
#!/bin/sh
# openssl.test
#
# Interoperability test driver: wolfSSL example client/server against the
# OpenSSL command line tool.
#
# Environment variables used:
#   OPENSSL            openssl app to use
#   OPENSSL_ENGINE_ID  engine id if any, i.e. "wolfengine"
#   WOLFSSL_OPENSSL_TEST  must be non-empty or the script exits 0 at once
#
# NOTE(review): the shebang is /bin/sh but the script relies on bash
# behaviour in places (echo -e, $'..' quoting); run it with a bash-like sh.

# Certificates live next to the scripts directory this file is run from.
CERT_DIR="$PWD/$(dirname "$0")/../certs"

# The whole run is opt-in.
[ -n "$WOLFSSL_OPENSSL_TEST" ] || {
    echo "WOLFSSL_OPENSSL_TEST NOT set, won't run"
    exit 0
}

# if we can, isolate the network namespace to eliminate port collisions.
# bubblewrap re-executes this script with a private network namespace;
# AM_BWRAPPED marks the re-executed child so it does not recurse.
case "${AM_BWRAPPED-}" in
    yes)
        ;;
    *)
        bwrap_path=$(command -v bwrap)
        if [ -n "$bwrap_path" ]; then
            export AM_BWRAPPED=yes
            exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
        fi
        unset AM_BWRAPPED
        ;;
esac

echo "WOLFSSL_OPENSSL_TEST set, running test..."
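#######################################
# Pick a random listen port into the global `port`.
# A unique port is needed since this may run at the same time as the
# testsuite.  The value is not a secret, so /dev/urandom (never blocks) is
# used; two bytes are read as an unsigned decimal (-t u2) — od's default
# format is octal, which the arithmetic below would have read as decimal.
# Globals written: port, in the range 49512..65534
#######################################
generate_port() {
    port=$(($(od -An -N2 -t u2 /dev/urandom) % (65535-49512) + 49512))
}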
# Sentinel for "no server was started" and the registry of started servers
# (one "NAME:PID:PORT" entry per server, consumed by do_cleanup).
no_pid=-1
servers=""

# One pid slot per server flavour; -1 until that server is started.
openssl_pid=$no_pid;    wolfssl_pid=$no_pid
ecdh_openssl_pid=$no_pid;   ecdh_wolfssl_pid=$no_pid
ecdsa_openssl_pid=$no_pid;  ecdsa_wolfssl_pid=$no_pid
ed25519_openssl_pid=$no_pid;    ed25519_wolfssl_pid=$no_pid
ed448_openssl_pid=$no_pid;  ed448_wolfssl_pid=$no_pid
tls13_psk_openssl_pid=$no_pid;  tls13_psk_wolfssl_pid=$no_pid
anon_wolfssl_pid=$no_pid

# Result counters and the summary table (escapes are kept literal here;
# they are interpreted by whatever prints the summary).
wolf_cases_tested=0
wolf_cases_total=0
counter=0
testing_summary="OpenSSL Interop Testing Summary:\nVersion\tTested\t#Found\t#wolf\t#Found\t#OpenSSL\n"
versionName="Invalid"

# Tool locations: OPENSSL may come from the environment, the wolfSSL
# examples are addressed relative to the source tree top.
: "${OPENSSL:=openssl}"
WOLFSSL_SERVER=./examples/server/server
WOLFSSL_CLIENT=./examples/client/client
#######################################
# Translate the wolfSSL version selector in $version into a display name.
# Globals read:    version ("0".."5", "d", or empty)
# Globals written: versionName; left untouched for an unknown selector
#######################################
version_name() {
    case $version in
        "") versionName="Def" ;;
        0)  versionName="SSLv3" ;;
        1)  versionName="TLSv1" ;;
        2)  versionName="TLSv1.1" ;;
        3)  versionName="TLSv1.2" ;;
        4)  versionName="TLSv1.3" ;;
        5)  versionName="ALL" ;;
        d)  versionName="Down" ;;
    esac
}
#######################################
# Kill every server registered in $servers.
# Globals read:    servers (space separated "NAME:PID:PORT" entries), OIFS
# Globals written: IFS (restored from OIFS), s, f2, sname, pid, port
#######################################
do_cleanup() {
    echo "in cleanup"
    IFS=$OIFS #restore separator
    for s in $servers
    do
        # split NAME:PID:PORT from the right
        port=${s##*:}
        f2=${s%:*}
        pid=${f2##*:}
        sname=${f2%:*}
        echo "killing server: $sname ($port)"
        kill -9 "$pid"
    done
}
#######################################
# Signal handler: report, kill the registered servers, exit with failure.
#######################################
do_trap() {
    echo "got trap"; do_cleanup; exit 1
}
  95. trap do_trap INT TERM
#######################################
# Test whether the process in $server_pid is still alive.
# Globals read:    server_pid, ps_grep (non-empty when `ps -p` is unusable,
#                  decided once at startup)
# Globals written: PS_EXIT (0 when the process is found)
#######################################
check_process_running() {
    case "$ps_grep" in
        "")
            ps -p "$server_pid" > /dev/null
            PS_EXIT=$?
            ;;
        *)
            # fallback: look for the pid in the first column of plain ps
            ps | grep "^ *$server_pid " > /dev/null
            PS_EXIT=$?
            ;;
    esac
}
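#
# Start an OpenSSL server
#
#######################################
# Start an OpenSSL s_server for one suite family and register it in $servers.
# Globals read:    wolfssl_client_avail, OPENSSL, OPENSSL_ENGINE_ID, CERT_DIR,
#                  openssl_suite, cert_file, key_file, ca_file, psk_hex,
#                  openssl_nodhe
# Globals written: server_port, server_pid, servers, port, counter,
#                  found_free_port, OUTPUT, openssl_engine_checked,
#                  OPENSSL_ENGINE_ID (rewritten once into "-engine <id>")
# Exits 1 (after do_cleanup) when the engine cannot be loaded or no free
# port is found in 20 attempts.
#######################################
start_openssl_server() {
    # Without the wolfSSL client there is nothing to run against this server.
    if [ "$wolfssl_client_avail" = "" ]; then
        return
    fi

    # If OPENSSL_ENGINE_ID has been set then check that the desired engine can
    # be loaded successfully and error out if not. Otherwise the OpenSSL app
    # will fall back to default engine.
    # The check runs once per script: it rewrites OPENSSL_ENGINE_ID into the
    # "-engine <id>" option used below, so repeating it on a later call would
    # hand "-engine" to `openssl engine` and prepend the flag a second time.
    if [ -n "${OPENSSL_ENGINE_ID}" ] && [ "${openssl_engine_checked-}" = "" ]; then
        openssl_engine_checked=yes
        if ! OUTPUT=$($OPENSSL engine -tt "$OPENSSL_ENGINE_ID"); then
            printf 'not able to load engine\n'
            # data goes through %s, never through the format string
            printf '%s engine -tt %s\n' "$OPENSSL" "$OPENSSL_ENGINE_ID"
            do_cleanup
            exit 1
        fi
        # -tt output reports "[ available ]" only when the engine loads
        if ! printf '%s\n' "$OUTPUT" | grep "available"; then
            printf 'engine not available\n'
            do_cleanup
            exit 1
        fi
        OPENSSL_ENGINE_ID="-engine ${OPENSSL_ENGINE_ID}"
    fi

    generate_port
    server_port=$port
    found_free_port=0
    counter=0
    while [ "$counter" -lt 20 ]; do
        printf '\n# Trying to start %s OpenSSL server on port %s...\n' "$openssl_suite" "$server_port"
        echo "#"
        # Argument list is built in the positional parameters.
        # $OPENSSL_ENGINE_ID and $openssl_nodhe stay unquoted on purpose:
        # each is empty or a flag plus argument.  -cipher ALL:eNULL also
        # enables the NULL-encryption suites so those wolfSSL suites are
        # covered; -verify 10 -verify_return_error makes a bad client
        # certificate fatal rather than just logged.
        if [ "$cert_file" != "" ]; then
            set -- s_server -accept "$server_port" $OPENSSL_ENGINE_ID \
                -cert "$cert_file" -key "$key_file" -quiet -CAfile "$ca_file" \
                -www -dhparam "${CERT_DIR}/dh2048.pem" -verify 10 \
                -verify_return_error -psk "$psk_hex" -cipher "ALL:eNULL" \
                $openssl_nodhe
        else
            set -- s_server -accept "$server_port" $OPENSSL_ENGINE_ID \
                -quiet -nocert -www -dhparam "${CERT_DIR}/dh2048.pem" \
                -verify 10 -verify_return_error -psk "$psk_hex" \
                -cipher "ALL:eNULL" $openssl_nodhe
        fi
        echo "# " $OPENSSL "$@"
        $OPENSSL "$@" &
        server_pid=$!
        # wait to see if s_server successfully starts before continuing
        sleep 0.1
        check_process_running
        if [ "$PS_EXIT" = "0" ]; then
            echo "s_server started successfully on port $server_port"
            found_free_port=1
            break
        fi
        # s_server is gone, most likely the port was taken: try another one
        counter=$((counter + 1))
        generate_port
        server_port=$port
    done
    if [ "$found_free_port" = 0 ]; then
        echo "Couldn't find free port for server"
        do_cleanup
        exit 1
    fi
    servers="$servers OpenSSL_$openssl_suite:$server_pid:$server_port"
}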
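#
# Start a wolfSSL server
#
#######################################
# Start the wolfSSL example server for one suite family and register it.
# Globals read:    wolfssl_server_avail, WOLFSSL_SERVER, wolfssl_suite,
#                  cert_file, key_file, ca_file, psk, crl
# Globals written: wolfssl_cert, wolfssl_key, wolfssl_caCert, server_port,
#                  server_pid, servers, port, counter, found_free_port
# Exits 1 (after do_cleanup) when no free port is found in 20 attempts.
#######################################
start_wolfssl_server() {
    if [ "$wolfssl_server_avail" = "" ]; then
        echo "# wolfSSL server not available"
        return
    fi

    # The example server takes file options with the value attached
    # (-c<cert>, -k<key>, -A<ca>); each is dropped entirely when empty.
    wolfssl_cert=""
    wolfssl_key=""
    wolfssl_caCert=""
    if [ "$cert_file" != "" ]; then
        wolfssl_cert="-c$cert_file"
    fi
    if [ "$key_file" != "" ]; then
        wolfssl_key="-k$key_file"
    fi
    if [ "$ca_file" != "" ]; then
        wolfssl_caCert="-A$ca_file"
    fi

    generate_port
    server_port=$port
    found_free_port=0
    counter=0
    while [ "$counter" -lt 20 ]; do
        printf '\n# Trying to start %s wolfSSL server on port %s...\n' "$wolfssl_suite" "$server_port"
        echo "#"
        # $wolfssl_cert/$wolfssl_key/$wolfssl_caCert/$psk/$crl are left
        # unquoted on purpose: each is a single flag or empty.
        echo "# $WOLFSSL_SERVER -p $server_port $wolfssl_cert $wolfssl_key $wolfssl_caCert -g -v d -x -i $psk $crl -l ALL"
        $WOLFSSL_SERVER -p "$server_port" $wolfssl_cert $wolfssl_key $wolfssl_caCert -g -v d -x -i $psk $crl -l ALL &
        server_pid=$!
        # wait to see if server successfully starts before continuing
        sleep 0.1
        check_process_running
        if [ "$PS_EXIT" = "0" ]; then
            echo "wolfSSL server started successfully on port $server_port"
            found_free_port=1
            break
        fi
        # server is gone, most likely the port was taken: try another one
        counter=$((counter + 1))
        generate_port
        server_port=$port
    done
    if [ "$found_free_port" = 0 ]; then
        echo "Couldn't find free port for server"
        do_cleanup
        exit 1
    fi
    servers="$servers wolfSSL_$wolfssl_suite:$server_pid:$server_port"
}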
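#######################################
# Wait until the server named $server_name accepts a connection on
# $server_port, polling up to 20 times.
# Globals read:    server_name, server_port
# Globals written: counter (reset to 0 here), server_ready, nc_result
# Exits 1 (after do_cleanup) when the server never answers.
#######################################
check_server_ready() {
    # server should be ready, let's make sure
    # The retry budget is per server: start_*_server leave `counter` at
    # their own retry count and the caller loops over every server, so
    # without this reset a slow first server starved the later ones.
    counter=0
    server_ready=0
    while [ "$counter" -lt 20 ]; do
        echo "waiting for $server_name ready..."
        # nc's exit status stands in for "could connect"; the payload is
        # junk the server will reject, which is fine for a liveness probe.
        echo Checking | nc localhost "$server_port"
        nc_result=$?
        if [ "$nc_result" = 0 ]; then
            echo "$server_name ready!"
            server_ready=1
            break
        fi
        sleep 0.1
        counter=$((counter + 1))
    done
    if [ "$server_ready" = 0 ]; then
        echo "Couldn't verify $server_name is running, timeout error"
        do_cleanup
        exit 1
    fi
}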
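#
# Run wolfSSL client against OpenSSL server
#
#######################################
# Connect the wolfSSL example client to the OpenSSL server on $port with the
# suite in $wolfSuite, then count the case.
# Globals read:    wolfssl_client_avail, WOLFSSL_CLIENT, port, wolfSuite,
#                  version, cert, key, caCert, psk, adh, crl,
#                  openssl_psk_resume_bug, tls13_suite
# Globals written: wolfssl_cert, wolfssl_key, wolfssl_caCert, wolfssl_resume,
#                  client_result, wolf_temp_cases_tested
# Exits 1 (after do_cleanup) when the client returns non-zero.
#######################################
do_wolfssl_client() {
    if [ "$wolfssl_client_avail" = "" ]; then
        return
    fi

    # File options take the value attached (-c<cert>); empty ones vanish.
    wolfssl_cert=""
    wolfssl_key=""
    wolfssl_caCert=""
    if [ "$cert" != "" ]; then
        wolfssl_cert="-c$cert"
    fi
    if [ "$key" != "" ]; then
        wolfssl_key="-k$key"
    fi
    if [ "$caCert" != "" ]; then
        wolfssl_caCert="-A$caCert"
    fi

    # Session resumption (-r) is exercised except for TLS 1.3 suites against
    # the OpenSSL release flagged at startup as openssl_psk_resume_bug.
    wolfssl_resume="-r"
    if [ "$openssl_psk_resume_bug" != "" ] && [ "$tls13_suite" != "" ]; then
        wolfssl_resume=
    fi

    # -v pins a protocol version; "5" and "" mean "let the client negotiate"
    # and omit it.  The flag variables stay unquoted: each is a single word
    # or empty.
    if [ "$version" != "5" ] && [ "$version" != "" ]; then
        set -- -p "$port" -g $wolfssl_resume -l "$wolfSuite" -v "$version" \
            $psk $adh $wolfssl_cert $wolfssl_key $wolfssl_caCert $crl
    else
        set -- -p "$port" -g $wolfssl_resume -l "$wolfSuite" \
            $psk $adh $wolfssl_cert $wolfssl_key $wolfssl_caCert $crl
    fi
    echo "#"
    echo "#" $WOLFSSL_CLIENT "$@"
    $WOLFSSL_CLIENT "$@"
    client_result=$?
    if [ "$client_result" != 0 ]; then
        echo "client failed! Suite = $wolfSuite version = $version"
        do_cleanup
        exit 1
    fi
    wolf_temp_cases_tested=$((wolf_temp_cases_tested+1))
}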
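#
# Run OpenSSL client against wolfSSL server
#
#######################################
# Connect the OpenSSL s_client to the wolfSSL server on $port with the suite
# in $cmpSuite, then count the case.
# Globals read:    wolfssl_server_avail, OPENSSL, version, tls13_cipher,
#                  openssl_tls13, cert, key, caCert, cmpSuite, port,
#                  openssl_psk ("-psk <hex>", two words, or empty),
#                  wolfSuite (failure message only)
# Globals written: openssl_version (set to -no_tls1_3 in the case below),
#                  openssl_cert1/2, openssl_key1/2, openssl_caCert1/2,
#                  client_result, open_temp_cases_tested
# Exits 1 (after do_cleanup) when the client returns non-zero.
#######################################
do_openssl_client() {
    if [ "$wolfssl_server_avail" = "" ]; then
        return
    fi

    # With no pinned protocol version, keep OpenSSL off TLS 1.3 for a
    # non-TLS 1.3 suite (only if this s_client knows -no_tls1_3 at all).
    if [ "$version" = "" ] || [ "$version" = "5" ]; then
        if [ "$tls13_cipher" = "" ] && [ "$openssl_tls13" != "" ]; then
            openssl_version="-no_tls1_3"
        fi
    fi

    # Option/value pairs are rebuilt on every call (as do_wolfssl_client
    # does) so an empty cert/key/caCert cannot inherit the previous suite's
    # files.  The pairs stay unquoted below: an empty pair must vanish.
    openssl_cert1=""
    openssl_cert2=""
    openssl_key1=""
    openssl_key2=""
    openssl_caCert1=""
    openssl_caCert2=""
    if [ "$cert" != "" ]; then
        openssl_cert1="-cert"
        openssl_cert2="$cert"
    fi
    if [ "$key" != "" ]; then
        openssl_key1="-key"
        openssl_key2="$key"
    fi
    if [ "$caCert" != "" ]; then
        openssl_caCert1="-CAfile"
        openssl_caCert2="$caCert"
    fi

    # TLS 1.3 suites are selected with -ciphersuites=, the rest with -cipher.
    if [ "$tls13_cipher" = "" ]; then
        set -- -cipher "$cmpSuite"
    else
        set -- "-ciphersuites=$cmpSuite"
    fi

    # The caller walks the cipher list with IFS=':', so blank splitting is
    # switched back on while the argument list is assembled: "-psk <hex>"
    # and a multi-word $OPENSSL must become separate words, as they did
    # when the command line was re-parsed by eval.  Running the words
    # directly instead of eval'ing a string means a shell metacharacter in a
    # certificate path (CERT_DIR is derived from $PWD) or a cipher name is
    # passed through literally rather than interpreted.
    saved_ifs=$IFS
    IFS=' '
    set -- $OPENSSL s_client -connect "localhost:$port" -reconnect "$@" \
        $openssl_version $openssl_psk \
        $openssl_cert1 $openssl_cert2 $openssl_key1 $openssl_key2 \
        $openssl_caCert1 $openssl_caCert2
    IFS=$saved_ifs

    echo "#"
    echo "#" "$@"
    echo "Hello" | "$@"
    client_result=$?
    if [ "$client_result" != 0 ]; then
        echo "client failed! Suite = $wolfSuite version = $version"
        do_cleanup
        exit 1
    fi
    open_temp_cases_tested=$((open_temp_cases_tested+1))
}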
  350. OIFS=$IFS # store old separator to reset
  351. #
  352. # Start
  353. #
  354. ps -p $PPID >/dev/null 2>&1
  355. if [ "$?" = "1" ]
  356. then
  357. ps_grep="yes"
  358. echo "ps -p not working, using ps and grep"
  359. fi
  360. echo -e "\nTesting existence of openssl command...\n"
  361. command -v $OPENSSL >/dev/null 2>&1 || { echo >&2 "Requires openssl command, but it's not installed. Ending."; do_cleanup; exit 0; }
  362. echo -e "\nTesting for _build directory as part of distcheck, different paths"
  363. currentDir=`pwd`
  364. if [ $currentDir = *"_build" ]
  365. then
  366. echo -e "_build directory detected, moving a directory back"
  367. cd ..
  368. fi
echo -e "\nChecking for wolfSSL client - needed for cipher list"
# The example client's usage output doubles as the availability probe: a
# build without the client prints "Client not compiled in!".  No client
# means nothing can be tested, so this exits 0 rather than failing.
wolfssl_client_avail=`$WOLFSSL_CLIENT -?`
case $wolfssl_client_avail in
    *"Client not compiled in!"*)
        wolfssl_client_avail=
        echo >&2 "Requires wolfSSL client, but it's not built. Ending."
        do_cleanup
        exit 0
        ;;
esac
echo -e "\nTesting for buggy version of OpenSSL - TLS 1.3, PSK and session ticket"
# Known-bad OpenSSL releases.  1.1.1 -> openssl_psk_resume_bug: the wolfSSL
# client drops -r (resumption) for TLS 1.3 suites.  1.0.2 ->
# openssl_adh_reneg_bug: the ADH suites are skipped for everything newer
# than TLSv1.1.  Note openssl_version is reused later to carry the
# s_client protocol flag (-ssl3, -tls1, ...).
openssl_version=`$OPENSSL version`
case $openssl_version in
    "OpenSSL 1.1.1 "*)
        openssl_psk_resume_bug=yes
        ;;
    "OpenSSL 1.0.2"*)
        openssl_adh_reneg_bug=yes
        ;;
esac
# check for wolfssl server
# A missing server is not fatal: only the OpenSSL-client direction is
# skipped (start_wolfssl_server and do_openssl_client return early).
wolfssl_server_avail=`$WOLFSSL_SERVER -?`
case $wolfssl_server_avail in
    *"Server not compiled in!"*)
        wolfssl_server_avail=
        ;;
esac
# get wolfssl ciphers
wolf_ciphers=`$WOLFSSL_CLIENT -e`
# get wolfssl supported versions
wolf_versions=`$WOLFSSL_CLIENT -V`
wolf_versions="$wolf_versions:5" #5 will test without -v flag
# Both lists are colon separated, so IFS is switched to ':' just for the
# split.  NOTE(review): $'\:' is bash quoting, not POSIX sh; under a plain
# sh IFS would presumably hold the literal characters "$\:" instead, which
# happens to still contain ':'.
OIFS=$IFS # store old separator to reset
IFS=$'\:' # set delimiter
# Record which protocol families this wolfSSL build offers; wolf_tls gates
# the pre-1.3 PSK server and wolf_tls13 the TLS 1.3 PSK server below.
for version in $wolf_versions
do
    case $version in
        1|2|3)
            wolf_tls=yes
            ;;
        4)
            wolf_tls13=yes
            ;;
    esac
done
IFS=$OIFS #restore separator
#
# Start OpenSSL servers
#
# Check for certificate support in wolfSSL
# Feature probing: each check runs a tool with an option and inspects the
# output text; a non-empty variable afterwards means "supported".
wolf_certs=`$WOLFSSL_CLIENT -help 2>&1`
case $wolf_certs in
    *"cert"*)
        ;;
    *)
        wolf_certs=""
        ;;
esac
if [ "$wolf_certs" != "" ]
then
    # Check if ECC certificates supported in wolfSSL
    # (the client reports a "ca file" error when it cannot load the CA)
    wolf_ecc=`$WOLFSSL_CLIENT -A ${CERT_DIR}/ed25519/ca-ecc-cert.pem 2>&1`
    case $wolf_ecc in
        *"ca file"*)
            wolf_ecc=""
            ;;
        *)
            ;;
    esac
    # Check if Ed25519 certificates supported in wolfSSL
    wolf_ed25519=`$WOLFSSL_CLIENT -A ${CERT_DIR}/ed25519/root-ed25519.pem 2>&1`
    case $wolf_ed25519 in
        *"ca file"*)
            wolf_ed25519=""
            ;;
        *)
            ;;
    esac
    # Check if Ed25519 certificates supported in OpenSSL
    # Both sides must support the curve: an OpenSSL "unable to load" clears
    # the wolfSSL flag, so the Ed25519 servers are only started when both do.
    # s_client is given no -connect target here; only the load error text in
    # its output is inspected.
    openssl_ed25519=`$OPENSSL s_client -cert ${CERT_DIR}/ed25519/client-ed25519.pem -key ${CERT_DIR}/ed25519/client-ed25519-priv.pem 2>&1`
    case $openssl_ed25519 in
        *"unable to load"*)
            wolf_ed25519=""
            ;;
        *)
            ;;
    esac
    # Check if Ed448 certificates supported in wolfSSL
    wolf_ed448=`$WOLFSSL_CLIENT -A ${CERT_DIR}/ed448/root-ed448.pem 2>&1`
    case $wolf_ed448 in
        *"ca file"*)
            wolf_ed448=""
            ;;
        *)
            ;;
    esac
    # Check if Ed448 certificates supported in OpenSSL (same rule as Ed25519)
    openssl_ed448=`$OPENSSL s_client -cert ${CERT_DIR}/ed448/client-ed448.pem -key ${CERT_DIR}/ed448/client-ed448-priv.pem 2>&1`
    case $openssl_ed448 in
        *"unable to load"*)
            wolf_ed448=""
            ;;
        *)
            ;;
    esac
fi
# Does this s_client know -no_tls1_3?  do_openssl_client uses it to keep
# OpenSSL off TLS 1.3 for non-TLS 1.3 suites when no version is pinned.
openssl_tls13=`$OPENSSL s_client -help 2>&1`
case $openssl_tls13 in
    *no_tls1_3*)
        ;;
    *)
        openssl_tls13=
        ;;
esac
# Not all openssl versions support -allow_no_dhe_kex
# Probed from the s_client help text.  Whatever ends up in openssl_nodhe is
# appended, unquoted, to every s_server command line by start_openssl_server
# (empty when the option is unknown, so it simply disappears).
openssl_nodhe=`$OPENSSL s_client -help 2>&1`
case $openssl_nodhe in
    *allow_no_dhe_kex*)
        openssl_nodhe=-allow_no_dhe_kex
        ;;
    *)
        openssl_nodhe=
        ;;
esac
# Check suites to determine support in wolfSSL
# One pass over the wolfSSL cipher list sets a flag per suite family; the
# flags decide which server pairs get started below.  Patterns are tried in
# order, so a PSK suite only reaches the *PSK* arm if no earlier RSA/ECDSA
# pattern matched it; TLS 1.3 suites set no flag here; anything else counts
# as an RSA suite.
OIFS=$IFS # store old separator to reset
IFS=$'\:' # set delimiter
for wolfSuite in $wolf_ciphers; do
    case $wolfSuite in
        *ECDHE-RSA-*)
            ecdhe_avail=yes
            wolf_rsa=yes
            ;;
        *DHE-RSA-*)
            wolf_rsa=yes
            ;;
        *ECDH-RSA*)
            wolf_ecdh_rsa=yes
            ;;
        *ECDHE-ECDSA*|*ECDH-ECDSA*)
            wolf_ecdsa=yes
            ;;
        *ADH*)
            wolf_anon=yes
            ;;
        *PSK*)
            if [ "$wolf_psk" = "" ]
            then
                echo "Testing PSK"
                wolf_psk=1
            fi
            # pre-1.3 PSK needs a TLS 1.0-1.2 capable build
            if [ "$wolf_tls" != "" ]
            then
                wolf_tls_psk=yes
            fi
            ;;
        *TLS13*)
            ;;
        *)
            wolf_rsa=yes
    esac
done
IFS=$OIFS #restore separator
# OpenSSL must also offer anonymous DH for the ADH suites to be tested.
openssl_ciphers=`$OPENSSL ciphers ALL 2>&1`
case $openssl_ciphers in
    *ADH*)
        openssl_anon=yes
        ;;
esac
  538. # TLSv1 -> TLSv1.2 PSK secret
  539. psk_hex="1a2b3c4d"
  540. # If RSA cipher suites supported in wolfSSL then start servers
  541. if [ "$wolf_rsa" != "" -o "$wolf_tls_psk" != "" ]
  542. then
  543. if [ "$wolf_rsa" != "" ]
  544. then
  545. cert_file="${CERT_DIR}/server-cert.pem"
  546. key_file="${CERT_DIR}/server-key.pem"
  547. ca_file="${CERT_DIR}/client-ca.pem"
  548. else
  549. cert_file=
  550. key_file=
  551. ca_file=
  552. fi
  553. openssl_suite="RSA"
  554. start_openssl_server
  555. openssl_port=$server_port
  556. openssl_pid=$server_pid
  557. wolfssl_suite="RSA"
  558. if [ "$wolf_tls_psk" != "" ]
  559. then
  560. psk="-j"
  561. fi
  562. echo "cert_file=$cert_file"
  563. start_wolfssl_server
  564. psk=
  565. wolfssl_port=$server_port
  566. wolfssl_pid=$server_pid
  567. fi
  568. # If ECDH-RSA cipher suites supported in wolfSSL then start servers
  569. if [ "$wolf_ecdh_rsa" != "" ]
  570. then
  571. cert_file="${CERT_DIR}/server-ecc-rsa.pem"
  572. key_file="${CERT_DIR}/ecc-key.pem"
  573. ca_file="${CERT_DIR}/client-ca.pem"
  574. openssl_suite="ECDH-RSA"
  575. start_openssl_server
  576. ecdh_openssl_port=$server_port
  577. ecdh_openssl_pid=$server_pid
  578. wolfssl_suite="ECDH-RSA"
  579. start_wolfssl_server
  580. ecdh_wolfssl_port=$server_port
  581. ecdh_wolfssl_pid=$server_pid
  582. fi
  583. if [ "$wolf_ecdsa" != "" -a "$wolf_ecc" != "" ]
  584. then
  585. cert_file="${CERT_DIR}/server-ecc.pem"
  586. key_file="${CERT_DIR}/ecc-key.pem"
  587. ca_file="${CERT_DIR}/client-ca.pem"
  588. openssl_suite="ECDH[E]-ECDSA"
  589. start_openssl_server
  590. ecdsa_openssl_port=$server_port
  591. ecdsa_openssl_pid=$server_pid
  592. wolfssl_suite="ECDH[E]-ECDSA"
  593. start_wolfssl_server
  594. ecdsa_wolfssl_port=$server_port
  595. ecdsa_wolfssl_pid=$server_pid
  596. fi
  597. # If Ed25519 certificates supported in wolfSSL then start servers
  598. if [ "$wolf_ed25519" != "" ];
  599. then
  600. cert_file="${CERT_DIR}/ed25519/server-ed25519.pem"
  601. key_file="${CERT_DIR}/ed25519/server-ed25519-priv.pem"
  602. ca_file="${CERT_DIR}/ed25519/root-ed25519.pem"
  603. openssl_suite="Ed25519"
  604. start_openssl_server
  605. ed25519_openssl_port=$server_port
  606. ed25519_openssl_pid=$server_pid
  607. crl="-V"
  608. wolfssl_suite="Ed25519"
  609. start_wolfssl_server
  610. ed25519_wolfssl_port=$server_port
  611. ed25519_wolfssl_pid=$server_pid
  612. crl=
  613. fi
  614. # If Ed448 certificates supported in wolfSSL then start servers
  615. if [ "$wolf_ed448" != "" ];
  616. then
  617. cert_file="${CERT_DIR}/ed448/server-ed448.pem"
  618. key_file="${CERT_DIR}/ed448/server-ed448-priv.pem"
  619. ca_file="${CERT_DIR}/ed448/client-ed448.pem"
  620. openssl_suite="Ed448"
  621. start_openssl_server
  622. ed448_openssl_port=$server_port
  623. ed448_openssl_pid=$server_pid
  624. crl="-V"
  625. wolfssl_suite="Ed448"
  626. start_wolfssl_server
  627. ed448_wolfssl_port=$server_port
  628. ed448_wolfssl_pid=$server_pid
  629. crl=
  630. fi
  631. if [ "$wolf_tls13" != "" -a "$wolf_psk" != "" ]
  632. then
  633. cert_file=
  634. psk_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
  635. openssl_suite="TLSv1.3_PSK"
  636. start_openssl_server
  637. tls13_psk_openssl_port=$server_port
  638. tls13_psk_openssl_pid=$server_pid
  639. psk="-s"
  640. wolfssl_suite="TLSv1.3_PSK"
  641. start_wolfssl_server
  642. tls13_psk_wolfssl_port=$server_port
  643. tls13_psk_wolfssl_pid=$server_pid
  644. fi
  645. if [ "$wolf_anon" != "" -a "$openssl_anon" ]
  646. then
  647. cert_file=""
  648. key_file=""
  649. ca_file=""
  650. wolfssl_suite="Anon"
  651. psk="-a" # anonymous not psk
  652. start_wolfssl_server
  653. anon_wolfssl_port=$server_port
  654. anon_wolfssl_pid=$server_pid
  655. fi
  656. for s in $servers
  657. do
  658. f2=${s%:*}
  659. server_name=${f2%:*}
  660. server_port=${s##*:}
  661. check_server_ready
  662. done
  663. OIFS=$IFS # store old separator to reset
  664. IFS=$'\:' # set delimiter
  665. set -f # no globbing
  666. wolf_temp_cases_total=0
  667. wolf_temp_cases_tested=0
  668. # Testing of OpenSSL support for version requires a running OpenSSL server
  669. for version in $wolf_versions;
  670. do
  671. echo -e "version = $version"
  672. # get openssl ciphers depending on version
  673. # -s flag for only supported ciphers
  674. case $version in
  675. "0")
  676. openssl_ciphers=`$OPENSSL ciphers "SSLv3" 2>&1`
  677. # double check that can actually do a sslv3 connection using
  678. # client-cert.pem to send but any file with EOF works
  679. $OPENSSL s_client -ssl3 -no_ign_eof -host localhost -port $openssl_port < ${CERT_DIR}/client-cert.pem
  680. sslv3_sup=$?
  681. if [ $sslv3_sup != 0 ]
  682. then
  683. echo -e "Not testing SSLv3. No OpenSSL support for 'SSLv3' modifier"
  684. testing_summary="${testing_summary}SSLv3\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n"
  685. continue
  686. fi
  687. openssl_version="-ssl3"
  688. ;;
  689. "1")
  690. proto_check=`echo "hell" | $OPENSSL s_client -connect localhost:$openssl_port -tls1 2>&1`
  691. tlsv1_sup=$?
  692. if [ $tlsv1_sup != 0 ]
  693. then
  694. echo -e "Not testing TLSv1. No OpenSSL support for '-tls1'"
  695. testing_summary="${testing_summary}TLSv1\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL Support)\n"
  696. continue
  697. fi
  698. openssl_ciphers=`$OPENSSL ciphers -s "TLSv1" 2>&1`
  699. tlsv1_sup=$?
  700. if [ $tlsv1_sup != 0 ]
  701. then
  702. echo -e "Not testing TLSv1. No OpenSSL support for 'TLSv1' modifier"
  703. testing_summary="${testing_summary}TLSv1\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n"
  704. continue
  705. fi
  706. openssl_version="-tls1"
  707. ;;
  708. "2")
  709. # Same ciphers for TLSv1.1 as TLSv1
  710. proto_check=`echo "hello" | $OPENSSL s_client -connect localhost:$openssl_port -tls1_1 2>&1`
  711. tlsv1_1_sup=$?
  712. if [ $tlsv1_1_sup != 0 ]
  713. then
  714. echo -e "Not testing TLSv1.1. No OpenSSL support for 'TLSv1.1' modifier"
  715. testing_summary="${testing_summary}TLSv1.1\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n"
  716. continue
  717. fi
  718. openssl_ciphers=`$OPENSSL ciphers -s "TLSv1" 2>&1`
  719. tlsv1_sup=$?
  720. if [ $tlsv1_sup != 0 ]
  721. then
  722. echo -e "Not testing TLSv1. No OpenSSL support for 'TLSv1' modifier"
  723. testing_summary="${testing_summary}TLSv1\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n"
  724. continue
  725. fi
  726. openssl_version="-tls1_1"
  727. ;;
  728. "3")
  729. openssl_ciphers=`$OPENSSL ciphers -s "TLSv1.2" 2>&1`
  730. tlsv1_2_sup=$?
  731. if [ $tlsv1_2_sup != 0 ]
  732. then
  733. echo -e "Not testing TLSv1.2. No OpenSSL support for 'TLSv1.2' modifier"
  734. testing_summary="${testing_summary}TLSv1.2\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n"
  735. continue
  736. fi
  737. openssl_version="-tls1_2"
  738. ;;
  739. "4")
  740. openssl_ciphers=`$OPENSSL ciphers -tls1_3 2>&1`
  741. tlsv1_3_sup=$?
  742. if [ $tlsv1_3_sup != 0 ]
  743. then
  744. echo -e "Not testing TLSv1.3. No OpenSSL support for 'TLSv1.3' modifier"
  745. testing_summary="${testing_summary}TLSv1.3\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n"
  746. continue
  747. fi
  748. ecc_support=`$WOLFSSL_CLIENT -? 2>&1 | grep 'ECC named groups'`
  749. openssl_version="-tls1_3"
  750. ;;
  751. "d(downgrade)")
  752. version="d"
  753. openssl_version=""
  754. ;;
  755. "e(either)")
  756. continue
  757. ;;
  758. "5") #test all suites
  759. openssl_ciphers=`$OPENSSL ciphers -s "ALL" 2>&1`
  760. all_sup=$?
  761. if [ $all_sup != 0 ]
  762. then
  763. echo -e "Not testing ALL. No OpenSSL support for ALL modifier"
  764. testing_summary="${testing_summary}ALL\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n"
  765. continue
  766. fi
  767. openssl_version=""
  768. ;;
  769. "")
  770. openssl_ciphers=`$OPENSSL ciphers 2>&1`
  771. all_sup=$?
  772. if [ $all_sup != 0 ]
  773. then
  774. echo -e "Not testing ALL. No OpenSSL support for ALL modifier"
  775. testing_summary="${testing_summary}ALL\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n"
  776. continue
  777. fi
  778. openssl_version=""
  779. ;;
  780. esac
  781. for wolfSuite in $wolf_ciphers; do
  782. echo -e "trying wolfSSL cipher suite $wolfSuite"
  783. wolf_temp_cases_total=$((wolf_temp_cases_total + 1))
  784. open_temp_cases_total=$((open_temp_cases_total + 1))
  785. matchSuite=0;
  786. tls13_suite=
  787. case $wolfSuite in
  788. "TLS13-AES128-GCM-SHA256")
  789. cmpSuite="TLS_AES_128_GCM_SHA256"
  790. tls13_suite="yes"
  791. ;;
  792. "TLS13-AES256-GCM-SHA384")
  793. cmpSuite="TLS_AES_256_GCM_SHA384"
  794. tls13_suite="yes"
  795. ;;
  796. "TLS13-CHACHA20-POLY1305-SHA256")
  797. cmpSuite="TLS_CHACHA20_POLY1305_SHA256"
  798. tls13_suite="yes"
  799. ;;
  800. "TLS13-AES128-CCM-SHA256")
  801. cmpSuite="TLS_AES_128_CCM_SHA256"
  802. tls13_suite="yes"
  803. ;;
  804. "TLS13-AES128-CCM-8-SHA256"|"TLS13-AES128-CCM8-SHA256")
  805. cmpSuite="TLS_AES_128_CCM_8_SHA256"
  806. tls13_suite="yes"
  807. ;;
  808. "TLS13-SHA256-SHA256")
  809. continue
  810. ;;
  811. "TLS13-SHA384-SHA384")
  812. continue
  813. ;;
  814. "TLS13-"*)
  815. echo -e "Suite = $wolfSuite not recognized!"
  816. echo -e "Add translation of wolfSSL name to OpenSSL"
  817. do_cleanup
  818. exit 1
  819. ;;
  820. *)
  821. cmpSuite=$wolfSuite
  822. ;;
  823. esac
  824. case ":$openssl_ciphers:" in *":$cmpSuite:"*) # add extra : for edge cases
  825. case "$cmpSuite" in
  826. "TLS_"*)
  827. if [ "$version" != "4" -a "$version" != "d" ]
  828. then
  829. echo -e "TLS 1.3 cipher suite but not TLS 1.3 protocol"
  830. matchSuite=0
  831. else
  832. echo -e "Matched to OpenSSL suite support"
  833. matchSuite=1
  834. fi
  835. ;;
  836. *)
  837. if [ "$version" = "d" -a "$wolfdowngrade" = "4" ]
  838. then
  839. echo -e "Not TLS 1.3 cipher suite but TLS 1.3 downgrade"
  840. matchSuite=0
  841. elif [ "$version" != "4" ]
  842. then
  843. echo -e "Matched to OpenSSL suite support"
  844. matchSuite=1
  845. else
  846. echo -e "Not TLS 1.3 cipher suite but TLS 1.3 protocol"
  847. matchSuite=0
  848. fi
  849. ;;
  850. esac
  851. ;;
  852. esac
  853. if [ $matchSuite = 0 ]
  854. then
  855. echo -e "Couldn't match suite, continuing..."
  856. continue
  857. fi
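  # check for psk suite and turn on client psk if so
  # Per-suite client settings, cleared for every suite so that nothing set
  # by a previous iteration leaks into do_wolfssl_client/do_openssl_client.
  # NOTE(review): openssl_psk is not reset here; only the TLS13 branch below
  # clears it after use. Confirm whether a "-psk" value set by a *PSK* suite
  # is meant to carry over into the OpenSSL client run of the next suite.
  psk=""
  adh=""
  crl=""
  cert=""
  key=""
  caCert=""
  # Select certificates, ports and client flags by cipher-suite family.
  # Every operand inside the "[" tests is quoted and the tests are joined
  # with && rather than -a: an unquoted blank or empty value (the " "
  # version token, an empty openssl_nodhe) vanishes after word-splitting
  # and leaves "[" with a malformed expression, which only happens to
  # produce the intended branch by accident and prints an error.
  case $wolfSuite in
    *ECDH-RSA*)
      cert="${CERT_DIR}/client-cert.pem"
      key="${CERT_DIR}/client-key.pem"
      caCert="${CERT_DIR}/ca-cert.pem"
      port=$ecdh_openssl_port
      do_wolfssl_client
      port=$ecdh_wolfssl_port
      do_openssl_client
      ;;
    *ECDHE-ECDSA*|*ECDH-ECDSA*)
      if [ "$wolf_ecc" != "" ]; then
        cert="${CERT_DIR}/client-cert.pem"
        key="${CERT_DIR}/client-key.pem"
        caCert="${CERT_DIR}/ca-ecc-cert.pem"
        port=$ecdsa_openssl_port
        do_wolfssl_client
        port=$ecdsa_wolfssl_port
        do_openssl_client
      else
        # No ECC in this wolfSSL build: the suite is not counted as a case.
        wolf_temp_cases_total=$((wolf_temp_cases_total - 1))
      fi
      # Ed25519/Ed448 runs happen only when the matching OpenSSL server was
      # started (pid differs from no_pid) and the version is not 0, 1 or 2.
      # NOTE(review): this branch uses server-ed25519.pem as the *client*
      # certificate while the Ed448 branch uses a client-* file; confirm
      # that is intended.
      if [ "$ed25519_openssl_pid" != "$no_pid" ] && [ "$version" != "0" ] \
         && [ "$version" != "1" ] && [ "$version" != "2" ]; then
        cert="${CERT_DIR}/ed25519/server-ed25519.pem"
        key="${CERT_DIR}/ed25519/server-ed25519-priv.pem"
        caCert="${CERT_DIR}/ed25519/server-ed25519.pem"
        wolf_temp_cases_total=$((wolf_temp_cases_total + 1))
        port=$ed25519_openssl_port
        crl="-C"
        do_wolfssl_client
        open_temp_cases_total=$((open_temp_cases_total + 1))
        port=$ed25519_wolfssl_port
        do_openssl_client
      fi
      if [ "$ed448_openssl_pid" != "$no_pid" ] && [ "$version" != "0" ] \
         && [ "$version" != "1" ] && [ "$version" != "2" ]; then
        cert="${CERT_DIR}/ed448/client-ed448.pem"
        key="${CERT_DIR}/ed448/client-ed448-priv.pem"
        caCert="${CERT_DIR}/ed448/server-ed448.pem"
        wolf_temp_cases_total=$((wolf_temp_cases_total + 1))
        port=$ed448_openssl_port
        crl="-C"
        do_wolfssl_client
        open_temp_cases_total=$((open_temp_cases_total + 1))
        port=$ed448_wolfssl_port
        do_openssl_client
      fi
      ;;
    *DHE-PSK*)
      cert="${CERT_DIR}/client-cert.pem"
      key="${CERT_DIR}/client-key.pem"
      caCert="${CERT_DIR}/ca-cert.pem"
      port=$openssl_port
      psk="-s"
      do_wolfssl_client
      # Skip when no RSA as some versions of OpenSSL can't handle no
      # signature
      if [ "$wolf_rsa" != "" ]; then
        port=$wolfssl_port
        openssl_psk="-psk 1a2b3c4d"
        do_openssl_client
      fi
      ;;
    *PSK*)
      cert="${CERT_DIR}/client-cert.pem"
      key="${CERT_DIR}/client-key.pem"
      caCert="${CERT_DIR}/ca-cert.pem"
      port=$openssl_port
      psk="-s"
      do_wolfssl_client
      port=$wolfssl_port
      openssl_psk="-psk 1a2b3c4d"
      do_openssl_client
      ;;
    *ADH*)
      cert="${CERT_DIR}/client-cert.pem"
      key="${CERT_DIR}/client-key.pem"
      caCert="${CERT_DIR}/ca-cert.pem"
      # When openssl_adh_reneg_bug is set, anonymous suites are skipped for
      # every version other than 0, 1 and 2.
      if [ "$version" != "0" ] && [ "$version" != "1" ] && [ "$version" != "2" ] \
         && [ "$openssl_adh_reneg_bug" != "" ]; then
        continue
      fi
      port=$openssl_port
      adh="-a"
      do_wolfssl_client
      port=$anon_wolfssl_port
      do_openssl_client
      ;;
    TLS13*)
      # TLS 1.3 suites are only exercised for the version tokens that allow
      # TLS 1.3 ("4", "d", " " and "5"); everything else is skipped.
      if [ "$version" != "4" ] && [ "$version" != "d" ] && [ "$version" != " " ] \
         && [ "$version" != "5" ]; then
        continue
      fi
      tls13_cipher=yes
      # RSA
      if [ "$openssl_pid" != "$no_pid" ] && [ "$ecdhe_avail" = "yes" ]; then
        cert="${CERT_DIR}/client-cert.pem"
        key="${CERT_DIR}/client-key.pem"
        caCert="${CERT_DIR}/ca-cert.pem"
        port=$openssl_port
        do_wolfssl_client
        port=$wolfssl_port
        do_openssl_client
      fi
      # PSK
      if [ "$wolf_psk" != "" ] && [ "$wolfSuite" = "TLS13-AES128-GCM-SHA256" ] \
         && [ "$wolf_ecc" != "" ] && [ "$openssl_nodhe" != "" ]; then
        cert=""
        key=""
        caCert=""
        wolf_temp_cases_total=$((wolf_temp_cases_total + 1))
        port=$tls13_psk_openssl_port
        psk="-s"
        # OpenSSL doesn't support DH for key exchange so do no PSK
        # DHE when ECC not supported
        # NOTE(review): unreachable as written; the enclosing test already
        # requires "$wolf_ecc" != "", so "-K" is never added. Either the
        # outer condition or this inner one is probably not what was meant.
        if [ "$wolf_ecc" = "" ]; then
          adh="-K"
        fi
        do_wolfssl_client
        psk=""
        adh=""
        openssl_psk="-psk 0123456789abcdef0123456789abcdef"
        open_temp_cases_total=$((open_temp_cases_total + 1))
        port=$wolfssl_port
        do_openssl_client
        open_temp_cases_total=$((open_temp_cases_total + 1))
        port=$tls13_psk_wolfssl_port
        do_openssl_client
        openssl_psk=""
      fi
      # ECDSA
      if [ "$ecdsa_openssl_pid" != "$no_pid" ] && [ "$wolf_ecc" != "" ]; then
        cert="${CERT_DIR}/client-ecc-cert.pem"
        key="${CERT_DIR}/ecc-client-key.pem"
        # caCert is set once; the other branches rely on it surviving
        # do_wolfssl_client unchanged, so the repeated assignments were
        # redundant.
        caCert="${CERT_DIR}/ca-ecc-cert.pem"
        wolf_temp_cases_total=$((wolf_temp_cases_total + 1))
        port=$ecdsa_openssl_port
        do_wolfssl_client
        open_temp_cases_total=$((open_temp_cases_total + 1))
        port=$ecdsa_wolfssl_port
        do_openssl_client
      fi
      # Ed25519
      if [ "$ed25519_openssl_pid" != "$no_pid" ]; then
        cert="${CERT_DIR}/ed25519/server-ed25519.pem"
        key="${CERT_DIR}/ed25519/server-ed25519-priv.pem"
        caCert="${CERT_DIR}/ed25519/server-ed25519.pem"
        wolf_temp_cases_total=$((wolf_temp_cases_total + 1))
        port=$ed25519_openssl_port
        crl="-C"
        do_wolfssl_client
        open_temp_cases_total=$((open_temp_cases_total + 1))
        port=$ed25519_wolfssl_port
        do_openssl_client
      fi
      # Ed448
      if [ "$ed448_openssl_pid" != "$no_pid" ]; then
        cert="${CERT_DIR}/ed448/client-ed448.pem"
        key="${CERT_DIR}/ed448/client-ed448-priv.pem"
        caCert="${CERT_DIR}/ed448/server-ed448.pem"
        wolf_temp_cases_total=$((wolf_temp_cases_total + 1))
        port=$ed448_openssl_port
        crl="-C"
        do_wolfssl_client
        open_temp_cases_total=$((open_temp_cases_total + 1))
        port=$ed448_wolfssl_port
        do_openssl_client
      fi
      tls13_cipher=
      ;;
    *)
      # Any other suite: plain RSA certificate run in both directions.
      cert="${CERT_DIR}/client-cert.pem"
      key="${CERT_DIR}/client-key.pem"
      caCert="${CERT_DIR}/ca-cert.pem"
      port=$openssl_port
      do_wolfssl_client
      port=$wolfssl_port
      do_openssl_client
      ;;
  esac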
  1055. done
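  # Fold this version's per-version counters into the run totals, report
  # them, append a summary row, and reset the counters for the next version.
  # Interpolated values are printed through printf '%s' rather than echo -e
  # so the data is never subject to escape interpretation.
  wolf_cases_tested=$((wolf_temp_cases_tested + wolf_cases_tested))
  wolf_cases_total=$((wolf_temp_cases_total + wolf_cases_total))
  printf 'wolfSSL cases tested with version:%s %s\n' "$version" "$wolf_temp_cases_tested"
  open_cases_tested=$((open_temp_cases_tested + open_cases_tested))
  open_cases_total=$((open_temp_cases_total + open_cases_total))
  printf 'OpenSSL cases tested with version:%s %s\n' "$version" "$open_temp_cases_tested"
  # version_name presumably sets versionName from $version — defined elsewhere.
  version_name
  # Row uses literal \t and \n; they are expanded when the summary is printed.
  testing_summary="$testing_summary$versionName\tYes\t$wolf_temp_cases_total\t$wolf_temp_cases_tested\t$open_temp_cases_total\t$open_temp_cases_tested\n"
  wolf_temp_cases_total=0
  wolf_temp_cases_tested=0
  open_temp_cases_total=0
  open_temp_cases_tested=0
  wolfdowngrade="$version"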
  1069. done
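  # All versions done: restore the field separator changed earlier for the
  # suite list, stop the servers, and print the totals and the summary table.
  IFS=$OIFS #restore separator
  do_cleanup
  printf 'wolfSSL total cases %s\n' "$wolf_cases_total"
  printf 'wolfSSL cases tested %s\n' "$wolf_cases_tested"
  printf 'OpenSSL total cases %s\n' "$open_cases_total"
  printf 'OpenSSL cases tested %s\n' "$open_cases_tested"
  printf '\nSuccess!\n\n\n\n\n'
  # %b expands the \t/\n sequences stored in the summary rows (as echo -e did).
  printf '%b\n' "$testing_summary"
  exit 0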