authorNikos Mavrogiannopoulos <nmav@redhat.com>2018-06-21 11:29:19 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2018-06-27 20:54:34 +0200
commite0802ca59c45b0ed7b194b535b507225a6de5427 (patch)
tree6e3770836a43cc7514fdbe1258f5c305034addc0
parentf5863ab35f8afbc8d0354dbea08d41e0df2ce292 (diff)
downloadgnutls-e0802ca59c45b0ed7b194b535b507225a6de5427.tar.gz
testcompat-tls13-openssl: fix openssl interactions
* Do not require certificate validation on tests where no certificate is sent * Rekey test performs data transfer after re-key This introduces a dependency on the expect package for testing, and updates openssl to address an issue in post-handshake auth interop testing. Resolves #488 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r--README.md6
m---------devel/openssl0
-rwxr-xr-xtests/suite/testcompat-tls13-openssl.sh60
3 files changed, 54 insertions, 12 deletions
diff --git a/README.md b/README.md
index 86d9ab466d..34660e2876 100644
--- a/README.md
+++ b/README.md
@@ -72,7 +72,7 @@ Nettle, P11-kit and Autogen, which you will need to build from sources.
Dependencies that are used during make check or make dist are listed below.
Moreover, for basic interoperability testing you may want to install openssl
-and polarssl.
+and mbedtls.
* [Valgrind](http://valgrind.org/) (optional)
* [Libasan](https://gcc.gnu.org//) (optional)
@@ -84,13 +84,13 @@ and polarssl.
Debian/Ubuntu:
```
-apt-get install -y valgrind libasan1 libubsan0 nodejs softhsm2 datefudge lcov libssl-dev libcmocka-dev
+apt-get install -y valgrind libasan1 libubsan0 nodejs softhsm2 datefudge lcov libssl-dev libcmocka-dev expect
apt-get install -y dieharder libpolarssl-runtime openssl abi-compliance-checker socat net-tools ppp lockfile-progs
```
Fedora/RHEL:
```
-yum install -y valgrind libasan libasan-static libubsan nodejs softhsm datefudge lcov openssl-devel
+yum install -y valgrind libasan libasan-static libubsan nodejs softhsm datefudge lcov openssl-devel expect
yum install -y dieharder mbedtls-utils openssl abi-compliance-checker libcmocka-devel socat lockfile-progs
```
diff --git a/devel/openssl b/devel/openssl
-Subproject 25642ad29e6a2c15c10ceb5e4f029638f73a879
+Subproject 09fb65d5e413b7b87bf26f01ec441b44a03d4ee
diff --git a/tests/suite/testcompat-tls13-openssl.sh b/tests/suite/testcompat-tls13-openssl.sh
index e7a58f560a..957aa5fe05 100755
--- a/tests/suite/testcompat-tls13-openssl.sh
+++ b/tests/suite/testcompat-tls13-openssl.sh
@@ -87,7 +87,7 @@ run_client_suite() {
eval "${GETPORT}"
- launch_bare_server $$ s_server -ciphersuites ${OCIPHERSUITES} -groups 'X25519:P-256:X448:P-521:P-384' -quiet -www -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -Verify 1 -CAfile "${CA_CERT}"
+ launch_bare_server $$ s_server -ciphersuites ${OCIPHERSUITES} -groups 'X25519:P-256:X448:P-521:P-384' -quiet -www -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -CAfile "${CA_CERT}"
PID=$!
wait_server ${PID}
@@ -104,8 +104,8 @@ run_client_suite() {
fail ${PID} "Failed"
done
- echo_cmd "${PREFIX}Checking TLS 1.3 with rekey..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --insecure --inline-commands <<<$(echo "^rekey^") >>${OUTPUT} || \
+ echo_cmd "${PREFIX}Checking TLS 1.3 with double rekey..."
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --insecure --inline-commands <<<$(echo -e "^rekey^\n^rekey1^\nGET / HTTP/1.0\r\n\r\n") >>${OUTPUT} || \
fail ${PID} "Failed"
# Try hello retry request
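Review bot: The double-rekey check on the new `--inline-commands` line passes on the client's exit status alone, so nothing asserts that the `GET` sent after the two key updates was actually answered under the new keys. Capturing the client output the way the resume test does (`| tee "${testdir}/client.out" >>${OUTPUT}`) and grepping it for a string the `-www` page is known to contain would make the post-rekey transfer part of the verdict. Separately, the here-string word is an unquoted `$(echo -e …)`; bash releases before 4.4 word-split that expansion, which would join the inline commands onto one line, so `<<<"$(printf '^rekey^\n^rekey1^\nGET / HTTP/1.0\r\n\r\n')"` is the safer form. The resume test in the hunk at -214 uses the same unquoted pattern.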
@@ -214,8 +214,7 @@ run_client_suite() {
wait_server ${PID}
# ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:+GROUP-ALL${ADD}" --x509cafile "${CA_CERT}" --inline-commands | tee "${testdir}/client.out" >> ${OUTPUT}
- { echo a; sleep 1; echo '^resume^'; } | \
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:+GROUP-ALL${ADD}" --insecure --inline-commands | tee "${testdir}/client.out" >> ${OUTPUT}
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:+GROUP-ALL${ADD}" --insecure --inline-commands <<< $(echo -e "^resume^\nGET / HTTP/1.0\r\n\r\n")| tee "${testdir}/client.out" >> ${OUTPUT}
grep '^\*\*\* This is a resumed session' "${testdir}/client.out" || \
fail ${PID} "Failed"
@@ -275,7 +274,6 @@ run_server_suite() {
done
echo_cmd "${PREFIX}Checking TLS 1.3 with HRR..."
-
eval "${GETPORT}"
launch_server $$ --echo --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-SECP384R1${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
PID=$!
@@ -285,8 +283,25 @@ run_server_suite() {
fail ${PID} "Failed"
echo_cmd "${PREFIX}Checking TLS 1.3 with rekey..."
- ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -CAfile "${CA_CERT}" <<<$(echo "***REKEY***") 2>&1 | grep "\:error\:" && \
+ expect - >/dev/null <<_EOF_
+set timeout 10
+set os_error_flag 1
+spawn ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -CAfile "${CA_CERT}"
+
+expect "SSL-Session" {send "K\n"} timeout {exit 1}
+expect "KEYUPDATE" {send "HELLO\n"} timeout {exit 1}
+expect "HELLO" {close} timeout {exit 1}
+
+lassign [wait] pid spawnid os_error_flag value
+if {\$os_error_flag == 0} {
+ exit $value
+} else {
+ exit 1
+}
+_EOF_
+ if test $? != 0;then
fail ${PID} "Failed"
+ fi
kill ${PID}
wait
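Review bot: `exit $value` sits inside the unquoted `<<_EOF_` here-document, so the shell expands it before expect ever runs, unlike `\$os_error_flag` on the line above, which is escaped. Unless a shell variable named `value` happens to be set (none is visible in this hunk), expect receives a bare `exit` and returns 0, so a non-zero s_client status is dropped and the rekey check can pass when the client failed. Escape it as `exit \$value`; the post-handshake-auth block in the hunk at -320 has the same line. This dialogue also lacks the `"error*" {exit 1}` branch that the post-handshake-auth one has, so a TLS error is only seen as a 10-second timeout. The body of run_server_suite continues outside the hunk.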
@@ -320,12 +335,39 @@ run_server_suite() {
echo_cmd "${PREFIX}Checking TLS 1.3 with post handshake auth..."
eval "${GETPORT}"
- launch_server $$ --echo --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
+ launch_server $$ --echo --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" #>>${OUTPUT} 2>&1
PID=$!
wait_server ${PID}
- ${OPENSSL_CLI} s_client -force_pha -host localhost -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" <<<$(echo "***REAUTH***") 2>&1 | grep "\:error\:" && \
+ expect - >/dev/null <<_EOF_
+set timeout 10
+set os_error_flag 1
+spawn ${OPENSSL_CLI} s_client -force_pha -host localhost -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}"
+
+expect "SSL-Session" {send "**REAUTH**\n"} timeout {exit 1}
+expect {
+ timeout {exit 1}
+ "error*" {exit 1}
+ "Successfully executed command" {send "**REAUTH**\n"}
+}
+expect {
+ timeout {exit 1}
+ "error*" {exit 1}
+ "Successfully executed command" {send "HELLO\n"}
+}
+
+expect "HELLO" {close} timeout {exit 1}
+
+lassign [wait] pid spawnid os_error_flag value
+if {\$os_error_flag == 0} {
+ exit $value
+} else {
+ exit 1
+}
+_EOF_
+ if test $? != 0;then
fail ${PID} "Failed"
+ fi
kill ${PID}
wait
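Review bot: The `launch_server` line for the post-handshake-auth test now ends in `#>>${OUTPUT} 2>&1`, which looks like a debugging leftover. With the redirection commented out, the server's output goes to the test's own stdout/stderr instead of the log that every other `launch_server` call in this file writes to. Restoring `>>${OUTPUT} 2>&1` keeps the log complete when this check fails. In the same spirit, `expect - >/dev/null` throws away the only transcript of the s_client dialogue; sending it to `>>${OUTPUT}` would make a timeout or `error` exit diagnosable.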