Add --exclude and --peers options to compat.sh

Manuel Pégourié-Gonnard 2014-03-13 17:45:35 +01:00
parent a4371447e4
commit 9edba77c06


@ -19,18 +19,23 @@ MODES="ssl3 tls1 tls1_1 tls1_2"
VERIFIES="NO YES" VERIFIES="NO YES"
TYPES="ECDSA RSA PSK" TYPES="ECDSA RSA PSK"
FILTER="" FILTER=""
EXCLUDE='NULL\|DES-CBC-' # avoid plain DES but keep 3DES-EDE-CBC (PolarSSL), DES-CBC3 (OpenSSL)
VERBOSE="" VERBOSE=""
PEERS="OpenSSL PolarSSL" # GnuTLS not enabled by default, 3.2.4 might not be available on all buildbot machines
MEMCHECK=0 MEMCHECK=0
print_usage() { print_usage() {
echo "Usage: $0" echo "Usage: $0"
echo -e " -f|--filter\tFilter ciphersuites to test (Default: all)" echo -e " -h|--help\tPrint this help."
echo -e " -h|--help\t\tPrint this help." echo -e " -f|--filter\tOnly matching ciphersuites are tested (Default: '$FILTER')"
echo -e " -m|--modes\tWhich modes to perform (Default: \"ssl3 tls1 tls1_1 tls1_2\")" echo -e " -e|--exclude\tMatching ciphersuites are excluded (Default: '$EXCLUDE')"
echo -e " -t|--types\tWhich key exchange type to perform (Default: \"ECDSA RSA PSK\")" echo -e " -m|--modes\tWhich modes to perform (Default: '$MODES')"
echo -e " -V|--verify\tWhich verification modes to perform (Default: \"NO YES\")" echo -e " -t|--types\tWhich key exchange type to perform (Default: '$TYPES')"
echo -e " -M, --memcheck\tCheck memory leaks and errors." echo -e " -V|--verify\tWhich verification modes to perform (Default: '$VERIFIES')"
echo -e " -v|--verbose\t\tSet verbose output." echo -e " -p|--peers\tWhich peers to use (Default: '$PEERS')"
echo -e " \tAlso available: GnuTLS (needs v3.2.4 or higher)"
echo -e " -M|--memcheck\tCheck memory leaks and errors."
echo -e " -v|--verbose\tSet verbose output."
} }
get_options() { get_options() {
@ -39,6 +44,9 @@ get_options() {
-f|--filter) -f|--filter)
shift; FILTER=$1 shift; FILTER=$1
;; ;;
-e|--exclude)
shift; EXCLUDE=$1
;;
-m|--modes) -m|--modes)
shift; MODES=$1 shift; MODES=$1
;; ;;
@ -48,6 +56,9 @@ get_options() {
-V|--verify) -V|--verify)
shift; VERIFIES=$1 shift; VERIFIES=$1
;; ;;
-p|--peers)
shift; PEERS=$1
;;
-v|--verbose) -v|--verbose)
VERBOSE=1 VERBOSE=1
;; ;;
@ -76,14 +87,12 @@ log() {
filter() filter()
{ {
LIST=$1 LIST="$1"
FILTER=$2
NEW_LIST="" NEW_LIST=""
for i in $LIST; for i in $LIST;
do do
NEW_LIST="$NEW_LIST $( echo "$i" | grep "$FILTER" )" NEW_LIST="$NEW_LIST $( echo "$i" | grep "$FILTER" | grep -v "$EXCLUDE" )"
done done
# normalize whitespace # normalize whitespace
@ -92,11 +101,11 @@ filter()
filter_ciphersuites() filter_ciphersuites()
{ {
if [ "X" != "X$FILTER" ]; if [ "X" != "X$FILTER" -o "X" != "X$EXCLUDE" ];
then then
P_CIPHERS=$( filter "$P_CIPHERS" "$FILTER" ) P_CIPHERS=$( filter "$P_CIPHERS" )
O_CIPHERS=$( filter "$O_CIPHERS" "$FILTER" ) O_CIPHERS=$( filter "$O_CIPHERS" )
G_CIPHERS=$( filter "$G_CIPHERS" "$FILTER" ) G_CIPHERS=$( filter "$G_CIPHERS" )
fi fi
} }
@ -272,7 +281,6 @@ add_openssl_ciphersuites()
add_gnutls_ciphersuites() add_gnutls_ciphersuites()
{ {
# TODO: add to G_CIPHERS too
case $TYPE in case $TYPE in
"ECDSA") "ECDSA")
@ -326,11 +334,10 @@ add_gnutls_ciphersuites()
+DHE-RSA:+CAMELLIA-256-GCM:+AEAD \ +DHE-RSA:+CAMELLIA-256-GCM:+AEAD \
+RSA:+CAMELLIA-128-GCM:+AEAD \ +RSA:+CAMELLIA-128-GCM:+AEAD \
+RSA:+CAMELLIA-256-GCM:+AEAD \ +RSA:+CAMELLIA-256-GCM:+AEAD \
+RSA:+NULL:+SHA256 \
+RSA:+NULL:+SHA1 \
+RSA:+NULL:+MD5 \
" "
# TODO: "skip" detection?
# +RSA:+NULL:+SHA256 \
# +RSA:+NULL:+SHA1 \
# +RSA:+NULL:+MD5 \
fi fi
;; ;;
@ -430,16 +437,15 @@ add_gnutls_ciphersuites()
+DHE-PSK:+CAMELLIA-256-GCM:+AEAD \ +DHE-PSK:+CAMELLIA-256-GCM:+AEAD \
+RSA-PSK:+AES-256-GCM:+AEAD \ +RSA-PSK:+AES-256-GCM:+AEAD \
+RSA-PSK:+AES-128-GCM:+AEAD \ +RSA-PSK:+AES-128-GCM:+AEAD \
+ECDHE-PSK:+NULL:+SHA384 \
+ECDHE-PSK:+NULL:+SHA256 \
+PSK:+NULL:+SHA256 \
+PSK:+NULL:+SHA384 \
+DHE-PSK:+NULL:+SHA256 \
+DHE-PSK:+NULL:+SHA384 \
+RSA-PSK:+NULL:+SHA256 \
+RSA-PSK:+NULL:+SHA384 \
" "
# TODO: "skip" detection
# +ECDHE-PSK:+NULL:+SHA384 \
# +ECDHE-PSK:+NULL:+SHA256 \
# +PSK:+NULL:+SHA256 \
# +PSK:+NULL:+SHA384 \
# +DHE-PSK:+NULL:+SHA256 \
# +DHE-PSK:+NULL:+SHA384 \
# +RSA-PSK:+NULL:+SHA256 \
# +RSA-PSK:+NULL:+SHA384 \
fi fi
;; ;;
esac esac
@ -514,7 +520,7 @@ setup_arguments()
P_CLIENT_ARGS="force_version=$MODE" P_CLIENT_ARGS="force_version=$MODE"
O_CLIENT_ARGS="-$MODE" O_CLIENT_ARGS="-$MODE"
G_CLIENT_ARGS="-p 4433" G_CLIENT_ARGS="-p 4433 --debug 3"
G_CLIENT_PRIO="NONE:$G_PRIO_MODE:+COMP-NULL:+CURVE-ALL:+SIGN-ALL" G_CLIENT_PRIO="NONE:$G_PRIO_MODE:+COMP-NULL:+CURVE-ALL:+SIGN-ALL"
if [ "X$VERIFY" = "XYES" ]; if [ "X$VERIFY" = "XYES" ];
@ -700,7 +706,15 @@ run_client() {
if [ "$EXIT" == "0" ]; then if [ "$EXIT" == "0" ]; then
RESULT=0 RESULT=0
else else
RESULT=2 # TODO RESULT=2
# interpret early failure, with a handshake_failure alert
# before the server hello, as "no ciphersuite in common"
if grep -F 'Received alert [40]: Handshake failed' cli_out; then
if grep -i 'SERVER HELLO .* was received' cli_out; then :
else
RESULT=1
fi
fi >/dev/null
fi fi
;; ;;
@ -782,63 +796,81 @@ trap cleanup INT TERM HUP
for VERIFY in $VERIFIES; do for VERIFY in $VERIFIES; do
for MODE in $MODES; do for MODE in $MODES; do
for TYPE in $TYPES; do for TYPE in $TYPES; do
for PEER in $PEERS; do
setup_arguments setup_arguments
reset_ciphersuites case "$PEER" in
add_openssl_ciphersuites
filter_ciphersuites
if [ "X" != "X$P_CIPHERS" ]; then [Oo]pen*)
start_server "OpenSSL"
for i in $P_CIPHERS; do
run_client PolarSSL $i
done
stop_server
fi
if [ "X" != "X$O_CIPHERS" ]; then reset_ciphersuites
start_server "PolarSSL" add_openssl_ciphersuites
for i in $O_CIPHERS; do filter_ciphersuites
run_client OpenSSL $i
done
stop_server
fi
reset_ciphersuites if [ "X" != "X$P_CIPHERS" ]; then
add_gnutls_ciphersuites start_server "OpenSSL"
filter_ciphersuites for i in $P_CIPHERS; do
run_client PolarSSL $i
done
stop_server
fi
if [ "X" != "X$P_CIPHERS" ]; then if [ "X" != "X$O_CIPHERS" ]; then
start_server "GnuTLS" start_server "PolarSSL"
for i in $P_CIPHERS; do for i in $O_CIPHERS; do
run_client PolarSSL $i run_client OpenSSL $i
done done
stop_server stop_server
fi fi
if [ "X" != "X$G_CIPHERS" ]; then ;;
start_server "PolarSSL"
for i in $G_CIPHERS; do
run_client GnuTLS $i
done
stop_server
fi
reset_ciphersuites [Gg]nu*)
add_openssl_ciphersuites
add_gnutls_ciphersuites
add_polarssl_ciphersuites
filter_ciphersuites
if [ "X" != "X$P_CIPHERS" ]; then reset_ciphersuites
start_server "PolarSSL" add_gnutls_ciphersuites
for i in $P_CIPHERS; do filter_ciphersuites
run_client PolarSSL $i
done
stop_server
fi
if [ "X" != "X$P_CIPHERS" ]; then
start_server "GnuTLS"
for i in $P_CIPHERS; do
run_client PolarSSL $i
done
stop_server
fi
if [ "X" != "X$G_CIPHERS" ]; then
start_server "PolarSSL"
for i in $G_CIPHERS; do
run_client GnuTLS $i
done
stop_server
fi
;;
[Pp]olar*)
reset_ciphersuites
add_openssl_ciphersuites
add_gnutls_ciphersuites
add_polarssl_ciphersuites
filter_ciphersuites
if [ "X" != "X$P_CIPHERS" ]; then
start_server "PolarSSL"
for i in $P_CIPHERS; do
run_client PolarSSL $i
done
stop_server
fi
;;
esac
done
done done
done done
done done
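Review bot: In `filter()`, an empty `EXCLUDE` makes `grep -v "$EXCLUDE"` discard every ciphersuite, because an empty pattern matches every line. Passing `--exclude ''` together with a non-empty `--filter` therefore empties all three lists, and the main loop's `"X" != "X$P_CIPHERS"` guards then skip every server without reporting an error. Clearing the option is the obvious way to re-enable the NULL suites that the default pattern filters out, so the exclusion should be skipped when the variable is empty, for example `if [ -n "$EXCLUDE" ] && echo "$i" | grep -q "$EXCLUDE"; then continue; fi` placed before the `NEW_LIST=` line. The `case "$PEER"` in the main loop fails silently in the same way: a misspelt peer matches no arm, so adding `*) echo "Unknown peer: $PEER" >&2; exit 1;;` would turn it into a visible failure. `filter()` continues past the end of its hunk, so the code after the loop is not visible here.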