diff options
| author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2015-06-11 10:56:43 +0200 |
|---|---|---|
| committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2015-06-11 11:12:57 +0200 |
| commit | 5bcce4d195af9be30d09a0de5e5894da7b0e4593 (patch) | |
| tree | d821dabf816572cdf4ba40b2d2515d860982bf57 | |
| parent | d8f455b832ddebf5450899380825db93e91199af (diff) | |
| download | gnutls-5bcce4d195af9be30d09a0de5e5894da7b0e4593.tar.gz | |
tests: backported test-compat-main from master
| -rwxr-xr-x | tests/suite/testcompat-main | 116 |
1 files changed, 77 insertions, 39 deletions
diff --git a/tests/suite/testcompat-main b/tests/suite/testcompat-main index 589d68cca1..8b407c7cbf 100755 --- a/tests/suite/testcompat-main +++ b/tests/suite/testcompat-main @@ -1,24 +1,34 @@ #!/bin/sh -# Copyright (C) 2010-2012 Free Software Foundation, Inc. +# Copyright (c) 2010-2015, Free Software Foundation, Inc. +# Copyright (c) 2012-2015, Nikos Mavrogiannopoulos +# All rights reserved. # # Author: Nikos Mavrogiannopoulos # # This file is part of GnuTLS. # -# GnuTLS is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 3 of the License, or (at -# your option) any later version. +# Redistribution and use in source and binary forms, with or without modification, +# are permitted provided that the following conditions are met: # -# GnuTLS is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# General Public License for more details. +# 1. Redistributions of source code must retain the above copyright notice, this +# list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright notice, +# this list of conditions and the following disclaimer in the documentation and/or +# other materials provided with the distribution. +# 3. Neither the name of the copyright holder nor the names of its contributors may +# be used to endorse or promote products derived from this software without specific +# prior written permission. # -# You should have received a copy of the GNU General Public License -# along with GnuTLS; if not, write to the Free Software Foundation, -# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY +# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT +# SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, +# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED +# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY +# WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. srcdir="${srcdir:-.}" CLI="${CLI:-../../src/gnutls-cli$EXEEXT}" @@ -38,6 +48,10 @@ PORT="${PORT:-5458}" SERV=openssl OPENSSL_CLI="openssl" +if test -f /etc/debian_version;then + DEBIAN=1 +fi + echo "Compatibility checks using "`$SERV version` $SERV version|grep -e 1\.0 >/dev/null 2>&1 SV=$? @@ -55,7 +69,7 @@ echo "#################################################" echo "# Client mode tests (gnutls cli-openssl server) #" echo "#################################################" -for ADD in "" ":%COMPAT" ":%DISABLE_SAFE_RENEGOTIATION" +for ADD in "" ":%COMPAT" #":%NO_TICKETS" ":%DISABLE_SAFE_RENEGOTIATION" do if ! test -z "$ADD";then @@ -63,7 +77,7 @@ echo "" echo "** Modifier: $ADD" fi -if test 0 = 1;then +if test "$DEBIAN" != 1;then # It seems debian disabled SSL 3.0 completely on openssl @@ -83,17 +97,24 @@ $VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL: # Test SSL 3.0 with DHE-DSS ciphersuite echo "Checking SSL 3.0 with DHE-DSS..." -$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+DHE-DSS$ADD" --insecure --x509certfile $CLI_CERT --x509keyfile $CLI_KEY </dev/null >/dev/null || \ +$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256$ADD" --insecure --x509certfile $CLI_CERT --x509keyfile $CLI_KEY </dev/null >/dev/null || \ fail $PID "Failed" kill $PID wait -fi +launch_bare_server $$ s_server -quiet -www -accept $PORT -keyform pem -certform pem -ssl3 -dhparam params.dh -key $RSA_KEY -cert $RSA_CERT -cipher RC4-MD5 & +PID=$! +wait_server $PID -if test 0 = 1;then +echo "Checking SSL 3.0 with RSA-RC4-MD5..." +$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+ARCFOUR-128:+MD5:+SIGN-ALL:+COMP-NULL:+VERS-SSL3.0:+RSA$ADD" --insecure </dev/null >/dev/null || \ + fail $PID "Failed" -# It seems debian disabled NULL ciphersuites completely on openssl +kill $PID +wait + +fi if test "$FIPS" != 1;then #-cipher RSA-NULL @@ -110,16 +131,30 @@ kill $PID wait fi -fi - #-cipher RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA launch_bare_server $$ s_server -quiet -www -accept $PORT -keyform pem -certform pem -tls1 -dhparam params.dh -key $RSA_KEY -cert $RSA_CERT -dkey $DSA_KEY -dcert $DSA_CERT -Verify 1 -CAfile $CA_CERT & PID=$! wait_server $PID # Test TLS 1.0 with RSA ciphersuite -echo "Checking TLS 1.0 with RSA..." -$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA$ADD" --insecure --x509certfile $CLI_CERT --x509keyfile $CLI_KEY </dev/null >/dev/null || \ +echo "Checking TLS 1.0 with RSA and 3DES-CBC..." +$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+3DES-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA$ADD" --insecure --x509certfile $CLI_CERT --x509keyfile $CLI_KEY </dev/null >/dev/null || \ + fail $PID "Failed" + +echo "Checking TLS 1.0 with RSA and AES-128-CBC..." +$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+AES-128-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA$ADD" --insecure --x509certfile $CLI_CERT --x509keyfile $CLI_KEY </dev/null >/dev/null || \ + fail $PID "Failed" + +echo "Checking TLS 1.0 with RSA and AES-256-CBC..." +$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+AES-256-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA$ADD" --insecure --x509certfile $CLI_CERT --x509keyfile $CLI_KEY </dev/null >/dev/null || \ + fail $PID "Failed" + +echo "Checking TLS 1.0 with RSA and CAMELLIA-128-CBC..." +$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CAMELLIA-128-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA$ADD" --insecure --x509certfile $CLI_CERT --x509keyfile $CLI_KEY </dev/null >/dev/null || \ + fail $PID "Failed" + +echo "Checking TLS 1.0 with RSA and CAMELLIA-256-CBC..." +$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CAMELLIA-256-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA$ADD" --insecure --x509certfile $CLI_CERT --x509keyfile $CLI_KEY </dev/null >/dev/null || \ fail $PID "Failed" # Test TLS 1.0 with DHE-RSA ciphersuite @@ -134,7 +169,7 @@ $VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL: # Test TLS 1.0 with DHE-DSS ciphersuite echo "Checking TLS 1.0 with DHE-DSS..." -$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-DSS$ADD" --insecure --x509certfile $CLI_CERT --x509keyfile $CLI_KEY </dev/null >/dev/null || \ +$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256$ADD" --insecure --x509certfile $CLI_CERT --x509keyfile $CLI_KEY </dev/null >/dev/null || \ fail $PID "Failed" kill $PID @@ -205,8 +240,12 @@ launch_bare_server $$ s_server -quiet -www -accept $PORT -keyform pem -certform PID=$! wait_server $PID -echo "Checking TLS 1.2 with RSA..." -$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+RSA$ADD" --insecure --x509certfile $CLI_CERT --x509keyfile $CLI_KEY </dev/null >/dev/null || \ +echo "Checking TLS 1.2 with RSA and AES-128-GCM..." +$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+AES-128-GCM:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+RSA$ADD" --insecure --x509certfile $CLI_CERT --x509keyfile $CLI_KEY </dev/null >/dev/null || \ + fail $PID "Failed" + +echo "Checking TLS 1.2 with RSA and AES-256-GCM..." +$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+AES-256-GCM:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+RSA$ADD" --insecure --x509certfile $CLI_CERT --x509keyfile $CLI_KEY </dev/null >/dev/null || \ fail $PID "Failed" echo "Checking TLS 1.2 with DHE-RSA..." @@ -218,7 +257,7 @@ $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL fail $PID "Failed" echo "Checking TLS 1.2 with DHE-DSS..." -$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-DSS$ADD" --insecure --x509certfile $CLI_CERT --x509keyfile $CLI_KEY </dev/null >/dev/null || \ +$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256$ADD" --insecure --x509certfile $CLI_CERT --x509keyfile $CLI_KEY </dev/null >/dev/null || \ fail $PID "Failed" kill $PID @@ -308,7 +347,7 @@ wait_server $PID # Test DTLS 1.0 with DHE-DSS ciphersuite echo "Checking DTLS 1.0 with DHE-DSS..." -$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+DHE-DSS$ADD" --udp --insecure --x509certfile $CLI_CERT --x509keyfile $CLI_KEY </dev/null >/dev/null || \ +$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256$ADD" --udp --insecure --x509certfile $CLI_CERT --x509keyfile $CLI_KEY </dev/null >/dev/null || \ fail $PID "Failed" kill $PID @@ -333,15 +372,19 @@ echo "" echo "** Modifier: $ADD" fi -if test 0 = 1;then +if test "$DEBIAN" != 1;then echo "Check SSL 3.0 with RSA ciphersuite" -launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+RSA$ADD" --x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT --dhparams params.dh & PID=$! +launch_server $$ --priority "NONE:+MD5:+ARCFOUR-128:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+RSA$ADD" --x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT --dhparams params.dh & PID=$! wait_server $PID $OPENSSL_CLI s_client -host localhost -port $PORT -ssl3 -cert $CLI_CERT -key $CLI_KEY -CAfile $CA_CERT </dev/null 2>&1 | grep "\:error\:" && \ fail $PID "Failed" +echo "Check SSL 3.0 with RSA-RC4-MD5 ciphersuite" +$OPENSSL_CLI s_client -host localhost -port $PORT -ssl3 -cert $CLI_CERT -key $CLI_KEY -CAfile $CA_CERT -cipher RC4-MD5 </dev/null 2>&1 | grep "\:error\:" && \ + fail $PID "Failed" + kill $PID wait @@ -356,12 +399,13 @@ kill $PID wait echo "Check SSL 3.0 with DHE-DSS ciphersuite" -launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+DHE-DSS$ADD" --x509certfile $SERV_DSA_CERT --x509keyfile $SERV_DSA_KEY --dhparams params.dh & PID=$! +launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256$ADD" --x509certfile $SERV_DSA_CERT --x509keyfile $SERV_DSA_KEY --dhparams params.dh & PID=$! wait_server $PID $OPENSSL_CLI s_client -host localhost -port $PORT -ssl3 -cert $CLI_CERT -key $CLI_KEY -CAfile $CA_CERT </dev/null 2>&1 | grep "\:error\:" && \ fail $PID "Failed" + kill $PID wait @@ -380,10 +424,6 @@ fi #kill $PID #wait -if test 0 = 1;then - -# It seems debian disabled NULL ciphersuites completely on openssl - if test "$FIPS" != 1;then echo "Check TLS 1.0 with RSA-NULL ciphersuite" launch_server $$ --priority "NONE:+NULL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA:+DHE-RSA$ADD" --x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT --dhparams params.dh & PID=$! @@ -396,8 +436,6 @@ kill $PID wait fi -fi - echo "Check TLS 1.0 with DHE-RSA ciphersuite" launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-RSA$ADD" --x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT --dhparams params.dh & PID=$! wait_server $PID @@ -409,7 +447,7 @@ kill $PID wait echo "Check TLS 1.0 with DHE-DSS ciphersuite" -launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-DSS$ADD" --x509certfile $SERV_DSA_CERT --x509keyfile $SERV_DSA_KEY --dhparams params.dh & PID=$! +launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256$ADD" --x509certfile $SERV_DSA_CERT --x509keyfile $SERV_DSA_KEY --dhparams params.dh & PID=$! wait_server $PID $OPENSSL_CLI s_client -host localhost -tls1 -port $PORT -cert $CLI_CERT -key $CLI_KEY -CAfile $CA_CERT </dev/null 2>&1 | grep "\:error\:" && \ @@ -501,7 +539,7 @@ kill $PID wait echo "Check TLS 1.2 with DHE-DSS ciphersuite" -launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-DSS$ADD" --x509certfile $SERV_DSA_CERT --x509keyfile $SERV_DSA_KEY --dhparams params.dh & PID=$! +launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256$ADD" --x509certfile $SERV_DSA_CERT --x509keyfile $SERV_DSA_KEY --dhparams params.dh & PID=$! wait_server $PID $OPENSSL_CLI s_client -host localhost -tls1_2 -port $PORT -cert $CLI_CERT -key $CLI_KEY -CAfile $CA_CERT </dev/null 2>&1 | grep "\:error\:" && \ @@ -609,7 +647,7 @@ wait echo "Check DTLS 1.0 with DHE-DSS ciphersuite" -launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+DHE-DSS$ADD" --udp --x509certfile $SERV_DSA_CERT --x509keyfile $SERV_DSA_KEY --dhparams params.dh & PID=$! +launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256$ADD" --udp --x509certfile $SERV_DSA_CERT --x509keyfile $SERV_DSA_KEY --dhparams params.dh & PID=$! wait_server $PID |