From 1e9971f64c41579c3ff4804b3ab211a5621f9f53 Mon Sep 17 00:00:00 2001
From: Daniel Pouzzner
Date: Fri, 11 Sep 2020 18:19:04 -0500
Subject: [PATCH] scripts/ocsp-stapling*.test: add bwrap attempt at top, to isolate network namespace.
---
scripts/ocsp-stapling-with-ca-as-responder.test | 16 ++++++++++++++++
scripts/ocsp-stapling.test | 16 ++++++++++++++++
scripts/ocsp-stapling2.test | 16 ++++++++++++++++
3 files changed, 48 insertions(+)
diff --git a/scripts/ocsp-stapling-with-ca-as-responder.test b/scripts/ocsp-stapling-with-ca-as-responder.test
index b045e674c..ac9027f30 100755
--- a/scripts/ocsp-stapling-with-ca-as-responder.test
+++ b/scripts/ocsp-stapling-with-ca-as-responder.test
@@ -2,6 +2,22 @@
 # ocsp-stapling-with-ca-as-responder.test
+# if we can, isolate the network namespace to eliminate port collisions
+if [[ "${AM_BWRAPPED-}" != "yes" ]]; then
+ bwrap_path="$(command -v bwrap)"
+ if [[ -z "$bwrap_path" ]]; then
+ echo "couldn't find bwrap -- not isolating network namespace."
+ elif [[ ! -u "$bwrap_path" ]]; then
+ echo "$bwrap_path isn't setuid -- not isolating network namespace."
+ else
+ echo "isolating network namespace..."
+ export AM_BWRAPPED=yes
+ exec $bwrap_path --unshare-net --dev-bind / / "$0" "$@"
+ unset AM_BWRAPPED
+ echo "not isolating network namespace."
+ fi
+fi
 if [[ -z "${RETRIES_REMAINING-}" ]]; then
 export RETRIES_REMAINING=2
 fi
diff --git a/scripts/ocsp-stapling.test b/scripts/ocsp-stapling.test
index 073cb0352..707158290 100755
--- a/scripts/ocsp-stapling.test
+++ b/scripts/ocsp-stapling.test
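Review bot: The two lines after `exec $bwrap_path ...` (the `unset AM_BWRAPPED` and the "not isolating network namespace." message) are dead code in bash: when `exec` cannot run its command, a non-interactive shell exits instead of falling through, unless `shopt -s execfail` is enabled, which this hunk does not set (the file's earlier lines are outside the hunk, so it may be set there). If the fallback is intended, put `shopt -s execfail` immediately before the exec and quote the path, `exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"`; otherwise drop the two unreachable lines. A comment on the exec line would help readers judge what the isolation buys: `# --dev-bind / / keeps full read-write access to the host filesystem and devices; only the network namespace is isolated, to avoid port collisions -- this is not a security sandbox`. The `-u` setuid test means isolation is silently skipped wherever bwrap runs unprivileged through user namespaces, which is likely common; if that is not the intent, consider attempting bwrap regardless and relying on the exec fallback to continue un-isolated. The identical block is added in the ocsp-stapling.test and ocsp-stapling2.test hunks and the same points apply there.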
@@ -3,6 +3,22 @@
 # ocsp-stapling.test
 # Test requires HAVE_OCSP and HAVE_CERTIFICATE_STATUS_REQUEST
+# if we can, isolate the network namespace to eliminate port collisions
+if [[ "${AM_BWRAPPED-}" != "yes" ]]; then
+ bwrap_path="$(command -v bwrap)"
+ if [[ -z "$bwrap_path" ]]; then
+ echo "couldn't find bwrap -- not isolating network namespace."
+ elif [[ ! -u "$bwrap_path" ]]; then
+ echo "$bwrap_path isn't setuid -- not isolating network namespace."
+ else
+ echo "isolating network namespace..."
+ export AM_BWRAPPED=yes
+ exec $bwrap_path --unshare-net --dev-bind / / "$0" "$@"
+ unset AM_BWRAPPED
+ echo "not isolating network namespace."
+ fi
+fi
 if [[ -z "${RETRIES_REMAINING-}" ]]; then
 export RETRIES_REMAINING=2
 fi
diff --git a/scripts/ocsp-stapling2.test b/scripts/ocsp-stapling2.test
index d3a5df214..8d31890bb 100755
--- a/scripts/ocsp-stapling2.test
+++ b/scripts/ocsp-stapling2.test
@@ -3,6 +3,22 @@
 # ocsp-stapling2.test
 # Test requires HAVE_OCSP and HAVE_CERTIFICATE_STATUS_REQUEST_V2
+# if we can, isolate the network namespace to eliminate port collisions
+if [[ "${AM_BWRAPPED-}" != "yes" ]]; then
+ bwrap_path="$(command -v bwrap)"
+ if [[ -z "$bwrap_path" ]]; then
+ echo "couldn't find bwrap -- not isolating network namespace."
+ elif [[ ! -u "$bwrap_path" ]]; then
+ echo "$bwrap_path isn't setuid -- not isolating network namespace."
+ else
+ echo "isolating network namespace..."
+ export AM_BWRAPPED=yes
+ exec $bwrap_path --unshare-net --dev-bind / / "$0" "$@"
+ unset AM_BWRAPPED
+ echo "not isolating network namespace."
+ fi
+fi
 if [[ -z "${RETRIES_REMAINING-}" ]]; then
 export RETRIES_REMAINING=2
 fi