6 # SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
10 # Test interoperability with OpenSSL, GnuTLS as well as itself.
15 set -u
19 ulimit -f 20971520
35 : ${OPENSSL:=openssl}
36 : ${GNUTLS_CLI:=gnutls-cli}
37 : ${GNUTLS_SERV:=gnutls-serv}
39 # The OPENSSL variable used to be OPENSSL_CMD for historical reasons.
44 if [ "$OPENSSL_CMD" != "$OPENSSL" ]; then
45 echo "Please use OPENSSL instead of OPENSSL_CMD." >&2
52 G_VER="$( $GNUTLS_CLI --version | head -n1 )"
56 …eval $( echo $G_VER | sed 's/.* \([0-9]*\)\.\([0-9]\)*\.\([0-9]*\)$/MAJOR="\1" MINOR="\2" PATCH="\…
57 if [ $MAJOR -lt 3 -o \
58 \( $MAJOR -eq 3 -a $MINOR -lt 2 \) -o \
59 \( $MAJOR -eq 3 -a $MINOR -eq 2 -a $PATCH -lt 15 \) ]
64 if [ $MINOR -lt 4 ]; then
74 if git diff --quiet ../include/mbedtls/mbedtls_config.h 2>/dev/null; then
82 : ${MBEDTLS_TEST_PLATFORM:="$(uname -s | tr -c \\n0-9A-Za-z _)-$(uname -m | tr -c \\n0-9A-Za-z _)"}
86 # - basic-build-test.sh
87 # - all.sh (multiple components)
89 VERIFIES="NO YES"
93 # - NULL: excluded from our default config + requires OpenSSL legacy
94 # - ARIA: requires OpenSSL >= 1.1.1
95 # - ChachaPoly: requires OpenSSL >= 1.1.0
97 VERBOSE=""
99 PEERS="OpenSSL$PEER_GNUTLS mbedTLS"
101 # hidden option: skip DTLS with OpenSSL
107 printf " -h|--help\tPrint this help.\n"
108 printf " -f|--filter\tOnly matching ciphersuites are tested (Default: '%s')\n" "$FILTER"
109 printf " -e|--exclude\tMatching ciphersuites are excluded (Default: '%s')\n" "$EXCLUDE"
110 printf " -m|--modes\tWhich modes to perform (Default: '%s')\n" "$MODES"
111 printf " -t|--types\tWhich key exchange type to perform (Default: '%s')\n" "$TYPES"
112 printf " -V|--verify\tWhich verification modes to perform (Default: '%s')\n" "$VERIFIES"
113 printf " -p|--peers\tWhich peers to use (Default: '%s')\n" "$PEERS"
115 printf " -M|--memcheck\tCheck memory leaks and errors.\n"
116 printf " -v|--verbose\tSet verbose output.\n"
117 printf " --list-test-case\tList all potential test cases (No Execution)\n"
118 printf " --outcome-file\tFile where test outcomes are written\n"
153 while [ $# -gt 0 ]; do
155 -f|--filter)
158 -e|--exclude)
161 -m|--modes)
164 -t|--types)
167 -V|--verify)
170 -p|--peers)
173 -v|--verbose)
174 VERBOSE=1
176 -M|--memcheck)
180 # if you have to modify option, --list-test-case
181 --list-test-case)
185 --outcome-file)
188 -h|--help)
202 VERIFIES="$( echo $VERIFIES | tr [a-z] [A-Z] )"
203 TYPES="$( echo $TYPES | tr [a-z] [A-Z] )"
207 if [ "X" != "X$VERBOSE" ]; then
228 # exiting is no good here, typically called in a subshell
229 echo -1
242 NEW_LIST="$NEW_LIST $( echo "$i" | grep "$FILTER" | grep -v "$EXCLMODE" )"
246 echo "$NEW_LIST" | sed -e 's/[[:space:]][[:space:]]*/ /g' -e 's/^ //' -e 's/ $//'
251 if [ "X" != "X$FILTER" -o "X" != "X$EXCLUDE" ];
256 # Ciphersuite for OpenSSL
263 # For GnuTLS client -> Mbed TLS server,
279 # program (gnutls, mbedtls or openssl). $ciphers is a space-separated
284 if [ $? -ne 0 ]; then
355 # Ciphersuites usable only with Mbed TLS and OpenSSL
358 # to the list of OpenSSL ciphersuites $O_CIPHERS respectively.
362 # NOTE: for some reason RSA-PSK doesn't work with OpenSSL,
363 # so RSA-PSK ciphersuites need to go in other sections, see
364 # https://github.com/Mbed-TLS/mbedtls/issues/1419
586 if [ "${O_SUPPORT_ECDH}" = "NO" ]; then
600 G_PRIO_MODE="+VERS-TLS1.2"
604 G_PRIO_MODE="+VERS-DTLS1.2"
605 G_MODE="-u"
612 # GnuTLS < 3.4 will choke if we try to allow CCM-8
613 if [ -z "${GNUTLS_MINOR_LT_FOUR-}" ]; then
614 G_PRIO_CCM="+AES-256-CCM-8:+AES-128-CCM-8:"
620 O_SERVER_ARGS="-accept $PORT -cipher NULL,ALL -$O_MODE"
621 G_SERVER_ARGS="-p $PORT --http $G_MODE"
622 …RVER_PRIO="NORMAL:${G_PRIO_CCM}+NULL:+MD5:+PSK:+DHE-PSK:+ECDHE-PSK:+SHA256:+SHA384:+RSA-PSK:-VERS-…
624 # The default prime for `openssl s_server` depends on the version:
625 # * OpenSSL <= 1.0.2a: 512-bit
626 # * OpenSSL 1.0.2b to 1.1.1b: 1024-bit
627 # * OpenSSL >= 1.1.1c: 2048-bit
629 # it for newer versions, which reject a 1024-bit prime. Indifferently
631 case $($OPENSSL version) in
632 "OpenSSL 1.0"*)
633 O_SERVER_ARGS="$O_SERVER_ARGS -dhparam data_files/dhparams.pem"
637 # with OpenSSL 1.0.1h, -www, -WWW and -HTTP break DTLS handshakes
641 O_SERVER_ARGS="$O_SERVER_ARGS -www"
645 O_CLIENT_ARGS="-connect localhost:$PORT -$O_MODE"
646 G_CLIENT_ARGS="-p $PORT --debug 3 $G_MODE"
648 # Newer versions of OpenSSL have a syntax to enable all "ciphers", even
649 # low-security ones. This covers not just cipher suites but also protocol
651 # OpenSSL 1.1.1f from Ubuntu 20.04. The syntax was only introduced in
652 # OpenSSL 1.1.0 (21e0c1d23afff48601eb93135defddae51f7e2e3) and I can't find
653 # a way to discover it from -help, so check the openssl version.
654 case $($OPENSSL version) in
655 "OpenSSL 0"*|"OpenSSL 1.0"*) :;;
657 O_CLIENT_ARGS="$O_CLIENT_ARGS -cipher ALL@SECLEVEL=0"
658 O_SERVER_ARGS="$O_SERVER_ARGS -cipher ALL@SECLEVEL=0"
662 case $($OPENSSL ciphers ALL) in
663 *ECDH-ECDSA*|*ECDH-RSA*) O_SUPPORT_ECDH="YES";;
664 *) O_SUPPORT_ECDH="NO";;
669 M_SERVER_ARGS="$M_SERVER_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required"
670 O_SERVER_ARGS="$O_SERVER_ARGS -CAfile data_files/test-ca_cat12.crt -Verify 10"
671 … G_SERVER_ARGS="$G_SERVER_ARGS --x509cafile data_files/test-ca_cat12.crt --require-client-cert"
673 M_CLIENT_ARGS="$M_CLIENT_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required"
674 O_CLIENT_ARGS="$O_CLIENT_ARGS -CAfile data_files/test-ca_cat12.crt -verify 10"
675 G_CLIENT_ARGS="$G_CLIENT_ARGS --x509cafile data_files/test-ca_cat12.crt"
679 G_SERVER_ARGS="$G_SERVER_ARGS --disable-client-cert"
683 G_CLIENT_ARGS="$G_CLIENT_ARGS --insecure"
689 O_SERVER_ARGS="$O_SERVER_ARGS -cert data_files/server5.crt -key data_files/server5.key"
690 …G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile data_files/server5.crt --x509keyfile data_files/serve…
694 … O_CLIENT_ARGS="$O_CLIENT_ARGS -cert data_files/server6.crt -key data_files/server6.key"
695 …G_CLIENT_ARGS="$G_CLIENT_ARGS --x509certfile data_files/server6.crt --x509keyfile data_files/serve…
702 …M_SERVER_ARGS="$M_SERVER_ARGS crt_file=data_files/server2-sha256.crt key_file=data_files/server2.k…
703 … O_SERVER_ARGS="$O_SERVER_ARGS -cert data_files/server2-sha256.crt -key data_files/server2.key"
704 …G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile data_files/server2-sha256.crt --x509keyfile data_file…
708 … O_CLIENT_ARGS="$O_CLIENT_ARGS -cert data_files/cert_sha256.crt -key data_files/server1.key"
709 …G_CLIENT_ARGS="$G_CLIENT_ARGS --x509certfile data_files/cert_sha256.crt --x509keyfile data_files/s…
716 # give RSA-PSK-capable server a RSA cert
717 # (should be a separate type, but harder to close with openssl)
718 …sk=6162636465666768696a6b6c6d6e6f70 ca_file=none crt_file=data_files/server2-sha256.crt key_file=d…
719 O_SERVER_ARGS="$O_SERVER_ARGS -psk 6162636465666768696a6b6c6d6e6f70 -nocert"
720 …G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile data_files/server2-sha256.crt --x509keyfile data_file…
723 O_CLIENT_ARGS="$O_CLIENT_ARGS -psk 6162636465666768696a6b6c6d6e6f70"
724 …G_CLIENT_ARGS="$G_CLIENT_ARGS --pskusername Client_identity --pskkey=6162636465666768696a6b6c6d6e6…
740 if ( grep -F 'All heap blocks were freed -- no leaks are possible' "$1" &&
741 grep -F 'ERROR SUMMARY: 0 errors from 0 contexts' "$1" ) > /dev/null
758 while ! lsof -a -n -b -i "$proto:$1" -p "$2" >/dev/null 2>/dev/null; do
759 if [ $(( $(date +%s) - $START_TIME )) -gt $DOG_DELAY ]; then
782 SERVER_CMD="$OPENSSL s_server $O_SERVER_ARGS"
785 SERVER_CMD="$GNUTLS_SERV $G_SERVER_ARGS --priority $G_SERVER_PRIO"
789 if [ "$MEMCHECK" -gt 0 ]; then
790 SERVER_CMD="valgrind --leak-check=full $SERVER_CMD"
802 # for servers without -www or equivalent
816 if [ "$MEMCHECK" -gt 0 ]; then
824 rm -f $SRV_OUT
829 rm -f $SRV_OUT $CLI_OUT
855 # $TITLE is considered as test case description for both --list-test-case and
859 TITLE="$1->$2 $MODE,$VERIF $3"
862 # record_outcome <outcome> [<failure-reason>]
865 if [ -n "$MBEDTLS_TEST_OUTCOME_FILE" ]; then
873 "$1" "${2-}" \
880 FAIL_PROMPT="outputs saved to c-srv-${TESTS}.log, c-cli-${TESTS}.log"
882 cp $SRV_OUT c-srv-${TESTS}.log
883 cp $CLI_OUT c-cli-${TESTS}.log
886 if [ "${LOG_FAILURE_ON_STDOUT:-0}" != 0 ]; then
888 cat c-srv-${TESTS}.log
891 cat c-cli-${TESTS}.log
901 printf "%s %.*s " "$TITLE" "$((71 - ${#TITLE}))" "$DOTS72"
905 SKIP_NEXT="NO"
914 CLIENT_CMD="$OPENSSL s_client $O_CLIENT_ARGS -cipher $3"
920 if [ $EXIT -eq 0 ]; then
939 CLIENT_CMD="$GNUTLS_CLI $G_CLIENT_ARGS --priority $G_PRIO_MODE:$3 $G_HOST"
945 if [ $EXIT -eq 0 ]; then
950 # before the server hello, as "no ciphersuite in common"
951 if grep -F 'Received alert [40]: Handshake failed' $CLI_OUT; then
952 if grep -i 'SERVER HELLO .* was received' $CLI_OUT; then :
962 if [ "$MEMCHECK" -gt 0 ]; then
963 CLIENT_CMD="valgrind --leak-check=full $CLIENT_CMD"
981 if [ "$MEMCHECK" -gt 0 ]; then
1012 rm -f $CLI_OUT
1030 if [ ! -x "$M_SRV" ]; then
1034 if [ ! -x "$M_CLI" ]; then
1039 if echo "$PEERS" | grep -i openssl > /dev/null; then
1040 if which "$OPENSSL" >/dev/null 2>&1; then :; else
1041 echo "Command '$OPENSSL' not found" >&2
1046 if echo "$PEERS" | grep -i gnutls > /dev/null; then
1065 # Pick a "unique" port in the range 10000-19999.
1067 PORT="1$(echo $PORT | tail -c 5)"
1074 if [ "$MEMCHECK" -gt 0 ]; then
1080 SKIP_NEXT="NO"
1089 # VERIFY=NO or be ignored. SUB_VERIFIES variable is used to constrain
1093 SUB_VERIFIES="NO"
1106 if test "$OSSL_NO_DTLS" -gt 0 && is_dtls "$MODE"; then
1110 # OpenSSL <1.0.2 doesn't support DTLS 1.2. Check if OpenSSL
1115 if ! $OPENSSL s_server -help 2>&1 | grep -q "^ *-$O_MODE "; then
1125 start_server "OpenSSL"
1139 run_client OpenSSL ${i%%=*} ${i#*=}
1205 echo "------------------------------------------------------------------------"
1207 if [ $FAILED -ne 0 -o $SRVMEM -ne 0 ]; then
1213 if [ "$MEMCHECK" -gt 0 ]; then
1219 PASSED=$(( $TESTS - $FAILED ))
1223 if [ $FAILED -gt 255 ]; then