diff --git a/certs/test/gen-badaltnamenull.sh b/certs/test/gen-badaltnamenull.sh
new file mode 100755
index 000000000..8ca9d8c7a
--- /dev/null
+++ b/certs/test/gen-badaltnamenull.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+echo "step 1 create key"
+openssl genrsa -out server-badaltnamenull.key 2048
+
+echo "step 2 create csr"
+echo "US\nMontana\nBozeman\nEngineering\nlocalhost\n.\n" | openssl req -new -sha256 -out server-badaltnamenull.csr -key server-badaltnamenull.key -config server-badaltnamenull.conf
+
+echo "step 3 check csr"
+openssl req -text -noout -in server-badaltnamenull.csr
+
+echo "step 4 create cert"
+openssl x509 -req -days 1000 -in server-badaltnamenull.csr -signkey server-badaltnamenull.key \
+ -out server-badaltnamenull.pem -extensions req_ext -extfile server-badaltnamenull.conf
+
+echo "step 5 make human reviewable"
+openssl x509 -inform pem -in server-badaltnamenull.pem -text > tmp.pem
+mv tmp.pem server-badaltnamenull.pem
+
+openssl x509 -inform pem -in server-badaltnamenull.pem -outform der -out server-badaltnamenull.der
diff --git a/certs/test/include.am b/certs/test/include.am
index 1bc9e8e78..6b9d07d72 100644
--- a/certs/test/include.am
+++ b/certs/test/include.am
@@ -17,3 +17,12 @@ EXTRA_DIST += \
 certs/test/server-cert-rsa-badsig.pem \
 certs/test/server-cert-ecc-badsig.der \
 certs/test/server-cert-ecc-badsig.pem
+
+
+EXTRA_DIST += \
+ certs/test/gen-badaltnamenull.sh \
+ certs/test/server-badaltnamenull.conf \
+ certs/test/server-badaltnamenull.csr \
+ certs/test/server-badaltnamenull.key \
+ certs/test/server-badaltnamenull.pem \
+ certs/test/server-badaltnamenull.der
diff --git a/certs/test/server-badaltnamenull.conf b/certs/test/server-badaltnamenull.conf
new file mode 100644
index 000000000..cfca7b7e1
--- /dev/null
+++ b/certs/test/server-badaltnamenull.conf
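Review bot: Step 4 signs the certificate without naming a digest, so `openssl x509 -req` falls back to its default, and the checked-in PEM dump indeed reports `Signature Algorithm: sha1WithRSAEncryption` even though the CSR in step 2 was built with `-sha256`; a build that rejects SHA-1 certificate signatures would then fail this certificate for a reason unrelated to the NUL in the SAN that it exists to test. Make the digest explicit: `openssl x509 -req -sha256 -days 1000 -in server-badaltnamenull.csr -signkey server-badaltnamenull.key \`. Separately, under `#!/bin/sh` the `echo "US\nMontana..."` pipe relies on echo expanding `\n`, which dash does and bash-as-sh does not, so `printf 'US\nMontana\nBozeman\nEngineering\nlocalhost\n.\n' | openssl req ...` is the portable form. A `set -e` at the top would also stop the script from producing a PEM from a stale CSR when an earlier step fails.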
@@ -0,0 +1,17 @@
+[ req ]
+default_bits = 2048
+distinguished_name = req_distinguished_name
+req_extensions = req_ext
+
+[ req_distinguished_name ]
+countryName = US
+stateOrProvinceName = Montana
+localityName = Bozeman
+organizationName = Engineering
+commonName = www.wolfssl.com
+commonName_max = 64
+commonName_default = localhost
+
+[ req_ext ]
+#subjectAltName = localhost\0h
+subjectAltName = DER:30:0d:82:0b:6c:6f:63:61:6c:68:6f:73:74:00:68
diff --git a/certs/test/server-badaltnamenull.csr b/certs/test/server-badaltnamenull.csr
new file mode 100644
index 000000000..7ee5658d6
--- /dev/null
+++ b/certs/test/server-badaltnamenull.csr
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICyTCCAbECAQAwWzELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAO
+BgNVBAcMB0JvemVtYW4xFDASBgNVBAoMC0VuZ2luZWVyaW5nMRIwEAYDVQQDDAls
+b2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBWOI9sH7D
+UouzlAgOLJgVQEyrHw9nwxeIEqmxfU2kZZcD95DWBzExpT0mbluER8yoj6E3//LY
+58aDdASC+x/gxTLWuCNIgF9GWIOfP2TaWj9AHT6mIeklP2z9qJm3Md7UT52xOLkz
+0wblZzSjcqEY61c1MGH6xAtfYfWZgmkxej4aAKd7jR1LAXCSIx+EO2WvvA8c5fiS
+ozQgftXSM/5437VVSwu4dH4ptRNou/6nXi74cYzO4+/Unh7j/4ggwuvegNdEqeRg
+CtASpQalRN+xrqghQaj786t/kBkqH6L0KKzzcsfLi4oE6dJXn4e7SFWgzbRayp5y
+a7jal5x/6U+5AgMBAAGgKTAnBgkqhkiG9w0BCQ4xGjAYMBYGA1UdEQQPMA2CC2xv
+Y2FsaG9zdABoMA0GCSqGSIb3DQEBCwUAA4IBAQCHfMbbmvXJGKjO6Z6UOkF3f7sa
+cB8gEyjm9+Aa8gMQnaWOH8Sw6nGhGNSOVTQUIqt8EohqNCd/jrjZF34mecaJ3ycw
+ryt7AGQzQX5uutBLVr55jszVVC8EDKuPzO3jXH6h6ptvSebG/0KL0P+JHL5JvzZ1
+wAsTBtnnnrnxCQO3a2SFC4zVyH+LCP+EWehH7Sjt9FtrCIoP+xoM6AJ2tCxb4CHH
+A8WGuw36lG78DH6rs4kbh0iCP/pKYrYeG9EBOj6+Bw7WF4ee6QhL0VzHXUcIFjkp
+YlVLGBTL6KVjPW4uim1az5F1+HxZTvbAbnPU7f81M2ePmqbFfODYO1KPXycg
+-----END CERTIFICATE REQUEST-----
diff --git a/certs/test/server-badaltnamenull.der b/certs/test/server-badaltnamenull.der
new file mode 100644
index 000000000..b84405722
Binary files /dev/null and b/certs/test/server-badaltnamenull.der differ
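Review bot: The `req_ext` section supplies the SAN as raw DER with only the commented-out `localhost\0h` as a hint, and the `openssl x509 -text` dump in the generated PEM renders that extension as plain `DNS:localhost`, so nobody reading either file can see the embedded NUL or the trailing `h` without decoding the bytes by hand. Replace the commented line with a comment that spells the encoding out and states the intent, e.g. `# SEQUENCE(0x0d) { [2] dNSName(0x0b) "localhost" 0x00 "h" } -- a NUL inside the name; hostname matching must not stop at it and treat this as "localhost"`. With that in place the `DNS:localhost` shown by the text dump is no longer misleading, and the reason the certificate exists survives without the commit history.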
diff --git a/certs/test/server-badaltnamenull.key b/certs/test/server-badaltnamenull.key
new file mode 100644
index 000000000..b7d71ee2b
--- /dev/null
+++ b/certs/test/server-badaltnamenull.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAwVjiPbB+w1KLs5QIDiyYFUBMqx8PZ8MXiBKpsX1NpGWXA/eQ
+1gcxMaU9Jm5bhEfMqI+hN//y2OfGg3QEgvsf4MUy1rgjSIBfRliDnz9k2lo/QB0+
+piHpJT9s/aiZtzHe1E+dsTi5M9MG5Wc0o3KhGOtXNTBh+sQLX2H1mYJpMXo+GgCn
+e40dSwFwkiMfhDtlr7wPHOX4kqM0IH7V0jP+eN+1VUsLuHR+KbUTaLv+p14u+HGM
+zuPv1J4e4/+IIMLr3oDXRKnkYArQEqUGpUTfsa6oIUGo+/Orf5AZKh+i9Cis83LH
+y4uKBOnSV5+Hu0hVoM20Wsqecmu42pecf+lPuQIDAQABAoIBAEL0a8xfHVa4dCZo
+4e0+ph/d127+34/YMILvq5IKSWPfxk8aYS6s6O0/QpDXcJu7XXUV4AeLe+Z/RPBq
+sdFF84Eb6QIQXC+UPOoYZuQzyNIQpIyoU/SmE53RfAXPaAPXokm1lG81rHT05BN3
+DPR5Eq6VeOqzaYq0bxfFzY4uag02pITGuYMIxuBkJ+q9mu9XTaBWY1mGlD0zqxUZ
+LC0dgrWklJFNHNWddrsMl0LDXFRfuxdFmoZT5NBLh+DWgKq/IW+TAqe3lZGVCPFs
+cctR3WevykigH5TZmK3gsT98kqe5y9xO+pOpAvNAKeiXVYEREzE+PbsdiLiXbaEy
+X1pUB70CgYEA7BSSQqa5duNNwOFp9DcNmMj1VKE2ixhRZi+R7jxHquiyh6IQv7tf
+865f8ZA55mPwy5h/Gqin6YdswvkwHUqbEstnQ+BXmcXaI0EY6iZAkSSKbC0ygr3o
+yVuRSCJmkCdmb8KIz0yguEjOmbNcavaH9ivE7KS6DhYb65PwyGuCxqsCgYEA0alC
+a84cpN59zFTaW85gpq1zeWMbXmkBees8xnygJ4kZw2MkqQSZw+zUFdb9WbltSAsU
+Y8eF0SAaShoXfa7BwB2Bnrs7NZMQzZfVmSG5QLF45v+087guN7pgWnmkUQ0G9ijc
+oLI5Mn3oMy9UrJ48JUVwYysaacgRa73tMsGZ0ysCgYALrbDWjzzZfsEX6468QATy
+K+7G8vqpwtgz/+JuMJkzATPjtcayVWiXu2aPopzaotMEn1SaUwGLceGVe5I/wLMP
+KPTAzNZIixsRZ2T+IEpNY8tdMpcvFInxfBAhy2Hbe7d7i9oMtzO0KhXeUJsfx3ZO
+XTfupO93Ruy2qKjeoULk5QKBgCDD9O9oHK3fX4WJVT63t/8UaFF2HZbZjjOBgdP7
+MgQ7tt0EJ3yKjYVDA7oOCTX2do+lu6AEVHNkMveVsEoh/4GImvM1i4FJ5Hxc2DLA
+RHVJxv1CxQK5q+9lnx1EmVtZT9c0d5Zdg/bSGnG1WeRILlocyf2VhOE3NRHDcshV
+3TZVAoGAXP0SDgRcA544d0zdw07f9/KgHlYcsJuPGt2F7UzjIZiBivr3yh+EXBw2
+xMqRwFnsBeOgvW/i3Je01RjeWZL6M9Lq1ywk2HZtDPnN6dP15LwSS33OBRca5Fk+
+CyKDfZHd+8c2wj8hNsxd/D4N7ZVDrU3UNvMslHwGh0PbIaQxcQM=
+-----END RSA PRIVATE KEY-----
diff --git a/certs/test/server-badaltnamenull.pem b/certs/test/server-badaltnamenull.pem
new file mode 100644
index 000000000..61017211c
--- /dev/null
+++ b/certs/test/server-badaltnamenull.pem
@@ -0,0 +1,72 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 15650401360786530715 (0xd931651e45f8a19b)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: C=US, ST=Montana, L=Bozeman, O=Engineering, CN=localhost
+ Validity
+ Not Before: May 3 16:02:13 2018 GMT
+ Not After : Jan 27 16:02:13 2021 GMT
+ Subject: C=US, ST=Montana, L=Bozeman, O=Engineering, CN=localhost
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:c1:58:e2:3d:b0:7e:c3:52:8b:b3:94:08:0e:2c:
+ 98:15:40:4c:ab:1f:0f:67:c3:17:88:12:a9:b1:7d:
+ 4d:a4:65:97:03:f7:90:d6:07:31:31:a5:3d:26:6e:
+ 5b:84:47:cc:a8:8f:a1:37:ff:f2:d8:e7:c6:83:74:
+ 04:82:fb:1f:e0:c5:32:d6:b8:23:48:80:5f:46:58:
+ 83:9f:3f:64:da:5a:3f:40:1d:3e:a6:21:e9:25:3f:
+ 6c:fd:a8:99:b7:31:de:d4:4f:9d:b1:38:b9:33:d3:
+ 06:e5:67:34:a3:72:a1:18:eb:57:35:30:61:fa:c4:
+ 0b:5f:61:f5:99:82:69:31:7a:3e:1a:00:a7:7b:8d:
+ 1d:4b:01:70:92:23:1f:84:3b:65:af:bc:0f:1c:e5:
+ f8:92:a3:34:20:7e:d5:d2:33:fe:78:df:b5:55:4b:
+ 0b:b8:74:7e:29:b5:13:68:bb:fe:a7:5e:2e:f8:71:
+ 8c:ce:e3:ef:d4:9e:1e:e3:ff:88:20:c2:eb:de:80:
+ d7:44:a9:e4:60:0a:d0:12:a5:06:a5:44:df:b1:ae:
+ a8:21:41:a8:fb:f3:ab:7f:90:19:2a:1f:a2:f4:28:
+ ac:f3:72:c7:cb:8b:8a:04:e9:d2:57:9f:87:bb:48:
+ 55:a0:cd:b4:5a:ca:9e:72:6b:b8:da:97:9c:7f:e9:
+ 4f:b9
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Subject Alternative Name:
+ DNS:localhost
+ Signature Algorithm: sha1WithRSAEncryption
+ ae:76:ea:5e:33:2c:cf:16:c8:ec:a2:27:2a:19:b9:22:bb:69:
+ b4:96:35:f7:25:1c:dd:8b:fb:c4:a8:32:17:89:73:a0:bc:23:
+ a3:49:d4:fd:1a:d7:fc:bf:87:5d:42:12:4b:20:20:74:47:7e:
+ 7c:97:89:c1:f1:a3:82:3a:58:0b:b4:05:0b:c1:02:da:a6:dc:
+ ca:6c:60:58:fe:83:1c:fc:ed:c7:bc:96:df:b2:af:31:f5:28:
+ 45:2d:d5:c0:5a:42:95:c3:64:c5:46:5c:cd:8e:d6:7b:fd:9c:
+ f5:75:44:cc:d6:7e:d8:96:55:5c:00:9f:1f:ac:f1:0a:07:29:
+ 0c:ba:ab:7d:1f:ac:8d:40:55:86:e4:35:1d:11:89:10:8b:c2:
+ 67:ff:99:32:66:f3:5d:4a:c3:37:5e:37:32:40:7b:29:50:25:
+ e5:c1:d8:df:7b:64:3e:f7:c4:1e:01:88:fe:24:f6:0c:ea:f7:
+ 72:df:1e:72:0c:9b:64:c3:6b:ec:ce:99:b1:75:61:f2:ac:d5:
+ 6f:7b:7d:06:7b:6c:a8:6c:ac:46:37:dd:af:e6:cb:8f:70:d7:
+ 57:e2:38:d9:e6:9a:93:da:53:06:e6:39:c5:79:6a:0a:ac:49:
+ da:04:a1:60:2f:5f:96:ef:ca:6c:34:62:6c:ac:25:1c:d5:e0:
+ f7:8e:7c:df
+-----BEGIN CERTIFICATE-----
+MIIDUzCCAjugAwIBAgIJANkxZR5F+KGbMA0GCSqGSIb3DQEBBQUAMFsxCzAJBgNV
+BAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRQwEgYD
+VQQKDAtFbmdpbmVlcmluZzESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTE4MDUwMzE2
+MDIxM1oXDTIxMDEyNzE2MDIxM1owWzELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01v
+bnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFDASBgNVBAoMC0VuZ2luZWVyaW5nMRIw
+EAYDVQQDDAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQDBWOI9sH7DUouzlAgOLJgVQEyrHw9nwxeIEqmxfU2kZZcD95DWBzExpT0mbluE
+R8yoj6E3//LY58aDdASC+x/gxTLWuCNIgF9GWIOfP2TaWj9AHT6mIeklP2z9qJm3
+Md7UT52xOLkz0wblZzSjcqEY61c1MGH6xAtfYfWZgmkxej4aAKd7jR1LAXCSIx+E
+O2WvvA8c5fiSozQgftXSM/5437VVSwu4dH4ptRNou/6nXi74cYzO4+/Unh7j/4gg
+wuvegNdEqeRgCtASpQalRN+xrqghQaj786t/kBkqH6L0KKzzcsfLi4oE6dJXn4e7
+SFWgzbRayp5ya7jal5x/6U+5AgMBAAGjGjAYMBYGA1UdEQQPMA2CC2xvY2FsaG9z
+dABoMA0GCSqGSIb3DQEBBQUAA4IBAQCudupeMyzPFsjsoicqGbkiu2m0ljX3JRzd
+i/vEqDIXiXOgvCOjSdT9Gtf8v4ddQhJLICB0R358l4nB8aOCOlgLtAULwQLaptzK
+bGBY/oMc/O3HvJbfsq8x9ShFLdXAWkKVw2TFRlzNjtZ7/Zz1dUTM1n7YllVcAJ8f
+rPEKBykMuqt9H6yNQFWG5DUdEYkQi8Jn/5kyZvNdSsM3XjcyQHspUCXlwdjfe2Q+
+98QeAYj+JPYM6vdy3x5yDJtkw2vszpmxdWHyrNVve30Ge2yobKxGN92v5suPcNdX
+4jjZ5pqT2lMG5jnFeWoKrEnaBKFgL1+W78psNGJsrCUc1eD3jnzf
+-----END CERTIFICATE-----
diff --git a/examples/client/client.c b/examples/client/client.c
index d22d6a910..018b91e7c 100644
--- a/examples/client/client.c
+++ b/examples/client/client.c
@@ -796,7 +796,7 @@ static void Usage(void) #ifdef HAVE_WNR printf("-q Whitewood config file, default %s\n", wnrConfig); #endif - printf("-H Internal tests [defCipherList, badCert]\n"); + printf("-H Internal tests [defCipherList, exitWithRet]\n"); #ifdef WOLFSSL_TLS13 printf("-J Use HelloRetryRequest to choose group for KE\n"); printf("-K Key Exchange for PSK not using (EC)DHE\n"); @@ -887,7 +887,6 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) unsigned char alpn_opt = 0; char* cipherList = NULL; int useDefCipherList = 0; - int useBadCert = 0; const char* verifyCert = caCertFile; const char* ourCert = cliCertFile; const char* ourKey = cliKeyFile; @@ -937,6 +936,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) char* ocspUrl = NULL; #endif int useX25519 = 0; + int exitWithRet = 0; #ifdef HAVE_WNR const char* wnrConfigFile = wnrConfig; @@ -988,7 +988,6 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) (void)useX25519; (void)helloRetry; (void)onlyKeyShare; - (void)useBadCert; StackTrap(); @@ -1113,9 +1112,9 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) printf("Using default cipher list for testing\n"); useDefCipherList = 1; } - else if (XSTRNCMP(myoptarg, "badCert", 7) == 0) { - printf("Using bad certificate for testing\n"); - useBadCert = 1; + else if (XSTRNCMP(myoptarg, "exitWithRet", 7) == 0) { + printf("Skip exit() for testing\n"); + exitWithRet = 1; } else { Usage(); @@ -1712,15 +1711,6 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #endif } - /* for testing only - use client cert as CA to force no signer error */ - if (useBadCert) { - #if !defined(NO_RSA) - verifyCert = "./certs/client-cert.pem"; - #elif defined(HAVE_ECC) - verifyCert = "./certs/client-ecc-cert.pem"; - #endif - } - if (!usePsk && !useAnon && !useVerifyCb) { #if !defined(NO_FILESYSTEM) if (wolfSSL_CTX_load_verify_locations(ctx, verifyCert,0) 
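Review bot: The new option test keeps the comparison length of the `badCert` string it replaces: `XSTRNCMP(myoptarg, "exitWithRet", 7)` only checks the first seven characters, so `-HexitWit` or `-HexitWithRetXYZ` is accepted as `exitWithRet`, and any later `-H` keyword sharing that prefix could never be told apart. Compare the full token, `else if (XSTRNCMP(myoptarg, "exitWithRet", 11) == 0) {`, or derive the length with `XSTRLEN("exitWithRet")` so it cannot drift from the literal again. Most of client_test's body, including the other `-H` keywords this sits among, lies outside this hunk.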
@@ -2110,13 +2100,22 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) ret = NonBlockingSSL_Connect(ssl); /* will keep retrying on timeout */ #endif if (ret != WOLFSSL_SUCCESS) { + err = wolfSSL_get_error(ssl, 0); printf("wolfSSL_connect error %d, %s\n", err, wolfSSL_ERR_error_string(err, buffer)); + + /* cleanup */ wolfSSL_free(ssl); wolfSSL_CTX_free(ctx); - err_sys("wolfSSL_connect failed"); + CloseSocket(sockfd); + + if (!exitWithRet) + err_sys("wolfSSL_connect failed"); /* see note at top of README */ /* if you're getting an error here */ + + ((func_args*)args)->return_code = err; + goto exit; } showPeer(ssl); @@ -2578,6 +2577,8 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) ((func_args*)args)->return_code = 0; +exit: + #ifdef WOLFSSL_ASYNC_CRYPT wolfAsync_DevClose(&devId); #endif diff --git a/examples/server/server.c b/examples/server/server.c index 3d42a04e0..0a44095ed 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -413,7 +413,7 @@ static void Usage(void) #endif printf("-g Return basic HTML web page\n"); printf("-C The number of connections to accept, default: 1\n"); - printf("-H Internal tests [defCipherList, badCert]\n"); + printf("-H Internal tests [defCipherList, exitWithRet]\n"); #ifdef WOLFSSL_TLS13 printf("-U Update keys and IVs before sending\n"); printf("-K Key Exchange for PSK not using (EC)DHE\n"); @@ -500,7 +500,6 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) unsigned char alpn_opt = 0; char* cipherList = NULL; int useDefCipherList = 0; - int useBadCert = 0; const char* verifyCert = cliCertFile; const char* ourCert = svrCertFile; const char* ourKey = svrKeyFile; @@ -564,6 +563,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) int noTicket = 0; #endif int useX25519 = 0; + int exitWithRet = 0; ((func_args*)args)->return_code = -1; /* error state */ 
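Review bot: The connect-failure branch now frees `ssl` and `ctx` and closes `sockfd` before jumping to the new `exit:` label, but the label is placed after the success path's `return_code = 0` and whatever teardown follows it is outside this hunk; if that tail also releases `ssl`, `ctx` or the socket (the success path presumably does so somewhere), the `exitWithRet` route would free them twice. Either move the three releases down to the label so both paths share one teardown, or null the handles right after freeing, `wolfSSL_free(ssl); ssl = NULL;` and `wolfSSL_CTX_free(ctx); ctx = NULL;`, so a repeated free is harmless. The two trailing comments `/* see note at top of README */ /* if you're getting an error here */` now dangle after the `if (!exitWithRet)` call they used to annotate and are worth moving onto the `err_sys` line.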
@@ -589,7 +589,6 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) (void)readySignal; (void)updateKeysIVs; (void)mcastID; - (void)useBadCert; (void)useX25519; #ifdef CYASSL_TIRTOS @@ -694,9 +693,9 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) printf("Using default cipher list for testing\n"); useDefCipherList = 1; } - else if (XSTRNCMP(myoptarg, "badCert", 7) == 0) { - printf("Using bad certificate for testing\n"); - useBadCert = 1; + else if (XSTRNCMP(myoptarg, "exitWithRet", 7) == 0) { + printf("Skip exit() for testing\n"); + exitWithRet = 1; } else { Usage(); @@ -1051,15 +1050,6 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) #endif #if !defined(NO_CERTS) - /* for testing only - use bad cert as server cert for sig confirm err */ - if (useBadCert) { - #if !defined(NO_RSA) - ourCert = "./certs/test/server-cert-rsa-badsig.pem"; - #elif defined(HAVE_ECC) - ourCert = "./certs/test/server-cert-ecc-badsig.pem"; - #endif - } - if ((!usePsk || usePskPlus) && !useAnon) { #if !defined(NO_FILESYSTEM) if (SSL_CTX_use_certificate_chain_file(ctx, ourCert) @@ -1490,7 +1480,17 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) err = SSL_get_error(ssl, 0); printf("SSL_accept error %d, %s\n", err, ERR_error_string(err, buffer)); - err_sys_ex(runWithErrors, "SSL_accept failed"); + /* cleanup */ + SSL_free(ssl); + SSL_CTX_free(ctx); + CloseSocket(clientfd); + CloseSocket(sockfd); + + if (!exitWithRet) + err_sys_ex(runWithErrors, "SSL_accept failed"); + + ((func_args*)args)->return_code = err; + goto exit; } showPeer(ssl); @@ -1677,6 +1677,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) ((func_args*)args)->return_code = 0; +exit: #if defined(NO_MAIN_DRIVER) && defined(HAVE_ECC) && defined(FP_ECC) \ && defined(HAVE_THREAD_LS) diff --git a/scripts/include.am b/scripts/include.am index 1a6c3ec23..57c8012db 100644 --- a/scripts/include.am +++ b/scripts/include.am 
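Review bot: The server-side keyword test has the same truncated length as the old `badCert` check: `XSTRNCMP(myoptarg, "exitWithRet", 7)` matches any argument whose first seven characters are `exitWit`, so a mistyped or extended `-H` value silently turns on the non-exiting failure mode that the test harness relies on. Use the full length, `else if (XSTRNCMP(myoptarg, "exitWithRet", 11) == 0) {`, or `XSTRLEN("exitWithRet")`. In the `SSL_accept` failure hunk below it, the frees and `CloseSocket` calls run before `err_sys_ex(runWithErrors, ...)`, which under `runWithErrors` may return rather than exit; that is fine only because the very next statement is `goto exit`, so a comment saying the cleanup is deliberately complete before the (possibly returning) error report would help the next editor. server_test's body begins and ends outside these hunks.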
@@ -12,11 +12,6 @@ if BUILD_EXAMPLE_SERVERS dist_noinst_SCRIPTS+= scripts/resume.test -# only run this test if we have the ability to support cert validation -if BUILD_PKI -dist_noinst_SCRIPTS+= scripts/tls-cert-fail.test -endif - EXTRA_DIST+= scripts/benchmark.test if BUILD_CRL diff --git a/scripts/tls-cert-fail.test b/scripts/tls-cert-fail.test deleted file mode 100755 index ea7d49177..000000000 --- a/scripts/tls-cert-fail.test +++ /dev/null 
@@ -1,173 +0,0 @@ -#!/bin/sh - -#tls-cert-fail.test - -asn_no_signer_e="-188" -asn_sig_confirm_e="-155" -exit_code=1 -counter=0 - -# need a unique resume port since may run the same time as testsuite -# use server port zero hack to get one -tls_port=0 - -#no_pid tells us process was never started if -1 -no_pid=-1 - -#server_pid captured on startup, stores the id of the server process -server_pid=$no_pid - -# let's use absolute path to a local dir (make distcheck may be in sub dir) -# also let's add some randomness by adding pid in case multiple 'make check's -# per source tree -ready_file=`pwd`/wolfssl_tls_ready$$ - -remove_ready_file() { - if test -e $ready_file; then - echo -e "removing existing ready file" - rm $ready_file - fi -} - -# trap this function so if user aborts with ^C or other kill signal we still -# get an exit that will in turn clean up the file system -abort_trap() { - echo "script aborted" - - if [ $server_pid != $no_pid ] - then - echo "killing server" - kill -9 $server_pid - fi - - exit_code=2 #different exit code in case of user interrupt - - echo "got abort signal, exiting with $exit_code" - exit $exit_code -} -trap abort_trap INT TERM - - -# trap this function so that if we exit on an error the file system will still -# be restored and the other tests may still pass. Never call this function -# instead use "exit " and this function will run automatically -restore_file_system() { - remove_ready_file -} -trap restore_file_system EXIT - -run_tls_no_signer_test() { - echo -e "\nStarting example server for tls no signer fail test...\n" - - remove_ready_file - - # starts the server on tls_port, -R generates ready file to be used as a - # mutex lock. We capture the processid into the variable server_pid - ./examples/server/server -R $ready_file -p $tls_port & - server_pid=$! - - while [ ! -s $ready_file -a "$counter" -lt 20 ]; do - echo -e "waiting for ready file..." 
- sleep 0.1 - counter=$((counter+ 1)) - done - - if test -e $ready_file; then - echo -e "found ready file, starting client..." - else - echo -e "NO ready file ending test..." - exit 1 - fi - - # get created port 0 ephemeral port - tls_port=`cat $ready_file` - - # starts client on tls_port and captures the output from client - capture_out=$(./examples/client/client -p $tls_port -H badCert 2>&1) - client_result=$? - - wait $server_pid - server_result=$? - - case "$capture_out" in - *$asn_no_signer_e*) - # only exit with zero on detection of the expected error code - echo "" - echo "$capture_out" - echo "" - echo "No signer error as expected! Test pass" - echo "" - exit_code=0 - ;; - *) - echo "" - echo "Client did not return asn_no_signer_e as expected: $capture_out" - echo "" - exit_code=1 - esac -} - -run_tls_sig_confirm_test() { - echo -e "\nStarting example server for tls sig confirm fail test...\n" - - remove_ready_file - - # starts the server on tls_port, -R generates ready file to be used as a - # mutex lock. We capture the processid into the variable server_pid - ./examples/server/server -R $ready_file -p $tls_port -H badCert & - server_pid=$! - - while [ ! -s $ready_file -a "$counter" -lt 20 ]; do - echo -e "waiting for ready file..." - sleep 0.1 - counter=$((counter+ 1)) - done - - if test -e $ready_file; then - echo -e "found ready file, starting client..." - else - echo -e "NO ready file ending test..." - exit 1 - fi - - # get created port 0 ephemeral port - tls_port=`cat $ready_file` - - # starts client on tls_port and captures the output from client - capture_out=$(./examples/client/client -p $tls_port 2>&1) - client_result=$? - - wait $server_pid - server_result=$? - - case "$capture_out" in - *$asn_sig_confirm_e*) - # only exit with zero on detection of the expected error code - echo "" - echo "$capture_out" - echo "" - echo "Sig confirm error as expected! 
Test pass" - echo "" - exit_code=0 - ;; - *) - echo "" - echo "Client did not return asn_sig_confirm_e as expected: $capture_out" - echo "" - exit_code=1 - esac -} - - -######### begin program ######### - -# run the test -run_tls_no_signer_test - -tls_port=0 -run_tls_sig_confirm_test - -echo "exiting with $exit_code" -exit $exit_code -########## end program ########## - diff --git a/src/internal.c b/src/internal.c index c3dfc3495..f912c8c30 100644 --- a/src/internal.c +++ b/src/internal.c @@ -7525,9 +7525,6 @@ int MatchDomainName(const char* pattern, int len, const char* str) return 0; } - if (*str != '\0') - str++; - if (len > 0) len--; } diff --git a/tests/include.am b/tests/include.am index 7453a1793..91100e49a 100644 --- a/tests/include.am +++ b/tests/include.am @@ -28,5 +28,6 @@ EXTRA_DIST += tests/test.conf \ tests/test-sctp.conf \ tests/test-sig.conf \ tests/test-ed25519.conf \ - tests/test-enckeys.conf + tests/test-enckeys.conf \ + tests/test-fails.conf DISTCLEANFILES+= tests/.libs/unit.test diff --git a/tests/suites.c b/tests/suites.c index f5dda4da1..f6ef5b06b 100644 --- a/tests/suites.c +++ b/tests/suites.c @@ -56,6 +56,7 @@ static char flagSep[] = " "; static char svrPort[] = "0"; #endif static char forceDefCipherListFlag[] = "-HdefCipherList"; +static char exitWithRetFlag[] = "-HexitWithRet"; #ifdef WOLFSSL_ASYNC_CRYPT static int devId = INVALID_DEVID; @@ -161,7 +162,7 @@ static int execute_test_case(int svr_argc, char** svr_argv, int cli_argc, char** cli_argv, int addNoVerify, int addNonBlocking, int addDisableEMS, int forceSrvDefCipherList, - int forceCliDefCipherList) + int forceCliDefCipherList, int testShouldFail) { #ifdef WOLFSSL_TIRTOS func_args cliArgs = {0}; @@ -264,6 +265,9 @@ static int execute_test_case(int svr_argc, char** svr_argv, #ifdef TEST_PK_PRIVKEY svr_argv[svrArgs.argc++] = (char*)"-P"; #endif + if (testShouldFail) { + svr_argv[svrArgs.argc++] = exitWithRetFlag; + } /* update server flags list */ commandLine[0] = '\0'; 
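Review bot: The only change to MatchDomainName visible here is the removal of the `if (*str != '\0') str++;` advance while `if (len > 0) len--;` stays, and the loop header, the wildcard branch and the final comparison that decide how a certificate name carrying an embedded NUL is now treated all lie outside this hunk, so the correctness of the new stepping cannot be confirmed from the diff alone. This is the security-relevant core of the commit, yet it is exercised only end-to-end through `tests/test-fails.conf`, whose failure mode accepts any handshake error; a direct unit test that calls `MatchDomainName` with a name containing an embedded NUL (the `localhost\0h` case the new certificate encodes) plus positive cases for exact and wildcard matches would pin the behaviour. A one-line comment next to the remaining `len--`, recording why the separate `str` advance was dropped, would also keep the next reader from "fixing" it back.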
@@ -327,6 +331,9 @@ static int execute_test_case(int svr_argc, char** svr_argv, #ifdef TEST_PK_PRIVKEY cli_argv[cliArgs.argc++] = (char*)"-P"; #endif + if (testShouldFail) { + cli_argv[cliArgs.argc++] = exitWithRetFlag; + } commandLine[0] = '\0'; added = 0; @@ -345,13 +352,15 @@ static int execute_test_case(int svr_argc, char** svr_argv, client_test(&cliArgs); /* verify results */ - if (cliArgs.return_code != 0) { + if ((cliArgs.return_code != 0 && testShouldFail == 0) || + (cliArgs.return_code == 0 && testShouldFail != 0)) { printf("client_test failed\n"); exit(EXIT_FAILURE); } join_thread(serverThread); - if (svrArgs.return_code != 0) { + if ((svrArgs.return_code != 0 && testShouldFail == 0) || + (svrArgs.return_code == 0 && testShouldFail != 0)) { printf("server_test failed\n"); exit(EXIT_FAILURE); } @@ -361,6 +370,11 @@ static int execute_test_case(int svr_argc, char** svr_argv, #endif FreeTcpReady(&ready); + /* only run the first test for failure cases */ + if (testShouldFail) { + return NOT_BUILT_IN; + } + return 0; } @@ -379,18 +393,23 @@ static void test_harness(void* vargs) char* cursor; char* comment; const char* fname = "tests/test.conf"; + int testShouldFail = 0; if (args->argc == 1) { printf("notice: using default file %s\n", fname); } - else if(args->argc != 2) { - printf("usage: harness [FILE]\n"); + else if(args->argc > 3) { + printf("usage: harness [FILE] [ARG]\n"); args->return_code = 1; return; } - else { + + if (args->argc >= 2) { fname = args->argv[1]; } + if (args->argc == 3) { + testShouldFail = 1; + } file = fopen(fname, "rb"); if (file == NULL) { @@ -463,6 +482,8 @@ static void test_harness(void* vargs) cliArgs[cliArgsSz++] = XSTRSEP(&cursor, " \n"); else svrArgs[svrArgsSz++] = XSTRSEP(&cursor, " \n"); + if (*cursor == 0) /* eof */ + do_it = 1; break; default: /* Anything from cursor until end of line that isn't the above 
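Review bot: The new verdict only checks that `return_code` is non-zero when `testShouldFail` is set, so a failure case passes on any handshake error whatsoever, whereas the script this replaces matched specific codes (`asn_no_signer_e="-188"`, `asn_sig_confirm_e="-155"`). The bad-SAN case will therefore keep "passing" if the handshake fails because the certificate has expired, the cipher suite is not compiled in, or a CA file is missing, which is precisely when a regression in the fix under test would go unnoticed. Carry the expected error alongside `testShouldFail` (for example an extra conf token that test_harness parses into an `expectedErr` parameter) and compare `cliArgs.return_code != expectedErr` instead of testing for zero. `return NOT_BUILT_IN` is also being reused as a "skip the variants" signal for failure cases; since callers treat that value as build-coverage information, a comment at the return explaining the overload would help.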
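Review bot: `if (args->argc == 3) testShouldFail = 1;` switches the whole run into expect-failure mode on the mere presence of a third argument, without looking at it, so the `-f` that SuiteTest passes is decorative and an accidental extra argument to an ordinary conf would invert every result while the usage check above (`args->argc > 3`) lets it through. Check the token and reject anything else through the existing usage branch: `if (args->argc == 3 && XSTRNCMP(args->argv[2], "-f", 2) == 0) testShouldFail = 1; else if (args->argc == 3) { usage branch }`. In the parser hunk below, the `if (*cursor == 0) do_it = 1;` added to the `-` case is what makes a conf without a trailing blank line run its last case, which is worth a comment since the trailing-blank removals in the other conf files depend on it.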
@@ -474,6 +495,7 @@ static void test_harness(void* vargs) svrArgs[svrArgsSz++] = XSTRSEP(&cursor, "\n"); if (*cursor == 0) /* eof */ do_it = 1; + break; } if (svrArgsSz == MAX_ARGS || cliArgsSz == MAX_ARGS) { @@ -483,31 +505,41 @@ static void test_harness(void* vargs) if (do_it) { ret = execute_test_case(svrArgsSz, svrArgs, - cliArgsSz, cliArgs, 0, 0, 0, 0, 0); + cliArgsSz, cliArgs, 0, 0, 0, 0, 0, + testShouldFail); /* don't repeat if not supported in build */ if (ret == 0) { /* test with default cipher list on server side */ execute_test_case(svrArgsSz, svrArgs, - cliArgsSz, cliArgs, 0, 0, 0, 1, 0); + cliArgsSz, cliArgs, 0, 0, 0, 1, 0, + testShouldFail); /* test with default cipher list on client side */ execute_test_case(svrArgsSz, svrArgs, - cliArgsSz, cliArgs, 0, 0, 0, 0, 1); + cliArgsSz, cliArgs, 0, 0, 0, 0, 1, + testShouldFail); execute_test_case(svrArgsSz, svrArgs, - cliArgsSz, cliArgs, 0, 1, 0, 0, 0); + cliArgsSz, cliArgs, 0, 1, 0, 0, 0, + testShouldFail); execute_test_case(svrArgsSz, svrArgs, - cliArgsSz, cliArgs, 1, 0, 0, 0, 0); + cliArgsSz, cliArgs, 1, 0, 0, 0, 0, + testShouldFail); execute_test_case(svrArgsSz, svrArgs, - cliArgsSz, cliArgs, 1, 1, 0, 0, 0); + cliArgsSz, cliArgs, 1, 1, 0, 0, 0, + testShouldFail); #ifdef HAVE_EXTENDED_MASTER execute_test_case(svrArgsSz, svrArgs, - cliArgsSz, cliArgs, 0, 0, 1, 0, 0); + cliArgsSz, cliArgs, 0, 0, 1, 0, 0, + testShouldFail); execute_test_case(svrArgsSz, svrArgs, - cliArgsSz, cliArgs, 0, 1, 1, 0, 0); + cliArgsSz, cliArgs, 0, 1, 1, 0, 0, + testShouldFail); execute_test_case(svrArgsSz, svrArgs, - cliArgsSz, cliArgs, 1, 0, 1, 0, 0); + cliArgsSz, cliArgs, 1, 0, 1, 0, 0, + testShouldFail); execute_test_case(svrArgsSz, svrArgs, - cliArgsSz, cliArgs, 1, 1, 1, 0, 0); + cliArgsSz, cliArgs, 1, 1, 1, 0, 0, + testShouldFail); #endif } svrArgsSz = 1; 
@@ -526,14 +558,15 @@ int SuiteTest(void) { #if !defined(NO_WOLFSSL_SERVER) && !defined(NO_WOLFSSL_CLIENT) func_args args; - char argv0[2][80]; - char* myArgv[2]; + char argv0[3][80]; + char* myArgv[3]; printf(" Begin Cipher Suite Tests\n"); /* setup */ myArgv[0] = argv0[0]; myArgv[1] = argv0[1]; + myArgv[2] = argv0[2]; args.argv = myArgv; strcpy(argv0[0], "SuiteTest"); @@ -681,6 +714,18 @@ int SuiteTest(void) } #endif + /* failure tests */ + args.argc = 3; + strcpy(argv0[1], "tests/test-fails.conf"); + strcpy(argv0[2], "-f"); + printf("starting tests that expect failure\n"); + test_harness(&args); + if (args.return_code != 0) { + printf("error from script %d\n", args.return_code); + args.return_code = EXIT_FAILURE; + goto exit; + } + exit: printf(" End Cipher Suite Tests\n"); diff --git a/tests/test-dtls.conf b/tests/test-dtls.conf index 7a124f2a2..1ace19d5f 100644 --- a/tests/test-dtls.conf +++ b/tests/test-dtls.conf @@ -959,4 +959,3 @@ -a -v 2 -l ADH-AES128-SHA - diff --git a/tests/test-ed25519.conf b/tests/test-ed25519.conf index cdd3ade35..cc68ba2d7 100644 --- a/tests/test-ed25519.conf +++ b/tests/test-ed25519.conf @@ -53,4 +53,3 @@ #-k ./certs/ed25519/client-ed25519-key.pem #-A ./certs/ed25519/root-ed25519.pem #-C - diff --git a/tests/test-fails.conf b/tests/test-fails.conf new file mode 100644 index 000000000..3c78cc038 --- /dev/null +++ b/tests/test-fails.conf 
@@ -0,0 +1,50 @@ +# server bad certificate alt name +-v 3 +-l ECDHE-RSA-AES128-GCM-SHA256 +-k ./certs/test/server-badaltnamenull.key +-c ./certs/test/server-badaltnamenull.pem +-d + +# client bad certificate alt name +-v 3 +-l ECDHE-RSA-AES128-GCM-SHA256 +-h localhost +-A ./certs/test/server-badaltnamenull.pem +-m +-x + +# server RSA no signer error +-v 3 +-l ECDHE-RSA-AES128-GCM-SHA256 + +# client RSA no signer error +-v 3 +-l ECDHE-RSA-AES128-GCM-SHA256 +-A ./certs/client-cert.pem + +# server ECC no signer error +-v 3 +-l ECDHE-ECDSA-AES128-GCM-SHA256 + +# client ECC no signer error +-v 3 +-l ECDHE-ECDSA-AES128-GCM-SHA256 +-A ./certs/client-ecc-cert.pem + +# server RSA bad sig error +-v 3 +-l ECDHE-RSA-AES128-GCM-SHA256 +-c ./certs/test/server-cert-rsa-badsig.pem + +# client RSA bad sig error +-v 3 +-l ECDHE-RSA-AES128-GCM-SHA256 + +# server ECC bad sig error +-v 3 +-l ECDHE-ECDSA-AES128-GCM-SHA256 +-c ./certs/test/server-cert-ecc-badsig.pem + +# client ECC bad sig error +-v 3 +-l ECDHE-ECDSA-AES128-GCM-SHA256 diff --git a/tests/test-psk-no-id.conf b/tests/test-psk-no-id.conf index c5c0a190e..d6247b1e4 100644 --- a/tests/test-psk-no-id.conf +++ b/tests/test-psk-no-id.conf @@ -300,4 +300,3 @@ -l TLS13-AES128-GCM-SHA256 -r -s - diff --git a/tests/test-qsh.conf b/tests/test-qsh.conf index d7ed05867..357467465 100644 --- a/tests/test-qsh.conf +++ b/tests/test-qsh.conf @@ -2152,4 +2152,3 @@ # client TLSv1.2 NTRU_AES128 -v 3 -l QSH:NTRU-AES128-SHA - diff --git a/tests/test-sctp.conf b/tests/test-sctp.conf index 8dcd6e800..1f6a303fc 100644 --- a/tests/test-sctp.conf +++ b/tests/test-sctp.conf @@ -1108,4 +1108,3 @@ -a -v 2 -l ADH-AES128-SHA - diff --git a/tests/test-sig.conf b/tests/test-sig.conf index adf0ce952..680eb3506 100644 --- a/tests/test-sig.conf +++ b/tests/test-sig.conf @@ -217,4 +217,3 @@ -v 3 -l ECDHE-ECDSA-AES128-CCM-8 -A ./certs/ca-cert.pem - diff --git a/tests/test-tls13-ecc.conf b/tests/test-tls13-ecc.conf index 04f5022ee..3496eab8c 100644 
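Review bot: The "client bad certificate alt name" case trusts `server-badaltnamenull.pem` through `-A` and matches `-h localhost` with `-m`, but that certificate's validity window ends at `Not After : Jan 27 16:02:13 2021 GMT`, so after that date the handshake fails on the date check before the alt-name comparison is reached. Because failure mode in the harness accepts any non-zero result, the case keeps passing while no longer exercising the embedded-NUL fix at all. Regenerate the certificate with a much longer lifetime (e.g. `-days 7300` in gen-badaltnamenull.sh) and, ideally, have the case state the error it expects so an expiry failure is distinguishable from the intended one. A header comment on this case naming the defect it guards (a NUL inside the SAN must not make `localhost\0h` match `localhost`) would make the intent clear to anyone reading the conf.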
--- a/tests/test-tls13-ecc.conf +++ b/tests/test-tls13-ecc.conf @@ -78,4 +78,3 @@ -l TLS13-AES128-GCM-SHA256 -A ./certs/ca-ecc-cert.pem -y - diff --git a/tests/test-tls13.conf b/tests/test-tls13.conf index 532934b89..8233626d9 100644 --- a/tests/test-tls13.conf +++ b/tests/test-tls13.conf @@ -71,4 +71,3 @@ -v 4 -l TLS13-AES128-GCM-SHA256 -r - diff --git a/tests/test.conf b/tests/test.conf index ebd0664cc..18cb942e5 100644 --- a/tests/test.conf +++ b/tests/test.conf @@ -2240,9 +2240,9 @@ -v 3 -D certs/dh3072.pem -A certs/client-cert-3072.pem + # client TLSv1.2 RSA 3072-bit DH 3072-bit -v 3 -D certs/dh3072.pem -c certs/client-cert-3072.pem -k certs/client-key-3072.pem - diff --git a/wolfssl/test.h b/wolfssl/test.h index c52ff38f0..2c66ee6f5 100644 --- a/wolfssl/test.h +++ b/wolfssl/test.h @@ -1467,7 +1467,7 @@ static INLINE void CRL_CallBack(const char* url) static INLINE void SetDH(WOLFSSL* ssl) { /* dh1024 p */ - static unsigned char p[] = + static const unsigned char p[] = { 0xE6, 0x96, 0x9D, 0x3D, 0x49, 0x5B, 0xE3, 0x2C, 0x7C, 0xF1, 0x80, 0xC3, 0xBD, 0xD4, 0x79, 0x8E, 0x91, 0xB7, 0x81, 0x82, 0x51, 0xBB, 0x05, 0x5E, @@ -1483,7 +1483,7 @@ static INLINE void SetDH(WOLFSSL* ssl) }; /* dh1024 g */ - static unsigned char g[] = + static const unsigned char g[] = { 0x02, }; @@ -1494,7 +1494,7 @@ static INLINE void SetDH(WOLFSSL* ssl) static INLINE void SetDHCtx(WOLFSSL_CTX* ctx) { /* dh1024 p */ - static unsigned char p[] = + static const unsigned char p[] = { 0xE6, 0x96, 0x9D, 0x3D, 0x49, 0x5B, 0xE3, 0x2C, 0x7C, 0xF1, 0x80, 0xC3, 0xBD, 0xD4, 0x79, 0x8E, 0x91, 0xB7, 0x81, 0x82, 0x51, 0xBB, 0x05, 0x5E, @@ -1510,7 +1510,7 @@ static INLINE void SetDHCtx(WOLFSSL_CTX* ctx) }; /* dh1024 g */ - static unsigned char g[] = + static const unsigned char g[] = { 0x02, };