RTOS/SDK_STM32F302x
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

[修改] 增加freeRTOS

Browse Source 
1. 版本FreeRTOSv202212.01,命名为kernel;
This commit is contained in:
gaoyang3513
2023-05-06 16:43:01 +00:00
commit a345df017b
20944 changed files with 11094377 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

115
kernel/FreeRTOS-Plus/ThirdParty/wolfSSL/scripts/benchmark.test vendored Executable file
View File

@ -0,0 +1,115 @@
#!/bin/sh
#benchmark.test
if [ "$#" -lt 2 ]; then
echo "Usage: $0 [mode] [num] [clientargs] [serverargs]" >&2
echo " [mode]: 1=Connection Rate (TPS), 2=Throughput Bytes" >&2
echo " [num]: Mode 1=Connection Count, Mode 2=Bytes to TX/RX" >&2
echo " [clientargs]: Passed to client (see \"./example/client/client -?\" for help)" >&2
echo " Example: Use different cipher suite: \"-l DHE-RSA-AES256-SHA\"" >&2
echo " [serverargs]: Passed to server (see \"./example/server/server -?\" for help)" >&2
echo " Example: Disable client certificate check: \"-d\"" >&2
echo "Note: If additional client or server args contains spaces wrap with double quotes" >&2
exit 1
fi
# Use unique benchmark port so it won't conflict with any other tests
bench_port=11113
no_pid=-1
server_pid=$no_pid
counter=0
client_result=-1
remove_ready_file() {
if test -e /tmp/wolfssl_server_ready; then
echo "removing existing server_ready file"
rm /tmp/wolfssl_server_ready
fi
}
do_cleanup() {
echo "in cleanup"
if [ $server_pid != $no_pid ]
then
echo "killing server"
kill -9 $server_pid
fi
remove_ready_file
}
do_trap() {
echo "got trap"
do_cleanup
exit -1
}
trap do_trap INT TERM
# Start server in loop continuous mode (-L) with echo data (-e) enabled and non-blocking (-N)
echo "\nStarting example server for benchmark test"
remove_ready_file
# benchmark connections
if [ $1 -eq 1 ]
then
# start server in loop mode with port
./examples/server/server -i -p $bench_port $4 &
server_pid=$!
fi
# benchmark throughput
if [ $1 -eq 2 ]
then
# start server in loop mode, non-blocking, benchmark throughput with port
./examples/server/server -i -N -B $2 -p $bench_port $4 &
server_pid=$!
fi
echo "Waiting for server_ready file..."
while [ ! -s /tmp/wolfssl_server_ready -a "$counter" -lt 20 ]; do
sleep 0.1
counter=$((counter+ 1))
done
# benchmark connections
if [ $1 -eq 1 ]
then
echo "Starting example client to benchmark connection average time"
# start client to benchmark average time for each connection using port
./examples/client/client -b $2 -p $bench_port $3
client_result=$?
fi
# benchmark throughput
if [ $1 -eq 2 ]
then
echo "Starting example client to benchmark throughput"
# start client in non-blocking mode, benchmark throughput using port
./examples/client/client -N -B $2 -p $bench_port $3
client_result=$?
fi
if [ $client_result != 0 ]
then
echo "Client failed!"
do_cleanup
exit 1
fi
# End server
kill -6 $server_pid
server_result=$?
remove_ready_file
if [ $server_result != 0 ]
then
echo "Server failed!"
exit 1
fi
echo "\nSuccess!\n"
exit 0

15
kernel/FreeRTOS-Plus/ThirdParty/wolfSSL/scripts/cleanup_testfiles.sh vendored Executable file
View File

@ -0,0 +1,15 @@
#!/bin/sh
# Script to cleanup test files
# This is helpful if running ./tests/unit.test as sudo,
# which creates these files with sudoer permissions and
# will cause issues on subsequent tests without sudo
rm -f ./tests/bio_write_test.txt
rm -f ./test-write-dhparams.pem
rm -f ./certeccrsa.pem
rm -f ./certeccrsa.der
rm -f ./ecc-key.der
rm -f ./ecc-key.pem
rm -f ./ecc-public-key.der
rm -f ./tests/test-log-dump-to-file.txt

118
kernel/FreeRTOS-Plus/ThirdParty/wolfSSL/scripts/crl-revoked.test vendored Executable file
View File

@ -0,0 +1,118 @@
#!/bin/sh
#crl.test
revocation_code="-361"
exit_code=1
counter=0
# need a unique resume port since may run the same time as testsuite
# use server port zero hack to get one
crl_port=0
#no_pid tells us process was never started if -1
no_pid=-1
#server_pid captured on startup, stores the id of the server process
server_pid=$no_pid
# let's use absolute path to a local dir (make distcheck may be in sub dir)
# also let's add some randomness by adding pid in case multiple 'make check's
# per source tree
ready_file=`pwd`/wolfssl_crl_ready$$
remove_ready_file() {
if test -e $ready_file; then
echo -e "removing existing ready file"
rm $ready_file
fi
}
# trap this function so if user aborts with ^C or other kill signal we still
# get an exit that will in turn clean up the file system
abort_trap() {
echo "script aborted"
if [ $server_pid != $no_pid ]
then
echo "killing server"
kill -9 $server_pid
fi
exit_code=2 #different exit code in case of user interrupt
echo "got abort signal, exiting with $exit_code"
exit $exit_code
}
trap abort_trap INT TERM
# trap this function so that if we exit on an error the file system will still
# be restored and the other tests may still pass. Never call this function
# instead use "exit <some value>" and this function will run automatically
restore_file_system() {
remove_ready_file
}
trap restore_file_system EXIT
run_test() {
echo -e "\nStarting example server for crl test...\n"
remove_ready_file
# starts the server on crl_port, -R generates ready file to be used as a
# mutex lock, -c loads the revoked certificate. We capture the processid
# into the variable server_pid
./examples/server/server -R $ready_file -p $crl_port \
-c certs/server-revoked-cert.pem -k certs/server-revoked-key.pem &
server_pid=$!
while [ ! -s $ready_file -a "$counter" -lt 20 ]; do
echo -e "waiting for ready file..."
sleep 0.1
counter=$((counter+ 1))
done
if test -e $ready_file; then
echo -e "found ready file, starting client..."
else
echo -e "NO ready file ending test..."
exit 1
fi
# get created port 0 ephemeral port
crl_port=`cat $ready_file`
# starts client on crl_port and captures the output from client
capture_out=$(./examples/client/client -p $crl_port 2>&1)
client_result=$?
wait $server_pid
server_result=$?
case "$capture_out" in
*$revocation_code*)
# only exit with zero on detection of the expected error code
echo ""
echo "Successful Revocation!!!!"
echo ""
exit_code=0
echo "exiting with $exit_code"
exit $exit_code
;;
*)
echo ""
echo "Certificate was not revoked saw this instead: $capture_out"
echo ""
echo "configure with --enable-crl and run this script again"
echo ""
esac
}
######### begin program #########
# run the test
run_test
# If we get to this exit, exit_code will be a 1 signaling failure
echo "exiting with $exit_code certificate was not revoked"
exit $exit_code
########## end program ##########

71
kernel/FreeRTOS-Plus/ThirdParty/wolfSSL/scripts/dertoc.pl vendored Executable file
View File

@ -0,0 +1,71 @@
#!/usr/bin/perl
# dertoc.pl
# version 1.0
# Updated 07/31/2018
#
# Copyright (C) 2006-2018 wolfSSL Inc.
#
use strict;
use warnings;
my $num_args = $#ARGV + 1;
if ($num_args != 3 ) {
print "usage: ./scripts/dertoc.pl ./certs/server-cert.der server_cert_der_2048 dertoc.c\n";
exit;
}
my $inFile = $ARGV[0];
my $outName = $ARGV[1];
my $outputFile = $ARGV[2];
# open our output file, "+>" creates and/or truncates
open OUT_FILE, "+>", $outputFile or die $!;
print OUT_FILE "/* $outputFile */\n\n";
print OUT_FILE "static const unsigned char $outName\[] =\n";
print OUT_FILE "{\n";
file_to_hex($inFile);
print OUT_FILE "};\n";
print OUT_FILE "static const int sizeof_$outName = sizeof($outName);\n\n";
# close file
close OUT_FILE or die $!;
# print file as hex, comma-separated, as needed by C buffer
sub file_to_hex {
my $fileName = $_[0];
open my $fp, "<", $fileName or die $!;
binmode($fp);
my $fileLen = -s $fileName;
my $byte;
for (my $i = 0, my $j = 1; $i < $fileLen; $i++, $j++)
{
if ($j == 1) {
print OUT_FILE "\t";
}
read($fp, $byte, 1) or die "Error reading $fileName";
my $output = sprintf("0x%02X", ord($byte));
print OUT_FILE $output;
if ($i != ($fileLen - 1)) {
print OUT_FILE ", ";
}
if ($j == 10) {
$j = 0;
print OUT_FILE "\n";
}
}
print OUT_FILE "\n";
close($fp);
}

34
kernel/FreeRTOS-Plus/ThirdParty/wolfSSL/scripts/external.test vendored Executable file
View File

@ -0,0 +1,34 @@
#!/bin/sh
# external.test
server=www.wolfssl.com
ca=./certs/wolfssl-website-ca.pem
[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
# www.wolfssl.com isn't using RFC 8446 yet but the draft instead.
./examples/client/client -v 3 2>&1 | grep -- 'Bad SSL version'
if [ $? -ne 0 ]; then
# cloudflare seems to change CAs quickly, disabled by default
if test -n "$WOLFSSL_EXTERNAL_TEST"; then
echo "WOLFSSL_EXTERNAL_TEST set, running test..."
else
echo "WOLFSSL_EXTERNAL_TEST NOT set, won't run"
exit 0
fi
# is our desired server there?
./scripts/ping.test $server 2
RESULT=$?
[ $RESULT -ne 0 ] && exit 0
# client test against the server
./examples/client/client -X -C -h $server -p 443 -g -A $ca
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1
fi
exit 0

26
kernel/FreeRTOS-Plus/ThirdParty/wolfSSL/scripts/google.test vendored Executable file
View File

@ -0,0 +1,26 @@
#!/bin/sh
# google.test
server=www.google.com
[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
# TODO: [TLS13] Remove this when google supports final version of TLS 1.3
./examples/client/client -v 3 2>&1 | grep -- 'Bad SSL version'
if [ $? -eq 0 ]; then
echo -e "\n\nClient doesn't support TLS v1.2"
exit 0
fi
# is our desired server there?
./scripts/ping.test $server 2
RESULT=$?
[ $RESULT -ne 0 ] && exit 0
# client test against the server
./examples/client/client -X -C -h $server -p 443 -g -d
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1
exit 0

101
kernel/FreeRTOS-Plus/ThirdParty/wolfSSL/scripts/include.am vendored Normal file
View File

@ -0,0 +1,101 @@
# vim:ft=automake
# included from Top Level Makefile.am
# All paths should be given relative to the root
if BUILD_SNIFFTEST
dist_noinst_SCRIPTS+= scripts/sniffer-testsuite.test
endif
if BUILD_EXAMPLE_SERVERS
dist_noinst_SCRIPTS+= scripts/resume.test
EXTRA_DIST+= scripts/benchmark.test
EXTRA_DIST+= scripts/memtest.sh
# The CRL and OCSP tests use RSA certificates.
if BUILD_RSA
if BUILD_CRL
# make revoked test rely on completion of resume test
dist_noinst_SCRIPTS+= scripts/crl-revoked.test
scripts/crl-revoked.log: scripts/resume.log
endif
if BUILD_OCSP_STAPLING
dist_noinst_SCRIPTS+= scripts/ocsp-stapling.test
scripts/ocsp-stapling.log: tests/unit.log
scripts/ocsp-stapling.log: scripts/ocsp.log
dist_noinst_SCRIPTS+= scripts/ocsp-stapling-with-ca-as-responder.test
scripts/ocsp-stapling-with-ca-as-responder.log: tests/unit.log
scripts/ocsp-stapling-with-ca-as-responder.log: scripts/ocsp.log
scripts/ocsp-stapling-with-ca-as-responder.log: scripts/ocsp-stapling.log
endif
if BUILD_OCSP_STAPLING_V2
dist_noinst_SCRIPTS+= scripts/ocsp-stapling2.test
if BUILD_OCSP_STAPLING
scripts/ocsp-stapling2.log: tests/unit.log
scripts/ocsp-stapling2.log: scripts/ocsp.log
scripts/ocsp-stapling2.log: scripts/ocsp-stapling.log
scripts/ocsp-stapling2.log: scripts/ocsp-stapling-with-ca-as-responder.log
else
scripts/ocsp-stapling2.log: tests/unit.log
scripts/ocsp-stapling2.log: scripts/ocsp.log
endif
endif
endif
if BUILD_PSK
dist_noinst_SCRIPTS+= scripts/psk.test
endif
if BUILD_TRUST_PEER_CERT
dist_noinst_SCRIPTS+= scripts/trusted_peer.test
endif
if BUILD_PKCALLBACKS
dist_noinst_SCRIPTS+= scripts/pkcallbacks.test
scripts/pkcallbacks.log: scripts/resume.log
endif
if BUILD_TLS13
dist_noinst_SCRIPTS+= scripts/tls13.test
endif
endif # end of BUILD_EXAMPLE_SERVERS
if BUILD_EXAMPLE_CLIENTS
if !BUILD_IPV6
dist_noinst_SCRIPTS+= scripts/external.test
dist_noinst_SCRIPTS+= scripts/google.test
dist_noinst_SCRIPTS+= scripts/openssl.test
if BUILD_OCSP
dist_noinst_SCRIPTS+= scripts/ocsp.test
endif
endif
endif
EXTRA_DIST += scripts/testsuite.pcap \
scripts/sniffer-ipv6.pcap \
scripts/sniffer-tls13-dh.pcap \
scripts/sniffer-tls13-ecc.pcap \
scripts/sniffer-tls13-gen.sh \
scripts/ping.test
# leave openssl.test as extra until non bash works
EXTRA_DIST += scripts/openssl.test
EXTRA_DIST += scripts/dertoc.pl
# for use with wolfssl-x.x.x-commercial-fips-stm32l4-v2
EXTRA_DIST += scripts/stm32l4-v4_0_1_build.sh
EXTRA_DIST += scripts/cleanup_testfiles.sh

24
kernel/FreeRTOS-Plus/ThirdParty/wolfSSL/scripts/memtest.sh vendored Executable file
View File

@ -0,0 +1,24 @@
#!/bin/bash
# Run this script from the wolfSSL root as `./scripts/memtest.sh`.
./autogen.sh
./configure --enable-debug --disable-shared --enable-memtest \
--enable-opensslextra --enable-des3 --enable-dh --enable-ecc --enable-aesgcm --enable-aesccm --enable-hc128 \
--enable-sniffer --enable-psk --enable-rabbit --enable-camellia --enable-sha512 --enable-crl --enable-ocsp --enable-savesession \
--enable-savecert --enable-atomicuser --enable-pkcallbacks --enable-scep;
#DTLS has issue with trapping client/server failure disconnect since its stateless. Need to find way to communicate failure through file system.
#--enable-dtls
make
for i in {1..1000}
do
echo "Trying $i...\n"
./tests/unit.test > ./scripts/memtest.txt 2>&1
RESULT=$?
[ $RESULT -eq 139 ] && echo "Mem Seg Fault" && exit 1
done
echo "Loop SUCCESS"

231
kernel/FreeRTOS-Plus/ThirdParty/wolfSSL/scripts/ocsp-stapling-with-ca-as-responder.test vendored Executable file
View File

@ -0,0 +1,231 @@
#!/bin/bash
# ocsp-stapling.test
./examples/client/client -v 3 2>&1 | grep -- 'Bad SSL version'
if [ $? -eq 0 ]; then
echo "TLS 1.2 or lower required"
echo "Skipped"
exit 0
fi
WORKSPACE=`pwd`
CERT_DIR="./certs/ocsp"
resume_port=0
ready_file=`pwd`/wolf_ocsp_s1_readyF$$
ready_file2=`pwd`/wolf_ocsp_s1_readyF2$$
printf '%s\n' "ready file: $ready_file"
test_cnf="ocsp_s_w_ca_a_r.cnf"
copy_originals() {
cd $CERT_DIR
cp intermediate1-ca-cert.pem bak-intermediate1-ca-cert.pem
cp intermediate2-ca-cert.pem bak-intermediate2-ca-cert.pem
cp intermediate3-ca-cert.pem bak-intermediate3-ca-cert.pem
cp ocsp-responder-cert.pem bak-ocsp-responder-cert.pem
cp root-ca-cert.pem bak-root-ca-cert.pem
cp server1-cert.pem bak-server1-cert.pem
cp server2-cert.pem bak-server2-cert.pem
cp server3-cert.pem bak-server3-cert.pem
cp server4-cert.pem bak-server4-cert.pem
cp server5-cert.pem bak-server5-cert.pem
cd $WORKSPACE
}
restore_originals() {
cd $CERT_DIR
mv bak-intermediate1-ca-cert.pem intermediate1-ca-cert.pem
mv bak-intermediate2-ca-cert.pem intermediate2-ca-cert.pem
mv bak-intermediate3-ca-cert.pem intermediate3-ca-cert.pem
mv bak-ocsp-responder-cert.pem ocsp-responder-cert.pem
mv bak-root-ca-cert.pem root-ca-cert.pem
mv bak-server1-cert.pem server1-cert.pem
mv bak-server2-cert.pem server2-cert.pem
mv bak-server3-cert.pem server3-cert.pem
mv bak-server4-cert.pem server4-cert.pem
mv bak-server5-cert.pem server5-cert.pem
}
wait_for_readyFile(){
counter=0
while [ ! -s $1 -a "$counter" -lt 20 ]; do
echo -e "waiting for ready file..."
sleep 0.1
counter=$((counter+ 1))
done
if test -e $1; then
echo -e "found ready file, starting client..."
else
echo -e "NO ready file ending test..."
exit 1
fi
}
remove_single_rF(){
if test -e $1; then
printf '%s\n' "removing ready file: $1"
rm $1
fi
}
#create a configure file for cert generation with the port 0 solution
create_new_cnf() {
copy_originals
printf '%s\n' "Random Port Selected: $RPORTSELECTED"
printf '%s\n' "#" > $test_cnf
printf '%s\n' "# openssl configuration file for OCSP certificates" >> $test_cnf
printf '%s\n' "#" >> $test_cnf
printf '%s\n' "" >> $test_cnf
printf '%s\n' "# Extensions to add to a certificate request (intermediate1-ca)" >> $test_cnf
printf '%s\n' "[ v3_req1 ]" >> $test_cnf
printf '%s\n' "basicConstraints = CA:false" >> $test_cnf
printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf
printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:$1" >> $test_cnf
printf '%s\n' "" >> $test_cnf
printf '%s\n' "# Extensions to add to a certificate request (intermediate2-ca)" >> $test_cnf
printf '%s\n' "[ v3_req2 ]" >> $test_cnf
printf '%s\n' "basicConstraints = CA:false" >> $test_cnf
printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf
printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:22222" >> $test_cnf
printf '%s\n' "" >> $test_cnf
printf '%s\n' "# Extensions to add to a certificate request (intermediate3-ca)" >> $test_cnf
printf '%s\n' "[ v3_req3 ]" >> $test_cnf
printf '%s\n' "basicConstraints = CA:false" >> $test_cnf
printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf
printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:22223" >> $test_cnf
printf '%s\n' "" >> $test_cnf
printf '%s\n' "# Extensions for a typical CA" >> $test_cnf
printf '%s\n' "[ v3_ca ]" >> $test_cnf
printf '%s\n' "basicConstraints = CA:true" >> $test_cnf
printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
printf '%s\n' "keyUsage = keyCertSign, cRLSign" >> $test_cnf
printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:22220" >> $test_cnf
printf '%s\n' "" >> $test_cnf
printf '%s\n' "# OCSP extensions." >> $test_cnf
printf '%s\n' "[ v3_ocsp ]" >> $test_cnf
printf '%s\n' "basicConstraints = CA:false" >> $test_cnf
printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
printf '%s\n' "extendedKeyUsage = OCSPSigning" >> $test_cnf
mv $test_cnf $CERT_DIR/$test_cnf
cd $CERT_DIR
CURR_LOC=`pwd`
printf '%s\n' "echo now in $CURR_LOC"
./renewcerts-for-test.sh $test_cnf
cd $WORKSPACE
}
remove_ready_file() {
if test -e $ready_file; then
printf '%s\n' "removing ready file"
rm $ready_file
fi
if test -e $ready_file2; then
printf '%s\n' "removing ready file: $ready_file2"
rm $ready_file2
fi
}
cleanup()
{
for i in $(jobs -pr)
do
kill -s HUP "$i"
done
remove_ready_file
rm $CERT_DIR/$test_cnf
restore_originals
}
trap cleanup EXIT INT TERM HUP
server=login.live.com
ca=certs/external/baltimore-cybertrust-root.pem
[ ! -x ./examples/client/client ] && printf '\n\n%s\n' "Client doesn't exist" && exit 1
# create a port 0 port to use with openssl ocsp responder
./examples/server/server -R $ready_file -p $resume_port &
wait_for_readyFile $ready_file
if [ ! -f $ready_file ]; then
printf '%s\n' "Failed to create ready file: \"$ready_file\""
exit 1
else
RPORTSELECTED=`cat $ready_file`
printf '%s\n' "Random port selected: $RPORTSELECTED"
# Use client connection to shutdown the server cleanly
./examples/client/client -p $RPORTSELECTED
create_new_cnf $RPORTSELECTED
fi
sleep 1
# is our desired server there? - login.live.com doesn't answers PING
#./scripts/ping.test $server 2
# client test against the server
# external test case was never running, disable for now but retain case in event
# we wish to re-activate in the future.
#./examples/client/client -X -C -h $server -p 443 -A $ca -g -W 1
#RESULT=$?
#[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1
# setup ocsp responder
# OLD: ./certs/ocsp/ocspd-intermediate1-ca-issued-certs-with-ca-as-responder.sh &
# NEW: openssl isn't being cleaned up, invoke directly in script for cleanup
# purposes!
openssl ocsp -port $RPORTSELECTED -nmin 1 \
-index certs/ocsp/index-intermediate1-ca-issued-certs.txt \
-rsigner certs/ocsp/intermediate1-ca-cert.pem \
-rkey certs/ocsp/intermediate1-ca-key.pem \
-CA certs/ocsp/intermediate1-ca-cert.pem \
$@ \
&
sleep 1
# "jobs" is not portable for posix. Must use bash interpreter!
[ $(jobs -r | wc -l) -ne 1 ] && printf '\n\n%s\n' "Setup ocsp responder failed, skipping" && exit 0
printf '%s\n\n' "------------- TEST CASE 1 SHOULD PASS ------------------------"
# client test against our own server - GOOD CERT
./examples/server/server -c certs/ocsp/server1-cert.pem \
-k certs/ocsp/server1-key.pem -R $ready_file2 \
-p $resume_port &
wait_for_readyFile $ready_file2
CLI_PORT=`cat $ready_file2`
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 \
-p $CLI_PORT
RESULT=$?
[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection failed" && exit 1
printf '%s\n\n' "Test PASSED!"
printf '%s\n\n' "------------- TEST CASE 2 SHOULD REVOKE ----------------------"
# client test against our own server - REVOKED CERT
remove_single_rF $ready_file2
./examples/server/server -c certs/ocsp/server2-cert.pem \
-k certs/ocsp/server2-key.pem -R $ready_file2 \
-p $resume_port &
wait_for_readyFile $ready_file2
CLI_PORT=`cat $ready_file2`
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 \
-p $CLI_PORT
RESULT=$?
[ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection succeeded $RESULT" && exit 1
printf '%s\n\n' "Test successfully REVOKED!"
exit 0

315
kernel/FreeRTOS-Plus/ThirdParty/wolfSSL/scripts/ocsp-stapling.test vendored Executable file
View File

@ -0,0 +1,315 @@
#!/bin/bash
# ocsp-stapling.test
./examples/client/client -v 3 2>&1 | grep -- 'Bad SSL version'
if [ $? -eq 0 ]; then
echo "TLS 1.2 or lower required"
echo "Skipped"
exit 0
fi
# create a unique ready file ending in PID for the script instance ($$) to take
# advantage of port zero solution
WORKSPACE=`pwd`
CERT_DIR="./certs/ocsp"
resume_port=0
ready_file=`pwd`/wolf_ocsp_s1_readyF$$
ready_file2=`pwd`/wolf_ocsp_s1_readyF2$$
printf '%s\n' "ready file: $ready_file"
test_cnf="ocsp_s1.cnf"
copy_originals() {
cd $CERT_DIR
cp intermediate1-ca-cert.pem bak-intermediate1-ca-cert.pem
cp intermediate2-ca-cert.pem bak-intermediate2-ca-cert.pem
cp intermediate3-ca-cert.pem bak-intermediate3-ca-cert.pem
cp ocsp-responder-cert.pem bak-ocsp-responder-cert.pem
cp root-ca-cert.pem bak-root-ca-cert.pem
cp server1-cert.pem bak-server1-cert.pem
cp server2-cert.pem bak-server2-cert.pem
cp server3-cert.pem bak-server3-cert.pem
cp server4-cert.pem bak-server4-cert.pem
cp server5-cert.pem bak-server5-cert.pem
cd $WORKSPACE
}
restore_originals() {
cd $CERT_DIR
mv bak-intermediate1-ca-cert.pem intermediate1-ca-cert.pem
mv bak-intermediate2-ca-cert.pem intermediate2-ca-cert.pem
mv bak-intermediate3-ca-cert.pem intermediate3-ca-cert.pem
mv bak-ocsp-responder-cert.pem ocsp-responder-cert.pem
mv bak-root-ca-cert.pem root-ca-cert.pem
mv bak-server1-cert.pem server1-cert.pem
mv bak-server2-cert.pem server2-cert.pem
mv bak-server3-cert.pem server3-cert.pem
mv bak-server4-cert.pem server4-cert.pem
mv bak-server5-cert.pem server5-cert.pem
}
wait_for_readyFile(){
counter=0
while [ ! -s $1 -a "$counter" -lt 20 ]; do
echo -e "waiting for ready file..."
sleep 0.1
counter=$((counter+ 1))
done
if test -e $1; then
echo -e "found ready file, starting client..."
else
echo -e "NO ready file ending test..."
exit 1
fi
}
remove_single_rF(){
if test -e $1; then
printf '%s\n' "removing ready file: $1"
rm $1
fi
}
#create a configure file for cert generation with the port 0 solution
create_new_cnf() {
copy_originals
printf '%s\n' "Random Port Selected: $RPORTSELECTED"
printf '%s\n' "#" > $test_cnf
printf '%s\n' "# openssl configuration file for OCSP certificates" >> $test_cnf
printf '%s\n' "#" >> $test_cnf
printf '%s\n' "" >> $test_cnf
printf '%s\n' "# Extensions to add to a certificate request (intermediate1-ca)" >> $test_cnf
printf '%s\n' "[ v3_req1 ]" >> $test_cnf
printf '%s\n' "basicConstraints = CA:false" >> $test_cnf
printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf
printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:$1" >> $test_cnf
printf '%s\n' "" >> $test_cnf
printf '%s\n' "# Extensions to add to a certificate request (intermediate2-ca)" >> $test_cnf
printf '%s\n' "[ v3_req2 ]" >> $test_cnf
printf '%s\n' "basicConstraints = CA:false" >> $test_cnf
printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf
printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:22222" >> $test_cnf
printf '%s\n' "" >> $test_cnf
printf '%s\n' "# Extensions to add to a certificate request (intermediate3-ca)" >> $test_cnf
printf '%s\n' "[ v3_req3 ]" >> $test_cnf
printf '%s\n' "basicConstraints = CA:false" >> $test_cnf
printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf
printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:22223" >> $test_cnf
printf '%s\n' "" >> $test_cnf
printf '%s\n' "# Extensions for a typical CA" >> $test_cnf
printf '%s\n' "[ v3_ca ]" >> $test_cnf
printf '%s\n' "basicConstraints = CA:true" >> $test_cnf
printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
printf '%s\n' "keyUsage = keyCertSign, cRLSign" >> $test_cnf
printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:22220" >> $test_cnf
printf '%s\n' "" >> $test_cnf
printf '%s\n' "# OCSP extensions." >> $test_cnf
printf '%s\n' "[ v3_ocsp ]" >> $test_cnf
printf '%s\n' "basicConstraints = CA:false" >> $test_cnf
printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
printf '%s\n' "extendedKeyUsage = OCSPSigning" >> $test_cnf
mv $test_cnf $CERT_DIR/$test_cnf
cd $CERT_DIR
CURR_LOC=`pwd`
printf '%s\n' "echo now in $CURR_LOC"
./renewcerts-for-test.sh $test_cnf
cd $WORKSPACE
}
remove_ready_file() {
if test -e $ready_file; then
printf '%s\n' "removing ready file"
rm $ready_file
fi
if test -e $ready_file2; then
printf '%s\n' "removing ready file: $ready_file2"
rm $ready_file2
fi
}
cleanup()
{
for i in $(jobs -pr)
do
kill -s HUP "$i"
done
remove_ready_file
rm $CERT_DIR/$test_cnf
restore_originals
}
trap cleanup EXIT INT TERM HUP
[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
./examples/client/client '-?' 2>&1 | grep -- 'Client not compiled in!'
if [ $? -eq 0 ]; then
exit 0
fi
# check if supported key size is large enough to handle 4096 bit RSA
size=`./examples/client/client '-?' | grep "Max RSA key"`
size=`echo ${size//[^0-9]/}`
if [ ! -z "$size" ]; then
printf 'check on max key size of %d ...' $size
if [ $size -lt 4096 ]; then
printf '%s\n' "4096 bit RSA keys not supported"
exit 0
fi
printf 'OK\n'
fi
# test interop fail case
ready_file=`pwd`/wolf_ocsp_readyF$$
printf '%s\n' "ready file: $ready_file"
./examples/server/server -o -R $ready_file &
wolf_pid=$!
wait_for_readyFile $ready_file
if [ ! -f $ready_file ]; then
printf '%s\n' "Failed to create ready file: \"$ready_file\""
exit 1
else
# should fail if ocspstapling is also enabled
RPORTSELECTED=`cat $ready_file`
echo "hi" | openssl s_client -status -connect 127.0.0.1:${RPORTSELECTED} -cert ./certs/client-cert.pem -key ./certs/client-key.pem -CAfile ./certs/ocsp/root-ca-cert.pem
if [ $? -eq 0 ]; then
printf '%s\n' "Succeeded when should have failed"
remove_single_rF $ready_file
exit 1
fi
remove_single_rF $ready_file
wait $wolf_pid
if [ $? -ne 1 ]; then
printf '%s\n' "wolfSSL server unexpected fail value"
exit 1
fi
fi
# create a port 0 port to use with openssl ocsp responder
./examples/server/server -R $ready_file -p $resume_port &
wait_for_readyFile $ready_file
if [ ! -f $ready_file ]; then
printf '%s\n' "Failed to create ready file: \"$ready_file\""
exit 1
else
RPORTSELECTED=`cat $ready_file`
printf '%s\n' "Random port selected: $RPORTSELECTED"
# Use client connection to shutdown the server cleanly
./examples/client/client -p $RPORTSELECTED
create_new_cnf $RPORTSELECTED
fi
sleep 1
# is our desired server there? - login.live.com doesn't answers PING
#./scripts/ping.test $server 2
# client test against the server
server=login.live.com
#ca=certs/external/baltimore-cybertrust-root.pem
ca=certs/external/ca_collection.pem
./examples/client/client -C -h $server -p 443 -A $ca -g -W 1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1
# Test with example server
./examples/server/server '-?' 2>&1 | grep -- 'Server not compiled in!'
if [ $? -eq 0 ]; then
exit 0
fi
# setup ocsp responder
# OLD: ./certs/ocsp/ocspd-intermediate1-ca-issued-certs.sh &
# NEW: openssl isn't being cleaned up, invoke directly in script for cleanup
# purposes!
openssl ocsp -port $RPORTSELECTED -nmin 1 \
-index certs/ocsp/index-intermediate1-ca-issued-certs.txt \
-rsigner certs/ocsp/ocsp-responder-cert.pem \
-rkey certs/ocsp/ocsp-responder-key.pem \
-CA certs/ocsp/intermediate1-ca-cert.pem \
"$@" &
sleep 1
# "jobs" is not portable for posix. Must use bash interpreter!
[ $(jobs -r | wc -l) -ne 1 ] && \
printf '\n\n%s\n' "Setup ocsp responder failed, skipping" && exit 0
printf '%s\n\n' "------------- TEST CASE 1 SHOULD PASS ------------------------"
# client test against our own server - GOOD CERT
./examples/server/server -c certs/ocsp/server1-cert.pem -R $ready_file2 \
-k certs/ocsp/server1-key.pem -p $resume_port &
wait_for_readyFile $ready_file2
CLI_PORT=`cat $ready_file2`
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -p $CLI_PORT
RESULT=$?
[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 2 failed" && exit 1
printf '%s\n\n' "Test PASSED!"
printf '%s\n\n' "------------- TEST CASE 2 SHOULD REVOKE ----------------------"
# client test against our own server - REVOKED CERT
remove_single_rF $ready_file2
./examples/server/server -c certs/ocsp/server2-cert.pem -R $ready_file2 \
-k certs/ocsp/server2-key.pem -p $resume_port &
wait_for_readyFile $ready_file2
sleep 1
CLI_PORT=`cat $ready_file2`
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -p $CLI_PORT
RESULT=$?
[ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection succeeded $RESULT" \
&& exit 1
printf '%s\n\n' "Test successfully REVOKED!"
./examples/client/client -v 4 2>&1 | grep -- 'Bad SSL version'
if [ $? -ne 0 ]; then
printf '%s\n\n' "------------- TEST CASE 3 SHOULD PASS --------------------"
# client test against our own server - GOOD CERT
remove_single_rF $ready_file2
./examples/server/server -c certs/ocsp/server1-cert.pem -R $ready_file2 \
-k certs/ocsp/server1-key.pem -v 4 \
-p $resume_port &
wait_for_readyFile $ready_file2
CLI_PORT=`cat $ready_file2`
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -v 4 -F 1 \
-p $CLI_PORT
RESULT=$?
[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 3 failed" && exit 1
printf '%s\n\n' "Test PASSED!"
printf '%s\n\n' "------------- TEST CASE 4 SHOULD REVOKE ------------------"
# client test against our own server - REVOKED CERT
remove_single_rF $ready_file2
./examples/server/server -c certs/ocsp/server2-cert.pem -R $ready_file2 \
-k certs/ocsp/server2-key.pem -v 4 \
-p $resume_port &
wait_for_readyFile $ready_file2
CLI_PORT=`cat $ready_file2`
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -v 4 -F 1 \
-p $CLI_PORT
RESULT=$?
[ $RESULT -ne 1 ] && \
printf '\n\n%s\n' "Client connection succeeded $RESULT" \
&& exit 1
printf '%s\n\n' "Test successfully REVOKED!"
fi
exit 0

395
kernel/FreeRTOS-Plus/ThirdParty/wolfSSL/scripts/ocsp-stapling2.test vendored Executable file
View File

@ -0,0 +1,395 @@
#!/bin/bash
# ocsp-stapling.test
./examples/client/client -v 3 2>&1 | grep -- 'Bad SSL version'
if [ $? -eq 0 ]; then
echo "TLS 1.2 or lower required"
echo "Skipped"
exit 0
fi
WORKSPACE=`pwd`
CERT_DIR="certs/ocsp"
resume_port=0
ready_file1=`pwd`/wolf_ocsp_s2_readyF1$$
ready_file2=`pwd`/wolf_ocsp_s2_readyF2$$
ready_file3=`pwd`/wolf_ocsp_s2_readyF3$$
ready_file4=`pwd`/wolf_ocsp_s2_readyF4$$
ready_file5=`pwd`/wolf_ocsp_s2_readyF5$$
printf '%s\n' "ready file 1: $ready_file1"
printf '%s\n' "ready file 2: $ready_file2"
printf '%s\n' "ready file 3: $ready_file3"
printf '%s\n' "ready file 4: $ready_file4"
printf '%s\n' "ready file 5: $ready_file5"
test_cnf="ocsp_s2.cnf"
copy_originals() {
cd $CERT_DIR
cp intermediate1-ca-cert.pem bak-intermediate1-ca-cert.pem
cp intermediate2-ca-cert.pem bak-intermediate2-ca-cert.pem
cp intermediate3-ca-cert.pem bak-intermediate3-ca-cert.pem
cp ocsp-responder-cert.pem bak-ocsp-responder-cert.pem
cp root-ca-cert.pem bak-root-ca-cert.pem
cp server1-cert.pem bak-server1-cert.pem
cp server2-cert.pem bak-server2-cert.pem
cp server3-cert.pem bak-server3-cert.pem
cp server4-cert.pem bak-server4-cert.pem
cp server5-cert.pem bak-server5-cert.pem
cd $WORKSPACE
}
restore_originals() {
cd $CERT_DIR
mv bak-intermediate1-ca-cert.pem intermediate1-ca-cert.pem
mv bak-intermediate2-ca-cert.pem intermediate2-ca-cert.pem
mv bak-intermediate3-ca-cert.pem intermediate3-ca-cert.pem
mv bak-ocsp-responder-cert.pem ocsp-responder-cert.pem
mv bak-root-ca-cert.pem root-ca-cert.pem
mv bak-server1-cert.pem server1-cert.pem
mv bak-server2-cert.pem server2-cert.pem
mv bak-server3-cert.pem server3-cert.pem
mv bak-server4-cert.pem server4-cert.pem
mv bak-server5-cert.pem server5-cert.pem
}
wait_for_readyFile(){
counter=0
while [ ! -s $1 -a "$counter" -lt 20 ]; do
echo -e "waiting for ready file..."
sleep 0.1
counter=$((counter+ 1))
done
if test -e $1; then
echo -e "found ready file, starting client..."
else
echo -e "NO ready file ending test..."
exit 1
fi
}
remove_single_rF(){
if test -e $1; then
printf '%s\n' "removing ready file: $1"
rm $1
fi
}
#create a configure file for cert generation with the port 0 solution
create_new_cnf() {
copy_originals
printf '%s\n' "Random Port Selected: $RPORTSELECTED"
printf '%s\n' "#" > $test_cnf
printf '%s\n' "# openssl configuration file for OCSP certificates" >> $test_cnf
printf '%s\n' "#" >> $test_cnf
printf '%s\n' "" >> $test_cnf
printf '%s\n' "# Extensions to add to a certificate request (intermediate1-ca)" >> $test_cnf
printf '%s\n' "[ v3_req1 ]" >> $test_cnf
printf '%s\n' "basicConstraints = CA:false" >> $test_cnf
printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf
printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:$1" >> $test_cnf
printf '%s\n' "" >> $test_cnf
printf '%s\n' "# Extensions to add to a certificate request (intermediate2-ca)" >> $test_cnf
printf '%s\n' "[ v3_req2 ]" >> $test_cnf
printf '%s\n' "basicConstraints = CA:false" >> $test_cnf
printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf
printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:$2" >> $test_cnf
printf '%s\n' "" >> $test_cnf
printf '%s\n' "# Extensions to add to a certificate request (intermediate3-ca)" >> $test_cnf
printf '%s\n' "[ v3_req3 ]" >> $test_cnf
printf '%s\n' "basicConstraints = CA:false" >> $test_cnf
printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf
printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:$3" >> $test_cnf
printf '%s\n' "" >> $test_cnf
printf '%s\n' "# Extensions for a typical CA" >> $test_cnf
printf '%s\n' "[ v3_ca ]" >> $test_cnf
printf '%s\n' "basicConstraints = CA:true" >> $test_cnf
printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
printf '%s\n' "keyUsage = keyCertSign, cRLSign" >> $test_cnf
printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:$4" >> $test_cnf
printf '%s\n' "" >> $test_cnf
printf '%s\n' "# OCSP extensions." >> $test_cnf
printf '%s\n' "[ v3_ocsp ]" >> $test_cnf
printf '%s\n' "basicConstraints = CA:false" >> $test_cnf
printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
printf '%s\n' "extendedKeyUsage = OCSPSigning" >> $test_cnf
mv $test_cnf $CERT_DIR/$test_cnf
cd $CERT_DIR
CURR_LOC=`pwd`
printf '%s\n' "echo now in $CURR_LOC"
./renewcerts-for-test.sh $test_cnf
cd $WORKSPACE
}
remove_ready_file(){
if test -e $ready_file1; then
printf '%s\n' "removing ready file: $ready_file1"
rm $ready_file1
fi
if test -e $ready_file2; then
printf '%s\n' "removing ready file: $ready_file2"
rm $ready_file2
fi
if test -e $ready_file3; then
printf '%s\n' "removing ready file: $ready_file3"
rm $ready_file3
fi
if test -e $ready_file4; then
printf '%s\n' "removing ready file: $ready_file4"
rm $ready_file4
fi
if test -e $ready_file5; then
printf '%s\n' "removing ready file: $ready_file5"
rm $ready_file5
fi
}
cleanup()
{
for i in $(jobs -pr)
do
kill -s HUP "$i"
done
remove_ready_file
rm $CERT_DIR/$test_cnf
restore_originals
}
trap cleanup EXIT INT TERM HUP
[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
# check if supported key size is large enough to handle 4096 bit RSA
size=`./examples/client/client '-?' | grep "Max RSA key"`
size=`echo ${size//[^0-9]/}`
if [ ! -z "$size" ]; then
printf 'check on max key size of %d ...' $size
if [ $size -lt 4096 ]; then
printf '%s\n' "4096 bit RSA keys not supported"
exit 0
fi
printf 'OK\n'
fi
#get four unique ports
# 1:
./examples/server/server -R $ready_file1 -p $resume_port &
wait_for_readyFile $ready_file1
if [ ! -f $ready_file1 ]; then
printf '%s\n' "Failed to create ready file1: \"$ready_file1\""
exit 1
fi
# 2:
./examples/server/server -R $ready_file2 -p $resume_port &
wait_for_readyFile $ready_file2
if [ ! -f $ready_file2 ]; then
printf '%s\n' "Failed to create ready file2: \"$ready_file2\""
exit 1
fi
# 3:
./examples/server/server -R $ready_file3 -p $resume_port &
wait_for_readyFile $ready_file3
if [ ! -f $ready_file3 ]; then
printf '%s\n' "Failed to create ready file3: \"$ready_file3\""
exit 1
fi
# 4:
./examples/server/server -R $ready_file4 -p $resume_port &
wait_for_readyFile $ready_file4
if [ ! -f $ready_file4 ]; then
printf '%s\n' "Failed to create ready file4: \"$ready_file4\""
exit 1
else
RPORTSELECTED1=`cat $ready_file1`
RPORTSELECTED2=`cat $ready_file2`
RPORTSELECTED3=`cat $ready_file3`
RPORTSELECTED4=`cat $ready_file4`
printf '%s\n' "------------- PORTS ---------------"
printf '%s' "Random ports selected: $RPORTSELECTED1 $RPORTSELECTED2"
printf '%s\n' " $RPORTSELECTED3 $RPORTSELECTED4"
printf '%s\n' "-----------------------------------"
# Use client connections to cleanly shutdown the servers
./examples/client/client -p $RPORTSELECTED1
./examples/client/client -p $RPORTSELECTED2
./examples/client/client -p $RPORTSELECTED3
./examples/client/client -p $RPORTSELECTED4
create_new_cnf $RPORTSELECTED1 $RPORTSELECTED2 $RPORTSELECTED3 \
$RPORTSELECTED4
fi
sleep 1
# setup ocsp responders
# OLD: ./certs/ocsp/ocspd-root-ca-and-intermediate-cas.sh &
# NEW: openssl isn't being cleaned up, invoke directly in script for cleanup
# purposes!
openssl ocsp -port $RPORTSELECTED1 -nmin 1 \
-index certs/ocsp/index-ca-and-intermediate-cas.txt \
-rsigner certs/ocsp/ocsp-responder-cert.pem \
-rkey certs/ocsp/ocsp-responder-key.pem \
-CA certs/ocsp/root-ca-cert.pem \
$@ \
&
# OLD: ./certs/ocsp/ocspd-intermediate2-ca-issued-certs.sh &
# NEW: openssl isn't being cleaned up, invoke directly in script for cleanup
# purposes!
openssl ocsp -port $RPORTSELECTED2 -nmin 1 \
-index certs/ocsp/index-intermediate2-ca-issued-certs.txt \
-rsigner certs/ocsp/ocsp-responder-cert.pem \
-rkey certs/ocsp/ocsp-responder-key.pem \
-CA certs/ocsp/intermediate2-ca-cert.pem \
$@ \
&
# OLD: ./certs/ocsp/ocspd-intermediate3-ca-issued-certs.sh &
# NEW: openssl isn't being cleaned up, invoke directly in script for cleanup
# purposes!
openssl ocsp -port $RPORTSELECTED3 -nmin 1 \
-index certs/ocsp/index-intermediate3-ca-issued-certs.txt \
-rsigner certs/ocsp/ocsp-responder-cert.pem \
-rkey certs/ocsp/ocsp-responder-key.pem \
-CA certs/ocsp/intermediate3-ca-cert.pem \
$@ \
&
sleep 1
# "jobs" is not portable for posix. Must use bash interpreter!
[ $(jobs -r | wc -l) -ne 3 ] && printf '\n\n%s\n' "Setup ocsp responder failed, skipping" && exit 0
printf '\n\n%s\n\n' "All OCSP responders started successfully!"
printf '%s\n\n' "------------- TEST CASE 1 SHOULD PASS ------------------------"
# client test against our own server - GOOD CERTS
./examples/server/server -c certs/ocsp/server3-cert.pem \
-k certs/ocsp/server3-key.pem -R $ready_file5 \
-p $resume_port &
wait_for_readyFile $ready_file5
CLI_PORT=`cat $ready_file5`
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 -v 3 \
-p $CLI_PORT
RESULT=$?
[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 1 failed" && exit 1
printf '%s\n\n' "Test PASSED!"
printf '%s\n\n' "TEST CASE 2 DISABLED PENDING REVIEW"
#printf '%s\n\n' "------------- TEST CASE 2 SHOULD PASS ------------------------"
#remove_single_rF $ready_file5
#./examples/server/server -c certs/ocsp/server3-cert.pem \
# -k certs/ocsp/server3-key.pem -R $ready_file5 \
# -p $resume_port &
#wait_for_readyFile $ready_file5
#CLI_PORT=`cat $ready_file5`
#./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3 \
# -p $CLI_PORT
#RESULT=$?
#[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 2 failed" && exit 1
#printf '%s\n\n' "Test PASSED!"
printf '%s\n\n' "------------- TEST CASE 3 SHOULD REVOKE ----------------------"
# client test against our own server - REVOKED SERVER CERT
remove_single_rF $ready_file5
./examples/server/server -c certs/ocsp/server4-cert.pem \
-k certs/ocsp/server4-key.pem -R $ready_file5 \
-p $resume_port &
wait_for_readyFile $ready_file5
CLI_PORT=`cat $ready_file5`
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 -v 3 \
-p $CLI_PORT
RESULT=$?
[ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection succeeded $RESULT" && exit 1
printf '%s\n\n' "Test successfully REVOKED!"
printf '%s\n\n' "------------- TEST CASE 4 SHOULD REVOKE ----------------------"
remove_single_rF $ready_file5
./examples/server/server -c certs/ocsp/server4-cert.pem \
-k certs/ocsp/server4-key.pem -R $ready_file5 \
-p $resume_port &
sleep 1
CLI_PORT=`cat $ready_file5`
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3 \
-p $CLI_PORT
RESULT=$?
[ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection succeeded $RESULT" && exit 1
printf '%s\n\n' "Test successfully REVOKED!"
printf '%s\n\n' "------------- TEST CASE 5 SHOULD PASS ------------------------"
# client test against our own server - REVOKED INTERMEDIATE CERT
remove_single_rF $ready_file5
./examples/server/server -c certs/ocsp/server5-cert.pem \
-k certs/ocsp/server5-key.pem -R $ready_file5 \
-p $resume_port &
wait_for_readyFile $ready_file5
CLI_PORT=`cat $ready_file5`
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 -v 3 \
-p $CLI_PORT
RESULT=$?
[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 3 failed $RESULT" && exit 1
printf '%s\n\n' "Test PASSED!"
printf '%s\n\n' "------------- TEST CASE 6 SHOULD REVOKE ----------------------"
remove_single_rF $ready_file5
./examples/server/server -c certs/ocsp/server5-cert.pem \
-k certs/ocsp/server5-key.pem -R $ready_file5 \
-p $resume_port &
wait_for_readyFile $ready_file5
CLI_PORT=`cat $ready_file5`
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3 \
-p $CLI_PORT
RESULT=$?
[ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection succeeded $RESULT" && exit 1
printf '%s\n\n' "Test successfully REVOKED!"
printf '%s\n\n' "------------- TEST CASE 7 LOAD CERT IN SSL -------------------"
remove_single_rF $ready_file5
./examples/server/server -c certs/ocsp/server1-cert.pem \
-k certs/ocsp/server1-key.pem -R $ready_file5 \
-p $resume_port -H loadSSL &
wolf_pid=$!
wait_for_readyFile $ready_file5
CLI_PORT=`cat $ready_file5`
echo "test connection" | openssl s_client -status -connect 127.0.0.1:$CLI_PORT -cert ./certs/client-cert.pem -key ./certs/client-key.pem -CAfile ./certs/ocsp/root-ca-cert.pem
RESULT=$?
[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection failed $RESULT" && exit 1
wait $wolf_pid
if [ $? -ne 0 ]; then
printf '%s\n' "Unexpected server result"
exit 1
fi
printf '%s\n\n' "Test successful"
printf '%s\n\n' "------------- TEST CASE 8 SHOULD REVOKE ----------------------"
remove_single_rF $ready_file5
./examples/server/server -c certs/ocsp/server4-cert.pem \
-k certs/ocsp/server4-key.pem -R $ready_file5 \
-p $resume_port -H loadSSL &
wolf_pid=$!
sleep 1
CLI_PORT=`cat $ready_file5`
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3 \
-p $CLI_PORT
RESULT=$?
[ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection succeeded $RESULT" && exit 1
wait $wolf_pid
if [ $? -ne 1 ]; then
printf '%s\n' "Unexpected server result"
exit 1
fi
printf '%s\n\n' "Test successfully REVOKED!"
printf '%s\n\n' "------------------- TESTS COMPLETE ---------------------------"
exit 0

92
kernel/FreeRTOS-Plus/ThirdParty/wolfSSL/scripts/ocsp.test vendored Executable file
View File

@ -0,0 +1,92 @@
#!/bin/sh
# ocsp.test
server=www.globalsign.com
ca=certs/external/ca-globalsign-root.pem
[ ! -x ./examples/client/client ] && printf '\n\n%s\n' "Client doesn't exist" \
&& exit 1
./examples/client/client -v 3 2>&1 | grep -- 'Bad SSL version'
if [ $? -eq 0 ]; then
echo "TLS 1.2 or lower required"
echo "Skipped"
exit 0
fi
GL_UNREACHABLE=0
# Global Sign now requires server name indication extension to work, check
# enabled prior to testing
OUTPUT=$(eval "./examples/client/client -S check")
if [ "$OUTPUT" = "SNI is: ON" ]; then
printf '\n\n%s\n\n' "SNI is on, proceed with globalsign test"
# is our desired server there?
./scripts/ping.test $server 2
RESULT=$?
if [ $RESULT -ne 0 ]; then
GL_UNREACHABLE=1
fi
if [ $RESULT -eq 0 ]; then
# client test against the server
./examples/client/client -X -C -h $server -p 443 -A $ca -g -o -N -v d -S $server
GL_RESULT=$?
[ $GL_RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection failed"
else
GL_RESULT=1
fi
else
printf '\n\n%s\n\n' "SNI disabled, skipping globalsign test"
GL_RESULT=0
fi
server=www.google.com
ca=certs/external/ca-google-root.pem
# is our desired server there?
./scripts/ping.test $server 2
RESULT=$?
if [ $RESULT -eq 0 ]; then
# client test against the server
./examples/client/client -X -C -h $server -p 443 -A $ca -g -o -N
GR_RESULT=$?
[ $GR_RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection failed"
else
GR_RESULT=1
fi
if test -n "$WOLFSSL_OCSP_TEST"; then
# check that both passed
if [ $GL_RESULT -eq 0 ] && [ $GR_RESULT -eq 0 ]; then
printf '\n\n%s\n' "Both OCSP connection to globalsign and google passed"
printf '%s\n' "Test Passed!"
exit 0
elif [ $GL_UNREACHABLE -eq 1 ] && [ $GR_RESULT -eq 0 ]; then
printf '%s\n' "Global Sign is currently unreachable. Logging it but if"
printf '%s\n' "this continues to occur should be investigated"
exit 0
else
# Unlike other environment variables the intent of WOLFSSL_OCSP_TEST
# is to indicate a requirement for both tests to pass. If variable is
# set and either tests fail then whole case fails. Do not set the
# variable if either case passing is to be considered a success.
printf '\n\n%s\n' "One of the OCSP connections to either globalsign or"
printf '%s\n' "google failed, however since WOLFSSL_OCSP_TEST is set"
printf '%s\n' "the test is considered to have failed"
printf '%s\n' "Test Failed!"
exit 1
fi
else
# if environment variable is not set then just need one to pass
if [ $GL_RESULT -ne 0 ] && [ $GR_RESULT -ne 0 ]; then
printf '\n\n%s\n' "Both OCSP connection to globalsign and google failed"
printf '%s\n' "Test Failed!"
exit 1
else
printf '\n\n%s\n' "WOLFSSL_OCSP_TEST NOT set, and 1 of the tests passed"
printf '%s\n' "Test Passed!"
exit 0
fi
fi

1112
kernel/FreeRTOS-Plus/ThirdParty/wolfSSL/scripts/openssl.test vendored Executable file
View File

File diff suppressed because it is too large Load Diff

29
kernel/FreeRTOS-Plus/ThirdParty/wolfSSL/scripts/ping.test vendored Executable file
View File

@ -0,0 +1,29 @@
#!/bin/sh
# ping.test
# defaults
server=www.wolfssl.com
tries=2
# populate args
if [ "$#" -gt 1 ]; then
tries=$2
fi
if [ "$#" -gt 0 ]; then
server=$1
fi
# determine os
OS="`uname`"
case $OS in
MINGW* | MSYS*) PINGSW=-n ;;
*) PINGSW=-c ;;
esac
# is our desired server there?
ping $PINGSW $tries $server
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\n\nCouldn't find $server, skipping" && exit 1
exit 0

123
kernel/FreeRTOS-Plus/ThirdParty/wolfSSL/scripts/pkcallbacks.test vendored Executable file
View File

@ -0,0 +1,123 @@
#!/bin/sh
#pkcallbacks.test
exit_code=1
counter=0
# need a unique resume port since may run the same time as testsuite
# use server port zero hack to get one
pk_port=0
#no_pid tells us process was never started if -1
no_pid=-1
#server_pid captured on startup, stores the id of the server process
server_pid=$no_pid
# let's use absolute path to a local dir (make distcheck may be in sub dir)
# also let's add some randomness by adding pid in case multiple 'make check's
# per source tree
ready_file=`pwd`/wolfssl_pk_ready$$
remove_ready_file() {
if test -e $ready_file; then
echo -e "removing existing ready file"
rm $ready_file
fi
}
do_cleanup() {
echo "in cleanup"
if [ $server_pid != $no_pid ]
then
echo "killing server"
kill -9 $server_pid
fi
remove_ready_file
}
# trap this function so if user aborts with ^C or other kill signal we still
# get an exit that will in turn clean up the file system
abort_trap() {
echo "script aborted"
if [ $server_pid != $no_pid ]
then
echo "killing server"
kill -9 $server_pid
fi
exit_code=2 #different exit code in case of user interrupt
echo "got abort signal, exiting with $exit_code"
exit $exit_code
}
trap abort_trap INT TERM
# trap this function so that if we exit on an error the file system will still
# be restored and the other tests may still pass. Never call this function
# instead use "exit <some value>" and this function will run automatically
restore_file_system() {
remove_ready_file
}
trap restore_file_system EXIT
run_test() {
echo -e "\nStarting example server for pkcallbacks test...\n"
remove_ready_file
# starts the server on pk_port, -R generates ready file to be used as a
# mutex lock, -P does pkcallbacks. We capture the processid
# into the variable server_pid
./examples/server/server -P -R $ready_file -p $pk_port &
server_pid=$!
while [ ! -s $ready_file -a "$counter" -lt 20 ]; do
echo -e "waiting for ready file..."
sleep 0.1
counter=$((counter+ 1))
done
if test -e $ready_file; then
echo -e "found ready file, starting client..."
else
echo -e "NO ready file ending test..."
exit 1
fi
# get created port 0 ephemeral port
pk_port=`cat $ready_file`
# starts client on pk_port with pkcallbacks, captures the output from client
capture_out=$(./examples/client/client -P -p $pk_port 2>&1)
client_result=$?
if [ $client_result != 0 ]
then
echo -e "client failed!"
do_cleanup
exit 1
fi
wait $server_pid
server_result=$?
if [ $server_result != 0 ]
then
echo -e "server failed!"
exit 1
fi
}
######### begin program #########
# run the test
run_test
# If we get to this, success
echo "Success!"
exit 0
########## end program ##########

148
kernel/FreeRTOS-Plus/ThirdParty/wolfSSL/scripts/psk.test vendored Executable file
View File

@ -0,0 +1,148 @@
#!/bin/sh
# psk.test
# copyright wolfSSL 2016
# getting unique port is modeled after resume.test script
# need a unique port since may run the same time as testsuite
# use server port zero hack to get one
port=0
no_pid=-1
server_pid=$no_pid
counter=0
# let's use absolute path to a local dir (make distcheck may be in sub dir)
# also let's add some randomness by adding pid in case multiple 'make check's
# per source tree
ready_file=`pwd`/wolfssl_psk_ready$$
echo "ready file $ready_file"
create_port() {
while [ ! -s $ready_file -a "$counter" -lt 20 ]; do
echo -e "waiting for ready file..."
sleep 0.1
counter=$((counter+ 1))
done
if test -e $ready_file; then
echo -e "found ready file, starting client..."
# get created port 0 ephemeral port
port=`cat $ready_file`
else
echo -e "NO ready file ending test..."
do_cleanup
fi
}
remove_ready_file() {
if test -e $ready_file; then
echo -e "removing existing ready file"
rm $ready_file
fi
}
do_cleanup() {
echo "in cleanup"
if [ $server_pid != $no_pid ]
then
echo "killing server"
kill -9 $server_pid
fi
remove_ready_file
}
do_trap() {
echo "got trap"
do_cleanup
exit -1
}
trap do_trap INT TERM
[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
./examples/client/client '-?' 2>&1 | grep -- 'Client not compiled in!'
if [ $? -eq 0 ]; then
exit 0
fi
./examples/server/server '-?' 2>&1 | grep -- 'Server not compiled in!'
if [ $? -eq 0 ]; then
exit 0
fi
# Usual psk server / psk client. This use case is tested in
# tests/unit.test and is used here for just checking if PSK is enabled
port=0
./examples/server/server -s -R $ready_file -p $port &
server_pid=$!
create_port
./examples/client/client -s -p $port
RESULT=$?
remove_ready_file
# if fail here then is a settings issue so return 0
if [ $RESULT -ne 0 ]; then
echo -e "\n\nPSK not enabled"
do_cleanup
exit 0
fi
echo ""
# client test against the server
###############################
./examples/client/client -v 3 2>&1 | grep -- 'Bad SSL version'
if [ $? -ne 0 ]; then
# Usual server / client. This use case is tested in
# tests/unit.test and is used here for just checking if cipher suite
# is available (one case for example is with disable-asn)
port=0
./examples/server/server -R $ready_file -p $port -l DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-DES-CBC3-SHA &
server_pid=$!
create_port
./examples/client/client -p $port
RESULT=$?
remove_ready_file
# if fail here then is a settings issue so return 0
if [ $RESULT -ne 0 ]; then
echo -e "\n\nIssue with chosen non PSK suites"
do_cleanup
exit 0
fi
echo ""
# psk server with non psk client
port=0
./examples/server/server -j -R $ready_file -p $port &
server_pid=$!
create_port
./examples/client/client -p $port
RESULT=$?
remove_ready_file
if [ $RESULT -ne 0 ]; then
echo -e "\n\nClient connection failed"
do_cleanup
exit 1
fi
echo ""
# check fail if no auth, psk server with non psk client
echo "Checking fail when not sending peer cert"
port=0
./examples/server/server -j -R $ready_file -p $port &
server_pid=$!
create_port
./examples/client/client -x -p $port
RESULT=$?
remove_ready_file
if [ $RESULT -eq 0 ]; then
echo -e "\n\nClient connected when supposed to fail"
do_cleanup
exit 1
fi
fi
echo -e "\nALL Tests Passed"
exit 0

144
kernel/FreeRTOS-Plus/ThirdParty/wolfSSL/scripts/resume.test vendored Executable file
View File

@ -0,0 +1,144 @@
#!/bin/sh
#resume.test
# need a unique resume port since may run the same time as testsuite
# use server port zero hack to get one
resume_string="reused"
resume_sup_string="Resume session"
ems_string="Extended\ Master\ Secret"
resume_port=0
no_pid=-1
server_pid=$no_pid
counter=0
# let's use absolute path to a local dir (make distcheck may be in sub dir)
# also let's add some randomness by adding pid in case multiple 'make check's
# per source tree
ready_file=`pwd`/wolfssl_resume_ready$$
echo "ready file $ready_file"
remove_ready_file() {
if test -e $ready_file; then
echo -e "removing existing ready file"
rm $ready_file
fi
}
do_cleanup() {
echo "in cleanup"
if [ $server_pid != $no_pid ]
then
echo "killing server"
kill -9 $server_pid
fi
remove_ready_file
}
do_trap() {
echo "got trap"
do_cleanup
exit -1
}
do_test() {
echo -e "\nStarting example server for resume test...\n"
#make sure we support session resumption (!NO_SESSION_CACHE)
# Check the client for the extended master secret disable option. If
# present we need to run the test twice.
options_check=`./examples/client/client '-?'`
case "$options_check" in
*$resume_sup_string*)
echo -e "\nResume test supported";;
*)
echo -e "\nResume test not supported with build"
return;;
esac
remove_ready_file
./examples/server/server -r -R $ready_file -p $resume_port &
server_pid=$!
while [ ! -s $ready_file -a "$counter" -lt 20 ]; do
echo -e "waiting for ready file..."
sleep 0.1
counter=$((counter+ 1))
done
if test -e $ready_file; then
echo -e "found ready file, starting client..."
else
echo -e "NO ready file ending test..."
do_cleanup
exit 1
fi
# get created port 0 ephemeral port
resume_port=`cat $ready_file`
capture_out=$(./examples/client/client $1 -r -p $resume_port 2>&1)
client_result=$?
if [ $client_result != 0 ]
then
echo -e "client failed!\ncapture_out=$capture_out\nclient_result=$client_result"
do_cleanup
exit 1
fi
wait $server_pid
server_result=$?
remove_ready_file
if [ $server_result != 0 ]
then
echo -e "client failed!"
exit 1
fi
case "$capture_out" in
*$resume_string*)
echo "resumed session" ;;
*)
echo "did NOT resume session as expected"
exit 1
;;
esac
}
trap do_trap INT TERM
./examples/client/client '-?' 2>&1 | grep -- 'Client not compiled in!'
if [ $? -ne 0 ]; then
./examples/server/server '-?' 2>&1 | grep -- 'Server not compiled in!'
if [ $? -ne 0 ]; then
RUN_TEST="Y"
fi
fi
./examples/client/client '-?' 2>&1 | grep -- 'Resume session'
if [ $? -ne 0 ]; then
RUN_TEST="Y"
fi
if [ "$RUN_TEST" = "Y" ]; then
do_test
# Check the client for the extended master secret disable option. If
# present we need to run the test twice.
options_check=`./examples/client/client -?`
case "$options_check" in
*$ems_string*)
echo -e "\nRepeating resume test without extended master secret..."
do_test -n ;;
*)
;;
esac
fi
echo -e "\nSuccess!\n"
exit 0

BIN
kernel/FreeRTOS-Plus/ThirdParty/wolfSSL/scripts/sniffer-ipv6.pcap vendored Normal file
View File

Binary file not shown.

44
kernel/FreeRTOS-Plus/ThirdParty/wolfSSL/scripts/sniffer-testsuite.test vendored Executable file
View File

@ -0,0 +1,44 @@
#!/bin/sh
#sniffer-testsuite.test
# ./configure --enable-sniffer [--enable-session-ticket]
# Resumption tests require "--enable-session-ticket"
echo -e "\nStaring snifftest on testsuite.pcap...\n"
./sslSniffer/sslSnifferTest/snifftest ./scripts/testsuite.pcap ./certs/server-key.pem 127.0.0.1 11111
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\nsnifftest failed\n" && exit 1
# TLS v1.3 sniffer test ECC (and resumption)
if test $# -ne 0
then
./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-ecc.pcap ./certs/statickeys/ecc-secp256r1.pem 127.0.0.1 11111
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 ECC\n" && exit 1
fi
# TLS v1.3 sniffer test DH (and resumption)
if test $# -ne 0
then
./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-dh.pcap ./certs/statickeys/dh-ffdhe2048.pem 127.0.0.1 11111
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 DH\n" && exit 1
fi
# IPv6
if test $# -ne 0 && test "x$1" = "x-6";
then
echo -e "\nStaring snifftest on sniffer-ipv6.pcap...\n"
./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-ipv6.pcap ./certs/server-key.pem ::1 11111
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\nsnifftest (ipv6) failed\n" && exit 1
fi
echo -e "\nSuccess!\n"
exit 0

BIN
kernel/FreeRTOS-Plus/ThirdParty/wolfSSL/scripts/sniffer-tls13-dh.pcap vendored Normal file
View File

Binary file not shown.

BIN
kernel/FreeRTOS-Plus/ThirdParty/wolfSSL/scripts/sniffer-tls13-ecc.pcap vendored Normal file
View File

Binary file not shown.

24
kernel/FreeRTOS-Plus/ThirdParty/wolfSSL/scripts/sniffer-tls13-gen.sh vendored Executable file
View File

@ -0,0 +1,24 @@
#!/bin/bash
# Run these configures and the example server/client below
# Script to generate wireshark trace for sniffer-tls13-ecc.pcap
#./configure --enable-sniffer --enable-session-ticket && make
# Script to generate wireshark trace for sniffer-tls13-dh.pcap
#./configure --enable-sniffer --enable-session-ticket --disable-ecc && make
# TLS v1.3
./examples/server/server -v 4 -l TLS13-AES128-GCM-SHA256 &
./examples/client/client -v 4 -l TLS13-AES128-GCM-SHA256
./examples/server/server -v 4 -l TLS13-AES256-GCM-SHA384 &
./examples/client/client -v 4 -l TLS13-AES256-GCM-SHA384
./examples/server/server -v 4 -l TLS13-CHACHA20-POLY1305-SHA256 &
./examples/client/client -v 4 -l TLS13-CHACHA20-POLY1305-SHA256
# TLS v1.3 Resumption
./examples/server/server -v 4 -l TLS13-AES128-GCM-SHA256 -r &
./examples/client/client -v 4 -l TLS13-AES128-GCM-SHA256 -r
./examples/server/server -v 4 -l TLS13-AES256-GCM-SHA384 -r &
./examples/client/client -v 4 -l TLS13-AES256-GCM-SHA384 -r
./examples/server/server -v 4 -l TLS13-CHACHA20-POLY1305-SHA256 -r &
./examples/client/client -v 4 -l TLS13-CHACHA20-POLY1305-SHA256 -r

199
kernel/FreeRTOS-Plus/ThirdParty/wolfSSL/scripts/stm32l4-v4_0_1_build.sh vendored Executable file
View File

@ -0,0 +1,199 @@
#!/bin/bash
WOLF_ROOT=$(eval "pwd")
echo "WOLF_ROOT set to: \"$WOLF_ROOT\""
cd ../ || exit 5
APP_ROOT=$(eval "pwd")
echo "APP_ROOT set to: \"$APP_ROOT\""
cd ../../ || exit 5
FIRMWARE_ROOT=$(eval "pwd")
echo "FIRMWARE_ROOT set to: \"$FIRMWARE_ROOT\""
cd "$WOLF_ROOT" || exit 5
WOLFCRYPT_SRC_LIST=(wolfcrypt_first hmac random sha256 rsa ecc aes des3 sha
sha512 sha3 dh cmac fips fips_test wolfcrypt_last asn coding
dsa error hash logging md5 memory signature tfm wc_encrypt
wc_port wolfmath
)
assumptions(){
printf '%s\n' "ASSUMPTIONS:"
printf '%s\n' "It is assumed that the firmware directory layout is as follows:"
printf '%s\n' "firmware-root/"
printf '%s\n' "firmware-root/dir1/"
printf '%s\n' "firmware-root/dir1/app-root/"
printf '%s\n' "firmware-root/dir1/app-root/wolfssl-x.x.x-commercial-fips-stm32l4-v2/"
printf '\n\n%s\n' "It is also assumed this script will be run from the directory:"
printf '%s\n' "firmware-root/dir1/app-root/wolfssl-x.x.x-commercial-fips-stm32l4-v2/"
printf '%s\n' "with the command:"
printf '%s\n' "./scripts/stm32l4-v4_0_2_build.sh"
}
flatten_wolfcrypt_sources(){
if [ -d "$WOLF_ROOT" ]; then
for TARGET_FILE in "${WOLFCRYPT_SRC_LIST[@]}"
do
if [ -f "$APP_ROOT/$TARGET_FILE".c ]; then
printf '%s\n' "Removing: APP_ROOT/$TARGET_FILE.c"
rm "$APP_ROOT/$TARGET_FILE".c
fi
printf '%s\n' "WOLF_ROOT/wolfcrypt/src/$TARGET_FILE.c --> APP_ROOT/$TARGET_FILE.c"
cp "$WOLF_ROOT/wolfcrypt/src/$TARGET_FILE".c "$APP_ROOT/"
done
# uncomment to copy over the test app for testing purposes
#cp "$WOLF_ROOT/wolfcrypt/test/test.c" ./
else
printf '%s\n' "Please update the MY_WOLF_RELEASE_VARIABLE to the name"
printf '%s\n' "of the release you received most recently. Currently"
printf '%s\n' "it is set to \"$MY_WOLF_RELEASE_NAME\""
fi
}
update_user_settings(){
if [ -f user_settings.h ]; then
printf '%s\n' "Removing old user_settings.h"
rm user_settings.h
fi
printf '%s\n' "Generating new user_settings.h..."
touch user_settings.h
printf '%s\n' "#ifndef STM32L4_V_4_0_1_USER_SETTINGS_H" > user_settings.h
{
printf '%s\n' "#define STM32L4_V_4_0_1_USER_SETTINGS_H";
printf '%s\n' "";
printf '%s\n' "/* FIPS SETTINGS - BEGIN */";
printf '%s\n' "#define HAVE_FIPS";
printf '%s\n' "#define HAVE_FIPS_VERSION 2";
printf '%s\n' "#define NO_THREAD_LS";
printf '%s\n' "#define NO_STRICT_ECDSA_LEN";
printf '%s\n' "#define HAVE_ECC";
printf '%s\n' "#define HAVE_HKDF";
printf '%s\n' "#define HAVE_AESCCM";
printf '%s\n' "#define HAVE_AES_ECB";
printf '%s\n' "#define HAVE_ECC_CDH";
printf '%s\n' "#define HAVE_FFDHE_Q";
printf '%s\n' "#define HAVE_FFDHE_2048"; # NEW
printf '%s\n' "#define HAVE_HASHDRBG";
printf '%s\n' "#define WOLFSSL_SHA3";
printf '%s\n' "#define WOLFSSL_CMAC";
printf '%s\n' "#define WOLFSSL_SHA224";
printf '%s\n' "#define WOLFSSL_SHA384";
printf '%s\n' "#define WOLFSSL_SHA512";
printf '%s\n' "#define WOLFSSL_KEY_GEN";
printf '%s\n' "#define WOLFSSL_PUBLIC_MP";
printf '%s\n' "#define WOLFSSL_AES_DIRECT";
printf '%s\n' "#define WOLFSSL_AES_COUNTER";
printf '%s\n' "#define WOLFSSL_BASE64_ENCODE";
printf '%s\n' "#define WOLFSSL_VALIDATE_FFC_IMPORT";
printf '%s\n' "#define WOLFSSL_VALIDATE_ECC_IMPORT";
printf '%s\n' "#define WC_RSA_PSS";
printf '%s\n' "#define WC_RSA_NO_PADDING";
# NEW printf '%s\n' "#define WC_RSA_BLINDING";
printf '%s\n' "#define FP_MAX_BITS 8192";
printf '%s\n' "";
printf '%s\n' "/* For operational testing use only in validation effort */";
# printf '%s\n' "/* #define HAVE_FORCE_FIPS_FAILURE */";
printf '%s\n' "#define HAVE_FORCE_FIPS_FAILURE";
printf '%s\n' "/* FIPS SETTINGS - END */";
printf '%s\n' "";
printf '%s\n' "/* Debugging */";
printf '%s\n' "/* #define WOLFSSL_DEBUG_MEMORY */";
printf '%s\n' "/* #define WOLFSSL_TRACK_MEMORY */";
printf '%s\n' "/* #define WOLFSSL_DEBUG_MEMORY_PRINT */";
printf '%s\n' "/* Debugging */";
printf '%s\n' "";
printf '%s\n' "/* Environment settings */";
printf '%s\n' "#define NO_FILESYSTEM";
printf '%s\n' "#define USE_FAST_MATH";
printf '%s\n' "#define NO_MAIN_DRIVER";
printf '%s\n' "#define WOLFCRYPT_ONLY";
printf '%s\n' "#define WC_RSA_BLINDING";
printf '%s\n' "#define SINGLE_THREADED";
printf '%s\n' "#define TFM_TIMING_RESISTANT";
printf '%s\n' "#define ECC_TIMING_RESISTANT";
printf '%s\n' "#define USE_CERT_BUFFERS_256";
printf '%s\n' "#define USE_CERT_BUFFERS_2048";
printf '%s\n' "#define WOLFSSL_STM32L4";
printf '%s\n' "#define WOLFSSL_STM32_CUBEMX";
printf '%s\n' "#define WOLFSSL_CUBEMX_USE_LL";
printf '%s\n' "#define STM32_RNG";
printf '%s\n' "#define NO_STM32_CRYPTO";
printf '%s\n' "#define NO_STM32_HASH";
printf '%s\n' "#define NO_OLD_RNGNAME";
printf '%s\n' "/* Environment settings */";
printf '%s\n' "";
printf '%s\n' "/* Tuning options */";
printf '%s\n' "#define ALT_ECC_SIZE";
printf '%s\n' "#define NO_RC4";
printf '%s\n' "#define NO_MD4";
printf '%s\n' "#define NO_PSK";
printf '%s\n' "#define NO_HC128";
printf '%s\n' "#define NO_RABBIT";
printf '%s\n' "#define GCM_SMALL";
printf '%s\n' "#define TFM_ECC256";
printf '%s\n' "#define ECC_SHAMIR";
printf '%s\n' "#define HAVE_AESGCM";
printf '%s\n' "#define NO_PWDBASED";
printf '%s\n' "/* Tuning options */";
printf '%s\n' "";
printf '%s\n' "/* Non-FIPS related settings */";
printf '%s\n' "#define HAVE_TLS_EXTENSIONS";
printf '%s\n' "#define HAVE_EXTENDED_MASTER";
printf '%s\n' "#define HAVE_SUPPORTED_CURVES";
printf '%s\n' "/* Non-FIPS related settings */";
printf '%s\n' "";
printf '%s\n' "/* Agent harness settings */";
printf '%s\n' "#define USE_NORMAL_PRINTF";
printf '%s\n' "#define STM32L4R9I_DISCO";
printf '%s\n' "#define USE_NORMAL_SCAN";
printf '%s\n' "#define HAVE_FIPS";
printf '%s\n' "#define HAVE_FIPS_VERSION 2";
printf '%s\n' "#define VERIFY_GENERATED_PSS_SIGS";
printf '%s\n' "/* Agent harness settings */";
printf '%s\n' "";
printf '%s\n' "#endif /* STM32L4_V_4_0_1_USER_SETTINGS_H */";
printf '%s\n' "";
} >> user_settings.h
printf '%s\n' "new user_settings.h has been created"
}
assumptions
if [ -f wolfssl/ssl.h ]; then
if [ -f "$FIRMWARE_ROOT"/project.mk ]; then
printf '%s\n' "Found ../../../project.mk, wolfSSL properly placed in"
printf '%s\n' "application root directory"
else
printf '%s\n' "Failed to locate ../../../project.mk, wolfSSL in wrong"
printf '%s\n' "location or assumptions need updated."
fi
else
printf '%s\n' "Run this script from the wolfSSL root directory"
exit 1
fi
flatten_wolfcrypt_sources
# optional test application, remove if not testing
if [ -f "$APP_ROOT/test.c" ]; then
printf '%s\n' "Removing: $APP_ROOT/test.c"
rm "$APP_ROOT/test.c"
fi
printf '%s\n' "WOLF_ROOT/wolfcrypt/test/test.c --> APP_ROOT/test.c"
cp "$WOLF_ROOT/wolfcrypt/test/test.c" "$APP_ROOT/"
# optional test application section end
# used during fips validation only, these will not be in final distribution
#./scripts/flatten-agent-sources.sh
#./scripts/flatten-op-test.sh
# used during fips validation only, these will not be in final distribution
update_user_settings
cd "$FIRMWARE_ROOT"
make clean
make -j 1
cd "$APP_ROOT"
make install-target

BIN
kernel/FreeRTOS-Plus/ThirdParty/wolfSSL/scripts/testsuite.pcap vendored Normal file
View File

Binary file not shown.

206
kernel/FreeRTOS-Plus/ThirdParty/wolfSSL/scripts/tls13.test vendored Executable file
View File

@ -0,0 +1,206 @@
#!/bin/sh
# tls13.test
# copyright wolfSSL 2016
# getting unique port is modeled after resume.test script
# need a unique port since may run the same time as testsuite
# use server port zero hack to get one
port=0
no_pid=-1
server_pid=$no_pid
counter=0
# let's use absolute path to a local dir (make distcheck may be in sub dir)
# also let's add some randomness by adding pid in case multiple 'make check's
# per source tree
ready_file=`pwd`/wolfssl_tls13_ready$$
client_file=`pwd`/wolfssl_tls13_client$$
echo "ready file $ready_file"
create_port() {
while [ ! -s $ready_file ]; do
if [ "$counter" -gt 50 ]; then
break
fi
echo -e "waiting for ready file..."
sleep 0.1
counter=$((counter+ 1))
done
if [ -e $ready_file ]; then
echo -e "found ready file, starting client..."
# get created port 0 ephemeral port
port=`cat $ready_file`
else
echo -e "NO ready file ending test..."
do_cleanup
fi
}
remove_ready_file() {
if [ -e $ready_file ]; then
echo -e "removing existing ready file"
rm $ready_file
fi
}
do_cleanup() {
echo "in cleanup"
if [ $server_pid != $no_pid ]
then
echo "killing server"
kill -9 $server_pid
fi
remove_ready_file
if [ -e $client_file ]; then
echo -e "removing existing client file"
rm $client_file
fi
}
do_trap() {
echo "got trap"
do_cleanup
exit -1
}
trap do_trap INT TERM
[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
./examples/client/client '-?' 2>&1 | grep -- 'Client not compiled in!'
if [ $? -eq 0 ]; then
exit 0
fi
./examples/server/server '-?' 2>&1 | grep -- 'Server not compiled in!'
if [ $? -eq 0 ]; then
exit 0
fi
# Usual TLS v1.3 server / TLS v1.3 client.
echo -e "\n\nTLS v1.3 server with TLS v1.3 client"
port=0
./examples/server/server -v 4 -R $ready_file -p $port &
server_pid=$!
create_port
./examples/client/client -v 4 -p $port | tee $client_file
RESULT=$?
remove_ready_file
if [ $RESULT -ne 0 ]; then
echo -e "\n\nTLS v1.3 not enabled"
do_cleanup
exit 1
fi
echo ""
# TLS 1.3 cipher suites server / client.
echo -e "\n\nTLS v1.3 cipher suite mismatch"
port=0
./examples/server/server -v 4 -R $ready_file -p $port -l TLS13-CHACHA20-POLY1305-SHA256 &
server_pid=$!
create_port
./examples/client/client -v 4 -p $port -l TLS13-AES256-GCM-SHA384
RESULT=$?
remove_ready_file
if [ $RESULT -eq 0 ]; then
echo -e "\n\nIssue with mismatched TLS v1.3 cipher suites"
exit 1
fi
do_cleanup
echo ""
cat ./wolfssl/options.h | grep -- 'NO_CERTS'
if [ $? -ne 0 ]; then
# TLS 1.3 mutual auth required but client doesn't send certificates.
echo -e "\n\nTLS v1.3 mutual auth fail"
port=0
./examples/server/server -v 4 -F -R $ready_file -p $port &
server_pid=$!
create_port
./examples/client/client -v 4 -x -p $port
RESULT=$?
remove_ready_file
if [ $RESULT -eq 0 ]; then
echo -e "\n\nIssue with requiring mutual authentication"
exit 1
fi
do_cleanup
echo ""
fi
./examples/client/client -v 3 2>&1 | grep -- 'Bad SSL version'
if [ $? -ne 0 ]; then
# TLS 1.3 server / TLS 1.2 client.
echo -e "\n\nTLS v1.3 server downgrading to TLS v1.2"
port=0
./examples/server/server -v 4 -R $ready_file -p $port &
server_pid=$!
create_port
./examples/client/client -v 3 -p $port
RESULT=$?
remove_ready_file
if [ $RESULT -eq 0 ]; then
echo -e "\n\nIssue with TLS v1.3 server downgrading to TLS v1.2"
exit 1
fi
do_cleanup
echo ""
# TLS 1.2 server / TLS 1.3 client.
echo -e "\n\nTLS v1.3 client upgrading server to TLS v1.3"
port=0
./examples/server/server -v 3 -R $ready_file -p $port &
server_pid=$!
create_port
./examples/client/client -v 4 -p $port
RESULT=$?
remove_ready_file
if [ $RESULT -eq 0 ]; then
echo -e "\n\nIssue with TLS v1.3 client upgrading server to TLS v1.3"
exit 1
fi
do_cleanup
echo ""
echo "Find usable TLS 1.2 cipher suite"
for CS in ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256
do
echo $CS
./examples/client/client -e | grep $CS >/dev/null
if [ "$?" = "0" ]; then
TLS12_CS=$CS
break
fi
do_cleanup
done
if [ "$TLS12_CS" != "" ]; then
# TLS 1.3 downgrade server and client - no common TLS 1.3 ciphers
echo -e "\n\nTLS v1.3 downgrade server and client - no common TLS 1.3 ciphers"
port=0
SERVER_CS="TLS13-AES256-GCM-SHA384:$TLS12_CS"
CLIENT_CS="TLS13-AES128-GCM-SHA256:$TLS12_CS"
./examples/server/server -v d -l $SERVER_CS -R $ready_file -p $port &
server_pid=$!
create_port
./examples/client/client -v d -l $CLIENT_CS -p $port
RESULT=$?
remove_ready_file
if [ $RESULT -eq 0 ]; then
echo -e "\n\nTLS v1.3 downgrading to TLS v1.2 due to ciphers"
exit 1
fi
do_cleanup
echo ""
else
echo "No usable TLS 1.2 cipher suite found"
fi
fi
do_cleanup
echo -e "\nALL Tests Passed"
exit 0

286
kernel/FreeRTOS-Plus/ThirdParty/wolfSSL/scripts/trusted_peer.test vendored Executable file
View File

@ -0,0 +1,286 @@
#!/bin/sh
# trusted_peer.test
# copyright wolfSSL 2016
# getting unique port is modeled after resume.test script
# need a unique port since may run the same time as testsuite
# use server port zero hack to get one
port=0
no_pid=-1
server_pid=$no_pid
counter=0
# let's use absolute path to a local dir (make distcheck may be in sub dir)
# also let's add some randomness by adding pid in case multiple 'make check's
# per source tree
ready_file=`pwd`/wolfssl_tp_ready$$
# variables for certs so can use RSA or ECC
client_cert=`pwd`/certs/client-cert.pem
client_ca=`pwd`/certs/ca-cert.pem
client_key=`pwd`/certs/client-key.pem
ca_key=`pwd`/certs/ca-key.pem
server_cert=`pwd`/certs/server-cert.pem
server_key=`pwd`/certs/server-key.pem
combined_cert=`pwd`/certs/client_combined.pem
wrong_ca=`pwd`/certs/wolfssl-website-ca.pem
wrong_cert=`pwd`/certs/server-revoked-cert.pem
echo "ready file $ready_file"
create_port() {
while [ ! -s $ready_file -a "$counter" -lt 20 ]; do
echo -e "waiting for ready file..."
sleep 0.1
counter=$((counter+ 1))
done
if test -e $ready_file; then
echo -e "found ready file, starting client..."
# get created port 0 ephemeral port
port=`cat $ready_file`
else
echo -e "NO ready file ending test..."
do_cleanup
fi
}
remove_ready_file() {
if test -e $ready_file; then
echo -e "removing existing ready file"
rm $ready_file
fi
}
do_cleanup() {
echo "in cleanup"
if [ $server_pid != $no_pid ]
then
echo "killing server"
kill -9 $server_pid
fi
remove_ready_file
}
do_trap() {
echo "got trap"
do_cleanup
exit -1
}
trap do_trap INT TERM
[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
# Look for if RSA and/or ECC is enabled and adjust certs/keys
ciphers=`./examples/client/client -e`
if [[ $ciphers != *"RSA"* ]]; then
if [[ $ciphers == *"ECDSA"* ]]; then
client_cert=`pwd`/certs/client-ecc-cert.pem
client_ca=`pwd`/certs/server-ecc.pem
client_key=`pwd`/certs/ecc-client-key.pem
ca_key=`pwd`/certs/ecc-key.pem
server_cert=`pwd`/certs/server-ecc.pem
server_key=`pwd`/certs/ecc-key.pem
wrong_ca=`pwd`/certs/server-ecc-comp.pem
wrong_cert=`pwd`/certs/server-ecc-comp.pem
else
echo "configure options not set up for test. No RSA or ECC"
exit 0
fi
fi
# CRL list not set up for tests
crl_test=`./examples/client/client -h`
if [[ $crl_test == *"-C "* ]]; then
echo "test not set up to run with CRL"
exit 0
fi
# Test for trusted peer certs build
echo ""
echo "Checking built with trusted peer certs "
echo "-----------------------------------------------------"
port=0
remove_ready_file
./examples/server/server -E $client_cert -c $server_cert -k $server_key -R $ready_file -p $port &
server_pid=$!
create_port
./examples/client/client -A $client_ca -p $port
RESULT=$?
remove_ready_file
# if fail here then is a settings issue so return 0
if [ $RESULT -ne 0 ]; then
echo -e "\n\nTrusted peer certs not enabled \"WOLFSSL_TRUST_PEER_CERT\""
do_cleanup
exit 0
fi
echo ""
# Test that using no CA's and only trusted peer certs works
echo "Server and Client relying on trusted peer cert loaded"
echo "-----------------------------------------------------"
port=0
./examples/server/server -A $wrong_ca -E $client_cert -c $server_cert -k $server_key -R $ready_file -p $port &
server_pid=$!
create_port
./examples/client/client -A $wrong_ca -E $server_cert -c $client_cert -p $port
RESULT=$?
remove_ready_file
if [ $RESULT -ne 0 ]; then
echo -e "\nServer and Client trusted peer cert failed!"
do_cleanup
exit 1
fi
echo ""
# Test that using server trusted peer certs works
echo "Server relying on trusted peer cert loaded"
echo "-----------------------------------------------------"
port=0
./examples/server/server -A $wrong_ca -E $client_cert -c $server_cert -k $server_key -R $ready_file -p $port &
server_pid=$!
create_port
./examples/client/client -A $client_ca -c $client_cert -p $port
RESULT=$?
remove_ready_file
if [ $RESULT -ne 0 ]; then
echo -e "\nServer trusted peer cert test failed!"
do_cleanup
exit 1
fi
echo ""
# Test that using client trusted peer certs works
echo "Client relying on trusted peer cert loaded"
echo "-----------------------------------------------------"
port=0
./examples/server/server -c $server_cert -k $server_key -R $ready_file -p $port &
server_pid=$!
create_port
./examples/client/client -A $wrong_ca -E $server_cert -p $port
RESULT=$?
remove_ready_file
if [ $RESULT -ne 0 ]; then
echo -e "\nClient trusted peer cert test failed!"
do_cleanup
exit 1
fi
echo ""
# Test that client fall through to CA works
echo "Client fall through to loaded CAs"
echo "-----------------------------------------------------"
port=0
./examples/server/server -c $server_cert -k $server_key -R $ready_file -p $port &
server_pid=$!
create_port
./examples/client/client -A $client_ca -E $wrong_cert -p $port
RESULT=$?
remove_ready_file
if [ $RESULT -ne 0 ]; then
echo -e "\nClient trusted peer cert fall through to CA test failed!"
do_cleanup
exit 1
fi
echo ""
# Test that client can fail
# check if using ECC client example is hard coded to load correct ECC ca so skip
if [[ $wrong_ca != *"ecc"* ]]; then
echo "Client wrong CA and wrong trusted peer cert loaded"
echo "-----------------------------------------------------"
port=0
./examples/server/server -c $server_cert -k $server_key -R $ready_file -p $port &
server_pid=$!
create_port
./examples/client/client -A $wrong_ca -E $wrong_cert -p $port
RESULT=$?
remove_ready_file
if [ $RESULT -eq 0 ]; then
echo -e "\nClient trusted peer cert test failed!"
do_cleanup
exit 1
fi
echo ""
fi
# Test that server can fail
echo "Server wrong CA and wrong trusted peer cert loaded"
echo "-----------------------------------------------------"
port=0
./examples/server/server -A $wrong_ca -E $wrong_cert -c $server_cert -k $server_key -R $ready_file -p $port &
server_pid=$!
create_port
./examples/client/client -A $client_ca -p $port
RESULT=$?
remove_ready_file
if [ $RESULT -eq 0 ]; then
echo -e "\nServer trusted peer cert test failed!"
do_cleanup
exit 1
fi
echo ""
# Test that server fall through to CA works
echo "Server fall through to loaded CAs"
echo "-----------------------------------------------------"
port=0
./examples/server/server -E $wrong_cert -c $server_cert -k $server_key -R $ready_file -p $port &
server_pid=$!
create_port
./examples/client/client -A $client_ca -p $port
RESULT=$?
remove_ready_file
if [ $RESULT -ne 0 ]; then
echo -e "\nServer trusted peer cert fall through to CA test failed!"
do_cleanup
exit 1
fi
echo ""
# test loading multiple certs
echo "Server loading multiple trusted peer certs"
echo "Test two success cases and one fail case"
echo "-----------------------------------------------------"
port=0
cat $client_cert $client_ca > $combined_cert
./examples/server/server -i -A $wrong_ca -E $combined_cert -c $server_cert -k $server_key -R $ready_file -p $port &
server_pid=$!
create_port
./examples/client/client -A $client_ca -c $client_cert -k $client_key -p $port
RESULT=$?
if [ $RESULT -ne 0 ]; then
echo -e "\nServer load multiple trusted peer certs failed!"
do_cleanup
exit 1
fi
./examples/client/client -A $client_ca -c $client_ca -k $ca_key -p $port
RESULT=$?
if [ $RESULT -ne 0 ]; then
echo -e "\nServer load multiple trusted peer certs failed!"
do_cleanup
exit 1
fi
./examples/client/client -A $client_ca -c $wrong_cert -k $client_key -p $port
RESULT=$?
if [ $RESULT -eq 0 ]; then
echo -e "\nServer load multiple trusted peer certs failed!"
do_cleanup
exit 1
fi
do_cleanup # kill PID of server running in infinite loop
rm $combined_cert
remove_ready_file
echo ""
echo "-----------------------------------------------------"
echo "ALL TESTS PASSED"
echo "-----------------------------------------------------"
exit 0