From d969e2ba1152767d74e8d38e876f58c396bc6ff4 Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Tue, 1 Mar 2016 16:35:32 -0700 Subject: [PATCH] automated test for trusted peer certs --- configure.ac | 12 +++ examples/client/client.c | 23 ++++- examples/server/server.c | 23 ++++- scripts/include.am | 4 + scripts/trusted_peer.test | 210 ++++++++++++++++++++++++++++++++++++++ 5 files changed, 264 insertions(+), 8 deletions(-) create mode 100755 scripts/trusted_peer.test diff --git a/configure.ac b/configure.ac index 2301a64ce..6c5041040 100644 --- a/configure.ac +++ b/configure.ac @@ -2501,6 +2501,18 @@ AM_CONDITIONAL([BUILD_MCAPI], [test "x$ENABLED_MCAPI" = "xyes"]) # check if PSK was enabled for conditionally running psk.test script AM_CONDITIONAL([BUILD_PSK], [test "x$ENABLED_PSK" = "xyes"]) + +# check if should run the trusted peer certs test +case $C_EXTRA_FLAGS in + *WOLFSSL_TRUST_PEER_CERT*) + have_tp=yes + break;; + *) + have_tp=no ;; +esac +AM_CONDITIONAL([BUILD_TRUST_PEER_CERT], [test "x$have_tp" = "xyes"]) + + ################################################################################ # Check for build-type conflicts # ################################################################################ diff --git a/examples/client/client.c b/examples/client/client.c index 417b3267f..32e4edc07 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -380,6 +380,9 @@ static void Usage(void) #ifdef HAVE_CRL printf("-C Disable CRL\n"); #endif +#ifdef WOLFSSL_TRUST_PEER_CERT + printf("-T Path to load trusted peer cert\n"); +#endif } THREAD_RETURN WOLFSSL_THREAD client_test(void* args) @@ -438,6 +441,10 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) const char* ourCert = cliCert; const char* ourKey = cliKey; +#ifdef WOLFSSL_TRUST_PEER_CERT + const char* trustCert = NULL; +#endif + #ifdef HAVE_SNI char* sniHostName = NULL; #endif @@ -490,7 +497,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #ifndef WOLFSSL_VXWORKS while ((ch = mygetopt(argc, argv, - "?gdeDusmNrwRitfxXUPCVh:p:v:l:A:c:k:Z:b:zS:F:L:ToO:aB:W:")) != -1) { + "?gdeDusmNrwRitfxXUPCVh:p:v:l:A:c:k:Z:b:zS:F:L:ToO:aB:W:E:")) != -1) { switch (ch) { case '?' : Usage(); @@ -532,6 +539,12 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #endif break; + #ifdef WOLFSSL_TRUST_PEER_CERT + case 'E' : + trustCert = myoptarg; + break; + #endif + case 'm' : matchName = 1; break; @@ -978,9 +991,11 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) err_sys("can't load ecc ca file, Please run from wolfSSL home dir"); #endif /* HAVE_ECC */ #ifdef WOLFSSL_TRUST_PEER_CERT - if ((ret = wolfSSL_CTX_trust_peer_cert(ctx, svrCert, SSL_FILETYPE_PEM)) - != SSL_SUCCESS) { - err_sys("can't load trusted peer cert file"); + if (trustCert) { + if ((ret = wolfSSL_CTX_trust_peer_cert(ctx, trustCert, + SSL_FILETYPE_PEM)) != SSL_SUCCESS) { + err_sys("can't load trusted peer cert file"); + } } #endif /* WOLFSSL_TRUST_PEER_CERT */ } diff --git a/examples/server/server.c b/examples/server/server.c index adfb895a3..d3ab1cb95 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -238,6 +238,9 @@ static void Usage(void) printf("-n Use NTRU key (needed for NTRU suites)\n"); #endif printf("-B Benchmark throughput using bytes and print stats\n"); +#ifdef WOLFSSL_TRUST_PEER_CERT + printf("-E Path to load trusted peer cert\n"); +#endif } THREAD_RETURN CYASSL_THREAD server_test(void* args) @@ -288,6 +291,10 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) int argc = ((func_args*)args)->argc; char** argv = ((func_args*)args)->argv; +#ifdef WOLFSSL_TRUST_PEER_CERT + const char* trustCert = NULL; +#endif + #ifndef NO_PSK int sendPskIdentityHint = 1; #endif @@ -330,7 +337,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) #ifdef WOLFSSL_VXWORKS useAnyAddr = 1; #else - while ((ch = mygetopt(argc, argv, "?dbstnNufrawPIR:p:v:l:A:c:k:Z:S:oO:D:L:ieB:j")) + while ((ch = mygetopt(argc, argv, "?dbstnNufrawPIR:p:v:l:A:c:k:Z:S:oO:D:L:ieB:j:E:")) != -1) { switch (ch) { case '?' : @@ -507,6 +514,12 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) } break; + #ifdef WOLFSSL_TRUST_PEER_CERT + case 'E' : + trustCert = myoptarg; + break; + #endif + default: Usage(); exit(MY_EX_USAGE); @@ -686,9 +699,11 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) if (SSL_CTX_load_verify_locations(ctx, verifyCert, 0) != SSL_SUCCESS) err_sys("can't load ca file, Please run from wolfSSL home dir"); #ifdef WOLFSSL_TRUST_PEER_CERT - if ((ret = wolfSSL_CTX_trust_peer_cert(ctx, cliCert, SSL_FILETYPE_PEM)) - != SSL_SUCCESS) { - err_sys("can't load trusted peer cert file"); + if (trustCert) { + if ((ret = wolfSSL_CTX_trust_peer_cert(ctx, trustCert, + SSL_FILETYPE_PEM)) != SSL_SUCCESS) { + err_sys("can't load trusted peer cert file"); + } } #endif /* WOLFSSL_TRUST_PEER_CERT */ } diff --git a/scripts/include.am b/scripts/include.am index 5866a554e..2d9ea0346 100644 --- a/scripts/include.am +++ b/scripts/include.am @@ -51,6 +51,10 @@ if BUILD_PSK dist_noinst_SCRIPTS+= scripts/psk.test endif +if BUILD_TRUST_PEER_CERT +dist_noinst_SCRIPTS+= scripts/trusted_peer.test +endif + EXTRA_DIST += scripts/testsuite.pcap # leave openssl.test as extra until non bash works EXTRA_DIST += scripts/openssl.test diff --git a/scripts/trusted_peer.test b/scripts/trusted_peer.test new file mode 100755 index 000000000..a07836280 --- /dev/null +++ b/scripts/trusted_peer.test @@ -0,0 +1,210 @@ +#!/bin/sh + +# trusted_peer.test +# copyright wolfSSL 2016 + +# getting unique port is modeled after resume.test script +# need a unique port since may run the same time as testsuite +# use server port zero hack to get one +port=0 +no_pid=-1 +server_pid=$no_pid +counter=0 +# let's use absolute path to a local dir (make distcheck may be in sub dir) +# also let's add some randomness by adding pid in case multiple 'make check's +# per source tree +ready_file=`pwd`/wolfssl_tp_ready$$ + +echo "ready file $ready_file" + +create_port() { + while [ ! -s $ready_file -a "$counter" -lt 20 ]; do + echo -e "waiting for ready file..." + sleep 0.1 + counter=$((counter+ 1)) + done + + if test -e $ready_file; then + echo -e "found ready file, starting client..." + + # get created port 0 ephemeral port + port=`cat $ready_file` + else + echo -e "NO ready file ending test..." + do_cleanup + fi +} + +remove_ready_file() { + if test -e $ready_file; then + echo -e "removing existing ready file" + rm $ready_file + fi +} + +do_cleanup() { + echo "in cleanup" + + if [ $server_pid != $no_pid ] + then + echo "killing server" + kill -9 $server_pid + fi + remove_ready_file +} + +do_trap() { + echo "got trap" + do_cleanup + exit -1 +} + +trap do_trap INT TERM + +[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1 + +# Test for trusted peer certs build +echo "" +echo "Checking built with trusted peer certs " +echo "-----------------------------------------------------" +port=0 +./examples/server/server -E certs/client-cert.pem -R $ready_file -p $port & +server_pid=$! +create_port +./examples/client/client -p $port +RESULT=$? +remove_ready_file +# if fail here then is a settings issue so return 0 +if [ $RESULT -ne 0 ]; then + echo -e "\n\nTrusted peer certs not enabled \"WOLFSSL_TRUST_PEER_CERT\"" + do_cleanup + exit 0 +fi +echo "" + +# Test that using no CA's and only trusted peer certs works +echo "Server and Client relying on trusted peer cert loaded" +echo "-----------------------------------------------------" +port=0 +./examples/server/server -A certs/wolfssl-website-ca.pem -E certs/client-cert.pem -c certs/server-cert.pem -R $ready_file -p $port & +server_pid=$! +create_port +./examples/client/client -A certs/wolfssl-website-ca.pem -E certs/server-cert.pem -c certs/client-cert.pem -p $port +RESULT=$? +remove_ready_file +if [ $RESULT -ne 0 ]; then + echo -e "\nServer and Client trusted peer cert failed!" + do_cleanup + exit 1 +fi +echo "" + +# Test that using server trusted peer certs works +echo "Server relying on trusted peer cert loaded" +echo "-----------------------------------------------------" +port=0 +./examples/server/server -A certs/wolfssl-website-ca.pem -E certs/client-cert.pem -c certs/server-cert.pem -R $ready_file -p $port & +server_pid=$! +create_port +./examples/client/client -c certs/client-cert.pem -p $port +RESULT=$? +remove_ready_file +if [ $RESULT -ne 0 ]; then + echo -e "\nServer trusted peer cert test failed!" + do_cleanup + exit 1 +fi +echo "" + +# Test that using client trusted peer certs works +echo "Client relying on trusted peer cert loaded" +echo "-----------------------------------------------------" +port=0 +./examples/server/server -c certs/server-cert.pem -R $ready_file -p $port & +server_pid=$! +create_port +./examples/client/client -E certs/server-cert.pem -p $port +RESULT=$? +remove_ready_file +if [ $RESULT -ne 0 ]; then + echo -e "\nClient trusted peer cert test failed!" + do_cleanup + exit 1 +fi +echo "" + +# Test that client fall through to CA works +echo "Client fall through to loaded CAs" +echo "-----------------------------------------------------" +port=0 +./examples/server/server -R $ready_file -p $port & +server_pid=$! +create_port +./examples/client/client -E certs/server-revoked-cert.pem -p $port +RESULT=$? +remove_ready_file +if [ $RESULT -ne 0 ]; then + echo -e "\nClient trusted peer cert fall through to CA test failed!" + do_cleanup + exit 1 +fi +echo "" + +# Test that client can fail +echo "Client wrong CA and wrong trusted peer cert loaded" +echo "-----------------------------------------------------" +port=0 +./examples/server/server -R $ready_file -p $port & +server_pid=$! +create_port +./examples/client/client -A certs/wolfssl-website-ca.pem -E certs/server-revoked-cert.pem -p $port +RESULT=$? +remove_ready_file +if [ $RESULT -eq 0 ]; then + echo -e "\nClient trusted peer cert test failed!" + do_cleanup + exit 1 +fi +echo "" + +# Test that server can fail +echo "Server wrong CA and wrong trusted peer cert loaded" +echo "-----------------------------------------------------" +port=0 +./examples/server/server -A certs/wolfssl-website-ca.pem -E certs/server-revoked-cert.pem -R $ready_file -p $port & +server_pid=$! +create_port +./examples/client/client -p $port +RESULT=$? +remove_ready_file +if [ $RESULT -eq 0 ]; then + echo -e "\nServer trusted peer cert test failed!" + do_cleanup + exit 1 +fi +echo "" + +# Test that server fall through to CA works +echo "Server fall through to loaded CAs" +echo "-----------------------------------------------------" +port=0 +./examples/server/server -E certs/server-revoked-cert.pem -R $ready_file -p $port & +server_pid=$! +create_port +./examples/client/client -p $port +RESULT=$? +remove_ready_file +if [ $RESULT -ne 0 ]; then + echo -e "\nServer trusted peer cert fall through to CA test failed!" + do_cleanup + exit 1 +fi +echo "" + +echo "-----------------------------------------------------" +echo "ALL TESTS PASSED" +echo "-----------------------------------------------------" + +exit 0 + +