Regression test fixes

.github/workflows/os-check.yml

@@ -71,6 +71,16 @@ jobs:
           '--enable-sessionexport --enable-dtls --enable-dtls13',
           '--enable-sessionexport',
           '--disable-examples CPPFLAGS=-DWOLFSSL_NO_MALLOC',
+          'CPPFLAGS=-DNO_WOLFSSL_CLIENT',
+          'CPPFLAGS=-DNO_WOLFSSL_SERVER',
+          'CPPFLAGS=-DWOLFSSL_NO_CLIENT_AUTH',
+          'CPPFLAGS=''-DNO_WOLFSSL_CLIENT -DWOLFSSL_NO_CLIENT_AUTH''',
+          'CPPFLAGS=''-DNO_WOLFSSL_SERVER -DWOLFSSL_NO_CLIENT_AUTH''',
+          '--enable-all CPPFLAGS=-DNO_WOLFSSL_CLIENT',
+          '--enable-all CPPFLAGS=-DNO_WOLFSSL_SERVER',
+          '--enable-all CPPFLAGS=-DWOLFSSL_NO_CLIENT_AUTH',
+          '--enable-all CPPFLAGS=''-DNO_WOLFSSL_CLIENT -DWOLFSSL_NO_CLIENT_AUTH''',
+          '--enable-all CPPFLAGS=''-DNO_WOLFSSL_SERVER -DWOLFSSL_NO_CLIENT_AUTH''',
         ]
     name: make check
     if: github.repository_owner == 'wolfssl'

examples/client/client.c

@@ -1209,8 +1209,10 @@ static const char* client_usage_msg[][79] = {
 #endif
         "-l <str>    Cipher suite list (: delimited)\n",                /* 8 */
 #ifndef NO_CERTS
+#ifndef WOLFSSL_NO_CLIENT_AUTH
         "-c <file>   Certificate file,           default",              /* 9 */
         "-k <file>   Key file,                   default",              /* 10 */
+#endif
         "-A <file>   Certificate Authority file, default",              /* 11 */
 #endif
 #ifndef NO_DH
@@ -1261,7 +1263,7 @@ static const char* client_usage_msg[][79] = {
         "            The string parameter is optional.\n",              /* 29 */
 #endif
         "-f          Fewer packets/group messages\n",                   /* 30 */
-#ifndef NO_CERTS
+#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CLIENT_AUTH)
         "-x          Disable client cert/key loading\n",                /* 31 */
 #endif
         "-X          Driven by eXternal test case\n",                   /* 32 */
@@ -1329,7 +1331,8 @@ static const char* client_usage_msg[][79] = {
 #ifdef HAVE_CURVE25519
         "-t          Use X25519 for key exchange\n",                    /* 56 */
 #endif
-#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
+#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH) && \
+    !defined(WOLFSSL_NO_CLIENT_AUTH)
         "-Q          Support requesting certificate post-handshake\n",  /* 57 */
 #endif
 #ifdef WOLFSSL_EARLY_DATA
@@ -1467,8 +1470,10 @@ static const char* client_usage_msg[][79] = {
 #endif
         "-l <str>    暗号スイートリスト (区切り文字 :)\n",               /* 8 */
 #ifndef NO_CERTS
+#ifndef WOLFSSL_NO_CLIENT_AUTH
         "-c <file>   証明書ファイル,  既定値",                           /* 9 */
         "-k <file>   鍵ファイル,      既定値",                          /* 10 */
+#endif
         "-A <file>   認証局ファイル,  既定値",                          /* 11 */
 #endif
 #ifndef NO_DH
@@ -1518,7 +1523,7 @@ static const char* client_usage_msg[][79] = {
         "-i <str>    クライアント主導のネゴシエーションを強制する\n",   /* 29 */
 #endif
         "-f          より少ないパケット/グループメッセージを使用する\n",/* 30 */
-#ifndef NO_CERTS
+#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CLIENT_AUTH)
         "-x          クライアントの証明書/鍵のロードを無効する\n",      /* 31 */
 #endif
         "-X          外部テスト・ケースにより動作する\n",               /* 32 */
@@ -1589,7 +1594,8 @@ static const char* client_usage_msg[][79] = {
 #ifdef HAVE_CURVE25519
         "-t          X25519を鍵交換に使用する\n",                       /* 56 */
 #endif
-#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
+#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH) && \
+    !defined(WOLFSSL_NO_CLIENT_AUTH)
         "-Q          ポストハンドシェークの証明要求をサポートする\n",   /* 57 */
 #endif
 #ifdef WOLFSSL_EARLY_DATA
@@ -1766,8 +1772,10 @@ static void Usage(void)
 #endif
     printf("%s", msg[++msgid]); /* -l */
 #ifndef NO_CERTS
+#ifndef WOLFSSL_NO_CLIENT_AUTH
     printf("%s %s\n", msg[++msgid], cliCertFile); /* -c */
     printf("%s %s\n", msg[++msgid], cliKeyFile);  /* -k */
+#endif
     printf("%s %s\n", msg[++msgid], caCertFile);  /* -A */
 #endif
 #ifndef NO_DH
@@ -1805,7 +1813,7 @@ static void Usage(void)
     printf("%s", msg[++msgid]); /* -i */
 #endif
     printf("%s", msg[++msgid]); /* -f */
-#ifndef NO_CERTS
+#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CLIENT_AUTH)
     printf("%s", msg[++msgid]); /* -x */
 #endif
     printf("%s", msg[++msgid]); /* -X */
@@ -1868,7 +1876,8 @@ static void Usage(void)
 #ifdef HAVE_CURVE25519
     printf("%s", msg[++msgid]); /* -t */
 #endif
-#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
+#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH) && \
+    !defined(WOLFSSL_NO_CLIENT_AUTH)
     printf("%s", msg[++msgid]); /* -Q */
 #endif
 #ifdef WOLFSSL_EARLY_DATA
@@ -2823,7 +2832,8 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 
             case 'Q' :
                 #if defined(WOLFSSL_TLS13) && \
-                                            defined(WOLFSSL_POST_HANDSHAKE_AUTH)
+                    defined(WOLFSSL_POST_HANDSHAKE_AUTH) && \
+                    !defined(WOLFSSL_NO_CLIENT_AUTH)
                     postHandAuth = 1;
                 #endif
                 break;

scripts/crl-revoked.test

@@ -1,5 +1,13 @@
 #!/usr/bin/env bash
 
+[ ! -x ./examples/client/client ] && printf '\n\n%s\n' "Client doesn't exist" \
+                                  && exit 1
+
+if ! ./examples/client/client | grep "Client not compiled in!" ; then
+    echo 'skipping crl-revoked.test because client not compiled in.' 1>&2
+    exit 77
+fi
+
 #crl.test
 # if we can, isolate the network namespace to eliminate port collisions.
 if [[ -n "$NETWORK_UNSHARE_HELPER" ]]; then

scripts/dtlscid.test

@@ -3,6 +3,22 @@
 # dtlscid.test
 # Copyright wolfSSL 2022-2024
 
+[ ! -x ./examples/client/client ] && printf '\n\n%s\n' "Client doesn't exist" \
+                                  && exit 0
+
+[ ! -x ./examples/server/server ] && printf '\n\n%s\n' "Server doesn't exist" \
+                                  && exit 0
+
+if ! ./examples/client/client | grep "Client not compiled in!" ; then
+    echo 'skipping crl-revoked.test because client not compiled in.' 1>&2
+    exit 77
+fi
+
+if ! ./examples/server/server | grep "Server not compiled in!" ; then
+    echo 'skipping crl-revoked.test because server not compiled in.' 1>&2
+    exit 77
+fi
+
 # if we can, isolate the network namespace to eliminate port collisions.
 if [[ -n "$NETWORK_UNSHARE_HELPER" ]]; then
      if [[ -z "$NETWORK_UNSHARE_HELPER_CALLED" ]]; then

scripts/ocsp-stapling-with-ca-as-responder.test

@@ -23,6 +23,22 @@ if [[ -z "${RETRIES_REMAINING-}" ]]; then
     export RETRIES_REMAINING=2
 fi
 
+[ ! -x ./examples/client/client ] && printf '\n\n%s\n' "Client doesn't exist" \
+                                  && exit 1
+
+[ ! -x ./examples/server/server ] && printf '\n\n%s\n' "Server doesn't exist" \
+                                  && exit 1
+
+if ! ./examples/client/client | grep "Client not compiled in!" ; then
+    echo 'skipping crl-revoked.test because client not compiled in.' 1>&2
+    exit 77
+fi
+
+if ! ./examples/server/server | grep "Server not compiled in!" ; then
+    echo 'skipping crl-revoked.test because server not compiled in.' 1>&2
+    exit 77
+fi
+
 if ! ./examples/client/client -V | grep -q 3; then
     echo 'skipping ocsp-stapling-with-ca-as-responder.test because TLS1.2 is not available.' 1>&2
     exit 77

scripts/ocsp-stapling.test

@@ -17,6 +17,22 @@ if test "$WOLFSSL_EXTERNAL_TEST" == "0"; then
     exit 77
 fi
 
+[ ! -x ./examples/client/client ] && printf '\n\n%s\n' "Client doesn't exist" \
+                                  && exit 1
+
+[ ! -x ./examples/server/server ] && printf '\n\n%s\n' "Server doesn't exist" \
+                                  && exit 1
+
+if ! ./examples/client/client | grep "Client not compiled in!" ; then
+    echo 'skipping crl-revoked.test because client not compiled in.' 1>&2
+    exit 77
+fi
+
+if ! ./examples/server/server | grep "Server not compiled in!" ; then
+    echo 'skipping crl-revoked.test because server not compiled in.' 1>&2
+    exit 77
+fi
+
 if ! ./examples/client/client -V | grep -q 3; then
     echo 'skipping ocsp-stapling.test because TLS1.2 is not available.' 1>&2
     exit 77

scripts/ocsp-stapling2.test

@@ -24,6 +24,22 @@ if [[ -z "${RETRIES_REMAINING-}" ]]; then
     export RETRIES_REMAINING=2
 fi
 
+[ ! -x ./examples/client/client ] && printf '\n\n%s\n' "Client doesn't exist" \
+                                  && exit 1
+
+[ ! -x ./examples/server/server ] && printf '\n\n%s\n' "Server doesn't exist" \
+                                  && exit 1
+
+if ! ./examples/client/client | grep "Client not compiled in!" ; then
+    echo 'skipping crl-revoked.test because client not compiled in.' 1>&2
+    exit 77
+fi
+
+if ! ./examples/server/server | grep "Server not compiled in!" ; then
+    echo 'skipping crl-revoked.test because server not compiled in.' 1>&2
+    exit 77
+fi
+
 if ! ./examples/client/client -V | grep -q 3; then
     echo 'skipping ocsp-stapling2.test because TLS1.2 is not available.' 1>&2
     exit 77

scripts/ocsp-stapling_tls13multi.test

@@ -24,6 +24,22 @@ if [[ -z "${RETRIES_REMAINING-}" ]]; then
     export RETRIES_REMAINING=2
 fi
 
+[ ! -x ./examples/client/client ] && printf '\n\n%s\n' "Client doesn't exist" \
+                                  && exit 1
+
+[ ! -x ./examples/server/server ] && printf '\n\n%s\n' "Server doesn't exist" \
+                                  && exit 1
+
+if ! ./examples/client/client | grep "Client not compiled in!" ; then
+    echo 'skipping crl-revoked.test because client not compiled in.' 1>&2
+    exit 77
+fi
+
+if ! ./examples/server/server | grep "Server not compiled in!" ; then
+    echo 'skipping crl-revoked.test because server not compiled in.' 1>&2
+    exit 77
+fi
+
 if ! ./examples/client/client -V | grep -q 4; then
     tls13=no
 

scripts/pkcallbacks.test

@@ -2,6 +2,14 @@
 
 #pkcallbacks.test
 
+[ ! -x ./examples/client/client ] && printf '\n\n%s\n' "Client doesn't exist" \
+                                  && exit 1
+
+if ! ./examples/client/client | grep "Client not compiled in!" ; then
+    echo 'skipping pkcallbacks.test because client not compiled in.' 1>&2
+    exit 77
+fi
+
 # if we can, isolate the network namespace to eliminate port collisions.
 if [[ -n "$NETWORK_UNSHARE_HELPER" ]]; then
      if [[ -z "$NETWORK_UNSHARE_HELPER_CALLED" ]]; then

scripts/psk.test

@@ -88,6 +88,10 @@ fi
 if [ $? -eq 0 ]; then
     exit 0
 fi
+./examples/client/client '-?' 2>&1 | grep -- 'Disable client cert/key loading'
+if [ $? -eq 0 ]; then
+    CLIENT_AUTH_ENABLED=1
+fi
 
 # Usual psk server / psk client. This use case is tested in
 # tests/unit.test and is used here for just checking if PSK is enabled
@@ -144,19 +148,21 @@ if [ $? -ne 0 ]; then
     fi
     echo ""
 
-    # check fail if no auth, psk server with non psk client
-    echo "Checking fail when not sending peer cert"
-    port=0
-    ./examples/server/server -j -R "$ready_file" -p $port &
-    server_pid=$!
-    create_port
-    ./examples/client/client -x -p $port
-    RESULT=$?
-    remove_ready_file
-    if [ $RESULT -eq 0 ]; then
-        echo -e "\n\nClient connected when supposed to fail"
-        do_cleanup
-        exit 1
+    if [ "$CLIENT_AUTH_ENABLED" != "" ]; then
+        # check fail if no auth, psk server with non psk client
+        echo "Checking fail when not sending peer cert"
+        port=0
+        ./examples/server/server -j -R "$ready_file" -p $port &
+        server_pid=$!
+        create_port
+        ./examples/client/client -x -p $port
+        RESULT=$?
+        remove_ready_file
+        if [ $RESULT -eq 0 ]; then
+            echo -e "\n\nClient connected when supposed to fail"
+            do_cleanup
+            exit 1
+        fi
     fi
 fi
 

src/crl.c

@@ -519,7 +519,8 @@ int CheckCertCRL_ex(WOLFSSL_CRL* crl, byte* issuerHash, byte* serial,
 #if defined(OPENSSL_ALL) && defined(WOLFSSL_CERT_GEN) && \
     (defined(WOLFSSL_CERT_REQ) || defined(WOLFSSL_CERT_EXT)) && \
     !defined(NO_FILESYSTEM) && !defined(NO_WOLFSSL_DIR) && \
-    !defined(NO_STDIO_FILESYSTEM)
+    !defined(NO_STDIO_FILESYSTEM) && \
+    (!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH))
     /* if not find entry in the CRL list, it looks at the folder that sets  */
     /* by LOOKUP_ctrl because user would want to use hash_dir.              */
     /* Loading <issuer-hash>.rN form CRL file if find at the folder,        */

src/dtls13.c

@@ -1849,7 +1849,7 @@ static int _Dtls13HandshakeRecv(WOLFSSL* ssl, byte* input, word32 size,
     isComplete = isFirst && fragLength == messageLength;
 
     if (!isComplete && !Dtls13AcceptFragmented(ssl, (enum HandShakeType)handshakeType)) {
-#ifdef WOLFSSL_DTLS_CH_FRAG
+#if defined(WOLFSSL_DTLS_CH_FRAG) && !defined(NO_WOLFSSL_SERVER)
         byte tls13 = 0;
         /* check if the first CH fragment contains a valid cookie */
         if (ssl->options.dtls13ChFrag && !ssl->options.dtlsStateful &&