Lines Matching +full:check +full:- +full:test +full:- +full:suites
6 # SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
10 # Test interoperbility with OpenSSL, GnuTLS as well as itself.
12 # Check each common ciphersuite, with each version, both ways (client/server),
15 set -u
19 ulimit -f 20971520
36 : ${GNUTLS_CLI:=gnutls-cli}
37 : ${GNUTLS_SERV:=gnutls-serv}
43 # the variable is set, we can now check its value
52 G_VER="$( $GNUTLS_CLI --version | head -n1 )"
56 …eval $( echo $G_VER | sed 's/.* \([0-9]*\)\.\([0-9]\)*\.\([0-9]*\)$/MAJOR="\1" MINOR="\2" PATCH="\…
57 if [ $MAJOR -lt 3 -o \
58 \( $MAJOR -eq 3 -a $MINOR -lt 2 \) -o \
59 \( $MAJOR -eq 3 -a $MINOR -eq 2 -a $PATCH -lt 15 \) ]
64 if [ $MINOR -lt 4 ]; then
74 if git diff --quiet ../include/mbedtls/mbedtls_config.h 2>/dev/null; then
82 : ${MBEDTLS_TEST_PLATFORM:="$(uname -s | tr -c \\n0-9A-Za-z _)-$(uname -m | tr -c \\n0-9A-Za-z _)"}
86 # - basic-build-test.sh
87 # - all.sh (multiple components)
93 # - NULL: excluded from our default config + requires OpenSSL legacy
94 # - ARIA: requires OpenSSL >= 1.1.1
95 # - ChachaPoly: requires OpenSSL >= 1.1.0
108 printf " -h|--help\tPrint this help.\n"
109 printf " -f|--filter\tOnly matching ciphersuites are tested (Default: '%s')\n" "$FILTER"
110 printf " -e|--exclude\tMatching ciphersuites are excluded (Default: '%s')\n" "$EXCLUDE"
111 printf " -m|--modes\tWhich modes to perform (Default: '%s')\n" "$MODES"
112 printf " -t|--types\tWhich key exchange type to perform (Default: '%s')\n" "$TYPES"
113 printf " -V|--verify\tWhich verification modes to perform (Default: '%s')\n" "$VERIFIES"
114 printf " -p|--peers\tWhich peers to use (Default: '%s')\n" "$PEERS"
116 printf " -M|--memcheck\tCheck memory leaks and errors.\n"
117 printf " -v|--verbose\tSet verbose output.\n"
118 printf " --list-test-cases\tList all potential test cases (No Execution)\n"
119 printf " --outcome-file\tFile where test outcomes are written\n"
121 printf " --preserve-logs\tPreserve logs of successful tests as well\n"
132 # list_test_cases lists all potential test cases in compat.sh without execution
155 while [ $# -gt 0 ]; do
157 -f|--filter)
160 -e|--exclude)
163 -m|--modes)
166 -t|--types)
169 -V|--verify)
172 -p|--peers)
175 -v|--verbose)
178 -M|--memcheck)
181 # Please check scripts/check_test_cases.py correspondingly
182 # if you have to modify option, --list-test-cases
183 --list-test-cases)
187 --outcome-file)
190 --preserve-logs)
193 -h|--help)
207 VERIFIES="$( echo $VERIFIES | tr [a-z] [A-Z] )"
208 TYPES="$( echo $TYPES | tr [a-z] [A-Z] )"
221 test "$1" = "dtls12"
234 echo -1
247 NEW_LIST="$NEW_LIST $( echo "$i" | grep "$FILTER" | grep -v "$EXCLMODE" )"
251 echo "$NEW_LIST" | sed -e 's/[[:space:]][[:space:]]*/ /g' -e 's/^ //' -e 's/ $//'
256 if [ "X" != "X$FILTER" -o "X" != "X$EXCLUDE" ];
268 # For GnuTLS client -> Mbed TLS server,
284 # program (gnutls, mbedtls or openssl). $ciphers is a space-separated
289 if [ $? -ne 0 ]; then
367 # NOTE: for some reason RSA-PSK doesn't work with OpenSSL,
368 # so RSA-PSK ciphersuites need to go in other sections, see
369 # https://github.com/Mbed-TLS/mbedtls/issues/1419
371 # ChachaPoly suites are here rather than in "common", as they were added in
566 # *PSK_NULL_SHA suites supported by GnuTLS 3.3.5 but not 3.2.15
605 G_PRIO_MODE="+VERS-TLS1.2"
609 G_PRIO_MODE="+VERS-DTLS1.2"
610 G_MODE="-u"
617 # GnuTLS < 3.4 will choke if we try to allow CCM-8
618 if [ -z "${GNUTLS_MINOR_LT_FOUR-}" ]; then
619 G_PRIO_CCM="+AES-256-CCM-8:+AES-128-CCM-8:"
625 O_SERVER_ARGS="-accept $PORT -cipher ALL,COMPLEMENTOFALL -$O_MODE"
626 G_SERVER_ARGS="-p $PORT --http $G_MODE"
627 …RVER_PRIO="NORMAL:${G_PRIO_CCM}+NULL:+MD5:+PSK:+DHE-PSK:+ECDHE-PSK:+SHA256:+SHA384:+RSA-PSK:-VERS-…
630 # * OpenSSL <= 1.0.2a: 512-bit
631 # * OpenSSL 1.0.2b to 1.1.1b: 1024-bit
632 # * OpenSSL >= 1.1.1c: 2048-bit
634 # it for newer versions, which reject a 1024-bit prime. Indifferently
638 O_SERVER_ARGS="$O_SERVER_ARGS -dhparam data_files/dhparams.pem"
642 # with OpenSSL 1.0.1h, -www, -WWW and -HTTP break DTLS handshakes
646 O_SERVER_ARGS="$O_SERVER_ARGS -www"
650 O_CLIENT_ARGS="-connect localhost:$PORT -$O_MODE"
651 G_CLIENT_ARGS="-p $PORT --debug 3 $G_MODE"
654 # low-security ones. This covers not just cipher suites but also protocol
658 # a way to discover it from -help, so check the openssl version.
662 O_CLIENT_ARGS="$O_CLIENT_ARGS -cipher ALL@SECLEVEL=0"
663 O_SERVER_ARGS="$O_SERVER_ARGS -cipher ALL@SECLEVEL=0"
668 *ECDH-ECDSA*|*ECDH-RSA*) O_SUPPORT_ECDH="YES";;
674 M_SERVER_ARGS="$M_SERVER_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required"
675 O_SERVER_ARGS="$O_SERVER_ARGS -CAfile data_files/test-ca_cat12.crt -Verify 10"
676 … G_SERVER_ARGS="$G_SERVER_ARGS --x509cafile data_files/test-ca_cat12.crt --require-client-cert"
678 M_CLIENT_ARGS="$M_CLIENT_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required"
679 O_CLIENT_ARGS="$O_CLIENT_ARGS -CAfile data_files/test-ca_cat12.crt -verify 10"
680 G_CLIENT_ARGS="$G_CLIENT_ARGS --x509cafile data_files/test-ca_cat12.crt"
684 G_SERVER_ARGS="$G_SERVER_ARGS --disable-client-cert"
688 G_CLIENT_ARGS="$G_CLIENT_ARGS --insecure"
694 O_SERVER_ARGS="$O_SERVER_ARGS -cert data_files/server5.crt -key data_files/server5.key"
695 …G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile data_files/server5.crt --x509keyfile data_files/serve…
699 … O_CLIENT_ARGS="$O_CLIENT_ARGS -cert data_files/server6.crt -key data_files/server6.key"
700 …G_CLIENT_ARGS="$G_CLIENT_ARGS --x509certfile data_files/server6.crt --x509keyfile data_files/serve…
707 …M_SERVER_ARGS="$M_SERVER_ARGS crt_file=data_files/server2-sha256.crt key_file=data_files/server2.k…
708 … O_SERVER_ARGS="$O_SERVER_ARGS -cert data_files/server2-sha256.crt -key data_files/server2.key"
709 …G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile data_files/server2-sha256.crt --x509keyfile data_file…
713 … O_CLIENT_ARGS="$O_CLIENT_ARGS -cert data_files/cert_sha256.crt -key data_files/server1.key"
714 …G_CLIENT_ARGS="$G_CLIENT_ARGS --x509certfile data_files/cert_sha256.crt --x509keyfile data_files/s…
721 # give RSA-PSK-capable server a RSA cert
723 …sk=6162636465666768696a6b6c6d6e6f70 ca_file=none crt_file=data_files/server2-sha256.crt key_file=d…
724 O_SERVER_ARGS="$O_SERVER_ARGS -psk 6162636465666768696a6b6c6d6e6f70 -nocert"
725 …G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile data_files/server2-sha256.crt --x509keyfile data_file…
728 O_CLIENT_ARGS="$O_CLIENT_ARGS -psk 6162636465666768696a6b6c6d6e6f70"
729 …G_CLIENT_ARGS="$G_CLIENT_ARGS --pskusername Client_identity --pskkey=6162636465666768696a6b6c6d6e6…
745 if ( grep -F 'All heap blocks were freed -- no leaks are possible' "$1" &&
746 grep -F 'ERROR SUMMARY: 0 errors from 0 contexts' "$1" ) > /dev/null
763 while ! lsof -a -n -b -i "$proto:$1" -p "$2" >/dev/null 2>/dev/null; do
764 if [ $(( $(date +%s) - $START_TIME )) -gt $DOG_DELAY ]; then
790 SERVER_CMD="$GNUTLS_SERV $G_SERVER_ARGS --priority $G_SERVER_PRIO"
794 if [ "$MEMCHECK" -gt 0 ]; then
795 SERVER_CMD="valgrind --leak-check=full $SERVER_CMD"
807 # for servers without -www or equivalent
821 if [ "$MEMCHECK" -gt 0 ]; then
829 rm -f $SRV_OUT
834 rm -f $SRV_OUT $CLI_OUT
860 # $TITLE is considered as test case description for both --list-test-cases and
862 # each test case description.
864 TITLE="$1->$2 $MODE,$VERIF $3"
867 # record_outcome <outcome> [<failure-reason>]
870 if [ -n "$MBEDTLS_TEST_OUTCOME_FILE" ]; then
871 # The test outcome file has the format (in single line):
873 # test suite name;test case description;
878 "$1" "${2-}" \
884 cp $SRV_OUT c-srv-${TESTS}.log
885 cp $CLI_OUT c-cli-${TESTS}.log
888 # display additional information if test case fails
890 FAIL_PROMPT="outputs saved to c-srv-${TESTS}.log, c-cli-${TESTS}.log"
895 if [ "${LOG_FAILURE_ON_STDOUT:-0}" != 0 ]; then
897 cat c-srv-${TESTS}.log
900 cat c-cli-${TESTS}.log
910 printf "%s %.*s " "$TITLE" "$((71 - ${#TITLE}))" "$DOTS72"
923 CLIENT_CMD="$OPENSSL s_client $O_CLIENT_ARGS -cipher $3"
929 if [ $EXIT -eq 0 ]; then
948 CLIENT_CMD="$GNUTLS_CLI $G_CLIENT_ARGS --priority $G_PRIO_MODE:$3 $G_HOST"
954 if [ $EXIT -eq 0 ]; then
960 if grep -F 'Received alert [40]: Handshake failed' $CLI_OUT; then
961 if grep -i 'SERVER HELLO .* was received' $CLI_OUT; then :
971 if [ "$MEMCHECK" -gt 0 ]; then
972 CLIENT_CMD="valgrind --leak-check=full $CLIENT_CMD"
990 if [ "$MEMCHECK" -gt 0 ]; then
1010 if [ "$PRESERVE_LOGS" -gt 0 ]; then
1024 rm -f $CLI_OUT
1042 if [ ! -x "$M_SRV" ]; then
1046 if [ ! -x "$M_CLI" ]; then
1051 if echo "$PEERS" | grep -i openssl > /dev/null; then
1058 if echo "$PEERS" | grep -i gnutls > /dev/null; then
1077 # Pick a "unique" port in the range 10000-19999.
1079 PORT="1$(echo $PORT | tail -c 5)"
1086 if [ "$MEMCHECK" -gt 0 ]; then
1099 # PSK cipher suites do not allow client certificate verification.
1100 # This means PSK test cases with VERIFY=YES should be replaced by
1102 # verification option for PSK test cases.
1118 if test "$OSSL_NO_DTLS" -gt 0 && is_dtls "$MODE"; then
1122 # OpenSSL <1.0.2 doesn't support DTLS 1.2. Check if OpenSSL
1127 if ! $OPENSSL s_server -help 2>&1 | grep -q "^ *-$O_MODE "; then
1217 echo "------------------------------------------------------------------------"
1219 if [ $FAILED -ne 0 -o $SRVMEM -ne 0 ]; then
1225 if [ "$MEMCHECK" -gt 0 ]; then
1231 PASSED=$(( $TESTS - $FAILED ))
1235 if [ $FAILED -gt 255 ]; then