1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300 |
- #!/usr/bin/env bash
- # openssl.test
- # Environment variables used:
- # OPENSSL (openssl app to use)
- # OPENSSL_ENGINE_ID (engine id if any i.e. "wolfengine")
- CERT_DIR="$PWD/$(dirname "$0")/../certs"
- if ! test -n "$WOLFSSL_OPENSSL_TEST"; then
- echo "WOLFSSL_OPENSSL_TEST NOT set, won't run"
- exit 77
- fi
- # if we can, isolate the network namespace to eliminate port collisions.
- if [[ -n "$NETWORK_UNSHARE_HELPER" ]]; then
- if [[ -z "$NETWORK_UNSHARE_HELPER_CALLED" ]]; then
- export NETWORK_UNSHARE_HELPER_CALLED=yes
- exec "$NETWORK_UNSHARE_HELPER" "$0" "$@" || exit $?
- fi
- elif [ "${AM_BWRAPPED-}" != "yes" ]; then
- bwrap_path="$(command -v bwrap)"
- if [ -n "$bwrap_path" ]; then
- export AM_BWRAPPED=yes
- exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
- fi
- unset AM_BWRAPPED
- fi
- echo "WOLFSSL_OPENSSL_TEST set, running test..."
- # need a unique port since may run the same time as testsuite
- generate_port() {
- #-------------------------------------------------------------------------#
- # Generate a random port number
- #-------------------------------------------------------------------------#
- if [[ "$OSTYPE" == "linux"* ]]; then
- port=$(($(od -An -N2 /dev/urandom) % (65535-49512) + 49512))
- elif [[ "$OSTYPE" == "darwin"* ]]; then
- port=$(($(od -An -N2 /dev/random) % (65535-49512) + 49512))
- else
- echo "Unknown OS TYPE"
- exit 1
- fi
- }
- no_pid=-1
- servers=""
- openssl_pid=$no_pid
- ecdh_openssl_pid=$no_pid
- ecdsa_openssl_pid=$no_pid
- ed25519_openssl_pid=$no_pid
- ed448_openssl_pid=$no_pid
- tls13_psk_openssl_pid=$no_pid
- wolfssl_pid=$no_pid
- ecdh_wolfssl_pid=$no_pid
- ecdsa_wolfssl_pid=$no_pid
- ed25519_wolfssl_pid=$no_pid
- ed448_wolfssl_pid=$no_pid
- tls13_psk_wolfssl_pid=$no_pid
- anon_wolfssl_pid=$no_pid
- wolf_cases_tested=0
- wolf_cases_total=0
- counter=0
- wolfssl_no_resume=""
- testing_summary="OpenSSL Interop Testing Summary:\nVersion\tTested\t#Found\t#wolf\t#Found\t#OpenSSL\n"
- versionName="Invalid"
- if [ "$OPENSSL" = "" ]; then
- OPENSSL=openssl
- fi
- WOLFSSL_SERVER=./examples/server/server
- WOLFSSL_CLIENT=./examples/client/client
- version_name() {
- case $version in "0")
- versionName="SSLv3"
- ;;
- "1")
- versionName="TLSv1"
- ;;
- "2")
- versionName="TLSv1.1"
- ;;
- "3")
- versionName="TLSv1.2"
- ;;
- "4")
- versionName="TLSv1.3"
- ;;
- "d")
- versionName="Down"
- ;;
- "")
- versionName="Def"
- ;;
- "5")
- versionName="ALL"
- ;;
- esac
- }
- do_cleanup() {
- echo "in cleanup"
- IFS=$OIFS #restore separator
- for s in $servers
- do
- f2=${s%:*}
- sname=${f2%:*}
- pid=${f2##*:}
- port=${s##*:}
- echo "killing server: $sname ($port)"
- kill -9 $pid
- done
- }
- do_trap() {
- echo "got trap"
- do_cleanup
- exit 1
- }
- trap do_trap INT TERM
- check_process_running() {
- if [ "$ps_grep" = "" ]
- then
- ps -p $server_pid > /dev/null
- PS_EXIT=$?
- else
- ps | grep "^ *$server_pid " > /dev/null
- PS_EXIT=$?
- fi
- }
- #
- # Start an OpenSSL server
- #
- start_openssl_server() {
- if [ "$wolfssl_client_avail" = "" ]
- then
- return
- fi
- generate_port
- server_port=$port
- found_free_port=0
- counter=0
- # If OPENSSL_ENGINE_ID has been set then check that the desired engine can
- # be loaded successfully and error out if not. Otherwise the OpenSSL app
- # will fall back to default engine.
- if [ ! -z "${OPENSSL_ENGINE_ID}" ]; then
- OUTPUT=`$OPENSSL engine -tt $OPENSSL_ENGINE_ID`
- if [ $? != 0 ]; then
- printf "not able to load engine\n"
- printf "$OPENSSL engine -tt $OPENSSL_ENGINE_ID\n"
- do_cleanup
- exit 1
- else
- echo $OUTPUT | grep "available"
- if [ $? != 0 ]; then
- printf "engine not available\n"
- do_cleanup
- exit 1
- fi
- fi
- OPENSSL_ENGINE_ID="-engine ${OPENSSL_ENGINE_ID}"
- fi
- while [ "$counter" -lt 20 ]; do
- echo -e "\n# Trying to start $openssl_suite OpenSSL server on port $server_port..."
- echo "#"
- if [ "$cert_file" != "" ]
- then
- echo "# " $OPENSSL s_server -accept $server_port $OPENSSL_ENGINE_ID -cert \"$cert_file\" -key \"$key_file\" -quiet -CAfile \"$ca_file\" -www -dhparam \"${CERT_DIR}/dh2048.pem\" -verify 10 -verify_return_error -psk $psk_hex -cipher "ALL:eNULL" $openssl_nodhe
- $OPENSSL s_server -accept $server_port $OPENSSL_ENGINE_ID -cert "$cert_file" -key "$key_file" -quiet -CAfile "$ca_file" -www -dhparam "${CERT_DIR}/dh2048.pem" -verify 10 -verify_return_error -psk $psk_hex -cipher "ALL:eNULL" $openssl_nodhe &
- else
- echo "# " $OPENSSL s_server -accept $server_port $OPENSSL_ENGINE_ID -quiet -nocert -www -dhparam \"${CERT_DIR}/dh2048.pem\" -verify 10 -verify_return_error -psk $psk_hex -cipher "ALL:eNULL" $openssl_nodhe
- $OPENSSL s_server -accept $server_port $OPENSSL_ENGINE_ID -quiet -nocert -www -dhparam "${CERT_DIR}/dh2048.pem" -verify 10 -verify_return_error -psk $psk_hex -cipher "ALL:eNULL" $openssl_nodhe &
- fi
- server_pid=$!
- # wait to see if s_server successfully starts before continuing
- sleep 0.1
- check_process_running
- if [ "$PS_EXIT" = "0" ]
- then
- echo "s_server started successfully on port $server_port"
- found_free_port=1
- break
- else
- #port already started, try a different port
- counter=$((counter+ 1))
- generate_port
- server_port=$port
- fi
- done
- if [ $found_free_port = 0 ]
- then
- echo -e "Couldn't find free port for server"
- do_cleanup
- exit 1
- fi
- servers="$servers OpenSSL_$openssl_suite:$server_pid:$server_port"
- }
- #
- # Start a wolfSSL server
- #
- start_wolfssl_server() {
- if [ "$wolfssl_server_avail" = "" ]
- then
- echo "# wolfSSL server not available"
- return
- fi
- wolfssl_cert=""
- wolfssl_key=""
- wolfssl_caCert=""
- if [ "$cert_file" != "" ]
- then
- wolfssl_cert="-c$cert_file"
- fi
- if [ "$key_file" != "" ]
- then
- wolfssl_key="-k$key_file"
- fi
- if [ "$ca_file" != "" ]
- then
- wolfssl_caCert="-A$ca_file"
- fi
- generate_port
- server_port=$port
- found_free_port=0
- counter=0
- while [ "$counter" -lt 20 ]; do
- echo -e "\n# Trying to start $wolfssl_suite wolfSSL server on port $server_port..."
- echo "#"
- echo "# $WOLFSSL_SERVER -p $server_port -g -v d -x -i $psk $crl -l ALL \"$wolfssl_cert\" \"$wolfssl_key\" \"$wolfssl_caCert\""
- $WOLFSSL_SERVER -p $server_port -g -v d -x -i $psk $crl -l ALL "$wolfssl_cert" "$wolfssl_key" "$wolfssl_caCert" &
- server_pid=$!
- # wait to see if server successfully starts before continuing
- sleep 0.1
- check_process_running
- if [ "$PS_EXIT" = "0" ]
- then
- echo "wolfSSL server started successfully on port $server_port"
- found_free_port=1
- break
- else
- #port already started, try a different port
- counter=$((counter+ 1))
- generate_port
- server_port=$port
- fi
- done
- if [ $found_free_port = 0 ]
- then
- echo -e "Couldn't find free port for server"
- do_cleanup
- exit 1
- fi
- servers="$servers wolfSSL_$wolfssl_suite:$server_pid:$server_port"
- }
- check_server_ready() {
- # server should be ready, let's make sure
- server_ready=0
- while [ "$counter" -lt 20 ]; do
- echo -e "waiting for $server_name ready..."
- echo -e Checking | nc -w 5 localhost $server_port
- nc_result=$?
- if [ $nc_result = 0 ]
- then
- echo -e "$server_name ready!"
- server_ready=1
- break
- fi
- sleep 0.1
- counter=$((counter+ 1))
- done
- if [ $server_ready = 0 ]
- then
- echo -e "Couldn't verify $server_name is running, timeout error"
- do_cleanup
- exit 1
- fi
- }
- #
- # Run wolfSSL client against OpenSSL server
- #
- do_wolfssl_client() {
- if [ "$wolfssl_client_avail" = "" ]
- then
- return
- fi
- wolfssl_cert=""
- wolfssl_key=""
- wolfssl_caCert=""
- if [ "$cert" != "" ]
- then
- wolfssl_cert="-c$cert"
- fi
- if [ "$key" != "" ]
- then
- wolfssl_key="-k$key"
- fi
- if [ "$caCert" != "" ]
- then
- wolfssl_caCert="-A$caCert"
- fi
- wolfssl_resume="-r"
- if [ "$openssl_psk_resume_bug" != "" -a "$tls13_suite" != "" ]
- then
- wolfssl_resume=
- fi
- if [ "$wolfssl_no_resume" = "yes" ]
- then
- wolfssl_resume=
- fi
- if [ "$version" != "5" -a "$version" != "" ]
- then
- echo "#"
- echo "# $WOLFSSL_CLIENT -p $port -g $wolfssl_resume -l $wolfSuite -v $version $psk $adh \"$wolfssl_cert\" \"$wolfssl_key\" \"$wolfssl_caCert\" $crl"
- $WOLFSSL_CLIENT -p $port -g $wolfssl_resume -l $wolfSuite -v $version $psk $adh "$wolfssl_cert" "$wolfssl_key" "$wolfssl_caCert" $crl
- else
- echo "#"
- echo "# $WOLFSSL_CLIENT -p $port -g $wolfssl_resume -l $wolfSuite $psk $adh \"$wolfssl_cert\" \"$wolfssl_key\" \"$wolfssl_caCert\" $crl"
- # do all versions
- $WOLFSSL_CLIENT -p $port -g $wolfssl_resume -l $wolfSuite $psk $adh "$wolfssl_cert" "$wolfssl_key" "$wolfssl_caCert" $crl
- fi
- client_result=$?
- if [ $client_result != 0 ]
- then
- echo -e "client failed! Suite = $wolfSuite version = $version"
- do_cleanup
- exit 1
- fi
- wolf_temp_cases_tested=$((wolf_temp_cases_tested+1))
- }
- #
- # Run OpenSSL client against wolfSSL server
- #
- do_openssl_client() {
- if [ "$wolfssl_server_avail" = "" ]
- then
- return
- fi
- if [ "$version" = "" -o "$version" = "5" ]
- then
- if [ "$tls13_cipher" = "" -a "$openssl_tls13" != "" ]
- then
- openssl_version="-no_tls1_3"
- fi
- fi
- if [ "$cert" != "" ]
- then
- openssl_cert1="-cert"
- openssl_cert2="$cert"
- fi
- if [ "$key" != "" ]
- then
- openssl_key1="-key"
- openssl_key2="$key"
- fi
- if [ "$caCert" != "" ]
- then
- openssl_caCert1="-CAfile"
- openssl_caCert2="$caCert"
- fi
- if [ "$tls13_cipher" = "" ]
- then
- echo "#"
- echo "# $OPENSSL s_client -connect localhost:$port -reconnect -legacy_renegotiation -cipher $cmpSuite $openssl_version $openssl_psk $openssl_cert1 \"$openssl_cert2\" $openssl_key1 \"$openssl_key2\" $openssl_caCert1 \"$openssl_caCert2\""
- echo "Hello" | eval "$OPENSSL s_client -connect localhost:$port -reconnect -legacy_renegotiation -cipher $cmpSuite $openssl_version $openssl_psk $openssl_cert1 \"$openssl_cert2\" $openssl_key1 \"$openssl_key2\" $openssl_caCert1 \"$openssl_caCert2\""
- else
- echo "#"
- echo "# $OPENSSL s_client -connect localhost:$port -reconnect -legacy_renegotiation -ciphersuites=$cmpSuite $openssl_version $openssl_psk $openssl_cert1 \"$openssl_cert2\" $openssl_key1 \"$openssl_key2\" $openssl_caCert1 \"$openssl_caCert2\""
- echo "Hello" | eval "$OPENSSL s_client -connect localhost:$port -reconnect -legacy_renegotiation -ciphersuites=$cmpSuite $openssl_version $openssl_psk $openssl_cert1 \"$openssl_cert2\" $openssl_key1 \"$openssl_key2\" $openssl_caCert1 \"$openssl_caCert2\""
- fi
- client_result=$?
- if [ $client_result != 0 ]
- then
- echo -e "client failed! Suite = $wolfSuite version = $version"
- do_cleanup
- exit 1
- fi
- open_temp_cases_tested=$((open_temp_cases_tested+1))
- }
- OIFS=$IFS # store old separator to reset
- #
- # Start
- #
- echo
- echo "wolfSSL configuration:"
- ./config.status --config
- echo
- echo "OpenSSL version:"
- $OPENSSL version -a
- echo
- ps -p $PPID >/dev/null 2>&1
- if [ "$?" = "1" ]
- then
- ps_grep="yes"
- echo "ps -p not working, using ps and grep"
- fi
- echo -e "\nTesting existence of openssl command...\n"
- command -v $OPENSSL >/dev/null 2>&1 || { echo >&2 "Requires openssl command, but it's not installed. Ending."; do_cleanup; exit 0; }
- echo -e "\nTesting for _build directory as part of distcheck, different paths"
- currentDir=`pwd`
- case "$currentDir" in
- *_build)
- echo -e "_build directory detected, moving a directory back"
- cd ..
- ;;
- esac
- echo -e "\nChecking for wolfSSL client - needed for cipher list"
- wolfssl_client_avail=`$WOLFSSL_CLIENT -?`
- case $wolfssl_client_avail in
- *"Client not compiled in!"*)
- wolfssl_client_avail=
- echo >&2 "Requires wolfSSL client, but it's not built. Ending."
- do_cleanup
- exit 0
- ;;
- esac
- echo -e "\nTesting for buggy version of OpenSSL - TLS 1.3, PSK and session ticket"
- openssl_version=`$OPENSSL version`
- case $openssl_version in
- "OpenSSL 1.1.1 "*)
- openssl_psk_resume_bug=yes
- ;;
- "OpenSSL 1.0.2"*)
- openssl_adh_reneg_bug=yes
- ;;
- esac
- # check for wolfssl server
- wolfssl_server_avail=`$WOLFSSL_SERVER -?`
- case $wolfssl_server_avail in
- *"Server not compiled in!"*)
- wolfssl_server_avail=
- ;;
- esac
- # get wolfssl ciphers
- wolf_ciphers=`$WOLFSSL_CLIENT -e`
- # get wolfssl supported versions
- wolf_versions=`$WOLFSSL_CLIENT -V`
- wolf_versions="${wolf_versions}:5" #5 will test without -v flag
- OIFS="$IFS" # store old separator to reset
- IFS=: # set delimiter
- for version in $wolf_versions
- do
- case $version in
- 1|2|3)
- wolf_tls=yes
- ;;
- 4)
- wolf_tls13=yes
- ;;
- esac
- done
- IFS="$OIFS" #restore separator
- #
- # Start OpenSSL servers
- #
- # Check for certificate support in wolfSSL
- wolf_certs=`$WOLFSSL_CLIENT -? 2>&1`
- case $wolf_certs in
- *"cert"*)
- ;;
- *)
- wolf_certs=""
- ;;
- esac
- if [ "$wolf_certs" != "" ]
- then
- echo
- # Check if RSA certificates supported in wolfSSL
- wolf_rsa=`$WOLFSSL_CLIENT -A "${CERT_DIR}/ca-cert.pem" 2>&1`
- case $wolf_rsa in
- *"ca file"*)
- echo "wolfSSL does not support RSA"
- wolf_rsa=""
- ;;
- *)
- ;;
- esac
- if [ "$wolf_rsa" != "" ]; then
- echo "wolfSSL supports RSA"
- fi
- # Check if RSA-PSS certificates supported in wolfSSL
- wolf_rsapss=`$WOLFSSL_CLIENT -A "${CERT_DIR}/rsapss/ca-rsapss.pem" 2>&1`
- case $wolf_rsapss in
- *"ca file"*)
- echo "wolfSSL does not support RSA-PSS"
- wolf_rsapss=""
- ;;
- *)
- ;;
- esac
- if [ "$wolf_rsapss" != "" ]; then
- echo "wolfSSL supports RSA-PSS"
- fi
- # Check if ECC certificates supported in wolfSSL
- wolf_ecc=`$WOLFSSL_CLIENT -A "${CERT_DIR}/ca-ecc-cert.pem" 2>&1`
- case $wolf_ecc in
- *"ca file"*)
- echo "wolfSSL does not support ECDSA"
- wolf_ecc=""
- ;;
- *)
- ;;
- esac
- if [ "$wolf_ecc" != "" ]; then
- echo "wolfSSL supports ECDSA"
- fi
- # Check if Ed25519 certificates supported in wolfSSL
- wolf_ed25519=`$WOLFSSL_CLIENT -A "${CERT_DIR}/ed25519/root-ed25519.pem" 2>&1`
- case $wolf_ed25519 in
- *"ca file"*)
- echo "wolfSSL does not support Ed25519"
- wolf_ed25519=""
- ;;
- *)
- ;;
- esac
- if [ "$wolf_ed25519" != "" ]; then
- echo "wolfSSL supports Ed25519"
- fi
- # Check if Ed25519 certificates supported in OpenSSL
- openssl_ed25519=`$OPENSSL s_client -cert "${CERT_DIR}/ed25519/client-ed25519.pem" -key "${CERT_DIR}/ed25519/client-ed25519-priv.pem" 2>&1`
- case $openssl_ed25519 in
- *"unable to load"*)
- echo "OpenSSL does not support Ed25519"
- wolf_ed25519=""
- ;;
- *)
- ;;
- esac
- if [ "$wolf_ed25519" != "" ]; then
- echo "OpenSSL supports Ed25519"
- fi
- # Check if Ed448 certificates supported in wolfSSL
- wolf_ed448=`$WOLFSSL_CLIENT -A "${CERT_DIR}/ed448/root-ed448.pem" 2>&1`
- case $wolf_ed448 in
- *"ca file"*)
- echo "wolfSSL does not support Ed448"
- wolf_ed448=""
- ;;
- *)
- ;;
- esac
- if [ "$wolf_ed448" != "" ]; then
- echo "wolfSSL supports Ed448"
- fi
- # Check if Ed448 certificates supported in OpenSSL
- openssl_ed448=`$OPENSSL s_client -cert "${CERT_DIR}/ed448/client-ed448.pem" -key "${CERT_DIR}/ed448/client-ed448-priv.pem" 2>&1`
- case $openssl_ed448 in
- *"unable to load"*)
- echo "OpenSSL does not support Ed448"
- wolf_ed448=""
- ;;
- *)
- ;;
- esac
- if [ "$wolf_ed448" != "" ]; then
- echo "OpenSSL supports Ed448"
- fi
- echo
- fi
- openssl_tls13=`$OPENSSL s_client -help 2>&1`
- case $openssl_tls13 in
- *no_tls1_3*)
- ;;
- *)
- openssl_tls13=
- ;;
- esac
- # Not all openssl versions support -allow_no_dhe_kex
- openssl_nodhe=`$OPENSSL s_client -help 2>&1`
- case $openssl_nodhe in
- *allow_no_dhe_kex*)
- openssl_nodhe=-allow_no_dhe_kex
- ;;
- *)
- openssl_nodhe=
- ;;
- esac
- # Check suites to determine support in wolfSSL
- OIFS="$IFS" # store old separator to reset
- IFS=: # set delimiter
- for wolfSuite in $wolf_ciphers; do
- case $wolfSuite in
- *ECDHE-RSA-*)
- ecdhe_avail=yes
- wolf_rsa=yes
- ;;
- *DHE-RSA-*)
- wolf_rsa=yes
- ;;
- *ECDH-RSA*)
- wolf_ecdh_rsa=yes
- ;;
- *ECDHE-ECDSA*|*ECDH-ECDSA*)
- wolf_ecdsa=yes
- ;;
- *ADH*)
- wolf_anon=yes
- ;;
- *PSK*)
- if [ "$wolf_psk" = "" ]
- then
- echo "Testing PSK"
- wolf_psk=1
- fi
- if [ "$wolf_tls" != "" ]
- then
- wolf_tls_psk=yes
- fi
- ;;
- *TLS13*)
- ;;
- *)
- wolf_rsa=yes
- esac
- done
- IFS="$OIFS" #restore separator
- openssl_ciphers=`$OPENSSL ciphers ALL 2>&1`
- case $openssl_ciphers in
- *ADH*)
- openssl_anon=yes
- ;;
- esac
- # TLSv1 -> TLSv1.2 PSK secret
- psk_hex="1a2b3c4d"
- # If RSA cipher suites supported in wolfSSL then start servers
- if [ "$wolf_rsa" != "" -o "$wolf_tls_psk" != "" ]
- then
- if [ "$wolf_rsa" != "" ]
- then
- cert_file="${CERT_DIR}/server-cert.pem"
- key_file="${CERT_DIR}/server-key.pem"
- ca_file="${CERT_DIR}/client-ca.pem"
- else
- cert_file=
- key_file=
- ca_file=
- fi
- openssl_suite="RSA"
- start_openssl_server
- openssl_port=$server_port
- openssl_pid=$server_pid
- wolfssl_suite="RSA"
- if [ "$wolf_tls_psk" != "" ]
- then
- psk="-j"
- fi
- echo "cert_file=$cert_file"
- start_wolfssl_server
- psk=
- wolfssl_port=$server_port
- wolfssl_pid=$server_pid
- fi
- # If ECDH-RSA cipher suites supported in wolfSSL then start servers
- if [ "$wolf_ecdh_rsa" != "" ]
- then
- cert_file="${CERT_DIR}/server-ecc-rsa.pem"
- key_file="${CERT_DIR}/ecc-key.pem"
- ca_file="${CERT_DIR}/client-ca.pem"
- openssl_suite="ECDH-RSA"
- start_openssl_server
- ecdh_openssl_port=$server_port
- ecdh_openssl_pid=$server_pid
- wolfssl_suite="ECDH-RSA"
- start_wolfssl_server
- ecdh_wolfssl_port=$server_port
- ecdh_wolfssl_pid=$server_pid
- fi
- if [ "$wolf_ecdsa" != "" -a "$wolf_ecc" != "" ]
- then
- cert_file="${CERT_DIR}/server-ecc.pem"
- key_file="${CERT_DIR}/ecc-key.pem"
- ca_file="${CERT_DIR}/client-ecc-cert.pem"
- openssl_suite="ECDH[E]-ECDSA"
- start_openssl_server
- ecdsa_openssl_port=$server_port
- ecdsa_openssl_pid=$server_pid
- wolfssl_suite="ECDH[E]-ECDSA"
- start_wolfssl_server
- ecdsa_wolfssl_port=$server_port
- ecdsa_wolfssl_pid=$server_pid
- fi
- # If Ed25519 certificates supported in wolfSSL then start servers
- if [ "$wolf_ed25519" != "" ];
- then
- cert_file="${CERT_DIR}/ed25519/server-ed25519.pem"
- key_file="${CERT_DIR}/ed25519/server-ed25519-priv.pem"
- ca_file="${CERT_DIR}/ed25519/client-ed25519.pem"
- openssl_suite="Ed25519"
- start_openssl_server
- ed25519_openssl_port=$server_port
- ed25519_openssl_pid=$server_pid
- crl="-V"
- wolfssl_suite="Ed25519"
- start_wolfssl_server
- ed25519_wolfssl_port=$server_port
- ed25519_wolfssl_pid=$server_pid
- crl=
- fi
- # If Ed448 certificates supported in wolfSSL then start servers
- if [ "$wolf_ed448" != "" ];
- then
- cert_file="${CERT_DIR}/ed448/server-ed448.pem"
- key_file="${CERT_DIR}/ed448/server-ed448-priv.pem"
- ca_file="${CERT_DIR}/ed448/client-ed448.pem"
- openssl_suite="Ed448"
- start_openssl_server
- ed448_openssl_port=$server_port
- ed448_openssl_pid=$server_pid
- crl="-V"
- wolfssl_suite="Ed448"
- start_wolfssl_server
- ed448_wolfssl_port=$server_port
- ed448_wolfssl_pid=$server_pid
- crl=
- fi
- if [ "$wolf_tls13" != "" -a "$wolf_psk" != "" ]
- then
- cert_file=
- psk_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
- openssl_suite="TLSv1.3_PSK"
- start_openssl_server
- tls13_psk_openssl_port=$server_port
- tls13_psk_openssl_pid=$server_pid
- psk="-s --openssl-psk"
- wolfssl_suite="TLSv1.3_PSK"
- start_wolfssl_server
- tls13_psk_wolfssl_port=$server_port
- tls13_psk_wolfssl_pid=$server_pid
- fi
- if [ "$wolf_anon" != "" -a "$openssl_anon" ]
- then
- cert_file=""
- key_file=""
- ca_file=""
- wolfssl_suite="Anon"
- psk="-a" # anonymous not psk
- start_wolfssl_server
- anon_wolfssl_port=$server_port
- anon_wolfssl_pid=$server_pid
- fi
- for s in $servers
- do
- f2=${s%:*}
- server_name=${f2%:*}
- server_port=${s##*:}
- check_server_ready
- done
- OIFS="$IFS" # store old separator to reset
- IFS=: # set delimiter
- set -f # no globbing
- wolf_temp_cases_total=0
- wolf_temp_cases_tested=0
- # Testing of OpenSSL support for version requires a running OpenSSL server
- for version in $wolf_versions;
- do
- echo -e "version = $version"
- # get openssl ciphers depending on version
- # -s flag for only supported ciphers
- case $version in
- "0")
- openssl_ciphers=`$OPENSSL ciphers "SSLv3" 2>&1`
- # double check that can actually do a sslv3 connection using
- # client-cert.pem to send but any file with EOF works
- $OPENSSL s_client -ssl3 -no_ign_eof -host localhost -port $openssl_port < "${CERT_DIR}/client-cert.pem"
- sslv3_sup=$?
- if [ $sslv3_sup != 0 ]
- then
- echo -e "Not testing SSLv3. No OpenSSL support for 'SSLv3' modifier"
- testing_summary="${testing_summary}SSLv3\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n"
- continue
- fi
- openssl_version="-ssl3"
- ;;
- "1")
- proto_check=`echo "hell" | $OPENSSL s_client -connect localhost:$openssl_port -tls1 2>&1`
- tlsv1_sup=$?
- if [ $tlsv1_sup != 0 ]
- then
- echo -e "Not testing TLSv1. No OpenSSL support for '-tls1'"
- testing_summary="${testing_summary}TLSv1\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL Support)\n"
- continue
- fi
- openssl_ciphers=`$OPENSSL ciphers -s "TLSv1" 2>&1`
- tlsv1_sup=$?
- if [ $tlsv1_sup != 0 ]
- then
- echo -e "Not testing TLSv1. No OpenSSL support for 'TLSv1' modifier"
- testing_summary="${testing_summary}TLSv1\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n"
- continue
- fi
- openssl_version="-tls1"
- ;;
- "2")
- # Same ciphers for TLSv1.1 as TLSv1
- proto_check=`echo "hello" | $OPENSSL s_client -connect localhost:$openssl_port -tls1_1 2>&1`
- tlsv1_1_sup=$?
- if [ $tlsv1_1_sup != 0 ]
- then
- echo -e "Not testing TLSv1.1. No OpenSSL support for 'TLSv1.1' modifier"
- testing_summary="${testing_summary}TLSv1.1\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n"
- continue
- fi
- openssl_ciphers=`$OPENSSL ciphers -s "TLSv1" 2>&1`
- tlsv1_sup=$?
- if [ $tlsv1_sup != 0 ]
- then
- echo -e "Not testing TLSv1. No OpenSSL support for 'TLSv1' modifier"
- testing_summary="${testing_summary}TLSv1\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n"
- continue
- fi
- openssl_version="-tls1_1"
- ;;
- "3")
- openssl_ciphers=`$OPENSSL ciphers -s "TLSv1.2" 2>&1`
- tlsv1_2_sup=$?
- if [ $tlsv1_2_sup != 0 ]
- then
- echo -e "Not testing TLSv1.2. No OpenSSL support for 'TLSv1.2' modifier"
- testing_summary="${testing_summary}TLSv1.2\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n"
- continue
- fi
- openssl_version="-tls1_2"
- ;;
- "4")
- openssl_ciphers=`$OPENSSL ciphers -tls1_3 2>&1`
- tlsv1_3_sup=$?
- if [ $tlsv1_3_sup != 0 ]
- then
- echo -e "Not testing TLSv1.3. No OpenSSL support for 'TLSv1.3' modifier"
- testing_summary="${testing_summary}TLSv1.3\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n"
- continue
- fi
- ecc_support=`$WOLFSSL_CLIENT -? 2>&1 | grep 'ECC named groups'`
- openssl_version="-tls1_3"
- ;;
- "d(downgrade)")
- version="d"
- openssl_version=""
- ;;
- "e(either)")
- continue
- ;;
- "5") #test all suites
- openssl_ciphers=`$OPENSSL ciphers -s "ALL" 2>&1`
- all_sup=$?
- if [ $all_sup != 0 ]
- then
- echo -e "Not testing ALL. No OpenSSL support for ALL modifier"
- testing_summary="${testing_summary}ALL\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n"
- continue
- fi
- openssl_version=""
- ;;
- "")
- openssl_ciphers=`$OPENSSL ciphers 2>&1`
- all_sup=$?
- if [ $all_sup != 0 ]
- then
- echo -e "Not testing ALL. No OpenSSL support for ALL modifier"
- testing_summary="${testing_summary}ALL\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n"
- continue
- fi
- openssl_version=""
- ;;
- esac
- for wolfSuite in $wolf_ciphers; do
- echo -e "trying wolfSSL cipher suite $wolfSuite"
- wolf_temp_cases_total=$((wolf_temp_cases_total + 1))
- open_temp_cases_total=$((open_temp_cases_total + 1))
- matchSuite=0;
- tls13_suite=
- case $wolfSuite in
- "TLS13-AES128-GCM-SHA256")
- cmpSuite="TLS_AES_128_GCM_SHA256"
- tls13_suite="yes"
- ;;
- "TLS13-AES256-GCM-SHA384")
- cmpSuite="TLS_AES_256_GCM_SHA384"
- tls13_suite="yes"
- ;;
- "TLS13-CHACHA20-POLY1305-SHA256")
- cmpSuite="TLS_CHACHA20_POLY1305_SHA256"
- tls13_suite="yes"
- ;;
- "TLS13-AES128-CCM-SHA256")
- cmpSuite="TLS_AES_128_CCM_SHA256"
- tls13_suite="yes"
- ;;
- "TLS13-AES128-CCM-8-SHA256"|"TLS13-AES128-CCM8-SHA256")
- cmpSuite="TLS_AES_128_CCM_8_SHA256"
- tls13_suite="yes"
- ;;
- "TLS13-SHA256-SHA256")
- continue
- ;;
- "TLS13-SHA384-SHA384")
- continue
- ;;
- "TLS13-"*)
- echo -e "Suite = $wolfSuite not recognized!"
- echo -e "Add translation of wolfSSL name to OpenSSL"
- do_cleanup
- exit 1
- ;;
- *)
- cmpSuite=$wolfSuite
- ;;
- esac
- case ":$openssl_ciphers:" in *":$cmpSuite:"*) # add extra : for edge cases
- case "$cmpSuite" in
- "TLS_"*)
- if [ "$version" != "4" -a "$version" != "d" ]
- then
- echo -e "TLS 1.3 cipher suite but not TLS 1.3 protocol"
- matchSuite=0
- else
- echo -e "Matched to OpenSSL suite support"
- matchSuite=1
- fi
- ;;
- *)
- if [ "$version" = "d" -a "$wolfdowngrade" = "4" ]
- then
- echo -e "Not TLS 1.3 cipher suite but TLS 1.3 downgrade"
- matchSuite=0
- elif [ "$version" != "4" ]
- then
- echo -e "Matched to OpenSSL suite support"
- matchSuite=1
- else
- echo -e "Not TLS 1.3 cipher suite but TLS 1.3 protocol"
- matchSuite=0
- fi
- ;;
- esac
- ;;
- esac
- if [ $matchSuite = 0 ]
- then
- echo -e "Couldn't match suite, continuing..."
- continue
- fi
- # check for psk suite and turn on client psk if so
- psk=""
- adh=""
- crl=""
- cert=""
- key=""
- caCert=""
- case $wolfSuite in
- *ECDH-RSA*)
- cert="${CERT_DIR}/client-cert.pem"
- key="${CERT_DIR}/client-key.pem"
- caCert="${CERT_DIR}/ca-cert.pem"
- port=$ecdh_openssl_port
- do_wolfssl_client
- port=$ecdh_wolfssl_port
- do_openssl_client
- ;;
- *ECDHE-ECDSA*|*ECDH-ECDSA*)
- if [ "$wolf_ecc" != "" ]
- then
- cert="${CERT_DIR}/client-ecc-cert.pem"
- key="${CERT_DIR}/ecc-client-key.pem"
- caCert="${CERT_DIR}/ca-ecc-cert.pem"
- port=$ecdsa_openssl_port
- do_wolfssl_client
- port=$ecdsa_wolfssl_port
- do_openssl_client
- else
- wolf_temp_cases_total=$((wolf_temp_cases_total - 1))
- fi
- if [ $ed25519_openssl_pid != $no_pid -a "$version" != "0" -a "$version" != "1" -a "$version" != "2" ]
- then
- cert="${CERT_DIR}/ed25519/client-ed25519.pem"
- key="${CERT_DIR}/ed25519/client-ed25519-priv.pem"
- caCert="${CERT_DIR}/ed25519/server-ed25519.pem"
- wolf_temp_cases_total=$((wolf_temp_cases_total + 1))
- port=$ed25519_openssl_port
- crl="-C"
- do_wolfssl_client
- open_temp_cases_total=$((open_temp_cases_total + 1))
- port=$ed25519_wolfssl_port
- do_openssl_client
- fi
- if [ $ed448_openssl_pid != $no_pid -a "$version" != "0" -a "$version" != "1" -a "$version" != "2" ]
- then
- cert="${CERT_DIR}/ed448/client-ed448.pem"
- key="${CERT_DIR}/ed448/client-ed448-priv.pem"
- caCert="${CERT_DIR}/ed448/server-ed448.pem"
- wolf_temp_cases_total=$((wolf_temp_cases_total + 1))
- port=$ed448_openssl_port
- crl="-C"
- do_wolfssl_client
- open_temp_cases_total=$((open_temp_cases_total + 1))
- port=$ed448_wolfssl_port
- do_openssl_client
- fi
- ;;
- *DHE-PSK*)
- cert="${CERT_DIR}/client-cert.pem"
- key="${CERT_DIR}/client-key.pem"
- caCert="${CERT_DIR}/ca-cert.pem"
- port=$openssl_port
- psk="-s"
- do_wolfssl_client
- # Skip when no RSA as some versions of OpenSSL can't handle no
- # signature
- if [ "$wolf_rsa" != "" ]
- then
- port=$wolfssl_port
- openssl_psk="-psk 1a2b3c4d"
- do_openssl_client
- fi
- ;;
- *PSK*)
- cert="${CERT_DIR}/client-cert.pem"
- key="${CERT_DIR}/client-key.pem"
- caCert="${CERT_DIR}/ca-cert.pem"
- port=$openssl_port
- psk="-s"
- do_wolfssl_client
- port=$wolfssl_port
- openssl_psk="-psk 1a2b3c4d"
- do_openssl_client
- ;;
- *ADH*)
- cert="${CERT_DIR}/client-cert.pem"
- key="${CERT_DIR}/client-key.pem"
- caCert="${CERT_DIR}/ca-cert.pem"
- if [ "$version" != "0" -a "$version" != "1" -a "$version" != "2" -a "$openssl_adh_reneg_bug" != "" ]
- then
- continue
- fi
- port=$openssl_port
- adh="-a"
- do_wolfssl_client
- port=$anon_wolfssl_port
- do_openssl_client
- ;;
- TLS13*)
- if [ $version != "4" -a $version != "d" -a $version != " " -a $version != "5" ]
- then
- continue
- fi
- tls13_cipher=yes
- # RSA
- if [ $openssl_pid != $no_pid -a "$ecdhe_avail" = "yes" ]
- then
- cert="${CERT_DIR}/client-cert.pem"
- key="${CERT_DIR}/client-key.pem"
- caCert="${CERT_DIR}/ca-cert.pem"
- port=$openssl_port
- do_wolfssl_client
- port=$wolfssl_port
- do_openssl_client
- fi
- # PSK
- if [ "$wolf_psk" != "" -a $wolfSuite = "TLS13-AES128-GCM-SHA256" -a "$wolf_ecc" != "" -a $openssl_nodhe != "" ]
- then
- cert=""
- key=""
- caCert=""
- wolf_temp_cases_total=$((wolf_temp_cases_total + 1))
- port=$tls13_psk_openssl_port
- psk="-s --openssl-psk"
- # OpenSSL doesn't support DH for key exchange so do no PSK
- # DHE when ECC not supported
- if [ "$wolf_ecc" = "" ]
- then
- adh="-K"
- fi
- do_wolfssl_client
- psk=""
- adh=""
- openssl_psk="-psk 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
- open_temp_cases_total=$((open_temp_cases_total + 1))
- port=$wolfssl_port
- do_openssl_client
- open_temp_cases_total=$((open_temp_cases_total + 1))
- port=$tls13_psk_wolfssl_port
- do_openssl_client
- openssl_psk=""
- fi
- # ECDSA
- if [ $ecdsa_openssl_pid != $no_pid -a "$wolf_ecc" != "" ]
- then
- cert="${CERT_DIR}/client-ecc-cert.pem"
- key="${CERT_DIR}/ecc-client-key.pem"
- caCert="${CERT_DIR}/ca-ecc-cert.pem"
- wolf_temp_cases_total=$((wolf_temp_cases_total + 1))
- port=$ecdsa_openssl_port
- caCert="${CERT_DIR}/ca-ecc-cert.pem"
- do_wolfssl_client
- open_temp_cases_total=$((open_temp_cases_total + 1))
- port=$ecdsa_wolfssl_port
- caCert="${CERT_DIR}/ca-ecc-cert.pem"
- do_openssl_client
- fi
- # Ed25519
- if [ $ed25519_openssl_pid != $no_pid ]
- then
- cert="${CERT_DIR}/ed25519/client-ed25519.pem"
- key="${CERT_DIR}/ed25519/client-ed25519-priv.pem"
- caCert="${CERT_DIR}/ed25519/server-ed25519.pem"
- wolf_temp_cases_total=$((wolf_temp_cases_total + 1))
- port=$ed25519_openssl_port
- crl="-C"
- do_wolfssl_client
- open_temp_cases_total=$((open_temp_cases_total + 1))
- port=$ed25519_wolfssl_port
- do_openssl_client
- fi
- # Ed448
- if [ $ed448_openssl_pid != $no_pid ]
- then
- cert="${CERT_DIR}/ed448/client-ed448.pem"
- key="${CERT_DIR}/ed448/client-ed448-priv.pem"
- caCert="${CERT_DIR}/ed448/server-ed448.pem"
- wolf_temp_cases_total=$((wolf_temp_cases_total + 1))
- port=$ed448_openssl_port
- crl="-C"
- do_wolfssl_client
- open_temp_cases_total=$((open_temp_cases_total + 1))
- port=$ed448_wolfssl_port
- do_openssl_client
- fi
- tls13_cipher=
- ;;
- *)
- cert="${CERT_DIR}/client-cert.pem"
- key="${CERT_DIR}/client-key.pem"
- caCert="${CERT_DIR}/ca-cert.pem"
- port=$openssl_port
- do_wolfssl_client
- port=$wolfssl_port
- do_openssl_client
- ;;
- esac
- done
- wolf_cases_tested=$((wolf_temp_cases_tested+wolf_cases_tested))
- wolf_cases_total=$((wolf_temp_cases_total+wolf_cases_total))
- echo -e "wolfSSL cases tested with version:$version $wolf_temp_cases_tested"
- open_cases_tested=$((open_temp_cases_tested+open_cases_tested))
- open_cases_total=$((open_temp_cases_total+open_cases_total))
- echo -e "OpenSSL cases tested with version:$version $open_temp_cases_tested"
- version_name
- testing_summary="$testing_summary$versionName\tYes\t$wolf_temp_cases_total\t$wolf_temp_cases_tested\t$open_temp_cases_total\t$open_temp_cases_tested\n"
- wolf_temp_cases_total=0
- wolf_temp_cases_tested=0
- open_temp_cases_total=0
- open_temp_cases_tested=0
- wolfdowngrade="$version"
- done
- IFS="$OIFS" #restore separator
- # Skip RSA-PSS interop test when RSA-PSS is not supported
- if [ "$wolf_rsapss" != "" -a "$ecdhe_avail" = "yes" -a "$wolf_rsa" = "yes" ]
- then
- # Test for RSA-PSS certs interop
- # Was running into alert sent by openssl server with version 1.1.1 released
- # in Sep 2018. To avoid this issue check that openssl version 3.0.0 or later
- # is used.
- $OPENSSL version | awk '{print $2}' | \
- awk -F. '{if ($1 >= 3) exit 1; else exit 0;}'
- RESULT=$?
- if [ "$RESULT" = "0" ]; then
- echo -e "Old version of openssl detected, skipping interop RSA-PSS test"
- else
- echo -e "Doing interop RSA-PSS test"
- key_file=${CERT_DIR}/rsapss/server-rsapss-priv.pem
- cert_file=${CERT_DIR}/rsapss/server-rsapss.pem
- ca_file=${CERT_DIR}/client-cert.pem
- openssl_suite="RSAPSS"
- start_openssl_server
- cert="${CERT_DIR}/client-cert.pem"
- key="${CERT_DIR}/client-key.pem"
- caCert="${CERT_DIR}/rsapss/ca-rsapss.pem"
- crl="-C"
- wolfSuite="ALL"
- wolfssl_no_resume="yes"
- port=$server_port
- if [ "$wolf_tls13" != "" ]
- then
- version="4"
- do_wolfssl_client
- fi
- if [ "$wolf_tls" != "" ]
- then
- version="3"
- do_wolfssl_client
- fi
- fi
- fi
- do_cleanup
- echo -e "wolfSSL total cases $wolf_cases_total"
- echo -e "wolfSSL cases tested $wolf_cases_tested"
- echo -e "OpenSSL total cases $open_cases_total"
- echo -e "OpenSSL cases tested $open_cases_tested"
- echo -e "\nSuccess!\n\n\n\n"
- echo -e "$testing_summary"
- exit 0
|