Incorporate review comments

* Move new test to the test_wolfSSL_dtls_stateless_xxx group
* Move cookie parsing to stateful DTLS processing
* Remove unnecessary redundant cookie parsing logic

Author: Frauschi

src/dtls.c

@@ -295,42 +295,6 @@ static int CheckDtlsCookie(const WOLFSSL* ssl, WolfSSL_CH* ch,
     return ret;
 }
 
-#if defined(WOLFSSL_DTLS13) && defined(WOLFSSL_SEND_HRR_COOKIE)
-static int ParseCookieExt(WOLFSSL* ssl, WolfSSL_CH* ch)
-{
-    int ret = 0;
-    word16 len;
-    const byte* cookie = NULL;
-
-    if (ch->cookieExt.size < OPAQUE16_LEN + 1)
-        return BUFFER_E;
-    ato16(ch->cookieExt.elements, &len);
-    if (ch->cookieExt.size - OPAQUE16_LEN != len)
-        return BUFFER_E;
-    cookie = ch->cookieExt.elements + OPAQUE16_LEN;
-    ret = TlsCheckCookie(ssl, cookie, len);
-    if (ret < 0)
-        return ret;
-    len = (word16)ret;
-
-    /* Cookie Data = Hash Len | Hash | CS | KeyShare Group (optional) */
-
-    /* Check if the cookie has a key share group */
-    if (len > cookie[0] + 4) {
-        word16 keyShareGroup = 0;
-        ato16(cookie + 3 + cookie[0], &keyShareGroup);
-
-        /* The key share group in the cookie is the group selected by the
-         * server in the HelloRetryRequest. Hence, the client must use this
-         * group in the second ClientHello.
-         */
-        ssl->hrr_keyshare_group = keyShareGroup;
-    }
-
-    return 0;
-}
-#endif /* WOLFSSL_DTLS13 && WOLFSSL_SEND_HRR_COOKIE */
-
 static int ParseClientHello(const byte* input, word32 helloSz, WolfSSL_CH* ch,
         byte isFirstCHFrag)
 {
@@ -1077,10 +1041,6 @@ int DoClientHelloStateless(WOLFSSL* ssl, const byte* input, word32 helloSz,
                 e = Dtls13GetEpoch(ssl, ssl->keys.curEpoch64);
                 if (e != NULL)
                     XMEMSET(e->window, 0xFF, sizeof(e->window));
-
-                ret = ParseCookieExt(ssl, &ch);
-                if (ret != 0)
-                    return ret;
             }
             else
 #endif

src/tls.c

@@ -7248,6 +7248,55 @@ static int TLSX_Cookie_Write(Cookie* cookie, byte* output, byte msgType,
     return 0;
 }
 
+#if defined(WOLFSSL_DTLS13) && defined (WOLFSSL_SEND_HRR_COOKIE)
+/* Extract the key share group from the cookie and store it in the
+ * ssl session for later checks.
+ *
+ * ssl    The SSL/TLS object.
+ * returns 0 on success and other values indicate failure.
+ */
+static int TLSX_Cookie_RestoreHrrGroup(WOLFSSL* ssl)
+{
+    TLSX* extension;
+    Cookie* cookie;
+#ifndef NO_SHA256
+    byte macSz = WC_SHA256_DIGEST_SIZE;
+#elif defined(WOLFSSL_SHA384)
+    byte macSz = WC_SHA384_DIGEST_SIZE;
+#elif defined(WOLFSSL_TLS13_SHA512)
+    byte macSz = WC_SHA512_DIGEST_SIZE;
+#elif defined(WOLFSSL_SM3)
+    byte macSz = WC_SM3_DIGEST_SIZE;
+#else
+    #error "No digest to available to use with HMAC for cookies."
+#endif /* NO_SHA */
+
+    extension = TLSX_Find(ssl->extensions, TLSX_COOKIE);
+    if (extension == NULL)
+        return 0;
+
+    cookie = (Cookie*)extension->data;
+    if (cookie == NULL)
+        return 0;
+
+    /* Cookie Data = Hash Len | Hash | CS | KeyShare Group (optional) | MAC */
+
+    /* Check if the cookie has a key share group */
+    if (cookie->data[0] + 4 + macSz < cookie->len) {
+        word16 keyShareGroup = 0;
+        ato16(cookie->data + 3 + cookie->data[0], &keyShareGroup);
+
+        /* The key share group in the cookie is the group selected by the
+         * server in the HelloRetryRequest. Hence, the client must use this
+         * group in the second ClientHello.
+         */
+        ssl->hrr_keyshare_group = keyShareGroup;
+    }
+
+    return 0;
+}
+#endif /* WOLFSSL_DTLS13 && WOLFSSL_SEND_HRR_COOKIE */
+
 /* Parse the Cookie extension.
  * In messages: ClientHello and HelloRetryRequest.
  *
@@ -7290,12 +7339,21 @@ static int TLSX_Cookie_Parse(WOLFSSL* ssl, const byte* input, word16 length,
     extension = TLSX_Find(ssl->extensions, TLSX_COOKIE);
     if (extension == NULL) {
 #ifdef WOLFSSL_DTLS13
-        if (ssl->options.dtls && IsAtLeastTLSv1_3(ssl->version))
+        if (ssl->options.dtls && IsAtLeastTLSv1_3(ssl->version)) {
+            int ret = 0;
             /* Allow a cookie extension with DTLS 1.3 because it is possible
              * that a different SSL instance sent the cookie but we are now
              * receiving it. */
-            return TLSX_Cookie_Use(ssl, input + idx, len, NULL, 0, 0,
-                                   &ssl->extensions);
+            ret = TLSX_Cookie_Use(ssl, input + idx, len, NULL, 0, 0,
+                                  &ssl->extensions);
+    #if defined(WOLFSSL_SEND_HRR_COOKIE)
+            if (ret == 0 && ssl->options.dtlsStateful) {
+                /* Try to extract a HRR key share group from the cookie */
+                ret = TLSX_Cookie_RestoreHrrGroup(ssl);
+            }
+    #endif
+            return ret;
+        }
         else
 #endif
         {

tests/api.c

@@ -27783,6 +27783,105 @@ static int test_wolfSSL_dtls_stateless_downgrade(void)
 }
 #endif /* !defined(NO_OLD_TLS) */
 
+/* DTLS stateless API handling multiple CHs with different HRR groups */
+static int test_wolfSSL_dtls_stateless_hrr_group(void)
+{
+    EXPECT_DECLS;
+    size_t i;
+    struct {
+        method_provider client_meth;
+        method_provider server_meth;
+    } params[] = {
+#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_DTLS13)
+        { wolfDTLSv1_3_client_method, wolfDTLSv1_3_server_method },
+#endif
+#if !defined(WOLFSSL_NO_TLS12) && defined(WOLFSSL_DTLS)
+        { wolfDTLSv1_2_client_method, wolfDTLSv1_2_server_method },
+#endif
+    };
+    for (i = 0; i < XELEM_CNT(params) && !EXPECT_FAIL(); i++) {
+        WOLFSSL_CTX *ctx_s = NULL, *ctx_c = NULL;
+        WOLFSSL *ssl_s = NULL, *ssl_c = NULL, *ssl_c2 = NULL;
+        struct test_memio_ctx test_ctx;
+        int groups_1[] = {
+            WOLFSSL_ECC_SECP256R1,
+            WOLFSSL_ECC_SECP384R1,
+            WOLFSSL_ECC_SECP521R1
+        };
+        int groups_2[] = {
+            WOLFSSL_ECC_SECP384R1,
+            WOLFSSL_ECC_SECP521R1
+        };
+        char hrrBuf[1000];
+        int hrrSz = sizeof(hrrBuf);
+
+        XMEMSET(&test_ctx, 0, sizeof(test_ctx));
+
+        ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
+                params[i].client_meth, params[i].server_meth), 0);
+
+        ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, NULL, &ssl_c2, NULL,
+                params[i].client_meth, params[i].server_meth), 0);
+
+
+        wolfSSL_SetLoggingPrefix("server");
+        wolfSSL_dtls_set_using_nonblock(ssl_s, 1);
+
+        /* Set groups and disable key shares. This ensures that only the given
+         * groups are in the SupportedGroups extension and that an empty key
+         * share extension is sent in the initial ClientHello of each session.
+         * This triggers the server to send a HelloRetryRequest with the first
+         * group in the SupportedGroups extension selected. */
+        wolfSSL_SetLoggingPrefix("client1");
+        ExpectIntEQ(wolfSSL_set_groups(ssl_c, groups_1, 3), WOLFSSL_SUCCESS);
+        ExpectIntEQ(wolfSSL_NoKeyShares(ssl_c), WOLFSSL_SUCCESS);
+
+        wolfSSL_SetLoggingPrefix("client2");
+        ExpectIntEQ(wolfSSL_set_groups(ssl_c2, groups_2, 2), WOLFSSL_SUCCESS);
+        ExpectIntEQ(wolfSSL_NoKeyShares(ssl_c2), WOLFSSL_SUCCESS);
+
+        /* Start handshake, send first ClientHello */
+        wolfSSL_SetLoggingPrefix("client1");
+        ExpectIntEQ(wolfSSL_connect(ssl_c), -1);
+        ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_READ);
+
+        /* Read first ClientHello, send HRR with WOLFSSL_ECC_SECP256R1 */
+        wolfSSL_SetLoggingPrefix("server");
+        ExpectIntEQ(wolfDTLS_accept_stateless(ssl_s), 0);
+        ExpectIntEQ(test_memio_copy_message(&test_ctx, 1, hrrBuf, &hrrSz, 0), 0);
+        ExpectIntGT(hrrSz, 0);
+        test_memio_clear_buffer(&test_ctx, 1);
+
+        /* Send second ClientHello */
+        wolfSSL_SetLoggingPrefix("client2");
+        ExpectIntEQ(wolfSSL_connect(ssl_c2), -1);
+        ExpectIntEQ(wolfSSL_get_error(ssl_c2, -1), WOLFSSL_ERROR_WANT_READ);
+
+        /* Read second ClientHello, send HRR now with WOLFSSL_ECC_SECP384R1 */
+        wolfSSL_SetLoggingPrefix("server");
+        ExpectIntEQ(wolfDTLS_accept_stateless(ssl_s), 0);
+        test_memio_clear_buffer(&test_ctx, 1);
+
+        /* Complete first handshake with WOLFSSL_ECC_SECP256R1 */
+        wolfSSL_SetLoggingPrefix("client1");
+        ExpectIntEQ(test_memio_inject_message(&test_ctx, 1, hrrBuf, hrrSz), 0);
+        ExpectIntEQ(wolfSSL_connect(ssl_c), -1);
+        ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_READ);
+
+        wolfSSL_SetLoggingPrefix("server");
+        ExpectIntEQ(wolfDTLS_accept_stateless(ssl_s), WOLFSSL_SUCCESS);
+
+        ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
+
+        wolfSSL_free(ssl_s);
+        wolfSSL_free(ssl_c);
+        wolfSSL_free(ssl_c2);
+        wolfSSL_CTX_free(ctx_s);
+        wolfSSL_CTX_free(ctx_c);
+    }
+    return EXPECT_RESULT();
+}
+
 #endif /* defined(WOLFSSL_DTLS) && !defined(WOLFSSL_NO_TLS12) && \
     !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER)*/
 
@@ -33223,6 +33322,7 @@ TEST_CASE testCases[] = {
 #if !defined(NO_OLD_TLS)
     TEST_DECL(test_wolfSSL_dtls_stateless_downgrade),
 #endif /* !defined(NO_OLD_TLS) */
+    TEST_DECL(test_wolfSSL_dtls_stateless_hrr_group),
 #endif /* ! NO_RSA */
 #endif /* defined(WOLFSSL_DTLS) && !defined(WOLFSSL_NO_TLS12) &&     \
         *  !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) */

tests/api/test_dtls.c

@@ -2567,117 +2567,3 @@ int test_dtls13_min_rtx_interval(void)
 #endif
     return EXPECT_RESULT();
 }
-
-/* DTLS stateless API handling multiple CHs with different HRR groups */
-int test_dtls_stateless_hrr_group(void)
-{
-    EXPECT_DECLS;
-#if defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && defined(WOLFSSL_DTLS)
-    size_t i;
-    struct {
-        method_provider client_meth;
-        method_provider server_meth;
-    } params[] = {
-#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_DTLS13)
-        { wolfDTLSv1_3_client_method, wolfDTLSv1_3_server_method },
-#endif
-#if !defined(WOLFSSL_NO_TLS12) && defined(WOLFSSL_DTLS)
-        { wolfDTLSv1_2_client_method, wolfDTLSv1_2_server_method },
-#endif
-    };
-    XMEMSET(&test_memio_wolfio_ctx, 0, sizeof(test_memio_wolfio_ctx));
-    for (i = 0; i < XELEM_CNT(params) && !EXPECT_FAIL(); i++) {
-        WOLFSSL_CTX *ctx_s = NULL, *ctx_c = NULL;
-        WOLFSSL *ssl_s = NULL, *ssl_c1 = NULL, *ssl_c2 = NULL;
-        struct test_memio_ctx test_ctx;
-        int groups_1[] = {
-            WOLFSSL_ECC_SECP256R1,
-            WOLFSSL_ECC_SECP384R1,
-            WOLFSSL_ECC_SECP521R1
-        };
-        int groups_2[] = {
-            WOLFSSL_ECC_SECP384R1,
-            WOLFSSL_ECC_SECP521R1
-        };
-        char hrrBuf[1000];
-        int hrrSz = sizeof(hrrBuf);
-
-        XMEMSET(&test_ctx, 0, sizeof(test_ctx));
-
-        ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c1, &ssl_s,
-                params[i].client_meth, params[i].server_meth), 0);
-
-        ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, NULL, &ssl_c2, NULL,
-                params[i].client_meth, params[i].server_meth), 0);
-
-        test_memio_wolfio_ctx.test_ctx = &test_ctx;
-        test_memio_wolfio_ctx.ssl_s = ssl_s;
-        /* Large number to error out if any syscalls are called with it */
-        test_memio_wolfio_ctx.fd = 6000;
-        XMEMSET(&test_memio_wolfio_ctx.peer_addr, 0,
-                sizeof(test_memio_wolfio_ctx.peer_addr));
-        test_memio_wolfio_ctx.peer_addr.ss_family = AF_INET;
-
-        wolfSSL_SetLoggingPrefix("server");
-        wolfSSL_dtls_set_using_nonblock(ssl_s, 1);
-        wolfSSL_SetRecvFrom(ssl_s, test_memio_wolfio_recvfrom);
-        /* Restore default functions */
-        wolfSSL_SSLSetIORecv(ssl_s, EmbedReceiveFrom);
-        ExpectIntEQ(wolfSSL_set_read_fd(ssl_s, test_memio_wolfio_ctx.fd),
-                    WOLFSSL_SUCCESS);
-
-        /* Set groups and disable key shares. This ensures that only the given
-         * groups are in the SupportedGroups extension and that an empty key
-         * share extension is sent in the initial ClientHello of each session.
-         * This triggers the server to send a HelloRetryRequest with the first
-         * group in the SupportedGroups extension selected. */
-        wolfSSL_SetLoggingPrefix("client1");
-        ExpectIntEQ(wolfSSL_set_groups(ssl_c1, groups_1, 3), WOLFSSL_SUCCESS);
-        ExpectIntEQ(wolfSSL_NoKeyShares(ssl_c1), WOLFSSL_SUCCESS);
-
-        wolfSSL_SetLoggingPrefix("client2");
-        ExpectIntEQ(wolfSSL_set_groups(ssl_c2, groups_2, 2), WOLFSSL_SUCCESS);
-        ExpectIntEQ(wolfSSL_NoKeyShares(ssl_c2), WOLFSSL_SUCCESS);
-
-        /* Start handshake, send first ClientHello */
-        wolfSSL_SetLoggingPrefix("client1");
-        ExpectIntEQ(wolfSSL_connect(ssl_c1), -1);
-        ExpectIntEQ(wolfSSL_get_error(ssl_c1, -1), WOLFSSL_ERROR_WANT_READ);
-
-        /* Read first ClientHello, send HRR with WOLFSSL_ECC_SECP256R1 */
-        wolfSSL_SetLoggingPrefix("server");
-        ExpectIntEQ(wolfDTLS_accept_stateless(ssl_s), 0);
-        ExpectIntEQ(test_memio_copy_message(&test_ctx, 1, hrrBuf, &hrrSz, 0), 0);
-        ExpectIntGT(hrrSz, 0);
-        test_memio_clear_buffer(&test_ctx, 1);
-
-        /* Send second ClientHello */
-        wolfSSL_SetLoggingPrefix("client2");
-        ExpectIntEQ(wolfSSL_connect(ssl_c2), -1);
-        ExpectIntEQ(wolfSSL_get_error(ssl_c2, -1), WOLFSSL_ERROR_WANT_READ);
-
-        /* Read second ClientHello, send HRR now with WOLFSSL_ECC_SECP384R1 */
-        wolfSSL_SetLoggingPrefix("server");
-        ExpectIntEQ(wolfDTLS_accept_stateless(ssl_s), 0);
-        test_memio_clear_buffer(&test_ctx, 1);
-
-        /* Complete first handshake with WOLFSSL_ECC_SECP256R1 */
-        wolfSSL_SetLoggingPrefix("client1");
-        ExpectIntEQ(test_memio_inject_message(&test_ctx, 1, hrrBuf, hrrSz), 0);
-        ExpectIntEQ(wolfSSL_connect(ssl_c1), -1);
-        ExpectIntEQ(wolfSSL_get_error(ssl_c1, -1), WOLFSSL_ERROR_WANT_READ);
-
-        wolfSSL_SetLoggingPrefix("server");
-        ExpectIntEQ(wolfDTLS_accept_stateless(ssl_s), WOLFSSL_SUCCESS);
-
-        ExpectIntEQ(test_memio_do_handshake(ssl_c1, ssl_s, 10, NULL), 0);
-
-        wolfSSL_free(ssl_s);
-        wolfSSL_free(ssl_c1);
-        wolfSSL_free(ssl_c2);
-        wolfSSL_CTX_free(ctx_s);
-        wolfSSL_CTX_free(ctx_c);
-    }
-#endif
-    return EXPECT_RESULT();
-}

tests/api/test_dtls.h

@@ -50,7 +50,6 @@ int test_dtls_memio_wolfio_stateless(void);
 int test_dtls_mtu_fragment_headroom(void);
 int test_dtls_mtu_split_messages(void);
 int test_dtls13_min_rtx_interval(void);
-int test_dtls_stateless_hrr_group(void);
 
 #define TEST_DTLS_DECLS                                                        \
         TEST_DECL_GROUP("dtls", test_dtls12_basic_connection_id),              \
@@ -80,6 +79,5 @@ int test_dtls_stateless_hrr_group(void);
         TEST_DECL_GROUP("dtls", test_dtls_mtu_fragment_headroom),              \
         TEST_DECL_GROUP("dtls", test_dtls_mtu_split_messages),                 \
         TEST_DECL_GROUP("dtls", test_dtls_memio_wolfio_stateless),             \
-        TEST_DECL_GROUP("dtls", test_dtls13_min_rtx_interval),                 \
-        TEST_DECL_GROUP("dtls", test_dtls_stateless_hrr_group)
+        TEST_DECL_GROUP("dtls", test_dtls13_min_rtx_interval)
 #endif /* TESTS_API_DTLS_H */