Make test scripts work in sandboxed/restricted environments
multi-msg-record.py: auto-detect the CA cert format the wolfSSL client
build accepts (PEM or DER) from the default shown in client -? help.
OPENSSL_EXTRA-style builds need PEM; NO_CODING builds need DER.
ocsp-stapling.test: skip the external login.live.com connection unless
WOLFSSL_EXTERNAL_TEST is explicitly enabled (matches external.test /
google.test convention). Local OCSP tests still run.
ocsp-responder-openssl-interop.test: use ${TMPDIR:-/tmp} for mktemp
templates so the test works when /tmp is not writable.
@@ -44,6 +44,10 @@ WOLFSSL_DIR = os.path.dirname(SCRIPT_DIR)
|
||||
WOLF_CLIENT = os.path.join(WOLFSSL_DIR, "examples", "client", "client")
|
||||
CERT_DIR = os.path.join(WOLFSSL_DIR, "certs")
|
||||
|
||||
# CA cert path passed to the wolfSSL client via -A. Set in main() after
|
||||
# detect_wolf_features() determines whether the build accepts PEM or DER.
|
||||
WOLF_CA_CERT = os.path.join(CERT_DIR, "ca-cert.pem")
|
||||
|
||||
# ---------------------------------------------------------------------------
|
||||
# Bypass a strict tlslite-ng validation that rejects wolfSSL's ClientHello
|
||||
# when the client advertises FFDHE groups in a TLS-1.3-only hello.
|
||||
@@ -106,10 +110,11 @@ def detect_wolf_features():
|
||||
compiled in. Used to decide which test phases to run.
|
||||
|
||||
Returns dict with keys: tls12 (bool), tls13 (bool),
|
||||
secure_reneg (bool), ciphers (set[str]).
|
||||
secure_reneg (bool), ciphers (set[str]), ca_cert (str).
|
||||
"""
|
||||
feats = {"tls12": False, "tls13": False, "secure_reneg": False,
|
||||
"ciphers": set()}
|
||||
"ciphers": set(),
|
||||
"ca_cert": os.path.join(CERT_DIR, "ca-cert.pem")}
|
||||
|
||||
# ./client -V -> e.g. "3:4:d(downgrade):e(either):"
|
||||
try:
|
||||
@@ -122,12 +127,16 @@ def detect_wolf_features():
|
||||
pass
|
||||
|
||||
# ./client -? -> help text includes "-R" only when
|
||||
# HAVE_SECURE_RENEGOTIATION is defined.
|
||||
# HAVE_SECURE_RENEGOTIATION is defined. The default -A path
|
||||
# ("ca-cert.pem" vs "ca-cert.der") also tells us which CA file
|
||||
# format the build can load.
|
||||
try:
|
||||
r = subprocess.run([WOLF_CLIENT, "-?"],
|
||||
capture_output=True, timeout=5)
|
||||
htxt = r.stdout.decode("utf-8", errors="replace")
|
||||
feats["secure_reneg"] = ("Allow Secure Renegotiation" in htxt)
|
||||
if "ca-cert.der" in htxt and "ca-cert.pem" not in htxt:
|
||||
feats["ca_cert"] = os.path.join(CERT_DIR, "ca-cert.der")
|
||||
except Exception:
|
||||
pass
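Review bot: The format probe on the line `if "ca-cert.der" in htxt and "ca-cert.pem" not in htxt:` scans the entire `-?` output, so any help string that happens to mention both file names — or a future option whose description names `ca-cert.pem` — would leave a NO_CODING build on the PEM default, and the client would then fail when `-A` is loaded; the comment above the probe should state that the match is meant to follow the `-A` default and that a wrong guess is expected to be fail-closed, e.g. `# Heuristic: only the -A default names the CA file. A wrong guess should make -A fail to load, not run the handshake without a trusted CA -- confirm against the client.` The same hunk keeps `except Exception: pass` around the probe, so a `subprocess.TimeoutExpired` or a missing binary silently yields the PEM default; printing the exception before falling back would make a mis-detected sandbox easier to diagnose. detect_wolf_features begins outside this hunk. In the `_run_wolf_client` hunk the new docstring sentence `(NO_CODING / OPENSSL_EXTRA builds don't both support PEM)` is garbled; per the commit message it should read `NO_CODING builds need DER, OPENSSL_EXTRA-style builds need PEM`.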
|
||||
|
||||
@@ -188,11 +197,11 @@ def _listen_socket():
|
||||
def _run_wolf_client(port, version, cipher, extra=()):
|
||||
"""Invoke the wolfSSL example client against 127.0.0.1:port.
|
||||
|
||||
Uses the DER-encoded CA cert so the test works with wolfSSL builds
|
||||
configured with NO_CODING (base64 decode disabled, no PEM support).
|
||||
WOLF_CA_CERT is PEM or DER depending on the build (NO_CODING /
|
||||
OPENSSL_EXTRA builds don't both support PEM).
|
||||
"""
|
||||
cmd = [WOLF_CLIENT, "-h", "127.0.0.1", "-p", str(port),
|
||||
"-v", version, "-A", os.path.join(CERT_DIR, "ca-cert.der"),
|
||||
"-v", version, "-A", WOLF_CA_CERT,
|
||||
"-g", *extra]
|
||||
if cipher:
|
||||
cmd.extend(["-l", cipher])
|
||||
@@ -522,6 +531,8 @@ def main():
|
||||
# Probe the client to see which features are compiled in so each
|
||||
# phase of the test is only run when it can succeed.
|
||||
feats = detect_wolf_features()
|
||||
global WOLF_CA_CERT
|
||||
WOLF_CA_CERT = feats["ca_cert"]
|
||||
|
||||
# Load certificate / key pairs
|
||||
rsa_chain = _load_chain(os.path.join(CERT_DIR, "server-cert.pem"))
|
||||
|
||||
@@ -219,9 +219,9 @@ port4=$(get_first_free_port $((port3 + 1))) # OCSP responder: root-ca
|
||||
port5=$(get_first_free_port $((port4 + 1))) # TLS server
|
||||
|
||||
# Responder 1: intermediate1-ca (server1=valid, server2=revoked)
|
||||
log1=$(mktemp /tmp/ocsp_resp1.XXXXXX)
|
||||
log1=$(mktemp "${TMPDIR:-/tmp}/ocsp_resp1.XXXXXX")
|
||||
resp_logs="$resp_logs $log1"
|
||||
ready1=$(mktemp /tmp/ocsp_ready1.XXXXXX)
|
||||
ready1=$(mktemp "${TMPDIR:-/tmp}/ocsp_ready1.XXXXXX")
|
||||
ready_files="$ready_files $ready1"
|
||||
$OCSP_RESPONDER -p $port1 -v -R "$ready1" \
|
||||
-c $OCSP_DIR/intermediate1-ca-cert.pem \
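Review bot: The new `log1=$(mktemp "${TMPDIR:-/tmp}/ocsp_resp1.XXXXXX")` line, and the nine sibling `mktemp` lines in the four hunks that follow, now take the directory from the environment, but a failed `mktemp` (`TMPDIR` naming a missing or unwritable path) leaves the variable empty, so the responder would be started with an empty log path and `-R ""`; unless the script runs under `set -e` somewhere outside these hunks, that fails later and less clearly than the old fixed `/tmp` did. A single guard near the top of the script, e.g. `tmpdir="${TMPDIR:-/tmp}"` followed by `[ -d "$tmpdir" ] && [ -w "$tmpdir" ] || { echo "no writable temp dir: $tmpdir"; exit 1; }`, would keep all ten call sites as they are. Accepting `TMPDIR` from the environment does not widen access to the responder logs or ready files, since `mktemp` creates them owner-only.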
|
||||
@@ -232,9 +232,9 @@ pid1=$!
|
||||
resp_pids="$resp_pids $pid1"
|
||||
|
||||
# Responder 2: intermediate2-ca (server3=valid, server4=revoked)
|
||||
log2=$(mktemp /tmp/ocsp_resp2.XXXXXX)
|
||||
log2=$(mktemp "${TMPDIR:-/tmp}/ocsp_resp2.XXXXXX")
|
||||
resp_logs="$resp_logs $log2"
|
||||
ready2=$(mktemp /tmp/ocsp_ready2.XXXXXX)
|
||||
ready2=$(mktemp "${TMPDIR:-/tmp}/ocsp_ready2.XXXXXX")
|
||||
ready_files="$ready_files $ready2"
|
||||
$OCSP_RESPONDER -p $port2 -v -R "$ready2" \
|
||||
-c $OCSP_DIR/intermediate2-ca-cert.pem \
|
||||
@@ -245,9 +245,9 @@ pid2=$!
|
||||
resp_pids="$resp_pids $pid2"
|
||||
|
||||
# Responder 3: intermediate3-ca (server5=valid)
|
||||
log3=$(mktemp /tmp/ocsp_resp3.XXXXXX)
|
||||
log3=$(mktemp "${TMPDIR:-/tmp}/ocsp_resp3.XXXXXX")
|
||||
resp_logs="$resp_logs $log3"
|
||||
ready3=$(mktemp /tmp/ocsp_ready3.XXXXXX)
|
||||
ready3=$(mktemp "${TMPDIR:-/tmp}/ocsp_ready3.XXXXXX")
|
||||
ready_files="$ready_files $ready3"
|
||||
$OCSP_RESPONDER -p $port3 -v -R "$ready3" \
|
||||
-c $OCSP_DIR/intermediate3-ca-cert.pem \
|
||||
@@ -258,9 +258,9 @@ pid3=$!
|
||||
resp_pids="$resp_pids $pid3"
|
||||
|
||||
# Responder 4: root-ca (intermediate CAs: 1=valid, 2=valid, 3=revoked)
|
||||
log4=$(mktemp /tmp/ocsp_resp4.XXXXXX)
|
||||
log4=$(mktemp "${TMPDIR:-/tmp}/ocsp_resp4.XXXXXX")
|
||||
resp_logs="$resp_logs $log4"
|
||||
ready4=$(mktemp /tmp/ocsp_ready4.XXXXXX)
|
||||
ready4=$(mktemp "${TMPDIR:-/tmp}/ocsp_ready4.XXXXXX")
|
||||
ready_files="$ready_files $ready4"
|
||||
$OCSP_RESPONDER -p $port4 -v -R "$ready4" \
|
||||
-c $OCSP_DIR/root-ca-cert.pem \
|
||||
@@ -271,9 +271,9 @@ pid4=$!
|
||||
resp_pids="$resp_pids $pid4"
|
||||
|
||||
# Responder 5: authorized responder (delegated OCSP signer with id-kp-OCSPSigning)
|
||||
log5=$(mktemp /tmp/ocsp_resp5.XXXXXX)
|
||||
log5=$(mktemp "${TMPDIR:-/tmp}/ocsp_resp5.XXXXXX")
|
||||
resp_logs="$resp_logs $log5"
|
||||
ready5=$(mktemp /tmp/ocsp_ready5.XXXXXX)
|
||||
ready5=$(mktemp "${TMPDIR:-/tmp}/ocsp_ready5.XXXXXX")
|
||||
ready_files="$ready_files $ready5"
|
||||
$OCSP_RESPONDER -p $port5 -v -R "$ready5" \
|
||||
-c $OCSP_DIR/root-ca-cert.pem \
|
||||
|
||||
@@ -341,7 +341,9 @@ server=login.live.com
|
||||
#ca=certs/external/DigiCertGlobalRootCA.pem
|
||||
ca=./certs/external/ca_collection.pem
|
||||
|
||||
if [[ "$V4V6" == "4" ]]; then
|
||||
if [[ -z "${WOLFSSL_EXTERNAL_TEST-}" || "$WOLFSSL_EXTERNAL_TEST" == "0" ]]; then
|
||||
echo "Skipping OCSP test on $server (set WOLFSSL_EXTERNAL_TEST=1 to run)"
|
||||
elif [[ "$V4V6" == "4" ]]; then
|
||||
retry_with_backoff 3 ./examples/client/client -C -h "$server" -p 443 -A "$ca" -g -W 1
|
||||
RESULT=$?
|
||||
[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1
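Review bot: The skip condition `if [[ -z "${WOLFSSL_EXTERNAL_TEST-}" || "$WOLFSSL_EXTERNAL_TEST" == "0" ]]; then` treats every value other than empty or `0` as opt-in, while the message on the next line tells the user to set `WOLFSSL_EXTERNAL_TEST=1`, so a value such as `no` or `false` would still open the outbound connection to login.live.com. If external.test and google.test (not visible here) use the same test this is at least consistent, but if an explicit opt-in is intended, `if [[ "${WOLFSSL_EXTERNAL_TEST:-0}" != "1" ]]; then` matches the printed instruction exactly. The `if`/`elif` block this hunk rewrites closes outside the hunk.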
|
||||
|
||||