WolfSSL
/
wolfssl
mirror of https://github.com/wolfSSL/wolfssl.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Get builds with WOLFSSL_NO_CLIENT_AUTH compiling and testing 

Fix build for no client or server and no client auth.
Fix tests to detect when no client auth compiled and test is trying to
do client auth.
pull/3267/head
Sean Parkinson 2020-09-01 15:27:46 +10:00
parent d2802f2d15
commit 89b9a77eca
7 changed files with 91 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
scripts/tls13.test
View File

@ -112,7 +112,10 @@ do_cleanup
echo ""
cat ./wolfssl/options.h | grep -- 'NO_CERTS'
if [ $? -ne 0 ]; then
NO_CERTS=$?
cat ./wolfssl/options.h | grep -- 'WOLFSSL_NO_CLIENT_AUTH'
NO_CLIENT_AUTH=$?
if [ $NO_CERTS -ne 0 -a $NO_CLIENT_AUTH -ne 0 ]; then
# TLS 1.3 mutual auth required but client doesn't send certificates.
echo -e "\n\nTLS v1.3 mutual auth fail"
port=0

3
src/internal.c
View File

@ -3556,8 +3556,7 @@ static word32 MacSize(WOLFSSL* ssl)
#ifndef NO_RSA
#ifndef WOLFSSL_NO_TLS12
#if !defined(NO_WOLFSSL_SERVER) || (!defined(NO_WOLFSSL_CLIENT) && \
!defined(WOLFSSL_NO_CLIENT_AUTH))
#if !defined(NO_WOLFSSL_SERVER) || !defined(NO_WOLFSSL_CLIENT)
static int TypeHash(int hashAlgo)
{
switch (hashAlgo) {

9
src/ssl.c
View File

@ -5777,7 +5777,8 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
}
if (done == 1) {
#ifndef NO_WOLFSSL_CM_VERIFY
#if !defined(NO_WOLFSSL_CM_VERIFY) && (!defined(NO_WOLFSSL_CLIENT) || \
!defined(WOLFSSL_NO_CLIENT_AUTH))
if ((type == CA_TYPE) || (type == CERT_TYPE)) {
/* Call to over-ride status */
if ((ctx != NULL) && (ctx->cm != NULL) &&
@ -6066,6 +6067,7 @@ void wolfSSL_CertManagerSetVerify(WOLFSSL_CERT_MANAGER* cm, VerifyCallback vc)
}
#endif /* NO_WOLFSSL_CM_VERIFY */
#if !defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)
/* Verify the certificate, WOLFSSL_SUCCESS for ok, < 0 for error */
int CM_VerifyBuffer_ex(WOLFSSL_CERT_MANAGER* cm, const byte* buff,
long sz, int format, int err_val)
@ -6172,6 +6174,8 @@ int wolfSSL_CertManagerVerifyBuffer(WOLFSSL_CERT_MANAGER* cm, const byte* buff,
{
return CM_VerifyBuffer_ex(cm, buff, sz, format, 0);
}
#endif /* !NO_WOLFSSL_CLIENT || !WOLFSSL_NO_CLIENT_AUTH */
/* turn on OCSP if off and compiled in, set options */
int wolfSSL_CertManagerEnableOCSP(WOLFSSL_CERT_MANAGER* cm, int options)
{
@ -6746,6 +6750,7 @@ int wolfSSL_CTX_trust_peer_cert(WOLFSSL_CTX* ctx, const char* file, int type)
#endif /* WOLFSSL_TRUST_PEER_CERT */
#if !defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)
/* Verify the certificate, WOLFSSL_SUCCESS for ok, < 0 for error */
int wolfSSL_CertManagerVerify(WOLFSSL_CERT_MANAGER* cm, const char* fname,
int format)
@ -6798,7 +6803,7 @@ int wolfSSL_CertManagerVerify(WOLFSSL_CERT_MANAGER* cm, const char* fname,
return ret;
}
#endif
/* like load verify locations, 1 for success, < 0 for error */
int wolfSSL_CertManagerLoadCA(WOLFSSL_CERT_MANAGER* cm, const char* file,

15
src/tls13.c
View File

@ -5047,8 +5047,9 @@ static int SendTls13Certificate(WOLFSSL* ssl)
return ret;
}
#if !defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \
defined(HAVE_ED448)
#if (!defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \
defined(HAVE_ED448)) && \
(!defined(NO_WOLFSSL_SERVER) || !defined(WOLFSSL_NO_CLIENT_AUTH))
typedef struct Scv13Args {
byte* output; /* not allocated */
byte* verify; /* not allocated */
@ -5435,6 +5436,7 @@ exit_scv:
}
#endif
#if !defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)
/* handle processing TLS v1.3 certificate (11) */
/* Parse and handle a TLS v1.3 Certificate message.
*
@ -5475,6 +5477,7 @@ static int DoTls13Certificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
return ret;
}
#endif
#if !defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \
defined(HAVE_ED448)
@ -7104,7 +7107,8 @@ int DoTls13HandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx,
#endif /* !NO_WOLFSSL_SERVER */
/* Messages received by both client and server. */
#ifndef NO_CERTS
#if !defined(NO_CERTS) && (!defined(NO_WOLFSSL_CLIENT) || \
!defined(WOLFSSL_NO_CLIENT_AUTH))
case certificate:
WOLFSSL_MSG("processing certificate");
ret = DoTls13Certificate(ssl, input, inOutIdx, size);
@ -7529,8 +7533,9 @@ int wolfSSL_connect_TLSv13(WOLFSSL* ssl)
FALL_THROUGH;
case FIRST_REPLY_THIRD:
#if !defined(NO_CERTS) && (!defined(NO_RSA) || defined(HAVE_ECC) || \
defined(HAVE_ED25519) || defined(HAVE_ED448))
#if (!defined(NO_CERTS) && (!defined(NO_RSA) || defined(HAVE_ECC) || \
defined(HAVE_ED25519) || defined(HAVE_ED448))) && \
(!defined(NO_WOLFSSL_SERVER) || !defined(WOLFSSL_NO_CLIENT_AUTH))
if (!ssl->options.resuming && ssl->options.sendVerify) {
ssl->error = SendTls13CertificateVerify(ssl);
if (ssl->error != 0) {

19
tests/api.c
View File

@ -1168,7 +1168,8 @@ static int test_wolfSSL_CertManagerSetVerify(void)
{
int ret = 0;
#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \
!defined(NO_WOLFSSL_CM_VERIFY) && !defined(NO_RSA)
!defined(NO_WOLFSSL_CM_VERIFY) && !defined(NO_RSA) && \
(!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH))
WOLFSSL_CERT_MANAGER* cm;
int tmp = myVerifyAction;
const char* ca_cert = "./certs/ca-cert.pem";
@ -25948,7 +25949,8 @@ static void test_wolfSSL_X509_STORE_set_flags(void)
static void test_wolfSSL_X509_LOOKUP_load_file(void)
{
#if defined(OPENSSL_EXTRA) && defined(HAVE_CRL) && \
!defined(NO_FILESYSTEM) && !defined(NO_RSA)
!defined(NO_FILESYSTEM) && !defined(NO_RSA) && \
(!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH))
WOLFSSL_X509_STORE* store;
WOLFSSL_X509_LOOKUP* lookup;
@ -33811,7 +33813,8 @@ static void test_wolfSSL_PEM_write_bio_PKCS7(void)
/*----------------------------------------------------------------------------*
| Certificate Failure Checks
*----------------------------------------------------------------------------*/
#ifndef NO_CERTS
#if !defined(NO_CERTS) && (!defined(NO_WOLFSSL_CLIENT) || \
!defined(WOLFSSL_NO_CLIENT_AUTH))
/* Use the Cert Manager(CM) API to generate the error ASN_SIG_CONFIRM_E */
static int verify_sig_cm(const char* ca, byte* cert_buf, size_t cert_sz,
int type)
@ -36051,7 +36054,8 @@ static void test_wolfSSL_dtls_set_mtu(void)
}
#if !defined(NO_RSA) && !defined(NO_SHA) && !defined(NO_FILESYSTEM) && \
!defined(NO_CERTS)
!defined(NO_CERTS) && (!defined(NO_WOLFSSL_CLIENT) || \
!defined(WOLFSSL_NO_CLIENT_AUTH))
static int load_ca_into_cm(WOLFSSL_CERT_MANAGER* cm, char* certA)
{
int ret;
@ -36629,7 +36633,9 @@ void ApiTest(void)
test_tls13_apis();
#endif
#ifndef NO_CERTS
#if !defined(NO_CERTS) && (!defined(NO_WOLFSSL_CLIENT) || \
!defined(WOLFSSL_NO_CLIENT_AUTH))
/* Use the Cert Manager(CM) API to generate the error ASN_SIG_CONFIRM_E */
/* Bad certificate signature tests */
AssertIntEQ(test_EccSigFailure_cm(), ASN_SIG_CONFIRM_E);
AssertIntEQ(test_RsaSigFailure_cm(), ASN_SIG_CONFIRM_E);
@ -36932,7 +36938,8 @@ void ApiTest(void)
AssertIntEQ(test_wolfSSL_Cleanup(), WOLFSSL_SUCCESS);
#if !defined(NO_RSA) && !defined(NO_SHA) && !defined(NO_FILESYSTEM) && \
!defined(NO_CERTS)
!defined(NO_CERTS) && (!defined(NO_WOLFSSL_CLIENT) || \
!defined(WOLFSSL_NO_CLIENT_AUTH))
AssertIntEQ(test_various_pathlen_chains(), WOLFSSL_SUCCESS);
#endif

55
tests/suites.c
View File

@ -249,6 +249,40 @@ static int IsValidCA(const char* line)
return ret;
}
#ifdef WOLFSSL_NO_CLIENT_AUTH
static int IsClientAuth(const char* line, int* reqClientCert)
{
const char* begin;
begin = XSTRSTR(line, "-H verifyFail");
if (begin != NULL) {
return 1;
}
begin = XSTRSTR(line, "-d");
if (begin != NULL) {
*reqClientCert = 0;
}
else {
*reqClientCert = 1;
}
return 0;
}
static int IsNoClientCert(const char* line)
{
const char* begin;
begin = XSTRSTR(line, "-x");
if (begin != NULL) {
return 1;
}
return 0;
}
#endif
static int execute_test_case(int svr_argc, char** svr_argv,
int cli_argc, char** cli_argv,
int addNoVerify, int addNonBlocking,
@ -278,6 +312,9 @@ static int execute_test_case(int svr_argc, char** svr_argv,
char portNumber[8];
#endif
int cliTestShouldFail = 0, svrTestShouldFail = 0;
#ifdef WOLFSSL_NO_CLIENT_AUTH
int reqClientCert;
#endif
/* Is Valid Cipher and Version Checks */
/* build command list for the Is checks below */
@ -329,6 +366,15 @@ static int execute_test_case(int svr_argc, char** svr_argv,
return VERSION_TOO_OLD;
}
#endif
#ifdef WOLFSSL_NO_CLIENT_AUTH
if (IsClientAuth(commandLine, &reqClientCert)) {
#ifdef DEBUG_SUITE_TESTS
printf("client auth on line %s not supported in build\n",
commandLine);
#endif
return NOT_BUILT_IN;
}
#endif
/* Build Server Command */
if (addNoVerify) {
@ -454,6 +500,15 @@ static int execute_test_case(int svr_argc, char** svr_argv,
#endif
return NOT_BUILT_IN;
}
#ifdef WOLFSSL_NO_CLIENT_AUTH
if (reqClientCert && IsNoClientCert(commandLine)) {
#ifdef DEBUG_SUITE_TESTS
printf("client auth on line %s not supported in build\n",
commandLine);
#endif
return NOT_BUILT_IN;
}
#endif
printf("trying client command line[%d]: %s\n", tests, commandLine);
tests++;

3
wolfssl/internal.h
View File

@ -2022,8 +2022,7 @@ WOLFSSL_LOCAL int CM_VerifyBuffer_ex(WOLFSSL_CERT_MANAGER* cm, const byte* buff,
#ifndef NO_CERTS
#if !defined NOCERTS &&\
(!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH))
#if !defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)
typedef struct ProcPeerCertArgs {
buffer* certs;
#ifdef WOLFSSL_TLS13