1. Remove dead assignment from client test.

2. Fix memory leak in example server test.
3. Use verify callback on certificates to allow callback to fail
   them.
4. Restore the forced failure test cases.
5. Make the verify action thread local.
John Safranek
2020-07-23 12:26:49 -07:00
parent 98ae3a2352
commit 839044d9e1
5 changed files with 9 additions and 12 deletions


@ -593,7 +593,6 @@ static int ClientBenchmarkThroughput(WOLFSSL_CTX* ctx, char* host, word16 port,
printf("SSL_write bench error %d!\n", err);
if (!exitWithRet)
err_sys("SSL_write failed");
ret = err;
goto doExit;
}
tx_time += current_time(0) - start;


@ -381,8 +381,10 @@ int ServerEchoData(SSL* ssl, int clientfd, int echoData, int block,
err_sys_ex(runWithErrors, "SSL_read failed");
break;
}
if (err == WOLFSSL_ERROR_ZERO_RETURN)
if (err == WOLFSSL_ERROR_ZERO_RETURN) {
free(buffer);
return WOLFSSL_ERROR_ZERO_RETURN;
}
}
else {
rx_pos += ret;
@ -1813,7 +1815,8 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
SSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER |
(usePskPlus ? WOLFSSL_VERIFY_FAIL_EXCEPT_PSK :
WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT),
myVerifyAction == VERIFY_OVERRIDE_DATE_ERR ? myVerify : NULL);
(myVerifyAction == VERIFY_OVERRIDE_DATE_ERR ||
myVerifyAction == VERIFY_FORCE_FAIL) ? myVerify : NULL);
#ifdef TEST_BEFORE_DATE
verify_flags |= WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY;
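Review bot: The new early return under `if (err == WOLFSSL_ERROR_ZERO_RETURN)` frees `buffer` by hand, so ServerEchoData now has a cleanup site inside the read loop that has to be kept in step with whatever the function does at its normal exit. The rest of the body is outside the hunk, so it is not visible whether the `break` after `SSL_read failed` reaches a matching `free(buffer)`; if it does, recording the result and leaving through that one path would keep the release in a single place. At minimum, a comment on the new branch such as `/* peer closed the connection: release buffer before the early return */` would tell the next editor why this exit carries its own free.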


@ -10007,6 +10007,8 @@ int DoVerifyCallback(WOLFSSL_CERT_MANAGER* cm, WOLFSSL* ssl, int ret,
/* Determine if verify was okay */
if (ret == 0) {
verify_ok = 1;
use_cb = 1; /* use verify callback on success, in case callback
* could force fail a cert */
}
/* Determine if verify callback should be used */
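Review bot: Setting `use_cb = 1` whenever `ret == 0` means an installed verify callback is now consulted for certificates that already passed verification, so its return value becomes the final decision for good certificates as well as bad ones. The added comment should state that contract, for example `/* callback also runs on success: it must return 1 to keep the cert, 0 rejects it */`, assuming the usual convention that 1 accepts and 0 rejects. A callback written only as an error handler that ignores its preverify argument would otherwise start rejecting valid peers without any hint in the code as to why. The comment in the last file section (`The verify callback is called for every certificate only when --enable-opensslextra ...`) appears to describe the old behaviour and may need the same update. The block under `/* Determine if verify callback should be used */` continues outside the hunk, so whether its conditions are now partly redundant cannot be checked from here.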


@ -114,7 +114,6 @@
# server
-v 3
-l ECDHE-RSA-AES128-GCM-SHA256
-H verifyFail
# client verify should fail
-v 3
@ -129,12 +128,10 @@
# client
-v 3
-l ECDHE-RSA-AES128-GCM-SHA256
-H verifyFail
# server
-v 3
-l ECDHE-ECDSA-AES128-GCM-SHA256
-H verifyFail
# client verify should fail
-v 3
@ -149,7 +146,6 @@
# client
-v 3
-l ECDHE-ECDSA-AES128-GCM-SHA256
-H verifyFail
# error going into callback, return error
# server
@ -157,7 +153,6 @@
-l ECDHE-RSA-AES128-GCM-SHA256
-c ./certs/test/server-cert-rsa-badsig.pem
-k ./certs/server-key.pem
-H verifyFail
# client verify should fail
-v 3
@ -169,7 +164,6 @@
-l ECDHE-ECDSA-AES128-GCM-SHA256
-c ./certs/test/server-cert-ecc-badsig.pem
-k ./certs/ecc-key.pem
-H verifyFail
# client verify should fail
-v 3
@ -179,12 +173,10 @@
# server send alert on no mutual authentication
-v 3
-F
-H verifyFail
# client send alert on no mutual authentication
-v 3
-x
-H verifyFail
# server TLSv1.3 fail on no client certificate
# server always sets WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT unless using -d
@ -195,3 +187,4 @@
-v 4
-l TLS13-AES128-GCM-SHA256
-x


@ -1684,7 +1684,7 @@ enum {
VERIFY_USE_PREVERFIY,
VERIFY_OVERRIDE_DATE_ERR,
};
static int myVerifyAction = VERIFY_OVERRIDE_ERROR;
static THREAD_LS_T int myVerifyAction = VERIFY_OVERRIDE_ERROR;
/* The verify callback is called for every certificate only when
* --enable-opensslextra is defined because it sets WOLFSSL_ALWAYS_VERIFY_CB and