diff options
| author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2019-08-03 21:32:47 +0200 |
|---|---|---|
| committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2019-09-01 14:22:51 +0200 |
| commit | 5074fb7f22c0d09ad0ceb57bd8f9420ae9dc74d3 (patch) | |
| tree | 2758fea92c83bcb5fe328648b5a7926718d3a6ee | |
| parent | 6522c27d70d29cdb67cbfe5864e2f02bdda69970 (diff) | |
| download | gnutls-5074fb7f22c0d09ad0ceb57bd8f9420ae9dc74d3.tar.gz | |
tests: added interoperability test with gnutls 2.12.x
This enables this test in debian build.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
| -rw-r--r-- | .gitlab-ci.yml | 3 | ||||
| -rw-r--r-- | configure.ac | 10 | ||||
| -rw-r--r-- | tests/suite/Makefile.am | 4 | ||||
| -rwxr-xr-x | tests/suite/testcompat-oldgnutls.sh | 190 |
4 files changed, 206 insertions, 1 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 9a1f28f07b..6126a8e808 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -496,13 +496,14 @@ ubsan-Werror.Fedora.x86_64: - tests/suite/*/*.log retry: 1 +# This includes interoperability testing with gnutls 2.12.x Debian.x86_64: stage: stage1-testing image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$DEBIAN_BUILD script: - ./bootstrap - mkdir -p build && cd build - - dash ../configure --disable-gcc-warnings --cache-file ../cache/config.cache --disable-doc --disable-guile --disable-full-test-suite LDFLAGS='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now' + - dash ../configure --enable-oldgnutls-interop --disable-gcc-warnings --cache-file ../cache/config.cache --disable-doc --disable-guile LDFLAGS='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now' - make -j$(nproc) - make check -j$(nproc) - cd .. diff --git a/configure.ac b/configure.ac index 1bf9bce95e..710db7608d 100644 --- a/configure.ac +++ b/configure.ac @@ -423,6 +423,16 @@ fi AM_CONDITIONAL(WANT_TEST_SUITE, test "$full_test_suite" = "yes") +AC_ARG_ENABLE(oldgnutls-interop, + AS_HELP_STRING([--enable-oldgnutls-interop], [enable interoperability testing with old gnutls version]), + enable_oldgnutls_interop=$enableval, enable_oldgnutls_interop=no) + +if test "$enable_oldgnutls_interop" != "no" && test "$full_test_suite" != yes;then + AC_MSG_ERROR([cannot --enable-oldgnutls-interop without --enable-full-test-suite]) +fi + +AM_CONDITIONAL(ENABLE_OLDGNUTLS_INTEROP, test "$enable_oldgnutls_interop" != "no") + dnl GCC warnings to enable AC_ARG_ENABLE([gcc-warnings], diff --git a/tests/suite/Makefile.am b/tests/suite/Makefile.am index b4da01a375..21966ac898 100644 --- a/tests/suite/Makefile.am +++ b/tests/suite/Makefile.am @@ -118,6 +118,10 @@ if ENABLE_TLS13_INTEROP scripts_to_test += testcompat-tls13-openssl.sh endif +if ENABLE_OLDGNUTLS_INTEROP +scripts_to_test += testcompat-oldgnutls.sh +endif + if ENABLE_DANE scripts_to_test += testdane.sh endif diff --git a/tests/suite/testcompat-oldgnutls.sh b/tests/suite/testcompat-oldgnutls.sh new file mode 100755 index 0000000000..d0467c65c6 --- /dev/null +++ b/tests/suite/testcompat-oldgnutls.sh @@ -0,0 +1,190 @@ +#!/bin/bash + +# Copyright (c) 2010-2016, Free Software Foundation, Inc. +# Copyright (c) 2012-2018, Nikos Mavrogiannopoulos +# All rights reserved. +# +# Author: Nikos Mavrogiannopoulos +# +# This file is part of GnuTLS. +# +# Redistribution and use in source and binary forms, with or without modification, +# are permitted provided that the following conditions are met: +# +# 1. Redistributions of source code must retain the above copyright notice, this +# list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright notice, +# this list of conditions and the following disclaimer in the documentation and/or +# other materials provided with the distribution. +# 3. Neither the name of the copyright holder nor the names of its contributors may +# be used to endorse or promote products derived from this software without specific +# prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY +# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT +# SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, +# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED +# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY +# WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +abs_top_srcdir="${abs_top_srcdir:-$(pwd)/../../}" +srcdir="${srcdir:-.}" +CLI="${CLI:-../../src/gnutls-cli${EXEEXT}}" +TMPFILE=testcompat-oldgnutls.$$.tmp + +# This assumes a root directory in /usr/local/OLDGNUTLS containing the +# gnutls client and server + +if ! test -x "${CLI}"; then + exit 77 +fi + +if ! test -z "${VALGRIND}"; then + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" +fi + +if test "${WINDIR}" != ""; then + exit 77 +fi + +LDPATH=/usr/local/OLDGNUTLS/lib/x86_64-linux-gnu:/usr/local/OLDGNUTLS/usr/lib/x86_64-linux-gnu + +. "${srcdir}/../scripts/common.sh" + +check_for_datefudge + +. "${srcdir}/testcompat-common" + +PORT="${PORT:-${RPORT}}" + +SERV=/usr/local/OLDGNUTLS/usr/bin/gnutls-serv + +if test -z "$OUTPUT";then +OUTPUT=/dev/null +fi + +>${OUTPUT} + +echo_cmd() { + tee -a ${OUTPUT} <<<$(echo $1) +} + +echo_cmd "Compatibility checks using "`${SERV} version` + +echo_cmd "####################################################" +echo_cmd "# Client mode tests (new cli-gnutls 2.12.x server) #" +echo_cmd "####################################################" + +run_client_suite() { + ADD=$1 + PREFIX="" + if ! test -z "${ADD}"; then + PREFIX="$(echo $ADD|sed 's/://g'): " + fi + + eval "${GETPORT}" + LD_LIBRARY_PATH=$LDPATH launch_server $$ --priority "NORMAL${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}" + PID=$! + wait_server ${PID} + + # Test TLS 1.0 with RSA ciphersuite + echo "${PREFIX}Checking TLS 1.0 with RSA and AES-128-CBC..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-128-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \ + fail ${PID} "Failed" + + echo "${PREFIX}Checking TLS 1.0 with RSA and AES-256-CBC..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-256-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \ + fail ${PID} "Failed" + + # Test TLS 1.0 with DHE-RSA ciphersuite + echo "${PREFIX}Checking TLS 1.0 with DHE-RSA..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \ + fail ${PID} "Failed" + + echo "${PREFIX}Checking TLS 1.2 with RSA and AES-128-CBC..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-128-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \ + fail ${PID} "Failed" + + echo "${PREFIX}Checking TLS 1.2 with RSA and AES-256-CBC..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-256-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \ + fail ${PID} "Failed" + + echo "${PREFIX}Checking TLS 1.2 with DHE-RSA..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \ + fail ${PID} "Failed" + + echo "${PREFIX}Checking TLS 1.2 with RSA, AES-CBC and long packet..." + head -c 16384 /dev/zero|tr \\0 a >${TMPFILE} + echo >>${TMPFILE} + ${VALGRIND} "${CLI}" -d 6 ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-128-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" <${TMPFILE} >/dev/null || + fail ${PID} "Failed" + + kill ${PID} + wait +} + +run_client_suite + +echo_cmd "${PREFIX}Client mode tests were successfully completed" +echo_cmd "${PREFIX}" +echo_cmd "${PREFIX}###############################################" +echo_cmd "${PREFIX}# Server mode tests (new server-old cli) #" +echo_cmd "${PREFIX}###############################################" +SERV="../../src/gnutls-serv${EXEEXT} -q" +CLI=/usr/local/OLDGNUTLS/usr/bin/gnutls-cli + +run_server_suite() { + ADD=$1 + PREFIX="" + if ! test -z "${ADD}"; then + PREFIX="$(echo $ADD|sed 's/://g'): " + fi + + eval "${GETPORT}" + launch_server $$ --priority "NORMAL${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}" + PID=$! + wait_server ${PID} + + echo "${PREFIX}Checking TLS 1.0 with RSA and AES-128-CBC..." + LD_LIBRARY_PATH=$LDPATH "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-128-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \ + fail ${PID} "Failed" + + echo "${PREFIX}Checking TLS 1.0 with RSA and AES-256-CBC..." + LD_LIBRARY_PATH=$LDPATH "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-256-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \ + fail ${PID} "Failed" + + echo "${PREFIX}Checking TLS 1.0 with DHE-RSA..." + LD_LIBRARY_PATH=$LDPATH "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \ + fail ${PID} "Failed" + + echo "${PREFIX}Checking TLS 1.2 with RSA and AES-128-CBC..." + LD_LIBRARY_PATH=$LDPATH "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-128-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \ + fail ${PID} "Failed" + + echo "${PREFIX}Checking TLS 1.2 with RSA and AES-256-CBC..." + LD_LIBRARY_PATH=$LDPATH "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-256-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \ + fail ${PID} "Failed" + + echo "${PREFIX}Checking TLS 1.2 with DHE-RSA..." + LD_LIBRARY_PATH=$LDPATH "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \ + fail ${PID} "Failed" + + echo "${PREFIX}Checking TLS 1.2 with RSA, AES-CBC and long packet..." + head -c 16384 /dev/zero|tr \\0 a >${TMPFILE} + echo >>${TMPFILE} + LD_LIBRARY_PATH=$LDPATH "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-128-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" <${TMPFILE} >/dev/null || \ + fail ${PID} "Failed" + + kill ${PID} + wait + +} + +run_server_suite + +rm -f ${TMPFILE} + +exit 0 |