mbed TLS upgraded to 2.6.0

Fork of mbedtls by Mark Radbourne

Committer:
markrad
Date:
Thu Jan 05 00:18:44 2017 +0000
Revision:
0:cdf462088d13
Child:
2:bbdeda018a3c
Initial commit

Who changed what in which revision?

UserRevisionLine numberNew contents of line
markrad 0:cdf462088d13 1 #!/bin/sh
markrad 0:cdf462088d13 2
markrad 0:cdf462088d13 3 # compat.sh
markrad 0:cdf462088d13 4 #
markrad 0:cdf462088d13 5 # This file is part of mbed TLS (https://tls.mbed.org)
markrad 0:cdf462088d13 6 #
markrad 0:cdf462088d13 7 # Copyright (c) 2012-2016, ARM Limited, All Rights Reserved
markrad 0:cdf462088d13 8 #
markrad 0:cdf462088d13 9 # Purpose
markrad 0:cdf462088d13 10 #
markrad 0:cdf462088d13 11 # Test interoperbility with OpenSSL, GnuTLS as well as itself.
markrad 0:cdf462088d13 12 #
markrad 0:cdf462088d13 13 # Check each common ciphersuite, with each version, both ways (client/server),
markrad 0:cdf462088d13 14 # with and without client authentication.
markrad 0:cdf462088d13 15
markrad 0:cdf462088d13 16 set -u
markrad 0:cdf462088d13 17
markrad 0:cdf462088d13 18 # initialise counters
markrad 0:cdf462088d13 19 TESTS=0
markrad 0:cdf462088d13 20 FAILED=0
markrad 0:cdf462088d13 21 SKIPPED=0
markrad 0:cdf462088d13 22 SRVMEM=0
markrad 0:cdf462088d13 23
markrad 0:cdf462088d13 24 # default commands, can be overriden by the environment
markrad 0:cdf462088d13 25 : ${M_SRV:=../programs/ssl/ssl_server2}
markrad 0:cdf462088d13 26 : ${M_CLI:=../programs/ssl/ssl_client2}
markrad 0:cdf462088d13 27 : ${OPENSSL_CMD:=openssl} # OPENSSL would conflict with the build system
markrad 0:cdf462088d13 28 : ${GNUTLS_CLI:=gnutls-cli}
markrad 0:cdf462088d13 29 : ${GNUTLS_SERV:=gnutls-serv}
markrad 0:cdf462088d13 30
markrad 0:cdf462088d13 31 # do we have a recent enough GnuTLS?
markrad 0:cdf462088d13 32 if ( which $GNUTLS_CLI && which $GNUTLS_SERV ) >/dev/null 2>&1; then
markrad 0:cdf462088d13 33 G_VER="$( $GNUTLS_CLI --version | head -n1 )"
markrad 0:cdf462088d13 34 if echo "$G_VER" | grep '@VERSION@' > /dev/null; then # git version
markrad 0:cdf462088d13 35 PEER_GNUTLS=" GnuTLS"
markrad 0:cdf462088d13 36 else
markrad 0:cdf462088d13 37 eval $( echo $G_VER | sed 's/.* \([0-9]*\)\.\([0-9]\)*\.\([0-9]*\)$/MAJOR="\1" MINOR="\2" PATCH="\3"/' )
markrad 0:cdf462088d13 38 if [ $MAJOR -lt 3 -o \
markrad 0:cdf462088d13 39 \( $MAJOR -eq 3 -a $MINOR -lt 2 \) -o \
markrad 0:cdf462088d13 40 \( $MAJOR -eq 3 -a $MINOR -eq 2 -a $PATCH -lt 15 \) ]
markrad 0:cdf462088d13 41 then
markrad 0:cdf462088d13 42 PEER_GNUTLS=""
markrad 0:cdf462088d13 43 else
markrad 0:cdf462088d13 44 PEER_GNUTLS=" GnuTLS"
markrad 0:cdf462088d13 45 fi
markrad 0:cdf462088d13 46 fi
markrad 0:cdf462088d13 47 else
markrad 0:cdf462088d13 48 PEER_GNUTLS=""
markrad 0:cdf462088d13 49 fi
markrad 0:cdf462088d13 50
markrad 0:cdf462088d13 51 # default values for options
markrad 0:cdf462088d13 52 MODES="tls1 tls1_1 tls1_2 dtls1 dtls1_2"
markrad 0:cdf462088d13 53 VERIFIES="NO YES"
markrad 0:cdf462088d13 54 TYPES="ECDSA RSA PSK"
markrad 0:cdf462088d13 55 FILTER=""
markrad 0:cdf462088d13 56 EXCLUDE='NULL\|DES-CBC-\|RC4\|ARCFOUR' # avoid plain DES but keep 3DES-EDE-CBC (mbedTLS), DES-CBC3 (OpenSSL)
markrad 0:cdf462088d13 57 VERBOSE=""
markrad 0:cdf462088d13 58 MEMCHECK=0
markrad 0:cdf462088d13 59 PEERS="OpenSSL$PEER_GNUTLS mbedTLS"
markrad 0:cdf462088d13 60
markrad 0:cdf462088d13 61 # hidden option: skip DTLS with OpenSSL
markrad 0:cdf462088d13 62 # (travis CI has a version that doesn't work for us)
markrad 0:cdf462088d13 63 : ${OSSL_NO_DTLS:=0}
markrad 0:cdf462088d13 64
markrad 0:cdf462088d13 65 print_usage() {
markrad 0:cdf462088d13 66 echo "Usage: $0"
markrad 0:cdf462088d13 67 printf " -h|--help\tPrint this help.\n"
markrad 0:cdf462088d13 68 printf " -f|--filter\tOnly matching ciphersuites are tested (Default: '$FILTER')\n"
markrad 0:cdf462088d13 69 printf " -e|--exclude\tMatching ciphersuites are excluded (Default: '$EXCLUDE')\n"
markrad 0:cdf462088d13 70 printf " -m|--modes\tWhich modes to perform (Default: '$MODES')\n"
markrad 0:cdf462088d13 71 printf " -t|--types\tWhich key exchange type to perform (Default: '$TYPES')\n"
markrad 0:cdf462088d13 72 printf " -V|--verify\tWhich verification modes to perform (Default: '$VERIFIES')\n"
markrad 0:cdf462088d13 73 printf " -p|--peers\tWhich peers to use (Default: '$PEERS')\n"
markrad 0:cdf462088d13 74 printf " \tAlso available: GnuTLS (needs v3.2.15 or higher)\n"
markrad 0:cdf462088d13 75 printf " -M|--memcheck\tCheck memory leaks and errors.\n"
markrad 0:cdf462088d13 76 printf " -v|--verbose\tSet verbose output.\n"
markrad 0:cdf462088d13 77 }
markrad 0:cdf462088d13 78
markrad 0:cdf462088d13 79 get_options() {
markrad 0:cdf462088d13 80 while [ $# -gt 0 ]; do
markrad 0:cdf462088d13 81 case "$1" in
markrad 0:cdf462088d13 82 -f|--filter)
markrad 0:cdf462088d13 83 shift; FILTER=$1
markrad 0:cdf462088d13 84 ;;
markrad 0:cdf462088d13 85 -e|--exclude)
markrad 0:cdf462088d13 86 shift; EXCLUDE=$1
markrad 0:cdf462088d13 87 ;;
markrad 0:cdf462088d13 88 -m|--modes)
markrad 0:cdf462088d13 89 shift; MODES=$1
markrad 0:cdf462088d13 90 ;;
markrad 0:cdf462088d13 91 -t|--types)
markrad 0:cdf462088d13 92 shift; TYPES=$1
markrad 0:cdf462088d13 93 ;;
markrad 0:cdf462088d13 94 -V|--verify)
markrad 0:cdf462088d13 95 shift; VERIFIES=$1
markrad 0:cdf462088d13 96 ;;
markrad 0:cdf462088d13 97 -p|--peers)
markrad 0:cdf462088d13 98 shift; PEERS=$1
markrad 0:cdf462088d13 99 ;;
markrad 0:cdf462088d13 100 -v|--verbose)
markrad 0:cdf462088d13 101 VERBOSE=1
markrad 0:cdf462088d13 102 ;;
markrad 0:cdf462088d13 103 -M|--memcheck)
markrad 0:cdf462088d13 104 MEMCHECK=1
markrad 0:cdf462088d13 105 ;;
markrad 0:cdf462088d13 106 -h|--help)
markrad 0:cdf462088d13 107 print_usage
markrad 0:cdf462088d13 108 exit 0
markrad 0:cdf462088d13 109 ;;
markrad 0:cdf462088d13 110 *)
markrad 0:cdf462088d13 111 echo "Unknown argument: '$1'"
markrad 0:cdf462088d13 112 print_usage
markrad 0:cdf462088d13 113 exit 1
markrad 0:cdf462088d13 114 ;;
markrad 0:cdf462088d13 115 esac
markrad 0:cdf462088d13 116 shift
markrad 0:cdf462088d13 117 done
markrad 0:cdf462088d13 118
markrad 0:cdf462088d13 119 # sanitize some options (modes checked later)
markrad 0:cdf462088d13 120 VERIFIES="$( echo $VERIFIES | tr [a-z] [A-Z] )"
markrad 0:cdf462088d13 121 TYPES="$( echo $TYPES | tr [a-z] [A-Z] )"
markrad 0:cdf462088d13 122 }
markrad 0:cdf462088d13 123
markrad 0:cdf462088d13 124 log() {
markrad 0:cdf462088d13 125 if [ "X" != "X$VERBOSE" ]; then
markrad 0:cdf462088d13 126 echo ""
markrad 0:cdf462088d13 127 echo "$@"
markrad 0:cdf462088d13 128 fi
markrad 0:cdf462088d13 129 }
markrad 0:cdf462088d13 130
markrad 0:cdf462088d13 131 # is_dtls <mode>
markrad 0:cdf462088d13 132 is_dtls()
markrad 0:cdf462088d13 133 {
markrad 0:cdf462088d13 134 test "$1" = "dtls1" -o "$1" = "dtls1_2"
markrad 0:cdf462088d13 135 }
markrad 0:cdf462088d13 136
markrad 0:cdf462088d13 137 # minor_ver <mode>
markrad 0:cdf462088d13 138 minor_ver()
markrad 0:cdf462088d13 139 {
markrad 0:cdf462088d13 140 case "$1" in
markrad 0:cdf462088d13 141 ssl3)
markrad 0:cdf462088d13 142 echo 0
markrad 0:cdf462088d13 143 ;;
markrad 0:cdf462088d13 144 tls1)
markrad 0:cdf462088d13 145 echo 1
markrad 0:cdf462088d13 146 ;;
markrad 0:cdf462088d13 147 tls1_1|dtls1)
markrad 0:cdf462088d13 148 echo 2
markrad 0:cdf462088d13 149 ;;
markrad 0:cdf462088d13 150 tls1_2|dtls1_2)
markrad 0:cdf462088d13 151 echo 3
markrad 0:cdf462088d13 152 ;;
markrad 0:cdf462088d13 153 *)
markrad 0:cdf462088d13 154 echo "error: invalid mode: $MODE" >&2
markrad 0:cdf462088d13 155 # exiting is no good here, typically called in a subshell
markrad 0:cdf462088d13 156 echo -1
markrad 0:cdf462088d13 157 esac
markrad 0:cdf462088d13 158 }
markrad 0:cdf462088d13 159
markrad 0:cdf462088d13 160 filter()
markrad 0:cdf462088d13 161 {
markrad 0:cdf462088d13 162 LIST="$1"
markrad 0:cdf462088d13 163 NEW_LIST=""
markrad 0:cdf462088d13 164
markrad 0:cdf462088d13 165 if is_dtls "$MODE"; then
markrad 0:cdf462088d13 166 EXCLMODE="$EXCLUDE"'\|RC4\|ARCFOUR'
markrad 0:cdf462088d13 167 else
markrad 0:cdf462088d13 168 EXCLMODE="$EXCLUDE"
markrad 0:cdf462088d13 169 fi
markrad 0:cdf462088d13 170
markrad 0:cdf462088d13 171 for i in $LIST;
markrad 0:cdf462088d13 172 do
markrad 0:cdf462088d13 173 NEW_LIST="$NEW_LIST $( echo "$i" | grep "$FILTER" | grep -v "$EXCLMODE" )"
markrad 0:cdf462088d13 174 done
markrad 0:cdf462088d13 175
markrad 0:cdf462088d13 176 # normalize whitespace
markrad 0:cdf462088d13 177 echo "$NEW_LIST" | sed -e 's/[[:space:]][[:space:]]*/ /g' -e 's/^ //' -e 's/ $//'
markrad 0:cdf462088d13 178 }
markrad 0:cdf462088d13 179
markrad 0:cdf462088d13 180 # OpenSSL 1.0.1h with -Verify wants a ClientCertificate message even for
markrad 0:cdf462088d13 181 # PSK ciphersuites with DTLS, which is incorrect, so disable them for now
markrad 0:cdf462088d13 182 check_openssl_server_bug()
markrad 0:cdf462088d13 183 {
markrad 0:cdf462088d13 184 if test "X$VERIFY" = "XYES" && is_dtls "$MODE" && \
markrad 0:cdf462088d13 185 echo "$1" | grep "^TLS-PSK" >/dev/null;
markrad 0:cdf462088d13 186 then
markrad 0:cdf462088d13 187 SKIP_NEXT="YES"
markrad 0:cdf462088d13 188 fi
markrad 0:cdf462088d13 189 }
markrad 0:cdf462088d13 190
markrad 0:cdf462088d13 191 filter_ciphersuites()
markrad 0:cdf462088d13 192 {
markrad 0:cdf462088d13 193 if [ "X" != "X$FILTER" -o "X" != "X$EXCLUDE" ];
markrad 0:cdf462088d13 194 then
markrad 0:cdf462088d13 195 # Ciphersuite for mbed TLS
markrad 0:cdf462088d13 196 M_CIPHERS=$( filter "$M_CIPHERS" )
markrad 0:cdf462088d13 197
markrad 0:cdf462088d13 198 # Ciphersuite for OpenSSL
markrad 0:cdf462088d13 199 O_CIPHERS=$( filter "$O_CIPHERS" )
markrad 0:cdf462088d13 200
markrad 0:cdf462088d13 201 # Ciphersuite for GnuTLS
markrad 0:cdf462088d13 202 G_CIPHERS=$( filter "$G_CIPHERS" )
markrad 0:cdf462088d13 203 fi
markrad 0:cdf462088d13 204
markrad 0:cdf462088d13 205 # OpenSSL 1.0.1h doesn't support DTLS 1.2
markrad 0:cdf462088d13 206 if [ `minor_ver "$MODE"` -ge 3 ] && is_dtls "$MODE"; then
markrad 0:cdf462088d13 207 O_CIPHERS=""
markrad 0:cdf462088d13 208 case "$PEER" in
markrad 0:cdf462088d13 209 [Oo]pen*)
markrad 0:cdf462088d13 210 M_CIPHERS=""
markrad 0:cdf462088d13 211 ;;
markrad 0:cdf462088d13 212 esac
markrad 0:cdf462088d13 213 fi
markrad 0:cdf462088d13 214
markrad 0:cdf462088d13 215 # For GnuTLS client -> mbed TLS server,
markrad 0:cdf462088d13 216 # we need to force IPv4 by connecting to 127.0.0.1 but then auth fails
markrad 0:cdf462088d13 217 if [ "X$VERIFY" = "XYES" ] && is_dtls "$MODE"; then
markrad 0:cdf462088d13 218 G_CIPHERS=""
markrad 0:cdf462088d13 219 fi
markrad 0:cdf462088d13 220 }
markrad 0:cdf462088d13 221
markrad 0:cdf462088d13 222 reset_ciphersuites()
markrad 0:cdf462088d13 223 {
markrad 0:cdf462088d13 224 M_CIPHERS=""
markrad 0:cdf462088d13 225 O_CIPHERS=""
markrad 0:cdf462088d13 226 G_CIPHERS=""
markrad 0:cdf462088d13 227 }
markrad 0:cdf462088d13 228
markrad 0:cdf462088d13 229 add_common_ciphersuites()
markrad 0:cdf462088d13 230 {
markrad 0:cdf462088d13 231 case $TYPE in
markrad 0:cdf462088d13 232
markrad 0:cdf462088d13 233 "ECDSA")
markrad 0:cdf462088d13 234 if [ `minor_ver "$MODE"` -gt 0 ]
markrad 0:cdf462088d13 235 then
markrad 0:cdf462088d13 236 M_CIPHERS="$M_CIPHERS \
markrad 0:cdf462088d13 237 TLS-ECDHE-ECDSA-WITH-NULL-SHA \
markrad 0:cdf462088d13 238 TLS-ECDHE-ECDSA-WITH-RC4-128-SHA \
markrad 0:cdf462088d13 239 TLS-ECDHE-ECDSA-WITH-3DES-EDE-CBC-SHA \
markrad 0:cdf462088d13 240 TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 241 TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA \
markrad 0:cdf462088d13 242 "
markrad 0:cdf462088d13 243 G_CIPHERS="$G_CIPHERS \
markrad 0:cdf462088d13 244 +ECDHE-ECDSA:+NULL:+SHA1 \
markrad 0:cdf462088d13 245 +ECDHE-ECDSA:+ARCFOUR-128:+SHA1 \
markrad 0:cdf462088d13 246 +ECDHE-ECDSA:+3DES-CBC:+SHA1 \
markrad 0:cdf462088d13 247 +ECDHE-ECDSA:+AES-128-CBC:+SHA1 \
markrad 0:cdf462088d13 248 +ECDHE-ECDSA:+AES-256-CBC:+SHA1 \
markrad 0:cdf462088d13 249 "
markrad 0:cdf462088d13 250 O_CIPHERS="$O_CIPHERS \
markrad 0:cdf462088d13 251 ECDHE-ECDSA-NULL-SHA \
markrad 0:cdf462088d13 252 ECDHE-ECDSA-RC4-SHA \
markrad 0:cdf462088d13 253 ECDHE-ECDSA-DES-CBC3-SHA \
markrad 0:cdf462088d13 254 ECDHE-ECDSA-AES128-SHA \
markrad 0:cdf462088d13 255 ECDHE-ECDSA-AES256-SHA \
markrad 0:cdf462088d13 256 "
markrad 0:cdf462088d13 257 fi
markrad 0:cdf462088d13 258 if [ `minor_ver "$MODE"` -ge 3 ]
markrad 0:cdf462088d13 259 then
markrad 0:cdf462088d13 260 M_CIPHERS="$M_CIPHERS \
markrad 0:cdf462088d13 261 TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 \
markrad 0:cdf462088d13 262 TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384 \
markrad 0:cdf462088d13 263 TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
markrad 0:cdf462088d13 264 TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384 \
markrad 0:cdf462088d13 265 "
markrad 0:cdf462088d13 266 G_CIPHERS="$G_CIPHERS \
markrad 0:cdf462088d13 267 +ECDHE-ECDSA:+AES-128-CBC:+SHA256 \
markrad 0:cdf462088d13 268 +ECDHE-ECDSA:+AES-256-CBC:+SHA384 \
markrad 0:cdf462088d13 269 +ECDHE-ECDSA:+AES-128-GCM:+AEAD \
markrad 0:cdf462088d13 270 +ECDHE-ECDSA:+AES-256-GCM:+AEAD \
markrad 0:cdf462088d13 271 "
markrad 0:cdf462088d13 272 O_CIPHERS="$O_CIPHERS \
markrad 0:cdf462088d13 273 ECDHE-ECDSA-AES128-SHA256 \
markrad 0:cdf462088d13 274 ECDHE-ECDSA-AES256-SHA384 \
markrad 0:cdf462088d13 275 ECDHE-ECDSA-AES128-GCM-SHA256 \
markrad 0:cdf462088d13 276 ECDHE-ECDSA-AES256-GCM-SHA384 \
markrad 0:cdf462088d13 277 "
markrad 0:cdf462088d13 278 fi
markrad 0:cdf462088d13 279 ;;
markrad 0:cdf462088d13 280
markrad 0:cdf462088d13 281 "RSA")
markrad 0:cdf462088d13 282 M_CIPHERS="$M_CIPHERS \
markrad 0:cdf462088d13 283 TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 284 TLS-DHE-RSA-WITH-AES-256-CBC-SHA \
markrad 0:cdf462088d13 285 TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA \
markrad 0:cdf462088d13 286 TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA \
markrad 0:cdf462088d13 287 TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA \
markrad 0:cdf462088d13 288 TLS-RSA-WITH-AES-256-CBC-SHA \
markrad 0:cdf462088d13 289 TLS-RSA-WITH-CAMELLIA-256-CBC-SHA \
markrad 0:cdf462088d13 290 TLS-RSA-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 291 TLS-RSA-WITH-CAMELLIA-128-CBC-SHA \
markrad 0:cdf462088d13 292 TLS-RSA-WITH-3DES-EDE-CBC-SHA \
markrad 0:cdf462088d13 293 TLS-RSA-WITH-RC4-128-SHA \
markrad 0:cdf462088d13 294 TLS-RSA-WITH-RC4-128-MD5 \
markrad 0:cdf462088d13 295 TLS-RSA-WITH-NULL-MD5 \
markrad 0:cdf462088d13 296 TLS-RSA-WITH-NULL-SHA \
markrad 0:cdf462088d13 297 "
markrad 0:cdf462088d13 298 G_CIPHERS="$G_CIPHERS \
markrad 0:cdf462088d13 299 +DHE-RSA:+AES-128-CBC:+SHA1 \
markrad 0:cdf462088d13 300 +DHE-RSA:+AES-256-CBC:+SHA1 \
markrad 0:cdf462088d13 301 +DHE-RSA:+CAMELLIA-128-CBC:+SHA1 \
markrad 0:cdf462088d13 302 +DHE-RSA:+CAMELLIA-256-CBC:+SHA1 \
markrad 0:cdf462088d13 303 +DHE-RSA:+3DES-CBC:+SHA1 \
markrad 0:cdf462088d13 304 +RSA:+AES-256-CBC:+SHA1 \
markrad 0:cdf462088d13 305 +RSA:+CAMELLIA-256-CBC:+SHA1 \
markrad 0:cdf462088d13 306 +RSA:+AES-128-CBC:+SHA1 \
markrad 0:cdf462088d13 307 +RSA:+CAMELLIA-128-CBC:+SHA1 \
markrad 0:cdf462088d13 308 +RSA:+3DES-CBC:+SHA1 \
markrad 0:cdf462088d13 309 +RSA:+ARCFOUR-128:+SHA1 \
markrad 0:cdf462088d13 310 +RSA:+ARCFOUR-128:+MD5 \
markrad 0:cdf462088d13 311 +RSA:+NULL:+MD5 \
markrad 0:cdf462088d13 312 +RSA:+NULL:+SHA1 \
markrad 0:cdf462088d13 313 "
markrad 0:cdf462088d13 314 O_CIPHERS="$O_CIPHERS \
markrad 0:cdf462088d13 315 DHE-RSA-AES128-SHA \
markrad 0:cdf462088d13 316 DHE-RSA-AES256-SHA \
markrad 0:cdf462088d13 317 DHE-RSA-CAMELLIA128-SHA \
markrad 0:cdf462088d13 318 DHE-RSA-CAMELLIA256-SHA \
markrad 0:cdf462088d13 319 EDH-RSA-DES-CBC3-SHA \
markrad 0:cdf462088d13 320 AES256-SHA \
markrad 0:cdf462088d13 321 CAMELLIA256-SHA \
markrad 0:cdf462088d13 322 AES128-SHA \
markrad 0:cdf462088d13 323 CAMELLIA128-SHA \
markrad 0:cdf462088d13 324 DES-CBC3-SHA \
markrad 0:cdf462088d13 325 RC4-SHA \
markrad 0:cdf462088d13 326 RC4-MD5 \
markrad 0:cdf462088d13 327 NULL-MD5 \
markrad 0:cdf462088d13 328 NULL-SHA \
markrad 0:cdf462088d13 329 "
markrad 0:cdf462088d13 330 if [ `minor_ver "$MODE"` -gt 0 ]
markrad 0:cdf462088d13 331 then
markrad 0:cdf462088d13 332 M_CIPHERS="$M_CIPHERS \
markrad 0:cdf462088d13 333 TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 334 TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA \
markrad 0:cdf462088d13 335 TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA \
markrad 0:cdf462088d13 336 TLS-ECDHE-RSA-WITH-RC4-128-SHA \
markrad 0:cdf462088d13 337 TLS-ECDHE-RSA-WITH-NULL-SHA \
markrad 0:cdf462088d13 338 "
markrad 0:cdf462088d13 339 G_CIPHERS="$G_CIPHERS \
markrad 0:cdf462088d13 340 +ECDHE-RSA:+AES-128-CBC:+SHA1 \
markrad 0:cdf462088d13 341 +ECDHE-RSA:+AES-256-CBC:+SHA1 \
markrad 0:cdf462088d13 342 +ECDHE-RSA:+3DES-CBC:+SHA1 \
markrad 0:cdf462088d13 343 +ECDHE-RSA:+ARCFOUR-128:+SHA1 \
markrad 0:cdf462088d13 344 +ECDHE-RSA:+NULL:+SHA1 \
markrad 0:cdf462088d13 345 "
markrad 0:cdf462088d13 346 O_CIPHERS="$O_CIPHERS \
markrad 0:cdf462088d13 347 ECDHE-RSA-AES256-SHA \
markrad 0:cdf462088d13 348 ECDHE-RSA-AES128-SHA \
markrad 0:cdf462088d13 349 ECDHE-RSA-DES-CBC3-SHA \
markrad 0:cdf462088d13 350 ECDHE-RSA-RC4-SHA \
markrad 0:cdf462088d13 351 ECDHE-RSA-NULL-SHA \
markrad 0:cdf462088d13 352 "
markrad 0:cdf462088d13 353 fi
markrad 0:cdf462088d13 354 if [ `minor_ver "$MODE"` -ge 3 ]
markrad 0:cdf462088d13 355 then
markrad 0:cdf462088d13 356 M_CIPHERS="$M_CIPHERS \
markrad 0:cdf462088d13 357 TLS-RSA-WITH-AES-128-CBC-SHA256 \
markrad 0:cdf462088d13 358 TLS-DHE-RSA-WITH-AES-128-CBC-SHA256 \
markrad 0:cdf462088d13 359 TLS-RSA-WITH-AES-256-CBC-SHA256 \
markrad 0:cdf462088d13 360 TLS-DHE-RSA-WITH-AES-256-CBC-SHA256 \
markrad 0:cdf462088d13 361 TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256 \
markrad 0:cdf462088d13 362 TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384 \
markrad 0:cdf462088d13 363 TLS-RSA-WITH-AES-128-GCM-SHA256 \
markrad 0:cdf462088d13 364 TLS-RSA-WITH-AES-256-GCM-SHA384 \
markrad 0:cdf462088d13 365 TLS-DHE-RSA-WITH-AES-128-GCM-SHA256 \
markrad 0:cdf462088d13 366 TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 \
markrad 0:cdf462088d13 367 TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 \
markrad 0:cdf462088d13 368 TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384 \
markrad 0:cdf462088d13 369 "
markrad 0:cdf462088d13 370 G_CIPHERS="$G_CIPHERS \
markrad 0:cdf462088d13 371 +RSA:+AES-128-CBC:+SHA256 \
markrad 0:cdf462088d13 372 +DHE-RSA:+AES-128-CBC:+SHA256 \
markrad 0:cdf462088d13 373 +RSA:+AES-256-CBC:+SHA256 \
markrad 0:cdf462088d13 374 +DHE-RSA:+AES-256-CBC:+SHA256 \
markrad 0:cdf462088d13 375 +ECDHE-RSA:+AES-128-CBC:+SHA256 \
markrad 0:cdf462088d13 376 +ECDHE-RSA:+AES-256-CBC:+SHA384 \
markrad 0:cdf462088d13 377 +RSA:+AES-128-GCM:+AEAD \
markrad 0:cdf462088d13 378 +RSA:+AES-256-GCM:+AEAD \
markrad 0:cdf462088d13 379 +DHE-RSA:+AES-128-GCM:+AEAD \
markrad 0:cdf462088d13 380 +DHE-RSA:+AES-256-GCM:+AEAD \
markrad 0:cdf462088d13 381 +ECDHE-RSA:+AES-128-GCM:+AEAD \
markrad 0:cdf462088d13 382 +ECDHE-RSA:+AES-256-GCM:+AEAD \
markrad 0:cdf462088d13 383 "
markrad 0:cdf462088d13 384 O_CIPHERS="$O_CIPHERS \
markrad 0:cdf462088d13 385 NULL-SHA256 \
markrad 0:cdf462088d13 386 AES128-SHA256 \
markrad 0:cdf462088d13 387 DHE-RSA-AES128-SHA256 \
markrad 0:cdf462088d13 388 AES256-SHA256 \
markrad 0:cdf462088d13 389 DHE-RSA-AES256-SHA256 \
markrad 0:cdf462088d13 390 ECDHE-RSA-AES128-SHA256 \
markrad 0:cdf462088d13 391 ECDHE-RSA-AES256-SHA384 \
markrad 0:cdf462088d13 392 AES128-GCM-SHA256 \
markrad 0:cdf462088d13 393 DHE-RSA-AES128-GCM-SHA256 \
markrad 0:cdf462088d13 394 AES256-GCM-SHA384 \
markrad 0:cdf462088d13 395 DHE-RSA-AES256-GCM-SHA384 \
markrad 0:cdf462088d13 396 ECDHE-RSA-AES128-GCM-SHA256 \
markrad 0:cdf462088d13 397 ECDHE-RSA-AES256-GCM-SHA384 \
markrad 0:cdf462088d13 398 "
markrad 0:cdf462088d13 399 fi
markrad 0:cdf462088d13 400 ;;
markrad 0:cdf462088d13 401
markrad 0:cdf462088d13 402 "PSK")
markrad 0:cdf462088d13 403 M_CIPHERS="$M_CIPHERS \
markrad 0:cdf462088d13 404 TLS-PSK-WITH-RC4-128-SHA \
markrad 0:cdf462088d13 405 TLS-PSK-WITH-3DES-EDE-CBC-SHA \
markrad 0:cdf462088d13 406 TLS-PSK-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 407 TLS-PSK-WITH-AES-256-CBC-SHA \
markrad 0:cdf462088d13 408 "
markrad 0:cdf462088d13 409 G_CIPHERS="$G_CIPHERS \
markrad 0:cdf462088d13 410 +PSK:+ARCFOUR-128:+SHA1 \
markrad 0:cdf462088d13 411 +PSK:+3DES-CBC:+SHA1 \
markrad 0:cdf462088d13 412 +PSK:+AES-128-CBC:+SHA1 \
markrad 0:cdf462088d13 413 +PSK:+AES-256-CBC:+SHA1 \
markrad 0:cdf462088d13 414 "
markrad 0:cdf462088d13 415 O_CIPHERS="$O_CIPHERS \
markrad 0:cdf462088d13 416 PSK-RC4-SHA \
markrad 0:cdf462088d13 417 PSK-3DES-EDE-CBC-SHA \
markrad 0:cdf462088d13 418 PSK-AES128-CBC-SHA \
markrad 0:cdf462088d13 419 PSK-AES256-CBC-SHA \
markrad 0:cdf462088d13 420 "
markrad 0:cdf462088d13 421 ;;
markrad 0:cdf462088d13 422 esac
markrad 0:cdf462088d13 423 }
markrad 0:cdf462088d13 424
markrad 0:cdf462088d13 425 add_openssl_ciphersuites()
markrad 0:cdf462088d13 426 {
markrad 0:cdf462088d13 427 case $TYPE in
markrad 0:cdf462088d13 428
markrad 0:cdf462088d13 429 "ECDSA")
markrad 0:cdf462088d13 430 if [ `minor_ver "$MODE"` -gt 0 ]
markrad 0:cdf462088d13 431 then
markrad 0:cdf462088d13 432 M_CIPHERS="$M_CIPHERS \
markrad 0:cdf462088d13 433 TLS-ECDH-ECDSA-WITH-NULL-SHA \
markrad 0:cdf462088d13 434 TLS-ECDH-ECDSA-WITH-RC4-128-SHA \
markrad 0:cdf462088d13 435 TLS-ECDH-ECDSA-WITH-3DES-EDE-CBC-SHA \
markrad 0:cdf462088d13 436 TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 437 TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA \
markrad 0:cdf462088d13 438 "
markrad 0:cdf462088d13 439 O_CIPHERS="$O_CIPHERS \
markrad 0:cdf462088d13 440 ECDH-ECDSA-NULL-SHA \
markrad 0:cdf462088d13 441 ECDH-ECDSA-RC4-SHA \
markrad 0:cdf462088d13 442 ECDH-ECDSA-DES-CBC3-SHA \
markrad 0:cdf462088d13 443 ECDH-ECDSA-AES128-SHA \
markrad 0:cdf462088d13 444 ECDH-ECDSA-AES256-SHA \
markrad 0:cdf462088d13 445 "
markrad 0:cdf462088d13 446 fi
markrad 0:cdf462088d13 447 if [ `minor_ver "$MODE"` -ge 3 ]
markrad 0:cdf462088d13 448 then
markrad 0:cdf462088d13 449 M_CIPHERS="$M_CIPHERS \
markrad 0:cdf462088d13 450 TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256 \
markrad 0:cdf462088d13 451 TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384 \
markrad 0:cdf462088d13 452 TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256 \
markrad 0:cdf462088d13 453 TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384 \
markrad 0:cdf462088d13 454 "
markrad 0:cdf462088d13 455 O_CIPHERS="$O_CIPHERS \
markrad 0:cdf462088d13 456 ECDH-ECDSA-AES128-SHA256 \
markrad 0:cdf462088d13 457 ECDH-ECDSA-AES256-SHA384 \
markrad 0:cdf462088d13 458 ECDH-ECDSA-AES128-GCM-SHA256 \
markrad 0:cdf462088d13 459 ECDH-ECDSA-AES256-GCM-SHA384 \
markrad 0:cdf462088d13 460 "
markrad 0:cdf462088d13 461 fi
markrad 0:cdf462088d13 462 ;;
markrad 0:cdf462088d13 463
markrad 0:cdf462088d13 464 "RSA")
markrad 0:cdf462088d13 465 M_CIPHERS="$M_CIPHERS \
markrad 0:cdf462088d13 466 TLS-RSA-WITH-DES-CBC-SHA \
markrad 0:cdf462088d13 467 TLS-DHE-RSA-WITH-DES-CBC-SHA \
markrad 0:cdf462088d13 468 "
markrad 0:cdf462088d13 469 O_CIPHERS="$O_CIPHERS \
markrad 0:cdf462088d13 470 DES-CBC-SHA \
markrad 0:cdf462088d13 471 EDH-RSA-DES-CBC-SHA \
markrad 0:cdf462088d13 472 "
markrad 0:cdf462088d13 473 ;;
markrad 0:cdf462088d13 474
markrad 0:cdf462088d13 475 "PSK")
markrad 0:cdf462088d13 476 ;;
markrad 0:cdf462088d13 477 esac
markrad 0:cdf462088d13 478 }
markrad 0:cdf462088d13 479
markrad 0:cdf462088d13 480 add_gnutls_ciphersuites()
markrad 0:cdf462088d13 481 {
markrad 0:cdf462088d13 482 case $TYPE in
markrad 0:cdf462088d13 483
markrad 0:cdf462088d13 484 "ECDSA")
markrad 0:cdf462088d13 485 if [ `minor_ver "$MODE"` -ge 3 ]
markrad 0:cdf462088d13 486 then
markrad 0:cdf462088d13 487 M_CIPHERS="$M_CIPHERS \
markrad 0:cdf462088d13 488 TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA256 \
markrad 0:cdf462088d13 489 TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA384 \
markrad 0:cdf462088d13 490 TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-GCM-SHA256 \
markrad 0:cdf462088d13 491 TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-GCM-SHA384 \
markrad 0:cdf462088d13 492 "
markrad 0:cdf462088d13 493 G_CIPHERS="$G_CIPHERS \
markrad 0:cdf462088d13 494 +ECDHE-ECDSA:+CAMELLIA-128-CBC:+SHA256 \
markrad 0:cdf462088d13 495 +ECDHE-ECDSA:+CAMELLIA-256-CBC:+SHA384 \
markrad 0:cdf462088d13 496 +ECDHE-ECDSA:+CAMELLIA-128-GCM:+AEAD \
markrad 0:cdf462088d13 497 +ECDHE-ECDSA:+CAMELLIA-256-GCM:+AEAD \
markrad 0:cdf462088d13 498 "
markrad 0:cdf462088d13 499 fi
markrad 0:cdf462088d13 500 ;;
markrad 0:cdf462088d13 501
markrad 0:cdf462088d13 502 "RSA")
markrad 0:cdf462088d13 503 if [ `minor_ver "$MODE"` -gt 0 ]
markrad 0:cdf462088d13 504 then
markrad 0:cdf462088d13 505 M_CIPHERS="$M_CIPHERS \
markrad 0:cdf462088d13 506 TLS-RSA-WITH-NULL-SHA256 \
markrad 0:cdf462088d13 507 "
markrad 0:cdf462088d13 508 G_CIPHERS="$G_CIPHERS \
markrad 0:cdf462088d13 509 +RSA:+NULL:+SHA256 \
markrad 0:cdf462088d13 510 "
markrad 0:cdf462088d13 511 fi
markrad 0:cdf462088d13 512 if [ `minor_ver "$MODE"` -ge 3 ]
markrad 0:cdf462088d13 513 then
markrad 0:cdf462088d13 514 M_CIPHERS="$M_CIPHERS \
markrad 0:cdf462088d13 515 TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA256 \
markrad 0:cdf462088d13 516 TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA384 \
markrad 0:cdf462088d13 517 TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256 \
markrad 0:cdf462088d13 518 TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256 \
markrad 0:cdf462088d13 519 TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256 \
markrad 0:cdf462088d13 520 TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256 \
markrad 0:cdf462088d13 521 TLS-ECDHE-RSA-WITH-CAMELLIA-128-GCM-SHA256 \
markrad 0:cdf462088d13 522 TLS-ECDHE-RSA-WITH-CAMELLIA-256-GCM-SHA384 \
markrad 0:cdf462088d13 523 TLS-DHE-RSA-WITH-CAMELLIA-128-GCM-SHA256 \
markrad 0:cdf462088d13 524 TLS-DHE-RSA-WITH-CAMELLIA-256-GCM-SHA384 \
markrad 0:cdf462088d13 525 TLS-RSA-WITH-CAMELLIA-128-GCM-SHA256 \
markrad 0:cdf462088d13 526 TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384 \
markrad 0:cdf462088d13 527 "
markrad 0:cdf462088d13 528 G_CIPHERS="$G_CIPHERS \
markrad 0:cdf462088d13 529 +ECDHE-RSA:+CAMELLIA-128-CBC:+SHA256 \
markrad 0:cdf462088d13 530 +ECDHE-RSA:+CAMELLIA-256-CBC:+SHA384 \
markrad 0:cdf462088d13 531 +RSA:+CAMELLIA-128-CBC:+SHA256 \
markrad 0:cdf462088d13 532 +RSA:+CAMELLIA-256-CBC:+SHA256 \
markrad 0:cdf462088d13 533 +DHE-RSA:+CAMELLIA-128-CBC:+SHA256 \
markrad 0:cdf462088d13 534 +DHE-RSA:+CAMELLIA-256-CBC:+SHA256 \
markrad 0:cdf462088d13 535 +ECDHE-RSA:+CAMELLIA-128-GCM:+AEAD \
markrad 0:cdf462088d13 536 +ECDHE-RSA:+CAMELLIA-256-GCM:+AEAD \
markrad 0:cdf462088d13 537 +DHE-RSA:+CAMELLIA-128-GCM:+AEAD \
markrad 0:cdf462088d13 538 +DHE-RSA:+CAMELLIA-256-GCM:+AEAD \
markrad 0:cdf462088d13 539 +RSA:+CAMELLIA-128-GCM:+AEAD \
markrad 0:cdf462088d13 540 +RSA:+CAMELLIA-256-GCM:+AEAD \
markrad 0:cdf462088d13 541 "
markrad 0:cdf462088d13 542 fi
markrad 0:cdf462088d13 543 ;;
markrad 0:cdf462088d13 544
markrad 0:cdf462088d13 545 "PSK")
markrad 0:cdf462088d13 546 M_CIPHERS="$M_CIPHERS \
markrad 0:cdf462088d13 547 TLS-DHE-PSK-WITH-3DES-EDE-CBC-SHA \
markrad 0:cdf462088d13 548 TLS-DHE-PSK-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 549 TLS-DHE-PSK-WITH-AES-256-CBC-SHA \
markrad 0:cdf462088d13 550 TLS-DHE-PSK-WITH-RC4-128-SHA \
markrad 0:cdf462088d13 551 "
markrad 0:cdf462088d13 552 G_CIPHERS="$G_CIPHERS \
markrad 0:cdf462088d13 553 +DHE-PSK:+3DES-CBC:+SHA1 \
markrad 0:cdf462088d13 554 +DHE-PSK:+AES-128-CBC:+SHA1 \
markrad 0:cdf462088d13 555 +DHE-PSK:+AES-256-CBC:+SHA1 \
markrad 0:cdf462088d13 556 +DHE-PSK:+ARCFOUR-128:+SHA1 \
markrad 0:cdf462088d13 557 "
markrad 0:cdf462088d13 558 if [ `minor_ver "$MODE"` -gt 0 ]
markrad 0:cdf462088d13 559 then
markrad 0:cdf462088d13 560 M_CIPHERS="$M_CIPHERS \
markrad 0:cdf462088d13 561 TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA \
markrad 0:cdf462088d13 562 TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 563 TLS-ECDHE-PSK-WITH-3DES-EDE-CBC-SHA \
markrad 0:cdf462088d13 564 TLS-ECDHE-PSK-WITH-RC4-128-SHA \
markrad 0:cdf462088d13 565 TLS-RSA-PSK-WITH-3DES-EDE-CBC-SHA \
markrad 0:cdf462088d13 566 TLS-RSA-PSK-WITH-AES-256-CBC-SHA \
markrad 0:cdf462088d13 567 TLS-RSA-PSK-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 568 TLS-RSA-PSK-WITH-RC4-128-SHA \
markrad 0:cdf462088d13 569 "
markrad 0:cdf462088d13 570 G_CIPHERS="$G_CIPHERS \
markrad 0:cdf462088d13 571 +ECDHE-PSK:+3DES-CBC:+SHA1 \
markrad 0:cdf462088d13 572 +ECDHE-PSK:+AES-128-CBC:+SHA1 \
markrad 0:cdf462088d13 573 +ECDHE-PSK:+AES-256-CBC:+SHA1 \
markrad 0:cdf462088d13 574 +ECDHE-PSK:+ARCFOUR-128:+SHA1 \
markrad 0:cdf462088d13 575 +RSA-PSK:+3DES-CBC:+SHA1 \
markrad 0:cdf462088d13 576 +RSA-PSK:+AES-256-CBC:+SHA1 \
markrad 0:cdf462088d13 577 +RSA-PSK:+AES-128-CBC:+SHA1 \
markrad 0:cdf462088d13 578 +RSA-PSK:+ARCFOUR-128:+SHA1 \
markrad 0:cdf462088d13 579 "
markrad 0:cdf462088d13 580 fi
markrad 0:cdf462088d13 581 if [ `minor_ver "$MODE"` -ge 3 ]
markrad 0:cdf462088d13 582 then
markrad 0:cdf462088d13 583 M_CIPHERS="$M_CIPHERS \
markrad 0:cdf462088d13 584 TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384 \
markrad 0:cdf462088d13 585 TLS-ECDHE-PSK-WITH-CAMELLIA-256-CBC-SHA384 \
markrad 0:cdf462088d13 586 TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256 \
markrad 0:cdf462088d13 587 TLS-ECDHE-PSK-WITH-CAMELLIA-128-CBC-SHA256 \
markrad 0:cdf462088d13 588 TLS-ECDHE-PSK-WITH-NULL-SHA384 \
markrad 0:cdf462088d13 589 TLS-ECDHE-PSK-WITH-NULL-SHA256 \
markrad 0:cdf462088d13 590 TLS-PSK-WITH-AES-128-CBC-SHA256 \
markrad 0:cdf462088d13 591 TLS-PSK-WITH-AES-256-CBC-SHA384 \
markrad 0:cdf462088d13 592 TLS-DHE-PSK-WITH-AES-128-CBC-SHA256 \
markrad 0:cdf462088d13 593 TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 \
markrad 0:cdf462088d13 594 TLS-PSK-WITH-NULL-SHA256 \
markrad 0:cdf462088d13 595 TLS-PSK-WITH-NULL-SHA384 \
markrad 0:cdf462088d13 596 TLS-DHE-PSK-WITH-NULL-SHA256 \
markrad 0:cdf462088d13 597 TLS-DHE-PSK-WITH-NULL-SHA384 \
markrad 0:cdf462088d13 598 TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 \
markrad 0:cdf462088d13 599 TLS-RSA-PSK-WITH-AES-128-CBC-SHA256 \
markrad 0:cdf462088d13 600 TLS-RSA-PSK-WITH-NULL-SHA256 \
markrad 0:cdf462088d13 601 TLS-RSA-PSK-WITH-NULL-SHA384 \
markrad 0:cdf462088d13 602 TLS-DHE-PSK-WITH-CAMELLIA-128-CBC-SHA256 \
markrad 0:cdf462088d13 603 TLS-DHE-PSK-WITH-CAMELLIA-256-CBC-SHA384 \
markrad 0:cdf462088d13 604 TLS-PSK-WITH-CAMELLIA-128-CBC-SHA256 \
markrad 0:cdf462088d13 605 TLS-PSK-WITH-CAMELLIA-256-CBC-SHA384 \
markrad 0:cdf462088d13 606 TLS-RSA-PSK-WITH-CAMELLIA-256-CBC-SHA384 \
markrad 0:cdf462088d13 607 TLS-RSA-PSK-WITH-CAMELLIA-128-CBC-SHA256 \
markrad 0:cdf462088d13 608 TLS-PSK-WITH-AES-128-GCM-SHA256 \
markrad 0:cdf462088d13 609 TLS-PSK-WITH-AES-256-GCM-SHA384 \
markrad 0:cdf462088d13 610 TLS-DHE-PSK-WITH-AES-128-GCM-SHA256 \
markrad 0:cdf462088d13 611 TLS-DHE-PSK-WITH-AES-256-GCM-SHA384 \
markrad 0:cdf462088d13 612 TLS-RSA-PSK-WITH-CAMELLIA-128-GCM-SHA256 \
markrad 0:cdf462088d13 613 TLS-RSA-PSK-WITH-CAMELLIA-256-GCM-SHA384 \
markrad 0:cdf462088d13 614 TLS-PSK-WITH-CAMELLIA-128-GCM-SHA256 \
markrad 0:cdf462088d13 615 TLS-PSK-WITH-CAMELLIA-256-GCM-SHA384 \
markrad 0:cdf462088d13 616 TLS-DHE-PSK-WITH-CAMELLIA-128-GCM-SHA256 \
markrad 0:cdf462088d13 617 TLS-DHE-PSK-WITH-CAMELLIA-256-GCM-SHA384 \
markrad 0:cdf462088d13 618 TLS-RSA-PSK-WITH-AES-256-GCM-SHA384 \
markrad 0:cdf462088d13 619 TLS-RSA-PSK-WITH-AES-128-GCM-SHA256 \
markrad 0:cdf462088d13 620 "
markrad 0:cdf462088d13 621 G_CIPHERS="$G_CIPHERS \
markrad 0:cdf462088d13 622 +ECDHE-PSK:+AES-256-CBC:+SHA384 \
markrad 0:cdf462088d13 623 +ECDHE-PSK:+CAMELLIA-256-CBC:+SHA384 \
markrad 0:cdf462088d13 624 +ECDHE-PSK:+AES-128-CBC:+SHA256 \
markrad 0:cdf462088d13 625 +ECDHE-PSK:+CAMELLIA-128-CBC:+SHA256 \
markrad 0:cdf462088d13 626 +PSK:+AES-128-CBC:+SHA256 \
markrad 0:cdf462088d13 627 +PSK:+AES-256-CBC:+SHA384 \
markrad 0:cdf462088d13 628 +DHE-PSK:+AES-128-CBC:+SHA256 \
markrad 0:cdf462088d13 629 +DHE-PSK:+AES-256-CBC:+SHA384 \
markrad 0:cdf462088d13 630 +RSA-PSK:+AES-256-CBC:+SHA384 \
markrad 0:cdf462088d13 631 +RSA-PSK:+AES-128-CBC:+SHA256 \
markrad 0:cdf462088d13 632 +DHE-PSK:+CAMELLIA-128-CBC:+SHA256 \
markrad 0:cdf462088d13 633 +DHE-PSK:+CAMELLIA-256-CBC:+SHA384 \
markrad 0:cdf462088d13 634 +PSK:+CAMELLIA-128-CBC:+SHA256 \
markrad 0:cdf462088d13 635 +PSK:+CAMELLIA-256-CBC:+SHA384 \
markrad 0:cdf462088d13 636 +RSA-PSK:+CAMELLIA-256-CBC:+SHA384 \
markrad 0:cdf462088d13 637 +RSA-PSK:+CAMELLIA-128-CBC:+SHA256 \
markrad 0:cdf462088d13 638 +PSK:+AES-128-GCM:+AEAD \
markrad 0:cdf462088d13 639 +PSK:+AES-256-GCM:+AEAD \
markrad 0:cdf462088d13 640 +DHE-PSK:+AES-128-GCM:+AEAD \
markrad 0:cdf462088d13 641 +DHE-PSK:+AES-256-GCM:+AEAD \
markrad 0:cdf462088d13 642 +RSA-PSK:+CAMELLIA-128-GCM:+AEAD \
markrad 0:cdf462088d13 643 +RSA-PSK:+CAMELLIA-256-GCM:+AEAD \
markrad 0:cdf462088d13 644 +PSK:+CAMELLIA-128-GCM:+AEAD \
markrad 0:cdf462088d13 645 +PSK:+CAMELLIA-256-GCM:+AEAD \
markrad 0:cdf462088d13 646 +DHE-PSK:+CAMELLIA-128-GCM:+AEAD \
markrad 0:cdf462088d13 647 +DHE-PSK:+CAMELLIA-256-GCM:+AEAD \
markrad 0:cdf462088d13 648 +RSA-PSK:+AES-256-GCM:+AEAD \
markrad 0:cdf462088d13 649 +RSA-PSK:+AES-128-GCM:+AEAD \
markrad 0:cdf462088d13 650 +ECDHE-PSK:+NULL:+SHA384 \
markrad 0:cdf462088d13 651 +ECDHE-PSK:+NULL:+SHA256 \
markrad 0:cdf462088d13 652 +PSK:+NULL:+SHA256 \
markrad 0:cdf462088d13 653 +PSK:+NULL:+SHA384 \
markrad 0:cdf462088d13 654 +DHE-PSK:+NULL:+SHA256 \
markrad 0:cdf462088d13 655 +DHE-PSK:+NULL:+SHA384 \
markrad 0:cdf462088d13 656 +RSA-PSK:+NULL:+SHA256 \
markrad 0:cdf462088d13 657 +RSA-PSK:+NULL:+SHA384 \
markrad 0:cdf462088d13 658 "
markrad 0:cdf462088d13 659 fi
markrad 0:cdf462088d13 660 ;;
markrad 0:cdf462088d13 661 esac
markrad 0:cdf462088d13 662 }
markrad 0:cdf462088d13 663
markrad 0:cdf462088d13 664 add_mbedtls_ciphersuites()
markrad 0:cdf462088d13 665 {
markrad 0:cdf462088d13 666 case $TYPE in
markrad 0:cdf462088d13 667
markrad 0:cdf462088d13 668 "ECDSA")
markrad 0:cdf462088d13 669 if [ `minor_ver "$MODE"` -gt 0 ]
markrad 0:cdf462088d13 670 then
markrad 0:cdf462088d13 671 M_CIPHERS="$M_CIPHERS \
markrad 0:cdf462088d13 672 TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA256 \
markrad 0:cdf462088d13 673 TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384 \
markrad 0:cdf462088d13 674 "
markrad 0:cdf462088d13 675 fi
markrad 0:cdf462088d13 676 if [ `minor_ver "$MODE"` -ge 3 ]
markrad 0:cdf462088d13 677 then
markrad 0:cdf462088d13 678 M_CIPHERS="$M_CIPHERS \
markrad 0:cdf462088d13 679 TLS-ECDH-ECDSA-WITH-CAMELLIA-128-GCM-SHA256 \
markrad 0:cdf462088d13 680 TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384 \
markrad 0:cdf462088d13 681 TLS-ECDHE-ECDSA-WITH-AES-128-CCM \
markrad 0:cdf462088d13 682 TLS-ECDHE-ECDSA-WITH-AES-256-CCM \
markrad 0:cdf462088d13 683 TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8 \
markrad 0:cdf462088d13 684 TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8 \
markrad 0:cdf462088d13 685 "
markrad 0:cdf462088d13 686 fi
markrad 0:cdf462088d13 687 ;;
markrad 0:cdf462088d13 688
markrad 0:cdf462088d13 689 "RSA")
markrad 0:cdf462088d13 690 if [ "$MODE" = "tls1_2" ];
markrad 0:cdf462088d13 691 then
markrad 0:cdf462088d13 692 M_CIPHERS="$M_CIPHERS \
markrad 0:cdf462088d13 693 TLS-RSA-WITH-AES-128-CCM \
markrad 0:cdf462088d13 694 TLS-RSA-WITH-AES-256-CCM \
markrad 0:cdf462088d13 695 TLS-DHE-RSA-WITH-AES-128-CCM \
markrad 0:cdf462088d13 696 TLS-DHE-RSA-WITH-AES-256-CCM \
markrad 0:cdf462088d13 697 TLS-RSA-WITH-AES-128-CCM-8 \
markrad 0:cdf462088d13 698 TLS-RSA-WITH-AES-256-CCM-8 \
markrad 0:cdf462088d13 699 TLS-DHE-RSA-WITH-AES-128-CCM-8 \
markrad 0:cdf462088d13 700 TLS-DHE-RSA-WITH-AES-256-CCM-8 \
markrad 0:cdf462088d13 701 "
markrad 0:cdf462088d13 702 fi
markrad 0:cdf462088d13 703 ;;
markrad 0:cdf462088d13 704
markrad 0:cdf462088d13 705 "PSK")
markrad 0:cdf462088d13 706 # *PSK-NULL-SHA suites supported by GnuTLS 3.3.5 but not 3.2.15
markrad 0:cdf462088d13 707 M_CIPHERS="$M_CIPHERS \
markrad 0:cdf462088d13 708 TLS-PSK-WITH-NULL-SHA \
markrad 0:cdf462088d13 709 TLS-DHE-PSK-WITH-NULL-SHA \
markrad 0:cdf462088d13 710 "
markrad 0:cdf462088d13 711 if [ `minor_ver "$MODE"` -gt 0 ]
markrad 0:cdf462088d13 712 then
markrad 0:cdf462088d13 713 M_CIPHERS="$M_CIPHERS \
markrad 0:cdf462088d13 714 TLS-ECDHE-PSK-WITH-NULL-SHA \
markrad 0:cdf462088d13 715 TLS-RSA-PSK-WITH-NULL-SHA \
markrad 0:cdf462088d13 716 "
markrad 0:cdf462088d13 717 fi
markrad 0:cdf462088d13 718 if [ "$MODE" = "tls1_2" ];
markrad 0:cdf462088d13 719 then
markrad 0:cdf462088d13 720 M_CIPHERS="$M_CIPHERS \
markrad 0:cdf462088d13 721 TLS-PSK-WITH-AES-128-CCM \
markrad 0:cdf462088d13 722 TLS-PSK-WITH-AES-256-CCM \
markrad 0:cdf462088d13 723 TLS-DHE-PSK-WITH-AES-128-CCM \
markrad 0:cdf462088d13 724 TLS-DHE-PSK-WITH-AES-256-CCM \
markrad 0:cdf462088d13 725 TLS-PSK-WITH-AES-128-CCM-8 \
markrad 0:cdf462088d13 726 TLS-PSK-WITH-AES-256-CCM-8 \
markrad 0:cdf462088d13 727 TLS-DHE-PSK-WITH-AES-128-CCM-8 \
markrad 0:cdf462088d13 728 TLS-DHE-PSK-WITH-AES-256-CCM-8 \
markrad 0:cdf462088d13 729 "
markrad 0:cdf462088d13 730 fi
markrad 0:cdf462088d13 731 ;;
markrad 0:cdf462088d13 732 esac
markrad 0:cdf462088d13 733 }
markrad 0:cdf462088d13 734
markrad 0:cdf462088d13 735 setup_arguments()
markrad 0:cdf462088d13 736 {
markrad 0:cdf462088d13 737 G_MODE=""
markrad 0:cdf462088d13 738 case "$MODE" in
markrad 0:cdf462088d13 739 "ssl3")
markrad 0:cdf462088d13 740 G_PRIO_MODE="+VERS-SSL3.0"
markrad 0:cdf462088d13 741 ;;
markrad 0:cdf462088d13 742 "tls1")
markrad 0:cdf462088d13 743 G_PRIO_MODE="+VERS-TLS1.0"
markrad 0:cdf462088d13 744 ;;
markrad 0:cdf462088d13 745 "tls1_1")
markrad 0:cdf462088d13 746 G_PRIO_MODE="+VERS-TLS1.1"
markrad 0:cdf462088d13 747 ;;
markrad 0:cdf462088d13 748 "tls1_2")
markrad 0:cdf462088d13 749 G_PRIO_MODE="+VERS-TLS1.2"
markrad 0:cdf462088d13 750 ;;
markrad 0:cdf462088d13 751 "dtls1")
markrad 0:cdf462088d13 752 G_PRIO_MODE="+VERS-DTLS1.0"
markrad 0:cdf462088d13 753 G_MODE="-u"
markrad 0:cdf462088d13 754 ;;
markrad 0:cdf462088d13 755 "dtls1_2")
markrad 0:cdf462088d13 756 G_PRIO_MODE="+VERS-DTLS1.2"
markrad 0:cdf462088d13 757 G_MODE="-u"
markrad 0:cdf462088d13 758 ;;
markrad 0:cdf462088d13 759 *)
markrad 0:cdf462088d13 760 echo "error: invalid mode: $MODE" >&2
markrad 0:cdf462088d13 761 exit 1;
markrad 0:cdf462088d13 762 esac
markrad 0:cdf462088d13 763
markrad 0:cdf462088d13 764 M_SERVER_ARGS="server_port=$PORT server_addr=0.0.0.0 force_version=$MODE arc4=1"
markrad 0:cdf462088d13 765 O_SERVER_ARGS="-accept $PORT -cipher NULL,ALL -$MODE -dhparam data_files/dhparams.pem"
markrad 0:cdf462088d13 766 G_SERVER_ARGS="-p $PORT --http $G_MODE"
markrad 0:cdf462088d13 767 G_SERVER_PRIO="NORMAL:+ARCFOUR-128:+NULL:+MD5:+PSK:+DHE-PSK:+ECDHE-PSK:+RSA-PSK:-VERS-TLS-ALL:$G_PRIO_MODE"
markrad 0:cdf462088d13 768
markrad 0:cdf462088d13 769 # with OpenSSL 1.0.1h, -www, -WWW and -HTTP break DTLS handshakes
markrad 0:cdf462088d13 770 if is_dtls "$MODE"; then
markrad 0:cdf462088d13 771 O_SERVER_ARGS="$O_SERVER_ARGS"
markrad 0:cdf462088d13 772 else
markrad 0:cdf462088d13 773 O_SERVER_ARGS="$O_SERVER_ARGS -www"
markrad 0:cdf462088d13 774 fi
markrad 0:cdf462088d13 775
markrad 0:cdf462088d13 776 M_CLIENT_ARGS="server_port=$PORT server_addr=127.0.0.1 force_version=$MODE"
markrad 0:cdf462088d13 777 O_CLIENT_ARGS="-connect localhost:$PORT -$MODE"
markrad 0:cdf462088d13 778 G_CLIENT_ARGS="-p $PORT --debug 3 $G_MODE"
markrad 0:cdf462088d13 779 G_CLIENT_PRIO="NONE:$G_PRIO_MODE:+COMP-NULL:+CURVE-ALL:+SIGN-ALL"
markrad 0:cdf462088d13 780
markrad 0:cdf462088d13 781 if [ "X$VERIFY" = "XYES" ];
markrad 0:cdf462088d13 782 then
markrad 0:cdf462088d13 783 M_SERVER_ARGS="$M_SERVER_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required"
markrad 0:cdf462088d13 784 O_SERVER_ARGS="$O_SERVER_ARGS -CAfile data_files/test-ca_cat12.crt -Verify 10"
markrad 0:cdf462088d13 785 G_SERVER_ARGS="$G_SERVER_ARGS --x509cafile data_files/test-ca_cat12.crt --require-client-cert"
markrad 0:cdf462088d13 786
markrad 0:cdf462088d13 787 M_CLIENT_ARGS="$M_CLIENT_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required"
markrad 0:cdf462088d13 788 O_CLIENT_ARGS="$O_CLIENT_ARGS -CAfile data_files/test-ca_cat12.crt -verify 10"
markrad 0:cdf462088d13 789 G_CLIENT_ARGS="$G_CLIENT_ARGS --x509cafile data_files/test-ca_cat12.crt"
markrad 0:cdf462088d13 790 else
markrad 0:cdf462088d13 791 # don't request a client cert at all
markrad 0:cdf462088d13 792 M_SERVER_ARGS="$M_SERVER_ARGS ca_file=none auth_mode=none"
markrad 0:cdf462088d13 793 G_SERVER_ARGS="$G_SERVER_ARGS --disable-client-cert"
markrad 0:cdf462088d13 794
markrad 0:cdf462088d13 795 M_CLIENT_ARGS="$M_CLIENT_ARGS ca_file=none auth_mode=none"
markrad 0:cdf462088d13 796 O_CLIENT_ARGS="$O_CLIENT_ARGS"
markrad 0:cdf462088d13 797 G_CLIENT_ARGS="$G_CLIENT_ARGS --insecure"
markrad 0:cdf462088d13 798 fi
markrad 0:cdf462088d13 799
markrad 0:cdf462088d13 800 case $TYPE in
markrad 0:cdf462088d13 801 "ECDSA")
markrad 0:cdf462088d13 802 M_SERVER_ARGS="$M_SERVER_ARGS crt_file=data_files/server5.crt key_file=data_files/server5.key"
markrad 0:cdf462088d13 803 O_SERVER_ARGS="$O_SERVER_ARGS -cert data_files/server5.crt -key data_files/server5.key"
markrad 0:cdf462088d13 804 G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
markrad 0:cdf462088d13 805
markrad 0:cdf462088d13 806 if [ "X$VERIFY" = "XYES" ]; then
markrad 0:cdf462088d13 807 M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=data_files/server6.crt key_file=data_files/server6.key"
markrad 0:cdf462088d13 808 O_CLIENT_ARGS="$O_CLIENT_ARGS -cert data_files/server6.crt -key data_files/server6.key"
markrad 0:cdf462088d13 809 G_CLIENT_ARGS="$G_CLIENT_ARGS --x509certfile data_files/server6.crt --x509keyfile data_files/server6.key"
markrad 0:cdf462088d13 810 else
markrad 0:cdf462088d13 811 M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=none key_file=none"
markrad 0:cdf462088d13 812 fi
markrad 0:cdf462088d13 813 ;;
markrad 0:cdf462088d13 814
markrad 0:cdf462088d13 815 "RSA")
markrad 0:cdf462088d13 816 M_SERVER_ARGS="$M_SERVER_ARGS crt_file=data_files/server2.crt key_file=data_files/server2.key"
markrad 0:cdf462088d13 817 O_SERVER_ARGS="$O_SERVER_ARGS -cert data_files/server2.crt -key data_files/server2.key"
markrad 0:cdf462088d13 818 G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile data_files/server2.crt --x509keyfile data_files/server2.key"
markrad 0:cdf462088d13 819
markrad 0:cdf462088d13 820 if [ "X$VERIFY" = "XYES" ]; then
markrad 0:cdf462088d13 821 M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=data_files/server1.crt key_file=data_files/server1.key"
markrad 0:cdf462088d13 822 O_CLIENT_ARGS="$O_CLIENT_ARGS -cert data_files/server1.crt -key data_files/server1.key"
markrad 0:cdf462088d13 823 G_CLIENT_ARGS="$G_CLIENT_ARGS --x509certfile data_files/server1.crt --x509keyfile data_files/server1.key"
markrad 0:cdf462088d13 824 else
markrad 0:cdf462088d13 825 M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=none key_file=none"
markrad 0:cdf462088d13 826 fi
markrad 0:cdf462088d13 827 ;;
markrad 0:cdf462088d13 828
markrad 0:cdf462088d13 829 "PSK")
markrad 0:cdf462088d13 830 # give RSA-PSK-capable server a RSA cert
markrad 0:cdf462088d13 831 # (should be a separate type, but harder to close with openssl)
markrad 0:cdf462088d13 832 M_SERVER_ARGS="$M_SERVER_ARGS psk=6162636465666768696a6b6c6d6e6f70 ca_file=none crt_file=data_files/server2.crt key_file=data_files/server2.key"
markrad 0:cdf462088d13 833 O_SERVER_ARGS="$O_SERVER_ARGS -psk 6162636465666768696a6b6c6d6e6f70 -nocert"
markrad 0:cdf462088d13 834 G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile data_files/server2.crt --x509keyfile data_files/server2.key --pskpasswd data_files/passwd.psk"
markrad 0:cdf462088d13 835
markrad 0:cdf462088d13 836 M_CLIENT_ARGS="$M_CLIENT_ARGS psk=6162636465666768696a6b6c6d6e6f70 crt_file=none key_file=none"
markrad 0:cdf462088d13 837 O_CLIENT_ARGS="$O_CLIENT_ARGS -psk 6162636465666768696a6b6c6d6e6f70"
markrad 0:cdf462088d13 838 G_CLIENT_ARGS="$G_CLIENT_ARGS --pskusername Client_identity --pskkey=6162636465666768696a6b6c6d6e6f70"
markrad 0:cdf462088d13 839 ;;
markrad 0:cdf462088d13 840 esac
markrad 0:cdf462088d13 841 }
markrad 0:cdf462088d13 842
markrad 0:cdf462088d13 843 # is_mbedtls <cmd_line>
markrad 0:cdf462088d13 844 is_mbedtls() {
markrad 0:cdf462088d13 845 echo "$1" | grep 'ssl_server2\|ssl_client2' > /dev/null
markrad 0:cdf462088d13 846 }
markrad 0:cdf462088d13 847
markrad 0:cdf462088d13 848 # has_mem_err <log_file_name>
markrad 0:cdf462088d13 849 has_mem_err() {
markrad 0:cdf462088d13 850 if ( grep -F 'All heap blocks were freed -- no leaks are possible' "$1" &&
markrad 0:cdf462088d13 851 grep -F 'ERROR SUMMARY: 0 errors from 0 contexts' "$1" ) > /dev/null
markrad 0:cdf462088d13 852 then
markrad 0:cdf462088d13 853 return 1 # false: does not have errors
markrad 0:cdf462088d13 854 else
markrad 0:cdf462088d13 855 return 0 # true: has errors
markrad 0:cdf462088d13 856 fi
markrad 0:cdf462088d13 857 }
markrad 0:cdf462088d13 858
markrad 0:cdf462088d13 859 # start_server <name>
markrad 0:cdf462088d13 860 # also saves name and command
markrad 0:cdf462088d13 861 start_server() {
markrad 0:cdf462088d13 862 case $1 in
markrad 0:cdf462088d13 863 [Oo]pen*)
markrad 0:cdf462088d13 864 SERVER_CMD="$OPENSSL_CMD s_server $O_SERVER_ARGS"
markrad 0:cdf462088d13 865 ;;
markrad 0:cdf462088d13 866 [Gg]nu*)
markrad 0:cdf462088d13 867 SERVER_CMD="$GNUTLS_SERV $G_SERVER_ARGS --priority $G_SERVER_PRIO"
markrad 0:cdf462088d13 868 ;;
markrad 0:cdf462088d13 869 mbed*)
markrad 0:cdf462088d13 870 SERVER_CMD="$M_SRV $M_SERVER_ARGS"
markrad 0:cdf462088d13 871 if [ "$MEMCHECK" -gt 0 ]; then
markrad 0:cdf462088d13 872 SERVER_CMD="valgrind --leak-check=full $SERVER_CMD"
markrad 0:cdf462088d13 873 fi
markrad 0:cdf462088d13 874 ;;
markrad 0:cdf462088d13 875 *)
markrad 0:cdf462088d13 876 echo "error: invalid server name: $1" >&2
markrad 0:cdf462088d13 877 exit 1
markrad 0:cdf462088d13 878 ;;
markrad 0:cdf462088d13 879 esac
markrad 0:cdf462088d13 880 SERVER_NAME=$1
markrad 0:cdf462088d13 881
markrad 0:cdf462088d13 882 log "$SERVER_CMD"
markrad 0:cdf462088d13 883 echo "$SERVER_CMD" > $SRV_OUT
markrad 0:cdf462088d13 884 # for servers without -www or equivalent
markrad 0:cdf462088d13 885 while :; do echo bla; sleep 1; done | $SERVER_CMD >> $SRV_OUT 2>&1 &
markrad 0:cdf462088d13 886 PROCESS_ID=$!
markrad 0:cdf462088d13 887
markrad 0:cdf462088d13 888 sleep 1
markrad 0:cdf462088d13 889 }
markrad 0:cdf462088d13 890
markrad 0:cdf462088d13 891 # terminate the running server
markrad 0:cdf462088d13 892 stop_server() {
markrad 0:cdf462088d13 893 kill $PROCESS_ID 2>/dev/null
markrad 0:cdf462088d13 894 wait $PROCESS_ID 2>/dev/null
markrad 0:cdf462088d13 895
markrad 0:cdf462088d13 896 if [ "$MEMCHECK" -gt 0 ]; then
markrad 0:cdf462088d13 897 if is_mbedtls "$SERVER_CMD" && has_mem_err $SRV_OUT; then
markrad 0:cdf462088d13 898 echo " ! Server had memory errors"
markrad 0:cdf462088d13 899 SRVMEM=$(( $SRVMEM + 1 ))
markrad 0:cdf462088d13 900 return
markrad 0:cdf462088d13 901 fi
markrad 0:cdf462088d13 902 fi
markrad 0:cdf462088d13 903
markrad 0:cdf462088d13 904 rm -f $SRV_OUT
markrad 0:cdf462088d13 905 }
markrad 0:cdf462088d13 906
markrad 0:cdf462088d13 907 # kill the running server (used when killed by signal)
markrad 0:cdf462088d13 908 cleanup() {
markrad 0:cdf462088d13 909 rm -f $SRV_OUT $CLI_OUT
markrad 0:cdf462088d13 910 kill $PROCESS_ID >/dev/null 2>&1
markrad 0:cdf462088d13 911 kill $WATCHDOG_PID >/dev/null 2>&1
markrad 0:cdf462088d13 912 exit 1
markrad 0:cdf462088d13 913 }
markrad 0:cdf462088d13 914
markrad 0:cdf462088d13 915 # wait for client to terminate and set EXIT
markrad 0:cdf462088d13 916 # must be called right after starting the client
markrad 0:cdf462088d13 917 wait_client_done() {
markrad 0:cdf462088d13 918 CLI_PID=$!
markrad 0:cdf462088d13 919
markrad 0:cdf462088d13 920 ( sleep "$DOG_DELAY"; echo "TIMEOUT" >> $CLI_OUT; kill $CLI_PID ) &
markrad 0:cdf462088d13 921 WATCHDOG_PID=$!
markrad 0:cdf462088d13 922
markrad 0:cdf462088d13 923 wait $CLI_PID
markrad 0:cdf462088d13 924 EXIT=$?
markrad 0:cdf462088d13 925
markrad 0:cdf462088d13 926 kill $WATCHDOG_PID
markrad 0:cdf462088d13 927 wait $WATCHDOG_PID
markrad 0:cdf462088d13 928
markrad 0:cdf462088d13 929 echo "EXIT: $EXIT" >> $CLI_OUT
markrad 0:cdf462088d13 930 }
markrad 0:cdf462088d13 931
markrad 0:cdf462088d13 932 # run_client <name> <cipher>
markrad 0:cdf462088d13 933 run_client() {
markrad 0:cdf462088d13 934 # announce what we're going to do
markrad 0:cdf462088d13 935 TESTS=$(( $TESTS + 1 ))
markrad 0:cdf462088d13 936 VERIF=$(echo $VERIFY | tr '[:upper:]' '[:lower:]')
markrad 0:cdf462088d13 937 TITLE="`echo $1 | head -c1`->`echo $SERVER_NAME | head -c1`"
markrad 0:cdf462088d13 938 TITLE="$TITLE $MODE,$VERIF $2"
markrad 0:cdf462088d13 939 printf "$TITLE "
markrad 0:cdf462088d13 940 LEN=$(( 72 - `echo "$TITLE" | wc -c` ))
markrad 0:cdf462088d13 941 for i in `seq 1 $LEN`; do printf '.'; done; printf ' '
markrad 0:cdf462088d13 942
markrad 0:cdf462088d13 943 # should we skip?
markrad 0:cdf462088d13 944 if [ "X$SKIP_NEXT" = "XYES" ]; then
markrad 0:cdf462088d13 945 SKIP_NEXT="NO"
markrad 0:cdf462088d13 946 echo "SKIP"
markrad 0:cdf462088d13 947 SKIPPED=$(( $SKIPPED + 1 ))
markrad 0:cdf462088d13 948 return
markrad 0:cdf462088d13 949 fi
markrad 0:cdf462088d13 950
markrad 0:cdf462088d13 951 # run the command and interpret result
markrad 0:cdf462088d13 952 case $1 in
markrad 0:cdf462088d13 953 [Oo]pen*)
markrad 0:cdf462088d13 954 CLIENT_CMD="$OPENSSL_CMD s_client $O_CLIENT_ARGS -cipher $2"
markrad 0:cdf462088d13 955 log "$CLIENT_CMD"
markrad 0:cdf462088d13 956 echo "$CLIENT_CMD" > $CLI_OUT
markrad 0:cdf462088d13 957 printf 'GET HTTP/1.0\r\n\r\n' | $CLIENT_CMD >> $CLI_OUT 2>&1 &
markrad 0:cdf462088d13 958 wait_client_done
markrad 0:cdf462088d13 959
markrad 0:cdf462088d13 960 if [ $EXIT -eq 0 ]; then
markrad 0:cdf462088d13 961 RESULT=0
markrad 0:cdf462088d13 962 else
markrad 0:cdf462088d13 963 # If the cipher isn't supported...
markrad 0:cdf462088d13 964 if grep 'Cipher is (NONE)' $CLI_OUT >/dev/null; then
markrad 0:cdf462088d13 965 RESULT=1
markrad 0:cdf462088d13 966 else
markrad 0:cdf462088d13 967 RESULT=2
markrad 0:cdf462088d13 968 fi
markrad 0:cdf462088d13 969 fi
markrad 0:cdf462088d13 970 ;;
markrad 0:cdf462088d13 971
markrad 0:cdf462088d13 972 [Gg]nu*)
markrad 0:cdf462088d13 973 # need to force IPv4 with UDP, but keep localhost for auth
markrad 0:cdf462088d13 974 if is_dtls "$MODE"; then
markrad 0:cdf462088d13 975 G_HOST="127.0.0.1"
markrad 0:cdf462088d13 976 else
markrad 0:cdf462088d13 977 G_HOST="localhost"
markrad 0:cdf462088d13 978 fi
markrad 0:cdf462088d13 979 CLIENT_CMD="$GNUTLS_CLI $G_CLIENT_ARGS --priority $G_PRIO_MODE:$2 $G_HOST"
markrad 0:cdf462088d13 980 log "$CLIENT_CMD"
markrad 0:cdf462088d13 981 echo "$CLIENT_CMD" > $CLI_OUT
markrad 0:cdf462088d13 982 printf 'GET HTTP/1.0\r\n\r\n' | $CLIENT_CMD >> $CLI_OUT 2>&1 &
markrad 0:cdf462088d13 983 wait_client_done
markrad 0:cdf462088d13 984
markrad 0:cdf462088d13 985 if [ $EXIT -eq 0 ]; then
markrad 0:cdf462088d13 986 RESULT=0
markrad 0:cdf462088d13 987 else
markrad 0:cdf462088d13 988 RESULT=2
markrad 0:cdf462088d13 989 # interpret early failure, with a handshake_failure alert
markrad 0:cdf462088d13 990 # before the server hello, as "no ciphersuite in common"
markrad 0:cdf462088d13 991 if grep -F 'Received alert [40]: Handshake failed' $CLI_OUT; then
markrad 0:cdf462088d13 992 if grep -i 'SERVER HELLO .* was received' $CLI_OUT; then :
markrad 0:cdf462088d13 993 else
markrad 0:cdf462088d13 994 RESULT=1
markrad 0:cdf462088d13 995 fi
markrad 0:cdf462088d13 996 fi >/dev/null
markrad 0:cdf462088d13 997 fi
markrad 0:cdf462088d13 998 ;;
markrad 0:cdf462088d13 999
markrad 0:cdf462088d13 1000 mbed*)
markrad 0:cdf462088d13 1001 CLIENT_CMD="$M_CLI $M_CLIENT_ARGS force_ciphersuite=$2"
markrad 0:cdf462088d13 1002 if [ "$MEMCHECK" -gt 0 ]; then
markrad 0:cdf462088d13 1003 CLIENT_CMD="valgrind --leak-check=full $CLIENT_CMD"
markrad 0:cdf462088d13 1004 fi
markrad 0:cdf462088d13 1005 log "$CLIENT_CMD"
markrad 0:cdf462088d13 1006 echo "$CLIENT_CMD" > $CLI_OUT
markrad 0:cdf462088d13 1007 $CLIENT_CMD >> $CLI_OUT 2>&1 &
markrad 0:cdf462088d13 1008 wait_client_done
markrad 0:cdf462088d13 1009
markrad 0:cdf462088d13 1010 case $EXIT in
markrad 0:cdf462088d13 1011 # Success
markrad 0:cdf462088d13 1012 "0") RESULT=0 ;;
markrad 0:cdf462088d13 1013
markrad 0:cdf462088d13 1014 # Ciphersuite not supported
markrad 0:cdf462088d13 1015 "2") RESULT=1 ;;
markrad 0:cdf462088d13 1016
markrad 0:cdf462088d13 1017 # Error
markrad 0:cdf462088d13 1018 *) RESULT=2 ;;
markrad 0:cdf462088d13 1019 esac
markrad 0:cdf462088d13 1020
markrad 0:cdf462088d13 1021 if [ "$MEMCHECK" -gt 0 ]; then
markrad 0:cdf462088d13 1022 if is_mbedtls "$CLIENT_CMD" && has_mem_err $CLI_OUT; then
markrad 0:cdf462088d13 1023 RESULT=2
markrad 0:cdf462088d13 1024 fi
markrad 0:cdf462088d13 1025 fi
markrad 0:cdf462088d13 1026
markrad 0:cdf462088d13 1027 ;;
markrad 0:cdf462088d13 1028
markrad 0:cdf462088d13 1029 *)
markrad 0:cdf462088d13 1030 echo "error: invalid client name: $1" >&2
markrad 0:cdf462088d13 1031 exit 1
markrad 0:cdf462088d13 1032 ;;
markrad 0:cdf462088d13 1033 esac
markrad 0:cdf462088d13 1034
markrad 0:cdf462088d13 1035 echo "EXIT: $EXIT" >> $CLI_OUT
markrad 0:cdf462088d13 1036
markrad 0:cdf462088d13 1037 # report and count result
markrad 0:cdf462088d13 1038 case $RESULT in
markrad 0:cdf462088d13 1039 "0")
markrad 0:cdf462088d13 1040 echo PASS
markrad 0:cdf462088d13 1041 ;;
markrad 0:cdf462088d13 1042 "1")
markrad 0:cdf462088d13 1043 echo SKIP
markrad 0:cdf462088d13 1044 SKIPPED=$(( $SKIPPED + 1 ))
markrad 0:cdf462088d13 1045 ;;
markrad 0:cdf462088d13 1046 "2")
markrad 0:cdf462088d13 1047 echo FAIL
markrad 0:cdf462088d13 1048 cp $SRV_OUT c-srv-${TESTS}.log
markrad 0:cdf462088d13 1049 cp $CLI_OUT c-cli-${TESTS}.log
markrad 0:cdf462088d13 1050 echo " ! outputs saved to c-srv-${TESTS}.log, c-cli-${TESTS}.log"
markrad 0:cdf462088d13 1051
markrad 0:cdf462088d13 1052 if [ "X${USER:-}" = Xbuildbot -o "X${LOGNAME:-}" = Xbuildbot ]; then
markrad 0:cdf462088d13 1053 echo " ! server output:"
markrad 0:cdf462088d13 1054 cat c-srv-${TESTS}.log
markrad 0:cdf462088d13 1055 echo " ! ==================================================="
markrad 0:cdf462088d13 1056 echo " ! client output:"
markrad 0:cdf462088d13 1057 cat c-cli-${TESTS}.log
markrad 0:cdf462088d13 1058 fi
markrad 0:cdf462088d13 1059
markrad 0:cdf462088d13 1060 FAILED=$(( $FAILED + 1 ))
markrad 0:cdf462088d13 1061 ;;
markrad 0:cdf462088d13 1062 esac
markrad 0:cdf462088d13 1063
markrad 0:cdf462088d13 1064 rm -f $CLI_OUT
markrad 0:cdf462088d13 1065 }
markrad 0:cdf462088d13 1066
markrad 0:cdf462088d13 1067 #
markrad 0:cdf462088d13 1068 # MAIN
markrad 0:cdf462088d13 1069 #
markrad 0:cdf462088d13 1070
markrad 0:cdf462088d13 1071 if cd $( dirname $0 ); then :; else
markrad 0:cdf462088d13 1072 echo "cd $( dirname $0 ) failed" >&2
markrad 0:cdf462088d13 1073 exit 1
markrad 0:cdf462088d13 1074 fi
markrad 0:cdf462088d13 1075
markrad 0:cdf462088d13 1076 get_options "$@"
markrad 0:cdf462088d13 1077
markrad 0:cdf462088d13 1078 # sanity checks, avoid an avalanche of errors
markrad 0:cdf462088d13 1079 if [ ! -x "$M_SRV" ]; then
markrad 0:cdf462088d13 1080 echo "Command '$M_SRV' is not an executable file" >&2
markrad 0:cdf462088d13 1081 exit 1
markrad 0:cdf462088d13 1082 fi
markrad 0:cdf462088d13 1083 if [ ! -x "$M_CLI" ]; then
markrad 0:cdf462088d13 1084 echo "Command '$M_CLI' is not an executable file" >&2
markrad 0:cdf462088d13 1085 exit 1
markrad 0:cdf462088d13 1086 fi
markrad 0:cdf462088d13 1087
markrad 0:cdf462088d13 1088 if echo "$PEERS" | grep -i openssl > /dev/null; then
markrad 0:cdf462088d13 1089 if which "$OPENSSL_CMD" >/dev/null 2>&1; then :; else
markrad 0:cdf462088d13 1090 echo "Command '$OPENSSL_CMD' not found" >&2
markrad 0:cdf462088d13 1091 exit 1
markrad 0:cdf462088d13 1092 fi
markrad 0:cdf462088d13 1093 fi
markrad 0:cdf462088d13 1094
markrad 0:cdf462088d13 1095 if echo "$PEERS" | grep -i gnutls > /dev/null; then
markrad 0:cdf462088d13 1096 for CMD in "$GNUTLS_CLI" "$GNUTLS_SERV"; do
markrad 0:cdf462088d13 1097 if which "$CMD" >/dev/null 2>&1; then :; else
markrad 0:cdf462088d13 1098 echo "Command '$CMD' not found" >&2
markrad 0:cdf462088d13 1099 exit 1
markrad 0:cdf462088d13 1100 fi
markrad 0:cdf462088d13 1101 done
markrad 0:cdf462088d13 1102 fi
markrad 0:cdf462088d13 1103
markrad 0:cdf462088d13 1104 for PEER in $PEERS; do
markrad 0:cdf462088d13 1105 case "$PEER" in
markrad 0:cdf462088d13 1106 mbed*|[Oo]pen*|[Gg]nu*)
markrad 0:cdf462088d13 1107 ;;
markrad 0:cdf462088d13 1108 *)
markrad 0:cdf462088d13 1109 echo "Unknown peers: $PEER" >&2
markrad 0:cdf462088d13 1110 exit 1
markrad 0:cdf462088d13 1111 esac
markrad 0:cdf462088d13 1112 done
markrad 0:cdf462088d13 1113
markrad 0:cdf462088d13 1114 # Pick a "unique" port in the range 10000-19999.
markrad 0:cdf462088d13 1115 PORT="0000$$"
markrad 0:cdf462088d13 1116 PORT="1$(echo $PORT | tail -c 5)"
markrad 0:cdf462088d13 1117
markrad 0:cdf462088d13 1118 # Also pick a unique name for intermediate files
markrad 0:cdf462088d13 1119 SRV_OUT="srv_out.$$"
markrad 0:cdf462088d13 1120 CLI_OUT="cli_out.$$"
markrad 0:cdf462088d13 1121
markrad 0:cdf462088d13 1122 # client timeout delay: be more patient with valgrind
markrad 0:cdf462088d13 1123 if [ "$MEMCHECK" -gt 0 ]; then
markrad 0:cdf462088d13 1124 DOG_DELAY=30
markrad 0:cdf462088d13 1125 else
markrad 0:cdf462088d13 1126 DOG_DELAY=10
markrad 0:cdf462088d13 1127 fi
markrad 0:cdf462088d13 1128
markrad 0:cdf462088d13 1129 SKIP_NEXT="NO"
markrad 0:cdf462088d13 1130
markrad 0:cdf462088d13 1131 trap cleanup INT TERM HUP
markrad 0:cdf462088d13 1132
markrad 0:cdf462088d13 1133 for VERIFY in $VERIFIES; do
markrad 0:cdf462088d13 1134 for MODE in $MODES; do
markrad 0:cdf462088d13 1135 for TYPE in $TYPES; do
markrad 0:cdf462088d13 1136 for PEER in $PEERS; do
markrad 0:cdf462088d13 1137
markrad 0:cdf462088d13 1138 setup_arguments
markrad 0:cdf462088d13 1139
markrad 0:cdf462088d13 1140 case "$PEER" in
markrad 0:cdf462088d13 1141
markrad 0:cdf462088d13 1142 [Oo]pen*)
markrad 0:cdf462088d13 1143
markrad 0:cdf462088d13 1144 if test "$OSSL_NO_DTLS" -gt 0 && is_dtls "$MODE"; then
markrad 0:cdf462088d13 1145 continue;
markrad 0:cdf462088d13 1146 fi
markrad 0:cdf462088d13 1147
markrad 0:cdf462088d13 1148 reset_ciphersuites
markrad 0:cdf462088d13 1149 add_common_ciphersuites
markrad 0:cdf462088d13 1150 add_openssl_ciphersuites
markrad 0:cdf462088d13 1151 filter_ciphersuites
markrad 0:cdf462088d13 1152
markrad 0:cdf462088d13 1153 if [ "X" != "X$M_CIPHERS" ]; then
markrad 0:cdf462088d13 1154 start_server "OpenSSL"
markrad 0:cdf462088d13 1155 for i in $M_CIPHERS; do
markrad 0:cdf462088d13 1156 check_openssl_server_bug $i
markrad 0:cdf462088d13 1157 run_client mbedTLS $i
markrad 0:cdf462088d13 1158 done
markrad 0:cdf462088d13 1159 stop_server
markrad 0:cdf462088d13 1160 fi
markrad 0:cdf462088d13 1161
markrad 0:cdf462088d13 1162 if [ "X" != "X$O_CIPHERS" ]; then
markrad 0:cdf462088d13 1163 start_server "mbedTLS"
markrad 0:cdf462088d13 1164 for i in $O_CIPHERS; do
markrad 0:cdf462088d13 1165 run_client OpenSSL $i
markrad 0:cdf462088d13 1166 done
markrad 0:cdf462088d13 1167 stop_server
markrad 0:cdf462088d13 1168 fi
markrad 0:cdf462088d13 1169
markrad 0:cdf462088d13 1170 ;;
markrad 0:cdf462088d13 1171
markrad 0:cdf462088d13 1172 [Gg]nu*)
markrad 0:cdf462088d13 1173
markrad 0:cdf462088d13 1174 reset_ciphersuites
markrad 0:cdf462088d13 1175 add_common_ciphersuites
markrad 0:cdf462088d13 1176 add_gnutls_ciphersuites
markrad 0:cdf462088d13 1177 filter_ciphersuites
markrad 0:cdf462088d13 1178
markrad 0:cdf462088d13 1179 if [ "X" != "X$M_CIPHERS" ]; then
markrad 0:cdf462088d13 1180 start_server "GnuTLS"
markrad 0:cdf462088d13 1181 for i in $M_CIPHERS; do
markrad 0:cdf462088d13 1182 run_client mbedTLS $i
markrad 0:cdf462088d13 1183 done
markrad 0:cdf462088d13 1184 stop_server
markrad 0:cdf462088d13 1185 fi
markrad 0:cdf462088d13 1186
markrad 0:cdf462088d13 1187 if [ "X" != "X$G_CIPHERS" ]; then
markrad 0:cdf462088d13 1188 start_server "mbedTLS"
markrad 0:cdf462088d13 1189 for i in $G_CIPHERS; do
markrad 0:cdf462088d13 1190 run_client GnuTLS $i
markrad 0:cdf462088d13 1191 done
markrad 0:cdf462088d13 1192 stop_server
markrad 0:cdf462088d13 1193 fi
markrad 0:cdf462088d13 1194
markrad 0:cdf462088d13 1195 ;;
markrad 0:cdf462088d13 1196
markrad 0:cdf462088d13 1197 mbed*)
markrad 0:cdf462088d13 1198
markrad 0:cdf462088d13 1199 reset_ciphersuites
markrad 0:cdf462088d13 1200 add_common_ciphersuites
markrad 0:cdf462088d13 1201 add_openssl_ciphersuites
markrad 0:cdf462088d13 1202 add_gnutls_ciphersuites
markrad 0:cdf462088d13 1203 add_mbedtls_ciphersuites
markrad 0:cdf462088d13 1204 filter_ciphersuites
markrad 0:cdf462088d13 1205
markrad 0:cdf462088d13 1206 if [ "X" != "X$M_CIPHERS" ]; then
markrad 0:cdf462088d13 1207 start_server "mbedTLS"
markrad 0:cdf462088d13 1208 for i in $M_CIPHERS; do
markrad 0:cdf462088d13 1209 run_client mbedTLS $i
markrad 0:cdf462088d13 1210 done
markrad 0:cdf462088d13 1211 stop_server
markrad 0:cdf462088d13 1212 fi
markrad 0:cdf462088d13 1213
markrad 0:cdf462088d13 1214 ;;
markrad 0:cdf462088d13 1215
markrad 0:cdf462088d13 1216 *)
markrad 0:cdf462088d13 1217 echo "Unknown peer: $PEER" >&2
markrad 0:cdf462088d13 1218 exit 1
markrad 0:cdf462088d13 1219 ;;
markrad 0:cdf462088d13 1220
markrad 0:cdf462088d13 1221 esac
markrad 0:cdf462088d13 1222
markrad 0:cdf462088d13 1223 done
markrad 0:cdf462088d13 1224 done
markrad 0:cdf462088d13 1225 done
markrad 0:cdf462088d13 1226 done
markrad 0:cdf462088d13 1227
markrad 0:cdf462088d13 1228 echo "------------------------------------------------------------------------"
markrad 0:cdf462088d13 1229
markrad 0:cdf462088d13 1230 if [ $FAILED -ne 0 -o $SRVMEM -ne 0 ];
markrad 0:cdf462088d13 1231 then
markrad 0:cdf462088d13 1232 printf "FAILED"
markrad 0:cdf462088d13 1233 else
markrad 0:cdf462088d13 1234 printf "PASSED"
markrad 0:cdf462088d13 1235 fi
markrad 0:cdf462088d13 1236
markrad 0:cdf462088d13 1237 if [ "$MEMCHECK" -gt 0 ]; then
markrad 0:cdf462088d13 1238 MEMREPORT=", $SRVMEM server memory errors"
markrad 0:cdf462088d13 1239 else
markrad 0:cdf462088d13 1240 MEMREPORT=""
markrad 0:cdf462088d13 1241 fi
markrad 0:cdf462088d13 1242
markrad 0:cdf462088d13 1243 PASSED=$(( $TESTS - $FAILED ))
markrad 0:cdf462088d13 1244 echo " ($PASSED / $TESTS tests ($SKIPPED skipped$MEMREPORT))"
markrad 0:cdf462088d13 1245
markrad 0:cdf462088d13 1246 FAILED=$(( $FAILED + $SRVMEM ))
markrad 0:cdf462088d13 1247 exit $FAILED