From 839044d9e11c4897b0f5c9c3ec50f9ceee3417cb Mon Sep 17 00:00:00 2001 From: John Safranek Date: Thu, 23 Jul 2020 12:26:49 -0700 Subject: [PATCH] 1. Remove dead assignment from client test. 2. Fix memory leak in example server test. 3. Use verify callback on certificates to allow callback to fail them. 4. Restore the forced failure test cases. 5. Make the verify action thread local. --- examples/client/client.c | 1 - examples/server/server.c | 7 +++++-- src/internal.c | 2 ++ tests/test-fails.conf | 9 +-------- wolfssl/test.h | 2 +- 5 files changed, 9 insertions(+), 12 deletions(-) diff --git a/examples/client/client.c b/examples/client/client.c index c87429b77..486508629 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -593,7 +593,6 @@ static int ClientBenchmarkThroughput(WOLFSSL_CTX* ctx, char* host, word16 port, printf("SSL_write bench error %d!\n", err); if (!exitWithRet) err_sys("SSL_write failed"); - ret = err; goto doExit; } tx_time += current_time(0) - start; diff --git a/examples/server/server.c b/examples/server/server.c index 5394c1681..44bc31348 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -381,8 +381,10 @@ int ServerEchoData(SSL* ssl, int clientfd, int echoData, int block, err_sys_ex(runWithErrors, "SSL_read failed"); break; } - if (err == WOLFSSL_ERROR_ZERO_RETURN) + if (err == WOLFSSL_ERROR_ZERO_RETURN) { + free(buffer); return WOLFSSL_ERROR_ZERO_RETURN; + } } else { rx_pos += ret; @@ -1813,7 +1815,8 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) SSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER | (usePskPlus ? WOLFSSL_VERIFY_FAIL_EXCEPT_PSK : WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT), - myVerifyAction == VERIFY_OVERRIDE_DATE_ERR ? myVerify : NULL); + (myVerifyAction == VERIFY_OVERRIDE_DATE_ERR || + myVerifyAction == VERIFY_FORCE_FAIL) ? myVerify : NULL); #ifdef TEST_BEFORE_DATE verify_flags |= WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY; diff --git a/src/internal.c b/src/internal.c index 39af97f69..29d9a5748 100644 --- a/src/internal.c +++ b/src/internal.c @@ -10007,6 +10007,8 @@ int DoVerifyCallback(WOLFSSL_CERT_MANAGER* cm, WOLFSSL* ssl, int ret, /* Determine if verify was okay */ if (ret == 0) { verify_ok = 1; + use_cb = 1; /* use verify callback on success, in case callback + * could force fail a cert */ } /* Determine if verify callback should be used */ diff --git a/tests/test-fails.conf b/tests/test-fails.conf index 40afb54e0..d1dd44417 100644 --- a/tests/test-fails.conf +++ b/tests/test-fails.conf @@ -114,7 +114,6 @@ # server -v 3 -l ECDHE-RSA-AES128-GCM-SHA256 --H verifyFail # client verify should fail -v 3 @@ -129,12 +128,10 @@ # client -v 3 -l ECDHE-RSA-AES128-GCM-SHA256 --H verifyFail # server -v 3 -l ECDHE-ECDSA-AES128-GCM-SHA256 --H verifyFail # client verify should fail -v 3 @@ -149,7 +146,6 @@ # client -v 3 -l ECDHE-ECDSA-AES128-GCM-SHA256 --H verifyFail # error going into callback, return error # server @@ -157,7 +153,6 @@ -l ECDHE-RSA-AES128-GCM-SHA256 -c ./certs/test/server-cert-rsa-badsig.pem -k ./certs/server-key.pem --H verifyFail # client verify should fail -v 3 @@ -169,7 +164,6 @@ -l ECDHE-ECDSA-AES128-GCM-SHA256 -c ./certs/test/server-cert-ecc-badsig.pem -k ./certs/ecc-key.pem --H verifyFail # client verify should fail -v 3 @@ -179,12 +173,10 @@ # server send alert on no mutual authentication -v 3 -F --H verifyFail # client send alert on no mutual authentication -v 3 -x --H verifyFail # server TLSv1.3 fail on no client certificate # server always sets WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT unless using -d @@ -195,3 +187,4 @@ -v 4 -l TLS13-AES128-GCM-SHA256 -x + diff --git a/wolfssl/test.h b/wolfssl/test.h index 385a3be21..aff5c4d65 100644 --- a/wolfssl/test.h +++ b/wolfssl/test.h @@ -1684,7 +1684,7 @@ enum { VERIFY_USE_PREVERFIY, VERIFY_OVERRIDE_DATE_ERR, }; -static int myVerifyAction = VERIFY_OVERRIDE_ERROR; +static THREAD_LS_T int myVerifyAction = VERIFY_OVERRIDE_ERROR; /* The verify callback is called for every certificate only when * --enable-opensslextra is defined because it sets WOLFSSL_ALWAYS_VERIFY_CB and