diff --git a/scripts/multi-msg-record.py b/scripts/multi-msg-record.py
index 017934deb2..a1216d8e3d 100755
--- a/scripts/multi-msg-record.py
+++ b/scripts/multi-msg-record.py
@@ -44,6 +44,10 @@ WOLFSSL_DIR = os.path.dirname(SCRIPT_DIR)
 WOLF_CLIENT = os.path.join(WOLFSSL_DIR, "examples", "client", "client")
 CERT_DIR = os.path.join(WOLFSSL_DIR, "certs")
+# CA cert path passed to the wolfSSL client via -A. Set in main() after
+# detect_wolf_features() determines whether the build accepts PEM or DER.
+WOLF_CA_CERT = os.path.join(CERT_DIR, "ca-cert.pem")
+
 # ---------------------------------------------------------------------------
 # Bypass a strict tlslite-ng validation that rejects wolfSSL's ClientHello
 # when the client advertises FFDHE groups in a TLS-1.3-only hello.
@@ -106,10 +110,11 @@ def detect_wolf_features():
 compiled in. Used to decide which test phases to run.
 Returns dict with keys: tls12 (bool), tls13 (bool),
- secure_reneg (bool), ciphers (set[str]).
+ secure_reneg (bool), ciphers (set[str]), ca_cert (str).
 """
 feats = {"tls12": False, "tls13": False, "secure_reneg": False,
- "ciphers": set()}
+ "ciphers": set(),
+ "ca_cert": os.path.join(CERT_DIR, "ca-cert.pem")}
 # ./client -V -> e.g. "3:4:d(downgrade):e(either):"
 try:
@@ -122,12 +127,16 @@ def detect_wolf_features():
 pass
 # ./client -? -> help text includes "-R" only when
- # HAVE_SECURE_RENEGOTIATION is defined.
+ # HAVE_SECURE_RENEGOTIATION is defined. The default -A path
+ # ("ca-cert.pem" vs "ca-cert.der") also tells us which CA file
+ # format the build can load.
 try:
 r = subprocess.run([WOLF_CLIENT, "-?"], capture_output=True,
 timeout=5)
 htxt = r.stdout.decode("utf-8", errors="replace")
 feats["secure_reneg"] = ("Allow Secure Renegotiation" in htxt)
+ if "ca-cert.der" in htxt and "ca-cert.pem" not in htxt:
+ feats["ca_cert"] = os.path.join(CERT_DIR, "ca-cert.der")
 except Exception:
 pass
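Review bot: The PEM fallback is spelled out twice — `WOLF_CA_CERT = os.path.join(CERT_DIR, "ca-cert.pem")` in this hunk and again as the `"ca_cert"` entry of `feats` in the `@@ -106` hunk — so the two defaults can drift apart if the file name ever changes. Initialising the dict with `"ca_cert": WOLF_CA_CERT` keeps one source of truth and makes it clear that detect_wolf_features() only overrides the module default when it finds a DER-only build. The comment's "Set in main()" is accurate, but it would help to add that `_run_wolf_client()` reads the global at call time, so the assignment in main() has to precede the first client invocation.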
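Review bot: The DER fallback `if "ca-cert.der" in htxt and "ca-cert.pem" not in htxt:` is a substring heuristic on help text that silently keeps the PEM default whenever the `-?` probe raises (swallowed by `except Exception: pass`), times out, or prints both names, so a NO_CODING build would then fail later in `_run_wolf_client()` with a certificate-load error that does not point back here. It would be worth making the decision visible, e.g. after the `try` block: `print("wolfSSL client CA cert:", feats["ca_cert"])`, or whatever reporting channel the script already uses, which I cannot see from this hunk. A comment stating the assumption would also help, e.g. `# Heuristic: the client's default -A path reflects the CA format the build can load; a probe failure leaves the PEM default in place.` The remainder of detect_wolf_features(), including its return, lies outside the hunk.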
@@ -188,11 +197,11 @@ def _listen_socket():
 def _run_wolf_client(port, version, cipher, extra=()):
 """Invoke the wolfSSL example client against 127.0.0.1:port.
- Uses the DER-encoded CA cert so the test works with wolfSSL builds
- configured with NO_CODING (base64 decode disabled, no PEM support).
+ WOLF_CA_CERT is PEM or DER depending on the build (NO_CODING /
+ OPENSSL_EXTRA builds don't both support PEM).
 """
 cmd = [WOLF_CLIENT, "-h", "127.0.0.1", "-p", str(port),
- "-v", version, "-A", os.path.join(CERT_DIR, "ca-cert.der"),
+ "-v", version, "-A", WOLF_CA_CERT,
 "-g", *extra]
 if cipher:
 cmd.extend(["-l", cipher])
@@ -522,6 +531,8 @@ def main():
 # Probe the client to see which features are compiled in so each
 # phase of the test is only run when it can succeed.
 feats = detect_wolf_features()
+ global WOLF_CA_CERT
+ WOLF_CA_CERT = feats["ca_cert"]
 # Load certificate / key pairs
 rsa_chain = _load_chain(os.path.join(CERT_DIR, "server-cert.pem"))
diff --git a/scripts/ocsp-responder-openssl-interop.test b/scripts/ocsp-responder-openssl-interop.test
index ed62c19951..8e0bd3ac25 100755
--- a/scripts/ocsp-responder-openssl-interop.test
+++ b/scripts/ocsp-responder-openssl-interop.test
@@ -219,9 +219,9 @@ port4=$(get_first_free_port $((port3 + 1))) # OCSP responder: root-ca
 port5=$(get_first_free_port $((port4 + 1))) # TLS server
 # Responder 1: intermediate1-ca (server1=valid, server2=revoked)
-log1=$(mktemp /tmp/ocsp_resp1.XXXXXX)
+log1=$(mktemp "${TMPDIR:-/tmp}/ocsp_resp1.XXXXXX")
 resp_logs="$resp_logs $log1"
-ready1=$(mktemp /tmp/ocsp_ready1.XXXXXX)
+ready1=$(mktemp "${TMPDIR:-/tmp}/ocsp_ready1.XXXXXX")
 ready_files="$ready_files $ready1"
 $OCSP_RESPONDER -p $port1 -v -R "$ready1" \
 -c $OCSP_DIR/intermediate1-ca-cert.pem \
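Review bot: The new docstring sentence `WOLF_CA_CERT is PEM or DER depending on the build (NO_CODING / OPENSSL_EXTRA builds don't both support PEM).` is hard to parse — it does not say which of the two builds lacks PEM support, and "don't both" reads as a typo. I would state the rule detect_wolf_features() actually applies, e.g. `WOLF_CA_CERT is chosen by detect_wolf_features(): ca-cert.pem by default, ca-cert.der when the client's default -A path shows the build cannot load PEM (e.g. NO_CODING, which disables base64 decoding).`, and, if OPENSSL_EXTRA genuinely affects the choice, say how. The function now also reads a module global that main() rebinds instead of receiving the path; an explicit `ca_cert=None` parameter used as `"-A", ca_cert or WOLF_CA_CERT` would make the dependency visible to callers and keep the function usable without touching globals. The body of _run_wolf_client continues beyond the hunk.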
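Review bot: `global WOLF_CA_CERT` is declared mid-body, after `feats = detect_wolf_features()`; Python rejects a `global` statement that follows any use of the same name earlier in the function, and main()'s first lines are outside this hunk so I cannot confirm there is none — the conventional, safe place is the top of main(). Rebinding the module global here also makes `_run_wolf_client()` depend on call order rather than on an argument; passing `feats["ca_cert"]` down explicitly would avoid the global altogether. If the global stays, a one-line comment such as `# Must run before the first _run_wolf_client() call, which reads WOLF_CA_CERT.` documents the ordering.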
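Review bot: Honouring `$TMPDIR` means the temp paths can now contain whitespace, but they are still collected into the space-separated strings `resp_logs="$resp_logs $log1"` and `ready_files="$ready_files $ready1"`; if the cleanup code (outside this hunk) expands those unquoted to remove the files, such a path splits into several words and the files are left behind. The same pattern is in the `@@ -232`, `@@ -245`, `@@ -258` and `@@ -271` hunks of this file. If the script runs under bash, arrays avoid this: `resp_logs+=("$log1")` and `ready_files+=("$ready1")`, iterated as `"${resp_logs[@]}"`. Otherwise at least a comment recording that TMPDIR must not contain spaces would make the assumption explicit.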
@@ -232,9 +232,9 @@ pid1=$!
 resp_pids="$resp_pids $pid1"
 # Responder 2: intermediate2-ca (server3=valid, server4=revoked)
-log2=$(mktemp /tmp/ocsp_resp2.XXXXXX)
+log2=$(mktemp "${TMPDIR:-/tmp}/ocsp_resp2.XXXXXX")
 resp_logs="$resp_logs $log2"
-ready2=$(mktemp /tmp/ocsp_ready2.XXXXXX)
+ready2=$(mktemp "${TMPDIR:-/tmp}/ocsp_ready2.XXXXXX")
 ready_files="$ready_files $ready2"
 $OCSP_RESPONDER -p $port2 -v -R "$ready2" \
 -c $OCSP_DIR/intermediate2-ca-cert.pem \
@@ -245,9 +245,9 @@ pid2=$!
 resp_pids="$resp_pids $pid2"
 # Responder 3: intermediate3-ca (server5=valid)
-log3=$(mktemp /tmp/ocsp_resp3.XXXXXX)
+log3=$(mktemp "${TMPDIR:-/tmp}/ocsp_resp3.XXXXXX")
 resp_logs="$resp_logs $log3"
-ready3=$(mktemp /tmp/ocsp_ready3.XXXXXX)
+ready3=$(mktemp "${TMPDIR:-/tmp}/ocsp_ready3.XXXXXX")
 ready_files="$ready_files $ready3"
 $OCSP_RESPONDER -p $port3 -v -R "$ready3" \
 -c $OCSP_DIR/intermediate3-ca-cert.pem \
@@ -258,9 +258,9 @@ pid3=$!
 resp_pids="$resp_pids $pid3"
 # Responder 4: root-ca (intermediate CAs: 1=valid, 2=valid, 3=revoked)
-log4=$(mktemp /tmp/ocsp_resp4.XXXXXX)
+log4=$(mktemp "${TMPDIR:-/tmp}/ocsp_resp4.XXXXXX")
 resp_logs="$resp_logs $log4"
-ready4=$(mktemp /tmp/ocsp_ready4.XXXXXX)
+ready4=$(mktemp "${TMPDIR:-/tmp}/ocsp_ready4.XXXXXX")
 ready_files="$ready_files $ready4"
 $OCSP_RESPONDER -p $port4 -v -R "$ready4" \
 -c $OCSP_DIR/root-ca-cert.pem \
@@ -271,9 +271,9 @@ pid4=$!
 resp_pids="$resp_pids $pid4"
 # Responder 5: authorized responder (delegated OCSP signer with id-kp-OCSPSigning)
-log5=$(mktemp /tmp/ocsp_resp5.XXXXXX)
+log5=$(mktemp "${TMPDIR:-/tmp}/ocsp_resp5.XXXXXX")
 resp_logs="$resp_logs $log5"
-ready5=$(mktemp /tmp/ocsp_ready5.XXXXXX)
+ready5=$(mktemp "${TMPDIR:-/tmp}/ocsp_ready5.XXXXXX")
 ready_files="$ready_files $ready5"
 $OCSP_RESPONDER -p $port5 -v -R "$ready5" \
 -c $OCSP_DIR/root-ca-cert.pem \
diff --git a/scripts/ocsp-stapling.test b/scripts/ocsp-stapling.test
index 8f6ed717cf..55ead3e27f 100755
--- a/scripts/ocsp-stapling.test
+++ b/scripts/ocsp-stapling.test
@@ -341,7 +341,9 @@ server=login.live.com
 #ca=certs/external/DigiCertGlobalRootCA.pem
 ca=./certs/external/ca_collection.pem
-if [[ "$V4V6" == "4" ]]; then
+if [[ -z "${WOLFSSL_EXTERNAL_TEST-}" || "$WOLFSSL_EXTERNAL_TEST" == "0" ]]; then
+ echo "Skipping OCSP test on $server (set WOLFSSL_EXTERNAL_TEST=1 to run)"
+elif [[ "$V4V6" == "4" ]]; then
 retry_with_backoff 3 ./examples/client/client -C -h "$server" -p 443 -A "$ca" -g -W 1
 RESULT=$?
 [ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1
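Review bot: The gate `[[ -z "${WOLFSSL_EXTERNAL_TEST-}" || "$WOLFSSL_EXTERNAL_TEST" == "0" ]]` can be written as a single test, `if [[ "${WOLFSSL_EXTERNAL_TEST:-0}" == "0" ]]; then`, which treats unset and empty exactly as the two-clause form does and reads as "off unless explicitly enabled". The skip only covers this `login.live.com` block; if the file has other external-host blocks (the commented-out DigiCert `ca=` line suggests the section is per host), they would need the same guard, which I cannot verify from this hunk. The `if`/`elif` chain continues past the hunk, so its remaining branches and the closing `fi` are not reviewed here.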