Skip to content

Commit 7afbb81

Browse files
julek-wolfssljulek-wolfssl
committed
Add message order sanity checks
Reorganize test_dtls tests to use TEST_DECL_GROUP Reorganize test_tls tests to use TEST_DECL_GROUP
1 parent 874633d commit 7afbb81

6 files changed

Lines changed: 551 additions & 34 deletions

File tree

src/internal.c

Lines changed: 68 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -17525,6 +17525,15 @@ static int SanityCheckMsgReceived(WOLFSSL* ssl, byte type)
1752517525
WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
1752617526
return DUPLICATE_MSG_E;
1752717527
}
17528+
if (!ssl->msgsReceived.got_server_hello ||
17529+
ssl->msgsReceived.got_change_cipher ||
17530+
ssl->msgsReceived.got_finished ||
17531+
(!ssl->options.resuming &&
17532+
!ssl->msgsReceived.got_server_hello_done)) {
17533+
WOLFSSL_MSG("session_ticket received in wrong order");
17534+
WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
17535+
return OUT_OF_ORDER_E;
17536+
}
1752817537
ssl->msgsReceived.got_session_ticket = 1;
1752917538

1753017539
break;
@@ -17540,20 +17549,36 @@ static int SanityCheckMsgReceived(WOLFSSL* ssl, byte type)
1754017549

1754117550
#ifndef NO_WOLFSSL_CLIENT
1754217551
if (ssl->options.side == WOLFSSL_CLIENT_END) {
17543-
if ( ssl->msgsReceived.got_server_hello == 0) {
17552+
if (!ssl->msgsReceived.got_server_hello) {
1754417553
WOLFSSL_MSG("No ServerHello before Cert");
1754517554
WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
1754617555
return OUT_OF_ORDER_E;
1754717556
}
17557+
if (ssl->msgsReceived.got_certificate_status ||
17558+
ssl->msgsReceived.got_server_key_exchange ||
17559+
ssl->msgsReceived.got_certificate_request ||
17560+
ssl->msgsReceived.got_server_hello_done) {
17561+
WOLFSSL_MSG("Cert received in wrong order");
17562+
WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
17563+
return OUT_OF_ORDER_E;
17564+
}
1754817565
}
1754917566
#endif
1755017567
#ifndef NO_WOLFSSL_SERVER
1755117568
if (ssl->options.side == WOLFSSL_SERVER_END) {
17552-
if ( ssl->msgsReceived.got_client_hello == 0) {
17569+
if (!ssl->msgsReceived.got_client_hello) {
1755317570
WOLFSSL_MSG("No ClientHello before Cert");
1755417571
WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
1755517572
return OUT_OF_ORDER_E;
1755617573
}
17574+
if (ssl->msgsReceived.got_client_key_exchange ||
17575+
ssl->msgsReceived.got_certificate_verify ||
17576+
ssl->msgsReceived.got_change_cipher ||
17577+
ssl->msgsReceived.got_finished) {
17578+
WOLFSSL_MSG("Cert received in wrong order");
17579+
WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
17580+
return OUT_OF_ORDER_E;
17581+
}
1755717582
}
1755817583
#endif
1755917584
break;
@@ -17572,7 +17597,6 @@ static int SanityCheckMsgReceived(WOLFSSL* ssl, byte type)
1757217597
WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
1757317598
return DUPLICATE_MSG_E;
1757417599
}
17575-
ssl->msgsReceived.got_certificate_status = 1;
1757617600

1757717601
if (ssl->msgsReceived.got_certificate == 0) {
1757817602
WOLFSSL_MSG("No Certificate before CertificateStatus");
@@ -17584,7 +17608,15 @@ static int SanityCheckMsgReceived(WOLFSSL* ssl, byte type)
1758417608
WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
1758517609
return OUT_OF_ORDER_E;
1758617610
}
17611+
if (ssl->msgsReceived.got_server_key_exchange ||
17612+
ssl->msgsReceived.got_certificate_request ||
17613+
ssl->msgsReceived.got_server_hello_done) {
17614+
WOLFSSL_MSG("CertificateStatus received in wrong order");
17615+
WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
17616+
return OUT_OF_ORDER_E;
17617+
}
1758717618

17619+
ssl->msgsReceived.got_certificate_status = 1;
1758817620
break;
1758917621
#endif
1759017622

@@ -17602,14 +17634,19 @@ static int SanityCheckMsgReceived(WOLFSSL* ssl, byte type)
1760217634
WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
1760317635
return DUPLICATE_MSG_E;
1760417636
}
17605-
ssl->msgsReceived.got_server_key_exchange = 1;
17606-
1760717637
if (ssl->msgsReceived.got_server_hello == 0) {
1760817638
WOLFSSL_MSG("No ServerHello before ServerKeyExchange");
1760917639
WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
1761017640
return OUT_OF_ORDER_E;
1761117641
}
17642+
if (ssl->msgsReceived.got_certificate_request ||
17643+
ssl->msgsReceived.got_server_hello_done) {
17644+
WOLFSSL_MSG("ServerKeyExchange received in wrong order");
17645+
WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
17646+
return OUT_OF_ORDER_E;
17647+
}
1761217648

17649+
ssl->msgsReceived.got_server_key_exchange = 1;
1761317650
break;
1761417651
#endif
1761517652

@@ -17627,6 +17664,16 @@ static int SanityCheckMsgReceived(WOLFSSL* ssl, byte type)
1762717664
WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
1762817665
return DUPLICATE_MSG_E;
1762917666
}
17667+
if (ssl->msgsReceived.got_server_hello == 0) {
17668+
WOLFSSL_MSG("No ServerHello before CertificateRequest");
17669+
WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
17670+
return OUT_OF_ORDER_E;
17671+
}
17672+
if (ssl->msgsReceived.got_server_hello_done) {
17673+
WOLFSSL_MSG("CertificateRequest received in wrong order");
17674+
WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
17675+
return OUT_OF_ORDER_E;
17676+
}
1763017677
ssl->msgsReceived.got_certificate_request = 1;
1763117678

1763217679
break;
@@ -17746,13 +17793,18 @@ static int SanityCheckMsgReceived(WOLFSSL* ssl, byte type)
1774617793
WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
1774717794
return DUPLICATE_MSG_E;
1774817795
}
17749-
ssl->msgsReceived.got_certificate_verify = 1;
17750-
1775117796
if ( ssl->msgsReceived.got_certificate == 0) {
1775217797
WOLFSSL_MSG("No Cert before CertVerify");
1775317798
WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
1775417799
return OUT_OF_ORDER_E;
1775517800
}
17801+
if (ssl->msgsReceived.got_change_cipher ||
17802+
ssl->msgsReceived.got_finished) {
17803+
WOLFSSL_MSG("CertVerify received in wrong order");
17804+
WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
17805+
return OUT_OF_ORDER_E;
17806+
}
17807+
ssl->msgsReceived.got_certificate_verify = 1;
1775617808
break;
1775717809
#endif
1775817810

@@ -17770,13 +17822,19 @@ static int SanityCheckMsgReceived(WOLFSSL* ssl, byte type)
1777017822
WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
1777117823
return DUPLICATE_MSG_E;
1777217824
}
17773-
ssl->msgsReceived.got_client_key_exchange = 1;
17774-
1777517825
if (ssl->msgsReceived.got_client_hello == 0) {
1777617826
WOLFSSL_MSG("No ClientHello before ClientKeyExchange");
1777717827
WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
1777817828
return OUT_OF_ORDER_E;
1777917829
}
17830+
if (ssl->msgsReceived.got_certificate_verify||
17831+
ssl->msgsReceived.got_change_cipher ||
17832+
ssl->msgsReceived.got_finished) {
17833+
WOLFSSL_MSG("ClientKeyExchange received in wrong order");
17834+
WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
17835+
return OUT_OF_ORDER_E;
17836+
}
17837+
ssl->msgsReceived.got_client_key_exchange = 1;
1778017838
break;
1778117839
#endif
1778217840

@@ -17795,13 +17853,12 @@ static int SanityCheckMsgReceived(WOLFSSL* ssl, byte type)
1779517853
}
1779617854
}
1779717855
#endif
17798-
ssl->msgsReceived.got_finished = 1;
17799-
1780017856
if (ssl->msgsReceived.got_change_cipher == 0) {
1780117857
WOLFSSL_MSG("Finished received before ChangeCipher");
1780217858
WOLFSSL_ERROR_VERBOSE(NO_CHANGE_CIPHER_E);
1780317859
return NO_CHANGE_CIPHER_E;
1780417860
}
17861+
ssl->msgsReceived.got_finished = 1;
1780517862
break;
1780617863

1780717864
case change_cipher_hs:

tests/api.c

Lines changed: 2 additions & 23 deletions
Original file line numberDiff line numberDiff line change
@@ -51358,13 +51358,6 @@ TEST_DECL(test_wc_RsaPSS_DigitalSignVerify),
5135851358
/* Can't memory test as client/server hangs. */
5135951359
TEST_DECL(test_dtls_msg_from_other_peer),
5136051360
TEST_DECL(test_dtls_ipv6_check),
51361-
TEST_DECL(test_dtls_short_ciphertext),
51362-
TEST_DECL(test_dtls12_record_length_mismatch),
51363-
TEST_DECL(test_dtls12_short_read),
51364-
TEST_DECL(test_dtls13_longer_length),
51365-
TEST_DECL(test_dtls13_short_read),
51366-
TEST_DECL(test_records_span_network_boundaries),
51367-
TEST_DECL(test_dtls_record_cross_boundaries),
5136851361
TEST_DECL(test_wolfSSL_SCR_after_resumption),
5136951362
TEST_DECL(test_dtls_no_extensions),
5137051363
TEST_DECL(test_tls_alert_no_server_hello),
@@ -51384,12 +51377,10 @@ TEST_DECL(test_wc_RsaPSS_DigitalSignVerify),
5138451377
TEST_DECL(test_dtls13_frag_ch_pq),
5138551378
TEST_DECL(test_dtls_empty_keyshare_with_cookie),
5138651379
TEST_DECL(test_dtls_old_seq_number),
51387-
TEST_DECL(test_dtls12_basic_connection_id),
51388-
TEST_DECL(test_dtls13_basic_connection_id),
5138951380
TEST_DECL(test_dtls12_missing_finished),
5139051381
TEST_DECL(test_dtls13_missing_finished_client),
5139151382
TEST_DECL(test_dtls13_missing_finished_server),
51392-
TEST_DECL(test_wolfSSL_dtls_set_pending_peer),
51383+
TEST_DTLS_DECLS,
5139351384
TEST_DECL(test_tls_multi_handshakes_one_record),
5139451385
TEST_DECL(test_write_dup),
5139551386
TEST_DECL(test_read_write_hs),
@@ -51400,24 +51391,12 @@ TEST_DECL(test_wc_RsaPSS_DigitalSignVerify),
5140051391
TEST_DECL(test_wolfSSL_SendUserCanceled),
5140151392
TEST_DECL(test_wolfSSL_SSLDisableRead),
5140251393
TEST_DECL(test_wolfSSL_inject),
51403-
TEST_DECL(test_wolfSSL_dtls_cid_parse),
51404-
TEST_DECL(test_dtls13_epochs),
51405-
TEST_DECL(test_dtls_rtx_across_epoch_change),
51406-
TEST_DECL(test_dtls_drop_client_ack),
51407-
TEST_DECL(test_dtls_bogus_finished_epoch_zero),
51408-
TEST_DECL(test_dtls_replay),
51409-
TEST_DECL(test_dtls_srtp),
51410-
TEST_DECL(test_dtls13_ack_order),
51411-
TEST_DECL(test_dtls_version_checking),
5141251394
TEST_DECL(test_ocsp_status_callback),
5141351395
TEST_DECL(test_ocsp_basic_verify),
5141451396
TEST_DECL(test_ocsp_response_parsing),
5141551397
TEST_DECL(test_ocsp_certid_enc_dec),
5141651398
TEST_DECL(test_ocsp_tls_cert_cb),
51417-
TEST_DECL(test_tls12_unexpected_ccs),
51418-
TEST_DECL(test_tls13_unexpected_ccs),
51419-
TEST_DECL(test_tls12_curve_intersection),
51420-
TEST_DECL(test_tls13_curve_intersection),
51399+
TEST_TLS_DECLS,
5142151400
TEST_DECL(test_wc_DhSetNamedKey),
5142251401
/* This test needs to stay at the end to clean up any caches allocated. */
5142351402
TEST_DECL(test_wolfSSL_Cleanup)

0 commit comments

Comments
 (0)