wolfssl-sys 4.0.0

System bindings for WolfSSL
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245

#!/usr/bin/env bash

[ ! -x ./examples/client/client ] && printf '\n\n%s\n' "Client doesn't exist" \
                                  && exit 1

if ./examples/client/client -? 2>&1 | grep "Client not compiled in!" ; then
    echo 'skipping crl-revoked.test because client not compiled in.' 1>&2
    exit 77
fi

if ./examples/server/server -? 2>&1 | grep "Server not compiled in!" ; then
    echo 'skipping crl-revoked.test because server not compiled in.' 1>&2
    exit 77
fi

#crl.test
# if we can, isolate the network namespace to eliminate port collisions.
if [[ -n "$NETWORK_UNSHARE_HELPER" ]]; then
     if [[ -z "$NETWORK_UNSHARE_HELPER_CALLED" ]]; then
         export NETWORK_UNSHARE_HELPER_CALLED=yes
         exec "$NETWORK_UNSHARE_HELPER" "$0" "$@" || exit $?
     fi
elif [ "${AM_BWRAPPED-}" != "yes" ]; then
    bwrap_path="$(command -v bwrap)"
    if [ -n "$bwrap_path" ]; then
        export AM_BWRAPPED=yes
        exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
    fi
    unset AM_BWRAPPED
fi

# Workaround to not pollute the certs folder with our files that can impact other tests
RUNNING_DIR=$(mktemp -d)
cp -rp . $RUNNING_DIR/.
cd $RUNNING_DIR

revocation_code="-361"
revocation_code_openssl="23"
exit_code=1
counter=0
# need a unique resume port since may run the same time as testsuite
# use server port zero hack to get one
crl_port=0
#no_pid tells us process was never started if -1
no_pid=-1
#server_pid captured on startup, stores the id of the server process
server_pid=$no_pid
# let's use absolute path to a local dir (make distcheck may be in sub dir)
# also let's add some randomness by adding pid in case multiple 'make check's
# per source tree
ready_file=`pwd`/wolfssl_crl_ready$$
CERT_DIR=certs

remove_ready_file() {
    if test -e "$ready_file"; then
        echo -e "removing existing ready file"
        rm "$ready_file"
    fi
}

# trap this function so if user aborts with ^C or other kill signal we still
# get an exit that will in turn clean up the file system
abort_trap() {
    echo "script aborted"

    if  [ $server_pid != $no_pid ]
    then
        echo "killing server"
        kill -9 $server_pid
    fi

    exit_code=2 #different exit code in case of user interrupt

    echo "got abort signal, exiting with $exit_code"
    exit $exit_code
}
trap abort_trap INT TERM


# trap this function so that if we exit on an error the file system will still
# be restored and the other tests may still pass. Never call this function
# instead use "exit <some value>" and this function will run automatically
restore_file_system() {
    remove_ready_file
    cd / && rm -rf "$RUNNING_DIR"
}
trap restore_file_system EXIT

run_test() {
    echo -e "\nStarting example server for crl test...\n"

    remove_ready_file

    # starts the server on crl_port, -R generates ready file to be used as a
    # mutex lock, -c loads the revoked certificate. We capture the processid
    # into the variable server_pid
    ./examples/server/server -R "$ready_file" -p $crl_port \
                             -c ${CERT_DIR}/server-revoked-cert.pem \
                             -k ${CERT_DIR}/server-revoked-key.pem &
    server_pid=$!

    while [ ! -s "$ready_file" -a "$counter" -lt 20 ]; do
        echo -e "waiting for ready file..."
        sleep 0.1
        counter=$((counter+ 1))
    done

    # sleep for an additional 0.1 to mitigate race on write/read of $ready_file:
    sleep 0.1

    if test -e "$ready_file"; then
        echo -e "found ready file, starting client..."
    else
        echo -e "NO ready file ending test..."
        exit 1
    fi

    # get created port 0 ephemeral port
    crl_port="$(cat "$ready_file")"

    # starts client on crl_port and captures the output from client
    capture_out=$(./examples/client/client -p $crl_port 2>&1)
    client_result=$?

    wait $server_pid
    server_result=$?

    case  "$capture_out" in
    *"$revocation_code"*|*"$revocation_code_openssl"*)
        # only exit with zero on detection of the expected error code
        echo ""
        echo "Successful Revocation!!!!"
        echo ""
        if [ $exit_hash_dir_code -ne 0 ]; then
           exit_code=1
        else
           exit_code=0
           echo "exiting with $exit_code"
           exit $exit_code
        fi
        ;;
    *)
        echo ""
        echo "Certificate was not revoked saw this instead: $capture_out"
        echo ""
        echo "configure with --enable-crl and run this script again"
        echo ""
    esac
}

run_hashdir_test() {
  echo -e "\n\nHash dir with CRL and Certificate loading"

  remove_ready_file
  # create hashed cert and crl
  pushd ${CERT_DIR}
  # ca file
  ca_hash_name=`openssl x509 -in ca-cert.pem -hash -noout`
  if [ -f "$ca_hash_name".0 ]; then
     rm "$ca_hash_name".0
  fi
  ln -s ca-cert.pem "$ca_hash_name".0
  # crl file
  crl_hash_name=`openssl crl -in ./crl/crl.pem -hash -noout`
  if [ -f "$crl_hash_name".r0 ]; then
     rm "$crl_hash_name".r0
  fi
  ln -s ./crl/crl.pem "$crl_hash_name".r0
  popd

  # starts the server on crl_port, -R generates ready file to be used as a
  # mutex lock, -c loads the revoked certificate. We capture the processid
  # into the variable server_pid
  ./examples/server/server -R "$ready_file" -p $crl_port \
                             -c ${CERT_DIR}/server-revoked-cert.pem \
                             -k ${CERT_DIR}/server-revoked-key.pem &
  server_pid=$!
  while [ ! -s "$ready_file" -a "$counter" -lt 20 ]; do
        echo -e "waiting for ready file..."
        sleep 0.1
        counter=$((counter+ 1))
  done

  # get created port 0 ephemeral port
  crl_port="$(cat "$ready_file")"

  # starts client on crl_port and captures the output from client
  capture_out=$(./examples/client/client -p $crl_port -9 2>&1)
  client_result=$?

  wait $server_pid
  server_result=$?

  case  "$capture_out" in
    *"$revocation_code"*|*"$revocation_code_openssl"*)
        # only exit with zero on detection of the expected error code
        echo ""
        echo "Successful Revocation!!!! with hash dir"
        echo ""
        exit_hash_dir_code=0
        ;;
    *)
        echo ""
        echo "Certificate was not revoked saw this instead: $capture_out"
        echo ""
        echo "configure with --enable-crl and run this script again"
        echo ""
        exit_hash_dir_code=1
    esac

  # clean up hashed cert and crl
  pushd ${CERT_DIR}
  rm "$ca_hash_name".0
  rm "$crl_hash_name".r0
  popd

}
######### begin program #########

# Check for enabling hash dir feature
./examples/client/client -? 2>&1 | grep -- 'hash dir'
if [ $? -eq 0 ]; then
   hash_dir=yes
   exit_hash_dir_code=1
fi

if [ "$hash_dir" = "yes" ]; then
   run_hashdir_test
else
   exit_hash_dir_code=0
fi

# Check that server is enabled
./examples/server/server -? 2>&1 | grep -- 'Create Ready file'
if [ $? -eq 0 ]; then
    # run the test
    run_test
else
    exit_code=0
fi

# If we get to this exit, exit_code will be a 1 signaling failure
echo "exiting with $exit_code certificate was not revoked"
exit $exit_code
########## end program ##########