Merge pull request #3267 from SparkiDev/no_client_auth

Get builds with WOLFSSL_NO_CLIENT_AUTH compiling and testing
pull/3275/head
toddouska 2020-09-03 15:55:38 -07:00 committed by GitHub
commit 7fd51cf9d9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 91 additions and 18 deletions


@ -126,7 +126,10 @@ do_cleanup
echo "" echo ""
cat ./wolfssl/options.h | grep -- 'NO_CERTS' cat ./wolfssl/options.h | grep -- 'NO_CERTS'
if [ $? -ne 0 ]; then NO_CERTS=$?
cat ./wolfssl/options.h | grep -- 'WOLFSSL_NO_CLIENT_AUTH'
NO_CLIENT_AUTH=$?
if [ $NO_CERTS -ne 0 -a $NO_CLIENT_AUTH -ne 0 ]; then
# TLS 1.3 mutual auth required but client doesn't send certificates. # TLS 1.3 mutual auth required but client doesn't send certificates.
echo -e "\n\nTLS v1.3 mutual auth fail" echo -e "\n\nTLS v1.3 mutual auth fail"
port=0 port=0
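Review bot: The combined test `if [ $NO_CERTS -ne 0 -a $NO_CLIENT_AUTH -ne 0 ]; then` uses the obsolescent `-a` operator of `[`; `if [ "$NO_CERTS" -ne 0 ] && [ "$NO_CLIENT_AUTH" -ne 0 ]; then` is the portable form and also survives an empty variable. Both `NO_CERTS=$?` and `NO_CLIENT_AUTH=$?` treat any non-zero grep status as "macro not defined", so a missing or unreadable `./wolfssl/options.h` (grep exits 2) would run the mutual-auth case rather than fail loudly; since only the status is needed, `grep -q -- 'WOLFSSL_NO_CLIENT_AUTH' ./wolfssl/options.h` drops the `cat` pipe and the stray output as well. The `if` body this guards continues past the end of the hunk.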


@ -3556,8 +3556,7 @@ static word32 MacSize(WOLFSSL* ssl)
#ifndef NO_RSA #ifndef NO_RSA
#ifndef WOLFSSL_NO_TLS12 #ifndef WOLFSSL_NO_TLS12
#if !defined(NO_WOLFSSL_SERVER) || (!defined(NO_WOLFSSL_CLIENT) && \ #if !defined(NO_WOLFSSL_SERVER) || !defined(NO_WOLFSSL_CLIENT)
!defined(WOLFSSL_NO_CLIENT_AUTH))
static int TypeHash(int hashAlgo) static int TypeHash(int hashAlgo)
{ {
switch (hashAlgo) { switch (hashAlgo) {
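Review bot: The new guard `#if !defined(NO_WOLFSSL_SERVER) || !defined(NO_WOLFSSL_CLIENT)` on TypeHash only excludes a build with neither side compiled, which stands out next to the other guards in this PR that key on WOLFSSL_NO_CLIENT_AUTH; a one-line comment saying why TypeHash must stay available to a client built without client auth would stop a later reader from "tightening" it back, e.g. `/* Needed by the client to verify the server's signature, not only for client auth */` — that is my reading of the change, the hunk does not show the call sites. The `#endif` closing this `#if` is outside the hunk; if it carries a comment describing the old condition it needs the same update.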


@ -5777,7 +5777,8 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
} }
if (done == 1) { if (done == 1) {
#ifndef NO_WOLFSSL_CM_VERIFY #if !defined(NO_WOLFSSL_CM_VERIFY) && (!defined(NO_WOLFSSL_CLIENT) || \
!defined(WOLFSSL_NO_CLIENT_AUTH))
if ((type == CA_TYPE) || (type == CERT_TYPE)) { if ((type == CA_TYPE) || (type == CERT_TYPE)) {
/* Call to over-ride status */ /* Call to over-ride status */
if ((ctx != NULL) && (ctx->cm != NULL) && if ((ctx != NULL) && (ctx->cm != NULL) &&
@ -6066,6 +6067,7 @@ void wolfSSL_CertManagerSetVerify(WOLFSSL_CERT_MANAGER* cm, VerifyCallback vc)
} }
#endif /* NO_WOLFSSL_CM_VERIFY */ #endif /* NO_WOLFSSL_CM_VERIFY */
#if !defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)
/* Verify the certificate, WOLFSSL_SUCCESS for ok, < 0 for error */ /* Verify the certificate, WOLFSSL_SUCCESS for ok, < 0 for error */
int CM_VerifyBuffer_ex(WOLFSSL_CERT_MANAGER* cm, const byte* buff, int CM_VerifyBuffer_ex(WOLFSSL_CERT_MANAGER* cm, const byte* buff,
long sz, int format, int err_val) long sz, int format, int err_val)
@ -6172,6 +6174,8 @@ int wolfSSL_CertManagerVerifyBuffer(WOLFSSL_CERT_MANAGER* cm, const byte* buff,
{ {
return CM_VerifyBuffer_ex(cm, buff, sz, format, 0); return CM_VerifyBuffer_ex(cm, buff, sz, format, 0);
} }
#endif /* !NO_WOLFSSL_CLIENT || !WOLFSSL_NO_CLIENT_AUTH */
/* turn on OCSP if off and compiled in, set options */ /* turn on OCSP if off and compiled in, set options */
int wolfSSL_CertManagerEnableOCSP(WOLFSSL_CERT_MANAGER* cm, int options) int wolfSSL_CertManagerEnableOCSP(WOLFSSL_CERT_MANAGER* cm, int options)
{ {
@ -6746,6 +6750,7 @@ int wolfSSL_CTX_trust_peer_cert(WOLFSSL_CTX* ctx, const char* file, int type)
#endif /* WOLFSSL_TRUST_PEER_CERT */ #endif /* WOLFSSL_TRUST_PEER_CERT */
#if !defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)
/* Verify the certificate, WOLFSSL_SUCCESS for ok, < 0 for error */ /* Verify the certificate, WOLFSSL_SUCCESS for ok, < 0 for error */
int wolfSSL_CertManagerVerify(WOLFSSL_CERT_MANAGER* cm, const char* fname, int wolfSSL_CertManagerVerify(WOLFSSL_CERT_MANAGER* cm, const char* fname,
int format) int format)
@ -6798,7 +6803,7 @@ int wolfSSL_CertManagerVerify(WOLFSSL_CERT_MANAGER* cm, const char* fname,
return ret; return ret;
} }
#endif
/* like load verify locations, 1 for success, < 0 for error */ /* like load verify locations, 1 for success, < 0 for error */
int wolfSSL_CertManagerLoadCA(WOLFSSL_CERT_MANAGER* cm, const char* file, int wolfSSL_CertManagerLoadCA(WOLFSSL_CERT_MANAGER* cm, const char* file,
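Review bot: The `#endif` added after wolfSSL_CertManagerVerify (the `@ -6798` hunk) is bare, while the one closing CM_VerifyBuffer_ex/wolfSSL_CertManagerVerifyBuffer carries `/* !NO_WOLFSSL_CLIENT || !WOLFSSL_NO_CLIENT_AUTH */`; with conditionally compiled public API spanning dozens of lines the trailing comment is what keeps the guards auditable, so use `#endif /* !NO_WOLFSSL_CLIENT || !WOLFSSL_NO_CLIENT_AUTH */` here too (the bare `#endif` after DoTls13Certificate in tls13.c has the same gap). wolfSSL_CertManagerVerify and wolfSSL_CertManagerVerifyBuffer are public entry points that now vanish in a NO_WOLFSSL_CLIENT plus WOLFSSL_NO_CLIENT_AUTH build; their declarations in the public header are not in this diff, so if they are not gated the same way a caller only finds out at link time. The `#if` in the `@ -5777` hunk inside ProcessBuffer also changed its condition and its closing `#endif` is not visible here; if it still reads `/* NO_WOLFSSL_CM_VERIFY */` it should name the new condition as well.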


@ -5047,8 +5047,9 @@ static int SendTls13Certificate(WOLFSSL* ssl)
return ret; return ret;
} }
#if !defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \ #if (!defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \
defined(HAVE_ED448) defined(HAVE_ED448)) && \
(!defined(NO_WOLFSSL_SERVER) || !defined(WOLFSSL_NO_CLIENT_AUTH))
typedef struct Scv13Args { typedef struct Scv13Args {
byte* output; /* not allocated */ byte* output; /* not allocated */
byte* verify; /* not allocated */ byte* verify; /* not allocated */
@ -5435,6 +5436,7 @@ exit_scv:
} }
#endif #endif
#if !defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)
/* handle processing TLS v1.3 certificate (11) */ /* handle processing TLS v1.3 certificate (11) */
/* Parse and handle a TLS v1.3 Certificate message. /* Parse and handle a TLS v1.3 Certificate message.
* *
@ -5475,6 +5477,7 @@ static int DoTls13Certificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
return ret; return ret;
} }
#endif
#if !defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \ #if !defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \
defined(HAVE_ED448) defined(HAVE_ED448)
@ -7104,7 +7107,8 @@ int DoTls13HandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx,
#endif /* !NO_WOLFSSL_SERVER */ #endif /* !NO_WOLFSSL_SERVER */
/* Messages received by both client and server. */ /* Messages received by both client and server. */
#ifndef NO_CERTS #if !defined(NO_CERTS) && (!defined(NO_WOLFSSL_CLIENT) || \
!defined(WOLFSSL_NO_CLIENT_AUTH))
case certificate: case certificate:
WOLFSSL_MSG("processing certificate"); WOLFSSL_MSG("processing certificate");
ret = DoTls13Certificate(ssl, input, inOutIdx, size); ret = DoTls13Certificate(ssl, input, inOutIdx, size);
@ -7529,8 +7533,9 @@ int wolfSSL_connect_TLSv13(WOLFSSL* ssl)
FALL_THROUGH; FALL_THROUGH;
case FIRST_REPLY_THIRD: case FIRST_REPLY_THIRD:
#if !defined(NO_CERTS) && (!defined(NO_RSA) || defined(HAVE_ECC) || \ #if (!defined(NO_CERTS) && (!defined(NO_RSA) || defined(HAVE_ECC) || \
defined(HAVE_ED25519) || defined(HAVE_ED448)) defined(HAVE_ED25519) || defined(HAVE_ED448))) && \
(!defined(NO_WOLFSSL_SERVER) || !defined(WOLFSSL_NO_CLIENT_AUTH))
if (!ssl->options.resuming && ssl->options.sendVerify) { if (!ssl->options.resuming && ssl->options.sendVerify) {
ssl->error = SendTls13CertificateVerify(ssl); ssl->error = SendTls13CertificateVerify(ssl);
if (ssl->error != 0) { if (ssl->error != 0) {
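Review bot: In DoTls13HandShakeMsgType the `case certificate:` arm is now compiled out for a server-only build with WOLFSSL_NO_CLIENT_AUTH, so an incoming Certificate message is left to whatever the switch's default arm does, which is not in the hunk; a comment on the guard such as `/* Certificate is only received by a client, or by a server that authenticates clients */` would make the intent of the gating explicit to the next reader. The `@ -7529` hunk in wolfSSL_connect_TLSv13 keeps the client's SendTls13CertificateVerify path compiled whenever a server is also built, so in such a build WOLFSSL_NO_CLIENT_AUTH depends on `ssl->options.sendVerify` staying clear at runtime rather than on the preprocessor — presumably intended so the guard matches the one on Scv13Args, and worth one line saying so. The switch and the enclosing functions all start and end outside the hunks.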


@ -1168,7 +1168,8 @@ static int test_wolfSSL_CertManagerSetVerify(void)
{ {
int ret = 0; int ret = 0;
#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \ #if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \
!defined(NO_WOLFSSL_CM_VERIFY) && !defined(NO_RSA) !defined(NO_WOLFSSL_CM_VERIFY) && !defined(NO_RSA) && \
(!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH))
WOLFSSL_CERT_MANAGER* cm; WOLFSSL_CERT_MANAGER* cm;
int tmp = myVerifyAction; int tmp = myVerifyAction;
const char* ca_cert = "./certs/ca-cert.pem"; const char* ca_cert = "./certs/ca-cert.pem";
@ -26067,7 +26068,8 @@ static void test_wolfSSL_X509_STORE_set_flags(void)
static void test_wolfSSL_X509_LOOKUP_load_file(void) static void test_wolfSSL_X509_LOOKUP_load_file(void)
{ {
#if defined(OPENSSL_EXTRA) && defined(HAVE_CRL) && \ #if defined(OPENSSL_EXTRA) && defined(HAVE_CRL) && \
!defined(NO_FILESYSTEM) && !defined(NO_RSA) !defined(NO_FILESYSTEM) && !defined(NO_RSA) && \
(!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH))
WOLFSSL_X509_STORE* store; WOLFSSL_X509_STORE* store;
WOLFSSL_X509_LOOKUP* lookup; WOLFSSL_X509_LOOKUP* lookup;
@ -33934,7 +33936,8 @@ static void test_wolfSSL_PEM_write_bio_PKCS7(void)
/*----------------------------------------------------------------------------* /*----------------------------------------------------------------------------*
| Certificate Failure Checks | Certificate Failure Checks
*----------------------------------------------------------------------------*/ *----------------------------------------------------------------------------*/
#ifndef NO_CERTS #if !defined(NO_CERTS) && (!defined(NO_WOLFSSL_CLIENT) || \
!defined(WOLFSSL_NO_CLIENT_AUTH))
/* Use the Cert Manager(CM) API to generate the error ASN_SIG_CONFIRM_E */ /* Use the Cert Manager(CM) API to generate the error ASN_SIG_CONFIRM_E */
static int verify_sig_cm(const char* ca, byte* cert_buf, size_t cert_sz, static int verify_sig_cm(const char* ca, byte* cert_buf, size_t cert_sz,
int type) int type)
@ -36178,7 +36181,8 @@ static void test_wolfSSL_dtls_set_mtu(void)
} }
#if !defined(NO_RSA) && !defined(NO_SHA) && !defined(NO_FILESYSTEM) && \ #if !defined(NO_RSA) && !defined(NO_SHA) && !defined(NO_FILESYSTEM) && \
!defined(NO_CERTS) !defined(NO_CERTS) && (!defined(NO_WOLFSSL_CLIENT) || \
!defined(WOLFSSL_NO_CLIENT_AUTH))
static int load_ca_into_cm(WOLFSSL_CERT_MANAGER* cm, char* certA) static int load_ca_into_cm(WOLFSSL_CERT_MANAGER* cm, char* certA)
{ {
int ret; int ret;
@ -36757,7 +36761,9 @@ void ApiTest(void)
test_tls13_apis(); test_tls13_apis();
#endif #endif
#ifndef NO_CERTS #if !defined(NO_CERTS) && (!defined(NO_WOLFSSL_CLIENT) || \
!defined(WOLFSSL_NO_CLIENT_AUTH))
/* Use the Cert Manager(CM) API to generate the error ASN_SIG_CONFIRM_E */
/* Bad certificate signature tests */ /* Bad certificate signature tests */
AssertIntEQ(test_EccSigFailure_cm(), ASN_SIG_CONFIRM_E); AssertIntEQ(test_EccSigFailure_cm(), ASN_SIG_CONFIRM_E);
AssertIntEQ(test_RsaSigFailure_cm(), ASN_SIG_CONFIRM_E); AssertIntEQ(test_RsaSigFailure_cm(), ASN_SIG_CONFIRM_E);
@ -37062,7 +37068,8 @@ void ApiTest(void)
AssertIntEQ(test_wolfSSL_Cleanup(), WOLFSSL_SUCCESS); AssertIntEQ(test_wolfSSL_Cleanup(), WOLFSSL_SUCCESS);
#if !defined(NO_RSA) && !defined(NO_SHA) && !defined(NO_FILESYSTEM) && \ #if !defined(NO_RSA) && !defined(NO_SHA) && !defined(NO_FILESYSTEM) && \
!defined(NO_CERTS) !defined(NO_CERTS) && (!defined(NO_WOLFSSL_CLIENT) || \
!defined(WOLFSSL_NO_CLIENT_AUTH))
AssertIntEQ(test_various_pathlen_chains(), WOLFSSL_SUCCESS); AssertIntEQ(test_various_pathlen_chains(), WOLFSSL_SUCCESS);
#endif #endif
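Review bot: The comment `/* Use the Cert Manager(CM) API to generate the error ASN_SIG_CONFIRM_E */` added in ApiTest (the `@ -36757` hunk) duplicates the one on verify_sig_cm's definition and describes the helper rather than the call site, where `/* Bad certificate signature tests */` already says what follows; drop the added line. The same multi-term guard (`!defined(NO_CERTS)` with `!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)`, plus the NO_RSA/NO_SHA/NO_FILESYSTEM terms) is now spelled out in six places in this file, and each helper's guard must stay in lockstep with the guard on its call in ApiTest or the build breaks; a single feature macro evaluated once in the build configuration (name per the project's convention) would remove the chance of them drifting apart.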


@ -249,6 +249,40 @@ static int IsValidCA(const char* line)
return ret; return ret;
} }
#ifdef WOLFSSL_NO_CLIENT_AUTH
static int IsClientAuth(const char* line, int* reqClientCert)
{
const char* begin;
begin = XSTRSTR(line, "-H verifyFail");
if (begin != NULL) {
return 1;
}
begin = XSTRSTR(line, "-d");
if (begin != NULL) {
*reqClientCert = 0;
}
else {
*reqClientCert = 1;
}
return 0;
}
static int IsNoClientCert(const char* line)
{
const char* begin;
begin = XSTRSTR(line, "-x");
if (begin != NULL) {
return 1;
}
return 0;
}
#endif
static int execute_test_case(int svr_argc, char** svr_argv, static int execute_test_case(int svr_argc, char** svr_argv,
int cli_argc, char** cli_argv, int cli_argc, char** cli_argv,
int addNoVerify, int addNonBlocking, int addNoVerify, int addNonBlocking,
@ -278,6 +312,9 @@ static int execute_test_case(int svr_argc, char** svr_argv,
char portNumber[8]; char portNumber[8];
#endif #endif
int cliTestShouldFail = 0, svrTestShouldFail = 0; int cliTestShouldFail = 0, svrTestShouldFail = 0;
#ifdef WOLFSSL_NO_CLIENT_AUTH
int reqClientCert;
#endif
/* Is Valid Cipher and Version Checks */ /* Is Valid Cipher and Version Checks */
/* build command list for the Is checks below */ /* build command list for the Is checks below */
@ -329,6 +366,15 @@ static int execute_test_case(int svr_argc, char** svr_argv,
return VERSION_TOO_OLD; return VERSION_TOO_OLD;
} }
#endif #endif
#ifdef WOLFSSL_NO_CLIENT_AUTH
if (IsClientAuth(commandLine, &reqClientCert)) {
#ifdef DEBUG_SUITE_TESTS
printf("client auth on line %s not supported in build\n",
commandLine);
#endif
return NOT_BUILT_IN;
}
#endif
/* Build Server Command */ /* Build Server Command */
if (addNoVerify) { if (addNoVerify) {
@ -454,6 +500,15 @@ static int execute_test_case(int svr_argc, char** svr_argv,
#endif #endif
return NOT_BUILT_IN; return NOT_BUILT_IN;
} }
#ifdef WOLFSSL_NO_CLIENT_AUTH
if (reqClientCert && IsNoClientCert(commandLine)) {
#ifdef DEBUG_SUITE_TESTS
printf("client auth on line %s not supported in build\n",
commandLine);
#endif
return NOT_BUILT_IN;
}
#endif
printf("trying client command line[%d]: %s\n", tests, commandLine); printf("trying client command line[%d]: %s\n", tests, commandLine);
tests++; tests++;
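Review bot: `int reqClientCert;` in execute_test_case is declared without an initializer and later read at `if (reqClientCert && IsNoClientCert(commandLine))`; it is set on every path because IsClientAuth writes it in both branches and the function returns early otherwise, but that holds only as long as the call precedes the read, which a compiler's maybe-uninitialized analysis and the next person who reorders the checks will not see — `int reqClientCert = 0;` makes it safe by construction. IsClientAuth and IsNoClientCert match `-d` and `-x` with XSTRSTR, so any longer token containing those two characters (a path in an argument, for instance) also matches; that appears to be the same approach the surrounding Is* helpers use, but a short comment on each helper stating which example-client/server option it looks for (presumably `-d` for the server not verifying the peer and `-x` for the client sending no certificate, judging from the variable names) would help, since the hunk does not show that. IsClientAuth leaves `*reqClientCert` untouched on the `-H verifyFail` path where it returns 1, and its header comment should say so.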


@ -2024,8 +2024,7 @@ WOLFSSL_LOCAL int CM_VerifyBuffer_ex(WOLFSSL_CERT_MANAGER* cm, const byte* buff,
#ifndef NO_CERTS #ifndef NO_CERTS
#if !defined NOCERTS &&\ #if !defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)
(!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH))
typedef struct ProcPeerCertArgs { typedef struct ProcPeerCertArgs {
buffer* certs; buffer* certs;
#ifdef WOLFSSL_TLS13 #ifdef WOLFSSL_TLS13