Get builds with WOLFSSL_NO_CLIENT_AUTH compiling and testing

Fix build for no client or server and no client auth.
Fix tests to detect when client auth is not compiled in and the test is trying to
do client auth.
pull/3267/head
Sean Parkinson 2020-09-01 15:27:46 +10:00
parent d2802f2d15
commit 89b9a77eca
7 changed files with 91 additions and 18 deletions


@ -112,7 +112,10 @@ do_cleanup
echo "" echo ""
cat ./wolfssl/options.h | grep -- 'NO_CERTS' cat ./wolfssl/options.h | grep -- 'NO_CERTS'
if [ $? -ne 0 ]; then NO_CERTS=$?
cat ./wolfssl/options.h | grep -- 'WOLFSSL_NO_CLIENT_AUTH'
NO_CLIENT_AUTH=$?
if [ $NO_CERTS -ne 0 -a $NO_CLIENT_AUTH -ne 0 ]; then
# TLS 1.3 mutual auth required but client doesn't send certificates. # TLS 1.3 mutual auth required but client doesn't send certificates.
echo -e "\n\nTLS v1.3 mutual auth fail" echo -e "\n\nTLS v1.3 mutual auth fail"
port=0 port=0
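Review bot: The new `if` line combines its two tests with the `-a` operator inside `[`, which POSIX marks obsolescent and which parses ambiguously when an operand looks like an option; two separate tests are unambiguous, `if [ "$NO_CERTS" -ne 0 ] && [ "$NO_CLIENT_AUTH" -ne 0 ]; then`. The `cat ./wolfssl/options.h | grep -- 'WOLFSSL_NO_CLIENT_AUTH'` line added just above also prints the matched option into the test log, where `grep -q -- 'WOLFSSL_NO_CLIENT_AUTH' ./wolfssl/options.h` yields the same exit status without the noise (the existing `NO_CERTS` line has the same shape, so change both or neither). The `if` block opened here closes outside the hunk.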


@ -3556,8 +3556,7 @@ static word32 MacSize(WOLFSSL* ssl)
#ifndef NO_RSA #ifndef NO_RSA
#ifndef WOLFSSL_NO_TLS12 #ifndef WOLFSSL_NO_TLS12
#if !defined(NO_WOLFSSL_SERVER) || (!defined(NO_WOLFSSL_CLIENT) && \ #if !defined(NO_WOLFSSL_SERVER) || !defined(NO_WOLFSSL_CLIENT)
!defined(WOLFSSL_NO_CLIENT_AUTH))
static int TypeHash(int hashAlgo) static int TypeHash(int hashAlgo)
{ {
switch (hashAlgo) { switch (hashAlgo) {
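Review bot: The widened guard around TypeHash now also covers client builds with WOLFSSL_NO_CLIENT_AUTH, and nothing near the `#if` says why a client that never authenticates itself still needs the function; presumably it serves the client's checks of server-signed messages, but that is inferred rather than visible here. A one-line comment above the `#if`, `/* used by both client and server in TLS 1.2, so not gated on client auth */`, would save the next reader re-deriving it, and the matching `#endif` (outside the hunk) should repeat the condition as a comment. TypeHash's body continues past the hunk.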


@ -5777,7 +5777,8 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
} }
if (done == 1) { if (done == 1) {
#ifndef NO_WOLFSSL_CM_VERIFY #if !defined(NO_WOLFSSL_CM_VERIFY) && (!defined(NO_WOLFSSL_CLIENT) || \
!defined(WOLFSSL_NO_CLIENT_AUTH))
if ((type == CA_TYPE) || (type == CERT_TYPE)) { if ((type == CA_TYPE) || (type == CERT_TYPE)) {
/* Call to over-ride status */ /* Call to over-ride status */
if ((ctx != NULL) && (ctx->cm != NULL) && if ((ctx != NULL) && (ctx->cm != NULL) &&
@ -6066,6 +6067,7 @@ void wolfSSL_CertManagerSetVerify(WOLFSSL_CERT_MANAGER* cm, VerifyCallback vc)
} }
#endif /* NO_WOLFSSL_CM_VERIFY */ #endif /* NO_WOLFSSL_CM_VERIFY */
#if !defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)
/* Verify the certificate, WOLFSSL_SUCCESS for ok, < 0 for error */ /* Verify the certificate, WOLFSSL_SUCCESS for ok, < 0 for error */
int CM_VerifyBuffer_ex(WOLFSSL_CERT_MANAGER* cm, const byte* buff, int CM_VerifyBuffer_ex(WOLFSSL_CERT_MANAGER* cm, const byte* buff,
long sz, int format, int err_val) long sz, int format, int err_val)
@ -6172,6 +6174,8 @@ int wolfSSL_CertManagerVerifyBuffer(WOLFSSL_CERT_MANAGER* cm, const byte* buff,
{ {
return CM_VerifyBuffer_ex(cm, buff, sz, format, 0); return CM_VerifyBuffer_ex(cm, buff, sz, format, 0);
} }
#endif /* !NO_WOLFSSL_CLIENT || !WOLFSSL_NO_CLIENT_AUTH */
/* turn on OCSP if off and compiled in, set options */ /* turn on OCSP if off and compiled in, set options */
int wolfSSL_CertManagerEnableOCSP(WOLFSSL_CERT_MANAGER* cm, int options) int wolfSSL_CertManagerEnableOCSP(WOLFSSL_CERT_MANAGER* cm, int options)
{ {
@ -6746,6 +6750,7 @@ int wolfSSL_CTX_trust_peer_cert(WOLFSSL_CTX* ctx, const char* file, int type)
#endif /* WOLFSSL_TRUST_PEER_CERT */ #endif /* WOLFSSL_TRUST_PEER_CERT */
#if !defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)
/* Verify the certificate, WOLFSSL_SUCCESS for ok, < 0 for error */ /* Verify the certificate, WOLFSSL_SUCCESS for ok, < 0 for error */
int wolfSSL_CertManagerVerify(WOLFSSL_CERT_MANAGER* cm, const char* fname, int wolfSSL_CertManagerVerify(WOLFSSL_CERT_MANAGER* cm, const char* fname,
int format) int format)
@ -6798,7 +6803,7 @@ int wolfSSL_CertManagerVerify(WOLFSSL_CERT_MANAGER* cm, const char* fname,
return ret; return ret;
} }
#endif
/* like load verify locations, 1 for success, < 0 for error */ /* like load verify locations, 1 for success, < 0 for error */
int wolfSSL_CertManagerLoadCA(WOLFSSL_CERT_MANAGER* cm, const char* file, int wolfSSL_CertManagerLoadCA(WOLFSSL_CERT_MANAGER* cm, const char* file,
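Review bot: The bare `#endif` that closes the new guard around wolfSSL_CertManagerVerify is inconsistent with the `#endif /* !NO_WOLFSSL_CLIENT || !WOLFSSL_NO_CLIENT_AUTH */` the same commit writes after wolfSSL_CertManagerVerifyBuffer a few lines earlier; `#endif /* !NO_WOLFSSL_CLIENT || !WOLFSSL_NO_CLIENT_AUTH */` here keeps the two readable. The same compound condition is now spelled out three times in this file and again in tls13.c, api.c and internal.h, so one feature macro defined once in internal.h (name to be chosen by the maintainers) would stop the guards drifting apart when another build option joins the expression. These guards also drop public CertManager entry points from a server-only, no-client-auth build; the declarations in the public header presumably need the same condition or callers will fail at link time, which cannot be checked from this hunk. The affected functions start and end outside the hunks.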


@ -5047,8 +5047,9 @@ static int SendTls13Certificate(WOLFSSL* ssl)
return ret; return ret;
} }
#if !defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \ #if (!defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \
defined(HAVE_ED448) defined(HAVE_ED448)) && \
(!defined(NO_WOLFSSL_SERVER) || !defined(WOLFSSL_NO_CLIENT_AUTH))
typedef struct Scv13Args { typedef struct Scv13Args {
byte* output; /* not allocated */ byte* output; /* not allocated */
byte* verify; /* not allocated */ byte* verify; /* not allocated */
@ -5435,6 +5436,7 @@ exit_scv:
} }
#endif #endif
#if !defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)
/* handle processing TLS v1.3 certificate (11) */ /* handle processing TLS v1.3 certificate (11) */
/* Parse and handle a TLS v1.3 Certificate message. /* Parse and handle a TLS v1.3 Certificate message.
* *
@ -5475,6 +5477,7 @@ static int DoTls13Certificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
return ret; return ret;
} }
#endif
#if !defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \ #if !defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \
defined(HAVE_ED448) defined(HAVE_ED448)
@ -7104,7 +7107,8 @@ int DoTls13HandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx,
#endif /* !NO_WOLFSSL_SERVER */ #endif /* !NO_WOLFSSL_SERVER */
/* Messages received by both client and server. */ /* Messages received by both client and server. */
#ifndef NO_CERTS #if !defined(NO_CERTS) && (!defined(NO_WOLFSSL_CLIENT) || \
!defined(WOLFSSL_NO_CLIENT_AUTH))
case certificate: case certificate:
WOLFSSL_MSG("processing certificate"); WOLFSSL_MSG("processing certificate");
ret = DoTls13Certificate(ssl, input, inOutIdx, size); ret = DoTls13Certificate(ssl, input, inOutIdx, size);
@ -7529,8 +7533,9 @@ int wolfSSL_connect_TLSv13(WOLFSSL* ssl)
FALL_THROUGH; FALL_THROUGH;
case FIRST_REPLY_THIRD: case FIRST_REPLY_THIRD:
#if !defined(NO_CERTS) && (!defined(NO_RSA) || defined(HAVE_ECC) || \ #if (!defined(NO_CERTS) && (!defined(NO_RSA) || defined(HAVE_ECC) || \
defined(HAVE_ED25519) || defined(HAVE_ED448)) defined(HAVE_ED25519) || defined(HAVE_ED448))) && \
(!defined(NO_WOLFSSL_SERVER) || !defined(WOLFSSL_NO_CLIENT_AUTH))
if (!ssl->options.resuming && ssl->options.sendVerify) { if (!ssl->options.resuming && ssl->options.sendVerify) {
ssl->error = SendTls13CertificateVerify(ssl); ssl->error = SendTls13CertificateVerify(ssl);
if (ssl->error != 0) { if (ssl->error != 0) {
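Review bot: Compiling out `case certificate:` in DoTls13HandShakeMsgType for a server-only, no-client-auth build means a peer that still sends a Certificate message now takes whatever path the switch's `default:` provides, which lies outside the hunk; it is worth confirming that path fails the handshake with an error rather than skipping the message, since a server in that build presumably never asked for one. Separately, the new `#endif` after DoTls13Certificate is bare while the neighbouring `#endif /* !NO_WOLFSSL_SERVER */` names its condition; `#endif /* !NO_WOLFSSL_CLIENT || !WOLFSSL_NO_CLIENT_AUTH */` would match the file's style. All of the enclosing functions start and end outside these hunks.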


@ -1168,7 +1168,8 @@ static int test_wolfSSL_CertManagerSetVerify(void)
{ {
int ret = 0; int ret = 0;
#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \ #if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \
!defined(NO_WOLFSSL_CM_VERIFY) && !defined(NO_RSA) !defined(NO_WOLFSSL_CM_VERIFY) && !defined(NO_RSA) && \
(!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH))
WOLFSSL_CERT_MANAGER* cm; WOLFSSL_CERT_MANAGER* cm;
int tmp = myVerifyAction; int tmp = myVerifyAction;
const char* ca_cert = "./certs/ca-cert.pem"; const char* ca_cert = "./certs/ca-cert.pem";
@ -25948,7 +25949,8 @@ static void test_wolfSSL_X509_STORE_set_flags(void)
static void test_wolfSSL_X509_LOOKUP_load_file(void) static void test_wolfSSL_X509_LOOKUP_load_file(void)
{ {
#if defined(OPENSSL_EXTRA) && defined(HAVE_CRL) && \ #if defined(OPENSSL_EXTRA) && defined(HAVE_CRL) && \
!defined(NO_FILESYSTEM) && !defined(NO_RSA) !defined(NO_FILESYSTEM) && !defined(NO_RSA) && \
(!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH))
WOLFSSL_X509_STORE* store; WOLFSSL_X509_STORE* store;
WOLFSSL_X509_LOOKUP* lookup; WOLFSSL_X509_LOOKUP* lookup;
@ -33811,7 +33813,8 @@ static void test_wolfSSL_PEM_write_bio_PKCS7(void)
/*----------------------------------------------------------------------------* /*----------------------------------------------------------------------------*
| Certificate Failure Checks | Certificate Failure Checks
*----------------------------------------------------------------------------*/ *----------------------------------------------------------------------------*/
#ifndef NO_CERTS #if !defined(NO_CERTS) && (!defined(NO_WOLFSSL_CLIENT) || \
!defined(WOLFSSL_NO_CLIENT_AUTH))
/* Use the Cert Manager(CM) API to generate the error ASN_SIG_CONFIRM_E */ /* Use the Cert Manager(CM) API to generate the error ASN_SIG_CONFIRM_E */
static int verify_sig_cm(const char* ca, byte* cert_buf, size_t cert_sz, static int verify_sig_cm(const char* ca, byte* cert_buf, size_t cert_sz,
int type) int type)
@ -36051,7 +36054,8 @@ static void test_wolfSSL_dtls_set_mtu(void)
} }
#if !defined(NO_RSA) && !defined(NO_SHA) && !defined(NO_FILESYSTEM) && \ #if !defined(NO_RSA) && !defined(NO_SHA) && !defined(NO_FILESYSTEM) && \
!defined(NO_CERTS) !defined(NO_CERTS) && (!defined(NO_WOLFSSL_CLIENT) || \
!defined(WOLFSSL_NO_CLIENT_AUTH))
static int load_ca_into_cm(WOLFSSL_CERT_MANAGER* cm, char* certA) static int load_ca_into_cm(WOLFSSL_CERT_MANAGER* cm, char* certA)
{ {
int ret; int ret;
@ -36629,7 +36633,9 @@ void ApiTest(void)
test_tls13_apis(); test_tls13_apis();
#endif #endif
#ifndef NO_CERTS #if !defined(NO_CERTS) && (!defined(NO_WOLFSSL_CLIENT) || \
!defined(WOLFSSL_NO_CLIENT_AUTH))
/* Use the Cert Manager(CM) API to generate the error ASN_SIG_CONFIRM_E */
/* Bad certificate signature tests */ /* Bad certificate signature tests */
AssertIntEQ(test_EccSigFailure_cm(), ASN_SIG_CONFIRM_E); AssertIntEQ(test_EccSigFailure_cm(), ASN_SIG_CONFIRM_E);
AssertIntEQ(test_RsaSigFailure_cm(), ASN_SIG_CONFIRM_E); AssertIntEQ(test_RsaSigFailure_cm(), ASN_SIG_CONFIRM_E);
@ -36932,7 +36938,8 @@ void ApiTest(void)
AssertIntEQ(test_wolfSSL_Cleanup(), WOLFSSL_SUCCESS); AssertIntEQ(test_wolfSSL_Cleanup(), WOLFSSL_SUCCESS);
#if !defined(NO_RSA) && !defined(NO_SHA) && !defined(NO_FILESYSTEM) && \ #if !defined(NO_RSA) && !defined(NO_SHA) && !defined(NO_FILESYSTEM) && \
!defined(NO_CERTS) !defined(NO_CERTS) && (!defined(NO_WOLFSSL_CLIENT) || \
!defined(WOLFSSL_NO_CLIENT_AUTH))
AssertIntEQ(test_various_pathlen_chains(), WOLFSSL_SUCCESS); AssertIntEQ(test_various_pathlen_chains(), WOLFSSL_SUCCESS);
#endif #endif
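Review bot: The comment `/* Use the Cert Manager(CM) API to generate the error ASN_SIG_CONFIRM_E */` added inside ApiTest duplicates the one that already heads verify_sig_cm and sits directly above the existing `/* Bad certificate signature tests */`; in a driver that only calls the helpers it reads as misplaced, so drop it here and leave it on verify_sig_cm. The guard extension itself matches the other api.c hunks. ApiTest starts and ends outside the hunk.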


@ -249,6 +249,40 @@ static int IsValidCA(const char* line)
return ret; return ret;
} }
#ifdef WOLFSSL_NO_CLIENT_AUTH
static int IsClientAuth(const char* line, int* reqClientCert)
{
const char* begin;
begin = XSTRSTR(line, "-H verifyFail");
if (begin != NULL) {
return 1;
}
begin = XSTRSTR(line, "-d");
if (begin != NULL) {
*reqClientCert = 0;
}
else {
*reqClientCert = 1;
}
return 0;
}
static int IsNoClientCert(const char* line)
{
const char* begin;
begin = XSTRSTR(line, "-x");
if (begin != NULL) {
return 1;
}
return 0;
}
#endif
static int execute_test_case(int svr_argc, char** svr_argv, static int execute_test_case(int svr_argc, char** svr_argv,
int cli_argc, char** cli_argv, int cli_argc, char** cli_argv,
int addNoVerify, int addNonBlocking, int addNoVerify, int addNonBlocking,
@ -278,6 +312,9 @@ static int execute_test_case(int svr_argc, char** svr_argv,
char portNumber[8]; char portNumber[8];
#endif #endif
int cliTestShouldFail = 0, svrTestShouldFail = 0; int cliTestShouldFail = 0, svrTestShouldFail = 0;
#ifdef WOLFSSL_NO_CLIENT_AUTH
int reqClientCert;
#endif
/* Is Valid Cipher and Version Checks */ /* Is Valid Cipher and Version Checks */
/* build command list for the Is checks below */ /* build command list for the Is checks below */
@ -329,6 +366,15 @@ static int execute_test_case(int svr_argc, char** svr_argv,
return VERSION_TOO_OLD; return VERSION_TOO_OLD;
} }
#endif #endif
#ifdef WOLFSSL_NO_CLIENT_AUTH
if (IsClientAuth(commandLine, &reqClientCert)) {
#ifdef DEBUG_SUITE_TESTS
printf("client auth on line %s not supported in build\n",
commandLine);
#endif
return NOT_BUILT_IN;
}
#endif
/* Build Server Command */ /* Build Server Command */
if (addNoVerify) { if (addNoVerify) {
@ -454,6 +500,15 @@ static int execute_test_case(int svr_argc, char** svr_argv,
#endif #endif
return NOT_BUILT_IN; return NOT_BUILT_IN;
} }
#ifdef WOLFSSL_NO_CLIENT_AUTH
if (reqClientCert && IsNoClientCert(commandLine)) {
#ifdef DEBUG_SUITE_TESTS
printf("client auth on line %s not supported in build\n",
commandLine);
#endif
return NOT_BUILT_IN;
}
#endif
printf("trying client command line[%d]: %s\n", tests, commandLine); printf("trying client command line[%d]: %s\n", tests, commandLine);
tests++; tests++;
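Review bot: IsClientAuth and IsNoClientCert detect the `-d` and `-x` options with XSTRSTR over the whole command line, so any longer token containing those two characters, such as a file path or another option's argument, is taken as the flag, and the match is not anchored to a whitespace-delimited argument. execute_test_case already receives the arguments split as svr_argv and cli_argv, so comparing tokens with `XSTRCMP(argv[i], "-d") == 0` (and likewise `"-x"`) would be exact; at minimum each helper deserves a header comment saying what it returns, because IsClientAuth returns 1 only for `-H verifyFail` and reports the `-d` result through its out-parameter. `reqClientCert` is declared without an initialiser and is assigned only inside IsClientAuth; `int reqClientCert = 0;` keeps the later `reqClientCert && IsNoClientCert(commandLine)` test well-defined if the call order ever changes. execute_test_case starts and ends outside these hunks.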


@ -2022,8 +2022,7 @@ WOLFSSL_LOCAL int CM_VerifyBuffer_ex(WOLFSSL_CERT_MANAGER* cm, const byte* buff,
#ifndef NO_CERTS #ifndef NO_CERTS
#if !defined NOCERTS &&\ #if !defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)
(!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH))
typedef struct ProcPeerCertArgs { typedef struct ProcPeerCertArgs {
buffer* certs; buffer* certs;
#ifdef WOLFSSL_TLS13 #ifdef WOLFSSL_TLS13