#!/bin/sh # tls13.test # copyright wolfSSL 2016 # getting unique port is modeled after resume.test script # need a unique port since may run the same time as testsuite # use server port zero hack to get one port=0 no_pid=-1 server_pid=$no_pid counter=0 # let's use absolute path to a local dir (make distcheck may be in sub dir) # also let's add some randomness by adding pid in case multiple 'make check's # per source tree ready_file=`pwd`/wolfssl_tls13_ready$$ echo "ready file $ready_file" create_port() { while [ ! -s $ready_file ]; do if [ -a "$counter" -gt 50 ]; then break fi echo -e "waiting for ready file..." sleep 0.1 counter=$((counter+ 1)) done if [ -e $ready_file ]; then echo -e "found ready file, starting client..." # get created port 0 ephemeral port port=`cat $ready_file` else echo -e "NO ready file ending test..." do_cleanup fi } remove_ready_file() { if [ -e $ready_file ]; then echo -e "removing existing ready file" rm $ready_file fi } do_cleanup() { echo "in cleanup" if [ $server_pid != $no_pid ] then echo "killing server" kill -9 $server_pid fi remove_ready_file } do_trap() { echo "got trap" do_cleanup exit -1 } trap do_trap INT TERM [ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1 # Usual TLS v1.3 server / TLS v1.3 client. echo -e "\n\nTLS v1.3 server with TLS v1.3 client" port=0 ./examples/server/server -v 4 -R $ready_file -p $port & server_pid=$! create_port ./examples/client/client -v 4 -p $port RESULT=$? remove_ready_file if [ $RESULT -ne 0 ]; then echo -e "\n\nTLS v1.3 not enabled" do_cleanup exit 1 fi echo "" # Usual TLS v1.3 server / TLS v1.3 client - fragment. echo -e "\n\nTLS v1.3 server with TLS v1.3 client - fragment" port=0 ./examples/server/server -v 4 -R $ready_file -p $port & server_pid=$! create_port ./examples/client/client -v 4 -F 1 -p $port RESULT=$? remove_ready_file if [ $RESULT -ne 0 ]; then echo -e "\n\nTLS v1.3 and fragments not working" do_cleanup exit 1 fi echo "" # Use HelloRetryRequest with TLS v1.3 server / TLS v1.3 client. echo -e "\n\nTLS v1.3 HelloRetryRequest" port=0 ./examples/server/server -v 4 -R $ready_file -p $port & server_pid=$! create_port ./examples/client/client -v 4 -J -p $port RESULT=$? remove_ready_file if [ $RESULT -ne 0 ]; then echo -e "\n\nTLS v1.3 HelloRetryRequest not working" do_cleanup exit 1 fi echo "" # Use HelloRetryRequest with TLS v1.3 server / TLS v1.3 client using cookie echo -e "\n\nTLS v1.3 HelloRetryRequest with cookie" port=0 ./examples/server/server -v 4 -J -R $ready_file -p $port & server_pid=$! create_port ./examples/client/client -v 4 -J -p $port RESULT=$? remove_ready_file if [ $RESULT -ne 0 ]; then echo -e "\n\nTLS v1.3 HelloRetryRequest with cookie not working" do_cleanup exit 1 fi echo "" # Use HelloRetryRequest with TLS v1.3 server / TLS v1.3 client - SHA384. echo -e "\n\nTLS v1.3 HelloRetryRequest - SHA384" port=0 ./examples/server/server -v 4 -l TLS13-AES256-GCM-SHA384 -R $ready_file -p $port & server_pid=$! create_port ./examples/client/client -v 4 -J -p $port RESULT=$? remove_ready_file if [ $RESULT -ne 0 ]; then echo -e "\n\nTLS v1.3 HelloRetryRequest with SHA384 not working" do_cleanup exit 1 fi echo "" # Resumption TLS v1.3 server / TLS v1.3 client. echo -e "\n\nTLS v1.3 resumption" port=0 ./examples/server/server -v 4 -r -R $ready_file -p $port & server_pid=$! create_port ./examples/client/client -v 4 -r -p $port RESULT=$? remove_ready_file if [ $RESULT -ne 0 ]; then echo -e "\n\nTLS v1.3 resumption not working" do_cleanup exit 1 fi echo "" # Resumption TLS v1.3 server / TLS v1.3 client - SHA384 echo -e "\n\nTLS v1.3 resumption - SHA384" port=0 ./examples/server/server -v 4 -l TLS13-AES256-GCM-SHA384 -r -R $ready_file -p $port & server_pid=$! create_port ./examples/client/client -v 4 -l TLS13-AES256-GCM-SHA384 -r -p $port RESULT=$? remove_ready_file if [ $RESULT -ne 0 ]; then echo -e "\n\nTLS v1.3 resumption with SHA384 not working" do_cleanup exit 1 fi echo "" ./examples/client/client -v 4 -e 2>&1 | grep -- '-ECC' if [ $? -eq 0 ]; then # Usual TLS v1.3 server / TLS v1.3 client and ECC certificates. echo -e "\n\nTLS v1.3 server with TLS v1.3 client - ECC certificates" port=0 ./examples/server/server -v 4 -A certs/client-ecc-cert.pem -c certs/server-ecc.pem -k certs/ecc-key.pem -R $ready_file -p $port & server_pid=$! create_port ./examples/client/client -v 4 -A certs/ca-ecc-cert.pem -c certs/client-ecc-cert.pem -k certs/ecc-client-key.pem -p $port RESULT=$? remove_ready_file if [ $RESULT -ne 0 ]; then echo -e "\n\nTLS v1.3 ECC certificates not working" do_cleanup exit 1 fi echo "" fi # Usual TLS v1.3 server / TLS v1.3 client and no client certificate. echo -e "\n\nTLS v1.3 server with TLS v1.3 client - no client cretificate" port=0 ./examples/server/server -v 4 -R $ready_file -p $port & server_pid=$! create_port ./examples/client/client -v 4 -x -p $port RESULT=$? remove_ready_file if [ $RESULT -ne 0 ]; then echo -e "\n\nTLS v1.3 and no client certificate not working" do_cleanup exit 1 fi echo "" # Usual TLS v1.3 server / TLS v1.3 client and DH Key. echo -e "\n\nTLS v1.3 server with TLS v1.3 client - DH Key Exchange" port=0 ./examples/server/server -v 4 -R $ready_file -p $port & server_pid=$! create_port ./examples/client/client -v 4 -y -p $port RESULT=$? remove_ready_file if [ $RESULT -ne 0 ]; then echo -e "\n\nTLS v1.3 DH Key Exchange not working" do_cleanup exit 1 fi echo "" # Usual TLS v1.3 server / TLS v1.3 client and ECC Key. echo -e "\n\nTLS v1.3 server with TLS v1.3 client - ECC Key Exchange" port=0 ./examples/server/server -v 4 -R $ready_file -p $port & server_pid=$! create_port ./examples/client/client -v 4 -Y -p $port RESULT=$? remove_ready_file if [ $RESULT -ne 0 ]; then echo -e "\n\nTLS v1.3 ECDH Key Exchange not working" do_cleanup exit 1 fi echo "" # TLS 1.3 cipher suites server / client. echo -e "\n\nOnly TLS v1.3 cipher suites" port=0 ./examples/server/server -v 4 -R $ready_file -p $port -l TLS13-AES128-GCM-SHA256:TLS13-AES256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES128-CCM-SHA256:TLS13-AES128-CCM-8-SHA256 & server_pid=$! create_port ./examples/client/client -v 4 -p $port RESULT=$? remove_ready_file if [ $RESULT -ne 0 ]; then echo -e "\n\nIssue with TLS v1.3 cipher suites - only TLS v1.3" do_cleanup exit 1 fi echo "" # TLS 1.3 cipher suites server / client. echo -e "\n\nOnly TLS v1.3 cipher suite - AES128-GCM SHA-256" port=0 ./examples/server/server -v 4 -R $ready_file -p $port -l TLS13-AES128-GCM-SHA256 & server_pid=$! create_port ./examples/client/client -v 4 -p $port RESULT=$? remove_ready_file if [ $RESULT -ne 0 ]; then echo -e "\n\nIssue with TLS v1.3 cipher suites - AES128-GCM SHA-256" do_cleanup exit 1 fi echo "" # TLS 1.3 cipher suites server / client. echo -e "\n\nOnly TLS v1.3 cipher suite - AES256-GCM SHA-384" port=0 ./examples/server/server -v 4 -R $ready_file -p $port -l TLS13-AES256-GCM-SHA384 & server_pid=$! create_port ./examples/client/client -v 4 -p $port RESULT=$? remove_ready_file if [ $RESULT -ne 0 ]; then echo -e "\n\nIssue with TLS v1.3 cipher suites - AES256-GCM SHA-384" do_cleanup exit 1 fi echo "" # TLS 1.3 cipher suites server / client. echo -e "\n\nOnly TLS v1.3 cipher suite - CHACHA20-POLY1305 SHA-256" port=0 ./examples/server/server -v 4 -R $ready_file -p $port -l TLS13-CHACHA20-POLY1305-SHA256 & server_pid=$! create_port ./examples/client/client -v 4 -p $port RESULT=$? remove_ready_file if [ $RESULT -ne 0 ]; then echo -e "\n\nIssue with TLS v1.3 cipher suites - CHACHA20-POLY1305 SHA-256" do_cleanup exit 1 fi echo "" ./examples/client/client -v 4 -e 2>&1 | grep -- '-CCM' if [ $? -eq 0 ]; then # TLS 1.3 cipher suites server / client. echo -e "\n\nOnly TLS v1.3 cipher suite - AES128-CCM SHA-256" port=0 ./examples/server/server -v 4 -R $ready_file -p $port -l TLS13-AES128-CCM-SHA256 & server_pid=$! create_port ./examples/client/client -v 4 -p $port RESULT=$? remove_ready_file if [ $RESULT -ne 0 ]; then echo -e "\n\nIssue with TLS v1.3 cipher suites - AES128-CCM SHA-256" do_cleanup exit 1 fi echo "" # TLS 1.3 cipher suites server / client. echo -e "\n\nOnly TLS v1.3 cipher suite - AES128-CCM-8 SHA-256" port=0 ./examples/server/server -v 4 -R $ready_file -p $port -l TLS13-AES128-CCM-8-SHA256 & server_pid=$! create_port ./examples/client/client -v 4 -p $port RESULT=$? remove_ready_file if [ $RESULT -ne 0 ]; then echo -e "\n\nIssue with TLS v1.3 cipher suites - AES128-CCM-8 SHA-256" do_cleanup exit 1 fi echo "" fi # TLS 1.3 cipher suites server / client. echo -e "\n\nTLS v1.3 cipher suite mismatch" port=0 ./examples/server/server -v 4 -R $ready_file -p $port -l TLS13-CHACHA20-POLY1305-SHA256 & server_pid=$! create_port ./examples/client/client -v 4 -p $port -l TLS13-AES256-GCM-SHA384 RESULT=$? remove_ready_file if [ $RESULT -ne 1 ]; then echo -e "\n\nIssue with mismatched TLS v1.3 cipher suites" do_cleanup exit 1 fi echo "" # TLS 1.3 server / TLS 1.2 client. echo -e "\n\nTLS v1.3 server downgrading to TLS v1.2" port=0 ./examples/server/server -v 4 -R $ready_file -p $port & server_pid=$! create_port ./examples/client/client -v 3 -p $port RESULT=$? remove_ready_file if [ $RESULT -eq 0 ]; then echo -e "\n\nIssue with TLS v1.3 server downgrading to TLS v1.2" do_cleanup exit 1 fi echo "" # TLS Downgrade server / TLS 1.2 client. echo -e "\n\nTLS server downgrading to TLS v1.2" port=0 ./examples/server/server -v d -R $ready_file -p $port & server_pid=$! create_port ./examples/client/client -v 3 -p $port RESULT=$? remove_ready_file if [ $RESULT -ne 0 ]; then echo -e "\n\nIssue with TLS server downgrading to TLS v1.2" do_cleanup exit 1 fi echo "" # TLS 1.2 server / TLS 1.3 client. echo -e "\n\nTLS v1.3 client upgrading server to TLS v1.3" port=0 ./examples/server/server -v 3 -R $ready_file -p $port & server_pid=$! create_port ./examples/client/client -v 4 -p $port RESULT=$? remove_ready_file if [ $RESULT -eq 0 ]; then echo -e "\n\nIssue with TLS v1.3 client upgrading server to TLS v1.3" do_cleanup exit 1 fi echo "" # TLS 1.2 server / TLS downgrade client. echo -e "\n\nTLS client downgrading to TLS v1.2" port=0 ./examples/server/server -v 3 -R $ready_file -p $port & server_pid=$! create_port ./examples/client/client -v d -p $port RESULT=$? remove_ready_file if [ $RESULT -ne 0 ]; then echo -e "\n\nIssue with TLS client downgrading to TLS v1.2" do_cleanup exit 1 fi echo "" # TLS Downgrade server / TLS Downgrade client. echo -e "\n\nTLS server and client able to downgrade but don't" port=0 ./examples/server/server -v d -R $ready_file -p $port & server_pid=$! create_port ./examples/client/client -v d -p $port RESULT=$? remove_ready_file if [ $RESULT -ne 0 ]; then echo -e "\n\nIssue with TLS not downgrading" do_cleanup exit 1 fi echo "" # TLS Downgrade server / TLS Downgrade client resumption. echo -e "\n\nTLS server and client able to downgrade but don't and resume" port=0 ./examples/server/server -v d -r -R $ready_file -p $port & server_pid=$! create_port ./examples/client/client -v d -r -p $port RESULT=$? remove_ready_file if [ $RESULT -ne 0 ]; then echo -e "\n\nIssue with TLS not downgrading and resumption" do_cleanup exit 1 fi echo "" # TLS Downgrade server / TLS 1.2 client and resume. echo -e "\n\nTLS server downgrade and resume" port=0 ./examples/server/server -v d -r -R $ready_file -p $port & server_pid=$! create_port ./examples/client/client -v 3 -r -p $port RESULT=$? remove_ready_file if [ $RESULT -ne 0 ]; then echo -e "\n\nIssue with TLS server downgrading and resumption" do_cleanup exit 1 fi echo "" # TLS 1.2 server / TLS downgrade client and resume. echo -e "\n\nTLS client downgrade and resume" port=0 ./examples/server/server -v 3 -r -R $ready_file -p $port & server_pid=$! create_port ./examples/client/client -v d -r -p $port RESULT=$? remove_ready_file if [ $RESULT -ne 0 ]; then echo -e "\n\nIssue with TLS client downgrading and resumption" do_cleanup exit 1 fi echo "" # TLS Downgrade server / TLS Downgrade client. # TLS 1.3 server / TLS 1.3 client send KeyUpdate before sending app data. echo -e "\n\nTLS v1.3 KeyUpdate" port=0 ./examples/server/server -v 4 -U -R $ready_file -p $port & server_pid=$! create_port ./examples/client/client -v 4 -I -p $port RESULT=$? remove_ready_file if [ $RESULT -ne 0 ]; then echo -e "\n\nIssue with TLS v1.3 KeyUpdate" do_cleanup exit 1 fi echo "" # TLS 1.3 server / TLS 1.3 client - don't use (EC)DHE with PSK. echo -e "\n\nTLS v1.3 PSK without (EC)DHE" port=0 ./examples/server/server -v 4 -r -R $ready_file -p $port & server_pid=$! create_port ./examples/client/client -v 4 -r -K -p $port RESULT=$? remove_ready_file if [ $RESULT -ne 0 ]; then echo -e "\n\nIssue with TLS v1.3 PSK without (EC)DHE" do_cleanup exit 1 fi echo "" # TLS 1.3 server / TLS 1.3 client and Post-Handshake Authentication. echo -e "\n\nTLS v1.3 Post-Handshake Authentication" port=0 ./examples/server/server -v 4 -Q -R $ready_file -p $port & server_pid=$! create_port ./examples/client/client -v 4 -Q -p $port RESULT=$? remove_ready_file if [ $RESULT -ne 0 ]; then echo -e "\n\nIssue with TLS v1.3 Post-Handshake Auth" do_cleanup exit 1 fi echo "" echo -e "\nALL Tests Passed" exit 0