#!/bin/sh
set -u
ulimit -f 20971520
ORIGINAL_PWD=$PWD
if ! cd "$(dirname "$0")"; then
exit 125
fi
TESTS=0
FAILED=0
SKIPPED=0
SRVMEM=0
: ${M_SRV:=../programs/ssl/ssl_server2}
: ${M_CLI:=../programs/ssl/ssl_client2}
: ${OPENSSL:=openssl}
: ${GNUTLS_CLI:=gnutls-cli}
: ${GNUTLS_SERV:=gnutls-serv}
if [ "${OPENSSL_CMD+set}" = set ]; then
if [ "$OPENSSL_CMD" != "$OPENSSL" ]; then
echo "Please use OPENSSL instead of OPENSSL_CMD." >&2
exit 125
fi
fi
if ( which $GNUTLS_CLI && which $GNUTLS_SERV ) >/dev/null 2>&1; then
G_VER="$( $GNUTLS_CLI --version | head -n1 )"
if echo "$G_VER" | grep '@VERSION@' > /dev/null; then
PEER_GNUTLS=" GnuTLS"
else
eval $( echo $G_VER | sed 's/.* \([0-9]*\)\.\([0-9]\)*\.\([0-9]*\)$/MAJOR="\1" MINOR="\2" PATCH="\3"/' )
if [ $MAJOR -lt 3 -o \
\( $MAJOR -eq 3 -a $MINOR -lt 2 \) -o \
\( $MAJOR -eq 3 -a $MINOR -eq 2 -a $PATCH -lt 15 \) ]
then
PEER_GNUTLS=""
else
PEER_GNUTLS=" GnuTLS"
if [ $MINOR -lt 4 ]; then
GNUTLS_MINOR_LT_FOUR='x'
fi
fi
fi
else
PEER_GNUTLS=""
fi
guess_config_name() {
if git diff --quiet ../include/mbedtls/mbedtls_config.h 2>/dev/null; then
echo "default"
else
echo "unknown"
fi
}
: ${MBEDTLS_TEST_OUTCOME_FILE=}
: ${MBEDTLS_TEST_CONFIGURATION:="$(guess_config_name)"}
: ${MBEDTLS_TEST_PLATFORM:="$(uname -s | tr -c \\n0-9A-Za-z _)-$(uname -m | tr -c \\n0-9A-Za-z _)"}
MODES="tls12 dtls12"
VERIFIES="NO YES"
TYPES="ECDSA RSA PSK"
FILTER=""
EXCLUDE='NULL\|ARIA\|CHACHA20_POLY1305'
VERBOSE=""
MEMCHECK=0
MIN_TESTS=1
PRESERVE_LOGS=0
PEERS="OpenSSL$PEER_GNUTLS mbedTLS"
: ${OSSL_NO_DTLS:=0}
print_usage() {
echo "Usage: $0"
printf " -h|--help\tPrint this help.\n"
printf " -f|--filter\tOnly matching ciphersuites are tested (Default: '%s')\n" "$FILTER"
printf " -e|--exclude\tMatching ciphersuites are excluded (Default: '%s')\n" "$EXCLUDE"
printf " -m|--modes\tWhich modes to perform (Default: '%s')\n" "$MODES"
printf " -t|--types\tWhich key exchange type to perform (Default: '%s')\n" "$TYPES"
printf " -V|--verify\tWhich verification modes to perform (Default: '%s')\n" "$VERIFIES"
printf " -p|--peers\tWhich peers to use (Default: '%s')\n" "$PEERS"
printf " \tAlso available: GnuTLS (needs v3.2.15 or higher)\n"
printf " -M|--memcheck\tCheck memory leaks and errors.\n"
printf " -v|--verbose\tSet verbose output.\n"
printf " --list-test-cases\tList all potential test cases (No Execution)\n"
printf " --min \tMinimum number of non-skipped tests (default 1)\n"
printf " --outcome-file\tFile where test outcomes are written\n"
printf " \t(default: \$MBEDTLS_TEST_OUTCOME_FILE, none if empty)\n"
printf " --preserve-logs\tPreserve logs of successful tests as well\n"
}
print_test_case() {
for i in $3; do
uniform_title $1 $2 $i
echo "compat;$TITLE"
done
}
list_test_cases() {
for TYPE in $TYPES; do
reset_ciphersuites
add_common_ciphersuites
add_openssl_ciphersuites
add_gnutls_ciphersuites
add_mbedtls_ciphersuites
SUB_VERIFIES=$VERIFIES
if [ "$TYPE" = "PSK" ]; then
SUB_VERIFIES="NO"
fi
for VERIFY in $SUB_VERIFIES; do
VERIF=$(echo $VERIFY | tr '[:upper:]' '[:lower:]')
for MODE in $MODES; do
print_test_case m O "$O_CIPHERS"
print_test_case O m "$O_CIPHERS"
print_test_case m G "$G_CIPHERS"
print_test_case G m "$G_CIPHERS"
print_test_case m m "$M_CIPHERS"
done
done
done
}
get_options() {
while [ $# -gt 0 ]; do
case "$1" in
-f|--filter)
shift; FILTER=$1
;;
-e|--exclude)
shift; EXCLUDE=$1
;;
-m|--modes)
shift; MODES=$1
;;
-t|--types)
shift; TYPES=$1
;;
-V|--verify)
shift; VERIFIES=$1
;;
-p|--peers)
shift; PEERS=$1
;;
-v|--verbose)
VERBOSE=1
;;
-M|--memcheck)
MEMCHECK=1
;;
--list-test-cases)
list_test_cases
exit $?
;;
--min)
shift; MIN_TESTS=$1
;;
--outcome-file)
shift; MBEDTLS_TEST_OUTCOME_FILE=$1
;;
--preserve-logs)
PRESERVE_LOGS=1
;;
-h|--help)
print_usage
exit 0
;;
*)
echo "Unknown argument: '$1'"
print_usage
exit 1
;;
esac
shift
done
VERIFIES="$( echo $VERIFIES | tr [a-z] [A-Z] )"
TYPES="$( echo $TYPES | tr [a-z] [A-Z] )"
}
log() {
if [ "X" != "X$VERBOSE" ]; then
echo ""
echo "$@"
fi
}
is_dtls()
{
test "$1" = "dtls12"
}
minor_ver()
{
case "$1" in
tls12|dtls12)
echo 3
;;
*)
echo "error: invalid mode: $MODE" >&2
echo -1
esac
}
filter()
{
LIST="$1"
NEW_LIST=""
EXCLMODE="$EXCLUDE"
for i in $LIST;
do
NEW_LIST="$NEW_LIST $( echo "$i" | grep "$FILTER" | grep -v "$EXCLMODE" )"
done
echo "$NEW_LIST" | sed -e 's/[[:space:]][[:space:]]*/ /g' -e 's/^ //' -e 's/ $//'
}
filter_ciphersuites()
{
if [ "X" != "X$FILTER" -o "X" != "X$EXCLUDE" ];
then
M_CIPHERS=$( filter "$M_CIPHERS" )
O_CIPHERS=$( filter "$O_CIPHERS" )
G_CIPHERS=$( filter "$G_CIPHERS" )
fi
}
reset_ciphersuites()
{
M_CIPHERS=""
O_CIPHERS=""
G_CIPHERS=""
}
translate_ciphers()
{
ciphers=$(../framework/scripts/translate_ciphers.py "$@")
if [ $? -ne 0 ]; then
echo "translate_ciphers.py failed with exit code $1" >&2
echo "$2" >&2
exit 1
fi
}
add_common_ciphersuites()
{
CIPHERS=""
case $TYPE in
"ECDSA")
CIPHERS="$CIPHERS \
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA \
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 \
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 \
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA \
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 \
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 \
TLS_ECDHE_ECDSA_WITH_NULL_SHA \
"
;;
"RSA")
CIPHERS="$CIPHERS \
TLS_DHE_RSA_WITH_AES_128_CBC_SHA \
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 \
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 \
TLS_DHE_RSA_WITH_AES_256_CBC_SHA \
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 \
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 \
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA \
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA \
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA \
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 \
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 \
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA \
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 \
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 \
TLS_ECDHE_RSA_WITH_NULL_SHA \
TLS_RSA_WITH_AES_128_CBC_SHA \
TLS_RSA_WITH_AES_128_CBC_SHA256 \
TLS_RSA_WITH_AES_128_GCM_SHA256 \
TLS_RSA_WITH_AES_256_CBC_SHA \
TLS_RSA_WITH_AES_256_CBC_SHA256 \
TLS_RSA_WITH_AES_256_GCM_SHA384 \
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA \
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA \
TLS_RSA_WITH_NULL_MD5 \
TLS_RSA_WITH_NULL_SHA \
TLS_RSA_WITH_NULL_SHA256 \
"
;;
"PSK")
CIPHERS="$CIPHERS \
TLS_PSK_WITH_AES_128_CBC_SHA \
TLS_PSK_WITH_AES_256_CBC_SHA \
"
;;
esac
O_CIPHERS="$O_CIPHERS $CIPHERS"
G_CIPHERS="$G_CIPHERS $CIPHERS"
M_CIPHERS="$M_CIPHERS $CIPHERS"
}
add_openssl_ciphersuites()
{
CIPHERS=""
case $TYPE in
"ECDSA")
CIPHERS="$CIPHERS \
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA \
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 \
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 \
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA \
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 \
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 \
TLS_ECDH_ECDSA_WITH_NULL_SHA \
TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 \
TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 \
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 \
"
;;
"RSA")
CIPHERS="$CIPHERS \
TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 \
TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 \
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 \
TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 \
TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 \
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 \
TLS_RSA_WITH_ARIA_128_GCM_SHA256 \
TLS_RSA_WITH_ARIA_256_GCM_SHA384 \
"
;;
"PSK")
CIPHERS="$CIPHERS \
TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256 \
TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384 \
TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 \
TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 \
TLS_PSK_WITH_ARIA_128_GCM_SHA256 \
TLS_PSK_WITH_ARIA_256_GCM_SHA384 \
TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 \
"
;;
esac
O_CIPHERS="$O_CIPHERS $CIPHERS"
M_CIPHERS="$M_CIPHERS $CIPHERS"
}
add_gnutls_ciphersuites()
{
CIPHERS=""
case $TYPE in
"ECDSA")
CIPHERS="$CIPHERS \
TLS_ECDHE_ECDSA_WITH_AES_128_CCM \
TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 \
TLS_ECDHE_ECDSA_WITH_AES_256_CCM \
TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 \
TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 \
TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 \
TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 \
TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 \
"
;;
"RSA")
CIPHERS="$CIPHERS \
TLS_DHE_RSA_WITH_AES_128_CCM \
TLS_DHE_RSA_WITH_AES_128_CCM_8 \
TLS_DHE_RSA_WITH_AES_256_CCM \
TLS_DHE_RSA_WITH_AES_256_CCM_8 \
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 \
TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 \
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 \
TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 \
TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 \
TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 \
TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 \
TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 \
TLS_RSA_WITH_AES_128_CCM \
TLS_RSA_WITH_AES_128_CCM_8 \
TLS_RSA_WITH_AES_256_CCM \
TLS_RSA_WITH_AES_256_CCM_8 \
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 \
TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 \
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 \
TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 \
"
;;
"PSK")
CIPHERS="$CIPHERS \
TLS_DHE_PSK_WITH_AES_128_CBC_SHA \
TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 \
TLS_DHE_PSK_WITH_AES_128_CCM \
TLS_DHE_PSK_WITH_AES_128_CCM_8 \
TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 \
TLS_DHE_PSK_WITH_AES_256_CBC_SHA \
TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 \
TLS_DHE_PSK_WITH_AES_256_CCM \
TLS_DHE_PSK_WITH_AES_256_CCM_8 \
TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 \
TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 \
TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 \
TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 \
TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 \
TLS_DHE_PSK_WITH_NULL_SHA256 \
TLS_DHE_PSK_WITH_NULL_SHA384 \
TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA \
TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 \
TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA \
TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 \
TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 \
TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 \
TLS_ECDHE_PSK_WITH_NULL_SHA256 \
TLS_ECDHE_PSK_WITH_NULL_SHA384 \
TLS_PSK_WITH_AES_128_CBC_SHA256 \
TLS_PSK_WITH_AES_128_CCM \
TLS_PSK_WITH_AES_128_CCM_8 \
TLS_PSK_WITH_AES_128_GCM_SHA256 \
TLS_PSK_WITH_AES_256_CBC_SHA384 \
TLS_PSK_WITH_AES_256_CCM \
TLS_PSK_WITH_AES_256_CCM_8 \
TLS_PSK_WITH_AES_256_GCM_SHA384 \
TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 \
TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 \
TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 \
TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 \
TLS_PSK_WITH_NULL_SHA256 \
TLS_PSK_WITH_NULL_SHA384 \
TLS_RSA_PSK_WITH_AES_128_CBC_SHA \
TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 \
TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 \
TLS_RSA_PSK_WITH_AES_256_CBC_SHA \
TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 \
TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 \
TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 \
TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 \
TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 \
TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 \
TLS_RSA_PSK_WITH_NULL_SHA256 \
TLS_RSA_PSK_WITH_NULL_SHA384 \
"
;;
esac
G_CIPHERS="$G_CIPHERS $CIPHERS"
M_CIPHERS="$M_CIPHERS $CIPHERS"
}
add_mbedtls_ciphersuites()
{
case $TYPE in
"ECDSA")
M_CIPHERS="$M_CIPHERS \
TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256 \
TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256 \
TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384 \
TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384 \
TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 \
TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 \
TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 \
TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 \
TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 \
TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 \
"
;;
"RSA")
M_CIPHERS="$M_CIPHERS \
TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256 \
TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384 \
TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 \
TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 \
TLS_RSA_WITH_ARIA_128_CBC_SHA256 \
TLS_RSA_WITH_ARIA_256_CBC_SHA384 \
"
;;
"PSK")
M_CIPHERS="$M_CIPHERS \
TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256 \
TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384 \
TLS_DHE_PSK_WITH_NULL_SHA \
TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256 \
TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384 \
TLS_ECDHE_PSK_WITH_NULL_SHA \
TLS_PSK_WITH_ARIA_128_CBC_SHA256 \
TLS_PSK_WITH_ARIA_256_CBC_SHA384 \
TLS_PSK_WITH_NULL_SHA \
TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256 \
TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256 \
TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384 \
TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384 \
TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 \
TLS_RSA_PSK_WITH_NULL_SHA \
"
;;
esac
}
o_check_ciphersuite()
{
if test "$OSSL_NO_DTLS" -gt 0 && is_dtls "$MODE"; then
SKIP_NEXT_="YES"
fi
if [ "$O_SUPPORT_DTLS12" = "NO" -a "$MODE" = "dtls12" ]; then
SKIP_NEXT="YES"
fi
if [ "${O_SUPPORT_STATIC_ECDH}" = "NO" ]; then
case "$1" in
*ECDH_*) SKIP_NEXT="YES"
esac
fi
}
setup_arguments()
{
DATA_FILES_PATH="../framework/data_files"
O_MODE=""
G_MODE=""
case "$MODE" in
"tls12")
O_MODE="tls1_2"
G_PRIO_MODE="+VERS-TLS1.2"
;;
"dtls12")
O_MODE="dtls1_2"
G_PRIO_MODE="+VERS-DTLS1.2"
G_MODE="-u"
;;
*)
echo "error: invalid mode: $MODE" >&2
exit 1;
esac
if [ -z "${GNUTLS_MINOR_LT_FOUR-}" ]; then
G_PRIO_CCM="+AES-256-CCM-8:+AES-128-CCM-8:"
else
G_PRIO_CCM=""
fi
M_SERVER_ARGS="server_port=$PORT server_addr=0.0.0.0 force_version=$MODE"
O_SERVER_ARGS="-accept $PORT -cipher ALL,COMPLEMENTOFALL -$O_MODE"
G_SERVER_ARGS="-p $PORT --http $G_MODE"
G_SERVER_PRIO="NORMAL:${G_PRIO_CCM}+NULL:+MD5:+PSK:+DHE-PSK:+ECDHE-PSK:+SHA256:+SHA384:+RSA-PSK:-VERS-TLS-ALL:$G_PRIO_MODE"
case $($OPENSSL version) in
"OpenSSL 1.0"*)
O_SERVER_ARGS="$O_SERVER_ARGS -dhparam $DATA_FILES_PATH/dhparams.pem"
;;
esac
if is_dtls "$MODE"; then
O_SERVER_ARGS="$O_SERVER_ARGS"
else
O_SERVER_ARGS="$O_SERVER_ARGS -www"
fi
M_CLIENT_ARGS="server_port=$PORT server_addr=127.0.0.1 force_version=$MODE"
O_CLIENT_ARGS="-connect localhost:$PORT -$O_MODE"
G_CLIENT_ARGS="-p $PORT --debug 3 $G_MODE"
case $($OPENSSL version) in
"OpenSSL 0"*|"OpenSSL 1.0"*) :;;
*)
O_CLIENT_ARGS="$O_CLIENT_ARGS -cipher ALL@SECLEVEL=0"
O_SERVER_ARGS="$O_SERVER_ARGS -cipher ALL@SECLEVEL=0"
;;
esac
case $($OPENSSL ciphers ALL) in
*ECDH-ECDSA*|*ECDH-RSA*) O_SUPPORT_STATIC_ECDH="YES";;
*) O_SUPPORT_STATIC_ECDH="NO";;
esac
case $($OPENSSL ciphers ALL) in
*DES-CBC-*) O_SUPPORT_SINGLE_DES="YES";;
*) O_SUPPORT_SINGLE_DES="NO";;
esac
O_SUPPORT_DTLS12="NO"
if $OPENSSL s_server -help 2>&1 | grep -q "^ *-dtls1_2 "; then
O_SUPPORT_DTLS12="YES"
fi
if [ "X$VERIFY" = "XYES" ];
then
M_SERVER_ARGS="$M_SERVER_ARGS ca_file=$DATA_FILES_PATH/test-ca_cat12.crt auth_mode=required"
O_SERVER_ARGS="$O_SERVER_ARGS -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -Verify 10"
G_SERVER_ARGS="$G_SERVER_ARGS --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --require-client-cert"
M_CLIENT_ARGS="$M_CLIENT_ARGS ca_file=$DATA_FILES_PATH/test-ca_cat12.crt auth_mode=required"
O_CLIENT_ARGS="$O_CLIENT_ARGS -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -verify 10"
G_CLIENT_ARGS="$G_CLIENT_ARGS --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt"
else
M_SERVER_ARGS="$M_SERVER_ARGS ca_file=none auth_mode=none"
G_SERVER_ARGS="$G_SERVER_ARGS --disable-client-cert"
M_CLIENT_ARGS="$M_CLIENT_ARGS ca_file=none auth_mode=none"
O_CLIENT_ARGS="$O_CLIENT_ARGS"
G_CLIENT_ARGS="$G_CLIENT_ARGS --insecure"
fi
case $TYPE in
"ECDSA")
M_SERVER_ARGS="$M_SERVER_ARGS crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key"
O_SERVER_ARGS="$O_SERVER_ARGS -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key"
G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile $DATA_FILES_PATH/server5.crt --x509keyfile $DATA_FILES_PATH/server5.key"
if [ "X$VERIFY" = "XYES" ]; then
M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=$DATA_FILES_PATH/server6.crt key_file=$DATA_FILES_PATH/server6.key"
O_CLIENT_ARGS="$O_CLIENT_ARGS -cert $DATA_FILES_PATH/server6.crt -key $DATA_FILES_PATH/server6.key"
G_CLIENT_ARGS="$G_CLIENT_ARGS --x509certfile $DATA_FILES_PATH/server6.crt --x509keyfile $DATA_FILES_PATH/server6.key"
else
M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=none key_file=none"
fi
;;
"RSA")
M_SERVER_ARGS="$M_SERVER_ARGS crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key"
O_SERVER_ARGS="$O_SERVER_ARGS -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key"
G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key"
if [ "X$VERIFY" = "XYES" ]; then
M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=$DATA_FILES_PATH/cert_sha256.crt key_file=$DATA_FILES_PATH/server1.key"
O_CLIENT_ARGS="$O_CLIENT_ARGS -cert $DATA_FILES_PATH/cert_sha256.crt -key $DATA_FILES_PATH/server1.key"
G_CLIENT_ARGS="$G_CLIENT_ARGS --x509certfile $DATA_FILES_PATH/cert_sha256.crt --x509keyfile $DATA_FILES_PATH/server1.key"
else
M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=none key_file=none"
fi
;;
"PSK")
M_SERVER_ARGS="$M_SERVER_ARGS psk=6162636465666768696a6b6c6d6e6f70 ca_file=none crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key"
O_SERVER_ARGS="$O_SERVER_ARGS -psk 6162636465666768696a6b6c6d6e6f70 -nocert"
G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --pskpasswd $DATA_FILES_PATH/passwd.psk"
M_CLIENT_ARGS="$M_CLIENT_ARGS psk=6162636465666768696a6b6c6d6e6f70 crt_file=none key_file=none"
O_CLIENT_ARGS="$O_CLIENT_ARGS -psk 6162636465666768696a6b6c6d6e6f70"
G_CLIENT_ARGS="$G_CLIENT_ARGS --pskusername Client_identity --pskkey=6162636465666768696a6b6c6d6e6f70"
;;
esac
}
is_mbedtls() {
case $1 in
*ssl_client2*) true;;
*ssl_server2*) true;;
*) false;;
esac
}
has_mem_err() {
if ( grep -F 'All heap blocks were freed -- no leaks are possible' "$1" &&
grep -F 'ERROR SUMMARY: 0 errors from 0 contexts' "$1" ) > /dev/null
then
return 1
else
return 0
fi
}
if type lsof >/dev/null 2>/dev/null; then
wait_server_start() {
START_TIME=$(date +%s)
if is_dtls "$MODE"; then
proto=UDP
else
proto=TCP
fi
while ! lsof -a -n -b -i "$proto:$1" -p "$2" >/dev/null 2>/dev/null; do
if [ $(( $(date +%s) - $START_TIME )) -gt $DOG_DELAY ]; then
echo "SERVERSTART TIMEOUT"
echo "SERVERSTART TIMEOUT" >> $SRV_OUT
break
fi
sleep 0.1 2>/dev/null || true
done
}
else
echo "Warning: lsof not available, wait_server_start = sleep"
wait_server_start() {
sleep 2
}
fi
start_server() {
case $1 in
[Oo]pen*)
SERVER_CMD="$OPENSSL s_server $O_SERVER_ARGS"
;;
[Gg]nu*)
SERVER_CMD="$GNUTLS_SERV $G_SERVER_ARGS --priority $G_SERVER_PRIO"
;;
mbed*)
SERVER_CMD="$M_SRV $M_SERVER_ARGS"
if [ "$MEMCHECK" -gt 0 ]; then
SERVER_CMD="valgrind --leak-check=full $SERVER_CMD"
fi
;;
*)
echo "error: invalid server name: $1" >&2
exit 1
;;
esac
SERVER_NAME=$1
log "$SERVER_CMD"
echo "$SERVER_CMD" > $SRV_OUT
while :; do echo bla; sleep 1; done | $SERVER_CMD >> $SRV_OUT 2>&1 &
SRV_PID=$!
wait_server_start "$PORT" "$SRV_PID"
}
stop_server() {
kill $SRV_PID >/dev/null 2>&1
wait $SRV_PID >> $SRV_OUT 2>&1
if [ "$MEMCHECK" -gt 0 ]; then
if is_mbedtls "$SERVER_CMD" && has_mem_err $SRV_OUT; then
echo " ! Server had memory errors"
SRVMEM=$(( $SRVMEM + 1 ))
return
fi
fi
rm -f $SRV_OUT
}
cleanup() {
rm -f $SRV_OUT $CLI_OUT
kill $SRV_PID >/dev/null 2>&1
kill $WATCHDOG_PID >/dev/null 2>&1
exit 1
}
wait_client_done() {
CLI_PID=$!
( sleep "$DOG_DELAY"; echo "TIMEOUT" >> $CLI_OUT; kill $CLI_PID ) &
WATCHDOG_PID=$!
wait $CLI_PID >> $CLI_OUT 2>&1
EXIT=$?
kill $WATCHDOG_PID >/dev/null 2>&1
wait $WATCHDOG_PID >> $CLI_OUT 2>&1
echo "EXIT: $EXIT" >> $CLI_OUT
}
uniform_title() {
TITLE="$1->$2 $MODE,$VERIF $3"
}
record_outcome() {
echo "$1"
if [ -n "$MBEDTLS_TEST_OUTCOME_FILE" ]; then
printf '%s;%s;%s;%s;%s;%s\n' \
"$MBEDTLS_TEST_PLATFORM" "$MBEDTLS_TEST_CONFIGURATION" \
"compat" "$TITLE" \
"$1" "${2-}" \
>> "$MBEDTLS_TEST_OUTCOME_FILE"
fi
}
save_logs() {
cp $SRV_OUT c-srv-${TESTS}.log
cp $CLI_OUT c-cli-${TESTS}.log
}
report_fail() {
FAIL_PROMPT="outputs saved to c-srv-${TESTS}.log, c-cli-${TESTS}.log"
record_outcome "FAIL" "$FAIL_PROMPT"
save_logs
echo " ! $FAIL_PROMPT"
if [ "${LOG_FAILURE_ON_STDOUT:-0}" != 0 ]; then
echo " ! server output:"
cat c-srv-${TESTS}.log
echo " ! ==================================================="
echo " ! client output:"
cat c-cli-${TESTS}.log
fi
}
run_client() {
TESTS=$(( $TESTS + 1 ))
uniform_title "${1%"${1#?}"}" "${SERVER_NAME%"${SERVER_NAME#?}"}" $2
DOTS72="........................................................................"
printf "%s %.*s " "$TITLE" "$((71 - ${#TITLE}))" "$DOTS72"
if [ "X$SKIP_NEXT" = "XYES" ]; then
SKIP_NEXT="NO"
record_outcome "SKIP"
SKIPPED=$(( $SKIPPED + 1 ))
return
fi
case $1 in
[Oo]pen*)
CLIENT_CMD="$OPENSSL s_client $O_CLIENT_ARGS -cipher $3"
log "$CLIENT_CMD"
echo "$CLIENT_CMD" > $CLI_OUT
printf 'GET HTTP/1.0\r\n\r\n' | $CLIENT_CMD >> $CLI_OUT 2>&1 &
wait_client_done
if [ $EXIT -eq 0 ]; then
RESULT=0
else
if grep 'Cipher is (NONE)' $CLI_OUT >/dev/null; then
RESULT=1
else
RESULT=2
fi
fi
;;
[Gg]nu*)
CLIENT_CMD="$GNUTLS_CLI $G_CLIENT_ARGS --priority $G_PRIO_MODE:$3 localhost"
log "$CLIENT_CMD"
echo "$CLIENT_CMD" > $CLI_OUT
printf 'GET HTTP/1.0\r\n\r\n' | $CLIENT_CMD >> $CLI_OUT 2>&1 &
wait_client_done
if [ $EXIT -eq 0 ]; then
RESULT=0
else
RESULT=2
if grep -F 'Received alert [40]: Handshake failed' $CLI_OUT; then
if grep -i 'SERVER HELLO .* was received' $CLI_OUT; then :
else
RESULT=1
fi
fi >/dev/null
fi
;;
mbed*)
CLIENT_CMD="$M_CLI $M_CLIENT_ARGS force_ciphersuite=$3"
if [ "$MEMCHECK" -gt 0 ]; then
CLIENT_CMD="valgrind --leak-check=full $CLIENT_CMD"
fi
log "$CLIENT_CMD"
echo "$CLIENT_CMD" > $CLI_OUT
$CLIENT_CMD >> $CLI_OUT 2>&1 &
wait_client_done
case $EXIT in
"0") RESULT=0 ;;
"2") RESULT=1 ;;
*) RESULT=2 ;;
esac
if [ "$MEMCHECK" -gt 0 ]; then
if is_mbedtls "$CLIENT_CMD" && has_mem_err $CLI_OUT; then
RESULT=2
fi
fi
;;
*)
echo "error: invalid client name: $1" >&2
exit 1
;;
esac
echo "EXIT: $EXIT" >> $CLI_OUT
case $RESULT in
"0")
record_outcome "PASS"
if [ "$PRESERVE_LOGS" -gt 0 ]; then
save_logs
fi
;;
"1")
record_outcome "SKIP"
SKIPPED=$(( $SKIPPED + 1 ))
;;
"2")
report_fail
FAILED=$(( $FAILED + 1 ))
;;
esac
rm -f $CLI_OUT
}
get_options "$@"
case "$MBEDTLS_TEST_OUTCOME_FILE" in
[!/]*)
MBEDTLS_TEST_OUTCOME_FILE="$ORIGINAL_PWD/$MBEDTLS_TEST_OUTCOME_FILE"
;;
esac
if [ ! -x "$M_SRV" ]; then
echo "Command '$M_SRV' is not an executable file" >&2
exit 1
fi
if [ ! -x "$M_CLI" ]; then
echo "Command '$M_CLI' is not an executable file" >&2
exit 1
fi
if echo "$PEERS" | grep -i openssl > /dev/null; then
if which "$OPENSSL" >/dev/null 2>&1; then :; else
echo "Command '$OPENSSL' not found" >&2
exit 1
fi
fi
if echo "$PEERS" | grep -i gnutls > /dev/null; then
for CMD in "$GNUTLS_CLI" "$GNUTLS_SERV"; do
if which "$CMD" >/dev/null 2>&1; then :; else
echo "Command '$CMD' not found" >&2
exit 1
fi
done
fi
for PEER in $PEERS; do
case "$PEER" in
mbed*|[Oo]pen*|[Gg]nu*)
;;
*)
echo "Unknown peers: $PEER" >&2
exit 1
esac
done
PORT="0000$$"
PORT="1$(echo $PORT | tail -c 5)"
SRV_OUT="srv_out.$$"
CLI_OUT="cli_out.$$"
if [ "$MEMCHECK" -gt 0 ]; then
DOG_DELAY=30
else
DOG_DELAY=10
fi
SKIP_NEXT="NO"
trap cleanup INT TERM HUP
for MODE in $MODES; do
for TYPE in $TYPES; do
SUB_VERIFIES=$VERIFIES
if [ "$TYPE" = "PSK" ]; then
SUB_VERIFIES="NO"
fi
for VERIFY in $SUB_VERIFIES; do
VERIF=$(echo $VERIFY | tr '[:upper:]' '[:lower:]')
for PEER in $PEERS; do
setup_arguments
case "$PEER" in
[Oo]pen*)
reset_ciphersuites
add_common_ciphersuites
add_openssl_ciphersuites
filter_ciphersuites
if [ "X" != "X$M_CIPHERS" ]; then
start_server "OpenSSL"
translate_ciphers m $M_CIPHERS
for i in $ciphers; do
o_check_ciphersuite "${i%%=*}"
run_client mbedTLS ${i%%=*} ${i#*=}
done
stop_server
fi
if [ "X" != "X$O_CIPHERS" ]; then
start_server "mbedTLS"
translate_ciphers o $O_CIPHERS
for i in $ciphers; do
o_check_ciphersuite "${i%%=*}"
run_client OpenSSL ${i%%=*} ${i#*=}
done
stop_server
fi
;;
[Gg]nu*)
reset_ciphersuites
add_common_ciphersuites
add_gnutls_ciphersuites
filter_ciphersuites
if [ "X" != "X$M_CIPHERS" ]; then
start_server "GnuTLS"
translate_ciphers m $M_CIPHERS
for i in $ciphers; do
run_client mbedTLS ${i%%=*} ${i#*=}
done
stop_server
fi
if [ "X" != "X$G_CIPHERS" ]; then
start_server "mbedTLS"
translate_ciphers g $G_CIPHERS
for i in $ciphers; do
run_client GnuTLS ${i%%=*} ${i#*=}
done
stop_server
fi
;;
mbed*)
reset_ciphersuites
add_common_ciphersuites
add_openssl_ciphersuites
add_gnutls_ciphersuites
add_mbedtls_ciphersuites
filter_ciphersuites
if [ "X" != "X$M_CIPHERS" ]; then
start_server "mbedTLS"
translate_ciphers m $M_CIPHERS
for i in $ciphers; do
run_client mbedTLS ${i%%=*} ${i#*=}
done
stop_server
fi
;;
*)
echo "Unknown peer: $PEER" >&2
exit 1
;;
esac
done
done
done
done
echo "------------------------------------------------------------------------"
if [ $FAILED -ne 0 -o $SRVMEM -ne 0 ]; then
printf "FAILED"
else
printf "PASSED"
fi
if [ "$MEMCHECK" -gt 0 ]; then
MEMREPORT=", $SRVMEM server memory errors"
else
MEMREPORT=""
fi
PASSED=$(( $TESTS - $FAILED ))
echo " ($PASSED / $TESTS tests ($SKIPPED skipped$MEMREPORT))"
if [ $((TESTS - SKIPPED)) -lt $MIN_TESTS ]; then
cat <<EOF
Error: Expected to run at least $MIN_TESTS, but only ran $((TESTS - SKIPPED)).
Maybe a bad filter ('$FILTER' excluding '$EXCLUDE') or a bad configuration?
EOF
if [ $FAILED -eq 0 ]; then
FAILED=1
fi
fi
FAILED=$(( $FAILED + $SRVMEM ))
if [ $FAILED -gt 255 ]; then
FAILED=255
fi
exit $FAILED