GnuTLS in compat.sh: server-side

2024-11-26 03:45:38 +01:00 · 2014-02-28 12:42:57 +01:00 · 2014-02-28 12:42:57 +01:00 · 5b2d776d2a
commit 5b2d776d2a
parent 3eec60402f
3 changed files with 163 additions and 93 deletions
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@ -1050,6 +1050,9 @@ exit:
        char error_buf[100];
        polarssl_strerror( ret, error_buf, 100 );
        printf("Last error was: -0x%X - %s\n\n", -ret, error_buf );
        if( ret == POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY )
            ret = 0;
    }
 #endif
--- a/tests/compat.sh
+++ b/tests/compat.sh
@ -90,11 +90,25 @@ filter()
  echo "$NEW_LIST" | sed -e 's/[[:space:]]\+/ /g' -e 's/^ //' -e 's/ $//'
 }
-setup_ciphersuites()
+filter_ciphersuites()
 {
    if [ "X" != "X$FILTER" ];
    then
        P_CIPHERS=$( filter "$P_CIPHERS" "$FILTER" )
        O_CIPHERS=$( filter "$O_CIPHERS" "$FILTER" )
        G_CIPHERS=$( filter "$G_CIPHERS" "$FILTER" )
    fi
 }
 reset_ciphersuites()
 {
    P_CIPHERS=""
    O_CIPHERS=""
    G_CIPHERS=""
 }
 add_openssl_ciphersuites()
 {
    case $TYPE in
        "ECDSA")
@ -254,54 +268,31 @@ setup_ciphersuites()
                "
            ;;
    esac
    # Filter ciphersuites
    if [ "X" != "X$FILTER" ];
    then
        O_CIPHERS=$( filter "$O_CIPHERS" "$FILTER" )
        P_CIPHERS=$( filter "$P_CIPHERS" "$FILTER" )
    fi
 }
-add_polarssl_ciphersuites()
+add_gnutls_ciphersuites()
 {
-    ADD_CIPHERS=""
+    # TODO: add to G_CIPHERS too
    case $TYPE in
        "ECDSA")
            if [ "$MODE" != "ssl3" ];
            then
                ADD_CIPHERS="$ADD_CIPHERS                           \
                    TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA256    \
                    TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA384    \
                    TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA256     \
                    TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384     \
                    "
            fi
            if [ "$MODE" = "tls1_2" ];
            then
-                ADD_CIPHERS="$ADD_CIPHERS                           \
+                P_CIPHERS="$P_CIPHERS                               \
                    TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA256    \
                    TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA384    \
                    TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-GCM-SHA256    \
                    TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-GCM-SHA384    \
                    TLS-ECDH-ECDSA-WITH-CAMELLIA-128-GCM-SHA256     \
                    TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384     \
                    "
            fi
            ;;
        "RSA")
            if [ "$MODE" != "ssl3" ];
            then
                ADD_CIPHERS="$ADD_CIPHERS                       \
                    TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA256  \
                    TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA384  \
                    "
            fi
            if [ "$MODE" = "tls1_2" ];
            then
-                ADD_CIPHERS="$ADD_CIPHERS                       \
+                P_CIPHERS="$P_CIPHERS                           \
                    TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA256  \
                    TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA384  \
                    TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256        \
                    TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256        \
                    TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256    \
@ -317,57 +308,50 @@ add_polarssl_ciphersuites()
            ;;
        "PSK")
-            ADD_CIPHERS="$ADD_CIPHERS                    \
+            # GnuTLS 3.2.11 (2014-02-13) requires TLS 1.x for most *PSK suites
                TLS-DHE-PSK-WITH-RC4-128-SHA             \
                TLS-DHE-PSK-WITH-3DES-EDE-CBC-SHA        \
                TLS-DHE-PSK-WITH-AES-128-CBC-SHA         \
                TLS-DHE-PSK-WITH-AES-256-CBC-SHA         \
                TLS-DHE-PSK-WITH-NULL-SHA                \
                TLS-PSK-WITH-NULL-SHA                    \
                TLS-RSA-PSK-WITH-RC4-128-SHA             \
                TLS-RSA-PSK-WITH-3DES-EDE-CBC-SHA        \
                TLS-RSA-PSK-WITH-AES-256-CBC-SHA         \
                TLS-RSA-PSK-WITH-AES-128-CBC-SHA         \
                TLS-RSA-WITH-NULL-SHA                    \
                TLS-RSA-WITH-NULL-MD5                    \
                TLS-PSK-WITH-AES-128-CBC-SHA256          \
                TLS-PSK-WITH-AES-256-CBC-SHA384          \
                TLS-DHE-PSK-WITH-AES-128-CBC-SHA256      \
                TLS-DHE-PSK-WITH-AES-256-CBC-SHA384      \
                TLS-PSK-WITH-NULL-SHA256                 \
                TLS-PSK-WITH-NULL-SHA384                 \
                TLS-DHE-PSK-WITH-NULL-SHA256             \
                TLS-DHE-PSK-WITH-NULL-SHA384             \
                TLS-RSA-PSK-WITH-AES-256-CBC-SHA384      \
                TLS-RSA-PSK-WITH-AES-128-CBC-SHA256      \
                TLS-RSA-PSK-WITH-NULL-SHA256             \
                TLS-RSA-PSK-WITH-NULL-SHA384             \
                TLS-DHE-PSK-WITH-CAMELLIA-128-CBC-SHA256 \
                TLS-DHE-PSK-WITH-CAMELLIA-256-CBC-SHA384 \
                TLS-PSK-WITH-CAMELLIA-128-CBC-SHA256     \
                TLS-PSK-WITH-CAMELLIA-256-CBC-SHA384     \
                TLS-RSA-PSK-WITH-CAMELLIA-256-CBC-SHA384 \
                TLS-RSA-PSK-WITH-CAMELLIA-128-CBC-SHA256 \
                "
            if [ "$MODE" != "ssl3" ];
            then
-                ADD_CIPHERS="$ADD_CIPHERS                       \
+                P_CIPHERS="$P_CIPHERS                           \
                    TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA          \
                    TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA          \
                    TLS-ECDHE-PSK-WITH-3DES-EDE-CBC-SHA         \
-                    TLS-ECDHE-PSK-WITH-RC4-128-SHA              \
+                    TLS-DHE-PSK-WITH-3DES-EDE-CBC-SHA           \
-                    TLS-ECDHE-PSK-WITH-NULL-SHA                 \
+                    TLS-DHE-PSK-WITH-AES-128-CBC-SHA            \
                    TLS-DHE-PSK-WITH-AES-256-CBC-SHA            \
                    TLS-RSA-PSK-WITH-3DES-EDE-CBC-SHA           \
                    TLS-RSA-PSK-WITH-AES-256-CBC-SHA            \
                    TLS-RSA-PSK-WITH-AES-128-CBC-SHA            \
                    TLS-RSA-WITH-NULL-SHA                       \
                    TLS-RSA-WITH-NULL-MD5                       \
                    "
            fi
            if [ "$MODE" = "tls1_2" ];
            then
                P_CIPHERS="$P_CIPHERS                           \
                    TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384       \
                    TLS-ECDHE-PSK-WITH-CAMELLIA-256-CBC-SHA384  \
                    TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256       \
                    TLS-ECDHE-PSK-WITH-CAMELLIA-128-CBC-SHA256  \
                    TLS-ECDHE-PSK-WITH-NULL-SHA384              \
                    TLS-ECDHE-PSK-WITH-NULL-SHA256              \
-                    "
+                    TLS-PSK-WITH-AES-128-CBC-SHA256             \
-            fi
+                    TLS-PSK-WITH-AES-256-CBC-SHA384             \
-            if [ "$MODE" = "tls1_2" ];
+                    TLS-DHE-PSK-WITH-AES-128-CBC-SHA256         \
-            then
+                    TLS-DHE-PSK-WITH-AES-256-CBC-SHA384         \
-                ADD_CIPHERS="$ADD_CIPHERS                       \
+                    TLS-PSK-WITH-NULL-SHA256                    \
                    TLS-PSK-WITH-NULL-SHA384                    \
                    TLS-DHE-PSK-WITH-NULL-SHA256                \
                    TLS-DHE-PSK-WITH-NULL-SHA384                \
                    TLS-RSA-PSK-WITH-AES-256-CBC-SHA384         \
                    TLS-RSA-PSK-WITH-AES-128-CBC-SHA256         \
                    TLS-RSA-PSK-WITH-NULL-SHA256                \
                    TLS-RSA-PSK-WITH-NULL-SHA384                \
                    TLS-DHE-PSK-WITH-CAMELLIA-128-CBC-SHA256    \
                    TLS-DHE-PSK-WITH-CAMELLIA-256-CBC-SHA384    \
                    TLS-PSK-WITH-CAMELLIA-128-CBC-SHA256        \
                    TLS-PSK-WITH-CAMELLIA-256-CBC-SHA384        \
                    TLS-RSA-PSK-WITH-CAMELLIA-256-CBC-SHA384    \
                    TLS-RSA-PSK-WITH-CAMELLIA-128-CBC-SHA256    \
                    TLS-PSK-WITH-AES-128-GCM-SHA256             \
                    TLS-PSK-WITH-AES-256-GCM-SHA384             \
                    TLS-DHE-PSK-WITH-AES-128-GCM-SHA256         \
@ -385,24 +369,64 @@ add_polarssl_ciphersuites()
            fi
            ;;
    esac
 }
-    # Filter new ciphersuites and add them
+add_polarssl_ciphersuites()
-    if [ "X" != "X$FILTER" ]; then
+{
-        ADD_CIPHERS=$( filter "$ADD_CIPHERS" "$FILTER" )
+    case $TYPE in
-    fi
+
-    # avoid P_CIPHERS being only ' '
+        "ECDSA")
-    if [ "X" != "X$P_CIPHERS" ]; then
+            if [ "$MODE" != "ssl3" ];
-        P_CIPHERS="$P_CIPHERS $ADD_CIPHERS"
+            then
-    else
+                P_CIPHERS="$P_CIPHERS                               \
-        P_CIPHERS="$ADD_CIPHERS"
+                    TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA256     \
-    fi
+                    TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384     \
                    "
            fi
            if [ "$MODE" = "tls1_2" ];
            then
                P_CIPHERS="$P_CIPHERS                               \
                    TLS-ECDH-ECDSA-WITH-CAMELLIA-128-GCM-SHA256     \
                    TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384     \
                    "
            fi
            ;;
        "RSA")
            ;;
        "PSK")
            P_CIPHERS="$P_CIPHERS                        \
                TLS-PSK-WITH-NULL-SHA                    \
                TLS-DHE-PSK-WITH-RC4-128-SHA             \
                TLS-DHE-PSK-WITH-NULL-SHA                \
                TLS-RSA-PSK-WITH-RC4-128-SHA             \
                "
            if [ "$MODE" != "ssl3" ];
            then
                P_CIPHERS="$P_CIPHERS                    \
                    TLS-ECDHE-PSK-WITH-RC4-128-SHA       \
                    TLS-ECDHE-PSK-WITH-NULL-SHA          \
                    "
            fi
            ;;
    esac
 }
 setup_arguments()
 {
    # avoid an avalanche of errors due to typos
    case $MODE in
-        ssl3|tls1|tls1_1|tls1_2)
+        "ssl3")
            G_PRIO_MODE="+VERS-SSL3.0"
            ;;
        "tls1")
            G_PRIO_MODE="+VERS-TLS1.0"
            ;;
        "tls1_1")
            G_PRIO_MODE="+VERS-TLS1.1"
            ;;
        "tls1_2")
            G_PRIO_MODE="+VERS-TLS1.2"
            ;;
        *)
            echo "error: invalid mode: $MODE" >&2
@ -410,20 +434,26 @@ setup_arguments()
    esac
    P_SERVER_ARGS="server_addr=0.0.0.0 force_version=$MODE"
-    P_CLIENT_ARGS="server_name=localhost force_version=$MODE"
+    O_SERVER_ARGS="-www -cipher NULL,ALL -$MODE"
-    O_SERVER_ARGS="-www -quiet -cipher NULL,ALL -$MODE"
+    G_SERVER_ARGS="-p 4433 --http"
    G_PRIO_BASE="EXPORT:+PSK:+DHE-PSK:+ECDHE-PSK:+RSA-PSK:-VERS-TLS-ALL"
    P_CLIENT_ARGS="force_version=$MODE"
    O_CLIENT_ARGS="-$MODE"
    if [ "X$VERIFY" = "XYES" ];
    then
        P_SERVER_ARGS="$P_SERVER_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required"
        P_CLIENT_ARGS="$P_CLIENT_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required"
        O_SERVER_ARGS="$O_SERVER_ARGS -CAfile data_files/test-ca_cat12.crt -Verify 10"
        G_SERVER_ARGS="$G_SERVER_ARGS --x509cafile data_files/test-ca_cat12.crt --require-client-cert"
        P_CLIENT_ARGS="$P_CLIENT_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required"
        O_CLIENT_ARGS="$O_CLIENT_ARGS -CAfile data_files/test-ca_cat12.crt -verify 10"
    else
-        # ssl_server2 defaults to optional, but we want to test handshakes
+        # don't request a client cert at all
        # that don't exchange client certificate at all too
        P_SERVER_ARGS="$P_SERVER_ARGS ca_file=none auth_mode=none"
        G_SERVER_ARGS="$G_SERVER_ARGS --disable-client-cert"
        # give dummy CA to clients
        P_CLIENT_ARGS="$P_CLIENT_ARGS ca_file=data_files/cli2.crt"
        O_CLIENT_ARGS="$O_CLIENT_ARGS -CAfile data_files/cli2.crt"
@ -433,6 +463,8 @@ setup_arguments()
        "ECDSA")
            P_SERVER_ARGS="$P_SERVER_ARGS crt_file=data_files/server5.crt key_file=data_files/server5.key"
            O_SERVER_ARGS="$O_SERVER_ARGS -cert data_files/server5.crt -key data_files/server5.key"
            G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
            if [ "X$VERIFY" = "XYES" ]; then
                P_CLIENT_ARGS="$P_CLIENT_ARGS crt_file=data_files/server6.crt key_file=data_files/server6.key"
                O_CLIENT_ARGS="$O_CLIENT_ARGS -cert data_files/server6.crt -key data_files/server6.key"
@ -444,6 +476,8 @@ setup_arguments()
        "RSA")
            P_SERVER_ARGS="$P_SERVER_ARGS crt_file=data_files/server2.crt key_file=data_files/server2.key"
            O_SERVER_ARGS="$O_SERVER_ARGS -cert data_files/server2.crt -key data_files/server2.key"
            G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile data_files/server2.crt --x509keyfile data_files/server2.key"
            if [ "X$VERIFY" = "XYES" ]; then
                P_CLIENT_ARGS="$P_CLIENT_ARGS crt_file=data_files/server1.crt key_file=data_files/server1.key"
                O_CLIENT_ARGS="$O_CLIENT_ARGS -cert data_files/server1.crt -key data_files/server1.key"
@ -453,11 +487,13 @@ setup_arguments()
            ;;
        "PSK")
-            # give our server a certificate for RSA-PSK
+            # give RSA-PSK-capable server a RSA cert
            # (should be a separate type, but harder to close with openssl)
            P_SERVER_ARGS="$P_SERVER_ARGS psk=6162636465666768696a6b6c6d6e6f70 ca_file=none crt_file=data_files/server2.crt key_file=data_files/server2.key"
            P_CLIENT_ARGS="$P_CLIENT_ARGS psk=6162636465666768696a6b6c6d6e6f70 crt_file=none key_file=none"
            O_SERVER_ARGS="$O_SERVER_ARGS -psk 6162636465666768696a6b6c6d6e6f70 -nocert"
            G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile data_files/server2.crt --x509keyfile data_files/server2.key --pskpasswd data_files/passwd.psk"
            P_CLIENT_ARGS="$P_CLIENT_ARGS psk=6162636465666768696a6b6c6d6e6f70 crt_file=none key_file=none"
            O_CLIENT_ARGS="$O_CLIENT_ARGS -psk 6162636465666768696a6b6c6d6e6f70"
            ;;
    esac
@ -486,6 +522,9 @@ start_server() {
        [Oo]pen*)
            SERVER_CMD="$OPENSSL s_server $O_SERVER_ARGS"
            ;;
        [Gg]nu*)
            SERVER_CMD="gnutls-serv $G_SERVER_ARGS --priority $G_PRIO_BASE:$G_PRIO_MODE"
            ;;
        [Pp]olar*)
            SERVER_CMD="$P_SRV $P_SERVER_ARGS"
            if [ "$MEMCHECK" -gt 0 ]; then
@ -642,7 +681,7 @@ fi
 get_options "$@"
-killall -q openssl ssl_server ssl_server2
+killall -q gnutls-serv openssl ssl_server ssl_server2
 trap cleanup INT TERM HUP
 for VERIFY in $VERIFIES; do
@ -650,7 +689,10 @@ for VERIFY in $VERIFIES; do
        for TYPE in $TYPES; do
            setup_arguments
-            setup_ciphersuites
+
            reset_ciphersuites
            add_openssl_ciphersuites
            filter_ciphersuites
            if [ "X" != "X$P_CIPHERS" ]; then
                start_server "OpenSSL"
@ -668,7 +710,31 @@ for VERIFY in $VERIFIES; do
                stop_server
            fi
            reset_ciphersuites
            add_gnutls_ciphersuites
            filter_ciphersuites
            if [ "X" != "X$P_CIPHERS" ]; then
                start_server "GnuTLS"
                for i in $P_CIPHERS; do
                    run_client PolarSSL $i
                done
                stop_server
            fi
            if [ "X" != "X$G_CIPHERS" ]; then
                start_server "PolarSSL"
                for i in $G_CIPHERS; do
                    run_client GnuTLS $i
                done
                stop_server
            fi
            reset_ciphersuites
            add_openssl_ciphersuites
            add_gnutls_ciphersuites
            add_polarssl_ciphersuites
            filter_ciphersuites
            if [ "X" != "X$P_CIPHERS" ]; then
                start_server "PolarSSL"
--- a/tests/data_files/passwd.psk
+++ b/tests/data_files/passwd.psk
@ -0,0 +1 @@
 Client_identity:6162636465666768696a6b6c6d6e6f70
		`@ -0,0 +1 @@`
							`Client_identity:6162636465666768696a6b6c6d6e6f70`