mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-05 21:00:48 +02:00
fd63d6c20e
Add NETWORK_UNSHARE_HELPER/bwrap wrapping to benchmark.test, openssl_srtp.test, and sniffer-gen.sh to isolate network namespaces and prevent port collisions when tests run concurrently. sniffer-gen.sh uses --cap-add ALL (like dtls.test) since it runs tcpdump. ocsp-stapling.test is excluded because it connects to external servers (login.live.com).
202 lines
5.6 KiB
Bash
Executable File
202 lines
5.6 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# Test WolfSSL/OpenSSL srtp interoperability
|
|
#
|
|
# TODO: add OpenSSL client with WolfSSL server
|
|
|
|
set -e
|
|
|
|
# if we can, isolate the network namespace to eliminate port collisions.
|
|
if [[ -n "$NETWORK_UNSHARE_HELPER" ]]; then
|
|
if [[ -z "$NETWORK_UNSHARE_HELPER_CALLED" ]]; then
|
|
export NETWORK_UNSHARE_HELPER_CALLED=yes
|
|
exec "$NETWORK_UNSHARE_HELPER" "$0" "$@" || exit $?
|
|
fi
|
|
elif [ "${AM_BWRAPPED-}" != "yes" ]; then
|
|
bwrap_path="$(command -v bwrap)"
|
|
if [ -n "$bwrap_path" ]; then
|
|
export AM_BWRAPPED=yes
|
|
exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
|
|
fi
|
|
unset AM_BWRAPPED
|
|
fi
|
|
|
|
if ! test -n "$WOLFSSL_OPENSSL_TEST"; then
|
|
echo "WOLFSSL_OPENSSL_TEST NOT set, won't run"
|
|
exit 0
|
|
fi
|
|
|
|
OPENSSL=${OPENSSL:="openssl"}
|
|
WOLFSSL_CLIENT=${WOLFSSL_CLIENT:="./examples/client/client"}
|
|
|
|
# need a unique port since may run the same time as testsuite
|
|
# Track ports already assigned in this script run to prevent intra-run collisions
|
|
used_ports=()
|
|
|
|
generate_port() {
|
|
#-------------------------------------------------------------------------#
|
|
# Generate a random port number, guaranteed unique within this script run.
|
|
# Checks both the intra-run used_ports list and system-level bound ports.
|
|
#-------------------------------------------------------------------------#
|
|
local attempts=0 collision p
|
|
|
|
while true; do
|
|
if [[ "$OSTYPE" == "linux"* ]]; then
|
|
p=$(($(od -An -N2 /dev/urandom) % (65535-49512) + 49512))
|
|
elif [[ "$OSTYPE" == "darwin"* ]]; then
|
|
p=$(($(od -An -N2 /dev/random) % (65535-49512) + 49512))
|
|
else
|
|
echo "Unknown OS TYPE"
|
|
exit 1
|
|
fi
|
|
|
|
# Check against ports already assigned in this run
|
|
collision=0
|
|
for up in "${used_ports[@]}"; do
|
|
if [ "$up" = "$p" ]; then
|
|
collision=1
|
|
break
|
|
fi
|
|
done
|
|
|
|
# Also check if the port is already bound on this system
|
|
if [ "$collision" -eq 0 ]; then
|
|
if command -v ss &>/dev/null; then
|
|
ss -lnt 2>/dev/null | grep -q ":${p}[[:space:]]" && collision=1
|
|
elif command -v netstat &>/dev/null; then
|
|
netstat -lnt 2>/dev/null | grep -q ":${p}[[:space:]]" && collision=1
|
|
fi
|
|
fi
|
|
|
|
[ "$collision" -eq 0 ] && break
|
|
|
|
attempts=$((attempts + 1))
|
|
if [ "$attempts" -ge 100 ]; then
|
|
echo "ERROR: generate_port could not find a free port after 100 attempts"
|
|
exit 1
|
|
fi
|
|
done
|
|
|
|
port=$p
|
|
used_ports+=("$p")
|
|
}
|
|
|
|
# get size of key material based on the profile
|
|
# $1 srtp profile
|
|
get_key_material_size() {
|
|
case "$1" in
|
|
"SRTP_AES128_CM_SHA1_80")
|
|
ekm_size=60 ;;
|
|
"SRTP_AES128_CM_SHA1_32")
|
|
ekm_size=60 ;;
|
|
"SRTP_NULL_SHA1_80")
|
|
ekm_size=28 ;;
|
|
"SRTP_NULL_SHA1_32")
|
|
ekm_size=27 ;;
|
|
"SRTP_AEAD_AES_128_GCM")
|
|
ekm_size=56;;
|
|
"SRTP_AEAD_AES_256_GCM")
|
|
ekm_size=88;;
|
|
*)
|
|
echo "SRTP profile $1 unsupported"
|
|
exit 1
|
|
esac
|
|
}
|
|
|
|
|
|
# Start an OpenSSL server dtls with srtp
|
|
# $1: dtsl version [1.0, 1.2]
|
|
# $2: srtp profile string
|
|
start_openssl_server() {
|
|
generate_port
|
|
server_port=$port
|
|
srtp_profile=$2
|
|
|
|
if [ "$1" = "1.0" ]; then
|
|
dtls_version=dtls1
|
|
elif [ "$1" = "1.2" ]; then
|
|
dtls_version=dtls1_2
|
|
fi
|
|
|
|
get_key_material_size "$srtp_profile"
|
|
|
|
server_output_file=/tmp/openssl_srtp_out
|
|
|
|
# hackish but OpenSSL doesn't work if input is fed before handshaking and
|
|
# the wolfSSL client needs a reply to stop
|
|
(sleep 1;echo -n "I hear you fa shizzle...") | \
|
|
${OPENSSL} s_server \
|
|
-${dtls_version} \
|
|
-port "${server_port}" \
|
|
-debug \
|
|
-use_srtp "${srtp_profile}" \
|
|
-keymatexport EXTRACTOR-dtls_srtp \
|
|
-keymatexportlen "$ekm_size" \
|
|
-cert ./certs/server-cert.pem \
|
|
-key ./certs/server-key.pem >"$server_output_file" &
|
|
|
|
# make sure the server is up
|
|
sleep 0.1
|
|
}
|
|
|
|
# Start an wolfssl client dtls with srtp
|
|
# $1: dtsl version [1.0, 1.2]
|
|
# $2: srtp profile string
|
|
start_wolfssl_client() {
|
|
srtp_profile=$2
|
|
|
|
if [ "$1" = "1.0" ]; then
|
|
dtls_version=2
|
|
elif [ "$1" = "1.2" ]; then
|
|
dtls_version=3
|
|
fi
|
|
|
|
client_output_file=/tmp/wolfssl_srtp_out
|
|
${WOLFSSL_CLIENT} -u\
|
|
-x \
|
|
-v${dtls_version} \
|
|
--srtp "${srtp_profile}" \
|
|
-p${server_port} >"$client_output_file"
|
|
}
|
|
|
|
# $1 openssl file
|
|
# $2 wolfssl file
|
|
check_ekm() {
|
|
openssl_ekm=$(grep "Keying material: " < "$1" | cut -d ':' -f 2)
|
|
echo "OPENSSL EKM: $openssl_ekm"
|
|
wolfssl_ekm=$(grep "DTLS SRTP: Exported key material: " < "$2" | cut -d ':' -f 3)
|
|
echo "WOLFSSL EKM: $wolfssl_ekm"
|
|
|
|
if [ "$openssl_ekm" = "$wolfssl_ekm" ];then
|
|
check_ret=0
|
|
else
|
|
check_ret=1
|
|
fi
|
|
}
|
|
|
|
# $1 dtsl version
|
|
# $2 srtp profile
|
|
check_dtls_srtp() {
|
|
start_openssl_server "$1" "$2"
|
|
start_wolfssl_client "$1" "$2"
|
|
check_ekm "$server_output_file" "$client_output_file"
|
|
echo -n "check dtls $1 $2... "
|
|
if [ "$check_ret" -ne 0 ];then
|
|
echo "failed"
|
|
exit 1
|
|
else
|
|
echo "ok"
|
|
fi
|
|
}
|
|
|
|
# SRTP_NULL_SHA1_80" and SRTP_NULL_SHA1_32 aren't supported by OpenSSL
|
|
PROFILES="SRTP_AES128_CM_SHA1_80 \
|
|
SRTP_AES128_CM_SHA1_32 \
|
|
SRTP_AEAD_AES_128_GCM \
|
|
SRTP_AEAD_AES_256_GCM"
|
|
|
|
for DTLS in 1.0 1.2;do
|
|
for SRTP_PROF in $PROFILES;do
|
|
check_dtls_srtp "$DTLS" "$SRTP_PROF"
|
|
done
|
|
done
|