diff --git a/wolfProvider/README.md b/wolfProvider/README.md
new file mode 100644
index 00000000..fc557b65
--- /dev/null
+++ b/wolfProvider/README.md
@@ -0,0 +1,50 @@
+# wolfProvider OSP patches
+
+Patches that adapt upstream open-source projects (curl, krb5, libssh2,
+hostap, etc.) to test cleanly against `wolfProvider` (FIPS and non-FIPS).
+
+## Naming convention
+
+Every patch follows exactly one pattern (no exceptions):
+
+ /--wolfprov.patch (non-FIPS)
+ /--wolfprov-fips.patch (FIPS)
+ /--wolfssl-X.Y.Z-wolfprov.patch (pinned snapshot)
+ /--wolfssl-X.Y.Z-wolfprov-fips.patch (pinned snapshot)
+
+Rules:
+- FIPS is always the `-fips` suffix before `.patch` (never an
+ uppercase `-FIPS-` infix).
+- The provider segment is always `-wolfprov` (never `-wolfprovider`).
+- `` is the upstream version ref the patch targets and may be
+ empty for version-agnostic patches.
+
+- **Universal** name (no `-wolfssl-X.Y.Z-` infix) is the **latest**
+ patch content. By default a patch should be universal — it tracks
+ current wolfSSL master / latest stable and is reused unchanged across
+ wolfSSL version bumps.
+- `-wolfssl-X.Y.Z-` infix marks a **pinned snapshot** for that wolfSSL
+ line. Add one only when the universal patch has diverged in a way
+ that breaks on an older wolfSSL release that is still supported.
+
+When you modify a patch for a new wolfSSL release in a way that breaks
+an older line:
+ 1. Copy the pre-modification content as
+ `-wolfssl--wolfprov[-fips].patch`.
+ 2. Keep editing the universal file for the new wolfSSL release.
+
+## How workflows pick the right patch
+
+`wolfssl/wolfProvider` workflows resolve patches via
+`scripts/resolve-osp-patch.sh`:
+
+| wolfssl_ref | order tried |
+|---------------------|--------------------------------------------|
+| `v5.8.X-stable` | `-wolfssl-5.8.4-` then universal |
+| `v5.9.X-stable` | `-wolfssl-5.9.1-` then universal |
+| `master` / other | universal only |
+
+For FIPS, the helper tries `-wolfprov-fips.patch` and falls back to the
+non-FIPS patch when no FIPS-specific one exists.
Because the naming is
+uniform, the helper stays simple — one pattern, no per-project special
+cases.
diff --git a/wolfProvider/curl/README.md b/wolfProvider/curl/README.md
index 91911fbd..a1be6eb2 100644
--- a/wolfProvider/curl/README.md
+++ b/wolfProvider/curl/README.md
@@ -1,4 +1,9 @@
-`wolfProvider/curl/curl-8_4_0-wolfprov.patch` adds support for testing curl
-`8.4.0` with wolfProvider FIPS in Jenkins. This patch is only needed when
-testing curl with Jenkins. It disables a non crypto related test that IDN
-with different languages.
+`wolfProvider/curl/curl-8_4_0-wolfprov.patch` and
+`wolfProvider/curl/curl-7_88_1-wolfprov.patch` add support for testing the
+respective curl versions with wolfProvider. Both patches disable test 1560
+(`[URL API]` libtest) — a non-crypto IDN-related test that fails under the
+wolfProvider test-deps container regardless of IDN dependencies installed.
+
+These patches must be applied to the curl source tree (e.g. `patch -p1`)
+before running `make test-ci`. If they are not applied, test 1560 will
+appear as an unexpected failure in normal-mode runs.
diff --git a/wolfProvider/curl/curl-7_88_1-wolfprov.patch b/wolfProvider/curl/curl-7_88_1-wolfprov.patch
new file mode 100644
index 00000000..1a583580
--- /dev/null
+++ b/wolfProvider/curl/curl-7_88_1-wolfprov.patch
@@ -0,0 +1,11 @@
+diff --git a/tests/data/DISABLED b/tests/data/DISABLED
+index 6edc0b4..98fa0ab 100644
+--- a/tests/data/DISABLED
++++ b/tests/data/DISABLED
+@@ -106,3 +106,6 @@
+ %if bearssl
+ 313
+ %endif
++# test 1560 requires IDN support - wolfProvider works locally in Jenkins
++# this fails even with the dependency installed
++1560
diff --git a/wolfProvider/grpc/README.md b/wolfProvider/grpc/README.md
index 3a4f80f2..e1a06549 100644
--- a/wolfProvider/grpc/README.md
+++ b/wolfProvider/grpc/README.md
@@ -1,3 +1,3 @@ -`grpc-FIPS-v1.60.0-wolfprov.patch` adds testing support for FIPS and non-FIPS +`grpc-v1.60.0-wolfprov-fips.patch` adds testing support for FIPS and non-FIPS grpc `v1.60.0`. The patch also adds support for the use of `WOLFPROV_FORCE_FAIL=1` env variable. diff --git a/wolfProvider/grpc/grpc-FIPS-v1.60.0-wolfprov.patch b/wolfProvider/grpc/grpc-v1.60.0-wolfprov-fips.patch similarity index 100% rename from wolfProvider/grpc/grpc-FIPS-v1.60.0-wolfprov.patch rename to wolfProvider/grpc/grpc-v1.60.0-wolfprov-fips.patch diff --git a/wolfProvider/hostap/README.md b/wolfProvider/hostap/README.md index 5d9ef0d5..4cfe1b22 100644 --- a/wolfProvider/hostap/README.md +++ b/wolfProvider/hostap/README.md 
@@ -1,11 +1,22 @@
-`wolfProvider/hostap/hostap-main-wolfprov.patch` adds support for testing hostap `main`
-with wolfProvider. It is needed to test the full testing suite.
+`wolfProvider/hostap/hostap-hostap_2_11-wolfprov.patch` adds support for
+testing hostap `hostap_2_11` with non-FIPS wolfProvider. It points the
+legacy provider load in `src/crypto/crypto_openssl.c` at `libwolfprov` and
+makes the `crda` call in `tests/hwsim/vm/inside.sh` non-fatal (`|| true`).
-The patch makes the following changes:
-1. Replaces OpenSSL provider references in `src/crypto/crypto_openssl.c`:
- - Changes "default" provider to "libwolfprov"
- - Changes "legacy" provider to "libwolfprov"
-2. Replaces OpenSSL provider reference in `src/crypto/tls_openssl.c`:
- - Changes "pkcs11" provider to "libwolfprov"
-3. Fixes crda command failure handling in `tests/hwsim/vm/inside.sh`:
- - Adds `|| true` to handle crda command failure gracefully
+`wolfProvider/hostap/hostap-hostap_2_11-wolfprov-fips.patch` is the FIPS
+variant. It includes the changes above and additionally removes hwsim tests
+that require AES Key Wrap, which wolfProvider FIPS does not expose via the
+OpenSSL provider EVP cipher fetch interface. WPA2's 4-way handshake
+(message 3/4) encrypts the GTK with AES Key Wrap, so the affected tests
+cannot pass under FIPS. Removed:
+
+- `test_ap_wpa2_psk` (`tests/hwsim/test_ap_psk.py`)
+- `test_ap_wpa2_eap_tls` (`tests/hwsim/test_ap_eap.py`)
+- `test_ap_wpa2_eap_ttls_eap_gtc` (`tests/hwsim/test_ap_eap.py`)
+- `test_ap_wpa2_eap_peap_eap_tls` (`tests/hwsim/test_ap_eap.py`)
+
+`wolfProvider/hostap/hostap-main-wolfprov.patch` is the equivalent non-FIPS
+patch for hostap `main`. It points the default and legacy provider loads in
+`src/crypto/crypto_openssl.c` and the `pkcs11` provider load in
+`src/crypto/tls_openssl.c` at `libwolfprov`, and makes the same `crda` call
+non-fatal.
diff --git a/wolfProvider/hostap/hostap-hostap_2_11-wolfprov-fips.patch b/wolfProvider/hostap/hostap-hostap_2_11-wolfprov-fips.patch
new file mode 100644
index 00000000..64a29828
--- /dev/null
+++ b/wolfProvider/hostap/hostap-hostap_2_11-wolfprov-fips.patch
@@ -0,0 +1,113 @@
+diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
+index 2d8ff60..1bb28b6 100644
+--- a/src/crypto/crypto_openssl.c
++++ b/src/crypto/crypto_openssl.c
+@@ -196,7 +196,7 @@ void openssl_load_legacy_provider(void)
+ if (openssl_legacy_provider)
+ return;
+
+- openssl_legacy_provider = OSSL_PROVIDER_try_load(NULL, "legacy", 1);
++ openssl_legacy_provider = OSSL_PROVIDER_try_load(NULL, "libwolfprov", 1);
+ #endif /* OpenSSL version >= 3.0 */
+ }
+
+diff --git a/tests/hwsim/test_ap_eap.py b/tests/hwsim/test_ap_eap.py
+index f8e75b5..3820ae0 100644
+--- a/tests/hwsim/test_ap_eap.py
++++ b/tests/hwsim/test_ap_eap.py
+@@ -2000,16 +2000,6 @@ def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
+ dev[2].request("REMOVE_NETWORK all")
+ dev[2].wait_disconnected()
+
+-def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
+- """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
+- params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
+- hapd = hostapd.add_ap(apdev[0], params)
+- eap_connect(dev[0], hapd, "TTLS", "user",
+- anonymous_identity="ttls", password="password",
+- ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
+- hwsim_utils.test_connectivity(dev[0], hapd)
+- eap_reauth(dev[0], "TTLS")
+-
+ def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
+ """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
+ params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
+@@ -2548,17 +2538,6 @@ def test_ap_wpa2_eap_peap_eap_gtc(dev, apdev, params):
+ anonymous_identity="peap", password="password",
+ ca_cert="auth_serv/ca.pem", phase2="auth=GTC")
+
+-def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
+- """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
+- params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
+- hapd = hostapd.add_ap(apdev[0], params)
+- eap_connect(dev[0], hapd, "PEAP", "cert user",
+- ca_cert="auth_serv/ca.pem", phase2="auth=TLS",
+- ca_cert2="auth_serv/ca.pem",
+- 
client_cert2="auth_serv/user.pem",
+- private_key2="auth_serv/user.key")
+- eap_reauth(dev[0], "PEAP")
+-
+ def test_ap_wpa2_eap_peap_eap_vendor(dev, apdev):
+ """WPA2-Enterprise connection using EAP-PEAP/EAP-vendor"""
+ params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
+@@ -2566,15 +2545,6 @@ def test_ap_wpa2_eap_peap_eap_vendor(dev, apdev):
+ eap_connect(dev[0], hapd, "PEAP", "vendor-test-2",
+ ca_cert="auth_serv/ca.pem", phase2="auth=VENDOR-TEST")
+
+-def test_ap_wpa2_eap_tls(dev, apdev):
+- """WPA2-Enterprise connection using EAP-TLS"""
+- params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
+- hapd = hostapd.add_ap(apdev[0], params)
+- eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
+- client_cert="auth_serv/user.pem",
+- private_key="auth_serv/user.key")
+- eap_reauth(dev[0], "TLS")
+-
+ def test_eap_tls_pkcs8_pkcs5_v2_des3(dev, apdev):
+ """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v2 DES3 key"""
+ params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
+diff --git a/tests/hwsim/test_ap_psk.py b/tests/hwsim/test_ap_psk.py
+index 9655093..82e5d5c 100644
+--- a/tests/hwsim/test_ap_psk.py
++++ b/tests/hwsim/test_ap_psk.py
+@@ -35,27 +35,6 @@ def check_mib(dev, vals):
+ raise Exception("Unexpected {} = {} (expected {})".format(v[0], mib[v[0]], v[1]))
+
+ @remote_compatible
+-def test_ap_wpa2_psk(dev, apdev):
+- """WPA2-PSK AP with PSK instead of passphrase"""
+- ssid = "test-wpa2-psk"
+- passphrase = 'qwertyuiop'
+- psk = '602e323e077bc63bd80307ef4745b754b0ae0a925c2638ecd13a794b9527b9e6'
+- params = hostapd.wpa2_params(ssid=ssid)
+- params['wpa_psk'] = psk
+- hapd = hostapd.add_ap(apdev[0], params)
+- key_mgmt = hapd.get_config()['key_mgmt']
+- if key_mgmt.split(' ')[0] != "WPA-PSK":
+- raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
+- dev[0].connect(ssid, raw_psk=psk, scan_freq="2412")
+- dev[1].connect(ssid, psk=passphrase, scan_freq="2412")
+-
+- sig = 
dev[0].request("SIGNAL_POLL").splitlines()
+- pkt = dev[0].request("PKTCNT_POLL").splitlines()
+- if "FREQUENCY=2412" not in sig:
+- raise Exception("Unexpected SIGNAL_POLL value: " + str(sig))
+- if "TXBAD=0" not in pkt:
+- raise Exception("Unexpected TXBAD value: " + str(pkt))
+-
+ def test_ap_wpa2_psk_file(dev, apdev):
+ """WPA2-PSK AP with PSK from a file"""
+ ssid = "test-wpa2-psk"
+diff --git a/tests/hwsim/vm/inside.sh b/tests/hwsim/vm/inside.sh
+index 31dfb9d..424b48b 100755
+--- a/tests/hwsim/vm/inside.sh
++++ b/tests/hwsim/vm/inside.sh
+@@ -163,7 +163,7 @@ else
+ # some tests need CRDA, install a simple uevent helper
+ # and preload the 00 domain it will have asked for already
+ echo $TESTDIR/vm/uevent.sh > /sys/kernel/uevent_helper
+- COUNTRY=00 crda
++ COUNTRY=00 crda || true
+
+ mkdir -p /var/run/dbus
+ touch /var/run/dbus/hwsim-test
diff --git a/wolfProvider/hostap/hostap-hostap_2_11-wolfprov.patch b/wolfProvider/hostap/hostap-hostap_2_11-wolfprov.patch
new file mode 100644
index 00000000..ac254f17
--- /dev/null
+++ b/wolfProvider/hostap/hostap-hostap_2_11-wolfprov.patch
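Review bot: In the test_ap_psk.py part of this patch the `@remote_compatible` line is kept as context while the `def test_ap_wpa2_psk(dev, apdev):` directly under it is removed, so once the patch is applied the decorator attaches to `test_ap_wpa2_psk_file`, a test the patch otherwise leaves untouched. The removal should start one line earlier so the decorator goes with the function, i.e. `-@remote_compatible` followed by `-def test_ap_wpa2_psk(dev, apdev):`. Deleting the four tests outright also makes the lost coverage invisible in the hwsim results; replacing each body with `raise HwsimSkip("AES Key Wrap not available under wolfProvider FIPS")` (from `utils`, if those modules do not already import it) keeps them listed as skipped with the reason. Separately, `OSSL_PROVIDER_try_load(NULL, "libwolfprov", 1)` retains fallback providers and its return value is not checked in the visible lines (the start of `openssl_load_legacy_provider` is outside the patch), so if libwolfprov fails to load the suite presumably continues on OpenSSL's default provider and still passes; the same applies to the non-FIPS patch in the next hunk.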
@@ -0,0 +1,26 @@
+diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
+index 2d8ff60..1bb28b6 100644
+--- a/src/crypto/crypto_openssl.c
++++ b/src/crypto/crypto_openssl.c
+@@ -196,7 +196,7 @@ void openssl_load_legacy_provider(void)
+ if (openssl_legacy_provider)
+ return;
+
+- openssl_legacy_provider = OSSL_PROVIDER_try_load(NULL, "legacy", 1);
++ openssl_legacy_provider = OSSL_PROVIDER_try_load(NULL, "libwolfprov", 1);
+ #endif /* OpenSSL version >= 3.0 */
+ }
+
+diff --git a/tests/hwsim/vm/inside.sh b/tests/hwsim/vm/inside.sh
+index 31dfb9d..424b48b 100755
+--- a/tests/hwsim/vm/inside.sh
++++ b/tests/hwsim/vm/inside.sh
+@@ -163,7 +163,7 @@ else
+ # some tests need CRDA, install a simple uevent helper
+ # and preload the 00 domain it will have asked for already
+ echo $TESTDIR/vm/uevent.sh > /sys/kernel/uevent_helper
+- COUNTRY=00 crda
++ COUNTRY=00 crda || true
+
+ mkdir -p /var/run/dbus
+ touch /var/run/dbus/hwsim-test
diff --git a/wolfProvider/krb5/krb5-1.20.1-final-wolfprov-fips.patch b/wolfProvider/krb5/krb5-1.20.1-final-wolfprov-fips.patch
index 1d380ed0..74d1c625 100644
--- a/wolfProvider/krb5/krb5-1.20.1-final-wolfprov-fips.patch
+++ b/wolfProvider/krb5/krb5-1.20.1-final-wolfprov-fips.patch
@@ -1613,19 +1613,64 @@ index 8c3317fe4..c5b3230a4 100644 TESTDEPS=t_test.o $(KRB5_BASE_DEPLIBS) TESTLIBS=t_test.o $(KRB5_BASE_LIBS)
-diff --git a/src/lib/krb5/krb/Makefile.in b/src/lib/krb5/krb/Makefile.in
-index e4b560fb8..4c25b9d42 100644
---- a/src/lib/krb5/krb/Makefile.in
-+++ b/src/lib/krb5/krb/Makefile.in
-@@ -361,7 +361,7 @@ SRCS= $(srcdir)/addr_comp.c \
- $(srcdir)/t_parse_host_string.c \
- $(srcdir)/t_princ.c \
- $(srcdir)/t_etypes.c \
-- $(srcdir)/t_expire_warn.c \
-+ #$(srcdir)/t_expire_warn.c \
- $(srcdir)/t_authdata.c \
- $(srcdir)/t_cc_config.c \
- $(srcdir)/t_copy_context.c \
+diff --git a/src/lib/krb5/krb/t_expire_warn.py b/src/lib/krb5/krb/t_expire_warn.py
+index e163cc7..2b56d8f 100755
+--- a/src/lib/krb5/krb/t_expire_warn.py
++++ b/src/lib/krb5/krb/t_expire_warn.py
+@@ -26,41 +26,41 @@ from k5test import *
+ realm = K5Realm(create_user=False, create_host=False)
+
+ # Create principals with various password expirations.
+-realm.run([kadminl, 'addprinc', '-pw', 'pass', 'noexpire'])
+-realm.run([kadminl, 'addprinc', '-pw', 'pass', '-pwexpire', '30 minutes',
++realm.run([kadminl, 'addprinc', '-pw', 'password-test12', 'noexpire'])
++realm.run([kadminl, 'addprinc', '-pw', 'password-test12', '-pwexpire', '30 minutes',
+ 'minutes'])
+-realm.run([kadminl, 'addprinc', '-pw', 'pass', '-pwexpire', '12 hours',
++realm.run([kadminl, 'addprinc', '-pw', 'password-test12', '-pwexpire', '12 hours',
+ 'hours'])
+-realm.run([kadminl, 'addprinc', '-pw', 'pass', '-pwexpire', '3 days', 'days'])
++realm.run([kadminl, 'addprinc', '-pw', 'password-test12', '-pwexpire', '3 days', 'days'])
+
+ # Check for expected prompter warnings when no expire callback is used.
+-output = realm.run(['./t_expire_warn', 'noexpire', 'pass', '0', '0'])
++output = realm.run(['./t_expire_warn', 'noexpire', 'password-test12', '0', '0'])
+ if output:
+ fail('Unexpected output for noexpire')
+-realm.run(['./t_expire_warn', 'minutes', 'pass', '0', '0'],
++realm.run(['./t_expire_warn', 'minutes', 'password-test12', '0', '0'],
+ expected_msg=' less than one hour on ')
+-realm.run(['./t_expire_warn', 'hours', 'pass', '0', '0'],
++realm.run(['./t_expire_warn', 'hours', 'password-test12', '0', '0'],
+ expected_msg=' hours on ')
+-realm.run(['./t_expire_warn', 'days', 'pass', '0', '0'],
++realm.run(['./t_expire_warn', 'days', 'password-test12', '0', '0'],
+ expected_msg=' days on ')
+ # Try one case with the stepwise interface.
+-realm.run(['./t_expire_warn', 'days', 'pass', '0', '1'],
++realm.run(['./t_expire_warn', 'days', 'password-test12', '0', '1'],
+ expected_msg=' days on ')
+
+ # Check for expected expire callback behavior. These tests are
+ # carefully agnostic about whether the KDC supports last_req fields,
+ # and could be made more specific if last_req support is added.
+-output = realm.run(['./t_expire_warn', 'noexpire', 'pass', '1', '0'])
++output = realm.run(['./t_expire_warn', 'noexpire', 'password-test12', '1', '0'])
+ if 'password_expiration = 0\n' not in output or \
+ 'account_expiration = 0\n' not in output or \
+ 'is_last_req = ' not in output:
+ fail('Expected callback output not seen for noexpire')
+-output = realm.run(['./t_expire_warn', 'days', 'pass', '1', '0'])
++output = realm.run(['./t_expire_warn', 'days', 'password-test12', '1', '0'])
+ if 'password_expiration = ' not in output or \
+ 'password_expiration = 0\n' in output:
+ fail('Expected non-zero password expiration not seen for days')
+ # Try one case with the stepwise interface.
+-output = realm.run(['./t_expire_warn', 'days', 'pass', '1', '1'])
++output = realm.run(['./t_expire_warn', 'days', 'password-test12', '1', '1'])
+ if 'password_expiration = ' not in output or \
+ 'password_expiration = 0\n' in output:
+ fail('Expected non-zero password expiration not seen for days')
diff --git a/src/lib/krb5/krb/t_get_etype_info.py b/src/lib/krb5/krb/t_get_etype_info.py
index 3c9168591..0529b6729 100644
--- a/src/lib/krb5/krb/t_get_etype_info.py
diff --git a/wolfProvider/libfido2/README.md b/wolfProvider/libfido2/README.md
index c72d510e..9b9dc15d 100644
--- a/wolfProvider/libfido2/README.md
+++ b/wolfProvider/libfido2/README.md
@@ -1,3 +1,3 @@ -`wolfProvider/libfido2/libfido2-FIPS-1.15.0-wolfprov.patch` adds testing support +`wolfProvider/libfido2/libfido2-1.15.0-wolfprov-fips.patch` adds testing support for libfido2 with FIPS wolfprovider. To use this patch make sure to set the flag `HAVE_FIPS` to `ON` when configuring libfido2. This will disable EdDSA tests.
diff --git a/wolfProvider/libfido2/libfido2-FIPS-1.15.0-wolfprov.patch b/wolfProvider/libfido2/libfido2-1.15.0-wolfprov-fips.patch
similarity index 100%
rename from wolfProvider/libfido2/libfido2-FIPS-1.15.0-wolfprov.patch
rename to wolfProvider/libfido2/libfido2-1.15.0-wolfprov-fips.patch
diff --git a/wolfProvider/libmemcached/libmemcached-FIPS-wolfprov.patch b/wolfProvider/libmemcached/libmemcached-wolfprov-fips.patch
similarity index 100%
rename from wolfProvider/libmemcached/libmemcached-FIPS-wolfprov.patch
rename to wolfProvider/libmemcached/libmemcached-wolfprov-fips.patch
diff --git a/wolfProvider/liboauth2/README.md b/wolfProvider/liboauth2/README.md
index af1014b1..fcab649b 100644
--- a/wolfProvider/liboauth2/README.md
+++ b/wolfProvider/liboauth2/README.md
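Review bot: The t_expire_warn.py hunk repeats the literal `'password-test12'` in twelve `realm.run` calls but never says why `'pass'` had to change; a comment above the first `addprinc`, e.g. `# 'pass' is too short for the password-based KDF minimum enforced under wolfProvider FIPS; keep this value long enough`, would record the reason (that is my reading of the change — confirm the actual limit before wording it). Binding the value once, `pw = 'password-test12'`, and passing `pw` to every call keeps principal creation and the test invocations in step if it changes again. Dropping the old Makefile.in edit is the right direction: commenting out the `SRCS` entry removed the t_expire_warn.c build entirely instead of skipping the one test.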
@@ -1,4 +1,4 @@ -`liboauth2-FIPS-v1.4.5.4-wolfprov.patch` adds testing support for liboauth2 +`liboauth2-v1.4.5.4-wolfprov-fips.patch` adds testing support for liboauth2 `v1.4.5.4` with FIPS wolfprovider. To use this patch make sure to configure liboauth2 with `--enable-wolfprov-fips`. This will disable problematic tests in Docker/valgrind. diff --git a/wolfProvider/liboauth2/liboauth2-FIPS-v1.4.5.4-wolfprov.patch b/wolfProvider/liboauth2/liboauth2-v1.4.5.4-wolfprov-fips.patch similarity index 100% rename from wolfProvider/liboauth2/liboauth2-FIPS-v1.4.5.4-wolfprov.patch rename to wolfProvider/liboauth2/liboauth2-v1.4.5.4-wolfprov-fips.patch diff --git a/wolfProvider/libssh2/libssh2-libssh2-1.10.0-debian-wolfprov.patch b/wolfProvider/libssh2/libssh2-libssh2-1.10.0-debian-wolfprov.patch index dacdec19..a7fb2dfb 100644 --- a/wolfProvider/libssh2/libssh2-libssh2-1.10.0-debian-wolfprov.patch +++ b/wolfProvider/libssh2/libssh2-libssh2-1.10.0-debian-wolfprov.patch @@ -24,15 +24,27 @@ index dc9e108..03b90a1 100644 or public/private key. .SH SEE ALSO .BR libssh2_session_init_ex(3) +diff --git a/tests/mansyntax.sh b/tests/mansyntax.sh +index dd4aa77..c589431 100755 +--- a/tests/mansyntax.sh ++++ b/tests/mansyntax.sh +@@ -26,7 +26,7 @@ ln -sf "$mandir" "$dstdir/man3" + + for manpage in $mandir/libssh2_*.*; do + echo "$manpage" +- warnings=$(LANG=en_US.UTF-8 MANWIDTH=80 man -M "$dstdir" --warnings \ ++ warnings=$(LANG=C.UTF-8 MANWIDTH=80 man -M "$dstdir" --warnings \ + -E UTF-8 -l "$manpage" 2>&1 >/dev/null) + if [ -n "$warnings" ]; then + echo "$warnings" diff --git a/tests/ssh2.c b/tests/ssh2.c index f903e07..3105c15 100644 --- a/tests/ssh2.c +++ b/tests/ssh2.c -@@ -28,6 +28,8 @@ +@@ -28,6 +28,7 @@ #include #include #include -+#include +#include #include 
@@ -110,11 +122,11 @@ index 07795bb..657fb4b 100755
+# Create a 'user' account if it doesn't exist (for SSH authentication)
+if ! id "user" &>/dev/null; then
+ # Create user account without home directory and shell
-+ useradd -r -s /bin/false user 2>/dev/null || true
++ useradd -r -s /bin/false user 2>/dev/null || sudo useradd -r -s /bin/false user 2>/dev/null || true
+ # Unlock the account for SSH authentication
-+ passwd -u user 2>/dev/null || true
++ passwd -u user 2>/dev/null || sudo passwd -u user 2>/dev/null || true
+ # Alternative: set empty password to unlock
-+ passwd -d user 2>/dev/null || true
++ passwd -d user 2>/dev/null || sudo passwd -d user 2>/dev/null || true
+fi
+
+# Set the wrapper script to load the system ossl for sshd
@@ -146,16 +158,19 @@ new file mode 100755
index 0000000..5652e18
--- /dev/null
+++ b/tests/sshd-wrapper.sh
-@@ -0,0 +1,12 @@
+@@ -0,0 +1,15 @@
+#!/bin/sh
+# Sets a clean env for sshd(openssh) so we can use system ossl
++sshd_bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
++libdir=/usr/lib/$(uname -m)-linux-gnu
++[ -d "$libdir" ] || libdir=/usr/lib/x86_64-linux-gnu
+exec env -i \
+ PATH=/usr/sbin:/usr/bin:/bin \
+ LC_ALL=C LANG=C \
-+ LD_LIBRARY_PATH=/usr/lib/x86_64-linux-gnu \
++ LD_LIBRARY_PATH=$libdir \
+ OPENSSL_CONF= \
+ OPENSSL_MODULES= \
+ PKG_CONFIG_PATH= \
+ LDFLAGS= \
+ CPPFLAGS= \
-+ /usr/sbin/sshd "$@"
++ "$sshd_bin" "$@"
diff --git a/wolfProvider/net-snmp/net-snmp-FIPS-v5.9.3-wolfprov.patch b/wolfProvider/net-snmp/net-snmp-v5.9.3-wolfprov-fips.patch
similarity index 100%
rename from wolfProvider/net-snmp/net-snmp-FIPS-v5.9.3-wolfprov.patch
rename to wolfProvider/net-snmp/net-snmp-v5.9.3-wolfprov-fips.patch
diff --git a/wolfProvider/openpace/openpace-FIPS-1.1.3-wolfprov.patch b/wolfProvider/openpace/openpace-1.1.3-wolfprov-fips.patch
similarity index 100%
rename from wolfProvider/openpace/openpace-FIPS-1.1.3-wolfprov.patch
rename to wolfProvider/openpace/openpace-1.1.3-wolfprov-fips.patch
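Review bot: The new `sudo` fallbacks let `passwd -d user` succeed on hosts where the unprivileged attempt used to fail, and the trailing `|| true` on each line hides which path ran, so running the suite outside the CI container can leave a password-less `user` account on the machine. If the intent is only to clear the `!` lock that `useradd` without `-p` leaves in the shadow entry so key-based SSH logins work, `usermod -p '*' user 2>/dev/null || sudo usermod -p '*' user 2>/dev/null || true` should unlock the account without allowing password logins and can replace both the `passwd -u` and `passwd -d` lines. The `if ! id "user"` block is fully inside the hunk, but the script around it is not.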
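Review bot: `libdir=/usr/lib/$(uname -m)-linux-gnu` only matches the multiarch directory on x86_64 and aarch64; on i686, armv7l or ppc64le the kernel machine name differs from the triplet (`i386-linux-gnu`, `arm-linux-gnueabihf`, `powerpc64le-linux-gnu`), so the `[ -d "$libdir" ]` test fails and the wrapper silently falls back to the x86_64 path it was meant to replace. Asking the toolchain is more reliable, e.g. `triplet=$(dpkg-architecture -qDEB_HOST_MULTIARCH 2>/dev/null || gcc -print-multiarch 2>/dev/null)` and `libdir=/usr/lib/${triplet:-x86_64-linux-gnu}`. Note also that `command -v sshd` resolves under the caller's PATH, not the `PATH=/usr/sbin:/usr/bin:/bin` that `env -i` sets afterwards, so the binary found can differ from what the cleaned environment would pick.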
diff --git a/wolfProvider/opensc/README.md b/wolfProvider/opensc/README.md index dc9fa382..10a29cea 100644 --- a/wolfProvider/opensc/README.md +++ b/wolfProvider/opensc/README.md @@ -1,2 +1,2 @@ -`wolfProvider/opensc/opensc-0.25.1-wolfprovider.patch` adds wolfProvider support +`wolfProvider/opensc/opensc-0.25.1-wolfprov.patch` adds wolfProvider support for opensc version `0.25.1`. This patch disables SM4 and some tests with PKCS11SPY. diff --git a/wolfProvider/opensc/opensc-0.25.1-wolfprovider.patch b/wolfProvider/opensc/opensc-0.25.1-wolfprov.patch similarity index 100% rename from wolfProvider/opensc/opensc-0.25.1-wolfprovider.patch rename to wolfProvider/opensc/opensc-0.25.1-wolfprov.patch diff --git a/wolfProvider/openssh/openssh-V_9_6_P1-FIPS-wolfprov.patch b/wolfProvider/openssh/openssh-V_9_6_P1-wolfprov-fips.patch similarity index 100% rename from wolfProvider/openssh/openssh-V_9_6_P1-FIPS-wolfprov.patch rename to wolfProvider/openssh/openssh-V_9_6_P1-wolfprov-fips.patch diff --git a/wolfProvider/ppp/README.md b/wolfProvider/ppp/README.md index 69e01c1a..42d2fa8b 100644 --- a/wolfProvider/ppp/README.md +++ b/wolfProvider/ppp/README.md @@ -1,3 +1,3 @@ -`wolfProvider/ppp/ppp-FIPS-v2.5.2-wolfprov.patch` adds testing support for ppp +`wolfProvider/ppp/ppp-v2.5.2-wolfprov-fips.patch` adds testing support for ppp with FIPS wolfprovider. To use this patch make sure to configure ppp with `--enable-wolfprov-fips` flag. This will disable MD5 tests. diff --git a/wolfProvider/ppp/ppp-FIPS-v2.5.2-wolfprov.patch b/wolfProvider/ppp/ppp-v2.5.2-wolfprov-fips.patch similarity index 100% rename from wolfProvider/ppp/ppp-FIPS-v2.5.2-wolfprov.patch rename to wolfProvider/ppp/ppp-v2.5.2-wolfprov-fips.patch diff --git a/wolfProvider/python3-ntp/README.md b/wolfProvider/python3-ntp/README.md index b141b175..0963df4d 100644 --- a/wolfProvider/python3-ntp/README.md +++ b/wolfProvider/python3-ntp/README.md 
@@ -1,6 +1,6 @@ All patches disable tests that call openssl low level CMAC API that is not supported with the openssl provider model. -`python3-ntp-FIPS-NTPsec_1_2_2-wolfprov.patch` also disables a test that uses -non FIPS algorithms. Conicidentally `python3-ntp-master-wolfprov.patch` already +`python3-ntp-NTPsec_1_2_2-wolfprov-fips.patch` also disables a test that uses +non FIPS algorithms. Coincidentally `python3-ntp-master-wolfprov.patch` already disables this test for FIPS testing on master because it also contains the CMAC issue in that test. diff --git a/wolfProvider/python3-ntp/python3-ntp-FIPS-NTPsec_1_2_2-wolfprov.patch b/wolfProvider/python3-ntp/python3-ntp-NTPsec_1_2_2-wolfprov-fips.patch similarity index 100% rename from wolfProvider/python3-ntp/python3-ntp-FIPS-NTPsec_1_2_2-wolfprov.patch rename to wolfProvider/python3-ntp/python3-ntp-NTPsec_1_2_2-wolfprov-fips.patch diff --git a/wolfProvider/stunnel/stunnel-WPFF-5.67-wolfprov.patch b/wolfProvider/stunnel/stunnel-WPFF-5.67-wolfprov.patch index f7b67334..5423f333 100644 --- a/wolfProvider/stunnel/stunnel-WPFF-5.67-wolfprov.patch +++ b/wolfProvider/stunnel/stunnel-WPFF-5.67-wolfprov.patch @@ -1,5 +1,18 @@ +diff --git a/src/options.c b/src/options.c +index e1149a4..c8d6632 100644 +--- a/src/options.c ++++ b/src/options.c +@@ -38,7 +38,7 @@ + #include "prototypes.h" + + #if OPENSSL_VERSION_NUMBER >= 0x10101000L +-#define DEFAULT_CURVES "X25519:P-256:X448:P-521:P-384" ++#define DEFAULT_CURVES "P-256:P-384:P-521" + #else /* OpenSSL version < 1.1.1 */ + #define DEFAULT_CURVES "prime256v1" + #endif /* OpenSSL version >= 1.1.1 */ diff --git a/tests/certs/maketestcert.sh b/tests/certs/maketestcert.sh -index 3c4f8b5..23af9af 100755 +index 3c4f8b5..4f9a557 100755 --- a/tests/certs/maketestcert.sh +++ b/tests/certs/maketestcert.sh @@ -9,6 +9,13 @@ cd "${result_path}" 
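Review bot: The `DEFAULT_CURVES` change in options.c drops X25519 and X448 and reorders the NIST curves without a comment saying why, so a later reader cannot tell whether this is a wolfProvider limitation or an oversight. A line above the new `#define`, e.g. `/* wolfProvider: restrict the default group list to the NIST curves the provider offers */`, would capture the intent (I am inferring the reason from the FIPS context; confirm before wording it). The `#if OPENSSL_VERSION_NUMBER` block is fully visible in the hunk.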
@@ -16,6 +29,15 @@ index 3c4f8b5..23af9af 100755 # create new psk secrets gen_psk () { tr -c -d 'A-Za-z0-9' > "maketestcert.log" | head -c 50 > tmp/psk.txt +@@ -90,7 +97,7 @@ cat tmp/server_cert.pem >> tmp/PeerCerts.pem 2>> "maketestcert.log" + cat demoCA/server.key >> tmp/server_cert.pem 2>> "maketestcert.log" + + # create a PKCS#12 file with a server certificate +-$OPENSSL pkcs12 -export -certpbe pbeWithSHA1And3-KeyTripleDES-CBC -in tmp/server_cert.pem -out tmp/server_cert.p12 -passout pass: 1>&2 2>> "maketestcert.log" ++$OPENSSL pkcs12 -export -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg sha256 -in tmp/server_cert.pem -out tmp/server_cert.p12 -passout pass:fipspasswordhere 1>&2 2>> "maketestcert.log" + + # copy new files + if [ -s tmp/stunnel.pem ] && [ -s tmp/CACert.pem ] && [ -s tmp/CACertCRL.pem ] && \ @@ -113,3 +120,9 @@ rm -rf "tmp/" # restore settings 
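Review bot: The PKCS#12 export now protects `tmp/server_cert.p12` with `pass:fipspasswordhere` instead of an empty password, so whatever loads that file (stunnel test configs or plugins, not in this hunk) must supply the same password or the p12 tests fail; if that is handled later in the patch, a comment above the `$OPENSSL pkcs12` line naming where the password is consumed would make the coupling visible. The switch to `-certpbe AES-256-CBC -keypbe AES-256-CBC -macalg sha256` also deserves a word in the existing `# create a PKCS#12 file with a server certificate` comment, presumably that the SHA-1/3DES PBE defaults and an empty KDF password are not accepted under FIPS — confirm before wording it. The surrounding `maketestcert.sh` logic is outside this hunk.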
@@ -26,150 +48,3303 @@ index 3c4f8b5..23af9af 100755 + echo "WOLFPROV_FORCE_FAIL is set to 1 - Setting back to 1 to continue with tests" + export WOLFPROV_FORCE_FAIL=1 +fi +diff --git a/tests/plugins/p01_client_cert.py b/tests/plugins/p01_client_cert.py +index 2df2dab..4d17dcd 100644 +--- a/tests/plugins/p01_client_cert.py ++++ b/tests/plugins/p01_client_cert.py +@@ -19,53 +19,6 @@ class StunnelTest(StunnelAcceptConnect): + self.params.services = ['client'] + + +-class CertTest(StunnelTest): +- """ Checking if the cert option ensures a client certificate. +- The success is expected because the client presents a certificate. +- """ +- +- def __init__(self, cfg: Config, logger: logging.Logger): +- super().__init__(cfg, logger) +- self.params.description = '011. Test \"cert\" option' +- self.params.context = 'cert_required' +- self.events.failure = [ +- "peer did not return a certificate", +- "bad certificate", +- "certificate verify failed", +- "unsupported protocol", +- "TLS accepted: previous session reused", +- "Redirecting connection", +- "Connection reset by peer", +- "Connection lost", +- "Client received unexpected message", +- "Server received unexpected message", +- "Something went wrong", +- "INTERNAL ERROR" +- ] +- +- +- async def prepare_client_cfgfile( +- self, cfg: Config, ports: list, service: str +- ) -> (pathlib.Path, pathlib.Path): +- """Create a configuration file for a stunnel client.""" +- contents = f""" +- pid = {cfg.tempd}/stunnel_{service}.pid +- foreground = yes +- debug = debug +- syslog = no +- +- [{service}] +- client = yes +- accept = 127.0.0.1:0 +- connect = 127.0.0.1:{ports[0]} +- cert = {cfg.certdir}/client_cert.pem +- """ +- cfgfile = cfg.tempd / "stunnel_client.conf" +- cfgfile.write_text(contents, encoding="UTF-8") +- return cfgfile, os.devnull +- +- +- + class FailureCertTest(StunnelTest): + """ Checking if the cert option ensures a client certificate. + The failure is expected because the client does not present any certificate. 
+@@ -109,6 +62,7 @@ class FailureCertTest(StunnelTest): + [{service}] + client = yes + accept = 127.0.0.1:0 ++ sslVersionMax = TLSv1.2 + connect = 127.0.0.1:{ports[0]} + ;client does not present any certificate + ;cert = {cfg.certdir}/client_cert.pem +@@ -132,8 +86,5 @@ class StunnelClientTest(Plugin): + + async def perform_operation(self, cfg: Config, logger: logging.Logger) -> None: + """Run tests""" +- stunnel = CertTest(cfg, logger) +- await stunnel.test_stunnel(cfg) +- + stunnel = FailureCertTest(cfg, logger) + await stunnel.test_stunnel(cfg) +diff --git a/tests/plugins/p02_require_cert.py b/tests/plugins/p02_require_cert.py +index f174b6d..613fa6b 100644 +--- a/tests/plugins/p02_require_cert.py ++++ b/tests/plugins/p02_require_cert.py +@@ -56,55 +56,7 @@ class RequireCertTest(StunnelTest): + + [{service}] + accept = 127.0.0.1:0 +- connect = 127.0.0.1:{port} +- cert = {cfg.certdir}/server_cert.pem +- """ +- cfgfile = cfg.tempd / "stunnel_server.conf" +- cfgfile.write_text(contents, encoding="UTF-8") +- return cfgfile +- +- +-class FailureRequireCertTest(StunnelTest): +- """Checking if the requireCert option requires a client certificate. +- The failure is expected because the client does not present any certificate. +- """ +- +- def __init__(self, cfg: Config, logger: logging.Logger): +- super().__init__(cfg, logger) +- self.params.description = '022. 
Failure test \"requireCert\" option' +- self.events.count = 1 +- self.events.success = [ +- "peer did not return a certificate" +- ] +- self.events.failure = [ +- #"peer did not return a certificate", +- "bad certificate", +- "certificate verify failed", +- "unsupported protocol", +- "TLS accepted: previous session reused", +- "Redirecting connection", +- #"Connection reset by peer", +- #"Connection lost", +- #"Client received unexpected message", +- "Server received unexpected message", +- "Something went wrong", +- "INTERNAL ERROR" +- ] +- +- +- async def prepare_server_cfgfile( +- self, cfg: Config, port: int, service: str +- ) -> pathlib.Path: +- """Create a configuration file for a stunnel server.""" +- contents = f""" +- pid = {cfg.tempd}/stunnel_{service}.pid +- foreground = yes +- debug = debug +- syslog = no +- requireCert = yes +- +- [{service}] +- accept = 127.0.0.1:0 ++ sslVersionMax = TLSv1.2 + connect = 127.0.0.1:{port} + cert = {cfg.certdir}/server_cert.pem + """ +@@ -129,5 +81,3 @@ class StunnelServerTest(Plugin): + stunnel = RequireCertTest(cfg, logger) + await stunnel.test_stunnel(cfg) + +- stunnel = FailureRequireCertTest(cfg, logger) +- await stunnel.test_stunnel(cfg) +diff --git a/tests/plugins/p03_verify_peer.py b/tests/plugins/p03_verify_peer.py +index cedff93..aa723fe 100644 +--- a/tests/plugins/p03_verify_peer.py ++++ b/tests/plugins/p03_verify_peer.py +@@ -56,59 +56,7 @@ class VerifyPeer(StunnelTest): + + [{service}] + accept = 127.0.0.1:0 +- connect = 127.0.0.1:{port} +- cert = {cfg.certdir}/server_cert.pem +- verifyPeer = yes +- CAfile = {cfg.certdir}/PeerCerts.pem +- """ +- cfgfile = cfg.tempd / "stunnel_server.conf" +- cfgfile.write_text(contents, encoding="UTF-8") +- return cfgfile +- +- +-class FailureVerifyPeer(StunnelTest): +- """Checking if the verifyPeer option verifies the peer certificate. +- The valid peer certificate is stored in the file specified with CAfile. 
+- The failure is expected because the client presents an incorrect certificate. +- """ +- +- def __init__(self, cfg: Config, logger: logging.Logger): +- super().__init__(cfg, logger) +- self.params.description = '032. Failure test \"verifyPeer\" option' +- self.params.context = 'load_wrong_cert' +- self.events.count = 1 +- self.events.success = [ +- "certificate verify failed", +- "unknown CA" +- ] +- self.events.failure = [ +- "peer did not return a certificate", +- "bad certificate", +- #"certificate verify failed", +- "unsupported protocol", +- "TLS accepted: previous session reused", +- "Redirecting connection", +- #"Connection reset by peer", +- #"Connection lost", +- "Client received unexpected message", +- "Server received unexpected message", +- "Something went wrong", +- "INTERNAL ERROR" +- ] +- +- +- async def prepare_server_cfgfile( +- self, cfg: Config, port: int, service: str +- ) -> pathlib.Path: +- """Create a configuration file for a stunnel server.""" +- contents = f""" +- pid = {cfg.tempd}/stunnel_{service}.pid +- foreground = yes +- debug = debug +- syslog = no +- +- [{service}] +- accept = 127.0.0.1:0 ++ sslVersionMax = TLSv1.2 + connect = 127.0.0.1:{port} + cert = {cfg.certdir}/server_cert.pem + verifyPeer = yes +@@ -135,5 +83,3 @@ class StunnelServerTest(Plugin): + stunnel = VerifyPeer(cfg, logger) + await stunnel.test_stunnel(cfg) + +- stunnel = FailureVerifyPeer(cfg, logger) +- await stunnel.test_stunnel(cfg) +diff --git a/tests/plugins/p04_verify_chain.py b/tests/plugins/p04_verify_chain.py +index d6fb408..f3929c4 100644 +--- a/tests/plugins/p04_verify_chain.py ++++ b/tests/plugins/p04_verify_chain.py +@@ -56,59 +56,7 @@ class VerifyChain(StunnelTest): + + [{service}] + accept = 127.0.0.1:0 +- connect = 127.0.0.1:{port} +- cert = {cfg.certdir}/server_cert.pem +- verifyChain = yes +- CAfile = {cfg.certdir}/CACert.pem +- """ +- cfgfile = cfg.tempd / "stunnel_server.conf" +- cfgfile.write_text(contents, encoding="UTF-8") +- return cfgfile +- 
+- +-class FailureVerifyChain(StunnelTest): +- """Checking if the verifyChain option verifies the peer certificate starting from the root CA. +- The self-signed root CA certificate is stored in the file specified with CAfile. +- The failure is expected because python client presents an incorrect certificate. +- """ +- +- def __init__(self, cfg: Config, logger: logging.Logger): +- super().__init__(cfg, logger) +- self.params.description = '042. Failure test \"verifyChain\" option' +- self.params.context = 'load_wrong_cert' +- self.events.count = 1 +- self.events.success = [ +- "certificate verify failed", +- "unknown CA" +- ] +- self.events.failure = [ +- "peer did not return a certificate", +- "bad certificate", +- #"certificate verify failed", +- "unsupported protocol", +- "TLS accepted: previous session reused", +- "Redirecting connection", +- #"Connection reset by peer", +- #"Connection lost", +- "Client received unexpected message", +- "Server received unexpected message", +- "Something went wrong", +- "INTERNAL ERROR" +- ] +- +- +- async def prepare_server_cfgfile( +- self, cfg: Config, port: int, service: str +- ) -> pathlib.Path: +- """Create a configuration file for a stunnel server.""" +- contents = f""" +- pid = {cfg.tempd}/stunnel_{service}.pid +- foreground = yes +- debug = debug +- syslog = no +- +- [{service}] +- accept = 127.0.0.1:0 ++ sslVersionMax = TLSv1.2 + connect = 127.0.0.1:{port} + cert = {cfg.certdir}/server_cert.pem + verifyChain = yes +@@ -135,5 +83,3 @@ class StunnelServerTest(Plugin): + stunnel = VerifyChain(cfg, logger) + await stunnel.test_stunnel(cfg) + +- stunnel = FailureVerifyChain(cfg, logger) +- await stunnel.test_stunnel(cfg) +diff --git a/tests/plugins/p05_verify_crl.py b/tests/plugins/p05_verify_crl.py +index b5a9eae..c363134 100644 +--- a/tests/plugins/p05_verify_crl.py ++++ b/tests/plugins/p05_verify_crl.py +@@ -58,62 +58,7 @@ class VerifyCRL(StunnelTest): + + [{service}] + accept = 127.0.0.1:0 +- connect = 127.0.0.1:{port} 
+- cert = {cfg.certdir}/server_cert.pem +- verifyChain = yes +- CAfile = {cfg.certdir}/CACert.pem +- CRLfile = {cfg.certdir}/CACertCRL.pem +- """ +- cfgfile = cfg.tempd / "stunnel_server.conf" +- cfgfile.write_text(contents, encoding="UTF-8") +- return cfgfile +- +- +-class FailureVerifyCRL(StunnelTest): +- """Checking if the CRL is verified. +- The verifyChain option verifies the peer certificate starting from the root CA. +- The self-signed root CA certificate is stored in the file specified with CAfile. +- Certificate Revocation Lists file is stored in the file specified with CRLfile. +- The failure is expected because the python client presents the revoked certificate. +- """ +- +- def __init__(self, cfg: Config, logger: logging.Logger): +- super().__init__(cfg, logger) +- self.params.description = '052. CRL file with revoked certificate' +- self.params.context = 'load_revoked_cert' +- self.events.count = 1 +- self.events.success = [ +- "certificate verify failed", +- "certificate revoked" +- ] +- self.events.failure = [ +- "peer did not return a certificate", +- "bad certificate", +- #"certificate verify failed", +- "unsupported protocol", +- "TLS accepted: previous session reused", +- "Redirecting connection", +- #"Connection reset by peer", +- #"Connection lost", +- "Client received unexpected message", +- "Server received unexpected message", +- "Something went wrong", +- "INTERNAL ERROR" +- ] +- +- +- async def prepare_server_cfgfile( +- self, cfg: Config, port: int, service: str +- ) -> pathlib.Path: +- """Create a configuration file for a stunnel server.""" +- contents = f""" +- pid = {cfg.tempd}/stunnel_{service}.pid +- foreground = yes +- debug = debug +- syslog = no +- +- [{service}] +- accept = 127.0.0.1:0 ++ sslVersionMax = TLSv1.2 + connect = 127.0.0.1:{port} + cert = {cfg.certdir}/server_cert.pem + verifyChain = yes +@@ -141,5 +86,3 @@ class StunnelServerTest(Plugin): + stunnel = VerifyCRL(cfg, logger) + await stunnel.test_stunnel(cfg) + +- 
stunnel = FailureVerifyCRL(cfg, logger) +- await stunnel.test_stunnel(cfg) +diff --git a/tests/plugins/p06_psk_secrets.py b/tests/plugins/p06_psk_secrets.py +index 21871cc..00ea9f7 100644 +--- a/tests/plugins/p06_psk_secrets.py ++++ b/tests/plugins/p06_psk_secrets.py +@@ -56,6 +56,7 @@ class PSKSecrets(StunnelTest): + [{service}] + client = yes + accept = 127.0.0.1:0 ++ sslVersionMax = TLSv1.2 + connect = 127.0.0.1:{ports[1]} + PSKsecrets = {cfg.certdir}/psk1.txt + """ +@@ -77,6 +78,7 @@ class PSKSecrets(StunnelTest): + + [{service}] + accept = 127.0.0.1:0 ++ sslVersionMax = TLSv1.2 + connect = 127.0.0.1:{port} + PSKsecrets = {cfg.certdir}/secrets.txt + """ +@@ -128,6 +130,7 @@ class FailurePSKSecrets(StunnelTest): + [{service}] + client = yes + accept = 127.0.0.1:0 ++ sslVersionMax = TLSv1.2 + connect = 127.0.0.1:{ports[1]} + PSKsecrets = {cfg.certdir}/psk2.txt + """ +@@ -149,6 +152,7 @@ class FailurePSKSecrets(StunnelTest): + + [{service}] + accept = 127.0.0.1:0 ++ sslVersionMax = TLSv1.2 + connect = 127.0.0.1:{port} + PSKsecrets = {cfg.certdir}/secrets.txt + """ +diff --git a/tests/plugins/p07_p12cert.py b/tests/plugins/p07_p12cert.py +deleted file mode 100644 +index 662aefc..0000000 +--- a/tests/plugins/p07_p12cert.py ++++ /dev/null +@@ -1,81 +0,0 @@ +-"""stunnel server tests""" +- +-import logging +-import pathlib +-from plugin_collection import Plugin +-from maketest import ( +- Config, +- StunnelAcceptConnect +-) +- +- +-class StunnelTest(StunnelAcceptConnect): +- """Base class for stunnel server tests.""" +- +- def __init__(self, cfg: Config, logger: logging.Logger): +- super().__init__(cfg, logger) +- self.params.ssl_client = True +- self.params.services = ['server'] +- +- +-class Certp12Test(StunnelTest): +- """Checking if the file containing certificates used by stunnel to authenticate +- itself against the remote client may be in the P12 format. +- The success is expected because the server presents the valid certificate in the P12 format. 
+- """ +- +- def __init__(self, cfg: Config, logger: logging.Logger): +- super().__init__(cfg, logger) +- self.params.description = '071. Test PKCS#12 certificate' +- self.params.context = 'load_verify_locations"' +- self.events.failure = [ +- "peer did not return a certificate", +- "bad certificate", +- "certificate verify failed", +- "unsupported protocol", +- "TLS accepted: previous session reused", +- "Redirecting connection", +- "Connection reset by peer", +- "Connection lost", +- "Client received unexpected message", +- "Server received unexpected message", +- "Something went wrong", +- "INTERNAL ERROR" +- ] +- +- +- async def prepare_server_cfgfile( +- self, cfg: Config, port: int, service: str +- ) -> pathlib.Path: +- """Create a configuration file for a stunnel server.""" +- contents = f""" +- pid = {cfg.tempd}/stunnel_{service}.pid +- foreground = yes +- debug = debug +- syslog = no +- +- [{service}] +- accept = 127.0.0.1:0 +- connect = 127.0.0.1:{port} +- cert = {cfg.certdir}/server_cert.p12 +- """ +- cfgfile = cfg.tempd / "stunnel_server.conf" +- cfgfile.write_text(contents, encoding="UTF-8") +- return cfgfile +- +- +-class StunnelServerTest(Plugin): +- """Stunnel server tests: +- HTTPS client --> stunnel server --> HTTP server +- """ +- # pylint: disable=too-few-public-methods +- +- def __init__(self): +- super().__init__() +- self.description = 'Existing PKCS#12 certificate' +- +- +- async def perform_operation(self, cfg: Config, logger: logging.Logger) -> None: +- """Run tests""" +- stunnel = Certp12Test(cfg, logger) +- await stunnel.test_stunnel(cfg) +diff --git a/tests/plugins/p08_ipv6.py b/tests/plugins/p08_ipv6.py +deleted file mode 100644 +index 2483a54..0000000 +--- a/tests/plugins/p08_ipv6.py ++++ /dev/null +@@ -1,98 +0,0 @@ +-"""stunnel client-server tests""" +- +-import logging +-import os +-import pathlib +-from plugin_collection import Plugin +-from maketest import ( +- Config, +- StunnelAcceptConnect +-) +- +- +-class 
StunnelTest(StunnelAcceptConnect): +- """Base class for stunnel client-server tests.""" +- +- def __init__(self, cfg: Config, logger: logging.Logger): +- super().__init__(cfg, logger) +- self.params.services = ['server', 'client'] +- +- +-class IPv6Test(StunnelTest): +- """ Checking if IPv6 is supported. +- """ +- +- def __init__(self, cfg: Config, logger: logging.Logger): +- super().__init__(cfg, logger) +- self.params.description = '081. Test IPv6 support' +- self.events.failure = [ +- "peer did not return a certificate", +- "bad certificate", +- "certificate verify failed", +- "unsupported protocol", +- "TLS accepted: previous session reused", +- "Redirecting connection", +- "Connection reset by peer", +- "Connection lost", +- "Client received unexpected message", +- "Server received unexpected message", +- "Something went wrong", +- "INTERNAL ERROR" +- ] +- +- +- async def prepare_client_cfgfile( +- self, cfg: Config, ports: list, service: str +- ) -> (pathlib.Path, pathlib.Path): +- """Create a configuration file for a stunnel client.""" +- contents = f""" +- pid = {cfg.tempd}/stunnel_{service}.pid +- foreground = yes +- debug = debug +- syslog = no +- +- [{service}] +- client = yes +- accept = 127.0.0.1:0 +- connect = ::1:{ports[1]} +- """ +- cfgfile = cfg.tempd / "stunnel_client.conf" +- cfgfile.write_text(contents, encoding="UTF-8") +- return cfgfile, os.devnull +- +- +- async def prepare_server_cfgfile( +- self, cfg: Config, port: int, service: str +- ) -> pathlib.Path: +- """Create a configuration file for a stunnel server.""" +- contents = f""" +- pid = {cfg.tempd}/stunnel_{service}.pid +- foreground = yes +- debug = debug +- syslog = no +- +- [{service}] +- accept = ::1:0 +- connect = 127.0.0.1:{port} +- cert = {cfg.certdir}/server_cert.pem +- """ +- cfgfile = cfg.tempd / "stunnel_server.conf" +- cfgfile.write_text(contents, encoding="UTF-8") +- return cfgfile +- +- +-class StunnelClientTest(Plugin): +- """Stunnel client-server tests +- HTTP client --> 
stunnel client --> stunnel server --> HTTP server +- """ +- # pylint: disable=too-few-public-methods +- +- def __init__(self): +- super().__init__() +- self.description = 'IPv6 support' +- +- +- async def perform_operation(self, cfg: Config, logger: logging.Logger) -> None: +- """Run tests""" +- stunnel = IPv6Test(cfg, logger) +- await stunnel.test_stunnel(cfg) +diff --git a/tests/plugins/p09_bind.py b/tests/plugins/p09_bind.py +index bf44b74..0bcf035 100644 +--- a/tests/plugins/p09_bind.py ++++ b/tests/plugins/p09_bind.py +@@ -55,8 +55,11 @@ class BindingTest(StunnelTest): + + [{service}] + accept = 127.0.0.1:{port} ++ sslVersionMax = TLSv1.2 + accept = 127.0.0.1:0 ++ sslVersionMax = TLSv1.2 + accept = 127.0.0.1:{port} ++ sslVersionMax = TLSv1.2 + connect = 127.0.0.1:{port} + cert = {cfg.certdir}/server_cert.pem + """ +diff --git a/tests/plugins/p10_fips.py b/tests/plugins/p10_fips.py +deleted file mode 100644 +index 5d2bc56..0000000 +--- a/tests/plugins/p10_fips.py ++++ /dev/null +@@ -1,108 +0,0 @@ +-"""stunnel client-server tests""" +- +-import logging +-import os +-import pathlib +-from plugin_collection import Plugin +-from maketest import ( +- Config, +- StunnelAcceptConnect +-) +- +- +-class StunnelTest(StunnelAcceptConnect): +- """Base class for stunnel client-server tests.""" +- +- def __init__(self, cfg: Config, logger: logging.Logger): +- super().__init__(cfg, logger) +- self.params.services = ['server', 'client'] +- +- +-class FIPSTest(StunnelTest): +- """ Checking FIPS mode. +- The success is expected. +- """ +- +- def __init__(self, cfg: Config, logger: logging.Logger): +- super().__init__(cfg, logger) +- self.params.description = '101. 
Test FIPS mode' +- self.events.skip = [ +- "FIPS provider not available", +- "fips mode not supported", +- r"FIPS PROVIDER.*could not load the shared library" +- ] +- self.events.failure = [ +- "peer did not return a certificate", +- "bad certificate", +- "certificate verify failed", +- "unsupported protocol", +- "TLS accepted: previous session reused", +- "Redirecting connection", +- "Connection reset by peer", +- "Connection lost", +- "Client received unexpected message", +- "Server received unexpected message", +- "Something went wrong", +- "INTERNAL ERROR" +- ] +- +- +- async def prepare_client_cfgfile( +- self, cfg: Config, ports: list, service: str +- ) -> (pathlib.Path, pathlib.Path): +- """Create a configuration file for a stunnel client.""" +- contents = f""" +- pid = {cfg.tempd}/stunnel_{service}.pid +- foreground = yes +- debug = debug +- syslog = no +- +- fips = yes +- +- [{service}] +- client = yes +- accept = 127.0.0.1:0 +- connect = 127.0.0.1:{ports[1]} +- """ +- cfgfile = cfg.tempd / "stunnel_client.conf" +- cfgfile.write_text(contents, encoding="UTF-8") +- return cfgfile, os.devnull +- +- +- async def prepare_server_cfgfile( +- self, cfg: Config, port: int, service: str +- ) -> pathlib.Path: +- """Create a configuration file for a stunnel server.""" +- contents = f""" +- pid = {cfg.tempd}/stunnel_{service}.pid +- foreground = yes +- debug = debug +- syslog = no +- +- fips = yes +- +- [{service}] +- accept = 127.0.0.1:0 +- connect = 127.0.0.1:{port} +- cert = {cfg.certdir}/server_cert.pem +- """ +- cfgfile = cfg.tempd / "stunnel_server.conf" +- cfgfile.write_text(contents, encoding="UTF-8") +- return cfgfile +- +- +-class StunnelClientServerTest(Plugin): +- """Stunnel client-server tests +- HTTP client --> stunnel client --> stunnel server --> HTTP server +- """ +- # pylint: disable=too-few-public-methods +- +- def __init__(self): +- super().__init__() +- self.description = 'FIPS mode' +- +- +- async def perform_operation(self, cfg: Config, logger: 
logging.Logger) -> None: +- """Run tests""" +- stunnel = FIPSTest(cfg, logger) +- await stunnel.test_stunnel(cfg) +diff --git a/tests/plugins/p11_fips_cipher.py b/tests/plugins/p11_fips_cipher.py +deleted file mode 100644 +index 0280a1d..0000000 +--- a/tests/plugins/p11_fips_cipher.py ++++ /dev/null +@@ -1,216 +0,0 @@ +-"""stunnel server tests""" +- +-import logging +-import pathlib +-from plugin_collection import Plugin +-from maketest import ( +- Config, +- ExpectedConfigurationFailure +-) +- +- +-class StunnelTest(ExpectedConfigurationFailure): +- """Base class for stunnel server tests.""" +- +- def __init__(self, cfg: Config, logger: logging.Logger): +- super().__init__(cfg, logger) +- self.params.ssl_client = True +- self.params.services = ['server'] +- +- +-class FailureCipherFIPS(StunnelTest): +- """Checking FIPS mode. +- The cipher "CAMELLIA256-SHA" (TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA256) +- is unavailable if FIPS is enabled. +- """ +- +- def __init__(self, cfg: Config, logger: logging.Logger): +- super().__init__(cfg, logger) +- self.params.description = '111. 
Failure FIPS mode with unavailable cipher' +- self.events.skip = [ +- "FIPS provider not available", +- "fips mode not supported", +- r"FIPS PROVIDER.*could not load the shared library" +- ] +- self.events.count = 1 +- self.events.success = [ +- "no cipher match" +- ] +- self.events.failure = [ +- "peer did not return a certificate", +- "bad certificate", +- "certificate verify failed", +- "unsupported protocol", +- "TLS accepted: previous session reused", +- "Redirecting connection", +- "Connection reset by peer", +- "Connection lost", +- "Client received unexpected message", +- "Server received unexpected message", +- #"Something went wrong: stunnel 'server' failed", +- "INTERNAL ERROR" +- ] +- +- +- async def prepare_server_cfgfile( +- self, cfg: Config, port: int, service: str +- ) -> pathlib.Path: +- """Create a configuration file for a stunnel server.""" +- contents = f""" +- pid = {cfg.tempd}/stunnel_{service}.pid +- foreground = yes +- debug = debug +- syslog = no +- +- fips = yes +- ciphers = CAMELLIA256-SHA +- +- [{service}] +- accept = 127.0.0.1:0 +- connect = 127.0.0.1:{port} +- cert = {cfg.certdir}/server_cert.pem +- """ +- cfgfile = cfg.tempd / "stunnel_server.conf" +- cfgfile.write_text(contents, encoding="UTF-8") +- return cfgfile +- +- +-class FailureCiphersuitesFIPS(StunnelTest): +- """Checking FIPS mode. +- The ciphersuite "TLS_CHACHA20_POLY1305_SHA256" is unavailable if FIPS is enabled. +- This option requires OpenSSL 1.1.1 or later. +- """ +- +- def __init__(self, cfg: Config, logger: logging.Logger): +- super().__init__(cfg, logger) +- self.params.description = '112. 
Failure FIPS mode with unavailable ciphersuite' +- self.events.skip = [ +- "FIPS provider not available", +- "fips mode not supported", +- r"FIPS PROVIDER.*could not load the shared library", +- "Specified option name is not valid here" +- ] +- self.events.count = 1 +- self.events.success = [ +- "disabled for FIPS", +- "no ciphers available" +- ] +- self.events.failure = [ +- "peer did not return a certificate", +- "bad certificate", +- "certificate verify failed", +- "unsupported protocol", +- "TLS accepted: previous session reused", +- "Redirecting connection", +- "Connection reset by peer", +- "Connection lost", +- "Client received unexpected message", +- "Server received unexpected message", +- "Something went wrong", +- "INTERNAL ERROR" +- ] +- +- +- async def prepare_server_cfgfile( +- self, cfg: Config, port: int, service: str +- ) -> pathlib.Path: +- """Create a configuration file for a stunnel server.""" +- contents = f""" +- pid = {cfg.tempd}/stunnel_{service}.pid +- foreground = yes +- debug = debug +- syslog = no +- +- fips = yes +- ciphersuites = TLS_CHACHA20_POLY1305_SHA256 +- +- [{service}] +- accept = 127.0.0.1:0 +- connect = 127.0.0.1:{port} +- cert = {cfg.certdir}/server_cert.pem +- """ +- cfgfile = cfg.tempd / "stunnel_server.conf" +- cfgfile.write_text(contents, encoding="UTF-8") +- return cfgfile +- +- +- +- +-class FailureEllipticCurveFIPS(StunnelTest): +- """ Checking FIPS mode. +- The elliptic curve "sect163r1" is unavailable if FIPS is enabled. +- """ +- +- def __init__(self, cfg: Config, logger: logging.Logger): +- super().__init__(cfg, logger) +- self.params.description = '113. 
Failure FIPS mode with unavailable elliptic curve' +- self.events.skip = [ +- "FIPS provider not available", +- "fips mode not supported", +- r"FIPS PROVIDER.*could not load the shared library" +- ] +- self.events.count = 1 +- self.events.success = [ +- "no suitable key share", +- "Invalid groups list in 'curves'" +- ] +- self.events.failure = [ +- "peer did not return a certificate", +- "bad certificate", +- "certificate verify failed", +- "unsupported protocol", +- "TLS accepted: previous session reused", +- "Redirecting connection", +- "Connection reset by peer", +- "Connection lost", +- "Client received unexpected message", +- "Server received unexpected message", +- "Something went wrong", +- "INTERNAL ERROR" +- ] +- +- +- async def prepare_server_cfgfile( +- self, cfg: Config, port: int, service: str +- ) -> pathlib.Path: +- """Create a configuration file for a stunnel server.""" +- contents = f""" +- pid = {cfg.tempd}/stunnel_{service}.pid +- foreground = yes +- debug = debug +- syslog = no +- +- fips = yes +- curves = sect163r1 +- +- [{service}] +- accept = 127.0.0.1:0 +- connect = 127.0.0.1:{port} +- cert = {cfg.certdir}/server_cert.pem +- """ +- cfgfile = cfg.tempd / "stunnel_server.conf" +- cfgfile.write_text(contents, encoding="UTF-8") +- return cfgfile +- +- +-class StunnelServerTest(Plugin): +- """Stunnel server tests: +- HTTPS client --> stunnel server --> HTTP server +- """ +- # pylint: disable=too-few-public-methods +- +- def __init__(self): +- super().__init__() +- self.description = 'FIPS mode cipher' +- +- +- async def perform_operation(self, cfg: Config, logger: logging.Logger) -> None: +- """Run tests""" +- stunnel = FailureCipherFIPS(cfg, logger) +- await stunnel.test_stunnel(cfg) +- +- stunnel = FailureCiphersuitesFIPS(cfg, logger) +- await stunnel.test_stunnel(cfg) +- +- stunnel = FailureEllipticCurveFIPS(cfg, logger) +- await stunnel.test_stunnel(cfg) +diff --git a/tests/plugins/p12_sni.py b/tests/plugins/p12_sni.py +deleted file mode 
100644 +index 95c5a63..0000000 +--- a/tests/plugins/p12_sni.py ++++ /dev/null +@@ -1,196 +0,0 @@ +-"""stunnel client-server tests""" +- +-import logging +-import os +-import pathlib +-from plugin_collection import Plugin +-from maketest import ( +- Config, +- StunnelAcceptConnect +-) +- +- +-class StunnelTest(StunnelAcceptConnect): +- """Base class for stunnel client-server tests.""" +- +- def __init__(self, cfg: Config, logger: logging.Logger): +- super().__init__(cfg, logger) +- self.params.services = ['server_virtual', 'client'] +- +- +-class SNITest(StunnelTest): +- """Use the service as a secondary service (a name-based virtual server) +- for Server Name Indication TLS extension. +- SERVICE_NAME (server_virtual) specifies the primary service that +- accepts client connections with the accept option. +- SERVER_NAME_PATTERN (*.mydomain.com) specifies the host name to be redirected. +- The success is expected because the client presents the sni pattern (sni.mydomain.com) +- corresponding with SERVER_NAME_PATTERN (*.mydomain.com). +- """ +- +- def __init__(self, cfg: Config, logger: logging.Logger): +- super().__init__(cfg, logger) +- self.params.description = '121. 
Test \"sni\" option'
+- self.events.failure = [
+- "peer did not return a certificate",
+- "bad certificate",
+- "certificate verify failed",
+- "unsupported protocol",
+- "TLS accepted: previous session reused",
+- "Redirecting connection",
+- "Connection reset by peer",
+- "Connection lost",
+- "Client received unexpected message",
+- "Server received unexpected message",
+- "Something went wrong",
+- "INTERNAL ERROR"
+- ]
+-
+-
+- async def prepare_client_cfgfile(
+- self, cfg: Config, ports: list, service: str
+- ) -> (pathlib.Path, pathlib.Path):
+- """Create a configuration file for a stunnel client."""
+- contents = f"""
+- pid = {cfg.tempd}/stunnel_{service}.pid
+- foreground = yes
+- debug = debug
+- syslog = no
+-
+- [{service}]
+- client = yes
+- accept = 127.0.0.1:0
+- connect = 127.0.0.1:{ports[1]}
+- sni = sni.mydomain.com
+- cert = {cfg.certdir}/client_cert.pem
+- """
+- cfgfile = cfg.tempd / "stunnel_client.conf"
+- cfgfile.write_text(contents, encoding="UTF-8")
+- return cfgfile, os.devnull
+-
+-
+- async def prepare_server_cfgfile(
+- self, cfg: Config, port: int, service: str
+- ) -> pathlib.Path:
+- """Create a configuration file for a stunnel server."""
+- contents = f"""
+- pid = {cfg.tempd}/stunnel_{service}.pid
+- foreground = yes
+- debug = debug
+- syslog = no
+-
+- [{service}]
+- accept = 127.0.0.1:0
+- cert = {cfg.certdir}/server_cert.pem
+- exec = {cfg.pythondir}
+- execArgs = python3 {cfg.scriptdir}/error.py
+-
+- [sni]
+- connect = 127.0.0.1:{port}
+- sni = server_virtual:*.mydomain.com
+- cert = {cfg.certdir}/server_cert.pem
+- verifyPeer = yes
+- CAfile = {cfg.certdir}/PeerCerts.pem
+- """
+- cfgfile = cfg.tempd / "stunnel_server.conf"
+- cfgfile.write_text(contents, encoding="UTF-8")
+- return cfgfile
+-
+-
+-class FailureSNITest(StunnelTest):
+- """Use the service as a secondary service (a name-based virtual server)
+- for Server Name Indication TLS extension.
+- SERVICE_NAME (server_virtual) specifies the primary service that
+- accepts client connections with the accept option.
+- SERVER_NAME_PATTERN sni.mydomain.com) specifies the host name to be redirected.
+- The success is expected because the client doesn't present any sni pattern.
+- """
+-
+- def __init__(self, cfg: Config, logger: logging.Logger):
+- super().__init__(cfg, logger)
+- self.params.description = '122. Failure test \"sni\" option'
+- self.events.failure = [
+- "peer did not return a certificate",
+- "bad certificate",
+- "certificate verify failed",
+- "unsupported protocol",
+- "TLS accepted: previous session reused",
+- "Redirecting connection",
+- "Connection reset by peer",
+- "Connection lost",
+- "Client received unexpected message",
+- "Server received unexpected message",
+- "Something went wrong",
+- "INTERNAL ERROR"
+- ]
+-
+-
+- async def prepare_client_cfgfile(
+- self, cfg: Config, ports: list, service: str
+- ) -> (pathlib.Path, pathlib.Path):
+- """Create a configuration file for a stunnel client."""
+- contents = f"""
+- pid = {cfg.tempd}/stunnel_{service}.pid
+- foreground = yes
+- debug = debug
+- syslog = no
+-
+- [{service}]
+- client = yes
+- accept = 127.0.0.1:0
+- connect = 127.0.0.1:{ports[1]}
+- ;the client doesn't present any sni pattern
+- ;sni = sni.mydomain.com
+- cert = {cfg.certdir}/client_cert.pem
+- """
+- cfgfile = cfg.tempd / "stunnel_client.conf"
+- cfgfile.write_text(contents, encoding="UTF-8")
+- return cfgfile, os.devnull
+-
+-
+- async def prepare_server_cfgfile(
+- self, cfg: Config, port: int, service: str
+- ) -> pathlib.Path:
+- """Create a configuration file for a stunnel server."""
+- contents = f"""
+- pid = {cfg.tempd}/stunnel_{service}.pid
+- foreground = yes
+- debug = debug
+- syslog = no
+-
+- [{service}]
+- accept = 127.0.0.1:0
+- connect = 127.0.0.1:{port}
+- cert = {cfg.certdir}/server_cert.pem
+- verifyPeer = yes
+- CAfile = {cfg.certdir}/PeerCerts.pem
+-
+- [sni]
+- sni = server_virtual:*.mydomain.com
+- cert = {cfg.certdir}/server_cert.pem
+- exec = {cfg.pythondir}
+- execArgs = python3 {cfg.scriptdir}/error.py
+- """
+- cfgfile = cfg.tempd / "stunnel_server.conf"
+- cfgfile.write_text(contents, encoding="UTF-8")
+- return cfgfile
+-
+-
+-class StunnelClientServerTest(Plugin):
+- """Stunnel client-server tests
+- HTTP client --> stunnel client --> stunnel server --> HTTP server
+- """
+- # pylint: disable=too-few-public-methods
+-
+- def __init__(self):
+- super().__init__()
+- self.description = 'Server Name Indication'
+-
+-
+- async def perform_operation(self, cfg: Config, logger: logging.Logger) -> None:
+- """Run tests"""
+- stunnel = SNITest(cfg, logger)
+- await stunnel.test_stunnel(cfg)
+-
+- stunnel = FailureSNITest(cfg, logger)
+- await stunnel.test_stunnel(cfg)
+diff --git a/tests/plugins/p13_resume.py b/tests/plugins/p13_resume.py
+deleted file mode 100644
+index 7645525..0000000
+--- a/tests/plugins/p13_resume.py
++++ /dev/null
+@@ -1,351 +0,0 @@
+-"""stunnel client-server tests"""
+-
+-import logging
+-import os
+-import pathlib
+-from plugin_collection import Plugin
+-from maketest import (
+- Config,
+- StunnelAcceptConnect
+-)
+-
+-
+-class StunnelTest(StunnelAcceptConnect):
+- """Base class for stunnel client-server tests."""
+-
+- def __init__(self, cfg: Config, logger: logging.Logger):
+- super().__init__(cfg, logger)
+- self.params.services = ['server', 'client']
+- self.params.conn_num = 3
+-
+-
+-class ResumePSK(StunnelTest):
+- """Checking if the PSK authentication works properly when the session is resumed.
+- We expect exactly 2 "TLS accepted: previous session reused" to be logged
+- by the [server] service because the client presents the valid PSK.
+- PSK identities and corresponding keys are stored in files specified with PSKsecrets.
+- This resumption of the session does not work for the FORK threading model.
+- """
+-
+- def __init__(self, cfg: Config, logger: logging.Logger):
+- super().__init__(cfg, logger)
+- self.params.description = '131. Resume session with PSK authentication'
+- self.events.skip = [
+- "FORK"
+- ]
+- self.events.count = 2
+- self.events.success = [
+- "TLS accepted: previous session reused"
+- ]
+- self.events.failure = [
+- "peer did not return a certificate",
+- "bad certificate",
+- "certificate verify failed",
+- "unsupported protocol",
+- #"TLS accepted: previous session reused",
+- "Redirecting connection",
+- "Connection reset by peer",
+- "Connection lost",
+- "Client received unexpected message",
+- "Server received unexpected message",
+- "Something went wrong",
+- "INTERNAL ERROR"
+- ]
+-
+-
+- async def prepare_client_cfgfile(
+- self, cfg: Config, ports: list, service: str
+- ) -> (pathlib.Path, pathlib.Path):
+- """Create a configuration file for a stunnel client."""
+- contents = f"""
+- pid = {cfg.tempd}/stunnel_{service}.pid
+- foreground = yes
+- debug = debug
+- syslog = no
+-
+- [{service}]
+- client = yes
+- accept = 127.0.0.1:0
+- connect = 127.0.0.1:{ports[1]}
+- PSKsecrets = {cfg.certdir}/psk1.txt
+- """
+- cfgfile = cfg.tempd / "stunnel_client.conf"
+- cfgfile.write_text(contents, encoding="UTF-8")
+- return cfgfile, os.devnull
+-
+-
+- async def prepare_server_cfgfile(
+- self, cfg: Config, port: int, service: str
+- ) -> pathlib.Path:
+- """Create a configuration file for a stunnel server."""
+- contents = f"""
+- pid = {cfg.tempd}/stunnel_{service}.pid
+- foreground = yes
+- debug = debug
+- syslog = no
+-
+- [{service}]
+- accept = 127.0.0.1:0
+- connect = 127.0.0.1:{port}
+- PSKsecrets = {cfg.certdir}/secrets.txt
+- """
+- cfgfile = cfg.tempd / "stunnel_server.conf"
+- cfgfile.write_text(contents, encoding="UTF-8")
+- return cfgfile
+-
+-
+-class ResumeCacheTLSv12(StunnelTest):
+- """Checking the cache session resumption.
+- We expect exactly 2 "TLS accepted: previous session reused" to be
+- logged by the [server] service.
+- "options = NO_TICKET" turns off ticket support in TLSv1.2 and older.
+- In TLSv1.3, "options = NO_TICKET" switches from using stateful tickets to
+- stateless tickets (traditional cache with session id sent in tickets).
+- https://github.com/openssl/openssl/issues/10280
+- Session cache resumption does not work with the FORK threading model.
+- """
+-
+- def __init__(self, cfg: Config, logger: logging.Logger):
+- super().__init__(cfg, logger)
+- self.params.description = '132. Cache session resumption with TLSv1.2'
+- self.events.skip = [
+- "FORK"
+- ]
+- self.events.count = 2
+- self.events.success = [
+- "TLS accepted: previous session reused"
+- ]
+- self.events.failure = [
+- "peer did not return a certificate",
+- "bad certificate",
+- "certificate verify failed",
+- "unsupported protocol",
+- #"TLS accepted: previous session reused",
+- "Redirecting connection",
+- "Connection reset by peer",
+- "Connection lost",
+- "Client received unexpected message",
+- "Server received unexpected message",
+- "Something went wrong",
+- "INTERNAL ERROR"
+- ]
+-
+-
+- async def prepare_client_cfgfile(
+- self, cfg: Config, ports: list, service: str
+- ) -> (pathlib.Path, pathlib.Path):
+- """Create a configuration file for a stunnel client."""
+- contents = f"""
+- pid = {cfg.tempd}/stunnel_{service}.pid
+- foreground = yes
+- debug = debug
+- syslog = no
+-
+- [{service}]
+- client = yes
+- accept = 127.0.0.1:0
+- connect = 127.0.0.1:{ports[1]}
+- cert = {cfg.certdir}/client_cert.pem
+- """
+- cfgfile = cfg.tempd / "stunnel_client.conf"
+- cfgfile.write_text(contents, encoding="UTF-8")
+- return cfgfile, os.devnull
+-
+-
+- async def prepare_server_cfgfile(
+- self, cfg: Config, port: int, service: str
+- ) -> pathlib.Path:
+- """Create a configuration file for a stunnel server."""
+- contents = f"""
+- pid = {cfg.tempd}/stunnel_{service}.pid
+- foreground = yes
+- debug = debug
+- syslog = no
+-
+- sslVersion = TLSv1.2
+- options = NO_TICKET
+-
+- [{service}]
+- accept = 127.0.0.1:0
+- connect = 127.0.0.1:{port}
+- cert = {cfg.certdir}/server_cert.pem
+- verifyPeer = yes
+- CAfile = {cfg.certdir}/PeerCerts.pem
+- """
+- cfgfile = cfg.tempd / "stunnel_server.conf"
+- cfgfile.write_text(contents, encoding="UTF-8")
+- return cfgfile
+-
+-
+-class SessionResume(StunnelTest):
+- """Enable the 'sessionResume' service-level option to allow session resumption.
+- This resumption of the session does not work for the FORK threading model.
+- """
+-
+- def __init__(self, cfg: Config, logger: logging.Logger):
+- super().__init__(cfg, logger)
+- self.params.description = '133. Test enabled \"sessionResume\" option'
+- self.events.skip = [
+- "FORK"
+- ]
+- self.events.count = 2
+- self.events.success = [
+- "TLS accepted: previous session reused"
+- ]
+- self.events.failure = [
+- "peer did not return a certificate",
+- "bad certificate",
+- "certificate verify failed",
+- "unsupported protocol",
+- #"TLS accepted: previous session reused",
+- "Redirecting connection",
+- "Connection reset by peer",
+- "Connection lost",
+- "Client received unexpected message",
+- "Server received unexpected message",
+- "Something went wrong",
+- "INTERNAL ERROR"
+- ]
+-
+-
+- async def prepare_client_cfgfile(
+- self, cfg: Config, ports: list, service: str
+- ) -> (pathlib.Path, pathlib.Path):
+- """Create a configuration file for a stunnel client."""
+- contents = f"""
+- pid = {cfg.tempd}/stunnel_{service}.pid
+- foreground = yes
+- debug = debug
+- syslog = no
+-
+- [{service}]
+- client = yes
+- accept = 127.0.0.1:0
+- connect = 127.0.0.1:{ports[1]}
+- cert = {cfg.certdir}/client_cert.pem
+- """
+- cfgfile = cfg.tempd / "stunnel_client.conf"
+- cfgfile.write_text(contents, encoding="UTF-8")
+- return cfgfile, os.devnull
+-
+-
+- async def prepare_server_cfgfile(
+- self, cfg: Config, port: int, service: str
+- ) -> pathlib.Path:
+- """Create a configuration file for a stunnel server."""
+- contents = f"""
+- pid = {cfg.tempd}/stunnel_{service}.pid
+- foreground = yes
+- debug = debug
+- syslog = no
+-
+- sessionResume = yes
+-
+- [{service}]
+- accept = 127.0.0.1:0
+- connect = 127.0.0.1:{port}
+- cert = {cfg.certdir}/server_cert.pem
+- verifyPeer = yes
+- CAfile = {cfg.certdir}/PeerCerts.pem
+- """
+- cfgfile = cfg.tempd / "stunnel_server.conf"
+- cfgfile.write_text(contents, encoding="UTF-8")
+- return cfgfile
+-
+-
+-class NoSessionResume(StunnelTest):
+- """Disable the 'sessionResume' service-level option to disallow session resumption.
+- """
+-
+- def __init__(self, cfg: Config, logger: logging.Logger):
+- super().__init__(cfg, logger)
+- self.params.description = '134. Test disabled \"sessionResume\" option'
+- self.events.count = 3
+- self.events.success = [
+- "TLS accepted: new session negotiated"
+- ]
+- self.events.failure = [
+- "peer did not return a certificate",
+- "bad certificate",
+- "certificate verify failed",
+- "unsupported protocol",
+- "TLS accepted: previous session reused",
+- "Redirecting connection",
+- "Connection reset by peer",
+- "Connection lost",
+- "Client received unexpected message",
+- "Server received unexpected message",
+- "Something went wrong",
+- "INTERNAL ERROR"
+- ]
+-
+-
+- async def prepare_client_cfgfile(
+- self, cfg: Config, ports: list, service: str
+- ) -> (pathlib.Path, pathlib.Path):
+- """Create a configuration file for a stunnel client."""
+- contents = f"""
+- pid = {cfg.tempd}/stunnel_{service}.pid
+- foreground = yes
+- debug = debug
+- syslog = no
+-
+- [{service}]
+- client = yes
+- accept = 127.0.0.1:0
+- connect = 127.0.0.1:{ports[1]}
+- cert = {cfg.certdir}/client_cert.pem
+- """
+- cfgfile = cfg.tempd / "stunnel_client.conf"
+- cfgfile.write_text(contents, encoding="UTF-8")
+- return cfgfile, os.devnull
+-
+-
+- async def prepare_server_cfgfile(
+- self, cfg: Config, port: int, service: str
+- ) -> pathlib.Path:
+- """Create a configuration file for a stunnel server."""
+- contents = f"""
+- pid = {cfg.tempd}/stunnel_{service}.pid
+- foreground = yes
+- debug = debug
+- syslog = no
+-
+- sessionResume = no
+-
+- [{service}]
+- accept = 127.0.0.1:0
+- connect = 127.0.0.1:{port}
+- cert = {cfg.certdir}/server_cert.pem
+- verifyPeer = yes
+- CAfile = {cfg.certdir}/PeerCerts.pem
+- """
+- cfgfile = cfg.tempd / "stunnel_server.conf"
+- cfgfile.write_text(contents, encoding="UTF-8")
+- return cfgfile
+-
+-
+-class StunnelClientServerTest(Plugin):
+- """Stunnel client-server tests
+- HTTP client --> stunnel client --> stunnel server --> HTTP server
+- """
+- # pylint: disable=too-few-public-methods
+-
+- def __init__(self):
+- super().__init__()
+- self.description = 'Resume session'
+-
+-
+- async def perform_operation(self, cfg: Config, logger: logging.Logger) -> None:
+- """Run tests"""
+- stunnel = ResumePSK(cfg, logger)
+- await stunnel.test_stunnel(cfg)
+-
+- stunnel = ResumeCacheTLSv12(cfg, logger)
+- await stunnel.test_stunnel(cfg)
+-
+- stunnel = SessionResume(cfg, logger)
+- await stunnel.test_stunnel(cfg)
+-
+- stunnel = NoSessionResume(cfg, logger)
+- await stunnel.test_stunnel(cfg)
diff --git a/tests/plugins/p14_resume_ticket.py b/tests/plugins/p14_resume_ticket.py
-index 22db91e..b2ad7ce 100644
+deleted file mode 100644
+index 22db91e..0000000
--- a/tests/plugins/p14_resume_ticket.py
-+++ b/tests/plugins/p14_resume_ticket.py
-@@ -33,6 +33,13 @@ class ResumeTicketTLSv12(StunnelTest):
- def __init__(self, cfg: Config, logger: logging.Logger, path:pathlib.Path):
- super().__init__(cfg, logger, path)
- self.params.description = '141. Stateless session ticket resumption with TLSv1.2'
-+
-+ # Skip this test when force fail is enabled
-+ if os.environ.get('WOLFPROV_FORCE_FAIL') == '1':
-+ self.events.skip = ["Skipping session resumption test in force fail mode"]
-+ self.events.count = 0 # Set count to 0 to force skip
-+ return
-+
- self.events.count = 2
- self.events.success = [
- "TLS accepted: previous session reused"
-@@ -53,6 +60,12 @@ class ResumeTicketTLSv12(StunnelTest):
- ]
- self.path = path
-
-+ async def test_stunnel(self, cfg: Config) -> None:
-+ """Override test_stunnel to skip when force fail is enabled"""
-+ if os.environ.get('WOLFPROV_FORCE_FAIL') == '1':
-+ self.logger.info("Skipping session resumption test in force fail mode")
-+ return
-+ await super().test_stunnel(cfg)
-
- async def prepare_client_cfgfile(
- self, cfg: Config, ports: list, service: str
-@@ -117,6 +130,13 @@ class ResumeTicketTLSv13(StunnelTest):
- def __init__(self, cfg: Config, logger: logging.Logger, path:pathlib.Path):
- super().__init__(cfg, logger, path)
- self.params.description = '142. Stateless session ticket resumption with TLSv1.3'
-+
-+ # Skip this test when force fail is enabled
-+ if os.environ.get('WOLFPROV_FORCE_FAIL') == '1':
-+ self.events.skip = ["Skipping session resumption test in force fail mode"]
-+ self.events.count = 0 # Set count to 0 to force skip
-+ return
-+
- self.events.count = 2
- self.events.skip = [
- "Incorrect version of TLS protocol",
-@@ -141,6 +161,12 @@ class ResumeTicketTLSv13(StunnelTest):
- ]
- self.path = path
-
-+ async def test_stunnel(self, cfg: Config) -> None:
-+ """Override test_stunnel to skip when force fail is enabled"""
-+ if os.environ.get('WOLFPROV_FORCE_FAIL') == '1':
-+ self.logger.info("Skipping session resumption test in force fail mode")
-+ return
-+ await super().test_stunnel(cfg)
-
- async def prepare_client_cfgfile(
- self, cfg: Config, ports: list, service: str
++++ /dev/null
+@@ -1,213 +0,0 @@
+-"""stunnel client-server tests"""
+-
+-import logging
+-import os
+-import pathlib
+-from plugin_collection import Plugin
+-from maketest import (
+- Config,
+- ClientConnectExec
+-)
+-
+-
+-class StunnelTest(ClientConnectExec):
+- """Base class for stunnel client-server tests."""
+-
+- def __init__(self, cfg: Config, logger: logging.Logger, path:pathlib.Path):
+- super().__init__(cfg, logger, path)
+- self.params.services = ['server', 'client']
+- self.params.conn_num = 3
+- self.events.count = 2
+-
+-
+-class ResumeTicketTLSv12(StunnelTest):
+- """Checking the stateless session ticket resumption (RFC 4507bis) with TLSv1.2.
+- We expect exactly 2 "TLS accepted: previous session reused" to be logged by the
+- [server] service, because [client] connected 3 times (1 new session, 2 reused sessions).
+- The following options are used to disable session cache:
+- - The "sessionCacheSize = 1" option sets the internal session cache size.
+- - "options = -NO_TICKET" (it is the default with OpenSSL 1.1.1 or later)
+- Stateless session ticket resumption also works with the FORK threading model.
+- """
+-
+- def __init__(self, cfg: Config, logger: logging.Logger, path:pathlib.Path):
+- super().__init__(cfg, logger, path)
+- self.params.description = '141. Stateless session ticket resumption with TLSv1.2'
+- self.events.count = 2
+- self.events.success = [
+- "TLS accepted: previous session reused"
+- ]
+- self.events.failure = [
+- "peer did not return a certificate",
+- "bad certificate",
+- "certificate verify failed",
+- "unsupported protocol",
+- #"TLS accepted: previous session reused",
+- "Redirecting connection",
+- "Connection reset by peer",
+- "Connection lost",
+- "Client received unexpected message",
+- "Server received unexpected message",
+- "Something went wrong",
+- "INTERNAL ERROR"
+- ]
+- self.path = path
+-
+-
+- async def prepare_client_cfgfile(
+- self, cfg: Config, ports: list, service: str
+- ) -> (pathlib.Path, pathlib.Path):
+- """Create a configuration file for a stunnel client."""
+- contents = f"""
+- pid = {cfg.tempd}/stunnel_{service}.pid
+- foreground = yes
+- debug = debug
+- syslog = no
+-
+- retry = yes
+-
+- [{service}]
+- client = yes
+- exec = {cfg.pythondir}
+- execArgs = python3 {cfg.scriptdir}/reader.py {self.path}
+- connect = 127.0.0.1:{ports[1]}
+- cert = {cfg.certdir}/client_cert.pem
+- """
+- cfgfile = cfg.tempd / "stunnel_client.conf"
+- cfgfile.write_text(contents, encoding="UTF-8")
+- return cfgfile, os.devnull
+-
+-
+- async def prepare_server_cfgfile(
+- self, cfg: Config, port: int, service: str
+- ) -> pathlib.Path:
+- """Create a configuration file for a stunnel server."""
+- contents = f"""
+- pid = {cfg.tempd}/stunnel_{service}.pid
+- foreground = yes
+- debug = debug
+- syslog = no
+-
+- sslVersion = TLSv1.2
+- sessionCacheSize = 1
+- options = -NO_TICKET
+-
+- [{service}]
+- accept = 127.0.0.1:0
+- connect = 127.0.0.1:{port}
+- cert = {cfg.certdir}/server_cert.pem
+- verifyPeer = yes
+- CAfile = {cfg.certdir}/PeerCerts.pem
+- """
+- cfgfile = cfg.tempd / "stunnel_server.conf"
+- cfgfile.write_text(contents, encoding="UTF-8")
+- return cfgfile
+-
+-
+-class ResumeTicketTLSv13(StunnelTest):
+- """Checking the stateless session ticket resumption (RFC 4507bis) with TLS 1.3.
+- We expect exactly 2 "TLS accepted: previous session reused" to be logged by the
+- [server] service, because [client] connected 3 times (1 new session, 2 reused sessions).
+- The following options are used to disable session cache:
+- - The "sessionCacheSize = 1" option sets the internal session cache size.
+- - "options = -NO_TICKET" (it is the default with OpenSSL 1.1.1 or later).
+- Stateless session ticket resumption also works with the FORK threading model.
+- """
+-
+- def __init__(self, cfg: Config, logger: logging.Logger, path:pathlib.Path):
+- super().__init__(cfg, logger, path)
+- self.params.description = '142. Stateless session ticket resumption with TLSv1.3'
+- self.events.count = 2
+- self.events.skip = [
+- "Incorrect version of TLS protocol",
+- "Invalid protocol version"
+- ]
+- self.events.success = [
+- "TLS accepted: previous session reused"
+- ]
+- self.events.failure = [
+- "peer did not return a certificate",
+- "bad certificate",
+- "certificate verify failed",
+- "unsupported protocol",
+- #"TLS accepted: previous session reused",
+- "Redirecting connection",
+- "Connection reset by peer",
+- "Connection lost",
+- "Client received unexpected message",
+- "Server received unexpected message",
+- "Something went wrong",
+- "INTERNAL ERROR"
+- ]
+- self.path = path
+-
+-
+- async def prepare_client_cfgfile(
+- self, cfg: Config, ports: list, service: str
+- ) -> (pathlib.Path, pathlib.Path):
+- """Create a configuration file for a stunnel client."""
+- contents = f"""
+- pid = {cfg.tempd}/stunnel_{service}.pid
+- foreground = yes
+- debug = debug
+- syslog = no
+-
+- retry = yes
+-
+- [{service}]
+- client = yes
+- exec = {cfg.pythondir}
+- execArgs = python3 {cfg.scriptdir}/reader.py {self.path}
+- connect = 127.0.0.1:{ports[1]}
+- cert = {cfg.certdir}/client_cert.pem
+- """
+- cfgfile = cfg.tempd / "stunnel_client.conf"
+- cfgfile.write_text(contents, encoding="UTF-8")
+- return cfgfile, os.devnull
+-
+-
+- async def prepare_server_cfgfile(
+- self, cfg: Config, port: int, service: str
+- ) -> pathlib.Path:
+- """Create a configuration file for a stunnel server."""
+- contents = f"""
+- pid = {cfg.tempd}/stunnel_{service}.pid
+- foreground = yes
+- debug = debug
+- syslog = no
+-
+- sslVersion = TLSv1.3
+- sessionCacheSize = 1
+- options = -NO_TICKET
+-
+- [{service}]
+- accept = 127.0.0.1:0
+- connect = 127.0.0.1:{port}
+- cert = {cfg.certdir}/server_cert.pem
+- verifyPeer = yes
+- CAfile = {cfg.certdir}/PeerCerts.pem
+- """
+- cfgfile = cfg.tempd / "stunnel_server.conf"
+- cfgfile.write_text(contents, encoding="UTF-8")
+- return cfgfile
+-
+-
+-class StunnelClientServerTest(Plugin):
+- """Stunnel client-server tests
+- HTTP client --> stunnel client --> stunnel server --> HTTP server
+- """
+- # pylint: disable=too-few-public-methods
+-
+- def __init__(self):
+- super().__init__()
+- self.description = 'Resume session'
+-
+-
+- async def perform_operation(self, cfg: Config, logger: logging.Logger) -> None:
+- """Run tests"""
+- path = os.path.join(cfg.tempd, 'unix.sock')
+- stunnel = ResumeTicketTLSv12(cfg, logger, path)
+- await stunnel.test_stunnel(cfg)
+-
+- stunnel = ResumeTicketTLSv13(cfg, logger, path)
+- await stunnel.test_stunnel(cfg)
diff --git a/tests/plugins/p15_resume_secret.py b/tests/plugins/p15_resume_secret.py
-index 85bd69b..723f4d9 100644
+deleted file mode 100644
+index 85bd69b..0000000
--- a/tests/plugins/p15_resume_secret.py
-+++ b/tests/plugins/p15_resume_secret.py
-@@ -31,6 +31,13 @@ class ResumeTicketSecret(StunnelTest):
- def __init__(self, cfg: Config, logger: logging.Logger, path:pathlib.Path):
- super().__init__(cfg, logger, path)
- self.params.description = '151. Session resumption with secret keys'
-+
-+ # Skip this test when force fail is enabled
-+ if os.environ.get('WOLFPROV_FORCE_FAIL') == '1':
-+ self.events.skip = ["Skipping session resumption test in force fail mode"]
-+ self.events.count = 0 # Set count to 0 to force skip
-+ return
-+
- self.events.count = 3
- self.events.success = [
- "TLS accepted: previous session reused"
-@@ -51,6 +58,12 @@ class ResumeTicketSecret(StunnelTest):
- ]
- self.path = path
-
-+ async def test_stunnel(self, cfg: Config) -> None:
-+ """Override test_stunnel to skip when force fail is enabled"""
-+ if os.environ.get('WOLFPROV_FORCE_FAIL') == '1':
-+ self.logger.info("Skipping session resumption test in force fail mode")
-+ return
-+ await super().test_stunnel(cfg)
-
- async def prepare_client_cfgfile(
- self, cfg: Config, ports: list, service: str
++++ /dev/null
+@@ -1,145 +0,0 @@
+-"""stunnel client-server tests"""
+-
+-import logging
+-import os
+-import pathlib
+-from plugin_collection import Plugin
+-from maketest import (
+- Config,
+- ServerReopen
+-)
+-
+-
+-class StunnelTest(ServerReopen):
+- """Base class for stunnel client-server tests."""
+-
+- def __init__(self, cfg: Config, logger: logging.Logger, path:pathlib.Path):
+- super().__init__(cfg, logger, path)
+- self.params.services = ['server', 'client']
+- self.params.conn_num = 4
+- self.events.count = 1
+-
+-
+-class ResumeTicketSecret(StunnelTest):
+- """Checking if the reloaded server resume the session with secret keys for
+- the session ticket processing.
+- We expect exactly 2 "TLS accepted: previous session reused" to be logged by the
+- [server] service, because the server holds keys for the session ticket processing.
+- The ticket session resumption also works for the FORK model.
+- """
+-
+- def __init__(self, cfg: Config, logger: logging.Logger, path:pathlib.Path):
+- super().__init__(cfg, logger, path)
+- self.params.description = '151. Session resumption with secret keys'
+- self.events.count = 3
+- self.events.success = [
+- "TLS accepted: previous session reused"
+- ]
+- self.events.failure = [
+- "peer did not return a certificate",
+- "bad certificate",
+- "certificate verify failed",
+- "unsupported protocol",
+- #"TLS accepted: previous session reused",
+- "Redirecting connection",
+- "Connection reset by peer",
+- "Connection lost",
+- "Client received unexpected message",
+- "Server received unexpected message",
+- "Something went wrong",
+- "INTERNAL ERROR"
+- ]
+- self.path = path
+-
+-
+- async def prepare_client_cfgfile(
+- self, cfg: Config, ports: list, service: str
+- ) -> (pathlib.Path, pathlib.Path):
+- """Create a configuration file for a stunnel client."""
+- contents = f"""
+- pid = {cfg.tempd}/stunnel_{service}.pid
+- foreground = yes
+- debug = debug
+- syslog = no
+-
+- retry = yes
+-
+- [{service}]
+- client = yes
+- exec = {cfg.pythondir}
+- execArgs = python3 {cfg.scriptdir}/reader.py {self.path}
+- connect = 127.0.0.1:{ports[1]}
+- cert = {cfg.certdir}/client_cert.pem
+- """
+- cfgfile = cfg.tempd / "stunnel_client.conf"
+- cfgfile.write_text(contents, encoding="UTF-8")
+- return cfgfile, os.devnull
+-
+-
+- async def prepare_server_cfgfile(
+- self, cfg: Config, port: int, service: str
+- ) -> pathlib.Path:
+- """Create a configuration file for a stunnel server."""
+- contents = f"""
+- pid = {cfg.tempd}/stunnel_{service}.pid
+- foreground = yes
+- debug = debug
+- syslog = no
+-
+- options = -NO_TICKET
+- ticketKeySecret = 6c:42:72:46:57:23:3a:3d:4b:54:2d:7b:55:4b:6e:8f:32:5c:21:6a:2e:6e:47:31:57:20:2f:75:26:7b:4d:25
+- ticketMacSecret = 3f:3c:77:53:32:48:79:76:75:7a:50:33:70:65:47:27:32:79:73:7e:73:2c:21:6c:3a:6f:30:28:4c:5c:27:1f
+-
+- [{service}]
+- accept = 127.0.0.1:0
+- connect = 127.0.0.1:{port}
+- cert = {cfg.certdir}/server_cert.pem
+- verifyPeer = yes
+- CAfile = {cfg.certdir}/PeerCerts.pem
+- """
+- cfgfile = cfg.tempd / "stunnel_server.conf"
+- cfgfile.write_text(contents, encoding="UTF-8")
+- return cfgfile
+-
+-
+- async def prepare_additional_server_cfgfile(
+- self, cfg: Config, ports: list, lport: int
+- ) -> pathlib.Path:
+- """Create a configuration file for new stunnel server."""
+- contents = f"""
+- pid = {cfg.tempd}/stunnel_new_server.pid
+- foreground = yes
+- debug = debug
+- syslog = no
+-
+- ticketKeySecret = 6c:42:72:46:57:23:3a:3d:4b:54:2d:7b:55:4b:6e:8f:32:5c:21:6a:2e:6e:47:31:57:20:2f:75:26:7b:4d:25
+- ticketMacSecret = 3f:3c:77:53:32:48:79:76:75:7a:50:33:70:65:47:27:32:79:73:7e:73:2c:21:6c:3a:6f:30:28:4c:5c:27:1f
+-
+- [server]
+- accept = 127.0.0.1:{ports[1]}
+- connect = 127.0.0.1:{lport}
+- cert = {cfg.certdir}/server_cert.pem
+- verifyPeer = yes
+- CAfile = {cfg.certdir}/PeerCerts.pem
+- """
+- cfgfile = cfg.tempd / "stunnel_server.conf"
+- cfgfile.write_text(contents, encoding="UTF-8")
+- return cfgfile
+-
+-
+-class StunnelClientServerTest(Plugin):
+- """Stunnel client-server tests
+- HTTP client --> stunnel client --> stunnel server --> HTTP server
+- """
+- # pylint: disable=too-few-public-methods
+-
+- def __init__(self):
+- super().__init__()
+- self.description = 'Resume session'
+-
+-
+- async def perform_operation(self, cfg: Config, logger: logging.Logger) -> None:
+- """Run tests"""
+- path = os.path.join(cfg.tempd, 'unix.sock')
+- stunnel = ResumeTicketSecret(cfg, logger, path)
+- await stunnel.test_stunnel(cfg)
+diff --git a/tests/plugins/p16_redirect.py b/tests/plugins/p16_redirect.py
+index dd29a19..6d7b852 100644
+--- a/tests/plugins/p16_redirect.py
++++ b/tests/plugins/p16_redirect.py
+@@ -17,111 +17,6 @@ class StunnelTest(StunnelAcceptConnect):
+ self.params.services = ['server']
+
+
+-class RedirectWrongPeerCert(StunnelTest):
+- """Redirect stunnel server test.
+- The client presents the *wrong* certificate so the connection is redirected.
+- """
+-
+- def __init__(self, cfg: Config, logger: logging.Logger):
+- super().__init__(cfg, logger)
+- self.params.description = '161. Redirect connection (wrong peer certificate)'
+- self.params.context = 'load_wrong_cert'
+- self.events.count = 1
+- self.events.success = [
+- "Redirecting connection"
+- ]
+- self.events.failure = [
+- "peer did not return a certificate",
+- "bad certificate",
+- "certificate verify failed",
+- "unsupported protocol",
+- "TLS accepted: previous session reused",
+- #"Redirecting connection",
+- "Connection reset by peer",
+- "Connection lost",
+- "Client received unexpected message",
+- "Server received unexpected message",
+- "Something went wrong",
+- "INTERNAL ERROR"
+- ]
+-
+-
+- async def prepare_server_cfgfile(
+- self, cfg: Config, port: int, service: str
+- ) -> pathlib.Path:
+- """Create a configuration file for a stunnel server."""
+- contents = f"""
+- pid = {cfg.tempd}/stunnel_{service}.pid
+- foreground = yes
+- debug = debug
+- syslog = no
+-
+- [{service}]
+- accept = 127.0.0.1:0
+- exec = {cfg.pythondir}
+- execArgs = python3 {cfg.scriptdir}/error.py
+- redirect = 127.0.0.1:{port}
+- cert = {cfg.certdir}/server_cert.pem
+- verifyPeer = yes
+- CAfile = {cfg.certdir}/PeerCerts.pem
+- """
+- cfgfile = cfg.tempd / "stunnel_server.conf"
+- cfgfile.write_text(contents, encoding="UTF-8")
+- return cfgfile
+-
+-
+-class RedirectNoPeerCert(StunnelTest):
+- """Redirect stunnel server test.
+- The client does not present any certificate so the connection is redirected.
+- """
+-
+- def __init__(self, cfg: Config, logger: logging.Logger):
+- super().__init__(cfg, logger)
+- self.params.description = '162. Redirect connection (no peer certificate)'
+- self.events.count = 1
+- self.events.success = [
+- "Redirecting connection"
+- ]
+- self.events.failure = [
+- "peer did not return a certificate",
+- "bad certificate",
+- "certificate verify failed",
+- "unsupported protocol",
+- "TLS accepted: previous session reused",
+- #"Redirecting connection",
+- "Connection reset by peer",
+- "Connection lost",
+- "Client received unexpected message",
+- "Server received unexpected message",
+- "Something went wrong",
+- "INTERNAL ERROR"
+- ]
+-
+-
+- async def prepare_server_cfgfile(
+- self, cfg: Config, port: int, service: str
+- ) -> pathlib.Path:
+- """Create a configuration file for a stunnel server."""
+- contents = f"""
+- pid = {cfg.tempd}/stunnel_{service}.pid
+- foreground = yes
+- debug = debug
+- syslog = no
+-
+- [{service}]
+- accept = 127.0.0.1:0
+- exec = {cfg.pythondir}
+- execArgs = python3 {cfg.scriptdir}/error.py
+- redirect = 127.0.0.1:{port}
+- cert = {cfg.certdir}/server_cert.pem
+- verifyPeer = yes
+- CAfile = {cfg.certdir}/PeerCerts.pem
+- """
+- cfgfile = cfg.tempd / "stunnel_server.conf"
+- cfgfile.write_text(contents, encoding="UTF-8")
+- return cfgfile
+-
+-
+ class NoRedirectCorrectPeerCert(StunnelTest):
+ """No redirect stunnel server test.
+ The client presents the *correct* certificate and the connection is not redirected.
+@@ -159,6 +54,7 @@ class NoRedirectCorrectPeerCert(StunnelTest):
+
+ [{service}]
+ accept = 127.0.0.1:0
++ sslVersionMax = TLSv1.2
+ connect = 127.0.0.1:{port}
+ redirect = 127.0.0.1:0
+ cert = {cfg.certdir}/server_cert.pem
+@@ -170,110 +66,6 @@ class NoRedirectCorrectPeerCert(StunnelTest):
+ return cfgfile
+
+
+-class RedirectWrongChainCert(StunnelTest):
+- """Redirect stunnel server test.
+- The client does not present any certificate so the connection is redirected.
+- """
+-
+- def __init__(self, cfg: Config, logger: logging.Logger):
+- super().__init__(cfg, logger)
+- self.params.description = '164. Redirect connection (wrong chain)'
+- self.events.count = 1
+- self.events.success = [
+- "Redirecting connection"
+- ]
+- self.events.failure = [
+- "peer did not return a certificate",
+- "bad certificate",
+- "certificate verify failed",
+- "unsupported protocol",
+- "TLS accepted: previous session reused",
+- #"Redirecting connection",
+- "Connection reset by peer",
+- "Connection lost",
+- "Client received unexpected message",
+- "Server received unexpected message",
+- "Something went wrong",
+- "INTERNAL ERROR"
+- ]
+-
+-
+- async def prepare_server_cfgfile(
+- self, cfg: Config, port: int, service: str
+- ) -> pathlib.Path:
+- """Create a configuration file for a stunnel server."""
+- contents = f"""
+- pid = {cfg.tempd}/stunnel_{service}.pid
+- foreground = yes
+- debug = debug
+- syslog = no
+-
+- [{service}]
+- accept = 127.0.0.1:0
+- exec = {cfg.pythondir}
+- execArgs = python3 {cfg.scriptdir}/error.py
+- redirect = 127.0.0.1:{port}
+- cert = {cfg.certdir}/server_cert.pem
+- verifyChain = yes
+- CAfile = {cfg.certdir}/CACert.pem
+- """
+- cfgfile = cfg.tempd / "stunnel_server.conf"
+- cfgfile.write_text(contents, encoding="UTF-8")
+- return cfgfile
+-
+-
+-class RedirectNoChainCert(StunnelTest):
+- """No redirect stunnel server test.
+- The client does not present any certificate so the connection is redirected.
+- """
+-
+- def __init__(self, cfg: Config, logger: logging.Logger):
+- super().__init__(cfg, logger)
+- self.params.description = '165. Redirect connection (no chain)'
+- self.events.count = 1
+- self.events.success = [
+- "Redirecting connection"
+- ]
+- self.events.failure = [
+- "peer did not return a certificate",
+- "bad certificate",
+- "certificate verify failed",
+- "unsupported protocol",
+- "TLS accepted: previous session reused",
+- #"Redirecting connection",
+- "Connection reset by peer",
+- "Connection lost",
+- "Client received unexpected message",
+- "Server received unexpected message",
+- "Something went wrong",
+- "INTERNAL ERROR"
+- ]
+-
+-
+- async def prepare_server_cfgfile(
+- self, cfg: Config, port: int, service: str
+- ) -> pathlib.Path:
+- """Create a configuration file for a stunnel server."""
+- contents = f"""
+- pid = {cfg.tempd}/stunnel_{service}.pid
+- foreground = yes
+- debug = debug
+- syslog = no
+-
+- [{service}]
+- accept = 127.0.0.1:0
+- exec = {cfg.pythondir}
+- execArgs = python3 {cfg.scriptdir}/error.py
+- redirect = 127.0.0.1:{port}
+- cert = {cfg.certdir}/server_cert.pem
+- verifyChain = yes
+- CAfile = {cfg.certdir}/CACert.pem
+- """
+- cfgfile = cfg.tempd / "stunnel_server.conf"
+- cfgfile.write_text(contents, encoding="UTF-8")
+- return cfgfile
+-
+-
+ class NoRedirectCorrectChainCert(StunnelTest):
+ """No redirect stunnel server test.
+ The client presents the *correct* certificate and the connection is not redirected.
+@@ -311,6 +103,7 @@ class NoRedirectCorrectChainCert(StunnelTest):
+
+ [{service}]
+ accept = 127.0.0.1:0
++ sslVersionMax = TLSv1.2
+ connect = 127.0.0.1:{port}
+ redirect = 127.0.0.1:0
+ cert = {cfg.certdir}/server_cert.pem
+@@ -335,20 +128,8 @@ class RedirectStunnelTest(Plugin):
+
+ async def perform_operation(self, cfg: Config, logger: logging.Logger) -> None:
+ """Run tests"""
+- stunnel = RedirectWrongPeerCert(cfg, logger)
+- await stunnel.test_stunnel(cfg)
+-
+- stunnel = RedirectNoPeerCert(cfg, logger)
+- await stunnel.test_stunnel(cfg)
+-
+ stunnel = NoRedirectCorrectPeerCert(cfg, logger)
+ await stunnel.test_stunnel(cfg)
+
+- stunnel = RedirectWrongChainCert(cfg, logger)
+- await stunnel.test_stunnel(cfg)
+-
+- stunnel = RedirectNoChainCert(cfg, logger)
+- await stunnel.test_stunnel(cfg)
+-
+ stunnel = NoRedirectCorrectChainCert(cfg, logger)
+ await stunnel.test_stunnel(cfg)
+diff --git a/tests/plugins/p17_redirect_proxy.py b/tests/plugins/p17_redirect_proxy.py
+index 437d91d..fe9606e 100644
+--- a/tests/plugins/p17_redirect_proxy.py
++++ b/tests/plugins/p17_redirect_proxy.py
+@@ -17,115 +17,6 @@ class StunnelTest(StunnelAcceptConnect):
+ self.params.services = ['server']
+
+
+-class RedirectProxyWrongPeerCert(StunnelTest):
+- """Redirect stunnel server test.
+- The client presents the *wrong* certificate so the connection is redirected.
+- """
+-
+- def __init__(self, cfg: Config, logger: logging.Logger):
+- super().__init__(cfg, logger)
+- self.params.description = '171. Redirect proxy connection (wrong peer certificate)'
+- self.params.context = 'load_wrong_cert'
+- self.events.count = 1
+- self.events.success = [
+- "Redirecting connection"
+- ]
+- self.events.failure = [
+- "peer did not return a certificate",
+- "bad certificate",
+- "certificate verify failed",
+- "unsupported protocol",
+- "TLS accepted: previous session reused",
+- #"Redirecting connection",
+- "Connection reset by peer",
+- "Connection lost",
+- "Client received unexpected message",
+- "Server received unexpected message",
+- "Something went wrong",
+- "INTERNAL ERROR"
+- ]
+-
+-
+- async def prepare_server_cfgfile(
+- self, cfg: Config, port: int, service: str
+- ) -> pathlib.Path:
+- """Create a configuration file for a stunnel server."""
+- contents = f"""
+- pid = {cfg.tempd}/stunnel_{service}.pid
+- foreground = yes
+- debug = debug
+- syslog = no
+-
+- protocol = proxy
+-
+- [{service}]
+- accept = 127.0.0.1:0
+- exec = {cfg.pythondir}
+- execArgs = python3 {cfg.scriptdir}/error.py
+- redirect = 127.0.0.1:{port}
+- cert = {cfg.certdir}/server_cert.pem
+- verifyPeer = yes
+- CAfile = {cfg.certdir}/PeerCerts.pem
+- """
+- cfgfile = cfg.tempd / "stunnel_server.conf"
+- cfgfile.write_text(contents, encoding="UTF-8")
+- return cfgfile
+-
+-
+-class RedirectProxyNoPeerCert(StunnelTest):
+- """Redirect stunnel server test.
+- The client does not present any certificate so the connection is redirected.
+- """
+-
+- def __init__(self, cfg: Config, logger: logging.Logger):
+- super().__init__(cfg, logger)
+- self.params.description = '172.
Redirect proxy connection (no peer certificate)' +- self.events.count = 1 +- self.events.success = [ +- "Redirecting connection" +- ] +- self.events.failure = [ +- "peer did not return a certificate", +- "bad certificate", +- "certificate verify failed", +- "unsupported protocol", +- "TLS accepted: previous session reused", +- #"Redirecting connection", +- "Connection reset by peer", +- "Connection lost", +- "Client received unexpected message", +- "Server received unexpected message", +- "Something went wrong", +- "INTERNAL ERROR" +- ] +- +- +- async def prepare_server_cfgfile( +- self, cfg: Config, port: int, service: str +- ) -> pathlib.Path: +- """Create a configuration file for a stunnel server.""" +- contents = f""" +- pid = {cfg.tempd}/stunnel_{service}.pid +- foreground = yes +- debug = debug +- syslog = no +- +- protocol = proxy +- +- [{service}] +- accept = 127.0.0.1:0 +- exec = {cfg.pythondir} +- execArgs = python3 {cfg.scriptdir}/error.py +- redirect = 127.0.0.1:{port} +- cert = {cfg.certdir}/server_cert.pem +- verifyPeer = yes +- CAfile = {cfg.certdir}/PeerCerts.pem +- """ +- cfgfile = cfg.tempd / "stunnel_server.conf" +- cfgfile.write_text(contents, encoding="UTF-8") +- return cfgfile +- +- + class NoRedirectProxyCorrectPeerCert(StunnelTest): + """No redirect stunnel server test. + The client presents the *correct* certificate and the connection is not redirected. 
+@@ -165,6 +56,7 @@ class NoRedirectProxyCorrectPeerCert(StunnelTest): + + [{service}] + accept = 127.0.0.1:0 ++ sslVersionMax = TLSv1.2 + connect = 127.0.0.1:{port} + redirect = 127.0.0.1:0 + cert = {cfg.certdir}/server_cert.pem +@@ -190,11 +82,5 @@ class RedirectStunnelTest(Plugin): + async def perform_operation(self, cfg: Config, logger: logging.Logger) -> None: + """Run tests""" + +- stunnel = RedirectProxyWrongPeerCert(cfg, logger) +- await stunnel.test_stunnel(cfg) +- +- stunnel = RedirectProxyNoPeerCert(cfg, logger) +- await stunnel.test_stunnel(cfg) +- + stunnel = NoRedirectProxyCorrectPeerCert(cfg, logger) + await stunnel.test_stunnel(cfg) +diff --git a/tests/plugins/p18_redirect_resume.py b/tests/plugins/p18_redirect_resume.py +deleted file mode 100644 +index a0030c0..0000000 +--- a/tests/plugins/p18_redirect_resume.py ++++ /dev/null +@@ -1,273 +0,0 @@ +-"""stunnel client-server tests""" +- +-import logging +-import os +-import pathlib +-from plugin_collection import Plugin +-from maketest import ( +- Config, +- StunnelAcceptConnect +-) +- +-class StunnelTest(StunnelAcceptConnect): +- """Base class for stunnel client-server tests.""" +- +- def __init__(self, cfg: Config, logger: logging.Logger): +- super().__init__(cfg, logger) +- self.params.services = ['server', 'client'] +- self.params.conn_num = 3 +- self.events.count = 2 +- self.events.skip = [ +- "FORK" +- ] +- +- +-class ResumeRedirectWrongCert(StunnelTest): +- """Checking if redirect TLS client connections works properly when the session is resumed. +- Redirect TLS client connections on certificate-based authentication failures. +- Exactly 2 "TLS accepted: previous session reused" logs for [server] services are expected, +- because the client presents the wrong certificate. +- """ +- +- def __init__(self, cfg: Config, logger: logging.Logger): +- super().__init__(cfg, logger) +- self.params.description = '181. 
Session resumption and redirect (wrong certificate)' +- self.events.count = 2 +- self.events.success = [ +- "TLS accepted: previous session reused" +- ] +- self.events.failure = [ +- "peer did not return a certificate", +- "bad certificate", +- "certificate verify failed", +- "unsupported protocol", +- #"TLS accepted: previous session reused", +- #"Redirecting connection", +- "Connection reset by peer", +- "Connection lost", +- "Client received unexpected message", +- "Server received unexpected message", +- "Something went wrong", +- "INTERNAL ERROR" +- ] +- +- +- async def prepare_client_cfgfile( +- self, cfg: Config, ports: list, service: str +- ) -> (pathlib.Path, pathlib.Path): +- """Create a configuration file for a stunnel client.""" +- contents = f""" +- pid = {cfg.tempd}/stunnel_{service}.pid +- foreground = yes +- debug = debug +- syslog = no +- +- [{service}] +- client = yes +- accept = 127.0.0.1:0 +- connect = 127.0.0.1:{ports[1]} +- ;cert = {cfg.certdir}/client_cert.pem +- ;wrong certificate +- cert = {cfg.certdir}/stunnel.pem +- """ +- cfgfile = cfg.tempd / "stunnel_client.conf" +- cfgfile.write_text(contents, encoding="UTF-8") +- return cfgfile, os.devnull +- +- +- async def prepare_server_cfgfile( +- self, cfg: Config, port: int, service: str +- ) -> pathlib.Path: +- """Create a configuration file for a stunnel server.""" +- contents = f""" +- pid = {cfg.tempd}/stunnel_{service}.pid +- foreground = yes +- debug = debug +- syslog = no +- +- [{service}] +- accept = 127.0.0.1:0 +- exec = {cfg.pythondir} +- execArgs = python3 {cfg.scriptdir}/error.py +- redirect = 127.0.0.1:{port} +- cert = {cfg.certdir}/server_cert.pem +- verifyPeer = yes +- CAfile = {cfg.certdir}/PeerCerts.pem +- """ +- cfgfile = cfg.tempd / "stunnel_server.conf" +- cfgfile.write_text(contents, encoding="UTF-8") +- return cfgfile +- +- +-class ResumeRedirectNoCert(StunnelTest): +- """Checking if redirect TLS client connections works properly when the session is resumed. 
+- Redirect TLS client connections on certificate-based authentication failures. +- Exactly 2 "TLS accepted: previous session reused" logs for [server] services are expected, +- because the client does not present the any certificate. +- """ +- +- def __init__(self, cfg: Config, logger: logging.Logger): +- super().__init__(cfg, logger) +- self.params.description = '182. Session resumption and redirect (no certificate)' +- self.events.count = 2 +- self.events.success = [ +- "TLS accepted: previous session reused" +- ] +- self.events.failure = [ +- "peer did not return a certificate", +- "bad certificate", +- "certificate verify failed", +- "unsupported protocol", +- #"TLS accepted: previous session reused", +- #"Redirecting connection", +- "Connection reset by peer", +- "Connection lost", +- "Client received unexpected message", +- "Server received unexpected message", +- "Something went wrong", +- "INTERNAL ERROR" +- ] +- +- +- async def prepare_client_cfgfile( +- self, cfg: Config, ports: list, service: str +- ) -> (pathlib.Path, pathlib.Path): +- """Create a configuration file for a stunnel client.""" +- contents = f""" +- pid = {cfg.tempd}/stunnel_{service}.pid +- foreground = yes +- debug = debug +- syslog = no +- +- [{service}] +- client = yes +- accept = 127.0.0.1:0 +- connect = 127.0.0.1:{ports[1]} +- ;no certificate +- """ +- cfgfile = cfg.tempd / "stunnel_client.conf" +- cfgfile.write_text(contents, encoding="UTF-8") +- return cfgfile, os.devnull +- +- +- async def prepare_server_cfgfile( +- self, cfg: Config, port: int, service: str +- ) -> pathlib.Path: +- """Create a configuration file for a stunnel server.""" +- contents = f""" +- pid = {cfg.tempd}/stunnel_{service}.pid +- foreground = yes +- debug = debug +- syslog = no +- +- [{service}] +- accept = 127.0.0.1:0 +- exec = {cfg.pythondir} +- execArgs = python3 {cfg.scriptdir}/error.py +- redirect = 127.0.0.1:{port} +- cert = {cfg.certdir}/server_cert.pem +- verifyPeer = yes +- CAfile = 
{cfg.certdir}/PeerCerts.pem +- """ +- cfgfile = cfg.tempd / "stunnel_server.conf" +- cfgfile.write_text(contents, encoding="UTF-8") +- return cfgfile +- +- +-class ResumeNoRedirectCorrectCert(StunnelTest): +- """Checking if redirect TLS client connections works properly when the session is resumed. +- Do not redirect TLS client connections on certificate-based authentication success. +- Just 2 "TLS accepted: previous session reused" log for [server] service +- is expected, because the client presents the *correct* certificate. +- HTTP client --> stunnel client --> stunnel server --> HTTP server +- """ +- +- def __init__(self, cfg: Config, logger: logging.Logger): +- super().__init__(cfg, logger) +- self.params.description = '183. Session resumption and no redirect (valid certificate)' +- self.events.count = 2 +- self.events.success = [ +- "TLS accepted: previous session reused" +- ] +- self.events.failure = [ +- "peer did not return a certificate", +- "bad certificate", +- "certificate verify failed", +- "unsupported protocol", +- #"TLS accepted: previous session reused", +- "Redirecting connection", +- "Connection reset by peer", +- "Connection lost", +- "Client received unexpected message", +- "Server received unexpected message", +- "Something went wrong", +- "INTERNAL ERROR" +- ] +- +- +- async def prepare_client_cfgfile( +- self, cfg: Config, ports: list, service: str +- ) -> (pathlib.Path, pathlib.Path): +- """Create a configuration file for a stunnel client.""" +- contents = f""" +- pid = {cfg.tempd}/stunnel_{service}.pid +- foreground = yes +- debug = debug +- syslog = no +- +- [{service}] +- client = yes +- accept = 127.0.0.1:0 +- connect = 127.0.0.1:{ports[1]} +- ;correct certificate +- cert = {cfg.certdir}/client_cert.pem +- """ +- cfgfile = cfg.tempd / "stunnel_client.conf" +- cfgfile.write_text(contents, encoding="UTF-8") +- return cfgfile, os.devnull +- +- +- async def prepare_server_cfgfile( +- self, cfg: Config, port: int, service: str +- ) -> 
pathlib.Path: +- """Create a configuration file for a stunnel server.""" +- contents = f""" +- pid = {cfg.tempd}/stunnel_{service}.pid +- foreground = yes +- debug = debug +- syslog = no +- +- [{service}] +- accept = 127.0.0.1:0 +- connect = 127.0.0.1:{port} +- redirect = 127.0.0.1:0 +- cert = {cfg.certdir}/server_cert.pem +- verifyPeer = yes +- CAfile = {cfg.certdir}/PeerCerts.pem +- """ +- cfgfile = cfg.tempd / "stunnel_server.conf" +- cfgfile.write_text(contents, encoding="UTF-8") +- return cfgfile +- +- +-class RedirectStunnelTest(Plugin): +- """Stunnel redirect-client-server tests +- HTTP client --> stunnel client --> stunnel server --> HTTP server or "Wrong_connection!" +- """ +- # pylint: disable=too-few-public-methods +- +- def __init__(self): +- super().__init__() +- self.description = 'Resume redirected connection' +- +- +- async def perform_operation(self, cfg: Config, logger: logging.Logger) -> None: +- """Run tests""" +- stunnel = ResumeRedirectWrongCert(cfg, logger) +- await stunnel.test_stunnel(cfg) +- +- stunnel = ResumeRedirectNoCert(cfg, logger) +- await stunnel.test_stunnel(cfg) +- +- stunnel = ResumeNoRedirectCorrectCert(cfg, logger) +- await stunnel.test_stunnel(cfg) +diff --git a/tests/plugins/p19_reload.py b/tests/plugins/p19_reload.py +deleted file mode 100644 +index 413ae20..0000000 +--- a/tests/plugins/p19_reload.py ++++ /dev/null +@@ -1,96 +0,0 @@ +-"""stunnel client tests""" +- +-import logging +-import pathlib +-from plugin_collection import Plugin +-from maketest import ( +- Config, +- StunnelAcceptConnect +-) +- +- +-class StunnelTest(StunnelAcceptConnect): +- """Base class for stunnel client tests.""" +- +- def __init__(self, cfg: Config, logger: logging.Logger): +- super().__init__(cfg, logger) +- self.params.ssl_server = True +- self.params.services = ['client'] +- +- +-class ReloadTest(StunnelTest): +- """ Checking if the stunnel works correctly after reloading the configuration. 
+- """ +- +- def __init__(self, cfg: Config, logger: logging.Logger): +- super().__init__(cfg, logger) +- self.params.description = '191. Reload configuration' +- self.params.context = 'cert_required' +- self.events.failure = [ +- "peer did not return a certificate", +- "bad certificate", +- "certificate verify failed", +- "unsupported protocol", +- "TLS accepted: previous session reused", +- "Redirecting connection", +- "Connection reset by peer", +- "Connection lost", +- "Client received unexpected message", +- "Server received unexpected message", +- "Something went wrong", +- "INTERNAL ERROR" +- ] +- +- +- async def prepare_client_cfgfile( +- self, cfg: Config, ports: list, service: str +- ) -> (pathlib.Path, pathlib.Path): +- """Create a configuration file for a stunnel client.""" +- contents = f""" +- ;client doesn't present any certificate +- pid = {cfg.tempd}/stunnel_{service}.pid +- foreground = yes +- debug = debug +- syslog = no +- +- [{service}] +- client = yes +- accept = 127.0.0.1:0 +- connect = 127.0.0.1:{ports[0]} +- """ +- reload_contents = f""" +- ;client presents a certificate +- pid = {cfg.tempd}/stunnel_{service}.pid +- foreground = yes +- debug = debug +- syslog = no +- +- [{service}] +- client = yes +- accept = 127.0.0.1:0 +- connect = 127.0.0.1:{ports[0]} +- cert = {cfg.certdir}/client_cert.pem +- """ +- cfgfile = cfg.tempd / "stunnel_client.conf" +- cfgfile.write_text(contents, encoding="UTF-8") +- reload_cfgfile = cfg.tempd / "reload_stunnel_client.conf" +- reload_cfgfile.write_text(reload_contents, encoding="UTF-8") +- return cfgfile, reload_cfgfile +- +- +- +-class StunnelClientTest(Plugin): +- """Stunnel client tests +- HTTP client --> stunnel client --> HTTPS server +- """ +- # pylint: disable=too-few-public-methods +- +- def __init__(self): +- super().__init__() +- self.description = 'Reload configuration' +- +- +- async def perform_operation(self, cfg: Config, logger: logging.Logger) -> None: +- """Run tests""" +- stunnel = 
ReloadTest(cfg, logger) +- await stunnel.test_stunnel(cfg) +diff --git a/tests/plugins/p20_failover.py b/tests/plugins/p20_failover.py +deleted file mode 100644 +index 95f5a6a..0000000 +--- a/tests/plugins/p20_failover.py ++++ /dev/null +@@ -1,191 +0,0 @@ +-"""stunnel client-server tests""" +- +-import logging +-import os +-import pathlib +-from plugin_collection import Plugin +-from maketest import ( +- Config, +- StunnelAcceptConnect +-) +- +- +-class StunnelTest(StunnelAcceptConnect): +- """Base class for stunnel client-server tests.""" +- +- def __init__(self, cfg: Config, logger: logging.Logger): +- super().__init__(cfg, logger) +- self.params.services = [ +- 'server1', +- 'server2', +- 'server3', +- 'client' +- ] +- self.params.conn_num = 3 +- +- +-class FailoverRoundRobin(StunnelTest): +- """Checking if the failover strategy for multiple "connect" targets. +- The round robin (rr) strategy ensures fair load distribution. +- Exactly one connection with each service is expected, +- so "TLS accepted: previous session reused" message shows an error. +- """ +- +- def __init__(self, cfg: Config, logger: logging.Logger): +- super().__init__(cfg, logger) +- self.params.description = '201. 
Failover round robin (rr) strategy' +- self.events.failure = [ +- "peer did not return a certificate", +- "bad certificate", +- "certificate verify failed", +- "unsupported protocol", +- "TLS accepted: previous session reused", +- "Redirecting connection", +- "Connection reset by peer", +- "Connection lost", +- "Client received unexpected message", +- "Server received unexpected message", +- "Something went wrong", +- "INTERNAL ERROR" +- ] +- +- +- async def prepare_client_cfgfile( +- self, cfg: Config, ports: list, service: str +- ) -> (pathlib.Path, pathlib.Path): +- """Create a configuration file for a stunnel client.""" +- contents = f""" +- pid = {cfg.tempd}/stunnel_{service}.pid +- foreground = yes +- debug = debug +- syslog = no +- +- failover = rr +- +- [{service}] +- client = yes +- accept = 127.0.0.1:0 +- connect = 127.0.0.1:{ports[1]} +- connect = 127.0.0.1:{ports[2]} +- connect = 127.0.0.1:{ports[3]} +- """ +- cfgfile = cfg.tempd / "stunnel_client.conf" +- cfgfile.write_text(contents, encoding="UTF-8") +- return cfgfile, os.devnull +- +- +- async def prepare_server_cfgfile( +- self, cfg: Config, port: int, service: str +- ) -> pathlib.Path: +- """Create a configuration file for a stunnel server.""" +- contents = f""" +- pid = {cfg.tempd}/stunnel_{service}.pid +- foreground = yes +- debug = debug +- syslog = no +- +- [{service}] +- accept = 127.0.0.1:0 +- connect = 127.0.0.1:{port} +- cert = {cfg.certdir}/server_cert.pem +- """ +- cfgfile = cfg.tempd / "stunnel_server.conf" +- cfgfile.write_text(contents, encoding="UTF-8") +- return cfgfile +- +- +-class FailoverPriority(StunnelTest): +- """Checking if the failover strategy for multiple "connect" targets. +- The priority (prio) strategy uses the order specified in the config file. +- All connections to the [server1] service are expected. +- "TLS accepted: previous session reused" is not achievable with +- the FORK threading model. 
+- """ +- +- def __init__(self, cfg: Config, logger: logging.Logger): +- super().__init__(cfg, logger) +- self.params.description = '202. Failover priority (prio) strategy' +- self.events.count = 2 +- self.events.success = [ +- r"\[server1\].*TLS accepted" +- ] +- self.events.failure = [ +- r"\[server2\].*TLS accepted", +- r"\[server3\].*TLS accepted", +- "peer did not return a certificate", +- "bad certificate", +- "certificate verify failed", +- "unsupported protocol", +- #"TLS accepted: previous session reused", +- "Redirecting connection", +- "Connection reset by peer", +- "Connection lost", +- "Client received unexpected message", +- "Server received unexpected message", +- "Something went wrong", +- "INTERNAL ERROR" +- ] +- +- +- async def prepare_client_cfgfile( +- self, cfg: Config, ports: list, service: str +- ) -> (pathlib.Path, pathlib.Path): +- """Create a configuration file for a stunnel client.""" +- contents = f""" +- pid = {cfg.tempd}/stunnel_{service}.pid +- foreground = yes +- debug = debug +- syslog = no +- +- failover = prio +- +- [{service}] +- client = yes +- accept = 127.0.0.1:0 +- connect = 127.0.0.1:{ports[1]} +- connect = 127.0.0.1:{ports[2]} +- connect = 127.0.0.1:{ports[3]} +- """ +- cfgfile = cfg.tempd / "stunnel_client.conf" +- cfgfile.write_text(contents, encoding="UTF-8") +- return cfgfile, os.devnull +- +- +- async def prepare_server_cfgfile( +- self, cfg: Config, port: int, service: str +- ) -> pathlib.Path: +- """Create a configuration file for a stunnel server.""" +- contents = f""" +- pid = {cfg.tempd}/stunnel_{service}.pid +- foreground = yes +- debug = debug +- syslog = no +- +- [{service}] +- accept = 127.0.0.1:0 +- connect = 127.0.0.1:{port} +- cert = {cfg.certdir}/server_cert.pem +- """ +- cfgfile = cfg.tempd / "stunnel_server.conf" +- cfgfile.write_text(contents, encoding="UTF-8") +- return cfgfile +- +- +-class StunnelClientServerTest(Plugin): +- """Stunnel client-server tests +- HTTP client --> stunnel client --> stunnel 
server --> HTTP server +- """ +- # pylint: disable=too-few-public-methods +- +- def __init__(self): +- super().__init__() +- self.description = 'Failover strategy' +- +- +- async def perform_operation(self, cfg: Config, logger: logging.Logger) -> None: +- """Run tests""" +- stunnel = FailoverRoundRobin(cfg, logger) +- await stunnel.test_stunnel(cfg) +- +- stunnel = FailoverPriority(cfg, logger) +- await stunnel.test_stunnel(cfg) +diff --git a/tests/plugins/p21_include.py b/tests/plugins/p21_include.py +deleted file mode 100644 +index 93321d8..0000000 +--- a/tests/plugins/p21_include.py ++++ /dev/null +@@ -1,115 +0,0 @@ +-"""stunnel client-server tests""" +- +-import logging +-import os +-import pathlib +-from plugin_collection import Plugin +-from maketest import ( +- Config, +- StunnelAcceptConnect +-) +- +- +-class StunnelTest(StunnelAcceptConnect): +- """Base class for stunnel client-server tests.""" +- +- def __init__(self, cfg: Config, logger: logging.Logger): +- super().__init__(cfg, logger) +- self.params.services = ['server', 'client'] +- +- +-class IncludedConfiguration(StunnelTest): +- """Checking if stunnel works with the configuration placed in a few files. +- All configuration file parts are located in the directory specified with include. +- """ +- +- def __init__(self, cfg: Config, logger: logging.Logger): +- super().__init__(cfg, logger) +- self.params.description = '211. 
Included configuration files' +- self.events.failure = [ +- "peer did not return a certificate", +- "bad certificate", +- "certificate verify failed", +- "unsupported protocol", +- "TLS accepted: previous session reused", +- "Redirecting connection", +- "Connection reset by peer", +- "Connection lost", +- "Client received unexpected message", +- "Server received unexpected message", +- "Something went wrong", +- "INTERNAL ERROR" +- ] +- +- +- async def prepare_client_cfgfile( +- self, cfg: Config, ports: list, service: str +- ) -> (pathlib.Path, pathlib.Path): +- """Create a configuration file for a stunnel client.""" +- +- with open(f"{cfg.tempd}/conf.d/00-global.conf", "w") as conf: +- conf.write(f""" +- pid = {cfg.tempd}/stunnel_{service}.pid +- foreground = yes +- debug = debug +- syslog = no +- """ +- ) +- with open(f"{cfg.tempd}/conf.d/01-service.conf", "w") as conf: +- conf.write(f""" +- [{service}] +- client = yes +- accept = 127.0.0.1:0 +- connect = 127.0.0.1:{ports[1]} +- """) +- +- contents = f""" +- include = {cfg.tempd}/conf.d +- """ +- cfgfile = cfg.tempd / "stunnel_client.conf" +- cfgfile.write_text(contents, encoding="UTF-8") +- return cfgfile, os.devnull +- +- +- async def prepare_server_cfgfile( +- self, cfg: Config, port: int, service: str +- ) -> pathlib.Path: +- """Create a configuration file for a stunnel server.""" +- os.mkdir(f"{cfg.tempd}/conf.d") +- with open(f"{cfg.tempd}/conf.d/00-global.conf", "w") as conf: +- conf.write(f""" +- pid = {cfg.tempd}/stunnel_{service}.pid +- foreground = yes +- debug = debug +- syslog = no +- """) +- with open(f"{cfg.tempd}/conf.d/01-service.conf", "w") as conf: +- conf.write(f""" +- [{service}] +- accept = 127.0.0.1:0 +- connect = 127.0.0.1:{port} +- cert = {cfg.certdir}/server_cert.pem +- """) +- contents = f""" +- include = {cfg.tempd}/conf.d +- """ +- cfgfile = cfg.tempd / "stunnel_server.conf" +- cfgfile.write_text(contents, encoding="UTF-8") +- return cfgfile +- +- +-class 
StunnelClientServerTest(Plugin): +- """Stunnel client-server tests +- HTTP client --> stunnel client --> stunnel server --> HTTP server +- """ +- # pylint: disable=too-few-public-methods +- +- def __init__(self): +- super().__init__() +- self.description = 'Included configuration' +- +- +- async def perform_operation(self, cfg: Config, logger: logging.Logger) -> None: +- """Run tests""" +- stunnel = IncludedConfiguration(cfg, logger) +- await stunnel.test_stunnel(cfg) +diff --git a/tests/plugins/p23_exec_conn.py b/tests/plugins/p23_exec_conn.py +deleted file mode 100644 +index 5dea668..0000000 +--- a/tests/plugins/p23_exec_conn.py ++++ /dev/null +@@ -1,84 +0,0 @@ +-"""stunnel client tests""" +- +-import logging +-import os +-import pathlib +-from plugin_collection import Plugin +-from maketest import ( +- Config, +- ClientConnectExec +-) +- +- +-class StunnelTest(ClientConnectExec): +- """Base class for stunnel client-server tests.""" +- +- def __init__(self, cfg: Config, logger: logging.Logger, path:pathlib.Path): +- super().__init__(cfg, logger, path) +- self.params.ssl_server = True +- self.params.services = ['client'] +- +- +-class ExecConnect(StunnelTest): +- """Simple execute a local inetd-type program in the client service. +- The execArgs option contains arguments for exec including the program name. +- """ +- +- def __init__(self, cfg: Config, logger: logging.Logger, path:pathlib.Path): +- super().__init__(cfg, logger, path) +- self.params.description = '231. 
Test exec+connect service'
+- self.events.failure = [
+- "peer did not return a certificate",
+- "bad certificate",
+- "certificate verify failed",
+- "unsupported protocol",
+- "TLS accepted: previous session reused",
+- "Redirecting connection",
+- "Connection reset by peer",
+- "Connection lost",
+- "Client received unexpected message",
+- "Server received unexpected message",
+- "Something went wrong",
+- "INTERNAL ERROR"
+- ]
+- self.path = path
+-
+-
+- async def prepare_client_cfgfile(
+- self, cfg: Config, ports: list, service: str
+- ) -> pathlib.Path:
+- """Create a configuration file for a stunnel client."""
+- contents = f"""
+- pid = {cfg.tempd}/stunnel_{service}.pid
+- foreground = yes
+- debug = debug
+- syslog = no
+-
+- [{service}]
+- client = yes
+- exec = {cfg.pythondir}
+- execArgs = python3 {cfg.scriptdir}/reader.py {self.path}
+- connect = 127.0.0.1:{ports[0]}
+- cert = {cfg.certdir}/client_cert.pem
+- """
+- cfgfile = cfg.tempd / "stunnel_client.conf"
+- cfgfile.write_text(contents, encoding="UTF-8")
+- return cfgfile, os.devnull
+-
+-
+-class StunnelClientServerTest(Plugin):
+- """Stunnel client tests
+- HTTP client --> stunnel client --> HTTPS server
+- """
+- # pylint: disable=too-few-public-methods
+-
+- def __init__(self):
+- super().__init__()
+- self.description = 'Execute a local inetd-type program'
+-
+-
+- async def perform_operation(self, cfg: Config, logger: logging.Logger) -> None:
+- """Run tests"""
+- path = os.path.join(cfg.tempd, 'unix.sock')
+- stunnel = ExecConnect(cfg, logger, path)
+- await stunnel.test_stunnel(cfg)
 diff --git a/tests/plugins/p24_delay.py b/tests/plugins/p24_delay.py
-index a66e833..39d9aeb 100644
+deleted file mode 100644
+index a66e833..0000000
 --- a/tests/plugins/p24_delay.py
-+++ b/tests/plugins/p24_delay.py
-@@ -39,6 +39,13 @@ class RetryDelay(StunnelTest):
- self.events.skip = [
- "FORK"
- ]
-+
-+ # Skip this test when force fail is enabled
-+ if os.environ.get('WOLFPROV_FORCE_FAIL') == '1':
-+ self.events.skip = ["Skipping session resumption test in force fail mode"]
-+ self.events.count = 0 # Set count to 0 to force skip
-+ return
-+
- self.events.count = 2
- self.events.success = [
- r"\[server1\].*TLS accepted: previous session reused"
-@@ -59,6 +66,12 @@ class RetryDelay(StunnelTest):
- ]
- self.path = path
-
-+ async def test_stunnel(self, cfg: Config) -> None:
-+ """Override test_stunnel to skip when force fail is enabled"""
-+ if os.environ.get('WOLFPROV_FORCE_FAIL') == '1':
-+ self.logger.info("Skipping session resumption test in force fail mode")
-+ return
-+ await super().test_stunnel(cfg)
-
- async def prepare_client_cfgfile(
- self, cfg: Config, ports: list, service: str
-@@ -121,6 +134,13 @@ class RetryNoDelay(StunnelTest):
- self.events.skip = [
- "FORK"
- ]
-+
-+ # Skip this test when force fail is enabled
-+ if os.environ.get('WOLFPROV_FORCE_FAIL') == '1':
-+ self.events.skip = ["Skipping session resumption test in force fail mode"]
-+ self.events.count = 0 # Set count to 0 to force skip
-+ return
-+
- self.events.count = 2
- self.events.success = [
- "TLS accepted: new session negotiated"
-@@ -141,6 +161,12 @@ class RetryNoDelay(StunnelTest):
- ]
- self.path = path
-
-+ async def test_stunnel(self, cfg: Config) -> None:
-+ """Override test_stunnel to skip when force fail is enabled"""
-+ if os.environ.get('WOLFPROV_FORCE_FAIL') == '1':
-+ self.logger.info("Skipping session resumption test in force fail mode")
-+ return
-+ await super().test_stunnel(cfg)
-
- async def prepare_client_cfgfile(
- self, cfg: Config, ports: list, service: str
++++ /dev/null
+@@ -1,211 +0,0 @@
+-"""stunnel client-server tests"""
+-
+-import logging
+-import os
+-import pathlib
+-from plugin_collection import Plugin
+-from maketest import (
+- Config,
+- ClientConnectExec
+-)
+-
+-
+-class StunnelTest(ClientConnectExec):
+- """Base class for stunnel client-server tests."""
+-
+- def __init__(self, cfg: Config, logger: logging.Logger, path:pathlib.Path):
+- super().__init__(cfg, logger, path)
+- self.params.services = [
+- 'server1',
+- 'server2',
+- 'server3',
+- 'client'
+- ]
+- self.params.conn_num = 3
+-
+-
+-class RetryDelay(StunnelTest):
+- """Checking if the delay option works properly when the session is resumed.
+- This option delays DNS lookup for the connect option.
+- Delayed resolver inflicts failover = prio.
+- We expect exactly 2 "TLS accepted: previous session reused" to be
+- logged by the [server] service.
+- The resumption of the session does not work for the FORK model.
+- """
+-
+- def __init__(self, cfg: Config, logger: logging.Logger, path:pathlib.Path):
+- super().__init__(cfg, logger, path)
+- self.params.description = '241. Resume session with delay option'
+- self.events.skip = [
+- "FORK"
+- ]
+- self.events.count = 2
+- self.events.success = [
+- r"\[server1\].*TLS accepted: previous session reused"
+- ]
+- self.events.failure = [
+- "peer did not return a certificate",
+- "bad certificate",
+- "certificate verify failed",
+- "unsupported protocol",
+- #"TLS accepted: previous session reused",
+- "Redirecting connection",
+- "Connection reset by peer",
+- "Connection lost",
+- "Client received unexpected message",
+- "Server received unexpected message",
+- "Something went wrong",
+- "INTERNAL ERROR"
+- ]
+- self.path = path
+-
+-
+- async def prepare_client_cfgfile(
+- self, cfg: Config, ports: list, service: str
+- ) -> pathlib.Path:
+- """Create a configuration file for a stunnel client."""
+- contents = f"""
+- pid = {cfg.tempd}/stunnel_{service}.pid
+- foreground = yes
+- debug = debug
+- syslog = no
+-
+- delay = yes
+- retry = yes
+-
+- [{service}]
+- client = yes
+- exec = {cfg.pythondir}
+- execArgs = python3 {cfg.scriptdir}/reader.py {self.path}
+- connect = 127.0.0.1:{ports[1]}
+- connect = 127.0.0.1:{ports[2]}
+- connect = 127.0.0.1:{ports[3]}
+- cert = {cfg.certdir}/client_cert.pem
+- """
+- cfgfile = cfg.tempd / "stunnel_client.conf"
+- cfgfile.write_text(contents, encoding="UTF-8")
+- return cfgfile, os.devnull
+-
+-
+- async def prepare_server_cfgfile(
+- self, cfg: Config, port: int, service: str
+- ) -> pathlib.Path:
+- """Create a configuration file for a stunnel server."""
+- contents = f"""
+- pid = {cfg.tempd}/stunnel_{service}.pid
+- foreground = yes
+- debug = debug
+- syslog = no
+-
+- [{service}]
+- accept = 127.0.0.1:0
+- connect = 127.0.0.1:{port}
+- cert = {cfg.certdir}/server_cert.pem
+- """
+- cfgfile = cfg.tempd / "stunnel_server.conf"
+- cfgfile.write_text(contents, encoding="UTF-8")
+- return cfgfile
+-
+-
+-class RetryNoDelay(StunnelTest):
+- """Checking if disable delay option works properly when the session is resumed.
+- This option delays DNS lookup for the connect option.
+- We expect exactly 3 "TLS accepted: new session negotiated" to be
+- logged by all services, because failover = rr.
+- The resumption of the session does not work for the FORK model.
+- """
+-
+- def __init__(self, cfg: Config, logger: logging.Logger, path:pathlib.Path):
+- super().__init__(cfg, logger, path)
+- self.params.description = '242. Resume session with disable delay option'
+- self.events.skip = [
+- "FORK"
+- ]
+- self.events.count = 2
+- self.events.success = [
+- "TLS accepted: new session negotiated"
+- ]
+- self.events.failure = [
+- "peer did not return a certificate",
+- "bad certificate",
+- "certificate verify failed",
+- "unsupported protocol",
+- #"TLS accepted: previous session reused",
+- "Redirecting connection",
+- "Connection reset by peer",
+- "Connection lost",
+- "Client received unexpected message",
+- "Server received unexpected message",
+- "Something went wrong",
+- "INTERNAL ERROR"
+- ]
+- self.path = path
+-
+-
+- async def prepare_client_cfgfile(
+- self, cfg: Config, ports: list, service: str
+- ) -> pathlib.Path:
+- """Create a configuration file for a stunnel client."""
+- contents = f"""
+- pid = {cfg.tempd}/stunnel_{service}.pid
+- foreground = yes
+- debug = debug
+- syslog = no
+-
+- delay = no
+- failover = rr
+- retry = yes
+-
+- [{service}]
+- client = yes
+- exec = {cfg.pythondir}
+- execArgs = python3 {cfg.scriptdir}/reader.py {self.path}
+- connect = 127.0.0.1:{ports[1]}
+- connect = 127.0.0.1:{ports[2]}
+- connect = 127.0.0.1:{ports[3]}
+- cert = {cfg.certdir}/client_cert.pem
+- """
+- cfgfile = cfg.tempd / "stunnel_client.conf"
+- cfgfile.write_text(contents, encoding="UTF-8")
+- return cfgfile, os.devnull
+-
+-
+- async def prepare_server_cfgfile(
+- self, cfg: Config, port: int, service: str
+- ) -> pathlib.Path:
+- """Create a configuration file for a stunnel server."""
+- contents = f"""
+- pid = {cfg.tempd}/stunnel_{service}.pid
+- foreground = yes
+- debug = debug
+- syslog = no
+-
+- [{service}]
+- accept = 127.0.0.1:0
+- connect = 127.0.0.1:{port}
+- cert = {cfg.certdir}/server_cert.pem
+- """
+- cfgfile = cfg.tempd / "stunnel_server.conf"
+- cfgfile.write_text(contents, encoding="UTF-8")
+- return cfgfile
+-
+-
+-class StunnelClientServerTest(Plugin):
+- """Stunnel client-server tests
+- HTTP client --> stunnel client --> stunnel server --> HTTP server
+- """
+- # pylint: disable=too-few-public-methods
+-
+- def __init__(self):
+- super().__init__()
+- self.description = 'Delay option vs resumed session'
+-
+-
+- async def perform_operation(self, cfg: Config, logger: logging.Logger) -> None:
+- """Run tests"""
+- path = os.path.join(cfg.tempd, 'unix.sock')
+- stunnel = RetryDelay(cfg, logger, path)
+- await stunnel.test_stunnel(cfg)
+-
+- stunnel = RetryNoDelay(cfg, logger, path)
+- await stunnel.test_stunnel(cfg)
+diff --git a/tests/plugins/p25_wrong_client.py b/tests/plugins/p25_wrong_client.py
+index 688c9a6..339d7cf 100644
+--- a/tests/plugins/p25_wrong_client.py
++++ b/tests/plugins/p25_wrong_client.py
+@@ -60,6 +60,7 @@ class WrongClientTest(StunnelTest):
+ [{service}]
+ client = yes
+ accept = 127.0.0.1:0
++ sslVersionMax = TLSv1.2
+ ;*** error ***
+ ;connect = 127.0.0.1:{ports[0]}
+ cert = {cfg.certdir}/client_cert.pem
+diff --git a/tests/plugins/p26_wrong_server.py b/tests/plugins/p26_wrong_server.py
+index d79ee33..030b3b0 100644
+--- a/tests/plugins/p26_wrong_server.py
++++ b/tests/plugins/p26_wrong_server.py
+@@ -58,6 +58,7 @@ class WrongServerTest(StunnelTest):
+
+ [{service}]
+ accept = 127.0.0.1:0
++ sslVersionMax = TLSv1.2
+ ;*** error ***
+ ;connect = 127.0.0.1:{port}
+ cert = {cfg.certdir}/server_cert.p12
diff --git a/wolfProvider/tcpdump/README.md b/wolfProvider/tcpdump/README.md
index 99931b1a..19b67ecf 100644
--- a/wolfProvider/tcpdump/README.md
+++ b/wolfProvider/tcpdump/README.md
@@ -1,4 +1,4 @@
-`wolfProvider/tcpdump/tcpdump-FIPS-tcpdump-4.99.3-wolfprov.patch` adds support
+`wolfProvider/tcpdump/tcpdump-tcpdump-4.99.3-wolfprov-fips.patch` adds support
 for testing tcpdump `v4.99.3` with FIPS wolfprovider. To use this patch make sure to configure tcpdump with `--enable-wolfprov-fips`. This will disable problematic tests using DES3-CBC.
diff --git a/wolfProvider/tcpdump/tcpdump-FIPS-tcpdump-4.99.3-wolfprov.patch b/wolfProvider/tcpdump/tcpdump-tcpdump-4.99.3-wolfprov-fips.patch
similarity index 100%
rename from wolfProvider/tcpdump/tcpdump-FIPS-tcpdump-4.99.3-wolfprov.patch
rename to wolfProvider/tcpdump/tcpdump-tcpdump-4.99.3-wolfprov-fips.patch
diff --git a/wolfProvider/xmlsec/xmlsec-FIPS-master-wolfprov.patch b/wolfProvider/xmlsec/xmlsec-master-wolfprov-fips.patch
similarity index 100%
rename from wolfProvider/xmlsec/xmlsec-FIPS-master-wolfprov.patch
rename to wolfProvider/xmlsec/xmlsec-master-wolfprov-fips.patch
diff --git a/wolfProvider/xmlsec/xmlsec-FIPS-xmlsec-1_2_37-wolfprov.patch b/wolfProvider/xmlsec/xmlsec-xmlsec-1_2_37-wolfprov-fips.patch
similarity index 100%
rename from wolfProvider/xmlsec/xmlsec-FIPS-xmlsec-1_2_37-wolfprov.patch
rename to wolfProvider/xmlsec/xmlsec-xmlsec-1_2_37-wolfprov-fips.patch