Rewrite tests into python scripts for easier portability

- Add shared test helper and cross-platform test runner
- Extract binary lookup and run_wolfssl() into tests/wolfclu_test.py so all test files share the same logic for finding the wolfssl binary across Linux (./wolfssl) and Windows (x64/Debug/wolfssl.exe etc.).
- Add tests/run_tests.py which discovers and runs all *-test.py files, intended for Windows where `make check` is not available.
- Enable PKCS7 and CRL in MSVC
- Fix three Windows bugs uncovered by the test:
  - Add StartTCP() (WSAStartup) in client and server setup so Winsock is initialized before gethostbyname/connect calls
  - Pass SNI hostname (-S flag) to the underlying client_test so modern TLS servers accept the connection
  - Implement checkStdin() for Windows using WaitForSingleObject so s_client exits promptly when stdin is a closed pipe
- Update user_settings.h with defines required for TLS 1.3 and full wolfCLU functionality: WOLFSSL_TLS13, HAVE_HKDF, WC_RSA_PSS, HAVE_SUPPORTED_CURVES, HAVE_FFDHE_2048, HAVE_SNI.
- Fix run_wolfssl() to use stdin=DEVNULL when no input is provided, preventing subprocesses from blocking on inherited stdin (e.g. over SSH/network sessions on Windows).
- Also add WOLFCLU_SKIP_SLOW_TESTS env var to skip slow tests on Windows, and optimize large file creation to a single write.
- Add HAVE_PKCS12 to Windows user_settings.h. Skip binary DER stdin test on Windows where pipe binary mode is unreliable.
- Combine ocsp-test.sh and ocsp-interop-test.sh into a single Python test module that tests all client/responder combinations (wolfssl and openssl).
- Add StartTCP() in OCSP setup for Winsock initialization on Windows.
- Add HAVE_OCSP and HAVE_OCSP_RESPONDER to Windows user_settings.h.
- Rewrite base64 test from bash to Python unittest
- Rewrite bench test from bash to Python unittest
- Rewrite client test to Python and fix Windows networking bugs
- Replace tests/client/client-test.sh with a cross-platform Python unittest.
- Rewrite dgst test from bash to Python unittest
- Rewrite dh test from bash to Python unittest
- Rewrite dsa test from bash to Python unittest
- Rewrite enc test from bash to Python unittest
- Rewrite genkey sign/verify test from bash to Python unittest
- Rewrite hash test from bash to Python unittest
- Rewrite pkcs7/pkcs8/pkcs12 tests from bash to Python unittest
- Rewrite pkey/rsa/ecparam tests from bash to Python unittest
- Rewrite rand test from bash to Python unittest
- Rewrite server test from bash to Python unittest
- Rewrite encdec test from bash to Python unittest
- Rewrite x509/CRL tests from bash to Python unittest
- Rewrite OCSP tests from bash to Python unittest
- Rewrite OCSP SCGI test from bash to Python, drop nginx dependency
- Replace nginx + bash with a pure-Python HTTP-to-SCGI proxy using stdlib http.server and raw sockets for the SCGI netstring protocol. No external dependencies needed.
- Remove nginx from CI apt-get installs since it is no longer required for testing.

Author: julek-wolfssl

.github/workflows/fsanitize-check.yml

@@ -67,8 +67,8 @@ jobs:
           # Don't prompt for anything
           export DEBIAN_FRONTEND=noninteractive
           sudo apt-get update
-          # openssl and nginx used for ocsp testing
-          sudo apt-get install -y openssl nginx
+          # openssl used for ocsp interop testing
+          sudo apt-get install -y openssl
 
       - name: Checking cache for wolfssl
         uses: actions/cache@v4

.github/workflows/ubuntu-check.yml

@@ -17,8 +17,8 @@ jobs:
         # Don't prompt for anything
         export DEBIAN_FRONTEND=noninteractive
         sudo apt-get update
-        # openssl and nginx used for ocsp testing
-        sudo apt-get install -y openssl nginx
+        # openssl used for ocsp interop testing
+        sudo apt-get install -y openssl
     - uses: actions/checkout@master
       with:
         repository: wolfssl/wolfssl

.gitignore

@@ -43,5 +43,5 @@ AGENTS.md
 Win32/
 x64/
 .vs/
-
+__pycache__/
 CLAUDE.md

Makefile.am

@@ -19,6 +19,9 @@ dist_doc_DATA=
 check_SCRIPTS=
 dist_noinst_SCRIPTS=
 
+TEST_EXTENSIONS = .sh .py
+PY_LOG_COMPILER = $(PYTHON)
+
 #includes additional rules from aminclude.am
 @INC_AMINCLUDE@
 DISTCLEANFILES+= aminclude.am
@@ -61,6 +64,7 @@ include tests/hash/include.am
 include tests/bench/include.am
 include tests/client/include.am
 include tests/server/include.am
+include tests/testEncDec/include.am
 include ide/include.am
 #####include data/include.am
 

configure.ac

@@ -55,6 +55,8 @@ AC_PROG_INSTALL
 AC_PROG_LN_S
 AC_PROG_MAKE_SET
 AM_PROG_CC_C_O
+AM_PATH_PYTHON([3.0],, [:])
+AC_SUBST([PYTHON])
 
 # Checks for headers/libraries
 AC_CHECK_HEADERS([sys/time.h string.h termios.h unistd.h])

ide/winvs/user_settings.h

@@ -25,7 +25,18 @@
 #define WOLFSSL_SHA512
 
 #define HAVE_TLS_EXTENSIONS
+#define HAVE_SNI
+#define WOLFSSL_TLS13
+#define HAVE_HKDF
+#define WC_RSA_PSS
+#define HAVE_SUPPORTED_CURVES
+#define HAVE_FFDHE_2048
 #define OPENSSL_ALL
 #define OPENSSL_EXTRA
+#define HAVE_PKCS7
+#define HAVE_PKCS12
+#define HAVE_CRL
+#define HAVE_OCSP
+#define HAVE_OCSP_RESPONDER
 
 #endif /* _WIN_USER_SETTINGS_H_ */

src/client/client.c

@@ -2091,10 +2091,21 @@ static void Usage(void)
 #endif
 }
 
-#ifndef USE_WINDOWS_API
 int checkStdin(void)
 {
     int stop = 0;
+#ifdef USE_WINDOWS_API
+    HANDLE stdinHandle = GetStdHandle(STD_INPUT_HANDLE);
+    if (stdinHandle == INVALID_HANDLE_VALUE || stdinHandle == NULL) {
+        stop = 1; /* no stdin available */
+    }
+    else {
+        DWORD waitResult = WaitForSingleObject(stdinHandle, 0);
+        if (waitResult == WAIT_OBJECT_0) {
+            stop = 1; /* stdin has data or is closed */
+        }
+    }
+#else
     fd_set readfds;
     struct timeval timeout;
     timeout.tv_sec = 0;
@@ -2107,11 +2118,9 @@ int checkStdin(void)
     if (select(1, &readfds, NULL, NULL, &timeout)){
         stop = 1;
     }
-
+#endif
     return stop;
-
 }
-#endif
 
 static int AlwaysAllow(int preverify, WOLFSSL_X509_STORE_CTX* store)
 {
@@ -4224,7 +4233,6 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
         goto exit;
     }
 
-#ifndef USE_WINDOWS_API
     if (!disable_stdin_chk) {
         int stop = checkStdin();
 
@@ -4234,7 +4242,6 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
             goto exit;
         }
     }
-#endif
 
     err = ClientRead(ssl, reply, sizeof(reply)-1, 1, "", exitWithRet);
     if (exitWithRet && (err != 0)) {

src/client/clu_client_setup.c

@@ -65,11 +65,12 @@ static const char caFileFlag[]     = "-A";
 static const char noClientCert[]   = "-x";
 static const char startTLSFlag[]   = "-M";
 static const char disableCRLFlag[] = "-C";
+static const char sniFlag[]       = "-S";
 
 int myoptind = 0;
 char* myoptarg = NULL;
 
-#define MAX_CLIENT_ARGS 15
+#define MAX_CLIENT_ARGS 17
 
 /* return WOLFCLU_SUCCESS on success */
 static int _addClientArg(const char** args, const char* in, int* idx)
@@ -193,6 +194,14 @@ int wolfCLU_Client(int argc, char** argv)
                                 &clientArgc);
                     }
                 }
+
+                /* Set SNI hostname so modern servers accept the connection */
+                if (ret == WOLFCLU_SUCCESS && host != NULL) {
+                    ret = _addClientArg(clientArgv, sniFlag, &clientArgc);
+                    if (ret == WOLFCLU_SUCCESS) {
+                        ret = _addClientArg(clientArgv, host, &clientArgc);
+                    }
+                }
                 break;
 
             case WOLFCLU_STARTTLS:
@@ -264,6 +273,7 @@ int wolfCLU_Client(int argc, char** argv)
     }
 
     if (ret == WOLFCLU_SUCCESS) {
+        StartTCP();
         args.argv = (char**)clientArgv;
         args.argc = clientArgc;
 

src/ocsp/clu_ocsp.c

@@ -1307,6 +1307,8 @@ int wolfCLU_OcspSetup(int argc, char** argv)
         return ret;
     }
 
+    StartTCP();
+
     if (!(isClientMode ^ isResponderMode)) {
         wolfCLU_LogError("Can't detect side (client vs responder) or multiple sides specified");
         wolfCLU_OcspHelp();

src/server/clu_server_setup.c

@@ -190,6 +190,7 @@ int wolfCLU_Server(int argc, char** argv)
     }
 
     if (ret == WOLFCLU_SUCCESS) {
+        StartTCP();
         args.argv = (char**)serverArgv;
         args.argc = serverArgc;
         server_test(&args);