From 3d0d10345a615f6a6d941de79b7f5e00074a3eba Mon Sep 17 00:00:00 2001 From: David Garske Date: Wed, 29 Aug 2018 10:55:12 -0700 Subject: [PATCH] Added test cases for ensuring forced error fails on client and server. Added test cases to ensure bad certificate can be overriden. --- examples/client/client.c | 12 ++++++++---- examples/server/server.c | 8 ++++++-- tests/test-fails.conf | 36 ++++++++++++++++++++++++++++++++++++ tests/test.conf | 11 +++++++++++ wolfssl/test.h | 4 ++++ 5 files changed, 65 insertions(+), 6 deletions(-) diff --git a/examples/client/client.c b/examples/client/client.c index 4635e49d6..40dae0d3b 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -887,7 +887,7 @@ static void Usage(void) #ifdef HAVE_WNR printf("-q Whitewood config file, default %s\n", wnrConfig); #endif - printf("-H Internal tests [defCipherList, exitWithRet]\n"); + printf("-H Internal tests [defCipherList, exitWithRet, verifyFail]\n"); #ifdef WOLFSSL_TLS13 printf("-J Use HelloRetryRequest to choose group for KE\n"); printf("-K Key Exchange for PSK not using (EC)DHE\n"); @@ -1211,10 +1211,14 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) printf("Using default cipher list for testing\n"); useDefCipherList = 1; } - else if (XSTRNCMP(myoptarg, "exitWithRet", 7) == 0) { + else if (XSTRNCMP(myoptarg, "exitWithRet", 11) == 0) { printf("Skip exit() for testing\n"); exitWithRet = 1; } + else if (XSTRNCMP(myoptarg, "verifyFail", 10) == 0) { + printf("Verify should fail\n"); + myVerifyFail = 1; + } else { Usage(); XEXIT_T(MY_EX_USAGE); @@ -1821,9 +1825,9 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #endif } - if (!usePsk && !useAnon && !useVerifyCb) { + if (!usePsk && !useAnon && (!useVerifyCb || myVerifyFail)) { #if !defined(NO_FILESYSTEM) - if (wolfSSL_CTX_load_verify_locations(ctx, verifyCert,0) + if (wolfSSL_CTX_load_verify_locations(ctx, verifyCert, 0) != WOLFSSL_SUCCESS) { wolfSSL_CTX_free(ctx); ctx = NULL; err_sys("can't load ca file, Please run from wolfSSL home dir"); diff --git a/examples/server/server.c b/examples/server/server.c index 3574dc3e5..46a54986b 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -416,7 +416,7 @@ static void Usage(void) #endif printf("-g Return basic HTML web page\n"); printf("-C The number of connections to accept, default: 1\n"); - printf("-H Internal tests [defCipherList, exitWithRet]\n"); + printf("-H Internal tests [defCipherList, exitWithRet, verifyFail]\n"); #ifdef WOLFSSL_TLS13 printf("-U Update keys and IVs before sending\n"); printf("-K Key Exchange for PSK not using (EC)DHE\n"); @@ -714,10 +714,14 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) printf("Using default cipher list for testing\n"); useDefCipherList = 1; } - else if (XSTRNCMP(myoptarg, "exitWithRet", 7) == 0) { + else if (XSTRNCMP(myoptarg, "exitWithRet", 11) == 0) { printf("Skip exit() for testing\n"); exitWithRet = 1; } + else if (XSTRNCMP(myoptarg, "verifyFail", 10) == 0) { + printf("Verify should fail\n"); + myVerifyFail = 1; + } else { Usage(); XEXIT_T(MY_EX_USAGE); diff --git a/tests/test-fails.conf b/tests/test-fails.conf index e41fcd35e..953eaa738 100644 --- a/tests/test-fails.conf +++ b/tests/test-fails.conf @@ -107,3 +107,39 @@ -A ./certs/test/server-garbage.pem -m +# Verify Callback Failure Tests +# server +-v 3 +-l ECDHE-RSA-AES128-GCM-SHA256 + +# client verify should fail +-v 3 +-l ECDHE-RSA-AES128-GCM-SHA256 +-H verifyFail + +# server verify should fail +-v 3 +-l ECDHE-RSA-AES128-GCM-SHA256 +-H verifyFail + +# client +-v 3 +-l ECDHE-RSA-AES128-GCM-SHA256 + +# server +-v 3 +-l ECDHE-ECDSA-AES128-GCM-SHA256 + +# client verify should fail +-v 3 +-l ECDHE-ECDSA-AES128-GCM-SHA256 +-H verifyFail + +# server verify should fail +-v 3 +-l ECDHE-ECDSA-AES128-GCM-SHA256 +-H verifyFail + +# client +-v 3 +-l ECDHE-ECDSA-AES128-GCM-SHA256 diff --git a/tests/test.conf b/tests/test.conf index b1b8fe9fb..6a3505cf7 100644 --- a/tests/test.conf +++ b/tests/test.conf @@ -2202,12 +2202,23 @@ # server TLSv1.2 verify callback override -v 3 -l ECDHE-RSA-AES128-SHA256 +-c ./certs/test/server-cert-rsa-badsig.pem # client TLSv1.2 verify callback override -v 3 -l ECDHE-RSA-AES128-SHA256 -j +# server TLSv1.2 verify callback override +-v 3 +-l ECDHE-ECDSA-AES128-SHA256 +-c ./certs/test/server-cert-ecc-badsig.pem + +# client TLSv1.2 verify callback override +-v 3 +-l ECDHE-ECDSA-AES128-SHA256 +-j + # server TLSv1.2 ECDHE-EDCSA-CHACHA20-POLY1305 -v 3 -l ECDHE-ECDSA-CHACHA20-POLY1305 diff --git a/wolfssl/test.h b/wolfssl/test.h index dc24fb2a6..004c10800 100644 --- a/wolfssl/test.h +++ b/wolfssl/test.h @@ -1452,6 +1452,7 @@ static WC_INLINE void OCSPRespFreeCb(void* ioCtx, unsigned char* response) #endif /* !NO_FILESYSTEM || (NO_FILESYSTEM && FORCE_BUFFER_TEST) */ #endif /* !NO_CERTS */ +static int myVerifyFail = 0; static WC_INLINE int myVerify(int preverify, WOLFSSL_X509_STORE_CTX* store) { char buffer[WOLFSSL_MAX_ERROR_SZ]; @@ -1505,6 +1506,9 @@ static WC_INLINE int myVerify(int preverify, WOLFSSL_X509_STORE_CTX* store) printf("\tAllowing to continue anyway (shouldn't do this)\n"); /* A non-zero return code indicates failure override */ + if (myVerifyFail) + return 0; /* test failure case */ + return 1; }