wolfssl-sys 4.0.0

#!/usr/bin/env bash

# openssl.test

# Environment variables used:
# OPENSSL            (openssl app to use)
# OPENSSL_ENGINE_ID  (engine id if any i.e. "wolfengine")

CERT_DIR="$PWD/$(dirname "$0")/../certs"

if ! test -n "$WOLFSSL_OPENSSL_TEST"; then
    echo "WOLFSSL_OPENSSL_TEST NOT set, won't run"
    exit 77
fi

# if we can, isolate the network namespace to eliminate port collisions.
if [[ -n "$NETWORK_UNSHARE_HELPER" ]]; then
     if [[ -z "$NETWORK_UNSHARE_HELPER_CALLED" ]]; then
         export NETWORK_UNSHARE_HELPER_CALLED=yes
         exec "$NETWORK_UNSHARE_HELPER" "$0" "$@" || exit $?
     fi
elif [ "${AM_BWRAPPED-}" != "yes" ]; then
    bwrap_path="$(command -v bwrap)"
    if [ -n "$bwrap_path" ]; then
        export AM_BWRAPPED=yes
        exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
    fi
    unset AM_BWRAPPED
fi

echo "WOLFSSL_OPENSSL_TEST set, running test..."

# need a unique port since may run the same time as testsuite
# Track ports already assigned in this script run to prevent intra-run collisions
used_ports=()

generate_port() {
    #-------------------------------------------------------------------------#
    # Generate a random port number, guaranteed unique within this script run.
    # Checks both the intra-run used_ports list and system-level bound ports.
    #-------------------------------------------------------------------------#
    local attempts=0 collision p

    while true; do
        if [[ "$OSTYPE" == "linux"* ]]; then
            p=$(($(od -An -N2 /dev/urandom) % (65535-49512) + 49512))
        elif [[ "$OSTYPE" == "darwin"* ]]; then
            p=$(($(od -An -N2 /dev/random) % (65535-49512) + 49512))
        else
            echo "Unknown OS TYPE"
            exit 1
        fi

        # Check against ports already assigned in this run
        collision=0
        for up in "${used_ports[@]}"; do
            if [ "$up" = "$p" ]; then
                collision=1
                break
            fi
        done

        # Also check if the port is already bound on this system
        if [ "$collision" -eq 0 ]; then
            if command -v ss &>/dev/null; then
                ss -lnt 2>/dev/null | grep -q ":${p}[[:space:]]" && collision=1
            elif command -v netstat &>/dev/null; then
                netstat -lnt 2>/dev/null | grep -q ":${p}[[:space:]]" && collision=1
            fi
        fi

        [ "$collision" -eq 0 ] && break

        ((attempts++))
        if [ "$attempts" -ge 100 ]; then
            echo "ERROR: generate_port could not find a free port after 100 attempts"
            exit 1
        fi
    done

    port=$p
    used_ports+=("$p")
}

no_pid=-1
servers=""
openssl_pid=$no_pid
ecdh_openssl_pid=$no_pid
ecdsa_openssl_pid=$no_pid
ed25519_openssl_pid=$no_pid
ed448_openssl_pid=$no_pid
tls13_psk_openssl_pid=$no_pid
wolfssl_pid=$no_pid
ecdh_wolfssl_pid=$no_pid
ecdsa_wolfssl_pid=$no_pid
ed25519_wolfssl_pid=$no_pid
ed448_wolfssl_pid=$no_pid
tls13_psk_wolfssl_pid=$no_pid
anon_wolfssl_pid=$no_pid
wolf_cases_tested=0
wolf_cases_total=0
counter=0
wolfssl_no_resume=""
testing_summary="OpenSSL Interop Testing Summary:\nVersion\tTested\t#Found\t#wolf\t#Found\t#OpenSSL\n"
versionName="Invalid"
if [ "$OPENSSL" = "" ]; then
    OPENSSL=openssl
fi
WOLFSSL_SERVER=./examples/server/server
WOLFSSL_CLIENT=./examples/client/client

version_name() {
    case $version in "0")
        versionName="SSLv3"
        ;;
    "1")
        versionName="TLSv1"
        ;;
    "2")
        versionName="TLSv1.1"
        ;;
    "3")
        versionName="TLSv1.2"
        ;;
    "4")
        versionName="TLSv1.3"
        ;;
    "d")
        versionName="Down"
        ;;
    "")
        versionName="Def"
        ;;
    "5")
        versionName="ALL"
        ;;
    esac
}

do_cleanup() {
    echo "in cleanup"

    IFS=$OIFS #restore separator
    for s in $servers
    do
        f2=${s%:*}
        sname=${f2%:*}
        pid=${f2##*:}
        port=${s##*:}
        echo "killing server: $sname ($port)"
        kill -9 "$pid"
    done
}

do_trap() {
    echo "got trap"
    do_cleanup
    exit 1
}

trap do_trap INT TERM

#
# Start an OpenSSL server
#
start_openssl_server() {
    if [ "$wolfssl_client_avail" = "" ]
    then
        return
    fi

    generate_port
    server_port=$port
    found_free_port=0
    counter=0

    # If OPENSSL_ENGINE_ID has been set then check that the desired engine can
    # be loaded successfully and error out if not. Otherwise the OpenSSL app
    # will fall back to default engine.
    if [ -n "${OPENSSL_ENGINE_ID}" ]; then
        OUTPUT=$($OPENSSL engine -tt "$OPENSSL_ENGINE_ID")
        if ! echo "$OUTPUT" | grep -q "available"; then
            printf "not able to load engine or engine not available\n"
            printf '%s\n' "$OPENSSL engine -tt $OPENSSL_ENGINE_ID"
            do_cleanup
            exit 1
        fi
        OPENSSL_ENGINE_ID="-engine ${OPENSSL_ENGINE_ID}"
    fi

    while [ "$counter" -lt 20 ]; do
        echo -e "\n# Trying to start $openssl_suite OpenSSL server on port $server_port..."
        echo "#"

        if [ "$cert_file" != "" ]
        then
            echo "# $OPENSSL s_server -accept $server_port $OPENSSL_ENGINE_ID -cert \"$cert_file\" -key \"$key_file\" -quiet -CAfile \"$ca_file\" -www -dhparam \"${CERT_DIR}/dh2048.pem\" -verify 10 -verify_return_error -psk $psk_hex -cipher \"ALL:eNULL\" $openssl_nodhe"
            # shellcheck disable=SC2086
            $OPENSSL s_server -accept "$server_port" $OPENSSL_ENGINE_ID -cert "$cert_file" -key "$key_file" -quiet -CAfile "$ca_file" -www -dhparam "${CERT_DIR}/dh2048.pem" -verify 10 -verify_return_error -psk "$psk_hex" -cipher "ALL:eNULL" $openssl_nodhe &
        else
            echo "# $OPENSSL s_server -accept $server_port $OPENSSL_ENGINE_ID -quiet -nocert -www -dhparam \"${CERT_DIR}/dh2048.pem\" -verify 10 -verify_return_error -psk $psk_hex -cipher \"ALL:eNULL\" $openssl_nodhe"
            # shellcheck disable=SC2086
            $OPENSSL s_server -accept "$server_port" $OPENSSL_ENGINE_ID -quiet -nocert -www -dhparam "${CERT_DIR}/dh2048.pem" -verify 10 -verify_return_error -psk "$psk_hex" -cipher "ALL:eNULL" $openssl_nodhe &
        fi
        server_pid=$!
        # wait to see if s_server successfully starts before continuing
        sleep 0.1

        if kill -0 "$server_pid" 2>/dev/null
        then
            echo "s_server started successfully on port $server_port"
            found_free_port=1
            break
        else
            #port already started, try a different port
            counter=$((counter+ 1))
            generate_port
            server_port=$port
        fi
    done

    if [ "$found_free_port" = 0 ]
    then
        echo -e "Couldn't find free port for server"
        do_cleanup
        exit 1
    fi

    servers="$servers OpenSSL_$openssl_suite:$server_pid:$server_port"
}

#
# Start a wolfSSL server
#
start_wolfssl_server() {
    if [ "$wolfssl_server_avail" = "" ]
    then
        echo "# wolfSSL server not available"
        return
    fi

    wolfssl_cert=""
    wolfssl_key=""
    wolfssl_caCert=""
    if [ "$cert_file" != "" ]
    then
        wolfssl_cert="-c$cert_file"
    fi
    if [ "$key_file" != "" ]
    then
        wolfssl_key="-k$key_file"
    fi
    if [ "$ca_file" != "" ]
    then
        wolfssl_caCert="-A$ca_file"
    fi

    generate_port
    server_port=$port
    found_free_port=0
    counter=0
    while [ "$counter" -lt 20 ]; do
        echo -e "\n# Trying to start $wolfssl_suite wolfSSL server on port $server_port..."

        echo "#"
        echo "# $WOLFSSL_SERVER -p $server_port -g -v d -x -i $psk $crl -l ALL \"$wolfssl_cert\" \"$wolfssl_key\" \"$wolfssl_caCert\""
        # shellcheck disable=SC2086
        $WOLFSSL_SERVER -p "$server_port" -g -v d -x -i $psk $crl -l ALL "$wolfssl_cert" "$wolfssl_key" "$wolfssl_caCert" &
        server_pid=$!
        # wait to see if server successfully starts before continuing
        sleep 0.1

        if kill -0 "$server_pid" 2>/dev/null
        then
            echo "wolfSSL server started successfully on port $server_port"
            found_free_port=1
            break
        else
            #port already started, try a different port
            counter=$((counter+ 1))
            generate_port
            server_port=$port
        fi
    done

    if [ "$found_free_port" = 0 ]
    then
        echo -e "Couldn't find free port for server"
        do_cleanup
        exit 1
    fi

    servers="$servers wolfSSL_$wolfssl_suite:$server_pid:$server_port"
}

check_server_ready() {
    # server should be ready, let's make sure
    server_ready=0
    while [ "$counter" -lt 20 ]; do
        echo -e "waiting for $server_name ready..."
        echo -e Checking | nc -4 -w 1 -z localhost "$server_port"
        nc_result=$?
        if [ "$nc_result" = 0 ]
        then
            echo -e "$server_name ready!"
            server_ready=1
            break
        fi
        sleep 0.1
        counter=$((counter+ 1))
    done

    if [ $server_ready = 0 ]
    then
        echo -e "Couldn't verify $server_name is running, timeout error"
        do_cleanup
        exit 1
    fi
}

#
# Run wolfSSL client against OpenSSL server
#
do_wolfssl_client() {
    if [ "$wolfssl_client_avail" = "" ]
    then
        return
    fi

    wolfssl_cert=""
    wolfssl_key=""
    wolfssl_caCert=""
    if [ "$cert" != "" ]
    then
        wolfssl_cert="-c$cert"
    fi
    if [ "$key" != "" ]
    then
        wolfssl_key="-k$key"
    fi
    if [ "$caCert" != "" ]
    then
        wolfssl_caCert="-A$caCert"
    fi
    wolfssl_resume="-r"
    if [ "$openssl_psk_resume_bug" != "" ] && [ "$tls13_suite" != "" ]
    then
        wolfssl_resume=
    fi
    if [ "$wolfssl_no_resume" = "yes" ]
    then
        wolfssl_resume=
    fi
    if [ "$version" != "5" ] && [ "$version" != "" ]
    then
        echo "#"
        echo "# $WOLFSSL_CLIENT -p $port -g $wolfssl_resume -l $wolfSuite -v $version $psk $adh \"$wolfssl_cert\" \"$wolfssl_key\" \"$wolfssl_caCert\" $crl"
        # shellcheck disable=SC2086
        $WOLFSSL_CLIENT -p "$port" -g $wolfssl_resume -l "$wolfSuite" -v "$version" $psk $adh "$wolfssl_cert" "$wolfssl_key" "$wolfssl_caCert" $crl
    else
        echo "#"
        echo "# $WOLFSSL_CLIENT -p $port -g $wolfssl_resume -l $wolfSuite $psk $adh \"$wolfssl_cert\" \"$wolfssl_key\" \"$wolfssl_caCert\" $crl"
        # do all versions
        # shellcheck disable=SC2086
        $WOLFSSL_CLIENT -p "$port" -g $wolfssl_resume -l "$wolfSuite" $psk $adh "$wolfssl_cert" "$wolfssl_key" "$wolfssl_caCert" $crl
    fi

    client_result=$?

    if [ "$client_result" != 0 ]
    then
        echo -e "client failed! Suite = $wolfSuite version = $version"
        do_cleanup
        exit 1
    fi
    wolf_temp_cases_tested=$((wolf_temp_cases_tested+1))
}

#
# Run OpenSSL client against wolfSSL server
#
do_openssl_client() {
    if [ "$wolfssl_server_avail" = "" ]
    then
        return
    fi

    if [ "$version" = "" ] || [ "$version" = "5" ]
    then
        if [ "$tls13_cipher" = "" ] && [ "$openssl_tls13" != "" ]
        then
            openssl_version="-no_tls1_3"
        fi
    fi
    if [ "$cert" != "" ]
    then
        openssl_cert1="-cert"
        openssl_cert2="$cert"
    fi
    if [ "$key" != "" ]
    then
        openssl_key1="-key"
        openssl_key2="$key"
    fi
    if [ "$caCert" != "" ]
    then
        openssl_caCert1="-CAfile"
        openssl_caCert2="$caCert"
    fi
    # Integrity-only cipher suites require SECLEVEL=0 to allow NULL encryption
    openssl_seclevel=""
    if [ "$tls13_integrity_only" = "yes" ]
    then
        openssl_seclevel="-cipher ALL:@SECLEVEL=0"
    fi

    if [ "$tls13_cipher" = "" ]
    then
        echo "#"
        echo "# $OPENSSL s_client -connect localhost:$port -reconnect -legacy_renegotiation -cipher $cmpSuite $openssl_version $openssl_psk $openssl_cert1 \"$openssl_cert2\" $openssl_key1 \"$openssl_key2\" $openssl_caCert1 \"$openssl_caCert2\""
        echo "Hello" | eval "$OPENSSL s_client -connect localhost:$port -reconnect -legacy_renegotiation -cipher $cmpSuite $openssl_version $openssl_psk $openssl_cert1 \"$openssl_cert2\" $openssl_key1 \"$openssl_key2\" $openssl_caCert1 \"$openssl_caCert2\""
    else
        echo "#"
        echo "# $OPENSSL s_client -connect localhost:$port -reconnect -legacy_renegotiation -ciphersuites=$cmpSuite $openssl_seclevel $openssl_version $openssl_psk $openssl_cert1 \"$openssl_cert2\" $openssl_key1 \"$openssl_key2\" $openssl_caCert1 \"$openssl_caCert2\""
        echo "Hello" | eval "$OPENSSL s_client -connect localhost:$port -reconnect -legacy_renegotiation -ciphersuites=$cmpSuite $openssl_seclevel $openssl_version $openssl_psk $openssl_cert1 \"$openssl_cert2\" $openssl_key1 \"$openssl_key2\" $openssl_caCert1 \"$openssl_caCert2\""
    fi

    client_result=$?

    if [ "$client_result" != 0 ]
    then
        echo -e "client failed! Suite = $wolfSuite version = $version"
        do_cleanup
        exit 1
    fi
    open_temp_cases_tested=$((open_temp_cases_tested+1))
}

OIFS=$IFS # store old separator to reset

#
# Start
#
echo
echo "wolfSSL configuration:"
./config.status --config
echo
echo "OpenSSL version:"
$OPENSSL version -a
echo

echo -e "\nTesting existence of openssl command...\n"
command -v "$OPENSSL" >/dev/null 2>&1 || { echo >&2 "Requires openssl command, but it's not installed.  Ending."; do_cleanup; exit 0; }


echo -e "\nTesting for _build directory as part of distcheck, different paths"
currentDir=$(pwd)
case "$currentDir" in
*_build)
    echo -e "_build directory detected, moving a directory back"
    cd .. || exit
    ;;
esac
echo -e "\nChecking for wolfSSL client - needed for cipher list"
wolfssl_client_avail=$($WOLFSSL_CLIENT -?)
case $wolfssl_client_avail in
*"Client not compiled in!"*)
    wolfssl_client_avail=
    echo >&2 "Requires wolfSSL client, but it's not built.  Ending."
    do_cleanup
    exit 0
    ;;
esac

echo -e "\nTesting for buggy version of OpenSSL - TLS 1.3, PSK and session ticket"
openssl_version=$($OPENSSL version)
case $openssl_version in
"OpenSSL 1.1.1 "*)
    openssl_psk_resume_bug=yes
    ;;
"OpenSSL 1.0.2"*)
    openssl_adh_reneg_bug=yes
    ;;
esac

# check for wolfssl server
wolfssl_server_avail=$($WOLFSSL_SERVER -?)
case $wolfssl_server_avail in
*"Server not compiled in!"*)
    wolfssl_server_avail=
    ;;
esac
# get wolfssl ciphers
wolf_ciphers=$($WOLFSSL_CLIENT -e)
# get wolfssl supported versions
wolf_versions=$($WOLFSSL_CLIENT -V)
wolf_versions="${wolf_versions}:5" #5 will test without -v flag

OIFS="$IFS" # store old separator to reset
IFS=: # set delimiter
for version in $wolf_versions
do
    case $version in
    1|2|3)
        wolf_tls=yes
        ;;
    4)
        wolf_tls13=yes
        ;;
    esac
done
IFS="$OIFS" #restore separator

#
# Start OpenSSL servers
#

# Check for certificate support in wolfSSL
wolf_certs=$($WOLFSSL_CLIENT -? 2>&1)
case $wolf_certs in
*"cert"*)
    ;;
*)
    wolf_certs=""
    ;;
esac

if [ "$wolf_certs" != "" ]
then
    echo
    # Check if RSA certificates supported in wolfSSL
    wolf_rsa=$($WOLFSSL_CLIENT -A "${CERT_DIR}/ca-cert.pem" 2>&1)
    case $wolf_rsa in
    *"ca file"*)
        echo "wolfSSL does not support RSA"
        wolf_rsa=""
        ;;
    *)
        ;;
    esac
    if [ "$wolf_rsa" != "" ]; then
        echo "wolfSSL supports RSA"
    fi
    # Check if RSA-PSS certificates supported in wolfSSL
    wolf_rsapss=$($WOLFSSL_CLIENT -A "${CERT_DIR}/rsapss/ca-rsapss.pem" 2>&1)
    case $wolf_rsapss in
    *"ca file"*)
        echo "wolfSSL does not support RSA-PSS"
        wolf_rsapss=""
        ;;
    *)
        ;;
    esac
    if [ "$wolf_rsapss" != "" ]; then
        echo "wolfSSL supports RSA-PSS"
    fi
    # Check if ECC certificates supported in wolfSSL
    wolf_ecc=$($WOLFSSL_CLIENT -A "${CERT_DIR}/ca-ecc-cert.pem" 2>&1)
    case $wolf_ecc in
    *"ca file"*)
        echo "wolfSSL does not support ECDSA"
        wolf_ecc=""
        ;;
    *)
        ;;
    esac
    if [ "$wolf_ecc" != "" ]; then
        echo "wolfSSL supports ECDSA"
    fi
    # Check if Ed25519 certificates supported in wolfSSL
    wolf_ed25519=$($WOLFSSL_CLIENT -A "${CERT_DIR}/ed25519/root-ed25519.pem" 2>&1)
    case $wolf_ed25519 in
    *"ca file"*)
        echo "wolfSSL does not support Ed25519"
        wolf_ed25519=""
        ;;
    *)
        ;;
    esac
    if [ "$wolf_ed25519" != "" ]; then
        echo "wolfSSL supports Ed25519"
    fi
    # Check if Ed25519 certificates supported in OpenSSL
    openssl_ed25519=$($OPENSSL s_client -cert "${CERT_DIR}/ed25519/client-ed25519.pem" -key "${CERT_DIR}/ed25519/client-ed25519-priv.pem" 2>&1)
    case $openssl_ed25519 in
    *"unable to load"*)
        echo "OpenSSL does not support Ed25519"
        wolf_ed25519=""
        ;;
    *)
        ;;
    esac
    if [ "$wolf_ed25519" != "" ]; then
        echo "OpenSSL supports Ed25519"
    fi
    # Check if Ed448 certificates supported in wolfSSL
    wolf_ed448=$($WOLFSSL_CLIENT -A "${CERT_DIR}/ed448/root-ed448.pem" 2>&1)
    case $wolf_ed448 in
    *"ca file"*)
        echo "wolfSSL does not support Ed448"
        wolf_ed448=""
        ;;
    *)
        ;;
    esac
    if [ "$wolf_ed448" != "" ]; then
        echo "wolfSSL supports Ed448"
    fi
    # Check if Ed448 certificates supported in OpenSSL
    openssl_ed448=$($OPENSSL s_client -cert "${CERT_DIR}/ed448/client-ed448.pem" -key "${CERT_DIR}/ed448/client-ed448-priv.pem" 2>&1)
    case $openssl_ed448 in
    *"unable to load"*)
        echo "OpenSSL does not support Ed448"
        wolf_ed448=""
        ;;
    *)
        ;;
    esac
    if [ "$wolf_ed448" != "" ]; then
        echo "OpenSSL supports Ed448"
    fi
    echo
fi

openssl_tls13=$($OPENSSL s_client -help 2>&1)
case $openssl_tls13 in
*no_tls1_3*)
    ;;
*)
    openssl_tls13=
    ;;
esac

# Not all openssl versions support -allow_no_dhe_kex
openssl_nodhe=$($OPENSSL s_client -help 2>&1)
case $openssl_nodhe in
*allow_no_dhe_kex*)
    openssl_nodhe=-allow_no_dhe_kex
    ;;
*)
    openssl_nodhe=
    ;;
esac

# Check suites to determine support in wolfSSL
OIFS="$IFS" # store old separator to reset
IFS=: # set delimiter
for wolfSuite in $wolf_ciphers; do
    case $wolfSuite in
    *ECDHE-RSA-*)
        ecdhe_avail=yes
        wolf_rsa=yes
        ;;
    *DHE-RSA-*)
        wolf_rsa=yes
        ;;
    *ECDH-RSA*)
        wolf_ecdh_rsa=yes
        ;;
    *ECDHE-ECDSA*|*ECDH-ECDSA*)
        wolf_ecdsa=yes
        ;;
    *ADH*)
        wolf_anon=yes
        ;;
    *PSK*)
        if [ "$wolf_psk" = "" ]
        then
            echo "Testing PSK"
            wolf_psk=1
        fi
        if [ "$wolf_tls" != "" ]
        then
            wolf_tls_psk=yes
        fi
        ;;
    *TLS13*)
        ;;
    *)
        wolf_rsa=yes
    esac
done
IFS="$OIFS" #restore separator

openssl_ciphers=$($OPENSSL ciphers ALL 2>&1)
case $openssl_ciphers in
*ADH*)
    openssl_anon=yes
    ;;
esac

# TLSv1 -> TLSv1.2 PSK secret
psk_hex="1a2b3c4d"

# If RSA cipher suites supported in wolfSSL then start servers
if [ "$wolf_rsa" != "" ] || [ "$wolf_tls_psk" != "" ]
then
    if [ "$wolf_rsa" != "" ]
    then
        cert_file="${CERT_DIR}/server-cert.pem"
        key_file="${CERT_DIR}/server-key.pem"
        ca_file="${CERT_DIR}/client-ca.pem"
    else
        cert_file=
        key_file=
        ca_file=
    fi

    openssl_suite="RSA"
    start_openssl_server
    openssl_port=$server_port
    openssl_pid=$server_pid

    wolfssl_suite="RSA"
    if [ "$wolf_tls_psk" != "" ]
    then
        psk="-j"
    fi
echo "cert_file=$cert_file"
    start_wolfssl_server
    psk=
    wolfssl_port=$server_port
    # shellcheck disable=SC2034
    wolfssl_pid=$server_pid
fi

# If ECDH-RSA cipher suites supported in wolfSSL then start servers
if [ "$wolf_ecdh_rsa" != "" ]
then
    cert_file="${CERT_DIR}/server-ecc-rsa.pem"
    key_file="${CERT_DIR}/ecc-key.pem"
    ca_file="${CERT_DIR}/client-ca.pem"

    openssl_suite="ECDH-RSA"
    start_openssl_server
    ecdh_openssl_port=$server_port
    # shellcheck disable=SC2034
    ecdh_openssl_pid=$server_pid

    wolfssl_suite="ECDH-RSA"
    start_wolfssl_server
    ecdh_wolfssl_port=$server_port
    # shellcheck disable=SC2034
    ecdh_wolfssl_pid=$server_pid
fi

if [ "$wolf_ecdsa" != "" ] && [ "$wolf_ecc" != "" ]
then
    cert_file="${CERT_DIR}/server-ecc.pem"
    key_file="${CERT_DIR}/ecc-key.pem"
    ca_file="${CERT_DIR}/client-ecc-cert.pem"

    openssl_suite="ECDH[E]-ECDSA"
    start_openssl_server
    ecdsa_openssl_port=$server_port
    ecdsa_openssl_pid=$server_pid

    wolfssl_suite="ECDH[E]-ECDSA"
    start_wolfssl_server
    ecdsa_wolfssl_port=$server_port
    # shellcheck disable=SC2034
    ecdsa_wolfssl_pid=$server_pid
fi

# If Ed25519 certificates supported in wolfSSL then start servers
if [ "$wolf_ed25519" != "" ];
then
    cert_file="${CERT_DIR}/ed25519/server-ed25519.pem"
    key_file="${CERT_DIR}/ed25519/server-ed25519-priv.pem"
    ca_file="${CERT_DIR}/ed25519/client-ed25519.pem"

    openssl_suite="Ed25519"
    start_openssl_server
    ed25519_openssl_port=$server_port
    ed25519_openssl_pid=$server_pid

    crl="-V"
    wolfssl_suite="Ed25519"
    start_wolfssl_server
    ed25519_wolfssl_port=$server_port
    # shellcheck disable=SC2034
    ed25519_wolfssl_pid=$server_pid
    crl=
fi

# If Ed448 certificates supported in wolfSSL then start servers
if [ "$wolf_ed448" != "" ];
then
    cert_file="${CERT_DIR}/ed448/server-ed448.pem"
    key_file="${CERT_DIR}/ed448/server-ed448-priv.pem"
    ca_file="${CERT_DIR}/ed448/client-ed448.pem"

    openssl_suite="Ed448"
    start_openssl_server
    ed448_openssl_port=$server_port
    ed448_openssl_pid=$server_pid

    crl="-V"
    wolfssl_suite="Ed448"
    start_wolfssl_server
    ed448_wolfssl_port=$server_port
    # shellcheck disable=SC2034
    ed448_wolfssl_pid=$server_pid
    crl=
fi

if [ "$wolf_tls13" != "" ] && [ "$wolf_psk" != "" ]
then
    cert_file=

    psk_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    openssl_suite="TLSv1.3_PSK"
    start_openssl_server
    tls13_psk_openssl_port=$server_port
    # shellcheck disable=SC2034
    tls13_psk_openssl_pid=$server_pid

    psk="-s --openssl-psk"
    wolfssl_suite="TLSv1.3_PSK"
    start_wolfssl_server
    tls13_psk_wolfssl_port=$server_port
    # shellcheck disable=SC2034
    tls13_psk_wolfssl_pid=$server_pid
fi
if [ "$wolf_anon" != "" ] && [ "$openssl_anon" ]
then
    cert_file=""
    key_file=""
    ca_file=""

    wolfssl_suite="Anon"
    psk="-a" # anonymous not psk
    start_wolfssl_server
    anon_wolfssl_port=$server_port
    # shellcheck disable=SC2034
    anon_wolfssl_pid=$server_pid
fi

for s in $servers
do
    f2=${s%:*}
    server_name=${f2%:*}
    server_port=${s##*:}
    check_server_ready
done

OIFS="$IFS" # store old separator to reset
IFS=: # set delimiter
set -f # no globbing

wolf_temp_cases_total=0
wolf_temp_cases_tested=0

# Testing of OpenSSL support for version requires a running OpenSSL server
for version in $wolf_versions;
do
    echo -e "version = $version"
    # get openssl ciphers depending on version
    # -s flag for only supported ciphers
    case $version in
    "0")
        openssl_ciphers=$($OPENSSL ciphers "SSLv3" 2>&1)

        # double check that can actually do a sslv3 connection using
        # client-cert.pem to send but any file with EOF works
        $OPENSSL s_client -ssl3 -no_ign_eof -host localhost -port "$openssl_port" < "${CERT_DIR}/client-cert.pem"
        sslv3_sup=$?
        if [ "$sslv3_sup" != 0 ]
        then
            echo -e "Not testing SSLv3. No OpenSSL support for 'SSLv3' modifier"
            testing_summary="${testing_summary}SSLv3\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n"
            continue
        fi
        openssl_version="-ssl3"
        ;;
    "1")
        proto_check=$(echo "hell" | $OPENSSL s_client -connect localhost:"$openssl_port" -tls1 2>&1)
        tlsv1_sup=$?
        if [ "$tlsv1_sup" != 0 ]
        then
            echo -e "Not testing TLSv1. No OpenSSL support for '-tls1'"
            testing_summary="${testing_summary}TLSv1\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL Support)\n"
            continue
        fi
        openssl_ciphers=$($OPENSSL ciphers -s "TLSv1" 2>&1)
        tlsv1_sup=$?
        if [ "$tlsv1_sup" != 0 ]
        then
            echo -e "Not testing TLSv1. No OpenSSL support for 'TLSv1' modifier"
            testing_summary="${testing_summary}TLSv1\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n"
            continue
        fi
        openssl_version="-tls1"
        ;;
    "2")
        # Same ciphers for TLSv1.1 as TLSv1
        # shellcheck disable=SC2034
        proto_check=$(echo "hello" | $OPENSSL s_client -connect localhost:"$openssl_port" -tls1_1 2>&1)
        tlsv1_1_sup=$?
        if [ "$tlsv1_1_sup" != 0 ]
        then
            echo -e "Not testing TLSv1.1. No OpenSSL support for 'TLSv1.1' modifier"
            testing_summary="${testing_summary}TLSv1.1\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n"
            continue
        fi
        openssl_ciphers=$($OPENSSL ciphers -s "TLSv1" 2>&1)
        tlsv1_sup=$?
        if [ "$tlsv1_sup" != 0 ]
        then
            echo -e "Not testing TLSv1. No OpenSSL support for 'TLSv1' modifier"
            testing_summary="${testing_summary}TLSv1\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n"
            continue
        fi
        openssl_version="-tls1_1"
        ;;
    "3")
        openssl_ciphers=$($OPENSSL ciphers -s "TLSv1.2" 2>&1)
        tlsv1_2_sup=$?
        if [ "$tlsv1_2_sup" != 0 ]
        then
            echo -e "Not testing TLSv1.2. No OpenSSL support for 'TLSv1.2' modifier"
            testing_summary="${testing_summary}TLSv1.2\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n"
            continue
        fi
        openssl_version="-tls1_2"
        ;;
    "4")
        openssl_ciphers=$($OPENSSL ciphers -tls1_3 2>&1)
        tlsv1_3_sup=$?
        if [ "$tlsv1_3_sup" != 0 ]
        then
            echo -e "Not testing TLSv1.3. No OpenSSL support for 'TLSv1.3' modifier"
            testing_summary="${testing_summary}TLSv1.3\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n"
            continue
        fi
        # shellcheck disable=SC2034
        ecc_support=$($WOLFSSL_CLIENT -? 2>&1 | grep 'ECC named groups')
        openssl_version="-tls1_3"
        ;;
    "d(downgrade)")
        version="d"
        openssl_version=""
        ;;
    "e(either)")
        continue
        ;;
    "5") #test all suites
        openssl_ciphers=$($OPENSSL ciphers -s "ALL" 2>&1)
        all_sup=$?
        if [ "$all_sup" != 0 ]
        then
            echo -e "Not testing ALL. No OpenSSL support for ALL modifier"
            testing_summary="${testing_summary}ALL\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n"
            continue
        fi
        openssl_version=""
        ;;
    "")
        openssl_ciphers=$($OPENSSL ciphers 2>&1)
        all_sup=$?
        if [ "$all_sup" != 0 ]
        then
            echo -e "Not testing ALL. No OpenSSL support for ALL modifier"
            testing_summary="${testing_summary}ALL\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n"
            continue
        fi
        openssl_version=""
        ;;
    esac

    for wolfSuite in $wolf_ciphers; do
        echo -e "trying wolfSSL cipher suite $wolfSuite"
        wolf_temp_cases_total=$((wolf_temp_cases_total + 1))
        open_temp_cases_total=$((open_temp_cases_total + 1))
        matchSuite=0
        tls13_suite=
        tls13_integrity_only=

        case $wolfSuite in
        "TLS13-AES128-GCM-SHA256")
            cmpSuite="TLS_AES_128_GCM_SHA256"
            tls13_suite="yes"
            ;;
        "TLS13-AES256-GCM-SHA384")
            cmpSuite="TLS_AES_256_GCM_SHA384"
            tls13_suite="yes"
            ;;
        "TLS13-CHACHA20-POLY1305-SHA256")
            cmpSuite="TLS_CHACHA20_POLY1305_SHA256"
            tls13_suite="yes"
            ;;
        "TLS13-AES128-CCM-SHA256")
            cmpSuite="TLS_AES_128_CCM_SHA256"
            tls13_suite="yes"
            ;;
        "TLS13-AES128-CCM-8-SHA256"|"TLS13-AES128-CCM8-SHA256")
            cmpSuite="TLS_AES_128_CCM_8_SHA256"
            tls13_suite="yes"
            ;;
        "TLS13-SHA256-SHA256")
            cmpSuite="TLS_SHA256_SHA256"
            tls13_suite="yes"
            tls13_integrity_only="yes"
            # OpenSSL does not enable TLS_SHA256_SHA256 in openssl ciphers
            # output by default, but it can be specified with -ciphersuite as
            # done in do_openssl_client()
            matchSuite=1
            ;;
        "TLS13-SHA384-SHA384")
            cmpSuite="TLS_SHA384_SHA384"
            tls13_suite="yes"
            tls13_integrity_only="yes"
            # OpenSSL does not enable TLS_SHA256_SHA256 in openssl ciphers
            # output by default, but it can be specified with -ciphersuite as
            # done in do_openssl_client()
            matchSuite=1
            ;;
        "TLS13-"*)
            echo -e "Suite = $wolfSuite not recognized!"
            echo -e "Add translation of wolfSSL name to OpenSSL"
            do_cleanup
            exit 1
            ;;
        *)
            cmpSuite=$wolfSuite
            ;;
        esac

        if [ $matchSuite = 0 ]
        then
            case ":$openssl_ciphers:" in *":$cmpSuite:"*) # add extra : for edge cases
                case "$cmpSuite" in
                "TLS_"*)
                    if [ "$version" != "4" ] && [ "$version" != "d" ]
                    then
                        echo -e "TLS 1.3 cipher suite but not TLS 1.3 protocol"
                        matchSuite=0
                    else
                        echo -e "Matched to OpenSSL suite support"
                        matchSuite=1
                    fi
                    ;;
                *)
                    if [ "$version" = "d" ] && [ "$wolfdowngrade" = "4" ]
                    then
                        echo -e "Not TLS 1.3 cipher suite but TLS 1.3 downgrade"
                        matchSuite=0
                    elif [ "$version" != "4" ]
                    then
                        echo -e "Matched to OpenSSL suite support"
                        matchSuite=1
                    else
                        echo -e "Not TLS 1.3 cipher suite but TLS 1.3 protocol"
                        matchSuite=0
                    fi
                    ;;
                esac
                ;;
            esac
        fi

        if [ $matchSuite = 0 ]
        then
            echo -e "Couldn't match suite, continuing..."
            continue
        fi

        # check for psk suite and turn on client psk if so
        psk=""
        adh=""
        crl=""
        cert=""
        key=""
        caCert=""
        case $wolfSuite in
        *ECDH-RSA*)
            cert="${CERT_DIR}/client-cert.pem"
            key="${CERT_DIR}/client-key.pem"
            caCert="${CERT_DIR}/ca-cert.pem"
            port=$ecdh_openssl_port
            do_wolfssl_client
            port=$ecdh_wolfssl_port
            do_openssl_client
            ;;
        *ECDHE-ECDSA*|*ECDH-ECDSA*)
            if [ "$wolf_ecc" != "" ]
            then
                cert="${CERT_DIR}/client-ecc-cert.pem"
                key="${CERT_DIR}/ecc-client-key.pem"
                caCert="${CERT_DIR}/ca-ecc-cert.pem"

                port=$ecdsa_openssl_port
                do_wolfssl_client
                port=$ecdsa_wolfssl_port
                do_openssl_client
            else
                wolf_temp_cases_total=$((wolf_temp_cases_total - 1))
            fi
            if [ "$ed25519_openssl_pid" != "$no_pid" ] && [ "$version" != "0" ] && [ "$version" != "1" ] && [ "$version" != "2" ]
            then
                cert="${CERT_DIR}/ed25519/client-ed25519.pem"
                key="${CERT_DIR}/ed25519/client-ed25519-priv.pem"
                caCert="${CERT_DIR}/ed25519/server-ed25519.pem"

                wolf_temp_cases_total=$((wolf_temp_cases_total + 1))
                port=$ed25519_openssl_port
                crl="-C"
                do_wolfssl_client
                open_temp_cases_total=$((open_temp_cases_total + 1))
                port=$ed25519_wolfssl_port
                do_openssl_client
            fi
            if [ "$ed448_openssl_pid" != "$no_pid" ] && [ "$version" != "0" ] && [ "$version" != "1" ] && [ "$version" != "2" ]
            then
                cert="${CERT_DIR}/ed448/client-ed448.pem"
                key="${CERT_DIR}/ed448/client-ed448-priv.pem"
                caCert="${CERT_DIR}/ed448/server-ed448.pem"

                wolf_temp_cases_total=$((wolf_temp_cases_total + 1))
                port=$ed448_openssl_port
                crl="-C"
                do_wolfssl_client
                open_temp_cases_total=$((open_temp_cases_total + 1))
                port=$ed448_wolfssl_port
                do_openssl_client
            fi
            ;;
        *DHE-PSK*)
            cert="${CERT_DIR}/client-cert.pem"
            key="${CERT_DIR}/client-key.pem"
            caCert="${CERT_DIR}/ca-cert.pem"

            port=$openssl_port
            psk="-s"
            do_wolfssl_client

            # Skip when no RSA as some versions of OpenSSL can't handle no
            # signature
            if [ "$wolf_rsa" != "" ]
            then
                port=$wolfssl_port
                openssl_psk="-psk 1a2b3c4d"
                do_openssl_client
            fi
            ;;
        *PSK*)
            cert="${CERT_DIR}/client-cert.pem"
            key="${CERT_DIR}/client-key.pem"
            caCert="${CERT_DIR}/ca-cert.pem"

            port=$openssl_port
            psk="-s"
            do_wolfssl_client
            port=$wolfssl_port
            openssl_psk="-psk 1a2b3c4d"
            do_openssl_client
            ;;
        *ADH*)
            cert="${CERT_DIR}/client-cert.pem"
            key="${CERT_DIR}/client-key.pem"
            caCert="${CERT_DIR}/ca-cert.pem"

            if [ "$version" != "0" ] && [ "$version" != "1" ] && [ "$version" != "2" ] && [ "$openssl_adh_reneg_bug" != "" ]
            then
                continue
            fi

            port=$openssl_port
            adh="-a"
            do_wolfssl_client
            port=$anon_wolfssl_port
            do_openssl_client
            ;;
        TLS13*)
            if [ "$version" != "4" ] && [ "$version" != "d" ] && [ "$version" != " " ] && [ "$version" != "5" ]
            then
                continue
            fi
            tls13_cipher=yes
            # Integrity-only cipher suites (NULL encryption)
            if [ "$tls13_integrity_only" = "yes" ]
            then
                # Only run integrity-only tests with TLS 1.3 (version 4)
                if [ "$version" != "4" ]
                then
                    tls13_cipher=
                    tls13_integrity_only=
                    continue
                fi

                # Integrity-only cipher suites require OpenSSL 3.4 or later
                if $OPENSSL version | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -1 | \
                    awk -F. '{if ($1 > 3 || ($1 == 3 && $2 >= 4)) exit 1; else exit 0;}'; then
                    echo -e "OpenSSL version too old for integrity-only ciphers, skipping"
                    tls13_cipher=
                    tls13_integrity_only=
                    continue
                fi

                # Test with RSA certs if available
                if [ "$openssl_pid" != "$no_pid" ] && [ "$wolf_rsa" != "" ]
                then
                    cert="${CERT_DIR}/client-cert.pem"
                    key="${CERT_DIR}/client-key.pem"
                    caCert="${CERT_DIR}/ca-cert.pem"

                    # Start a dedicated OpenSSL server for integrity-only tests
                    generate_port
                    integrity_openssl_port=$port
                    $OPENSSL s_server -accept "$integrity_openssl_port" -cert "${CERT_DIR}/server-cert.pem" -key "${CERT_DIR}/server-key.pem" -quiet -CAfile "${CERT_DIR}/client-cert.pem" -www -cipher "ALL:eNULL:@SECLEVEL=0" -ciphersuites "$cmpSuite" -verify 10 -verify_return_error &
                    integrity_openssl_pid=$!
                    sleep 0.1

                    port=$integrity_openssl_port
                    do_wolfssl_client

                    # Kill the dedicated server
                    kill "$integrity_openssl_pid" 2>/dev/null

                    port=$wolfssl_port
                    do_openssl_client
                fi
                # Test with ECC certs if available
                if [ "$ecdsa_openssl_pid" != "$no_pid" ] && [ "$wolf_ecc" != "" ]
                then
                    cert="${CERT_DIR}/client-ecc-cert.pem"
                    key="${CERT_DIR}/ecc-client-key.pem"
                    caCert="${CERT_DIR}/ca-ecc-cert.pem"

                    # Start a dedicated OpenSSL server for integrity-only tests (ECC)
                    generate_port
                    integrity_openssl_port=$port
                    $OPENSSL s_server -accept "$integrity_openssl_port" -cert "${CERT_DIR}/server-ecc.pem" -key "${CERT_DIR}/ecc-key.pem" -quiet -CAfile "${CERT_DIR}/client-ecc-cert.pem" -www -cipher "ALL:eNULL:@SECLEVEL=0" -ciphersuites "$cmpSuite" -verify 10 -verify_return_error &
                    integrity_openssl_pid=$!
                    sleep 0.1

                    wolf_temp_cases_total=$((wolf_temp_cases_total + 1))
                    port=$integrity_openssl_port
                    do_wolfssl_client

                    # Kill the dedicated server
                    kill "$integrity_openssl_pid" 2>/dev/null

                    open_temp_cases_total=$((open_temp_cases_total + 1))
                    port=$ecdsa_wolfssl_port
                    do_openssl_client
                fi
                tls13_cipher=
                tls13_integrity_only=
                continue
            fi
            # RSA
            if [ "$openssl_pid" != "$no_pid" ] && [ "$ecdhe_avail" = "yes" ]
            then
                cert="${CERT_DIR}/client-cert.pem"
                key="${CERT_DIR}/client-key.pem"
                caCert="${CERT_DIR}/ca-cert.pem"

                port=$openssl_port
                do_wolfssl_client
                port=$wolfssl_port
                do_openssl_client
            fi
            # PSK
            if [ "$wolf_psk" != "" ] && [ "$wolfSuite" = "TLS13-AES128-GCM-SHA256" ] && [ "$wolf_ecc" != "" ] && [ "$openssl_nodhe" != "" ]
            then
                cert=""
                key=""
                caCert=""

                wolf_temp_cases_total=$((wolf_temp_cases_total + 1))
                port=$tls13_psk_openssl_port
                psk="-s --openssl-psk"
                # OpenSSL doesn't support DH for key exchange so do no PSK
                # DHE when ECC not supported
                if [ "$wolf_ecc" = "" ]
                then
                    adh="-K"
                fi
                do_wolfssl_client
                psk=""
                adh=""
                openssl_psk="-psk 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
                open_temp_cases_total=$((open_temp_cases_total + 1))
                port=$wolfssl_port
                do_openssl_client
                open_temp_cases_total=$((open_temp_cases_total + 1))
                port=$tls13_psk_wolfssl_port
                do_openssl_client
                openssl_psk=""
            fi
            # ECDSA
            if [ "$ecdsa_openssl_pid" != "$no_pid" ] && [ "$wolf_ecc" != "" ]
            then
                cert="${CERT_DIR}/client-ecc-cert.pem"
                key="${CERT_DIR}/ecc-client-key.pem"
                caCert="${CERT_DIR}/ca-ecc-cert.pem"

                wolf_temp_cases_total=$((wolf_temp_cases_total + 1))
                port=$ecdsa_openssl_port
                caCert="${CERT_DIR}/ca-ecc-cert.pem"
                do_wolfssl_client
                open_temp_cases_total=$((open_temp_cases_total + 1))
                port=$ecdsa_wolfssl_port
                caCert="${CERT_DIR}/ca-ecc-cert.pem"
                do_openssl_client
            fi
            # Ed25519
            if [ $ed25519_openssl_pid != $no_pid ]
            then
                cert="${CERT_DIR}/ed25519/client-ed25519.pem"
                key="${CERT_DIR}/ed25519/client-ed25519-priv.pem"
                caCert="${CERT_DIR}/ed25519/server-ed25519.pem"

                wolf_temp_cases_total=$((wolf_temp_cases_total + 1))
                port=$ed25519_openssl_port
                crl="-C"
                do_wolfssl_client
                open_temp_cases_total=$((open_temp_cases_total + 1))
                port=$ed25519_wolfssl_port
                do_openssl_client
            fi
            # Ed448
            if [ $ed448_openssl_pid != $no_pid ]
            then
                cert="${CERT_DIR}/ed448/client-ed448.pem"
                key="${CERT_DIR}/ed448/client-ed448-priv.pem"
                caCert="${CERT_DIR}/ed448/server-ed448.pem"

                wolf_temp_cases_total=$((wolf_temp_cases_total + 1))
                port=$ed448_openssl_port
                crl="-C"
                do_wolfssl_client
                open_temp_cases_total=$((open_temp_cases_total + 1))
                port=$ed448_wolfssl_port
                do_openssl_client
            fi
            tls13_cipher=
            ;;
        *)
            cert="${CERT_DIR}/client-cert.pem"
            key="${CERT_DIR}/client-key.pem"
            caCert="${CERT_DIR}/ca-cert.pem"

            port=$openssl_port
            do_wolfssl_client
            port=$wolfssl_port
            do_openssl_client
            ;;
        esac
    done
    wolf_cases_tested=$((wolf_temp_cases_tested+wolf_cases_tested))
    wolf_cases_total=$((wolf_temp_cases_total+wolf_cases_total))
    echo -e "wolfSSL cases tested with version:$version  $wolf_temp_cases_tested"
    open_cases_tested=$((open_temp_cases_tested+open_cases_tested))
    open_cases_total=$((open_temp_cases_total+open_cases_total))
    echo -e "OpenSSL cases tested with version:$version  $open_temp_cases_tested"
    version_name
    testing_summary="$testing_summary$versionName\tYes\t$wolf_temp_cases_total\t$wolf_temp_cases_tested\t$open_temp_cases_total\t$open_temp_cases_tested\n"
    wolf_temp_cases_total=0
    wolf_temp_cases_tested=0
    open_temp_cases_total=0
    open_temp_cases_tested=0
    wolfdowngrade="$version"
done
IFS="$OIFS" #restore separator

# Skip RSA-PSS interop test when RSA-PSS is not supported
if [ "$wolf_rsapss" != "" ] && [ "$ecdhe_avail" = "yes" ] && [ "$wolf_rsa" = "yes" ]
then
    # Test for RSA-PSS certs interop
    # Was running into alert sent by openssl server with version 1.1.1 released
    # in Sep 2018. To avoid this issue check that openssl version 3.0.0 or later
    # is used.

    $OPENSSL version | awk '{print $2}' | \
        awk -F. '{if ($1 >= 3) exit 1; else exit 0;}'
    RESULT=$?
    if [ "$RESULT" = "0" ]; then
        echo -e "Old version of openssl detected, skipping interop RSA-PSS test"
    else
        echo -e "Doing interop RSA-PSS test"

        key_file=${CERT_DIR}/rsapss/server-rsapss-priv.pem
        cert_file=${CERT_DIR}/rsapss/server-rsapss.pem
        ca_file=${CERT_DIR}/client-cert.pem
        openssl_suite="RSAPSS"
        start_openssl_server

        cert="${CERT_DIR}/client-cert.pem"
        key="${CERT_DIR}/client-key.pem"
        caCert="${CERT_DIR}/rsapss/ca-rsapss.pem"
        crl="-C"
        wolfSuite="ALL"
        wolfssl_no_resume="yes"
        port=$server_port

        if [ "$wolf_tls13" != "" ]
        then
            version="4"
            do_wolfssl_client
        fi

        if [ "$wolf_tls" != "" ]
        then
            version="3"
            do_wolfssl_client
        fi
    fi
fi
do_cleanup

echo -e "wolfSSL total cases   $wolf_cases_total"
echo -e "wolfSSL cases tested  $wolf_cases_tested"
echo -e "OpenSSL total cases   $open_cases_total"
echo -e "OpenSSL cases tested  $open_cases_tested"
echo -e "\nSuccess!\n\n\n\n"
echo -e "$testing_summary"
exit 0