wolfssl-sys 4.0.0

System bindings for WolfSSL
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358

#!/usr/bin/env bash

# tls13.test
# Copyright wolfSSL 2016-2021

# if we can, isolate the network namespace to eliminate port collisions.
if [[ -n "$NETWORK_UNSHARE_HELPER" ]]; then
     if [[ -z "$NETWORK_UNSHARE_HELPER_CALLED" ]]; then
         export NETWORK_UNSHARE_HELPER_CALLED=yes
         exec "$NETWORK_UNSHARE_HELPER" "$0" "$@" || exit $?
     fi
elif [ "${AM_BWRAPPED-}" != "yes" ]; then
    bwrap_path="$(command -v bwrap)"
    if [ -n "$bwrap_path" ]; then
        export AM_BWRAPPED=yes
        exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
    fi
    unset AM_BWRAPPED
fi

# retries to mitigate race on early data:
early_data_try_max=10

# getting unique port is modeled after resume.test script
# need a unique port since may run the same time as testsuite
# use server port zero hack to get one
port=0
no_pid=-1
server_pid=$no_pid
counter=0
# let's use absolute path to a local dir (make distcheck may be in sub dir)
# also let's add some randomness by adding pid in case multiple 'make check's
# per source tree
ready_file="$(pwd)/wolfssl_tls13_ready$$"
client_file="$(pwd)/wolfssl_tls13_client$$"
# Server output
server_out_file="$(pwd)/wolfssl_tls13_server_out$$"
# Client output
client_out_file="$(pwd)/wolfssl_tls13_client_out$$"

echo "ready file \"$ready_file\""

create_port() {
    while [ ! -s "$ready_file" ]; do
        if [ "$counter" -gt 50 ]; then
            break
        fi
        echo -e "waiting for ready file..."
        sleep 0.1
        counter=$((counter+ 1))
    done

    if [ -e "$ready_file" ]; then
        echo -e "found ready file, starting client..."

        # sleep for an additional 0.1 to mitigate race on write/read of $ready_file:
        sleep 0.1

        # get created port 0 ephemeral port
        port="$(cat "$ready_file")"
    else
        echo -e "NO ready file ending test..."
        do_cleanup
    fi
}

remove_ready_file() {
    if [ -e "$ready_file" ]; then
        echo -e "removing existing ready file"
        rm "$ready_file"
    fi
}

do_cleanup() {
    echo "in cleanup"

    if  [ $server_pid != $no_pid ]
    then
        echo "killing server"
        kill -9 $server_pid 2>/dev/null
        server_pid=$no_pid
    fi
    remove_ready_file
    if [ -e "$client_file" ]; then
        echo -e "removing existing client file"
        rm "$client_file"
    fi
    if [ -e "$server_out_file" ]; then
        echo -e "removing existing server output file"
        rm "$server_out_file"
    fi
    if [ -e "$client_out_file" ]; then
        echo -e "removing existing client output file"
        rm "$client_out_file"
    fi
}

do_trap() {
    echo "got trap"
    do_cleanup
    exit 1
}

trap do_trap INT TERM

[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
./examples/client/client '-?' 2>&1 | grep -- 'Client not compiled in!'
if [ $? -eq 0 ]; then
    exit 0
fi
./examples/server/server '-?' 2>&1 | grep -- 'Server not compiled in!'
if [ $? -eq 0 ]; then
    exit 0
fi

# Usual TLS v1.3 server / TLS v1.3 client.
echo -e "\n\nTLS v1.3 server with TLS v1.3 client"
port=0
./examples/server/server -v 4 -R "$ready_file" -p $port &
server_pid=$!
create_port
./examples/client/client -v 4 -p $port | tee "$client_file"
RESULT=$?
remove_ready_file
if [ $RESULT -ne 0 ]; then
    echo -e "\n\nTLS v1.3 not enabled"
    do_cleanup
    exit 1
fi
echo ""

# TLS 1.3 cipher suites server / client.
echo -e "\n\nTLS v1.3 cipher suite mismatch"
port=0
./examples/server/server -v 4 -R "$ready_file" -p $port -l TLS13-AES128-GCM-SHA256 &
server_pid=$!
create_port
./examples/client/client -v 4 -p $port -l TLS13-AES256-GCM-SHA384
RESULT=$?
remove_ready_file
if [ $RESULT -eq 0 ]; then
    echo -e "\n\nIssue with mismatched TLS v1.3 cipher suites"
    do_cleanup
    exit 1
fi
do_cleanup
echo ""

grep -F -e 'NO_CERTS' ./wolfssl/options.h
NO_CERTS=$?
grep -F -e 'WOLFSSL_NO_CLIENT_AUTH' ./wolfssl/options.h
NO_CLIENT_AUTH=$?
if [ $NO_CERTS -ne 0 -a $NO_CLIENT_AUTH -ne 0 ]; then
    # TLS 1.3 mutual auth required but client doesn't send certificates.
    echo -e "\n\nTLS v1.3 mutual auth fail"
    port=0
    ./examples/server/server -v 4 -F -R "$ready_file" -p $port &
    server_pid=$!
    create_port
    ./examples/client/client -v 4 -x -p $port
    RESULT=$?
    remove_ready_file
    if [ $RESULT -eq 0 ]; then
        echo -e "\n\nIssue with requiring mutual authentication"
        do_cleanup
        exit 1
    fi
    do_cleanup
    echo ""
fi

# Check for TLS 1.2 support
./examples/client/client -v 3 2>&1 | grep -F -e 'Bad SSL version'
if [ $? -ne 0 ]; then
    # TLS 1.3 server / TLS 1.2 client.
    echo -e "\n\nTLS v1.3 server downgrading to TLS v1.2"
    port=0
    ./examples/server/server -v 4 -R "$ready_file" -p $port &
    server_pid=$!
    create_port
    ./examples/client/client -v 3 -p $port
    RESULT=$?
    remove_ready_file
    if [ $RESULT -eq 0 ]; then
        echo -e "\n\nIssue with TLS v1.3 server downgrading to TLS v1.2"
        do_cleanup
        exit 1
    fi
    do_cleanup
    echo ""

    # TLS 1.2 server / TLS 1.3 client.
    echo -e "\n\nTLS v1.3 client upgrading server to TLS v1.3"
    port=0
    ./examples/server/server -v 3 -R "$ready_file" -p $port &
    server_pid=$!
    create_port
    ./examples/client/client -v 4 -p $port
    RESULT=$?
    remove_ready_file
    if [ $RESULT -eq 0 ]; then
        echo -e "\n\nIssue with TLS v1.3 client upgrading server to TLS v1.3"
        do_cleanup
        exit 1
    fi
    do_cleanup
    echo ""

    echo "Find usable TLS 1.2 cipher suite"
    for CS in ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256
    do
        echo $CS
        ./examples/client/client -e | grep -F -e "$CS" >/dev/null
        if [ "$?" = "0" ]; then
            TLS12_CS=$CS
            break
        fi
        do_cleanup
    done
    if [ "$TLS12_CS" != "" ]; then
        # TLS 1.3 downgrade server and client - no common TLS 1.3 ciphers
        echo -e "\n\nTLS v1.3 downgrade server and client - no common TLS 1.3 ciphers"
        port=0
        SERVER_CS="TLS13-AES256-GCM-SHA384:$TLS12_CS"
        CLIENT_CS="TLS13-AES128-GCM-SHA256:$TLS12_CS"
        ./examples/server/server -v d -l $SERVER_CS -R "$ready_file" -p $port &
        server_pid=$!
        create_port
        ./examples/client/client -v d -l $CLIENT_CS -p $port
        RESULT=$?
        remove_ready_file
        if [ $RESULT -eq 0 ]; then
            echo -e "\n\nTLS v1.3 downgrading to TLS v1.2 due to ciphers"
            do_cleanup
            exit 1
        fi
        do_cleanup
        echo ""
    else
        echo "No usable TLS 1.2 cipher suite found"
    fi
fi

# Check for EarlyData support
./examples/client/client -? 2>&1 | grep -F -e 'Early data'
if [ $? -eq 0 ]; then
    early_data=yes
fi
./examples/client/client -? 2>&1 | grep -F -e 'Shared keys'
if [ $? -eq 0 ]; then
    psk=yes
fi

if [ "$early_data" = "yes" ]; then

    early_data_try_num=1
    while :; do

        echo -e "\n\nTLS v1.3 Early Data - session ticket"
        port=0
        (./examples/server/server -v 4 -r -0 -R "$ready_file" -p $port 2>&1 | \
             tee "$server_out_file") &
        server_pid=$!
        create_port
        ./examples/client/client -v 4 -r -0 -p $port >"$client_out_file" 2>&1
        RESULT=$?
        cat "$client_out_file"
        remove_ready_file
        grep -F -e 'Session Ticket' "$client_out_file"
        session_ticket=$?

        # wait for the server to quit and write output
        wait $server_pid

        ed_srv_msg_cnt="$(grep -c -F -e 'Early Data Client message' "$server_out_file")"
        ed_srv_status_cnt="$(grep -c -F -e 'Early Data was' "$server_out_file")"

        echo "earlydata: session_ticket=${session_ticket} ed_srv_msg_cnt=${ed_srv_msg_cnt} ed_srv_status_cnt=${ed_srv_status_cnt}"

        if [ $session_ticket -eq 0 -a $ed_srv_msg_cnt -ne 2 \
                             -a $ed_srv_status_cnt -ne 2 ]; then
            RESULT=1
        fi
        if [ $RESULT -ne 0 ]; then
            echo -e "\n\nIssue with TLS v1.3 Early Data - session ticket"
            if [ $early_data_try_num -lt $early_data_try_max ]; then
                echo -e "retry #${early_data_try_num}...\n"
                : $((++early_data_try_num))
                continue
            fi
            do_cleanup
            exit 1
        fi
        do_cleanup
        break

    done

    echo ""
fi

if [ "$early_data" = "yes" -a "$psk" = "yes" ]; then
    echo -e "\n\nTLS v1.3 Early Data - PSK"
    port=0

    early_data_try_num=1
    while :; do

        (./examples/server/server -v 4 -s -0 -R "$ready_file" -p $port 2>&1 | \
             tee "$server_out_file") &
        server_pid=$!
        create_port
        ./examples/client/client -v 4 -s -0 -p $port
        RESULT=$?
        remove_ready_file

        # wait for the server to quit and write output
        wait $server_pid

        ed_srv_msg_cnt="$(grep -c -F -e 'Early Data Client message' "$server_out_file")"
        ed_srv_status_cnt="$(grep -c -F -e 'Early Data was' "$server_out_file")"

        echo "PSK earlydata: ed_srv_msg_cnt=${ed_srv_msg_cnt} ed_srv_status_cnt=${ed_srv_status_cnt}"

        if [ $ed_srv_msg_cnt -ne 2 -a $ed_srv_status_cnt -ne 1 ]; then
            echo
            echo "Server out file"
            cat "$server_out_file"
            echo
            echo "Found lines"
            grep -F -e 'Early Data' "$server_out_file"
            echo -e "\n\nUnexpected 'Early Data' lines."
            RESULT=1
        fi
        if [ $RESULT -ne 0 ]; then
            echo -e "\n\nIssue with TLS v1.3 Early Data - PSK"
            if [ $early_data_try_num -lt $early_data_try_max ]; then
                echo -e "retry #${early_data_try_num}...\n"
                : $((++early_data_try_num))
                continue
            fi
            do_cleanup
            exit 1
        fi

        break

    done

else
    echo "Early Data not available"
fi

do_cleanup

echo -e "\nALL Tests Passed"

exit 0