diff --git a/examples/tls_backend_testcases.sh b/examples/tls_backend_testcases.sh
index f3fd502570..8def4269cd 100755
--- a/examples/tls_backend_testcases.sh
+++ b/examples/tls_backend_testcases.sh
@@ -1583,6 +1583,34 @@ run_pki_cn_fallback () {
 fi
 }
 
+run_pki_bad_cn_or_san () {
+ case_name=pki_bad_cn_or_san
+ echo -n "PKI bad returned CN or SAN - "
+ pki_dir=$LOGDIR/pki
+
+ if ! generate_pki_files "$case_name"; then
+ fail_case "$case_name" "certificate generation failed"
+ return
+ fi
+ if ! start_pki_server "$case_name" "$pki_dir/alt_server.pem" \
+ "$pki_dir/alt_server.key"; then
+ fail_case "$case_name" "server did not start"
+ return
+ fi
+
+ run_pki_client "$case_name" "$pki_dir/ca.pem" "$CLIENT_TIMEOUT"
+
+ if assert_not_contains "$LOGDIR/$case_name.client" "COAP_EVENT_DTLS_CONNECTED" &&
+ assert_not_contains "$LOGDIR/$case_name.client" "2\\.05" &&
+ assert_contains "$LOGDIR/$case_name.client" "CN 'default.invalid' presented by server" &&
+ assert_not_contains "$LOGDIR/$case_name.server" "call handler for pseudo resource '.well-known/core'"; then
+ pass_case
+ else
+ fail_case "$case_name" "PKI CN or SAN not rejected"
+ fi
+}
+
+
 run_pki_sni () {
 case_name=pki_sni
 echo -n "PKI SNI certificate selection - "
@@ -1671,6 +1699,7 @@ run_psk_pki_dual_mode
 run_pki_missing_client_cert
 run_pki_san_preferred_over_cn
 run_pki_cn_fallback
+run_pki_bad_cn_or_san
 run_pki_sni
 run_wrong_pki_ca
 
diff --git a/src/coap_netif.c b/src/coap_netif.c
index 91b6b3100b..83c39dd4a5 100644
--- a/src/coap_netif.c
+++ b/src/coap_netif.c
@@ -225,7 +225,7 @@ coap_netif_strm_read(coap_session_t *session, uint8_t *data, size_t datalen) {
 int keep_errno = errno;
 
 if (bytes_read >= 0) {
- coap_log_debug("* %s: netif: recv %4" PRIdS " bytes\n",
+ coap_log_debug("* %s: netif: read %4" PRIdS " bytes\n",
 coap_session_str(session), bytes_read);
 } else if (bytes_read == -1 && errno != EAGAIN) {
 coap_log_debug("* %s: netif: failed to receive any bytes (%s) state %d\n",
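Review bot: The new `run_pki_bad_cn_or_san` carries no comment stating the scenario it covers — which certificate `alt_server.pem` presents, what mismatch the client is expected to detect, and why the four log assertions together prove rejection — so a maintainer has to reverse-engineer it from the grep patterns. I would add a header above `run_pki_bad_cn_or_san () {` along the lines of `# Server presents alt_server.pem, whose CN/SAN does not match the name the client expects; the handshake must fail (no COAP_EVENT_DTLS_CONNECTED, no 2.05) and the server must never dispatch a request`. The three `assert_not_contains` checks would pass against an empty client log, so the case is anchored solely by `assert_contains ... "CN 'default.invalid' presented by server"`, which at least forces the client to have reached the name check; that dependency on exact log wording is worth recording in the comment. Whether `alt_server.pem` actually carries a SAN, so that the SAN path rather than only the CN fallback is exercised, is not visible here; if it does not, the case name and `echo` banner overstate the coverage.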
diff --git a/src/coap_openssl.c b/src/coap_openssl.c
index 9564046e12..72909d78bf 100644
--- a/src/coap_openssl.c
+++ b/src/coap_openssl.c
@@ -1003,6 +1003,11 @@ coap_dtls_info_callback(const SSL *ssl, int where, int ret) {
 coap_session_str(session), ERR_reason_error_string(e),
 ssl_function_definition(e));
 }
+ } else {
+ long e;
+
+ while ((e = ERR_get_error())) {
+ }
 }
 }
 }
@@ -1042,6 +1047,7 @@ coap_sock_read(BIO *a, char *out, int outl) {
 if (ret == 0) {
 BIO_set_retry_read(a);
 ret = -1;
+ errno = EAGAIN;
 } else {
 BIO_clear_retry_flags(a);
 }
@@ -1073,6 +1079,7 @@ coap_sock_write(BIO *a, const char *in, int inl) {
 if (ret == 0) {
 BIO_set_retry_read(a);
 ret = -1;
+ errno = EAGAIN;
 } else {
 BIO_clear_retry_flags(a);
 if (ret == -1) {
diff --git a/src/coap_wolfssl.c b/src/coap_wolfssl.c
index 46aa2f9f0f..cf6f135a88 100644
--- a/src/coap_wolfssl.c
+++ b/src/coap_wolfssl.c
@@ -2119,6 +2119,9 @@ setup_client_ssl_session(coap_session_t *session, WOLFSSL *ssl) {
 #endif /* !COAP_DISABLE_TCP */
 coap_log_debug("CoAP Client restricted to (D)TLS1.2 with Identity Hint callback\n");
 }
+ if (COAP_PROTO_NOT_RELIABLE(session->proto)) {
+ set_ciphersuites(ssl, COAP_ENC_PSK);
+ }
 
 /* Issue SNI if requested */
 if (setup_data->client_sni &&
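Review bot: The added `else` branch empties the OpenSSL error queue with a bare `while ((e = ERR_get_error())) { }` loop, which is exactly what `ERR_clear_error()` does in one call and without a variable that exists only to be assigned; the four added lines can become `ERR_clear_error();`. Because the entries are discarded silently, the reason strings are lost for anyone debugging a failed handshake, so if the intent is to keep stale entries from being misreported by a later `SSL_get_error()` call, say so with a comment such as `/* Drop stale entries so a later SSL_get_error() is not misled */` and consider emitting them at debug level the way the sibling branch logs them. `ERR_get_error()` returns `unsigned long`, so `long e` narrows the value even though only its truthiness is used. The condition this `else` belongs to, and the rest of `coap_dtls_info_callback`, are outside the hunk.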
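Review bot: In `coap_sock_read`, `errno = EAGAIN;` is now set whenever the lower layer returns 0, which treats every zero-byte result as "would block"; on a stream transport a zero-byte read is also how an orderly peer close is reported, and if `coap_socket_read` passes that through unchanged this branch tells OpenSSL to retry on a connection the remote side has already torn down, which is a hang or busy-loop risk rather than a clean EOF. Whether `coap_socket_read` already maps EOF to -1 with a distinct errno cannot be seen from this hunk; if it does, a comment on the branch such as `/* 0 from coap_socket_read means would-block, never EOF */` records the contract this relies on, and if it does not, the EOF case needs its own handling before `BIO_set_retry_read(a)` is called. `coap_sock_read` begins outside the hunk.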
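Review bot: The `coap_sock_write` branch that now also sets `errno = EAGAIN;` still calls `BIO_set_retry_read(a)` for a write that made no progress; the flag OpenSSL expects for that case is `BIO_set_retry_write(a)`, otherwise `SSL_write()` surfaces `SSL_ERROR_WANT_READ` and a caller that waits only for readability can stall when the socket is merely not yet writable. The flag predates this commit, but the new line commits the branch to the "would block" interpretation, so this is the moment either to change it or to document that it is deliberate, e.g. `/* retry_read is intentional: writes are re-driven from the read loop */` if libcoap indeed retries pending writes from its read path. The `ret == -1` handling that starts on the hunk's last line, and the rest of `coap_sock_write`, are outside the hunk.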
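Review bot: The new `set_ciphersuites(ssl, COAP_ENC_PSK)` in `setup_client_ssl_session` is guarded by `COAP_PROTO_NOT_RELIABLE(session->proto)`, so a PSK-configured client over TCP/TLS still offers whatever the default suite list contains; if the goal is to keep a server from steering a PSK client onto a certificate-based suite, that hardening is asymmetric between DTLS and TLS and the reason belongs in a comment on the `if`, e.g. `/* DTLS only: restrict the offer to PSK suites; TLS keeps the default list because ... */`. Whatever `set_ciphersuites` returns is discarded here; if it can fail, the result should be checked and logged like the surrounding setup steps. The preceding log line suggests this sits in the PSK identity-hint branch, but that block's opening `if` and the rest of the function are outside the hunk.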