wolfssl-sys 4.0.0

System bindings for WolfSSL
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317

#!/usr/bin/env bash

# trusted_peer.test
# copyright wolfSSL 2016

[ ! -x ./examples/client/client ] && printf '\n\n%s\n' "Client doesn't exist" \
                                  && exit 1

if ./examples/client/client -? 2>&1 | grep "Client not compiled in!" ; then
    echo 'skipping trusted_peer.test because client not compiled in.' 1>&2
    exit 77
fi

if ./examples/server/server -? 2>&1 | grep "Server not compiled in!" ; then
    echo 'skipping trusted_peer.test because server not compiled in.' 1>&2
    exit 77
fi

# if we can, isolate the network namespace to eliminate port collisions.
if [[ -n "$NETWORK_UNSHARE_HELPER" ]]; then
     if [[ -z "$NETWORK_UNSHARE_HELPER_CALLED" ]]; then
         export NETWORK_UNSHARE_HELPER_CALLED=yes
         exec "$NETWORK_UNSHARE_HELPER" "$0" "$@" || exit $?
     fi
elif [ "${AM_BWRAPPED-}" != "yes" ]; then
    bwrap_path="$(command -v bwrap)"
    if [ -n "$bwrap_path" ]; then
        export AM_BWRAPPED=yes
        exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
    fi
    unset AM_BWRAPPED
fi

# getting unique port is modeled after resume.test script
# need a unique port since may run the same time as testsuite
# use server port zero hack to get one
port=0
no_pid=-1
server_pid=$no_pid
counter=0
# let's use absolute path to a local dir (make distcheck may be in sub dir)
# also let's add some randomness by adding pid in case multiple 'make check's
# per source tree
ready_file=`pwd`/wolfssl_tp_ready$$

# variables for certs so can use RSA or ECC
client_cert=`pwd`/certs/client-cert.pem
client_ca=`pwd`/certs/ca-cert.pem
client_key=`pwd`/certs/client-key.pem
ca_key=`pwd`/certs/ca-key.pem
server_cert=`pwd`/certs/server-cert.pem
server_key=`pwd`/certs/server-key.pem
combined_cert=`pwd`/certs/client_combined.pem
wrong_ca=`pwd`/certs/wolfssl-website-ca.pem
wrong_cert=`pwd`/certs/server-revoked-cert.pem

echo "ready file \"$ready_file\""

create_port() {
    while [ ! -s "$ready_file" -a "$counter" -lt 20 ]; do
        echo -e "waiting for ready file..."
        sleep 0.1
        counter=$((counter+ 1))
    done

    if test -e "$ready_file"; then
        echo -e "found ready file, starting client..."

        # sleep for an additional 0.1 to mitigate race on write/read of $ready_file:
        sleep 0.1

        # get created port 0 ephemeral port
        port=`cat "$ready_file"`
    else
        echo -e "NO ready file ending test..."
        do_cleanup
    fi
}

remove_ready_file() {
    if test -e "$ready_file"; then
        echo -e "removing existing ready file"
    rm "$ready_file"
    fi
}

do_cleanup() {
    echo "in cleanup"

    if  [ $server_pid != $no_pid ]
    then
        echo "killing server"
        kill -9 $server_pid
    fi
    remove_ready_file
}

do_trap() {
    echo "got trap"
    do_cleanup
    exit 1
}

trap do_trap INT TERM

[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1

# Look for if RSA and/or ECC is enabled and adjust certs/keys
ciphers=`./examples/client/client -e`
if [[  "$ciphers" != *"RSA"* ]]; then
    if [[ $ciphers == *"ECDSA"* ]]; then
        client_cert=`pwd`/certs/client-ecc-cert.pem
        client_ca=`pwd`/certs/server-ecc.pem
        client_key=`pwd`/certs/ecc-client-key.pem
        ca_key=`pwd`/certs/ecc-key.pem
        server_cert=`pwd`/certs/server-ecc.pem
        server_key=`pwd`/certs/ecc-key.pem
        wrong_ca=`pwd`/certs/server-ecc-comp.pem
        wrong_cert=`pwd`/certs/server-ecc-comp.pem
    else
        echo "configure options not set up for test. No RSA or ECC"
        exit 0
    fi
fi

# CRL list not set up for tests
crl_test=`./examples/client/client -h`
if [[ "$crl_test" == *"-C "* ]]; then
    echo "test not set up to run with CRL"
    exit 0
fi

# Test for trusted peer certs build
echo ""
echo "Checking built with trusted peer certs "
echo "-----------------------------------------------------"
port=0
remove_ready_file
./examples/server/server -E "$client_cert" -c "$server_cert" -k "$server_key" -R "$ready_file" -p $port &
server_pid=$!
create_port
./examples/client/client -A "$client_ca" -p $port
RESULT=$?
remove_ready_file
# if fail here then is a settings issue so return 0
if [ $RESULT -ne 0 ]; then
    echo -e "\n\nTrusted peer certs not enabled \"WOLFSSL_TRUST_PEER_CERT\""
    do_cleanup
    exit 0
fi
echo ""

# Test that using no CA's and only trusted peer certs works
echo "Server and Client relying on trusted peer cert loaded"
echo "-----------------------------------------------------"
port=0
./examples/server/server -A "$wrong_ca" -E "$client_cert" -c "$server_cert" -k "$server_key" -R "$ready_file" -p $port &
server_pid=$!
create_port
./examples/client/client -A "$wrong_ca" -E "$server_cert" -c "$client_cert" -p $port
RESULT=$?
remove_ready_file
if [ $RESULT -ne 0 ]; then
    echo -e "\nServer and Client trusted peer cert failed!"
    do_cleanup
    exit 1
fi
echo ""

# Test that using server trusted peer certs works
echo "Server relying on trusted peer cert loaded"
echo "-----------------------------------------------------"
port=0
./examples/server/server -A "$wrong_ca" -E "$client_cert" -c "$server_cert" -k "$server_key" -R "$ready_file" -p $port &
server_pid=$!
create_port
./examples/client/client -A "$client_ca" -c "$client_cert" -p $port
RESULT=$?
remove_ready_file
if [ $RESULT -ne 0 ]; then
    echo -e "\nServer trusted peer cert test failed!"
    do_cleanup
    exit 1
fi
echo ""

# Test that using client trusted peer certs works
echo "Client relying on trusted peer cert loaded"
echo "-----------------------------------------------------"
port=0
./examples/server/server -c "$server_cert" -k "$server_key" -R "$ready_file" -p $port &
server_pid=$!
create_port
./examples/client/client -A "$wrong_ca" -E "$server_cert" -p $port
RESULT=$?
remove_ready_file
if [ $RESULT -ne 0 ]; then
    echo -e "\nClient trusted peer cert test failed!"
    do_cleanup
    exit 1
fi
echo ""

# Test that client fall through to CA works
echo "Client fall through to loaded CAs"
echo "-----------------------------------------------------"
port=0
./examples/server/server -c "$server_cert" -k "$server_key" -R "$ready_file" -p $port &
server_pid=$!
create_port
./examples/client/client -A "$client_ca" -E "$wrong_cert" -p $port
RESULT=$?
remove_ready_file
if [ $RESULT -ne 0 ]; then
    echo -e "\nClient trusted peer cert fall through to CA test failed!"
    do_cleanup
    exit 1
fi
echo ""

# Test that client can fail
# check if using ECC client example is hard coded to load correct ECC ca so skip
if [[ $wrong_ca != *"ecc"* ]]; then
echo "Client wrong CA and wrong trusted peer cert loaded"
echo "-----------------------------------------------------"
port=0
./examples/server/server -c "$server_cert" -k "$server_key" -R "$ready_file" -p $port &
server_pid=$!
create_port
./examples/client/client -A "$wrong_ca" -E "$wrong_cert" -p $port
RESULT=$?
remove_ready_file
if [ $RESULT -eq 0 ]; then
    echo -e "\nClient trusted peer cert test failed!"
    do_cleanup
    exit 1
fi
echo ""
fi

# Test that server can fail
echo "Server wrong CA and wrong trusted peer cert loaded"
echo "-----------------------------------------------------"
port=0
./examples/server/server -A "$wrong_ca" -E "$wrong_cert" -c "$server_cert" -k "$server_key" -R "$ready_file" -p $port &
server_pid=$!
create_port
./examples/client/client -A "$client_ca" -p $port
RESULT=$?
remove_ready_file
if [ $RESULT -eq 0 ]; then
    echo -e "\nServer trusted peer cert test failed!"
    do_cleanup
    exit 1
fi
echo ""

# Test that server fall through to CA works
echo "Server fall through to loaded CAs"
echo "-----------------------------------------------------"
port=0
./examples/server/server -E "$wrong_cert" -c "$server_cert" -k "$server_key" -R "$ready_file" -p $port &
server_pid=$!
create_port
./examples/client/client -A "$client_ca" -p $port
RESULT=$?
remove_ready_file
if [ $RESULT -ne 0 ]; then
    echo -e "\nServer trusted peer cert fall through to CA test failed!"
    do_cleanup
    exit 1
fi
echo ""

# test loading multiple certs
echo "Server loading multiple trusted peer certs"
echo "Test two success cases and one fail case"
echo "-----------------------------------------------------"
port=0
cat "$client_cert" "$client_ca" > "$combined_cert"
./examples/server/server -i -A "$wrong_ca" -E "$combined_cert" -c "$server_cert" -k "$server_key" -R "$ready_file" -p $port &
server_pid=$!
create_port
./examples/client/client -A "$client_ca" -c "$client_cert" -k "$client_key" -p $port
RESULT=$?
if [ $RESULT -ne 0 ]; then
    echo -e "\nServer load multiple trusted peer certs failed!"
    do_cleanup
    exit 1
fi
./examples/client/client -A "$client_ca" -c "$client_ca" -k "$ca_key"  -p $port
RESULT=$?
if [ $RESULT -ne 0 ]; then
    echo -e "\nServer load multiple trusted peer certs failed!"
    do_cleanup
    exit 1
fi
./examples/client/client -A "$client_ca" -c "$wrong_cert" -k "$client_key" -p $port
RESULT=$?
if [ $RESULT -eq 0 ]; then
    echo -e "\nServer load multiple trusted peer certs failed!"
    do_cleanup
    exit 1
fi

do_cleanup # kill PID of server running in infinite loop
rm "$combined_cert"
remove_ready_file
echo ""

echo "-----------------------------------------------------"
echo "ALL TESTS PASSED"
echo "-----------------------------------------------------"

exit 0