Merge pull request #5157 from douzzer/20220519-multi-test-fixes

20220519-multi-test-fixes
This commit is contained in:
Sean Parkinson
2022-05-20 13:47:09 +10:00
committed by GitHub
9 changed files with 133 additions and 102 deletions


@ -7788,10 +7788,10 @@ AM_CONDITIONAL([BUILD_OCTEON_SYNC],[test "x$ENABLED_OCTEON_SYNC" = "xyes"])
AM_CONDITIONAL([BUILD_INTEL_QA],[test "x$ENABLED_INTEL_QA" = "xyes"]) AM_CONDITIONAL([BUILD_INTEL_QA],[test "x$ENABLED_INTEL_QA" = "xyes"])
AM_CONDITIONAL([BUILD_INTEL_QA_SYNC],[test "x$ENABLED_INTEL_QA_SYNC" = "xyes"]) AM_CONDITIONAL([BUILD_INTEL_QA_SYNC],[test "x$ENABLED_INTEL_QA_SYNC" = "xyes"])
AM_CONDITIONAL([BUILD_SP],[test "x$ENABLED_SP" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"]) AM_CONDITIONAL([BUILD_SP],[test "x$ENABLED_SP" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_SP_C32],[(((test "$ENABLED_SP_RSA" = "yes" || test "$ENABLED_SP_DH" = "yes" \ AM_CONDITIONAL([BUILD_SP_C32],[ ( ( (test "$ENABLED_SP_RSA" = "yes" || test "$ENABLED_SP_DH" = "yes" \
|| test "$ENABLED_SP_ECC" = "yes") && test "x$ENABLED_SP_ASM" = "xno") \ || test "$ENABLED_SP_ECC" = "yes") && test "x$ENABLED_SP_ASM" = "xno") \
|| test "x$ENABLED_USERSETTINGS" = "xyes") && test "x$ENABLED_64BIT" != "xyes"]) || test "x$ENABLED_USERSETTINGS" = "xyes") && test "x$ENABLED_64BIT" != "xyes"])
AM_CONDITIONAL([BUILD_SP_C64],[(((test "$ENABLED_SP_RSA" = "yes" || test "$ENABLED_SP_DH" = "yes" \ AM_CONDITIONAL([BUILD_SP_C64],[ ( ( (test "$ENABLED_SP_RSA" = "yes" || test "$ENABLED_SP_DH" = "yes" \
|| test "$ENABLED_SP_ECC" = "yes") && test "x$ENABLED_SP_ASM" = "xno") \ || test "$ENABLED_SP_ECC" = "yes") && test "x$ENABLED_SP_ASM" = "xno") \
|| test "x$ENABLED_USERSETTINGS" = "xyes") && test "x$ENABLED_32BIT" != "xyes"]) || test "x$ENABLED_USERSETTINGS" = "xyes") && test "x$ENABLED_32BIT" != "xyes"])
AM_CONDITIONAL([BUILD_SP_ARM64],[test "x$ENABLED_SP_ARM64_ASM" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"]) AM_CONDITIONAL([BUILD_SP_ARM64],[test "x$ENABLED_SP_ARM64_ASM" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])


@ -10,39 +10,39 @@ ca=./certs/wolfssl-website-ca.pem
[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1 [ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
# www.wolfssl.com isn't using RFC 8446 yet but the draft instead. # www.wolfssl.com isn't using RFC 8446 yet but the draft instead.
./examples/client/client -v 3 2>&1 | grep -- 'Bad SSL version' if ! ./examples/client/client -V | grep -q 3; then
if [ $? -ne 0 ]; then echo 'skipping external.test because TLS1.2 is not available.' 1>&2
exit 0
fi
# cloudflare seems to change CAs quickly, disabled by default # cloudflare seems to change CAs quickly, disabled by default
if test -n "$WOLFSSL_EXTERNAL_TEST"; then if test -n "$WOLFSSL_EXTERNAL_TEST"; then
BUILD_FLAGS="$(./examples/client/client '-#')" BUILD_FLAGS="$(./examples/client/client '-#')"
if echo "$BUILD_FLAGS" | fgrep -q -e ' -DWOLFSSL_SNIFFER '; then if echo "$BUILD_FLAGS" | fgrep -q -e ' -DWOLFSSL_SNIFFER '; then
echo 'skipping WOLFSSL_EXTERNAL_TEST because -DWOLFSSL_SNIFFER configuration of build is incompatible.' echo 'skipping WOLFSSL_EXTERNAL_TEST because -DWOLFSSL_SNIFFER configuration of build is incompatible.'
exit 0
fi
if echo "$BUILD_FLAGS" | fgrep -v -q -e ' -DHAVE_ECC '; then
echo 'skipping WOLFSSL_EXTERNAL_TEST because -UHAVE_ECC configuration of build is incompatible.'
exit 0
fi
echo "WOLFSSL_EXTERNAL_TEST set, running test..."
else
echo "WOLFSSL_EXTERNAL_TEST NOT set, won't run"
exit 0 exit 0
fi fi
# is our desired server there? if echo "$BUILD_FLAGS" | fgrep -v -q -e ' -DHAVE_ECC '; then
"${SCRIPT_DIR}"/ping.test $server 2 echo 'skipping WOLFSSL_EXTERNAL_TEST because -UHAVE_ECC configuration of build is incompatible.'
RESULT=$? exit 0
[ $RESULT -ne 0 ] && exit 0 fi
# client test against the server
./examples/client/client -X -C -h $server -p 443 -g -A $ca
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1
echo "WOLFSSL_EXTERNAL_TEST set, running test..."
else
echo "WOLFSSL_EXTERNAL_TEST NOT set, won't run"
exit 0
fi fi
# is our desired server there?
"${SCRIPT_DIR}"/ping.test $server 2
RESULT=$?
[ $RESULT -ne 0 ] && exit 0
# client test against the server
./examples/client/client -X -C -h $server -p 443 -g -A $ca
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1
exit 0 exit 0
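Review bot: The new skip check `if ! ./examples/client/client -V | grep -q 3; then` succeeds on any line of the `-V` output that merely contains the digit 3, not only a line that is exactly `3`; if `-V` ever prints other text containing a 3 (a version string, a count), the skip becomes a no-op and the test runs on a build without TLS 1.2. Anchoring the match to a whole line is safer: `if ! ./examples/client/client -V | grep -qx 3; then`. The same pattern appears in google.test, ocsp-stapling-with-ca-as-responder.test, ocsp-stapling.test, ocsp-stapling2.test and ocsp.test, and in the `grep -q 4` TLS 1.3 checks in google.test and ocsp-stapling.test.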


@ -6,9 +6,8 @@ server=www.google.com
[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1 [ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
./examples/client/client -v 3 2>&1 | grep -- 'Bad SSL version' if ! ./examples/client/client -V | grep -q 3; then
if [ $? -eq 0 ]; then echo 'skipping google.test because TLS1.2 is not available.' 1>&2
echo -e "\n\nClient doesn't support TLS v1.2"
exit 0 exit 0
fi fi
@ -22,8 +21,7 @@ RESULT=$?
RESULT=$? RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1 [ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1
./examples/client/client -v 4 2>&1 | grep -- 'Bad SSL version' if ./examples/client/client -V | grep -q 4; then
if [ $? -ne 0 ]; then
# client test against the server using TLS v1.3 # client test against the server using TLS v1.3
./examples/client/client -v 4 -X -C -h $server -p 443 -g -d ./examples/client/client -v 4 -X -C -h $server -p 443 -g -d
RESULT=$? RESULT=$?


@ -23,10 +23,8 @@ if [[ -z "${RETRIES_REMAINING-}" ]]; then
export RETRIES_REMAINING=2 export RETRIES_REMAINING=2
fi fi
./examples/client/client -v 3 2>&1 | grep -- 'Bad SSL version' if ! ./examples/client/client -V | grep -q 3; then
if [ $? -eq 0 ]; then echo 'skipping ocsp-stapling-with-ca-as-responder.test because TLS1.2 is not available.' 1>&2
echo "TLS 1.2 or lower required"
echo "Skipped"
exit 0 exit 0
fi fi


@ -11,10 +11,8 @@ if [[ -z "${RETRIES_REMAINING-}" ]]; then
export RETRIES_REMAINING=2 export RETRIES_REMAINING=2
fi fi
./examples/client/client -v 3 2>&1 | grep -- 'Bad SSL version' if ! ./examples/client/client -V | grep -q 3; then
if [ $? -eq 0 ]; then echo 'skipping ocsp-stapling.test because TLS1.2 is not available.' 1>&2
echo "TLS 1.2 or lower required"
echo "Skipped"
exit 0 exit 0
fi fi
@ -331,8 +329,7 @@ RESULT=$?
printf '%s\n\n' "Test successfully REVOKED!" printf '%s\n\n' "Test successfully REVOKED!"
./examples/client/client -v 4 2>&1 | grep -- 'Bad SSL version' if ./examples/client/client -V | grep -q 4; then
if [ $? -ne 0 ]; then
printf '%s\n\n' "------------- TEST CASE 3 SHOULD PASS --------------------" printf '%s\n\n' "------------- TEST CASE 3 SHOULD PASS --------------------"
# client test against our own server - GOOD CERT # client test against our own server - GOOD CERT
remove_single_rF "$ready_file2" remove_single_rF "$ready_file2"
@ -376,6 +373,8 @@ if [ $? -ne 0 ]; then
printf '\n\n%s\n' "Client connection 5 succeeded $RESULT" \ printf '\n\n%s\n' "Client connection 5 succeeded $RESULT" \
&& exit 1 && exit 1
printf '%s\n\n' "Test successfully REVOKED!" printf '%s\n\n' "Test successfully REVOKED!"
else
echo 'skipping TLS1.3 stapling tests.' 1>&2
fi fi
# need a unique port since may run the same time as testsuite # need a unique port since may run the same time as testsuite
@ -408,9 +407,9 @@ printf '%s\n\n' "Test PASSED!"
openssl ciphers -tls1_3 openssl ciphers -tls1_3
openssl_tls13=$? openssl_tls13=$?
./examples/client/client -v 4 2>&1 | grep -- 'Bad SSL version' ./examples/client/client -V | grep -q 4
wolfssl_not_tls13=$? wolfssl_tls13=$?
if [ "$openssl_tls13" = "0" -a "$wolfssl_not_tls13" != "0" ]; then if [ "$openssl_tls13" = "0" -a "$wolfssl_tls13" = "0" ]; then
printf '%s\n\n' "------------- TEST CASE 8 SHOULD PASS --------------------" printf '%s\n\n' "------------- TEST CASE 8 SHOULD PASS --------------------"
# client asks for OCSP staple but doesn't fail when none returned # client asks for OCSP staple but doesn't fail when none returned
./examples/client/client -p $port -g -v 4 -W 1 ./examples/client/client -p $port -g -v 4 -W 1
@ -428,6 +427,18 @@ if [ "$openssl_tls13" = "0" -a "$wolfssl_not_tls13" != "0" ]; then
&& printf '\n\n%s\n' "Client connection 9 succeeded $RESULT" \ && printf '\n\n%s\n' "Client connection 9 succeeded $RESULT" \
&& exit 1 && exit 1
printf '%s\n\n' "Test PASSED!" printf '%s\n\n' "Test PASSED!"
else
echo -n 'skipping TLS1.3 stapling interoperability test:' 1>&2
if [ "$openssl_tls13" != "0" ]; then
echo -n ' OpenSSL' 1>&2
fi
if [ "$wolfssl_tls13" != "0" ]; then
if [ "$openssl_tls13" != "0" ]; then
echo -n ' and' 1>&2
fi
echo -n ' wolfSSL' 1>&2
fi
echo -n ' missing TLS1.3 support.' 1>&2
fi fi
printf '%s\n\n' "------------------- TESTS COMPLETE ---------------------------" printf '%s\n\n' "------------------- TESTS COMPLETE ---------------------------"
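Review bot: The last line of the new else branch, `echo -n ' missing TLS1.3 support.' 1>&2`, leaves stderr without a trailing newline, so when stdout and stderr share a terminal or log file the following "TESTS COMPLETE" banner is printed on the same line as the skip message. Only the intermediate fragments need `-n`; the final one should be `echo ' missing TLS1.3 support.' 1>&2`. The enclosing `if [ "$openssl_tls13" = "0" -a "$wolfssl_tls13" = "0" ]` opens in the previous hunk, outside this one.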


@ -24,10 +24,8 @@ if [[ -z "${RETRIES_REMAINING-}" ]]; then
export RETRIES_REMAINING=2 export RETRIES_REMAINING=2
fi fi
./examples/client/client -v 3 2>&1 | grep -- 'Bad SSL version' if ! ./examples/client/client -V | grep -q 3; then
if [ $? -eq 0 ]; then echo 'skipping ocsp-stapling2.test because TLS1.2 is not available.' 1>&2
echo "TLS 1.2 or lower required"
echo "Skipped"
exit 0 exit 0
fi fi


@ -12,10 +12,8 @@ ca=certs/external/ca-globalsign-root.pem
[ ! -x ./examples/client/client ] && printf '\n\n%s\n' "Client doesn't exist" \ [ ! -x ./examples/client/client ] && printf '\n\n%s\n' "Client doesn't exist" \
&& exit 1 && exit 1
./examples/client/client -v 3 2>&1 | grep -- 'Bad SSL version' if ! ./examples/client/client -V | grep -q 3; then
if [ $? -eq 0 ]; then echo 'skipping ocsp.test because TLS1.2 is not available.' 1>&2
echo "TLS 1.2 or lower required"
echo "Skipped"
exit 0 exit 0
fi fi


@ -317,8 +317,12 @@ int EmbedSend(WOLFSSL* ssl, char *buf, int sz, void *ctx)
#include <wolfssl/wolfcrypt/sha.h> #include <wolfssl/wolfcrypt/sha.h>
#define SENDTO_FUNCTION sendto #ifndef DTLS_SENDTO_FUNCTION
#define RECVFROM_FUNCTION recvfrom #define DTLS_SENDTO_FUNCTION sendto
#endif
#ifndef DTLS_RECVFROM_FUNCTION
#define DTLS_RECVFROM_FUNCTION recvfrom
#endif
static int sockAddrEqual( static int sockAddrEqual(
SOCKADDR_S *a, XSOCKLENT aLen, SOCKADDR_S *b, XSOCKLENT bLen) SOCKADDR_S *a, XSOCKLENT aLen, SOCKADDR_S *b, XSOCKLENT bLen)
@ -413,7 +417,9 @@ int EmbedReceiveFrom(WOLFSSL *ssl, char *buf, int sz, void *ctx)
} }
#endif /* !NO_ASN_TIME */ #endif /* !NO_ASN_TIME */
recvd = (int)RECVFROM_FUNCTION(sd, buf, sz, ssl->rflags, XMEMSET(&peer, 0, sizeof(peer));
recvd = (int)DTLS_RECVFROM_FUNCTION(sd, buf, sz, ssl->rflags,
(SOCKADDR*)&peer, &peerSz); (SOCKADDR*)&peer, &peerSz);
recvd = TranslateReturnCode(recvd, sd); recvd = TranslateReturnCode(recvd, sd);
@ -455,7 +461,7 @@ int EmbedSendTo(WOLFSSL* ssl, char *buf, int sz, void *ctx)
WOLFSSL_ENTER("EmbedSendTo()"); WOLFSSL_ENTER("EmbedSendTo()");
sent = (int)SENDTO_FUNCTION(sd, buf, sz, ssl->wflags, sent = (int)DTLS_SENDTO_FUNCTION(sd, buf, sz, ssl->wflags,
(const SOCKADDR*)dtlsCtx->peer.sa, (const SOCKADDR*)dtlsCtx->peer.sa,
dtlsCtx->peer.sz); dtlsCtx->peer.sz);
@ -483,7 +489,7 @@ int EmbedReceiveFromMcast(WOLFSSL *ssl, char *buf, int sz, void *ctx)
WOLFSSL_ENTER("EmbedReceiveFromMcast()"); WOLFSSL_ENTER("EmbedReceiveFromMcast()");
recvd = (int)RECVFROM_FUNCTION(sd, buf, sz, ssl->rflags, NULL, NULL); recvd = (int)DTLS_RECVFROM_FUNCTION(sd, buf, sz, ssl->rflags, NULL, NULL);
recvd = TranslateReturnCode(recvd, sd); recvd = TranslateReturnCode(recvd, sd);
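Review bot: The new override hooks `DTLS_SENDTO_FUNCTION` and `DTLS_RECVFROM_FUNCTION` in the first hunk are introduced without any comment stating what a replacement must look like, even though the three call sites pass the full sendto(2)/recvfrom(2) argument lists and feed the return value to TranslateReturnCode. A comment above each `#ifndef` along the lines of `/* Override to substitute a sendto(2)-compatible function: same arguments, returns bytes sent or -1 with errno set. */` (and the recvfrom(2) equivalent, which must also fill in the peer address and length) would tell a porter what contract the macro has to honour. The `XMEMSET(&peer, 0, sizeof(peer))` added before the recvfrom call is a good addition; the surrounding EmbedReceiveFrom, EmbedSendTo and EmbedReceiveFromMcast bodies extend outside these hunks.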


@ -30407,52 +30407,74 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
#ifndef WOLFSSL_NO_OCSP_OPTIONAL_CERTS #ifndef WOLFSSL_NO_OCSP_OPTIONAL_CERTS
if (idx < end_index) if (idx < end_index)
{ {
DecodedCert cert; int cert_inited = 0;
#ifdef WOLFSSL_SMALL_STACK
if (DecodeCerts(source, &idx, resp, size) < 0) DecodedCert *cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL,
return ASN_PARSE_E; DYNAMIC_TYPE_TMP_BUFFER);
if (cert == NULL)
InitDecodedCert(&cert, resp->cert, resp->certSz, heap); return MEMORY_E;
#else
/* Don't verify if we don't have access to Cert Manager. */ DecodedCert cert[1];
ret = ParseCertRelative(&cert, CERT_TYPE,
noVerify ? NO_VERIFY : VERIFY_OCSP_CERT, cm);
if (ret < 0) {
WOLFSSL_MSG("\tOCSP Responder certificate parsing failed");
FreeDecodedCert(&cert);
return ret;
}
#ifndef WOLFSSL_NO_OCSP_ISSUER_CHECK
if ((cert.extExtKeyUsage & EXTKEYUSE_OCSP_SIGN) == 0) {
if (XMEMCMP(cert.subjectHash,
resp->single->issuerHash, OCSP_DIGEST_SIZE) == 0) {
WOLFSSL_MSG("\tOCSP Response signed by issuer");
}
else {
WOLFSSL_MSG("\tOCSP Responder key usage check failed");
#ifdef OPENSSL_EXTRA
resp->verifyError = OCSP_BAD_ISSUER;
#else
FreeDecodedCert(&cert);
return BAD_OCSP_RESPONDER;
#endif
}
}
#endif #endif
/* ConfirmSignature is blocking here */ do {
ret = ConfirmSignature(&cert.sigCtx, if (DecodeCerts(source, &idx, resp, size) < 0) {
resp->response, resp->responseSz, ret = ASN_PARSE_E;
cert.publicKey, cert.pubKeySize, cert.keyOID, break;
resp->sig, resp->sigSz, resp->sigOID, NULL); }
FreeDecodedCert(&cert); InitDecodedCert(cert, resp->cert, resp->certSz, heap);
cert_inited = 1;
if (ret != 0) { /* Don't verify if we don't have access to Cert Manager. */
WOLFSSL_MSG("\tOCSP Confirm signature failed"); ret = ParseCertRelative(cert, CERT_TYPE,
return ASN_OCSP_CONFIRM_E; noVerify ? NO_VERIFY : VERIFY_OCSP_CERT,
} cm);
if (ret < 0) {
WOLFSSL_MSG("\tOCSP Responder certificate parsing failed");
break;
}
#ifndef WOLFSSL_NO_OCSP_ISSUER_CHECK
if ((cert->extExtKeyUsage & EXTKEYUSE_OCSP_SIGN) == 0) {
if (XMEMCMP(cert->subjectHash,
resp->single->issuerHash, OCSP_DIGEST_SIZE) == 0) {
WOLFSSL_MSG("\tOCSP Response signed by issuer");
}
else {
WOLFSSL_MSG("\tOCSP Responder key usage check failed");
#ifdef OPENSSL_EXTRA
resp->verifyError = OCSP_BAD_ISSUER;
#else
ret = BAD_OCSP_RESPONDER;
break;
#endif
}
}
#endif
/* ConfirmSignature is blocking here */
ret = ConfirmSignature(
&cert->sigCtx,
resp->response, resp->responseSz,
cert->publicKey, cert->pubKeySize, cert->keyOID,
resp->sig, resp->sigSz, resp->sigOID, NULL);
if (ret != 0) {
WOLFSSL_MSG("\tOCSP Confirm signature failed");
ret = ASN_OCSP_CONFIRM_E;
break;
}
} while(0);
if (cert_inited)
FreeDecodedCert(cert);
#ifdef WOLFSSL_SMALL_STACK
XFREE(cert, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif
if (ret != 0)
return ret;
} }
else else
#endif /* WOLFSSL_NO_OCSP_OPTIONAL_CERTS */ #endif /* WOLFSSL_NO_OCSP_OPTIONAL_CERTS */
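Review bot: Under WOLFSSL_SMALL_STACK the new temporary is allocated with `XMALLOC(sizeof(DecodedCert), NULL, DYNAMIC_TYPE_TMP_BUFFER)` and released with `XFREE(cert, NULL, DYNAMIC_TYPE_TMP_BUFFER)`, while the same block passes `heap` to InitDecodedCert; if `heap` is the caller's heap hint, the allocation should use it too, `XMALLOC(sizeof(DecodedCert), heap, DYNAMIC_TYPE_TMP_BUFFER)` and `XFREE(cert, heap, DYNAMIC_TYPE_TMP_BUFFER)`, so custom allocators see a consistent hint. A one-line comment on `int cert_inited = 0;` would also help, e.g. `/* set once InitDecodedCert ran; FreeDecodedCert must not see an uninitialised cert */`. The enclosing DecodeBasicOcspResponse starts above this hunk.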