#!/bin/bash
#openssl.test
# Interop test: the wolfSSL example client is run against OpenSSL s_server
# and OpenSSL s_client against the wolfSSL example server, for every cipher
# suite and protocol version both sides support.
# Environment variables used:
# OPENSSL (openssl app to use)
# OPENSSL_ENGINE_ID (engine id if any i.e. "wolfengine")
# WOLFSSL_OPENSSL_TEST (must be non-empty, otherwise the test is skipped)
# NETWORK_UNSHARE_HELPER (optional wrapper used to re-exec this script in an
#   isolated network namespace)
# Certificates are expected next to the script at <script dir>/../certs.
# The path is prefixed with $PWD so it stays valid after the "cd .." done
# for distcheck further down.
CERT_DIR="$PWD/$(dirname "$0")/../certs"
# Opt-in gate. 77 is the conventional "skipped" status for automake test
# drivers, so an unset variable is not reported as a failure.
if ! test -n "$WOLFSSL_OPENSSL_TEST"; then
    echo "WOLFSSL_OPENSSL_TEST NOT set, won't run"
    exit 77
fi
# if we can, isolate the network namespace to eliminate port collisions.
# Both paths re-execute this script and mark the environment so the child
# does not recurse. Only the network is isolated: bwrap is given
# --dev-bind / /, i.e. the whole host filesystem. This avoids port clashes
# between parallel test runs; it is not a sandbox for the test itself.
if [[ -n "$NETWORK_UNSHARE_HELPER" ]]; then
    if [[ -z "$NETWORK_UNSHARE_HELPER_CALLED" ]]; then
        export NETWORK_UNSHARE_HELPER_CALLED=yes
        # exec does not return on success; on failure propagate its status
        exec "$NETWORK_UNSHARE_HELPER" "$0" "$@" || exit $?
    fi
elif [ "${AM_BWRAPPED-}" != "yes" ]; then
    bwrap_path="$(command -v bwrap)"
    if [ -n "$bwrap_path" ]; then
        export AM_BWRAPPED=yes
        exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
    fi
    # reached when bwrap is not available: clear any stale marker
    unset AM_BWRAPPED
fi
echo "WOLFSSL_OPENSSL_TEST set, running test..."
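# Pick a random candidate listening port into the global `port`.
# Range is [49512, 65534]; callers re-draw if the port turns out to be busy.
# Two bytes are read from the kernel RNG and printed as an unsigned decimal
# (-tu2). The previous version relied on od's default octal output, which
# only worked because bash treats a leading 0 as octal in arithmetic.
# /dev/urandom is used because it never blocks; this is not key material,
# so the blocking /dev/random buys nothing here.
generate_port() {
    local raw
    raw=$(od -An -N2 -tu2 /dev/urandom)
    port=$(( raw % (65535-49512) + 49512 ))
}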
# Sentinel meaning "this server was never started"; the per-pair pid
# variables below start out as the sentinel and are filled in as servers come up.
no_pid=-1
# Space separated list of "<name>:<pid>:<port>" for every started server.
servers=""
for pid_var in openssl_pid ecdh_openssl_pid ecdsa_openssl_pid \
               ed25519_openssl_pid ed448_openssl_pid tls13_psk_openssl_pid \
               wolfssl_pid ecdh_wolfssl_pid ecdsa_wolfssl_pid \
               ed25519_wolfssl_pid ed448_wolfssl_pid tls13_psk_wolfssl_pid \
               anon_wolfssl_pid
do
    printf -v "$pid_var" '%s' "$no_pid"
done
unset pid_var
# Running tallies and the summary table header printed at the end.
wolf_cases_tested=0
wolf_cases_total=0
counter=0
testing_summary="OpenSSL Interop Testing Summary:\nVersion\tTested\t#Found\t#wolf\t#Found\t#OpenSSL\n"
versionName="Invalid"
# Default to the openssl on PATH when OPENSSL is unset or empty.
: "${OPENSSL:=openssl}"
WOLFSSL_SERVER=./examples/server/server
WOLFSSL_CLIENT=./examples/client/client
# Map the numeric protocol selector in $version to a display name in
# $versionName. Unknown values leave $versionName untouched.
version_name() {
    case "$version" in
        0)  versionName="SSLv3" ;;
        1)  versionName="TLSv1" ;;
        2)  versionName="TLSv1.1" ;;
        3)  versionName="TLSv1.2" ;;
        4)  versionName="TLSv1.3" ;;
        5)  versionName="ALL" ;;      # no -v flag, every version
        d)  versionName="Down" ;;     # downgrade
        "") versionName="Def" ;;      # library default
    esac
}
# Kill every server recorded in $servers ("<name>:<pid>:<port>" entries).
# IFS is restored first because the caller may be inside one of the
# colon-delimited loops. Called before every exit path of the script.
do_cleanup() {
    echo "in cleanup"
    IFS=$OIFS #restore separator
    for s in $servers
    do
        port=${s##*:}
        f2=${s%:*}
        pid=${f2##*:}
        sname=${f2%:*}
        printf 'killing server: %s (%s)\n' "$sname" "$port"
        kill -KILL $pid
    done
}
# INT/TERM handler: report, tear down the servers, exit with failure.
do_trap() {
    printf '%s\n' "got trap"
    do_cleanup
    exit 1
}
  100. trap do_trap INT TERM
# Set PS_EXIT to 0 if $server_pid is still alive, non-zero otherwise.
# Uses "ps -p" unless the startup probe found it unsupported ($ps_grep set),
# in which case the pid is looked for at the start of a plain "ps" line.
check_process_running() {
    if [ -z "$ps_grep" ]; then
        ps -p $server_pid > /dev/null
    else
        ps | grep "^ *$server_pid " > /dev/null
    fi
    PS_EXIT=$?
}
  111. #
  112. # Start an OpenSSL server
  113. #
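# Launch an OpenSSL s_server for $openssl_suite on a random free port.
# Reads:  cert_file, key_file, ca_file, psk_hex, openssl_nodhe, OPENSSL,
#         OPENSSL_ENGINE_ID, wolfssl_client_avail
# Writes: server_pid, server_port, openssl_engine_opt; appends
#         "OpenSSL_<suite>:<pid>:<port>" to servers
# Exits the script (after do_cleanup) if the engine cannot be loaded or no
# free port is found in 20 attempts.
start_openssl_server() {
    # Nothing to test against without a wolfSSL client.
    if [ "$wolfssl_client_avail" = "" ]
    then
        return
    fi
    generate_port
    server_port=$port
    found_free_port=0
    counter=0
    # If OPENSSL_ENGINE_ID has been set then check that the desired engine can
    # be loaded successfully and error out if not. Otherwise the OpenSSL app
    # will fall back to default engine.
    # The check runs once: the resulting "-engine <id>" option is kept in
    # openssl_engine_opt and OPENSSL_ENGINE_ID stays the bare id. (Previously
    # OPENSSL_ENGINE_ID itself was overwritten with the option string, so each
    # later server start re-ran "openssl engine -tt" with "-engine <id>" as
    # the id and prepended yet another "-engine".)
    if [ -n "${OPENSSL_ENGINE_ID}" ] && [ -z "${openssl_engine_opt}" ]; then
        OUTPUT=$($OPENSSL engine -tt "$OPENSSL_ENGINE_ID")
        if [ $? != 0 ]; then
            # '%s' rather than using the command text as the format string
            printf '%s\n' "not able to load engine"
            printf '%s\n' "$OPENSSL engine -tt $OPENSSL_ENGINE_ID"
            do_cleanup
            exit 1
        fi
        printf '%s\n' "$OUTPUT" | grep "available"
        if [ $? != 0 ]; then
            printf '%s\n' "engine not available"
            do_cleanup
            exit 1
        fi
        openssl_engine_opt="-engine ${OPENSSL_ENGINE_ID}"
    fi
    # The server options are deliberately permissive because this is an
    # interop harness on loopback: "ALL:eNULL" enables NULL-encryption suites
    # so every wolfSSL suite has a counterpart, -psk is a fixed test key, and
    # -verify_return_error makes a failed client-certificate verification an
    # error rather than a warning. Do not copy this into a real configuration.
    while [ "$counter" -lt 20 ]; do
        echo -e "\n# Trying to start $openssl_suite OpenSSL server on port $server_port..."
        echo "#"
        # $openssl_engine_opt and $openssl_nodhe are unquoted on purpose: each
        # expands to zero or more whitespace-separated options.
        if [ "$cert_file" != "" ]
        then
            echo "# " $OPENSSL s_server -accept $server_port $openssl_engine_opt -cert \"$cert_file\" -key \"$key_file\" -quiet -CAfile \"$ca_file\" -www -dhparam \"${CERT_DIR}/dh2048.pem\" -verify 10 -verify_return_error -psk $psk_hex -cipher "ALL:eNULL" $openssl_nodhe
            $OPENSSL s_server -accept $server_port $openssl_engine_opt -cert "$cert_file" -key "$key_file" -quiet -CAfile "$ca_file" -www -dhparam "${CERT_DIR}/dh2048.pem" -verify 10 -verify_return_error -psk $psk_hex -cipher "ALL:eNULL" $openssl_nodhe &
        else
            echo "# " $OPENSSL s_server -accept $server_port $openssl_engine_opt -quiet -nocert -www -dhparam \"${CERT_DIR}/dh2048.pem\" -verify 10 -verify_return_error -psk $psk_hex -cipher "ALL:eNULL" $openssl_nodhe
            $OPENSSL s_server -accept $server_port $openssl_engine_opt -quiet -nocert -www -dhparam "${CERT_DIR}/dh2048.pem" -verify 10 -verify_return_error -psk $psk_hex -cipher "ALL:eNULL" $openssl_nodhe &
        fi
        server_pid=$!
        # wait to see if s_server successfully starts before continuing
        sleep 0.1
        check_process_running
        if [ "$PS_EXIT" = "0" ]
        then
            echo "s_server started successfully on port $server_port"
            found_free_port=1
            break
        else
            #port already started, try a different port
            counter=$((counter+ 1))
            generate_port
            server_port=$port
        fi
    done
    if [ $found_free_port = 0 ]
    then
        echo -e "Couldn't find free port for server"
        do_cleanup
        exit 1
    fi
    servers="$servers OpenSSL_$openssl_suite:$server_pid:$server_port"
}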
  178. #
  179. # Start a wolfSSL server
  180. #
# Launch the wolfSSL example server for $wolfssl_suite on a random free port.
# Reads:  cert_file, key_file, ca_file, psk, crl, wolfssl_server_avail
# Writes: server_pid, server_port, wolfssl_cert/key/caCert; appends
#         "wolfSSL_<suite>:<pid>:<port>" to servers
# Exits the script (after do_cleanup) if no free port is found in 20 tries.
start_wolfssl_server() {
    if [ -z "$wolfssl_server_avail" ]; then
        echo "# wolfSSL server not available"
        return
    fi
    # Option strings for the example server; an unset file leaves the string
    # empty, and the empty string is still passed through as an argument.
    wolfssl_cert=""
    wolfssl_key=""
    wolfssl_caCert=""
    [ -n "$cert_file" ] && wolfssl_cert="-c$cert_file"
    [ -n "$key_file" ] && wolfssl_key="-k$key_file"
    [ -n "$ca_file" ] && wolfssl_caCert="-A$ca_file"
    generate_port
    server_port=$port
    found_free_port=0
    counter=0
    until [ "$counter" -ge 20 ]; do
        echo -e "\n# Trying to start $wolfssl_suite wolfSSL server on port $server_port..."
        echo "#"
        echo "# $WOLFSSL_SERVER -p $server_port -g -v d -x -i $psk $crl -l ALL \"$wolfssl_cert\" \"$wolfssl_key\" \"$wolfssl_caCert\""
        $WOLFSSL_SERVER -p $server_port -g -v d -x -i $psk $crl -l ALL "$wolfssl_cert" "$wolfssl_key" "$wolfssl_caCert" &
        server_pid=$!
        # Give it a moment; if the process is already gone the port is taken.
        sleep 0.1
        check_process_running
        if [ "$PS_EXIT" = "0" ]; then
            echo "wolfSSL server started successfully on port $server_port"
            found_free_port=1
            break
        fi
        # port already in use, draw another one
        counter=$((counter + 1))
        generate_port
        server_port=$port
    done
    if [ "$found_free_port" = 0 ]; then
        echo -e "Couldn't find free port for server"
        do_cleanup
        exit 1
    fi
    servers="$servers wolfSSL_$wolfssl_suite:$server_pid:$server_port"
}
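# Poll $server_port with nc until a TCP connection is accepted, then set
# server_ready=1. Gives up (do_cleanup + exit 1) after 20 attempts.
# Reads:  server_name, server_port
# Writes: server_ready, nc_result, counter
# Each server now gets its own 20-attempt budget: `counter` is reset here
# instead of being inherited from whichever start_*_server loop ran last
# and then carried across every server in the caller's loop, which let one
# slow server eat the polling budget of the servers checked after it.
check_server_ready() {
    # server should be ready, let's make sure
    server_ready=0
    counter=0
    while [ "$counter" -lt 20 ]; do
        echo -e "waiting for $server_name ready..."
        # Only the connect result is of interest; the payload is arbitrary.
        echo -e Checking | nc localhost "$server_port"
        nc_result=$?
        if [ "$nc_result" = 0 ]
        then
            echo -e "$server_name ready!"
            server_ready=1
            break
        fi
        sleep 0.1
        counter=$((counter + 1))
    done
    if [ "$server_ready" = 0 ]
    then
        echo -e "Couldn't verify $server_name is running, timeout error"
        do_cleanup
        exit 1
    fi
}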
  258. #
  259. # Run wolfSSL client against OpenSSL server
  260. #
# Run the wolfSSL example client against the OpenSSL server on $port for
# $wolfSuite / $version. Reads cert, key, caCert, psk, adh, crl, tls13_suite
# and openssl_psk_resume_bug; bumps wolf_temp_cases_tested on success and
# exits the script (after do_cleanup) on a client failure.
do_wolfssl_client() {
    [ -z "$wolfssl_client_avail" ] && return
    wolfssl_cert=""
    wolfssl_key=""
    wolfssl_caCert=""
    [ -n "$cert" ] && wolfssl_cert="-c$cert"
    [ -n "$key" ] && wolfssl_key="-k$key"
    [ -n "$caCert" ] && wolfssl_caCert="-A$caCert"
    # Session resumption (-r) is exercised unless the OpenSSL build was flagged
    # as having the TLS 1.3 PSK/ticket resume bug and this is a TLS 1.3 suite.
    wolfssl_resume="-r"
    if [ -n "$openssl_psk_resume_bug" ] && [ -n "$tls13_suite" ]; then
        wolfssl_resume=
    fi
    case "$version" in
        5|"")
            # no -v flag: the client negotiates across all versions
            echo "#"
            echo "# $WOLFSSL_CLIENT -p $port -g $wolfssl_resume -l $wolfSuite $psk $adh \"$wolfssl_cert\" \"$wolfssl_key\" \"$wolfssl_caCert\" $crl"
            $WOLFSSL_CLIENT -p $port -g $wolfssl_resume -l $wolfSuite $psk $adh "$wolfssl_cert" "$wolfssl_key" "$wolfssl_caCert" $crl
            ;;
        *)
            echo "#"
            echo "# $WOLFSSL_CLIENT -p $port -g $wolfssl_resume -l $wolfSuite -v $version $psk $adh \"$wolfssl_cert\" \"$wolfssl_key\" \"$wolfssl_caCert\" $crl"
            $WOLFSSL_CLIENT -p $port -g $wolfssl_resume -l $wolfSuite -v $version $psk $adh "$wolfssl_cert" "$wolfssl_key" "$wolfssl_caCert" $crl
            ;;
    esac
    client_result=$?
    if [ "$client_result" != 0 ]; then
        echo -e "client failed! Suite = $wolfSuite version = $version"
        do_cleanup
        exit 1
    fi
    wolf_temp_cases_tested=$((wolf_temp_cases_tested + 1))
}
  306. #
  307. # Run OpenSSL client against wolfSSL server
  308. #
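# Run OpenSSL s_client against the wolfSSL server on $port for $cmpSuite /
# $version. Reads cert, key, caCert, tls13_cipher, openssl_tls13,
# openssl_psk; bumps open_temp_cases_tested on success and exits the script
# (after do_cleanup) on a client failure.
# The command line is built as an argv array and executed directly. The old
# code assembled a string and ran it through eval; since the certificate
# paths come from CERT_DIR (derived from $0 and $PWD), a quote, `$` or
# backtick in the checkout path would have been re-parsed by the shell
# instead of reaching s_client.
do_openssl_client() {
    if [ "$wolfssl_server_avail" = "" ]
    then
        return
    fi
    # Default / "all versions" run: keep a TLS 1.3 capable OpenSSL off
    # TLS 1.3 unless a TLS 1.3 suite is being tested.
    if [ "$version" = "" -o "$version" = "5" ]
    then
        if [ "$tls13_cipher" = "" -a "$openssl_tls13" != "" ]
        then
            openssl_version="-no_tls1_3"
        fi
    fi
    # The openssl_cert1/2 etc. globals are kept for compatibility and are now
    # cleared when the input is empty, so a path from an earlier call can no
    # longer leak into this one.
    openssl_cert1=""; openssl_cert2=""
    openssl_key1=""; openssl_key2=""
    openssl_caCert1=""; openssl_caCert2=""
    if [ "$cert" != "" ]
    then
        openssl_cert1="-cert"
        openssl_cert2="$cert"
    fi
    if [ "$key" != "" ]
    then
        openssl_key1="-key"
        openssl_key2="$key"
    fi
    if [ "$caCert" != "" ]
    then
        openssl_caCert1="-CAfile"
        openssl_caCert2="$caCert"
    fi
    local -a args
    args=(s_client -connect "localhost:$port" -reconnect)
    if [ "$tls13_cipher" = "" ]
    then
        args+=(-cipher "$cmpSuite")
    else
        args+=("-ciphersuites=$cmpSuite")
    fi
    # openssl_version / openssl_psk are unquoted on purpose: each holds zero,
    # one or two whitespace-separated words (e.g. "-psk 1a2b3c4d").
    args+=($openssl_version $openssl_psk)
    [ -n "$openssl_cert1" ] && args+=("$openssl_cert1" "$openssl_cert2")
    [ -n "$openssl_key1" ] && args+=("$openssl_key1" "$openssl_key2")
    [ -n "$openssl_caCert1" ] && args+=("$openssl_caCert1" "$openssl_caCert2")
    echo "#"
    echo "# $OPENSSL ${args[*]}"
    echo "Hello" | $OPENSSL "${args[@]}"
    client_result=$?
    if [ "$client_result" != 0 ]
    then
        echo -e "client failed! Suite = $wolfSuite version = $version"
        do_cleanup
        exit 1
    fi
    open_temp_cases_tested=$((open_temp_cases_tested + 1))
}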
  355. OIFS=$IFS # store old separator to reset
  356. #
  357. # Start
  358. #
  359. ps -p $PPID >/dev/null 2>&1
  360. if [ "$?" = "1" ]
  361. then
  362. ps_grep="yes"
  363. echo "ps -p not working, using ps and grep"
  364. fi
  365. echo -e "\nTesting existence of openssl command...\n"
  366. command -v $OPENSSL >/dev/null 2>&1 || { echo >&2 "Requires openssl command, but it's not installed. Ending."; do_cleanup; exit 0; }
echo -e "\nTesting for _build directory as part of distcheck, different paths"
currentDir=`pwd`
# Under distcheck the tests run from a _build subdirectory; step up one level
# so the relative ./examples/... paths resolve. CERT_DIR was already made
# absolute above and is unaffected by this cd.
case "$currentDir" in
*_build)
    echo -e "_build directory detected, moving a directory back"
    cd ..
    ;;
esac
echo -e "\nChecking for wolfSSL client - needed for cipher list"
# The example client answers "Client not compiled in!" when built without
# client support; that is a skip (exit 0), not a failure.
wolfssl_client_avail=`$WOLFSSL_CLIENT -?`
case $wolfssl_client_avail in
*"Client not compiled in!"*)
    wolfssl_client_avail=
    echo >&2 "Requires wolfSSL client, but it's not built. Ending."
    do_cleanup
    exit 0
    ;;
esac
echo -e "\nTesting for buggy version of OpenSSL - TLS 1.3, PSK and session ticket"
# Version-specific workarounds keyed off the "openssl version" banner:
#  - 1.1.1: session resumption is skipped for TLS 1.3 suites (do_wolfssl_client)
#  - 1.0.2: ADH cases are skipped for TLS 1.2 and above (version loop)
# Note that openssl_version is reused later to hold the s_client protocol
# flag (-tls1_2, -no_tls1_3, ...); the banner is only needed here.
openssl_version=`$OPENSSL version`
case $openssl_version in
"OpenSSL 1.1.1 "*)
    openssl_psk_resume_bug=yes
    ;;
"OpenSSL 1.0.2"*)
    openssl_adh_reneg_bug=yes
    ;;
esac
# check for wolfssl server
# Without a server only the wolfSSL-client-vs-OpenSSL-server half runs.
wolfssl_server_avail=`$WOLFSSL_SERVER -?`
case $wolfssl_server_avail in
*"Server not compiled in!"*)
    wolfssl_server_avail=
    ;;
esac
# get wolfssl ciphers
# Both lists are colon separated, hence the IFS=: loops below.
wolf_ciphers=`$WOLFSSL_CLIENT -e`
# get wolfssl supported versions
wolf_versions=`$WOLFSSL_CLIENT -V`
wolf_versions="${wolf_versions}:5" #5 will test without -v flag
OIFS="$IFS" # store old separator to reset
IFS=: # set delimiter
# Record whether any TLS 1.0-1.2 version and/or TLS 1.3 is available; these
# decide which PSK server pairs get started.
for version in $wolf_versions
do
    case $version in
    1|2|3)
        wolf_tls=yes
        ;;
    4)
        wolf_tls13=yes
        ;;
    esac
done
IFS="$OIFS" #restore separator
#
# Start OpenSSL servers
#
# Check for certificate support in wolfSSL
# "cert" appearing in the client's usage text means the certificate options
# (-c/-k/-A) are compiled in; without them no certificate-based pair can run.
wolf_certs=`$WOLFSSL_CLIENT -? 2>&1`
case $wolf_certs in
*"cert"*)
    ;;
*)
    wolf_certs=""
    ;;
esac
if [ "$wolf_certs" != "" ]
then
    # Each wolfSSL probe below hands the client a CA file of the given key
    # type; a "ca file" load error in the output means this build cannot
    # handle that key type and the matching server pair is skipped.
    # Check if ECC certificates supported in wolfSSL
    # NOTE(review): this probes ed25519/ca-ecc-cert.pem while the ECDSA client
    # runs later use ${CERT_DIR}/ca-ecc-cert.pem - confirm the intended file.
    wolf_ecc=`$WOLFSSL_CLIENT -A "${CERT_DIR}/ed25519/ca-ecc-cert.pem" 2>&1`
    case $wolf_ecc in
    *"ca file"*)
        wolf_ecc=""
        ;;
    *)
        ;;
    esac
    # Check if Ed25519 certificates supported in wolfSSL
    wolf_ed25519=`$WOLFSSL_CLIENT -A "${CERT_DIR}/ed25519/root-ed25519.pem" 2>&1`
    case $wolf_ed25519 in
    *"ca file"*)
        wolf_ed25519=""
        ;;
    *)
        ;;
    esac
    # Check if Ed25519 certificates supported in OpenSSL
    # No -connect is given, so s_client attempts its built-in default target;
    # that connection is expected to fail and only the "unable to load" text
    # from loading the cert/key is inspected. A load failure clears
    # wolf_ed25519, i.e. the pair is skipped on both sides.
    openssl_ed25519=`$OPENSSL s_client -cert "${CERT_DIR}/ed25519/client-ed25519.pem" -key "${CERT_DIR}/ed25519/client-ed25519-priv.pem" 2>&1`
    case $openssl_ed25519 in
    *"unable to load"*)
        wolf_ed25519=""
        ;;
    *)
        ;;
    esac
    # Check if Ed448 certificates supported in wolfSSL
    wolf_ed448=`$WOLFSSL_CLIENT -A "${CERT_DIR}/ed448/root-ed448.pem" 2>&1`
    case $wolf_ed448 in
    *"ca file"*)
        wolf_ed448=""
        ;;
    *)
        ;;
    esac
    # Check if Ed448 certificates supported in OpenSSL
    # Same approach as the Ed25519 probe above.
    openssl_ed448=`$OPENSSL s_client -cert "${CERT_DIR}/ed448/client-ed448.pem" -key "${CERT_DIR}/ed448/client-ed448-priv.pem" 2>&1`
    case $openssl_ed448 in
    *"unable to load"*)
        wolf_ed448=""
        ;;
    *)
        ;;
    esac
fi
# openssl_tls13 keeps the full help text as a truthy marker when the
# -no_tls1_3 option exists (i.e. this OpenSSL speaks TLS 1.3), empty otherwise.
openssl_tls13=`$OPENSSL s_client -help 2>&1`
case $openssl_tls13 in
*no_tls1_3*)
    ;;
*)
    openssl_tls13=
    ;;
esac
# Not all openssl versions support -allow_no_dhe_kex
# When present it is appended to every s_server command line.
openssl_nodhe=`$OPENSSL s_client -help 2>&1`
case $openssl_nodhe in
*allow_no_dhe_kex*)
    openssl_nodhe=-allow_no_dhe_kex
    ;;
*)
    openssl_nodhe=
    ;;
esac
# Check suites to determine support in wolfSSL
# Walk the colon-separated wolfSSL cipher list once and set the family flags
# that decide which server pairs are started below. Patterns are tried in
# order: *ECDHE-RSA-* must precede *DHE-RSA-*, which would otherwise also
# match the ECDHE names.
OIFS="$IFS" # store old separator to reset
IFS=: # set delimiter
for wolfSuite in $wolf_ciphers; do
    case $wolfSuite in
    *ECDHE-RSA-*)
        ecdhe_avail=yes
        wolf_rsa=yes
        ;;
    *DHE-RSA-*)
        wolf_rsa=yes
        ;;
    *ECDH-RSA*)
        wolf_ecdh_rsa=yes
        ;;
    *ECDHE-ECDSA*|*ECDH-ECDSA*)
        wolf_ecdsa=yes
        ;;
    *ADH*)
        wolf_anon=yes
        ;;
    *PSK*)
        if [ "$wolf_psk" = "" ]
        then
            echo "Testing PSK"
            wolf_psk=1
        fi
        # PSK over TLS 1.0-1.2 is served by the "RSA" pair started with -j
        if [ "$wolf_tls" != "" ]
        then
            wolf_tls_psk=yes
        fi
        ;;
    *TLS13*)
        # no family flag: TLS 1.3 suites are translated one by one in the
        # version loop
        ;;
    *)
        # anything else needs the RSA certificate pair
        wolf_rsa=yes
    esac
done
IFS="$OIFS" #restore separator
# Anonymous (ADH) suites are only exercised when OpenSSL lists them as well.
openssl_ciphers=`$OPENSSL ciphers ALL 2>&1`
case $openssl_ciphers in
*ADH*)
    openssl_anon=yes
    ;;
esac
# TLSv1 -> TLSv1.2 PSK secret
# Fixed, low-entropy test key used only between the test peers on localhost.
# The same literal is repeated as "-psk 1a2b3c4d" for the OpenSSL client in
# the version loop; keep both in sync if it is ever changed.
psk_hex="1a2b3c4d"
  546. # If RSA cipher suites supported in wolfSSL then start servers
  547. if [ "$wolf_rsa" != "" -o "$wolf_tls_psk" != "" ]
  548. then
  549. if [ "$wolf_rsa" != "" ]
  550. then
  551. cert_file="${CERT_DIR}/server-cert.pem"
  552. key_file="${CERT_DIR}/server-key.pem"
  553. ca_file="${CERT_DIR}/client-ca.pem"
  554. else
  555. cert_file=
  556. key_file=
  557. ca_file=
  558. fi
  559. openssl_suite="RSA"
  560. start_openssl_server
  561. openssl_port=$server_port
  562. openssl_pid=$server_pid
  563. wolfssl_suite="RSA"
  564. if [ "$wolf_tls_psk" != "" ]
  565. then
  566. psk="-j"
  567. fi
  568. echo "cert_file=$cert_file"
  569. start_wolfssl_server
  570. psk=
  571. wolfssl_port=$server_port
  572. wolfssl_pid=$server_pid
  573. fi
  574. # If ECDH-RSA cipher suites supported in wolfSSL then start servers
  575. if [ "$wolf_ecdh_rsa" != "" ]
  576. then
  577. cert_file="${CERT_DIR}/server-ecc-rsa.pem"
  578. key_file="${CERT_DIR}/ecc-key.pem"
  579. ca_file="${CERT_DIR}/client-ca.pem"
  580. openssl_suite="ECDH-RSA"
  581. start_openssl_server
  582. ecdh_openssl_port=$server_port
  583. ecdh_openssl_pid=$server_pid
  584. wolfssl_suite="ECDH-RSA"
  585. start_wolfssl_server
  586. ecdh_wolfssl_port=$server_port
  587. ecdh_wolfssl_pid=$server_pid
  588. fi
  589. if [ "$wolf_ecdsa" != "" -a "$wolf_ecc" != "" ]
  590. then
  591. cert_file="${CERT_DIR}/server-ecc.pem"
  592. key_file="${CERT_DIR}/ecc-key.pem"
  593. ca_file="${CERT_DIR}/client-ca.pem"
  594. openssl_suite="ECDH[E]-ECDSA"
  595. start_openssl_server
  596. ecdsa_openssl_port=$server_port
  597. ecdsa_openssl_pid=$server_pid
  598. wolfssl_suite="ECDH[E]-ECDSA"
  599. start_wolfssl_server
  600. ecdsa_wolfssl_port=$server_port
  601. ecdsa_wolfssl_pid=$server_pid
  602. fi
  603. # If Ed25519 certificates supported in wolfSSL then start servers
  604. if [ "$wolf_ed25519" != "" ];
  605. then
  606. cert_file="${CERT_DIR}/ed25519/server-ed25519.pem"
  607. key_file="${CERT_DIR}/ed25519/server-ed25519-priv.pem"
  608. ca_file="${CERT_DIR}/ed25519/client-ed25519.pem"
  609. openssl_suite="Ed25519"
  610. start_openssl_server
  611. ed25519_openssl_port=$server_port
  612. ed25519_openssl_pid=$server_pid
  613. crl="-V"
  614. wolfssl_suite="Ed25519"
  615. start_wolfssl_server
  616. ed25519_wolfssl_port=$server_port
  617. ed25519_wolfssl_pid=$server_pid
  618. crl=
  619. fi
  620. # If Ed448 certificates supported in wolfSSL then start servers
  621. if [ "$wolf_ed448" != "" ];
  622. then
  623. cert_file="${CERT_DIR}/ed448/server-ed448.pem"
  624. key_file="${CERT_DIR}/ed448/server-ed448-priv.pem"
  625. ca_file="${CERT_DIR}/ed448/client-ed448.pem"
  626. openssl_suite="Ed448"
  627. start_openssl_server
  628. ed448_openssl_port=$server_port
  629. ed448_openssl_pid=$server_pid
  630. crl="-V"
  631. wolfssl_suite="Ed448"
  632. start_wolfssl_server
  633. ed448_wolfssl_port=$server_port
  634. ed448_wolfssl_pid=$server_pid
  635. crl=
  636. fi
  637. if [ "$wolf_tls13" != "" -a "$wolf_psk" != "" ]
  638. then
  639. cert_file=
  640. psk_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
  641. openssl_suite="TLSv1.3_PSK"
  642. start_openssl_server
  643. tls13_psk_openssl_port=$server_port
  644. tls13_psk_openssl_pid=$server_pid
  645. psk="-s"
  646. wolfssl_suite="TLSv1.3_PSK"
  647. start_wolfssl_server
  648. tls13_psk_wolfssl_port=$server_port
  649. tls13_psk_wolfssl_pid=$server_pid
  650. fi
  651. if [ "$wolf_anon" != "" -a "$openssl_anon" ]
  652. then
  653. cert_file=""
  654. key_file=""
  655. ca_file=""
  656. wolfssl_suite="Anon"
  657. psk="-a" # anonymous not psk
  658. start_wolfssl_server
  659. anon_wolfssl_port=$server_port
  660. anon_wolfssl_pid=$server_pid
  661. fi
  662. for s in $servers
  663. do
  664. f2=${s%:*}
  665. server_name=${f2%:*}
  666. server_port=${s##*:}
  667. check_server_ready
  668. done
  669. OIFS="$IFS" # store old separator to reset
  670. IFS=: # set delimiter
  671. set -f # no globbing
  672. wolf_temp_cases_total=0
  673. wolf_temp_cases_tested=0
  674. # Testing of OpenSSL support for version requires a running OpenSSL server
  675. for version in $wolf_versions;
  676. do
  677. echo -e "version = $version"
  678. # get openssl ciphers depending on version
  679. # -s flag for only supported ciphers
  680. case $version in
  681. "0")
  682. openssl_ciphers=`$OPENSSL ciphers "SSLv3" 2>&1`
  683. # double check that can actually do a sslv3 connection using
  684. # client-cert.pem to send but any file with EOF works
  685. $OPENSSL s_client -ssl3 -no_ign_eof -host localhost -port $openssl_port < "${CERT_DIR}/client-cert.pem"
  686. sslv3_sup=$?
  687. if [ $sslv3_sup != 0 ]
  688. then
  689. echo -e "Not testing SSLv3. No OpenSSL support for 'SSLv3' modifier"
  690. testing_summary="${testing_summary}SSLv3\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n"
  691. continue
  692. fi
  693. openssl_version="-ssl3"
  694. ;;
  695. "1")
  696. proto_check=`echo "hell" | $OPENSSL s_client -connect localhost:$openssl_port -tls1 2>&1`
  697. tlsv1_sup=$?
  698. if [ $tlsv1_sup != 0 ]
  699. then
  700. echo -e "Not testing TLSv1. No OpenSSL support for '-tls1'"
  701. testing_summary="${testing_summary}TLSv1\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL Support)\n"
  702. continue
  703. fi
  704. openssl_ciphers=`$OPENSSL ciphers -s "TLSv1" 2>&1`
  705. tlsv1_sup=$?
  706. if [ $tlsv1_sup != 0 ]
  707. then
  708. echo -e "Not testing TLSv1. No OpenSSL support for 'TLSv1' modifier"
  709. testing_summary="${testing_summary}TLSv1\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n"
  710. continue
  711. fi
  712. openssl_version="-tls1"
  713. ;;
  714. "2")
  715. # Same ciphers for TLSv1.1 as TLSv1
  716. proto_check=`echo "hello" | $OPENSSL s_client -connect localhost:$openssl_port -tls1_1 2>&1`
  717. tlsv1_1_sup=$?
  718. if [ $tlsv1_1_sup != 0 ]
  719. then
  720. echo -e "Not testing TLSv1.1. No OpenSSL support for 'TLSv1.1' modifier"
  721. testing_summary="${testing_summary}TLSv1.1\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n"
  722. continue
  723. fi
  724. openssl_ciphers=`$OPENSSL ciphers -s "TLSv1" 2>&1`
  725. tlsv1_sup=$?
  726. if [ $tlsv1_sup != 0 ]
  727. then
  728. echo -e "Not testing TLSv1. No OpenSSL support for 'TLSv1' modifier"
  729. testing_summary="${testing_summary}TLSv1\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n"
  730. continue
  731. fi
  732. openssl_version="-tls1_1"
  733. ;;
  734. "3")
  735. openssl_ciphers=`$OPENSSL ciphers -s "TLSv1.2" 2>&1`
  736. tlsv1_2_sup=$?
  737. if [ $tlsv1_2_sup != 0 ]
  738. then
  739. echo -e "Not testing TLSv1.2. No OpenSSL support for 'TLSv1.2' modifier"
  740. testing_summary="${testing_summary}TLSv1.2\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n"
  741. continue
  742. fi
  743. openssl_version="-tls1_2"
  744. ;;
  745. "4")
  746. openssl_ciphers=`$OPENSSL ciphers -tls1_3 2>&1`
  747. tlsv1_3_sup=$?
  748. if [ $tlsv1_3_sup != 0 ]
  749. then
  750. echo -e "Not testing TLSv1.3. No OpenSSL support for 'TLSv1.3' modifier"
  751. testing_summary="${testing_summary}TLSv1.3\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n"
  752. continue
  753. fi
  754. ecc_support=`$WOLFSSL_CLIENT -? 2>&1 | grep 'ECC named groups'`
  755. openssl_version="-tls1_3"
  756. ;;
  757. "d(downgrade)")
  758. version="d"
  759. openssl_version=""
  760. ;;
  761. "e(either)")
  762. continue
  763. ;;
  764. "5") #test all suites
  765. openssl_ciphers=`$OPENSSL ciphers -s "ALL" 2>&1`
  766. all_sup=$?
  767. if [ $all_sup != 0 ]
  768. then
  769. echo -e "Not testing ALL. No OpenSSL support for ALL modifier"
  770. testing_summary="${testing_summary}ALL\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n"
  771. continue
  772. fi
  773. openssl_version=""
  774. ;;
  775. "")
  776. openssl_ciphers=`$OPENSSL ciphers 2>&1`
  777. all_sup=$?
  778. if [ $all_sup != 0 ]
  779. then
  780. echo -e "Not testing ALL. No OpenSSL support for ALL modifier"
  781. testing_summary="${testing_summary}ALL\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n"
  782. continue
  783. fi
  784. openssl_version=""
  785. ;;
  786. esac
  787. for wolfSuite in $wolf_ciphers; do
  788. echo -e "trying wolfSSL cipher suite $wolfSuite"
  789. wolf_temp_cases_total=$((wolf_temp_cases_total + 1))
  790. open_temp_cases_total=$((open_temp_cases_total + 1))
  791. matchSuite=0;
  792. tls13_suite=
  793. case $wolfSuite in
  794. "TLS13-AES128-GCM-SHA256")
  795. cmpSuite="TLS_AES_128_GCM_SHA256"
  796. tls13_suite="yes"
  797. ;;
  798. "TLS13-AES256-GCM-SHA384")
  799. cmpSuite="TLS_AES_256_GCM_SHA384"
  800. tls13_suite="yes"
  801. ;;
  802. "TLS13-CHACHA20-POLY1305-SHA256")
  803. cmpSuite="TLS_CHACHA20_POLY1305_SHA256"
  804. tls13_suite="yes"
  805. ;;
  806. "TLS13-AES128-CCM-SHA256")
  807. cmpSuite="TLS_AES_128_CCM_SHA256"
  808. tls13_suite="yes"
  809. ;;
  810. "TLS13-AES128-CCM-8-SHA256"|"TLS13-AES128-CCM8-SHA256")
  811. cmpSuite="TLS_AES_128_CCM_8_SHA256"
  812. tls13_suite="yes"
  813. ;;
  814. "TLS13-SHA256-SHA256")
  815. continue
  816. ;;
  817. "TLS13-SHA384-SHA384")
  818. continue
  819. ;;
  820. "TLS13-"*)
  821. echo -e "Suite = $wolfSuite not recognized!"
  822. echo -e "Add translation of wolfSSL name to OpenSSL"
  823. do_cleanup
  824. exit 1
  825. ;;
  826. *)
  827. cmpSuite=$wolfSuite
  828. ;;
  829. esac
  830. case ":$openssl_ciphers:" in *":$cmpSuite:"*) # add extra : for edge cases
  831. case "$cmpSuite" in
  832. "TLS_"*)
  833. if [ "$version" != "4" -a "$version" != "d" ]
  834. then
  835. echo -e "TLS 1.3 cipher suite but not TLS 1.3 protocol"
  836. matchSuite=0
  837. else
  838. echo -e "Matched to OpenSSL suite support"
  839. matchSuite=1
  840. fi
  841. ;;
  842. *)
  843. if [ "$version" = "d" -a "$wolfdowngrade" = "4" ]
  844. then
  845. echo -e "Not TLS 1.3 cipher suite but TLS 1.3 downgrade"
  846. matchSuite=0
  847. elif [ "$version" != "4" ]
  848. then
  849. echo -e "Matched to OpenSSL suite support"
  850. matchSuite=1
  851. else
  852. echo -e "Not TLS 1.3 cipher suite but TLS 1.3 protocol"
  853. matchSuite=0
  854. fi
  855. ;;
  856. esac
  857. ;;
  858. esac
  859. if [ $matchSuite = 0 ]
  860. then
  861. echo -e "Couldn't match suite, continuing..."
  862. continue
  863. fi
  864. # check for psk suite and turn on client psk if so
  865. psk=""
  866. adh=""
  867. crl=""
  868. cert=""
  869. key=""
  870. caCert=""
  871. case $wolfSuite in
  872. *ECDH-RSA*)
  873. cert="${CERT_DIR}/client-cert.pem"
  874. key="${CERT_DIR}/client-key.pem"
  875. caCert="${CERT_DIR}/ca-cert.pem"
  876. port=$ecdh_openssl_port
  877. do_wolfssl_client
  878. port=$ecdh_wolfssl_port
  879. do_openssl_client
  880. ;;
  881. *ECDHE-ECDSA*|*ECDH-ECDSA*)
  882. if [ "$wolf_ecc" != "" ]
  883. then
  884. cert="${CERT_DIR}/client-cert.pem"
  885. key="${CERT_DIR}/client-key.pem"
  886. caCert="${CERT_DIR}/ca-ecc-cert.pem"
  887. port=$ecdsa_openssl_port
  888. do_wolfssl_client
  889. port=$ecdsa_wolfssl_port
  890. do_openssl_client
  891. else
  892. wolf_temp_cases_total=$((wolf_temp_cases_total - 1))
  893. fi
  894. if [ $ed25519_openssl_pid != $no_pid -a "$version" != "0" -a "$version" != "1" -a "$version" != "2" ]
  895. then
  896. cert="${CERT_DIR}/ed25519/client-ed25519.pem"
  897. key="${CERT_DIR}/ed25519/client-ed25519-priv.pem"
  898. caCert="${CERT_DIR}/ed25519/server-ed25519.pem"
  899. wolf_temp_cases_total=$((wolf_temp_cases_total + 1))
  900. port=$ed25519_openssl_port
  901. crl="-C"
  902. do_wolfssl_client
  903. open_temp_cases_total=$((open_temp_cases_total + 1))
  904. port=$ed25519_wolfssl_port
  905. do_openssl_client
  906. fi
  907. if [ $ed448_openssl_pid != $no_pid -a "$version" != "0" -a "$version" != "1" -a "$version" != "2" ]
  908. then
  909. cert="${CERT_DIR}/ed448/client-ed448.pem"
  910. key="${CERT_DIR}/ed448/client-ed448-priv.pem"
  911. caCert="${CERT_DIR}/ed448/server-ed448.pem"
  912. wolf_temp_cases_total=$((wolf_temp_cases_total + 1))
  913. port=$ed448_openssl_port
  914. crl="-C"
  915. do_wolfssl_client
  916. open_temp_cases_total=$((open_temp_cases_total + 1))
  917. port=$ed448_wolfssl_port
  918. do_openssl_client
  919. fi
  920. ;;
  921. *DHE-PSK*)
  922. cert="${CERT_DIR}/client-cert.pem"
  923. key="${CERT_DIR}/client-key.pem"
  924. caCert="${CERT_DIR}/ca-cert.pem"
  925. port=$openssl_port
  926. psk="-s"
  927. do_wolfssl_client
  928. # Skip when no RSA as some versions of OpenSSL can't handle no
  929. # signature
  930. if [ "$wolf_rsa" != "" ]
  931. then
  932. port=$wolfssl_port
  933. openssl_psk="-psk 1a2b3c4d"
  934. do_openssl_client
  935. fi
  936. ;;
  937. *PSK*)
  938. cert="${CERT_DIR}/client-cert.pem"
  939. key="${CERT_DIR}/client-key.pem"
  940. caCert="${CERT_DIR}/ca-cert.pem"
  941. port=$openssl_port
  942. psk="-s"
  943. do_wolfssl_client
  944. port=$wolfssl_port
  945. openssl_psk="-psk 1a2b3c4d"
  946. do_openssl_client
  947. ;;
  948. *ADH*)
  949. cert="${CERT_DIR}/client-cert.pem"
  950. key="${CERT_DIR}/client-key.pem"
  951. caCert="${CERT_DIR}/ca-cert.pem"
  952. if [ "$version" != "0" -a "$version" != "1" -a "$version" != "2" -a "$openssl_adh_reneg_bug" != "" ]
  953. then
  954. continue
  955. fi
  956. port=$openssl_port
  957. adh="-a"
  958. do_wolfssl_client
  959. port=$anon_wolfssl_port
  960. do_openssl_client
  961. ;;
  962. TLS13*)
  963. if [ $version != "4" -a $version != "d" -a $version != " " -a $version != "5" ]
  964. then
  965. continue
  966. fi
  967. tls13_cipher=yes
  968. # RSA
  969. if [ $openssl_pid != $no_pid -a "$ecdhe_avail" = "yes" ]
  970. then
  971. cert="${CERT_DIR}/client-cert.pem"
  972. key="${CERT_DIR}/client-key.pem"
  973. caCert="${CERT_DIR}/ca-cert.pem"
  974. port=$openssl_port
  975. do_wolfssl_client
  976. port=$wolfssl_port
  977. do_openssl_client
  978. fi
  979. # PSK
  980. if [ "$wolf_psk" != "" -a $wolfSuite = "TLS13-AES128-GCM-SHA256" -a "$wolf_ecc" != "" -a $openssl_nodhe != "" ]
  981. then
  982. cert=""
  983. key=""
  984. caCert=""
  985. wolf_temp_cases_total=$((wolf_temp_cases_total + 1))
  986. port=$tls13_psk_openssl_port
  987. psk="-s"
  988. # OpenSSL doesn't support DH for key exchange so do no PSK
  989. # DHE when ECC not supported
  990. if [ "$wolf_ecc" = "" ]
  991. then
  992. adh="-K"
  993. fi
  994. do_wolfssl_client
  995. psk=""
  996. adh=""
  997. openssl_psk="-psk 0123456789abcdef0123456789abcdef"
  998. open_temp_cases_total=$((open_temp_cases_total + 1))
  999. port=$wolfssl_port
  1000. do_openssl_client
  1001. open_temp_cases_total=$((open_temp_cases_total + 1))
  1002. port=$tls13_psk_wolfssl_port
  1003. do_openssl_client
  1004. openssl_psk=""
  1005. fi
  1006. # ECDSA
  1007. if [ $ecdsa_openssl_pid != $no_pid -a "$wolf_ecc" != "" ]
  1008. then
  1009. cert="${CERT_DIR}/client-ecc-cert.pem"
  1010. key="${CERT_DIR}/ecc-client-key.pem"
  1011. caCert="${CERT_DIR}/ca-ecc-cert.pem"
  1012. wolf_temp_cases_total=$((wolf_temp_cases_total + 1))
  1013. port=$ecdsa_openssl_port
  1014. caCert="${CERT_DIR}/ca-ecc-cert.pem"
  1015. do_wolfssl_client
  1016. open_temp_cases_total=$((open_temp_cases_total + 1))
  1017. port=$ecdsa_wolfssl_port
  1018. caCert="${CERT_DIR}/ca-ecc-cert.pem"
  1019. do_openssl_client
  1020. fi
  1021. # Ed25519
  1022. if [ $ed25519_openssl_pid != $no_pid ]
  1023. then
  1024. cert="${CERT_DIR}/ed25519/client-ed25519.pem"
  1025. key="${CERT_DIR}/ed25519/client-ed25519-priv.pem"
  1026. caCert="${CERT_DIR}/ed25519/server-ed25519.pem"
  1027. wolf_temp_cases_total=$((wolf_temp_cases_total + 1))
  1028. port=$ed25519_openssl_port
  1029. crl="-C"
  1030. do_wolfssl_client
  1031. open_temp_cases_total=$((open_temp_cases_total + 1))
  1032. port=$ed25519_wolfssl_port
  1033. do_openssl_client
  1034. fi
  1035. # Ed448
  1036. if [ $ed448_openssl_pid != $no_pid ]
  1037. then
  1038. cert="${CERT_DIR}/ed448/client-ed448.pem"
  1039. key="${CERT_DIR}/ed448/client-ed448-priv.pem"
  1040. caCert="${CERT_DIR}/ed448/server-ed448.pem"
  1041. wolf_temp_cases_total=$((wolf_temp_cases_total + 1))
  1042. port=$ed448_openssl_port
  1043. crl="-C"
  1044. do_wolfssl_client
  1045. open_temp_cases_total=$((open_temp_cases_total + 1))
  1046. port=$ed448_wolfssl_port
  1047. do_openssl_client
  1048. fi
  1049. tls13_cipher=
  1050. ;;
  1051. *)
  1052. cert="${CERT_DIR}/client-cert.pem"
  1053. key="${CERT_DIR}/client-key.pem"
  1054. caCert="${CERT_DIR}/ca-cert.pem"
  1055. port=$openssl_port
  1056. do_wolfssl_client
  1057. port=$wolfssl_port
  1058. do_openssl_client
  1059. ;;
  1060. esac
  1061. done
  1062. wolf_cases_tested=$((wolf_temp_cases_tested+wolf_cases_tested))
  1063. wolf_cases_total=$((wolf_temp_cases_total+wolf_cases_total))
  1064. echo -e "wolfSSL cases tested with version:$version $wolf_temp_cases_tested"
  1065. open_cases_tested=$((open_temp_cases_tested+open_cases_tested))
  1066. open_cases_total=$((open_temp_cases_total+open_cases_total))
  1067. echo -e "OpenSSL cases tested with version:$version $open_temp_cases_tested"
  1068. version_name
  1069. testing_summary="$testing_summary$versionName\tYes\t$wolf_temp_cases_total\t$wolf_temp_cases_tested\t$open_temp_cases_total\t$open_temp_cases_tested\n"
  1070. wolf_temp_cases_total=0
  1071. wolf_temp_cases_tested=0
  1072. open_temp_cases_total=0
  1073. open_temp_cases_tested=0
  1074. wolfdowngrade="$version"
  1075. done
  1076. IFS="$OIFS" #restore separator
  1077. do_cleanup
  1078. echo -e "wolfSSL total cases $wolf_cases_total"
  1079. echo -e "wolfSSL cases tested $wolf_cases_tested"
  1080. echo -e "OpenSSL total cases $open_cases_total"
  1081. echo -e "OpenSSL cases tested $open_cases_tested"
  1082. echo -e "\nSuccess!\n\n\n\n"
  1083. echo -e "$testing_summary"
  1084. exit 0