Add regress test for independent algo negotiation

yosuke-wolfssl · yosuke-wolfssl · commit 5cc90fad5859 · 2026-04-24T09:43:05.000+09:00
diff --git a/tests/regress.c b/tests/regress.c
@@ -1989,6 +1989,36 @@ static word32 BuildKexInitPayload(WOLFSSH* ssh, const char* kexList,
     return idx;
 }
 
+#if !defined(WOLFSSH_NO_AES_CBC) && !defined(WOLFSSH_NO_AES_CTR) \
+    && !defined(WOLFSSH_NO_HMAC_SHA1) && !defined(WOLFSSH_NO_HMAC_SHA2_256)
+/* Like BuildKexInitPayload but with explicit per-direction cipher/MAC lists. */
+static word32 BuildKexInitPayloadFull(const char* kexList,
+        const char* keyList, const char* encC2S, const char* encS2C,
+        const char* macC2S, const char* macS2C,
+        byte firstPacketFollows, byte* out, word32 outSz)
+{
+    word32 idx = 0;
+
+    AssertTrue(idx + COOKIE_SZ <= outSz);
+    WMEMSET(out + idx, 0, COOKIE_SZ);
+    idx += COOKIE_SZ;
+    idx = AppendString(out, outSz, idx, kexList);
+    idx = AppendString(out, outSz, idx, keyList);
+    idx = AppendString(out, outSz, idx, encC2S);
+    idx = AppendString(out, outSz, idx, encS2C);
+    idx = AppendString(out, outSz, idx, macC2S);
+    idx = AppendString(out, outSz, idx, macS2C);
+    idx = AppendString(out, outSz, idx, "none");
+    idx = AppendString(out, outSz, idx, "none");
+    idx = AppendString(out, outSz, idx, "");
+    idx = AppendString(out, outSz, idx, "");
+    idx = AppendByte(out, outSz, idx, firstPacketFollows);
+    idx = AppendUint32(out, outSz, idx, 0); /* reserved */
+
+    return idx;
+}
+#endif /* AES_CBC + AES_CTR + HMAC guards (BuildKexInitPayloadFull) */
+
 typedef struct {
     const char* description;
     const char* kexList;
@@ -2107,6 +2137,79 @@ static void TestFirstPacketFollows(void)
     TestFirstPacketFollowsSkipped();
 }
 
+#if !defined(WOLFSSH_NO_AES_CBC) && !defined(WOLFSSH_NO_AES_CTR) \
+    && !defined(WOLFSSH_NO_HMAC_SHA1) && !defined(WOLFSSH_NO_HMAC_SHA2_256)
+static void TestIndependentAlgoNegotiation(void)
+{
+    WOLFSSH_CTX* ctx;
+    WOLFSSH* ssh;
+    byte payload[512];
+    word32 payloadSz;
+    word32 idx;
+
+    ctx = wolfSSH_CTX_new(WOLFSSH_ENDPOINT_SERVER, NULL);
+    AssertNotNull(ctx);
+
+    /* Sub-test A: different non-AEAD cipher and MAC per direction */
+    ssh = wolfSSH_new(ctx);
+    AssertNotNull(ssh);
+    AssertIntEQ(wolfSSH_SetAlgoListKex(ssh, FPF_KEX_GOOD), WS_SUCCESS);
+    AssertIntEQ(wolfSSH_SetAlgoListKey(ssh, FPF_KEY_GOOD), WS_SUCCESS);
+    AssertIntEQ(wolfSSH_SetAlgoListCipher(ssh,
+            "aes128-cbc,aes256-ctr"), WS_SUCCESS);
+    AssertIntEQ(wolfSSH_SetAlgoListMac(ssh,
+            "hmac-sha1,hmac-sha2-256"), WS_SUCCESS);
+    idx = 0;
+    payloadSz = BuildKexInitPayloadFull(
+            FPF_KEX_GOOD, FPF_KEY_GOOD,
+            "aes128-cbc",    /* C2S enc */
+            "aes256-ctr",    /* S2C enc */
+            "hmac-sha1",     /* C2S MAC */
+            "hmac-sha2-256", /* S2C MAC */
+            0, payload, (word32)sizeof(payload));
+    (void)wolfSSH_TestDoKexInit(ssh, payload, payloadSz, &idx);
+    AssertNotNull(ssh->handshake);
+    AssertIntEQ(ssh->handshake->peerEncryptId, ID_AES128_CBC);
+    AssertIntEQ(ssh->handshake->encryptId,     ID_AES256_CTR);
+    AssertIntEQ(ssh->handshake->peerMacId,     ID_HMAC_SHA1);
+    AssertIntEQ(ssh->handshake->macId,         ID_HMAC_SHA2_256);
+    AssertIntEQ(ssh->handshake->peerAeadMode,  0);
+    AssertIntEQ(ssh->handshake->aeadMode,      0);
+    wolfSSH_free(ssh);
+
+#ifndef WOLFSSH_NO_AES_GCM
+    /* Sub-test B: AEAD S2C, non-AEAD C2S — MAC only negotiated for C2S */
+    ssh = wolfSSH_new(ctx);
+    AssertNotNull(ssh);
+    AssertIntEQ(wolfSSH_SetAlgoListKex(ssh, FPF_KEX_GOOD), WS_SUCCESS);
+    AssertIntEQ(wolfSSH_SetAlgoListKey(ssh, FPF_KEY_GOOD), WS_SUCCESS);
+    AssertIntEQ(wolfSSH_SetAlgoListCipher(ssh,
+            "aes128-cbc,aes256-gcm@openssh.com"), WS_SUCCESS);
+    AssertIntEQ(wolfSSH_SetAlgoListMac(ssh,
+            "hmac-sha1,hmac-sha2-256"), WS_SUCCESS);
+    idx = 0;
+    payloadSz = BuildKexInitPayloadFull(
+            FPF_KEX_GOOD, FPF_KEY_GOOD,
+            "aes128-cbc",             /* C2S enc: non-AEAD */
+            "aes256-gcm@openssh.com", /* S2C enc: AEAD */
+            "hmac-sha1",              /* C2S MAC: negotiated */
+            "hmac-sha2-256",          /* S2C MAC: skipped (aeadMode) */
+            0, payload, (word32)sizeof(payload));
+    (void)wolfSSH_TestDoKexInit(ssh, payload, payloadSz, &idx);
+    AssertNotNull(ssh->handshake);
+    AssertIntEQ(ssh->handshake->peerEncryptId, ID_AES128_CBC);
+    AssertIntEQ(ssh->handshake->encryptId,     ID_AES256_GCM);
+    AssertIntEQ(ssh->handshake->peerAeadMode,  0);
+    AssertIntEQ(ssh->handshake->aeadMode,      1);
+    AssertIntEQ(ssh->handshake->peerMacId,     ID_HMAC_SHA1);
+    AssertIntEQ(ssh->handshake->macId,         ID_NONE);
+    wolfSSH_free(ssh);
+#endif /* !WOLFSSH_NO_AES_GCM */
+
+    wolfSSH_CTX_free(ctx);
+}
+#endif /* AES_CBC + AES_CTR + HMAC guards */
+
 #endif /* first_packet_follows coverage guard */
 
 
@@ -2155,6 +2258,13 @@ int main(int argc, char** argv)
     && !defined(WOLFSSH_NO_CURVE25519_SHA256) \
     && !defined(WOLFSSH_NO_RSA_SHA2_256)
     TestFirstPacketFollows();
+#endif
+#if !defined(WOLFSSH_NO_ECDH_SHA2_NISTP256) && !defined(WOLFSSH_NO_RSA) \
+    && !defined(WOLFSSH_NO_CURVE25519_SHA256) \
+    && !defined(WOLFSSH_NO_RSA_SHA2_256) \
+    && !defined(WOLFSSH_NO_AES_CBC) && !defined(WOLFSSH_NO_AES_CTR) \
+    && !defined(WOLFSSH_NO_HMAC_SHA1) && !defined(WOLFSSH_NO_HMAC_SHA2_256)
+    TestIndependentAlgoNegotiation();
 #endif
     TestDisconnectSetsDisconnectError();
     TestClientBuffersIdempotent();
