Update code to v1.0.14 (10)

This commit is contained in:
Caten
2024-02-29 19:35:00 +08:00
parent c2ee3b694c
commit a956d26f6d
3188 changed files with 2317293 additions and 146 deletions


@@ -0,0 +1,154 @@
#!/usr/bin/env bash
#
# SPDX-License-Identifier: GPL-2.0-or-later
#
# Parametrisation to this script is as follows:
# * `my_path` MUST be set
# * `WC_TTY` can be set to override the default '/dev/ttyUSB2'
# * `csv_path_suffix` can be set to add a suffix to the output path
# * `VERBOSE` can be set to '0' to suppress all output
# or '1' to make the output more verbose
###
# Preamble
###
if (return 0 2>/dev/null); then
[[ -v my_path ]] || { echo "\$my_path must not be empty"; return 1; }
else
echo "This script shall only be sourced"
exit 1
fi
readonly tty="${WC_TTY:-/dev/ttyUSB2}"
fifo="$(mktemp -u)" || exit $?
readonly fifo
readonly csv_path="${my_path}/data/results${csv_path_suffix:-}"
function status_echo() {
[ "$VERBOSE" = "0" ] || echo "$*"
}
function cleanup() {
wait
rm $fifo
}
mkfifo $fifo
trap cleanup EXIT
function error_out() {
exit 1
}
trap error_out INT TERM
mkdir -p $csv_path
status_echo "Writing to folder: $csv_path"
status_echo "Reading from TTY: $tty"
###
# Functions
###
function read_tty() {
while true; do
read -r l
$1 "$l"
$read_tty_ret
done < $tty
}
function wait_until_finished() {
while true; do
read -r ret
[ "$ret" == "finished" ] && break
done < $fifo
}
function process_csv() {
read_tty_ret=
case "$csv_state" in
"0")
case "$1" in
"Algorithm,MB/s,Cycles per byte," | \
"Algorithm,key size,operation,avg ms,ops/sec,")
echo "$1" > $csv
csv_state=1
;;
esac
;;
"1")
if [ "$1" != "Benchmark complete" ]; then
echo "$1" >> $csv
[ "$VERBOSE" = "1" ] && echo "$1"
else
echo "finished" > $fifo
read_tty_ret='return'
fi
;;
esac
}
function csv_start() {
csv_state=0
csv=$csv_path/$1
read_tty process_csv &
}
function bench() {
status_echo "Benchmark ${1^^}$3"
csv_start ${1}${3}.csv
echo "b $2 -csv" > $tty
wait_until_finished
}
###
# Implementation
###
function small_block() {
if [[ ! -v small_block_sizes ]]; then
echo '$small_block_sizes is unset.' 1>&2
return 1
fi
for blocksize in $small_block_sizes
do
status_echo "Benchmark with $blocksize bytes sized blocks"
for mode in $1
do
local opts=${mode}_opts
bench "${mode}" "-aes-${mode} $blocksize ${!opts}" "_${blocksize}"
done
done
}
function large_block() {
if [[ ! -v large_block_ciphers ]]; then
echo '$large_block_ciphers is unset.' 1>&2
return 1
fi
if [[ ! -v large_max_blocksize ]]; then
echo '$large_max_blocksize is unset.' 1>&2
return 1
fi
if [[ ! -v large_num_bytes ]]; then
echo '$large_num_bytes is unset.' 1>&2
return 1
fi
# 1 MiB
local blocksize=$((1024 * 1024))
while [ $blocksize -lt $large_max_blocksize ]
do
local num_blocks=$(($large_num_bytes / $blocksize))
status_echo "Benchmark with $blocksize bytes sized blocks"
for mode in $large_block_ciphers
do
local opts=${mode}_fast_opts
bench "${mode}" "-aes-${mode} ${!opts} $blocksize -blocks $num_blocks" "_${blocksize}"
done
blocksize=$(($blocksize * 2))
done
}
#eof
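Review bot: wait_until_finished spins forever once the fifo reaches EOF, because the status of `read -r ret` is never checked — if the background read_tty exits without writing "finished" (for example the tty read fails), the `while true` loop keeps re-running `read` on a drained fifo at full CPU. Change it to `read -r ret || break` (and have bench report the failure); the `read -r l` in read_tty has the same shape and would call `$1 ""` repeatedly on EOF, so `read -r l || return` there too. Separately, `$fifo`, `$csv_path`, `$csv` and `${1}${3}.csv` are expanded unquoted in cleanup, the `mkfifo`/`mkdir -p` lines, process_csv and csv_start; `my_path` and `csv_path_suffix` are caller-supplied per the header, so quote them. Since the script is sourced and `exit $?` after the `mktemp -u` line would terminate the caller's shell, `return $?` is the consistent choice there.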


@@ -0,0 +1,117 @@
#!/bin/sh
#benchmark.test
if [ "$#" -lt 2 ]; then
echo "Usage: $0 [mode] [num] [clientargs] [serverargs]" >&2
echo " [mode]: 1=Connection Rate (TPS), 2=Throughput Bytes" >&2
echo " [num]: Mode 1=Connection Count, Mode 2=Bytes to TX/RX" >&2
echo " [clientargs]: Passed to client (see \"./example/client/client -?\" for help)" >&2
echo " Example: Use different cipher suite: \"-l DHE-RSA-AES256-SHA\"" >&2
echo " [serverargs]: Passed to server (see \"./example/server/server -?\" for help)" >&2
echo " Example: Disable client certificate check: \"-d\"" >&2
echo "Note: If additional client or server args contains spaces wrap with double quotes" >&2
exit 1
fi
# Use unique benchmark port so it won't conflict with any other tests
bench_port=11113
no_pid=-1
server_pid=$no_pid
counter=0
client_result=-1
remove_ready_file() {
if test -e /tmp/wolfssl_server_ready; then
echo "removing existing server_ready file"
rm /tmp/wolfssl_server_ready
fi
}
do_cleanup() {
echo "in cleanup"
if [ $server_pid != $no_pid ]
then
echo "killing server"
kill -9 $server_pid
fi
remove_ready_file
}
do_trap() {
echo "got trap"
do_cleanup
exit 1
}
trap do_trap INT TERM
# Start server in loop continuous mode (-L) with echo data (-e) enabled and non-blocking (-N)
echo "\nStarting example server for benchmark test"
remove_ready_file
# benchmark connections
if [ $1 -eq 1 ]
then
# start server in loop mode with port
./examples/server/server -i -p $bench_port $4 &
server_pid=$!
fi
# benchmark throughput
if [ $1 -eq 2 ]
then
# start server in loop mode, non-blocking, benchmark throughput with port
./examples/server/server -i -N -B $2 -p $bench_port $4 &
server_pid=$!
fi
# NOTE: We sleep for 2 seconds below. If timing the execution of this script
# with "time", bear in mind that those 2 seconds will be reflected in
# the "real" time.
echo "Waiting for server_ready file..."
while [ ! -s /tmp/wolfssl_server_ready -a "$counter" -lt 20 ]; do
sleep 0.1
counter=$((counter+ 1))
done
# benchmark connections
if [ $1 -eq 1 ]
then
echo "Starting example client to benchmark connection average time"
# start client to benchmark average time for each connection using port
./examples/client/client -b $2 -p $bench_port $3
client_result=$?
fi
# benchmark throughput
if [ $1 -eq 2 ]
then
echo "Starting example client to benchmark throughput"
# start client in non-blocking mode, benchmark throughput using port
./examples/client/client -N -B $2 -p $bench_port $3
client_result=$?
fi
if [ $client_result != 0 ]
then
echo "Client failed!"
do_cleanup
exit 1
fi
# End server
kill -6 $server_pid
server_result=$?
remove_ready_file
if [ $server_result != 0 ]
then
echo "Server failed!"
exit 1
fi
echo "\nSuccess!\n"
exit 0
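Review bot: The ready file is a fixed, world-predictable path (`/tmp/wolfssl_server_ready`), and the wait loop only polls for it — when the 20 iterations expire the client is started anyway, so a server that never came up surfaces as a client failure rather than a clear timeout. crl.test in this same commit passes `-R "$ready_file"` to the same example server with a per-instance path (`` `pwd`/wolfssl_crl_ready$$ ``) and checks for the file after its loop; mirror that here, e.g. `ready_file=$(pwd)/wolfssl_bench_ready$$` plus `[ -s "$ready_file" ] || { echo "server never became ready" >&2; do_cleanup; exit 1; }` after the loop. `echo "\nStarting ..."` under `#!/bin/sh` prints a literal `\n` on shells whose echo does not interpret escapes; `printf '\nStarting example server for benchmark test\n'` is portable. Note also that `server_result=$?` after `kill -6` records whether the signal was delivered, not how the server exited; `wait $server_pid` would give the latter.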


@@ -0,0 +1,15 @@
#!/bin/sh
# Script to cleanup test files
# This is helpful if running ./tests/unit.test as sudo,
# which creates these files with sudoer permissions and
# will cause issues on subsequent tests without sudo
rm -f ./tests/bio_write_test.txt
rm -f ./test-write-dhparams.pem
rm -f ./certeccrsa.pem
rm -f ./certeccrsa.der
rm -f ./ecc-key.der
rm -f ./ecc-key.pem
rm -f ./ecc-public-key.der
rm -f ./tests/test-log-dump-to-file.txt
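Review bot: Every `rm -f` path is relative, so the script only does its job when invoked from the wolfSSL root, which nothing enforces or documents; run from elsewhere it silently removes nothing because of `-f`. Add `cd "$(dirname "$0")/.." || exit 1` before the removals, or state in the header comment that it must be run from the root, as makedistsmall.sh's header in this commit does.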


@@ -0,0 +1,220 @@
#!/bin/bash
#crl.test
CERT_DIR=certs
# if we can, isolate the network namespace to eliminate port collisions.
if [[ -n "$NETWORK_UNSHARE_HELPER" ]]; then
if [[ -z "$NETWORK_UNSHARE_HELPER_CALLED" ]]; then
export NETWORK_UNSHARE_HELPER_CALLED=yes
exec "$NETWORK_UNSHARE_HELPER" "$0" "$@" || exit $?
fi
elif [ "${AM_BWRAPPED-}" != "yes" ]; then
bwrap_path="$(command -v bwrap)"
if [ -n "$bwrap_path" ]; then
export AM_BWRAPPED=yes
exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
fi
unset AM_BWRAPPED
fi
revocation_code="-361"
exit_code=1
counter=0
# need a unique resume port since may run the same time as testsuite
# use server port zero hack to get one
crl_port=0
#no_pid tells us process was never started if -1
no_pid=-1
#server_pid captured on startup, stores the id of the server process
server_pid=$no_pid
# let's use absolute path to a local dir (make distcheck may be in sub dir)
# also let's add some randomness by adding pid in case multiple 'make check's
# per source tree
ready_file=`pwd`/wolfssl_crl_ready$$
remove_ready_file() {
if test -e "$ready_file"; then
echo -e "removing existing ready file"
rm "$ready_file"
fi
}
# trap this function so if user aborts with ^C or other kill signal we still
# get an exit that will in turn clean up the file system
abort_trap() {
echo "script aborted"
if [ $server_pid != $no_pid ]
then
echo "killing server"
kill -9 $server_pid
fi
exit_code=2 #different exit code in case of user interrupt
echo "got abort signal, exiting with $exit_code"
exit $exit_code
}
trap abort_trap INT TERM
# trap this function so that if we exit on an error the file system will still
# be restored and the other tests may still pass. Never call this function
# instead use "exit <some value>" and this function will run automatically
restore_file_system() {
remove_ready_file
}
trap restore_file_system EXIT
run_test() {
echo -e "\nStarting example server for crl test...\n"
remove_ready_file
# starts the server on crl_port, -R generates ready file to be used as a
# mutex lock, -c loads the revoked certificate. We capture the processid
# into the variable server_pid
./examples/server/server -R "$ready_file" -p $crl_port \
-c ${CERT_DIR}/server-revoked-cert.pem \
-k ${CERT_DIR}/server-revoked-key.pem &
server_pid=$!
while [ ! -s "$ready_file" -a "$counter" -lt 20 ]; do
echo -e "waiting for ready file..."
sleep 0.1
counter=$((counter+ 1))
done
# sleep for an additional 0.1 to mitigate race on write/read of $ready_file:
sleep 0.1
if test -e "$ready_file"; then
echo -e "found ready file, starting client..."
else
echo -e "NO ready file ending test..."
exit 1
fi
# get created port 0 ephemeral port
crl_port="$(cat "$ready_file")"
# starts client on crl_port and captures the output from client
capture_out=$(./examples/client/client -p $crl_port 2>&1)
client_result=$?
wait $server_pid
server_result=$?
case "$capture_out" in
*$revocation_code*)
# only exit with zero on detection of the expected error code
echo ""
echo "Successful Revocation!!!!"
echo ""
if [ $exit_hash_dir_code -ne 0 ]; then
exit_code=1
else
exit_code=0
echo "exiting with $exit_code"
exit $exit_code
fi
;;
*)
echo ""
echo "Certificate was not revoked saw this instead: $capture_out"
echo ""
echo "configure with --enable-crl and run this script again"
echo ""
esac
}
run_hashdir_test() {
echo -e "\n\nHash dir with CRL and Certificate loading"
remove_ready_file
# create hashed cert and crl
pushd ${CERT_DIR}
# ca file
ca_hash_name=`openssl x509 -in ca-cert.pem -hash -noout`
if [ -f "$ca_hash_name".0 ]; then
rm "$ca_hash_name".0
fi
ln -s ca-cert.pem "$ca_hash_name".0
# crl file
crl_hash_name=`openssl crl -in ./crl/crl.pem -hash -noout`
if [ -f "$crl_hash_name".r0 ]; then
rm "$crl_hash_name".r0
fi
ln -s ./crl/crl.pem "$crl_hash_name".r0
popd
# starts the server on crl_port, -R generates ready file to be used as a
# mutex lock, -c loads the revoked certificate. We capture the processid
# into the variable server_pid
./examples/server/server -R "$ready_file" -p $crl_port \
-c ${CERT_DIR}/server-revoked-cert.pem \
-k ${CERT_DIR}/server-revoked-key.pem &
server_pid=$!
while [ ! -s "$ready_file" -a "$counter" -lt 20 ]; do
echo -e "waiting for ready file..."
sleep 0.1
counter=$((counter+ 1))
done
# get created port 0 ephemeral port
crl_port="$(cat "$ready_file")"
# starts client on crl_port and captures the output from client
capture_out=$(./examples/client/client -p $crl_port -9 2>&1)
client_result=$?
wait $server_pid
server_result=$?
case "$capture_out" in
*$revocation_code*)
# only exit with zero on detection of the expected error code
echo ""
echo "Successful Revocation!!!! with hash dir"
echo ""
exit_hash_dir_code=0
;;
*)
echo ""
echo "Certificate was not revoked saw this instead: $capture_out"
echo ""
echo "configure with --enable-crl and run this script again"
echo ""
exit_hash_dir_code=1
esac
# clean up hashed cert and crl
pushd ${CERT_DIR}
rm "$ca_hash_name".0
rm "$crl_hash_name".r0
popd
}
######### begin program #########
# Check for enabling hash dir feature
./examples/client/client -? 2>&1 | grep -- 'hash dir'
if [ $? -eq 0 ]; then
hash_dir=yes
exit_hash_dir_code=1
fi
if [ "$hash_dir" = "yes" ]; then
run_hashdir_test
else
exit_hash_dir_code=0
fi
# run the test
run_test
# If we get to this exit, exit_code will be a 1 signaling failure
echo "exiting with $exit_code certificate was not revoked"
exit $exit_code
########## end program ##########
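Review bot: `counter` is a global that neither run_test nor run_hashdir_test resets, so when run_hashdir_test runs first its wait loop consumes iterations that run_test then lacks — if the first server needed all 20 polls, run_test's `while` exits immediately and the client is started before the ready file exists. Set `counter=0` at the top of each wait loop (ocsp-stapling-with-ca-as-responder.test in this commit does this inside wait_for_readyFile). Related: run_test starts its server with `-p $crl_port`, but by then `crl_port` holds the ephemeral port read back from run_hashdir_test's ready file rather than 0, so the second server is bound to a port that may still be in TIME_WAIT; add `crl_port=0` before that server start. The `-a` inside `[ ... ]` in both wait loops is the obsolescent form; `[[ ! -s "$ready_file" && "$counter" -lt 20 ]]` is the bash spelling the script's shebang already allows.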


@@ -0,0 +1,71 @@
#!/usr/bin/perl
# dertoc.pl
# version 1.0
# Updated 07/31/2018
#
# Copyright (C) 2006-2018 wolfSSL Inc.
#
use strict;
use warnings;
my $num_args = $#ARGV + 1;
if ($num_args != 3 ) {
print "usage: ./scripts/dertoc.pl ./certs/server-cert.der server_cert_der_2048 dertoc.c\n";
exit;
}
my $inFile = $ARGV[0];
my $outName = $ARGV[1];
my $outputFile = $ARGV[2];
# open our output file, "+>" creates and/or truncates
open OUT_FILE, "+>", $outputFile or die $!;
print OUT_FILE "/* $outputFile */\n\n";
print OUT_FILE "static const unsigned char $outName\[] =\n";
print OUT_FILE "{\n";
file_to_hex($inFile);
print OUT_FILE "};\n";
print OUT_FILE "static const int sizeof_$outName = sizeof($outName);\n\n";
# close file
close OUT_FILE or die $!;
# print file as hex, comma-separated, as needed by C buffer
sub file_to_hex {
my $fileName = $_[0];
open my $fp, "<", $fileName or die $!;
binmode($fp);
my $fileLen = -s $fileName;
my $byte;
for (my $i = 0, my $j = 1; $i < $fileLen; $i++, $j++)
{
if ($j == 1) {
print OUT_FILE "\t";
}
read($fp, $byte, 1) or die "Error reading $fileName";
my $output = sprintf("0x%02X", ord($byte));
print OUT_FILE $output;
if ($i != ($fileLen - 1)) {
print OUT_FILE ", ";
}
if ($j == 10) {
$j = 0;
print OUT_FILE "\n";
}
}
print OUT_FILE "\n";
close($fp);
}
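Review bot: The argument-count check exits with a bare `exit;` (status 0) and prints usage to STDOUT, so a Makefile rule that calls the script with the wrong arity is reported as success while the output file is never written; use `print STDERR "usage: ...\n"; exit 1;`. `$outName` is emitted verbatim into the generated C source in two places, so a typo or stray character only shows up as a compile error in dertoc.c later — a check such as `$outName =~ /^[A-Za-z_]\w*$/ or die "bad identifier: $outName"` turns that into an immediate, readable failure. In file_to_hex the output filehandle `OUT_FILE` is a bareword global shared with the top level; passing a lexical handle (`open my $out, ...`) into the sub would make the dependency explicit.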


@@ -0,0 +1,171 @@
#!/bin/bash
set -e
cleanup () {
echo
echo "Cleaning up..."
if [ ! -z "$UDP_PROXY_PID" ];then
echo "Killing udp_proxy $UDP_PROXY_PID"
kill $UDP_PROXY_PID
fi
if [ ! -z "$SERVER_PID" ];then
echo "Killing server $SERVER_PID"
kill $SERVER_PID
fi
}
trap cleanup err exit
WOLFSSL_ROOT=$(pwd)
if [ -z $UDP_PROXY_PATH ];then
UDP_PROXY_PATH=$WOLFSSL_ROOT/../udp-proxy/udp_proxy
fi
PROXY_PORT=12345
SERVER_PORT=11111
NEW_SESSION_TICKET_SIZE=200
KEY_UPDATE_SIZE=35
(killall udp_proxy || true)
(killall lt-server || true)
(killall lt-client || true)
# $WOLFSSL_ROOT/tests/unit.test tests/test-dtls13.conf
test_dropping_packets () {
for i in $(seq 0 11);do
echo -e "\ndropping packet $i\n" | tee -a /tmp/serr | tee -a /tmp/cerr | tee -a /tmp/udp
$UDP_PROXY_PATH -p $PROXY_PORT -s 127.0.0.1:$SERVER_PORT -f $i -u >>/tmp/udp &
UDP_PROXY_PID=$!
$WOLFSSL_ROOT/examples/server/server -v4 -u -Ta 2>>/tmp/serr &
SERVER_PID=$!
sleep 0.2
now=$(date +%s.%N)
$WOLFSSL_ROOT/examples/client/client -v4 -u -p$PROXY_PORT 2>>/tmp/cerr
elapsed=$(echo $(date +%s.%N) - $now | bc)
echo "it took ${elapsed} sec(s)" >> /tmp/udp
wait $SERVER_PID
SERVER_PID=
kill $UDP_PROXY_PID
UDP_PROXY_PID=
done
echo -e "\nTesting WANT_WRITE\n" | tee -a /tmp/serr | tee -a /tmp/cerr | tee -a /tmp/udp
# dropping last ack would be client error as wolfssl_read doesn't support WANT_WRITE as returned error
for i in $(seq 0 10);do
echo -e "\ndropping packet $i\n" | tee -a /tmp/serr | tee -a /tmp/cerr | tee -a /tmp/udp
$UDP_PROXY_PATH -p $PROXY_PORT -s 127.0.0.1:$SERVER_PORT -f $i -u >>/tmp/udp &
UDP_PROXY_PID=$!
$WOLFSSL_ROOT/examples/server/server -v4 -u -Ta -6 2>>/tmp/serr &
SERVER_PID=$!
sleep 0.2
now=$(date +%s.%N)
$WOLFSSL_ROOT/examples/client/client -v4 -u -p$PROXY_PORT -6 2>>/tmp/cerr
elapsed=$(echo $(date +%s.%N) - $now | bc)
echo "it took ${elapsed} sec(s)" >> /tmp/udp
wait $SERVER_PID
SERVER_PID=
kill $UDP_PROXY_PID
UDP_PROXY_PID=
done
}
# this test is based on detecting newSessionTicket message by its size. This is rather fragile.
test_dropping_new_session_ticket() {
echo -e "\ndropping new session ticket packet of size $NEW_SESSION_TICKET_SIZE\n" | tee -a /tmp/serr | tee -a /tmp/cerr | tee -a /tmp/udp
$UDP_PROXY_PATH -p $PROXY_PORT -s 127.0.0.1:$SERVER_PORT -F $NEW_SESSION_TICKET_SIZE -u >>/tmp/udp &
UDP_PROXY_PID=$!
$WOLFSSL_ROOT/examples/server/server -v4 -w -u 2>>/tmp/serr &
SERVER_PID=$!
sleep 0.2
now=$(date +%s.%N)
$WOLFSSL_ROOT/examples/client/client -v4 -u -p$PROXY_PORT -w --waitTicket 2>>/tmp/cerr
elapsed=$(echo $(date +%s.%N) - $now | bc)
echo "it took ${elapsed} sec(s)" >> /tmp/udp
wait $SERVER_PID
SERVER_PID=
kill $UDP_PROXY_PID
UDP_PROXY_PID=
}
test_permutations () {
SIDE=$1
PERMUTATIONS=$(python3 << EOF
import itertools
for p in itertools.permutations("$2"):
print(''.join(p))
EOF
)
echo "Testing $SIDE msg permutations"
for i in $PERMUTATIONS;do
echo -n "Testing $SIDE order $i"
UDP_LOGFILE=/tmp/udp-$SIDE-$i
$UDP_PROXY_PATH -p $PROXY_PORT -s 127.0.0.1:$SERVER_PORT -u -r $i -l $UDP_LOGFILE -S $SIDE &
UDP_PROXY_PID=$!
$WOLFSSL_ROOT/examples/server/server -v4 -u -Ta -w &> /tmp/serr &
SERVER_PID=$!
sleep 0.2
now=$(date +%s.%N)
$WOLFSSL_ROOT/examples/client/client -v4 -u -p$PROXY_PORT -w &> /tmp/cerr
elapsed=$(echo $(date +%s.%N) - $now | bc)
udp_lines=$(grep -P 'client:|server:' $UDP_LOGFILE | wc -l)
echo " took ${elapsed} sec(s) and produced ${udp_lines} messages"
wait $SERVER_PID
SERVER_PID=
kill $UDP_PROXY_PID
UDP_PROXY_PID=
rm $UDP_LOGFILE
done
echo "All $SIDE msg permutations succeeded"
}
test_time_delays () {
DELAYS=$(python3 << EOF
import itertools
t = [0.1, 0.5, 1.1]
tt = []
for i in itertools.product(t, t, t):
tt.append(i * 15)
for i in tt:
print(','.join(map(lambda x: str(x) , i)))
EOF
)
for DELAY in $DELAYS;do
echo -n "Testing delay $DELAY"
UDP_LOGFILE=/tmp/udp-delay-$DELAY
$UDP_PROXY_PATH -p $PROXY_PORT -s 127.0.0.1:$SERVER_PORT -u -l "$UDP_LOGFILE" -t $DELAY &
UDP_PROXY_PID=$!
$WOLFSSL_ROOT/examples/server/server -v4 -u -Ta -w &> /tmp/serr &
SERVER_PID=$!
sleep 0.2
now=$(date +%s.%N)
$WOLFSSL_ROOT/examples/client/client -v4 -u -p$PROXY_PORT -w &> /tmp/cerr
elapsed=$(echo $(date +%s.%N) - $now | bc)
udp_lines=$(grep -P 'client:|server:' "$UDP_LOGFILE" | wc -l)
echo " took ${elapsed} sec(s) and produced ${udp_lines} messages"
wait $SERVER_PID
SERVER_PID=
kill $UDP_PROXY_PID
UDP_PROXY_PID=
rm "$UDP_LOGFILE"
done
}
test_dropping_packets
test_permutations client 012
test_dropping_new_session_ticket
if [ ! -z $DTLS13_DO_SERVER_PERMUTATION_TEST ];then
test_permutations server 0123456
fi
# TODO: fix udp_proxy to not re-order close alert before app data
if [ ! -z $DTLS13_DO_DELAY_TEST ];then
test_time_delays
fi
echo
echo "All tests SUCCEEDED!!!"
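Review bot: All diagnostics go to fixed names in shared /tmp (`/tmp/serr`, `/tmp/cerr`, `/tmp/udp`, `/tmp/udp-$SIDE-$i`, `/tmp/udp-delay-$DELAY`), mostly with `>>`, so the script writes through whatever already exists at those paths — a leftover from an aborted run is counted by the `grep -P 'client:|server:' | wc -l` in test_permutations and test_time_delays if udp_proxy appends rather than truncates, and a symlink left by another local user redirects the writes. dtlscid.test in this commit already uses `mktemp`; do the same here, e.g. `LOGDIR=$(mktemp -d)` at startup, `/tmp/` → `"$LOGDIR/"` throughout, and `rm -rf -- "$LOGDIR"` in cleanup. Separately, `[ -z $UDP_PROXY_PATH ]` and the two `[ ! -z $DTLS13_DO_... ]` tests are unquoted; under `set -e` a value containing whitespace aborts the script with a `[` usage error, so write `[ -z "$UDP_PROXY_PATH" ]`. The `grep ... | wc -l` pipelines can be `grep -cP`.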


@@ -0,0 +1,51 @@
#!/bin/bash
set -e
# if we can, isolate the network namespace to eliminate port collisions.
if [[ -n "$NETWORK_UNSHARE_HELPER" ]]; then
if [[ -z "$NETWORK_UNSHARE_HELPER_CALLED" ]]; then
export NETWORK_UNSHARE_HELPER_CALLED=yes
exec "$NETWORK_UNSHARE_HELPER" "$0" "$@" || exit $?
fi
elif [ "${AM_BWRAPPED-}" != "yes" ]; then
bwrap_path="$(command -v bwrap)"
if [ -n "$bwrap_path" ]; then
export AM_BWRAPPED=yes
exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
fi
unset AM_BWRAPPED
fi
cleanup () {
echo "Cleaning up..."
if [ ! -z "$SERVER_PID" ];then
echo "Killing server $SERVER_PID"
kill $SERVER_PID
fi
}
trap cleanup err exit
CCID="AA"
SCID="BB"
HEXCID=$(printf $CCID | od -An -tx1 | tr -d ' \n')
HEXSCID=$(printf $SCID | od -An -tx1 | tr -d ' \n')
WOLFSSL_ROOT=$(pwd)
test_cid () {
echo "Running test_cid"
SERVER_FILE=$(mktemp)
CLIENT_FILE=$(mktemp)
$WOLFSSL_ROOT/examples/server/server -v4 -u --cid $SCID 1> $SERVER_FILE &
SERVER_PID=$!
sleep 0.2
$WOLFSSL_ROOT/examples/client/client -v4 -u --cid $CCID 1> $CLIENT_FILE
wait $SERVER_PID
SERVER_PID=
grep "Sending CID is ${HEXSCID}" $CLIENT_FILE > /dev/null
grep "Sending CID is ${HEXCID}" $SERVER_FILE > /dev/null
echo "test_cid has passed"
}
test_cid
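Review bot: The two `mktemp` files created in test_cid are never removed — cleanup only kills the server — so every run, including the `set -e` failure path, leaves `SERVER_FILE`/`CLIENT_FILE` behind in /tmp. Initialise them empty before the `trap` line and add `rm -f -- "$SERVER_FILE" "$CLIENT_FILE"` to cleanup. Quote `$SERVER_FILE`/`$CLIENT_FILE` in the redirections and grep calls, and since `$CCID`/`$SCID` are used as printf's format string, `printf '%s' "$CCID"` is the safer spelling even for these constants.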


@@ -0,0 +1,48 @@
#!/bin/bash
# external.test
SCRIPT_DIR="$(dirname "$0")"
server=www.wolfssl.com
ca=./certs/wolfssl-website-ca.pem
[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
# www.wolfssl.com isn't using RFC 8446 yet but the draft instead.
if ! ./examples/client/client -V | grep -q 3; then
echo 'skipping external.test because TLS1.2 is not available.' 1>&2
exit 77
fi
# cloudflare seems to change CAs quickly, disabled by default
if test -n "$WOLFSSL_EXTERNAL_TEST"; then
BUILD_FLAGS="$(./examples/client/client '-#')"
if echo "$BUILD_FLAGS" | fgrep -q -e ' -DWOLFSSL_SNIFFER '; then
echo 'skipping WOLFSSL_EXTERNAL_TEST because -DWOLFSSL_SNIFFER configuration of build is incompatible.'
exit 77
fi
if echo "$BUILD_FLAGS" | fgrep -v -q -e ' -DHAVE_ECC '; then
echo 'skipping WOLFSSL_EXTERNAL_TEST because -UHAVE_ECC configuration of build is incompatible.'
exit 77
fi
echo "WOLFSSL_EXTERNAL_TEST set, running test..."
else
echo "WOLFSSL_EXTERNAL_TEST NOT set, won't run"
exit 77
fi
# is our desired server there?
"${SCRIPT_DIR}"/ping.test $server 2
RESULT=$?
[ $RESULT -ne 0 ] && exit 0
# client test against the server
./examples/client/client -X -C -h $server -p 443 -g -A $ca
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1
exit 0
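Review bot: `[ $RESULT -ne 0 ] && exit 0` after the ping turns an unreachable `www.wolfssl.com` into a passing test although no TLS connection was attempted; every other precondition in this script uses the automake skip status, so this should be `[ $RESULT -ne 0 ] && exit 77`. google.test in this commit has the identical construct after its ping check. `fgrep` is the deprecated spelling of `grep -F`, and `$server`/`$ca` should be quoted in the client invocation.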


@@ -0,0 +1,31 @@
#!/bin/bash
# google.test
server=www.google.com
[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
if ! ./examples/client/client -V | grep -q 3; then
echo 'skipping google.test because TLS1.2 is not available.' 1>&2
exit 77
fi
# is our desired server there?
./scripts/ping.test $server 2
RESULT=$?
[ $RESULT -ne 0 ] && exit 0
# client test against the server
./examples/client/client -X -C -h $server -p 443 -g -d
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1
if ./examples/client/client -V | grep -q 4; then
# client test against the server using TLS v1.3
./examples/client/client -v 4 -X -C -h $server -p 443 -g -d
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\n\nTLSv1.3 Client connection failed" && exit 1
fi
exit 0


@@ -0,0 +1,128 @@
# vim:ft=automake
# included from Top Level Makefile.am
# All paths should be given relative to the root
if BUILD_SNIFFTEST
dist_noinst_SCRIPTS+= scripts/sniffer-testsuite.test
endif
if BUILD_EXAMPLE_SERVERS
dist_noinst_SCRIPTS+= scripts/resume.test
# The CRL and OCSP tests use RSA certificates.
if BUILD_RSA
if BUILD_CRL
# make revoked test rely on completion of resume test
dist_noinst_SCRIPTS+= scripts/crl-revoked.test
scripts/crl-revoked.log: scripts/resume.log
endif
# arrange to serialize ocsp.test, ocsp-stapling.test, ocsp-stapling-with-ca-as-responder.test, ocsp-stapling2.test, and testsuite,
# to help mitigate port conflicts among them.
# note that unit.test is gated on testsuite in Makefile.am, which is also helpful for these purposes.
if BUILD_OCSP_STAPLING
dist_noinst_SCRIPTS+= scripts/ocsp-stapling.test
if !BUILD_OCSP_STAPLING_V2
testsuite/testsuite.log: scripts/ocsp-stapling.log scripts/ocsp-stapling-with-ca-as-responder.log
endif
scripts/ocsp-stapling.log: scripts/ocsp.log
dist_noinst_SCRIPTS+= scripts/ocsp-stapling-with-ca-as-responder.test
scripts/ocsp-stapling-with-ca-as-responder.log: scripts/ocsp.log
scripts/ocsp-stapling-with-ca-as-responder.log: scripts/ocsp-stapling.log
endif
if BUILD_OCSP_STAPLING_V2
dist_noinst_SCRIPTS+= scripts/ocsp-stapling2.test
if BUILD_OCSP_STAPLING
testsuite/testsuite.log: scripts/ocsp-stapling2.log
scripts/ocsp-stapling2.log: scripts/ocsp.log
scripts/ocsp-stapling2.log: scripts/ocsp-stapling.log
scripts/ocsp-stapling2.log: scripts/ocsp-stapling-with-ca-as-responder.log
else
scripts/ocsp-stapling2.log: scripts/ocsp.log
endif
endif
endif
if BUILD_PSK
dist_noinst_SCRIPTS+= scripts/psk.test
endif
if BUILD_TRUST_PEER_CERT
dist_noinst_SCRIPTS+= scripts/trusted_peer.test
endif
if BUILD_PKCALLBACKS
dist_noinst_SCRIPTS+= scripts/pkcallbacks.test
scripts/pkcallbacks.log: scripts/resume.log
endif
if BUILD_TLS13
dist_noinst_SCRIPTS+= scripts/tls13.test
endif
endif # end of BUILD_EXAMPLE_SERVERS
if BUILD_EXAMPLE_CLIENTS
if !BUILD_IPV6
dist_noinst_SCRIPTS+= scripts/external.test
dist_noinst_SCRIPTS+= scripts/google.test
dist_noinst_SCRIPTS+= scripts/openssl.test
if BUILD_OCSP
dist_noinst_SCRIPTS+= scripts/ocsp.test
endif
dist_noinst_SCRIPTS+= scripts/unit.test
noinst_SCRIPTS+= scripts/unit.test.in
endif
endif
EXTRA_DIST += scripts/sniffer-static-rsa.pcap \
scripts/sniffer-ipv6.pcap \
scripts/sniffer-tls13-dh.pcap \
scripts/sniffer-tls13-dh-resume.pcap \
scripts/sniffer-tls13-ecc.pcap \
scripts/sniffer-tls13-ecc-resume.pcap \
scripts/sniffer-tls13-x25519.pcap \
scripts/sniffer-tls13-x25519-resume.pcap \
scripts/sniffer-tls13-hrr.pcap \
scripts/sniffer-gen.sh \
scripts/ping.test \
scripts/benchmark.test \
scripts/memtest.sh \
scripts/makedistsmall.sh \
scripts/openssl_srtp.test
# leave openssl.test as extra until non bash works
EXTRA_DIST += scripts/openssl.test
EXTRA_DIST += scripts/dertoc.pl
# for use with wolfssl-x.x.x-commercial-fips-stm32l4-v2
EXTRA_DIST += scripts/stm32l4-v4_0_1_build.sh
EXTRA_DIST += scripts/cleanup_testfiles.sh
if BUILD_DTLS13
EXTRA_DIST += scripts/dtls13.test
EXTRA_DIST += scripts/dtlscid.test
endif
if BUILD_DTLS_CID
dist_noinst_SCRIPTS+= scripts/dtlscid.test
endif
EXTRA_DIST += scripts/bench/bench_functions.sh
EXTRA_DIST += scripts/user_settings_asm.sh
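Review bot: `scripts/dtls13.test` is only added to EXTRA_DIST under BUILD_DTLS13 and never to dist_noinst_SCRIPTS, so as far as this fragment shows it is shipped in the tarball but never executed by `make check` (unless Makefile.am registers it elsewhere). If that is intentional, a comment like the one above openssl.test (`# leave openssl.test as extra until non bash works`) would say so; otherwise add `dist_noinst_SCRIPTS+= scripts/dtls13.test` inside the BUILD_DTLS13 block. `scripts/dtlscid.test` is listed twice (EXTRA_DIST under BUILD_DTLS13 and dist_noinst_SCRIPTS under BUILD_DTLS_CID); harmless, but the EXTRA_DIST line is redundant when both conditions hold.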


@@ -0,0 +1,133 @@
#!/bin/bash
#set -v
# Script to produce a small source/header only package (with CMake support)
# Run this script from the wolfSSL root as `./scripts/makedistsmall.sh`.
# Package requires building with:
# cmake .. -DWOLFSSL_EXAMPLES=no -DWOLFSSL_FILESYSTEM=no
if [ "$1" == "keep" ]; then KEEP="yes"; else KEEP="no"; fi
WOLFSSL_TEMPDIR=$(mktemp -d) || exit $?
function cleanup_on_exit() {
if [ "$KEEP" == "no" ];
then
echo "Removing tmp directory"
rm -rf "$WOLFSSL_TEMPDIR"
else
echo "tmp directory ${WOLFSSL_TEMPDIR} left in place."
fi
}
trap cleanup_on_exit EXIT
WOLFSSL_VERSION=$(grep -Eo '[0-9]\.[0-9]\.[0-9]+' wolfssl/version.h)
if [ -n "$WOLFSSL_VERSION" ]; then
echo "Detected wolfSSL Version $WOLFSSL_VERSION"
else
echo "Couldn't detect wolfSSL version."
exit 1
fi
# generate a wolfSSL archive with minimum sources
echo "Setting up work directory..."
git clone -q -n --shared . "$WOLFSSL_TEMPDIR" || exit $?
pushd "$WOLFSSL_TEMPDIR" >/dev/null || exit $?
git checkout -q master || exit $?
# cleanup example directories
echo "Removing files not needed..."
rm -rf -- ./.git*
rm -rf ./build-aux
rm -rf ./certs
rm -rf ./ctaocrypt
rm -rf ./cyassl
rm -rf ./doc
# these use test.h, which are not portable
rm -rf ./examples
rm -rf ./IDE
rm -rf ./IPP
rm -rf ./lib
rm -rf ./linuxkm
rm -rf ./m4
rm -rf ./mcapi
rm -rf ./mplabx
rm -rf ./mqx
rm -rf ./rpm
rm -rf ./scripts
rm -rf ./sslSniffer
rm -rf ./swig
rm -rf ./tests
rm -rf ./testsuite
rm -rf ./tirtos
rm -rf ./wolfcrypt/user-crypto
rm -rf ./wrapper
rm -rf ./zephyr
rm -f -- *.rc *.supp *.ac *.am *.conf *.sh *.cproject *.project *.pl
rm -f Vagrantfile SCRIPTS-LIST quit input resource.h
find . -name "*.am" -delete
find . -name "*.vcxproj" -delete
find . -name "*.vcproj" -delete
find . -name "*.sln" -delete
# TLS/Compatiblity layer
#rm -rf ./src
#rm -rf ./wolfssl/openssl
# wolfCrypt
#rm -f ./wolfcrypt/src/*.i
#rm -f ./wolfcrypt/src/*.S
#rm -f ./wolfcrypt/src/*.asm
#rm -f ./wolfcrypt/src/arc4.c
#rm -f ./wolfcrypt/src/async.c
#rm -f ./wolfcrypt/src/blake*
#rm -f ./wolfcrypt/src/camellia.c
#rm -f ./wolfcrypt/src/chacha*
#rm -f ./wolfcrypt/src/compress.c
#rm -f ./wolfcrypt/src/cpuid.c
#rm -f ./wolfcrypt/src/curve*
#rm -f ./wolfcrypt/src/cryptocb.c
#rm -f ./wolfcrypt/src/dsa.c
#rm -f ./wolfcrypt/src/ed*
#rm -f ./wolfcrypt/src/evp.c
#rm -f ./wolfcrypt/src/fe*
#rm -f ./wolfcrypt/src/ge*
#rm -f ./wolfcrypt/src/md*.c
#rm -f ./wolfcrypt/src/pkcs*
#rm -f ./wolfcrypt/src/poly*
#rm -f ./wolfcrypt/src/pwdbased.c
#rm -f ./wolfcrypt/src/rc2.c
#rm -f ./wolfcrypt/src/ripemd.c
#rm -f ./wolfcrypt/src/rabbit.c
#rm -f ./wolfcrypt/src/signature.c
#rm -f ./wolfcrypt/src/srp.c
#rm -f ./wolfcrypt/src/wc_dsp.c
#rm -f ./wolfcrypt/src/wolfevent.c
#rm -f ./wolfcrypt/src/wc_encrypt.c
#rm -f ./wolfcrypt/src/wc_pkcs11.c
# SP Math files
#rm -f ./wolfcrypt/src/sp_arm32.c
#rm -f ./wolfcrypt/src/sp_arm64.c
#rm -f ./wolfcrypt/src/sp_armthumb.c
#rm -f ./wolfcrypt/src/sp_cortexm.c
#rm -f ./wolfcrypt/src/sp_dsp32.c
#rm -f ./wolfcrypt/src/sp_x86_64.c
# wolfCrypt Ports
rm -rf ./wolfcrypt/src/port
rm -rf ./wolfssl/wolfcrypt/port
# Setup blank options.h
cp ./wolfssl/options.h.in ./wolfssl/options.h || exit $?
cp ./wolfcrypt/test/test_paths.h.in ./wolfcrypt/test/test_paths.h || exit $?
popd >/dev/null || exit $?
echo "Generating wolfssl-${WOLFSSL_VERSION}-small.tar.gz..."
tar zcf "wolfssl-${WOLFSSL_VERSION}-small.tar.gz" -C "$WOLFSSL_TEMPDIR" . || exit $?
echo "Done"
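Review bot: `WOLFSSL_VERSION` is taken from `grep -Eo '[0-9]\.[0-9]\.[0-9]+' wolfssl/version.h` with no match limit, so if version.h contains the dotted triple more than once the variable holds several lines and the tarball name at the end embeds a newline; use `grep -Eom1` or pipe through `head -n1`. The clone is `--shared` and then `git checkout -q master`, so the package is always built from the local master branch rather than the checked-out working tree; either say so in the header comment or check out `$(git rev-parse --abbrev-ref HEAD)`. The long `rm -rf` batch is only safe because the preceding `pushd "$WOLFSSL_TEMPDIR" ... || exit $?` aborts on failure; a comment such as `# everything below runs inside the temporary clone` would keep that invariant visible to the next editor.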


@@ -0,0 +1,24 @@
#!/bin/bash
# Run this script from the wolfSSL root as `./scripts/memtest.sh`.
./autogen.sh
./configure --enable-debug --disable-shared --enable-memtest \
--enable-opensslextra --enable-des3 --enable-dh --enable-ecc --enable-aesgcm --enable-aesccm \
--enable-sniffer --enable-psk --enable-camellia --enable-sha512 --enable-crl --enable-ocsp --enable-savesession \
--enable-savecert --enable-atomicuser --enable-pkcallbacks --enable-scep;
#DTLS has issue with trapping client/server failure disconnect since its stateless. Need to find way to communicate failure through file system.
#--enable-dtls
make
for i in {1..1000}
do
echo "Trying $i...\n"
./tests/unit.test > ./scripts/memtest.txt 2>&1
RESULT=$?
[ $RESULT -eq 139 ] && echo "Mem Seg Fault" && exit 1
done
echo "Loop SUCCESS"
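Review bot: `./autogen.sh`, `./configure` and `make` are not checked, so if any of them fails the 1000-iteration loop runs whatever `./tests/unit.test` binary already exists — possibly built with a configuration other than the `--enable-memtest` one this script is meant to exercise; add `|| exit 1` to each (or `set -e` at the top). The loop only reacts to status 139 (SIGSEGV); any other non-zero result, including an ordinary test failure or an abort (134), is ignored and the run still prints `Loop SUCCESS`, so `[ $RESULT -ne 0 ] && echo "unit.test failed with $RESULT" && exit 1` is the more useful check. `echo "Trying $i...\n"` prints a literal `\n` under bash; use `printf 'Trying %s...\n' "$i"`. Note also that `./scripts/memtest.txt` is overwritten on every iteration, so only the last run's output survives a failure.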


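--- a/ocsp-stapling-with-ca-as-responder.test
+++ b/ocsp-stapling-with-ca-as-responder.test
@@ -0,0 +1,270 @@
+#!/bin/bash
+# ocsp-stapling-with-ca-as-responder.test
+SCRIPT_DIR="$(dirname "$0")"
+# if we can, isolate the network namespace to eliminate port collisions.
+if [[ -n "$NETWORK_UNSHARE_HELPER" ]]; then
+if [[ -z "$NETWORK_UNSHARE_HELPER_CALLED" ]]; then
+export NETWORK_UNSHARE_HELPER_CALLED=yes
+exec "$NETWORK_UNSHARE_HELPER" "$0" "$@" || exit $?
+fi
+elif [ "${AM_BWRAPPED-}" != "yes" ]; then
+bwrap_path="$(command -v bwrap)"
+if [ -n "$bwrap_path" ]; then
+export AM_BWRAPPED=yes
+exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
+fi
+unset AM_BWRAPPED
+fi
+if [[ -z "${RETRIES_REMAINING-}" ]]; then
+export RETRIES_REMAINING=2
+fi
+if ! ./examples/client/client -V | grep -q 3; then
+echo 'skipping ocsp-stapling-with-ca-as-responder.test because TLS1.2 is not available.' 1>&2
+exit 77
+fi
+PARENTDIR="$PWD"
+# create a unique workspace directory ending in PID for the script instance ($$)
+# to make this instance orthogonal to any others running, even on same repo.
+# TCP ports are also carefully formed below from the PID, to minimize conflicts.
+WORKSPACE="${PARENTDIR}/workspace.pid$$"
+mkdir "${WORKSPACE}" || exit $?
+cp -pR ${SCRIPT_DIR}/../certs "${WORKSPACE}"/ || exit $?
+cd "$WORKSPACE" || exit $?
+ln -s ../examples
+CERT_DIR="certs/ocsp"
+ready_file="${WORKSPACE}"/wolf_ocsp_s1_readyF$$
+ready_file2="${WORKSPACE}"/wolf_ocsp_s1_readyF2$$
+printf '%s\n' "ready files: \"$ready_file\" \"$ready_file2\""
+test_cnf="ocsp_s_w_ca_a_r.cnf"
+wait_for_readyFile(){
+counter=0
+while [ ! -s "$1" -a "$counter" -lt 20 ]; do
+if [[ -n "${2-}" ]]; then
+if ! kill -0 $2 2>&-; then
+echo "pid $2 for port ${3-} exited before creating ready file. bailing..."
+exit 1
+fi
+fi
+echo -e "waiting for ready file..."
+sleep 0.1
+counter=$((counter+ 1))
+done
+if test -e "$1"; then
+echo -e "found ready file, starting client..."
+else
+echo -e "NO ready file at \"$1\" -- ending test..."
+exit 1
+fi
+}
+remove_single_rF(){
+if test -e "$1"; then
+printf '%s\n' "removing ready file: \"$1\""
+rm "$1"
+fi
+}
+#create a configure file for cert generation with the port 0 solution
+create_new_cnf() {
+printf '%s\n' "Random Port Selected: $RPORTSELECTED"
+printf '%s\n' "#" > $test_cnf
+printf '%s\n' "# openssl configuration file for OCSP certificates" >> $test_cnf
+printf '%s\n' "#" >> $test_cnf
+printf '%s\n' "" >> $test_cnf
+printf '%s\n' "# Extensions to add to a certificate request (intermediate1-ca)" >> $test_cnf
+printf '%s\n' "[ v3_req1 ]" >> $test_cnf
+printf '%s\n' "basicConstraints = CA:false" >> $test_cnf
+printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
+printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
+printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf
+printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:$1" >> $test_cnf
+printf '%s\n' "" >> $test_cnf
+printf '%s\n' "# Extensions to add to a certificate request (intermediate2-ca)" >> $test_cnf
+printf '%s\n' "[ v3_req2 ]" >> $test_cnf
+printf '%s\n' "basicConstraints = CA:false" >> $test_cnf
+printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
+printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
+printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf
+printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:22222" >> $test_cnf
+printf '%s\n' "" >> $test_cnf
+printf '%s\n' "# Extensions to add to a certificate request (intermediate3-ca)" >> $test_cnf
+printf '%s\n' "[ v3_req3 ]" >> $test_cnf
+printf '%s\n' "basicConstraints = CA:false" >> $test_cnf
+printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
+printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
+printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf
+printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:22223" >> $test_cnf
+printf '%s\n' "" >> $test_cnf
+printf '%s\n' "# Extensions for a typical CA" >> $test_cnf
+printf '%s\n' "[ v3_ca ]" >> $test_cnf
+printf '%s\n' "basicConstraints = CA:true" >> $test_cnf
+printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
+printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
+printf '%s\n' "keyUsage = keyCertSign, cRLSign" >> $test_cnf
+printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:22220" >> $test_cnf
+printf '%s\n' "" >> $test_cnf
+printf '%s\n' "# OCSP extensions." >> $test_cnf
+printf '%s\n' "[ v3_ocsp ]" >> $test_cnf
+printf '%s\n' "basicConstraints = CA:false" >> $test_cnf
+printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
+printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
+printf '%s\n' "extendedKeyUsage = OCSPSigning" >> $test_cnf
+mv $test_cnf $CERT_DIR/$test_cnf
+cd $CERT_DIR
+CURR_LOC="$PWD"
+printf '%s\n' "echo now in $CURR_LOC"
+./renewcerts-for-test.sh $test_cnf
+cd $WORKSPACE
+}
+remove_ready_file() {
+if test -e "$ready_file"; then
+printf '%s\n' "removing ready file"
+rm "$ready_file"
+fi
+if test -e "$ready_file2"; then
+printf '%s\n' "removing ready file: \"$ready_file2\""
+rm "$ready_file2"
+fi
+}
+cleanup()
+{
+exit_status=$?
+for i in $(jobs -pr)
+do
+kill -s HUP "$i"
+done
+remove_ready_file
+rm $CERT_DIR/$test_cnf
+cd "$PARENTDIR" || return 1
+rm -r "$WORKSPACE" || return 1
+if [[ ("$exit_status" == 1) && ($RETRIES_REMAINING -gt 0) ]]; then
+echo "retrying..."
+RETRIES_REMAINING=$((RETRIES_REMAINING - 1))
+exec $0 "$@"
+fi
+}
+trap cleanup EXIT INT TERM HUP
+server=login.live.com
+ca=certs/external/baltimore-cybertrust-root.pem
+[ ! -x ./examples/client/client ] && printf '\n\n%s\n' "Client doesn't exist" && exit 1
+# choose consecutive ports based on the PID, skipping any that are
+# already bound, to avoid the birthday problem in case other
+# instances are sharing this host.
+get_first_free_port() {
+local ret="$1"
+while :; do
+if [[ "$ret" -ge 65536 ]]; then
+ret=1024
+fi
+if ! nc -z 127.0.0.1 "$ret"; then
+break
+fi
+ret=$((ret+1))
+done
+echo "$ret"
+return 0
+}
+base_port=$((((($$ + $RETRIES_REMAINING) * 5) % (65536 - 2048)) + 1024))
+port1=$(get_first_free_port $base_port)
+port2=$(get_first_free_port $((port1 + 1)))
+# create a port to use with openssl ocsp responder
+./examples/server/server -R "$ready_file" -p $port1 &
+wolf_pid=$!
+wait_for_readyFile "$ready_file" $wolf_pid $port1
+if [ ! -f "$ready_file" ]; then
+printf '%s\n' "Failed to create ready file: \"$ready_file\""
+exit 1
+else
+printf '%s\n' "Random port selected: $port1"
+# Use client connection to shutdown the server cleanly
+./examples/client/client -p $port1
+create_new_cnf $port1
+fi
+sleep 0.1
+# is our desired server there? - login.live.com doesn't answers PING
+#./scripts/ping.test $server 2
+# client test against the server
+# external test case was never running, disable for now but retain case in event
+# we wish to re-activate in the future.
+#./examples/client/client -X -C -h $server -p 443 -A $ca -g -W 1
+#RESULT=$?
+#[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1
+# setup ocsp responder
+# OLD: ./certs/ocsp/ocspd-intermediate1-ca-issued-certs-with-ca-as-responder.sh &
+# NEW: openssl isn't being cleaned up, invoke directly in script for cleanup
+# purposes!
+openssl ocsp -port $port1 -nmin 1 \
+-index certs/ocsp/index-intermediate1-ca-issued-certs.txt \
+-rsigner certs/ocsp/intermediate1-ca-cert.pem \
+-rkey certs/ocsp/intermediate1-ca-key.pem \
+-CA certs/ocsp/intermediate1-ca-cert.pem \
+"$@" \
+&
+sleep 0.1
+# "jobs" is not portable for posix. Must use bash interpreter!
+[ $(jobs -r | wc -l) -ne 1 ] && printf '\n\n%s\n' "Setup ocsp responder failed, skipping" && exit 0
+printf '%s\n\n' "------------- TEST CASE 1 SHOULD PASS ------------------------"
+# client test against our own server - GOOD CERT
+./examples/server/server -c certs/ocsp/server1-cert.pem \
+-k certs/ocsp/server1-key.pem -R "$ready_file2" \
+-p $port2 &
+wolf_pid2=$!
+wait_for_readyFile "$ready_file2" $wolf_pid2 $port2
+./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 \
+-p $port2
+RESULT=$?
+[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection failed" && exit 1
+printf '%s\n\n' "Test PASSED!"
+printf '%s\n\n' "------------- TEST CASE 2 SHOULD REVOKE ----------------------"
+# client test against our own server - REVOKED CERT
+remove_single_rF "$ready_file2"
+./examples/server/server -c certs/ocsp/server2-cert.pem \
+-k certs/ocsp/server2-key.pem -R "$ready_file2" \
+-p $port2 &
+wolf_pid2=$!
+wait_for_readyFile "$ready_file2" $wolf_pid2 $port2
+./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 \
+-p $port2
+RESULT=$?
+[ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection succeeded $RESULT" && exit 1
+printf '%s\n\n' "Test successfully REVOKED!"
+exit 0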
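Review bot: `exec $0 "$@"` in the retry branch of `cleanup` expands the trap handler's own (empty) argument list, not the script's, so a retried run silently drops the arguments this script forwards to `openssl ocsp` through `"$@"`; the same handler is repeated in ocsp-stapling.test and ocsp-stapling2.test. Capture them once before the trap is installed, `script_args=("$@")`, and retry with `exec "$0" "${script_args[@]}"`. `create_new_cnf` also prints `$RPORTSELECTED`, which is never assigned in this file, where the other two scripts print `$1`. Separately, `openssl ocsp -port $port1` is given no bind address, so when neither NETWORK_UNSHARE_HELPER nor bwrap is available the responder, signing with the intermediate CA's private key, is reachable on every interface for the test's duration; a comment on that line stating that loopback isolation is expected from the block at the top of the file would make the assumption visible.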


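--- a/ocsp-stapling.test
+++ b/ocsp-stapling.test
@@ -0,0 +1,461 @@
+#!/bin/bash
+# ocsp-stapling.test
+# Test requires HAVE_OCSP and HAVE_CERTIFICATE_STATUS_REQUEST
+# Note, this script makes connection(s) to the public Internet.
+SCRIPT_DIR="$(dirname "$0")"
+if [[ -z "${RETRIES_REMAINING-}" ]]; then
+export RETRIES_REMAINING=2
+fi
+if ! ./examples/client/client -V | grep -q 3; then
+echo 'skipping ocsp-stapling.test because TLS1.2 is not available.' 1>&2
+exit 77
+fi
+if openssl s_server -help 2>&1 | fgrep -q -i ipv6 && nc -h 2>&1 | fgrep -q -i ipv6; then
+IPV6_SUPPORTED=yes
+else
+IPV6_SUPPORTED=no
+fi
+if ./examples/client/client '-#' | fgrep -q -e ' -DTEST_IPV6 '; then
+if [[ "$IPV6_SUPPORTED" == "no" ]]; then
+echo 'Skipping IPV6 test in environment lacking IPV6 support.'
+exit 77
+fi
+LOCALHOST='[::1]'
+LOCALHOST_FOR_NC='::1'
+V4V6=6
+V4V6_FLAG=-6
+else
+LOCALHOST='127.0.0.1'
+LOCALHOST_FOR_NC='127.0.0.1'
+if [[ "$IPV6_SUPPORTED" == "yes" ]]; then
+V4V6_FLAG=-4
+else
+V4V6_FLAG=
+fi
+V4V6=4
+fi
+PARENTDIR="$PWD"
+# create a unique workspace directory ending in PID for the script instance ($$)
+# to make this instance orthogonal to any others running, even on same repo.
+# TCP ports are also carefully formed below from the PID, to minimize conflicts.
+WORKSPACE="${PARENTDIR}/workspace.pid$$"
+mkdir "${WORKSPACE}" || exit $?
+cp -pR ${SCRIPT_DIR}/../certs "${WORKSPACE}"/ || exit $?
+cd "$WORKSPACE" || exit $?
+ln -s ../examples
+CERT_DIR="./certs/ocsp"
+ready_file="$WORKSPACE"/wolf_ocsp_s1_readyF$$
+ready_file2="$WORKSPACE"/wolf_ocsp_s1_readyF2$$
+printf '%s\n' "ready file: \"$ready_file\""
+test_cnf="ocsp_s1.cnf"
+wait_for_readyFile(){
+counter=0
+while [ ! -s "$1" -a "$counter" -lt 20 ]; do
+if [[ -n "${2-}" ]]; then
+if ! kill -0 $2 2>&-; then
+echo "pid $2 for port ${3-} exited before creating ready file. bailing..."
+exit 1
+fi
+fi
+echo -e "waiting for ready file..."
+sleep 0.1
+counter=$((counter+ 1))
+done
+if test -e "$1"; then
+echo -e "found ready file, starting client..."
+else
+echo -e "NO ready file at \"$1\" -- ending test..."
+exit 1
+fi
+}
+remove_single_rF(){
+if test -e "$1"; then
+printf '%s\n' "removing ready file: \"$1\""
+rm "$1"
+fi
+}
+#create a configure file for cert generation with the port 0 solution
+create_new_cnf() {
+printf '%s\n' "Random Port Selected: $1"
+printf '%s\n' "#" > $test_cnf
+printf '%s\n' "# openssl configuration file for OCSP certificates" >> $test_cnf
+printf '%s\n' "#" >> $test_cnf
+printf '%s\n' "" >> $test_cnf
+printf '%s\n' "# Extensions to add to a certificate request (intermediate1-ca)" >> $test_cnf
+printf '%s\n' "[ v3_req1 ]" >> $test_cnf
+printf '%s\n' "basicConstraints = CA:false" >> $test_cnf
+printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
+printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
+printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf
+printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:$1" >> $test_cnf
+printf '%s\n' "" >> $test_cnf
+printf '%s\n' "# Extensions to add to a certificate request (intermediate2-ca)" >> $test_cnf
+printf '%s\n' "[ v3_req2 ]" >> $test_cnf
+printf '%s\n' "basicConstraints = CA:false" >> $test_cnf
+printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
+printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
+printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf
+printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:22222" >> $test_cnf
+printf '%s\n' "" >> $test_cnf
+printf '%s\n' "# Extensions to add to a certificate request (intermediate3-ca)" >> $test_cnf
+printf '%s\n' "[ v3_req3 ]" >> $test_cnf
+printf '%s\n' "basicConstraints = CA:false" >> $test_cnf
+printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
+printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
+printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf
+printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:22223" >> $test_cnf
+printf '%s\n' "" >> $test_cnf
+printf '%s\n' "# Extensions for a typical CA" >> $test_cnf
+printf '%s\n' "[ v3_ca ]" >> $test_cnf
+printf '%s\n' "basicConstraints = CA:true" >> $test_cnf
+printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
+printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
+printf '%s\n' "keyUsage = keyCertSign, cRLSign" >> $test_cnf
+printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:22220" >> $test_cnf
+printf '%s\n' "" >> $test_cnf
+printf '%s\n' "# OCSP extensions." >> $test_cnf
+printf '%s\n' "[ v3_ocsp ]" >> $test_cnf
+printf '%s\n' "basicConstraints = CA:false" >> $test_cnf
+printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
+printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
+printf '%s\n' "extendedKeyUsage = OCSPSigning" >> $test_cnf
+mv $test_cnf $CERT_DIR/$test_cnf
+cd $CERT_DIR
+CURR_LOC="$PWD"
+printf '%s\n' "echo now in $CURR_LOC"
+./renewcerts-for-test.sh $test_cnf
+cd "$WORKSPACE"
+}
+remove_ready_file() {
+if test -e "$ready_file"; then
+printf '%s\n' "removing ready file"
+rm "$ready_file"
+fi
+if test -e "$ready_file2"; then
+printf '%s\n' "removing ready file: \"$ready_file2\""
+rm "$ready_file2"
+fi
+}
+cleanup()
+{
+exit_status=$?
+for i in $(jobs -pr)
+do
+kill -s HUP "$i"
+done
+remove_ready_file
+rm $CERT_DIR/$test_cnf
+cd "$PARENTDIR" || return 1
+rm -r "$WORKSPACE" || return 1
+if [[ ("$exit_status" == 1) && ($RETRIES_REMAINING -gt 0) ]]; then
+echo "retrying..."
+RETRIES_REMAINING=$((RETRIES_REMAINING - 1))
+exec $0 "$@"
+fi
+}
+trap cleanup EXIT INT TERM HUP
+[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
+./examples/client/client '-?' 2>&1 | grep -- 'Client not compiled in!'
+if [ $? -eq 0 ]; then
+exit 0
+fi
+# check if supported key size is large enough to handle 4096 bit RSA
+size="$(./examples/client/client '-?' | grep "Max RSA key")"
+size="${size//[^0-9]/}"
+if [ ! -z "$size" ]; then
+printf 'check on max key size of %d ...' $size
+if [ $size -lt 4096 ]; then
+printf '%s\n' "4096 bit RSA keys not supported"
+exit 0
+fi
+printf 'OK\n'
+fi
+# choose consecutive ports based on the PID, skipping any that are
+# already bound, to avoid the birthday problem in case other
+# instances are sharing this host.
+get_first_free_port() {
+local ret="$1"
+while :; do
+if [[ "$ret" -ge 65536 ]]; then
+ret=1024
+fi
+if ! nc -z $V4V6_FLAG $LOCALHOST_FOR_NC "$ret"; then
+break
+fi
+ret=$((ret+1))
+done
+echo "$ret"
+return 0
+}
+base_port=$((((($$ + $RETRIES_REMAINING) * 5) % (65536 - 2048)) + 1024))
+port1=$(get_first_free_port $base_port)
+port2=$(get_first_free_port $((port1 + 1)))
+port3=$(get_first_free_port $((port2 + 1)))
+# test interop fail case
+ready_file=$PWD/wolf_ocsp_readyF$$
+printf '%s\n' "ready file: \"$ready_file\""
+./examples/server/server -b -p $port1 -o -R "$ready_file" &
+wolf_pid=$!
+wait_for_readyFile "$ready_file" $wolf_pid $port1
+if [ ! -f "$ready_file" ]; then
+printf '%s\n' "Failed to create ready file: \"$ready_file\""
+exit 1
+else
+# should fail if ocspstapling is also enabled
+OPENSSL_OUTPUT=$(echo "hi" | openssl s_client -status $V4V6_FLAG -legacy_renegotiation -connect "${LOCALHOST}:$port1" -cert ./certs/client-cert.pem -key ./certs/client-key.pem -CAfile ./certs/ocsp/root-ca-cert.pem 2>&1)
+OPENSSL_RESULT=$?
+echo "$OPENSSL_OUTPUT"
+fgrep -q 'self signed certificate in certificate chain' <<< "$OPENSSL_OUTPUT"
+FGREP_RESULT=$?
+if [ $OPENSSL_RESULT -eq 0 -a $FGREP_RESULT -ne 0 ]; then
+printf '%s\n' "Expected verification error from s_client is missing."
+remove_single_rF "$ready_file"
+exit 1
+fi
+remove_single_rF "$ready_file"
+wait $wolf_pid
+if [ $? -ne 1 ]; then
+printf '%s\n' "wolfSSL server unexpected fail value"
+exit 1
+fi
+fi
+# create a port to use with openssl ocsp responder
+./examples/server/server -b -p $port2 -R "$ready_file" &
+wolf_pid2=$!
+wait_for_readyFile "$ready_file" $wolf_pid2 $port2
+if [ ! -f "$ready_file" ]; then
+printf '%s\n' "Failed to create ready file: \"$ready_file\""
+exit 1
+else
+printf '%s\n' "Random port selected: $port2"
+# Use client connection to shutdown the server cleanly
+./examples/client/client -p $port2
+create_new_cnf $port2
+fi
+sleep 0.1
+# is our desired server there? - login.live.com doesn't answers PING
+#./scripts/ping.test $server 2
+# client test against the server
+server=login.live.com
+#ca=certs/external/baltimore-cybertrust-root.pem
+ca=./certs/external/ca_collection.pem
+if [[ "$V4V6" == "4" ]]; then
+./examples/client/client -C -h $server -p 443 -A $ca -g -W 1
+RESULT=$?
+[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1
+else
+echo "Skipping OCSP test on $server (IPv6 test client)"
+fi
+# Test with example server
+./examples/server/server '-?' 2>&1 | grep -- 'Server not compiled in!'
+if [ $? -eq 0 ]; then
+exit 0
+fi
+# setup ocsp responder
+# OLD: ./certs/ocsp/ocspd-intermediate1-ca-issued-certs.sh &
+# NEW: openssl isn't being cleaned up, invoke directly in script for cleanup
+# purposes!
+openssl ocsp -port $port2 -nmin 1 \
+-index certs/ocsp/index-intermediate1-ca-issued-certs.txt \
+-rsigner certs/ocsp/ocsp-responder-cert.pem \
+-rkey certs/ocsp/ocsp-responder-key.pem \
+-CA certs/ocsp/intermediate1-ca-cert.pem \
+"$@" &
+sleep 0.1
+# "jobs" is not portable for posix. Must use bash interpreter!
+[ $(jobs -r | wc -l) -ne 1 ] && \
+printf '\n\n%s\n' "Setup ocsp responder failed, skipping" && exit 0
+printf '%s\n\n' "------------- TEST CASE 1 SHOULD PASS ------------------------"
+# client test against our own server - GOOD CERT
+./examples/server/server -c certs/ocsp/server1-cert.pem -R "$ready_file2" \
+-k certs/ocsp/server1-key.pem -p $port3 &
+wolf_pid3=$!
+wait_for_readyFile "$ready_file2" $wolf_pid3 $port3
+./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -p $port3
+RESULT=$?
+[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 1 failed" && exit 1
+printf '%s\n\n' "Test PASSED!"
+printf '%s\n\n' "------------- TEST CASE 2 SHOULD REVOKE ----------------------"
+# client test against our own server - REVOKED CERT
+remove_single_rF "$ready_file2"
+./examples/server/server -c certs/ocsp/server2-cert.pem -R "$ready_file2" \
+-k certs/ocsp/server2-key.pem -p $port3 &
+wolf_pid3=$!
+wait_for_readyFile "$ready_file2" $wolf_pid3 $port3
+sleep 0.1
+./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -p $port3
+RESULT=$?
+[ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection 2 succeeded $RESULT" \
+&& exit 1
+printf '%s\n\n' "Test successfully REVOKED!"
+if ./examples/client/client -V | grep -q 4; then
+printf '%s\n\n' "------------- TEST CASE 3 SHOULD PASS --------------------"
+# client test against our own server - GOOD CERT
+remove_single_rF "$ready_file2"
+./examples/server/server -c certs/ocsp/server1-cert.pem -R "$ready_file2" \
+-k certs/ocsp/server1-key.pem -v 4 \
+-p $port3 &
+wolf_pid3=$!
+wait_for_readyFile "$ready_file2" $wolf_pid3 $port3
+./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -v 4 -F 1 \
+-p $port3
+RESULT=$?
+[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 3 failed" && exit 1
+printf '%s\n\n' "Test PASSED!"
+printf '%s\n\n' "------------- TEST CASE 4 SHOULD PASS --------------------"
+# client test against our own server, must staple - GOOD CERT
+remove_single_rF "$ready_file2"
+./examples/server/server -c certs/ocsp/server1-cert.pem -R "$ready_file2" \
+-k certs/ocsp/server1-key.pem -v 4 \
+-p $port3 &
+wolf_pid3=$!
+wait_for_readyFile "$ready_file2" $wolf_pid3 $port3
+./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1m -v 4 -F 1 \
+-p $port3
+RESULT=$?
+[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 4 failed" && exit 1
+printf '%s\n\n' "Test PASSED!"
+printf '%s\n\n' "------------- TEST CASE 5 SHOULD REVOKE ------------------"
+# client test against our own server - REVOKED CERT
+remove_single_rF "$ready_file2"
+./examples/server/server -c certs/ocsp/server2-cert.pem -R "$ready_file2" \
+-k certs/ocsp/server2-key.pem -v 4 \
+-p $port3 &
+wolf_pid3=$!
+wait_for_readyFile "$ready_file2" $wolf_pid3 $port3
+./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -v 4 -F 1 \
+-p $port3
+RESULT=$?
+[ $RESULT -ne 1 ] && \
+printf '\n\n%s\n' "Client connection 5 succeeded $RESULT" \
+&& exit 1
+printf '%s\n\n' "Test successfully REVOKED!"
+else
+echo 'skipping TLS1.3 stapling tests.' 1>&2
+fi
+# need a unique port since may run the same time as testsuite
+generate_port() {
+#-------------------------------------------------------------------------#
+# Generate a random port number
+#-------------------------------------------------------------------------#
+if [[ "$OSTYPE" == "linux"* ]]; then
+port=$(($(od -An -N2 /dev/urandom) % (65535-49512) + 49512))
+elif [[ "$OSTYPE" == "darwin"* ]]; then
+port=$(($(od -An -N2 /dev/random) % (65535-49512) + 49512))
+else
+echo "Unknown OS TYPE"
+exit 1
+fi
+}
+# Start OpenSSL server that has no OCSP responses to return
+generate_port
+openssl s_server $V4V6_FLAG -cert ./certs/server-cert.pem -key certs/server-key.pem -www -port $port &
+openssl_pid=$!
+sleep 0.1
+printf '%s\n\n' "------------- TEST CASE 6 SHOULD PASS ----------------------"
+# client asks for OCSP staple but doesn't fail when none returned
+./examples/client/client -p $port -g -v 3 -W 1
+RESULT=$?
+[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 6 failed" && exit 1
+printf '%s\n\n' "Test PASSED!"
+printf '%s\n\n' "------------- TEST CASE 7 SHOULD UNKNOWN -------------------"
+# client asks for OCSP staple but doesn't fail when none returned
+./examples/client/client -p $port -g -v 3 -W 1m
+RESULT=$?
+[ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection 7 succeeded $RESULT" \
+&& exit 1
+printf '%s\n\n' "Test PASSED!"
+openssl ciphers -tls1_3
+openssl_tls13=$?
+./examples/client/client -V | grep -q 4
+wolfssl_tls13=$?
+if [ "$openssl_tls13" = "0" -a "$wolfssl_tls13" = "0" ]; then
+printf '%s\n\n' "------------- TEST CASE 8 SHOULD PASS --------------------"
+# client asks for OCSP staple but doesn't fail when none returned
+./examples/client/client -p $port -g -v 4 -W 1
+RESULT=$?
+[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 8 failed" && exit 1
+printf '%s\n\n' "Test PASSED!"
+printf '%s\n\n' "------------- TEST CASE 9 SHOULD UNKNOWN -----------------"
+# client asks for OCSP staple but doesn't fail when none returned
+./examples/client/client -p $port -g -v 4 -W 1m
+RESULT=$?
+[ $RESULT -ne 1 ] \
+&& printf '\n\n%s\n' "Client connection 9 succeeded $RESULT" \
+&& exit 1
+printf '%s\n\n' "Test PASSED!"
+else
+echo -n 'skipping TLS1.3 stapling interoperability test:' 1>&2
+if [ "$openssl_tls13" != "0" ]; then
+echo -n ' OpenSSL' 1>&2
+fi
+if [ "$wolfssl_tls13" != "0" ]; then
+if [ "$openssl_tls13" != "0" ]; then
+echo -n ' and' 1>&2
+fi
+echo -n ' wolfSSL' 1>&2
+fi
+echo -n ' missing TLS1.3 support.' 1>&2
+fi
+printf '%s\n\n' "------------------- TESTS COMPLETE ---------------------------"
+exit 0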
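Review bot: The interop fail case only rejects the run when `OPENSSL_RESULT` is 0 and the expected message is absent, so any other s_client failure — connection refused, an unsupported `-legacy_renegotiation` or `$V4V6_FLAG`, a missing cert file — is accepted as the expected verification error and the case passes vacuously. If a non-zero s_client exit is also an acceptable outcome here, say so in a comment and check the failure reason in `$OPENSSL_OUTPUT` rather than accepting any failure; if it is not, test the grep result alone, `if [ $FGREP_RESULT -ne 0 ]; then`. The `-a` operator inside `[` is deprecated and ambiguous; `[[ … && … ]]` is already used elsewhere in this file. This script also has no NETWORK_UNSHARE_HELPER/bwrap isolation block, presumably because it must reach login.live.com; a comment next to the `openssl ocsp -port $port2` and `openssl s_server … -port $port` lines noting that they therefore listen without namespace isolation would document that trade-off.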


@@ -0,0 +1,491 @@
#!/bin/bash
# ocsp-stapling2.test
# Test requires HAVE_OCSP and HAVE_CERTIFICATE_STATUS_REQUEST_V2
SCRIPT_DIR="$(dirname "$0")"
# if we can, isolate the network namespace to eliminate port collisions.
if [[ -n "$NETWORK_UNSHARE_HELPER" ]]; then
if [[ -z "$NETWORK_UNSHARE_HELPER_CALLED" ]]; then
export NETWORK_UNSHARE_HELPER_CALLED=yes
exec "$NETWORK_UNSHARE_HELPER" "$0" "$@" || exit $?
fi
elif [ "${AM_BWRAPPED-}" != "yes" ]; then
bwrap_path="$(command -v bwrap)"
if [ -n "$bwrap_path" ]; then
export AM_BWRAPPED=yes
exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
fi
unset AM_BWRAPPED
fi
if [[ -z "${RETRIES_REMAINING-}" ]]; then
export RETRIES_REMAINING=2
fi
if ! ./examples/client/client -V | grep -q 3; then
echo 'skipping ocsp-stapling2.test because TLS1.2 is not available.' 1>&2
exit 77
fi
if openssl s_server -help 2>&1 | fgrep -q -i ipv6 && nc -h 2>&1 | fgrep -q -i ipv6; then
IPV6_SUPPORTED=yes
else
IPV6_SUPPORTED=no
fi
if ./examples/client/client '-#' | fgrep -q -e ' -DTEST_IPV6 '; then
if [[ "$IPV6_SUPPORTED" == "no" ]]; then
echo 'Skipping IPV6 test in environment lacking IPV6 support.'
exit 0
fi
LOCALHOST='[::1]'
LOCALHOST_FOR_NC='-6 ::1'
else
LOCALHOST='127.0.0.1'
LOCALHOST_FOR_NC='127.0.0.1'
fi
PARENTDIR="$PWD"
# create a unique workspace directory ending in PID for the script instance ($$)
# to make this instance orthogonal to any others running, even on same repo.
# TCP ports are also carefully formed below from the PID, to minimize conflicts.
WORKSPACE="${PARENTDIR}/workspace.pid$$"
mkdir "${WORKSPACE}" || exit $?
cp -pR ${SCRIPT_DIR}/../certs "${WORKSPACE}"/ || exit $?
cd "$WORKSPACE" || exit $?
ln -s ../examples
CERT_DIR="certs/ocsp"
ready_file1="$WORKSPACE"/wolf_ocsp_s2_readyF1$$
ready_file2="$WORKSPACE"/wolf_ocsp_s2_readyF2$$
ready_file3="$WORKSPACE"/wolf_ocsp_s2_readyF3$$
ready_file4="$WORKSPACE"/wolf_ocsp_s2_readyF4$$
ready_file5="$WORKSPACE"/wolf_ocsp_s2_readyF5$$
printf '%s\n' "ready file 1: $ready_file1"
printf '%s\n' "ready file 2: $ready_file2"
printf '%s\n' "ready file 3: $ready_file3"
printf '%s\n' "ready file 4: $ready_file4"
printf '%s\n' "ready file 5: $ready_file5"
test_cnf="ocsp_s2.cnf"
wait_for_readyFile(){
counter=0
while [ ! -s $1 -a "$counter" -lt 20 ]; do
if [[ -n "${2-}" ]]; then
if ! kill -0 $2 2>&-; then
echo "pid $2 for port ${3-} exited before creating ready file. bailing..."
exit 1
fi
fi
echo -e "waiting for ready file..."
sleep 0.1
counter=$((counter+ 1))
done
if test -e $1; then
echo -e "found ready file, starting client..."
else
echo -e "NO ready file at $1 -- ending test..."
exit 1
fi
}
remove_single_rF(){
if test -e $1; then
printf '%s\n' "removing ready file: $1"
rm $1
fi
}
#create a configure file for cert generation with the port 0 solution
create_new_cnf() {
printf '%s\n' "Random Ports Selected: $1 $2 $3 $4"
printf '%s\n' "#" > $test_cnf
printf '%s\n' "# openssl configuration file for OCSP certificates" >> $test_cnf
printf '%s\n' "#" >> $test_cnf
printf '%s\n' "" >> $test_cnf
printf '%s\n' "# Extensions to add to a certificate request (intermediate1-ca)" >> $test_cnf
printf '%s\n' "[ v3_req1 ]" >> $test_cnf
printf '%s\n' "basicConstraints = CA:false" >> $test_cnf
printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf
printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:$1" >> $test_cnf
printf '%s\n' "" >> $test_cnf
printf '%s\n' "# Extensions to add to a certificate request (intermediate2-ca)" >> $test_cnf
printf '%s\n' "[ v3_req2 ]" >> $test_cnf
printf '%s\n' "basicConstraints = CA:false" >> $test_cnf
printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf
printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:$2" >> $test_cnf
printf '%s\n' "" >> $test_cnf
printf '%s\n' "# Extensions to add to a certificate request (intermediate3-ca)" >> $test_cnf
printf '%s\n' "[ v3_req3 ]" >> $test_cnf
printf '%s\n' "basicConstraints = CA:false" >> $test_cnf
printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf
printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:$3" >> $test_cnf
printf '%s\n' "" >> $test_cnf
printf '%s\n' "# Extensions for a typical CA" >> $test_cnf
printf '%s\n' "[ v3_ca ]" >> $test_cnf
printf '%s\n' "basicConstraints = CA:true" >> $test_cnf
printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
printf '%s\n' "keyUsage = keyCertSign, cRLSign" >> $test_cnf
printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:$4" >> $test_cnf
printf '%s\n' "" >> $test_cnf
printf '%s\n' "# OCSP extensions." >> $test_cnf
printf '%s\n' "[ v3_ocsp ]" >> $test_cnf
printf '%s\n' "basicConstraints = CA:false" >> $test_cnf
printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
printf '%s\n' "extendedKeyUsage = OCSPSigning" >> $test_cnf
mv $test_cnf $CERT_DIR/$test_cnf
cd $CERT_DIR
CURR_LOC="$PWD"
printf '%s\n' "echo now in $CURR_LOC"
./renewcerts-for-test.sh $test_cnf
cd $WORKSPACE
}
remove_ready_file(){
if test -e $ready_file1; then
printf '%s\n' "removing ready file: $ready_file1"
rm $ready_file1
fi
if test -e $ready_file2; then
printf '%s\n' "removing ready file: $ready_file2"
rm $ready_file2
fi
if test -e $ready_file3; then
printf '%s\n' "removing ready file: $ready_file3"
rm $ready_file3
fi
if test -e $ready_file4; then
printf '%s\n' "removing ready file: $ready_file4"
rm $ready_file4
fi
if test -e $ready_file5; then
printf '%s\n' "removing ready file: $ready_file5"
rm $ready_file5
fi
}
cleanup()
{
exit_status=$?
for i in $(jobs -pr)
do
kill -s HUP "$i"
done
remove_ready_file
rm $CERT_DIR/$test_cnf
cd "$PARENTDIR" || return 1
rm -r "$WORKSPACE" || return 1
if [[ ("$exit_status" == 1) && ($RETRIES_REMAINING -gt 0) ]]; then
echo "retrying..."
RETRIES_REMAINING=$((RETRIES_REMAINING - 1))
exec $0 "$@"
fi
}
trap cleanup EXIT INT TERM HUP
[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
# check if supported key size is large enough to handle 4096 bit RSA
size="$(./examples/client/client '-?' | grep "Max RSA key")"
size="${size//[^0-9]/}"
if [ ! -z "$size" ]; then
printf 'check on max key size of %d ...' $size
if [ $size -lt 4096 ]; then
printf '%s\n' "4096 bit RSA keys not supported"
exit 0
fi
printf 'OK\n'
fi
#get four unique ports
# choose consecutive ports based on the PID, skipping any that are
# already bound, to avoid the birthday problem in case other
# instances are sharing this host.
get_first_free_port() {
local ret="$1"
while :; do
if [[ "$ret" -ge 65536 ]]; then
ret=1024
fi
if ! nc -z ${LOCALHOST_FOR_NC} "$ret"; then
break
fi
ret=$((ret+1))
done
echo "$ret"
return 0
}
base_port=$((((($$ + $RETRIES_REMAINING) * 5) % (65536 - 2048)) + 1024))
port1=$(get_first_free_port $base_port)
port2=$(get_first_free_port $((port1 + 1)))
port3=$(get_first_free_port $((port2 + 1)))
port4=$(get_first_free_port $((port3 + 1)))
port5=$(get_first_free_port $((port4 + 1)))
# 1:
./examples/server/server -R $ready_file1 -p $port1 &
server_pid1=$!
wait_for_readyFile $ready_file1 $server_pid1 $port1
if [ ! -f $ready_file1 ]; then
printf '%s\n' "Failed to create ready file1: \"$ready_file1\""
exit 1
fi
# 2:
./examples/server/server -R $ready_file2 -p $port2 &
server_pid2=$!
wait_for_readyFile $ready_file2 $server_pid2 $port2
if [ ! -f $ready_file2 ]; then
printf '%s\n' "Failed to create ready file2: \"$ready_file2\""
exit 1
fi
# 3:
./examples/server/server -R $ready_file3 -p $port3 &
server_pid3=$!
wait_for_readyFile $ready_file3 $server_pid3 $port3
if [ ! -f $ready_file3 ]; then
printf '%s\n' "Failed to create ready file3: \"$ready_file3\""
exit 1
fi
# 4:
./examples/server/server -R $ready_file4 -p $port4 &
server_pid4=$!
wait_for_readyFile $ready_file4 $server_pid4 $port4
if [ ! -f $ready_file4 ]; then
printf '%s\n' "Failed to create ready file4: \"$ready_file4\""
exit 1
fi
printf '%s\n' "------------- PORTS ---------------"
printf '%s' "Random ports selected: $port1 $port2"
printf '%s\n' " $port3 $port4"
printf '%s\n' "-----------------------------------"
# Use client connections to cleanly shutdown the servers
./examples/client/client -p $port1
./examples/client/client -p $port2
./examples/client/client -p $port3
./examples/client/client -p $port4
create_new_cnf $port1 $port2 $port3 \
$port4
sleep 0.1
# setup ocsp responders
# OLD: ./certs/ocsp/ocspd-root-ca-and-intermediate-cas.sh &
# NEW: openssl isn't being cleaned up, invoke directly in script for cleanup
# purposes!
openssl ocsp -port $port1 -nmin 1 \
-index certs/ocsp/index-ca-and-intermediate-cas.txt \
-rsigner certs/ocsp/ocsp-responder-cert.pem \
-rkey certs/ocsp/ocsp-responder-key.pem \
-CA certs/ocsp/root-ca-cert.pem \
"$@" \
&
# OLD: ./certs/ocsp/ocspd-intermediate2-ca-issued-certs.sh &
# NEW: openssl isn't being cleaned up, invoke directly in script for cleanup
# purposes!
openssl ocsp -port $port2 -nmin 1 \
-index certs/ocsp/index-intermediate2-ca-issued-certs.txt \
-rsigner certs/ocsp/ocsp-responder-cert.pem \
-rkey certs/ocsp/ocsp-responder-key.pem \
-CA certs/ocsp/intermediate2-ca-cert.pem \
"$@" \
&
# OLD: ./certs/ocsp/ocspd-intermediate3-ca-issued-certs.sh &
# NEW: openssl isn't being cleaned up, invoke directly in script for cleanup
# purposes!
openssl ocsp -port $port3 -nmin 1 \
-index certs/ocsp/index-intermediate3-ca-issued-certs.txt \
-rsigner certs/ocsp/ocsp-responder-cert.pem \
-rkey certs/ocsp/ocsp-responder-key.pem \
-CA certs/ocsp/intermediate3-ca-cert.pem \
"$@" \
&
sleep 0.1
# "jobs" is not portable for posix. Must use bash interpreter!
[ $(jobs -r | wc -l) -ne 3 ] && printf '\n\n%s\n' "Setup ocsp responder failed, skipping" && exit 0
printf '\n\n%s\n\n' "All OCSP responders started successfully!"
printf '%s\n\n' "------------- TEST CASE 1 SHOULD PASS ------------------------"
# client test against our own server - GOOD CERTS
./examples/server/server -c certs/ocsp/server3-cert.pem \
-k certs/ocsp/server3-key.pem -R $ready_file5 \
-p $port5 &
server_pid5=$!
wait_for_readyFile $ready_file5 $server_pid5 $port5
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 -v 3 \
-p $port5
RESULT=$?
[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 1 failed" && exit 1
printf '%s\n\n' "Test PASSED!"
printf '%s\n\n' "TEST CASE 2 DISABLED PENDING REVIEW"
#printf '%s\n\n' "------------- TEST CASE 2 SHOULD PASS ------------------------"
#remove_single_rF $ready_file5
#./examples/server/server -c certs/ocsp/server3-cert.pem \
# -k certs/ocsp/server3-key.pem -R $ready_file5 \
# -p $port5 &
#wait_for_readyFile $ready_file5 $server_pid5 $port5
#./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3 \
# -p $port5
#RESULT=$?
#[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 2 failed" && exit 1
#printf '%s\n\n' "Test PASSED!"
printf '%s\n\n' "------------- TEST CASE 3 SHOULD REVOKE ----------------------"
# client test against our own server - REVOKED SERVER CERT
remove_single_rF $ready_file5
./examples/server/server -c certs/ocsp/server4-cert.pem \
-k certs/ocsp/server4-key.pem -R $ready_file5 \
-p $port5 &
server_pid5=$!
wait_for_readyFile $ready_file5 $server_pid5 $port5
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 -v 3 \
-p $port5
RESULT=$?
[ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection succeeded $RESULT" && exit 1
printf '%s\n\n' "Test successfully REVOKED!"
printf '%s\n\n' "------------- TEST CASE 4 SHOULD REVOKE ----------------------"
remove_single_rF $ready_file5
./examples/server/server -c certs/ocsp/server4-cert.pem \
-k certs/ocsp/server4-key.pem -R $ready_file5 \
-p $port5 &
sleep 0.1
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3 \
-p $port5
RESULT=$?
[ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection succeeded $RESULT" && exit 1
printf '%s\n\n' "Test successfully REVOKED!"
printf '%s\n\n' "------------- TEST CASE 5 SHOULD PASS ------------------------"
# client test against our own server - REVOKED INTERMEDIATE CERT
remove_single_rF $ready_file5
./examples/server/server -c certs/ocsp/server5-cert.pem \
-k certs/ocsp/server5-key.pem -R $ready_file5 \
-p $port5 &
server_pid5=$!
wait_for_readyFile $ready_file5 $server_pid5 $port5
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 -v 3 \
-p $port5
RESULT=$?
[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 3 failed $RESULT" && exit 1
printf '%s\n\n' "Test PASSED!"
printf '%s\n\n' "------------- TEST CASE 6 SHOULD REVOKE ----------------------"
remove_single_rF $ready_file5
./examples/server/server -c certs/ocsp/server5-cert.pem \
-k certs/ocsp/server5-key.pem -R $ready_file5 \
-p $port5 &
server_pid5=$!
wait_for_readyFile $ready_file5 $server_pid5 $port5
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3 \
-p $port5
RESULT=$?
[ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection succeeded $RESULT" && exit 1
printf '%s\n\n' "Test successfully REVOKED!"
printf '%s\n\n' "------------- TEST CASE 7 LOAD CERT IN SSL -------------------"
remove_single_rF $ready_file5
./examples/server/server -c certs/ocsp/server1-cert.pem \
-k certs/ocsp/server1-key.pem -R $ready_file5 \
-p $port5 -H loadSSL &
server_pid5=$!
wait_for_readyFile $ready_file5 $server_pid5 $port5
echo "test connection" | openssl s_client -status -legacy_renegotiation -connect ${LOCALHOST}:$port5 -cert ./certs/client-cert.pem -key ./certs/client-key.pem -CAfile ./certs/ocsp/root-ca-cert.pem
RESULT=$?
[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection failed $RESULT" && exit 1
wait $server_pid5
if [ $? -ne 0 ]; then
printf '%s\n' "Unexpected server result"
exit 1
fi
printf '%s\n\n' "Test successful"
printf '%s\n\n' "------------- TEST CASE 8 SHOULD REVOKE ----------------------"
remove_single_rF $ready_file5
./examples/server/server -c certs/ocsp/server4-cert.pem \
-k certs/ocsp/server4-key.pem -R $ready_file5 \
-p $port5 -H loadSSL &
server_pid5=$!
sleep 0.1
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3 \
-p $port5
RESULT=$?
[ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection succeeded $RESULT" && exit 1
wait $server_pid5
if [ $? -ne 1 ]; then
printf '%s\n' "Unexpected server result"
exit 1
fi
printf '%s\n\n' "Test successfully REVOKED!"
# need a unique port since may run the same time as testsuite
generate_port() {
#-------------------------------------------------------------------------#
# Generate a random port number
#-------------------------------------------------------------------------#
if [[ "$OSTYPE" == "linux"* ]]; then
port=$(($(od -An -N2 /dev/urandom) % (65535-49512) + 49512))
elif [[ "$OSTYPE" == "darwin"* ]]; then
port=$(($(od -An -N2 /dev/random) % (65535-49512) + 49512))
else
echo "Unknown OS TYPE"
exit 1
fi
}
# Start OpenSSL server that has no OCSP responses to return
generate_port
openssl s_server -cert ./certs/server-cert.pem -key certs/server-key.pem -www -port $port &
openssl_pid=$!
sleep 0.1
printf '%s\n\n' "------------- TEST CASE 9 SHOULD PASS ----------------------"
# client asks for OCSP staple but doesn't fail when none returned
./examples/client/client -p $port -g -v 3 -W 2
RESULT=$?
[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 9 failed" && exit 1
printf '%s\n\n' "Test PASSED!"
printf '%s\n\n' "------------- TEST CASE 10 SHOULD UNKNOWN -------------------"
# client asks for OCSP staple but doesn't fail when none returned
./examples/client/client -p $port -g -v 3 -W 2m
RESULT=$?
[ $RESULT -ne 1 ] \
&& printf '\n\n%s\n' "Client connection 10 succeeded $RESULT" \
&& exit 1
printf '%s\n\n' "Test PASSED!"
printf '%s\n\n' "------------------- TESTS COMPLETE ---------------------------"
exit 0

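--- a/android/extern/wolfssl/scripts/ocsp.test
+++ b/android/extern/wolfssl/scripts/ocsp.test
@@ -0,0 +1,105 @@
+#!/bin/sh
+# ocsp.test
+# Note, this script makes connection(s) to the public Internet.
+SCRIPT_DIR="$(dirname "$0")"
+server=www.globalsign.com
+ca=certs/external/ca-globalsign-root.pem
+[ ! -x ./examples/client/client ] && printf '\n\n%s\n' "Client doesn't exist" \
+&& exit 1
+if ! ./examples/client/client -V | grep -q 3; then
+echo 'skipping ocsp.test because TLS1.2 is not available.' 1>&2
+exit 77
+fi
+GL_UNREACHABLE=0
+# Global Sign now requires server name indication extension to work, check
+# enabled prior to testing
+OUTPUT=$(eval "./examples/client/client -S check")
+if [ "$OUTPUT" = "SNI is: ON" ]; then
+printf '\n\n%s\n\n' "SNI is on, proceed with globalsign test"
+if [ "$AM_BWRAPPED" != "yes" ]; then
+# is our desired server there?
+"${SCRIPT_DIR}/ping.test" $server 2
+RESULT=$?
+if [ $RESULT -ne 0 ]; then
+GL_UNREACHABLE=1
+fi
+else
+RESULT=0
+fi
+if [ $RESULT -eq 0 ]; then
+# client test against the server
+echo "./examples/client/client -X -C -h $server -p 443 -A \"$ca\" -g -o -N -v d -S $server"
+./examples/client/client -X -C -h $server -p 443 -A "$ca" -g -o -N -v d -S $server
+GL_RESULT=$?
+[ $GL_RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection failed"
+else
+GL_RESULT=1
+fi
+else
+printf '\n\n%s\n\n' "SNI disabled, skipping globalsign test"
+GL_RESULT=0
+fi
+server=www.google.com
+ca=${SCRIPT_DIR}/../certs/external/ca-google-root.pem
+if [ "$AM_BWRAPPED" != "yes" ]; then
+# is our desired server there?
+${SCRIPT_DIR}/ping.test $server 2
+RESULT=$?
+else
+RESULT=0
+fi
+if [ $RESULT -eq 0 ]; then
+# client test against the server
+echo "./examples/client/client -X -C -h $server -p 443 -A \"$ca\" -g -o -N"
+./examples/client/client -X -C -h $server -p 443 -A "$ca" -g -o -N
+GR_RESULT=$?
+[ $GR_RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection failed"
+else
+GR_RESULT=1
+fi
+if test -n "$WOLFSSL_OCSP_TEST"; then
+# check that both passed
+if [ $GL_RESULT -eq 0 ] && [ $GR_RESULT -eq 0 ]; then
+printf '\n\n%s\n' "Both OCSP connection to globalsign and google passed"
+printf '%s\n' "Test Passed!"
+exit 0
+elif [ $GL_UNREACHABLE -eq 1 ] && [ $GR_RESULT -eq 0 ]; then
+printf '%s\n' "Global Sign is currently unreachable. Logging it but if"
+printf '%s\n' "this continues to occur should be investigated"
+exit 0
+else
+# Unlike other environment variables the intent of WOLFSSL_OCSP_TEST
+# is to indicate a requirement for both tests to pass. If variable is
+# set and either tests fail then whole case fails. Do not set the
+# variable if either case passing is to be considered a success.
+printf '\n\n%s\n' "One of the OCSP connections to either globalsign or"
+printf '%s\n' "google failed, however since WOLFSSL_OCSP_TEST is set"
+printf '%s\n' "the test is considered to have failed"
+printf '%s\n' "Test Failed!"
+exit 1
+fi
+else
+# if environment variable is not set then just need one to pass
+if [ $GL_RESULT -ne 0 ] && [ $GR_RESULT -ne 0 ]; then
+printf '\n\n%s\n' "Both OCSP connection to globalsign and google failed"
+printf '%s\n' "Test Failed!"
+exit 1
+else
+printf '\n\n%s\n' "WOLFSSL_OCSP_TEST NOT set, and 1 of the tests passed"
+printf '%s\n' "Test Passed!"
+exit 0
+fi
+fi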
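Review bot: The two CA paths are resolved differently: `ca=certs/external/ca-globalsign-root.pem` is relative to the working directory while the google case uses `ca=${SCRIPT_DIR}/../certs/external/ca-google-root.pem`, so the globalsign connection silently fails (GL_RESULT=1) whenever the script is run from anywhere but the wolfSSL root; `ca=${SCRIPT_DIR}/../certs/external/ca-globalsign-root.pem` makes both consistent. The `eval` in `OUTPUT=$(eval "./examples/client/client -S check")` adds nothing over `OUTPUT=$(./examples/client/client -S check)` and is worth removing so no argument ever goes through a second parse. The ping and client invocations also leave `$server` unquoted, and the second ping call drops the quotes around `${SCRIPT_DIR}/ping.test` that the first one has.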



@@ -0,0 +1,150 @@
#!/bin/bash
# Test WolfSSL/OpenSSL srtp interoperability
#
# TODO: add OpenSSL client with WolfSSL server
set -e
if ! test -n "$WOLFSSL_OPENSSL_TEST"; then
echo "WOLFSSL_OPENSSL_TEST NOT set, won't run"
exit 0
fi
OPENSSL=${OPENSSL:="openssl"}
WOLFSSL_CLIENT=${WOLFSSL_CLIENT:="./examples/client/client"}
# need a unique port since may run the same time as testsuite
generate_port() {
#-------------------------------------------------------------------------#
# Generate a random port number
#-------------------------------------------------------------------------#
if [[ "$OSTYPE" == "linux"* ]]; then
port=$(($(od -An -N2 /dev/urandom) % (65535-49512) + 49512))
elif [[ "$OSTYPE" == "darwin"* ]]; then
port=$(($(od -An -N2 /dev/random) % (65535-49512) + 49512))
else
echo "Unknown OS TYPE"
exit 1
fi
}
# get size of key material based on the profile
# $1 srtp profile
get_key_material_size() {
case "$1" in
"SRTP_AES128_CM_SHA1_80")
ekm_size=60 ;;
"SRTP_AES128_CM_SHA1_32")
ekm_size=60 ;;
"SRTP_NULL_SHA1_80")
ekm_size=28 ;;
"SRTP_NULL_SHA1_32")
ekm_size=27 ;;
"SRTP_AEAD_AES_128_GCM")
ekm_size=56;;
"SRTP_AEAD_AES_256_GCM")
ekm_size=88;;
*)
echo "SRTP profile $1 unsupported"
exit 1
esac
}
# Start an OpenSSL server dtls with srtp
# $1: dtsl version [1.0, 1.2]
# $2: srtp profile string
start_openssl_server() {
generate_port
server_port=$port
srtp_profile=$2
if [ "$1" = "1.0" ]; then
dtls_version=dtls1
elif [ "$1" = "1.2" ]; then
dtls_version=dtls1_2
fi
get_key_material_size "$srtp_profile"
server_output_file=/tmp/openssl_srtp_out
# hackish but OpenSSL doesn't work if input is fed before handshaking and
# the wolfSSL client needs a reply to stop
(sleep 1;echo -n "I hear you fa shizzle...") | \
${OPENSSL} s_server \
-${dtls_version} \
-port ${server_port} \
-debug \
-use_srtp ${srtp_profile} \
-keymatexport EXTRACTOR-dtls_srtp \
-keymatexportlen $ekm_size \
-cert ./certs/server-cert.pem \
-key ./certs/server-key.pem >$server_output_file &
# make sure the server is up
sleep 0.1
}
# Start an wolfssl client dtls with srtp
# $1: dtsl version [1.0, 1.2]
# $2: srtp profile string
start_wolfssl_client() {
srtp_profile=$2
if [ "$1" = "1.0" ]; then
dtls_version=2
elif [ "$1" = "1.2" ]; then
dtls_version=3
fi
client_output_file=/tmp/wolfssl_srtp_out
${WOLFSSL_CLIENT} -u\
-x \
-v${dtls_version} \
--srtp ${srtp_profile} \
-p${server_port} >$client_output_file
}
# $1 openssl file
# $2 wolfssl file
check_ekm() {
openssl_ekm=$(cat "$1" | grep "Keying material: " | cut -d ':' -f 2)
echo "OPENSSL EKM: $openssl_ekm"
wolfssl_ekm=$(cat "$2" | grep "DTLS SRTP: Exported key material: " | cut -d ':' -f 3)
echo "WOLFSSL EKM: $wolfssl_ekm"
if [ "$openssl_ekm" = "$wolfssl_ekm" ];then
check_ret=0
else
check_ret=1
fi
}
# $1 dtsl version
# $2 srtp profile
check_dtls_srtp() {
start_openssl_server $1 $2
start_wolfssl_client $1 $2
check_ekm $server_output_file $client_output_file
echo -n "check dtls $1 $2... "
if [ $check_ret -ne 0 ];then
echo "failed"
exit 1
else
echo "ok"
fi
}
# SRTP_NULL_SHA1_80" and SRTP_NULL_SHA1_32 aren't supported by OpenSSL
PROFILES="SRTP_AES128_CM_SHA1_80 \
SRTP_AES128_CM_SHA1_32 \
SRTP_AEAD_AES_128_GCM \
SRTP_AEAD_AES_256_GCM"
for DTLS in 1.0 1.2;do
for SRTP_PROF in $PROFILES;do
check_dtls_srtp $DTLS $SRTP_PROF
done
done
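Review bot: `server_output_file=/tmp/openssl_srtp_out` and `client_output_file=/tmp/wolfssl_srtp_out` are fixed, predictable paths written with `>`, so two concurrent runs clobber each other's exported key material and a pre-existing file or symlink at that path is followed; creating them with `server_output_file=$(mktemp)` / `client_output_file=$(mktemp)` and removing both in an EXIT trap avoids that. `start_openssl_server $1 $2`, `start_wolfssl_client $1 $2` and `check_ekm $server_output_file $client_output_file` in check_dtls_srtp pass their arguments unquoted, which is harmless today but costs nothing to fix. `cat "$1" | grep "Keying material: "` in check_ekm can be `grep "Keying material: " "$1"`, and `echo -n` is better written as `printf '%s'` under `set -e`.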


@@ -0,0 +1,29 @@
#!/bin/bash
# ping.test
# defaults
server=www.wolfssl.com
tries=2
# populate args
if [ "$#" -gt 1 ]; then
tries=$2
fi
if [ "$#" -gt 0 ]; then
server=$1
fi
# determine os
OS="`uname`"
case $OS in
MINGW* | MSYS*) PINGSW=-n ;;
*) PINGSW=-c ;;
esac
# is our desired server there?
ping $PINGSW $tries $server
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\n\nCouldn't find $server, skipping" && exit 1
exit 0
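Review bot: `ping $PINGSW $tries $server` passes all three expansions unquoted and `$tries` is taken straight from `$2` without being checked as a number, so an unexpected argument is handed to ping as further options; `ping "$PINGSW" "$tries" "$server"` with a `case "$tries" in ''|*[!0-9]*) exit 2 ;; esac` guard keeps the call well-formed. `OS="`uname`"` reads better as `OS=$(uname)`, and the `echo -e "\n\nCouldn't find $server, skipping"` can be `printf '\n\n%s\n' "Couldn't find $server, skipping"` to match the other scripts in this commit.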


@@ -0,0 +1,141 @@
#!/bin/bash
#pkcallbacks.test
# if we can, isolate the network namespace to eliminate port collisions.
if [[ -n "$NETWORK_UNSHARE_HELPER" ]]; then
if [[ -z "$NETWORK_UNSHARE_HELPER_CALLED" ]]; then
export NETWORK_UNSHARE_HELPER_CALLED=yes
exec "$NETWORK_UNSHARE_HELPER" "$0" "$@" || exit $?
fi
elif [ "${AM_BWRAPPED-}" != "yes" ]; then
bwrap_path="$(command -v bwrap)"
if [ -n "$bwrap_path" ]; then
export AM_BWRAPPED=yes
exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
fi
unset AM_BWRAPPED
fi
exit_code=1
counter=0
# need a unique resume port since may run the same time as testsuite
# use server port zero hack to get one
pk_port=0
#no_pid tells us process was never started if -1
no_pid=-1
#server_pid captured on startup, stores the id of the server process
server_pid=$no_pid
# let's use absolute path to a local dir (make distcheck may be in sub dir)
# also let's add some randomness by adding pid in case multiple 'make check's
# per source tree
ready_file=`pwd`/wolfssl_pk_ready$$
remove_ready_file() {
if test -e "$ready_file"; then
echo -e "removing existing ready file"
rm "$ready_file"
fi
}
do_cleanup() {
echo "in cleanup"
if [ $server_pid != $no_pid ]
then
echo "killing server"
kill -9 $server_pid
fi
remove_ready_file
}
# trap this function so if user aborts with ^C or other kill signal we still
# get an exit that will in turn clean up the file system
abort_trap() {
echo "script aborted"
if [ $server_pid != $no_pid ]
then
echo "killing server"
kill -9 $server_pid
fi
exit_code=2 #different exit code in case of user interrupt
echo "got abort signal, exiting with $exit_code"
exit $exit_code
}
trap abort_trap INT TERM
# trap this function so that if we exit on an error the file system will still
# be restored and the other tests may still pass. Never call this function
# instead use "exit <some value>" and this function will run automatically
restore_file_system() {
remove_ready_file
}
trap restore_file_system EXIT
run_test() {
echo -e "\nStarting example server for pkcallbacks test...\n"
remove_ready_file
# starts the server on pk_port, -R generates ready file to be used as a
# mutex lock, -P does pkcallbacks. We capture the processid
# into the variable server_pid
./examples/server/server -P -R "$ready_file" -p $pk_port &
server_pid=$!
while [ ! -s "$ready_file" -a "$counter" -lt 20 ]; do
echo -e "waiting for ready file..."
sleep 0.1
counter=$((counter+ 1))
done
if test -e "$ready_file"; then
echo -e "found ready file, starting client..."
else
echo -e "NO ready file ending test..."
exit 1
fi
# sleep for an additional 0.1 to mitigate race on write/read of $ready_file:
sleep 0.1
# get created port 0 ephemeral port
pk_port=`cat "$ready_file"`
# starts client on pk_port with pkcallbacks, captures the output from client
capture_out=$(./examples/client/client -P -p $pk_port 2>&1)
client_result=$?
if [ $client_result != 0 ]
then
echo -e "client failed!"
do_cleanup
exit 1
fi
wait $server_pid
server_result=$?
if [ $server_result != 0 ]
then
echo -e "server failed!"
exit 1
fi
}
######### begin program #########
# run the test
run_test
# If we get to this, success
echo "Success!"
exit 0
########## end program ##########
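Review bot: `kill -9 $server_pid` in do_cleanup and abort_trap sends SIGKILL as the first resort, so the example server never gets to run its own shutdown; `kill $server_pid` (SIGTERM) followed by a short `wait` before escalating is the usual shape, and the same pattern is repeated in psk.test and resume.test in this commit. `while [ ! -s "$ready_file" -a "$counter" -lt 20 ]` uses the deprecated `-a`; `while [ ! -s "$ready_file" ] && [ "$counter" -lt 20 ]` is the portable form. `ready_file=`pwd`/wolfssl_pk_ready$$` is fine as a per-run name but would read better as `ready_file=$(pwd)/wolfssl_pk_ready$$`.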

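--- a/android/extern/wolfssl/scripts/psk.test
+++ b/android/extern/wolfssl/scripts/psk.test
@@ -0,0 +1,166 @@
+#!/bin/bash
+# psk.test
+# copyright wolfSSL 2016
+# if we can, isolate the network namespace to eliminate port collisions.
+if [[ -n "$NETWORK_UNSHARE_HELPER" ]]; then
+if [[ -z "$NETWORK_UNSHARE_HELPER_CALLED" ]]; then
+export NETWORK_UNSHARE_HELPER_CALLED=yes
+exec "$NETWORK_UNSHARE_HELPER" "$0" "$@" || exit $?
+fi
+elif [ "${AM_BWRAPPED-}" != "yes" ]; then
+bwrap_path="$(command -v bwrap)"
+if [ -n "$bwrap_path" ]; then
+export AM_BWRAPPED=yes
+exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
+fi
+unset AM_BWRAPPED
+fi
+# getting unique port is modeled after resume.test script
+# need a unique port since may run the same time as testsuite
+# use server port zero hack to get one
+port=0
+no_pid=-1
+server_pid=$no_pid
+counter=0
+# let's use absolute path to a local dir (make distcheck may be in sub dir)
+# also let's add some randomness by adding pid in case multiple 'make check's
+# per source tree
+ready_file=`pwd`/wolfssl_psk_ready$$
+echo "ready file \"$ready_file\""
+create_port() {
+while [ ! -s "$ready_file" -a "$counter" -lt 20 ]; do
+echo -e "waiting for ready file..."
+sleep 0.1
+counter=$((counter+ 1))
+done
+if test -e "$ready_file"; then
+echo -e "found ready file, starting client..."
+# sleep for an additional 0.1 to mitigate race on write/read of $ready_file:
+sleep 0.1
+# get created port 0 ephemeral port
+port=`cat "$ready_file"`
+else
+echo -e "NO ready file ending test..."
+do_cleanup
+fi
+}
+remove_ready_file() {
+if test -e "$ready_file"; then
+echo -e "removing existing ready file"
+rm "$ready_file"
+fi
+}
+do_cleanup() {
+echo "in cleanup"
+if [ $server_pid != $no_pid ]
+then
+echo "killing server"
+kill -9 $server_pid
+fi
+remove_ready_file
+}
+do_trap() {
+echo "got trap"
+do_cleanup
+exit 1
+}
+trap do_trap INT TERM
+[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
+./examples/client/client '-?' 2>&1 | grep -- 'Client not compiled in!'
+if [ $? -eq 0 ]; then
+exit 0
+fi
+./examples/server/server '-?' 2>&1 | grep -- 'Server not compiled in!'
+if [ $? -eq 0 ]; then
+exit 0
+fi
+# Usual psk server / psk client. This use case is tested in
+# tests/unit.test and is used here for just checking if PSK is enabled
+port=0
+./examples/server/server -s -R "$ready_file" -p $port &
+server_pid=$!
+create_port
+./examples/client/client -s -p $port
+RESULT=$?
+remove_ready_file
+# if fail here then is a settings issue so return 0
+if [ $RESULT -ne 0 ]; then
+echo -e "\n\nPSK not enabled"
+do_cleanup
+exit 0
+fi
+echo ""
+# client test against the server
+###############################
+./examples/client/client -v 3 2>&1 | grep -- 'Bad SSL version'
+if [ $? -ne 0 ]; then
+# Usual server / client. This use case is tested in
+# tests/unit.test and is used here for just checking if cipher suite
+# is available (one case for example is with disable-asn)
+port=0
+./examples/server/server -R "$ready_file" -p $port -l DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-DES-CBC3-SHA &
+server_pid=$!
+create_port
+./examples/client/client -p $port
+RESULT=$?
+remove_ready_file
+# if fail here then is a settings issue so return 0
+if [ $RESULT -ne 0 ]; then
+echo -e "\n\nIssue with chosen non PSK suites"
+do_cleanup
+exit 0
+fi
+echo ""
+# psk server with non psk client
+port=0
+./examples/server/server -j -R "$ready_file" -p $port &
+server_pid=$!
+create_port
+./examples/client/client -p $port
+RESULT=$?
+remove_ready_file
+if [ $RESULT -ne 0 ]; then
+echo -e "\n\nClient connection failed"
+do_cleanup
+exit 1
+fi
+echo ""
+# check fail if no auth, psk server with non psk client
+echo "Checking fail when not sending peer cert"
+port=0
+./examples/server/server -j -R "$ready_file" -p $port &
+server_pid=$!
+create_port
+./examples/client/client -x -p $port
+RESULT=$?
+remove_ready_file
+if [ $RESULT -eq 0 ]; then
+echo -e "\n\nClient connected when supposed to fail"
+do_cleanup
+exit 1
+fi
+fi
+echo -e "\nALL Tests Passed"
+exit 0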
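Review bot: In create_port the "NO ready file ending test..." branch calls `do_cleanup` but does not exit, so the script falls through and runs `./examples/client/client -s -p $port` against port 0, turning a server start-up failure into a misleading client error; the sibling scripts in this commit (pkcallbacks.test, resume.test) `exit 1` at that point, and `do_cleanup; exit 1` would match them. `counter` is never reset between the four create_port calls, so after one slow server start the later waits get fewer of the 20 iterations — a `counter=0` at the top of create_port fixes that. `kill -9 $server_pid` in do_cleanup would be better as a plain `kill $server_pid` first, as noted on pkcallbacks.test.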


@@ -0,0 +1,164 @@
#!/bin/bash
#resume.test
# if we can, isolate the network namespace to eliminate port collisions.
if [[ -n "$NETWORK_UNSHARE_HELPER" ]]; then
if [[ -z "$NETWORK_UNSHARE_HELPER_CALLED" ]]; then
export NETWORK_UNSHARE_HELPER_CALLED=yes
exec "$NETWORK_UNSHARE_HELPER" "$0" "$@" || exit $?
fi
elif [ "${AM_BWRAPPED-}" != "yes" ]; then
bwrap_path="$(command -v bwrap)"
if [ -n "$bwrap_path" ]; then
export AM_BWRAPPED=yes
exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
fi
unset AM_BWRAPPED
fi
# need a unique resume port since may run the same time as testsuite
# use server port zero hack to get one
resume_string="reused"
resume_sup_string="Resume session"
ems_string="Extended\ Master\ Secret"
resume_port=0
no_pid=-1
server_pid=$no_pid
counter=0
# let's use absolute path to a local dir (make distcheck may be in sub dir)
# also let's add some randomness by adding pid in case multiple 'make check's
# per source tree
ready_file=`pwd`/wolfssl_resume_ready$$
echo "ready file $ready_file"
remove_ready_file() {
if test -e "$ready_file"; then
echo -e "removing existing ready file"
rm "$ready_file"
fi
}
do_cleanup() {
echo "in cleanup"
if [ $server_pid != $no_pid ]
then
echo "killing server"
kill -9 $server_pid
fi
remove_ready_file
}
do_trap() {
echo "got trap"
do_cleanup
exit 1
}
do_test() {
echo -e "\nStarting example server for resume test...\n"
#make sure we support session resumption (!NO_SESSION_CACHE)
# Check the client for the extended master secret disable option. If
# present we need to run the test twice.
options_check=`./examples/client/client '-?'`
case "$options_check" in
*$resume_sup_string*)
echo -e "\nResume test supported";;
*)
echo -e "\nResume test not supported with build"
return;;
esac
remove_ready_file
echo "./examples/server/server -r -R \"$ready_file\" -p $resume_port"
./examples/server/server -r -R "$ready_file" -p $resume_port &
server_pid=$!
while [ ! -s "$ready_file" -a "$counter" -lt 20 ]; do
echo -e "waiting for ready file..."
sleep 0.1
counter=$((counter+ 1))
done
if test -e "$ready_file"; then
echo -e "found ready file, starting client..."
else
echo -e "NO ready file ending test..."
do_cleanup
exit 1
fi
# sleep for an additional 0.1 to mitigate race on write/read of $ready_file:
sleep 0.1
# get created port 0 ephemeral port
resume_port=`cat "$ready_file"`
echo "./examples/client/client $1 -r -p $resume_port"
capture_out=$(./examples/client/client $1 -r -p $resume_port 2>&1)
client_result=$?
if [ $client_result != 0 ]
then
echo -e "client failed!\ncapture_out=$capture_out\nclient_result=$client_result"
do_cleanup
exit 1
fi
wait $server_pid
server_result=$?
remove_ready_file
if [ $server_result != 0 ]
then
echo -e "client failed!"
exit 1
fi
case "$capture_out" in
*$resume_string*)
echo "resumed session" ;;
*)
echo "did NOT resume session as expected"
exit 1
;;
esac
}
trap do_trap INT TERM
./examples/client/client '-?' 2>&1 | grep -- 'Client not compiled in!'
if [ $? -ne 0 ]; then
./examples/server/server '-?' 2>&1 | grep -- 'Server not compiled in!'
if [ $? -ne 0 ]; then
RUN_TEST="Y"
fi
fi
./examples/client/client '-?' 2>&1 | grep -- 'Resume session'
if [ $? -ne 0 ]; then
RUN_TEST="Y"
fi
if [ "$RUN_TEST" = "Y" ]; then
do_test
# Check the client for the extended master secret disable option. If
# present we need to run the test twice.
options_check=`./examples/client/client -?`
case "$options_check" in
*$ems_string*)
echo -e "\nRepeating resume test without extended master secret..."
do_test -n ;;
*)
;;
esac
fi
echo -e "\nSuccess!\n"
exit 0
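Review bot: The message on the server failure path in do_test is wrong: after `wait $server_pid` a non-zero `server_result` prints `echo -e "client failed!"`, which should read `echo -e "server failed!"` so the log names the right process. The gating near the bottom also looks inverted — `grep -- 'Resume session'` followed by `if [ $? -ne 0 ]; then RUN_TEST="Y"` enables the run precisely when the client help does not advertise resumption, which only works because do_test re-checks `$resume_sup_string` and returns early; worth confirming the intent. `counter` is a global that do_test increments but never resets, so the second `do_test -n` run starts its ready-file wait with whatever the first run left over.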


@@ -0,0 +1,98 @@
#!/bin/bash
# Run this script from the wolfSSL root
if [ ! -f wolfssl/ssl.h ]; then
echo "Run from the wolfssl root"
exit 1
fi
run_sequence() {
if [ "$1" == "dh" ] || [ "$1" == "ecc" ]; then
# TLS v1.3
./examples/server/server -v 4 -l TLS13-AES128-GCM-SHA256 &
sleep 0.1
./examples/client/client -v 4 -l TLS13-AES128-GCM-SHA256
./examples/server/server -v 4 -l TLS13-AES256-GCM-SHA384 &
sleep 0.1
./examples/client/client -v 4 -l TLS13-AES256-GCM-SHA384
./examples/server/server -v 4 -l TLS13-CHACHA20-POLY1305-SHA256 &
sleep 0.1
./examples/client/client -v 4 -l TLS13-CHACHA20-POLY1305-SHA256
fi
if [ "$1" == "dh-resume" ] || [ "$1" == "ecc-resume" ]; then
# TLS v1.3 Resumption
./examples/server/server -v 4 -l TLS13-AES128-GCM-SHA256 -r &
sleep 0.1
./examples/client/client -v 4 -l TLS13-AES128-GCM-SHA256 -r
./examples/server/server -v 4 -l TLS13-AES256-GCM-SHA384 -r &
sleep 0.1
./examples/client/client -v 4 -l TLS13-AES256-GCM-SHA384 -r
./examples/server/server -v 4 -l TLS13-CHACHA20-POLY1305-SHA256 -r &
sleep 0.1
./examples/client/client -v 4 -l TLS13-CHACHA20-POLY1305-SHA256 -r
fi
if [ "$1" == "x25519" ]; then
# TLS v1.3
./examples/server/server -v 4 -l TLS13-AES128-GCM-SHA256 -c ./certs/ed25519/server-ed25519.pem -k ./certs/ed25519/server-ed25519-priv.pem -A ./certs/ed25519/client-ed25519.pem &
sleep 0.1
./examples/client/client -v 4 -l TLS13-AES128-GCM-SHA256 -c ./certs/ed25519/client-ed25519.pem -k ./certs/ed25519/client-ed25519-priv.pem -A ./certs/ed25519/root-ed25519.pem
./examples/server/server -v 4 -l TLS13-AES256-GCM-SHA384 -c ./certs/ed25519/server-ed25519.pem -k ./certs/ed25519/server-ed25519-priv.pem -A ./certs/ed25519/client-ed25519.pem &
sleep 0.1
./examples/client/client -v 4 -l TLS13-AES256-GCM-SHA384 -c ./certs/ed25519/client-ed25519.pem -k ./certs/ed25519/client-ed25519-priv.pem -A ./certs/ed25519/root-ed25519.pem
./examples/server/server -v 4 -l TLS13-CHACHA20-POLY1305-SHA256 -c ./certs/ed25519/server-ed25519.pem -k ./certs/ed25519/server-ed25519-priv.pem -A ./certs/ed25519/client-ed25519.pem &
sleep 0.1
./examples/client/client -v 4 -l TLS13-CHACHA20-POLY1305-SHA256 -c ./certs/ed25519/client-ed25519.pem -k ./certs/ed25519/client-ed25519-priv.pem -A ./certs/ed25519/root-ed25519.pem
fi
# Run: with x25519_resume
if [ "$1" == "x25519-resume" ]; then
# TLS v1.3 Resumption
./examples/server/server -v 4 -l TLS13-AES128-GCM-SHA256 -r -c ./certs/ed25519/server-ed25519.pem -k ./certs/ed25519/server-ed25519-priv.pem -A ./certs/ed25519/client-ed25519.pem &
sleep 0.1
./examples/client/client -v 4 -l TLS13-AES128-GCM-SHA256 -r -c ./certs/ed25519/client-ed25519.pem -k ./certs/ed25519/client-ed25519-priv.pem -A ./certs/ed25519/root-ed25519.pem
./examples/server/server -v 4 -l TLS13-AES256-GCM-SHA384 -r -c ./certs/ed25519/server-ed25519.pem -k ./certs/ed25519/server-ed25519-priv.pem -A ./certs/ed25519/client-ed25519.pem &
sleep 0.1
./examples/client/client -v 4 -l TLS13-AES256-GCM-SHA384 -r -c ./certs/ed25519/client-ed25519.pem -k ./certs/ed25519/client-ed25519-priv.pem -A ./certs/ed25519/root-ed25519.pem
./examples/server/server -v 4 -l TLS13-CHACHA20-POLY1305-SHA256 -r -c ./certs/ed25519/server-ed25519.pem -k ./certs/ed25519/server-ed25519-priv.pem -A ./certs/ed25519/client-ed25519.pem &
sleep 0.1
./examples/client/client -v 4 -l TLS13-CHACHA20-POLY1305-SHA256 -r -c ./certs/ed25519/client-ed25519.pem -k ./certs/ed25519/client-ed25519-priv.pem -A ./certs/ed25519/root-ed25519.pem
fi
# TLS v1.3 Hello Retry Request
if [ "$1" == "hrr" ]; then
# TLS v1.3 Hello Retry Request
./examples/server/server -v 4 -i -x -g &
server_pid=$!
sleep 0.1
./examples/client/client -v 4 -J
kill $server_pid
fi
sleep 1
}
run_capture(){
echo -e "\nconfiguring and building wolfssl..."
./configure --enable-sniffer $2 1>/dev/null || exit $?
make 1>/dev/null || exit $?
echo "starting capture"
tcpdump -i lo0 -nn port 11111 -w ./scripts/sniffer-tls13-$1.pcap &
tcpdump_pid=$!
run_sequence $1
kill $tcpdump_pid
}
run_capture "ecc" ""
run_capture "ecc-resume" "--enable-session-ticket"
run_capture "dh" "--disable-ecc"
run_capture "dh-resume" "--disable-ecc --enable-session-ticket"
run_capture "x25519" "--enable-curve25519 --disable-dh --disable-ecc"
run_capture "x25519-resume" "--enable-curve25519 --disable-dh --disable-ecc --enable-session-ticket"
run_capture "hrr" "--disable-dh CFLAGS=-DWOLFSSL_SNIFFER_WATCH"
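Review bot: `kill $tcpdump_pid` in run_capture is not followed by `wait $tcpdump_pid`, so the script moves on to the next `./configure`/`make` while tcpdump may still be flushing, and the tail of `./scripts/sniffer-tls13-$1.pcap` can be lost; `kill $tcpdump_pid; wait $tcpdump_pid 2>/dev/null` closes that window. `-i lo0` is the macOS loopback name and on Linux would be `lo`, so this presumably only runs on the host that produced the checked-in captures — a one-line comment saying so would save the next person a confusing failure. `$1` is unquoted in `run_sequence $1` and in the pcap name, while `$2` is deliberately word-split into several configure flags; quoting the former keeps that distinction visible.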



@@ -0,0 +1,151 @@
#!/bin/bash
#sniffer-testsuite.test
# if we can, isolate the network namespace to eliminate port collisions.
if [[ -n "$NETWORK_UNSHARE_HELPER" ]]; then
if [[ -z "$NETWORK_UNSHARE_HELPER_CALLED" ]]; then
export NETWORK_UNSHARE_HELPER_CALLED=yes
exec "$NETWORK_UNSHARE_HELPER" "$0" "$@" || exit $?
fi
elif [ "${AM_BWRAPPED-}" != "yes" ]; then
bwrap_path="$(command -v bwrap)"
if [ -n "$bwrap_path" ]; then
export AM_BWRAPPED=yes
exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
fi
unset AM_BWRAPPED
fi
has_tlsv13=no
./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'tls_v13 '
if [ $? -eq 0 ]; then
has_tlsv13=yes
fi
has_tlsv12=no
./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'tls_v12 '
if [ $? -eq 0 ]; then
has_tlsv12=yes
fi
has_rsa=no
./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'rsa '
if [ $? -eq 0 ]; then
has_rsa=yes
fi
has_ecc=no
./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'ecc '
if [ $? -eq 0 ]; then
has_ecc=yes
fi
has_x25519=no
./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'x22519 '
if [ $? -eq 0 ]; then
has_x25519=yes
fi
has_dh=no
./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'dh '
if [ $? -eq 0 ]; then
has_dh=yes
fi
# ./configure --enable-sniffer [--enable-session-ticket]
# Resumption tests require "--enable-session-ticket"
session_ticket=no
./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'session_ticket '
if [ $? -eq 0 ]; then
session_ticket=yes
fi
has_static_rsa=no
./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'rsa_static '
if [ $? -eq 0 ]; then
has_static_rsa=yes
fi
RESULT=0
# TLS v1.2 Static RSA Test
if test $RESULT -eq 0 && test $has_rsa == yes && test $has_tlsv12 == yes && test $has_static_rsa == yes
then
echo -e "\nStaring snifftest on testsuite.pcap...\n"
./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-static-rsa.pcap ./certs/server-key.pem 127.0.0.1 11111
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\nsnifftest static RSA failed\n" && exit 1
fi
# TLS v1.2 Static RSA Test (IPv6)
if test $RESULT -eq 0 && test $has_rsa == yes && test $has_tlsv12 == yes && test $has_static_rsa == yes
then
echo -e "\nStaring snifftest on sniffer-ipv6.pcap...\n"
./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-ipv6.pcap ./certs/server-key.pem ::1 11111
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\nsnifftest (ipv6) failed\n" && exit 1
fi
# TLS v1.3 sniffer test ECC
if test $RESULT -eq 0 && test $has_tlsv13 == yes && test $has_ecc == yes
then
./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-ecc.pcap ./certs/statickeys/ecc-secp256r1.pem 127.0.0.1 11111
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 ECC failed\n" && exit 1
fi
# TLS v1.3 sniffer test DH
if test $RESULT -eq 0 && test $has_tlsv13 == yes && test $has_dh == yes
then
./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-dh.pcap ./certs/statickeys/dh-ffdhe2048.pem 127.0.0.1 11111
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 DH failed\n" && exit 1
fi
# TLS v1.3 sniffer test X25519
if test $RESULT -eq 0 && test $has_tlsv13 == yes && test $has_x25519 == yes
then
./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-x25519.pcap ./certs/statickeys/x25519.pem 127.0.0.1 11111
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 X25519 failed\n" && exit 1
fi
# TLS v1.3 sniffer test ECC resumption
if test $RESULT -eq 0 && test $has_tlsv13 == yes && test $has_ecc == yes && test $session_ticket == yes
then
./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-ecc-resume.pcap ./certs/statickeys/ecc-secp256r1.pem 127.0.0.1 11111
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 ECC failed\n" && exit 1
fi
# TLS v1.3 sniffer test DH
if test $RESULT -eq 0 && test $has_tlsv13 == yes && test $has_dh == yes && test $session_ticket == yes
then
./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-dh-resume.pcap ./certs/statickeys/dh-ffdhe2048.pem 127.0.0.1 11111
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 DH failed\n" && exit 1
fi
# TLS v1.3 sniffer test X25519
if test $RESULT -eq 0 && test $has_tlsv13 == yes && test $has_x25519 == yes && test $session_ticket == yes
then
./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-x25519-resume.pcap ./certs/statickeys/x25519.pem 127.0.0.1 11111
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 X25519 failed\n" && exit 1
fi
# TLS v1.3 sniffer test hello_retry_request (HRR) with ECDHE
if test $RESULT -eq 0 && test $has_tlsv13 == yes && test $has_ecc == yes
then
./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-hrr.pcap ./certs/statickeys/ecc-secp256r1.pem 127.0.0.1 11111
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 HRR failed\n" && exit 1
fi
echo -e "\nSuccess!\n"
exit 0
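Review bot: The capability probe for X25519 greps for `'x22519 '`, which looks like a typo for `'x25519 '`; as written has_x25519 can never become yes, so the sniffer-tls13-x25519.pcap and sniffer-tls13-x25519-resume.pcap cases are silently skipped on every build, and `grep -- 'x25519 '` restores them. Several of the failure strings are copy-pasted as well: the ECC-resume and DH-resume blocks report "TLS v1.3 ECC failed" / "TLS v1.3 DH failed" and their comments say just "DH" / "X25519", so a log line cannot be mapped back to the failing case without counting blocks. `test $has_rsa == yes` relies on bash's `test` accepting `==`; `=` is the portable spelling.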



@@ -0,0 +1,197 @@
#!/bin/bash
WOLF_ROOT=$(eval "pwd")
echo "WOLF_ROOT set to: \"$WOLF_ROOT\""
cd ../ || exit 5
APP_ROOT=$(eval "pwd")
echo "APP_ROOT set to: \"$APP_ROOT\""
cd ../../ || exit 5
FIRMWARE_ROOT=$(eval "pwd")
echo "FIRMWARE_ROOT set to: \"$FIRMWARE_ROOT\""
cd "$WOLF_ROOT" || exit 5
WOLFCRYPT_SRC_LIST=(wolfcrypt_first hmac random sha256 rsa ecc aes des3 sha
sha512 sha3 dh cmac fips fips_test wolfcrypt_last asn coding
dsa error hash logging md5 memory signature tfm wc_encrypt
wc_port wolfmath
)
assumptions(){
printf '%s\n' "ASSUMPTIONS:"
printf '%s\n' "It is assumed that the firmware directory layout is as follows:"
printf '%s\n' "firmware-root/"
printf '%s\n' "firmware-root/dir1/"
printf '%s\n' "firmware-root/dir1/app-root/"
printf '%s\n' "firmware-root/dir1/app-root/wolfssl-x.x.x-commercial-fips-stm32l4-v2/"
printf '\n\n%s\n' "It is also assumed this script will be run from the directory:"
printf '%s\n' "firmware-root/dir1/app-root/wolfssl-x.x.x-commercial-fips-stm32l4-v2/"
printf '%s\n' "with the command:"
printf '%s\n' "./scripts/stm32l4-v4_0_2_build.sh"
}
flatten_wolfcrypt_sources(){
if [ -d "$WOLF_ROOT" ]; then
for TARGET_FILE in "${WOLFCRYPT_SRC_LIST[@]}"
do
if [ -f "$APP_ROOT/$TARGET_FILE".c ]; then
printf '%s\n' "Removing: APP_ROOT/$TARGET_FILE.c"
rm "$APP_ROOT/$TARGET_FILE".c
fi
printf '%s\n' "WOLF_ROOT/wolfcrypt/src/$TARGET_FILE.c --> APP_ROOT/$TARGET_FILE.c"
cp "$WOLF_ROOT/wolfcrypt/src/$TARGET_FILE".c "$APP_ROOT/"
done
# uncomment to copy over the test app for testing purposes
#cp "$WOLF_ROOT/wolfcrypt/test/test.c" ./
else
printf '%s\n' "Please update the MY_WOLF_RELEASE_VARIABLE to the name"
printf '%s\n' "of the release you received most recently. Currently"
printf '%s\n' "it is set to \"$MY_WOLF_RELEASE_NAME\""
fi
}
update_user_settings(){
if [ -f user_settings.h ]; then
printf '%s\n' "Removing old user_settings.h"
rm user_settings.h
fi
printf '%s\n' "Generating new user_settings.h..."
touch user_settings.h
printf '%s\n' "#ifndef STM32L4_V_4_0_1_USER_SETTINGS_H" > user_settings.h
{
printf '%s\n' "#define STM32L4_V_4_0_1_USER_SETTINGS_H";
printf '%s\n' "";
printf '%s\n' "/* FIPS SETTINGS - BEGIN */";
printf '%s\n' "#define HAVE_FIPS";
printf '%s\n' "#define HAVE_FIPS_VERSION 2";
printf '%s\n' "#define NO_THREAD_LS";
printf '%s\n' "#define NO_STRICT_ECDSA_LEN";
printf '%s\n' "#define HAVE_ECC";
printf '%s\n' "#define HAVE_HKDF";
printf '%s\n' "#define HAVE_AESCCM";
printf '%s\n' "#define HAVE_AES_ECB";
printf '%s\n' "#define HAVE_ECC_CDH";
printf '%s\n' "#define HAVE_FFDHE_Q";
printf '%s\n' "#define HAVE_FFDHE_2048"; # NEW
printf '%s\n' "#define HAVE_HASHDRBG";
printf '%s\n' "#define WOLFSSL_SHA3";
printf '%s\n' "#define WOLFSSL_CMAC";
printf '%s\n' "#define WOLFSSL_SHA224";
printf '%s\n' "#define WOLFSSL_SHA384";
printf '%s\n' "#define WOLFSSL_SHA512";
printf '%s\n' "#define WOLFSSL_KEY_GEN";
printf '%s\n' "#define WOLFSSL_PUBLIC_MP";
printf '%s\n' "#define WOLFSSL_AES_DIRECT";
printf '%s\n' "#define WOLFSSL_AES_COUNTER";
printf '%s\n' "#define WOLFSSL_BASE64_ENCODE";
printf '%s\n' "#define WOLFSSL_VALIDATE_FFC_IMPORT";
printf '%s\n' "#define WOLFSSL_VALIDATE_ECC_IMPORT";
printf '%s\n' "#define WC_RSA_PSS";
printf '%s\n' "#define WC_RSA_NO_PADDING";
# NEW printf '%s\n' "#define WC_RSA_BLINDING";
printf '%s\n' "#define FP_MAX_BITS 8192";
printf '%s\n' "";
printf '%s\n' "/* For operational testing use only in validation effort */";
# printf '%s\n' "/* #define HAVE_FORCE_FIPS_FAILURE */";
printf '%s\n' "#define HAVE_FORCE_FIPS_FAILURE";
printf '%s\n' "/* FIPS SETTINGS - END */";
printf '%s\n' "";
printf '%s\n' "/* Debugging */";
printf '%s\n' "/* #define WOLFSSL_DEBUG_MEMORY */";
printf '%s\n' "/* #define WOLFSSL_TRACK_MEMORY */";
printf '%s\n' "/* #define WOLFSSL_DEBUG_MEMORY_PRINT */";
printf '%s\n' "/* Debugging */";
printf '%s\n' "";
printf '%s\n' "/* Environment settings */";
printf '%s\n' "#define NO_FILESYSTEM";
printf '%s\n' "#define USE_FAST_MATH";
printf '%s\n' "#define NO_MAIN_DRIVER";
printf '%s\n' "#define WOLFCRYPT_ONLY";
printf '%s\n' "#define WC_RSA_BLINDING";
printf '%s\n' "#define SINGLE_THREADED";
printf '%s\n' "#define TFM_TIMING_RESISTANT";
printf '%s\n' "#define ECC_TIMING_RESISTANT";
printf '%s\n' "#define USE_CERT_BUFFERS_256";
printf '%s\n' "#define USE_CERT_BUFFERS_2048";
printf '%s\n' "#define WOLFSSL_STM32L4";
printf '%s\n' "#define WOLFSSL_STM32_CUBEMX";
printf '%s\n' "#define WOLFSSL_CUBEMX_USE_LL";
printf '%s\n' "#define STM32_RNG";
printf '%s\n' "#define NO_STM32_CRYPTO";
printf '%s\n' "#define NO_STM32_HASH";
printf '%s\n' "#define NO_OLD_RNGNAME";
printf '%s\n' "/* Environment settings */";
printf '%s\n' "";
printf '%s\n' "/* Tuning options */";
printf '%s\n' "#define ALT_ECC_SIZE";
printf '%s\n' "#define NO_RC4";
printf '%s\n' "#define NO_MD4";
printf '%s\n' "#define NO_PSK";
printf '%s\n' "#define GCM_SMALL";
printf '%s\n' "#define TFM_ECC256";
printf '%s\n' "#define ECC_SHAMIR";
printf '%s\n' "#define HAVE_AESGCM";
printf '%s\n' "#define NO_PWDBASED";
printf '%s\n' "/* Tuning options */";
printf '%s\n' "";
printf '%s\n' "/* Non-FIPS related settings */";
printf '%s\n' "#define HAVE_TLS_EXTENSIONS";
printf '%s\n' "#define HAVE_EXTENDED_MASTER";
printf '%s\n' "#define HAVE_SUPPORTED_CURVES";
printf '%s\n' "/* Non-FIPS related settings */";
printf '%s\n' "";
printf '%s\n' "/* Agent harness settings */";
printf '%s\n' "#define USE_NORMAL_PRINTF";
printf '%s\n' "#define STM32L4R9I_DISCO";
printf '%s\n' "#define USE_NORMAL_SCAN";
printf '%s\n' "#define HAVE_FIPS";
printf '%s\n' "#define HAVE_FIPS_VERSION 2";
printf '%s\n' "#define VERIFY_GENERATED_PSS_SIGS";
printf '%s\n' "/* Agent harness settings */";
printf '%s\n' "";
printf '%s\n' "#endif /* STM32L4_V_4_0_1_USER_SETTINGS_H */";
printf '%s\n' "";
} >> user_settings.h
printf '%s\n' "new user_settings.h has been created"
}
assumptions
if [ -f wolfssl/ssl.h ]; then
if [ -f "$FIRMWARE_ROOT"/project.mk ]; then
printf '%s\n' "Found ../../../project.mk, wolfSSL properly placed in"
printf '%s\n' "application root directory"
else
printf '%s\n' "Failed to locate ../../../project.mk, wolfSSL in wrong"
printf '%s\n' "location or assumptions need updated."
fi
else
printf '%s\n' "Run this script from the wolfSSL root directory"
exit 1
fi
flatten_wolfcrypt_sources
# optional test application, remove if not testing
if [ -f "$APP_ROOT/test.c" ]; then
printf '%s\n' "Removing: $APP_ROOT/test.c"
rm "$APP_ROOT/test.c"
fi
printf '%s\n' "WOLF_ROOT/wolfcrypt/test/test.c --> APP_ROOT/test.c"
cp "$WOLF_ROOT/wolfcrypt/test/test.c" "$APP_ROOT/"
# optional test application section end
# used during fips validation only, these will not be in final distribution
#./scripts/flatten-agent-sources.sh
#./scripts/flatten-op-test.sh
# used during fips validation only, these will not be in final distribution
update_user_settings
cd "$FIRMWARE_ROOT"
make clean
make -j 1
cd "$APP_ROOT"
make install-target
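Review bot: The generated user_settings.h unconditionally emits `#define HAVE_FORCE_FIPS_FAILURE` directly after the comment restricting it to "operational testing use only in validation effort", and the commented-out form on the line above it reads as the intended default; firmware built with this script as-is gets a crypto module that deliberately fails its FIPS self-test. I would make it opt-in, e.g. wrap that printf in `if [ "${FORCE_FIPS_FAILURE:-0}" = "1" ]; then … fi` (constructed variable name) or restore the commented-out line. The two `cd` calls before `make clean` and `make install-target` also lack the `|| exit 5` guard the three earlier `cd` calls use, so a failed directory change would run make in the wrong tree: `cd "$FIRMWARE_ROOT" || exit 5`. The message in the else branch of flatten_wolfcrypt_sources refers to `$MY_WOLF_RELEASE_NAME`, which this script never sets, while the branch actually fires when `$WOLF_ROOT` is not a directory; the message should say that instead.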


@@ -0,0 +1,358 @@
#!/bin/bash
# tls13.test
# Copyright wolfSSL 2016-2021
# if we can, isolate the network namespace to eliminate port collisions.
if [[ -n "$NETWORK_UNSHARE_HELPER" ]]; then
if [[ -z "$NETWORK_UNSHARE_HELPER_CALLED" ]]; then
export NETWORK_UNSHARE_HELPER_CALLED=yes
exec "$NETWORK_UNSHARE_HELPER" "$0" "$@" || exit $?
fi
elif [ "${AM_BWRAPPED-}" != "yes" ]; then
bwrap_path="$(command -v bwrap)"
if [ -n "$bwrap_path" ]; then
export AM_BWRAPPED=yes
exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
fi
unset AM_BWRAPPED
fi
# retries to mitigate race on early data:
early_data_try_max=10
# getting unique port is modeled after resume.test script
# need a unique port since may run the same time as testsuite
# use server port zero hack to get one
port=0
no_pid=-1
server_pid=$no_pid
counter=0
# let's use absolute path to a local dir (make distcheck may be in sub dir)
# also let's add some randomness by adding pid in case multiple 'make check's
# per source tree
ready_file="$(pwd)/wolfssl_tls13_ready$$"
client_file="$(pwd)/wolfssl_tls13_client$$"
# Server output
server_out_file="$(pwd)/wolfssl_tls13_server_out$$"
# Client output
client_out_file="$(pwd)/wolfssl_tls13_client_out$$"
echo "ready file \"$ready_file\""
create_port() {
while [ ! -s "$ready_file" ]; do
if [ "$counter" -gt 50 ]; then
break
fi
echo -e "waiting for ready file..."
sleep 0.1
counter=$((counter+ 1))
done
if [ -e "$ready_file" ]; then
echo -e "found ready file, starting client..."
# sleep for an additional 0.1 to mitigate race on write/read of $ready_file:
sleep 0.1
# get created port 0 ephemeral port
port="$(cat "$ready_file")"
else
echo -e "NO ready file ending test..."
do_cleanup
fi
}
remove_ready_file() {
if [ -e "$ready_file" ]; then
echo -e "removing existing ready file"
rm "$ready_file"
fi
}
do_cleanup() {
echo "in cleanup"
if [ $server_pid != $no_pid ]
then
echo "killing server"
kill -9 $server_pid 2>/dev/null
server_pid=$no_pid
fi
remove_ready_file
if [ -e "$client_file" ]; then
echo -e "removing existing client file"
rm "$client_file"
fi
if [ -e "$server_out_file" ]; then
echo -e "removing existing server output file"
rm "$server_out_file"
fi
if [ -e "$client_out_file" ]; then
echo -e "removing existing client output file"
rm "$client_out_file"
fi
}
do_trap() {
echo "got trap"
do_cleanup
exit 1
}
trap do_trap INT TERM
[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
./examples/client/client '-?' 2>&1 | grep -- 'Client not compiled in!'
if [ $? -eq 0 ]; then
exit 0
fi
./examples/server/server '-?' 2>&1 | grep -- 'Server not compiled in!'
if [ $? -eq 0 ]; then
exit 0
fi
# Usual TLS v1.3 server / TLS v1.3 client.
echo -e "\n\nTLS v1.3 server with TLS v1.3 client"
port=0
./examples/server/server -v 4 -R "$ready_file" -p $port &
server_pid=$!
create_port
./examples/client/client -v 4 -p $port | tee "$client_file"
RESULT=$?
remove_ready_file
if [ $RESULT -ne 0 ]; then
echo -e "\n\nTLS v1.3 not enabled"
do_cleanup
exit 1
fi
echo ""
# TLS 1.3 cipher suites server / client.
echo -e "\n\nTLS v1.3 cipher suite mismatch"
port=0
./examples/server/server -v 4 -R "$ready_file" -p $port -l TLS13-AES128-GCM-SHA256 &
server_pid=$!
create_port
./examples/client/client -v 4 -p $port -l TLS13-AES256-GCM-SHA384
RESULT=$?
remove_ready_file
if [ $RESULT -eq 0 ]; then
echo -e "\n\nIssue with mismatched TLS v1.3 cipher suites"
do_cleanup
exit 1
fi
do_cleanup
echo ""
grep -F -e 'NO_CERTS' ./wolfssl/options.h
NO_CERTS=$?
grep -F -e 'WOLFSSL_NO_CLIENT_AUTH' ./wolfssl/options.h
NO_CLIENT_AUTH=$?
if [ $NO_CERTS -ne 0 -a $NO_CLIENT_AUTH -ne 0 ]; then
# TLS 1.3 mutual auth required but client doesn't send certificates.
echo -e "\n\nTLS v1.3 mutual auth fail"
port=0
./examples/server/server -v 4 -F -R "$ready_file" -p $port &
server_pid=$!
create_port
./examples/client/client -v 4 -x -p $port
RESULT=$?
remove_ready_file
if [ $RESULT -eq 0 ]; then
echo -e "\n\nIssue with requiring mutual authentication"
do_cleanup
exit 1
fi
do_cleanup
echo ""
fi
# Check for TLS 1.2 support
./examples/client/client -v 3 2>&1 | grep -F -e 'Bad SSL version'
if [ $? -ne 0 ]; then
# TLS 1.3 server / TLS 1.2 client.
echo -e "\n\nTLS v1.3 server downgrading to TLS v1.2"
port=0
./examples/server/server -v 4 -R "$ready_file" -p $port &
server_pid=$!
create_port
./examples/client/client -v 3 -p $port
RESULT=$?
remove_ready_file
if [ $RESULT -eq 0 ]; then
echo -e "\n\nIssue with TLS v1.3 server downgrading to TLS v1.2"
do_cleanup
exit 1
fi
do_cleanup
echo ""
# TLS 1.2 server / TLS 1.3 client.
echo -e "\n\nTLS v1.3 client upgrading server to TLS v1.3"
port=0
./examples/server/server -v 3 -R "$ready_file" -p $port &
server_pid=$!
create_port
./examples/client/client -v 4 -p $port
RESULT=$?
remove_ready_file
if [ $RESULT -eq 0 ]; then
echo -e "\n\nIssue with TLS v1.3 client upgrading server to TLS v1.3"
do_cleanup
exit 1
fi
do_cleanup
echo ""
echo "Find usable TLS 1.2 cipher suite"
for CS in ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256
do
echo $CS
./examples/client/client -e | grep -F -e "$CS" >/dev/null
if [ "$?" = "0" ]; then
TLS12_CS=$CS
break
fi
do_cleanup
done
if [ "$TLS12_CS" != "" ]; then
# TLS 1.3 downgrade server and client - no common TLS 1.3 ciphers
echo -e "\n\nTLS v1.3 downgrade server and client - no common TLS 1.3 ciphers"
port=0
SERVER_CS="TLS13-AES256-GCM-SHA384:$TLS12_CS"
CLIENT_CS="TLS13-AES128-GCM-SHA256:$TLS12_CS"
./examples/server/server -v d -l $SERVER_CS -R "$ready_file" -p $port &
server_pid=$!
create_port
./examples/client/client -v d -l $CLIENT_CS -p $port
RESULT=$?
remove_ready_file
if [ $RESULT -eq 0 ]; then
echo -e "\n\nTLS v1.3 downgrading to TLS v1.2 due to ciphers"
do_cleanup
exit 1
fi
do_cleanup
echo ""
else
echo "No usable TLS 1.2 cipher suite found"
fi
fi
# Check for EarlyData support
./examples/client/client -? 2>&1 | grep -F -e 'Early data'
if [ $? -eq 0 ]; then
early_data=yes
fi
./examples/client/client -? 2>&1 | grep -F -e 'Shared keys'
if [ $? -eq 0 ]; then
psk=yes
fi
if [ "$early_data" = "yes" ]; then
early_data_try_num=1
while :; do
echo -e "\n\nTLS v1.3 Early Data - session ticket"
port=0
(./examples/server/server -v 4 -r -0 -R "$ready_file" -p $port 2>&1 | \
tee "$server_out_file") &
server_pid=$!
create_port
./examples/client/client -v 4 -r -0 -p $port >"$client_out_file" 2>&1
RESULT=$?
cat "$client_out_file"
remove_ready_file
grep -F -e 'Session Ticket' "$client_out_file"
session_ticket=$?
# wait for the server to quit and write output
wait $server_pid
ed_srv_msg_cnt="$(grep -c -F -e 'Early Data Client message' "$server_out_file")"
ed_srv_status_cnt="$(grep -c -F -e 'Early Data was' "$server_out_file")"
echo "earlydata: session_ticket=${session_ticket} ed_srv_msg_cnt=${ed_srv_msg_cnt} ed_srv_status_cnt=${ed_srv_status_cnt}"
if [ $session_ticket -eq 0 -a $ed_srv_msg_cnt -ne 2 \
-a $ed_srv_status_cnt -ne 2 ]; then
RESULT=1
fi
if [ $RESULT -ne 0 ]; then
echo -e "\n\nIssue with TLS v1.3 Early Data - session ticket"
if [ $early_data_try_num -lt $early_data_try_max ]; then
echo -e "retry #${early_data_try_num}...\n"
: $((++early_data_try_num))
continue
fi
do_cleanup
exit 1
fi
do_cleanup
break
done
echo ""
fi
if [ "$early_data" = "yes" -a "$psk" = "yes" ]; then
echo -e "\n\nTLS v1.3 Early Data - PSK"
port=0
early_data_try_num=1
while :; do
(./examples/server/server -v 4 -s -0 -R "$ready_file" -p $port 2>&1 | \
tee "$server_out_file") &
server_pid=$!
create_port
./examples/client/client -v 4 -s -0 -p $port
RESULT=$?
remove_ready_file
# wait for the server to quit and write output
wait $server_pid
ed_srv_msg_cnt="$(grep -c -F -e 'Early Data Client message' "$server_out_file")"
ed_srv_status_cnt="$(grep -c -F -e 'Early Data was' "$server_out_file")"
echo "PSK earlydata: ed_srv_msg_cnt=${ed_srv_msg_cnt} ed_srv_status_cnt=${ed_srv_status_cnt}"
if [ $ed_srv_msg_cnt -ne 2 -a $ed_srv_status_cnt -ne 1 ]; then
echo
echo "Server out file"
cat "$server_out_file"
echo
echo "Found lines"
grep -F -e 'Early Data' "$server_out_file"
echo -e "\n\nUnexpected 'Early Data' lines."
RESULT=1
fi
if [ $RESULT -ne 0 ]; then
echo -e "\n\nIssue with TLS v1.3 Early Data - PSK"
if [ $early_data_try_num -lt $early_data_try_max ]; then
echo -e "retry #${early_data_try_num}...\n"
: $((++early_data_try_num))
continue
fi
do_cleanup
exit 1
fi
break
done
else
echo "Early Data not available"
fi
do_cleanup
echo -e "\nALL Tests Passed"
exit 0
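Review bot: `counter` in create_port is initialised once at the top of the file and never reset, yet create_port runs for every server start-up in the file, so the 50-poll budget is cumulative; a later test can exhaust it after no real waiting, take the "NO ready file" branch and then continue with a stale `port`, because do_cleanup does not exit. The same pattern (limit 20) is in trusted_peer.test in this commit; resetting at the top of the function fixes both: `counter=0` as the first line of create_port. The early-data checks `[ $session_ticket -eq 0 -a $ed_srv_msg_cnt -ne 2 -a $ed_srv_status_cnt -ne 2 ]` and `[ $ed_srv_msg_cnt -ne 2 -a $ed_srv_status_cnt -ne 1 ]` only fail when both counts are wrong; if either count alone is meant to fail the test, which is how I read the messages around them, these want `||` (and since `-a` is obsolescent in POSIX, the `[ a ] || [ b ]` form). Note also that with `(server | tee) &` the captured `$!` is the subshell, so `kill -9 $server_pid` in do_cleanup on a failure path may not reach the server process itself.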


@@ -0,0 +1,304 @@
#!/bin/bash
# trusted_peer.test
# copyright wolfSSL 2016
# if we can, isolate the network namespace to eliminate port collisions.
if [[ -n "$NETWORK_UNSHARE_HELPER" ]]; then
if [[ -z "$NETWORK_UNSHARE_HELPER_CALLED" ]]; then
export NETWORK_UNSHARE_HELPER_CALLED=yes
exec "$NETWORK_UNSHARE_HELPER" "$0" "$@" || exit $?
fi
elif [ "${AM_BWRAPPED-}" != "yes" ]; then
bwrap_path="$(command -v bwrap)"
if [ -n "$bwrap_path" ]; then
export AM_BWRAPPED=yes
exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
fi
unset AM_BWRAPPED
fi
# getting unique port is modeled after resume.test script
# need a unique port since may run the same time as testsuite
# use server port zero hack to get one
port=0
no_pid=-1
server_pid=$no_pid
counter=0
# let's use absolute path to a local dir (make distcheck may be in sub dir)
# also let's add some randomness by adding pid in case multiple 'make check's
# per source tree
ready_file=`pwd`/wolfssl_tp_ready$$
# variables for certs so can use RSA or ECC
client_cert=`pwd`/certs/client-cert.pem
client_ca=`pwd`/certs/ca-cert.pem
client_key=`pwd`/certs/client-key.pem
ca_key=`pwd`/certs/ca-key.pem
server_cert=`pwd`/certs/server-cert.pem
server_key=`pwd`/certs/server-key.pem
combined_cert=`pwd`/certs/client_combined.pem
wrong_ca=`pwd`/certs/wolfssl-website-ca.pem
wrong_cert=`pwd`/certs/server-revoked-cert.pem
echo "ready file \"$ready_file\""
create_port() {
while [ ! -s "$ready_file" -a "$counter" -lt 20 ]; do
echo -e "waiting for ready file..."
sleep 0.1
counter=$((counter+ 1))
done
if test -e "$ready_file"; then
echo -e "found ready file, starting client..."
# sleep for an additional 0.1 to mitigate race on write/read of $ready_file:
sleep 0.1
# get created port 0 ephemeral port
port=`cat "$ready_file"`
else
echo -e "NO ready file ending test..."
do_cleanup
fi
}
remove_ready_file() {
if test -e "$ready_file"; then
echo -e "removing existing ready file"
rm "$ready_file"
fi
}
do_cleanup() {
echo "in cleanup"
if [ $server_pid != $no_pid ]
then
echo "killing server"
kill -9 $server_pid
fi
remove_ready_file
}
do_trap() {
echo "got trap"
do_cleanup
exit 1
}
trap do_trap INT TERM
[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
# Look for if RSA and/or ECC is enabled and adjust certs/keys
ciphers=`./examples/client/client -e`
if [[ "$ciphers" != *"RSA"* ]]; then
if [[ $ciphers == *"ECDSA"* ]]; then
client_cert=`pwd`/certs/client-ecc-cert.pem
client_ca=`pwd`/certs/server-ecc.pem
client_key=`pwd`/certs/ecc-client-key.pem
ca_key=`pwd`/certs/ecc-key.pem
server_cert=`pwd`/certs/server-ecc.pem
server_key=`pwd`/certs/ecc-key.pem
wrong_ca=`pwd`/certs/server-ecc-comp.pem
wrong_cert=`pwd`/certs/server-ecc-comp.pem
else
echo "configure options not set up for test. No RSA or ECC"
exit 0
fi
fi
# CRL list not set up for tests
crl_test=`./examples/client/client -h`
if [[ "$crl_test" == *"-C "* ]]; then
echo "test not set up to run with CRL"
exit 0
fi
# Test for trusted peer certs build
echo ""
echo "Checking built with trusted peer certs "
echo "-----------------------------------------------------"
port=0
remove_ready_file
./examples/server/server -E "$client_cert" -c "$server_cert" -k "$server_key" -R "$ready_file" -p $port &
server_pid=$!
create_port
./examples/client/client -A "$client_ca" -p $port
RESULT=$?
remove_ready_file
# if fail here then is a settings issue so return 0
if [ $RESULT -ne 0 ]; then
echo -e "\n\nTrusted peer certs not enabled \"WOLFSSL_TRUST_PEER_CERT\""
do_cleanup
exit 0
fi
echo ""
# Test that using no CA's and only trusted peer certs works
echo "Server and Client relying on trusted peer cert loaded"
echo "-----------------------------------------------------"
port=0
./examples/server/server -A "$wrong_ca" -E "$client_cert" -c "$server_cert" -k "$server_key" -R "$ready_file" -p $port &
server_pid=$!
create_port
./examples/client/client -A "$wrong_ca" -E "$server_cert" -c "$client_cert" -p $port
RESULT=$?
remove_ready_file
if [ $RESULT -ne 0 ]; then
echo -e "\nServer and Client trusted peer cert failed!"
do_cleanup
exit 1
fi
echo ""
# Test that using server trusted peer certs works
echo "Server relying on trusted peer cert loaded"
echo "-----------------------------------------------------"
port=0
./examples/server/server -A "$wrong_ca" -E "$client_cert" -c "$server_cert" -k "$server_key" -R "$ready_file" -p $port &
server_pid=$!
create_port
./examples/client/client -A "$client_ca" -c "$client_cert" -p $port
RESULT=$?
remove_ready_file
if [ $RESULT -ne 0 ]; then
echo -e "\nServer trusted peer cert test failed!"
do_cleanup
exit 1
fi
echo ""
# Test that using client trusted peer certs works
echo "Client relying on trusted peer cert loaded"
echo "-----------------------------------------------------"
port=0
./examples/server/server -c "$server_cert" -k "$server_key" -R "$ready_file" -p $port &
server_pid=$!
create_port
./examples/client/client -A "$wrong_ca" -E "$server_cert" -p $port
RESULT=$?
remove_ready_file
if [ $RESULT -ne 0 ]; then
echo -e "\nClient trusted peer cert test failed!"
do_cleanup
exit 1
fi
echo ""
# Test that client fall through to CA works
echo "Client fall through to loaded CAs"
echo "-----------------------------------------------------"
port=0
./examples/server/server -c "$server_cert" -k "$server_key" -R "$ready_file" -p $port &
server_pid=$!
create_port
./examples/client/client -A "$client_ca" -E "$wrong_cert" -p $port
RESULT=$?
remove_ready_file
if [ $RESULT -ne 0 ]; then
echo -e "\nClient trusted peer cert fall through to CA test failed!"
do_cleanup
exit 1
fi
echo ""
# Test that client can fail
# check if using ECC client example is hard coded to load correct ECC ca so skip
if [[ $wrong_ca != *"ecc"* ]]; then
echo "Client wrong CA and wrong trusted peer cert loaded"
echo "-----------------------------------------------------"
port=0
./examples/server/server -c "$server_cert" -k "$server_key" -R "$ready_file" -p $port &
server_pid=$!
create_port
./examples/client/client -A "$wrong_ca" -E "$wrong_cert" -p $port
RESULT=$?
remove_ready_file
if [ $RESULT -eq 0 ]; then
echo -e "\nClient trusted peer cert test failed!"
do_cleanup
exit 1
fi
echo ""
fi
# Test that server can fail
echo "Server wrong CA and wrong trusted peer cert loaded"
echo "-----------------------------------------------------"
port=0
./examples/server/server -A "$wrong_ca" -E "$wrong_cert" -c "$server_cert" -k "$server_key" -R "$ready_file" -p $port &
server_pid=$!
create_port
./examples/client/client -A "$client_ca" -p $port
RESULT=$?
remove_ready_file
if [ $RESULT -eq 0 ]; then
echo -e "\nServer trusted peer cert test failed!"
do_cleanup
exit 1
fi
echo ""
# Test that server fall through to CA works
echo "Server fall through to loaded CAs"
echo "-----------------------------------------------------"
port=0
./examples/server/server -E "$wrong_cert" -c "$server_cert" -k "$server_key" -R "$ready_file" -p $port &
server_pid=$!
create_port
./examples/client/client -A "$client_ca" -p $port
RESULT=$?
remove_ready_file
if [ $RESULT -ne 0 ]; then
echo -e "\nServer trusted peer cert fall through to CA test failed!"
do_cleanup
exit 1
fi
echo ""
# test loading multiple certs
echo "Server loading multiple trusted peer certs"
echo "Test two success cases and one fail case"
echo "-----------------------------------------------------"
port=0
cat "$client_cert" "$client_ca" > "$combined_cert"
./examples/server/server -i -A "$wrong_ca" -E "$combined_cert" -c "$server_cert" -k "$server_key" -R "$ready_file" -p $port &
server_pid=$!
create_port
./examples/client/client -A "$client_ca" -c "$client_cert" -k "$client_key" -p $port
RESULT=$?
if [ $RESULT -ne 0 ]; then
echo -e "\nServer load multiple trusted peer certs failed!"
do_cleanup
exit 1
fi
./examples/client/client -A "$client_ca" -c "$client_ca" -k "$ca_key" -p $port
RESULT=$?
if [ $RESULT -ne 0 ]; then
echo -e "\nServer load multiple trusted peer certs failed!"
do_cleanup
exit 1
fi
./examples/client/client -A "$client_ca" -c "$wrong_cert" -k "$client_key" -p $port
RESULT=$?
if [ $RESULT -eq 0 ]; then
echo -e "\nServer load multiple trusted peer certs failed!"
do_cleanup
exit 1
fi
do_cleanup # kill PID of server running in infinite loop
rm "$combined_cert"
remove_ready_file
echo ""
echo "-----------------------------------------------------"
echo "ALL TESTS PASSED"
echo "-----------------------------------------------------"
exit 0
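Review bot: `combined_cert` is written with a fixed name into the source tree's `certs/` directory (`cat "$client_cert" "$client_ca" > "$combined_cert"`), unlike `ready_file`, which carries the `$$` suffix the comment above it explains; two concurrent `make check` runs share and clobber the file, and a read-only source tree (make distcheck) makes the redirect fail. The three failure exits of the multi-cert test also leave the file behind, since `rm "$combined_cert"` only runs on the success path. I would create it with `combined_cert=$(mktemp)` (or suffix it with `$$`) and remove it inside do_cleanup. Separately, do_cleanup here does not reset `server_pid` to `$no_pid` after the kill, so a second call (the explicit call followed by the INT/TERM trap) re-kills a stale PID; the tls13.test version of the same function in this commit does reset it and silences the kill.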


@@ -0,0 +1,14 @@
#!/bin/sh
if [ -n "$NETWORK_UNSHARE_HELPER" ]; then
exec "${NETWORK_UNSHARE_HELPER}" "@builddir@/tests/unit.test" "$@" || exit $?
elif [ "${AM_BWRAPPED-}" != "yes" ]; then
bwrap_path="$(command -v bwrap)"
if [ -n "$bwrap_path" ]; then
exec "$bwrap_path" --unshare-net --dev-bind / / "@builddir@/tests/unit.test" "$@"
else
exec "@builddir@/tests/unit.test" "$@"
fi
else
exec "@builddir@/tests/unit.test" "$@"
fi
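Review bot: The bwrap branch execs into bwrap whenever the binary exists, but bwrap can fail at startup where unprivileged user namespaces are unavailable (common in containers and some CI images), and because exec has already replaced the shell there is no fall-through to the plain `exec "@builddir@/tests/unit.test" "$@"` branch; the run then fails for an environment reason rather than a test reason. A cheap probe before the exec would preserve the fallback, e.g. `if "$bwrap_path" --unshare-net --dev-bind / / true 2>/dev/null; then`. The `|| exit $?` on the first branch is only reached if exec itself fails, which is worth a short comment so nobody reads it as handling a failing unit.test.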


@@ -0,0 +1,49 @@
#!/bin/sh
if test $# -eq 0; then
echo "user_settings_asm.sh requires one argument specifying compiler flags to pull include directories from." 1>&2
exit 1
fi
# Compress multiple spaces to single spaces, then replace instances of
# "-I " with "-I" (i.e. remove spaces between -I and the include path).
search_string=$(echo "$1" | sed -e 's/ */ /g' -e 's/-I /-I/g')
for token in $search_string
do
case "$token" in
-I*)
# Trim off the leading "-I".
path="${token#-I}"
# Trim off the trailing "/".
path="${path%/}"
if test -e "$path/user_settings.h"; then
user_settings_dir="$path"
user_settings_path="$path/user_settings.h"
break
fi
;;
*)
;;
esac
done
# Fall back to user_settings.h in the current directory.
if test -z "${user_settings_path-}"; then
if test -e "user_settings.h"; then
user_settings_dir="."
user_settings_path="user_settings.h"
fi
fi
if test -z "${user_settings_path-}"; then
echo "Unable to find user_settings.h." 1>&2
exit 1
else
# Strip out anything from user_settings.h that isn't a preprocessor
# directive (i.e. any lines not starting with #). Put the result in
# user_settings_asm.h in the same directory as user_settings.h.
# user_settings_asm.h is safe to include in assembly files (e.g. .S
# files).
sed -e '/^ *#/!d' -e :a -e '$!N;s/\\\n/ /;ta' -e 'P;D' < "$user_settings_path" > "$user_settings_dir/user_settings_asm.h"
fi
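Review bot: As rendered here the first sed expression is `s/ */ /g`, a single space followed by `*`, which matches the empty string at every position and would insert a space between every character of `$1`, so no token would ever start with `-I` and the loop would always fall back to the current directory; the comment says it compresses runs of spaces, which needs two spaces before the star, `'s/  */ /g'`. If the page merely lost a space in rendering this is a non-issue, but it is worth confirming against the actual file (the same single-space form appears in `/^ *#/`, where it is harmless). The word-split `for token in $search_string` also cannot handle include directories containing spaces; since -I flags are themselves space-separated that is a reasonable limit, but it deserves a comment such as `# include paths are split on whitespace; paths containing spaces are not supported`.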