1
0

tls13.test 14 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543
  1. #!/bin/sh
  2. # tls13.test
  3. # copyright wolfSSL 2016
  4. # getting unique port is modeled after resume.test script
  5. # need a unique port since may run the same time as testsuite
  6. # use server port zero hack to get one
  7. port=0
  8. no_pid=-1
  9. server_pid=$no_pid
  10. counter=0
  11. # let's use absolute path to a local dir (make distcheck may be in sub dir)
  12. # also let's add some randomness by adding pid in case multiple 'make check's
  13. # per source tree
  14. ready_file=`pwd`/wolfssl_tls13_ready$$
  15. echo "ready file $ready_file"
  16. create_port() {
  17. while [ ! -s $ready_file ]; do
  18. if [ -a "$counter" -gt 50 ]; then
  19. break
  20. fi
  21. echo -e "waiting for ready file..."
  22. sleep 0.1
  23. counter=$((counter+ 1))
  24. done
  25. if [ -e $ready_file ]; then
  26. echo -e "found ready file, starting client..."
  27. # get created port 0 ephemeral port
  28. port=`cat $ready_file`
  29. else
  30. echo -e "NO ready file ending test..."
  31. do_cleanup
  32. fi
  33. }
  34. remove_ready_file() {
  35. if [ -e $ready_file ]; then
  36. echo -e "removing existing ready file"
  37. rm $ready_file
  38. fi
  39. }
  40. do_cleanup() {
  41. echo "in cleanup"
  42. if [ $server_pid != $no_pid ]
  43. then
  44. echo "killing server"
  45. kill -9 $server_pid
  46. fi
  47. remove_ready_file
  48. }
  49. do_trap() {
  50. echo "got trap"
  51. do_cleanup
  52. exit -1
  53. }
  54. trap do_trap INT TERM
  55. [ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
  56. # Usual TLS v1.3 server / TLS v1.3 client.
  57. echo -e "\n\nTLS v1.3 server with TLS v1.3 client"
  58. port=0
  59. ./examples/server/server -v 4 -R $ready_file -p $port &
  60. server_pid=$!
  61. create_port
  62. ./examples/client/client -v 4 -p $port
  63. RESULT=$?
  64. remove_ready_file
  65. if [ $RESULT -ne 0 ]; then
  66. echo -e "\n\nTLS v1.3 not enabled"
  67. do_cleanup
  68. exit 1
  69. fi
  70. echo ""
  71. # Usual TLS v1.3 server / TLS v1.3 client - fragment.
  72. echo -e "\n\nTLS v1.3 server with TLS v1.3 client - fragment"
  73. port=0
  74. ./examples/server/server -v 4 -R $ready_file -p $port &
  75. server_pid=$!
  76. create_port
  77. ./examples/client/client -v 4 -F 1 -p $port
  78. RESULT=$?
  79. remove_ready_file
  80. if [ $RESULT -ne 0 ]; then
  81. echo -e "\n\nTLS v1.3 and fragments not working"
  82. do_cleanup
  83. exit 1
  84. fi
  85. echo ""
  86. # Use HelloRetryRequest with TLS v1.3 server / TLS v1.3 client.
  87. echo -e "\n\nTLS v1.3 HelloRetryRequest"
  88. port=0
  89. ./examples/server/server -v 4 -R $ready_file -p $port &
  90. server_pid=$!
  91. create_port
  92. ./examples/client/client -v 4 -J -p $port
  93. RESULT=$?
  94. remove_ready_file
  95. if [ $RESULT -ne 0 ]; then
  96. echo -e "\n\nTLS v1.3 HelloRetryRequest not working"
  97. do_cleanup
  98. exit 1
  99. fi
  100. echo ""
  101. # Use HelloRetryRequest with TLS v1.3 server / TLS v1.3 client using cookie
  102. echo -e "\n\nTLS v1.3 HelloRetryRequest with cookie"
  103. port=0
  104. ./examples/server/server -v 4 -J -R $ready_file -p $port &
  105. server_pid=$!
  106. create_port
  107. ./examples/client/client -v 4 -J -p $port
  108. RESULT=$?
  109. remove_ready_file
  110. if [ $RESULT -ne 0 ]; then
  111. echo -e "\n\nTLS v1.3 HelloRetryRequest with cookie not working"
  112. do_cleanup
  113. exit 1
  114. fi
  115. echo ""
  116. # Use HelloRetryRequest with TLS v1.3 server / TLS v1.3 client - SHA384.
  117. echo -e "\n\nTLS v1.3 HelloRetryRequest - SHA384"
  118. port=0
  119. ./examples/server/server -v 4 -l TLS13-AES256-GCM-SHA384 -R $ready_file -p $port &
  120. server_pid=$!
  121. create_port
  122. ./examples/client/client -v 4 -J -p $port
  123. RESULT=$?
  124. remove_ready_file
  125. if [ $RESULT -ne 0 ]; then
  126. echo -e "\n\nTLS v1.3 HelloRetryRequest with SHA384 not working"
  127. do_cleanup
  128. exit 1
  129. fi
  130. echo ""
  131. # Resumption TLS v1.3 server / TLS v1.3 client.
  132. echo -e "\n\nTLS v1.3 resumption"
  133. port=0
  134. ./examples/server/server -v 4 -r -R $ready_file -p $port &
  135. server_pid=$!
  136. create_port
  137. ./examples/client/client -v 4 -r -p $port
  138. RESULT=$?
  139. remove_ready_file
  140. if [ $RESULT -ne 0 ]; then
  141. echo -e "\n\nTLS v1.3 resumption not working"
  142. do_cleanup
  143. exit 1
  144. fi
  145. echo ""
  146. # Resumption TLS v1.3 server / TLS v1.3 client - SHA384
  147. echo -e "\n\nTLS v1.3 resumption - SHA384"
  148. port=0
  149. ./examples/server/server -v 4 -l TLS13-AES256-GCM-SHA384 -r -R $ready_file -p $port &
  150. server_pid=$!
  151. create_port
  152. ./examples/client/client -v 4 -l TLS13-AES256-GCM-SHA384 -r -p $port
  153. RESULT=$?
  154. remove_ready_file
  155. if [ $RESULT -ne 0 ]; then
  156. echo -e "\n\nTLS v1.3 resumption with SHA384 not working"
  157. do_cleanup
  158. exit 1
  159. fi
  160. echo ""
  161. ./examples/client/client -v 4 -e 2>&1 | grep -- '-ECC'
  162. if [ $? -eq 0 ]; then
  163. # Usual TLS v1.3 server / TLS v1.3 client and ECC certificates.
  164. echo -e "\n\nTLS v1.3 server with TLS v1.3 client - ECC certificates"
  165. port=0
  166. ./examples/server/server -v 4 -A certs/client-ecc-cert.pem -c certs/server-ecc.pem -k certs/ecc-key.pem -R $ready_file -p $port &
  167. server_pid=$!
  168. create_port
  169. ./examples/client/client -v 4 -A certs/ca-ecc-cert.pem -c certs/client-ecc-cert.pem -k certs/ecc-client-key.pem -p $port
  170. RESULT=$?
  171. remove_ready_file
  172. if [ $RESULT -ne 0 ]; then
  173. echo -e "\n\nTLS v1.3 ECC certificates not working"
  174. do_cleanup
  175. exit 1
  176. fi
  177. echo ""
  178. fi
  179. # Usual TLS v1.3 server / TLS v1.3 client and no client certificate.
  180. echo -e "\n\nTLS v1.3 server with TLS v1.3 client - no client cretificate"
  181. port=0
  182. ./examples/server/server -v 4 -R $ready_file -p $port &
  183. server_pid=$!
  184. create_port
  185. ./examples/client/client -v 4 -x -p $port
  186. RESULT=$?
  187. remove_ready_file
  188. if [ $RESULT -ne 0 ]; then
  189. echo -e "\n\nTLS v1.3 and no client certificate not working"
  190. do_cleanup
  191. exit 1
  192. fi
  193. echo ""
  194. # Usual TLS v1.3 server / TLS v1.3 client and DH Key.
  195. echo -e "\n\nTLS v1.3 server with TLS v1.3 client - DH Key Exchange"
  196. port=0
  197. ./examples/server/server -v 4 -R $ready_file -p $port &
  198. server_pid=$!
  199. create_port
  200. ./examples/client/client -v 4 -y -p $port
  201. RESULT=$?
  202. remove_ready_file
  203. if [ $RESULT -ne 0 ]; then
  204. echo -e "\n\nTLS v1.3 DH Key Exchange not working"
  205. do_cleanup
  206. exit 1
  207. fi
  208. echo ""
  209. # Usual TLS v1.3 server / TLS v1.3 client and ECC Key.
  210. echo -e "\n\nTLS v1.3 server with TLS v1.3 client - ECC Key Exchange"
  211. port=0
  212. ./examples/server/server -v 4 -R $ready_file -p $port &
  213. server_pid=$!
  214. create_port
  215. ./examples/client/client -v 4 -Y -p $port
  216. RESULT=$?
  217. remove_ready_file
  218. if [ $RESULT -ne 0 ]; then
  219. echo -e "\n\nTLS v1.3 ECDH Key Exchange not working"
  220. do_cleanup
  221. exit 1
  222. fi
  223. echo ""
  224. # TLS 1.3 cipher suites server / client.
  225. echo -e "\n\nOnly TLS v1.3 cipher suites"
  226. port=0
  227. ./examples/server/server -v 4 -R $ready_file -p $port -l TLS13-AES128-GCM-SHA256:TLS13-AES256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES128-CCM-SHA256:TLS13-AES128-CCM-8-SHA256 &
  228. server_pid=$!
  229. create_port
  230. ./examples/client/client -v 4 -p $port
  231. RESULT=$?
  232. remove_ready_file
  233. if [ $RESULT -ne 0 ]; then
  234. echo -e "\n\nIssue with TLS v1.3 cipher suites - only TLS v1.3"
  235. do_cleanup
  236. exit 1
  237. fi
  238. echo ""
  239. # TLS 1.3 cipher suites server / client.
  240. echo -e "\n\nOnly TLS v1.3 cipher suite - AES128-GCM SHA-256"
  241. port=0
  242. ./examples/server/server -v 4 -R $ready_file -p $port -l TLS13-AES128-GCM-SHA256 &
  243. server_pid=$!
  244. create_port
  245. ./examples/client/client -v 4 -p $port
  246. RESULT=$?
  247. remove_ready_file
  248. if [ $RESULT -ne 0 ]; then
  249. echo -e "\n\nIssue with TLS v1.3 cipher suites - AES128-GCM SHA-256"
  250. do_cleanup
  251. exit 1
  252. fi
  253. echo ""
  254. # TLS 1.3 cipher suites server / client.
  255. echo -e "\n\nOnly TLS v1.3 cipher suite - AES256-GCM SHA-384"
  256. port=0
  257. ./examples/server/server -v 4 -R $ready_file -p $port -l TLS13-AES256-GCM-SHA384 &
  258. server_pid=$!
  259. create_port
  260. ./examples/client/client -v 4 -p $port
  261. RESULT=$?
  262. remove_ready_file
  263. if [ $RESULT -ne 0 ]; then
  264. echo -e "\n\nIssue with TLS v1.3 cipher suites - AES256-GCM SHA-384"
  265. do_cleanup
  266. exit 1
  267. fi
  268. echo ""
  269. # TLS 1.3 cipher suites server / client.
  270. echo -e "\n\nOnly TLS v1.3 cipher suite - CHACHA20-POLY1305 SHA-256"
  271. port=0
  272. ./examples/server/server -v 4 -R $ready_file -p $port -l TLS13-CHACHA20-POLY1305-SHA256 &
  273. server_pid=$!
  274. create_port
  275. ./examples/client/client -v 4 -p $port
  276. RESULT=$?
  277. remove_ready_file
  278. if [ $RESULT -ne 0 ]; then
  279. echo -e "\n\nIssue with TLS v1.3 cipher suites - CHACHA20-POLY1305 SHA-256"
  280. do_cleanup
  281. exit 1
  282. fi
  283. echo ""
  284. ./examples/client/client -v 4 -e 2>&1 | grep -- '-CCM'
  285. if [ $? -eq 0 ]; then
  286. # TLS 1.3 cipher suites server / client.
  287. echo -e "\n\nOnly TLS v1.3 cipher suite - AES128-CCM SHA-256"
  288. port=0
  289. ./examples/server/server -v 4 -R $ready_file -p $port -l TLS13-AES128-CCM-SHA256 &
  290. server_pid=$!
  291. create_port
  292. ./examples/client/client -v 4 -p $port
  293. RESULT=$?
  294. remove_ready_file
  295. if [ $RESULT -ne 0 ]; then
  296. echo -e "\n\nIssue with TLS v1.3 cipher suites - AES128-CCM SHA-256"
  297. do_cleanup
  298. exit 1
  299. fi
  300. echo ""
  301. # TLS 1.3 cipher suites server / client.
  302. echo -e "\n\nOnly TLS v1.3 cipher suite - AES128-CCM-8 SHA-256"
  303. port=0
  304. ./examples/server/server -v 4 -R $ready_file -p $port -l TLS13-AES128-CCM-8-SHA256 &
  305. server_pid=$!
  306. create_port
  307. ./examples/client/client -v 4 -p $port
  308. RESULT=$?
  309. remove_ready_file
  310. if [ $RESULT -ne 0 ]; then
  311. echo -e "\n\nIssue with TLS v1.3 cipher suites - AES128-CCM-8 SHA-256"
  312. do_cleanup
  313. exit 1
  314. fi
  315. echo ""
  316. fi
  317. # TLS 1.3 cipher suites server / client.
  318. echo -e "\n\nTLS v1.3 cipher suite mismatch"
  319. port=0
  320. ./examples/server/server -v 4 -R $ready_file -p $port -l TLS13-CHACHA20-POLY1305-SHA256 &
  321. server_pid=$!
  322. create_port
  323. ./examples/client/client -v 4 -p $port -l TLS13-AES256-GCM-SHA384
  324. RESULT=$?
  325. remove_ready_file
  326. if [ $RESULT -ne 1 ]; then
  327. echo -e "\n\nIssue with mismatched TLS v1.3 cipher suites"
  328. do_cleanup
  329. exit 1
  330. fi
  331. echo ""
  332. # TLS 1.3 server / TLS 1.2 client.
  333. echo -e "\n\nTLS v1.3 server downgrading to TLS v1.2"
  334. port=0
  335. ./examples/server/server -v 4 -R $ready_file -p $port &
  336. server_pid=$!
  337. create_port
  338. ./examples/client/client -v 3 -p $port
  339. RESULT=$?
  340. remove_ready_file
  341. if [ $RESULT -eq 0 ]; then
  342. echo -e "\n\nIssue with TLS v1.3 server downgrading to TLS v1.2"
  343. do_cleanup
  344. exit 1
  345. fi
  346. echo ""
  347. # TLS Downgrade server / TLS 1.2 client.
  348. echo -e "\n\nTLS server downgrading to TLS v1.2"
  349. port=0
  350. ./examples/server/server -v d -R $ready_file -p $port &
  351. server_pid=$!
  352. create_port
  353. ./examples/client/client -v 3 -p $port
  354. RESULT=$?
  355. remove_ready_file
  356. if [ $RESULT -ne 0 ]; then
  357. echo -e "\n\nIssue with TLS server downgrading to TLS v1.2"
  358. do_cleanup
  359. exit 1
  360. fi
  361. echo ""
  362. # TLS 1.2 server / TLS 1.3 client.
  363. echo -e "\n\nTLS v1.3 client upgrading server to TLS v1.3"
  364. port=0
  365. ./examples/server/server -v 3 -R $ready_file -p $port &
  366. server_pid=$!
  367. create_port
  368. ./examples/client/client -v 4 -p $port
  369. RESULT=$?
  370. remove_ready_file
  371. if [ $RESULT -eq 0 ]; then
  372. echo -e "\n\nIssue with TLS v1.3 client upgrading server to TLS v1.3"
  373. do_cleanup
  374. exit 1
  375. fi
  376. echo ""
  377. # TLS 1.2 server / TLS downgrade client.
  378. echo -e "\n\nTLS client downgrading to TLS v1.2"
  379. port=0
  380. ./examples/server/server -v 3 -R $ready_file -p $port &
  381. server_pid=$!
  382. create_port
  383. ./examples/client/client -v d -p $port
  384. RESULT=$?
  385. remove_ready_file
  386. if [ $RESULT -ne 0 ]; then
  387. echo -e "\n\nIssue with TLS client downgrading to TLS v1.2"
  388. do_cleanup
  389. exit 1
  390. fi
  391. echo ""
  392. # TLS Downgrade server / TLS Downgrade client.
  393. echo -e "\n\nTLS server and client able to downgrade but don't"
  394. port=0
  395. ./examples/server/server -v d -R $ready_file -p $port &
  396. server_pid=$!
  397. create_port
  398. ./examples/client/client -v d -p $port
  399. RESULT=$?
  400. remove_ready_file
  401. if [ $RESULT -ne 0 ]; then
  402. echo -e "\n\nIssue with TLS not downgrading"
  403. do_cleanup
  404. exit 1
  405. fi
  406. echo ""
  407. # TLS Downgrade server / TLS Downgrade client resumption.
  408. echo -e "\n\nTLS server and client able to downgrade but don't and resume"
  409. port=0
  410. ./examples/server/server -v d -r -R $ready_file -p $port &
  411. server_pid=$!
  412. create_port
  413. ./examples/client/client -v d -r -p $port
  414. RESULT=$?
  415. remove_ready_file
  416. if [ $RESULT -ne 0 ]; then
  417. echo -e "\n\nIssue with TLS not downgrading and resumption"
  418. do_cleanup
  419. exit 1
  420. fi
  421. echo ""
  422. # TLS Downgrade server / TLS 1.2 client and resume.
  423. echo -e "\n\nTLS server downgrade and resume"
  424. port=0
  425. ./examples/server/server -v d -r -R $ready_file -p $port &
  426. server_pid=$!
  427. create_port
  428. ./examples/client/client -v 3 -r -p $port
  429. RESULT=$?
  430. remove_ready_file
  431. if [ $RESULT -ne 0 ]; then
  432. echo -e "\n\nIssue with TLS server downgrading and resumption"
  433. do_cleanup
  434. exit 1
  435. fi
  436. echo ""
  437. # TLS 1.2 server / TLS downgrade client and resume.
  438. echo -e "\n\nTLS client downgrade and resume"
  439. port=0
  440. ./examples/server/server -v 3 -r -R $ready_file -p $port &
  441. server_pid=$!
  442. create_port
  443. ./examples/client/client -v d -r -p $port
  444. RESULT=$?
  445. remove_ready_file
  446. if [ $RESULT -ne 0 ]; then
  447. echo -e "\n\nIssue with TLS client downgrading and resumption"
  448. do_cleanup
  449. exit 1
  450. fi
  451. echo ""
  452. # TLS Downgrade server / TLS Downgrade client.
  453. # TLS 1.3 server / TLS 1.3 client send KeyUpdate before sending app data.
  454. echo -e "\n\nTLS v1.3 KeyUpdate"
  455. port=0
  456. ./examples/server/server -v 4 -U -R $ready_file -p $port &
  457. server_pid=$!
  458. create_port
  459. ./examples/client/client -v 4 -I -p $port
  460. RESULT=$?
  461. remove_ready_file
  462. if [ $RESULT -ne 0 ]; then
  463. echo -e "\n\nIssue with TLS v1.3 KeyUpdate"
  464. do_cleanup
  465. exit 1
  466. fi
  467. echo ""
  468. # TLS 1.3 server / TLS 1.3 client - don't use (EC)DHE with PSK.
  469. echo -e "\n\nTLS v1.3 PSK without (EC)DHE"
  470. port=0
  471. ./examples/server/server -v 4 -r -R $ready_file -p $port &
  472. server_pid=$!
  473. create_port
  474. ./examples/client/client -v 4 -r -K -p $port
  475. RESULT=$?
  476. remove_ready_file
  477. if [ $RESULT -ne 0 ]; then
  478. echo -e "\n\nIssue with TLS v1.3 PSK without (EC)DHE"
  479. do_cleanup
  480. exit 1
  481. fi
  482. echo ""
  483. # TLS 1.3 server / TLS 1.3 client and Post-Handshake Authentication.
  484. echo -e "\n\nTLS v1.3 Post-Handshake Authentication"
  485. port=0
  486. ./examples/server/server -v 4 -Q -R $ready_file -p $port &
  487. server_pid=$!
  488. create_port
  489. ./examples/client/client -v 4 -Q -p $port
  490. RESULT=$?
  491. remove_ready_file
  492. if [ $RESULT -ne 0 ]; then
  493. echo -e "\n\nIssue with TLS v1.3 Post-Handshake Auth"
  494. do_cleanup
  495. exit 1
  496. fi
  497. echo ""
  498. echo -e "\nALL Tests Passed"
  499. exit 0