392e09c474
Make sure the server is dead after each test. Client may not connect to server if cipher suite not supported and return error as expected.
207 lines
5.1 KiB
Bash
Executable File
207 lines
5.1 KiB
Bash
Executable File
#!/bin/sh
|
|
|
|
# tls13.test
|
|
# copyright wolfSSL 2016
|
|
|
|
# getting unique port is modeled after resume.test script
|
|
# need a unique port since may run the same time as testsuite
|
|
# use server port zero hack to get one
|
|
port=0
|
|
no_pid=-1
|
|
server_pid=$no_pid
|
|
counter=0
|
|
# let's use absolute path to a local dir (make distcheck may be in sub dir)
|
|
# also let's add some randomness by adding pid in case multiple 'make check's
|
|
# per source tree
|
|
ready_file=`pwd`/wolfssl_tls13_ready$$
|
|
client_file=`pwd`/wolfssl_tls13_client$$
|
|
|
|
echo "ready file $ready_file"
|
|
|
|
create_port() {
|
|
while [ ! -s $ready_file ]; do
|
|
if [ "$counter" -gt 50 ]; then
|
|
break
|
|
fi
|
|
echo -e "waiting for ready file..."
|
|
sleep 0.1
|
|
counter=$((counter+ 1))
|
|
done
|
|
|
|
if [ -e $ready_file ]; then
|
|
echo -e "found ready file, starting client..."
|
|
|
|
# get created port 0 ephemeral port
|
|
port=`cat $ready_file`
|
|
else
|
|
echo -e "NO ready file ending test..."
|
|
do_cleanup
|
|
fi
|
|
}
|
|
|
|
remove_ready_file() {
|
|
if [ -e $ready_file ]; then
|
|
echo -e "removing existing ready file"
|
|
rm $ready_file
|
|
fi
|
|
}
|
|
|
|
do_cleanup() {
|
|
echo "in cleanup"
|
|
|
|
if [ $server_pid != $no_pid ]
|
|
then
|
|
echo "killing server"
|
|
kill -9 $server_pid
|
|
fi
|
|
remove_ready_file
|
|
if [ -e $client_file ]; then
|
|
echo -e "removing existing client file"
|
|
rm $client_file
|
|
fi
|
|
}
|
|
|
|
do_trap() {
|
|
echo "got trap"
|
|
do_cleanup
|
|
exit -1
|
|
}
|
|
|
|
trap do_trap INT TERM
|
|
|
|
[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
|
|
./examples/client/client '-?' 2>&1 | grep -- 'Client not compiled in!'
|
|
if [ $? -eq 0 ]; then
|
|
exit 0
|
|
fi
|
|
./examples/server/server '-?' 2>&1 | grep -- 'Server not compiled in!'
|
|
if [ $? -eq 0 ]; then
|
|
exit 0
|
|
fi
|
|
|
|
# Usual TLS v1.3 server / TLS v1.3 client.
|
|
echo -e "\n\nTLS v1.3 server with TLS v1.3 client"
|
|
port=0
|
|
./examples/server/server -v 4 -R $ready_file -p $port &
|
|
server_pid=$!
|
|
create_port
|
|
./examples/client/client -v 4 -p $port | tee $client_file
|
|
RESULT=$?
|
|
remove_ready_file
|
|
if [ $RESULT -ne 0 ]; then
|
|
echo -e "\n\nTLS v1.3 not enabled"
|
|
do_cleanup
|
|
exit 1
|
|
fi
|
|
echo ""
|
|
|
|
# TLS 1.3 cipher suites server / client.
|
|
echo -e "\n\nTLS v1.3 cipher suite mismatch"
|
|
port=0
|
|
./examples/server/server -v 4 -R $ready_file -p $port -l TLS13-CHACHA20-POLY1305-SHA256 &
|
|
server_pid=$!
|
|
create_port
|
|
./examples/client/client -v 4 -p $port -l TLS13-AES256-GCM-SHA384
|
|
RESULT=$?
|
|
remove_ready_file
|
|
if [ $RESULT -eq 0 ]; then
|
|
echo -e "\n\nIssue with mismatched TLS v1.3 cipher suites"
|
|
exit 1
|
|
fi
|
|
do_cleanup
|
|
echo ""
|
|
|
|
cat ./wolfssl/options.h | grep -- 'NO_CERTS'
|
|
if [ $? -ne 0 ]; then
|
|
# TLS 1.3 mutual auth required but client doesn't send certificates.
|
|
echo -e "\n\nTLS v1.3 mutual auth fail"
|
|
port=0
|
|
./examples/server/server -v 4 -F -R $ready_file -p $port &
|
|
server_pid=$!
|
|
create_port
|
|
./examples/client/client -v 4 -x -p $port
|
|
RESULT=$?
|
|
remove_ready_file
|
|
if [ $RESULT -eq 0 ]; then
|
|
echo -e "\n\nIssue with requiring mutual authentication"
|
|
exit 1
|
|
fi
|
|
do_cleanup
|
|
echo ""
|
|
fi
|
|
|
|
./examples/client/client -v 3 2>&1 | grep -- 'Bad SSL version'
|
|
if [ $? -ne 0 ]; then
|
|
# TLS 1.3 server / TLS 1.2 client.
|
|
echo -e "\n\nTLS v1.3 server downgrading to TLS v1.2"
|
|
port=0
|
|
./examples/server/server -v 4 -R $ready_file -p $port &
|
|
server_pid=$!
|
|
create_port
|
|
./examples/client/client -v 3 -p $port
|
|
RESULT=$?
|
|
remove_ready_file
|
|
if [ $RESULT -eq 0 ]; then
|
|
echo -e "\n\nIssue with TLS v1.3 server downgrading to TLS v1.2"
|
|
exit 1
|
|
fi
|
|
do_cleanup
|
|
echo ""
|
|
|
|
# TLS 1.2 server / TLS 1.3 client.
|
|
echo -e "\n\nTLS v1.3 client upgrading server to TLS v1.3"
|
|
port=0
|
|
./examples/server/server -v 3 -R $ready_file -p $port &
|
|
server_pid=$!
|
|
create_port
|
|
./examples/client/client -v 4 -p $port
|
|
RESULT=$?
|
|
remove_ready_file
|
|
if [ $RESULT -eq 0 ]; then
|
|
echo -e "\n\nIssue with TLS v1.3 client upgrading server to TLS v1.3"
|
|
exit 1
|
|
fi
|
|
do_cleanup
|
|
echo ""
|
|
|
|
echo "Find usable TLS 1.2 cipher suite"
|
|
for CS in ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256
|
|
do
|
|
echo $CS
|
|
./examples/client/client -e | grep $CS >/dev/null
|
|
if [ "$?" = "0" ]; then
|
|
TLS12_CS=$CS
|
|
break
|
|
fi
|
|
do_cleanup
|
|
done
|
|
if [ "$TLS12_CS" != "" ]; then
|
|
# TLS 1.3 downgrade server and client - no common TLS 1.3 ciphers
|
|
echo -e "\n\nTLS v1.3 downgrade server and client - no common TLS 1.3 ciphers"
|
|
port=0
|
|
SERVER_CS="TLS13-AES256-GCM-SHA384:$TLS12_CS"
|
|
CLIENT_CS="TLS13-AES128-GCM-SHA256:$TLS12_CS"
|
|
./examples/server/server -v d -l $SERVER_CS -R $ready_file -p $port &
|
|
server_pid=$!
|
|
create_port
|
|
./examples/client/client -v d -l $CLIENT_CS -p $port
|
|
RESULT=$?
|
|
remove_ready_file
|
|
if [ $RESULT -eq 0 ]; then
|
|
echo -e "\n\nTLS v1.3 downgrading to TLS v1.2 due to ciphers"
|
|
exit 1
|
|
fi
|
|
do_cleanup
|
|
echo ""
|
|
else
|
|
echo "No usable TLS 1.2 cipher suite found"
|
|
fi
|
|
fi
|
|
|
|
do_cleanup
|
|
|
|
echo -e "\nALL Tests Passed"
|
|
|
|
exit 0
|
|
|