
* Added support for expected fail test cases with example client/server and suites unit test.
* Added test for certificate with bad alt name containing a null character mid byte stream.
* Fix for issue with suites unit test where last arg in file doesn't contain data for a param, causing it to skip test.
* Fix for last test in tests/test.conf not being run for `TLSv1.2 RSA 3072-bit DH 3072-bit`.
* Moved the `tls-cert-fail.test` tests into the new expected failure suite test (`./tests/test-fails.conf`). Now it explicitly checks RSA and ECC for the no signer and no sig tests.

David Garske 6 years ago
parent
commit
89a4c98670

+ 20 - 0
certs/test/gen-badaltnamenull.sh

@@ -0,0 +1,20 @@
+#!/bin/sh
+
+echo "step 1 create key"
+openssl genrsa -out server-badaltnamenull.key 2048
+
+echo "step 2 create csr"
+echo "US\nMontana\nBozeman\nEngineering\nlocalhost\n.\n" | openssl req -new -sha256 -out server-badaltnamenull.csr -key server-badaltnamenull.key -config server-badaltnamenull.conf
+
+echo "step 3 check csr"
+openssl req -text -noout -in server-badaltnamenull.csr
+
+echo "step 4 create cert"
+openssl x509 -req -days 1000 -in server-badaltnamenull.csr -signkey server-badaltnamenull.key \
+             -out server-badaltnamenull.pem -extensions req_ext -extfile server-badaltnamenull.conf
+
+echo "step 5 make human reviewable"
+openssl x509 -inform pem -in server-badaltnamenull.pem -text > tmp.pem
+mv tmp.pem server-badaltnamenull.pem
+
+openssl x509 -inform pem -in server-badaltnamenull.pem -outform der -out server-badaltnamenull.der
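Review bot: The signing step `openssl x509 -req -days 1000 ...` in step 4 names no digest, so the certificate it produces is SHA-1 signed (the text dump committed in the companion .pem shows `sha1WithRSAEncryption`) and it expires in January 2021; for a certificate that is meant to fail verification only because of the NUL byte in its subjectAltName, either property can become the reason it is rejected and quietly mask a regression in the alt-name check. Adding `-sha256` and a much longer `-days` value to that command keeps the negative test failing for the intended reason. The CSR step also relies on `echo` expanding `\n`, which `/bin/sh` does not guarantee; `printf 'US\nMontana\nBozeman\nEngineering\nlocalhost\n.\n' | openssl req ...` is the portable form.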

+ 9 - 0
certs/test/include.am

@@ -17,3 +17,12 @@ EXTRA_DIST += \
          certs/test/server-cert-rsa-badsig.pem \
 		 certs/test/server-cert-ecc-badsig.der \
          certs/test/server-cert-ecc-badsig.pem
+
+
+EXTRA_DIST += \
+		 certs/test/gen-badaltnamenull.sh \
+         certs/test/server-badaltnamenull.conf \
+         certs/test/server-badaltnamenull.csr \
+         certs/test/server-badaltnamenull.key \
+         certs/test/server-badaltnamenull.pem \
+         certs/test/server-badaltnamenull.der

+ 17 - 0
certs/test/server-badaltnamenull.conf

@@ -0,0 +1,17 @@
+[ req ]
+default_bits       = 2048
+distinguished_name = req_distinguished_name
+req_extensions     = req_ext
+
+[ req_distinguished_name ]
+countryName                 = US
+stateOrProvinceName         = Montana
+localityName                = Bozeman
+organizationName            = Engineering
+commonName                  = www.wolfssl.com
+commonName_max              = 64
+commonName_default          = localhost
+
+[ req_ext ]
+#subjectAltName   = localhost\0h
+subjectAltName    = DER:30:0d:82:0b:6c:6f:63:61:6c:68:6f:73:74:00:68

+ 17 - 0
certs/test/server-badaltnamenull.csr

@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----

BIN
certs/test/server-badaltnamenull.der


+ 27 - 0
certs/test/server-badaltnamenull.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----

+ 72 - 0
certs/test/server-badaltnamenull.pem

@@ -0,0 +1,72 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 15650401360786530715 (0xd931651e45f8a19b)
+    Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=US, ST=Montana, L=Bozeman, O=Engineering, CN=localhost
+        Validity
+            Not Before: May  3 16:02:13 2018 GMT
+            Not After : Jan 27 16:02:13 2021 GMT
+        Subject: C=US, ST=Montana, L=Bozeman, O=Engineering, CN=localhost
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:c1:58:e2:3d:b0:7e:c3:52:8b:b3:94:08:0e:2c:
+                    98:15:40:4c:ab:1f:0f:67:c3:17:88:12:a9:b1:7d:
+                    4d:a4:65:97:03:f7:90:d6:07:31:31:a5:3d:26:6e:
+                    5b:84:47:cc:a8:8f:a1:37:ff:f2:d8:e7:c6:83:74:
+                    04:82:fb:1f:e0:c5:32:d6:b8:23:48:80:5f:46:58:
+                    83:9f:3f:64:da:5a:3f:40:1d:3e:a6:21:e9:25:3f:
+                    6c:fd:a8:99:b7:31:de:d4:4f:9d:b1:38:b9:33:d3:
+                    06:e5:67:34:a3:72:a1:18:eb:57:35:30:61:fa:c4:
+                    0b:5f:61:f5:99:82:69:31:7a:3e:1a:00:a7:7b:8d:
+                    1d:4b:01:70:92:23:1f:84:3b:65:af:bc:0f:1c:e5:
+                    f8:92:a3:34:20:7e:d5:d2:33:fe:78:df:b5:55:4b:
+                    0b:b8:74:7e:29:b5:13:68:bb:fe:a7:5e:2e:f8:71:
+                    8c:ce:e3:ef:d4:9e:1e:e3:ff:88:20:c2:eb:de:80:
+                    d7:44:a9:e4:60:0a:d0:12:a5:06:a5:44:df:b1:ae:
+                    a8:21:41:a8:fb:f3:ab:7f:90:19:2a:1f:a2:f4:28:
+                    ac:f3:72:c7:cb:8b:8a:04:e9:d2:57:9f:87:bb:48:
+                    55:a0:cd:b4:5a:ca:9e:72:6b:b8:da:97:9c:7f:e9:
+                    4f:b9
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Alternative Name: 
+                DNS:localhost
+    Signature Algorithm: sha1WithRSAEncryption
+         ae:76:ea:5e:33:2c:cf:16:c8:ec:a2:27:2a:19:b9:22:bb:69:
+         b4:96:35:f7:25:1c:dd:8b:fb:c4:a8:32:17:89:73:a0:bc:23:
+         a3:49:d4:fd:1a:d7:fc:bf:87:5d:42:12:4b:20:20:74:47:7e:
+         7c:97:89:c1:f1:a3:82:3a:58:0b:b4:05:0b:c1:02:da:a6:dc:
+         ca:6c:60:58:fe:83:1c:fc:ed:c7:bc:96:df:b2:af:31:f5:28:
+         45:2d:d5:c0:5a:42:95:c3:64:c5:46:5c:cd:8e:d6:7b:fd:9c:
+         f5:75:44:cc:d6:7e:d8:96:55:5c:00:9f:1f:ac:f1:0a:07:29:
+         0c:ba:ab:7d:1f:ac:8d:40:55:86:e4:35:1d:11:89:10:8b:c2:
+         67:ff:99:32:66:f3:5d:4a:c3:37:5e:37:32:40:7b:29:50:25:
+         e5:c1:d8:df:7b:64:3e:f7:c4:1e:01:88:fe:24:f6:0c:ea:f7:
+         72:df:1e:72:0c:9b:64:c3:6b:ec:ce:99:b1:75:61:f2:ac:d5:
+         6f:7b:7d:06:7b:6c:a8:6c:ac:46:37:dd:af:e6:cb:8f:70:d7:
+         57:e2:38:d9:e6:9a:93:da:53:06:e6:39:c5:79:6a:0a:ac:49:
+         da:04:a1:60:2f:5f:96:ef:ca:6c:34:62:6c:ac:25:1c:d5:e0:
+         f7:8e:7c:df
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----

+ 13 - 16
examples/client/client.c

@@ -796,7 +796,7 @@ static void Usage(void)
 #ifdef HAVE_WNR
     printf("-q <file>   Whitewood config file,      default %s\n", wnrConfig);
 #endif
-    printf("-H <arg>    Internal tests [defCipherList, badCert]\n");
+    printf("-H <arg>    Internal tests [defCipherList, skipExit]\n");
 #ifdef WOLFSSL_TLS13
     printf("-J          Use HelloRetryRequest to choose group for KE\n");
     printf("-K          Key Exchange for PSK not using (EC)DHE\n");
@@ -887,7 +887,6 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
     unsigned char alpn_opt = 0;
     char*  cipherList = NULL;
     int    useDefCipherList = 0;
-    int    useBadCert = 0;
     const char* verifyCert = caCertFile;
     const char* ourCert    = cliCertFile;
     const char* ourKey     = cliKeyFile;
@@ -937,6 +936,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
     char*  ocspUrl  = NULL;
 #endif
     int useX25519 = 0;
+    int skipExit = 0;
 
 #ifdef HAVE_WNR
     const char* wnrConfigFile = wnrConfig;
@@ -988,7 +988,6 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
     (void)useX25519;
     (void)helloRetry;
     (void)onlyKeyShare;
-    (void)useBadCert;
 
     StackTrap();
 
@@ -1113,9 +1112,9 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
                     printf("Using default cipher list for testing\n");
                     useDefCipherList = 1;
                 }
-                else if (XSTRNCMP(myoptarg, "badCert", 7) == 0) {
-                    printf("Using bad certificate for testing\n");
-                    useBadCert = 1;
+                else if (XSTRNCMP(myoptarg, "skipExit", 7) == 0) {
+                    printf("Skip exit() for testing\n");
+                    skipExit = 1;
                 }
                 else {
                     Usage();
@@ -1712,15 +1711,6 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
     #endif
     }
 
-    /* for testing only - use client cert as CA to force no signer error */
-    if (useBadCert) {
-    #if !defined(NO_RSA)
-        verifyCert = "./certs/client-cert.pem";
-    #elif defined(HAVE_ECC)
-        verifyCert = "./certs/client-ecc-cert.pem";
-    #endif
-    }
-
     if (!usePsk && !useAnon && !useVerifyCb) {
     #if !defined(NO_FILESYSTEM)
         if (wolfSSL_CTX_load_verify_locations(ctx, verifyCert,0)
@@ -2114,9 +2104,16 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
             wolfSSL_ERR_error_string(err, buffer));
         wolfSSL_free(ssl);
         wolfSSL_CTX_free(ctx);
-        err_sys("wolfSSL_connect failed");
+        CloseSocket(sockfd);
+
+        if (!skipExit)
+            err_sys("wolfSSL_connect failed");
         /* see note at top of README */
         /* if you're getting an error here  */
+
+        err = wolfSSL_get_error(ssl, 0);
+        ((func_args*)args)->return_code = err;
+        return 0;
     }
 
     showPeer(ssl);
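Review bot: `err = wolfSSL_get_error(ssl, 0);` on the new line after the `/* if you're getting an error here */` comment reads `ssl` after `wolfSSL_free(ssl)` has already run a few lines earlier in the same block, a use-after-free; `err` already holds the value printed just above, so the fix is to delete that line and keep `((func_args*)args)->return_code = err;`. In the option-parsing hunk, `XSTRNCMP(myoptarg, "skipExit", 7)` compares only a seven-character prefix of an eight-character option name; `XSTRNCMP(myoptarg, "skipExit", 8)` is what was meant, and the same length appears in the matching hunk of examples/server/server.c. client_test begins and continues outside these hunks.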

+ 16 - 16
examples/server/server.c

@@ -413,7 +413,7 @@ static void Usage(void)
 #endif
     printf("-g          Return basic HTML web page\n");
     printf("-C <num>    The number of connections to accept, default: 1\n");
-    printf("-H <arg>    Internal tests [defCipherList, badCert]\n");
+    printf("-H <arg>    Internal tests [defCipherList, skipExit]\n");
 #ifdef WOLFSSL_TLS13
     printf("-U          Update keys and IVs before sending\n");
     printf("-K          Key Exchange for PSK not using (EC)DHE\n");
@@ -500,7 +500,6 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
     unsigned char alpn_opt = 0;
     char*  cipherList = NULL;
     int    useDefCipherList = 0;
-    int    useBadCert = 0;
     const char* verifyCert = cliCertFile;
     const char* ourCert    = svrCertFile;
     const char* ourKey     = svrKeyFile;
@@ -564,6 +563,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
     int noTicket = 0;
 #endif
     int useX25519 = 0;
+    int skipExit = 0;
 
     ((func_args*)args)->return_code = -1; /* error state */
 
@@ -589,7 +589,6 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
     (void)readySignal;
     (void)updateKeysIVs;
     (void)mcastID;
-    (void)useBadCert;
     (void)useX25519;
 
 #ifdef CYASSL_TIRTOS
@@ -694,9 +693,9 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
                     printf("Using default cipher list for testing\n");
                     useDefCipherList = 1;
                 }
-                else if (XSTRNCMP(myoptarg, "badCert", 7) == 0) {
-                    printf("Using bad certificate for testing\n");
-                    useBadCert = 1;
+                else if (XSTRNCMP(myoptarg, "skipExit", 7) == 0) {
+                    printf("Skip exit() for testing\n");
+                    skipExit = 1;
                 }
                 else {
                     Usage();
@@ -1051,15 +1050,6 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
 #endif
 
 #if !defined(NO_CERTS)
-    /* for testing only - use bad cert as server cert for sig confirm err */
-    if (useBadCert) {
-    #if !defined(NO_RSA)
-        ourCert = "./certs/test/server-cert-rsa-badsig.pem";
-    #elif defined(HAVE_ECC)
-        ourCert = "./certs/test/server-cert-ecc-badsig.pem";
-    #endif
-    }
-
     if ((!usePsk || usePskPlus) && !useAnon) {
     #if !defined(NO_FILESYSTEM)
         if (SSL_CTX_use_certificate_chain_file(ctx, ourCert)
@@ -1490,7 +1480,17 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
             err = SSL_get_error(ssl, 0);
             printf("SSL_accept error %d, %s\n", err,
                                                 ERR_error_string(err, buffer));
-            err_sys_ex(runWithErrors, "SSL_accept failed");
+
+            if (!skipExit)
+                err_sys_ex(runWithErrors, "SSL_accept failed");
+
+            /* cleanup and return */
+            SSL_free(ssl);
+            SSL_CTX_free(ctx);
+            CloseSocket(clientfd);
+            CloseSocket(sockfd);
+            ((func_args*)args)->return_code = err;
+            return 0;
         }
 
         showPeer(ssl);
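Review bot: The new cleanup-and-return after a failed `SSL_accept` runs unconditionally, including when `skipExit` is not set and `err_sys_ex(runWithErrors, ...)` returns because `runWithErrors` is on; judging by its indentation this block appears to sit inside the connection loop that `-C <num>` drives, so one failed accept would now end server_test where it previously kept going. If that is intended, a short comment above `SSL_free(ssl);` saying so would help, e.g. `/* harness path: release everything and hand the error code back instead of exiting */`; if not, the `return 0;` should be reached only when `skipExit` is set. server_test continues outside the hunk.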

+ 0 - 5
scripts/include.am

@@ -12,11 +12,6 @@ if BUILD_EXAMPLE_SERVERS
 
 dist_noinst_SCRIPTS+= scripts/resume.test
 
-# only run this test if we have the ability to support cert validation
-if BUILD_PKI
-dist_noinst_SCRIPTS+= scripts/tls-cert-fail.test
-endif
-
 EXTRA_DIST+= scripts/benchmark.test
 
 if BUILD_CRL

+ 0 - 173
scripts/tls-cert-fail.test

@@ -1,173 +0,0 @@
-#!/bin/sh
-
-#tls-cert-fail.test
-
-asn_no_signer_e="-188"
-asn_sig_confirm_e="-155"
-exit_code=1
-counter=0
-
-# need a unique resume port since may run the same time as testsuite
-# use server port zero hack to get one
-tls_port=0
-
-#no_pid tells us process was never started if -1
-no_pid=-1
-
-#server_pid captured on startup, stores the id of the server process
-server_pid=$no_pid
-
-# let's use absolute path to a local dir (make distcheck may be in sub dir)
-# also let's add some randomness by adding pid in case multiple 'make check's
-# per source tree
-ready_file=`pwd`/wolfssl_tls_ready$$
-
-remove_ready_file() {
-    if test -e $ready_file; then
-        echo -e "removing existing ready file"
-        rm $ready_file
-    fi
-}
-
-# trap this function so if user aborts with ^C or other kill signal we still
-# get an exit that will in turn clean up the file system
-abort_trap() {
-    echo "script aborted"
-
-    if  [ $server_pid != $no_pid ]
-    then
-        echo "killing server"
-        kill -9 $server_pid
-    fi
-
-    exit_code=2 #different exit code in case of user interrupt
-
-    echo "got abort signal, exiting with $exit_code"
-    exit $exit_code
-}
-trap abort_trap INT TERM
-
-
-# trap this function so that if we exit on an error the file system will still
-# be restored and the other tests may still pass. Never call this function
-# instead use "exit <some value>" and this function will run automatically
-restore_file_system() {
-    remove_ready_file
-}
-trap restore_file_system EXIT
-
-run_tls_no_signer_test() {
-    echo -e "\nStarting example server for tls no signer fail test...\n"
-
-    remove_ready_file
-
-    # starts the server on tls_port, -R generates ready file to be used as a
-    # mutex lock. We capture the processid into the variable server_pid
-    ./examples/server/server -R $ready_file -p $tls_port &
-    server_pid=$!
-
-    while [ ! -s $ready_file -a "$counter" -lt 20 ]; do
-        echo -e "waiting for ready file..."
-        sleep 0.1
-        counter=$((counter+ 1))
-    done
-
-    if test -e $ready_file; then
-        echo -e "found ready file, starting client..."
-    else
-        echo -e "NO ready file ending test..."
-        exit 1
-    fi
-
-    # get created port 0 ephemeral port
-    tls_port=`cat $ready_file`
-
-    # starts client on tls_port and captures the output from client
-    capture_out=$(./examples/client/client -p $tls_port -H badCert 2>&1)
-    client_result=$?
-
-    wait $server_pid
-    server_result=$?
-
-    case  "$capture_out" in
-    *$asn_no_signer_e*)
-        # only exit with zero on detection of the expected error code
-        echo ""
-        echo "$capture_out"
-        echo ""
-        echo "No signer error as expected! Test pass"
-        echo ""
-        exit_code=0
-        ;;
-    *)
-        echo ""
-        echo "Client did not return asn_no_signer_e as expected: $capture_out"
-        echo ""
-        exit_code=1
-    esac
-}
-
-run_tls_sig_confirm_test() {
-    echo -e "\nStarting example server for tls sig confirm fail test...\n"
-
-    remove_ready_file
-
-    # starts the server on tls_port, -R generates ready file to be used as a
-    # mutex lock. We capture the processid into the variable server_pid
-    ./examples/server/server -R $ready_file -p $tls_port -H badCert &
-    server_pid=$!
-
-    while [ ! -s $ready_file -a "$counter" -lt 20 ]; do
-        echo -e "waiting for ready file..."
-        sleep 0.1
-        counter=$((counter+ 1))
-    done
-
-    if test -e $ready_file; then
-        echo -e "found ready file, starting client..."
-    else
-        echo -e "NO ready file ending test..."
-        exit 1
-    fi
-
-    # get created port 0 ephemeral port
-    tls_port=`cat $ready_file`
-
-    # starts client on tls_port and captures the output from client
-    capture_out=$(./examples/client/client -p $tls_port 2>&1)
-    client_result=$?
-
-    wait $server_pid
-    server_result=$?
-
-    case  "$capture_out" in
-    *$asn_sig_confirm_e*)
-        # only exit with zero on detection of the expected error code
-        echo ""
-        echo "$capture_out"
-        echo ""
-        echo "Sig confirm error as expected! Test pass"
-        echo ""
-        exit_code=0
-        ;;
-    *)
-        echo ""
-        echo "Client did not return asn_sig_confirm_e as expected: $capture_out"
-        echo ""
-        exit_code=1
-    esac
-}
-
-
-######### begin program #########
-
-# run the test
-run_tls_no_signer_test
-
-tls_port=0
-run_tls_sig_confirm_test
-
-echo "exiting with $exit_code"
-exit $exit_code
-########## end program ##########
-

+ 2 - 1
tests/include.am

@@ -28,5 +28,6 @@ EXTRA_DIST += tests/test.conf \
               tests/test-sctp.conf \
               tests/test-sig.conf \
               tests/test-ed25519.conf \
-              tests/test-enckeys.conf
+              tests/test-enckeys.conf \
+              tests/test-fails.conf
 DISTCLEANFILES+= tests/.libs/unit.test

+ 63 - 18
tests/suites.c

@@ -56,6 +56,7 @@ static char flagSep[] = " ";
     static char svrPort[] = "0";
 #endif
 static char forceDefCipherListFlag[] = "-HdefCipherList";
+static char skipExitFlag[] = "-HskipExit";
 
 #ifdef WOLFSSL_ASYNC_CRYPT
     static int devId = INVALID_DEVID;
@@ -161,7 +162,7 @@ static int execute_test_case(int svr_argc, char** svr_argv,
                               int cli_argc, char** cli_argv,
                               int addNoVerify, int addNonBlocking,
                               int addDisableEMS, int forceSrvDefCipherList,
-                              int forceCliDefCipherList)
+                              int forceCliDefCipherList, int testShouldFail)
 {
 #ifdef WOLFSSL_TIRTOS
     func_args cliArgs = {0};
@@ -264,6 +265,9 @@ static int execute_test_case(int svr_argc, char** svr_argv,
 #ifdef TEST_PK_PRIVKEY
     svr_argv[svrArgs.argc++] = (char*)"-P";
 #endif
+    if (testShouldFail) {
+        svr_argv[svrArgs.argc++] = skipExitFlag;
+    }
 
     /* update server flags list */
     commandLine[0] = '\0';
@@ -327,6 +331,9 @@ static int execute_test_case(int svr_argc, char** svr_argv,
 #ifdef TEST_PK_PRIVKEY
     cli_argv[cliArgs.argc++] = (char*)"-P";
 #endif
+    if (testShouldFail) {
+        cli_argv[cliArgs.argc++] = skipExitFlag;
+    }
 
     commandLine[0] = '\0';
     added = 0;
@@ -345,13 +352,15 @@ static int execute_test_case(int svr_argc, char** svr_argv,
     client_test(&cliArgs);
 
     /* verify results */
-    if (cliArgs.return_code != 0) {
+    if ((cliArgs.return_code != 0 && testShouldFail == 0) ||
+        (cliArgs.return_code == 0 && testShouldFail != 0)) {
         printf("client_test failed\n");
         exit(EXIT_FAILURE);
     }
 
     join_thread(serverThread);
-    if (svrArgs.return_code != 0) {
+    if ((svrArgs.return_code != 0 && testShouldFail == 0) ||
+        (svrArgs.return_code == 0 && testShouldFail != 0)) {
         printf("server_test failed\n");
         exit(EXIT_FAILURE);
     }
@@ -361,6 +370,11 @@ static int execute_test_case(int svr_argc, char** svr_argv,
 #endif
     FreeTcpReady(&ready);
 
+    /* only run the first test for failure cases */
+    if (testShouldFail) {
+        return NOT_BUILT_IN;
+    }
+
     return 0;
 }
 
@@ -379,18 +393,23 @@ static void test_harness(void* vargs)
     char* cursor;
     char* comment;
     const char* fname = "tests/test.conf";
+    int   testShouldFail = 0;
 
     if (args->argc == 1) {
         printf("notice: using default file %s\n", fname);
     }
-    else if(args->argc != 2) {
-        printf("usage: harness [FILE]\n");
+    else if(args->argc > 3) {
+        printf("usage: harness [FILE] [ARG]\n");
         args->return_code = 1;
         return;
     }
-    else {
+
+    if (args->argc >= 2) {
         fname = args->argv[1];
     }
+    if (args->argc == 3) {
+        testShouldFail = 1;
+    }
 
     file = fopen(fname, "rb");
     if (file == NULL) {
@@ -463,6 +482,8 @@ static void test_harness(void* vargs)
                     cliArgs[cliArgsSz++] = XSTRSEP(&cursor, " \n");
                 else
                     svrArgs[svrArgsSz++] = XSTRSEP(&cursor, " \n");
+                if (*cursor == 0)  /* eof */
+                    do_it = 1;
                 break;
             default:
                 /* Anything from cursor until end of line that isn't the above
@@ -474,6 +495,7 @@ static void test_harness(void* vargs)
                     svrArgs[svrArgsSz++] = XSTRSEP(&cursor, "\n");
                 if (*cursor == 0)  /* eof */
                     do_it = 1;
+                break;
         }
 
         if (svrArgsSz == MAX_ARGS || cliArgsSz == MAX_ARGS) {
@@ -483,31 +505,41 @@ static void test_harness(void* vargs)
 
         if (do_it) {
             ret = execute_test_case(svrArgsSz, svrArgs,
-                                    cliArgsSz, cliArgs, 0, 0, 0, 0, 0);
+                                    cliArgsSz, cliArgs, 0, 0, 0, 0, 0,
+                                    testShouldFail);
             /* don't repeat if not supported in build */
             if (ret == 0) {
                 /* test with default cipher list on server side */
                 execute_test_case(svrArgsSz, svrArgs,
-                                  cliArgsSz, cliArgs, 0, 0, 0, 1, 0);
+                                  cliArgsSz, cliArgs, 0, 0, 0, 1, 0,
+                                  testShouldFail);
                 /* test with default cipher list on client side */
                 execute_test_case(svrArgsSz, svrArgs,
-                                  cliArgsSz, cliArgs, 0, 0, 0, 0, 1);
+                                  cliArgsSz, cliArgs, 0, 0, 0, 0, 1,
+                                  testShouldFail);
 
                 execute_test_case(svrArgsSz, svrArgs,
-                                  cliArgsSz, cliArgs, 0, 1, 0, 0, 0);
+                                  cliArgsSz, cliArgs, 0, 1, 0, 0, 0,
+                                  testShouldFail);
                 execute_test_case(svrArgsSz, svrArgs,
-                                  cliArgsSz, cliArgs, 1, 0, 0, 0, 0);
+                                  cliArgsSz, cliArgs, 1, 0, 0, 0, 0,
+                                  testShouldFail);
                 execute_test_case(svrArgsSz, svrArgs,
-                                  cliArgsSz, cliArgs, 1, 1, 0, 0, 0);
+                                  cliArgsSz, cliArgs, 1, 1, 0, 0, 0,
+                                  testShouldFail);
 #ifdef HAVE_EXTENDED_MASTER
                 execute_test_case(svrArgsSz, svrArgs,
-                                  cliArgsSz, cliArgs, 0, 0, 1, 0, 0);
+                                  cliArgsSz, cliArgs, 0, 0, 1, 0, 0,
+                                  testShouldFail);
                 execute_test_case(svrArgsSz, svrArgs,
-                                  cliArgsSz, cliArgs, 0, 1, 1, 0, 0);
+                                  cliArgsSz, cliArgs, 0, 1, 1, 0, 0,
+                                  testShouldFail);
                 execute_test_case(svrArgsSz, svrArgs,
-                                  cliArgsSz, cliArgs, 1, 0, 1, 0, 0);
+                                  cliArgsSz, cliArgs, 1, 0, 1, 0, 0,
+                                  testShouldFail);
                 execute_test_case(svrArgsSz, svrArgs,
-                                  cliArgsSz, cliArgs, 1, 1, 1, 0, 0);
+                                  cliArgsSz, cliArgs, 1, 1, 1, 0, 0,
+                                  testShouldFail);
 #endif
             }
             svrArgsSz = 1;
@@ -526,14 +558,15 @@ int SuiteTest(void)
 {
 #if !defined(NO_WOLFSSL_SERVER) && !defined(NO_WOLFSSL_CLIENT)
     func_args args;
-    char argv0[2][80];
-    char* myArgv[2];
+    char argv0[3][80];
+    char* myArgv[3];
 
     printf(" Begin Cipher Suite Tests\n");
 
     /* setup */
     myArgv[0] = argv0[0];
     myArgv[1] = argv0[1];
+    myArgv[2] = argv0[2];
     args.argv = myArgv;
     strcpy(argv0[0], "SuiteTest");
 
@@ -681,6 +714,18 @@ int SuiteTest(void)
     }
 #endif
 
+    /* failure tests */
+    args.argc = 3;
+    strcpy(argv0[1], "tests/test-fails.conf");
+    strcpy(argv0[2], "-f");
+    printf("starting tests that expect failure\n");
+    test_harness(&args);
+    if (args.return_code != 0) {
+        printf("error from script %d\n", args.return_code);
+        args.return_code = EXIT_FAILURE;
+        goto exit;
+    }
+
 exit:
     printf(" End Cipher Suite Tests\n");
 
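Review bot: The result checks in the `/* verify results */` hunk treat any non-zero `cliArgs.return_code` or `svrArgs.return_code` as the expected failure, so an entry in tests/test-fails.conf also passes when the client fails for an unrelated reason (a missing certificate file, a suite not built in, an expired test certificate) and a regression in the check under test goes unnoticed. Carrying the expected wolfSSL error code with each failing case and comparing `cliArgs.return_code` against it would pin the failure to the intended cause. In the test_harness argument hunk, `if (args->argc == 3) testShouldFail = 1;` switches on failure mode for any third argument; `if (args->argc == 3 && strcmp(args->argv[2], "-f") == 0)` matches the `-f` that SuiteTest now passes. The added `if (*cursor == 0)` in the XSTRSEP branch follows the existing pattern of the default case, but if XSTRSEP resolves to strsep, a final token with no trailing delimiter leaves `cursor` NULL and this dereferences it; `if (cursor == NULL || *cursor == 0)` covers both.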

+ 0 - 1
tests/test-dtls.conf

@@ -959,4 +959,3 @@
 -a
 -v 2
 -l ADH-AES128-SHA
-

+ 0 - 1
tests/test-ed25519.conf

@@ -53,4 +53,3 @@
 #-k ./certs/ed25519/client-ed25519-key.pem
 #-A ./certs/ed25519/root-ed25519.pem
 #-C
-

+ 50 - 0
tests/test-fails.conf

@@ -0,0 +1,50 @@
+# server bad certificate alt name
+-v 3
+-l ECDHE-RSA-AES128-GCM-SHA256
+-k ./certs/test/server-badaltnamenull.key
+-c ./certs/test/server-badaltnamenull.pem
+-d
+
+# client bad certificate alt name
+-v 3
+-l ECDHE-RSA-AES128-GCM-SHA256
+-h localhost
+-A ./certs/test/server-badaltnamenull.pem
+-m
+-x
+
+# server RSA no signer error
+-v 3
+-l ECDHE-RSA-AES128-GCM-SHA256
+
+# client RSA no signer error
+-v 3
+-l ECDHE-RSA-AES128-GCM-SHA256
+-A ./certs/client-cert.pem
+
+# server ECC no signer error
+-v 3
+-l ECDHE-ECDSA-AES128-GCM-SHA256
+
+# client ECC no signer error
+-v 3
+-l ECDHE-ECDSA-AES128-GCM-SHA256
+-A ./certs/client-ecc-cert.pem
+
+# server RSA bad sig error
+-v 3
+-l ECDHE-RSA-AES128-GCM-SHA256
+-c ./certs/test/server-cert-rsa-badsig.pem
+
+# client RSA bad sig error
+-v 3
+-l ECDHE-RSA-AES128-GCM-SHA256
+
+# server ECC bad sig error
+-v 3
+-l ECDHE-ECDSA-AES128-GCM-SHA256
+-c ./certs/test/server-cert-ecc-badsig.pem
+
+# client ECC bad sig error
+-v 3
+-l ECDHE-ECDSA-AES128-GCM-SHA256

+ 0 - 1
tests/test-psk-no-id.conf

@@ -300,4 +300,3 @@
 -l TLS13-AES128-GCM-SHA256
 -r
 -s
-

+ 0 - 1
tests/test-qsh.conf

@@ -2152,4 +2152,3 @@
 # client TLSv1.2 NTRU_AES128
 -v 3
 -l QSH:NTRU-AES128-SHA
-

+ 0 - 1
tests/test-sctp.conf

@@ -1108,4 +1108,3 @@
 -a
 -v 2
 -l ADH-AES128-SHA
-

+ 0 - 1
tests/test-sig.conf

@@ -217,4 +217,3 @@
 -v 3
 -l ECDHE-ECDSA-AES128-CCM-8
 -A ./certs/ca-cert.pem
-

+ 0 - 1
tests/test-tls13-ecc.conf

@@ -78,4 +78,3 @@
 -l TLS13-AES128-GCM-SHA256
 -A ./certs/ca-ecc-cert.pem
 -y
-

+ 0 - 1
tests/test-tls13.conf

@@ -71,4 +71,3 @@
 -v 4
 -l TLS13-AES128-GCM-SHA256
 -r
-

+ 1 - 1
tests/test.conf

@@ -2240,9 +2240,9 @@
 -v 3
 -D certs/dh3072.pem
 -A certs/client-cert-3072.pem
+
 # client TLSv1.2 RSA 3072-bit DH 3072-bit
 -v 3
 -D certs/dh3072.pem
 -c certs/client-cert-3072.pem
 -k certs/client-key-3072.pem
-

+ 4 - 4
wolfssl/test.h

@@ -1478,7 +1478,7 @@ static INLINE void CRL_CallBack(const char* url)
 static INLINE void SetDH(WOLFSSL* ssl)
 {
     /* dh1024 p */
-    static unsigned char p[] =
+    static const unsigned char p[] =
     {
         0xE6, 0x96, 0x9D, 0x3D, 0x49, 0x5B, 0xE3, 0x2C, 0x7C, 0xF1, 0x80, 0xC3,
         0xBD, 0xD4, 0x79, 0x8E, 0x91, 0xB7, 0x81, 0x82, 0x51, 0xBB, 0x05, 0x5E,
@@ -1494,7 +1494,7 @@ static INLINE void SetDH(WOLFSSL* ssl)
     };
 
     /* dh1024 g */
-    static unsigned char g[] =
+    static const unsigned char g[] =
     {
       0x02,
     };
@@ -1505,7 +1505,7 @@ static INLINE void SetDH(WOLFSSL* ssl)
 static INLINE void SetDHCtx(WOLFSSL_CTX* ctx)
 {
     /* dh1024 p */
-    static unsigned char p[] =
+    static const unsigned char p[] =
     {
         0xE6, 0x96, 0x9D, 0x3D, 0x49, 0x5B, 0xE3, 0x2C, 0x7C, 0xF1, 0x80, 0xC3,
         0xBD, 0xD4, 0x79, 0x8E, 0x91, 0xB7, 0x81, 0x82, 0x51, 0xBB, 0x05, 0x5E,
@@ -1521,7 +1521,7 @@ static INLINE void SetDHCtx(WOLFSSL_CTX* ctx)
     };
 
     /* dh1024 g */
-    static unsigned char g[] =
+    static const unsigned char g[] =
     {
       0x02,
     };