testcompat: added interop tests with polarssl
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Mon, 3 Nov 2014 16:31:47 +0000 (17:31 +0100)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Tue, 4 Nov 2014 08:14:32 +0000 (09:14 +0100)
tests/suite/Makefile.am
tests/suite/testcompat
tests/suite/testcompat-common [new file with mode: 0644]
tests/suite/testcompat-main
tests/suite/testcompat-polarssl [new file with mode: 0755]

index d3319e6b76fd32e7e3744bb478812685d4638878..6fc3d7efe2a999aa8f0037d63fde1cf5b52c518b 100644 (file)
@@ -87,7 +87,7 @@ nodist_libecore_la_SOURCES = ecore/src/lib/ecore_anim.c                       \
 
 nodist_check_SCRIPTS = eagain testsrn testcompat chain invalid-cert testrandom \
        testpkcs11 testpkcs11.pkcs15 testpkcs11.softhsm testpkcs11.sc-hsm \
-       testrng
+       testrng testcompat-polarssl testcompat-main testcompat-common
 
 TESTS = ciphersuite/test-ciphersuites.sh eagain testsrn testcompat chain invalid-cert \
        testpkcs11 testrng
index 2fc6fee8f855043cf92b67979c0fa573a670c2d8..f03b6a696244f63f3b221ce7a29c51b00ad9d242 100755 (executable)
@@ -39,4 +39,5 @@ if test "$TSTAMP" != "1158969600"; then
     exit 77
 fi
 
-datefudge "2011-06-22" ./testcompat-main
+datefudge "2012-09-2" ./testcompat-polarssl
+datefudge "2012-09-2" ./testcompat-main
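Review bot: The exit status of the new `datefudge "2012-09-2" ./testcompat-polarssl` line is discarded, so a failing PolarSSL interop run is only reported when `./testcompat-main` also fails, unless the top of this script (outside the hunk) enables `set -e`. Make it fatal explicitly, e.g. `datefudge "2012-09-2" ./testcompat-polarssl || exit 1`, or record both statuses and exit non-zero if either run failed. `2012-09-2` is also an unusual date spelling; `2012-09-02` would be the unambiguous form on both lines.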
diff --git a/tests/suite/testcompat-common b/tests/suite/testcompat-common
new file mode 100644 (file)
index 0000000..eca7c7b
--- /dev/null
@@ -0,0 +1,49 @@
+#!/bin/sh
+
+# Copyright (C) 2014 Red Hat, Inc.
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+DSA_CERT=$srcdir/../dsa/cert.dsa.1024.pem
+DSA_KEY=$srcdir/../dsa/dsa.1024.pem
+
+RSA_CERT=$srcdir/../certs/cert-rsa-2432.pem
+RSA_KEY=$srcdir/../certs/rsa-2432.pem
+
+CA_CERT=$srcdir/../../doc/credentials/x509/ca.pem
+CLI_CERT=$srcdir/../../doc/credentials/x509/clicert.pem
+CLI_KEY=$srcdir/../../doc/credentials/x509/clikey.pem
+
+CA_ECC_CERT=$srcdir/../certs/ca-cert-ecc.pem
+ECC224_CERT=$srcdir/../certs/cert-ecc.pem
+ECC224_KEY=$srcdir/../certs/ecc.pem
+
+ECC256_CERT=$srcdir/../certs/cert-ecc256.pem
+ECC256_KEY=$srcdir/../certs/ecc256.pem
+
+ECC521_CERT=$srcdir/../certs/cert-ecc521.pem
+ECC521_KEY=$srcdir/../certs/ecc521.pem
+
+ECC384_CERT=$srcdir/../certs/cert-ecc384.pem
+ECC384_KEY=$srcdir/../certs/ecc384.pem
+
+SERV_CERT=$srcdir/../../doc/credentials/x509/cert-rsa.pem
+SERV_KEY=$srcdir/../../doc/credentials/x509/key-rsa.pem
+SERV_DSA_CERT=$srcdir/../../doc/credentials/x509/cert-dsa.pem
+SERV_DSA_KEY=$srcdir/../../doc/credentials/x509/key-dsa.pem
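Review bot: The new file carries no comment describing how it is meant to be used: it is a sourced fragment (mode 0644, added to the callers with `.`) that assumes `srcdir` is already set by the caller, while the `#!/bin/sh` line suggests a standalone script. Add a short header after the license, e.g. `# Shared certificate and key paths for the testcompat-* scripts.` / `# Source this file with '.' after srcdir has been set; it is not meant to be executed.` That would also explain why `$srcdir` has no default here, unlike `srcdir="${srcdir:-.}"` at the top of testcompat-polarssl.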
index 7f468211e20d591b74a6180242af6b99e6e540d0..a1f5a314eaf0927b1d46f7c1d65d2becb384c3d8 100755 (executable)
@@ -49,37 +49,11 @@ fi
 $SERV version|grep -e 1\.0\.1 >/dev/null 2>&1
 SV2=$?
 
-DSA_CERT=$srcdir/../dsa/cert.dsa.1024.pem
-DSA_KEY=$srcdir/../dsa/dsa.1024.pem
+. ./testcompat-common
 
-RSA_CERT=$srcdir/../certs/cert-rsa-2432.pem
-RSA_KEY=$srcdir/../certs/rsa-2432.pem
-
-CA_CERT=$srcdir/../../doc/credentials/x509/ca.pem
-CLI_CERT=$srcdir/../../doc/credentials/x509/clicert.pem
-CLI_KEY=$srcdir/../../doc/credentials/x509/clikey.pem
-
-CA_ECC_CERT=$srcdir/../certs/ca-cert-ecc.pem
-ECC224_CERT=$srcdir/../certs/cert-ecc.pem
-ECC224_KEY=$srcdir/../certs/ecc.pem
-
-ECC256_CERT=$srcdir/../certs/cert-ecc256.pem
-ECC256_KEY=$srcdir/../certs/ecc256.pem
-
-ECC521_CERT=$srcdir/../certs/cert-ecc521.pem
-ECC521_KEY=$srcdir/../certs/ecc521.pem
-
-ECC384_CERT=$srcdir/../certs/cert-ecc384.pem
-ECC384_KEY=$srcdir/../certs/ecc384.pem
-
-SERV_CERT=$srcdir/../../doc/credentials/x509/cert-rsa.pem
-SERV_KEY=$srcdir/../../doc/credentials/x509/key-rsa.pem
-SERV_DSA_CERT=$srcdir/../../doc/credentials/x509/cert-dsa.pem
-SERV_DSA_KEY=$srcdir/../../doc/credentials/x509/key-dsa.pem
-
-echo "#####################"
-echo "# Client mode tests #"
-echo "#####################"
+echo "#################################################"
+echo "# Client mode tests (gnutls cli-openssl server) #"
+echo "#################################################"
 
 
 launch_bare_server $$ s_server -quiet -www -accept $PORT -keyform pem -certform pem -ssl3 -dhparam params.dh -key $RSA_KEY -cert $RSA_CERT -dkey $DSA_KEY -dcert $DSA_CERT -Verify 1 -CAfile $CA_CERT &
@@ -302,11 +276,10 @@ wait
 
 echo "Client mode tests were successfully completed"
 echo ""
-echo "#####################"
-echo "# Server mode tests #"
-echo "#####################"
+echo "###############################################"
+echo "# Server mode tests (gnutls server-openssl cli#"
+echo "###############################################"
 SERV="../../src/gnutls-serv$EXEEXT -q"
-PORT="5559"
 
 # Note that openssl s_client does not return error code on failure
 
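Review bot: `. ./testcompat-common` in the first hunk locates the fragment relative to the current directory, whereas the other suite files are found through `$srcdir` (testcompat-polarssl sources `$srcdir/../scripts/common.sh` that way), so running the suite from a build directory that differs from the source directory makes the `.` fail while the `$srcdir` lookups still work. Sourcing it as `. "$srcdir/testcompat-common"` keeps the two lookups consistent, assuming this script defines srcdir above the hunk as testcompat-polarssl does at its top; the same applies to the `. ./testcompat-common` line in testcompat-polarssl. In the second hunk the banner `# Server mode tests (gnutls server-openssl cli#` lost its closing parenthesis; `# Server mode tests (gnutls server-openssl cli) #` with the two `#` rules widened by one keeps the box aligned. The rest of the script lies outside both hunks.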
diff --git a/tests/suite/testcompat-polarssl b/tests/suite/testcompat-polarssl
new file mode 100755 (executable)
index 0000000..86e57d4
--- /dev/null
@@ -0,0 +1,256 @@
+#!/bin/sh
+
+# Copyright (C) 2014 Red Hat, Inc.
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+srcdir="${srcdir:-.}"
+CLI="${CLI:-../../src/gnutls-cli$EXEEXT}"
+LOGFILE=polarssl.log
+unset RETCODE
+if ! test -z "${VALGRIND}";then
+VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}"
+fi
+
+if test "${WINDIR}" != "";then
+  exit 77
+fi 
+
+. $srcdir/../scripts/common.sh
+
+PORT="${PORT:-$RPORT}"
+POLARSSL_CLI="/usr/libexec/polarssl/ssl_client2"
+
+TXT=`$CLI --priority NORMAL --list|grep SECP224`
+if test -z $TEXT;then
+       ALL_CURVES=0
+else
+       ALL_CURVES=1
+fi
+
+VERSION=`grep released /usr/share/doc/polarssl/ChangeLog|head -1|cut -d ' ' -f 3`
+
+echo "Compatibility checks using polarssl "$VERSION
+echo $VERSION|grep -e 1\.3\. >/dev/null 2>&1
+SV=$?
+if test $SV != 0;then
+  echo "PolarSSL 1.3.x is required for the tests to run"
+  exit 77
+fi
+
+. ./testcompat-common
+
+echo ""
+echo "##################################################"
+echo "# Server mode tests (gnutls server-polarssl cli) #"
+echo "##################################################"
+SERV="../../src/gnutls-serv$EXEEXT -q"
+
+rm -f $LOGFILE
+
+echo "Check SSL 3.0 with RSA ciphersuite"
+launch_server $$  --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+RSA" --x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT --dhparams params.dh  & PID=$!
+wait_server $PID
+
+$POLARSSL_CLI server_port=$PORT server_name=localhost max_version=ssl3 crt_file=$CLI_CERT key_file=$CLI_KEY ca_file=$CA_CERT </dev/null >>$LOGFILE 2>&1 || \
+  fail $PID "Failed"
+
+kill $PID
+wait
+
+echo "Check SSL 3.0 with DHE-RSA ciphersuite"
+launch_server $$  --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+DHE-RSA" --x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT --dhparams params.dh  & PID=$!
+wait_server $PID
+
+$POLARSSL_CLI server_name=localhost server_port=$PORT max_version=ssl3 crt_file=$CLI_CERT key_file=$CLI_KEY ca_file=$CA_CERT </dev/null >>$LOGFILE 2>&1 || \
+  fail $PID "Failed"
+
+kill $PID
+wait
+
+# No DSS for polarssl
+#echo "Check SSL 3.0 with DHE-DSS ciphersuite"
+#launch_server $$  --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+DHE-DSS" --x509certfile $SERV_DSA_CERT --x509keyfile $SERV_DSA_KEY --dhparams params.dh  & PID=$!
+#wait_server $PID
+
+#$POLARSSL_CLI server_name=localhost server_port=$PORT max_version=ssl3 crt_file=$CLI_CERT key_file=$CLI_KEY ca_file=$CA_CERT </dev/null >>$LOGFILE 2>&1 || \
+#  fail $PID "Failed"
+#
+#kill $PID
+#wait
+
+#TLS 1.0
+
+echo "Check TLS 1.0 with DHE-RSA ciphersuite"
+launch_server $$  --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-RSA" --x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT --dhparams params.dh  & PID=$!
+wait_server $PID
+
+$POLARSSL_CLI  server_name=localhost min_version=tls1 max_version=tls1 server_port=$PORT crt_file=$CLI_CERT key_file=$CLI_KEY ca_file=$CA_CERT </dev/null >>$LOGFILE 2>&1 || \
+  fail $PID "Failed"
+
+kill $PID
+wait
+
+#echo "Check TLS 1.0 with DHE-DSS ciphersuite"
+#launch_server $$  --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-DSS" --x509certfile $SERV_DSA_CERT --x509keyfile $SERV_DSA_KEY --dhparams params.dh  & PID=$!
+#wait_server $PID
+
+#$POLARSSL_CLI  server_name=localhost min_version=tls1 max_version=tls1 server_port=$PORT crt_file=$CLI_CERT key_file=$CLI_KEY ca_file=$CA_CERT </dev/null >>$LOGFILE 2>&1 || \
+#  fail $PID "Failed"
+
+#kill $PID
+#wait
+
+echo "Check TLS 1.0 with ECDHE-RSA ciphersuite"
+launch_server $$  --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-RSA:+CURVE-ALL" --x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT & PID=$!
+wait_server $PID
+
+#-cipher ECDHE-RSA-AES128-SHA 
+$POLARSSL_CLI  server_name=localhost min_version=tls1 max_version=tls1 server_port=$PORT crt_file=$CLI_CERT key_file=$CLI_KEY ca_file=$CA_CERT </dev/null >>$LOGFILE 2>&1 || \
+  fail $PID "Failed"
+
+kill $PID
+wait
+
+if test $ALL_CURVES = 1;then
+       echo "Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP224R1)"
+       launch_server $$  --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL" --x509certfile $ECC224_CERT --x509keyfile $ECC224_KEY --x509cafile $CA_ECC_CERT & PID=$!
+       wait_server $PID
+
+       #-cipher ECDHE-ECDSA-AES128-SHA 
+       $POLARSSL_CLI  server_name=localhost min_version=tls1 max_version=tls1 server_port=$PORT crt_file=$ECC224_CERT key_file=$ECC224_KEY ca_file=$CA_ECC_CERT </dev/null >>$LOGFILE 2>&1 || \
+         fail $PID "Failed"
+
+         kill $PID
+         wait
+fi
+
+echo "Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP256R1)"
+launch_server $$  --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL" --x509certfile $ECC256_CERT --x509keyfile $ECC256_KEY --x509cafile $CA_ECC_CERT & PID=$!
+wait_server $PID
+
+#-cipher ECDHE-ECDSA-AES128-SHA 
+$POLARSSL_CLI  server_name=localhost min_version=tls1 max_version=tls1 server_port=$PORT crt_file=$ECC256_CERT key_file=$ECC256_KEY ca_file=$CA_ECC_CERT </dev/null >>$LOGFILE 2>&1 || \
+  fail $PID "Failed"
+
+kill $PID
+wait
+
+echo "Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP384R1)"
+launch_server $$  --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL" --x509certfile $ECC384_CERT --x509keyfile $ECC384_KEY --x509cafile $CA_ECC_CERT & PID=$!
+wait_server $PID
+
+#-cipher ECDHE-ECDSA-AES128-SHA 
+$POLARSSL_CLI  server_name=localhost min_version=tls1 max_version=tls1 server_port=$PORT crt_file=$ECC384_CERT key_file=$ECC384_KEY ca_file=$CA_ECC_CERT </dev/null >>$LOGFILE 2>&1 || \
+  fail $PID "Failed"
+
+kill $PID
+wait
+
+echo "Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP521R1)"
+launch_server $$  --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL" --x509certfile $ECC521_CERT --x509keyfile $ECC521_KEY --x509cafile $CA_ECC_CERT & PID=$!
+wait_server $PID
+
+#-cipher ECDHE-ECDSA-AES128-SHA 
+$POLARSSL_CLI  server_name=localhost min_version=tls1 max_version=tls1 server_port=$PORT crt_file=$ECC521_CERT key_file=$ECC521_KEY ca_file=$CA_ECC_CERT </dev/null >>$LOGFILE 2>&1 || \
+  fail $PID "Failed"
+
+kill $PID
+wait
+
+echo "Check TLS 1.2 with DHE-RSA ciphersuite"
+launch_server $$  --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA" --x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT --dhparams params.dh  & PID=$!
+wait_server $PID
+
+$POLARSSL_CLI  server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port=$PORT crt_file=$CLI_CERT key_file=$CLI_KEY ca_file=$CA_CERT </dev/null >>$LOGFILE 2>&1 || \
+  fail $PID "Failed"
+
+kill $PID
+wait
+
+#echo "Check TLS 1.2 with DHE-DSS ciphersuite"
+#launch_server $$  --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-DSS" --x509certfile $SERV_DSA_CERT --x509keyfile $SERV_DSA_KEY --dhparams params.dh  & PID=$!
+#wait_server $PID
+#
+#$POLARSSL_CLI  server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port=$PORT crt_file=$CLI_CERT key_file=$CLI_KEY ca_file=$CA_CERT </dev/null >>$LOGFILE 2>&1 || \
+#  fail $PID "Failed"
+#
+#kill $PID
+#wait
+
+echo "Check TLS 1.2 with ECDHE-RSA ciphersuite"
+launch_server $$  --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-RSA:+CURVE-ALL" --x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT & PID=$!
+wait_server $PID
+
+#-cipher ECDHE-RSA-AES128-SHA 
+$POLARSSL_CLI  server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port=$PORT crt_file=$CLI_CERT key_file=$CLI_KEY ca_file=$CA_CERT </dev/null >>$LOGFILE 2>&1 || \
+  fail $PID "Failed"
+
+kill $PID
+wait
+
+if test $ALL_CURVES = 1;then
+       echo "Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP224R1)"
+       launch_server $$  --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL" --x509certfile $ECC224_CERT --x509keyfile $ECC224_KEY --x509cafile $CA_ECC_CERT & PID=$!
+       wait_server $PID
+
+       #-cipher ECDHE-ECDSA-AES128-SHA 
+       $POLARSSL_CLI  server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port=$PORT crt_file=$ECC224_CERT key_file=$ECC224_KEY ca_file=$CA_ECC_CERT </dev/null >>$LOGFILE 2>&1 || \
+         fail $PID "Failed"
+
+         kill $PID
+         wait
+fi
+
+echo "Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP256R1)"
+launch_server $$  --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL" --x509certfile $ECC256_CERT --x509keyfile $ECC256_KEY --x509cafile $CA_ECC_CERT & PID=$!
+wait_server $PID
+
+#-cipher ECDHE-ECDSA-AES128-SHA 
+$POLARSSL_CLI  server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port=$PORT crt_file=$ECC256_CERT key_file=$ECC256_KEY ca_file=$CA_ECC_CERT </dev/null >>$LOGFILE 2>&1 || \
+  fail $PID "Failed"
+
+kill $PID
+wait
+
+echo "Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP384R1)"
+launch_server $$  --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL" --x509certfile $ECC384_CERT --x509keyfile $ECC384_KEY --x509cafile $CA_ECC_CERT & PID=$!
+wait_server $PID
+
+#-cipher ECDHE-ECDSA-AES128-SHA 
+$POLARSSL_CLI  server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port=$PORT crt_file=$ECC384_CERT key_file=$ECC384_KEY ca_file=$CA_ECC_CERT </dev/null >>$LOGFILE 2>&1 || \
+  fail $PID "Failed"
+
+kill $PID
+wait
+
+echo "Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP521R1)"
+launch_server $$  --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL" --x509certfile $ECC521_CERT --x509keyfile $ECC521_KEY --x509cafile $CA_ECC_CERT & PID=$!
+wait_server $PID
+
+#-cipher ECDHE-ECDSA-AES128-SHA 
+$POLARSSL_CLI  server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port=$PORT crt_file=$ECC521_CERT key_file=$ECC521_KEY ca_file=$CA_ECC_CERT </dev/null >>$LOGFILE 2>&1 || \
+  fail $PID "Failed"
+
+kill $PID
+wait
+
+rm -f $LOGFILE
+
+exit 0
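Review bot: `if test -z $TEXT;then` tests a variable that is never assigned (the grep output two lines earlier goes into `TXT`), so `ALL_CURVES` is always 0 and the two SECP224R1 cases guarded by `if test $ALL_CURVES = 1` never run; it should read `if test -z "$TXT";then`, quoted because the grep output contains spaces. `POLARSSL_CLI` is a fixed `/usr/libexec/polarssl/ssl_client2` path that is never checked, so on a host that has the polarssl ChangeLog but not the client binary every case fails instead of the script skipping; `test -x "$POLARSSL_CLI" || exit 77` right after the assignment would match the existing version-check behaviour. The `kill $PID`/`wait` pairs inside the two ALL_CURVES blocks are indented one level deeper than the commands around them, which reads as if they belonged to a nested block.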