1#!/bin/sh 2 3# compat.sh 4# 5# Copyright The Mbed TLS Contributors 6# SPDX-License-Identifier: Apache-2.0 7# 8# Licensed under the Apache License, Version 2.0 (the "License"); you may 9# not use this file except in compliance with the License. 10# You may obtain a copy of the License at 11# 12# http://www.apache.org/licenses/LICENSE-2.0 13# 14# Unless required by applicable law or agreed to in writing, software 15# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 16# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 17# See the License for the specific language governing permissions and 18# limitations under the License. 19# 20# Purpose 21# 22# Test interoperbility with OpenSSL, GnuTLS as well as itself. 23# 24# Check each common ciphersuite, with each version, both ways (client/server), 25# with and without client authentication. 26 27set -u 28 29# Limit the size of each log to 10 GiB, in case of failures with this script 30# where it may output seemingly unlimited length error logs. 31ulimit -f 20971520 32 33# initialise counters 34TESTS=0 35FAILED=0 36SKIPPED=0 37SRVMEM=0 38 39# default commands, can be overridden by the environment 40: ${M_SRV:=../programs/ssl/ssl_server2} 41: ${M_CLI:=../programs/ssl/ssl_client2} 42: ${OPENSSL:=openssl} 43: ${GNUTLS_CLI:=gnutls-cli} 44: ${GNUTLS_SERV:=gnutls-serv} 45 46# The OPENSSL variable used to be OPENSSL_CMD for historical reasons. 47# To help the migration, error out if the old variable is set, 48# but only if it has a different value than the new one. 49if [ "${OPENSSL_CMD+set}" = set ]; then 50 # the variable is set, we can now check its value 51 if [ "$OPENSSL_CMD" != "$OPENSSL" ]; then 52 echo "Please use OPENSSL instead of OPENSSL_CMD." >&2 53 exit 125 54 fi 55fi 56 57# do we have a recent enough GnuTLS? 58if ( which $GNUTLS_CLI && which $GNUTLS_SERV ) >/dev/null 2>&1; then 59 G_VER="$( $GNUTLS_CLI --version | head -n1 )" 60 if echo "$G_VER" | grep '@VERSION@' > /dev/null; then # git version 61 PEER_GNUTLS=" GnuTLS" 62 else 63 eval $( echo $G_VER | sed 's/.* \([0-9]*\)\.\([0-9]\)*\.\([0-9]*\)$/MAJOR="\1" MINOR="\2" PATCH="\3"/' ) 64 if [ $MAJOR -lt 3 -o \ 65 \( $MAJOR -eq 3 -a $MINOR -lt 2 \) -o \ 66 \( $MAJOR -eq 3 -a $MINOR -eq 2 -a $PATCH -lt 15 \) ] 67 then 68 PEER_GNUTLS="" 69 else 70 PEER_GNUTLS=" GnuTLS" 71 if [ $MINOR -lt 4 ]; then 72 GNUTLS_MINOR_LT_FOUR='x' 73 fi 74 fi 75 fi 76else 77 PEER_GNUTLS="" 78fi 79 80# default values for options 81# /!\ keep this synchronised with: 82# - basic-build-test.sh 83# - all.sh (multiple components) 84MODES="tls12 dtls12" 85VERIFIES="NO YES" 86TYPES="ECDSA RSA PSK" 87FILTER="" 88# By default, exclude: 89# - NULL: excluded from our default config + requires OpenSSL legacy 90# - ARIA: requires OpenSSL >= 1.1.1 91# - ChachaPoly: requires OpenSSL >= 1.1.0 92EXCLUDE='NULL\|ARIA\|CHACHA20_POLY1305' 93VERBOSE="" 94MEMCHECK=0 95PEERS="OpenSSL$PEER_GNUTLS mbedTLS" 96 97# hidden option: skip DTLS with OpenSSL 98# (travis CI has a version that doesn't work for us) 99: ${OSSL_NO_DTLS:=0} 100 101print_usage() { 102 echo "Usage: $0" 103 printf " -h|--help\tPrint this help.\n" 104 printf " -f|--filter\tOnly matching ciphersuites are tested (Default: '%s')\n" "$FILTER" 105 printf " -e|--exclude\tMatching ciphersuites are excluded (Default: '%s')\n" "$EXCLUDE" 106 printf " -m|--modes\tWhich modes to perform (Default: '%s')\n" "$MODES" 107 printf " -t|--types\tWhich key exchange type to perform (Default: '%s')\n" "$TYPES" 108 printf " -V|--verify\tWhich verification modes to perform (Default: '%s')\n" "$VERIFIES" 109 printf " -p|--peers\tWhich peers to use (Default: '%s')\n" "$PEERS" 110 printf " \tAlso available: GnuTLS (needs v3.2.15 or higher)\n" 111 printf " -M|--memcheck\tCheck memory leaks and errors.\n" 112 printf " -v|--verbose\tSet verbose output.\n" 113} 114 115get_options() { 116 while [ $# -gt 0 ]; do 117 case "$1" in 118 -f|--filter) 119 shift; FILTER=$1 120 ;; 121 -e|--exclude) 122 shift; EXCLUDE=$1 123 ;; 124 -m|--modes) 125 shift; MODES=$1 126 ;; 127 -t|--types) 128 shift; TYPES=$1 129 ;; 130 -V|--verify) 131 shift; VERIFIES=$1 132 ;; 133 -p|--peers) 134 shift; PEERS=$1 135 ;; 136 -v|--verbose) 137 VERBOSE=1 138 ;; 139 -M|--memcheck) 140 MEMCHECK=1 141 ;; 142 -h|--help) 143 print_usage 144 exit 0 145 ;; 146 *) 147 echo "Unknown argument: '$1'" 148 print_usage 149 exit 1 150 ;; 151 esac 152 shift 153 done 154 155 # sanitize some options (modes checked later) 156 VERIFIES="$( echo $VERIFIES | tr [a-z] [A-Z] )" 157 TYPES="$( echo $TYPES | tr [a-z] [A-Z] )" 158} 159 160log() { 161 if [ "X" != "X$VERBOSE" ]; then 162 echo "" 163 echo "$@" 164 fi 165} 166 167# is_dtls <mode> 168is_dtls() 169{ 170 test "$1" = "dtls12" 171} 172 173# minor_ver <mode> 174minor_ver() 175{ 176 case "$1" in 177 tls12|dtls12) 178 echo 3 179 ;; 180 *) 181 echo "error: invalid mode: $MODE" >&2 182 # exiting is no good here, typically called in a subshell 183 echo -1 184 esac 185} 186 187filter() 188{ 189 LIST="$1" 190 NEW_LIST="" 191 192 EXCLMODE="$EXCLUDE" 193 194 for i in $LIST; 195 do 196 NEW_LIST="$NEW_LIST $( echo "$i" | grep "$FILTER" | grep -v "$EXCLMODE" )" 197 done 198 199 # normalize whitespace 200 echo "$NEW_LIST" | sed -e 's/[[:space:]][[:space:]]*/ /g' -e 's/^ //' -e 's/ $//' 201} 202 203filter_ciphersuites() 204{ 205 if [ "X" != "X$FILTER" -o "X" != "X$EXCLUDE" ]; 206 then 207 # Ciphersuite for mbed TLS 208 M_CIPHERS=$( filter "$M_CIPHERS" ) 209 210 # Ciphersuite for OpenSSL 211 O_CIPHERS=$( filter "$O_CIPHERS" ) 212 213 # Ciphersuite for GnuTLS 214 G_CIPHERS=$( filter "$G_CIPHERS" ) 215 fi 216 217 # For GnuTLS client -> mbed TLS server, 218 # we need to force IPv4 by connecting to 127.0.0.1 but then auth fails 219 if is_dtls "$MODE" && [ "X$VERIFY" = "XYES" ]; then 220 G_CIPHERS="" 221 fi 222} 223 224reset_ciphersuites() 225{ 226 M_CIPHERS="" 227 O_CIPHERS="" 228 G_CIPHERS="" 229} 230 231# translate_ciphers {g|m|o} {STANDARD_CIPHER_SUITE_NAME...} 232# Set $ciphers to the cipher suite name translations for the specified 233# program (gnutls, mbedtls or openssl). $ciphers is a space-separated 234# list of entries of the form "STANDARD_NAME=PROGRAM_NAME". 235translate_ciphers() 236{ 237 ciphers=$(scripts/translate_ciphers.py "$@") 238 if [ $? -ne 0 ]; then 239 echo "translate_ciphers.py failed with exit code $1" >&2 240 echo "$2" >&2 241 exit 1 242 fi 243} 244 245# Ciphersuites that can be used with all peers. 246# Since we currently have three possible peers, each ciphersuite should appear 247# three times: in each peer's list (with the name that this peer uses). 248add_common_ciphersuites() 249{ 250 CIPHERS="" 251 case $TYPE in 252 253 "ECDSA") 254 CIPHERS="$CIPHERS \ 255 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA \ 256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 \ 257 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 \ 258 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA \ 259 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 \ 260 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 \ 261 TLS_ECDHE_ECDSA_WITH_NULL_SHA \ 262 " 263 ;; 264 265 "RSA") 266 CIPHERS="$CIPHERS \ 267 TLS_DHE_RSA_WITH_AES_128_CBC_SHA \ 268 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 \ 269 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 \ 270 TLS_DHE_RSA_WITH_AES_256_CBC_SHA \ 271 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 \ 272 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 \ 273 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA \ 274 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA \ 275 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA \ 276 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 \ 277 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 \ 278 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA \ 279 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 \ 280 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 \ 281 TLS_ECDHE_RSA_WITH_NULL_SHA \ 282 TLS_RSA_WITH_AES_128_CBC_SHA \ 283 TLS_RSA_WITH_AES_128_CBC_SHA256 \ 284 TLS_RSA_WITH_AES_128_GCM_SHA256 \ 285 TLS_RSA_WITH_AES_256_CBC_SHA \ 286 TLS_RSA_WITH_AES_256_CBC_SHA256 \ 287 TLS_RSA_WITH_AES_256_GCM_SHA384 \ 288 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA \ 289 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA \ 290 TLS_RSA_WITH_NULL_MD5 \ 291 TLS_RSA_WITH_NULL_SHA \ 292 TLS_RSA_WITH_NULL_SHA256 \ 293 " 294 ;; 295 296 "PSK") 297 CIPHERS="$CIPHERS \ 298 TLS_PSK_WITH_AES_128_CBC_SHA \ 299 TLS_PSK_WITH_AES_256_CBC_SHA \ 300 " 301 ;; 302 esac 303 304 O_CIPHERS="$O_CIPHERS $CIPHERS" 305 G_CIPHERS="$G_CIPHERS $CIPHERS" 306 M_CIPHERS="$M_CIPHERS $CIPHERS" 307} 308 309# Ciphersuites usable only with Mbed TLS and OpenSSL 310# A list of ciphersuites in the standard naming convention is appended 311# to the list of Mbed TLS ciphersuites $M_CIPHERS and 312# to the list of OpenSSL ciphersuites $O_CIPHERS respectively. 313# Based on client's naming convention, all ciphersuite names will be 314# translated into another naming format before sent to the client. 315# 316# NOTE: for some reason RSA-PSK doesn't work with OpenSSL, 317# so RSA-PSK ciphersuites need to go in other sections, see 318# https://github.com/Mbed-TLS/mbedtls/issues/1419 319# 320# ChachaPoly suites are here rather than in "common", as they were added in 321# GnuTLS in 3.5.0 and the CI only has 3.4.x so far. 322add_openssl_ciphersuites() 323{ 324 CIPHERS="" 325 case $TYPE in 326 327 "ECDSA") 328 CIPHERS="$CIPHERS \ 329 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA \ 330 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 \ 331 TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 \ 332 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA \ 333 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 \ 334 TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 \ 335 TLS_ECDH_ECDSA_WITH_NULL_SHA \ 336 TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 \ 337 TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 \ 338 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 \ 339 " 340 ;; 341 342 "RSA") 343 CIPHERS="$CIPHERS \ 344 TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 \ 345 TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 \ 346 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 \ 347 TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 \ 348 TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 \ 349 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 \ 350 TLS_RSA_WITH_ARIA_128_GCM_SHA256 \ 351 TLS_RSA_WITH_ARIA_256_GCM_SHA384 \ 352 " 353 ;; 354 355 "PSK") 356 CIPHERS="$CIPHERS \ 357 TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256 \ 358 TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384 \ 359 TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 \ 360 TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 \ 361 TLS_PSK_WITH_ARIA_128_GCM_SHA256 \ 362 TLS_PSK_WITH_ARIA_256_GCM_SHA384 \ 363 TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 \ 364 " 365 ;; 366 esac 367 368 O_CIPHERS="$O_CIPHERS $CIPHERS" 369 M_CIPHERS="$M_CIPHERS $CIPHERS" 370} 371 372# Ciphersuites usable only with Mbed TLS and GnuTLS 373# A list of ciphersuites in the standard naming convention is appended 374# to the list of Mbed TLS ciphersuites $M_CIPHERS and 375# to the list of GnuTLS ciphersuites $G_CIPHERS respectively. 376# Based on client's naming convention, all ciphersuite names will be 377# translated into another naming format before sent to the client. 378add_gnutls_ciphersuites() 379{ 380 CIPHERS="" 381 case $TYPE in 382 383 "ECDSA") 384 CIPHERS="$CIPHERS \ 385 TLS_ECDHE_ECDSA_WITH_AES_128_CCM \ 386 TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 \ 387 TLS_ECDHE_ECDSA_WITH_AES_256_CCM \ 388 TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 \ 389 TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 \ 390 TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 \ 391 TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 \ 392 TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 \ 393 " 394 ;; 395 396 "RSA") 397 CIPHERS="$CIPHERS \ 398 TLS_DHE_RSA_WITH_AES_128_CCM \ 399 TLS_DHE_RSA_WITH_AES_128_CCM_8 \ 400 TLS_DHE_RSA_WITH_AES_256_CCM \ 401 TLS_DHE_RSA_WITH_AES_256_CCM_8 \ 402 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 \ 403 TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 \ 404 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 \ 405 TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 \ 406 TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 \ 407 TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 \ 408 TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 \ 409 TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 \ 410 TLS_RSA_WITH_AES_128_CCM \ 411 TLS_RSA_WITH_AES_128_CCM_8 \ 412 TLS_RSA_WITH_AES_256_CCM \ 413 TLS_RSA_WITH_AES_256_CCM_8 \ 414 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 \ 415 TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 \ 416 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 \ 417 TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 \ 418 " 419 ;; 420 421 "PSK") 422 CIPHERS="$CIPHERS \ 423 TLS_DHE_PSK_WITH_AES_128_CBC_SHA \ 424 TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 \ 425 TLS_DHE_PSK_WITH_AES_128_CCM \ 426 TLS_DHE_PSK_WITH_AES_128_CCM_8 \ 427 TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 \ 428 TLS_DHE_PSK_WITH_AES_256_CBC_SHA \ 429 TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 \ 430 TLS_DHE_PSK_WITH_AES_256_CCM \ 431 TLS_DHE_PSK_WITH_AES_256_CCM_8 \ 432 TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 \ 433 TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 \ 434 TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 \ 435 TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 \ 436 TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 \ 437 TLS_DHE_PSK_WITH_NULL_SHA256 \ 438 TLS_DHE_PSK_WITH_NULL_SHA384 \ 439 TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA \ 440 TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 \ 441 TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA \ 442 TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 \ 443 TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 \ 444 TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 \ 445 TLS_ECDHE_PSK_WITH_NULL_SHA256 \ 446 TLS_ECDHE_PSK_WITH_NULL_SHA384 \ 447 TLS_PSK_WITH_AES_128_CBC_SHA256 \ 448 TLS_PSK_WITH_AES_128_CCM \ 449 TLS_PSK_WITH_AES_128_CCM_8 \ 450 TLS_PSK_WITH_AES_128_GCM_SHA256 \ 451 TLS_PSK_WITH_AES_256_CBC_SHA384 \ 452 TLS_PSK_WITH_AES_256_CCM \ 453 TLS_PSK_WITH_AES_256_CCM_8 \ 454 TLS_PSK_WITH_AES_256_GCM_SHA384 \ 455 TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 \ 456 TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 \ 457 TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 \ 458 TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 \ 459 TLS_PSK_WITH_NULL_SHA256 \ 460 TLS_PSK_WITH_NULL_SHA384 \ 461 TLS_RSA_PSK_WITH_AES_128_CBC_SHA \ 462 TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 \ 463 TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 \ 464 TLS_RSA_PSK_WITH_AES_256_CBC_SHA \ 465 TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 \ 466 TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 \ 467 TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 \ 468 TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 \ 469 TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 \ 470 TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 \ 471 TLS_RSA_PSK_WITH_NULL_SHA256 \ 472 TLS_RSA_PSK_WITH_NULL_SHA384 \ 473 " 474 ;; 475 esac 476 477 G_CIPHERS="$G_CIPHERS $CIPHERS" 478 M_CIPHERS="$M_CIPHERS $CIPHERS" 479} 480 481# Ciphersuites usable only with Mbed TLS (not currently supported by another 482# peer usable in this script). This provides only very rudimentaty testing, as 483# this is not interop testing, but it's better than nothing. 484add_mbedtls_ciphersuites() 485{ 486 case $TYPE in 487 488 "ECDSA") 489 M_CIPHERS="$M_CIPHERS \ 490 TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256 \ 491 TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256 \ 492 TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384 \ 493 TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384 \ 494 TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 \ 495 TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 \ 496 TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 \ 497 TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 \ 498 TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 \ 499 TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 \ 500 " 501 ;; 502 503 "RSA") 504 M_CIPHERS="$M_CIPHERS \ 505 TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256 \ 506 TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384 \ 507 TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 \ 508 TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 \ 509 TLS_RSA_WITH_ARIA_128_CBC_SHA256 \ 510 TLS_RSA_WITH_ARIA_256_CBC_SHA384 \ 511 " 512 ;; 513 514 "PSK") 515 # *PSK_NULL_SHA suites supported by GnuTLS 3.3.5 but not 3.2.15 516 M_CIPHERS="$M_CIPHERS \ 517 TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256 \ 518 TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384 \ 519 TLS_DHE_PSK_WITH_NULL_SHA \ 520 TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256 \ 521 TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384 \ 522 TLS_ECDHE_PSK_WITH_NULL_SHA \ 523 TLS_PSK_WITH_ARIA_128_CBC_SHA256 \ 524 TLS_PSK_WITH_ARIA_256_CBC_SHA384 \ 525 TLS_PSK_WITH_NULL_SHA \ 526 TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256 \ 527 TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256 \ 528 TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384 \ 529 TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384 \ 530 TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 \ 531 TLS_RSA_PSK_WITH_NULL_SHA \ 532 " 533 ;; 534 esac 535} 536 537# o_check_ciphersuite STANDARD_CIPHER_SUITE 538o_check_ciphersuite() 539{ 540 if [ "${O_SUPPORT_ECDH}" = "NO" ]; then 541 case "$1" in 542 *ECDH_*) SKIP_NEXT="YES" 543 esac 544 fi 545} 546 547setup_arguments() 548{ 549 O_MODE="" 550 G_MODE="" 551 case "$MODE" in 552 "tls12") 553 O_MODE="tls1_2" 554 G_PRIO_MODE="+VERS-TLS1.2" 555 ;; 556 "dtls12") 557 O_MODE="dtls1_2" 558 G_PRIO_MODE="+VERS-DTLS1.2" 559 G_MODE="-u" 560 ;; 561 *) 562 echo "error: invalid mode: $MODE" >&2 563 exit 1; 564 esac 565 566 # GnuTLS < 3.4 will choke if we try to allow CCM-8 567 if [ -z "${GNUTLS_MINOR_LT_FOUR-}" ]; then 568 G_PRIO_CCM="+AES-256-CCM-8:+AES-128-CCM-8:" 569 else 570 G_PRIO_CCM="" 571 fi 572 573 M_SERVER_ARGS="server_port=$PORT server_addr=0.0.0.0 force_version=$MODE" 574 O_SERVER_ARGS="-accept $PORT -cipher NULL,ALL -$O_MODE" 575 G_SERVER_ARGS="-p $PORT --http $G_MODE" 576 G_SERVER_PRIO="NORMAL:${G_PRIO_CCM}+NULL:+MD5:+PSK:+DHE-PSK:+ECDHE-PSK:+SHA256:+SHA384:+RSA-PSK:-VERS-TLS-ALL:$G_PRIO_MODE" 577 578 # The default prime for `openssl s_server` depends on the version: 579 # * OpenSSL <= 1.0.2a: 512-bit 580 # * OpenSSL 1.0.2b to 1.1.1b: 1024-bit 581 # * OpenSSL >= 1.1.1c: 2048-bit 582 # Mbed TLS wants >=1024, so force that for older versions. Don't force 583 # it for newer versions, which reject a 1024-bit prime. Indifferently 584 # force it or not for intermediate versions. 585 case $($OPENSSL version) in 586 "OpenSSL 1.0"*) 587 O_SERVER_ARGS="$O_SERVER_ARGS -dhparam data_files/dhparams.pem" 588 ;; 589 esac 590 591 # with OpenSSL 1.0.1h, -www, -WWW and -HTTP break DTLS handshakes 592 if is_dtls "$MODE"; then 593 O_SERVER_ARGS="$O_SERVER_ARGS" 594 else 595 O_SERVER_ARGS="$O_SERVER_ARGS -www" 596 fi 597 598 M_CLIENT_ARGS="server_port=$PORT server_addr=127.0.0.1 force_version=$MODE" 599 O_CLIENT_ARGS="-connect localhost:$PORT -$O_MODE" 600 G_CLIENT_ARGS="-p $PORT --debug 3 $G_MODE" 601 602 # Newer versions of OpenSSL have a syntax to enable all "ciphers", even 603 # low-security ones. This covers not just cipher suites but also protocol 604 # versions. It is necessary, for example, to use (D)TLS 1.0/1.1 on 605 # OpenSSL 1.1.1f from Ubuntu 20.04. The syntax was only introduced in 606 # OpenSSL 1.1.0 (21e0c1d23afff48601eb93135defddae51f7e2e3) and I can't find 607 # a way to discover it from -help, so check the openssl version. 608 case $($OPENSSL version) in 609 "OpenSSL 0"*|"OpenSSL 1.0"*) :;; 610 *) 611 O_CLIENT_ARGS="$O_CLIENT_ARGS -cipher ALL@SECLEVEL=0" 612 O_SERVER_ARGS="$O_SERVER_ARGS -cipher ALL@SECLEVEL=0" 613 ;; 614 esac 615 616 case $($OPENSSL ciphers ALL) in 617 *ECDH-ECDSA*|*ECDH-RSA*) O_SUPPORT_ECDH="YES";; 618 *) O_SUPPORT_ECDH="NO";; 619 esac 620 621 if [ "X$VERIFY" = "XYES" ]; 622 then 623 M_SERVER_ARGS="$M_SERVER_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required" 624 O_SERVER_ARGS="$O_SERVER_ARGS -CAfile data_files/test-ca_cat12.crt -Verify 10" 625 G_SERVER_ARGS="$G_SERVER_ARGS --x509cafile data_files/test-ca_cat12.crt --require-client-cert" 626 627 M_CLIENT_ARGS="$M_CLIENT_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required" 628 O_CLIENT_ARGS="$O_CLIENT_ARGS -CAfile data_files/test-ca_cat12.crt -verify 10" 629 G_CLIENT_ARGS="$G_CLIENT_ARGS --x509cafile data_files/test-ca_cat12.crt" 630 else 631 # don't request a client cert at all 632 M_SERVER_ARGS="$M_SERVER_ARGS ca_file=none auth_mode=none" 633 G_SERVER_ARGS="$G_SERVER_ARGS --disable-client-cert" 634 635 M_CLIENT_ARGS="$M_CLIENT_ARGS ca_file=none auth_mode=none" 636 O_CLIENT_ARGS="$O_CLIENT_ARGS" 637 G_CLIENT_ARGS="$G_CLIENT_ARGS --insecure" 638 fi 639 640 case $TYPE in 641 "ECDSA") 642 M_SERVER_ARGS="$M_SERVER_ARGS crt_file=data_files/server5.crt key_file=data_files/server5.key" 643 O_SERVER_ARGS="$O_SERVER_ARGS -cert data_files/server5.crt -key data_files/server5.key" 644 G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key" 645 646 if [ "X$VERIFY" = "XYES" ]; then 647 M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=data_files/server6.crt key_file=data_files/server6.key" 648 O_CLIENT_ARGS="$O_CLIENT_ARGS -cert data_files/server6.crt -key data_files/server6.key" 649 G_CLIENT_ARGS="$G_CLIENT_ARGS --x509certfile data_files/server6.crt --x509keyfile data_files/server6.key" 650 else 651 M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=none key_file=none" 652 fi 653 ;; 654 655 "RSA") 656 M_SERVER_ARGS="$M_SERVER_ARGS crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key" 657 O_SERVER_ARGS="$O_SERVER_ARGS -cert data_files/server2-sha256.crt -key data_files/server2.key" 658 G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key" 659 660 if [ "X$VERIFY" = "XYES" ]; then 661 M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=data_files/cert_sha256.crt key_file=data_files/server1.key" 662 O_CLIENT_ARGS="$O_CLIENT_ARGS -cert data_files/cert_sha256.crt -key data_files/server1.key" 663 G_CLIENT_ARGS="$G_CLIENT_ARGS --x509certfile data_files/cert_sha256.crt --x509keyfile data_files/server1.key" 664 else 665 M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=none key_file=none" 666 fi 667 ;; 668 669 "PSK") 670 # give RSA-PSK-capable server a RSA cert 671 # (should be a separate type, but harder to close with openssl) 672 M_SERVER_ARGS="$M_SERVER_ARGS psk=6162636465666768696a6b6c6d6e6f70 ca_file=none crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key" 673 O_SERVER_ARGS="$O_SERVER_ARGS -psk 6162636465666768696a6b6c6d6e6f70 -nocert" 674 G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --pskpasswd data_files/passwd.psk" 675 676 M_CLIENT_ARGS="$M_CLIENT_ARGS psk=6162636465666768696a6b6c6d6e6f70 crt_file=none key_file=none" 677 O_CLIENT_ARGS="$O_CLIENT_ARGS -psk 6162636465666768696a6b6c6d6e6f70" 678 G_CLIENT_ARGS="$G_CLIENT_ARGS --pskusername Client_identity --pskkey=6162636465666768696a6b6c6d6e6f70" 679 ;; 680 esac 681} 682 683# is_mbedtls <cmd_line> 684is_mbedtls() { 685 case $1 in 686 *ssl_client2*) true;; 687 *ssl_server2*) true;; 688 *) false;; 689 esac 690} 691 692# has_mem_err <log_file_name> 693has_mem_err() { 694 if ( grep -F 'All heap blocks were freed -- no leaks are possible' "$1" && 695 grep -F 'ERROR SUMMARY: 0 errors from 0 contexts' "$1" ) > /dev/null 696 then 697 return 1 # false: does not have errors 698 else 699 return 0 # true: has errors 700 fi 701} 702 703# Wait for process $2 to be listening on port $1 704if type lsof >/dev/null 2>/dev/null; then 705 wait_server_start() { 706 START_TIME=$(date +%s) 707 if is_dtls "$MODE"; then 708 proto=UDP 709 else 710 proto=TCP 711 fi 712 while ! lsof -a -n -b -i "$proto:$1" -p "$2" >/dev/null 2>/dev/null; do 713 if [ $(( $(date +%s) - $START_TIME )) -gt $DOG_DELAY ]; then 714 echo "SERVERSTART TIMEOUT" 715 echo "SERVERSTART TIMEOUT" >> $SRV_OUT 716 break 717 fi 718 # Linux and *BSD support decimal arguments to sleep. On other 719 # OSes this may be a tight loop. 720 sleep 0.1 2>/dev/null || true 721 done 722 } 723else 724 echo "Warning: lsof not available, wait_server_start = sleep" 725 wait_server_start() { 726 sleep 2 727 } 728fi 729 730 731# start_server <name> 732# also saves name and command 733start_server() { 734 case $1 in 735 [Oo]pen*) 736 SERVER_CMD="$OPENSSL s_server $O_SERVER_ARGS" 737 ;; 738 [Gg]nu*) 739 SERVER_CMD="$GNUTLS_SERV $G_SERVER_ARGS --priority $G_SERVER_PRIO" 740 ;; 741 mbed*) 742 SERVER_CMD="$M_SRV $M_SERVER_ARGS" 743 if [ "$MEMCHECK" -gt 0 ]; then 744 SERVER_CMD="valgrind --leak-check=full $SERVER_CMD" 745 fi 746 ;; 747 *) 748 echo "error: invalid server name: $1" >&2 749 exit 1 750 ;; 751 esac 752 SERVER_NAME=$1 753 754 log "$SERVER_CMD" 755 echo "$SERVER_CMD" > $SRV_OUT 756 # for servers without -www or equivalent 757 while :; do echo bla; sleep 1; done | $SERVER_CMD >> $SRV_OUT 2>&1 & 758 SRV_PID=$! 759 760 wait_server_start "$PORT" "$SRV_PID" 761} 762 763# terminate the running server 764stop_server() { 765 # For Ubuntu 22.04, `Terminated` message is outputed by wait command. 766 # To remove it from stdout, redirect stdout/stderr to SRV_OUT 767 kill $SRV_PID >/dev/null 2>&1 768 wait $SRV_PID >> $SRV_OUT 2>&1 769 770 if [ "$MEMCHECK" -gt 0 ]; then 771 if is_mbedtls "$SERVER_CMD" && has_mem_err $SRV_OUT; then 772 echo " ! Server had memory errors" 773 SRVMEM=$(( $SRVMEM + 1 )) 774 return 775 fi 776 fi 777 778 rm -f $SRV_OUT 779} 780 781# kill the running server (used when killed by signal) 782cleanup() { 783 rm -f $SRV_OUT $CLI_OUT 784 kill $SRV_PID >/dev/null 2>&1 785 kill $WATCHDOG_PID >/dev/null 2>&1 786 exit 1 787} 788 789# wait for client to terminate and set EXIT 790# must be called right after starting the client 791wait_client_done() { 792 CLI_PID=$! 793 794 ( sleep "$DOG_DELAY"; echo "TIMEOUT" >> $CLI_OUT; kill $CLI_PID ) & 795 WATCHDOG_PID=$! 796 797 # For Ubuntu 22.04, `Terminated` message is outputed by wait command. 798 # To remove it from stdout, redirect stdout/stderr to CLI_OUT 799 wait $CLI_PID >> $CLI_OUT 2>&1 800 EXIT=$? 801 802 kill $WATCHDOG_PID >/dev/null 2>&1 803 wait $WATCHDOG_PID >> $CLI_OUT 2>&1 804 805 echo "EXIT: $EXIT" >> $CLI_OUT 806} 807 808# run_client PROGRAM_NAME STANDARD_CIPHER_SUITE PROGRAM_CIPHER_SUITE 809run_client() { 810 # announce what we're going to do 811 TESTS=$(( $TESTS + 1 )) 812 TITLE="${1%"${1#?}"}->${SERVER_NAME%"${SERVER_NAME#?}"}" 813 TITLE="$TITLE $MODE,$VERIF $2" 814 DOTS72="........................................................................" 815 printf "%s %.*s " "$TITLE" "$((71 - ${#TITLE}))" "$DOTS72" 816 817 # should we skip? 818 if [ "X$SKIP_NEXT" = "XYES" ]; then 819 SKIP_NEXT="NO" 820 echo "SKIP" 821 SKIPPED=$(( $SKIPPED + 1 )) 822 return 823 fi 824 825 # run the command and interpret result 826 case $1 in 827 [Oo]pen*) 828 CLIENT_CMD="$OPENSSL s_client $O_CLIENT_ARGS -cipher $3" 829 log "$CLIENT_CMD" 830 echo "$CLIENT_CMD" > $CLI_OUT 831 printf 'GET HTTP/1.0\r\n\r\n' | $CLIENT_CMD >> $CLI_OUT 2>&1 & 832 wait_client_done 833 834 if [ $EXIT -eq 0 ]; then 835 RESULT=0 836 else 837 # If it is NULL cipher ... 838 if grep 'Cipher is (NONE)' $CLI_OUT >/dev/null; then 839 RESULT=1 840 else 841 RESULT=2 842 fi 843 fi 844 ;; 845 846 [Gg]nu*) 847 # need to force IPv4 with UDP, but keep localhost for auth 848 if is_dtls "$MODE"; then 849 G_HOST="127.0.0.1" 850 else 851 G_HOST="localhost" 852 fi 853 CLIENT_CMD="$GNUTLS_CLI $G_CLIENT_ARGS --priority $G_PRIO_MODE:$3 $G_HOST" 854 log "$CLIENT_CMD" 855 echo "$CLIENT_CMD" > $CLI_OUT 856 printf 'GET HTTP/1.0\r\n\r\n' | $CLIENT_CMD >> $CLI_OUT 2>&1 & 857 wait_client_done 858 859 if [ $EXIT -eq 0 ]; then 860 RESULT=0 861 else 862 RESULT=2 863 # interpret early failure, with a handshake_failure alert 864 # before the server hello, as "no ciphersuite in common" 865 if grep -F 'Received alert [40]: Handshake failed' $CLI_OUT; then 866 if grep -i 'SERVER HELLO .* was received' $CLI_OUT; then : 867 else 868 RESULT=1 869 fi 870 fi >/dev/null 871 fi 872 ;; 873 874 mbed*) 875 CLIENT_CMD="$M_CLI $M_CLIENT_ARGS force_ciphersuite=$3" 876 if [ "$MEMCHECK" -gt 0 ]; then 877 CLIENT_CMD="valgrind --leak-check=full $CLIENT_CMD" 878 fi 879 log "$CLIENT_CMD" 880 echo "$CLIENT_CMD" > $CLI_OUT 881 $CLIENT_CMD >> $CLI_OUT 2>&1 & 882 wait_client_done 883 884 case $EXIT in 885 # Success 886 "0") RESULT=0 ;; 887 888 # Ciphersuite not supported 889 "2") RESULT=1 ;; 890 891 # Error 892 *) RESULT=2 ;; 893 esac 894 895 if [ "$MEMCHECK" -gt 0 ]; then 896 if is_mbedtls "$CLIENT_CMD" && has_mem_err $CLI_OUT; then 897 RESULT=2 898 fi 899 fi 900 901 ;; 902 903 *) 904 echo "error: invalid client name: $1" >&2 905 exit 1 906 ;; 907 esac 908 909 echo "EXIT: $EXIT" >> $CLI_OUT 910 911 # report and count result 912 case $RESULT in 913 "0") 914 echo PASS 915 ;; 916 "1") 917 echo SKIP 918 SKIPPED=$(( $SKIPPED + 1 )) 919 ;; 920 "2") 921 echo FAIL 922 cp $SRV_OUT c-srv-${TESTS}.log 923 cp $CLI_OUT c-cli-${TESTS}.log 924 echo " ! outputs saved to c-srv-${TESTS}.log, c-cli-${TESTS}.log" 925 926 if [ "${LOG_FAILURE_ON_STDOUT:-0}" != 0 ]; then 927 echo " ! server output:" 928 cat c-srv-${TESTS}.log 929 echo " ! ===================================================" 930 echo " ! client output:" 931 cat c-cli-${TESTS}.log 932 fi 933 934 FAILED=$(( $FAILED + 1 )) 935 ;; 936 esac 937 938 rm -f $CLI_OUT 939} 940 941# 942# MAIN 943# 944 945if cd $( dirname $0 ); then :; else 946 echo "cd $( dirname $0 ) failed" >&2 947 exit 1 948fi 949 950get_options "$@" 951 952# sanity checks, avoid an avalanche of errors 953if [ ! -x "$M_SRV" ]; then 954 echo "Command '$M_SRV' is not an executable file" >&2 955 exit 1 956fi 957if [ ! -x "$M_CLI" ]; then 958 echo "Command '$M_CLI' is not an executable file" >&2 959 exit 1 960fi 961 962if echo "$PEERS" | grep -i openssl > /dev/null; then 963 if which "$OPENSSL" >/dev/null 2>&1; then :; else 964 echo "Command '$OPENSSL' not found" >&2 965 exit 1 966 fi 967fi 968 969if echo "$PEERS" | grep -i gnutls > /dev/null; then 970 for CMD in "$GNUTLS_CLI" "$GNUTLS_SERV"; do 971 if which "$CMD" >/dev/null 2>&1; then :; else 972 echo "Command '$CMD' not found" >&2 973 exit 1 974 fi 975 done 976fi 977 978for PEER in $PEERS; do 979 case "$PEER" in 980 mbed*|[Oo]pen*|[Gg]nu*) 981 ;; 982 *) 983 echo "Unknown peers: $PEER" >&2 984 exit 1 985 esac 986done 987 988# Pick a "unique" port in the range 10000-19999. 989PORT="0000$$" 990PORT="1$(echo $PORT | tail -c 5)" 991 992# Also pick a unique name for intermediate files 993SRV_OUT="srv_out.$$" 994CLI_OUT="cli_out.$$" 995 996# client timeout delay: be more patient with valgrind 997if [ "$MEMCHECK" -gt 0 ]; then 998 DOG_DELAY=30 999else 1000 DOG_DELAY=10 1001fi 1002 1003SKIP_NEXT="NO" 1004 1005trap cleanup INT TERM HUP 1006 1007for MODE in $MODES; do 1008 for TYPE in $TYPES; do 1009 1010 # PSK cipher suites do not allow client certificate verification. 1011 # This means PSK test cases with VERIFY=YES should be replaced by 1012 # VERIFY=NO or be ignored. SUB_VERIFIES variable is used to constrain 1013 # verification option for PSK test cases. 1014 SUB_VERIFIES=$VERIFIES 1015 if [ "$TYPE" = "PSK" ]; then 1016 SUB_VERIFIES="NO" 1017 fi 1018 1019 for VERIFY in $SUB_VERIFIES; do 1020 VERIF=$(echo $VERIFY | tr '[:upper:]' '[:lower:]') 1021 for PEER in $PEERS; do 1022 1023 setup_arguments 1024 1025 case "$PEER" in 1026 1027 [Oo]pen*) 1028 1029 if test "$OSSL_NO_DTLS" -gt 0 && is_dtls "$MODE"; then 1030 continue; 1031 fi 1032 1033 # OpenSSL <1.0.2 doesn't support DTLS 1.2. Check if OpenSSL 1034 # supports $O_MODE from the s_server help. (The s_client 1035 # help isn't accurate as of 1.0.2g: it supports DTLS 1.2 1036 # but doesn't list it. But the s_server help seems to be 1037 # accurate.) 1038 if ! $OPENSSL s_server -help 2>&1 | grep -q "^ *-$O_MODE "; then 1039 continue; 1040 fi 1041 1042 reset_ciphersuites 1043 add_common_ciphersuites 1044 add_openssl_ciphersuites 1045 filter_ciphersuites 1046 1047 if [ "X" != "X$M_CIPHERS" ]; then 1048 start_server "OpenSSL" 1049 translate_ciphers m $M_CIPHERS 1050 for i in $ciphers; do 1051 o_check_ciphersuite "${i%%=*}" 1052 run_client mbedTLS ${i%%=*} ${i#*=} 1053 done 1054 stop_server 1055 fi 1056 1057 if [ "X" != "X$O_CIPHERS" ]; then 1058 start_server "mbedTLS" 1059 translate_ciphers o $O_CIPHERS 1060 for i in $ciphers; do 1061 o_check_ciphersuite "${i%%=*}" 1062 run_client OpenSSL ${i%%=*} ${i#*=} 1063 done 1064 stop_server 1065 fi 1066 1067 ;; 1068 1069 [Gg]nu*) 1070 1071 reset_ciphersuites 1072 add_common_ciphersuites 1073 add_gnutls_ciphersuites 1074 filter_ciphersuites 1075 1076 if [ "X" != "X$M_CIPHERS" ]; then 1077 start_server "GnuTLS" 1078 translate_ciphers m $M_CIPHERS 1079 for i in $ciphers; do 1080 run_client mbedTLS ${i%%=*} ${i#*=} 1081 done 1082 stop_server 1083 fi 1084 1085 if [ "X" != "X$G_CIPHERS" ]; then 1086 start_server "mbedTLS" 1087 translate_ciphers g $G_CIPHERS 1088 for i in $ciphers; do 1089 run_client GnuTLS ${i%%=*} ${i#*=} 1090 done 1091 stop_server 1092 fi 1093 1094 ;; 1095 1096 mbed*) 1097 1098 reset_ciphersuites 1099 add_common_ciphersuites 1100 add_openssl_ciphersuites 1101 add_gnutls_ciphersuites 1102 add_mbedtls_ciphersuites 1103 filter_ciphersuites 1104 1105 if [ "X" != "X$M_CIPHERS" ]; then 1106 start_server "mbedTLS" 1107 translate_ciphers m $M_CIPHERS 1108 for i in $ciphers; do 1109 run_client mbedTLS ${i%%=*} ${i#*=} 1110 done 1111 stop_server 1112 fi 1113 1114 ;; 1115 1116 *) 1117 echo "Unknown peer: $PEER" >&2 1118 exit 1 1119 ;; 1120 1121 esac 1122 1123 done 1124 done 1125 done 1126done 1127 1128echo "------------------------------------------------------------------------" 1129 1130if [ $FAILED -ne 0 -o $SRVMEM -ne 0 ]; then 1131 printf "FAILED" 1132else 1133 printf "PASSED" 1134fi 1135 1136if [ "$MEMCHECK" -gt 0 ]; then 1137 MEMREPORT=", $SRVMEM server memory errors" 1138else 1139 MEMREPORT="" 1140fi 1141 1142PASSED=$(( $TESTS - $FAILED )) 1143echo " ($PASSED / $TESTS tests ($SKIPPED skipped$MEMREPORT))" 1144 1145FAILED=$(( $FAILED + $SRVMEM )) 1146if [ $FAILED -gt 255 ]; then 1147 # Clamp at 255 as caller gets exit code & 0xFF 1148 # (so 256 would be 0, or success, etc) 1149 FAILED=255 1150fi 1151exit $FAILED 1152
