#!/bin/bash

# Copyright (c) 2010-2016, Free Software Foundation, Inc.
# Copyright (c) 2012-2018, Nikos Mavrogiannopoulos
# All rights reserved.
#
# Author: Nikos Mavrogiannopoulos
#
# This file is part of GnuTLS.
#
# Redistribution and use in source and binary forms, with or without modification,
# are permitted provided that the following conditions are met:
#
# 1. Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation and/or
# other materials provided with the distribution.
# 3. Neither the name of the copyright holder nor the names of its contributors may
# be used to endorse or promote products derived from this software without specific
# prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
# SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
# WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

: ${abs_top_srcdir=$(pwd)/../../}
: ${srcdir=.}
GNUTLS_SERV="${SERV:-../../src/gnutls-serv${EXEEXT}}"
: ${CLI=../../src/gnutls-cli${EXEEXT}}
unset RETCODE

if ! test -x "${CLI}"; then
	exit 77
fi

if ! test -z "${VALGRIND}"; then
	VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}"
fi

if test "${WINDIR}" != ""; then
	exit 77
fi

. "${srcdir}/../scripts/common.sh"

skip_if_no_datefudge

. "${srcdir}/testcompat-common"

: ${PORT=${RPORT}}

SERV=openssl
OPENSSL_CLI="$SERV"

if test -z "$OUTPUT";then
OUTPUT=/dev/null
fi

>${OUTPUT}

echo_cmd() {
	tee -a ${OUTPUT} <<<$(echo $1)
}

echo_cmd "Compatibility checks using "`${SERV} version`

echo_cmd "#################################################"
echo_cmd "# Client mode tests (gnutls cli-openssl server) #"
echo_cmd "#################################################"

OCIPHERSUITES="TLS_AES_128_CCM_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_8_SHA256"

run_client_suite() {
	ADD=$1
	PREFIX=""
	if ! test -z "${ADD}"; then
		PREFIX="$(echo $ADD|sed 's/://g'): "
	fi


	eval "${GETPORT}"
	launch_bare_server $$ s_server -ciphersuites ${OCIPHERSUITES} -groups 'X25519:P-256:X448:P-521:P-384' -quiet -www -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -CAfile "${CA_CERT}"
	PID=$!
	wait_server ${PID}

	#AES-128-CCM
	for i in AES-128-GCM AES-256-GCM CHACHA20-POLY1305 AES-128-CCM AES-128-CCM-8;do
		echo_cmd "${PREFIX}Checking TLS 1.3 with ${i}..."
		${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+${i}${ADD}" --insecure </dev/null >>${OUTPUT} || \
			fail ${PID} "Failed"
	done

	for i in GROUP-X25519 GROUP-SECP256R1 GROUP-SECP384R1 GROUP-SECP521R1;do
		echo_cmd "${PREFIX}Checking TLS 1.3 with $i..."
		${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+${i}${ADD}" --insecure </dev/null >>${OUTPUT} || \
			fail ${PID} "Failed"
	done

	echo_cmd "${PREFIX}Checking TLS 1.3 with double rekey..."
	${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --insecure --inline-commands <<<$(echo -e "^rekey^\n^rekey1^\nGET / HTTP/1.0\r\n\r\n") >>${OUTPUT} || \
		fail ${PID} "Failed"

	# Try hello retry request
	echo_cmd "${PREFIX}Checking TLS 1.3 with HRR..."
	${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --single-key-share --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-FFDHE4096:+GROUP-SECP256R1${ADD}" --insecure </dev/null >>${OUTPUT} || \
		fail ${PID} "Failed"

	kill ${PID}
	wait


	#test PSK ciphersuites
	# disabled as I do not seem to be able to connect to openssl s_server with PSK
	eval "${GETPORT}"
	launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -psk_identity ${PSKID} -psk ${PSKKEY} -nocert
	PID=$!
	wait_server ${PID}

# by default only SHA256 is supported under PSK as PRF, so we cannot try all
# ciphers; only the ones which use SHA256 PRF.
	for i in AES-128-GCM;do
# plain PSK with (EC)DHE not supported by openssl
#		echo_cmd "${PREFIX}Checking TLS 1.3 with PSK with ${i}..."
#		${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK:-CIPHER-ALL:+${i}${ADD}" --pskusername ${PSKID} --pskkey ${PSKKEY} </dev/null || \
#			fail ${PID} "Failed"

		echo_cmd "${PREFIX}Checking TLS 1.3 with DHE-PSK with ${i}..."
		${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+DHE-PSK:+VERS-TLS1.3:-CIPHER-ALL:+${i}${ADD}" --pskusername ${PSKID} --pskkey ${PSKKEY} </dev/null >>${OUTPUT} || \
			fail ${PID} "Failed"
	done

	kill ${PID}
	wait

	#test client certificates
	eval "${GETPORT}"
	launch_bare_server $$ s_server -cipher "ALL" -quiet -www -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" >>${OUTPUT} 2>&1
	PID=$!
	wait_server ${PID}

	for i in GROUP-SECP256R1;do
		echo_cmd "${PREFIX}Checking TLS 1.3 with RSA client cert and $i..."
		${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+${i}${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >>${OUTPUT} || \
			fail ${PID} "Failed"

		echo_cmd "${PREFIX}Checking TLS 1.3 with secp256r1 client cert and $i..."
		${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+${i}${ADD}" --insecure --x509certfile "${ECC_CLI_CERT}" --x509keyfile "${ECC_CLI_KEY}" </dev/null >>${OUTPUT} || \
			fail ${PID} "Failed"

		echo_cmd "${PREFIX}Checking TLS 1.3 with Ed25519 client cert and $i..."
		${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+${i}${ADD}" --insecure --x509certfile "${ED25519_CLI_CERT}" --x509keyfile "${ED25519_CLI_KEY}" </dev/null >>${OUTPUT} || \
			fail ${PID} "Failed"

		echo_cmd "${PREFIX}Checking TLS 1.3 with RSA-PSS client cert and $i..."
		${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+${i}${ADD}" --insecure --x509certfile "${RSA_PSS_CLI_CERT}" --x509keyfile "${RSA_PSS_CLI_KEY}" </dev/null >>${OUTPUT} || \
			fail ${PID} "Failed"
	done

	kill ${PID}
	wait

	echo_cmd "${PREFIX}Checking TLS 1.3 with Ed25519 certificate..."
	eval "${GETPORT}"
	launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${ED25519_KEY}" -cert "${ED25519_CERT}" -CAfile "${CA_CERT}"
	PID=$!
	wait_server ${PID}

	${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --insecure </dev/null >>${OUTPUT} || \
		fail ${PID} "Failed"

	kill ${PID}
	wait

	echo_cmd "${PREFIX}Checking TLS 1.3 with Ed448 certificate..."
	eval "${GETPORT}"
	launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${ED448_KEY}" -cert "${ED448_CERT}" -CAfile "${CA_CERT}"
	PID=$!
	wait_server ${PID}

	${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --insecure </dev/null >>${OUTPUT} || \
		fail ${PID} "Failed"

	kill ${PID}
	wait

	echo_cmd "${PREFIX}Checking TLS 1.3 with secp256r1 certificate..."
	eval "${GETPORT}"
	launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${ECC_KEY}" -cert "${ECC_CERT}" -CAfile "${CA_CERT}"
	PID=$!
	wait_server ${PID}

	${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --insecure </dev/null >>${OUTPUT} || \
		fail ${PID} "Failed"

	kill ${PID}
	wait

	echo_cmd "${PREFIX}Checking TLS 1.3 with RSA-PSS certificate..."
	eval "${GETPORT}"
	launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_PSS_KEY}" -cert "${RSA_PSS_CERT}" -CAfile "${CA_CERT}"
	PID=$!
	wait_server ${PID}

	${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --insecure </dev/null >>${OUTPUT} || \
		fail ${PID} "Failed"

	kill ${PID}
	wait

	# Try resumption
	echo_cmd "${PREFIX}Checking TLS 1.3 with resumption..."
	testdir=`create_testdir tls13-openssl-resumption`
	eval "${GETPORT}"
	launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -CAfile "${CA_CERT}"
	PID=$!
	wait_server ${PID}

	${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:+GROUP-ALL${ADD}" --insecure --inline-commands <<< $(echo -e "^resume^\nGET / HTTP/1.0\r\n\r\n")| tee "${testdir}/client.out" >> ${OUTPUT}
	grep '^\*\*\* This is a resumed session' "${testdir}/client.out" || \
		fail ${PID} "Failed"

	kill ${PID}
	wait

	# Try resumption with HRR
	echo_cmd "${PREFIX}Checking TLS 1.3 with resumption and HRR..."
	eval "${GETPORT}"
	launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -groups 'X25519:P-256' -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -CAfile "${CA_CERT}"
	PID=$!
	wait_server ${PID}

	${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-SECP256R1${ADD}" --single-key-share --insecure --inline-commands <<< $(echo -e "^resume^\nGET / HTTP/1.0\r\n\r\n")| tee "${testdir}/client.out" >> ${OUTPUT}
	grep '^\*\*\* This is a resumed session' "${testdir}/client.out" || \
		fail ${PID} "Failed"

	kill ${PID}
	wait

	# Try resumption with early data
	echo_cmd "${PREFIX}Checking TLS 1.3 with resumption with early data..."
	testdir=`create_testdir tls13-openssl-resumption`
	eval "${GETPORT}"
	launch_bare_server $$ s_server -quiet -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -CAfile "${CA_CERT}" -early_data
	PID=$!
	wait_server ${PID}

	echo "This file contains early data sent by the client" > "${testdir}/earlydata.txt"
	${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:+GROUP-ALL${ADD}" --earlydata "${testdir}/earlydata.txt" --insecure --inline-commands <<< '^resume^'| tee "${testdir}/client.out" >> ${OUTPUT}
	grep '^\*\*\* This is a resumed session' "${testdir}/client.out" || \
		fail ${PID} "Failed"

	kill ${PID}
	wait

	# Try resumption with early data with small limit
	echo_cmd "${PREFIX}Checking TLS 1.3 with resumption with early data..."
	testdir=`create_testdir tls13-openssl-resumption`
	eval "${GETPORT}"
	launch_bare_server $$ s_server -quiet -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -CAfile "${CA_CERT}" -early_data -max_early_data 1
	PID=$!
	wait_server ${PID}

	echo "This file contains early data sent by the client" > "${testdir}/earlydata.txt"
	${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:+GROUP-ALL${ADD}" --earlydata "${testdir}/earlydata.txt" --insecure --inline-commands <<< '^resume^'|& tee "${testdir}/client.out" >> ${OUTPUT}
	grep '^\*\*\* This is a resumed session' "${testdir}/client.out" || \
		fail ${PID} "Failed"
	grep '^\*\*\* Received alert \[10\]: Unexpected message' "${testdir}/client.out" || \
		fail ${PID} "Failed"

	kill ${PID}
	wait

	# Try exporting keying material
	echo_cmd "${PREFIX}Checking TLS 1.3 to export keying material..."
	testdir=`create_testdir tls13-openssl-keymatexport`
	eval "${GETPORT}"
	LOGFILE="${testdir}/server.out"
	launch_bare_server $$ s_server -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -CAfile "${CA_CERT}" -keymatexport label -keymatexportlen 20
	unset LOGFILE
	PID=$!
	wait_server ${PID}

	${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:+GROUP-ALL${ADD}" --keymatexport label --keymatexportsize 20| tee "${testdir}/client.out" >> ${OUTPUT}
	grep '^- Key material: ' "${testdir}/client.out" | \
	sed -e 's/^.*: //' -e 'y/abcdef/ABCDEF/' > "${testdir}/client.key" || \
		fail ${PID} "Failed"
	grep '^    Keying material: ' "${testdir}/server.out" | \
	sed -e 's/^.*: //' -e 'y/abcdef/ABCDEF/' > "${testdir}/server.key" || \
		fail ${PID} "Failed"
	diff "${testdir}/client.key" "${testdir}/server.key" || \
		fail ${PID} "Failed"
	kill ${PID}
	wait

	rm -rf "${testdir}"

}

run_client_suite

echo_cmd "${PREFIX}Client mode tests were successfully completed"
echo_cmd "${PREFIX}"
echo_cmd "${PREFIX}###############################################"
echo_cmd "${PREFIX}# Server mode tests (gnutls server-openssl cli#"
echo_cmd "${PREFIX}###############################################"
SERV="${GNUTLS_SERV} -q"

# Note that openssl s_client does not return error code on failure

run_server_suite() {
	ADD=$1
	PREFIX=""
	if ! test -z "${ADD}"; then
		PREFIX="$(echo $ADD|sed 's/://g'): "
	fi

	#AES-128-CCM
	for i in AES-128-GCM AES-256-GCM CHACHA20-POLY1305 AES-128-CCM AES-128-CCM-8;do
		echo_cmd "${PREFIX}Checking TLS 1.3 with ${i}..."

		eval "${GETPORT}"
		launch_server $$ --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+${i}${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
		PID=$!
		wait_server ${PID}

		${OPENSSL_CLI} s_client -ciphersuites ${OCIPHERSUITES} -host localhost -port "${PORT}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
			fail ${PID} "Failed"

		kill ${PID}
		wait
	done

	GROUPS="GROUP-X25519 GROUP-X448 GROUP-SECP256R1 GROUP-SECP384R1 GROUP-SECP521R1"
	for i in $GROUPS;do
		echo_cmd "${PREFIX}Checking TLS 1.3 with ${i}..."

		eval "${GETPORT}"
		launch_server $$ --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+${i}${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"  >>${OUTPUT} 2>&1
		PID=$!
		wait_server ${PID}

		${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
			fail ${PID} "Failed"

		kill ${PID}
		wait
	done

	echo_cmd "${PREFIX}Checking TLS 1.3 with HRR..."
	eval "${GETPORT}"
	launch_server $$ --echo --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-SECP384R1${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"  >>${OUTPUT} 2>&1
	PID=$!
	wait_server ${PID}

	${OPENSSL_CLI} s_client -groups 'X25519:P-256:X448:P-521:P-384' -host localhost -port "${PORT}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
		fail ${PID} "Failed"

	echo_cmd "${PREFIX}Checking TLS 1.3 with rekey..."
	expect - >/dev/null <<_EOF_
set timeout 10
set os_error_flag 1
spawn ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -CAfile "${CA_CERT}"

expect "SSL-Session" {send "K\n"} timeout {exit 1}
expect "KEYUPDATE" {send "HELLO\n"} timeout {exit 1}
expect "HELLO" {close} timeout {exit 1}

lassign [wait] pid spawnid os_error_flag value
if {\$os_error_flag == 0} {
    exit $value
} else {
    exit 1
}
_EOF_
	if test $? != 0;then
		fail ${PID} "Failed"
	fi

	kill ${PID}
	wait

	# client certificates

	eval "${GETPORT}"
	launch_server $$ --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --require-client-cert --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
	PID=$!
	wait_server ${PID}

	echo_cmd "${PREFIX}Checking TLS 1.3 with RSA client certificate..."
	${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
		fail ${PID} "Failed"

	echo_cmd "${PREFIX}Checking TLS 1.3 with RSA-PSS client certificate..."
	${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -cert "${RSA_PSS_CLI_CERT}" -key "${RSA_PSS_CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
		fail ${PID} "Failed"

	echo_cmd "${PREFIX}Checking TLS 1.3 with secp256r1 client certificate..."
	${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -cert "${ECC_CLI_CERT}" -key "${ECC_CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
		fail ${PID} "Failed"

	echo_cmd "${PREFIX}Checking TLS 1.3 with Ed25519 client certificate..."
	${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -cert "${ED25519_CLI_CERT}" -key "${ED25519_CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
		fail ${PID} "Failed"

	echo_cmd "${PREFIX}Checking TLS 1.3 with Ed448 client certificate..."
	${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -cert "${ED448_CLI_CERT}" -key "${ED448_CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
		fail ${PID} "Failed"

	kill ${PID}
	wait

	echo_cmd "${PREFIX}Checking TLS 1.3 with post handshake auth..."

	eval "${GETPORT}"
	launch_server $$ --echo --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
	PID=$!
	wait_server ${PID}

	expect - >/dev/null <<_EOF_
set timeout 10
set os_error_flag 1
spawn ${OPENSSL_CLI} s_client -enable_pha -host localhost -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}"

expect "SSL-Session" {send "**REAUTH**\n"} timeout {exit 1}
expect {
  timeout {exit 1}
  "error*" {exit 1}
  "Successfully executed command" {send "**REAUTH**\n"}
}
expect {
  timeout {exit 1}
  "error*" {exit 1}
  "Successfully executed command" {send "HELLO\n"}
}

expect "HELLO" {close} timeout {exit 1}

lassign [wait] pid spawnid os_error_flag value
if {\$os_error_flag == 0} {
    exit $value
} else {
    exit 1
}
_EOF_
	if test $? != 0;then
		fail ${PID} "Failed"
	fi

	kill ${PID}
	wait


	echo_cmd "${PREFIX}Checking TLS 1.3 with Ed25519 certificate..."

	eval "${GETPORT}"
	launch_server $$ --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${ED25519_CERT}" --x509keyfile "${ED25519_KEY}" --x509cafile "${CA_CERT}"  >>${OUTPUT} 2>&1
	PID=$!
	wait_server ${PID}

	${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
		fail ${PID} "Failed"

	kill ${PID}
	wait

	echo_cmd "${PREFIX}Checking TLS 1.3 with Ed448 certificate..."

	eval "${GETPORT}"
	launch_server $$ --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${ED448_CERT}" --x509keyfile "${ED448_KEY}" --x509cafile "${CA_CERT}"  >>${OUTPUT} 2>&1
	PID=$!
	wait_server ${PID}

	${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
		fail ${PID} "Failed"

	kill ${PID}
	wait

	echo_cmd "${PREFIX}Checking TLS 1.3 with secp256r1 certificate..."

	eval "${GETPORT}"
	launch_server $$ --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${ECC_CERT}" --x509keyfile "${ECC_KEY}" --x509cafile "${CA_CERT}"  >>${OUTPUT} 2>&1
	PID=$!
	wait_server ${PID}

	${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
		fail ${PID} "Failed"

	kill ${PID}
	wait

	echo_cmd "${PREFIX}Checking TLS 1.3 with RSA-PSS certificate..."

	eval "${GETPORT}"
	launch_server $$ --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${RSA_PSS_CERT}" --x509keyfile "${RSA_PSS_KEY}" --x509cafile "${CA_CERT}"  >>${OUTPUT} 2>&1
	PID=$!
	wait_server ${PID}

	${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
		fail ${PID} "Failed"

	kill ${PID}
	wait


	# openssl doesn't support PSK
	for i in DHE-PSK;do
		echo_cmd "${PREFIX}Checking TLS 1.3 with ${i}..."

		eval "${GETPORT}"
		launch_server $$ --pskpasswd "${SERV_PSK}" --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-GCM:+${i}${ADD}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
		PID=$!
		wait_server ${PID}

		${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -psk_identity "${PSKID}" -psk "${PSKKEY}" </dev/null >>${OUTPUT} || \
			fail ${PID} "Failed"

		kill ${PID}
		wait
	done

	# Try resumption
	echo_cmd "${PREFIX}Checking TLS 1.3 with resumption..."
	testdir=`create_testdir tls13-openssl-resumption`
	eval "${GETPORT}"
	launch_server $$ --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${RSA_CERT}" --x509keyfile "${RSA_KEY}" --x509cafile "${CA_CERT}"  >>${OUTPUT} 2>&1
	PID=$!
	wait_server ${PID}

	{ echo a; sleep 1; } | \
	${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -CAfile "${CA_CERT}" -sess_out "${testdir}/sess.pem" 2>&1 | grep "\:error\:" && \
		fail ${PID} "Failed"
	${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -CAfile "${CA_CERT}" -sess_in "${testdir}/sess.pem" </dev/null 2>&1 > "${testdir}/server.out"
	grep "\:error\:" "${testdir}/server.out" && \
		fail ${PID} "Failed"
	grep "^Reused, TLSv1.3" "${testdir}/server.out" || \
		fail ${PID} "Failed"

	kill ${PID}
	wait

	echo_cmd "${PREFIX}Checking TLS 1.3 with resumption and HRR..."
	eval "${GETPORT}"
	launch_server $$ --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-256-GCM:-GROUP-ALL:+GROUP-SECP384R1${ADD}" --x509certfile "${RSA_CERT}" --x509keyfile "${RSA_KEY}" --x509cafile "${CA_CERT}"  >>${OUTPUT} 2>&1
	PID=$!
	wait_server ${PID}

	{ echo a; sleep 1; } | \
	${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -curves 'X25519:P-256:X448:P-521:P-384' -CAfile "${CA_CERT}" -sess_out "${testdir}/sess-hrr.pem" 2>&1 | grep "\:error\:" && \
		fail ${PID} "Failed"
	${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -curves 'X25519:P-256:X448:P-521:P-384' -CAfile "${CA_CERT}" -sess_in "${testdir}/sess-hrr.pem" </dev/null 2>&1 > "${testdir}/server.out"
	grep "\:error\:" "${testdir}/server.out" && \
		fail ${PID} "Failed"
	grep "^Reused, TLSv1.3" "${testdir}/server.out" || \
		fail ${PID} "Failed"

	kill ${PID}
	wait

	echo_cmd "${PREFIX}Checking TLS 1.3 with resumption and early data..."
	testdir=`create_testdir tls13-openssl-resumption`
	eval "${GETPORT}"
	launch_server $$ --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${RSA_CERT}" --x509keyfile "${RSA_KEY}" --x509cafile "${CA_CERT}" --earlydata  >>${OUTPUT} 2>&1
	PID=$!
	wait_server ${PID}

	echo "This file contains early data sent by the client" > "${testdir}/earlydata.txt"
	{ echo a; sleep 1; } | \
	${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -CAfile "${CA_CERT}" -sess_out "${testdir}/sess-earlydata.pem" 2>&1 | grep "\:error\:" && \
		fail ${PID} "Failed"
	${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -CAfile "${CA_CERT}" -sess_in "${testdir}/sess-earlydata.pem" -early_data "${testdir}/earlydata.txt" </dev/null 2>&1 > "${testdir}/server.out"
	grep "\:error\:" "${testdir}/server.out" && \
		fail ${PID} "Failed"
	grep "^Reused, TLSv1.3" "${testdir}/server.out" || \
		fail ${PID} "Failed"

	kill ${PID}
	wait

	echo_cmd "${PREFIX}Checking TLS 1.3 with resumption and early data with small limit..."
	testdir=`create_testdir tls13-openssl-resumption`
	eval "${GETPORT}"
	launch_server $$ --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${RSA_CERT}" --x509keyfile "${RSA_KEY}" --x509cafile "${CA_CERT}" --earlydata --maxearlydata 1  >>${OUTPUT} 2>&1
	PID=$!
	wait_server ${PID}

	echo "This file contains early data sent by the client" > "${testdir}/earlydata.txt"
	{ echo a; sleep 1; } | \
	${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -CAfile "${CA_CERT}" -sess_out "${testdir}/sess-earlydata.pem" 2>&1 | grep "\:error\:" && \
		fail ${PID} "Failed"
	${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -CAfile "${CA_CERT}" -sess_in "${testdir}/sess-earlydata.pem" -early_data "${testdir}/earlydata.txt" </dev/null 2>&1 > "${testdir}/server.out"
	grep "^Early data was rejected" "${testdir}/server.out" || \
		fail ${PID} "Failed"

	kill ${PID}
	wait
	rm -rf "${testdir}"

}

run_server_suite

exit 0