Require HAVE_SECURE_RENEGOTIATION for API that perform SCR (not just indication)

julek-wolfssl · julek-wolfssl · commit 907a0201e7ce · 2023-08-03T11:32:42.000+02:00
diff --git a/src/ssl.c b/src/ssl.c
@@ -4004,7 +4004,7 @@ int wolfSSL_CTX_UseSecureRenegotiation(WOLFSSL_CTX* ctx)
     return WOLFSSL_SUCCESS;
 }
 
-
+#ifdef HAVE_SECURE_RENEGOTIATION
 /* do a secure renegotiation handshake, user forced, we discourage */
 static int _Rehandshake(WOLFSSL* ssl)
 {
@@ -4069,15 +4069,15 @@ static int _Rehandshake(WOLFSSL* ssl)
 
         ssl->secure_renegotiation->cache_status = SCR_CACHE_NEEDED;
 
-#if !defined(NO_WOLFSSL_SERVER) && defined(HAVE_SECURE_RENEGOTIATION)
+#if !defined(NO_WOLFSSL_SERVER)
         if (ssl->options.side == WOLFSSL_SERVER_END) {
             ret = SendHelloRequest(ssl);
             if (ret != 0) {
                 ssl->error = ret;
                 return WOLFSSL_FATAL_ERROR;
             }
         }
-#endif /* !NO_WOLFSSL_SERVER && HAVE_SECURE_RENEGOTIATION */
+#endif /* !NO_WOLFSSL_SERVER */
 
         ret = InitHandshakeHashes(ssl);
         if (ret != 0) {
@@ -4151,6 +4151,8 @@ int wolfSSL_SecureResume(WOLFSSL* ssl)
 
 #endif /* NO_WOLFSSL_CLIENT */
 
+#endif /* HAVE_SECURE_RENEGOTIATION */
+
 long wolfSSL_SSL_get_secure_renegotiation_support(WOLFSSL* ssl)
 {
     WOLFSSL_ENTER("wolfSSL_SSL_get_secure_renegotiation_support");
diff --git a/tests/api.c b/tests/api.c
@@ -6367,7 +6367,7 @@ static THREAD_RETURN WOLFSSL_THREAD test_server_nofail(void* args)
             if (ret < 0) { break; } else if (ret == 0) { continue; }
         }
     #endif
-        ret = wolfSSL_accept(ssl);
+        ret = wolfSSL_negotiate(ssl);
         err = wolfSSL_get_error(ssl, 0);
     } while (err == WC_PENDING_E);
     if (ret != WOLFSSL_SUCCESS) {
@@ -63162,8 +63162,8 @@ static int test_dtls_1_0_hvr_downgrade(void)
     XMEMSET(&func_cb_server, 0, sizeof(callback_functions));
 
     func_cb_client.doUdp = func_cb_server.doUdp = 1;
-    func_cb_server.method = wolfDTLSv1_2_server_method;
     func_cb_client.method = wolfDTLS_client_method;
+    func_cb_server.method = wolfDTLSv1_2_server_method;
     func_cb_client.ctx_ready = test_dtls_1_0_hvr_downgrade_ctx_ready;
 
     test_wolfSSL_client_server_nofail(&func_cb_client, &func_cb_server);
@@ -63251,6 +63251,71 @@ static int test_session_ticket_no_id(void)
 }
 #endif
 
+#if defined(WOLFSSL_DTLS) && !defined(WOLFSSL_NO_TLS12) && \
+    defined(HAVE_IO_TESTS_DEPENDENCIES) && defined(HAVE_SECURE_RENEGOTIATION)
+static void test_dtls_downgrade_scr_server_ctx_ready_server(WOLFSSL_CTX* ctx)
+{
+    AssertIntEQ(wolfSSL_CTX_SetMinVersion(ctx, WOLFSSL_DTLSV1_2),
+                WOLFSSL_SUCCESS);
+    AssertIntEQ(wolfSSL_CTX_UseSecureRenegotiation(ctx), WOLFSSL_SUCCESS);
+}
+
+static void test_dtls_downgrade_scr_server_ctx_ready(WOLFSSL_CTX* ctx)
+{
+    AssertIntEQ(wolfSSL_CTX_UseSecureRenegotiation(ctx), WOLFSSL_SUCCESS);
+}
+
+static void test_dtls_downgrade_scr_server_on_result(WOLFSSL* ssl)
+{
+    char testMsg[] = "Message after SCR";
+    char msgBuf[sizeof(testMsg)];
+    if (wolfSSL_is_server(ssl)) {
+        AssertIntEQ(wolfSSL_Rehandshake(ssl), WOLFSSL_FATAL_ERROR);
+        AssertIntEQ(wolfSSL_get_error(ssl, -1), APP_DATA_READY);
+        AssertIntEQ(wolfSSL_read(ssl, msgBuf, sizeof(msgBuf)), sizeof(msgBuf));
+        AssertIntEQ(wolfSSL_Rehandshake(ssl), WOLFSSL_SUCCESS);
+        AssertIntEQ(wolfSSL_write(ssl, testMsg, sizeof(testMsg)),
+                    sizeof(testMsg));
+    }
+    else {
+        AssertIntEQ(wolfSSL_write(ssl, testMsg, sizeof(testMsg)),
+                    sizeof(testMsg));
+        AssertIntEQ(wolfSSL_read(ssl, msgBuf, sizeof(msgBuf)), sizeof(msgBuf));
+    }
+}
+
+static int test_dtls_downgrade_scr_server(void)
+{
+    EXPECT_DECLS;
+    callback_functions func_cb_client;
+    callback_functions func_cb_server;
+
+    XMEMSET(&func_cb_client, 0, sizeof(callback_functions));
+    XMEMSET(&func_cb_server, 0, sizeof(callback_functions));
+
+    func_cb_client.doUdp = func_cb_server.doUdp = 1;
+    func_cb_client.method = wolfDTLSv1_2_client_method;
+    func_cb_server.method = wolfDTLS_server_method;
+    func_cb_client.ctx_ready = test_dtls_downgrade_scr_server_ctx_ready;
+    func_cb_server.ctx_ready = test_dtls_downgrade_scr_server_ctx_ready_server;
+    func_cb_client.on_result = test_dtls_downgrade_scr_server_on_result;
+    func_cb_server.on_result = test_dtls_downgrade_scr_server_on_result;
+
+    test_wolfSSL_client_server_nofail(&func_cb_client, &func_cb_server);
+
+    ExpectIntEQ(func_cb_client.return_code, TEST_SUCCESS);
+    ExpectIntEQ(func_cb_server.return_code, TEST_SUCCESS);
+
+    return EXPECT_RESULT();
+}
+#else
+static int test_dtls_downgrade_scr_server(void)
+{
+    EXPECT_DECLS;
+    return EXPECT_RESULT();
+}
+#endif
+
 #if defined(WOLFSSL_DTLS) && !defined(WOLFSSL_NO_TLS12) && \
     defined(HAVE_IO_TESTS_DEPENDENCIES) && defined(HAVE_SECURE_RENEGOTIATION)
 static void test_dtls_downgrade_scr_ctx_ready(WOLFSSL_CTX* ctx)
@@ -63289,8 +63354,8 @@ static int test_dtls_downgrade_scr(void)
     XMEMSET(&func_cb_server, 0, sizeof(callback_functions));
 
     func_cb_client.doUdp = func_cb_server.doUdp = 1;
-    func_cb_server.method = wolfDTLSv1_2_server_method;
     func_cb_client.method = wolfDTLS_client_method;
+    func_cb_server.method = wolfDTLSv1_2_server_method;
     func_cb_client.ctx_ready = test_dtls_downgrade_scr_ctx_ready;
     func_cb_client.on_result = test_dtls_downgrade_scr_on_result;
     func_cb_server.on_result = test_dtls_downgrade_scr_on_result;
@@ -64564,6 +64629,7 @@ TEST_CASE testCases[] = {
     TEST_DECL(test_TLSX_CA_NAMES_bad_extension),
     TEST_DECL(test_dtls_1_0_hvr_downgrade),
     TEST_DECL(test_session_ticket_no_id),
+    TEST_DECL(test_dtls_downgrade_scr_server),
     TEST_DECL(test_dtls_downgrade_scr),
     /* This test needs to stay at the end to clean up any caches allocated. */
     TEST_DECL(test_wolfSSL_Cleanup)
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
@@ -3984,8 +3984,10 @@ WOLFSSL_API int wolfSSL_NoKeyShares(WOLFSSL* ssl);
 
 WOLFSSL_API int wolfSSL_UseSecureRenegotiation(WOLFSSL* ssl);
 WOLFSSL_API int wolfSSL_CTX_UseSecureRenegotiation(WOLFSSL_CTX* ctx);
+#ifdef HAVE_SECURE_RENEGOTIATION
 WOLFSSL_API int wolfSSL_Rehandshake(WOLFSSL* ssl);
 WOLFSSL_API int wolfSSL_SecureResume(WOLFSSL* ssl);
+#endif
 WOLFSSL_API long wolfSSL_SSL_get_secure_renegotiation_support(WOLFSSL* ssl);
 
 #endif

Original file line number	Diff line number	Diff line change
`@@ -4004,7 +4004,7 @@ int wolfSSL_CTX_UseSecureRenegotiation(WOLFSSL_CTX* ctx)`
`4004`	`4004`	`return WOLFSSL_SUCCESS;`
`4005`	`4005`	`}`
`4006`	`4006`
`4007`		`-`
	`4007`	`+#ifdef HAVE_SECURE_RENEGOTIATION`
`4008`	`4008`	`/* do a secure renegotiation handshake, user forced, we discourage */`
`4009`	`4009`	`static int _Rehandshake(WOLFSSL* ssl)`
`4010`	`4010`	`{`
`@@ -4069,15 +4069,15 @@ static int _Rehandshake(WOLFSSL* ssl)`
`4069`	`4069`
`4070`	`4070`	`ssl->secure_renegotiation->cache_status = SCR_CACHE_NEEDED;`
`4071`	`4071`
`4072`		`-#if !defined(NO_WOLFSSL_SERVER) && defined(HAVE_SECURE_RENEGOTIATION)`
	`4072`	`+#if !defined(NO_WOLFSSL_SERVER)`
`4073`	`4073`	`if (ssl->options.side == WOLFSSL_SERVER_END) {`
`4074`	`4074`	`ret = SendHelloRequest(ssl);`
`4075`	`4075`	`if (ret != 0) {`
`4076`	`4076`	`ssl->error = ret;`
`4077`	`4077`	`return WOLFSSL_FATAL_ERROR;`
`4078`	`4078`	`}`
`4079`	`4079`	`}`
`4080`		`-#endif /* !NO_WOLFSSL_SERVER && HAVE_SECURE_RENEGOTIATION */`
	`4080`	`+#endif /* !NO_WOLFSSL_SERVER */`
`4081`	`4081`
`4082`	`4082`	`ret = InitHandshakeHashes(ssl);`
`4083`	`4083`	`if (ret != 0) {`
`@@ -4151,6 +4151,8 @@ int wolfSSL_SecureResume(WOLFSSL* ssl)`
`4151`	`4151`
`4152`	`4152`	`#endif /* NO_WOLFSSL_CLIENT */`
`4153`	`4153`
	`4154`	`+#endif /* HAVE_SECURE_RENEGOTIATION */`
	`4155`	`+`
`4154`	`4156`	`long wolfSSL_SSL_get_secure_renegotiation_support(WOLFSSL* ssl)`
`4155`	`4157`	`{`
`4156`	`4158`	`WOLFSSL_ENTER("wolfSSL_SSL_get_secure_renegotiation_support");`