2
0

tls13.test 7.8 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300
  1. #!/bin/sh
  2. # tls13.test
  3. # Copyright wolfSSL 2016-2021
  4. # if we can, isolate the network namespace to eliminate port collisions.
  5. if [ "${AM_BWRAPPED-}" != "yes" ]; then
  6. bwrap_path="$(command -v bwrap)"
  7. if [ -n "$bwrap_path" ]; then
  8. export AM_BWRAPPED=yes
  9. exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
  10. fi
  11. unset AM_BWRAPPED
  12. fi
  13. # getting unique port is modeled after resume.test script
  14. # need a unique port since may run the same time as testsuite
  15. # use server port zero hack to get one
  16. port=0
  17. no_pid=-1
  18. server_pid=$no_pid
  19. counter=0
  20. # let's use absolute path to a local dir (make distcheck may be in sub dir)
  21. # also let's add some randomness by adding pid in case multiple 'make check's
  22. # per source tree
  23. ready_file=`pwd`/wolfssl_tls13_ready$$
  24. client_file=`pwd`/wolfssl_tls13_client$$
  25. # Server output
  26. server_out_file=`pwd`/wolfssl_tls13_server_out$$
  27. # Client output
  28. client_out_file=`pwd`/wolfssl_tls13_client_out$$
  29. echo "ready file $ready_file"
  30. create_port() {
  31. while [ ! -s $ready_file ]; do
  32. if [ "$counter" -gt 50 ]; then
  33. break
  34. fi
  35. echo -e "waiting for ready file..."
  36. sleep 0.1
  37. counter=$((counter+ 1))
  38. done
  39. if [ -e $ready_file ]; then
  40. echo -e "found ready file, starting client..."
  41. # sleep for an additional 0.1 to mitigate race on write/read of $ready_file:
  42. sleep 0.1
  43. # get created port 0 ephemeral port
  44. port=`cat $ready_file`
  45. else
  46. echo -e "NO ready file ending test..."
  47. do_cleanup
  48. fi
  49. }
  50. remove_ready_file() {
  51. if [ -e $ready_file ]; then
  52. echo -e "removing existing ready file"
  53. rm $ready_file
  54. fi
  55. }
  56. do_cleanup() {
  57. echo "in cleanup"
  58. if [ $server_pid != $no_pid ]
  59. then
  60. echo "killing server"
  61. kill -9 $server_pid
  62. server_pid=$no_pid
  63. fi
  64. remove_ready_file
  65. if [ -e $client_file ]; then
  66. echo -e "removing existing client file"
  67. rm $client_file
  68. fi
  69. if [ -e $server_out_file ]; then
  70. echo -e "removing existing server output file"
  71. rm $server_out_file
  72. fi
  73. if [ -e $client_out_file ]; then
  74. echo -e "removing existing client output file"
  75. rm $client_out_file
  76. fi
  77. }
  78. do_trap() {
  79. echo "got trap"
  80. do_cleanup
  81. exit -1
  82. }
  83. trap do_trap INT TERM
  84. [ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
  85. ./examples/client/client '-?' 2>&1 | grep -- 'Client not compiled in!'
  86. if [ $? -eq 0 ]; then
  87. exit 0
  88. fi
  89. ./examples/server/server '-?' 2>&1 | grep -- 'Server not compiled in!'
  90. if [ $? -eq 0 ]; then
  91. exit 0
  92. fi
  93. # Usual TLS v1.3 server / TLS v1.3 client.
  94. echo -e "\n\nTLS v1.3 server with TLS v1.3 client"
  95. port=0
  96. ./examples/server/server -v 4 -R $ready_file -p $port &
  97. server_pid=$!
  98. create_port
  99. ./examples/client/client -v 4 -p $port | tee $client_file
  100. RESULT=$?
  101. remove_ready_file
  102. if [ $RESULT -ne 0 ]; then
  103. echo -e "\n\nTLS v1.3 not enabled"
  104. do_cleanup
  105. exit 1
  106. fi
  107. echo ""
  108. # TLS 1.3 cipher suites server / client.
  109. echo -e "\n\nTLS v1.3 cipher suite mismatch"
  110. port=0
  111. ./examples/server/server -v 4 -R $ready_file -p $port -l TLS13-CHACHA20-POLY1305-SHA256 &
  112. server_pid=$!
  113. create_port
  114. ./examples/client/client -v 4 -p $port -l TLS13-AES256-GCM-SHA384
  115. RESULT=$?
  116. remove_ready_file
  117. if [ $RESULT -eq 0 ]; then
  118. echo -e "\n\nIssue with mismatched TLS v1.3 cipher suites"
  119. do_cleanup
  120. exit 1
  121. fi
  122. do_cleanup
  123. echo ""
  124. cat ./wolfssl/options.h | grep -- 'NO_CERTS'
  125. NO_CERTS=$?
  126. cat ./wolfssl/options.h | grep -- 'WOLFSSL_NO_CLIENT_AUTH'
  127. NO_CLIENT_AUTH=$?
  128. if [ $NO_CERTS -ne 0 -a $NO_CLIENT_AUTH -ne 0 ]; then
  129. # TLS 1.3 mutual auth required but client doesn't send certificates.
  130. echo -e "\n\nTLS v1.3 mutual auth fail"
  131. port=0
  132. ./examples/server/server -v 4 -F -R $ready_file -p $port &
  133. server_pid=$!
  134. create_port
  135. ./examples/client/client -v 4 -x -p $port
  136. RESULT=$?
  137. remove_ready_file
  138. if [ $RESULT -eq 0 ]; then
  139. echo -e "\n\nIssue with requiring mutual authentication"
  140. do_cleanup
  141. exit 1
  142. fi
  143. do_cleanup
  144. echo ""
  145. fi
  146. # Check for TLS 1.2 support
  147. ./examples/client/client -v 3 2>&1 | grep -- 'Bad SSL version'
  148. if [ $? -ne 0 ]; then
  149. # TLS 1.3 server / TLS 1.2 client.
  150. echo -e "\n\nTLS v1.3 server downgrading to TLS v1.2"
  151. port=0
  152. ./examples/server/server -v 4 -R $ready_file -p $port &
  153. server_pid=$!
  154. create_port
  155. ./examples/client/client -v 3 -p $port
  156. RESULT=$?
  157. remove_ready_file
  158. if [ $RESULT -eq 0 ]; then
  159. echo -e "\n\nIssue with TLS v1.3 server downgrading to TLS v1.2"
  160. do_cleanup
  161. exit 1
  162. fi
  163. do_cleanup
  164. echo ""
  165. # TLS 1.2 server / TLS 1.3 client.
  166. echo -e "\n\nTLS v1.3 client upgrading server to TLS v1.3"
  167. port=0
  168. ./examples/server/server -v 3 -R $ready_file -p $port &
  169. server_pid=$!
  170. create_port
  171. ./examples/client/client -v 4 -p $port
  172. RESULT=$?
  173. remove_ready_file
  174. if [ $RESULT -eq 0 ]; then
  175. echo -e "\n\nIssue with TLS v1.3 client upgrading server to TLS v1.3"
  176. do_cleanup
  177. exit 1
  178. fi
  179. do_cleanup
  180. echo ""
  181. echo "Find usable TLS 1.2 cipher suite"
  182. for CS in ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256
  183. do
  184. echo $CS
  185. ./examples/client/client -e | grep $CS >/dev/null
  186. if [ "$?" = "0" ]; then
  187. TLS12_CS=$CS
  188. break
  189. fi
  190. do_cleanup
  191. done
  192. if [ "$TLS12_CS" != "" ]; then
  193. # TLS 1.3 downgrade server and client - no common TLS 1.3 ciphers
  194. echo -e "\n\nTLS v1.3 downgrade server and client - no common TLS 1.3 ciphers"
  195. port=0
  196. SERVER_CS="TLS13-AES256-GCM-SHA384:$TLS12_CS"
  197. CLIENT_CS="TLS13-AES128-GCM-SHA256:$TLS12_CS"
  198. ./examples/server/server -v d -l $SERVER_CS -R $ready_file -p $port &
  199. server_pid=$!
  200. create_port
  201. ./examples/client/client -v d -l $CLIENT_CS -p $port
  202. RESULT=$?
  203. remove_ready_file
  204. if [ $RESULT -eq 0 ]; then
  205. echo -e "\n\nTLS v1.3 downgrading to TLS v1.2 due to ciphers"
  206. do_cleanup
  207. exit 1
  208. fi
  209. do_cleanup
  210. echo ""
  211. else
  212. echo "No usable TLS 1.2 cipher suite found"
  213. fi
  214. fi
  215. # Check for EarlyData support
  216. ./examples/client/client -? 2>&1 | grep -- 'Early data'
  217. if [ $? -eq 0 ]; then
  218. early_data=yes
  219. fi
  220. ./examples/client/client -? 2>&1 | grep -- 'Shared keys'
  221. if [ $? -eq 0 ]; then
  222. psk=yes
  223. fi
  224. if [ "$early_data" = "yes" ]; then
  225. echo -e "\n\nTLS v1.3 Early Data - session ticket"
  226. port=0
  227. (./examples/server/server -v 4 -r -0 -R $ready_file -p $port 2>&1 | \
  228. tee $server_out_file) &
  229. server_pid=$!
  230. create_port
  231. ./examples/client/client -v 4 -r -0 -p $port 2>&1 >$client_out_file
  232. RESULT=$?
  233. cat $client_out_file
  234. remove_ready_file
  235. grep 'Session Ticket' $client_out_file
  236. session_ticket=$?
  237. early_data_cnt=`grep 'Early Data' $server_out_file | wc -l`
  238. if [ $session_ticket -eq 0 -a $early_data_cnt -ne 4 ]; then
  239. RESULT=1
  240. fi
  241. if [ $RESULT -ne 0 ]; then
  242. echo -e "\n\nIssue with TLS v1.3 Early Data - session ticket"
  243. do_cleanup
  244. exit 1
  245. fi
  246. do_cleanup
  247. echo ""
  248. fi
  249. if [ "$early_data" = "yes" -a "$psk" = "yes" ]; then
  250. echo -e "\n\nTLS v1.3 Early Data - PSK"
  251. port=0
  252. (./examples/server/server -v 4 -s -0 -R $ready_file -p $port 2>&1 | \
  253. tee $server_out_file) &
  254. server_pid=$!
  255. create_port
  256. ./examples/client/client -v 4 -s -0 -p $port
  257. RESULT=$?
  258. remove_ready_file
  259. early_data_cnt=`grep 'Early Data' $server_out_file | wc -l`
  260. if [ $early_data_cnt -ne 3 -a $early_data_cnt -ne 4 ]; then
  261. RESULT=1
  262. fi
  263. if [ $RESULT -ne 0 ]; then
  264. echo -e "\n\nIssue with TLS v1.3 Early Data - PSK"
  265. do_cleanup
  266. exit 1
  267. fi
  268. else
  269. echo "Early Data not available"
  270. fi
  271. do_cleanup
  272. echo -e "\nALL Tests Passed"
  273. exit 0