Imported Upstream version 3.13.0+dfsg

scripts/include.am

@@ -11,6 +11,12 @@ endif
 if BUILD_EXAMPLE_SERVERS
 
 dist_noinst_SCRIPTS+= scripts/resume.test
+
+# only run this test if we have the ability to support cert validation
+if BUILD_PKI
+dist_noinst_SCRIPTS+= scripts/tls-cert-fail.test
+endif
+
 EXTRA_DIST+= scripts/benchmark.test
 
 if BUILD_CRL
@@ -26,13 +32,15 @@ endif
 if BUILD_OCSP_STAPLING
 dist_noinst_SCRIPTS+= scripts/ocsp-stapling.test
 scripts/ocsp-stapling.log: scripts/ocsp.log
+dist_noinst_SCRIPTS+= scripts/ocsp-stapling-with-ca-as-responder.test
+scripts/ocsp-stapling-with-ca-as-responder.log: scripts/ocsp-stapling.log
 endif
 
 if BUILD_OCSP_STAPLING_V2
 dist_noinst_SCRIPTS+= scripts/ocsp-stapling2.test
 
 if BUILD_OCSP_STAPLING
-scripts/ocsp-stapling2.log: scripts/ocsp-stapling.log
+scripts/ocsp-stapling2.log: scripts/ocsp-stapling-with-ca-as-responder.log
 else
 scripts/ocsp-stapling2.log: scripts/ocsp.log
 endif
@@ -52,6 +60,10 @@ dist_noinst_SCRIPTS+= scripts/pkcallbacks.test
 scripts/pkcallbacks.log: scripts/resume.log
 endif
 
+if BUILD_TLS13
+dist_noinst_SCRIPTS+= scripts/tls13.test
+endif
+
 endif # end of BUILD_EXAMPLE_SERVERS
 
 if BUILD_EXAMPLE_CLIENTS

scripts/ocsp-stapling-with-ca-as-responder.test

@@ -0,0 +1,39 @@
+#!/bin/sh
+
+# ocsp-stapling.test
+
+trap 'for i in `jobs -p`; do pkill -TERM -P $i; kill $i; done' EXIT
+
+server=login.live.com
+ca=certs/external/baltimore-cybertrust-root.pem
+
+[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
+
+# is our desired server there? - login.live.com doesn't answers PING
+#./scripts/ping.test $server 2
+
+# client test against the server
+./examples/client/client -X -C -h $server -p 443 -A $ca -g -W 1
+RESULT=$?
+[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1
+
+# setup ocsp responder
+./certs/ocsp/ocspd-intermediate1-ca-issued-certs-with-ca-as-responder.sh &
+sleep 1
+[ $(jobs -r | wc -l) -ne 1 ] && echo -e "\n\nSetup ocsp responder failed, skipping" && exit 0
+
+# client test against our own server - GOOD CERT
+./examples/server/server -c certs/ocsp/server1-cert.pem -k certs/ocsp/server1-key.pem &
+sleep 1
+./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1
+RESULT=$?
+[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1
+
+# client test against our own server - REVOKED CERT
+./examples/server/server -c certs/ocsp/server2-cert.pem -k certs/ocsp/server2-key.pem &
+sleep 1
+./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1
+RESULT=$?
+[ $RESULT -ne 1 ] && echo -e "\n\nClient connection suceeded $RESULT" && exit 1
+
+exit 0

scripts/ocsp-stapling.test

@@ -5,7 +5,7 @@
 trap 'for i in `jobs -p`; do pkill -TERM -P $i; kill $i; done' EXIT
 
 server=login.live.com
-ca=certs/external/ca-verisign-g5.pem
+ca=certs/external/baltimore-cybertrust-root.pem
 
 [ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
 
@@ -18,7 +18,7 @@ RESULT=$?
 [ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1
 
 # setup ocsp responder
-./certs/ocsp/ocspd1.sh &
+./certs/ocsp/ocspd-intermediate1-ca-issued-certs.sh &
 sleep 1
 [ $(jobs -r | wc -l) -ne 1 ] && echo -e "\n\nSetup ocsp responder failed, skipping" && exit 0
 

scripts/ocsp-stapling2.test

@@ -7,9 +7,9 @@ trap 'for i in `jobs -p`; do pkill -TERM -P $i; kill $i; done' EXIT
 [ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
 
 # setup ocsp responders
-./certs/ocsp/ocspd0.sh &
-./certs/ocsp/ocspd2.sh &
-./certs/ocsp/ocspd3.sh &
+./certs/ocsp/ocspd-root-ca-and-intermediate-cas.sh &
+./certs/ocsp/ocspd-intermediate2-ca-issued-certs.sh &
+./certs/ocsp/ocspd-intermediate3-ca-issued-certs.sh &
 sleep 1
 [ $(jobs -r | wc -l) -ne 3 ] && echo -e "\n\nSetup ocsp responder failed, skipping" && exit 0
 

scripts/ocsp.test

@@ -3,7 +3,7 @@
 # ocsp-stapling.test
 
 server=www.globalsign.com
-ca=certs/external/ca-globalsign-root-r2.pem
+ca=certs/external/ca-globalsign-root-r3.pem
 
 [ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
 

scripts/openssl.test

@@ -4,16 +4,18 @@
 
 # need a unique port since may run the same time as testsuite
 generate_port() {
-    openssl_port=`LC_CTYPE=C tr -cd 0-9 </dev/urandom | head -c 7`
-    openssl_port=$((`LC_CTYPE=C tr -cd 1-9 </dev/urandom | head -c 1`$openssl_port))
-    openssl_port=$(($openssl_port % (65535-49512)))
-    openssl_port=$(($openssl_port + 49512))
+    port=`LC_CTYPE=C tr -cd 0-9 </dev/urandom | head -c 7`
+    port=$((`LC_CTYPE=C tr -cd 1-9 </dev/urandom | head -c 1`$port))
+    port=$(($port % (65535-49512)))
+    port=$(($port + 49512))
 }
 
 
 generate_port
+openssl_port=$port
 no_pid=-1
 server_pid=$no_pid
+ecdh_server_pid=$no_pid
 wolf_suites_tested=0
 wolf_suites_total=0
 counter=0
@@ -47,6 +49,12 @@ do_cleanup() {
         echo "killing server"
         kill -9 $server_pid
     fi
+
+    if  [ $ecdh_server_pid != $no_pid ]
+    then
+        echo "killing ECDH-RSA server"
+        kill -9 $ecdh_server_pid
+    fi
 }
 
 do_trap() {
@@ -77,6 +85,8 @@ then
 fi
 
 
+# get wolfssl ciphers
+wolf_ciphers=`./examples/client/client -e`
 
 found_free_port=0
 while [ "$counter" -lt 20 ]; do
@@ -96,6 +106,7 @@ while [ "$counter" -lt 20 ]; do
         #port already started, try a different port
         counter=$((counter+ 1))
         generate_port
+        openssl_port=$port
     fi
 done
 
@@ -106,8 +117,42 @@ then
     exit 1
 fi
 
-# get wolfssl ciphers
-wolf_ciphers=`./examples/client/client -e`
+# if ECDH-RSA is enabled then start up server for ECDH-RSA suites
+case $wolf_ciphers in
+*ECDH-RSA*)
+    generate_port
+    ecdh_port=$port
+    found_free_port=0
+    counter=0
+    while [ "$counter" -lt 20 ]; do
+        echo -e "\nTrying to start ECDH-RSA openssl server on port $ecdh_port...\n"
+
+        openssl s_server -accept $ecdh_port -cert ./certs/server-ecc-rsa.pem -key ./certs/ecc-key.pem  -quiet -CAfile ./certs/client-ca.pem -www -dhparam ./certs/dh2048.pem -verify 10 -verify_return_error -cipher "ALL:eNULL" &
+        ecdh_server_pid=$!
+        # wait to see if s_server successfully starts before continuing
+        sleep 0.1
+
+        if ps -p $ecdh_server_pid > /dev/null
+        then
+            echo "s_server started successfully on port $ecdh_port"
+            found_free_port=1
+            break
+        else
+            #port already started, try a different port
+            counter=$((counter+ 1))
+            generate_port
+            ecdh_port=$port
+        fi
+    done
+
+    if [ $found_free_port = 0 ]
+    then
+        echo -e "Couldn't find free port for server"
+        do_cleanup
+        exit 1
+    fi
+    ;;
+esac
 
 # server should be ready, let's make sure
 server_ready=0
@@ -149,7 +194,12 @@ do
     # get openssl ciphers depending on version
     case $version in "0")
         openssl_ciphers=`openssl ciphers "SSLv3"`
+
+        # double check that can actually do a sslv3 connection using
+        # client-cert.pem to send but any file with EOF works
+        openssl s_client -ssl3 -no_ign_eof -host localhost -port $openssl_port < ./certs/client-cert.pem
         sslv3_sup=$?
+
         if [ $sslv3_sup != 0 ]
         then
             echo -e "Not testing SSLv3. No OpenSSL support for 'SSLv3' modifier"
@@ -216,18 +266,27 @@ do
         fi
 
         # check for psk suite and turn on client psk if so
-        psk = ""
+        psk=""
+        adh=""
+        port=$openssl_port
+        caCert=""
         case $wolfSuite in
+        *ECDH-RSA*)
+            port=$ecdh_port ;;
+        *ECDHE-ECDSA*|*ECDH-ECDSA*)
+            caCert="-A./certs/ca-ecc-cert.pem" ;;
         *PSK*)
             psk="-s " ;;
+        *ADH*)
+            adh="-a " ;;
         esac
 
         if [ $version -lt 4 ]
         then
-            ./examples/client/client -p $openssl_port -g -r -l $wolfSuite -v $version $psk
+            ./examples/client/client -p $port -g -r -l $wolfSuite -v $version $psk $adh $caCert
         else
             # do all versions
-            ./examples/client/client -p $openssl_port -g -r -l $wolfSuite $psk
+            ./examples/client/client -p $port -g -r -l $wolfSuite $psk $adh $caCert
         fi
 
         client_result=$?
@@ -252,6 +311,10 @@ done
 IFS=$OIFS #restore separator
 
 kill -9 $server_pid
+if  [ $ecdh_server_pid != $no_pid ]
+then
+    kill -9 $ecdh_server_pid
+fi
 
 echo -e "wolfSSL total suites   $wolf_suites_total"
 echo -e "wolfSSL suites tested  $wolf_suites_tested"

scripts/resume.test

@@ -1,10 +1,11 @@
 #!/bin/sh
 
-#reusme.test
+#resume.test
 
 # need a unique resume port since may run the same time as testsuite
 # use server port zero hack to get one
 resume_string="reused"
+resume_sup_string="Resume session"
 ems_string="Extended\ Master\ Secret"
 resume_port=0
 no_pid=-1
@@ -45,6 +46,18 @@ do_trap() {
 do_test() {
     echo -e "\nStarting example server for resume test...\n"
 
+    #make sure we support session resumption (!NO_SESSION_CACHE)
+    # Check the client for the extended master secret disable option. If
+    # present we need to run the test twice.
+    options_check=`./examples/client/client -?`
+    case "$options_check" in
+    *$resume_sup_string*)
+        echo -e "\nResume test supported";;
+    *)
+        echo -e "\nResume test not supported with build"
+        return;;
+    esac
+
     remove_ready_file
     ./examples/server/server -r -R $ready_file -p $resume_port &
     server_pid=$!
@@ -71,7 +84,7 @@ do_test() {
 
     if [ $client_result != 0 ]
     then
-        echo -e "client failed!"
+        echo -e "client failed!\ncapture_out=$capture_out\nclient_result=$client_result"
         do_cleanup
         exit 1
     fi

scripts/tls-cert-fail.test

@@ -0,0 +1,173 @@
+#!/bin/sh
+
+#tls-cert-fail.test
+
+asn_no_signer_e="-188"
+asn_sig_confirm_e="-155"
+exit_code=1
+counter=0
+
+# need a unique resume port since may run the same time as testsuite
+# use server port zero hack to get one
+tls_port=0
+
+#no_pid tells us process was never started if -1
+no_pid=-1
+
+#server_pid captured on startup, stores the id of the server process
+server_pid=$no_pid
+
+# let's use absolute path to a local dir (make distcheck may be in sub dir)
+# also let's add some randomness by adding pid in case multiple 'make check's
+# per source tree
+ready_file=`pwd`/wolfssl_tls_ready$$
+
+remove_ready_file() {
+    if test -e $ready_file; then
+        echo -e "removing existing ready file"
+        rm $ready_file
+    fi
+}
+
+# trap this function so if user aborts with ^C or other kill signal we still
+# get an exit that will in turn clean up the file system
+abort_trap() {
+    echo "script aborted"
+
+    if  [ $server_pid != $no_pid ]
+    then
+        echo "killing server"
+        kill -9 $server_pid
+    fi
+
+    exit_code=2 #different exit code in case of user interrupt
+
+    echo "got abort signal, exiting with $exit_code"
+    exit $exit_code
+}
+trap abort_trap INT TERM
+
+
+# trap this function so that if we exit on an error the file system will still
+# be restored and the other tests may still pass. Never call this function
+# instead use "exit <some value>" and this function will run automatically
+restore_file_system() {
+    remove_ready_file
+}
+trap restore_file_system EXIT
+
+run_tls_no_signer_test() {
+    echo -e "\nStarting example server for tls no signer fail test...\n"
+
+    remove_ready_file
+
+    # starts the server on tls_port, -R generates ready file to be used as a
+    # mutex lock. We capture the processid into the variable server_pid
+    ./examples/server/server -R $ready_file -p $tls_port &
+    server_pid=$!
+
+    while [ ! -s $ready_file -a "$counter" -lt 20 ]; do
+        echo -e "waiting for ready file..."
+        sleep 0.1
+        counter=$((counter+ 1))
+    done
+
+    if test -e $ready_file; then
+        echo -e "found ready file, starting client..."
+    else
+        echo -e "NO ready file ending test..."
+        exit 1
+    fi
+
+    # get created port 0 ephemeral port
+    tls_port=`cat $ready_file`
+
+    # starts client on tls_port and captures the output from client
+    capture_out=$(./examples/client/client -p $tls_port -H badCert 2>&1)
+    client_result=$?
+
+    wait $server_pid
+    server_result=$?
+
+    case  "$capture_out" in
+    *$asn_no_signer_e*)
+        # only exit with zero on detection of the expected error code
+        echo ""
+        echo "$capture_out"
+        echo ""
+        echo "No signer error as expected! Test pass"
+        echo ""
+        exit_code=0
+        ;;
+    *)
+        echo ""
+        echo "Client did not return asn_no_signer_e as expected: $capture_out"
+        echo ""
+        exit_code=1
+    esac
+}
+
+run_tls_sig_confirm_test() {
+    echo -e "\nStarting example server for tls sig confirm fail test...\n"
+
+    remove_ready_file
+
+    # starts the server on tls_port, -R generates ready file to be used as a
+    # mutex lock. We capture the processid into the variable server_pid
+    ./examples/server/server -R $ready_file -p $tls_port -H badCert &
+    server_pid=$!
+
+    while [ ! -s $ready_file -a "$counter" -lt 20 ]; do
+        echo -e "waiting for ready file..."
+        sleep 0.1
+        counter=$((counter+ 1))
+    done
+
+    if test -e $ready_file; then
+        echo -e "found ready file, starting client..."
+    else
+        echo -e "NO ready file ending test..."
+        exit 1
+    fi
+
+    # get created port 0 ephemeral port
+    tls_port=`cat $ready_file`
+
+    # starts client on tls_port and captures the output from client
+    capture_out=$(./examples/client/client -p $tls_port 2>&1)
+    client_result=$?
+
+    wait $server_pid
+    server_result=$?
+
+    case  "$capture_out" in
+    *$asn_sig_confirm_e*)
+        # only exit with zero on detection of the expected error code
+        echo ""
+        echo "$capture_out"
+        echo ""
+        echo "Sig confirm error as expected! Test pass"
+        echo ""
+        exit_code=0
+        ;;
+    *)
+        echo ""
+        echo "Client did not return asn_sig_confirm_e as expected: $capture_out"
+        echo ""
+        exit_code=1
+    esac
+}
+
+
+######### begin program #########
+
+# run the test
+run_tls_no_signer_test
+
+tls_port=0
+run_tls_sig_confirm_test
+
+echo "exiting with $exit_code"
+exit $exit_code
+########## end program ##########
+

scripts/tls13.test

@@ -0,0 +1,443 @@
+#!/bin/sh
+
+# tls13.test
+# copyright wolfSSL 2016
+
+# getting unique port is modeled after resume.test script
+# need a unique port since may run the same time as testsuite
+# use server port zero hack to get one
+port=0
+no_pid=-1
+server_pid=$no_pid
+counter=0
+# let's use absolute path to a local dir (make distcheck may be in sub dir)
+# also let's add some randomness by adding pid in case multiple 'make check's
+# per source tree
+ready_file=`pwd`/wolfssl_psk_ready$$
+
+echo "ready file $ready_file"
+
+create_port() {
+    while [ ! -s $ready_file -a "$counter" -lt 50 ]; do
+        echo -e "waiting for ready file..."
+        sleep 0.1
+        counter=$((counter+ 1))
+    done
+
+    if test -e $ready_file; then
+        echo -e "found ready file, starting client..."
+
+        # get created port 0 ephemeral port
+        port=`cat $ready_file`
+    else
+        echo -e "NO ready file ending test..."
+        do_cleanup
+    fi
+}
+
+remove_ready_file() {
+    if test -e $ready_file; then
+        echo -e "removing existing ready file"
+    rm $ready_file
+    fi
+}
+
+do_cleanup() {
+    echo "in cleanup"
+
+    if  [ $server_pid != $no_pid ]
+    then
+        echo "killing server"
+        kill -9 $server_pid
+    fi
+    remove_ready_file
+}
+
+do_trap() {
+    echo "got trap"
+    do_cleanup
+    exit -1
+}
+
+trap do_trap INT TERM
+
+[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
+
+# Usual TLS v1.3 server / TLS v1.3 client.
+echo -e "\n\nTLS v1.3 server with TLS v1.3 client"
+port=0
+./examples/server/server -v 4 -R $ready_file -p $port &
+server_pid=$!
+create_port
+./examples/client/client -v 4 -p $port
+RESULT=$?
+remove_ready_file
+if [ $RESULT -ne 0 ]; then
+    echo -e "\n\nTLS v1.3 not enabled"
+    do_cleanup
+    exit 1
+fi
+echo ""
+
+# Usual TLS v1.3 server / TLS v1.3 client - fragment.
+echo -e "\n\nTLS v1.3 server with TLS v1.3 client - fragment"
+port=0
+./examples/server/server -v 4 -R $ready_file -p $port &
+server_pid=$!
+create_port
+./examples/client/client -v 4 -F 1 -p $port
+RESULT=$?
+remove_ready_file
+if [ $RESULT -ne 0 ]; then
+    echo -e "\n\nTLS v1.3 and fragments not working"
+    do_cleanup
+    exit 1
+fi
+echo ""
+
+# Use HelloRetryRequest with TLS v1.3 server / TLS v1.3 client.
+echo -e "\n\nTLS v1.3 HelloRetryRequest"
+port=0
+./examples/server/server -v 4 -R $ready_file -p $port &
+server_pid=$!
+create_port
+./examples/client/client -v 4 -J -p $port
+RESULT=$?
+remove_ready_file
+if [ $RESULT -ne 0 ]; then
+    echo -e "\n\nTLS v1.3 HelloRetryRequest not working"
+    do_cleanup
+    exit 1
+fi
+echo ""
+
+# Use HelloRetryRequest with TLS v1.3 server / TLS v1.3 client using cookie
+echo -e "\n\nTLS v1.3 HelloRetryRequest with cookie"
+port=0
+./examples/server/server -v 4 -J -R $ready_file -p $port &
+server_pid=$!
+create_port
+./examples/client/client -v 4 -J -p $port
+RESULT=$?
+remove_ready_file
+if [ $RESULT -ne 0 ]; then
+    echo -e "\n\nTLS v1.3 HelloRetryRequest with cookie not working"
+    do_cleanup
+    exit 1
+fi
+echo ""
+
+# Use HelloRetryRequest with TLS v1.3 server / TLS v1.3 client - SHA384.
+echo -e "\n\nTLS v1.3 HelloRetryRequest - SHA384"
+port=0
+./examples/server/server -v 4 -l TLS13-AES256-GCM-SHA384 -R $ready_file -p $port &
+server_pid=$!
+create_port
+./examples/client/client -v 4 -J -p $port
+RESULT=$?
+remove_ready_file
+if [ $RESULT -ne 0 ]; then
+    echo -e "\n\nTLS v1.3 HelloRetryRequest with SHA384 not working"
+    do_cleanup
+    exit 1
+fi
+echo ""
+
+# Resumption TLS v1.3 server / TLS v1.3 client.
+echo -e "\n\nTLS v1.3 resumption"
+port=0
+./examples/server/server -v 4 -r -R $ready_file -p $port &
+server_pid=$!
+create_port
+./examples/client/client -v 4 -r -p $port
+RESULT=$?
+remove_ready_file
+if [ $RESULT -ne 0 ]; then
+    echo -e "\n\nTLS v1.3 resumption not working"
+    do_cleanup
+    exit 1
+fi
+echo ""
+
+# Resumption TLS v1.3 server / TLS v1.3 client - SHA384
+echo -e "\n\nTLS v1.3 resumption - SHA384"
+port=0
+./examples/server/server -v 4 -l TLS13-AES256-GCM-SHA384 -r -R $ready_file -p $port &
+server_pid=$!
+create_port
+./examples/client/client -v 4 -l TLS13-AES256-GCM-SHA384 -r -p $port
+RESULT=$?
+remove_ready_file
+if [ $RESULT -ne 0 ]; then
+    echo -e "\n\nTLS v1.3 resumption with SHA384 not working"
+    do_cleanup
+    exit 1
+fi
+echo ""
+
+./examples/client/client -v 4 -e 2>&1 | grep -- '-ECC'
+if [ $? -eq 0 ]; then
+    # Usual TLS v1.3 server / TLS v1.3 client and ECC certificates.
+    echo -e "\n\nTLS v1.3 server with TLS v1.3 client - ECC certificates"
+    port=0
+    ./examples/server/server -v 4 -A certs/client-ecc-cert.pem -c certs/server-ecc.pem -k certs/ecc-key.pem -R $ready_file -p $port &
+    server_pid=$!
+    create_port
+    ./examples/client/client -v 4 -A certs/ca-ecc-cert.pem -c certs/client-ecc-cert.pem -k certs/ecc-client-key.pem -p $port
+    RESULT=$?
+    remove_ready_file
+    if [ $RESULT -ne 0 ]; then
+        echo -e "\n\nTLS v1.3 ECC certificates not working"
+        do_cleanup
+        exit 1
+    fi
+    echo ""
+fi
+
+# Usual TLS v1.3 server / TLS v1.3 client and no client certificate.
+echo -e "\n\nTLS v1.3 server with TLS v1.3 client - no client cretificate"
+port=0
+./examples/server/server -v 4 -R $ready_file -p $port &
+server_pid=$!
+create_port
+./examples/client/client -v 4 -x -p $port
+RESULT=$?
+remove_ready_file
+if [ $RESULT -ne 0 ]; then
+    echo -e "\n\nTLS v1.3 and no client certificate not working"
+    do_cleanup
+    exit 1
+fi
+echo ""
+
+# Usual TLS v1.3 server / TLS v1.3 client and DH Key.
+echo -e "\n\nTLS v1.3 server with TLS v1.3 client - DH Key Exchange"
+port=0
+./examples/server/server -v 4 -R $ready_file -p $port &
+server_pid=$!
+create_port
+./examples/client/client -v 4 -y -p $port
+RESULT=$?
+remove_ready_file
+if [ $RESULT -ne 0 ]; then
+    echo -e "\n\nTLS v1.3 DH Key Exchange not working"
+    do_cleanup
+    exit 1
+fi
+echo ""
+
+# Usual TLS v1.3 server / TLS v1.3 client and ECC Key.
+echo -e "\n\nTLS v1.3 server with TLS v1.3 client - ECC Key Exchange"
+port=0
+./examples/server/server -v 4 -R $ready_file -p $port &
+server_pid=$!
+create_port
+./examples/client/client -v 4 -Y -p $port
+RESULT=$?
+remove_ready_file
+if [ $RESULT -ne 0 ]; then
+    echo -e "\n\nTLS v1.3 ECDH Key Exchange not working"
+    do_cleanup
+    exit 1
+fi
+echo ""
+
+# TLS 1.3 cipher suites server / client.
+echo -e "\n\nOnly TLS v1.3 cipher suites"
+port=0
+./examples/server/server -v 4 -R $ready_file -p $port -l TLS13-AES128-GCM-SHA256:TLS13-AES256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES128-CCM-SHA256:TLS13-AES128-CCM-8-SHA256 &
+server_pid=$!
+create_port
+./examples/client/client -v 4 -p $port
+RESULT=$?
+remove_ready_file
+if [ $RESULT -ne 0 ]; then
+    echo -e "\n\nIssue with TLS v1.3 cipher suites - only TLS v1.3"
+    do_cleanup
+    exit 1
+fi
+echo ""
+
+# TLS 1.3 cipher suites server / client.
+echo -e "\n\nOnly TLS v1.3 cipher suite - AES128-GCM SHA-256"
+port=0
+./examples/server/server -v 4 -R $ready_file -p $port -l TLS13-AES128-GCM-SHA256 &
+server_pid=$!
+create_port
+./examples/client/client -v 4 -p $port
+RESULT=$?
+remove_ready_file
+if [ $RESULT -ne 0 ]; then
+    echo -e "\n\nIssue with TLS v1.3 cipher suites - AES128-GCM SHA-256"
+    do_cleanup
+    exit 1
+fi
+echo ""
+
+# TLS 1.3 cipher suites server / client.
+echo -e "\n\nOnly TLS v1.3 cipher suite - AES256-GCM SHA-384"
+port=0
+./examples/server/server -v 4 -R $ready_file -p $port -l TLS13-AES256-GCM-SHA384 &
+server_pid=$!
+create_port
+./examples/client/client -v 4 -p $port
+RESULT=$?
+remove_ready_file
+if [ $RESULT -ne 0 ]; then
+    echo -e "\n\nIssue with TLS v1.3 cipher suites - AES256-GCM SHA-384"
+    do_cleanup
+    exit 1
+fi
+echo ""
+
+# TLS 1.3 cipher suites server / client.
+echo -e "\n\nOnly TLS v1.3 cipher suite - CHACHA20-POLY1305 SHA-256"
+port=0
+./examples/server/server -v 4 -R $ready_file -p $port -l TLS13-CHACHA20-POLY1305-SHA256 &
+server_pid=$!
+create_port
+./examples/client/client -v 4 -p $port
+RESULT=$?
+remove_ready_file
+if [ $RESULT -ne 0 ]; then
+    echo -e "\n\nIssue with TLS v1.3 cipher suites - CHACHA20-POLY1305 SHA-256"
+    do_cleanup
+    exit 1
+fi
+echo ""
+
+./examples/client/client -v 4 -e 2>&1 | grep -- '-CCM'
+if [ $? -eq 0 ]; then
+    # TLS 1.3 cipher suites server / client.
+    echo -e "\n\nOnly TLS v1.3 cipher suite - AES128-CCM SHA-256"
+    port=0
+    ./examples/server/server -v 4 -R $ready_file -p $port -l TLS13-AES128-CCM-SHA256 &
+    server_pid=$!
+    create_port
+    ./examples/client/client -v 4 -p $port
+    RESULT=$?
+    remove_ready_file
+    if [ $RESULT -ne 0 ]; then
+        echo -e "\n\nIssue with TLS v1.3 cipher suites - AES128-CCM SHA-256"
+        do_cleanup
+        exit 1
+    fi
+    echo ""
+
+    # TLS 1.3 cipher suites server / client.
+    echo -e "\n\nOnly TLS v1.3 cipher suite - AES128-CCM-8 SHA-256"
+    port=0
+    ./examples/server/server -v 4 -R $ready_file -p $port -l TLS13-AES128-CCM-8-SHA256 &
+    server_pid=$!
+    create_port
+    ./examples/client/client -v 4 -p $port
+    RESULT=$?
+    remove_ready_file
+    if [ $RESULT -ne 0 ]; then
+        echo -e "\n\nIssue with TLS v1.3 cipher suites - AES128-CCM-8 SHA-256"
+        do_cleanup
+        exit 1
+    fi
+    echo ""
+fi
+
+# TLS 1.3 cipher suites server / client.
+echo -e "\n\nTLS v1.3 cipher suite mismatch"
+port=0
+./examples/server/server -v 4 -R $ready_file -p $port -l TLS13-CHACHA20-POLY1305-SHA256 &
+server_pid=$!
+create_port
+./examples/client/client -v 4 -p $port -l TLS13-AES256-GCM-SHA384
+RESULT=$?
+remove_ready_file
+if [ $RESULT -ne 1 ]; then
+    echo -e "\n\nIssue with mismatched TLS v1.3 cipher suites"
+    do_cleanup
+    exit 1
+fi
+echo ""
+
+# TLS 1.3 server / TLS 1.2 client.
+echo -e "\n\nTLS v1.3 server downgrading to TLS v1.2"
+port=0
+./examples/server/server -v 4 -R $ready_file -p $port &
+server_pid=$!
+create_port
+./examples/client/client -v 3 -p $port
+RESULT=$?
+remove_ready_file
+if [ $RESULT -eq 0 ]; then
+    echo -e "\n\nIssue with TLS v1.3 server downgrading to TLS v1.2"
+    do_cleanup
+    exit 1
+fi
+echo ""
+
+# TLS 1.2 server / TLS 1.3 client.
+echo -e "\n\nTLS v1.3 client upgrading server to TLS v1.3"
+port=0
+./examples/server/server -v 3 -R $ready_file -p $port &
+server_pid=$!
+create_port
+./examples/client/client -v 4 -p $port
+RESULT=$?
+remove_ready_file
+if [ $RESULT -eq 0 ]; then
+    echo -e "\n\nIssue with TLS v1.3 client upgrading server to TLS v1.3"
+    do_cleanup
+    exit 1
+fi
+echo ""
+
+# TLS 1.3 server / TLS 1.3 client send KeyUpdate before sending app data.
+echo -e "\n\nTLS v1.3 KeyUpdate"
+port=0
+./examples/server/server -v 4 -U -R $ready_file -p $port &
+server_pid=$!
+create_port
+./examples/client/client -v 4 -I -p $port
+RESULT=$?
+remove_ready_file
+if [ $RESULT -ne 0 ]; then
+    echo -e "\n\nIssue with TLS v1.3 KeyUpdate"
+    do_cleanup
+    exit 1
+fi
+echo ""
+
+# TLS 1.3 server / TLS 1.3 client don't use (EC)DHE with PSK.
+echo -e "\n\nTLS v1.3 KeyUpdate"
+port=0
+./examples/server/server -v 4 -r -R $ready_file -p $port &
+server_pid=$!
+create_port
+./examples/client/client -v 4 -r -K -p $port
+RESULT=$?
+remove_ready_file
+if [ $RESULT -ne 0 ]; then
+    echo -e "\n\nIssue with TLS v1.3 KeyUpdate"
+    do_cleanup
+    exit 1
+fi
+echo ""
+
+# TLS 1.3 server / TLS 1.3 client and Post-Handshake Authentication.
+echo -e "\n\nTLS v1.3 Post-Handshake Authentication"
+port=0
+./examples/server/server -v 4 -Q -R $ready_file -p $port &
+server_pid=$!
+create_port
+./examples/client/client -v 4 -Q -p $port
+RESULT=$?
+remove_ready_file
+if [ $RESULT -ne 0 ]; then
+    echo -e "\n\nIssue with TLS v1.3 Post-Handshake Auth"
+    do_cleanup
+    exit 1
+fi
+echo ""
+
+echo -e "\nALL Tests Passed"
+
+exit 0
+