fd17fa3e9c
Do leaf CRL check by default Correct wolfSSL_sk_X509_NAME_push return check Update OpenSSL compatibility errors for HAProxy Change X509_V to literal constant values Fix the compat layer with TLS session ticket reuse Fix for tls1_2 session resume and cache miss Save intitial wolfSSL ctx Check for OpenSSL CRL error code 23
227 lines
6.3 KiB
Bash
Executable File
227 lines
6.3 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
#crl.test
|
|
# if we can, isolate the network namespace to eliminate port collisions.
|
|
if [[ -n "$NETWORK_UNSHARE_HELPER" ]]; then
|
|
if [[ -z "$NETWORK_UNSHARE_HELPER_CALLED" ]]; then
|
|
export NETWORK_UNSHARE_HELPER_CALLED=yes
|
|
exec "$NETWORK_UNSHARE_HELPER" "$0" "$@" || exit $?
|
|
fi
|
|
elif [ "${AM_BWRAPPED-}" != "yes" ]; then
|
|
bwrap_path="$(command -v bwrap)"
|
|
if [ -n "$bwrap_path" ]; then
|
|
export AM_BWRAPPED=yes
|
|
exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
|
|
fi
|
|
unset AM_BWRAPPED
|
|
fi
|
|
|
|
# Workaround to not pollute the certs folder with our files that can impact other tests
|
|
RUNNING_DIR=$(mktemp -d)
|
|
cp -rp . $RUNNING_DIR/.
|
|
cd $RUNNING_DIR
|
|
|
|
revocation_code="-361"
|
|
revocation_code_openssl="23"
|
|
exit_code=1
|
|
counter=0
|
|
# need a unique resume port since may run the same time as testsuite
|
|
# use server port zero hack to get one
|
|
crl_port=0
|
|
#no_pid tells us process was never started if -1
|
|
no_pid=-1
|
|
#server_pid captured on startup, stores the id of the server process
|
|
server_pid=$no_pid
|
|
# let's use absolute path to a local dir (make distcheck may be in sub dir)
|
|
# also let's add some randomness by adding pid in case multiple 'make check's
|
|
# per source tree
|
|
ready_file=`pwd`/wolfssl_crl_ready$$
|
|
CERT_DIR=certs
|
|
|
|
remove_ready_file() {
|
|
if test -e "$ready_file"; then
|
|
echo -e "removing existing ready file"
|
|
rm "$ready_file"
|
|
fi
|
|
}
|
|
|
|
# trap this function so if user aborts with ^C or other kill signal we still
|
|
# get an exit that will in turn clean up the file system
|
|
abort_trap() {
|
|
echo "script aborted"
|
|
|
|
if [ $server_pid != $no_pid ]
|
|
then
|
|
echo "killing server"
|
|
kill -9 $server_pid
|
|
fi
|
|
|
|
exit_code=2 #different exit code in case of user interrupt
|
|
|
|
echo "got abort signal, exiting with $exit_code"
|
|
exit $exit_code
|
|
}
|
|
trap abort_trap INT TERM
|
|
|
|
|
|
# trap this function so that if we exit on an error the file system will still
|
|
# be restored and the other tests may still pass. Never call this function
|
|
# instead use "exit <some value>" and this function will run automatically
|
|
restore_file_system() {
|
|
remove_ready_file
|
|
cd / && rm -rf "$RUNNING_DIR"
|
|
}
|
|
trap restore_file_system EXIT
|
|
|
|
run_test() {
|
|
echo -e "\nStarting example server for crl test...\n"
|
|
|
|
remove_ready_file
|
|
|
|
# starts the server on crl_port, -R generates ready file to be used as a
|
|
# mutex lock, -c loads the revoked certificate. We capture the processid
|
|
# into the variable server_pid
|
|
./examples/server/server -R "$ready_file" -p $crl_port \
|
|
-c ${CERT_DIR}/server-revoked-cert.pem \
|
|
-k ${CERT_DIR}/server-revoked-key.pem &
|
|
server_pid=$!
|
|
|
|
while [ ! -s "$ready_file" -a "$counter" -lt 20 ]; do
|
|
echo -e "waiting for ready file..."
|
|
sleep 0.1
|
|
counter=$((counter+ 1))
|
|
done
|
|
|
|
# sleep for an additional 0.1 to mitigate race on write/read of $ready_file:
|
|
sleep 0.1
|
|
|
|
if test -e "$ready_file"; then
|
|
echo -e "found ready file, starting client..."
|
|
else
|
|
echo -e "NO ready file ending test..."
|
|
exit 1
|
|
fi
|
|
|
|
# get created port 0 ephemeral port
|
|
crl_port="$(cat "$ready_file")"
|
|
|
|
# starts client on crl_port and captures the output from client
|
|
capture_out=$(./examples/client/client -p $crl_port 2>&1)
|
|
client_result=$?
|
|
|
|
wait $server_pid
|
|
server_result=$?
|
|
|
|
case "$capture_out" in
|
|
*"$revocation_code"*|*"$revocation_code_openssl"*)
|
|
# only exit with zero on detection of the expected error code
|
|
echo ""
|
|
echo "Successful Revocation!!!!"
|
|
echo ""
|
|
if [ $exit_hash_dir_code -ne 0 ]; then
|
|
exit_code=1
|
|
else
|
|
exit_code=0
|
|
echo "exiting with $exit_code"
|
|
exit $exit_code
|
|
fi
|
|
;;
|
|
*)
|
|
echo ""
|
|
echo "Certificate was not revoked saw this instead: $capture_out"
|
|
echo ""
|
|
echo "configure with --enable-crl and run this script again"
|
|
echo ""
|
|
esac
|
|
}
|
|
|
|
run_hashdir_test() {
|
|
echo -e "\n\nHash dir with CRL and Certificate loading"
|
|
|
|
remove_ready_file
|
|
# create hashed cert and crl
|
|
pushd ${CERT_DIR}
|
|
# ca file
|
|
ca_hash_name=`openssl x509 -in ca-cert.pem -hash -noout`
|
|
if [ -f "$ca_hash_name".0 ]; then
|
|
rm "$ca_hash_name".0
|
|
fi
|
|
ln -s ca-cert.pem "$ca_hash_name".0
|
|
# crl file
|
|
crl_hash_name=`openssl crl -in ./crl/crl.pem -hash -noout`
|
|
if [ -f "$crl_hash_name".r0 ]; then
|
|
rm "$crl_hash_name".r0
|
|
fi
|
|
ln -s ./crl/crl.pem "$crl_hash_name".r0
|
|
popd
|
|
|
|
# starts the server on crl_port, -R generates ready file to be used as a
|
|
# mutex lock, -c loads the revoked certificate. We capture the processid
|
|
# into the variable server_pid
|
|
./examples/server/server -R "$ready_file" -p $crl_port \
|
|
-c ${CERT_DIR}/server-revoked-cert.pem \
|
|
-k ${CERT_DIR}/server-revoked-key.pem &
|
|
server_pid=$!
|
|
while [ ! -s "$ready_file" -a "$counter" -lt 20 ]; do
|
|
echo -e "waiting for ready file..."
|
|
sleep 0.1
|
|
counter=$((counter+ 1))
|
|
done
|
|
|
|
# get created port 0 ephemeral port
|
|
crl_port="$(cat "$ready_file")"
|
|
|
|
# starts client on crl_port and captures the output from client
|
|
capture_out=$(./examples/client/client -p $crl_port -9 2>&1)
|
|
client_result=$?
|
|
|
|
wait $server_pid
|
|
server_result=$?
|
|
|
|
case "$capture_out" in
|
|
*"$revocation_code"*|*"$revocation_code_openssl"*)
|
|
# only exit with zero on detection of the expected error code
|
|
echo ""
|
|
echo "Successful Revocation!!!! with hash dir"
|
|
echo ""
|
|
exit_hash_dir_code=0
|
|
;;
|
|
*)
|
|
echo ""
|
|
echo "Certificate was not revoked saw this instead: $capture_out"
|
|
echo ""
|
|
echo "configure with --enable-crl and run this script again"
|
|
echo ""
|
|
exit_hash_dir_code=1
|
|
esac
|
|
|
|
# clean up hashed cert and crl
|
|
pushd ${CERT_DIR}
|
|
rm "$ca_hash_name".0
|
|
rm "$crl_hash_name".r0
|
|
popd
|
|
|
|
}
|
|
######### begin program #########
|
|
|
|
# Check for enabling hash dir feature
|
|
./examples/client/client -? 2>&1 | grep -- 'hash dir'
|
|
if [ $? -eq 0 ]; then
|
|
hash_dir=yes
|
|
exit_hash_dir_code=1
|
|
fi
|
|
|
|
if [ "$hash_dir" = "yes" ]; then
|
|
run_hashdir_test
|
|
else
|
|
exit_hash_dir_code=0
|
|
fi
|
|
|
|
# run the test
|
|
run_test
|
|
|
|
# If we get to this exit, exit_code will be a 1 signaling failure
|
|
echo "exiting with $exit_code certificate was not revoked"
|
|
exit $exit_code
|
|
########## end program ##########
|