Make test scripts work in sandboxed/restricted environments

multi-msg-record.py: auto-detect the CA cert format the wolfSSL client
build accepts (PEM or DER) from the default shown in client -? help.
OPENSSL_EXTRA-style builds need PEM; NO_CODING builds need DER.

ocsp-stapling.test: skip the external login.live.com connection unless
WOLFSSL_EXTERNAL_TEST is explicitly enabled (matches external.test /
google.test convention). Local OCSP tests still run.

ocsp-responder-openssl-interop.test: use ${TMPDIR:-/tmp} for mktemp
templates so the test works when /tmp is not writable.
Juliusz Sosinowicz
2026-05-13 14:50:47 +02:00
parent 7cc972d5c7
commit d2f45f614f
3 changed files with 30 additions and 17 deletions
+17 -6
@@ -44,6 +44,10 @@ WOLFSSL_DIR = os.path.dirname(SCRIPT_DIR)
WOLF_CLIENT = os.path.join(WOLFSSL_DIR, "examples", "client", "client")
CERT_DIR = os.path.join(WOLFSSL_DIR, "certs")
# CA cert path passed to the wolfSSL client via -A. Set in main() after
# detect_wolf_features() determines whether the build accepts PEM or DER.
WOLF_CA_CERT = os.path.join(CERT_DIR, "ca-cert.pem")
# ---------------------------------------------------------------------------
# Bypass a strict tlslite-ng validation that rejects wolfSSL's ClientHello
# when the client advertises FFDHE groups in a TLS-1.3-only hello.
@@ -106,10 +110,11 @@ def detect_wolf_features():
compiled in. Used to decide which test phases to run.
Returns dict with keys: tls12 (bool), tls13 (bool),
secure_reneg (bool), ciphers (set[str]).
secure_reneg (bool), ciphers (set[str]), ca_cert (str).
"""
feats = {"tls12": False, "tls13": False, "secure_reneg": False,
"ciphers": set()}
"ciphers": set(),
"ca_cert": os.path.join(CERT_DIR, "ca-cert.pem")}
# ./client -V -> e.g. "3:4:d(downgrade):e(either):"
try:
@@ -122,12 +127,16 @@ def detect_wolf_features():
pass
# ./client -? -> help text includes "-R" only when
# HAVE_SECURE_RENEGOTIATION is defined.
# HAVE_SECURE_RENEGOTIATION is defined. The default -A path
# ("ca-cert.pem" vs "ca-cert.der") also tells us which CA file
# format the build can load.
try:
r = subprocess.run([WOLF_CLIENT, "-?"],
capture_output=True, timeout=5)
htxt = r.stdout.decode("utf-8", errors="replace")
feats["secure_reneg"] = ("Allow Secure Renegotiation" in htxt)
if "ca-cert.der" in htxt and "ca-cert.pem" not in htxt:
feats["ca_cert"] = os.path.join(CERT_DIR, "ca-cert.der")
except Exception:
pass
@@ -188,11 +197,11 @@ def _listen_socket():
def _run_wolf_client(port, version, cipher, extra=()):
"""Invoke the wolfSSL example client against 127.0.0.1:port.
Uses the DER-encoded CA cert so the test works with wolfSSL builds
configured with NO_CODING (base64 decode disabled, no PEM support).
WOLF_CA_CERT is PEM or DER depending on the build (NO_CODING /
OPENSSL_EXTRA builds don't both support PEM).
"""
cmd = [WOLF_CLIENT, "-h", "127.0.0.1", "-p", str(port),
"-v", version, "-A", os.path.join(CERT_DIR, "ca-cert.der"),
"-v", version, "-A", WOLF_CA_CERT,
"-g", *extra]
if cipher:
cmd.extend(["-l", cipher])
@@ -522,6 +531,8 @@ def main():
# Probe the client to see which features are compiled in so each
# phase of the test is only run when it can succeed.
feats = detect_wolf_features()
global WOLF_CA_CERT
WOLF_CA_CERT = feats["ca_cert"]
# Load certificate / key pairs
rsa_chain = _load_chain(os.path.join(CERT_DIR, "server-cert.pem"))
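Review bot: The format probe `if "ca-cert.der" in htxt and "ca-cert.pem" not in htxt` decides on the whole `-?` output, so a build whose help text mentions both file names anywhere, or one where the probe raises and lands in `except Exception: pass`, silently keeps the PEM default; on a NO_CODING build every phase then fails on a CA-load error far from the real cause. The comment above it already says the `-A` default is what matters, so scanning only that option's help line is more robust, e.g. `a_help = next((l for l in htxt.splitlines() if l.lstrip().startswith("-A")), htxt)` followed by `if "ca-cert.der" in a_help:`, and printing the chosen `WOLF_CA_CERT` once in `main()` makes a wrong guess visible in the test output instead of a mystery failure. The new docstring sentence `NO_CODING / OPENSSL_EXTRA builds don't both support PEM` is hard to parse; `WOLF_CA_CERT is PEM or DER depending on the build: NO_CODING builds cannot load PEM, OPENSSL_EXTRA builds expect PEM.` states what the commit message says. Both `detect_wolf_features()` and `main()` extend past their hunks.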
+10 -10
@@ -219,9 +219,9 @@ port4=$(get_first_free_port $((port3 + 1))) # OCSP responder: root-ca
port5=$(get_first_free_port $((port4 + 1))) # TLS server
# Responder 1: intermediate1-ca (server1=valid, server2=revoked)
log1=$(mktemp /tmp/ocsp_resp1.XXXXXX)
log1=$(mktemp "${TMPDIR:-/tmp}/ocsp_resp1.XXXXXX")
resp_logs="$resp_logs $log1"
ready1=$(mktemp /tmp/ocsp_ready1.XXXXXX)
ready1=$(mktemp "${TMPDIR:-/tmp}/ocsp_ready1.XXXXXX")
ready_files="$ready_files $ready1"
$OCSP_RESPONDER -p $port1 -v -R "$ready1" \
-c $OCSP_DIR/intermediate1-ca-cert.pem \
@@ -232,9 +232,9 @@ pid1=$!
resp_pids="$resp_pids $pid1"
# Responder 2: intermediate2-ca (server3=valid, server4=revoked)
log2=$(mktemp /tmp/ocsp_resp2.XXXXXX)
log2=$(mktemp "${TMPDIR:-/tmp}/ocsp_resp2.XXXXXX")
resp_logs="$resp_logs $log2"
ready2=$(mktemp /tmp/ocsp_ready2.XXXXXX)
ready2=$(mktemp "${TMPDIR:-/tmp}/ocsp_ready2.XXXXXX")
ready_files="$ready_files $ready2"
$OCSP_RESPONDER -p $port2 -v -R "$ready2" \
-c $OCSP_DIR/intermediate2-ca-cert.pem \
@@ -245,9 +245,9 @@ pid2=$!
resp_pids="$resp_pids $pid2"
# Responder 3: intermediate3-ca (server5=valid)
log3=$(mktemp /tmp/ocsp_resp3.XXXXXX)
log3=$(mktemp "${TMPDIR:-/tmp}/ocsp_resp3.XXXXXX")
resp_logs="$resp_logs $log3"
ready3=$(mktemp /tmp/ocsp_ready3.XXXXXX)
ready3=$(mktemp "${TMPDIR:-/tmp}/ocsp_ready3.XXXXXX")
ready_files="$ready_files $ready3"
$OCSP_RESPONDER -p $port3 -v -R "$ready3" \
-c $OCSP_DIR/intermediate3-ca-cert.pem \
@@ -258,9 +258,9 @@ pid3=$!
resp_pids="$resp_pids $pid3"
# Responder 4: root-ca (intermediate CAs: 1=valid, 2=valid, 3=revoked)
log4=$(mktemp /tmp/ocsp_resp4.XXXXXX)
log4=$(mktemp "${TMPDIR:-/tmp}/ocsp_resp4.XXXXXX")
resp_logs="$resp_logs $log4"
ready4=$(mktemp /tmp/ocsp_ready4.XXXXXX)
ready4=$(mktemp "${TMPDIR:-/tmp}/ocsp_ready4.XXXXXX")
ready_files="$ready_files $ready4"
$OCSP_RESPONDER -p $port4 -v -R "$ready4" \
-c $OCSP_DIR/root-ca-cert.pem \
@@ -271,9 +271,9 @@ pid4=$!
resp_pids="$resp_pids $pid4"
# Responder 5: authorized responder (delegated OCSP signer with id-kp-OCSPSigning)
log5=$(mktemp /tmp/ocsp_resp5.XXXXXX)
log5=$(mktemp "${TMPDIR:-/tmp}/ocsp_resp5.XXXXXX")
resp_logs="$resp_logs $log5"
ready5=$(mktemp /tmp/ocsp_ready5.XXXXXX)
ready5=$(mktemp "${TMPDIR:-/tmp}/ocsp_ready5.XXXXXX")
ready_files="$ready_files $ready5"
$OCSP_RESPONDER -p $port5 -v -R "$ready5" \
-c $OCSP_DIR/root-ca-cert.pem \
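Review bot: The `mktemp` results in all five responder blocks are still used unchecked, so when `${TMPDIR:-/tmp}` is itself not writable (the very case this commit is about when `/tmp` is not) `$log1`/`$ready1` expand to empty strings and the responder is launched with `-R ""`, unless the script runs under `set -e`, which is not visible in the hunk. A guard on each call, e.g. `ready1=$(mktemp "${TMPDIR:-/tmp}/ocsp_ready1.XXXXXX") || { echo "mktemp failed in ${TMPDIR:-/tmp}"; exit 1; }`, fails fast with a useful message. Separately, `resp_logs="$resp_logs $log1"` and `ready_files="$ready_files $ready1"` build whitespace-separated lists, which the switch from a fixed `/tmp` to a user-controlled `TMPDIR` now breaks if that directory contains a space; bash arrays (`resp_logs+=("$log1")`) would avoid that, though the consumers of these lists are outside the hunk.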
+3 -1
@@ -341,7 +341,9 @@ server=login.live.com
#ca=certs/external/DigiCertGlobalRootCA.pem
ca=./certs/external/ca_collection.pem
if [[ "$V4V6" == "4" ]]; then
if [[ -z "${WOLFSSL_EXTERNAL_TEST-}" || "$WOLFSSL_EXTERNAL_TEST" == "0" ]]; then
echo "Skipping OCSP test on $server (set WOLFSSL_EXTERNAL_TEST=1 to run)"
elif [[ "$V4V6" == "4" ]]; then
retry_with_backoff 3 ./examples/client/client -C -h "$server" -p 443 -A "$ca" -g -W 1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1
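Review bot: The new guard `[[ -z "${WOLFSSL_EXTERNAL_TEST-}" || "$WOLFSSL_EXTERNAL_TEST" == "0" ]]` can be the single test `[[ "${WOLFSSL_EXTERNAL_TEST:-0}" == "0" ]]`, which treats unset, empty and `0` identically and avoids guarding the expansion on one side of the `||` but not the other. The skip is reported with a plain `echo`, so a CI log will not tell it apart from a pass; using the same skip wording as external.test / google.test (not visible here) would make it greppable across scripts. The `if`/`elif` chain continues past the hunk, and because the skip is now the first branch the later address-family branch is skipped as well, which appears intended.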