Fix test failures

Author: julek-wolfssl

.gitattributes

@@ -0,0 +1,8 @@
+# Ensure cert/key files always use LF line endings so that hashes
+# remain consistent across platforms.
+*.pem eol=lf
+*.cnf eol=lf
+*.cfg eol=lf
+
+# DER files are binary and must never be transformed.
+*.der binary

.github/workflows/fsanitize-check.yml

@@ -82,7 +82,6 @@ jobs:
         env:
           LD_LIBRARY_PATH: ${{ github.workspace }}/build-dir/lib
         with:
-          repository: wolfssl/wolfclu
           path: wolfclu
           configure: CC="gcc -fsanitize=address" LDFLAGS="-L${{ github.workspace }}/build-dir/lib" CPPFLAGS="-I${{ github.workspace }}/build-dir/include"
           check: true

src/crypto/clu_decrypt.c

@@ -156,7 +156,7 @@ int wolfCLU_decrypt(int alg, char* mode, byte* pwdKey, byte* key, int size,
             }
             else {
                 ret = (int)XFREAD(input, 1, MAX_LEN, inFile);
-                if ((ret > 0 && ret != MAX_LEN) || feof(inFile)) {
+                if (ret > 0) {
                     tempMax = ret;
                     ret = 0; /* success */
                 }

src/x509/clu_x509_sign.c

@@ -1274,21 +1274,11 @@ int wolfCLU_CertSign(WOLFCLU_CERT_SIGN* csign, WOLFSSL_X509* x509)
             case WC_HASH_TYPE_BLAKE2B:
             case WC_HASH_TYPE_BLAKE2S:
 
-    #if LIBWOLFSSL_VERSION_HEX > 0x05001000
-        #ifndef WOLFSSL_NOSHA512_224
             case WC_HASH_TYPE_SHA512_224:
-        #endif
-        #ifndef WOLFSSL_NOSHA512_256
             case WC_HASH_TYPE_SHA512_256:
-        #endif
-        #ifdef WOLFSSL_SHAKE128
             case WC_HASH_TYPE_SHAKE128:
-        #endif
-        #ifdef WOLFSSL_SHAKE256
             case WC_HASH_TYPE_SHAKE256:
-        #endif
             case WC_HASH_TYPE_SM3:
-    #endif
             default:
                 wolfCLU_LogError("Unsupported hash type");
                 ret = WOLFCLU_FATAL_ERROR;

tests/client/client-test.py

@@ -30,12 +30,18 @@ def test_s_client_x509(self):
                         if os.path.exists(tmp_crt) else None)
 
         # Run s_client with empty stdin so it connects then disconnects
-        s_client = subprocess.run(
-            [WOLFSSL_BIN, "s_client", "-connect", "www.google.com:443"],
-            input=b"\n",
-            capture_output=True,
-            timeout=30,
-        )
+        try:
+            s_client = subprocess.run(
+                [WOLFSSL_BIN, "s_client", "-connect", "www.google.com:443"],
+                input=b"\n",
+                capture_output=True,
+                timeout=30,
+            )
+        except (subprocess.TimeoutExpired, OSError):
+            self.skipTest("s_client connection timed out or failed")
+
+        if s_client.returncode != 0 or not s_client.stdout:
+            self.skipTest("s_client could not connect (no network?)")
 
         # Pipe s_client stdout into x509 to extract the cert as PEM
         x509_extract = subprocess.run(

tests/x509/x509-process-test.py

@@ -14,7 +14,7 @@
 HAS_OPENSSL = shutil.which("openssl") is not None
 
 
-def _check_cert_signature(cert_path, digest):
+def _check_cert_signature(cert_path, digest, inform="PEM"):
     """Use OpenSSL to verify the signature on a self-signed certificate.
 
     Returns True on success, raises AssertionError on failure.
@@ -24,10 +24,13 @@ def _check_cert_signature(cert_path, digest):
         raise unittest.SkipTest("openssl not available")
 
     stripped = cert_path + ".stripped.pem"
+    sig_bin = cert_path + ".sig.bin"
+    body_bin = cert_path + ".body.bin"
+    pub_pem = cert_path + ".pub.pem"
     try:
         subprocess.run(
-            ["openssl", "x509", "-in", cert_path, "-out", stripped,
-             "-outform", "PEM"],
+            ["openssl", "x509", "-inform", inform, "-in", cert_path,
+             "-out", stripped, "-outform", "PEM"],
             check=True, capture_output=True, timeout=60)
 
         # Extract signature hex
@@ -48,17 +51,14 @@ def _check_cert_signature(cert_path, digest):
                 lines.append(stripped_line)
         sig_hex = "".join(lines)
 
-        sig_bin = cert_path + ".sig.bin"
         with open(sig_bin, "wb") as f:
             f.write(bytes.fromhex(sig_hex))
 
-        body_bin = cert_path + ".body.bin"
         subprocess.run(
             ["openssl", "asn1parse", "-in", stripped, "-strparse", "4",
              "-out", body_bin, "-noout"],
             check=True, capture_output=True, timeout=60)
 
-        pub_pem = cert_path + ".pub.pem"
         with open(pub_pem, "w") as pub_f:
             subprocess.run(
                 ["openssl", "x509", "-in", stripped, "-noout", "-pubkey"],
@@ -150,7 +150,7 @@ def test_1c_pem_to_der_signature(self):
                         "-in", os.path.join(CERTS_DIR, "ca-cert.pem"),
                         "-out", out)
         self.assertEqual(r.returncode, 0, r.stderr)
-        _check_cert_signature(out, "sha256")
+        _check_cert_signature(out, "sha256", inform="DER")
 
     def test_1d_der_to_pem_stdout(self):
         """DER -> PEM to stdout succeeds."""
@@ -175,7 +175,7 @@ def test_1e_der_to_der_signature(self):
                         "-in", os.path.join(CERTS_DIR, "ca-cert.der"),
                         "-out", out)
         self.assertEqual(r.returncode, 0, r.stderr)
-        _check_cert_signature(out, "sha256")
+        _check_cert_signature(out, "sha256", inform="DER")
 
     def test_1f_der_text_noout(self):
         """DER text/noout succeeds."""