mirrors/wolfssl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

add bwrapping on all other scripts/*.test except those that make Internet connections, and remove test for setuid bit, as some systems are configured to not require setuid/CAP_NET_ADMIN for CLONE_NEWNET.

Browse Source
This commit is contained in:
Daniel Pouzzner 2020-09-12 00:20:38 -05:00
parent 1e9971f64c
commit 51046d45d3
11 changed files with 101 additions and 49 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
scripts/crl-revoked.test
View File

@ -1,7 +1,17 @@
#!/bin/sh #!/bin/bash
#crl.test #crl.test
# if we can, isolate the network namespace to eliminate port collisions.
if [[ "${AM_BWRAPPED-}" != "yes" ]]; then
bwrap_path="$(command -v bwrap)"
if [[ -n "$bwrap_path" ]]; then
export AM_BWRAPPED=yes
exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
unset AM_BWRAPPED
fi
fi
revocation_code="-361" revocation_code="-361"
exit_code=1 exit_code=1
counter=0 counter=0

16
scripts/ocsp-stapling-with-ca-as-responder.test
View File

@ -2,19 +2,13 @@
# ocsp-stapling-with-ca-as-responder.test # ocsp-stapling-with-ca-as-responder.test
# if we can, isolate the network namespace to eliminate port collisions # if we can, isolate the network namespace to eliminate port collisions.
if [[ "${AM_BWRAPPED-}" != "yes" ]]; then if [[ "${AM_BWRAPPED-}" != "yes" ]]; then
bwrap_path="$(command -v bwrap)" bwrap_path="$(command -v bwrap)"
if [[ -z "$bwrap_path" ]]; then if [[ -n "$bwrap_path" ]]; then
echo "couldn't find bwrap -- not isolating network namespace." export AM_BWRAPPED=yes
elif [[ ! -u "$bwrap_path" ]]; then exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
echo "$bwrap_path isn't setuid -- not isolating network namespace." unset AM_BWRAPPED
else
echo "isolating network namespace..."
export AM_BWRAPPED=yes
exec $bwrap_path --unshare-net --dev-bind / / "$0" "$@"
unset AM_BWRAPPED
echo "not isolating network namespace."
fi fi
fi fi

16
scripts/ocsp-stapling.test
View File

@ -3,22 +3,6 @@
# ocsp-stapling.test # ocsp-stapling.test
# Test requires HAVE_OCSP and HAVE_CERTIFICATE_STATUS_REQUEST # Test requires HAVE_OCSP and HAVE_CERTIFICATE_STATUS_REQUEST
# if we can, isolate the network namespace to eliminate port collisions
if [[ "${AM_BWRAPPED-}" != "yes" ]]; then
bwrap_path="$(command -v bwrap)"
if [[ -z "$bwrap_path" ]]; then
echo "couldn't find bwrap -- not isolating network namespace."
elif [[ ! -u "$bwrap_path" ]]; then
echo "$bwrap_path isn't setuid -- not isolating network namespace."
else
echo "isolating network namespace..."
export AM_BWRAPPED=yes
exec $bwrap_path --unshare-net --dev-bind / / "$0" "$@"
unset AM_BWRAPPED
echo "not isolating network namespace."
fi
fi
if [[ -z "${RETRIES_REMAINING-}" ]]; then if [[ -z "${RETRIES_REMAINING-}" ]]; then
export RETRIES_REMAINING=2 export RETRIES_REMAINING=2
fi fi

16
scripts/ocsp-stapling2.test
View File

@ -3,19 +3,13 @@
# ocsp-stapling2.test # ocsp-stapling2.test
# Test requires HAVE_OCSP and HAVE_CERTIFICATE_STATUS_REQUEST_V2 # Test requires HAVE_OCSP and HAVE_CERTIFICATE_STATUS_REQUEST_V2
# if we can, isolate the network namespace to eliminate port collisions # if we can, isolate the network namespace to eliminate port collisions.
if [[ "${AM_BWRAPPED-}" != "yes" ]]; then if [[ "${AM_BWRAPPED-}" != "yes" ]]; then
bwrap_path="$(command -v bwrap)" bwrap_path="$(command -v bwrap)"
if [[ -z "$bwrap_path" ]]; then if [[ -n "$bwrap_path" ]]; then
echo "couldn't find bwrap -- not isolating network namespace." export AM_BWRAPPED=yes
elif [[ ! -u "$bwrap_path" ]]; then exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
echo "$bwrap_path isn't setuid -- not isolating network namespace." unset AM_BWRAPPED
else
echo "isolating network namespace..."
export AM_BWRAPPED=yes
exec $bwrap_path --unshare-net --dev-bind / / "$0" "$@"
unset AM_BWRAPPED
echo "not isolating network namespace."
fi fi
fi fi

18
scripts/openssl.test
View File

@ -1,14 +1,24 @@
#!/bin/sh #!/bin/bash
#openssl.test #openssl.test
if test -n "$WOLFSSL_OPENSSL_TEST"; then if ! test -n "$WOLFSSL_OPENSSL_TEST"; then
echo "WOLFSSL_OPENSSL_TEST set, running test..."
else
echo "WOLFSSL_OPENSSL_TEST NOT set, won't run" echo "WOLFSSL_OPENSSL_TEST NOT set, won't run"
exit 0 exit 0
fi fi
# if we can, isolate the network namespace to eliminate port collisions.
if [[ "${AM_BWRAPPED-}" != "yes" ]]; then
bwrap_path="$(command -v bwrap)"
if [[ -n "$bwrap_path" ]]; then
export AM_BWRAPPED=yes
exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
unset AM_BWRAPPED
fi
fi
echo "WOLFSSL_OPENSSL_TEST set, running test..."
# need a unique port since may run the same time as testsuite # need a unique port since may run the same time as testsuite
generate_port() { generate_port() {
port=$(($(od -An -N2 /dev/random) % (65535-49512) + 49512)) port=$(($(od -An -N2 /dev/random) % (65535-49512) + 49512))

12
scripts/pkcallbacks.test
View File

@ -1,7 +1,17 @@
#!/bin/sh #!/bin/bash
#pkcallbacks.test #pkcallbacks.test
# if we can, isolate the network namespace to eliminate port collisions.
if [[ "${AM_BWRAPPED-}" != "yes" ]]; then
bwrap_path="$(command -v bwrap)"
if [[ -n "$bwrap_path" ]]; then
export AM_BWRAPPED=yes
exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
unset AM_BWRAPPED
fi
fi
exit_code=1 exit_code=1
counter=0 counter=0
# need a unique resume port since may run the same time as testsuite # need a unique resume port since may run the same time as testsuite

12
scripts/psk.test
View File

@ -1,8 +1,18 @@
#!/bin/sh #!/bin/bash
# psk.test # psk.test
# copyright wolfSSL 2016 # copyright wolfSSL 2016
# if we can, isolate the network namespace to eliminate port collisions.
if [[ "${AM_BWRAPPED-}" != "yes" ]]; then
bwrap_path="$(command -v bwrap)"
if [[ -n "$bwrap_path" ]]; then
export AM_BWRAPPED=yes
exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
unset AM_BWRAPPED
fi
fi
# getting unique port is modeled after resume.test script # getting unique port is modeled after resume.test script
# need a unique port since may run the same time as testsuite # need a unique port since may run the same time as testsuite
# use server port zero hack to get one # use server port zero hack to get one

12
scripts/resume.test
View File

@ -1,7 +1,17 @@
#!/bin/sh #!/bin/bash
#resume.test #resume.test
# if we can, isolate the network namespace to eliminate port collisions.
if [[ "${AM_BWRAPPED-}" != "yes" ]]; then
bwrap_path="$(command -v bwrap)"
if [[ -n "$bwrap_path" ]]; then
export AM_BWRAPPED=yes
exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
unset AM_BWRAPPED
fi
fi
# need a unique resume port since may run the same time as testsuite # need a unique resume port since may run the same time as testsuite
# use server port zero hack to get one # use server port zero hack to get one
resume_string="reused" resume_string="reused"

12
scripts/sniffer-testsuite.test
View File

@ -1,7 +1,17 @@
#!/bin/sh #!/bin/bash
#sniffer-testsuite.test #sniffer-testsuite.test
# if we can, isolate the network namespace to eliminate port collisions.
if [[ "${AM_BWRAPPED-}" != "yes" ]]; then
bwrap_path="$(command -v bwrap)"
if [[ -n "$bwrap_path" ]]; then
export AM_BWRAPPED=yes
exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
unset AM_BWRAPPED
fi
fi
# ./configure --enable-sniffer [--enable-session-ticket] # ./configure --enable-sniffer [--enable-session-ticket]
# Resumption tests require "--enable-session-ticket" # Resumption tests require "--enable-session-ticket"

12
scripts/tls13.test
View File

@ -1,8 +1,18 @@
#!/bin/sh #!/bin/bash
# tls13.test # tls13.test
# copyright wolfSSL 2016 # copyright wolfSSL 2016
# if we can, isolate the network namespace to eliminate port collisions.
if [[ "${AM_BWRAPPED-}" != "yes" ]]; then
bwrap_path="$(command -v bwrap)"
if [[ -n "$bwrap_path" ]]; then
export AM_BWRAPPED=yes
exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
unset AM_BWRAPPED
fi
fi
# getting unique port is modeled after resume.test script # getting unique port is modeled after resume.test script
# need a unique port since may run the same time as testsuite # need a unique port since may run the same time as testsuite
# use server port zero hack to get one # use server port zero hack to get one

12
scripts/trusted_peer.test
View File

@ -1,8 +1,18 @@
#!/bin/sh #!/bin/bash
# trusted_peer.test # trusted_peer.test
# copyright wolfSSL 2016 # copyright wolfSSL 2016
# if we can, isolate the network namespace to eliminate port collisions.
if [[ "${AM_BWRAPPED-}" != "yes" ]]; then
bwrap_path="$(command -v bwrap)"
if [[ -n "$bwrap_path" ]]; then
export AM_BWRAPPED=yes
exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
unset AM_BWRAPPED
fi
fi
# getting unique port is modeled after resume.test script # getting unique port is modeled after resume.test script
# need a unique port since may run the same time as testsuite # need a unique port since may run the same time as testsuite
# use server port zero hack to get one # use server port zero hack to get one