* Added support for expected fail test cases with example client/server and suites unit test.

* Added test for certificate with bad alt name containing a null character mid byte stream.
* Fix for issue with suites unit test where the last arg in the file doesn't contain data for a param, causing it to skip the test.
* Fix for last test in tests/test.conf not being run for `TLSv1.2 RSA 3072-bit DH 3072-bit`.
* Moved the `tls-cert-fail.test` tests into the new expected failure suite test (`./tests/test-fails.conf`). Now it explicitly checks RSA and ECC for the no signer and no sig tests.
This commit is contained in:
David Garske
2018-05-03 09:40:51 -07:00
parent d43aa37041
commit 89a4c98670
24 changed files with 311 additions and 242 deletions


@ -0,0 +1,20 @@
#!/bin/sh
echo "step 1 create key"
openssl genrsa -out server-badaltnamenull.key 2048
echo "step 2 create csr"
echo "US\nMontana\nBozeman\nEngineering\nlocalhost\n.\n" | openssl req -new -sha256 -out server-badaltnamenull.csr -key server-badaltnamenull.key -config server-badaltnamenull.conf
echo "step 3 check csr"
openssl req -text -noout -in server-badaltnamenull.csr
echo "step 4 create cert"
openssl x509 -req -days 1000 -in server-badaltnamenull.csr -signkey server-badaltnamenull.key \
-out server-badaltnamenull.pem -extensions req_ext -extfile server-badaltnamenull.conf
echo "step 5 make human reviewable"
openssl x509 -inform pem -in server-badaltnamenull.pem -text > tmp.pem
mv tmp.pem server-badaltnamenull.pem
openssl x509 -inform pem -in server-badaltnamenull.pem -outform der -out server-badaltnamenull.der
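Review bot: The `openssl x509 -req` step in this script passes no digest option, so the fixture is signed with the tool's default — the `server-badaltnamenull.pem` checked in by this same commit shows `Signature Algorithm: sha1WithRSAEncryption` even though the CSR step asked for `-sha256`; adding `-sha256` to the `openssl x509 -req ...` line keeps the regenerated certificate consistent with the CSR and avoids the negative test failing for a digest-support reason rather than the bad alt name on a build without SHA-1. The `echo "US\nMontana..."` pipe relies on `echo` expanding `\n`, which POSIX `sh` leaves unspecified (dash expands it, bash by default does not), and since the conf is in prompt mode those piped answers appear to be what sets the DN; `printf 'US\nMontana\nBozeman\nEngineering\nlocalhost\n.\n'` behaves the same in every shell. A `set -e` at the top would also stop the script from continuing to the `mv` and `-outform der` steps after a failed earlier step.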


@ -17,3 +17,12 @@ EXTRA_DIST += \
certs/test/server-cert-rsa-badsig.pem \ certs/test/server-cert-rsa-badsig.pem \
certs/test/server-cert-ecc-badsig.der \ certs/test/server-cert-ecc-badsig.der \
certs/test/server-cert-ecc-badsig.pem certs/test/server-cert-ecc-badsig.pem
EXTRA_DIST += \
certs/test/gen-badaltnamenull.sh \
certs/test/server-badaltnamenull.conf \
certs/test/server-badaltnamenull.csr \
certs/test/server-badaltnamenull.key \
certs/test/server-badaltnamenull.pem \
certs/test/server-badaltnamenull.der


@ -0,0 +1,17 @@
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = Montana
localityName = Bozeman
organizationName = Engineering
commonName = www.wolfssl.com
commonName_max = 64
commonName_default = localhost
[ req_ext ]
#subjectAltName = localhost\0h
subjectAltName = DER:30:0d:82:0b:6c:6f:63:61:6c:68:6f:73:74:00:68


@ -0,0 +1,17 @@
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----



@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----


@ -0,0 +1,72 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 15650401360786530715 (0xd931651e45f8a19b)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=Montana, L=Bozeman, O=Engineering, CN=localhost
Validity
Not Before: May 3 16:02:13 2018 GMT
Not After : Jan 27 16:02:13 2021 GMT
Subject: C=US, ST=Montana, L=Bozeman, O=Engineering, CN=localhost
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c1:58:e2:3d:b0:7e:c3:52:8b:b3:94:08:0e:2c:
98:15:40:4c:ab:1f:0f:67:c3:17:88:12:a9:b1:7d:
4d:a4:65:97:03:f7:90:d6:07:31:31:a5:3d:26:6e:
5b:84:47:cc:a8:8f:a1:37:ff:f2:d8:e7:c6:83:74:
04:82:fb:1f:e0:c5:32:d6:b8:23:48:80:5f:46:58:
83:9f:3f:64:da:5a:3f:40:1d:3e:a6:21:e9:25:3f:
6c:fd:a8:99:b7:31:de:d4:4f:9d:b1:38:b9:33:d3:
06:e5:67:34:a3:72:a1:18:eb:57:35:30:61:fa:c4:
0b:5f:61:f5:99:82:69:31:7a:3e:1a:00:a7:7b:8d:
1d:4b:01:70:92:23:1f:84:3b:65:af:bc:0f:1c:e5:
f8:92:a3:34:20:7e:d5:d2:33:fe:78:df:b5:55:4b:
0b:b8:74:7e:29:b5:13:68:bb:fe:a7:5e:2e:f8:71:
8c:ce:e3:ef:d4:9e:1e:e3:ff:88:20:c2:eb:de:80:
d7:44:a9:e4:60:0a:d0:12:a5:06:a5:44:df:b1:ae:
a8:21:41:a8:fb:f3:ab:7f:90:19:2a:1f:a2:f4:28:
ac:f3:72:c7:cb:8b:8a:04:e9:d2:57:9f:87:bb:48:
55:a0:cd:b4:5a:ca:9e:72:6b:b8:da:97:9c:7f:e9:
4f:b9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:localhost
Signature Algorithm: sha1WithRSAEncryption
ae:76:ea:5e:33:2c:cf:16:c8:ec:a2:27:2a:19:b9:22:bb:69:
b4:96:35:f7:25:1c:dd:8b:fb:c4:a8:32:17:89:73:a0:bc:23:
a3:49:d4:fd:1a:d7:fc:bf:87:5d:42:12:4b:20:20:74:47:7e:
7c:97:89:c1:f1:a3:82:3a:58:0b:b4:05:0b:c1:02:da:a6:dc:
ca:6c:60:58:fe:83:1c:fc:ed:c7:bc:96:df:b2:af:31:f5:28:
45:2d:d5:c0:5a:42:95:c3:64:c5:46:5c:cd:8e:d6:7b:fd:9c:
f5:75:44:cc:d6:7e:d8:96:55:5c:00:9f:1f:ac:f1:0a:07:29:
0c:ba:ab:7d:1f:ac:8d:40:55:86:e4:35:1d:11:89:10:8b:c2:
67:ff:99:32:66:f3:5d:4a:c3:37:5e:37:32:40:7b:29:50:25:
e5:c1:d8:df:7b:64:3e:f7:c4:1e:01:88:fe:24:f6:0c:ea:f7:
72:df:1e:72:0c:9b:64:c3:6b:ec:ce:99:b1:75:61:f2:ac:d5:
6f:7b:7d:06:7b:6c:a8:6c:ac:46:37:dd:af:e6:cb:8f:70:d7:
57:e2:38:d9:e6:9a:93:da:53:06:e6:39:c5:79:6a:0a:ac:49:
da:04:a1:60:2f:5f:96:ef:ca:6c:34:62:6c:ac:25:1c:d5:e0:
f7:8e:7c:df
-----BEGIN CERTIFICATE-----
MIIDUzCCAjugAwIBAgIJANkxZR5F+KGbMA0GCSqGSIb3DQEBBQUAMFsxCzAJBgNV
BAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRQwEgYD
VQQKDAtFbmdpbmVlcmluZzESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTE4MDUwMzE2
MDIxM1oXDTIxMDEyNzE2MDIxM1owWzELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01v
bnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFDASBgNVBAoMC0VuZ2luZWVyaW5nMRIw
EAYDVQQDDAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQDBWOI9sH7DUouzlAgOLJgVQEyrHw9nwxeIEqmxfU2kZZcD95DWBzExpT0mbluE
R8yoj6E3//LY58aDdASC+x/gxTLWuCNIgF9GWIOfP2TaWj9AHT6mIeklP2z9qJm3
Md7UT52xOLkz0wblZzSjcqEY61c1MGH6xAtfYfWZgmkxej4aAKd7jR1LAXCSIx+E
O2WvvA8c5fiSozQgftXSM/5437VVSwu4dH4ptRNou/6nXi74cYzO4+/Unh7j/4gg
wuvegNdEqeRgCtASpQalRN+xrqghQaj786t/kBkqH6L0KKzzcsfLi4oE6dJXn4e7
SFWgzbRayp5ya7jal5x/6U+5AgMBAAGjGjAYMBYGA1UdEQQPMA2CC2xvY2FsaG9z
dABoMA0GCSqGSIb3DQEBBQUAA4IBAQCudupeMyzPFsjsoicqGbkiu2m0ljX3JRzd
i/vEqDIXiXOgvCOjSdT9Gtf8v4ddQhJLICB0R358l4nB8aOCOlgLtAULwQLaptzK
bGBY/oMc/O3HvJbfsq8x9ShFLdXAWkKVw2TFRlzNjtZ7/Zz1dUTM1n7YllVcAJ8f
rPEKBykMuqt9H6yNQFWG5DUdEYkQi8Jn/5kyZvNdSsM3XjcyQHspUCXlwdjfe2Q+
98QeAYj+JPYM6vdy3x5yDJtkw2vszpmxdWHyrNVve30Ge2yobKxGN92v5suPcNdX
4jjZ5pqT2lMG5jnFeWoKrEnaBKFgL1+W78psNGJsrCUc1eD3jnzf
-----END CERTIFICATE-----


@ -796,7 +796,7 @@ static void Usage(void)
#ifdef HAVE_WNR #ifdef HAVE_WNR
printf("-q <file> Whitewood config file, default %s\n", wnrConfig); printf("-q <file> Whitewood config file, default %s\n", wnrConfig);
#endif #endif
printf("-H <arg> Internal tests [defCipherList, badCert]\n"); printf("-H <arg> Internal tests [defCipherList, skipExit]\n");
#ifdef WOLFSSL_TLS13 #ifdef WOLFSSL_TLS13
printf("-J Use HelloRetryRequest to choose group for KE\n"); printf("-J Use HelloRetryRequest to choose group for KE\n");
printf("-K Key Exchange for PSK not using (EC)DHE\n"); printf("-K Key Exchange for PSK not using (EC)DHE\n");
@ -887,7 +887,6 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
unsigned char alpn_opt = 0; unsigned char alpn_opt = 0;
char* cipherList = NULL; char* cipherList = NULL;
int useDefCipherList = 0; int useDefCipherList = 0;
int useBadCert = 0;
const char* verifyCert = caCertFile; const char* verifyCert = caCertFile;
const char* ourCert = cliCertFile; const char* ourCert = cliCertFile;
const char* ourKey = cliKeyFile; const char* ourKey = cliKeyFile;
@ -937,6 +936,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
char* ocspUrl = NULL; char* ocspUrl = NULL;
#endif #endif
int useX25519 = 0; int useX25519 = 0;
int skipExit = 0;
#ifdef HAVE_WNR #ifdef HAVE_WNR
const char* wnrConfigFile = wnrConfig; const char* wnrConfigFile = wnrConfig;
@ -988,7 +988,6 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
(void)useX25519; (void)useX25519;
(void)helloRetry; (void)helloRetry;
(void)onlyKeyShare; (void)onlyKeyShare;
(void)useBadCert;
StackTrap(); StackTrap();
@ -1113,9 +1112,9 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
printf("Using default cipher list for testing\n"); printf("Using default cipher list for testing\n");
useDefCipherList = 1; useDefCipherList = 1;
} }
else if (XSTRNCMP(myoptarg, "badCert", 7) == 0) { else if (XSTRNCMP(myoptarg, "skipExit", 7) == 0) {
printf("Using bad certificate for testing\n"); printf("Skip exit() for testing\n");
useBadCert = 1; skipExit = 1;
} }
else { else {
Usage(); Usage();
@ -1712,15 +1711,6 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
#endif #endif
} }
/* for testing only - use client cert as CA to force no signer error */
if (useBadCert) {
#if !defined(NO_RSA)
verifyCert = "./certs/client-cert.pem";
#elif defined(HAVE_ECC)
verifyCert = "./certs/client-ecc-cert.pem";
#endif
}
if (!usePsk && !useAnon && !useVerifyCb) { if (!usePsk && !useAnon && !useVerifyCb) {
#if !defined(NO_FILESYSTEM) #if !defined(NO_FILESYSTEM)
if (wolfSSL_CTX_load_verify_locations(ctx, verifyCert,0) if (wolfSSL_CTX_load_verify_locations(ctx, verifyCert,0)
@ -2114,9 +2104,16 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
wolfSSL_ERR_error_string(err, buffer)); wolfSSL_ERR_error_string(err, buffer));
wolfSSL_free(ssl); wolfSSL_free(ssl);
wolfSSL_CTX_free(ctx); wolfSSL_CTX_free(ctx);
err_sys("wolfSSL_connect failed"); CloseSocket(sockfd);
if (!skipExit)
err_sys("wolfSSL_connect failed");
/* see note at top of README */ /* see note at top of README */
/* if you're getting an error here */ /* if you're getting an error here */
err = wolfSSL_get_error(ssl, 0);
((func_args*)args)->return_code = err;
return 0;
} }
showPeer(ssl); showPeer(ssl);
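Review bot: The new `wolfSSL_connect` failure path calls `err = wolfSSL_get_error(ssl, 0);` after `wolfSSL_free(ssl)` has already run a few lines earlier in the same hunk, which is a use-after-free; `err` is already populated for the `wolfSSL_ERR_error_string(err, buffer)` call at the top of the hunk, so the re-read should be dropped and only `((func_args*)args)->return_code = err;` kept, ideally placed before the frees so the assignment and the value it records sit together. Separately, the `-H` parsing in the 1113 hunk compares only seven characters, `XSTRNCMP(myoptarg, "skipExit", 7)`, so anything beginning with `skipExi` selects the option; the length should be 8 (the old `"badCert"` was seven characters, which is presumably why 7 survived), and the same count appears in the matching server.c hunk. The enclosing `client_test` starts and ends outside these hunks.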


@ -413,7 +413,7 @@ static void Usage(void)
#endif #endif
printf("-g Return basic HTML web page\n"); printf("-g Return basic HTML web page\n");
printf("-C <num> The number of connections to accept, default: 1\n"); printf("-C <num> The number of connections to accept, default: 1\n");
printf("-H <arg> Internal tests [defCipherList, badCert]\n"); printf("-H <arg> Internal tests [defCipherList, skipExit]\n");
#ifdef WOLFSSL_TLS13 #ifdef WOLFSSL_TLS13
printf("-U Update keys and IVs before sending\n"); printf("-U Update keys and IVs before sending\n");
printf("-K Key Exchange for PSK not using (EC)DHE\n"); printf("-K Key Exchange for PSK not using (EC)DHE\n");
@ -500,7 +500,6 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
unsigned char alpn_opt = 0; unsigned char alpn_opt = 0;
char* cipherList = NULL; char* cipherList = NULL;
int useDefCipherList = 0; int useDefCipherList = 0;
int useBadCert = 0;
const char* verifyCert = cliCertFile; const char* verifyCert = cliCertFile;
const char* ourCert = svrCertFile; const char* ourCert = svrCertFile;
const char* ourKey = svrKeyFile; const char* ourKey = svrKeyFile;
@ -564,6 +563,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
int noTicket = 0; int noTicket = 0;
#endif #endif
int useX25519 = 0; int useX25519 = 0;
int skipExit = 0;
((func_args*)args)->return_code = -1; /* error state */ ((func_args*)args)->return_code = -1; /* error state */
@ -589,7 +589,6 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
(void)readySignal; (void)readySignal;
(void)updateKeysIVs; (void)updateKeysIVs;
(void)mcastID; (void)mcastID;
(void)useBadCert;
(void)useX25519; (void)useX25519;
#ifdef CYASSL_TIRTOS #ifdef CYASSL_TIRTOS
@ -694,9 +693,9 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
printf("Using default cipher list for testing\n"); printf("Using default cipher list for testing\n");
useDefCipherList = 1; useDefCipherList = 1;
} }
else if (XSTRNCMP(myoptarg, "badCert", 7) == 0) { else if (XSTRNCMP(myoptarg, "skipExit", 7) == 0) {
printf("Using bad certificate for testing\n"); printf("Skip exit() for testing\n");
useBadCert = 1; skipExit = 1;
} }
else { else {
Usage(); Usage();
@ -1051,15 +1050,6 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
#endif #endif
#if !defined(NO_CERTS) #if !defined(NO_CERTS)
/* for testing only - use bad cert as server cert for sig confirm err */
if (useBadCert) {
#if !defined(NO_RSA)
ourCert = "./certs/test/server-cert-rsa-badsig.pem";
#elif defined(HAVE_ECC)
ourCert = "./certs/test/server-cert-ecc-badsig.pem";
#endif
}
if ((!usePsk || usePskPlus) && !useAnon) { if ((!usePsk || usePskPlus) && !useAnon) {
#if !defined(NO_FILESYSTEM) #if !defined(NO_FILESYSTEM)
if (SSL_CTX_use_certificate_chain_file(ctx, ourCert) if (SSL_CTX_use_certificate_chain_file(ctx, ourCert)
@ -1490,7 +1480,17 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
err = SSL_get_error(ssl, 0); err = SSL_get_error(ssl, 0);
printf("SSL_accept error %d, %s\n", err, printf("SSL_accept error %d, %s\n", err,
ERR_error_string(err, buffer)); ERR_error_string(err, buffer));
err_sys_ex(runWithErrors, "SSL_accept failed");
if (!skipExit)
err_sys_ex(runWithErrors, "SSL_accept failed");
/* cleanup and return */
SSL_free(ssl);
SSL_CTX_free(ctx);
CloseSocket(clientfd);
CloseSocket(sockfd);
((func_args*)args)->return_code = err;
return 0;
} }
showPeer(ssl); showPeer(ssl);


@ -12,11 +12,6 @@ if BUILD_EXAMPLE_SERVERS
dist_noinst_SCRIPTS+= scripts/resume.test dist_noinst_SCRIPTS+= scripts/resume.test
# only run this test if we have the ability to support cert validation
if BUILD_PKI
dist_noinst_SCRIPTS+= scripts/tls-cert-fail.test
endif
EXTRA_DIST+= scripts/benchmark.test EXTRA_DIST+= scripts/benchmark.test
if BUILD_CRL if BUILD_CRL


@ -1,173 +0,0 @@
#!/bin/sh
#tls-cert-fail.test
asn_no_signer_e="-188"
asn_sig_confirm_e="-155"
exit_code=1
counter=0
# need a unique resume port since may run the same time as testsuite
# use server port zero hack to get one
tls_port=0
#no_pid tells us process was never started if -1
no_pid=-1
#server_pid captured on startup, stores the id of the server process
server_pid=$no_pid
# let's use absolute path to a local dir (make distcheck may be in sub dir)
# also let's add some randomness by adding pid in case multiple 'make check's
# per source tree
ready_file=`pwd`/wolfssl_tls_ready$$
remove_ready_file() {
if test -e $ready_file; then
echo -e "removing existing ready file"
rm $ready_file
fi
}
# trap this function so if user aborts with ^C or other kill signal we still
# get an exit that will in turn clean up the file system
abort_trap() {
echo "script aborted"
if [ $server_pid != $no_pid ]
then
echo "killing server"
kill -9 $server_pid
fi
exit_code=2 #different exit code in case of user interrupt
echo "got abort signal, exiting with $exit_code"
exit $exit_code
}
trap abort_trap INT TERM
# trap this function so that if we exit on an error the file system will still
# be restored and the other tests may still pass. Never call this function
# instead use "exit <some value>" and this function will run automatically
restore_file_system() {
remove_ready_file
}
trap restore_file_system EXIT
run_tls_no_signer_test() {
echo -e "\nStarting example server for tls no signer fail test...\n"
remove_ready_file
# starts the server on tls_port, -R generates ready file to be used as a
# mutex lock. We capture the processid into the variable server_pid
./examples/server/server -R $ready_file -p $tls_port &
server_pid=$!
while [ ! -s $ready_file -a "$counter" -lt 20 ]; do
echo -e "waiting for ready file..."
sleep 0.1
counter=$((counter+ 1))
done
if test -e $ready_file; then
echo -e "found ready file, starting client..."
else
echo -e "NO ready file ending test..."
exit 1
fi
# get created port 0 ephemeral port
tls_port=`cat $ready_file`
# starts client on tls_port and captures the output from client
capture_out=$(./examples/client/client -p $tls_port -H badCert 2>&1)
client_result=$?
wait $server_pid
server_result=$?
case "$capture_out" in
*$asn_no_signer_e*)
# only exit with zero on detection of the expected error code
echo ""
echo "$capture_out"
echo ""
echo "No signer error as expected! Test pass"
echo ""
exit_code=0
;;
*)
echo ""
echo "Client did not return asn_no_signer_e as expected: $capture_out"
echo ""
exit_code=1
esac
}
run_tls_sig_confirm_test() {
echo -e "\nStarting example server for tls sig confirm fail test...\n"
remove_ready_file
# starts the server on tls_port, -R generates ready file to be used as a
# mutex lock. We capture the processid into the variable server_pid
./examples/server/server -R $ready_file -p $tls_port -H badCert &
server_pid=$!
while [ ! -s $ready_file -a "$counter" -lt 20 ]; do
echo -e "waiting for ready file..."
sleep 0.1
counter=$((counter+ 1))
done
if test -e $ready_file; then
echo -e "found ready file, starting client..."
else
echo -e "NO ready file ending test..."
exit 1
fi
# get created port 0 ephemeral port
tls_port=`cat $ready_file`
# starts client on tls_port and captures the output from client
capture_out=$(./examples/client/client -p $tls_port 2>&1)
client_result=$?
wait $server_pid
server_result=$?
case "$capture_out" in
*$asn_sig_confirm_e*)
# only exit with zero on detection of the expected error code
echo ""
echo "$capture_out"
echo ""
echo "Sig confirm error as expected! Test pass"
echo ""
exit_code=0
;;
*)
echo ""
echo "Client did not return asn_sig_confirm_e as expected: $capture_out"
echo ""
exit_code=1
esac
}
######### begin program #########
# run the test
run_tls_no_signer_test
tls_port=0
run_tls_sig_confirm_test
echo "exiting with $exit_code"
exit $exit_code
########## end program ##########


@ -28,5 +28,6 @@ EXTRA_DIST += tests/test.conf \
tests/test-sctp.conf \ tests/test-sctp.conf \
tests/test-sig.conf \ tests/test-sig.conf \
tests/test-ed25519.conf \ tests/test-ed25519.conf \
tests/test-enckeys.conf tests/test-enckeys.conf \
tests/test-fails.conf
DISTCLEANFILES+= tests/.libs/unit.test DISTCLEANFILES+= tests/.libs/unit.test


@ -56,6 +56,7 @@ static char flagSep[] = " ";
static char svrPort[] = "0"; static char svrPort[] = "0";
#endif #endif
static char forceDefCipherListFlag[] = "-HdefCipherList"; static char forceDefCipherListFlag[] = "-HdefCipherList";
static char skipExitFlag[] = "-HskipExit";
#ifdef WOLFSSL_ASYNC_CRYPT #ifdef WOLFSSL_ASYNC_CRYPT
static int devId = INVALID_DEVID; static int devId = INVALID_DEVID;
@ -161,7 +162,7 @@ static int execute_test_case(int svr_argc, char** svr_argv,
int cli_argc, char** cli_argv, int cli_argc, char** cli_argv,
int addNoVerify, int addNonBlocking, int addNoVerify, int addNonBlocking,
int addDisableEMS, int forceSrvDefCipherList, int addDisableEMS, int forceSrvDefCipherList,
int forceCliDefCipherList) int forceCliDefCipherList, int testShouldFail)
{ {
#ifdef WOLFSSL_TIRTOS #ifdef WOLFSSL_TIRTOS
func_args cliArgs = {0}; func_args cliArgs = {0};
@ -264,6 +265,9 @@ static int execute_test_case(int svr_argc, char** svr_argv,
#ifdef TEST_PK_PRIVKEY #ifdef TEST_PK_PRIVKEY
svr_argv[svrArgs.argc++] = (char*)"-P"; svr_argv[svrArgs.argc++] = (char*)"-P";
#endif #endif
if (testShouldFail) {
svr_argv[svrArgs.argc++] = skipExitFlag;
}
/* update server flags list */ /* update server flags list */
commandLine[0] = '\0'; commandLine[0] = '\0';
@ -327,6 +331,9 @@ static int execute_test_case(int svr_argc, char** svr_argv,
#ifdef TEST_PK_PRIVKEY #ifdef TEST_PK_PRIVKEY
cli_argv[cliArgs.argc++] = (char*)"-P"; cli_argv[cliArgs.argc++] = (char*)"-P";
#endif #endif
if (testShouldFail) {
cli_argv[cliArgs.argc++] = skipExitFlag;
}
commandLine[0] = '\0'; commandLine[0] = '\0';
added = 0; added = 0;
@ -345,13 +352,15 @@ static int execute_test_case(int svr_argc, char** svr_argv,
client_test(&cliArgs); client_test(&cliArgs);
/* verify results */ /* verify results */
if (cliArgs.return_code != 0) { if ((cliArgs.return_code != 0 && testShouldFail == 0) ||
(cliArgs.return_code == 0 && testShouldFail != 0)) {
printf("client_test failed\n"); printf("client_test failed\n");
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
join_thread(serverThread); join_thread(serverThread);
if (svrArgs.return_code != 0) { if ((svrArgs.return_code != 0 && testShouldFail == 0) ||
(svrArgs.return_code == 0 && testShouldFail != 0)) {
printf("server_test failed\n"); printf("server_test failed\n");
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
@ -361,6 +370,11 @@ static int execute_test_case(int svr_argc, char** svr_argv,
#endif #endif
FreeTcpReady(&ready); FreeTcpReady(&ready);
/* only run the first test for failure cases */
if (testShouldFail) {
return NOT_BUILT_IN;
}
return 0; return 0;
} }
@ -379,18 +393,23 @@ static void test_harness(void* vargs)
char* cursor; char* cursor;
char* comment; char* comment;
const char* fname = "tests/test.conf"; const char* fname = "tests/test.conf";
int testShouldFail = 0;
if (args->argc == 1) { if (args->argc == 1) {
printf("notice: using default file %s\n", fname); printf("notice: using default file %s\n", fname);
} }
else if(args->argc != 2) { else if(args->argc > 3) {
printf("usage: harness [FILE]\n"); printf("usage: harness [FILE] [ARG]\n");
args->return_code = 1; args->return_code = 1;
return; return;
} }
else {
if (args->argc >= 2) {
fname = args->argv[1]; fname = args->argv[1];
} }
if (args->argc == 3) {
testShouldFail = 1;
}
file = fopen(fname, "rb"); file = fopen(fname, "rb");
if (file == NULL) { if (file == NULL) {
@ -463,6 +482,8 @@ static void test_harness(void* vargs)
cliArgs[cliArgsSz++] = XSTRSEP(&cursor, " \n"); cliArgs[cliArgsSz++] = XSTRSEP(&cursor, " \n");
else else
svrArgs[svrArgsSz++] = XSTRSEP(&cursor, " \n"); svrArgs[svrArgsSz++] = XSTRSEP(&cursor, " \n");
if (*cursor == 0) /* eof */
do_it = 1;
break; break;
default: default:
/* Anything from cursor until end of line that isn't the above /* Anything from cursor until end of line that isn't the above
@ -474,6 +495,7 @@ static void test_harness(void* vargs)
svrArgs[svrArgsSz++] = XSTRSEP(&cursor, "\n"); svrArgs[svrArgsSz++] = XSTRSEP(&cursor, "\n");
if (*cursor == 0) /* eof */ if (*cursor == 0) /* eof */
do_it = 1; do_it = 1;
break;
} }
if (svrArgsSz == MAX_ARGS || cliArgsSz == MAX_ARGS) { if (svrArgsSz == MAX_ARGS || cliArgsSz == MAX_ARGS) {
@ -483,31 +505,41 @@ static void test_harness(void* vargs)
if (do_it) { if (do_it) {
ret = execute_test_case(svrArgsSz, svrArgs, ret = execute_test_case(svrArgsSz, svrArgs,
cliArgsSz, cliArgs, 0, 0, 0, 0, 0); cliArgsSz, cliArgs, 0, 0, 0, 0, 0,
testShouldFail);
/* don't repeat if not supported in build */ /* don't repeat if not supported in build */
if (ret == 0) { if (ret == 0) {
/* test with default cipher list on server side */ /* test with default cipher list on server side */
execute_test_case(svrArgsSz, svrArgs, execute_test_case(svrArgsSz, svrArgs,
cliArgsSz, cliArgs, 0, 0, 0, 1, 0); cliArgsSz, cliArgs, 0, 0, 0, 1, 0,
testShouldFail);
/* test with default cipher list on client side */ /* test with default cipher list on client side */
execute_test_case(svrArgsSz, svrArgs, execute_test_case(svrArgsSz, svrArgs,
cliArgsSz, cliArgs, 0, 0, 0, 0, 1); cliArgsSz, cliArgs, 0, 0, 0, 0, 1,
testShouldFail);
execute_test_case(svrArgsSz, svrArgs, execute_test_case(svrArgsSz, svrArgs,
cliArgsSz, cliArgs, 0, 1, 0, 0, 0); cliArgsSz, cliArgs, 0, 1, 0, 0, 0,
testShouldFail);
execute_test_case(svrArgsSz, svrArgs, execute_test_case(svrArgsSz, svrArgs,
cliArgsSz, cliArgs, 1, 0, 0, 0, 0); cliArgsSz, cliArgs, 1, 0, 0, 0, 0,
testShouldFail);
execute_test_case(svrArgsSz, svrArgs, execute_test_case(svrArgsSz, svrArgs,
cliArgsSz, cliArgs, 1, 1, 0, 0, 0); cliArgsSz, cliArgs, 1, 1, 0, 0, 0,
testShouldFail);
#ifdef HAVE_EXTENDED_MASTER #ifdef HAVE_EXTENDED_MASTER
execute_test_case(svrArgsSz, svrArgs, execute_test_case(svrArgsSz, svrArgs,
cliArgsSz, cliArgs, 0, 0, 1, 0, 0); cliArgsSz, cliArgs, 0, 0, 1, 0, 0,
testShouldFail);
execute_test_case(svrArgsSz, svrArgs, execute_test_case(svrArgsSz, svrArgs,
cliArgsSz, cliArgs, 0, 1, 1, 0, 0); cliArgsSz, cliArgs, 0, 1, 1, 0, 0,
testShouldFail);
execute_test_case(svrArgsSz, svrArgs, execute_test_case(svrArgsSz, svrArgs,
cliArgsSz, cliArgs, 1, 0, 1, 0, 0); cliArgsSz, cliArgs, 1, 0, 1, 0, 0,
testShouldFail);
execute_test_case(svrArgsSz, svrArgs, execute_test_case(svrArgsSz, svrArgs,
cliArgsSz, cliArgs, 1, 1, 1, 0, 0); cliArgsSz, cliArgs, 1, 1, 1, 0, 0,
testShouldFail);
#endif #endif
} }
svrArgsSz = 1; svrArgsSz = 1;
@ -526,14 +558,15 @@ int SuiteTest(void)
{ {
#if !defined(NO_WOLFSSL_SERVER) && !defined(NO_WOLFSSL_CLIENT) #if !defined(NO_WOLFSSL_SERVER) && !defined(NO_WOLFSSL_CLIENT)
func_args args; func_args args;
char argv0[2][80]; char argv0[3][80];
char* myArgv[2]; char* myArgv[3];
printf(" Begin Cipher Suite Tests\n"); printf(" Begin Cipher Suite Tests\n");
/* setup */ /* setup */
myArgv[0] = argv0[0]; myArgv[0] = argv0[0];
myArgv[1] = argv0[1]; myArgv[1] = argv0[1];
myArgv[2] = argv0[2];
args.argv = myArgv; args.argv = myArgv;
strcpy(argv0[0], "SuiteTest"); strcpy(argv0[0], "SuiteTest");
@ -681,6 +714,18 @@ int SuiteTest(void)
} }
#endif #endif
/* failure tests */
args.argc = 3;
strcpy(argv0[1], "tests/test-fails.conf");
strcpy(argv0[2], "-f");
printf("starting tests that expect failure\n");
test_harness(&args);
if (args.return_code != 0) {
printf("error from script %d\n", args.return_code);
args.return_code = EXIT_FAILURE;
goto exit;
}
exit: exit:
printf(" End Cipher Suite Tests\n"); printf(" End Cipher Suite Tests\n");
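Review bot: The expected-failure check in the `verify results` hunk treats any non-zero `return_code` as a pass, so a handshake that fails for an unrelated reason — a missing certificate file, an unsupported cipher suite, a port that could not be bound — is reported as a successful negative test, whereas the `tls-cert-fail.test` script this commit removes matched the specific codes `-188` and `-155`. Since client and server now propagate the real error through `return_code`, consider letting `tests/test-fails.conf` state the expected code per case and comparing against it (the codes the old script matched correspond to `ASN_NO_SIGNER_E` and `ASN_SIG_CONFIRM_E`), otherwise a regression that skips verification entirely but fails later still passes. In the `test_harness` hunk, any third argument enables failure mode because `argv[2]` is never inspected, so the `"-f"` that `SuiteTest` passes is decorative; `if (args->argc == 3 && strcmp(args->argv[2], "-f") == 0)` would make that contract explicit. Both `execute_test_case` and `test_harness` continue outside their hunks.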


@ -959,4 +959,3 @@
-a -a
-v 2 -v 2
-l ADH-AES128-SHA -l ADH-AES128-SHA


@ -53,4 +53,3 @@
#-k ./certs/ed25519/client-ed25519-key.pem #-k ./certs/ed25519/client-ed25519-key.pem
#-A ./certs/ed25519/root-ed25519.pem #-A ./certs/ed25519/root-ed25519.pem
#-C #-C

tests/test-fails.conf Normal file

@ -0,0 +1,50 @@
# server bad certificate alt name
-v 3
-l ECDHE-RSA-AES128-GCM-SHA256
-k ./certs/test/server-badaltnamenull.key
-c ./certs/test/server-badaltnamenull.pem
-d
# client bad certificate alt name
-v 3
-l ECDHE-RSA-AES128-GCM-SHA256
-h localhost
-A ./certs/test/server-badaltnamenull.pem
-m
-x
# server RSA no signer error
-v 3
-l ECDHE-RSA-AES128-GCM-SHA256
# client RSA no signer error
-v 3
-l ECDHE-RSA-AES128-GCM-SHA256
-A ./certs/client-cert.pem
# server ECC no signer error
-v 3
-l ECDHE-ECDSA-AES128-GCM-SHA256
# client ECC no signer error
-v 3
-l ECDHE-ECDSA-AES128-GCM-SHA256
-A ./certs/client-ecc-cert.pem
# server RSA bad sig error
-v 3
-l ECDHE-RSA-AES128-GCM-SHA256
-c ./certs/test/server-cert-rsa-badsig.pem
# client RSA bad sig error
-v 3
-l ECDHE-RSA-AES128-GCM-SHA256
# server ECC bad sig error
-v 3
-l ECDHE-ECDSA-AES128-GCM-SHA256
-c ./certs/test/server-cert-ecc-badsig.pem
# client ECC bad sig error
-v 3
-l ECDHE-ECDSA-AES128-GCM-SHA256


@ -300,4 +300,3 @@
-l TLS13-AES128-GCM-SHA256 -l TLS13-AES128-GCM-SHA256
-r -r
-s -s


@ -2152,4 +2152,3 @@
# client TLSv1.2 NTRU_AES128 # client TLSv1.2 NTRU_AES128
-v 3 -v 3
-l QSH:NTRU-AES128-SHA -l QSH:NTRU-AES128-SHA


@ -1108,4 +1108,3 @@
-a -a
-v 2 -v 2
-l ADH-AES128-SHA -l ADH-AES128-SHA


@ -217,4 +217,3 @@
-v 3 -v 3
-l ECDHE-ECDSA-AES128-CCM-8 -l ECDHE-ECDSA-AES128-CCM-8
-A ./certs/ca-cert.pem -A ./certs/ca-cert.pem


@ -78,4 +78,3 @@
-l TLS13-AES128-GCM-SHA256 -l TLS13-AES128-GCM-SHA256
-A ./certs/ca-ecc-cert.pem -A ./certs/ca-ecc-cert.pem
-y -y


@ -71,4 +71,3 @@
-v 4 -v 4
-l TLS13-AES128-GCM-SHA256 -l TLS13-AES128-GCM-SHA256
-r -r


@ -2240,9 +2240,9 @@
-v 3 -v 3
-D certs/dh3072.pem -D certs/dh3072.pem
-A certs/client-cert-3072.pem -A certs/client-cert-3072.pem
# client TLSv1.2 RSA 3072-bit DH 3072-bit # client TLSv1.2 RSA 3072-bit DH 3072-bit
-v 3 -v 3
-D certs/dh3072.pem -D certs/dh3072.pem
-c certs/client-cert-3072.pem -c certs/client-cert-3072.pem
-k certs/client-key-3072.pem -k certs/client-key-3072.pem


@ -1478,7 +1478,7 @@ static INLINE void CRL_CallBack(const char* url)
static INLINE void SetDH(WOLFSSL* ssl) static INLINE void SetDH(WOLFSSL* ssl)
{ {
/* dh1024 p */ /* dh1024 p */
static unsigned char p[] = static const unsigned char p[] =
{ {
0xE6, 0x96, 0x9D, 0x3D, 0x49, 0x5B, 0xE3, 0x2C, 0x7C, 0xF1, 0x80, 0xC3, 0xE6, 0x96, 0x9D, 0x3D, 0x49, 0x5B, 0xE3, 0x2C, 0x7C, 0xF1, 0x80, 0xC3,
0xBD, 0xD4, 0x79, 0x8E, 0x91, 0xB7, 0x81, 0x82, 0x51, 0xBB, 0x05, 0x5E, 0xBD, 0xD4, 0x79, 0x8E, 0x91, 0xB7, 0x81, 0x82, 0x51, 0xBB, 0x05, 0x5E,
@ -1494,7 +1494,7 @@ static INLINE void SetDH(WOLFSSL* ssl)
}; };
/* dh1024 g */ /* dh1024 g */
static unsigned char g[] = static const unsigned char g[] =
{ {
0x02, 0x02,
}; };
@ -1505,7 +1505,7 @@ static INLINE void SetDH(WOLFSSL* ssl)
static INLINE void SetDHCtx(WOLFSSL_CTX* ctx) static INLINE void SetDHCtx(WOLFSSL_CTX* ctx)
{ {
/* dh1024 p */ /* dh1024 p */
static unsigned char p[] = static const unsigned char p[] =
{ {
0xE6, 0x96, 0x9D, 0x3D, 0x49, 0x5B, 0xE3, 0x2C, 0x7C, 0xF1, 0x80, 0xC3, 0xE6, 0x96, 0x9D, 0x3D, 0x49, 0x5B, 0xE3, 0x2C, 0x7C, 0xF1, 0x80, 0xC3,
0xBD, 0xD4, 0x79, 0x8E, 0x91, 0xB7, 0x81, 0x82, 0x51, 0xBB, 0x05, 0x5E, 0xBD, 0xD4, 0x79, 0x8E, 0x91, 0xB7, 0x81, 0x82, 0x51, 0xBB, 0x05, 0x5E,
@ -1521,7 +1521,7 @@ static INLINE void SetDHCtx(WOLFSSL_CTX* ctx)
}; };
/* dh1024 g */ /* dh1024 g */
static unsigned char g[] = static const unsigned char g[] =
{ {
0x02, 0x02,
}; };