diff --git a/scripts/ocsp-stapling.test b/scripts/ocsp-stapling.test index e7598a7e7a..85d02dec4b 100755 --- a/scripts/ocsp-stapling.test +++ b/scripts/ocsp-stapling.test @@ -38,7 +38,7 @@ if ! ./examples/client/client -V | grep -q 3; then exit 77 fi -if ./examples/client/client '-#' | fgrep -q -e ' -DWOLFSSL_SNIFFER '; then +if ./examples/client/client '-#' | grep -F -q -e ' -DWOLFSSL_SNIFFER '; then echo 'skipping oscp-stapling.test because WOLFSSL_SNIFFER defined.' exit 77 fi @@ -49,21 +49,20 @@ fi if ./examples/client/client -? 2>&1 | grep -q 'DTLSv1.3'; then dtls13=yes fi -./examples/client/client '-?' 2>&1 | grep -- 'Perform multi OCSP stapling for TLS13' -if [ $? -eq 0 ]; then +if ./examples/client/client '-?' 2>&1 | grep -q -- 'Perform multi OCSP stapling for TLS13'; then tls13multi=yes else tls13multi=no fi -if openssl s_server -help 2>&1 | fgrep -q -i ipv6 && nc -h 2>&1 | fgrep -q -i ipv6; then +if openssl s_server -help 2>&1 | grep -F -q -i ipv6 && nc -h 2>&1 | grep -F -q -i ipv6; then IPV6_SUPPORTED=yes else IPV6_SUPPORTED=no fi -if ./examples/client/client '-#' | fgrep -q -e ' -DTEST_IPV6 '; then +if ./examples/client/client '-#' | grep -F -q -e ' -DTEST_IPV6 '; then if [[ "$IPV6_SUPPORTED" == "no" ]]; then echo 'Skipping IPV6 test in environment lacking IPV6 support.' exit 77 @@ -92,9 +91,9 @@ PARENTDIR="$PWD" WORKSPACE="${PARENTDIR}/workspace.pid$$" mkdir "${WORKSPACE}" || exit $? -cp -pR ${SCRIPT_DIR}/../certs "${WORKSPACE}"/ || exit $? +cp -pR "${SCRIPT_DIR}"/../certs "${WORKSPACE}"/ || exit $? cd "$WORKSPACE" || exit $? -ln -s ../examples +ln -s ../examples . CERT_DIR="./certs/ocsp" ready_file="$WORKSPACE"/wolf_ocsp_s1_readyF$$ @@ -107,9 +106,9 @@ wait_for_readyFile(){ counter=0 - while [ ! -s "$1" -a "$counter" -lt 20 ]; do + while [ ! -s "$1" ] && [ "$counter" -lt 20 ]; do if [[ -n "${2-}" ]]; then - if ! kill -0 $2 2>&-; then + if ! kill -0 "$2" 2>&-; then echo "pid $2 for port ${3-} exited before creating ready file. bailing..." exit 1 fi 
@@ -148,7 +147,7 @@ retry_with_backoff() { if [ $status -eq 0 ]; then return 0 fi - if [ $attempt -ge $max_attempts ]; then + if [ "$attempt" -ge "$max_attempts" ]; then return $status fi printf '%s\n' "Retry $attempt/$max_attempts failed, backing off ${delay}s..." 
@@ -162,55 +161,57 @@ retry_with_backoff() { create_new_cnf() { printf '%s\n' "Random Port Selected: $1" - printf '%s\n' "#" > $test_cnf - printf '%s\n' "# openssl configuration file for OCSP certificates" >> $test_cnf - printf '%s\n' "#" >> $test_cnf - printf '%s\n' "" >> $test_cnf - printf '%s\n' "# Extensions to add to a certificate request (intermediate1-ca)" >> $test_cnf - printf '%s\n' "[ v3_req1 ]" >> $test_cnf - printf '%s\n' "basicConstraints = CA:false" >> $test_cnf - printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf - printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf - printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf - printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:$1" >> $test_cnf - printf '%s\n' "" >> $test_cnf - printf '%s\n' "# Extensions to add to a certificate request (intermediate2-ca)" >> $test_cnf - printf '%s\n' "[ v3_req2 ]" >> $test_cnf - printf '%s\n' "basicConstraints = CA:false" >> $test_cnf - printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf - printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf - printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf - printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:22222" >> $test_cnf - printf '%s\n' "" >> $test_cnf - printf '%s\n' "# Extensions to add to a certificate request (intermediate3-ca)" >> $test_cnf - printf '%s\n' "[ v3_req3 ]" >> $test_cnf - printf '%s\n' "basicConstraints = CA:false" >> $test_cnf - printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf - printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf - printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf - printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:22223" >> $test_cnf - printf '%s\n' "" >> $test_cnf - printf '%s\n' "# Extensions for a typical CA" >> $test_cnf - printf 
'%s\n' "[ v3_ca ]" >> $test_cnf - printf '%s\n' "basicConstraints = CA:true" >> $test_cnf - printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf - printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf - printf '%s\n' "keyUsage = keyCertSign, cRLSign" >> $test_cnf - printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:22220" >> $test_cnf - printf '%s\n' "" >> $test_cnf - printf '%s\n' "# OCSP extensions." >> $test_cnf - printf '%s\n' "[ v3_ocsp ]" >> $test_cnf - printf '%s\n' "basicConstraints = CA:false" >> $test_cnf - printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf - printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf - printf '%s\n' "extendedKeyUsage = OCSPSigning" >> $test_cnf - - mv $test_cnf $CERT_DIR/$test_cnf - cd $CERT_DIR + { + printf '%s\n' "#" + printf '%s\n' "# openssl configuration file for OCSP certificates" + printf '%s\n' "#" + printf '%s\n' "" + printf '%s\n' "# Extensions to add to a certificate request (intermediate1-ca)" + printf '%s\n' "[ v3_req1 ]" + printf '%s\n' "basicConstraints = CA:false" + printf '%s\n' "subjectKeyIdentifier = hash" + printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" + printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" + printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:$1" + printf '%s\n' "" + printf '%s\n' "# Extensions to add to a certificate request (intermediate2-ca)" + printf '%s\n' "[ v3_req2 ]" + printf '%s\n' "basicConstraints = CA:false" + printf '%s\n' "subjectKeyIdentifier = hash" + printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" + printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" + printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:22222" + printf '%s\n' "" + printf '%s\n' "# Extensions to add to a certificate request (intermediate3-ca)" + printf '%s\n' "[ v3_req3 ]" + printf '%s\n' "basicConstraints = CA:false" + 
printf '%s\n' "subjectKeyIdentifier = hash" + printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" + printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" + printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:22223" + printf '%s\n' "" + printf '%s\n' "# Extensions for a typical CA" + printf '%s\n' "[ v3_ca ]" + printf '%s\n' "basicConstraints = CA:true" + printf '%s\n' "subjectKeyIdentifier = hash" + printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" + printf '%s\n' "keyUsage = keyCertSign, cRLSign" + printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:22220" + printf '%s\n' "" + printf '%s\n' "# OCSP extensions." + printf '%s\n' "[ v3_ocsp ]" + printf '%s\n' "basicConstraints = CA:false" + printf '%s\n' "subjectKeyIdentifier = hash" + printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" + printf '%s\n' "extendedKeyUsage = OCSPSigning" + } > "$test_cnf" + + mv "$test_cnf" "$CERT_DIR/$test_cnf" + cd "$CERT_DIR" || exit CURR_LOC="$PWD" printf '%s\n' "echo now in $CURR_LOC" - ./renewcerts-for-test.sh $test_cnf - cd "$WORKSPACE" + ./renewcerts-for-test.sh "$test_cnf" + cd "$WORKSPACE" || exit } remove_ready_file() { @@ -232,7 +233,7 @@ cleanup() kill -s KILL "$i" done remove_ready_file - rm $CERT_DIR/$test_cnf + rm "$CERT_DIR/$test_cnf" cd "$PARENTDIR" || return 1 rm -r "$WORKSPACE" || return 1 
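Review bot: The return status of `./renewcerts-for-test.sh "$test_cnf"` is still ignored even though this hunk adds `|| exit` guards around the surrounding `cd` calls, so a failed regeneration leaves the copied repository certificates in place and the OCSP cases later fail with an unrelated responder-lookup error instead of at the cause. Assuming the helper returns non-zero on failure, `./renewcerts-for-test.sh "$test_cnf" || { printf '%s\n' "renewcerts-for-test.sh failed"; exit 1; }` makes that explicit. `cd "$CERT_DIR" || exit` also terminates silently with cd's status; a one-line message there would help diagnosis. The unchanged `printf '%s\n' "echo now in $CURR_LOC"` prints the literal word `echo`, presumably a leftover from an earlier echo-to-printf conversion.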
@@ -245,17 +246,16 @@ cleanup() trap cleanup EXIT INT TERM HUP [ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1 -./examples/client/client '-?' 2>&1 | grep -- 'Client not compiled in!' -if [ $? -eq 0 ]; then +if ./examples/client/client '-?' 2>&1 | grep -q -- 'Client not compiled in!'; then exit 0 fi # check if supported key size is large enough to handle 4096 bit RSA size="$(./examples/client/client '-?' | grep "Max RSA key")" size="${size//[^0-9]/}" -if [ ! -z "$size" ]; then - printf 'check on max key size of %d ...' $size - if [ $size -lt 4096 ]; then +if [ -n "$size" ]; then + printf 'check on max key size of %d ...' "$size" + if [ "$size" -lt 4096 ]; then printf '%s\n' "4096 bit RSA keys not supported" exit 0 fi @@ -272,7 +272,7 @@ get_first_free_port() { if [[ "$ret" -ge 65536 ]]; then ret=1024 fi - if ! nc -z $V4V6_FLAG $LOCALHOST_FOR_NC "$ret"; then + if ! nc -z "$V4V6_FLAG" $LOCALHOST_FOR_NC "$ret"; then break fi ret=$((ret+1)) @@ -281,7 +281,7 @@ get_first_free_port() { return 0 } -base_port=$((((($$ + $RETRIES_REMAINING) * 5) % (65536 - 2048)) + 1024)) +base_port=$((((($$ + RETRIES_REMAINING) * 5) % (65536 - 2048)) + 1024)) port1=$(get_first_free_port $base_port) port2=$(get_first_free_port $((port1 + 1))) port3=$(get_first_free_port $((port2 + 1))) 
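Review bot: `$LOCALHOST_FOR_NC` is left unquoted in the `nc -z` probe while `$V4V6_FLAG` on the same line gained quotes; for consistency with the rest of this commit make it `nc -z "$V4V6_FLAG" "$LOCALHOST_FOR_NC" "$ret"`. Note that quoting `$V4V6_FLAG` is a semantic change if the variable can ever be empty: unquoted it vanished, quoted it becomes an empty first argument that nc treats as the host, the probe fails, `! nc -z` is true, and every candidate port looks free. The assignments are outside this hunk, so confirm it is always `-4` or `-6`; the same caveat applies to the `openssl s_client` and `s_server` call sites quoted later in this diff. get_first_free_port begins before this hunk.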
@@ -290,29 +290,28 @@ port3=$(get_first_free_port $((port2 + 1))) # test interop fail case ready_file=$PWD/wolf_ocsp_readyF$$ printf '%s\n' "ready file: \"$ready_file\"" -./examples/server/server -b -p $port1 -o -R "$ready_file" & +./examples/server/server -b -p "$port1" -o -R "$ready_file" & wolf_pid=$! -wait_for_readyFile "$ready_file" $wolf_pid $port1 +wait_for_readyFile "$ready_file" "$wolf_pid" "$port1" if [ ! -f "$ready_file" ]; then printf '%s\n' "Failed to create ready file: \"$ready_file\"" exit 1 else # should fail if ocspstapling is also enabled - OPENSSL_OUTPUT=$(echo "hi" | openssl s_client -status $V4V6_FLAG -legacy_renegotiation -connect "${LOCALHOST}:$port1" -cert ./certs/client-cert.pem -key ./certs/client-key.pem -CAfile ./certs/ocsp/root-ca-cert.pem 2>&1) + OPENSSL_OUTPUT=$(echo "hi" | openssl s_client -status "$V4V6_FLAG" -legacy_renegotiation -connect "${LOCALHOST}:$port1" -cert ./certs/client-cert.pem -key ./certs/client-key.pem -CAfile ./certs/ocsp/root-ca-cert.pem 2>&1) OPENSSL_RESULT=$? echo "$OPENSSL_OUTPUT" - fgrep -q 'self signed certificate in certificate chain' <<< "$OPENSSL_OUTPUT" + grep -F -q 'self signed certificate in certificate chain' <<< "$OPENSSL_OUTPUT" FGREP1_RESULT=$? - fgrep -q 'self-signed certificate in certificate chain' <<< "$OPENSSL_OUTPUT" + grep -F -q 'self-signed certificate in certificate chain' <<< "$OPENSSL_OUTPUT" FGREP2_RESULT=$? - if [ $OPENSSL_RESULT -eq 0 -a $FGREP1_RESULT -ne 0 -a $FGREP2_RESULT -ne 0 ]; then + if [ "$OPENSSL_RESULT" -eq 0 ] && [ "$FGREP1_RESULT" -ne 0 ] && [ "$FGREP2_RESULT" -ne 0 ]; then printf '%s\n' "Expected verification error from s_client is missing." remove_single_rF "$ready_file" exit 1 fi remove_single_rF "$ready_file" - wait $wolf_pid - if [ $? -ne 0 ]; then + if ! wait "$wolf_pid"; then printf '%s\n' "wolfSSL server unexpected fail" exit 1 fi 
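Review bot: The negative interop check only reports a missing verification error when `s_client` exited 0, so any non-zero exit (connection refused because the server was not yet listening, an unsupported `-legacy_renegotiation` on an old OpenSSL, a handshake failure for some other reason) is silently accepted as the expected self-signed-chain error. Requiring the expected text regardless of exit status, `if [ "$FGREP1_RESULT" -ne 0 ] && [ "$FGREP2_RESULT" -ne 0 ]; then`, would make the test assert what its comment says it asserts; hedge this if some OpenSSL build is known to abort before printing the verify text. Matching two fixed strings is also tied to OpenSSL's wording, which changed between releases; `Verify return code: 19` is the stable form if you want to reduce that drift.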
@@ -320,17 +319,17 @@ fi # create a port to use with openssl ocsp responder -./examples/server/server -b -p $port2 -R "$ready_file" & +./examples/server/server -b -p "$port2" -R "$ready_file" & wolf_pid2=$! -wait_for_readyFile "$ready_file" $wolf_pid2 $port2 +wait_for_readyFile "$ready_file" "$wolf_pid2" "$port2" if [ ! -f "$ready_file" ]; then printf '%s\n' "Failed to create ready file: \"$ready_file\"" exit 1 else printf '%s\n' "Random port selected: $port2" # Use client connection to shutdown the server cleanly - ./examples/client/client -p $port2 - create_new_cnf $port2 + ./examples/client/client -p "$port2" + create_new_cnf "$port2" fi sleep 0.1 @@ -343,7 +342,7 @@ server=login.live.com ca=./certs/external/ca_collection.pem if [[ "$V4V6" == "4" ]]; then - retry_with_backoff 3 ./examples/client/client -C -h $server -p 443 -A $ca -g -W 1 + retry_with_backoff 3 ./examples/client/client -C -h "$server" -p 443 -A "$ca" -g -W 1 RESULT=$? [ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1 else @@ -352,8 +351,7 @@ fi # Test with example server -./examples/server/server '-?' 2>&1 | grep -- 'Server not compiled in!' -if [ $? -eq 0 ]; then +if ./examples/server/server '-?' 2>&1 | grep -q -- 'Server not compiled in!'; then exit 0 fi @@ -361,7 +359,7 @@ fi # OLD: ./certs/ocsp/ocspd-intermediate1-ca-issued-certs.sh & # NEW: openssl isn't being cleaned up, invoke directly in script for cleanup # purposes! -openssl ocsp -port $port2 -nmin 1 \ +openssl ocsp -port "$port2" -nmin 1 \ -index certs/ocsp/index-intermediate1-ca-issued-certs.txt \ -rsigner certs/ocsp/ocsp-responder-cert.pem \ -rkey certs/ocsp/ocsp-responder-key.pem \ 
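Review bot: The server on `$port2` is shut down through a client connection whose status is ignored and whose process is never waited on, so the later `openssl ocsp -port "$port2"` bind depends on the `sleep 0.1` outside this hunk having let the listener close; if the shutdown connection fails or is slow the responder bind fails, and the `jobs -r` check after it reports "skipping" rather than a failure. Adding `wait "$wolf_pid2"` immediately after `./examples/client/client -p "$port2"` guarantees the port is released before the responder starts, and checking the client's status (`|| { printf '%s\n' "failed to shut down server on $port2"; exit 1; }`) surfaces the real cause. This assumes a single client connection makes the server exit, as the comment on the line says.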
@@ -370,16 +368,16 @@ openssl ocsp -port $port2 -nmin 1 \ sleep 0.1 # "jobs" is not portable for posix. Must use bash interpreter! -[ $(jobs -r | wc -l) -ne 1 ] && \ +[ "$(jobs -r | wc -l)" -ne 1 ] && \ printf '\n\n%s\n' "Setup ocsp responder failed, skipping" && exit 0 printf '%s\n\n' "------------- TEST CASE 1 SHOULD PASS ------------------------" # client test against our own server - GOOD CERT ./examples/server/server -c certs/ocsp/server1-cert.pem -R "$ready_file2" \ - -k certs/ocsp/server1-key.pem -p $port3 & + -k certs/ocsp/server1-key.pem -p "$port3" & wolf_pid3=$! -wait_for_readyFile "$ready_file2" $wolf_pid3 $port3 -./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -p $port3 +wait_for_readyFile "$ready_file2" "$wolf_pid3" "$port3" +./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -p "$port3" RESULT=$? [ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 1 failed" && exit 1 printf '%s\n\n' "Test PASSED!" @@ -388,11 +386,11 @@ printf '%s\n\n' "------------- TEST CASE 2 SHOULD REVOKE ----------------------" # client test against our own server - REVOKED CERT remove_single_rF "$ready_file2" ./examples/server/server -c certs/ocsp/server2-cert.pem -R "$ready_file2" \ - -k certs/ocsp/server2-key.pem -p $port3 & + -k certs/ocsp/server2-key.pem -p "$port3" & wolf_pid3=$! -wait_for_readyFile "$ready_file2" $wolf_pid3 $port3 +wait_for_readyFile "$ready_file2" "$wolf_pid3" "$port3" sleep 0.1 -./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -p $port3 +./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -p "$port3" RESULT=$? [ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection 2 succeeded $RESULT" \ && exit 1 
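Review bot: When the `jobs -r | wc -l` check decides the OCSP responder did not start, the script prints "skipping" but exits 0, which the harness will count as a pass; the file's other skip paths use `exit 77`, so this should presumably be `printf '\n\n%s\n' "Setup ocsp responder failed, skipping" && exit 77` unless a silent pass is intended here. Elsewhere in this hunk `[ $RESULT -ne 0 ]` and `[ $RESULT -ne 1 ]` are left unquoted while the commit quotes every other test operand; `[ "$RESULT" -ne 0 ]` keeps it consistent with the rest of the change.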
@@ -405,11 +403,11 @@ printf '%s\n\n' "Test successfully REVOKED!" remove_single_rF "$ready_file2" ./examples/server/server -c certs/ocsp/server1-cert.pem -R "$ready_file2" \ -k certs/ocsp/server1-key.pem -v 4 \ - -p $port3 & + -p "$port3" & wolf_pid3=$! - wait_for_readyFile "$ready_file2" $wolf_pid3 $port3 + wait_for_readyFile "$ready_file2" "$wolf_pid3" "$port3" ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -v 4 -F 1 \ - -p $port3 + -p "$port3" RESULT=$? [ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 3 failed" && exit 1 printf '%s\n\n' "Test PASSED!" @@ -419,11 +417,11 @@ printf '%s\n\n' "Test successfully REVOKED!" remove_single_rF "$ready_file2" ./examples/server/server -c certs/ocsp/server1-cert.pem -R "$ready_file2" \ -k certs/ocsp/server1-key.pem -v 4 \ - -p $port3 & + -p "$port3" & wolf_pid3=$! - wait_for_readyFile "$ready_file2" $wolf_pid3 $port3 + wait_for_readyFile "$ready_file2" "$wolf_pid3" "$port3" ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1m -v 4 -F 1 \ - -p $port3 + -p "$port3" RESULT=$? [ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 4 failed" && exit 1 printf '%s\n\n' "Test PASSED!" @@ -433,11 +431,11 @@ printf '%s\n\n' "Test successfully REVOKED!" remove_single_rF "$ready_file2" ./examples/server/server -c certs/ocsp/server2-cert.pem -R "$ready_file2" \ -k certs/ocsp/server2-key.pem -v 4 \ - -p $port3 & + -p "$port3" & wolf_pid3=$! - wait_for_readyFile "$ready_file2" $wolf_pid3 $port3 + wait_for_readyFile "$ready_file2" "$wolf_pid3" "$port3" ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -v 4 -F 1 \ - -p $port3 + -p "$port3" RESULT=$? [ $RESULT -ne 1 ] && \ printf '\n\n%s\n' "Client connection 5 succeeded $RESULT" \ 
@@ -451,15 +449,15 @@ fi if ./examples/client/client -? 2>&1 | grep -q 'DTLSv1.2'; then printf '%s\n\n' "------------- TEST CASE DTLS-1 SHOULD PASS -------------------" # client test against our own server, must staple - GOOD CERT - echo $ready_file2 + echo "$ready_file2" ./examples/server/server -c certs/ocsp/server1-cert.pem -R "$ready_file2" \ -k certs/ocsp/server1-key.pem -u -v 3 \ - -p $port3 & + -p "$port3" & wolf_pid3=$! sleep 0.2 ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -u -v 3 \ - -W 1 -p $port3 + -W 1 -p "$port3" RESULT=$? [ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 5 failed" && exit 1 printf '%s\n\n' "Test PASSED!" @@ -470,11 +468,11 @@ fi # client test against our own server, must staple - GOOD CERT ./examples/server/server -c certs/ocsp/server1-cert.pem -R "$ready_file2" \ -k certs/ocsp/server1-key.pem -u -v 4 \ - -p $port3 & + -p "$port3" & wolf_pid3=$! sleep 0.2 ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -u -v 4 \ - -W 1 -p $port3 + -W 1 -p "$port3" RESULT=$? [ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 5 failed" && exit 1 printf '%s\n\n' "Test PASSED!" 
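Review bot: Both DTLS cases start the server with `-R "$ready_file2"` but never call `wait_for_readyFile`, relying on a fixed `sleep 0.2` instead, which is exactly the race the ready-file mechanism exists to avoid. If the server writes the ready file in DTLS mode too (it is passed the flag, but I cannot confirm from here), replace the sleep with `wait_for_readyFile "$ready_file2" "$wolf_pid3" "$port3"` as the TLS cases in this file do. Both DTLS cases also reuse the message `"Client connection 5 failed"`, which collides with TLS test case 5 above; labelling them `DTLS-1` and `DTLS-2` makes a failure attributable from the log alone.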
@@ -482,28 +480,63 @@ fi fi # need a unique port since may run the same time as testsuite +# Track ports already assigned in this script run to prevent intra-run collisions +used_ports=() + generate_port() { #-------------------------------------------------------------------------# - # Generate a random port number + # Generate a random port number, guaranteed unique within this script run. + # Checks both the intra-run used_ports list and system-level bound ports. #-------------------------------------------------------------------------# + local attempts=0 collision p + + while true; do + if [[ "$OSTYPE" == "linux"* || "$OSTYPE" == "msys" + || "$OSTYPE" == "cygwin"* ]]; then + p=$(($(od -An -N2 /dev/urandom) % (65535-49512) + 49512)) + elif [[ "$OSTYPE" == "darwin"* ]]; then + p=$(($(od -An -N2 /dev/random) % (65535-49512) + 49512)) + else + echo "Unknown OS TYPE" + exit 1 + fi - if [[ "$OSTYPE" == "linux"* || "$OSTYPE" == "msys" - || "$OSTYPE" == "cygwin"* ]]; then - port=$(($(od -An -N2 /dev/urandom) % (65535-49512) + 49512)) - elif [[ "$OSTYPE" == "darwin"* ]]; then - port=$(($(od -An -N2 /dev/random) % (65535-49512) + 49512)) - else - echo "Unknown OS TYPE" - exit 1 - fi + # Check against ports already assigned in this run + collision=0 + for up in "${used_ports[@]}"; do + if [ "$up" = "$p" ]; then + collision=1 + break + fi + done + + # Also check if the port is already bound on this system + if [ $collision -eq 0 ]; then + if command -v ss &>/dev/null; then + ss -lnt 2>/dev/null | grep -q ":${p}[[:space:]]" && collision=1 + elif command -v netstat &>/dev/null; then + netstat -lnt 2>/dev/null | grep -q ":${p}[[:space:]]" && collision=1 + fi + fi + + [ "$collision" -eq 0 ] && break + + ((attempts++)) + if [ "$attempts" -ge 100 ]; then + echo "ERROR: generate_port could not find a free port after 100 attempts" + exit 1 + fi + done + + port=$p + used_ports+=("$p") } # Start OpenSSL server that has no OCSP responses to return generate_port -openssl s_server 
$V4V6_FLAG -cert ./certs/server-cert.pem -key certs/server-key.pem -www -port $port & -openssl_pid=$! +openssl s_server "$V4V6_FLAG" -cert ./certs/server-cert.pem -key certs/server-key.pem -www -port "$port" & MAX_TIMEOUT=10 -until nc -z localhost $port # Wait for openssl to be ready +until nc -z localhost "$port" # Wait for openssl to be ready do sleep 0.05 if [ "$MAX_TIMEOUT" == "0" ]; then @@ -514,7 +547,7 @@ done printf '%s\n\n' "------------- TEST CASE 6 SHOULD PASS ----------------------" # client asks for OCSP staple but doesn't fail when none returned -./examples/client/client -p $port -g -v 3 -W 1 +./examples/client/client -p "$port" -g -v 3 -W 1 RESULT=$? [ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 6 failed" && exit 1 @@ -522,7 +555,7 @@ printf '%s\n\n' "Test PASSED!" printf '%s\n\n' "------------- TEST CASE 7 SHOULD UNKNOWN -------------------" # client asks for OCSP staple but doesn't fail when none returned -./examples/client/client -p $port -g -v 3 -W 1m +./examples/client/client -p "$port" -g -v 3 -W 1m RESULT=$? [ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection 7 succeeded $RESULT" \ @@ -533,10 +566,10 @@ openssl ciphers -tls1_3 openssl_tls13=$? ./examples/client/client -V | grep -q 4 wolfssl_tls13=$? -if [ "$openssl_tls13" = "0" -a "$wolfssl_tls13" = "0" ]; then +if [ "$openssl_tls13" = "0" ] && [ "$wolfssl_tls13" = "0" ]; then printf '%s\n\n' "------------- TEST CASE 8 SHOULD PASS --------------------" # client asks for OCSP staple but doesn't fail when none returned - ./examples/client/client -p $port -g -v 4 -W 1 + ./examples/client/client -p "$port" -g -v 4 -W 1 RESULT=$? [ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 8 failed" && exit 1 
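Review bot: The system-level bind check in generate_port is a silent no-op on darwin even though the function explicitly handles that OS: there is no `ss`, and as far as I know BSD `netstat` does not accept `-lnt`, so the command fails into `2>/dev/null`, grep matches nothing, and `collision` stays 0. The script already depends on `nc` and probes with it in get_first_free_port, so `nc -z "$V4V6_FLAG" "$LOCALHOST_FOR_NC" "$p" && collision=1` would be portable and would honour the IPv4/IPv6 mode, which the address-family-agnostic `ss` grep does not. `used_ports` also starts empty, so the ports get_first_free_port already handed out are not part of the intra-run check; seeding it with `used_ports=("$port1" "$port2" "$port3")` closes that gap, and the loop variable `up` should be added to the `local attempts=0 collision p` line so it does not leak into global scope. The `openssl_pid=$!` assignment is dropped without replacement; that is fine only if cleanup kills background jobs via `jobs -pr` rather than by that variable, which is outside this hunk.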
@@ -544,7 +577,7 @@ if [ "$openssl_tls13" = "0" -a "$wolfssl_tls13" = "0" ]; then printf '%s\n\n' "------------- TEST CASE 9 SHOULD UNKNOWN -----------------" # client asks for OCSP staple but doesn't fail when none returned - ./examples/client/client -p $port -g -v 4 -W 1m + ./examples/client/client -p "$port" -g -v 4 -W 1m RESULT=$? [ $RESULT -ne 1 ] \ diff --git a/scripts/ocsp-stapling2.test b/scripts/ocsp-stapling2.test index cbfdb2e68d..b3808e48e1 100755 --- a/scripts/ocsp-stapling2.test +++ b/scripts/ocsp-stapling2.test @@ -45,18 +45,18 @@ if ! ./examples/client/client -V | grep -q 3; then exit 77 fi -if ./examples/client/client '-#' | fgrep -q -e ' -DWOLFSSL_SNIFFER '; then +if ./examples/client/client '-#' | grep -F -q -e ' -DWOLFSSL_SNIFFER '; then echo 'skipping oscp-stapling2.test because WOLFSSL_SNIFFER defined.' exit 77 fi -if openssl s_server -help 2>&1 | fgrep -q -i ipv6 && nc -h 2>&1 | fgrep -q -i ipv6; then +if openssl s_server -help 2>&1 | grep -F -q -i ipv6 && nc -h 2>&1 | grep -F -q -i ipv6; then IPV6_SUPPORTED=yes else IPV6_SUPPORTED=no fi -if ./examples/client/client '-#' | fgrep -q -e ' -DTEST_IPV6 '; then +if ./examples/client/client '-#' | grep -F -q -e ' -DTEST_IPV6 '; then if [[ "$IPV6_SUPPORTED" == "no" ]]; then echo 'Skipping IPV6 test in environment lacking IPV6 support.' exit 77 @@ -77,9 +77,9 @@ PARENTDIR="$PWD" WORKSPACE="${PARENTDIR}/workspace.pid$$" mkdir "${WORKSPACE}" || exit $? -cp -pR ${SCRIPT_DIR}/../certs "${WORKSPACE}"/ || exit $? +cp -pR "${SCRIPT_DIR}"/../certs "${WORKSPACE}"/ || exit $? cd "$WORKSPACE" || exit $? -ln -s ../examples +ln -s ../examples . CERT_DIR="certs/ocsp" @@ -101,9 +101,9 @@ wait_for_readyFile(){ counter=0 - while [ ! -s $1 -a "$counter" -lt 20 ]; do + while [ ! -s "$1" ] && [ "$counter" -lt 20 ]; do if [[ -n "${2-}" ]]; then - if ! kill -0 $2 2>&-; then + if ! kill -0 "$2" 2>&-; then echo "pid $2 for port ${3-} exited before creating ready file. bailing..." exit 1 fi 
@@ -113,7 +113,7 @@ wait_for_readyFile(){ counter=$((counter+ 1)) done - if test -e $1; then + if test -e "$1"; then echo -e "found ready file, starting client..." else echo -e "NO ready file at $1 -- ending test..." @@ -123,9 +123,9 @@ wait_for_readyFile(){ } remove_single_rF(){ - if test -e $1; then + if test -e "$1"; then printf '%s\n' "removing ready file: $1" - rm $1 + rm "$1" fi } 
@@ -133,77 +133,79 @@ remove_single_rF(){ create_new_cnf() { printf '%s\n' "Random Ports Selected: $1 $2 $3 $4" - printf '%s\n' "#" > $test_cnf - printf '%s\n' "# openssl configuration file for OCSP certificates" >> $test_cnf - printf '%s\n' "#" >> $test_cnf - printf '%s\n' "" >> $test_cnf - printf '%s\n' "# Extensions to add to a certificate request (intermediate1-ca)" >> $test_cnf - printf '%s\n' "[ v3_req1 ]" >> $test_cnf - printf '%s\n' "basicConstraints = CA:false" >> $test_cnf - printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf - printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf - printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf - printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:$1" >> $test_cnf - printf '%s\n' "" >> $test_cnf - printf '%s\n' "# Extensions to add to a certificate request (intermediate2-ca)" >> $test_cnf - printf '%s\n' "[ v3_req2 ]" >> $test_cnf - printf '%s\n' "basicConstraints = CA:false" >> $test_cnf - printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf - printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf - printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf - printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:$2" >> $test_cnf - printf '%s\n' "" >> $test_cnf - printf '%s\n' "# Extensions to add to a certificate request (intermediate3-ca)" >> $test_cnf - printf '%s\n' "[ v3_req3 ]" >> $test_cnf - printf '%s\n' "basicConstraints = CA:false" >> $test_cnf - printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf - printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf - printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf - printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:$3" >> $test_cnf - printf '%s\n' "" >> $test_cnf - printf '%s\n' "# Extensions for a typical CA" >> $test_cnf - printf 
'%s\n' "[ v3_ca ]" >> $test_cnf - printf '%s\n' "basicConstraints = CA:true" >> $test_cnf - printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf - printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf - printf '%s\n' "keyUsage = keyCertSign, cRLSign" >> $test_cnf - printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:$4" >> $test_cnf - printf '%s\n' "" >> $test_cnf - printf '%s\n' "# OCSP extensions." >> $test_cnf - printf '%s\n' "[ v3_ocsp ]" >> $test_cnf - printf '%s\n' "basicConstraints = CA:false" >> $test_cnf - printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf - printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf - printf '%s\n' "extendedKeyUsage = OCSPSigning" >> $test_cnf - - mv $test_cnf $CERT_DIR/$test_cnf - cd $CERT_DIR + { + printf '%s\n' "#" + printf '%s\n' "# openssl configuration file for OCSP certificates" + printf '%s\n' "#" + printf '%s\n' "" + printf '%s\n' "# Extensions to add to a certificate request (intermediate1-ca)" + printf '%s\n' "[ v3_req1 ]" + printf '%s\n' "basicConstraints = CA:false" + printf '%s\n' "subjectKeyIdentifier = hash" + printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" + printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" + printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:$1" + printf '%s\n' "" + printf '%s\n' "# Extensions to add to a certificate request (intermediate2-ca)" + printf '%s\n' "[ v3_req2 ]" + printf '%s\n' "basicConstraints = CA:false" + printf '%s\n' "subjectKeyIdentifier = hash" + printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" + printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" + printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:$2" + printf '%s\n' "" + printf '%s\n' "# Extensions to add to a certificate request (intermediate3-ca)" + printf '%s\n' "[ v3_req3 ]" + printf '%s\n' "basicConstraints = CA:false" + printf 
'%s\n' "subjectKeyIdentifier = hash" + printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" + printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" + printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:$3" + printf '%s\n' "" + printf '%s\n' "# Extensions for a typical CA" + printf '%s\n' "[ v3_ca ]" + printf '%s\n' "basicConstraints = CA:true" + printf '%s\n' "subjectKeyIdentifier = hash" + printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" + printf '%s\n' "keyUsage = keyCertSign, cRLSign" + printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:$4" + printf '%s\n' "" + printf '%s\n' "# OCSP extensions." + printf '%s\n' "[ v3_ocsp ]" + printf '%s\n' "basicConstraints = CA:false" + printf '%s\n' "subjectKeyIdentifier = hash" + printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" + printf '%s\n' "extendedKeyUsage = OCSPSigning" + } > "$test_cnf" + + mv "$test_cnf" "$CERT_DIR/$test_cnf" + cd "$CERT_DIR" || exit CURR_LOC="$PWD" printf '%s\n' "echo now in $CURR_LOC" - ./renewcerts-for-test.sh $test_cnf - cd $WORKSPACE + ./renewcerts-for-test.sh "$test_cnf" + cd "$WORKSPACE" || exit } remove_ready_file(){ - if test -e $ready_file1; then + if test -e "$ready_file1"; then printf '%s\n' "removing ready file: $ready_file1" - rm $ready_file1 + rm "$ready_file1" fi - if test -e $ready_file2; then + if test -e "$ready_file2"; then printf '%s\n' "removing ready file: $ready_file2" - rm $ready_file2 + rm "$ready_file2" fi - if test -e $ready_file3; then + if test -e "$ready_file3"; then printf '%s\n' "removing ready file: $ready_file3" - rm $ready_file3 + rm "$ready_file3" fi - if test -e $ready_file4; then + if test -e "$ready_file4"; then printf '%s\n' "removing ready file: $ready_file4" - rm $ready_file4 + rm "$ready_file4" fi - if test -e $ready_file5; then + if test -e "$ready_file5"; then printf '%s\n' "removing ready file: $ready_file5" - rm $ready_file5 + rm "$ready_file5" fi } 
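Review bot: The status of `./renewcerts-for-test.sh "$test_cnf"` is not checked here either, so if certificate regeneration fails the four responder ports written into the config never reach the certificates and every stapling case fails downstream with a misleading responder error; `./renewcerts-for-test.sh "$test_cnf" || { printf '%s\n' "renewcerts-for-test.sh failed"; exit 1; }` fails at the cause, assuming the helper returns non-zero. In `remove_ready_file` the five identical `test -e`/`printf`/`rm` branches could be a single `for f in "$ready_file1" … "$ready_file5"` loop over the quoted names, which is less to keep in sync when a sixth ready file is added; `rm -f -- "$f"` also tolerates a name beginning with `-`.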
@@ -215,14 +217,14 @@ cleanup() kill -s KILL "$i" done remove_ready_file - rm $CERT_DIR/$test_cnf + rm "$CERT_DIR/$test_cnf" cd "$PARENTDIR" || return 1 rm -r "$WORKSPACE" || return 1 if [[ ("$exit_status" == 1) && ($RETRIES_REMAINING -gt 0) ]]; then echo "retrying..." RETRIES_REMAINING=$((RETRIES_REMAINING - 1)) - exec $0 "$@" + exec "$0" "$@" fi } trap cleanup EXIT INT TERM HUP @@ -232,9 +234,9 @@ trap cleanup EXIT INT TERM HUP # check if supported key size is large enough to handle 4096 bit RSA size="$(./examples/client/client '-?' | grep "Max RSA key")" size="${size//[^0-9]/}" -if [ ! -z "$size" ]; then - printf 'check on max key size of %d ...' $size - if [ $size -lt 4096 ]; then +if [ -n "$size" ]; then + printf 'check on max key size of %d ...' "$size" + if [ "$size" -lt 4096 ]; then printf '%s\n' "4096 bit RSA keys not supported" exit 0 fi 
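Review bot: `exec "$0" "$@"` runs inside the cleanup function, where `"$@"` is the function's own argument list, which is empty when the trap invokes it, so any arguments the script was started with are dropped on retry; if the script is ever invoked with arguments, capture them at top level (`script_args=("$@")`) and `exec "$0" "${script_args[@]}"`. `rm "$CERT_DIR/$test_cnf"` will also print an error whenever cleanup fires before create_new_cnf has run (for example after the early `exit 0` for small RSA key sizes) and, being a relative path, resolves against the current directory at trap time; `rm -f -- "$CERT_DIR/$test_cnf"` avoids the noise and `cd "$WORKSPACE"` before it would make the path unambiguous, assuming CERT_DIR stays relative as set at the top of the file.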
@@ -262,42 +264,42 @@ get_first_free_port() { return 0 } -base_port=$((((($$ + $RETRIES_REMAINING) * 5) % (65536 - 2048)) + 1024)) -port1=$(get_first_free_port $base_port) +base_port=$((((($$ + RETRIES_REMAINING) * 5) % (65536 - 2048)) + 1024)) +port1=$(get_first_free_port "$base_port") port2=$(get_first_free_port $((port1 + 1))) port3=$(get_first_free_port $((port2 + 1))) port4=$(get_first_free_port $((port3 + 1))) port5=$(get_first_free_port $((port4 + 1))) # 1: -./examples/server/server -R $ready_file1 -p $port1 & +./examples/server/server -R "$ready_file1" -p "$port1" & server_pid1=$! -wait_for_readyFile $ready_file1 $server_pid1 $port1 -if [ ! -f $ready_file1 ]; then +wait_for_readyFile "$ready_file1" "$server_pid1" "$port1" +if [ ! -f "$ready_file1" ]; then printf '%s\n' "Failed to create ready file1: \"$ready_file1\"" exit 1 fi # 2: -./examples/server/server -R $ready_file2 -p $port2 & +./examples/server/server -R "$ready_file2" -p "$port2" & server_pid2=$! -wait_for_readyFile $ready_file2 $server_pid2 $port2 -if [ ! -f $ready_file2 ]; then +wait_for_readyFile "$ready_file2" "$server_pid2" "$port2" +if [ ! -f "$ready_file2" ]; then printf '%s\n' "Failed to create ready file2: \"$ready_file2\"" exit 1 fi # 3: -./examples/server/server -R $ready_file3 -p $port3 & +./examples/server/server -R "$ready_file3" -p "$port3" & server_pid3=$! -wait_for_readyFile $ready_file3 $server_pid3 $port3 -if [ ! -f $ready_file3 ]; then +wait_for_readyFile "$ready_file3" "$server_pid3" "$port3" +if [ ! -f "$ready_file3" ]; then printf '%s\n' "Failed to create ready file3: \"$ready_file3\"" exit 1 fi # 4: -./examples/server/server -R $ready_file4 -p $port4 & +./examples/server/server -R "$ready_file4" -p "$port4" & server_pid4=$! -wait_for_readyFile $ready_file4 $server_pid4 $port4 -if [ ! -f $ready_file4 ]; then +wait_for_readyFile "$ready_file4" "$server_pid4" "$port4" +if [ ! -f "$ready_file4" ]; then printf '%s\n' "Failed to create ready file4: \"$ready_file4\"" exit 1 fi 
@@ -307,12 +309,12 @@ printf '%s' "Random ports selected: $port1 $port2" printf '%s\n' " $port3 $port4" printf '%s\n' "-----------------------------------" # Use client connections to cleanly shutdown the servers -./examples/client/client -p $port1 -./examples/client/client -p $port2 -./examples/client/client -p $port3 -./examples/client/client -p $port4 -create_new_cnf $port1 $port2 $port3 \ - $port4 +./examples/client/client -p "$port1" +./examples/client/client -p "$port2" +./examples/client/client -p "$port3" +./examples/client/client -p "$port4" +create_new_cnf "$port1" "$port2" "$port3" \ + "$port4" sleep 0.1 @@ -320,7 +322,7 @@ sleep 0.1 # OLD: ./certs/ocsp/ocspd-root-ca-and-intermediate-cas.sh & # NEW: openssl isn't being cleaned up, invoke directly in script for cleanup # purposes! -openssl ocsp -port $port1 -nmin 1 \ +openssl ocsp -port "$port1" -nmin 1 \ -index certs/ocsp/index-ca-and-intermediate-cas.txt \ -rsigner certs/ocsp/ocsp-responder-cert.pem \ -rkey certs/ocsp/ocsp-responder-key.pem \ @@ -331,7 +333,7 @@ openssl ocsp -port $port1 -nmin 1 \ # OLD: ./certs/ocsp/ocspd-intermediate2-ca-issued-certs.sh & # NEW: openssl isn't being cleaned up, invoke directly in script for cleanup # purposes! -openssl ocsp -port $port2 -nmin 1 \ +openssl ocsp -port "$port2" -nmin 1 \ -index certs/ocsp/index-intermediate2-ca-issued-certs.txt \ -rsigner certs/ocsp/ocsp-responder-cert.pem \ -rkey certs/ocsp/ocsp-responder-key.pem \ @@ -342,7 +344,7 @@ openssl ocsp -port $port2 -nmin 1 \ # OLD: ./certs/ocsp/ocspd-intermediate3-ca-issued-certs.sh & # NEW: openssl isn't being cleaned up, invoke directly in script for cleanup # purposes! -openssl ocsp -port $port3 -nmin 1 \ +openssl ocsp -port "$port3" -nmin 1 \ -index certs/ocsp/index-intermediate3-ca-issued-certs.txt \ -rsigner certs/ocsp/ocsp-responder-cert.pem \ -rkey certs/ocsp/ocsp-responder-key.pem \ 
@@ -352,7 +354,7 @@ openssl ocsp -port $port3 -nmin 1 \ # NEW: openssl isn't being cleaned up, invoke directly in script for cleanup # purposes! -openssl ocsp -port $port4 -nmin 1 \ +openssl ocsp -port "$port4" -nmin 1 \ -index certs/ocsp/index-ca-and-intermediate-cas.txt \ -rsigner certs/ocsp/ocsp-responder-cert.pem \ -rkey certs/ocsp/ocsp-responder-key.pem \ 
@@ -362,144 +364,179 @@ openssl ocsp -port $port4 -nmin 1 \ sleep 0.1 # "jobs" is not portable for posix. Must use bash interpreter! -[ $(jobs -r | wc -l) -ne 4 ] && printf '\n\n%s\n' "Setup ocsp responder failed, skipping" && exit 0 +[ "$(jobs -r | wc -l)" -ne 4 ] && printf '\n\n%s\n' "Setup ocsp responder failed, skipping" && exit 0 printf '\n\n%s\n\n' "All OCSP responders started successfully!" printf '%s\n\n' "------------- TEST CASE 1 SHOULD PASS ------------------------" # client test against our own server - GOOD CERTS ./examples/server/server -c certs/ocsp/server3-cert.pem \ - -k certs/ocsp/server3-key.pem -R $ready_file5 \ - -p $port5 & + -k certs/ocsp/server3-key.pem -R "$ready_file5" \ + -p "$port5" & server_pid5=$! -wait_for_readyFile $ready_file5 $server_pid5 $port5 +wait_for_readyFile "$ready_file5" "$server_pid5" "$port5" ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 -v 3 \ - -p $port5 + -p "$port5" RESULT=$? [ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 1 failed" && exit 1 printf '%s\n\n' "Test PASSED!" printf '%s\n\n' "------------- TEST CASE 2 SHOULD PASS ------------------------" -remove_single_rF $ready_file5 +remove_single_rF "$ready_file5" ./examples/server/server -c certs/ocsp/server3-cert.pem \ - -k certs/ocsp/server3-key.pem -R $ready_file5 \ - -p $port5 & + -k certs/ocsp/server3-key.pem -R "$ready_file5" \ + -p "$port5" & server_pid5=$! -wait_for_readyFile $ready_file5 $server_pid5 $port5 +wait_for_readyFile "$ready_file5" "$server_pid5" "$port5" ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3 \ - -p $port5 + -p "$port5" RESULT=$? [ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 2 failed" && exit 1 printf '%s\n\n' "Test PASSED!" 
printf '%s\n\n' "------------- TEST CASE 3 SHOULD REVOKE ----------------------" # client test against our own server - REVOKED SERVER CERT -remove_single_rF $ready_file5 +remove_single_rF "$ready_file5" ./examples/server/server -c certs/ocsp/server4-cert.pem \ - -k certs/ocsp/server4-key.pem -R $ready_file5 \ - -p $port5 & + -k certs/ocsp/server4-key.pem -R "$ready_file5" \ + -p "$port5" & server_pid5=$! -wait_for_readyFile $ready_file5 $server_pid5 $port5 +wait_for_readyFile "$ready_file5" "$server_pid5" "$port5" ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 -v 3 \ - -p $port5 + -p "$port5" RESULT=$? [ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection succeeded $RESULT" && exit 1 printf '%s\n\n' "Test successfully REVOKED!" printf '%s\n\n' "------------- TEST CASE 4 SHOULD REVOKE ----------------------" -remove_single_rF $ready_file5 +remove_single_rF "$ready_file5" ./examples/server/server -c certs/ocsp/server4-cert.pem \ - -k certs/ocsp/server4-key.pem -R $ready_file5 \ - -p $port5 & + -k certs/ocsp/server4-key.pem -R "$ready_file5" \ + -p "$port5" & sleep 0.1 ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3 \ - -p $port5 + -p "$port5" RESULT=$? [ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection succeeded $RESULT" && exit 1 printf '%s\n\n' "Test successfully REVOKED!" printf '%s\n\n' "------------- TEST CASE 5 SHOULD PASS ------------------------" # client test against our own server - REVOKED INTERMEDIATE CERT -remove_single_rF $ready_file5 +remove_single_rF "$ready_file5" ./examples/server/server -c certs/ocsp/server5-cert.pem \ - -k certs/ocsp/server5-key.pem -R $ready_file5 \ - -p $port5 & + -k certs/ocsp/server5-key.pem -R "$ready_file5" \ + -p "$port5" & server_pid5=$! -wait_for_readyFile $ready_file5 $server_pid5 $port5 +wait_for_readyFile "$ready_file5" "$server_pid5" "$port5" ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 -v 3 \ - -p $port5 + -p "$port5" RESULT=$? 
[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 3 failed $RESULT" && exit 1 printf '%s\n\n' "Test PASSED!" printf '%s\n\n' "------------- TEST CASE 6 SHOULD REVOKE ----------------------" -remove_single_rF $ready_file5 +remove_single_rF "$ready_file5" ./examples/server/server -c certs/ocsp/server5-cert.pem \ - -k certs/ocsp/server5-key.pem -R $ready_file5 \ - -p $port5 & + -k certs/ocsp/server5-key.pem -R "$ready_file5" \ + -p "$port5" & server_pid5=$! -wait_for_readyFile $ready_file5 $server_pid5 $port5 +wait_for_readyFile "$ready_file5" "$server_pid5" "$port5" ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3 \ - -p $port5 + -p "$port5" RESULT=$? [ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection succeeded $RESULT" && exit 1 printf '%s\n\n' "Test successfully REVOKED!" printf '%s\n\n' "------------- TEST CASE 7 LOAD CERT IN SSL -------------------" -remove_single_rF $ready_file5 +remove_single_rF "$ready_file5" ./examples/server/server -c certs/ocsp/server1-cert.pem \ - -k certs/ocsp/server1-key.pem -R $ready_file5 \ - -p $port5 -H loadSSL & + -k certs/ocsp/server1-key.pem -R "$ready_file5" \ + -p "$port5" -H loadSSL & server_pid5=$! -wait_for_readyFile $ready_file5 $server_pid5 $port5 -echo "test connection" | openssl s_client -status -legacy_renegotiation -connect ${LOCALHOST}:$port5 -cert ./certs/client-cert.pem -key ./certs/client-key.pem -CAfile ./certs/ocsp/root-ca-cert.pem +wait_for_readyFile "$ready_file5" "$server_pid5" "$port5" +echo "test connection" | openssl s_client -status -legacy_renegotiation -connect ${LOCALHOST}:"$port5" -cert ./certs/client-cert.pem -key ./certs/client-key.pem -CAfile ./certs/ocsp/root-ca-cert.pem RESULT=$? [ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection failed $RESULT" && exit 1 -wait $server_pid5 -if [ $? -ne 0 ]; then +if ! 
wait "$server_pid5"; then printf '%s\n' "Unexpected server result" exit 1 fi printf '%s\n\n' "Test successful" printf '%s\n\n' "------------- TEST CASE 8 SHOULD REVOKE ----------------------" -remove_single_rF $ready_file5 +remove_single_rF "$ready_file5" ./examples/server/server -c certs/ocsp/server4-cert.pem \ - -k certs/ocsp/server4-key.pem -R $ready_file5 \ - -p $port5 -H loadSSL & + -k certs/ocsp/server4-key.pem -R "$ready_file5" \ + -p "$port5" -H loadSSL & server_pid5=$! sleep 0.1 ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3 \ - -p $port5 + -p "$port5" RESULT=$? [ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection succeeded $RESULT" && exit 1 -wait $server_pid5 -if [ $? -ne 1 ]; then +if ! wait "$server_pid5"; then + : +else printf '%s\n' "Unexpected server result" exit 1 fi printf '%s\n\n' "Test successfully REVOKED!" # need a unique port since may run the same time as testsuite +# Track ports already assigned in this script run to prevent intra-run collisions +used_ports=() + generate_port() { #-------------------------------------------------------------------------# - # Generate a random port number + # Generate a random port number, guaranteed unique within this script run. + # Checks both the intra-run used_ports list and system-level bound ports. 
#-------------------------------------------------------------------------# + local attempts=0 collision p + + while true; do + if [[ "$OSTYPE" == "linux"* || "$OSTYPE" == "msys" + || "$OSTYPE" == "cygwin" ]]; then + p=$(($(od -An -N2 /dev/urandom) % (65535-49512) + 49512)) + elif [[ "$OSTYPE" == "darwin"* ]]; then + p=$(($(od -An -N2 /dev/random) % (65535-49512) + 49512)) + else + echo "Unknown OS TYPE" + exit 1 + fi - if [[ "$OSTYPE" == "linux"* || "$OSTYPE" == "msys" - || "$OSTYPE" == "cygwin" ]]; then - port=$(($(od -An -N2 /dev/urandom) % (65535-49512) + 49512)) - elif [[ "$OSTYPE" == "darwin"* ]]; then - port=$(($(od -An -N2 /dev/random) % (65535-49512) + 49512)) - else - echo "Unknown OS TYPE" - exit 1 - fi + # Check against ports already assigned in this run + collision=0 + for up in "${used_ports[@]}"; do + if [ "$up" = "$p" ]; then + collision=1 + break + fi + done + + # Also check if the port is already bound on this system + if [ $collision -eq 0 ]; then + if command -v ss &>/dev/null; then + ss -lnt 2>/dev/null | grep -q ":${p}[[:space:]]" && collision=1 + elif command -v netstat &>/dev/null; then + netstat -lnt 2>/dev/null | grep -q ":${p}[[:space:]]" && collision=1 + fi + fi + + [ "$collision" -eq 0 ] && break + + ((attempts++)) + if [ "$attempts" -ge 100 ]; then + echo "ERROR: generate_port could not find a free port after 100 attempts" + exit 1 + fi + done + + port=$p + used_ports+=("$p") } # Start OpenSSL server that has no OCSP responses to return generate_port -openssl s_server -cert ./certs/server-cert.pem -key certs/server-key.pem -www -port $port & -openssl_pid=$! +openssl s_server -cert ./certs/server-cert.pem -key certs/server-key.pem -www -port "$port" & MAX_TIMEOUT=10 -until nc -z localhost $port # Wait for openssl to be ready +until nc -z localhost "$port" # Wait for openssl to be ready do sleep 0.05 if [ "$MAX_TIMEOUT" == "0" ]; then 
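Review bot: The TEST CASE 8 server check `if ! wait "$server_pid5"; then :; else …` accepts any non-zero status where the replaced `if [ $? -ne 1 ]` required exactly 1, so a server that crashes or is signalled now counts as a successful revocation, and the empty `then :` branch reads as an accident. Keep the exact comparison, `wait "$server_pid5"` / `server_rv=$?` / `if [ "$server_rv" -ne 1 ]; then`, which is what the tls13multi copy of this case still does. In generate_port the system-level collision check is best-effort only: `ss -lnt` sees TCP listeners alone, the `netstat -lnt` fallback's flags and `host.port` address format differ on macOS/BSD so it likely never matches there, and both stderr streams are discarded, so a comment such as `# best-effort and racy: the port can still be bound between this check and our own bind()` would set expectations; the copy added to scripts/openssl.test has the same limitation. The hunk also drops `openssl_pid=$!`, which is fine if nothing reads openssl_pid, but that is decided outside the hunk.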
@@ -510,7 +547,7 @@ done printf '%s\n\n' "------------- TEST CASE 9 SHOULD PASS ----------------------" # client asks for OCSP staple but doesn't fail when none returned -./examples/client/client -p $port -g -v 3 -W 2 +./examples/client/client -p "$port" -g -v 3 -W 2 RESULT=$? [ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 9 failed" && exit 1 @@ -518,7 +555,7 @@ printf '%s\n\n' "Test PASSED!" printf '%s\n\n' "------------- TEST CASE 10 SHOULD UNKNOWN -------------------" # client asks for OCSP staple but doesn't fail when none returned -./examples/client/client -p $port -g -v 3 -W 2m +./examples/client/client -p "$port" -g -v 3 -W 2m RESULT=$? [ $RESULT -ne 1 ] \ @@ -531,12 +568,12 @@ if ./examples/client/client -? 2>&1 | grep -q 'DTLS'; then printf '%s\n\n' "------------- TEST CASE DTLS-1 SHOULD PASS -------------------" # client test against our own server - GOOD CERTS ./examples/server/server -c certs/ocsp/server3-cert.pem \ - -k certs/ocsp/server3-key.pem -R $ready_file5 \ - -p $port5 -u -v 3 & + -k certs/ocsp/server3-key.pem -R "$ready_file5" \ + -p "$port5" -u -v 3 & server_pid5=$! sleep 0.2 ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 -u -v 3 \ - -p $port5 + -p "$port5" RESULT=$? [ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 1 failed" && exit 1 printf '%s\n\n' "Test PASSED!" diff --git a/scripts/ocsp-stapling_tls13multi.test b/scripts/ocsp-stapling_tls13multi.test index dbdcb53f7c..21227d4388 100755 --- a/scripts/ocsp-stapling_tls13multi.test +++ b/scripts/ocsp-stapling_tls13multi.test 
@@ -66,13 +66,13 @@ else tls13=yes fi -if openssl s_server -help 2>&1 | fgrep -q -i ipv6 && nc -h 2>&1 | fgrep -q -i ipv6; then +if openssl s_server -help 2>&1 | grep -F -q -i ipv6 && nc -h 2>&1 | grep -F -q -i ipv6; then IPV6_SUPPORTED=yes else IPV6_SUPPORTED=no fi -if ./examples/client/client '-#' | fgrep -q -e ' -DTEST_IPV6 '; then +if ./examples/client/client '-#' | grep -F -q -e ' -DTEST_IPV6 '; then if [[ "$IPV6_SUPPORTED" == "no" ]]; then echo 'Skipping IPV6 test in environment lacking IPV6 support.' exit 77 @@ -94,11 +94,11 @@ PARENTDIR="$PWD" #mkdir "${WORKSPACE}" || exit $? # Use portable mktemp syntax that works on both Linux and macOS -WORKSPACE="$(mktemp -d ${PARENTDIR}/wolfssl-ocsp-test.XXXXXX)" +WORKSPACE="$(mktemp -d "${PARENTDIR}"/wolfssl-ocsp-test.XXXXXX)" -cp -pR ${SCRIPT_DIR}/../certs "${WORKSPACE}"/ || exit $? +cp -pR "${SCRIPT_DIR}"/../certs "${WORKSPACE}"/ || exit $? cd "$WORKSPACE" || exit $? -ln -s ../examples +ln -s ../examples . CERT_DIR="certs/ocsp" @@ -120,9 +120,9 @@ wait_for_readyFile(){ counter=0 - while [ ! -s $1 -a "$counter" -lt 20 ]; do + while [ ! -s "$1" ] && [ "$counter" -lt 20 ]; do if [[ -n "${2-}" ]]; then - if ! kill -0 $2 2>&-; then + if ! kill -0 "$2" 2>&-; then echo "pid $2 for port ${3-} exited before creating ready file. bailing..." exit 1 fi @@ -132,7 +132,7 @@ wait_for_readyFile(){ counter=$((counter+ 1)) done - if test -e $1; then + if test -e "$1"; then echo -e "found ready file, starting client..." else echo -e "NO ready file at $1 -- ending test..." @@ -142,16 +142,16 @@ wait_for_readyFile(){ } remove_single_rF(){ - if test -e $1; then + if test -e "$1"; then printf '%s\n' "removing ready file: $1" - rm $1 + rm "$1" fi } #create a configure file for cert generation with the port 0 solution create_new_cnf() { echo "Random Ports Selected: $1 $2 $3 $4" - cat <<- EOF > $test_cnf + cat <<- EOF > "$test_cnf" # # openssl configuration file for OCSP certificates # 
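Review bot: The `WORKSPACE="$(mktemp -d "${PARENTDIR}"/wolfssl-ocsp-test.XXXXXX)"` line in the `@@ -94,11` hunk has no failure check, unlike the commented-out `mkdir … || exit $?` it replaced: if mktemp fails, WORKSPACE is empty, the following `cp -pR … "${WORKSPACE}"/` copies the certs tree into `/`, and `cd "$WORKSPACE"` does not reliably fail either. Append the check, `WORKSPACE="$(mktemp -d "${PARENTDIR}"/wolfssl-ocsp-test.XXXXXX)" || exit $?`, since an assignment from a command substitution carries that command's exit status. A later `rm -r "$WORKSPACE"` on the empty value fails rather than deleting anything, so the failure mode is a polluted tree, not data loss.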
@@ -196,34 +196,34 @@ create_new_cnf() { extendedKeyUsage = OCSPSigning EOF - mv $test_cnf $CERT_DIR/$test_cnf - cd $CERT_DIR + mv "$test_cnf" "$CERT_DIR/$test_cnf" + cd "$CERT_DIR" || exit CURR_LOC="$PWD" printf '%s\n' "echo now in $CURR_LOC" - ./renewcerts-for-test.sh $test_cnf - cd $WORKSPACE + ./renewcerts-for-test.sh "$test_cnf" + cd "$WORKSPACE" || exit } remove_ready_file(){ - if test -e $ready_file1; then + if test -e "$ready_file1"; then printf '%s\n' "removing ready file: $ready_file1" - rm $ready_file1 + rm "$ready_file1" fi - if test -e $ready_file2; then + if test -e "$ready_file2"; then printf '%s\n' "removing ready file: $ready_file2" - rm $ready_file2 + rm "$ready_file2" fi - if test -e $ready_file3; then + if test -e "$ready_file3"; then printf '%s\n' "removing ready file: $ready_file3" - rm $ready_file3 + rm "$ready_file3" fi - if test -e $ready_file4; then + if test -e "$ready_file4"; then printf '%s\n' "removing ready file: $ready_file4" - rm $ready_file4 + rm "$ready_file4" fi - if test -e $ready_file5; then + if test -e "$ready_file5"; then printf '%s\n' "removing ready file: $ready_file5" - rm $ready_file5 + rm "$ready_file5" fi } @@ -235,14 +235,14 @@ cleanup() kill -s KILL "$i" done remove_ready_file - rm $CERT_DIR/$test_cnf + rm "$CERT_DIR/$test_cnf" cd "$PARENTDIR" || return 1 rm -r "$WORKSPACE" || return 1 if [[ ("$exit_status" == 1) && ($RETRIES_REMAINING -gt 0) ]]; then echo "retrying..." RETRIES_REMAINING=$((RETRIES_REMAINING - 1)) - exec $0 "$@" + exec "$0" "$@" fi } trap cleanup EXIT INT TERM HUP 
@@ -252,9 +252,9 @@ trap cleanup EXIT INT TERM HUP
# check if supported key size is large enough to handle 4096 bit RSA
size="$(./examples/client/client '-?' | grep "Max RSA key")"
size="${size//[^0-9]/}"
-if [ ! -z "$size" ]; then
- printf 'check on max key size of %d ...' $size
- if [ $size -lt 4096 ]; then
+if [ -n "$size" ]; then
+ printf 'check on max key size of %d ...' "$size"
+ if [ "$size" -lt 4096 ]; then
printf '%s\n' "4096 bit RSA keys not supported"
exit 0
fi
@@ -282,42 +282,42 @@ get_first_free_port() { return 0 } -base_port=$((((($$ + $RETRIES_REMAINING) * 5) % (65536 - 2048)) + 1024)) -port1=$(get_first_free_port $base_port) +base_port=$((((($$ + RETRIES_REMAINING) * 5) % (65536 - 2048)) + 1024)) +port1=$(get_first_free_port "$base_port") port2=$(get_first_free_port $((port1 + 1))) port3=$(get_first_free_port $((port2 + 1))) port4=$(get_first_free_port $((port3 + 1))) port5=$(get_first_free_port $((port4 + 1))) # 1: -./examples/server/server -R $ready_file1 -p $port1 & +./examples/server/server -R "$ready_file1" -p "$port1" & server_pid1=$! -wait_for_readyFile $ready_file1 $server_pid1 $port1 -if [ ! -f $ready_file1 ]; then +wait_for_readyFile "$ready_file1" "$server_pid1" "$port1" +if [ ! -f "$ready_file1" ]; then printf '%s\n' "Failed to create ready file1: \"$ready_file1\"" exit 1 fi # 2: -./examples/server/server -R $ready_file2 -p $port2 & +./examples/server/server -R "$ready_file2" -p "$port2" & server_pid2=$! -wait_for_readyFile $ready_file2 $server_pid2 $port2 -if [ ! -f $ready_file2 ]; then +wait_for_readyFile "$ready_file2" "$server_pid2" "$port2" +if [ ! -f "$ready_file2" ]; then printf '%s\n' "Failed to create ready file2: \"$ready_file2\"" exit 1 fi # 3: -./examples/server/server -R $ready_file3 -p $port3 & +./examples/server/server -R "$ready_file3" -p "$port3" & server_pid3=$! -wait_for_readyFile $ready_file3 $server_pid3 $port3 -if [ ! -f $ready_file3 ]; then +wait_for_readyFile "$ready_file3" "$server_pid3" "$port3" +if [ ! -f "$ready_file3" ]; then printf '%s\n' "Failed to create ready file3: \"$ready_file3\"" exit 1 fi # 4: -./examples/server/server -R $ready_file4 -p $port4 & +./examples/server/server -R "$ready_file4" -p "$port4" & server_pid4=$! -wait_for_readyFile $ready_file4 $server_pid4 $port4 -if [ ! -f $ready_file4 ]; then +wait_for_readyFile "$ready_file4" "$server_pid4" "$port4" +if [ ! -f "$ready_file4" ]; then printf '%s\n' "Failed to create ready file4: \"$ready_file4\"" exit 1 fi 
@@ -327,12 +327,12 @@ printf '%s' "Random ports selected: $port1 $port2" printf '%s\n' " $port3 $port4" printf '%s\n' "-----------------------------------" # Use client connections to cleanly shutdown the servers -./examples/client/client -p $port1 -./examples/client/client -p $port2 -./examples/client/client -p $port3 -./examples/client/client -p $port4 -create_new_cnf $port1 $port2 $port3 \ - $port4 +./examples/client/client -p "$port1" +./examples/client/client -p "$port2" +./examples/client/client -p "$port3" +./examples/client/client -p "$port4" +create_new_cnf "$port1" "$port2" "$port3" \ + "$port4" sleep 0.1 @@ -340,7 +340,7 @@ sleep 0.1 # OLD: ./certs/ocsp/ocspd-root-ca-and-intermediate-cas.sh & # NEW: openssl isn't being cleaned up, invoke directly in script for cleanup # purposes! -openssl ocsp -port $port1 -nmin 1 \ +openssl ocsp -port "$port1" -nmin 1 \ -index certs/ocsp/index-ca-and-intermediate-cas.txt \ -rsigner certs/ocsp/ocsp-responder-cert.pem \ -rkey certs/ocsp/ocsp-responder-key.pem \ @@ -351,7 +351,7 @@ openssl ocsp -port $port1 -nmin 1 \ # OLD: ./certs/ocsp/ocspd-intermediate2-ca-issued-certs.sh & # NEW: openssl isn't being cleaned up, invoke directly in script for cleanup # purposes! -openssl ocsp -port $port2 -nmin 1 \ +openssl ocsp -port "$port2" -nmin 1 \ -index certs/ocsp/index-intermediate2-ca-issued-certs.txt \ -rsigner certs/ocsp/ocsp-responder-cert.pem \ -rkey certs/ocsp/ocsp-responder-key.pem \ @@ -362,7 +362,7 @@ openssl ocsp -port $port2 -nmin 1 \ # OLD: ./certs/ocsp/ocspd-intermediate3-ca-issued-certs.sh & # NEW: openssl isn't being cleaned up, invoke directly in script for cleanup # purposes! -openssl ocsp -port $port3 -nmin 1 \ +openssl ocsp -port "$port3" -nmin 1 \ -index certs/ocsp/index-intermediate3-ca-issued-certs.txt \ -rsigner certs/ocsp/ocsp-responder-cert.pem \ -rkey certs/ocsp/ocsp-responder-key.pem \ 
@@ -372,7 +372,7 @@ openssl ocsp -port $port3 -nmin 1 \ # NEW: openssl isn't being cleaned up, invoke directly in script for cleanup # purposes! -openssl ocsp -port $port4 -nmin 1 \ +openssl ocsp -port "$port4" -nmin 1 \ -index certs/ocsp/index-ca-and-intermediate-cas.txt \ -rsigner certs/ocsp/ocsp-responder-cert.pem \ -rkey certs/ocsp/ocsp-responder-key.pem \ @@ -382,7 +382,7 @@ openssl ocsp -port $port4 -nmin 1 \ sleep 0.1 # "jobs" is not portable for posix. Must use bash interpreter! -[ $(jobs -r | wc -l) -ne 4 ] && printf '\n\n%s\n' "Setup ocsp responder failed, skipping" && exit 0 +[ "$(jobs -r | wc -l)" -ne 4 ] && printf '\n\n%s\n' "Setup ocsp responder failed, skipping" && exit 0 printf '\n\n%s\n\n' "All OCSP responders started successfully!" 
@@ -390,97 +390,96 @@ if [ "$tls13" == "yes" ]; then printf '%s\n\n' "------------- TEST CASE 1 SHOULD PASS ------------------------" # client test against our own server - GOOD CERTS ./examples/server/server -c certs/ocsp/server3-cert.pem \ - -k certs/ocsp/server3-key.pem -R $ready_file5 \ - -p $port5 -v 4 & + -k certs/ocsp/server3-key.pem -R "$ready_file5" \ + -p "$port5" -v 4 & server_pid5=$! - wait_for_readyFile $ready_file5 $server_pid5 $port5 + wait_for_readyFile "$ready_file5" "$server_pid5" "$port5" ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -v 4 \ - -p $port5 + -p "$port5" RESULT=$? - [ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 1 failed" && exit 1 + [ "$RESULT" -ne 0 ] && printf '\n\n%s\n' "Client connection 1 failed" && exit 1 printf '%s\n\n' "Test PASSED!" printf '%s\n\n' "------------- TEST CASE 2 SHOULD REVOKE ----------------------" # client test against our own server - REVOKED SERVER CERT - remove_single_rF $ready_file5 + remove_single_rF "$ready_file5" ./examples/server/server -c certs/ocsp/server4-cert.pem \ - -k certs/ocsp/server4-key.pem -R $ready_file5 \ - -p $port5 -v 4 & + -k certs/ocsp/server4-key.pem -R "$ready_file5" \ + -p "$port5" -v 4 & server_pid5=$! - wait_for_readyFile $ready_file5 $server_pid5 $port5 + wait_for_readyFile "$ready_file5" "$server_pid5" "$port5" ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -v 4 \ - -p $port5 + -p "$port5" RESULT=$? - [ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection succeeded $RESULT" && exit 1 + [ "$RESULT" -ne 1 ] && printf '\n\n%s\n' "Client connection succeeded $RESULT" && exit 1 printf '%s\n\n' "Test successfully REVOKED!" 
printf '%s\n\n' "------------- TEST CASE 3 SHOULD REVOKE ----------------------" - remove_single_rF $ready_file5 + remove_single_rF "$ready_file5" ./examples/server/server -c certs/ocsp/server4-cert.pem \ - -k certs/ocsp/server4-key.pem -R $ready_file5 \ - -p $port5 & + -k certs/ocsp/server4-key.pem -R "$ready_file5" \ + -p "$port5" & sleep 0.1 ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -v 4 \ - -p $port5 + -p "$port5" RESULT=$? - [ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection succeeded $RESULT" && exit 1 + [ "$RESULT" -ne 1 ] && printf '\n\n%s\n' "Client connection succeeded $RESULT" && exit 1 printf '%s\n\n' "Test successfully REVOKED!" printf '%s\n\n' "------------- TEST CASE 4 SHOULD REVOKE ------------------------" # client test against our own server - REVOKED INTERMEDIATE CERT - remove_single_rF $ready_file5 + remove_single_rF "$ready_file5" ./examples/server/server -c certs/ocsp/server5-cert.pem \ - -k certs/ocsp/server5-key.pem -R $ready_file5 \ - -p $port5 -v 4 & + -k certs/ocsp/server5-key.pem -R "$ready_file5" \ + -p "$port5" -v 4 & server_pid5=$! - wait_for_readyFile $ready_file5 $server_pid5 $port5 + wait_for_readyFile "$ready_file5" "$server_pid5" "$port5" ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -v 4 \ - -p $port5 + -p "$port5" RESULT=$? - [ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection succeeded $RESULT" && exit 1 + [ "$RESULT" -ne 1 ] && printf '\n\n%s\n' "Client connection succeeded $RESULT" && exit 1 printf '%s\n\n' "Test successfully REVOKED!" printf '%s\n\n' "------------- TEST CASE 5 SHOULD REVOKE ----------------------" - remove_single_rF $ready_file5 + remove_single_rF "$ready_file5" ./examples/server/server -c certs/ocsp/server5-cert.pem \ - -k certs/ocsp/server5-key.pem -R $ready_file5 \ - -p $port5 -v 4 & + -k certs/ocsp/server5-key.pem -R "$ready_file5" \ + -p "$port5" -v 4 & server_pid5=$! 
- wait_for_readyFile $ready_file5 $server_pid5 $port5 + wait_for_readyFile "$ready_file5" "$server_pid5" "$port5" ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -v 4 \ - -p $port5 + -p "$port5" RESULT=$? - [ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection succeeded $RESULT" && exit 1 + [ "$RESULT" -ne 1 ] && printf '\n\n%s\n' "Client connection succeeded $RESULT" && exit 1 printf '%s\n\n' "Test successfully REVOKED!" printf '%s\n\n' "------------- TEST CASE 6 LOAD CERT IN SSL -------------------" - remove_single_rF $ready_file5 + remove_single_rF "$ready_file5" ./examples/server/server -c certs/ocsp/server1-cert.pem \ - -k certs/ocsp/server1-key.pem -R $ready_file5 -v 4 \ - -p $port5 -H loadSSL & + -k certs/ocsp/server1-key.pem -R "$ready_file5" -v 4 \ + -p "$port5" -H loadSSL & server_pid5=$! - wait_for_readyFile $ready_file5 $server_pid5 $port5 - echo "test connection" | openssl s_client -status -legacy_renegotiation -connect ${LOCALHOST}:$port5 -cert ./certs/client-cert.pem -key ./certs/client-key.pem -CAfile ./certs/ocsp/root-ca-cert.pem + wait_for_readyFile "$ready_file5" "$server_pid5" "$port5" + echo "test connection" | openssl s_client -status -legacy_renegotiation -connect "${LOCALHOST}:$port5" -cert ./certs/client-cert.pem -key ./certs/client-key.pem -CAfile ./certs/ocsp/root-ca-cert.pem RESULT=$? - [ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection failed $RESULT" && exit 1 - wait $server_pid5 - if [ $? -ne 0 ]; then + [ "$RESULT" -ne 0 ] && printf '\n\n%s\n' "Client connection failed $RESULT" && exit 1 + if ! 
wait "$server_pid5"; then printf '%s\n' "Unexpected server result" exit 1 fi printf '%s\n\n' "Test successful" printf '%s\n\n' "------------- TEST CASE 7 SHOULD REVOKE ----------------------" - remove_single_rF $ready_file5 + remove_single_rF "$ready_file5" ./examples/server/server -c certs/ocsp/server4-cert.pem \ - -k certs/ocsp/server4-key.pem -R $ready_file5 \ - -p $port5 -H loadSSL -v 4 & + -k certs/ocsp/server4-key.pem -R "$ready_file5" \ + -p "$port5" -H loadSSL -v 4 & server_pid5=$! sleep 0.1 ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -v 4 \ - -p $port5 + -p "$port5" RESULT=$? - [ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection succeeded $RESULT" && exit 1 - wait $server_pid5 + [ "$RESULT" -ne 1 ] && printf '\n\n%s\n' "Client connection succeeded $RESULT" && exit 1 + wait "$server_pid5" if [ $? -ne 1 ]; then printf '%s\n' "Unexpected server result" exit 1 
@@ -492,48 +491,32 @@ if [ "$dtls13" == "yes" ]; then printf '%s\n\n' "------------- TEST CASE DTLS-1 SHOULD PASS ---------------" # client test against our own server - GOOD CERTS ./examples/server/server -c certs/ocsp/server3-cert.pem \ - -k certs/ocsp/server3-key.pem -R $ \ - -p $port5 -u -v 4 & + -k certs/ocsp/server3-key.pem -R "$ready_file5" \ + -p "$port5" -u -v 4 & server_pid5=$! sleep 0.2 ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -u -v 4 \ - -p $port5 + -p "$port5" RESULT=$? - [ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 1 failed" && exit 1 + [ "$RESULT" -ne 0 ] && printf '\n\n%s\n' "Client connection 1 failed" && exit 1 printf '%s\n\n' "Test PASSED!" printf '%s\n\n' "------------- TEST CASE DTLS-2 SHOULD REVOKE --------------" # client test against our own server - REVOKED SERVER CERT - remove_single_rF $ready_file5 + remove_single_rF "$ready_file5" ./examples/server/server -c certs/ocsp/server4-cert.pem \ - -k certs/ocsp/server4-key.pem -R $ready_file5 \ - -p $port5 -v 4 & + -k certs/ocsp/server4-key.pem -R "$ready_file5" \ + -p "$port5" -v 4 & server_pid5=$! sleep 0.2 ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -v 4 \ - -p $port5 + -p "$port5" RESULT=$? - [ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection succeeded $RESULT" && exit 1 + [ "$RESULT" -ne 1 ] && printf '\n\n%s\n' "Client connection succeeded $RESULT" && exit 1 printf '%s\n\n' "Test successfully REVOKED!" 
fi -# need a unique port since may run the same time as testsuite -generate_port() { - #-------------------------------------------------------------------------# - # Generate a random port number - #-------------------------------------------------------------------------# - - if [[ "$OSTYPE" == "linux"* ]]; then - port=$(($(od -An -N2 /dev/urandom) % (65535-49512) + 49512)) - elif [[ "$OSTYPE" == "darwin"* ]]; then - port=$(($(od -An -N2 /dev/random) % (65535-49512) + 49512)) - else - echo "Unknown OS TYPE" - exit 1 - fi -} - printf '%s\n\n' "------------------- TESTS COMPLETE ---------------------------" exit 0 diff --git a/scripts/openssl.test b/scripts/openssl.test index 71b36386eb..45859fbe1d 100755 --- a/scripts/openssl.test +++ b/scripts/openssl.test 
@@ -31,19 +31,55 @@ fi echo "WOLFSSL_OPENSSL_TEST set, running test..." # need a unique port since may run the same time as testsuite +# Track ports already assigned in this script run to prevent intra-run collisions +used_ports=() + generate_port() { #-------------------------------------------------------------------------# - # Generate a random port number + # Generate a random port number, guaranteed unique within this script run. + # Checks both the intra-run used_ports list and system-level bound ports. #-------------------------------------------------------------------------# + local attempts=0 collision p - if [[ "$OSTYPE" == "linux"* ]]; then - port=$(($(od -An -N2 /dev/urandom) % (65535-49512) + 49512)) - elif [[ "$OSTYPE" == "darwin"* ]]; then - port=$(($(od -An -N2 /dev/random) % (65535-49512) + 49512)) - else - echo "Unknown OS TYPE" - exit 1 - fi + while true; do + if [[ "$OSTYPE" == "linux"* ]]; then + p=$(($(od -An -N2 /dev/urandom) % (65535-49512) + 49512)) + elif [[ "$OSTYPE" == "darwin"* ]]; then + p=$(($(od -An -N2 /dev/random) % (65535-49512) + 49512)) + else + echo "Unknown OS TYPE" + exit 1 + fi + + # Check against ports already assigned in this run + collision=0 + for up in "${used_ports[@]}"; do + if [ "$up" = "$p" ]; then + collision=1 + break + fi + done + + # Also check if the port is already bound on this system + if [ "$collision" -eq 0 ]; then + if command -v ss &>/dev/null; then + ss -lnt 2>/dev/null | grep -q ":${p}[[:space:]]" && collision=1 + elif command -v netstat &>/dev/null; then + netstat -lnt 2>/dev/null | grep -q ":${p}[[:space:]]" && collision=1 + fi + fi + + [ "$collision" -eq 0 ] && break + + ((attempts++)) + if [ "$attempts" -ge 100 ]; then + echo "ERROR: generate_port could not find a free port after 100 attempts" + exit 1 + fi + done + + port=$p + used_ports+=("$p") } no_pid=-1 @@ -112,7 +148,7 @@ do_cleanup() { pid=${f2##*:} port=${s##*:} echo "killing server: $sname ($port)" - kill -9 $pid + kill -9 "$pid" done } 
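Review bot: In generate_port the loop variable `up` is not declared `local` with `attempts collision p`, so each call leaves it behind in the caller's scope; add it to the `local` line. `((attempts++))` evaluates to the pre-increment value, so the first retry returns status 1 — harmless here, but it would abort the script under `set -e` or an `ERR` trap; `attempts=$((attempts + 1))` has no such edge. Both apply equally to the copy of generate_port in scripts/ocsp-stapling.test. In do_cleanup, `kill -9 "$pid"` as the first and only signal gives the server no chance to close its listener; sending TERM first and escalating to KILL only if it survives a short wait is the usual sequence, and do_cleanup's body starts outside the hunk.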
@@ -128,10 +164,10 @@ trap do_trap INT TERM
check_process_running() {
if [ "$ps_grep" = "" ]
then
- ps -p $server_pid > /dev/null
+ ps -p "$server_pid" > /dev/null
PS_EXIT=$?
else
- ps | grep "^ *$server_pid " > /dev/null
+ pgrep -f "^ *$server_pid " > /dev/null
PS_EXIT=$?
fi
}
@@ -153,20 +189,13 @@ start_openssl_server() {
# If OPENSSL_ENGINE_ID has been set then check that the desired engine can
# be loaded successfully and error out if not. Otherwise the OpenSSL app
# will fall back to default engine.
- if [ ! -z "${OPENSSL_ENGINE_ID}" ]; then
- OUTPUT=`$OPENSSL engine -tt $OPENSSL_ENGINE_ID`
- if [ $? != 0 ]; then
- printf "not able to load engine\n"
- printf "$OPENSSL engine -tt $OPENSSL_ENGINE_ID\n"
+ if [ -n "${OPENSSL_ENGINE_ID}" ]; then
+ OUTPUT=$($OPENSSL engine -tt "$OPENSSL_ENGINE_ID")
+ if ! echo "$OUTPUT" | grep -q "available"; then
+ printf "not able to load engine or engine not available\n"
+ printf '%s\n' "$OPENSSL engine -tt $OPENSSL_ENGINE_ID"
do_cleanup
exit 1
- else
- echo $OUTPUT | grep "available"
- if [ $? != 0 ]; then
- printf "engine not available\n"
- do_cleanup
- exit 1
- fi
fi
OPENSSL_ENGINE_ID="-engine ${OPENSSL_ENGINE_ID}"
fi
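Review bot: `pgrep -f "^ *$server_pid " > /dev/null` does not do what the `ps | grep` it replaces did: `pgrep -f` matches the pattern against each process's command line, not the PID column, so a pattern like `^ *1234 ` essentially never matches and this branch now always reports the server as gone (PS_EXIT=1). Liveness by PID is what `kill -0` gives portably, `kill -0 "$server_pid" > /dev/null 2>&1` / `PS_EXIT=$?`; if the `ps | grep` form must stay for platforms without `ps -p`, keep it with `# shellcheck disable=SC2009` rather than swapping in pgrep. Whether ps_grep is ever non-empty is decided outside the hunk.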
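Review bot: The merged check `if ! echo "$OUTPUT" | grep -q "available"` also matches the failure case, because OpenSSL's `engine -tt` reports a non-loadable engine as `[ unavailable ]`, which contains the substring, and the old `$?` test on the `$OPENSSL engine` invocation has been folded away, so an engine that fails to load but still prints that line is now accepted. Match the word, `if ! grep -qw "available" <<<"$OUTPUT"; then` (or anchor on `'\[ available \]'`), and keep the status check, `OUTPUT=$($OPENSSL engine -tt "$OPENSSL_ENGINE_ID") || { printf 'not able to load engine\n'; do_cleanup; exit 1; }`. The exact bracketed wording should be confirmed against the OpenSSL version used in CI. start_openssl_server continues outside the hunk.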
@@ -177,11 +206,13 @@ start_openssl_server() { if [ "$cert_file" != "" ] then - echo "# " $OPENSSL s_server -accept $server_port $OPENSSL_ENGINE_ID -cert \"$cert_file\" -key \"$key_file\" -quiet -CAfile \"$ca_file\" -www -dhparam \"${CERT_DIR}/dh2048.pem\" -verify 10 -verify_return_error -psk $psk_hex -cipher "ALL:eNULL" $openssl_nodhe - $OPENSSL s_server -accept $server_port $OPENSSL_ENGINE_ID -cert "$cert_file" -key "$key_file" -quiet -CAfile "$ca_file" -www -dhparam "${CERT_DIR}/dh2048.pem" -verify 10 -verify_return_error -psk $psk_hex -cipher "ALL:eNULL" $openssl_nodhe & + echo "# $OPENSSL s_server -accept $server_port $OPENSSL_ENGINE_ID -cert \"$cert_file\" -key \"$key_file\" -quiet -CAfile \"$ca_file\" -www -dhparam \"${CERT_DIR}/dh2048.pem\" -verify 10 -verify_return_error -psk $psk_hex -cipher \"ALL:eNULL\" $openssl_nodhe" + # shellcheck disable=SC2086 + $OPENSSL s_server -accept "$server_port" $OPENSSL_ENGINE_ID -cert "$cert_file" -key "$key_file" -quiet -CAfile "$ca_file" -www -dhparam "${CERT_DIR}/dh2048.pem" -verify 10 -verify_return_error -psk "$psk_hex" -cipher "ALL:eNULL" $openssl_nodhe & else - echo "# " $OPENSSL s_server -accept $server_port $OPENSSL_ENGINE_ID -quiet -nocert -www -dhparam \"${CERT_DIR}/dh2048.pem\" -verify 10 -verify_return_error -psk $psk_hex -cipher "ALL:eNULL" $openssl_nodhe - $OPENSSL s_server -accept $server_port $OPENSSL_ENGINE_ID -quiet -nocert -www -dhparam "${CERT_DIR}/dh2048.pem" -verify 10 -verify_return_error -psk $psk_hex -cipher "ALL:eNULL" $openssl_nodhe & + echo "# $OPENSSL s_server -accept $server_port $OPENSSL_ENGINE_ID -quiet -nocert -www -dhparam \"${CERT_DIR}/dh2048.pem\" -verify 10 -verify_return_error -psk $psk_hex -cipher \"ALL:eNULL\" $openssl_nodhe" + # shellcheck disable=SC2086 + $OPENSSL s_server -accept "$server_port" $OPENSSL_ENGINE_ID -quiet -nocert -www -dhparam "${CERT_DIR}/dh2048.pem" -verify 10 -verify_return_error -psk "$psk_hex" -cipher "ALL:eNULL" $openssl_nodhe & fi server_pid=$! 
# wait to see if s_server successfully starts before continuing @@ -201,7 +232,7 @@ start_openssl_server() { fi done - if [ $found_free_port = 0 ] + if [ "$found_free_port" = 0 ] then echo -e "Couldn't find free port for server" do_cleanup @@ -246,7 +277,8 @@ start_wolfssl_server() { echo "#" echo "# $WOLFSSL_SERVER -p $server_port -g -v d -x -i $psk $crl -l ALL \"$wolfssl_cert\" \"$wolfssl_key\" \"$wolfssl_caCert\"" - $WOLFSSL_SERVER -p $server_port -g -v d -x -i $psk $crl -l ALL "$wolfssl_cert" "$wolfssl_key" "$wolfssl_caCert" & + # shellcheck disable=SC2086 + $WOLFSSL_SERVER -p "$server_port" -g -v d -x -i $psk $crl -l ALL "$wolfssl_cert" "$wolfssl_key" "$wolfssl_caCert" & server_pid=$! # wait to see if server successfully starts before continuing sleep 0.1 @@ -265,7 +297,7 @@ start_wolfssl_server() { fi done - if [ $found_free_port = 0 ] + if [ "$found_free_port" = 0 ] then echo -e "Couldn't find free port for server" do_cleanup @@ -280,9 +312,9 @@ check_server_ready() { server_ready=0 while [ "$counter" -lt 20 ]; do echo -e "waiting for $server_name ready..." - echo -e Checking | nc -4 -w 1 -z localhost $server_port + echo -e Checking | nc -4 -w 1 -z localhost "$server_port" nc_result=$? - if [ $nc_result = 0 ] + if [ "$nc_result" = 0 ] then echo -e "$server_name ready!" server_ready=1 @@ -325,7 +357,7 @@ do_wolfssl_client() { wolfssl_caCert="-A$caCert" fi wolfssl_resume="-r" - if [ "$openssl_psk_resume_bug" != "" -a "$tls13_suite" != "" ] + if [ "$openssl_psk_resume_bug" != "" ] && [ "$tls13_suite" != "" ] then wolfssl_resume= fi 
@@ -333,21 +365,23 @@ do_wolfssl_client() { then wolfssl_resume= fi - if [ "$version" != "5" -a "$version" != "" ] + if [ "$version" != "5" ] && [ "$version" != "" ] then echo "#" echo "# $WOLFSSL_CLIENT -p $port -g $wolfssl_resume -l $wolfSuite -v $version $psk $adh \"$wolfssl_cert\" \"$wolfssl_key\" \"$wolfssl_caCert\" $crl" - $WOLFSSL_CLIENT -p $port -g $wolfssl_resume -l $wolfSuite -v $version $psk $adh "$wolfssl_cert" "$wolfssl_key" "$wolfssl_caCert" $crl + # shellcheck disable=SC2086 + $WOLFSSL_CLIENT -p "$port" -g $wolfssl_resume -l "$wolfSuite" -v "$version" $psk $adh "$wolfssl_cert" "$wolfssl_key" "$wolfssl_caCert" $crl else echo "#" echo "# $WOLFSSL_CLIENT -p $port -g $wolfssl_resume -l $wolfSuite $psk $adh \"$wolfssl_cert\" \"$wolfssl_key\" \"$wolfssl_caCert\" $crl" # do all versions - $WOLFSSL_CLIENT -p $port -g $wolfssl_resume -l $wolfSuite $psk $adh "$wolfssl_cert" "$wolfssl_key" "$wolfssl_caCert" $crl + # shellcheck disable=SC2086 + $WOLFSSL_CLIENT -p "$port" -g $wolfssl_resume -l "$wolfSuite" $psk $adh "$wolfssl_cert" "$wolfssl_key" "$wolfssl_caCert" $crl fi client_result=$? - if [ $client_result != 0 ] + if [ "$client_result" != 0 ] then echo -e "client failed! Suite = $wolfSuite version = $version" do_cleanup @@ -365,9 +399,9 @@ do_openssl_client() { return fi - if [ "$version" = "" -o "$version" = "5" ] + if [ "$version" = "" ] || [ "$version" = "5" ] then - if [ "$tls13_cipher" = "" -a "$openssl_tls13" != "" ] + if [ "$tls13_cipher" = "" ] && [ "$openssl_tls13" != "" ] then openssl_version="-no_tls1_3" fi @@ -407,7 +441,7 @@ do_openssl_client() { client_result=$? - if [ $client_result != 0 ] + if [ "$client_result" != 0 ] then echo -e "client failed! Suite = $wolfSuite version = $version" do_cleanup 
@@ -429,27 +463,25 @@ echo "OpenSSL version:" $OPENSSL version -a echo -ps -p $PPID >/dev/null 2>&1 -if [ "$?" = "1" ] -then +if ! ps -p $PPID >/dev/null 2>&1; then ps_grep="yes" echo "ps -p not working, using ps and grep" fi echo -e "\nTesting existence of openssl command...\n" -command -v $OPENSSL >/dev/null 2>&1 || { echo >&2 "Requires openssl command, but it's not installed. Ending."; do_cleanup; exit 0; } +command -v "$OPENSSL" >/dev/null 2>&1 || { echo >&2 "Requires openssl command, but it's not installed. Ending."; do_cleanup; exit 0; } echo -e "\nTesting for _build directory as part of distcheck, different paths" -currentDir=`pwd` +currentDir=$(pwd) case "$currentDir" in *_build) echo -e "_build directory detected, moving a directory back" - cd .. + cd .. || exit ;; esac echo -e "\nChecking for wolfSSL client - needed for cipher list" -wolfssl_client_avail=`$WOLFSSL_CLIENT -?` +wolfssl_client_avail=$($WOLFSSL_CLIENT -?) case $wolfssl_client_avail in *"Client not compiled in!"*) wolfssl_client_avail= @@ -460,7 +492,7 @@ case $wolfssl_client_avail in esac echo -e "\nTesting for buggy version of OpenSSL - TLS 1.3, PSK and session ticket" -openssl_version=`$OPENSSL version` +openssl_version=$($OPENSSL version) case $openssl_version in "OpenSSL 1.1.1 "*) openssl_psk_resume_bug=yes @@ -471,16 +503,16 @@ case $openssl_version in esac # check for wolfssl server -wolfssl_server_avail=`$WOLFSSL_SERVER -?` +wolfssl_server_avail=$($WOLFSSL_SERVER -?) case $wolfssl_server_avail in *"Server not compiled in!"*) wolfssl_server_avail= ;; esac # get wolfssl ciphers -wolf_ciphers=`$WOLFSSL_CLIENT -e` +wolf_ciphers=$($WOLFSSL_CLIENT -e) # get wolfssl supported versions -wolf_versions=`$WOLFSSL_CLIENT -V` +wolf_versions=$($WOLFSSL_CLIENT -V) wolf_versions="${wolf_versions}:5" #5 will test without -v flag OIFS="$IFS" # store old separator to reset 
@@ -503,7 +535,7 @@ IFS="$OIFS" #restore separator # # Check for certificate support in wolfSSL -wolf_certs=`$WOLFSSL_CLIENT -? 2>&1` +wolf_certs=$($WOLFSSL_CLIENT -? 2>&1) case $wolf_certs in *"cert"*) ;; @@ -516,7 +548,7 @@ if [ "$wolf_certs" != "" ] then echo # Check if RSA certificates supported in wolfSSL - wolf_rsa=`$WOLFSSL_CLIENT -A "${CERT_DIR}/ca-cert.pem" 2>&1` + wolf_rsa=$($WOLFSSL_CLIENT -A "${CERT_DIR}/ca-cert.pem" 2>&1) case $wolf_rsa in *"ca file"*) echo "wolfSSL does not support RSA" @@ -529,7 +561,7 @@ then echo "wolfSSL supports RSA" fi # Check if RSA-PSS certificates supported in wolfSSL - wolf_rsapss=`$WOLFSSL_CLIENT -A "${CERT_DIR}/rsapss/ca-rsapss.pem" 2>&1` + wolf_rsapss=$($WOLFSSL_CLIENT -A "${CERT_DIR}/rsapss/ca-rsapss.pem" 2>&1) case $wolf_rsapss in *"ca file"*) echo "wolfSSL does not support RSA-PSS" @@ -542,7 +574,7 @@ then echo "wolfSSL supports RSA-PSS" fi # Check if ECC certificates supported in wolfSSL - wolf_ecc=`$WOLFSSL_CLIENT -A "${CERT_DIR}/ca-ecc-cert.pem" 2>&1` + wolf_ecc=$($WOLFSSL_CLIENT -A "${CERT_DIR}/ca-ecc-cert.pem" 2>&1) case $wolf_ecc in *"ca file"*) echo "wolfSSL does not support ECDSA" @@ -555,7 +587,7 @@ then echo "wolfSSL supports ECDSA" fi # Check if Ed25519 certificates supported in wolfSSL - wolf_ed25519=`$WOLFSSL_CLIENT -A "${CERT_DIR}/ed25519/root-ed25519.pem" 2>&1` + wolf_ed25519=$($WOLFSSL_CLIENT -A "${CERT_DIR}/ed25519/root-ed25519.pem" 2>&1) case $wolf_ed25519 in *"ca file"*) echo "wolfSSL does not support Ed25519" @@ -568,7 +600,7 @@ then echo "wolfSSL supports Ed25519" fi # Check if Ed25519 certificates supported in OpenSSL - openssl_ed25519=`$OPENSSL s_client -cert "${CERT_DIR}/ed25519/client-ed25519.pem" -key "${CERT_DIR}/ed25519/client-ed25519-priv.pem" 2>&1` + openssl_ed25519=$($OPENSSL s_client -cert "${CERT_DIR}/ed25519/client-ed25519.pem" -key "${CERT_DIR}/ed25519/client-ed25519-priv.pem" 2>&1) case $openssl_ed25519 in *"unable to load"*) echo "OpenSSL does not support Ed25519" 
@@ -581,7 +613,7 @@ then echo "OpenSSL supports Ed25519" fi # Check if Ed448 certificates supported in wolfSSL - wolf_ed448=`$WOLFSSL_CLIENT -A "${CERT_DIR}/ed448/root-ed448.pem" 2>&1` + wolf_ed448=$($WOLFSSL_CLIENT -A "${CERT_DIR}/ed448/root-ed448.pem" 2>&1) case $wolf_ed448 in *"ca file"*) echo "wolfSSL does not support Ed448" @@ -594,7 +626,7 @@ then echo "wolfSSL supports Ed448" fi # Check if Ed448 certificates supported in OpenSSL - openssl_ed448=`$OPENSSL s_client -cert "${CERT_DIR}/ed448/client-ed448.pem" -key "${CERT_DIR}/ed448/client-ed448-priv.pem" 2>&1` + openssl_ed448=$($OPENSSL s_client -cert "${CERT_DIR}/ed448/client-ed448.pem" -key "${CERT_DIR}/ed448/client-ed448-priv.pem" 2>&1) case $openssl_ed448 in *"unable to load"*) echo "OpenSSL does not support Ed448" @@ -609,7 +641,7 @@ then echo fi -openssl_tls13=`$OPENSSL s_client -help 2>&1` +openssl_tls13=$($OPENSSL s_client -help 2>&1) case $openssl_tls13 in *no_tls1_3*) ;; @@ -619,7 +651,7 @@ case $openssl_tls13 in esac # Not all openssl versions support -allow_no_dhe_kex -openssl_nodhe=`$OPENSSL s_client -help 2>&1` +openssl_nodhe=$($OPENSSL s_client -help 2>&1) case $openssl_nodhe in *allow_no_dhe_kex*) openssl_nodhe=-allow_no_dhe_kex @@ -669,7 +701,7 @@ for wolfSuite in $wolf_ciphers; do done IFS="$OIFS" #restore separator -openssl_ciphers=`$OPENSSL ciphers ALL 2>&1` +openssl_ciphers=$($OPENSSL ciphers ALL 2>&1) case $openssl_ciphers in *ADH*) openssl_anon=yes @@ -680,7 +712,7 @@ esac psk_hex="1a2b3c4d" # If RSA cipher suites supported in wolfSSL then start servers -if [ "$wolf_rsa" != "" -o "$wolf_tls_psk" != "" ] +if [ "$wolf_rsa" != "" ] || [ "$wolf_tls_psk" != "" ] then if [ "$wolf_rsa" != "" ] then @@ -707,6 +739,7 @@ echo "cert_file=$cert_file" start_wolfssl_server psk= wolfssl_port=$server_port + # shellcheck disable=SC2034 wolfssl_pid=$server_pid fi 
@@ -720,15 +753,17 @@ then openssl_suite="ECDH-RSA" start_openssl_server ecdh_openssl_port=$server_port + # shellcheck disable=SC2034 ecdh_openssl_pid=$server_pid wolfssl_suite="ECDH-RSA" start_wolfssl_server ecdh_wolfssl_port=$server_port + # shellcheck disable=SC2034 ecdh_wolfssl_pid=$server_pid fi -if [ "$wolf_ecdsa" != "" -a "$wolf_ecc" != "" ] +if [ "$wolf_ecdsa" != "" ] && [ "$wolf_ecc" != "" ] then cert_file="${CERT_DIR}/server-ecc.pem" key_file="${CERT_DIR}/ecc-key.pem" @@ -742,6 +777,7 @@ then wolfssl_suite="ECDH[E]-ECDSA" start_wolfssl_server ecdsa_wolfssl_port=$server_port + # shellcheck disable=SC2034 ecdsa_wolfssl_pid=$server_pid fi @@ -761,6 +797,7 @@ then wolfssl_suite="Ed25519" start_wolfssl_server ed25519_wolfssl_port=$server_port + # shellcheck disable=SC2034 ed25519_wolfssl_pid=$server_pid crl= fi @@ -781,11 +818,12 @@ then wolfssl_suite="Ed448" start_wolfssl_server ed448_wolfssl_port=$server_port + # shellcheck disable=SC2034 ed448_wolfssl_pid=$server_pid crl= fi -if [ "$wolf_tls13" != "" -a "$wolf_psk" != "" ] +if [ "$wolf_tls13" != "" ] && [ "$wolf_psk" != "" ] then cert_file= @@ -793,15 +831,17 @@ then openssl_suite="TLSv1.3_PSK" start_openssl_server tls13_psk_openssl_port=$server_port + # shellcheck disable=SC2034 tls13_psk_openssl_pid=$server_pid psk="-s --openssl-psk" wolfssl_suite="TLSv1.3_PSK" start_wolfssl_server tls13_psk_wolfssl_port=$server_port + # shellcheck disable=SC2034 tls13_psk_wolfssl_pid=$server_pid fi -if [ "$wolf_anon" != "" -a "$openssl_anon" ] +if [ "$wolf_anon" != "" ] && [ "$openssl_anon" ] then cert_file="" key_file="" @@ -811,6 +851,7 @@ then psk="-a" # anonymous not psk start_wolfssl_server anon_wolfssl_port=$server_port + # shellcheck disable=SC2034 anon_wolfssl_pid=$server_pid fi 
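Review bot: `[ "$openssl_anon" ]` in the anonymous-suite condition is a bare-string test while every neighbouring condition in this hunk spells out its comparison (`[ "$wolf_anon" != "" ]`), and it reads like a missing operand. For consistency write `if [ "$wolf_anon" != "" ] && [ "$openssl_anon" != "" ]`, or use `-n` on both sides. The value is only ever set to `yes` by the `*ADH*` case on `$OPENSSL ciphers ALL` earlier on this page, so the intent is plainly a non-empty test.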
@@ -837,13 +878,13 @@ do # -s flag for only supported ciphers case $version in "0") - openssl_ciphers=`$OPENSSL ciphers "SSLv3" 2>&1` + openssl_ciphers=$($OPENSSL ciphers "SSLv3" 2>&1) # double check that can actually do a sslv3 connection using # client-cert.pem to send but any file with EOF works - $OPENSSL s_client -ssl3 -no_ign_eof -host localhost -port $openssl_port < "${CERT_DIR}/client-cert.pem" + $OPENSSL s_client -ssl3 -no_ign_eof -host localhost -port "$openssl_port" < "${CERT_DIR}/client-cert.pem" sslv3_sup=$? - if [ $sslv3_sup != 0 ] + if [ "$sslv3_sup" != 0 ] then echo -e "Not testing SSLv3. No OpenSSL support for 'SSLv3' modifier" testing_summary="${testing_summary}SSLv3\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n" @@ -852,17 +893,17 @@ do openssl_version="-ssl3" ;; "1") - proto_check=`echo "hell" | $OPENSSL s_client -connect localhost:$openssl_port -tls1 2>&1` + proto_check=$(echo "hell" | $OPENSSL s_client -connect localhost:"$openssl_port" -tls1 2>&1) tlsv1_sup=$? - if [ $tlsv1_sup != 0 ] + if [ "$tlsv1_sup" != 0 ] then echo -e "Not testing TLSv1. No OpenSSL support for '-tls1'" testing_summary="${testing_summary}TLSv1\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL Support)\n" continue fi - openssl_ciphers=`$OPENSSL ciphers -s "TLSv1" 2>&1` + openssl_ciphers=$($OPENSSL ciphers -s "TLSv1" 2>&1) tlsv1_sup=$? - if [ $tlsv1_sup != 0 ] + if [ "$tlsv1_sup" != 0 ] then echo -e "Not testing TLSv1. No OpenSSL support for 'TLSv1' modifier" testing_summary="${testing_summary}TLSv1\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n" 
@@ -872,17 +913,18 @@ do ;; "2") # Same ciphers for TLSv1.1 as TLSv1 - proto_check=`echo "hello" | $OPENSSL s_client -connect localhost:$openssl_port -tls1_1 2>&1` + # shellcheck disable=SC2034 + proto_check=$(echo "hello" | $OPENSSL s_client -connect localhost:"$openssl_port" -tls1_1 2>&1) tlsv1_1_sup=$? - if [ $tlsv1_1_sup != 0 ] + if [ "$tlsv1_1_sup" != 0 ] then echo -e "Not testing TLSv1.1. No OpenSSL support for 'TLSv1.1' modifier" testing_summary="${testing_summary}TLSv1.1\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n" continue fi - openssl_ciphers=`$OPENSSL ciphers -s "TLSv1" 2>&1` + openssl_ciphers=$($OPENSSL ciphers -s "TLSv1" 2>&1) tlsv1_sup=$? - if [ $tlsv1_sup != 0 ] + if [ "$tlsv1_sup" != 0 ] then echo -e "Not testing TLSv1. No OpenSSL support for 'TLSv1' modifier" testing_summary="${testing_summary}TLSv1\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n" @@ -891,9 +933,9 @@ do openssl_version="-tls1_1" ;; "3") - openssl_ciphers=`$OPENSSL ciphers -s "TLSv1.2" 2>&1` + openssl_ciphers=$($OPENSSL ciphers -s "TLSv1.2" 2>&1) tlsv1_2_sup=$? - if [ $tlsv1_2_sup != 0 ] + if [ "$tlsv1_2_sup" != 0 ] then echo -e "Not testing TLSv1.2. No OpenSSL support for 'TLSv1.2' modifier" testing_summary="${testing_summary}TLSv1.2\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n" @@ -902,15 +944,16 @@ do openssl_version="-tls1_2" ;; "4") - openssl_ciphers=`$OPENSSL ciphers -tls1_3 2>&1` + openssl_ciphers=$($OPENSSL ciphers -tls1_3 2>&1) tlsv1_3_sup=$? - if [ $tlsv1_3_sup != 0 ] + if [ "$tlsv1_3_sup" != 0 ] then echo -e "Not testing TLSv1.3. No OpenSSL support for 'TLSv1.3' modifier" testing_summary="${testing_summary}TLSv1.3\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n" continue fi - ecc_support=`$WOLFSSL_CLIENT -? 2>&1 | grep 'ECC named groups'` + # shellcheck disable=SC2034 + ecc_support=$($WOLFSSL_CLIENT -? 2>&1 | grep 'ECC named groups') openssl_version="-tls1_3" ;; "d(downgrade)") 
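Review bot: Silencing SC2034 on `proto_check=$(echo "hello" | $OPENSSL s_client ... -tls1_1 2>&1)` hides the real point, which is that the captured output is never read; only the exit status is used. Running the command with its output discarded says that directly and needs no disable: `echo "hello" | $OPENSSL s_client -connect localhost:"$openssl_port" -tls1_1 >/dev/null 2>&1` followed by the existing `tlsv1_1_sup=$?`. The same applies to `ecc_support` in the `"4")` arm further along this line, which is assigned under another SC2034 disable and not used anywhere visible on this page. The enclosing `case` on `$version` starts and ends outside this hunk.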
@@ -921,9 +964,9 @@ do continue ;; "5") #test all suites - openssl_ciphers=`$OPENSSL ciphers -s "ALL" 2>&1` + openssl_ciphers=$($OPENSSL ciphers -s "ALL" 2>&1) all_sup=$? - if [ $all_sup != 0 ] + if [ "$all_sup" != 0 ] then echo -e "Not testing ALL. No OpenSSL support for ALL modifier" testing_summary="${testing_summary}ALL\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n" @@ -932,9 +975,9 @@ do openssl_version="" ;; "") - openssl_ciphers=`$OPENSSL ciphers 2>&1` + openssl_ciphers=$($OPENSSL ciphers 2>&1) all_sup=$? - if [ $all_sup != 0 ] + if [ "$all_sup" != 0 ] then echo -e "Not testing ALL. No OpenSSL support for ALL modifier" testing_summary="${testing_summary}ALL\tNo\tN/A\tN/A\tN/A\tN/A\t (No OpenSSL cipherstring)\n" @@ -1007,7 +1050,7 @@ do case ":$openssl_ciphers:" in *":$cmpSuite:"*) # add extra : for edge cases case "$cmpSuite" in "TLS_"*) - if [ "$version" != "4" -a "$version" != "d" ] + if [ "$version" != "4" ] && [ "$version" != "d" ] then echo -e "TLS 1.3 cipher suite but not TLS 1.3 protocol" matchSuite=0 @@ -1017,7 +1060,7 @@ do fi ;; *) - if [ "$version" = "d" -a "$wolfdowngrade" = "4" ] + if [ "$version" = "d" ] && [ "$wolfdowngrade" = "4" ] then echo -e "Not TLS 1.3 cipher suite but TLS 1.3 downgrade" matchSuite=0 @@ -1072,7 +1115,7 @@ do else wolf_temp_cases_total=$((wolf_temp_cases_total - 1)) fi - if [ $ed25519_openssl_pid != $no_pid -a "$version" != "0" -a "$version" != "1" -a "$version" != "2" ] + if [ "$ed25519_openssl_pid" != "$no_pid" ] && [ "$version" != "0" ] && [ "$version" != "1" ] && [ "$version" != "2" ] then cert="${CERT_DIR}/ed25519/client-ed25519.pem" key="${CERT_DIR}/ed25519/client-ed25519-priv.pem" 
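Review bot: Quoting `"$ed25519_openssl_pid" != "$no_pid"` changes the outcome when the variable was never assigned: the old unquoted test produced a `[` syntax error (non-zero, so the Ed25519 block was skipped), whereas `[ "" != "-1" ]` is true and the block now runs `do_openssl_client` against an unset `ed25519_wolfssl_port`. This only matters if the `*_openssl_pid` variables are not initialised to `$no_pid` before the cipher loop, which I cannot see from this hunk; if they are not, add `ed25519_openssl_pid=$no_pid` (and the same for the other server pids) next to the `no_pid=-1` definition. Either way a short comment at that definition stating that every `*_openssl_pid` is pre-set to `$no_pid` would make these comparisons safe to read. The enclosing loop starts and ends outside this hunk.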
@@ -1086,7 +1129,7 @@ do port=$ed25519_wolfssl_port do_openssl_client fi - if [ $ed448_openssl_pid != $no_pid -a "$version" != "0" -a "$version" != "1" -a "$version" != "2" ] + if [ "$ed448_openssl_pid" != "$no_pid" ] && [ "$version" != "0" ] && [ "$version" != "1" ] && [ "$version" != "2" ] then cert="${CERT_DIR}/ed448/client-ed448.pem" key="${CERT_DIR}/ed448/client-ed448-priv.pem" @@ -1136,7 +1179,7 @@ do key="${CERT_DIR}/client-key.pem" caCert="${CERT_DIR}/ca-cert.pem" - if [ "$version" != "0" -a "$version" != "1" -a "$version" != "2" -a "$openssl_adh_reneg_bug" != "" ] + if [ "$version" != "0" ] && [ "$version" != "1" ] && [ "$version" != "2" ] && [ "$openssl_adh_reneg_bug" != "" ] then continue fi @@ -1148,7 +1191,7 @@ do do_openssl_client ;; TLS13*) - if [ $version != "4" -a $version != "d" -a $version != " " -a $version != "5" ] + if [ "$version" != "4" ] && [ "$version" != "d" ] && [ "$version" != " " ] && [ "$version" != "5" ] then continue fi @@ -1165,10 +1208,8 @@ do fi # Integrity-only cipher suites require OpenSSL 3.4 or later - $OPENSSL version | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -1 | \ - awk -F. '{if ($1 > 3 || ($1 == 3 && $2 >= 4)) exit 1; else exit 0;}' - if [ $? -eq 0 ] - then + if $OPENSSL version | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -1 | \ + awk -F. '{if ($1 > 3 || ($1 == 3 && $2 >= 4)) exit 1; else exit 0;}'; then echo -e "OpenSSL version too old for integrity-only ciphers, skipping" tls13_cipher= tls13_integrity_only= @@ -1176,7 +1217,7 @@ do fi # Test with RSA certs if available - if [ $openssl_pid != $no_pid -a "$wolf_rsa" != "" ] + if [ "$openssl_pid" != "$no_pid" ] && [ "$wolf_rsa" != "" ] then cert="${CERT_DIR}/client-cert.pem" key="${CERT_DIR}/client-key.pem" 
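Review bot: The `TLS13*)` guard compares `"$version"` against a single space, `[ "$version" != " " ]`, which no value produced by the version loop can equal; the loop's own `"")` arm (visible earlier on this page) and `do_openssl_client`'s `[ "$version" = "" ]` both treat the empty string as the all-versions value, so this looks like a pre-existing typo for `""` that the quoting pass carried over. With the typo, an empty-version iteration hits `continue` and the TLS 1.3 suites are skipped in that pass, if the empty version is reachable here. Suggest `if [ "$version" != "4" ] && [ "$version" != "d" ] && [ "$version" != "" ] && [ "$version" != "5" ]`. The surrounding `case` statement starts and ends outside this hunk.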
@@ -1185,7 +1226,7 @@ do # Start a dedicated OpenSSL server for integrity-only tests generate_port integrity_openssl_port=$port - $OPENSSL s_server -accept $integrity_openssl_port -cert "${CERT_DIR}/server-cert.pem" -key "${CERT_DIR}/server-key.pem" -quiet -CAfile "${CERT_DIR}/client-cert.pem" -www -cipher "ALL:eNULL:@SECLEVEL=0" -ciphersuites "$cmpSuite" -verify 10 -verify_return_error & + $OPENSSL s_server -accept "$integrity_openssl_port" -cert "${CERT_DIR}/server-cert.pem" -key "${CERT_DIR}/server-key.pem" -quiet -CAfile "${CERT_DIR}/client-cert.pem" -www -cipher "ALL:eNULL:@SECLEVEL=0" -ciphersuites "$cmpSuite" -verify 10 -verify_return_error & integrity_openssl_pid=$! sleep 0.1 @@ -1193,13 +1234,13 @@ do do_wolfssl_client # Kill the dedicated server - kill $integrity_openssl_pid 2>/dev/null + kill "$integrity_openssl_pid" 2>/dev/null port=$wolfssl_port do_openssl_client fi # Test with ECC certs if available - if [ $ecdsa_openssl_pid != $no_pid -a "$wolf_ecc" != "" ] + if [ "$ecdsa_openssl_pid" != "$no_pid" ] && [ "$wolf_ecc" != "" ] then cert="${CERT_DIR}/client-ecc-cert.pem" key="${CERT_DIR}/ecc-client-key.pem" @@ -1208,7 +1249,7 @@ do # Start a dedicated OpenSSL server for integrity-only tests (ECC) generate_port integrity_openssl_port=$port - $OPENSSL s_server -accept $integrity_openssl_port -cert "${CERT_DIR}/server-ecc.pem" -key "${CERT_DIR}/ecc-key.pem" -quiet -CAfile "${CERT_DIR}/client-ecc-cert.pem" -www -cipher "ALL:eNULL:@SECLEVEL=0" -ciphersuites "$cmpSuite" -verify 10 -verify_return_error & + $OPENSSL s_server -accept "$integrity_openssl_port" -cert "${CERT_DIR}/server-ecc.pem" -key "${CERT_DIR}/ecc-key.pem" -quiet -CAfile "${CERT_DIR}/client-ecc-cert.pem" -www -cipher "ALL:eNULL:@SECLEVEL=0" -ciphersuites "$cmpSuite" -verify 10 -verify_return_error & integrity_openssl_pid=$! sleep 0.1 
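Review bot: The dedicated integrity-only `s_server` started right after `generate_port` is neither readiness-checked nor registered for cleanup: it is followed by a fixed `sleep 0.1` instead of the `check_server_ready` loop the other servers go through, and if `do_wolfssl_client` fails it calls `do_cleanup` and exits before the `kill "$integrity_openssl_pid"` in the next hunk runs, leaving the server orphaned on its port (as far as I can see, `do_cleanup` only kills the pids it was told about). Consider reusing the existing helpers: set `server_port=$integrity_openssl_port` and `server_name="openssl integrity"` and call `check_server_ready` before the client run, and add the pid to whatever list `do_cleanup` iterates. The same applies to the ECC twin of this block further along this line. The enclosing loop body starts and ends outside this hunk.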
@@ -1217,7 +1258,7 @@ do do_wolfssl_client # Kill the dedicated server - kill $integrity_openssl_pid 2>/dev/null + kill "$integrity_openssl_pid" 2>/dev/null open_temp_cases_total=$((open_temp_cases_total + 1)) port=$ecdsa_wolfssl_port @@ -1228,7 +1269,7 @@ do continue fi # RSA - if [ $openssl_pid != $no_pid -a "$ecdhe_avail" = "yes" ] + if [ "$openssl_pid" != "$no_pid" ] && [ "$ecdhe_avail" = "yes" ] then cert="${CERT_DIR}/client-cert.pem" key="${CERT_DIR}/client-key.pem" @@ -1240,7 +1281,7 @@ do do_openssl_client fi # PSK - if [ "$wolf_psk" != "" -a $wolfSuite = "TLS13-AES128-GCM-SHA256" -a "$wolf_ecc" != "" -a $openssl_nodhe != "" ] + if [ "$wolf_psk" != "" ] && [ "$wolfSuite" = "TLS13-AES128-GCM-SHA256" ] && [ "$wolf_ecc" != "" ] && [ "$openssl_nodhe" != "" ] then cert="" key="" @@ -1268,7 +1309,7 @@ do openssl_psk="" fi # ECDSA - if [ $ecdsa_openssl_pid != $no_pid -a "$wolf_ecc" != "" ] + if [ "$ecdsa_openssl_pid" != "$no_pid" ] && [ "$wolf_ecc" != "" ] then cert="${CERT_DIR}/client-ecc-cert.pem" key="${CERT_DIR}/ecc-client-key.pem" @@ -1344,7 +1385,7 @@ done IFS="$OIFS" #restore separator # Skip RSA-PSS interop test when RSA-PSS is not supported -if [ "$wolf_rsapss" != "" -a "$ecdhe_avail" = "yes" -a "$wolf_rsa" = "yes" ] +if [ "$wolf_rsapss" != "" ] && [ "$ecdhe_avail" = "yes" ] && [ "$wolf_rsa" = "yes" ] then # Test for RSA-PSS certs interop # Was running into alert sent by openssl server with version 1.1.1 released diff --git a/scripts/openssl_srtp.test b/scripts/openssl_srtp.test index 509db8a6c7..c93e836891 100755 --- a/scripts/openssl_srtp.test +++ b/scripts/openssl_srtp.test 
@@ -14,19 +14,55 @@ OPENSSL=${OPENSSL:="openssl"} WOLFSSL_CLIENT=${WOLFSSL_CLIENT:="./examples/client/client"} # need a unique port since may run the same time as testsuite +# Track ports already assigned in this script run to prevent intra-run collisions +used_ports=() + generate_port() { #-------------------------------------------------------------------------# - # Generate a random port number + # Generate a random port number, guaranteed unique within this script run. + # Checks both the intra-run used_ports list and system-level bound ports. #-------------------------------------------------------------------------# + local attempts=0 collision p + + while true; do + if [[ "$OSTYPE" == "linux"* ]]; then + p=$(($(od -An -N2 /dev/urandom) % (65535-49512) + 49512)) + elif [[ "$OSTYPE" == "darwin"* ]]; then + p=$(($(od -An -N2 /dev/random) % (65535-49512) + 49512)) + else + echo "Unknown OS TYPE" + exit 1 + fi + + # Check against ports already assigned in this run + collision=0 + for up in "${used_ports[@]}"; do + if [ "$up" = "$p" ]; then + collision=1 + break + fi + done + + # Also check if the port is already bound on this system + if [ "$collision" -eq 0 ]; then + if command -v ss &>/dev/null; then + ss -lnt 2>/dev/null | grep -q ":${p}[[:space:]]" && collision=1 + elif command -v netstat &>/dev/null; then + netstat -lnt 2>/dev/null | grep -q ":${p}[[:space:]]" && collision=1 + fi + fi + + [ "$collision" -eq 0 ] && break + + attempts=$((attempts + 1)) + if [ "$attempts" -ge 100 ]; then + echo "ERROR: generate_port could not find a free port after 100 attempts" + exit 1 + fi + done - if [[ "$OSTYPE" == "linux"* ]]; then - port=$(($(od -An -N2 /dev/urandom) % (65535-49512) + 49512)) - elif [[ "$OSTYPE" == "darwin"* ]]; then - port=$(($(od -An -N2 /dev/random) % (65535-49512) + 49512)) - else - echo "Unknown OS TYPE" - exit 1 - fi + port=$p + used_ports+=("$p") } # get size of key material based on the profile 
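Review bot: The new bound-port check in this script's `generate_port` looks only at TCP listeners (`ss -lnt` / `netstat -lnt`), but `openssl_srtp.test` runs DTLS (the client is started with `-u` and the server with `-${dtls_version}` further down this page), which binds UDP, so a port already taken by another DTLS/SRTP run is never reported as a collision. Use `-lntu` in both commands, e.g. `ss -lntu 2>/dev/null | grep -q ":${p}[[:space:]]" && collision=1`; on Linux `-l` with `-u` lists bound, unconnected UDP sockets, while on macOS the BSD netstat prints the address with a dot separator that this pattern does not match anyway. This copy counts attempts with `attempts=$((attempts + 1))` while the other two copies on this page use `((attempts++))`; the three should agree, and this form is the safer one.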
@@ -75,13 +111,13 @@ start_openssl_server() { (sleep 1;echo -n "I hear you fa shizzle...") | \ ${OPENSSL} s_server \ -${dtls_version} \ - -port ${server_port} \ + -port "${server_port}" \ -debug \ - -use_srtp ${srtp_profile} \ + -use_srtp "${srtp_profile}" \ -keymatexport EXTRACTOR-dtls_srtp \ - -keymatexportlen $ekm_size \ + -keymatexportlen "$ekm_size" \ -cert ./certs/server-cert.pem \ - -key ./certs/server-key.pem >$server_output_file & + -key ./certs/server-key.pem >"$server_output_file" & # make sure the server is up sleep 0.1 @@ -103,16 +139,16 @@ start_wolfssl_client() { ${WOLFSSL_CLIENT} -u\ -x \ -v${dtls_version} \ - --srtp ${srtp_profile} \ - -p${server_port} >$client_output_file + --srtp "${srtp_profile}" \ + -p${server_port} >"$client_output_file" } # $1 openssl file # $2 wolfssl file check_ekm() { - openssl_ekm=$(cat "$1" | grep "Keying material: " | cut -d ':' -f 2) + openssl_ekm=$(grep "Keying material: " < "$1" | cut -d ':' -f 2) echo "OPENSSL EKM: $openssl_ekm" - wolfssl_ekm=$(cat "$2" | grep "DTLS SRTP: Exported key material: " | cut -d ':' -f 3) + wolfssl_ekm=$(grep "DTLS SRTP: Exported key material: " < "$2" | cut -d ':' -f 3) echo "WOLFSSL EKM: $wolfssl_ekm" if [ "$openssl_ekm" = "$wolfssl_ekm" ];then @@ -125,11 +161,11 @@ check_ekm() { # $1 dtsl version # $2 srtp profile check_dtls_srtp() { - start_openssl_server $1 $2 - start_wolfssl_client $1 $2 - check_ekm $server_output_file $client_output_file + start_openssl_server "$1" "$2" + start_wolfssl_client "$1" "$2" + check_ekm "$server_output_file" "$client_output_file" echo -n "check dtls $1 $2... " - if [ $check_ret -ne 0 ];then + if [ "$check_ret" -ne 0 ];then echo "failed" exit 1 else @@ -145,6 +181,6 @@ PROFILES="SRTP_AES128_CM_SHA1_80 \ for DTLS in 1.0 1.2;do for SRTP_PROF in $PROFILES;do - check_dtls_srtp $DTLS $SRTP_PROF + check_dtls_srtp "$DTLS" "$SRTP_PROF" done done diff --git a/scripts/rsapss.test b/scripts/rsapss.test index 09f7c394ee..6ae75c92ce 100755 --- a/scripts/rsapss.test 
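Review bot: `check_ekm` passes when both exported-key-material strings are empty: if neither log contains its expected line (server failed to start, client failed to negotiate SRTP), `openssl_ekm` and `wolfssl_ekm` are both `""`, the `=` test succeeds and the profile is reported as working. Add a non-empty guard in front of the comparison, e.g. `if [ -n "$openssl_ekm" ] && [ "$openssl_ekm" = "$wolfssl_ekm" ];then`. In the same hunk, `-p${server_port}` in `start_wolfssl_client` is the one expansion left unquoted while its neighbours gained quotes; `-p"${server_port}"` keeps it consistent. The body of `check_ekm` continues beyond the end of this hunk.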
+++ b/scripts/rsapss.test @@ -53,19 +53,55 @@ elif [ "${AM_BWRAPPED-}" != "yes" ]; then fi # need a unique port since may run the same time as testsuite +# Track ports already assigned in this script run to prevent intra-run collisions +used_ports=() + generate_port() { #-------------------------------------------------------------------------# - # Generate a random port number + # Generate a random port number, guaranteed unique within this script run. + # Checks both the intra-run used_ports list and system-level bound ports. #-------------------------------------------------------------------------# + local attempts=0 collision p - if [[ "$OSTYPE" == "linux"* ]]; then - port=$(($(od -An -N2 /dev/urandom) % (65535-49512) + 49512)) - elif [[ "$OSTYPE" == "darwin"* ]]; then - port=$(($(od -An -N2 /dev/random) % (65535-49512) + 49512)) - else - echo "skipping due to unsupported OS" - exit 0 - fi + while true; do + if [[ "$OSTYPE" == "linux"* ]]; then + p=$(($(od -An -N2 /dev/urandom) % (65535-49512) + 49512)) + elif [[ "$OSTYPE" == "darwin"* ]]; then + p=$(($(od -An -N2 /dev/random) % (65535-49512) + 49512)) + else + echo "skipping due to unsupported OS" + exit 0 + fi + + # Check against ports already assigned in this run + collision=0 + for up in "${used_ports[@]}"; do + if [ "$up" = "$p" ]; then + collision=1 + break + fi + done + + # Also check if the port is already bound on this system + if [ "$collision" -eq 0 ]; then + if command -v ss &>/dev/null; then + ss -lnt 2>/dev/null | grep -q ":${p}[[:space:]]" && collision=1 + elif command -v netstat &>/dev/null; then + netstat -lnt 2>/dev/null | grep -q ":${p}[[:space:]]" && collision=1 + fi + fi + + [ "$collision" -eq 0 ] && break + + ((attempts++)) + if [ "$attempts" -ge 100 ]; then + echo "ERROR: generate_port could not find a free port after 100 attempts" + exit 1 + fi + done + + port=$p + used_ports+=("$p") } WOLFSSL_SERVER=./examples/server/server 
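Review bot: This is the third verbatim copy of the ~40-line `generate_port` on this page (openssl.test, openssl_srtp.test, rsapss.test), and the copies have already diverged in how they count attempts: `((attempts++))` here versus `attempts=$((attempts + 1))` in the SRTP script. Since `((attempts++))` returns status 1 on the first increment (the expression evaluates to 0), it would abort the script under `set -e`; using `attempts=$((attempts + 1))` here avoids that and matches the other copy. Longer term, moving the function into one file sourced by each script would keep the collision logic and its platform quirks (the `netstat` address format, TCP-only listing) in a single place. The unsupported-OS branch keeps its `exit 0` skip semantics from before, which is appropriate for this test.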
@@ -73,17 +109,17 @@ WOLFSSL_SERVER=./examples/server/server start_wolfssl_server() { generate_port server_port=$port - $WOLFSSL_SERVER -p $server_port -v 4 -c $CERT_DIR/rsapss/server-rsapss.pem -k $CERT_DIR/rsapss/server-rsapss-priv.pem -A $CERT_DIR/rsapss/root-rsapss.pem -d & + $WOLFSSL_SERVER -p "$server_port" -v 4 -c "$CERT_DIR"/rsapss/server-rsapss.pem -k "$CERT_DIR"/rsapss/server-rsapss-priv.pem -A "$CERT_DIR"/rsapss/root-rsapss.pem -d & } # # Run OpenSSL client against wolfSSL server # do_openssl_client() { - echo "test connection" | $OPENSSL s_client -connect 127.0.0.1:$server_port -cert $CERT_DIR/rsapss/client-rsapss.pem -key $CERT_DIR/rsapss/client-rsapss-priv.pem -CAfile $CERT_DIR/rsapss/root-rsapss.pem > rsapss.test.log + echo "test connection" | $OPENSSL s_client -connect 127.0.0.1:"$server_port" -cert "$CERT_DIR"/rsapss/client-rsapss.pem -key "$CERT_DIR"/rsapss/client-rsapss-priv.pem -CAfile "$CERT_DIR"/rsapss/root-rsapss.pem > rsapss.test.log result=$? cat rsapss.test.log - if [ $result != 0 ] + if [ "$result" != 0 ] then echo "$OPENSSL s_client command failed" exit 1 @@ -91,7 +127,7 @@ do_openssl_client() { grep -q "Peer signature type:.*rsa_pss_rsae_sha256" rsapss.test.log result=$? rm -f rsapss.test.log - if [ $result == 0 ] + if [ "$result" == 0 ] then echo "Test failed: Peer signature type identified as rsa_pss_rsae_sha256" exit 1
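Review bot: `do_openssl_client` writes to a fixed `rsapss.test.log` in the current directory, so two instances of this test running at the same time (the very reason the script draws random ports) clobber each other's log, and the `grep -q "Peer signature type:.*rsa_pss_rsae_sha256"` and `rm -f` in the following hunk may inspect or delete the other run's file. Use a per-run name, e.g. `log=rsapss.test.log.$$` (or `log=$(mktemp)`), and reference `"$log"` in the redirect, the `cat`, the `grep` and the `rm -f`. Minor: `[ "$result" == 0 ]` uses the bash-only `==` inside `[` while the rest of the file uses `=`/`!=`; `=` is consistent. Both hunks on this line are fully visible.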