wolfssl-sys 4.0.0

System bindings for WolfSSL
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141

#!/usr/bin/env bash

# rsapss.test

[ ! -x ./examples/client/client ] && printf '\n\n%s\n' "Client doesn't exist" \
                                  && exit 1

if ./examples/client/client -? 2>&1 | grep "Client not compiled in!" ; then
    echo 'skipping rsapss.test because client not compiled in.' 1>&2
    exit 77
fi

if ./examples/server/server -? 2>&1 | grep "Server not compiled in!" ; then
    echo 'skipping rsapss.test because server not compiled in.' 1>&2
    exit 77
fi

if ! ./examples/client/client -V | grep -q 4; then
    echo "skipping because TLS 1.3 not enabled in this build"
    exit 0
fi
if ! grep -q -- -DWC_RSA_PSS config.log 2>/dev/null; then
    echo "skipping because WC_RSA_PSS not enabled in this build"
    exit 0
fi
if ! grep -q -- '-DHAVE_ECC\>' config.log 2>/dev/null; then
    echo "skipping because HAVE_ECC not enabled in this build"
    exit 0
fi
if grep -q -- '-DNO_CODING' config.log 2>/dev/null; then
    echo "skipping because NO_CODING is defined in this build"
    exit 0
fi

CERT_DIR="$PWD/$(dirname "$0")/../certs"
if [ "$OPENSSL" = "" ]; then
    OPENSSL=openssl
fi

# if we can, isolate the network namespace to eliminate port collisions.
if [[ -n "$NETWORK_UNSHARE_HELPER" ]]; then
     if [[ -z "$NETWORK_UNSHARE_HELPER_CALLED" ]]; then
         export NETWORK_UNSHARE_HELPER_CALLED=yes
         exec "$NETWORK_UNSHARE_HELPER" "$0" "$@" || exit $?
     fi
elif [ "${AM_BWRAPPED-}" != "yes" ]; then
    bwrap_path="$(command -v bwrap)"
    if [ -n "$bwrap_path" ]; then
        export AM_BWRAPPED=yes
        exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
    fi
    unset AM_BWRAPPED
fi

# need a unique port since may run the same time as testsuite
# Track ports already assigned in this script run to prevent intra-run collisions
used_ports=()

generate_port() {
    #-------------------------------------------------------------------------#
    # Generate a random port number, guaranteed unique within this script run.
    # Checks both the intra-run used_ports list and system-level bound ports.
    #-------------------------------------------------------------------------#
    local attempts=0 collision p

    while true; do
        if [[ "$OSTYPE" == "linux"* ]]; then
            p=$(($(od -An -N2 /dev/urandom) % (65535-49512) + 49512))
        elif [[ "$OSTYPE" == "darwin"* ]]; then
            p=$(($(od -An -N2 /dev/random) % (65535-49512) + 49512))
        else
            echo "skipping due to unsupported OS"
            exit 0
        fi

        # Check against ports already assigned in this run
        collision=0
        for up in "${used_ports[@]}"; do
            if [ "$up" = "$p" ]; then
                collision=1
                break
            fi
        done

        # Also check if the port is already bound on this system
        if [ "$collision" -eq 0 ]; then
            if command -v ss &>/dev/null; then
                ss -lnt 2>/dev/null | grep -q ":${p}[[:space:]]" && collision=1
            elif command -v netstat &>/dev/null; then
                netstat -lnt 2>/dev/null | grep -q ":${p}[[:space:]]" && collision=1
            fi
        fi

        [ "$collision" -eq 0 ] && break

        ((attempts++))
        if [ "$attempts" -ge 100 ]; then
            echo "ERROR: generate_port could not find a free port after 100 attempts"
            exit 1
        fi
    done

    port=$p
    used_ports+=("$p")
}

WOLFSSL_SERVER=./examples/server/server

start_wolfssl_server() {
    generate_port
    server_port=$port
    $WOLFSSL_SERVER -p "$server_port" -v 4 -c "$CERT_DIR"/rsapss/server-rsapss.pem -k "$CERT_DIR"/rsapss/server-rsapss-priv.pem -A "$CERT_DIR"/rsapss/root-rsapss.pem -d &
}

#
# Run OpenSSL client against wolfSSL server
#
do_openssl_client() {
    echo "test connection" | $OPENSSL s_client -connect 127.0.0.1:"$server_port" -cert "$CERT_DIR"/rsapss/client-rsapss.pem -key "$CERT_DIR"/rsapss/client-rsapss-priv.pem -CAfile "$CERT_DIR"/rsapss/root-rsapss.pem > rsapss.test.log
    result=$?
    cat rsapss.test.log
    if [ "$result" != 0 ]
    then
        echo "$OPENSSL s_client command failed"
        exit 1
    fi
    grep -q "Peer signature type:.*rsa_pss_rsae_sha256" rsapss.test.log
    result=$?
    rm -f rsapss.test.log
    if [ "$result" == 0 ]
    then
        echo "Test failed: Peer signature type identified as rsa_pss_rsae_sha256"
        exit 1
    fi
}

start_wolfssl_server
sleep 1
do_openssl_client
echo -e "\nSuccess!\n\n"
exit 0