Added test cases for ensuring forced error fails on client and server. Added test cases to ensure bad certificate can be overriden.

2025-08-01 03:34:39 +02:00 · 2018-08-29 10:55:12 -07:00
parent 944342b386
commit 3d0d10345a
5 changed files with 65 additions and 6 deletions
--- a/examples/client/client.c
+++ b/examples/client/client.c
@@ -887,7 +887,7 @@ static void Usage(void)
 #ifdef HAVE_WNR
    printf("-q <file>   Whitewood config file,      default %s\n", wnrConfig);
 #endif
-    printf("-H <arg>    Internal tests [defCipherList, exitWithRet]\n");
+    printf("-H <arg>    Internal tests [defCipherList, exitWithRet, verifyFail]\n");
 #ifdef WOLFSSL_TLS13
    printf("-J          Use HelloRetryRequest to choose group for KE\n");
    printf("-K          Key Exchange for PSK not using (EC)DHE\n");
@@ -1211,10 +1211,14 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
                    printf("Using default cipher list for testing\n");
                    useDefCipherList = 1;
                }
-                else if (XSTRNCMP(myoptarg, "exitWithRet", 7) == 0) {
+                else if (XSTRNCMP(myoptarg, "exitWithRet", 11) == 0) {
                    printf("Skip exit() for testing\n");
                    exitWithRet = 1;
                }
+                else if (XSTRNCMP(myoptarg, "verifyFail", 10) == 0) {
+                    printf("Verify should fail\n");
+                    myVerifyFail = 1;
+                }
                else {
                    Usage();
                    XEXIT_T(MY_EX_USAGE);
@@ -1821,9 +1825,9 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
    #endif
    }

-    if (!usePsk && !useAnon && !useVerifyCb) {
+    if (!usePsk && !useAnon && (!useVerifyCb || myVerifyFail)) {
    #if !defined(NO_FILESYSTEM)
-        if (wolfSSL_CTX_load_verify_locations(ctx, verifyCert,0)
+        if (wolfSSL_CTX_load_verify_locations(ctx, verifyCert, 0)
                                                           != WOLFSSL_SUCCESS) {
            wolfSSL_CTX_free(ctx); ctx = NULL;
            err_sys("can't load ca file, Please run from wolfSSL home dir");
--- a/examples/server/server.c
+++ b/examples/server/server.c
@@ -416,7 +416,7 @@ static void Usage(void)
 #endif
    printf("-g          Return basic HTML web page\n");
    printf("-C <num>    The number of connections to accept, default: 1\n");
-    printf("-H <arg>    Internal tests [defCipherList, exitWithRet]\n");
+    printf("-H <arg>    Internal tests [defCipherList, exitWithRet, verifyFail]\n");
 #ifdef WOLFSSL_TLS13
    printf("-U          Update keys and IVs before sending\n");
    printf("-K          Key Exchange for PSK not using (EC)DHE\n");
@@ -714,10 +714,14 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
                    printf("Using default cipher list for testing\n");
                    useDefCipherList = 1;
                }
-                else if (XSTRNCMP(myoptarg, "exitWithRet", 7) == 0) {
+                else if (XSTRNCMP(myoptarg, "exitWithRet", 11) == 0) {
                    printf("Skip exit() for testing\n");
                    exitWithRet = 1;
                }
+                else if (XSTRNCMP(myoptarg, "verifyFail", 10) == 0) {
+                    printf("Verify should fail\n");
+                    myVerifyFail = 1;
+                }
                else {
                    Usage();
                    XEXIT_T(MY_EX_USAGE);
--- a/tests/test-fails.conf
+++ b/tests/test-fails.conf
@@ -107,3 +107,39 @@
 -A ./certs/test/server-garbage.pem
 -m

+# Verify Callback Failure Tests
+# server
+-v 3
+-l ECDHE-RSA-AES128-GCM-SHA256
+
+# client verify should fail
+-v 3
+-l ECDHE-RSA-AES128-GCM-SHA256
+-H verifyFail
+
+# server verify should fail
+-v 3
+-l ECDHE-RSA-AES128-GCM-SHA256
+-H verifyFail
+
+# client
+-v 3
+-l ECDHE-RSA-AES128-GCM-SHA256
+
+# server
+-v 3
+-l ECDHE-ECDSA-AES128-GCM-SHA256
+
+# client verify should fail
+-v 3
+-l ECDHE-ECDSA-AES128-GCM-SHA256
+-H verifyFail
+
+# server verify should fail
+-v 3
+-l ECDHE-ECDSA-AES128-GCM-SHA256
+-H verifyFail
+
+# client
+-v 3
+-l ECDHE-ECDSA-AES128-GCM-SHA256
--- a/tests/test.conf
+++ b/tests/test.conf
@@ -2202,12 +2202,23 @@
 # server TLSv1.2 verify callback override
 -v 3
 -l ECDHE-RSA-AES128-SHA256
+-c ./certs/test/server-cert-rsa-badsig.pem

 # client TLSv1.2 verify callback override
 -v 3
 -l ECDHE-RSA-AES128-SHA256
 -j

+# server TLSv1.2 verify callback override
+-v 3
+-l ECDHE-ECDSA-AES128-SHA256
+-c ./certs/test/server-cert-ecc-badsig.pem
+
+# client TLSv1.2 verify callback override
+-v 3
+-l ECDHE-ECDSA-AES128-SHA256
+-j
+
 # server TLSv1.2 ECDHE-EDCSA-CHACHA20-POLY1305
 -v 3
 -l ECDHE-ECDSA-CHACHA20-POLY1305
--- a/wolfssl/test.h
+++ b/wolfssl/test.h
@@ -1452,6 +1452,7 @@ static WC_INLINE void OCSPRespFreeCb(void* ioCtx, unsigned char* response)
    #endif /* !NO_FILESYSTEM || (NO_FILESYSTEM && FORCE_BUFFER_TEST) */
 #endif /* !NO_CERTS */

+static int myVerifyFail = 0;
 static WC_INLINE int myVerify(int preverify, WOLFSSL_X509_STORE_CTX* store)
 {
    char buffer[WOLFSSL_MAX_ERROR_SZ];
@@ -1505,6 +1506,9 @@ static WC_INLINE int myVerify(int preverify, WOLFSSL_X509_STORE_CTX* store)
    printf("\tAllowing to continue anyway (shouldn't do this)\n");

    /* A non-zero return code indicates failure override */
+    if (myVerifyFail)
+        return 0; /* test failure case */
+
    return 1;
 }