diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index b349512cc..e23daeeaf 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -321,6 +321,33 @@ wait_server_start() { fi } +# Given the client or server debug output, parse the unix timestamp that is +# included in the first 4 bytes of the random bytes and check that its within +# acceptable bounds +check_server_hello_time() { + # Extract the time from the debug (lvl 3) output of the client + SERVER_HELLO_TIME="$(cat "$1" | sed -n 's/.*server hello, current time: \([0-9]\+\)$/\1/p')" + # Get the Unix timestamp for now + CUR_TIME=$(date +'%s') + THRESHOLD_IN_SECS=300 + + # Check if the ServerHello time was printed + if [ -z "$SERVER_HELLO_TIME" ]; then + return 1 + fi + + # Check the time in ServerHello is within acceptable bounds + if [ $SERVER_HELLO_TIME -lt $(( $CUR_TIME - $THRESHOLD_IN_SECS )) ]; then + # The time in ServerHello is at least 5 minutes before now + return 1 + elif [ $SERVER_HELLO_TIME -gt $(( $CUR_TIME + $THRESHOLD_IN_SECS )) ]; then + # The time in ServerHello is at least 5 minues later than now + return 1 + else + return 0 + fi +} + # wait for client to terminate and set CLI_EXIT # must be called right after starting the client wait_client_done() { @@ -696,6 +723,21 @@ run_test "Default, DTLS" \ -s "Protocol is DTLSv1.2" \ -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" +# Test current time in ServerHello +requires_config_enabled MBEDTLS_HAVE_TIME +run_test "Default, ServerHello contains gmt_unix_time" \ + "$P_SRV debug_level=3" \ + "$P_CLI debug_level=3" \ + 0 \ + -s "Protocol is TLSv1.2" \ + -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \ + -s "client hello v3, signature_algorithm ext: 6" \ + -s "ECDHE curve: secp521r1" \ + -S "error" \ + -C "error" \ + -f "check_server_hello_time" \ + -F "check_server_hello_time" + # Test for uniqueness of IVs in AEAD ciphersuites run_test "Unique IV in GCM" \ "$P_SRV exchanges=20 debug_level=4" \