL);
1037#if !defined(NO_CERTS) && !defined(NO_FILESYSTEM)
1038#if defined(HAVE_ECC)
1039 ExpectTrue(wolfSSL_use_certificate_file(ssl_s, eccCertFile,
1040 CERT_FILETYPE) == WOLFSSL_SUCCESS);
1041 ExpectTrue(wolfSSL_use_PrivateKey_file(ssl_s, eccKeyFile,
1042 CERT_FILETYPE) == WOLFSSL_SUCCESS);
1043#elif !defined(NO_RSA)
1044 ExpectTrue(wolfSSL_use_certificate_file(ssl_s, svrCertFile,
1045 CERT_FILETYPE) == WOLFSSL_SUCCESS);
1046 ExpectTrue(wolfSSL_use_PrivateKey_file(ssl_s, svrKeyFile,
1047 CERT_FILETYPE) == WOLFSSL_SUCCESS);
1048#endif
1049#endif
1050 wolfSSL_set_psk_client_callback(ssl_c, test_tls13_cwep_client_cb);
1051 wolfSSL_set_psk_server_callback(ssl_s, test_tls13_cwep_server_cb);
1052 ExpectIntEQ(wolfSSL_set_cert_with_extern_psk(ssl_c, 1), WOLFSSL_SUCCESS);
1053 ExpectIntEQ(wolfSSL_set_cert_with_extern_psk(ssl_s, 1), WOLFSSL_SUCCESS);
1054 /* Omit key_share in CH1 to force the server to send an HRR. */
1055 ExpectIntEQ(wolfSSL_NoKeyShares(ssl_c), WOLFSSL_SUCCESS);
1056
1057 /* CH1: client -> server (no key_share). */
1058 ExpectIntNE(wolfSSL_connect(ssl_c), WOLFSSL_SUCCESS);
1059 ExpectIntEQ(wolfSSL_get_error(ssl_c, WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)),
1060 WOLFSSL_ERROR_WANT_READ);
1061
1062 /* HRR: server reads CH1, sends HRR requesting a key_share group. */
1063 ExpectIntNE(wolfSSL_accept(ssl_s), WOLFSSL_SUCCESS);
1064 ExpectIntEQ(wolfSSL_get_error(ssl_s, WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)),
1065 WOLFSSL_ERROR_WANT_READ);
1066 ExpectIntEQ(ssl_s->options.serverState,
1067 SERVER_HELLO_RETRY_REQUEST_COMPLETE);
1068
1069 /* Complete the handshake: client sends CH2 (with key_share), server
1070 * responds with SH + cert + cert-verify + Finished, client finishes. */
1071 ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 20, NULL), 0);
1072
1073 /* Verify that cert_with_extern_psk was negotiated end-to-end. */
1074 ExpectIntEQ(ssl_c->options.pskNegotiated, 1);
1075 ExpectIntEQ(ssl_s->options.pskNegotiated, 1);
1076 ExpectIntEQ(ssl_c->options.certWithExternPsk, 1);
1077 ExpectIntEQ(ssl_s->options.certWithExternPsk, 1);
1078 ExpectIntEQ(ssl_c->msgsReceived.got_certificate, 1);
1079 ExpectIntEQ(ssl_c->msgsReceived.got_certificate_verify, 1);
1080
1081 wolfSSL_free(ssl_c);
1082 wolfSSL_CTX_free(ctx_c);
1083 wolfSSL_free(ssl_s);
1084 wolfSSL_CTX_free(ctx_s);
1085#endif
1086 return EXPECT_RESULT();
1087}
1088
1089int test_tls13_cert_with_extern_psk_rejects_resumption(void)
1090{
1091 EXPECT_DECLS;
1092#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_CERT_WITH_EXTERN_PSK) && \
1093 !defined(NO_PSK) && defined(HAVE_SESSION_TICKET) && \
1094 defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \
1095 defined(HAVE_SUPPORTED_CURVES) && \
1096 !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) && \
1097 !defined(NO_CERTS) && !defined(NO_FILESYSTEM) && \
1098 (defined(HAVE_ECC) || !defined(NO_RSA))
1099 WOLFSSL_CTX *ctx_c = NULL;
1100 WOLFSSL_CTX *ctx_s = NULL;
1101 WOLFSSL *ssl_c = NULL;
1102 WOLFSSL *ssl_s = NULL;
1103 WOLFSSL_SESSION *sess = NULL;
1104 struct test_memio_ctx test_ctx;
1105 byte readBuf[16];
1106
1107 /* Step 1: plain TLS 1.3 handshake to obtain a session ticket. The same
1108 * server CTX is reused below so the ticket encryption key matches. */
1109 XMEMSET(&test_ctx, 0, sizeof(test_ctx));
1110 ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
1111 wolfTLSv1_3_client_method, wolfTLSv1_3_server_method), 0);
1112
1113 wolfSSL_set_verify(ssl_c, WOLFSSL_VERIFY_NONE, NULL);
1114 wolfSSL_set_verify(ssl_s, WOLFSSL_VERIFY_NONE, NULL);
1115#if defined(HAVE_ECC)
1116 ExpectTrue(wolfSSL_CTX_use_certificate_file(ctx_s, eccCertFile,
1117 CERT_FILETYPE) == WOLFSSL_SUCCESS);
1118 ExpectTrue(wolfSSL_CTX_use_PrivateKey_file(ctx_s, eccKeyFile,
1119 CERT_FILETYPE) == WOLFSSL_SUCCESS);
1120#else
1121 ExpectTrue(wolfSSL_CTX_use_certificate_file(ctx_s, svrCertFile,
1122 CERT_FILETYPE) == WOLFSSL_SUCCESS);
1123 ExpectTrue(wolfSSL_CTX_use_PrivateKey_file(ctx_s, svrKeyFile,
1124 CERT_FILETYPE) == WOLFSSL_SUCCESS);
1125#endif
1126
1127 ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
1128 /* Drain the NewSessionTicket post-handshake message. */
1129 ExpectIntEQ(wolfSSL_read(ssl_c, readBuf, sizeof(readBuf)), -1);
1130 ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_READ);
1131 ExpectNotNull(sess = wolfSSL_get1_session(ssl_c));
1132
1133 wolfSSL_free(ssl_c);
1134 ssl_c = NULL;
1135 wolfSSL_free(ssl_s);
1136 ssl_s = NULL;
1137
1138 /* Step 2: attempt to resume while also offering cert_with_extern_psk.
1139 * RFC 8773bis Sect. 5.1 requires all PSKs offered alongside
1140 * cert_with_extern_psk to be external PSKs. The client MUST therefore
1141 * suppress the resumption ticket identity from the pre_shared_key
1142 * extension. The handshake succeeds as a cert_with_extern_psk handshake
1143 * using only the external PSK. */
1144 XMEMSET(&test_ctx, 0, sizeof(test_ctx));
1145 ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
1146 wolfTLSv1_3_client_method, wolfTLSv1_3_server_method), 0);
1147
1148 wolfSSL_set_verify(ssl_c, WOLFSSL_VERIFY_NONE, NULL);
1149 wolfSSL_set_verify(ssl_s, WOLFSSL_VERIFY_NONE, NULL);
1150 wolfSSL_set_psk_client_callback(ssl_c, test_tls13_cwep_client_cb);
1151 wolfSSL_set_psk_server_callback(ssl_s, test_tls13_cwep_server_cb);
1152 ExpectIntEQ(wolfSSL_set_cert_with_extern_psk(ssl_c, 1), WOLFSSL_SUCCESS);
1153 ExpectIntEQ(wolfSSL_set_cert_with_extern_psk(ssl_s, 1), WOLFSSL_SUCCESS);
1154 ExpectIntEQ(wolfSSL_set_session(ssl_c, sess), WOLFSSL_SUCCESS);
1155
1156 /* Handshake succeeds; the client correctly omits the resumption ticket. */
1157 ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 20, NULL), 0);
1158 /* Verify we got a cert_with_extern_psk handshake, not a resumption. */
1159 ExpectIntEQ(ssl_c->options.certWithExternPsk, 1);
1160 ExpectIntEQ(ssl_s->options.certWithExternPsk, 1);
1161
1162 wolfSSL_SESSION_free(sess);
1163 wolfSSL_free(ssl_c);
1164 wolfSSL_free(ssl_s);
1165 wolfSSL_CTX_free(ctx_c);
1166 wolfSSL_CTX_free(ctx_s);
1167#endif
1168 return EXPECT_RESULT();
1169}
1170
1171#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_CERT_WITH_EXTERN_PSK) && \
1172 !defined(NO_PSK) && defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \
1173 defined(HAVE_SUPPORTED_CURVES) && \
1174 !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER)
1175/* Locate the extensions block of a TLS 1.3 ServerHello record. On success,
1176 * writes the offset of the 2-byte extensions_length field into *ext_len_off
1177 * and returns 0. Returns -1 on malformed input. Only the plaintext SH
1178 * record (type 0x16, handshake subtype 0x02) is supported. */
1179static int test_cwep_sh_find_ext_block(const byte* sh, int sh_len,
1180 int* ext_len_off)
1181{
1182 int idx;
1183 int sid_len;
1184
1185 /* 5 byte record hdr + 4 byte handshake hdr + 2 byte legacy_version
1186 * + 32 byte random + 1 byte legacy_session_id length. */
1187 if (sh_len < 5 + 4 + 2 + 32 + 1)
1188 return -1;
1189 if (sh[0] != 0x16 || sh[5] != 0x02)
1190 return -1;
1191 idx = 5 + 4 + 2 + 32;
1192 sid_len = sh[idx];
1193 idx += 1 + sid_len + 2 + 1; /* skip sid + cipher_suite + compression */
1194 if (idx + 2 > sh_len)
1195 return -1;
1196 *ext_len_off = idx;
1197 return 0;
1198}
1199
1200/* Apply a delta to the record, handshake and extensions length fields of a
1201 * TLS 1.3 SH record. Negative values shrink the message. */
1202static void test_cwep_sh_adjust_lengths(byte* sh, int ext_len_off, int delta)
1203{
1204 int v;
1205
1206 v = (int)(((word32)sh[3] << 8) | sh[4]) + delta;
1207 sh[3] = (byte)(v >> 8);
1208 sh[4] = (byte)v;
1209 v = (int)(((word32)sh[6] << 16) | ((word32)sh[7] << 8) | sh[8]) + delta;
1210 sh[6] = (byte)(v >> 16);
1211 sh[7] = (byte)(v >> 8);
1212 sh[8] = (byte)v;
1213 v = (int)(((word32)sh[ext_len_off] << 8) | sh[ext_len_off + 1]) + delta;
1214 sh[ext_len_off] = (byte)(v >> 8);
1215 sh[ext_len_off + 1] = (byte)v;
1216}
1217
1218/* Remove the first extension of the given type from a TLS 1.3 SH record.
1219 * Returns the new record length, or -1 if the extension was not present. */
1220static int test_cwep_sh_strip_extension(byte* sh, int sh_len, word16 ext_type)
1221{
1222 int ext_len_off;
1223 int ext_base, ext_end;
1224 int p;
1225 word16 ext_total;
1226
1227 if (test_cwep_sh_find_ext_block(sh, sh_len, &ext_len_off) != 0)
1228 return -1;
1229 ext_total = (word16)(((word16)sh[ext_len_off] << 8) | sh[ext_len_off + 1]);
1230 ext_base = ext_len_off + 2;
1231 ext_end = ext_base + ext_total;
1232 if (ext_end > sh_len)
1233 return -1;
1234
1235 p = ext_base;
1236 while (p + 4 <= ext_end) {
1237 word16 t = (word16)(((word16)sh[p] << 8) | sh[p + 1]);
1238 word16 l = (word16)(((word16)sh[p + 2] << 8) | sh[p + 3]);
1239 int entry = 4 + (int)l;
1240 if (p + entry > ext_end)
1241 return -1;
1242 if (t == ext_type) {
1243 XMEMMOVE(sh + p, sh + p + entry,
1244 (size_t)(sh_len - p - entry));
1245 test_cwep_sh_adjust_lengths(sh, ext_len_off, -entry);
1246 return sh_len - entry;
1247 }
1248 p += entry;
1249 }
1250 return -1;
1251}
1252
1253#if defined(HAVE_SESSION_TICKET)
1254/* Append a zero-length extension of the given type to a TLS 1.3 SH record.
1255 * The SH body must be the tail of the record, which is the normal case. */
1256static int test_cwep_sh_append_empty_extension(byte* sh, int sh_len,
1257 int sh_cap, word16 ext_type)
1258{
1259 int ext_len_off;
1260 int ext_base, ext_end;
1261 word16 ext_total;
1262
1263 if (test_cwep_sh_find_ext_block(sh, sh_len, &ext_len_off) != 0)
1264 return -1;
1265 ext_total = (word16)(((word16)sh[ext_len_off] << 8) | sh[ext_len_off + 1]);
1266 ext_base = ext_len_off + 2;
1267 ext_end = ext_base + ext_total;
1268 if (ext_end != sh_len)
1269 return -1;
1270 if (sh_len + 4 > sh_cap)
1271 return -1;
1272
1273 sh[sh_len + 0] = (byte)(ext_type >> 8);
1274 sh[sh_len + 1] = (byte)ext_type;
1275 sh[sh_len + 2] = 0;
1276 sh[sh_len + 3] = 0;
1277 test_cwep_sh_adjust_lengths(sh, ext_len_off, 4);
1278 return sh_len + 4;
1279}
1280#endif /* HAVE_SESSION_TICKET */
1281#endif
1282
1283int test_tls13_cert_with_extern_psk_sh_missing_key_share(void)
1284{
1285 EXPECT_DECLS;
1286#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_CERT_WITH_EXTERN_PSK) && \
1287 !defined(NO_PSK) && defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \
1288 defined(HAVE_SUPPORTED_CURVES) && \
1289 !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) && \
1290 !defined(NO_CERTS) && !defined(NO_FILESYSTEM) && \
1291 (defined(HAVE_ECC) || !defined(NO_RSA))
1292 WOLFSSL_CTX *ctx_c = NULL;
1293 WOLFSSL_CTX *ctx_s = NULL;
1294 WOLFSSL *ssl_c = NULL;
1295 WOLFSSL *ssl_s = NULL;
1296 struct test_memio_ctx test_ctx;
1297 byte sh_buf[4096];
1298 const char* sh_bytes = NULL;
1299 int sh_sz = 0;
1300 int new_sz;
1301
1302 XMEMSET(&test_ctx, 0, sizeof(test_ctx));
1303 ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
1304 wolfTLSv1_3_client_method, wolfTLSv1_3_server_method), 0);
1305
1306 wolfSSL_set_verify(ssl_c, WOLFSSL_VERIFY_NONE, NULL);
1307 wolfSSL_set_verify(ssl_s, WOLFSSL_VERIFY_NONE, NULL);
1308#if defined(HAVE_ECC)
1309 ExpectTrue(wolfSSL_use_certificate_file(ssl_s, eccCertFile,
1310 CERT_FILETYPE) == WOLFSSL_SUCCESS);
1311 ExpectTrue(wolfSSL_use_PrivateKey_file(ssl_s, eccKeyFile,
1312 CERT_FILETYPE) == WOLFSSL_SUCCESS);
1313#else
1314 ExpectTrue(wolfSSL_use_certificate_file(ssl_s, svrCertFile,
1315 CERT_FILETYPE) == WOLFSSL_SUCCESS);
1316 ExpectTrue(wolfSSL_use_PrivateKey_file(ssl_s, svrKeyFile,
1317 CERT_FILETYPE) == WOLFSSL_SUCCESS);
1318#endif
1319 wolfSSL_set_psk_client_callback(ssl_c, test_tls13_cwep_client_cb);
1320 wolfSSL_set_psk_server_callback(ssl_s, test_tls13_cwep_server_cb);
1321 ExpectIntEQ(wolfSSL_set_cert_with_extern_psk(ssl_c, 1), WOLFSSL_SUCCESS);
1322 ExpectIntEQ(wolfSSL_set_cert_with_extern_psk(ssl_s, 1), WOLFSSL_SUCCESS);
1323
1324 /* Drive the client to emit the ClientHello, then let the server produce
1325 * its flight. */
1326 ExpectIntNE(wolfSSL_connect(ssl_c), WOLFSSL_SUCCESS);
1327 ExpectIntEQ(wolfSSL_get_error(ssl_c, WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)),
1328 WOLFSSL_ERROR_WANT_READ);
1329 ExpectIntNE(wolfSSL_accept(ssl_s), WOLFSSL_SUCCESS);
1330 ExpectIntEQ(wolfSSL_get_error(ssl_s, WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)),
1331 WOLFSSL_ERROR_WANT_READ);
1332
1333 /* The first "message" recorded by memio may contain several concatenated
1334 * records (SH + CCS + first encrypted handshake record). Slice the
1335 * plaintext SH record out using its own length field. */
1336 ExpectIntEQ(test_memio_get_message(&test_ctx, 1, &sh_bytes, &sh_sz, 0), 0);
1337 if (sh_sz >= 5 && (byte)sh_bytes[0] == 0x16) {
1338 int rec_body = ((int)(byte)sh_bytes[3] << 8) | (byte)sh_bytes[4];
1339 sh_sz = 5 + rec_body;
1340 }
1341 ExpectTrue(sh_sz > 0 && sh_sz <= (int)sizeof(sh_buf));
1342 if (sh_sz > 0 && sh_sz <= (int)sizeof(sh_buf)) {
1343 XMEMCPY(sh_buf, sh_bytes, (size_t)sh_sz);
1344 /* Strip the key_share extension from the SH so the resulting SH
1345 * confirms cert_with_extern_psk without negotiating (EC)DHE. */
1346 new_sz = test_cwep_sh_strip_extension(sh_buf, sh_sz, 0x0033);
1347 ExpectIntGT(new_sz, 0);
1348 }
1349 else {
1350 new_sz = -1;
1351 }
1352
1353 /* Throw away the entire server flight and feed only the tampered SH. */
1354 test_memio_clear_buffer(&test_ctx, 1);
1355 if (new_sz > 0) {
1356 ExpectIntEQ(test_memio_inject_message(&test_ctx, 1,
1357 (const char*)sh_buf, new_sz), 0);
1358 }
1359
1360 /* Client must reject the SH with EXT_MISSING. */
1361 ExpectIntNE(wolfSSL_connect(ssl_c), WOLFSSL_SUCCESS);
1362 ExpectIntEQ(wolfSSL_get_error(ssl_c, WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)),
1363 EXT_MISSING);
1364
1365 wolfSSL_free(ssl_c);
1366 wolfSSL_CTX_free(ctx_c);
1367 wolfSSL_free(ssl_s);
1368 wolfSSL_CTX_free(ctx_s);
1369#endif
1370 return EXPECT_RESULT();
1371}
1372
1373int test_tls13_cert_with_extern_psk_sh_confirms_resumption(void)
1374{
1375 EXPECT_DECLS;
1376#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_CERT_WITH_EXTERN_PSK) && \
1377 !defined(NO_PSK) && defined(HAVE_SESSION_TICKET) && \
1378 defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \
1379 defined(HAVE_SUPPORTED_CURVES) && \
1380 !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) && \
1381 !defined(NO_CERTS) && !defined(NO_FILESYSTEM) && \
1382 (defined(HAVE_ECC) || !defined(NO_RSA))
1383 WOLFSSL_CTX *ctx_c = NULL;
1384 WOLFSSL_CTX *ctx_s = NULL;
1385 WOLFSSL *ssl_c = NULL;
1386 WOLFSSL *ssl_s = NULL;
1387 WOLFSSL_SESSION *sess = NULL;
1388 struct test_memio_ctx test_ctx;
1389 byte sh_buf[4096];
1390 const char* sh_bytes = NULL;
1391 byte drain[16];
1392 int sh_sz = 0;
1393 int new_sz;
1394
1395 /* Phase 1: plain handshake so the client gets a session ticket. The
1396 * server CTX is reused below to keep the ticket encryption key. */
1397 XMEMSET(&test_ctx, 0, sizeof(test_ctx));
1398 ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
1399 wolfTLSv1_3_client_method, wolfTLSv1_3_server_method), 0);
1400
1401 wolfSSL_set_verify(ssl_c, WOLFSSL_VERIFY_NONE, NULL);
1402 wolfSSL_set_verify(ssl_s, WOLFSSL_VERIFY_NONE, NULL);
1403#if defined(HAVE_ECC)
1404 ExpectTrue(wolfSSL_CTX_use_certificate_file(ctx_s, eccCertFile,
1405 CERT_FILETYPE) == WOLFSSL_SUCCESS);
1406 ExpectTrue(wolfSSL_CTX_use_PrivateKey_file(ctx_s, eccKeyFile,
1407 CERT_FILETYPE) == WOLFSSL_SUCCESS);
1408#else
1409 ExpectTrue(wolfSSL_CTX_use_certificate_file(ctx_s, svrCertFile,
1410 CERT_FILETYPE) == WOLFSSL_SUCCESS);
1411 ExpectTrue(wolfSSL_CTX_use_PrivateKey_file(ctx_s, svrKeyFile,
1412 CERT_FILETYPE) == WOLFSSL_SUCCESS);
1413#endif
1414
1415 ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
1416 /* Drain the NewSessionTicket post-handshake message. */
1417 ExpectIntEQ(wolfSSL_read(ssl_c, drain, sizeof(drain)), -1);
1418 ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_READ);
1419 ExpectNotNull(sess = wolfSSL_get1_session(ssl_c));
1420
1421 wolfSSL_free(ssl_c);
1422 ssl_c = NULL;
1423 wolfSSL_free(ssl_s);
1424 ssl_s = NULL;
1425
1426 /* Phase 2: client resumes WITHOUT cert_with_extern_psk. The server
1427 * performs a normal resumption. We then tamper the SH to inject an
1428 * unsolicited cert_with_extern_psk extension. The client must reject
1429 * it because it never offered the extension. */
1430 XMEMSET(&test_ctx, 0, sizeof(test_ctx));
1431 ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
1432 wolfTLSv1_3_client_method, wolfTLSv1_3_server_method), 0);
1433
1434 wolfSSL_set_verify(ssl_c, WOLFSSL_VERIFY_NONE, NULL);
1435 wolfSSL_set_verify(ssl_s, WOLFSSL_VERIFY_NONE, NULL);
1436 ExpectIntEQ(wolfSSL_set_session(ssl_c, sess), WOLFSSL_SUCCESS);
1437
1438 /* Run client CH then server flight. */
1439 ExpectIntNE(wolfSSL_connect(ssl_c), WOLFSSL_SUCCESS);
1440 ExpectIntEQ(wolfSSL_get_error(ssl_c, WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)),
1441 WOLFSSL_ERROR_WANT_READ);
1442 ExpectIntNE(wolfSSL_accept(ssl_s), WOLFSSL_SUCCESS);
1443 ExpectIntEQ(wolfSSL_get_error(ssl_s, WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)),
1444 WOLFSSL_ERROR_WANT_READ);
1445
1446 ExpectIntEQ(test_memio_get_message(&test_ctx, 1, &sh_bytes, &sh_sz, 0), 0);
1447 if (sh_sz >= 5 && (byte)sh_bytes[0] == 0x16) {
1448 int rec_body = ((int)(byte)sh_bytes[3] << 8) | (byte)sh_bytes[4];
1449 sh_sz = 5 + rec_body;
1450 }
1451 ExpectTrue(sh_sz > 0 && sh_sz <= (int)sizeof(sh_buf));
1452 if (sh_sz > 0 && sh_sz <= (int)sizeof(sh_buf)) {
1453 XMEMCPY(sh_buf, sh_bytes, (size_t)sh_sz);
1454 /* Append an unsolicited cert_with_extern_psk (0x0021) extension.
1455 * The client never offered this extension, so it must be rejected. */
1456 new_sz = test_cwep_sh_append_empty_extension(sh_buf, sh_sz,
1457 (int)sizeof(sh_buf), 0x0021);
1458 ExpectIntGT(new_sz, 0);
1459 }
1460 else {
1461 new_sz = -1;
1462 }
1463
1464 test_memio_clear_buffer(&test_ctx, 1);
1465 if (new_sz > 0) {
1466 ExpectIntEQ(test_memio_inject_message(&test_ctx, 1,
1467 (const char*)sh_buf, new_sz), 0);
1468 }
1469
1470 /* Client must reject the unsolicited extension. */
1471 ExpectIntNE(wolfSSL_connect(ssl_c), WOLFSSL_SUCCESS);
1472
1473 wolfSSL_SESSION_free(sess);
1474 wolfSSL_free(ssl_c);
1475 wolfSSL_free(ssl_s);
1476 wolfSSL_CTX_free(ctx_c);
1477 wolfSSL_CTX_free(ctx_s);
1478#endif
1479 return EXPECT_RESULT();
1480}
1481
1482#if defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET) && \
1483 !defined(NO_WOLFSSL_SERVER) && defined(HAVE_ECC) && \
1484 defined(BUILD_TLS_AES_128_GCM_SHA256) && \
1485 defined(BUILD_TLS_AES_256_GCM_SHA384)
1486/* Called when writing. */
1487static int CsSend(WOLFSSL* ssl, char* buf, int sz, void* ctx)
1488{
1489 (void)ssl;
1490 (void)buf;
1491 (void)sz;
1492 (void)ctx;
1493
1494 /* Force error return from wolfSSL_accept_TLSv13(). */
1495 return WANT_WRITE;
1496}
1497/* Called when reading. */
1498static int CsRecv(WOLFSSL* ssl, char* buf, int sz, void* ctx)
1499{
1500 WOLFSSL_BUFFER_INFO* msg = (WOLFSSL_BUFFER_INFO*)ctx;
1501 int len = (int)msg->length;
1502
1503 (void)ssl;
1504 (void)sz;
1505
1506 /* Pass back as much of message as will fit in buffer. */
1507 if (len > sz)
1508 len = sz;
1509 XMEMCPY(buf, msg->buffer, len);
1510 /* Move over returned data. */
1511 msg->buffer += len;
1512 msg->length -= len;
1513
1514 /* Amount actually copied. */
1515 return len;
1516}
1517#endif
1518
1519int test_tls13_cipher_suites(void)
1520{
1521 EXPECT_DECLS;
1522#if defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET) && \
1523 !defined(NO_WOLFSSL_SERVER) && defined(HAVE_ECC) && \
1524 defined(BUILD_TLS_AES_128_GCM_SHA256) && \
1525 defined(BUILD_TLS_AES_256_GCM_SHA384)
1526 WOLFSSL_CTX* ctx = NULL;
1527 WOLFSSL *ssl = NULL;
1528 int i;
1529 byte clientHello[] = {
1530 0x16, 0x03, 0x03, 0x01, 0x9b, 0x01, 0x00, 0x01,
1531 0x97, 0x03, 0x03, 0xf4, 0x65, 0xbd, 0x22, 0xfe,
1532 0x6e, 0xab, 0x66, 0xdd, 0xcf, 0xe9, 0x65, 0x55,
1533 0xe8, 0xdf, 0xc3, 0x8e, 0x4b, 0x00, 0xbc, 0xf8,
1534 0x23, 0x57, 0x1b, 0xa0, 0xc8, 0xa9, 0xe2, 0x8c,
1535 0x91, 0x6e, 0xf9, 0x20, 0xf7, 0x5c, 0xc5, 0x5b,
1536 0x75, 0x8c, 0x47, 0x0a, 0x0e, 0xc4, 0x1a, 0xda,
1537 0xef, 0x75, 0xe5, 0x21, 0x00, 0x00, 0x00, 0x00,
1538 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1539 0x00, 0x00, 0x00, 0x00, 0x00, 0x04,
1540 /* Cipher suites: 0x13, 0x01 = TLS13-AES128-GCM-SHA256, twice. */
1541 0x13, 0x01,
1542 0x13, 0x01, 0x01, 0x00, 0x01, 0x4a, 0x00, 0x2d,
1543 0x00, 0x03, 0x02, 0x00, 0x01, 0x00, 0x33, 0x00,
1544 0x47, 0x00, 0x45, 0x00, 0x17, 0x00, 0x41, 0x04,
1545 0x90, 0xfc, 0xe2, 0x97, 0x05, 0x7c, 0xb5, 0x23,
1546 0x5d, 0x5f, 0x5b, 0xcd, 0x0c, 0x1e, 0xe0, 0xe9,
1547 0xab, 0x38, 0x6b, 0x1e, 0x20, 0x5c, 0x1c, 0x90,
1548 0x2a, 0x9e, 0x68, 0x8e, 0x70, 0x05, 0x10, 0xa8,
1549 0x02, 0x1b, 0xf9, 0x5c, 0xef, 0xc9, 0xaf, 0xca,
1550 0x1a, 0x3b, 0x16, 0x8b, 0xe4, 0x1b, 0x3c, 0x15,
1551 0xb8, 0x0d, 0xbd, 0xaf, 0x62, 0x8d, 0xa7, 0x13,
1552 0xa0, 0x7c, 0xe0, 0x59, 0x0c, 0x4f, 0x8a, 0x6d,
1553 0x00, 0x2b, 0x00, 0x03, 0x02, 0x03, 0x04, 0x00,
1554 0x0d, 0x00, 0x20, 0x00, 0x1e, 0x06, 0x03, 0x05,
1555 0x03, 0x04, 0x03, 0x02, 0x03, 0x08, 0x06, 0x08,
1556 0x0b, 0x08, 0x05, 0x08, 0x0a, 0x08, 0x04, 0x08,
1557 0x09, 0x06, 0x01, 0x05, 0x01, 0x04, 0x01, 0x03,
1558 0x01, 0x02, 0x01, 0x00, 0x0a, 0x00, 0x04, 0x00,
1559 0x02, 0x00, 0x17, 0x00, 0x16, 0x00, 0x00, 0x00,
1560 0x23, 0x00, 0x00, 0x00, 0x29, 0x00, 0xb9, 0x00,
1561 0x94, 0x00, 0x8e, 0x0f, 0x12, 0xfa, 0x84, 0x1f,
1562 0x76, 0x94, 0xd7, 0x09, 0x5e, 0xad, 0x08, 0x51,
1563 0xb6, 0x80, 0x28, 0x31, 0x8b, 0xfd, 0xc6, 0xbd,
1564 0x9e, 0xf5, 0x3b, 0x4d, 0x02, 0xbe, 0x1d, 0x73,
1565 0xea, 0x13, 0x68, 0x00, 0x4c, 0xfd, 0x3d, 0x48,
1566 0x51, 0xf9, 0x06, 0xbb, 0x92, 0xed, 0x42, 0x9f,
1567 0x7f, 0x2c, 0x73, 0x9f, 0xd9, 0xb4, 0xef, 0x05,
1568 0x26, 0x5b, 0x60, 0x5c, 0x0a, 0xfc, 0xa3, 0xbd,
1569 0x2d, 0x2d, 0x8b, 0xf9, 0xaa, 0x5c, 0x96, 0x3a,
1570 0xf2, 0xec, 0xfa, 0xe5, 0x57, 0x2e, 0x87, 0xbe,
1571 0x27, 0xc5, 0x3d, 0x4f, 0x5d, 0xdd, 0xde, 0x1c,
1572 0x1b, 0xb3, 0xcc, 0x27, 0x27, 0x57, 0x5a, 0xd9,
1573 0xea, 0x99, 0x27, 0x23, 0xa6, 0x0e, 0xea, 0x9c,
1574 0x0d, 0x85, 0xcb, 0x72, 0xeb, 0xd7, 0x93, 0xe3,
1575 0xfe, 0xf7, 0x5c, 0xc5, 0x5b, 0x75, 0x8c, 0x47,
1576 0x0a, 0x0e, 0xc4, 0x1a, 0xda, 0xef, 0x75, 0xe5,
1577 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1578 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1579 0x00, 0xfb, 0x92, 0xce, 0xaa, 0x00, 0x21, 0x20,
1580 0xcb, 0x73, 0x25, 0x80, 0x46, 0x78, 0x4f, 0xe5,
1581 0x34, 0xf6, 0x91, 0x13, 0x7f, 0xc8, 0x8d, 0xdc,
1582 0x81, 0x04, 0xb7, 0x0d, 0x49, 0x85, 0x2e, 0x12,
1583 0x7a, 0x07, 0x23, 0xe9, 0x13, 0xa4, 0x6d, 0x8c
1584 };
1585 WOLFSSL_BUFFER_INFO msg;
1586 /* Offset into ClientHello message data of first cipher suite. */
1587 const int csOff = 78;
1588 /* Server cipher list. */
1589 const char* serverCs = "TLS13-AES256-GCM-SHA384:TLS13-AES128-GCM-SHA256";
1590 /* Suite list with duplicates. */
1591 const char* dupCs = "TLS13-AES128-GCM-SHA256:"
1592 "TLS13-AES128-GCM-SHA256:"
1593 "TLS13-AES256-GCM-SHA384:"
1594 "TLS13-AES256-GCM-SHA384:"
1595 "TLS13-AES128-GCM-SHA256";
1596#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_SET_CIPHER_BYTES)
1597 const byte dupCsBytes[] = { TLS13_BYTE, TLS_AES_256_GCM_SHA384,
1598 TLS13_BYTE, TLS_AES_256_GCM_SHA384,
1599 TLS13_BYTE, TLS_AES_128_GCM_SHA256,
1600 TLS13_BYTE, TLS_AES_128_GCM_SHA256,
1601 TLS13_BYTE, TLS_AES_256_GCM_SHA384 };
1602#endif
1603
1604 /* Set up wolfSSL context. */
1605 ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_server_method()));
1606 ExpectTrue(wolfSSL_CTX_use_certificate_file(ctx, eccCertFile,
1607 CERT_FILETYPE));
1608 ExpectTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, eccKeyFile,
1609 CERT_FILETYPE));
1610 /* Read from 'msg'. */
1611 wolfSSL_SetIORecv(ctx, CsRecv);
1612 /* No where to send to - dummy sender. */
1613 wolfSSL_SetIOSend(ctx, CsSend);
1614
1615 /* Test cipher suite list with many copies of a cipher suite. */
1616 ExpectNotNull(ssl = wolfSSL_new(ctx));
1617 msg.buffer = clientHello;
1618 msg.length = (unsigned int)sizeof(clientHello);
1619 wolfSSL_SetIOReadCtx(ssl, &msg);
1620 /* Force server to have as many occurrences of same cipher suite as
1621 * possible. */
1622 if (ssl != NULL) {
1623 Suites* suites = (Suites*)WOLFSSL_SUITES(ssl);
1624 suites->suiteSz = WOLFSSL_MAX_SUITE_SZ;
1625 for (i = 0; i < suites->suiteSz; i += 2) {
1626 suites->suites[i + 0] = TLS13_BYTE;
1627 suites->suites[i + 1] = TLS_AES_128_GCM_SHA256;
1628 }
1629 }
1630 /* Test multiple occurrences of same cipher suite. */
1631 ExpectIntEQ(wolfSSL_accept_TLSv13(ssl),
1632 WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR));
1633 wolfSSL_free(ssl);
1634 ssl = NULL;
1635
1636 /* Set client order opposite to server order:
1637 * TLS13-AES128-GCM-SHA256:TLS13-AES256-GCM-SHA384 */
1638 clientHello[csOff + 0] = TLS13_BYTE;
1639 clientHello[csOff + 1] = TLS_AES_128_GCM_SHA256;
1640 clientHello[csOff + 2] = TLS13_BYTE;
1641 clientHello[csOff + 3] = TLS_AES_256_GCM_SHA384;
1642
1643 /* Test server order negotiation. */
1644 ExpectNotNull(ssl = wolfSSL_new(ctx));
1645 msg.buffer = clientHello;
1646 msg.length = (unsigned int)sizeof(clientHello);
1647 wolfSSL_SetIOReadCtx(ssl, &msg);
1648 /* Server order: TLS13-AES256-GCM-SHA384:TLS13-AES128-GCM-SHA256 */
1649 ExpectIntEQ(wolfSSL_set_cipher_list(ssl, serverCs), WOLFSSL_SUCCESS);
1650 /* Negotiate cipher suites in server order: TLS13-AES256-GCM-SHA384 */
1651 ExpectIntEQ(wolfSSL_accept_TLSv13(ssl),
1652 WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR));
1653 /* Check refined order - server order. */
1654 ExpectIntEQ(ssl->suites->suiteSz, 4);
1655 ExpectIntEQ(ssl->suites->suites[0], TLS13_BYTE);
1656 ExpectIntEQ(ssl->suites->suites[1], TLS_AES_256_GCM_SHA384);
1657 ExpectIntEQ(ssl->suites->suites[2], TLS13_BYTE);
1658 ExpectIntEQ(ssl->suites->suites[3], TLS_AES_128_GCM_SHA256);
1659 wolfSSL_free(ssl);
1660 ssl = NULL;
1661
1662 /* Test client order negotiation. */
1663 ExpectNotNull(ssl = wolfSSL_new(ctx));
1664 msg.buffer = clientHello;
1665 msg.length = (unsigned int)sizeof(clientHello);
1666 wolfSSL_SetIOReadCtx(ssl, &msg);
1667 /* Server order: TLS13-AES256-GCM-SHA384:TLS13-AES128-GCM-SHA256 */
1668 ExpectIntEQ(wolfSSL_set_cipher_list(ssl, serverCs), WOLFSSL_SUCCESS);
1669 ExpectIntEQ(wolfSSL_UseClientSuites(ssl), 0);
1670 /* Negotiate cipher suites in client order: TLS13-AES128-GCM-SHA256 */
1671 ExpectIntEQ(wolfSSL_accept_TLSv13(ssl),
1672 WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR));
1673 /* Check refined order - client order. */
1674 ExpectIntEQ(ssl->suites->suiteSz, 4);
1675 ExpectIntEQ(ssl->suites->suites[0], TLS13_BYTE);
1676 ExpectIntEQ(ssl->suites->suites[1], TLS_AES_128_GCM_SHA256);
1677 ExpectIntEQ(ssl->suites->suites[2], TLS13_BYTE);
1678 ExpectIntEQ(ssl->suites->suites[3], TLS_AES_256_GCM_SHA384);
1679 wolfSSL_free(ssl);
1680 ssl = NULL;
1681
1682 /* Check duplicate detection is working. */
1683 ExpectIntEQ(wolfSSL_CTX_set_cipher_list(ctx, dupCs), WOLFSSL_SUCCESS);
1684 ExpectIntEQ(ctx->suites->suiteSz, 4);
1685 ExpectIntEQ(ctx->suites->suites[0], TLS13_BYTE);
1686 ExpectIntEQ(ctx->suites->suites[1], TLS_AES_128_GCM_SHA256);
1687 ExpectIntEQ(ctx->suites->suites[2], TLS13_BYTE);
1688 ExpectIntEQ(ctx->suites->suites[3], TLS_AES_256_GCM_SHA384);
1689
1690#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_SET_CIPHER_BYTES)
1691 ExpectIntEQ(wolfSSL_CTX_set_cipher_list_bytes(ctx, dupCsBytes,
1692 sizeof(dupCsBytes)), WOLFSSL_SUCCESS);
1693 ExpectIntEQ(ctx->suites->suiteSz, 4);
1694 ExpectIntEQ(ctx->suites->suites[0], TLS13_BYTE);
1695 ExpectIntEQ(ctx->suites->suites[1], TLS_AES_256_GCM_SHA384);
1696 ExpectIntEQ(ctx->suites->suites[2], TLS13_BYTE);
1697 ExpectIntEQ(ctx->suites->suites[3], TLS_AES_128_GCM_SHA256);
1698#endif
1699
1700 wolfSSL_CTX_free(ctx);
1701#endif
1702 return EXPECT_RESULT();
1703}
1704
1705
1706#if defined(WOLFSSL_TLS13) && defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES)\
1707 && !defined(NO_PSK)
1708static unsigned int test_tls13_bad_psk_binder_client_cb(WOLFSSL* ssl,
1709 const char* hint, char* identity, unsigned int id_max_len,
1710 unsigned char* key, unsigned int key_max_len)
1711{
1712 (void)ssl;
1713 (void)hint;
1714 (void)key_max_len;
1715
1716 /* see internal.h MAX_PSK_ID_LEN for PSK identity limit */
1717 XSTRNCPY(identity, "Client_identity", id_max_len);
1718
1719 key[0] = 0x20;
1720 return 1;
1721}
1722
1723static unsigned int test_tls13_bad_psk_binder_server_cb(WOLFSSL* ssl,
1724 const char* id, unsigned char* key, unsigned int key_max_len)
1725{
1726 (void)ssl;
1727 (void)id;
1728 (void)key_max_len;
1729 /* zero means error */
1730 key[0] = 0x10;
1731 return 1;
1732}
1733#endif
1734
1735int test_tls13_bad_psk_binder(void)
1736{
1737 EXPECT_DECLS;
1738#if defined(WOLFSSL_TLS13) && defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES)\
1739 && !defined(NO_PSK)
1740 WOLFSSL_CTX *ctx_c = NULL;
1741 WOLFSSL_CTX *ctx_s = NULL;
1742 WOLFSSL *ssl_c = NULL;
1743 WOLFSSL *ssl_s = NULL;
1744 struct test_memio_ctx test_ctx;
1745 WOLFSSL_ALERT_HISTORY h;
1746
1747 XMEMSET(&test_ctx, 0, sizeof(test_ctx));
1748 ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
1749 wolfTLSv1_3_client_method, wolfTLSv1_3_server_method), 0);
1750
1751 wolfSSL_set_psk_client_callback(ssl_c, test_tls13_bad_psk_binder_client_cb);
1752 wolfSSL_set_psk_server_callback(ssl_s, test_tls13_bad_psk_binder_server_cb);
1753
1754 ExpectIntNE(wolfSSL_connect(ssl_c), WOLFSSL_SUCCESS);
1755 ExpectIntEQ(wolfSSL_get_error(ssl_c, WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)),
1756 WOLFSSL_ERROR_WANT_READ);
1757
1758 ExpectIntNE(wolfSSL_accept(ssl_s), WOLFSSL_SUCCESS);
1759 ExpectIntEQ( wolfSSL_get_error(ssl_s, WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)),
1760 WC_NO_ERR_TRACE(BAD_BINDER));
1761
1762 ExpectIntNE(wolfSSL_connect(ssl_c), WOLFSSL_SUCCESS);
1763 ExpectIntEQ(wolfSSL_get_error(ssl_c, WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)),
1764 WC_NO_ERR_TRACE(FATAL_ERROR));
1765 ExpectIntEQ(wolfSSL_get_alert_history(ssl_c, &h), WOLFSSL_SUCCESS);
1766 ExpectIntEQ(h.last_rx.code, illegal_parameter);
1767 ExpectIntEQ(h.last_rx.level, alert_fatal);
1768
1769 wolfSSL_free(ssl_c);
1770 wolfSSL_CTX_free(ctx_c);
1771 wolfSSL_free(ssl_s);
1772 wolfSSL_CTX_free(ctx_s);
1773#endif
1774 return EXPECT_RESULT();
1775}
1776
1777
1778#if defined(HAVE_RPK) && !defined(NO_TLS) && !defined(NO_WOLFSSL_CLIENT) && \
1779 !defined(NO_WOLFSSL_SERVER)
1780
1781#define svrRpkCertFile "./certs/rpk/server-cert-rpk.der"
1782#define clntRpkCertFile "./certs/rpk/client-cert-rpk.der"
1783
1784#if defined(WOLFSSL_ALWAYS_VERIFY_CB) && defined(WOLFSSL_TLS13)
1785static int MyRpkVerifyCb(int mode, WOLFSSL_X509_STORE_CTX* strctx)
1786{
1787 int ret = WOLFSSL_SUCCESS;
1788 (void)mode;
1789 (void)strctx;
1790 WOLFSSL_ENTER("MyRpkVerifyCb");
1791 return ret;
1792}
1793#endif /* WOLFSSL_ALWAYS_VERIFY_CB && WOLFSSL_TLS13 */
1794
1795static WC_INLINE int test_rpk_memio_setup(
1796 struct test_memio_ctx *ctx,
1797 WOLFSSL_CTX **ctx_c,
1798 WOLFSSL_CTX **ctx_s,
1799 WOLFSSL **ssl_c,
1800 WOLFSSL **ssl_s,
1801 method_provider method_c,
1802 method_provider method_s,
1803 const char* certfile_c, int fmt_cc, /* client cert file path and format */
1804 const char* certfile_s, int fmt_cs, /* server cert file path and format */
1805 const char* pkey_c, int fmt_kc, /* client private key and format */
1806 const char* pkey_s, int fmt_ks /* server private key and format */
1807 )
1808{
1809 int ret;
1810 if (ctx_c != NULL && *ctx_c == NULL) {
1811 *ctx_c = wolfSSL_CTX_new(method_c());
1812 if (*ctx_c == NULL) {
1813 return -1;
1814 }
1815 wolfSSL_CTX_set_verify(*ctx_c, WOLFSSL_VERIFY_PEER, NULL);
1816
1817 ret = wolfSSL_CTX_load_verify_locations(*ctx_c, caCertFile, 0);
1818 if (ret != WOLFSSL_SUCCESS) {
1819 return -1;
1820 }
1821 wolfSSL_SetIORecv(*ctx_c, test_memio_read_cb);
1822 wolfSSL_SetIOSend(*ctx_c, test_memio_write_cb);
1823
1824 ret = wolfSSL_CTX_use_certificate_file(*ctx_c, certfile_c, fmt_cc);
1825 if (ret != WOLFSSL_SUCCESS) {
1826 return -1;
1827 }
1828 ret = wolfSSL_CTX_use_PrivateKey_file(*ctx_c, pkey_c, fmt_kc);
1829 if (ret != WOLFSSL_SUCCESS) {
1830 return -1;
1831 }
1832 }
1833
1834 if (ctx_s != NULL && *ctx_s == NULL) {
1835 *ctx_s = wolfSSL_CTX_new(method_s());
1836 if (*ctx_s == NULL) {
1837 return -1;
1838 }
1839 wolfSSL_CTX_set_verify(*ctx_s, WOLFSSL_VERIFY_PEER, NULL);
1840
1841 ret = wolfSSL_CTX_load_verify_locations(*ctx_s, cliCertFile, 0);
1842 if (ret != WOLFSSL_SUCCESS) {
1843 return -1;
1844 }
1845
1846 ret = wolfSSL_CTX_use_PrivateKey_file(*ctx_s, pkey_s, fmt_ks);
1847 if (ret != WOLFSSL_SUCCESS) {
1848 return -1;
1849 }
1850 ret = wolfSSL_CTX_use_certificate_file(*ctx_s, certfile_s, fmt_cs);
1851 if (ret != WOLFSSL_SUCCESS) {
1852 return -1;
1853 }
1854 wolfSSL_SetIORecv(*ctx_s, test_memio_read_cb);
1855 wolfSSL_SetIOSend(*ctx_s, test_memio_write_cb);
1856 if (ctx->s_ciphers != NULL) {
1857 ret = wolfSSL_CTX_set_cipher_list(*ctx_s, ctx->s_ciphers);
1858 if (ret != WOLFSSL_SUCCESS) {
1859 return -1;
1860 }
1861 }
1862 }
1863
1864 if (ctx_c != NULL && ssl_c != NULL) {
1865 *ssl_c = wolfSSL_new(*ctx_c);
1866 if (*ssl_c == NULL) {
1867 return -1;
1868 }
1869 wolfSSL_SetIOWriteCtx(*ssl_c, ctx);
1870 wolfSSL_SetIOReadCtx(*ssl_c, ctx);
1871 }
1872 if (ctx_s != NULL && ssl_s != NULL) {
1873 *ssl_s = wolfSSL_new(*ctx_s);
1874 if (*ssl_s == NULL) {
1875 return -1;
1876 }
1877 wolfSSL_SetIOWriteCtx(*ssl_s, ctx);
1878 wolfSSL_SetIOReadCtx(*ssl_s, ctx);
1879#if !defined(NO_DH)
1880 SetDH(*ssl_s);
1881#endif
1882 }
1883
1884 return 0;
1885}
1886#endif /* HAVE_RPK && !NO_TLS && !NO_WOLFSSL_CLIENT && !NO_WOLFSSL_SERVER */
1887
1888
1889int test_tls13_rpk_handshake(void)
1890{
1891 EXPECT_DECLS;
1892#if defined(HAVE_RPK) && \
1893 (!defined(WOLFSSL_NO_TLS12) || defined(WOLFSSL_TLS13)) && \
1894 !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER)
1895#ifdef WOLFSSL_TLS13
1896 int ret = 0;
1897#endif
1898 WOLFSSL_CTX *ctx_c = NULL, *ctx_s = NULL;
1899 WOLFSSL *ssl_c = NULL, *ssl_s = NULL;
1900 struct test_memio_ctx test_ctx;
1901 int err;
1902 char certType_c[MAX_CLIENT_CERT_TYPE_CNT];
1903 char certType_s[MAX_CLIENT_CERT_TYPE_CNT];
1904 int typeCnt_c;
1905 int typeCnt_s;
1906 int tp = 0;
1907#if defined(WOLFSSL_ALWAYS_VERIFY_CB) && defined(WOLFSSL_TLS13)
1908 int isServer;
1909#endif
1910
1911 (void)err;
1912 (void)typeCnt_c;
1913 (void)typeCnt_s;
1914 (void)certType_c;
1915 (void)certType_s;
1916
1917#ifndef WOLFSSL_NO_TLS12
1918 /* TLS1.2
1919 * Both client and server load x509 cert and start handshaking.
1920 * Check no negotiation occurred.
1921 */
1922 XMEMSET(&test_ctx, 0, sizeof(test_ctx));
1923
1924 ExpectIntEQ(
1925 test_rpk_memio_setup(
1926 &test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
1927 wolfTLSv1_2_client_method, wolfTLSv1_2_server_method,
1928 cliCertFile, CERT_FILETYPE,
1929 svrCertFile, CERT_FILETYPE,
1930 cliKeyFile, CERT_FILETYPE,
1931 svrKeyFile, CERT_FILETYPE)
1932 , 0);
1933
1934
1935 /* set client certificate type in client end */
1936 certType_c[0] = WOLFSSL_CERT_TYPE_RPK;
1937 certType_c[1] = WOLFSSL_CERT_TYPE_X509;
1938 typeCnt_c = 2;
1939
1940 certType_s[0] = WOLFSSL_CERT_TYPE_RPK;
1941 certType_s[1] = WOLFSSL_CERT_TYPE_X509;
1942 typeCnt_s = 2;
1943
1944 /* both client and server do not call client/server_cert_type APIs,
1945 * expecting default settings works and no negotiation performed.
1946 */
1947
1948 ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
1949
1950 /* confirm no negotiation occurred */
1951 ExpectIntEQ(wolfSSL_get_negotiated_client_cert_type(ssl_c, &tp),
1952 WOLFSSL_SUCCESS);
1953 ExpectIntEQ((int)tp, WOLFSSL_CERT_TYPE_UNKNOWN);
1954 ExpectIntEQ(wolfSSL_get_negotiated_server_cert_type(ssl_c, &tp),
1955 WOLFSSL_SUCCESS);
1956 ExpectIntEQ(tp, WOLFSSL_CERT_TYPE_UNKNOWN);
1957 ExpectIntEQ(wolfSSL_get_negotiated_client_cert_type(ssl_s, &tp),
1958 WOLFSSL_SUCCESS);
1959 ExpectIntEQ(tp, WOLFSSL_CERT_TYPE_UNKNOWN);
1960
1961 ExpectIntEQ(wolfSSL_get_negotiated_server_cert_type(ssl_s, &tp),
1962 WOLFSSL_SUCCESS);
1963 ExpectIntEQ(tp, WOLFSSL_CERT_TYPE_UNKNOWN);
1964
1965 (void)typeCnt_c;
1966 (void)typeCnt_s;
1967
1968 wolfSSL_free(ssl_c);
1969 wolfSSL_CTX_free(ctx_c);
1970 wolfSSL_free(ssl_s);
1971 wolfSSL_CTX_free(ctx_s);
1972 ssl_c = ssl_s = NULL;
1973 ctx_c = ctx_s = NULL;
1974#endif
1975
1976#ifdef WOLFSSL_TLS13
1977 /* Both client and server load x509 cert and start handshaking.
1978 * Check no negotiation occurred.
1979 */
1980 XMEMSET(&test_ctx, 0, sizeof(test_ctx));
1981
1982 ExpectIntEQ(
1983 test_rpk_memio_setup(
1984 &test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
1985 wolfTLSv1_3_client_method, wolfTLSv1_3_server_method,
1986 cliCertFile, CERT_FILETYPE,
1987 svrCertFile, CERT_FILETYPE,
1988 cliKeyFile, CERT_FILETYPE,
1989 svrKeyFile, CERT_FILETYPE )
1990 , 0);
1991
1992 /* set client certificate type in client end */
1993 certType_c[0] = WOLFSSL_CERT_TYPE_RPK;
1994 certType_c[1] = WOLFSSL_CERT_TYPE_X509;
1995 typeCnt_c = 2;
1996
1997 certType_s[0] = WOLFSSL_CERT_TYPE_RPK;
1998 certType_s[1] = WOLFSSL_CERT_TYPE_X509;
1999 typeCnt_s = 2;
2000
2001 /* both client and server do not call client/server_cert_type APIs,
2002 * expecting default settings works and no negotiation performed.
2003 */
2004
2005 ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
2006
2007 /* confirm no negotiation occurred */
2008 ExpectIntEQ(wolfSSL_get_negotiated_client_cert_type(ssl_c, &tp),
2009 WOLFSSL_SUCCESS);
2010 ExpectIntEQ((int)tp, WOLFSSL_CERT_TYPE_UNKNOWN);
2011
2012 ExpectIntEQ(wolfSSL_get_negotiated_server_cert_type(ssl_c, &tp),
2013 WOLFSSL_SUCCESS);
2014 ExpectIntEQ(tp, WOLFSSL_CERT_TYPE_UNKNOWN);
2015
2016 ExpectIntEQ(wolfSSL_get_negotiated_client_cert_type(ssl_s, &tp),
2017 WOLFSSL_SUCCESS);
2018 ExpectIntEQ(tp, WOLFSSL_CERT_TYPE_UNKNOWN);
2019
2020 ExpectIntEQ(wolfSSL_get_negotiated_server_cert_type(ssl_s, &tp),
2021 WOLFSSL_SUCCESS);
2022 ExpectIntEQ(tp, WOLFSSL_CERT_TYPE_UNKNOWN);
2023
2024 (void)typeCnt_c;
2025 (void)typeCnt_s;
2026
2027 wolfSSL_free(ssl_c);
2028 wolfSSL_CTX_free(ctx_c);
2029 wolfSSL_free(ssl_s);
2030 wolfSSL_CTX_free(ctx_s);
2031 ssl_c = ssl_s = NULL;
2032 ctx_c = ctx_s = NULL;
2033
2034
2035 /* Both client and server load RPK cert and start handshaking.
2036 * Confirm negotiated cert types match as expected.
2037 */
2038 XMEMSET(&test_ctx, 0, sizeof(test_ctx));
2039
2040 ExpectIntEQ(
2041 test_rpk_memio_setup(
2042 &test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
2043 wolfTLSv1_3_client_method, wolfTLSv1_3_server_method,
2044 clntRpkCertFile, WOLFSSL_FILETYPE_ASN1,
2045 svrRpkCertFile, WOLFSSL_FILETYPE_ASN1,
2046 cliKeyFile, CERT_FILETYPE,
2047 svrKeyFile, CERT_FILETYPE )
2048 , 0);
2049
2050 /* set client certificate type in client end */
2051 certType_c[0] = WOLFSSL_CERT_TYPE_RPK;
2052 certType_c[1] = WOLFSSL_CERT_TYPE_X509;
2053 typeCnt_c = 2;
2054
2055 certType_s[0] = WOLFSSL_CERT_TYPE_RPK;
2056 certType_s[1] = WOLFSSL_CERT_TYPE_X509;
2057 typeCnt_s = 2;
2058
2059 ExpectIntEQ(wolfSSL_set_client_cert_type(ssl_c, certType_c, typeCnt_c),
2060 WOLFSSL_SUCCESS);
2061
2062 /* set server certificate type in client end */
2063 ExpectIntEQ(wolfSSL_set_server_cert_type(ssl_c, certType_s, typeCnt_s),
2064 WOLFSSL_SUCCESS);
2065
2066 /* set client certificate type in server end */
2067 ExpectIntEQ(wolfSSL_set_client_cert_type(ssl_s, certType_c, typeCnt_c),
2068 WOLFSSL_SUCCESS);
2069
2070 /* set server certificate type in server end */
2071 ExpectIntEQ(wolfSSL_set_server_cert_type(ssl_s, certType_s, typeCnt_s),
2072 WOLFSSL_SUCCESS);
2073
2074 ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
2075
2076 ExpectIntEQ(wolfSSL_get_negotiated_client_cert_type(ssl_c, &tp),
2077 WOLFSSL_SUCCESS);
2078 ExpectIntEQ(tp, WOLFSSL_CERT_TYPE_RPK);
2079
2080 ExpectIntEQ(wolfSSL_get_negotiated_server_cert_type(ssl_c, &tp),
2081 WOLFSSL_SUCCESS);
2082 ExpectIntEQ(tp, WOLFSSL_CERT_TYPE_RPK);
2083
2084 ExpectIntEQ(wolfSSL_get_negotiated_client_cert_type(ssl_s, &tp),
2085 WOLFSSL_SUCCESS);
2086 ExpectIntEQ(tp, WOLFSSL_CERT_TYPE_RPK);
2087
2088 ExpectIntEQ(wolfSSL_get_negotiated_server_cert_type(ssl_s, &tp),
2089 WOLFSSL_SUCCESS);
2090 ExpectIntEQ(tp, WOLFSSL_CERT_TYPE_RPK);
2091
2092 wolfSSL_free(ssl_c);
2093 wolfSSL_CTX_free(ctx_c);
2094 wolfSSL_free(ssl_s);
2095 wolfSSL_CTX_free(ctx_s);
2096 ssl_c = ssl_s = NULL;
2097 ctx_c = ctx_s = NULL;
2098#endif
2099
2100
2101#ifndef WOLFSSL_NO_TLS12
2102 /* TLS1.2
2103 * Both client and server load RPK cert and start handshaking.
2104 * Confirm negotiated cert types match as expected.
2105 */
2106 XMEMSET(&test_ctx, 0, sizeof(test_ctx));
2107
2108 ExpectIntEQ(
2109 test_rpk_memio_setup(
2110 &test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
2111 wolfTLSv1_2_client_method, wolfTLSv1_2_server_method,
2112 clntRpkCertFile, WOLFSSL_FILETYPE_ASN1,
2113 svrRpkCertFile, WOLFSSL_FILETYPE_ASN1,
2114 cliKeyFile, CERT_FILETYPE,
2115 svrKeyFile, CERT_FILETYPE )
2116 , 0);
2117
2118 /* set client certificate type in client end */
2119 certType_c[0] = WOLFSSL_CERT_TYPE_RPK;
2120 certType_c[1] = WOLFSSL_CERT_TYPE_X509;
2121 typeCnt_c = 2;
2122
2123 certType_s[0] = WOLFSSL_CERT_TYPE_RPK;
2124 certType_s[1] = WOLFSSL_CERT_TYPE_X509;
2125 typeCnt_s = 2;
2126
2127 ExpectIntEQ(wolfSSL_set_client_cert_type(ssl_c, certType_c, typeCnt_c),
2128 WOLFSSL_SUCCESS);
2129
2130 /* set server certificate type in client end */
2131 ExpectIntEQ(wolfSSL_set_server_cert_type(ssl_c, certType_s, typeCnt_s),
2132 WOLFSSL_SUCCESS);
2133
2134 /* set client certificate type in server end */
2135 ExpectIntEQ(wolfSSL_set_client_cert_type(ssl_s, certType_c, typeCnt_c),
2136 WOLFSSL_SUCCESS);
2137
2138 /* set server certificate type in server end */
2139 ExpectIntEQ(wolfSSL_set_server_cert_type(ssl_s, certType_s, typeCnt_s),
2140 WOLFSSL_SUCCESS);
2141
2142 if (test_memio_do_handshake(ssl_c, ssl_s, 10, NULL) != 0)
2143 return TEST_FAIL;
2144
2145 ExpectIntEQ(wolfSSL_get_negotiated_client_cert_type(ssl_c, &tp),
2146 WOLFSSL_SUCCESS);
2147 ExpectIntEQ(tp, WOLFSSL_CERT_TYPE_RPK);
2148
2149 ExpectIntEQ(wolfSSL_get_negotiated_server_cert_type(ssl_c, &tp),
2150 WOLFSSL_SUCCESS);
2151 ExpectIntEQ(tp, WOLFSSL_CERT_TYPE_RPK);
2152
2153 ExpectIntEQ(wolfSSL_get_negotiated_client_cert_type(ssl_s, &tp),
2154 WOLFSSL_SUCCESS);
2155 ExpectIntEQ(tp, WOLFSSL_CERT_TYPE_RPK);
2156
2157 ExpectIntEQ(wolfSSL_get_negotiated_server_cert_type(ssl_s, &tp),
2158 WOLFSSL_SUCCESS);
2159 ExpectIntEQ(tp, WOLFSSL_CERT_TYPE_RPK);
2160
2161 wolfSSL_free(ssl_c);
2162 wolfSSL_CTX_free(ctx_c);
2163 wolfSSL_free(ssl_s);
2164 wolfSSL_CTX_free(ctx_s);
2165 ssl_c = ssl_s = NULL;
2166 ctx_c = ctx_s = NULL;
2167#endif
2168
2169
2170#ifdef WOLFSSL_TLS13
2171 /* Both client and server load x509 cert.
2172 * Have client call set_client_cert_type with both RPK and x509.
2173 * This doesn't makes client add client cert type extension to ClientHello,
2174 * since it does not load RPK cert actually.
2175 */
2176 XMEMSET(&test_ctx, 0, sizeof(test_ctx));
2177
2178 ExpectIntEQ(
2179 test_rpk_memio_setup(
2180 &test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
2181 wolfTLSv1_3_client_method, wolfTLSv1_3_server_method,
2182 cliCertFile, CERT_FILETYPE,
2183 svrCertFile, CERT_FILETYPE,
2184 cliKeyFile, CERT_FILETYPE,
2185 svrKeyFile, CERT_FILETYPE )
2186 , 0);
2187
2188 /* set client certificate type in client end
2189 *
2190 * client indicates both RPK and x509 certs are available but loaded RPK
2191 * cert only. It does not have client add client-cert-type extension in CH.
2192 */
2193 certType_c[0] = WOLFSSL_CERT_TYPE_RPK;
2194 certType_c[1] = WOLFSSL_CERT_TYPE_X509;
2195 typeCnt_c = 2;
2196
2197 ExpectIntEQ(wolfSSL_set_client_cert_type(ssl_c, certType_c, typeCnt_c),
2198 WOLFSSL_SUCCESS);
2199
2200 /* client indicates both RPK and x509 certs are acceptable */
2201 certType_s[0] = WOLFSSL_CERT_TYPE_RPK;
2202 certType_s[1] = WOLFSSL_CERT_TYPE_X509;
2203 typeCnt_s = 2;
2204
2205 ExpectIntEQ(wolfSSL_set_server_cert_type(ssl_c, certType_s, typeCnt_s),
2206 WOLFSSL_SUCCESS);
2207
2208 /* server indicates both RPK and x509 certs are acceptable */
2209 certType_c[0] = WOLFSSL_CERT_TYPE_RPK;
2210 certType_c[1] = WOLFSSL_CERT_TYPE_X509;
2211 typeCnt_c = 2;
2212
2213 ExpectIntEQ(wolfSSL_set_client_cert_type(ssl_s, certType_c, typeCnt_c),
2214 WOLFSSL_SUCCESS);
2215
2216 /* server should indicate only RPK cert is available */
2217 certType_s[0] = WOLFSSL_CERT_TYPE_X509;
2218 certType_s[1] = -1;
2219 typeCnt_s = 1;
2220
2221 ExpectIntEQ(wolfSSL_set_server_cert_type(ssl_s, certType_s, typeCnt_s),
2222 WOLFSSL_SUCCESS);
2223
2224 if (test_memio_do_handshake(ssl_c, ssl_s, 10, NULL) != 0)
2225 return TEST_FAIL;
2226
2227 /* Negotiation for client-cert-type should NOT happen. Therefore -1 should
2228 * be returned as cert type.
2229 */
2230 ExpectIntEQ(wolfSSL_get_negotiated_client_cert_type(ssl_c, &tp),
2231 WOLFSSL_SUCCESS);
2232 ExpectIntEQ(tp, WOLFSSL_CERT_TYPE_UNKNOWN);
2233
2234 ExpectIntEQ(wolfSSL_get_negotiated_server_cert_type(ssl_c, &tp),
2235 WOLFSSL_SUCCESS);
2236 ExpectIntEQ(tp, WOLFSSL_CERT_TYPE_X509);
2237
2238 ExpectIntEQ(wolfSSL_get_negotiated_client_cert_type(ssl_s, &tp),
2239 WOLFSSL_SUCCESS);
2240 ExpectIntEQ(tp, WOLFSSL_CERT_TYPE_UNKNOWN);
2241
2242 ExpectIntEQ(wolfSSL_get_negotiated_server_cert_type(ssl_s, &tp),
2243 WOLFSSL_SUCCESS);
2244 ExpectIntEQ(tp, WOLFSSL_CERT_TYPE_X509);
2245
2246 wolfSSL_free(ssl_c);
2247 wolfSSL_CTX_free(ctx_c);
2248 wolfSSL_free(ssl_s);
2249 wolfSSL_CTX_free(ctx_s);
2250 ssl_c = ssl_s = NULL;
2251 ctx_c = ctx_s = NULL;
2252
2253
2254 /* Have client load RPK cert and have server load x509 cert.
2255 * Check the negotiation result from both ends.
2256 */
2257 XMEMSET(&test_ctx, 0, sizeof(test_ctx));
2258
2259 ExpectIntEQ(
2260 test_rpk_memio_setup(
2261 &test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
2262 wolfTLSv1_3_client_method, wolfTLSv1_3_server_method,
2263 clntRpkCertFile, WOLFSSL_FILETYPE_ASN1,
2264 svrCertFile, CERT_FILETYPE,
2265 cliKeyFile, CERT_FILETYPE,
2266 svrKeyFile, CERT_FILETYPE )
2267 , 0);
2268
2269 /* have client tell to use RPK cert */
2270 certType_c[0] = WOLFSSL_CERT_TYPE_RPK;
2271 certType_c[1] = -1;
2272 typeCnt_c = 1;
2273
2274 ExpectIntEQ(wolfSSL_set_client_cert_type(ssl_c, certType_c, typeCnt_c),
2275 WOLFSSL_SUCCESS);
2276
2277 /* have client tell to accept both RPK and x509 cert */
2278 certType_s[0] = WOLFSSL_CERT_TYPE_X509;
2279 certType_s[1] = WOLFSSL_CERT_TYPE_RPK;
2280 typeCnt_s = 2;
2281
2282 ExpectIntEQ(wolfSSL_set_server_cert_type(ssl_c, certType_s, typeCnt_s),
2283 WOLFSSL_SUCCESS);
2284
2285 /* have server accept to both RPK and x509 cert */
2286 certType_c[0] = WOLFSSL_CERT_TYPE_X509;
2287 certType_c[1] = WOLFSSL_CERT_TYPE_RPK;
2288 typeCnt_c = 2;
2289
2290 ExpectIntEQ(wolfSSL_set_client_cert_type(ssl_s, certType_c, typeCnt_c),
2291 WOLFSSL_SUCCESS);
2292
2293 /* does not call wolfSSL_set_server_cert_type intentionally in sesrver
2294 * end, expecting the default setting works.
2295 */
2296
2297
2298 if (test_memio_do_handshake(ssl_c, ssl_s, 10, NULL) != 0)
2299 return TEST_FAIL;
2300
2301 ExpectIntEQ(wolfSSL_get_negotiated_client_cert_type(ssl_c, &tp),
2302 WOLFSSL_SUCCESS);
2303 ExpectIntEQ(tp, WOLFSSL_CERT_TYPE_RPK);
2304
2305 ExpectIntEQ(wolfSSL_get_negotiated_server_cert_type(ssl_c, &tp),
2306 WOLFSSL_SUCCESS);
2307 ExpectIntEQ(tp, WOLFSSL_CERT_TYPE_X509);
2308
2309 ExpectIntEQ(wolfSSL_get_negotiated_client_cert_type(ssl_s, &tp),
2310 WOLFSSL_SUCCESS);
2311 ExpectIntEQ(tp, WOLFSSL_CERT_TYPE_RPK);
2312
2313 ExpectIntEQ(wolfSSL_get_negotiated_server_cert_type(ssl_s, &tp),
2314 WOLFSSL_SUCCESS);
2315 ExpectIntEQ(tp, WOLFSSL_CERT_TYPE_X509);
2316
2317 wolfSSL_free(ssl_c);
2318 wolfSSL_CTX_free(ctx_c);
2319 wolfSSL_free(ssl_s);
2320 wolfSSL_CTX_free(ctx_s);
2321 ssl_c = ssl_s = NULL;
2322 ctx_c = ctx_s = NULL;
2323
2324
2325 /* Have both client and server load RPK cert, however, have server
2326 * indicate its cert type x509.
2327 * Client is expected to detect the cert type mismatch then to send alert
2328 * with "unsupported_certificate".
2329 */
2330 XMEMSET(&test_ctx, 0, sizeof(test_ctx));
2331
2332 ExpectIntEQ(
2333 test_rpk_memio_setup(
2334 &test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
2335 wolfTLSv1_3_client_method, wolfTLSv1_3_server_method,
2336 clntRpkCertFile, WOLFSSL_FILETYPE_ASN1,
2337 svrRpkCertFile, WOLFSSL_FILETYPE_ASN1, /* server sends RPK cert */
2338 cliKeyFile, CERT_FILETYPE,
2339 svrKeyFile, CERT_FILETYPE )
2340 , 0);
2341
2342 /* have client tell to use RPK cert */
2343 certType_c[0] = WOLFSSL_CERT_TYPE_RPK;
2344 certType_c[1] = -1;
2345 typeCnt_c = 1;
2346
2347 ExpectIntEQ(wolfSSL_set_client_cert_type(ssl_c, certType_c, typeCnt_c),
2348 WOLFSSL_SUCCESS);
2349
2350 /* have client tell to accept both RPK and x509 cert */
2351 certType_s[0] = WOLFSSL_CERT_TYPE_X509;
2352 certType_s[1] = WOLFSSL_CERT_TYPE_RPK;
2353 typeCnt_s = 2;
2354
2355 ExpectIntEQ(wolfSSL_set_server_cert_type(ssl_c, certType_s, typeCnt_s),
2356 WOLFSSL_SUCCESS);
2357
2358 /* have server accept to both RPK and x509 cert */
2359 certType_c[0] = WOLFSSL_CERT_TYPE_X509;
2360 certType_c[1] = WOLFSSL_CERT_TYPE_RPK;
2361 typeCnt_c = 2;
2362
2363 ExpectIntEQ(wolfSSL_set_client_cert_type(ssl_s, certType_c, typeCnt_c),
2364 WOLFSSL_SUCCESS);
2365
2366 /* have server tell to use x509 cert intentionally. This will bring
2367 * certificate type mismatch in client side.
2368 */
2369 certType_s[0] = WOLFSSL_CERT_TYPE_X509;
2370 certType_s[1] = -1;
2371 typeCnt_s = 1;
2372
2373 ExpectIntEQ(wolfSSL_set_server_cert_type(ssl_s, certType_s, typeCnt_s),
2374 WOLFSSL_SUCCESS);
2375
2376 /* expect client detect cert type mismatch then send Alert */
2377 ret = test_memio_do_handshake(ssl_c, ssl_s, 10, NULL);
2378 if (ret != -1)
2379 return TEST_FAIL;
2380
2381 ExpectIntEQ(wolfSSL_get_error(ssl_c, ret),
2382 WC_NO_ERR_TRACE(UNSUPPORTED_CERTIFICATE));
2383
2384 ExpectIntEQ(wolfSSL_get_negotiated_client_cert_type(ssl_c, &tp),
2385 WOLFSSL_SUCCESS);
2386 ExpectIntEQ(tp, WOLFSSL_CERT_TYPE_RPK);
2387
2388 ExpectIntEQ(wolfSSL_get_negotiated_server_cert_type(ssl_c, &tp),
2389 WOLFSSL_SUCCESS);
2390 ExpectIntEQ(tp, WOLFSSL_CERT_TYPE_X509);
2391
2392 ExpectIntEQ(wolfSSL_get_negotiated_client_cert_type(ssl_s, &tp),
2393 WOLFSSL_SUCCESS);
2394 ExpectIntEQ(tp, WOLFSSL_CERT_TYPE_RPK);
2395
2396 ExpectIntEQ(wolfSSL_get_negotiated_server_cert_type(ssl_s, &tp),
2397 WOLFSSL_SUCCESS);
2398 ExpectIntEQ(tp, WOLFSSL_CERT_TYPE_X509);
2399
2400 wolfSSL_free(ssl_c);
2401 wolfSSL_CTX_free(ctx_c);
2402 wolfSSL_free(ssl_s);
2403 wolfSSL_CTX_free(ctx_s);
2404 ssl_c = ssl_s = NULL;
2405 ctx_c = ctx_s = NULL;
2406
2407
2408 /* Have client load x509 cert and server load RPK cert,
2409 * however, have client indicate its cert type RPK.
2410 * Server is expected to detect the cert type mismatch then to send alert
2411 * with "unsupported_certificate".
2412 */
2413 XMEMSET(&test_ctx, 0, sizeof(test_ctx));
2414
2415 ExpectIntEQ(
2416 test_rpk_memio_setup(
2417 &test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
2418 wolfTLSv1_3_client_method, wolfTLSv1_3_server_method,
2419 cliCertFile, CERT_FILETYPE,
2420 svrRpkCertFile, WOLFSSL_FILETYPE_ASN1,
2421 cliKeyFile, CERT_FILETYPE,
2422 svrKeyFile, CERT_FILETYPE )
2423 , 0);
2424
2425 /* have client tell to use RPK cert intentionally */
2426 certType_c[0] = WOLFSSL_CERT_TYPE_RPK;
2427 certType_c[1] = -1;
2428 typeCnt_c = 1;
2429
2430 ExpectIntEQ(wolfSSL_set_client_cert_type(ssl_c, certType_c, typeCnt_c),
2431 WOLFSSL_SUCCESS);
2432
2433 /* have client tell to accept both RPK and x509 cert */
2434 certType_s[0] = WOLFSSL_CERT_TYPE_X509;
2435 certType_s[1] = WOLFSSL_CERT_TYPE_RPK;
2436 typeCnt_s = 2;
2437
2438 ExpectIntEQ(wolfSSL_set_server_cert_type(ssl_c, certType_s, typeCnt_s),
2439 WOLFSSL_SUCCESS);
2440
2441 /* have server accept to both RPK and x509 cert */
2442 certType_c[0] = WOLFSSL_CERT_TYPE_X509;
2443 certType_c[1] = WOLFSSL_CERT_TYPE_RPK;
2444 typeCnt_c = 2;
2445
2446 ExpectIntEQ(wolfSSL_set_client_cert_type(ssl_s, certType_c, typeCnt_c),
2447 WOLFSSL_SUCCESS);
2448
2449 /* have server tell to use x509 cert intentionally. This will bring
2450 * certificate type mismatch in client side.
2451 */
2452 certType_s[0] = WOLFSSL_CERT_TYPE_X509;
2453 certType_s[1] = -1;
2454 typeCnt_s = 1;
2455
2456 ExpectIntEQ(wolfSSL_set_server_cert_type(ssl_s, certType_s, typeCnt_s),
2457 WOLFSSL_SUCCESS);
2458
2459 ret = test_memio_do_handshake(ssl_c, ssl_s, 10, NULL);
2460
2461 /* expect server detect cert type mismatch then send Alert */
2462 ExpectIntNE(ret, 0);
2463 err = wolfSSL_get_error(ssl_c, ret);
2464 ExpectIntEQ(err, WC_NO_ERR_TRACE(UNSUPPORTED_CERTIFICATE));
2465
2466 /* client did not load RPK cert actually, so negotiation did not happen */
2467 ExpectIntEQ(wolfSSL_get_negotiated_client_cert_type(ssl_c, &tp),
2468 WOLFSSL_SUCCESS);
2469 ExpectIntEQ(tp, WOLFSSL_CERT_TYPE_UNKNOWN);
2470
2471 ExpectIntEQ(wolfSSL_get_negotiated_server_cert_type(ssl_c, &tp),
2472 WOLFSSL_SUCCESS);
2473 ExpectIntEQ(tp, WOLFSSL_CERT_TYPE_X509);
2474
2475 /* client did not load RPK cert actually, so negotiation did not happen */
2476 ExpectIntEQ(wolfSSL_get_negotiated_client_cert_type(ssl_s, &tp),
2477 WOLFSSL_SUCCESS);
2478 ExpectIntEQ(tp, WOLFSSL_CERT_TYPE_UNKNOWN);
2479
2480 ExpectIntEQ(wolfSSL_get_negotiated_server_cert_type(ssl_s, &tp),
2481 WOLFSSL_SUCCESS);
2482 ExpectIntEQ(tp, WOLFSSL_CERT_TYPE_X509);
2483
2484 wolfSSL_free(ssl_c);
2485 wolfSSL_CTX_free(ctx_c);
2486 wolfSSL_free(ssl_s);
2487 wolfSSL_CTX_free(ctx_s);
2488 ssl_c = ssl_s = NULL;
2489 ctx_c = ctx_s = NULL;
2490
2491
2492#if defined(WOLFSSL_ALWAYS_VERIFY_CB)
2493 /* Both client and server load RPK cert and set certificate verify
2494 * callbacks then start handshaking.
2495 * Confirm both side can refer the peer's cert.
2496 */
2497 XMEMSET(&test_ctx, 0, sizeof(test_ctx));
2498
2499 ExpectIntEQ(
2500 test_rpk_memio_setup(
2501 &test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
2502 wolfTLSv1_3_client_method, wolfTLSv1_3_server_method,
2503 clntRpkCertFile, WOLFSSL_FILETYPE_ASN1,
2504 svrRpkCertFile, WOLFSSL_FILETYPE_ASN1,
2505 cliKeyFile, CERT_FILETYPE,
2506 svrKeyFile, CERT_FILETYPE )
2507 , 0);
2508
2509 /* set client certificate type in client end */
2510 certType_c[0] = WOLFSSL_CERT_TYPE_RPK;
2511 certType_c[1] = WOLFSSL_CERT_TYPE_X509;
2512 typeCnt_c = 2;
2513
2514 certType_s[0] = WOLFSSL_CERT_TYPE_RPK;
2515 certType_s[1] = WOLFSSL_CERT_TYPE_X509;
2516 typeCnt_s = 2;
2517
2518 ExpectIntEQ(wolfSSL_set_client_cert_type(ssl_c, certType_c, typeCnt_c),
2519 WOLFSSL_SUCCESS);
2520
2521 /* set server certificate type in client end */
2522 ExpectIntEQ(wolfSSL_set_server_cert_type(ssl_c, certType_s, typeCnt_s),
2523 WOLFSSL_SUCCESS);
2524
2525 /* set client certificate type in server end */
2526 ExpectIntEQ(wolfSSL_set_client_cert_type(ssl_s, certType_c, typeCnt_c),
2527 WOLFSSL_SUCCESS);
2528
2529 /* set server certificate type in server end */
2530 ExpectIntEQ(wolfSSL_set_server_cert_type(ssl_s, certType_s, typeCnt_s),
2531 WOLFSSL_SUCCESS);
2532
2533 /* set certificate verify callback to both client and server */
2534 isServer = 0;
2535 wolfSSL_SetCertCbCtx(ssl_c, &isServer);
2536 wolfSSL_set_verify(ssl_c, SSL_VERIFY_PEER, MyRpkVerifyCb);
2537
2538 isServer = 1;
2539 wolfSSL_SetCertCbCtx(ssl_c, &isServer);
2540 wolfSSL_set_verify(ssl_s, SSL_VERIFY_PEER, MyRpkVerifyCb);
2541
2542 ret = test_memio_do_handshake(ssl_c, ssl_s, 10, NULL);
2543 if (ret != 0)
2544 return TEST_FAIL;
2545
2546 ExpectIntEQ(wolfSSL_get_negotiated_client_cert_type(ssl_c, &tp),
2547 WOLFSSL_SUCCESS);
2548 ExpectIntEQ(tp, WOLFSSL_CERT_TYPE_RPK);
2549
2550 ExpectIntEQ(wolfSSL_get_negotiated_server_cert_type(ssl_c, &tp),
2551 WOLFSSL_SUCCESS);
2552 ExpectIntEQ(tp, WOLFSSL_CERT_TYPE_RPK);
2553
2554 ExpectIntEQ(wolfSSL_get_negotiated_client_cert_type(ssl_s, &tp),
2555 WOLFSSL_SUCCESS);
2556 ExpectIntEQ(tp, WOLFSSL_CERT_TYPE_RPK);
2557
2558 ExpectIntEQ(wolfSSL_get_negotiated_server_cert_type(ssl_s, &tp),
2559 WOLFSSL_SUCCESS);
2560 ExpectIntEQ(tp, WOLFSSL_CERT_TYPE_RPK);
2561
2562 wolfSSL_free(ssl_c);
2563 wolfSSL_CTX_free(ctx_c);
2564 wolfSSL_free(ssl_s);
2565 wolfSSL_CTX_free(ctx_s);
2566 ssl_c = ssl_s = NULL;
2567 ctx_c = ctx_s = NULL;
2568#endif /* WOLFSSL_ALWAYS_VERIFY_CB */
2569#endif /* WOLFSSL_TLS13 */
2570
2571#endif /* HAVE_RPK && (!WOLFSSL_NO_TLS12 || WOLFSSL_TLS13) */
2572 return EXPECT_RESULT();
2573}
2574
2575
2576#if defined(HAVE_IO_TESTS_DEPENDENCIES) && defined(WOLFSSL_TLS13) && \
2577 defined(WOLFSSL_HAVE_MLKEM) && !defined(WOLFSSL_MLKEM_NO_ENCAPSULATE) && \
2578 !defined(WOLFSSL_MLKEM_NO_DECAPSULATE) && \
2579 !defined(WOLFSSL_MLKEM_NO_MAKE_KEY) && \
2580 (!defined(WOLFSSL_TLS_NO_MLKEM_STANDALONE) || \
2581 (defined(HAVE_CURVE25519) && !defined(WOLFSSL_NO_ML_KEM_768)) || \
2582 (defined(HAVE_ECC) && !defined(WOLFSSL_NO_ML_KEM_768)))
2583static void test_tls13_pq_groups_ctx_ready(WOLFSSL_CTX* ctx)
2584{
2585#ifdef WOLFSSL_MLKEM_KYBER
2586 #if !defined(WOLFSSL_NO_KYBER1024)
2587 int group = WOLFSSL_KYBER_LEVEL5;
2588 #elif !defined(WOLFSSL_NO_KYBER768)
2589 int group = WOLFSSL_KYBER_LEVEL3;
2590 #else
2591 int group = WOLFSSL_KYBER_LEVEL1;
2592 #endif
2593#elif !defined(WOLFSSL_NO_ML_KEM) && !defined(WOLFSSL_TLS_NO_MLKEM_STANDALONE)
2594 #if !defined(WOLFSSL_NO_ML_KEM_1024)
2595 int group = WOLFSSL_ML_KEM_1024;
2596 #elif !defined(WOLFSSL_NO_ML_KEM_768)
2597 int group = WOLFSSL_ML_KEM_768;
2598 #else
2599 int group = WOLFSSL_ML_KEM_512;
2600 #endif
2601#elif defined(HAVE_ECC) && !defined(WOLFSSL_NO_ML_KEM_768) && \
2602 defined(WOLFSSL_PQC_HYBRIDS)
2603 int group = WOLFSSL_SECP256R1MLKEM768;
2604#elif defined(HAVE_CURVE25519) && !defined(WOLFSSL_NO_ML_KEM_768) && \
2605 defined(WOLFSSL_PQC_HYBRIDS)
2606 int group = WOLFSSL_X25519MLKEM768;
2607#endif
2608
2609 AssertIntEQ(wolfSSL_CTX_set_groups(ctx, &group, 1), WOLFSSL_SUCCESS);
2610}
2611
2612static void test_tls13_pq_groups_on_result(WOLFSSL* ssl)
2613{
2614#ifdef WOLFSSL_MLKEM_KYBER
2615 #if !defined(WOLFSSL_NO_KYBER1024)
2616 AssertStrEQ(wolfSSL_get_curve_name(ssl), "KYBER_LEVEL5");
2617 #elif !defined(WOLFSSL_NO_KYBER768)
2618 AssertStrEQ(wolfSSL_get_curve_name(ssl), "KYBER_LEVEL3");
2619 #else
2620 AssertStrEQ(wolfSSL_get_curve_name(ssl), "KYBER_LEVEL1");
2621 #endif
2622#elif !defined(WOLFSSL_NO_ML_KEM) && !defined(WOLFSSL_TLS_NO_MLKEM_STANDALONE)
2623 #if !defined(WOLFSSL_NO_ML_KEM_1024)
2624 AssertStrEQ(wolfSSL_get_curve_name(ssl), "ML_KEM_1024");
2625 #elif !defined(WOLFSSL_NO_ML_KEM_768)
2626 AssertStrEQ(wolfSSL_get_curve_name(ssl), "ML_KEM_768");
2627 #else
2628 AssertStrEQ(wolfSSL_get_curve_name(ssl), "ML_KEM_512");
2629 #endif
2630#elif defined(HAVE_ECC) && !defined(WOLFSSL_NO_ML_KEM_768) && \
2631 defined(WOLFSSL_PQC_HYBRIDS)
2632 AssertStrEQ(wolfSSL_get_curve_name(ssl), "SecP256r1MLKEM768");
2633#elif defined(HAVE_CURVE25519) && !defined(WOLFSSL_NO_ML_KEM_768) && \
2634 defined(WOLFSSL_PQC_HYBRIDS)
2635 AssertStrEQ(wolfSSL_get_curve_name(ssl), "X25519MLKEM768");
2636#endif
2637}
2638#endif
2639
2640int test_tls13_pq_groups(void)
2641{
2642 EXPECT_DECLS;
2643#if defined(HAVE_IO_TESTS_DEPENDENCIES) && defined(WOLFSSL_TLS13) && \
2644 defined(WOLFSSL_HAVE_MLKEM) && !defined(WOLFSSL_MLKEM_NO_ENCAPSULATE) && \
2645 !defined(WOLFSSL_MLKEM_NO_DECAPSULATE) && \
2646 !defined(WOLFSSL_MLKEM_NO_MAKE_KEY) && \
2647 (!defined(WOLFSSL_TLS_NO_MLKEM_STANDALONE) || \
2648 (defined(HAVE_CURVE25519) && !defined(WOLFSSL_NO_ML_KEM_768)) || \
2649 (defined(HAVE_ECC) && !defined(WOLFSSL_NO_ML_KEM_768)))
2650 callback_functions func_cb_client;
2651 callback_functions func_cb_server;
2652
2653 XMEMSET(&func_cb_client, 0, sizeof(callback_functions));
2654 XMEMSET(&func_cb_server, 0, sizeof(callback_functions));
2655
2656 func_cb_client.method = wolfTLSv1_3_client_method;
2657 func_cb_server.method = wolfTLSv1_3_server_method;
2658 func_cb_client.ctx_ready = test_tls13_pq_groups_ctx_ready;
2659 func_cb_client.on_result = test_tls13_pq_groups_on_result;
2660 func_cb_server.on_result = test_tls13_pq_groups_on_result;
2661
2662 test_wolfSSL_client_server_nofail(&func_cb_client, &func_cb_server);
2663
2664 ExpectIntEQ(func_cb_client.return_code, TEST_SUCCESS);
2665 ExpectIntEQ(func_cb_server.return_code, TEST_SUCCESS);
2666#endif
2667 return EXPECT_RESULT();
2668}
2669
2670/* Regression test handling multiple PQC key shares in the ClientHello.
2671 *
2672 * Previously, the server eagerly ran KEM encapsulation on every PQC/hybrid
2673 * key_share entry while parsing the ClientHello, clobbering
2674 * ssl->arrays->preMasterSecret with whichever entry was parsed last.
2675 * When the ClientHello offers both SecP384R1_MLKEM1024 and pure
2676 * ML_KEM_1024, the resulting handshake either produces keys that the
2677 * client cannot decrypt (hybrid chosen, pure-ML-KEM secret written) or
2678 * trips a BUFFER_E inside the second encapsulation. Either ordering
2679 * causes the handshake to fail.
2680 *
2681 * The test runs a memio TLS 1.3 handshake for both orderings and
2682 * expects the handshake to complete successfully with the hybrid group
2683 * selected (higher server preference rank). */
2684#if defined(WOLFSSL_TLS13) && defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \
2685 defined(WOLFSSL_HAVE_MLKEM) && defined(WOLFSSL_PQC_HYBRIDS) && \
2686 !defined(WOLFSSL_TLS_NO_MLKEM_STANDALONE) && \
2687 !defined(WOLFSSL_NO_ML_KEM_1024) && \
2688 !defined(WOLFSSL_MLKEM_NO_ENCAPSULATE) && \
2689 !defined(WOLFSSL_MLKEM_NO_DECAPSULATE) && \
2690 !defined(WOLFSSL_MLKEM_NO_MAKE_KEY) && \
2691 defined(HAVE_ECC) && (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && \
2692 ECC_MIN_KEY_SZ <= 384 && \
2693 !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER)
2694#define TEST_TLS13_MULTI_PQC_KEY_SHARE_ENABLED
2695
2696/* Run one TLS 1.3 memio handshake where the client offers both
2697 * WOLFSSL_SECP384R1MLKEM1024 and WOLFSSL_ML_KEM_1024 in the key_share
2698 * extension, in the order dictated by `hybridFirst`. */
2699static int test_tls13_multi_pqc_key_share_once(int hybridFirst)
2700{
2701 EXPECT_DECLS;
2702 WOLFSSL_CTX *ctx_c = NULL;
2703 WOLFSSL_CTX *ctx_s = NULL;
2704 WOLFSSL *ssl_c = NULL;
2705 WOLFSSL *ssl_s = NULL;
2706 struct test_memio_ctx test_ctx;
2707
2708 XMEMSET(&test_ctx, 0, sizeof(test_ctx));
2709 ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
2710 wolfTLSv1_3_client_method, wolfTLSv1_3_server_method), 0);
2711
2712 wolfSSL_set_verify(ssl_c, WOLFSSL_VERIFY_NONE, NULL);
2713 wolfSSL_set_verify(ssl_s, WOLFSSL_VERIFY_NONE, NULL);
2714
2715 /* Force the client to include both PQC key shares in the ClientHello
2716 * by calling UseKeyShare twice. The order of the UseKeyShare calls
2717 * determines the order of the entries in the key_share extension. */
2718 if (hybridFirst) {
2719 ExpectIntEQ(wolfSSL_UseKeyShare(ssl_c, WOLFSSL_SECP384R1MLKEM1024),
2720 WOLFSSL_SUCCESS);
2721 ExpectIntEQ(wolfSSL_UseKeyShare(ssl_c, WOLFSSL_ML_KEM_1024),
2722 WOLFSSL_SUCCESS);
2723 }
2724 else {
2725 ExpectIntEQ(wolfSSL_UseKeyShare(ssl_c, WOLFSSL_ML_KEM_1024),
2726 WOLFSSL_SUCCESS);
2727 ExpectIntEQ(wolfSSL_UseKeyShare(ssl_c, WOLFSSL_SECP384R1MLKEM1024),
2728 WOLFSSL_SUCCESS);
2729 }
2730
2731 ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
2732
2733 /* The server ranks SecP384R1_MLKEM1024 higher than ML_KEM_1024, so
2734 * the hybrid group must be selected regardless of client ordering. */
2735 ExpectStrEQ(wolfSSL_get_curve_name(ssl_s), "SecP384r1MLKEM1024");
2736 ExpectStrEQ(wolfSSL_get_curve_name(ssl_c), "SecP384r1MLKEM1024");
2737
2738 wolfSSL_free(ssl_c);
2739 wolfSSL_free(ssl_s);
2740 wolfSSL_CTX_free(ctx_c);
2741 wolfSSL_CTX_free(ctx_s);
2742 return EXPECT_RESULT();
2743}
2744#endif /* TEST_TLS13_MULTI_PQC_KEY_SHARE_ENABLED */
2745
2746int test_tls13_multi_pqc_key_share(void)
2747{
2748 EXPECT_DECLS;
2749#ifdef TEST_TLS13_MULTI_PQC_KEY_SHARE_ENABLED
2750 /* Hybrid first, then pure ML-KEM: pre-fix the server selected the
2751 * hybrid but had overwritten preMasterSecret with the pure-KEM
2752 * result, producing 32-byte KE Secret instead of 80 and causing the
2753 * client to fail to decrypt the server's first encrypted record. */
2754 ExpectIntEQ(test_tls13_multi_pqc_key_share_once(1), TEST_SUCCESS);
2755
2756 /* Pure ML-KEM first, then hybrid: pre-fix the server tripped
2757 * BUFFER_E inside the second encapsulation because preMasterSz was
2758 * left at 32 from the first call, and the hybrid handler then
2759 * overflowed the preMasterSecret buffer. */
2760 ExpectIntEQ(test_tls13_multi_pqc_key_share_once(0), TEST_SUCCESS);
2761#endif
2762 return EXPECT_RESULT();
2763}
2764
2765#if defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \
2766 defined(WOLFSSL_EARLY_DATA) && defined(HAVE_SESSION_TICKET)
2767static int test_tls13_read_until_write_ok(WOLFSSL* ssl, void* buf, int bufLen)
2768{
2769 int ret, err;
2770 int tries = 5;
2771
2772 err = 0;
2773 do {
2774 ret = wolfSSL_read(ssl, buf, bufLen);
2775 if (ret == WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)) {
2776 err = wolfSSL_get_error(ssl, ret);
2777 }
2778 } while (tries-- && ret == WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR) &&
2779 err == WC_NO_ERR_TRACE(WOLFSSL_ERROR_WANT_WRITE));
2780 return ret;
2781}
2782static int test_tls13_connect_until_write_ok(WOLFSSL* ssl)
2783{
2784 int ret, err;
2785 int tries = 5;
2786
2787 err = 0;
2788 do {
2789 ret = wolfSSL_connect(ssl);
2790 if (ret == WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)) {
2791 err = wolfSSL_get_error(ssl, ret);
2792 }
2793 } while (tries-- && ret == WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR) &&
2794 err == WC_NO_ERR_TRACE(WOLFSSL_ERROR_WANT_WRITE));
2795 return ret;
2796}
2797static int test_tls13_write_until_write_ok(WOLFSSL* ssl, const void* msg,
2798 int msgLen)
2799{
2800 int ret, err;
2801 int tries = 5;
2802
2803 err = 0;
2804 do {
2805 ret = wolfSSL_write(ssl, msg, msgLen);
2806 if (ret == WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)) {
2807 err = wolfSSL_get_error(ssl, ret);
2808 }
2809 } while (tries-- && ret == WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR) &&
2810 err == WC_NO_ERR_TRACE(WOLFSSL_ERROR_WANT_WRITE));
2811 return ret;
2812}
2813static int test_tls13_early_data_read_until_write_ok(WOLFSSL* ssl, void* buf,
2814 int bufLen, int* read)
2815{
2816 int ret, err;
2817 int tries = 5;
2818
2819 err = 0;
2820 do {
2821 ret = wolfSSL_read_early_data(ssl, buf, bufLen, read);
2822 if (ret == WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)) {
2823 err = wolfSSL_get_error(ssl, ret);
2824 }
2825 } while (tries-- && ret == WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR) &&
2826 err == WC_NO_ERR_TRACE(WOLFSSL_ERROR_WANT_WRITE));
2827 return ret;
2828}
2829static int test_tls13_early_data_write_until_write_ok(WOLFSSL* ssl,
2830 const void* msg, int msgLen, int* written)
2831{
2832 int ret, err;
2833 int tries = 5;
2834
2835 err = 0;
2836 do {
2837 ret = wolfSSL_write_early_data(ssl, msg, msgLen, written);
2838 if (ret == WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)) {
2839 err = wolfSSL_get_error(ssl, ret);
2840 }
2841 } while (tries-- && ret == WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR) &&
2842 err == WC_NO_ERR_TRACE(WOLFSSL_ERROR_WANT_WRITE));
2843 return ret;
2844}
2845struct test_tls13_wwrite_ctx {
2846 int want_write;
2847 struct test_memio_ctx *test_ctx;
2848};
2849static int test_tls13_mock_wantwrite_cb(WOLFSSL* ssl, char* data, int sz,
2850 void* ctx)
2851{
2852 struct test_tls13_wwrite_ctx *wwctx = (struct test_tls13_wwrite_ctx *)ctx;
2853#ifdef WOLFSSL_TLS13_MIDDLEBOX_COMPAT
2854 /* Write ChangeCipherSpec message. */
2855 if (data[0] != 0x14)
2856#endif
2857 {
2858 wwctx->want_write = !wwctx->want_write;
2859 if (wwctx->want_write) {
2860 return WOLFSSL_CBIO_ERR_WANT_WRITE;
2861 }
2862 }
2863 return test_memio_write_cb(ssl, data, sz, wwctx->test_ctx);
2864}
2865#endif /* HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES && WOLFSSL_EARLY_DATA */
2866int test_tls13_early_data(void)
2867{
2868 EXPECT_DECLS;
2869#if defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \
2870 defined(WOLFSSL_EARLY_DATA) && defined(HAVE_SESSION_TICKET)
2871 int written = 0;
2872 int read = 0;
2873 size_t i;
2874 char msg[] = "This is early data";
2875 char msg2[] = "This is client data";
2876 char msg3[] = "This is server data";
2877 char msg4[] = "This is server immediate data";
2878 char msgBuf[50];
2879 struct {
2880 method_provider client_meth;
2881 method_provider server_meth;
2882 const char* tls_version;
2883 int isUdp;
2884 int splitEarlyData;
2885 int everyWriteWantWrite;
2886 } params[] = {
2887#ifdef WOLFSSL_TLS13
2888 { wolfTLSv1_3_client_method, wolfTLSv1_3_server_method,
2889 "TLS 1.3", 0, 0, 0 },
2890 { wolfTLSv1_3_client_method, wolfTLSv1_3_server_method,
2891 "TLS 1.3", 0, 1, 0 },
2892 { wolfTLSv1_3_client_method, wolfTLSv1_3_server_method,
2893 "TLS 1.3", 0, 0, 1 },
2894 { wolfTLSv1_3_client_method, wolfTLSv1_3_server_method,
2895 "TLS 1.3", 0, 1, 1 },
2896#endif
2897#ifdef WOLFSSL_DTLS13
2898 { wolfDTLSv1_3_client_method, wolfDTLSv1_3_server_method,
2899 "DTLS 1.3", 1, 0, 0 },
2900 { wolfDTLSv1_3_client_method, wolfDTLSv1_3_server_method,
2901 "DTLS 1.3", 1, 1, 0 },
2902 { wolfDTLSv1_3_client_method, wolfDTLSv1_3_server_method,
2903 "DTLS 1.3", 1, 0, 1 },
2904 { wolfDTLSv1_3_client_method, wolfDTLSv1_3_server_method,
2905 "DTLS 1.3", 1, 1, 1 },
2906#endif
2907 };
2908
2909 for (i = 0; i < sizeof(params)/sizeof(*params) && !EXPECT_FAIL(); i++) {
2910 struct test_memio_ctx test_ctx;
2911 WOLFSSL_CTX *ctx_c = NULL, *ctx_s = NULL;
2912 WOLFSSL *ssl_c = NULL, *ssl_s = NULL;
2913 WOLFSSL_SESSION *sess = NULL;
2914 int splitEarlyData = params[i].splitEarlyData;
2915 int everyWriteWantWrite = params[i].everyWriteWantWrite;
2916 struct test_tls13_wwrite_ctx wwrite_ctx_s, wwrite_ctx_c;
2917
2918 XMEMSET(&test_ctx, 0, sizeof(test_ctx));
2919 XMEMSET(&wwrite_ctx_c, 0, sizeof(wwrite_ctx_c));
2920 XMEMSET(&wwrite_ctx_s, 0, sizeof(wwrite_ctx_s));
2921
2922 fprintf(stderr, "\tEarly data with %s%s%s\n", params[i].tls_version,
2923 splitEarlyData ? " (split early data)" : "",
2924 everyWriteWantWrite ? " (every write WANT_WRITE)" : "");
2925
2926 ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c,
2927 &ssl_s, params[i].client_meth, params[i].server_meth), 0);
2928
2929 /* Opt the server into 0-RTT (off by default per RFC 8446 E.5). */
2930 ExpectIntGE(wolfSSL_CTX_set_max_early_data(ctx_s, MAX_EARLY_DATA_SZ),
2931 0);
2932 ExpectIntGE(wolfSSL_set_max_early_data(ssl_s, MAX_EARLY_DATA_SZ), 0);
2933
2934 if (params[i].isUdp) {
2935 /* Early data is incompatible with HRR usage. Hence, we have to make
2936 * sure a group is negotiated that does not cause a fragemented CH.
2937 */
2938 int group[1] = {
2939 #ifdef HAVE_ECC
2940 WOLFSSL_ECC_SECP256R1,
2941 #elif defined(HAVE_CURVE25519)
2942 WOLFSSL_ECC_X25519,
2943 #elif defined(HAVE_CURVE448)
2944 WOLFSSL_ECC_X448,
2945 #elif defined(HAVE_FFDHE_2048)
2946 WOLFSSL_FFDHE_2048,
2947 #endif
2948 };
2949 ExpectIntEQ(wolfSSL_set_groups(ssl_c, group, 1), WOLFSSL_SUCCESS);
2950 ExpectIntEQ(wolfSSL_set_groups(ssl_s, group, 1), WOLFSSL_SUCCESS);
2951 }
2952
2953 /* Get a ticket so that we can do 0-RTT on the next connection */
2954 ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
2955 /* Make sure we read the ticket */
2956 ExpectIntEQ(wolfSSL_read(ssl_c, msgBuf, sizeof(msgBuf)), -1);
2957 ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_READ);
2958 ExpectNotNull(sess = wolfSSL_get1_session(ssl_c));
2959
2960 wolfSSL_free(ssl_c);
2961 ssl_c = NULL;
2962 wolfSSL_free(ssl_s);
2963 ssl_s = NULL;
2964 XMEMSET(&test_ctx, 0, sizeof(test_ctx));
2965 ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c,
2966 &ssl_s, params[i].client_meth, params[i].server_meth), 0);
2967 wolfSSL_SetLoggingPrefix("client");
2968 ExpectIntEQ(wolfSSL_set_session(ssl_c, sess), WOLFSSL_SUCCESS);
2969#ifdef WOLFSSL_DTLS13
2970 if (params[i].isUdp) {
2971 wolfSSL_SetLoggingPrefix("server");
2972#ifdef WOLFSSL_DTLS13_NO_HRR_ON_RESUME
2973 ExpectIntEQ(wolfSSL_dtls13_no_hrr_on_resume(ssl_s, 1),
2974 WOLFSSL_SUCCESS);
2975#else
2976 /* Let's test this but we generally don't recommend turning off
2977 * the cookie exchange */
2978 ExpectIntEQ(wolfSSL_disable_hrr_cookie(ssl_s), WOLFSSL_SUCCESS);
2979#endif
2980 }
2981#endif
2982
2983 if (everyWriteWantWrite) {
2984 wwrite_ctx_c.test_ctx = &test_ctx;
2985 wwrite_ctx_s.test_ctx = &test_ctx;
2986 wolfSSL_SetIOWriteCtx(ssl_c, &wwrite_ctx_c);
2987 wolfSSL_SSLSetIOSend(ssl_c, test_tls13_mock_wantwrite_cb);
2988 wolfSSL_SetIOWriteCtx(ssl_s, &wwrite_ctx_s);
2989 wolfSSL_SSLSetIOSend(ssl_s, test_tls13_mock_wantwrite_cb);
2990 }
2991 /* Test 0-RTT data */
2992 wolfSSL_SetLoggingPrefix("client");
2993
2994 ExpectIntEQ(test_tls13_early_data_write_until_write_ok(ssl_c, msg,
2995 sizeof(msg), &written),
2996 sizeof(msg));
2997 ExpectIntEQ(written, sizeof(msg));
2998
2999 if (splitEarlyData) {
3000 ExpectIntEQ(test_tls13_early_data_write_until_write_ok(ssl_c, msg,
3001 sizeof(msg), &written),
3002 sizeof(msg));
3003 ExpectIntEQ(written, sizeof(msg));
3004 }
3005
3006 /* Read first 0-RTT data (if split otherwise entire data) */
3007 wolfSSL_SetLoggingPrefix("server");
3008 ExpectIntEQ(test_tls13_early_data_read_until_write_ok(ssl_s, msgBuf,
3009 sizeof(msgBuf), &read),
3010 sizeof(msg));
3011 ExpectIntEQ(read, sizeof(msg));
3012 ExpectStrEQ(msg, msgBuf);
3013
3014 /* Test 0.5-RTT data */
3015 ExpectIntEQ(test_tls13_write_until_write_ok(ssl_s, msg4, sizeof(msg4)),
3016 sizeof(msg4));
3017
3018 if (splitEarlyData) {
3019 /* Read second 0-RTT data */
3020 ExpectIntEQ(test_tls13_early_data_read_until_write_ok(ssl_s, msgBuf,
3021 sizeof(msgBuf), &read),
3022 sizeof(msg));
3023 ExpectIntEQ(read, sizeof(msg));
3024 ExpectStrEQ(msg, msgBuf);
3025 }
3026
3027 if (params[i].isUdp) {
3028 wolfSSL_SetLoggingPrefix("client");
3029 ExpectIntEQ(test_tls13_connect_until_write_ok(ssl_c), -1);
3030 ExpectIntEQ(wolfSSL_get_error(ssl_c, -1),
3031 WC_NO_ERR_TRACE(APP_DATA_READY));
3032
3033 /* Read server 0.5-RTT data */
3034 ExpectIntEQ(
3035 test_tls13_read_until_write_ok(ssl_c, msgBuf, sizeof(msgBuf)),
3036 sizeof(msg4));
3037 ExpectStrEQ(msg4, msgBuf);
3038
3039 /* Complete handshake */
3040 ExpectIntEQ(test_tls13_connect_until_write_ok(ssl_c), -1);
3041 ExpectIntEQ(wolfSSL_get_error(ssl_c, -1),
3042 WOLFSSL_ERROR_WANT_READ);
3043 /* Use wolfSSL_is_init_finished to check if handshake is
3044 * complete. Normally a user would loop until it is true but
3045 * here we control both sides so we just assert the expected
3046 * value. wolfSSL_read_early_data does not provide handshake
3047 * status to us with non-blocking IO and we can't use
3048 * wolfSSL_accept as TLS layer may return ZERO_RETURN due to
3049 * early data parsing logic. */
3050 wolfSSL_SetLoggingPrefix("server");
3051 ExpectFalse(wolfSSL_is_init_finished(ssl_s));
3052 ExpectIntEQ(test_tls13_early_data_read_until_write_ok(ssl_s, msgBuf,
3053 sizeof(msgBuf), &read),
3054 0);
3055 ExpectIntEQ(read, 0);
3056 ExpectTrue(wolfSSL_is_init_finished(ssl_s));
3057
3058 wolfSSL_SetLoggingPrefix("client");
3059 ExpectIntEQ(test_tls13_connect_until_write_ok(ssl_c),
3060 WOLFSSL_SUCCESS);
3061 }
3062 else {
3063 wolfSSL_SetLoggingPrefix("client");
3064 ExpectIntEQ(test_tls13_connect_until_write_ok(ssl_c),
3065 WOLFSSL_SUCCESS);
3066
3067 wolfSSL_SetLoggingPrefix("server");
3068 ExpectFalse(wolfSSL_is_init_finished(ssl_s));
3069 ExpectIntEQ(test_tls13_early_data_read_until_write_ok(ssl_s, msgBuf,
3070 sizeof(msgBuf), &read),
3071 0);
3072 ExpectIntEQ(read, 0);
3073 ExpectTrue(wolfSSL_is_init_finished(ssl_s));
3074
3075 /* Read server 0.5-RTT data */
3076 wolfSSL_SetLoggingPrefix("client");
3077 ExpectIntEQ(
3078 test_tls13_read_until_write_ok(ssl_c, msgBuf, sizeof(msgBuf)),
3079 sizeof(msg4));
3080 ExpectStrEQ(msg4, msgBuf);
3081 }
3082
3083 /* Test bi-directional write */
3084 wolfSSL_SetLoggingPrefix("client");
3085 ExpectIntEQ(test_tls13_write_until_write_ok(ssl_c, msg2, sizeof(msg2)),
3086 sizeof(msg2));
3087 wolfSSL_SetLoggingPrefix("server");
3088 ExpectIntEQ(
3089 test_tls13_read_until_write_ok(ssl_s, msgBuf, sizeof(msgBuf)),
3090 sizeof(msg2));
3091 ExpectStrEQ(msg2, msgBuf);
3092 ExpectIntEQ(test_tls13_write_until_write_ok(ssl_s, msg3, sizeof(msg3)),
3093 sizeof(msg3));
3094 wolfSSL_SetLoggingPrefix("client");
3095 ExpectIntEQ(
3096 test_tls13_read_until_write_ok(ssl_c, msgBuf, sizeof(msgBuf)),
3097 sizeof(msg3));
3098 ExpectStrEQ(msg3, msgBuf);
3099
3100 wolfSSL_SetLoggingPrefix(NULL);
3101 ExpectTrue(wolfSSL_session_reused(ssl_c));
3102 ExpectTrue(wolfSSL_session_reused(ssl_s));
3103
3104 wolfSSL_SESSION_free(sess);
3105 wolfSSL_free(ssl_c);
3106 wolfSSL_free(ssl_s);
3107 wolfSSL_CTX_free(ctx_c);
3108 wolfSSL_CTX_free(ctx_s);
3109 }
3110#endif
3111 return EXPECT_RESULT();
3112}
3113
3114
3115#if defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \
3116 defined(WOLFSSL_TLS13) && defined(WOLFSSL_EARLY_DATA) && \
3117 defined(HAVE_SESSION_TICKET) && defined(WOLFSSL_TICKET_HAVE_ID) && \
3118 !defined(NO_SESSION_CACHE) && defined(HAVE_EXT_CACHE)
3119/* Single-slot external session cache keyed by altSessionID, used by
3120 * test_tls13_early_data_0rtt_replay to assert the 0-RTT anti-replay
3121 * fix clears both caches. */
3122static struct {
3123 byte id[ID_LEN];
3124 byte has_entry;
3125 WOLFSSL_SESSION* sess;
3126 int new_calls;
3127 int get_calls;
3128 int rem_calls;
3129} test_tls13_0rtt_replay_cache;
3130
3131static void test_tls13_0rtt_replay_cache_reset(void)
3132{
3133 /* wolfSSL_SESSION_free is NULL-safe, so unconditionally drop any
3134 * stored session without touching has_entry first. */
3135 wolfSSL_SESSION_free(test_tls13_0rtt_replay_cache.sess);
3136 XMEMSET(&test_tls13_0rtt_replay_cache, 0,
3137 sizeof(test_tls13_0rtt_replay_cache));
3138}
3139
3140/* Stateful-ticket sessions always have haveAltSessionID set, so key the
3141 * cache on altSessionID directly (wolfSSL_SESSION_get_id is only
3142 * declared under the OpenSSL compatibility layer). */
3143static int test_tls13_0rtt_replay_new_cb(WOLFSSL* ssl, WOLFSSL_SESSION* s)
3144{
3145 (void)ssl;
3146 test_tls13_0rtt_replay_cache.new_calls++;
3147 if (s == NULL || !s->haveAltSessionID)
3148 return 0;
3149 wolfSSL_SESSION_free(test_tls13_0rtt_replay_cache.sess);
3150 XMEMCPY(test_tls13_0rtt_replay_cache.id, s->altSessionID, ID_LEN);
3151 test_tls13_0rtt_replay_cache.sess = s;
3152 test_tls13_0rtt_replay_cache.has_entry = 1;
3153 return 1; /* retain the reference; freed in the rem callback */
3154}
3155
3156static WOLFSSL_SESSION* test_tls13_0rtt_replay_get_cb(WOLFSSL* ssl,
3157 const byte* id, int idLen, int* ref)
3158{
3159 (void)ssl;
3160 test_tls13_0rtt_replay_cache.get_calls++;
3161 *ref = 1; /* keep ownership; wolfSSL duplicates from us */
3162 if (!test_tls13_0rtt_replay_cache.has_entry || idLen != ID_LEN)
3163 return NULL;
3164 if (XMEMCMP(test_tls13_0rtt_replay_cache.id, id, ID_LEN) != 0)
3165 return NULL;
3166 return test_tls13_0rtt_replay_cache.sess;
3167}
3168
3169static void test_tls13_0rtt_replay_rem_cb(WOLFSSL_CTX* ctx,
3170 WOLFSSL_SESSION* s)
3171{
3172 const byte* id;
3173 (void)ctx;
3174 if (!test_tls13_0rtt_replay_cache.has_entry || s == NULL)
3175 return;
3176 /* Internal-cache-evicted sessions have haveAltSessionID cleared
3177 * (that field sits before the DupSession copy offset), so fall
3178 * back to sessionID when altSessionID is not set. Both carry the
3179 * ID_LEN lookup key. */
3180 if (s->haveAltSessionID)
3181 id = s->altSessionID;
3182 else if (s->sessionIDSz == ID_LEN)
3183 id = s->sessionID;
3184 else
3185 return;
3186 if (XMEMCMP(test_tls13_0rtt_replay_cache.id, id, ID_LEN) != 0)
3187 return;
3188 wolfSSL_SESSION_free(test_tls13_0rtt_replay_cache.sess);
3189 test_tls13_0rtt_replay_cache.sess = NULL;
3190 test_tls13_0rtt_replay_cache.has_entry = 0;
3191 test_tls13_0rtt_replay_cache.rem_calls++;
3192}
3193
3194/* RFC 8446 section 8 anti-replay: a 0-RTT-eligible session must be
3195 * evicted from both the internal and external caches on resumption so
3196 * the same ClientHello cannot replay early data. */
3197int test_tls13_early_data_0rtt_replay(void)
3198{
3199 EXPECT_DECLS;
3200 struct test_memio_ctx test_ctx;
3201 WOLFSSL_CTX *ctx_c = NULL, *ctx_s = NULL;
3202 WOLFSSL *ssl_c = NULL, *ssl_s = NULL;
3203 WOLFSSL_SESSION *sess = NULL;
3204 char buf[64];
3205 int round;
3206
3207 XMEMSET(&test_ctx, 0, sizeof(test_ctx));
3208 test_tls13_0rtt_replay_cache_reset();
3209
3210 /* Step 1: full handshake populates both caches. */
3211 ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
3212 wolfTLSv1_3_client_method, wolfTLSv1_3_server_method),
3213 0);
3214 /* Stateful tickets + 0-RTT enabled. */
3215 ExpectTrue(wolfSSL_set_options(ssl_s, WOLFSSL_OP_NO_TICKET) != 0);
3216#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_ERROR_CODE_OPENSSL)
3217 ExpectIntEQ(wolfSSL_set_max_early_data(ssl_s, 128), WOLFSSL_SUCCESS);
3218#else
3219 ExpectIntEQ(wolfSSL_set_max_early_data(ssl_s, 128), 0);
3220#endif
3221 wolfSSL_CTX_sess_set_new_cb(ctx_s, test_tls13_0rtt_replay_new_cb);
3222 wolfSSL_CTX_sess_set_get_cb(ctx_s, test_tls13_0rtt_replay_get_cb);
3223 wolfSSL_CTX_sess_set_remove_cb(ctx_s, test_tls13_0rtt_replay_rem_cb);
3224
3225 ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
3226 /* Let the client consume NewSessionTicket. */
3227 ExpectIntEQ(wolfSSL_read(ssl_c, buf, sizeof(buf)), -1);
3228 ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_READ);
3229 ExpectNotNull(sess = wolfSSL_get1_session(ssl_c));
3230 ExpectIntEQ(wolfSSL_SessionIsSetup(sess), 1);
3231 /* Stateful (ID-only) ticket on the client side. */
3232 ExpectIntEQ(sess->ticketLen, ID_LEN);
3233 ExpectIntEQ((int)sess->maxEarlyDataSz, 128);
3234 /* External cache saw the add. */
3235 ExpectIntGT(test_tls13_0rtt_replay_cache.new_calls, 0);
3236 ExpectIntEQ(test_tls13_0rtt_replay_cache.has_entry, 1);
3237
3238 wolfSSL_free(ssl_c); ssl_c = NULL;
3239 wolfSSL_free(ssl_s); ssl_s = NULL;
3240
3241 /* Resume the same session twice, offering 0-RTT each time. */
3242 for (round = 0; round < 2 && !EXPECT_FAIL(); round++) {
3243 const char earlyMsg[] = "early-data-0rtt";
3244 int written = 0;
3245 int earlyRead = 0;
3246 char earlyBuf[sizeof(earlyMsg)];
3247
3248 XMEMSET(&test_ctx, 0, sizeof(test_ctx));
3249 XMEMSET(earlyBuf, 0, sizeof(earlyBuf));
3250 /* Reuse the CTXs so both caches survive (test_memio_setup
3251 * leaves *ctx alone when non-NULL). */
3252 ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c,
3253 &ssl_s, wolfTLSv1_3_client_method,
3254 wolfTLSv1_3_server_method), 0);
3255 ExpectTrue(wolfSSL_set_options(ssl_s, WOLFSSL_OP_NO_TICKET) != 0);
3256#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_ERROR_CODE_OPENSSL)
3257 ExpectIntEQ(wolfSSL_set_max_early_data(ssl_s, 128),
3258 WOLFSSL_SUCCESS);
3259#else
3260 ExpectIntEQ(wolfSSL_set_max_early_data(ssl_s, 128), 0);
3261#endif
3262 ExpectIntEQ(wolfSSL_SessionIsSetup(sess), 1);
3263 ExpectIntEQ(wolfSSL_set_session(ssl_c, sess), WOLFSSL_SUCCESS);
3264
3265 ExpectIntEQ(test_tls13_early_data_write_until_write_ok(ssl_c,
3266 earlyMsg, (int)sizeof(earlyMsg), &written),
3267 sizeof(earlyMsg));
3268 ExpectIntEQ(written, sizeof(earlyMsg));
3269
3270 (void)test_tls13_early_data_read_until_write_ok(ssl_s, earlyBuf,
3271 sizeof(earlyBuf), &earlyRead);
3272 ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
3273
3274 if (round == 0) {
3275 ExpectTrue(wolfSSL_session_reused(ssl_s));
3276 ExpectIntEQ(earlyRead, sizeof(earlyMsg));
3277 ExpectStrEQ(earlyMsg, earlyBuf);
3278 /* Fix fired exactly once to evict the cached entry. */
3279 ExpectIntEQ(test_tls13_0rtt_replay_cache.rem_calls, 1);
3280 }
3281 else {
3282 ExpectFalse(wolfSSL_session_reused(ssl_s));
3283 ExpectIntEQ(earlyRead, 0);
3284 /* No additional eviction in the replay round. */
3285 ExpectIntEQ(test_tls13_0rtt_replay_cache.rem_calls, 1);
3286 }
3287
3288 wolfSSL_free(ssl_c); ssl_c = NULL;
3289 wolfSSL_free(ssl_s); ssl_s = NULL;
3290 }
3291
3292 wolfSSL_SESSION_free(sess);
3293 wolfSSL_CTX_free(ctx_c);
3294 wolfSSL_CTX_free(ctx_s);
3295 test_tls13_0rtt_replay_cache_reset();
3296 return EXPECT_RESULT();
3297}
3298#else
3299int test_tls13_early_data_0rtt_replay(void)
3300{
3301 EXPECT_DECLS;
3302 return EXPECT_RESULT();
3303}
3304#endif
3305
3306/* Verify that maxEarlyDataSz defaults to 0 (RFC 8446 E.5): a server that
3307 * has not called wolfSSL_set_max_early_data must not advertise 0-RTT in its
3308 * NewSessionTicket. Fails without the ctx->maxEarlyDataSz=0 default fix
3309 * because the old default was MAX_EARLY_DATA_SZ (4096). */
3310int test_tls13_0rtt_default_off(void)
3311{
3312 EXPECT_DECLS;
3313#if defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \
3314 defined(WOLFSSL_TLS13) && defined(WOLFSSL_EARLY_DATA) && \
3315 defined(HAVE_SESSION_TICKET) && !defined(WOLFSSL_NO_DEF_TICKET_ENC_CB)
3316 struct test_memio_ctx test_ctx;
3317 WOLFSSL_CTX *ctx_c = NULL, *ctx_s = NULL;
3318 WOLFSSL *ssl_c = NULL, *ssl_s = NULL;
3319 WOLFSSL_SESSION *sess = NULL;
3320 char buf[64];
3321 int written = 0;
3322
3323 XMEMSET(&test_ctx, 0, sizeof(test_ctx));
3324
3325 /* Step 1: handshake WITHOUT opting into 0-RTT on the server. */
3326 ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
3327 wolfTLSv1_3_client_method, wolfTLSv1_3_server_method),
3328 0);
3329 /* Deliberately do NOT call wolfSSL_set_max_early_data. */
3330
3331 ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
3332 /* Consume NewSessionTicket. */
3333 ExpectIntEQ(wolfSSL_read(ssl_c, buf, sizeof(buf)), -1);
3334 ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_READ);
3335 ExpectNotNull(sess = wolfSSL_get1_session(ssl_c));
3336 wolfSSL_free(ssl_c); ssl_c = NULL;
3337 wolfSSL_free(ssl_s); ssl_s = NULL;
3338
3339 /* Step 2: resume - early data write must fail because the ticket
3340 * was issued without max_early_data_size. Without the default-to-0
3341 * fix the old default (4096) would let this succeed. */
3342 XMEMSET(&test_ctx, 0, sizeof(test_ctx));
3343 ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
3344 wolfTLSv1_3_client_method, wolfTLSv1_3_server_method),
3345 0);
3346 ExpectIntEQ(wolfSSL_set_session(ssl_c, sess), WOLFSSL_SUCCESS);
3347 ExpectIntEQ(wolfSSL_write_early_data(ssl_c, "test", 4, &written),
3348 WOLFSSL_FATAL_ERROR);
3349
3350 wolfSSL_SESSION_free(sess);
3351 wolfSSL_free(ssl_c);
3352 wolfSSL_free(ssl_s);
3353 wolfSSL_CTX_free(ctx_c);
3354 wolfSSL_CTX_free(ctx_s);
3355#endif
3356 return EXPECT_RESULT();
3357}
3358
3359/* Verify that a stateless self-encrypted ticket can carry 0-RTT exactly
3360 * once: the first resumption succeeds with early data, the second (replay)
3361 * refuses it because wolfSSL_SSL_CTX_remove_session evicted the cache entry.
3362 * Fails without the WOLFSSL_TICKET_HAVE_ID implication + the
3363 * remove_session-based gate because the old code either never populated
3364 * the cache for stateless tickets or never checked the return value. */
3365int test_tls13_0rtt_stateless_replay(void)
3366{
3367 EXPECT_DECLS;
3368#if defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \
3369 defined(WOLFSSL_TLS13) && defined(WOLFSSL_EARLY_DATA) && \
3370 defined(HAVE_SESSION_TICKET) && defined(WOLFSSL_TICKET_HAVE_ID) && \
3371 !defined(NO_SESSION_CACHE) && !defined(WOLFSSL_NO_DEF_TICKET_ENC_CB)
3372 struct test_memio_ctx test_ctx;
3373 WOLFSSL_CTX *ctx_c = NULL, *ctx_s = NULL;
3374 WOLFSSL *ssl_c = NULL, *ssl_s = NULL;
3375 WOLFSSL_SESSION *sess = NULL;
3376 char buf[64];
3377 int round;
3378
3379 XMEMSET(&test_ctx, 0, sizeof(test_ctx));
3380
3381 /* Step 1: full handshake to get a stateless ticket with 0-RTT. */
3382 ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
3383 wolfTLSv1_3_client_method, wolfTLSv1_3_server_method),
3384 0);
3385 /* Do NOT set WOLFSSL_OP_NO_TICKET - keep stateless tickets. */
3386 ExpectIntGE(wolfSSL_CTX_set_max_early_data(ctx_s, MAX_EARLY_DATA_SZ), 0);
3387 ExpectIntGE(wolfSSL_set_max_early_data(ssl_s, MAX_EARLY_DATA_SZ), 0);
3388
3389 ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
3390 ExpectIntEQ(wolfSSL_read(ssl_c, buf, sizeof(buf)), -1);
3391 ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_READ);
3392 ExpectNotNull(sess = wolfSSL_get1_session(ssl_c));
3393 ExpectIntEQ(wolfSSL_SessionIsSetup(sess), 1);
3394
3395 wolfSSL_free(ssl_c); ssl_c = NULL;
3396 wolfSSL_free(ssl_s); ssl_s = NULL;
3397
3398 /* Suppress ticket reissuance on resume so the eviction from round 0
3399 * is not undone by AddSession from a new NewSessionTicket. */
3400 ExpectIntEQ(wolfSSL_CTX_set_num_tickets(ctx_s, 0), WOLFSSL_SUCCESS);
3401
3402 /* Step 2: resume twice. Round 0 = first use, round 1 = replay. */
3403 for (round = 0; round < 2 && !EXPECT_FAIL(); round++) {
3404 const char earlyMsg[] = "stateless-0rtt";
3405 int written = 0;
3406 int earlyRead = 0;
3407 char earlyBuf[sizeof(earlyMsg)];
3408
3409 XMEMSET(&test_ctx, 0, sizeof(test_ctx));
3410 XMEMSET(earlyBuf, 0, sizeof(earlyBuf));
3411 ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c,
3412 &ssl_s, wolfTLSv1_3_client_method,
3413 wolfTLSv1_3_server_method), 0);
3414 ExpectIntGE(wolfSSL_set_max_early_data(ssl_s, MAX_EARLY_DATA_SZ), 0);
3415 ExpectIntEQ(wolfSSL_set_session(ssl_c, sess), WOLFSSL_SUCCESS);
3416
3417 ExpectIntEQ(test_tls13_early_data_write_until_write_ok(ssl_c,
3418 earlyMsg, (int)sizeof(earlyMsg), &written),
3419 sizeof(earlyMsg));
3420 ExpectIntEQ(written, sizeof(earlyMsg));
3421
3422 (void)test_tls13_early_data_read_until_write_ok(ssl_s, earlyBuf,
3423 sizeof(earlyBuf), &earlyRead);
3424 ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
3425
3426 if (round == 0) {
3427 /* First use: 0-RTT accepted. */
3428 ExpectIntEQ(earlyRead, sizeof(earlyMsg));
3429 ExpectStrEQ(earlyMsg, earlyBuf);
3430 }
3431 else {
3432 /* Replay: 0-RTT refused, handshake still completes (1-RTT). */
3433 ExpectIntEQ(earlyRead, 0);
3434 }
3435
3436 wolfSSL_free(ssl_c); ssl_c = NULL;
3437 wolfSSL_free(ssl_s); ssl_s = NULL;
3438 }
3439
3440 wolfSSL_SESSION_free(sess);
3441 wolfSSL_CTX_free(ctx_c);
3442 wolfSSL_CTX_free(ctx_s);
3443#endif
3444 return EXPECT_RESULT();
3445}
3446
3447/* Verify wolfSSL_SSL_CTX_remove_session returns OpenSSL-compatible values:
3448 * 1 when the session was in the cache and removed, 0 otherwise.
3449 * Fails without the return-value fix because the old code returned 0/
3450 * BAD_FUNC_ARG. */
3451int test_tls13_remove_session_return(void)
3452{
3453 EXPECT_DECLS;
3454#if defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \
3455 defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET) && \
3456 defined(WOLFSSL_TICKET_HAVE_ID) && !defined(NO_SESSION_CACHE) && \
3457 !defined(WOLFSSL_NO_DEF_TICKET_ENC_CB)
3458 struct test_memio_ctx test_ctx;
3459 WOLFSSL_CTX *ctx_c = NULL, *ctx_s = NULL;
3460 WOLFSSL *ssl_c = NULL, *ssl_s = NULL;
3461 WOLFSSL_SESSION *sess = NULL;
3462 char buf[64];
3463
3464 XMEMSET(&test_ctx, 0, sizeof(test_ctx));
3465
3466 ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
3467 wolfTLSv1_3_client_method, wolfTLSv1_3_server_method),
3468 0);
3469
3470 ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
3471 /* Consume NewSessionTicket so the cache is populated (AddSession fires
3472 * because WOLFSSL_TICKET_HAVE_ID is defined). */
3473 ExpectIntEQ(wolfSSL_read(ssl_c, buf, sizeof(buf)), -1);
3474 ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_READ);
3475
3476 ExpectNotNull(sess = wolfSSL_get1_session(ssl_s));
3477 /* Session is in the cache - first remove returns 1. */
3478 ExpectIntEQ(wolfSSL_SSL_CTX_remove_session(ctx_s, sess), 1);
3479 /* Already removed - second remove returns 0. */
3480 ExpectIntEQ(wolfSSL_SSL_CTX_remove_session(ctx_s, sess), 0);
3481 /* NULL args - returns 0 (not BAD_FUNC_ARG). */
3482 ExpectIntEQ(wolfSSL_SSL_CTX_remove_session(NULL, sess), 0);
3483 ExpectIntEQ(wolfSSL_SSL_CTX_remove_session(ctx_s, NULL), 0);
3484
3485 wolfSSL_SESSION_free(sess);
3486 wolfSSL_free(ssl_c);
3487 wolfSSL_free(ssl_s);
3488 wolfSSL_CTX_free(ctx_c);
3489 wolfSSL_CTX_free(ctx_s);
3490#endif
3491 return EXPECT_RESULT();
3492}
3493
3494#if defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \
3495 defined(WOLFSSL_TLS13) && defined(WOLFSSL_EARLY_DATA) && \
3496 defined(HAVE_SESSION_TICKET) && defined(WOLFSSL_TICKET_HAVE_ID) && \
3497 !defined(NO_SESSION_CACHE) && defined(HAVE_EXT_CACHE)
3498/* Thin external cache: only tracks rem_calls to verify that
3499 * wolfSSL_SSL_CTX_remove_session counts the callback as "found". */
3500static int test_0rtt_ext_only_rem_calls;
3501
3502static int test_0rtt_ext_only_new_cb(WOLFSSL* ssl, WOLFSSL_SESSION* s)
3503{
3504 (void)ssl; (void)s;
3505 return 0; /* don't retain */
3506}
3507
3508static WOLFSSL_SESSION* test_0rtt_ext_only_get_cb(WOLFSSL* ssl,
3509 const byte* id, int idLen, int* ref)
3510{
3511 (void)ssl; (void)id; (void)idLen;
3512 *ref = 0;
3513 return NULL;
3514}
3515
3516static void test_0rtt_ext_only_rem_cb(WOLFSSL_CTX* ctx, WOLFSSL_SESSION* s)
3517{
3518 (void)ctx; (void)s;
3519 test_0rtt_ext_only_rem_calls++;
3520}
3521#endif
3522
3523/* Verify that when the internal cache is off but an external cache callback
3524 * is registered, wolfSSL_SSL_CTX_remove_session returns 1 (the ext callback
3525 * fired, so we assume the session was present). Fails without the fix
3526 * because the old code only set found=1 on an internal-cache hit. */
3527int test_tls13_0rtt_ext_cache_eviction(void)
3528{
3529 EXPECT_DECLS;
3530#if defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \
3531 defined(WOLFSSL_TLS13) && defined(WOLFSSL_EARLY_DATA) && \
3532 defined(HAVE_SESSION_TICKET) && defined(WOLFSSL_TICKET_HAVE_ID) && \
3533 !defined(NO_SESSION_CACHE) && defined(HAVE_EXT_CACHE) && \
3534 !defined(WOLFSSL_NO_DEF_TICKET_ENC_CB)
3535 struct test_memio_ctx test_ctx;
3536 WOLFSSL_CTX *ctx_c = NULL, *ctx_s = NULL;
3537 WOLFSSL *ssl_c = NULL, *ssl_s = NULL;
3538 WOLFSSL_SESSION *sess = NULL;
3539 char buf[64];
3540
3541 XMEMSET(&test_ctx, 0, sizeof(test_ctx));
3542 test_0rtt_ext_only_rem_calls = 0;
3543
3544 ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
3545 wolfTLSv1_3_client_method, wolfTLSv1_3_server_method),
3546 0);
3547 /* Turn off internal cache; rely on external callbacks only. */
3548 ExpectIntEQ(wolfSSL_CTX_set_session_cache_mode(ctx_s,
3549 WOLFSSL_SESS_CACHE_NO_INTERNAL), WOLFSSL_SUCCESS);
3550 wolfSSL_CTX_sess_set_new_cb(ctx_s, test_0rtt_ext_only_new_cb);
3551 wolfSSL_CTX_sess_set_get_cb(ctx_s, test_0rtt_ext_only_get_cb);
3552 wolfSSL_CTX_sess_set_remove_cb(ctx_s, test_0rtt_ext_only_rem_cb);
3553
3554 ExpectTrue(wolfSSL_set_options(ssl_s, WOLFSSL_OP_NO_TICKET) != 0);
3555 ExpectIntGE(wolfSSL_set_max_early_data(ssl_s, MAX_EARLY_DATA_SZ), 0);
3556
3557 ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
3558 ExpectIntEQ(wolfSSL_read(ssl_c, buf, sizeof(buf)), -1);
3559 ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_READ);
3560
3561 /* remove_session on an ext-cache-only server: rem_cb should fire and
3562 * the function should return 1 (assumes the ext cache had it). */
3563 ExpectNotNull(sess = wolfSSL_get1_session(ssl_s));
3564 ExpectIntEQ(wolfSSL_SSL_CTX_remove_session(ctx_s, sess), 1);
3565 ExpectIntGT(test_0rtt_ext_only_rem_calls, 0);
3566
3567 wolfSSL_SESSION_free(sess);
3568 wolfSSL_free(ssl_c);
3569 wolfSSL_free(ssl_s);
3570 wolfSSL_CTX_free(ctx_c);
3571 wolfSSL_CTX_free(ctx_s);
3572#endif
3573 return EXPECT_RESULT();
3574}
3575
3576
3577/* Check that the client won't send the same CH after a HRR. An HRR without
3578 * a KeyShare or a Cookie extension will trigger the error. */
3579int test_tls13_same_ch(void)
3580{
3581 EXPECT_DECLS;
3582#if defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \
3583 defined(WOLFSSL_TLS13) && defined(WOLFSSL_AES_128) && \
3584 defined(HAVE_AESGCM) && !defined(NO_SHA256) && \
3585 /* middlebox compat requires that the session ID is echoed */ \
3586 !defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT)
3587 WOLFSSL_CTX *ctx_c = NULL;
3588 WOLFSSL *ssl_c = NULL;
3589 struct test_memio_ctx test_ctx;
3590 /* Transport Layer Security
3591 * TLSv1.3 Record Layer: Handshake Protocol: Hello Retry Request
3592 * Content Type: Handshake (22)
3593 * Version: TLS 1.2 (0x0303)
3594 * Length: 50
3595 * Handshake Protocol: Hello Retry Request
3596 * Handshake Type: Server Hello (2)
3597 * Length: 46
3598 * Version: TLS 1.2 (0x0303)
3599 * Random: cf21ad74e59a6111be1d8c021e65b891c2a211167abb8c5e079e09e2c8a8339c (HelloRetryRequest magic)
3600 * Session ID Length: 0
3601 * Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)
3602 * Compression Method: null (0)
3603 * Extensions Length: 6
3604 * Extension: supported_versions (len=2) TLS 1.3 */
3605 unsigned char hrr[] = {
3606 0x16, 0x03, 0x03, 0x00, 0x32, 0x02, 0x00, 0x00, 0x2e, 0x03, 0x03, 0xcf,
3607 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02, 0x1e,
3608 0x65, 0xb8, 0x91, 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e, 0x07,
3609 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c, 0x00, 0x13, 0x01, 0x00, 0x00,
3610 0x06, 0x00, 0x2b, 0x00, 0x02, 0x03, 0x04
3611 };
3612
3613 XMEMSET(&test_ctx, 0, sizeof(test_ctx));
3614 ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, NULL, &ssl_c, NULL,
3615 wolfTLSv1_3_client_method, NULL), 0);
3616 ExpectIntEQ(test_memio_inject_message(&test_ctx, 1, (char*)hrr,
3617 sizeof(hrr)), 0);
3618 ExpectIntEQ(wolfSSL_connect(ssl_c), -1);
3619 /* issue 9653: use a more appropriate error than DUPLICATE_MSG_E.
3620 * Since the cause of this is missing extension, return that. */
3621 ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), EXT_MISSING);
3622
3623 wolfSSL_free(ssl_c);
3624 wolfSSL_CTX_free(ctx_c);
3625#endif
3626 return EXPECT_RESULT();
3627}
3628
3629int test_tls13_hrr_different_cs(void)
3630{
3631 EXPECT_DECLS;
3632#if defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \
3633 defined(WOLFSSL_TLS13) && \
3634 defined(BUILD_TLS_AES_256_GCM_SHA384) && \
3635 defined(BUILD_TLS_CHACHA20_POLY1305_SHA256) && \
3636 defined(HAVE_ECC) && defined(HAVE_ECC384) && \
3637 !defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT)
3638 /*
3639 * TLSv1.3 Record Layer: Handshake Protocol: Hello Retry Request
3640 * Content Type: Handshake (22)
3641 * Version: TLS 1.2 (0x0303)
3642 * Length: 56
3643 * Handshake Protocol: Hello Retry Request
3644 * Handshake Type: Server Hello (2)
3645 * Length: 52
3646 * Version: TLS 1.2 (0x0303)
3647 * Random: cf21ad74e59a6111be1d8c021e65b891c2a211167abb8c5e079e09e2c8a8339c (HelloRetryRequest magic)
3648 * Session ID Length: 0
3649 * Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302)
3650 * Compression Method: null (0)
3651 * Extensions Length: 12
3652 * Extension: supported_versions (len=2) TLS 1.3
3653 * Extension: key_share (len=2) secp384r1
3654 *
3655 */
3656 unsigned char hrr[] = {
3657 0x16, 0x03, 0x03, 0x00, 0x38, 0x02, 0x00, 0x00, 0x34, 0x03, 0x03, 0xcf,
3658 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02, 0x1e,
3659 0x65, 0xb8, 0x91, 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e, 0x07,
3660 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c, 0x00, 0x13, 0x02, 0x00, 0x00,
3661 0x0c, 0x00, 0x2b, 0x00, 0x02, 0x03, 0x04, 0x00, 0x33, 0x00, 0x02, 0x00,
3662 0x18
3663 };
3664 /*
3665 * TLSv1.3 Record Layer: Handshake Protocol: Server Hello
3666 * Content Type: Handshake (22)
3667 * Version: TLS 1.2 (0x0303)
3668 * Length: 155
3669 * Handshake Protocol: Server Hello
3670 * Handshake Type: Server Hello (2)
3671 * Length: 151
3672 * Version: TLS 1.2 (0x0303)
3673 * Random: 0101010101010101010101010101010101010101010101010101010101010101
3674 * Session ID Length: 0
3675 * Cipher Suite: TLS_CHACHA20_POLY1305_SHA256 (0x1303)
3676 * Compression Method: null (0)
3677 * Extensions Length: 111
3678 * Extension: key_share (len=101) secp384r1
3679 * Extension: supported_versions (len=2) TLS 1.3
3680 *
3681 */
3682 unsigned char sh[] = {
3683 0x16, 0x03, 0x03, 0x00, 0x9b, 0x02, 0x00, 0x00, 0x97, 0x03, 0x03, 0x01,
3684 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
3685 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
3686 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x00, 0x13, 0x03, 0x00, 0x00,
3687 0x6f, 0x00, 0x33, 0x00, 0x65, 0x00, 0x18, 0x00, 0x61, 0x04, 0x53, 0x3e,
3688 0xe5, 0xbf, 0x40, 0xec, 0x2d, 0x67, 0x98, 0x8b, 0x77, 0xf3, 0x17, 0x48,
3689 0x9b, 0xb6, 0xdf, 0x95, 0x29, 0x25, 0xc7, 0x09, 0xfc, 0x03, 0x81, 0x11,
3690 0x1a, 0x59, 0x56, 0xf2, 0xd7, 0x58, 0x11, 0x0e, 0x59, 0xd3, 0xd7, 0xc1,
3691 0x72, 0x9e, 0x2c, 0x0d, 0x70, 0xea, 0xf7, 0x73, 0xe6, 0x12, 0x01, 0x16,
3692 0x42, 0x6d, 0xe2, 0x43, 0x6a, 0x2f, 0x5f, 0xdd, 0x7f, 0xe5, 0x4f, 0xaf,
3693 0x95, 0x2b, 0x04, 0xfd, 0x13, 0xf5, 0x16, 0xce, 0x62, 0x7f, 0x89, 0xd2,
3694 0x01, 0x9d, 0x4c, 0x87, 0x96, 0x95, 0x9e, 0x43, 0x33, 0xc7, 0x06, 0x5b,
3695 0x49, 0x6c, 0xa6, 0x34, 0xd5, 0xdc, 0x63, 0xbd, 0xe9, 0x1f, 0x00, 0x2b,
3696 0x00, 0x02, 0x03, 0x04
3697 };
3698 WOLFSSL_CTX *ctx_c = NULL;
3699 WOLFSSL *ssl_c = NULL;
3700 struct test_memio_ctx test_ctx;
3701
3702 XMEMSET(&test_ctx, 0, sizeof(test_ctx));
3703 ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, NULL, &ssl_c, NULL,
3704 wolfTLSv1_3_client_method, NULL), 0);
3705
3706 ExpectIntEQ(wolfSSL_connect(ssl_c), -1);
3707 ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_READ);
3708 ExpectIntEQ(test_memio_inject_message(&test_ctx, 1, (char*)hrr,
3709 sizeof(hrr)), 0);
3710 ExpectIntEQ(wolfSSL_connect(ssl_c), -1);
3711 ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_READ);
3712 ExpectIntEQ(test_memio_inject_message(&test_ctx, 1, (char*)sh,
3713 sizeof(sh)), 0);
3714 ExpectIntEQ(wolfSSL_connect(ssl_c), -1);
3715 ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), INVALID_PARAMETER);
3716
3717 wolfSSL_free(ssl_c);
3718 wolfSSL_CTX_free(ctx_c);
3719#endif
3720 return EXPECT_RESULT();
3721}
3722
3723/* Server-side complement to test_tls13_hrr_different_cs: the client sends a
3724 * different cipher suite in CH2 than what the server selected in the HRR. */
3725int test_tls13_ch2_different_cs(void)
3726{
3727 EXPECT_DECLS;
3728#if defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \
3729 defined(WOLFSSL_TLS13) && !defined(NO_WOLFSSL_SERVER) && \
3730 defined(BUILD_TLS_AES_256_GCM_SHA384) && \
3731 defined(BUILD_TLS_AES_128_GCM_SHA256) && \
3732 defined(HAVE_ECC) && defined(HAVE_ECC384)
3733 /*
3734 * First ClientHello: cipher suite TLS_AES_256_GCM_SHA384 (0x1302),
3735 * empty key_share, secp384r1 in supported_groups. This triggers the
3736 * server to send a HelloRetryRequest selecting TLS_AES_256_GCM_SHA384
3737 * and requesting a secp384r1 key share.
3738 */
3739 /*
3740 * TLSv1.3 Record Layer: Handshake Protocol: Client Hello
3741 * Content Type: Handshake (22)
3742 * Version: TLS 1.2 (0x0303)
3743 * Length: 110
3744 * Handshake Protocol: Client Hello
3745 * Handshake Type: Client Hello (1)
3746 * Length: 106
3747 * Version: TLS 1.2 (0x0303)
3748 * Random: 0101010101010101010101010101010101010101010101010101010101010101
3749 * Session ID Length: 32
3750 * Session ID: 0303030303030303030303030303030303030303030303030303030303030303
3751 * Cipher Suites Length: 2
3752 * Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302)
3753 * Compression Methods Length: 1
3754 * Compression Method: null (0)
3755 * Extensions Length: 31
3756 * Extension: supported_groups (len=4) secp384r1 (0x0018)
3757 * Extension: signature_algorithms (len=6) rsa_pkcs1_sha256 (0x0401),
3758 * rsa_pss_rsae_sha256 (0x0804)
3759 * Extension: key_share (len=2) client_shares length=0 (empty)
3760 * Extension: supported_versions (len=3) TLS 1.3 (0x0304)
3761 */
3762 unsigned char ch1[] = {
3763 0x16, 0x03, 0x03, 0x00, 0x6e, 0x01, 0x00, 0x00, 0x6a, 0x03, 0x03, 0x01,
3764 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
3765 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
3766 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x20, 0x03, 0x03, 0x03, 0x03,
3767 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
3768 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
3769 0x03, 0x03, 0x03, 0x03, 0x00, 0x02, 0x13, 0x02, 0x01, 0x00, 0x00, 0x1f,
3770 0x00, 0x0a, 0x00, 0x04, 0x00, 0x02, 0x00, 0x18, 0x00, 0x0d, 0x00, 0x06,
3771 0x00, 0x04, 0x04, 0x01, 0x08, 0x04, 0x00, 0x33, 0x00, 0x02, 0x00, 0x00,
3772 0x00, 0x2b, 0x00, 0x03, 0x02, 0x03, 0x04
3773 };
3774 /*
3775 * TLSv1.3 Record Layer: Handshake Protocol: Client Hello
3776 * Content Type: Handshake (22)
3777 * Version: TLS 1.2 (0x0303)
3778 * Length: 211
3779 * Handshake Protocol: Client Hello
3780 * Handshake Type: Client Hello (1)
3781 * Length: 207
3782 * Version: TLS 1.2 (0x0303)
3783 * Random: 0101010101010101010101010101010101010101010101010101010101010101
3784 * Session ID Length: 32
3785 * Session ID: 0303030303030303030303030303030303030303030303030303030303030303
3786 * Cipher Suites Length: 2
3787 * Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)
3788 * Compression Methods Length: 1
3789 * Compression Method: null (0)
3790 * Extensions Length: 132
3791 * Extension: supported_groups (len=4) secp384r1 (0x0018)
3792 * Extension: signature_algorithms (len=6) rsa_pkcs1_sha256 (0x0401),
3793 * rsa_pss_rsae_sha256 (0x0804)
3794 * Extension: key_share (len=103)
3795 * client_shares length: 101
3796 * KeyShareEntry: group secp384r1 (0x0018), key_exchange length: 97
3797 * key_exchange: 04 || X(48) || Y(48) (uncompressed P-384 point)
3798 * Extension: supported_versions (len=3) TLS 1.3 (0x0304)
3799 */
3800 unsigned char ch2[] = {
3801 0x16, 0x03, 0x03, 0x00, 0xd3, 0x01, 0x00, 0x00, 0xcf, 0x03, 0x03, 0x01,
3802 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
3803 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
3804 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x20, 0x03, 0x03, 0x03, 0x03,
3805 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
3806 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
3807 0x03, 0x03, 0x03, 0x03, 0x00, 0x02, 0x13, 0x01, 0x01, 0x00, 0x00, 0x84,
3808 0x00, 0x0a, 0x00, 0x04, 0x00, 0x02, 0x00, 0x18, 0x00, 0x0d, 0x00, 0x06,
3809 0x00, 0x04, 0x04, 0x01, 0x08, 0x04, 0x00, 0x33, 0x00, 0x67, 0x00, 0x65,
3810 0x00, 0x18, 0x00, 0x61, 0x04, 0x53, 0x3e, 0xe5, 0xbf, 0x40, 0xec, 0x2d,
3811 0x67, 0x98, 0x8b, 0x77, 0xf3, 0x17, 0x48, 0x9b, 0xb6, 0xdf, 0x95, 0x29,
3812 0x25, 0xc7, 0x09, 0xfc, 0x03, 0x81, 0x11, 0x1a, 0x59, 0x56, 0xf2, 0xd7,
3813 0x58, 0x11, 0x0e, 0x59, 0xd3, 0xd7, 0xc1, 0x72, 0x9e, 0x2c, 0x0d, 0x70,
3814 0xea, 0xf7, 0x73, 0xe6, 0x12, 0x01, 0x16, 0x42, 0x6d, 0xe2, 0x43, 0x6a,
3815 0x2f, 0x5f, 0xdd, 0x7f, 0xe5, 0x4f, 0xaf, 0x95, 0x2b, 0x04, 0xfd, 0x13,
3816 0xf5, 0x16, 0xce, 0x62, 0x7f, 0x89, 0xd2, 0x01, 0x9d, 0x4c, 0x87, 0x96,
3817 0x95, 0x9e, 0x43, 0x33, 0xc7, 0x06, 0x5b, 0x49, 0x6c, 0xa6, 0x34, 0xd5,
3818 0xdc, 0x63, 0xbd, 0xe9, 0x1f, 0x00, 0x2b, 0x00, 0x03, 0x02, 0x03, 0x04
3819 };
3820 WOLFSSL_CTX *ctx_s = NULL;
3821 WOLFSSL *ssl_s = NULL;
3822 struct test_memio_ctx test_ctx;
3823
3824 XMEMSET(&test_ctx, 0, sizeof(test_ctx));
3825 ExpectIntEQ(test_memio_setup(&test_ctx, NULL, &ctx_s, NULL, &ssl_s,
3826 NULL, wolfTLSv1_3_server_method), 0);
3827
3828 /* Server reads CH1, sends HRR, then waits for CH2 */
3829 ExpectIntEQ(test_memio_inject_message(&test_ctx, 0, (char*)ch1,
3830 sizeof(ch1)), 0);
3831 ExpectIntEQ(wolfSSL_accept(ssl_s), -1);
3832 ExpectIntEQ(wolfSSL_get_error(ssl_s, -1), WOLFSSL_ERROR_WANT_READ);
3833
3834 /* Server must reject CH2 because the cipher suite changed from the HRR */
3835 ExpectIntEQ(test_memio_inject_message(&test_ctx, 0, (char*)ch2,
3836 sizeof(ch2)), 0);
3837 ExpectIntEQ(wolfSSL_accept(ssl_s), -1);
3838 ExpectIntEQ(wolfSSL_get_error(ssl_s, -1), INVALID_PARAMETER);
3839
3840 wolfSSL_free(ssl_s);
3841 wolfSSL_CTX_free(ctx_s);
3842#endif
3843 return EXPECT_RESULT();
3844}
3845
3846#if defined(WOLFSSL_TLS13) && !defined(NO_WOLFSSL_SERVER) && \
3847 defined(HAVE_ECC)
3848/* Called when writing. */
3849static int MESend(WOLFSSL* ssl, char* buf, int sz, void* ctx)
3850{
3851 (void)ssl;
3852 (void)buf;
3853 (void)sz;
3854 (void)ctx;
3855
3856 /* Force error return from wolfSSL_accept_TLSv13(). */
3857 return WANT_WRITE;
3858}
3859/* Called when reading. */
3860static int MERecv(WOLFSSL* ssl, char* buf, int sz, void* ctx)
3861{
3862 WOLFSSL_BUFFER_INFO* msg = (WOLFSSL_BUFFER_INFO*)ctx;
3863 int len = (int)msg->length;
3864
3865 (void)ssl;
3866
3867 /* Pass back as much of message as will fit in buffer. */
3868 if (len > sz)
3869 len = sz;
3870 XMEMCPY(buf, msg->buffer, len);
3871 /* Move over returned data. */
3872 msg->buffer += len;
3873 msg->length -= len;
3874
3875 /* Amount actually copied. */
3876 return len;
3877}
3878#endif
3879
3880int test_tls13_sg_missing(void)
3881{
3882 EXPECT_DECLS;
3883#if defined(WOLFSSL_TLS13) && !defined(NO_WOLFSSL_SERVER) && \
3884 defined(HAVE_ECC)
3885 WOLFSSL_CTX *ctx = NULL;
3886 WOLFSSL *ssl = NULL;
3887 byte clientHello[] = {
3888 0x16, 0x03, 0x03, 0x00, 0xcb, 0x01, 0x00, 0x00,
3889 0xc7, 0x03, 0x03, 0x01, 0x01, 0x01, 0x01, 0x01,
3890 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
3891 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
3892 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
3893 0x01, 0x01, 0x01, 0x20, 0x03, 0x03, 0x03, 0x03,
3894 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
3895 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
3896 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
3897 0x03, 0x03, 0x03, 0x03, 0x00, 0x02, 0x13, 0x01,
3898 0x01, 0x00, 0x00, 0x7c, 0x00, 0x0d, 0x00, 0x06,
3899 0x00, 0x04, 0x04, 0x01, 0x08, 0x04,
3900 /* KeyShare */
3901 0x00, 0x33,
3902 0x00, 0x67, 0x00, 0x65, 0x00, 0x18, 0x00, 0x61,
3903 0x04, 0x53, 0x3e, 0xe5, 0xbf, 0x40, 0xec, 0x2d,
3904 0x67, 0x98, 0x8b, 0x77, 0xf3, 0x17, 0x48, 0x9b,
3905 0xb6, 0xdf, 0x95, 0x29, 0x25, 0xc7, 0x09, 0xfc,
3906 0x03, 0x81, 0x11, 0x1a, 0x59, 0x56, 0xf2, 0xd7,
3907 0x58, 0x11, 0x0e, 0x59, 0xd3, 0xd7, 0xc1, 0x72,
3908 0x9e, 0x2c, 0x0d, 0x70, 0xea, 0xf7, 0x73, 0xe6,
3909 0x12, 0x01, 0x16, 0x42, 0x6d, 0xe2, 0x43, 0x6a,
3910 0x2f, 0x5f, 0xdd, 0x7f, 0xe5, 0x4f, 0xaf, 0x95,
3911 0x2b, 0x04, 0xfd, 0x13, 0xf5, 0x16, 0xce, 0x62,
3912 0x7f, 0x89, 0xd2, 0x01, 0x9d, 0x4c, 0x87, 0x96,
3913 0x95, 0x9e, 0x43, 0x33, 0xc7, 0x06, 0x5b, 0x49,
3914 0x6c, 0xa6, 0x34, 0xd5, 0xdc, 0x63, 0xbd, 0xe9,
3915 0x1f,
3916 /* SupportedVersions */
3917 0x00, 0x2b, 0x00, 0x03, 0x02, 0x03, 0x04
3918 /* Missing SupportedGroups. */
3919 };
3920 WOLFSSL_BUFFER_INFO msg;
3921 WOLFSSL_ALERT_HISTORY h;
3922
3923 /* Set up wolfSSL context. */
3924 ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_server_method()));
3925 ExpectTrue(wolfSSL_CTX_use_certificate_file(ctx, eccCertFile,
3926 CERT_FILETYPE));
3927 ExpectTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, eccKeyFile,
3928 CERT_FILETYPE));
3929 /* Read from 'msg'. */
3930 wolfSSL_SetIORecv(ctx, MERecv);
3931 /* No where to send to - dummy sender. */
3932 wolfSSL_SetIOSend(ctx, MESend);
3933
3934 /* Test cipher suite list with many copies of a cipher suite. */
3935 ExpectNotNull(ssl = wolfSSL_new(ctx));
3936 msg.buffer = clientHello;
3937 msg.length = (unsigned int)sizeof(clientHello);
3938 wolfSSL_SetIOReadCtx(ssl, &msg);
3939
3940 ExpectIntEQ(wolfSSL_accept_TLSv13(ssl),
3941 WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR));
3942 ExpectIntEQ(wolfSSL_get_alert_history(ssl, &h), WOLFSSL_SUCCESS);
3943 ExpectIntEQ(h.last_tx.code, missing_extension);
3944 ExpectIntEQ(h.last_tx.level, alert_fatal);
3945 wolfSSL_free(ssl);
3946 wolfSSL_CTX_free(ctx);
3947#endif
3948 return EXPECT_RESULT();
3949}
3950
3951int test_tls13_ks_missing(void)
3952{
3953 EXPECT_DECLS;
3954#if defined(WOLFSSL_TLS13) && !defined(NO_WOLFSSL_SERVER) && \
3955 defined(HAVE_ECC)
3956 WOLFSSL_CTX *ctx = NULL;
3957 WOLFSSL *ssl = NULL;
3958 byte clientHello[] = {
3959 0x16, 0x03, 0x03, 0x00, 0x66, 0x01, 0x00, 0x00,
3960 0x62, 0x03, 0x03, 0x01, 0x01, 0x01, 0x01, 0x01,
3961 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
3962 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
3963 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
3964 0x01, 0x01, 0x01, 0x20, 0x03, 0x03, 0x03, 0x03,
3965 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
3966 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
3967 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
3968 0x03, 0x03, 0x03, 0x03, 0x00, 0x02, 0x13, 0x01,
3969 0x01, 0x00, 0x00, 0x17, 0x00, 0x0d, 0x00, 0x06,
3970 0x00, 0x04, 0x04, 0x01, 0x08, 0x04,
3971 /* SupportedGroups */
3972 0x00, 0x0a,
3973 0x00, 0x02, 0x00, 0x18,
3974 /* SupportedVersions */
3975 0x00, 0x2b, 0x00, 0x03,
3976 0x02, 0x03, 0x04
3977 /* Missing KeyShare. */
3978 };
3979 WOLFSSL_BUFFER_INFO msg;
3980 WOLFSSL_ALERT_HISTORY h;
3981
3982 /* Set up wolfSSL context. */
3983 ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_server_method()));
3984 ExpectTrue(wolfSSL_CTX_use_certificate_file(ctx, eccCertFile,
3985 CERT_FILETYPE));
3986 ExpectTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, eccKeyFile,
3987 CERT_FILETYPE));
3988 /* Read from 'msg'. */
3989 wolfSSL_SetIORecv(ctx, MERecv);
3990 /* No where to send to - dummy sender. */
3991 wolfSSL_SetIOSend(ctx, MESend);
3992
3993 /* Test cipher suite list with many copies of a cipher suite. */
3994 ExpectNotNull(ssl = wolfSSL_new(ctx));
3995 msg.buffer = clientHello;
3996 msg.length = (unsigned int)sizeof(clientHello);
3997 wolfSSL_SetIOReadCtx(ssl, &msg);
3998
3999 ExpectIntEQ(wolfSSL_accept_TLSv13(ssl),
4000 WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR));
4001 ExpectIntEQ(wolfSSL_get_alert_history(ssl, &h), WOLFSSL_SUCCESS);
4002 ExpectIntEQ(h.last_tx.code, missing_extension);
4003 ExpectIntEQ(h.last_tx.level, alert_fatal);
4004 wolfSSL_free(ssl);
4005 wolfSSL_CTX_free(ctx);
4006#endif
4007 return EXPECT_RESULT();
4008}
4009
4010#if defined(WOLFSSL_TLS13) && !defined(NO_WOLFSSL_CLIENT) && \
4011 defined(HAVE_ECC)
4012/* Called when writing. */
4013static int DESend(WOLFSSL* ssl, char* buf, int sz, void* ctx)
4014{
4015 (void)ssl;
4016 (void)buf;
4017 (void)sz;
4018 (void)ctx;
4019
4020 return sz;
4021}
4022/* Called when reading. */
4023static int DERecv(WOLFSSL* ssl, char* buf, int sz, void* ctx)
4024{
4025 WOLFSSL_BUFFER_INFO* msg = (WOLFSSL_BUFFER_INFO*)ctx;
4026 int len = (int)msg->length;
4027
4028 (void)ssl;
4029 (void)sz;
4030
4031 /* Pass back as much of message as will fit in buffer. */
4032 if (len > sz)
4033 len = sz;
4034 XMEMCPY(buf, msg->buffer, len);
4035 /* Move over returned data. */
4036 msg->buffer += len;
4037 msg->length -= len;
4038
4039 /* Amount actually copied. */
4040 return len;
4041}
4042
4043#endif
4044
4045int test_tls13_duplicate_extension(void)
4046{
4047 EXPECT_DECLS;
4048#if defined(WOLFSSL_TLS13) && !defined(NO_WOLFSSL_CLIENT) && \
4049 defined(HAVE_ECC)
4050 WOLFSSL_CTX *ctx = NULL;
4051 WOLFSSL *ssl = NULL;
4052 byte serverHello[] = {
4053 0x16, 0x03, 0x03, 0x00, 0x81, 0x02, 0x00, 0x00,
4054 0x7d, 0x03, 0x03, 0x01, 0x01, 0x01, 0x01, 0x01,
4055 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
4056 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
4057 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
4058 0x01, 0x01, 0x01, 0x00, 0x13, 0x01, 0x00, 0x00,
4059 0x55, 0x00, 0x2b, 0x00, 0x02, 0x03, 0x04, 0x00,
4060 0x33, 0x00, 0x45, 0x00, 0x17, 0x00, 0x41, 0x04,
4061 0x0c, 0x90, 0x1d, 0x42, 0x3c, 0x83, 0x1c, 0xa8,
4062 0x5e, 0x27, 0xc7, 0x3c, 0x26, 0x3b, 0xa1, 0x32,
4063 0x72, 0x1b, 0xb9, 0xd7, 0xa8, 0x4c, 0x4f, 0x03,
4064 0x80, 0xb2, 0xa6, 0x75, 0x6f, 0xd6, 0x01, 0x33,
4065 0x1c, 0x88, 0x70, 0x23, 0x4d, 0xec, 0x87, 0x85,
4066 0x04, 0xc1, 0x74, 0x14, 0x4f, 0xa4, 0xb1, 0x4b,
4067 0x66, 0xa6, 0x51, 0x69, 0x16, 0x06, 0xd8, 0x17,
4068 0x3e, 0x55, 0xbd, 0x37, 0xe3, 0x81, 0x56, 0x9e,
4069 0x00, 0x2b, 0x00, 0x02, 0x03, 0x04
4070 };
4071 WOLFSSL_BUFFER_INFO msg;
4072 WOLFSSL_ALERT_HISTORY h;
4073
4074 /* Set up wolfSSL context. */
4075 ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method()));
4076 /* Read from 'msg'. */
4077 wolfSSL_SetIORecv(ctx, DERecv);
4078 /* No where to send to - dummy sender. */
4079 wolfSSL_SetIOSend(ctx, DESend);
4080
4081 /* Test cipher suite list with many copies of a cipher suite. */
4082 ExpectNotNull(ssl = wolfSSL_new(ctx));
4083 msg.buffer = serverHello;
4084 msg.length = (unsigned int)sizeof(serverHello);
4085 wolfSSL_SetIOReadCtx(ssl, &msg);
4086
4087 ExpectIntEQ(wolfSSL_connect_TLSv13(ssl),
4088 WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR));
4089 ExpectIntEQ(wolfSSL_get_alert_history(ssl, &h), WOLFSSL_SUCCESS);
4090 ExpectIntEQ(h.last_tx.code, illegal_parameter);
4091 ExpectIntEQ(h.last_tx.level, alert_fatal);
4092 wolfSSL_free(ssl);
4093 wolfSSL_CTX_free(ctx);
4094#endif
4095 return EXPECT_RESULT();
4096}
4097
4098
4099#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH) && \
4100 !defined(NO_WOLFSSL_SERVER) && !defined(NO_FILESYSTEM) && \
4101 (!defined(NO_RSA) || defined(HAVE_ECC))
4102static int DupEchSend(WOLFSSL* ssl, char* buf, int sz, void* ctx)
4103{
4104 (void)ssl;
4105 (void)buf;
4106 (void)sz;
4107 (void)ctx;
4108
4109 return sz;
4110}
4111static int DupEchRecv(WOLFSSL* ssl, char* buf, int sz, void* ctx)
4112{
4113 WOLFSSL_BUFFER_INFO* msg = (WOLFSSL_BUFFER_INFO*)ctx;
4114 int len = (int)msg->length;
4115
4116 (void)ssl;
4117 (void)sz;
4118
4119 if (len > sz)
4120 len = sz;
4121 XMEMCPY(buf, msg->buffer, len);
4122 msg->buffer += len;
4123 msg->length -= len;
4124
4125 return len;
4126}
4127#endif
4128
4129/* Test detection of duplicate ECH extension (type 0xfe0d) in ClientHello.
4130 * ECH has a semaphore mapping in TLSX_ToSemaphore() and needs to be included
4131 * in the duplicate-detection gate in TLSX_Parse(). RFC 8446 section 4.2
4132 * requires rejecting messages with duplicate extensions.
4133 */
4134int test_tls13_duplicate_ech_extension(void)
4135{
4136 EXPECT_DECLS;
4137#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH) && \
4138 !defined(NO_WOLFSSL_SERVER) && !defined(NO_FILESYSTEM) && \
4139 (!defined(NO_RSA) || defined(HAVE_ECC))
4140 /* TLS 1.3 ClientHello with two ECH extensions (type 0xfe0d).
4141 * Extensions block contains: supported_versions + ECH + ECH (dup). */
4142 const unsigned char clientHelloDupEch[] = {
4143 0x16, 0x03, 0x03, 0x00, 0x40, 0x01, 0x00, 0x00,
4144 0x3c, 0x03, 0x03, 0x01, 0x01, 0x01, 0x01, 0x01,
4145 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
4146 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
4147 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
4148 0x01, 0x01, 0x01, 0x00, 0x00, 0x02, 0x13, 0x01,
4149 0x01, 0x00, 0x00, 0x11, 0x00, 0x2b, 0x00, 0x03,
4150 0x02, 0x03, 0x04, 0xfe, 0x0d, 0x00, 0x01, 0x00,
4151 0xfe, 0x0d, 0x00, 0x01, 0x00
4152 };
4153 WOLFSSL_BUFFER_INFO msg;
4154 const char* testCertFile;
4155 const char* testKeyFile;
4156 WOLFSSL_CTX *ctx = NULL;
4157 WOLFSSL *ssl = NULL;
4158
4159#ifndef NO_RSA
4160 testCertFile = svrCertFile;
4161 testKeyFile = svrKeyFile;
4162#elif defined(HAVE_ECC)
4163 testCertFile = eccCertFile;
4164 testKeyFile = eccKeyFile;
4165#endif
4166
4167 ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_server_method()));
4168
4169 ExpectTrue(wolfSSL_CTX_use_certificate_file(ctx, testCertFile,
4170 CERT_FILETYPE));
4171 ExpectTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, testKeyFile,
4172 CERT_FILETYPE));
4173
4174 /* Read from 'msg'. */
4175 wolfSSL_SetIORecv(ctx, DupEchRecv);
4176 /* No where to send to - dummy sender. */
4177 wolfSSL_SetIOSend(ctx, DupEchSend);
4178
4179 ssl = wolfSSL_new(ctx);
4180 ExpectNotNull(ssl);
4181
4182 msg.buffer = (unsigned char*)clientHelloDupEch;
4183 msg.length = (unsigned int)sizeof(clientHelloDupEch);
4184 wolfSSL_SetIOReadCtx(ssl, &msg);
4185
4186 ExpectIntNE(wolfSSL_accept(ssl), WOLFSSL_SUCCESS);
4187 /* Can return duplicate ext error or socket error if the peer closed
4188 * down while sending alert. */
4189 if (wolfSSL_get_error(ssl, 0) != WC_NO_ERR_TRACE(SOCKET_ERROR_E)) {
4190 ExpectIntEQ(wolfSSL_get_error(ssl, 0),
4191 WC_NO_ERR_TRACE(DUPLICATE_TLS_EXT_E));
4192 }
4193
4194 wolfSSL_free(ssl);
4195 wolfSSL_CTX_free(ctx);
4196#endif
4197 return EXPECT_RESULT();
4198}
4199
4200
4201int test_key_share_mismatch(void)
4202{
4203 EXPECT_DECLS;
4204#if defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && defined(WOLFSSL_TLS13) && \
4205 defined(HAVE_SUPPORTED_CURVES) && defined(HAVE_ECC) && \
4206 defined(BUILD_TLS_AES_128_GCM_SHA256) && (!defined(WOLFSSL_SP_MATH) || \
4207 (defined(WOLFSSL_SP_521) && !defined(WOLFSSL_SP_NO_256) && \
4208 defined(WOLFSSL_SP_384)))
4209 /* Taken from payload in https://github.com/wolfSSL/wolfssl/issues/9362 */
4210 const byte ch1_bin[] = {
4211 0x16, 0x03, 0x03, 0x00, 0x96, 0x01, 0x00, 0x00, 0x92, 0x03, 0x03, 0x01,
4212 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
4213 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
4214 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x20, 0x03, 0x03, 0x03, 0x03,
4215 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
4216 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
4217 0x03, 0x03, 0x03, 0x03, 0x00, 0x02, 0x13, 0x01, 0x01, 0x00, 0x00, 0x47,
4218 0x00, 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x18, 0x00, 0x17, 0x00, 0x1d,
4219 0x00, 0x0d, 0x00, 0x06, 0x00, 0x04, 0x04, 0x01, 0x08, 0x04, 0x00, 0x33,
4220 0x00, 0x26, 0x00, 0x24, 0x00, 0x1d, 0x00, 0x20, 0x07, 0xaa, 0xff, 0x3e,
4221 0x9f, 0xc1, 0x67, 0x27, 0x55, 0x44, 0xf4, 0xc3, 0xa6, 0xa1, 0x7c, 0xd8,
4222 0x37, 0xf2, 0xec, 0x6e, 0x78, 0xcd, 0x8a, 0x57, 0xb1, 0xe3, 0xdf, 0xb3,
4223 0xcc, 0x03, 0x5a, 0x76, 0x00, 0x2b, 0x00, 0x03, 0x02, 0x03, 0x04
4224 };
4225 const byte ch2_bin[] = {
4226 0x16, 0x03, 0x03, 0x00, 0xb7, 0x01, 0x00, 0x00, 0xb3, 0x03, 0x03, 0x01,
4227 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
4228 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
4229 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x20, 0x03, 0x03, 0x03, 0x03,
4230 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
4231 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
4232 0x03, 0x03, 0x03, 0x03, 0x00, 0x02, 0x13, 0x01, 0x01, 0x00, 0x00, 0x68,
4233 0x00, 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x18, 0x00, 0x17, 0x00, 0x1d,
4234 0x00, 0x0d, 0x00, 0x06, 0x00, 0x04, 0x04, 0x01, 0x08, 0x04, 0x00, 0x33,
4235 0x00, 0x47, 0x00, 0x45, 0x00, 0x17, 0x00, 0x41, 0x04, 0x0c, 0x90, 0x1d,
4236 0x42, 0x3c, 0x83, 0x1c, 0xa8, 0x5e, 0x27, 0xc7, 0x3c, 0x26, 0x3b, 0xa1,
4237 0x32, 0x72, 0x1b, 0xb9, 0xd7, 0xa8, 0x4c, 0x4f, 0x03, 0x80, 0xb2, 0xa6,
4238 0x75, 0x6f, 0xd6, 0x01, 0x33, 0x1c, 0x88, 0x70, 0x23, 0x4d, 0xec, 0x87,
4239 0x85, 0x04, 0xc1, 0x74, 0x14, 0x4f, 0xa4, 0xb1, 0x4b, 0x66, 0xa6, 0x51,
4240 0x69, 0x16, 0x06, 0xd8, 0x17, 0x3e, 0x55, 0xbd, 0x37, 0xe3, 0x81, 0x56,
4241 0x9e, 0x00, 0x2b, 0x00, 0x03, 0x02, 0x03, 0x04
4242 };
4243 WOLFSSL_CTX *ctx_c = NULL, *ctx_s = NULL;
4244 WOLFSSL *ssl_c = NULL, *ssl_s = NULL;
4245 struct test_memio_ctx test_ctx;
4246 int client_group[] = {WOLFSSL_ECC_SECP521R1};
4247 int server_group[] = {WOLFSSL_ECC_SECP384R1, WOLFSSL_ECC_SECP256R1};
4248
4249 XMEMSET(&test_ctx, 0, sizeof(test_ctx));
4250 ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
4251 wolfTLSv1_3_client_method, wolfTLSv1_3_server_method), 0);
4252 ExpectIntEQ(wolfSSL_set_groups(ssl_c,
4253 client_group, XELEM_CNT(client_group)), WOLFSSL_SUCCESS);
4254 ExpectIntEQ(wolfSSL_set_groups(ssl_s,
4255 server_group, XELEM_CNT(server_group)), WOLFSSL_SUCCESS);
4256 ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), -1);
4257 ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), BAD_KEY_SHARE_DATA);
4258
4259 wolfSSL_free(ssl_s);
4260 ssl_s = NULL;
4261 XMEMSET(&test_ctx, 0, sizeof(test_ctx));
4262 ExpectIntEQ(test_memio_setup(&test_ctx, NULL, &ctx_s, NULL, &ssl_s,
4263 NULL, wolfTLSv1_3_server_method), 0);
4264 ExpectIntEQ(wolfSSL_set_groups(ssl_s,
4265 server_group, XELEM_CNT(server_group)), WOLFSSL_SUCCESS);
4266 ExpectIntEQ(test_memio_inject_message(&test_ctx, 0, (const char*)ch1_bin,
4267 sizeof(ch1_bin)), 0);
4268 ExpectIntEQ(wolfSSL_accept(ssl_s), -1);
4269 ExpectIntEQ(wolfSSL_get_error(ssl_s, -1), WOLFSSL_ERROR_WANT_READ);
4270 ExpectIntEQ(test_memio_inject_message(&test_ctx, 0, (const char*)ch2_bin,
4271 sizeof(ch2_bin)), 0);
4272 ExpectIntEQ(wolfSSL_accept(ssl_s), -1);
4273 ExpectIntEQ(wolfSSL_get_error(ssl_s, -1), BAD_KEY_SHARE_DATA);
4274
4275 wolfSSL_free(ssl_c);
4276 wolfSSL_free(ssl_s);
4277 wolfSSL_CTX_free(ctx_c);
4278 wolfSSL_CTX_free(ctx_s);
4279#endif
4280 return EXPECT_RESULT();
4281}
4282
4283
4284#if defined(WOLFSSL_TLS13) && !defined(NO_RSA) && defined(HAVE_ECC) && \
4285 defined(HAVE_AESGCM) && !defined(NO_WOLFSSL_SERVER)
4286/* Called when writing. */
4287static int Tls13PTASend(WOLFSSL* ssl, char* buf, int sz, void* ctx)
4288{
4289 (void)ssl;
4290 (void)buf;
4291 (void)ctx;
4292
4293 return sz;
4294}
4295static int Tls13PTARecv(WOLFSSL* ssl, char* buf, int sz, void* ctx)
4296{
4297 WOLFSSL_BUFFER_INFO* msg = (WOLFSSL_BUFFER_INFO*)ctx;
4298 int len;
4299
4300 (void)ssl;
4301
4302 if (msg->length == 0) {
4303 /* Only do as many alerts as required to get to max alert count. */
4304 msg->buffer[0]--;
4305 if (msg->buffer[0] > 0) {
4306 msg->buffer -= 7;
4307 msg->length += 7;
4308 }
4309 else {
4310 return -1;
4311 }
4312 }
4313
4314 len = (int)msg->length;
4315 /* Pass back as much of message as will fit in buffer. */
4316 if (len > sz)
4317 len = sz;
4318 XMEMCPY(buf, msg->buffer, len);
4319 /* Move over returned data. */
4320 msg->buffer += len;
4321 msg->length -= len;
4322
4323 /* Amount actually copied. */
4324 return len;
4325}
4326#endif
4327
4328/* Test that when a TLS 1.3 client sends a ClientHello with an empty
4329 * legacy_session_id (indicating no middlebox compatibility), the server
4330 * should NOT send a ChangeCipherSpec message. Per RFC 8446 Appendix D.4,
4331 * the server only sends CCS if the client's ClientHello contains a
4332 * non-empty session_id.
4333 *
4334 * This test reproduces the bug reported in GitHub issue #9156 where
4335 * wolfSSL server always sends CCS when compiled with
4336 * WOLFSSL_TLS13_MIDDLEBOX_COMPAT, regardless of the client's session_id.
4337 */
4338int test_tls13_middlebox_compat_empty_session_id(void)
4339{
4340 EXPECT_DECLS;
4341#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT) && \
4342 defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \
4343 !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER)
4344 WOLFSSL_CTX *ctx_c = NULL;
4345 WOLFSSL_CTX *ctx_s = NULL;
4346 WOLFSSL *ssl_c = NULL;
4347 WOLFSSL *ssl_s = NULL;
4348 struct test_memio_ctx test_ctx;
4349 int i;
4350 int found_ccs = 0;
4351
4352 XMEMSET(&test_ctx, 0, sizeof(test_ctx));
4353 ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
4354 wolfTLSv1_3_client_method, wolfTLSv1_3_server_method), 0);
4355
4356 /* Disable middlebox compatibility on the client so it sends an empty
4357 * legacy_session_id in ClientHello. The server should respect this and
4358 * NOT send a ChangeCipherSpec. */
4359 if (EXPECT_SUCCESS()) {
4360 ssl_c->options.tls13MiddleBoxCompat = 0;
4361 }
4362
4363 /* Client sends ClientHello with empty session ID */
4364 ExpectIntNE(wolfSSL_connect(ssl_c), WOLFSSL_SUCCESS);
4365 ExpectIntEQ(wolfSSL_get_error(ssl_c,
4366 WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)), WOLFSSL_ERROR_WANT_READ);
4367
4368 /* Server processes ClientHello and sends its flight:
4369 * ServerHello, EncryptedExtensions, Certificate, CertVerify, Finished
4370 * (and potentially an unwanted CCS) */
4371 ExpectIntNE(wolfSSL_accept(ssl_s), WOLFSSL_SUCCESS);
4372 ExpectIntEQ(wolfSSL_get_error(ssl_s,
4373 WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)), WOLFSSL_ERROR_WANT_READ);
4374
4375 /* Now examine the server's output (stored in c_buff, since the server
4376 * writes to the client's read buffer). Scan through TLS records looking
4377 * for a ChangeCipherSpec record (content type 0x14 = 20). */
4378 if (EXPECT_SUCCESS()) {
4379 i = 0;
4380 while (i + 5 <= test_ctx.c_len) {
4381 byte content_type = test_ctx.c_buff[i];
4382 int record_len = (test_ctx.c_buff[i + 3] << 8) |
4383 test_ctx.c_buff[i + 4];
4384
4385 if (content_type == 20) { /* change_cipher_spec */
4386 found_ccs = 1;
4387 break;
4388 }
4389
4390 /* Move to next TLS record: 5 byte header + payload */
4391 i += 5 + record_len;
4392 }
4393 }
4394
4395 /* The server should NOT have sent CCS since the client's ClientHello
4396 * had an empty legacy_session_id. If found_ccs is 1, this demonstrates
4397 * the bug from issue #9156. */
4398 ExpectIntEQ(found_ccs, 0);
4399
4400 wolfSSL_free(ssl_c);
4401 wolfSSL_free(ssl_s);
4402 wolfSSL_CTX_free(ctx_c);
4403 wolfSSL_CTX_free(ctx_s);
4404#endif
4405 return EXPECT_RESULT();
4406}
4407
4408int test_tls13_plaintext_alert(void)
4409{
4410 EXPECT_DECLS;
4411
4412#if defined(WOLFSSL_TLS13) && !defined(NO_RSA) && defined(HAVE_ECC) && \
4413 defined(HAVE_AESGCM) && !defined(NO_WOLFSSL_SERVER)
4414 byte clientMsgs[] = {
4415 /* Client Hello */
4416 0x16, 0x03, 0x03, 0x01, 0x9b, 0x01, 0x00, 0x01,
4417 0x97, 0x03, 0x03, 0xf4, 0x65, 0xbd, 0x22, 0xfe,
4418 0x6e, 0xab, 0x66, 0xdd, 0xcf, 0xe9, 0x65, 0x55,
4419 0xe8, 0xdf, 0xc3, 0x8e, 0x4b, 0x00, 0xbc, 0xf8,
4420 0x23, 0x57, 0x1b, 0xa0, 0xc8, 0xa9, 0xe2, 0x8c,
4421 0x91, 0x6e, 0xf9, 0x20, 0xf7, 0x5c, 0xc5, 0x5b,
4422 0x75, 0x8c, 0x47, 0x0a, 0x0e, 0xc4, 0x1a, 0xda,
4423 0xef, 0x75, 0xe5, 0x21, 0x00, 0x00, 0x00, 0x00,
4424 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4425 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x13, 0x01,
4426 0x13, 0x02, 0x01, 0x00, 0x01, 0x4a, 0x00, 0x2d,
4427 0x00, 0x03, 0x02, 0x00, 0x01, 0x00, 0x33, 0x00,
4428 0x47, 0x00, 0x45, 0x00, 0x17, 0x00, 0x41, 0x04,
4429 0x90, 0xfc, 0xe2, 0x97, 0x05, 0x7c, 0xb5, 0x23,
4430 0x5d, 0x5f, 0x5b, 0xcd, 0x0c, 0x1e, 0xe0, 0xe9,
4431 0xab, 0x38, 0x6b, 0x1e, 0x20, 0x5c, 0x1c, 0x90,
4432 0x2a, 0x9e, 0x68, 0x8e, 0x70, 0x05, 0x10, 0xa8,
4433 0x02, 0x1b, 0xf9, 0x5c, 0xef, 0xc9, 0xaf, 0xca,
4434 0x1a, 0x3b, 0x16, 0x8b, 0xe4, 0x1b, 0x3c, 0x15,
4435 0xb8, 0x0d, 0xbd, 0xaf, 0x62, 0x8d, 0xa7, 0x13,
4436 0xa0, 0x7c, 0xe0, 0x59, 0x0c, 0x4f, 0x8a, 0x6d,
4437 0x00, 0x2b, 0x00, 0x03, 0x02, 0x03, 0x04, 0x00,
4438 0x0d, 0x00, 0x20, 0x00, 0x1e, 0x06, 0x03, 0x05,
4439 0x03, 0x04, 0x03, 0x02, 0x03, 0x08, 0x06, 0x08,
4440 0x0b, 0x08, 0x05, 0x08, 0x0a, 0x08, 0x04, 0x08,
4441 0x09, 0x06, 0x01, 0x05, 0x01, 0x04, 0x01, 0x03,
4442 0x01, 0x02, 0x01, 0x00, 0x0a, 0x00, 0x04, 0x00,
4443 0x02, 0x00, 0x17, 0x00, 0x16, 0x00, 0x00, 0x00,
4444 0x23, 0x00, 0x00, 0x00, 0x29, 0x00, 0xb9, 0x00,
4445 0x94, 0x00, 0x8e, 0x0f, 0x12, 0xfa, 0x84, 0x1f,
4446 0x76, 0x94, 0xd7, 0x09, 0x5e, 0xad, 0x08, 0x51,
4447 0xb6, 0x80, 0x28, 0x31, 0x8b, 0xfd, 0xc6, 0xbd,
4448 0x9e, 0xf5, 0x3b, 0x4d, 0x02, 0xbe, 0x1d, 0x73,
4449 0xea, 0x13, 0x68, 0x00, 0x4c, 0xfd, 0x3d, 0x48,
4450 0x51, 0xf9, 0x06, 0xbb, 0x92, 0xed, 0x42, 0x9f,
4451 0x7f, 0x2c, 0x73, 0x9f, 0xd9, 0xb4, 0xef, 0x05,
4452 0x26, 0x5b, 0x60, 0x5c, 0x0a, 0xfc, 0xa3, 0xbd,
4453 0x2d, 0x2d, 0x8b, 0xf9, 0xaa, 0x5c, 0x96, 0x3a,
4454 0xf2, 0xec, 0xfa, 0xe5, 0x57, 0x2e, 0x87, 0xbe,
4455 0x27, 0xc5, 0x3d, 0x4f, 0x5d, 0xdd, 0xde, 0x1c,
4456 0x1b, 0xb3, 0xcc, 0x27, 0x27, 0x57, 0x5a, 0xd9,
4457 0xea, 0x99, 0x27, 0x23, 0xa6, 0x0e, 0xea, 0x9c,
4458 0x0d, 0x85, 0xcb, 0x72, 0xeb, 0xd7, 0x93, 0xe3,
4459 0xfe, 0xf7, 0x5c, 0xc5, 0x5b, 0x75, 0x8c, 0x47,
4460 0x0a, 0x0e, 0xc4, 0x1a, 0xda, 0xef, 0x75, 0xe5,
4461 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4462 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4463 0x00, 0xfb, 0x92, 0xce, 0xaa, 0x00, 0x21, 0x20,
4464 0xcb, 0x73, 0x25, 0x80, 0x46, 0x78, 0x4f, 0xe5,
4465 0x34, 0xf6, 0x91, 0x13, 0x7f, 0xc8, 0x8d, 0xdc,
4466 0x81, 0x04, 0xb7, 0x0d, 0x49, 0x85, 0x2e, 0x12,
4467 0x7a, 0x07, 0x23, 0xe9, 0x13, 0xa4, 0x6d, 0x8c,
4468 0x15, 0x03, 0x03, 0x00, 0x02, 0x01, 0x00, 0x00
4469 };
4470
4471 WOLFSSL_CTX* ctx = NULL;
4472 WOLFSSL* ssl = NULL;
4473 WOLFSSL_BUFFER_INFO msg;
4474
4475#ifdef WOLFSSL_TLS13_IGNORE_PT_ALERT_ON_ENC
4476 /* We fail on WOLFSSL_ALERT_COUNT_MAX alerts. */
4477
4478 /* Set up wolfSSL context. */
4479 ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_server_method()));
4480 ExpectTrue(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile,
4481 CERT_FILETYPE));
4482 ExpectTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile,
4483 CERT_FILETYPE));
4484 if (EXPECT_SUCCESS()) {
4485 wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_NONE, NULL);
4486 }
4487 /* Read from 'msg'. */
4488 wolfSSL_SetIORecv(ctx, Tls13PTARecv);
4489 /* No where to send to - dummy sender. */
4490 wolfSSL_SetIOSend(ctx, Tls13PTASend);
4491
4492 ExpectNotNull(ssl = wolfSSL_new(ctx));
4493 msg.buffer = clientMsgs;
4494 msg.length = (unsigned int)sizeof(clientMsgs) - 1;
4495 clientMsgs[sizeof(clientMsgs) - 1] = WOLFSSL_ALERT_COUNT_MAX;
4496 if (EXPECT_SUCCESS()) {
4497 wolfSSL_SetIOReadCtx(ssl, &msg);
4498 }
4499 /* Alert will be ignored until too many. */
4500 /* Read all message include CertificateVerify with invalid signature
4501 * algorithm. */
4502 ExpectIntEQ(wolfSSL_accept(ssl), WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR));
4503 /* Expect an invalid parameter error. */
4504 ExpectIntEQ(wolfSSL_get_error(ssl, WOLFSSL_FATAL_ERROR),
4505 WC_NO_ERR_TRACE(ALERT_COUNT_E));
4506
4507 wolfSSL_free(ssl);
4508 ssl = NULL;
4509 wolfSSL_CTX_free(ctx);
4510 ctx = NULL;
4511
4512 /* Set up wolfSSL context. */
4513 ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_server_method()));
4514 ExpectTrue(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile,
4515 CERT_FILETYPE));
4516 ExpectTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile,
4517 CERT_FILETYPE));
4518 if (EXPECT_SUCCESS()) {
4519 wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_NONE, NULL);
4520 }
4521 /* Read from 'msg'. */
4522 wolfSSL_SetIORecv(ctx, Tls13PTARecv);
4523 /* No where to send to - dummy sender. */
4524 wolfSSL_SetIOSend(ctx, Tls13PTASend);
4525
4526 ExpectNotNull(ssl = wolfSSL_new(ctx));
4527 msg.buffer = clientMsgs;
4528 msg.length = (unsigned int)sizeof(clientMsgs) - 1;
4529 clientMsgs[sizeof(clientMsgs) - 1] = WOLFSSL_ALERT_COUNT_MAX - 1;
4530 if (EXPECT_SUCCESS()) {
4531 wolfSSL_SetIOReadCtx(ssl, &msg);
4532 }
4533 /* Alert will be ignored until too many. */
4534 /* Read all message include CertificateVerify with invalid signature
4535 * algorithm. */
4536 ExpectIntEQ(wolfSSL_accept(ssl), WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR));
4537 /* Expect an invalid parameter error. */
4538 ExpectIntEQ(wolfSSL_get_error(ssl, WOLFSSL_FATAL_ERROR),
4539 WC_NO_ERR_TRACE(SOCKET_ERROR_E));
4540
4541 wolfSSL_free(ssl);
4542 wolfSSL_CTX_free(ctx);
4543#else
4544 /* Fail on plaintext alert when encryption keys on. */
4545
4546 /* Set up wolfSSL context. */
4547 ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_server_method()));
4548 ExpectTrue(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile,
4549 CERT_FILETYPE));
4550 ExpectTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile,
4551 CERT_FILETYPE));
4552 if (EXPECT_SUCCESS()) {
4553 wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_NONE, NULL);
4554 }
4555 /* Read from 'msg'. */
4556 wolfSSL_SetIORecv(ctx, Tls13PTARecv);
4557 /* No where to send to - dummy sender. */
4558 wolfSSL_SetIOSend(ctx, Tls13PTASend);
4559
4560 ExpectNotNull(ssl = wolfSSL_new(ctx));
4561 msg.buffer = clientMsgs;
4562 msg.length = (unsigned int)sizeof(clientMsgs) - 1;
4563 clientMsgs[sizeof(clientMsgs) - 1] = 1;
4564 if (EXPECT_SUCCESS()) {
4565 wolfSSL_SetIOReadCtx(ssl, &msg);
4566 }
4567 /* Alert will be ignored until too many. */
4568 /* Read all message include CertificateVerify with invalid signature
4569 * algorithm. */
4570 ExpectIntEQ(wolfSSL_accept(ssl), WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR));
4571 /* Expect an invalid parameter error. */
4572 ExpectIntEQ(wolfSSL_get_error(ssl, WOLFSSL_FATAL_ERROR),
4573 WC_NO_ERR_TRACE(PARSE_ERROR));
4574
4575 wolfSSL_free(ssl);
4576 wolfSSL_CTX_free(ctx);
4577#endif
4578#endif
4579
4580 return EXPECT_RESULT();
4581}
4582
4583/* Test that TLS 1.3 warning-level alerts are treated as fatal (RFC 8446
4584 * Section 6.2).
4585 * A peer sending e.g. {alert_warning, handshake_failure} must still cause the
4586 * connection to be terminated, not silently continued.
4587 */
4588int test_tls13_warning_alert_is_fatal(void)
4589{
4590 EXPECT_DECLS;
4591#if defined(WOLFSSL_TLS13) && defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \
4592 !defined(NO_WOLFSSL_CLIENT)
4593 WOLFSSL_CTX *ctx_c = NULL;
4594 WOLFSSL *ssl_c = NULL;
4595 struct test_memio_ctx test_ctx;
4596 WOLFSSL_ALERT_HISTORY h;
4597 /* TLS record: content_type=alert(0x15), version=TLS1.2(0x0303), len=2,
4598 * level=warning(0x01), code=handshake_failure(0x28=40) */
4599 static const unsigned char warn_alert[] =
4600 { 0x15, 0x03, 0x03, 0x00, 0x02, 0x01, 0x28 };
4601
4602 XMEMSET(&test_ctx, 0, sizeof(test_ctx));
4603 ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, NULL, &ssl_c, NULL,
4604 wolfTLSv1_3_client_method, NULL), 0);
4605
4606 /* Client sends ClientHello, then waits for the server response. */
4607 ExpectIntEQ(wolfSSL_connect(ssl_c), -1);
4608 ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_READ);
4609
4610 /* Inject a warning-level handshake_failure alert as if from the server.
4611 * RFC 8446 Section 6.2: In TLS 1.3, all error alerts MUST be treated as
4612 * fatalregardless of the AlertLevel byte. */
4613 ExpectIntEQ(test_memio_inject_message(&test_ctx, 1,
4614 (const char *)warn_alert, sizeof(warn_alert)), 0);
4615
4616 /* Expect the connection to be terminated, not silently continued. */
4617 ExpectIntEQ(wolfSSL_connect(ssl_c), -1);
4618 ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WC_NO_ERR_TRACE(FATAL_ERROR));
4619
4620 /* The alert details should be recorded correctly. */
4621 ExpectIntEQ(wolfSSL_get_alert_history(ssl_c, &h), WOLFSSL_SUCCESS);
4622 ExpectIntEQ(h.last_rx.code, handshake_failure);
4623 ExpectIntEQ(h.last_rx.level, alert_warning);
4624
4625 wolfSSL_free(ssl_c);
4626 wolfSSL_CTX_free(ctx_c);
4627#endif
4628 return EXPECT_RESULT();
4629}
4630
4631/* Test that an unknown extension in a TLS 1.3 server-to-client message is
4632 * rejected with unsupported_extension (RFC 8446 Sec. 4.2). The client MUST
4633 * abort the handshake when it receives an extension it did not advertise.
4634 */
4635 int test_tls13_unknown_ext_rejected(void)
4636 {
4637 EXPECT_DECLS;
4638 #if defined(WOLFSSL_TLS13) && defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \
4639 !defined(NO_WOLFSSL_CLIENT) && defined(WOLFSSL_AES_128) && \
4640 defined(HAVE_AESGCM) && !defined(NO_SHA256) && \
4641 !defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT)
4642 WOLFSSL_CTX *ctx_c = NULL;
4643 WOLFSSL *ssl_c = NULL;
4644 struct test_memio_ctx test_ctx;
4645 /* HelloRetryRequest carrying TLS_AES_128_GCM_SHA256, supported_versions
4646 * (TLS 1.3), and an extra unknown extension type 0xFABC.
4647 *
4648 * The base HRR (from test_tls13_same_ch) extended with 4 bytes:
4649 * extensions length: 6 -> 10 (0x00,0x0a)
4650 * handshake body length: 46 -> 50 (0x00,0x00,0x32)
4651 * record body length: 50 -> 54 (0x00,0x36)
4652 * appended: 0xfa,0xbc,0x00,0x00 (unknown type, zero-length value)
4653 */
4654 static const unsigned char hrr_unknown_ext[] = {
4655 /* TLS record header: handshake, TLS 1.2 compat, len=54 */
4656 0x16, 0x03, 0x03, 0x00, 0x36,
4657 /* Handshake header: ServerHello, len=50 */
4658 0x02, 0x00, 0x00, 0x32,
4659 /* legacy_version: TLS 1.2 */
4660 0x03, 0x03,
4661 /* HelloRetryRequest magic random */
4662 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11,
4663 0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x65, 0xb8, 0x91,
4664 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e,
4665 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c,
4666 /* session ID length: 0 */
4667 0x00,
4668 /* cipher suite: TLS_AES_128_GCM_SHA256 */
4669 0x13, 0x01,
4670 /* compression: null */
4671 0x00,
4672 /* extensions length: 10 */
4673 0x00, 0x0a,
4674 /* supported_versions: TLS 1.3 (0x0304) */
4675 0x00, 0x2b, 0x00, 0x02, 0x03, 0x04,
4676 /* unknown extension type 0xFABC, zero-length value */
4677 0xfa, 0xbc, 0x00, 0x00
4678 };
4679
4680 XMEMSET(&test_ctx, 0, sizeof(test_ctx));
4681 ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, NULL, &ssl_c, NULL,
4682 wolfTLSv1_3_client_method, NULL), 0);
4683
4684 /* Inject the crafted HRR before the client starts the handshake.
4685 * wolfSSL_connect will send the ClientHello and then read this message. */
4686 ExpectIntEQ(test_memio_inject_message(&test_ctx, 1,
4687 (const char *)hrr_unknown_ext, sizeof(hrr_unknown_ext)), 0);
4688
4689 /* RFC 8446 Sec. 4.2: the client MUST abort with unsupported_extension. */
4690 ExpectIntEQ(wolfSSL_connect(ssl_c), -1);
4691 ExpectIntEQ(wolfSSL_get_error(ssl_c, -1),
4692 WC_NO_ERR_TRACE(UNSUPPORTED_EXTENSION));
4693
4694 /* The client MUST also transmit the fatal unsupported_extension alert
4695 * on the wire, not merely surface a local error. The client's outgoing
4696 * data lands in test_ctx.s_buff; at this point in the handshake no
4697 * traffic keys are derived yet, so the alert record is plaintext.
4698 * Expected record: type=alert(0x15), version=TLS1.2(0x0303), len=2,
4699 * level=fatal(0x02), description=unsupported_extension(0x6e=110). */
4700 {
4701 static const unsigned char expected_alert[] =
4702 { 0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x6e };
4703 int found = 0;
4704 int i;
4705 for (i = 0;
4706 i + (int)sizeof(expected_alert) <= test_ctx.s_len;
4707 i++) {
4708 if (XMEMCMP(test_ctx.s_buff + i, expected_alert,
4709 sizeof(expected_alert)) == 0) {
4710 found = 1;
4711 break;
4712 }
4713 }
4714 ExpectIntEQ(found, 1);
4715 }
4716
4717 wolfSSL_free(ssl_c);
4718 wolfSSL_CTX_free(ctx_c);
4719 #endif
4720 return EXPECT_RESULT();
4721 }
4722
4723/* Test that wolfSSL_set1_sigalgs_list() is honored in TLS 1.3
4724 */
4725int test_tls13_cert_req_sigalgs(void)
4726{
4727 EXPECT_DECLS;
4728#if defined(WOLFSSL_TLS13) && defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \
4729 !defined(NO_CERTS) && !defined(NO_RSA) && defined(WC_RSA_PSS) && \
4730 defined(HAVE_ECC) && !defined(NO_WOLFSSL_CLIENT) && \
4731 !defined(NO_WOLFSSL_SERVER) && defined(OPENSSL_EXTRA) && \
4732 !defined(NO_FILESYSTEM)
4733 WOLFSSL_CTX *ctx_c = NULL, *ctx_s = NULL;
4734 WOLFSSL *ssl_c = NULL, *ssl_s = NULL;
4735 struct test_memio_ctx test_ctx;
4736
4737 XMEMSET(&test_ctx, 0, sizeof(test_ctx));
4738 ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
4739 wolfTLSv1_3_client_method, wolfTLSv1_3_server_method), 0);
4740
4741 /* Server: require client cert and load ECC client cert for verification */
4742 if (EXPECT_SUCCESS()) {
4743 wolfSSL_set_verify(ssl_s,
4744 WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
4745 ExpectIntEQ(wolfSSL_CTX_load_verify_locations(ctx_s,
4746 cliEccCertFile, 0), WOLFSSL_SUCCESS);
4747 }
4748
4749 /* Server: restrict CertificateRequest to RSA-PSS+SHA256 only */
4750 if (EXPECT_SUCCESS()) {
4751 ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl_s, "RSA-PSS+SHA256"),
4752 WOLFSSL_SUCCESS);
4753 }
4754
4755 /* Client: load ECC cert/key */
4756 if (EXPECT_SUCCESS()) {
4757 ExpectIntEQ(wolfSSL_use_certificate_file(ssl_c, cliEccCertFile,
4758 CERT_FILETYPE), WOLFSSL_SUCCESS);
4759 ExpectIntEQ(wolfSSL_use_PrivateKey_file(ssl_c, cliEccKeyFile,
4760 CERT_FILETYPE), WOLFSSL_SUCCESS);
4761 }
4762
4763 /* Handshake must fail: ECC client cannot match RSA-PSS+SHA256 */
4764 ExpectIntNE(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
4765
4766 wolfSSL_free(ssl_c); ssl_c = NULL;
4767 wolfSSL_free(ssl_s); ssl_s = NULL;
4768 wolfSSL_CTX_free(ctx_c); ctx_c = NULL;
4769 wolfSSL_CTX_free(ctx_s); ctx_s = NULL;
4770
4771 XMEMSET(&test_ctx, 0, sizeof(test_ctx));
4772 ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
4773 wolfTLSv1_3_client_method, wolfTLSv1_3_server_method), 0);
4774
4775 /* Server: require client cert and load RSA client cert for verification */
4776 if (EXPECT_SUCCESS()) {
4777 wolfSSL_set_verify(ssl_s,
4778 WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
4779 ExpectIntEQ(wolfSSL_CTX_load_verify_locations(ctx_s,
4780 cliCertFile, 0), WOLFSSL_SUCCESS);
4781 }
4782
4783 /* Server: restrict CertificateRequest to RSA-PSS+SHA256 only */
4784 if (EXPECT_SUCCESS()) {
4785 ExpectIntEQ(wolfSSL_set1_sigalgs_list(ssl_s, "RSA-PSS+SHA256"),
4786 WOLFSSL_SUCCESS);
4787 }
4788
4789 /* Client: load RSA cert/key */
4790 if (EXPECT_SUCCESS()) {
4791 ExpectIntEQ(wolfSSL_use_certificate_file(ssl_c, cliCertFile,
4792 CERT_FILETYPE), WOLFSSL_SUCCESS);
4793 ExpectIntEQ(wolfSSL_use_PrivateKey_file(ssl_c, cliKeyFile,
4794 CERT_FILETYPE), WOLFSSL_SUCCESS);
4795 }
4796
4797 /* Handshake must succeed: RSA client satisfies RSA-PSS+SHA256 */
4798 ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
4799
4800 wolfSSL_free(ssl_c); ssl_c = NULL;
4801 wolfSSL_free(ssl_s); ssl_s = NULL;
4802 wolfSSL_CTX_free(ctx_c); ctx_c = NULL;
4803 wolfSSL_CTX_free(ctx_s); ctx_s = NULL;
4804#endif
4805
4806 return EXPECT_RESULT();
4807}
4808
4809int test_tls13_derive_keys_no_key(void)
4810{
4811 EXPECT_DECLS;
4812#if defined(WOLFSSL_TLS13) && defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES)
4813 struct test_memio_ctx test_ctx;
4814 WOLFSSL_CTX *ctx_c = NULL;
4815 WOLFSSL_CTX *ctx_s = NULL;
4816 WOLFSSL *ssl_c = NULL;
4817 WOLFSSL *ssl_s = NULL;
4818
4819 XMEMSET(&test_ctx, 0, sizeof(test_ctx));
4820 ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
4821 wolfTLSv1_3_client_method, wolfTLSv1_3_server_method), 0);
4822
4823 /* DeriveTls13Keys with no_key should succeed (skip secret derivation,
4824 * only derive keys/IVs from existing secrets). This is used with early
4825 * data to derive keys without re-deriving the secrets. */
4826 ExpectIntEQ(DeriveTls13Keys(ssl_s, no_key, DECRYPT_SIDE_ONLY, 0), 0);
4827 ExpectIntEQ(DeriveTls13Keys(ssl_s, no_key, ENCRYPT_SIDE_ONLY, 0), 0);
4828 ExpectIntEQ(DeriveTls13Keys(ssl_c, no_key, ENCRYPT_AND_DECRYPT_SIDE, 0),
4829 0);
4830
4831 /* Unknown secret type should return BAD_FUNC_ARG */
4832 ExpectIntEQ(DeriveTls13Keys(ssl_c, -1, ENCRYPT_SIDE_ONLY, 0),
4833 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
4834
4835 wolfSSL_free(ssl_c);
4836 wolfSSL_free(ssl_s);
4837 wolfSSL_CTX_free(ctx_c);
4838 wolfSSL_CTX_free(ctx_s);
4839#endif
4840
4841 return EXPECT_RESULT();
4842}
4843
4844/* Test that a truncated PQC hybrid KeyShare in a ServerHello does not cause a
4845 * heap use-after-free during cleanup. A malicious server sends
4846 * SECP256R1MLKEM768 with only 10 bytes of key exchange data (expected: 1120+).
4847 * This exercises the error path in TLSX_KeyShare_ProcessPqcHybridClient().
4848 * Under ASAN the UAF manifests as ForceZero writing to freed KyberKey memory
4849 * during wolfSSL_free -> TLSX_FreeAll -> TLSX_KeyShare_FreeAll. */
4850#if defined(WOLFSSL_TLS13) && !defined(NO_WOLFSSL_CLIENT) && \
4851 defined(WOLFSSL_HAVE_MLKEM) && defined(WOLFSSL_PQC_HYBRIDS) && \
4852 !defined(WOLFSSL_NO_ML_KEM_768) && defined(HAVE_ECC) && \
4853 !defined(WOLFSSL_MLKEM_NO_DECAPSULATE) && \
4854 !defined(WOLFSSL_MLKEM_NO_MAKE_KEY)
4855/* Called when writing - discard output. */
4856static int PqcHybridUafSend(WOLFSSL* ssl, char* buf, int sz, void* ctx)
4857{
4858 (void)ssl;
4859 (void)buf;
4860 (void)ctx;
4861 return sz;
4862}
4863/* Called when reading - feed from buffer. */
4864static int PqcHybridUafRecv(WOLFSSL* ssl, char* buf, int sz, void* ctx)
4865{
4866 WOLFSSL_BUFFER_INFO* msg = (WOLFSSL_BUFFER_INFO*)ctx;
4867 int len = (int)msg->length;
4868
4869 (void)ssl;
4870
4871 if (len > sz)
4872 len = sz;
4873 XMEMCPY(buf, msg->buffer, len);
4874 msg->buffer += len;
4875 msg->length -= len;
4876 return len;
4877}
4878#endif
4879
4880int test_tls13_pqc_hybrid_truncated_keyshare(void)
4881{
4882 EXPECT_DECLS;
4883#if defined(WOLFSSL_TLS13) && !defined(NO_WOLFSSL_CLIENT) && \
4884 defined(WOLFSSL_HAVE_MLKEM) && defined(WOLFSSL_PQC_HYBRIDS) && \
4885 !defined(WOLFSSL_NO_ML_KEM_768) && defined(HAVE_ECC) && \
4886 !defined(WOLFSSL_MLKEM_NO_DECAPSULATE) && \
4887 !defined(WOLFSSL_MLKEM_NO_MAKE_KEY)
4888 WOLFSSL_CTX *ctx = NULL;
4889 WOLFSSL *ssl = NULL;
4890 /* Crafted TLS 1.3 ServerHello with SECP256R1MLKEM768 (0x11EB) key_share
4891 * containing only 10 bytes of key exchange data instead of the expected
4892 * ~1120 bytes. This triggers the error cleanup path. */
4893 byte serverHello[] = {
4894 /* TLS record: Handshake, TLS 1.2 compat, length 68 */
4895 0x16, 0x03, 0x03, 0x00, 0x44,
4896 /* Handshake: ServerHello (0x02), length 64 */
4897 0x02, 0x00, 0x00, 0x40,
4898 /* legacy_version */
4899 0x03, 0x03,
4900 /* random (32 bytes) */
4901 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
4902 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
4903 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
4904 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
4905 /* legacy_session_id_echo length: 0 */
4906 0x00,
4907 /* cipher_suite: TLS_AES_128_GCM_SHA256 */
4908 0x13, 0x01,
4909 /* legacy_compression_method: null */
4910 0x00,
4911 /* extensions length: 24 */
4912 0x00, 0x18,
4913 /* extension: supported_versions -> TLS 1.3 */
4914 0x00, 0x2b, 0x00, 0x02, 0x03, 0x04,
4915 /* extension: key_share (truncated hybrid data) */
4916 0x00, 0x33, /* type */
4917 0x00, 0x0e, /* length: 14 */
4918 0x11, 0xeb, /* named_group: SECP256R1MLKEM768 (4587) */
4919 0x00, 0x0a, /* key_exchange length: 10 (truncated!) */
4920 0x41, 0x41, 0x41, 0x41, 0x41, /* bogus key data */
4921 0x41, 0x41, 0x41, 0x41, 0x41
4922 };
4923 WOLFSSL_BUFFER_INFO msg;
4924
4925 ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method()));
4926 wolfSSL_SetIORecv(ctx, PqcHybridUafRecv);
4927 wolfSSL_SetIOSend(ctx, PqcHybridUafSend);
4928
4929 ExpectNotNull(ssl = wolfSSL_new(ctx));
4930
4931 /* Generate the client-side PQC hybrid key share so the truncated
4932 * ServerHello key_share will be processed (group must match). */
4933 ExpectIntEQ(wolfSSL_UseKeyShare(ssl, WOLFSSL_SECP256R1MLKEM768),
4934 WOLFSSL_SUCCESS);
4935
4936 msg.buffer = serverHello;
4937 msg.length = (unsigned int)sizeof(serverHello);
4938 wolfSSL_SetIOReadCtx(ssl, &msg);
4939
4940 /* Connect should fail gracefully on the truncated key share. */
4941 ExpectIntEQ(wolfSSL_connect_TLSv13(ssl),
4942 WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR));
4943
4944 /* The UAF, if present, triggers here: wolfSSL_free -> TLSX_FreeAll ->
4945 * TLSX_KeyShare_FreeAll -> ForceZero on already-freed KyberKey. */
4946 wolfSSL_free(ssl);
4947 wolfSSL_CTX_free(ctx);
4948#endif
4949 return EXPECT_RESULT();
4950}
4951
4952/* Test that a malformed ECDH portion in a correctly-sized PQC hybrid
4953 * KeyShare does not leave a dangling pointer in keyShareEntry->key.
4954 *
4955 * The earlier truncated-keyshare test is rejected by the keLen <= ctSz
4956 * check before TLSX_KeyShare_ProcessPqcHybridClient sets up the
4957 * ecc_kse->key = keyShareEntry->key alias, so it does not exercise the
4958 * dangling-pointer path. This test sends a SECP256R1MLKEM768 key_share
4959 * whose total length is correct (65-byte ECDH point + 1088-byte ML-KEM
4960 * ciphertext = 1153 bytes) but whose ECDH leading byte (0x05) is not a
4961 * valid X9.63 marker. ProcessEcc_ex then fails at wc_ecc_import_x963
4962 * AFTER its unconditional cleanup at the end of the function frees the
4963 * aliased key. Without the fix, the outer keyShareEntry->key still
4964 * holds the freed pointer; wolfSSL_free -> TLSX_KeyShare_FreeAll calls
4965 * wc_ecc_free + XFREE on it, producing a use-after-free and a double
4966 * free that ASAN flags. */
4967int test_tls13_pqc_hybrid_malformed_ecdh(void)
4968{
4969 EXPECT_DECLS;
4970#if defined(WOLFSSL_TLS13) && !defined(NO_WOLFSSL_CLIENT) && \
4971 defined(WOLFSSL_HAVE_MLKEM) && defined(WOLFSSL_PQC_HYBRIDS) && \
4972 !defined(WOLFSSL_NO_ML_KEM_768) && defined(HAVE_ECC) && \
4973 !defined(WOLFSSL_MLKEM_NO_DECAPSULATE) && \
4974 !defined(WOLFSSL_MLKEM_NO_MAKE_KEY) && \
4975 (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && \
4976 !defined(NO_ECC_SECP)
4977 WOLFSSL_CTX *ctx = NULL;
4978 WOLFSSL *ssl = NULL;
4979 /* 5 (record) + 4 (HS) + 1207 (ServerHello body) = 1216 bytes. */
4980 static byte serverHello[1216];
4981 word32 i = 0;
4982 WOLFSSL_BUFFER_INFO msg;
4983
4984 XMEMSET(serverHello, 0, sizeof(serverHello));
4985
4986 /* Record: handshake, TLS 1.2 compat, length 1211 (0x04bb). */
4987 serverHello[i++] = 0x16; serverHello[i++] = 0x03; serverHello[i++] = 0x03;
4988 serverHello[i++] = 0x04; serverHello[i++] = 0xbb;
4989 /* Handshake: ServerHello (0x02), length 1207 (0x0004b7). */
4990 serverHello[i++] = 0x02;
4991 serverHello[i++] = 0x00; serverHello[i++] = 0x04; serverHello[i++] = 0xb7;
4992 /* legacy_version */
4993 serverHello[i++] = 0x03; serverHello[i++] = 0x03;
4994 /* random (32 bytes) */
4995 XMEMSET(&serverHello[i], 0x42, 32); i += 32;
4996 /* legacy_session_id_echo length: 0 */
4997 serverHello[i++] = 0x00;
4998 /* cipher_suite: TLS_AES_128_GCM_SHA256 */
4999 serverHello[i++] = 0x13; serverHello[i++] = 0x01;
5000 /* legacy_compression_method: null */
5001 serverHello[i++] = 0x00;
5002 /* extensions length: 1167 (0x048f) */
5003 serverHello[i++] = 0x04; serverHello[i++] = 0x8f;
5004 /* extension: supported_versions -> TLS 1.3 */
5005 serverHello[i++] = 0x00; serverHello[i++] = 0x2b;
5006 serverHello[i++] = 0x00; serverHello[i++] = 0x02;
5007 serverHello[i++] = 0x03; serverHello[i++] = 0x04;
5008 /* extension: key_share, extension_data length 1157 (0x0485) */
5009 serverHello[i++] = 0x00; serverHello[i++] = 0x33;
5010 serverHello[i++] = 0x04; serverHello[i++] = 0x85;
5011 /* server_share.group: SECP256R1MLKEM768 (0x11eb) */
5012 serverHello[i++] = 0x11; serverHello[i++] = 0xeb;
5013 /* key_exchange length: 1153 (0x0481) */
5014 serverHello[i++] = 0x04; serverHello[i++] = 0x81;
5015 /* ECDH portion (65 bytes): leading 0x05 is not a valid X9.63 marker
5016 * (valid markers: 0x04, 0x06, 0x07). The remaining 64 bytes stay zero
5017 * from the initial XMEMSET. */
5018 serverHello[i++] = 0x05;
5019 i += 64;
5020 /* PQC portion (1088 bytes): all zero from the initial XMEMSET. */
5021 i += 1088;
5022 AssertIntEQ((int)i, (int)sizeof(serverHello));
5023
5024 ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method()));
5025 wolfSSL_SetIORecv(ctx, PqcHybridUafRecv);
5026 wolfSSL_SetIOSend(ctx, PqcHybridUafSend);
5027
5028 ExpectNotNull(ssl = wolfSSL_new(ctx));
5029
5030 /* Match the server's offered group so this key_share is processed. */
5031 ExpectIntEQ(wolfSSL_UseKeyShare(ssl, WOLFSSL_SECP256R1MLKEM768),
5032 WOLFSSL_SUCCESS);
5033
5034 msg.buffer = serverHello;
5035 msg.length = (unsigned int)sizeof(serverHello);
5036 wolfSSL_SetIOReadCtx(ssl, &msg);
5037
5038 /* Connect should fail gracefully on the malformed ECDH point. */
5039 ExpectIntEQ(wolfSSL_connect_TLSv13(ssl),
5040 WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR));
5041
5042 /* Without the fix, this triggers UAF + double-free in
5043 * TLSX_KeyShare_FreeAll. */
5044 wolfSSL_free(ssl);
5045 wolfSSL_CTX_free(ctx);
5046#endif
5047 return EXPECT_RESULT();
5048}
5049
5050/* Test that a TLS 1.3 NewSessionTicket with a ticket shorter than ID_LEN
5051 * (32 bytes) does not cause an unsigned integer underflow / OOB read in
5052 * SetTicket. Uses a full memio handshake, then injects a crafted
5053 * NewSessionTicket with a 5-byte ticket into the client's read path. */
5054int test_tls13_empty_record_limit(void)
5055{
5056 EXPECT_DECLS;
5057#if defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && defined(WOLFSSL_TLS13)
5058 struct test_memio_ctx test_ctx;
5059 WOLFSSL_CTX *ctx_c = NULL, *ctx_s = NULL;
5060 WOLFSSL *ssl_c = NULL, *ssl_s = NULL;
5061 int recSz = 0;
5062 /* Send exactly WOLFSSL_MAX_EMPTY_RECORDS to pin the boundary check.
5063 * The Nth record increments the counter to N, and `N >= N` triggers
5064 * the error. Sending one more would let a `>=` -> `>` mutation survive
5065 * (the extra record would still trip the mutated check). */
5066 int numRecs = WOLFSSL_MAX_EMPTY_RECORDS;
5067 byte rec[128]; /* buffer for one encrypted record */
5068 byte *allRecs = NULL;
5069 int i;
5070 char buf[64];
5071
5072 /* Test 1: Exceeding the empty record limit returns an error. */
5073 XMEMSET(&test_ctx, 0, sizeof(test_ctx));
5074 ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
5075 wolfTLSv1_3_client_method, wolfTLSv1_3_server_method), 0);
5076
5077 ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
5078
5079 if (EXPECT_SUCCESS()) {
5080 /* Consume any post-handshake messages (e.g. NewSessionTicket). */
5081 wolfSSL_read(ssl_c, buf, sizeof(buf));
5082 test_memio_clear_buffer(&test_ctx, 0);
5083 test_memio_clear_buffer(&test_ctx, 1);
5084
5085 /* Get the size of an encrypted zero-length app data record. */
5086 recSz = BuildTls13Message(ssl_c, NULL, 0, NULL, 0,
5087 application_data, 0, 1, 0);
5088 ExpectIntGT(recSz, 0);
5089 ExpectIntLE(recSz, (int)sizeof(rec));
5090 }
5091
5092 /* Build all empty records into one contiguous buffer. */
5093 if (EXPECT_SUCCESS()) {
5094 allRecs = (byte*)XMALLOC((size_t)(recSz * numRecs), NULL,
5095 DYNAMIC_TYPE_TMP_BUFFER);
5096 ExpectNotNull(allRecs);
5097 }
5098
5099 for (i = 0; i < numRecs && EXPECT_SUCCESS(); i++) {
5100 XMEMSET(rec, 0, sizeof(rec));
5101 ExpectIntEQ(BuildTls13Message(ssl_c, rec, (int)sizeof(rec), rec +
5102 RECORD_HEADER_SZ, 0, application_data, 0, 0, 0),
5103 recSz);
5104 XMEMCPY(allRecs + i * recSz, rec, (size_t)recSz);
5105 }
5106
5107 /* Inject all records as a single message. */
5108 if (EXPECT_SUCCESS()) {
5109 ExpectIntEQ(test_memio_inject_message(&test_ctx, 0,
5110 (const char*)allRecs, recSz * numRecs), 0);
5111 }
5112
5113 /* The server's wolfSSL_read should fail with EMPTY_RECORD_LIMIT_E. */
5114 if (EXPECT_SUCCESS()) {
5115 ExpectIntEQ(wolfSSL_read(ssl_s, buf, sizeof(buf)),
5116 WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR));
5117 ExpectIntEQ(wolfSSL_get_error(ssl_s, WOLFSSL_FATAL_ERROR),
5118 WC_NO_ERR_TRACE(EMPTY_RECORD_LIMIT_E));
5119 }
5120
5121 XFREE(allRecs, NULL, DYNAMIC_TYPE_TMP_BUFFER);
5122 allRecs = NULL;
5123 wolfSSL_free(ssl_c);
5124 ssl_c = NULL;
5125 wolfSSL_free(ssl_s);
5126 ssl_s = NULL;
5127 wolfSSL_CTX_free(ctx_c);
5128 ctx_c = NULL;
5129 wolfSSL_CTX_free(ctx_s);
5130 ctx_s = NULL;
5131
5132 /* Test 2: Counter resets on non-empty record.
5133 * Send (limit - 1) empty records, then 1 non-empty, then (limit - 1)
5134 * more empty records. Should succeed without hitting the limit. */
5135 XMEMSET(&test_ctx, 0, sizeof(test_ctx));
5136 ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
5137 wolfTLSv1_3_client_method, wolfTLSv1_3_server_method), 0);
5138
5139 ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
5140
5141 if (EXPECT_SUCCESS()) {
5142 wolfSSL_read(ssl_c, buf, sizeof(buf));
5143 test_memio_clear_buffer(&test_ctx, 0);
5144 test_memio_clear_buffer(&test_ctx, 1);
5145
5146 recSz = BuildTls13Message(ssl_c, NULL, 0, NULL, 0,
5147 application_data, 0, 1, 0);
5148 ExpectIntGT(recSz, 0);
5149 }
5150
5151 if (EXPECT_SUCCESS()) {
5152 int emptyBefore = WOLFSSL_MAX_EMPTY_RECORDS - 1;
5153 int emptyAfter = WOLFSSL_MAX_EMPTY_RECORDS - 1;
5154 int dataRecSz = 0;
5155 byte dataRec[128];
5156 byte payload[1] = { 'a' };
5157 int totalSz = 0;
5158
5159 if (EXPECT_SUCCESS()) {
5160 dataRecSz = BuildTls13Message(ssl_c, NULL, 0, NULL, 1,
5161 application_data, 0, 1, 0);
5162 ExpectIntGT(dataRecSz, 0);
5163 }
5164
5165 if (EXPECT_SUCCESS()) {
5166 totalSz = recSz * (emptyBefore + emptyAfter) + dataRecSz;
5167 allRecs = (byte*)XMALLOC((size_t)totalSz, NULL,
5168 DYNAMIC_TYPE_TMP_BUFFER);
5169 ExpectNotNull(allRecs);
5170 }
5171
5172 /* Build (limit - 1) empty records */
5173 for (i = 0; i < emptyBefore && EXPECT_SUCCESS(); i++) {
5174 XMEMSET(rec, 0, sizeof(rec));
5175 ExpectIntEQ(BuildTls13Message(ssl_c, rec, (int)sizeof(rec),
5176 rec + RECORD_HEADER_SZ, 0, application_data,
5177 0, 0, 0), recSz);
5178 XMEMCPY(allRecs + i * recSz, rec, (size_t)recSz);
5179 }
5180
5181 /* Build 1 non-empty record */
5182 if (EXPECT_SUCCESS()) {
5183 XMEMSET(dataRec, 0, sizeof(dataRec));
5184 XMEMCPY(dataRec + RECORD_HEADER_SZ, payload, sizeof(payload));
5185 ExpectIntEQ(BuildTls13Message(ssl_c, dataRec, (int)sizeof(dataRec),
5186 dataRec + RECORD_HEADER_SZ, 1, application_data,
5187 0, 0, 0), dataRecSz);
5188 XMEMCPY(allRecs + emptyBefore * recSz, dataRec,
5189 (size_t)dataRecSz);
5190 }
5191
5192 /* Build (limit - 1) more empty records */
5193 for (i = 0; i < emptyAfter && EXPECT_SUCCESS(); i++) {
5194 XMEMSET(rec, 0, sizeof(rec));
5195 ExpectIntEQ(BuildTls13Message(ssl_c, rec, (int)sizeof(rec),
5196 rec + RECORD_HEADER_SZ, 0, application_data,
5197 0, 0, 0), recSz);
5198 XMEMCPY(allRecs + emptyBefore * recSz + dataRecSz + i * recSz,
5199 rec, (size_t)recSz);
5200 }
5201
5202 if (EXPECT_SUCCESS()) {
5203 ExpectIntEQ(test_memio_inject_message(&test_ctx, 0,
5204 (const char*)allRecs, totalSz), 0);
5205 }
5206 }
5207
5208 /* wolfSSL_read should return the 1-byte payload. The counter resets
5209 * on the non-empty record so neither batch of (limit - 1) empties
5210 * triggers the error. */
5211 if (EXPECT_SUCCESS()) {
5212 ExpectIntEQ(wolfSSL_read(ssl_s, buf, sizeof(buf)), 1);
5213 ExpectIntEQ(buf[0], 'a');
5214 }
5215
5216 XFREE(allRecs, NULL, DYNAMIC_TYPE_TMP_BUFFER);
5217 wolfSSL_free(ssl_c);
5218 wolfSSL_free(ssl_s);
5219 wolfSSL_CTX_free(ctx_c);
5220 wolfSSL_CTX_free(ctx_s);
5221#endif
5222 return EXPECT_RESULT();
5223}
5224
5225/* Test that a TLS 1.3 NewSessionTicket with a ticket shorter than ID_LEN
5226 * (32 bytes) does not cause an unsigned integer underflow / OOB read in
5227 * SetTicket. Uses a full memio handshake, then injects a crafted
5228 * NewSessionTicket with a 5-byte ticket into the client's read path. */
5229
5230int test_tls13_short_session_ticket(void)
5231{
5232 EXPECT_DECLS;
5233#if defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \
5234 defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET)
5235 struct test_memio_ctx test_ctx;
5236 WOLFSSL_CTX *ctx_c = NULL, *ctx_s = NULL;
5237 WOLFSSL *ssl_c = NULL, *ssl_s = NULL;
5238 char buf[64];
5239
5240 XMEMSET(&test_ctx, 0, sizeof(test_ctx));
5241 ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
5242 wolfTLSv1_3_client_method, wolfTLSv1_3_server_method), 0);
5243
5244 /* Complete a TLS 1.3 handshake. The server will send a
5245 * NewSessionTicket as part of post-handshake messages. */
5246 ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
5247
5248 /* Read on client to consume the server's NewSessionTicket. */
5249 ExpectIntEQ(wolfSSL_read(ssl_c, buf, sizeof(buf)), -1);
5250 ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_READ);
5251
5252 /* Now directly test SetTicket with a short ticket by poking the
5253 * session. The session object is accessible; replicate the exact
5254 * vulnerable arithmetic: ticket + length - ID_LEN with length=5.
5255 * With the fix, sessIdLen is capped to length so no underflow. */
5256 {
5257 byte shortTicket[5] = { 0xBB, 0xCC, 0xDD, 0xEE, 0xFF };
5258 word32 length = sizeof(shortTicket);
5259 word32 sessIdLen = ID_LEN;
5260
5261 if (length < ID_LEN)
5262 sessIdLen = length;
5263
5264 XMEMCPY(ssl_c->session->staticTicket, shortTicket, length);
5265 ssl_c->session->ticketLen = (word16)length;
5266 ssl_c->session->ticket = ssl_c->session->staticTicket;
5267
5268 /* This is the exact code from SetTicket. Before the fix,
5269 * sessIdLen would be ID_LEN (32), causing: ticket + 5 - 32
5270 * to underflow and read OOB. */
5271 XMEMSET(ssl_c->session->sessionID, 0, ID_LEN);
5272 XMEMCPY(ssl_c->session->sessionID,
5273 ssl_c->session->ticket + length - sessIdLen,
5274 sessIdLen);
5275 ssl_c->session->sessionIDSz = ID_LEN;
5276
5277 /* Verify: sessionID should contain only the 5 ticket bytes,
5278 * zero-padded, not garbage from an OOB read. */
5279 ExpectBufEQ(ssl_c->session->sessionID, shortTicket, 5);
5280 }
5281
5282 wolfSSL_free(ssl_c);
5283 wolfSSL_free(ssl_s);
5284 wolfSSL_CTX_free(ctx_c);
5285 wolfSSL_CTX_free(ctx_s);
5286#endif
5287 return EXPECT_RESULT();
5288}
5289
5290
5291/* Test that a corrupted TLS 1.3 Finished verify_data is properly rejected
5292 * with VERIFY_FINISHED_ERROR. We run the handshake step-by-step and corrupt
5293 * the server's client_write_MAC_secret before it processes the client's
5294 * Finished, causing the HMAC comparison to fail.
5295 */
5296int test_tls13_corrupted_finished(void)
5297{
5298 EXPECT_DECLS;
5299#if defined(WOLFSSL_TLS13) && \
5300 defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \
5301 !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER)
5302 WOLFSSL_CTX *ctx_c = NULL;
5303 WOLFSSL_CTX *ctx_s = NULL;
5304 WOLFSSL *ssl_c = NULL;
5305 WOLFSSL *ssl_s = NULL;
5306 struct test_memio_ctx test_ctx;
5307
5308 XMEMSET(&test_ctx, 0, sizeof(test_ctx));
5309 ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
5310 wolfTLSv1_3_client_method, wolfTLSv1_3_server_method), 0);
5311
5312 /* Step 1: Client sends ClientHello */
5313 ExpectIntNE(wolfSSL_connect(ssl_c), WOLFSSL_SUCCESS);
5314 ExpectIntEQ(wolfSSL_get_error(ssl_c, WOLFSSL_FATAL_ERROR),
5315 WOLFSSL_ERROR_WANT_READ);
5316
5317 /* Step 2: Server processes CH, sends SH + EE + Cert + CV + Finished */
5318 ExpectIntNE(wolfSSL_accept(ssl_s), WOLFSSL_SUCCESS);
5319 ExpectIntEQ(wolfSSL_get_error(ssl_s, WOLFSSL_FATAL_ERROR),
5320 WOLFSSL_ERROR_WANT_READ);
5321
5322 /* Step 3: Client processes server flight, verifies server Finished,
5323 * sends client Finished */
5324 ExpectIntEQ(wolfSSL_connect(ssl_c), WOLFSSL_SUCCESS);
5325
5326 /* Corrupt the server's client_write_MAC_secret so that when it computes
5327 * the expected Finished HMAC, the result won't match the client's actual
5328 * Finished message. */
5329 if (EXPECT_SUCCESS()) {
5330 XMEMSET(ssl_s->keys.client_write_MAC_secret, 0xFF,
5331 sizeof(ssl_s->keys.client_write_MAC_secret));
5332 }
5333
5334 /* Step 4: Server processes client Finished - should fail */
5335 ExpectIntNE(wolfSSL_accept(ssl_s), WOLFSSL_SUCCESS);
5336 ExpectIntEQ(wolfSSL_get_error(ssl_s, WOLFSSL_FATAL_ERROR),
5337 WC_NO_ERR_TRACE(VERIFY_FINISHED_ERROR));
5338
5339 wolfSSL_free(ssl_c);
5340 wolfSSL_CTX_free(ctx_c);
5341 wolfSSL_free(ssl_s);
5342 wolfSSL_CTX_free(ctx_s);
5343#endif
5344 return EXPECT_RESULT();
5345}
5346
5347
5348/* Test the TLS 1.3 peerAuthGood fail-safe checks on both sides.
5349 * The client branch queues a real server flight before forcing
5350 * FIRST_REPLY_SECOND on a live handshake object, and the server branch clears
5351 * peerAuthGood just before processing the client's Finished.
5352 */
5353int test_tls13_peerauth_failsafe(void)
5354{
5355 EXPECT_DECLS;
5356#if defined(WOLFSSL_TLS13) && \
5357 defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \
5358 !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER)
5359 WOLFSSL_CTX *ctx_c = NULL;
5360 WOLFSSL_CTX *ctx_s = NULL;
5361 WOLFSSL *ssl_c = NULL;
5362 WOLFSSL *ssl_s = NULL;
5363 struct test_memio_ctx test_ctx;
5364 int ret;
5365
5366 XMEMSET(&test_ctx, 0, sizeof(test_ctx));
5367 ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
5368 wolfTLSv1_3_client_method, wolfTLSv1_3_server_method), 0);
5369
5370 if (EXPECT_SUCCESS()) {
5371 /* Queue ClientHello and server flight. */
5372 ExpectIntNE(wolfSSL_connect(ssl_c), WOLFSSL_SUCCESS);
5373 ExpectIntEQ(wolfSSL_get_error(ssl_c, WOLFSSL_FATAL_ERROR),
5374 WOLFSSL_ERROR_WANT_READ);
5375 ExpectIntNE(wolfSSL_accept(ssl_s), WOLFSSL_SUCCESS);
5376 ExpectIntEQ(wolfSSL_get_error(ssl_s, WOLFSSL_FATAL_ERROR),
5377 WOLFSSL_ERROR_WANT_READ);
5378
5379 ssl_c->options.peerAuthGood = 0;
5380 ssl_c->options.sendVerify = 0;
5381 ssl_c->options.connectState = FIRST_REPLY_SECOND;
5382 ret = wolfSSL_connect(ssl_c);
5383 ExpectIntEQ(ret, WOLFSSL_FATAL_ERROR);
5384 ExpectIntEQ(ssl_c->options.connectState, FIRST_REPLY_SECOND);
5385 }
5386
5387 wolfSSL_free(ssl_c);
5388 wolfSSL_CTX_free(ctx_c);
5389 wolfSSL_free(ssl_s);
5390 wolfSSL_CTX_free(ctx_s);
5391
5392 XMEMSET(&test_ctx, 0, sizeof(test_ctx));
5393 ctx_c = NULL;
5394 ctx_s = NULL;
5395 ssl_c = NULL;
5396 ssl_s = NULL;
5397 ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
5398 wolfTLSv1_3_client_method, wolfTLSv1_3_server_method), 0);
5399
5400 if (EXPECT_SUCCESS()) {
5401 ExpectIntNE(wolfSSL_connect(ssl_c), WOLFSSL_SUCCESS);
5402 ExpectIntEQ(wolfSSL_get_error(ssl_c, WOLFSSL_FATAL_ERROR),
5403 WOLFSSL_ERROR_WANT_READ);
5404 ExpectIntNE(wolfSSL_accept(ssl_s), WOLFSSL_SUCCESS);
5405 ExpectIntEQ(wolfSSL_get_error(ssl_s, WOLFSSL_FATAL_ERROR),
5406 WOLFSSL_ERROR_WANT_READ);
5407 ExpectIntEQ(wolfSSL_connect(ssl_c), WOLFSSL_SUCCESS);
5408
5409 ssl_s->options.peerAuthGood = 0;
5410 ret = wolfSSL_accept(ssl_s);
5411 ExpectIntEQ(ret, WOLFSSL_FATAL_ERROR);
5412 ExpectIntEQ(ssl_s->options.peerAuthGood, 0);
5413 }
5414
5415 wolfSSL_free(ssl_c);
5416 wolfSSL_CTX_free(ctx_c);
5417 wolfSSL_free(ssl_s);
5418 wolfSSL_CTX_free(ctx_s);
5419#endif
5420 return EXPECT_RESULT();
5421}
5422
5423
5424/* Test that a corrupted HRR cookie HMAC is rejected with HRR_COOKIE_ERROR. */
5425int test_tls13_hrr_bad_cookie(void)
5426{
5427 EXPECT_DECLS;
5428#if defined(WOLFSSL_TLS13) && \
5429 defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \
5430 defined(WOLFSSL_SEND_HRR_COOKIE) && \
5431 !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER)
5432 WOLFSSL_CTX *ctx_c = NULL;
5433 WOLFSSL_CTX *ctx_s = NULL;
5434 WOLFSSL *ssl_c = NULL;
5435 WOLFSSL *ssl_s = NULL;
5436 struct test_memio_ctx test_ctx;
5437
5438 XMEMSET(&test_ctx, 0, sizeof(test_ctx));
5439 ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
5440 wolfTLSv1_3_client_method, wolfTLSv1_3_server_method), 0);
5441
5442 ExpectIntEQ(wolfSSL_send_hrr_cookie(ssl_s, NULL, 0), WOLFSSL_SUCCESS);
5443 ExpectIntEQ(wolfSSL_NoKeyShares(ssl_c), WOLFSSL_SUCCESS);
5444
5445 /* Step 1: Client sends CH1 (no key shares) */
5446 ExpectIntNE(wolfSSL_connect(ssl_c), WOLFSSL_SUCCESS);
5447 ExpectIntEQ(wolfSSL_get_error(ssl_c, WOLFSSL_FATAL_ERROR),
5448 WOLFSSL_ERROR_WANT_READ);
5449
5450 /* Step 2: Server sends HRR with cookie */
5451 ExpectIntNE(wolfSSL_accept(ssl_s), WOLFSSL_SUCCESS);
5452 ExpectIntEQ(wolfSSL_get_error(ssl_s, WOLFSSL_FATAL_ERROR),
5453 WOLFSSL_ERROR_WANT_READ);
5454
5455 /* Step 3: Client processes HRR, sends CH2 with cookie */
5456 ExpectIntNE(wolfSSL_connect(ssl_c), WOLFSSL_SUCCESS);
5457 ExpectIntEQ(wolfSSL_get_error(ssl_c, WOLFSSL_FATAL_ERROR),
5458 WOLFSSL_ERROR_WANT_READ);
5459
5460 /* Corrupt the server-side cookie secret after HRR so CH2's cookie no longer
5461 * verifies in TlsCheckCookie(). */
5462 if (EXPECT_SUCCESS()) {
5463 ExpectNotNull(ssl_s->buffers.tls13CookieSecret.buffer);
5464 ExpectIntGT(ssl_s->buffers.tls13CookieSecret.length, 0);
5465 ssl_s->buffers.tls13CookieSecret.buffer[
5466 ssl_s->buffers.tls13CookieSecret.length - 1] ^= 0xFF;
5467 }
5468
5469 /* Step 4: Server processes corrupted CH2 - should fail */
5470 ExpectIntNE(wolfSSL_accept(ssl_s), WOLFSSL_SUCCESS);
5471 ExpectIntEQ(wolfSSL_get_error(ssl_s, WOLFSSL_FATAL_ERROR),
5472 WC_NO_ERR_TRACE(HRR_COOKIE_ERROR));
5473
5474 wolfSSL_free(ssl_c);
5475 wolfSSL_CTX_free(ctx_c);
5476 wolfSSL_free(ssl_s);
5477 wolfSSL_CTX_free(ctx_s);
5478#endif
5479 return EXPECT_RESULT();
5480}
5481
5482/* Test that a TLS 1.3 encrypted record whose inner content type resolves to
5483 * zero is rejected in removeMsgInnerPadding() with PARSE_ERROR and an
5484 * unexpected_message alert. */
5485int test_tls13_zero_inner_content_type(void)
5486{
5487 EXPECT_DECLS;
5488#if defined(WOLFSSL_TLS13) && \
5489 defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \
5490 !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER)
5491 WOLFSSL_CTX *ctx_c = NULL;
5492 WOLFSSL_CTX *ctx_s = NULL;
5493 WOLFSSL *ssl_c = NULL;
5494 WOLFSSL *ssl_s = NULL;
5495 struct test_memio_ctx test_ctx;
5496 WOLFSSL_ALERT_HISTORY h;
5497 byte record[64];
5498 byte dummy = 0;
5499 char readBuf[8];
5500 int recordSz;
5501
5502 XMEMSET(&test_ctx, 0, sizeof(test_ctx));
5503 XMEMSET(&h, 0, sizeof(h));
5504 ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
5505 wolfTLSv1_3_client_method, wolfTLSv1_3_server_method), 0);
5506 ExpectIntEQ(wolfSSL_no_ticket_TLSv13(ssl_s), 0);
5507
5508 ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
5509
5510 if (EXPECT_SUCCESS()) {
5511 ExpectIntEQ(test_ctx.c_len, 0);
5512 ExpectIntEQ(test_ctx.s_len, 0);
5513
5514 recordSz = BuildTls13Message(ssl_c, record, (int)sizeof(record), &dummy,
5515 0, no_type, 0, 0, 0);
5516 ExpectIntGT(recordSz, 0);
5517 ExpectIntEQ(wolfSSL_inject(ssl_s, record, recordSz), WOLFSSL_SUCCESS);
5518 }
5519
5520 ExpectIntEQ(wolfSSL_read(ssl_s, readBuf, (int)sizeof(readBuf)), -1);
5521 ExpectIntEQ(wolfSSL_get_error(ssl_s, -1), WC_NO_ERR_TRACE(PARSE_ERROR));
5522 ExpectIntEQ(wolfSSL_get_alert_history(ssl_s, &h), WOLFSSL_SUCCESS);
5523 ExpectIntEQ(h.last_tx.code, unexpected_message);
5524 ExpectIntEQ(h.last_tx.level, alert_fatal);
5525
5526 wolfSSL_free(ssl_c);
5527 wolfSSL_CTX_free(ctx_c);
5528 wolfSSL_free(ssl_s);
5529 wolfSSL_CTX_free(ctx_s);
5530#endif
5531 return EXPECT_RESULT();
5532}
5533
5534/* Test that a TLS 1.3-capable client rejects downgrade sentinels in a
5535 * downgraded ServerHello random for both TLS 1.2 and TLS 1.1-or-lower. */
5536int test_tls13_downgrade_sentinel(void)
5537{
5538 EXPECT_DECLS;
5539#if defined(WOLFSSL_TLS13) && \
5540 defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \
5541 !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER)
5542 WOLFSSL_CTX *ctx_c = NULL;
5543 WOLFSSL_CTX *ctx_s = NULL;
5544 WOLFSSL *ssl_c = NULL;
5545 WOLFSSL *ssl_s = NULL;
5546 struct test_memio_ctx test_ctx;
5547 WOLFSSL_ALERT_HISTORY h;
5548 int randomOff = 11 + 24;
5549 static const byte downgradeTls12[8] = {
5550 0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01
5551 };
5552#ifndef NO_OLD_TLS
5553 static const byte downgradeTls11[8] = {
5554 0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00
5555 };
5556#endif
5557
5558 XMEMSET(&test_ctx, 0, sizeof(test_ctx));
5559 XMEMSET(&h, 0, sizeof(h));
5560 ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
5561 wolfTLS_client_method, wolfTLSv1_2_server_method), 0);
5562 ExpectIntNE(wolfSSL_connect(ssl_c), WOLFSSL_SUCCESS);
5563 ExpectIntEQ(wolfSSL_get_error(ssl_c, WOLFSSL_FATAL_ERROR),
5564 WOLFSSL_ERROR_WANT_READ);
5565 ExpectIntNE(wolfSSL_accept(ssl_s), WOLFSSL_SUCCESS);
5566 ExpectIntEQ(wolfSSL_get_error(ssl_s, WOLFSSL_FATAL_ERROR),
5567 WOLFSSL_ERROR_WANT_READ);
5568
5569 if (EXPECT_SUCCESS()) {
5570 ExpectIntGT(test_ctx.c_len, randomOff + (int)sizeof(downgradeTls12));
5571 XMEMCPY(test_ctx.c_buff + randomOff, downgradeTls12,
5572 sizeof(downgradeTls12));
5573 }
5574
5575 ExpectIntNE(wolfSSL_connect(ssl_c), WOLFSSL_SUCCESS);
5576 ExpectIntEQ(wolfSSL_get_error(ssl_c, WOLFSSL_FATAL_ERROR),
5577 WC_NO_ERR_TRACE(VERSION_ERROR));
5578 ExpectIntEQ(wolfSSL_get_alert_history(ssl_c, &h), WOLFSSL_SUCCESS);
5579 ExpectTrue(h.last_tx.code == illegal_parameter ||
5580 h.last_tx.code == wolfssl_alert_protocol_version);
5581 ExpectIntEQ(h.last_tx.level, alert_fatal);
5582
5583 wolfSSL_free(ssl_c);
5584 wolfSSL_CTX_free(ctx_c);
5585 wolfSSL_free(ssl_s);
5586 wolfSSL_CTX_free(ctx_s);
5587
5588#ifndef NO_OLD_TLS
5589 XMEMSET(&test_ctx, 0, sizeof(test_ctx));
5590 XMEMSET(&h, 0, sizeof(h));
5591 ctx_c = NULL;
5592 ctx_s = NULL;
5593 ssl_c = NULL;
5594 ssl_s = NULL;
5595 ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
5596 wolfTLS_client_method, wolfTLSv1_1_server_method), 0);
5597 ExpectIntNE(wolfSSL_connect(ssl_c), WOLFSSL_SUCCESS);
5598 ExpectIntEQ(wolfSSL_get_error(ssl_c, WOLFSSL_FATAL_ERROR),
5599 WOLFSSL_ERROR_WANT_READ);
5600 ExpectIntNE(wolfSSL_accept(ssl_s), WOLFSSL_SUCCESS);
5601 ExpectIntEQ(wolfSSL_get_error(ssl_s, WOLFSSL_FATAL_ERROR),
5602 WOLFSSL_ERROR_WANT_READ);
5603
5604 if (EXPECT_SUCCESS()) {
5605 ExpectIntGT(test_ctx.c_len, randomOff + (int)sizeof(downgradeTls11));
5606 XMEMCPY(test_ctx.c_buff + randomOff, downgradeTls11,
5607 sizeof(downgradeTls11));
5608 }
5609
5610 ExpectIntNE(wolfSSL_connect(ssl_c), WOLFSSL_SUCCESS);
5611 ExpectIntEQ(wolfSSL_get_error(ssl_c, WOLFSSL_FATAL_ERROR),
5612 WC_NO_ERR_TRACE(VERSION_ERROR));
5613 ExpectIntEQ(wolfSSL_get_alert_history(ssl_c, &h), WOLFSSL_SUCCESS);
5614 ExpectTrue(h.last_tx.code == illegal_parameter ||
5615 h.last_tx.code == wolfssl_alert_protocol_version);
5616 ExpectIntEQ(h.last_tx.level, alert_fatal);
5617
5618 wolfSSL_free(ssl_c);
5619 wolfSSL_CTX_free(ctx_c);
5620 wolfSSL_free(ssl_s);
5621 wolfSSL_CTX_free(ctx_s);
5622#endif
5623#endif
5624 return EXPECT_RESULT();
5625}
5626
5627/* Test that a TLS 1.3 client rejects ServerHello cipher suites that are not
5628 * TLS 1.3 suites or were not offered by the client. */
5629int test_tls13_serverhello_bad_cipher_suites(void)
5630{
5631 EXPECT_DECLS;
5632#if defined(WOLFSSL_TLS13) && \
5633 defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \
5634 !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) && \
5635 !defined(WOLFSSL_NO_TLS12) && \
5636 defined(BUILD_TLS_AES_128_GCM_SHA256) && \
5637 defined(BUILD_TLS_AES_256_GCM_SHA384)
5638 WOLFSSL_CTX *ctx_c = NULL;
5639 WOLFSSL_CTX *ctx_s = NULL;
5640 WOLFSSL *ssl_c = NULL;
5641 WOLFSSL *ssl_s = NULL;
5642 struct test_memio_ctx test_ctx;
5643 WOLFSSL_CTX *ctx12_c = NULL;
5644 WOLFSSL_CTX *ctx12_s = NULL;
5645 WOLFSSL *ssl12_c = NULL;
5646 WOLFSSL *ssl12_s = NULL;
5647 struct test_memio_ctx test_ctx12;
5648 int suiteOff;
5649 byte tls12Suite0 = 0;
5650 byte tls12Suite = 0;
5651
5652 XMEMSET(&test_ctx12, 0, sizeof(test_ctx12));
5653 ExpectIntEQ(test_memio_setup(&test_ctx12, &ctx12_c, &ctx12_s, &ssl12_c,
5654 &ssl12_s, wolfTLSv1_2_client_method, wolfTLSv1_2_server_method), 0);
5655 ExpectIntEQ(test_memio_do_handshake(ssl12_c, ssl12_s, 10, NULL), 0);
5656 if (EXPECT_SUCCESS()) {
5657 tls12Suite0 = ssl12_c->options.cipherSuite0;
5658 tls12Suite = ssl12_c->options.cipherSuite;
5659 ExpectIntNE(tls12Suite0, TLS13_BYTE);
5660 }
5661 wolfSSL_free(ssl12_c);
5662 wolfSSL_CTX_free(ctx12_c);
5663 wolfSSL_free(ssl12_s);
5664 wolfSSL_CTX_free(ctx12_s);
5665
5666 XMEMSET(&test_ctx, 0, sizeof(test_ctx));
5667 ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
5668 wolfTLSv1_3_client_method, wolfTLSv1_3_server_method), 0);
5669
5670 ExpectIntEQ(wolfSSL_set_cipher_list(ssl_c, "TLS13-AES128-GCM-SHA256"),
5671 WOLFSSL_SUCCESS);
5672 ExpectIntEQ(wolfSSL_set_cipher_list(ssl_s, "TLS13-AES128-GCM-SHA256"),
5673 WOLFSSL_SUCCESS);
5674
5675 ExpectIntNE(wolfSSL_connect(ssl_c), WOLFSSL_SUCCESS);
5676 ExpectIntEQ(wolfSSL_get_error(ssl_c, WOLFSSL_FATAL_ERROR),
5677 WOLFSSL_ERROR_WANT_READ);
5678 ExpectIntNE(wolfSSL_accept(ssl_s), WOLFSSL_SUCCESS);
5679 ExpectIntEQ(wolfSSL_get_error(ssl_s, WOLFSSL_FATAL_ERROR),
5680 WOLFSSL_ERROR_WANT_READ);
5681
5682 suiteOff = 44 + (byte)test_ctx.c_buff[43];
5683 if (EXPECT_SUCCESS()) {
5684 ExpectIntGT(test_ctx.c_len, suiteOff + 1);
5685 ExpectNotNull(ssl_c->suites);
5686 ssl_c->suites->suiteSz = 2;
5687 ssl_c->suites->suites[0] = tls12Suite0;
5688 ssl_c->suites->suites[1] = tls12Suite;
5689 test_ctx.c_buff[suiteOff + 0] = tls12Suite0;
5690 test_ctx.c_buff[suiteOff + 1] = tls12Suite;
5691 }
5692
5693 ExpectIntNE(wolfSSL_connect(ssl_c), WOLFSSL_SUCCESS);
5694 ExpectIntEQ(wolfSSL_get_error(ssl_c, WOLFSSL_FATAL_ERROR),
5695 WC_NO_ERR_TRACE(INVALID_PARAMETER));
5696
5697 wolfSSL_free(ssl_c);
5698 wolfSSL_CTX_free(ctx_c);
5699 wolfSSL_free(ssl_s);
5700 wolfSSL_CTX_free(ctx_s);
5701
5702 XMEMSET(&test_ctx, 0, sizeof(test_ctx));
5703 ctx_c = NULL;
5704 ctx_s = NULL;
5705 ssl_c = NULL;
5706 ssl_s = NULL;
5707 ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
5708 wolfTLSv1_3_client_method, wolfTLSv1_3_server_method), 0);
5709
5710 ExpectIntEQ(wolfSSL_set_cipher_list(ssl_c, "TLS13-AES128-GCM-SHA256"),
5711 WOLFSSL_SUCCESS);
5712 ExpectIntEQ(wolfSSL_set_cipher_list(ssl_s, "TLS13-AES128-GCM-SHA256"),
5713 WOLFSSL_SUCCESS);
5714
5715 ExpectIntNE(wolfSSL_connect(ssl_c), WOLFSSL_SUCCESS);
5716 ExpectIntEQ(wolfSSL_get_error(ssl_c, WOLFSSL_FATAL_ERROR),
5717 WOLFSSL_ERROR_WANT_READ);
5718 ExpectIntNE(wolfSSL_accept(ssl_s), WOLFSSL_SUCCESS);
5719 ExpectIntEQ(wolfSSL_get_error(ssl_s, WOLFSSL_FATAL_ERROR),
5720 WOLFSSL_ERROR_WANT_READ);
5721
5722 suiteOff = 44 + (byte)test_ctx.c_buff[43];
5723 if (EXPECT_SUCCESS()) {
5724 ExpectIntGT(test_ctx.c_len, suiteOff + 1);
5725 test_ctx.c_buff[suiteOff + 0] = TLS13_BYTE;
5726 test_ctx.c_buff[suiteOff + 1] = TLS_AES_256_GCM_SHA384;
5727 }
5728
5729 ExpectIntNE(wolfSSL_connect(ssl_c), WOLFSSL_SUCCESS);
5730 ExpectIntEQ(wolfSSL_get_error(ssl_c, WOLFSSL_FATAL_ERROR),
5731 WC_NO_ERR_TRACE(INVALID_PARAMETER));
5732
5733 wolfSSL_free(ssl_c);
5734 wolfSSL_CTX_free(ctx_c);
5735 wolfSSL_free(ssl_s);
5736 wolfSSL_CTX_free(ctx_s);
5737#endif
5738 return EXPECT_RESULT();
5739}
5740
5741/* Verify that a peer certificate restored from a session ticket is re-verified
5742 * against the current trust store. After CA removal, the cert must not be
5743 * installed into ssl->peerCert even though the ticket itself decrypts fine. */
5744int test_tls13_ticket_peer_cert_reverify(void)
5745{
5746 EXPECT_DECLS;
5747#if defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \
5748 defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET) && \
5749 defined(OPENSSL_ALL) && defined(KEEP_PEER_CERT) && \
5750 !defined(NO_CERT_IN_TICKET) && !defined(WOLFSSL_NO_TLS12) && \
5751 !defined(NO_RSA) && !defined(WOLFSSL_NO_DEF_TICKET_ENC_CB)
5752 struct test_memio_ctx test_ctx;
5753 WOLFSSL_CTX *ctx_c = NULL, *ctx_s = NULL;
5754 WOLFSSL *ssl_c = NULL, *ssl_s = NULL;
5755 WOLFSSL_SESSION *sess = NULL;
5756 WOLFSSL_X509 *peer = NULL;
5757 char readBuf[64];
5758
5759 /* --- Step 1: mTLS handshake, obtain a session ticket --- */
5760 XMEMSET(&test_ctx, 0, sizeof(test_ctx));
5761
5762 /* Set up CTXs manually so we can configure mTLS before SSL creation */
5763 ExpectNotNull(ctx_c = wolfSSL_CTX_new(wolfTLSv1_3_client_method()));
5764 ExpectIntEQ(wolfSSL_CTX_load_verify_locations(ctx_c, caCertFile, 0),
5765 WOLFSSL_SUCCESS);
5766 ExpectIntEQ(wolfSSL_CTX_use_certificate_file(ctx_c, cliCertFile,
5767 WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
5768 ExpectIntEQ(wolfSSL_CTX_use_PrivateKey_file(ctx_c, cliKeyFile,
5769 WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
5770 wolfSSL_SetIORecv(ctx_c, test_memio_read_cb);
5771 wolfSSL_SetIOSend(ctx_c, test_memio_write_cb);
5772
5773 ExpectNotNull(ctx_s = wolfSSL_CTX_new(wolfTLSv1_3_server_method()));
5774 ExpectIntEQ(wolfSSL_CTX_use_certificate_file(ctx_s, svrCertFile,
5775 WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
5776 ExpectIntEQ(wolfSSL_CTX_use_PrivateKey_file(ctx_s, svrKeyFile,
5777 WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
5778 /* Server trusts both its own CA and the client CA for mTLS */
5779 ExpectIntEQ(wolfSSL_CTX_load_verify_locations(ctx_s, caCertFile, 0),
5780 WOLFSSL_SUCCESS);
5781 ExpectIntEQ(wolfSSL_CTX_load_verify_locations(ctx_s,
5782 "certs/client-ca.pem", 0), WOLFSSL_SUCCESS);
5783 wolfSSL_CTX_set_verify(ctx_s, WOLFSSL_VERIFY_PEER |
5784 WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
5785 wolfSSL_SetIORecv(ctx_s, test_memio_read_cb);
5786 wolfSSL_SetIOSend(ctx_s, test_memio_write_cb);
5787
5788 /* Create SSL objects from fully-configured CTXs */
5789 ExpectNotNull(ssl_c = wolfSSL_new(ctx_c));
5790 wolfSSL_SetIOReadCtx(ssl_c, &test_ctx);
5791 wolfSSL_SetIOWriteCtx(ssl_c, &test_ctx);
5792 ExpectNotNull(ssl_s = wolfSSL_new(ctx_s));
5793 wolfSSL_SetIOReadCtx(ssl_s, &test_ctx);
5794 wolfSSL_SetIOWriteCtx(ssl_s, &test_ctx);
5795
5796 ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
5797
5798 /* Drain post-handshake NewSessionTicket */
5799 ExpectIntEQ(wolfSSL_read(ssl_c, readBuf, sizeof(readBuf)), -1);
5800 ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_READ);
5801
5802 /* Peer cert should be available after initial handshake */
5803 ExpectNotNull(peer = wolfSSL_get_peer_certificate(ssl_s));
5804 wolfSSL_X509_free(peer);
5805 peer = NULL;
5806
5807 ExpectNotNull(sess = wolfSSL_get1_session(ssl_c));
5808
5809 wolfSSL_free(ssl_c);
5810 ssl_c = NULL;
5811 wolfSSL_free(ssl_s);
5812 ssl_s = NULL;
5813
5814 /* --- Step 2: remove the client CA from the server trust store --- */
5815 ExpectIntEQ(wolfSSL_CTX_UnloadCAs(ctx_s), WOLFSSL_SUCCESS);
5816 /* Re-load only the server's own CA so TLS works, but not the client CA */
5817 ExpectIntEQ(wolfSSL_CTX_load_verify_locations(ctx_s, caCertFile, 0),
5818 WOLFSSL_SUCCESS);
5819
5820 /* --- Step 3: resume with the old ticket --- */
5821 XMEMSET(&test_ctx, 0, sizeof(test_ctx));
5822 ExpectNotNull(ssl_c = wolfSSL_new(ctx_c));
5823 wolfSSL_SetIOReadCtx(ssl_c, &test_ctx);
5824 wolfSSL_SetIOWriteCtx(ssl_c, &test_ctx);
5825 ExpectNotNull(ssl_s = wolfSSL_new(ctx_s));
5826 wolfSSL_SetIOReadCtx(ssl_s, &test_ctx);
5827 wolfSSL_SetIOWriteCtx(ssl_s, &test_ctx);
5828
5829 ExpectIntEQ(wolfSSL_set_session(ssl_c, sess), WOLFSSL_SUCCESS);
5830
5831 /* Resumption handshake succeeds (the ticket master secret is fine) */
5832 ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
5833
5834 /* The session should have been resumed via PSK. */
5835 ExpectIntEQ(wolfSSL_session_reused(ssl_s), 1);
5836 /* But the peer cert must NOT be restored because the issuing CA is
5837 * no longer in the trust store. Check the peerCert directly rather
5838 * than wolfSSL_get_peer_certificate which has a session-chain
5839 * fallback that may see stale cache state. */
5840 ExpectIntEQ(ssl_s->peerCert.issuer.sz, 0);
5841
5842 wolfSSL_SESSION_free(sess);
5843 wolfSSL_free(ssl_c);
5844 wolfSSL_free(ssl_s);
5845 wolfSSL_CTX_free(ctx_c);
5846 wolfSSL_CTX_free(ctx_s);
5847#endif
5848 return EXPECT_RESULT();
5849}
5850
5851int test_tls13_clear_preserves_psk_dhe(void)
5852{
5853 EXPECT_DECLS;
5854#if (defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)) && \
5855 defined(WOLFSSL_TLS13) && defined(HAVE_SUPPORTED_CURVES) && \
5856 (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)) && \
5857 !defined(NO_WOLFSSL_CLIENT)
5858 WOLFSSL_CTX* ctx = NULL;
5859 WOLFSSL* ssl = NULL;
5860
5861 ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method()));
5862 ExpectIntEQ(wolfSSL_CTX_no_dhe_psk(ctx), 0);
5863 ExpectNotNull(ssl = wolfSSL_new(ctx));
5864 ExpectIntEQ(ssl->options.noPskDheKe, 1);
5865
5866 /* SSL reuse must preserve the CTX-level noPskDheKe; resetting to 0
5867 * would silently re-enable psk_dhe_ke for the next handshake. */
5868 ExpectIntEQ(wolfSSL_clear(ssl), WOLFSSL_SUCCESS);
5869 ExpectIntEQ(ssl->options.noPskDheKe, 1);
5870
5871 wolfSSL_free(ssl);
5872 wolfSSL_CTX_free(ctx);
5873#endif
5874 return EXPECT_RESULT();
5875}
5876
5877#if defined(WOLFSSL_TLS13) && \
5878 defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \
5879 !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) && \
5880 (defined(BUILD_TLS_AES_128_GCM_SHA256) || \
5881 defined(BUILD_TLS_AES_256_GCM_SHA384) || \
5882 defined(BUILD_TLS_CHACHA20_POLY1305_SHA256) || \
5883 defined(BUILD_TLS_AES_128_CCM_SHA256) || \
5884 defined(BUILD_TLS_AES_128_CCM_8_SHA256))
5885/* One iteration of the AEAD fuzz test: run a fresh handshake
5886 * up to the point where the first AEAD-protected record from the side under
5887 * test sits in the receiver's input buffer, flip one random byte of the
5888 * encrypted payload to a random non-zero value, and confirm the receiver
5889 * fails with VERIFY_MAC_ERROR. side==0 fuzzes the server's first encrypted
5890 * record (EncryptedExtensions, read by the client). side==1 fuzzes the
5891 * client's first encrypted record (Finished, read by the server). */
5892static int test_tls13_cipher_fuzz_once(WC_RNG* rng,
5893 const char* cipher, int side)
5894{
5895 EXPECT_DECLS;
5896 WOLFSSL_CTX *ctx_c = NULL;
5897 WOLFSSL_CTX *ctx_s = NULL;
5898 WOLFSSL *ssl_c = NULL;
5899 WOLFSSL *ssl_s = NULL;
5900 struct test_memio_ctx test_ctx;
5901 byte *buf = NULL;
5902 int buf_len = 0;
5903 int rec_off = 0;
5904 int rec_len = 0;
5905 int fuzz_off;
5906 byte fuzz_xor;
5907 word32 rand32;
5908 int ret;
5909 int err;
5910
5911 XMEMSET(&test_ctx, 0, sizeof(test_ctx));
5912 test_ctx.c_ciphers = cipher;
5913 test_ctx.s_ciphers = cipher;
5914 ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
5915 wolfTLSv1_3_client_method, wolfTLSv1_3_server_method), 0);
5916
5917 /* Drive the handshake forward until the side being fuzzed has written
5918 * its first AEAD-encrypted record into the peer's read buffer. The
5919 * server's first encrypted record is queued after its first
5920 * wolfSSL_accept() (EncryptedExtensions, immediately following
5921 * ServerHello). The client's first encrypted record is queued once
5922 * wolfSSL_connect() returns success and the client has sent its
5923 * Finished. */
5924 ExpectIntNE(wolfSSL_connect(ssl_c), WOLFSSL_SUCCESS);
5925 ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_READ);
5926 ExpectIntNE(wolfSSL_accept(ssl_s), WOLFSSL_SUCCESS);
5927 ExpectIntEQ(wolfSSL_get_error(ssl_s, -1), WOLFSSL_ERROR_WANT_READ);
5928 if (side == 1) {
5929 ExpectIntEQ(wolfSSL_connect(ssl_c), WOLFSSL_SUCCESS);
5930 buf = test_ctx.s_buff;
5931 buf_len = test_ctx.s_len;
5932 }
5933 else {
5934 buf = test_ctx.c_buff;
5935 buf_len = test_ctx.c_len;
5936 }
5937
5938 /* Walk the TLS records in the target buffer and locate the first
5939 * application_data record (content type 0x17), which holds the first
5940 * encrypted handshake message. Plaintext records (ServerHello,
5941 * ChangeCipherSpec for middlebox compatibility) precede it and must be
5942 * skipped over. */
5943 if (EXPECT_SUCCESS()) {
5944 int off = 0;
5945 while (off + 5 <= buf_len) {
5946 int this_len = ((int)buf[off + 3] << 8) | (int)buf[off + 4];
5947 if (buf[off] == 0x17) {
5948 rec_off = off;
5949 rec_len = this_len;
5950 break;
5951 }
5952 off += 5 + this_len;
5953 }
5954 }
5955 ExpectIntGT(rec_len, 0);
5956 ExpectIntLE(rec_off + 5 + rec_len, buf_len);
5957
5958 /* Pick a random offset within the encrypted payload (skipping the
5959 * 5-byte record header) and XOR it with a non-zero value so the byte
5960 * is guaranteed to change. */
5961 if (EXPECT_SUCCESS()) {
5962 rand32 = 0;
5963 fuzz_off = 0;
5964 ExpectIntEQ(wc_RNG_GenerateBlock(rng, (byte*)&rand32,
5965 sizeof(rand32)), 0);
5966 if (EXPECT_SUCCESS()) {
5967 fuzz_off = rec_off + 5 + (int)(rand32 % (word32)rec_len);
5968 }
5969 do {
5970 ExpectIntEQ(wc_RNG_GenerateByte(rng, &fuzz_xor), 0);
5971 } while (EXPECT_SUCCESS() && fuzz_xor == 0);
5972 if (EXPECT_SUCCESS()) {
5973 buf[fuzz_off] ^= fuzz_xor;
5974 }
5975 }
5976
5977 /* Drive the receiving side. It must report VERIFY_MAC_ERROR - the
5978 * corrupted cipher text or tag must surface as a hard error. */
5979 if (EXPECT_SUCCESS()) {
5980 if (side == 1) {
5981 ret = wolfSSL_accept(ssl_s);
5982 err = wolfSSL_get_error(ssl_s, ret);
5983 }
5984 else {
5985 ret = wolfSSL_connect(ssl_c);
5986 err = wolfSSL_get_error(ssl_c, ret);
5987 }
5988 ExpectIntEQ(ret, WOLFSSL_FATAL_ERROR);
5989 ExpectTrue((err == WC_NO_ERR_TRACE(VERIFY_MAC_ERROR)) ||
5990 (err == WC_NO_ERR_TRACE(AES_GCM_AUTH_E)) ||
5991 (err == WC_NO_ERR_TRACE(AES_CCM_AUTH_E)));
5992 }
5993
5994 wolfSSL_free(ssl_c);
5995 wolfSSL_CTX_free(ctx_c);
5996 wolfSSL_free(ssl_s);
5997 wolfSSL_CTX_free(ctx_s);
5998 return EXPECT_RESULT();
5999}
6000
6001/* Run 5 fuzz iterations per side for a single cipher suite. */
6002static int test_tls13_cipher_fuzz_cs(WC_RNG* rng, const char* cipher)
6003{
6004 EXPECT_DECLS;
6005 int side;
6006 int iter;
6007
6008 for (side = 0; side < 2 && EXPECT_SUCCESS(); side++) {
6009 for (iter = 0; iter < 5 && EXPECT_SUCCESS(); iter++) {
6010 int _r = test_tls13_cipher_fuzz_once(rng, cipher, side);
6011 if (_r != TEST_SUCCESS) {
6012 fprintf(stderr, "FAIL cipher=%s side=%d iter=%d\n",
6013 cipher, side, iter);
6014 }
6015 ExpectIntEQ(_r, TEST_SUCCESS);
6016 }
6017 }
6018 return EXPECT_RESULT();
6019}
6020#endif
6021
6022/* Each per-cipher-suite test below runs the fuzz body (test_tls13_cipher_fuzz_cs)
6023 * against a single AEAD cipher: it flips a random byte of the first encrypted
6024 * record on each side of a TLS 1.3 handshake and expects the receiver to fail
6025 * authentication. AEAD authentication makes it cryptographically infeasible
6026 * for any single-byte change in the ciphertext or tag to leave authentication
6027 * intact, so the receiver must report a hard auth error. */
6028
6029int test_tls13_cipher_fuzz_aes128_gcm_sha256(void)
6030{
6031 EXPECT_DECLS;
6032#if defined(WOLFSSL_TLS13) && \
6033 defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \
6034 !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) && \
6035 defined(BUILD_TLS_AES_128_GCM_SHA256)
6036 WC_RNG rng;
6037 int rngInit = 0;
6038
6039 XMEMSET(&rng, 0, sizeof(rng));
6040 ExpectIntEQ(wc_InitRng(&rng), 0);
6041 if (EXPECT_SUCCESS())
6042 rngInit = 1;
6043
6044 ExpectIntEQ(test_tls13_cipher_fuzz_cs(&rng, "TLS13-AES128-GCM-SHA256"),
6045 TEST_SUCCESS);
6046
6047 if (rngInit)
6048 wc_FreeRng(&rng);
6049#endif
6050 return EXPECT_RESULT();
6051}
6052
6053int test_tls13_cipher_fuzz_aes256_gcm_sha384(void)
6054{
6055 EXPECT_DECLS;
6056#if defined(WOLFSSL_TLS13) && \
6057 defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \
6058 !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) && \
6059 defined(BUILD_TLS_AES_256_GCM_SHA384)
6060 WC_RNG rng;
6061 int rngInit = 0;
6062
6063 XMEMSET(&rng, 0, sizeof(rng));
6064 ExpectIntEQ(wc_InitRng(&rng), 0);
6065 if (EXPECT_SUCCESS())
6066 rngInit = 1;
6067
6068 ExpectIntEQ(test_tls13_cipher_fuzz_cs(&rng, "TLS13-AES256-GCM-SHA384"),
6069 TEST_SUCCESS);
6070
6071 if (rngInit)
6072 wc_FreeRng(&rng);
6073#endif
6074 return EXPECT_RESULT();
6075}
6076
6077int test_tls13_cipher_fuzz_chacha20_poly1305_sha256(void)
6078{
6079 EXPECT_DECLS;
6080#if defined(WOLFSSL_TLS13) && \
6081 defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \
6082 !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) && \
6083 defined(BUILD_TLS_CHACHA20_POLY1305_SHA256)
6084 WC_RNG rng;
6085 int rngInit = 0;
6086
6087 XMEMSET(&rng, 0, sizeof(rng));
6088 ExpectIntEQ(wc_InitRng(&rng), 0);
6089 if (EXPECT_SUCCESS())
6090 rngInit = 1;
6091
6092 ExpectIntEQ(test_tls13_cipher_fuzz_cs(&rng,
6093 "TLS13-CHACHA20-POLY1305-SHA256"), TEST_SUCCESS);
6094
6095 if (rngInit)
6096 wc_FreeRng(&rng);
6097#endif
6098 return EXPECT_RESULT();
6099}
6100
6101int test_tls13_cipher_fuzz_aes128_ccm_sha256(void)
6102{
6103 EXPECT_DECLS;
6104#if defined(WOLFSSL_TLS13) && \
6105 defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \
6106 !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) && \
6107 defined(BUILD_TLS_AES_128_CCM_SHA256)
6108 WC_RNG rng;
6109 int rngInit = 0;
6110
6111 XMEMSET(&rng, 0, sizeof(rng));
6112 ExpectIntEQ(wc_InitRng(&rng), 0);
6113 if (EXPECT_SUCCESS())
6114 rngInit = 1;
6115
6116 ExpectIntEQ(test_tls13_cipher_fuzz_cs(&rng, "TLS13-AES128-CCM-SHA256"),
6117 TEST_SUCCESS);
6118
6119 if (rngInit)
6120 wc_FreeRng(&rng);
6121#endif
6122 return EXPECT_RESULT();
6123}
6124
6125int test_tls13_cipher_fuzz_aes128_ccm_8_sha256(void)
6126{
6127 EXPECT_DECLS;
6128#if defined(WOLFSSL_TLS13) && \
6129 defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \
6130 !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) && \
6131 defined(BUILD_TLS_AES_128_CCM_8_SHA256)
6132 WC_RNG rng;
6133 int rngInit = 0;
6134
6135 XMEMSET(&rng, 0, sizeof(rng));
6136 ExpectIntEQ(wc_InitRng(&rng), 0);
6137 if (EXPECT_SUCCESS())
6138 rngInit = 1;
6139
6140 ExpectIntEQ(test_tls13_cipher_fuzz_cs(&rng, "TLS13-AES128-CCM-8-SHA256"),
6141 TEST_SUCCESS);
6142
6143 if (rngInit)
6144 wc_FreeRng(&rng);
6145#endif
6146 return EXPECT_RESULT();
6147}