TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / refs/heads/restartable-ecc-unused-variable-2-16 / . / tests / compat.sh
blob: bf65e5e61fc5f162c5e42f86aaf439cf1e69fb43 [file] [log] [blame]
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]1#!/bin/sh
Paul Bakkeraccd4eb2013-07-19 13:41:51 +0200[diff] [blame]2
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]3# compat.sh
4#
5# This file is part of mbed TLS (https://tls.mbed.org)
6#
7# Copyright (c) 2012-2016, ARM Limited, All Rights Reserved
8#
9# Purpose
10#
11# Test interoperbility with OpenSSL, GnuTLS as well as itself.
Manuel Pégourié-Gonnard12b84722014-03-25 19:07:28 +0100[diff] [blame]12#
13# Check each common ciphersuite, with each version, both ways (client/server),
14# with and without client authentication.
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]15
Manuel Pégourié-Gonnard913030c2014-03-28 10:12:38 +0100[diff] [blame]16set -u
17
Manuel Pégourié-Gonnarda1a9f9a2014-03-25 18:04:59 +0100[diff] [blame]18# initialise counters
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]19TESTS=0
20FAILED=0
21SKIPPED=0
22SRVMEM=0
Manuel Pégourié-Gonnard70064fd2013-08-27 22:00:47 +0200[diff] [blame]23
Manuel Pégourié-Gonnarda1a9f9a2014-03-25 18:04:59 +0100[diff] [blame]24# default commands, can be overriden by the environment
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]25: ${M_SRV:=../programs/ssl/ssl_server2}
26: ${M_CLI:=../programs/ssl/ssl_client2}
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]27: ${OPENSSL_CMD:=openssl} # OPENSSL would conflict with the build system
28: ${GNUTLS_CLI:=gnutls-cli}
29: ${GNUTLS_SERV:=gnutls-serv}
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]30
Manuel Pégourié-Gonnard1287f112014-08-31 16:20:58 +0200[diff] [blame]31# do we have a recent enough GnuTLS?
Manuel Pégourié-Gonnard03db6b02015-06-26 15:45:30 +0200[diff] [blame]32if ( which $GNUTLS_CLI && which $GNUTLS_SERV ) >/dev/null 2>&1; then
Manuel Pégourié-Gonnarddd459272014-10-24 12:57:37 +0200[diff] [blame]33 G_VER="$( $GNUTLS_CLI --version | head -n1 )"
34 if echo "$G_VER" | grep '@VERSION@' > /dev/null; then # git version
Manuel Pégourié-Gonnard1287f112014-08-31 16:20:58 +0200[diff] [blame]35 PEER_GNUTLS=" GnuTLS"
Manuel Pégourié-Gonnarddd459272014-10-24 12:57:37 +0200[diff] [blame]36 else
37 eval $( echo $G_VER | sed 's/.* \([0-9]*\)\.\([0-9]\)*\.\([0-9]*\)$/MAJOR="\1" MINOR="\2" PATCH="\3"/' )
38 if [ $MAJOR -lt 3 -o \
39 \( $MAJOR -eq 3 -a $MINOR -lt 2 \) -o \
40 \( $MAJOR -eq 3 -a $MINOR -eq 2 -a $PATCH -lt 15 \) ]
41 then
42 PEER_GNUTLS=""
43 else
44 PEER_GNUTLS=" GnuTLS"
Manuel Pégourié-Gonnardc36b4322018-06-14 13:14:29 +0200[diff] [blame]45 if [ $MINOR -lt 4 ]; then
46 GNUTLS_MINOR_LT_FOUR='x'
47 fi
Manuel Pégourié-Gonnarddd459272014-10-24 12:57:37 +0200[diff] [blame]48 fi
Manuel Pégourié-Gonnard1287f112014-08-31 16:20:58 +0200[diff] [blame]49 fi
50else
51 PEER_GNUTLS=""
52fi
53
Manuel Pégourié-Gonnarda1a9f9a2014-03-25 18:04:59 +0100[diff] [blame]54# default values for options
Simon Butcher3ea7f522016-03-07 23:22:10 +0000[diff] [blame]55MODES="tls1 tls1_1 tls1_2 dtls1 dtls1_2"
Paul Bakker1eeceae2012-11-23 14:25:34 +0100[diff] [blame]56VERIFIES="NO YES"
Manuel Pégourié-Gonnard7ebaf372013-08-27 21:03:33 +0200[diff] [blame]57TYPES="ECDSA RSA PSK"
Paul Bakkeraccd4eb2013-07-19 13:41:51 +0200[diff] [blame]58FILTER=""
Manuel Pégourié-Gonnard7299dfd2018-02-15 11:43:55 +0100[diff] [blame]59# exclude:
60# - NULL: excluded from our default config
61# - RC4, single-DES: requires legacy OpenSSL/GnuTLS versions
62# avoid plain DES but keep 3DES-EDE-CBC (mbedTLS), DES-CBC3 (OpenSSL)
Manuel Pégourié-Gonnard2268b962018-02-27 12:22:36 +0100[diff] [blame]63# - ARIA: not in default config.h + requires OpenSSL >= 1.1.1
Manuel Pégourié-Gonnard9fece7e2018-06-18 11:38:22 +0200[diff] [blame]64# - ChachaPoly: requires OpenSSL >= 1.1.0
65EXCLUDE='NULL\|DES-CBC-\|RC4\|ARCFOUR\|ARIA\|CHACHA20-POLY1305'
Paul Bakkeraccd4eb2013-07-19 13:41:51 +0200[diff] [blame]66VERBOSE=""
Manuel Pégourié-Gonnard3eec6042014-02-27 15:37:24 +0100[diff] [blame]67MEMCHECK=0
Manuel Pégourié-Gonnarde4f6edc2015-01-22 16:43:54 +0000[diff] [blame]68PEERS="OpenSSL$PEER_GNUTLS mbedTLS"
Paul Bakkeraccd4eb2013-07-19 13:41:51 +0200[diff] [blame]69
Manuel Pégourié-Gonnard39e2ca92015-08-04 16:43:37 +0200[diff] [blame]70# hidden option: skip DTLS with OpenSSL
71# (travis CI has a version that doesn't work for us)
72: ${OSSL_NO_DTLS:=0}
73
Manuel Pégourié-Gonnard9dea8bd2014-02-26 18:21:02 +0100[diff] [blame]74print_usage() {
75 echo "Usage: $0"
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]76 printf " -h|--help\tPrint this help.\n"
77 printf " -f|--filter\tOnly matching ciphersuites are tested (Default: '$FILTER')\n"
78 printf " -e|--exclude\tMatching ciphersuites are excluded (Default: '$EXCLUDE')\n"
79 printf " -m|--modes\tWhich modes to perform (Default: '$MODES')\n"
80 printf " -t|--types\tWhich key exchange type to perform (Default: '$TYPES')\n"
81 printf " -V|--verify\tWhich verification modes to perform (Default: '$VERIFIES')\n"
82 printf " -p|--peers\tWhich peers to use (Default: '$PEERS')\n"
83 printf " \tAlso available: GnuTLS (needs v3.2.15 or higher)\n"
84 printf " -M|--memcheck\tCheck memory leaks and errors.\n"
85 printf " -v|--verbose\tSet verbose output.\n"
Manuel Pégourié-Gonnard9dea8bd2014-02-26 18:21:02 +0100[diff] [blame]86}
87
88get_options() {
89 while [ $# -gt 0 ]; do
90 case "$1" in
91 -f|--filter)
92 shift; FILTER=$1
93 ;;
Manuel Pégourié-Gonnard9edba772014-03-13 17:45:35 +0100[diff] [blame]94 -e|--exclude)
95 shift; EXCLUDE=$1
96 ;;
Manuel Pégourié-Gonnard9dea8bd2014-02-26 18:21:02 +0100[diff] [blame]97 -m|--modes)
98 shift; MODES=$1
99 ;;
100 -t|--types)
101 shift; TYPES=$1
102 ;;
103 -V|--verify)
104 shift; VERIFIES=$1
105 ;;
Manuel Pégourié-Gonnard9edba772014-03-13 17:45:35 +0100[diff] [blame]106 -p|--peers)
107 shift; PEERS=$1
108 ;;
Manuel Pégourié-Gonnard9dea8bd2014-02-26 18:21:02 +0100[diff] [blame]109 -v|--verbose)
110 VERBOSE=1
111 ;;
Manuel Pégourié-Gonnard3eec6042014-02-27 15:37:24 +0100[diff] [blame]112 -M|--memcheck)
113 MEMCHECK=1
114 ;;
Manuel Pégourié-Gonnard9dea8bd2014-02-26 18:21:02 +0100[diff] [blame]115 -h|--help)
116 print_usage
117 exit 0
118 ;;
119 *)
120 echo "Unknown argument: '$1'"
121 print_usage
122 exit 1
123 ;;
124 esac
125 shift
126 done
Manuel Pégourié-Gonnard85a41782014-10-24 12:47:26 +0200[diff] [blame]127
128 # sanitize some options (modes checked later)
129 VERIFIES="$( echo $VERIFIES | tr [a-z] [A-Z] )"
130 TYPES="$( echo $TYPES | tr [a-z] [A-Z] )"
Manuel Pégourié-Gonnard9dea8bd2014-02-26 18:21:02 +0100[diff] [blame]131}
Paul Bakkeraccd4eb2013-07-19 13:41:51 +0200[diff] [blame]132
Manuel Pégourié-Gonnard95957712014-02-19 15:29:38 +0100[diff] [blame]133log() {
Paul Bakkeraccd4eb2013-07-19 13:41:51 +0200[diff] [blame]134 if [ "X" != "X$VERBOSE" ]; then
Manuel Pégourié-Gonnard3025b6c2014-03-26 15:30:16 +0100[diff] [blame]135 echo ""
Paul Bakkeraccd4eb2013-07-19 13:41:51 +0200[diff] [blame]136 echo "$@"
137 fi
138}
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]139
Manuel Pégourié-Gonnard3025b6c2014-03-26 15:30:16 +0100[diff] [blame]140# is_dtls <mode>
141is_dtls()
142{
143 test "$1" = "dtls1" -o "$1" = "dtls1_2"
144}
145
146# minor_ver <mode>
147minor_ver()
148{
149 case "$1" in
150 ssl3)
151 echo 0
152 ;;
153 tls1)
154 echo 1
155 ;;
156 tls1_1|dtls1)
157 echo 2
158 ;;
159 tls1_2|dtls1_2)
160 echo 3
161 ;;
162 *)
163 echo "error: invalid mode: $MODE" >&2
164 # exiting is no good here, typically called in a subshell
165 echo -1
166 esac
167}
168
Manuel Pégourié-Gonnarddfc8d5a2013-08-27 20:48:40 +0200[diff] [blame]169filter()
170{
Manuel Pégourié-Gonnard9edba772014-03-13 17:45:35 +0100[diff] [blame]171 LIST="$1"
Manuel Pégourié-Gonnarddfc8d5a2013-08-27 20:48:40 +0200[diff] [blame]172 NEW_LIST=""
173
Manuel Pégourié-Gonnard3025b6c2014-03-26 15:30:16 +0100[diff] [blame]174 if is_dtls "$MODE"; then
Manuel Pégourié-Gonnard29980b12014-07-10 20:12:56 +0200[diff] [blame]175 EXCLMODE="$EXCLUDE"'\|RC4\|ARCFOUR'
Manuel Pégourié-Gonnard3025b6c2014-03-26 15:30:16 +0100[diff] [blame]176 else
177 EXCLMODE="$EXCLUDE"
178 fi
179
Manuel Pégourié-Gonnarddfc8d5a2013-08-27 20:48:40 +0200[diff] [blame]180 for i in $LIST;
181 do
Manuel Pégourié-Gonnard3025b6c2014-03-26 15:30:16 +0100[diff] [blame]182 NEW_LIST="$NEW_LIST $( echo "$i" | grep "$FILTER" | grep -v "$EXCLMODE" )"
Manuel Pégourié-Gonnarddfc8d5a2013-08-27 20:48:40 +0200[diff] [blame]183 done
184
Manuel Pégourié-Gonnard911622d2014-02-27 11:50:40 +0100[diff] [blame]185 # normalize whitespace
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]186 echo "$NEW_LIST" | sed -e 's/[[:space:]][[:space:]]*/ /g' -e 's/^ //' -e 's/ $//'
Manuel Pégourié-Gonnarddfc8d5a2013-08-27 20:48:40 +0200[diff] [blame]187}
188
Manuel Pégourié-Gonnard53aef812014-07-11 17:41:24 +0200[diff] [blame]189# OpenSSL 1.0.1h with -Verify wants a ClientCertificate message even for
190# PSK ciphersuites with DTLS, which is incorrect, so disable them for now
191check_openssl_server_bug()
192{
193 if test "X$VERIFY" = "XYES" && is_dtls "$MODE" && \
194 echo "$1" | grep "^TLS-PSK" >/dev/null;
195 then
196 SKIP_NEXT="YES"
197 fi
198}
199
Manuel Pégourié-Gonnard5b2d7762014-02-28 12:42:57 +0100[diff] [blame]200filter_ciphersuites()
201{
Manuel Pégourié-Gonnard9edba772014-03-13 17:45:35 +0100[diff] [blame]202 if [ "X" != "X$FILTER" -o "X" != "X$EXCLUDE" ];
Manuel Pégourié-Gonnard5b2d7762014-02-28 12:42:57 +0100[diff] [blame]203 then
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]204 # Ciphersuite for mbed TLS
205 M_CIPHERS=$( filter "$M_CIPHERS" )
206
207 # Ciphersuite for OpenSSL
Manuel Pégourié-Gonnard9edba772014-03-13 17:45:35 +0100[diff] [blame]208 O_CIPHERS=$( filter "$O_CIPHERS" )
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]209
210 # Ciphersuite for GnuTLS
Manuel Pégourié-Gonnard9edba772014-03-13 17:45:35 +0100[diff] [blame]211 G_CIPHERS=$( filter "$G_CIPHERS" )
Manuel Pégourié-Gonnard5b2d7762014-02-28 12:42:57 +0100[diff] [blame]212 fi
Manuel Pégourié-Gonnard29980b12014-07-10 20:12:56 +0200[diff] [blame]213
Manuel Pégourié-Gonnard53aef812014-07-11 17:41:24 +0200[diff] [blame]214 # OpenSSL 1.0.1h doesn't support DTLS 1.2
Manuel Pégourié-Gonnard29980b12014-07-10 20:12:56 +0200[diff] [blame]215 if [ `minor_ver "$MODE"` -ge 3 ] && is_dtls "$MODE"; then
216 O_CIPHERS=""
Manuel Pégourié-Gonnardd1af1022014-07-11 17:01:06 +0200[diff] [blame]217 case "$PEER" in
218 [Oo]pen*)
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]219 M_CIPHERS=""
Manuel Pégourié-Gonnardd1af1022014-07-11 17:01:06 +0200[diff] [blame]220 ;;
221 esac
Manuel Pégourié-Gonnard29980b12014-07-10 20:12:56 +0200[diff] [blame]222 fi
223
Manuel Pégourié-Gonnarddba564b2015-01-23 11:33:38 +0000[diff] [blame]224 # For GnuTLS client -> mbed TLS server,
Manuel Pégourié-Gonnardd1af1022014-07-11 17:01:06 +0200[diff] [blame]225 # we need to force IPv4 by connecting to 127.0.0.1 but then auth fails
Manuel Pégourié-Gonnard29980b12014-07-10 20:12:56 +0200[diff] [blame]226 if [ "X$VERIFY" = "XYES" ] && is_dtls "$MODE"; then
227 G_CIPHERS=""
228 fi
Manuel Pégourié-Gonnard5b2d7762014-02-28 12:42:57 +0100[diff] [blame]229}
230
231reset_ciphersuites()
Manuel Pégourié-Gonnard48f196c2014-02-19 13:51:58 +0100[diff] [blame]232{
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]233 M_CIPHERS=""
Manuel Pégourié-Gonnard48f196c2014-02-19 13:51:58 +0100[diff] [blame]234 O_CIPHERS=""
Manuel Pégourié-Gonnard5b2d7762014-02-28 12:42:57 +0100[diff] [blame]235 G_CIPHERS=""
236}
Manuel Pégourié-Gonnard48f196c2014-02-19 13:51:58 +0100[diff] [blame]237
Manuel Pégourié-Gonnard7299dfd2018-02-15 11:43:55 +0100[diff] [blame]238# Ciphersuites that can be used with all peers.
239# Since we currently have three possible peers, each ciphersuite should appear
240# three times: in each peer's list (with the name that this peer uses).
Manuel Pégourié-Gonnard12b84722014-03-25 19:07:28 +0100[diff] [blame]241add_common_ciphersuites()
Manuel Pégourié-Gonnard5b2d7762014-02-28 12:42:57 +0100[diff] [blame]242{
Manuel Pégourié-Gonnard48f196c2014-02-19 13:51:58 +0100[diff] [blame]243 case $TYPE in
244
245 "ECDSA")
Manuel Pégourié-Gonnard3025b6c2014-03-26 15:30:16 +0100[diff] [blame]246 if [ `minor_ver "$MODE"` -gt 0 ]
Manuel Pégourié-Gonnard48f196c2014-02-19 13:51:58 +0100[diff] [blame]247 then
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]248 M_CIPHERS="$M_CIPHERS \
Manuel Pégourié-Gonnard48f196c2014-02-19 13:51:58 +0100[diff] [blame]249 TLS-ECDHE-ECDSA-WITH-NULL-SHA \
250 TLS-ECDHE-ECDSA-WITH-RC4-128-SHA \
251 TLS-ECDHE-ECDSA-WITH-3DES-EDE-CBC-SHA \
252 TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA \
253 TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA \
Manuel Pégourié-Gonnard12b84722014-03-25 19:07:28 +0100[diff] [blame]254 "
255 G_CIPHERS="$G_CIPHERS \
256 +ECDHE-ECDSA:+NULL:+SHA1 \
257 +ECDHE-ECDSA:+ARCFOUR-128:+SHA1 \
258 +ECDHE-ECDSA:+3DES-CBC:+SHA1 \
259 +ECDHE-ECDSA:+AES-128-CBC:+SHA1 \
260 +ECDHE-ECDSA:+AES-256-CBC:+SHA1 \
Manuel Pégourié-Gonnard48f196c2014-02-19 13:51:58 +0100[diff] [blame]261 "
262 O_CIPHERS="$O_CIPHERS \
263 ECDHE-ECDSA-NULL-SHA \
264 ECDHE-ECDSA-RC4-SHA \
265 ECDHE-ECDSA-DES-CBC3-SHA \
266 ECDHE-ECDSA-AES128-SHA \
267 ECDHE-ECDSA-AES256-SHA \
Manuel Pégourié-Gonnard48f196c2014-02-19 13:51:58 +0100[diff] [blame]268 "
269 fi
Manuel Pégourié-Gonnard3025b6c2014-03-26 15:30:16 +0100[diff] [blame]270 if [ `minor_ver "$MODE"` -ge 3 ]
Manuel Pégourié-Gonnard48f196c2014-02-19 13:51:58 +0100[diff] [blame]271 then
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]272 M_CIPHERS="$M_CIPHERS \
Manuel Pégourié-Gonnard48f196c2014-02-19 13:51:58 +0100[diff] [blame]273 TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 \
274 TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384 \
275 TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
276 TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384 \
Manuel Pégourié-Gonnard12b84722014-03-25 19:07:28 +0100[diff] [blame]277 "
278 G_CIPHERS="$G_CIPHERS \
279 +ECDHE-ECDSA:+AES-128-CBC:+SHA256 \
280 +ECDHE-ECDSA:+AES-256-CBC:+SHA384 \
281 +ECDHE-ECDSA:+AES-128-GCM:+AEAD \
282 +ECDHE-ECDSA:+AES-256-GCM:+AEAD \
Manuel Pégourié-Gonnard48f196c2014-02-19 13:51:58 +0100[diff] [blame]283 "
284 O_CIPHERS="$O_CIPHERS \
285 ECDHE-ECDSA-AES128-SHA256 \
286 ECDHE-ECDSA-AES256-SHA384 \
287 ECDHE-ECDSA-AES128-GCM-SHA256 \
288 ECDHE-ECDSA-AES256-GCM-SHA384 \
Manuel Pégourié-Gonnard48f196c2014-02-19 13:51:58 +0100[diff] [blame]289 "
290 fi
291 ;;
292
293 "RSA")
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]294 M_CIPHERS="$M_CIPHERS \
Manuel Pégourié-Gonnard48f196c2014-02-19 13:51:58 +0100[diff] [blame]295 TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
296 TLS-DHE-RSA-WITH-AES-256-CBC-SHA \
297 TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA \
298 TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA \
299 TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA \
300 TLS-RSA-WITH-AES-256-CBC-SHA \
301 TLS-RSA-WITH-CAMELLIA-256-CBC-SHA \
302 TLS-RSA-WITH-AES-128-CBC-SHA \
303 TLS-RSA-WITH-CAMELLIA-128-CBC-SHA \
304 TLS-RSA-WITH-3DES-EDE-CBC-SHA \
305 TLS-RSA-WITH-RC4-128-SHA \
306 TLS-RSA-WITH-RC4-128-MD5 \
307 TLS-RSA-WITH-NULL-MD5 \
308 TLS-RSA-WITH-NULL-SHA \
Manuel Pégourié-Gonnard12b84722014-03-25 19:07:28 +0100[diff] [blame]309 "
310 G_CIPHERS="$G_CIPHERS \
311 +DHE-RSA:+AES-128-CBC:+SHA1 \
312 +DHE-RSA:+AES-256-CBC:+SHA1 \
313 +DHE-RSA:+CAMELLIA-128-CBC:+SHA1 \
314 +DHE-RSA:+CAMELLIA-256-CBC:+SHA1 \
315 +DHE-RSA:+3DES-CBC:+SHA1 \
316 +RSA:+AES-256-CBC:+SHA1 \
317 +RSA:+CAMELLIA-256-CBC:+SHA1 \
318 +RSA:+AES-128-CBC:+SHA1 \
319 +RSA:+CAMELLIA-128-CBC:+SHA1 \
320 +RSA:+3DES-CBC:+SHA1 \
321 +RSA:+ARCFOUR-128:+SHA1 \
322 +RSA:+ARCFOUR-128:+MD5 \
323 +RSA:+NULL:+MD5 \
324 +RSA:+NULL:+SHA1 \
Manuel Pégourié-Gonnard48f196c2014-02-19 13:51:58 +0100[diff] [blame]325 "
326 O_CIPHERS="$O_CIPHERS \
327 DHE-RSA-AES128-SHA \
328 DHE-RSA-AES256-SHA \
329 DHE-RSA-CAMELLIA128-SHA \
330 DHE-RSA-CAMELLIA256-SHA \
331 EDH-RSA-DES-CBC3-SHA \
332 AES256-SHA \
333 CAMELLIA256-SHA \
334 AES128-SHA \
335 CAMELLIA128-SHA \
336 DES-CBC3-SHA \
337 RC4-SHA \
338 RC4-MD5 \
339 NULL-MD5 \
340 NULL-SHA \
Manuel Pégourié-Gonnard48f196c2014-02-19 13:51:58 +0100[diff] [blame]341 "
Manuel Pégourié-Gonnard3025b6c2014-03-26 15:30:16 +0100[diff] [blame]342 if [ `minor_ver "$MODE"` -gt 0 ]
Manuel Pégourié-Gonnard48f196c2014-02-19 13:51:58 +0100[diff] [blame]343 then
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]344 M_CIPHERS="$M_CIPHERS \
Manuel Pégourié-Gonnard48f196c2014-02-19 13:51:58 +0100[diff] [blame]345 TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA \
346 TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA \
347 TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA \
348 TLS-ECDHE-RSA-WITH-RC4-128-SHA \
349 TLS-ECDHE-RSA-WITH-NULL-SHA \
350 "
Manuel Pégourié-Gonnard12b84722014-03-25 19:07:28 +0100[diff] [blame]351 G_CIPHERS="$G_CIPHERS \
352 +ECDHE-RSA:+AES-128-CBC:+SHA1 \
353 +ECDHE-RSA:+AES-256-CBC:+SHA1 \
354 +ECDHE-RSA:+3DES-CBC:+SHA1 \
355 +ECDHE-RSA:+ARCFOUR-128:+SHA1 \
356 +ECDHE-RSA:+NULL:+SHA1 \
357 "
Manuel Pégourié-Gonnard48f196c2014-02-19 13:51:58 +0100[diff] [blame]358 O_CIPHERS="$O_CIPHERS \
359 ECDHE-RSA-AES256-SHA \
360 ECDHE-RSA-AES128-SHA \
361 ECDHE-RSA-DES-CBC3-SHA \
362 ECDHE-RSA-RC4-SHA \
363 ECDHE-RSA-NULL-SHA \
364 "
365 fi
Manuel Pégourié-Gonnard3025b6c2014-03-26 15:30:16 +0100[diff] [blame]366 if [ `minor_ver "$MODE"` -ge 3 ]
Manuel Pégourié-Gonnard48f196c2014-02-19 13:51:58 +0100[diff] [blame]367 then
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]368 M_CIPHERS="$M_CIPHERS \
Manuel Pégourié-Gonnard48f196c2014-02-19 13:51:58 +0100[diff] [blame]369 TLS-RSA-WITH-AES-128-CBC-SHA256 \
370 TLS-DHE-RSA-WITH-AES-128-CBC-SHA256 \
371 TLS-RSA-WITH-AES-256-CBC-SHA256 \
372 TLS-DHE-RSA-WITH-AES-256-CBC-SHA256 \
373 TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256 \
374 TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384 \
375 TLS-RSA-WITH-AES-128-GCM-SHA256 \
376 TLS-RSA-WITH-AES-256-GCM-SHA384 \
377 TLS-DHE-RSA-WITH-AES-128-GCM-SHA256 \
378 TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 \
379 TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 \
380 TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384 \
381 "
Manuel Pégourié-Gonnard12b84722014-03-25 19:07:28 +0100[diff] [blame]382 G_CIPHERS="$G_CIPHERS \
Manuel Pégourié-Gonnard12b84722014-03-25 19:07:28 +0100[diff] [blame]383 +RSA:+AES-128-CBC:+SHA256 \
384 +DHE-RSA:+AES-128-CBC:+SHA256 \
385 +RSA:+AES-256-CBC:+SHA256 \
386 +DHE-RSA:+AES-256-CBC:+SHA256 \
387 +ECDHE-RSA:+AES-128-CBC:+SHA256 \
388 +ECDHE-RSA:+AES-256-CBC:+SHA384 \
389 +RSA:+AES-128-GCM:+AEAD \
390 +RSA:+AES-256-GCM:+AEAD \
391 +DHE-RSA:+AES-128-GCM:+AEAD \
392 +DHE-RSA:+AES-256-GCM:+AEAD \
393 +ECDHE-RSA:+AES-128-GCM:+AEAD \
394 +ECDHE-RSA:+AES-256-GCM:+AEAD \
395 "
Manuel Pégourié-Gonnard48f196c2014-02-19 13:51:58 +0100[diff] [blame]396 O_CIPHERS="$O_CIPHERS \
397 NULL-SHA256 \
398 AES128-SHA256 \
399 DHE-RSA-AES128-SHA256 \
400 AES256-SHA256 \
401 DHE-RSA-AES256-SHA256 \
402 ECDHE-RSA-AES128-SHA256 \
403 ECDHE-RSA-AES256-SHA384 \
404 AES128-GCM-SHA256 \
405 DHE-RSA-AES128-GCM-SHA256 \
406 AES256-GCM-SHA384 \
407 DHE-RSA-AES256-GCM-SHA384 \
408 ECDHE-RSA-AES128-GCM-SHA256 \
409 ECDHE-RSA-AES256-GCM-SHA384 \
410 "
411 fi
412 ;;
413
414 "PSK")
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]415 M_CIPHERS="$M_CIPHERS \
Manuel Pégourié-Gonnard48f196c2014-02-19 13:51:58 +0100[diff] [blame]416 TLS-PSK-WITH-RC4-128-SHA \
417 TLS-PSK-WITH-3DES-EDE-CBC-SHA \
418 TLS-PSK-WITH-AES-128-CBC-SHA \
419 TLS-PSK-WITH-AES-256-CBC-SHA \
420 "
Manuel Pégourié-Gonnard12b84722014-03-25 19:07:28 +0100[diff] [blame]421 G_CIPHERS="$G_CIPHERS \
422 +PSK:+ARCFOUR-128:+SHA1 \
423 +PSK:+3DES-CBC:+SHA1 \
424 +PSK:+AES-128-CBC:+SHA1 \
425 +PSK:+AES-256-CBC:+SHA1 \
426 "
Manuel Pégourié-Gonnard48f196c2014-02-19 13:51:58 +0100[diff] [blame]427 O_CIPHERS="$O_CIPHERS \
428 PSK-RC4-SHA \
429 PSK-3DES-EDE-CBC-SHA \
430 PSK-AES128-CBC-SHA \
431 PSK-AES256-CBC-SHA \
432 "
433 ;;
434 esac
Manuel Pégourié-Gonnard48f196c2014-02-19 13:51:58 +0100[diff] [blame]435}
436
Manuel Pégourié-Gonnard7299dfd2018-02-15 11:43:55 +0100[diff] [blame]437# Ciphersuites usable only with Mbed TLS and OpenSSL
438# Each ciphersuite should appear two times, once with its OpenSSL name, once
439# with its Mbed TLS name.
440#
441# NOTE: for some reason RSA-PSK doesn't work with OpenSSL,
Manuel Pégourié-Gonnardce5673c2018-03-06 09:54:10 +0100[diff] [blame]442# so RSA-PSK ciphersuites need to go in other sections, see
443# https://github.com/ARMmbed/mbedtls/issues/1419
Manuel Pégourié-Gonnard9fece7e2018-06-18 11:38:22 +0200[diff] [blame]444#
445# ChachaPoly suites are here rather than in "common", as they were added in
446# GnuTLS in 3.5.0 and the CI only has 3.4.x so far.
Manuel Pégourié-Gonnard12b84722014-03-25 19:07:28 +0100[diff] [blame]447add_openssl_ciphersuites()
448{
449 case $TYPE in
450
451 "ECDSA")
Manuel Pégourié-Gonnard3025b6c2014-03-26 15:30:16 +0100[diff] [blame]452 if [ `minor_ver "$MODE"` -gt 0 ]
Manuel Pégourié-Gonnard12b84722014-03-25 19:07:28 +0100[diff] [blame]453 then
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]454 M_CIPHERS="$M_CIPHERS \
Manuel Pégourié-Gonnard12b84722014-03-25 19:07:28 +0100[diff] [blame]455 TLS-ECDH-ECDSA-WITH-NULL-SHA \
456 TLS-ECDH-ECDSA-WITH-RC4-128-SHA \
457 TLS-ECDH-ECDSA-WITH-3DES-EDE-CBC-SHA \
458 TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA \
459 TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA \
460 "
461 O_CIPHERS="$O_CIPHERS \
462 ECDH-ECDSA-NULL-SHA \
463 ECDH-ECDSA-RC4-SHA \
464 ECDH-ECDSA-DES-CBC3-SHA \
465 ECDH-ECDSA-AES128-SHA \
466 ECDH-ECDSA-AES256-SHA \
467 "
468 fi
Manuel Pégourié-Gonnard3025b6c2014-03-26 15:30:16 +0100[diff] [blame]469 if [ `minor_ver "$MODE"` -ge 3 ]
Manuel Pégourié-Gonnard12b84722014-03-25 19:07:28 +0100[diff] [blame]470 then
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]471 M_CIPHERS="$M_CIPHERS \
Manuel Pégourié-Gonnard12b84722014-03-25 19:07:28 +0100[diff] [blame]472 TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256 \
473 TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384 \
474 TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256 \
475 TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384 \
Manuel Pégourié-Gonnard7299dfd2018-02-15 11:43:55 +0100[diff] [blame]476 TLS-ECDHE-ECDSA-WITH-ARIA-256-GCM-SHA384 \
477 TLS-ECDHE-ECDSA-WITH-ARIA-128-GCM-SHA256 \
Manuel Pégourié-Gonnard9fece7e2018-06-18 11:38:22 +0200[diff] [blame]478 TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256 \
Manuel Pégourié-Gonnard12b84722014-03-25 19:07:28 +0100[diff] [blame]479 "
480 O_CIPHERS="$O_CIPHERS \
481 ECDH-ECDSA-AES128-SHA256 \
482 ECDH-ECDSA-AES256-SHA384 \
483 ECDH-ECDSA-AES128-GCM-SHA256 \
484 ECDH-ECDSA-AES256-GCM-SHA384 \
Manuel Pégourié-Gonnard7299dfd2018-02-15 11:43:55 +0100[diff] [blame]485 ECDHE-ECDSA-ARIA256-GCM-SHA384 \
486 ECDHE-ECDSA-ARIA128-GCM-SHA256 \
Manuel Pégourié-Gonnard9fece7e2018-06-18 11:38:22 +0200[diff] [blame]487 ECDHE-ECDSA-CHACHA20-POLY1305 \
Manuel Pégourié-Gonnard12b84722014-03-25 19:07:28 +0100[diff] [blame]488 "
489 fi
490 ;;
491
492 "RSA")
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]493 M_CIPHERS="$M_CIPHERS \
Manuel Pégourié-Gonnard12b84722014-03-25 19:07:28 +0100[diff] [blame]494 TLS-RSA-WITH-DES-CBC-SHA \
495 TLS-DHE-RSA-WITH-DES-CBC-SHA \
496 "
497 O_CIPHERS="$O_CIPHERS \
498 DES-CBC-SHA \
499 EDH-RSA-DES-CBC-SHA \
500 "
Manuel Pégourié-Gonnard7299dfd2018-02-15 11:43:55 +0100[diff] [blame]501 if [ `minor_ver "$MODE"` -ge 3 ]
502 then
503 M_CIPHERS="$M_CIPHERS \
504 TLS-ECDHE-RSA-WITH-ARIA-256-GCM-SHA384 \
505 TLS-DHE-RSA-WITH-ARIA-256-GCM-SHA384 \
Manuel Pégourié-Gonnardbba64062018-02-20 11:58:44 +0100[diff] [blame]506 TLS-RSA-WITH-ARIA-256-GCM-SHA384 \
Manuel Pégourié-Gonnard7299dfd2018-02-15 11:43:55 +0100[diff] [blame]507 TLS-ECDHE-RSA-WITH-ARIA-128-GCM-SHA256 \
508 TLS-DHE-RSA-WITH-ARIA-128-GCM-SHA256 \
Manuel Pégourié-Gonnardbba64062018-02-20 11:58:44 +0100[diff] [blame]509 TLS-RSA-WITH-ARIA-128-GCM-SHA256 \
Manuel Pégourié-Gonnard9fece7e2018-06-18 11:38:22 +0200[diff] [blame]510 TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256 \
511 TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256 \
Manuel Pégourié-Gonnard7299dfd2018-02-15 11:43:55 +0100[diff] [blame]512 "
513 O_CIPHERS="$O_CIPHERS \
514 ECDHE-ARIA256-GCM-SHA384 \
515 DHE-RSA-ARIA256-GCM-SHA384 \
Manuel Pégourié-Gonnardbba64062018-02-20 11:58:44 +0100[diff] [blame]516 ARIA256-GCM-SHA384 \
Manuel Pégourié-Gonnard7299dfd2018-02-15 11:43:55 +0100[diff] [blame]517 ECDHE-ARIA128-GCM-SHA256 \
518 DHE-RSA-ARIA128-GCM-SHA256 \
Manuel Pégourié-Gonnardbba64062018-02-20 11:58:44 +0100[diff] [blame]519 ARIA128-GCM-SHA256 \
Manuel Pégourié-Gonnard9fece7e2018-06-18 11:38:22 +0200[diff] [blame]520 DHE-RSA-CHACHA20-POLY1305 \
521 ECDHE-RSA-CHACHA20-POLY1305 \
Manuel Pégourié-Gonnard7299dfd2018-02-15 11:43:55 +0100[diff] [blame]522 "
523 fi
Manuel Pégourié-Gonnard12b84722014-03-25 19:07:28 +0100[diff] [blame]524 ;;
525
526 "PSK")
Manuel Pégourié-Gonnard7299dfd2018-02-15 11:43:55 +0100[diff] [blame]527 if [ `minor_ver "$MODE"` -ge 3 ]
528 then
529 M_CIPHERS="$M_CIPHERS \
Manuel Pégourié-Gonnardbba64062018-02-20 11:58:44 +0100[diff] [blame]530 TLS-DHE-PSK-WITH-ARIA-256-GCM-SHA384 \
531 TLS-DHE-PSK-WITH-ARIA-128-GCM-SHA256 \
Manuel Pégourié-Gonnard7299dfd2018-02-15 11:43:55 +0100[diff] [blame]532 TLS-PSK-WITH-ARIA-256-GCM-SHA384 \
533 TLS-PSK-WITH-ARIA-128-GCM-SHA256 \
Manuel Pégourié-Gonnard9fece7e2018-06-18 11:38:22 +0200[diff] [blame]534 TLS-PSK-WITH-CHACHA20-POLY1305-SHA256 \
535 TLS-ECDHE-PSK-WITH-CHACHA20-POLY1305-SHA256 \
536 TLS-DHE-PSK-WITH-CHACHA20-POLY1305-SHA256 \
Manuel Pégourié-Gonnard7299dfd2018-02-15 11:43:55 +0100[diff] [blame]537 "
538 O_CIPHERS="$O_CIPHERS \
Manuel Pégourié-Gonnardbba64062018-02-20 11:58:44 +0100[diff] [blame]539 DHE-PSK-ARIA256-GCM-SHA384 \
540 DHE-PSK-ARIA128-GCM-SHA256 \
Manuel Pégourié-Gonnard7299dfd2018-02-15 11:43:55 +0100[diff] [blame]541 PSK-ARIA256-GCM-SHA384 \
542 PSK-ARIA128-GCM-SHA256 \
Manuel Pégourié-Gonnard9fece7e2018-06-18 11:38:22 +0200[diff] [blame]543 DHE-PSK-CHACHA20-POLY1305 \
544 ECDHE-PSK-CHACHA20-POLY1305 \
545 PSK-CHACHA20-POLY1305 \
Manuel Pégourié-Gonnard7299dfd2018-02-15 11:43:55 +0100[diff] [blame]546 "
547 fi
Manuel Pégourié-Gonnard12b84722014-03-25 19:07:28 +0100[diff] [blame]548 ;;
549 esac
550}
551
Manuel Pégourié-Gonnard7299dfd2018-02-15 11:43:55 +0100[diff] [blame]552# Ciphersuites usable only with Mbed TLS and GnuTLS
553# Each ciphersuite should appear two times, once with its GnuTLS name, once
554# with its Mbed TLS name.
Manuel Pégourié-Gonnard5b2d7762014-02-28 12:42:57 +0100[diff] [blame]555add_gnutls_ciphersuites()
Manuel Pégourié-Gonnard48f196c2014-02-19 13:51:58 +0100[diff] [blame]556{
Manuel Pégourié-Gonnard48f196c2014-02-19 13:51:58 +0100[diff] [blame]557 case $TYPE in
558
559 "ECDSA")
Manuel Pégourié-Gonnard3025b6c2014-03-26 15:30:16 +0100[diff] [blame]560 if [ `minor_ver "$MODE"` -ge 3 ]
Manuel Pégourié-Gonnard48f196c2014-02-19 13:51:58 +0100[diff] [blame]561 then
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]562 M_CIPHERS="$M_CIPHERS \
Manuel Pégourié-Gonnard5b2d7762014-02-28 12:42:57 +0100[diff] [blame]563 TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA256 \
564 TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA384 \
Manuel Pégourié-Gonnard48f196c2014-02-19 13:51:58 +0100[diff] [blame]565 TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-GCM-SHA256 \
566 TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-GCM-SHA384 \
Manuel Pégourié-Gonnardc36b4322018-06-14 13:14:29 +0200[diff] [blame]567 TLS-ECDHE-ECDSA-WITH-AES-128-CCM \
568 TLS-ECDHE-ECDSA-WITH-AES-256-CCM \
569 TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8 \
570 TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8 \
Manuel Pégourié-Gonnarda4371442014-03-13 16:21:59 +0100[diff] [blame]571 "
572 G_CIPHERS="$G_CIPHERS \
573 +ECDHE-ECDSA:+CAMELLIA-128-CBC:+SHA256 \
574 +ECDHE-ECDSA:+CAMELLIA-256-CBC:+SHA384 \
575 +ECDHE-ECDSA:+CAMELLIA-128-GCM:+AEAD \
576 +ECDHE-ECDSA:+CAMELLIA-256-GCM:+AEAD \
Manuel Pégourié-Gonnardc36b4322018-06-14 13:14:29 +0200[diff] [blame]577 +ECDHE-ECDSA:+AES-128-CCM:+AEAD \
578 +ECDHE-ECDSA:+AES-256-CCM:+AEAD \
579 +ECDHE-ECDSA:+AES-128-CCM-8:+AEAD \
580 +ECDHE-ECDSA:+AES-256-CCM-8:+AEAD \
Manuel Pégourié-Gonnarda4371442014-03-13 16:21:59 +0100[diff] [blame]581 "
Manuel Pégourié-Gonnard48f196c2014-02-19 13:51:58 +0100[diff] [blame]582 fi
583 ;;
584
585 "RSA")
Manuel Pégourié-Gonnard3025b6c2014-03-26 15:30:16 +0100[diff] [blame]586 if [ `minor_ver "$MODE"` -gt 0 ]
Manuel Pégourié-Gonnard7457cb32014-07-13 13:57:24 +0200[diff] [blame]587 then
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]588 M_CIPHERS="$M_CIPHERS \
Manuel Pégourié-Gonnard7457cb32014-07-13 13:57:24 +0200[diff] [blame]589 TLS-RSA-WITH-NULL-SHA256 \
590 "
591 G_CIPHERS="$G_CIPHERS \
592 +RSA:+NULL:+SHA256 \
593 "
594 fi
Manuel Pégourié-Gonnard3025b6c2014-03-26 15:30:16 +0100[diff] [blame]595 if [ `minor_ver "$MODE"` -ge 3 ]
Manuel Pégourié-Gonnard48f196c2014-02-19 13:51:58 +0100[diff] [blame]596 then
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]597 M_CIPHERS="$M_CIPHERS \
Manuel Pégourié-Gonnard5b2d7762014-02-28 12:42:57 +0100[diff] [blame]598 TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA256 \
599 TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA384 \
Manuel Pégourié-Gonnard48f196c2014-02-19 13:51:58 +0100[diff] [blame]600 TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256 \
601 TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256 \
602 TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256 \
603 TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256 \
604 TLS-ECDHE-RSA-WITH-CAMELLIA-128-GCM-SHA256 \
605 TLS-ECDHE-RSA-WITH-CAMELLIA-256-GCM-SHA384 \
606 TLS-DHE-RSA-WITH-CAMELLIA-128-GCM-SHA256 \
607 TLS-DHE-RSA-WITH-CAMELLIA-256-GCM-SHA384 \
608 TLS-RSA-WITH-CAMELLIA-128-GCM-SHA256 \
609 TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384 \
Manuel Pégourié-Gonnardc36b4322018-06-14 13:14:29 +0200[diff] [blame]610 TLS-RSA-WITH-AES-128-CCM \
611 TLS-RSA-WITH-AES-256-CCM \
612 TLS-DHE-RSA-WITH-AES-128-CCM \
613 TLS-DHE-RSA-WITH-AES-256-CCM \
614 TLS-RSA-WITH-AES-128-CCM-8 \
615 TLS-RSA-WITH-AES-256-CCM-8 \
616 TLS-DHE-RSA-WITH-AES-128-CCM-8 \
617 TLS-DHE-RSA-WITH-AES-256-CCM-8 \
Manuel Pégourié-Gonnard48f196c2014-02-19 13:51:58 +0100[diff] [blame]618 "
Manuel Pégourié-Gonnarda4371442014-03-13 16:21:59 +0100[diff] [blame]619 G_CIPHERS="$G_CIPHERS \
620 +ECDHE-RSA:+CAMELLIA-128-CBC:+SHA256 \
621 +ECDHE-RSA:+CAMELLIA-256-CBC:+SHA384 \
622 +RSA:+CAMELLIA-128-CBC:+SHA256 \
623 +RSA:+CAMELLIA-256-CBC:+SHA256 \
624 +DHE-RSA:+CAMELLIA-128-CBC:+SHA256 \
625 +DHE-RSA:+CAMELLIA-256-CBC:+SHA256 \
626 +ECDHE-RSA:+CAMELLIA-128-GCM:+AEAD \
627 +ECDHE-RSA:+CAMELLIA-256-GCM:+AEAD \
628 +DHE-RSA:+CAMELLIA-128-GCM:+AEAD \
629 +DHE-RSA:+CAMELLIA-256-GCM:+AEAD \
630 +RSA:+CAMELLIA-128-GCM:+AEAD \
631 +RSA:+CAMELLIA-256-GCM:+AEAD \
Manuel Pégourié-Gonnardc36b4322018-06-14 13:14:29 +0200[diff] [blame]632 +RSA:+AES-128-CCM:+AEAD \
633 +RSA:+AES-256-CCM:+AEAD \
634 +RSA:+AES-128-CCM-8:+AEAD \
635 +RSA:+AES-256-CCM-8:+AEAD \
636 +DHE-RSA:+AES-128-CCM:+AEAD \
637 +DHE-RSA:+AES-256-CCM:+AEAD \
638 +DHE-RSA:+AES-128-CCM-8:+AEAD \
639 +DHE-RSA:+AES-256-CCM-8:+AEAD \
Manuel Pégourié-Gonnarda4371442014-03-13 16:21:59 +0100[diff] [blame]640 "
Manuel Pégourié-Gonnard48f196c2014-02-19 13:51:58 +0100[diff] [blame]641 fi
642 ;;
643
644 "PSK")
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]645 M_CIPHERS="$M_CIPHERS \
Manuel Pégourié-Gonnarde46aa5e2014-07-13 15:44:19 +0200[diff] [blame]646 TLS-DHE-PSK-WITH-3DES-EDE-CBC-SHA \
647 TLS-DHE-PSK-WITH-AES-128-CBC-SHA \
648 TLS-DHE-PSK-WITH-AES-256-CBC-SHA \
649 TLS-DHE-PSK-WITH-RC4-128-SHA \
650 "
651 G_CIPHERS="$G_CIPHERS \
652 +DHE-PSK:+3DES-CBC:+SHA1 \
653 +DHE-PSK:+AES-128-CBC:+SHA1 \
654 +DHE-PSK:+AES-256-CBC:+SHA1 \
655 +DHE-PSK:+ARCFOUR-128:+SHA1 \
656 "
Manuel Pégourié-Gonnard3025b6c2014-03-26 15:30:16 +0100[diff] [blame]657 if [ `minor_ver "$MODE"` -gt 0 ]
Manuel Pégourié-Gonnard48f196c2014-02-19 13:51:58 +0100[diff] [blame]658 then
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]659 M_CIPHERS="$M_CIPHERS \
Manuel Pégourié-Gonnard48f196c2014-02-19 13:51:58 +0100[diff] [blame]660 TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA \
661 TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA \
662 TLS-ECDHE-PSK-WITH-3DES-EDE-CBC-SHA \
Manuel Pégourié-Gonnarde46aa5e2014-07-13 15:44:19 +0200[diff] [blame]663 TLS-ECDHE-PSK-WITH-RC4-128-SHA \
Manuel Pégourié-Gonnard5b2d7762014-02-28 12:42:57 +0100[diff] [blame]664 TLS-RSA-PSK-WITH-3DES-EDE-CBC-SHA \
665 TLS-RSA-PSK-WITH-AES-256-CBC-SHA \
666 TLS-RSA-PSK-WITH-AES-128-CBC-SHA \
Manuel Pégourié-Gonnarde46aa5e2014-07-13 15:44:19 +0200[diff] [blame]667 TLS-RSA-PSK-WITH-RC4-128-SHA \
Manuel Pégourié-Gonnarda4371442014-03-13 16:21:59 +0100[diff] [blame]668 "
669 G_CIPHERS="$G_CIPHERS \
Manuel Pégourié-Gonnarda4371442014-03-13 16:21:59 +0100[diff] [blame]670 +ECDHE-PSK:+3DES-CBC:+SHA1 \
Manuel Pégourié-Gonnarde46aa5e2014-07-13 15:44:19 +0200[diff] [blame]671 +ECDHE-PSK:+AES-128-CBC:+SHA1 \
672 +ECDHE-PSK:+AES-256-CBC:+SHA1 \
673 +ECDHE-PSK:+ARCFOUR-128:+SHA1 \
Manuel Pégourié-Gonnarda4371442014-03-13 16:21:59 +0100[diff] [blame]674 +RSA-PSK:+3DES-CBC:+SHA1 \
675 +RSA-PSK:+AES-256-CBC:+SHA1 \
676 +RSA-PSK:+AES-128-CBC:+SHA1 \
Manuel Pégourié-Gonnarde46aa5e2014-07-13 15:44:19 +0200[diff] [blame]677 +RSA-PSK:+ARCFOUR-128:+SHA1 \
Manuel Pégourié-Gonnard5b2d7762014-02-28 12:42:57 +0100[diff] [blame]678 "
679 fi
Manuel Pégourié-Gonnard3025b6c2014-03-26 15:30:16 +0100[diff] [blame]680 if [ `minor_ver "$MODE"` -ge 3 ]
Manuel Pégourié-Gonnard5b2d7762014-02-28 12:42:57 +0100[diff] [blame]681 then
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]682 M_CIPHERS="$M_CIPHERS \
Manuel Pégourié-Gonnard48f196c2014-02-19 13:51:58 +0100[diff] [blame]683 TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384 \
684 TLS-ECDHE-PSK-WITH-CAMELLIA-256-CBC-SHA384 \
685 TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256 \
686 TLS-ECDHE-PSK-WITH-CAMELLIA-128-CBC-SHA256 \
687 TLS-ECDHE-PSK-WITH-NULL-SHA384 \
688 TLS-ECDHE-PSK-WITH-NULL-SHA256 \
Manuel Pégourié-Gonnard5b2d7762014-02-28 12:42:57 +0100[diff] [blame]689 TLS-PSK-WITH-AES-128-CBC-SHA256 \
690 TLS-PSK-WITH-AES-256-CBC-SHA384 \
691 TLS-DHE-PSK-WITH-AES-128-CBC-SHA256 \
692 TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 \
693 TLS-PSK-WITH-NULL-SHA256 \
694 TLS-PSK-WITH-NULL-SHA384 \
695 TLS-DHE-PSK-WITH-NULL-SHA256 \
696 TLS-DHE-PSK-WITH-NULL-SHA384 \
697 TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 \
698 TLS-RSA-PSK-WITH-AES-128-CBC-SHA256 \
699 TLS-RSA-PSK-WITH-NULL-SHA256 \
700 TLS-RSA-PSK-WITH-NULL-SHA384 \
701 TLS-DHE-PSK-WITH-CAMELLIA-128-CBC-SHA256 \
702 TLS-DHE-PSK-WITH-CAMELLIA-256-CBC-SHA384 \
703 TLS-PSK-WITH-CAMELLIA-128-CBC-SHA256 \
704 TLS-PSK-WITH-CAMELLIA-256-CBC-SHA384 \
705 TLS-RSA-PSK-WITH-CAMELLIA-256-CBC-SHA384 \
706 TLS-RSA-PSK-WITH-CAMELLIA-128-CBC-SHA256 \
Manuel Pégourié-Gonnard48f196c2014-02-19 13:51:58 +0100[diff] [blame]707 TLS-PSK-WITH-AES-128-GCM-SHA256 \
708 TLS-PSK-WITH-AES-256-GCM-SHA384 \
709 TLS-DHE-PSK-WITH-AES-128-GCM-SHA256 \
710 TLS-DHE-PSK-WITH-AES-256-GCM-SHA384 \
Manuel Pégourié-Gonnardc36b4322018-06-14 13:14:29 +0200[diff] [blame]711 TLS-PSK-WITH-AES-128-CCM \
712 TLS-PSK-WITH-AES-256-CCM \
713 TLS-DHE-PSK-WITH-AES-128-CCM \
714 TLS-DHE-PSK-WITH-AES-256-CCM \
715 TLS-PSK-WITH-AES-128-CCM-8 \
716 TLS-PSK-WITH-AES-256-CCM-8 \
717 TLS-DHE-PSK-WITH-AES-128-CCM-8 \
718 TLS-DHE-PSK-WITH-AES-256-CCM-8 \
Manuel Pégourié-Gonnard48f196c2014-02-19 13:51:58 +0100[diff] [blame]719 TLS-RSA-PSK-WITH-CAMELLIA-128-GCM-SHA256 \
720 TLS-RSA-PSK-WITH-CAMELLIA-256-GCM-SHA384 \
721 TLS-PSK-WITH-CAMELLIA-128-GCM-SHA256 \
722 TLS-PSK-WITH-CAMELLIA-256-GCM-SHA384 \
723 TLS-DHE-PSK-WITH-CAMELLIA-128-GCM-SHA256 \
724 TLS-DHE-PSK-WITH-CAMELLIA-256-GCM-SHA384 \
725 TLS-RSA-PSK-WITH-AES-256-GCM-SHA384 \
726 TLS-RSA-PSK-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard48f196c2014-02-19 13:51:58 +0100[diff] [blame]727 "
Manuel Pégourié-Gonnarda4371442014-03-13 16:21:59 +0100[diff] [blame]728 G_CIPHERS="$G_CIPHERS \
729 +ECDHE-PSK:+AES-256-CBC:+SHA384 \
730 +ECDHE-PSK:+CAMELLIA-256-CBC:+SHA384 \
731 +ECDHE-PSK:+AES-128-CBC:+SHA256 \
732 +ECDHE-PSK:+CAMELLIA-128-CBC:+SHA256 \
733 +PSK:+AES-128-CBC:+SHA256 \
734 +PSK:+AES-256-CBC:+SHA384 \
735 +DHE-PSK:+AES-128-CBC:+SHA256 \
736 +DHE-PSK:+AES-256-CBC:+SHA384 \
737 +RSA-PSK:+AES-256-CBC:+SHA384 \
738 +RSA-PSK:+AES-128-CBC:+SHA256 \
739 +DHE-PSK:+CAMELLIA-128-CBC:+SHA256 \
740 +DHE-PSK:+CAMELLIA-256-CBC:+SHA384 \
741 +PSK:+CAMELLIA-128-CBC:+SHA256 \
742 +PSK:+CAMELLIA-256-CBC:+SHA384 \
743 +RSA-PSK:+CAMELLIA-256-CBC:+SHA384 \
744 +RSA-PSK:+CAMELLIA-128-CBC:+SHA256 \
745 +PSK:+AES-128-GCM:+AEAD \
746 +PSK:+AES-256-GCM:+AEAD \
747 +DHE-PSK:+AES-128-GCM:+AEAD \
748 +DHE-PSK:+AES-256-GCM:+AEAD \
Manuel Pégourié-Gonnardc36b4322018-06-14 13:14:29 +0200[diff] [blame]749 +PSK:+AES-128-CCM:+AEAD \
750 +PSK:+AES-256-CCM:+AEAD \
751 +DHE-PSK:+AES-128-CCM:+AEAD \
752 +DHE-PSK:+AES-256-CCM:+AEAD \
753 +PSK:+AES-128-CCM-8:+AEAD \
754 +PSK:+AES-256-CCM-8:+AEAD \
755 +DHE-PSK:+AES-128-CCM-8:+AEAD \
756 +DHE-PSK:+AES-256-CCM-8:+AEAD \
Manuel Pégourié-Gonnarda4371442014-03-13 16:21:59 +0100[diff] [blame]757 +RSA-PSK:+CAMELLIA-128-GCM:+AEAD \
758 +RSA-PSK:+CAMELLIA-256-GCM:+AEAD \
759 +PSK:+CAMELLIA-128-GCM:+AEAD \
760 +PSK:+CAMELLIA-256-GCM:+AEAD \
761 +DHE-PSK:+CAMELLIA-128-GCM:+AEAD \
762 +DHE-PSK:+CAMELLIA-256-GCM:+AEAD \
763 +RSA-PSK:+AES-256-GCM:+AEAD \
764 +RSA-PSK:+AES-128-GCM:+AEAD \
Manuel Pégourié-Gonnard9edba772014-03-13 17:45:35 +0100[diff] [blame]765 +ECDHE-PSK:+NULL:+SHA384 \
766 +ECDHE-PSK:+NULL:+SHA256 \
767 +PSK:+NULL:+SHA256 \
768 +PSK:+NULL:+SHA384 \
769 +DHE-PSK:+NULL:+SHA256 \
770 +DHE-PSK:+NULL:+SHA384 \
771 +RSA-PSK:+NULL:+SHA256 \
772 +RSA-PSK:+NULL:+SHA384 \
Manuel Pégourié-Gonnarda4371442014-03-13 16:21:59 +0100[diff] [blame]773 "
Manuel Pégourié-Gonnard48f196c2014-02-19 13:51:58 +0100[diff] [blame]774 fi
775 ;;
776 esac
Manuel Pégourié-Gonnard5b2d7762014-02-28 12:42:57 +0100[diff] [blame]777}
Manuel Pégourié-Gonnard48f196c2014-02-19 13:51:58 +0100[diff] [blame]778
Manuel Pégourié-Gonnard7299dfd2018-02-15 11:43:55 +0100[diff] [blame]779# Ciphersuites usable only with Mbed TLS (not currently supported by another
780# peer usable in this script). This provide only very rudimentaty testing, as
781# this is not interop testing, but it's better than nothing.
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]782add_mbedtls_ciphersuites()
Manuel Pégourié-Gonnard5b2d7762014-02-28 12:42:57 +0100[diff] [blame]783{
784 case $TYPE in
785
786 "ECDSA")
Manuel Pégourié-Gonnard3025b6c2014-03-26 15:30:16 +0100[diff] [blame]787 if [ `minor_ver "$MODE"` -gt 0 ]
Manuel Pégourié-Gonnard5b2d7762014-02-28 12:42:57 +0100[diff] [blame]788 then
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]789 M_CIPHERS="$M_CIPHERS \
Manuel Pégourié-Gonnard5b2d7762014-02-28 12:42:57 +0100[diff] [blame]790 TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA256 \
791 TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384 \
792 "
793 fi
Manuel Pégourié-Gonnard3025b6c2014-03-26 15:30:16 +0100[diff] [blame]794 if [ `minor_ver "$MODE"` -ge 3 ]
Manuel Pégourié-Gonnard5b2d7762014-02-28 12:42:57 +0100[diff] [blame]795 then
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]796 M_CIPHERS="$M_CIPHERS \
Manuel Pégourié-Gonnard5b2d7762014-02-28 12:42:57 +0100[diff] [blame]797 TLS-ECDH-ECDSA-WITH-CAMELLIA-128-GCM-SHA256 \
798 TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384 \
Manuel Pégourié-Gonnarda0e47082018-02-15 11:07:58 +0100[diff] [blame]799 TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384 \
Manuel Pégourié-Gonnarda0e47082018-02-15 11:07:58 +0100[diff] [blame]800 TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256 \
Manuel Pégourié-Gonnardbba64062018-02-20 11:58:44 +0100[diff] [blame]801 TLS-ECDH-ECDSA-WITH-ARIA-256-GCM-SHA384 \
802 TLS-ECDH-ECDSA-WITH-ARIA-128-GCM-SHA256 \
803 TLS-ECDH-ECDSA-WITH-ARIA-256-CBC-SHA384 \
804 TLS-ECDH-ECDSA-WITH-ARIA-128-CBC-SHA256 \
Manuel Pégourié-Gonnard5b2d7762014-02-28 12:42:57 +0100[diff] [blame]805 "
806 fi
807 ;;
808
809 "RSA")
Manuel Pégourié-Gonnard392c2d22018-02-15 11:06:14 +0100[diff] [blame]810 if [ `minor_ver "$MODE"` -ge 3 ]
Manuel Pégourié-Gonnard25948592014-05-22 14:36:02 +0200[diff] [blame]811 then
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]812 M_CIPHERS="$M_CIPHERS \
Manuel Pégourié-Gonnarda0e47082018-02-15 11:07:58 +0100[diff] [blame]813 TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384 \
814 TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384 \
Manuel Pégourié-Gonnarda0e47082018-02-15 11:07:58 +0100[diff] [blame]815 TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256 \
816 TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256 \
Manuel Pégourié-Gonnardbba64062018-02-20 11:58:44 +0100[diff] [blame]817 TLS-RSA-WITH-ARIA-256-CBC-SHA384 \
818 TLS-RSA-WITH-ARIA-128-CBC-SHA256 \
Manuel Pégourié-Gonnard25948592014-05-22 14:36:02 +0200[diff] [blame]819 "
820 fi
Manuel Pégourié-Gonnard5b2d7762014-02-28 12:42:57 +0100[diff] [blame]821 ;;
822
823 "PSK")
Manuel Pégourié-Gonnard7eb58cb2015-07-07 11:54:14 +0200[diff] [blame]824 # *PSK-NULL-SHA suites supported by GnuTLS 3.3.5 but not 3.2.15
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]825 M_CIPHERS="$M_CIPHERS \
Manuel Pégourié-Gonnard5b2d7762014-02-28 12:42:57 +0100[diff] [blame]826 TLS-PSK-WITH-NULL-SHA \
Manuel Pégourié-Gonnard5b2d7762014-02-28 12:42:57 +0100[diff] [blame]827 TLS-DHE-PSK-WITH-NULL-SHA \
Manuel Pégourié-Gonnard5b2d7762014-02-28 12:42:57 +0100[diff] [blame]828 "
Manuel Pégourié-Gonnard3025b6c2014-03-26 15:30:16 +0100[diff] [blame]829 if [ `minor_ver "$MODE"` -gt 0 ]
Manuel Pégourié-Gonnard5b2d7762014-02-28 12:42:57 +0100[diff] [blame]830 then
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]831 M_CIPHERS="$M_CIPHERS \
Manuel Pégourié-Gonnard5b2d7762014-02-28 12:42:57 +0100[diff] [blame]832 TLS-ECDHE-PSK-WITH-NULL-SHA \
Manuel Pégourié-Gonnarde46aa5e2014-07-13 15:44:19 +0200[diff] [blame]833 TLS-RSA-PSK-WITH-NULL-SHA \
Manuel Pégourié-Gonnard5b2d7762014-02-28 12:42:57 +0100[diff] [blame]834 "
835 fi
Manuel Pégourié-Gonnard392c2d22018-02-15 11:06:14 +0100[diff] [blame]836 if [ `minor_ver "$MODE"` -ge 3 ]
Manuel Pégourié-Gonnard25948592014-05-22 14:36:02 +0200[diff] [blame]837 then
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]838 M_CIPHERS="$M_CIPHERS \
Manuel Pégourié-Gonnarda0e47082018-02-15 11:07:58 +0100[diff] [blame]839 TLS-RSA-PSK-WITH-ARIA-256-CBC-SHA384 \
Manuel Pégourié-Gonnarda0e47082018-02-15 11:07:58 +0100[diff] [blame]840 TLS-RSA-PSK-WITH-ARIA-128-CBC-SHA256 \
Manuel Pégourié-Gonnarda0e47082018-02-15 11:07:58 +0100[diff] [blame]841 TLS-PSK-WITH-ARIA-256-CBC-SHA384 \
Manuel Pégourié-Gonnarda0e47082018-02-15 11:07:58 +0100[diff] [blame]842 TLS-PSK-WITH-ARIA-128-CBC-SHA256 \
Manuel Pégourié-Gonnard7299dfd2018-02-15 11:43:55 +0100[diff] [blame]843 TLS-RSA-PSK-WITH-ARIA-256-GCM-SHA384 \
844 TLS-RSA-PSK-WITH-ARIA-128-GCM-SHA256 \
Manuel Pégourié-Gonnardbba64062018-02-20 11:58:44 +0100[diff] [blame]845 TLS-ECDHE-PSK-WITH-ARIA-256-CBC-SHA384 \
846 TLS-ECDHE-PSK-WITH-ARIA-128-CBC-SHA256 \
847 TLS-DHE-PSK-WITH-ARIA-256-CBC-SHA384 \
848 TLS-DHE-PSK-WITH-ARIA-128-CBC-SHA256 \
Manuel Pégourié-Gonnard9fece7e2018-06-18 11:38:22 +0200[diff] [blame]849 TLS-RSA-PSK-WITH-CHACHA20-POLY1305-SHA256 \
Manuel Pégourié-Gonnard25948592014-05-22 14:36:02 +0200[diff] [blame]850 "
851 fi
Manuel Pégourié-Gonnard5b2d7762014-02-28 12:42:57 +0100[diff] [blame]852 ;;
853 esac
Manuel Pégourié-Gonnard48f196c2014-02-19 13:51:58 +0100[diff] [blame]854}
855
Manuel Pégourié-Gonnardd941a792014-02-19 13:35:52 +0100[diff] [blame]856setup_arguments()
857{
Manuel Pégourié-Gonnard3025b6c2014-03-26 15:30:16 +0100[diff] [blame]858 G_MODE=""
859 case "$MODE" in
Manuel Pégourié-Gonnard5b2d7762014-02-28 12:42:57 +0100[diff] [blame]860 "ssl3")
861 G_PRIO_MODE="+VERS-SSL3.0"
862 ;;
863 "tls1")
864 G_PRIO_MODE="+VERS-TLS1.0"
865 ;;
866 "tls1_1")
867 G_PRIO_MODE="+VERS-TLS1.1"
868 ;;
869 "tls1_2")
870 G_PRIO_MODE="+VERS-TLS1.2"
Manuel Pégourié-Gonnard9ada01a2014-02-19 14:24:24 +0100[diff] [blame]871 ;;
Manuel Pégourié-Gonnard3025b6c2014-03-26 15:30:16 +0100[diff] [blame]872 "dtls1")
873 G_PRIO_MODE="+VERS-DTLS1.0"
Manuel Pégourié-Gonnard36795192014-09-26 16:33:45 +0200[diff] [blame]874 G_MODE="-u"
Manuel Pégourié-Gonnard3025b6c2014-03-26 15:30:16 +0100[diff] [blame]875 ;;
876 "dtls1_2")
877 G_PRIO_MODE="+VERS-DTLS1.2"
Manuel Pégourié-Gonnard36795192014-09-26 16:33:45 +0200[diff] [blame]878 G_MODE="-u"
Manuel Pégourié-Gonnard3025b6c2014-03-26 15:30:16 +0100[diff] [blame]879 ;;
Manuel Pégourié-Gonnard9ada01a2014-02-19 14:24:24 +0100[diff] [blame]880 *)
881 echo "error: invalid mode: $MODE" >&2
882 exit 1;
883 esac
884
Manuel Pégourié-Gonnardc36b4322018-06-14 13:14:29 +0200[diff] [blame]885 # GnuTLS < 3.4 will choke if we try to allow CCM-8
886 if [ -z "${GNUTLS_MINOR_LT_FOUR-}" ]; then
887 G_PRIO_CCM="+AES-256-CCM-8:+AES-128-CCM-8:"
888 else
889 G_PRIO_CCM=""
890 fi
891
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]892 M_SERVER_ARGS="server_port=$PORT server_addr=0.0.0.0 force_version=$MODE arc4=1"
Manuel Pégourié-Gonnard61957672015-06-18 17:54:58 +0200[diff] [blame]893 O_SERVER_ARGS="-accept $PORT -cipher NULL,ALL -$MODE -dhparam data_files/dhparams.pem"
Manuel Pégourié-Gonnard3025b6c2014-03-26 15:30:16 +0100[diff] [blame]894 G_SERVER_ARGS="-p $PORT --http $G_MODE"
Manuel Pégourié-Gonnardc36b4322018-06-14 13:14:29 +0200[diff] [blame]895 G_SERVER_PRIO="NORMAL:${G_PRIO_CCM}+ARCFOUR-128:+NULL:+MD5:+PSK:+DHE-PSK:+ECDHE-PSK:+RSA-PSK:-VERS-TLS-ALL:$G_PRIO_MODE"
Manuel Pégourié-Gonnard5b2d7762014-02-28 12:42:57 +0100[diff] [blame]896
Manuel Pégourié-Gonnardd1af1022014-07-11 17:01:06 +0200[diff] [blame]897 # with OpenSSL 1.0.1h, -www, -WWW and -HTTP break DTLS handshakes
898 if is_dtls "$MODE"; then
Manuel Pégourié-Gonnard36795192014-09-26 16:33:45 +0200[diff] [blame]899 O_SERVER_ARGS="$O_SERVER_ARGS"
Manuel Pégourié-Gonnardd1af1022014-07-11 17:01:06 +0200[diff] [blame]900 else
901 O_SERVER_ARGS="$O_SERVER_ARGS -www"
902 fi
903
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]904 M_CLIENT_ARGS="server_port=$PORT server_addr=127.0.0.1 force_version=$MODE"
Manuel Pégourié-Gonnard8066b812014-05-28 22:59:30 +0200[diff] [blame]905 O_CLIENT_ARGS="-connect localhost:$PORT -$MODE"
Manuel Pégourié-Gonnard3025b6c2014-03-26 15:30:16 +0100[diff] [blame]906 G_CLIENT_ARGS="-p $PORT --debug 3 $G_MODE"
Manuel Pégourié-Gonnarda4371442014-03-13 16:21:59 +0100[diff] [blame]907 G_CLIENT_PRIO="NONE:$G_PRIO_MODE:+COMP-NULL:+CURVE-ALL:+SIGN-ALL"
Manuel Pégourié-Gonnard9ada01a2014-02-19 14:24:24 +0100[diff] [blame]908
Manuel Pégourié-Gonnardd941a792014-02-19 13:35:52 +0100[diff] [blame]909 if [ "X$VERIFY" = "XYES" ];
910 then
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]911 M_SERVER_ARGS="$M_SERVER_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required"
Manuel Pégourié-Gonnard9ada01a2014-02-19 14:24:24 +0100[diff] [blame]912 O_SERVER_ARGS="$O_SERVER_ARGS -CAfile data_files/test-ca_cat12.crt -Verify 10"
Manuel Pégourié-Gonnard5b2d7762014-02-28 12:42:57 +0100[diff] [blame]913 G_SERVER_ARGS="$G_SERVER_ARGS --x509cafile data_files/test-ca_cat12.crt --require-client-cert"
914
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]915 M_CLIENT_ARGS="$M_CLIENT_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required"
Manuel Pégourié-Gonnardda782c92014-02-21 10:10:20 +0100[diff] [blame]916 O_CLIENT_ARGS="$O_CLIENT_ARGS -CAfile data_files/test-ca_cat12.crt -verify 10"
Manuel Pégourié-Gonnarda4371442014-03-13 16:21:59 +0100[diff] [blame]917 G_CLIENT_ARGS="$G_CLIENT_ARGS --x509cafile data_files/test-ca_cat12.crt"
Manuel Pégourié-Gonnardda782c92014-02-21 10:10:20 +0100[diff] [blame]918 else
Manuel Pégourié-Gonnard5b2d7762014-02-28 12:42:57 +0100[diff] [blame]919 # don't request a client cert at all
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]920 M_SERVER_ARGS="$M_SERVER_ARGS ca_file=none auth_mode=none"
Manuel Pégourié-Gonnard5b2d7762014-02-28 12:42:57 +0100[diff] [blame]921 G_SERVER_ARGS="$G_SERVER_ARGS --disable-client-cert"
922
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]923 M_CLIENT_ARGS="$M_CLIENT_ARGS ca_file=none auth_mode=none"
Manuel Pégourié-Gonnard5de31ec2014-03-19 17:34:52 +0100[diff] [blame]924 O_CLIENT_ARGS="$O_CLIENT_ARGS"
925 G_CLIENT_ARGS="$G_CLIENT_ARGS --insecure"
Manuel Pégourié-Gonnardd941a792014-02-19 13:35:52 +0100[diff] [blame]926 fi
927
928 case $TYPE in
929 "ECDSA")
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]930 M_SERVER_ARGS="$M_SERVER_ARGS crt_file=data_files/server5.crt key_file=data_files/server5.key"
Manuel Pégourié-Gonnard9ada01a2014-02-19 14:24:24 +0100[diff] [blame]931 O_SERVER_ARGS="$O_SERVER_ARGS -cert data_files/server5.crt -key data_files/server5.key"
Manuel Pégourié-Gonnard5b2d7762014-02-28 12:42:57 +0100[diff] [blame]932 G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
933
Manuel Pégourié-Gonnard1b149ef2014-02-27 14:38:29 +0100[diff] [blame]934 if [ "X$VERIFY" = "XYES" ]; then
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]935 M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=data_files/server6.crt key_file=data_files/server6.key"
Manuel Pégourié-Gonnard1b149ef2014-02-27 14:38:29 +0100[diff] [blame]936 O_CLIENT_ARGS="$O_CLIENT_ARGS -cert data_files/server6.crt -key data_files/server6.key"
Manuel Pégourié-Gonnarda4371442014-03-13 16:21:59 +0100[diff] [blame]937 G_CLIENT_ARGS="$G_CLIENT_ARGS --x509certfile data_files/server6.crt --x509keyfile data_files/server6.key"
Manuel Pégourié-Gonnard1b149ef2014-02-27 14:38:29 +0100[diff] [blame]938 else
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]939 M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=none key_file=none"
Manuel Pégourié-Gonnard1b149ef2014-02-27 14:38:29 +0100[diff] [blame]940 fi
Manuel Pégourié-Gonnardd941a792014-02-19 13:35:52 +0100[diff] [blame]941 ;;
942
943 "RSA")
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]944 M_SERVER_ARGS="$M_SERVER_ARGS crt_file=data_files/server2.crt key_file=data_files/server2.key"
Manuel Pégourié-Gonnardda782c92014-02-21 10:10:20 +0100[diff] [blame]945 O_SERVER_ARGS="$O_SERVER_ARGS -cert data_files/server2.crt -key data_files/server2.key"
Manuel Pégourié-Gonnard5b2d7762014-02-28 12:42:57 +0100[diff] [blame]946 G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile data_files/server2.crt --x509keyfile data_files/server2.key"
947
Manuel Pégourié-Gonnard1b149ef2014-02-27 14:38:29 +0100[diff] [blame]948 if [ "X$VERIFY" = "XYES" ]; then
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]949 M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=data_files/server1.crt key_file=data_files/server1.key"
Manuel Pégourié-Gonnard1b149ef2014-02-27 14:38:29 +0100[diff] [blame]950 O_CLIENT_ARGS="$O_CLIENT_ARGS -cert data_files/server1.crt -key data_files/server1.key"
Manuel Pégourié-Gonnarda4371442014-03-13 16:21:59 +0100[diff] [blame]951 G_CLIENT_ARGS="$G_CLIENT_ARGS --x509certfile data_files/server1.crt --x509keyfile data_files/server1.key"
Manuel Pégourié-Gonnard1b149ef2014-02-27 14:38:29 +0100[diff] [blame]952 else
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]953 M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=none key_file=none"
Manuel Pégourié-Gonnard1b149ef2014-02-27 14:38:29 +0100[diff] [blame]954 fi
Gilles Peskine62469d92017-05-10 10:13:59 +0200[diff] [blame]955
956 # Allow SHA-1. It's disabled by default for security reasons but
957 # our tests still use certificates signed with it.
958 M_SERVER_ARGS="$M_SERVER_ARGS allow_sha1=1"
959 M_CLIENT_ARGS="$M_CLIENT_ARGS allow_sha1=1"
Manuel Pégourié-Gonnardd941a792014-02-19 13:35:52 +0100[diff] [blame]960 ;;
961
962 "PSK")
Manuel Pégourié-Gonnard5b2d7762014-02-28 12:42:57 +0100[diff] [blame]963 # give RSA-PSK-capable server a RSA cert
Manuel Pégourié-Gonnard1b149ef2014-02-27 14:38:29 +0100[diff] [blame]964 # (should be a separate type, but harder to close with openssl)
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]965 M_SERVER_ARGS="$M_SERVER_ARGS psk=6162636465666768696a6b6c6d6e6f70 ca_file=none crt_file=data_files/server2.crt key_file=data_files/server2.key"
Manuel Pégourié-Gonnard1b149ef2014-02-27 14:38:29 +0100[diff] [blame]966 O_SERVER_ARGS="$O_SERVER_ARGS -psk 6162636465666768696a6b6c6d6e6f70 -nocert"
Manuel Pégourié-Gonnard5b2d7762014-02-28 12:42:57 +0100[diff] [blame]967 G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile data_files/server2.crt --x509keyfile data_files/server2.key --pskpasswd data_files/passwd.psk"
968
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]969 M_CLIENT_ARGS="$M_CLIENT_ARGS psk=6162636465666768696a6b6c6d6e6f70 crt_file=none key_file=none"
Manuel Pégourié-Gonnard9ada01a2014-02-19 14:24:24 +0100[diff] [blame]970 O_CLIENT_ARGS="$O_CLIENT_ARGS -psk 6162636465666768696a6b6c6d6e6f70"
Manuel Pégourié-Gonnarda4371442014-03-13 16:21:59 +0100[diff] [blame]971 G_CLIENT_ARGS="$G_CLIENT_ARGS --pskusername Client_identity --pskkey=6162636465666768696a6b6c6d6e6f70"
Gilles Peskine62469d92017-05-10 10:13:59 +0200[diff] [blame]972
973 # Allow SHA-1. It's disabled by default for security reasons but
974 # our tests still use certificates signed with it.
975 M_SERVER_ARGS="$M_SERVER_ARGS allow_sha1=1"
976 M_CLIENT_ARGS="$M_CLIENT_ARGS allow_sha1=1"
Manuel Pégourié-Gonnardd941a792014-02-19 13:35:52 +0100[diff] [blame]977 ;;
978 esac
979}
980
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]981# is_mbedtls <cmd_line>
982is_mbedtls() {
Manuel Pégourié-Gonnard3eec6042014-02-27 15:37:24 +0100[diff] [blame]983 echo "$1" | grep 'ssl_server2\|ssl_client2' > /dev/null
984}
985
986# has_mem_err <log_file_name>
987has_mem_err() {
988 if ( grep -F 'All heap blocks were freed -- no leaks are possible' "$1" &&
989 grep -F 'ERROR SUMMARY: 0 errors from 0 contexts' "$1" ) > /dev/null
990 then
991 return 1 # false: does not have errors
992 else
993 return 0 # true: has errors
994 fi
995}
996
Gilles Peskine12c49c72017-12-14 19:02:00 +0100[diff] [blame]997# Wait for process $2 to be listening on port $1
998if type lsof >/dev/null 2>/dev/null; then
999 wait_server_start() {
1000 START_TIME=$(date +%s)
1001 if is_dtls "$MODE"; then
1002 proto=UDP
1003 else
1004 proto=TCP
1005 fi
1006 while ! lsof -a -n -b -i "$proto:$1" -p "$2" >/dev/null 2>/dev/null; do
1007 if [ $(( $(date +%s) - $START_TIME )) -gt $DOG_DELAY ]; then
1008 echo "SERVERSTART TIMEOUT"
1009 echo "SERVERSTART TIMEOUT" >> $SRV_OUT
1010 break
1011 fi
1012 # Linux and *BSD support decimal arguments to sleep. On other
1013 # OSes this may be a tight loop.
1014 sleep 0.1 2>/dev/null || true
1015 done
1016 }
1017else
Gilles Peskine3c9e2b52018-01-08 12:38:15 +0100[diff] [blame]1018 echo "Warning: lsof not available, wait_server_start = sleep"
Gilles Peskine12c49c72017-12-14 19:02:00 +0100[diff] [blame]1019 wait_server_start() {
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]1020 sleep 2
Gilles Peskine12c49c72017-12-14 19:02:00 +0100[diff] [blame]1021 }
1022fi
1023
1024
Manuel Pégourié-Gonnard304beef2014-02-19 14:45:00 +0100[diff] [blame]1025# start_server <name>
1026# also saves name and command
1027start_server() {
Manuel Pégourié-Gonnard304beef2014-02-19 14:45:00 +0100[diff] [blame]1028 case $1 in
1029 [Oo]pen*)
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]1030 SERVER_CMD="$OPENSSL_CMD s_server $O_SERVER_ARGS"
Manuel Pégourié-Gonnard304beef2014-02-19 14:45:00 +0100[diff] [blame]1031 ;;
Manuel Pégourié-Gonnard5b2d7762014-02-28 12:42:57 +0100[diff] [blame]1032 [Gg]nu*)
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]1033 SERVER_CMD="$GNUTLS_SERV $G_SERVER_ARGS --priority $G_SERVER_PRIO"
Manuel Pégourié-Gonnard5b2d7762014-02-28 12:42:57 +0100[diff] [blame]1034 ;;
Manuel Pégourié-Gonnarda8f3b752015-01-22 17:05:05 +0000[diff] [blame]1035 mbed*)
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]1036 SERVER_CMD="$M_SRV $M_SERVER_ARGS"
Manuel Pégourié-Gonnard3eec6042014-02-27 15:37:24 +0100[diff] [blame]1037 if [ "$MEMCHECK" -gt 0 ]; then
1038 SERVER_CMD="valgrind --leak-check=full $SERVER_CMD"
1039 fi
Manuel Pégourié-Gonnard304beef2014-02-19 14:45:00 +0100[diff] [blame]1040 ;;
1041 *)
1042 echo "error: invalid server name: $1" >&2
1043 exit 1
1044 ;;
1045 esac
1046 SERVER_NAME=$1
1047
1048 log "$SERVER_CMD"
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1049 echo "$SERVER_CMD" > $SRV_OUT
Manuel Pégourié-Gonnardd1af1022014-07-11 17:01:06 +0200[diff] [blame]1050 # for servers without -www or equivalent
Manuel Pégourié-Gonnard82cf0a12015-02-09 13:05:54 +0000[diff] [blame]1051 while :; do echo bla; sleep 1; done | $SERVER_CMD >> $SRV_OUT 2>&1 &
Manuel Pégourié-Gonnard304beef2014-02-19 14:45:00 +0100[diff] [blame]1052 PROCESS_ID=$!
1053
Gilles Peskine12c49c72017-12-14 19:02:00 +0100[diff] [blame]1054 wait_server_start "$PORT" "$PROCESS_ID"
Manuel Pégourié-Gonnard304beef2014-02-19 14:45:00 +0100[diff] [blame]1055}
1056
Manuel Pégourié-Gonnard16494492014-08-31 10:37:14 +0200[diff] [blame]1057# terminate the running server
Manuel Pégourié-Gonnard95957712014-02-19 15:29:38 +0100[diff] [blame]1058stop_server() {
Manuel Pégourié-Gonnard74b11702014-08-14 15:47:33 +0200[diff] [blame]1059 kill $PROCESS_ID 2>/dev/null
1060 wait $PROCESS_ID 2>/dev/null
Manuel Pégourié-Gonnard3eec6042014-02-27 15:37:24 +0100[diff] [blame]1061
1062 if [ "$MEMCHECK" -gt 0 ]; then
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]1063 if is_mbedtls "$SERVER_CMD" && has_mem_err $SRV_OUT; then
Manuel Pégourié-Gonnard3eec6042014-02-27 15:37:24 +0100[diff] [blame]1064 echo " ! Server had memory errors"
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]1065 SRVMEM=$(( $SRVMEM + 1 ))
Manuel Pégourié-Gonnard3eec6042014-02-27 15:37:24 +0100[diff] [blame]1066 return
1067 fi
1068 fi
1069
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1070 rm -f $SRV_OUT
Manuel Pégourié-Gonnard95957712014-02-19 15:29:38 +0100[diff] [blame]1071}
1072
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]1073# kill the running server (used when killed by signal)
1074cleanup() {
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1075 rm -f $SRV_OUT $CLI_OUT
Manuel Pégourié-Gonnard16494492014-08-31 10:37:14 +0200[diff] [blame]1076 kill $PROCESS_ID >/dev/null 2>&1
1077 kill $WATCHDOG_PID >/dev/null 2>&1
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]1078 exit 1
1079}
1080
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]1081# wait for client to terminate and set EXIT
1082# must be called right after starting the client
1083wait_client_done() {
1084 CLI_PID=$!
1085
1086 ( sleep "$DOG_DELAY"; echo "TIMEOUT" >> $CLI_OUT; kill $CLI_PID ) &
1087 WATCHDOG_PID=$!
1088
1089 wait $CLI_PID
1090 EXIT=$?
1091
1092 kill $WATCHDOG_PID
1093 wait $WATCHDOG_PID
1094
1095 echo "EXIT: $EXIT" >> $CLI_OUT
1096}
1097
Manuel Pégourié-Gonnard330e4112014-02-19 15:23:21 +0100[diff] [blame]1098# run_client <name> <cipher>
1099run_client() {
Manuel Pégourié-Gonnard87ae3032014-02-27 11:12:30 +0100[diff] [blame]1100 # announce what we're going to do
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]1101 TESTS=$(( $TESTS + 1 ))
Manuel Pégourié-Gonnard87ae3032014-02-27 11:12:30 +0100[diff] [blame]1102 VERIF=$(echo $VERIFY | tr '[:upper:]' '[:lower:]')
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]1103 TITLE="`echo $1 | head -c1`->`echo $SERVER_NAME | head -c1`"
1104 TITLE="$TITLE $MODE,$VERIF $2"
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]1105 printf "$TITLE "
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]1106 LEN=$(( 72 - `echo "$TITLE" | wc -c` ))
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]1107 for i in `seq 1 $LEN`; do printf '.'; done; printf ' '
Manuel Pégourié-Gonnard87ae3032014-02-27 11:12:30 +0100[diff] [blame]1108
Manuel Pégourié-Gonnard53aef812014-07-11 17:41:24 +0200[diff] [blame]1109 # should we skip?
1110 if [ "X$SKIP_NEXT" = "XYES" ]; then
1111 SKIP_NEXT="NO"
1112 echo "SKIP"
1113 SKIPPED=$(( $SKIPPED + 1 ))
1114 return
1115 fi
1116
Manuel Pégourié-Gonnard330e4112014-02-19 15:23:21 +0100[diff] [blame]1117 # run the command and interpret result
1118 case $1 in
1119 [Oo]pen*)
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]1120 CLIENT_CMD="$OPENSSL_CMD s_client $O_CLIENT_ARGS -cipher $2"
Manuel Pégourié-Gonnard330e4112014-02-19 15:23:21 +0100[diff] [blame]1121 log "$CLIENT_CMD"
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1122 echo "$CLIENT_CMD" > $CLI_OUT
Manuel Pégourié-Gonnard9afdc832015-08-04 17:15:13 +0200[diff] [blame]1123 printf 'GET HTTP/1.0\r\n\r\n' | $CLIENT_CMD >> $CLI_OUT 2>&1 &
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]1124 wait_client_done
Manuel Pégourié-Gonnard330e4112014-02-19 15:23:21 +0100[diff] [blame]1125
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]1126 if [ $EXIT -eq 0 ]; then
Manuel Pégourié-Gonnard330e4112014-02-19 15:23:21 +0100[diff] [blame]1127 RESULT=0
1128 else
Darryl Green11999bb2018-03-13 15:22:58 +0000[diff] [blame]1129 # If the cipher isn't supported...
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1130 if grep 'Cipher is (NONE)' $CLI_OUT >/dev/null; then
Manuel Pégourié-Gonnard330e4112014-02-19 15:23:21 +0100[diff] [blame]1131 RESULT=1
1132 else
1133 RESULT=2
1134 fi
1135 fi
1136 ;;
1137
Manuel Pégourié-Gonnarda4371442014-03-13 16:21:59 +0100[diff] [blame]1138 [Gg]nu*)
Manuel Pégourié-Gonnard29980b12014-07-10 20:12:56 +0200[diff] [blame]1139 # need to force IPv4 with UDP, but keep localhost for auth
1140 if is_dtls "$MODE"; then
1141 G_HOST="127.0.0.1"
1142 else
1143 G_HOST="localhost"
1144 fi
1145 CLIENT_CMD="$GNUTLS_CLI $G_CLIENT_ARGS --priority $G_PRIO_MODE:$2 $G_HOST"
Manuel Pégourié-Gonnarda4371442014-03-13 16:21:59 +0100[diff] [blame]1146 log "$CLIENT_CMD"
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1147 echo "$CLIENT_CMD" > $CLI_OUT
Manuel Pégourié-Gonnard9afdc832015-08-04 17:15:13 +0200[diff] [blame]1148 printf 'GET HTTP/1.0\r\n\r\n' | $CLIENT_CMD >> $CLI_OUT 2>&1 &
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]1149 wait_client_done
Manuel Pégourié-Gonnarda4371442014-03-13 16:21:59 +0100[diff] [blame]1150
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]1151 if [ $EXIT -eq 0 ]; then
Manuel Pégourié-Gonnarda4371442014-03-13 16:21:59 +0100[diff] [blame]1152 RESULT=0
1153 else
Manuel Pégourié-Gonnard9edba772014-03-13 17:45:35 +0100[diff] [blame]1154 RESULT=2
1155 # interpret early failure, with a handshake_failure alert
1156 # before the server hello, as "no ciphersuite in common"
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1157 if grep -F 'Received alert [40]: Handshake failed' $CLI_OUT; then
1158 if grep -i 'SERVER HELLO .* was received' $CLI_OUT; then :
Manuel Pégourié-Gonnard9edba772014-03-13 17:45:35 +0100[diff] [blame]1159 else
1160 RESULT=1
1161 fi
1162 fi >/dev/null
Manuel Pégourié-Gonnarda4371442014-03-13 16:21:59 +0100[diff] [blame]1163 fi
1164 ;;
1165
Manuel Pégourié-Gonnarda8f3b752015-01-22 17:05:05 +0000[diff] [blame]1166 mbed*)
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]1167 CLIENT_CMD="$M_CLI $M_CLIENT_ARGS force_ciphersuite=$2"
Manuel Pégourié-Gonnard3eec6042014-02-27 15:37:24 +0100[diff] [blame]1168 if [ "$MEMCHECK" -gt 0 ]; then
1169 CLIENT_CMD="valgrind --leak-check=full $CLIENT_CMD"
1170 fi
Manuel Pégourié-Gonnard330e4112014-02-19 15:23:21 +0100[diff] [blame]1171 log "$CLIENT_CMD"
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1172 echo "$CLIENT_CMD" > $CLI_OUT
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]1173 $CLIENT_CMD >> $CLI_OUT 2>&1 &
1174 wait_client_done
Manuel Pégourié-Gonnard330e4112014-02-19 15:23:21 +0100[diff] [blame]1175
1176 case $EXIT in
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]1177 # Success
Manuel Pégourié-Gonnard330e4112014-02-19 15:23:21 +0100[diff] [blame]1178 "0") RESULT=0 ;;
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]1179
1180 # Ciphersuite not supported
Manuel Pégourié-Gonnard330e4112014-02-19 15:23:21 +0100[diff] [blame]1181 "2") RESULT=1 ;;
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]1182
1183 # Error
Manuel Pégourié-Gonnard330e4112014-02-19 15:23:21 +0100[diff] [blame]1184 *) RESULT=2 ;;
1185 esac
Manuel Pégourié-Gonnard3eec6042014-02-27 15:37:24 +0100[diff] [blame]1186
1187 if [ "$MEMCHECK" -gt 0 ]; then
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]1188 if is_mbedtls "$CLIENT_CMD" && has_mem_err $CLI_OUT; then
Manuel Pégourié-Gonnard3eec6042014-02-27 15:37:24 +0100[diff] [blame]1189 RESULT=2
1190 fi
1191 fi
1192
Manuel Pégourié-Gonnard330e4112014-02-19 15:23:21 +0100[diff] [blame]1193 ;;
1194
1195 *)
1196 echo "error: invalid client name: $1" >&2
1197 exit 1
1198 ;;
1199 esac
1200
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1201 echo "EXIT: $EXIT" >> $CLI_OUT
Manuel Pégourié-Gonnarde01af4c2014-03-25 14:16:44 +0100[diff] [blame]1202
Manuel Pégourié-Gonnard330e4112014-02-19 15:23:21 +0100[diff] [blame]1203 # report and count result
Manuel Pégourié-Gonnard330e4112014-02-19 15:23:21 +0100[diff] [blame]1204 case $RESULT in
1205 "0")
Manuel Pégourié-Gonnard4145b892014-02-24 13:20:14 +0100[diff] [blame]1206 echo PASS
Manuel Pégourié-Gonnard330e4112014-02-19 15:23:21 +0100[diff] [blame]1207 ;;
1208 "1")
Manuel Pégourié-Gonnard4145b892014-02-24 13:20:14 +0100[diff] [blame]1209 echo SKIP
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]1210 SKIPPED=$(( $SKIPPED + 1 ))
Manuel Pégourié-Gonnard330e4112014-02-19 15:23:21 +0100[diff] [blame]1211 ;;
1212 "2")
Manuel Pégourié-Gonnard4145b892014-02-24 13:20:14 +0100[diff] [blame]1213 echo FAIL
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]1214 cp $SRV_OUT c-srv-${TESTS}.log
1215 cp $CLI_OUT c-cli-${TESTS}.log
1216 echo " ! outputs saved to c-srv-${TESTS}.log, c-cli-${TESTS}.log"
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]1217
Azim Khan19d13732018-03-29 11:04:20 +0100[diff] [blame]1218 if [ "X${USER:-}" = Xbuildbot -o "X${LOGNAME:-}" = Xbuildbot -o "${LOG_FAILURE_ON_STDOUT:-0}" != 0 ]; then
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]1219 echo " ! server output:"
1220 cat c-srv-${TESTS}.log
1221 echo " ! ==================================================="
1222 echo " ! client output:"
1223 cat c-cli-${TESTS}.log
1224 fi
1225
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]1226 FAILED=$(( $FAILED + 1 ))
Manuel Pégourié-Gonnard330e4112014-02-19 15:23:21 +0100[diff] [blame]1227 ;;
1228 esac
Manuel Pégourié-Gonnard87ae3032014-02-27 11:12:30 +0100[diff] [blame]1229
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1230 rm -f $CLI_OUT
Manuel Pégourié-Gonnard330e4112014-02-19 15:23:21 +0100[diff] [blame]1231}
1232
Manuel Pégourié-Gonnard9dea8bd2014-02-26 18:21:02 +0100[diff] [blame]1233#
1234# MAIN
1235#
1236
Manuel Pégourié-Gonnard19db8ea2015-03-10 13:41:04 +0000[diff] [blame]1237if cd $( dirname $0 ); then :; else
1238 echo "cd $( dirname $0 ) failed" >&2
1239 exit 1
1240fi
1241
Manuel Pégourié-Gonnard3947d042014-03-14 18:13:53 +0100[diff] [blame]1242get_options "$@"
1243
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1244# sanity checks, avoid an avalanche of errors
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]1245if [ ! -x "$M_SRV" ]; then
1246 echo "Command '$M_SRV' is not an executable file" >&2
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1247 exit 1
1248fi
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]1249if [ ! -x "$M_CLI" ]; then
1250 echo "Command '$M_CLI' is not an executable file" >&2
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1251 exit 1
1252fi
Manuel Pégourié-Gonnard3947d042014-03-14 18:13:53 +0100[diff] [blame]1253
1254if echo "$PEERS" | grep -i openssl > /dev/null; then
1255 if which "$OPENSSL_CMD" >/dev/null 2>&1; then :; else
1256 echo "Command '$OPENSSL_CMD' not found" >&2
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]1257 exit 1
1258 fi
Manuel Pégourié-Gonnard3947d042014-03-14 18:13:53 +0100[diff] [blame]1259fi
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1260
Manuel Pégourié-Gonnard3947d042014-03-14 18:13:53 +0100[diff] [blame]1261if echo "$PEERS" | grep -i gnutls > /dev/null; then
1262 for CMD in "$GNUTLS_CLI" "$GNUTLS_SERV"; do
1263 if which "$CMD" >/dev/null 2>&1; then :; else
1264 echo "Command '$CMD' not found" >&2
1265 exit 1
1266 fi
1267 done
1268fi
1269
1270for PEER in $PEERS; do
1271 case "$PEER" in
Manuel Pégourié-Gonnarda8f3b752015-01-22 17:05:05 +0000[diff] [blame]1272 mbed*|[Oo]pen*|[Gg]nu*)
Manuel Pégourié-Gonnard3947d042014-03-14 18:13:53 +0100[diff] [blame]1273 ;;
1274 *)
1275 echo "Unknown peers: $PEER" >&2
1276 exit 1
1277 esac
1278done
Manuel Pégourié-Gonnard9dea8bd2014-02-26 18:21:02 +0100[diff] [blame]1279
Manuel Pégourié-Gonnard8066b812014-05-28 22:59:30 +0200[diff] [blame]1280# Pick a "unique" port in the range 10000-19999.
1281PORT="0000$$"
Manuel Pégourié-Gonnardfab2a3c2014-06-16 16:54:36 +0200[diff] [blame]1282PORT="1$(echo $PORT | tail -c 5)"
Manuel Pégourié-Gonnard8066b812014-05-28 22:59:30 +0200[diff] [blame]1283
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1284# Also pick a unique name for intermediate files
1285SRV_OUT="srv_out.$$"
1286CLI_OUT="cli_out.$$"
1287
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]1288# client timeout delay: be more patient with valgrind
1289if [ "$MEMCHECK" -gt 0 ]; then
1290 DOG_DELAY=30
1291else
1292 DOG_DELAY=10
1293fi
1294
Manuel Pégourié-Gonnard53aef812014-07-11 17:41:24 +0200[diff] [blame]1295SKIP_NEXT="NO"
1296
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]1297trap cleanup INT TERM HUP
1298
Manuel Pégourié-Gonnard95957712014-02-19 15:29:38 +0100[diff] [blame]1299for VERIFY in $VERIFIES; do
1300 for MODE in $MODES; do
Manuel Pégourié-Gonnard95957712014-02-19 15:29:38 +0100[diff] [blame]1301 for TYPE in $TYPES; do
Manuel Pégourié-Gonnard9edba772014-03-13 17:45:35 +0100[diff] [blame]1302 for PEER in $PEERS; do
Paul Bakker7e5e7ca2013-04-17 19:27:58 +0200[diff] [blame]1303
Manuel Pégourié-Gonnard95957712014-02-19 15:29:38 +0100[diff] [blame]1304 setup_arguments
Manuel Pégourié-Gonnard5b2d7762014-02-28 12:42:57 +0100[diff] [blame]1305
Manuel Pégourié-Gonnard9edba772014-03-13 17:45:35 +0100[diff] [blame]1306 case "$PEER" in
Manuel Pégourié-Gonnardd3313192013-09-13 19:20:37 +0200[diff] [blame]1307
Manuel Pégourié-Gonnard9edba772014-03-13 17:45:35 +0100[diff] [blame]1308 [Oo]pen*)
Paul Bakker398cb512012-04-10 08:22:31 +0000[diff] [blame]1309
Manuel Pégourié-Gonnard39e2ca92015-08-04 16:43:37 +0200[diff] [blame]1310 if test "$OSSL_NO_DTLS" -gt 0 && is_dtls "$MODE"; then
1311 continue;
1312 fi
1313
Manuel Pégourié-Gonnard9edba772014-03-13 17:45:35 +0100[diff] [blame]1314 reset_ciphersuites
Manuel Pégourié-Gonnard12b84722014-03-25 19:07:28 +0100[diff] [blame]1315 add_common_ciphersuites
Manuel Pégourié-Gonnard9edba772014-03-13 17:45:35 +0100[diff] [blame]1316 add_openssl_ciphersuites
1317 filter_ciphersuites
Manuel Pégourié-Gonnard330e4112014-02-19 15:23:21 +0100[diff] [blame]1318
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]1319 if [ "X" != "X$M_CIPHERS" ]; then
Manuel Pégourié-Gonnard9edba772014-03-13 17:45:35 +0100[diff] [blame]1320 start_server "OpenSSL"
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]1321 for i in $M_CIPHERS; do
Manuel Pégourié-Gonnard53aef812014-07-11 17:41:24 +0200[diff] [blame]1322 check_openssl_server_bug $i
Manuel Pégourié-Gonnarde4f6edc2015-01-22 16:43:54 +0000[diff] [blame]1323 run_client mbedTLS $i
Manuel Pégourié-Gonnard9edba772014-03-13 17:45:35 +0100[diff] [blame]1324 done
1325 stop_server
1326 fi
Manuel Pégourié-Gonnard5b2d7762014-02-28 12:42:57 +0100[diff] [blame]1327
Manuel Pégourié-Gonnard9edba772014-03-13 17:45:35 +0100[diff] [blame]1328 if [ "X" != "X$O_CIPHERS" ]; then
Manuel Pégourié-Gonnarde4f6edc2015-01-22 16:43:54 +0000[diff] [blame]1329 start_server "mbedTLS"
Manuel Pégourié-Gonnard9edba772014-03-13 17:45:35 +0100[diff] [blame]1330 for i in $O_CIPHERS; do
1331 run_client OpenSSL $i
1332 done
1333 stop_server
1334 fi
Manuel Pégourié-Gonnard5b2d7762014-02-28 12:42:57 +0100[diff] [blame]1335
Manuel Pégourié-Gonnard9edba772014-03-13 17:45:35 +0100[diff] [blame]1336 ;;
Manuel Pégourié-Gonnard5b2d7762014-02-28 12:42:57 +0100[diff] [blame]1337
Manuel Pégourié-Gonnard9edba772014-03-13 17:45:35 +0100[diff] [blame]1338 [Gg]nu*)
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1339
Manuel Pégourié-Gonnard9edba772014-03-13 17:45:35 +0100[diff] [blame]1340 reset_ciphersuites
Manuel Pégourié-Gonnard12b84722014-03-25 19:07:28 +0100[diff] [blame]1341 add_common_ciphersuites
Manuel Pégourié-Gonnard9edba772014-03-13 17:45:35 +0100[diff] [blame]1342 add_gnutls_ciphersuites
1343 filter_ciphersuites
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1344
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]1345 if [ "X" != "X$M_CIPHERS" ]; then
Manuel Pégourié-Gonnard9edba772014-03-13 17:45:35 +0100[diff] [blame]1346 start_server "GnuTLS"
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]1347 for i in $M_CIPHERS; do
Manuel Pégourié-Gonnarde4f6edc2015-01-22 16:43:54 +0000[diff] [blame]1348 run_client mbedTLS $i
Manuel Pégourié-Gonnard9edba772014-03-13 17:45:35 +0100[diff] [blame]1349 done
1350 stop_server
1351 fi
1352
1353 if [ "X" != "X$G_CIPHERS" ]; then
Manuel Pégourié-Gonnarde4f6edc2015-01-22 16:43:54 +0000[diff] [blame]1354 start_server "mbedTLS"
Manuel Pégourié-Gonnard9edba772014-03-13 17:45:35 +0100[diff] [blame]1355 for i in $G_CIPHERS; do
1356 run_client GnuTLS $i
1357 done
1358 stop_server
1359 fi
1360
1361 ;;
1362
Manuel Pégourié-Gonnarda8f3b752015-01-22 17:05:05 +0000[diff] [blame]1363 mbed*)
Manuel Pégourié-Gonnard9edba772014-03-13 17:45:35 +0100[diff] [blame]1364
1365 reset_ciphersuites
Manuel Pégourié-Gonnard12b84722014-03-25 19:07:28 +0100[diff] [blame]1366 add_common_ciphersuites
Manuel Pégourié-Gonnard9edba772014-03-13 17:45:35 +0100[diff] [blame]1367 add_openssl_ciphersuites
1368 add_gnutls_ciphersuites
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1369 add_mbedtls_ciphersuites
Manuel Pégourié-Gonnard9edba772014-03-13 17:45:35 +0100[diff] [blame]1370 filter_ciphersuites
1371
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]1372 if [ "X" != "X$M_CIPHERS" ]; then
Manuel Pégourié-Gonnarde4f6edc2015-01-22 16:43:54 +0000[diff] [blame]1373 start_server "mbedTLS"
Simon Butcherac22d112016-09-04 22:31:09 +0100[diff] [blame]1374 for i in $M_CIPHERS; do
Manuel Pégourié-Gonnarde4f6edc2015-01-22 16:43:54 +0000[diff] [blame]1375 run_client mbedTLS $i
Manuel Pégourié-Gonnard9edba772014-03-13 17:45:35 +0100[diff] [blame]1376 done
1377 stop_server
1378 fi
1379
1380 ;;
1381
Manuel Pégourié-Gonnarda1a9f9a2014-03-25 18:04:59 +0100[diff] [blame]1382 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]1383 echo "Unknown peer: $PEER" >&2
Manuel Pégourié-Gonnarda1a9f9a2014-03-25 18:04:59 +0100[diff] [blame]1384 exit 1
1385 ;;
1386
Manuel Pégourié-Gonnard9edba772014-03-13 17:45:35 +0100[diff] [blame]1387 esac
1388
1389 done
Manuel Pégourié-Gonnard95957712014-02-19 15:29:38 +0100[diff] [blame]1390 done
1391 done
Manuel Pégourié-Gonnard9791a402013-08-27 19:57:15 +0200[diff] [blame]1392done
Manuel Pégourié-Gonnard70064fd2013-08-27 22:00:47 +0200[diff] [blame]1393
Manuel Pégourié-Gonnard4145b892014-02-24 13:20:14 +0100[diff] [blame]1394echo "------------------------------------------------------------------------"
Manuel Pégourié-Gonnard70064fd2013-08-27 22:00:47 +0200[diff] [blame]1395
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]1396if [ $FAILED -ne 0 -o $SRVMEM -ne 0 ];
Manuel Pégourié-Gonnard70064fd2013-08-27 22:00:47 +0200[diff] [blame]1397then
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]1398 printf "FAILED"
Manuel Pégourié-Gonnard70064fd2013-08-27 22:00:47 +0200[diff] [blame]1399else
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]1400 printf "PASSED"
Manuel Pégourié-Gonnard70064fd2013-08-27 22:00:47 +0200[diff] [blame]1401fi
1402
Manuel Pégourié-Gonnardba0b8442014-03-13 17:57:45 +0100[diff] [blame]1403if [ "$MEMCHECK" -gt 0 ]; then
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]1404 MEMREPORT=", $SRVMEM server memory errors"
Manuel Pégourié-Gonnardba0b8442014-03-13 17:57:45 +0100[diff] [blame]1405else
1406 MEMREPORT=""
1407fi
1408
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]1409PASSED=$(( $TESTS - $FAILED ))
1410echo " ($PASSED / $TESTS tests ($SKIPPED skipped$MEMREPORT))"
Manuel Pégourié-Gonnard70064fd2013-08-27 22:00:47 +0200[diff] [blame]1411
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]1412FAILED=$(( $FAILED + $SRVMEM ))
1413exit $FAILED