Commit Graph

72 Commits

Author SHA1 Message Date
Ruby Martin 5c3100ed5c Remove non-RFC-compliant OCSP responder chain walk. The chain walk
authorized any responder issued by an ancestor of the target's issuer;
  RFC 6960 4.2.2.2 requires direct issuance by the CA identified in the
  request.

    - Remove CheckOcspResponderChain() and WOLFSSL_NO_OCSP_ISSUER_CHAIN_CHECK.
    - Drop now-unused vp parameter from CheckOcspResponder() and the
      OcspRespCheck() helper; cascade through template and non-template
      paths.

  OCSP test blobs:

    - Re-sign resp_server1_cert with intermediate1-ca (CA-direct path).
    - Add resp_server1_cert_ancestor_responder for the negative test.
    - Embed server1_cert_pem[] in test_ocsp_test_blobs.h so the new test
      runs under NO_FILESYSTEM; matching entry added to
      create_ocsp_test_blobs.py.
    - Regenerate response[] in test_certman.c with intermediate1-ca as
      signer; recipe switched from Wireshark export to openssl -respout
      + xxd -i for reproducibility.
    - Fix self-XOR in test_wolfSSL_CertManagerCheckOCSPResponse so the
      serial byte actually flips (^= 0xFF).

  Live OCSP coverage:

    - Add ocsp-responder-int1 (delegated responder issued directly by
      intermediate1-ca, with id-kp-OCSPSigning EKU) for the
      responder->intermediate->root chain.
    - scripts/ocsp-stapling.test: intermediate1 responder switched to
      ocsp-responder-int1 (delegated path).
    - scripts/ocsp-stapling2.test, scripts/ocsp-stapling_tls13multi.test:
      intermediate2 and intermediate3 sign their OCSP responses with
      their own CA keys (CA-direct path); root block unchanged
      (ocsp-responder-cert is still RFC-compliant for root-issued certs).
    - .github/workflows/ocsp.yml: server1 OCSP responder switched to
      ocsp-responder-int1 to match the cert chain.
    - New test_ocsp_ancestor_responder_rejected confirms the
      ancestor-issued response is rejected with OCSP_LOOKUP_FAIL.
2026-06-02 16:20:37 -06:00
Juliusz Sosinowicz d2f45f614f Make test scripts work in sandboxed/restricted environments
multi-msg-record.py: auto-detect the CA cert format the wolfSSL client
build accepts (PEM or DER) from the default shown in client -? help.
OPENSSL_EXTRA-style builds need PEM; NO_CODING builds need DER.

ocsp-stapling.test: skip the external login.live.com connection unless
WOLFSSL_EXTERNAL_TEST is explicitly enabled (matches external.test /
google.test convention). Local OCSP tests still run.

ocsp-responder-openssl-interop.test: use ${TMPDIR:-/tmp} for mktemp
templates so the test works when /tmp is not writable.
2026-05-14 13:10:13 +02:00
Lealem Amedie 49003f8e54 Fix hang in OCSP test 2026-03-27 14:41:24 -06:00
kaleb-himes b807595932 Fix all shellcheck items 2026-03-04 15:06:55 -07:00
kaleb-himes 10874aec82 Nth attempt to resolve port collisions once-and-for-all 2026-03-02 14:05:42 -07:00
Juliusz Sosinowicz 5f755f6bd5 Fix compilation checks in test scripts
Correct the logic for checking if the client and server examples are compiled
in the test scripts. The previous logic was inverted, causing the tests to
always skip if the examples *were* compiled.
2026-02-10 13:14:55 +01:00
Sean Parkinson bc9e37118e Regression test fixes
Mostly combinations of NO_WOLFSSL_CLIENT, NO_WOLFSSL_SERVER and
WOLFSSL_NO_CLIENT_AUTH were failing.
Added configurations to CI loop.

wc_AesGcmDecryptFinal: use WC_AES_BLOCK_SIZE to satisfy compiler.
2026-01-28 07:37:29 +10:00
Paul Adelsbach 2325c68d4e Address connection issues in ocsp-stapling test 2026-01-20 09:46:35 -08:00
Daniel Pouzzner 9d722b3a6c purge baltimore-cybertrust-root.pem from certs/external/include.am and scripts/. 2025-05-13 20:52:08 -05:00
Ruby Martin 6fed2fe447 include cygwin and msys2 ostypes to oscp-stapling tests 2025-02-26 09:05:53 -07:00
Ruby Martin 57646a88ff check if clientfd != SOCKET_INVALID not 0, add check if USE_WINDOWS_API
not defined
2025-02-26 09:03:55 -07:00
Hideki Miyazaki 69e390f8b9 works OCSP Stapling with TLS1.3 like OCSPv2Multi 2024-10-05 15:25:03 +09:00
Colton Willey 9ad4e565fe Restore original comments 2024-09-05 15:10:50 -07:00
Colton Willey f749ca387d Rewrite to use test to make old mac sh versions happy 2024-09-04 16:34:09 -07:00
Colton Willey 8661cf6fee Update no network test option to overload meaning of existing WOLFSSL_EXTERNAL_TEST instead of using new flag 2024-09-04 16:09:16 -07:00
Colton Willey 8aa5f463b1 Add option to skip all tests requiring an internet connection. 2024-09-04 14:48:25 -07:00
Daniel Pouzzner 1c68da282c portability enhancement: use "#!/usr/bin/env <interpreter>" on all perl scripts and shell scripts that use bash extensions, and use "#!/bin/sh" on the rest. 2024-08-20 13:48:33 -05:00
Hideki Miyazaki ac5b81edd1 fix unit test 2024-06-21 13:22:00 +09:00
Hideki Miyazaki 30eb558d58 fix ocsp response when using DTLS 2024-06-21 09:57:59 +09:00
Juliusz Sosinowicz 51ba745214 ocsp: don't error out if we can't verify our certificate
We can omit either the CeritificateStatus message or the appropriate extension when we can not provide the OCSP staple that the peer is asking for. Let peer decide if it requires stapling and error out if we don't send it.
2023-12-12 14:49:52 +01:00
JacobBarthelmeh f1aa43dc48 Merge pull request #6230 from bandi13/zd15855
Fix for variable server startup time
2023-03-28 09:13:52 -06:00
Lealem Amedie 591089664d Fixes for sniffer with enable all 2023-03-27 16:37:14 -06:00
Andras Fekete d57d6d2b78 Fix for variable server startup time 2023-03-23 15:03:26 -04:00
Andras Fekete fdb0338473 Be more aggressive in killing processes 2023-02-16 09:55:52 -05:00
kaleb-himes 9a193a3e02 Address Issue pointed out in (now deleted) comment on an old merge 2022-09-18 08:45:18 -06:00
kaleb-himes 77dec16b3b Supplemental fix in addition to #5470 2022-08-22 08:00:40 -06:00
kaleb-himes 8efc8b0819 Fix up other test scripts using the same logic 2022-08-11 06:26:43 -06:00
Lealem Amedie 40d9473e6a Display SKIP instead of PASS when tests skipped for make check 2022-06-21 13:11:08 -07:00
kaleb-himes f5bbad185f Supplement to @julek-wolfssl's fantastic find, just allow for proper expansion 2022-05-27 13:52:26 -06:00
Juliusz Sosinowicz b664cea735 Typo in testing script 2022-05-25 12:10:27 +02:00
Daniel Pouzzner 6984cf83b2 scripts/ocsp-stapling.test: fix whitespace. 2022-05-19 16:45:50 -05:00
Daniel Pouzzner 368854b243 scripts/: refactor TLS version support tests to use -V, rather than -v (which makes frivolous connection attempts). 2022-05-19 11:18:34 -05:00
Daniel Pouzzner abfc788389 script cleanup: use #!/bin/bash on all scripts that use "echo -e" (/bin/sh is sometimes a non-Bourne/non-POSIX shell, e.g. dash/ash, with no support for "echo -e"); fix whitespace. 2022-03-09 12:28:22 -06:00
Elms 21db484f50 tests: fix test scripts for paths with spaces 2021-06-13 21:37:07 -07:00
Elms 12eddee104 scripts: fix tests for out of tree distcheck
Copying or using certs from directory relative to scripts source directory.
2021-02-08 10:43:31 -08:00
Sean Parkinson fa86c1aa91 Configuration: enable all, disable TLS 1.3 - turn off TLS 1.3 only options
configuration: --enable-all --disable-tls13
Post-handshake authentication and HRR cookie are enable with
'--enable-all' but disabling TLS 1.3 caused configure to fail.
Don't enable these TLS 1.3 only options when TLS 1.3 is disabled.

Also fix up tests that don't work without TLS 1.3 enabled.
2021-01-06 14:19:57 +10:00
John Safranek c482d16029 Merge pull request #3544 from haydenroche5/ocsp_stapling_bug
Fix bug where OCSP stapling wasn't happening even when requested by client
2020-12-29 14:23:10 -08:00
Daniel Pouzzner eeefe043ec scripts/: nix timeout wrappers in ocsp-stapling.test and ocsp-stapling2.test, for portability. 2020-12-16 17:31:53 -06:00
Hayden Roche 801aa18b9e Fix bug where OCSP stapling wasn't happening even when requested by client.
The OCSP request that we created didn't have a URL for the OCSP responder, so
the server couldn't reach out to the responder for its cert status.
2020-12-15 16:56:21 -06:00
Daniel Pouzzner 139b0431cb ocsp-stapling*.test: prefix waited servers with "timeout 60" to avoid deadlock failure modes; grep output from "openssl s_client" in "test interop fail case" for expected error message ("self signed certificate in certificate chain"). 2020-10-28 17:28:05 -05:00
Daniel Pouzzner 0568ec304f pass -4 flag to openssl and nc only when IPV6_SUPPORTED. 2020-10-28 17:28:05 -05:00
Daniel Pouzzner 94a3f86dcd scripts/ocsp-stapling*.test: check if IPv6 is supported by the installed openssl and nc executables, and if not, don't attempt to wrestle the version. with no IPv6 support, and an --enable-ipv6 wolfssl build, skip the test entirely. also, restore a couple -b (bind-all-interfaces) flags to examples/server/server recipes in case that's useful. 2020-10-28 17:28:05 -05:00
Daniel Pouzzner 7a5cbaa9bc fix scripts/ocsp-stapling*.test to accommodate IPv6 examples/ client/server build. 2020-10-28 17:28:05 -05:00
Sean Parkinson 60b0b0170b TLS OCSP Stapling: MUST staple option
Can enable OCSP Must Staple option to mean that if the client sends a
request for an OCSP Staple then it must receive a response.
2020-10-16 09:03:27 +10:00
Daniel Pouzzner 5ed2fe8092 scripts/: more race elimination/mitigation. 2020-09-17 12:03:44 -05:00
Daniel Pouzzner b669f8eeb9 scripts/: tweak scripts/include.am to run ocsp tests before rather than after testsuite and unit.test; revert POSIXish scripts/*.test to use /bin/sh. 2020-09-14 16:06:45 -05:00
Daniel Pouzzner 51046d45d3 add bwrapping on all other scripts/*.test except those that make Internet connections, and remove test for setuid bit, as some systems are configured to not require setuid/CAP_NET_ADMIN for CLONE_NEWNET. 2020-09-12 00:20:38 -05:00
Daniel Pouzzner 1e9971f64c scripts/ocsp-stapling*.test: add bwrap attempt at top, to isolate network namespace. 2020-09-11 18:20:27 -05:00
Daniel Pouzzner 8f25456f86 scripts/ocsp-stapling*.test, wolfssl/test.h: refactor scripts/ocsp-stapling*.test for orthogonality and robustness, with retries and early failure detection. also, reduce sleeps in ocsp-stapling-with-ca-as-responder.test to 0.1, matching sleeps in other 2 scripts. finally, in wolfssl/test.h, #ifdef SO_REUSEPORT do that when binding ports, and add optional rendering of errno strings for failed syscalls using err_sys_with_errno() when -DDEBUG_TEST_ERR_SYS_WITH_ERRNO. 2020-09-11 15:30:37 -05:00
David Garske 6a984da53f Fixes and Improvements to OCSP scripts. Fix for OCSP test with IPV6 enabled (use -b bind to any on server). Fix to use random port number for the oscp-stapling.test script. Reduce delay times in scripts. 2020-08-25 10:55:41 -07:00