GnuTLS in compat.sh: server-side
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index ff6a2a9..5f031e2 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -1050,6 +1050,9 @@
char error_buf[100];
polarssl_strerror( ret, error_buf, 100 );
printf("Last error was: -0x%X - %s\n\n", -ret, error_buf );
+
+ if( ret == POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY )
+ ret = 0;
}
#endif
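Review bot: The reset of `ret` for `POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY` sits inside the error-printing block that closes just before `#endif`, so it appears to take effect only in builds where that preprocessor guard is enabled. In other builds, a clean close_notify from the peer would still leave `ret` non-zero for whatever consumes it afterwards. It also runs after the `printf`, so an orderly shutdown is still reported as "Last error was". Placing `if( ret == POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY ) ret = 0;` ahead of the guarded block would make the result independent of build configuration and keep the log quiet on a normal close. The opening of the block and its `#if` are outside the hunk, so confirm against the full file.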
diff --git a/tests/compat.sh b/tests/compat.sh
index 1107b71..286eec4 100755
--- a/tests/compat.sh
+++ b/tests/compat.sh
@@ -90,11 +90,25 @@
echo "$NEW_LIST" | sed -e 's/[[:space:]]\+/ /g' -e 's/^ //' -e 's/ $//'
}
-setup_ciphersuites()
+filter_ciphersuites()
+{
+ if [ "X" != "X$FILTER" ];
+ then
+ P_CIPHERS=$( filter "$P_CIPHERS" "$FILTER" )
+ O_CIPHERS=$( filter "$O_CIPHERS" "$FILTER" )
+ G_CIPHERS=$( filter "$G_CIPHERS" "$FILTER" )
+ fi
+}
+
+reset_ciphersuites()
{
P_CIPHERS=""
O_CIPHERS=""
+ G_CIPHERS=""
+}
+add_openssl_ciphersuites()
+{
case $TYPE in
"ECDSA")
@@ -254,54 +268,31 @@
"
;;
esac
-
- # Filter ciphersuites
- if [ "X" != "X$FILTER" ];
- then
- O_CIPHERS=$( filter "$O_CIPHERS" "$FILTER" )
- P_CIPHERS=$( filter "$P_CIPHERS" "$FILTER" )
- fi
-
}
-add_polarssl_ciphersuites()
+add_gnutls_ciphersuites()
{
- ADD_CIPHERS=""
-
+ # TODO: add to G_CIPHERS too
case $TYPE in
"ECDSA")
- if [ "$MODE" != "ssl3" ];
- then
- ADD_CIPHERS="$ADD_CIPHERS \
- TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA256 \
- TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA384 \
- TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA256 \
- TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384 \
- "
- fi
if [ "$MODE" = "tls1_2" ];
then
- ADD_CIPHERS="$ADD_CIPHERS \
+ P_CIPHERS="$P_CIPHERS \
+ TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA256 \
+ TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA384 \
TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-GCM-SHA256 \
TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-GCM-SHA384 \
- TLS-ECDH-ECDSA-WITH-CAMELLIA-128-GCM-SHA256 \
- TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384 \
"
fi
;;
"RSA")
- if [ "$MODE" != "ssl3" ];
- then
- ADD_CIPHERS="$ADD_CIPHERS \
- TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA256 \
- TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA384 \
- "
- fi
if [ "$MODE" = "tls1_2" ];
then
- ADD_CIPHERS="$ADD_CIPHERS \
+ P_CIPHERS="$P_CIPHERS \
+ TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA256 \
+ TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA384 \
TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256 \
TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256 \
TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256 \
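Review bot: `add_gnutls_ciphersuites` only ever appends to `P_CIPHERS`, so with the `# TODO: add to G_CIPHERS too` left open, `G_CIPHERS` is still empty after `reset_ciphersuites`. The `if [ "X" != "X$G_CIPHERS" ]` block in the main loop (the `run_client GnuTLS $i` loop in the later hunk) therefore cannot execute in this commit. That loop reads as if the GnuTLS-client direction were being tested, which it is not. Either leave the loop out until the client side exists or make the TODO say so, e.g. `# TODO: fill G_CIPHERS; the GnuTLS-client loop in the main loop is dead until then`. Whether `run_client` accepts "GnuTLS" at all is not visible here, and the function body continues past this hunk.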
@@ -317,57 +308,50 @@
;;
"PSK")
- ADD_CIPHERS="$ADD_CIPHERS \
- TLS-DHE-PSK-WITH-RC4-128-SHA \
- TLS-DHE-PSK-WITH-3DES-EDE-CBC-SHA \
- TLS-DHE-PSK-WITH-AES-128-CBC-SHA \
- TLS-DHE-PSK-WITH-AES-256-CBC-SHA \
- TLS-DHE-PSK-WITH-NULL-SHA \
- TLS-PSK-WITH-NULL-SHA \
- TLS-RSA-PSK-WITH-RC4-128-SHA \
- TLS-RSA-PSK-WITH-3DES-EDE-CBC-SHA \
- TLS-RSA-PSK-WITH-AES-256-CBC-SHA \
- TLS-RSA-PSK-WITH-AES-128-CBC-SHA \
- TLS-RSA-WITH-NULL-SHA \
- TLS-RSA-WITH-NULL-MD5 \
- TLS-PSK-WITH-AES-128-CBC-SHA256 \
- TLS-PSK-WITH-AES-256-CBC-SHA384 \
- TLS-DHE-PSK-WITH-AES-128-CBC-SHA256 \
- TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 \
- TLS-PSK-WITH-NULL-SHA256 \
- TLS-PSK-WITH-NULL-SHA384 \
- TLS-DHE-PSK-WITH-NULL-SHA256 \
- TLS-DHE-PSK-WITH-NULL-SHA384 \
- TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 \
- TLS-RSA-PSK-WITH-AES-128-CBC-SHA256 \
- TLS-RSA-PSK-WITH-NULL-SHA256 \
- TLS-RSA-PSK-WITH-NULL-SHA384 \
- TLS-DHE-PSK-WITH-CAMELLIA-128-CBC-SHA256 \
- TLS-DHE-PSK-WITH-CAMELLIA-256-CBC-SHA384 \
- TLS-PSK-WITH-CAMELLIA-128-CBC-SHA256 \
- TLS-PSK-WITH-CAMELLIA-256-CBC-SHA384 \
- TLS-RSA-PSK-WITH-CAMELLIA-256-CBC-SHA384 \
- TLS-RSA-PSK-WITH-CAMELLIA-128-CBC-SHA256 \
- "
+ # GnuTLS 3.2.11 (2014-02-13) requires TLS 1.x for most *PSK suites
if [ "$MODE" != "ssl3" ];
then
- ADD_CIPHERS="$ADD_CIPHERS \
+ P_CIPHERS="$P_CIPHERS \
TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA \
TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA \
TLS-ECDHE-PSK-WITH-3DES-EDE-CBC-SHA \
- TLS-ECDHE-PSK-WITH-RC4-128-SHA \
- TLS-ECDHE-PSK-WITH-NULL-SHA \
+ TLS-DHE-PSK-WITH-3DES-EDE-CBC-SHA \
+ TLS-DHE-PSK-WITH-AES-128-CBC-SHA \
+ TLS-DHE-PSK-WITH-AES-256-CBC-SHA \
+ TLS-RSA-PSK-WITH-3DES-EDE-CBC-SHA \
+ TLS-RSA-PSK-WITH-AES-256-CBC-SHA \
+ TLS-RSA-PSK-WITH-AES-128-CBC-SHA \
+ TLS-RSA-WITH-NULL-SHA \
+ TLS-RSA-WITH-NULL-MD5 \
+ "
+ fi
+ if [ "$MODE" = "tls1_2" ];
+ then
+ P_CIPHERS="$P_CIPHERS \
TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384 \
TLS-ECDHE-PSK-WITH-CAMELLIA-256-CBC-SHA384 \
TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256 \
TLS-ECDHE-PSK-WITH-CAMELLIA-128-CBC-SHA256 \
TLS-ECDHE-PSK-WITH-NULL-SHA384 \
TLS-ECDHE-PSK-WITH-NULL-SHA256 \
- "
- fi
- if [ "$MODE" = "tls1_2" ];
- then
- ADD_CIPHERS="$ADD_CIPHERS \
+ TLS-PSK-WITH-AES-128-CBC-SHA256 \
+ TLS-PSK-WITH-AES-256-CBC-SHA384 \
+ TLS-DHE-PSK-WITH-AES-128-CBC-SHA256 \
+ TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 \
+ TLS-PSK-WITH-NULL-SHA256 \
+ TLS-PSK-WITH-NULL-SHA384 \
+ TLS-DHE-PSK-WITH-NULL-SHA256 \
+ TLS-DHE-PSK-WITH-NULL-SHA384 \
+ TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 \
+ TLS-RSA-PSK-WITH-AES-128-CBC-SHA256 \
+ TLS-RSA-PSK-WITH-NULL-SHA256 \
+ TLS-RSA-PSK-WITH-NULL-SHA384 \
+ TLS-DHE-PSK-WITH-CAMELLIA-128-CBC-SHA256 \
+ TLS-DHE-PSK-WITH-CAMELLIA-256-CBC-SHA384 \
+ TLS-PSK-WITH-CAMELLIA-128-CBC-SHA256 \
+ TLS-PSK-WITH-CAMELLIA-256-CBC-SHA384 \
+ TLS-RSA-PSK-WITH-CAMELLIA-256-CBC-SHA384 \
+ TLS-RSA-PSK-WITH-CAMELLIA-128-CBC-SHA256 \
TLS-PSK-WITH-AES-128-GCM-SHA256 \
TLS-PSK-WITH-AES-256-GCM-SHA384 \
TLS-DHE-PSK-WITH-AES-128-GCM-SHA256 \
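Review bot: Moving the PSK suites under `[ "$MODE" != "ssl3" ]` and `[ "$MODE" = "tls1_2" ]` to suit GnuTLS also narrows the final PolarSSL-to-PolarSSL pass, because that pass now builds `P_CIPHERS` from this same function. Suites that the removed unconditional list exercised in every mode (for example `TLS-DHE-PSK-WITH-AES-128-CBC-SHA` or `TLS-RSA-WITH-NULL-SHA`) are no longer run with ssl3 unless `add_openssl_ciphersuites` supplies them, which is not visible here. The CAMELLIA CBC-SHA256/384 suites in the previous hunk show the same narrowing, from `!= ssl3` to `tls1_2`. If the self-test coverage is meant to stay as it was, `add_polarssl_ciphersuites` could re-add the affected names under the complementary guard, e.g. `if [ "$MODE" = "ssl3" ]; then … fi`. If the reduction is intentional, the commit message should say so. The function starts in the previous hunk and ends in the next one.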
@@ -385,24 +369,64 @@
fi
;;
esac
+}
- # Filter new ciphersuites and add them
- if [ "X" != "X$FILTER" ]; then
- ADD_CIPHERS=$( filter "$ADD_CIPHERS" "$FILTER" )
- fi
- # avoid P_CIPHERS being only ' '
- if [ "X" != "X$P_CIPHERS" ]; then
- P_CIPHERS="$P_CIPHERS $ADD_CIPHERS"
- else
- P_CIPHERS="$ADD_CIPHERS"
- fi
+add_polarssl_ciphersuites()
+{
+ case $TYPE in
+
+ "ECDSA")
+ if [ "$MODE" != "ssl3" ];
+ then
+ P_CIPHERS="$P_CIPHERS \
+ TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA256 \
+ TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384 \
+ "
+ fi
+ if [ "$MODE" = "tls1_2" ];
+ then
+ P_CIPHERS="$P_CIPHERS \
+ TLS-ECDH-ECDSA-WITH-CAMELLIA-128-GCM-SHA256 \
+ TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384 \
+ "
+ fi
+ ;;
+
+ "RSA")
+ ;;
+
+ "PSK")
+ P_CIPHERS="$P_CIPHERS \
+ TLS-PSK-WITH-NULL-SHA \
+ TLS-DHE-PSK-WITH-RC4-128-SHA \
+ TLS-DHE-PSK-WITH-NULL-SHA \
+ TLS-RSA-PSK-WITH-RC4-128-SHA \
+ "
+ if [ "$MODE" != "ssl3" ];
+ then
+ P_CIPHERS="$P_CIPHERS \
+ TLS-ECDHE-PSK-WITH-RC4-128-SHA \
+ TLS-ECDHE-PSK-WITH-NULL-SHA \
+ "
+ fi
+ ;;
+ esac
}
setup_arguments()
{
- # avoid an avalanche of errors due to typos
case $MODE in
- ssl3|tls1|tls1_1|tls1_2)
+ "ssl3")
+ G_PRIO_MODE="+VERS-SSL3.0"
+ ;;
+ "tls1")
+ G_PRIO_MODE="+VERS-TLS1.0"
+ ;;
+ "tls1_1")
+ G_PRIO_MODE="+VERS-TLS1.1"
+ ;;
+ "tls1_2")
+ G_PRIO_MODE="+VERS-TLS1.2"
;;
*)
echo "error: invalid mode: $MODE" >&2
@@ -410,20 +434,26 @@
esac
P_SERVER_ARGS="server_addr=0.0.0.0 force_version=$MODE"
- P_CLIENT_ARGS="server_name=localhost force_version=$MODE"
- O_SERVER_ARGS="-www -quiet -cipher NULL,ALL -$MODE"
+ O_SERVER_ARGS="-www -cipher NULL,ALL -$MODE"
+ G_SERVER_ARGS="-p 4433 --http"
+ G_PRIO_BASE="EXPORT:+PSK:+DHE-PSK:+ECDHE-PSK:+RSA-PSK:-VERS-TLS-ALL"
+
+ P_CLIENT_ARGS="force_version=$MODE"
O_CLIENT_ARGS="-$MODE"
if [ "X$VERIFY" = "XYES" ];
then
P_SERVER_ARGS="$P_SERVER_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required"
- P_CLIENT_ARGS="$P_CLIENT_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required"
O_SERVER_ARGS="$O_SERVER_ARGS -CAfile data_files/test-ca_cat12.crt -Verify 10"
+ G_SERVER_ARGS="$G_SERVER_ARGS --x509cafile data_files/test-ca_cat12.crt --require-client-cert"
+
+ P_CLIENT_ARGS="$P_CLIENT_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required"
O_CLIENT_ARGS="$O_CLIENT_ARGS -CAfile data_files/test-ca_cat12.crt -verify 10"
else
- # ssl_server2 defaults to optional, but we want to test handshakes
- # that don't exchange client certificate at all too
+ # don't request a client cert at all
P_SERVER_ARGS="$P_SERVER_ARGS ca_file=none auth_mode=none"
+ G_SERVER_ARGS="$G_SERVER_ARGS --disable-client-cert"
+
# give dummy CA to clients
P_CLIENT_ARGS="$P_CLIENT_ARGS ca_file=data_files/cli2.crt"
O_CLIENT_ARGS="$O_CLIENT_ARGS -CAfile data_files/cli2.crt"
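Review bot: `G_PRIO_BASE` is an opaque priority string with no comment explaining it. A line such as `# EXPORT = all suites incl. low-security ones; add PSK key exchanges; -VERS-TLS-ALL clears every protocol version so G_PRIO_MODE enables exactly one` above it would tell the next maintainer why the test server is deliberately permissive. The same hunk also drops `server_name=localhost` from `P_CLIENT_ARGS` and `-quiet` from `O_SERVER_ARGS` without explanation. If the client's certificate name check relied on that argument rather than on a built-in default, the VERIFY=YES runs now verify less than before, so the reason for the removal belongs in the commit message. `setup_arguments` starts before and continues after this hunk.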
@@ -433,6 +463,8 @@
"ECDSA")
P_SERVER_ARGS="$P_SERVER_ARGS crt_file=data_files/server5.crt key_file=data_files/server5.key"
O_SERVER_ARGS="$O_SERVER_ARGS -cert data_files/server5.crt -key data_files/server5.key"
+ G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
+
if [ "X$VERIFY" = "XYES" ]; then
P_CLIENT_ARGS="$P_CLIENT_ARGS crt_file=data_files/server6.crt key_file=data_files/server6.key"
O_CLIENT_ARGS="$O_CLIENT_ARGS -cert data_files/server6.crt -key data_files/server6.key"
@@ -444,6 +476,8 @@
"RSA")
P_SERVER_ARGS="$P_SERVER_ARGS crt_file=data_files/server2.crt key_file=data_files/server2.key"
O_SERVER_ARGS="$O_SERVER_ARGS -cert data_files/server2.crt -key data_files/server2.key"
+ G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile data_files/server2.crt --x509keyfile data_files/server2.key"
+
if [ "X$VERIFY" = "XYES" ]; then
P_CLIENT_ARGS="$P_CLIENT_ARGS crt_file=data_files/server1.crt key_file=data_files/server1.key"
O_CLIENT_ARGS="$O_CLIENT_ARGS -cert data_files/server1.crt -key data_files/server1.key"
@@ -453,11 +487,13 @@
;;
"PSK")
- # give our server a certificate for RSA-PSK
+ # give RSA-PSK-capable server a RSA cert
# (should be a separate type, but harder to close with openssl)
P_SERVER_ARGS="$P_SERVER_ARGS psk=6162636465666768696a6b6c6d6e6f70 ca_file=none crt_file=data_files/server2.crt key_file=data_files/server2.key"
- P_CLIENT_ARGS="$P_CLIENT_ARGS psk=6162636465666768696a6b6c6d6e6f70 crt_file=none key_file=none"
O_SERVER_ARGS="$O_SERVER_ARGS -psk 6162636465666768696a6b6c6d6e6f70 -nocert"
+ G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile data_files/server2.crt --x509keyfile data_files/server2.key --pskpasswd data_files/passwd.psk"
+
+ P_CLIENT_ARGS="$P_CLIENT_ARGS psk=6162636465666768696a6b6c6d6e6f70 crt_file=none key_file=none"
O_CLIENT_ARGS="$O_CLIENT_ARGS -psk 6162636465666768696a6b6c6d6e6f70"
;;
esac
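Review bot: The test PSK now lives in two places that must agree: the hex literal repeated in `P_SERVER_ARGS`, `O_SERVER_ARGS`, `P_CLIENT_ARGS` and `O_CLIENT_ARGS`, and the new `data_files/passwd.psk` passed via `--pskpasswd`. The GnuTLS server additionally depends on the identity `Client_identity` in that file matching what the PolarSSL client sends, which is presumably the client's default since no identity argument is passed. A short comment next to `G_SERVER_ARGS`, e.g. `# passwd.psk must carry the same key as psk= above, under the client's default identity`, would keep a later key change from failing only the GnuTLS runs. The hex key also appears on the command line of every server and client; that is acceptable for a fixed test vector but should not be copied for real keys.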
@@ -486,6 +522,9 @@
[Oo]pen*)
SERVER_CMD="$OPENSSL s_server $O_SERVER_ARGS"
;;
+ [Gg]nu*)
+ SERVER_CMD="gnutls-serv $G_SERVER_ARGS --priority $G_PRIO_BASE:$G_PRIO_MODE"
+ ;;
[Pp]olar*)
SERVER_CMD="$P_SRV $P_SERVER_ARGS"
if [ "$MEMCHECK" -gt 0 ]; then
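Review bot: The GnuTLS branch hard-codes the binary name `gnutls-serv`, while the neighbouring branches use the overridable `$OPENSSL` and `$P_SRV`. An overridable default such as `: ${GNUTLS_SERV:=gnutls-serv}` near the other tool variables, with `SERVER_CMD="$GNUTLS_SERV $G_SERVER_ARGS --priority $G_PRIO_BASE:$G_PRIO_MODE"` here, would let the tester pin a specific build. Nothing visible checks that the tool is installed before the main loop calls `start_server "GnuTLS"`, so on a host without GnuTLS every client run in that pass would presumably fail rather than be skipped. A `command -v` probe that skips the pass would avoid that. The enclosing function starts and ends outside this hunk.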
@@ -642,7 +681,7 @@
get_options "$@"
-killall -q openssl ssl_server ssl_server2
+killall -q gnutls-serv openssl ssl_server ssl_server2
trap cleanup INT TERM HUP
for VERIFY in $VERIFIES; do
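Review bot: Adding `gnutls-serv` to `killall -q` widens a by-name kill that already covers `openssl`. On a shared developer or CI host this terminates any matching process the invoking user may signal, not only servers started by this script. Recording the PID of the server that `start_server` launches and killing only that PID would confine cleanup to the script's own children. How `start_server` and `cleanup` track the process is not visible in this hunk, so check whether a PID is already available there.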
@@ -650,7 +689,10 @@
for TYPE in $TYPES; do
setup_arguments
- setup_ciphersuites
+
+ reset_ciphersuites
+ add_openssl_ciphersuites
+ filter_ciphersuites
if [ "X" != "X$P_CIPHERS" ]; then
start_server "OpenSSL"
@@ -668,7 +710,31 @@
stop_server
fi
+ reset_ciphersuites
+ add_gnutls_ciphersuites
+ filter_ciphersuites
+
+ if [ "X" != "X$P_CIPHERS" ]; then
+ start_server "GnuTLS"
+ for i in $P_CIPHERS; do
+ run_client PolarSSL $i
+ done
+ stop_server
+ fi
+
+ if [ "X" != "X$G_CIPHERS" ]; then
+ start_server "PolarSSL"
+ for i in $G_CIPHERS; do
+ run_client GnuTLS $i
+ done
+ stop_server
+ fi
+
+ reset_ciphersuites
+ add_openssl_ciphersuites
+ add_gnutls_ciphersuites
add_polarssl_ciphersuites
+ filter_ciphersuites
if [ "X" != "X$P_CIPHERS" ]; then
start_server "PolarSSL"
diff --git a/tests/data_files/passwd.psk b/tests/data_files/passwd.psk
new file mode 100644
index 0000000..17fee37
--- /dev/null
+++ b/tests/data_files/passwd.psk
@@ -0,0 +1 @@
+Client_identity:6162636465666768696a6b6c6d6e6f70