1
0

tls13.test 9.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358
  1. #!/bin/bash
  2. # tls13.test
  3. # Copyright wolfSSL 2016-2021
  4. # if we can, isolate the network namespace to eliminate port collisions.
  5. if [[ -n "$NETWORK_UNSHARE_HELPER" ]]; then
  6. if [[ -z "$NETWORK_UNSHARE_HELPER_CALLED" ]]; then
  7. export NETWORK_UNSHARE_HELPER_CALLED=yes
  8. exec "$NETWORK_UNSHARE_HELPER" "$0" "$@" || exit $?
  9. fi
  10. elif [ "${AM_BWRAPPED-}" != "yes" ]; then
  11. bwrap_path="$(command -v bwrap)"
  12. if [ -n "$bwrap_path" ]; then
  13. export AM_BWRAPPED=yes
  14. exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
  15. fi
  16. unset AM_BWRAPPED
  17. fi
  18. # retries to mitigate race on early data:
  19. early_data_try_max=10
  20. # getting unique port is modeled after resume.test script
  21. # need a unique port since may run the same time as testsuite
  22. # use server port zero hack to get one
  23. port=0
  24. no_pid=-1
  25. server_pid=$no_pid
  26. counter=0
  27. # let's use absolute path to a local dir (make distcheck may be in sub dir)
  28. # also let's add some randomness by adding pid in case multiple 'make check's
  29. # per source tree
  30. ready_file="$(pwd)/wolfssl_tls13_ready$$"
  31. client_file="$(pwd)/wolfssl_tls13_client$$"
  32. # Server output
  33. server_out_file="$(pwd)/wolfssl_tls13_server_out$$"
  34. # Client output
  35. client_out_file="$(pwd)/wolfssl_tls13_client_out$$"
  36. echo "ready file \"$ready_file\""
  37. create_port() {
  38. while [ ! -s "$ready_file" ]; do
  39. if [ "$counter" -gt 50 ]; then
  40. break
  41. fi
  42. echo -e "waiting for ready file..."
  43. sleep 0.1
  44. counter=$((counter+ 1))
  45. done
  46. if [ -e "$ready_file" ]; then
  47. echo -e "found ready file, starting client..."
  48. # sleep for an additional 0.1 to mitigate race on write/read of $ready_file:
  49. sleep 0.1
  50. # get created port 0 ephemeral port
  51. port="$(cat "$ready_file")"
  52. else
  53. echo -e "NO ready file ending test..."
  54. do_cleanup
  55. fi
  56. }
  57. remove_ready_file() {
  58. if [ -e "$ready_file" ]; then
  59. echo -e "removing existing ready file"
  60. rm "$ready_file"
  61. fi
  62. }
  63. do_cleanup() {
  64. echo "in cleanup"
  65. if [ $server_pid != $no_pid ]
  66. then
  67. echo "killing server"
  68. kill -9 $server_pid 2>/dev/null
  69. server_pid=$no_pid
  70. fi
  71. remove_ready_file
  72. if [ -e "$client_file" ]; then
  73. echo -e "removing existing client file"
  74. rm "$client_file"
  75. fi
  76. if [ -e "$server_out_file" ]; then
  77. echo -e "removing existing server output file"
  78. rm "$server_out_file"
  79. fi
  80. if [ -e "$client_out_file" ]; then
  81. echo -e "removing existing client output file"
  82. rm "$client_out_file"
  83. fi
  84. }
  85. do_trap() {
  86. echo "got trap"
  87. do_cleanup
  88. exit 1
  89. }
  90. trap do_trap INT TERM
  91. [ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
  92. ./examples/client/client '-?' 2>&1 | grep -- 'Client not compiled in!'
  93. if [ $? -eq 0 ]; then
  94. exit 0
  95. fi
  96. ./examples/server/server '-?' 2>&1 | grep -- 'Server not compiled in!'
  97. if [ $? -eq 0 ]; then
  98. exit 0
  99. fi
  100. # Usual TLS v1.3 server / TLS v1.3 client.
  101. echo -e "\n\nTLS v1.3 server with TLS v1.3 client"
  102. port=0
  103. ./examples/server/server -v 4 -R "$ready_file" -p $port &
  104. server_pid=$!
  105. create_port
  106. ./examples/client/client -v 4 -p $port | tee "$client_file"
  107. RESULT=$?
  108. remove_ready_file
  109. if [ $RESULT -ne 0 ]; then
  110. echo -e "\n\nTLS v1.3 not enabled"
  111. do_cleanup
  112. exit 1
  113. fi
  114. echo ""
  115. # TLS 1.3 cipher suites server / client.
  116. echo -e "\n\nTLS v1.3 cipher suite mismatch"
  117. port=0
  118. ./examples/server/server -v 4 -R "$ready_file" -p $port -l TLS13-AES128-GCM-SHA256 &
  119. server_pid=$!
  120. create_port
  121. ./examples/client/client -v 4 -p $port -l TLS13-AES256-GCM-SHA384
  122. RESULT=$?
  123. remove_ready_file
  124. if [ $RESULT -eq 0 ]; then
  125. echo -e "\n\nIssue with mismatched TLS v1.3 cipher suites"
  126. do_cleanup
  127. exit 1
  128. fi
  129. do_cleanup
  130. echo ""
  131. grep -F -e 'NO_CERTS' ./wolfssl/options.h
  132. NO_CERTS=$?
  133. grep -F -e 'WOLFSSL_NO_CLIENT_AUTH' ./wolfssl/options.h
  134. NO_CLIENT_AUTH=$?
  135. if [ $NO_CERTS -ne 0 -a $NO_CLIENT_AUTH -ne 0 ]; then
  136. # TLS 1.3 mutual auth required but client doesn't send certificates.
  137. echo -e "\n\nTLS v1.3 mutual auth fail"
  138. port=0
  139. ./examples/server/server -v 4 -F -R "$ready_file" -p $port &
  140. server_pid=$!
  141. create_port
  142. ./examples/client/client -v 4 -x -p $port
  143. RESULT=$?
  144. remove_ready_file
  145. if [ $RESULT -eq 0 ]; then
  146. echo -e "\n\nIssue with requiring mutual authentication"
  147. do_cleanup
  148. exit 1
  149. fi
  150. do_cleanup
  151. echo ""
  152. fi
  153. # Check for TLS 1.2 support
  154. ./examples/client/client -v 3 2>&1 | grep -F -e 'Bad SSL version'
  155. if [ $? -ne 0 ]; then
  156. # TLS 1.3 server / TLS 1.2 client.
  157. echo -e "\n\nTLS v1.3 server downgrading to TLS v1.2"
  158. port=0
  159. ./examples/server/server -v 4 -R "$ready_file" -p $port &
  160. server_pid=$!
  161. create_port
  162. ./examples/client/client -v 3 -p $port
  163. RESULT=$?
  164. remove_ready_file
  165. if [ $RESULT -eq 0 ]; then
  166. echo -e "\n\nIssue with TLS v1.3 server downgrading to TLS v1.2"
  167. do_cleanup
  168. exit 1
  169. fi
  170. do_cleanup
  171. echo ""
  172. # TLS 1.2 server / TLS 1.3 client.
  173. echo -e "\n\nTLS v1.3 client upgrading server to TLS v1.3"
  174. port=0
  175. ./examples/server/server -v 3 -R "$ready_file" -p $port &
  176. server_pid=$!
  177. create_port
  178. ./examples/client/client -v 4 -p $port
  179. RESULT=$?
  180. remove_ready_file
  181. if [ $RESULT -eq 0 ]; then
  182. echo -e "\n\nIssue with TLS v1.3 client upgrading server to TLS v1.3"
  183. do_cleanup
  184. exit 1
  185. fi
  186. do_cleanup
  187. echo ""
  188. echo "Find usable TLS 1.2 cipher suite"
  189. for CS in ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256
  190. do
  191. echo $CS
  192. ./examples/client/client -e | grep -F -e "$CS" >/dev/null
  193. if [ "$?" = "0" ]; then
  194. TLS12_CS=$CS
  195. break
  196. fi
  197. do_cleanup
  198. done
  199. if [ "$TLS12_CS" != "" ]; then
  200. # TLS 1.3 downgrade server and client - no common TLS 1.3 ciphers
  201. echo -e "\n\nTLS v1.3 downgrade server and client - no common TLS 1.3 ciphers"
  202. port=0
  203. SERVER_CS="TLS13-AES256-GCM-SHA384:$TLS12_CS"
  204. CLIENT_CS="TLS13-AES128-GCM-SHA256:$TLS12_CS"
  205. ./examples/server/server -v d -l $SERVER_CS -R "$ready_file" -p $port &
  206. server_pid=$!
  207. create_port
  208. ./examples/client/client -v d -l $CLIENT_CS -p $port
  209. RESULT=$?
  210. remove_ready_file
  211. if [ $RESULT -eq 0 ]; then
  212. echo -e "\n\nTLS v1.3 downgrading to TLS v1.2 due to ciphers"
  213. do_cleanup
  214. exit 1
  215. fi
  216. do_cleanup
  217. echo ""
  218. else
  219. echo "No usable TLS 1.2 cipher suite found"
  220. fi
  221. fi
  222. # Check for EarlyData support
  223. ./examples/client/client -? 2>&1 | grep -F -e 'Early data'
  224. if [ $? -eq 0 ]; then
  225. early_data=yes
  226. fi
  227. ./examples/client/client -? 2>&1 | grep -F -e 'Shared keys'
  228. if [ $? -eq 0 ]; then
  229. psk=yes
  230. fi
  231. if [ "$early_data" = "yes" ]; then
  232. early_data_try_num=1
  233. while :; do
  234. echo -e "\n\nTLS v1.3 Early Data - session ticket"
  235. port=0
  236. (./examples/server/server -v 4 -r -0 -R "$ready_file" -p $port 2>&1 | \
  237. tee "$server_out_file") &
  238. server_pid=$!
  239. create_port
  240. ./examples/client/client -v 4 -r -0 -p $port >"$client_out_file" 2>&1
  241. RESULT=$?
  242. cat "$client_out_file"
  243. remove_ready_file
  244. grep -F -e 'Session Ticket' "$client_out_file"
  245. session_ticket=$?
  246. # wait for the server to quit and write output
  247. wait $server_pid
  248. ed_srv_msg_cnt="$(grep -c -F -e 'Early Data Client message' "$server_out_file")"
  249. ed_srv_status_cnt="$(grep -c -F -e 'Early Data was' "$server_out_file")"
  250. echo "earlydata: session_ticket=${session_ticket} ed_srv_msg_cnt=${ed_srv_msg_cnt} ed_srv_status_cnt=${ed_srv_status_cnt}"
  251. if [ $session_ticket -eq 0 -a $ed_srv_msg_cnt -ne 2 \
  252. -a $ed_srv_status_cnt -ne 2 ]; then
  253. RESULT=1
  254. fi
  255. if [ $RESULT -ne 0 ]; then
  256. echo -e "\n\nIssue with TLS v1.3 Early Data - session ticket"
  257. if [ $early_data_try_num -lt $early_data_try_max ]; then
  258. echo -e "retry #${early_data_try_num}...\n"
  259. : $((++early_data_try_num))
  260. continue
  261. fi
  262. do_cleanup
  263. exit 1
  264. fi
  265. do_cleanup
  266. break
  267. done
  268. echo ""
  269. fi
  270. if [ "$early_data" = "yes" -a "$psk" = "yes" ]; then
  271. echo -e "\n\nTLS v1.3 Early Data - PSK"
  272. port=0
  273. early_data_try_num=1
  274. while :; do
  275. (./examples/server/server -v 4 -s -0 -R "$ready_file" -p $port 2>&1 | \
  276. tee "$server_out_file") &
  277. server_pid=$!
  278. create_port
  279. ./examples/client/client -v 4 -s -0 -p $port
  280. RESULT=$?
  281. remove_ready_file
  282. # wait for the server to quit and write output
  283. wait $server_pid
  284. ed_srv_msg_cnt="$(grep -c -F -e 'Early Data Client message' "$server_out_file")"
  285. ed_srv_status_cnt="$(grep -c -F -e 'Early Data was' "$server_out_file")"
  286. echo "PSK earlydata: ed_srv_msg_cnt=${ed_srv_msg_cnt} ed_srv_status_cnt=${ed_srv_status_cnt}"
  287. if [ $ed_srv_msg_cnt -ne 2 -a $ed_srv_status_cnt -ne 1 ]; then
  288. echo
  289. echo "Server out file"
  290. cat "$server_out_file"
  291. echo
  292. echo "Found lines"
  293. grep -F -e 'Early Data' "$server_out_file"
  294. echo -e "\n\nUnexpected 'Early Data' lines."
  295. RESULT=1
  296. fi
  297. if [ $RESULT -ne 0 ]; then
  298. echo -e "\n\nIssue with TLS v1.3 Early Data - PSK"
  299. if [ $early_data_try_num -lt $early_data_try_max ]; then
  300. echo -e "retry #${early_data_try_num}...\n"
  301. : $((++early_data_try_num))
  302. continue
  303. fi
  304. do_cleanup
  305. exit 1
  306. fi
  307. break
  308. done
  309. else
  310. echo "Early Data not available"
  311. fi
  312. do_cleanup
  313. echo -e "\nALL Tests Passed"
  314. exit 0