Add ssl-opt.sh test to check gmt_unix_time is good

Add a test to ssl-opt.sh that parses the client and server debug
output and then checks that the Unix timestamp in the ServerHello
message is within acceptable bounds.
This commit is contained in:
Andres Amaya Garcia 2017-09-06 15:44:01 +01:00 committed by Simon Butcher
parent 93993defd1
commit b84c40b12f

View file

@ -321,6 +321,33 @@ wait_server_start() {
fi fi
} }
# Given the client or server debug output, parse the unix timestamp that is
# included in the first 4 bytes of the random bytes and check that its within
# acceptable bounds
check_server_hello_time() {
# Extract the time from the debug (lvl 3) output of the client
SERVER_HELLO_TIME="$(cat "$1" | sed -n 's/.*server hello, current time: \([0-9]\+\)$/\1/p')"
# Get the Unix timestamp for now
CUR_TIME=$(date +'%s')
THRESHOLD_IN_SECS=300
# Check if the ServerHello time was printed
if [ -z "$SERVER_HELLO_TIME" ]; then
return 1
fi
# Check the time in ServerHello is within acceptable bounds
if [ $SERVER_HELLO_TIME -lt $(( $CUR_TIME - $THRESHOLD_IN_SECS )) ]; then
# The time in ServerHello is at least 5 minutes before now
return 1
elif [ $SERVER_HELLO_TIME -gt $(( $CUR_TIME + $THRESHOLD_IN_SECS )) ]; then
# The time in ServerHello is at least 5 minues later than now
return 1
else
return 0
fi
}
# wait for client to terminate and set CLI_EXIT # wait for client to terminate and set CLI_EXIT
# must be called right after starting the client # must be called right after starting the client
wait_client_done() { wait_client_done() {
@ -696,6 +723,21 @@ run_test "Default, DTLS" \
-s "Protocol is DTLSv1.2" \ -s "Protocol is DTLSv1.2" \
-s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"
# Test current time in ServerHello
requires_config_enabled MBEDTLS_HAVE_TIME
run_test "Default, ServerHello contains gmt_unix_time" \
"$P_SRV debug_level=3" \
"$P_CLI debug_level=3" \
0 \
-s "Protocol is TLSv1.2" \
-s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
-s "client hello v3, signature_algorithm ext: 6" \
-s "ECDHE curve: secp521r1" \
-S "error" \
-C "error" \
-f "check_server_hello_time" \
-F "check_server_hello_time"
# Test for uniqueness of IVs in AEAD ciphersuites # Test for uniqueness of IVs in AEAD ciphersuites
run_test "Unique IV in GCM" \ run_test "Unique IV in GCM" \
"$P_SRV exchanges=20 debug_level=4" \ "$P_SRV exchanges=20 debug_level=4" \