From c5a251d31cd987edd02cce142dac9665f5034d3b Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Sun, 8 Apr 2018 18:38:47 +0200 Subject: tests: added interop tests with openssl under TLS1.3 This adds interoperability tests for: * PSK with elliptic curve DHE * RSA,RSA-PSS,secp256r1,ed25519 server certificate * RSA,RSA-PSS,secp256r1,ed25519 client certificate * X25519,SECP256R1 key share exchange * key share with HRR Relates #328 Signed-off-by: Nikos Mavrogiannopoulos --- .gitlab-ci.yml | 24 ++ devel/openssl | 2 +- doc/credentials/psk-passwd.txt | 1 + doc/credentials/x509/cert-ed25519.pem | 15 ++ doc/credentials/x509/clicert-ed25519.pem | 15 ++ doc/credentials/x509/clicert-rsa-pss.pem | 20 ++ doc/credentials/x509/clikey-ed25519.pem | 25 ++ doc/credentials/x509/clikey-rsa-pss.pem | 139 +++++++++++ doc/credentials/x509/key-ed25519.pem | 25 ++ tests/suite/Makefile.am | 11 +- tests/suite/testcompat-common | 27 ++- tests/suite/testcompat-tls13-openssl.sh | 382 +++++++++++++++++++++++++++++++ 12 files changed, 678 insertions(+), 8 deletions(-) create mode 100644 doc/credentials/x509/cert-ed25519.pem create mode 100644 doc/credentials/x509/clicert-ed25519.pem create mode 100644 doc/credentials/x509/clicert-rsa-pss.pem create mode 100644 doc/credentials/x509/clikey-ed25519.pem create mode 100644 doc/credentials/x509/clikey-rsa-pss.pem create mode 100644 doc/credentials/x509/key-ed25519.pem create mode 100755 tests/suite/testcompat-tls13-openssl.sh diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index cbfd269121..b32f3f1cbc 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -130,6 +130,30 @@ no-SSL-3.0.Fedora.x86_64: - build/tests/*/*.log - build/tests/suite/*/*.log +TLS1.3/interop: + stage: stage1-testing + image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD + script: + - git submodule update --init --no-fetch + - make autoreconf + - dash ./configure --disable-gcc-warnings --cache-file ./cache/config.cache --disable-ssl3-support --disable-ssl2-support --disable-full-test-suite --enable-seccomp-tests --disable-doc --disable-guile && + make -j$(nproc) + - cd devel/openssl && ./config enable-tls1_3 && make -j$(nproc) && cd ../.. + - make -C tests/suite TESTS=testcompat-tls13-openssl.sh check + tags: + - shared + except: + - tags + artifacts: + expire_in: 1 week + when: on_failure + paths: + - build/guile/tests/*.log + - build/tests/*.log + - build/*.log + - build/tests/*/*.log + - build/tests/suite/*/*.log + FIPS140-2.Fedora.x86_64: stage: stage1-testing image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD diff --git a/devel/openssl b/devel/openssl index 6b02b586c3..25642ad29e 160000 --- a/devel/openssl +++ b/devel/openssl @@ -1 +1 @@ -Subproject commit 6b02b586c35359e338cfa151341e49aeb01590d0 +Subproject commit 25642ad29e6a2c15c10ceb5e4f029638f73a879e diff --git a/doc/credentials/psk-passwd.txt b/doc/credentials/psk-passwd.txt index 81b63011e8..8ebe849d35 100644 --- a/doc/credentials/psk-passwd.txt +++ b/doc/credentials/psk-passwd.txt @@ -1,2 +1,3 @@ jas:9e32cf7786321a828ef7668f09fb35db test:8a7759b3f26983c453e448060bde8981 +test32:8a7759b3f26983c453e448060bde89818a7759b3f26983c453e448060bde8981 diff --git a/doc/credentials/x509/cert-ed25519.pem b/doc/credentials/x509/cert-ed25519.pem new file mode 100644 index 0000000000..4e82cdcba9 --- /dev/null +++ b/doc/credentials/x509/cert-ed25519.pem @@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICZzCCAR+gAwIBAgIIWtnbDCIn9iYwDQYJKoZIhvcNAQELBQAwGTEXMBUGA1UE +AxMOR251VExTIFRlc3QgQ0EwIBcNMTgwNDIwMTIyMDI5WhgPOTk5OTEyMzEyMzU5 +NTlaMAAwKjAFBgMrZXADIQDzBfvpcyyM38gl9L9AeyyGm2Vmf3Xj1vR3sSG1t7WJ +h6OBkzCBkDAMBgNVHRMBAf8EAjAAMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAA +ATATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8BAf8EBQMDB4AAMB0GA1UdDgQW +BBTjUkpznRi86b98TXHIvGYiiqs8qjAfBgNVHSMEGDAWgBRNVrdqAFjxZ5L0pnVV +G45TAQPvzzANBgkqhkiG9w0BAQsFAAOCATEAkltD//26CvEfkpjCu+2Ol8hbg6/U +1saz3vyBx+5QAaaAu8bTxj2b1LmnSgmrGf/N1JmEA2QDb3Cal8lXlVgt02MIXyAk +SvUMyc5HiOWe6Km0+LW3pb2m+ADDDlHIWQ+j/3ot3DHClXwfqVT+QUnDgvLLKUWk +vKGsAHIzIMbuRzA+Pqdkrx57cGlLdgw52PhKEYfalOEPSgxZNrYDW1cMO/0ls4+d +WWKypJy+XE5svImmO2Zh9QvSeYQMewJXv94vYjhcH0dVZ2aFywdb62wtwEUR4JnP +0FwJOCEJiY4cKBR0IyRBKl56ZKPYn8Gjxl3snwhdTsTzw0aY6TrjnZL3u3W1SSwK +mtJv2hGr9szpuS0UiY+pZgYQdwY8vNVMVhsKxevyY8nllPAl6OMJM0fc/A== +-----END CERTIFICATE----- diff --git a/doc/credentials/x509/clicert-ed25519.pem b/doc/credentials/x509/clicert-ed25519.pem new file mode 100644 index 0000000000..9eec2effcf --- /dev/null +++ b/doc/credentials/x509/clicert-ed25519.pem @@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICYjCCARqgAwIBAgIIWtncvB3mnBcwDQYJKoZIhvcNAQELBQAwGTEXMBUGA1UE +AxMOR251VExTIFRlc3QgQ0EwIBcNMTgwNDIwMTIyNzQxWhgPOTk5OTEyMzEyMzU5 +NTlaMBkxFzAVBgNVBAMTDmVkMjU1MTkgY2xpZW50MCowBQYDK2VwAyEAt+PcuzkT +FosMmInrJTIh3lNYNGKvmeXYGanDrmPiqRGjdjB0MAwGA1UdEwEB/wQCMAAwEwYD +VR0lBAwwCgYIKwYBBQUHAwIwDwYDVR0PAQH/BAUDAweAADAdBgNVHQ4EFgQU5RHy +9vhAqVaB91nr7aHKyxW4984wHwYDVR0jBBgwFoAUTVa3agBY8WeS9KZ1VRuOUwED +788wDQYJKoZIhvcNAQELBQADggExAI8l0gXW5nUG3ykmvxvLlLkx2j3bMAuAG2jn +6CtmWBLFSoEYlCWlUWbrvK2GRZSFc5HGvhH/+GbM4ietrfmW+Xfgy2fDBp2pH4xh +iZgceDkCF9NI02+tyi/i+0iZxrobcfKoI2oK+WZ658+aM+IHVsLIIn5rs62sv5i3 +ak2ZBOHHYUzyszbzBz28eh169skl+pFd2RtySv+TwfX1m9e7jwiuXhFNtaegZvXa +yfiV3htHkVLf6eZiOSIAqni1cgStSc65kS3vswHxfSJkajYhQaAqSxaBv+/zbiJc +Le9sqsJGlWsXya2XL4bFhmct+pQ51F/oJ9iMmheZPWkYvRxznBcSBmLNCmg+LSX7 +NCsTPJ+wTg5jdK/1vIu1lV3pK3xj9DmuVyy+E8f+b2Kg7AuWYpI= +-----END CERTIFICATE----- diff --git a/doc/credentials/x509/clicert-rsa-pss.pem b/doc/credentials/x509/clicert-rsa-pss.pem new file mode 100644 index 0000000000..de2d3a6a51 --- /dev/null +++ b/doc/credentials/x509/clicert-rsa-pss.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDUjCCAgqgAwIBAgIIWtncgib1CYYwDQYJKoZIhvcNAQELBQAwGTEXMBUGA1UE +AxMOR251VExTIFRlc3QgQ0EwIBcNMTgwNDIwMTIyNjQzWhgPOTk5OTEyMzEyMzU5 +NTlaMBExDzANBgNVBAMTBmNsaWVudDCCASAwCwYJKoZIhvcNAQEKA4IBDwAwggEK +AoIBAQCzjpTr0Kg/EjW9yVmSrCOlQ2R2s4RTnDsedZddp1JAc3Smjoe2M7ZD16LF +nu21VhLC3V7joX7xCeO4c719DD5naYNB9JKeepmZiBkPpuY4faDH2VSTkcQQOVBc +W48kcY4yglvVSpj/NtW5i+EYp4zJTo0e7xZMNIl5XjzgeRTcL65Ni5A3brmLKVop +T+Q3mn/UHDGN42T9pyba8vMCzP6EJ1oFK9ZZE5mvICXIAtx2fUqNv0BtdLRDcZNO +AgcN5uhvvZgDNIBxe25adUGZE5FIVbHnpzjB8r/3Xzev6eniANDhXmN/eyhHTE7E +VRGKQGLp8Bgjf+mc4cwNVdVUIuk5AgMBAAGjdjB0MAwGA1UdEwEB/wQCMAAwEwYD +VR0lBAwwCgYIKwYBBQUHAwIwDwYDVR0PAQH/BAUDAweAADAdBgNVHQ4EFgQUn90q +PpdDpwr6eLHYKX48ls2+Lm4wHwYDVR0jBBgwFoAUTVa3agBY8WeS9KZ1VRuOUwED +788wDQYJKoZIhvcNAQELBQADggExAJCDSEb3/qGFjS/OGiWtoVu+vwyQCfK4t/V5 +L25nPOHHZX3FuyKKomHqF+T+ueZt6fRxQ3uGyUie0MfIUcRP17hAtAsrzV+34uvP +05bmvOmKIvOeyWVfkqtuD2pXnzJXSfr3pcs6LwUyZIJedMCMVfL3T2C9YFQ/GmPk +O3pIK0SN+TkBRnBDbg5emiDCtqzgMnhjMN+dG0jpqt0+e1579QxRruLunbBX/4Xu +AgauWUskaJxqQsbomKFy1mLUgteDytykaEBhQdJwEPSH8USqWBxvV8p+VsE5Mrvu +bwHyP9dV4e6aZaAs25zWIJFOJCR2a2gbdoZvTufIRpj9IDBipQFVLYsrvDPQbehE +A8+7mm0NIzK8YCFEPEMSS7R/J0u/2ic57ePxWBGf/Elh6kOk2xc= +-----END CERTIFICATE----- diff --git a/doc/credentials/x509/clikey-ed25519.pem b/doc/credentials/x509/clikey-ed25519.pem new file mode 100644 index 0000000000..40e1bc28dc --- /dev/null +++ b/doc/credentials/x509/clikey-ed25519.pem @@ -0,0 +1,25 @@ +Public Key Info: + Public Key Algorithm: EdDSA (Ed25519) + Key Security Level: High (256 bits) + +curve: Ed25519 +private key: + 83:a7:5b:8d:98:cc:ba:ef:ae:59:8e:ae:fe:6f:57:6c + 5d:1a:3c:21:86:bd:72:94:c9:9a:ae:0a:3b:bc:ac:36 + + +x: + b7:e3:dc:bb:39:13:16:8b:0c:98:89:eb:25:32:21:de + 53:58:34:62:af:99:e5:d8:19:a9:c3:ae:63:e2:a9:11 + + + +Public Key PIN: + pin-sha256:kL6CIOI8mjyxqGxH125s4iip1eA8AGbystEwB6Qop1o= +Public Key ID: + sha256:90be8220e23c9a3cb1a86c47d76e6ce228a9d5e03c0066f2b2d13007a428a75a + sha1:e511f2f6f840a95681f759ebeda1cacb15b8f7ce + +-----BEGIN PRIVATE KEY----- +MC4CAQAwBQYDK2VwBCIEIIOnW42YzLrvrlmOrv5vV2xdGjwhhr1ylMmargo7vKw2 +-----END PRIVATE KEY----- diff --git a/doc/credentials/x509/clikey-rsa-pss.pem b/doc/credentials/x509/clikey-rsa-pss.pem new file mode 100644 index 0000000000..e22878f40d --- /dev/null +++ b/doc/credentials/x509/clikey-rsa-pss.pem @@ -0,0 +1,139 @@ +Public Key Info: + Public Key Algorithm: RSA-PSS + Key Security Level: Medium (2048 bits) + +modulus: + 00:b3:8e:94:eb:d0:a8:3f:12:35:bd:c9:59:92:ac:23 + a5:43:64:76:b3:84:53:9c:3b:1e:75:97:5d:a7:52:40 + 73:74:a6:8e:87:b6:33:b6:43:d7:a2:c5:9e:ed:b5:56 + 12:c2:dd:5e:e3:a1:7e:f1:09:e3:b8:73:bd:7d:0c:3e + 67:69:83:41:f4:92:9e:7a:99:99:88:19:0f:a6:e6:38 + 7d:a0:c7:d9:54:93:91:c4:10:39:50:5c:5b:8f:24:71 + 8e:32:82:5b:d5:4a:98:ff:36:d5:b9:8b:e1:18:a7:8c + c9:4e:8d:1e:ef:16:4c:34:89:79:5e:3c:e0:79:14:dc + 2f:ae:4d:8b:90:37:6e:b9:8b:29:5a:29:4f:e4:37:9a + 7f:d4:1c:31:8d:e3:64:fd:a7:26:da:f2:f3:02:cc:fe + 84:27:5a:05:2b:d6:59:13:99:af:20:25:c8:02:dc:76 + 7d:4a:8d:bf:40:6d:74:b4:43:71:93:4e:02:07:0d:e6 + e8:6f:bd:98:03:34:80:71:7b:6e:5a:75:41:99:13:91 + 48:55:b1:e7:a7:38:c1:f2:bf:f7:5f:37:af:e9:e9:e2 + 00:d0:e1:5e:63:7f:7b:28:47:4c:4e:c4:55:11:8a:40 + 62:e9:f0:18:23:7f:e9:9c:e1:cc:0d:55:d5:54:22:e9 + 39: + +public exponent: + 01:00:01: + +private exponent: + 1a:c2:6a:11:46:d4:7c:29:d3:96:88:36:70:34:75:4f + 80:de:ad:0e:0d:ef:83:fe:0f:89:08:d8:ed:41:c5:d7 + 2f:10:4f:77:8c:40:e2:ad:f3:aa:0f:77:a3:07:7e:5f + 67:69:24:66:1a:40:57:dd:d8:71:39:d6:88:97:55:89 + 85:e1:08:e8:51:1d:8b:39:ee:f6:a8:7d:7b:ab:1d:ca + 23:37:05:7d:a4:4c:7a:02:cc:f7:db:fb:cd:36:6a:31 + fd:f7:0d:86:99:0a:7a:26:8a:ed:8f:1a:29:d9:76:92 + dd:c1:0c:56:27:65:8e:02:da:f2:9f:71:f8:b9:92:22 + cc:da:41:55:be:c8:3e:7d:1c:85:33:64:dd:92:14:0a + d9:a5:cb:a1:d7:2c:f1:d2:70:b2:a1:9b:7e:c5:5c:fd + 56:1e:46:3d:d3:bd:70:2f:8b:4d:ff:e3:e7:c1:a6:09 + bd:7e:47:07:52:ed:71:47:44:b5:30:fc:15:1c:5d:8f + 36:fd:bc:fa:c1:27:9c:97:ee:18:7a:50:80:83:d4:5c + a6:10:34:e1:c3:17:db:a0:99:41:bf:26:d8:34:4d:99 + 7a:30:af:b9:d7:d7:4d:f6:5f:8c:d6:c3:bc:a6:75:90 + 37:9b:d1:0c:3b:27:e6:3d:99:9f:53:9e:3f:a5:33:bd + + +prime1: + 00:e9:f6:a0:ca:5d:68:b5:b7:a4:46:17:7e:17:a5:57 + a7:06:a8:ae:f5:e8:ff:37:bf:6a:22:58:3c:8f:1e:6f + 09:d8:c0:85:1b:e6:ae:db:01:82:9a:fd:20:55:77:59 + fa:23:a4:49:95:1e:1f:b4:79:55:3e:8b:d0:6b:14:e4 + ae:7c:44:46:43:3c:2a:46:8f:d5:ae:c7:81:46:3d:cf + 42:af:ff:9d:a5:64:02:bc:de:eb:45:eb:07:e3:d7:01 + 1c:e3:8b:c5:86:24:0e:fa:22:7c:91:a5:3a:3d:0c:5f + f5:24:a7:44:37:4f:0b:42:b1:02:b6:5a:83:ad:48:ff + 9b: + +prime2: + 00:c4:78:18:4d:04:68:0f:e6:6a:e2:be:48:c5:3b:da + c4:1a:ad:60:44:65:af:01:7f:8f:ec:d5:94:21:d4:5c + d2:01:57:34:34:af:20:90:7a:b9:f7:10:c0:d9:4f:41 + cc:ca:48:68:49:34:50:9d:d8:ff:ab:b5:22:38:98:9d + 46:12:7b:7e:df:2e:f9:f0:53:3d:dd:b4:47:3c:0c:98 + 0b:d2:63:b5:f8:4a:7e:d1:6d:7c:be:4f:b5:1e:a7:d0 + 18:53:eb:35:c6:39:73:1a:e3:2a:9b:10:c7:56:8b:4a + 7c:5d:91:5c:a2:ed:37:1e:1a:3f:b5:91:e2:68:17:49 + bb: + +coefficient: + 00:a5:84:6d:e2:ff:0c:ab:d4:79:a8:c6:4a:43:4e:d4 + cf:82:78:aa:ee:87:3f:a5:6f:5a:63:20:56:b9:6f:6e + ea:73:49:64:c3:47:5d:a8:04:1c:b9:c9:c7:39:40:08 + 7b:fe:f0:b5:ec:11:87:58:92:46:5f:bd:0c:44:49:b8 + b2:fa:f6:ee:d3:e8:60:b1:db:4a:bc:3a:46:fb:e9:10 + 4c:2c:9e:bf:7c:3a:eb:d7:f7:cc:e2:63:7e:40:97:71 + 14:b1:00:7f:a9:78:89:cf:95:e6:48:5a:77:56:27:40 + 28:50:69:fe:dd:80:a9:f0:80:8b:ba:a4:dd:53:6c:46 + 28: + +exp1: + 00:a3:4e:9c:03:44:da:1e:e5:35:4c:1b:7f:cf:1f:81 + 24:3b:f8:a8:4f:4b:b8:41:80:61:a3:e1:75:3b:ec:e1 + 52:bd:31:fc:77:72:38:a0:f3:d7:e7:39:42:45:85:ce + 8f:54:2b:8b:95:03:76:db:f1:49:38:24:3d:71:51:1f + 22:4f:e9:14:26:40:2b:be:1f:0d:e7:36:a8:9c:8f:ee + 48:bd:32:ae:26:50:bd:bc:79:d9:3d:6f:85:8d:5a:79 + 13:62:1d:20:dd:b5:f3:a2:53:4a:22:1b:73:a0:43:30 + 03:9b:f7:09:1d:96:15:e5:12:4b:33:5f:d0:c3:b6:cd + 7b: + +exp2: + 3b:cf:4f:9e:8a:9b:df:53:46:f0:b5:fa:d3:48:50:65 + e8:b5:25:1c:4d:54:44:81:7f:e0:1a:78:d8:ff:9c:2e + 36:48:44:d5:51:06:f9:d4:d2:ae:1b:04:8a:63:2d:65 + d9:a2:c7:54:99:bf:7c:fe:25:7f:31:4a:34:ae:89:1a + 5e:e0:07:94:8b:e9:7c:b6:ea:9b:86:99:34:f7:a4:85 + dc:cb:8c:07:05:2e:ac:34:c7:87:ec:1d:f8:32:20:10 + 77:e3:9f:e0:33:77:0e:15:5f:d0:0b:00:94:21:1d:50 + d4:ef:3e:a3:3e:d1:cb:b1:33:f9:e3:6a:68:43:c6:a7 + + +Validation parameters: + Hash: SHA384 + Seed: 158ff315e310b156af4aea0d458569e4edbbb8594bdc787cad6342e60e58557a + +Public Key PIN: + pin-sha256:6+wU+clGtIweqv1JStyZVU3ySSAl/K9K0Cj+CpALWwE= +Public Key ID: + sha256:ebec14f9c946b48c1eaafd494adc99554df2492025fcaf4ad028fe0a900b5b01 + sha1:9fdd2a3e9743a70afa78b1d8297e3c96cdbe2e6e + +-----BEGIN PRIVATE KEY----- +MIIE/QIBADALBgkqhkiG9w0BAQoEggSoMIIEpAIBAAKCAQEAs46U69CoPxI1vclZ +kqwjpUNkdrOEU5w7HnWXXadSQHN0po6HtjO2Q9eixZ7ttVYSwt1e46F+8QnjuHO9 +fQw+Z2mDQfSSnnqZmYgZD6bmOH2gx9lUk5HEEDlQXFuPJHGOMoJb1UqY/zbVuYvh +GKeMyU6NHu8WTDSJeV484HkU3C+uTYuQN265iylaKU/kN5p/1BwxjeNk/acm2vLz +Asz+hCdaBSvWWROZryAlyALcdn1Kjb9AbXS0Q3GTTgIHDebob72YAzSAcXtuWnVB +mRORSFWx56c4wfK/9183r+np4gDQ4V5jf3soR0xOxFURikBi6fAYI3/pnOHMDVXV +VCLpOQIDAQABAoIBABrCahFG1Hwp05aINnA0dU+A3q0ODe+D/g+JCNjtQcXXLxBP +d4xA4q3zqg93owd+X2dpJGYaQFfd2HE51oiXVYmF4QjoUR2LOe72qH17qx3KIzcF +faRMegLM99v7zTZqMf33DYaZCnomiu2PGinZdpLdwQxWJ2WOAtryn3H4uZIizNpB +Vb7IPn0chTNk3ZIUCtmly6HXLPHScLKhm37FXP1WHkY9071wL4tN/+PnwaYJvX5H +B1LtcUdEtTD8FRxdjzb9vPrBJ5yX7hh6UICD1FymEDThwxfboJlBvybYNE2ZejCv +udfXTfZfjNbDvKZ1kDeb0Qw7J+Y9mZ9Tnj+lM70CgYEA6fagyl1otbekRhd+F6VX +pwaorvXo/ze/aiJYPI8ebwnYwIUb5q7bAYKa/SBVd1n6I6RJlR4ftHlVPovQaxTk +rnxERkM8KkaP1a7HgUY9z0Kv/52lZAK83utF6wfj1wEc44vFhiQO+iJ8kaU6PQxf +9SSnRDdPC0KxArZag61I/5sCgYEAxHgYTQRoD+Zq4r5IxTvaxBqtYERlrwF/j+zV +lCHUXNIBVzQ0ryCQern3EMDZT0HMykhoSTRQndj/q7UiOJidRhJ7ft8u+fBTPd20 +RzwMmAvSY7X4Sn7RbXy+T7Uep9AYU+s1xjlzGuMqmxDHVotKfF2RXKLtNx4aP7WR +4mgXSbsCgYEAo06cA0TaHuU1TBt/zx+BJDv4qE9LuEGAYaPhdTvs4VK9Mfx3cjig +89fnOUJFhc6PVCuLlQN22/FJOCQ9cVEfIk/pFCZAK74fDec2qJyP7ki9Mq4mUL28 +edk9b4WNWnkTYh0g3bXzolNKIhtzoEMwA5v3CR2WFeUSSzNf0MO2zXsCgYA7z0+e +ipvfU0bwtfrTSFBl6LUlHE1URIF/4Bp42P+cLjZIRNVRBvnU0q4bBIpjLWXZosdU +mb98/iV/MUo0rokaXuAHlIvpfLbqm4aZNPekhdzLjAcFLqw0x4fsHfgyIBB345/g +M3cOFV/QCwCUIR1Q1O8+oz7Ry7Ez+eNqaEPGpwKBgQClhG3i/wyr1HmoxkpDTtTP +gniq7oc/pW9aYyBWuW9u6nNJZMNHXagEHLnJxzlACHv+8LXsEYdYkkZfvQxESbiy ++vbu0+hgsdtKvDpG++kQTCyev3w669f3zOJjfkCXcRSxAH+peInPleZIWndWJ0Ao +UGn+3YCp8ICLuqTdU2xGKKA/MD0GCisGAQQBkggSCAExLzAtBglghkgBZQMEAgIE +IBWP8xXjELFWr0rqDUWFaeTtu7hZS9x4fK1jQuYOWFV6 +-----END PRIVATE KEY----- diff --git a/doc/credentials/x509/key-ed25519.pem b/doc/credentials/x509/key-ed25519.pem new file mode 100644 index 0000000000..7fedbd79bd --- /dev/null +++ b/doc/credentials/x509/key-ed25519.pem @@ -0,0 +1,25 @@ +Public Key Info: + Public Key Algorithm: EdDSA (Ed25519) + Key Security Level: High (256 bits) + +curve: Ed25519 +private key: + e5:c3:25:73:94:e8:9e:97:75:7c:78:59:f7:32:3c:82 + cf:60:90:c7:e5:b4:5f:9b:d7:a6:f8:36:0c:92:59:70 + + +x: + f3:05:fb:e9:73:2c:8c:df:c8:25:f4:bf:40:7b:2c:86 + 9b:65:66:7f:75:e3:d6:f4:77:b1:21:b5:b7:b5:89:87 + + + +Public Key PIN: + pin-sha256:7DW50qkZrEKqSrB29HkLvRoiuQAtHaaLAZKLE9s/VZ4= +Public Key ID: + sha256:ec35b9d2a919ac42aa4ab076f4790bbd1a22b9002d1da68b01928b13db3f559e + sha1:e3524a739d18bce9bf7c4d71c8bc66228aab3caa + +-----BEGIN PRIVATE KEY----- +MC4CAQAwBQYDK2VwBCIEIOXDJXOU6J6XdXx4WfcyPILPYJDH5bRfm9em+DYMkllw +-----END PRIVATE KEY----- diff --git a/tests/suite/Makefile.am b/tests/suite/Makefile.am index 90ac5d00ae..582eeea674 100644 --- a/tests/suite/Makefile.am +++ b/tests/suite/Makefile.am @@ -86,7 +86,8 @@ nodist_libecore_la_SOURCES = ecore/src/lib/ecore_anim.c \ EXTRA_DIST += testcompat-main-polarssl testcompat-main-openssl testcompat-common -nodist_check_SCRIPTS = chain.sh \ + +scripts_to_test = chain.sh \ testrng.sh testcompat-polarssl.sh testcompat-openssl.sh \ testrandom.sh tls-fuzzer/tls-fuzzer-nocert.sh \ tls-fuzzer/tls-fuzzer-cert.sh tls-fuzzer/tls-fuzzer-alpn.sh @@ -108,7 +109,7 @@ TESTS_ENVIRONMENT += ENABLE_SSL3=1 endif if ENABLE_DANE -nodist_check_SCRIPTS += testdane.sh +scripts_to_test += testdane.sh endif if !MACOSX @@ -121,11 +122,13 @@ nodist_eagain_cli_SOURCES = mini-eagain2.c noinst_PROGRAMS = eagain-cli mini-record-timing -nodist_check_SCRIPTS += eagain.sh +scripts_to_test += eagain.sh endif endif -TESTS = $(nodist_check_SCRIPTS) prime-check +nodist_check_SCRIPTS = $(scripts_to_test) testcompat-tls13-openssl.sh + +TESTS = $(scripts_to_test) prime-check prime_check_CPPFLAGS = $(AM_CPPFLAGS) $(NETTLE_CFLAGS) diff --git a/tests/suite/testcompat-common b/tests/suite/testcompat-common index 9028b4a400..c351662319 100644 --- a/tests/suite/testcompat-common +++ b/tests/suite/testcompat-common @@ -30,13 +30,31 @@ DSA_CERT="${srcdir}/../cert-tests/data/cert.dsa.1024.pem" DSA_KEY="${srcdir}/../cert-tests/data/dsa.1024.pem" -RSA_CERT="${srcdir}/../certs/cert-rsa-2432.pem" -RSA_KEY="${srcdir}/../certs/rsa-2432.pem" - CA_CERT="${srcdir}/../../doc/credentials/x509/ca.pem" CLI_CERT="${srcdir}/../../doc/credentials/x509/clicert.pem" CLI_KEY="${srcdir}/../../doc/credentials/x509/clikey.pem" +ECC_CLI_CERT="${srcdir}/../../doc/credentials/x509/clicert-ecdsa.pem" +ECC_CLI_KEY="${srcdir}/../../doc/credentials/x509/clikey-ecdsa.pem" + +RSA_PSS_CLI_CERT="${srcdir}/../../doc/credentials/x509/clicert-rsa-pss.pem" +RSA_PSS_CLI_KEY="${srcdir}/../../doc/credentials/x509/clikey-rsa-pss.pem" + +ED25519_CLI_CERT="${srcdir}/../../doc/credentials/x509/clicert-ed25519.pem" +ED25519_CLI_KEY="${srcdir}/../../doc/credentials/x509/clikey-ed25519.pem" + +RSA_PSS_CERT="${srcdir}/../../doc/credentials/x509/cert-rsa-pss.pem" +RSA_PSS_KEY="${srcdir}/../../doc/credentials/x509/key-rsa-pss.pem" + +RSA_CERT="${srcdir}/../../doc/credentials/x509/cert-rsa.pem" +RSA_KEY="${srcdir}/../../doc/credentials/x509/key-rsa.pem" + +ED25519_CERT="${srcdir}/../../doc/credentials/x509/cert-ed25519.pem" +ED25519_KEY="${srcdir}/../../doc/credentials/x509/key-ed25519.pem" + +ECC_CERT="${srcdir}/../../doc/credentials/x509/cert-ecc.pem" +ECC_KEY="${srcdir}/../../doc/credentials/x509/key-ecc.pem" + CA_ECC_CERT="${srcdir}/../certs/ca-cert-ecc.pem" ECC224_CERT="${srcdir}/../certs/cert-ecc.pem" ECC224_KEY="${srcdir}/../certs/ecc.pem" @@ -58,3 +76,6 @@ SERV_DSA_KEY="${srcdir}/../../doc/credentials/x509/key-dsa.pem" SERV_PSK="${srcdir}/../../doc/credentials/psk-passwd.txt" DH_PARAMS="${srcdir}/params.dh" + +PSKID=test32 +PSKKEY=8a7759b3f26983c453e448060bde89818a7759b3f26983c453e448060bde8981 diff --git a/tests/suite/testcompat-tls13-openssl.sh b/tests/suite/testcompat-tls13-openssl.sh new file mode 100755 index 0000000000..b03e6a2111 --- /dev/null +++ b/tests/suite/testcompat-tls13-openssl.sh @@ -0,0 +1,382 @@ +#!/bin/bash + +# Copyright (c) 2010-2016, Free Software Foundation, Inc. +# Copyright (c) 2012-2018, Nikos Mavrogiannopoulos +# All rights reserved. +# +# Author: Nikos Mavrogiannopoulos +# +# This file is part of GnuTLS. +# +# Redistribution and use in source and binary forms, with or without modification, +# are permitted provided that the following conditions are met: +# +# 1. Redistributions of source code must retain the above copyright notice, this +# list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright notice, +# this list of conditions and the following disclaimer in the documentation and/or +# other materials provided with the distribution. +# 3. Neither the name of the copyright holder nor the names of its contributors may +# be used to endorse or promote products derived from this software without specific +# prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY +# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT +# SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, +# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED +# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY +# WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +abs_top_srcdir="${abs_top_srcdir:-$(pwd)/../../}" +srcdir="${srcdir:-.}" +CLI="${CLI:-../../src/gnutls-cli${EXEEXT}}" +unset RETCODE + +if ! test -x "${CLI}"; then + exit 77 +fi + +# Check for datefudge +TSTAMP=`datefudge "2006-09-23 00:00 UTC" date -u +%s 2>/dev/null` +if test "${TSTAMP}" != "1158969600"; then + echo "You need datefudge to run this test" + exit 77 +fi + +if ! test -z "${VALGRIND}"; then + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" +fi + +if test "${WINDIR}" != ""; then + exit 77 +fi + +. "${srcdir}/../scripts/common.sh" + +. "${srcdir}/testcompat-common" + +PORT="${PORT:-${RPORT}}" + +export LD_LIBRARY_PATH=${abs_top_srcdir}/devel/openssl +echo LD_LIBRARY_PATH=$LD_LIBRARY_PATH +SERV=../../devel/openssl/apps/openssl +OPENSSL_CLI="$SERV" + +if test -z "$OUTPUT";then +OUTPUT=/dev/null +fi + +>${OUTPUT} + +echo_cmd() { + tee -a ${OUTPUT} <<<$(echo $1) +} + +echo_cmd "Compatibility checks using "`${SERV} version` + +echo_cmd "#################################################" +echo_cmd "# Client mode tests (gnutls cli-openssl server) #" +echo_cmd "#################################################" + +OCIPHERSUITES="TLS_AES_128_CCM_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_8_SHA256" + +run_client_suite() { + ADD=$1 + PREFIX="" + if ! test -z "${ADD}"; then + PREFIX="$(echo $ADD|sed 's/://g'): " + fi + + + eval "${GETPORT}" + launch_bare_server $$ s_server -ciphersuites ${OCIPHERSUITES} -groups 'X25519:P-256:X448:P-521:P-384' -quiet -www -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" + PID=$! + wait_server ${PID} + + #AES-128-CCM + for i in AES-128-GCM AES-256-GCM CHACHA20-POLY1305 AES-128-CCM AES-128-CCM-8;do + echo_cmd "${PREFIX}Checking TLS 1.3 with ${i}..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+${i}${ADD}" --insecure >${OUTPUT} || \ + fail ${PID} "Failed" + done + + for i in GROUP-X25519 GROUP-SECP256R1 GROUP-SECP384R1 GROUP-SECP521R1;do + echo_cmd "${PREFIX}Checking TLS 1.3 with $i..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+${i}${ADD}" --insecure >${OUTPUT} || \ + fail ${PID} "Failed" + done + + echo_cmd "${PREFIX}Checking TLS 1.3 with rekey..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --insecure --inline-commands <<<$(echo "^rekey^") >>${OUTPUT} || \ + fail ${PID} "Failed" + + # Try hello retry request + echo_cmd "${PREFIX}Checking TLS 1.3 with HRR..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --single-key-share --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-FFDHE4096:+GROUP-SECP256R1${ADD}" --insecure >${OUTPUT} || \ + fail ${PID} "Failed" + + kill ${PID} + wait + + + #test PSK ciphersuites + # disabled as I do not seem to be able to connect to openssl s_server with PSK + eval "${GETPORT}" + launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -psk_identity ${PSKID} -psk ${PSKKEY} -nocert + PID=$! + wait_server ${PID} + +# by default only SHA256 is supported under PSK as PRF, so we cannot try all +# ciphers; only the ones which use SHA256 PRF. + for i in AES-128-GCM;do +# plain PSK with (EC)DHE not supported by openssl +# echo_cmd "${PREFIX}Checking TLS 1.3 with PSK with ${i}..." +# ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK:-CIPHER-ALL:+${i}${ADD}" --pskusername ${PSKID} --pskkey ${PSKKEY} >${OUTPUT} || \ + fail ${PID} "Failed" + done + + kill ${PID} + wait + + #test client certificates + eval "${GETPORT}" + launch_bare_server $$ s_server -cipher "ALL" -quiet -www -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" >>${OUTPUT} 2>&1 + PID=$! + wait_server ${PID} + + for i in GROUP-SECP256R1;do + echo_cmd "${PREFIX}Checking TLS 1.3 with RSA client cert and $i..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+${i}${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" >${OUTPUT} || \ + fail ${PID} "Failed" + + echo_cmd "${PREFIX}Checking TLS 1.3 with secp256r1 client cert and $i..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+${i}${ADD}" --insecure --x509certfile "${ECC_CLI_CERT}" --x509keyfile "${ECC_CLI_KEY}" >${OUTPUT} || \ + fail ${PID} "Failed" + + echo_cmd "${PREFIX}Checking TLS 1.3 with Ed25519 client cert and $i..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+${i}${ADD}" --insecure --x509certfile "${ED25519_CLI_CERT}" --x509keyfile "${ED25519_CLI_KEY}" >${OUTPUT} || \ + fail ${PID} "Failed" + + echo_cmd "${PREFIX}Checking TLS 1.3 with RSA-PSS client cert and $i..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+${i}${ADD}" --insecure --x509certfile "${RSA_PSS_CLI_CERT}" --x509keyfile "${RSA_PSS_CLI_KEY}" >${OUTPUT} || \ + fail ${PID} "Failed" + done + + kill ${PID} + wait + + echo_cmd "${PREFIX}Checking TLS 1.3 with Ed25519 certificate..." + eval "${GETPORT}" + launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${ED25519_KEY}" -cert "${ED25519_CERT}" -CAfile "${CA_CERT}" + PID=$! + wait_server ${PID} + + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --insecure >${OUTPUT} || \ + fail ${PID} "Failed" + + kill ${PID} + wait + + echo_cmd "${PREFIX}Checking TLS 1.3 with secp256r1 certificate..." + eval "${GETPORT}" + launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${ECC_KEY}" -cert "${ECC_CERT}" -CAfile "${CA_CERT}" + PID=$! + wait_server ${PID} + +# ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509cafile "${CA_CERT}" >${OUTPUT} || \ + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --insecure >${OUTPUT} || \ + fail ${PID} "Failed" + + kill ${PID} + wait + + echo_cmd "${PREFIX}Checking TLS 1.3 with RSA-PSS certificate..." + eval "${GETPORT}" + launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_PSS_KEY}" -cert "${RSA_PSS_CERT}" -CAfile "${CA_CERT}" + PID=$! + wait_server ${PID} + +# ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509cafile "${CA_CERT}" >${OUTPUT} || \ + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --insecure >${OUTPUT} || \ + fail ${PID} "Failed" + + kill ${PID} + wait + + +} + +run_client_suite + +echo_cmd "${PREFIX}Client mode tests were successfully completed" +echo_cmd "${PREFIX}" +echo_cmd "${PREFIX}###############################################" +echo_cmd "${PREFIX}# Server mode tests (gnutls server-openssl cli#" +echo_cmd "${PREFIX}###############################################" +SERV="../../src/gnutls-serv${EXEEXT} -q" + +# Note that openssl s_client does not return error code on failure + +run_server_suite() { + ADD=$1 + PREFIX="" + if ! test -z "${ADD}"; then + PREFIX="$(echo $ADD|sed 's/://g'): " + fi + + #AES-128-CCM + for i in AES-128-GCM AES-256-GCM CHACHA20-POLY1305 AES-128-CCM AES-128-CCM-8;do + echo_cmd "${PREFIX}Checking TLS 1.3 with ${i}..." + + eval "${GETPORT}" + launch_server $$ --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+${i}${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1 + PID=$! + wait_server ${PID} + + ${OPENSSL_CLI} s_client -ciphersuites ${OCIPHERSUITES} -host localhost -port "${PORT}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ + fail ${PID} "Failed" + + kill ${PID} + wait + done + + for i in GROUP-X25519 GROUP-SECP256R1 GROUP-SECP384R1 GROUP-SECP521R1;do + echo_cmd "${PREFIX}Checking TLS 1.3 with ${i}..." + + eval "${GETPORT}" + launch_server $$ --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+${i}${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1 + PID=$! + wait_server ${PID} + + ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ + fail ${PID} "Failed" + + kill ${PID} + wait + done + + echo_cmd "${PREFIX}Checking TLS 1.3 with HRR..." + + eval "${GETPORT}" + launch_server $$ --echo --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-SECP384R1${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1 + PID=$! + wait_server ${PID} + + ${OPENSSL_CLI} s_client -groups 'X25519:P-256:X448:P-521:P-384' -host localhost -port "${PORT}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ + fail ${PID} "Failed" + + echo_cmd "${PREFIX}Checking TLS 1.3 with rekey..." + ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -CAfile "${CA_CERT}" <<<$(echo "***REKEY***") 2>&1 | grep "\:error\:" && \ + fail ${PID} "Failed" + + kill ${PID} + wait + + # client certificates + + eval "${GETPORT}" + launch_server $$ --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --require-client-cert --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1 + PID=$! + wait_server ${PID} + + echo_cmd "${PREFIX}Checking TLS 1.3 with RSA client certificate..." + ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ + fail ${PID} "Failed" + + echo_cmd "${PREFIX}Checking TLS 1.3 with RSA-PSS client certificate..." + ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -cert "${RSA_PSS_CLI_CERT}" -key "${RSA_PSS_CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ + fail ${PID} "Failed" + + echo_cmd "${PREFIX}Checking TLS 1.3 with secp256r1 client certificate..." + ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -cert "${ECC_CLI_CERT}" -key "${ECC_CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ + fail ${PID} "Failed" + + echo_cmd "${PREFIX}Checking TLS 1.3 with Ed25519 client certificate..." + ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -cert "${ED25519_CLI_CERT}" -key "${ED25519_CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ + fail ${PID} "Failed" + + kill ${PID} + wait + + echo_cmd "${PREFIX}Checking TLS 1.3 with post handshake auth..." + + eval "${GETPORT}" + launch_server $$ --echo --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1 + PID=$! + wait_server ${PID} + + ${OPENSSL_CLI} s_client -force_pha -host localhost -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" <<<$(echo "***REAUTH***") 2>&1 | grep "\:error\:" && \ + fail ${PID} "Failed" + + kill ${PID} + wait + + + echo_cmd "${PREFIX}Checking TLS 1.3 with Ed25519 certificate..." + + eval "${GETPORT}" + launch_server $$ --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${ED25519_CERT}" --x509keyfile "${ED25519_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1 + PID=$! + wait_server ${PID} + + ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ + fail ${PID} "Failed" + + kill ${PID} + wait + + echo_cmd "${PREFIX}Checking TLS 1.3 with secp256r1 certificate..." + + eval "${GETPORT}" + launch_server $$ --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${ECC_CERT}" --x509keyfile "${ECC_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1 + PID=$! + wait_server ${PID} + + ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ + fail ${PID} "Failed" + + kill ${PID} + wait + + echo_cmd "${PREFIX}Checking TLS 1.3 with RSA-PSS certificate..." + + eval "${GETPORT}" + launch_server $$ --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${RSA_PSS_CERT}" --x509keyfile "${RSA_PSS_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1 + PID=$! + wait_server ${PID} + + ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ + fail ${PID} "Failed" + + kill ${PID} + wait + + + # openssl doesn't support PSK + for i in DHE-PSK;do + echo_cmd "${PREFIX}Checking TLS 1.3 with ${i}..." + + eval "${GETPORT}" + launch_server $$ --pskpasswd "${SERV_PSK}" --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-GCM:+${i}${ADD}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1 + PID=$! + wait_server ${PID} + + ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -psk_identity "${PSKID}" -psk "${PSKKEY}" >${OUTPUT} || \ + fail ${PID} "Failed" + + kill ${PID} + wait + done + +} + +run_server_suite + +exit 0 -- cgit v1.2.1