
#!/bin/bash
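# Test harness for the wolfSSL nginx integration.
#
# Usage: test.sh [-tls13]
#
# Environment (all optional):
#   NGINX_BIN       nginx executable; defaults to ${NGINX_SRC}/objs/nginx
#   WOLFSSL_SOURCE  wolfSSL source tree; defaults to ../wolfssl
#   IPV6            when non-empty, connect over the IPv4-mapped IPv6 address
#
# Every preflight failure prints "Stopping - FAIL" and exits 1.
NGINX_SRC="../nginx"
if [ -z "$NGINX_BIN" ]; then
  NGINX_BIN="${NGINX_SRC}/objs/nginx"
fi
if [ -z "$WOLFSSL_SOURCE" ]; then
  WOLFSSL_SOURCE="../wolfssl"
fi
# Relative to the wolfSSL source tree, which the script cd's into below.
WOLFSSL_CLIENT="./examples/client/client"
# Relative to WN_PATH (nginx is started with -p "$WN_PATH").
NGINX_CONF="./conf/nginx.conf"
NGINX_TLS13_CONF="./conf/nginx_tls13.conf"
OCSP_GOOD="ocsp-good-status.der"
OCSP_BAD="ocsp-bad-status.der"
WN_PATH=$(pwd)
WN_OCSP_GOOD="$WN_PATH/conf/$OCSP_GOOD"
WN_OCSP_BAD="$WN_PATH/conf/$OCSP_BAD"
WN_LOGS="$WN_PATH/logs"
WN_ERROR_LOG="$WN_LOGS/error.log"
HOST="127.0.0.1"
if [ -n "$IPV6" ]; then
  HOST="::ffff:127.0.0.1"
fi
# Option parsing: -tls13 is the only accepted flag.
while [ $# -gt 0 ]; do
  case "$1" in
    -tls13)
      TLS13=1
      NGINX_CONF=$NGINX_TLS13_CONF
      ;;
    *)
      echo "Unrecognized option: $1"
      exit 1
      ;;
  esac
  shift
done
if [ ! -f "$NGINX_BIN" ]; then
  echo "Could not find Nginx exe: ${NGINX_BIN}"
  echo "Stopping - FAIL"
  exit 1
fi
echo "Ngninx binary: $NGINX_BIN"
echo "wolfSSL Source directory: $WOLFSSL_SOURCE"
if [ ! -d "$WOLFSSL_SOURCE" ]; then
  echo "Could not find wolfSSL source directory: ${WOLFSSL_SOURCE}"
  echo "Stopping - FAIL"
  exit 1
fi
echo "Changing into wolfSSL source directory"
# A failed cd must not let the rest of the script run in the wrong tree.
cd "$WOLFSSL_SOURCE" || {
  echo "Could not change into wolfSSL source directory: ${WOLFSSL_SOURCE}"
  echo "Stopping - FAIL"
  exit 1
}
if [ ! -e "$WOLFSSL_CLIENT" ]; then
  echo "Could not find wolfSSL client: ${WOLFSSL_CLIENT}"
  echo "Stopping - FAIL"
  exit 1
fi
# command -v instead of which: a builtin with a reliable non-zero status
# whenever the tool is absent (which may be missing or return other codes).
if ! OPENSSL=$(command -v openssl); then
  echo "Could not find openssl superapp"
  echo "Stopping - FAIL"
  exit 1
fi
echo "OpenSSL superapp found: $OPENSSL"
echo
if [ ! -d "$WN_LOGS" ]; then
  echo "Making directory: ${WN_LOGS}"
  mkdir -- "$WN_LOGS" || {
    echo "Could not create directory: ${WN_LOGS}"
    echo "Stopping - FAIL"
    exit 1
  }
fi
# Scratch files that capture client/server output. mktemp picks unpredictable
# names, so nothing pre-planted in the shared temp directory can redirect the
# output; they are created after the preflight checks so an early exit leaves
# nothing behind, and do_cleanup removes them.
CLIENT_TMP=$(mktemp "${TMPDIR:-/tmp}/nginx_client.XXXXXX") || {
  echo "Could not create temporary file for client output"
  echo "Stopping - FAIL"
  exit 1
}
SERVER_TMP=$(mktemp "${TMPDIR:-/tmp}/nginx_server.XXXXXX") || {
  echo "Could not create temporary file for server output"
  echo "Stopping - FAIL"
  rm -f -- "$CLIENT_TMP"
  exit 1
}
# Number of minutes OCSP responses will be valid for
VALID_MIN=60
# EXPECT: patterns a test case wants in the client output; EXP is the working
# copy check_log iterates over. EXPECT_SERVER is declared but unused here.
declare -a EXPECT
declare -a EXPECT_SERVER
declare -a EXP
# 0 means "not started"; do_cleanup only kills non-zero PIDs.
SERVER_PID=0
OCSP_PID=0
# Result counters printed in the final summary.
PASS=0
FAIL=0
UNKNOWN=0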
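#######################################
# Echo and then run the nginx binary against the test prefix directory.
# Globals:   NGINX_BIN, WN_PATH, NGINX_CONF, WN_ERROR_LOG (read)
#            NGINX_OPTS (read; extra args such as "-s stop", word-split)
#            RES (written; nginx exit status)
#######################################
run_nginx() {
  # valgrind --leak-check=full
  local -a cmd=(
    "${NGINX_BIN}" -p "${WN_PATH}"
    -c "${NGINX_CONF}"
    -g "error_log ${WN_ERROR_LOG} debug;"
  )
  # NGINX_OPTS is deliberately unquoted: callers pass a space-separated list
  # (e.g. "-s stop") that must become separate arguments.
  # shellcheck disable=SC2086
  cmd+=(${NGINX_OPTS})
  echo "${cmd[@]}"
  "${cmd[@]}"
  RES=$?
}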
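#######################################
# Stop nginx, remove scratch files, kill helper processes and clear nginx's
# temp directories under WN_PATH.
# Globals:   NGINX_OPTS (written), CLIENT_TMP, SERVER_TMP, SERVER_PID,
#            OCSP_PID, WN_PATH (read)
# Returns:   non-zero if WN_PATH cannot be entered (temp dirs then untouched)
#######################################
do_cleanup() {
  echo "# In cleanup"
  NGINX_OPTS="-s stop"
  run_nginx
  rm -f -- "$CLIENT_TMP"
  rm -f -- "$SERVER_TMP"
  # PIDs are initialised to 0 and only set once a process has been started.
  if [ "$SERVER_PID" != '0' ]; then
    echo "# Killing server"
    kill -9 "$SERVER_PID"
  fi
  if [ "$OCSP_PID" != '0' ]; then
    echo "# Killing OCSP responder"
    kill -9 "$OCSP_PID"
  fi
  # The recursive delete must only ever run inside the nginx prefix directory.
  cd "$WN_PATH" || return
  rm -rf client_body_temp fastcgi_temp proxy_temp scgi_temp uwsgi_temp
}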
#######################################
# Signal handler: announce the interruption, clean up and exit with failure.
# Returns:   never returns; exits 1
#######################################
do_trap() {
  printf '%s\n' "# Got trap"
  do_cleanup
  exit 1
}
# Route Ctrl-C / TERM through do_trap so nginx and the responder are stopped.
trap 'do_trap' TERM INT
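#######################################
# Grep $LOG for every pattern in EXP and tally the result.
# Globals:   LOG (read; file to search), EXP (read; basic-regex patterns)
#            PASS, FAIL (written; one increment per pattern)
#            UNKNOWN (written; incremented when EXP is empty)
# Outputs:   grep's matching lines and PASS/FAIL markers; the whole log when
#            any pattern is missing or there are no expectations
#######################################
check_log() {
  local idx
  local dump_log="no"
  # Count elements rather than testing EXP[0], so a set of expectations
  # is recognised regardless of what its first entry is.
  if [ "${#EXP[@]}" -gt 0 ]; then
    for idx in "${!EXP[@]}"; do
      # "--" keeps a pattern that begins with "-" from being read as an option.
      if grep -- "${EXP[$idx]}" "$LOG"; then
        echo "# PASS: Found: ${EXP[$idx]}"
        echo
        PASS=$((PASS + 1))
      else
        echo "# FAIL: Didn't find: ${EXP[$idx]}"
        echo
        dump_log="yes"
        FAIL=$((FAIL + 1))
      fi
    done
  else
    dump_log="yes"
    UNKNOWN=$((UNKNOWN + 1))
  fi
  if [ "$dump_log" = "yes" ]; then
    cat -- "$LOG"
  fi
}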
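#######################################
# Run the wolfSSL example client against $HOST:$PORT, capture everything it
# prints, then check the capture against EXPECT.
# Globals:   WOLFSSL_CLIENT, PORT, HOST, CLIENT_TMP, EXPECT (read)
#            OPTS (read; extra client flags, space-separated, word-split)
#            LOG, EXP (written for check_log)
#######################################
client() {
  # OPTS is deliberately unquoted: test cases set it to several flags.
  # shellcheck disable=SC2086
  "${WOLFSSL_CLIENT}" -r -g -p "$PORT" -h "$HOST" $OPTS >"$CLIENT_TMP" 2>&1
  echo "# Client Output"
  LOG=$CLIENT_TMP
  EXP=("${EXPECT[@]}")
  check_log
}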
#######################################
# Plain client test case: add -r to the client options and run the client.
# Globals:   OPTS (read and appended to)
#######################################
client_test() {
  OPTS+=" -r"
  client
}
#######################################
# OCSP stapling test case: add the stapling flags (-C, the OCSP root CA via
# -A, -W 1) to the client options and run the client.
# Globals:   WN_PATH (read), OPTS (read and appended to)
#######################################
stapling_test() {
  local stapling_opts="-C -A ${WN_PATH}/conf/ocsp-root-ca-cert.pem -W 1"
  OPTS+=" ${stapling_opts}"
  client
}
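# Start the OSCP responder and generate the response files
# NOTE(review): only a port is given (-port 22221), so the responder presumably
# listens on every local interface for the life of the run; confirm that is
# acceptable wherever this harness is executed.
"${OPENSSL}" ocsp -port 22221 -nmin "${VALID_MIN}" \
  -index "${WN_PATH}/conf/ocsp-index.txt" \
  -rsigner "${WN_PATH}/conf/ocsp-responder-cert.pem" \
  -rkey "${WN_PATH}/conf/ocsp-responder-key.pem" \
  -CA "${WN_PATH}/conf/ocsp-intermediate-ca-cert.pem" >/dev/null 2>&1 &
OCSP_PID=$!
# NOTE(review): there is no readiness wait before the two queries below; a slow
# responder start surfaces as a missing response file in the checks that
# follow rather than being retried.
# Generate OCSP response file that indicates certificate is good.
"${OPENSSL}" ocsp -issuer "${WN_PATH}/conf/ocsp-intermediate-ca-cert.pem" \
  -cert "${WN_PATH}/conf/ocsp-good-cert.pem" \
  -url http://localhost:22221 -resp_text -respout "${WN_OCSP_GOOD}" -no_nonce \
  >/dev/null 2>&1
# Generate OCSP response file that indicates certificate is revoked.
"${OPENSSL}" ocsp -issuer "${WN_PATH}/conf/ocsp-intermediate-ca-cert.pem" \
  -cert "${WN_PATH}/conf/ocsp-bad-cert.pem" \
  -url http://localhost:22221 -resp_text -respout "${WN_OCSP_BAD}" -no_nonce \
  >/dev/null 2>&1
# The responder is already running: every fatal exit from here on goes through
# do_cleanup so it is not left orphaned.
if [ ! -f "$WN_OCSP_GOOD" ]; then
  echo "Could not find OCSP output file: ${WN_OCSP_GOOD}"
  echo "Stopping - FAIL"
  do_cleanup
  exit 1
fi
if [ ! -f "$WN_OCSP_BAD" ]; then
  echo "Could not find OCSP output file: ${WN_OCSP_BAD}"
  echo "Stopping - FAIL"
  do_cleanup
  exit 1
fi
# Stop any nginx left over from an earlier run before starting a fresh one.
echo "Stopping Nginx ..."
NGINX_OPTS="-s stop"
run_nginx
echo "Starting Nginx ..."
# Start Nginx
NGINX_OPTS=
run_nginx
if [ "$RES" != "0" ]; then
  echo "Failed to start Nginx"
  do_cleanup
  exit 1
fi

#######################################
# Print a test-case banner and set the globals the client helpers read.
# Arguments: $1 - case title
#            $2 - nginx listen port for the case
#            $3 - extra client options (space-separated; may be empty)
# Globals:   PORT, OPTS (written)
#######################################
begin_case() {
  echo
  echo '#'
  echo "# $1"
  echo '#'
  PORT=$2
  echo "# Port: $PORT"
  OPTS=$3
}

# Default certificate, DH KEA
begin_case 'DH Key Exchange' 11443 ''
EXPECT=("2048" "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" "HTTP/1.1 200 OK" "resume response")
client_test
# Default certificate, DH, verify client
begin_case 'DH Key Exchange verify client' 11444 '-x'
EXPECT=("400 No required SSL certificate was sent")
client_test
# Default certificate, ECDH with SECP384R1
begin_case 'ECDH Key Exchange: SECP384R1' 11445 ''
EXPECT=("SECP384R1" "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" "HTTP/1.1 200 OK")
client_test
# ECC certificate, ECDH with default curve (prime256v1)
begin_case 'ECC Certificate, ECDH Key Exchange: default curve (prime256v1)' 11446 \
  '-A certs/ca-ecc-cert.pem'
EXPECT=("SECP256R1" "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" "HTTP/1.1 200 OK")
client_test
if [ -n "$TLS13" ]; then
  # TLS v1.3
  begin_case 'TLS v1.3 client connecting to nginx server' 11447 '-v 4'
  EXPECT=("SECP256R1" "TLS_AES_128_GCM_SHA256" "HTTP/1.1 200 OK")
  client_test
fi
# Session tickets file
begin_case 'Session ticket file' 11450 ''
EXPECT=("Session Ticket CB" "HTTP/1.1 200 OK")
client_test
begin_case 'Session cache off' 11455 ''
EXPECT=("didn't reuse session id!!!" "HTTP/1.1 200 OK")
client_test
begin_case 'Session cache none' 11456 ''
EXPECT=("didn't reuse session id!!!" "HTTP/1.1 200 OK")
client_test
begin_case 'Session cache builtin' 11457 ''
# TLS 1.3 has no session-id reuse to look for; only the response is checked.
if [ -n "$TLS13" ]; then
  EXPECT=("HTTP/1.1 200 OK")
else
  EXPECT=("reused session id" "HTTP/1.1 200 OK")
fi
client_test
# SERVER_OPTS is set for the proxy cases but not read by anything in this file.
# Proxy to localhost:11111 - DHE-RSA
begin_case 'Proxy - DHE-RSA' 11460 ''
SERVER_OPTS=
EXPECT=("HTTP/1.1 200 OK" "Welcome to wolf")
client_test
# Proxy to localhost:11111 - ECDHE-RSA
begin_case 'Proxy - ECDHE-RSA' 11461 ''
SERVER_OPTS=
EXPECT=("HTTP/1.1 200 OK" "Welcome to wolf")
client_test
# Proxy to localhost:11111 - ECDHE-ECDSA
begin_case 'Proxy - ECDHE-ECDSA' 11462 ''
SERVER_OPTS="-c certs/server-ecc.pem -k certs/ecc-key.pem"
EXPECT=("HTTP/1.1 200 OK" "Welcome to wolf")
client_test
# Proxy to localhost:11111 - ECDHE-ECDSA
begin_case 'Proxy - ECDHE-ECDSA' 11463 ''
SERVER_OPTS="-c certs/server-ecc.pem -k certs/ecc-key.pem"
EXPECT=("HTTP/1.1 200 OK" "Welcome to wolf")
client_test
# Proxy to localhost:11111 - ECDHE-ECDSA (this case expects a 502 from nginx)
begin_case 'Proxy - ECDHE-ECDSA' 11464 ''
SERVER_OPTS="-c certs/server-ecc.pem -k certs/ecc-key.pem"
EXPECT=("HTTP/1.1 502")
client_test
# Proxy to localhost:11111 - Revoked certificate in CRL
begin_case 'Proxy - Revoked certificate in CRL' 11465 ''
SERVER_OPTS=
EXPECT=("HTTP/1.1 502")
client_test
# OCSP Stapling
# Good certificate
begin_case 'OCSP Stapling - Good Certificate (Using OCSP Responder)' 11470 ''
EXPECT=("HTTP/1.1 200 OK")
# Run twice: the second connection exercises the already-fetched response.
stapling_test
stapling_test
# Revoked certificate
begin_case 'OCSP Stapling - Revoked Certificate (Using OCSP Responder)' 11471 ''
EXPECT=("err" "360")
stapling_test
stapling_test
# Good certificate - response file
begin_case 'OCSP Stapling - Good Certificate (Using pre-generated file)' 11472 ''
EXPECT=("HTTP/1.1 200 OK")
stapling_test
# Revoked certificate - response file
begin_case 'OCSP Stapling - Revoked Certificate (Using pre-generated file)' 11473 ''
EXPECT=("err" "360")
stapling_test
# No certificate for verification of OCSP response
begin_case 'OCSP Stapling - Using OCSP Responder but no cert to verify' 11474 ''
EXPECT=("HTTP/1.1 200 OK")
stapling_test
stapling_test
do_cleanup
# NOTE(review): the exit status does not reflect FAIL; callers that want a
# pass/fail signal must read the summary below.
echo
echo "##############"
echo "# PASS : $PASS"
echo "# FAIL : $FAIL"
echo "# UNKNOWN : $UNKNOWN"
echo "##############"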