#!/bin/sh

# compat.sh
#
# This file is part of mbed TLS (https://tls.mbed.org)
#
# Copyright (c) 2012-2016, ARM Limited, All Rights Reserved
#
# Purpose
#
# Test interoperability with OpenSSL, GnuTLS as well as itself.
#
# Check each common ciphersuite, with each version, both ways (client/server),
# with and without client authentication.
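set -u

# initialise counters
TESTS=0
FAILED=0
SKIPPED=0
SRVMEM=0

# default commands, can be overridden by the environment
: "${M_SRV:=../programs/ssl/ssl_server2}"
: "${M_CLI:=../programs/ssl/ssl_client2}"
: "${OPENSSL_CMD:=openssl}" # OPENSSL would conflict with the build system
: "${GNUTLS_CLI:=gnutls-cli}"
: "${GNUTLS_SERV:=gnutls-serv}"

# gnutls_is_recent <first line of the "--version" output of gnutls-cli>
#
# Succeed for a git build (version still reads @VERSION@) or for a release
# that is 3.2.15 or newer; fail for anything older or not recognisable.
#
# The version is taken apart with parameter expansion only. The text comes
# from whatever program GNUTLS_CLI names, and that name can be set from the
# environment, so it is never handed to eval. Multi-digit components such as
# the 10 in 3.10.0 are kept whole.
# Sets MAJOR, MINOR and PATCH when the version could be parsed.
gnutls_is_recent()
{
    case "$1" in
        *@VERSION@*) return 0 ;; # git version
    esac

    G_VER_NUM="${1##* }" # last word, expected to be MAJOR.MINOR.PATCH
    case "$G_VER_NUM" in
        *[!0-9.]* | .* | *. | *..* | *.*.*.*) return 1 ;;
        *.*.*) ;;
        *) return 1 ;;
    esac

    MAJOR="${G_VER_NUM%%.*}"
    PATCH="${G_VER_NUM##*.}"
    MINOR="${G_VER_NUM#*.}"
    MINOR="${MINOR%.*}"

    [ "$MAJOR" -gt 3 ] && return 0
    [ "$MAJOR" -lt 3 ] && return 1
    [ "$MINOR" -gt 2 ] && return 0
    [ "$MINOR" -lt 2 ] && return 1
    [ "$PATCH" -ge 15 ]
}

# do we have a recent enough GnuTLS?
# (command -v is specified by POSIX; which is not and may be missing)
PEER_GNUTLS=""
if command -v "$GNUTLS_CLI" >/dev/null 2>&1 &&
    command -v "$GNUTLS_SERV" >/dev/null 2>&1
then
    G_VER="$( "$GNUTLS_CLI" --version | head -n1 )"
    if gnutls_is_recent "$G_VER"; then
        PEER_GNUTLS=" GnuTLS"
    fi
fi

# default values for options
MODES="tls1 tls1_1 tls1_2 dtls1 dtls1_2"
VERIFIES="NO YES"
TYPES="ECDSA RSA PSK"
FILTER=""
EXCLUDE='NULL\|DES-CBC-\|RC4\|ARCFOUR' # avoid plain DES but keep 3DES-EDE-CBC (mbedTLS), DES-CBC3 (OpenSSL)
VERBOSE=""
MEMCHECK=0
PEERS="OpenSSL$PEER_GNUTLS mbedTLS"

# hidden option: skip DTLS with OpenSSL
# (travis CI has a version that doesn't work for us)
: "${OSSL_NO_DTLS:=0}"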
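# print_usage
# Print the command line help, with the current value of each option shown
# as its default.
print_usage() {
    echo "Usage: $0"
    printf "  -h|--help\tPrint this help.\n"
    # The values are passed as printf arguments instead of being spliced into
    # the format string, so a pattern containing '%' or a backslash is shown
    # as typed instead of being interpreted by printf.
    printf "  -f|--filter\tOnly matching ciphersuites are tested (Default: '%s')\n" "$FILTER"
    printf "  -e|--exclude\tMatching ciphersuites are excluded (Default: '%s')\n" "$EXCLUDE"
    printf "  -m|--modes\tWhich modes to perform (Default: '%s')\n" "$MODES"
    printf "  -t|--types\tWhich key exchange type to perform (Default: '%s')\n" "$TYPES"
    printf "  -V|--verify\tWhich verification modes to perform (Default: '%s')\n" "$VERIFIES"
    printf "  -p|--peers\tWhich peers to use (Default: '%s')\n" "$PEERS"
    printf "            \tAlso available: GnuTLS (needs v3.2.15 or higher)\n"
    printf "  -M|--memcheck\tCheck memory leaks and errors.\n"
    printf "  -v|--verbose\tSet verbose output.\n"
}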
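# get_options <command line arguments>
# Parse the command line into FILTER, EXCLUDE, MODES, TYPES, VERIFIES, PEERS,
# VERBOSE and MEMCHECK. Prints the usage and exits with status 1 on an unknown
# argument or on an option that lacks its value, and with status 0 after -h.
get_options() {
    while [ $# -gt 0 ]; do
        # Options that take a value: check that the value is present before
        # the "shift; VAR=$1" below reads it, otherwise $1 would be unset
        # there (an abort with an unhelpful message under "set -u").
        case "$1" in
            -f|--filter|-e|--exclude|-m|--modes|-t|--types|-V|--verify|-p|--peers)
                if [ $# -lt 2 ]; then
                    echo "Missing value for argument: '$1'"
                    print_usage
                    exit 1
                fi
                ;;
        esac

        case "$1" in
            -f|--filter)
                shift; FILTER=$1
                ;;
            -e|--exclude)
                shift; EXCLUDE=$1
                ;;
            -m|--modes)
                shift; MODES=$1
                ;;
            -t|--types)
                shift; TYPES=$1
                ;;
            -V|--verify)
                shift; VERIFIES=$1
                ;;
            -p|--peers)
                shift; PEERS=$1
                ;;
            -v|--verbose)
                VERBOSE=1
                ;;
            -M|--memcheck)
                MEMCHECK=1
                ;;
            -h|--help)
                print_usage
                exit 0
                ;;
            *)
                echo "Unknown argument: '$1'"
                print_usage
                exit 1
                ;;
        esac
        shift
    done

    # sanitize some options (modes checked later)
    # The tr sets are quoted: unquoted, [a-z] is a glob and would be replaced
    # by the name of any matching one-letter file in the current directory.
    VERIFIES="$( printf '%s\n' "$VERIFIES" | tr '[a-z]' '[A-Z]' )"
    TYPES="$( printf '%s\n' "$TYPES" | tr '[a-z]' '[A-Z]' )"
}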
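# log <message...>
# In verbose mode (VERBOSE non-empty), print an empty line followed by the
# message; print nothing otherwise.
log() {
  if [ -n "$VERBOSE" ]; then
    echo ""
    # printf instead of echo: a message that starts with "-n" or contains
    # backslashes is printed as given, whatever the shell's echo does.
    printf '%s\n' "$*"
  fi
}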
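# is_dtls <mode>
# Succeed when <mode> is one of the DTLS modes (dtls1, dtls1_2).
is_dtls()
{
    # case instead of "test ... -o ...": the -o operator is obsolescent and
    # ambiguous when an operand looks like an operator
    case "$1" in
        dtls1|dtls1_2) return 0 ;;
        *) return 1 ;;
    esac
}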
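# minor_ver <mode>
# Print the number the script uses to order protocol versions:
# 0 for ssl3, 1 for tls1, 2 for tls1_1/dtls1, 3 for tls1_2/dtls1_2.
# For any other mode, print an error on stderr and -1 on stdout.
minor_ver()
{
    case "$1" in
        ssl3)
            echo 0
            ;;
        tls1)
            echo 1
            ;;
        tls1_1|dtls1)
            echo 2
            ;;
        tls1_2|dtls1_2)
            echo 3
            ;;
        *)
            # report the argument that was rejected, not the global MODE,
            # which may differ from it or be unset
            echo "error: invalid mode: $1" >&2
            # exiting is no good here, typically called in a subshell
            echo -1
            ;;
    esac
}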
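# filter <list of ciphersuite names>
# Print the names that match the FILTER pattern and do not match the EXCLUDE
# pattern, separated by single spaces. Both are grep basic regular
# expressions. In a DTLS mode, RC4/ARCFOUR names are excluded as well.
# An empty EXCLUDE excludes nothing.
filter()
{
  LIST="$1"
  NEW_LIST=""

  if is_dtls "$MODE"; then
      # no leading '\|' when EXCLUDE is empty: an empty alternative would
      # match, and therefore exclude, every name
      EXCLMODE="${EXCLUDE:+$EXCLUDE\\|}RC4\\|ARCFOUR"
  else
      EXCLMODE="$EXCLUDE"
  fi

  for i in $LIST;
  do
    # -e keeps a pattern that starts with '-' from being read as a grep option
    if printf '%s\n' "$i" | grep -e "$FILTER" >/dev/null; then
      # an empty pattern matches everything, so only apply a non-empty one
      if [ -z "$EXCLMODE" ] ||
         ! printf '%s\n' "$i" | grep -e "$EXCLMODE" >/dev/null
      then
        NEW_LIST="$NEW_LIST $i"
      fi
    fi
  done

  # normalize whitespace
  printf '%s\n' "$NEW_LIST" | sed -e 's/[[:space:]][[:space:]]*/ /g' -e 's/^ //' -e 's/ $//'
}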
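# OpenSSL 1.0.1h with -Verify wants a ClientCertificate message even for
# PSK ciphersuites with DTLS, which is incorrect, so disable them for now
#
# check_openssl_server_bug <mbed TLS ciphersuite name>
# Set SKIP_NEXT to YES when client verification is on (VERIFY is YES), MODE
# is a DTLS mode and the name starts with TLS-PSK. Otherwise leave SKIP_NEXT
# untouched.
check_openssl_server_bug()
{
    if [ "X$VERIFY" = "XYES" ] && is_dtls "$MODE"; then
        # prefix match done by the shell, no grep process needed
        case "$1" in
            TLS-PSK*) SKIP_NEXT="YES" ;;
        esac
    fi
}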
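# filter_ciphersuites
# Apply the FILTER/EXCLUDE patterns to M_CIPHERS, O_CIPHERS and G_CIPHERS,
# then empty the lists for combinations of MODE, PEER and VERIFY that are
# known not to work (see the comments below).
filter_ciphersuites()
{
    # two tests joined by || instead of the obsolescent -o operator
    if [ "X" != "X$FILTER" ] || [ "X" != "X$EXCLUDE" ];
    then
        # Ciphersuite for mbed TLS
        M_CIPHERS=$( filter "$M_CIPHERS" )

        # Ciphersuite for OpenSSL
        O_CIPHERS=$( filter "$O_CIPHERS" )

        # Ciphersuite for GnuTLS
        G_CIPHERS=$( filter "$G_CIPHERS" )
    fi

    # OpenSSL 1.0.1h doesn't support DTLS 1.2
    if [ "$( minor_ver "$MODE" )" -ge 3 ] && is_dtls "$MODE"; then
        O_CIPHERS=""
        case "$PEER" in
            [Oo]pen*)
                M_CIPHERS=""
                ;;
        esac
    fi

    # For GnuTLS client -> mbed TLS server,
    # we need to force IPv4 by connecting to 127.0.0.1 but then auth fails
    if [ "X$VERIFY" = "XYES" ] && is_dtls "$MODE"; then
        G_CIPHERS=""
    fi
}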
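# reset_ciphersuites
# Empty the mbed TLS, OpenSSL and GnuTLS ciphersuite lists.
reset_ciphersuites()
{
    M_CIPHERS=""
    O_CIPHERS=""
    G_CIPHERS=""
}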
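# add_common_ciphersuites
# Append the suites for key exchange type TYPE and protocol MODE to
# M_CIPHERS, G_CIPHERS and O_CIPHERS, each list using the naming of its own
# implementation (mbed TLS, GnuTLS priority strings, OpenSSL).
#
# The lists include NULL, RC4/ARCFOUR and 3DES suites on purpose, so that
# interoperability of legacy suites is covered too. Whether they are actually
# run is decided later by the FILTER and EXCLUDE patterns.
add_common_ciphersuites()
{
    case "$TYPE" in

        "ECDSA")
            if [ "$( minor_ver "$MODE" )" -gt 0 ]
            then
                M_CIPHERS="$M_CIPHERS                       \
                    TLS-ECDHE-ECDSA-WITH-NULL-SHA           \
                    TLS-ECDHE-ECDSA-WITH-RC4-128-SHA        \
                    TLS-ECDHE-ECDSA-WITH-3DES-EDE-CBC-SHA   \
                    TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA    \
                    TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA    \
                    "
                G_CIPHERS="$G_CIPHERS                       \
                    +ECDHE-ECDSA:+NULL:+SHA1                \
                    +ECDHE-ECDSA:+ARCFOUR-128:+SHA1         \
                    +ECDHE-ECDSA:+3DES-CBC:+SHA1            \
                    +ECDHE-ECDSA:+AES-128-CBC:+SHA1         \
                    +ECDHE-ECDSA:+AES-256-CBC:+SHA1         \
                    "
                O_CIPHERS="$O_CIPHERS               \
                    ECDHE-ECDSA-NULL-SHA            \
                    ECDHE-ECDSA-RC4-SHA             \
                    ECDHE-ECDSA-DES-CBC3-SHA        \
                    ECDHE-ECDSA-AES128-SHA          \
                    ECDHE-ECDSA-AES256-SHA          \
                    "
            fi
            if [ "$( minor_ver "$MODE" )" -ge 3 ]
            then
                M_CIPHERS="$M_CIPHERS                               \
                    TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256         \
                    TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384         \
                    TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256         \
                    TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384         \
                    "
                G_CIPHERS="$G_CIPHERS                               \
                    +ECDHE-ECDSA:+AES-128-CBC:+SHA256               \
                    +ECDHE-ECDSA:+AES-256-CBC:+SHA384               \
                    +ECDHE-ECDSA:+AES-128-GCM:+AEAD                 \
                    +ECDHE-ECDSA:+AES-256-GCM:+AEAD                 \
                    "
                O_CIPHERS="$O_CIPHERS               \
                    ECDHE-ECDSA-AES128-SHA256       \
                    ECDHE-ECDSA-AES256-SHA384       \
                    ECDHE-ECDSA-AES128-GCM-SHA256   \
                    ECDHE-ECDSA-AES256-GCM-SHA384   \
                    "
            fi
            ;;

        "RSA")
            M_CIPHERS="$M_CIPHERS                       \
                TLS-DHE-RSA-WITH-AES-128-CBC-SHA        \
                TLS-DHE-RSA-WITH-AES-256-CBC-SHA        \
                TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA   \
                TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA   \
                TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA       \
                TLS-RSA-WITH-AES-256-CBC-SHA            \
                TLS-RSA-WITH-CAMELLIA-256-CBC-SHA       \
                TLS-RSA-WITH-AES-128-CBC-SHA            \
                TLS-RSA-WITH-CAMELLIA-128-CBC-SHA       \
                TLS-RSA-WITH-3DES-EDE-CBC-SHA           \
                TLS-RSA-WITH-RC4-128-SHA                \
                TLS-RSA-WITH-RC4-128-MD5                \
                TLS-RSA-WITH-NULL-MD5                   \
                TLS-RSA-WITH-NULL-SHA                   \
                "
            G_CIPHERS="$G_CIPHERS                       \
                +DHE-RSA:+AES-128-CBC:+SHA1             \
                +DHE-RSA:+AES-256-CBC:+SHA1             \
                +DHE-RSA:+CAMELLIA-128-CBC:+SHA1        \
                +DHE-RSA:+CAMELLIA-256-CBC:+SHA1        \
                +DHE-RSA:+3DES-CBC:+SHA1                \
                +RSA:+AES-256-CBC:+SHA1                 \
                +RSA:+CAMELLIA-256-CBC:+SHA1            \
                +RSA:+AES-128-CBC:+SHA1                 \
                +RSA:+CAMELLIA-128-CBC:+SHA1            \
                +RSA:+3DES-CBC:+SHA1                    \
                +RSA:+ARCFOUR-128:+SHA1                 \
                +RSA:+ARCFOUR-128:+MD5                  \
                +RSA:+NULL:+MD5                         \
                +RSA:+NULL:+SHA1                        \
                "
            O_CIPHERS="$O_CIPHERS               \
                DHE-RSA-AES128-SHA              \
                DHE-RSA-AES256-SHA              \
                DHE-RSA-CAMELLIA128-SHA         \
                DHE-RSA-CAMELLIA256-SHA         \
                EDH-RSA-DES-CBC3-SHA            \
                AES256-SHA                      \
                CAMELLIA256-SHA                 \
                AES128-SHA                      \
                CAMELLIA128-SHA                 \
                DES-CBC3-SHA                    \
                RC4-SHA                         \
                RC4-MD5                         \
                NULL-MD5                        \
                NULL-SHA                        \
                "
            if [ "$( minor_ver "$MODE" )" -gt 0 ]
            then
                M_CIPHERS="$M_CIPHERS                       \
                    TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA      \
                    TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA      \
                    TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA     \
                    TLS-ECDHE-RSA-WITH-RC4-128-SHA          \
                    TLS-ECDHE-RSA-WITH-NULL-SHA             \
                    "
                G_CIPHERS="$G_CIPHERS                       \
                    +ECDHE-RSA:+AES-128-CBC:+SHA1           \
                    +ECDHE-RSA:+AES-256-CBC:+SHA1           \
                    +ECDHE-RSA:+3DES-CBC:+SHA1              \
                    +ECDHE-RSA:+ARCFOUR-128:+SHA1           \
                    +ECDHE-RSA:+NULL:+SHA1                  \
                    "
                O_CIPHERS="$O_CIPHERS               \
                    ECDHE-RSA-AES256-SHA            \
                    ECDHE-RSA-AES128-SHA            \
                    ECDHE-RSA-DES-CBC3-SHA          \
                    ECDHE-RSA-RC4-SHA               \
                    ECDHE-RSA-NULL-SHA              \
                    "
            fi
            if [ "$( minor_ver "$MODE" )" -ge 3 ]
            then
                M_CIPHERS="$M_CIPHERS                       \
                    TLS-RSA-WITH-AES-128-CBC-SHA256         \
                    TLS-DHE-RSA-WITH-AES-128-CBC-SHA256     \
                    TLS-RSA-WITH-AES-256-CBC-SHA256         \
                    TLS-DHE-RSA-WITH-AES-256-CBC-SHA256     \
                    TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256   \
                    TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384   \
                    TLS-RSA-WITH-AES-128-GCM-SHA256         \
                    TLS-RSA-WITH-AES-256-GCM-SHA384         \
                    TLS-DHE-RSA-WITH-AES-128-GCM-SHA256     \
                    TLS-DHE-RSA-WITH-AES-256-GCM-SHA384     \
                    TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256   \
                    TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384   \
                    "
                G_CIPHERS="$G_CIPHERS                       \
                    +RSA:+AES-128-CBC:+SHA256               \
                    +DHE-RSA:+AES-128-CBC:+SHA256           \
                    +RSA:+AES-256-CBC:+SHA256               \
                    +DHE-RSA:+AES-256-CBC:+SHA256           \
                    +ECDHE-RSA:+AES-128-CBC:+SHA256         \
                    +ECDHE-RSA:+AES-256-CBC:+SHA384         \
                    +RSA:+AES-128-GCM:+AEAD                 \
                    +RSA:+AES-256-GCM:+AEAD                 \
                    +DHE-RSA:+AES-128-GCM:+AEAD             \
                    +DHE-RSA:+AES-256-GCM:+AEAD             \
                    +ECDHE-RSA:+AES-128-GCM:+AEAD           \
                    +ECDHE-RSA:+AES-256-GCM:+AEAD           \
                    "
                O_CIPHERS="$O_CIPHERS           \
                    NULL-SHA256                 \
                    AES128-SHA256               \
                    DHE-RSA-AES128-SHA256       \
                    AES256-SHA256               \
                    DHE-RSA-AES256-SHA256       \
                    ECDHE-RSA-AES128-SHA256     \
                    ECDHE-RSA-AES256-SHA384     \
                    AES128-GCM-SHA256           \
                    DHE-RSA-AES128-GCM-SHA256   \
                    AES256-GCM-SHA384           \
                    DHE-RSA-AES256-GCM-SHA384   \
                    ECDHE-RSA-AES128-GCM-SHA256 \
                    ECDHE-RSA-AES256-GCM-SHA384 \
                    "
            fi
            ;;

        "PSK")
            M_CIPHERS="$M_CIPHERS                       \
                TLS-PSK-WITH-RC4-128-SHA                \
                TLS-PSK-WITH-3DES-EDE-CBC-SHA           \
                TLS-PSK-WITH-AES-128-CBC-SHA            \
                TLS-PSK-WITH-AES-256-CBC-SHA            \
                "
            G_CIPHERS="$G_CIPHERS                       \
                +PSK:+ARCFOUR-128:+SHA1                 \
                +PSK:+3DES-CBC:+SHA1                    \
                +PSK:+AES-128-CBC:+SHA1                 \
                +PSK:+AES-256-CBC:+SHA1                 \
                "
            O_CIPHERS="$O_CIPHERS               \
                PSK-RC4-SHA                     \
                PSK-3DES-EDE-CBC-SHA            \
                PSK-AES128-CBC-SHA              \
                PSK-AES256-CBC-SHA              \
                "
            ;;
    esac
}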
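# add_openssl_ciphersuites
# Append to M_CIPHERS and O_CIPHERS (mbed TLS and OpenSSL naming) further
# suites for key exchange type TYPE and protocol MODE. G_CIPHERS is not
# touched, so presumably these are suites GnuTLS does not offer.
#
# The RSA entries are single-DES suites. Their names match the DES-CBC- part
# of the script's default EXCLUDE pattern.
add_openssl_ciphersuites()
{
    case "$TYPE" in

        "ECDSA")
            if [ "$( minor_ver "$MODE" )" -gt 0 ]
            then
                M_CIPHERS="$M_CIPHERS                       \
                    TLS-ECDH-ECDSA-WITH-NULL-SHA            \
                    TLS-ECDH-ECDSA-WITH-RC4-128-SHA         \
                    TLS-ECDH-ECDSA-WITH-3DES-EDE-CBC-SHA    \
                    TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA     \
                    TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA     \
                    "
                O_CIPHERS="$O_CIPHERS               \
                    ECDH-ECDSA-NULL-SHA             \
                    ECDH-ECDSA-RC4-SHA              \
                    ECDH-ECDSA-DES-CBC3-SHA         \
                    ECDH-ECDSA-AES128-SHA           \
                    ECDH-ECDSA-AES256-SHA           \
                    "
            fi
            if [ "$( minor_ver "$MODE" )" -ge 3 ]
            then
                M_CIPHERS="$M_CIPHERS                               \
                    TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256          \
                    TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384          \
                    TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256          \
                    TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384          \
                    "
                O_CIPHERS="$O_CIPHERS               \
                    ECDH-ECDSA-AES128-SHA256        \
                    ECDH-ECDSA-AES256-SHA384        \
                    ECDH-ECDSA-AES128-GCM-SHA256    \
                    ECDH-ECDSA-AES256-GCM-SHA384    \
                    "
            fi
            ;;

        "RSA")
            M_CIPHERS="$M_CIPHERS                       \
                TLS-RSA-WITH-DES-CBC-SHA                \
                TLS-DHE-RSA-WITH-DES-CBC-SHA            \
                "
            O_CIPHERS="$O_CIPHERS               \
                DES-CBC-SHA                     \
                EDH-RSA-DES-CBC-SHA             \
                "
            ;;

        "PSK")
            ;;
    esac
}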
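# add_gnutls_ciphersuites
# Append to M_CIPHERS and G_CIPHERS (mbed TLS naming and GnuTLS priority
# strings) further suites for key exchange type TYPE and protocol MODE.
# O_CIPHERS is not touched, so presumably these are suites OpenSSL does not
# offer.
#
# NULL and RC4/ARCFOUR suites appear here for interoperability coverage.
# Whether they are run is decided later by the FILTER and EXCLUDE patterns.
add_gnutls_ciphersuites()
{
    case "$TYPE" in

        "ECDSA")
            if [ "$( minor_ver "$MODE" )" -ge 3 ]
            then
                M_CIPHERS="$M_CIPHERS                               \
                    TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA256    \
                    TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA384    \
                    TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-GCM-SHA256    \
                    TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-GCM-SHA384    \
                   "
                G_CIPHERS="$G_CIPHERS                               \
                    +ECDHE-ECDSA:+CAMELLIA-128-CBC:+SHA256          \
                    +ECDHE-ECDSA:+CAMELLIA-256-CBC:+SHA384          \
                    +ECDHE-ECDSA:+CAMELLIA-128-GCM:+AEAD            \
                    +ECDHE-ECDSA:+CAMELLIA-256-GCM:+AEAD            \
                   "
            fi
            ;;

        "RSA")
            if [ "$( minor_ver "$MODE" )" -gt 0 ]
            then
                M_CIPHERS="$M_CIPHERS                           \
                    TLS-RSA-WITH-NULL-SHA256                    \
                    "
                G_CIPHERS="$G_CIPHERS                           \
                    +RSA:+NULL:+SHA256                          \
                    "
            fi
            if [ "$( minor_ver "$MODE" )" -ge 3 ]
            then
                M_CIPHERS="$M_CIPHERS                           \
                    TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA256  \
                    TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA384  \
                    TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256        \
                    TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256        \
                    TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256    \
                    TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256    \
                    TLS-ECDHE-RSA-WITH-CAMELLIA-128-GCM-SHA256  \
                    TLS-ECDHE-RSA-WITH-CAMELLIA-256-GCM-SHA384  \
                    TLS-DHE-RSA-WITH-CAMELLIA-128-GCM-SHA256    \
                    TLS-DHE-RSA-WITH-CAMELLIA-256-GCM-SHA384    \
                    TLS-RSA-WITH-CAMELLIA-128-GCM-SHA256        \
                    TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384        \
                    "
                G_CIPHERS="$G_CIPHERS                           \
                    +ECDHE-RSA:+CAMELLIA-128-CBC:+SHA256        \
                    +ECDHE-RSA:+CAMELLIA-256-CBC:+SHA384        \
                    +RSA:+CAMELLIA-128-CBC:+SHA256              \
                    +RSA:+CAMELLIA-256-CBC:+SHA256              \
                    +DHE-RSA:+CAMELLIA-128-CBC:+SHA256          \
                    +DHE-RSA:+CAMELLIA-256-CBC:+SHA256          \
                    +ECDHE-RSA:+CAMELLIA-128-GCM:+AEAD          \
                    +ECDHE-RSA:+CAMELLIA-256-GCM:+AEAD          \
                    +DHE-RSA:+CAMELLIA-128-GCM:+AEAD            \
                    +DHE-RSA:+CAMELLIA-256-GCM:+AEAD            \
                    +RSA:+CAMELLIA-128-GCM:+AEAD                \
                    +RSA:+CAMELLIA-256-GCM:+AEAD                \
                    "
            fi
            ;;

        "PSK")
            M_CIPHERS="$M_CIPHERS                               \
                TLS-DHE-PSK-WITH-3DES-EDE-CBC-SHA               \
                TLS-DHE-PSK-WITH-AES-128-CBC-SHA                \
                TLS-DHE-PSK-WITH-AES-256-CBC-SHA                \
                TLS-DHE-PSK-WITH-RC4-128-SHA                    \
                "
            G_CIPHERS="$G_CIPHERS                               \
                +DHE-PSK:+3DES-CBC:+SHA1                        \
                +DHE-PSK:+AES-128-CBC:+SHA1                     \
                +DHE-PSK:+AES-256-CBC:+SHA1                     \
                +DHE-PSK:+ARCFOUR-128:+SHA1                     \
                "
            if [ "$( minor_ver "$MODE" )" -gt 0 ]
            then
                M_CIPHERS="$M_CIPHERS                           \
                    TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA          \
                    TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA          \
                    TLS-ECDHE-PSK-WITH-3DES-EDE-CBC-SHA         \
                    TLS-ECDHE-PSK-WITH-RC4-128-SHA              \
                    TLS-RSA-PSK-WITH-3DES-EDE-CBC-SHA           \
                    TLS-RSA-PSK-WITH-AES-256-CBC-SHA            \
                    TLS-RSA-PSK-WITH-AES-128-CBC-SHA            \
                    TLS-RSA-PSK-WITH-RC4-128-SHA                \
                    "
                G_CIPHERS="$G_CIPHERS                           \
                    +ECDHE-PSK:+3DES-CBC:+SHA1                  \
                    +ECDHE-PSK:+AES-128-CBC:+SHA1               \
                    +ECDHE-PSK:+AES-256-CBC:+SHA1               \
                    +ECDHE-PSK:+ARCFOUR-128:+SHA1               \
                    +RSA-PSK:+3DES-CBC:+SHA1                    \
                    +RSA-PSK:+AES-256-CBC:+SHA1                 \
                    +RSA-PSK:+AES-128-CBC:+SHA1                 \
                    +RSA-PSK:+ARCFOUR-128:+SHA1                 \
                    "
            fi
            if [ "$( minor_ver "$MODE" )" -ge 3 ]
            then
                M_CIPHERS="$M_CIPHERS                           \
                    TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384       \
                    TLS-ECDHE-PSK-WITH-CAMELLIA-256-CBC-SHA384  \
                    TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256       \
                    TLS-ECDHE-PSK-WITH-CAMELLIA-128-CBC-SHA256  \
                    TLS-ECDHE-PSK-WITH-NULL-SHA384              \
                    TLS-ECDHE-PSK-WITH-NULL-SHA256              \
                    TLS-PSK-WITH-AES-128-CBC-SHA256             \
                    TLS-PSK-WITH-AES-256-CBC-SHA384             \
                    TLS-DHE-PSK-WITH-AES-128-CBC-SHA256         \
                    TLS-DHE-PSK-WITH-AES-256-CBC-SHA384         \
                    TLS-PSK-WITH-NULL-SHA256                    \
                    TLS-PSK-WITH-NULL-SHA384                    \
                    TLS-DHE-PSK-WITH-NULL-SHA256                \
                    TLS-DHE-PSK-WITH-NULL-SHA384                \
                    TLS-RSA-PSK-WITH-AES-256-CBC-SHA384         \
                    TLS-RSA-PSK-WITH-AES-128-CBC-SHA256         \
                    TLS-RSA-PSK-WITH-NULL-SHA256                \
                    TLS-RSA-PSK-WITH-NULL-SHA384                \
                    TLS-DHE-PSK-WITH-CAMELLIA-128-CBC-SHA256    \
                    TLS-DHE-PSK-WITH-CAMELLIA-256-CBC-SHA384    \
                    TLS-PSK-WITH-CAMELLIA-128-CBC-SHA256        \
                    TLS-PSK-WITH-CAMELLIA-256-CBC-SHA384        \
                    TLS-RSA-PSK-WITH-CAMELLIA-256-CBC-SHA384    \
                    TLS-RSA-PSK-WITH-CAMELLIA-128-CBC-SHA256    \
                    TLS-PSK-WITH-AES-128-GCM-SHA256             \
                    TLS-PSK-WITH-AES-256-GCM-SHA384             \
                    TLS-DHE-PSK-WITH-AES-128-GCM-SHA256         \
                    TLS-DHE-PSK-WITH-AES-256-GCM-SHA384         \
                    TLS-RSA-PSK-WITH-CAMELLIA-128-GCM-SHA256    \
                    TLS-RSA-PSK-WITH-CAMELLIA-256-GCM-SHA384    \
                    TLS-PSK-WITH-CAMELLIA-128-GCM-SHA256        \
                    TLS-PSK-WITH-CAMELLIA-256-GCM-SHA384        \
                    TLS-DHE-PSK-WITH-CAMELLIA-128-GCM-SHA256    \
                    TLS-DHE-PSK-WITH-CAMELLIA-256-GCM-SHA384    \
                    TLS-RSA-PSK-WITH-AES-256-GCM-SHA384         \
                    TLS-RSA-PSK-WITH-AES-128-GCM-SHA256         \
                    "
                G_CIPHERS="$G_CIPHERS                           \
                    +ECDHE-PSK:+AES-256-CBC:+SHA384             \
                    +ECDHE-PSK:+CAMELLIA-256-CBC:+SHA384        \
                    +ECDHE-PSK:+AES-128-CBC:+SHA256             \
                    +ECDHE-PSK:+CAMELLIA-128-CBC:+SHA256        \
                    +PSK:+AES-128-CBC:+SHA256                   \
                    +PSK:+AES-256-CBC:+SHA384                   \
                    +DHE-PSK:+AES-128-CBC:+SHA256               \
                    +DHE-PSK:+AES-256-CBC:+SHA384               \
                    +RSA-PSK:+AES-256-CBC:+SHA384               \
                    +RSA-PSK:+AES-128-CBC:+SHA256               \
                    +DHE-PSK:+CAMELLIA-128-CBC:+SHA256          \
                    +DHE-PSK:+CAMELLIA-256-CBC:+SHA384          \
                    +PSK:+CAMELLIA-128-CBC:+SHA256              \
                    +PSK:+CAMELLIA-256-CBC:+SHA384              \
                    +RSA-PSK:+CAMELLIA-256-CBC:+SHA384          \
                    +RSA-PSK:+CAMELLIA-128-CBC:+SHA256          \
                    +PSK:+AES-128-GCM:+AEAD                     \
                    +PSK:+AES-256-GCM:+AEAD                     \
                    +DHE-PSK:+AES-128-GCM:+AEAD                 \
                    +DHE-PSK:+AES-256-GCM:+AEAD                 \
                    +RSA-PSK:+CAMELLIA-128-GCM:+AEAD            \
                    +RSA-PSK:+CAMELLIA-256-GCM:+AEAD            \
                    +PSK:+CAMELLIA-128-GCM:+AEAD                \
                    +PSK:+CAMELLIA-256-GCM:+AEAD                \
                    +DHE-PSK:+CAMELLIA-128-GCM:+AEAD            \
                    +DHE-PSK:+CAMELLIA-256-GCM:+AEAD            \
                    +RSA-PSK:+AES-256-GCM:+AEAD                 \
                    +RSA-PSK:+AES-128-GCM:+AEAD                 \
                    +ECDHE-PSK:+NULL:+SHA384                    \
                    +ECDHE-PSK:+NULL:+SHA256                    \
                    +PSK:+NULL:+SHA256                          \
                    +PSK:+NULL:+SHA384                          \
                    +DHE-PSK:+NULL:+SHA256                      \
                    +DHE-PSK:+NULL:+SHA384                      \
                    +RSA-PSK:+NULL:+SHA256                      \
                    +RSA-PSK:+NULL:+SHA384                      \
                    "
            fi
            ;;
    esac
}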
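# add_mbedtls_ciphersuites
# Append to M_CIPHERS only (mbed TLS naming) further suites for key exchange
# type TYPE and protocol MODE. Neither O_CIPHERS nor G_CIPHERS is touched, so
# presumably these suites are exercised against mbed TLS itself.
#
# The CCM suites for RSA and PSK are added for MODE tls1_2 only, not for
# dtls1_2. The ECDSA CCM suites follow the minor version instead.
add_mbedtls_ciphersuites()
{
    case "$TYPE" in

        "ECDSA")
            if [ "$( minor_ver "$MODE" )" -gt 0 ]
            then
                M_CIPHERS="$M_CIPHERS                               \
                    TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA256     \
                    TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384     \
                    "
            fi
            if [ "$( minor_ver "$MODE" )" -ge 3 ]
            then
                M_CIPHERS="$M_CIPHERS                               \
                    TLS-ECDH-ECDSA-WITH-CAMELLIA-128-GCM-SHA256     \
                    TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384     \
                    TLS-ECDHE-ECDSA-WITH-AES-128-CCM                \
                    TLS-ECDHE-ECDSA-WITH-AES-256-CCM                \
                    TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8              \
                    TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8              \
                    "
            fi
            ;;

        "RSA")
            if [ "$MODE" = "tls1_2" ];
            then
                M_CIPHERS="$M_CIPHERS                               \
                    TLS-RSA-WITH-AES-128-CCM                        \
                    TLS-RSA-WITH-AES-256-CCM                        \
                    TLS-DHE-RSA-WITH-AES-128-CCM                    \
                    TLS-DHE-RSA-WITH-AES-256-CCM                    \
                    TLS-RSA-WITH-AES-128-CCM-8                      \
                    TLS-RSA-WITH-AES-256-CCM-8                      \
                    TLS-DHE-RSA-WITH-AES-128-CCM-8                  \
                    TLS-DHE-RSA-WITH-AES-256-CCM-8                  \
                    "
            fi
            ;;

        "PSK")
            # *PSK-NULL-SHA suites supported by GnuTLS 3.3.5 but not 3.2.15
            M_CIPHERS="$M_CIPHERS                        \
                TLS-PSK-WITH-NULL-SHA                    \
                TLS-DHE-PSK-WITH-NULL-SHA                \
                "
            if [ "$( minor_ver "$MODE" )" -gt 0 ]
            then
                M_CIPHERS="$M_CIPHERS                    \
                    TLS-ECDHE-PSK-WITH-NULL-SHA          \
                    TLS-RSA-PSK-WITH-NULL-SHA            \
                    "
            fi
            if [ "$MODE" = "tls1_2" ];
            then
                M_CIPHERS="$M_CIPHERS                               \
                    TLS-PSK-WITH-AES-128-CCM                        \
                    TLS-PSK-WITH-AES-256-CCM                        \
                    TLS-DHE-PSK-WITH-AES-128-CCM                    \
                    TLS-DHE-PSK-WITH-AES-256-CCM                    \
                    TLS-PSK-WITH-AES-128-CCM-8                      \
                    TLS-PSK-WITH-AES-256-CCM-8                      \
                    TLS-DHE-PSK-WITH-AES-128-CCM-8                  \
                    TLS-DHE-PSK-WITH-AES-256-CCM-8                  \
                    "
            fi
            ;;
    esac
}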
734
# Build the server/client argument strings for the three implementations
# (M_* = mbed TLS, O_* = OpenSSL, G_* = GnuTLS) from the current loop state.
#
# Globals read:    MODE, PORT, VERIFY, TYPE
# Globals written: G_MODE, G_PRIO_MODE, G_SERVER_PRIO, G_CLIENT_PRIO,
#                  {M,O,G}_SERVER_ARGS, {M,O,G}_CLIENT_ARGS
# Exits with status 1 if MODE is not a known protocol version.
#
# NOTE(review): the strings built here switch on deliberately weak settings
# so that every suite can be exercised: NULL and RC4 suites (arc4=1,
# "-cipher NULL,ALL", "+ARCFOUR-128:+NULL:+MD5"), a fixed PSK that is the hex
# of ASCII "abcdefghijklmnop", and no peer verification when VERIFY is not
# YES (auth_mode=none, gnutls-cli --insecure). They are test fixtures, not a
# template for a deployed configuration. The mbed TLS server also listens on
# 0.0.0.0 rather than loopback, so the suite is best run on a host whose
# network is trusted.
setup_arguments()
{
    # Translate the mode into a GnuTLS priority token. The DTLS modes also
    # need -u (GnuTLS's UDP switch) on the gnutls-cli/gnutls-serv command line.
    G_MODE=""
    case "$MODE" in
        "ssl3")    G_PRIO_MODE="+VERS-SSL3.0" ;;
        "tls1")    G_PRIO_MODE="+VERS-TLS1.0" ;;
        "tls1_1")  G_PRIO_MODE="+VERS-TLS1.1" ;;
        "tls1_2")  G_PRIO_MODE="+VERS-TLS1.2" ;;
        "dtls1")
            G_MODE="-u"
            G_PRIO_MODE="+VERS-DTLS1.0"
            ;;
        "dtls1_2")
            G_MODE="-u"
            G_PRIO_MODE="+VERS-DTLS1.2"
            ;;
        *)
            echo "error: invalid mode: $MODE" >&2
            exit 1
            ;;
    esac

    # --- base arguments, mbed TLS ---
    M_SERVER_ARGS="server_port=$PORT server_addr=0.0.0.0 force_version=$MODE arc4=1"
    M_CLIENT_ARGS="server_port=$PORT server_addr=127.0.0.1 force_version=$MODE"

    # --- base arguments, OpenSSL ---
    O_SERVER_ARGS="-accept $PORT -cipher NULL,ALL -$MODE -dhparam data_files/dhparams.pem"
    # with OpenSSL 1.0.1h, -www, -WWW and -HTTP break DTLS handshakes,
    # so only the stream modes get -www
    if ! is_dtls "$MODE"; then
        O_SERVER_ARGS="$O_SERVER_ARGS -www"
    fi
    O_CLIENT_ARGS="-connect localhost:$PORT -$MODE"

    # --- base arguments, GnuTLS ---
    G_SERVER_ARGS="-p $PORT --http $G_MODE"
    G_SERVER_PRIO="NORMAL:+ARCFOUR-128:+NULL:+MD5:+PSK:+DHE-PSK:+ECDHE-PSK:+RSA-PSK:-VERS-TLS-ALL:$G_PRIO_MODE"
    G_CLIENT_ARGS="-p $PORT --debug 3 $G_MODE"
    G_CLIENT_PRIO="NONE:$G_PRIO_MODE:+COMP-NULL:+CURVE-ALL:+SIGN-ALL"

    # --- peer verification ---
    case "$VERIFY" in
        "YES")
            # both sides verify the peer against the test CA bundle
            M_SERVER_ARGS="$M_SERVER_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required"
            M_CLIENT_ARGS="$M_CLIENT_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required"

            O_SERVER_ARGS="$O_SERVER_ARGS -CAfile data_files/test-ca_cat12.crt -Verify 10"
            O_CLIENT_ARGS="$O_CLIENT_ARGS -CAfile data_files/test-ca_cat12.crt -verify 10"

            G_SERVER_ARGS="$G_SERVER_ARGS --x509cafile data_files/test-ca_cat12.crt --require-client-cert"
            G_CLIENT_ARGS="$G_CLIENT_ARGS --x509cafile data_files/test-ca_cat12.crt"
            ;;
        *)
            # don't request a client cert at all; the OpenSSL strings need
            # no extra option in this case
            M_SERVER_ARGS="$M_SERVER_ARGS ca_file=none auth_mode=none"
            M_CLIENT_ARGS="$M_CLIENT_ARGS ca_file=none auth_mode=none"

            G_SERVER_ARGS="$G_SERVER_ARGS --disable-client-cert"
            G_CLIENT_ARGS="$G_CLIENT_ARGS --insecure"
            ;;
    esac

    # --- credentials per key-exchange family ---
    case "$TYPE" in
        "ECDSA")
            M_SERVER_ARGS="$M_SERVER_ARGS crt_file=data_files/server5.crt key_file=data_files/server5.key"
            O_SERVER_ARGS="$O_SERVER_ARGS -cert data_files/server5.crt -key data_files/server5.key"
            G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"

            case "$VERIFY" in
                "YES")
                    M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=data_files/server6.crt key_file=data_files/server6.key"
                    O_CLIENT_ARGS="$O_CLIENT_ARGS -cert data_files/server6.crt -key data_files/server6.key"
                    G_CLIENT_ARGS="$G_CLIENT_ARGS --x509certfile data_files/server6.crt --x509keyfile data_files/server6.key"
                    ;;
                *)
                    M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=none key_file=none"
                    ;;
            esac
            ;;

        "RSA")
            M_SERVER_ARGS="$M_SERVER_ARGS crt_file=data_files/server2.crt key_file=data_files/server2.key"
            O_SERVER_ARGS="$O_SERVER_ARGS -cert data_files/server2.crt -key data_files/server2.key"
            G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile data_files/server2.crt --x509keyfile data_files/server2.key"

            case "$VERIFY" in
                "YES")
                    M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=data_files/server1.crt key_file=data_files/server1.key"
                    O_CLIENT_ARGS="$O_CLIENT_ARGS -cert data_files/server1.crt -key data_files/server1.key"
                    G_CLIENT_ARGS="$G_CLIENT_ARGS --x509certfile data_files/server1.crt --x509keyfile data_files/server1.key"
                    ;;
                *)
                    M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=none key_file=none"
                    ;;
            esac
            ;;

        "PSK")
            # The mbed TLS and GnuTLS servers also get an RSA certificate so
            # that they can serve the RSA-PSK suites. (Original author's note:
            # RSA-PSK should really be a separate type, but that is harder to
            # do with openssl.)
            M_SERVER_ARGS="$M_SERVER_ARGS psk=6162636465666768696a6b6c6d6e6f70 ca_file=none crt_file=data_files/server2.crt key_file=data_files/server2.key"
            M_CLIENT_ARGS="$M_CLIENT_ARGS psk=6162636465666768696a6b6c6d6e6f70 crt_file=none key_file=none"

            O_SERVER_ARGS="$O_SERVER_ARGS -psk 6162636465666768696a6b6c6d6e6f70 -nocert"
            O_CLIENT_ARGS="$O_CLIENT_ARGS -psk 6162636465666768696a6b6c6d6e6f70"

            G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile data_files/server2.crt --x509keyfile data_files/server2.key --pskpasswd data_files/passwd.psk"
            G_CLIENT_ARGS="$G_CLIENT_ARGS --pskusername Client_identity --pskkey=6162636465666768696a6b6c6d6e6f70"
            ;;
    esac
}
842
843# is_mbedtls <cmd_line>
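# Succeed (status 0) when the command line in $1 mentions one of the mbed TLS
# test programs, ssl_server2 or ssl_client2; fail (status 1) otherwise.
# The match is a plain substring test, so a valgrind-prefixed command line
# still matches.
#
# Uses a shell pattern instead of `echo | grep 'a\|b'`: the `\|` alternation
# in a basic regex is not guaranteed by POSIX grep, and echo may mangle
# arguments that start with '-' or contain backslashes.
is_mbedtls() {
    case "$1" in
        *ssl_server2* | *ssl_client2*)
            return 0
            ;;
        *)
            return 1
            ;;
    esac
}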
847
848# has_mem_err <log_file_name>
# Decide whether the log file named by $1 shows memory errors.
# Returns 1 ("no errors") only when BOTH clean-run markers are present in the
# file: the "All heap blocks were freed" line and the "0 errors from 0
# contexts" summary. Returns 0 ("has errors") in every other case, which
# includes a log that is missing, unreadable or truncated: a run that cannot
# be shown to be clean is reported as failed.
has_mem_err() {
    # each marker is a fixed string (-F); a missing one means "not clean"
    grep -F 'All heap blocks were freed -- no leaks are possible' "$1" > /dev/null ||
        return 0 # true: has errors
    grep -F 'ERROR SUMMARY: 0 errors from 0 contexts' "$1" > /dev/null ||
        return 0 # true: has errors

    return 1 # false: does not have errors
}
858
859# start_server <name>
860# also saves name and command
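# Launch the server implementation selected by $1 in the background.
#
# Arguments: $1 - peer name, matched as [Oo]pen*, [Gg]nu* or mbed*
# Globals read:    OPENSSL_CMD, GNUTLS_SERV, M_SRV, MEMCHECK, SRV_OUT,
#                  O_SERVER_ARGS, G_SERVER_ARGS, G_SERVER_PRIO, M_SERVER_ARGS
# Globals written: SERVER_CMD, SERVER_NAME, PROCESS_ID
# Exits with status 1 on an unknown peer name.
start_server() {
    case "$1" in
        [Oo]pen*)
            SERVER_CMD="$OPENSSL_CMD s_server $O_SERVER_ARGS"
            ;;
        [Gg]nu*)
            SERVER_CMD="$GNUTLS_SERV $G_SERVER_ARGS --priority $G_SERVER_PRIO"
            ;;
        mbed*)
            SERVER_CMD="$M_SRV $M_SERVER_ARGS"
            # only the mbed TLS server is run under valgrind
            if [ "$MEMCHECK" -gt 0 ]; then
                SERVER_CMD="valgrind --leak-check=full $SERVER_CMD"
            fi
            ;;
        *)
            echo "error: invalid server name: $1" >&2
            exit 1
            ;;
    esac
    SERVER_NAME=$1

    log "$SERVER_CMD"
    # first line of the server log is the command itself; printf rather than
    # echo so the text is written verbatim
    printf '%s\n' "$SERVER_CMD" > "$SRV_OUT"

    # for servers without -www or equivalent: keep feeding them input.
    # $SERVER_CMD is left unquoted on purpose, the shell splits it into the
    # program and its arguments (so a program path containing whitespace is
    # not supported). $! is the last command of the pipeline, i.e. the server.
    while :; do echo bla; sleep 1; done | $SERVER_CMD >> "$SRV_OUT" 2>&1 &
    PROCESS_ID=$!

    # fixed grace period for the server to come up; nothing here checks that
    # it is actually listening
    sleep 1
}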
890
891# terminate the running server
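# Stop the server started by start_server and dispose of its log.
#
# Globals read:    PROCESS_ID, MEMCHECK, SERVER_CMD, SRV_OUT
# Globals written: SRVMEM (incremented when the mbed TLS server log shows
#                  memory errors)
# When memory errors are found the log file is kept for inspection;
# otherwise it is removed.
stop_server() {
    # errors are silenced: the server may already have exited
    kill "$PROCESS_ID" 2>/dev/null
    wait "$PROCESS_ID" 2>/dev/null

    if [ "$MEMCHECK" -gt 0 ]; then
        # only an mbed TLS server runs under valgrind, so only its log can
        # carry the clean-run markers
        if is_mbedtls "$SERVER_CMD" && has_mem_err "$SRV_OUT"; then
            echo "  ! Server had memory errors"
            SRVMEM=$(( $SRVMEM + 1 ))
            return
        fi
    fi

    rm -f -- "$SRV_OUT"
}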
906
907# kill the running server (used when killed by signal)
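# Signal handler: remove the intermediate files, stop the server and the
# client watchdog if they were started, then exit with status 1.
#
# Globals read: SRV_OUT, CLI_OUT, PROCESS_ID, WATCHDOG_PID
#
# The script runs under `set -u` and the trap is installed before any server
# or watchdog exists, so PROCESS_ID / WATCHDOG_PID may still be unset when a
# signal arrives. Expanding them unguarded would abort the handler with an
# "unbound variable" error part-way through; they are therefore read with a
# default and skipped when empty.
cleanup() {
    rm -f -- "$SRV_OUT" "$CLI_OUT"
    if [ -n "${PROCESS_ID:-}" ]; then
        kill "$PROCESS_ID" >/dev/null 2>&1
    fi
    if [ -n "${WATCHDOG_PID:-}" ]; then
        kill "$WATCHDOG_PID" >/dev/null 2>&1
    fi
    exit 1
}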
914
915# wait for client to terminate and set EXIT
916# must be called right after starting the client
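# Wait for the client that the caller has just put in the background, with a
# timeout, and record its exit status.
#
# Must be called immediately after starting the client: the client's PID is
# taken from $!, so any other background job started in between would be
# waited for instead.
#
# Globals read:    DOG_DELAY (timeout in seconds), CLI_OUT
# Globals written: CLI_PID, WATCHDOG_PID, EXIT
wait_client_done() {
    CLI_PID=$!

    # watchdog: after DOG_DELAY seconds, mark the log and kill the client
    ( sleep "$DOG_DELAY"; echo "TIMEOUT" >> "$CLI_OUT"; kill "$CLI_PID" ) &
    WATCHDOG_PID=$!

    wait "$CLI_PID"
    EXIT=$?

    # The watchdog has already exited if it fired, so kill/wait may fail here;
    # silence them as stop_server does for the server process.
    # NOTE(review): this signals the watchdog subshell only; its sleep child
    # presumably lingers until DOG_DELAY elapses.
    kill "$WATCHDOG_PID" 2>/dev/null
    wait "$WATCHDOG_PID" 2>/dev/null

    echo "EXIT: $EXIT" >> "$CLI_OUT"
}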
931
932# run_client <name> <cipher>
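# Run one client against the server that is currently up, classify the
# outcome and print a one-line report.
#
# Arguments: $1 - client peer name ([Oo]pen*, [Gg]nu* or mbed*)
#            $2 - ciphersuite, in the naming of that client
# Globals read:    VERIFY, MODE, SERVER_NAME, SKIP_NEXT, MEMCHECK, CLI_OUT,
#                  SRV_OUT, OPENSSL_CMD, GNUTLS_CLI, M_CLI, O_CLIENT_ARGS,
#                  G_CLIENT_ARGS, G_PRIO_MODE, M_CLIENT_ARGS
# Globals written: TESTS, SKIPPED, FAILED, SKIP_NEXT, VERIF, TITLE, LEN, i,
#                  CLIENT_CMD, G_HOST, RESULT (and EXIT via wait_client_done)
# RESULT: 0 = pass, 1 = skip (suite not supported by the peer), 2 = fail.
# On failure the server and client logs are copied to c-srv-N.log and
# c-cli-N.log, N being the test number.
# Exits with status 1 on an unknown client name.
run_client() {
    # announce what we're going to do
    TESTS=$(( $TESTS + 1 ))
    VERIF=$(printf '%s\n' "$VERIFY" | tr '[:upper:]' '[:lower:]')
    # "<client initial>-><server initial>"
    TITLE="$(printf '%s\n' "$1" | cut -c1)->$(printf '%s\n' "$SERVER_NAME" | cut -c1)"
    TITLE="$TITLE $MODE,$VERIF $2"
    # The title is data, not a format string: a '%' in a suite or peer name
    # must be printed as-is.
    printf '%s ' "$TITLE"
    # pad with dots up to column 72; a plain loop avoids depending on seq,
    # which is not a POSIX utility ($i is reused as the scratch counter)
    LEN=$(( 72 - $(printf '%s\n' "$TITLE" | wc -c) ))
    i=$LEN
    while [ "$i" -gt 0 ]; do
        printf '.'
        i=$(( $i - 1 ))
    done
    printf ' '

    # should we skip?
    if [ "X$SKIP_NEXT" = "XYES" ]; then
        SKIP_NEXT="NO"
        echo "SKIP"
        SKIPPED=$(( $SKIPPED + 1 ))
        return
    fi

    # run the command and interpret result
    # ($CLIENT_CMD is expanded unquoted on purpose so the shell splits it
    # into program and arguments; its parts come from the script's own
    # tables and the environment overrides, not from the peer)
    case "$1" in
        [Oo]pen*)
            CLIENT_CMD="$OPENSSL_CMD s_client $O_CLIENT_ARGS -cipher $2"
            log "$CLIENT_CMD"
            printf '%s\n' "$CLIENT_CMD" > "$CLI_OUT"
            printf 'GET HTTP/1.0\r\n\r\n' | $CLIENT_CMD >> "$CLI_OUT" 2>&1 &
            wait_client_done

            if [ "$EXIT" -eq 0 ]; then
                RESULT=0
            elif grep 'Cipher is (NONE)' "$CLI_OUT" >/dev/null; then
                # the cipher isn't supported
                RESULT=1
            else
                RESULT=2
            fi
            ;;

        [Gg]nu*)
            # need to force IPv4 with UDP, but keep localhost for auth
            if is_dtls "$MODE"; then
                G_HOST="127.0.0.1"
            else
                G_HOST="localhost"
            fi
            CLIENT_CMD="$GNUTLS_CLI $G_CLIENT_ARGS --priority $G_PRIO_MODE:$2 $G_HOST"
            log "$CLIENT_CMD"
            printf '%s\n' "$CLIENT_CMD" > "$CLI_OUT"
            printf 'GET HTTP/1.0\r\n\r\n' | $CLIENT_CMD >> "$CLI_OUT" 2>&1 &
            wait_client_done

            if [ "$EXIT" -eq 0 ]; then
                RESULT=0
            else
                RESULT=2
                # interpret early failure, with a handshake_failure alert
                # before the server hello, as "no ciphersuite in common"
                if grep -F 'Received alert [40]: Handshake failed' "$CLI_OUT" >/dev/null &&
                    ! grep -i 'SERVER HELLO .* was received' "$CLI_OUT" >/dev/null
                then
                    RESULT=1
                fi
            fi
            ;;

        mbed*)
            CLIENT_CMD="$M_CLI $M_CLIENT_ARGS force_ciphersuite=$2"
            if [ "$MEMCHECK" -gt 0 ]; then
                CLIENT_CMD="valgrind --leak-check=full $CLIENT_CMD"
            fi
            log "$CLIENT_CMD"
            printf '%s\n' "$CLIENT_CMD" > "$CLI_OUT"
            $CLIENT_CMD >> "$CLI_OUT" 2>&1 &
            wait_client_done

            case "$EXIT" in
                # Success
                "0")    RESULT=0    ;;

                # Ciphersuite not supported
                "2")    RESULT=1    ;;

                # Error
                *)      RESULT=2    ;;
            esac

            # a memory error overrides whatever the handshake result was
            if [ "$MEMCHECK" -gt 0 ]; then
                if is_mbedtls "$CLIENT_CMD" && has_mem_err "$CLI_OUT"; then
                    RESULT=2
                fi
            fi
            ;;

        *)
            echo "error: invalid client name: $1" >&2
            exit 1
            ;;
    esac

    echo "EXIT: $EXIT" >> "$CLI_OUT"

    # report and count result
    case "$RESULT" in
        "0")
            echo PASS
            ;;
        "1")
            echo SKIP
            SKIPPED=$(( $SKIPPED + 1 ))
            ;;
        "2")
            echo FAIL
            cp -- "$SRV_OUT" "c-srv-${TESTS}.log"
            cp -- "$CLI_OUT" "c-cli-${TESTS}.log"
            echo "  ! outputs saved to c-srv-${TESTS}.log, c-cli-${TESTS}.log"

            # on the build bot, dump both logs into the console output
            if [ "X${USER:-}" = Xbuildbot ] || [ "X${LOGNAME:-}" = Xbuildbot ]; then
                echo "  ! server output:"
                cat "c-srv-${TESTS}.log"
                echo "  ! ==================================================="
                echo "  ! client output:"
                cat "c-cli-${TESTS}.log"
            fi

            FAILED=$(( $FAILED + 1 ))
            ;;
    esac

    rm -f -- "$CLI_OUT"
}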
1066
1067#
1068# MAIN
1069#
1070
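# Run from the directory that holds this script: every data_files/ path used
# later is relative to it. The path is quoted so a checkout located under a
# directory with spaces still works.
if cd "$( dirname "$0" )"; then :; else
    echo "cd $( dirname "$0" ) failed" >&2
    exit 1
fi

get_options "$@"

# sanity checks, avoid an avalanche of errors
if [ ! -x "$M_SRV" ]; then
    echo "Command '$M_SRV' is not an executable file" >&2
    exit 1
fi
if [ ! -x "$M_CLI" ]; then
    echo "Command '$M_CLI' is not an executable file" >&2
    exit 1
fi

# `command -v` is the POSIX way to ask whether a command can be found;
# `which` is an external tool that is not guaranteed to exist.
if echo "$PEERS" | grep -i openssl > /dev/null; then
    if command -v "$OPENSSL_CMD" >/dev/null 2>&1; then :; else
        echo "Command '$OPENSSL_CMD' not found" >&2
        exit 1
    fi
fi

if echo "$PEERS" | grep -i gnutls > /dev/null; then
    for CMD in "$GNUTLS_CLI" "$GNUTLS_SERV"; do
        if command -v "$CMD" >/dev/null 2>&1; then :; else
            echo "Command '$CMD' not found" >&2
            exit 1
        fi
    done
fi

# reject unknown peer names before any server is started
for PEER in $PEERS; do
    case "$PEER" in
        mbed*|[Oo]pen*|[Gg]nu*)
            ;;
        *)
            echo "Unknown peers: $PEER" >&2
            exit 1
            ;;
    esac
done

# Pick a "unique" port in the range 10000-19999: "1" followed by the last
# four digits of the zero-padded PID (tail -c 5 counts the trailing newline).
# NOTE(review): the port and the file names below are derived from the PID,
# so they are predictable and can collide with another run or another
# listener; acceptable for a test run in a directory the user controls.
PORT="0000$$"
PORT="1$(printf '%s\n' "$PORT" | tail -c 5)"

# Also pick a unique name for intermediate files
SRV_OUT="srv_out.$$"
CLI_OUT="cli_out.$$"

# client timeout delay: be more patient with valgrind
if [ "$MEMCHECK" -gt 0 ]; then
    DOG_DELAY=30
else
    DOG_DELAY=10
fi

SKIP_NEXT="NO"

trap cleanup INT TERM HUP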
1132
# Test matrix: every combination of client-auth setting, protocol version,
# key-exchange family and peer. For each combination the suite lists are
# rebuilt and filtered, then each non-empty list is run against a freshly
# started server, which is stopped again afterwards.
for VERIFY in $VERIFIES; do
    for MODE in $MODES; do
        for TYPE in $TYPES; do
            for PEER in $PEERS; do

                setup_arguments

                case "$PEER" in

                    [Oo]pen*)
                        # hidden option OSSL_NO_DTLS: leave out the DTLS
                        # modes for this peer
                        if [ "$OSSL_NO_DTLS" -gt 0 ] && is_dtls "$MODE"; then
                            continue
                        fi

                        reset_ciphersuites
                        add_common_ciphersuites
                        add_openssl_ciphersuites
                        filter_ciphersuites

                        # mbed TLS client -> OpenSSL server
                        if [ -n "$M_CIPHERS" ]; then
                            start_server "OpenSSL"
                            for i in $M_CIPHERS; do
                                check_openssl_server_bug "$i"
                                run_client mbedTLS "$i"
                            done
                            stop_server
                        fi

                        # OpenSSL client -> mbed TLS server
                        if [ -n "$O_CIPHERS" ]; then
                            start_server "mbedTLS"
                            for i in $O_CIPHERS; do
                                run_client OpenSSL "$i"
                            done
                            stop_server
                        fi
                        ;;

                    [Gg]nu*)
                        reset_ciphersuites
                        add_common_ciphersuites
                        add_gnutls_ciphersuites
                        filter_ciphersuites

                        # mbed TLS client -> GnuTLS server
                        if [ -n "$M_CIPHERS" ]; then
                            start_server "GnuTLS"
                            for i in $M_CIPHERS; do
                                run_client mbedTLS "$i"
                            done
                            stop_server
                        fi

                        # GnuTLS client -> mbed TLS server
                        if [ -n "$G_CIPHERS" ]; then
                            start_server "mbedTLS"
                            for i in $G_CIPHERS; do
                                run_client GnuTLS "$i"
                            done
                            stop_server
                        fi
                        ;;

                    mbed*)
                        # self-test: all suite tables are loaded
                        reset_ciphersuites
                        add_common_ciphersuites
                        add_openssl_ciphersuites
                        add_gnutls_ciphersuites
                        add_mbedtls_ciphersuites
                        filter_ciphersuites

                        if [ -n "$M_CIPHERS" ]; then
                            start_server "mbedTLS"
                            for i in $M_CIPHERS; do
                                run_client mbedTLS "$i"
                            done
                            stop_server
                        fi
                        ;;

                    *)
                        echo "Unknown peer: $PEER" >&2
                        exit 1
                        ;;

                esac

            done
        done
    done
done
1227
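# Final report: overall verdict, pass/skip counts, and the exit status that
# a calling CI job will act on.
echo "------------------------------------------------------------------------"

if [ "$FAILED" -ne 0 ] || [ "$SRVMEM" -ne 0 ]; then
    printf "FAILED"
else
    printf "PASSED"
fi

if [ "$MEMCHECK" -gt 0 ]; then
    MEMREPORT=", $SRVMEM server memory errors"
else
    MEMREPORT=""
fi

PASSED=$(( $TESTS - $FAILED ))
echo " ($PASSED / $TESTS tests ($SKIPPED skipped$MEMREPORT))"

FAILED=$(( $FAILED + $SRVMEM ))
# The caller only sees the low 8 bits of the exit status, so a count of 256
# (or any multiple of it) would be reported as 0, i.e. as success. Clamp it
# so that any failure yields a non-zero status.
if [ "$FAILED" -gt 255 ]; then
    FAILED=255
fi
exit $FAILED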
1248