OVMS3/OVMS.V3/components/wolfssl/scripts/tls13.test

#!/bin/sh

# tls13.test
# copyright wolfSSL 2016

# if we can, isolate the network namespace to eliminate port collisions.
if [ "${AM_BWRAPPED-}" != "yes" ]; then
    bwrap_path="$(command -v bwrap)"
    if [ -n "$bwrap_path" ]; then
        export AM_BWRAPPED=yes
        exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
    fi
    unset AM_BWRAPPED
fi

# getting unique port is modeled after resume.test script
# need a unique port since may run the same time as testsuite
# use server port zero hack to get one
port=0
no_pid=-1
server_pid=$no_pid
counter=0
# let's use absolute path to a local dir (make distcheck may be in sub dir)
# also let's add some randomness by adding pid in case multiple 'make check's
# per source tree
ready_file=`pwd`/wolfssl_tls13_ready$$
client_file=`pwd`/wolfssl_tls13_client$$
# Server output
server_out_file=`pwd`/wolfssl_tls13_server_out$$
# Client output
client_out_file=`pwd`/wolfssl_tls13_client_out$$

echo "ready file $ready_file"

create_port() {
    while [ ! -s $ready_file ]; do
        if [ "$counter" -gt 50 ]; then
            break
        fi
        echo -e "waiting for ready file..."
        sleep 0.1
        counter=$((counter+ 1))
    done

    if [ -e $ready_file ]; then
        echo -e "found ready file, starting client..."

        # sleep for an additional 0.1 to mitigate race on write/read of $ready_file:
        sleep 0.1

        # get created port 0 ephemeral port
        port=`cat $ready_file`
    else
        echo -e "NO ready file ending test..."
        do_cleanup
    fi
}

remove_ready_file() {
    if [ -e $ready_file ]; then
        echo -e "removing existing ready file"
        rm $ready_file
    fi
}

do_cleanup() {
    echo "in cleanup"

    if  [ $server_pid != $no_pid ]
    then
        echo "killing server"
        kill -9 $server_pid
        server_pid=$no_pid
    fi
    remove_ready_file
    if [ -e $client_file ]; then
        echo -e "removing existing client file"
        rm $client_file
    fi
    if [ -e $server_out_file ]; then
        echo -e "removing existing server output file"
        rm $server_out_file
    fi
    if [ -e $client_out_file ]; then
        echo -e "removing existing client output file"
        rm $client_out_file
    fi
}

do_trap() {
    echo "got trap"
    do_cleanup
    exit -1
}

trap do_trap INT TERM

[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
./examples/client/client '-?' 2>&1 | grep -- 'Client not compiled in!'
if [ $? -eq 0 ]; then
    exit 0
fi
./examples/server/server '-?' 2>&1 | grep -- 'Server not compiled in!'
if [ $? -eq 0 ]; then
    exit 0
fi

# Usual TLS v1.3 server / TLS v1.3 client.
echo -e "\n\nTLS v1.3 server with TLS v1.3 client"
port=0
./examples/server/server -v 4 -R $ready_file -p $port &
server_pid=$!
create_port
./examples/client/client -v 4 -p $port | tee $client_file
RESULT=$?
remove_ready_file
if [ $RESULT -ne 0 ]; then
    echo -e "\n\nTLS v1.3 not enabled"
    do_cleanup
    exit 1
fi
echo ""

# TLS 1.3 cipher suites server / client.
echo -e "\n\nTLS v1.3 cipher suite mismatch"
port=0
./examples/server/server -v 4 -R $ready_file -p $port -l TLS13-CHACHA20-POLY1305-SHA256 &
server_pid=$!
create_port
./examples/client/client -v 4 -p $port -l TLS13-AES256-GCM-SHA384
RESULT=$?
remove_ready_file
if [ $RESULT -eq 0 ]; then
    echo -e "\n\nIssue with mismatched TLS v1.3 cipher suites"
    do_cleanup
    exit 1
fi
do_cleanup
echo ""

cat ./wolfssl/options.h | grep -- 'NO_CERTS'
NO_CERTS=$?
cat ./wolfssl/options.h | grep -- 'WOLFSSL_NO_CLIENT_AUTH'
NO_CLIENT_AUTH=$?
if [ $NO_CERTS -ne 0 -a $NO_CLIENT_AUTH -ne 0 ]; then
    # TLS 1.3 mutual auth required but client doesn't send certificates.
    echo -e "\n\nTLS v1.3 mutual auth fail"
    port=0
    ./examples/server/server -v 4 -F -R $ready_file -p $port &
    server_pid=$!
    create_port
    ./examples/client/client -v 4 -x -p $port
    RESULT=$?
    remove_ready_file
    if [ $RESULT -eq 0 ]; then
        echo -e "\n\nIssue with requiring mutual authentication"
        do_cleanup
        exit 1
    fi
    do_cleanup
    echo ""
fi

# Check for TLS 1.2 support
./examples/client/client -v 3 2>&1 | grep -- 'Bad SSL version'
if [ $? -ne 0 ]; then
    # TLS 1.3 server / TLS 1.2 client.
    echo -e "\n\nTLS v1.3 server downgrading to TLS v1.2"
    port=0
    ./examples/server/server -v 4 -R $ready_file -p $port &
    server_pid=$!
    create_port
    ./examples/client/client -v 3 -p $port
    RESULT=$?
    remove_ready_file
    if [ $RESULT -eq 0 ]; then
        echo -e "\n\nIssue with TLS v1.3 server downgrading to TLS v1.2"
        do_cleanup
        exit 1
    fi
    do_cleanup
    echo ""

    # TLS 1.2 server / TLS 1.3 client.
    echo -e "\n\nTLS v1.3 client upgrading server to TLS v1.3"
    port=0
    ./examples/server/server -v 3 -R $ready_file -p $port &
    server_pid=$!
    create_port
    ./examples/client/client -v 4 -p $port
    RESULT=$?
    remove_ready_file
    if [ $RESULT -eq 0 ]; then
        echo -e "\n\nIssue with TLS v1.3 client upgrading server to TLS v1.3"
        do_cleanup
        exit 1
    fi
    do_cleanup
    echo ""

    echo "Find usable TLS 1.2 cipher suite"
    for CS in ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256
    do
        echo $CS
        ./examples/client/client -e | grep $CS >/dev/null
        if [ "$?" = "0" ]; then
            TLS12_CS=$CS
            break
        fi
        do_cleanup
    done
    if [ "$TLS12_CS" != "" ]; then
        # TLS 1.3 downgrade server and client - no common TLS 1.3 ciphers
        echo -e "\n\nTLS v1.3 downgrade server and client - no common TLS 1.3 ciphers"
        port=0
        SERVER_CS="TLS13-AES256-GCM-SHA384:$TLS12_CS"
        CLIENT_CS="TLS13-AES128-GCM-SHA256:$TLS12_CS"
        ./examples/server/server -v d -l $SERVER_CS -R $ready_file -p $port &
        server_pid=$!
        create_port
        ./examples/client/client -v d -l $CLIENT_CS -p $port
        RESULT=$?
        remove_ready_file
        if [ $RESULT -eq 0 ]; then
            echo -e "\n\nTLS v1.3 downgrading to TLS v1.2 due to ciphers"
            do_cleanup
            exit 1
        fi
        do_cleanup
        echo ""
    else
        echo "No usable TLS 1.2 cipher suite found"
    fi
fi

# Check for EarlyData support
./examples/client/client -? 2>&1 | grep -- 'Early data'
if [ $? -eq 0 ]; then
    early_data=yes
fi
./examples/client/client -? 2>&1 | grep -- 'Shared keys'
if [ $? -eq 0 ]; then
    psk=yes
fi

if [ "$early_data" = "yes" ]; then
    echo -e "\n\nTLS v1.3 Early Data - session ticket"
    port=0
    (./examples/server/server -v 4 -r -0 -R $ready_file -p $port 2>&1 | \
            tee $server_out_file) &
    server_pid=$!
    create_port
    ./examples/client/client -v 4 -r -0 -p $port 2>&1 >$client_out_file
    RESULT=$?
    cat $client_out_file
    remove_ready_file
    grep 'Session Ticket' $client_out_file
    session_ticket=$?
    early_data_cnt=`grep 'Early Data' $server_out_file | wc -l`
    if [ $session_ticket -eq 0 -a $early_data_cnt -ne 2 ]; then
        RESULT=1
    fi
    if [ $RESULT -ne 0 ]; then
        echo -e "\n\nIssue with TLS v1.3 Early Data - session ticket"
        do_cleanup
        exit 1
    fi
    do_cleanup
    echo ""
fi

if [ "$early_data" = "yes" -a "$psk" = "yes" ]; then
    echo -e "\n\nTLS v1.3 Early Data - PSK"
    port=0
    (./examples/server/server -v 4 -s -0 -R $ready_file -p $port 2>&1 | \
            tee $server_out_file) &
    server_pid=$!
    create_port
    ./examples/client/client -v 4 -s -0 -p $port
    RESULT=$?
    remove_ready_file
    early_data_cnt=`grep 'Early Data' $server_out_file | wc -l`
    if [ $early_data_cnt -ne 2 -a $early_data_cnt -ne 4 ]; then
        RESULT=1
    fi
    if [ $RESULT -ne 0 ]; then
        echo -e "\n\nIssue with TLS v1.3 Early Data - session ticket"
        do_cleanup
        exit 1
    fi
else
    echo "Early Data not available"
fi

do_cleanup

echo -e "\nALL Tests Passed"

exit 0
Initial commit, fork from original Project 2022-04-05 22:04:46 +00:00			`#!/bin/sh`

			`# tls13.test`
			`# copyright wolfSSL 2016`

			`# if we can, isolate the network namespace to eliminate port collisions.`
			`if [ "${AM_BWRAPPED-}" != "yes" ]; then`
			`bwrap_path="$(command -v bwrap)"`
			`if [ -n "$bwrap_path" ]; then`
			`export AM_BWRAPPED=yes`
			`exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"`
			`fi`
			`unset AM_BWRAPPED`
			`fi`

			`# getting unique port is modeled after resume.test script`
			`# need a unique port since may run the same time as testsuite`
			`# use server port zero hack to get one`
			`port=0`
			`no_pid=-1`
			`server_pid=$no_pid`
			`counter=0`
			`# let's use absolute path to a local dir (make distcheck may be in sub dir)`
			`# also let's add some randomness by adding pid in case multiple 'make check's`
			`# per source tree`
			ready_file=`pwd`/wolfssl_tls13_ready$$
			client_file=`pwd`/wolfssl_tls13_client$$
			`# Server output`
			server_out_file=`pwd`/wolfssl_tls13_server_out$$
			`# Client output`
			client_out_file=`pwd`/wolfssl_tls13_client_out$$

			`echo "ready file $ready_file"`

			`create_port() {`
			`while [ ! -s $ready_file ]; do`
			`if [ "$counter" -gt 50 ]; then`
			`break`
			`fi`
			`echo -e "waiting for ready file..."`
			`sleep 0.1`
			`counter=$((counter+ 1))`
			`done`

			`if [ -e $ready_file ]; then`
			`echo -e "found ready file, starting client..."`

			`# sleep for an additional 0.1 to mitigate race on write/read of $ready_file:`
			`sleep 0.1`

			`# get created port 0 ephemeral port`
			port=`cat $ready_file`
			`else`
			`echo -e "NO ready file ending test..."`
			`do_cleanup`
			`fi`
			`}`

			`remove_ready_file() {`
			`if [ -e $ready_file ]; then`
			`echo -e "removing existing ready file"`
			`rm $ready_file`
			`fi`
			`}`

			`do_cleanup() {`
			`echo "in cleanup"`

			`if [ $server_pid != $no_pid ]`
			`then`
			`echo "killing server"`
			`kill -9 $server_pid`
			`server_pid=$no_pid`
			`fi`
			`remove_ready_file`
			`if [ -e $client_file ]; then`
			`echo -e "removing existing client file"`
			`rm $client_file`
			`fi`
			`if [ -e $server_out_file ]; then`
			`echo -e "removing existing server output file"`
			`rm $server_out_file`
			`fi`
			`if [ -e $client_out_file ]; then`
			`echo -e "removing existing client output file"`
			`rm $client_out_file`
			`fi`
			`}`

			`do_trap() {`
			`echo "got trap"`
			`do_cleanup`
			`exit -1`
			`}`

			`trap do_trap INT TERM`

			`[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1`
			`./examples/client/client '-?' 2>&1 \| grep -- 'Client not compiled in!'`
			`if [ $? -eq 0 ]; then`
			`exit 0`
			`fi`
			`./examples/server/server '-?' 2>&1 \| grep -- 'Server not compiled in!'`
			`if [ $? -eq 0 ]; then`
			`exit 0`
			`fi`

			`# Usual TLS v1.3 server / TLS v1.3 client.`
			`echo -e "\n\nTLS v1.3 server with TLS v1.3 client"`
			`port=0`
			`./examples/server/server -v 4 -R $ready_file -p $port &`
			`server_pid=$!`
			`create_port`
			`./examples/client/client -v 4 -p $port \| tee $client_file`
			`RESULT=$?`
			`remove_ready_file`
			`if [ $RESULT -ne 0 ]; then`
			`echo -e "\n\nTLS v1.3 not enabled"`
			`do_cleanup`
			`exit 1`
			`fi`
			`echo ""`

			`# TLS 1.3 cipher suites server / client.`
			`echo -e "\n\nTLS v1.3 cipher suite mismatch"`
			`port=0`
			`./examples/server/server -v 4 -R $ready_file -p $port -l TLS13-CHACHA20-POLY1305-SHA256 &`
			`server_pid=$!`
			`create_port`
			`./examples/client/client -v 4 -p $port -l TLS13-AES256-GCM-SHA384`
			`RESULT=$?`
			`remove_ready_file`
			`if [ $RESULT -eq 0 ]; then`
			`echo -e "\n\nIssue with mismatched TLS v1.3 cipher suites"`
			`do_cleanup`
			`exit 1`
			`fi`
			`do_cleanup`
			`echo ""`

			`cat ./wolfssl/options.h \| grep -- 'NO_CERTS'`
			`NO_CERTS=$?`
			`cat ./wolfssl/options.h \| grep -- 'WOLFSSL_NO_CLIENT_AUTH'`
			`NO_CLIENT_AUTH=$?`
			`if [ $NO_CERTS -ne 0 -a $NO_CLIENT_AUTH -ne 0 ]; then`
			`# TLS 1.3 mutual auth required but client doesn't send certificates.`
			`echo -e "\n\nTLS v1.3 mutual auth fail"`
			`port=0`
			`./examples/server/server -v 4 -F -R $ready_file -p $port &`
			`server_pid=$!`
			`create_port`
			`./examples/client/client -v 4 -x -p $port`
			`RESULT=$?`
			`remove_ready_file`
			`if [ $RESULT -eq 0 ]; then`
			`echo -e "\n\nIssue with requiring mutual authentication"`
			`do_cleanup`
			`exit 1`
			`fi`
			`do_cleanup`
			`echo ""`
			`fi`

			`# Check for TLS 1.2 support`
			`./examples/client/client -v 3 2>&1 \| grep -- 'Bad SSL version'`
			`if [ $? -ne 0 ]; then`
			`# TLS 1.3 server / TLS 1.2 client.`
			`echo -e "\n\nTLS v1.3 server downgrading to TLS v1.2"`
			`port=0`
			`./examples/server/server -v 4 -R $ready_file -p $port &`
			`server_pid=$!`
			`create_port`
			`./examples/client/client -v 3 -p $port`
			`RESULT=$?`
			`remove_ready_file`
			`if [ $RESULT -eq 0 ]; then`
			`echo -e "\n\nIssue with TLS v1.3 server downgrading to TLS v1.2"`
			`do_cleanup`
			`exit 1`
			`fi`
			`do_cleanup`
			`echo ""`

			`# TLS 1.2 server / TLS 1.3 client.`
			`echo -e "\n\nTLS v1.3 client upgrading server to TLS v1.3"`
			`port=0`
			`./examples/server/server -v 3 -R $ready_file -p $port &`
			`server_pid=$!`
			`create_port`
			`./examples/client/client -v 4 -p $port`
			`RESULT=$?`
			`remove_ready_file`
			`if [ $RESULT -eq 0 ]; then`
			`echo -e "\n\nIssue with TLS v1.3 client upgrading server to TLS v1.3"`
			`do_cleanup`
			`exit 1`
			`fi`
			`do_cleanup`
			`echo ""`

			`echo "Find usable TLS 1.2 cipher suite"`
			`for CS in ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256`
			`do`
			`echo $CS`
			`./examples/client/client -e \| grep $CS >/dev/null`
			`if [ "$?" = "0" ]; then`
			`TLS12_CS=$CS`
			`break`
			`fi`
			`do_cleanup`
			`done`
			`if [ "$TLS12_CS" != "" ]; then`
			`# TLS 1.3 downgrade server and client - no common TLS 1.3 ciphers`
			`echo -e "\n\nTLS v1.3 downgrade server and client - no common TLS 1.3 ciphers"`
			`port=0`
			`SERVER_CS="TLS13-AES256-GCM-SHA384:$TLS12_CS"`
			`CLIENT_CS="TLS13-AES128-GCM-SHA256:$TLS12_CS"`
			`./examples/server/server -v d -l $SERVER_CS -R $ready_file -p $port &`
			`server_pid=$!`
			`create_port`
			`./examples/client/client -v d -l $CLIENT_CS -p $port`
			`RESULT=$?`
			`remove_ready_file`
			`if [ $RESULT -eq 0 ]; then`
			`echo -e "\n\nTLS v1.3 downgrading to TLS v1.2 due to ciphers"`
			`do_cleanup`
			`exit 1`
			`fi`
			`do_cleanup`
			`echo ""`
			`else`
			`echo "No usable TLS 1.2 cipher suite found"`
			`fi`
			`fi`

			`# Check for EarlyData support`
			`./examples/client/client -? 2>&1 \| grep -- 'Early data'`
			`if [ $? -eq 0 ]; then`
			`early_data=yes`
			`fi`
			`./examples/client/client -? 2>&1 \| grep -- 'Shared keys'`
			`if [ $? -eq 0 ]; then`
			`psk=yes`
			`fi`

			`if [ "$early_data" = "yes" ]; then`
			`echo -e "\n\nTLS v1.3 Early Data - session ticket"`
			`port=0`
			`(./examples/server/server -v 4 -r -0 -R $ready_file -p $port 2>&1 \| \`
			`tee $server_out_file) &`
			`server_pid=$!`
			`create_port`
			`./examples/client/client -v 4 -r -0 -p $port 2>&1 >$client_out_file`
			`RESULT=$?`
			`cat $client_out_file`
			`remove_ready_file`
			`grep 'Session Ticket' $client_out_file`
			`session_ticket=$?`
			early_data_cnt=`grep 'Early Data' $server_out_file \| wc -l`
			`if [ $session_ticket -eq 0 -a $early_data_cnt -ne 2 ]; then`
			`RESULT=1`
			`fi`
			`if [ $RESULT -ne 0 ]; then`
			`echo -e "\n\nIssue with TLS v1.3 Early Data - session ticket"`
			`do_cleanup`
			`exit 1`
			`fi`
			`do_cleanup`
			`echo ""`
			`fi`

			`if [ "$early_data" = "yes" -a "$psk" = "yes" ]; then`
			`echo -e "\n\nTLS v1.3 Early Data - PSK"`
			`port=0`
			`(./examples/server/server -v 4 -s -0 -R $ready_file -p $port 2>&1 \| \`
			`tee $server_out_file) &`
			`server_pid=$!`
			`create_port`
			`./examples/client/client -v 4 -s -0 -p $port`
			`RESULT=$?`
			`remove_ready_file`
			early_data_cnt=`grep 'Early Data' $server_out_file \| wc -l`
			`if [ $early_data_cnt -ne 2 -a $early_data_cnt -ne 4 ]; then`
			`RESULT=1`
			`fi`
			`if [ $RESULT -ne 0 ]; then`
			`echo -e "\n\nIssue with TLS v1.3 Early Data - session ticket"`
			`do_cleanup`
			`exit 1`
			`fi`
			`else`
			`echo "Early Data not available"`
			`fi`

			`do_cleanup`

			`echo -e "\nALL Tests Passed"`

			`exit 0`