1#!/bin/sh 2 3# compat.sh 4# 5# Copyright The Mbed TLS Contributors 6# SPDX-License-Identifier: Apache-2.0 7# 8# Licensed under the Apache License, Version 2.0 (the "License"); you may 9# not use this file except in compliance with the License. 10# You may obtain a copy of the License at 11# 12# http://www.apache.org/licenses/LICENSE-2.0 13# 14# Unless required by applicable law or agreed to in writing, software 15# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 16# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 17# See the License for the specific language governing permissions and 18# limitations under the License. 19# 20# Purpose 21# 22# Test interoperbility with OpenSSL, GnuTLS as well as itself. 23# 24# Check each common ciphersuite, with each version, both ways (client/server), 25# with and without client authentication. 26 27set -u 28 29# Limit the size of each log to 10 GiB, in case of failures with this script 30# where it may output seemingly unlimited length error logs. 31ulimit -f 20971520 32 33# initialise counters 34TESTS=0 35FAILED=0 36SKIPPED=0 37SRVMEM=0 38 39# default commands, can be overridden by the environment 40: ${M_SRV:=../programs/ssl/ssl_server2} 41: ${M_CLI:=../programs/ssl/ssl_client2} 42: ${OPENSSL_CMD:=openssl} # OPENSSL would conflict with the build system 43: ${GNUTLS_CLI:=gnutls-cli} 44: ${GNUTLS_SERV:=gnutls-serv} 45 46# do we have a recent enough GnuTLS? 47if ( which $GNUTLS_CLI && which $GNUTLS_SERV ) >/dev/null 2>&1; then 48 G_VER="$( $GNUTLS_CLI --version | head -n1 )" 49 if echo "$G_VER" | grep '@VERSION@' > /dev/null; then # git version 50 PEER_GNUTLS=" GnuTLS" 51 else 52 eval $( echo $G_VER | sed 's/.* \([0-9]*\)\.\([0-9]\)*\.\([0-9]*\)$/MAJOR="\1" MINOR="\2" PATCH="\3"/' ) 53 if [ $MAJOR -lt 3 -o \ 54 \( $MAJOR -eq 3 -a $MINOR -lt 2 \) -o \ 55 \( $MAJOR -eq 3 -a $MINOR -eq 2 -a $PATCH -lt 15 \) ] 56 then 57 PEER_GNUTLS="" 58 else 59 PEER_GNUTLS=" GnuTLS" 60 if [ $MINOR -lt 4 ]; then 61 GNUTLS_MINOR_LT_FOUR='x' 62 fi 63 fi 64 fi 65else 66 PEER_GNUTLS="" 67fi 68 69# default values for options 70MODES="tls12 dtls12" 71VERIFIES="NO YES" 72TYPES="ECDSA RSA PSK" 73FILTER="" 74# exclude: 75# - NULL: excluded from our default config 76# avoid plain DES but keep 3DES-EDE-CBC (mbedTLS), DES-CBC3 (OpenSSL) 77# - ARIA: not in default mbedtls_config.h + requires OpenSSL >= 1.1.1 78# - ChachaPoly: requires OpenSSL >= 1.1.0 79# - 3DES: not in default config 80EXCLUDE='NULL\|DES\|ARIA\|CHACHA20-POLY1305' 81VERBOSE="" 82MEMCHECK=0 83PEERS="OpenSSL$PEER_GNUTLS mbedTLS" 84 85# hidden option: skip DTLS with OpenSSL 86# (travis CI has a version that doesn't work for us) 87: ${OSSL_NO_DTLS:=0} 88 89print_usage() { 90 echo "Usage: $0" 91 printf " -h|--help\tPrint this help.\n" 92 printf " -f|--filter\tOnly matching ciphersuites are tested (Default: '%s')\n" "$FILTER" 93 printf " -e|--exclude\tMatching ciphersuites are excluded (Default: '%s')\n" "$EXCLUDE" 94 printf " -m|--modes\tWhich modes to perform (Default: '%s')\n" "$MODES" 95 printf " -t|--types\tWhich key exchange type to perform (Default: '%s')\n" "$TYPES" 96 printf " -V|--verify\tWhich verification modes to perform (Default: '%s')\n" "$VERIFIES" 97 printf " -p|--peers\tWhich peers to use (Default: '%s')\n" "$PEERS" 98 printf " \tAlso available: GnuTLS (needs v3.2.15 or higher)\n" 99 printf " -M|--memcheck\tCheck memory leaks and errors.\n" 100 printf " -v|--verbose\tSet verbose output.\n" 101} 102 103get_options() { 104 while [ $# -gt 0 ]; do 105 case "$1" in 106 -f|--filter) 107 shift; FILTER=$1 108 ;; 109 -e|--exclude) 110 shift; EXCLUDE=$1 111 ;; 112 -m|--modes) 113 shift; MODES=$1 114 ;; 115 -t|--types) 116 shift; TYPES=$1 117 ;; 118 -V|--verify) 119 shift; VERIFIES=$1 120 ;; 121 -p|--peers) 122 shift; PEERS=$1 123 ;; 124 -v|--verbose) 125 VERBOSE=1 126 ;; 127 -M|--memcheck) 128 MEMCHECK=1 129 ;; 130 -h|--help) 131 print_usage 132 exit 0 133 ;; 134 *) 135 echo "Unknown argument: '$1'" 136 print_usage 137 exit 1 138 ;; 139 esac 140 shift 141 done 142 143 # sanitize some options (modes checked later) 144 VERIFIES="$( echo $VERIFIES | tr [a-z] [A-Z] )" 145 TYPES="$( echo $TYPES | tr [a-z] [A-Z] )" 146} 147 148log() { 149 if [ "X" != "X$VERBOSE" ]; then 150 echo "" 151 echo "$@" 152 fi 153} 154 155# is_dtls <mode> 156is_dtls() 157{ 158 test "$1" = "dtls12" 159} 160 161# minor_ver <mode> 162minor_ver() 163{ 164 case "$1" in 165 tls12|dtls12) 166 echo 3 167 ;; 168 *) 169 echo "error: invalid mode: $MODE" >&2 170 # exiting is no good here, typically called in a subshell 171 echo -1 172 esac 173} 174 175filter() 176{ 177 LIST="$1" 178 NEW_LIST="" 179 180 EXCLMODE="$EXCLUDE" 181 182 for i in $LIST; 183 do 184 NEW_LIST="$NEW_LIST $( echo "$i" | grep "$FILTER" | grep -v "$EXCLMODE" )" 185 done 186 187 # normalize whitespace 188 echo "$NEW_LIST" | sed -e 's/[[:space:]][[:space:]]*/ /g' -e 's/^ //' -e 's/ $//' 189} 190 191# OpenSSL 1.0.1h with -Verify wants a ClientCertificate message even for 192# PSK ciphersuites with DTLS, which is incorrect, so disable them for now 193check_openssl_server_bug() 194{ 195 if test "X$VERIFY" = "XYES" && is_dtls "$MODE" && \ 196 echo "$1" | grep "^TLS-PSK" >/dev/null; 197 then 198 SKIP_NEXT="YES" 199 fi 200} 201 202filter_ciphersuites() 203{ 204 if [ "X" != "X$FILTER" -o "X" != "X$EXCLUDE" ]; 205 then 206 # Ciphersuite for mbed TLS 207 M_CIPHERS=$( filter "$M_CIPHERS" ) 208 209 # Ciphersuite for OpenSSL 210 O_CIPHERS=$( filter "$O_CIPHERS" ) 211 212 # Ciphersuite for GnuTLS 213 G_CIPHERS=$( filter "$G_CIPHERS" ) 214 fi 215 216 # OpenSSL <1.0.2 doesn't support DTLS 1.2. Check what OpenSSL 217 # supports from the s_server help. (The s_client help isn't 218 # accurate as of 1.0.2g: it supports DTLS 1.2 but doesn't list it. 219 # But the s_server help seems to be accurate.) 220 if ! $OPENSSL_CMD s_server -help 2>&1 | grep -q "^ *-$MODE "; then 221 M_CIPHERS="" 222 O_CIPHERS="" 223 fi 224 225 # For GnuTLS client -> mbed TLS server, 226 # we need to force IPv4 by connecting to 127.0.0.1 but then auth fails 227 if [ "X$VERIFY" = "XYES" ] && is_dtls "$MODE"; then 228 G_CIPHERS="" 229 fi 230} 231 232reset_ciphersuites() 233{ 234 M_CIPHERS="" 235 O_CIPHERS="" 236 G_CIPHERS="" 237} 238 239check_translation() 240{ 241 if [ $1 -ne 0 ]; then 242 echo "translate_ciphers.py failed with exit code $1" >&2 243 echo "$2" >&2 244 exit 1 245 fi 246} 247 248# Ciphersuites that can be used with all peers. 249# Since we currently have three possible peers, each ciphersuite should appear 250# three times: in each peer's list (with the name that this peer uses). 251add_common_ciphersuites() 252{ 253 CIPHERS="" 254 case $TYPE in 255 256 "ECDSA") 257 if [ `minor_ver "$MODE"` -gt 0 ] 258 then 259 CIPHERS="$CIPHERS \ 260 TLS-ECDHE-ECDSA-WITH-NULL-SHA \ 261 TLS-ECDHE-ECDSA-WITH-3DES-EDE-CBC-SHA \ 262 TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA \ 263 TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA \ 264 " 265 fi 266 if [ `minor_ver "$MODE"` -ge 3 ] 267 then 268 CIPHERS="$CIPHERS \ 269 TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 \ 270 TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384 \ 271 TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ 272 TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384 \ 273 " 274 fi 275 ;; 276 277 "RSA") 278 CIPHERS="$CIPHERS \ 279 TLS-DHE-RSA-WITH-AES-128-CBC-SHA \ 280 TLS-DHE-RSA-WITH-AES-256-CBC-SHA \ 281 TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA \ 282 TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA \ 283 TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA \ 284 TLS-RSA-WITH-AES-256-CBC-SHA \ 285 TLS-RSA-WITH-CAMELLIA-256-CBC-SHA \ 286 TLS-RSA-WITH-AES-128-CBC-SHA \ 287 TLS-RSA-WITH-CAMELLIA-128-CBC-SHA \ 288 TLS-RSA-WITH-3DES-EDE-CBC-SHA \ 289 TLS-RSA-WITH-NULL-MD5 \ 290 TLS-RSA-WITH-NULL-SHA \ 291 " 292 if [ `minor_ver "$MODE"` -gt 0 ] 293 then 294 CIPHERS="$CIPHERS \ 295 TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA \ 296 TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA \ 297 TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA \ 298 TLS-ECDHE-RSA-WITH-NULL-SHA \ 299 " 300 fi 301 if [ `minor_ver "$MODE"` -ge 3 ] 302 then 303 CIPHERS="$CIPHERS \ 304 TLS-RSA-WITH-AES-128-CBC-SHA256 \ 305 TLS-DHE-RSA-WITH-AES-128-CBC-SHA256 \ 306 TLS-RSA-WITH-AES-256-CBC-SHA256 \ 307 TLS-DHE-RSA-WITH-AES-256-CBC-SHA256 \ 308 TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256 \ 309 TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384 \ 310 TLS-RSA-WITH-AES-128-GCM-SHA256 \ 311 TLS-RSA-WITH-AES-256-GCM-SHA384 \ 312 TLS-DHE-RSA-WITH-AES-128-GCM-SHA256 \ 313 TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 \ 314 TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 \ 315 TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384 \ 316 TLS-RSA-WITH-NULL-SHA256 \ 317 " 318 fi 319 ;; 320 321 "PSK") 322 CIPHERS="$CIPHERS \ 323 TLS-PSK-WITH-3DES-EDE-CBC-SHA \ 324 TLS-PSK-WITH-AES-128-CBC-SHA \ 325 TLS-PSK-WITH-AES-256-CBC-SHA \ 326 " 327 ;; 328 esac 329 330 M_CIPHERS="$M_CIPHERS $CIPHERS" 331 332 T=$(./scripts/translate_ciphers.py g $CIPHERS) 333 check_translation $? "$T" 334 G_CIPHERS="$G_CIPHERS $T" 335 336 T=$(./scripts/translate_ciphers.py o $CIPHERS) 337 check_translation $? "$T" 338 O_CIPHERS="$O_CIPHERS $T" 339} 340 341# Ciphersuites usable only with Mbed TLS and OpenSSL 342# A list of ciphersuites in the Mbed TLS convention is compiled and 343# appended to the list of Mbed TLS ciphersuites $M_CIPHERS. The same list 344# is translated to the OpenSSL naming convention and appended to the list of 345# OpenSSL ciphersuites $O_CIPHERS. 346# 347# NOTE: for some reason RSA-PSK doesn't work with OpenSSL, 348# so RSA-PSK ciphersuites need to go in other sections, see 349# https://github.com/ARMmbed/mbedtls/issues/1419 350# 351# ChachaPoly suites are here rather than in "common", as they were added in 352# GnuTLS in 3.5.0 and the CI only has 3.4.x so far. 353add_openssl_ciphersuites() 354{ 355 CIPHERS="" 356 case $TYPE in 357 358 "ECDSA") 359 if [ `minor_ver "$MODE"` -gt 0 ] 360 then 361 CIPHERS="$CIPHERS \ 362 TLS-ECDH-ECDSA-WITH-NULL-SHA \ 363 TLS-ECDH-ECDSA-WITH-3DES-EDE-CBC-SHA \ 364 TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA \ 365 TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA \ 366 " 367 fi 368 if [ `minor_ver "$MODE"` -ge 3 ] 369 then 370 CIPHERS="$CIPHERS \ 371 TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256 \ 372 TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384 \ 373 TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256 \ 374 TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384 \ 375 TLS-ECDHE-ECDSA-WITH-ARIA-256-GCM-SHA384 \ 376 TLS-ECDHE-ECDSA-WITH-ARIA-128-GCM-SHA256 \ 377 TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256 \ 378 " 379 fi 380 ;; 381 382 "RSA") 383 CIPHERS="$CIPHERS \ 384 TLS-RSA-WITH-DES-CBC-SHA \ 385 TLS-DHE-RSA-WITH-DES-CBC-SHA \ 386 " 387 if [ `minor_ver "$MODE"` -ge 3 ] 388 then 389 CIPHERS="$CIPHERS \ 390 TLS-ECDHE-RSA-WITH-ARIA-256-GCM-SHA384 \ 391 TLS-DHE-RSA-WITH-ARIA-256-GCM-SHA384 \ 392 TLS-RSA-WITH-ARIA-256-GCM-SHA384 \ 393 TLS-ECDHE-RSA-WITH-ARIA-128-GCM-SHA256 \ 394 TLS-DHE-RSA-WITH-ARIA-128-GCM-SHA256 \ 395 TLS-RSA-WITH-ARIA-128-GCM-SHA256 \ 396 TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256 \ 397 TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256 \ 398 " 399 fi 400 ;; 401 402 "PSK") 403 if [ `minor_ver "$MODE"` -ge 3 ] 404 then 405 CIPHERS="$CIPHERS \ 406 TLS-DHE-PSK-WITH-ARIA-256-GCM-SHA384 \ 407 TLS-DHE-PSK-WITH-ARIA-128-GCM-SHA256 \ 408 TLS-PSK-WITH-ARIA-256-GCM-SHA384 \ 409 TLS-PSK-WITH-ARIA-128-GCM-SHA256 \ 410 TLS-PSK-WITH-CHACHA20-POLY1305-SHA256 \ 411 TLS-ECDHE-PSK-WITH-CHACHA20-POLY1305-SHA256 \ 412 TLS-DHE-PSK-WITH-CHACHA20-POLY1305-SHA256 \ 413 " 414 fi 415 ;; 416 esac 417 418 M_CIPHERS="$M_CIPHERS $CIPHERS" 419 420 T=$(./scripts/translate_ciphers.py o $CIPHERS) 421 check_translation $? "$T" 422 O_CIPHERS="$O_CIPHERS $T" 423} 424 425# Ciphersuites usable only with Mbed TLS and GnuTLS 426# A list of ciphersuites in the Mbed TLS convention is compiled and 427# appended to the list of Mbed TLS ciphersuites $M_CIPHERS. The same list 428# is translated to the GnuTLS naming convention and appended to the list of 429# GnuTLS ciphersuites $G_CIPHERS. 430add_gnutls_ciphersuites() 431{ 432 CIPHERS="" 433 case $TYPE in 434 435 "ECDSA") 436 if [ `minor_ver "$MODE"` -ge 3 ] 437 then 438 CIPHERS="$CIPHERS \ 439 TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA256 \ 440 TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA384 \ 441 TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-GCM-SHA256 \ 442 TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-GCM-SHA384 \ 443 TLS-ECDHE-ECDSA-WITH-AES-128-CCM \ 444 TLS-ECDHE-ECDSA-WITH-AES-256-CCM \ 445 TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8 \ 446 TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8 \ 447 " 448 fi 449 ;; 450 451 "RSA") 452 if [ `minor_ver "$MODE"` -ge 3 ] 453 then 454 CIPHERS="$CIPHERS \ 455 TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA256 \ 456 TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA384 \ 457 TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256 \ 458 TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256 \ 459 TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256 \ 460 TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256 \ 461 TLS-ECDHE-RSA-WITH-CAMELLIA-128-GCM-SHA256 \ 462 TLS-ECDHE-RSA-WITH-CAMELLIA-256-GCM-SHA384 \ 463 TLS-DHE-RSA-WITH-CAMELLIA-128-GCM-SHA256 \ 464 TLS-DHE-RSA-WITH-CAMELLIA-256-GCM-SHA384 \ 465 TLS-RSA-WITH-CAMELLIA-128-GCM-SHA256 \ 466 TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384 \ 467 TLS-RSA-WITH-AES-128-CCM \ 468 TLS-RSA-WITH-AES-256-CCM \ 469 TLS-DHE-RSA-WITH-AES-128-CCM \ 470 TLS-DHE-RSA-WITH-AES-256-CCM \ 471 TLS-RSA-WITH-AES-128-CCM-8 \ 472 TLS-RSA-WITH-AES-256-CCM-8 \ 473 TLS-DHE-RSA-WITH-AES-128-CCM-8 \ 474 TLS-DHE-RSA-WITH-AES-256-CCM-8 \ 475 " 476 fi 477 ;; 478 479 "PSK") 480 CIPHERS="$CIPHERS \ 481 TLS-DHE-PSK-WITH-3DES-EDE-CBC-SHA \ 482 TLS-DHE-PSK-WITH-AES-128-CBC-SHA \ 483 TLS-DHE-PSK-WITH-AES-256-CBC-SHA \ 484 " 485 if [ `minor_ver "$MODE"` -gt 0 ] 486 then 487 CIPHERS="$CIPHERS \ 488 TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA \ 489 TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA \ 490 TLS-ECDHE-PSK-WITH-3DES-EDE-CBC-SHA \ 491 TLS-RSA-PSK-WITH-3DES-EDE-CBC-SHA \ 492 TLS-RSA-PSK-WITH-AES-256-CBC-SHA \ 493 TLS-RSA-PSK-WITH-AES-128-CBC-SHA \ 494 " 495 fi 496 if [ `minor_ver "$MODE"` -ge 3 ] 497 then 498 CIPHERS="$CIPHERS \ 499 TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384 \ 500 TLS-ECDHE-PSK-WITH-CAMELLIA-256-CBC-SHA384 \ 501 TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256 \ 502 TLS-ECDHE-PSK-WITH-CAMELLIA-128-CBC-SHA256 \ 503 TLS-ECDHE-PSK-WITH-NULL-SHA384 \ 504 TLS-ECDHE-PSK-WITH-NULL-SHA256 \ 505 TLS-PSK-WITH-AES-128-CBC-SHA256 \ 506 TLS-PSK-WITH-AES-256-CBC-SHA384 \ 507 TLS-DHE-PSK-WITH-AES-128-CBC-SHA256 \ 508 TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 \ 509 TLS-PSK-WITH-NULL-SHA256 \ 510 TLS-PSK-WITH-NULL-SHA384 \ 511 TLS-DHE-PSK-WITH-NULL-SHA256 \ 512 TLS-DHE-PSK-WITH-NULL-SHA384 \ 513 TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 \ 514 TLS-RSA-PSK-WITH-AES-128-CBC-SHA256 \ 515 TLS-RSA-PSK-WITH-NULL-SHA256 \ 516 TLS-RSA-PSK-WITH-NULL-SHA384 \ 517 TLS-DHE-PSK-WITH-CAMELLIA-128-CBC-SHA256 \ 518 TLS-DHE-PSK-WITH-CAMELLIA-256-CBC-SHA384 \ 519 TLS-PSK-WITH-CAMELLIA-128-CBC-SHA256 \ 520 TLS-PSK-WITH-CAMELLIA-256-CBC-SHA384 \ 521 TLS-RSA-PSK-WITH-CAMELLIA-256-CBC-SHA384 \ 522 TLS-RSA-PSK-WITH-CAMELLIA-128-CBC-SHA256 \ 523 TLS-PSK-WITH-AES-128-GCM-SHA256 \ 524 TLS-PSK-WITH-AES-256-GCM-SHA384 \ 525 TLS-DHE-PSK-WITH-AES-128-GCM-SHA256 \ 526 TLS-DHE-PSK-WITH-AES-256-GCM-SHA384 \ 527 TLS-PSK-WITH-AES-128-CCM \ 528 TLS-PSK-WITH-AES-256-CCM \ 529 TLS-DHE-PSK-WITH-AES-128-CCM \ 530 TLS-DHE-PSK-WITH-AES-256-CCM \ 531 TLS-PSK-WITH-AES-128-CCM-8 \ 532 TLS-PSK-WITH-AES-256-CCM-8 \ 533 TLS-DHE-PSK-WITH-AES-128-CCM-8 \ 534 TLS-DHE-PSK-WITH-AES-256-CCM-8 \ 535 TLS-RSA-PSK-WITH-CAMELLIA-128-GCM-SHA256 \ 536 TLS-RSA-PSK-WITH-CAMELLIA-256-GCM-SHA384 \ 537 TLS-PSK-WITH-CAMELLIA-128-GCM-SHA256 \ 538 TLS-PSK-WITH-CAMELLIA-256-GCM-SHA384 \ 539 TLS-DHE-PSK-WITH-CAMELLIA-128-GCM-SHA256 \ 540 TLS-DHE-PSK-WITH-CAMELLIA-256-GCM-SHA384 \ 541 TLS-RSA-PSK-WITH-AES-256-GCM-SHA384 \ 542 TLS-RSA-PSK-WITH-AES-128-GCM-SHA256 \ 543 " 544 fi 545 ;; 546 esac 547 548 M_CIPHERS="$M_CIPHERS $CIPHERS" 549 550 T=$(./scripts/translate_ciphers.py g $CIPHERS) 551 check_translation $? "$T" 552 G_CIPHERS="$G_CIPHERS $T" 553} 554 555# Ciphersuites usable only with Mbed TLS (not currently supported by another 556# peer usable in this script). This provide only very rudimentaty testing, as 557# this is not interop testing, but it's better than nothing. 558add_mbedtls_ciphersuites() 559{ 560 case $TYPE in 561 562 "ECDSA") 563 if [ `minor_ver "$MODE"` -gt 0 ] 564 then 565 M_CIPHERS="$M_CIPHERS \ 566 TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA256 \ 567 TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384 \ 568 " 569 fi 570 if [ `minor_ver "$MODE"` -ge 3 ] 571 then 572 M_CIPHERS="$M_CIPHERS \ 573 TLS-ECDH-ECDSA-WITH-CAMELLIA-128-GCM-SHA256 \ 574 TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384 \ 575 TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384 \ 576 TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256 \ 577 TLS-ECDH-ECDSA-WITH-ARIA-256-GCM-SHA384 \ 578 TLS-ECDH-ECDSA-WITH-ARIA-128-GCM-SHA256 \ 579 TLS-ECDH-ECDSA-WITH-ARIA-256-CBC-SHA384 \ 580 TLS-ECDH-ECDSA-WITH-ARIA-128-CBC-SHA256 \ 581 " 582 fi 583 ;; 584 585 "RSA") 586 if [ `minor_ver "$MODE"` -ge 3 ] 587 then 588 M_CIPHERS="$M_CIPHERS \ 589 TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384 \ 590 TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384 \ 591 TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256 \ 592 TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256 \ 593 TLS-RSA-WITH-ARIA-256-CBC-SHA384 \ 594 TLS-RSA-WITH-ARIA-128-CBC-SHA256 \ 595 " 596 fi 597 ;; 598 599 "PSK") 600 # *PSK-NULL-SHA suites supported by GnuTLS 3.3.5 but not 3.2.15 601 M_CIPHERS="$M_CIPHERS \ 602 TLS-PSK-WITH-NULL-SHA \ 603 TLS-DHE-PSK-WITH-NULL-SHA \ 604 " 605 if [ `minor_ver "$MODE"` -gt 0 ] 606 then 607 M_CIPHERS="$M_CIPHERS \ 608 TLS-ECDHE-PSK-WITH-NULL-SHA \ 609 TLS-RSA-PSK-WITH-NULL-SHA \ 610 " 611 fi 612 if [ `minor_ver "$MODE"` -ge 3 ] 613 then 614 M_CIPHERS="$M_CIPHERS \ 615 TLS-RSA-PSK-WITH-ARIA-256-CBC-SHA384 \ 616 TLS-RSA-PSK-WITH-ARIA-128-CBC-SHA256 \ 617 TLS-PSK-WITH-ARIA-256-CBC-SHA384 \ 618 TLS-PSK-WITH-ARIA-128-CBC-SHA256 \ 619 TLS-RSA-PSK-WITH-ARIA-256-GCM-SHA384 \ 620 TLS-RSA-PSK-WITH-ARIA-128-GCM-SHA256 \ 621 TLS-ECDHE-PSK-WITH-ARIA-256-CBC-SHA384 \ 622 TLS-ECDHE-PSK-WITH-ARIA-128-CBC-SHA256 \ 623 TLS-DHE-PSK-WITH-ARIA-256-CBC-SHA384 \ 624 TLS-DHE-PSK-WITH-ARIA-128-CBC-SHA256 \ 625 TLS-RSA-PSK-WITH-CHACHA20-POLY1305-SHA256 \ 626 " 627 fi 628 ;; 629 esac 630} 631 632setup_arguments() 633{ 634 G_MODE="" 635 case "$MODE" in 636 "tls12") 637 G_PRIO_MODE="+VERS-TLS1.2" 638 ;; 639 "dtls12") 640 G_PRIO_MODE="+VERS-DTLS1.2" 641 G_MODE="-u" 642 ;; 643 *) 644 echo "error: invalid mode: $MODE" >&2 645 exit 1; 646 esac 647 648 # GnuTLS < 3.4 will choke if we try to allow CCM-8 649 if [ -z "${GNUTLS_MINOR_LT_FOUR-}" ]; then 650 G_PRIO_CCM="+AES-256-CCM-8:+AES-128-CCM-8:" 651 else 652 G_PRIO_CCM="" 653 fi 654 655 M_SERVER_ARGS="server_port=$PORT server_addr=0.0.0.0 force_version=$MODE" 656 O_SERVER_ARGS="-accept $PORT -cipher NULL,ALL -$MODE" 657 G_SERVER_ARGS="-p $PORT --http $G_MODE" 658 G_SERVER_PRIO="NORMAL:${G_PRIO_CCM}+NULL:+MD5:+PSK:+DHE-PSK:+ECDHE-PSK:+SHA256:+SHA384:+RSA-PSK:-VERS-TLS-ALL:$G_PRIO_MODE" 659 660 # The default prime for `openssl s_server` depends on the version: 661 # * OpenSSL <= 1.0.2a: 512-bit 662 # * OpenSSL 1.0.2b to 1.1.1b: 1024-bit 663 # * OpenSSL >= 1.1.1c: 2048-bit 664 # Mbed TLS wants >=1024, so force that for older versions. Don't force 665 # it for newer versions, which reject a 1024-bit prime. Indifferently 666 # force it or not for intermediate versions. 667 case $($OPENSSL_CMD version) in 668 "OpenSSL 1.0"*) 669 O_SERVER_ARGS="$O_SERVER_ARGS -dhparam data_files/dhparams.pem" 670 ;; 671 esac 672 673 # with OpenSSL 1.0.1h, -www, -WWW and -HTTP break DTLS handshakes 674 if is_dtls "$MODE"; then 675 O_SERVER_ARGS="$O_SERVER_ARGS" 676 else 677 O_SERVER_ARGS="$O_SERVER_ARGS -www" 678 fi 679 680 M_CLIENT_ARGS="server_port=$PORT server_addr=127.0.0.1 force_version=$MODE" 681 O_CLIENT_ARGS="-connect localhost:$PORT -$MODE" 682 G_CLIENT_ARGS="-p $PORT --debug 3 $G_MODE" 683 G_CLIENT_PRIO="NONE:$G_PRIO_MODE:+COMP-NULL:+CURVE-ALL:+SIGN-ALL" 684 685 if [ "X$VERIFY" = "XYES" ]; 686 then 687 M_SERVER_ARGS="$M_SERVER_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required" 688 O_SERVER_ARGS="$O_SERVER_ARGS -CAfile data_files/test-ca_cat12.crt -Verify 10" 689 G_SERVER_ARGS="$G_SERVER_ARGS --x509cafile data_files/test-ca_cat12.crt --require-client-cert" 690 691 M_CLIENT_ARGS="$M_CLIENT_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required" 692 O_CLIENT_ARGS="$O_CLIENT_ARGS -CAfile data_files/test-ca_cat12.crt -verify 10" 693 G_CLIENT_ARGS="$G_CLIENT_ARGS --x509cafile data_files/test-ca_cat12.crt" 694 else 695 # don't request a client cert at all 696 M_SERVER_ARGS="$M_SERVER_ARGS ca_file=none auth_mode=none" 697 G_SERVER_ARGS="$G_SERVER_ARGS --disable-client-cert" 698 699 M_CLIENT_ARGS="$M_CLIENT_ARGS ca_file=none auth_mode=none" 700 O_CLIENT_ARGS="$O_CLIENT_ARGS" 701 G_CLIENT_ARGS="$G_CLIENT_ARGS --insecure" 702 fi 703 704 case $TYPE in 705 "ECDSA") 706 M_SERVER_ARGS="$M_SERVER_ARGS crt_file=data_files/server5.crt key_file=data_files/server5.key" 707 O_SERVER_ARGS="$O_SERVER_ARGS -cert data_files/server5.crt -key data_files/server5.key" 708 G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key" 709 710 if [ "X$VERIFY" = "XYES" ]; then 711 M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=data_files/server6.crt key_file=data_files/server6.key" 712 O_CLIENT_ARGS="$O_CLIENT_ARGS -cert data_files/server6.crt -key data_files/server6.key" 713 G_CLIENT_ARGS="$G_CLIENT_ARGS --x509certfile data_files/server6.crt --x509keyfile data_files/server6.key" 714 else 715 M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=none key_file=none" 716 fi 717 ;; 718 719 "RSA") 720 M_SERVER_ARGS="$M_SERVER_ARGS crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key" 721 O_SERVER_ARGS="$O_SERVER_ARGS -cert data_files/server2-sha256.crt -key data_files/server2.key" 722 G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key" 723 724 if [ "X$VERIFY" = "XYES" ]; then 725 M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=data_files/cert_sha256.crt key_file=data_files/server1.key" 726 O_CLIENT_ARGS="$O_CLIENT_ARGS -cert data_files/cert_sha256.crt -key data_files/server1.key" 727 G_CLIENT_ARGS="$G_CLIENT_ARGS --x509certfile data_files/cert_sha256.crt --x509keyfile data_files/server1.key" 728 else 729 M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=none key_file=none" 730 fi 731 ;; 732 733 "PSK") 734 # give RSA-PSK-capable server a RSA cert 735 # (should be a separate type, but harder to close with openssl) 736 M_SERVER_ARGS="$M_SERVER_ARGS psk=6162636465666768696a6b6c6d6e6f70 ca_file=none crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key" 737 O_SERVER_ARGS="$O_SERVER_ARGS -psk 6162636465666768696a6b6c6d6e6f70 -nocert" 738 G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --pskpasswd data_files/passwd.psk" 739 740 M_CLIENT_ARGS="$M_CLIENT_ARGS psk=6162636465666768696a6b6c6d6e6f70 crt_file=none key_file=none" 741 O_CLIENT_ARGS="$O_CLIENT_ARGS -psk 6162636465666768696a6b6c6d6e6f70" 742 G_CLIENT_ARGS="$G_CLIENT_ARGS --pskusername Client_identity --pskkey=6162636465666768696a6b6c6d6e6f70" 743 ;; 744 esac 745} 746 747# is_mbedtls <cmd_line> 748is_mbedtls() { 749 echo "$1" | grep 'ssl_server2\|ssl_client2' > /dev/null 750} 751 752# has_mem_err <log_file_name> 753has_mem_err() { 754 if ( grep -F 'All heap blocks were freed -- no leaks are possible' "$1" && 755 grep -F 'ERROR SUMMARY: 0 errors from 0 contexts' "$1" ) > /dev/null 756 then 757 return 1 # false: does not have errors 758 else 759 return 0 # true: has errors 760 fi 761} 762 763# Wait for process $2 to be listening on port $1 764if type lsof >/dev/null 2>/dev/null; then 765 wait_server_start() { 766 START_TIME=$(date +%s) 767 if is_dtls "$MODE"; then 768 proto=UDP 769 else 770 proto=TCP 771 fi 772 while ! lsof -a -n -b -i "$proto:$1" -p "$2" >/dev/null 2>/dev/null; do 773 if [ $(( $(date +%s) - $START_TIME )) -gt $DOG_DELAY ]; then 774 echo "SERVERSTART TIMEOUT" 775 echo "SERVERSTART TIMEOUT" >> $SRV_OUT 776 break 777 fi 778 # Linux and *BSD support decimal arguments to sleep. On other 779 # OSes this may be a tight loop. 780 sleep 0.1 2>/dev/null || true 781 done 782 } 783else 784 echo "Warning: lsof not available, wait_server_start = sleep" 785 wait_server_start() { 786 sleep 2 787 } 788fi 789 790 791# start_server <name> 792# also saves name and command 793start_server() { 794 case $1 in 795 [Oo]pen*) 796 SERVER_CMD="$OPENSSL_CMD s_server $O_SERVER_ARGS" 797 ;; 798 [Gg]nu*) 799 SERVER_CMD="$GNUTLS_SERV $G_SERVER_ARGS --priority $G_SERVER_PRIO" 800 ;; 801 mbed*) 802 SERVER_CMD="$M_SRV $M_SERVER_ARGS" 803 if [ "$MEMCHECK" -gt 0 ]; then 804 SERVER_CMD="valgrind --leak-check=full $SERVER_CMD" 805 fi 806 ;; 807 *) 808 echo "error: invalid server name: $1" >&2 809 exit 1 810 ;; 811 esac 812 SERVER_NAME=$1 813 814 log "$SERVER_CMD" 815 echo "$SERVER_CMD" > $SRV_OUT 816 # for servers without -www or equivalent 817 while :; do echo bla; sleep 1; done | $SERVER_CMD >> $SRV_OUT 2>&1 & 818 PROCESS_ID=$! 819 820 wait_server_start "$PORT" "$PROCESS_ID" 821} 822 823# terminate the running server 824stop_server() { 825 kill $PROCESS_ID 2>/dev/null 826 wait $PROCESS_ID 2>/dev/null 827 828 if [ "$MEMCHECK" -gt 0 ]; then 829 if is_mbedtls "$SERVER_CMD" && has_mem_err $SRV_OUT; then 830 echo " ! Server had memory errors" 831 SRVMEM=$(( $SRVMEM + 1 )) 832 return 833 fi 834 fi 835 836 rm -f $SRV_OUT 837} 838 839# kill the running server (used when killed by signal) 840cleanup() { 841 rm -f $SRV_OUT $CLI_OUT 842 kill $PROCESS_ID >/dev/null 2>&1 843 kill $WATCHDOG_PID >/dev/null 2>&1 844 exit 1 845} 846 847# wait for client to terminate and set EXIT 848# must be called right after starting the client 849wait_client_done() { 850 CLI_PID=$! 851 852 ( sleep "$DOG_DELAY"; echo "TIMEOUT" >> $CLI_OUT; kill $CLI_PID ) & 853 WATCHDOG_PID=$! 854 855 wait $CLI_PID 856 EXIT=$? 857 858 kill $WATCHDOG_PID 859 wait $WATCHDOG_PID 860 861 echo "EXIT: $EXIT" >> $CLI_OUT 862} 863 864# run_client <name> <cipher> 865run_client() { 866 # announce what we're going to do 867 TESTS=$(( $TESTS + 1 )) 868 VERIF=$(echo $VERIFY | tr '[:upper:]' '[:lower:]') 869 TITLE="`echo $1 | head -c1`->`echo $SERVER_NAME | head -c1`" 870 TITLE="$TITLE $MODE,$VERIF $2" 871 printf "%s " "$TITLE" 872 LEN=$(( 72 - `echo "$TITLE" | wc -c` )) 873 for i in `seq 1 $LEN`; do printf '.'; done; printf ' ' 874 875 # should we skip? 876 if [ "X$SKIP_NEXT" = "XYES" ]; then 877 SKIP_NEXT="NO" 878 echo "SKIP" 879 SKIPPED=$(( $SKIPPED + 1 )) 880 return 881 fi 882 883 # run the command and interpret result 884 case $1 in 885 [Oo]pen*) 886 CLIENT_CMD="$OPENSSL_CMD s_client $O_CLIENT_ARGS -cipher $2" 887 log "$CLIENT_CMD" 888 echo "$CLIENT_CMD" > $CLI_OUT 889 printf 'GET HTTP/1.0\r\n\r\n' | $CLIENT_CMD >> $CLI_OUT 2>&1 & 890 wait_client_done 891 892 if [ $EXIT -eq 0 ]; then 893 RESULT=0 894 else 895 # If the cipher isn't supported... 896 if grep 'Cipher is (NONE)' $CLI_OUT >/dev/null; then 897 RESULT=1 898 else 899 RESULT=2 900 fi 901 fi 902 ;; 903 904 [Gg]nu*) 905 # need to force IPv4 with UDP, but keep localhost for auth 906 if is_dtls "$MODE"; then 907 G_HOST="127.0.0.1" 908 else 909 G_HOST="localhost" 910 fi 911 CLIENT_CMD="$GNUTLS_CLI $G_CLIENT_ARGS --priority $G_PRIO_MODE:$2 $G_HOST" 912 log "$CLIENT_CMD" 913 echo "$CLIENT_CMD" > $CLI_OUT 914 printf 'GET HTTP/1.0\r\n\r\n' | $CLIENT_CMD >> $CLI_OUT 2>&1 & 915 wait_client_done 916 917 if [ $EXIT -eq 0 ]; then 918 RESULT=0 919 else 920 RESULT=2 921 # interpret early failure, with a handshake_failure alert 922 # before the server hello, as "no ciphersuite in common" 923 if grep -F 'Received alert [40]: Handshake failed' $CLI_OUT; then 924 if grep -i 'SERVER HELLO .* was received' $CLI_OUT; then : 925 else 926 RESULT=1 927 fi 928 fi >/dev/null 929 fi 930 ;; 931 932 mbed*) 933 CLIENT_CMD="$M_CLI $M_CLIENT_ARGS force_ciphersuite=$2" 934 if [ "$MEMCHECK" -gt 0 ]; then 935 CLIENT_CMD="valgrind --leak-check=full $CLIENT_CMD" 936 fi 937 log "$CLIENT_CMD" 938 echo "$CLIENT_CMD" > $CLI_OUT 939 $CLIENT_CMD >> $CLI_OUT 2>&1 & 940 wait_client_done 941 942 case $EXIT in 943 # Success 944 "0") RESULT=0 ;; 945 946 # Ciphersuite not supported 947 "2") RESULT=1 ;; 948 949 # Error 950 *) RESULT=2 ;; 951 esac 952 953 if [ "$MEMCHECK" -gt 0 ]; then 954 if is_mbedtls "$CLIENT_CMD" && has_mem_err $CLI_OUT; then 955 RESULT=2 956 fi 957 fi 958 959 ;; 960 961 *) 962 echo "error: invalid client name: $1" >&2 963 exit 1 964 ;; 965 esac 966 967 echo "EXIT: $EXIT" >> $CLI_OUT 968 969 # report and count result 970 case $RESULT in 971 "0") 972 echo PASS 973 ;; 974 "1") 975 echo SKIP 976 SKIPPED=$(( $SKIPPED + 1 )) 977 ;; 978 "2") 979 echo FAIL 980 cp $SRV_OUT c-srv-${TESTS}.log 981 cp $CLI_OUT c-cli-${TESTS}.log 982 echo " ! outputs saved to c-srv-${TESTS}.log, c-cli-${TESTS}.log" 983 984 if [ "${LOG_FAILURE_ON_STDOUT:-0}" != 0 ]; then 985 echo " ! server output:" 986 cat c-srv-${TESTS}.log 987 echo " ! ===================================================" 988 echo " ! client output:" 989 cat c-cli-${TESTS}.log 990 fi 991 992 FAILED=$(( $FAILED + 1 )) 993 ;; 994 esac 995 996 rm -f $CLI_OUT 997} 998 999# 1000# MAIN 1001# 1002 1003if cd $( dirname $0 ); then :; else 1004 echo "cd $( dirname $0 ) failed" >&2 1005 exit 1 1006fi 1007 1008get_options "$@" 1009 1010# sanity checks, avoid an avalanche of errors 1011if [ ! -x "$M_SRV" ]; then 1012 echo "Command '$M_SRV' is not an executable file" >&2 1013 exit 1 1014fi 1015if [ ! -x "$M_CLI" ]; then 1016 echo "Command '$M_CLI' is not an executable file" >&2 1017 exit 1 1018fi 1019 1020if echo "$PEERS" | grep -i openssl > /dev/null; then 1021 if which "$OPENSSL_CMD" >/dev/null 2>&1; then :; else 1022 echo "Command '$OPENSSL_CMD' not found" >&2 1023 exit 1 1024 fi 1025fi 1026 1027if echo "$PEERS" | grep -i gnutls > /dev/null; then 1028 for CMD in "$GNUTLS_CLI" "$GNUTLS_SERV"; do 1029 if which "$CMD" >/dev/null 2>&1; then :; else 1030 echo "Command '$CMD' not found" >&2 1031 exit 1 1032 fi 1033 done 1034fi 1035 1036for PEER in $PEERS; do 1037 case "$PEER" in 1038 mbed*|[Oo]pen*|[Gg]nu*) 1039 ;; 1040 *) 1041 echo "Unknown peers: $PEER" >&2 1042 exit 1 1043 esac 1044done 1045 1046# Pick a "unique" port in the range 10000-19999. 1047PORT="0000$$" 1048PORT="1$(echo $PORT | tail -c 5)" 1049 1050# Also pick a unique name for intermediate files 1051SRV_OUT="srv_out.$$" 1052CLI_OUT="cli_out.$$" 1053 1054# client timeout delay: be more patient with valgrind 1055if [ "$MEMCHECK" -gt 0 ]; then 1056 DOG_DELAY=30 1057else 1058 DOG_DELAY=10 1059fi 1060 1061SKIP_NEXT="NO" 1062 1063trap cleanup INT TERM HUP 1064 1065for VERIFY in $VERIFIES; do 1066 for MODE in $MODES; do 1067 for TYPE in $TYPES; do 1068 for PEER in $PEERS; do 1069 1070 setup_arguments 1071 1072 case "$PEER" in 1073 1074 [Oo]pen*) 1075 1076 if test "$OSSL_NO_DTLS" -gt 0 && is_dtls "$MODE"; then 1077 continue; 1078 fi 1079 1080 reset_ciphersuites 1081 add_common_ciphersuites 1082 add_openssl_ciphersuites 1083 filter_ciphersuites 1084 1085 if [ "X" != "X$M_CIPHERS" ]; then 1086 start_server "OpenSSL" 1087 for i in $M_CIPHERS; do 1088 check_openssl_server_bug $i 1089 run_client mbedTLS $i 1090 done 1091 stop_server 1092 fi 1093 1094 if [ "X" != "X$O_CIPHERS" ]; then 1095 start_server "mbedTLS" 1096 for i in $O_CIPHERS; do 1097 run_client OpenSSL $i 1098 done 1099 stop_server 1100 fi 1101 1102 ;; 1103 1104 [Gg]nu*) 1105 1106 reset_ciphersuites 1107 add_common_ciphersuites 1108 add_gnutls_ciphersuites 1109 filter_ciphersuites 1110 1111 if [ "X" != "X$M_CIPHERS" ]; then 1112 start_server "GnuTLS" 1113 for i in $M_CIPHERS; do 1114 run_client mbedTLS $i 1115 done 1116 stop_server 1117 fi 1118 1119 if [ "X" != "X$G_CIPHERS" ]; then 1120 start_server "mbedTLS" 1121 for i in $G_CIPHERS; do 1122 run_client GnuTLS $i 1123 done 1124 stop_server 1125 fi 1126 1127 ;; 1128 1129 mbed*) 1130 1131 reset_ciphersuites 1132 add_common_ciphersuites 1133 add_openssl_ciphersuites 1134 add_gnutls_ciphersuites 1135 add_mbedtls_ciphersuites 1136 filter_ciphersuites 1137 1138 if [ "X" != "X$M_CIPHERS" ]; then 1139 start_server "mbedTLS" 1140 for i in $M_CIPHERS; do 1141 run_client mbedTLS $i 1142 done 1143 stop_server 1144 fi 1145 1146 ;; 1147 1148 *) 1149 echo "Unknown peer: $PEER" >&2 1150 exit 1 1151 ;; 1152 1153 esac 1154 1155 done 1156 done 1157 done 1158done 1159 1160echo "------------------------------------------------------------------------" 1161 1162if [ $FAILED -ne 0 -o $SRVMEM -ne 0 ]; 1163then 1164 printf "FAILED" 1165else 1166 printf "PASSED" 1167fi 1168 1169if [ "$MEMCHECK" -gt 0 ]; then 1170 MEMREPORT=", $SRVMEM server memory errors" 1171else 1172 MEMREPORT="" 1173fi 1174 1175PASSED=$(( $TESTS - $FAILED )) 1176echo " ($PASSED / $TESTS tests ($SKIPPED skipped$MEMREPORT))" 1177 1178FAILED=$(( $FAILED + $SRVMEM )) 1179exit $FAILED 1180