@@ -7920,17 +7920,37 @@ static int test_wolfSSL_UseSNI_params(void)
79207920 ExpectNotNull(ssl);
79217921
79227922 /* invalid [ctx|ssl] */
7923- ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_UseSNI(NULL, 0, "ctx", 3));
7924- ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_UseSNI( NULL, 0, "ssl", 3));
7923+ ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_UseSNI(NULL, WOLFSSL_SNI_HOST_NAME,
7924+ "ctx", 3));
7925+ ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_UseSNI( NULL, WOLFSSL_SNI_HOST_NAME,
7926+ "ssl", 3));
79257927 /* invalid type */
79267928 ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_UseSNI(ctx, (byte)-1, "ctx", 3));
79277929 ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_UseSNI( ssl, (byte)-1, "ssl", 3));
79287930 /* invalid data */
7929- ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_UseSNI(ctx, 0, NULL, 3));
7930- ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_UseSNI( ssl, 0, NULL, 3));
7931+ ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_UseSNI(ctx, WOLFSSL_SNI_HOST_NAME,
7932+ NULL, 3));
7933+ ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_UseSNI( ssl, WOLFSSL_SNI_HOST_NAME,
7934+ NULL, 3));
7935+ /* invalid length */
7936+ if (EXPECT_SUCCESS()) {
7937+ /* 300 chars > WOLFSSL_HOST_NAME_MAX (256) */
7938+ char longName[300];
7939+
7940+ XMEMSET(longName, 'a', sizeof(longName) - 1);
7941+ longName[sizeof(longName) - 1] = '\0';
7942+
7943+ /* host name >= WOLFSSL_HOST_NAME_MAX */
7944+ ExpectIntEQ(BAD_LENGTH_E, wolfSSL_CTX_UseSNI(ctx, WOLFSSL_SNI_HOST_NAME,
7945+ longName, (word16)XSTRLEN(longName)));
7946+ ExpectIntEQ(BAD_LENGTH_E, wolfSSL_UseSNI( ssl, WOLFSSL_SNI_HOST_NAME,
7947+ longName, (word16)XSTRLEN(longName)));
7948+ }
79317949 /* success case */
7932- ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_UseSNI(ctx, 0, "ctx", 3));
7933- ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_UseSNI( ssl, 0, "ssl", 3));
7950+ ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_UseSNI(ctx, WOLFSSL_SNI_HOST_NAME,
7951+ "ctx", 3));
7952+ ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_UseSNI( ssl, WOLFSSL_SNI_HOST_NAME,
7953+ "ssl", 3));
79347954
79357955 wolfSSL_free(ssl);
79367956 wolfSSL_CTX_free(ctx);
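Review bot: The new `/* invalid length */` case only exercises a 299-byte name and never pins the boundary its own comment states (`host name >= WOLFSSL_HOST_NAME_MAX`), so an off-by-one in the length check — the same class of bug (missing NUL terminator on a truncated copy) that the regression test deleted further down in this commit was written for — would still pass. Since `longName` already holds 299 bytes of 'a', reuse it with explicit lengths: expect `BAD_LENGTH_E` at exactly `WOLFSSL_HOST_NAME_MAX` and `WOLFSSL_SUCCESS` at `WOLFSSL_HOST_NAME_MAX - 1` for both `wolfSSL_CTX_UseSNI` and `wolfSSL_UseSNI`; this assumes the macro spelled in the comment is the real limit and that a later `UseSNI` call replaces the stored name, which the existing `/* success case */` appears to rely on — worth confirming. The comment `/* 300 chars > WOLFSSL_HOST_NAME_MAX (256) */` is also slightly off, as `XMEMSET(longName, 'a', sizeof(longName) - 1)` yields 299 characters; `/* 299 chars, well above WOLFSSL_HOST_NAME_MAX (256) */` is accurate. The enclosing function `test_wolfSSL_UseSNI_params` starts before the hunk.
```c
    /* invalid length */
    if (EXPECT_SUCCESS()) {
        /* … unchanged: 299-char longName setup and BAD_LENGTH_E checks … */

        /* boundary: exactly WOLFSSL_HOST_NAME_MAX bytes must be rejected and
         * one byte less accepted; catches an off-by-one the 299-byte case
         * cannot */
        ExpectIntEQ(BAD_LENGTH_E, wolfSSL_CTX_UseSNI(ctx, WOLFSSL_SNI_HOST_NAME,
            longName, WOLFSSL_HOST_NAME_MAX));
        ExpectIntEQ(BAD_LENGTH_E, wolfSSL_UseSNI( ssl, WOLFSSL_SNI_HOST_NAME,
            longName, WOLFSSL_HOST_NAME_MAX));
        ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_UseSNI(ctx, WOLFSSL_SNI_HOST_NAME,
            longName, WOLFSSL_HOST_NAME_MAX - 1));
        ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_UseSNI( ssl, WOLFSSL_SNI_HOST_NAME,
            longName, WOLFSSL_HOST_NAME_MAX - 1));
    }
```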
@@ -14490,7 +14510,10 @@ static int test_wolfSSL_Tls13_ECH_bad_configs_ex(int hrr, int sniCb)
1449014510 }
1449114511
1449214512 ExpectIntNE(test_ssl_memio_do_handshake(&test_ctx, 10, NULL), TEST_SUCCESS);
14493- ExpectIntEQ(test_ctx.c_ssl->options.echAccepted, 0);
14513+ ExpectIntEQ(wolfSSL_GetEchStatus(test_ctx.c_ssl),
14514+ WOLFSSL_ECH_STATUS_REJECTED);
14515+ ExpectIntEQ(wolfSSL_GetEchStatus(test_ctx.s_ssl),
14516+ WOLFSSL_ECH_STATUS_ACCEPTED);
1449414517
1449514518 test_ssl_memio_cleanup(&test_ctx);
1449614519
@@ -15184,52 +15207,6 @@ static int test_wolfSSL_Tls13_ECH_disable_conn(void)
1518415207 return EXPECT_RESULT();
1518515208}
1518615209
15187- /* Regression test: an inner SNI hostname >= MAX_PUBLIC_NAME_SZ (256) bytes
15188- * must not cause a stack-buffer-overflow in TLSX_EchRestoreSNI. Before the
15189- * fix, the truncated copy omitted the NUL terminator and XSTRLEN read past
15190- * the buffer. */
15191- static int test_wolfSSL_Tls13_ECH_long_SNI(void)
15192- {
15193- EXPECT_DECLS;
15194- #if !defined(NO_WOLFSSL_CLIENT)
15195- test_ssl_memio_ctx test_ctx;
15196- /* 300 chars > MAX_PUBLIC_NAME_SZ (256) to exercise truncation */
15197- char longName[300];
15198-
15199- XMEMSET(longName, 'a', sizeof(longName) - 1);
15200- longName[sizeof(longName) - 1] = '\0';
15201-
15202- XMEMSET(&test_ctx, 0, sizeof(test_ctx));
15203-
15204- test_ctx.s_cb.method = wolfTLSv1_3_server_method;
15205- test_ctx.c_cb.method = wolfTLSv1_3_client_method;
15206-
15207- test_ctx.s_cb.ctx_ready = test_ech_server_ctx_ready;
15208- test_ctx.s_cb.ssl_ready = test_ech_server_ssl_ready;
15209-
15210- ExpectIntEQ(test_ssl_memio_setup(&test_ctx), TEST_SUCCESS);
15211-
15212- /* Set ECH configs on the client */
15213- ExpectIntEQ(wolfSSL_SetEchConfigs(test_ctx.c_ssl, echCbTestConfigs,
15214- echCbTestConfigsLen), WOLFSSL_SUCCESS);
15215-
15216- /* Try to set the over-long SNI as the inner hostname -- after the fix, this
15217- * is expected to fail.
15218- */
15219- ExpectIntEQ(wolfSSL_UseSNI(test_ctx.c_ssl, WOLFSSL_SNI_HOST_NAME,
15220- longName, (word16)XSTRLEN(longName)), BAD_LENGTH_E);
15221-
15222- /* Before the fix, the handshake would trigger TLSX_EchChangeSNI /
15223- * TLSX_EchRestoreSNI, which would then stack-buffer-overflow in XSTRLEN.
15224- */
15225- (void)test_ssl_memio_do_handshake(&test_ctx, 10, NULL);
15226-
15227- test_ssl_memio_cleanup(&test_ctx);
15228- #endif /* !NO_WOLFSSL_CLIENT */
15229-
15230- return EXPECT_RESULT();
15231- }
15232-
1523315210static int ech_seek_extensions(byte* buf, word16* innerExtLen)
1523415211{
1523515212 word16 idx;
@@ -35357,7 +35334,6 @@ TEST_CASE testCases[] = {
3535735334 TEST_DECL(test_wolfSSL_Tls13_ECH_GREASE),
3535835335 TEST_DECL(test_wolfSSL_Tls13_ECH_wire_sni),
3535935336 TEST_DECL(test_wolfSSL_Tls13_ECH_disable_conn),
35360- TEST_DECL(test_wolfSSL_Tls13_ECH_long_SNI),
3536135337 TEST_DECL(test_wolfSSL_Tls13_ECH_HRR_rejection),
3536235338 TEST_DECL(test_wolfSSL_Tls13_ECH_ch2_no_ech),
3536335339 TEST_DECL(test_wolfSSL_Tls13_ECH_ch2_decrypt_error),