Add ssl-opt.sh test to check gmt_unix_time is good
Add a test to ssl-opt.sh that parses the client and server debug output and then checks that the Unix timestamp in the ServerHello message is within acceptable bounds.
This commit is contained in:
parent
a46a58ab94
commit
ac36e382a9
1 changed files with 42 additions and 0 deletions
|
@ -321,6 +321,33 @@ wait_server_start() {
|
|||
fi
|
||||
}
|
||||
|
||||
# Given the client or server debug output, parse the unix timestamp that is
|
||||
# included in the first 4 bytes of the random bytes and check that its within
|
||||
# acceptable bounds
|
||||
check_server_hello_time() {
|
||||
# Extract the time from the debug (lvl 3) output of the client
|
||||
SERVER_HELLO_TIME="$(cat "$1" | sed -n 's/.*server hello, current time: \([0-9]\+\)$/\1/p')"
|
||||
# Get the Unix timestamp for now
|
||||
CUR_TIME=$(date +'%s')
|
||||
THRESHOLD_IN_SECS=300
|
||||
|
||||
# Check if the ServerHello time was printed
|
||||
if [ -z "$SERVER_HELLO_TIME" ]; then
|
||||
return 1
|
||||
fi
|
||||
|
||||
# Check the time in ServerHello is within acceptable bounds
|
||||
if [ $SERVER_HELLO_TIME -lt $(( $CUR_TIME - $THRESHOLD_IN_SECS )) ]; then
|
||||
# The time in ServerHello is at least 5 minutes before now
|
||||
return 1
|
||||
elif [ $SERVER_HELLO_TIME -gt $(( $CUR_TIME + $THRESHOLD_IN_SECS )) ]; then
|
||||
# The time in ServerHello is at least 5 minues later than now
|
||||
return 1
|
||||
else
|
||||
return 0
|
||||
fi
|
||||
}
|
||||
|
||||
# wait for client to terminate and set CLI_EXIT
|
||||
# must be called right after starting the client
|
||||
wait_client_done() {
|
||||
|
@ -696,6 +723,21 @@ run_test "Default, DTLS" \
|
|||
-s "Protocol is DTLSv1.2" \
|
||||
-s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"
|
||||
|
||||
# Test current time in ServerHello
|
||||
requires_config_enabled MBEDTLS_HAVE_TIME
|
||||
run_test "Default, ServerHello contains gmt_unix_time" \
|
||||
"$P_SRV debug_level=3" \
|
||||
"$P_CLI debug_level=3" \
|
||||
0 \
|
||||
-s "Protocol is TLSv1.2" \
|
||||
-s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
|
||||
-s "client hello v3, signature_algorithm ext: 6" \
|
||||
-s "ECDHE curve: secp521r1" \
|
||||
-S "error" \
|
||||
-C "error" \
|
||||
-f "check_server_hello_time" \
|
||||
-F "check_server_hello_time"
|
||||
|
||||
# Test for uniqueness of IVs in AEAD ciphersuites
|
||||
run_test "Unique IV in GCM" \
|
||||
"$P_SRV exchanges=20 debug_level=4" \
|
||||
|
|
Loading…
Reference in a new issue