-rw-r--r--.github/workflows/macos.yml43
-rw-r--r--.gitignore3
-rw-r--r--.gitlab-ci.yml1460
-rw-r--r--.travis.yml49
-rw-r--r--NEWS56
-rw-r--r--README.md2
-rwxr-xr-xbootstrap32
-rw-r--r--bootstrap.conf52
-rw-r--r--configure.ac23
m---------devel/openssl0
-rw-r--r--doc/cha-gtls-app.texi172
-rw-r--r--doc/gnutls.texi4
-rw-r--r--extra/Makefile.am3
-rw-r--r--fuzz/gnutls_handshake_client_fuzzer.c8
-rw-r--r--fuzz/gnutls_handshake_client_fuzzer.in/a3e993409526cd26a6a6f7599c7fef26acc93f6a3077eddef2b557161fbc778abin0 -> 374 bytes
-rw-r--r--fuzz/gnutls_handshake_server_fuzzer.c8
-rw-r--r--fuzz/gnutls_handshake_server_fuzzer.in/e42772ece86289ff9a1387235c19361d767d41ebbcdbbac22abac9b4435fda57bin0 -> 80 bytes
-rw-r--r--fuzz/handshake.h6
m---------gnulib0
-rw-r--r--lib/accelerated/aarch64/elf/aes-aarch64.s8
-rw-r--r--lib/accelerated/aarch64/elf/sha1-armv8.s2
-rw-r--r--lib/accelerated/aarch64/elf/sha256-armv8.s3
-rw-r--r--lib/accelerated/aarch64/elf/sha512-armv8.s4
-rw-r--r--lib/accelerated/aarch64/macosx/aes-aarch64.s8
-rw-r--r--lib/accelerated/aarch64/macosx/sha1-armv8.s2
-rw-r--r--lib/accelerated/aarch64/macosx/sha256-armv8.s4
-rw-r--r--lib/accelerated/aarch64/macosx/sha512-armv8.s5
-rw-r--r--lib/accelerated/x86/coff/aesni-gcm-x86_64.s4
-rw-r--r--lib/accelerated/x86/coff/aesni-x86_64.s18
-rw-r--r--lib/accelerated/x86/coff/sha1-ssse3-x86_64.s2
-rw-r--r--lib/accelerated/x86/coff/sha256-ssse3-x86_64.s18
-rw-r--r--lib/accelerated/x86/coff/sha512-ssse3-x86_64.s20
-rw-r--r--lib/accelerated/x86/elf/aesni-gcm-x86_64.s4
-rw-r--r--lib/accelerated/x86/elf/aesni-x86_64.s18
-rw-r--r--lib/accelerated/x86/elf/sha1-ssse3-x86_64.s2
-rw-r--r--lib/accelerated/x86/elf/sha256-ssse3-x86_64.s30
-rw-r--r--lib/accelerated/x86/elf/sha512-ssse3-x86_64.s28
-rw-r--r--lib/accelerated/x86/macosx/aesni-gcm-x86_64.s4
-rw-r--r--lib/accelerated/x86/macosx/aesni-x86_64.s18
-rw-r--r--lib/accelerated/x86/macosx/sha1-ssse3-x86_64.s2
-rw-r--r--lib/accelerated/x86/macosx/sha256-ssse3-x86_64.s30
-rw-r--r--lib/accelerated/x86/macosx/sha512-ssse3-x86_64.s28
-rw-r--r--lib/algorithms/ciphersuites.c2
-rw-r--r--lib/cert-cred-x509.c15
-rw-r--r--lib/cert-cred.c18
-rw-r--r--lib/cipher.c2
-rw-r--r--lib/constate.c4
-rw-r--r--lib/db.c2
-rw-r--r--lib/dtls.h4
-rw-r--r--lib/ext/pre_shared_key.c4
-rw-r--r--lib/ext/session_ticket.c4
-rw-r--r--lib/gnutls_int.h11
-rw-r--r--lib/handshake-tls13.c6
-rw-r--r--lib/handshake.c113
-rw-r--r--lib/kx.c2
-rw-r--r--lib/nettle/pk.c33
-rw-r--r--lib/priority.c26
-rw-r--r--lib/record.c6
-rw-r--r--lib/session.c2
-rw-r--r--lib/sslv2_compat.c4
-rw-r--r--lib/state.c17
-rw-r--r--lib/state.h4
-rw-r--r--lib/tls13/session_ticket.c2
-rw-r--r--lib/verify-tofu.c13
-rw-r--r--lib/x509/common.c8
-rw-r--r--lib/x509/verify-high.c157
-rw-r--r--lib/x509/x509_dn.c2
-rw-r--r--m4/hooks.m44
-rw-r--r--tests/Makefile.am29
-rw-r--r--tests/dh-compute.c14
-rw-r--r--tests/ecdh-compute.c4
-rwxr-xr-xtests/gnutls-cli-debug.sh4
-rw-r--r--tests/missingissuer.c2
-rw-r--r--tests/resume-with-previous-stek.c2
-rw-r--r--tests/resume-with-stek-expiration.c2
-rw-r--r--tests/suite/Makefile.am18
-rwxr-xr-xtests/suite/testcompat-main-openssl970
-rwxr-xr-xtests/suite/testcompat-main-polarssl449
-rwxr-xr-xtests/suite/testcompat-openssl-cli-common.sh512
-rwxr-xr-xtests/suite/testcompat-openssl-cli-compat.sh65
-rwxr-xr-xtests/suite/testcompat-openssl-cli-no-etm.sh65
-rwxr-xr-xtests/suite/testcompat-openssl-cli.sh (renamed from tests/suite/testcompat-openssl.sh)3
-rwxr-xr-xtests/suite/testcompat-openssl-serv-common.sh567
-rwxr-xr-xtests/suite/testcompat-openssl-serv-compat.sh65
-rwxr-xr-xtests/suite/testcompat-openssl-serv-no-etm.sh65
-rwxr-xr-xtests/suite/testcompat-openssl-serv-no-safe-renegotiation.sh65
-rwxr-xr-xtests/suite/testcompat-openssl-serv-no-tickets.sh65
-rwxr-xr-xtests/suite/testcompat-openssl-serv-safe-renegotiation.sh65
-rwxr-xr-xtests/suite/testcompat-openssl-serv.sh65
-rwxr-xr-xtests/suite/testcompat-openssl-tls13-cli.sh299
-rwxr-xr-xtests/suite/testcompat-openssl-tls13-serv.sh371
-rwxr-xr-xtests/suite/testcompat-polarssl-serv-common.sh432
-rwxr-xr-xtests/suite/testcompat-polarssl-serv-compat.sh59
-rwxr-xr-xtests/suite/testcompat-polarssl-serv-no-etm.sh59
-rwxr-xr-xtests/suite/testcompat-polarssl-serv.sh (renamed from tests/suite/testcompat-polarssl.sh)3
-rwxr-xr-xtests/suite/testcompat-tls13-openssl.sh608
-rw-r--r--tests/test-chains-issuer.h101
-rwxr-xr-xtests/testpkcs11.sh12
-rw-r--r--tests/tls13/hello_retry_request_resume.c318
-rw-r--r--tests/tls13/prf-early.c8
-rw-r--r--tests/tls13/prf.c8
-rw-r--r--tests/tlsext-decoding.c14
-rwxr-xr-xtests/tpmtool_test.sh37
103 files changed, 4845 insertions, 3228 deletions
diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml
new file mode 100644
index 0000000000..37928cc398
--- /dev/null
+++ b/.github/workflows/macos.yml
@@ -0,0 +1,43 @@
+name: MacOS CI
+on:
+ push:
+
+jobs:
+ build:
+ runs-on: macos-11.0
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ submodules: false
+ - name: install dependencies
+ run: |
+ brew update
+ for pkg in openssl autoconf automake autogen libtool nettle p11-kit libtasn1 gettext bison; do
+ brew install $pkg || true
+ done
+ for pkg in nettle wget p11-kit libtasn1; do
+ brew upgrade $pkg || true
+ done
+ - name: update path
+ run: |
+ echo /usr/local/opt/gettext/bin >>${GITHUB_PATH}
+ echo /usr/local/opt/bison/bin >>${GITHUB_PATH}
+ - name: bootstrap
+ run: ./bootstrap
+ - name: configure
+ run: |
+ CC=clang ./configure --disable-full-test-suite --disable-valgrind-tests --disable-doc --disable-guile --disable-dependency-tracking
+ - name: make
+ run: |
+ make -j$(sysctl -n hw.ncpu) || make -j$(sysctl -n hw.ncpu) V=1
+ - name: make check
+ run: |
+ make -j$(sysctl -n hw.ncpu) check gl_public_submodule_commit=
+ - name: show debug info
+ if: failure()
+ run: |
+ find . -name 'test-suite.log' -execdir grep -il "FAILED" {} \; -exec echo {} \; -exec cat {} \;
+ for i in $(ls tests/*.log fuzz/*.log); do
+ echo "" && echo $i && cat $i
+ done
+ cat config.log
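Review bot: The new workflow has no `permissions:` key and pulls `actions/checkout@v2` by a movable tag. Every push therefore runs `./bootstrap` and the build with the repository's default token scope and with whatever code that tag currently resolves to. Since the job only needs to read the tree, I would add `permissions: { contents: read }` at the top level and pin the action as `actions/checkout@<full-commit-sha>  # v2`. In the "install dependencies" step, `brew install $pkg || true` and `brew upgrade $pkg || true` discard failures, so a package that failed to install shows up only later, presumably as a configure error or a build against whatever version the runner image already had. Collecting the failed names and printing them at the end of the step would keep the best-effort behaviour while leaving a trace in the log.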
diff --git a/.gitignore b/.gitignore
index b721fee238..6981a7bf78 100644
--- a/.gitignore
+++ b/.gitignore
@@ -438,6 +438,7 @@ tests/handshake-large-cert
tests/handshake-large-packet
tests/handshake-timeout
tests/handshake-versions
+tests/handshake-write
tests/hex
tests/hostname-check
tests/hostname-check-utf8
@@ -583,6 +584,7 @@ tests/pkcs11-token-raw
tests/pkcs11/gnutls_pcert_list_import_x509_file
tests/pkcs11/gnutls_x509_crt_list_import_url
tests/pkcs11/list-objects
+tests/pkcs11/list-tokens
tests/pkcs11/pkcs11-chainverify
tests/pkcs11/pkcs11-combo
tests/pkcs11/pkcs11-ec-privkey-test
@@ -857,6 +859,7 @@ tests/tls13/change_cipher_spec
tests/tls13/cookie
tests/tls13/hello_random_value
tests/tls13/hello_retry_request
+tests/tls13/hello_retry_request_resume
tests/tls13/key_limits
tests/tls13/key_share
tests/tls13/key_update
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index f000f82944..98095b9cf8 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,819 +1,789 @@
stages:
- - stage1-testing
-
-# we utilize the images generated by the build-images project, to
-# speed up CI runs. We also use ccache and store config.cache
-# to speed up compilation. We include a version number in cache
-# name to allow expiration of old caches.
-
-cache:
- key: "$CI_JOB_NAME-ver18"
- paths:
- - cache/
-
-before_script:
- # CCache Config
- - mkdir -p cache
- - export CCACHE_BASEDIR=${PWD}
- - export CCACHE_DIR=${PWD}/cache
- - export CC="ccache gcc"
-
-# With just one virtual core, parallel builds only make sense when
-# I/O wait is involved. If too many parallel builds are used, the overall
-# time even increases (e.g. due to more cache misses).
-# $BUILDJOBS seems to be best with $(nproc)+1, while $CHECKJOBS can be much
-# higher because several tests have a large I/O waiting time.
-# The numbers are hard-coded since FreeBSD doesn't know the nproc command.
- - export BUILDJOBS=2
- - export CHECKJOBS=16
-
-after_script:
- # somehow after_script looses environment
- - export CCACHE_BASEDIR=${PWD}
- - export CCACHE_DIR=${PWD}/cache
- - ccache -s
+ - build
+ - test
+ - archive
variables:
+ # we utilize the images generated by the build-images project, to
+ # speed up CI runs. We also use ccache and store config.cache
+ # to speed up compilation. We include a version number in cache
+ # name to allow expiration of old caches.
BUILD_IMAGES_PROJECT: gnutls/build-images
DEBIAN_BUILD: buildenv-debian-testing
DEBIAN_CROSS_BUILD: buildenv-debian-cross-testing
DEBIAN_X86_CROSS_BUILD: buildenv-debian-x86-cross
- FEDORA28_BUILD: buildenv-f28
FEDORA_BUILD: buildenv-fedora33
MINGW_BUILD: buildenv-mingw-fedora33
ALPINE_BASE_BUILD: buildenv-alpine-base-nettle36
+ COMPILER: gcc
CPPCHECK_OPTIONS: "--enable=warning --enable=style --enable=performance --enable=portability --std=c99 --suppressions-list=devel/cppcheck.suppressions --template='{id}:{file}:{line},{severity},{message}'"
GET_SOURCES_ATTEMPTS: "3"
+ # With just one virtual core, parallel builds only make sense when
+ # I/O wait is involved. If too many parallel builds are used, the overall
+ # time even increases (e.g. due to more cache misses).
+ # $BUILDJOBS seems to be best with $(nproc)+1, while $CHECKJOBS can be much
+ # higher because several tests have a large I/O waiting time.
+ # The numbers are hard-coded for the platforms without the nproc command.
+ BUILDJOBS: 2
+ CHECKJOBS: 16
-##################################################
-# Stage 1, documentation, and advanced checks
-##################################################
+cache:
+ key: "$CI_JOB_NAME-ver20"
+ paths:
+ - cache/
-commit-check:
- stage: stage1-testing
- image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$ALPINE_BASE_BUILD
+.prepare-ccache: &prepare-ccache
+ # CCache Config
+ - mkdir -p cache
+ - export CCACHE_BASEDIR=${PWD}
+ - export CCACHE_DIR=${PWD}/cache
+ - export CCACHE_FILE=${CCACHE_DIR}/config.cache
+ - export CC="ccache $COMPILER"
+
+default:
before_script:
- - /bin/true
- after_script:
- - /bin/true
- except:
- - master@gnutls/gnutls
- cache:
- # do not load cache files
- key: none
- policy: pull
- script:
- # we want $ALPINE_BASE_BUILD without git, so add it here
- - apk add git bash
- - devel/check_if_signed
- retry: 0
+ - *prepare-ccache
-doc-dist.Fedora:
- stage: stage1-testing
- image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
- script:
- - SUBMODULE_NOFETCH=1 ./bootstrap
- - GUILE=/usr/bin/guile2.2
- - GUILD=/usr/bin/guild2.2
- - guile_snarf=/usr/bin/guile-snarf2.2
- - export GUILE GUILD guile_snarf
- - CFLAGS="-std=c99 -O2 -g" dash ./configure --disable-gcc-warnings --cache-file cache/config.cache --prefix=/usr --libdir=/usr/lib64 --disable-cxx --disable-non-suiteb-curves --enable-gtk-doc --disable-maintainer-mode
- - make -j$BUILDJOBS -C doc stamp-vti
- - make -j$BUILDJOBS -C doc stamp-1
- - make -j$BUILDJOBS -C doc stamp_enums
- - make -j$BUILDJOBS
- - make -j$BUILDJOBS -C doc gnutls.html
- - make -j$BUILDJOBS -C doc/latex gnutls.pdf
- - DB2EPUBDIR=$(dirname $(find /usr/share/sgml/docbook/xsl-ns-stylesheets-*/epub/bin/ -name dbtoepub -print))
- - PATH="$PATH:$DB2EPUBDIR" make -C doc gnutls.epub
-# check whether distribution with or without included libopts is ok
- - make -j$CHECKJOBS distcheck DISTCHECK_CONFIGURE_FLAGS="--enable-local-libopts --disable-tests"
- - make -j$CHECKJOBS distcheck
- tags:
- - shared
- - linux
- except:
- - tags
- retry: 1
+ after_script:
+ # after_script is executed in separate shell
+ - *prepare-ccache
+ - ccache -s
-abi/coverage:
- stage: stage1-testing
- image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
- script:
- - SUBMODULE_NOFETCH=1 ./bootstrap
- - GUILE=/usr/bin/guile2.2
- - GUILD=/usr/bin/guild2.2
- - guile_snarf=/usr/bin/guile-snarf2.2
- - export GUILE GUILD guile_snarf
- - CFLAGS="-g -Og" dash ./configure --disable-gcc-warnings --cache-file cache/config.cache --prefix=/usr --libdir=/usr/lib64 --enable-code-coverage --disable-maintainer-mode --disable-doc
- - make -j$BUILDJOBS
- - make abi-check
- - make pic-check
- - make -j$CHECKJOBS check
- - make local-code-coverage-output || true
- - if objdump -R lib/.libs/libgnutls.so | grep INTERNAL ; then false ; fi
+.build:
+ stage: build
tags:
- - shared
- - linux
+ - shared
+ - linux
except:
- - tags
+ - tags # TODO
artifacts:
- expire_in: 1 week
- when: on_failure
+ expire_in: 1 day
+ #when: on_failure
paths:
- - ./*.xml
- - ./gnutls-prev-abi.tmp/
- - compat_reports/
- - ./*.log
- - tests/*.log
- - tests/*/*.log
- - tests/suite/*/*.log
- - guile/tests/*.log
- retry: 1
-
-minimal.Fedora.x86_64:
- stage: stage1-testing
- image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
+ - ./
+ exclude:
+ - .git/ # passing forward .git causes warnings and possibly problems
+ - ./**/.git/ # passing forward .git causes warnings and possibly problems
+ - ./**/*.c
+ - ./**/*.h
+ - ./**/*.o
+
+.test:
+ stage: test
script:
- - echo "No tools build"
- - ./bootstrap
- - dash ./configure --cache-file cache/config.cache --disable-gcc-warnings --disable-full-test-suite --disable-doc --disable-guile --disable-tools --enable-tests
- - make -j$BUILDJOBS
- - make -j$CHECKJOBS check
- - echo "Minimal build"
- - dnf remove -y libunistring-devel libtasn1-devel libidn-devel
- - dash ./configure --cache-file cache/config.cache --with-included-libtasn1
- --disable-doc --disable-dtls-srtp-support --disable-alpn-support --disable-tests
- --disable-heartbeat-support --disable-srp-authentication --disable-psk-authentication
- --disable-anon-authentication --disable-dhe --disable-ecdhe
- --disable-ocsp --disable-non-suiteb-curves --with-included-unistring
- --disable-nls --disable-libdane --without-p11-kit --without-tpm
- --disable-ssl3-support --disable-ssl2-support --disable-doc --enable-openssl-compatibility
- --disable-gcc-warnings --with-system-priority-file=""
- --disable-gost
- --disable-guile
- - make clean
- - make -j$BUILDJOBS
- - make -j$CHECKJOBS check
+ - make -j$CHECKJOBS check
tags:
- - shared
- - linux
+ - shared
+ - linux
except:
- - tags
+ - tags # TODO
artifacts:
expire_in: 1 week
when: on_failure
paths:
- ./*.log
- - fuzz/*.log
- - tests/*.log
- - tests/*/*.log
- - tests/suite/*/*.log
- retry: 1
-
-# This enables SSL3.0 and SHA-1 support, and runs interop tests
-# with openssl 1.1.0, which include legacy algorithms like DSA.
-SSL-3.0.Fedora.x86_64:
- stage: stage1-testing
+ - ./**/*.log
+
+.fedora:
image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
- script:
- - update-crypto-policies --set LEGACY
- - ./bootstrap
- - mkdir -p build
- - cd build
- - dash ../configure --disable-tls13-interop --disable-gcc-warnings --cache-file ../cache/config.cache --enable-sha1-support --enable-ssl3-support --enable-seccomp-tests --disable-doc --disable-guile --disable-strict-der-time
- - make -j$BUILDJOBS
- - make -j$CHECKJOBS check
- - cd ..
- tags:
- - shared
- - linux
+
+.fedora-nettle:
+ extends:
+ - .fedora
+ variables:
+ COMPILER: clang
+ NETTLE_DIR: nettle
+
+.debian:
+ image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$DEBIAN_BUILD
+
+.debian-cross-i686:
+ image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$DEBIAN_X86_CROSS_BUILD
+
+.debian-cross-other:
+ image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$DEBIAN_CROSS_BUILD
+
+.mingw:
+ image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$MINGW_BUILD
+ variables:
+ COMPILER: "${arch_name}-w64-mingw32-gcc"
+ CFLAGS: "-fstack-protector"
+ CXXFLAGS: "-fstack-protector"
+ LDFLAGS: "-fstack-protector"
+ WINEPATH: "/usr/${arch_name}-w64-mingw32/sys-root/mingw/bin"
+ before_script:
+ - *prepare-ccache
+ - mount -t binfmt_misc binfmt_misc /proc/sys/fs/binfmt_misc
+ - echo ':DOSWin:M::MZ::/usr/bin/wine:' > /proc/sys/fs/binfmt_misc/register
+
+.mingw-vista:
+ variables:
+ # Target Vista instead of XP, currently the default in mingw
+ CPPFLAGS: "-D_WIN32_WINNT=0x600"
+
+.mingw32:
+ extends:
+ - .mingw
+ variables:
+ arch_bits: 32
+ arch_name: i686
+
+.mingw64:
+ extends:
+ - .mingw
+ variables:
+ arch_bits: 64
+ arch_name: x86_64
+
+##############################################################################
+############# Standalone checks without dependencies #########################
+##############################################################################
+
+commit-check:
+ stage: test
+ image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$ALPINE_BASE_BUILD
+ needs: [] # can be run immediately
+ before_script: []
+ after_script: []
except:
- - tags
- artifacts:
- expire_in: 1 week
- when: on_failure
- paths:
- - build/guile/tests/*.log
- - build/tests/*.log
- - build/*.log
- - build/tests/*/*.log
- - build/tests/suite/*/*.log
- retry: 1
-
-FIPS140-2.Fedora.x86_64:
- stage: stage1-testing
- image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
+ - master@gnutls/gnutls
+ cache: {}
script:
- - ./bootstrap
- - mkdir -p build
- - cd build
- - dash ../configure --disable-gcc-warnings --cache-file ../cache/config.cache --disable-non-suiteb-curves --enable-fips140-mode --disable-doc --disable-full-test-suite --disable-guile
- - make -j$BUILDJOBS
- - make -j$CHECKJOBS check
- - mkdir -p lib/.libs/fipscheck
- - |
- for i in lib/.libs/libgnutls.so*; do
- openssl sha256 -hmac orboDeJITITejsirpADONivirpUkvarP -hex $i | cut -f 2 -d ' ' > lib/.libs/fipscheck/$(basename $i).hmac
- done
- - GNUTLS_FORCE_FIPS_MODE=1 make -j$CHECKJOBS check
- - cd ..
- tags:
- - shared
- - linux
- except:
- - tags
- artifacts:
- expire_in: 1 week
- when: on_failure
- paths:
- - build/guile/tests/*.log
- - build/tests/*.log
- - build/tests/*/*.log
- retry: 1
+ # we want $ALPINE_BASE_BUILD without git, so we are adding it here
+ - apk add git bash
+ - devel/check_if_signed
+ retry: 0
-valgrind.Fedora.x86_64:
- stage: stage1-testing
- image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
+doc-dist.Fedora:
+ extends:
+ - .test
+ - .fedora
+ needs: [] # can be run immediately
script:
- - ./bootstrap
-# gcc in fedora31 inlines strcmp in a way that causes valgrind errors
- - CFLAGS="-O2 -g -fno-builtin-strcmp" ./configure --disable-gcc-warnings --disable-doc --cache-file cache/config.cache --disable-guile --disable-full-test-suite --enable-valgrind-tests
- - make -j$BUILDJOBS
- - make -j$CHECKJOBS check
- tags:
- - shared
- - linux
- except:
- - tags
- artifacts:
- expire_in: 1 week
- when: on_failure
- paths:
- - ./*.log
- - tests/*.log
- - tests/*/*.log
- retry: 1
+ - SUBMODULE_NOFETCH=1 ./bootstrap
+ - GUILE=/usr/bin/guile2.2
+ - GUILD=/usr/bin/guild2.2
+ - guile_snarf=/usr/bin/guile-snarf2.2
+ - export GUILE GUILD guile_snarf
+ - CFLAGS="-std=c99 -O2 -g" dash ./configure --disable-gcc-warnings --cache-file $CCACHE_FILE --prefix=/usr --libdir=/usr/lib64 --disable-cxx --disable-non-suiteb-curves --enable-gtk-doc --disable-maintainer-mode
+ - make -j$BUILDJOBS -C doc stamp-vti
+ - make -j$BUILDJOBS -C doc stamp-1
+ - make -j$BUILDJOBS -C doc stamp_enums
+ - make -j$BUILDJOBS
+ - make -j$BUILDJOBS -C doc gnutls.html
+ - make -j$BUILDJOBS -C doc/latex gnutls.pdf
+ - DB2EPUBDIR=$(dirname $(find /usr/share/sgml/docbook/xsl-ns-stylesheets-*/epub/bin/ -name dbtoepub -print))
+ - PATH="$PATH:$DB2EPUBDIR" make -C doc gnutls.epub
+ # check whether distribution with or without included libopts is ok
+ - make -j$CHECKJOBS distcheck DISTCHECK_CONFIGURE_FLAGS="--enable-local-libopts --disable-tests"
+ - make -j$CHECKJOBS distcheck
-threadsan.Fedora.x86_64:
- stage: stage1-testing
- image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
+
+# Two runs, one with normal backend and another with pkcs11 trust store
+UB+ASAN-Werror.Fedora.x86_64.gcc:
+ extends:
+ - .test
+ - .fedora
+ needs: [] # builds own artifacts, no need to wait
script:
- - ./bootstrap
- - CFLAGS="-fsanitize=thread -g -O2" CXXFLAGS=$CFLAGS
- dash ./configure --disable-gcc-warnings --disable-doc --cache-file cache/config.cache --disable-non-suiteb-curves --disable-guile --enable-fips140-mode --disable-full-test-suite
- - make -j$BUILDJOBS
- - make -j$CHECKJOBS -C tests check SUBDIRS=. TESTS="tls-pthread dtls-pthread fips-mode-pthread rng-pthread" TSAN_OPTIONS="suppressions=$(pwd)/devel/tsan.supp" GNUTLS_SKIP_FIPS_INTEGRITY_CHECKS=1 GNUTLS_FORCE_FIPS_MODE=1
+ - ./bootstrap
+ - export UBSAN_OPTIONS=print_stacktrace=1
+ - export LSAN_OPTIONS=suppressions=$(pwd)/devel/lsan.supp
+ - export CFLAGS="-std=c99 -O1 -g -Wno-cpp -Werror -fno-omit-frame-pointer -fsanitize=undefined,bool,alignment,null,enum,bounds-strict,address,leak,nonnull-attribute -fno-sanitize-recover=all -fsanitize-address-use-after-scope"
+ - export CXXFLAGS="$CFLAGS"
+ - dash ./configure --cache-file $CCACHE_FILE --disable-guile --disable-doc --disable-hardware-acceleration
+ - sed -i 's/-Werror/-Wno-parentheses -Werror/g' src/Makefile
+ - make -j$BUILDJOBS
+ # Use $BUILDJOBS since the fuzzers should use mainly CPU (no blocking I/O)
+ - make -j$BUILDJOBS check -C fuzz
+ - make -j$BUILDJOBS check -C fuzz GNUTLS_CPUID_OVERRIDE=0x1
+ - make -j$BUILDJOBS check -C fuzz GNUTLS_CPUID_OVERRIDE=0x2
+ - make -j$BUILDJOBS check -C fuzz GNUTLS_CPUID_OVERRIDE=0x4
+ - make -j$BUILDJOBS check -C fuzz GNUTLS_CPUID_OVERRIDE=0x8
+ - make -j$BUILDJOBS check -C fuzz GNUTLS_CPUID_OVERRIDE=0x20
+ - make -j$CHECKJOBS check -C tests
+ - dash ./configure --cache-file $CCACHE_FILE --disable-guile --disable-doc --disable-hardware-acceleration --with-default-trust-store-pkcs11="pkcs11:" --with-system-priority-file=/etc/crypto-policies/back-ends/gnutls.config --with-default-priority-string=@SYSTEM
+ - make clean
+ - sed -i 's/-Werror/-Wno-parentheses -Werror/g' src/Makefile
+ - make -j$BUILDJOBS
+ # Use $BUILDJOBS since most of the job is building all tests, then just running 4 tests
+ - make -j$BUILDJOBS check -C tests TESTS="trust-store p11-kit-load.sh priority-init2 set-default-prio" SUBDIRS=.
tags:
- - shared
- - linux
+ - shared
+ - linux
except:
- - tags
- artifacts:
- expire_in: 1 week
- when: on_failure
- paths:
- - ./*.log
- - fuzz/*.log
- - tests/*.log
- - tests/*/*.log
- - tests/suite/*/*.log
- retry: 1
-
-static-analyzers.Fedora.x86_64:
- stage: stage1-testing
- image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
- before_script:
- - /bin/true
+ - tags
+##############################################################################
+########################### Fedora pipelines #################################
+##############################################################################
+
+fedora-notools/build:
+ extends:
+ - .build
+ - .fedora
script:
- - ./bootstrap
- - scan-build ./configure --cache-file cache/config.cache --disable-doc --disable-guile --enable-fips140-mode
- - make -j$BUILDJOBS syntax-check gnulib_dir=$GNULIB_SRCDIR
- - make -j$BUILDJOBS -C gl
- - scan-build --status-bugs -o scan-build-lib make -j$BUILDJOBS -C lib
- - scan-build --status-bugs -o scan-build-lib make -j$BUILDJOBS -C libdane
- - make -j$BUILDJOBS -C src/gl
- - scan-build --status-bugs -o scan-build-lib make -j$BUILDJOBS -C src
- - cppcheck --force -q -Ilib/include -Igl/ -Ilib/ -I. --error-exitcode=1 lib/ -i lib/unistring -i lib/minitasn1 -i lib/nettle/backport -i lib/nettle/ecc -j2 $CPPCHECK_OPTIONS
- - cppcheck --force -q -Ilib/include -Igl/ -Ilibdane/ -I. --error-exitcode=1 libdane/ -j2 $CPPCHECK_OPTIONS
- after_script:
- - /bin/true
- tags:
- - shared
- - linux
- except:
- - tags
- artifacts:
- expire_in: 1 week
- when: on_failure
- paths:
- - ./*.log
- - scan-build-lib/*
- - scan-build-libdane/*
- retry: 1
+ - ./bootstrap
+ - dash ./configure --cache-file $CCACHE_FILE --disable-gcc-warnings --disable-full-test-suite --disable-doc --disable-guile --disable-tools --enable-tests
+ - make -j$BUILDJOBS
+ # build tests, but don't execute them
+ - make -j$BUILDJOBS check TESTS=""
-MinGW32.DLLs:
- stage: stage1-testing
- image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$MINGW_BUILD
+fedora-notools/test:
+ extends:
+ - .test
+ - .fedora
+ dependencies:
+ - fedora-notools/build
+ needs:
+ - fedora-notools/build
+
+fedora-minimal/build:
+ extends:
+ - .build
+ - .fedora
script:
- - mount -t binfmt_misc binfmt_misc /proc/sys/fs/binfmt_misc
- - echo ':DOSWin:M::MZ::/usr/bin/wine:' > /proc/sys/fs/binfmt_misc/register
- - ./bootstrap
- - export CC="ccache i686-w64-mingw32-gcc"
- - export CFLAGS="-fstack-protector"
- - export CXXFLAGS="-fstack-protector"
- - export LDFLAGS="-fstack-protector"
- - export WINEPATH=/usr/i686-w64-mingw32/sys-root/mingw/bin
- - dash ./configure --disable-gcc-warnings --host=i686-w64-mingw32 --target=i686-w64-mingw32 --cache-file cache/config.cache --with-included-libtasn1 --disable-nls --disable-guile --with-included-unistring --enable-local-libopts --disable-non-suiteb-curves --disable-full-test-suite --disable-doc
- - mingw32-make -j$BUILDJOBS
- - mingw32-make -j$BUILDJOBS -C tests check
-# Combine generated apps and DLLs.
-#libwinpthread is required by libgcc
-#libffi is required by libp11-kit
- - mkdir -p win32-build/bin win32-build/lib/includes
- - cp lib/.libs/*.dll src/.libs/*.exe win32-build/bin
- - i686-w64-mingw32-strip --strip-unneeded win32-build/bin/*.dll
- - i686-w64-mingw32-strip win32-build/bin/*.exe
- - cp /usr/i686-w64-mingw32/sys-root/mingw/bin/libp11-*.dll win32-build/bin
- - cp /usr/i686-w64-mingw32/sys-root/mingw/bin/libnettle-*.dll win32-build/bin
- - cp /usr/i686-w64-mingw32/sys-root/mingw/bin/libhogweed-*.dll win32-build/bin
- - cp /usr/i686-w64-mingw32/sys-root/mingw/bin/libgmp-*.dll win32-build/bin
- - cp /usr/i686-w64-mingw32/sys-root/mingw/bin/libgcc*.dll win32-build/bin
- - cp /usr/i686-w64-mingw32/sys-root/mingw/bin/libwinpthread*.dll win32-build/bin
- - cp /usr/i686-w64-mingw32/sys-root/mingw/bin/libidn2-*.dll win32-build/bin
- - cp /usr/i686-w64-mingw32/sys-root/mingw/bin/libffi-*.dll win32-build/bin
- - cp lib/.libs/*.a lib/*.def lib/gnutls.pc win32-build/lib
- - cp lib/includes/gnutls/*.h win32-build/lib/includes
- tags:
- - shared
- - docker
- - linux
- only:
- - tags
- artifacts:
- name: "${CI_PROJECT_NAME}-${CI_JOB_NAME}-${CI_COMMIT_REF_NAME}"
- paths:
- - win32-build/
- retry: 1
+ - ./bootstrap
+ - dnf remove -y libunistring-devel libtasn1-devel libidn-devel
+ - dash ./configure --cache-file $CCACHE_FILE --with-included-libtasn1
+ --disable-doc --disable-dtls-srtp-support --disable-alpn-support --disable-tests
+ --disable-heartbeat-support --disable-srp-authentication --disable-psk-authentication
+ --disable-anon-authentication --disable-dhe --disable-ecdhe
+ --disable-ocsp --disable-non-suiteb-curves --with-included-unistring
+ --disable-nls --disable-libdane --without-p11-kit --without-tpm
+ --disable-ssl3-support --disable-ssl2-support --disable-doc --enable-openssl-compatibility
+ --disable-gcc-warnings --with-system-priority-file=""
+ --disable-gost
+ --disable-guile
+ - make -j$BUILDJOBS
+ # build tests, but don't execute them
+ - make -j$BUILDJOBS check TESTS=""
-MinGW64.DLLs:
- stage: stage1-testing
- image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$MINGW_BUILD
+fedora-minimal/test:
+ extends:
+ - .test
+ - .fedora
+ dependencies:
+ - fedora-minimal/build
+ needs:
+ - fedora-minimal/build
+
+fedora-SSL-3.0/build:
+ extends:
+ - .build
+ - .fedora
script:
- - mount -t binfmt_misc binfmt_misc /proc/sys/fs/binfmt_misc
- - echo ':DOSWin:M::MZ::/usr/bin/wine:' > /proc/sys/fs/binfmt_misc/register
- - ./bootstrap
- - export CC="ccache x86_64-w64-mingw32-gcc"
- - export CFLAGS="-fstack-protector"
- - export CXXFLAGS="-fstack-protector"
- - export LDFLAGS="-fstack-protector"
- - export WINEPATH=/usr/x86_64-w64-mingw32/sys-root/mingw/bin
- - dash ./configure --disable-gcc-warnings --host=x86_64-w64-mingw32 --target=x86_64-w64-mingw32 --cache-file cache/config.cache --with-included-libtasn1 --disable-guile --disable-nls --with-included-unistring --enable-local-libopts --disable-non-suiteb-curves --disable-full-test-suite --disable-doc
- - mingw64-make -j$BUILDJOBS
- - mingw64-make -j$BUILDJOBS -C tests check
-# Combine generated apps and DLLs.
-#libwinpthread is required by libgcc
-#libffi is required by libp11-kit
- - mkdir -p win64-build/bin win64-build/lib/includes
- - cp lib/.libs/*.dll src/.libs/*.exe win64-build/bin
- - x86_64-w64-mingw32-strip --strip-unneeded win64-build/bin/*.dll
- - x86_64-w64-mingw32-strip win64-build/bin/*.exe
- - cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libp11-*.dll win64-build/bin
- - cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libnettle-*.dll win64-build/bin
- - cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libhogweed-*.dll win64-build/bin
- - cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libgmp-*.dll win64-build/bin
- - cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libgcc*.dll win64-build/bin
- - cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libwinpthread*.dll win64-build/bin
- - cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libidn2-*.dll win64-build/bin
- - cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libffi-*.dll win64-build/bin
- - cp lib/.libs/*.a lib/*.def lib/gnutls.pc win64-build/lib
- - cp lib/includes/gnutls/*.h win64-build/lib/includes
- tags:
- - shared
- - docker
- - linux
- only:
- - tags
- artifacts:
- name: "${CI_PROJECT_NAME}-${CI_JOB_NAME}-${CI_COMMIT_REF_NAME}"
- paths:
- - win64-build/
- retry: 1
+ - update-crypto-policies --set LEGACY
+ - ./bootstrap
+ - dash ./configure --disable-tls13-interop --disable-gcc-warnings --cache-file $CCACHE_FILE --enable-sha1-support --enable-ssl3-support --enable-seccomp-tests --disable-doc --disable-guile --disable-strict-der-time
+ - make -j$BUILDJOBS
+ # build tests, but don't execute them
+ - make -j$BUILDJOBS check TESTS=""
-MinGW64.DLLs.Vista+:
- stage: stage1-testing
- image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$MINGW_BUILD
+fedora-SSL-3.0/test:
+ extends:
+ - .test
+ - .fedora
+ dependencies:
+ - fedora-SSL-3.0/build
+ needs:
+ - fedora-SSL-3.0/build
+
+fedora-FIPS140-2/build:
+ extends:
+ - .build
+ - .fedora
script:
- - mount -t binfmt_misc binfmt_misc /proc/sys/fs/binfmt_misc
- - echo ':DOSWin:M::MZ::/usr/bin/wine:' > /proc/sys/fs/binfmt_misc/register
- - ./bootstrap
- - export CC="ccache x86_64-w64-mingw32-gcc"
- - export CFLAGS="-fstack-protector"
- - export CXXFLAGS="-fstack-protector"
- - export LDFLAGS="-fstack-protector"
- # Target Vista instead of XP, currently the default in mingw
- - export CPPFLAGS="-D_WIN32_WINNT=0x600"
- - export WINEPATH=/usr/x86_64-w64-mingw32/sys-root/mingw/bin
- - dash ./configure --disable-gcc-warnings --host=x86_64-w64-mingw32 --target=x86_64-w64-mingw32 --cache-file cache/config.cache --with-included-libtasn1 --disable-guile --disable-nls --with-included-unistring --enable-local-libopts --disable-non-suiteb-curves --disable-full-test-suite --disable-doc
- - mingw64-make -j$BUILDJOBS
- - mingw64-make -j$BUILDJOBS -C tests check
-# Combine generated apps and DLLs.
-#libwinpthread is required by libgcc
-#libffi is required by libp11-kit
- - mkdir -p win64-build/bin win64-build/lib/includes
- - cp lib/.libs/*.dll src/.libs/*.exe win64-build/bin
- - x86_64-w64-mingw32-strip --strip-unneeded win64-build/bin/*.dll
- - x86_64-w64-mingw32-strip win64-build/bin/*.exe
- - cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libp11-*.dll win64-build/bin
- - cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libnettle-*.dll win64-build/bin
- - cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libhogweed-*.dll win64-build/bin
- - cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libgmp-*.dll win64-build/bin
- - cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libgcc*.dll win64-build/bin
- - cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libwinpthread*.dll win64-build/bin
- - cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libidn2-*.dll win64-build/bin
- - cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libffi-*.dll win64-build/bin
- - cp lib/.libs/*.a lib/*.def lib/gnutls.pc win64-build/lib
- - cp lib/includes/gnutls/*.h win64-build/lib/includes
- tags:
- - shared
- - docker
- - linux
- only:
- - tags
- artifacts:
- name: "${CI_PROJECT_NAME}-${CI_JOB_NAME}-${CI_COMMIT_REF_NAME}"
- paths:
- - win64-build/
- retry: 1
+ - ./bootstrap
+ - dash ./configure --disable-gcc-warnings --cache-file $CCACHE_FILE --disable-non-suiteb-curves --enable-fips140-mode --disable-doc --disable-full-test-suite --disable-guile
+ - make -j$BUILDJOBS
+ - mkdir -p lib/.libs/fipscheck
+ - |
+ for i in lib/.libs/libgnutls.so*; do
+ openssl sha256 -hmac orboDeJITITejsirpADONivirpUkvarP -hex $i | cut -f 2 -d ' ' > lib/.libs/fipscheck/$(basename $i).hmac
+ done
+ # build tests, but don't execute them
+ - GNUTLS_FORCE_FIPS_MODE=1 make -j$BUILDJOBS check TESTS=""
-MinGW64.Vista+:
- stage: stage1-testing
- image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$MINGW_BUILD
+fedora-FIPS140-2/test:
+ extends:
+ - .test
+ - .fedora
+ dependencies:
+ - fedora-FIPS140-2/build
+ needs:
+ - fedora-FIPS140-2/build
script:
- - ./bootstrap
- - export CC="ccache x86_64-w64-mingw32-gcc"
- - export CFLAGS="-fstack-protector"
- - export CXXFLAGS="-fstack-protector"
- - export LDFLAGS="-fstack-protector"
- # Target Vista instead of XP, currently the default in mingw
- - export CPPFLAGS="-D_WIN32_WINNT=0x600"
- - export WINEPATH=/usr/x86_64-w64-mingw32/sys-root/mingw/bin
- - mount -t binfmt_misc binfmt_misc /proc/sys/fs/binfmt_misc
- - echo ':DOSWin:M::MZ::/usr/bin/wine64:' > /proc/sys/fs/binfmt_misc/register
- - mkdir -p build
- - cd build
- - dash ../configure --disable-gcc-warnings --host=x86_64-w64-mingw32 --target=x86_64-w64-mingw32 --cache-file ../cache/config.cache --with-included-libtasn1 --disable-guile --disable-nls --with-included-unistring --enable-local-libopts --disable-full-test-suite --disable-non-suiteb-curves --disable-doc
- # generate the certtool autogen file to check whether later compilation will modify it
- - mingw64-make -j$BUILDJOBS -C src certtool-args.c.bak
- - mingw64-make -j$BUILDJOBS
- - mingw64-make -j$CHECKJOBS -C tests check
- - cd ..
- # since we use --enable-local-libopts the generated files must equal the .bak
- - cmp build/src/certtool-args.c build/src/certtool-args.c.bak || false
- tags:
- - shared
- - docker
- - linux
- except:
- - tags
- artifacts:
- expire_in: 1 week
- when: on_failure
- paths:
- - build/*.log
- - build/tests/*.log
- - build/tests/*/*.log
- retry: 1
+ - GNUTLS_FORCE_FIPS_MODE=1 make -j$CHECKJOBS check
-MinGW64:
- stage: stage1-testing
- image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$MINGW_BUILD
+.fedora-nettle/build:
+ extends:
+ - .build
+ - .fedora-nettle
script:
- - ./bootstrap
- - export CC="ccache x86_64-w64-mingw32-gcc"
- - export CFLAGS="-fstack-protector"
- - export CXXFLAGS="-fstack-protector"
- - export LDFLAGS="-fstack-protector"
- - export WINEPATH=/usr/x86_64-w64-mingw32/sys-root/mingw/bin
- - mount -t binfmt_misc binfmt_misc /proc/sys/fs/binfmt_misc
- - echo ':DOSWin:M::MZ::/usr/bin/wine64:' > /proc/sys/fs/binfmt_misc/register
- - mkdir -p build
- - cd build
- - dash ../configure --disable-gcc-warnings --host=x86_64-w64-mingw32 --target=x86_64-w64-mingw32 --cache-file ../cache/config.cache --with-included-libtasn1 --disable-guile --disable-nls --with-included-unistring --enable-local-libopts --disable-full-test-suite --disable-non-suiteb-curves --disable-doc
- # generate the certtool autogen file to check whether later compilation will modify it
- - mingw64-make -j$BUILDJOBS -C src certtool-args.c.bak
- - mingw64-make -j$BUILDJOBS
- - mingw64-make -j$CHECKJOBS -C tests check
- - cd ..
- # since we use --enable-local-libopts the generated files must equal the .bak
- - cmp build/src/certtool-args.c build/src/certtool-args.c.bak || false
- tags:
- - shared
- - docker
- - linux
- except:
- - tags
- artifacts:
- expire_in: 1 week
- when: on_failure
- paths:
- - build/*.log
- - build/tests/*.log
- - build/tests/*/*.log
- retry: 1
+ - git clone --depth 1 --branch master https://gitlab.com/gnutls/nettle.git nettle-git
+ - pushd nettle-git
+ - ./.bootstrap
+ - ./configure --disable-documentation --prefix=${PWD}/$NETTLE_DIR $NETTLE_CONFIGURE_ARGS
+ - make -j$BUILDJOBS
+ - make -j$BUILDJOBS install
+ - popd
+ - SUBMODULE_NOFETCH=1 ./bootstrap
+ - PKG_CONFIG_PATH=${PWD}/$NETTLE_DIR/lib64/pkgconfig dash ./configure --disable-gcc-warnings --disable-doc --disable-guile
+ - make -j$BUILDJOBS
+ - make -j$BUILDJOBS check TESTS=""
-MinGW32:
- stage: stage1-testing
- image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$MINGW_BUILD
+.fedora-nettle/test:
+ extends:
+ - .test
+ - .fedora-nettle
script:
- - ./bootstrap
- - export CC="ccache i686-w64-mingw32-gcc"
- - export CFLAGS="-fstack-protector"
- - export CXXFLAGS="-fstack-protector"
- - export LDFLAGS="-fstack-protector"
- - export WINEPATH=/usr/i686-w64-mingw32/sys-root/mingw/bin
- - mount -t binfmt_misc binfmt_misc /proc/sys/fs/binfmt_misc
- - echo ':DOSWin:M::MZ::/usr/bin/wine:' > /proc/sys/fs/binfmt_misc/register
- - mkdir -p build
- - cd build
- - dash ../configure --disable-gcc-warnings --host=i686-w64-mingw32 --target=i686-w64-mingw32 --cache-file ../cache/config.cache --with-included-libtasn1 --disable-guile --disable-nls --with-included-unistring --enable-local-libopts --disable-full-test-suite --disable-non-suiteb-curves --disable-doc
- - mingw32-make -j$BUILDJOBS
- - mingw32-make -j$CHECKJOBS -C tests check
- - cd ..
- tags:
- - shared
- - docker
- - linux
- except:
- - tags
- artifacts:
- expire_in: 1 week
- when: on_failure
- paths:
- - build/*.log
- - build/tests/*.log
- - build/tests/*/*.log
- retry: 1
-
-# That is a specific runner that we cannot enable universally.
-# We restrict it to builds under the $BUILD_IMAGES_PROJECT project.
-FreeBSD.x86_64:
- stage: stage1-testing
- image:
+ - PKG_CONFIG_PATH=${PWD}/$NETTLE_DIR/lib64/pkgconfig LD_LIBRARY_PATH=${PWD}/$NETTLE_DIR/lib64 make -j$CHECKJOBS check
+
+fedora-nettle/build:
+ extends:
+ - .fedora-nettle/build
+ variables:
+ NETTLE_CONFIGURE_ARGS: ""
+
+fedora-nettle/test:
+ extends:
+ - .fedora-nettle/test
+ dependencies:
+ - fedora-nettle/build
+ needs:
+ - fedora-nettle/build
+
+fedora-nettle-minigmp/build:
+ extends:
+ - .fedora-nettle/build
+ variables:
+ NETTLE_CONFIGURE_ARGS: "--enable-mini-gmp"
+
+fedora-nettle-minigmp/test:
+ extends:
+ - .fedora-nettle/test
+ dependencies:
+ - fedora-nettle-minigmp/build
+ needs:
+ - fedora-nettle-minigmp/build
+
+fedora-valgrind/build:
+ extends:
+ - .build
+ - .fedora
script:
- - export CC="ccache clang"
- - git clone --depth 1 --branch master https://gitlab.com/gnutls/nettle.git nettle-git
- - export NETTLE_DIR=${PWD}/nettle
- - cd nettle-git
- - ./.bootstrap
- - ./configure --enable-mini-gmp --disable-documentation --disable-openssl --prefix=$NETTLE_DIR
- - gmake
- - gmake install
- - cd -
- - ./bootstrap
- - export LDFLAGS="-Wl,-rpath,$NETTLE_DIR/lib -L$NETTLE_DIR/lib -L/usr/local/lib"
- - export PKG_CONFIG_PATH=$NETTLE_DIR/lib/pkgconfig
- - export CPPFLAGS=`pkg-config hogweed --cflags-only-I`
- - export LD_LIBRARY_PATH=$NETTLE_DIR/lib
- - ./configure --disable-full-test-suite --cache-file cache/config.cache --disable-gcc-warnings --disable-guile --disable-doc --with-nettle-mini
- - gmake V=1 2>&1 | tee make.log
- - gmake check
- tags:
- - freebsd
- only:
- - branches@gnutls/gnutls
- except:
- - tags
- artifacts:
- expire_in: 1 week
- when: on_failure
- paths:
- - ./*.log
- - tests/*.log
- - tests/*/*.log
- retry: 1
+ - ./bootstrap
+ # gcc in fedora31 inlines strcmp in a way that causes valgrind errors
+ - CFLAGS="-O2 -g -fno-builtin-strcmp" ./configure --disable-gcc-warnings --disable-doc --cache-file $CCACHE_FILE --disable-guile --disable-full-test-suite --enable-valgrind-tests
+ - make -j$BUILDJOBS
+ - make -j$BUILDJOBS check TESTS=""
-# Two runs, one with normal backend and another with pkcs11 trust store
-UB+ASAN-Werror.Fedora.x86_64.gcc:
- stage: stage1-testing
- image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
+fedora-valgrind/test:
+ extends:
+ - .test
+ - .fedora
+ dependencies:
+ - fedora-valgrind/build
+ needs:
+ - fedora-valgrind/build
+ timeout: 2h
+
+fedora-threadsan/build:
+ extends:
+ - .build
+ - .fedora
script:
- - ./bootstrap
- - export UBSAN_OPTIONS=print_stacktrace=1
- - export LSAN_OPTIONS=suppressions=$(pwd)/devel/lsan.supp
- - export CFLAGS="-std=c99 -O1 -g -Wno-cpp -Werror -fno-omit-frame-pointer -fsanitize=undefined,bool,alignment,null,enum,bounds-strict,address,leak,nonnull-attribute -fno-sanitize-recover=all -fsanitize-address-use-after-scope"
- - export CXXFLAGS="$CFLAGS"
- - dash ./configure --cache-file cache/config.cache --disable-guile --disable-doc --disable-hardware-acceleration
- - sed -i 's/-Werror/-Wno-parentheses -Werror/g' src/Makefile
- - make -j$BUILDJOBS
- # Use $BUILDJOBS since the fuzzers should use mainly CPU (no blocking I/O)
- - make -j$BUILDJOBS check -C fuzz
- - make -j$BUILDJOBS check -C fuzz GNUTLS_CPUID_OVERRIDE=0x1
- - make -j$BUILDJOBS check -C fuzz GNUTLS_CPUID_OVERRIDE=0x2
- - make -j$BUILDJOBS check -C fuzz GNUTLS_CPUID_OVERRIDE=0x4
- - make -j$BUILDJOBS check -C fuzz GNUTLS_CPUID_OVERRIDE=0x8
- - make -j$BUILDJOBS check -C fuzz GNUTLS_CPUID_OVERRIDE=0x20
- - make -j$CHECKJOBS check -C tests
- - dash ./configure --cache-file cache/config.cache --disable-guile --disable-doc --disable-hardware-acceleration --with-default-trust-store-pkcs11="pkcs11:" --with-system-priority-file=/etc/crypto-policies/back-ends/gnutls.config --with-default-priority-string=@SYSTEM
- - make clean
- - sed -i 's/-Werror/-Wno-parentheses -Werror/g' src/Makefile
- - make -j$BUILDJOBS
- # Use $BUILDJOBS since most of the job is building all tests, then just running 4 tests
- - make -j$BUILDJOBS check -C tests TESTS="trust-store p11-kit-load.sh priority-init2 set-default-prio" SUBDIRS=.
+ - ./bootstrap
+ - CFLAGS="-fsanitize=thread -g -O2" CXXFLAGS=$CFLAGS
+ dash ./configure --disable-gcc-warnings --disable-doc --cache-file $CCACHE_FILE --disable-non-suiteb-curves --disable-guile --enable-fips140-mode --disable-full-test-suite
+ - make -j$BUILDJOBS
+ - make -j$BUILDJOBS -C tests check SUBDIRS=. TESTS="" TSAN_OPTIONS="suppressions=$(pwd)/devel/tsan.supp" GNUTLS_SKIP_FIPS_INTEGRITY_CHECKS=1 GNUTLS_FORCE_FIPS_MODE=1
+
+fedora-threadsan/test:
+ extends:
+ - .test
+ - .fedora
+ dependencies:
+ - fedora-threadsan/build
+ needs:
+ - fedora-threadsan/build
+ script:
+ - make -j$CHECKJOBS -C tests check SUBDIRS=. TESTS="tls-pthread dtls-pthread fips-mode-pthread rng-pthread" TSAN_OPTIONS="suppressions=$(pwd)/devel/tsan.supp" GNUTLS_SKIP_FIPS_INTEGRITY_CHECKS=1 GNUTLS_FORCE_FIPS_MODE=1
+
+fedora-static-analyzers/build:
+ extends:
+ - .build
+ - .fedora
+ #TODO originally, before_script was set to "/bin/true".. is there a reason not to create the cache?
+ script:
+ - ./bootstrap
+ - scan-build ./configure --cache-file $CCACHE_FILE --disable-doc --disable-guile --enable-fips140-mode
+ - make -j$BUILDJOBS syntax-check gnulib_dir=$GNULIB_SRCDIR
+ - make -j$BUILDJOBS -C gl
+ - scan-build --status-bugs -o scan-build-lib make -j$BUILDJOBS -C lib
+ - scan-build --status-bugs -o scan-build-lib make -j$BUILDJOBS -C libdane
+ - make -j$BUILDJOBS -C src/gl
+ - scan-build --status-bugs -o scan-build-lib make -j$BUILDJOBS -C src
+ #TODO originally, after_script was set to "/bin/true".. is there a reason not to create the cache?
+
+fedora-static-analyzers/test:
+ extends:
+ - .test
+ - .fedora
+ dependencies:
+ - fedora-static-analyzers/build
+ needs:
+ - fedora-static-analyzers/build
+ script:
+ - cppcheck --force -q -Ilib/include -Igl/ -Ilib/ -I. --error-exitcode=1 lib/ -i lib/unistring -i lib/minitasn1 -i lib/nettle/backport -i lib/nettle/ecc -j2 $CPPCHECK_OPTIONS
+ - cppcheck --force -q -Ilib/include -Igl/ -Ilibdane/ -I. --error-exitcode=1 libdane/ -j2 $CPPCHECK_OPTIONS
+
+# TODO this does not work, so we keep using old job doc-dist.Fedora
+# Keeping it here until I figure it out.
+#fedora-docdist/build:
+# extends:
+# - .build
+# - .fedora
+# script:
+# - SUBMODULE_NOFETCH=1 ./bootstrap
+# - GUILE=/usr/bin/guile2.2
+# - GUILD=/usr/bin/guild2.2
+# - guile_snarf=/usr/bin/guile-snarf2.2
+# - export GUILE GUILD guile_snarf
+# - CFLAGS="-std=c99 -O2 -g" dash ./configure --disable-gcc-warnings --cache-file $CCACHE_FILE --prefix=/usr --libdir=/usr/lib64 --disable-cxx --disable-non-suiteb-curves --enable-gtk-doc --disable-maintainer-mode
+# - make -j$BUILDJOBS -C doc stamp-vti
+# - make -j$BUILDJOBS -C doc stamp-1
+# - make -j$BUILDJOBS -C doc stamp_enums
+# - make -j$BUILDJOBS
+# - make -j$BUILDJOBS -C doc gnutls.html
+# - make -j$BUILDJOBS -C doc/latex gnutls.pdf
+# - DB2EPUBDIR=$(dirname $(find /usr/share/sgml/docbook/xsl-ns-stylesheets-*/epub/bin/ -name dbtoepub -print))
+# - PATH="$PATH:$DB2EPUBDIR" make -C doc gnutls.epub
+# # we don't throw away intermediate compilation results as /test job does some compiling, too
+# artifacts:
+# expire_in: 1 day
+# paths:
+# - ./
+# exclude:
+# - .git/ # passing forward .git causes warnings and possibly problems
+# - ./**/.git/ # passing forward .git causes warnings and possibly problems
+#
+#fedora-docdist/test:
+# extends:
+# - .test
+# - .fedora
+# dependencies:
+# - fedora-docdist/build
+# needs:
+# - fedora-docdist/build
+# script: # shall we separate it to two jobs?
+# - export CFLAGS="-std=c99 -O2 -g"
+# - DB2EPUBDIR=$(dirname $(find /usr/share/sgml/docbook/xsl-ns-stylesheets-*/epub/bin/ -name dbtoepub -print))
+# - PATH="$PATH:$DB2EPUBDIR" make -C doc gnutls.epub
+# # check whether distribution with or without included libopts is ok
+# - make -j$CHECKJOBS distcheck DISTCHECK_CONFIGURE_FLAGS="--enable-local-libopts --disable-tests"
+# - make -j$CHECKJOBS distcheck
+
+fedora-abicoverage/build:
+ extends:
+ - .build
+ - .fedora
+ script:
+ script:
+ - SUBMODULE_NOFETCH=1 ./bootstrap
+ - GUILE=/usr/bin/guile2.2
+ - GUILD=/usr/bin/guild2.2
+ - guile_snarf=/usr/bin/guile-snarf2.2
+ - export GUILE GUILD guile_snarf
+ - CFLAGS="-g -Og" dash ./configure --disable-gcc-warnings --cache-file $CCACHE_FILE --prefix=/usr --libdir=/usr/lib64 --enable-code-coverage --disable-maintainer-mode --disable-doc
+ - make -j$BUILDJOBS
+ - make -j$BUILDJOBS check TESTS=""
tags:
- - shared
- - linux
+ - shared
+ - linux
except:
- - tags
+ - tags
+
+fedora-abicoverage/test:
+ extends:
+ - .test
+ - .fedora
+ dependencies:
+ - fedora-abicoverage/build
+ needs:
+ - fedora-abicoverage/build
+ script:
+ - make abi-check
+ - make pic-check
+ - make -j$CHECKJOBS check
+ - make local-code-coverage-output || true
+ - if objdump -R lib/.libs/libgnutls.so | grep INTERNAL ; then false ; fi
artifacts:
expire_in: 1 week
when: on_failure
paths:
- - guile/tests/*.log
+ - ./*.xml
- ./*.log
- - fuzz/*.log
- - tests/*.log
- - tests/*/*.log
- - tests/suite/*/*.log
- retry: 1
-
-# This includes interoperability testing with gnutls 2.12.x
-Debian.x86_64:
- stage: stage1-testing
- image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$DEBIAN_BUILD
+ - ./**/*.log
+ - gnutls-prev-abi.tmp/
+ - compat_reports/
+
+##############################################################################
+########################### Debian pipelines #################################
+##############################################################################
+
+debian/build:
+ extends:
+ - .build
+ - .debian
script:
- ./bootstrap
- - mkdir -p build
- - cd build
- - dash ../configure --enable-oldgnutls-interop --disable-gcc-warnings --cache-file ../cache/config.cache --disable-doc --disable-guile LDFLAGS='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now'
+ - dash ./configure --enable-oldgnutls-interop --disable-gcc-warnings --cache-file $CCACHE_FILE --disable-doc --disable-guile LDFLAGS='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now'
- make -j$BUILDJOBS
- - make -j$CHECKJOBS check
- - cd ..
- tags:
- - shared
- - linux
- except:
- - tags
- artifacts:
- expire_in: 1 week
- when: on_failure
- paths:
- - build/guile/tests/*.log
- - build/*.log
- - build/tests/*.log
- - build/tests/*/*.log
- - build/tests/suite/*/*.log
- retry: 1
-
-Debian.cross.i686-linux-gnu:
- stage: stage1-testing
- image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$DEBIAN_X86_CROSS_BUILD
+ - make -j$BUILDJOBS check TESTS=""
+
+debian/test:
+ extends:
+ - .test
+ - .debian
+ dependencies:
+ - debian/build
+ needs:
+ - debian/build
+
+.debian-cross/build:
+ extends:
+ - .build
script:
- - build=$(dpkg-architecture -qDEB_HOST_GNU_TYPE)
- - host=i686-linux-gnu
- # not setting CC_FOR_BUILD paired with qemu-user/binfmt somehow causes
- # config.guess to detect the target as the build platform and not activate
- # cross-compile mode even though --build is given
- - export CC_FOR_BUILD="ccache gcc"
- - export CC="ccache $host-gcc"
- - ./bootstrap
- - mkdir -p build
- - cd build
- # Debian's softhsm package is not multiarch yet. Missing softhsm libraries
- # for the target will cause the test suite to fail when p11-kit is enabled.
- - dash ../configure --build=$build --host=$host --disable-gcc-warnings
- --cache-file ../cache/config.cache --disable-doc --disable-guile
- --without-p11-kit --disable-full-test-suite
- - make -j$BUILDJOBS
- - make pic-check
- # Parallel tests cause random failures, likely timing errors
- - make -j1 check
- - cd ..
+ - build=$(dpkg-architecture -qDEB_HOST_GNU_TYPE)
+ - host=$(echo $CI_JOB_NAME |cut -d/ -f2)
+ - echo "host is $host"
+ # not setting CC_FOR_BUILD paired with qemu-user/binfmt somehow causes
+ # config.guess to detect the target as the build platform and not activate
+ # cross-compile mode even though --build is given
+ - export CC_FOR_BUILD="ccache gcc"
+ - export CC="ccache $host-gcc"
+ - ./bootstrap
+ # Debian's softhsm package is not multiarch yet. Missing softhsm libraries
+ # for the target will cause the test suite to fail when p11-kit is enabled.
+ - dash ./configure --build=$build --host=$host --disable-gcc-warnings
+ --cache-file $CCACHE_FILE --disable-doc --disable-guile
+ --without-p11-kit --disable-full-test-suite
+ - make -j$BUILDJOBS
+ # build tests, but don't execute them
+ - make -j$BUILDJOBS check TESTS=""
tags:
- - shared
- - docker
- - linux
- except:
- - tags
- artifacts:
- expire_in: 1 week
- when: on_failure
- paths:
- - build/guile/tests/*.log
- - build/*.log
- - build/tests/*.log
- - build/tests/*/*.log
- - build/tests/suite/*/*.log
- retry: 1
-
-.Debian.cross.template: &Debian_cross_template
- stage: stage1-testing
- image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$DEBIAN_CROSS_BUILD
+ - shared
+ - docker
+ - linux
+
+.debian-cross/test:
+ extends:
+ - .test
script:
- - build=$(dpkg-architecture -qDEB_HOST_GNU_TYPE)
- - host="${CI_JOB_NAME#*.cross.}"
- # not setting CC_FOR_BUILD paired with qemu-user/binfmt somehow causes
- # config.guess to detect the target as the build platform and not activate
- # cross-compile mode even though --build is given
- - export CC_FOR_BUILD="ccache gcc"
- - export CC="ccache $host-gcc"
- - ./bootstrap
- - sed -i '/errno.==.EINVAL/d' src/gl/tests/test-strerror.c
- - mkdir -p build
- - cd build
- # Debian's softhsm package is not multiarch yet. Missing softhsm libraries
- # for the target will cause the test suite to fail when p11-kit is enabled.
- - dash ../configure --build=$build --host=$host --disable-gcc-warnings
- --cache-file ../cache/config.cache --disable-doc --disable-guile
- --without-p11-kit --disable-full-test-suite
- - make -j$BUILDJOBS
- # Parallel tests cause random failures, likely timing errors
- - make -j1 check
- - cd ..
+ - make pic-check
+ # Parallel tests cause random failures, likely timing errors
+ - make -j1 check
tags:
- - shared
- - docker
- - linux
- except:
- - tags
- artifacts:
- expire_in: 1 week
- when: on_failure
- paths:
- - build/guile/tests/*.log
- - build/*.log
- - build/tests/*.log
- - build/tests/*/*.log
- - build/tests/suite/*/*.log
- retry: 1
-
-Debian.cross.arm-linux-gnueabihf:
- <<: *Debian_cross_template
-
-Debian.cross.aarch64-linux-gnu:
- <<: *Debian_cross_template
+ - shared
+ - docker
+ - linux
+
+debian-cross/i686-linux-gnu/build: # name is important, see .debian-cross/build
+ extends:
+ - .debian-cross/build
+ - .debian-cross-i686
+
+debian-cross/i686-linux-gnu/test:
+ extends:
+ - .debian-cross/test
+ - .debian-cross-i686
+ dependencies:
+ - debian-cross/i686-linux-gnu/build
+ needs:
+ - debian-cross/i686-linux-gnu/build
+
+debian-cross/arm-linux-gnueabihf/build: # name is important, see .debian-cross/build
+ extends:
+ - .debian-cross/build
+ - .debian-cross-other
+
+debian-cross/arm-linux-gnueabihf/test:
+ extends:
+ - .debian-cross/test
+ - .debian-cross-other
+ dependencies:
+ - debian-cross/arm-linux-gnueabihf/build
+ needs:
+ - debian-cross/arm-linux-gnueabihf/build
+ timeout: 2h
+
+debian-cross/aarch64-linux-gnu/build: # name is important, see .debian-cross/build
+ extends:
+ - .debian-cross/build
+ - .debian-cross-other
+
+debian-cross/aarch64-linux-gnu/test:
+ extends:
+ - .debian-cross/test
+ - .debian-cross-other
+ dependencies:
+ - debian-cross/aarch64-linux-gnu/build
+ needs:
+ - debian-cross/aarch64-linux-gnu/build
+ timeout: 2h
allow_failure: true
-nettle-master.Fedora:
- stage: stage1-testing
- image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
+.mingw/build:
+ extends:
+ - .build
script:
- - git clone --depth 1 --branch master https://gitlab.com/gnutls/nettle.git nettle-git
- - export NETTLE_DIR=${PWD}/nettle
- - pushd nettle-git
- - ./.bootstrap
- - ./configure --disable-documentation --prefix=$NETTLE_DIR
- - make -j$BUILDJOBS
- - make -j$BUILDJOBS install
- - popd
- - SUBMODULE_NOFETCH=1 ./bootstrap
- - PKG_CONFIG_PATH=$NETTLE_DIR/lib64/pkgconfig dash ./configure --disable-gcc-warnings --disable-doc --disable-guile
- - make -j$BUILDJOBS
- - PKG_CONFIG_PATH=$NETTLE_DIR/lib64/pkgconfig LD_LIBRARY_PATH=$NETTLE_DIR/lib64 make -j$CHECKJOBS check
- tags:
- - shared
- - linux
- except:
- - tags
- artifacts:
- expire_in: 1 week
- when: on_failure
- paths:
- - ./*.log
- - fuzz/*.log
- - tests/*.log
- - tests/*/*.log
- - tests/suite/*/*.log
- retry: 1
-
-nettle-master-minigmp.Fedora:
- stage: stage1-testing
- image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
+# - mount -t binfmt_misc binfmt_misc /proc/sys/fs/binfmt_misc
+# - echo ':DOSWin:M::MZ::/usr/bin/wine:' > /proc/sys/fs/binfmt_misc/register
+ - ./bootstrap
+ - dash ./configure --disable-gcc-warnings --host=${arch_name}-w64-mingw32 --target=${arch_name}-w64-mingw32 --cache-file $CCACHE_FILE --with-included-libtasn1 --disable-guile --disable-nls --with-included-unistring --enable-local-libopts --disable-non-suiteb-curves --disable-full-test-suite --disable-doc
+ # since we use --enable-local-libopts the generated files must equal the .bak
+ - mingw${arch_bits}-make -j$BUILDJOBS -C src certtool-args.c.bak
+ - cmp src/certtool-args.c src/certtool-args.c.bak || false # TODO not really sure about what is this for
+ - mingw${arch_bits}-make -j$BUILDJOBS
+ - mingw${arch_bits}-make -j$BUILDJOBS -C tests check TESTS=""
+
+##############################################################################
+########################### MinGW pipelines ##################################
+##############################################################################
+
+.mingw/test:
+ extends:
+ - .test
script:
- - git clone --depth 1 --branch master https://gitlab.com/gnutls/nettle.git nettle-git
- - export NETTLE_DIR=${PWD}/nettle
- - pushd nettle-git
- - ./.bootstrap
- - ./configure --disable-documentation --enable-mini-gmp --prefix=$NETTLE_DIR
- - make -j$BUILDJOBS
- - make -j$BUILDJOBS install
- - popd
- - SUBMODULE_NOFETCH=1 ./bootstrap
- - PKG_CONFIG_PATH=$NETTLE_DIR/lib64/pkgconfig dash ./configure --disable-gcc-warnings --disable-doc --disable-guile --disable-full-test-suite
- - make -j$BUILDJOBS
- - PKG_CONFIG_PATH=$NETTLE_DIR/lib64/pkgconfig LD_LIBRARY_PATH=$NETTLE_DIR/lib64 make -j$CHECKJOBS check
- tags:
- - shared
- - linux
- except:
- - tags
+ - mingw${arch_bits}-make -j$CHECKJOBS -C tests check
+
+.mingw/archive:
+ stage: archive
+# TODO this should be here, but I want to see if it works without tagging
+# only:
+# - tags
+ script:
+ # Combine generated apps and DLLs.
+ #libwinpthread is required by libgcc
+ #libffi is required by libp11-kit
+ - mkdir -p win${arch_bits}-build/bin win${arch_bits}-build/lib/includes
+ - cp lib/.libs/*.dll src/.libs/*.exe win${arch_bits}-build/bin
+ - ${arch_name}-w64-mingw32-strip --strip-unneeded win${arch_bits}-build/bin/*.dll
+ - ${arch_name}-w64-mingw32-strip win${arch_bits}-build/bin/*.exe
+ - cp /usr/${arch_name}-w64-mingw32/sys-root/mingw/bin/libp11-*.dll win${arch_bits}-build/bin
+ - cp /usr/${arch_name}-w64-mingw32/sys-root/mingw/bin/libnettle-*.dll win${arch_bits}-build/bin
+ - cp /usr/${arch_name}-w64-mingw32/sys-root/mingw/bin/libhogweed-*.dll win${arch_bits}-build/bin
+ - cp /usr/${arch_name}-w64-mingw32/sys-root/mingw/bin/libgmp-*.dll win${arch_bits}-build/bin
+ - cp /usr/${arch_name}-w64-mingw32/sys-root/mingw/bin/libgcc*.dll win${arch_bits}-build/bin
+ - cp /usr/${arch_name}-w64-mingw32/sys-root/mingw/bin/libwinpthread*.dll win${arch_bits}-build/bin
+ - cp /usr/${arch_name}-w64-mingw32/sys-root/mingw/bin/libidn2-*.dll win${arch_bits}-build/bin
+ - cp /usr/${arch_name}-w64-mingw32/sys-root/mingw/bin/libffi-*.dll win${arch_bits}-build/bin
+ - cp lib/.libs/*.a lib/*.def lib/gnutls.pc win${arch_bits}-build/lib
+ - cp lib/includes/gnutls/*.h win${arch_bits}-build/lib/includes
artifacts:
- expire_in: 1 week
- when: on_failure
+ name: "${CI_PROJECT_NAME}-${CI_JOB_NAME}-${CI_COMMIT_REF_NAME}"
paths:
- - ./*.log
- - fuzz/*.log
- - tests/*.log
- - tests/*/*.log
- - tests/suite/*/*.log
- retry: 1
+ - win${arch_bits}-build/
+
+mingw64/build:
+ extends:
+ - .mingw/build
+ - .mingw64
+
+mingw64/test:
+ extends:
+ - .mingw/test
+ - .mingw64
+ dependencies:
+ - mingw64/build
+ needs:
+ - mingw64/build
+
+mingw64/archive:
+ extends:
+ - .mingw/archive
+ - .mingw64
+ dependencies:
+ - mingw64/build
+ needs: # archive only if tests successful
+ - mingw64/build
+ - mingw64/test
+
+mingw64-vista/build:
+ extends:
+ - .mingw/build
+ - .mingw64
+ - .mingw-vista
+
+mingw64-vista/test:
+ extends:
+ - .mingw/test
+ - .mingw64
+ - .mingw-vista
+ dependencies:
+ - mingw64-vista/build
+ needs:
+ - mingw64-vista/build
+
+mingw64-vista/archive:
+ extends:
+ - .mingw/archive
+ - .mingw64
+ - .mingw-vista
+ dependencies:
+ - mingw64-vista/build
+ needs: # archive only if tests successful
+ - mingw64-vista/build
+ - mingw64-vista/test
+
+mingw32/build:
+ extends:
+ - .mingw/build
+ - .mingw32
+
+mingw32/test:
+ extends:
+ - .mingw/test
+ - .mingw32
+ dependencies:
+ - mingw32/build
+ needs:
+ - mingw32/build
+
+mingw32/archive:
+ extends:
+ - .mingw/archive
+ - .mingw32
+ dependencies:
+ - mingw32/build
+ needs: # archive only if tests successful
+ - mingw32/build
+ - mingw32/test
+
+mingw32-vista/build:
+ extends:
+ - .mingw/build
+ - .mingw32
+ - .mingw-vista
+
+mingw32-vista/test:
+ extends:
+ - .mingw/test
+ - .mingw32
+ - .mingw-vista
+ dependencies:
+ - mingw32-vista/build
+ needs:
+ - mingw32-vista/build
+
+mingw32-vista/archive:
+ extends:
+ - .mingw/archive
+ - .mingw32
+ - .mingw-vista
+ dependencies:
+ - mingw32-vista/build
+ needs: # archive only if tests successful
+ - mingw32-vista/build
+ - mingw32-vista/test
diff --git a/.travis.yml b/.travis.yml
deleted file mode 100644
index 02f641b6a4..0000000000
--- a/.travis.yml
+++ /dev/null
@@ -1,49 +0,0 @@
-os:
- - osx
-
-osx_image:
- # MacOS X 10.15.4
- - xcode11.5
- # MacOS X 10.14.6
- - xcode11.3
- # MacOS X 10.13
- - xcode10.1
- # MacOS X 10.13, Default
- - xcode9.4
-
-language: c
-compiler:
- - clang
-
-git:
- submodules: false
-
-notifications:
- email:
- on_success: change
- on_failure: always
-
-
-before_install:
- - if [[ "$TRAVIS_OS_NAME" = "osx" ]]; then
- brew update;
- for pkg in openssl autoconf automake autogen libtool nettle p11-kit libtasn1 gettext bison;do
- brew install $pkg || true;
- done;
- for pkg in nettle wget p11-kit libtasn1;do
- brew upgrade $pkg || true;
- done;
- fi
-
-script:
- - export PATH="/usr/local/opt/gettext/bin:$PATH"
- - export PATH="/usr/local/opt/bison/bin:$PATH"
- - ./bootstrap
- - ./configure --disable-full-test-suite --disable-valgrind-tests --disable-doc --disable-guile --disable-dependency-tracking
- - make -j$(sysctl -n hw.ncpu) || make -j$(sysctl -n hw.ncpu) V=1
- - make -j$(sysctl -n hw.ncpu) check gl_public_submodule_commit=
-
-after_failure:
- - find . -name 'test-suite.log' -execdir grep -il "FAILED" {} \; -exec echo {} \; -exec cat {} \;
- - for i in tests/*.log fuzz/*.log;do echo "" && echo $i && cat $i;done
- - cat config.log
diff --git a/NEWS b/NEWS
index b6c58eeacf..51d23ee66f 100644
--- a/NEWS
+++ b/NEWS
@@ -5,16 +5,17 @@ Copyright (C) 2000-2016 Free Software Foundation, Inc.
Copyright (C) 2013-2019 Nikos Mavrogiannopoulos
See the end for copying conditions.
-* Version 3.7.0 (unreleased)
+* Version 3.7.0 (released 2020-12-02)
-** libgnutls: Depend on nettle 3.6.
+** libgnutls: Depend on nettle 3.6 (!1322).
** libgnutls: Added a new API that provides a callback function to
- retrieve missing certificates from incomplete certificate chains (#202).
+ retrieve missing certificates from incomplete certificate chains
+ (#202, #968, #1100).
** libgnutls: Added a new API that provides a callback function to
output the complete path to the trusted root during certificate
- chain verification (#1012)
+ chain verification (#1012).
** libgnutls: OIDs exposed as gnutls_datum_t no longer account for the
terminating null bytes, while the data field is null terminated.
@@ -22,11 +23,20 @@ See the end for copying conditions.
gnutls_ocsp_resp_get_response, and gnutls_ocsp_resp_get_extension
(#805).
-** libgnutls: Added a new API to enable QUIC implementation (#826, #849, #850).
+** libgnutls: Added a new set of API to enable QUIC implementation (#826, #849,
+ #850).
-** libgnutls: the crypto implementation override APIs deprecated in 3.6.9 are
+** libgnutls: The crypto implementation override APIs deprecated in 3.6.9 are
now no-op (#790).
+** libgnutls: Added MAGMA/KUZNYECHIK CTR-ACPKM and CMAC support (!1161).
+
+** libgnutls: Support for padlock has been fixed to make it work with Zhaoxin
+ CPU (#1079).
+
+** libgnutls: The maximum PIN length for PKCS #11 has been increased from 31
+ bytes to 255 bytes (#932).
+
** API and ABI modifications:
gnutls_x509_trust_list_set_getissuer_function: Added
gnutls_x509_trust_list_get_ptr: Added
@@ -45,6 +55,40 @@ gnutls_crypto_register_aead_cipher: Deprecated; no-op
gnutls_crypto_register_mac: Deprecated; no-op
gnutls_crypto_register_digest: Deprecated; no-op
+* Version 3.6.15 (releases 2020-09-04)
+
+** libgnutls: Fixed "no_renegotiation" alert handling at incorrect timing.
+ The server sending a "no_renegotiation" alert in an unexpected timing,
+ followed by an invalid second handshake was able to cause a TLS 1.3 client to
+ crash via a null-pointer dereference. The crash happens in the application's
+ error handling path, where the gnutls_deinit function is called after
+ detecting a handshake failure (#1071). [GNUTLS-SA-2020-09-04, CVSS: medium]
+
+** libgnutls: If FIPS self-tests are failed, gnutls_fips140_mode_enabled() now
+ indicates that with a false return value (!1306).
+
+** libgnutls: Under FIPS mode, the generated ECDH/DH public keys are checked
+ accordingly to SP800-56A rev 3 (!1295, !1299).
+
+** libgnutls: gnutls_x509_crt_export2() now returns 0 upon success, rather than
+ the size of the internal base64 blob (#1025). The new behavior aligns to the
+ existing documentation.
+
+** libgnutls: Certificate verification failue due to OCSP must-stapling is not
+ honered is now correctly marked with the GNUTLS_CERT_INVALID flag
+ (!1317). The new behavior aligns to the existing documentation.
+
+** libgnutls: The audit log message for weak hashes is no longer printed twice
+ (!1301).
+
+** libgnutls: Fixed version negotiation when TLS 1.3 is enabled and TLS 1.2 is
+ disabled in the priority string. Previously, even when TLS 1.2 is explicitly
+ disabled with "-VERS-TLS1.2", the server still offered TLS 1.2 if TLS 1.3 is
+ enabled (#1054).
+
+** API and ABI modifications:
+No changes since last version.
+
* Version 3.6.14 (released 2020-06-03)
** libgnutls: Fixed insecure session ticket key construction, since 3.6.4.
diff --git a/README.md b/README.md
index 3ee6c79671..c5d69c03ac 100644
--- a/README.md
+++ b/README.md
@@ -3,7 +3,7 @@
|Branch|CI system|Status|Test suite coverage|Fuzzer coverage|
|:----:|:-------:|-----:|:------:|:-------------:|
|Master/3.6.x|Gitlab|[![build status](https://gitlab.com/gnutls/gnutls/badges/master/pipeline.svg)](https://gitlab.com/gnutls/gnutls/commits/master)|[![coverage report](https://gitlab.com/gnutls/gnutls/badges/master/coverage.svg)](https://gnutls.gitlab.io/coverage/master)|[![Fuzzer coverage report](https://gnutls.gitlab.io/coverage/master-fuzz/badge.svg)](https://gnutls.gitlab.io/coverage/master-fuzz)|
-|Master/3.6.x|Travis|[![build status](https://travis-ci.org/gnutls/gnutls.svg?branch=master)](https://travis-ci.org/gnutls/gnutls)|N/A|N/A|
+|Master/3.6.x|Github Actions|[![build status](https://github.com/gnutls/gnutls/workflows/MacOS%20CI/badge.svg)](https://github.com/gnutls/gnutls/actions)|N/A|N/A|
# GnuTLS -- Information for developers
diff --git a/bootstrap b/bootstrap
index f80a56631e..5f1b1b70c0 100755
--- a/bootstrap
+++ b/bootstrap
@@ -1,10 +1,10 @@
#! /bin/sh
# Print a version string.
-scriptversion=2019-01-04.17; # UTC
+scriptversion=2020-11-18.17; # UTC
# Bootstrap this package from checked-out sources.
-# Copyright (C) 2003-2019 Free Software Foundation, Inc.
+# Copyright (C) 2003-2020 Free Software Foundation, Inc.
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -71,7 +71,9 @@ Options:
--no-git do not use git to update gnulib. Requires that
--gnulib-srcdir point to a correct gnulib snapshot
--skip-po do not download po files
-
+EOF
+ bootstrap_print_option_usage_hook
+ cat <<EOF
If the file $me.conf exists in the same directory as this script, its
contents are read as shell variables to configure the bootstrap.
@@ -154,6 +156,18 @@ gnulib_files=
: ${AUTOPOINT=autopoint}
: ${AUTORECONF=autoreconf}
+# A function to be called for each unrecognized option. Returns 0 if
+# the option in $1 has been processed by the function. Returns 1 if
+# the option has not been processed by the function. Override it via
+# your own definition in bootstrap.conf
+
+bootstrap_option_hook() { return 1; }
+
+# A function to be called in order to print the --help information
+# corresponding to user-defined command-line options.
+
+bootstrap_print_option_usage_hook() { :; }
+
# A function to be called right after gnulib-tool is run.
# Override it via your own definition in bootstrap.conf.
bootstrap_post_import_hook() { :; }
@@ -166,7 +180,7 @@ bootstrap_epilogue() { :; }
# specified directory. Fill in the first %s with the destination
# directory and the second with the domain name.
po_download_command_format=\
-"wget --mirror --level=1 -nd -q -A.po -P '%s' \
+"wget --mirror --level=1 -nd -nv -A.po -P '%s' \
https://translationproject.org/latest/%s/"
# Prefer a non-empty tarname (4th argument of AC_INIT if given), else
@@ -335,7 +349,7 @@ do
--no-git)
use_git=false;;
*)
- die "$option: unknown option";;
+ bootstrap_option_hook $option || die "$option: unknown option";;
esac
done
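Review bot: `$option` is passed unquoted to `bootstrap_option_hook` on the new `*)` arm, so a command-line argument containing whitespace or glob characters is split or expanded before the hook sees it as `$1`. The `die` message on the same line already quotes it. Quoting the argument keeps the hook's view consistent with what the user typed: `bootstrap_option_hook "$option" || die "$option: unknown option";;`. The option-parsing loop starts outside this hunk, so how `option` is assigned is not visible here.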
@@ -968,10 +982,10 @@ bootstrap_post_import_hook \
# uninitialized submodules.
#
# Uninitialized submodules are listed with an initial dash.
-#if $use_git && git submodule | grep '^-' >/dev/null; then
-# die "some git submodules are not initialized. " \
-# "Run 'git submodule init' and bootstrap again."
-#fi
+if $use_git && git submodule | grep '^-' >/dev/null; then
+ die "some git submodules are not initialized. " \
+ "Run 'git submodule update --init' and bootstrap again."
+fi
# Remove any dangling symlink matching "*.m4" or "*.[ch]" in some
# gnulib-populated directories. Such .m4 files would cause aclocal to fail.
diff --git a/bootstrap.conf b/bootstrap.conf
index 31eb7a33a6..f34508a3cb 100644
--- a/bootstrap.conf
+++ b/bootstrap.conf
@@ -23,7 +23,7 @@ gnulib_tool_option_extras="--without-tests --avoid=alignof-tests --avoid=lock-te
use_libtool=1
checkout_only_file=
local_gl_dir=gl/override/
-required_submodules="tests/suite/tls-fuzzer/python-ecdsa tests/suite/tls-fuzzer/tlsfuzzer tests/suite/tls-fuzzer/tlslite-ng devel/nettle devel/libtasn1"
+required_submodules="tests/suite/tls-fuzzer/python-ecdsa tests/suite/tls-fuzzer/tlsfuzzer tests/suite/tls-fuzzer/tlslite-ng devel/nettle devel/openssl devel/libtasn1"
# Those modules are common to lib/ and src/.
common_modules="
@@ -53,53 +53,41 @@ autopoint -
autogen -
"
-GTKDOCIZE=$(which gtkdocize 2>/dev/null)
-if test $? -ne 0; then
- echo "No gtk-doc support found. You can't build the docs."
- # rm because gtk-doc.make might be a link to a protected file
- rm -f gtk-doc.make 2>/dev/null
- echo "EXTRA_DIST =" >gtk-doc.make
- echo "CLEANFILES =" >>gtk-doc.make
- GTKDOCIZE=""
-else
- $GTKDOCIZE
-fi
-
# update git submodules
git_options=
if test -n "$SUBMODULE_NOFETCH"; then
git_options="--no-fetch"
fi
-for mod in $required_submodules;do
- git submodule update --init $git_options $mod
+for mod in $required_submodules; do
+ git submodule update --init $git_options $mod
done
-if test -d ./gnulib;then
- TMP_GNULIB_SRCDIR="${GNULIB_SRCDIR:-./gnulib/}"
-
- deps=$(${TMP_GNULIB_SRCDIR}/gnulib-tool --extract-recursive-dependencies ${gnulib_modules})
- deps="echo -n ${deps} ${gnulib_modules}|sort -u"
- case ${deps} in
- *select*|*poll*|*sockets*|*recv*|*send*)
- echo "******************************************************************"
- die "the library cannot include the gnulib sockets; see CONTRIBUTION.md"
- ;;
- esac
+# This check needs to be done before actual import.
+TMP_GNULIB_SRCDIR="${GNULIB_SRCDIR:-gnulib}"
+if test -d "$TMP_GNULIB_SRCDIR"; then
+ if ${TMP_GNULIB_SRCDIR}/gnulib-tool --extract-recursive-dependencies ${gnulib_modules} | grep -E 'select|poll|sockets|recv|send' > /dev/null 2>&1; then
+ die "the library cannot include the gnulib sockets; see CONTRIBUTING.md"
+ fi
fi
bootstrap_post_import_hook ()
{
- # we re-use malloc-posix from the original gnulib
-# for i in ${unistring_modules}; do
-# sed -i 's/malloc-posix//g' ${GNULIB_SRCDIR}/modules/$i
-# done
-
${GNULIB_SRCDIR}/gnulib-tool --import --local-dir=lib/unistring/override --lib=libunistring --source-base=lib/unistring --m4-base=lib/unistring/m4 --doc-base=doc --aux-dir=build-aux --lgpl=3orGPLv2 --no-conditional-dependencies --libtool --without-tests --macro-prefix=unistring ${unistring_modules}
${GNULIB_SRCDIR}/gnulib-tool --import --local-dir=src/gl/override --lib=libgnu_gpl --source-base=src/gl --m4-base=src/gl/m4 --doc-base=doc --tests-base=src/gl/tests --aux-dir=build-aux --no-conditional-dependencies --libtool --macro-prefix=ggl --with-tests --no-vc-files ${src_modules}
-# git -C ${GNULIB_SRCDIR} reset --hard
+ gtkdocize || {
+ echo "No gtk-doc support found. You can't build the docs."
+ # rm because gtk-doc.make might be a link to a protected file
+ rm -f gtk-doc.make
+ # Those need to be defined because the upstream Makefile boilerplate
+ # (doc/reference/Makefile.am) relies on them.
+ cat > gtk-doc.make <<EOF
+EXTRA_DIST =
+CLEANFILES =
+EOF
+ }
# Automake requires that ChangeLog exist.
touch ChangeLog || return 1
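Review bot: The new sockets guard (`if ${TMP_GNULIB_SRCDIR}/gnulib-tool --extract-recursive-dependencies ... | grep -E ...`) fails open. The pipeline's status is grep's alone, so when `gnulib-tool` is missing, not executable or exits with an error, grep reads empty input, returns non-zero, and the check passes as if no forbidden module were present. `test -d` only proves the directory exists, and the `2>&1` applies to grep, not to gnulib-tool. Capturing the output first makes a tool failure fatal: `deps=$("$TMP_GNULIB_SRCDIR"/gnulib-tool --extract-recursive-dependencies ${gnulib_modules}) || die "cannot list gnulib dependencies"`, then `if printf '%s\n' "$deps" | grep -E 'select|poll|sockets|recv|send' >/dev/null; then`. Separately, `gtkdocize || { ... }` treats every non-zero exit as "No gtk-doc support found", which can hide a real gtkdocize error behind stub `gtk-doc.make` contents.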
diff --git a/configure.ac b/configure.ac
index d38054804b..820cbf2117 100644
--- a/configure.ac
+++ b/configure.ac
@@ -23,7 +23,7 @@ dnl Process this file with autoconf to produce a configure script.
AC_PREREQ(2.64)
dnl when updating version also update LT_REVISION in m4/hooks.m4
-AC_INIT([GnuTLS], [3.6.14], [bugs@gnutls.org])
+AC_INIT([GnuTLS], [3.7.0], [bugs@gnutls.org])
AC_CONFIG_AUX_DIR([build-aux])
AC_CONFIG_MACRO_DIRS([m4 src/gl/m4 src/libopts/m4 lib/unistring/m4])
AC_CANONICAL_HOST
@@ -145,7 +145,7 @@ case "$host" in
dnl intended minimum runtime version.
LDFLAGS="$LDFLAGS -Wl,-no_weak_imports"
AC_MSG_CHECKING([whether the linker supports -Wl,-no_weak_imports])
- AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <sys/select.h>], [fd_set rfds; FD_ZERO(&rfds); FD_SET(0, &rfds);])],
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])],
[AC_MSG_RESULT(yes)], [AC_MSG_RESULT(no); LDFLAGS="$save_LDFLAGS"])
;;
*solaris*)
@@ -415,6 +415,23 @@ if test "$ac_cv_func_clock_gettime" != "yes";then
gnutls_needs_librt=yes
fi
+if test "$have_macosx" = "yes";then
+ dnl Remove -no_weak_imports from LDFLAGS after testing for function
+ dnl availability; keeping it included later breaks code that uses
+ dnl FD_SET, which since Xcode 11.4 implicitly adds a call to the
+ dnl weakly linked function __darwin_check_fd_set_overflow. We only
+ dnl need it above to make sure that we don't detect functions that
+ dnl are linked weakly (and can end up null at runtime) unless
+ dnl we check for their availability at runtime.
+ new_LDFLAGS=""
+ for f in $LDFLAGS; do
+ if test "$f" != "-Wl,-no_weak_imports"; then
+ new_LDFLAGS="$new_LDFLAGS $f"
+ fi
+ done
+ LDFLAGS="$new_LDFLAGS"
+fi
+
AC_ARG_WITH(included-unistring, AS_HELP_STRING([--with-included-unistring],
[disable linking with system libunistring]),
included_unistring="$withval",
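Review bot: Once the `have_macosx` block strips `-Wl,-no_weak_imports` from `LDFLAGS`, any function-availability check that runs later in configure.ac can again detect weakly linked symbols that may be null at runtime. The hunk does not show whether such checks remain below it. The dnl comment explains why the flag is removed but not the ordering constraint this creates, so I would add a line such as `dnl Keep every AC_CHECK_FUNC/AC_CHECK_FUNCS that must reject weak imports above this block.` The `for f in $LDFLAGS` loop also re-splits the variable on whitespace, so a flag whose value contains a space would not survive it; that is presumably acceptable here but worth a short comment.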
@@ -989,7 +1006,7 @@ fi
dnl Guile bindings.
AC_MSG_CHECKING([whether building Guile bindings])
AC_ARG_ENABLE(guile,
- AS_HELP_STRING([--enable-guile], [build GNU Guile bindings]),
+ AS_HELP_STRING([--disable-guile], [don't build GNU Guile bindings]),
[opt_guile_bindings=$enableval], [opt_guile_bindings=yes])
AC_MSG_RESULT($opt_guile_bindings)
diff --git a/devel/openssl b/devel/openssl
-Subproject 7216e9a20aee620d85185a6ddb8caa30f11f219
+Subproject 8e813c085ac43ca6a58a20f7982b26ed31dc326
diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi
index eb5764b554..36ba55e3ab 100644
--- a/doc/cha-gtls-app.texi
+++ b/doc/cha-gtls-app.texi
@@ -60,10 +60,10 @@ The credentials structures are used by the authentication methods, such
as certificate authentication. They store certificates, privates keys,
and other information that is needed to prove the identity to the peer,
and/or verify the identity of the peer. The information stored in
-the credentials structures is initialized once and then can be
+the credentials structures is initialized once and then can be
shared by many @acronym{TLS} sessions.
-A @acronym{GnuTLS} session contains all the required state and
+A @acronym{GnuTLS} session contains all the required state and
information to handle one secure connection. The session communicates with the
peers using the provided functions of the transport layer.
Every session has a unique session ID shared with the peer.
@@ -165,7 +165,7 @@ below.
@subsection Debugging and auditing
In many cases things may not go as expected and further information,
-to assist debugging, from @acronym{GnuTLS} is desired.
+to assist debugging, from @acronym{GnuTLS} is desired.
Those are the cases where the @funcref{gnutls_global_set_log_level} and
@funcref{gnutls_global_set_log_function} are to be used. Those will print
verbose information on the @acronym{GnuTLS} functions internal flow.
@@ -233,7 +233,7 @@ objects of the library such as TLS sessions, can be safely divided across
threads as long as a single thread accesses a single object. This is
sufficient to support a server which handles several sessions per thread.
Read-only access to objects, for example the credentials holding structures,
-is also thread-safe.
+is also thread-safe.
A @code{gnutls_session_t} object could also be shared by two threads, one sending,
the other receiving. However, care must be taken on the following use cases:
@@ -261,7 +261,7 @@ the function @funcref{gnutls_global_set_mutex} before calling any other
GnuTLS function. Setting mutexes manually is not recommended.}
Note that, on Glibc systems, unless the application is explicitly linked
-with the libpthread library, no mutex locks are used and setup by GnuTLS. It
+with the libpthread library, no mutex locks are used and setup by GnuTLS. It
will use the Glibc mutex stubs.
@node Running in a sandbox
@@ -308,7 +308,7 @@ An example with a seccomp filter from GnuTLS' test suite is at:
@cindex fork
A @code{gnutls_session_t} object can be shared by two processes after a fork,
-one sending, the other receiving. In that case rehandshakes,
+one sending, the other receiving. In that case rehandshakes,
cannot and must not be performed. As with threads, the termination of a session should be
handled by the sender process using @funcref{gnutls_bye} with @code{GNUTLS_SHUT_WR}
and the receiving process waiting for a return value of zero.
@@ -329,9 +329,9 @@ data to the transport layer.
@showfuncB{gnutls_transport_set_push_function,gnutls_transport_set_pull_function}
Other callback functions may require more complicated input and data
-to be allocated. Such an example is
+to be allocated. Such an example is
@funcref{gnutls_srp_set_server_credentials_function}.
-All callbacks should allocate and free memory using
+All callbacks should allocate and free memory using
@funcintref{gnutls_malloc} and @funcintref{gnutls_free}.
@@ -371,7 +371,7 @@ The initialization typically enables CPU-specific acceleration, performs any req
precalculations needed, opens any required system devices (e.g., /dev/urandom on Linux)
and initializes subsystems that could be used later.
-The resources allocated by the initialization process will be released
+The resources allocated by the initialization process will be released
on library deinitialization.
Note that on certain systems file descriptors may be kept open by
@@ -394,8 +394,8 @@ want to check that the version is okay right after program start-up.
See the function @funcref{gnutls_check_version}.
On the other hand, it is often desirable to support more than one
-versions of the library. In that case you could utilize compile-time
-feature checks using the @code{GNUTLS_VERSION_NUMBER} macro.
+versions of the library. In that case you could utilize compile-time
+feature checks using the @code{GNUTLS_VERSION_NUMBER} macro.
For example, to conditionally add code for GnuTLS 3.2.1 or later, you may use:
@example
#if GNUTLS_VERSION_NUMBER >= 0x030201
@@ -468,7 +468,7 @@ required for GnuTLS as well as the initialization required for each
authentication method's credentials (see @ref{Authentication}).
In this section we elaborate on the TLS or DTLS session initiation.
Each session is initialized using @funcref{gnutls_init} which among
-others is used to specify the type of the connection (server or client),
+others is used to specify the type of the connection (server or client),
and the underlying protocol type, i.e., datagram (UDP) or reliable (TCP).
@showfuncdesc{gnutls_init}
@@ -479,9 +479,9 @@ After the session initialization details on the allowed ciphersuites
and protocol versions should be set using the priority functions
such as @funcref{gnutls_priority_set} and @funcref{gnutls_priority_set_direct}.
We elaborate on them in @ref{Priority Strings}.
-The credentials used for the key exchange method, such as certificates
+The credentials used for the key exchange method, such as certificates
or usernames and passwords should also be associated with the session
-current session using @funcref{gnutls_credentials_set}.
+current session using @funcref{gnutls_credentials_set}.
@showfuncdesc{gnutls_credentials_set}
@@ -496,7 +496,7 @@ current session using @funcref{gnutls_credentials_set}.
* Anonymous credentials::
@end menu
-Each authentication method is associated with a key exchange method, and a credentials type.
+Each authentication method is associated with a key exchange method, and a credentials type.
The contents of the credentials is method-dependent, e.g. certificates
for certificate authentication and should be initialized and associated
with a session (see @funcref{gnutls_credentials_set}). A mapping of the key exchange methods
@@ -558,8 +558,8 @@ be freed. This can be done with the following functions.
@showfuncB{gnutls_certificate_allocate_credentials,gnutls_certificate_free_credentials}
-After the credentials structures are initialized, the certificate
-and key pair must be loaded. This occurs before any @acronym{TLS}
+After the credentials structures are initialized, the certificate
+and key pair must be loaded. This occurs before any @acronym{TLS}
session is initialized, and the same structures are reused for multiple sessions.
Depending on the certificate type different loading functions
are available, as shown below.
@@ -574,7 +574,7 @@ already.
It is recommended to use the higher level functions such as @funcref{gnutls_certificate_set_x509_key_file2}
which accept not only file names but URLs that specify objects stored in token,
-or system certificates and keys (see @ref{Application-specific keys}). For these cases, another important
+or system certificates and keys (see @ref{Application-specific keys}). For these cases, another important
function is @funcref{gnutls_certificate_set_pin_function}, that
allows setting a callback function to retrieve a PIN if the input keys are
protected by PIN.
@@ -591,7 +591,7 @@ If multiple certificates are used with the functions above each
client's request will be served with the certificate that matches the
requested name (see @ref{Server name indication}).
-As an alternative to loading from files or buffers, a callback may be used for the
+As an alternative to loading from files or buffers, a callback may be used for the
server or the client to specify the certificate and the key at the handshake time.
In that case a certificate should be selected according the peer's signature
algorithm preferences. To get those preferences use
@@ -637,7 +637,7 @@ The request contains a list of the by the server accepted certificate signers. T
is constructed using the trusted certificate authorities of the server.
In cases where the server supports a large number of certificate authorities
it makes sense not to advertise all of the names to save bandwidth. That can
-be controlled using the function @funcref{gnutls_certificate_send_x509_rdn_sequence}.
+be controlled using the function @funcref{gnutls_certificate_send_x509_rdn_sequence}.
This however will have the side-effect of not restricting the client to certificates
signed by server's acceptable signers.
@@ -678,7 +678,7 @@ Alternatively, one must set a callback function during the handshake
using @funcref{gnutls_certificate_set_verify_function}, which
will verify the peer's certificate once received. The verification
should happen using @funcref{gnutls_certificate_verify_peers3} within
-the callback. It will verify the certificate's signature and the owner
+the callback. It will verify the certificate's signature and the owner
of the certificate. That will provide a brief verification output. If a
detailed output is required one should call @funcref{gnutls_certificate_get_peers}
to obtain the raw certificate of the peer and verify it using the
@@ -727,9 +727,9 @@ The callback is called once during the @acronym{TLS} handshake.
In server side the default behavior of @acronym{GnuTLS} is to read
the usernames and @acronym{SRP} verifiers from password files. These
password file format is compatible the with the @emph{Stanford srp libraries}
-format. If a different password file format is to be used, then
+format. If a different password file format is to be used, then
@funcref{gnutls_srp_set_server_credentials_function} should be called,
-to set an appropriate callback.
+to set an appropriate callback.
@showfuncdesc{gnutls_srp_set_server_credentials_file}
@@ -744,7 +744,7 @@ client and server.
@showfuncD{gnutls_psk_allocate_server_credentials,gnutls_psk_allocate_client_credentials,gnutls_psk_free_server_credentials,gnutls_psk_free_client_credentials}
Clients supporting @acronym{PSK} should supply the username and key
-before a TLS session is established. Alternatively
+before a TLS session is established. Alternatively
@funcref{gnutls_psk_set_client_credentials_function} can be used to
specify a callback function. This has the
advantage that the callback will be called only if @acronym{PSK} has
@@ -792,7 +792,7 @@ The initialization functions for the credentials are shown below.
The next step is to setup the underlying transport layer details. The
Berkeley sockets are implicitly used by GnuTLS, thus a
call to @funcref{gnutls_transport_set_int} would be sufficient to
-specify the socket descriptor.
+specify the socket descriptor.
@showfuncB{gnutls_transport_set_int,gnutls_transport_set_int2}
@@ -825,23 +825,23 @@ value instead of setting @code{errno} directly.
@acronym{GnuTLS} currently only interprets the EINTR, EAGAIN and EMSGSIZE errno
values and returns the corresponding @acronym{GnuTLS} error codes:
@itemize
-@item @code{GNUTLS_E_INTERRUPTED}
+@item @code{GNUTLS_E_INTERRUPTED}
@item @code{GNUTLS_E_AGAIN}
@item @code{GNUTLS_E_LARGE_PACKET}
@end itemize
-The EINTR and EAGAIN values are returned by interrupted system calls,
-or when non blocking IO is used. All @acronym{GnuTLS} functions can be
+The EINTR and EAGAIN values are returned by interrupted system calls,
+or when non blocking IO is used. All @acronym{GnuTLS} functions can be
resumed (called again), if any of the above error codes is returned. The
EMSGSIZE value is returned when attempting to send a large datagram.
-In the case of DTLS it is also desirable to override the generic
+In the case of DTLS it is also desirable to override the generic
transport functions with functions that emulate the operation
of @code{recvfrom} and @code{sendto}. In addition
@acronym{DTLS} requires timers during the receive of a handshake
-message, set using the @funcref{gnutls_transport_set_pull_timeout_function}
+message, set using the @funcref{gnutls_transport_set_pull_timeout_function}
function. To check the retransmission timers the function
@funcref{gnutls_dtls_get_timeout} is provided, which returns the time
-remaining until the next retransmission, or better the time until
+remaining until the next retransmission, or better the time until
@funcref{gnutls_handshake} should be called again.
@showfuncdesc{gnutls_transport_set_pull_timeout_function}
@@ -866,18 +866,18 @@ The blocking, due to network interaction, calls such as
can be set to non-blocking by setting the underlying sockets to non-blocking.
If other push and pull functions are setup, then they should behave the same
way as @funcintref{recv} and @funcintref{send} when used in a non-blocking
-way, i.e., return -1 and set errno to @code{EAGAIN}. Since, during a TLS protocol session
+way, i.e., return -1 and set errno to @code{EAGAIN}. Since, during a TLS protocol session
@acronym{GnuTLS} does not block except for network interaction, the non blocking
-@code{EAGAIN} errno will be propagated and @acronym{GnuTLS} functions
-will return the @code{GNUTLS_E_AGAIN} error code. Such calls can be resumed the
-same way as a system call would.
+@code{EAGAIN} errno will be propagated and @acronym{GnuTLS} functions
+will return the @code{GNUTLS_E_AGAIN} error code. Such calls can be resumed the
+same way as a system call would.
The only exception is @funcref{gnutls_record_send},
which if interrupted subsequent calls need not to include the data to be
sent (can be called with NULL argument).
When using the @funcintref{poll} or @funcintref{select} system calls though, one should remember
that they only apply to the kernel sockets API. To check for any
-available buffered data in a @acronym{GnuTLS} session,
+available buffered data in a @acronym{GnuTLS} session,
utilize @funcref{gnutls_record_check_pending},
either before the @funcintref{poll} system call, or after a call to
@funcref{gnutls_record_recv}. Data queued by @funcref{gnutls_record_send}
@@ -898,8 +898,8 @@ call the @funcref{gnutls_init} function with the
@code{GNUTLS_NONBLOCK} flag set (see @ref{Session initialization}).
@subsubsection Datagram TLS protocol
-When in non-blocking mode the function, the @funcref{gnutls_init} function
-must be called with the @code{GNUTLS_NONBLOCK} flag set (see @ref{Session initialization}).
+When in non-blocking mode the function, the @funcref{gnutls_init} function
+must be called with the @code{GNUTLS_NONBLOCK} flag set (see @ref{Session initialization}).
In contrast with the TLS protocol, the pull timeout function is required,
but will only be called with a timeout of zero. In that case it should indicate
@@ -910,7 +910,7 @@ Although in the TLS protocol implementation each call to receive or send
function implies to restoring the same function that was interrupted, in
the DTLS protocol this requirement isn't true.
There are cases where a retransmission is required, which are indicated by
-a received message and thus @funcref{gnutls_record_get_direction} must be called
+a received message and thus @funcref{gnutls_record_get_direction} must be called
to decide which direction to check prior to restoring a function call.
@showfuncdesc{gnutls_record_get_direction}
@@ -1103,8 +1103,8 @@ int main()
Because datagram TLS can operate over connections where the client
cannot be reliably verified, functionality in the form of cookies, is available to prevent
denial of service attacks to servers. @acronym{GnuTLS} requires a server
-to generate a secret key that is used to sign a cookie@footnote{A key of 128 bits or 16 bytes should be sufficient for this purpose.}.
-That cookie is sent to the client using @funcref{gnutls_dtls_cookie_send}, and
+to generate a secret key that is used to sign a cookie@footnote{A key of 128 bits or 16 bytes should be sufficient for this purpose.}.
+That cookie is sent to the client using @funcref{gnutls_dtls_cookie_send}, and
the client must reply using the correct cookie. The server side
should verify the initial message sent by client using @funcref{gnutls_dtls_cookie_verify}.
If successful the session should be initialized and associated with
@@ -1115,7 +1115,7 @@ the handshake.
Note that the above apply to server side only and they are not mandatory to be
used. Not using them, however, allows denial of service attacks.
-The client side cookie handling is part of @funcref{gnutls_handshake}.
+The client side cookie handling is part of @funcref{gnutls_handshake}.
Datagrams are typically restricted by a maximum transfer unit (MTU). For that
both client and server side should set the correct maximum transfer unit for
@@ -1194,8 +1194,8 @@ protocol, this field allows distinguishing out-of-order messages.
@showfuncdesc{gnutls_record_recv_seq}
-The @funcref{gnutls_record_check_pending} helper function is available to
-allow checking whether data are available to be read in a @acronym{GnuTLS} session
+The @funcref{gnutls_record_check_pending} helper function is available to
+allow checking whether data are available to be read in a @acronym{GnuTLS} session
buffers. Note that this function complements but does not replace @funcintref{poll},
i.e., @funcref{gnutls_record_check_pending} reports no data to be read, @funcintref{poll}
should be called to check for data in the network buffers.
@@ -1235,7 +1235,7 @@ must be terminated afterwards, or warning when something needs
to be reported to the peer, but without interrupting the session.
The error codes @code{GNUTLS_E_@-WARNING_@-ALERT_@-RECEIVED}
or @code{GNUTLS_E_@-FATAL_@-ALERT_@-RECEIVED} signal those alerts
-when received, and may be returned by all GnuTLS functions that receive
+when received, and may be returned by all GnuTLS functions that receive
data from the peer, being @funcref{gnutls_handshake} and @funcref{gnutls_record_recv}.
If those error codes are received the alert and its level should be logged
@@ -1264,7 +1264,7 @@ strings are intended as a user-specified override of the library defaults.
That is, we recommend applications using the default settings
(c.f. @funcref{gnutls_set_default_priority} or
-@funcref{gnutls_set_default_priority_append}), and provide the user
+@funcref{gnutls_set_default_priority_append}), and provide the user
with access to priority strings for overriding the default behavior,
on configuration files, or other UI. Following such a principle,
makes the GnuTLS library as the default settings provider. That is
@@ -1318,7 +1318,7 @@ The message authenticity security level is of 64 bits or more,
and the certificate verification profile is set to GNUTLS_PROFILE_LOW (80-bits).
This priority string implicitly enables ECDHE and DHE. The ECDHE ciphersuites
-are placed first in the priority order, but due to compatibility
+are placed first in the priority order, but due to compatibility
issues with the DHE ciphersuites they are placed last in the priority order,
after the plain RSA ciphersuites.
@@ -1336,13 +1336,13 @@ and the certificate verification profile is set to GNUTLS_PROFILE_LOW (80-bits).
This option is available since 3.2.4 or later.
@item SECURE128 @tab
-Means all known to be secure ciphersuites that offer a
+Means all known to be secure ciphersuites that offer a
security level 128-bit or more.
The message authenticity security level is of 80 bits or more,
and the certificate verification profile is set to GNUTLS_PROFILE_LOW (80-bits).
@item SECURE192 @tab
-Means all the known to be secure ciphersuites that offer a
+Means all the known to be secure ciphersuites that offer a
security level 192-bit or more.
The message authenticity security level is of 128 bits or more,
and the certificate verification profile is set to GNUTLS_PROFILE_HIGH (128-bits).
@@ -1388,12 +1388,12 @@ are enabled.
Note that the SECURE levels distinguish between overall security level and
message authenticity security level. That is because the message
authenticity security level requires the adversary to break
-the algorithms at real-time during the protocol run, whilst
-the overall security level refers to off-line adversaries
+the algorithms at real-time during the protocol run, whilst
+the overall security level refers to off-line adversaries
(e.g. adversaries breaking the ciphertext years after it was captured).
-The NONE keyword, if used, must followed by keywords specifying
-the algorithms and protocols to be enabled. The other initial keywords
+The NONE keyword, if used, must followed by keywords specifying
+the algorithms and protocols to be enabled. The other initial keywords
do not require, but may be followed by such keywords. All level keywords
can be combined, and for example a level of "SECURE256:+SECURE128" is
allowed.
@@ -1406,15 +1406,15 @@ to list the supported algorithms in your currently using version use
@code{gnutls-cli -l}.
To avoid collisions in order to specify a protocol version
-with "VERS-", signature algorithms with "SIGN-" and certificate types with "CTYPE-".
+with "VERS-", signature algorithms with "SIGN-" and certificate types with "CTYPE-".
All other algorithms don't need a prefix. Each specified keyword (except
for @emph{special keywords}) can be prefixed with any of the following
characters.
@table @asis
-@item '!' or '-'
+@item '!' or '-'
appended with an algorithm will remove this algorithm.
-@item "+"
+@item "+"
appended with an algorithm will add this algorithm.
@end table
@@ -1428,7 +1428,7 @@ all the algorithms from NORMAL priority. The shortcut for secure GOST
algorithms is CIPHER-GOST-ALL.
@item Key exchange @tab
-RSA, DHE-RSA, DHE-DSS, SRP, SRP-RSA, SRP-DSS,
+RSA, RSA-PSK, RSA-EXPORT, DHE-RSA, DHE-DSS, SRP, SRP-RSA, SRP-DSS,
PSK, DHE-PSK, ECDHE-PSK, ECDHE-RSA, ECDHE-ECDSA, VKO-GOST-12, ANON-ECDH, ANON-DH.
Catch all name is KX-ALL which will add all the algorithms from NORMAL
priority. Under TLS1.3, the DHE-PSK and ECDHE-PSK strings are equivalent
@@ -1445,7 +1445,7 @@ COMP-NULL, COMP-DEFLATE. Catch all is COMP-ALL.
@item TLS versions @tab
VERS-TLS1.0, VERS-TLS1.1, VERS-TLS1.2, VERS-TLS1.3,
-VERS-DTLS1.0, VERS-DTLS1.2.
+VERS-DTLS0.9, VERS-DTLS1.0, VERS-DTLS1.2.
Catch all are VERS-ALL, and will enable
all protocols from NORMAL priority. To distinguish between TLS and DTLS
versions you can use VERS-TLS-ALL and VERS-DTLS-ALL.
@@ -1455,6 +1455,7 @@ SIGN-RSA-SHA1, SIGN-RSA-SHA224,
SIGN-RSA-SHA256, SIGN-RSA-SHA384, SIGN-RSA-SHA512, SIGN-DSA-SHA1,
SIGN-DSA-SHA224, SIGN-DSA-SHA256, SIGN-RSA-MD5, SIGN-ECDSA-SHA1,
SIGN-ECDSA-SHA224, SIGN-ECDSA-SHA256, SIGN-ECDSA-SHA384, SIGN-ECDSA-SHA512,
+SIGN-EdDSA-Ed25519, SIGN-EdDSA-Ed448,
SIGN-RSA-PSS-SHA256, SIGN-RSA-PSS-SHA384, SIGN-RSA-PSS-SHA512,
SIGN-GOSTR341001, SIGN-GOSTR341012-256, SIGN-GOSTR341012-512.
Catch all which enables all algorithms from NORMAL priority is SIGN-ALL.
@@ -1462,10 +1463,11 @@ Shortcut which enables secure GOST algorithms is SIGN-GOST-ALL.
This option is only considered for TLS 1.2 and later.
@item Groups @tab
-GROUP-SECP256R1, GROUP-SECP384R1, GROUP-SECP521R1, GROUP-X25519, GROUP-X448,
+GROUP-SECP192R1, GROUP-SECP224R1, GROUP-SECP256R1, GROUP-SECP384R1,
+GROUP-SECP521R1, GROUP-X25519, GROUP-X448, GROUP-GC256B, GROUP-GC512A,
GROUP-FFDHE2048, GROUP-FFDHE3072, GROUP-FFDHE4096, GROUP-FFDHE6144, and
GROUP-FFDHE8192.
-Groups include both elliptic curve groups, e.g., SECP256R1, as well as
+Groups include both elliptic curve groups, e.g., SECP256R1, as well as
finite field groups such as FFDHE2048. Catch all which enables all groups
from NORMAL priority is GROUP-ALL. The helper keywords GROUP-DH-ALL,
GROUP-GOST-ALL and GROUP-EC-ALL are also available, restricting the groups
@@ -1504,10 +1506,10 @@ exchange methods are generally slower@footnote{It depends on the group in use.
less bits are always faster, but the number of bits ties with the security
parameter. See @ref{Selecting cryptographic key sizes}
for the acceptable security levels.} than their elliptic curves counterpart
-(ECDHE).
+(ECDHE).
The available special keywords are shown in @ref{tab:prio-special1}
-and @ref{tab:prio-special2}.
+and @ref{tab:prio-special2}.
@float Table,tab:prio-special1
@multitable @columnfractions .45 .45
@@ -1638,7 +1640,7 @@ that an initial keyword that enables SUITEB automatically sets the profile.
@end float
Finally the ciphersuites enabled by any priority string can be
-listed using the @code{gnutls-cli} application (see @ref{gnutls-cli Invocation}),
+listed using the @code{gnutls-cli} application (see @ref{gnutls-cli Invocation}),
or by using the priority functions as in @ref{Listing the ciphersuites in a priority string}.
Example priority strings are:
@@ -1658,7 +1660,7 @@ Specifying the defaults plus ARCFOUR-128:
Enabling the 128-bit secure ciphers, while disabling TLS 1.0:
"SECURE128:-VERS-TLS1.0"
-Enabling the 128-bit and 192-bit secure ciphers, while disabling all TLS versions
+Enabling the 128-bit and 192-bit secure ciphers, while disabling all TLS versions
except TLS 1.2:
"SECURE128:+SECURE192:-VERS-ALL:+VERS-TLS1.2"
@end example
@@ -1670,7 +1672,7 @@ except TLS 1.2:
Because many algorithms are involved in TLS, it is not easy to set
a consistent security level. For this reason in @ref{tab:key-sizes} we
present some correspondence between key sizes of symmetric algorithms
-and public key algorithms based on @xcite{ECRYPT}.
+and public key algorithms based on @xcite{ECRYPT}.
Those can be used to generate certificates with
appropriate key sizes as well as select parameters for Diffie-Hellman and SRP
authentication.
@@ -1761,7 +1763,7 @@ The NIST publication SP 800-57 @xcite{NISTSP80057} contains a similar
table.
When using @acronym{GnuTLS} and a decision on bit sizes for a public
-key algorithm is required, use of the following functions is
+key algorithm is required, use of the following functions is
recommended:
@showfuncdesc{gnutls_sec_param_to_pk_bits}
@@ -1769,13 +1771,13 @@ recommended:
@showfuncdesc{gnutls_pk_bits_to_sec_param}
Those functions will convert a human understandable security parameter
-of @code{gnutls_sec_param_t} type, to a number of bits suitable for a public
+of @code{gnutls_sec_param_t} type, to a number of bits suitable for a public
key algorithm.
@showfuncA{gnutls_sec_param_get_name}
The following functions will set the minimum acceptable group size for Diffie-Hellman
-and SRP authentication.
+and SRP authentication.
@showfuncB{gnutls_dh_set_prime_bits,gnutls_srp_set_prime_bits}
@@ -1888,7 +1890,7 @@ re-associated with the GnuTLS session using
Keep in mind that sessions will be expired after some time, depending
on the server, and a server may choose not to resume a session
even when requested to. The expiration is to prevent temporal session keys
-from becoming long-term keys. Also note that as a client you must enable,
+from becoming long-term keys. Also note that as a client you must enable,
using the priority functions, at least the algorithms used in the last session.
@showfuncdesc{gnutls_session_is_resumed}
@@ -1946,8 +1948,8 @@ additional session tickets at any time using @funcref{gnutls_session_ticket_send
@cindex Key pinning
@tindex gnutls_certificate_verify_flags
-In this section the functionality for additional certificate verification methods is listed.
-These methods are intended to be used in addition to normal PKI verification, in order to reduce
+In this section the functionality for additional certificate verification methods is listed.
+These methods are intended to be used in addition to normal PKI verification, in order to reduce
the risk of a compromised CA being undetected.
@subsubsection Trust on first use
@@ -1958,8 +1960,8 @@ The available functions to store and verify public keys are listed below.
@showfuncdesc{gnutls_verify_stored_pubkey}
@showfuncdesc{gnutls_store_pubkey}
-In addition to the above the @funcref{gnutls_store_commitment} can be
-used to implement a key-pinning architecture as in @xcite{KEYPIN}.
+In addition to the above the @funcref{gnutls_store_commitment} can be
+used to implement a key-pinning architecture as in @xcite{KEYPIN}.
This provides a way for web server to commit on a public key that is
not yet active.
@@ -2005,7 +2007,7 @@ indicate the status of the verification.
@showenumdesc{dane_verify_status_t,The DANE verification status flags.}
-In order to generate a DANE TLSA entry to use in a DNS server
+In order to generate a DANE TLSA entry to use in a DNS server
you may use danetool (see @ref{danetool Invocation}).
@@ -2151,9 +2153,9 @@ to derive keys to be used in another application or protocol (e.g., in an
other TLS session using pre-shared keys). The following describe GnuTLS'
implementation of RFC5705 to extract keys based on a session's master secret.
-The API to use is @funcref{gnutls_prf_rfc5705}. The
+The API to use is @funcref{gnutls_prf_rfc5705}. The
function needs to be provided with a label,
-and additional context data to mix in the @code{context} parameter.
+and additional context data to mix in the @code{context} parameter.
@showfuncdesc{gnutls_prf_rfc5705}
@@ -2225,19 +2227,19 @@ Note that it must be run after a successful TLS handshake.
@subsection Interoperability
The @acronym{TLS} protocols support many ciphersuites, extensions and version
-numbers. As a result, few implementations are
+numbers. As a result, few implementations are
not able to properly interoperate once faced with extensions or version protocols
they do not support and understand. The @acronym{TLS} protocol allows for a
-graceful downgrade to the commonly supported options, but practice shows
-it is not always implemented correctly.
+graceful downgrade to the commonly supported options, but practice shows
+it is not always implemented correctly.
Because there is no way to achieve maximum interoperability with broken peers
-without sacrificing security, @acronym{GnuTLS} ignores such peers by default.
+without sacrificing security, @acronym{GnuTLS} ignores such peers by default.
This might not be acceptable in cases where maximum compatibility
is required. Thus we allow enabling compatibility with broken peers using
priority strings (see @ref{Priority Strings}). A conservative priority
string that would disable certain @acronym{TLS} protocol
-options that are known to cause compatibility problems, is shown below.
+options that are known to cause compatibility problems, is shown below.
@verbatim
NORMAL:%COMPAT
@end verbatim
@@ -2247,8 +2249,8 @@ another priority string is:
@verbatim
NORMAL:-VERS-ALL:+VERS-TLS1.0:+VERS-SSL3.0:%COMPAT
@end verbatim
-This priority string will in addition to above, only enable SSL 3.0 and
-TLS 1.0 as protocols.
+This priority string will in addition to above, only enable SSL 3.0 and
+TLS 1.0 as protocols.
@node Compatibility with the OpenSSL library
@@ -2260,10 +2262,10 @@ compatibility layer with the OpenSSL library is included
in the @code{gnutls-openssl} library. This compatibility layer is not
complete and it is not intended to completely re-implement the OpenSSL
API with @acronym{GnuTLS}. It only provides limited source-level
-compatibility.
+compatibility.
The prototypes for the compatibility functions are in the
-@file{gnutls/openssl.h} header file. The limitations
+@file{gnutls/openssl.h} header file. The limitations
imposed by the compatibility layer include:
@itemize
diff --git a/doc/gnutls.texi b/doc/gnutls.texi
index b2291a6867..4de9de79cf 100644
--- a/doc/gnutls.texi
+++ b/doc/gnutls.texi
@@ -16,8 +16,8 @@
This manual is last updated @value{UPDATED} for version
@value{VERSION} of GnuTLS.
-Copyright @copyright{} 2001-2020 Free Software Foundation, Inc.\\
-Copyright @copyright{} 2001-2020 Nikos Mavrogiannopoulos
+Copyright @copyright{} 2001-2021 Free Software Foundation, Inc.\\
+Copyright @copyright{} 2001-2021 Nikos Mavrogiannopoulos
@quotation
Permission is granted to copy, distribute and/or modify this document
diff --git a/extra/Makefile.am b/extra/Makefile.am
index 738379f913..8042ae0c77 100644
--- a/extra/Makefile.am
+++ b/extra/Makefile.am
@@ -45,7 +45,8 @@ defexec_DATA =
# OpenSSL
-libgnutls_openssl_la_LDFLAGS = -no-undefined
+libgnutls_openssl_la_LDFLAGS = -no-undefined \
+ -export-symbols-regex "^[[:upper:]]"
if ENABLE_OPENSSL
lib_LTLIBRARIES = libgnutls-openssl.la
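Review bot: The `-export-symbols-regex "^[[:upper:]]"` added to `libgnutls_openssl_la_LDFLAGS` carries no comment, although it narrows the library's exported symbols to names beginning with an upper-case letter. Presumably the aim is to keep internal helper symbols out of the libgnutls-openssl ABI. Any lower-case-prefixed function that callers previously linked against would stop being exported as well, so the prototypes in `gnutls/openssl.h` are worth checking against the resulting symbol list. I would add `# Export only the OpenSSL-style API, whose symbols start with an upper-case letter.` above the assignment.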
diff --git a/fuzz/gnutls_handshake_client_fuzzer.c b/fuzz/gnutls_handshake_client_fuzzer.c
index 8ae5babdc0..f03b830248 100644
--- a/fuzz/gnutls_handshake_client_fuzzer.c
+++ b/fuzz/gnutls_handshake_client_fuzzer.c
@@ -49,6 +49,7 @@ int LLVMFuzzerTestOneInput(const uint8_t * data, size_t size)
gnutls_session_t session;
gnutls_certificate_credentials_t xcred;
struct mem_st memdata;
+ unsigned int retry;
res = gnutls_init(&session, GNUTLS_CLIENT);
assert(res >= 0);
@@ -69,6 +70,7 @@ int LLVMFuzzerTestOneInput(const uint8_t * data, size_t size)
gnutls_transport_set_pull_function(session, error_pull);
gnutls_handshake_set_read_function(session, handshake_discard);
+ retry = 0;
do {
res = gnutls_handshake(session);
if (res == GNUTLS_E_AGAIN) {
@@ -76,6 +78,12 @@ int LLVMFuzzerTestOneInput(const uint8_t * data, size_t size)
res = GNUTLS_E_INTERNAL_ERROR;
break;
}
+ if (retry > HANDSHAKE_MAX_RETRY_COUNT) {
+ break;
+ }
+ retry++;
+ } else {
+ retry = 0;
}
} while (res < 0 && gnutls_error_is_fatal(res) == 0);
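Review bot: The cap added inside the `GNUTLS_E_AGAIN` branch compares with `>`, so the loop tolerates HANDSHAKE_MAX_RETRY_COUNT + 1 consecutive would-block results before giving up. It also breaks with `res` still equal to GNUTLS_E_AGAIN, whereas the early exit just above it sets GNUTLS_E_INTERNAL_ERROR first. If the code after the loop (outside this hunk) inspects `res`, the two exits will be handled differently; `if (retry >= HANDSHAKE_MAX_RETRY_COUNT) { res = GNUTLS_E_INTERNAL_ERROR; break; }` would make them agree. A short comment such as `/* bound consecutive GNUTLS_E_AGAIN results so one input cannot keep the loop running */` would record what I take to be the purpose of the counter. The same block is added to fuzz/gnutls_handshake_server_fuzzer.c, where the point applies unchanged; LLVMFuzzerTestOneInput starts and ends outside the hunk.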
diff --git a/fuzz/gnutls_handshake_client_fuzzer.in/a3e993409526cd26a6a6f7599c7fef26acc93f6a3077eddef2b557161fbc778a b/fuzz/gnutls_handshake_client_fuzzer.in/a3e993409526cd26a6a6f7599c7fef26acc93f6a3077eddef2b557161fbc778a
new file mode 100644
index 0000000000..4e8caebd48
--- /dev/null
+++ b/fuzz/gnutls_handshake_client_fuzzer.in/a3e993409526cd26a6a6f7599c7fef26acc93f6a3077eddef2b557161fbc778a
Binary files differ
diff --git a/fuzz/gnutls_handshake_server_fuzzer.c b/fuzz/gnutls_handshake_server_fuzzer.c
index 06b4218dc7..dd58cecf82 100644
--- a/fuzz/gnutls_handshake_server_fuzzer.c
+++ b/fuzz/gnutls_handshake_server_fuzzer.c
@@ -51,6 +51,7 @@ int LLVMFuzzerTestOneInput(const uint8_t * data, size_t size)
gnutls_session_t session;
gnutls_certificate_credentials_t xcred;
struct mem_st memdata;
+ unsigned int retry;
res = gnutls_init(&session, GNUTLS_SERVER);
assert(res >= 0);
@@ -114,6 +115,7 @@ int LLVMFuzzerTestOneInput(const uint8_t * data, size_t size)
gnutls_transport_set_pull_function(session, error_pull);
gnutls_handshake_set_read_function(session, handshake_discard);
+ retry = 0;
do {
res = gnutls_handshake(session);
if (res == GNUTLS_E_AGAIN) {
@@ -121,6 +123,12 @@ int LLVMFuzzerTestOneInput(const uint8_t * data, size_t size)
res = GNUTLS_E_INTERNAL_ERROR;
break;
}
+ if (retry > HANDSHAKE_MAX_RETRY_COUNT) {
+ break;
+ }
+ retry++;
+ } else {
+ retry = 0;
}
} while (res < 0 && gnutls_error_is_fatal(res) == 0);
diff --git a/fuzz/gnutls_handshake_server_fuzzer.in/e42772ece86289ff9a1387235c19361d767d41ebbcdbbac22abac9b4435fda57 b/fuzz/gnutls_handshake_server_fuzzer.in/e42772ece86289ff9a1387235c19361d767d41ebbcdbbac22abac9b4435fda57
new file mode 100644
index 0000000000..bafc6b6521
--- /dev/null
+++ b/fuzz/gnutls_handshake_server_fuzzer.in/e42772ece86289ff9a1387235c19361d767d41ebbcdbbac22abac9b4435fda57
Binary files differ
diff --git a/fuzz/handshake.h b/fuzz/handshake.h
index 72f26e9ea2..34c7b701e6 100644
--- a/fuzz/handshake.h
+++ b/fuzz/handshake.h
@@ -24,6 +24,8 @@
#ifndef HANDSHAKE_H
# define HANDSHAKE_H
+#define HANDSHAKE_MAX_RETRY_COUNT 10
+
typedef struct mem_st {
const uint8_t *data;
size_t size;
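Review bot: The new `#define HANDSHAKE_MAX_RETRY_COUNT 10` has no comment and does not follow the `# define` indentation that the include guard directly above it uses. I would write it as `# define HANDSHAKE_MAX_RETRY_COUNT 10`, preceded by `/* Maximum number of consecutive GNUTLS_E_AGAIN results the handshake fuzzers accept before stopping. */`. That keeps the header's preprocessor style uniform and tells a reader of either fuzzer what the value bounds.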
@@ -60,7 +62,7 @@ handshake_pull(gnutls_session_t session, mem_st *data)
return -1;
}
- level = (data->data[0] << 24) | (data->data[1] << 16) |
+ level = ((unsigned)data->data[0] << 24) | (data->data[1] << 16) |
(data->data[2] << 8) | data->data[3];
data->size -= 4;
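Review bot: Only the first byte is cast in the `level` computation, so the other three operands still go through promotion to `int`, and the same big-endian read is repeated for `size` in the next hunk. The result is correct as written, since the cast stops a byte of 0x80 or above from being shifted into the sign bit, but a reader has to re-derive in two places why one cast is enough. A small helper that casts every byte to `uint32_t` keeps that reasoning in one spot; a sketch follows. handshake_pull starts and ends outside the hunk and the declarations of `level` and `size` are not visible here, so the assignments should be checked against their types.

```c
/* Read a 32-bit big-endian value from four bytes of fuzz input. */
static inline uint32_t read_be32(const uint8_t *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	       ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* … unchanged: check preceding the first read in handshake_pull … */
	level = read_be32(data->data);
	data->size -= 4;
/* … unchanged: code between the two reads … */
	size = read_be32(data->data);
```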
@@ -70,7 +72,7 @@ handshake_pull(gnutls_session_t session, mem_st *data)
return -1;
}
- size = (data->data[0] << 24) | (data->data[1] << 16) |
+ size = ((unsigned)data->data[0] << 24) | (data->data[1] << 16) |
(data->data[2] << 8) | data->data[3];
data->size -= 4;
diff --git a/gnulib b/gnulib
-Subproject 46bdd627ff522193134d31bdfd3ac4e4fddb597
+Subproject b29d62dfaf8c55b18e9c8f30322a9bcde5255cb
diff --git a/lib/accelerated/aarch64/elf/aes-aarch64.s b/lib/accelerated/aarch64/elf/aes-aarch64.s
index ab227a8c14..b9b4b4b6e4 100644
--- a/lib/accelerated/aarch64/elf/aes-aarch64.s
+++ b/lib/accelerated/aarch64/elf/aes-aarch64.s
@@ -147,7 +147,12 @@ aes_v8_set_encrypt_key:
.Loop192:
tbl v6.16b,{v4.16b},v2.16b
ext v5.16b,v0.16b,v3.16b,#12
+
+
+
+
st1 {v4.8b},[x2],#8
+
aese v6.16b,v0.16b
subs w1,w1,#1
@@ -618,6 +623,9 @@ aes_v8_ctr32_encrypt_blocks:
ldr w5,[x3,#240]
ldr w8, [x4, #12]
+
+
+
ld1 {v0.4s},[x4]
ld1 {v16.4s,v17.4s},[x3]
diff --git a/lib/accelerated/aarch64/elf/sha1-armv8.s b/lib/accelerated/aarch64/elf/sha1-armv8.s
index 4b65cf6ea8..0de5de02f2 100644
--- a/lib/accelerated/aarch64/elf/sha1-armv8.s
+++ b/lib/accelerated/aarch64/elf/sha1-armv8.s
@@ -47,6 +47,7 @@
.text
+.hidden _gnutls_arm_cpuid_s
.globl sha1_block_data_order
.type sha1_block_data_order,%function
.align 6
@@ -1262,5 +1263,4 @@ sha1_block_armv8:
.byte 83,72,65,49,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0
.align 2
.align 2
-.comm _gnutls_arm_cpuid_s,4,4
.section .note.GNU-stack,"",%progbits
diff --git a/lib/accelerated/aarch64/elf/sha256-armv8.s b/lib/accelerated/aarch64/elf/sha256-armv8.s
index bc3f146c68..2d13b5e427 100644
--- a/lib/accelerated/aarch64/elf/sha256-armv8.s
+++ b/lib/accelerated/aarch64/elf/sha256-armv8.s
@@ -49,6 +49,7 @@
.text
+.hidden _gnutls_arm_cpuid_s
.globl sha256_block_data_order
.type sha256_block_data_order,%function
.align 6
@@ -2050,6 +2051,4 @@ sha256_block_neon:
add sp,sp,#16*4+16
ret
.size sha256_block_neon,.-sha256_block_neon
-
-.comm _gnutls_arm_cpuid_s,4,4
.section .note.GNU-stack,"",%progbits
diff --git a/lib/accelerated/aarch64/elf/sha512-armv8.s b/lib/accelerated/aarch64/elf/sha512-armv8.s
index b036c2a121..13384fc827 100644
--- a/lib/accelerated/aarch64/elf/sha512-armv8.s
+++ b/lib/accelerated/aarch64/elf/sha512-armv8.s
@@ -49,6 +49,7 @@
.text
+.hidden _gnutls_arm_cpuid_s
.globl sha512_block_data_order
.type sha512_block_data_order,%function
.align 6
@@ -1604,7 +1605,4 @@ sha512_block_armv8:
ldr x29,[sp],#16
ret
.size sha512_block_armv8,.-sha512_block_armv8
-
-
-.comm _gnutls_arm_cpuid_s,4,4
.section .note.GNU-stack,"",%progbits
diff --git a/lib/accelerated/aarch64/macosx/aes-aarch64.s b/lib/accelerated/aarch64/macosx/aes-aarch64.s
index 7acabf3f25..4b55f88071 100644
--- a/lib/accelerated/aarch64/macosx/aes-aarch64.s
+++ b/lib/accelerated/aarch64/macosx/aes-aarch64.s
@@ -147,7 +147,12 @@ L192:
Loop192:
tbl v6.16b,{v4.16b},v2.16b
ext v5.16b,v0.16b,v3.16b,#12
+
+
+
+
st1 {v4.8b},[x2],#8
+
aese v6.16b,v0.16b
subs w1,w1,#1
@@ -618,6 +623,9 @@ _aes_v8_ctr32_encrypt_blocks:
ldr w5,[x3,#240]
ldr w8, [x4, #12]
+
+
+
ld1 {v0.4s},[x4]
ld1 {v16.4s,v17.4s},[x3]
diff --git a/lib/accelerated/aarch64/macosx/sha1-armv8.s b/lib/accelerated/aarch64/macosx/sha1-armv8.s
index 8e1e12edf6..9b2bdf2d85 100644
--- a/lib/accelerated/aarch64/macosx/sha1-armv8.s
+++ b/lib/accelerated/aarch64/macosx/sha1-armv8.s
@@ -47,6 +47,7 @@
.text
+.private_extern __gnutls_arm_cpuid_s
.globl _sha1_block_data_order
.align 6
@@ -1262,4 +1263,3 @@ L_gnutls_arm_cpuid_s:
.byte 83,72,65,49,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0
.align 2
.align 2
-.comm __gnutls_arm_cpuid_s,4,4
diff --git a/lib/accelerated/aarch64/macosx/sha256-armv8.s b/lib/accelerated/aarch64/macosx/sha256-armv8.s
index fc6424975c..3ee6befc66 100644
--- a/lib/accelerated/aarch64/macosx/sha256-armv8.s
+++ b/lib/accelerated/aarch64/macosx/sha256-armv8.s
@@ -49,6 +49,7 @@
.text
+.private_extern __gnutls_arm_cpuid_s
.globl _sha256_block_data_order
.align 6
@@ -2049,6 +2050,3 @@ L_00_48:
ldr x29,[x29]
add sp,sp,#16*4+16
ret
-
-
-.comm __gnutls_arm_cpuid_s,4,4
diff --git a/lib/accelerated/aarch64/macosx/sha512-armv8.s b/lib/accelerated/aarch64/macosx/sha512-armv8.s
index 43af71fa48..8c3abda83b 100644
--- a/lib/accelerated/aarch64/macosx/sha512-armv8.s
+++ b/lib/accelerated/aarch64/macosx/sha512-armv8.s
@@ -49,6 +49,7 @@
.text
+.private_extern __gnutls_arm_cpuid_s
.globl _sha512_block_data_order
.align 6
@@ -1603,7 +1604,3 @@ Loop_hw:
ldr x29,[sp],#16
ret
-
-
-
-.comm __gnutls_arm_cpuid_s,4,4
diff --git a/lib/accelerated/x86/coff/aesni-gcm-x86_64.s b/lib/accelerated/x86/coff/aesni-gcm-x86_64.s
index 7988004cb0..ab4e37c043 100644
--- a/lib/accelerated/x86/coff/aesni-gcm-x86_64.s
+++ b/lib/accelerated/x86/coff/aesni-gcm-x86_64.s
@@ -42,6 +42,7 @@
.def _aesni_ctr32_ghash_6x; .scl 3; .type 32; .endef
.p2align 5
_aesni_ctr32_ghash_6x:
+
vmovdqu 32(%r11),%xmm2
subq $6,%rdx
vpxor %xmm4,%xmm4,%xmm4
@@ -350,6 +351,7 @@ _aesni_ctr32_ghash_6x:
.byte 0xf3,0xc3
+
.globl aesni_gcm_decrypt
.def aesni_gcm_decrypt; .scl 2; .type 32; .endef
.p2align 5
@@ -490,6 +492,7 @@ aesni_gcm_decrypt:
.def _aesni_ctr32_6x; .scl 3; .type 32; .endef
.p2align 5
_aesni_ctr32_6x:
+
vmovdqu 0-128(%rcx),%xmm4
vmovdqu 32(%r11),%xmm2
leaq -1(%rbp),%r13
@@ -578,6 +581,7 @@ _aesni_ctr32_6x:
jmp .Loop_ctr32
+
.globl aesni_gcm_encrypt
.def aesni_gcm_encrypt; .scl 2; .type 32; .endef
.p2align 5
diff --git a/lib/accelerated/x86/coff/aesni-x86_64.s b/lib/accelerated/x86/coff/aesni-x86_64.s
index 4e8de065f2..3a07713e4e 100644
--- a/lib/accelerated/x86/coff/aesni-x86_64.s
+++ b/lib/accelerated/x86/coff/aesni-x86_64.s
@@ -939,6 +939,7 @@ aesni_ccm64_encrypt_blocks:
movq 40(%rsp),%r8
movq 48(%rsp),%r9
+
leaq -88(%rsp),%rsp
movaps %xmm6,(%rsp)
movaps %xmm7,16(%rsp)
@@ -1015,6 +1016,7 @@ aesni_ccm64_encrypt_blocks:
movq 8(%rsp),%rdi
movq 16(%rsp),%rsi
.byte 0xf3,0xc3
+
.LSEH_end_aesni_ccm64_encrypt_blocks:
.globl aesni_ccm64_decrypt_blocks
.def aesni_ccm64_decrypt_blocks; .scl 2; .type 32; .endef
@@ -1031,6 +1033,7 @@ aesni_ccm64_decrypt_blocks:
movq 40(%rsp),%r8
movq 48(%rsp),%r9
+
leaq -88(%rsp),%rsp
movaps %xmm6,(%rsp)
movaps %xmm7,16(%rsp)
@@ -1141,6 +1144,7 @@ aesni_ccm64_decrypt_blocks:
movq 8(%rsp),%rdi
movq 16(%rsp),%rsi
.byte 0xf3,0xc3
+
.LSEH_end_aesni_ccm64_decrypt_blocks:
.globl aesni_ctr32_encrypt_blocks
.def aesni_ctr32_encrypt_blocks; .scl 2; .type 32; .endef
@@ -3046,6 +3050,7 @@ aesni_ocb_encrypt:
.def __ocb_encrypt6; .scl 3; .type 32; .endef
.p2align 5
__ocb_encrypt6:
+
pxor %xmm9,%xmm15
movdqu (%rbx,%r12,1),%xmm11
movdqa %xmm10,%xmm12
@@ -3145,9 +3150,11 @@ __ocb_encrypt6:
.byte 0xf3,0xc3
+
.def __ocb_encrypt4; .scl 3; .type 32; .endef
.p2align 5
__ocb_encrypt4:
+
pxor %xmm9,%xmm15
movdqu (%rbx,%r12,1),%xmm11
movdqa %xmm10,%xmm12
@@ -3214,9 +3221,11 @@ __ocb_encrypt4:
.byte 0xf3,0xc3
+
.def __ocb_encrypt1; .scl 3; .type 32; .endef
.p2align 5
__ocb_encrypt1:
+
pxor %xmm15,%xmm7
pxor %xmm9,%xmm7
pxor %xmm2,%xmm8
@@ -3249,6 +3258,7 @@ __ocb_encrypt1:
.byte 0xf3,0xc3
+
.globl aesni_ocb_decrypt
.def aesni_ocb_decrypt; .scl 2; .type 32; .endef
.p2align 5
@@ -3519,6 +3529,7 @@ aesni_ocb_decrypt:
.def __ocb_decrypt6; .scl 3; .type 32; .endef
.p2align 5
__ocb_decrypt6:
+
pxor %xmm9,%xmm15
movdqu (%rbx,%r12,1),%xmm11
movdqa %xmm10,%xmm12
@@ -3612,9 +3623,11 @@ __ocb_decrypt6:
.byte 0xf3,0xc3
+
.def __ocb_decrypt4; .scl 3; .type 32; .endef
.p2align 5
__ocb_decrypt4:
+
pxor %xmm9,%xmm15
movdqu (%rbx,%r12,1),%xmm11
movdqa %xmm10,%xmm12
@@ -3677,9 +3690,11 @@ __ocb_decrypt4:
.byte 0xf3,0xc3
+
.def __ocb_decrypt1; .scl 3; .type 32; .endef
.p2align 5
__ocb_decrypt1:
+
pxor %xmm15,%xmm7
pxor %xmm9,%xmm7
pxor %xmm7,%xmm2
@@ -3710,6 +3725,7 @@ __ocb_decrypt1:
.byte 102,15,56,223,215
.byte 0xf3,0xc3
+
.globl aesni_cbc_encrypt
.def aesni_cbc_encrypt; .scl 2; .type 32; .endef
.p2align 4
@@ -4687,7 +4703,6 @@ __aesni_set_encrypt_key:
addq $8,%rsp
.byte 0xf3,0xc3
-
.LSEH_end_set_encrypt_key:
.p2align 4
@@ -4760,6 +4775,7 @@ __aesni_set_encrypt_key:
.byte 0xf3,0xc3
+
.p2align 6
.Lbswap_mask:
.byte 15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0
diff --git a/lib/accelerated/x86/coff/sha1-ssse3-x86_64.s b/lib/accelerated/x86/coff/sha1-ssse3-x86_64.s
index cdfc88254e..79f841f1ac 100644
--- a/lib/accelerated/x86/coff/sha1-ssse3-x86_64.s
+++ b/lib/accelerated/x86/coff/sha1-ssse3-x86_64.s
@@ -1490,10 +1490,10 @@ _shaext_shortcut:
movaps -8-16(%rax),%xmm9
movq %rax,%rsp
.Lepilogue_shaext:
-
movq 8(%rsp),%rdi
movq 16(%rsp),%rsi
.byte 0xf3,0xc3
+
.LSEH_end_sha1_block_data_order_shaext:
.def sha1_block_data_order_ssse3; .scl 3; .type 32; .endef
.p2align 4
diff --git a/lib/accelerated/x86/coff/sha256-ssse3-x86_64.s b/lib/accelerated/x86/coff/sha256-ssse3-x86_64.s
index d2fc1957ea..78fae2a623 100644
--- a/lib/accelerated/x86/coff/sha256-ssse3-x86_64.s
+++ b/lib/accelerated/x86/coff/sha256-ssse3-x86_64.s
@@ -1832,6 +1832,7 @@ sha256_block_data_order_shaext:
movq %r8,%rdx
_shaext_shortcut:
+
leaq -88(%rsp),%rsp
movaps %xmm6,-8-80(%rax)
movaps %xmm7,-8-64(%rax)
@@ -2050,6 +2051,7 @@ _shaext_shortcut:
movq 8(%rsp),%rdi
movq 16(%rsp),%rsi
.byte 0xf3,0xc3
+
.LSEH_end_sha256_block_data_order_shaext:
.def sha256_block_data_order_ssse3; .scl 3; .type 32; .endef
.p2align 6
@@ -5501,6 +5503,8 @@ sha256_block_data_order_avx2:
leaq 448(%rsp),%rsp
+
+
addl 0(%rdi),%eax
addl 4(%rdi),%ebx
addl 8(%rdi),%ecx
@@ -5526,15 +5530,17 @@ sha256_block_data_order_avx2:
jbe .Loop_avx2
leaq (%rsp),%rbp
+
+
+
.Ldone_avx2:
- leaq (%rbp),%rsp
- movq 88(%rsp),%rsi
+ movq 88(%rbp),%rsi
vzeroupper
- movaps 64+32(%rsp),%xmm6
- movaps 64+48(%rsp),%xmm7
- movaps 64+64(%rsp),%xmm8
- movaps 64+80(%rsp),%xmm9
+ movaps 64+32(%rbp),%xmm6
+ movaps 64+48(%rbp),%xmm7
+ movaps 64+64(%rbp),%xmm8
+ movaps 64+80(%rbp),%xmm9
movq -48(%rsi),%r15
movq -40(%rsi),%r14
diff --git a/lib/accelerated/x86/coff/sha512-ssse3-x86_64.s b/lib/accelerated/x86/coff/sha512-ssse3-x86_64.s
index 419fa2a980..836e0cf66e 100644
--- a/lib/accelerated/x86/coff/sha512-ssse3-x86_64.s
+++ b/lib/accelerated/x86/coff/sha512-ssse3-x86_64.s
@@ -5494,6 +5494,8 @@ sha512_block_data_order_avx2:
leaq 1152(%rsp),%rsp
+
+
addq 0(%rdi),%rax
addq 8(%rdi),%rbx
addq 16(%rdi),%rcx
@@ -5519,17 +5521,19 @@ sha512_block_data_order_avx2:
jbe .Loop_avx2
leaq (%rsp),%rbp
+
+
+
.Ldone_avx2:
- leaq (%rbp),%rsp
- movq 152(%rsp),%rsi
+ movq 152(%rbp),%rsi
vzeroupper
- movaps 128+32(%rsp),%xmm6
- movaps 128+48(%rsp),%xmm7
- movaps 128+64(%rsp),%xmm8
- movaps 128+80(%rsp),%xmm9
- movaps 128+96(%rsp),%xmm10
- movaps 128+112(%rsp),%xmm11
+ movaps 128+32(%rbp),%xmm6
+ movaps 128+48(%rbp),%xmm7
+ movaps 128+64(%rbp),%xmm8
+ movaps 128+80(%rbp),%xmm9
+ movaps 128+96(%rbp),%xmm10
+ movaps 128+112(%rbp),%xmm11
movq -48(%rsi),%r15
movq -40(%rsi),%r14
diff --git a/lib/accelerated/x86/elf/aesni-gcm-x86_64.s b/lib/accelerated/x86/elf/aesni-gcm-x86_64.s
index e26d18d69f..461dd026b9 100644
--- a/lib/accelerated/x86/elf/aesni-gcm-x86_64.s
+++ b/lib/accelerated/x86/elf/aesni-gcm-x86_64.s
@@ -42,6 +42,7 @@
.type _aesni_ctr32_ghash_6x,@function
.align 32
_aesni_ctr32_ghash_6x:
+.cfi_startproc
vmovdqu 32(%r11),%xmm2
subq $6,%rdx
vpxor %xmm4,%xmm4,%xmm4
@@ -349,6 +350,7 @@ _aesni_ctr32_ghash_6x:
vpxor %xmm4,%xmm8,%xmm8
.byte 0xf3,0xc3
+.cfi_endproc
.size _aesni_ctr32_ghash_6x,.-_aesni_ctr32_ghash_6x
.globl aesni_gcm_decrypt
.type aesni_gcm_decrypt,@function
@@ -455,6 +457,7 @@ aesni_gcm_decrypt:
.type _aesni_ctr32_6x,@function
.align 32
_aesni_ctr32_6x:
+.cfi_startproc
vmovdqu 0-128(%rcx),%xmm4
vmovdqu 32(%r11),%xmm2
leaq -1(%rbp),%r13
@@ -541,6 +544,7 @@ _aesni_ctr32_6x:
vpshufb %xmm0,%xmm1,%xmm1
vpxor %xmm4,%xmm14,%xmm14
jmp .Loop_ctr32
+.cfi_endproc
.size _aesni_ctr32_6x,.-_aesni_ctr32_6x
.globl aesni_gcm_encrypt
diff --git a/lib/accelerated/x86/elf/aesni-x86_64.s b/lib/accelerated/x86/elf/aesni-x86_64.s
index 43cf4e68de..acc7c2c555 100644
--- a/lib/accelerated/x86/elf/aesni-x86_64.s
+++ b/lib/accelerated/x86/elf/aesni-x86_64.s
@@ -900,6 +900,7 @@ aesni_ecb_encrypt:
.type aesni_ccm64_encrypt_blocks,@function
.align 16
aesni_ccm64_encrypt_blocks:
+.cfi_startproc
movl 240(%rcx),%eax
movdqu (%r8),%xmm6
movdqa .Lincrement64(%rip),%xmm9
@@ -958,11 +959,13 @@ aesni_ccm64_encrypt_blocks:
pxor %xmm8,%xmm8
pxor %xmm6,%xmm6
.byte 0xf3,0xc3
+.cfi_endproc
.size aesni_ccm64_encrypt_blocks,.-aesni_ccm64_encrypt_blocks
.globl aesni_ccm64_decrypt_blocks
.type aesni_ccm64_decrypt_blocks,@function
.align 16
aesni_ccm64_decrypt_blocks:
+.cfi_startproc
movl 240(%rcx),%eax
movups (%r8),%xmm6
movdqu (%r9),%xmm3
@@ -1055,6 +1058,7 @@ aesni_ccm64_decrypt_blocks:
pxor %xmm8,%xmm8
pxor %xmm6,%xmm6
.byte 0xf3,0xc3
+.cfi_endproc
.size aesni_ccm64_decrypt_blocks,.-aesni_ccm64_decrypt_blocks
.globl aesni_ctr32_encrypt_blocks
.type aesni_ctr32_encrypt_blocks,@function
@@ -2829,6 +2833,7 @@ aesni_ocb_encrypt:
.type __ocb_encrypt6,@function
.align 32
__ocb_encrypt6:
+.cfi_startproc
pxor %xmm9,%xmm15
movdqu (%rbx,%r12,1),%xmm11
movdqa %xmm10,%xmm12
@@ -2926,11 +2931,13 @@ __ocb_encrypt6:
.byte 102,65,15,56,221,246
.byte 102,65,15,56,221,255
.byte 0xf3,0xc3
+.cfi_endproc
.size __ocb_encrypt6,.-__ocb_encrypt6
.type __ocb_encrypt4,@function
.align 32
__ocb_encrypt4:
+.cfi_startproc
pxor %xmm9,%xmm15
movdqu (%rbx,%r12,1),%xmm11
movdqa %xmm10,%xmm12
@@ -2995,11 +3002,13 @@ __ocb_encrypt4:
.byte 102,65,15,56,221,228
.byte 102,65,15,56,221,237
.byte 0xf3,0xc3
+.cfi_endproc
.size __ocb_encrypt4,.-__ocb_encrypt4
.type __ocb_encrypt1,@function
.align 32
__ocb_encrypt1:
+.cfi_startproc
pxor %xmm15,%xmm7
pxor %xmm9,%xmm7
pxor %xmm2,%xmm8
@@ -3030,6 +3039,7 @@ __ocb_encrypt1:
.byte 102,15,56,221,215
.byte 0xf3,0xc3
+.cfi_endproc
.size __ocb_encrypt1,.-__ocb_encrypt1
.globl aesni_ocb_decrypt
@@ -3272,6 +3282,7 @@ aesni_ocb_decrypt:
.type __ocb_decrypt6,@function
.align 32
__ocb_decrypt6:
+.cfi_startproc
pxor %xmm9,%xmm15
movdqu (%rbx,%r12,1),%xmm11
movdqa %xmm10,%xmm12
@@ -3363,11 +3374,13 @@ __ocb_decrypt6:
.byte 102,65,15,56,223,246
.byte 102,65,15,56,223,255
.byte 0xf3,0xc3
+.cfi_endproc
.size __ocb_decrypt6,.-__ocb_decrypt6
.type __ocb_decrypt4,@function
.align 32
__ocb_decrypt4:
+.cfi_startproc
pxor %xmm9,%xmm15
movdqu (%rbx,%r12,1),%xmm11
movdqa %xmm10,%xmm12
@@ -3428,11 +3441,13 @@ __ocb_decrypt4:
.byte 102,65,15,56,223,228
.byte 102,65,15,56,223,237
.byte 0xf3,0xc3
+.cfi_endproc
.size __ocb_decrypt4,.-__ocb_decrypt4
.type __ocb_decrypt1,@function
.align 32
__ocb_decrypt1:
+.cfi_startproc
pxor %xmm15,%xmm7
pxor %xmm9,%xmm7
pxor %xmm7,%xmm2
@@ -3462,6 +3477,7 @@ __ocb_decrypt1:
.byte 102,15,56,223,215
.byte 0xf3,0xc3
+.cfi_endproc
.size __ocb_decrypt1,.-__ocb_decrypt1
.globl aesni_cbc_encrypt
.type aesni_cbc_encrypt,@function
@@ -4400,7 +4416,6 @@ __aesni_set_encrypt_key:
addq $8,%rsp
.cfi_adjust_cfa_offset -8
.byte 0xf3,0xc3
-.cfi_endproc
.LSEH_end_set_encrypt_key:
.align 16
@@ -4471,6 +4486,7 @@ __aesni_set_encrypt_key:
shufps $170,%xmm1,%xmm1
xorps %xmm1,%xmm2
.byte 0xf3,0xc3
+.cfi_endproc
.size aesni_set_encrypt_key,.-aesni_set_encrypt_key
.size __aesni_set_encrypt_key,.-__aesni_set_encrypt_key
.align 64
diff --git a/lib/accelerated/x86/elf/sha1-ssse3-x86_64.s b/lib/accelerated/x86/elf/sha1-ssse3-x86_64.s
index 1e6546e11e..d34f34497c 100644
--- a/lib/accelerated/x86/elf/sha1-ssse3-x86_64.s
+++ b/lib/accelerated/x86/elf/sha1-ssse3-x86_64.s
@@ -1460,8 +1460,8 @@ _shaext_shortcut:
pshufd $27,%xmm1,%xmm1
movdqu %xmm0,(%rdi)
movd %xmm1,16(%rdi)
-.cfi_endproc
.byte 0xf3,0xc3
+.cfi_endproc
.size sha1_block_data_order_shaext,.-sha1_block_data_order_shaext
.type sha1_block_data_order_ssse3,@function
.align 16
diff --git a/lib/accelerated/x86/elf/sha256-ssse3-x86_64.s b/lib/accelerated/x86/elf/sha256-ssse3-x86_64.s
index 4b08e0c85e..d196c6a793 100644
--- a/lib/accelerated/x86/elf/sha256-ssse3-x86_64.s
+++ b/lib/accelerated/x86/elf/sha256-ssse3-x86_64.s
@@ -1814,6 +1814,7 @@ K256:
.align 64
sha256_block_data_order_shaext:
_shaext_shortcut:
+.cfi_startproc
leaq K256+128(%rip),%rcx
movdqu (%rdi),%xmm1
movdqu 16(%rdi),%xmm2
@@ -2016,6 +2017,7 @@ _shaext_shortcut:
movdqu %xmm1,(%rdi)
movdqu %xmm2,16(%rdi)
.byte 0xf3,0xc3
+.cfi_endproc
.size sha256_block_data_order_shaext,.-sha256_block_data_order_shaext
.type sha256_block_data_order_ssse3,@function
.align 64
@@ -4277,7 +4279,15 @@ sha256_block_data_order_avx2:
vmovdqa %ymm4,0(%rsp)
xorl %r14d,%r14d
vmovdqa %ymm5,32(%rsp)
+
+ movq 88(%rsp),%rdi
+.cfi_def_cfa %rdi,8
leaq -64(%rsp),%rsp
+
+
+
+ movq %rdi,-8(%rsp)
+.cfi_escape 0x0f,0x05,0x77,0x78,0x06,0x23,0x08
movl %ebx,%edi
vmovdqa %ymm6,0(%rsp)
xorl %ecx,%edi
@@ -4289,6 +4299,12 @@ sha256_block_data_order_avx2:
.align 16
.Lavx2_00_47:
leaq -64(%rsp),%rsp
+.cfi_escape 0x0f,0x05,0x77,0x38,0x06,0x23,0x08
+
+ pushq 64-8(%rsp)
+.cfi_escape 0x0f,0x05,0x77,0x00,0x06,0x23,0x08
+ leaq 8(%rsp),%rsp
+.cfi_escape 0x0f,0x05,0x77,0x78,0x06,0x23,0x08
vpalignr $4,%ymm0,%ymm1,%ymm4
addl 0+128(%rsp),%r11d
andl %r8d,%r12d
@@ -4544,6 +4560,12 @@ sha256_block_data_order_avx2:
movl %r9d,%r12d
vmovdqa %ymm6,32(%rsp)
leaq -64(%rsp),%rsp
+.cfi_escape 0x0f,0x05,0x77,0x38,0x06,0x23,0x08
+
+ pushq 64-8(%rsp)
+.cfi_escape 0x0f,0x05,0x77,0x00,0x06,0x23,0x08
+ leaq 8(%rsp),%rsp
+.cfi_escape 0x0f,0x05,0x77,0x78,0x06,0x23,0x08
vpalignr $4,%ymm2,%ymm3,%ymm4
addl 0+128(%rsp),%r11d
andl %r8d,%r12d
@@ -5419,6 +5441,8 @@ sha256_block_data_order_avx2:
leaq 448(%rsp),%rsp
+.cfi_escape 0x0f,0x06,0x77,0xd8,0x00,0x06,0x23,0x08
+
addl 0(%rdi),%eax
addl 4(%rdi),%ebx
addl 8(%rdi),%ecx
@@ -5444,9 +5468,11 @@ sha256_block_data_order_avx2:
jbe .Loop_avx2
leaq (%rsp),%rbp
+
+.cfi_escape 0x0f,0x06,0x76,0xd8,0x00,0x06,0x23,0x08
+
.Ldone_avx2:
- leaq (%rbp),%rsp
- movq 88(%rsp),%rsi
+ movq 88(%rbp),%rsi
.cfi_def_cfa %rsi,8
vzeroupper
movq -48(%rsi),%r15
diff --git a/lib/accelerated/x86/elf/sha512-ssse3-x86_64.s b/lib/accelerated/x86/elf/sha512-ssse3-x86_64.s
index e384d7e9e8..446c06a3e6 100644
--- a/lib/accelerated/x86/elf/sha512-ssse3-x86_64.s
+++ b/lib/accelerated/x86/elf/sha512-ssse3-x86_64.s
@@ -4204,7 +4204,15 @@ sha512_block_data_order_avx2:
vmovdqa %ymm10,64(%rsp)
vpaddq 64(%rbp),%ymm6,%ymm10
vmovdqa %ymm11,96(%rsp)
+
+ movq 152(%rsp),%rdi
+.cfi_def_cfa %rdi,8
leaq -128(%rsp),%rsp
+
+
+
+ movq %rdi,-8(%rsp)
+.cfi_escape 0x0f,0x05,0x77,0x78,0x06,0x23,0x08
vpaddq 96(%rbp),%ymm7,%ymm11
vmovdqa %ymm8,0(%rsp)
xorq %r14,%r14
@@ -4220,6 +4228,12 @@ sha512_block_data_order_avx2:
.align 16
.Lavx2_00_47:
leaq -128(%rsp),%rsp
+.cfi_escape 0x0f,0x06,0x77,0xf8,0x00,0x06,0x23,0x08
+
+ pushq 128-8(%rsp)
+.cfi_escape 0x0f,0x05,0x77,0x00,0x06,0x23,0x08
+ leaq 8(%rsp),%rsp
+.cfi_escape 0x0f,0x05,0x77,0x78,0x06,0x23,0x08
vpalignr $8,%ymm0,%ymm1,%ymm8
addq 0+256(%rsp),%r11
andq %r8,%r12
@@ -4513,6 +4527,12 @@ sha512_block_data_order_avx2:
movq %r9,%r12
vmovdqa %ymm10,96(%rsp)
leaq -128(%rsp),%rsp
+.cfi_escape 0x0f,0x06,0x77,0xf8,0x00,0x06,0x23,0x08
+
+ pushq 128-8(%rsp)
+.cfi_escape 0x0f,0x05,0x77,0x00,0x06,0x23,0x08
+ leaq 8(%rsp),%rsp
+.cfi_escape 0x0f,0x05,0x77,0x78,0x06,0x23,0x08
vpalignr $8,%ymm4,%ymm5,%ymm8
addq 0+256(%rsp),%r11
andq %r8,%r12
@@ -5426,6 +5446,8 @@ sha512_block_data_order_avx2:
leaq 1152(%rsp),%rsp
+.cfi_escape 0x0f,0x06,0x77,0x98,0x01,0x06,0x23,0x08
+
addq 0(%rdi),%rax
addq 8(%rdi),%rbx
addq 16(%rdi),%rcx
@@ -5451,9 +5473,11 @@ sha512_block_data_order_avx2:
jbe .Loop_avx2
leaq (%rsp),%rbp
+
+.cfi_escape 0x0f,0x06,0x76,0x98,0x01,0x06,0x23,0x08
+
.Ldone_avx2:
- leaq (%rbp),%rsp
- movq 152(%rsp),%rsi
+ movq 152(%rbp),%rsi
.cfi_def_cfa %rsi,8
vzeroupper
movq -48(%rsi),%r15
diff --git a/lib/accelerated/x86/macosx/aesni-gcm-x86_64.s b/lib/accelerated/x86/macosx/aesni-gcm-x86_64.s
index d540930b5b..1d323b166a 100644
--- a/lib/accelerated/x86/macosx/aesni-gcm-x86_64.s
+++ b/lib/accelerated/x86/macosx/aesni-gcm-x86_64.s
@@ -42,6 +42,7 @@
.p2align 5
_aesni_ctr32_ghash_6x:
+
vmovdqu 32(%r11),%xmm2
subq $6,%rdx
vpxor %xmm4,%xmm4,%xmm4
@@ -350,6 +351,7 @@ L$6x_done:
.byte 0xf3,0xc3
+
.globl _aesni_gcm_decrypt
.p2align 5
@@ -455,6 +457,7 @@ L$gcm_dec_abort:
.p2align 5
_aesni_ctr32_6x:
+
vmovdqu 0-128(%rcx),%xmm4
vmovdqu 32(%r11),%xmm2
leaq -1(%rbp),%r13
@@ -543,6 +546,7 @@ L$handle_ctr32_2:
jmp L$oop_ctr32
+
.globl _aesni_gcm_encrypt
.p2align 5
diff --git a/lib/accelerated/x86/macosx/aesni-x86_64.s b/lib/accelerated/x86/macosx/aesni-x86_64.s
index f6145f166b..3601d54386 100644
--- a/lib/accelerated/x86/macosx/aesni-x86_64.s
+++ b/lib/accelerated/x86/macosx/aesni-x86_64.s
@@ -900,6 +900,7 @@ L$ecb_ret:
.p2align 4
_aesni_ccm64_encrypt_blocks:
+
movl 240(%rcx),%eax
movdqu (%r8),%xmm6
movdqa L$increment64(%rip),%xmm9
@@ -959,10 +960,12 @@ L$ccm64_enc2_loop:
pxor %xmm6,%xmm6
.byte 0xf3,0xc3
+
.globl _aesni_ccm64_decrypt_blocks
.p2align 4
_aesni_ccm64_decrypt_blocks:
+
movl 240(%rcx),%eax
movups (%r8),%xmm6
movdqu (%r9),%xmm3
@@ -1056,6 +1059,7 @@ L$oop_enc1_6:
pxor %xmm6,%xmm6
.byte 0xf3,0xc3
+
.globl _aesni_ctr32_encrypt_blocks
.p2align 4
@@ -2824,6 +2828,7 @@ L$ocb_enc_epilogue:
.p2align 5
__ocb_encrypt6:
+
pxor %xmm9,%xmm15
movdqu (%rbx,%r12,1),%xmm11
movdqa %xmm10,%xmm12
@@ -2924,8 +2929,10 @@ L$ocb_enc_loop6:
+
.p2align 5
__ocb_encrypt4:
+
pxor %xmm9,%xmm15
movdqu (%rbx,%r12,1),%xmm11
movdqa %xmm10,%xmm12
@@ -2993,8 +3000,10 @@ L$ocb_enc_loop4:
+
.p2align 5
__ocb_encrypt1:
+
pxor %xmm15,%xmm7
pxor %xmm9,%xmm7
pxor %xmm2,%xmm8
@@ -3027,6 +3036,7 @@ L$ocb_enc_loop1:
.byte 0xf3,0xc3
+
.globl _aesni_ocb_decrypt
.p2align 5
@@ -3262,6 +3272,7 @@ L$ocb_dec_epilogue:
.p2align 5
__ocb_decrypt6:
+
pxor %xmm9,%xmm15
movdqu (%rbx,%r12,1),%xmm11
movdqa %xmm10,%xmm12
@@ -3356,8 +3367,10 @@ L$ocb_dec_loop6:
+
.p2align 5
__ocb_decrypt4:
+
pxor %xmm9,%xmm15
movdqu (%rbx,%r12,1),%xmm11
movdqa %xmm10,%xmm12
@@ -3421,8 +3434,10 @@ L$ocb_dec_loop4:
+
.p2align 5
__ocb_decrypt1:
+
pxor %xmm15,%xmm7
pxor %xmm9,%xmm7
pxor %xmm7,%xmm2
@@ -3453,6 +3468,7 @@ L$ocb_dec_loop1:
.byte 102,15,56,223,215
.byte 0xf3,0xc3
+
.globl _aesni_cbc_encrypt
.p2align 4
@@ -4390,7 +4406,6 @@ L$enc_key_ret:
addq $8,%rsp
.byte 0xf3,0xc3
-
L$SEH_end_set_encrypt_key:
.p2align 4
@@ -4463,6 +4478,7 @@ L$key_expansion_256b:
.byte 0xf3,0xc3
+
.p2align 6
L$bswap_mask:
.byte 15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0
diff --git a/lib/accelerated/x86/macosx/sha1-ssse3-x86_64.s b/lib/accelerated/x86/macosx/sha1-ssse3-x86_64.s
index a576acc25f..7b5d9dfc9e 100644
--- a/lib/accelerated/x86/macosx/sha1-ssse3-x86_64.s
+++ b/lib/accelerated/x86/macosx/sha1-ssse3-x86_64.s
@@ -1460,10 +1460,10 @@ L$oop_shaext:
pshufd $27,%xmm1,%xmm1
movdqu %xmm0,(%rdi)
movd %xmm1,16(%rdi)
-
.byte 0xf3,0xc3
+
.p2align 4
sha1_block_data_order_ssse3:
_ssse3_shortcut:
diff --git a/lib/accelerated/x86/macosx/sha256-ssse3-x86_64.s b/lib/accelerated/x86/macosx/sha256-ssse3-x86_64.s
index fd0c247359..9fed36b9c8 100644
--- a/lib/accelerated/x86/macosx/sha256-ssse3-x86_64.s
+++ b/lib/accelerated/x86/macosx/sha256-ssse3-x86_64.s
@@ -1814,6 +1814,7 @@ K256:
.p2align 6
sha256_block_data_order_shaext:
_shaext_shortcut:
+
leaq K256+128(%rip),%rcx
movdqu (%rdi),%xmm1
movdqu 16(%rdi),%xmm2
@@ -2018,6 +2019,7 @@ L$oop_shaext:
.byte 0xf3,0xc3
+
.p2align 6
sha256_block_data_order_ssse3:
@@ -4277,7 +4279,15 @@ L$oop_avx2:
vmovdqa %ymm4,0(%rsp)
xorl %r14d,%r14d
vmovdqa %ymm5,32(%rsp)
+
+ movq 88(%rsp),%rdi
+
leaq -64(%rsp),%rsp
+
+
+
+ movq %rdi,-8(%rsp)
+
movl %ebx,%edi
vmovdqa %ymm6,0(%rsp)
xorl %ecx,%edi
@@ -4289,6 +4299,12 @@ L$oop_avx2:
.p2align 4
L$avx2_00_47:
leaq -64(%rsp),%rsp
+
+
+ pushq 64-8(%rsp)
+
+ leaq 8(%rsp),%rsp
+
vpalignr $4,%ymm0,%ymm1,%ymm4
addl 0+128(%rsp),%r11d
andl %r8d,%r12d
@@ -4544,6 +4560,12 @@ L$avx2_00_47:
movl %r9d,%r12d
vmovdqa %ymm6,32(%rsp)
leaq -64(%rsp),%rsp
+
+
+ pushq 64-8(%rsp)
+
+ leaq 8(%rsp),%rsp
+
vpalignr $4,%ymm2,%ymm3,%ymm4
addl 0+128(%rsp),%r11d
andl %r8d,%r12d
@@ -5419,6 +5441,8 @@ L$ower_avx2:
leaq 448(%rsp),%rsp
+
+
addl 0(%rdi),%eax
addl 4(%rdi),%ebx
addl 8(%rdi),%ecx
@@ -5444,9 +5468,11 @@ L$ower_avx2:
jbe L$oop_avx2
leaq (%rsp),%rbp
+
+
+
L$done_avx2:
- leaq (%rbp),%rsp
- movq 88(%rsp),%rsi
+ movq 88(%rbp),%rsi
vzeroupper
movq -48(%rsi),%r15
diff --git a/lib/accelerated/x86/macosx/sha512-ssse3-x86_64.s b/lib/accelerated/x86/macosx/sha512-ssse3-x86_64.s
index 8bf161601e..e78d90f2d3 100644
--- a/lib/accelerated/x86/macosx/sha512-ssse3-x86_64.s
+++ b/lib/accelerated/x86/macosx/sha512-ssse3-x86_64.s
@@ -4204,7 +4204,15 @@ L$oop_avx2:
vmovdqa %ymm10,64(%rsp)
vpaddq 64(%rbp),%ymm6,%ymm10
vmovdqa %ymm11,96(%rsp)
+
+ movq 152(%rsp),%rdi
+
leaq -128(%rsp),%rsp
+
+
+
+ movq %rdi,-8(%rsp)
+
vpaddq 96(%rbp),%ymm7,%ymm11
vmovdqa %ymm8,0(%rsp)
xorq %r14,%r14
@@ -4220,6 +4228,12 @@ L$oop_avx2:
.p2align 4
L$avx2_00_47:
leaq -128(%rsp),%rsp
+
+
+ pushq 128-8(%rsp)
+
+ leaq 8(%rsp),%rsp
+
vpalignr $8,%ymm0,%ymm1,%ymm8
addq 0+256(%rsp),%r11
andq %r8,%r12
@@ -4513,6 +4527,12 @@ L$avx2_00_47:
movq %r9,%r12
vmovdqa %ymm10,96(%rsp)
leaq -128(%rsp),%rsp
+
+
+ pushq 128-8(%rsp)
+
+ leaq 8(%rsp),%rsp
+
vpalignr $8,%ymm4,%ymm5,%ymm8
addq 0+256(%rsp),%r11
andq %r8,%r12
@@ -5426,6 +5446,8 @@ L$ower_avx2:
leaq 1152(%rsp),%rsp
+
+
addq 0(%rdi),%rax
addq 8(%rdi),%rbx
addq 16(%rdi),%rcx
@@ -5451,9 +5473,11 @@ L$ower_avx2:
jbe L$oop_avx2
leaq (%rsp),%rbp
+
+
+
L$done_avx2:
- leaq (%rbp),%rsp
- movq 152(%rsp),%rsi
+ movq 152(%rbp),%rsi
vzeroupper
movq -48(%rsi),%r15
diff --git a/lib/algorithms/ciphersuites.c b/lib/algorithms/ciphersuites.c
index 2c76f84d6d..9408397610 100644
--- a/lib/algorithms/ciphersuites.c
+++ b/lib/algorithms/ciphersuites.c
@@ -1675,7 +1675,7 @@ _gnutls_get_client_ciphersuites(gnutls_session_t session,
/**
* gnutls_priority_get_cipher_suite_index:
- * @pcache: is a #gnutls_prioritity_t type.
+ * @pcache: is a #gnutls_priority_t type.
* @idx: is an index number.
* @sidx: internal index of cipher suite to get information about.
*
diff --git a/lib/cert-cred-x509.c b/lib/cert-cred-x509.c
index 04aa3169b6..1b44f3a634 100644
--- a/lib/cert-cred-x509.c
+++ b/lib/cert-cred-x509.c
@@ -739,10 +739,14 @@ gnutls_certificate_set_x509_key(gnutls_certificate_credentials_t res,
gnutls_x509_privkey_t key)
{
int ret;
+ int npcerts = 0;
gnutls_privkey_t pkey;
gnutls_pcert_st *pcerts = NULL;
gnutls_str_array_t names;
+ if (cert_list == NULL || cert_list_size < 1)
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+
_gnutls_str_array_init(&names);
/* this should be first
@@ -785,10 +789,11 @@ gnutls_certificate_set_x509_key(gnutls_certificate_credentials_t res,
gnutls_assert();
goto cleanup;
}
+ npcerts = cert_list_size;
ret =
_gnutls_certificate_credential_append_keypair(res, pkey, names, pcerts,
- cert_list_size);
+ npcerts);
if (ret < 0) {
gnutls_assert();
goto cleanup;
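Review bot: `npcerts` stays 0 until the line after the import error path, so the new `cleanup:` loop (third hunk of this file) deinitializes entries only when `_gnutls_certificate_credential_append_keypair` fails; a failure in the import step above this hunk frees `pcerts` without deinitializing anything. That is correct only if the import routine releases its partial results itself, which is not visible here, so I would record it next to the assignment: `npcerts = cert_list_size; /* pcerts[] fully imported; cleanup must deinit them from here on */`. It is also worth confirming that append_keypair keeps no references to `pcerts` when it returns an error, since cleanup then deinitializes and frees the array. The function body starts and ends outside this hunk.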
@@ -807,6 +812,8 @@ gnutls_certificate_set_x509_key(gnutls_certificate_credentials_t res,
CRED_RET_SUCCESS(res);
cleanup:
+ while (npcerts-- > 0)
+ gnutls_pcert_deinit(&pcerts[npcerts]);
gnutls_free(pcerts);
_gnutls_str_array_clear(&names);
return ret;
@@ -1139,8 +1146,12 @@ gnutls_certificate_set_x509_trust(gnutls_certificate_credentials_t res,
int ca_list_size)
{
int ret, i, j;
- gnutls_x509_crt_t *new_list = gnutls_malloc(ca_list_size * sizeof(gnutls_x509_crt_t));
+ gnutls_x509_crt_t *new_list;
+
+ if (ca_list == NULL || ca_list_size < 1)
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ new_list = gnutls_malloc(ca_list_size * sizeof(gnutls_x509_crt_t));
if (!new_list)
return GNUTLS_E_MEMORY_ERROR;
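Review bot: The allocation-failure return right below the new argument check still bypasses `gnutls_assert_val`, so the two adjacent error exits are logged differently; `return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);` would match the new check. The size is still computed as `ca_list_size * sizeof(gnutls_x509_crt_t)` from a caller-supplied `int`. Now that non-positive counts are rejected, `gnutls_calloc(ca_list_size, sizeof(gnutls_x509_crt_t))` would leave the multiplication overflow check to the allocator. The rest of the function is outside the hunk.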
diff --git a/lib/cert-cred.c b/lib/cert-cred.c
index 6208ba72ae..b2f8aa3ff6 100644
--- a/lib/cert-cred.c
+++ b/lib/cert-cred.c
@@ -888,7 +888,8 @@ void
* @func: is the callback function
*
* This function sets a callback to be called when the peer's certificate
- * chain is incomplete due a missing intermediate certificate/certificates.
+ * chain is incomplete due a missing intermediate certificate. The callback
+ * may provide the missing certificate for use during verification.
*
* The callback's function prototype is defined in <gnutls/x509.h> as:
*
@@ -897,22 +898,19 @@ void
* gnutls_x509_crt_t **issuers,
* unsigned int *issuers_size);
*
- * If the callback function is provided then gnutls will call it, in the
- * certificate verification procedure.
+ * If the callback function is provided then gnutls will call it during the
+ * certificate verification procedure. The callback may wish to use
+ * gnutls_x509_crt_get_authority_info_access() to get a URI from which
+ * to attempt to download the missing issuer certificate, if available.
*
* On a successful call, the callback shall allocate the 'issuers' array with
* gnutls_x509_crt_list_import2(). The ownership of both the array and the
* elements is transferred to the caller and thus the application does not need
* to maintain the memory after the call.
*
- * To verify or obtain the certificate the verification functions such as
- * gnutls_x509_trust_list_verify_crt() and gnutls_x509_trust_list_verify_crt2()
- * can be used.
- *
* The callback function should return 0 if the missing issuer certificate
- * for 'crt' was properly populated and added to the 'tlist' using
- * gnutls_x509_trust_list_add_cas() or non-zero to continue the certificate list
- * verification but with issuer as %NULL.
+ * for 'crt' was properly populated and added to the 'issuers', or non-zero
+ * to continue the certificate list verification but with issuer as %NULL.
*
* Since: 3.7.0
**/
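Review bot: The new text suggests fetching the issuer from the URI returned by gnutls_x509_crt_get_authority_info_access(), but does not say that this URI comes from the peer's own certificate. I would add a sentence such as `The URI is taken from the peer's certificate and is untrusted; applications should restrict the schemes and hosts they contact and bound the download size and time.` It would also help to state that certificates returned in 'issuers' are, presumably, only candidate intermediates and do not become trust anchors. In the first hunk of this comment, "due a missing" should read "due to a missing". The doc comment starts above the hunk.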
diff --git a/lib/cipher.c b/lib/cipher.c
index 275c57a4e8..90ab1d3a9b 100644
--- a/lib/cipher.c
+++ b/lib/cipher.c
@@ -42,6 +42,8 @@
#include <state.h>
#include <random.h>
+#include <nettle/memxor.h>
+
static int encrypt_packet(gnutls_session_t session,
uint8_t * cipher_data, int cipher_size,
gnutls_datum_t * plain,
diff --git a/lib/constate.c b/lib/constate.c
index 3717522d38..fc56a7569a 100644
--- a/lib/constate.c
+++ b/lib/constate.c
@@ -814,7 +814,7 @@ int _gnutls_read_connection_state_init(gnutls_session_t session)
/* Update internals from CipherSuite selected.
* If we are resuming just copy the connection session
*/
- if (session->internals.resumed != RESUME_FALSE &&
+ if (session->internals.resumed &&
session->security_parameters.entity == GNUTLS_CLIENT)
_gnutls_set_resumed_parameters(session);
@@ -850,7 +850,7 @@ int _gnutls_write_connection_state_init(gnutls_session_t session)
/* Update internals from CipherSuite selected.
* If we are resuming just copy the connection session
*/
- if (session->internals.resumed != RESUME_FALSE &&
+ if (session->internals.resumed &&
session->security_parameters.entity == GNUTLS_SERVER)
_gnutls_set_resumed_parameters(session);
diff --git a/lib/db.c b/lib/db.c
index fc0699a4bd..4ff76126cd 100644
--- a/lib/db.c
+++ b/lib/db.c
@@ -272,7 +272,7 @@ int _gnutls_server_register_current_session(gnutls_session_t session)
key.data = session->security_parameters.session_id;
key.size = session->security_parameters.session_id_size;
- if (session->internals.resumable == RESUME_FALSE) {
+ if (!session->internals.resumable) {
gnutls_assert();
return GNUTLS_E_INVALID_SESSION;
}
diff --git a/lib/dtls.h b/lib/dtls.h
index 88fba4f3d1..7d9fb40094 100644
--- a/lib/dtls.h
+++ b/lib/dtls.h
@@ -68,9 +68,9 @@ int _dtls_wait_and_retransmit(gnutls_session_t session);
inline static int _dtls_is_async(gnutls_session_t session)
{
if ((session->security_parameters.entity == GNUTLS_SERVER
- && session->internals.resumed == RESUME_FALSE)
+ && !session->internals.resumed)
|| (session->security_parameters.entity == GNUTLS_CLIENT
- && session->internals.resumed == RESUME_TRUE))
+ && session->internals.resumed))
return 1;
else
return 0;
diff --git a/lib/ext/pre_shared_key.c b/lib/ext/pre_shared_key.c
index b5a86b7db1..a042c6488e 100644
--- a/lib/ext/pre_shared_key.c
+++ b/lib/ext/pre_shared_key.c
@@ -696,7 +696,7 @@ static int server_recv_params(gnutls_session_t session,
}
}
- session->internals.resumed = RESUME_TRUE;
+ session->internals.resumed = true;
_gnutls_handshake_log("EXT[%p]: selected resumption PSK identity (%d)\n", session, psk_index);
}
@@ -819,7 +819,7 @@ static int _gnutls_psk_recv_params(gnutls_session_t session,
for (i=0;i<sizeof(session->key.binders)/sizeof(session->key.binders[0]);i++) {
if (session->key.binders[i].prf != NULL && session->key.binders[i].idx == selected_identity) {
if (session->key.binders[i].resumption) {
- session->internals.resumed = RESUME_TRUE;
+ session->internals.resumed = true;
_gnutls_handshake_log("EXT[%p]: selected PSK-resumption mode\n", session);
} else {
_gnutls_handshake_log("EXT[%p]: selected PSK mode\n", session);
diff --git a/lib/ext/session_ticket.c b/lib/ext/session_ticket.c
index 8f22462fae..5877f8fa12 100644
--- a/lib/ext/session_ticket.c
+++ b/lib/ext/session_ticket.c
@@ -370,7 +370,7 @@ unpack_session(gnutls_session_t session, const gnutls_datum_t *state)
if (ret < 0)
return gnutls_assert_val(ret);
- session->internals.resumed = RESUME_TRUE;
+ session->internals.resumed = true;
return 0;
}
@@ -656,7 +656,7 @@ int _gnutls_send_new_session_ticket(gnutls_session_t session, int again)
/* Under TLS1.2 with session tickets, the session ID is used for different
* purposes than the TLS1.0 session ID. Ensure that there is an internally
* set value which the server will see on the original and resumed sessions */
- if (session->internals.resumed != RESUME_TRUE) {
+ if (!session->internals.resumed) {
ret = _gnutls_generate_session_id(session->security_parameters.
session_id,
&session->security_parameters.
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index b9134dcbdd..2611b5af54 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -53,8 +53,6 @@ typedef int ssize_t;
#endif
#include <time.h>
-#include <nettle/memxor.h>
-
#include "attribute.h"
#define ENABLE_ALIGN16
@@ -361,9 +359,6 @@ verify(GNUTLS_EXTENSION_MAX_VALUE - GNUTLS_EXTENSION_MAX >= 16);
typedef enum { CIPHER_STREAM, CIPHER_BLOCK, CIPHER_AEAD } cipher_type_t;
-#define RESUME_TRUE 1
-#define RESUME_FALSE 0
-
/* Record Protocol */
typedef enum content_type_t {
GNUTLS_CHANGE_CIPHER_SPEC = 20, GNUTLS_ALERT,
@@ -1086,7 +1081,7 @@ typedef struct {
gnutls_buffer_st handshake_hash_buffer; /* used to keep the last received handshake
* message */
- bool resumable; /* TRUE or FALSE - if we can resume that session */
+ bool resumable; /* if we can resume that session */
send_ticket_state_t ticket_state; /* used by gnutls_session_ticket_send() */
bye_state_t bye_state; /* used by gnutls_bye() */
@@ -1100,7 +1095,7 @@ typedef struct {
* no interruption has happened.
*/
- bool invalid_connection; /* true or FALSE - if this session is valid */
+ bool invalid_connection; /* if this session is valid */
bool may_not_read; /* if it's 0 then we can read/write, otherwise it's forbidden to read/write
*/
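Review bot: The rewritten comment on `invalid_connection` reads "if this session is valid", which is the opposite of what the field name says; the old text had the same wording, so this edit was a chance to fix it. Judging by the name, the flag is set when the session can no longer be used, so I would write `bool invalid_connection; /* true if this session has been invalidated */`. That reading should be confirmed against the places that set the flag, which are outside this hunk.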
@@ -1135,7 +1130,7 @@ typedef struct {
uint16_t dh_prime_bits; /* srp_prime_bits */
/* resumed session */
- bool resumed; /* RESUME_TRUE or FALSE - if we are resuming a session */
+ bool resumed; /* if we are resuming a session */
/* server side: non-zero if resumption was requested by client
* client side: non-zero if we set resumption parameters */
diff --git a/lib/handshake-tls13.c b/lib/handshake-tls13.c
index ea236c803c..7dd42becf1 100644
--- a/lib/handshake-tls13.c
+++ b/lib/handshake-tls13.c
@@ -210,7 +210,7 @@ int _gnutls13_handshake_client(gnutls_session_t session)
SAVE_TRANSCRIPT;
- if (session->internals.resumed != RESUME_FALSE)
+ if (session->internals.resumed)
_gnutls_set_resumed_parameters(session);
return 0;
@@ -325,7 +325,7 @@ static int generate_hs_traffic_keys(gnutls_session_t session)
if ((session->security_parameters.entity == GNUTLS_CLIENT &&
(!(session->internals.hsk_flags & HSK_KEY_SHARE_RECEIVED) ||
(!(session->internals.hsk_flags & HSK_PSK_KE_MODE_DHE_PSK) &&
- session->internals.resumed != RESUME_FALSE))) ||
+ session->internals.resumed))) ||
(session->security_parameters.entity == GNUTLS_SERVER &&
!(session->internals.hsk_flags & HSK_KEY_SHARE_SENT))) {
@@ -506,7 +506,7 @@ int _gnutls13_handshake_server(gnutls_session_t session)
FALLTHROUGH;
case STATE109:
- if (session->internals.resumed != RESUME_FALSE)
+ if (session->internals.resumed)
_gnutls_set_resumed_parameters(session);
if (session->internals.hsk_flags & HSK_EARLY_START_USED) {
diff --git a/lib/handshake.c b/lib/handshake.c
index ce2d160e20..6c894eb68a 100644
--- a/lib/handshake.c
+++ b/lib/handshake.c
@@ -61,9 +61,6 @@
#include <valgrind/memcheck.h>
#endif
-#define TRUE 1
-#define FALSE 0
-
static int check_if_null_comp_present(gnutls_session_t session,
uint8_t * data, int datalen);
static int handshake_client(gnutls_session_t session);
@@ -532,7 +529,7 @@ _gnutls_user_hello_func(gnutls_session_t session,
* server, and that includes switching version which we have already
* negotiated; note that this doesn't apply when resuming as the version
* negotiation is already complete. */
- if (session->internals.resumed != RESUME_TRUE) {
+ if (!session->internals.resumed) {
new_max = _gnutls_version_max(session);
old_vers = get_version(session);
@@ -580,7 +577,7 @@ static int set_auth_types(gnutls_session_t session)
/* Under TLS1.3 this returns a KX which matches the negotiated
* groups from the key shares; if we are resuming then the KX seen
* here doesn't match the original session. */
- if (session->internals.resumed == RESUME_FALSE)
+ if (!session->internals.resumed)
kx = gnutls_kx_get(session);
else
kx = GNUTLS_KX_UNKNOWN;
@@ -592,7 +589,7 @@ static int set_auth_types(gnutls_session_t session)
if (kx != GNUTLS_KX_UNKNOWN) {
session->security_parameters.server_auth_type = _gnutls_map_kx_get_cred(kx, 1);
session->security_parameters.client_auth_type = _gnutls_map_kx_get_cred(kx, 0);
- } else if (unlikely(session->internals.resumed == RESUME_FALSE)) {
+ } else if (unlikely(!session->internals.resumed)) {
/* Here we can only arrive if something we received
* prevented the session from completing. */
return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
@@ -740,7 +737,7 @@ read_client_hello(gnutls_session_t session, uint8_t * data,
if (ret < 0)
return gnutls_assert_val(ret);
- session->internals.resumed = RESUME_TRUE;
+ session->internals.resumed = true;
return _gnutls_user_hello_func(session, major, minor);
} else {
@@ -751,7 +748,7 @@ read_client_hello(gnutls_session_t session, uint8_t * data,
if (ret < 0)
return gnutls_assert_val(ret);
- session->internals.resumed = RESUME_FALSE;
+ session->internals.resumed = false;
}
} else { /* TLS1.3 */
/* we echo client's session ID - length was checked previously */
@@ -792,7 +789,7 @@ read_client_hello(gnutls_session_t session, uint8_t * data,
}
/* resumed by session_ticket extension */
- if (!vers->tls13_sem && session->internals.resumed != RESUME_FALSE) {
+ if (!vers->tls13_sem && session->internals.resumed) {
session->internals.resumed_security_parameters.
max_record_recv_size =
session->security_parameters.max_record_recv_size;
@@ -930,10 +927,10 @@ int _gnutls_send_finished(gnutls_session_t session, int again)
return ret;
}
- if ((session->internals.resumed == RESUME_FALSE
+ if ((!session->internals.resumed
&& session->security_parameters.entity ==
GNUTLS_CLIENT)
- || (session->internals.resumed != RESUME_FALSE
+ || (session->internals.resumed
&& session->security_parameters.entity ==
GNUTLS_SERVER)) {
/* if we are a client not resuming - or we are a server resuming */
@@ -1034,9 +1031,9 @@ int _gnutls_recv_finished(gnutls_session_t session)
goto cleanup;
}
- if ((session->internals.resumed != RESUME_FALSE
+ if ((session->internals.resumed
&& session->security_parameters.entity == GNUTLS_CLIENT)
- || (session->internals.resumed == RESUME_FALSE
+ || (!session->internals.resumed
&& session->security_parameters.entity == GNUTLS_SERVER)) {
/* if we are a client resuming - or we are a server not resuming */
_gnutls_handshake_log
@@ -1845,13 +1842,13 @@ client_check_if_resuming(gnutls_session_t session,
goto no_resume;
}
- session->internals.resumed = RESUME_TRUE; /* we are resuming */
+ session->internals.resumed = true; /* we are resuming */
return 0;
} else {
no_resume:
/* keep the new session id */
- session->internals.resumed = RESUME_FALSE; /* we are not resuming */
+ session->internals.resumed = false; /* we are not resuming */
return -1;
}
}
@@ -2097,17 +2094,19 @@ static int send_client_hello(gnutls_session_t session, int again)
const version_entry_st *hver, *min_ver, *max_ver;
uint8_t tver[2];
gnutls_buffer_st extdata;
- int rehandshake = 0;
+ bool rehandshake = false;
+ bool resuming = false;
unsigned add_sr_scsv = 0;
+ uint8_t *session_id =
+ session->internals.resumed_security_parameters.session_id;
uint8_t session_id_len =
- session->internals.resumed_security_parameters.session_id_size;
-
+ session->internals.resumed_security_parameters.session_id_size;
if (again == 0) {
/* note that rehandshake is different than resuming
*/
if (session->internals.initial_negotiation_completed)
- rehandshake = 1;
+ rehandshake = true;
ret = _gnutls_buffer_init_handshake_mbuffer(&extdata);
if (ret < 0)
@@ -2124,6 +2123,8 @@ static int send_client_hello(gnutls_session_t session, int again)
hver = _gnutls_legacy_version_max(session);
} else {
/* we are resuming a session */
+ resuming = true;
+
hver =
session->internals.resumed_security_parameters.
pversion;
@@ -2212,9 +2213,7 @@ static int send_client_hello(gnutls_session_t session, int again)
}
#ifdef TLS13_APPENDIX_D4
- if (max_ver->tls13_sem &&
- session->security_parameters.session_id_size == 0) {
-
+ if (max_ver->tls13_sem && !resuming) {
/* Under TLS1.3 we generate a random session ID to make
* the TLS1.3 session look like a resumed TLS1.2 session */
ret = _gnutls_generate_session_id(session->security_parameters.
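Review bot: With the condition changed from `session_id_size == 0` to `!resuming`, a new random legacy session ID is generated on every pass through this block, not only the first. If this function is entered again with `again == 0` to send the second ClientHello after a HelloRetryRequest (not visible in this hunk), the ID would differ between the two hellos, whereas TLS 1.3 expects the second ClientHello to repeat it. I would generate only on the first hello and reuse the stored value otherwise, e.g. wrap the `_gnutls_generate_session_id` call in `if (!(session->internals.hsk_flags & HSK_HRR_RECEIVED))` while still assigning `session_id`/`session_id_len` from `security_parameters` as the following hunk does. send_client_hello starts and ends outside the hunk.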
@@ -2225,13 +2224,15 @@ static int send_client_hello(gnutls_session_t session, int again)
gnutls_assert();
goto cleanup;
}
+ session_id = session->security_parameters.session_id;
+ session_id_len = session->security_parameters.session_id_size;
}
#endif
/* Copy the Session ID - if any
*/
ret = _gnutls_buffer_append_data_prefix(&extdata, 8,
- session->internals.resumed_security_parameters.session_id,
+ session_id,
session_id_len);
if (ret < 0) {
gnutls_assert();
@@ -2390,7 +2391,7 @@ int _gnutls_send_server_hello(gnutls_session_t session, int again)
goto fail;
}
- if (!vers->tls13_sem && session->internals.resumed != RESUME_FALSE)
+ if (!vers->tls13_sem && session->internals.resumed)
etype = GNUTLS_EXT_MANDATORY;
else
etype = GNUTLS_EXT_ANY;
@@ -2999,7 +3000,7 @@ static int handshake_client(gnutls_session_t session)
FALLTHROUGH;
case STATE6:
/* RECV CERTIFICATE */
- if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
+ if (!session->internals.resumed) /* if we are not resuming */
ret = _gnutls_recv_server_certificate(session);
STATE = STATE6;
IMED_RET("recv server certificate", ret, 1);
@@ -3007,7 +3008,7 @@ static int handshake_client(gnutls_session_t session)
case STATE7:
#ifdef ENABLE_OCSP
/* RECV CERTIFICATE STATUS */
- if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
+ if (!session->internals.resumed) /* if we are not resuming */
ret =
_gnutls_recv_server_certificate_status
(session);
@@ -3024,7 +3025,7 @@ static int handshake_client(gnutls_session_t session)
FALLTHROUGH;
case STATE9:
/* receive the server key exchange */
- if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
+ if (!session->internals.resumed) /* if we are not resuming */
ret = _gnutls_recv_server_kx_message(session);
STATE = STATE9;
IMED_RET("recv server kx message", ret, 1);
@@ -3033,7 +3034,7 @@ static int handshake_client(gnutls_session_t session)
/* receive the server certificate request - if any
*/
- if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
+ if (!session->internals.resumed) /* if we are not resuming */
ret = _gnutls_recv_server_crt_request(session);
STATE = STATE10;
IMED_RET("recv server certificate request message", ret,
@@ -3041,7 +3042,7 @@ static int handshake_client(gnutls_session_t session)
FALLTHROUGH;
case STATE11:
/* receive the server hello done */
- if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
+ if (!session->internals.resumed) /* if we are not resuming */
ret =
_gnutls_recv_handshake(session,
GNUTLS_HANDSHAKE_SERVER_HELLO_DONE,
@@ -3061,7 +3062,7 @@ static int handshake_client(gnutls_session_t session)
case STATE13:
/* send our certificate - if any and if requested
*/
- if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
+ if (!session->internals.resumed) /* if we are not resuming */
ret =
_gnutls_send_client_certificate(session,
AGAIN
@@ -3070,7 +3071,7 @@ static int handshake_client(gnutls_session_t session)
IMED_RET("send client certificate", ret, 0);
FALLTHROUGH;
case STATE14:
- if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
+ if (!session->internals.resumed) /* if we are not resuming */
ret =
_gnutls_send_client_kx_message(session,
AGAIN(STATE14));
@@ -3079,7 +3080,7 @@ static int handshake_client(gnutls_session_t session)
FALLTHROUGH;
case STATE15:
/* send client certificate verify */
- if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
+ if (!session->internals.resumed) /* if we are not resuming */
ret =
_gnutls_send_client_certificate_verify(session,
AGAIN
@@ -3089,8 +3090,8 @@ static int handshake_client(gnutls_session_t session)
FALLTHROUGH;
case STATE16:
STATE = STATE16;
- if (session->internals.resumed == RESUME_FALSE) {
- ret = send_handshake_final(session, TRUE);
+ if (!session->internals.resumed) {
+ ret = send_handshake_final(session, true);
IMED_RET("send handshake final 2", ret, 1);
} else {
ret = _gnutls_recv_new_session_ticket(session);
@@ -3100,7 +3101,7 @@ static int handshake_client(gnutls_session_t session)
FALLTHROUGH;
case STATE17:
STATE = STATE17;
- if (session->internals.resumed == RESUME_FALSE && (session->internals.flags & GNUTLS_ENABLE_FALSE_START) && can_send_false_start(session)) {
+ if (!session->internals.resumed && (session->internals.flags & GNUTLS_ENABLE_FALSE_START) && can_send_false_start(session)) {
session->internals.hsk_flags |= HSK_FALSE_START_USED;
session->internals.recv_state = RECV_STATE_FALSE_START;
/* complete this phase of the handshake. We
@@ -3115,22 +3116,22 @@ static int handshake_client(gnutls_session_t session)
case STATE18:
STATE = STATE18;
- if (session->internals.resumed == RESUME_FALSE) {
+ if (!session->internals.resumed) {
ret = _gnutls_recv_new_session_ticket(session);
IMED_RET("recv handshake new session ticket", ret,
1);
} else {
- ret = recv_handshake_final(session, TRUE);
+ ret = recv_handshake_final(session, true);
IMED_RET("recv handshake final", ret, 1);
}
FALLTHROUGH;
case STATE19:
STATE = STATE19;
- if (session->internals.resumed == RESUME_FALSE) {
- ret = recv_handshake_final(session, FALSE);
+ if (!session->internals.resumed) {
+ ret = recv_handshake_final(session, false);
IMED_RET("recv handshake final 2", ret, 1);
} else {
- ret = send_handshake_final(session, FALSE);
+ ret = send_handshake_final(session, false);
IMED_RET("send handshake final", ret, 1);
}
@@ -3242,7 +3243,7 @@ static int send_handshake_final(gnutls_session_t session, int init)
}
/* Initialize the connection session (start encryption) - in case of client
*/
- if (init == TRUE) {
+ if (init) {
ret = _gnutls_connection_state_init(session);
if (ret < 0) {
gnutls_assert();
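Review bot: `init` is still declared `int` in `send_handshake_final` (and in `recv_handshake_final`, next hunk), although every call site touched by this commit now passes `true` or `false` and the test became `if (init)`. Changing both prototypes to `bool init` would finish the conversion and make the parameter's meaning visible in the signature. Both function bodies extend beyond the hunks shown.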
@@ -3327,7 +3328,7 @@ static int recv_handshake_final(gnutls_session_t session, int init)
session->internals.dtls.hsk_read_seq++;
/* Initialize the connection session (start encryption) - in case of server */
- if (init == TRUE) {
+ if (init) {
ret = _gnutls_connection_state_init(session);
if (ret < 0) {
gnutls_assert();
@@ -3435,7 +3436,7 @@ static int handshake_server(gnutls_session_t session)
case STATE5:
/* NOTE: these should not be send if we are resuming */
- if (session->internals.resumed == RESUME_FALSE)
+ if (!session->internals.resumed)
ret =
_gnutls_send_server_certificate(session,
AGAIN(STATE5));
@@ -3444,7 +3445,7 @@ static int handshake_server(gnutls_session_t session)
FALLTHROUGH;
case STATE6:
#ifdef ENABLE_OCSP
- if (session->internals.resumed == RESUME_FALSE)
+ if (!session->internals.resumed)
ret =
_gnutls_send_server_certificate_status(session,
AGAIN
@@ -3455,7 +3456,7 @@ static int handshake_server(gnutls_session_t session)
FALLTHROUGH;
case STATE7:
/* send server key exchange (A) */
- if (session->internals.resumed == RESUME_FALSE)
+ if (!session->internals.resumed)
ret =
_gnutls_send_server_kx_message(session,
AGAIN(STATE7));
@@ -3464,7 +3465,7 @@ static int handshake_server(gnutls_session_t session)
FALLTHROUGH;
case STATE8:
/* Send certificate request - if requested to */
- if (session->internals.resumed == RESUME_FALSE)
+ if (!session->internals.resumed)
ret =
_gnutls_send_server_crt_request(session,
AGAIN(STATE8));
@@ -3473,7 +3474,7 @@ static int handshake_server(gnutls_session_t session)
FALLTHROUGH;
case STATE9:
/* send the server hello done */
- if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
+ if (!session->internals.resumed) /* if we are not resuming */
ret =
_gnutls_send_empty_handshake(session,
GNUTLS_HANDSHAKE_SERVER_HELLO_DONE,
@@ -3491,7 +3492,7 @@ static int handshake_server(gnutls_session_t session)
FALLTHROUGH;
case STATE11:
/* receive the client certificate message */
- if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
+ if (!session->internals.resumed) /* if we are not resuming */
ret = _gnutls_recv_client_certificate(session);
STATE = STATE11;
IMED_RET("recv client certificate", ret, 1);
@@ -3504,14 +3505,14 @@ static int handshake_server(gnutls_session_t session)
FALLTHROUGH;
case STATE13:
/* receive the client key exchange message */
- if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
+ if (!session->internals.resumed) /* if we are not resuming */
ret = _gnutls_recv_client_kx_message(session);
STATE = STATE13;
IMED_RET("recv client kx", ret, 1);
FALLTHROUGH;
case STATE14:
/* receive the client certificate verify message */
- if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
+ if (!session->internals.resumed) /* if we are not resuming */
ret =
_gnutls_recv_client_certificate_verify_message
(session);
@@ -3520,11 +3521,11 @@ static int handshake_server(gnutls_session_t session)
FALLTHROUGH;
case STATE15:
STATE = STATE15;
- if (session->internals.resumed == RESUME_FALSE) { /* if we are not resuming */
- ret = recv_handshake_final(session, TRUE);
+ if (!session->internals.resumed) { /* if we are not resuming */
+ ret = recv_handshake_final(session, true);
IMED_RET("recv handshake final", ret, 1);
} else {
- ret = send_handshake_final(session, TRUE);
+ ret = send_handshake_final(session, true);
IMED_RET("send handshake final 2", ret, 1);
}
FALLTHROUGH;
@@ -3537,8 +3538,8 @@ static int handshake_server(gnutls_session_t session)
FALLTHROUGH;
case STATE17:
STATE = STATE17;
- if (session->internals.resumed == RESUME_FALSE) { /* if we are not resuming */
- ret = send_handshake_final(session, FALSE);
+ if (!session->internals.resumed) { /* if we are not resuming */
+ ret = send_handshake_final(session, false);
IMED_RET("send handshake final", ret, 1);
if (session->security_parameters.entity ==
@@ -3549,7 +3550,7 @@ static int handshake_server(gnutls_session_t session)
(session);
}
} else {
- ret = recv_handshake_final(session, FALSE);
+ ret = recv_handshake_final(session, false);
IMED_RET("recv handshake final 2", ret, 1);
}
diff --git a/lib/kx.c b/lib/kx.c
index 1eda14d3d6..9f3c14b6db 100644
--- a/lib/kx.c
+++ b/lib/kx.c
@@ -54,7 +54,7 @@ static int generate_normal_master(gnutls_session_t session,
int _gnutls_generate_master(gnutls_session_t session, int keep_premaster)
{
- if (session->internals.resumed == RESUME_FALSE)
+ if (!session->internals.resumed)
return generate_normal_master(session, &session->key.key,
keep_premaster);
else if (session->internals.premaster_set) {
diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
index 3475084f0f..432bcdd59d 100644
--- a/lib/nettle/pk.c
+++ b/lib/nettle/pk.c
@@ -1824,7 +1824,7 @@ int _gnutls_dh_generate_key(gnutls_dh_params_t dh_params,
params.params[DH_P] = _gnutls_mpi_copy(dh_params->params[0]);
params.params[DH_G] = _gnutls_mpi_copy(dh_params->params[1]);
- params.params_nr = 3; /* include empty q */
+ params.params_nr = 5;
params.algo = GNUTLS_PK_DH;
priv_key->data = NULL;
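Review bot: The new `params.params_nr = 5;` is a bare number, and the comment the old line carried (`/* include empty q */`) was dropped, so nothing says which five slots are meant or why the count is now fixed before any of them is filled. The same applies to `pub.params_nr = 5` and `priv.params_nr = 5` in _gnutls_dh_compute_key, and to the `params_nr = 3` assignments in the two ECDH functions later in this file. Presumably the count is set up front so that the added gnutls_pk_params_release() in the cleanup path covers every slot on an early error. If so, say it, e.g. `params.params_nr = 5; /* all DH slots, so cleanup releases whatever was set */`, or use a named count if the tree defines one. The function body starts and ends outside this hunk.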
@@ -1856,6 +1856,7 @@ int _gnutls_dh_generate_key(gnutls_dh_params_t dh_params,
gnutls_free(priv_key->data);
cleanup:
gnutls_pk_params_clear(&params);
+ gnutls_pk_params_release(&params);
return ret;
}
@@ -1869,9 +1870,13 @@ int _gnutls_dh_compute_key(gnutls_dh_params_t dh_params,
int ret;
gnutls_pk_params_init(&pub);
- gnutls_pk_params_init(&priv);
+ pub.params_nr = 5;
pub.algo = GNUTLS_PK_DH;
+ gnutls_pk_params_init(&priv);
+ priv.params_nr = 5;
+ priv.algo = GNUTLS_PK_DH;
+
if (_gnutls_mpi_init_scan_nz
(&pub.params[DH_Y], peer_key->data,
peer_key->size) != 0) {
@@ -1893,9 +1898,6 @@ int _gnutls_dh_compute_key(gnutls_dh_params_t dh_params,
goto cleanup;
}
- priv.params_nr = 3; /* include, possibly empty, q */
- priv.algo = GNUTLS_PK_DH;
-
Z->data = NULL;
ret = _gnutls_pk_derive(GNUTLS_PK_DH, Z, &priv, &pub);
@@ -1907,7 +1909,9 @@ int _gnutls_dh_compute_key(gnutls_dh_params_t dh_params,
ret = 0;
cleanup:
gnutls_pk_params_clear(&pub);
+ gnutls_pk_params_release(&pub);
gnutls_pk_params_clear(&priv);
+ gnutls_pk_params_release(&priv);
return ret;
}
@@ -1919,6 +1923,7 @@ int _gnutls_ecdh_generate_key(gnutls_ecc_curve_t curve,
int ret;
gnutls_pk_params_init(&params);
+ params.params_nr = 3;
params.curve = curve;
params.algo = GNUTLS_PK_ECDSA;
@@ -1960,6 +1965,7 @@ int _gnutls_ecdh_generate_key(gnutls_ecc_curve_t curve,
gnutls_free(k->data);
cleanup:
gnutls_pk_params_clear(&params);
+ gnutls_pk_params_release(&params);
return ret;
}
@@ -1973,11 +1979,15 @@ int _gnutls_ecdh_compute_key(gnutls_ecc_curve_t curve,
int ret;
gnutls_pk_params_init(&pub);
- gnutls_pk_params_init(&priv);
-
+ pub.params_nr = 3;
pub.algo = GNUTLS_PK_ECDSA;
pub.curve = curve;
+ gnutls_pk_params_init(&priv);
+ priv.params_nr = 3;
+ priv.algo = GNUTLS_PK_ECDSA;
+ priv.curve = curve;
+
if (_gnutls_mpi_init_scan_nz
(&pub.params[ECC_Y], peer_y->data,
peer_y->size) != 0) {
@@ -1994,8 +2004,6 @@ int _gnutls_ecdh_compute_key(gnutls_ecc_curve_t curve,
goto cleanup;
}
- pub.params_nr = 2;
-
if (_gnutls_mpi_init_scan_nz
(&priv.params[ECC_Y], y->data,
y->size) != 0) {
@@ -2020,11 +2028,6 @@ int _gnutls_ecdh_compute_key(gnutls_ecc_curve_t curve,
goto cleanup;
}
-
- priv.params_nr = 3;
- priv.algo = GNUTLS_PK_ECDSA;
- priv.curve = curve;
-
Z->data = NULL;
ret = _gnutls_pk_derive(GNUTLS_PK_ECDSA, Z, &priv, &pub);
@@ -2036,7 +2039,9 @@ int _gnutls_ecdh_compute_key(gnutls_ecc_curve_t curve,
ret = 0;
cleanup:
gnutls_pk_params_clear(&pub);
+ gnutls_pk_params_release(&pub);
gnutls_pk_params_clear(&priv);
+ gnutls_pk_params_release(&priv);
return ret;
}
diff --git a/lib/priority.c b/lib/priority.c
index 6577703a90..7686c7530a 100644
--- a/lib/priority.c
+++ b/lib/priority.c
@@ -1802,7 +1802,7 @@ static int set_ciphersuite_list(gnutls_priority_t priority_cache)
/**
* gnutls_priority_init2:
- * @priority_cache: is a #gnutls_prioritity_t type.
+ * @priority_cache: is a #gnutls_priority_t type.
* @priorities: is a string describing priorities (may be %NULL)
* @err_pos: In case of an error this will have the position in the string the error occurred
* @flags: zero or %GNUTLS_PRIORITY_INIT_DEF_APPEND
@@ -1957,7 +1957,7 @@ gnutls_priority_init2(gnutls_priority_t * priority_cache,
/**
* gnutls_priority_init:
- * @priority_cache: is a #gnutls_prioritity_t type.
+ * @priority_cache: is a #gnutls_priority_t type.
* @priorities: is a string describing priorities (may be %NULL)
* @err_pos: In case of an error this will have the position in the string the error occurred
*
@@ -2288,7 +2288,7 @@ gnutls_priority_init(gnutls_priority_t * priority_cache,
/**
* gnutls_priority_deinit:
- * @priority_cache: is a #gnutls_prioritity_t type.
+ * @priority_cache: is a #gnutls_priority_t type.
*
* Deinitializes the priority cache.
**/
@@ -2469,7 +2469,7 @@ int gnutls_set_default_priority_append(gnutls_session_t session,
/**
* gnutls_priority_ecc_curve_list:
- * @pcache: is a #gnutls_prioritity_t type.
+ * @pcache: is a #gnutls_priority_t type.
* @list: will point to an integer list
*
* Get a list of available elliptic curves in the priority
@@ -2504,7 +2504,7 @@ gnutls_priority_ecc_curve_list(gnutls_priority_t pcache,
/**
* gnutls_priority_group_list:
- * @pcache: is a #gnutls_prioritity_t type.
+ * @pcache: is a #gnutls_priority_t type.
* @list: will point to an integer list
*
* Get a list of available groups in the priority
@@ -2527,7 +2527,7 @@ gnutls_priority_group_list(gnutls_priority_t pcache,
/**
* gnutls_priority_kx_list:
- * @pcache: is a #gnutls_prioritity_t type.
+ * @pcache: is a #gnutls_priority_t type.
* @list: will point to an integer list
*
* Get a list of available key exchange methods in the priority
@@ -2549,7 +2549,7 @@ gnutls_priority_kx_list(gnutls_priority_t pcache,
/**
* gnutls_priority_cipher_list:
- * @pcache: is a #gnutls_prioritity_t type.
+ * @pcache: is a #gnutls_priority_t type.
* @list: will point to an integer list
*
* Get a list of available ciphers in the priority
@@ -2571,7 +2571,7 @@ gnutls_priority_cipher_list(gnutls_priority_t pcache,
/**
* gnutls_priority_mac_list:
- * @pcache: is a #gnutls_prioritity_t type.
+ * @pcache: is a #gnutls_priority_t type.
* @list: will point to an integer list
*
* Get a list of available MAC algorithms in the priority
@@ -2593,7 +2593,7 @@ gnutls_priority_mac_list(gnutls_priority_t pcache,
/**
* gnutls_priority_compression_list:
- * @pcache: is a #gnutls_prioritity_t type.
+ * @pcache: is a #gnutls_priority_t type.
* @list: will point to an integer list
*
* Get a list of available compression method in the priority
@@ -2614,7 +2614,7 @@ gnutls_priority_compression_list(gnutls_priority_t pcache,
/**
* gnutls_priority_protocol_list:
- * @pcache: is a #gnutls_prioritity_t type.
+ * @pcache: is a #gnutls_priority_t type.
* @list: will point to an integer list
*
* Get a list of available TLS version numbers in the priority
@@ -2636,7 +2636,7 @@ gnutls_priority_protocol_list(gnutls_priority_t pcache,
/**
* gnutls_priority_sign_list:
- * @pcache: is a #gnutls_prioritity_t type.
+ * @pcache: is a #gnutls_priority_t type.
* @list: will point to an integer list
*
* Get a list of available signature algorithms in the priority
@@ -2658,7 +2658,7 @@ gnutls_priority_sign_list(gnutls_priority_t pcache,
/**
* gnutls_priority_certificate_type_list:
- * @pcache: is a #gnutls_prioritity_t type.
+ * @pcache: is a #gnutls_priority_t type.
* @list: will point to an integer list
*
* Get a list of available certificate types in the priority
@@ -2685,7 +2685,7 @@ gnutls_priority_certificate_type_list(gnutls_priority_t pcache,
/**
* gnutls_priority_certificate_type_list2:
- * @pcache: is a #gnutls_prioritity_t type.
+ * @pcache: is a #gnutls_priority_t type.
* @list: will point to an integer list.
* @target: is a #gnutls_ctype_target_t type. Valid arguments are
* GNUTLS_CTYPE_CLIENT and GNUTLS_CTYPE_SERVER
diff --git a/lib/record.c b/lib/record.c
index 3a8f8e78cc..cd9df80520 100644
--- a/lib/record.c
+++ b/lib/record.c
@@ -341,7 +341,7 @@ int gnutls_bye(gnutls_session_t session, gnutls_close_request_t how)
inline static void session_unresumable(gnutls_session_t session)
{
- session->internals.resumable = RESUME_FALSE;
+ session->internals.resumable = false;
}
/* returns 0 if session is valid
@@ -2370,6 +2370,10 @@ gnutls_handshake_write(gnutls_session_t session,
if (IS_DTLS(session))
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ /* Nothing to do */
+ if (data_size == 0)
+ return gnutls_assert_val(0);
+
/* When using this, the outgoing handshake messages should
* also be handled manually */
if (!session->internals.h_read_func)
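Review bot: `return gnutls_assert_val(0);` on the `data_size == 0` path wraps a success value in the macro that every other use in this diff reserves for error codes. An empty write would therefore presumably leave an assertion line in the debug log, although the comment calls it "Nothing to do". A plain `return 0;` says the same without the noise. The doc comment of gnutls_handshake_write is outside the hunk; it should state that a zero-length write returns 0, and that this happens before the `h_read_func` check.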
diff --git a/lib/session.c b/lib/session.c
index b9a23e8d02..bdaf572b0e 100644
--- a/lib/session.c
+++ b/lib/session.c
@@ -166,7 +166,7 @@ gnutls_session_get_data2(gnutls_session_t session, gnutls_datum_t *data)
}
}
- if (session->internals.resumable == RESUME_FALSE)
+ if (!session->internals.resumable)
return GNUTLS_E_INVALID_SESSION;
ret = _gnutls_session_pack(session, data);
diff --git a/lib/sslv2_compat.c b/lib/sslv2_compat.c
index 4dd62d01c1..c4a0143b92 100644
--- a/lib/sslv2_compat.c
+++ b/lib/sslv2_compat.c
@@ -238,7 +238,7 @@ _gnutls_read_client_hello_v2(gnutls_session_t session, uint8_t * data,
session->security_parameters.client_random,
GNUTLS_RANDOM_SIZE);
- session->internals.resumed = RESUME_TRUE;
+ session->internals.resumed = true;
return 0;
} else {
ret = _gnutls_generate_session_id(
@@ -247,7 +247,7 @@ _gnutls_read_client_hello_v2(gnutls_session_t session, uint8_t * data,
if (ret < 0)
return gnutls_assert_val(ret);
- session->internals.resumed = RESUME_FALSE;
+ session->internals.resumed = false;
}
return sret;
diff --git a/lib/state.c b/lib/state.c
index fcf6183fa4..9f306faf70 100644
--- a/lib/state.c
+++ b/lib/state.c
@@ -419,7 +419,7 @@ static void handshake_internal_state_clear1(gnutls_session_t session)
session->internals.last_handshake_in = -1;
session->internals.last_handshake_out = -1;
- session->internals.resumable = RESUME_TRUE;
+ session->internals.resumable = true;
session->internals.handshake_suspicious_loops = 0;
session->internals.dtls.hsk_read_seq = 0;
@@ -640,13 +640,6 @@ int gnutls_init(gnutls_session_t * session, unsigned int flags)
return 0;
}
-/* returns RESUME_FALSE or RESUME_TRUE.
- */
-int _gnutls_session_is_resumable(gnutls_session_t session)
-{
- return session->internals.resumable;
-}
-
/**
* gnutls_deinit:
@@ -988,9 +981,9 @@ int gnutls_session_is_resumed(gnutls_session_t session)
{
if (session->security_parameters.entity == GNUTLS_CLIENT) {
const version_entry_st *ver = get_version(session);
- if (ver && ver->tls13_sem &&
- session->internals.resumed != RESUME_FALSE)
- return 1;
+ if (ver && ver->tls13_sem) {
+ return session->internals.resumed;
+ }
if (session->security_parameters.session_id_size > 0 &&
session->security_parameters.session_id_size ==
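Review bot: The TLS 1.3 branch now returns `session->internals.resumed` unconditionally, so a client session that is not resumed no longer falls through to the session-ID comparison below, and the code gives no reason for that. A short comment would stop a later reader from restoring the fall-through, e.g. `/* TLS 1.3: the resumed flag alone decides; the session ID comparison below is not consulted */`. The function returns int and the other paths use `return 1`, so `return session->internals.resumed ? 1 : 0;` would keep the result explicit. The body continues outside the hunk.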
@@ -1004,7 +997,7 @@ int gnutls_session_is_resumed(gnutls_session_t session)
session_id_size) == 0)
return 1;
} else {
- if (session->internals.resumed != RESUME_FALSE)
+ if (session->internals.resumed)
return 1;
}
diff --git a/lib/state.h b/lib/state.h
index 819df21ec6..ff945b0690 100644
--- a/lib/state.h
+++ b/lib/state.h
@@ -99,12 +99,8 @@ static inline int _gnutls_dh_get_min_prime_bits(gnutls_session_t session)
void _gnutls_handshake_internal_state_clear(gnutls_session_t);
-int _gnutls_session_is_resumable(gnutls_session_t session);
-
int _gnutls_session_is_psk(gnutls_session_t session);
-int _gnutls_openpgp_send_fingerprint(gnutls_session_t session);
-
void reset_binders(gnutls_session_t session);
inline static int
diff --git a/lib/tls13/session_ticket.c b/lib/tls13/session_ticket.c
index 072a56d9c1..3f64d8c32e 100644
--- a/lib/tls13/session_ticket.c
+++ b/lib/tls13/session_ticket.c
@@ -201,7 +201,7 @@ generate_session_ticket(gnutls_session_t session, tls13_ticket_st *ticket)
tls13_ticket_st ticket_data;
gnutls_gettime(&now);
- if (session->internals.resumed != RESUME_FALSE) {
+ if (session->internals.resumed) {
/* If we are resuming ensure that we don't extend the lifetime
* of the ticket past the original session expiration time */
if (now.tv_sec >= session->security_parameters.timestamp + session->internals.expire_time)
diff --git a/lib/verify-tofu.c b/lib/verify-tofu.c
index 5cedeed118..4e65c739f7 100644
--- a/lib/verify-tofu.c
+++ b/lib/verify-tofu.c
@@ -560,12 +560,16 @@ gnutls_store_pubkey(const char *db_name,
_gnutls_debug_log("Configuration file: %s\n", db_name);
- tdb->store(db_name, host, service, expiration, &pubkey);
+ ret = tdb->store(db_name, host, service, expiration, &pubkey);
if (need_free) {
_gnutls_free_datum(&pubkey);
}
+ if (ret < 0) {
+ return gnutls_assert_val(GNUTLS_E_DB_ERROR);
+ }
+
return GNUTLS_E_SUCCESS;
}
@@ -638,8 +642,11 @@ gnutls_store_commitment(const char *db_name,
_gnutls_debug_log("Configuration file: %s\n", db_name);
- tdb->cstore(db_name, host, service, expiration,
- (gnutls_digest_algorithm_t)me->id, hash);
+ ret = tdb->cstore(db_name, host, service, expiration,
+ (gnutls_digest_algorithm_t)me->id, hash);
+ if (ret < 0) {
+ return gnutls_assert_val(GNUTLS_E_DB_ERROR);
+ }
return 0;
}
diff --git a/lib/x509/common.c b/lib/x509/common.c
index 3301aaad0c..10c8db53c0 100644
--- a/lib/x509/common.c
+++ b/lib/x509/common.c
@@ -1758,6 +1758,14 @@ unsigned int _gnutls_sort_clist(gnutls_x509_crt_t *clist,
* increasing DEFAULT_MAX_VERIFY_DEPTH.
*/
for (i = 0; i < clist_size; i++) {
+ /* Self-signed certificate found in the chain; skip it
+ * as it should only appear in the trusted set.
+ */
+ if (gnutls_x509_crt_check_issuer(clist[i], clist[i])) {
+ _gnutls_cert_log("self-signed cert found", clist[i]);
+ continue;
+ }
+
for (j = 1; j < clist_size; j++) {
if (i == j)
continue;
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
index 588e7ee0dc..9a16e6b42a 100644
--- a/lib/x509/verify-high.c
+++ b/lib/x509/verify-high.c
@@ -67,6 +67,80 @@ struct gnutls_x509_trust_list_iter {
#define DEFAULT_SIZE 127
+struct cert_set_node_st {
+ gnutls_x509_crt_t *certs;
+ unsigned int size;
+};
+
+struct cert_set_st {
+ struct cert_set_node_st *node;
+ unsigned int size;
+};
+
+static int
+cert_set_init(struct cert_set_st *set, unsigned int size)
+{
+ memset(set, 0, sizeof(*set));
+
+ set->size = size;
+ set->node = gnutls_calloc(size, sizeof(*set->node));
+ if (!set->node) {
+ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+ }
+
+ return 0;
+}
+
+static void
+cert_set_deinit(struct cert_set_st *set)
+{
+ size_t i;
+
+ for (i = 0; i < set->size; i++) {
+ gnutls_free(set->node[i].certs);
+ }
+
+ gnutls_free(set->node);
+}
+
+static bool
+cert_set_contains(struct cert_set_st *set, const gnutls_x509_crt_t cert)
+{
+ size_t hash, i;
+
+ hash = hash_pjw_bare(cert->raw_dn.data, cert->raw_dn.size);
+ hash %= set->size;
+
+ for (i = 0; i < set->node[hash].size; i++) {
+ if (unlikely(gnutls_x509_crt_equals(set->node[hash].certs[i], cert))) {
+ return true;
+ }
+ }
+
+ return false;
+}
+
+static int
+cert_set_add(struct cert_set_st *set, const gnutls_x509_crt_t cert)
+{
+ size_t hash;
+
+ hash = hash_pjw_bare(cert->raw_dn.data, cert->raw_dn.size);
+ hash %= set->size;
+
+ set->node[hash].certs =
+ gnutls_realloc_fast(set->node[hash].certs,
+ (set->node[hash].size + 1) *
+ sizeof(*set->node[hash].certs));
+ if (!set->node[hash].certs) {
+ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+ }
+ set->node[hash].certs[set->node[hash].size] = cert;
+ set->node[hash].size++;
+
+ return 0;
+}
+
/**
* gnutls_x509_trust_list_init:
* @list: A pointer to the type to be initialized
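Review bot: cert_set_init() stores `set->size = size` before the allocation is checked, so after a failed gnutls_calloc the set holds a non-zero size with a NULL `node`. A later cert_set_deinit() or cert_set_contains() on it would index through NULL. The one caller in this diff returns immediately on failure, so this is latent, but moving the assignment below the `if (!set->node)` check (`set->size = size;` just before `return 0;`) removes the trap. Both cert_set_contains() and cert_set_add() compute `hash %= set->size`, so they also rely on the caller never passing a size of 0. None of the four helpers has a header comment; one line on cert_set_init stating the non-zero size requirement and that the set stores borrowed certificate handles (only the arrays are freed in cert_set_deinit) would cover it.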
@@ -1328,6 +1402,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
unsigned have_set_name = 0;
unsigned saved_output;
gnutls_datum_t ip = {NULL, 0};
+ struct cert_set_st cert_set = { NULL, 0 };
if (cert_list == NULL || cert_list_size < 1)
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
@@ -1376,36 +1451,68 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
memcpy(sorted, cert_list, cert_list_size * sizeof(gnutls_x509_crt_t));
cert_list = sorted;
+ ret = cert_set_init(&cert_set, DEFAULT_MAX_VERIFY_DEPTH);
+ if (ret < 0) {
+ return ret;
+ }
+
for (i = 0; i < cert_list_size &&
- cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; i++) {
- if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN)) {
- unsigned int sorted_size;
+ cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; ) {
+ unsigned int sorted_size = 1;
+ unsigned int j;
+ gnutls_x509_crt_t issuer;
+ if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN)) {
sorted_size = _gnutls_sort_clist(&cert_list[i],
cert_list_size - i);
- i += sorted_size - 1;
}
- if (i == cert_list_size - 1) {
- gnutls_x509_crt_t issuer;
-
- /* If it is the last certificate and its issuer is
- * known, don't need to run issuer callback. */
- if (_gnutls_trust_list_get_issuer(list,
- cert_list[i],
- &issuer,
- 0) == 0) {
+ /* Remove duplicates. Start with index 1, as the first element
+ * may be re-checked after issuer retrieval. */
+ for (j = 1; j < sorted_size; j++) {
+ if (cert_set_contains(&cert_set, cert_list[i + j])) {
+ if (i + j < cert_list_size - 1) {
+ memmove(&cert_list[i + j],
+ &cert_list[i + j + 1],
+ sizeof(cert_list[i]));
+ }
+ cert_list_size--;
break;
}
- } else if (gnutls_x509_crt_check_issuer(cert_list[i],
- cert_list[i + 1])) {
- /* There is no gap between this and the next
- * certificate. */
+ }
+ /* Found a duplicate, try again with the same index. */
+ if (j < sorted_size) {
+ continue;
+ }
+
+ /* Record the certificates seen. */
+ for (j = 0; j < sorted_size; j++, i++) {
+ ret = cert_set_add(&cert_set, cert_list[i]);
+ if (ret < 0) {
+ goto cleanup;
+ }
+ }
+
+ /* If the issuer of the certificate is known, no need
+ * for further processing. */
+ if (_gnutls_trust_list_get_issuer(list,
+ cert_list[i - 1],
+ &issuer,
+ 0) == 0) {
+ cert_list_size = i;
+ break;
+ }
+
+ /* If there is no gap between this and the next certificate,
+ * proceed with the next certificate. */
+ if (i < cert_list_size &&
+ gnutls_x509_crt_check_issuer(cert_list[i - 1],
+ cert_list[i])) {
continue;
}
ret = retrieve_issuers(list,
- cert_list[i],
+ cert_list[i - 1],
&retrieved[retrieved_size],
DEFAULT_MAX_VERIFY_DEPTH -
MAX(retrieved_size,
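Review bot: In the duplicate-removal loop, the `memmove` that closes the gap copies `sizeof(cert_list[i])`, which is exactly one element, while `cert_list_size--` drops the last slot. When more than one certificate follows the duplicate, the next entry ends up stored twice and the final entry of the chain is lost, instead of the whole tail shifting down. The length should cover everything after the duplicate: `(cert_list_size - i - j - 1) * sizeof(cert_list[i])`. A test chain with a duplicate in the middle and at least two certificates after it would pin the behaviour. The loop and the function continue outside the hunk.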
@@ -1413,15 +1520,20 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
if (ret < 0) {
break;
} else if (ret > 0) {
- memmove(&cert_list[i + 1 + ret],
- &cert_list[i + 1],
- (cert_list_size - i - 1) *
+ assert((unsigned int)ret <=
+ DEFAULT_MAX_VERIFY_DEPTH - cert_list_size);
+ memmove(&cert_list[i + ret],
+ &cert_list[i],
+ (cert_list_size - i) *
sizeof(gnutls_x509_crt_t));
- memcpy(&cert_list[i + 1],
+ memcpy(&cert_list[i],
&retrieved[retrieved_size],
ret * sizeof(gnutls_x509_crt_t));
retrieved_size += ret;
cert_list_size += ret;
+
+ /* Start again from the end of the previous segment. */
+ i--;
}
}
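Review bot: The bound on `ret` ahead of the `memmove`/`memcpy` into `cert_list` is enforced only by `assert(...)`, which is compiled out when the library is built with NDEBUG. The limit passed to retrieve_issuers appears to be meant to guarantee it, but if that callee ever returned more than the remaining room, a release build would write past the end of the array. A runtime test keeps the guarantee: `if ((unsigned int)ret > DEFAULT_MAX_VERIFY_DEPTH - cert_list_size)`, followed by an error return through the existing `cleanup` label. The retrieved certificates must still be counted in `retrieved_size` before that jump so the cleanup loop releases them. The loop starts outside this hunk.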
@@ -1581,6 +1693,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
for (i = 0; i < retrieved_size; i++) {
gnutls_x509_crt_deinit(retrieved[i]);
}
+ cert_set_deinit(&cert_set);
return ret;
}
diff --git a/lib/x509/x509_dn.c b/lib/x509/x509_dn.c
index b7205ee6ef..54e848f714 100644
--- a/lib/x509/x509_dn.c
+++ b/lib/x509/x509_dn.c
@@ -173,7 +173,7 @@ static int read_attr_and_val(const char **ptr,
/* remove spaces from the end */
while(val->size > 0 && c_isspace(val->data[val->size-1])) {
- if (val->size-2 > 0 && val->data[val->size-2] == '\\')
+ if (val->size > 2 && val->data[val->size-2] == '\\')
break;
val->size--;
}
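Review bot: The guard `val->size > 2` is one stricter than the index needs, because `val->data[val->size-2]` is already in bounds when `val->size == 2`. With `> 2`, a value that is exactly a backslash followed by a space has its escaped space stripped, whereas longer values keep theirs. `if (val->size >= 2 && val->data[val->size-2] == '\\')` treats both cases the same and still avoids the out-of-range index for a one-byte value. The enclosing function starts and ends outside the hunk.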
diff --git a/m4/hooks.m4 b/m4/hooks.m4
index c56c601fde..ed9a990c1d 100644
--- a/m4/hooks.m4
+++ b/m4/hooks.m4
@@ -40,9 +40,9 @@ AC_DEFUN([LIBGNUTLS_HOOKS],
# in CONTRIBUTION.md for more info.
#
# Interfaces removed: AGE=0 (+bump all symbol versions in .map)
- AC_SUBST(LT_CURRENT, 58)
+ AC_SUBST(LT_CURRENT, 59)
AC_SUBST(LT_REVISION, 0)
- AC_SUBST(LT_AGE, 28)
+ AC_SUBST(LT_AGE, 29)
AC_SUBST(LT_SSL_CURRENT, 27)
AC_SUBST(LT_SSL_REVISION, 2)
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 35d06db8fc..5ab6cb4ce5 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -118,6 +118,8 @@ ctests = tls13/supported_versions tls13/tls12-no-tls13-exts \
ctests += tls13/hello_retry_request
+ctests += tls13/hello_retry_request_resume
+
ctests += tls13/psk-ext
ctests += tls13/key_update
@@ -255,13 +257,11 @@ tls12_rehandshake_cert_LDADD = $(CMOCKA_LDADD)
gnutls_record_overhead_CPPFLAGS = $(AM_CPPFLAGS) \
-I$(top_srcdir)/gl \
- -I$(top_builddir)/gl \
- $(NETTLE_CFLAGS)
+ -I$(top_builddir)/gl
ip_utils_CPPFLAGS = $(AM_CPPFLAGS) \
-I$(top_srcdir)/gl \
- -I$(top_builddir)/gl \
- $(NETTLE_CFLAGS)
+ -I$(top_builddir)/gl
endif
@@ -437,38 +437,31 @@ endif
gc_CPPFLAGS = $(AM_CPPFLAGS) \
-I$(top_srcdir)/gl \
- -I$(top_builddir)/gl \
- $(NETTLE_CFLAGS)
+ -I$(top_builddir)/gl
mpi_CPPFLAGS = $(AM_CPPFLAGS) \
-I$(top_srcdir)/gl \
- -I$(top_builddir)/gl \
- $(NETTLE_CFLAGS)
+ -I$(top_builddir)/gl
atfork_CPPFLAGS = $(AM_CPPFLAGS) \
-I$(top_srcdir)/gl \
- -I$(top_builddir)/gl \
- $(NETTLE_CFLAGS)
+ -I$(top_builddir)/gl
pkcs12_s2k_CPPFLAGS = $(AM_CPPFLAGS) \
-I$(top_srcdir)/gl \
- -I$(top_builddir)/gl \
- $(NETTLE_CFLAGS)
+ -I$(top_builddir)/gl
name_constraints_merge_CPPFLAGS = $(AM_CPPFLAGS) \
-I$(top_srcdir)/gl \
- -I$(top_builddir)/gl \
- $(NETTLE_CFLAGS)
+ -I$(top_builddir)/gl
murmur3_CPPFLAGS = $(AM_CPPFLAGS) \
-I$(top_srcdir)/gl \
- -I$(top_builddir)/gl \
- $(NETTLE_CFLAGS)
+ -I$(top_builddir)/gl
tls13_anti_replay_CPPFLAGS = $(AM_CPPFLAGS) \
-I$(top_srcdir)/gl \
- -I$(top_builddir)/gl \
- $(NETTLE_CFLAGS)
+ -I$(top_builddir)/gl
iov_CPPFLAGS = $(AM_CPPFLAGS) \
-I$(top_srcdir)/gl \
diff --git a/tests/dh-compute.c b/tests/dh-compute.c
index 217b23b762..64eb2c5804 100644
--- a/tests/dh-compute.c
+++ b/tests/dh-compute.c
@@ -55,18 +55,18 @@ static void params(gnutls_dh_params_t *dh_params, const gnutls_datum_t *p,
fail("error\n");
}
-static void genkey(gnutls_dh_params_t *dh_params,
+static void genkey(const gnutls_dh_params_t dh_params,
gnutls_datum_t *priv_key, gnutls_datum_t *pub_key)
{
int ret;
- ret = _gnutls_dh_generate_key(*dh_params, priv_key, pub_key);
+ ret = _gnutls_dh_generate_key(dh_params, priv_key, pub_key);
if (ret != 0)
fail("error\n");
}
-static void compute_key(const char *name, gnutls_dh_params_t *dh_params,
- gnutls_datum_t *priv_key, gnutls_datum_t *pub_key,
+static void compute_key(const char *name, const gnutls_dh_params_t dh_params,
+ const gnutls_datum_t *priv_key, const gnutls_datum_t *pub_key,
const gnutls_datum_t *peer_key, int expect_error,
gnutls_datum_t *result, bool expect_success)
{
@@ -74,7 +74,7 @@ static void compute_key(const char *name, gnutls_dh_params_t *dh_params,
bool success;
int ret;
- ret = _gnutls_dh_compute_key(*dh_params, priv_key, pub_key,
+ ret = _gnutls_dh_compute_key(dh_params, priv_key, pub_key,
peer_key, &Z);
if (expect_error != ret)
fail("%s: error %d (expected %d)\n", name, ret, expect_error);
@@ -150,9 +150,9 @@ void doit(void)
params(&dh_params, &test_data[i].prime, &test_data[i].q,
&test_data[i].generator);
- genkey(&dh_params, &priv_key, &pub_key);
+ genkey(dh_params, &priv_key, &pub_key);
- compute_key(test_data[i].name, &dh_params, &priv_key,
+ compute_key(test_data[i].name, dh_params, &priv_key,
&pub_key, &test_data[i].peer_key,
test_data[i].expected_error, NULL, 0);
diff --git a/tests/ecdh-compute.c b/tests/ecdh-compute.c
index d9f99a19ca..2eac61c6c3 100644
--- a/tests/ecdh-compute.c
+++ b/tests/ecdh-compute.c
@@ -53,8 +53,8 @@ static void genkey(gnutls_ecc_curve_t curve, gnutls_datum_t *x,
fail("error\n");
}
-static void compute_key(gnutls_ecc_curve_t curve, gnutls_datum_t *x,
- gnutls_datum_t *y, gnutls_datum_t *key,
+static void compute_key(gnutls_ecc_curve_t curve, const gnutls_datum_t *x,
+ const gnutls_datum_t *y, const gnutls_datum_t *key,
const gnutls_datum_t *peer_x,
const gnutls_datum_t *peer_y,
int expect_error,
diff --git a/tests/gnutls-cli-debug.sh b/tests/gnutls-cli-debug.sh
index a73910dea6..3c3e2214e5 100755
--- a/tests/gnutls-cli-debug.sh
+++ b/tests/gnutls-cli-debug.sh
@@ -184,13 +184,11 @@ cat <<_EOF_ > ${TMPFILE}
tls-disabled-cipher = CAMELLIA-128-CBC
tls-disabled-cipher = CAMELLIA-256-CBC
_EOF_
-export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
+GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}" \
timeout 1800 datefudge "2017-08-9" \
"${DCLI}" -p "${PORT}" localhost >$OUTFILE 2>&1 || fail ${PID} "gnutls-cli-debug run should have succeeded!"
-unset GNUTLS_SYSTEM_PRIORITY_FILE
-
kill ${PID}
wait
diff --git a/tests/missingissuer.c b/tests/missingissuer.c
index f21e2b6b0c..226d095929 100644
--- a/tests/missingissuer.c
+++ b/tests/missingissuer.c
@@ -145,6 +145,8 @@ void doit(void)
printf("[%d]: Chain '%s'...\n", (int)i, chains[i].name);
for (j = 0; chains[i].chain[j]; j++) {
+ assert(j < MAX_CHAIN);
+
if (debug > 2)
printf("\tAdding certificate %d...", (int)j);
diff --git a/tests/resume-with-previous-stek.c b/tests/resume-with-previous-stek.c
index 05c1c90868..3bbba8f896 100644
--- a/tests/resume-with-previous-stek.c
+++ b/tests/resume-with-previous-stek.c
@@ -227,11 +227,13 @@ static void run(const char *name, const char *prio, int resume[], int rounds)
if (child) {
/* We are the parent */
+ close(sockets[1]);
server(sockets[0], rounds, prio);
waitpid(child, &status, 0);
check_wait_status(status);
} else {
/* We are the child */
+ close(sockets[0]);
client(sockets[1], resume, rounds, prio);
exit(0);
}
diff --git a/tests/resume-with-stek-expiration.c b/tests/resume-with-stek-expiration.c
index 80445d64d0..de0f07012b 100644
--- a/tests/resume-with-stek-expiration.c
+++ b/tests/resume-with-stek-expiration.c
@@ -297,11 +297,13 @@ static void run(const char *name, const char *prio, int resumption_should_succee
if (child) {
/* We are the parent */
+ close(sockets[1]);
server(sockets[0], resumption_should_succeed, rounds, prio);
waitpid(child, &status, 0);
check_wait_status(status);
} else {
/* We are the child */
+ close(sockets[0]);
client(sockets[1], resumption_should_succeed, rounds, prio);
exit(0);
}
diff --git a/tests/suite/Makefile.am b/tests/suite/Makefile.am
index d6f6ff135b..8cfb087eda 100644
--- a/tests/suite/Makefile.am
+++ b/tests/suite/Makefile.am
@@ -39,7 +39,19 @@ LDADD = ../../lib/libgnutls.la \
prime_check_LDADD = $(LDADD) -lhogweed -lgmp
scripts_to_test = chain.sh \
- testrng.sh testcompat-polarssl.sh testcompat-openssl.sh \
+ testrng.sh \
+ testcompat-polarssl-serv.sh \
+ testcompat-polarssl-serv-compat.sh \
+ testcompat-polarssl-serv-no-etm.sh \
+ testcompat-openssl-cli.sh \
+ testcompat-openssl-cli-compat.sh \
+ testcompat-openssl-cli-no-etm.sh \
+ testcompat-openssl-serv.sh \
+ testcompat-openssl-serv-compat.sh \
+ testcompat-openssl-serv-no-etm.sh \
+ testcompat-openssl-serv-no-tickets.sh \
+ testcompat-openssl-serv-no-safe-renegotiation.sh \
+ testcompat-openssl-serv-safe-renegotiation.sh \
testrandom.sh tls-fuzzer/tls-fuzzer-nocert.sh \
tls-fuzzer/tls-fuzzer-cert.sh tls-fuzzer/tls-fuzzer-alpn.sh \
tls-fuzzer/tls-fuzzer-nocert-tls13.sh tls-fuzzer/tls-fuzzer-psk.sh \
@@ -67,7 +79,9 @@ TESTS_ENVIRONMENT += ENABLE_SSL3=1
endif
if ENABLE_TLS13_INTEROP
-scripts_to_test += testcompat-tls13-openssl.sh
+scripts_to_test += \
+ testcompat-openssl-tls13-cli.sh \
+ testcompat-openssl-tls13-serv.sh
endif
if ENABLE_OLDGNUTLS_INTEROP
diff --git a/tests/suite/testcompat-main-openssl b/tests/suite/testcompat-main-openssl
deleted file mode 100755
index f0fd6fb512..0000000000
--- a/tests/suite/testcompat-main-openssl
+++ /dev/null
@@ -1,970 +0,0 @@
-#!/bin/sh
-
-# Copyright (c) 2010-2016, Free Software Foundation, Inc.
-# Copyright (c) 2012-2016, Nikos Mavrogiannopoulos
-# All rights reserved.
-#
-# Author: Nikos Mavrogiannopoulos
-#
-# This file is part of GnuTLS.
-#
-# Redistribution and use in source and binary forms, with or without modification,
-# are permitted provided that the following conditions are met:
-#
-# 1. Redistributions of source code must retain the above copyright notice, this
-# list of conditions and the following disclaimer.
-# 2. Redistributions in binary form must reproduce the above copyright notice,
-# this list of conditions and the following disclaimer in the documentation and/or
-# other materials provided with the distribution.
-# 3. Neither the name of the copyright holder nor the names of its contributors may
-# be used to endorse or promote products derived from this software without specific
-# prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
-# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
-# SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
-# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
-# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
-# WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-: ${srcdir=.}
-: ${SERV=../../src/gnutls-serv${EXEEXT}}
-: ${CLI=../../src/gnutls-cli${EXEEXT}}
-unset RETCODE
-
-if ! test -x "${CLI}"; then
- exit 77
-fi
-
-if ! test -z "${VALGRIND}"; then
- VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}"
-fi
-
-if test "${WINDIR}" != ""; then
- exit 77
-fi
-
-. "${srcdir}/../scripts/common.sh"
-
-: ${PORT=${RPORT}}
-
-: ${OPENSSL=openssl}
-SIGALGS=RSA+SHA1:RSA+SHA256
-
-echo "Compatibility checks using "`${OPENSSL} version`
-${OPENSSL} version|grep -e '1\.[0-9]\..' >/dev/null 2>&1
-if test $? != 0; then
- echo "OpenSSL 1.0.0 is required for ECDH and DTLS tests"
- exit 77
-fi
-
-. "${srcdir}/testcompat-common"
-
-${OPENSSL} version|grep -e '1\.[1-9]\..' >/dev/null 2>&1
-HAVE_X25519=$?
-
-test $HAVE_X25519 != 0 && echo "Disabling interop tests for x25519"
-
-${OPENSSL} version|grep -e '[1-9]\.[0-9]\.[0-9]' >/dev/null 2>&1
-NO_TLS1_2=$?
-
-test $NO_TLS1_2 != 0 && echo "Disabling interop tests for TLS 1.2"
-
-${OPENSSL} version|grep -e '[1-9]\.[1-9]\.[0-9]' >/dev/null 2>&1
-if test $? = 0;then
- NO_DH_PARAMS=0
-else
- NO_DH_PARAMS=1
-fi
-
-${OPENSSL} ciphers -v ALL 2>&1|grep -e DHE-DSS >/dev/null 2>&1
-NO_DSS=$?
-
-if test $NO_DSS != 0;then
- echo "Disabling interop tests for DSS ciphersuites"
-else
- DSA_PARAMS="-dkey ${DSA_KEY} -dcert ${DSA_CERT}"
- SIGALGS="$SIGALGS:DSA+SHA1:DSA+SHA256"
-fi
-
-${OPENSSL} ciphers -v ALL 2>&1|grep -e CAMELLIA >/dev/null 2>&1
-NO_CAMELLIA=$?
-
-test $NO_CAMELLIA != 0 && echo "Disabling interop tests for Camellia ciphersuites"
-
-${OPENSSL} ciphers -v ALL 2>&1|grep -e RC4 >/dev/null 2>&1
-NO_RC4=$?
-
-test $NO_RC4 != 0 && echo "Disabling interop tests for RC4 ciphersuites"
-
-${OPENSSL} ciphers -v ALL 2>&1|grep -e 3DES >/dev/null 2>&1
-NO_3DES=$?
-
-test $NO_3DES != 0 && echo "Disabling interop tests for 3DES ciphersuites"
-
-${OPENSSL} ciphers -v ALL 2>&1|grep -e NULL >/dev/null 2>&1
-NO_NULL=$?
-
-test $NO_NULL != 0 && echo "Disabling interop tests for NULL ciphersuites"
-
-${OPENSSL} ecparam -list_curves 2>&1|grep -e prime192v1 >/dev/null 2>&1
-NO_PRIME192v1=$?
-
-test $NO_PRIME192v1 != 0 && echo "Disabling interop tests for prime192v1 ecparam"
-
-if test "${NO_DH_PARAMS}" = 0;then
- OPENSSL_DH_PARAMS_OPT=""
-else
- OPENSSL_DH_PARAMS_OPT="-dhparam \"${DH_PARAMS}\""
-fi
-
-${OPENSSL} s_server -help 2>&1|grep -e -ssl3 >/dev/null 2>&1
-HAVE_NOT_SSL3=$?
-
-if test $HAVE_NOT_SSL3 = 0;then
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -cipher ALL -quiet -www -accept "${PORT}" -keyform pem -certform pem -ssl3 -key "${RSA_KEY}" -cert "${RSA_CERT}" >/dev/null 2>&1
- PID=$!
- wait_server ${PID}
-
- ${OPENSSL} s_client -host localhost -port "${PORT}" -ssl3 </dev/null 2>&1 | grep "\:error\:" && \
- HAVE_NOT_SSL3=1
- kill ${PID}
- wait
-fi
-
-test $HAVE_NOT_SSL3 != 0 && echo "Disabling interop tests for SSL 3.0"
-
-
-echo "#################################################"
-echo "# Client mode tests (gnutls cli-openssl server) #"
-echo "#################################################"
-
-run_client_suite() {
- ADD=$1
- PREFIX=""
- if ! test -z "${ADD}"; then
- PREFIX="$(echo $ADD|sed 's/://g'): "
- fi
-
- if test "${HAVE_NOT_SSL3}" != 1 && test "${ENABLE_SSL3}" = 1; then
- # It seems debian disabled SSL 3.0 completely on openssl
-
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -cipher ALL -sigalgs "$SIGALGS" -quiet -www -accept "${PORT}" -keyform pem -certform pem -ssl3 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
- PID=$!
- wait_server ${PID}
-
- # Test SSL 3.0 with RSA ciphersuite
- echo "${PREFIX}Checking SSL 3.0 with RSA..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+3DES-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- # Test SSL 3.0 with DHE-RSA ciphersuite
- echo "${PREFIX}Checking SSL 3.0 with DHE-RSA..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+3DES-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+DHE-RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- if test "${NO_DSS}" = 0; then
- # Test SSL 3.0 with DHE-DSS ciphersuite
- echo "${PREFIX}Checking SSL 3.0 with DHE-DSS..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+3DES-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
- fi
-
- kill ${PID}
- wait
-
- if test "${NO_RC4}" != 1; then
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -ssl3 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -cipher RC4-SHA >/dev/null
- PID=$!
- wait_server ${PID}
-
- echo "${PREFIX}Checking SSL 3.0 with RSA-RC4-SHA..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+ARCFOUR-128:+SHA1:+SIGN-ALL:+COMP-NULL:+VERS-SSL3.0:+RSA${ADD}" --insecure </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
- fi
- fi
-
- if test "${NO_NULL}" = 0; then
- #-cipher RSA-NULL
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -cipher NULL-SHA -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" >/dev/null
- PID=$!
- wait_server ${PID}
-
- # Test TLS 1.0 with RSA-NULL ciphersuite
- echo "${PREFIX}Checking TLS 1.0 with RSA-NULL..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+NULL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
- fi
-
- #-cipher RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -cipher "ALL:@SECLEVEL=1" -sigalgs "$SIGALGS" -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
- PID=$!
- wait_server ${PID}
-
- # Test TLS 1.0 with RSA ciphersuite
- if test "${NO_3DES}" != 1; then
- echo "${PREFIX}Checking TLS 1.0 with RSA and 3DES-CBC..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+3DES-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
- fi
-
- echo "${PREFIX}Checking TLS 1.0 with RSA and AES-128-CBC..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-128-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- echo "${PREFIX}Checking TLS 1.0 with RSA and AES-256-CBC..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-256-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- if test "${NO_CAMELLIA}" != 1; then
- echo "${PREFIX}Checking TLS 1.0 with RSA and CAMELLIA-128-CBC..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CAMELLIA-128-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- echo "${PREFIX}Checking TLS 1.0 with RSA and CAMELLIA-256-CBC..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CAMELLIA-256-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
- fi
-
- if test "${NO_DSS}" = 0; then
- # Test TLS 1.0 with DHE-DSS ciphersuite
- echo "${PREFIX}Checking TLS 1.0 with DHE-DSS..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
- fi
-
- # Test TLS 1.0 with DHE-RSA ciphersuite
- echo "${PREFIX}Checking TLS 1.0 with DHE-RSA..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- # Test TLS 1.0 with DHE-RSA ciphersuite
- echo "${PREFIX}Checking TLS 1.0 with ECDHE-RSA..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-RSA:+CURVE-ALL${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- if test "${FIPS_CURVES}" != 1 && test "${NO_PRIME192v1}" != 1; then
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -cipher 'DEFAULT:@SECLEVEL=1' -tls1 -key "${RSA_KEY}" -cert "${RSA_CERT}" -named_curve prime192v1 -CAfile "${CA_CERT}" >/dev/null
- PID=$!
- wait_server ${PID}
-
- # Test TLS 1.2 with ECDHE-ECDSA ciphersuite
- echo "${PREFIX}Checking TLS 1.0 with ECDHE-RSA (SECP192R1)..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-RSA:+CURVE-SECP192R1${ADD}" --insecure </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- #-cipher ECDHE-ECDSA-AES128-SHA
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -cipher 'DEFAULT:@SECLEVEL=1' -tls1 -key "${ECC224_KEY}" -cert "${ECC224_CERT}" -Verify 1 -named_curve secp224r1 -CAfile "${CA_ECC_CERT}" >/dev/null
- PID=$!
- wait_server ${PID}
-
- # Test TLS 1.0 with ECDHE-ECDSA ciphersuite
- echo "${PREFIX}Checking TLS 1.0 with ECDHE-ECDSA (SECP224R1)..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-SECP224R1${ADD}" --insecure --x509certfile "${ECC224_CERT}" --x509keyfile "${ECC224_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
- fi
-
- #-cipher ECDHE-ECDSA-AES128-SHA
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -cipher 'DEFAULT:@SECLEVEL=1' -tls1 -key "${ECC384_KEY}" -cert "${ECC384_CERT}" -Verify 1 -named_curve secp384r1 -CAfile "${CA_ECC_CERT}" >/dev/null
- PID=$!
- wait_server ${PID}
-
- # Test TLS 1.0 with ECDHE-ECDSA ciphersuite
- echo "${PREFIX}Checking TLS 1.0 with ECDHE-ECDSA (SECP384R1)..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --insecure --x509certfile "${ECC384_CERT}" --x509keyfile "${ECC384_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- #-cipher ECDHE-ECDSA-AES128-SHA
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -cipher 'DEFAULT:@SECLEVEL=1' -tls1 -key "${ECC521_KEY}" -cert "${ECC521_CERT}" -Verify 1 -named_curve secp521r1 -CAfile "${CA_ECC_CERT}" >/dev/null
- PID=$!
- wait_server ${PID}
-
- # Test TLS 1.0 with ECDHE-ECDSA ciphersuite
- echo "${PREFIX}Checking TLS 1.0 with ECDHE-ECDSA (SECP521R1)..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --insecure --x509certfile "${ECC521_CERT}" --x509keyfile "${ECC521_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- #-cipher PSK
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -tls1 -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -cipher 'PSK:@SECLEVEL=1' -psk 9e32cf7786321a828ef7668f09fb35db >/dev/null
- PID=$!
- wait_server ${PID}
-
- echo "${PREFIX}Checking TLS 1.0 with PSK..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+PSK${ADD}" --pskusername Client_identity --pskkey 9e32cf7786321a828ef7668f09fb35db --insecure </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- if test ${NO_TLS1_2} = 0; then
- # Tests requiring openssl 1.0.1 - TLS 1.2
- #-cipher RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -cipher 'ALL:@SECLEVEL=1' -sigalgs "$SIGALGS" -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
- PID=$!
- wait_server ${PID}
-
- echo "${PREFIX}Checking TLS 1.2 with RSA and AES-128-GCM..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-128-GCM:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- echo "${PREFIX}Checking TLS 1.2 with RSA and AES-256-GCM..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-256-GCM:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- echo "${PREFIX}Checking TLS 1.2 with DHE-RSA..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- if test "${NO_DSS}" = 0; then
- echo "${PREFIX}Checking TLS 1.2 with DHE-DSS..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-DSS:+SIGN-DSA-SHA1:%VERIFY_ALLOW_SIGN_WITH_SHA1:+SIGN-DSA-SHA256${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
- fi
-
- echo "${PREFIX}Checking TLS 1.2 with ECDHE-RSA..."
- "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-RSA:+CURVE-ALL${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- if test "${HAVE_X25519}" = 0; then
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 -key "${RSA_KEY}" -cert "${RSA_CERT}" -curves X25519 -CAfile "${CA_CERT}" >/dev/null
- PID=$!
- wait_server ${PID}
-
- echo "${PREFIX}Checking TLS 1.2 with ECDHE-RSA (X25519)..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-RSA:+CURVE-X25519${ADD}" --insecure --x509certfile "${RSA_CERT}" --x509keyfile "${RSA_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
- fi
-
- if test "${FIPS_CURVES}" != 1; then
- #-cipher ECDHE-ECDSA-AES128-SHA
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 -key "${ECC224_KEY}" -cert "${ECC224_CERT}" -Verify 1 -named_curve secp224r1 -CAfile "${CA_ECC_CERT}" >/dev/null
- PID=$!
- wait_server ${PID}
-
- echo "${PREFIX}Checking TLS 1.2 with ECDHE-ECDSA... (SECP224R1)"
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-SECP224R1:+CURVE-ALL${ADD}" --insecure --x509certfile "${ECC224_CERT}" --x509keyfile "${ECC224_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
- fi
-
- #-cipher ECDHE-ECDSA-AES128-SHA
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 -key "${ECC384_KEY}" -cert "${ECC384_CERT}" -Verify 1 -named_curve secp384r1 -CAfile "${CA_ECC_CERT}" >/dev/null
- PID=$!
- wait_server ${PID}
-
- echo "${PREFIX}Checking TLS 1.2 with ECDHE-ECDSA... (SECP384R1)"
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --insecure --x509certfile "${ECC384_CERT}" --x509keyfile "${ECC384_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- if test "${FIPS_CURVES}" != 1; then
- #-cipher ECDHE-ECDSA-AES128-SHA
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 -key "${ECC521_KEY}" -cert "${ECC521_CERT}" -Verify 1 -named_curve secp521r1 -CAfile "${CA_ECC_CERT}" >/dev/null
- PID=$!
- wait_server ${PID}
-
- echo "${PREFIX}Checking TLS 1.2 with ECDHE-ECDSA... (SECP521R1)"
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --insecure --x509certfile "${ECC521_CERT}" --x509keyfile "${ECC521_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
- fi #FIPS_CURVES
- fi #NO_TLS1_2
-
- #-cipher PSK
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -tls1_2 -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -cipher PSK -psk 9e32cf7786321a828ef7668f09fb35db >/dev/null
- PID=$!
- wait_server ${PID}
-
- echo "${PREFIX}Checking TLS 1.2 with PSK..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+PSK:+CURVE-ALL${ADD}" --insecure --pskusername Client_identity --pskkey 9e32cf7786321a828ef7668f09fb35db </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -cipher 'ALL:@SECLEVEL=1' -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
- PID=$!
- wait_udp_server ${PID}
-
- # Test DTLS 1.0 with RSA ciphersuite
- echo "${PREFIX}Checking DTLS 1.0 with RSA..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+RSA${ADD}" --udp --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -cipher 'ALL:@SECLEVEL=1' -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
- PID=$!
- wait_udp_server ${PID}
-
- # Test DTLS 1.0 with DHE-RSA ciphersuite
- echo "${PREFIX}Checking DTLS 1.0 with DHE-RSA..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+DHE-RSA${ADD}" --udp --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- if test "${NO_DSS}" = 0; then
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -cipher "ALL:@SECLEVEL=1" -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
- PID=$!
- wait_udp_server ${PID}
-
- # Test DTLS 1.0 with DHE-DSS ciphersuite
- echo "${PREFIX}Checking DTLS 1.0 with DHE-DSS..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --udp --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
- fi
-
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -cipher 'ALL:@SECLEVEL=1' -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1_2 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
- PID=$!
- wait_udp_server ${PID}
-
- echo "${PREFIX}Checking DTLS 1.2 with AES-CBC..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-128-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.2:+RSA${ADD}" --udp --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -cipher ALL -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1_2 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" >/dev/null
- PID=$!
- wait_udp_server ${PID}
-
- # Test DTLS 1.2 with RSA ciphersuite
- echo "${PREFIX}Checking DTLS 1.2 with RSA..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.2:+RSA${ADD}" --udp --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -cipher ALL -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1_2 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" >/dev/null
- PID=$!
- wait_udp_server ${PID}
-
- echo "${PREFIX}Checking DTLS 1.2 with ECDHE-RSA..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+GROUP-ALL:+MAC-ALL:+VERS-DTLS1.2:+ECDHE-RSA${ADD}" --udp --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-}
-
-WAITPID=""
-for mod in "" ":%COMPAT" ":%NO_ETM"; do #":%NO_TICKETS" ":%DISABLE_SAFE_RENEGOTIATION"
- run_client_suite $mod &
- WAITPID="$WAITPID $!"
-done
-
-for i in "$WAITPID";do
- wait $i
- test $? != 0 && exit 1
-done
-
-echo "${PREFIX}Client mode tests were successfully completed"
-echo "${PREFIX}"
-echo "${PREFIX}###############################################"
-echo "${PREFIX}# Server mode tests (gnutls server-openssl cli#"
-echo "${PREFIX}###############################################"
-SERV="${SERV} -q"
-
-# Note that openssl s_client does not return error code on failure
-
-run_server_suite() {
- ADD=$1
- PREFIX=""
- if ! test -z "${ADD}"; then
- PREFIX="$(echo $ADD|sed 's/://g'): "
- fi
-
- if test "${HAVE_NOT_SSL3}" != 1 && test "${ENABLE_SSL3}" = 1; then
-
- echo "${PREFIX}Check SSL 3.0 with RSA ciphersuite"
- eval "${GETPORT}"
- launch_server --priority "NONE:+SHA1:+ARCFOUR-128:+3DES-CBC:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
- PID=$!
- wait_server ${PID}
-
- ${OPENSSL} s_client -host localhost -port "${PORT}" -ssl3 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- if test "${NO_RC4}" != 1; then
- echo "${PREFIX}Check SSL 3.0 with RSA-RC4-SHA ciphersuite"
- ${OPENSSL} s_client -host localhost -port "${PORT}" -ssl3 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" -cipher RC4-SHA </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
- fi
-
- kill ${PID}
- wait
-
- echo "${PREFIX}Check SSL 3.0 with DHE-RSA ciphersuite"
- eval "${GETPORT}"
- launch_server --priority "NONE:+CIPHER-ALL:+3DES-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
- PID=$!
- wait_server ${PID}
-
- ${OPENSSL} s_client -cipher DHE -host localhost -port "${PORT}" -ssl3 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- if test "${NO_DSS}" = 0; then
- echo "${PREFIX}Check SSL 3.0 with DHE-DSS ciphersuite"
- eval "${GETPORT}"
- launch_server --priority "NONE:+CIPHER-ALL:+3DES-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --x509certfile "${SERV_DSA_CERT}" --x509keyfile "${SERV_DSA_KEY}" --dhparams "${DH_PARAMS}"
- PID=$!
- wait_server ${PID}
-
- ${OPENSSL} s_client -cipher DHE -host localhost -port "${PORT}" -ssl3 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
- fi
- fi
-
- #TLS 1.0
-
- # This test was disabled because it doesn't work as expected with openssl 1.0.0d
- #echo "${PREFIX}Check TLS 1.0 with RSA ciphersuite (SSLv2 hello)"
- #launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
- #PID=$!
- #wait_server ${PID}
- #
- #${OPENSSL} s_client -host localhost -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- # fail ${PID} "Failed"
- #
- #kill ${PID}
- #wait
-
- if test "${NO_NULL}" = 0; then
- echo "${PREFIX}Check TLS 1.0 with RSA-NULL ciphersuite"
- eval "${GETPORT}"
- launch_server --priority "NONE:+NULL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
- PID=$!
- wait_server ${PID}
-
- ${OPENSSL} s_client -cipher NULL-SHA -host localhost -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
- fi
-
- echo "${PREFIX}Check TLS 1.0 with DHE-RSA ciphersuite"
- eval "${GETPORT}"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
- PID=$!
- wait_server ${PID}
-
- ${OPENSSL} s_client -cipher DHE:@SECLEVEL=1 -host localhost -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- if test "${NO_DSS}" = 0; then
- echo "${PREFIX}Check TLS 1.0 with DHE-DSS ciphersuite"
- eval "${GETPORT}"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --x509certfile "${SERV_DSA_CERT}" --x509keyfile "${SERV_DSA_KEY}" --dhparams "${DH_PARAMS}"
- PID=$!
- wait_server ${PID}
-
- ${OPENSSL} s_client -host localhost -cipher ALL:@SECLEVEL=1 -sigalgs "$SIGALGS" -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
- fi
-
- echo "${PREFIX}Check TLS 1.0 with ECDHE-RSA ciphersuite"
- eval "${GETPORT}"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-RSA:+CURVE-ALL${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher ECDHE-RSA-AES128-SHA
- ${OPENSSL} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- if test "${FIPS_CURVES}" != 1; then
- echo "${PREFIX}Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP224R1)"
- eval "${GETPORT}"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-SECP224R1:+CURVE-ALL${ADD}" --x509certfile "${ECC224_CERT}" --x509keyfile "${ECC224_KEY}" --x509cafile "${CA_ECC_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher ECDHE-ECDSA-AES128-SHA
- ${OPENSSL} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -named_curve secp224r1 -port "${PORT}" -cert "${ECC224_CERT}" -key "${ECC224_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
- fi
-
- echo "${PREFIX}Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP256R1)"
- eval "${GETPORT}"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC256_CERT}" --x509keyfile "${ECC256_KEY}" --x509cafile "${CA_ECC_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher ECDHE-ECDSA-AES128-SHA
- ${OPENSSL} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" -cert "${ECC256_CERT}" -key "${ECC256_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- echo "${PREFIX}Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP384R1)"
- eval "${GETPORT}"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC384_CERT}" --x509keyfile "${ECC384_KEY}" --x509cafile "${CA_ECC_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher ECDHE-ECDSA-AES128-SHA
- ${OPENSSL} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" -cert "${ECC384_CERT}" -key "${ECC384_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- if test "${FIPS_CURVES}" != 1; then
- echo "${PREFIX}Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP521R1)"
- eval "${GETPORT}"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC521_CERT}" --x509keyfile "${ECC521_KEY}" --x509cafile "${CA_ECC_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher ECDHE-ECDSA-AES128-SHA
- ${OPENSSL} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" -cert "${ECC521_CERT}" -key "${ECC521_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
- fi
-
- echo "${PREFIX}Check TLS 1.0 with PSK ciphersuite"
- eval "${GETPORT}"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher PSK-AES128-SHA
- ${OPENSSL} s_client -host localhost -psk_identity Client_identity -psk 9e32cf7786321a828ef7668f09fb35db -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" crt_file="${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep ":error:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- if test ${NO_TLS1_2} = 0; then
- # test resumption
- echo "${PREFIX}Check TLS 1.2 with resumption"
- eval "${GETPORT}"
- launch_server --priority "NORMAL${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
- PID=$!
- wait_server ${PID}
-
- ${OPENSSL} s_client -host localhost -reconnect -tls1_2 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- echo "${PREFIX}Check TLS 1.2 with DHE-RSA ciphersuite"
- eval "${GETPORT}"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
- PID=$!
- wait_server ${PID}
-
- ${OPENSSL} s_client -cipher DHE -host localhost -tls1_2 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- if test "${NO_DSS}" = 0; then
- echo "${PREFIX}Check TLS 1.2 with DHE-DSS ciphersuite"
- eval "${GETPORT}"
- launch_server --priority "NONE:+CIPHER-ALL:%VERIFY_ALLOW_SIGN_WITH_SHA1:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --x509certfile "${SERV_DSA_CERT}" --x509keyfile "${SERV_DSA_KEY}" --dhparams "${DH_PARAMS}"
- PID=$!
- wait_server ${PID}
-
- ${OPENSSL} s_client -cipher DHE -host localhost -cipher 'ALL:@SECLEVEL=1' -sigalgs "$SIGALGS" -tls1_2 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
- fi
-
- echo "${PREFIX}Check TLS 1.2 with ECDHE-RSA ciphersuite"
- eval "${GETPORT}"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-RSA:+CURVE-ALL${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher ECDHE-RSA-AES128-SHA
- ${OPENSSL} s_client -host localhost -tls1_2 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- if test "${HAVE_X22519}" = 0; then
- echo "${PREFIX}Check TLS 1.2 with ECDHE-RSA ciphersuite (X25519)"
- eval "${GETPORT}"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-RSA:+CURVE-X25519${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
- PID=$!
- wait_server ${PID}
-
- ${OPENSSL} s_client -host localhost -tls1_2 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
- fi
-
- if test "${FIPS_CURVES}" != 1; then
- echo "${PREFIX}Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP224R1)"
- eval "${GETPORT}"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-SECP224R1:+CURVE-ALL${ADD}" --x509certfile "${ECC224_CERT}" --x509keyfile "${ECC224_KEY}" --x509cafile "${CA_ECC_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher ECDHE-ECDSA-AES128-SHA
- ${OPENSSL} s_client -host localhost -cipher 'ALL:@SECLEVEL=1' -tls1_2 -named_curve secp224r1 -port "${PORT}" -cert "${ECC224_CERT}" -key "${ECC224_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
- fi
-
- echo "${PREFIX}Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP256R1)"
- eval "${GETPORT}"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC256_CERT}" --x509keyfile "${ECC256_KEY}" --x509cafile "${CA_ECC_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher ECDHE-ECDSA-AES128-SHA
- ${OPENSSL} s_client -host localhost -tls1_2 -port "${PORT}" -cert "${ECC256_CERT}" -key "${ECC256_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- echo "${PREFIX}Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP384R1)"
- eval "${GETPORT}"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC384_CERT}" --x509keyfile "${ECC384_KEY}" --x509cafile "${CA_ECC_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher ECDHE-ECDSA-AES128-SHA
- ${OPENSSL} s_client -host localhost -tls1_2 -port "${PORT}" -cert "${ECC384_CERT}" -key "${ECC384_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- if test "${FIPS_CURVES}" != 1; then
- echo "${PREFIX}Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP521R1)"
- eval "${GETPORT}"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC521_CERT}" --x509keyfile "${ECC521_KEY}" --x509cafile "${CA_ECC_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher ECDHE-ECDSA-AES128-SHA
- ${OPENSSL} s_client -host localhost -tls1_2 -port "${PORT}" -cert "${ECC521_CERT}" -key "${ECC521_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
- fi
-
- echo "${PREFIX}Check TLS 1.2 with PSK ciphersuite"
- eval "${GETPORT}"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher PSK-AES128-SHA
- ${OPENSSL} s_client -host localhost -psk_identity Client_identity -psk 9e32cf7786321a828ef7668f09fb35db -tls1_2 -port "${PORT}" crt_file="${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep ":error:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- fi #NO_TLS1_2
-
- # DTLS
- echo "${PREFIX}Check DTLS 1.0 with RSA ciphersuite"
- eval "${GETPORT}"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+RSA${ADD}" --udp --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
- PID=$!
- wait_udp_server ${PID}
-
- ${OPENSSL} s_client -host localhost -port "${PORT}" -cipher 'ALL:@SECLEVEL=1' -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
-
- echo "${PREFIX}Check DTLS 1.0 with DHE-RSA ciphersuite"
- eval "${GETPORT}"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+DHE-RSA${ADD}" --udp --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
- PID=$!
- wait_udp_server ${PID}
-
-
- ${OPENSSL} s_client -cipher DHE -host localhost -port "${PORT}" -cipher 'ALL:@SECLEVEL=1' -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- if test "${NO_DSS}" = 0; then
- echo "${PREFIX}Check DTLS 1.0 with DHE-DSS ciphersuite"
- eval "${GETPORT}"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --udp --x509certfile "${SERV_DSA_CERT}" --x509keyfile "${SERV_DSA_KEY}" --dhparams "${DH_PARAMS}"
- PID=$!
- wait_udp_server ${PID}
-
-
- ${OPENSSL} s_client -host localhost -port "${PORT}" -cipher 'ALL:@SECLEVEL=1' -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
- fi
-
- echo "${PREFIX}Check DTLS 1.2 with AES-CBC"
- eval "${GETPORT}"
- launch_server --priority "NONE:+AES-128-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.2:+RSA${ADD}" --udp --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
- PID=$!
- wait_udp_server ${PID}
-
- ${OPENSSL} s_client -host localhost -port "${PORT}" -dtls1_2 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- echo "${PREFIX}Check DTLS 1.2 with RSA ciphersuite"
- eval "${GETPORT}"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.2:+RSA${ADD}" --udp --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
- PID=$!
- wait_udp_server ${PID}
-
- ${OPENSSL} s_client -host localhost -port "${PORT}" -dtls1_2 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
-
- echo "${PREFIX}Check DTLS 1.2 with DHE-RSA ciphersuite"
- eval "${GETPORT}"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.2:+DHE-RSA${ADD}" --udp --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
- PID=$!
- wait_udp_server ${PID}
-
-
- ${OPENSSL} s_client -cipher DHE -host localhost -port "${PORT}" -dtls1_2 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- echo "${PREFIX}Check DTLS 1.2 with ECDHE-RSA"
- eval "${GETPORT}"
- launch_server --priority "NONE:+GROUP-ALL:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.2:+ECDHE-RSA${ADD}" --udp --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
- PID=$!
- wait_udp_server ${PID}
-
-
- ${OPENSSL} s_client -cipher ECDHE -host localhost -port "${PORT}" -dtls1_2 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
-}
-
-WAITPID=""
-for mod in "" ":%COMPAT" ":%NO_ETM" ":%NO_TICKETS" ":%DISABLE_SAFE_RENEGOTIATION" ":%SAFE_RENEGOTIATION"; do
- run_server_suite $mod &
- WAITPID="$WAITPID $!"
-done
-
-for i in "$WAITPID";do
- wait $i
- test $? != 0 && exit 1
-done
-
-exit 0
diff --git a/tests/suite/testcompat-main-polarssl b/tests/suite/testcompat-main-polarssl
deleted file mode 100755
index ba8b7bbb6c..0000000000
--- a/tests/suite/testcompat-main-polarssl
+++ /dev/null
@@ -1,449 +0,0 @@
-#!/bin/sh
-
-# Copyright (c) 2010-2015, Free Software Foundation, Inc.
-# Copyright (c) 2012-2015, Nikos Mavrogiannopoulos
-# All rights reserved.
-#
-# Author: Nikos Mavrogiannopoulos
-#
-# This file is part of GnuTLS.
-#
-# Redistribution and use in source and binary forms, with or without modification,
-# are permitted provided that the following conditions are met:
-#
-# 1. Redistributions of source code must retain the above copyright notice, this
-# list of conditions and the following disclaimer.
-# 2. Redistributions in binary form must reproduce the above copyright notice,
-# this list of conditions and the following disclaimer in the documentation and/or
-# other materials provided with the distribution.
-# 3. Neither the name of the copyright holder nor the names of its contributors may
-# be used to endorse or promote products derived from this software without specific
-# prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
-# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
-# SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
-# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
-# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
-# WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-: ${srcdir=.}
-: ${CLI=../../src/gnutls-cli${EXEEXT}}
-LOGFILE=polarssl.log
-unset RETCODE
-
-if ! test -x "${CLI}"; then
- exit 77
-fi
-
-if ! test -z "${VALGRIND}"; then
- VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}"
-fi
-
-if test "${WINDIR}" != ""; then
- exit 77
-fi
-
-. "${srcdir}/../scripts/common.sh"
-
-
-TXT=`"${CLI}" --priority NORMAL --list|grep SECP224`
-if test -z "${TXT}"; then
- ALL_CURVES=0
-else
- ALL_CURVES=1
-fi
-
-
-echo "Compatibility checks using polarssl"
-
-for POLARSSL_CLI in \
- /usr/bin/polarssl_ssl_client2 \
- /usr/bin/mbedtls_ssl_client2 \
- /usr/libexec/mbedtls/ssl_client2 \
- ""; do
- test -x "${POLARSSL_CLI}" && break
-done
-
-if test -z "${POLARSSL_CLI}"; then
- echo "PolarSSL is required for this test to run"
- exit 77
-fi
-
-"${POLARSSL_CLI}" >/dev/null 2>&1
-if test $? = 0; then
- echo "PolarSSL 1.3.x is required for the tests to run"
- exit 77
-fi
-
-
-. "${srcdir}/testcompat-common"
-
-echo ""
-echo "##################################################"
-echo "# Server mode tests (gnutls server-polarssl cli) #"
-echo "##################################################"
-SERV="../../src/gnutls-serv${EXEEXT} -q"
-
-rm -f "${LOGFILE}"
-
-run_server_suite() {
- ADD=$1
- PREFIX=""
- if ! test -z "${ADD}"; then
- PREFIX="$(echo $ADD|sed 's/://g'): "
- fi
-
- eval "${GETPORT}"
-
- #TLS 1.0
-
- echo "${PREFIX}Check TLS 1.0 with DHE-RSA ciphersuite"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
- PID=$!
- wait_server ${PID}
-
- "${POLARSSL_CLI}" server_name=localhost min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- #echo "${PREFIX}Check TLS 1.0 with DHE-DSS ciphersuite"
- #launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-DSS${ADD}" --x509certfile "${SERV_DSA_CERT}" --x509keyfile "${SERV_DSA_KEY}" --dhparams "${DH_PARAMS}"
- #PID=$!
- #wait_server ${PID}
-
- #"${POLARSSL_CLI}" server_name=localhost min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
- # fail ${PID} "Failed"
-
- #kill ${PID}
- #wait
-
- eval "${GETPORT}"
- echo "${PREFIX}Check TLS 1.0 with ECDHE-RSA ciphersuite"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-RSA:+CURVE-ALL${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher ECDHE-RSA-AES128-SHA
- "${POLARSSL_CLI}" server_name=localhost min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- eval "${GETPORT}"
- echo "${PREFIX}Check TLS 1.0 with PSK ciphersuite"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher PSK-AES128-SHA
- "${POLARSSL_CLI}" server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- eval "${GETPORT}"
- echo "${PREFIX}Check TLS 1.0 with DHE-PSK ciphersuite"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher PSK-AES128-SHA
- "${POLARSSL_CLI}" server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- eval "${GETPORT}"
- echo "${PREFIX}Check TLS 1.0 with ECDHE-PSK ciphersuite"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher PSK-AES128-SHA
- "${POLARSSL_CLI}" server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- eval "${GETPORT}"
- echo "${PREFIX}Check TLS 1.0 with RSA-PSK ciphersuite"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA-PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher RSA-PSK-AES128-SHA
- "${POLARSSL_CLI}" server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- if test ${ALL_CURVES} = 1; then
- eval "${GETPORT}"
- echo "${PREFIX}Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP224R1)"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC224_CERT}" --x509keyfile "${ECC224_KEY}" --x509cafile "${CA_ECC_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher ECDHE-ECDSA-AES128-SHA
- "${POLARSSL_CLI}" server_name=localhost min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${ECC224_CERT}" key_file="${ECC224_KEY}" ca_file="${CA_ECC_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
- fi
-
- eval "${GETPORT}"
- echo "${PREFIX}Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP256R1)"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC256_CERT}" --x509keyfile "${ECC256_KEY}" --x509cafile "${CA_ECC_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher ECDHE-ECDSA-AES128-SHA
- "${POLARSSL_CLI}" server_name=localhost min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${ECC256_CERT}" key_file="${ECC256_KEY}" ca_file="${CA_ECC_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- eval "${GETPORT}"
- echo "${PREFIX}Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP384R1)"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC384_CERT}" --x509keyfile "${ECC384_KEY}" --x509cafile "${CA_ECC_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher ECDHE-ECDSA-AES128-SHA
- "${POLARSSL_CLI}" server_name=localhost min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${ECC384_CERT}" key_file="${ECC384_KEY}" ca_file="${CA_ECC_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- eval "${GETPORT}"
- echo "${PREFIX}Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP521R1)"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC521_CERT}" --x509keyfile "${ECC521_KEY}" --x509cafile "${CA_ECC_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher ECDHE-ECDSA-AES128-SHA
- "${POLARSSL_CLI}" server_name=localhost min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${ECC521_CERT}" key_file="${ECC521_KEY}" ca_file="${CA_ECC_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- eval "${GETPORT}"
- echo "${PREFIX}Check TLS 1.2 with DHE-RSA ciphersuite"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
- PID=$!
- wait_server ${PID}
-
- "${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- eval "${GETPORT}"
- echo "${PREFIX}Check TLS 1.2 with CAMELLIA-128-GCM-DHE-RSA ciphersuite"
- launch_server --priority "NONE:-CIPHER-ALL:+CAMELLIA-128-GCM:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
- PID=$!
- wait_server ${PID}
-
- "${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- eval "${GETPORT}"
- echo "${PREFIX}Check TLS 1.2 with CAMELLIA-256-GCM-DHE-RSA ciphersuite"
- launch_server --priority "NONE:-CIPHER-ALL:+CAMELLIA-256-GCM:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
- PID=$!
- wait_server ${PID}
-
- "${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- eval "${GETPORT}"
- echo "${PREFIX}Check TLS 1.2 with AES-128-CCM-DHE-RSA ciphersuite"
- launch_server --priority "NONE:-CIPHER-ALL:+AES-128-CCM:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
- PID=$!
- wait_server ${PID}
-
- "${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- eval "${GETPORT}"
- echo "${PREFIX}Check TLS 1.2 with AES-128-CCM-8-DHE-RSA ciphersuite"
- launch_server --priority "NONE:-CIPHER-ALL:+AES-128-CCM-8:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
- PID=$!
- wait_server ${PID}
-
- "${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- #echo "${PREFIX}Check TLS 1.2 with DHE-DSS ciphersuite"
- #launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-DSS${ADD}" --x509certfile "${SERV_DSA_CERT}" --x509keyfile "${SERV_DSA_KEY}" --dhparams "${DH_PARAMS}"
- #PID=$!
- #wait_server ${PID}
- #
- #"${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
- # fail ${PID} "Failed"
- #
- #kill ${PID}
- #wait
-
- eval "${GETPORT}"
- echo "${PREFIX}Check TLS 1.2 with ECDHE-RSA ciphersuite"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-RSA:+CURVE-ALL${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher ECDHE-RSA-AES128-SHA
- "${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- if test ${ALL_CURVES} = 1; then
- eval "${GETPORT}"
- echo "${PREFIX}Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP224R1)"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC224_CERT}" --x509keyfile "${ECC224_KEY}" --x509cafile "${CA_ECC_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher ECDHE-ECDSA-AES128-SHA
- "${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${ECC224_CERT}" key_file="${ECC224_KEY}" ca_file="${CA_ECC_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
- fi
-
- eval "${GETPORT}"
- echo "${PREFIX}Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP256R1)"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC256_CERT}" --x509keyfile "${ECC256_KEY}" --x509cafile "${CA_ECC_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher ECDHE-ECDSA-AES128-SHA
- "${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${ECC256_CERT}" key_file="${ECC256_KEY}" ca_file="${CA_ECC_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- eval "${GETPORT}"
- echo "${PREFIX}Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP384R1)"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC384_CERT}" --x509keyfile "${ECC384_KEY}" --x509cafile "${CA_ECC_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher ECDHE-ECDSA-AES128-SHA
- "${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${ECC384_CERT}" key_file="${ECC384_KEY}" ca_file="${CA_ECC_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- eval "${GETPORT}"
- echo "${PREFIX}Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP521R1)"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC521_CERT}" --x509keyfile "${ECC521_KEY}" --x509cafile "${CA_ECC_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher ECDHE-ECDSA-AES128-SHA
- "${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${ECC521_CERT}" key_file="${ECC521_KEY}" ca_file="${CA_ECC_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- eval "${GETPORT}"
- echo "${PREFIX}Check TLS 1.2 with PSK ciphersuite"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher PSK-AES128-SHA
- "${POLARSSL_CLI}" server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- eval "${GETPORT}"
- echo "${PREFIX}Check TLS 1.2 with DHE-PSK ciphersuite"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher PSK-AES128-SHA
- "${POLARSSL_CLI}" server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- eval "${GETPORT}"
- echo "${PREFIX}Check TLS 1.2 with ECDHE-PSK ciphersuite"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher PSK-AES128-SHA
- "${POLARSSL_CLI}" server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- eval "${GETPORT}"
- echo "${PREFIX}Check TLS 1.2 with RSA-PSK ciphersuite"
- launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+RSA-PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
- PID=$!
- wait_server ${PID}
-
- #-cipher RSA-PSK-AES128-SHA
- "${POLARSSL_CLI}" server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-}
-
-WAITPID=""
-for mod in "" ":%COMPAT" ":%NO_ETM"; do #":%NO_TICKETS" ":%DISABLE_SAFE_RENEGOTIATION"
- run_server_suite $mod &
- WAITPID="$WAITPID $!"
-done
-
-for i in "$WAITPID";do
- wait $i
- test $? != 0 && exit 1
-done
-
-rm -f "${LOGFILE}"
-
-exit 0
diff --git a/tests/suite/testcompat-openssl-cli-common.sh b/tests/suite/testcompat-openssl-cli-common.sh
new file mode 100755
index 0000000000..8f0418647d
--- /dev/null
+++ b/tests/suite/testcompat-openssl-cli-common.sh
@@ -0,0 +1,512 @@
+#!/bin/sh
+
+# Copyright (c) 2010-2016, Free Software Foundation, Inc.
+# Copyright (c) 2012-2016, Nikos Mavrogiannopoulos
+# All rights reserved.
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# Redistribution and use in source and binary forms, with or without modification,
+# are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice, this
+# list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright notice,
+# this list of conditions and the following disclaimer in the documentation and/or
+# other materials provided with the distribution.
+# 3. Neither the name of the copyright holder nor the names of its contributors may
+# be used to endorse or promote products derived from this software without specific
+# prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
+# SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
+# WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+: ${srcdir=.}
+: ${SERV=../../src/gnutls-serv${EXEEXT}}
+: ${CLI=../../src/gnutls-cli${EXEEXT}}
+unset RETCODE
+
+if ! test -x "${CLI}"; then
+ exit 77
+fi
+
+if ! test -z "${VALGRIND}"; then
+ VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}"
+fi
+
+if test "${WINDIR}" != ""; then
+ exit 77
+fi
+
+. "${srcdir}/../scripts/common.sh"
+
+: ${PORT=${RPORT}}
+
+: ${OPENSSL=openssl}
+SIGALGS=RSA+SHA1:RSA+SHA256
+
+echo "Compatibility checks using "`${OPENSSL} version`
+${OPENSSL} version|grep -e '1\.[0-9]\..' >/dev/null 2>&1
+if test $? != 0; then
+ echo "OpenSSL 1.0.0 is required for ECDH and DTLS tests"
+ exit 77
+fi
+
+. "${srcdir}/testcompat-common"
+
+${OPENSSL} version|grep -e '1\.[1-9]\..' >/dev/null 2>&1
+HAVE_X25519=$?
+
+test $HAVE_X25519 != 0 && echo "Disabling interop tests for x25519"
+
+${OPENSSL} version|grep -e '[1-9]\.[0-9]\.[0-9]' >/dev/null 2>&1
+NO_TLS1_2=$?
+
+test $NO_TLS1_2 != 0 && echo "Disabling interop tests for TLS 1.2"
+
+${OPENSSL} version|grep -e '[1-9]\.[1-9]\.[0-9]' >/dev/null 2>&1
+if test $? = 0;then
+ NO_DH_PARAMS=0
+else
+ NO_DH_PARAMS=1
+fi
+
+${OPENSSL} ciphers -v ALL 2>&1|grep -e DHE-DSS >/dev/null 2>&1
+NO_DSS=$?
+
+if test $NO_DSS != 0;then
+ echo "Disabling interop tests for DSS ciphersuites"
+else
+ DSA_PARAMS="-dkey ${DSA_KEY} -dcert ${DSA_CERT}"
+ SIGALGS="$SIGALGS:DSA+SHA1:DSA+SHA256"
+fi
+
+${OPENSSL} ciphers -v ALL 2>&1|grep -e CAMELLIA >/dev/null 2>&1
+NO_CAMELLIA=$?
+
+test $NO_CAMELLIA != 0 && echo "Disabling interop tests for Camellia ciphersuites"
+
+${OPENSSL} ciphers -v ALL 2>&1|grep -e RC4 >/dev/null 2>&1
+NO_RC4=$?
+
+test $NO_RC4 != 0 && echo "Disabling interop tests for RC4 ciphersuites"
+
+${OPENSSL} ciphers -v ALL 2>&1|grep -e 3DES >/dev/null 2>&1
+NO_3DES=$?
+
+test $NO_3DES != 0 && echo "Disabling interop tests for 3DES ciphersuites"
+
+${OPENSSL} ciphers -v ALL 2>&1|grep -e NULL >/dev/null 2>&1
+NO_NULL=$?
+
+test $NO_NULL != 0 && echo "Disabling interop tests for NULL ciphersuites"
+
+${OPENSSL} ecparam -list_curves 2>&1|grep -e prime192v1 >/dev/null 2>&1
+NO_PRIME192v1=$?
+
+test $NO_PRIME192v1 != 0 && echo "Disabling interop tests for prime192v1 ecparam"
+
+if test "${NO_DH_PARAMS}" = 0;then
+ OPENSSL_DH_PARAMS_OPT=""
+else
+ OPENSSL_DH_PARAMS_OPT="-dhparam \"${DH_PARAMS}\""
+fi
+
+${OPENSSL} s_server -help 2>&1|grep -e -ssl3 >/dev/null 2>&1
+HAVE_NOT_SSL3=$?
+
+if test $HAVE_NOT_SSL3 = 0;then
+ eval "${GETPORT}"
+ launch_bare_server "$OPENSSL" s_server -cipher ALL -quiet -www -accept "${PORT}" -keyform pem -certform pem -ssl3 -key "${RSA_KEY}" -cert "${RSA_CERT}" >/dev/null 2>&1
+ PID=$!
+ wait_server ${PID}
+
+ ${OPENSSL} s_client -host localhost -port "${PORT}" -ssl3 </dev/null 2>&1 | grep "\:error\:" && \
+ HAVE_NOT_SSL3=1
+ kill ${PID}
+ wait
+fi
+
+test $HAVE_NOT_SSL3 != 0 && echo "Disabling interop tests for SSL 3.0"
+
+
+echo "#################################################"
+echo "# Client mode tests (gnutls cli-openssl server) #"
+echo "#################################################"
+
+ADD=$1
+PREFIX=""
+if ! test -z "${ADD}"; then
+ PREFIX="$(echo $ADD|sed 's/://g'): "
+fi
+
+if test "${HAVE_NOT_SSL3}" != 1 && test "${ENABLE_SSL3}" = 1; then
+ # It seems debian disabled SSL 3.0 completely on openssl
+
+ eval "${GETPORT}"
+ launch_bare_server "$OPENSSL" s_server -cipher ALL -sigalgs "$SIGALGS" -quiet -www -accept "${PORT}" -keyform pem -certform pem -ssl3 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
+ PID=$!
+ wait_server ${PID}
+
+ # Test SSL 3.0 with RSA ciphersuite
+ echo "${PREFIX}Checking SSL 3.0 with RSA..."
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+3DES-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+ # Test SSL 3.0 with DHE-RSA ciphersuite
+ echo "${PREFIX}Checking SSL 3.0 with DHE-RSA..."
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+3DES-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+DHE-RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+ if test "${NO_DSS}" = 0; then
+ # Test SSL 3.0 with DHE-DSS ciphersuite
+ echo "${PREFIX}Checking SSL 3.0 with DHE-DSS..."
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+3DES-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+ fi
+
+ kill ${PID}
+ wait
+
+ if test "${NO_RC4}" != 1; then
+ eval "${GETPORT}"
+ launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -ssl3 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -cipher RC4-SHA >/dev/null
+ PID=$!
+ wait_server ${PID}
+
+ echo "${PREFIX}Checking SSL 3.0 with RSA-RC4-SHA..."
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+ARCFOUR-128:+SHA1:+SIGN-ALL:+COMP-NULL:+VERS-SSL3.0:+RSA${ADD}" --insecure </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+ fi
+fi
+
+if test "${NO_NULL}" = 0; then
+ #-cipher RSA-NULL
+ eval "${GETPORT}"
+ launch_bare_server "$OPENSSL" s_server -cipher NULL-SHA -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" >/dev/null
+ PID=$!
+ wait_server ${PID}
+
+ # Test TLS 1.0 with RSA-NULL ciphersuite
+ echo "${PREFIX}Checking TLS 1.0 with RSA-NULL..."
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+NULL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+fi
+
+#-cipher RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA
+eval "${GETPORT}"
+launch_bare_server "$OPENSSL" s_server -cipher "ALL:@SECLEVEL=1" -sigalgs "$SIGALGS" -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
+PID=$!
+wait_server ${PID}
+
+# Test TLS 1.0 with RSA ciphersuite
+if test "${NO_3DES}" != 1; then
+ echo "${PREFIX}Checking TLS 1.0 with RSA and 3DES-CBC..."
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+3DES-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+fi
+
+echo "${PREFIX}Checking TLS 1.0 with RSA and AES-128-CBC..."
+${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-128-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+echo "${PREFIX}Checking TLS 1.0 with RSA and AES-256-CBC..."
+${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-256-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+if test "${NO_CAMELLIA}" != 1; then
+ echo "${PREFIX}Checking TLS 1.0 with RSA and CAMELLIA-128-CBC..."
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CAMELLIA-128-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+ echo "${PREFIX}Checking TLS 1.0 with RSA and CAMELLIA-256-CBC..."
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CAMELLIA-256-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+fi
+
+if test "${NO_DSS}" = 0; then
+ # Test TLS 1.0 with DHE-DSS ciphersuite
+ echo "${PREFIX}Checking TLS 1.0 with DHE-DSS..."
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+fi
+
+# Test TLS 1.0 with DHE-RSA ciphersuite
+echo "${PREFIX}Checking TLS 1.0 with DHE-RSA..."
+${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+# Test TLS 1.0 with DHE-RSA ciphersuite
+echo "${PREFIX}Checking TLS 1.0 with ECDHE-RSA..."
+${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-RSA:+CURVE-ALL${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+if test "${FIPS_CURVES}" != 1 && test "${NO_PRIME192v1}" != 1; then
+ eval "${GETPORT}"
+ launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -cipher 'DEFAULT:@SECLEVEL=1' -tls1 -key "${RSA_KEY}" -cert "${RSA_CERT}" -named_curve prime192v1 -CAfile "${CA_CERT}" >/dev/null
+ PID=$!
+ wait_server ${PID}
+
+ # Test TLS 1.2 with ECDHE-ECDSA ciphersuite
+ echo "${PREFIX}Checking TLS 1.0 with ECDHE-RSA (SECP192R1)..."
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-RSA:+CURVE-SECP192R1${ADD}" --insecure </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+
+ #-cipher ECDHE-ECDSA-AES128-SHA
+ eval "${GETPORT}"
+ launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -cipher 'DEFAULT:@SECLEVEL=1' -tls1 -key "${ECC224_KEY}" -cert "${ECC224_CERT}" -Verify 1 -named_curve secp224r1 -CAfile "${CA_ECC_CERT}" >/dev/null
+ PID=$!
+ wait_server ${PID}
+
+ # Test TLS 1.0 with ECDHE-ECDSA ciphersuite
+ echo "${PREFIX}Checking TLS 1.0 with ECDHE-ECDSA (SECP224R1)..."
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-SECP224R1${ADD}" --insecure --x509certfile "${ECC224_CERT}" --x509keyfile "${ECC224_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+fi
+
+#-cipher ECDHE-ECDSA-AES128-SHA
+eval "${GETPORT}"
+launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -cipher 'DEFAULT:@SECLEVEL=1' -tls1 -key "${ECC384_KEY}" -cert "${ECC384_CERT}" -Verify 1 -named_curve secp384r1 -CAfile "${CA_ECC_CERT}" >/dev/null
+PID=$!
+wait_server ${PID}
+
+# Test TLS 1.0 with ECDHE-ECDSA ciphersuite
+echo "${PREFIX}Checking TLS 1.0 with ECDHE-ECDSA (SECP384R1)..."
+${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --insecure --x509certfile "${ECC384_CERT}" --x509keyfile "${ECC384_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+#-cipher ECDHE-ECDSA-AES128-SHA
+eval "${GETPORT}"
+launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -cipher 'DEFAULT:@SECLEVEL=1' -tls1 -key "${ECC521_KEY}" -cert "${ECC521_CERT}" -Verify 1 -named_curve secp521r1 -CAfile "${CA_ECC_CERT}" >/dev/null
+PID=$!
+wait_server ${PID}
+
+# Test TLS 1.0 with ECDHE-ECDSA ciphersuite
+echo "${PREFIX}Checking TLS 1.0 with ECDHE-ECDSA (SECP521R1)..."
+${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --insecure --x509certfile "${ECC521_CERT}" --x509keyfile "${ECC521_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+#-cipher PSK
+eval "${GETPORT}"
+launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -tls1 -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -cipher 'PSK:@SECLEVEL=1' -psk 9e32cf7786321a828ef7668f09fb35db >/dev/null
+PID=$!
+wait_server ${PID}
+
+echo "${PREFIX}Checking TLS 1.0 with PSK..."
+${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+PSK${ADD}" --pskusername Client_identity --pskkey 9e32cf7786321a828ef7668f09fb35db --insecure </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+if test ${NO_TLS1_2} = 0; then
+ # Tests requiring openssl 1.0.1 - TLS 1.2
+ #-cipher RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA
+ eval "${GETPORT}"
+ launch_bare_server "$OPENSSL" s_server -cipher 'ALL:@SECLEVEL=1' -sigalgs "$SIGALGS" -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
+ PID=$!
+ wait_server ${PID}
+
+ echo "${PREFIX}Checking TLS 1.2 with RSA and AES-128-GCM..."
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-128-GCM:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+ echo "${PREFIX}Checking TLS 1.2 with RSA and AES-256-GCM..."
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-256-GCM:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+ echo "${PREFIX}Checking TLS 1.2 with DHE-RSA..."
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+ if test "${NO_DSS}" = 0; then
+ echo "${PREFIX}Checking TLS 1.2 with DHE-DSS..."
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-DSS:+SIGN-DSA-SHA1:%VERIFY_ALLOW_SIGN_WITH_SHA1:+SIGN-DSA-SHA256${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+ fi
+
+ echo "${PREFIX}Checking TLS 1.2 with ECDHE-RSA..."
+ "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-RSA:+CURVE-ALL${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+
+ if test "${HAVE_X25519}" = 0; then
+ eval "${GETPORT}"
+ launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 -key "${RSA_KEY}" -cert "${RSA_CERT}" -curves X25519 -CAfile "${CA_CERT}" >/dev/null
+ PID=$!
+ wait_server ${PID}
+
+ echo "${PREFIX}Checking TLS 1.2 with ECDHE-RSA (X25519)..."
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-RSA:+CURVE-X25519${ADD}" --insecure --x509certfile "${RSA_CERT}" --x509keyfile "${RSA_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+ fi
+
+ if test "${FIPS_CURVES}" != 1; then
+ #-cipher ECDHE-ECDSA-AES128-SHA
+ eval "${GETPORT}"
+ launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 -key "${ECC224_KEY}" -cert "${ECC224_CERT}" -Verify 1 -named_curve secp224r1 -CAfile "${CA_ECC_CERT}" >/dev/null
+ PID=$!
+ wait_server ${PID}
+
+ echo "${PREFIX}Checking TLS 1.2 with ECDHE-ECDSA... (SECP224R1)"
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-SECP224R1:+CURVE-ALL${ADD}" --insecure --x509certfile "${ECC224_CERT}" --x509keyfile "${ECC224_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+ fi
+
+ #-cipher ECDHE-ECDSA-AES128-SHA
+ eval "${GETPORT}"
+ launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 -key "${ECC384_KEY}" -cert "${ECC384_CERT}" -Verify 1 -named_curve secp384r1 -CAfile "${CA_ECC_CERT}" >/dev/null
+ PID=$!
+ wait_server ${PID}
+
+ echo "${PREFIX}Checking TLS 1.2 with ECDHE-ECDSA... (SECP384R1)"
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --insecure --x509certfile "${ECC384_CERT}" --x509keyfile "${ECC384_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+
+ if test "${FIPS_CURVES}" != 1; then
+ #-cipher ECDHE-ECDSA-AES128-SHA
+ eval "${GETPORT}"
+ launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 -key "${ECC521_KEY}" -cert "${ECC521_CERT}" -Verify 1 -named_curve secp521r1 -CAfile "${CA_ECC_CERT}" >/dev/null
+ PID=$!
+ wait_server ${PID}
+
+ echo "${PREFIX}Checking TLS 1.2 with ECDHE-ECDSA... (SECP521R1)"
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --insecure --x509certfile "${ECC521_CERT}" --x509keyfile "${ECC521_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+ fi #FIPS_CURVES
+fi #NO_TLS1_2
+
+#-cipher PSK
+eval "${GETPORT}"
+launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -tls1_2 -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -cipher PSK -psk 9e32cf7786321a828ef7668f09fb35db >/dev/null
+PID=$!
+wait_server ${PID}
+
+echo "${PREFIX}Checking TLS 1.2 with PSK..."
+${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+PSK:+CURVE-ALL${ADD}" --insecure --pskusername Client_identity --pskkey 9e32cf7786321a828ef7668f09fb35db </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+eval "${GETPORT}"
+launch_bare_server "$OPENSSL" s_server -cipher 'ALL:@SECLEVEL=1' -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
+PID=$!
+wait_udp_server ${PID}
+
+# Test DTLS 1.0 with RSA ciphersuite
+echo "${PREFIX}Checking DTLS 1.0 with RSA..."
+${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+RSA${ADD}" --udp --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+eval "${GETPORT}"
+launch_bare_server "$OPENSSL" s_server -cipher 'ALL:@SECLEVEL=1' -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
+PID=$!
+wait_udp_server ${PID}
+
+# Test DTLS 1.0 with DHE-RSA ciphersuite
+echo "${PREFIX}Checking DTLS 1.0 with DHE-RSA..."
+${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+DHE-RSA${ADD}" --udp --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+if test "${NO_DSS}" = 0; then
+ eval "${GETPORT}"
+ launch_bare_server "$OPENSSL" s_server -cipher "ALL:@SECLEVEL=1" -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
+ PID=$!
+ wait_udp_server ${PID}
+
+ # Test DTLS 1.0 with DHE-DSS ciphersuite
+ echo "${PREFIX}Checking DTLS 1.0 with DHE-DSS..."
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --udp --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+fi
+
+eval "${GETPORT}"
+launch_bare_server "$OPENSSL" s_server -cipher 'ALL:@SECLEVEL=1' -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1_2 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
+PID=$!
+wait_udp_server ${PID}
+
+echo "${PREFIX}Checking DTLS 1.2 with AES-CBC..."
+${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-128-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.2:+RSA${ADD}" --udp --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+eval "${GETPORT}"
+launch_bare_server "$OPENSSL" s_server -cipher ALL -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1_2 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" >/dev/null
+PID=$!
+wait_udp_server ${PID}
+
+# Test DTLS 1.2 with RSA ciphersuite
+echo "${PREFIX}Checking DTLS 1.2 with RSA..."
+${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.2:+RSA${ADD}" --udp --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+eval "${GETPORT}"
+launch_bare_server "$OPENSSL" s_server -cipher ALL -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1_2 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" >/dev/null
+PID=$!
+wait_udp_server ${PID}
+
+echo "${PREFIX}Checking DTLS 1.2 with ECDHE-RSA..."
+${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+GROUP-ALL:+MAC-ALL:+VERS-DTLS1.2:+ECDHE-RSA${ADD}" --udp --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
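Review bot: The `OPENSSL_DH_PARAMS_OPT="-dhparam \"${DH_PARAMS}\""` assignment stores literal double quotes in the value, and every `launch_bare_server` call then expands `${OPENSSL_DH_PARAMS_OPT}` unquoted, so the shell splits the value on whitespace but never removes those quotes. Unless `launch_bare_server` (defined in the sourced common.sh, not visible here) re-evaluates its arguments, `s_server` is handed a file name wrapped in quote characters, and the DHE checks may then run without the intended parameters. Building the option the way `DSA_PARAMS` is built earlier in the file avoids this: `OPENSSL_DH_PARAMS_OPT="-dhparam ${DH_PARAMS}"`. Separately, the "TLS 1.2 with ECDHE-RSA" client call is the only one in the file without the `${VALGRIND}` prefix, so that handshake is left out of memory-checked runs; prefixing it like its neighbours would keep coverage uniform.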
diff --git a/tests/suite/testcompat-openssl-cli-compat.sh b/tests/suite/testcompat-openssl-cli-compat.sh
new file mode 100755
index 0000000000..f3513acb55
--- /dev/null
+++ b/tests/suite/testcompat-openssl-cli-compat.sh
@@ -0,0 +1,65 @@
+#!/bin/sh
+
+# Copyright (c) 2010-2015, Free Software Foundation, Inc.
+# Copyright (c) 2012-2015, Nikos Mavrogiannopoulos
+# All rights reserved.
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# Redistribution and use in source and binary forms, with or without modification,
+# are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice, this
+# list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright notice,
+# this list of conditions and the following disclaimer in the documentation and/or
+# other materials provided with the distribution.
+# 3. Neither the name of the copyright holder nor the names of its contributors may
+# be used to endorse or promote products derived from this software without specific
+# prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
+# SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
+# WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+: ${srcdir=.}
+
+if test "${GNUTLS_FORCE_FIPS_MODE}" = 1;then
+ echo "Cannot run in FIPS140-2 mode"
+ exit 77
+fi
+
+if ! test -x /usr/bin/openssl; then
+ echo "You need openssl to run this test"
+ exit 77
+fi
+
+/usr/bin/openssl version|grep fips >/dev/null 2>&1
+if test $? = 0 || test "${ENABLE_NON_SUITEB_CURVES}" != "1"; then
+ export FIPS_CURVES=1
+else
+ export FIPS_CURVES=0
+fi
+
+export TZ="UTC"
+
+# Check for datefudge
+. "${srcdir}/../scripts/common.sh"
+
+skip_if_no_datefudge
+
+timeout 1800 datefudge "2012-09-02" \
+"${srcdir}/testcompat-openssl-cli-common.sh" ":%COMPAT"
+
+ret=$?
+test $ret = 124 && exit 77
+
+exit $ret
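Review bot: The presence check and the FIPS check are hard-wired to `/usr/bin/openssl`, while the common script this wrapper launches runs `${OPENSSL}`, which defaults to `openssl` resolved through PATH. When the two differ, `FIPS_CURVES` is derived from a binary that is not the one under test, and the test is skipped on hosts where openssl is installed elsewhere. I would honour the same variable here: `: ${OPENSSL=openssl}`, then `if ! command -v "${OPENSSL}" >/dev/null; then` for the presence check and `"${OPENSSL}" version|grep fips >/dev/null 2>&1` for the FIPS probe. The identical lines appear in testcompat-openssl-cli-no-etm.sh in the next hunk.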
diff --git a/tests/suite/testcompat-openssl-cli-no-etm.sh b/tests/suite/testcompat-openssl-cli-no-etm.sh
new file mode 100755
index 0000000000..aa941d7092
--- /dev/null
+++ b/tests/suite/testcompat-openssl-cli-no-etm.sh
@@ -0,0 +1,65 @@
+#!/bin/sh
+
+# Copyright (c) 2010-2015, Free Software Foundation, Inc.
+# Copyright (c) 2012-2015, Nikos Mavrogiannopoulos
+# All rights reserved.
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# Redistribution and use in source and binary forms, with or without modification,
+# are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice, this
+# list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright notice,
+# this list of conditions and the following disclaimer in the documentation and/or
+# other materials provided with the distribution.
+# 3. Neither the name of the copyright holder nor the names of its contributors may
+# be used to endorse or promote products derived from this software without specific
+# prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
+# SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
+# WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+: ${srcdir=.}
+
+if test "${GNUTLS_FORCE_FIPS_MODE}" = 1;then
+ echo "Cannot run in FIPS140-2 mode"
+ exit 77
+fi
+
+if ! test -x /usr/bin/openssl; then
+ echo "You need openssl to run this test"
+ exit 77
+fi
+
+/usr/bin/openssl version|grep fips >/dev/null 2>&1
+if test $? = 0 || test "${ENABLE_NON_SUITEB_CURVES}" != "1"; then
+ export FIPS_CURVES=1
+else
+ export FIPS_CURVES=0
+fi
+
+export TZ="UTC"
+
+# Check for datefudge
+. "${srcdir}/../scripts/common.sh"
+
+skip_if_no_datefudge
+
+timeout 1800 datefudge "2012-09-02" \
+"${srcdir}/testcompat-openssl-cli-common.sh" ":%NO_ETM"
+
+ret=$?
+test $ret = 124 && exit 77
+
+exit $ret
diff --git a/tests/suite/testcompat-openssl.sh b/tests/suite/testcompat-openssl-cli.sh
index 847eded621..3e1b67018e 100755
--- a/tests/suite/testcompat-openssl.sh
+++ b/tests/suite/testcompat-openssl-cli.sh
@@ -56,7 +56,8 @@ export TZ="UTC"
skip_if_no_datefudge
-timeout 1800 datefudge "2012-09-2" "${srcdir}/testcompat-main-openssl"
+timeout 1800 datefudge "2012-09-02" \
+"${srcdir}/testcompat-openssl-cli-common.sh"
ret=$?
test $ret = 124 && exit 77
diff --git a/tests/suite/testcompat-openssl-serv-common.sh b/tests/suite/testcompat-openssl-serv-common.sh
new file mode 100755
index 0000000000..ae18358521
--- /dev/null
+++ b/tests/suite/testcompat-openssl-serv-common.sh
@@ -0,0 +1,567 @@
+#!/bin/sh
+
+# Copyright (c) 2010-2016, Free Software Foundation, Inc.
+# Copyright (c) 2012-2016, Nikos Mavrogiannopoulos
+# All rights reserved.
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# Redistribution and use in source and binary forms, with or without modification,
+# are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice, this
+# list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright notice,
+# this list of conditions and the following disclaimer in the documentation and/or
+# other materials provided with the distribution.
+# 3. Neither the name of the copyright holder nor the names of its contributors may
+# be used to endorse or promote products derived from this software without specific
+# prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
+# SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
+# WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+: ${srcdir=.}
+: ${SERV=../../src/gnutls-serv${EXEEXT}}
+: ${CLI=../../src/gnutls-cli${EXEEXT}}
+unset RETCODE
+
+if ! test -x "${CLI}"; then
+ exit 77
+fi
+
+if ! test -z "${VALGRIND}"; then
+ VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}"
+fi
+
+if test "${WINDIR}" != ""; then
+ exit 77
+fi
+
+. "${srcdir}/../scripts/common.sh"
+
+: ${PORT=${RPORT}}
+
+: ${OPENSSL=openssl}
+SIGALGS=RSA+SHA1:RSA+SHA256
+
+echo "Compatibility checks using "`${OPENSSL} version`
+${OPENSSL} version|grep -e '1\.[0-9]\..' >/dev/null 2>&1
+if test $? != 0; then
+ echo "OpenSSL 1.0.0 is required for ECDH and DTLS tests"
+ exit 77
+fi
+
+. "${srcdir}/testcompat-common"
+
+${OPENSSL} version|grep -e '1\.[1-9]\..' >/dev/null 2>&1
+HAVE_X25519=$?
+
+test $HAVE_X25519 != 0 && echo "Disabling interop tests for x25519"
+
+${OPENSSL} version|grep -e '[1-9]\.[0-9]\.[0-9]' >/dev/null 2>&1
+NO_TLS1_2=$?
+
+test $NO_TLS1_2 != 0 && echo "Disabling interop tests for TLS 1.2"
+
+${OPENSSL} version|grep -e '[1-9]\.[1-9]\.[0-9]' >/dev/null 2>&1
+if test $? = 0;then
+ NO_DH_PARAMS=0
+else
+ NO_DH_PARAMS=1
+fi
+
+${OPENSSL} ciphers -v ALL 2>&1|grep -e DHE-DSS >/dev/null 2>&1
+NO_DSS=$?
+
+if test $NO_DSS != 0;then
+ echo "Disabling interop tests for DSS ciphersuites"
+else
+ DSA_PARAMS="-dkey ${DSA_KEY} -dcert ${DSA_CERT}"
+ SIGALGS="$SIGALGS:DSA+SHA1:DSA+SHA256"
+fi
+
+${OPENSSL} ciphers -v ALL 2>&1|grep -e CAMELLIA >/dev/null 2>&1
+NO_CAMELLIA=$?
+
+test $NO_CAMELLIA != 0 && echo "Disabling interop tests for Camellia ciphersuites"
+
+${OPENSSL} ciphers -v ALL 2>&1|grep -e RC4 >/dev/null 2>&1
+NO_RC4=$?
+
+test $NO_RC4 != 0 && echo "Disabling interop tests for RC4 ciphersuites"
+
+${OPENSSL} ciphers -v ALL 2>&1|grep -e 3DES >/dev/null 2>&1
+NO_3DES=$?
+
+test $NO_3DES != 0 && echo "Disabling interop tests for 3DES ciphersuites"
+
+${OPENSSL} ciphers -v ALL 2>&1|grep -e NULL >/dev/null 2>&1
+NO_NULL=$?
+
+test $NO_NULL != 0 && echo "Disabling interop tests for NULL ciphersuites"
+
+${OPENSSL} ecparam -list_curves 2>&1|grep -e prime192v1 >/dev/null 2>&1
+NO_PRIME192v1=$?
+
+test $NO_PRIME192v1 != 0 && echo "Disabling interop tests for prime192v1 ecparam"
+
+if test "${NO_DH_PARAMS}" = 0;then
+ OPENSSL_DH_PARAMS_OPT=""
+else
+ OPENSSL_DH_PARAMS_OPT="-dhparam \"${DH_PARAMS}\""
+fi
+
+${OPENSSL} s_server -help 2>&1|grep -e -ssl3 >/dev/null 2>&1
+HAVE_NOT_SSL3=$?
+
+if test $HAVE_NOT_SSL3 = 0;then
+ eval "${GETPORT}"
+ launch_bare_server "$OPENSSL" s_server -cipher ALL -quiet -www -accept "${PORT}" -keyform pem -certform pem -ssl3 -key "${RSA_KEY}" -cert "${RSA_CERT}" >/dev/null 2>&1
+ PID=$!
+ wait_server ${PID}
+
+ ${OPENSSL} s_client -host localhost -port "${PORT}" -ssl3 </dev/null 2>&1 | grep "\:error\:" && \
+ HAVE_NOT_SSL3=1
+ kill ${PID}
+ wait
+fi
+
+test $HAVE_NOT_SSL3 != 0 && echo "Disabling interop tests for SSL 3.0"
+
+
+echo "${PREFIX}###############################################"
+echo "${PREFIX}# Server mode tests (gnutls server-openssl cli#"
+echo "${PREFIX}###############################################"
+SERV="${SERV} -q"
+
+# Note that openssl s_client does not return error code on failure
+
+ADD=$1
+PREFIX=""
+if ! test -z "${ADD}"; then
+ PREFIX="$(echo $ADD|sed 's/://g'): "
+fi
+
+if test "${HAVE_NOT_SSL3}" != 1 && test "${ENABLE_SSL3}" = 1; then
+
+ echo "${PREFIX}Check SSL 3.0 with RSA ciphersuite"
+ eval "${GETPORT}"
+ launch_server --priority "NONE:+SHA1:+ARCFOUR-128:+3DES-CBC:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
+ PID=$!
+ wait_server ${PID}
+
+ ${OPENSSL} s_client -host localhost -port "${PORT}" -ssl3 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+ if test "${NO_RC4}" != 1; then
+ echo "${PREFIX}Check SSL 3.0 with RSA-RC4-SHA ciphersuite"
+ ${OPENSSL} s_client -host localhost -port "${PORT}" -ssl3 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" -cipher RC4-SHA </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+ fi
+
+ kill ${PID}
+ wait
+
+ echo "${PREFIX}Check SSL 3.0 with DHE-RSA ciphersuite"
+ eval "${GETPORT}"
+ launch_server --priority "NONE:+CIPHER-ALL:+3DES-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
+ PID=$!
+ wait_server ${PID}
+
+ ${OPENSSL} s_client -cipher DHE -host localhost -port "${PORT}" -ssl3 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+
+ if test "${NO_DSS}" = 0; then
+ echo "${PREFIX}Check SSL 3.0 with DHE-DSS ciphersuite"
+ eval "${GETPORT}"
+ launch_server --priority "NONE:+CIPHER-ALL:+3DES-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --x509certfile "${SERV_DSA_CERT}" --x509keyfile "${SERV_DSA_KEY}" --dhparams "${DH_PARAMS}"
+ PID=$!
+ wait_server ${PID}
+
+ ${OPENSSL} s_client -cipher DHE -host localhost -port "${PORT}" -ssl3 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+ fi
+fi
+
+#TLS 1.0
+
+# This test was disabled because it doesn't work as expected with openssl 1.0.0d
+#echo "${PREFIX}Check TLS 1.0 with RSA ciphersuite (SSLv2 hello)"
+#launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
+#PID=$!
+#wait_server ${PID}
+#
+#${OPENSSL} s_client -host localhost -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+# fail ${PID} "Failed"
+#
+#kill ${PID}
+#wait
+
+if test "${NO_NULL}" = 0; then
+ echo "${PREFIX}Check TLS 1.0 with RSA-NULL ciphersuite"
+ eval "${GETPORT}"
+ launch_server --priority "NONE:+NULL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
+ PID=$!
+ wait_server ${PID}
+
+ ${OPENSSL} s_client -cipher NULL-SHA -host localhost -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+fi
+
+echo "${PREFIX}Check TLS 1.0 with DHE-RSA ciphersuite"
+eval "${GETPORT}"
+launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
+PID=$!
+wait_server ${PID}
+
+${OPENSSL} s_client -cipher DHE:@SECLEVEL=1 -host localhost -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+if test "${NO_DSS}" = 0; then
+ echo "${PREFIX}Check TLS 1.0 with DHE-DSS ciphersuite"
+ eval "${GETPORT}"
+ launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --x509certfile "${SERV_DSA_CERT}" --x509keyfile "${SERV_DSA_KEY}" --dhparams "${DH_PARAMS}"
+ PID=$!
+ wait_server ${PID}
+
+ ${OPENSSL} s_client -host localhost -cipher ALL:@SECLEVEL=1 -sigalgs "$SIGALGS" -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+fi
+
+echo "${PREFIX}Check TLS 1.0 with ECDHE-RSA ciphersuite"
+eval "${GETPORT}"
+launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-RSA:+CURVE-ALL${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
+PID=$!
+wait_server ${PID}
+
+#-cipher ECDHE-RSA-AES128-SHA
+${OPENSSL} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+if test "${FIPS_CURVES}" != 1; then
+ echo "${PREFIX}Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP224R1)"
+ eval "${GETPORT}"
+ launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-SECP224R1:+CURVE-ALL${ADD}" --x509certfile "${ECC224_CERT}" --x509keyfile "${ECC224_KEY}" --x509cafile "${CA_ECC_CERT}"
+ PID=$!
+ wait_server ${PID}
+
+ #-cipher ECDHE-ECDSA-AES128-SHA
+ ${OPENSSL} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -named_curve secp224r1 -port "${PORT}" -cert "${ECC224_CERT}" -key "${ECC224_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+fi
+
+echo "${PREFIX}Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP256R1)"
+eval "${GETPORT}"
+launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC256_CERT}" --x509keyfile "${ECC256_KEY}" --x509cafile "${CA_ECC_CERT}"
+PID=$!
+wait_server ${PID}
+
+#-cipher ECDHE-ECDSA-AES128-SHA
+${OPENSSL} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" -cert "${ECC256_CERT}" -key "${ECC256_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+echo "${PREFIX}Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP384R1)"
+eval "${GETPORT}"
+launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC384_CERT}" --x509keyfile "${ECC384_KEY}" --x509cafile "${CA_ECC_CERT}"
+PID=$!
+wait_server ${PID}
+
+#-cipher ECDHE-ECDSA-AES128-SHA
+${OPENSSL} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" -cert "${ECC384_CERT}" -key "${ECC384_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+if test "${FIPS_CURVES}" != 1; then
+ echo "${PREFIX}Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP521R1)"
+ eval "${GETPORT}"
+ launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC521_CERT}" --x509keyfile "${ECC521_KEY}" --x509cafile "${CA_ECC_CERT}"
+ PID=$!
+ wait_server ${PID}
+
+ #-cipher ECDHE-ECDSA-AES128-SHA
+ ${OPENSSL} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" -cert "${ECC521_CERT}" -key "${ECC521_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+fi
+
+echo "${PREFIX}Check TLS 1.0 with PSK ciphersuite"
+eval "${GETPORT}"
+launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
+PID=$!
+wait_server ${PID}
+
+#-cipher PSK-AES128-SHA
+${OPENSSL} s_client -host localhost -psk_identity Client_identity -psk 9e32cf7786321a828ef7668f09fb35db -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" crt_file="${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep ":error:" && \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+if test ${NO_TLS1_2} = 0; then
+ # test resumption
+ echo "${PREFIX}Check TLS 1.2 with resumption"
+ eval "${GETPORT}"
+ launch_server --priority "NORMAL${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
+ PID=$!
+ wait_server ${PID}
+
+ ${OPENSSL} s_client -host localhost -reconnect -tls1_2 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+
+ echo "${PREFIX}Check TLS 1.2 with DHE-RSA ciphersuite"
+ eval "${GETPORT}"
+ launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
+ PID=$!
+ wait_server ${PID}
+
+ ${OPENSSL} s_client -cipher DHE -host localhost -tls1_2 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+
+ if test "${NO_DSS}" = 0; then
+ echo "${PREFIX}Check TLS 1.2 with DHE-DSS ciphersuite"
+ eval "${GETPORT}"
+ launch_server --priority "NONE:+CIPHER-ALL:%VERIFY_ALLOW_SIGN_WITH_SHA1:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --x509certfile "${SERV_DSA_CERT}" --x509keyfile "${SERV_DSA_KEY}" --dhparams "${DH_PARAMS}"
+ PID=$!
+ wait_server ${PID}
+
+ ${OPENSSL} s_client -cipher DHE -host localhost -cipher 'ALL:@SECLEVEL=1' -sigalgs "$SIGALGS" -tls1_2 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+ fi
+
+ echo "${PREFIX}Check TLS 1.2 with ECDHE-RSA ciphersuite"
+ eval "${GETPORT}"
+ launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-RSA:+CURVE-ALL${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
+ PID=$!
+ wait_server ${PID}
+
+ #-cipher ECDHE-RSA-AES128-SHA
+ ${OPENSSL} s_client -host localhost -tls1_2 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+
+ if test "${HAVE_X22519}" = 0; then
+ echo "${PREFIX}Check TLS 1.2 with ECDHE-RSA ciphersuite (X25519)"
+ eval "${GETPORT}"
+ launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-RSA:+CURVE-X25519${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
+ PID=$!
+ wait_server ${PID}
+
+ ${OPENSSL} s_client -host localhost -tls1_2 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+ fi
+
+ if test "${FIPS_CURVES}" != 1; then
+ echo "${PREFIX}Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP224R1)"
+ eval "${GETPORT}"
+ launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-SECP224R1:+CURVE-ALL${ADD}" --x509certfile "${ECC224_CERT}" --x509keyfile "${ECC224_KEY}" --x509cafile "${CA_ECC_CERT}"
+ PID=$!
+ wait_server ${PID}
+
+ #-cipher ECDHE-ECDSA-AES128-SHA
+ ${OPENSSL} s_client -host localhost -cipher 'ALL:@SECLEVEL=1' -tls1_2 -named_curve secp224r1 -port "${PORT}" -cert "${ECC224_CERT}" -key "${ECC224_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+ fi
+
+ echo "${PREFIX}Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP256R1)"
+ eval "${GETPORT}"
+ launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC256_CERT}" --x509keyfile "${ECC256_KEY}" --x509cafile "${CA_ECC_CERT}"
+ PID=$!
+ wait_server ${PID}
+
+ #-cipher ECDHE-ECDSA-AES128-SHA
+ ${OPENSSL} s_client -host localhost -tls1_2 -port "${PORT}" -cert "${ECC256_CERT}" -key "${ECC256_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+
+ echo "${PREFIX}Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP384R1)"
+ eval "${GETPORT}"
+ launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC384_CERT}" --x509keyfile "${ECC384_KEY}" --x509cafile "${CA_ECC_CERT}"
+ PID=$!
+ wait_server ${PID}
+
+ #-cipher ECDHE-ECDSA-AES128-SHA
+ ${OPENSSL} s_client -host localhost -tls1_2 -port "${PORT}" -cert "${ECC384_CERT}" -key "${ECC384_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+
+ if test "${FIPS_CURVES}" != 1; then
+ echo "${PREFIX}Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP521R1)"
+ eval "${GETPORT}"
+ launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC521_CERT}" --x509keyfile "${ECC521_KEY}" --x509cafile "${CA_ECC_CERT}"
+ PID=$!
+ wait_server ${PID}
+
+ #-cipher ECDHE-ECDSA-AES128-SHA
+ ${OPENSSL} s_client -host localhost -tls1_2 -port "${PORT}" -cert "${ECC521_CERT}" -key "${ECC521_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+ fi
+
+ echo "${PREFIX}Check TLS 1.2 with PSK ciphersuite"
+ eval "${GETPORT}"
+ launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
+ PID=$!
+ wait_server ${PID}
+
+ #-cipher PSK-AES128-SHA
+ ${OPENSSL} s_client -host localhost -psk_identity Client_identity -psk 9e32cf7786321a828ef7668f09fb35db -tls1_2 -port "${PORT}" crt_file="${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep ":error:" && \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+
+fi #NO_TLS1_2
+
+# DTLS
+echo "${PREFIX}Check DTLS 1.0 with RSA ciphersuite"
+eval "${GETPORT}"
+launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+RSA${ADD}" --udp --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
+PID=$!
+wait_udp_server ${PID}
+
+${OPENSSL} s_client -host localhost -port "${PORT}" -cipher 'ALL:@SECLEVEL=1' -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+
+echo "${PREFIX}Check DTLS 1.0 with DHE-RSA ciphersuite"
+eval "${GETPORT}"
+launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+DHE-RSA${ADD}" --udp --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
+PID=$!
+wait_udp_server ${PID}
+
+
+${OPENSSL} s_client -cipher DHE -host localhost -port "${PORT}" -cipher 'ALL:@SECLEVEL=1' -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+if test "${NO_DSS}" = 0; then
+ echo "${PREFIX}Check DTLS 1.0 with DHE-DSS ciphersuite"
+ eval "${GETPORT}"
+ launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --udp --x509certfile "${SERV_DSA_CERT}" --x509keyfile "${SERV_DSA_KEY}" --dhparams "${DH_PARAMS}"
+ PID=$!
+ wait_udp_server ${PID}
+
+
+ ${OPENSSL} s_client -host localhost -port "${PORT}" -cipher 'ALL:@SECLEVEL=1' -sigalgs "$SIGALGS" -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+fi
+
+echo "${PREFIX}Check DTLS 1.2 with AES-CBC"
+eval "${GETPORT}"
+launch_server --priority "NONE:+AES-128-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.2:+RSA${ADD}" --udp --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
+PID=$!
+wait_udp_server ${PID}
+
+${OPENSSL} s_client -host localhost -port "${PORT}" -dtls1_2 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+echo "${PREFIX}Check DTLS 1.2 with RSA ciphersuite"
+eval "${GETPORT}"
+launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.2:+RSA${ADD}" --udp --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
+PID=$!
+wait_udp_server ${PID}
+
+${OPENSSL} s_client -host localhost -port "${PORT}" -dtls1_2 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+
+echo "${PREFIX}Check DTLS 1.2 with DHE-RSA ciphersuite"
+eval "${GETPORT}"
+launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.2:+DHE-RSA${ADD}" --udp --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
+PID=$!
+wait_udp_server ${PID}
+
+
+${OPENSSL} s_client -cipher DHE -host localhost -port "${PORT}" -dtls1_2 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+echo "${PREFIX}Check DTLS 1.2 with ECDHE-RSA"
+eval "${GETPORT}"
+launch_server --priority "NONE:+GROUP-ALL:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.2:+ECDHE-RSA${ADD}" --udp --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
+PID=$!
+wait_udp_server ${PID}
+
+
+${OPENSSL} s_client -cipher ECDHE -host localhost -port "${PORT}" -dtls1_2 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
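Review bot: The X25519 block is guarded by `if test "${HAVE_X22519}" = 0; then`, but the probe near the top of this file stores its result in `HAVE_X25519`, so the misspelled variable is empty and the "TLS 1.2 with ECDHE-RSA ciphersuite (X25519)" interop check is never run; the guard should read `if test "${HAVE_X25519}" = 0; then`. Separately, the three banner lines `echo "${PREFIX}###..."` execute before `ADD=$1` and `PREFIX=""` are assigned, so unless `PREFIX` is inherited from the environment the banner never carries the variant prefix; moving the `ADD`/`PREFIX` block above the banner fixes that. Both PSK checks pass `crt_file="${CLI_CERT}"` to `s_client`, which looks like a leftover rather than an s_client option (presumably `-cert "${CLI_CERT}"` was intended, or the argument should be dropped). Because every check only greps the client output for `:error:`, a client that stops at argument parsing would probably be counted as a pass, so it is worth confirming that these two checks actually complete a handshake.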
diff --git a/tests/suite/testcompat-openssl-serv-compat.sh b/tests/suite/testcompat-openssl-serv-compat.sh
new file mode 100755
index 0000000000..79a2b458e5
--- /dev/null
+++ b/tests/suite/testcompat-openssl-serv-compat.sh
@@ -0,0 +1,65 @@
+#!/bin/sh
+
+# Copyright (c) 2010-2015, Free Software Foundation, Inc.
+# Copyright (c) 2012-2015, Nikos Mavrogiannopoulos
+# All rights reserved.
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# Redistribution and use in source and binary forms, with or without modification,
+# are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice, this
+# list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright notice,
+# this list of conditions and the following disclaimer in the documentation and/or
+# other materials provided with the distribution.
+# 3. Neither the name of the copyright holder nor the names of its contributors may
+# be used to endorse or promote products derived from this software without specific
+# prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
+# SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
+# WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+: ${srcdir=.}
+
+if test "${GNUTLS_FORCE_FIPS_MODE}" = 1;then
+ echo "Cannot run in FIPS140-2 mode"
+ exit 77
+fi
+
+if ! test -x /usr/bin/openssl; then
+ echo "You need openssl to run this test"
+ exit 77
+fi
+
+/usr/bin/openssl version|grep fips >/dev/null 2>&1
+if test $? = 0 || test "${ENABLE_NON_SUITEB_CURVES}" != "1"; then
+ export FIPS_CURVES=1
+else
+ export FIPS_CURVES=0
+fi
+
+export TZ="UTC"
+
+# Check for datefudge
+. "${srcdir}/../scripts/common.sh"
+
+skip_if_no_datefudge
+
+timeout 1800 datefudge "2012-09-02" \
+"${srcdir}/testcompat-openssl-serv-common.sh" ":%COMPAT"
+
+ret=$?
+test $ret = 124 && exit 77
+
+exit $ret
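Review bot: The wrapper probes the fixed path `/usr/bin/openssl` for both the presence check and the FIPS detection, while testcompat-openssl-serv-common.sh runs whatever `${OPENSSL}` (default `openssl` from PATH) resolves to, so `FIPS_CURVES` can be derived from a different binary than the one under test, and the whole suite is skipped where openssl is installed elsewhere. Using `: ${OPENSSL=openssl}`, then `command -v "${OPENSSL}" >/dev/null || exit 77` and `"${OPENSSL}" version | grep fips >/dev/null 2>&1` would keep the two in step. Also, `test $ret = 124 && exit 77` reports a 30-minute timeout as a skip, which would hide a hung handshake from CI; if that is deliberate for slow runners, a comment saying so and an `echo` that the run timed out would help. The same lines are repeated in testcompat-openssl-serv-no-etm.sh and testcompat-openssl-serv-no-safe-renegotiation.sh, and the visible start of testcompat-openssl-serv-no-tickets.sh has the same `/usr/bin/openssl` probe; the wrappers differ only in the priority suffix passed to the common script.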
diff --git a/tests/suite/testcompat-openssl-serv-no-etm.sh b/tests/suite/testcompat-openssl-serv-no-etm.sh
new file mode 100755
index 0000000000..68c540f67f
--- /dev/null
+++ b/tests/suite/testcompat-openssl-serv-no-etm.sh
@@ -0,0 +1,65 @@
+#!/bin/sh
+
+# Copyright (c) 2010-2015, Free Software Foundation, Inc.
+# Copyright (c) 2012-2015, Nikos Mavrogiannopoulos
+# All rights reserved.
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# Redistribution and use in source and binary forms, with or without modification,
+# are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice, this
+# list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright notice,
+# this list of conditions and the following disclaimer in the documentation and/or
+# other materials provided with the distribution.
+# 3. Neither the name of the copyright holder nor the names of its contributors may
+# be used to endorse or promote products derived from this software without specific
+# prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
+# SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
+# WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+: ${srcdir=.}
+
+if test "${GNUTLS_FORCE_FIPS_MODE}" = 1;then
+ echo "Cannot run in FIPS140-2 mode"
+ exit 77
+fi
+
+if ! test -x /usr/bin/openssl; then
+ echo "You need openssl to run this test"
+ exit 77
+fi
+
+/usr/bin/openssl version|grep fips >/dev/null 2>&1
+if test $? = 0 || test "${ENABLE_NON_SUITEB_CURVES}" != "1"; then
+ export FIPS_CURVES=1
+else
+ export FIPS_CURVES=0
+fi
+
+export TZ="UTC"
+
+# Check for datefudge
+. "${srcdir}/../scripts/common.sh"
+
+skip_if_no_datefudge
+
+timeout 1800 datefudge "2012-09-02" \
+"${srcdir}/testcompat-openssl-serv-common.sh" ":%NO_ETM"
+
+ret=$?
+test $ret = 124 && exit 77
+
+exit $ret
diff --git a/tests/suite/testcompat-openssl-serv-no-safe-renegotiation.sh b/tests/suite/testcompat-openssl-serv-no-safe-renegotiation.sh
new file mode 100755
index 0000000000..4e71716c54
--- /dev/null
+++ b/tests/suite/testcompat-openssl-serv-no-safe-renegotiation.sh
@@ -0,0 +1,65 @@
+#!/bin/sh
+
+# Copyright (c) 2010-2015, Free Software Foundation, Inc.
+# Copyright (c) 2012-2015, Nikos Mavrogiannopoulos
+# All rights reserved.
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# Redistribution and use in source and binary forms, with or without modification,
+# are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice, this
+# list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright notice,
+# this list of conditions and the following disclaimer in the documentation and/or
+# other materials provided with the distribution.
+# 3. Neither the name of the copyright holder nor the names of its contributors may
+# be used to endorse or promote products derived from this software without specific
+# prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
+# SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
+# WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+: ${srcdir=.}
+
+if test "${GNUTLS_FORCE_FIPS_MODE}" = 1;then
+ echo "Cannot run in FIPS140-2 mode"
+ exit 77
+fi
+
+if ! test -x /usr/bin/openssl; then
+ echo "You need openssl to run this test"
+ exit 77
+fi
+
+/usr/bin/openssl version|grep fips >/dev/null 2>&1
+if test $? = 0 || test "${ENABLE_NON_SUITEB_CURVES}" != "1"; then
+ export FIPS_CURVES=1
+else
+ export FIPS_CURVES=0
+fi
+
+export TZ="UTC"
+
+# Check for datefudge
+. "${srcdir}/../scripts/common.sh"
+
+skip_if_no_datefudge
+
+timeout 1800 datefudge "2012-09-02" \
+"${srcdir}/testcompat-openssl-serv-common.sh" ":%DISABLE_SAFE_RENEGOTIATION"
+
+ret=$?
+test $ret = 124 && exit 77
+
+exit $ret
diff --git a/tests/suite/testcompat-openssl-serv-no-tickets.sh b/tests/suite/testcompat-openssl-serv-no-tickets.sh
new file mode 100755
index 0000000000..137b697b20
--- /dev/null
+++ b/tests/suite/testcompat-openssl-serv-no-tickets.sh
@@ -0,0 +1,65 @@
+#!/bin/sh
+
+# Copyright (c) 2010-2015, Free Software Foundation, Inc.
+# Copyright (c) 2012-2015, Nikos Mavrogiannopoulos
+# All rights reserved.
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# Redistribution and use in source and binary forms, with or without modification,
+# are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice, this
+# list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright notice,
+# this list of conditions and the following disclaimer in the documentation and/or
+# other materials provided with the distribution.
+# 3. Neither the name of the copyright holder nor the names of its contributors may
+# be used to endorse or promote products derived from this software without specific
+# prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
+# SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
+# WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+: ${srcdir=.}
+
+if test "${GNUTLS_FORCE_FIPS_MODE}" = 1;then
+ echo "Cannot run in FIPS140-2 mode"
+ exit 77
+fi
+
+if ! test -x /usr/bin/openssl; then
+ echo "You need openssl to run this test"
+ exit 77
+fi
+
+/usr/bin/openssl version|grep fips >/dev/null 2>&1
+if test $? = 0 || test "${ENABLE_NON_SUITEB_CURVES}" != "1"; then
+ export FIPS_CURVES=1
+else
+ export FIPS_CURVES=0
+fi
+
+export TZ="UTC"
+
+# Check for datefudge
+. "${srcdir}/../scripts/common.sh"
+
+skip_if_no_datefudge
+
+timeout 1800 datefudge "2012-09-02" \
+"${srcdir}/testcompat-openssl-serv-common.sh" ":%NO_TICKETS"
+
+ret=$?
+test $ret = 124 && exit 77
+
+exit $ret
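Review bot: The closing lines map a `timeout` expiry (exit status 124) to 77, the same status this script returns when openssl is missing or FIPS mode is forced, so a handshake that hangs for the full 1800 seconds is reported as a skipped test rather than a failed one. A hang regression in the interop path can then go unnoticed in CI results. If the mapping is intentional for slow machines, it should at least leave a trace in the log, e.g. `if test $ret = 124; then echo "Timed out after 1800s, skipping" >&2; exit 77; fi`. The same three lines close testcompat-openssl-serv-safe-renegotiation.sh and testcompat-openssl-serv.sh, and the point applies there as well.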
diff --git a/tests/suite/testcompat-openssl-serv-safe-renegotiation.sh b/tests/suite/testcompat-openssl-serv-safe-renegotiation.sh
new file mode 100755
index 0000000000..dd866af888
--- /dev/null
+++ b/tests/suite/testcompat-openssl-serv-safe-renegotiation.sh
@@ -0,0 +1,65 @@
+#!/bin/sh
+
+# Copyright (c) 2010-2015, Free Software Foundation, Inc.
+# Copyright (c) 2012-2015, Nikos Mavrogiannopoulos
+# All rights reserved.
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# Redistribution and use in source and binary forms, with or without modification,
+# are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice, this
+# list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright notice,
+# this list of conditions and the following disclaimer in the documentation and/or
+# other materials provided with the distribution.
+# 3. Neither the name of the copyright holder nor the names of its contributors may
+# be used to endorse or promote products derived from this software without specific
+# prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
+# SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
+# WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+: ${srcdir=.}
+
+if test "${GNUTLS_FORCE_FIPS_MODE}" = 1;then
+ echo "Cannot run in FIPS140-2 mode"
+ exit 77
+fi
+
+if ! test -x /usr/bin/openssl; then
+ echo "You need openssl to run this test"
+ exit 77
+fi
+
+/usr/bin/openssl version|grep fips >/dev/null 2>&1
+if test $? = 0 || test "${ENABLE_NON_SUITEB_CURVES}" != "1"; then
+ export FIPS_CURVES=1
+else
+ export FIPS_CURVES=0
+fi
+
+export TZ="UTC"
+
+# Check for datefudge
+. "${srcdir}/../scripts/common.sh"
+
+skip_if_no_datefudge
+
+timeout 1800 datefudge "2012-09-02" \
+"${srcdir}/testcompat-openssl-serv-common.sh" ":%SAFE_RENEGOTIATION"
+
+ret=$?
+test $ret = 124 && exit 77
+
+exit $ret
diff --git a/tests/suite/testcompat-openssl-serv.sh b/tests/suite/testcompat-openssl-serv.sh
new file mode 100755
index 0000000000..788e2abea2
--- /dev/null
+++ b/tests/suite/testcompat-openssl-serv.sh
@@ -0,0 +1,65 @@
+#!/bin/sh
+
+# Copyright (c) 2010-2015, Free Software Foundation, Inc.
+# Copyright (c) 2012-2015, Nikos Mavrogiannopoulos
+# All rights reserved.
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# Redistribution and use in source and binary forms, with or without modification,
+# are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice, this
+# list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright notice,
+# this list of conditions and the following disclaimer in the documentation and/or
+# other materials provided with the distribution.
+# 3. Neither the name of the copyright holder nor the names of its contributors may
+# be used to endorse or promote products derived from this software without specific
+# prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
+# SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
+# WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+: ${srcdir=.}
+
+if test "${GNUTLS_FORCE_FIPS_MODE}" = 1;then
+ echo "Cannot run in FIPS140-2 mode"
+ exit 77
+fi
+
+if ! test -x /usr/bin/openssl; then
+ echo "You need openssl to run this test"
+ exit 77
+fi
+
+/usr/bin/openssl version|grep fips >/dev/null 2>&1
+if test $? = 0 || test "${ENABLE_NON_SUITEB_CURVES}" != "1"; then
+ export FIPS_CURVES=1
+else
+ export FIPS_CURVES=0
+fi
+
+export TZ="UTC"
+
+# Check for datefudge
+. "${srcdir}/../scripts/common.sh"
+
+skip_if_no_datefudge
+
+timeout 1800 datefudge "2012-09-02" \
+"${srcdir}/testcompat-openssl-serv-common.sh"
+
+ret=$?
+test $ret = 124 && exit 77
+
+exit $ret
diff --git a/tests/suite/testcompat-openssl-tls13-cli.sh b/tests/suite/testcompat-openssl-tls13-cli.sh
new file mode 100755
index 0000000000..e57b59cb13
--- /dev/null
+++ b/tests/suite/testcompat-openssl-tls13-cli.sh
@@ -0,0 +1,299 @@
+#!/bin/bash
+
+# Copyright (c) 2010-2016, Free Software Foundation, Inc.
+# Copyright (c) 2012-2018, Nikos Mavrogiannopoulos
+# All rights reserved.
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# Redistribution and use in source and binary forms, with or without modification,
+# are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice, this
+# list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright notice,
+# this list of conditions and the following disclaimer in the documentation and/or
+# other materials provided with the distribution.
+# 3. Neither the name of the copyright holder nor the names of its contributors may
+# be used to endorse or promote products derived from this software without specific
+# prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
+# SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
+# WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+: ${srcdir=.}
+: ${SERV=../../src/gnutls-serv${EXEEXT}}
+: ${CLI=../../src/gnutls-cli${EXEEXT}}
+unset RETCODE
+
+if ! test -x "${CLI}"; then
+ exit 77
+fi
+
+if ! test -z "${VALGRIND}"; then
+ VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}"
+fi
+
+if test "${WINDIR}" != ""; then
+ exit 77
+fi
+
+. "${srcdir}/../scripts/common.sh"
+
+skip_if_no_datefudge
+
+. "${srcdir}/testcompat-common"
+
+: ${PORT=${RPORT}}
+
+: ${OPENSSL=openssl}
+
+if test -z "$OUTPUT";then
+OUTPUT=/dev/null
+fi
+
+>${OUTPUT}
+
+echo_cmd() {
+ tee -a ${OUTPUT} <<<$(echo $1)
+}
+
+echo_cmd "Compatibility checks using "`${OPENSSL} version`
+
+echo_cmd "#################################################"
+echo_cmd "# Client mode tests (gnutls cli-openssl server) #"
+echo_cmd "#################################################"
+
+OCIPHERSUITES="TLS_AES_128_CCM_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_8_SHA256"
+
+ADD=$1
+PREFIX=""
+if ! test -z "${ADD}"; then
+ PREFIX="$(echo $ADD|sed 's/://g'): "
+fi
+
+
+eval "${GETPORT}"
+launch_bare_server "$OPENSSL" s_server -ciphersuites ${OCIPHERSUITES} -groups 'X25519:P-256:X448:P-521:P-384' -quiet -www -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -CAfile "${CA_CERT}"
+PID=$!
+wait_server ${PID}
+
+#AES-128-CCM
+for i in AES-128-GCM AES-256-GCM CHACHA20-POLY1305 AES-128-CCM AES-128-CCM-8;do
+ echo_cmd "${PREFIX}Checking TLS 1.3 with ${i}..."
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+${i}${ADD}" --insecure </dev/null >>${OUTPUT} || \
+ fail ${PID} "Failed"
+done
+
+for i in GROUP-X25519 GROUP-SECP256R1 GROUP-SECP384R1 GROUP-SECP521R1;do
+ echo_cmd "${PREFIX}Checking TLS 1.3 with $i..."
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+${i}${ADD}" --insecure </dev/null >>${OUTPUT} || \
+ fail ${PID} "Failed"
+done
+
+echo_cmd "${PREFIX}Checking TLS 1.3 with double rekey..."
+${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --insecure --inline-commands <<<$(echo -e "^rekey^\n^rekey1^\nGET / HTTP/1.0\r\n\r\n") >>${OUTPUT} || \
+ fail ${PID} "Failed"
+
+# Try hello retry request
+echo_cmd "${PREFIX}Checking TLS 1.3 with HRR..."
+${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --single-key-share --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-FFDHE4096:+GROUP-SECP256R1${ADD}" --insecure </dev/null >>${OUTPUT} || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+
+#test PSK ciphersuites
+# disabled as I do not seem to be able to connect to openssl s_server with PSK
+eval "${GETPORT}"
+launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -psk_identity ${PSKID} -psk ${PSKKEY} -nocert
+PID=$!
+wait_server ${PID}
+
+# by default only SHA256 is supported under PSK as PRF, so we cannot try all
+# ciphers; only the ones which use SHA256 PRF.
+for i in AES-128-GCM;do
+# plain PSK with (EC)DHE not supported by openssl
+# echo_cmd "${PREFIX}Checking TLS 1.3 with PSK with ${i}..."
+# ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK:-CIPHER-ALL:+${i}${ADD}" --pskusername ${PSKID} --pskkey ${PSKKEY} </dev/null || \
+# fail ${PID} "Failed"
+
+ echo_cmd "${PREFIX}Checking TLS 1.3 with DHE-PSK with ${i}..."
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+DHE-PSK:+VERS-TLS1.3:-CIPHER-ALL:+${i}${ADD}" --pskusername ${PSKID} --pskkey ${PSKKEY} </dev/null >>${OUTPUT} || \
+ fail ${PID} "Failed"
+done
+
+kill ${PID}
+wait
+
+#test client certificates
+eval "${GETPORT}"
+launch_bare_server "$OPENSSL" s_server -cipher "ALL" -quiet -www -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" >>${OUTPUT} 2>&1
+PID=$!
+wait_server ${PID}
+
+for i in GROUP-SECP256R1;do
+ echo_cmd "${PREFIX}Checking TLS 1.3 with RSA client cert and $i..."
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+${i}${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >>${OUTPUT} || \
+ fail ${PID} "Failed"
+
+ echo_cmd "${PREFIX}Checking TLS 1.3 with secp256r1 client cert and $i..."
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+${i}${ADD}" --insecure --x509certfile "${ECC_CLI_CERT}" --x509keyfile "${ECC_CLI_KEY}" </dev/null >>${OUTPUT} || \
+ fail ${PID} "Failed"
+
+ echo_cmd "${PREFIX}Checking TLS 1.3 with Ed25519 client cert and $i..."
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+${i}${ADD}" --insecure --x509certfile "${ED25519_CLI_CERT}" --x509keyfile "${ED25519_CLI_KEY}" </dev/null >>${OUTPUT} || \
+ fail ${PID} "Failed"
+
+ echo_cmd "${PREFIX}Checking TLS 1.3 with RSA-PSS client cert and $i..."
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+${i}${ADD}" --insecure --x509certfile "${RSA_PSS_CLI_CERT}" --x509keyfile "${RSA_PSS_CLI_KEY}" </dev/null >>${OUTPUT} || \
+ fail ${PID} "Failed"
+done
+
+kill ${PID}
+wait
+
+echo_cmd "${PREFIX}Checking TLS 1.3 with Ed25519 certificate..."
+eval "${GETPORT}"
+launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${ED25519_KEY}" -cert "${ED25519_CERT}" -CAfile "${CA_CERT}"
+PID=$!
+wait_server ${PID}
+
+${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --insecure </dev/null >>${OUTPUT} || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+echo_cmd "${PREFIX}Checking TLS 1.3 with Ed448 certificate..."
+eval "${GETPORT}"
+launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${ED448_KEY}" -cert "${ED448_CERT}" -CAfile "${CA_CERT}"
+PID=$!
+wait_server ${PID}
+
+${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --insecure </dev/null >>${OUTPUT} || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+echo_cmd "${PREFIX}Checking TLS 1.3 with secp256r1 certificate..."
+eval "${GETPORT}"
+launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${ECC_KEY}" -cert "${ECC_CERT}" -CAfile "${CA_CERT}"
+PID=$!
+wait_server ${PID}
+
+${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --insecure </dev/null >>${OUTPUT} || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+echo_cmd "${PREFIX}Checking TLS 1.3 with RSA-PSS certificate..."
+eval "${GETPORT}"
+launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_PSS_KEY}" -cert "${RSA_PSS_CERT}" -CAfile "${CA_CERT}"
+PID=$!
+wait_server ${PID}
+
+${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --insecure </dev/null >>${OUTPUT} || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+# Try resumption
+echo_cmd "${PREFIX}Checking TLS 1.3 with resumption..."
+testdir=`create_testdir tls13-openssl-resumption`
+eval "${GETPORT}"
+launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -CAfile "${CA_CERT}"
+PID=$!
+wait_server ${PID}
+
+${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:+GROUP-ALL${ADD}" --insecure --inline-commands <<< $(echo -e "^resume^\nGET / HTTP/1.0\r\n\r\n")| tee "${testdir}/client.out" >> ${OUTPUT}
+grep '^\*\*\* This is a resumed session' "${testdir}/client.out" || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+# Try resumption with HRR
+echo_cmd "${PREFIX}Checking TLS 1.3 with resumption and HRR..."
+eval "${GETPORT}"
+launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -groups 'X25519:P-256' -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -CAfile "${CA_CERT}"
+PID=$!
+wait_server ${PID}
+
+${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-SECP256R1${ADD}" --single-key-share --insecure --inline-commands <<< $(echo -e "^resume^\nGET / HTTP/1.0\r\n\r\n")| tee "${testdir}/client.out" >> ${OUTPUT}
+grep '^\*\*\* This is a resumed session' "${testdir}/client.out" || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+# Try resumption with early data
+echo_cmd "${PREFIX}Checking TLS 1.3 with resumption with early data..."
+testdir=`create_testdir tls13-openssl-resumption`
+eval "${GETPORT}"
+launch_bare_server "$OPENSSL" s_server -quiet -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -CAfile "${CA_CERT}" -early_data
+PID=$!
+wait_server ${PID}
+
+echo "This file contains early data sent by the client" > "${testdir}/earlydata.txt"
+${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:+GROUP-ALL${ADD}" --earlydata "${testdir}/earlydata.txt" --insecure --inline-commands <<< '^resume^'| tee "${testdir}/client.out" >> ${OUTPUT}
+grep '^\*\*\* This is a resumed session' "${testdir}/client.out" || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+# Try resumption with early data with small limit
+echo_cmd "${PREFIX}Checking TLS 1.3 with resumption with early data..."
+testdir=`create_testdir tls13-openssl-resumption`
+eval "${GETPORT}"
+launch_bare_server "$OPENSSL" s_server -quiet -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -CAfile "${CA_CERT}" -early_data -max_early_data 1
+PID=$!
+wait_server ${PID}
+
+echo "This file contains early data sent by the client" > "${testdir}/earlydata.txt"
+${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:+GROUP-ALL${ADD}" --earlydata "${testdir}/earlydata.txt" --insecure --inline-commands <<< '^resume^'|& tee "${testdir}/client.out" >> ${OUTPUT}
+grep '^\*\*\* This is a resumed session' "${testdir}/client.out" || \
+ fail ${PID} "Failed"
+grep '^\*\*\* Received alert \[10\]: Unexpected message' "${testdir}/client.out" || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+# Try exporting keying material
+echo_cmd "${PREFIX}Checking TLS 1.3 to export keying material..."
+testdir=`create_testdir tls13-openssl-keymatexport`
+eval "${GETPORT}"
+LOGFILE="${testdir}/server.out"
+launch_bare_server "$OPENSSL" s_server -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -CAfile "${CA_CERT}" -keymatexport label -keymatexportlen 20
+unset LOGFILE
+PID=$!
+wait_server ${PID}
+
+${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:+GROUP-ALL${ADD}" --keymatexport label --keymatexportsize 20| tee "${testdir}/client.out" >> ${OUTPUT}
+grep '^- Key material: ' "${testdir}/client.out" | \
+sed -e 's/^.*: //' -e 'y/abcdef/ABCDEF/' > "${testdir}/client.key" || \
+ fail ${PID} "Failed"
+grep '^ Keying material: ' "${testdir}/server.out" | \
+sed -e 's/^.*: //' -e 'y/abcdef/ABCDEF/' > "${testdir}/server.key" || \
+ fail ${PID} "Failed"
+diff "${testdir}/client.key" "${testdir}/server.key" || \
+ fail ${PID} "Failed"
+kill ${PID}
+wait
+
+rm -rf "${testdir}"
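Review bot: The keying-material comparison at the end of the script can pass without comparing anything. In `grep ... | sed ... > "${testdir}/client.key" || fail`, the status tested is that of `sed`, which is 0 even when `grep` matched no line (no `pipefail` is set in the visible lines), so if neither side prints a key both files are empty and `diff` succeeds. A non-empty check before the `diff` closes that gap: `test -s "${testdir}/client.key" && test -s "${testdir}/server.key" || fail ${PID} "Failed"`. The resumption checks above have a related weakness: the client's exit status is lost in the `| tee` pipeline, and only the grep for the resumed-session line is tested.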
diff --git a/tests/suite/testcompat-openssl-tls13-serv.sh b/tests/suite/testcompat-openssl-tls13-serv.sh
new file mode 100755
index 0000000000..fdabc4e515
--- /dev/null
+++ b/tests/suite/testcompat-openssl-tls13-serv.sh
@@ -0,0 +1,371 @@
+#!/bin/bash
+
+# Copyright (c) 2010-2016, Free Software Foundation, Inc.
+# Copyright (c) 2012-2018, Nikos Mavrogiannopoulos
+# All rights reserved.
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# Redistribution and use in source and binary forms, with or without modification,
+# are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice, this
+# list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright notice,
+# this list of conditions and the following disclaimer in the documentation and/or
+# other materials provided with the distribution.
+# 3. Neither the name of the copyright holder nor the names of its contributors may
+# be used to endorse or promote products derived from this software without specific
+# prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
+# SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
+# WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+: ${srcdir=.}
+: ${SERV=../../src/gnutls-serv${EXEEXT}}
+: ${CLI=../../src/gnutls-cli${EXEEXT}}
+unset RETCODE
+
+if ! test -x "${CLI}"; then
+ exit 77
+fi
+
+if ! test -z "${VALGRIND}"; then
+ VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}"
+fi
+
+if test "${WINDIR}" != ""; then
+ exit 77
+fi
+
+. "${srcdir}/../scripts/common.sh"
+
+skip_if_no_datefudge
+
+. "${srcdir}/testcompat-common"
+
+: ${PORT=${RPORT}}
+
+: ${OPENSSL=openssl}
+
+if test -z "$OUTPUT";then
+OUTPUT=/dev/null
+fi
+
+>${OUTPUT}
+
+echo_cmd() {
+ tee -a ${OUTPUT} <<<$(echo $1)
+}
+
+echo_cmd "Compatibility checks using "`${OPENSSL} version`
+
+echo_cmd "#################################################"
+echo_cmd "# Client mode tests (gnutls cli-openssl server) #"
+echo_cmd "#################################################"
+
+OCIPHERSUITES="TLS_AES_128_CCM_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_8_SHA256"
+
+echo_cmd "${PREFIX}###############################################"
+echo_cmd "${PREFIX}# Server mode tests (gnutls server-openssl cli#"
+echo_cmd "${PREFIX}###############################################"
+SERV="${SERV} -q"
+
+# Note that openssl s_client does not return error code on failure
+
+ADD=$1
+PREFIX=""
+if ! test -z "${ADD}"; then
+ PREFIX="$(echo $ADD|sed 's/://g'): "
+fi
+
+#AES-128-CCM
+for i in AES-128-GCM AES-256-GCM CHACHA20-POLY1305 AES-128-CCM AES-128-CCM-8;do
+ echo_cmd "${PREFIX}Checking TLS 1.3 with ${i}..."
+
+ eval "${GETPORT}"
+ launch_server --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+${i}${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
+ PID=$!
+ wait_server ${PID}
+
+ ${OPENSSL} s_client -ciphersuites ${OCIPHERSUITES} -host localhost -port "${PORT}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+done
+
+GROUPS="GROUP-X25519 GROUP-X448 GROUP-SECP256R1 GROUP-SECP384R1 GROUP-SECP521R1"
+for i in $GROUPS;do
+ echo_cmd "${PREFIX}Checking TLS 1.3 with ${i}..."
+
+ eval "${GETPORT}"
+ launch_server --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+${i}${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
+ PID=$!
+ wait_server ${PID}
+
+ ${OPENSSL} s_client -host localhost -port "${PORT}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+done
+
+echo_cmd "${PREFIX}Checking TLS 1.3 with HRR..."
+eval "${GETPORT}"
+launch_server --echo --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-SECP384R1${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
+PID=$!
+wait_server ${PID}
+
+${OPENSSL} s_client -groups 'X25519:P-256:X448:P-521:P-384' -host localhost -port "${PORT}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+echo_cmd "${PREFIX}Checking TLS 1.3 with rekey..."
+expect - >/dev/null <<_EOF_
+set timeout 10
+set os_error_flag 1
+spawn ${OPENSSL} s_client -host localhost -port "${PORT}" -CAfile "${CA_CERT}"
+
+expect "SSL-Session" {send "K\n"} timeout {exit 1}
+expect "KEYUPDATE" {send "HELLO\n"} timeout {exit 1}
+expect "HELLO" {close} timeout {exit 1}
+
+lassign [wait] pid spawnid os_error_flag value
+if {\$os_error_flag == 0} {
+ exit $value
+} else {
+ exit 1
+}
+_EOF_
+if test $? != 0;then
+ fail ${PID} "Failed"
+fi
+
+kill ${PID}
+wait
+
+# client certificates
+
+eval "${GETPORT}"
+launch_server --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --require-client-cert --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
+PID=$!
+wait_server ${PID}
+
+echo_cmd "${PREFIX}Checking TLS 1.3 with RSA client certificate..."
+${OPENSSL} s_client -host localhost -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+echo_cmd "${PREFIX}Checking TLS 1.3 with RSA-PSS client certificate..."
+${OPENSSL} s_client -host localhost -port "${PORT}" -cert "${RSA_PSS_CLI_CERT}" -key "${RSA_PSS_CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+echo_cmd "${PREFIX}Checking TLS 1.3 with secp256r1 client certificate..."
+${OPENSSL} s_client -host localhost -port "${PORT}" -cert "${ECC_CLI_CERT}" -key "${ECC_CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+echo_cmd "${PREFIX}Checking TLS 1.3 with Ed25519 client certificate..."
+${OPENSSL} s_client -host localhost -port "${PORT}" -cert "${ED25519_CLI_CERT}" -key "${ED25519_CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+echo_cmd "${PREFIX}Checking TLS 1.3 with Ed448 client certificate..."
+${OPENSSL} s_client -host localhost -port "${PORT}" -cert "${ED448_CLI_CERT}" -key "${ED448_CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+echo_cmd "${PREFIX}Checking TLS 1.3 with post handshake auth..."
+
+eval "${GETPORT}"
+launch_server --echo --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
+PID=$!
+wait_server ${PID}
+
+expect - >/dev/null <<_EOF_
+set timeout 10
+set os_error_flag 1
+spawn ${OPENSSL} s_client -enable_pha -host localhost -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}"
+
+expect "SSL-Session" {send "**REAUTH**\n"} timeout {exit 1}
+expect {
+ timeout {exit 1}
+ "error*" {exit 1}
+ "Successfully executed command" {send "**REAUTH**\n"}
+}
+expect {
+ timeout {exit 1}
+ "error*" {exit 1}
+ "Successfully executed command" {send "HELLO\n"}
+}
+
+expect "HELLO" {close} timeout {exit 1}
+
+lassign [wait] pid spawnid os_error_flag value
+if {\$os_error_flag == 0} {
+ exit $value
+} else {
+ exit 1
+}
+_EOF_
+if test $? != 0;then
+ fail ${PID} "Failed"
+fi
+
+kill ${PID}
+wait
+
+
+echo_cmd "${PREFIX}Checking TLS 1.3 with Ed25519 certificate..."
+
+eval "${GETPORT}"
+launch_server --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${ED25519_CERT}" --x509keyfile "${ED25519_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
+PID=$!
+wait_server ${PID}
+
+${OPENSSL} s_client -host localhost -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+echo_cmd "${PREFIX}Checking TLS 1.3 with Ed448 certificate..."
+
+eval "${GETPORT}"
+launch_server --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${ED448_CERT}" --x509keyfile "${ED448_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
+PID=$!
+wait_server ${PID}
+
+${OPENSSL} s_client -host localhost -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+echo_cmd "${PREFIX}Checking TLS 1.3 with secp256r1 certificate..."
+
+eval "${GETPORT}"
+launch_server --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${ECC_CERT}" --x509keyfile "${ECC_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
+PID=$!
+wait_server ${PID}
+
+${OPENSSL} s_client -host localhost -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+echo_cmd "${PREFIX}Checking TLS 1.3 with RSA-PSS certificate..."
+
+eval "${GETPORT}"
+launch_server --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${RSA_PSS_CERT}" --x509keyfile "${RSA_PSS_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
+PID=$!
+wait_server ${PID}
+
+${OPENSSL} s_client -host localhost -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+
+# openssl doesn't support PSK
+for i in DHE-PSK;do
+ echo_cmd "${PREFIX}Checking TLS 1.3 with ${i}..."
+
+ eval "${GETPORT}"
+ launch_server --pskpasswd "${SERV_PSK}" --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-GCM:+${i}${ADD}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
+ PID=$!
+ wait_server ${PID}
+
+ ${OPENSSL} s_client -host localhost -port "${PORT}" -psk_identity "${PSKID}" -psk "${PSKKEY}" </dev/null >>${OUTPUT} || \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+done
+
+# Try resumption
+echo_cmd "${PREFIX}Checking TLS 1.3 with resumption..."
+testdir=`create_testdir tls13-openssl-resumption`
+eval "${GETPORT}"
+launch_server --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${RSA_CERT}" --x509keyfile "${RSA_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
+PID=$!
+wait_server ${PID}
+
+{ echo a; sleep 1; } | \
+${OPENSSL} s_client -host localhost -port "${PORT}" -CAfile "${CA_CERT}" -sess_out "${testdir}/sess.pem" 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+${OPENSSL} s_client -host localhost -port "${PORT}" -CAfile "${CA_CERT}" -sess_in "${testdir}/sess.pem" </dev/null 2>&1 > "${testdir}/server.out"
+grep "\:error\:" "${testdir}/server.out" && \
+ fail ${PID} "Failed"
+grep "^Reused, TLSv1.3" "${testdir}/server.out" || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+echo_cmd "${PREFIX}Checking TLS 1.3 with resumption and HRR..."
+eval "${GETPORT}"
+launch_server --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-256-GCM:-GROUP-ALL:+GROUP-SECP384R1${ADD}" --x509certfile "${RSA_CERT}" --x509keyfile "${RSA_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
+PID=$!
+wait_server ${PID}
+
+{ echo a; sleep 1; } | \
+${OPENSSL} s_client -host localhost -port "${PORT}" -curves 'X25519:P-256:X448:P-521:P-384' -CAfile "${CA_CERT}" -sess_out "${testdir}/sess-hrr.pem" 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+${OPENSSL} s_client -host localhost -port "${PORT}" -curves 'X25519:P-256:X448:P-521:P-384' -CAfile "${CA_CERT}" -sess_in "${testdir}/sess-hrr.pem" </dev/null 2>&1 > "${testdir}/server.out"
+grep "\:error\:" "${testdir}/server.out" && \
+ fail ${PID} "Failed"
+grep "^Reused, TLSv1.3" "${testdir}/server.out" || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+echo_cmd "${PREFIX}Checking TLS 1.3 with resumption and early data..."
+testdir=`create_testdir tls13-openssl-resumption`
+eval "${GETPORT}"
+launch_server --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${RSA_CERT}" --x509keyfile "${RSA_KEY}" --x509cafile "${CA_CERT}" --earlydata >>${OUTPUT} 2>&1
+PID=$!
+wait_server ${PID}
+
+echo "This file contains early data sent by the client" > "${testdir}/earlydata.txt"
+{ echo a; sleep 1; } | \
+${OPENSSL} s_client -host localhost -port "${PORT}" -CAfile "${CA_CERT}" -sess_out "${testdir}/sess-earlydata.pem" 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+${OPENSSL} s_client -host localhost -port "${PORT}" -CAfile "${CA_CERT}" -sess_in "${testdir}/sess-earlydata.pem" -early_data "${testdir}/earlydata.txt" </dev/null 2>&1 > "${testdir}/server.out"
+grep "\:error\:" "${testdir}/server.out" && \
+ fail ${PID} "Failed"
+grep "^Reused, TLSv1.3" "${testdir}/server.out" || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+echo_cmd "${PREFIX}Checking TLS 1.3 with resumption and early data with small limit..."
+testdir=`create_testdir tls13-openssl-resumption`
+eval "${GETPORT}"
+launch_server --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${RSA_CERT}" --x509keyfile "${RSA_KEY}" --x509cafile "${CA_CERT}" --earlydata --maxearlydata 1 >>${OUTPUT} 2>&1
+PID=$!
+wait_server ${PID}
+
+echo "This file contains early data sent by the client" > "${testdir}/earlydata.txt"
+{ echo a; sleep 1; } | \
+${OPENSSL} s_client -host localhost -port "${PORT}" -CAfile "${CA_CERT}" -sess_out "${testdir}/sess-earlydata.pem" 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+${OPENSSL} s_client -host localhost -port "${PORT}" -CAfile "${CA_CERT}" -sess_in "${testdir}/sess-earlydata.pem" -early_data "${testdir}/earlydata.txt" </dev/null 2>&1 > "${testdir}/server.out"
+grep "^Early data was rejected" "${testdir}/server.out" || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+rm -rf "${testdir}"
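Review bot: `GROUPS`, assigned just before the group loop, is a special array variable in bash, and assignments to it have no effect. When the script runs under bash, as its `#!/bin/bash` shebang requests, `for i in $GROUPS` therefore expands to a numeric group id instead of the five `GROUP-*` names, and the intended key-exchange groups are not exercised. Renaming the variable avoids the clash: `TLS13_GROUPS="GROUP-X25519 GROUP-X448 GROUP-SECP256R1 GROUP-SECP384R1 GROUP-SECP521R1"` with `for i in $TLS13_GROUPS;do`. Separately, in both `expect` here-documents `exit $value` is expanded by the shell, because the `_EOF_` delimiter is unquoted and only `\$os_error_flag` is escaped. The value reported by `wait` for the spawned `s_client` is therefore never propagated; the line should read `exit \$value`.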
diff --git a/tests/suite/testcompat-polarssl-serv-common.sh b/tests/suite/testcompat-polarssl-serv-common.sh
new file mode 100755
index 0000000000..f16882b22d
--- /dev/null
+++ b/tests/suite/testcompat-polarssl-serv-common.sh
@@ -0,0 +1,432 @@
+#!/bin/sh
+
+# Copyright (c) 2010-2015, Free Software Foundation, Inc.
+# Copyright (c) 2012-2015, Nikos Mavrogiannopoulos
+# All rights reserved.
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# Redistribution and use in source and binary forms, with or without modification,
+# are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice, this
+# list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright notice,
+# this list of conditions and the following disclaimer in the documentation and/or
+# other materials provided with the distribution.
+# 3. Neither the name of the copyright holder nor the names of its contributors may
+# be used to endorse or promote products derived from this software without specific
+# prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
+# SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
+# WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+: ${srcdir=.}
+: ${CLI=../../src/gnutls-cli${EXEEXT}}
+LOGFILE=polarssl.log
+unset RETCODE
+
+if ! test -x "${CLI}"; then
+ exit 77
+fi
+
+if ! test -z "${VALGRIND}"; then
+ VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}"
+fi
+
+if test "${WINDIR}" != ""; then
+ exit 77
+fi
+
+. "${srcdir}/../scripts/common.sh"
+
+
+TXT=`"${CLI}" --priority NORMAL --list|grep SECP224`
+if test -z "${TXT}"; then
+ ALL_CURVES=0
+else
+ ALL_CURVES=1
+fi
+
+
+echo "Compatibility checks using polarssl"
+
+for POLARSSL_CLI in \
+ /usr/bin/polarssl_ssl_client2 \
+ /usr/bin/mbedtls_ssl_client2 \
+ /usr/libexec/mbedtls/ssl_client2 \
+ ""; do
+ test -x "${POLARSSL_CLI}" && break
+done
+
+if test -z "${POLARSSL_CLI}"; then
+ echo "PolarSSL is required for this test to run"
+ exit 77
+fi
+
+"${POLARSSL_CLI}" >/dev/null 2>&1
+if test $? = 0; then
+ echo "PolarSSL 1.3.x is required for the tests to run"
+ exit 77
+fi
+
+
+. "${srcdir}/testcompat-common"
+
+echo ""
+echo "##################################################"
+echo "# Server mode tests (gnutls server-polarssl cli) #"
+echo "##################################################"
+SERV="../../src/gnutls-serv${EXEEXT} -q"
+
+rm -f "${LOGFILE}"
+
+ADD=$1
+PREFIX=""
+if ! test -z "${ADD}"; then
+ PREFIX="$(echo $ADD|sed 's/://g'): "
+fi
+
+eval "${GETPORT}"
+
+#TLS 1.0
+
+echo "${PREFIX}Check TLS 1.0 with DHE-RSA ciphersuite"
+launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
+PID=$!
+wait_server ${PID}
+
+"${POLARSSL_CLI}" server_name=localhost min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+#echo "${PREFIX}Check TLS 1.0 with DHE-DSS ciphersuite"
+#launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-DSS${ADD}" --x509certfile "${SERV_DSA_CERT}" --x509keyfile "${SERV_DSA_KEY}" --dhparams "${DH_PARAMS}"
+#PID=$!
+#wait_server ${PID}
+
+#"${POLARSSL_CLI}" server_name=localhost min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
+# fail ${PID} "Failed"
+
+#kill ${PID}
+#wait
+
+eval "${GETPORT}"
+echo "${PREFIX}Check TLS 1.0 with ECDHE-RSA ciphersuite"
+launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-RSA:+CURVE-ALL${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
+PID=$!
+wait_server ${PID}
+
+#-cipher ECDHE-RSA-AES128-SHA
+"${POLARSSL_CLI}" server_name=localhost min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+eval "${GETPORT}"
+echo "${PREFIX}Check TLS 1.0 with PSK ciphersuite"
+launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
+PID=$!
+wait_server ${PID}
+
+#-cipher PSK-AES128-SHA
+"${POLARSSL_CLI}" server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+eval "${GETPORT}"
+echo "${PREFIX}Check TLS 1.0 with DHE-PSK ciphersuite"
+launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
+PID=$!
+wait_server ${PID}
+
+#-cipher PSK-AES128-SHA
+"${POLARSSL_CLI}" server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+eval "${GETPORT}"
+echo "${PREFIX}Check TLS 1.0 with ECDHE-PSK ciphersuite"
+launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
+PID=$!
+wait_server ${PID}
+
+#-cipher PSK-AES128-SHA
+"${POLARSSL_CLI}" server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+eval "${GETPORT}"
+echo "${PREFIX}Check TLS 1.0 with RSA-PSK ciphersuite"
+launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA-PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
+PID=$!
+wait_server ${PID}
+
+#-cipher RSA-PSK-AES128-SHA
+"${POLARSSL_CLI}" server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+if test ${ALL_CURVES} = 1; then
+ eval "${GETPORT}"
+ echo "${PREFIX}Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP224R1)"
+ launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC224_CERT}" --x509keyfile "${ECC224_KEY}" --x509cafile "${CA_ECC_CERT}"
+ PID=$!
+ wait_server ${PID}
+
+ #-cipher ECDHE-ECDSA-AES128-SHA
+ "${POLARSSL_CLI}" server_name=localhost min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${ECC224_CERT}" key_file="${ECC224_KEY}" ca_file="${CA_ECC_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+fi
+
+eval "${GETPORT}"
+echo "${PREFIX}Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP256R1)"
+launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC256_CERT}" --x509keyfile "${ECC256_KEY}" --x509cafile "${CA_ECC_CERT}"
+PID=$!
+wait_server ${PID}
+
+#-cipher ECDHE-ECDSA-AES128-SHA
+"${POLARSSL_CLI}" server_name=localhost min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${ECC256_CERT}" key_file="${ECC256_KEY}" ca_file="${CA_ECC_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+eval "${GETPORT}"
+echo "${PREFIX}Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP384R1)"
+launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC384_CERT}" --x509keyfile "${ECC384_KEY}" --x509cafile "${CA_ECC_CERT}"
+PID=$!
+wait_server ${PID}
+
+#-cipher ECDHE-ECDSA-AES128-SHA
+"${POLARSSL_CLI}" server_name=localhost min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${ECC384_CERT}" key_file="${ECC384_KEY}" ca_file="${CA_ECC_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+eval "${GETPORT}"
+echo "${PREFIX}Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP521R1)"
+launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC521_CERT}" --x509keyfile "${ECC521_KEY}" --x509cafile "${CA_ECC_CERT}"
+PID=$!
+wait_server ${PID}
+
+#-cipher ECDHE-ECDSA-AES128-SHA
+"${POLARSSL_CLI}" server_name=localhost min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${ECC521_CERT}" key_file="${ECC521_KEY}" ca_file="${CA_ECC_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+eval "${GETPORT}"
+echo "${PREFIX}Check TLS 1.2 with DHE-RSA ciphersuite"
+launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
+PID=$!
+wait_server ${PID}
+
+"${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+eval "${GETPORT}"
+echo "${PREFIX}Check TLS 1.2 with CAMELLIA-128-GCM-DHE-RSA ciphersuite"
+launch_server --priority "NONE:-CIPHER-ALL:+CAMELLIA-128-GCM:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
+PID=$!
+wait_server ${PID}
+
+"${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+eval "${GETPORT}"
+echo "${PREFIX}Check TLS 1.2 with CAMELLIA-256-GCM-DHE-RSA ciphersuite"
+launch_server --priority "NONE:-CIPHER-ALL:+CAMELLIA-256-GCM:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
+PID=$!
+wait_server ${PID}
+
+"${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+eval "${GETPORT}"
+echo "${PREFIX}Check TLS 1.2 with AES-128-CCM-DHE-RSA ciphersuite"
+launch_server --priority "NONE:-CIPHER-ALL:+AES-128-CCM:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
+PID=$!
+wait_server ${PID}
+
+"${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+eval "${GETPORT}"
+echo "${PREFIX}Check TLS 1.2 with AES-128-CCM-8-DHE-RSA ciphersuite"
+launch_server --priority "NONE:-CIPHER-ALL:+AES-128-CCM-8:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}"
+PID=$!
+wait_server ${PID}
+
+"${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+#echo "${PREFIX}Check TLS 1.2 with DHE-DSS ciphersuite"
+#launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-DSS${ADD}" --x509certfile "${SERV_DSA_CERT}" --x509keyfile "${SERV_DSA_KEY}" --dhparams "${DH_PARAMS}"
+#PID=$!
+#wait_server ${PID}
+#
+#"${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
+# fail ${PID} "Failed"
+#
+#kill ${PID}
+#wait
+
+eval "${GETPORT}"
+echo "${PREFIX}Check TLS 1.2 with ECDHE-RSA ciphersuite"
+launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-RSA:+CURVE-ALL${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
+PID=$!
+wait_server ${PID}
+
+#-cipher ECDHE-RSA-AES128-SHA
+"${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+if test ${ALL_CURVES} = 1; then
+ eval "${GETPORT}"
+ echo "${PREFIX}Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP224R1)"
+ launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC224_CERT}" --x509keyfile "${ECC224_KEY}" --x509cafile "${CA_ECC_CERT}"
+ PID=$!
+ wait_server ${PID}
+
+ #-cipher ECDHE-ECDSA-AES128-SHA
+ "${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${ECC224_CERT}" key_file="${ECC224_KEY}" ca_file="${CA_ECC_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
+ fail ${PID} "Failed"
+
+ kill ${PID}
+ wait
+fi
+
+eval "${GETPORT}"
+echo "${PREFIX}Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP256R1)"
+launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC256_CERT}" --x509keyfile "${ECC256_KEY}" --x509cafile "${CA_ECC_CERT}"
+PID=$!
+wait_server ${PID}
+
+#-cipher ECDHE-ECDSA-AES128-SHA
+"${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${ECC256_CERT}" key_file="${ECC256_KEY}" ca_file="${CA_ECC_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+eval "${GETPORT}"
+echo "${PREFIX}Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP384R1)"
+launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC384_CERT}" --x509keyfile "${ECC384_KEY}" --x509cafile "${CA_ECC_CERT}"
+PID=$!
+wait_server ${PID}
+
+#-cipher ECDHE-ECDSA-AES128-SHA
+"${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${ECC384_CERT}" key_file="${ECC384_KEY}" ca_file="${CA_ECC_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+eval "${GETPORT}"
+echo "${PREFIX}Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP521R1)"
+launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC521_CERT}" --x509keyfile "${ECC521_KEY}" --x509cafile "${CA_ECC_CERT}"
+PID=$!
+wait_server ${PID}
+
+#-cipher ECDHE-ECDSA-AES128-SHA
+"${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${ECC521_CERT}" key_file="${ECC521_KEY}" ca_file="${CA_ECC_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+eval "${GETPORT}"
+echo "${PREFIX}Check TLS 1.2 with PSK ciphersuite"
+launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
+PID=$!
+wait_server ${PID}
+
+#-cipher PSK-AES128-SHA
+"${POLARSSL_CLI}" server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+eval "${GETPORT}"
+echo "${PREFIX}Check TLS 1.2 with DHE-PSK ciphersuite"
+launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
+PID=$!
+wait_server ${PID}
+
+#-cipher PSK-AES128-SHA
+"${POLARSSL_CLI}" server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+eval "${GETPORT}"
+echo "${PREFIX}Check TLS 1.2 with ECDHE-PSK ciphersuite"
+launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
+PID=$!
+wait_server ${PID}
+
+#-cipher PSK-AES128-SHA
+"${POLARSSL_CLI}" server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
+
+eval "${GETPORT}"
+echo "${PREFIX}Check TLS 1.2 with RSA-PSK ciphersuite"
+launch_server --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+RSA-PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}"
+PID=$!
+wait_server ${PID}
+
+#-cipher RSA-PSK-AES128-SHA
+"${POLARSSL_CLI}" server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" </dev/null >>"${LOGFILE}" 2>&1 || \
+ fail ${PID} "Failed"
+
+kill ${PID}
+wait
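Review bot: `LOGFILE=polarssl.log` near the top of the script is a fixed name in the working directory, and the script later runs `rm -f "${LOGFILE}"` before appending every client run to it. This commit adds wrappers that call the script with `:%COMPAT`, `:%NO_ETM` and no argument, so if the test harness runs them concurrently (not visible from this hunk), one run would delete or interleave another's log. Deriving the name from the argument keeps them apart, for example `LOGFILE="polarssl$(echo "$1" | tr -d ':%').log"`. The `fail ${PID} "Failed"` calls also give no hint where the client output went, so it may help to mention `${LOGFILE}` in that message.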
diff --git a/tests/suite/testcompat-polarssl-serv-compat.sh b/tests/suite/testcompat-polarssl-serv-compat.sh
new file mode 100755
index 0000000000..841c3c61ce
--- /dev/null
+++ b/tests/suite/testcompat-polarssl-serv-compat.sh
@@ -0,0 +1,59 @@
+#!/bin/sh
+
+# Copyright (c) 2010-2015, Free Software Foundation, Inc.
+# Copyright (c) 2012-2015, Nikos Mavrogiannopoulos
+# All rights reserved.
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# Redistribution and use in source and binary forms, with or without modification,
+# are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice, this
+# list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright notice,
+# this list of conditions and the following disclaimer in the documentation and/or
+# other materials provided with the distribution.
+# 3. Neither the name of the copyright holder nor the names of its contributors may
+# be used to endorse or promote products derived from this software without specific
+# prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
+# SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
+# WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+: ${srcdir=.}
+
+export TZ="UTC"
+
+if test "${GNUTLS_FORCE_FIPS_MODE}" = 1;then
+ echo "Cannot run in FIPS140-2 mode"
+ exit 77
+fi
+
+# Check for datefudge
+. "${srcdir}/../scripts/common.sh"
+
+skip_if_no_datefudge
+
+cat /proc/cpuinfo|grep "model name"|grep "VIA Esther" >/dev/null 2>&1
+if test $? = 0; then
+ echo "PolarSSL is broken on VIA processors"
+ exit 77
+fi
+
+timeout 1800 datefudge "2012-09-02" \
+"${srcdir}/testcompat-polarssl-serv-common.sh" ":%COMPAT"
+
+ret=$?
+test $ret = 124 && exit 77
+
+exit $ret
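Review bot: A run that hits the 1800-second `timeout` is reported as skipped rather than failed, because `test $ret = 124 && exit 77` maps the timeout status to the skip code. A handshake that hangs between gnutls-serv and the PolarSSL client would therefore not fail the suite. The same two lines are added in testcompat-polarssl-serv-no-etm.sh and appear as context in testcompat-polarssl-serv.sh. If the mapping is intended for slow machines, a comment above it would make that explicit, e.g. `# 124 = timeout expired; treated as skip, so a hang is not reported as a failure`. Otherwise, dropping the `test $ret = 124 && exit 77` line lets the timeout surface as a failure.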
diff --git a/tests/suite/testcompat-polarssl-serv-no-etm.sh b/tests/suite/testcompat-polarssl-serv-no-etm.sh
new file mode 100755
index 0000000000..d64dbaad28
--- /dev/null
+++ b/tests/suite/testcompat-polarssl-serv-no-etm.sh
@@ -0,0 +1,59 @@
+#!/bin/sh
+
+# Copyright (c) 2010-2015, Free Software Foundation, Inc.
+# Copyright (c) 2012-2015, Nikos Mavrogiannopoulos
+# All rights reserved.
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# Redistribution and use in source and binary forms, with or without modification,
+# are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice, this
+# list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright notice,
+# this list of conditions and the following disclaimer in the documentation and/or
+# other materials provided with the distribution.
+# 3. Neither the name of the copyright holder nor the names of its contributors may
+# be used to endorse or promote products derived from this software without specific
+# prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
+# SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
+# WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+: ${srcdir=.}
+
+export TZ="UTC"
+
+if test "${GNUTLS_FORCE_FIPS_MODE}" = 1;then
+ echo "Cannot run in FIPS140-2 mode"
+ exit 77
+fi
+
+# Check for datefudge
+. "${srcdir}/../scripts/common.sh"
+
+skip_if_no_datefudge
+
+cat /proc/cpuinfo|grep "model name"|grep "VIA Esther" >/dev/null 2>&1
+if test $? = 0; then
+ echo "PolarSSL is broken on VIA processors"
+ exit 77
+fi
+
+timeout 1800 datefudge "2012-09-02" \
+"${srcdir}/testcompat-polarssl-serv-common.sh" ":%NO_ETM"
+
+ret=$?
+test $ret = 124 && exit 77
+
+exit $ret
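Review bot: The `":%NO_ETM"` argument on the `datefudge` line is the only thing that distinguishes this test, yet nothing visible checks that encrypt-then-MAC was actually left out of the negotiation. In testcompat-polarssl-serv-common.sh the client output is appended to the log and only the exit status is tested, so the run passes whenever the handshakes succeed. It would presumably pass the same way if the priority flag had no effect. A comment above the invocation would at least record that limit, e.g. `# Only checks that handshakes still succeed with %NO_ETM; does not assert that EtM was not negotiated`.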
diff --git a/tests/suite/testcompat-polarssl.sh b/tests/suite/testcompat-polarssl-serv.sh
index 7a9f67c27c..f4ed2ba6d1 100755
--- a/tests/suite/testcompat-polarssl.sh
+++ b/tests/suite/testcompat-polarssl-serv.sh
@@ -50,7 +50,8 @@ if test $? = 0; then
exit 77
fi
-timeout 1800 datefudge "2012-09-2" "${srcdir}/testcompat-main-polarssl"
+timeout 1800 datefudge "2012-09-02" \
+"${srcdir}/testcompat-polarssl-serv-common.sh"
ret=$?
test $ret = 124 && exit 77
diff --git a/tests/suite/testcompat-tls13-openssl.sh b/tests/suite/testcompat-tls13-openssl.sh
deleted file mode 100755
index 7abbb5d7bc..0000000000
--- a/tests/suite/testcompat-tls13-openssl.sh
+++ /dev/null
@@ -1,608 +0,0 @@
-#!/bin/bash
-
-# Copyright (c) 2010-2016, Free Software Foundation, Inc.
-# Copyright (c) 2012-2018, Nikos Mavrogiannopoulos
-# All rights reserved.
-#
-# Author: Nikos Mavrogiannopoulos
-#
-# This file is part of GnuTLS.
-#
-# Redistribution and use in source and binary forms, with or without modification,
-# are permitted provided that the following conditions are met:
-#
-# 1. Redistributions of source code must retain the above copyright notice, this
-# list of conditions and the following disclaimer.
-# 2. Redistributions in binary form must reproduce the above copyright notice,
-# this list of conditions and the following disclaimer in the documentation and/or
-# other materials provided with the distribution.
-# 3. Neither the name of the copyright holder nor the names of its contributors may
-# be used to endorse or promote products derived from this software without specific
-# prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
-# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
-# SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
-# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
-# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
-# WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-: ${srcdir=.}
-: ${SERV=../../src/gnutls-serv${EXEEXT}}
-: ${CLI=../../src/gnutls-cli${EXEEXT}}
-unset RETCODE
-
-if ! test -x "${CLI}"; then
- exit 77
-fi
-
-if ! test -z "${VALGRIND}"; then
- VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}"
-fi
-
-if test "${WINDIR}" != ""; then
- exit 77
-fi
-
-. "${srcdir}/../scripts/common.sh"
-
-skip_if_no_datefudge
-
-. "${srcdir}/testcompat-common"
-
-: ${PORT=${RPORT}}
-
-: ${OPENSSL=openssl}
-
-if test -z "$OUTPUT";then
-OUTPUT=/dev/null
-fi
-
->${OUTPUT}
-
-echo_cmd() {
- tee -a ${OUTPUT} <<<$(echo $1)
-}
-
-echo_cmd "Compatibility checks using "`${OPENSSL} version`
-
-echo_cmd "#################################################"
-echo_cmd "# Client mode tests (gnutls cli-openssl server) #"
-echo_cmd "#################################################"
-
-OCIPHERSUITES="TLS_AES_128_CCM_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_8_SHA256"
-
-run_client_suite() {
- ADD=$1
- PREFIX=""
- if ! test -z "${ADD}"; then
- PREFIX="$(echo $ADD|sed 's/://g'): "
- fi
-
-
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -ciphersuites ${OCIPHERSUITES} -groups 'X25519:P-256:X448:P-521:P-384' -quiet -www -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -CAfile "${CA_CERT}"
- PID=$!
- wait_server ${PID}
-
- #AES-128-CCM
- for i in AES-128-GCM AES-256-GCM CHACHA20-POLY1305 AES-128-CCM AES-128-CCM-8;do
- echo_cmd "${PREFIX}Checking TLS 1.3 with ${i}..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+${i}${ADD}" --insecure </dev/null >>${OUTPUT} || \
- fail ${PID} "Failed"
- done
-
- for i in GROUP-X25519 GROUP-SECP256R1 GROUP-SECP384R1 GROUP-SECP521R1;do
- echo_cmd "${PREFIX}Checking TLS 1.3 with $i..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+${i}${ADD}" --insecure </dev/null >>${OUTPUT} || \
- fail ${PID} "Failed"
- done
-
- echo_cmd "${PREFIX}Checking TLS 1.3 with double rekey..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --insecure --inline-commands <<<$(echo -e "^rekey^\n^rekey1^\nGET / HTTP/1.0\r\n\r\n") >>${OUTPUT} || \
- fail ${PID} "Failed"
-
- # Try hello retry request
- echo_cmd "${PREFIX}Checking TLS 1.3 with HRR..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --single-key-share --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-FFDHE4096:+GROUP-SECP256R1${ADD}" --insecure </dev/null >>${OUTPUT} || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
-
- #test PSK ciphersuites
- # disabled as I do not seem to be able to connect to openssl s_server with PSK
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -psk_identity ${PSKID} -psk ${PSKKEY} -nocert
- PID=$!
- wait_server ${PID}
-
-# by default only SHA256 is supported under PSK as PRF, so we cannot try all
-# ciphers; only the ones which use SHA256 PRF.
- for i in AES-128-GCM;do
-# plain PSK with (EC)DHE not supported by openssl
-# echo_cmd "${PREFIX}Checking TLS 1.3 with PSK with ${i}..."
-# ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK:-CIPHER-ALL:+${i}${ADD}" --pskusername ${PSKID} --pskkey ${PSKKEY} </dev/null || \
-# fail ${PID} "Failed"
-
- echo_cmd "${PREFIX}Checking TLS 1.3 with DHE-PSK with ${i}..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+DHE-PSK:+VERS-TLS1.3:-CIPHER-ALL:+${i}${ADD}" --pskusername ${PSKID} --pskkey ${PSKKEY} </dev/null >>${OUTPUT} || \
- fail ${PID} "Failed"
- done
-
- kill ${PID}
- wait
-
- #test client certificates
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -cipher "ALL" -quiet -www -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" >>${OUTPUT} 2>&1
- PID=$!
- wait_server ${PID}
-
- for i in GROUP-SECP256R1;do
- echo_cmd "${PREFIX}Checking TLS 1.3 with RSA client cert and $i..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+${i}${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >>${OUTPUT} || \
- fail ${PID} "Failed"
-
- echo_cmd "${PREFIX}Checking TLS 1.3 with secp256r1 client cert and $i..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+${i}${ADD}" --insecure --x509certfile "${ECC_CLI_CERT}" --x509keyfile "${ECC_CLI_KEY}" </dev/null >>${OUTPUT} || \
- fail ${PID} "Failed"
-
- echo_cmd "${PREFIX}Checking TLS 1.3 with Ed25519 client cert and $i..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+${i}${ADD}" --insecure --x509certfile "${ED25519_CLI_CERT}" --x509keyfile "${ED25519_CLI_KEY}" </dev/null >>${OUTPUT} || \
- fail ${PID} "Failed"
-
- echo_cmd "${PREFIX}Checking TLS 1.3 with RSA-PSS client cert and $i..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+${i}${ADD}" --insecure --x509certfile "${RSA_PSS_CLI_CERT}" --x509keyfile "${RSA_PSS_CLI_KEY}" </dev/null >>${OUTPUT} || \
- fail ${PID} "Failed"
- done
-
- kill ${PID}
- wait
-
- echo_cmd "${PREFIX}Checking TLS 1.3 with Ed25519 certificate..."
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${ED25519_KEY}" -cert "${ED25519_CERT}" -CAfile "${CA_CERT}"
- PID=$!
- wait_server ${PID}
-
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --insecure </dev/null >>${OUTPUT} || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- echo_cmd "${PREFIX}Checking TLS 1.3 with Ed448 certificate..."
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${ED448_KEY}" -cert "${ED448_CERT}" -CAfile "${CA_CERT}"
- PID=$!
- wait_server ${PID}
-
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --insecure </dev/null >>${OUTPUT} || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- echo_cmd "${PREFIX}Checking TLS 1.3 with secp256r1 certificate..."
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${ECC_KEY}" -cert "${ECC_CERT}" -CAfile "${CA_CERT}"
- PID=$!
- wait_server ${PID}
-
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --insecure </dev/null >>${OUTPUT} || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- echo_cmd "${PREFIX}Checking TLS 1.3 with RSA-PSS certificate..."
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_PSS_KEY}" -cert "${RSA_PSS_CERT}" -CAfile "${CA_CERT}"
- PID=$!
- wait_server ${PID}
-
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --insecure </dev/null >>${OUTPUT} || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- # Try resumption
- echo_cmd "${PREFIX}Checking TLS 1.3 with resumption..."
- testdir=`create_testdir tls13-openssl-resumption`
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -CAfile "${CA_CERT}"
- PID=$!
- wait_server ${PID}
-
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:+GROUP-ALL${ADD}" --insecure --inline-commands <<< $(echo -e "^resume^\nGET / HTTP/1.0\r\n\r\n")| tee "${testdir}/client.out" >> ${OUTPUT}
- grep '^\*\*\* This is a resumed session' "${testdir}/client.out" || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- # Try resumption with HRR
- echo_cmd "${PREFIX}Checking TLS 1.3 with resumption and HRR..."
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -quiet -www -accept "${PORT}" -groups 'X25519:P-256' -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -CAfile "${CA_CERT}"
- PID=$!
- wait_server ${PID}
-
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-SECP256R1${ADD}" --single-key-share --insecure --inline-commands <<< $(echo -e "^resume^\nGET / HTTP/1.0\r\n\r\n")| tee "${testdir}/client.out" >> ${OUTPUT}
- grep '^\*\*\* This is a resumed session' "${testdir}/client.out" || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- # Try resumption with early data
- echo_cmd "${PREFIX}Checking TLS 1.3 with resumption with early data..."
- testdir=`create_testdir tls13-openssl-resumption`
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -quiet -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -CAfile "${CA_CERT}" -early_data
- PID=$!
- wait_server ${PID}
-
- echo "This file contains early data sent by the client" > "${testdir}/earlydata.txt"
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:+GROUP-ALL${ADD}" --earlydata "${testdir}/earlydata.txt" --insecure --inline-commands <<< '^resume^'| tee "${testdir}/client.out" >> ${OUTPUT}
- grep '^\*\*\* This is a resumed session' "${testdir}/client.out" || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- # Try resumption with early data with small limit
- echo_cmd "${PREFIX}Checking TLS 1.3 with resumption with early data..."
- testdir=`create_testdir tls13-openssl-resumption`
- eval "${GETPORT}"
- launch_bare_server "$OPENSSL" s_server -quiet -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -CAfile "${CA_CERT}" -early_data -max_early_data 1
- PID=$!
- wait_server ${PID}
-
- echo "This file contains early data sent by the client" > "${testdir}/earlydata.txt"
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:+GROUP-ALL${ADD}" --earlydata "${testdir}/earlydata.txt" --insecure --inline-commands <<< '^resume^'|& tee "${testdir}/client.out" >> ${OUTPUT}
- grep '^\*\*\* This is a resumed session' "${testdir}/client.out" || \
- fail ${PID} "Failed"
- grep '^\*\*\* Received alert \[10\]: Unexpected message' "${testdir}/client.out" || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- # Try exporting keying material
- echo_cmd "${PREFIX}Checking TLS 1.3 to export keying material..."
- testdir=`create_testdir tls13-openssl-keymatexport`
- eval "${GETPORT}"
- LOGFILE="${testdir}/server.out"
- launch_bare_server "$OPENSSL" s_server -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -CAfile "${CA_CERT}" -keymatexport label -keymatexportlen 20
- unset LOGFILE
- PID=$!
- wait_server ${PID}
-
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:+GROUP-ALL${ADD}" --keymatexport label --keymatexportsize 20| tee "${testdir}/client.out" >> ${OUTPUT}
- grep '^- Key material: ' "${testdir}/client.out" | \
- sed -e 's/^.*: //' -e 'y/abcdef/ABCDEF/' > "${testdir}/client.key" || \
- fail ${PID} "Failed"
- grep '^ Keying material: ' "${testdir}/server.out" | \
- sed -e 's/^.*: //' -e 'y/abcdef/ABCDEF/' > "${testdir}/server.key" || \
- fail ${PID} "Failed"
- diff "${testdir}/client.key" "${testdir}/server.key" || \
- fail ${PID} "Failed"
- kill ${PID}
- wait
-
- rm -rf "${testdir}"
-
-}
-
-run_client_suite
-
-echo_cmd "${PREFIX}Client mode tests were successfully completed"
-echo_cmd "${PREFIX}"
-echo_cmd "${PREFIX}###############################################"
-echo_cmd "${PREFIX}# Server mode tests (gnutls server-openssl cli#"
-echo_cmd "${PREFIX}###############################################"
-SERV="${SERV} -q"
-
-# Note that openssl s_client does not return error code on failure
-
-run_server_suite() {
- ADD=$1
- PREFIX=""
- if ! test -z "${ADD}"; then
- PREFIX="$(echo $ADD|sed 's/://g'): "
- fi
-
- #AES-128-CCM
- for i in AES-128-GCM AES-256-GCM CHACHA20-POLY1305 AES-128-CCM AES-128-CCM-8;do
- echo_cmd "${PREFIX}Checking TLS 1.3 with ${i}..."
-
- eval "${GETPORT}"
- launch_server --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+${i}${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
- PID=$!
- wait_server ${PID}
-
- ${OPENSSL} s_client -ciphersuites ${OCIPHERSUITES} -host localhost -port "${PORT}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
- done
-
- GROUPS="GROUP-X25519 GROUP-X448 GROUP-SECP256R1 GROUP-SECP384R1 GROUP-SECP521R1"
- for i in $GROUPS;do
- echo_cmd "${PREFIX}Checking TLS 1.3 with ${i}..."
-
- eval "${GETPORT}"
- launch_server --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+${i}${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
- PID=$!
- wait_server ${PID}
-
- ${OPENSSL} s_client -host localhost -port "${PORT}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
- done
-
- echo_cmd "${PREFIX}Checking TLS 1.3 with HRR..."
- eval "${GETPORT}"
- launch_server --echo --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-SECP384R1${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
- PID=$!
- wait_server ${PID}
-
- ${OPENSSL} s_client -groups 'X25519:P-256:X448:P-521:P-384' -host localhost -port "${PORT}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- echo_cmd "${PREFIX}Checking TLS 1.3 with rekey..."
- expect - >/dev/null <<_EOF_
-set timeout 10
-set os_error_flag 1
-spawn ${OPENSSL} s_client -host localhost -port "${PORT}" -CAfile "${CA_CERT}"
-
-expect "SSL-Session" {send "K\n"} timeout {exit 1}
-expect "KEYUPDATE" {send "HELLO\n"} timeout {exit 1}
-expect "HELLO" {close} timeout {exit 1}
-
-lassign [wait] pid spawnid os_error_flag value
-if {\$os_error_flag == 0} {
- exit $value
-} else {
- exit 1
-}
-_EOF_
- if test $? != 0;then
- fail ${PID} "Failed"
- fi
-
- kill ${PID}
- wait
-
- # client certificates
-
- eval "${GETPORT}"
- launch_server --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --require-client-cert --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
- PID=$!
- wait_server ${PID}
-
- echo_cmd "${PREFIX}Checking TLS 1.3 with RSA client certificate..."
- ${OPENSSL} s_client -host localhost -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- echo_cmd "${PREFIX}Checking TLS 1.3 with RSA-PSS client certificate..."
- ${OPENSSL} s_client -host localhost -port "${PORT}" -cert "${RSA_PSS_CLI_CERT}" -key "${RSA_PSS_CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- echo_cmd "${PREFIX}Checking TLS 1.3 with secp256r1 client certificate..."
- ${OPENSSL} s_client -host localhost -port "${PORT}" -cert "${ECC_CLI_CERT}" -key "${ECC_CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- echo_cmd "${PREFIX}Checking TLS 1.3 with Ed25519 client certificate..."
- ${OPENSSL} s_client -host localhost -port "${PORT}" -cert "${ED25519_CLI_CERT}" -key "${ED25519_CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- echo_cmd "${PREFIX}Checking TLS 1.3 with Ed448 client certificate..."
- ${OPENSSL} s_client -host localhost -port "${PORT}" -cert "${ED448_CLI_CERT}" -key "${ED448_CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- echo_cmd "${PREFIX}Checking TLS 1.3 with post handshake auth..."
-
- eval "${GETPORT}"
- launch_server --echo --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
- PID=$!
- wait_server ${PID}
-
- expect - >/dev/null <<_EOF_
-set timeout 10
-set os_error_flag 1
-spawn ${OPENSSL} s_client -enable_pha -host localhost -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}"
-
-expect "SSL-Session" {send "**REAUTH**\n"} timeout {exit 1}
-expect {
- timeout {exit 1}
- "error*" {exit 1}
- "Successfully executed command" {send "**REAUTH**\n"}
-}
-expect {
- timeout {exit 1}
- "error*" {exit 1}
- "Successfully executed command" {send "HELLO\n"}
-}
-
-expect "HELLO" {close} timeout {exit 1}
-
-lassign [wait] pid spawnid os_error_flag value
-if {\$os_error_flag == 0} {
- exit $value
-} else {
- exit 1
-}
-_EOF_
- if test $? != 0;then
- fail ${PID} "Failed"
- fi
-
- kill ${PID}
- wait
-
-
- echo_cmd "${PREFIX}Checking TLS 1.3 with Ed25519 certificate..."
-
- eval "${GETPORT}"
- launch_server --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${ED25519_CERT}" --x509keyfile "${ED25519_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
- PID=$!
- wait_server ${PID}
-
- ${OPENSSL} s_client -host localhost -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- echo_cmd "${PREFIX}Checking TLS 1.3 with Ed448 certificate..."
-
- eval "${GETPORT}"
- launch_server --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${ED448_CERT}" --x509keyfile "${ED448_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
- PID=$!
- wait_server ${PID}
-
- ${OPENSSL} s_client -host localhost -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- echo_cmd "${PREFIX}Checking TLS 1.3 with secp256r1 certificate..."
-
- eval "${GETPORT}"
- launch_server --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${ECC_CERT}" --x509keyfile "${ECC_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
- PID=$!
- wait_server ${PID}
-
- ${OPENSSL} s_client -host localhost -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- echo_cmd "${PREFIX}Checking TLS 1.3 with RSA-PSS certificate..."
-
- eval "${GETPORT}"
- launch_server --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${RSA_PSS_CERT}" --x509keyfile "${RSA_PSS_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
- PID=$!
- wait_server ${PID}
-
- ${OPENSSL} s_client -host localhost -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
-
- # openssl doesn't support PSK
- for i in DHE-PSK;do
- echo_cmd "${PREFIX}Checking TLS 1.3 with ${i}..."
-
- eval "${GETPORT}"
- launch_server --pskpasswd "${SERV_PSK}" --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-GCM:+${i}${ADD}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
- PID=$!
- wait_server ${PID}
-
- ${OPENSSL} s_client -host localhost -port "${PORT}" -psk_identity "${PSKID}" -psk "${PSKKEY}" </dev/null >>${OUTPUT} || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
- done
-
- # Try resumption
- echo_cmd "${PREFIX}Checking TLS 1.3 with resumption..."
- testdir=`create_testdir tls13-openssl-resumption`
- eval "${GETPORT}"
- launch_server --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${RSA_CERT}" --x509keyfile "${RSA_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
- PID=$!
- wait_server ${PID}
-
- { echo a; sleep 1; } | \
- ${OPENSSL} s_client -host localhost -port "${PORT}" -CAfile "${CA_CERT}" -sess_out "${testdir}/sess.pem" 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
- ${OPENSSL} s_client -host localhost -port "${PORT}" -CAfile "${CA_CERT}" -sess_in "${testdir}/sess.pem" </dev/null 2>&1 > "${testdir}/server.out"
- grep "\:error\:" "${testdir}/server.out" && \
- fail ${PID} "Failed"
- grep "^Reused, TLSv1.3" "${testdir}/server.out" || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- echo_cmd "${PREFIX}Checking TLS 1.3 with resumption and HRR..."
- eval "${GETPORT}"
- launch_server --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-256-GCM:-GROUP-ALL:+GROUP-SECP384R1${ADD}" --x509certfile "${RSA_CERT}" --x509keyfile "${RSA_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
- PID=$!
- wait_server ${PID}
-
- { echo a; sleep 1; } | \
- ${OPENSSL} s_client -host localhost -port "${PORT}" -curves 'X25519:P-256:X448:P-521:P-384' -CAfile "${CA_CERT}" -sess_out "${testdir}/sess-hrr.pem" 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
- ${OPENSSL} s_client -host localhost -port "${PORT}" -curves 'X25519:P-256:X448:P-521:P-384' -CAfile "${CA_CERT}" -sess_in "${testdir}/sess-hrr.pem" </dev/null 2>&1 > "${testdir}/server.out"
- grep "\:error\:" "${testdir}/server.out" && \
- fail ${PID} "Failed"
- grep "^Reused, TLSv1.3" "${testdir}/server.out" || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- echo_cmd "${PREFIX}Checking TLS 1.3 with resumption and early data..."
- testdir=`create_testdir tls13-openssl-resumption`
- eval "${GETPORT}"
- launch_server --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${RSA_CERT}" --x509keyfile "${RSA_KEY}" --x509cafile "${CA_CERT}" --earlydata >>${OUTPUT} 2>&1
- PID=$!
- wait_server ${PID}
-
- echo "This file contains early data sent by the client" > "${testdir}/earlydata.txt"
- { echo a; sleep 1; } | \
- ${OPENSSL} s_client -host localhost -port "${PORT}" -CAfile "${CA_CERT}" -sess_out "${testdir}/sess-earlydata.pem" 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
- ${OPENSSL} s_client -host localhost -port "${PORT}" -CAfile "${CA_CERT}" -sess_in "${testdir}/sess-earlydata.pem" -early_data "${testdir}/earlydata.txt" </dev/null 2>&1 > "${testdir}/server.out"
- grep "\:error\:" "${testdir}/server.out" && \
- fail ${PID} "Failed"
- grep "^Reused, TLSv1.3" "${testdir}/server.out" || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
-
- echo_cmd "${PREFIX}Checking TLS 1.3 with resumption and early data with small limit..."
- testdir=`create_testdir tls13-openssl-resumption`
- eval "${GETPORT}"
- launch_server --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${RSA_CERT}" --x509keyfile "${RSA_KEY}" --x509cafile "${CA_CERT}" --earlydata --maxearlydata 1 >>${OUTPUT} 2>&1
- PID=$!
- wait_server ${PID}
-
- echo "This file contains early data sent by the client" > "${testdir}/earlydata.txt"
- { echo a; sleep 1; } | \
- ${OPENSSL} s_client -host localhost -port "${PORT}" -CAfile "${CA_CERT}" -sess_out "${testdir}/sess-earlydata.pem" 2>&1 | grep "\:error\:" && \
- fail ${PID} "Failed"
- ${OPENSSL} s_client -host localhost -port "${PORT}" -CAfile "${CA_CERT}" -sess_in "${testdir}/sess-earlydata.pem" -early_data "${testdir}/earlydata.txt" </dev/null 2>&1 > "${testdir}/server.out"
- grep "^Early data was rejected" "${testdir}/server.out" || \
- fail ${PID} "Failed"
-
- kill ${PID}
- wait
- rm -rf "${testdir}"
-
-}
-
-run_server_suite
-
-exit 0
diff --git a/tests/test-chains-issuer.h b/tests/test-chains-issuer.h
index 543e2d71fb..bf1e65c956 100644
--- a/tests/test-chains-issuer.h
+++ b/tests/test-chains-issuer.h
@@ -24,7 +24,7 @@
#ifndef GNUTLS_TESTS_TEST_CHAINS_ISSUER_H
#define GNUTLS_TESTS_TEST_CHAINS_ISSUER_H
-#define MAX_CHAIN 6
+#define MAX_CHAIN 15
#define SERVER_CERT "-----BEGIN CERTIFICATE-----\n" \
"MIIDATCCAbmgAwIBAgIUQdvdegP8JFszFHLfV4+lrEdafzAwPQYJKoZIhvcNAQEK\n" \
@@ -338,11 +338,102 @@ static const char *missing_middle_unrelated_extra_insert[] = {
NULL,
};
+static const char *missing_middle_single_duplicate[] = {
+ SERVER_CERT,
+ SERVER_CERT,
+ CA_CERT_5,
+ CA_CERT_5,
+ CA_CERT_4,
+ CA_CERT_4,
+ CA_CERT_2,
+ CA_CERT_2,
+ CA_CERT_1,
+ CA_CERT_1,
+ NULL,
+};
+
+static const char *missing_middle_multiple_duplicate[] = {
+ SERVER_CERT,
+ SERVER_CERT,
+ CA_CERT_5,
+ CA_CERT_5,
+ CA_CERT_4,
+ CA_CERT_4,
+ CA_CERT_1,
+ CA_CERT_1,
+ NULL,
+};
+
+static const char *missing_last_single_duplicate[] = {
+ SERVER_CERT,
+ SERVER_CERT,
+ CA_CERT_5,
+ CA_CERT_5,
+ CA_CERT_4,
+ CA_CERT_4,
+ CA_CERT_3,
+ CA_CERT_3,
+ CA_CERT_2,
+ CA_CERT_2,
+ NULL,
+};
+
+static const char *missing_last_multiple_duplicate[] = {
+ SERVER_CERT,
+ SERVER_CERT,
+ CA_CERT_5,
+ CA_CERT_5,
+ CA_CERT_4,
+ CA_CERT_4,
+ CA_CERT_3,
+ CA_CERT_3,
+ NULL,
+};
+
+static const char *missing_skip_single_duplicate[] = {
+ SERVER_CERT,
+ SERVER_CERT,
+ CA_CERT_5,
+ CA_CERT_5,
+ CA_CERT_3,
+ CA_CERT_3,
+ CA_CERT_1,
+ CA_CERT_1,
+ NULL,
+};
+
+static const char *missing_skip_multiple_duplicate[] = {
+ SERVER_CERT,
+ SERVER_CERT,
+ CA_CERT_5,
+ CA_CERT_5,
+ CA_CERT_3,
+ CA_CERT_3,
+ NULL,
+};
+
static const char *missing_ca[] = {
CA_CERT_0,
NULL,
};
+static const char *middle_single_duplicate_ca[] = {
+ SERVER_CERT,
+ CA_CERT_5,
+ CA_CERT_0,
+ CA_CERT_4,
+ CA_CERT_0,
+ CA_CERT_2,
+ CA_CERT_0,
+ CA_CERT_1,
+ NULL,
+};
+
+static const char *missing_middle_single_duplicate_ca_unrelated_insert[] = {
+ CA_CERT_0,
+ NULL,
+};
+
static struct chains {
const char *name;
const char **chain;
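Review bot: `missing_middle_single_duplicate_ca_unrelated_insert` has the same contents as `missing_ca` (`CA_CERT_0`, `NULL`), and none of the new arrays says which scenario it models, so the intent of the "insert unrelated" case has to be inferred from the table further down. A one-line comment per array would make the cases reviewable, e.g. `/* every certificate presented twice; CA_CERT_3 left out of the chain */` above `missing_middle_single_duplicate` and `/* CA_CERT_0 interleaved between the intermediates */` above `middle_single_duplicate_ca`. If the duplicate of `missing_ca` is intentional, a comment saying why a separate array is kept would avoid someone merging them later.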
@@ -377,6 +468,14 @@ static struct chains {
{ "skip multiple unsorted", missing_skip_multiple_unsorted, missing_skip_multiple_insert, missing_ca, 0, 0 },
{ "unrelated", missing_middle_single, missing_middle_unrelated_insert, missing_ca, 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND },
{ "unrelated extra", missing_middle_single, missing_middle_unrelated_extra_insert, missing_ca, 0, 0 },
+ { "middle single duplicate", missing_middle_single_duplicate, missing_middle_single_insert, missing_ca, 0, 0 },
+ { "middle multiple duplicate", missing_middle_multiple_duplicate, missing_middle_multiple_insert, missing_ca, 0, 0 },
+ { "last single duplicate", missing_last_single_duplicate, missing_last_single_insert, missing_ca, 0, 0 },
+ { "last multiple duplicate", missing_last_multiple_duplicate, missing_last_multiple_insert, missing_ca, 0, 0 },
+ { "skip single duplicate", missing_skip_single_duplicate, missing_skip_single_insert, missing_ca, 0, 0 },
+ { "skip multiple duplicate", missing_skip_multiple_duplicate, missing_skip_multiple_insert, missing_ca, 0, 0 },
+ { "middle single duplicate ca", middle_single_duplicate_ca, missing_middle_single_insert, missing_ca, 0, 0 },
+ { "middle single duplicate ca - insert unrelated", middle_single_duplicate_ca, missing_middle_single_duplicate_ca_unrelated_insert, missing_ca, 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND },
{ NULL, NULL, NULL, NULL },
};
diff --git a/tests/testpkcs11.sh b/tests/testpkcs11.sh
index 38b9585bc0..09a6274776 100755
--- a/tests/testpkcs11.sh
+++ b/tests/testpkcs11.sh
@@ -67,6 +67,8 @@ have_ed25519=0
P11TOOL="${VALGRIND} ${P11TOOL} --batch"
SERV="${SERV} -q"
+TESTDATE=2020-12-01
+
. ${srcdir}/scripts/common.sh
rm -f "${LOGFILE}"
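Review bot: `TESTDATE=2020-12-01` is added without saying what the date is pinned against, so the next person to regenerate the test certificates has no hint that this value must move with them. Presumably it has to fall inside the validity period of the certificates used by the PKCS #11 tests; if so, a comment such as `# Fixed clock for datefudge; must lie within the validity period of the certificates under testpkcs11-certs/` directly above the assignment would record that.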
@@ -79,6 +81,8 @@ exit_error () {
exit 1
}
+skip_if_no_datefudge
+
# $1: token
# $2: PIN
# $3: filename
@@ -523,6 +527,7 @@ write_certificate_test () {
pubkey="$5"
echo -n "* Generating client certificate... "
+ datefudge -s "$TESTDATE" \
"${CERTTOOL}" ${CERTTOOL_PARAM} ${ADDITIONAL_PARAM} --generate-certificate --load-ca-privkey "${cakey}" --load-ca-certificate "${cacert}" \
--template ${srcdir}/testpkcs11-certs/client-tmpl --load-privkey "${token};object=gnutls-client;object-type=private" \
--load-pubkey "$pubkey" --outfile tmp-client.crt >>"${LOGFILE}" 2>&1
@@ -900,7 +905,9 @@ use_certificate_test () {
echo -n "* Using PKCS #11 with gnutls-cli (${txt})... "
# start server
eval "${GETPORT}"
- launch_server ${ADDITIONAL_PARAM} --echo --priority NORMAL --x509certfile="${certfile}" \
+ launch_bare_server datefudge -s "$TESTDATE" \
+ $VALGRIND $SERV $DEBUG -p "$PORT" \
+ ${ADDITIONAL_PARAM} --debug 10 --echo --priority NORMAL --x509certfile="${certfile}" \
--x509keyfile="$keyfile" --x509cafile="${cafile}" \
--verify-client-cert --require-client-cert >>"${LOGFILE}" 2>&1
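Review bot: The rewritten server invocation hard-codes `--debug 10` next to `$DEBUG`, which looks like a leftover from debugging the test rather than something the check depends on. At that level the server's handshake trace is appended to `${LOGFILE}` on every run, which bloats CI logs and may record more session detail than the test needs. Unless it is required, drop it so verbosity stays under the caller's control: `${ADDITIONAL_PARAM} --echo --priority NORMAL --x509certfile="${certfile}" \`. `use_certificate_test` starts and ends outside this hunk.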
@@ -908,13 +915,16 @@ use_certificate_test () {
wait_server ${PID}
# connect to server using SC
+ datefudge -s "$TESTDATE" \
${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1 && \
fail ${PID} "Connection should have failed!"
+ datefudge -s "$TESTDATE" \
${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${certfile}" \
--x509keyfile="$keyfile" --x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1 || \
fail ${PID} "Connection (with files) should have succeeded!"
+ datefudge -s "$TESTDATE" \
${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${token};object=gnutls-client;object-type=cert" \
--x509keyfile="${token};object=gnutls-client;object-type=private" \
--x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1 || \
diff --git a/tests/tls13/hello_retry_request_resume.c b/tests/tls13/hello_retry_request_resume.c
new file mode 100644
index 0000000000..6672bc7a9c
--- /dev/null
+++ b/tests/tls13/hello_retry_request_resume.c
@@ -0,0 +1,318 @@
+/*
+ * Copyright (C) 2017-2020 Red Hat, Inc.
+ *
+ * Author: Nikos Mavrogiannopoulos, Daiki Ueno
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#if defined(_WIN32)
+
+int main()
+{
+ exit(77);
+}
+
+#else
+
+#include <string.h>
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <sys/socket.h>
+#include <sys/wait.h>
+#include <arpa/inet.h>
+#include <unistd.h>
+#include <gnutls/gnutls.h>
+#include <signal.h>
+#include <assert.h>
+
+#include "../lib/handshake-defs.h"
+#include "cert-common.h"
+#include "utils.h"
+
+/* This program tests whether the certificate seen in Post Handshake Auth
+ * is found in a resumed session under TLS 1.3.
+ */
+
+static void server_log_func(int level, const char *str)
+{
+ fprintf(stderr, "server|<%d>| %s", level, str);
+}
+
+static void client_log_func(int level, const char *str)
+{
+ fprintf(stderr, "client|<%d>| %s", level, str);
+}
+
+static int ticket_callback(gnutls_session_t session, unsigned int htype,
+ unsigned post, unsigned int incoming, const gnutls_datum_t *msg)
+{
+ gnutls_datum *d;
+ int ret;
+
+ assert(htype == GNUTLS_HANDSHAKE_NEW_SESSION_TICKET);
+
+ d = gnutls_session_get_ptr(session);
+
+ if (post == GNUTLS_HOOK_POST) {
+ if (d->data)
+ gnutls_free(d->data);
+ ret = gnutls_session_get_data2(session, d);
+ assert(ret >= 0);
+ assert(d->size > 4);
+
+ return 0;
+ }
+
+ return 0;
+}
+
+static void client(int fd)
+{
+ int ret;
+ gnutls_session_t session;
+ unsigned try = 0;
+ gnutls_datum_t session_data = {NULL, 0};
+ gnutls_certificate_credentials_t x509_cred;
+
+ global_init();
+
+ if (debug) {
+ gnutls_global_set_log_function(client_log_func);
+ gnutls_global_set_log_level(7);
+ }
+
+ assert(gnutls_certificate_allocate_credentials(&x509_cred)>=0);
+
+ retry:
+ /* Initialize TLS session
+ */
+ assert(gnutls_init(&session, GNUTLS_CLIENT)>=0);
+
+ gnutls_handshake_set_timeout(session, 20 * 1000);
+
+ ret = gnutls_priority_set_direct(session, "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-SECP256R1:+GROUP-X25519", NULL);
+ if (ret < 0)
+ fail("cannot set TLS 1.3 priorities\n");
+
+
+ if (try == 0) {
+ gnutls_session_set_ptr(session, &session_data);
+ gnutls_handshake_set_hook_function(session, GNUTLS_HANDSHAKE_NEW_SESSION_TICKET,
+ GNUTLS_HOOK_BOTH,
+ ticket_callback);
+ } else {
+ assert(gnutls_session_set_data(session, session_data.data, session_data.size) >= 0);
+ }
+
+ gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
+
+ gnutls_transport_set_int(session, fd);
+
+ /* Perform the TLS handshake
+ */
+ do {
+ ret = gnutls_handshake(session);
+ }
+ while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
+
+ if (ret != 0)
+ fail("handshake failed: %s\n", gnutls_strerror(ret));
+
+ do {
+ ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);
+ } while(ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
+
+ if (ret != 0) {
+ fail("error in recv: %s\n", gnutls_strerror(ret));
+ }
+
+ gnutls_deinit(session);
+
+ if (try == 0) {
+ try++;
+ goto retry;
+ }
+
+ gnutls_free(session_data.data);
+ close(fd);
+ gnutls_certificate_free_credentials(x509_cred);
+
+ gnutls_global_deinit();
+}
+
+#define HANDSHAKE_SESSION_ID_POS 34
+
+static int client_hello_callback(gnutls_session_t session, unsigned int htype,
+ unsigned post, unsigned int incoming,
+ const gnutls_datum_t *msg)
+{
+ gnutls_datum *d;
+
+ assert(post == GNUTLS_HOOK_POST);
+ assert(msg->size >= HANDSHAKE_SESSION_ID_POS + 1);
+
+ d = gnutls_session_get_ptr(session);
+ d->size = msg->data[HANDSHAKE_SESSION_ID_POS];
+ d->data = gnutls_malloc(d->size);
+ memcpy(d->data, &msg->data[HANDSHAKE_SESSION_ID_POS], d->size);
+
+ return 0;
+}
+
+static void server(int fd)
+{
+ int ret;
+ gnutls_session_t session;
+ unsigned try = 0;
+ gnutls_certificate_credentials_t x509_cred;
+ gnutls_datum_t skey;
+ gnutls_datum_t session_id = {NULL, 0};
+ gnutls_datum_t retry_session_id = {NULL, 0};
+
+ /* this must be called once in the program
+ */
+ global_init();
+
+ assert(gnutls_session_ticket_key_generate(&skey)>=0);
+
+ if (debug) {
+ gnutls_global_set_log_function(server_log_func);
+ gnutls_global_set_log_level(4711);
+ }
+
+ gnutls_certificate_allocate_credentials(&x509_cred);
+ gnutls_certificate_set_x509_key_mem(x509_cred, &server_cert,
+ &server_key,
+ GNUTLS_X509_FMT_PEM);
+
+ retry:
+ assert(gnutls_init(&session, GNUTLS_SERVER)>=0);
+
+ assert(gnutls_session_ticket_enable_server(session, &skey) >= 0);
+ gnutls_handshake_set_timeout(session, 20 * 1000);
+
+ /* server only supports x25519, client advertises secp256r1 */
+ assert(gnutls_priority_set_direct(session, "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-X25519", NULL)>=0);
+
+ gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
+
+ gnutls_transport_set_int(session, fd);
+
+ if (try == 0) {
+ gnutls_session_set_ptr(session, &session_id);
+ } else {
+ gnutls_session_set_ptr(session, &retry_session_id);
+ }
+
+ gnutls_handshake_set_hook_function(session, GNUTLS_HANDSHAKE_CLIENT_HELLO,
+ GNUTLS_HOOK_POST,
+ client_hello_callback);
+
+ do {
+ ret = gnutls_handshake(session);
+ } while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
+
+ if (ret != 0)
+ fail("handshake failed: %s\n", gnutls_strerror(ret));
+
+ if (try > 0) {
+ assert(gnutls_session_is_resumed(session) != 0);
+
+ /* Check that the same (non-empty) session ID is used in both
+ * initial and resumption handshakes. This assumes
+ * TLS13_APPENDIX_D4 is set to 1 in lib/handshake-defs.h. Once
+ * it's turned off, both session IDs should be empty. */
+ if (session_id.size == 0 ||
+ session_id.size != retry_session_id.size ||
+ memcmp(session_id.data, retry_session_id.data, session_id.size)) {
+ fail("session ids are different after resumption: %u, %u\n",
+ session_id.size, retry_session_id.size);
+ }
+ }
+
+ do {
+ ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);
+ } while(ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
+ gnutls_deinit(session);
+
+ if (try == 0) {
+ try++;
+ goto retry;
+ }
+
+ gnutls_free(skey.data);
+ close(fd);
+ gnutls_certificate_free_credentials(x509_cred);
+ gnutls_free(session_id.data);
+ gnutls_free(retry_session_id.data);
+
+ gnutls_global_deinit();
+
+ if (debug)
+ success("server: client/server hello were verified\n");
+}
+
+static void ch_handler(int sig)
+{
+ int status = 0;
+ wait(&status);
+ check_wait_status(status);
+ return;
+}
+
+void doit(void)
+{
+ int fd[2];
+ int ret;
+ pid_t child;
+
+ signal(SIGCHLD, ch_handler);
+ signal(SIGPIPE, SIG_IGN);
+
+ ret = socketpair(AF_UNIX, SOCK_STREAM, 0, fd);
+ if (ret < 0) {
+ perror("socketpair");
+ exit(1);
+ }
+
+ child = fork();
+ if (child < 0) {
+ perror("fork");
+ fail("fork");
+ exit(1);
+ }
+
+ if (child) {
+ /* parent */
+ close(fd[1]);
+ server(fd[0]);
+ kill(child, SIGTERM);
+ } else {
+ close(fd[0]);
+ client(fd[1]);
+ exit(0);
+ }
+
+}
+#endif /* _WIN32 */
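Review bot: In `client_hello_callback` the session-ID length byte is taken from the received ClientHello and used as the `memcpy` size without being checked against `msg->size`; the only assertion covers the length byte itself, so a truncated message would be read past its end. The copy also starts at `HANDSHAKE_SESSION_ID_POS`, which is the length byte, so the last byte of the ID is never part of the comparison in `server()`. `gnutls_malloc` is unchecked, and if the hook fires for both the initial and the post-HelloRetryRequest ClientHello (likely, since the server is configured to force a retry) the first buffer is leaked. Separately, the file comment still describes a Post Handshake Auth test, although this file checks session-ID consistency across HRR and resumption.

```c
static int client_hello_callback(gnutls_session_t session, unsigned int htype,
	/* ... unchanged: remaining parameters, assert on post and on the length byte ... */
	unsigned id_len;

	/* the length byte comes from the peer: bound it before copying */
	id_len = msg->data[HANDSHAKE_SESSION_ID_POS];
	assert(msg->size >= HANDSHAKE_SESSION_ID_POS + 1 + id_len);

	d = gnutls_session_get_ptr(session);
	gnutls_free(d->data);	/* release the copy from an earlier ClientHello */
	d->data = NULL;
	d->size = id_len;
	if (id_len > 0) {
		d->data = gnutls_malloc(id_len);
		assert(d->data != NULL);
		/* skip the length byte; copy the ID itself */
		memcpy(d->data, &msg->data[HANDSHAKE_SESSION_ID_POS + 1], id_len);
	}
	/* ... unchanged: return 0 ... */
```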
diff --git a/tests/tls13/prf-early.c b/tests/tls13/prf-early.c
index bc3196248f..51dd7a3f76 100644
--- a/tests/tls13/prf-early.c
+++ b/tests/tls13/prf-early.c
@@ -123,10 +123,10 @@ static void dump(const char *name, const uint8_t *data, unsigned data_size)
} \
}
-#define KEY_EXP_VALUE "\xc1\x6b\x6c\xb9\x88\x33\xd5\x28\x80\xec\x27\x87\xa2\x6f\x4b\xd0\x01\x5e\x7f\xca\xd7\xd4\x8a\x3f\xe2\x48\x92\xef\x02\x14\xfb\x81\x90\x04"
-#define HELLO_VALUE "\x2a\x73\xd9\x74\x04\x4e\x0a\x5f\x41\x8a\x09\xcb\x45\x33\x1a\xec\xd3\xfc\xdc\x1b\x2c\x67\x26\xe4\x9c\xfe\x1f\xa5\x74\xf1\x4f"
-#define CONTEXT_VALUE "\x87\xf6\x88\xe3\xd7\xf2\x05\xbc\xa4\x10\xa3\x48\x9f\xf5\xcf\x97\x06\x22\x4e\xfd\x18\x32\x52\x1d\xbd\x26\xf5\x5b\x21\x20\xec"
-#define NULL_CONTEXT_VALUE "\xf9\xca\xfe\x45\x44\x96\xdb\xc5\x41\x8f\x7e\x8e\xd7\xb0\x7d\x19\x45\xaf\x09\xbc\x1e\x82\x94\xac\x55\xe5\xb9\xb4\x3b\xe8\xc0"
+#define KEY_EXP_VALUE "\x7f\x9a\x62\x64\x5e\x90\xa4\x19\x6f\xbf\x7b\x4e\x98\x63\x29\xb0\x46\xa2\x2a\x47\x94\x6a\x78\xdc\x6e\xea\x90\x13\x9d\xd4\xd1\x20\x02\x04"
+#define HELLO_VALUE "\x38\x40\x8c\x0d\x53\xe5\xd2\xe8\x66\xb4\x46\xce\x32\x85\xd5\x02\x3a\x4f\x81\x3c\x9e\x1b\x4a\x53\x73\x22\xad\xf2\x11\xc6\x45"
+#define CONTEXT_VALUE "\xf6\x95\x60\x0d\x51\x9e\x1a\x40\xb2\x9e\xb0\x48\x55\xfe\x64\xf8\xa0\x26\x31\xd8\xb1\x66\xf3\x10\x62\x32\x26\x52\x9e\x63\x49"
+#define NULL_CONTEXT_VALUE "\xb1\x80\x8c\xb3\xc2\xa9\x06\x88\xb7\xc2\xed\xd4\x5f\x1c\xad\x0b\xb2\x1f\xa9\xe2\xc6\x37\xd3\x52\x73\x1b\xf5\x3b\x92\x61\x08"
static int handshake_callback_called;
diff --git a/tests/tls13/prf.c b/tests/tls13/prf.c
index c9c9f80b7b..e03544a042 100644
--- a/tests/tls13/prf.c
+++ b/tests/tls13/prf.c
@@ -130,10 +130,10 @@ static void dump(const char *name, const uint8_t *data, unsigned data_size)
} \
}
-#define KEY_EXP_VALUE "\xec\x26\x9e\x8c\x5f\xff\x5c\xb2\x60\x4f\x82\xe7\x6b\xb9\x70\x40\xb9\x2d\x2f\xe7\x41\xa8\xe7\xfa\x03\x7c\xe8\x6d\xfa\xda\xc2\xa9\x3f\x58"
-#define HELLO_VALUE "\xd4\x74\x4a\x09\x28\x0a\x99\xb9\xa4\x5b\x51\x5b\x80\xe7\x50\x1c\x16\xca\x57\x78\xf0\xe5\xa1\x94\x6b\x20\x2b\x14\xff\x2b\x53"
-#define CONTEXT_VALUE "\x8d\xde\xea\x58\xab\x90\xaf\x6c\x5c\x7a\x69\xbf\x8a\xd2\x16\xb4\x0f\x75\xb8\x63\xdb\x86\xe7\x66\x04\x59\xac\x57\xe0\x03\x37"
-#define NULL_CONTEXT_VALUE "\x6c\x1a\x10\x1f\xa9\x5a\xfd\xcd\xf4\xcf\x27\x09\x00\xa8\xca\x8e\x8a\x56\xfb\x80\xf0\x0d\xb3\xa6\xe9\x4a\x5f\xe0\x0c\x31\xd9"
+#define KEY_EXP_VALUE "\x28\x70\xa8\x34\xd4\x43\x85\xfd\x55\xe0\x13\x78\x75\xa3\x25\xa7\xfd\x0b\x6b\x68\x5d\x62\x72\x02\xdf\x3d\x79\xca\x55\xab\xea\x24\xf3\x4d"
+#define HELLO_VALUE "\xd8\xcb\x72\x1e\x24\x2d\x79\x11\x41\x38\x05\x2b\x1b\x5d\x60\x12\x30\x0a\xf7\x1e\x23\x90\x4d\x64\xf8\xf5\x23\xea\xbf\xa3\x24"
+#define CONTEXT_VALUE "\xe6\xc0\x57\xbe\xda\x28\x9c\xc7\xf6\x4f\xb6\x18\x92\xce\x10\xf6\xe1\x5e\xab\x10\xc8\xd1\x94\xf8\xac\xc7\x3e\x93\xde\x57\x12"
+#define NULL_CONTEXT_VALUE "\xaf\xea\xd2\x64\xc9\x42\xbd\xe7\xdb\xf0\xd3\x16\x84\x39\xf3\xdb\x5d\x4f\x0e\x5e\x71\x1e\xc0\xd7\x23\xde\x8b\x1e\x80\xa1\xca"
static void check_prfs(gnutls_session_t session)
{
unsigned char key_material[512];
diff --git a/tests/tlsext-decoding.c b/tests/tlsext-decoding.c
index 1a36c669f0..a397ee55fb 100644
--- a/tests/tlsext-decoding.c
+++ b/tests/tlsext-decoding.c
@@ -70,7 +70,7 @@ static void client_log_func(int level, const char *str)
}
#define RECORD_PAYLOAD_POS 5
-#define HANDSHAKE_CS_POS (39)
+#define HANDSHAKE_ID_POS (38)
static ssize_t odd_push(gnutls_transport_ptr_t tr, const void *data, size_t len)
{
uint8_t *d = (void*)data;
@@ -79,15 +79,21 @@ static ssize_t odd_push(gnutls_transport_ptr_t tr, const void *data, size_t len)
int pos;
if (d[0] == 22 && d[5] == GNUTLS_HANDSHAKE_CLIENT_HELLO) {
+ uint8_t isize;
+
+ /* skip session ID (this can be non-empty in TLS 1.3) */
+ isize = d[RECORD_PAYLOAD_POS+HANDSHAKE_ID_POS];
+ isize += 1;
+
/* skip ciphersuites */
- csize = d[RECORD_PAYLOAD_POS+HANDSHAKE_CS_POS+1] + (d[RECORD_PAYLOAD_POS+HANDSHAKE_CS_POS] << 8);
+ csize = d[RECORD_PAYLOAD_POS+HANDSHAKE_ID_POS+isize+1] + (d[RECORD_PAYLOAD_POS+HANDSHAKE_ID_POS+isize] << 8);
csize += 2;
/* skip compression methods */
- osize = d[RECORD_PAYLOAD_POS+HANDSHAKE_CS_POS+csize];
+ osize = d[RECORD_PAYLOAD_POS+HANDSHAKE_ID_POS+isize+csize];
osize += 1;
- pos = RECORD_PAYLOAD_POS+HANDSHAKE_CS_POS+csize+osize;
+ pos = RECORD_PAYLOAD_POS+HANDSHAKE_ID_POS+isize+csize+osize;
if (reduce) {
if (d[pos+1] != 0x00) {
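Review bot: In `odd_push`, the new `isize` is a `uint8_t` read straight from the session-ID length byte, so `isize += 1` wraps to 0 if that byte is 0xff. None of the offsets built from `isize`, `csize` and `osize` are compared with `len` before `d[...]` is indexed. A well-formed ClientHello never carries a session ID longer than 32 bytes, so this only matters if the helper sees a truncated or unexpected record, but then it reads past the buffer instead of failing cleanly. Declaring it as `unsigned isize;` and adding a guard before the `d[pos+1]` read, for example `if ((size_t)pos + 1 >= len) return -1;`, would keep the parse bounded. The body of `odd_push` continues outside this hunk, so later reads of `d[pos+…]` may need the same check.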
diff --git a/tests/tpmtool_test.sh b/tests/tpmtool_test.sh
index eba502612a..77fe17e593 100755
--- a/tests/tpmtool_test.sh
+++ b/tests/tpmtool_test.sh
@@ -138,6 +138,7 @@ start_tcsd()
local tcsd_conf=$workdir/tcsd.conf
local tcsd_system_ps_file=$workdir/system_ps_file
local tcsd_pidfile=$workdir/tcsd.pid
+ local owner
start_swtpm "$workdir"
[ $? -ne 0 ] && return 1
@@ -146,20 +147,36 @@ start_tcsd()
port = $TCSD_LISTEN_PORT
system_ps_file = $tcsd_system_ps_file
_EOF_
+ # older versions of trousers require tss:tss ownership of the
+ # config file, later ones root:tss
+ for owner in tss root; do
+ if [ "$owner" = "tss" ]; then
+ chmod 0600 $tcsd_conf
+ else
+ chmod 0640 $tcsd_conf
+ fi
+ chown $owner:tss $tcsd_conf
- chown tss:tss $tcsd_conf
- chmod 0600 $tcsd_conf
+ bash -c "TCSD_USE_TCP_DEVICE=1 TCSD_TCP_DEVICE_PORT=$SWTPM_SERVER_PORT tcsd -c $tcsd_conf -e -f &>/dev/null & echo \$! > $tcsd_pidfile; wait" &
+ BASH_PID=$!
- bash -c "TCSD_USE_TCP_DEVICE=1 TCSD_TCP_DEVICE_PORT=$SWTPM_SERVER_PORT tcsd -c $tcsd_conf -e -f &>/dev/null & echo \$! > $tcsd_pidfile; wait" &
- BASH_PID=$!
+ if wait_for_file $tcsd_pidfile 3; then
+ echo "Could not get TCSD's PID file"
+ return 1
+ fi
- if wait_for_file $tcsd_pidfile 3; then
- echo "Could not get TCSD's PID file"
- return 1
- fi
+ sleep 0.5
+ TCSD_PID=$(cat $tcsd_pidfile)
+ kill -0 "${TCSD_PID}"
+ if [ $? -ne 0 ]; then
+ # Try again with other owner
+ continue
+ fi
+ return 0
+ done
- TCSD_PID=$(cat $tcsd_pidfile)
- return 0
+ echo "TCSD could not be started"
+ return 1
}
stop_tcsd()
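Review bot: On the second pass of the `for owner in tss root` loop in `start_tcsd`, the pidfile written by the failed first attempt is still on disk. The `wait_for_file $tcsd_pidfile 3` check can therefore be satisfied by the stale file, and `cat` may return the dead tcsd's PID, leaving only `sleep 0.5` to cover the race. Starting each iteration with `rm -f "$tcsd_pidfile"` makes every attempt begin clean. The new `chmod`/`chown` lines also expand `$tcsd_conf` unquoted, as does the `bash -c` string, so a work directory containing whitespace or shell metacharacters would be split or reinterpreted; `chmod 0640 "$tcsd_conf"` and `chown "$owner:tss" "$tcsd_conf"` are the minimal fix. The final `echo "TCSD could not be started"` would be better sent to stderr with `>&2`.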