1#!/bin/sh 2 3# compat.sh 4# 5# Copyright The Mbed TLS Contributors 6# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 7# 8# Purpose 9# 10# Test interoperbility with OpenSSL, GnuTLS as well as itself. 11# 12# Check each common ciphersuite, with each version, both ways (client/server), 13# with and without client authentication. 14 15set -u 16 17# Limit the size of each log to 10 GiB, in case of failures with this script 18# where it may output seemingly unlimited length error logs. 19ulimit -f 20971520 20 21ORIGINAL_PWD=$PWD 22if ! cd "$(dirname "$0")"; then 23 exit 125 24fi 25 26# initialise counters 27TESTS=0 28FAILED=0 29SKIPPED=0 30SRVMEM=0 31 32# default commands, can be overridden by the environment 33: ${M_SRV:=../programs/ssl/ssl_server2} 34: ${M_CLI:=../programs/ssl/ssl_client2} 35: ${OPENSSL:=openssl} 36: ${GNUTLS_CLI:=gnutls-cli} 37: ${GNUTLS_SERV:=gnutls-serv} 38 39# The OPENSSL variable used to be OPENSSL_CMD for historical reasons. 40# To help the migration, error out if the old variable is set, 41# but only if it has a different value than the new one. 42if [ "${OPENSSL_CMD+set}" = set ]; then 43 # the variable is set, we can now check its value 44 if [ "$OPENSSL_CMD" != "$OPENSSL" ]; then 45 echo "Please use OPENSSL instead of OPENSSL_CMD." >&2 46 exit 125 47 fi 48fi 49 50# do we have a recent enough GnuTLS? 51if ( which $GNUTLS_CLI && which $GNUTLS_SERV ) >/dev/null 2>&1; then 52 G_VER="$( $GNUTLS_CLI --version | head -n1 )" 53 if echo "$G_VER" | grep '@VERSION@' > /dev/null; then # git version 54 PEER_GNUTLS=" GnuTLS" 55 else 56 eval $( echo $G_VER | sed 's/.* \([0-9]*\)\.\([0-9]\)*\.\([0-9]*\)$/MAJOR="\1" MINOR="\2" PATCH="\3"/' ) 57 if [ $MAJOR -lt 3 -o \ 58 \( $MAJOR -eq 3 -a $MINOR -lt 2 \) -o \ 59 \( $MAJOR -eq 3 -a $MINOR -eq 2 -a $PATCH -lt 15 \) ] 60 then 61 PEER_GNUTLS="" 62 else 63 PEER_GNUTLS=" GnuTLS" 64 if [ $MINOR -lt 4 ]; then 65 GNUTLS_MINOR_LT_FOUR='x' 66 fi 67 fi 68 fi 69else 70 PEER_GNUTLS="" 71fi 72 73guess_config_name() { 74 if git diff --quiet ../include/mbedtls/mbedtls_config.h 2>/dev/null; then 75 echo "default" 76 else 77 echo "unknown" 78 fi 79} 80: ${MBEDTLS_TEST_OUTCOME_FILE=} 81: ${MBEDTLS_TEST_CONFIGURATION:="$(guess_config_name)"} 82: ${MBEDTLS_TEST_PLATFORM:="$(uname -s | tr -c \\n0-9A-Za-z _)-$(uname -m | tr -c \\n0-9A-Za-z _)"} 83 84# default values for options 85# /!\ keep this synchronised with: 86# - basic-build-test.sh 87# - all.sh (multiple components) 88MODES="tls12 dtls12" 89VERIFIES="NO YES" 90TYPES="ECDSA RSA PSK" 91FILTER="" 92# By default, exclude: 93# - NULL: excluded from our default config + requires OpenSSL legacy 94# - ARIA: requires OpenSSL >= 1.1.1 95# - ChachaPoly: requires OpenSSL >= 1.1.0 96EXCLUDE='NULL\|ARIA\|CHACHA20_POLY1305' 97VERBOSE="" 98MEMCHECK=0 99PEERS="OpenSSL$PEER_GNUTLS mbedTLS" 100 101# hidden option: skip DTLS with OpenSSL 102# (travis CI has a version that doesn't work for us) 103: ${OSSL_NO_DTLS:=0} 104 105print_usage() { 106 echo "Usage: $0" 107 printf " -h|--help\tPrint this help.\n" 108 printf " -f|--filter\tOnly matching ciphersuites are tested (Default: '%s')\n" "$FILTER" 109 printf " -e|--exclude\tMatching ciphersuites are excluded (Default: '%s')\n" "$EXCLUDE" 110 printf " -m|--modes\tWhich modes to perform (Default: '%s')\n" "$MODES" 111 printf " -t|--types\tWhich key exchange type to perform (Default: '%s')\n" "$TYPES" 112 printf " -V|--verify\tWhich verification modes to perform (Default: '%s')\n" "$VERIFIES" 113 printf " -p|--peers\tWhich peers to use (Default: '%s')\n" "$PEERS" 114 printf " \tAlso available: GnuTLS (needs v3.2.15 or higher)\n" 115 printf " -M|--memcheck\tCheck memory leaks and errors.\n" 116 printf " -v|--verbose\tSet verbose output.\n" 117 printf " --list-test-case\tList all potential test cases (No Execution)\n" 118 printf " --outcome-file\tFile where test outcomes are written\n" 119 printf " \t(default: \$MBEDTLS_TEST_OUTCOME_FILE, none if empty)\n" 120} 121 122# print_test_case <CLIENT> <SERVER> <STANDARD_CIPHER_SUITE> 123print_test_case() { 124 for i in $3; do 125 uniform_title $1 $2 $i 126 echo $TITLE 127 done 128} 129 130# list_test_case lists all potential test cases in compat.sh without execution 131list_test_case() { 132 reset_ciphersuites 133 for TYPE in $TYPES; do 134 add_common_ciphersuites 135 add_openssl_ciphersuites 136 add_gnutls_ciphersuites 137 add_mbedtls_ciphersuites 138 done 139 140 for VERIFY in $VERIFIES; do 141 VERIF=$(echo $VERIFY | tr '[:upper:]' '[:lower:]') 142 for MODE in $MODES; do 143 print_test_case m O "$O_CIPHERS" 144 print_test_case O m "$O_CIPHERS" 145 print_test_case m G "$G_CIPHERS" 146 print_test_case G m "$G_CIPHERS" 147 print_test_case m m "$M_CIPHERS" 148 done 149 done 150} 151 152get_options() { 153 while [ $# -gt 0 ]; do 154 case "$1" in 155 -f|--filter) 156 shift; FILTER=$1 157 ;; 158 -e|--exclude) 159 shift; EXCLUDE=$1 160 ;; 161 -m|--modes) 162 shift; MODES=$1 163 ;; 164 -t|--types) 165 shift; TYPES=$1 166 ;; 167 -V|--verify) 168 shift; VERIFIES=$1 169 ;; 170 -p|--peers) 171 shift; PEERS=$1 172 ;; 173 -v|--verbose) 174 VERBOSE=1 175 ;; 176 -M|--memcheck) 177 MEMCHECK=1 178 ;; 179 # Please check scripts/check_test_cases.py correspondingly 180 # if you have to modify option, --list-test-case 181 --list-test-case) 182 list_test_case 183 exit $? 184 ;; 185 --outcome-file) 186 shift; MBEDTLS_TEST_OUTCOME_FILE=$1 187 ;; 188 -h|--help) 189 print_usage 190 exit 0 191 ;; 192 *) 193 echo "Unknown argument: '$1'" 194 print_usage 195 exit 1 196 ;; 197 esac 198 shift 199 done 200 201 # sanitize some options (modes checked later) 202 VERIFIES="$( echo $VERIFIES | tr [a-z] [A-Z] )" 203 TYPES="$( echo $TYPES | tr [a-z] [A-Z] )" 204} 205 206log() { 207 if [ "X" != "X$VERBOSE" ]; then 208 echo "" 209 echo "$@" 210 fi 211} 212 213# is_dtls <mode> 214is_dtls() 215{ 216 test "$1" = "dtls12" 217} 218 219# minor_ver <mode> 220minor_ver() 221{ 222 case "$1" in 223 tls12|dtls12) 224 echo 3 225 ;; 226 *) 227 echo "error: invalid mode: $MODE" >&2 228 # exiting is no good here, typically called in a subshell 229 echo -1 230 esac 231} 232 233filter() 234{ 235 LIST="$1" 236 NEW_LIST="" 237 238 EXCLMODE="$EXCLUDE" 239 240 for i in $LIST; 241 do 242 NEW_LIST="$NEW_LIST $( echo "$i" | grep "$FILTER" | grep -v "$EXCLMODE" )" 243 done 244 245 # normalize whitespace 246 echo "$NEW_LIST" | sed -e 's/[[:space:]][[:space:]]*/ /g' -e 's/^ //' -e 's/ $//' 247} 248 249filter_ciphersuites() 250{ 251 if [ "X" != "X$FILTER" -o "X" != "X$EXCLUDE" ]; 252 then 253 # Ciphersuite for Mbed TLS 254 M_CIPHERS=$( filter "$M_CIPHERS" ) 255 256 # Ciphersuite for OpenSSL 257 O_CIPHERS=$( filter "$O_CIPHERS" ) 258 259 # Ciphersuite for GnuTLS 260 G_CIPHERS=$( filter "$G_CIPHERS" ) 261 fi 262 263 # For GnuTLS client -> Mbed TLS server, 264 # we need to force IPv4 by connecting to 127.0.0.1 but then auth fails 265 if is_dtls "$MODE" && [ "X$VERIFY" = "XYES" ]; then 266 G_CIPHERS="" 267 fi 268} 269 270reset_ciphersuites() 271{ 272 M_CIPHERS="" 273 O_CIPHERS="" 274 G_CIPHERS="" 275} 276 277# translate_ciphers {g|m|o} {STANDARD_CIPHER_SUITE_NAME...} 278# Set $ciphers to the cipher suite name translations for the specified 279# program (gnutls, mbedtls or openssl). $ciphers is a space-separated 280# list of entries of the form "STANDARD_NAME=PROGRAM_NAME". 281translate_ciphers() 282{ 283 ciphers=$(scripts/translate_ciphers.py "$@") 284 if [ $? -ne 0 ]; then 285 echo "translate_ciphers.py failed with exit code $1" >&2 286 echo "$2" >&2 287 exit 1 288 fi 289} 290 291# Ciphersuites that can be used with all peers. 292# Since we currently have three possible peers, each ciphersuite should appear 293# three times: in each peer's list (with the name that this peer uses). 294add_common_ciphersuites() 295{ 296 CIPHERS="" 297 case $TYPE in 298 299 "ECDSA") 300 CIPHERS="$CIPHERS \ 301 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA \ 302 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 \ 303 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 \ 304 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA \ 305 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 \ 306 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 \ 307 TLS_ECDHE_ECDSA_WITH_NULL_SHA \ 308 " 309 ;; 310 311 "RSA") 312 CIPHERS="$CIPHERS \ 313 TLS_DHE_RSA_WITH_AES_128_CBC_SHA \ 314 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 \ 315 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 \ 316 TLS_DHE_RSA_WITH_AES_256_CBC_SHA \ 317 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 \ 318 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 \ 319 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA \ 320 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA \ 321 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA \ 322 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 \ 323 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 \ 324 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA \ 325 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 \ 326 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 \ 327 TLS_ECDHE_RSA_WITH_NULL_SHA \ 328 TLS_RSA_WITH_AES_128_CBC_SHA \ 329 TLS_RSA_WITH_AES_128_CBC_SHA256 \ 330 TLS_RSA_WITH_AES_128_GCM_SHA256 \ 331 TLS_RSA_WITH_AES_256_CBC_SHA \ 332 TLS_RSA_WITH_AES_256_CBC_SHA256 \ 333 TLS_RSA_WITH_AES_256_GCM_SHA384 \ 334 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA \ 335 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA \ 336 TLS_RSA_WITH_NULL_MD5 \ 337 TLS_RSA_WITH_NULL_SHA \ 338 TLS_RSA_WITH_NULL_SHA256 \ 339 " 340 ;; 341 342 "PSK") 343 CIPHERS="$CIPHERS \ 344 TLS_PSK_WITH_AES_128_CBC_SHA \ 345 TLS_PSK_WITH_AES_256_CBC_SHA \ 346 " 347 ;; 348 esac 349 350 O_CIPHERS="$O_CIPHERS $CIPHERS" 351 G_CIPHERS="$G_CIPHERS $CIPHERS" 352 M_CIPHERS="$M_CIPHERS $CIPHERS" 353} 354 355# Ciphersuites usable only with Mbed TLS and OpenSSL 356# A list of ciphersuites in the standard naming convention is appended 357# to the list of Mbed TLS ciphersuites $M_CIPHERS and 358# to the list of OpenSSL ciphersuites $O_CIPHERS respectively. 359# Based on client's naming convention, all ciphersuite names will be 360# translated into another naming format before sent to the client. 361# 362# NOTE: for some reason RSA-PSK doesn't work with OpenSSL, 363# so RSA-PSK ciphersuites need to go in other sections, see 364# https://github.com/Mbed-TLS/mbedtls/issues/1419 365# 366# ChachaPoly suites are here rather than in "common", as they were added in 367# GnuTLS in 3.5.0 and the CI only has 3.4.x so far. 368add_openssl_ciphersuites() 369{ 370 CIPHERS="" 371 case $TYPE in 372 373 "ECDSA") 374 CIPHERS="$CIPHERS \ 375 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA \ 376 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 \ 377 TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 \ 378 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA \ 379 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 \ 380 TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 \ 381 TLS_ECDH_ECDSA_WITH_NULL_SHA \ 382 TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 \ 383 TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 \ 384 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 \ 385 " 386 ;; 387 388 "RSA") 389 CIPHERS="$CIPHERS \ 390 TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 \ 391 TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 \ 392 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 \ 393 TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 \ 394 TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 \ 395 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 \ 396 TLS_RSA_WITH_ARIA_128_GCM_SHA256 \ 397 TLS_RSA_WITH_ARIA_256_GCM_SHA384 \ 398 " 399 ;; 400 401 "PSK") 402 CIPHERS="$CIPHERS \ 403 TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256 \ 404 TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384 \ 405 TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 \ 406 TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 \ 407 TLS_PSK_WITH_ARIA_128_GCM_SHA256 \ 408 TLS_PSK_WITH_ARIA_256_GCM_SHA384 \ 409 TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 \ 410 " 411 ;; 412 esac 413 414 O_CIPHERS="$O_CIPHERS $CIPHERS" 415 M_CIPHERS="$M_CIPHERS $CIPHERS" 416} 417 418# Ciphersuites usable only with Mbed TLS and GnuTLS 419# A list of ciphersuites in the standard naming convention is appended 420# to the list of Mbed TLS ciphersuites $M_CIPHERS and 421# to the list of GnuTLS ciphersuites $G_CIPHERS respectively. 422# Based on client's naming convention, all ciphersuite names will be 423# translated into another naming format before sent to the client. 424add_gnutls_ciphersuites() 425{ 426 CIPHERS="" 427 case $TYPE in 428 429 "ECDSA") 430 CIPHERS="$CIPHERS \ 431 TLS_ECDHE_ECDSA_WITH_AES_128_CCM \ 432 TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 \ 433 TLS_ECDHE_ECDSA_WITH_AES_256_CCM \ 434 TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 \ 435 TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 \ 436 TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 \ 437 TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 \ 438 TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 \ 439 " 440 ;; 441 442 "RSA") 443 CIPHERS="$CIPHERS \ 444 TLS_DHE_RSA_WITH_AES_128_CCM \ 445 TLS_DHE_RSA_WITH_AES_128_CCM_8 \ 446 TLS_DHE_RSA_WITH_AES_256_CCM \ 447 TLS_DHE_RSA_WITH_AES_256_CCM_8 \ 448 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 \ 449 TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 \ 450 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 \ 451 TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 \ 452 TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 \ 453 TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 \ 454 TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 \ 455 TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 \ 456 TLS_RSA_WITH_AES_128_CCM \ 457 TLS_RSA_WITH_AES_128_CCM_8 \ 458 TLS_RSA_WITH_AES_256_CCM \ 459 TLS_RSA_WITH_AES_256_CCM_8 \ 460 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 \ 461 TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 \ 462 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 \ 463 TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 \ 464 " 465 ;; 466 467 "PSK") 468 CIPHERS="$CIPHERS \ 469 TLS_DHE_PSK_WITH_AES_128_CBC_SHA \ 470 TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 \ 471 TLS_DHE_PSK_WITH_AES_128_CCM \ 472 TLS_DHE_PSK_WITH_AES_128_CCM_8 \ 473 TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 \ 474 TLS_DHE_PSK_WITH_AES_256_CBC_SHA \ 475 TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 \ 476 TLS_DHE_PSK_WITH_AES_256_CCM \ 477 TLS_DHE_PSK_WITH_AES_256_CCM_8 \ 478 TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 \ 479 TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 \ 480 TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 \ 481 TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 \ 482 TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 \ 483 TLS_DHE_PSK_WITH_NULL_SHA256 \ 484 TLS_DHE_PSK_WITH_NULL_SHA384 \ 485 TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA \ 486 TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 \ 487 TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA \ 488 TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 \ 489 TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 \ 490 TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 \ 491 TLS_ECDHE_PSK_WITH_NULL_SHA256 \ 492 TLS_ECDHE_PSK_WITH_NULL_SHA384 \ 493 TLS_PSK_WITH_AES_128_CBC_SHA256 \ 494 TLS_PSK_WITH_AES_128_CCM \ 495 TLS_PSK_WITH_AES_128_CCM_8 \ 496 TLS_PSK_WITH_AES_128_GCM_SHA256 \ 497 TLS_PSK_WITH_AES_256_CBC_SHA384 \ 498 TLS_PSK_WITH_AES_256_CCM \ 499 TLS_PSK_WITH_AES_256_CCM_8 \ 500 TLS_PSK_WITH_AES_256_GCM_SHA384 \ 501 TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 \ 502 TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 \ 503 TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 \ 504 TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 \ 505 TLS_PSK_WITH_NULL_SHA256 \ 506 TLS_PSK_WITH_NULL_SHA384 \ 507 TLS_RSA_PSK_WITH_AES_128_CBC_SHA \ 508 TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 \ 509 TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 \ 510 TLS_RSA_PSK_WITH_AES_256_CBC_SHA \ 511 TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 \ 512 TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 \ 513 TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 \ 514 TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 \ 515 TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 \ 516 TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 \ 517 TLS_RSA_PSK_WITH_NULL_SHA256 \ 518 TLS_RSA_PSK_WITH_NULL_SHA384 \ 519 " 520 ;; 521 esac 522 523 G_CIPHERS="$G_CIPHERS $CIPHERS" 524 M_CIPHERS="$M_CIPHERS $CIPHERS" 525} 526 527# Ciphersuites usable only with Mbed TLS (not currently supported by another 528# peer usable in this script). This provides only very rudimentaty testing, as 529# this is not interop testing, but it's better than nothing. 530add_mbedtls_ciphersuites() 531{ 532 case $TYPE in 533 534 "ECDSA") 535 M_CIPHERS="$M_CIPHERS \ 536 TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256 \ 537 TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256 \ 538 TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384 \ 539 TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384 \ 540 TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 \ 541 TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 \ 542 TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 \ 543 TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 \ 544 TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 \ 545 TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 \ 546 " 547 ;; 548 549 "RSA") 550 M_CIPHERS="$M_CIPHERS \ 551 TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256 \ 552 TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384 \ 553 TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 \ 554 TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 \ 555 TLS_RSA_WITH_ARIA_128_CBC_SHA256 \ 556 TLS_RSA_WITH_ARIA_256_CBC_SHA384 \ 557 " 558 ;; 559 560 "PSK") 561 # *PSK_NULL_SHA suites supported by GnuTLS 3.3.5 but not 3.2.15 562 M_CIPHERS="$M_CIPHERS \ 563 TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256 \ 564 TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384 \ 565 TLS_DHE_PSK_WITH_NULL_SHA \ 566 TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256 \ 567 TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384 \ 568 TLS_ECDHE_PSK_WITH_NULL_SHA \ 569 TLS_PSK_WITH_ARIA_128_CBC_SHA256 \ 570 TLS_PSK_WITH_ARIA_256_CBC_SHA384 \ 571 TLS_PSK_WITH_NULL_SHA \ 572 TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256 \ 573 TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256 \ 574 TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384 \ 575 TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384 \ 576 TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 \ 577 TLS_RSA_PSK_WITH_NULL_SHA \ 578 " 579 ;; 580 esac 581} 582 583# o_check_ciphersuite STANDARD_CIPHER_SUITE 584o_check_ciphersuite() 585{ 586 if [ "${O_SUPPORT_ECDH}" = "NO" ]; then 587 case "$1" in 588 *ECDH_*) SKIP_NEXT="YES" 589 esac 590 fi 591} 592 593setup_arguments() 594{ 595 O_MODE="" 596 G_MODE="" 597 case "$MODE" in 598 "tls12") 599 O_MODE="tls1_2" 600 G_PRIO_MODE="+VERS-TLS1.2" 601 ;; 602 "dtls12") 603 O_MODE="dtls1_2" 604 G_PRIO_MODE="+VERS-DTLS1.2" 605 G_MODE="-u" 606 ;; 607 *) 608 echo "error: invalid mode: $MODE" >&2 609 exit 1; 610 esac 611 612 # GnuTLS < 3.4 will choke if we try to allow CCM-8 613 if [ -z "${GNUTLS_MINOR_LT_FOUR-}" ]; then 614 G_PRIO_CCM="+AES-256-CCM-8:+AES-128-CCM-8:" 615 else 616 G_PRIO_CCM="" 617 fi 618 619 M_SERVER_ARGS="server_port=$PORT server_addr=0.0.0.0 force_version=$MODE" 620 O_SERVER_ARGS="-accept $PORT -cipher NULL,ALL -$O_MODE" 621 G_SERVER_ARGS="-p $PORT --http $G_MODE" 622 G_SERVER_PRIO="NORMAL:${G_PRIO_CCM}+NULL:+MD5:+PSK:+DHE-PSK:+ECDHE-PSK:+SHA256:+SHA384:+RSA-PSK:-VERS-TLS-ALL:$G_PRIO_MODE" 623 624 # The default prime for `openssl s_server` depends on the version: 625 # * OpenSSL <= 1.0.2a: 512-bit 626 # * OpenSSL 1.0.2b to 1.1.1b: 1024-bit 627 # * OpenSSL >= 1.1.1c: 2048-bit 628 # Mbed TLS wants >=1024, so force that for older versions. Don't force 629 # it for newer versions, which reject a 1024-bit prime. Indifferently 630 # force it or not for intermediate versions. 631 case $($OPENSSL version) in 632 "OpenSSL 1.0"*) 633 O_SERVER_ARGS="$O_SERVER_ARGS -dhparam data_files/dhparams.pem" 634 ;; 635 esac 636 637 # with OpenSSL 1.0.1h, -www, -WWW and -HTTP break DTLS handshakes 638 if is_dtls "$MODE"; then 639 O_SERVER_ARGS="$O_SERVER_ARGS" 640 else 641 O_SERVER_ARGS="$O_SERVER_ARGS -www" 642 fi 643 644 M_CLIENT_ARGS="server_port=$PORT server_addr=127.0.0.1 force_version=$MODE" 645 O_CLIENT_ARGS="-connect localhost:$PORT -$O_MODE" 646 G_CLIENT_ARGS="-p $PORT --debug 3 $G_MODE" 647 648 # Newer versions of OpenSSL have a syntax to enable all "ciphers", even 649 # low-security ones. This covers not just cipher suites but also protocol 650 # versions. It is necessary, for example, to use (D)TLS 1.0/1.1 on 651 # OpenSSL 1.1.1f from Ubuntu 20.04. The syntax was only introduced in 652 # OpenSSL 1.1.0 (21e0c1d23afff48601eb93135defddae51f7e2e3) and I can't find 653 # a way to discover it from -help, so check the openssl version. 654 case $($OPENSSL version) in 655 "OpenSSL 0"*|"OpenSSL 1.0"*) :;; 656 *) 657 O_CLIENT_ARGS="$O_CLIENT_ARGS -cipher ALL@SECLEVEL=0" 658 O_SERVER_ARGS="$O_SERVER_ARGS -cipher ALL@SECLEVEL=0" 659 ;; 660 esac 661 662 case $($OPENSSL ciphers ALL) in 663 *ECDH-ECDSA*|*ECDH-RSA*) O_SUPPORT_ECDH="YES";; 664 *) O_SUPPORT_ECDH="NO";; 665 esac 666 667 if [ "X$VERIFY" = "XYES" ]; 668 then 669 M_SERVER_ARGS="$M_SERVER_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required" 670 O_SERVER_ARGS="$O_SERVER_ARGS -CAfile data_files/test-ca_cat12.crt -Verify 10" 671 G_SERVER_ARGS="$G_SERVER_ARGS --x509cafile data_files/test-ca_cat12.crt --require-client-cert" 672 673 M_CLIENT_ARGS="$M_CLIENT_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required" 674 O_CLIENT_ARGS="$O_CLIENT_ARGS -CAfile data_files/test-ca_cat12.crt -verify 10" 675 G_CLIENT_ARGS="$G_CLIENT_ARGS --x509cafile data_files/test-ca_cat12.crt" 676 else 677 # don't request a client cert at all 678 M_SERVER_ARGS="$M_SERVER_ARGS ca_file=none auth_mode=none" 679 G_SERVER_ARGS="$G_SERVER_ARGS --disable-client-cert" 680 681 M_CLIENT_ARGS="$M_CLIENT_ARGS ca_file=none auth_mode=none" 682 O_CLIENT_ARGS="$O_CLIENT_ARGS" 683 G_CLIENT_ARGS="$G_CLIENT_ARGS --insecure" 684 fi 685 686 case $TYPE in 687 "ECDSA") 688 M_SERVER_ARGS="$M_SERVER_ARGS crt_file=data_files/server5.crt key_file=data_files/server5.key" 689 O_SERVER_ARGS="$O_SERVER_ARGS -cert data_files/server5.crt -key data_files/server5.key" 690 G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key" 691 692 if [ "X$VERIFY" = "XYES" ]; then 693 M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=data_files/server6.crt key_file=data_files/server6.key" 694 O_CLIENT_ARGS="$O_CLIENT_ARGS -cert data_files/server6.crt -key data_files/server6.key" 695 G_CLIENT_ARGS="$G_CLIENT_ARGS --x509certfile data_files/server6.crt --x509keyfile data_files/server6.key" 696 else 697 M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=none key_file=none" 698 fi 699 ;; 700 701 "RSA") 702 M_SERVER_ARGS="$M_SERVER_ARGS crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key" 703 O_SERVER_ARGS="$O_SERVER_ARGS -cert data_files/server2-sha256.crt -key data_files/server2.key" 704 G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key" 705 706 if [ "X$VERIFY" = "XYES" ]; then 707 M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=data_files/cert_sha256.crt key_file=data_files/server1.key" 708 O_CLIENT_ARGS="$O_CLIENT_ARGS -cert data_files/cert_sha256.crt -key data_files/server1.key" 709 G_CLIENT_ARGS="$G_CLIENT_ARGS --x509certfile data_files/cert_sha256.crt --x509keyfile data_files/server1.key" 710 else 711 M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=none key_file=none" 712 fi 713 ;; 714 715 "PSK") 716 # give RSA-PSK-capable server a RSA cert 717 # (should be a separate type, but harder to close with openssl) 718 M_SERVER_ARGS="$M_SERVER_ARGS psk=6162636465666768696a6b6c6d6e6f70 ca_file=none crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key" 719 O_SERVER_ARGS="$O_SERVER_ARGS -psk 6162636465666768696a6b6c6d6e6f70 -nocert" 720 G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --pskpasswd data_files/passwd.psk" 721 722 M_CLIENT_ARGS="$M_CLIENT_ARGS psk=6162636465666768696a6b6c6d6e6f70 crt_file=none key_file=none" 723 O_CLIENT_ARGS="$O_CLIENT_ARGS -psk 6162636465666768696a6b6c6d6e6f70" 724 G_CLIENT_ARGS="$G_CLIENT_ARGS --pskusername Client_identity --pskkey=6162636465666768696a6b6c6d6e6f70" 725 ;; 726 esac 727} 728 729# is_mbedtls <cmd_line> 730is_mbedtls() { 731 case $1 in 732 *ssl_client2*) true;; 733 *ssl_server2*) true;; 734 *) false;; 735 esac 736} 737 738# has_mem_err <log_file_name> 739has_mem_err() { 740 if ( grep -F 'All heap blocks were freed -- no leaks are possible' "$1" && 741 grep -F 'ERROR SUMMARY: 0 errors from 0 contexts' "$1" ) > /dev/null 742 then 743 return 1 # false: does not have errors 744 else 745 return 0 # true: has errors 746 fi 747} 748 749# Wait for process $2 to be listening on port $1 750if type lsof >/dev/null 2>/dev/null; then 751 wait_server_start() { 752 START_TIME=$(date +%s) 753 if is_dtls "$MODE"; then 754 proto=UDP 755 else 756 proto=TCP 757 fi 758 while ! lsof -a -n -b -i "$proto:$1" -p "$2" >/dev/null 2>/dev/null; do 759 if [ $(( $(date +%s) - $START_TIME )) -gt $DOG_DELAY ]; then 760 echo "SERVERSTART TIMEOUT" 761 echo "SERVERSTART TIMEOUT" >> $SRV_OUT 762 break 763 fi 764 # Linux and *BSD support decimal arguments to sleep. On other 765 # OSes this may be a tight loop. 766 sleep 0.1 2>/dev/null || true 767 done 768 } 769else 770 echo "Warning: lsof not available, wait_server_start = sleep" 771 wait_server_start() { 772 sleep 2 773 } 774fi 775 776 777# start_server <name> 778# also saves name and command 779start_server() { 780 case $1 in 781 [Oo]pen*) 782 SERVER_CMD="$OPENSSL s_server $O_SERVER_ARGS" 783 ;; 784 [Gg]nu*) 785 SERVER_CMD="$GNUTLS_SERV $G_SERVER_ARGS --priority $G_SERVER_PRIO" 786 ;; 787 mbed*) 788 SERVER_CMD="$M_SRV $M_SERVER_ARGS" 789 if [ "$MEMCHECK" -gt 0 ]; then 790 SERVER_CMD="valgrind --leak-check=full $SERVER_CMD" 791 fi 792 ;; 793 *) 794 echo "error: invalid server name: $1" >&2 795 exit 1 796 ;; 797 esac 798 SERVER_NAME=$1 799 800 log "$SERVER_CMD" 801 echo "$SERVER_CMD" > $SRV_OUT 802 # for servers without -www or equivalent 803 while :; do echo bla; sleep 1; done | $SERVER_CMD >> $SRV_OUT 2>&1 & 804 SRV_PID=$! 805 806 wait_server_start "$PORT" "$SRV_PID" 807} 808 809# terminate the running server 810stop_server() { 811 # For Ubuntu 22.04, `Terminated` message is outputed by wait command. 812 # To remove it from stdout, redirect stdout/stderr to SRV_OUT 813 kill $SRV_PID >/dev/null 2>&1 814 wait $SRV_PID >> $SRV_OUT 2>&1 815 816 if [ "$MEMCHECK" -gt 0 ]; then 817 if is_mbedtls "$SERVER_CMD" && has_mem_err $SRV_OUT; then 818 echo " ! Server had memory errors" 819 SRVMEM=$(( $SRVMEM + 1 )) 820 return 821 fi 822 fi 823 824 rm -f $SRV_OUT 825} 826 827# kill the running server (used when killed by signal) 828cleanup() { 829 rm -f $SRV_OUT $CLI_OUT 830 kill $SRV_PID >/dev/null 2>&1 831 kill $WATCHDOG_PID >/dev/null 2>&1 832 exit 1 833} 834 835# wait for client to terminate and set EXIT 836# must be called right after starting the client 837wait_client_done() { 838 CLI_PID=$! 839 840 ( sleep "$DOG_DELAY"; echo "TIMEOUT" >> $CLI_OUT; kill $CLI_PID ) & 841 WATCHDOG_PID=$! 842 843 # For Ubuntu 22.04, `Terminated` message is outputed by wait command. 844 # To remove it from stdout, redirect stdout/stderr to CLI_OUT 845 wait $CLI_PID >> $CLI_OUT 2>&1 846 EXIT=$? 847 848 kill $WATCHDOG_PID >/dev/null 2>&1 849 wait $WATCHDOG_PID >> $CLI_OUT 2>&1 850 851 echo "EXIT: $EXIT" >> $CLI_OUT 852} 853 854# uniform_title <CLIENT> <SERVER> <STANDARD_CIPHER_SUITE> 855# $TITLE is considered as test case description for both --list-test-case and 856# MBEDTLS_TEST_OUTCOME_FILE. This function aims to control the format of 857# each test case description. 858uniform_title() { 859 TITLE="$1->$2 $MODE,$VERIF $3" 860} 861 862# record_outcome <outcome> [<failure-reason>] 863record_outcome() { 864 echo "$1" 865 if [ -n "$MBEDTLS_TEST_OUTCOME_FILE" ]; then 866 # The test outcome file has the format (in single line): 867 # platform;configuration; 868 # test suite name;test case description; 869 # PASS/FAIL/SKIP;[failure cause] 870 printf '%s;%s;%s;%s;%s;%s\n' \ 871 "$MBEDTLS_TEST_PLATFORM" "$MBEDTLS_TEST_CONFIGURATION" \ 872 "compat" "$TITLE" \ 873 "$1" "${2-}" \ 874 >> "$MBEDTLS_TEST_OUTCOME_FILE" 875 fi 876} 877 878# display additional information if test case fails 879report_fail() { 880 FAIL_PROMPT="outputs saved to c-srv-${TESTS}.log, c-cli-${TESTS}.log" 881 record_outcome "FAIL" "$FAIL_PROMPT" 882 cp $SRV_OUT c-srv-${TESTS}.log 883 cp $CLI_OUT c-cli-${TESTS}.log 884 echo " ! $FAIL_PROMPT" 885 886 if [ "${LOG_FAILURE_ON_STDOUT:-0}" != 0 ]; then 887 echo " ! server output:" 888 cat c-srv-${TESTS}.log 889 echo " ! ===================================================" 890 echo " ! client output:" 891 cat c-cli-${TESTS}.log 892 fi 893} 894 895# run_client PROGRAM_NAME STANDARD_CIPHER_SUITE PROGRAM_CIPHER_SUITE 896run_client() { 897 # announce what we're going to do 898 TESTS=$(( $TESTS + 1 )) 899 uniform_title "${1%"${1#?}"}" "${SERVER_NAME%"${SERVER_NAME#?}"}" $2 900 DOTS72="........................................................................" 901 printf "%s %.*s " "$TITLE" "$((71 - ${#TITLE}))" "$DOTS72" 902 903 # should we skip? 904 if [ "X$SKIP_NEXT" = "XYES" ]; then 905 SKIP_NEXT="NO" 906 record_outcome "SKIP" 907 SKIPPED=$(( $SKIPPED + 1 )) 908 return 909 fi 910 911 # run the command and interpret result 912 case $1 in 913 [Oo]pen*) 914 CLIENT_CMD="$OPENSSL s_client $O_CLIENT_ARGS -cipher $3" 915 log "$CLIENT_CMD" 916 echo "$CLIENT_CMD" > $CLI_OUT 917 printf 'GET HTTP/1.0\r\n\r\n' | $CLIENT_CMD >> $CLI_OUT 2>&1 & 918 wait_client_done 919 920 if [ $EXIT -eq 0 ]; then 921 RESULT=0 922 else 923 # If it is NULL cipher ... 924 if grep 'Cipher is (NONE)' $CLI_OUT >/dev/null; then 925 RESULT=1 926 else 927 RESULT=2 928 fi 929 fi 930 ;; 931 932 [Gg]nu*) 933 # need to force IPv4 with UDP, but keep localhost for auth 934 if is_dtls "$MODE"; then 935 G_HOST="127.0.0.1" 936 else 937 G_HOST="localhost" 938 fi 939 CLIENT_CMD="$GNUTLS_CLI $G_CLIENT_ARGS --priority $G_PRIO_MODE:$3 $G_HOST" 940 log "$CLIENT_CMD" 941 echo "$CLIENT_CMD" > $CLI_OUT 942 printf 'GET HTTP/1.0\r\n\r\n' | $CLIENT_CMD >> $CLI_OUT 2>&1 & 943 wait_client_done 944 945 if [ $EXIT -eq 0 ]; then 946 RESULT=0 947 else 948 RESULT=2 949 # interpret early failure, with a handshake_failure alert 950 # before the server hello, as "no ciphersuite in common" 951 if grep -F 'Received alert [40]: Handshake failed' $CLI_OUT; then 952 if grep -i 'SERVER HELLO .* was received' $CLI_OUT; then : 953 else 954 RESULT=1 955 fi 956 fi >/dev/null 957 fi 958 ;; 959 960 mbed*) 961 CLIENT_CMD="$M_CLI $M_CLIENT_ARGS force_ciphersuite=$3" 962 if [ "$MEMCHECK" -gt 0 ]; then 963 CLIENT_CMD="valgrind --leak-check=full $CLIENT_CMD" 964 fi 965 log "$CLIENT_CMD" 966 echo "$CLIENT_CMD" > $CLI_OUT 967 $CLIENT_CMD >> $CLI_OUT 2>&1 & 968 wait_client_done 969 970 case $EXIT in 971 # Success 972 "0") RESULT=0 ;; 973 974 # Ciphersuite not supported 975 "2") RESULT=1 ;; 976 977 # Error 978 *) RESULT=2 ;; 979 esac 980 981 if [ "$MEMCHECK" -gt 0 ]; then 982 if is_mbedtls "$CLIENT_CMD" && has_mem_err $CLI_OUT; then 983 RESULT=2 984 fi 985 fi 986 987 ;; 988 989 *) 990 echo "error: invalid client name: $1" >&2 991 exit 1 992 ;; 993 esac 994 995 echo "EXIT: $EXIT" >> $CLI_OUT 996 997 # report and count result 998 case $RESULT in 999 "0") 1000 record_outcome "PASS" 1001 ;; 1002 "1") 1003 record_outcome "SKIP" 1004 SKIPPED=$(( $SKIPPED + 1 )) 1005 ;; 1006 "2") 1007 report_fail 1008 FAILED=$(( $FAILED + 1 )) 1009 ;; 1010 esac 1011 1012 rm -f $CLI_OUT 1013} 1014 1015# 1016# MAIN 1017# 1018 1019get_options "$@" 1020 1021# Make the outcome file path relative to the original directory, not 1022# to .../tests 1023case "$MBEDTLS_TEST_OUTCOME_FILE" in 1024 [!/]*) 1025 MBEDTLS_TEST_OUTCOME_FILE="$ORIGINAL_PWD/$MBEDTLS_TEST_OUTCOME_FILE" 1026 ;; 1027esac 1028 1029# sanity checks, avoid an avalanche of errors 1030if [ ! -x "$M_SRV" ]; then 1031 echo "Command '$M_SRV' is not an executable file" >&2 1032 exit 1 1033fi 1034if [ ! -x "$M_CLI" ]; then 1035 echo "Command '$M_CLI' is not an executable file" >&2 1036 exit 1 1037fi 1038 1039if echo "$PEERS" | grep -i openssl > /dev/null; then 1040 if which "$OPENSSL" >/dev/null 2>&1; then :; else 1041 echo "Command '$OPENSSL' not found" >&2 1042 exit 1 1043 fi 1044fi 1045 1046if echo "$PEERS" | grep -i gnutls > /dev/null; then 1047 for CMD in "$GNUTLS_CLI" "$GNUTLS_SERV"; do 1048 if which "$CMD" >/dev/null 2>&1; then :; else 1049 echo "Command '$CMD' not found" >&2 1050 exit 1 1051 fi 1052 done 1053fi 1054 1055for PEER in $PEERS; do 1056 case "$PEER" in 1057 mbed*|[Oo]pen*|[Gg]nu*) 1058 ;; 1059 *) 1060 echo "Unknown peers: $PEER" >&2 1061 exit 1 1062 esac 1063done 1064 1065# Pick a "unique" port in the range 10000-19999. 1066PORT="0000$$" 1067PORT="1$(echo $PORT | tail -c 5)" 1068 1069# Also pick a unique name for intermediate files 1070SRV_OUT="srv_out.$$" 1071CLI_OUT="cli_out.$$" 1072 1073# client timeout delay: be more patient with valgrind 1074if [ "$MEMCHECK" -gt 0 ]; then 1075 DOG_DELAY=30 1076else 1077 DOG_DELAY=10 1078fi 1079 1080SKIP_NEXT="NO" 1081 1082trap cleanup INT TERM HUP 1083 1084for MODE in $MODES; do 1085 for TYPE in $TYPES; do 1086 1087 # PSK cipher suites do not allow client certificate verification. 1088 # This means PSK test cases with VERIFY=YES should be replaced by 1089 # VERIFY=NO or be ignored. SUB_VERIFIES variable is used to constrain 1090 # verification option for PSK test cases. 1091 SUB_VERIFIES=$VERIFIES 1092 if [ "$TYPE" = "PSK" ]; then 1093 SUB_VERIFIES="NO" 1094 fi 1095 1096 for VERIFY in $SUB_VERIFIES; do 1097 VERIF=$(echo $VERIFY | tr '[:upper:]' '[:lower:]') 1098 for PEER in $PEERS; do 1099 1100 setup_arguments 1101 1102 case "$PEER" in 1103 1104 [Oo]pen*) 1105 1106 if test "$OSSL_NO_DTLS" -gt 0 && is_dtls "$MODE"; then 1107 continue; 1108 fi 1109 1110 # OpenSSL <1.0.2 doesn't support DTLS 1.2. Check if OpenSSL 1111 # supports $O_MODE from the s_server help. (The s_client 1112 # help isn't accurate as of 1.0.2g: it supports DTLS 1.2 1113 # but doesn't list it. But the s_server help seems to be 1114 # accurate.) 1115 if ! $OPENSSL s_server -help 2>&1 | grep -q "^ *-$O_MODE "; then 1116 continue; 1117 fi 1118 1119 reset_ciphersuites 1120 add_common_ciphersuites 1121 add_openssl_ciphersuites 1122 filter_ciphersuites 1123 1124 if [ "X" != "X$M_CIPHERS" ]; then 1125 start_server "OpenSSL" 1126 translate_ciphers m $M_CIPHERS 1127 for i in $ciphers; do 1128 o_check_ciphersuite "${i%%=*}" 1129 run_client mbedTLS ${i%%=*} ${i#*=} 1130 done 1131 stop_server 1132 fi 1133 1134 if [ "X" != "X$O_CIPHERS" ]; then 1135 start_server "mbedTLS" 1136 translate_ciphers o $O_CIPHERS 1137 for i in $ciphers; do 1138 o_check_ciphersuite "${i%%=*}" 1139 run_client OpenSSL ${i%%=*} ${i#*=} 1140 done 1141 stop_server 1142 fi 1143 1144 ;; 1145 1146 [Gg]nu*) 1147 1148 reset_ciphersuites 1149 add_common_ciphersuites 1150 add_gnutls_ciphersuites 1151 filter_ciphersuites 1152 1153 if [ "X" != "X$M_CIPHERS" ]; then 1154 start_server "GnuTLS" 1155 translate_ciphers m $M_CIPHERS 1156 for i in $ciphers; do 1157 run_client mbedTLS ${i%%=*} ${i#*=} 1158 done 1159 stop_server 1160 fi 1161 1162 if [ "X" != "X$G_CIPHERS" ]; then 1163 start_server "mbedTLS" 1164 translate_ciphers g $G_CIPHERS 1165 for i in $ciphers; do 1166 run_client GnuTLS ${i%%=*} ${i#*=} 1167 done 1168 stop_server 1169 fi 1170 1171 ;; 1172 1173 mbed*) 1174 1175 reset_ciphersuites 1176 add_common_ciphersuites 1177 add_openssl_ciphersuites 1178 add_gnutls_ciphersuites 1179 add_mbedtls_ciphersuites 1180 filter_ciphersuites 1181 1182 if [ "X" != "X$M_CIPHERS" ]; then 1183 start_server "mbedTLS" 1184 translate_ciphers m $M_CIPHERS 1185 for i in $ciphers; do 1186 run_client mbedTLS ${i%%=*} ${i#*=} 1187 done 1188 stop_server 1189 fi 1190 1191 ;; 1192 1193 *) 1194 echo "Unknown peer: $PEER" >&2 1195 exit 1 1196 ;; 1197 1198 esac 1199 1200 done 1201 done 1202 done 1203done 1204 1205echo "------------------------------------------------------------------------" 1206 1207if [ $FAILED -ne 0 -o $SRVMEM -ne 0 ]; then 1208 printf "FAILED" 1209else 1210 printf "PASSED" 1211fi 1212 1213if [ "$MEMCHECK" -gt 0 ]; then 1214 MEMREPORT=", $SRVMEM server memory errors" 1215else 1216 MEMREPORT="" 1217fi 1218 1219PASSED=$(( $TESTS - $FAILED )) 1220echo " ($PASSED / $TESTS tests ($SKIPPED skipped$MEMREPORT))" 1221 1222FAILED=$(( $FAILED + $SRVMEM )) 1223if [ $FAILED -gt 255 ]; then 1224 # Clamp at 255 as caller gets exit code & 0xFF 1225 # (so 256 would be 0, or success, etc) 1226 FAILED=255 1227fi 1228exit $FAILED 1229
