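#!/usr/bin/env bash

# openssl.test
#
# Interoperability test: runs the wolfSSL example client against OpenSSL
# s_server instances and the OpenSSL s_client against wolfSSL example servers,
# for every protocol version and cipher suite both sides report.
#
# Environment variables used:
#  OPENSSL                (openssl app to use)
#  OPENSSL_ENGINE_ID      (engine id if any i.e. "wolfengine")
#  WOLFSSL_OPENSSL_TEST   (must be non-empty, otherwise the test exits 77)
#  NETWORK_UNSHARE_HELPER (optional program used to re-exec this script)
#  NETWORK_UNSHARE_HELPER_CALLED, AM_BWRAPPED (re-exec guards set below)
#
# The servers started here deliberately accept weak settings
# ("ALL:eNULL", "@SECLEVEL=0", fixed PSK values) so that every suite can be
# exercised. These are test fixtures bound to localhost, not configuration
# to copy into a deployment.

CERT_DIR="$PWD/$(dirname "$0")/../certs"

# 77 is the exit status automake-style harnesses report as "skipped".
if ! test -n "$WOLFSSL_OPENSSL_TEST"; then
    echo "WOLFSSL_OPENSSL_TEST NOT set, won't run"
    exit 77
fi

# if we can, isolate the network namespace to eliminate port collisions.
# The *_CALLED / AM_BWRAPPED variables stop the re-exec from looping.
# Note that "--dev-bind / /" maps the whole host filesystem into the new
# namespace, so only the network is isolated; this is collision avoidance,
# not a sandbox for the binaries under test.
if [[ -n "$NETWORK_UNSHARE_HELPER" ]]; then
    if [[ -z "$NETWORK_UNSHARE_HELPER_CALLED" ]]; then
        export NETWORK_UNSHARE_HELPER_CALLED=yes
        exec "$NETWORK_UNSHARE_HELPER" "$0" "$@" || exit $?
    fi
elif [ "${AM_BWRAPPED-}" != "yes" ]; then
    bwrap_path="$(command -v bwrap)"
    if [ -n "$bwrap_path" ]; then
        export AM_BWRAPPED=yes
        exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
    fi
    unset AM_BWRAPPED
fi

echo "WOLFSSL_OPENSSL_TEST set, running test..."

# need a unique port since may run the same time as testsuite

# Track ports already assigned in this script run to prevent intra-run collisions
used_ports=()

generate_port() {
    #-------------------------------------------------------------------------#
    # Generate a random port number, guaranteed unique within this script run.
    # Checks both the intra-run used_ports list and system-level bound ports.
    #
    # Globals:  used_ports (read, appended), port (written), OSTYPE (read)
    # Exits:    1 on an unknown OS type or after 100 failed attempts
    #
    # The port is drawn from 49512..65534. The "is it bound?" check and the
    # later bind by the server are separate steps, so another process can
    # still take the port in between; the start_*_server functions cover
    # that case by retrying with a fresh port.
    #-------------------------------------------------------------------------#
    local attempts=0 collision p up
    while true; do
        if [[ "$OSTYPE" == "linux"* ]]; then
            p=$(($(od -An -N2 /dev/urandom) % (65535-49512) + 49512))
        elif [[ "$OSTYPE" == "darwin"* ]]; then
            p=$(($(od -An -N2 /dev/random) % (65535-49512) + 49512))
        else
            echo "Unknown OS TYPE"
            exit 1
        fi

        # Check against ports already assigned in this run
        collision=0
        for up in "${used_ports[@]}"; do
            if [ "$up" = "$p" ]; then
                collision=1
                break
            fi
        done

        # Also check if the port is already bound on this system
        # (skipped silently when neither ss nor netstat is installed)
        if [ "$collision" -eq 0 ]; then
            if command -v ss &>/dev/null; then
                ss -lnt 2>/dev/null | grep -q ":${p}[[:space:]]" && collision=1
            elif command -v netstat &>/dev/null; then
                netstat -lnt 2>/dev/null | grep -q ":${p}[[:space:]]" && collision=1
            fi
        fi

        [ "$collision" -eq 0 ] && break

        ((attempts++))
        if [ "$attempts" -ge 100 ]; then
            echo "ERROR: generate_port could not find a free port after 100 attempts"
            exit 1
        fi
    done
    port=$p
    used_ports+=("$p")
}

# Sentinel meaning "no server of this kind was started".
no_pid=-1
# Space-separated list of "name:pid:port" entries, consumed by do_cleanup
# and by the readiness check.
servers=""
openssl_pid=$no_pid
ecdh_openssl_pid=$no_pid
ecdsa_openssl_pid=$no_pid
ed25519_openssl_pid=$no_pid
ed448_openssl_pid=$no_pid
tls13_psk_openssl_pid=$no_pid
wolfssl_pid=$no_pid
ecdh_wolfssl_pid=$no_pid
ecdsa_wolfssl_pid=$no_pid
ed25519_wolfssl_pid=$no_pid
ed448_wolfssl_pid=$no_pid
tls13_psk_wolfssl_pid=$no_pid
anon_wolfssl_pid=$no_pid
wolf_cases_tested=0
wolf_cases_total=0
counter=0
wolfssl_no_resume=""
testing_summary="OpenSSL Interop Testing Summary:\nVersion\tTested\t#Found\t#wolf\t#Found\t#OpenSSL\n"
versionName="Invalid"
if [ "$OPENSSL" = "" ]; then
    OPENSSL=openssl
fi
WOLFSSL_SERVER=./examples/server/server
WOLFSSL_CLIENT=./examples/client/client

#
# Translate the wolfSSL version code in $version into a display name
# stored in $versionName. Codes not listed leave $versionName unchanged.
#
version_name() {
    case $version in
    "0")
        versionName="SSLv3"
        ;;
    "1")
        versionName="TLSv1"
        ;;
    "2")
        versionName="TLSv1.1"
        ;;
    "3")
        versionName="TLSv1.2"
        ;;
    "4")
        versionName="TLSv1.3"
        ;;
    "d")
        versionName="Down"
        ;;
    "")
        versionName="Def"
        ;;
    "5")
        versionName="ALL"
        ;;
    esac
}

#
# Kill every server recorded in $servers that is still alive.
# IFS is restored first because the main loop runs with IFS=":" while
# $servers is space-separated. Overwrites the globals pid and port.
#
do_cleanup() {
    echo "in cleanup"

    IFS=$OIFS #restore separator
    sleepseconds=1
    for s in $servers
    do
        # entry layout is name:pid:port
        f2=${s%:*}
        sname=${f2%:*}
        pid=${f2##*:}
        port=${s##*:}
        if kill -0 "$pid" 2>&-
        then
            # sleep to give sanitizers time to dump backtraces.
            # (only before the first kill; later iterations sleep 0)
            sleep "$sleepseconds"
            sleepseconds=0
            echo "killing server: $sname ($port)"
            kill -9 "$pid"
        fi
    done
}

# Signal handler: clean up the servers and report failure.
do_trap() {
    echo "got trap"
    do_cleanup
    exit 1
}

trap do_trap INT TERM

#
# Start an OpenSSL server
#
# Globals read:    wolfssl_client_avail, OPENSSL, OPENSSL_ENGINE_ID,
#                  openssl_suite, cert_file, key_file, ca_file, psk_hex,
#                  openssl_nodhe, CERT_DIR
# Globals written: server_port, server_pid, found_free_port, counter,
#                  openssl_engine_opt, OUTPUT, servers
# Retries up to 20 times with a new port when s_server does not stay up;
# exits 1 (after cleanup) when no attempt succeeds or the engine check fails.
#
start_openssl_server() {
    if [ "$wolfssl_client_avail" = "" ]
    then
        return
    fi

    generate_port
    server_port=$port
    found_free_port=0
    counter=0
    openssl_engine_opt=""

    # If OPENSSL_ENGINE_ID has been set then check that the desired engine can
    # be loaded successfully and error out if not. Otherwise the OpenSSL app
    # will fall back to default engine.
    #
    # The "-engine <id>" option is kept in its own variable: this function is
    # called once per certificate type, and rewriting OPENSSL_ENGINE_ID in
    # place would make the next call test "-engine <id>" as the engine id.
    # The match is on the whole word because "unavailable" also contains
    # "available", which would let a failed engine load pass the check and
    # the test silently run on the default provider.
    if [ -n "${OPENSSL_ENGINE_ID}" ]; then
        OUTPUT=$($OPENSSL engine -tt "$OPENSSL_ENGINE_ID")
        if ! echo "$OUTPUT" | grep -qw "available"; then
            printf "not able to load engine or engine not available\n"
            printf '%s\n' "$OPENSSL engine -tt $OPENSSL_ENGINE_ID"
            do_cleanup
            exit 1
        fi
        openssl_engine_opt="-engine ${OPENSSL_ENGINE_ID}"
    fi

    while [ "$counter" -lt 20 ]; do
        echo -e "\n# Trying to start $openssl_suite OpenSSL server on port $server_port..."

        echo "#"
        # "ALL:eNULL" enables NULL-encryption suites and the PSK comes from
        # the fixed test value in psk_hex: test-only server settings.
        if [ "$cert_file" != "" ]
        then
            echo "# $OPENSSL s_server -accept $server_port $openssl_engine_opt -cert \"$cert_file\" -key \"$key_file\"  -quiet -CAfile \"$ca_file\" -www -dhparam \"${CERT_DIR}/dh2048.pem\" -verify 10 -verify_return_error -psk $psk_hex -cipher \"ALL:eNULL\" $openssl_nodhe"
            # shellcheck disable=SC2086
            $OPENSSL s_server -accept "$server_port" $openssl_engine_opt -cert "$cert_file" -key "$key_file" -quiet -CAfile "$ca_file" -www -dhparam "${CERT_DIR}/dh2048.pem" -verify 10 -verify_return_error -psk "$psk_hex" -cipher "ALL:eNULL" $openssl_nodhe &
        else
            echo "# $OPENSSL s_server -accept $server_port $openssl_engine_opt -quiet -nocert -www -dhparam \"${CERT_DIR}/dh2048.pem\" -verify 10 -verify_return_error -psk $psk_hex -cipher \"ALL:eNULL\" $openssl_nodhe"
            # shellcheck disable=SC2086
            $OPENSSL s_server -accept "$server_port" $openssl_engine_opt -quiet -nocert -www -dhparam "${CERT_DIR}/dh2048.pem" -verify 10 -verify_return_error -psk "$psk_hex" -cipher "ALL:eNULL" $openssl_nodhe &
        fi
        server_pid=$!
        # wait to see if s_server successfully starts before continuing
        sleep 0.1

        if kill -0 "$server_pid" 2>/dev/null
        then
            echo "s_server started successfully on port $server_port"
            found_free_port=1
            break
        else
            #port already started, try a different port
            counter=$((counter+ 1))
            generate_port
            server_port=$port
        fi
    done

    if [ "$found_free_port" = 0 ]
    then
        echo -e "Couldn't find free port for server"
        do_cleanup
        exit 1
    fi

    servers="$servers OpenSSL_$openssl_suite:$server_pid:$server_port"
}

#
# Start a wolfSSL server
#
# Globals read:    wolfssl_server_avail, WOLFSSL_SERVER, wolfssl_suite,
#                  cert_file, key_file, ca_file, psk, crl
# Globals written: server_port, server_pid, found_free_port, counter,
#                  wolfssl_cert, wolfssl_key, wolfssl_caCert, servers
# Same retry and failure behaviour as start_openssl_server.
#
start_wolfssl_server() {
    if [ "$wolfssl_server_avail" = "" ]
    then
        echo "# wolfSSL server not available"
        return
    fi

    wolfssl_cert=""
    wolfssl_key=""
    wolfssl_caCert=""
    if [ "$cert_file" != "" ]
    then
        wolfssl_cert="-c$cert_file"
    fi
    if [ "$key_file" != "" ]
    then
        wolfssl_key="-k$key_file"
    fi
    if [ "$ca_file" != "" ]
    then
        wolfssl_caCert="-A$ca_file"
    fi

    generate_port
    server_port=$port
    found_free_port=0
    counter=0
    while [ "$counter" -lt 20 ]; do
        echo -e "\n# Trying to start $wolfssl_suite wolfSSL server on port $server_port..."

        echo "#"
        echo "# $WOLFSSL_SERVER -p $server_port -g -v d -x -i $psk $crl -l ALL:eNULL \"$wolfssl_cert\" \"$wolfssl_key\" \"$wolfssl_caCert\""
        # $psk and $crl are left unquoted on purpose so that an empty value
        # contributes no argument.
        # shellcheck disable=SC2086
        $WOLFSSL_SERVER -p "$server_port" -g -v d -x -i $psk $crl -l ALL:eNULL "$wolfssl_cert" "$wolfssl_key" "$wolfssl_caCert" &
        server_pid=$!
        # wait to see if server successfully starts before continuing
        sleep 0.1

        if kill -0 "$server_pid" 2>/dev/null
        then
            echo "wolfSSL server started successfully on port $server_port"
            found_free_port=1
            break
        else
            #port already started, try a different port
            counter=$((counter+ 1))
            generate_port
            server_port=$port
        fi
    done

    if [ "$found_free_port" = 0 ]
    then
        echo -e "Couldn't find free port for server"
        do_cleanup
        exit 1
    fi

    servers="$servers wolfSSL_$wolfssl_suite:$server_pid:$server_port"
}

#
# Poll localhost:$server_port with nc until it accepts a connection.
# Globals read: server_name, server_port. Exits 1 (after cleanup) when the
# port does not answer within 20 attempts.
#
check_server_ready() {
    # server should be ready, let's make sure
    server_ready=0
    # Start each server's wait from zero; without this the attempt budget is
    # whatever the previous caller left in the shared counter.
    counter=0
    while [ "$counter" -lt 20 ]; do
        echo -e "waiting for $server_name ready..."
        echo -e Checking | nc -4 -w 1 -z localhost "$server_port"
        nc_result=$?
        if [ "$nc_result" = 0 ]
        then
            echo -e "$server_name ready!"
            server_ready=1
            break
        fi
        sleep 0.1
        counter=$((counter+ 1))
    done

    if [ "$server_ready" = 0 ]
    then
        echo -e "Couldn't verify $server_name is running, timeout error"
        do_cleanup
        exit 1
    fi
}

#
# Run wolfSSL client against OpenSSL server
#
# Globals read:    wolfssl_client_avail, WOLFSSL_CLIENT, port, wolfSuite,
#                  version, psk, adh, crl, cert, key, caCert,
#                  openssl_psk_resume_bug, tls13_suite, wolfssl_no_resume
# Globals written: wolfssl_cert, wolfssl_key, wolfssl_caCert,
#                  wolfssl_resume, client_result, wolf_temp_cases_tested
# A non-zero client exit status stops the whole run with exit 1.
#
do_wolfssl_client() {
    if [ "$wolfssl_client_avail" = "" ]
    then
        return
    fi
    wolfssl_cert=""
    wolfssl_key=""
    wolfssl_caCert=""
    if [ "$cert" != "" ]
    then
        wolfssl_cert="-c$cert"
    fi
    if [ "$key" != "" ]
    then
        wolfssl_key="-k$key"
    fi
    if [ "$caCert" != "" ]
    then
        wolfssl_caCert="-A$caCert"
    fi
    # Session resumption (-r) is on by default and dropped for the known
    # OpenSSL 1.1.1 TLS 1.3 PSK issue or when the caller asks for it.
    wolfssl_resume="-r"
    if [ "$openssl_psk_resume_bug" != "" ] && [ "$tls13_suite" != "" ]
    then
        wolfssl_resume=
    fi
    if [ "$wolfssl_no_resume" = "yes" ]
    then
        wolfssl_resume=
    fi
    if [ "$version" != "5" ] && [ "$version" != "" ]
    then
        echo "#"
        echo "# $WOLFSSL_CLIENT -p $port -g $wolfssl_resume -l $wolfSuite -v $version $psk $adh \"$wolfssl_cert\" \"$wolfssl_key\" \"$wolfssl_caCert\" $crl"
        # shellcheck disable=SC2086
        $WOLFSSL_CLIENT -p "$port" -g $wolfssl_resume -l "$wolfSuite" -v "$version" $psk $adh "$wolfssl_cert" "$wolfssl_key" "$wolfssl_caCert" $crl
    else
        echo "#"
        echo "# $WOLFSSL_CLIENT -p $port -g $wolfssl_resume -l $wolfSuite $psk $adh \"$wolfssl_cert\" \"$wolfssl_key\" \"$wolfssl_caCert\" $crl"
        # do all versions
        # shellcheck disable=SC2086
        $WOLFSSL_CLIENT -p "$port" -g $wolfssl_resume -l "$wolfSuite" $psk $adh "$wolfssl_cert" "$wolfssl_key" "$wolfssl_caCert" $crl
    fi

    client_result=$?

    if [ "$client_result" != 0 ]
    then
        echo -e "client failed! Suite = $wolfSuite version = $version"
        do_cleanup
        exit 1
    fi
    wolf_temp_cases_tested=$((wolf_temp_cases_tested+1))
}

#
# Run OpenSSL client against wolfSSL server
#
# Globals read:    wolfssl_server_avail, OPENSSL, port, cmpSuite, version,
#                  tls13_cipher, tls13_integrity_only, openssl_tls13,
#                  openssl_psk, cert, key, caCert, wolfSuite
# Globals written: openssl_version, openssl_cert1/2, openssl_key1/2,
#                  openssl_caCert1/2, openssl_seclevel, client_result,
#                  open_temp_cases_tested
# A non-zero client exit status stops the whole run with exit 1.
#
# NOTE(review): the openssl_cert*/key*/caCert* variables are only ever set
# here, never cleared, so a call with empty cert/key/caCert reuses the values
# from an earlier call.
#
do_openssl_client() {
    if [ "$wolfssl_server_avail" = "" ]
    then
        return
    fi

    if [ "$version" = "" ] || [ "$version" = "5" ]
    then
        if [ "$tls13_cipher" = "" ] && [ "$openssl_tls13" != "" ]
        then
            openssl_version="-no_tls1_3"
        fi
    fi
    if [ "$cert" != "" ]
    then
        openssl_cert1="-cert"
        openssl_cert2="$cert"
    fi
    if [ "$key" != "" ]
    then
        openssl_key1="-key"
        openssl_key2="$key"
    fi
    if [ "$caCert" != "" ]
    then
        openssl_caCert1="-CAfile"
        openssl_caCert2="$caCert"
    fi

    # Integrity-only cipher suites require SECLEVEL=0 to allow NULL encryption
    openssl_seclevel=""
    if [ "$tls13_integrity_only" = "yes" ]
    then
        openssl_seclevel="-cipher ALL:@SECLEVEL=0"
    fi

    # NOTE(review): eval re-parses the interpolated string as shell code, so
    # every value placed in it ($OPENSSL, $cmpSuite, $port, $openssl_psk and
    # the certificate paths derived from $PWD) must be trusted; the \"...\"
    # quoting protects spaces but not quotes, "$" or backticks inside a path.
    # Presumably eval is used because the main loop runs with IFS=":", where
    # a plain unquoted expansion would not split multi-word options such as
    # $openssl_psk on spaces. An argument array would remove the re-parse.
    if [ "$tls13_cipher" = "" ]
    then
        echo "#"
        echo "# $OPENSSL s_client -connect localhost:$port -reconnect -legacy_renegotiation -cipher $cmpSuite $openssl_version $openssl_psk $openssl_cert1 \"$openssl_cert2\" $openssl_key1 \"$openssl_key2\" $openssl_caCert1 \"$openssl_caCert2\""
        echo "Hello" | eval "$OPENSSL s_client -connect localhost:$port -reconnect -legacy_renegotiation -cipher $cmpSuite $openssl_version $openssl_psk $openssl_cert1 \"$openssl_cert2\" $openssl_key1 \"$openssl_key2\" $openssl_caCert1 \"$openssl_caCert2\""
    else
        echo "#"
        echo "# $OPENSSL s_client -connect localhost:$port -reconnect -legacy_renegotiation -ciphersuites=$cmpSuite $openssl_seclevel $openssl_version $openssl_psk $openssl_cert1 \"$openssl_cert2\" $openssl_key1 \"$openssl_key2\" $openssl_caCert1 \"$openssl_caCert2\""
        echo "Hello" | eval "$OPENSSL s_client -connect localhost:$port -reconnect -legacy_renegotiation -ciphersuites=$cmpSuite $openssl_seclevel $openssl_version $openssl_psk $openssl_cert1 \"$openssl_cert2\" $openssl_key1 \"$openssl_key2\" $openssl_caCert1 \"$openssl_caCert2\""
    fi

    client_result=$?

    if [ "$client_result" != 0 ]
    then
        echo -e "client failed! Suite = $wolfSuite version = $version"
        do_cleanup
        exit 1
    fi
    open_temp_cases_tested=$((open_temp_cases_tested+1))
}

OIFS=$IFS # store old separator to reset

#
# Start
#

echo
echo "wolfSSL configuration:"
./config.status --config
echo
echo "OpenSSL version:"
$OPENSSL version -a
echo

# A missing tool or an unbuilt client ends the run with status 0 below,
# i.e. the harness sees a pass rather than a skip.
echo -e "\nTesting existence of openssl command...\n"
command -v "$OPENSSL" >/dev/null 2>&1 || { echo >&2 "Requires openssl command, but it's not installed. Ending."; do_cleanup; exit 0; }

echo -e "\nTesting for _build directory as part of distcheck, different paths"
currentDir=$(pwd)
case "$currentDir" in
*_build)
    echo -e "_build directory detected, moving a directory back"
    cd .. || exit
    ;;
esac

echo -e "\nChecking for wolfSSL client - needed for cipher list"
wolfssl_client_avail=$($WOLFSSL_CLIENT -?)
case $wolfssl_client_avail in
*"Client not compiled in!"*)
    wolfssl_client_avail=
    echo >&2 "Requires wolfSSL client, but it's not built. Ending."
    do_cleanup
    exit 0
    ;;
esac

echo -e "\nTesting for buggy version of OpenSSL - TLS 1.3, PSK and session ticket"
openssl_version=$($OPENSSL version)
case $openssl_version in
"OpenSSL 1.1.1 "*)
    openssl_psk_resume_bug=yes
    ;;
"OpenSSL 1.0.2"*)
    openssl_adh_reneg_bug=yes
    ;;
esac

# check for wolfssl server
wolfssl_server_avail=$($WOLFSSL_SERVER -?)
case $wolfssl_server_avail in
*"Server not compiled in!"*)
    wolfssl_server_avail=
    ;;
esac

# get wolfssl ciphers
wolf_ciphers=$($WOLFSSL_CLIENT -e)

# get wolfssl supported versions
wolf_versions=$($WOLFSSL_CLIENT -V)
wolf_versions="${wolf_versions}:5" #5 will test without -v flag

OIFS="$IFS" # store old separator to reset
IFS=: # set delimiter
for version in $wolf_versions
do
    case $version in
    1|2|3)
        wolf_tls=yes
        ;;
    4)
        wolf_tls13=yes
        ;;
    esac
done
IFS="$OIFS" #restore separator

#
# Start OpenSSL servers
#

# Check for certificate support in wolfSSL
wolf_certs=$($WOLFSSL_CLIENT -? 2>&1)
case $wolf_certs in
*"cert"*)
    ;;
*)
    wolf_certs=""
    ;;
esac

# Each probe below loads a CA or client file and treats a load error in the
# tool's output as "algorithm not supported".
if [ "$wolf_certs" != "" ]
then
    echo
    # Check if RSA certificates supported in wolfSSL
    wolf_rsa=$($WOLFSSL_CLIENT -A "${CERT_DIR}/ca-cert.pem" 2>&1)
    case $wolf_rsa in
    *"ca file"*)
        echo "wolfSSL does not support RSA"
        wolf_rsa=""
        ;;
    *)
        ;;
    esac
    if [ "$wolf_rsa" != "" ]; then
        echo "wolfSSL supports RSA"
    fi
    # Check if RSA-PSS certificates supported in wolfSSL
    wolf_rsapss=$($WOLFSSL_CLIENT -A "${CERT_DIR}/rsapss/ca-rsapss.pem" 2>&1)
    case $wolf_rsapss in
    *"ca file"*)
        echo "wolfSSL does not support RSA-PSS"
        wolf_rsapss=""
        ;;
    *)
        ;;
    esac
    if [ "$wolf_rsapss" != "" ]; then
        echo "wolfSSL supports RSA-PSS"
    fi
    # Check if ECC certificates supported in wolfSSL
    wolf_ecc=$($WOLFSSL_CLIENT -A "${CERT_DIR}/ca-ecc-cert.pem" 2>&1)
    case $wolf_ecc in
    *"ca file"*)
        echo "wolfSSL does not support ECDSA"
        wolf_ecc=""
        ;;
    *)
        ;;
    esac
    if [ "$wolf_ecc" != "" ]; then
        echo "wolfSSL supports ECDSA"
    fi
    # Check if Ed25519 certificates supported in wolfSSL
    wolf_ed25519=$($WOLFSSL_CLIENT -A "${CERT_DIR}/ed25519/root-ed25519.pem" 2>&1)
    case $wolf_ed25519 in
    *"ca file"*)
        echo "wolfSSL does not support Ed25519"
        wolf_ed25519=""
        ;;
    *)
        ;;
    esac
    if [ "$wolf_ed25519" != "" ]; then
        echo "wolfSSL supports Ed25519"
    fi
    # Check if Ed25519 certificates supported in OpenSSL
    # (a failure clears wolf_ed25519, so the flag means "both sides support it")
    openssl_ed25519=$($OPENSSL s_client -cert "${CERT_DIR}/ed25519/client-ed25519.pem" -key "${CERT_DIR}/ed25519/client-ed25519-priv.pem" 2>&1)
    case $openssl_ed25519 in
    *"unable to load"*)
        echo "OpenSSL does not support Ed25519"
        wolf_ed25519=""
        ;;
    *)
        ;;
    esac
    if [ "$wolf_ed25519" != "" ]; then
        echo "OpenSSL supports Ed25519"
    fi
    # Check if Ed448 certificates supported in wolfSSL
    wolf_ed448=$($WOLFSSL_CLIENT -A "${CERT_DIR}/ed448/root-ed448.pem" 2>&1)
    case $wolf_ed448 in
    *"ca file"*)
        echo "wolfSSL does not support Ed448"
        wolf_ed448=""
        ;;
    *)
        ;;
    esac
    if [ "$wolf_ed448" != "" ]; then
        echo "wolfSSL supports Ed448"
    fi
    # Check if Ed448 certificates supported in OpenSSL
    # (a failure clears wolf_ed448, so the flag means "both sides support it")
    openssl_ed448=$($OPENSSL s_client -cert "${CERT_DIR}/ed448/client-ed448.pem" -key "${CERT_DIR}/ed448/client-ed448-priv.pem" 2>&1)
    case $openssl_ed448 in
    *"unable to load"*)
        echo "OpenSSL does not support Ed448"
        wolf_ed448=""
        ;;
    *)
        ;;
    esac
    if [ "$wolf_ed448" != "" ]; then
        echo "OpenSSL supports Ed448"
    fi
    echo
fi

# TLS 1.3 support in OpenSSL is inferred from the s_client help text.
openssl_tls13=$($OPENSSL s_client -help 2>&1)
case $openssl_tls13 in
*no_tls1_3*)
    ;;
*)
    openssl_tls13=
    ;;
esac

# Not all openssl versions support -allow_no_dhe_kex
openssl_nodhe=$($OPENSSL s_client -help 2>&1)
case $openssl_nodhe in
*allow_no_dhe_kex*)
    openssl_nodhe=-allow_no_dhe_kex
    ;;
*)
    openssl_nodhe=
    ;;
esac

# Check suites to determine support in wolfSSL
OIFS="$IFS" # store old separator to reset
IFS=: # set delimiter
for wolfSuite in $wolf_ciphers; do
    case $wolfSuite in
    *ECDHE-RSA-*)
        ecdhe_avail=yes
        wolf_rsa=yes
        ;;
    *DHE-RSA-*)
        wolf_rsa=yes
        ;;
    *ECDH-RSA*)
        wolf_ecdh_rsa=yes
        ;;
    *ECDHE-ECDSA*|*ECDH-ECDSA*)
        wolf_ecdsa=yes
        ;;
    *ADH*)
        wolf_anon=yes
        ;;
    *PSK*)
        if [ "$wolf_psk" = "" ]
        then
            echo "Testing PSK"
            wolf_psk=1
        fi
        if [ "$wolf_tls" != "" ]
        then
            wolf_tls_psk=yes
        fi
        ;;
    *TLS13*)
        ;;
    *)
        wolf_rsa=yes
    esac
done
IFS="$OIFS" #restore separator

openssl_ciphers=$($OPENSSL ciphers ALL 2>&1)
case $openssl_ciphers in
*ADH*)
    openssl_anon=yes
    ;;
esac

# TLSv1 -> TLSv1.2 PSK secret
# (fixed test value; the OpenSSL client side repeats it as "-psk 1a2b3c4d")
psk_hex="1a2b3c4d"

# If RSA cipher suites supported in wolfSSL then start servers
if [ "$wolf_rsa" != "" ] || [ "$wolf_tls_psk" != "" ]
then
    if [ "$wolf_rsa" != "" ]
    then
        cert_file="${CERT_DIR}/server-cert.pem"
        key_file="${CERT_DIR}/server-key.pem"
        ca_file="${CERT_DIR}/client-ca.pem"
    else
        cert_file=
        key_file=
        ca_file=
    fi

    openssl_suite="RSA"
    start_openssl_server
    openssl_port=$server_port
    openssl_pid=$server_pid

    wolfssl_suite="RSA"
    if [ "$wolf_tls_psk" != "" ]
    then
        psk="-j"
    fi
    echo "cert_file=$cert_file"
    start_wolfssl_server
    psk=
    wolfssl_port=$server_port
    # shellcheck disable=SC2034
    wolfssl_pid=$server_pid
fi

# If ECDH-RSA cipher suites supported in wolfSSL then start servers
if [ "$wolf_ecdh_rsa" != "" ]
then
    cert_file="${CERT_DIR}/server-ecc-rsa.pem"
    key_file="${CERT_DIR}/ecc-key.pem"
    ca_file="${CERT_DIR}/client-ca.pem"

    openssl_suite="ECDH-RSA"
    start_openssl_server
    ecdh_openssl_port=$server_port
    # shellcheck disable=SC2034
    ecdh_openssl_pid=$server_pid

    wolfssl_suite="ECDH-RSA"
    start_wolfssl_server
    ecdh_wolfssl_port=$server_port
    # shellcheck disable=SC2034
    ecdh_wolfssl_pid=$server_pid
fi

# If ECDSA cipher suites and ECC certificates supported then start servers
if [ "$wolf_ecdsa" != "" ] && [ "$wolf_ecc" != "" ]
then
    cert_file="${CERT_DIR}/server-ecc.pem"
    key_file="${CERT_DIR}/ecc-key.pem"
    ca_file="${CERT_DIR}/client-ecc-cert.pem"

    openssl_suite="ECDH[E]-ECDSA"
    start_openssl_server
    ecdsa_openssl_port=$server_port
    ecdsa_openssl_pid=$server_pid

    wolfssl_suite="ECDH[E]-ECDSA"
    start_wolfssl_server
    ecdsa_wolfssl_port=$server_port
    # shellcheck disable=SC2034
    ecdsa_wolfssl_pid=$server_pid
fi

# If Ed25519 certificates supported in wolfSSL then start servers
if [ "$wolf_ed25519" != "" ];
then
    cert_file="${CERT_DIR}/ed25519/server-ed25519.pem"
    key_file="${CERT_DIR}/ed25519/server-ed25519-priv.pem"
    ca_file="${CERT_DIR}/ed25519/client-ed25519.pem"

    openssl_suite="Ed25519"
    start_openssl_server
    ed25519_openssl_port=$server_port
    ed25519_openssl_pid=$server_pid

    crl="-V"
    wolfssl_suite="Ed25519"
    start_wolfssl_server
    ed25519_wolfssl_port=$server_port
    # shellcheck disable=SC2034
    ed25519_wolfssl_pid=$server_pid
    crl=
fi

# If Ed448 certificates supported in wolfSSL then start servers
if [ "$wolf_ed448" != "" ];
then
    cert_file="${CERT_DIR}/ed448/server-ed448.pem"
    key_file="${CERT_DIR}/ed448/server-ed448-priv.pem"
    ca_file="${CERT_DIR}/ed448/client-ed448.pem"

    openssl_suite="Ed448"
    start_openssl_server
    ed448_openssl_port=$server_port
    ed448_openssl_pid=$server_pid

    crl="-V"
    wolfssl_suite="Ed448"
    start_wolfssl_server
    ed448_wolfssl_port=$server_port
    # shellcheck disable=SC2034
    ed448_wolfssl_pid=$server_pid
    crl=
fi

# If TLS 1.3 and PSK supported in wolfSSL then start certificate-less
# PSK servers. psk_hex is replaced by a longer fixed test key from here on.
if [ "$wolf_tls13" != "" ] && [ "$wolf_psk" != "" ]
then
    cert_file=
    psk_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

    openssl_suite="TLSv1.3_PSK"
    start_openssl_server
    tls13_psk_openssl_port=$server_port
    # shellcheck disable=SC2034
    tls13_psk_openssl_pid=$server_pid

    psk="-s --openssl-psk"
    wolfssl_suite="TLSv1.3_PSK"
    start_wolfssl_server
    tls13_psk_wolfssl_port=$server_port
    # shellcheck disable=SC2034
    tls13_psk_wolfssl_pid=$server_pid
fi

# If anonymous suites supported on both sides then start a wolfSSL server
if [ "$wolf_anon" != "" ] && [ "$openssl_anon" ]
then
    cert_file=""
    key_file=""
    ca_file=""

    wolfssl_suite="Anon"
    psk="-a" # anonymous not psk
    start_wolfssl_server
    anon_wolfssl_port=$server_port
    # shellcheck disable=SC2034
    anon_wolfssl_pid=$server_pid
fi

# Confirm every recorded server (name:pid:port) accepts connections.
for s in $servers
do
    f2=${s%:*}
    server_name=${f2%:*}
    server_port=${s##*:}
    check_server_ready
done

OIFS="$IFS" # store old separator to reset
IFS=: # set delimiter
set -f # no globbing
# NOTE(review): globbing is not re-enabled later in this script, and IFS
# stays ":" until the end of the version loop; the client helpers called
# inside the loop run under both settings.

wolf_temp_cases_total=0
wolf_temp_cases_tested=0
# Testing of OpenSSL support for version requires a running OpenSSL server
for version in $wolf_versions;
do
    echo -e "version = $version"
    # get openssl ciphers depending on version
    # -s flag for only supported ciphers
    case $version in
    "0")
        openssl_ciphers=$($OPENSSL ciphers "SSLv3" 2>&1)

        # double check that can actually do a sslv3 connection using
        # client-cert.pem to send but any file with EOF works
        $OPENSSL s_client -ssl3 -no_ign_eof -host localhost -port "$openssl_port" < "${CERT_DIR}/client-cert.pem"
        sslv3_sup=$?

        if [ "$sslv3_sup" != 0 ]
        then
            echo -e "Not testing SSLv3. No OpenSSL support for 'SSLv3' modifier"
            testing_summary="${testing_summary}SSLv3\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n"
            continue
        fi
        openssl_version="-ssl3"
        ;;
    "1")
        proto_check=$(echo "hell" | $OPENSSL s_client -connect localhost:"$openssl_port" -tls1 2>&1)
        tlsv1_sup=$?
        if [ "$tlsv1_sup" != 0 ]
        then
            echo -e "Not testing TLSv1. No OpenSSL support for '-tls1'"
            testing_summary="${testing_summary}TLSv1\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL Support)\n"
            continue
        fi
        openssl_ciphers=$($OPENSSL ciphers -s "TLSv1" 2>&1)
        tlsv1_sup=$?
        if [ "$tlsv1_sup" != 0 ]
        then
            echo -e "Not testing TLSv1. No OpenSSL support for 'TLSv1' modifier"
            testing_summary="${testing_summary}TLSv1\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n"
            continue
        fi
        openssl_version="-tls1"
        ;;
    "2")
        # Same ciphers for TLSv1.1 as TLSv1
        # shellcheck disable=SC2034
        proto_check=$(echo "hello" | $OPENSSL s_client -connect localhost:"$openssl_port" -tls1_1 2>&1)
        tlsv1_1_sup=$?
        if [ "$tlsv1_1_sup" != 0 ]
        then
            echo -e "Not testing TLSv1.1. No OpenSSL support for 'TLSv1.1' modifier"
            testing_summary="${testing_summary}TLSv1.1\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n"
            continue
        fi
        openssl_ciphers=$($OPENSSL ciphers -s "TLSv1" 2>&1)
        tlsv1_sup=$?
        if [ "$tlsv1_sup" != 0 ]
        then
            echo -e "Not testing TLSv1. No OpenSSL support for 'TLSv1' modifier"
            testing_summary="${testing_summary}TLSv1\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n"
            continue
        fi
        openssl_version="-tls1_1"
        ;;
    "3")
        openssl_ciphers=$($OPENSSL ciphers -s "TLSv1.2" 2>&1)
        tlsv1_2_sup=$?
        if [ "$tlsv1_2_sup" != 0 ]
        then
            echo -e "Not testing TLSv1.2. No OpenSSL support for 'TLSv1.2' modifier"
            testing_summary="${testing_summary}TLSv1.2\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n"
            continue
        fi
        openssl_version="-tls1_2"
        ;;
    "4")
        openssl_ciphers=$($OPENSSL ciphers -tls1_3 2>&1)
        tlsv1_3_sup=$?
        if [ "$tlsv1_3_sup" != 0 ]
        then
            echo -e "Not testing TLSv1.3. No OpenSSL support for 'TLSv1.3' modifier"
            testing_summary="${testing_summary}TLSv1.3\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n"
            continue
        fi
        # shellcheck disable=SC2034
        ecc_support=$($WOLFSSL_CLIENT -? 2>&1 | grep 'ECC named groups')
        openssl_version="-tls1_3"
        ;;
    "d(downgrade)")
        version="d"
        openssl_version=""
        ;;
    "e(either)")
        continue
        ;;
    "5") #test all suites
        openssl_ciphers=$($OPENSSL ciphers -s "ALL" 2>&1)
        all_sup=$?
        if [ "$all_sup" != 0 ]
        then
            echo -e "Not testing ALL. No OpenSSL support for ALL modifier"
            testing_summary="${testing_summary}ALL\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n"
            continue
        fi
        openssl_version=""
        ;;
    "")
        openssl_ciphers=$($OPENSSL ciphers 2>&1)
        all_sup=$?
        if [ "$all_sup" != 0 ]
        then
            echo -e "Not testing ALL. No OpenSSL support for ALL modifier"
            testing_summary="${testing_summary}ALL\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n"
            continue
        fi
        openssl_version=""
        ;;
    esac

    for wolfSuite in $wolf_ciphers; do
        echo -e "trying wolfSSL cipher suite $wolfSuite"
        wolf_temp_cases_total=$((wolf_temp_cases_total + 1))
        open_temp_cases_total=$((open_temp_cases_total + 1))
        matchSuite=0
        tls13_suite=
        tls13_integrity_only=

        # Map the wolfSSL TLS 1.3 suite name to the OpenSSL name.
        case $wolfSuite in
        "TLS13-AES128-GCM-SHA256")
            cmpSuite="TLS_AES_128_GCM_SHA256"
            tls13_suite="yes"
            ;;
        "TLS13-AES256-GCM-SHA384")
            cmpSuite="TLS_AES_256_GCM_SHA384"
            tls13_suite="yes"
            ;;
        "TLS13-CHACHA20-POLY1305-SHA256")
            cmpSuite="TLS_CHACHA20_POLY1305_SHA256"
            tls13_suite="yes"
            ;;
        "TLS13-AES128-CCM-SHA256")
            cmpSuite="TLS_AES_128_CCM_SHA256"
            tls13_suite="yes"
            ;;
        "TLS13-AES128-CCM-8-SHA256"|"TLS13-AES128-CCM8-SHA256")
            cmpSuite="TLS_AES_128_CCM_8_SHA256"
            tls13_suite="yes"
            ;;
        "TLS13-SHA256-SHA256")
            cmpSuite="TLS_SHA256_SHA256"
            tls13_suite="yes"
            tls13_integrity_only="yes"
            # OpenSSL does not enable TLS_SHA256_SHA256 in openssl ciphers
            # output by default, but it can be specified with -ciphersuites as
            # done in do_openssl_client()
            matchSuite=1
            ;;
        "TLS13-SHA384-SHA384")
            cmpSuite="TLS_SHA384_SHA384"
            tls13_suite="yes"
            tls13_integrity_only="yes"
            # OpenSSL does not enable TLS_SHA384_SHA384 in openssl ciphers
            # output by default, but it can be specified with -ciphersuites as
            # done in do_openssl_client()
            matchSuite=1
            ;;
        "TLS13-"*)
            echo -e "Suite = $wolfSuite not recognized!"
            echo -e "Add translation of wolfSSL name to OpenSSL"
            do_cleanup
            exit 1
            ;;
        *)
            cmpSuite=$wolfSuite
            ;;
        esac

        if [ "$matchSuite" = 0 ]
        then
            case ":$openssl_ciphers:" in *":$cmpSuite:"*) # add extra : for edge cases
                case "$cmpSuite" in
                "TLS_"*)
                    if [ "$version" != "4" ] && [ "$version" != "d" ]
                    then
                        echo -e "TLS 1.3 cipher suite but not TLS 1.3 protocol"
                        matchSuite=0
                    else
                        echo -e "Matched to OpenSSL suite support"
                        matchSuite=1
                    fi
                    ;;
                *)
                    if [ "$version" = "d" ] && [ "$wolfdowngrade" = "4" ]
                    then
                        echo -e "Not TLS 1.3 cipher suite but TLS 1.3 downgrade"
                        matchSuite=0
                    elif [ "$version" != "4" ]
                    then
                        echo -e "Matched to OpenSSL suite support"
                        matchSuite=1
                    else
                        echo -e "Not TLS 1.3 cipher suite but TLS 1.3 protocol"
                        matchSuite=0
                    fi
                    ;;
                esac
                ;;
            esac
        fi

        if [ "$matchSuite" = 0 ]
        then
            echo -e "Couldn't match suite, continuing..."
            continue
        fi

        # check for psk suite and turn on client psk if so
        psk=""
        adh=""
        crl=""
        cert=""
        key=""
        caCert=""
        case $wolfSuite in
        *ECDH-RSA*)
            cert="${CERT_DIR}/client-cert.pem"
            key="${CERT_DIR}/client-key.pem"
            caCert="${CERT_DIR}/ca-cert.pem"

            port=$ecdh_openssl_port
            do_wolfssl_client
            port=$ecdh_wolfssl_port
            do_openssl_client
            ;;
        *ECDHE-ECDSA*|*ECDH-ECDSA*)
            if [ "$wolf_ecc" != "" ]
            then
                cert="${CERT_DIR}/client-ecc-cert.pem"
                key="${CERT_DIR}/ecc-client-key.pem"
                caCert="${CERT_DIR}/ca-ecc-cert.pem"

                port=$ecdsa_openssl_port
                do_wolfssl_client
                port=$ecdsa_wolfssl_port
                do_openssl_client
            else
                wolf_temp_cases_total=$((wolf_temp_cases_total - 1))
            fi
            if [ "$ed25519_openssl_pid" != "$no_pid" ] && [ "$version" != "0" ] && [ "$version" != "1" ] && [ "$version" != "2" ]
            then
                cert="${CERT_DIR}/ed25519/client-ed25519.pem"
                key="${CERT_DIR}/ed25519/client-ed25519-priv.pem"
                caCert="${CERT_DIR}/ed25519/server-ed25519.pem"

                wolf_temp_cases_total=$((wolf_temp_cases_total + 1))
                port=$ed25519_openssl_port
                crl="-C"
                do_wolfssl_client
                open_temp_cases_total=$((open_temp_cases_total + 1))
                port=$ed25519_wolfssl_port
                do_openssl_client
            fi
            if [ "$ed448_openssl_pid" != "$no_pid" ] && [ "$version" != "0" ] && [ "$version" != "1" ] && [ "$version" != "2" ]
            then
                cert="${CERT_DIR}/ed448/client-ed448.pem"
                key="${CERT_DIR}/ed448/client-ed448-priv.pem"
                caCert="${CERT_DIR}/ed448/server-ed448.pem"

                wolf_temp_cases_total=$((wolf_temp_cases_total + 1))
                port=$ed448_openssl_port
                crl="-C"
                do_wolfssl_client
                open_temp_cases_total=$((open_temp_cases_total + 1))
                port=$ed448_wolfssl_port
                do_openssl_client
            fi
            ;;
        *DHE-PSK*)
            cert="${CERT_DIR}/client-cert.pem"
            key="${CERT_DIR}/client-key.pem"
            caCert="${CERT_DIR}/ca-cert.pem"

            port=$openssl_port
            psk="-s"
            do_wolfssl_client

            # Skip when no RSA as some versions of OpenSSL can't handle no
            # signature
            if [ "$wolf_rsa" != "" ]
            then
                port=$wolfssl_port
                openssl_psk="-psk 1a2b3c4d"
                do_openssl_client
            fi
            ;;
        *PSK*)
            cert="${CERT_DIR}/client-cert.pem"
            key="${CERT_DIR}/client-key.pem"
            caCert="${CERT_DIR}/ca-cert.pem"

            port=$openssl_port
            psk="-s"
            do_wolfssl_client
            port=$wolfssl_port
            openssl_psk="-psk 1a2b3c4d"
            do_openssl_client
            ;;
        *ADH*)
            cert="${CERT_DIR}/client-cert.pem"
            key="${CERT_DIR}/client-key.pem"
            caCert="${CERT_DIR}/ca-cert.pem"

            if [ "$version" != "0" ] && [ "$version" != "1" ] && [ "$version" != "2" ] && [ "$openssl_adh_reneg_bug" != "" ]
            then
                continue
            fi

            port=$openssl_port
            adh="-a"
            do_wolfssl_client
            port=$anon_wolfssl_port
            do_openssl_client
            ;;
        TLS13*)
            if [ "$version" != "4" ] && [ "$version" != "d" ] && [ "$version" != " " ] && [ "$version" != "5" ]
            then
                continue
            fi
            tls13_cipher=yes

            # Integrity-only cipher suites (NULL encryption)
            if [ "$tls13_integrity_only" = "yes" ]
            then
                # Only run integrity-only tests with TLS 1.3 (version 4)
                if [ "$version" != "4" ]
                then
                    tls13_cipher=
                    tls13_integrity_only=
                    continue
                fi

                # Integrity-only cipher suites require OpenSSL 3.4 or later
                # (awk exits 0, i.e. "too old", unless the version is >= 3.4)
                if $OPENSSL version | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -1 | \
                    awk -F. '{if ($1 > 3 || ($1 == 3 && $2 >= 4)) exit 1; else exit 0;}'; then
                    echo -e "OpenSSL version too old for integrity-only ciphers, skipping"
                    tls13_cipher=
                    tls13_integrity_only=
                    continue
                fi

                # NOTE(review): the dedicated servers started below are not
                # added to $servers, so if do_wolfssl_client fails and exits
                # via do_cleanup the s_server process is left running.

                # Test with RSA certs if available
                if [ "$openssl_pid" != "$no_pid" ] && [ "$wolf_rsa" != "" ]
                then
                    cert="${CERT_DIR}/client-cert.pem"
                    key="${CERT_DIR}/client-key.pem"
                    caCert="${CERT_DIR}/ca-cert.pem"

                    # Start a dedicated OpenSSL server for integrity-only tests
                    generate_port
                    integrity_openssl_port=$port
                    $OPENSSL s_server -accept "$integrity_openssl_port" -cert "${CERT_DIR}/server-cert.pem" -key "${CERT_DIR}/server-key.pem" -quiet -CAfile "${CERT_DIR}/client-cert.pem" -www -cipher "ALL:eNULL:@SECLEVEL=0" -ciphersuites "$cmpSuite" -verify 10 -verify_return_error &
                    integrity_openssl_pid=$!
                    sleep 0.1

                    port=$integrity_openssl_port
                    do_wolfssl_client

                    # Kill the dedicated server
                    kill "$integrity_openssl_pid" 2>/dev/null

                    port=$wolfssl_port
                    do_openssl_client
                fi

                # Test with ECC certs if available
                if [ "$ecdsa_openssl_pid" != "$no_pid" ] && [ "$wolf_ecc" != "" ]
                then
                    cert="${CERT_DIR}/client-ecc-cert.pem"
                    key="${CERT_DIR}/ecc-client-key.pem"
                    caCert="${CERT_DIR}/ca-ecc-cert.pem"

                    # Start a dedicated OpenSSL server for integrity-only tests (ECC)
                    generate_port
                    integrity_openssl_port=$port
                    $OPENSSL s_server -accept "$integrity_openssl_port" -cert "${CERT_DIR}/server-ecc.pem" -key "${CERT_DIR}/ecc-key.pem" -quiet -CAfile "${CERT_DIR}/client-ecc-cert.pem" -www -cipher "ALL:eNULL:@SECLEVEL=0" -ciphersuites "$cmpSuite" -verify 10 -verify_return_error &
                    integrity_openssl_pid=$!
                    sleep 0.1

                    wolf_temp_cases_total=$((wolf_temp_cases_total + 1))
                    port=$integrity_openssl_port
                    do_wolfssl_client

                    # Kill the dedicated server
                    kill "$integrity_openssl_pid" 2>/dev/null

                    open_temp_cases_total=$((open_temp_cases_total + 1))
                    port=$ecdsa_wolfssl_port
                    do_openssl_client
                fi

                tls13_cipher=
                tls13_integrity_only=
                continue
            fi

            # RSA
            if [ "$openssl_pid" != "$no_pid" ] && [ "$ecdhe_avail" = "yes" ]
            then
                cert="${CERT_DIR}/client-cert.pem"
                key="${CERT_DIR}/client-key.pem"
                caCert="${CERT_DIR}/ca-cert.pem"

                port=$openssl_port
                do_wolfssl_client
                port=$wolfssl_port
                do_openssl_client
            fi
            # PSK
            if [ "$wolf_psk" != "" ] && [ "$wolfSuite" = "TLS13-AES128-GCM-SHA256" ] && [ "$wolf_ecc" != "" ] && [ "$openssl_nodhe" != "" ]
            then
                cert=""
                key=""
                caCert=""

                wolf_temp_cases_total=$((wolf_temp_cases_total + 1))
                port=$tls13_psk_openssl_port
                psk="-s --openssl-psk"
                # OpenSSL doesn't support DH for key exchange so do no PSK
                # DHE when ECC not supported
                # (this branch cannot be taken while the enclosing condition
                # requires wolf_ecc to be non-empty)
                if [ "$wolf_ecc" = "" ]
                then
                    adh="-K"
                fi
                do_wolfssl_client
                psk=""
                adh=""
                openssl_psk="-psk 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
                open_temp_cases_total=$((open_temp_cases_total + 1))
                port=$wolfssl_port
                do_openssl_client
                open_temp_cases_total=$((open_temp_cases_total + 1))
                port=$tls13_psk_wolfssl_port
                do_openssl_client
                openssl_psk=""
            fi
            # ECDSA
            if [ "$ecdsa_openssl_pid" != "$no_pid" ] && [ "$wolf_ecc" != "" ]
            then
                cert="${CERT_DIR}/client-ecc-cert.pem"
                key="${CERT_DIR}/ecc-client-key.pem"
                caCert="${CERT_DIR}/ca-ecc-cert.pem"

                wolf_temp_cases_total=$((wolf_temp_cases_total + 1))
                port=$ecdsa_openssl_port
                caCert="${CERT_DIR}/ca-ecc-cert.pem"
                do_wolfssl_client
                open_temp_cases_total=$((open_temp_cases_total + 1))
                port=$ecdsa_wolfssl_port
                caCert="${CERT_DIR}/ca-ecc-cert.pem"
                do_openssl_client
            fi
            # Ed25519
            if [ "$ed25519_openssl_pid" != "$no_pid" ]
            then
                cert="${CERT_DIR}/ed25519/client-ed25519.pem"
                key="${CERT_DIR}/ed25519/client-ed25519-priv.pem"
                caCert="${CERT_DIR}/ed25519/server-ed25519.pem"

                wolf_temp_cases_total=$((wolf_temp_cases_total + 1))
                port=$ed25519_openssl_port
                crl="-C"
                do_wolfssl_client
                open_temp_cases_total=$((open_temp_cases_total + 1))
                port=$ed25519_wolfssl_port
                do_openssl_client
            fi
            # Ed448
            if [ "$ed448_openssl_pid" != "$no_pid" ]
            then
                cert="${CERT_DIR}/ed448/client-ed448.pem"
                key="${CERT_DIR}/ed448/client-ed448-priv.pem"
                caCert="${CERT_DIR}/ed448/server-ed448.pem"

                wolf_temp_cases_total=$((wolf_temp_cases_total + 1))
                port=$ed448_openssl_port
                crl="-C"
                do_wolfssl_client
                open_temp_cases_total=$((open_temp_cases_total + 1))
                port=$ed448_wolfssl_port
                do_openssl_client
            fi
            tls13_cipher=
            ;;
        *)
            cert="${CERT_DIR}/client-cert.pem"
            key="${CERT_DIR}/client-key.pem"
            caCert="${CERT_DIR}/ca-cert.pem"

            port=$openssl_port
            do_wolfssl_client
            port=$wolfssl_port
            do_openssl_client
            ;;
        esac
    done

    # Fold this version's counters into the run totals and the summary table.
    wolf_cases_tested=$((wolf_temp_cases_tested+wolf_cases_tested))
    wolf_cases_total=$((wolf_temp_cases_total+wolf_cases_total))
    echo -e "wolfSSL cases tested with version:$version $wolf_temp_cases_tested"
    open_cases_tested=$((open_temp_cases_tested+open_cases_tested))
    open_cases_total=$((open_temp_cases_total+open_cases_total))
    echo -e "OpenSSL cases tested with version:$version $open_temp_cases_tested"
    version_name
    testing_summary="$testing_summary$versionName\tYes\t$wolf_temp_cases_total\t$wolf_temp_cases_tested\t$open_temp_cases_total\t$open_temp_cases_tested\n"
    wolf_temp_cases_total=0
    wolf_temp_cases_tested=0
    open_temp_cases_total=0
    open_temp_cases_tested=0
    wolfdowngrade="$version"
done
IFS="$OIFS" #restore separator

# Skip RSA-PSS interop test when RSA-PSS is not supported
if [ "$wolf_rsapss" != "" ] && [ "$ecdhe_avail" = "yes" ] && [ "$wolf_rsa" = "yes" ]
then
    # Test for RSA-PSS certs interop
    # Was running into alert sent by openssl server with version 1.1.1 released
    # in Sep 2018. To avoid this issue check that openssl version 3.0.0 or later
    # is used.

    # awk exits 0 ("old") unless the major version is >= 3
    $OPENSSL version | awk '{print $2}' | \
        awk -F. '{if ($1 >= 3) exit 1; else exit 0;}'
    RESULT=$?
    if [ "$RESULT" = "0" ]; then
        echo -e "Old version of openssl detected, skipping interop RSA-PSS test"
    else
        echo -e "Doing interop RSA-PSS test"

        key_file=${CERT_DIR}/rsapss/server-rsapss-priv.pem
        cert_file=${CERT_DIR}/rsapss/server-rsapss.pem
        ca_file=${CERT_DIR}/client-cert.pem
        openssl_suite="RSAPSS"
        start_openssl_server

        cert="${CERT_DIR}/client-cert.pem"
        key="${CERT_DIR}/client-key.pem"
        caCert="${CERT_DIR}/rsapss/ca-rsapss.pem"
        crl="-C"
        wolfSuite="ALL"
        wolfssl_no_resume="yes"
        port=$server_port
        if [ "$wolf_tls13" != "" ]
        then
            version="4"
            do_wolfssl_client
        fi
        if [ "$wolf_tls" != "" ]
        then
            version="3"
            do_wolfssl_client
        fi
    fi
fi

do_cleanup

echo -e "wolfSSL total cases $wolf_cases_total"
echo -e "wolfSSL cases tested $wolf_cases_tested"
echo -e "OpenSSL total cases $open_cases_total"
echo -e "OpenSSL cases tested $open_cases_tested"
echo -e "\nSuccess!\n\n\n\n"
echo -e "$testing_summary"
exit 0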