#!/usr/bin/env bash # openssl.test # Environment variables used: # OPENSSL (openssl app to use) # OPENSSL_ENGINE_ID (engine id if any i.e. "wolfengine") CERT_DIR="$PWD/$(dirname "$0")/../certs" if ! test -n "$WOLFSSL_OPENSSL_TEST"; then echo "WOLFSSL_OPENSSL_TEST NOT set, won't run" exit 77 fi # if we can, isolate the network namespace to eliminate port collisions. if [[ -n "$NETWORK_UNSHARE_HELPER" ]]; then if [[ -z "$NETWORK_UNSHARE_HELPER_CALLED" ]]; then export NETWORK_UNSHARE_HELPER_CALLED=yes exec "$NETWORK_UNSHARE_HELPER" "$0" "$@" || exit $? fi elif [ "${AM_BWRAPPED-}" != "yes" ]; then bwrap_path="$(command -v bwrap)" if [ -n "$bwrap_path" ]; then export AM_BWRAPPED=yes exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@" fi unset AM_BWRAPPED fi echo "WOLFSSL_OPENSSL_TEST set, running test..." # need a unique port since may run the same time as testsuite generate_port() { #-------------------------------------------------------------------------# # Generate a random port number #-------------------------------------------------------------------------# if [[ "$OSTYPE" == "linux"* ]]; then port=$(($(od -An -N2 /dev/urandom) % (65535-49512) + 49512)) elif [[ "$OSTYPE" == "darwin"* ]]; then port=$(($(od -An -N2 /dev/random) % (65535-49512) + 49512)) else echo "Unknown OS TYPE" exit 1 fi } no_pid=-1 servers="" openssl_pid=$no_pid ecdh_openssl_pid=$no_pid ecdsa_openssl_pid=$no_pid ed25519_openssl_pid=$no_pid ed448_openssl_pid=$no_pid tls13_psk_openssl_pid=$no_pid wolfssl_pid=$no_pid ecdh_wolfssl_pid=$no_pid ecdsa_wolfssl_pid=$no_pid ed25519_wolfssl_pid=$no_pid ed448_wolfssl_pid=$no_pid tls13_psk_wolfssl_pid=$no_pid anon_wolfssl_pid=$no_pid wolf_cases_tested=0 wolf_cases_total=0 counter=0 wolfssl_no_resume="" testing_summary="OpenSSL Interop Testing Summary:\nVersion\tTested\t#Found\t#wolf\t#Found\t#OpenSSL\n" versionName="Invalid" if [ "$OPENSSL" = "" ]; then OPENSSL=openssl fi WOLFSSL_SERVER=./examples/server/server WOLFSSL_CLIENT=./examples/client/client version_name() { case $version in "0") versionName="SSLv3" ;; "1") versionName="TLSv1" ;; "2") versionName="TLSv1.1" ;; "3") versionName="TLSv1.2" ;; "4") versionName="TLSv1.3" ;; "d") versionName="Down" ;; "") versionName="Def" ;; "5") versionName="ALL" ;; esac } do_cleanup() { echo "in cleanup" IFS=$OIFS #restore separator for s in $servers do f2=${s%:*} sname=${f2%:*} pid=${f2##*:} port=${s##*:} echo "killing server: $sname ($port)" kill -9 $pid done } do_trap() { echo "got trap" do_cleanup exit 1 } trap do_trap INT TERM check_process_running() { if [ "$ps_grep" = "" ] then ps -p $server_pid > /dev/null PS_EXIT=$? else ps | grep "^ *$server_pid " > /dev/null PS_EXIT=$? fi } # # Start an OpenSSL server # start_openssl_server() { if [ "$wolfssl_client_avail" = "" ] then return fi generate_port server_port=$port found_free_port=0 counter=0 # If OPENSSL_ENGINE_ID has been set then check that the desired engine can # be loaded successfully and error out if not. Otherwise the OpenSSL app # will fall back to default engine. if [ ! -z "${OPENSSL_ENGINE_ID}" ]; then OUTPUT=`$OPENSSL engine -tt $OPENSSL_ENGINE_ID` if [ $? != 0 ]; then printf "not able to load engine\n" printf "$OPENSSL engine -tt $OPENSSL_ENGINE_ID\n" do_cleanup exit 1 else echo $OUTPUT | grep "available" if [ $? != 0 ]; then printf "engine not available\n" do_cleanup exit 1 fi fi OPENSSL_ENGINE_ID="-engine ${OPENSSL_ENGINE_ID}" fi while [ "$counter" -lt 20 ]; do echo -e "\n# Trying to start $openssl_suite OpenSSL server on port $server_port..." echo "#" if [ "$cert_file" != "" ] then echo "# " $OPENSSL s_server -accept $server_port $OPENSSL_ENGINE_ID -cert \"$cert_file\" -key \"$key_file\" -quiet -CAfile \"$ca_file\" -www -dhparam \"${CERT_DIR}/dh2048.pem\" -verify 10 -verify_return_error -psk $psk_hex -cipher "ALL:eNULL" $openssl_nodhe $OPENSSL s_server -accept $server_port $OPENSSL_ENGINE_ID -cert "$cert_file" -key "$key_file" -quiet -CAfile "$ca_file" -www -dhparam "${CERT_DIR}/dh2048.pem" -verify 10 -verify_return_error -psk $psk_hex -cipher "ALL:eNULL" $openssl_nodhe & else echo "# " $OPENSSL s_server -accept $server_port $OPENSSL_ENGINE_ID -quiet -nocert -www -dhparam \"${CERT_DIR}/dh2048.pem\" -verify 10 -verify_return_error -psk $psk_hex -cipher "ALL:eNULL" $openssl_nodhe $OPENSSL s_server -accept $server_port $OPENSSL_ENGINE_ID -quiet -nocert -www -dhparam "${CERT_DIR}/dh2048.pem" -verify 10 -verify_return_error -psk $psk_hex -cipher "ALL:eNULL" $openssl_nodhe & fi server_pid=$! # wait to see if s_server successfully starts before continuing sleep 0.1 check_process_running if [ "$PS_EXIT" = "0" ] then echo "s_server started successfully on port $server_port" found_free_port=1 break else #port already started, try a different port counter=$((counter+ 1)) generate_port server_port=$port fi done if [ $found_free_port = 0 ] then echo -e "Couldn't find free port for server" do_cleanup exit 1 fi servers="$servers OpenSSL_$openssl_suite:$server_pid:$server_port" } # # Start a wolfSSL server # start_wolfssl_server() { if [ "$wolfssl_server_avail" = "" ] then echo "# wolfSSL server not available" return fi wolfssl_cert="" wolfssl_key="" wolfssl_caCert="" if [ "$cert_file" != "" ] then wolfssl_cert="-c$cert_file" fi if [ "$key_file" != "" ] then wolfssl_key="-k$key_file" fi if [ "$ca_file" != "" ] then wolfssl_caCert="-A$ca_file" fi generate_port server_port=$port found_free_port=0 counter=0 while [ "$counter" -lt 20 ]; do echo -e "\n# Trying to start $wolfssl_suite wolfSSL server on port $server_port..." echo "#" echo "# $WOLFSSL_SERVER -p $server_port -g -v d -x -i $psk $crl -l ALL \"$wolfssl_cert\" \"$wolfssl_key\" \"$wolfssl_caCert\"" $WOLFSSL_SERVER -p $server_port -g -v d -x -i $psk $crl -l ALL "$wolfssl_cert" "$wolfssl_key" "$wolfssl_caCert" & server_pid=$! # wait to see if server successfully starts before continuing sleep 0.1 check_process_running if [ "$PS_EXIT" = "0" ] then echo "wolfSSL server started successfully on port $server_port" found_free_port=1 break else #port already started, try a different port counter=$((counter+ 1)) generate_port server_port=$port fi done if [ $found_free_port = 0 ] then echo -e "Couldn't find free port for server" do_cleanup exit 1 fi servers="$servers wolfSSL_$wolfssl_suite:$server_pid:$server_port" } check_server_ready() { # server should be ready, let's make sure server_ready=0 while [ "$counter" -lt 20 ]; do echo -e "waiting for $server_name ready..." echo -e Checking | nc -w 5 localhost $server_port nc_result=$? if [ $nc_result = 0 ] then echo -e "$server_name ready!" server_ready=1 break fi sleep 0.1 counter=$((counter+ 1)) done if [ $server_ready = 0 ] then echo -e "Couldn't verify $server_name is running, timeout error" do_cleanup exit 1 fi } # # Run wolfSSL client against OpenSSL server # do_wolfssl_client() { if [ "$wolfssl_client_avail" = "" ] then return fi wolfssl_cert="" wolfssl_key="" wolfssl_caCert="" if [ "$cert" != "" ] then wolfssl_cert="-c$cert" fi if [ "$key" != "" ] then wolfssl_key="-k$key" fi if [ "$caCert" != "" ] then wolfssl_caCert="-A$caCert" fi wolfssl_resume="-r" if [ "$openssl_psk_resume_bug" != "" -a "$tls13_suite" != "" ] then wolfssl_resume= fi if [ "$wolfssl_no_resume" = "yes" ] then wolfssl_resume= fi if [ "$version" != "5" -a "$version" != "" ] then echo "#" echo "# $WOLFSSL_CLIENT -p $port -g $wolfssl_resume -l $wolfSuite -v $version $psk $adh \"$wolfssl_cert\" \"$wolfssl_key\" \"$wolfssl_caCert\" $crl" $WOLFSSL_CLIENT -p $port -g $wolfssl_resume -l $wolfSuite -v $version $psk $adh "$wolfssl_cert" "$wolfssl_key" "$wolfssl_caCert" $crl else echo "#" echo "# $WOLFSSL_CLIENT -p $port -g $wolfssl_resume -l $wolfSuite $psk $adh \"$wolfssl_cert\" \"$wolfssl_key\" \"$wolfssl_caCert\" $crl" # do all versions $WOLFSSL_CLIENT -p $port -g $wolfssl_resume -l $wolfSuite $psk $adh "$wolfssl_cert" "$wolfssl_key" "$wolfssl_caCert" $crl fi client_result=$? if [ $client_result != 0 ] then echo -e "client failed! Suite = $wolfSuite version = $version" do_cleanup exit 1 fi wolf_temp_cases_tested=$((wolf_temp_cases_tested+1)) } # # Run OpenSSL client against wolfSSL server # do_openssl_client() { if [ "$wolfssl_server_avail" = "" ] then return fi if [ "$version" = "" -o "$version" = "5" ] then if [ "$tls13_cipher" = "" -a "$openssl_tls13" != "" ] then openssl_version="-no_tls1_3" fi fi if [ "$cert" != "" ] then openssl_cert1="-cert" openssl_cert2="$cert" fi if [ "$key" != "" ] then openssl_key1="-key" openssl_key2="$key" fi if [ "$caCert" != "" ] then openssl_caCert1="-CAfile" openssl_caCert2="$caCert" fi if [ "$tls13_cipher" = "" ] then echo "#" echo "# $OPENSSL s_client -connect localhost:$port -reconnect -legacy_renegotiation -cipher $cmpSuite $openssl_version $openssl_psk $openssl_cert1 \"$openssl_cert2\" $openssl_key1 \"$openssl_key2\" $openssl_caCert1 \"$openssl_caCert2\"" echo "Hello" | eval "$OPENSSL s_client -connect localhost:$port -reconnect -legacy_renegotiation -cipher $cmpSuite $openssl_version $openssl_psk $openssl_cert1 \"$openssl_cert2\" $openssl_key1 \"$openssl_key2\" $openssl_caCert1 \"$openssl_caCert2\"" else echo "#" echo "# $OPENSSL s_client -connect localhost:$port -reconnect -legacy_renegotiation -ciphersuites=$cmpSuite $openssl_version $openssl_psk $openssl_cert1 \"$openssl_cert2\" $openssl_key1 \"$openssl_key2\" $openssl_caCert1 \"$openssl_caCert2\"" echo "Hello" | eval "$OPENSSL s_client -connect localhost:$port -reconnect -legacy_renegotiation -ciphersuites=$cmpSuite $openssl_version $openssl_psk $openssl_cert1 \"$openssl_cert2\" $openssl_key1 \"$openssl_key2\" $openssl_caCert1 \"$openssl_caCert2\"" fi client_result=$? if [ $client_result != 0 ] then echo -e "client failed! Suite = $wolfSuite version = $version" do_cleanup exit 1 fi open_temp_cases_tested=$((open_temp_cases_tested+1)) } OIFS=$IFS # store old separator to reset # # Start # echo echo "wolfSSL configuration:" ./config.status --config echo echo "OpenSSL version:" $OPENSSL version -a echo ps -p $PPID >/dev/null 2>&1 if [ "$?" = "1" ] then ps_grep="yes" echo "ps -p not working, using ps and grep" fi echo -e "\nTesting existence of openssl command...\n" command -v $OPENSSL >/dev/null 2>&1 || { echo >&2 "Requires openssl command, but it's not installed. Ending."; do_cleanup; exit 0; } echo -e "\nTesting for _build directory as part of distcheck, different paths" currentDir=`pwd` case "$currentDir" in *_build) echo -e "_build directory detected, moving a directory back" cd .. ;; esac echo -e "\nChecking for wolfSSL client - needed for cipher list" wolfssl_client_avail=`$WOLFSSL_CLIENT -?` case $wolfssl_client_avail in *"Client not compiled in!"*) wolfssl_client_avail= echo >&2 "Requires wolfSSL client, but it's not built. Ending." do_cleanup exit 0 ;; esac echo -e "\nTesting for buggy version of OpenSSL - TLS 1.3, PSK and session ticket" openssl_version=`$OPENSSL version` case $openssl_version in "OpenSSL 1.1.1 "*) openssl_psk_resume_bug=yes ;; "OpenSSL 1.0.2"*) openssl_adh_reneg_bug=yes ;; esac # check for wolfssl server wolfssl_server_avail=`$WOLFSSL_SERVER -?` case $wolfssl_server_avail in *"Server not compiled in!"*) wolfssl_server_avail= ;; esac # get wolfssl ciphers wolf_ciphers=`$WOLFSSL_CLIENT -e` # get wolfssl supported versions wolf_versions=`$WOLFSSL_CLIENT -V` wolf_versions="${wolf_versions}:5" #5 will test without -v flag OIFS="$IFS" # store old separator to reset IFS=: # set delimiter for version in $wolf_versions do case $version in 1|2|3) wolf_tls=yes ;; 4) wolf_tls13=yes ;; esac done IFS="$OIFS" #restore separator # # Start OpenSSL servers # # Check for certificate support in wolfSSL wolf_certs=`$WOLFSSL_CLIENT -? 2>&1` case $wolf_certs in *"cert"*) ;; *) wolf_certs="" ;; esac if [ "$wolf_certs" != "" ] then echo # Check if RSA certificates supported in wolfSSL wolf_rsa=`$WOLFSSL_CLIENT -A "${CERT_DIR}/ca-cert.pem" 2>&1` case $wolf_rsa in *"ca file"*) echo "wolfSSL does not support RSA" wolf_rsa="" ;; *) ;; esac if [ "$wolf_rsa" != "" ]; then echo "wolfSSL supports RSA" fi # Check if RSA-PSS certificates supported in wolfSSL wolf_rsapss=`$WOLFSSL_CLIENT -A "${CERT_DIR}/rsapss/ca-rsapss.pem" 2>&1` case $wolf_rsapss in *"ca file"*) echo "wolfSSL does not support RSA-PSS" wolf_rsapss="" ;; *) ;; esac if [ "$wolf_rsapss" != "" ]; then echo "wolfSSL supports RSA-PSS" fi # Check if ECC certificates supported in wolfSSL wolf_ecc=`$WOLFSSL_CLIENT -A "${CERT_DIR}/ca-ecc-cert.pem" 2>&1` case $wolf_ecc in *"ca file"*) echo "wolfSSL does not support ECDSA" wolf_ecc="" ;; *) ;; esac if [ "$wolf_ecc" != "" ]; then echo "wolfSSL supports ECDSA" fi # Check if Ed25519 certificates supported in wolfSSL wolf_ed25519=`$WOLFSSL_CLIENT -A "${CERT_DIR}/ed25519/root-ed25519.pem" 2>&1` case $wolf_ed25519 in *"ca file"*) echo "wolfSSL does not support Ed25519" wolf_ed25519="" ;; *) ;; esac if [ "$wolf_ed25519" != "" ]; then echo "wolfSSL supports Ed25519" fi # Check if Ed25519 certificates supported in OpenSSL openssl_ed25519=`$OPENSSL s_client -cert "${CERT_DIR}/ed25519/client-ed25519.pem" -key "${CERT_DIR}/ed25519/client-ed25519-priv.pem" 2>&1` case $openssl_ed25519 in *"unable to load"*) echo "OpenSSL does not support Ed25519" wolf_ed25519="" ;; *) ;; esac if [ "$wolf_ed25519" != "" ]; then echo "OpenSSL supports Ed25519" fi # Check if Ed448 certificates supported in wolfSSL wolf_ed448=`$WOLFSSL_CLIENT -A "${CERT_DIR}/ed448/root-ed448.pem" 2>&1` case $wolf_ed448 in *"ca file"*) echo "wolfSSL does not support Ed448" wolf_ed448="" ;; *) ;; esac if [ "$wolf_ed448" != "" ]; then echo "wolfSSL supports Ed448" fi # Check if Ed448 certificates supported in OpenSSL openssl_ed448=`$OPENSSL s_client -cert "${CERT_DIR}/ed448/client-ed448.pem" -key "${CERT_DIR}/ed448/client-ed448-priv.pem" 2>&1` case $openssl_ed448 in *"unable to load"*) echo "OpenSSL does not support Ed448" wolf_ed448="" ;; *) ;; esac if [ "$wolf_ed448" != "" ]; then echo "OpenSSL supports Ed448" fi echo fi openssl_tls13=`$OPENSSL s_client -help 2>&1` case $openssl_tls13 in *no_tls1_3*) ;; *) openssl_tls13= ;; esac # Not all openssl versions support -allow_no_dhe_kex openssl_nodhe=`$OPENSSL s_client -help 2>&1` case $openssl_nodhe in *allow_no_dhe_kex*) openssl_nodhe=-allow_no_dhe_kex ;; *) openssl_nodhe= ;; esac # Check suites to determine support in wolfSSL OIFS="$IFS" # store old separator to reset IFS=: # set delimiter for wolfSuite in $wolf_ciphers; do case $wolfSuite in *ECDHE-RSA-*) ecdhe_avail=yes wolf_rsa=yes ;; *DHE-RSA-*) wolf_rsa=yes ;; *ECDH-RSA*) wolf_ecdh_rsa=yes ;; *ECDHE-ECDSA*|*ECDH-ECDSA*) wolf_ecdsa=yes ;; *ADH*) wolf_anon=yes ;; *PSK*) if [ "$wolf_psk" = "" ] then echo "Testing PSK" wolf_psk=1 fi if [ "$wolf_tls" != "" ] then wolf_tls_psk=yes fi ;; *TLS13*) ;; *) wolf_rsa=yes esac done IFS="$OIFS" #restore separator openssl_ciphers=`$OPENSSL ciphers ALL 2>&1` case $openssl_ciphers in *ADH*) openssl_anon=yes ;; esac # TLSv1 -> TLSv1.2 PSK secret psk_hex="1a2b3c4d" # If RSA cipher suites supported in wolfSSL then start servers if [ "$wolf_rsa" != "" -o "$wolf_tls_psk" != "" ] then if [ "$wolf_rsa" != "" ] then cert_file="${CERT_DIR}/server-cert.pem" key_file="${CERT_DIR}/server-key.pem" ca_file="${CERT_DIR}/client-ca.pem" else cert_file= key_file= ca_file= fi openssl_suite="RSA" start_openssl_server openssl_port=$server_port openssl_pid=$server_pid wolfssl_suite="RSA" if [ "$wolf_tls_psk" != "" ] then psk="-j" fi echo "cert_file=$cert_file" start_wolfssl_server psk= wolfssl_port=$server_port wolfssl_pid=$server_pid fi # If ECDH-RSA cipher suites supported in wolfSSL then start servers if [ "$wolf_ecdh_rsa" != "" ] then cert_file="${CERT_DIR}/server-ecc-rsa.pem" key_file="${CERT_DIR}/ecc-key.pem" ca_file="${CERT_DIR}/client-ca.pem" openssl_suite="ECDH-RSA" start_openssl_server ecdh_openssl_port=$server_port ecdh_openssl_pid=$server_pid wolfssl_suite="ECDH-RSA" start_wolfssl_server ecdh_wolfssl_port=$server_port ecdh_wolfssl_pid=$server_pid fi if [ "$wolf_ecdsa" != "" -a "$wolf_ecc" != "" ] then cert_file="${CERT_DIR}/server-ecc.pem" key_file="${CERT_DIR}/ecc-key.pem" ca_file="${CERT_DIR}/client-ecc-cert.pem" openssl_suite="ECDH[E]-ECDSA" start_openssl_server ecdsa_openssl_port=$server_port ecdsa_openssl_pid=$server_pid wolfssl_suite="ECDH[E]-ECDSA" start_wolfssl_server ecdsa_wolfssl_port=$server_port ecdsa_wolfssl_pid=$server_pid fi # If Ed25519 certificates supported in wolfSSL then start servers if [ "$wolf_ed25519" != "" ]; then cert_file="${CERT_DIR}/ed25519/server-ed25519.pem" key_file="${CERT_DIR}/ed25519/server-ed25519-priv.pem" ca_file="${CERT_DIR}/ed25519/client-ed25519.pem" openssl_suite="Ed25519" start_openssl_server ed25519_openssl_port=$server_port ed25519_openssl_pid=$server_pid crl="-V" wolfssl_suite="Ed25519" start_wolfssl_server ed25519_wolfssl_port=$server_port ed25519_wolfssl_pid=$server_pid crl= fi # If Ed448 certificates supported in wolfSSL then start servers if [ "$wolf_ed448" != "" ]; then cert_file="${CERT_DIR}/ed448/server-ed448.pem" key_file="${CERT_DIR}/ed448/server-ed448-priv.pem" ca_file="${CERT_DIR}/ed448/client-ed448.pem" openssl_suite="Ed448" start_openssl_server ed448_openssl_port=$server_port ed448_openssl_pid=$server_pid crl="-V" wolfssl_suite="Ed448" start_wolfssl_server ed448_wolfssl_port=$server_port ed448_wolfssl_pid=$server_pid crl= fi if [ "$wolf_tls13" != "" -a "$wolf_psk" != "" ] then cert_file= psk_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef" openssl_suite="TLSv1.3_PSK" start_openssl_server tls13_psk_openssl_port=$server_port tls13_psk_openssl_pid=$server_pid psk="-s --openssl-psk" wolfssl_suite="TLSv1.3_PSK" start_wolfssl_server tls13_psk_wolfssl_port=$server_port tls13_psk_wolfssl_pid=$server_pid fi if [ "$wolf_anon" != "" -a "$openssl_anon" ] then cert_file="" key_file="" ca_file="" wolfssl_suite="Anon" psk="-a" # anonymous not psk start_wolfssl_server anon_wolfssl_port=$server_port anon_wolfssl_pid=$server_pid fi for s in $servers do f2=${s%:*} server_name=${f2%:*} server_port=${s##*:} check_server_ready done OIFS="$IFS" # store old separator to reset IFS=: # set delimiter set -f # no globbing wolf_temp_cases_total=0 wolf_temp_cases_tested=0 # Testing of OpenSSL support for version requires a running OpenSSL server for version in $wolf_versions; do echo -e "version = $version" # get openssl ciphers depending on version # -s flag for only supported ciphers case $version in "0") openssl_ciphers=`$OPENSSL ciphers "SSLv3" 2>&1` # double check that can actually do a sslv3 connection using # client-cert.pem to send but any file with EOF works $OPENSSL s_client -ssl3 -no_ign_eof -host localhost -port $openssl_port < "${CERT_DIR}/client-cert.pem" sslv3_sup=$? if [ $sslv3_sup != 0 ] then echo -e "Not testing SSLv3. No OpenSSL support for 'SSLv3' modifier" testing_summary="${testing_summary}SSLv3\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n" continue fi openssl_version="-ssl3" ;; "1") proto_check=`echo "hell" | $OPENSSL s_client -connect localhost:$openssl_port -tls1 2>&1` tlsv1_sup=$? if [ $tlsv1_sup != 0 ] then echo -e "Not testing TLSv1. No OpenSSL support for '-tls1'" testing_summary="${testing_summary}TLSv1\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL Support)\n" continue fi openssl_ciphers=`$OPENSSL ciphers -s "TLSv1" 2>&1` tlsv1_sup=$? if [ $tlsv1_sup != 0 ] then echo -e "Not testing TLSv1. No OpenSSL support for 'TLSv1' modifier" testing_summary="${testing_summary}TLSv1\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n" continue fi openssl_version="-tls1" ;; "2") # Same ciphers for TLSv1.1 as TLSv1 proto_check=`echo "hello" | $OPENSSL s_client -connect localhost:$openssl_port -tls1_1 2>&1` tlsv1_1_sup=$? if [ $tlsv1_1_sup != 0 ] then echo -e "Not testing TLSv1.1. No OpenSSL support for 'TLSv1.1' modifier" testing_summary="${testing_summary}TLSv1.1\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n" continue fi openssl_ciphers=`$OPENSSL ciphers -s "TLSv1" 2>&1` tlsv1_sup=$? if [ $tlsv1_sup != 0 ] then echo -e "Not testing TLSv1. No OpenSSL support for 'TLSv1' modifier" testing_summary="${testing_summary}TLSv1\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n" continue fi openssl_version="-tls1_1" ;; "3") openssl_ciphers=`$OPENSSL ciphers -s "TLSv1.2" 2>&1` tlsv1_2_sup=$? if [ $tlsv1_2_sup != 0 ] then echo -e "Not testing TLSv1.2. No OpenSSL support for 'TLSv1.2' modifier" testing_summary="${testing_summary}TLSv1.2\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n" continue fi openssl_version="-tls1_2" ;; "4") openssl_ciphers=`$OPENSSL ciphers -tls1_3 2>&1` tlsv1_3_sup=$? if [ $tlsv1_3_sup != 0 ] then echo -e "Not testing TLSv1.3. No OpenSSL support for 'TLSv1.3' modifier" testing_summary="${testing_summary}TLSv1.3\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n" continue fi ecc_support=`$WOLFSSL_CLIENT -? 2>&1 | grep 'ECC named groups'` openssl_version="-tls1_3" ;; "d(downgrade)") version="d" openssl_version="" ;; "e(either)") continue ;; "5") #test all suites openssl_ciphers=`$OPENSSL ciphers -s "ALL" 2>&1` all_sup=$? if [ $all_sup != 0 ] then echo -e "Not testing ALL. No OpenSSL support for ALL modifier" testing_summary="${testing_summary}ALL\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n" continue fi openssl_version="" ;; "") openssl_ciphers=`$OPENSSL ciphers 2>&1` all_sup=$? if [ $all_sup != 0 ] then echo -e "Not testing ALL. No OpenSSL support for ALL modifier" testing_summary="${testing_summary}ALL\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n" continue fi openssl_version="" ;; esac for wolfSuite in $wolf_ciphers; do echo -e "trying wolfSSL cipher suite $wolfSuite" wolf_temp_cases_total=$((wolf_temp_cases_total + 1)) open_temp_cases_total=$((open_temp_cases_total + 1)) matchSuite=0; tls13_suite= case $wolfSuite in "TLS13-AES128-GCM-SHA256") cmpSuite="TLS_AES_128_GCM_SHA256" tls13_suite="yes" ;; "TLS13-AES256-GCM-SHA384") cmpSuite="TLS_AES_256_GCM_SHA384" tls13_suite="yes" ;; "TLS13-CHACHA20-POLY1305-SHA256") cmpSuite="TLS_CHACHA20_POLY1305_SHA256" tls13_suite="yes" ;; "TLS13-AES128-CCM-SHA256") cmpSuite="TLS_AES_128_CCM_SHA256" tls13_suite="yes" ;; "TLS13-AES128-CCM-8-SHA256"|"TLS13-AES128-CCM8-SHA256") cmpSuite="TLS_AES_128_CCM_8_SHA256" tls13_suite="yes" ;; "TLS13-SHA256-SHA256") continue ;; "TLS13-SHA384-SHA384") continue ;; "TLS13-"*) echo -e "Suite = $wolfSuite not recognized!" echo -e "Add translation of wolfSSL name to OpenSSL" do_cleanup exit 1 ;; *) cmpSuite=$wolfSuite ;; esac case ":$openssl_ciphers:" in *":$cmpSuite:"*) # add extra : for edge cases case "$cmpSuite" in "TLS_"*) if [ "$version" != "4" -a "$version" != "d" ] then echo -e "TLS 1.3 cipher suite but not TLS 1.3 protocol" matchSuite=0 else echo -e "Matched to OpenSSL suite support" matchSuite=1 fi ;; *) if [ "$version" = "d" -a "$wolfdowngrade" = "4" ] then echo -e "Not TLS 1.3 cipher suite but TLS 1.3 downgrade" matchSuite=0 elif [ "$version" != "4" ] then echo -e "Matched to OpenSSL suite support" matchSuite=1 else echo -e "Not TLS 1.3 cipher suite but TLS 1.3 protocol" matchSuite=0 fi ;; esac ;; esac if [ $matchSuite = 0 ] then echo -e "Couldn't match suite, continuing..." continue fi # check for psk suite and turn on client psk if so psk="" adh="" crl="" cert="" key="" caCert="" case $wolfSuite in *ECDH-RSA*) cert="${CERT_DIR}/client-cert.pem" key="${CERT_DIR}/client-key.pem" caCert="${CERT_DIR}/ca-cert.pem" port=$ecdh_openssl_port do_wolfssl_client port=$ecdh_wolfssl_port do_openssl_client ;; *ECDHE-ECDSA*|*ECDH-ECDSA*) if [ "$wolf_ecc" != "" ] then cert="${CERT_DIR}/client-ecc-cert.pem" key="${CERT_DIR}/ecc-client-key.pem" caCert="${CERT_DIR}/ca-ecc-cert.pem" port=$ecdsa_openssl_port do_wolfssl_client port=$ecdsa_wolfssl_port do_openssl_client else wolf_temp_cases_total=$((wolf_temp_cases_total - 1)) fi if [ $ed25519_openssl_pid != $no_pid -a "$version" != "0" -a "$version" != "1" -a "$version" != "2" ] then cert="${CERT_DIR}/ed25519/client-ed25519.pem" key="${CERT_DIR}/ed25519/client-ed25519-priv.pem" caCert="${CERT_DIR}/ed25519/server-ed25519.pem" wolf_temp_cases_total=$((wolf_temp_cases_total + 1)) port=$ed25519_openssl_port crl="-C" do_wolfssl_client open_temp_cases_total=$((open_temp_cases_total + 1)) port=$ed25519_wolfssl_port do_openssl_client fi if [ $ed448_openssl_pid != $no_pid -a "$version" != "0" -a "$version" != "1" -a "$version" != "2" ] then cert="${CERT_DIR}/ed448/client-ed448.pem" key="${CERT_DIR}/ed448/client-ed448-priv.pem" caCert="${CERT_DIR}/ed448/server-ed448.pem" wolf_temp_cases_total=$((wolf_temp_cases_total + 1)) port=$ed448_openssl_port crl="-C" do_wolfssl_client open_temp_cases_total=$((open_temp_cases_total + 1)) port=$ed448_wolfssl_port do_openssl_client fi ;; *DHE-PSK*) cert="${CERT_DIR}/client-cert.pem" key="${CERT_DIR}/client-key.pem" caCert="${CERT_DIR}/ca-cert.pem" port=$openssl_port psk="-s" do_wolfssl_client # Skip when no RSA as some versions of OpenSSL can't handle no # signature if [ "$wolf_rsa" != "" ] then port=$wolfssl_port openssl_psk="-psk 1a2b3c4d" do_openssl_client fi ;; *PSK*) cert="${CERT_DIR}/client-cert.pem" key="${CERT_DIR}/client-key.pem" caCert="${CERT_DIR}/ca-cert.pem" port=$openssl_port psk="-s" do_wolfssl_client port=$wolfssl_port openssl_psk="-psk 1a2b3c4d" do_openssl_client ;; *ADH*) cert="${CERT_DIR}/client-cert.pem" key="${CERT_DIR}/client-key.pem" caCert="${CERT_DIR}/ca-cert.pem" if [ "$version" != "0" -a "$version" != "1" -a "$version" != "2" -a "$openssl_adh_reneg_bug" != "" ] then continue fi port=$openssl_port adh="-a" do_wolfssl_client port=$anon_wolfssl_port do_openssl_client ;; TLS13*) if [ $version != "4" -a $version != "d" -a $version != " " -a $version != "5" ] then continue fi tls13_cipher=yes # RSA if [ $openssl_pid != $no_pid -a "$ecdhe_avail" = "yes" ] then cert="${CERT_DIR}/client-cert.pem" key="${CERT_DIR}/client-key.pem" caCert="${CERT_DIR}/ca-cert.pem" port=$openssl_port do_wolfssl_client port=$wolfssl_port do_openssl_client fi # PSK if [ "$wolf_psk" != "" -a $wolfSuite = "TLS13-AES128-GCM-SHA256" -a "$wolf_ecc" != "" -a $openssl_nodhe != "" ] then cert="" key="" caCert="" wolf_temp_cases_total=$((wolf_temp_cases_total + 1)) port=$tls13_psk_openssl_port psk="-s --openssl-psk" # OpenSSL doesn't support DH for key exchange so do no PSK # DHE when ECC not supported if [ "$wolf_ecc" = "" ] then adh="-K" fi do_wolfssl_client psk="" adh="" openssl_psk="-psk 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef" open_temp_cases_total=$((open_temp_cases_total + 1)) port=$wolfssl_port do_openssl_client open_temp_cases_total=$((open_temp_cases_total + 1)) port=$tls13_psk_wolfssl_port do_openssl_client openssl_psk="" fi # ECDSA if [ $ecdsa_openssl_pid != $no_pid -a "$wolf_ecc" != "" ] then cert="${CERT_DIR}/client-ecc-cert.pem" key="${CERT_DIR}/ecc-client-key.pem" caCert="${CERT_DIR}/ca-ecc-cert.pem" wolf_temp_cases_total=$((wolf_temp_cases_total + 1)) port=$ecdsa_openssl_port caCert="${CERT_DIR}/ca-ecc-cert.pem" do_wolfssl_client open_temp_cases_total=$((open_temp_cases_total + 1)) port=$ecdsa_wolfssl_port caCert="${CERT_DIR}/ca-ecc-cert.pem" do_openssl_client fi # Ed25519 if [ $ed25519_openssl_pid != $no_pid ] then cert="${CERT_DIR}/ed25519/client-ed25519.pem" key="${CERT_DIR}/ed25519/client-ed25519-priv.pem" caCert="${CERT_DIR}/ed25519/server-ed25519.pem" wolf_temp_cases_total=$((wolf_temp_cases_total + 1)) port=$ed25519_openssl_port crl="-C" do_wolfssl_client open_temp_cases_total=$((open_temp_cases_total + 1)) port=$ed25519_wolfssl_port do_openssl_client fi # Ed448 if [ $ed448_openssl_pid != $no_pid ] then cert="${CERT_DIR}/ed448/client-ed448.pem" key="${CERT_DIR}/ed448/client-ed448-priv.pem" caCert="${CERT_DIR}/ed448/server-ed448.pem" wolf_temp_cases_total=$((wolf_temp_cases_total + 1)) port=$ed448_openssl_port crl="-C" do_wolfssl_client open_temp_cases_total=$((open_temp_cases_total + 1)) port=$ed448_wolfssl_port do_openssl_client fi tls13_cipher= ;; *) cert="${CERT_DIR}/client-cert.pem" key="${CERT_DIR}/client-key.pem" caCert="${CERT_DIR}/ca-cert.pem" port=$openssl_port do_wolfssl_client port=$wolfssl_port do_openssl_client ;; esac done wolf_cases_tested=$((wolf_temp_cases_tested+wolf_cases_tested)) wolf_cases_total=$((wolf_temp_cases_total+wolf_cases_total)) echo -e "wolfSSL cases tested with version:$version $wolf_temp_cases_tested" open_cases_tested=$((open_temp_cases_tested+open_cases_tested)) open_cases_total=$((open_temp_cases_total+open_cases_total)) echo -e "OpenSSL cases tested with version:$version $open_temp_cases_tested" version_name testing_summary="$testing_summary$versionName\tYes\t$wolf_temp_cases_total\t$wolf_temp_cases_tested\t$open_temp_cases_total\t$open_temp_cases_tested\n" wolf_temp_cases_total=0 wolf_temp_cases_tested=0 open_temp_cases_total=0 open_temp_cases_tested=0 wolfdowngrade="$version" done IFS="$OIFS" #restore separator # Skip RSA-PSS interop test when RSA-PSS is not supported if [ "$wolf_rsapss" != "" -a "$ecdhe_avail" = "yes" -a "$wolf_rsa" = "yes" ] then # Test for RSA-PSS certs interop # Was running into alert sent by openssl server with version 1.1.1 released # in Sep 2018. To avoid this issue check that openssl version 3.0.0 or later # is used. $OPENSSL version | awk '{print $2}' | \ awk -F. '{if ($1 >= 3) exit 1; else exit 0;}' RESULT=$? if [ "$RESULT" = "0" ]; then echo -e "Old version of openssl detected, skipping interop RSA-PSS test" else echo -e "Doing interop RSA-PSS test" key_file=${CERT_DIR}/rsapss/server-rsapss-priv.pem cert_file=${CERT_DIR}/rsapss/server-rsapss.pem ca_file=${CERT_DIR}/client-cert.pem openssl_suite="RSAPSS" start_openssl_server cert="${CERT_DIR}/client-cert.pem" key="${CERT_DIR}/client-key.pem" caCert="${CERT_DIR}/rsapss/ca-rsapss.pem" crl="-C" wolfSuite="ALL" wolfssl_no_resume="yes" port=$server_port if [ "$wolf_tls13" != "" ] then version="4" do_wolfssl_client fi if [ "$wolf_tls" != "" ] then version="3" do_wolfssl_client fi fi fi do_cleanup echo -e "wolfSSL total cases $wolf_cases_total" echo -e "wolfSSL cases tested $wolf_cases_tested" echo -e "OpenSSL total cases $open_cases_total" echo -e "OpenSSL cases tested $open_cases_tested" echo -e "\nSuccess!\n\n\n\n" echo -e "$testing_summary" exit 0