2
0

sniffer-testsuite.test 7.5 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199
  1. #!/usr/bin/env bash
  2. #sniffer-testsuite.test
  3. # if we can, isolate the network namespace to eliminate port collisions.
  4. if [[ -n "$NETWORK_UNSHARE_HELPER" ]]; then
  5. if [[ -z "$NETWORK_UNSHARE_HELPER_CALLED" ]]; then
  6. export NETWORK_UNSHARE_HELPER_CALLED=yes
  7. exec "$NETWORK_UNSHARE_HELPER" "$0" "$@" || exit $?
  8. fi
  9. elif [ "${AM_BWRAPPED-}" != "yes" ]; then
  10. bwrap_path="$(command -v bwrap)"
  11. if [ -n "$bwrap_path" ]; then
  12. export AM_BWRAPPED=yes
  13. exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
  14. fi
  15. unset AM_BWRAPPED
  16. fi
  17. has_tlsv13=no
  18. ./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'tls_v13 '
  19. if [ $? -eq 0 ]; then
  20. has_tlsv13=yes
  21. fi
  22. has_tlsv12=no
  23. ./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'tls_v12 '
  24. if [ $? -eq 0 ]; then
  25. has_tlsv12=yes
  26. fi
  27. has_rsa=no
  28. ./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'rsa '
  29. if [ $? -eq 0 ]; then
  30. has_rsa=yes
  31. fi
  32. has_ecc=no
  33. ./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'ecc '
  34. if [ $? -eq 0 ]; then
  35. has_ecc=yes
  36. fi
  37. has_x25519=no
  38. ./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'x22519 '
  39. if [ $? -eq 0 ]; then
  40. has_x25519=yes
  41. fi
  42. has_dh=no
  43. ./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'dh '
  44. if [ $? -eq 0 ]; then
  45. has_dh=yes
  46. fi
  47. # ./configure --enable-sniffer [--enable-session-ticket]
  48. # Resumption tests require "--enable-session-ticket"
  49. session_ticket=no
  50. ./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'session_ticket '
  51. if [ $? -eq 0 ]; then
  52. session_ticket=yes
  53. fi
  54. has_static_rsa=no
  55. ./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'rsa_static '
  56. if [ $? -eq 0 ]; then
  57. has_static_rsa=yes
  58. fi
  59. # ./configure --enable-sniffer CFLAGS="-DWOLFSSL_SNIFFER_KEYLOGFILE"
  60. has_keylog=no
  61. ./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'ssl_keylog_file'
  62. if [ $? -eq 0 ]; then
  63. has_keylog=yes
  64. fi
  65. RESULT=0
  66. # TLS v1.2 Static RSA Test
  67. if test $RESULT -eq 0 && test $has_rsa == yes && test $has_tlsv12 == yes && test $has_static_rsa == yes
  68. then
  69. echo -e "\nStarting snifftest on sniffer-static-rsa.pcap...\n"
  70. ./sslSniffer/sslSnifferTest/snifftest -pcap ./scripts/sniffer-static-rsa.pcap -key ./certs/server-key.pem -server 127.0.0.1 -port 11111
  71. RESULT=$?
  72. [ $RESULT -ne 0 ] && echo -e "\nsnifftest static RSA failed\n" && exit 1
  73. fi
  74. # TLS v1.2 Static RSA Test (IPv6)
  75. if test $RESULT -eq 0 && test $has_rsa == yes && test $has_tlsv12 == yes && test $has_static_rsa == yes
  76. then
  77. echo -e "\nStarting snifftest on sniffer-ipv6.pcap...\n"
  78. ./sslSniffer/sslSnifferTest/snifftest -pcap ./scripts/sniffer-ipv6.pcap -key ./certs/server-key.pem -server ::1 -port 11111
  79. RESULT=$?
  80. [ $RESULT -ne 0 ] && echo -e "\nsnifftest (ipv6) failed\n" && exit 1
  81. fi
  82. # TLS v1.2 and v1.3 sniffer keylog file test: runs sniffer on pcap and associated keylog file and compares decrypted traffic with known good output.
  83. # To regenerate the known good output, run `scripts/sniffer-gen.sh` to regenerate the pcap and keylog file, then run the sniffer on it
  84. # with the same arguments as in the test below, but redirect output to `./scripts/sniffer-tls12-keylog.out`.
  85. if test $RESULT -eq 0 && test $has_keylog == yes
  86. then
  87. for tlsver in tls12 tls13
  88. do
  89. # skip tls versions we don't have compiled-in support for
  90. [[ $tlsver == "tls12" && $has_tlsv12 == "no" ]] && continue
  91. [[ $tlsver == "tls13" && $has_tlsv13 == "no" ]] && continue
  92. echo -e "\nStarting snifftest on sniffer-$tlsver-keylog.pcap...\n"
  93. TMPFILE=$(mktemp)
  94. RESULT=$?
  95. [ $RESULT -ne 0 ] && echo -e "\n$tlsver snifftest keylog test failed: unable to create tmpfile\n" && rm $TMPFILE && exit 1
  96. ./sslSniffer/sslSnifferTest/snifftest \
  97. -pcap scripts/sniffer-$tlsver-keylog.pcap \
  98. -keylogfile scripts/sniffer-$tlsver-keylog.sslkeylog \
  99. -server 127.0.0.1 -port 11111 | tee $TMPFILE
  100. RESULT=$?
  101. [ $RESULT -ne 0 ] && echo -e "\n$tlsver snifftest keylog test failed: snifftest returned $RESULT\n" && rm $TMPFILE && exit 1
  102. # use grep to only compare against decrypted output
  103. SEARCH_STRING="SSL App Data"
  104. grep "$SEARCH_STRING" $TMPFILE | diff - <(grep "$SEARCH_STRING" scripts/sniffer-$tlsver-keylog.out)
  105. RESULT=$?
  106. [ $RESULT -ne 0 ] && echo -e "\n$tlsver snifftest keylog test failed: snifftest diff returned $RESULT\n" && rm $TMPFILE && exit 1
  107. rm $TMPFILE
  108. done
  109. fi
  110. # TLS v1.3 sniffer test ECC
  111. if test $RESULT -eq 0 && test $has_tlsv13 == yes && test $has_ecc == yes
  112. then
  113. echo -e "\nStarting snifftest on sniffer-tls13-ecc.pcap...\n"
  114. ./sslSniffer/sslSnifferTest/snifftest -pcap ./scripts/sniffer-tls13-ecc.pcap -key ./certs/statickeys/ecc-secp256r1.pem -server 127.0.0.1 -port 11111
  115. RESULT=$?
  116. [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 ECC failed\n" && exit 1
  117. fi
  118. # TLS v1.3 sniffer test DH
  119. if test $RESULT -eq 0 && test $has_tlsv13 == yes && test $has_dh == yes
  120. then
  121. echo -e "\nStarting snifftest on sniffer-tls13-dh.pcap...\n"
  122. ./sslSniffer/sslSnifferTest/snifftest -pcap ./scripts/sniffer-tls13-dh.pcap -key ./certs/statickeys/dh-ffdhe2048.pem -server 127.0.0.1 -port 11111
  123. RESULT=$?
  124. [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 DH failed\n" && exit 1
  125. fi
  126. # TLS v1.3 sniffer test X25519
  127. if test $RESULT -eq 0 && test $has_tlsv13 == yes && test $has_x25519 == yes
  128. then
  129. echo -e "\nStarting snifftest on sniffer-tls13-x25519.pcap...\n"
  130. ./sslSniffer/sslSnifferTest/snifftest -pcap ./scripts/sniffer-tls13-x25519.pcap -key ./certs/statickeys/x25519.pem -server 127.0.0.1 -port 11111
  131. RESULT=$?
  132. [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 X25519 failed\n" && exit 1
  133. fi
  134. # TLS v1.3 sniffer test ECC resumption
  135. if test $RESULT -eq 0 && test $has_tlsv13 == yes && test $has_ecc == yes && test $session_ticket == yes
  136. then
  137. echo -e "\nStarting snifftest on sniffer-tls13-ecc-resume.pcap...\n"
  138. ./sslSniffer/sslSnifferTest/snifftest -pcap ./scripts/sniffer-tls13-ecc-resume.pcap -key ./certs/statickeys/ecc-secp256r1.pem -server 127.0.0.1 -port 11111
  139. RESULT=$?
  140. [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 ECC failed\n" && exit 1
  141. fi
  142. # TLS v1.3 sniffer test DH
  143. if test $RESULT -eq 0 && test $has_tlsv13 == yes && test $has_dh == yes && test $session_ticket == yes
  144. then
  145. echo -e "\nStarting snifftest on sniffer-tls13-dh-resume.pcap...\n"
  146. ./sslSniffer/sslSnifferTest/snifftest -pcap ./scripts/sniffer-tls13-dh-resume.pcap -key ./certs/statickeys/dh-ffdhe2048.pem -server 127.0.0.1 -port 11111
  147. RESULT=$?
  148. [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 DH failed\n" && exit 1
  149. fi
  150. # TLS v1.3 sniffer test X25519
  151. if test $RESULT -eq 0 && test $has_tlsv13 == yes && test $has_x25519 == yes && test $session_ticket == yes
  152. then
  153. echo -e "\nStarting snifftest on sniffer-tls13-x25519-resume.pcap...\n"
  154. ./sslSniffer/sslSnifferTest/snifftest -pcap ./scripts/sniffer-tls13-x25519-resume.pcap -key ./certs/statickeys/x25519.pem -server 127.0.0.1 -port 11111
  155. RESULT=$?
  156. [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 X25519 failed\n" && exit 1
  157. fi
  158. # TLS v1.3 sniffer test hello_retry_request (HRR) with ECDHE
  159. if test $RESULT -eq 0 && test $has_tlsv13 == yes && test $has_ecc == yes
  160. then
  161. echo -e "\nStarting snifftest on sniffer-tls13-hrr.pcap...\n"
  162. ./sslSniffer/sslSnifferTest/snifftest -pcap ./scripts/sniffer-tls13-hrr.pcap -key ./certs/statickeys/ecc-secp256r1.pem -server 127.0.0.1 -port 11111
  163. RESULT=$?
  164. [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 HRR failed\n" && exit 1
  165. fi
  166. echo -e "\nSuccess!\n"
  167. exit 0