feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Merge pull request #3417 from douzzer/fix-ipv6-ocsp-tests

Browse Source 
Fix ipv6 ocsp tests
This commit is contained in:
toddouska
2020-11-03 14:38:32 -08:00
committed by GitHub
parent f8176dd646 7d177e78d7
commit 9f9901e10e
13 changed files with 197 additions and 66 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
CMakeLists.txt
View File

@ -110,7 +110,6 @@ add_library(wolfssl
wolfcrypt/src/cryptocb.c
wolfcrypt/src/curve25519.c
wolfcrypt/src/curve448.c
wolfcrypt/src/debug.c
wolfcrypt/src/des3.c
wolfcrypt/src/dh.c
wolfcrypt/src/dsa.c

14
configure.ac
View File

@ -5783,9 +5783,16 @@ AM_CONDITIONAL([BUILD_PKCS7],[test "x$ENABLED_PKCS7" = "xyes" || test "x$ENABLED
AM_CONDITIONAL([BUILD_HASHFLAGS],[test "x$ENABLED_HASHFLAGS" = "xyes"])
AM_CONDITIONAL([BUILD_LINUXKM],[test "$ENABLED_LINUXKM" = "yes"])
AM_CONDITIONAL([BUILD_NO_LIBRARY],[test "$ENABLED_NO_LIBRARY" = "yes"])
AM_CONDITIONAL([BUILD_DEBUG],[test "$ax_enable_debug" = "yes" || test "$ENABLED_STACKSIZE" = "yes"])
AM_CONDITIONAL([BUILD_RC2],[test "x$ENABLED_RC2" = "xyes"])
if test "$ax_enable_debug" = "yes" ||
test "$ENABLED_STACKSIZE" = "yes" ||
(test "$ENABLED_LEANTLS" = "no" &&
test "$ENABLED_LEANPSK" = "no" &&
test "$ENABLED_LOWRESOURCE" = "no")
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_WC_INTROSPECTION"
fi
CREATE_HEX_VERSION
AC_SUBST([AM_CPPFLAGS])
@ -6091,6 +6098,11 @@ echo " * Crypto callbacks: $ENABLED_CRYPTOCB"
echo ""
echo "---"
echo >> config.h
echo "#define LIBWOLFSSL_CONFIGURE_ARGS \"$ac_configure_args\"" >> config.h
echo >> config.h
echo "#define LIBWOLFSSL_GLOBAL_CFLAGS \"$CPPFLAGS $AM_CPPFLAGS $CFLAGS $AM_CFLAGS\"" >> config.h
################################################################################
# Show warnings at bottom so they are noticed
################################################################################

44
examples/client/client.c
View File

@ -24,6 +24,9 @@
#include <config.h>
#endif
#ifndef WOLFSSL_USER_SETTINGS
#include <wolfssl/options.h>
#endif
#include <wolfssl/wolfcrypt/settings.h>
#include <wolfssl/ssl.h>
@ -952,7 +955,9 @@ static const char* client_usage_msg[][66] = {
#ifdef NO_RSA
"RSA not supported\n", /* 2 */
#elif defined(WOLFSSL_SP_MATH) /* case of SP math only */
#ifndef WOLFSSL_SP_NO_3072
#ifdef WOLFSSL_SP_4096
"4096\n", /* 2 */
#elif !defined(WOLFSSL_SP_NO_3072)
"3072\n", /* 2 */
#elif !defined(WOLFSSL_SP_NO_2048)
"2048\n", /* 2 */
@ -1655,7 +1660,8 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
while ((ch = mygetopt(argc, argv, "?:"
"ab:c:defgh:i;jk:l:mnop:q:rstuv:wxyz"
"A:B:CDE:F:GH:IJKL:M:NO:PQRS:TUVW:XYZ:"
"01:23:458")) != -1) {
"01:23:458"
"@#")) != -1) {
switch (ch) {
case '?' :
if(myoptarg!=NULL) {
@ -2122,6 +2128,40 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
#endif
break;
case '@' :
{
#ifdef HAVE_WC_INTROSPECTION
const char *conf_args = wolfSSL_configure_args();
if (conf_args) {
puts(conf_args);
XEXIT_T(EXIT_SUCCESS);
} else {
fputs("configure args not compiled in.\n",stderr);
XEXIT_T(MY_EX_USAGE);
}
#else
fputs("compiled without BUILD_INTROSPECTION.\n",stderr);
XEXIT_T(MY_EX_USAGE);
#endif
}
case '#' :
{
#ifdef HAVE_WC_INTROSPECTION
const char *cflags = wolfSSL_global_cflags();
if (cflags) {
puts(cflags);
XEXIT_T(EXIT_SUCCESS);
} else {
fputs("CFLAGS not compiled in.\n",stderr);
XEXIT_T(MY_EX_USAGE);
}
#else
fputs("compiled without BUILD_INTROSPECTION.\n",stderr);
XEXIT_T(MY_EX_USAGE);
#endif
}
default:
Usage();
XEXIT_T(MY_EX_USAGE);

44
examples/server/server.c
View File

@ -23,9 +23,14 @@
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#ifndef WOLFSSL_USER_SETTINGS
#include <wolfssl/options.h>
#endif
#include <wolfssl/wolfcrypt/settings.h>
#include <wolfssl/ssl.h> /* name change portability layer */
#include <wolfssl/wolfcrypt/settings.h>
#ifdef HAVE_ECC
#include <wolfssl/wolfcrypt/ecc.h> /* wc_ecc_fp_free */
#endif
@ -1152,7 +1157,8 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
while ((ch = mygetopt(argc, argv, "?:"
"abc:defgijk:l:mnop:q:rstuv:wxy"
"A:B:C:D:E:FGH:IJKL:MNO:PQR:S:TUVYZ:"
"01:23:4:58")) != -1) {
"01:23:4:58"
"@#")) != -1) {
switch (ch) {
case '?' :
if(myoptarg!=NULL) {
@ -1552,6 +1558,40 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
#endif
break;
case '@' :
{
#ifdef HAVE_WC_INTROSPECTION
const char *conf_args = wolfSSL_configure_args();
if (conf_args) {
puts(conf_args);
XEXIT_T(EXIT_SUCCESS);
} else {
fputs("configure args not compiled in.\n",stderr);
XEXIT_T(MY_EX_USAGE);
}
#else
fputs("compiled without BUILD_INTROSPECTION.\n",stderr);
XEXIT_T(MY_EX_USAGE);
#endif
}
case '#' :
{
#ifdef HAVE_WC_INTROSPECTION
const char *cflags = wolfSSL_global_cflags();
if (cflags) {
puts(cflags);
XEXIT_T(EXIT_SUCCESS);
} else {
fputs("CFLAGS not compiled in.\n",stderr);
XEXIT_T(MY_EX_USAGE);
}
#else
fputs("compiled without BUILD_INTROSPECTION.\n",stderr);
XEXIT_T(MY_EX_USAGE);
#endif
}
default:
Usage();
XEXIT_T(MY_EX_USAGE);

50
scripts/ocsp-stapling.test
View File

@ -16,6 +16,31 @@ if [ $? -eq 0 ]; then
exit 0
fi
if openssl s_server -help 2>&1 | fgrep -q -i ipv6 && nc -h 2>&1 | fgrep -q -i ipv6; then
IPV6_SUPPORTED=yes
else
IPV6_SUPPORTED=no
fi
if ./examples/client/client '-#' | fgrep -q -e ' -DTEST_IPV6 '; then
if [[ "$IPV6_SUPPORTED" == "no" ]]; then
echo 'Skipping IPV6 test in environment lacking IPV6 support.'
exit 0
fi
LOCALHOST='[::1]'
LOCALHOST_FOR_NC='::1'
V4V6=6
V4V6_FLAG=-6
else
LOCALHOST='127.0.0.1'
LOCALHOST_FOR_NC='127.0.0.1'
if [[ "$IPV6_SUPPORTED" == "yes" ]]; then
V4V6_FLAG=-4
else
V4V6_FLAG=
fi
V4V6=4
fi
PARENTDIR="$PWD"
@ -71,7 +96,7 @@ remove_single_rF(){
#create a configure file for cert generation with the port 0 solution
create_new_cnf() {
printf '%s\n' "Random Port Selected: $RPORTSELECTED"
printf '%s\n' "Random Port Selected: $1"
printf '%s\n' "#" > $test_cnf
printf '%s\n' "# openssl configuration file for OCSP certificates" >> $test_cnf
@ -183,7 +208,7 @@ get_first_free_port() {
if [[ "$ret" -ge 65536 ]]; then
ret=1024
fi
if ! nc -z 127.0.0.1 "$ret"; then
if ! nc -z $V4V6_FLAG $LOCALHOST_FOR_NC "$ret"; then
break
fi
ret=$((ret+1))
@ -201,7 +226,7 @@ port3=$(get_first_free_port $((port2 + 1)))
# test interop fail case
ready_file=$PWD/wolf_ocsp_readyF$$
printf '%s\n' "ready file: $ready_file"
./examples/server/server -b -p $port1 -o -R $ready_file &
timeout 60 ./examples/server/server -b -p $port1 -o -R $ready_file &
wolf_pid=$!
wait_for_readyFile $ready_file $wolf_pid $port1
if [ ! -f $ready_file ]; then
@ -209,9 +234,9 @@ if [ ! -f $ready_file ]; then
exit 1
else
# should fail if ocspstapling is also enabled
echo "hi" | openssl s_client -status -connect 127.0.0.1:$port1 -cert ./certs/client-cert.pem -key ./certs/client-key.pem -CAfile ./certs/ocsp/root-ca-cert.pem
if [ $? -eq 0 ]; then
printf '%s\n' "Succeeded when should have failed"
echo "hi" | openssl s_client -status $V4V6_FLAG -connect ${LOCALHOST}:$port1 -cert ./certs/client-cert.pem -key ./certs/client-key.pem -CAfile ./certs/ocsp/root-ca-cert.pem 2>&1 | tee /dev/stderr | fgrep -q 'self signed certificate in certificate chain'
if [ $? -neq 0 ]; then
printf '%s\n' "Expected verification error from s_client is missing."
remove_single_rF $ready_file
exit 1
fi
@ -247,10 +272,13 @@ server=login.live.com
#ca=certs/external/baltimore-cybertrust-root.pem
ca=certs/external/ca_collection.pem
./examples/client/client -C -h $server -p 443 -A $ca -g -W 1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1
if [[ "$V4V6" == "4" ]]; then
./examples/client/client -C -h $server -p 443 -A $ca -g -W 1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1
else
echo "Skipping OCSP test on $server (IPv6 test client)"
fi
# Test with example server
@ -341,7 +369,7 @@ generate_port() {
# Start OpenSSL server that has no OCSP responses to return
generate_port
openssl s_server -cert ./certs/server-cert.pem -key certs/server-key.pem -www -port $port &
openssl s_server $V4V6_FLAG -cert ./certs/server-cert.pem -key certs/server-key.pem -www -port $port &
openssl_pid=$!
sleep 0.1

26
scripts/ocsp-stapling2.test
View File

@ -24,6 +24,24 @@ if [ $? -eq 0 ]; then
exit 0
fi
if openssl s_server -help 2>&1 | fgrep -q -i ipv6 && nc -h 2>&1 | fgrep -q -i ipv6; then
IPV6_SUPPORTED=yes
else
IPV6_SUPPORTED=no
fi
if ./examples/client/client '-#' | fgrep -q -e ' -DTEST_IPV6 '; then
if [[ "$IPV6_SUPPORTED" == "no" ]]; then
echo 'Skipping IPV6 test in environment lacking IPV6 support.'
exit 0
fi
LOCALHOST='[::1]'
LOCALHOST_FOR_NC='-6 ::1'
else
LOCALHOST='127.0.0.1'
LOCALHOST_FOR_NC='127.0.0.1'
fi
PARENTDIR="$PWD"
# create a unique workspace directory ending in PID for the script instance ($$)
@ -87,7 +105,7 @@ remove_single_rF(){
#create a configure file for cert generation with the port 0 solution
create_new_cnf() {
printf '%s\n' "Random Port Selected: $RPORTSELECTED"
printf '%s\n' "Random Ports Selected: $1 $2 $3 $4"
printf '%s\n' "#" > $test_cnf
printf '%s\n' "# openssl configuration file for OCSP certificates" >> $test_cnf
@ -209,7 +227,7 @@ get_first_free_port() {
if [[ "$ret" -ge 65536 ]]; then
ret=1024
fi
if ! nc -z 127.0.0.1 "$ret"; then
if ! nc -z ${LOCALHOST_FOR_NC} "$ret"; then
break
fi
ret=$((ret+1))
@ -396,7 +414,7 @@ remove_single_rF $ready_file5
-p $port5 -H loadSSL &
server_pid5=$!
wait_for_readyFile $ready_file5 $server_pid5 $port5
echo "test connection" | openssl s_client -status -connect 127.0.0.1:$port5 -cert ./certs/client-cert.pem -key ./certs/client-key.pem -CAfile ./certs/ocsp/root-ca-cert.pem
echo "test connection" | openssl s_client -status -connect ${LOCALHOST}:$port5 -cert ./certs/client-cert.pem -key ./certs/client-key.pem -CAfile ./certs/ocsp/root-ca-cert.pem
RESULT=$?
[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection failed $RESULT" && exit 1
wait $server_pid5
@ -407,7 +425,7 @@ fi
printf '%s\n\n' "Test successful"
printf '%s\n\n' "------------- TEST CASE 8 SHOULD REVOKE ----------------------"
remove_single_rF $ready_file5
./examples/server/server -c certs/ocsp/server4-cert.pem \
timeout 60 ./examples/server/server -c certs/ocsp/server4-cert.pem \
-k certs/ocsp/server4-key.pem -R $ready_file5 \
-p $port5 -H loadSSL &
server_pid5=$!

2
scripts/openssl.test
View File

@ -204,7 +204,7 @@ start_wolfssl_server() {
echo "# $WOLFSSL_SERVER -p $server_port $wolfssl_cert $wolfssl_key $wolfssl_caCert -g -v d -x -i $psk $crl -l ALL"
$WOLFSSL_SERVER -p $server_port $wolfssl_cert $wolfssl_key $wolfssl_caCert -g -v d -x -i $psk $crl -l ALL &
server_pid=$!
# wait to see if s_server successfully starts before continuing
# wait to see if server successfully starts before continuing
sleep 0.1
check_process_running

5
src/include.am
View File

@ -317,11 +317,6 @@ src_libwolfssl_la_SOURCES += \
wolfcrypt/src/wc_port.c \
wolfcrypt/src/error.c
if BUILD_DEBUG
src_libwolfssl_la_SOURCES += \
wolfcrypt/src/debug.c
endif
if !BUILD_FIPS_RAND
src_libwolfssl_la_SOURCES += \
wolfcrypt/src/wc_encrypt.c \

3
wolfcrypt/src/chacha20_poly1305.c
View File

@ -435,7 +435,8 @@ static WC_INLINE int wc_XChaCha20Poly1305_crypt_oneshot(
out:
XMEMSET(aead, 0, sizeof *aead);
ForceZero(aead, sizeof *aead);
#if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
XFREE(aead, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

37
wolfcrypt/src/debug.c
View File

@ -1,37 +0,0 @@
/* debug.c
*
* Copyright (C) 2006-2020 wolfSSL Inc.
*
* This file is part of wolfSSL.
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#include <wolfssl/wolfcrypt/settings.h>
#include <wolfssl/wolfcrypt/wc_port.h>
#include <wolfssl/wolfcrypt/types.h>
#ifdef HAVE_STACK_SIZE_VERBOSE
WOLFSSL_API THREAD_LS_T unsigned char *StackSizeCheck_myStack = NULL;
WOLFSSL_API THREAD_LS_T size_t StackSizeCheck_stackSize = 0;
WOLFSSL_API THREAD_LS_T size_t StackSizeCheck_stackSizeHWM = 0;
WOLFSSL_API THREAD_LS_T size_t *StackSizeCheck_stackSizeHWM_ptr = 0;
WOLFSSL_API THREAD_LS_T void *StackSizeCheck_stackOffsetPointer = 0;
#endif

32
wolfcrypt/src/logging.c
View File

@ -111,6 +111,38 @@ static WC_INLINE double current_time(int reset)
}
#endif /* WOLFSSL_FUNC_TIME */
#ifdef HAVE_WC_INTROSPECTION
const char *wolfSSL_configure_args(void) {
#ifdef LIBWOLFSSL_CONFIGURE_ARGS
/* the spaces on either side are to make matching simple and efficient. */
return " " LIBWOLFSSL_CONFIGURE_ARGS " ";
#else
return NULL;
#endif
}
const char *wolfSSL_global_cflags(void) {
#ifdef LIBWOLFSSL_GLOBAL_CFLAGS
/* the spaces on either side are to make matching simple and efficient. */
return " " LIBWOLFSSL_GLOBAL_CFLAGS " ";
#else
return NULL;
#endif
}
#endif /* HAVE_WC_INTROSPECTION */
#ifdef HAVE_STACK_SIZE_VERBOSE
THREAD_LS_T unsigned char *StackSizeCheck_myStack = NULL;
THREAD_LS_T size_t StackSizeCheck_stackSize = 0;
THREAD_LS_T size_t StackSizeCheck_stackSizeHWM = 0;
THREAD_LS_T size_t *StackSizeCheck_stackSizeHWM_ptr = 0;
THREAD_LS_T void *StackSizeCheck_stackOffsetPointer = 0;
#endif /* HAVE_STACK_SIZE_VERBOSE */
#ifdef DEBUG_WOLFSSL
/* Set these to default values initially. */

4
wolfssl/wolfcrypt/logging.h
View File

@ -100,6 +100,10 @@ WOLFSSL_API int wolfSSL_Debugging_ON(void);
/* turn logging off */
WOLFSSL_API void wolfSSL_Debugging_OFF(void);
#ifdef HAVE_WC_INTROSPECTION
WOLFSSL_API const char *wolfSSL_configure_args(void);
WOLFSSL_API const char *wolfSSL_global_cflags(void);
#endif
#if defined(OPENSSL_EXTRA) || defined(DEBUG_WOLFSSL_VERBOSE)
WOLFSSL_LOCAL int wc_LoggingInit(void);

1
wolfssl/wolfcrypt/settings.h
View File

@ -228,7 +228,6 @@
#include "wolfSSL.wolfSSL_conf.h"
#endif
/* make sure old RNG name is used with CTaoCrypt FIPS */
#ifdef HAVE_FIPS
#if !defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)