From ac36e382a97a54b06cca1f61f70eddc8c3904f4d Mon Sep 17 00:00:00 2001
From: Andres Amaya Garcia <andres.amayagarcia@arm.com>
Date: Wed, 6 Sep 2017 15:44:01 +0100
Subject: [PATCH] Add ssl-opt.sh test to check gmt_unix_time is good

Add a test to ssl-opt.sh that parses the client and server debug
output and then checks that the Unix timestamp in the ServerHello
message is within acceptable bounds.
---
 tests/ssl-opt.sh | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)

diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index b349512cc..e23daeeaf 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -321,6 +321,33 @@ wait_server_start() {
     fi
 }
 
+# Given the client or server debug output, parse the unix timestamp that is
+# included in the first 4 bytes of the random bytes and check that its within
+# acceptable bounds
+check_server_hello_time() {
+    # Extract the time from the debug (lvl 3) output of the client
+    SERVER_HELLO_TIME="$(cat "$1" | sed -n 's/.*server hello, current time: \([0-9]\+\)$/\1/p')"
+    # Get the Unix timestamp for now
+    CUR_TIME=$(date +'%s')
+    THRESHOLD_IN_SECS=300
+
+    # Check if the ServerHello time was printed
+    if [ -z "$SERVER_HELLO_TIME" ]; then
+        return 1
+    fi
+
+    # Check the time in ServerHello is within acceptable bounds
+    if [ $SERVER_HELLO_TIME -lt $(( $CUR_TIME - $THRESHOLD_IN_SECS )) ]; then
+        # The time in ServerHello is at least 5 minutes before now
+        return 1
+    elif [ $SERVER_HELLO_TIME -gt $(( $CUR_TIME + $THRESHOLD_IN_SECS )) ]; then
+        # The time in ServerHello is at least 5 minues later than now
+        return 1
+    else
+        return 0
+    fi
+}
+
 # wait for client to terminate and set CLI_EXIT
 # must be called right after starting the client
 wait_client_done() {
@@ -696,6 +723,21 @@ run_test    "Default, DTLS" \
             -s "Protocol is DTLSv1.2" \
             -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"
 
+# Test current time in ServerHello
+requires_config_enabled MBEDTLS_HAVE_TIME
+run_test    "Default, ServerHello contains gmt_unix_time" \
+            "$P_SRV debug_level=3" \
+            "$P_CLI debug_level=3" \
+            0 \
+            -s "Protocol is TLSv1.2" \
+            -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
+            -s "client hello v3, signature_algorithm ext: 6" \
+            -s "ECDHE curve: secp521r1" \
+            -S "error" \
+            -C "error" \
+            -f "check_server_hello_time" \
+            -F "check_server_hello_time"
+
 # Test for uniqueness of IVs in AEAD ciphersuites
 run_test    "Unique IV in GCM" \
             "$P_SRV exchanges=20 debug_level=4" \