From: elevener at mail.ru (Alex)
Date: Mon, 1 Jun 2015 12:27:54 +0300
Subject: [gnutls-devel] Problem with double initialization of pkcs11
Message-ID: <1611407847.20150601122754@mail.ru>

Hello

I believe that the string

    providers_initialized = 1;

should be moved from function _gnutls_pkcs11_check_init to function gnutls_pkcs11_init.

Right now there is a problem (at least on Windows/MinGW) that if you call gnutls_pkcs11_init yourself, any pkcs11 operation that calls _gnutls_pkcs11_check_init calls gnutls_pkcs11_init for the second time. So there is a situation that if you call gnutls_pkcs11_init and then any operation, you have to call gnutls_pkcs11_deinit twice for the pkcs11 provider to be finalized. If you don't call gnutls_pkcs11_init - if you don't do any operation - the provider isn't finalized by gnutls_pkcs11_deinit at all.

Thanks,
Alex


From: benedikt.knoppix at web.de (Benedikt Klotz)
Date: Mon, 1 Jun 2015 13:24:49 +0200
Subject: [gnutls-devel] plans for plugin support?

Hi,

Are there any plans to implement a plugin mechanism for GnuTLS in the near future, which allows loading hardware support for crypto algorithms (like the OpenSSL Engines)? If there are no such plans, I would like to implement such a mechanism. Are there any requirements that I should know?

Best Regards
Benedikt Klotz
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Mon, 1 Jun 2015 15:23:37 +0200
Subject: [gnutls-devel] plans for plugin support?

On Mon, Jun 1, 2015 at 1:24 PM, Benedikt Klotz wrote:
> Hi,
> Are there any plans to implement a plugin mechanism for GnuTLS in the near future, which allows to load hardware support for crypto algorithms (like the OpenSSL Engines)?
> If there are no such plans, I would like to implement such a mechanism. Are there any requirements that I should know?

Hi Benedikt,
We have such a plugin API for public key and signature algorithms. The supported plugins are PKCS #11 modules or even custom ones when imported with gnutls_privkey_import_ext3(). For symmetric key algorithms we support cryptodev (i.e., /dev/crypto) on systems that support it. Are there any other plugin mechanisms you are interested in?

regards,
Nikos
From: benedikt.knoppix at web.de (Benedikt Klotz)
Date: Mon, 01 Jun 2015 18:26:39 +0200
Subject: [gnutls-devel] plans for plugin support?
Message-ID: <556C87BF.8050808@web.de>

Hi Nikos,

On 01.06.2015 at 15:23 Nikos Mavrogiannopoulos wrote:
> Hi Benedikt, We have such a plugin API for public key and signature
> algorithms. The supported plugins are PKCS #11 modules or even custom
> ones when imported with gnutls_privkey_import_ext3().

If I understand this correctly, these functions can only be used from within an application that links with GnuTLS? What I mean with a plugin mechanism is a shared object that is loaded by GnuTLS at runtime. This shared object registers an external crypto provider [1] for GnuTLS. This could be used if an application wants to use an external crypto provider as the default implementation for some crypto algorithms (e.g. a provider that uses a crypto card to accelerate specific crypto algorithms). Of course, the application can use gnutls_crypto_register_cipher/digest() to use another implementation. However, with these functions the application has to write the glue code itself. If this glue code is moved into a shared object, the application only needs to load this shared object. For an application this would also allow to easily change the cryptographic backend of GnuTLS at runtime [2].

> For symmetric key algorithms we support cryptodev (i.e., /dev/crypto)
> on systems that support it. Are there any other plugin mechanisms you
> are interested at?

If I understand this correctly, /dev/crypto is a kernel device. I am more interested in /lib/accelerated, because the external provider does not use /dev/crypto. I could write my code in a module under /lib/accelerated. However, my code needs to call dlopen(), because the only right way [3] to enable the external provider is through another library. Is this something you would accept?

However, this would not solve the problem that an application cannot change the crypto backend to another provider. I would still prefer a plugin concept, where an application (or GnuTLS for the application) can load a shared object that sets up the external provider. This would give the maximum flexibility.

> regards,
> Nikos

regards,
Benedikt

---------------------------
[1]: E.g. opens the library of the external crypto provider with dlopen() and then overrides specific crypto algorithms of the default backend with the implementation from the external provider.
[2]: This could be interesting for a testing application that wants to compare different crypto implementations with GnuTLS.
[3]: I do not want to reinvent the wheel.
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Mon, 01 Jun 2015 19:39:59 +0200
Subject: [gnutls-devel] plans for plugin support?
In-Reply-To: <556C87BF.8050808@web.de>
References: <556C87BF.8050808@web.de>
Message-ID: <1433180399.1760.11.camel@gnutls.org>

On Mon, 2015-06-01 at 18:26 +0200, Benedikt Klotz wrote:
> Hi Nikos,
>
> On 01.06.2015 at 15:23 Nikos Mavrogiannopoulos wrote:
> > Hi Benedikt, We have such a plugin API for public key and signature
> > algorithms. The supported plugins are PKCS #11 modules or even custom
> > ones when imported with gnutls_privkey_import_ext3().
> If I understand this correctly these functions can only be used from
> within an application, that links with GnuTLS? What I mean with a plugin
> mechanism, is a shared object that is loaded by GnuTLS at runtime. This
> shared object registers an external crypto provider [1] for GnuTLS.

Not really. PKCS #11 modules are shared objects which provide a fixed API called cryptoki. When for example you use smart cards with gnutls you are loading the opensc-pkcs11.so under the hood. gnutls can select the appropriate module to use when it is configured with p11-kit in the local system (in most systems it is set up by the distribution). See:
http://www.gnutls.org/manual/html_node/Smart-cards-and-HSMs.html#Smart-cards-and-HSMs
for more information.

> > For symmetric key algorithms we support cryptodev (i.e., /dev/crypto)
> > on systems that support it. Are there any other plugin mechanisms you
> > are interested at?
> If I understand this correctly /dev/crypto is a kernel device. I am more
> interested in /lib/accelerated, because the external provider does not
> use /dev/crypto.
> I could write my code in a module under /lib/accelerated. However my
> code needs to call dlopen(), because the only right way [3] to enable
> the external provider is through another library.
> Is this something you would accept?

What API does that module provide? If it is PKCS #11 or some other standardized API that would be indeed quite interesting.

> However this would not solve the problem that an application can not
> change the crypto backend to another provider. I would still prefer a
> plugin concept, where an application (or GnuTLS for the application) can
> load a shared object, that setups the external provider. This would give
> the maximum flexibility.

For asymmetric keys this flexibility is currently available, so your argument is about symmetric algorithms if I understand correctly. Let's first settle on what module API we are talking about and then we see (because if for example this is about a PKCS #11 API we can have this flexibility using p11-kit again).

regards,
Nikos


From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Mon, 01 Jun 2015 21:58:12 +0200
Subject: [gnutls-devel] Problem with double initialization of pkcs11
In-Reply-To: <1611407847.20150601122754@mail.ru>
References: <1611407847.20150601122754@mail.ru>
Message-ID: <1433188692.1760.15.camel@gnutls.org>

On Mon, 2015-06-01 at 12:27 +0300, Alex wrote:
> Hello
>
> I believe that string
> providers_initialized = 1;
> should be moved from function _gnutls_pkcs11_check_init to function
> gnutls_pkcs11_init.
>
> Right now there is a problem (at least on Windows/MinGW) that if you
> call gnutls_pkcs11_init yourself any pcks11 operation that calls
> _gnutls_pkcs11_check_init - it calls gnutls_pkcs11_init for the second
> time.

Hi,
Would that patch address the issue you see?
https://gitlab.com/gnutls/gnutls/commit/b0e533e8dc8eb852f0cbcfa7de39cdaa45233e68

regards,
Nikos
From: elevener at mail.ru (Alexey Milov)
Date: Tue, 2 Jun 2015 11:26:09 +0300
Subject: [gnutls-devel] Problem with double initialization of pkcs11
In-Reply-To: <1433188692.1760.15.camel@gnutls.org>
References: <1611407847.20150601122754@mail.ru> <1433188692.1760.15.camel@gnutls.org>
Message-ID: <189123658.20150602112609@mail.ru>

> On Mon, 2015-06-01 at 12:27 +0300, Alex wrote:
>> Hello
>>
>> I believe that string
>> providers_initialized = 1;
>> should be moved from function _gnutls_pkcs11_check_init to function
>> gnutls_pkcs11_init.
>>
>> Right now there is a problem (at least on Windows/MinGW) that if you
>> call gnutls_pkcs11_init yourself any pcks11 operation that calls
>> _gnutls_pkcs11_check_init - it calls gnutls_pkcs11_init for the second
>> time.
> Hi,
> Would that patch address the issue you see?
> https://gitlab.com/gnutls/gnutls/commit/b0e533e8dc8eb852f0cbcfa7de39cdaa45233e68
> regards,
> Nikos

Yes, at least for my use cases.

Thanks,
Alex
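To make the accounting in this thread concrete, here is a small C model, written for this page and not taken from gnutls's source, of the two layouts Alex contrasts: the lazy check setting providers_initialized versus gnutls_pkcs11_init setting it. The function names mirror the ones in the thread; the reference count and the finalize-at-zero step are assumptions of the model, not a description of gnutls internals.

```c
/* Model of the PKCS #11 init/deinit accounting discussed in this thread.
 * Written for this page as an illustration; it is not gnutls's source.
 * Assumed: gnutls_pkcs11_init() is reference counted, and
 * gnutls_pkcs11_deinit() finalizes the providers when the count hits zero. */
#include <stdio.h>

struct p11_state {
    int init_count;            /* outstanding gnutls_pkcs11_init() calls */
    int providers_initialized; /* flag consulted by _gnutls_pkcs11_check_init */
    int finalized;             /* set once deinit really finalized the providers */
};

/* Layout as reported: the flag is set by the lazy check, not by init. */
static void reported_init(struct p11_state *s)
{
    s->init_count++;           /* an explicit init leaves the flag at 0 ... */
}

static void reported_check_init(struct p11_state *s)
{
    if (!s->providers_initialized) {
        reported_init(s);      /* ... so the first operation inits again */
        s->providers_initialized = 1;
    }
}

/* Layout Alex proposes: init itself records that providers are initialized. */
static void proposed_init(struct p11_state *s)
{
    s->init_count++;
    s->providers_initialized = 1;
}

static void proposed_check_init(struct p11_state *s)
{
    if (!s->providers_initialized)
        proposed_init(s);
}

/* Drops one reference; finalizes and clears the flag when none remain. */
static void deinit(struct p11_state *s)
{
    if (s->init_count == 0)
        return;                /* nothing was initialized, nothing to finalize */
    if (--s->init_count == 0) {
        s->providers_initialized = 0;
        s->finalized = 1;
    }
}

/* Runs one scenario: optional explicit init, then optionally one PKCS #11
 * operation (which goes through check_init), then deinit until finalized.
 * Returns the number of deinit() calls needed, or -1 if they never finalize. */
int deinits_needed(int proposed, int explicit_init, int do_operation)
{
    struct p11_state s = { 0, 0, 0 };
    int calls = 0;

    if (explicit_init) {
        if (proposed) proposed_init(&s); else reported_init(&s);
    }
    if (do_operation) {
        if (proposed) proposed_check_init(&s); else reported_check_init(&s);
    }
    while (!s.finalized && calls < 4) {
        deinit(&s);
        calls++;
    }
    return s.finalized ? calls : -1;
}

int main(void)
{
    printf("reported layout, init + operation: %d deinit call(s)\n",
           deinits_needed(0, 1, 1));
    printf("proposed layout, init + operation: %d deinit call(s)\n",
           deinits_needed(1, 1, 1));
    printf("no init, no operation: %d (never finalized)\n",
           deinits_needed(0, 0, 0));
    return 0;
}
```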
From: benedikt.knoppix at web.de (Benedikt Klotz)
Date: Tue, 02 Jun 2015 17:52:13 +0200
Subject: [gnutls-devel] plans for plugin support?
In-Reply-To: <1433180399.1760.11.camel@gnutls.org>
References: <556C87BF.8050808@web.de> <1433180399.1760.11.camel@gnutls.org>
Message-ID: <556DD12D.6060003@web.de>

Hi Nikos,

>>> For symmetric key algorithms we support cryptodev (i.e., /dev/crypto)
>>> on systems that support it. Are there any other plugin mechanisms you
>>> are interested at?
>> If I understand this correctly /dev/crypto is a kernel device. I am more
>> interested in /lib/accelerated, because the external provider does not
>> use /dev/crypto.
>> I could write my code in a module under /lib/accelerated. However my
>> code needs to call dlopen(), because the only right way [3] to enable
>> the external provider is through another library.
>> Is this something you would accept?
> What API does that module provide? If it is PKCS #11 or some other
> standardized API that would be indeed quite interesting.

Thanks for the pointer with PKCS #11. The module does provide a native crypto API and a PKCS #11 API (over a meta PKCS #11 library). The problem with the PKCS #11 API is that the crypto operations are not as fast as over the native crypto API. I will test if this API is fast enough for my need [1] or if the native crypto API should be used.

>> However this would not solve the problem that an application can not
>> change the crypto backend to another provider. I would still prefer a
>> plugin concept, where an application (or GnuTLS for the application) can
>> load a shared object, that setups the external provider. This would give
>> the maximum flexibility.
> For asymmetric keys this flexibility is currently available, so your
> argument is about symmetric algorithm if I understand correctly. Let's
> first settle on what module API we are talking about and then we see
> (because if for example this is about a PKCS #11 API we can have this
> flexibility using p11-kit again).

The module does support asymmetric and symmetric operations over the PKCS #11 API:

p11tool --list-mechanism "pkcs11:myModule"
[0x0000] CKM_RSA_PKCS_KEY_PAIR_GEN
[0x0001] CKM_RSA_PKCS
[0x0003] CKM_RSA_X_509
[0x0005] CKM_MD5_RSA_PKCS
[0x0006] CKM_SHA1_RSA_PKCS
[0x0009] CKM_RSA_PKCS_OAEP
[0x000d] CKM_RSA_PKCS_PSS
[0x0040] CKM_SHA256_RSA_PKCS
[0x0041] CKM_SHA384_RSA_PKCS
[0x0042] CKM_SHA512_RSA_PKCS
[0x0120] CKM_DES_KEY_GEN
[0x0121] CKM_DES_ECB
[0x0122] CKM_DES_CBC
[0x0125] CKM_DES_CBC_PAD
[0x0131] CKM_DES3_KEY_GEN
[0x0132] CKM_DES3_ECB
[0x0133] CKM_DES3_CBC
[0x0134] CKM_DES3_MAC
[0x0135] CKM_DES3_MAC_GENERAL
[0x0136] CKM_DES3_CBC_PAD
...
[0x0210] CKM_MD5
[0x0211] CKM_MD5_HMAC
[0x0212] CKM_MD5_HMAC_GENERAL
[0x0220] CKM_SHA_1
[0x0221] CKM_SHA_1_HMAC
[0x0222] CKM_SHA_1_HMAC_GENERAL
[0x0250] CKM_SHA256
[0x0251] CKM_SHA256_HMAC
[0x0252] CKM_SHA256_HMAC_GENERAL
[0x0260] CKM_SHA384
[0x0261] CKM_SHA384_HMAC
[0x0262] CKM_SHA384_HMAC_GENERAL
[0x0270] CKM_SHA512
[0x0271] CKM_SHA512_HMAC
[0x0272] CKM_SHA512_HMAC_GENERAL
[0x1080] CKM_AES_KEY_GEN
[0x1081] CKM_AES_ECB
[0x1082] CKM_AES_CBC
[0x1083] CKM_AES_MAC
[0x1084] CKM_AES_MAC_GENERAL
[0x1085] CKM_AES_CBC_PAD
...
(I have removed all unknown mechanisms that p11tool does not recognise)

I have tried to generate an RSA key with p11tool, but this causes a PKCS #11 error:

p11tool --login --generate-rsa --bits 1024 --label "MyNewKey" --outfile MyNewKey.pub "pkcs11:model=MyModule"
Token 'MYToken' with URL 'MyModule' requires user PIN
Enter PIN:
Error in pkcs11_generate:505: PKCS #11 error.

I will try to debug this further tomorrow.

regards,
Benedikt

----------------------
[1]: It should still be faster than the software implementation of GnuTLS.
From: ametzler at bebt.de (Andreas Metzler)
Date: Wed, 10 Jun 2015 20:19:51 +0200
Subject: [gnutls-devel] GnuTLS 3.3.15 + nettle 3.1 - bug
Message-ID: <20150610181951.GA1798@downhill.g.la>

Hello,

Debian unstable currently has GnuTLS 3.3.15 + https://gitlab.com/gnutls/gnutls/commit/546782633df475d9071115b5fc13b387539f0ca5 and builds against nettle 3.1.1. However this combination fails to connect to 195.135.220.8:imaps with 'Received alert [20]: Bad record MAC'.

* 3.4.1 with nettle 3.1.1 works
* 3.3.15 + 546782633df475d9071115b5fc13b387539f0ca5 built against nettle 2.7 works

Using http://pkgs.fedoraproject.org/cgit/compat-gnutls28.git/log/gnutls-3.3.15-nettle3.patch instead of 546782633df475d9071115b5fc13b387539f0ca5 also works. I have searched in vain for the tiny difference between these two patches that actually breaks.

cu Andreas

https://bugs.debian.org/cgi-bin/bugreport.cgi?filename=gnutls.log;msg=27;att=1;bug=788011

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Wed, 10 Jun 2015 21:54:46 +0200
Subject: [gnutls-devel] GnuTLS 3.3.15 + nettle 3.1 - bug
In-Reply-To: <20150610181951.GA1798@downhill.g.la>
References: <20150610181951.GA1798@downhill.g.la>
Message-ID: <1433966086.2624.2.camel@gnutls.org>

On Wed, 2015-06-10 at 20:19 +0200, Andreas Metzler wrote:
> Hello,
>
> Debian unstable currently has GnuTLS 3.3.15 +
> https://gitlab.com/gnutls/gnutls/commit/546782633df475d9071115b5fc13b387539f0ca5
> and builds against nettle 3.1.1. However this combination fails to
> connect to 195.135.220.8:imaps with 'Received alert [20]: Bad record
> MAC'.
>
> * 3.4.1 with nettle 3.1.1 works
> * 3.3.15 + 546782633df475d9071115b5fc13b387539f0ca5 built againsts
> nettle 2.7. works
>
> Using
> http://pkgs.fedoraproject.org/cgit/compat-gnutls28.git/log/gnutls-3.3.15-nettle3.patch
> instead of 546782633df475d9071115b5fc13b387539f0ca5 also works.
> I have searched in vain for the tiny difference between these two
> patches that actually breaks.
> https://bugs.debian.org/cgi-bin/bugreport.cgi?filename=gnutls.log;msg=27;att=1;bug=788011

Thanks for the log. It seems the issue is in camellia256-cbc. I've pushed a fix which hopefully will fix that. It seems we need interop tests with camellia as well.

regards,
Nikos


From: ametzler at bebt.de (Andreas Metzler)
Date: Sun, 14 Jun 2015 15:17:04 +0200
Subject: [gnutls-devel] VIA PadLock accelerated AES-CBC segfaults (Debian #788704)
Message-ID: <20150614131704.GA10454@downhill.g.la>

Hello,

this is , the respective code seems to be unchanged in 3.3.15.

cu Andreas

----- Forwarded message from Peter Lebbing -----

Date: Sun, 14 Jun 2015 14:40:11 +0200
From: Peter Lebbing
Subject: Bug#788704: gnutls28: VIA PadLock accelerated AES-CBC segfaults
Message-Id: <1434285611.695837.3888.nullmailer at terrence.lucas.digitalbrains.com>

Source: gnutls28
Version: 3.3.8-6+deb8u1

Dear Maintainer,

After upgrading a server with a VIA C3 (Nehemiah) processor to jessie, exim4 started to crash on pretty much every connection that negotiated AES-128-CBC or AES-256-CBC on TLS:

> 2015-05-31T16:06:43.641909+02:00 info kernel: [ 3466.879332] exim4[2381]: segfault at 4aeb2453 ip b6a4a5e2 sp bf7bfde0 error 4 in libgnutls-deb0.so.28.41.0[b6996000+13a000]

There's nothing in the exim4 log; it crashes before anything is logged.

The problem is not limited to exim4: I could reproduce the crash with gnutls-cli. This is also how I discovered AES-CBC was to blame.

It turns out that lib/accelerated/x86/elf/e_padlock-x86.s segfaults in the function padlock_cbc_encrypt() because it has not been written to handle the case where it is requested to encrypt 0 bytes of data; it expects a strictly positive number. Yet, it is called with a length of 0. The function overwrites 512 bytes on the top of its stack, and then dereferences a pointer in the overwritten data.

The attached patch simply checks for a 0 length in the C functions that call the handwritten assembly PadLock AES encryption routines, so the call is avoided. The patch fixed the issue on my system.

All the functions padlock_{ecb,cbc,cfb,ofb,ctr32}_encrypt() share almost all their code. The AES-GCM ciphers in GnuTLS don't seem to call the function with a 0 length, but my patch also checks for 0 in that cipher mode on the basis "once bitten, twice shy".

The rest of the mail is a detailed description of the problem with length 0. I don't include a "steps to reproduce this" because it's likely you don't have access to a system with a VIA PadLock engine. But it's trivial to reproduce with gnutls-cli and an SMTP server to connect to.
To my surprise, e_padlock-x86.s is a generated file[4]; the source is not included with GnuTLS. The source is the file engines/asm/e_padlock-x86.pl in openssl; from the Git repository for GnuTLS version 3.3.8, it can be concluded that the source is commit 34ccd24 in the OpenSSL Git.

First, a small aside on return values. OpenSSL checks the return value (an int) of padlock_cbc_encrypt(), and indeed the function can abort if the struct padlock_cipher_data is not aligned on a 16-byte boundary, or if len is not a multiple of 16 (AES block size). But there's something odd: /if/ the function aborts, the return value (EAX) is not set; it is kept at the value it was when the function was called. On a successful return, it's set to 1. GnuTLS never checks the return value. If it is possible that the length is not a multiple of 16, GnuTLS will not notice that the padlock_cbc_encrypt() call did nothing (unless it does some checks on the data later).

I analysed the behaviour of padlock_cbc_encrypt() with GDB. During my debugging, the input and output data were never aligned on a 16-byte boundary. padlock_cbc_encrypt() checks for this because not all VIA processors can cope with this, or only at a tremendous speed penalty. To fix the alignment, an aligned block of room is allocated on the stack, and the data is copied there, encrypted in place, and copied to the destination.
This part of the program is the problematic part:

File openssl/engines/asm/e_padlock-x86.pl, line 204:
----------------------- 8< ------------------ >8 -----------------------
204:    &cmp    ($len,$chunk);
205:    &cmovc  ($chunk,$len);                  # chunk=len>PADLOCK_CHUNK?PADLOCK_CHUNK:len
206:    &and    ("eax",$chunk);                 # out_misaligned?chunk:0
207:    &mov    ($chunk,$len);
208:    &neg    ("eax");
209:    &and    ($chunk,$PADLOCK_CHUNK-1);      # chunk=len%PADLOCK_CHUNK
210:    &lea    ("esp",&DWP(0,"eax","ebp"));    # alloca
211:    &mov    ("eax",$PADLOCK_CHUNK);
212:    &cmovz  ($chunk,"eax");                 # chunk=chunk?:PADLOCK_CHUNK
----------------------- 8< ------------------ >8 -----------------------
[1]

At the start, EAX is all ones (binary), signifying the output is not aligned on a 16-byte boundary. Room is allocated on the stack for the data in line 210. Either `len` bytes or PADLOCK_CHUNK (512), whichever is less.

The purpose of `chunk` is to take up to PADLOCK_CHUNK bytes from `len` to process. If `len` is not a multiple of 512, the remainder is processed first. After the remainder is processed, either a multiple of PADLOCK_CHUNK still needs to be processed, or we're done. To this end, it ANDs `len` with 511 in line 209. If `len` is a multiple of 512, the result is zero, so a full PADLOCK_CHUNK is processed (line 212). But if `len` was already zero to begin with, this test produces the wrong result, and results in `chunk` also being set to 512, to process 512 bytes of data.

The confusion comes now. The code has just set aside 0 bytes on the stack for copying data. Then it copies 512 bytes of data from the input pointer to the stack (in line 265 of the source[2]), thereby overwriting the other information it is keeping on the stack. For good measure, this is then encrypted as well :).
And here is where the SIGSEGV occurs:

File openssl/engines/asm/e_padlock-x86.pl, line 279:
----------------------- 8< ------------------ >8 -----------------------
279:    &mov    ($out,&DWP(0,"ebp"));           # restore parameters
280:    &mov    ($chunk,&DWP(12,"ebp"));
[...]
292:    &test   ($out,0x0f);
293:    &jz     (&label("${mode}_out_aligned"));
294:    &mov    ($len,$chunk);
295:    &lea    ($inp,&DWP(0,"esp"));
296:    &shr    ($len,2);
297:    &data_byte(0xf3,0xa5);                  # rep movsl
----------------------- 8< ------------------ >8 -----------------------
[3]

`out` and `chunk` are loaded with bogus data; it is from the part of the stack that was overwritten and subsequently encrypted. In line 297, the 'rep movsl' copies `len` = `chunk` bytes of data from the stack to the address `out`, but `chunk` and `out` are both garbage, resulting in a segmentation fault.

That concludes my analysis.

With regards,

Peter.

-- System Information:
Debian Release: 8.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.16.0-4-586
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

$ cat /proc/cpuinfo
processor       : 0
vendor_id       : CentaurHauls
cpu family      : 6
model           : 9
model name      : VIA Nehemiah
stepping        : 10
cpu MHz         : 999.583
cache size      : 64 KB
fdiv_bug        : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes
cpuid level     : 1
wp              : yes
flags           : fpu vme de pse tsc msr cx8 sep mtrr pge cmov pat mmx fxsr sse rng rng_en ace ace_en
bogomips        : 1999.16
clflush size    : 32
cache_alignment : 32
address sizes   : 32 bits physical, 32 bits virtual
power management:

[1] https://git.openssl.org/?p=openssl.git;a=blob;f=engines/asm/e_padlock-x86.pl;h=4148468c41de695751e8731369a948dff171c1ca;hb=34ccd24d0e6#l204
[2] https://git.openssl.org/?p=openssl.git;a=blob;f=engines/asm/e_padlock-x86.pl;h=4148468c41de695751e8731369a948dff171c1ca;hb=34ccd24d0e6#l265
[3]
https://git.openssl.org/?p=openssl.git;a=blob;f=engines/asm/e_padlock-x86.pl;h=4148468c41de695751e8731369a948dff171c1ca;hb=34ccd24d0e6#l279
[4] In my opinion, this is not in the spirit of the stipulation "the preferred form of the work for making modifications to it" of the (L)GPL license GnuTLS is released under. For one thing, all comments explaining the code are not in the generated output.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 

----- End forwarded message -----

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Handle_zero_length_padlock_accelerated_AES.patch
Type: text/x-diff
Size: 1116 bytes
Desc: not available


From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sun, 14 Jun 2015 21:29:17 +0200
Subject: [gnutls-devel] VIA PadLock accelerated AES-CBC segfaults (Debian #788704)
In-Reply-To: <20150614131704.GA10454@downhill.g.la>
References: <20150614131704.GA10454@downhill.g.la>
Message-ID: <1434310157.2840.0.camel@gnutls.org>

On Sun, 2015-06-14 at 15:17 +0200, Andreas Metzler wrote:
> Hello,
>
> this is , the respective code seems to
> be unchanged in 3.3.15.

There is a related fix in 3.3.12. Does it work in that case?
https://gitlab.com/gnutls/gnutls/commit/023156ae2504c1911f8f2e66a0ebde316931671c
https://gitlab.com/gnutls/gnutls/commit/1c9c8b902684a6788045b5a2102a259e5573ec03
From: peter at digitalbrains.com (Peter Lebbing)
Date: Mon, 15 Jun 2015 09:10:17 +0000 (UTC)
Subject: [gnutls-devel] VIA PadLock accelerated AES-CBC segfaults (Debian #788704)
References: <20150614131704.GA10454@downhill.g.la> <1434310157.2840.0.camel@gnutls.org>

Nikos Mavrogiannopoulos gnutls.org> writes:
> There is a related fix in 3.3.12. Does it work in that case?
> https://gitlab.com/gnutls/gnutls/commit/023156ae2504c1911f8f2e66a0ebde316931671c

That is almost literally what my suggested patch in the Debian bug report does, so it ought to work equally well. I forgot to check if it was fixed in a later version, as the actual fix was so trivial. Oh, and probably because of a lack of experience :).

Thanks,

Peter.
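The chunk arithmetic Peter walks through (e_padlock-x86.pl lines 204-212) and the zero-length guard from the Debian patch, as an added C model for this page: it is not OpenSSL's or GnuTLS's code, it mirrors the register operations with plain integers and performs no encryption, so you can check that len == 0 is the only length for which the copy exceeds the stack room set aside. PADLOCK_CHUNK = 512 and the 16-byte block size come from the thread; the shape of the C-side guard (padlock_cbc_call_ok) is an assumption.

```c
/* Integer model of padlock_cbc_encrypt()'s first-chunk setup, as analysed in
 * Peter's report (e_padlock-x86.pl lines 204-212). Added for this page; it is
 * not OpenSSL's or GnuTLS's code and performs no encryption. */
#include <stddef.h>
#include <stdio.h>

#define PADLOCK_CHUNK 512   /* bytes processed per iteration, from the thread */
#define AES_BLOCK     16

struct chunk_plan {
    size_t stack_bytes;     /* room the 'alloca' in line 210 sets aside */
    size_t first_chunk;     /* bytes the first copy moves into that room */
};

/* Lines 204-212 with eax/len/chunk as plain integers. out_misaligned is the
 * all-ones (1) versus zero (0) value eax holds before line 206. */
struct chunk_plan plan_first_chunk(size_t len, int out_misaligned)
{
    struct chunk_plan p;
    size_t chunk = len < PADLOCK_CHUNK ? len : PADLOCK_CHUNK;  /* 204-205 */

    p.stack_bytes = out_misaligned ? chunk : 0;                 /* 206, 208, 210 */
    chunk = len & (PADLOCK_CHUNK - 1);                          /* 209: len % 512 */
    if (chunk == 0)                                             /* 211-212: cmovz */
        chunk = PADLOCK_CHUNK;
    p.first_chunk = chunk;
    return p;
}

/* 1 if copying the first chunk into the aligned stack area would run past
 * what line 210 allocated (only happens for len == 0 with a misaligned out). */
int copy_overflows_stack(size_t len, int out_misaligned)
{
    struct chunk_plan p = plan_first_chunk(len, out_misaligned);
    return out_misaligned && p.first_chunk > p.stack_bytes;
}

/* Assumed shape of the C-side check the Debian patch adds: the assembly is
 * never entered for len == 0, and a non-block-multiple is reported instead of
 * silently ignored (the asm abort path leaves eax unset, as Peter notes).
 * Returns 1 when the call is safe to make (or safely skipped), 0 otherwise. */
int padlock_cbc_call_ok(size_t len, int out_misaligned)
{
    if (len == 0)
        return 1;               /* nothing to encrypt: skip the asm entirely */
    if (len % AES_BLOCK != 0)
        return 0;               /* asm would abort with no usable return value */
    return !copy_overflows_stack(len, out_misaligned);
}

int main(void)
{
    size_t lens[] = { 0, 16, 512, 600, 1024 };   /* constructed sample lengths */
    size_t i;

    for (i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        struct chunk_plan p = plan_first_chunk(lens[i], 1);
        printf("len=%4zu stack=%3zu first_chunk=%3zu overflow=%d guard_ok=%d\n",
               lens[i], p.stack_bytes, p.first_chunk,
               copy_overflows_stack(lens[i], 1),
               padlock_cbc_call_ok(lens[i], 1));
    }
    return 0;
}
```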
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Tue, 16 Jun 2015 22:07:59 +0200
Subject: [gnutls-devel] gnutls 3.4.2
Message-ID: <1434485279.7405.2.camel@gnutls.org>

Hello,
 I've just released gnutls 3.4.2. This version fixes bugs and enhances support for PKCS #7 structures on the next stable branch.

* Version 3.4.2 (released 2015-06-16)

** libgnutls: DTLS blocking API is more robust against infinite blocking, and will notify of more possible timeouts.

** libgnutls: corrected regression with Camellia-256-GCM cipher. Reported by Manuel Pegourie-Gonnard.

** libgnutls: Introduced the GNUTLS_NO_SIGNAL flag to gnutls_init(). That allows to disable SIGPIPE for writes done within gnutls.

** libgnutls: Enhanced the PKCS #7 API to allow signing and verification of structures. API moved to gnutls/pkcs7.h header.

** certtool: Added options to generate PKCS #7 bundles and signed structures.

** API and ABI modifications:
gnutls_x509_dn_get_str: Added
gnutls_pkcs11_get_raw_issuer_by_subject_key_id: Added
gnutls_x509_trust_list_get_issuer_by_subject_key_id: Added
gnutls_x509_crt_verify_data2: Added
gnutls_pkcs7_get_crt_raw2: Added
gnutls_pkcs7_signature_info_deinit: Added
gnutls_pkcs7_get_signature_info: Added
gnutls_pkcs7_verify_direct: Added
gnutls_pkcs7_verify: Added
gnutls_pkcs7_get_crl_raw2: Added
gnutls_pkcs7_sign: Added
gnutls_pkcs7_attrs_deinit: Added
gnutls_pkcs7_add_attr: Added
gnutls_pkcs7_get_attr: Added
gnutls_pkcs7_print: Added

Getting the Software
====================

GnuTLS may be downloaded directly from . A list of GnuTLS mirrors can be found at .
Here are the XZ and LZIP compressed sources:

ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/gnutls-3.4.2.tar.xz
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/gnutls-3.4.2.tar.lz

Here are OpenPGP detached signatures signed using key 0x96865171:

ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/gnutls-3.4.2.tar.xz.sig
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/gnutls-3.4.2.tar.lz.sig

Note that it has been signed with my openpgp key:
pub   3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid                  Nikos Mavrogiannopoulos gnutls.org>
uid                  Nikos Mavrogiannopoulos gmail.com>
sub   2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub   2048R/1404A91D 2008-05-04 [expires: 2018-05-02]

regards,
Nikos


From: alon.barlev at gmail.com (Alon Bar-Lev)
Date: Tue, 16 Jun 2015 23:48:58 +0300
Subject: [gnutls-devel] [PATCH] tests: cert-tests: pkcs7: support separate builddir
Message-ID: <1434487738-4283-1-git-send-email-alon.barlev@gmail.com>

please consider to always check package using separate builddir before release.

please consider adding quotes all over in shell scripts, to support spaces and other special characters within base path.

Signed-off-by: Alon Bar-Lev
---
 tests/cert-tests/pkcs7 | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/tests/cert-tests/pkcs7 b/tests/cert-tests/pkcs7
index 04e4058..7d28c84 100755
--- a/tests/cert-tests/pkcs7
+++ b/tests/cert-tests/pkcs7
@@ -39,7 +39,7 @@ if test "$rc" != "0"; then exit $rc fi -$DIFF $OUTFILE $FILE.out >/dev/null +$DIFF $OUTFILE $srcdir/$FILE.out >/dev/null if test "$?" != "0"; then echo "$FILE: PKCS7 decoding didn't produce the correct file" exit 1
@@ -86,7 +86,7 @@ if test "$rc" = "0"; then exit 2 fi -$VALGRIND $CERTTOOL --inder --p7-verify --load-data pkcs7-detached.txt --load-ca-certificate $srcdir/../../doc/credentials/x509/ca.pem --infile $srcdir/$FILE +$VALGRIND $CERTTOOL --inder --p7-verify --load-data $srcdir/pkcs7-detached.txt --load-ca-certificate $srcdir/../../doc/credentials/x509/ca.pem --infile $srcdir/$FILE rc=$? if test "$rc" != "0"; then @@ -106,7 +106,7 @@ if test "$rc" != "0"; then exit $rc fi -$DIFF $OUTFILE p7-combined.out >/dev/null +$DIFF $OUTFILE $srcdir/p7-combined.out >/dev/null if test "$?" != "0"; then echo "$FILE: PKCS7 generation didn't produce the correct file" exit 1 @@ -114,7 +114,7 @@ fi # Test signing FILE=signing -$VALGRIND $CERTTOOL --p7-sign --load-privkey $srcdir/../../doc/credentials/x509/key-rsa.pem --load-certificate $srcdir/../../doc/credentials/x509/cert-rsa.pem --infile pkcs7-detached.txt >$OUTFILE +$VALGRIND $CERTTOOL --p7-sign --load-privkey $srcdir/../../doc/credentials/x509/key-rsa.pem --load-certificate $srcdir/../../doc/credentials/x509/cert-rsa.pem --infile $srcdir/pkcs7-detached.txt >$OUTFILE rc=$? if test "$rc" != "0"; then @@ -133,7 +133,7 @@ fi FILE=signing-detached -$VALGRIND $CERTTOOL --p7-detached-sign --load-privkey $srcdir/../../doc/credentials/x509/key-rsa.pem --load-certificate $srcdir/../../doc/credentials/x509/cert-rsa.pem --infile pkcs7-detached.txt >$OUTFILE +$VALGRIND $CERTTOOL --p7-detached-sign --load-privkey $srcdir/../../doc/credentials/x509/key-rsa.pem --load-certificate $srcdir/../../doc/credentials/x509/cert-rsa.pem --infile $srcdir/pkcs7-detached.txt >$OUTFILE rc=$? if test "$rc" != "0"; then 
@@ -142,7 +142,7 @@ if test "$rc" != "0"; then fi FILE=signing-detached-verify -$VALGRIND $CERTTOOL --p7-verify --load-certificate $srcdir/../../doc/credentials/x509/cert-rsa.pem --load-data pkcs7-detached.txt <$OUTFILE +$VALGRIND $CERTTOOL --p7-verify --load-certificate $srcdir/../../doc/credentials/x509/cert-rsa.pem --load-data $srcdir/pkcs7-detached.txt <$OUTFILE rc=$? if test "$rc" != "0"; then @@ -152,7 +152,7 @@ fi # Test signing with broken algorithms FILE=signing-broken -$VALGRIND $CERTTOOL --hash md5 --p7-sign --load-privkey $srcdir/../../doc/credentials/x509/key-rsa.pem --load-certificate $srcdir/../../doc/credentials/x509/cert-rsa.pem --infile pkcs7-detached.txt >$OUTFILE +$VALGRIND $CERTTOOL --hash md5 --p7-sign --load-privkey $srcdir/../../doc/credentials/x509/key-rsa.pem --load-certificate $srcdir/../../doc/credentials/x509/cert-rsa.pem --infile $srcdir/pkcs7-detached.txt >$OUTFILE rc=$? if test "$rc" != "0"; then @@ -170,7 +170,7 @@ if test "$rc" = "0"; then fi FILE=signing-time -$VALGRIND $CERTTOOL --p7-detached-sign --p7-time --load-privkey $srcdir/../../doc/credentials/x509/key-rsa.pem --load-certificate $srcdir/../../doc/credentials/x509/cert-rsa.pem --infile pkcs7-detached.txt >$OUTFILE +$VALGRIND $CERTTOOL --p7-detached-sign --p7-time --load-privkey $srcdir/../../doc/credentials/x509/key-rsa.pem --load-certificate $srcdir/../../doc/credentials/x509/cert-rsa.pem --infile $srcdir/pkcs7-detached.txt >$OUTFILE rc=$? if test "$rc" != "0"; then @@ -185,7 +185,7 @@ if test "$rc" != "0"; then fi FILE=signing-time-verify -$VALGRIND $CERTTOOL --p7-verify --load-certificate $srcdir/../../doc/credentials/x509/cert-rsa.pem --load-data pkcs7-detached.txt <$OUTFILE +$VALGRIND $CERTTOOL --p7-verify --load-certificate $srcdir/../../doc/credentials/x509/cert-rsa.pem --load-data $srcdir/pkcs7-detached.txt <$OUTFILE rc=$? if test "$rc" != "0"; then -- 2.3.6 From nmav at gnutls.org Wed Jun 17 08:45:40 2015 
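Review bot: in every hunk the new path is still unquoted, e.g. `+$DIFF $OUTFILE $srcdir/$FILE.out >/dev/null` in the -39 hunk and `--infile $srcdir/pkcs7-detached.txt` in the signing hunks, so a srcdir containing a space or a glob character is split into extra arguments to $DIFF and $CERTTOOL and the test fails for the very reason the cover letter names. Since these exact lines are being rewritten, quoting them here (`"$srcdir/$FILE.out"`, `"$srcdir/pkcs7-detached.txt"`) would close that gap for the paths this patch touches without waiting for a script-wide pass.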
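Review bot: `$srcdir/pkcs7-detached.txt` is now spelled out in seven hunks (-86, -114, -133, -142, -152, -170 and -185); defining it once near the top of the script, e.g. `DATAFILE="$srcdir/pkcs7-detached.txt"`, and passing `$DATAFILE` to each --load-data and --infile would keep a future move of the fixture from missing one of them. The -39 and -106 hunks could do the same for the expected-output files they diff against.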
From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Wed, 17 Jun 2015 08:45:40 +0200 Subject: [gnutls-devel] [PATCH] tests: cert-tests: pkcs7: support separate builddir In-Reply-To: <1434487738-4283-1-git-send-email-alon.barlev@gmail.com> References: <1434487738-4283-1-git-send-email-alon.barlev@gmail.com> Message-ID: On Tue, Jun 16, 2015 at 10:48 PM, Alon Bar-Lev wrote: Patch applied. > please consider to always check package using separate builddir before > release. Only if it can be automated with our ci. If you have a configure setup which we can use for it I'd be glad to add it. > please consider adding quotes all over in shell scripts, to support > spaces and other special characters within base path. That's not something I intend to do, but if there is any patch I'd apply it. regards, Nikos From alon.barlev at gmail.com Wed Jun 17 09:11:18 2015 
From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Wed, 17 Jun 2015 10:11:18 +0300 Subject: [gnutls-devel] [PATCH] tests: cert-tests: pkcs7: support separate builddir In-Reply-To: References: <1434487738-4283-1-git-send-email-alon.barlev@gmail.com> Message-ID: On 17 June 2015 at 09:45, Nikos Mavrogiannopoulos wrote: > > On Tue, Jun 16, 2015 at 10:48 PM, Alon Bar-Lev wrote: > > Patch applied. > > > please consider to always check package using separate builddir before > > release. > > Only if it can be automated with our ci. If you have a configure setup > > which we can use for it I'd be glad to add it. should be simple :) make distcheck should do the trick, but the make distcheck of gnutls is complex, so you can execute this local sequence after you have the tarball:
tar -xf
mkdir build
cd build
../configure --enable-tests
make check
> > please consider adding quotes all over in shell scripts, to support > > spaces and other special characters within base path. > > That's not something I intend to do, but if there is any patch I'd apply it. ok, I will work something out. From nmav at gnutls.org Wed Jun 17 10:51:29 2015
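The separate-builddir and quoting discussion above, as an added example that is not part of the thread or of the GnuTLS tree: a POSIX sh model of one cert-tests comparison step run from a build directory whose source path contains a space, first in the bare `$srcdir` form the scripts used and then in the `"${srcdir}"` form Alon asks for, plus the reason a wrapper variable such as VALGRIND is best left unquoted. The directory layout, file names and helper names are made up; the real scripts run certtool and diff against files under tests/cert-tests.

```shell
#!/bin/sh
# Added example, not code from the GnuTLS tree: a minimal model of a
# cert-tests step run from a separate builddir.  Names below are made up.

# Build a throw-away source and build tree whose path contains a space,
# the case "spaces and other special characters within base path" covers.
# Prints the tree root so the caller can pass "<root>/src" as srcdir.
setup_tree() {
    root="${TMPDIR:-/tmp}/quoting test.$$"
    mkdir -p "${root}/src" "${root}/build" || return 1
    printf 'expected\n' > "${root}/src/expected.out"
    printf 'expected\n' > "${root}/build/out.tmp"
    printf '%s\n' "${root}"
}

# "Before": the bare $srcdir is word-split at the space, so diff is handed
# three operands ("/tmp/quoting", "test.NNN/src/expected.out", "out.tmp")
# and exits non-zero even though the two files are identical.
unquoted_compare() {
    srcdir=$1
    (cd "${srcdir}/../build" && diff $srcdir/expected.out out.tmp >/dev/null 2>&1)
}

# "After": the quoted expansion stays one word whatever the path contains,
# so the comparison succeeds from the build directory.
quoted_compare() {
    srcdir="$1"
    (cd "${srcdir}/../build" && diff "${srcdir}/expected.out" out.tmp >/dev/null 2>&1)
}

# Why "${CERTTOOL}" is quoted but ${VALGRIND} is deliberately left bare:
# the wrapper is either empty (and must vanish) or several words such as
# "libtool --mode=execute valgrind" (and must be split into arguments).
run_wrapped() {
    wrapper=$1
    shift
    ${wrapper} "$@"
}

# Quoting the wrapper instead runs a command literally named "" when the
# variable is unset, which is exactly what the scripts must avoid.
run_wrapped_badly() {
    wrapper=$1
    shift
    "${wrapper}" "$@" 2>/dev/null
}

cleanup_tree() {
    rm -rf "$1"
}
```

Run from a build directory, `unquoted_compare` fails and `quoted_compare` succeeds on the same files, which is the whole difference between the two forms; `run_wrapped "" certtool ...` and `run_wrapped "libtool --mode=execute valgrind" certtool ...` both behave, while the quoted variant only works when the wrapper is non-empty.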
From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Wed, 17 Jun 2015 10:51:29 +0200 Subject: [gnutls-devel] [PATCH] tests: cert-tests: pkcs7: support separate builddir In-Reply-To: References: <1434487738-4283-1-git-send-email-alon.barlev@gmail.com> Message-ID: On Wed, Jun 17, 2015 at 9:11 AM, Alon Bar-Lev wrote: >> > please consider to always check package using separate builddir before >> > release. >> Only if it can be automated with our ci. If you have a configure setup >> which we can use for it I'd be glad to add it. > should be simple :) > make distcheck should do the trick, but the make distcheck of gnutls > is complex, so, to you can execute this local sequence after you have > tarball: > tar -xf > mkdir build > cd build > ../configure --enable-tests > make check It seems to work so far. https://ci.gitlab.com/projects/684/builds/84885 So, if there is any breakage again, hopefully I guess I'll notice before the release. regards, Nikos From alon.barlev at gmail.com Wed Jun 17 10:59:55 2015 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Wed, 17 Jun 2015 11:59:55 +0300 Subject: [gnutls-devel] [PATCH 1/2] tests: suite: run testpkcs11 if PKCS#11 is enabled Message-ID: <1434531596-19521-1-git-send-email-alon.barlev@gmail.com> Signed-off-by: Alon Bar-Lev --- tests/suite/Makefile.am | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/suite/Makefile.am b/tests/suite/Makefile.am index b95403f..d91f4a6 100644 --- a/tests/suite/Makefile.am +++ b/tests/suite/Makefile.am 
@@ -91,11 +91,11 @@ nodist_check_SCRIPTS = eagain testsrn chain invalid-cert testrandom \ testcompat-polarssl testcompat-openssl TESTS = ciphersuite/test-ciphersuites.sh eagain testsrn chain invalid-cert \ - testpkcs11 testrng testcompat-openssl testcompat-polarssl + testrng testcompat-openssl testcompat-polarssl if ENABLE_PKCS11 check_PROGRAMS += pkcs11-chainverify pkcs11-get-issuer pkcs11-is-known pkcs11-combo pkcs11-privkey -TESTS += pkcs11-chainverify pkcs11-get-issuer crl-test pkcs11-is-known pkcs11-combo pkcs11-privkey +TESTS += testpkcs11 pkcs11-chainverify pkcs11-get-issuer crl-test pkcs11-is-known pkcs11-combo pkcs11-privkey endif TESTS_ENVIRONMENT = EXEEXT=$(EXEEXT) \ -- 2.3.6 From alon.barlev at gmail.com Wed Jun 17 10:59:56 2015 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Wed, 17 Jun 2015 11:59:56 +0300 Subject: [gnutls-devel] [PATCH 2/2] tests: remove bash usage In-Reply-To: <1434531596-19521-1-git-send-email-alon.barlev@gmail.com> References: <1434531596-19521-1-git-send-email-alon.barlev@gmail.com> Message-ID: <1434531596-19521-2-git-send-email-alon.barlev@gmail.com> Signed-off-by: Alon Bar-Lev --- tests/nist-pkits/gnutls_test_entry | 2 +- tests/suite/certs/create-chain.sh | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/tests/nist-pkits/gnutls_test_entry b/tests/nist-pkits/gnutls_test_entry index 41fe007..f94cf4b 100755 --- a/tests/nist-pkits/gnutls_test_entry +++ b/tests/nist-pkits/gnutls_test_entry @@ -1,4 +1,4 @@ -#!/bin/bash +#!/bin/sh TITLE=$1 EECERT=$2 diff --git a/tests/suite/certs/create-chain.sh b/tests/suite/certs/create-chain.sh index c1e1517..11add61 100755 --- a/tests/suite/certs/create-chain.sh +++ b/tests/suite/certs/create-chain.sh @@ -1,4 +1,4 @@ -#!/bin/bash +#!/bin/sh srcdir=${srcdir:-.} CERTTOOL=${CERTTOOL:-../../../src/certtool$EXEEXT} @@ -12,7 +12,7 @@ if test "$NUM" = "";then exit 1 fi -let LAST=`expr $NUM - 1` +LAST=`expr $NUM - 1` rm -rf $OUTPUT mkdir -p $OUTPUT 
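Review bot: the tests/suite/Makefile.am hunk moves testpkcs11 under `if ENABLE_PKCS11`, but the commit message is only a Signed-off-by line; state what testpkcs11 fails on when PKCS #11 support is configured out, so the next reader does not move it back into the unconditional `TESTS =` list.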
@@ -74,11 +74,11 @@ while test $counter -lt $NUM; do fi - let counter=`expr $counter+1` + counter=`expr $counter + 1` prev_name=$name done -let counter=`expr $NUM - 1` +counter=`expr $NUM - 1` while test $counter -ge 0; do if test $counter = $LAST;then name="server-$counter" @@ -88,6 +88,6 @@ while test $counter -ge 0; do cat $OUTPUT/$name.crt >> $OUTPUT/chain - let counter=`expr $counter-1` + counter=`expr $counter - 1` done -- 2.3.6 From alon.barlev at gmail.com Wed Jun 17 11:01:17 2015 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Wed, 17 Jun 2015 12:01:17 +0300 Subject: [gnutls-devel] [PATCH] tests: cert-tests: pkcs7: support separate builddir In-Reply-To: References: <1434487738-4283-1-git-send-email-alon.barlev@gmail.com> Message-ID: On 17 June 2015 at 11:51, Nikos Mavrogiannopoulos wrote: > > On Wed, Jun 17, 2015 at 9:11 AM, Alon Bar-Lev wrote: > >> > please consider to always check package using separate builddir before > >> > release. > >> Only if it can be automated with our ci. If you have a configure setup > >> which we can use for it I'd be glad to add it. > > should be simple :) > > make distcheck should do the trick, but the make distcheck of gnutls > > is complex, so, to you can execute this local sequence after you have > > tarball: > > tar -xf > > mkdir build > > cd build > > ../configure --enable-tests > > make check > > It seems to work so far. > https://ci.gitlab.com/projects/684/builds/84885 > > So, if there is any breakage again, hopefully I guess I'll notice > before the release. Great! Thanks! While looking at tests I send two more minor patches. > > regards, > Nikos From nmav at gnutls.org Wed Jun 17 11:39:09 2015 
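Review bot: in the create-chain.sh hunks the `let` removals are right for /bin/sh, but `expr` is still forked on every loop iteration; POSIX sh has arithmetic expansion, so `counter=$((counter + 1))` and `LAST=$((NUM - 1))` are equally portable and cheaper. `counter` and `NUM` also remain unquoted in `while test $counter -lt $NUM; do`; that is only safe because the `if test "$NUM" = "";then ... exit 1` check above the @@ -12 hunk rejects an empty value, so keep that check if the script is reworked further.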
From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Wed, 17 Jun 2015 11:39:09 +0200 Subject: [gnutls-devel] [PATCH 2/2] tests: remove bash usage In-Reply-To: <1434531596-19521-2-git-send-email-alon.barlev@gmail.com> References: <1434531596-19521-1-git-send-email-alon.barlev@gmail.com> <1434531596-19521-2-git-send-email-alon.barlev@gmail.com> Message-ID: On Wed, Jun 17, 2015 at 10:59 AM, Alon Bar-Lev wrote: > Signed-off-by: Alon Bar-Lev > --- > tests/nist-pkits/gnutls_test_entry | 2 +- > tests/suite/certs/create-chain.sh | 10 +++++----- > 2 files changed, 6 insertions(+), 6 deletions(-) Both applied. Thanks. From alon.barlev at gmail.com Wed Jun 17 13:05:54 2015 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Wed, 17 Jun 2015 14:05:54 +0300 Subject: [gnutls-devel] [PATCH] tests: cert-tests: cleanup shell usage Message-ID: <1434539154-32486-1-git-send-email-alon.barlev@gmail.com> Add quotes for most usages of variables. Added ${} for variables. Cleanup trailing spaces. Signed-off-by: Alon Bar-Lev --- tests/cert-tests/aki | 18 ++--- tests/cert-tests/certtool | 38 +++++----- tests/cert-tests/crq | 16 ++-- tests/cert-tests/dane | 16 ++-- tests/cert-tests/email | 38 +++++----- tests/cert-tests/invalid-sig | 24 +++--- tests/cert-tests/pathlen | 28 +++---- tests/cert-tests/pem-decoding | 52 ++++++------- tests/cert-tests/pkcs7 | 160 ++++++++++++++++++++-------------------- tests/cert-tests/template-test | 161 ++++++++++++++++++++--------------------- 10 files changed, 275 insertions(+), 276 deletions(-) diff --git a/tests/cert-tests/aki b/tests/cert-tests/aki index a3c4135..e1f2b0f 100755 --- a/tests/cert-tests/aki +++ b/tests/cert-tests/aki 
@@ -22,29 +22,29 @@ set -e -srcdir=${srcdir:-.} -CERTTOOL=${CERTTOOL:-../../src/certtool$EXEEXT} -DIFF=${DIFF:-diff} +srcdir="${srcdir:-.}" +CERTTOOL="${CERTTOOL:-../../src/certtool$EXEEXT}" +DIFF="${DIFF:-diff}" if ! test -z "${VALGRIND}";then VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" fi -$VALGRIND $CERTTOOL --certificate-info --infile $srcdir/aki-cert.pem \ +${VALGRIND} "${CERTTOOL}" --certificate-info --infile "${srcdir}/aki-cert.pem" \ |grep -v "Algorithm Security Level" > tmp-aki.pem rc=$? -if test "$rc" != "0"; then +if test "${rc}" != "0"; then echo "info failed" - exit $rc + exit ${rc} fi -$DIFF $srcdir/aki-cert.pem tmp-aki.pem +${DIFF} "${srcdir}/aki-cert.pem" tmp-aki.pem rc=$? # We're done. -if test "$rc" != "0"; then - exit $rc +if test "${rc}" != "0"; then + exit ${rc} fi rm -f tmp-aki.pem diff --git a/tests/cert-tests/certtool b/tests/cert-tests/certtool index cbabb59..47a1f95 100755 --- a/tests/cert-tests/certtool +++ b/tests/cert-tests/certtool 
@@ -20,59 +20,59 @@ #set -e -srcdir=${srcdir:-.} -CERTTOOL=${CERTTOOL:-../../src/certtool$EXEEXT} -DIFF=${DIFF:-diff} +srcdir="${srcdir:-.}" +CERTTOOL="${CERTTOOL:-../../src/certtool$EXEEXT}" +DIFF="${DIFF:-diff}" if ! test -z "${VALGRIND}";then VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" fi #check whether "funny" spaces can be interpreted -id=`$VALGRIND $CERTTOOL --key-id --infile $srcdir/funny-spacing.pem --hash sha1` +id=`${VALGRIND} "${CERTTOOL}" --key-id --infile "${srcdir}/funny-spacing.pem" --hash sha1` rc=$? -if test "$id" != "1e09d707d4e3651b84dcb6c68a828d2affef7ec3";then - echo "Key-ID1 doesn't match the expected: $id" +if test "${id}" != "1e09d707d4e3651b84dcb6c68a828d2affef7ec3";then + echo "Key-ID1 doesn't match the expected: ${id}" exit 1 fi -id=`$VALGRIND $CERTTOOL --key-id --infile $srcdir/funny-spacing.pem` +id=`$VALGRIND "${CERTTOOL}" --key-id --infile "${srcdir}/funny-spacing.pem"` rc=$? -if test "$id" != "1e09d707d4e3651b84dcb6c68a828d2affef7ec3";then - echo "Default key-ID1 doesn't match the expected; did the defaults change? ID: $id" +if test "${id}" != "1e09d707d4e3651b84dcb6c68a828d2affef7ec3";then + echo "Default key-ID1 doesn't match the expected; did the defaults change? ID: ${id}" exit 1 fi -id=`$CERTTOOL --pubkey-info <$srcdir/funny-spacing.pem|$CERTTOOL --key-id --hash sha1` +id=`"${CERTTOOL}" --pubkey-info <"${srcdir}/funny-spacing.pem"|"${CERTTOOL}" --key-id --hash sha1` rc=$? -if test "$id" != "1e09d707d4e3651b84dcb6c68a828d2affef7ec3";then - echo "Key-ID2 doesn't match the expected: $id" +if test "${id}" != "1e09d707d4e3651b84dcb6c68a828d2affef7ec3";then + echo "Key-ID2 doesn't match the expected: ${id}" exit 1 fi -id=`$CERTTOOL --pubkey-info <$srcdir/funny-spacing.pem|$CERTTOOL --key-id --hash sha256` +id=`"${CERTTOOL}" --pubkey-info <"${srcdir}/funny-spacing.pem"|"${CERTTOOL}" --key-id --hash sha256` rc=$? 
-if test "$id" != "118e72e3655150c895ecbd19b3634179fb4a87c7a25abefcb11f5d66661d5a4d";then - echo "Key-ID3 doesn't match the expected: $id" +if test "${id}" != "118e72e3655150c895ecbd19b3634179fb4a87c7a25abefcb11f5d66661d5a4d";then + echo "Key-ID3 doesn't match the expected: ${id}" exit 1 fi #fingerprint -id=`$VALGRIND $CERTTOOL --fingerprint --infile $srcdir/funny-spacing.pem` +id=`${VALGRIND} "${CERTTOOL}" --fingerprint --infile "${srcdir}/funny-spacing.pem"` rc=$? -if test "$id" != "8f735c5ddefd723f59b6a3bb2ac0522470c0182f";then +if test "${id}" != "8f735c5ddefd723f59b6a3bb2ac0522470c0182f";then echo "Fingerprint doesn't match the expected: 3" exit 1 fi -id=`$VALGRIND $CERTTOOL --fingerprint --hash sha256 --infile $srcdir/funny-spacing.pem` +id=`${VALGRIND} "${CERTTOOL}" --fingerprint --hash sha256 --infile "${srcdir}/funny-spacing.pem"` rc=$? -if test "$id" != "fc5b45b20c489393a457f177572920ac40bacba9d25cea51200822271eaf7d1f";then +if test "${id}" != "fc5b45b20c489393a457f177572920ac40bacba9d25cea51200822271eaf7d1f";then echo "Fingerprint doesn't match the expected: 4" exit 1 fi diff --git a/tests/cert-tests/crq b/tests/cert-tests/crq index 18c2e2a..4d87c45 100755 --- a/tests/cert-tests/crq +++ b/tests/cert-tests/crq 
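Review bot: in the certtool hunk the second `--key-id` call, `id=\`$VALGRIND "${CERTTOOL}" --key-id --infile "${srcdir}/funny-spacing.pem"\``, keeps the bare `$VALGRIND` while every other invocation in the file was changed to `${VALGRIND}`; make it consistent with the rest of the patch. Separately, `rc=$?` is assigned after each backtick capture but never tested (each check looks only at `${id}`), so a certtool crash under valgrind surfaces only as an empty id string; either test `${rc}` or drop the assignments.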
@@ -22,29 +22,29 @@ #set -e -srcdir=${srcdir:-.} -CERTTOOL=${CERTTOOL:-../../src/certtool$EXEEXT} -DIFF=${DIFF:-diff} +srcdir="${srcdir:-.}" +CERTTOOL="${CERTTOOL:-../../src/certtool$EXEEXT}" +DIFF="${DIFF:-diff}" if ! test -z "${VALGRIND}";then VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=15" fi OUTFILE=out.tmp -$VALGRIND $CERTTOOL --inder --crq-info --infile $srcdir/csr-invalid.der >$OUTFILE 2>&1 +${VALGRIND} "${CERTTOOL}" --inder --crq-info --infile "${srcdir}/csr-invalid.der" >"${OUTFILE}" 2>&1 rc=$? # We're done. -if test "$rc" != "0"; then +if test "${rc}" != "0"; then echo "Invalid crq decoding failed" - exit $rc + exit ${rc} fi -grep "error: get_key_id" $OUTFILE >/dev/null 2>&1 +grep "error: get_key_id" "${OUTFILE}" >/dev/null 2>&1 if test "$?" != "0"; then echo "crq decoding didn't fail as expected" exit 1 fi -rm -f $OUTFILE +rm -f "${OUTFILE}" exit 0 diff --git a/tests/cert-tests/dane b/tests/cert-tests/dane index c43d7d9..55688eb 100755 --- a/tests/cert-tests/dane +++ b/tests/cert-tests/dane @@ -22,22 +22,22 @@ set -e -srcdir=${srcdir:-.} -DANETOOL=${DANETOOL:-../../src/danetool$EXEEXT} -DIFF=${DIFF:-diff} +srcdir="${srcdir:-.}" +DANETOOL="${DANETOOL:-../../src/danetool$EXEEXT}" +DIFF="${DIFF:-diff}" -test -e $DANETOOL || exit 77 +test -e "${DANETOOL}" || exit 77 -$DANETOOL --tlsa-rr --load-certificate $srcdir/cert-ecc256.pem --host www.example.com --outfile tmp-dane.rr 2>/dev/null +"${DANETOOL}" --tlsa-rr --load-certificate "${srcdir}/cert-ecc256.pem" --host www.example.com --outfile tmp-dane.rr 2>/dev/null -$DIFF $srcdir/dane-test.rr tmp-dane.rr +${DIFF} "${srcdir}/dane-test.rr" tmp-dane.rr rc=$? rm -f tmp-dane.rr # We're done. -if test "$rc" != "0"; then - exit $rc +if test "${rc}" != "0"; then + exit ${rc} fi exit 0 diff --git a/tests/cert-tests/email b/tests/cert-tests/email index abc91f2..3b093a4 100755 --- a/tests/cert-tests/email +++ b/tests/cert-tests/email 
@@ -20,73 +20,73 @@ # along with GnuTLS; if not, write to the Free Software Foundation, # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -srcdir=${srcdir:-.} -CERTTOOL=${CERTTOOL:-../../src/certtool$EXEEXT} -DIFF=${DIFF:-diff} +srcdir="${srcdir:-.}" +CERTTOOL="${CERTTOOL:-../../src/certtool$EXEEXT}" +DIFF=$"{DIFF:-diff}" if ! test -z "${VALGRIND}";then VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" fi -$VALGRIND $CERTTOOL -e --infile $srcdir/email-certs/chain.exclude.test.example.com --verify-email test at example.com +${VALGRIND} "${CERTTOOL}" -e --infile "${srcdir}/email-certs/chain.exclude.test.example.com" --verify-email test at example.com rc=$? -if test "$rc" != "1"; then +if test "${rc}" != "1"; then echo "email test 1 failed" exit 1 fi -$VALGRIND $CERTTOOL -e --infile $srcdir/email-certs/chain.exclude.test.example.com --verify-email invalid at example.com +${VALGRIND} "${CERTTOOL}" -e --infile "${srcdir}/email-certs/chain.exclude.test.example.com" --verify-email invalid at example.com rc=$? -if test "$rc" != "1"; then +if test "${rc}" != "1"; then echo "email test 2 failed" exit 1 fi -$VALGRIND $CERTTOOL -e --infile $srcdir/email-certs/chain.test.example.com --verify-email test at example.com +${VALGRIND} "${CERTTOOL}" -e --infile "${srcdir}/email-certs/chain.test.example.com" --verify-email test at example.com rc=$? -if test "$rc" != "0"; then +if test "${rc}" != "0"; then echo "email test 3 failed" exit 1 fi -$VALGRIND $CERTTOOL -e --infile $srcdir/email-certs/chain.test.example.com --verify-email invalid at example.com +${VALGRIND} "${CERTTOOL}" -e --infile "${srcdir}/email-certs/chain.test.example.com" --verify-email invalid at example.com rc=$? 
-if test "$rc" != "1"; then +if test "${rc}" != "1"; then echo "email test 4 failed" exit 1 fi -$VALGRIND $CERTTOOL -e --infile $srcdir/email-certs/chain.invalid.example.com --verify-email invalid at example.com +${VALGRIND} "${CERTTOOL}" -e --infile "${srcdir}/email-certs/chain.invalid.example.com" --verify-email invalid at example.com rc=$? -if test "$rc" != "1"; then +if test "${rc}" != "1"; then echo "email test 5 failed" exit 1 fi -$VALGRIND $CERTTOOL -e --infile $srcdir/email-certs/chain.invalid.example.com --verify-email test at cola.com +${VALGRIND} "${CERTTOOL}" -e --infile "${srcdir}/email-certs/chain.invalid.example.com" --verify-email test at cola.com rc=$? -if test "$rc" != "1"; then +if test "${rc}" != "1"; then echo "email test 6 failed" exit 1 fi -$VALGRIND $CERTTOOL -e --infile $srcdir/email-certs/chain.test.example.com-2 --verify-email test at example.com +${VALGRIND} "${CERTTOOL}" -e --infile "${srcdir}/email-certs/chain.test.example.com-2" --verify-email test at example.com rc=$? -if test "$rc" != "0"; then +if test "${rc}" != "0"; then echo "email test 7 failed" exit 1 fi -$VALGRIND $CERTTOOL -e --infile $srcdir/email-certs/chain.test.example.com-2 --verify-email invalid at example.com +${VALGRIND} "${CERTTOOL}" -e --infile "${srcdir}/email-certs/chain.test.example.com-2" --verify-email invalid at example.com rc=$? -if test "$rc" != "1"; then +if test "${rc}" != "1"; then echo "email test 8 failed" exit 1 fi diff --git a/tests/cert-tests/invalid-sig b/tests/cert-tests/invalid-sig index 5c21abf..3f8553a 100755 --- a/tests/cert-tests/invalid-sig +++ b/tests/cert-tests/invalid-sig 
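Review bot: the email hunk introduces `DIFF=$"{DIFF:-diff}"` with the `$` outside the quotes; in bash `$"..."` is locale translation and in POSIX sh the `$` is literal, so DIFF ends up as the string `{DIFF:-diff}` or `${DIFF:-diff}` rather than the diff command. It does not break this script only because nothing in the shown hunk uses `${DIFF}`, which is why it would pass unnoticed; it should read `DIFF="${DIFF:-diff}"` like the other files in this patch.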
@@ -22,41 +22,41 @@ #set -e -srcdir=${srcdir:-.} -CERTTOOL=${CERTTOOL:-../../src/certtool$EXEEXT} -DIFF=${DIFF:-diff} +srcdir="${srcdir:-.}" +CERTTOOL="${CERTTOOL:-../../src/certtool$EXEEXT}" +DIFF="${DIFF:-diff}" if ! test -z "${VALGRIND}";then VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" fi #check whether a different PKCS #1 signature than the advertized in certificate is tolerated -$VALGRIND $CERTTOOL -e --infile $srcdir/invalid-sig.pem +${VALGRIND} "${CERTTOOL}" -e --infile "${srcdir}/invalid-sig.pem" rc=$? # We're done. -if test "$rc" = "0"; then +if test "${rc}" = "0"; then echo "Verification of invalid signature (1) failed" - exit $rc + exit ${rc} fi #check whether a different tbsCertificate than the outer signature algorithm is tolerated -$VALGRIND $CERTTOOL -e --infile $srcdir/invalid-sig2.pem +${VALGRIND} "${CERTTOOL}" -e --infile "${srcdir}/invalid-sig2.pem" rc=$? # We're done. -if test "$rc" = "0"; then +if test "${rc}" = "0"; then echo "Verification of invalid signature (2) failed" - exit $rc + exit ${rc} fi #check whether a different tbsCertificate than the outer signature algorithm is tolerated -$VALGRIND $CERTTOOL -e --infile $srcdir/invalid-sig3.pem +${VALGRIND} "${CERTTOOL}" -e --infile "${srcdir}/invalid-sig3.pem" rc=$? # We're done. -if test "$rc" = "0"; then +if test "${rc}" = "0"; then echo "Verification of invalid signature (3) failed" - exit $rc + exit ${rc} fi exit 0 diff --git a/tests/cert-tests/pathlen b/tests/cert-tests/pathlen index ed79b44..18084f5 100755 --- a/tests/cert-tests/pathlen +++ b/tests/cert-tests/pathlen 
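Review bot: while the invalid-sig hunk is touching these lines, all three failure branches are `if test "${rc}" = "0"; then ... exit ${rc}`, i.e. they exit with status 0 exactly when verification of an invalid signature wrongly succeeded, so this test can never fail. Replace `exit ${rc}` with `exit 1` in those three branches.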
@@ -22,42 +22,42 @@ set -e -srcdir=${srcdir:-.} -CERTTOOL=${CERTTOOL:-../../src/certtool$EXEEXT} -DIFF=${DIFF:-diff} +srcdir="${srcdir:-.}" +CERTTOOL="${CERTTOOL:-../../src/certtool$EXEEXT}" +DIFF="${DIFF:-diff}" if ! test -z "${VALGRIND}";then VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" fi -$VALGRIND $CERTTOOL --certificate-info --infile $srcdir/ca-no-pathlen.pem \ +${VALGRIND} "${CERTTOOL}" --certificate-info --infile "${srcdir}/ca-no-pathlen.pem" \ |grep -v "Algorithm Security Level" > new-ca-no-pathlen.pem rc=$? -if test "$rc" != "0"; then +if test "${rc}" != "0"; then echo "info 1 failed" - exit $rc + exit ${rc} fi -$VALGRIND $CERTTOOL --certificate-info --infile $srcdir/no-ca-or-pathlen.pem \ +${VALGRIND} "${CERTTOOL}" --certificate-info --infile "${srcdir}/no-ca-or-pathlen.pem" \ |grep -v "Algorithm Security Level" > new-no-ca-or-pathlen.pem rc=$? -if test "$rc" != "0"; then +if test "${rc}" != "0"; then echo "info 2 failed" - exit $rc + exit ${rc} fi -$DIFF $srcdir/ca-no-pathlen.pem new-ca-no-pathlen.pem +${DIFF} "${srcdir}/ca-no-pathlen.pem" new-ca-no-pathlen.pem rc1=$? -$DIFF $srcdir/no-ca-or-pathlen.pem new-no-ca-or-pathlen.pem +${DIFF} "${srcdir}/no-ca-or-pathlen.pem" new-no-ca-or-pathlen.pem rc2=$? # We're done. -if test "$rc1" != "0"; then - exit $rc1 +if test "${rc1}" != "0"; then + exit ${rc1} fi rm -f new-ca-no-pathlen.pem new-no-ca-or-pathlen.pem -exit $rc2 +exit ${rc2} diff --git a/tests/cert-tests/pem-decoding b/tests/cert-tests/pem-decoding index 866c967..6330373 100755 --- a/tests/cert-tests/pem-decoding +++ b/tests/cert-tests/pem-decoding 
@@ -22,78 +22,78 @@ #set -e -srcdir=${srcdir:-.} -CERTTOOL=${CERTTOOL:-../../src/certtool$EXEEXT} -DIFF=${DIFF:-diff} +srcdir="${srcdir:-.}" +CERTTOOL="${CERTTOOL:-../../src/certtool$EXEEXT}" +DIFF="${DIFF:-diff}" if ! test -z "${VALGRIND}";then VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" fi #check whether "funny" spaces can be interpreted -$VALGRIND $CERTTOOL --certificate-info --infile $srcdir/funny-spacing.pem >/dev/null 2>&1 +${VALGRIND} "${CERTTOOL}" --certificate-info --infile "${srcdir}/funny-spacing.pem" >/dev/null 2>&1 rc=$? # We're done. -if test "$rc" != "0"; then +if test "${rc}" != "0"; then echo "Funny-spacing cert decoding failed 1" - exit $rc + exit ${rc} fi #check whether a BMPString attribute can be properly decoded -$VALGRIND $CERTTOOL --certificate-info --infile $srcdir/bmpstring.pem >tmp-pem.pem +${VALGRIND} "${CERTTOOL}" --certificate-info --infile "${srcdir}/bmpstring.pem" >tmp-pem.pem rc=$? -if test "$rc" != "0"; then +if test "${rc}" != "0"; then echo "BMPString cert decoding failed 1" - exit $rc + exit ${rc} fi #Note that --strip-trailing-cr is used for the test #to run on windows platform. -$DIFF $srcdir/bmpstring.pem tmp-pem.pem || $DIFF --strip-trailing-cr $srcdir/bmpstring.pem tmp-pem.pem +${DIFF} "${srcdir}/bmpstring.pem" tmp-pem.pem || ${DIFF} --strip-trailing-cr "${srcdir}/bmpstring.pem" tmp-pem.pem rc=$? -if test "$rc" != "0"; then +if test "${rc}" != "0"; then echo "BMPString cert decoding failed 2" - exit $rc + exit ${rc} fi #check whether complex-cert is decoded as expected -$VALGRIND $CERTTOOL --certificate-info --infile $srcdir/complex-cert.pem >tmp-pem.pem +${VALGRIND} "${CERTTOOL}" --certificate-info --infile "${srcdir}/complex-cert.pem" >tmp-pem.pem rc=$? 
-if test "$rc" != "0"; then +if test "${rc}" != "0"; then echo "Complex cert decoding failed 1" - exit $rc + exit ${rc} fi -cat $srcdir/complex-cert.pem |grep -v "Not After:" >tmp1 +cat "${srcdir}/complex-cert.pem" |grep -v "Not After:" >tmp1 cat tmp-pem.pem |grep -v "Not After:" >tmp2 -$DIFF tmp1 tmp2 || $DIFF --strip-trailing-cr tmp1 tmp2 +${DIFF} tmp1 tmp2 || ${DIFF} --strip-trailing-cr tmp1 tmp2 rc=$? -if test "$rc" != "0"; then +if test "${rc}" != "0"; then echo "Complex cert decoding failed 2" - exit $rc + exit ${rc} fi #check whether the cert with many othernames is decoded as expected -$VALGRIND $CERTTOOL --certificate-info --infile $srcdir/xmpp-othername.pem >tmp-pem.pem +${VALGRIND} "${CERTTOOL}" --certificate-info --infile "${srcdir}/xmpp-othername.pem" >tmp-pem.pem rc=$? -if test "$rc" != "0"; then +if test "${rc}" != "0"; then echo "XMPP cert decoding failed 1" - exit $rc + exit ${rc} fi -cat $srcdir/xmpp-othername.pem |grep -v "Not After:" >tmp1 +cat "${srcdir}/xmpp-othername.pem" |grep -v "Not After:" >tmp1 cat tmp-pem.pem |grep -v "Not After:" >tmp2 -$DIFF tmp1 tmp2 || $DIFF --strip-trailing-cr tmp1 tmp2 +${DIFF} tmp1 tmp2 || ${DIFF} --strip-trailing-cr tmp1 tmp2 rc=$? -if test "$rc" != "0"; then +if test "${rc}" != "0"; then echo "XMPP cert decoding failed 2" - exit $rc + exit ${rc} fi rm -f tmp-pem.pem tmp1 tmp2 diff --git a/tests/cert-tests/pkcs7 b/tests/cert-tests/pkcs7 index 7d28c84..f2a6ff0 100755 --- a/tests/cert-tests/pkcs7 +++ b/tests/cert-tests/pkcs7 @@ -20,9 +20,9 @@ #set -e -srcdir=${srcdir:-.} -CERTTOOL=${CERTTOOL:-../../src/certtool$EXEEXT} -DIFF=${DIFF:-diff} +srcdir="${srcdir:-.}" +CERTTOOL="${CERTTOOL:-../../src/certtool$EXEEXT}" +DIFF="${DIFF:-diff}" if ! test -z "${VALGRIND}";then VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=15" fi 
@@ -30,18 +30,18 @@ OUTFILE=out-pkcs7.tmp OUTFILE2=out2-pkcs7.tmp for FILE in single-ca.p7b full.p7b;do -$VALGRIND $CERTTOOL --inder --p7-info --infile $srcdir/$FILE|grep -v "Signing time" >$OUTFILE +${VALGRIND} "${CERTTOOL}" --inder --p7-info --infile "${srcdir}/${FILE}"|grep -v "Signing time" >"${OUTFILE}" rc=$? # We're done. -if test "$rc" != "0"; then - echo "$FILE: PKCS7 decoding failed" - exit $rc +if test "${rc}" != "0"; then + echo "${FILE}: PKCS7 decoding failed" + exit ${rc} fi -$DIFF $OUTFILE $srcdir/$FILE.out >/dev/null +${DIFF} "${OUTFILE}" "${srcdir}/${FILE}.out" >/dev/null if test "$?" != "0"; then - echo "$FILE: PKCS7 decoding didn't produce the correct file" + echo "${FILE}: PKCS7 decoding didn't produce the correct file" exit 1 fi done 
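Review bot: in the pkcs7 @@ -30 hunk, `rc=$?` after `... --p7-info --infile "${srcdir}/${FILE}"|grep -v "Signing time" >"${OUTFILE}"` records grep's status, not certtool's, so "PKCS7 decoding failed" cannot fire on a certtool error (grep -v exits 0 whenever it prints anything); the aki and pathlen hunks have the same pattern with `grep -v "Algorithm Security Level"`. Write certtool's output to a temporary file, test `$?`, and only then filter it through grep into `${OUTFILE}`.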
@@ -49,27 +49,27 @@ done # check signatures for FILE in full.p7b;do -$VALGRIND $CERTTOOL --inder --p7-verify --load-ca-certificate $srcdir/../../doc/credentials/x509/ca.pem --infile $srcdir/$FILE >$OUTFILE +${VALGRIND} "${CERTTOOL}" --inder --p7-verify --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" --infile "${srcdir}/${FILE}" >"${OUTFILE}" rc=$? -if test "$rc" != "0"; then - echo "$FILE: PKCS7 verification failed" - exit $rc +if test "${rc}" != "0"; then + echo "${FILE}: PKCS7 verification failed" + exit ${rc} fi -$VALGRIND $CERTTOOL --verify-purpose=1.3.6.1.5.5.7.3.1 --inder --p7-verify --load-ca-certificate $srcdir/../../doc/credentials/x509/ca.pem --infile $srcdir/$FILE >$OUTFILE +${VALGRIND} "${CERTTOOL}" --verify-purpose=1.3.6.1.5.5.7.3.1 --inder --p7-verify --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" --infile "${srcdir}/${FILE}" >"${OUTFILE}" rc=$? -if test "$rc" != "0"; then - echo "$FILE: PKCS7 verification failed with key purpose" - exit $rc +if test "${rc}" != "0"; then + echo "${FILE}: PKCS7 verification failed with key purpose" + exit ${rc} fi -$VALGRIND $CERTTOOL --verify-purpose=1.3.6.1.5.5.7.3.3 --inder --p7-verify --load-ca-certificate $srcdir/../../doc/credentials/x509/ca.pem --infile $srcdir/$FILE >$OUTFILE +${VALGRIND} "${CERTTOOL}" --verify-purpose=1.3.6.1.5.5.7.3.3 --inder --p7-verify --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" --infile "${srcdir}/${FILE}" >"${OUTFILE}" rc=$? -if test "$rc" = "0"; then - echo "$FILE: PKCS7 verification succeeded with wrong key purpose" +if test "${rc}" = "0"; then + echo "${FILE}: PKCS7 verification succeeded with wrong key purpose" exit 2 fi 
@@ -77,123 +77,123 @@ done # check signature with detached data -FILE=detached.p7b -$VALGRIND $CERTTOOL --inder --p7-verify --load-ca-certificate $srcdir/../../doc/credentials/x509/ca.pem --infile $srcdir/$FILE +FILE="detached.p7b" +${VALGRIND} "${CERTTOOL}" --inder --p7-verify --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" --infile "${srcdir}/${FILE}" rc=$? -if test "$rc" = "0"; then - echo "$FILE: PKCS7 verification succeeded without providing detached data" +if test "${rc}" = "0"; then + echo "${FILE}: PKCS7 verification succeeded without providing detached data" exit 2 fi -$VALGRIND $CERTTOOL --inder --p7-verify --load-data $srcdir/pkcs7-detached.txt --load-ca-certificate $srcdir/../../doc/credentials/x509/ca.pem --infile $srcdir/$FILE +${VALGRIND} "${CERTTOOL}" --inder --p7-verify --load-data "${srcdir}/pkcs7-detached.txt" --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" --infile "${srcdir}/${FILE}" rc=$? -if test "$rc" != "0"; then - echo "$FILE: PKCS7 verification failed" - exit $rc +if test "${rc}" != "0"; then + echo "${FILE}: PKCS7 verification failed" + exit ${rc} fi # Test cert combination FILE="p7-combined" -cat $srcdir/../certs/cert*.pem >$OUTFILE2 -$VALGRIND $CERTTOOL --p7-generate --load-certificate $OUTFILE2 >$OUTFILE +cat "${srcdir}/../certs"/cert*.pem >"${OUTFILE2}" +${VALGRIND} "${CERTTOOL}" --p7-generate --load-certificate "${OUTFILE2}" >"${OUTFILE}" rc=$? -if test "$rc" != "0"; then - echo "$FILE: PKCS7 struct generation failed" - exit $rc +if test "${rc}" != "0"; then + echo "${FILE}: PKCS7 struct generation failed" + exit ${rc} fi -$DIFF $OUTFILE $srcdir/p7-combined.out >/dev/null +${DIFF} "${OUTFILE}" "${srcdir}/p7-combined.out" >/dev/null if test "$?" 
!= "0"; then - echo "$FILE: PKCS7 generation didn't produce the correct file" + echo "${FILE}: PKCS7 generation didn't produce the correct file" exit 1 fi # Test signing -FILE=signing -$VALGRIND $CERTTOOL --p7-sign --load-privkey $srcdir/../../doc/credentials/x509/key-rsa.pem --load-certificate $srcdir/../../doc/credentials/x509/cert-rsa.pem --infile $srcdir/pkcs7-detached.txt >$OUTFILE +FILE="signing" +${VALGRIND} "${CERTTOOL}" --p7-sign --load-privkey "${srcdir}/../../doc/credentials/x509/key-rsa.pem" --load-certificate "${srcdir}/../../doc/credentials/x509/cert-rsa.pem" --infile "${srcdir}/pkcs7-detached.txt" >"${OUTFILE}" rc=$? -if test "$rc" != "0"; then - echo "$FILE: PKCS7 struct signing failed" - exit $rc +if test "${rc}" != "0"; then + echo "${FILE}: PKCS7 struct signing failed" + exit ${rc} fi -FILE=signing-verify -$VALGRIND $CERTTOOL --p7-verify --load-certificate $srcdir/../../doc/credentials/x509/cert-rsa.pem <$OUTFILE +FILE="signing-verify" +${VALGRIND} "${CERTTOOL}" --p7-verify --load-certificate "${srcdir}/../../doc/credentials/x509/cert-rsa.pem" <"${OUTFILE}" rc=$? -if test "$rc" != "0"; then - echo "$FILE: PKCS7 struct signing failed verification" - exit $rc +if test "${rc}" != "0"; then + echo "${FILE}: PKCS7 struct signing failed verification" + exit ${rc} fi -FILE=signing-detached -$VALGRIND $CERTTOOL --p7-detached-sign --load-privkey $srcdir/../../doc/credentials/x509/key-rsa.pem --load-certificate $srcdir/../../doc/credentials/x509/cert-rsa.pem --infile $srcdir/pkcs7-detached.txt >$OUTFILE +FILE="signing-detached" +${VALGRIND} "${CERTTOOL}" --p7-detached-sign --load-privkey "${srcdir}/../../doc/credentials/x509/key-rsa.pem" --load-certificate "${srcdir}/../../doc/credentials/x509/cert-rsa.pem" --infile "${srcdir}/pkcs7-detached.txt" >"${OUTFILE}" rc=$? 
-if test "$rc" != "0"; then - echo "$FILE: PKCS7 struct signing-detached failed" - exit $rc +if test "${rc}" != "0"; then + echo "${FILE}: PKCS7 struct signing-detached failed" + exit ${rc} fi -FILE=signing-detached-verify -$VALGRIND $CERTTOOL --p7-verify --load-certificate $srcdir/../../doc/credentials/x509/cert-rsa.pem --load-data $srcdir/pkcs7-detached.txt <$OUTFILE +FILE="signing-detached-verify" +${VALGRIND} "${CERTTOOL}" --p7-verify --load-certificate "${srcdir}/../../doc/credentials/x509/cert-rsa.pem" --load-data "${srcdir}/pkcs7-detached.txt" <"${OUTFILE}" rc=$? -if test "$rc" != "0"; then - echo "$FILE: PKCS7 struct signing-detached failed verification" - exit $rc +if test "${rc}" != "0"; then + echo "${FILE}: PKCS7 struct signing-detached failed verification" + exit ${rc} fi # Test signing with broken algorithms -FILE=signing-broken -$VALGRIND $CERTTOOL --hash md5 --p7-sign --load-privkey $srcdir/../../doc/credentials/x509/key-rsa.pem --load-certificate $srcdir/../../doc/credentials/x509/cert-rsa.pem --infile $srcdir/pkcs7-detached.txt >$OUTFILE +FILE="signing-broken" +${VALGRIND} "${CERTTOOL}" --hash md5 --p7-sign --load-privkey "${srcdir}/../../doc/credentials/x509/key-rsa.pem" --load-certificate "${srcdir}/../../doc/credentials/x509/cert-rsa.pem" --infile "${srcdir}/pkcs7-detached.txt" >"${OUTFILE}" rc=$? -if test "$rc" != "0"; then - echo "$FILE: PKCS7 struct signing-broken failed" - exit $rc +if test "${rc}" != "0"; then + echo "${FILE}: PKCS7 struct signing-broken failed" + exit ${rc} fi -FILE=signing-verify-broken -$VALGRIND $CERTTOOL --p7-verify --load-certificate $srcdir/../../doc/credentials/x509/cert-rsa.pem <$OUTFILE +FILE="signing-verify-broken" +${VALGRIND} "${CERTTOOL}" --p7-verify --load-certificate "${srcdir}/../../doc/credentials/x509/cert-rsa.pem" <"${OUTFILE}" rc=$? 
-if test "$rc" = "0"; then - echo "$FILE: PKCS7 struct verification succeeded with broken algo" +if test "${rc}" = "0"; then + echo "${FILE}: PKCS7 struct verification succeeded with broken algo" exit 1 fi -FILE=signing-time -$VALGRIND $CERTTOOL --p7-detached-sign --p7-time --load-privkey $srcdir/../../doc/credentials/x509/key-rsa.pem --load-certificate $srcdir/../../doc/credentials/x509/cert-rsa.pem --infile $srcdir/pkcs7-detached.txt >$OUTFILE +FILE="signing-time" +${VALGRIND} "${CERTTOOL}" --p7-detached-sign --p7-time --load-privkey "${srcdir}/../../doc/credentials/x509/key-rsa.pem" --load-certificate "${srcdir}/../../doc/credentials/x509/cert-rsa.pem" --infile "${srcdir}/pkcs7-detached.txt" >"${OUTFILE}" rc=$? -if test "$rc" != "0"; then - echo "$FILE: PKCS7 struct signing with time failed" - exit $rc +if test "${rc}" != "0"; then + echo "${FILE}: PKCS7 struct signing with time failed" + exit ${rc} fi -$VALGRIND $CERTTOOL --p7-info <$OUTFILE|grep "Signing time:" $OUTFILE >/dev/null 2>&1 -if test "$rc" != "0"; then - echo "$FILE: PKCS7 struct signing with time failed. No time was found." - exit $rc +${VALGRIND} "${CERTTOOL}" --p7-info <"${OUTFILE}"|grep "Signing time:" "${OUTFILE}" >/dev/null 2>&1 +if test "${rc}" != "0"; then + echo "${FILE}: PKCS7 struct signing with time failed. No time was found." + exit ${rc} fi -FILE=signing-time-verify -$VALGRIND $CERTTOOL --p7-verify --load-certificate $srcdir/../../doc/credentials/x509/cert-rsa.pem --load-data $srcdir/pkcs7-detached.txt <$OUTFILE +FILE="signing-time-verify" +${VALGRIND} "${CERTTOOL}" --p7-verify --load-certificate "${srcdir}/../../doc/credentials/x509/cert-rsa.pem" --load-data "${srcdir}/pkcs7-detached.txt" <"${OUTFILE}" rc=$? 
-if test "$rc" != "0"; then - echo "$FILE: PKCS7 struct signing with time failed verification" - exit $rc +if test "${rc}" != "0"; then + echo "${FILE}: PKCS7 struct signing with time failed verification" + exit ${rc} fi -rm -f $OUTFILE -rm -f $OUTFILE2 +rm -f "${OUTFILE}" +rm -f "${OUTFILE2}" exit 0 diff --git a/tests/cert-tests/template-test b/tests/cert-tests/template-test index c810db9..f99fda1 100755 --- a/tests/cert-tests/template-test +++ b/tests/cert-tests/template-test @@ -20,8 +20,9 @@ #set -e -srcdir=${srcdir:-.} -CERTTOOL=${CERTTOOL:-../../src/certtool$EXEEXT} +srcdir="${srcdir:-.}" +CERTTOOL="${CERTTOOL:-../../src/certtool$EXEEXT}" +DIFF="${DIFF:-diff}" # Check for datefudge TSTAMP=`datefudge "2006-09-23" date -u +%s || true` @@ -37,25 +38,24 @@ fi rc=1 counter=1 -while [ "$rc" != "0" -a $counter -le 3 ] +while [ "${rc}" != "0" -a $counter -le 3 ] do - datefudge "2007-04-22" \ - $CERTTOOL --generate-self-signed \ - --load-privkey $srcdir/template-test.key \ - --template $srcdir/template-test.tmpl \ + "${CERTTOOL}" --generate-self-signed \ + --load-privkey "${srcdir}/template-test.key" \ + --template "${srcdir}/template-test.tmpl" \ --outfile tmp-tt.pem 2>/dev/null -diff $srcdir/template-test.pem tmp-tt.pem >/dev/null 2>&1 +${DIFF} "${srcdir}/template-test.pem" tmp-tt.pem >/dev/null 2>&1 rc=$? -test $rc != 0 && sleep 3 -counter=`expr $counter + 1` +test ${rc} != 0 && sleep 3 +counter=`expr $counter + 1` done # We're done. -if test "$rc" != "0"; then +if test "${rc}" != "0"; then echo "Test 1 failed" - exit $rc + exit ${rc} fi rm -f tmp-tt.pem 
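Review bot: In the `@@ -37,25 +38,24 @@` hunk of tests/cert-tests/template-test, the line `- datefudge "2007-04-22" \` is deleted from test 1 and nothing replaces it, so test 1 now runs certtool against the real clock while tests 2 to 7 keep their datefudge wrapper and the output is still byte-compared with the static `template-test.pem` via `${DIFF}`. That is a behaviour change, not a quoting cleanup, and the commit message (quotes, `${}`, trailing spaces) does not mention it; either restore the line or say in the message why test 1 no longer needs it. The `@@ -234,25 +234,24 @@` hunk for test 8 (generalizedTime) drops `datefudge "2051-04-22"` in the same way. Separately, the signing-time check in the pkcs7 hunk above is inert both before and after this patch: `${VALGRIND} "${CERTTOOL}" --p7-info <"${OUTFILE}"|grep "Signing time:" "${OUTFILE}" >/dev/null 2>&1` is not followed by `rc=$?`, so the `if test "${rc}" != "0"` under it re-examines the exit status of the preceding signing step, and because grep is handed "${OUTFILE}" as a file operand it searches the raw PKCS #7 output rather than what `--p7-info` prints. Since these lines are being rewritten anyway, dropping the file operand and adding `rc=$?` after the pipeline would make the check mean something.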
@@ -63,24 +63,24 @@ rm -f tmp-tt.pem rc=1 counter=1 -while [ "$rc" != "0" -a $counter -le 3 ] +while [ "${rc}" != "0" -a $counter -le 3 ] do datefudge "2007-04-22" \ - $CERTTOOL --generate-self-signed \ - --load-privkey $srcdir/template-test.key \ - --template $srcdir/template-utf8.tmpl \ + "${CERTTOOL}" --generate-self-signed \ + --load-privkey "${srcdir}/template-test.key" \ + --template "${srcdir}/template-utf8.tmpl" \ --outfile tmp-tt.pem 2>/dev/null -diff $srcdir/template-utf8.pem tmp-tt.pem >/dev/null 2>&1 +${DIFF} "${srcdir}/template-utf8.pem" tmp-tt.pem >/dev/null 2>&1 rc=$? -test $rc != 0 && sleep 3 -counter=`expr $counter + 1` +test ${rc} != 0 && sleep 3 +counter=`expr $counter + 1` done # We're done. -if test "$rc" != "0"; then +if test "${rc}" != "0"; then echo "Test 2 (UTF8) failed" - exit $rc + exit ${rc} fi rm -f tmp-tt.pem 
@@ -88,38 +88,38 @@ rm -f tmp-tt.pem rc=1 counter=1 -while [ "$rc" != "0" -a $counter -le 3 ] +while [ "${rc}" != "0" -a $counter -le 3 ] do datefudge "2007-04-22" \ - $CERTTOOL --generate-self-signed \ - --load-privkey $srcdir/template-test.key \ - --template $srcdir/template-dn.tmpl \ + "${CERTTOOL}" --generate-self-signed \ + --load-privkey "${srcdir}/template-test.key" \ + --template "${srcdir}/template-dn.tmpl" \ --outfile tmp-tt.pem 2>/dev/null -diff $srcdir/template-dn.pem tmp-tt.pem >/dev/null 2>&1 +${DIFF} "${srcdir}/template-dn.pem" tmp-tt.pem >/dev/null 2>&1 rc=$? -test $rc != 0 && sleep 3 -counter=`expr $counter + 1` +test ${rc} != 0 && sleep 3 +counter=`expr $counter + 1` done # We're done. -if test "$rc" != "0"; then +if test "${rc}" != "0"; then echo "Test 3 (DN) failed" - exit $rc + exit ${rc} fi rm -f tmp-tt.pem datefudge "2007-04-22" \ - $CERTTOOL --generate-self-signed \ - --load-privkey $srcdir/template-test.key \ - --template $srcdir/template-dn-err.tmpl \ + "${CERTTOOL}" --generate-self-signed \ + --load-privkey "${srcdir}/template-test.key" \ + --template "${srcdir}/template-dn-err.tmpl" \ --outfile tmp-tt.pem 2>/dev/null rc=$? -if test "$rc" = "0"; then +if test "${rc}" = "0"; then echo "Test 3 (DN-err) failed" - exit $rc + exit ${rc} fi rm -f tmp-tt.pem 
@@ -127,24 +127,24 @@ rm -f tmp-tt.pem rc=1 counter=1 -while [ "$rc" != "0" -a $counter -le 3 ] +while [ "${rc}" != "0" -a $counter -le 3 ] do datefudge "2007-04-22" \ - $CERTTOOL --generate-self-signed \ - --load-privkey $srcdir/template-test.key \ - --template $srcdir/template-overflow.tmpl \ + "${CERTTOOL}" --generate-self-signed \ + --load-privkey "${srcdir}/template-test.key" \ + --template "${srcdir}/template-overflow.tmpl" \ --outfile tmp-tt.pem 2>/dev/null -diff $srcdir/template-overflow.pem tmp-tt.pem >/dev/null 2>&1 +${DIFF} "${srcdir}/template-overflow.pem" tmp-tt.pem >/dev/null 2>&1 rc=$? -test $rc != 0 && sleep 3 -counter=`expr $counter + 1` +test ${rc} != 0 && sleep 3 +counter=`expr $counter + 1` done # We're done. -if test "$rc" != "0"; then +if test "${rc}" != "0"; then echo "Test 4 (overflow1) failed" - exit $rc + exit ${rc} fi rm -f tmp-tt.pem @@ -155,24 +155,24 @@ if echo __SIZEOF_POINTER__ | cpp -E - - | grep '^8$' >/dev/null; then rc=1 counter=1 -while [ "$rc" != "0" -a $counter -le 3 ] +while [ "${rc}" != "0" -a $counter -le 3 ] do datefudge "2007-04-22" \ - $CERTTOOL --generate-self-signed \ - --load-privkey $srcdir/template-test.key \ - --template $srcdir/template-overflow2.tmpl \ + "${CERTTOOL}" --generate-self-signed \ + --load-privkey "${srcdir}/template-test.key" \ + --template "${srcdir}/template-overflow2.tmpl" \ --outfile tmp-tt.pem 2>/dev/null -diff $srcdir/template-overflow2.pem tmp-tt.pem >/dev/null 2>&1 +${DIFF} "${srcdir}/template-overflow2.pem" tmp-tt.pem >/dev/null 2>&1 rc=$? -test $rc != 0 && sleep 3 -counter=`expr $counter + 1` +test ${rc} != 0 && sleep 3 +counter=`expr $counter + 1` done # We're done. -if test "$rc" != "0"; then +if test "${rc}" != "0"; then echo "Test 5 (overflow2) failed" - exit $rc + exit ${rc} fi rm -f tmp-tt.pem 
@@ -181,24 +181,24 @@ fi rc=1 counter=1 -while [ "$rc" != "0" -a $counter -le 3 ] +while [ "${rc}" != "0" -a $counter -le 3 ] do datefudge "2007-04-22" \ - $CERTTOOL --generate-self-signed \ - --load-privkey $srcdir/template-test.key \ - --template $srcdir/template-date.tmpl \ + "${CERTTOOL}" --generate-self-signed \ + --load-privkey "${srcdir}/template-test.key" \ + --template "${srcdir}/template-date.tmpl" \ --outfile tmp-tt.pem 2>/dev/null -diff $srcdir/template-date.pem tmp-tt.pem >/dev/null 2>&1 +${DIFF} "${srcdir}/template-date.pem" tmp-tt.pem >/dev/null 2>&1 rc=$? -test $rc != 0 && sleep 3 -counter=`expr $counter + 1` +test ${rc} != 0 && sleep 3 +counter=`expr $counter + 1` done # We're done. -if test "$rc" != "0"; then +if test "${rc}" != "0"; then echo "Test 6 (explicit dates) failed" - exit $rc + exit ${rc} fi rm -f tmp-tt.pem @@ -208,24 +208,24 @@ rm -f tmp-tt.pem rc=1 counter=1 -while [ "$rc" != "0" -a $counter -le 3 ] +while [ "${rc}" != "0" -a $counter -le 3 ] do datefudge "2007-04-22" \ - $CERTTOOL --generate-self-signed \ - --load-privkey $srcdir/template-test.key \ - --template $srcdir/template-nc.tmpl \ + "${CERTTOOL}" --generate-self-signed \ + --load-privkey "${srcdir}/template-test.key" \ + --template "${srcdir}/template-nc.tmpl" \ --outfile tmp-tt.pem 2>/dev/null -diff $srcdir/template-nc.pem tmp-tt.pem >/dev/null 2>&1 +${DIFF} "${srcdir}/template-nc.pem" tmp-tt.pem >/dev/null 2>&1 rc=$? -test $rc != 0 && sleep 3 -counter=`expr $counter + 1` +test ${rc} != 0 && sleep 3 +counter=`expr $counter + 1` done # We're done. -if test "$rc" != "0"; then +if test "${rc}" != "0"; then echo "Test 7 (name constraints) failed" - exit $rc + exit ${rc} fi rm -f tmp-tt.pem 
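Review bot: Across the `while [ "${rc}" != "0" -a $counter -le 3 ]` loops in these hunks, `$counter` is the one variable the patch leaves both unbraced and unquoted, and the `expr $counter + 1` assignment is rewritten to an identical line (presumably only trailing whitespace changed). For a patch whose stated purpose is quoting and `${}`, `"${counter}"` would be consistent with the rest of the change; `[ "${rc}" != "0" ] && [ "${counter}" -le 3 ]` would additionally avoid the obsolescent `-a` operator of `test`.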
@@ -234,25 +234,24 @@ rm -f tmp-tt.pem rc=1 counter=1 -while [ "$rc" != "0" -a $counter -le 3 ] +while [ "${rc}" != "0" -a $counter -le 3 ] do - datefudge "2051-04-22" \ - $CERTTOOL --generate-self-signed \ - --load-privkey $srcdir/template-test.key \ - --template $srcdir/template-generalized.tmpl \ + "${CERTTOOL}" --generate-self-signed \ + --load-privkey "${srcdir}/template-test.key" \ + --template "${srcdir}/template-generalized.tmpl" \ --outfile tmp-tt.pem 2>/dev/null -diff $srcdir/template-generalized.pem tmp-tt.pem >/dev/null 2>&1 +${DIFF} "${srcdir}/template-generalized.pem" tmp-tt.pem >/dev/null 2>&1 rc=$? -test $rc != 0 && sleep 3 -counter=`expr $counter + 1` +test ${rc} != 0 && sleep 3 +counter=`expr $counter + 1` done # We're done. -if test "$rc" != "0"; then +if test "${rc}" != "0"; then echo "Test 8 (generalizedTime) failed" - exit $rc + exit ${rc} fi rm -f tmp-tt.pem -- 2.3.6 From alon.barlev at gmail.com Wed Jun 17 13:09:15 2015 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Wed, 17 Jun 2015 14:09:15 +0300 Subject: [gnutls-devel] tests/cert-tests/template-test is timezone sensitive Message-ID: See: $ TZ=GMT+2 datefudge "2015-01-01" date -u Thu Jan 1 02:00:00 UTC 2015 $ TZ=GMT+0 datefudge "2015-01-01" date -u Thu Jan 1 00:00:00 UTC 2015 Probably issue of datefudge of using localtime... The test should enforce a specific TZ, currently it is GMT-2. However, even if done so, the certificates are generated wi From alon.barlev at gmail.com Wed Jun 17 13:11:00 2015 
From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Wed, 17 Jun 2015 14:11:00 +0300 Subject: [gnutls-devel] tests/cert-tests/template-test is timezone sensitive In-Reply-To: References: Message-ID: Sorry, was cut in the middle. See: $ TZ=GMT+2 datefudge "2015-01-01" date -u Thu Jan 1 02:00:00 UTC 2015 $ TZ=GMT+0 datefudge "2015-01-01" date -u Thu Jan 1 00:00:00 UTC 2015 Probably issue of datefudge of using localtime... The test should enforce a specific TZ, currently it is UTC-2. However, even if done so, the certificates are generated with different signature. Example for test1: $ TZ=UTC-2 ./template-test --- /tmp/a1 2015-06-17 13:03:31.760671982 +0200 +++ /tmp/a2 2015-06-17 13:03:31.764672014 +0200 @@ -41,11 +41,11 @@ Certificate: URI:http://www.getcrl.crl/getcrl3/ Signature Algorithm: sha256WithRSAEncryption - 86:0e:71:aa:ec:de:31:5d:55:53:6d:39:0a:ea:c0:0b:f2:40: - f5:61:b3:d4:b3:63:d2:a8:c6:01:aa:80:9f:db:eb:3b:a9:7a: - 4c:dd:76:6b:51:4d:af:ef:f5:9d:72:3d:14:a3:0b:da:66:3e: - e7:33:90:56:96:01:c9:10:6c:2f:55:33:10:69:1b:3e:8f:28: - b5:5f:20:aa:e7:aa:5a:7e:f3:21:e0:42:60:d5:c3:06:4f:85: - 20:7b:90:db:f5:89:a3:4f:63:55:b6:3d:50:16:fa:e1:7b:3b: - e6:6f:1f:39:45:b5:4e:43:ca:8e:b0:14:5b:ad:f1:d8:59:da: - 82:2a + 58:13:fc:9f:cb:7d:2f:ad:2f:fd:f6:37:fd:ed:32:36:7a:22: + cf:f5:60:b5:3b:63:1c:88:d1:3e:c1:9c:af:30:fb:1e:08:5a: + c6:5d:8f:8d:9f:fc:27:e4:38:7a:7f:c1:20:c7:fb:0f:d4:7a: + 45:20:c8:8b:c3:fc:83:60:18:10:3b:e9:6f:a3:4a:eb:50:90: + 6c:db:7b:86:e9:52:94:c4:03:33:d0:29:67:78:c6:77:e1:0e: + ed:9c:1f:02:76:42:fe:5f:22:48:13:ee:6f:72:df:c3:0b:8f: + ec:e4:24:75:16:c6:eb:c1:07:d5:ee:ed:c7:4d:ea:d5:e1:6e: + 55:9f I am unsure what was the exact intention. Regards, Alon From j.ballantine at gmail.com Wed Jun 17 15:36:52 2015 
From: j.ballantine at gmail.com (Jim Ballantine) Date: Wed, 17 Jun 2015 09:36:52 -0400 Subject: [gnutls-devel] [gnutls-help] gnutls 3.4.2 In-Reply-To: <1434485279.7405.2.camel@gnutls.org> References: <1434485279.7405.2.camel@gnutls.org> Message-ID: Hi, I just tried to build the latest gnutls and it failed with: checking for NETTLE... Unknown keyword 'URL' in '/usr/local/add-on/nettle/lib/pkgconfig/nettle.pc' no configure: error: *** *** Libnettle 3.1 was not found. nettle was a stand install, any thoughts on what is wrong and how to fix it? On Tue, Jun 16, 2015 at 4:07 PM, Nikos Mavrogiannopoulos wrote: > Hello, > I've just released gnutls 3.4.2. This version fixes bugs and enhances > support for PKCS #7 structures on the next stable branch. > > > * Version 3.4.2 (released 2015-06-16) > > ** libgnutls: DTLS blocking API is more robust against infinite blocking, > and will notify of more possible timeouts. > > ** libgnutls: corrected regression with Camellia-256-GCM cipher. Reported > by Manuel Pegourie-Gonnard. > > ** libgnutls: Introduced the GNUTLS_NO_SIGNAL flag to gnutls_init(). That > allows disabling SIGPIPE for writes done within gnutls. > > ** libgnutls: Enhanced the PKCS #7 API to allow signing and verification > of structures. API moved to gnutls/pkcs7.h header. > > ** certtool: Added options to generate PKCS #7 bundles and signed > structures. 
> > ** API and ABI modifications: > gnutls_x509_dn_get_str: Added > gnutls_pkcs11_get_raw_issuer_by_subject_key_id: Added > gnutls_x509_trust_list_get_issuer_by_subject_key_id: Added > gnutls_x509_crt_verify_data2: Added > gnutls_pkcs7_get_crt_raw2: Added > gnutls_pkcs7_signature_info_deinit: Added > gnutls_pkcs7_get_signature_info: Added > gnutls_pkcs7_verify_direct: Added > gnutls_pkcs7_verify: Added > gnutls_pkcs7_get_crl_raw2: Added > gnutls_pkcs7_sign: Added > gnutls_pkcs7_attrs_deinit: Added > gnutls_pkcs7_add_attr: Added > gnutls_pkcs7_get_attr: Added > gnutls_pkcs7_print: Added > > > Getting the Software > ==================== > > GnuTLS may be downloaded directly from > . A list of GnuTLS mirrors can be > found at . > > Here are the XZ and LZIP compressed sources: > > ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/gnutls-3.4.2.tar.xz > ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/gnutls-3.4.2.tar.lz > > Here are OpenPGP detached signatures signed using key 0x96865171: > > ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/gnutls-3.4.2.tar.xz.sig > ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/gnutls-3.4.2.tar.lz.sig > > Note that it has been signed with my openpgp key: > pub 3104R/96865171 2008-05-04 [expires: 2028-04-29] > uid Nikos Mavrogiannopoulos gnutls.org> > uid Nikos Mavrogiannopoulos > gmail.com> > sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02] > sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02] > > regards, > Nikos > > > > _______________________________________________ > Gnutls-help mailing list > Gnutls-help at lists.gnutls.org > http://lists.gnupg.org/mailman/listinfo/gnutls-help > -------------- next part -------------- An HTML attachment was scrubbed... URL: From nmav at gnutls.org Wed Jun 17 17:19:26 2015 
From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Wed, 17 Jun 2015 17:19:26 +0200 Subject: [gnutls-devel] tests/cert-tests/template-test is timezone sensitive In-Reply-To: References: Message-ID: On Wed, Jun 17, 2015 at 1:11 PM, Alon Bar-Lev wrote: > Sorry, was cut in the middle. > See: > $ TZ=GMT+2 datefudge "2015-01-01" date -u > Thu Jan 1 02:00:00 UTC 2015 > $ TZ=GMT+0 datefudge "2015-01-01" date -u > Thu Jan 1 00:00:00 UTC 2015 > Probably issue of datefudge of using localtime... The test should > enforce a specific TZ, currently it is UTC-2. > However, even if done so, the certificates are generated with > different signature. Which test fails? From alon.barlev at gmail.com Wed Jun 17 17:58:56 2015 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Wed, 17 Jun 2015 18:58:56 +0300 Subject: [gnutls-devel] tests/cert-tests/template-test is timezone sensitive In-Reply-To: References: Message-ID: On 17 June 2015 at 18:19, Nikos Mavrogiannopoulos wrote: > On Wed, Jun 17, 2015 at 1:11 PM, Alon Bar-Lev wrote: >> Sorry, was cut in the middle. >> See: >> $ TZ=GMT+2 datefudge "2015-01-01" date -u >> Thu Jan 1 02:00:00 UTC 2015 >> $ TZ=GMT+0 datefudge "2015-01-01" date -u >> Thu Jan 1 00:00:00 UTC 2015 >> Probably issue of datefudge of using localtime... The test should >> enforce a specific TZ, currently it is UTC-2. >> However, even if done so, the certificates are generated with >> different signature. > > Which test fails? tests/cert-tests/template-test From ametzler at bebt.de Wed Jun 17 19:55:21 2015 
From: ametzler at bebt.de (Andreas Metzler) Date: Wed, 17 Jun 2015 19:55:21 +0200 Subject: [gnutls-devel] [gnutls-help] gnutls 3.4.2 In-Reply-To: References: <1434485279.7405.2.camel@gnutls.org> Message-ID: <20150617175521.GA5251@downhill.g.la> On 2015-06-17 Jim Ballantine wrote: > Hi, > I just tried to build the latest gnutls and it failed with: > checking for NETTLE... Unknown keyword 'URL' in > '/usr/local/add-on/nettle/lib/pkgconfig/nettle.pc' > no > configure: error: > *** > *** Libnettle 3.1 was not found. > nettle was a stand install, any thoughts on what is wrong and how to fix it? [...] Hello, Looks like your pkg-config installation is ancient and fails to parse the URL directive in '/usr/local/add-on/nettle/lib/pkgconfig/nettle.pc'. What does "pkg-config --version" say? As a hotfix you could probably just remove the offending line. cu Andreas From j.ballantine at gmail.com Wed Jun 17 20:34:56 2015 
From: j.ballantine at gmail.com (Jim Ballantine) Date: Wed, 17 Jun 2015 14:34:56 -0400 Subject: [gnutls-devel] [gnutls-help] gnutls 3.4.2 In-Reply-To: <20150617175521.GA5251@downhill.g.la> References: <1434485279.7405.2.camel@gnutls.org> <20150617175521.GA5251@downhill.g.la> Message-ID: Hi, I have version 0.15.0 of pkg-config. Thanks for the advice. On Wed, Jun 17, 2015 at 1:55 PM, Andreas Metzler wrote: > On 2015-06-17 Jim Ballantine wrote: > > Hi, > > > I just tried to build the latest gnutls and it failed with: > > checking for NETTLE... Unknown keyword 'URL' in > > '/usr/local/add-on/nettle/lib/pkgconfig/nettle.pc' > > no > > configure: error: > > *** > > *** Libnettle 3.1 was not found. > > > nettle was a stand install, any thoughts on what is wrong and how to fix > it? > [...] > > Hello, > > Looks like your pkg-config installation is ancient and fails to parse > the URL directive in '/usr/local/add-on/nettle/lib/pkgconfig/nettle.pc'. > What does "pkg-config --version" say? > > As a hotfix you could probably just remove the offending line. > > cu Andreas > -------------- next part -------------- An HTML attachment was scrubbed... URL: From nmav at gnutls.org Wed Jun 17 22:56:22 2015 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Wed, 17 Jun 2015 22:56:22 +0200 Subject: [gnutls-devel] [PATCH] tests: cert-tests: cleanup shell usage In-Reply-To: <1434539154-32486-1-git-send-email-alon.barlev@gmail.com> References: <1434539154-32486-1-git-send-email-alon.barlev@gmail.com> Message-ID: <1434574582.2588.13.camel@gnutls.org> On Wed, 2015-06-17 at 14:05 +0300, Alon Bar-Lev wrote: > Add quotes for most usages of variables. > > Added ${} for variables. > > Cleanup trailing spaces. Applied. Thanks. From alon.barlev at gmail.com Wed Jun 17 23:57:04 2015 
From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Thu, 18 Jun 2015 00:57:04 +0300 Subject: [gnutls-devel] [PATCH] tests: dsa: cleanup shell usage Message-ID: <1434578224-30721-1-git-send-email-alon.barlev@gmail.com> Add quotes for most usages of variables. Added ${} for variables. Cleanup trailing spaces. Removal of unneeded ';'. Minor fix in tests/scripts/common.sh at trap to pass message and avoid killing. Signed-off-by: Alon Bar-Lev --- tests/dsa/testdsa | 88 ++++++++++++++++++++++++------------------------- tests/scripts/common.sh | 36 ++++++++++---------- 2 files changed, 62 insertions(+), 62 deletions(-) diff --git a/tests/dsa/testdsa b/tests/dsa/testdsa index dea4297..0334e63 100755 --- a/tests/dsa/testdsa +++ b/tests/dsa/testdsa 
@@ -30,126 +30,126 @@ if test "${WINDIR}" != "";then exit 77 fi -. $srcdir/../scripts/common.sh +. "${srcdir}/../scripts/common.sh" PORT="${PORT:-$RPORT}" -echo "Checking various DSA key sizes (port $PORT)" +echo "Checking various DSA key sizes (port ${PORT})" # DSA 1024 + TLS 1.0 echo "Checking DSA-1024 with TLS 1.0" -launch_server $$ --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1" --x509certfile $srcdir/cert.dsa.1024.pem --x509keyfile $srcdir/dsa.1024.pem >/dev/null 2>&1 & PID=$! -wait_server $PID +launch_server $$ --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1" --x509certfile "${srcdir}/cert.dsa.1024.pem" --x509keyfile "${srcdir}/dsa.1024.pem" >/dev/null 2>&1 & PID=$! +wait_server "${PID}" PRIO="--priority NORMAL:+DHE-DSS:+SIGN-DSA-SHA512:+SIGN-DSA-SHA384:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1" -$CLI $DEBUG $PRIO -p $PORT 127.0.0.1 --insecure /dev/null || \ - fail $PID "Failed connection to a server with DSA 1024 key and TLS 1.0!" +"${CLI}" ${DEBUG} ${PRIO} -p "${PORT}" 127.0.0.1 --insecure /dev/null || \ + fail "${PID}" "Failed connection to a server with DSA 1024 key and TLS 1.0!" echo "Checking server DSA-1024 with client DSA-1024 and TLS 1.0" #try with client key of 1024 bits (should succeed) -$CLI $DEBUG $PRIO -p $PORT 127.0.0.1 --insecure --x509certfile $srcdir/cert.dsa.1024.pem --x509keyfile $srcdir/dsa.1024.pem /dev/null || \ - fail $PID "Failed connection to a server with DSA 1024 key and TLS 1.0!" +"${CLI}" ${DEBUG} ${PRIO} -p "${PORT}" 127.0.0.1 --insecure --x509certfile "${srcdir}/cert.dsa.1024.pem" --x509keyfile "${srcdir}/dsa.1024.pem" /dev/null || \ + fail "${PID}" "Failed connection to a server with DSA 1024 key and TLS 1.0!" 
echo "Checking server DSA-1024 with client DSA-2048 and TLS 1.0" #try with client key of 2048 bits (should fail) -$CLI $DEBUG $PRIO -p $PORT 127.0.0.1 --insecure --x509certfile $srcdir/cert.dsa.2048.pem --x509keyfile $srcdir/dsa.2048.pem /dev/null 2>&1 && \ - fail $PID "Succeeded connection to a server with a client DSA 2048 key and TLS 1.0!" +"${CLI}" ${DEBUG} ${PRIO} -p "${PORT}" 127.0.0.1 --insecure --x509certfile "${srcdir}/cert.dsa.2048.pem" --x509keyfile "${srcdir}/dsa.2048.pem" /dev/null 2>&1 && \ + fail "${PID}" "Succeeded connection to a server with a client DSA 2048 key and TLS 1.0!" echo "Checking server DSA-1024 with client DSA-3072 and TLS 1.0" #try with client key of 3072 bits (should fail) -$CLI $DEBUG $PRIO -p $PORT 127.0.0.1 --insecure --x509certfile $srcdir/cert.dsa.3072.pem --x509keyfile $srcdir/dsa.3072.pem /dev/null 2>&1 && \ - fail $PID "Succeeded connection to a server with a client DSA 3072 key and TLS 1.0!" +"${CLI}" ${DEBUG} ${PRIO} -p "${PORT}" 127.0.0.1 --insecure --x509certfile "${srcdir}/cert.dsa.3072.pem" --x509keyfile "${srcdir}/dsa.3072.pem" /dev/null 2>&1 && \ + fail "${PID}" "Succeeded connection to a server with a client DSA 3072 key and TLS 1.0!" -kill $PID +kill "${PID}" wait # DSA 1024 + TLS 1.2 echo "Checking DSA-1024 with TLS 1.2" -launch_server $$ --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1" --x509certfile $srcdir/cert.dsa.1024.pem --x509keyfile $srcdir/dsa.1024.pem >/dev/null 2>&1 & PID=$! -wait_server $PID +launch_server $$ --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1" --x509certfile "${srcdir}/cert.dsa.1024.pem" --x509keyfile "${srcdir}/dsa.1024.pem" >/dev/null 2>&1 & PID=$! +wait_server "${PID}" -$CLI $DEBUG $PRIO -p $PORT 127.0.0.1 --insecure /dev/null || \ - fail $PID "Failed connection to a server with DSA 1024 key and TLS 1.2!" 
+"${CLI}" ${DEBUG} ${PRIO} -p "${PORT}" 127.0.0.1 --insecure /dev/null || \ + fail "${PID}" "Failed connection to a server with DSA 1024 key and TLS 1.2!" echo "Checking server DSA-1024 with client DSA-1024 and TLS 1.2" #try with client key of 1024 bits (should succeed) -$CLI $DEBUG $PRIO -p $PORT 127.0.0.1 --insecure --x509certfile $srcdir/cert.dsa.1024.pem --x509keyfile $srcdir/dsa.1024.pem /dev/null || \ - fail $PID "Failed connection to a server with DSA 1024 key and TLS 1.2!" +"${CLI}" ${DEBUG} ${PRIO} -p "${PORT}" 127.0.0.1 --insecure --x509certfile "${srcdir}/cert.dsa.1024.pem" --x509keyfile "${srcdir}/dsa.1024.pem" /dev/null || \ + fail "${PID}" "Failed connection to a server with DSA 1024 key and TLS 1.2!" echo "Checking server DSA-1024 with client DSA-2048 and TLS 1.2" #try with client key of 2048 bits (should succeed) -$CLI $DEBUG $PRIO -p $PORT 127.0.0.1 --insecure --x509certfile $srcdir/cert.dsa.2048.pem --x509keyfile $srcdir/dsa.2048.pem /dev/null || \ - fail $PID "Failed connection to a server with a client DSA 2048 key and TLS 1.2!" +"${CLI}" ${DEBUG} ${PRIO} -p "${PORT}" 127.0.0.1 --insecure --x509certfile "${srcdir}/cert.dsa.2048.pem" --x509keyfile "${srcdir}/dsa.2048.pem" /dev/null || \ + fail "${PID}" "Failed connection to a server with a client DSA 2048 key and TLS 1.2!" echo "Checking server DSA-1024 with client DSA-3072 and TLS 1.2" #try with client key of 3072 bits (should succeed) -$CLI $DEBUG $PRIO -p $PORT 127.0.0.1 --insecure --x509certfile $srcdir/cert.dsa.3072.pem --x509keyfile $srcdir/dsa.3072.pem /dev/null || \ - fail $PID "Failed connection to a server with a client DSA 3072 key and TLS 1.2!" +"${CLI}" ${DEBUG} ${PRIO} -p "${PORT}" 127.0.0.1 --insecure --x509certfile "${srcdir}/cert.dsa.3072.pem" --x509keyfile "${srcdir}/dsa.3072.pem" /dev/null || \ + fail "${PID}" "Failed connection to a server with a client DSA 3072 key and TLS 1.2!" 
-kill $PID +kill "${PID}" wait # DSA 2048 + TLS 1.0 #echo "Checking DSA-2048 with TLS 1.0" -#launch_server $$ --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0" --x509certfile $srcdir/cert.dsa.2048.pem --x509keyfile $srcdir/dsa.2048.pem >/dev/null 2>&1 & PID=$! -#wait_server $PID +#launch_server $$ --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0" --x509certfile "${srcdir}/cert.dsa.2048.pem" --x509keyfile "${srcdir}/dsa.2048.pem" >/dev/null 2>&1 & PID=$! +#wait_server "${PID}" -#$CLI $DEBUG $PRIO -p $PORT 127.0.0.1 --insecure /dev/null 2>&1 && \ -# fail $PID "Succeeded connection to a server with DSA 2048 key and TLS 1.0. Should have failed!" +#"${CLI}" ${DEBUG} ${PRIO} -p "${PORT}" 127.0.0.1 --insecure /dev/null 2>&1 && \ +# fail "${PID}" "Succeeded connection to a server with DSA 2048 key and TLS 1.0. Should have failed!" -#kill $PID +#kill "${PID}" #wait # DSA 2048 + TLS 1.2 echo "Checking DSA-2048 with TLS 1.2" -launch_server $$ --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1" --x509certfile $srcdir/cert.dsa.2048.pem --x509keyfile $srcdir/dsa.2048.pem >/dev/null 2>&1 & PID=$! -wait_server $PID +launch_server $$ --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1" --x509certfile "${srcdir}/cert.dsa.2048.pem" --x509keyfile "${srcdir}/dsa.2048.pem" >/dev/null 2>&1 & PID=$! +wait_server "${PID}" -$CLI $DEBUG $PRIO -p $PORT 127.0.0.1 --insecure /dev/null || \ - fail $PID "Failed connection to a server with DSA 2048 key and TLS 1.2!" +"${CLI}" ${DEBUG} ${PRIO} -p "${PORT}" 127.0.0.1 --insecure /dev/null || \ + fail "${PID}" "Failed connection to a server with DSA 2048 key and TLS 1.2!" -kill $PID +kill "${PID}" wait # DSA 3072 + TLS 1.0 #echo "Checking DSA-3072 with TLS 1.0" -#launch_server $$ --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0" --x509certfile $srcdir/cert.dsa.3072.pem --x509keyfile $srcdir/dsa.3072.pem >/dev/null 2>&1 & PID=$! 
-#wait_server $PID +#launch_server $$ --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0" --x509certfile "${srcdir}/cert.dsa.3072.pem" --x509keyfile "${srcdir}/dsa.3072.pem" >/dev/null 2>&1 & PID=$! +#wait_server "${PID}" # -#$CLI $DEBUG $PRIO -p $PORT 127.0.0.1 --insecure /dev/null 2>&1 && \ -# fail $PID "Succeeded connection to a server with DSA 3072 key and TLS 1.0. Should have failed!" +#"${CLI}" ${DEBUG} ${PRIO} -p "${PORT}" 127.0.0.1 --insecure /dev/null 2>&1 && \ +# fail "${PID}" "Succeeded connection to a server with DSA 3072 key and TLS 1.0. Should have failed!" # -#kill $PID +#kill "${PID}" #wait # DSA 3072 + TLS 1.2 echo "Checking DSA-3072 with TLS 1.2" -launch_server $$ --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1" --x509certfile $srcdir/cert.dsa.3072.pem --x509keyfile $srcdir/dsa.3072.pem >/dev/null 2>&1 & PID=$! -wait_server $PID +launch_server $$ --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1" --x509certfile "${srcdir}/cert.dsa.3072.pem" --x509keyfile "${srcdir}/dsa.3072.pem" >/dev/null 2>&1 & PID=$! +wait_server "${PID}" -$CLI $DEBUG $PRIO -p $PORT 127.0.0.1 --insecure /dev/null || \ - fail $PID "Failed connection to a server with DSA 3072 key and TLS 1.2!" +"${CLI}" ${DEBUG} ${PRIO} -p "${PORT}" 127.0.0.1 --insecure /dev/null || \ + fail "${PID}" "Failed connection to a server with DSA 3072 key and TLS 1.2!" -kill $PID +kill "${PID}" wait exit 0 diff --git a/tests/scripts/common.sh b/tests/scripts/common.sh index 50880f5..3ccfc03 100644 --- a/tests/scripts/common.sh +++ b/tests/scripts/common.sh 
@@ -21,18 +21,18 @@ RPORT="$(((($$<<15)|RANDOM) % 63001 + 2000))" fail() { - PID=$1 - shift; + PID="$1" + shift echo "Failure: $1" >&2 - kill $PID + [ -n "${PID}" ] && kill ${PID} exit 1 } launch_server() { - PARENT=$1; - shift; - $SERV $DEBUG -p $PORT $* >/dev/null 2>&1 & - LOCALPID="$!"; + PARENT="$1" + shift + ${SERV} ${DEBUG} -p "${PORT}" $* >/dev/null 2>&1 & + LOCALPID="$!" trap "[ ! -z \"${LOCALPID}\" ] && kill ${LOCALPID};" 15 wait "${LOCALPID}" LOCALRET="$?" @@ -44,12 +44,12 @@ launch_server() { } launch_pkcs11_server() { - PARENT=$1; - shift; - PROVIDER=$1; - shift; - $VALGRIND $SERV $PROVIDER $DEBUG -p $PORT $* & - LOCALPID="$!"; + PARENT="$1" + shift + PROVIDER="$1" + shift + ${VALGRIND} ${SERV} "${PROVIDER}" ${DEBUG} -p "${PORT}" $* & + LOCALPID="$!" trap "[ ! -z \"${LOCALPID}\" ] && kill ${LOCALPID};" 15 wait "${LOCALPID}" LOCALRET="$?" @@ -61,10 +61,10 @@ launch_pkcs11_server() { } launch_bare_server() { - PARENT=$1; - shift; - $SERV $* >/dev/null 2>&1 & - LOCALPID="$!"; + PARENT="$1" + shift + ${SERV} $* >/dev/null 2>&1 & + LOCALPID="$!" trap "[ ! -z \"${LOCALPID}\" ] && kill ${LOCALPID};" 15 wait "${LOCALPID}" LOCALRET="$?" @@ -80,4 +80,4 @@ wait_server() { sleep 4 } -trap "fail \"Failed to launch a gnutls-serv server, aborting test... \"" 10 +trap "fail '' 'Failed to launch a gnutls-serv server, aborting test... '" 10 -- 2.3.6 From alon.barlev at gmail.com Thu Jun 18 08:41:52 2015 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Thu, 18 Jun 2015 09:41:52 +0300 Subject: [gnutls-devel] [PATCH 1/4] tests: ecdsa: cleanup shell usage Message-ID: <1434609715-3018-1-git-send-email-alon.barlev@gmail.com> Add quotes for most usages of variables. Added ${} for variables. Cleanup trailing spaces. Signed-off-by: Alon Bar-Lev --- tests/ecdsa/ecdsa | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/tests/ecdsa/ecdsa b/tests/ecdsa/ecdsa index ddb9b60..90eead0 100755 --- a/tests/ecdsa/ecdsa +++ b/tests/ecdsa/ecdsa 
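Review bot: In tests/scripts/common.sh, the `launch_server`, `launch_pkcs11_server` and `launch_bare_server` hunks keep forwarding the caller's arguments as a bare `$*` (`${SERV} ${DEBUG} -p "${PORT}" $* >/dev/null 2>&1 &`). For a quoting cleanup this is the one spot where quoting changes behaviour: `$*` re-splits every argument on whitespace, so a caller's quoted `--priority "..."` value or a certificate path containing a space is broken up again before it reaches gnutls-serv; `"$@"` forwards them intact and is what the rest of the patch's style implies. In `fail()`, `kill ${PID}` is also left unquoted while the same patch writes `kill "${PID}"` in testdsa; one form should be used. The new `trap "fail '' 'Failed to launch a gnutls-serv server, aborting test... '" 10` does fix the old trap, which passed the message in the PID position so that `fail` tried to `kill` the text.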
@@ -22,15 +22,15 @@ #set -e -srcdir=${srcdir:-.} -CERTTOOL=${CERTTOOL:-../../src/certtool$EXEEXT} +srcdir="${srcdir:-.}" +CERTTOOL="${CERTTOOL:-../../src/certtool$EXEEXT}" echo ca > template echo cn = "ECDSA SHA 256 CA" >> template -$CERTTOOL --generate-privkey --ecc > key-ca-ecdsa.pem 2>/dev/null +"${CERTTOOL}" --generate-privkey --ecc > key-ca-ecdsa.pem 2>/dev/null -$CERTTOOL -d 2 --generate-self-signed --template template \ +"${CERTTOOL}" -d 2 --generate-self-signed --template template \ --load-privkey key-ca-ecdsa.pem \ --outfile new-ca-ecdsa.pem \ --hash sha256 >out 2>&1 @@ -41,10 +41,10 @@ if [ $? != 0 ];then fi echo ca > template -$CERTTOOL --generate-privkey --ecc > key-subca-ecdsa.pem 2>/dev/null +"${CERTTOOL}" --generate-privkey --ecc > key-subca-ecdsa.pem 2>/dev/null echo cn = "ECDSA SHA 224 Mid CA" >> template -$CERTTOOL -d 2 --generate-certificate --template template \ +"${CERTTOOL}" -d 2 --generate-certificate --template template \ --load-ca-privkey key-ca-ecdsa.pem \ --load-ca-certificate new-ca-ecdsa.pem \ --load-privkey key-subca-ecdsa.pem \ @@ -58,9 +58,9 @@ fi echo cn = "End-user" > template -$CERTTOOL --generate-privkey --ecc > key-ecdsa.pem 2>/dev/null +"${CERTTOOL}" --generate-privkey --ecc > key-ecdsa.pem 2>/dev/null -$CERTTOOL -d 2 --generate-certificate --template template \ +"${CERTTOOL}" -d 2 --generate-certificate --template template \ --load-ca-privkey key-subca-ecdsa.pem \ --load-ca-certificate new-subca-ecdsa.pem \ --load-privkey key-ecdsa.pem \ @@ -72,7 +72,7 @@ if [ $? != 0 ];then fi cat new-user.pem new-subca-ecdsa.pem new-ca-ecdsa.pem > out -$CERTTOOL --verify-chain verify +"${CERTTOOL}" --verify-chain verify if [ $? != 0 ];then cat verify 
@@ -82,7 +82,7 @@ fi rm -f verify new-user.pem new-ca-ecdsa.pem new-subca-ecdsa.pem template out rm -f key-subca-ecdsa.pem key-ca-ecdsa.pem key-ecdsa.pem -$CERTTOOL -k < ${srcdir}/bad-key.pem | grep "validation failed" >/dev/null 2>&1 +"${CERTTOOL}" -k < "${srcdir}/bad-key.pem" | grep "validation failed" >/dev/null 2>&1 if [ $? != 0 ];then echo "certtool didn't detect a bad ECDSA key." exit 1 -- 2.3.6 From alon.barlev at gmail.com Thu Jun 18 08:41:55 2015 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Thu, 18 Jun 2015 09:41:55 +0300 Subject: [gnutls-devel] [PATCH 4/4] tests: openpgp-certs: cleanup shell usage In-Reply-To: <1434609715-3018-1-git-send-email-alon.barlev@gmail.com> References: <1434609715-3018-1-git-send-email-alon.barlev@gmail.com> Message-ID: <1434609715-3018-4-git-send-email-alon.barlev@gmail.com> Add quotes for most usages of variables. Added ${} for variables. Signed-off-by: Alon Bar-Lev --- tests/openpgp-certs/testcerts | 50 ++++++++++++++++++++-------------------- tests/openpgp-certs/testselfsigs | 8 +++---- 2 files changed, 29 insertions(+), 29 deletions(-) diff --git a/tests/openpgp-certs/testcerts b/tests/openpgp-certs/testcerts index add6908..c8d25d1 100755 --- a/tests/openpgp-certs/testcerts +++ b/tests/openpgp-certs/testcerts 
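Review bot: style: in the tests/ecdsa/ecdsa hunk at line 22 the default `CERTTOOL="${CERTTOOL:-../../src/certtool$EXEEXT}"` leaves `$EXEEXT` as the one expansion without `${}`, contrary to the commit message; `${CERTTOOL:-../../src/certtool${EXEEXT}}` keeps it consistent (the surrounding double quotes already make the expansion safe, so this is purely consistency).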
@@ -29,59 +29,59 @@ if test "${WINDIR}" != "";then exit 77 fi -. $srcdir/../scripts/common.sh +. "${srcdir}/../scripts/common.sh" PORT="${PORT:-$RPORT}" echo "Checking OpenPGP certificate verification" -launch_server $$ --priority NORMAL:+CTYPE-OPENPGP --pgpcertfile $srcdir/srv-public-127.0.0.1-signed.gpg --pgpkeyfile $srcdir/srv-secret.gpg >/dev/null 2>&1 & PID=$! -wait_server $PID +launch_server $$ --priority NORMAL:+CTYPE-OPENPGP --pgpcertfile "${srcdir}/srv-public-127.0.0.1-signed.gpg" --pgpkeyfile "${srcdir}/srv-secret.gpg" >/dev/null 2>&1 & PID=$! +wait_server ${PID} # give the server a chance to initialize #gnutls currently only considers PGP certificates verified only if #all user IDs in the certificate were signed. -#$CLI -p $PORT 127.0.0.1 --pgpkeyring ca-public.gpg /dev/null || \ +#"${CLI}" -p "${PORT}" 127.0.0.1 --pgpkeyring ca-public.gpg /dev/null || \ # fail "Connection to verified IP address should have succeeded! (error code $?)" $? -$CLI $DEBUG -p $PORT 127.0.0.2 --priority NORMAL:+CTYPE-OPENPGP --pgpkeyring $srcdir/ca-public.gpg /dev/null 2>&1 && \ - fail $PID "Connection to unrecognized IP address should have failed!" +"${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.2 --priority NORMAL:+CTYPE-OPENPGP --pgpkeyring "${srcdir}/ca-public.gpg" /dev/null 2>&1 && \ + fail ${PID} "Connection to unrecognized IP address should have failed!" -$CLI $DEBUG -p $PORT localhost --priority NORMAL:+CTYPE-OPENPGP --pgpkeyring $srcdir/ca-public.gpg /dev/null 2>&1 && \ - fail $PID "Connection to unverified (but present) 'localhost' should have failed!" +"${CLI}" ${DEBUG} -p "${PORT}" localhost --priority NORMAL:+CTYPE-OPENPGP --pgpkeyring "${srcdir}/ca-public.gpg" /dev/null 2>&1 && \ + fail ${PID} "Connection to unverified (but present) 'localhost' should have failed!" -kill $PID +kill ${PID} wait -launch_server $$ --priority NORMAL:+CTYPE-OPENPGP --pgpcertfile $srcdir/srv-public-localhost-signed.gpg --pgpkeyfile $srcdir/srv-secret.gpg >/dev/null 2>&1 & PID=$! 
-wait_server $PID +launch_server $$ --priority NORMAL:+CTYPE-OPENPGP --pgpcertfile "${srcdir}/srv-public-localhost-signed.gpg" --pgpkeyfile "${srcdir}/srv-secret.gpg" >/dev/null 2>&1 & PID=$! +wait_server ${PID} -echo | $CLI $DEBUG --priority NORMAL:+CTYPE-OPENPGP -p $PORT 127.0.0.1 --pgpkeyring $srcdir/ca-public.gpg /dev/null 2>&1 && \ - fail $PID "Connection to unverified IP address should have failed! (error code $?)" $? +echo | "${CLI}" ${DEBUG} --priority NORMAL:+CTYPE-OPENPGP -p "${PORT}" 127.0.0.1 --pgpkeyring "${srcdir}/ca-public.gpg" /dev/null 2>&1 && \ + fail ${PID} "Connection to unverified IP address should have failed! (error code $?)" $? -$CLI $DEBUG --priority NORMAL:+CTYPE-OPENPGP -p $PORT 127.0.0.2 --pgpkeyring $srcdir/ca-public.gpg /dev/null 2>&1 && \ - fail $PID "Connection to unrecognized IP address should have failed!" +"${CLI}" ${DEBUG} --priority NORMAL:+CTYPE-OPENPGP -p "${PORT}" 127.0.0.2 --pgpkeyring "${srcdir}/ca-public.gpg" /dev/null 2>&1 && \ + fail ${PID} "Connection to unrecognized IP address should have failed!" #see reason above -#$CLI -p $PORT localhost --pgpkeyring ca-public.gpg /dev/null || \ -# fail $PID "Connection to verified 'localhost' should have succeded! (error code $?)" $? +#"${CLI}" -p "${PORT}" localhost --pgpkeyring ca-public.gpg /dev/null || \ +# fail ${PID} "Connection to verified 'localhost' should have succeded! (error code $?)" $? -kill $PID +kill ${PID} wait -launch_server $$ --priority NORMAL:+CTYPE-OPENPGP --pgpcertfile $srcdir/srv-public-all-signed.gpg --pgpkeyfile $srcdir/srv-secret.gpg >/dev/null 2>&1 & PID=$! -wait_server $PID +launch_server $$ --priority NORMAL:+CTYPE-OPENPGP --pgpcertfile "${srcdir}/srv-public-all-signed.gpg" --pgpkeyfile "${srcdir}/srv-secret.gpg" >/dev/null 2>&1 & PID=$! 
+wait_server ${PID} # give the server a chance to initialize -echo | $CLI $DEBUG --priority NORMAL:+CTYPE-OPENPGP -p $PORT 127.0.0.1 --pgpkeyring $srcdir/ca-public.gpg /dev/null || \ - fail $PID "Connection to signed PGP certificate should have succeeded! (error code $?)" $? +echo | "${CLI}" ${DEBUG} --priority NORMAL:+CTYPE-OPENPGP -p "${PORT}" 127.0.0.1 --pgpkeyring "${srcdir}/ca-public.gpg" /dev/null || \ + fail ${PID} "Connection to signed PGP certificate should have succeeded! (error code $?)" $? -$CLI $DEBUG --priority NORMAL:+CTYPE-OPENPGP -p $PORT 127.0.0.2 --pgpkeyring $srcdir/ca-public.gpg /dev/null 2>&1 && \ - fail $PID "Connection to unrecognized IP address should have failed!" +"${CLI}" ${DEBUG} --priority NORMAL:+CTYPE-OPENPGP -p "${PORT}" 127.0.0.2 --pgpkeyring "${srcdir}/ca-public.gpg" /dev/null 2>&1 && \ + fail ${PID} "Connection to unrecognized IP address should have failed!" -kill $PID +kill ${PID} wait exit 0 diff --git a/tests/openpgp-certs/testselfsigs b/tests/openpgp-certs/testselfsigs index 3c99a6f..c997f9a 100755 --- a/tests/openpgp-certs/testselfsigs +++ b/tests/openpgp-certs/testselfsigs 
@@ -34,19 +34,19 @@ fail() { echo "Checking OpenPGP certificate self verification" -($CERTTOOL --inraw --pgp-certificate-info --infile $srcdir/selfsigs/alice.pub \ +("${CERTTOOL}" --inraw --pgp-certificate-info --infile "${srcdir}/selfsigs/alice.pub" \ | grep "^Self Signature verification: ok" > /dev/null) || \ fail "Self sig Verification should have succeeded!" -($CERTTOOL --inraw --pgp-certificate-info --infile $srcdir/selfsigs/alice-mallory-badsig18.pub \ +("${CERTTOOL}" --inraw --pgp-certificate-info --infile "${srcdir}/selfsigs/alice-mallory-badsig18.pub" \ | grep "^Self Signature verification: failed" > /dev/null) || \ fail "Self sig Verification should have failed!" -($CERTTOOL --inraw --pgp-certificate-info --infile $srcdir/selfsigs/alice-mallory-irrelevantsig.pub \ +("${CERTTOOL}" --inraw --pgp-certificate-info --infile "${srcdir}/selfsigs/alice-mallory-irrelevantsig.pub" \ | grep "^Self Signature verification: failed" >/dev/null) || \ fail "Self sig Verification should have failed!" -($CERTTOOL --inraw --pgp-certificate-info --infile $srcdir/selfsigs/alice-mallory-nosig18.pub \ +("${CERTTOOL}" --inraw --pgp-certificate-info --infile "${srcdir}/selfsigs/alice-mallory-nosig18.pub" \ | grep "^Self Signature verification: failed" >/dev/null) || \ fail "Self sig Verification should have failed!" -- 2.3.6 From alon.barlev at gmail.com Thu Jun 18 08:41:54 2015 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Thu, 18 Jun 2015 09:41:54 +0300 Subject: [gnutls-devel] [PATCH 3/4] tests: nist-pkits: cleanup shell/perl usage In-Reply-To: <1434609715-3018-1-git-send-email-alon.barlev@gmail.com> References: <1434609715-3018-1-git-send-email-alon.barlev@gmail.com> Message-ID: <1434609715-3018-3-git-send-email-alon.barlev@gmail.com> Add quotes for most usages of variables. Added ${} for variables. Consistent indent. Add perl shebang. 
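Review bot: in the tests/openpgp-certs/testcerts hunk the messages of the form `fail ${PID} "Connection to unverified IP address should have failed! (error code $?)" $?` follow a `... && \` list, so `$?` is expanded after the client has already exited 0 and the reported error code is always 0; since these lines are being rewritten anyway, either drop the "(error code $?)" text on the `&&` branches or capture the status before calling fail.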
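Review bot: style: `wait_server ${PID}`, `fail ${PID} ...` and `kill ${PID}` in the testcerts hunk leave PID unquoted while every path in the same lines is quoted; `$!` is always a plain integer so this is harmless, but `"${PID}"` would match the rest of the cleanup and the new `[ -n "${PID}" ]` guard in fail().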
Signed-off-by: Alon Bar-Lev --- tests/nist-pkits/build-chain | 28 +++++++++++++++------------- tests/nist-pkits/gnutls_test_entry | 30 +++++++++++++++--------------- tests/nist-pkits/pkits | 11 +++++------ tests/nist-pkits/pkits_crl | 23 ++++++++++++----------- tests/nist-pkits/pkits_crt | 23 ++++++++++++----------- tests/nist-pkits/pkits_pkcs12 | 23 ++++++++++++----------- tests/nist-pkits/pkits_smime | 33 +++++++++++++++++---------------- tests/nist-pkits/pkits_test | 8 +++++--- 8 files changed, 93 insertions(+), 86 deletions(-) diff --git a/tests/nist-pkits/build-chain b/tests/nist-pkits/build-chain index e625a8c..ebe48db 100755 --- a/tests/nist-pkits/build-chain +++ b/tests/nist-pkits/build-chain @@ -1,3 +1,5 @@ +#!/usr/bin/perl + eval '(exit $?0)' && eval 'exec perl -wST "$0" ${1+"$@"}' & eval 'exec perl -wST "$0" $argv:q' if 0; 
@@ -10,30 +12,30 @@ my $aki; my $info; my $list; -if (! -f "$certdir/certinfo.txt") { - system("for i in $certdir/*.crt; do echo -n \$i:; certtool --inder -i < \$i|grep 'Subject Key Id' -A 1|tail -1; done > $certdir/certinfo.txt"); +if (! -f "${certdir}/certinfo.txt") { + system("for i in '${certdir}'/*.crt; do echo -n \$i:; certtool --inder -i < \$i|grep 'Subject Key Id' -A 1|tail -1; done > '${certdir}/certinfo.txt'"); } do { - print "Parsing $certdir/$certfile...\n"; + print "Parsing ${certdir}/${certfile}...\n"; - $info = `certtool --inder -i < $certdir/$certfile`; + $info = `certtool --inder -i < '${certdir}/${certfile}'`; - print "$info"; + print "${info}"; - if ($info =~ m,Authority Key Identifier.*:\n[\t]*([a-z0-9]+),m) { - $aki = $1; + if (${info} =~ m,Authority Key Identifier.*:\n[\t ]*([a-z0-9]+),m) { + $aki = $1; } else { - die "Could not find AKI"; + die "Could not find AKI"; } - print "Finding AKI $aki...\n"; + print "Finding AKI ${aki}...\n"; - $list = `cat $certdir/certinfo.txt | grep $aki`; + $list = `cat '${certdir}/certinfo.txt' | grep '${aki}'`; if ($list =~m,.*/(.*):.*,) { - $list = $1; + $list = $1; } else { - die "Could not find issuer"; + die "Could not find issuer"; } - $certfile = $list; + $certfile = ${list}; } while (1); diff --git a/tests/nist-pkits/gnutls_test_entry b/tests/nist-pkits/gnutls_test_entry index f94cf4b..87c435e 100755 --- a/tests/nist-pkits/gnutls_test_entry +++ b/tests/nist-pkits/gnutls_test_entry 
@@ -1,28 +1,28 @@ #!/bin/sh -TITLE=$1 -EECERT=$2 -RESULT=$3 +TITLE="$1" +EECERT="$2" +RESULT="$3" -./build-chain certs $EECERT > chain.pem +./build-chain certs "${EECERT}" > chain.pem certtool -e < chain.pem > output.txt rm -f chain.pem if grep 'Verification output:' output.txt > /dev/null; then - if grep 'Verification output' output.txt | grep -v 'Verification output: Verified.' > /dev/null; then - if test "$RESULT" = "0"; then - echo "Unexpected reject" - else - echo "Reject" - fi + if grep 'Verification output' output.txt | grep -v 'Verification output: Verified.' > /dev/null; then + if test "${RESULT}" = "0"; then + echo "Unexpected reject" else - if test "$RESULT" = "1"; then - echo "Unexpected success" - else - echo "Success" - fi + echo "Reject" fi + else + if test "${RESULT}" = "1"; then + echo "Unexpected success" + else + echo "Success" + fi + fi fi rm -f output.txt diff --git a/tests/nist-pkits/pkits b/tests/nist-pkits/pkits index 83f4d29..ac72212 100755 --- a/tests/nist-pkits/pkits +++ b/tests/nist-pkits/pkits @@ -20,19 +20,18 @@ set -e -srcdir=${srcdir:-.} -CERTTOOL=${CERTTOOL:-../../src/certtool} +srcdir="${srcdir:-.}" echo "Running PKITS CRT..." -$srcdir/pkits_crt +"${srcdir}/pkits_crt" echo "Running PKITS CRL..." -$srcdir/pkits_crl +"${srcdir}/pkits_crl" echo "Running PKITS PKCS#12..." -$srcdir/pkits_pkcs12 +"${srcdir}/pkits_pkcs12" echo "Running PKITS S/MIME..." -$srcdir/pkits_smime +"${srcdir}/pkits_smime" echo "Done" diff --git a/tests/nist-pkits/pkits_crl b/tests/nist-pkits/pkits_crl index 9bf00e6..1473587 100755 --- a/tests/nist-pkits/pkits_crl +++ b/tests/nist-pkits/pkits_crl 
@@ -18,20 +18,21 @@ # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA -CERTTOOL=${CERTTOOL:-../../src/certtool} +srcdir="${srcdir:-.}" +CERTTOOL="${CERTTOOL:-../../src/certtool}" -test -d crls || unzip PKITS_data.zip +test -d crls || unzip "${srcdir}/PKITS_data.zip" ret=0 -for crl in crls/*; do - $CERTTOOL --crl-info --inder --infile $crl > out 2>&1 - rc=$? - if test $rc != 0; then - echo "CRL FATAL $crl" - ret=1 - fi +for crl in "${srcdir}/crls"/*; do + "${CERTTOOL}" --crl-info --inder --infile "${crl}" > out 2>&1 + rc=$? + if test ${rc} != 0; then + echo "CRL FATAL ${crl}" + ret=1 + fi done rm -f out -echo "Done (exit code $ret)" -exit $ret +echo "Done (exit code ${ret})" +exit ${ret} diff --git a/tests/nist-pkits/pkits_crt b/tests/nist-pkits/pkits_crt index 0fa37d4..5e22ca2 100755 --- a/tests/nist-pkits/pkits_crt +++ b/tests/nist-pkits/pkits_crt @@ -18,20 +18,21 @@ # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA -CERTTOOL=${CERTTOOL:-../../src/certtool} +srcdir="${srcdir:-.}" +CERTTOOL="${CERTTOOL:-../../src/certtool}" -test -d certs || unzip PKITS_data.zip +test -d certs || unzip "${srcdir}/PKITS_data.zip" ret=0 -for crt in certs/*; do - $CERTTOOL --certificate-info --inder --infile $crt > out 2>&1 - rc=$? - if test $rc != 0; then - echo "Certificate FATAL $crt" - ret=1 - fi +for crt in "${srcdir}/certs"/*; do + "${CERTTOOL}" --certificate-info --inder --infile "${crt}" > out 2>&1 + rc=$? + if test ${rc} != 0; then + echo "Certificate FATAL ${crt}" + ret=1 + fi done rm -f out -echo "Done (exit code $ret)" -exit $ret +echo "Done (exit code ${ret})" +exit ${ret} diff --git a/tests/nist-pkits/pkits_pkcs12 b/tests/nist-pkits/pkits_pkcs12 index bdaaa5b..24ba7e6 100755 --- a/tests/nist-pkits/pkits_pkcs12 +++ b/tests/nist-pkits/pkits_pkcs12 
@@ -18,20 +18,21 @@ # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA -CERTTOOL=${CERTTOOL:-../../src/certtool} +srcdir="${srcdir:-.}" +CERTTOOL="${CERTTOOL:-../../src/certtool}" -test -d pkcs12 || unzip PKITS_data.zip +test -d pkcs12 || unzip "${srcdir}/PKITS_data.zip" ret=0 -for p12 in pkcs12/*; do - $CERTTOOL --p12-info --inder --password password --infile $p12 > out 2>&1 - rc=$? - if test $rc != 0; then - echo "PKCS12 FATAL $p12" - ret=1 - fi +for p12 in "${srcdir}/pkcs12"/*; do + "${CERTTOOL}" --p12-info --inder --password password --infile "${p12}" > out 2>&1 + rc=$? + if test ${rc} != 0; then + echo "PKCS12 FATAL $p12" + ret=1 + fi done rm -f out -echo "Done (exit code $ret)" -exit $ret +echo "Done (exit code ${ret})" +exit ${ret} diff --git a/tests/nist-pkits/pkits_smime b/tests/nist-pkits/pkits_smime index cfd9843..a9b15aa 100755 --- a/tests/nist-pkits/pkits_smime +++ b/tests/nist-pkits/pkits_smime 
@@ -18,26 +18,27 @@ # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA +srcdir="${srcdir:-.}" CERTTOOL=${CERTTOOL:-../../src/certtool} -test -d smime || unzip PKITS_data.zip +test -d smime || unzip "${srcdir}/PKITS_data.zip" ret=0 -for msg in smime/*; do - $CERTTOOL --smime-to-p7 --infile $msg > out 2>&1 - rc=$? - if test $rc != 0; then - echo "S/MIME FATAL $msg" - ret=1 - fi - $CERTTOOL --p7-info --infile out > out2 2>&1 - rc=$? - if test $rc != 0; then - echo "PKCS#7 FATAL $msg" - ret=1 - fi +for msg in "${srcdir}/smime"/*; do + "${CERTTOOL}" --smime-to-p7 --infile "${msg}" > out 2>&1 + rc=$? + if test ${rc} != 0; then + echo "S/MIME FATAL $msg" + ret=1 + fi + "${CERTTOOL}" --p7-info --infile out > out2 2>&1 + rc=$? + if test ${rc} != 0; then + echo "PKCS#7 FATAL $msg" + ret=1 + fi done rm -f out out2 -echo "Done (exit code $ret)" -exit $ret +echo "Done (exit code ${ret})" +exit ${ret} diff --git a/tests/nist-pkits/pkits_test b/tests/nist-pkits/pkits_test index 6daaa34..55653a3 100755 --- a/tests/nist-pkits/pkits_test +++ b/tests/nist-pkits/pkits_test @@ -2,11 +2,13 @@ set -e -test -d certs || unzip PKITS_data.zip +srcdir="${srcdir:-.}" + +test -d certs || unzip "${srcdir}/PKITS_data.zip" if ! test -d pkits_test_list_generator; then - tar xfz pkits_test_list_generator.tgz - patch -p 0 < pkits_test_list_generator.patch + tar xfz "${srcdir}/pkits_test_list_generator.tgz" + patch -p 0 < pkits_test_list_generator.patch fi make -C pkits_test_list_generator/src -- 2.3.6 From alon.barlev at gmail.com Thu Jun 18 08:41:53 2015 
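Review bot: the `#!/usr/bin/perl` line added at the top of tests/nist-pkits/build-chain hard-codes an interpreter path and, when the kernel honours it, runs the script without the `-wST` switches that the existing `exec perl -wST "$0" ${1+"$@"}` eval line passes, so warnings and taint checking would depend on how the script was invoked; either drop the line (the eval header already locates perl on PATH) or give it the same switches.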
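Review bot: in the build-chain hunk at line 10 the regex change from `[\t]*` to `[\t ]*` alters what the AKI match accepts, which is a functional change not mentioned in the commit message; and in Perl `${info}`, `${aki}` and `${list}` are identical to `$info`, `$aki` and `$list`, so those rewrites add nothing in this file. The `system("for i in '${certdir}'/*.crt; ...")` and `grep '${aki}'` lines still interpolate Perl variables into a shell command; the single quotes cover spaces, but a directory name containing a single quote would still break the command, which is worth a comment even in a test helper.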
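Review bot: in the pkits_crl, pkits_crt and pkits_pkcs12 hunks (and pkits_smime) the guard `test -d crls || unzip "${srcdir}/PKITS_data.zip"` still checks, and unzip still extracts into, the current directory, while the loop now iterates `"${srcdir}/crls"/*`; in an out-of-tree build the two refer to different places, so freshly unpacked data is never iterated and the unmatched literal glob is passed to certtool as a filename. Make both sides use the same directory, preferably the build directory the data is extracted into.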
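Review bot: style: in the pkits_smime hunk `CERTTOOL=${CERTTOOL:-../../src/certtool}` is the only one of the four scripts left unquoted, and `echo "PKCS12 FATAL $p12"`, `echo "S/MIME FATAL $msg"` and `echo "PKCS#7 FATAL $msg"` keep the bare form while the neighbouring `echo "CRL FATAL ${crl}"` was converted; the cleanup should apply uniformly.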
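Review bot: in the pkits_test hunk `tar xfz "${srcdir}/pkits_test_list_generator.tgz"` gains the `${srcdir}` prefix but the following `patch -p 0 < pkits_test_list_generator.patch` does not, so in an out-of-tree build the tarball is found and the patch file is not; prefix it the same way.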
From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Thu, 18 Jun 2015 09:41:53 +0300 Subject: [gnutls-devel] [PATCH 2/4] tests: key-tests: cleanup shell usage In-Reply-To: <1434609715-3018-1-git-send-email-alon.barlev@gmail.com> References: <1434609715-3018-1-git-send-email-alon.barlev@gmail.com> Message-ID: <1434609715-3018-2-git-send-email-alon.barlev@gmail.com> Add quotes for most usages of variables. Added ${} for variables. Signed-off-by: Alon Bar-Lev --- tests/key-tests/key-id | 14 ++++----- tests/key-tests/pkcs8 | 84 +++++++++++++++++++++++++------------------------- 2 files changed, 49 insertions(+), 49 deletions(-) diff --git a/tests/key-tests/key-id b/tests/key-tests/key-id index 9bad211..7e09617 100755 --- a/tests/key-tests/key-id +++ b/tests/key-tests/key-id @@ -22,23 +22,23 @@ set -e -srcdir=${srcdir:-.} -CERTTOOL=${CERTTOOL:-../../src/certtool$EXEEXT} +srcdir="${srcdir:-.}" +CERTTOOL="${CERTTOOL:-../../src/certtool$EXEEXT}" -PARAMS="--generate-certificate --load-privkey $srcdir/key-user.pem --load-ca-privkey $srcdir/key-ca.pem --template tmpl" +PARAMS="--generate-certificate --load-privkey '${srcdir}/key-user.pem' --load-ca-privkey '${srcdir}/key-ca.pem' --template tmpl" echo "serial = 0" > tmpl -#$CERTTOOL $PARAMS --load-ca-certificate $srcdir/ca-gnutls-keyid.pem \ +#eval "${CERTTOOL}" ${PARAMS} --load-ca-certificate $srcdir/ca-gnutls-keyid.pem \ # --outfile user-gnutls-keyid.pem 2> /dev/null -#$CERTTOOL $PARAMS --load-ca-certificate $srcdir/ca-no-keyid.pem \ +#eval "${CERTTOOL}" ${PARAMS} --load-ca-certificate $srcdir/ca-no-keyid.pem \ # --outfile user-no-keyid.pem 2> /dev/null -$CERTTOOL $PARAMS --load-ca-certificate $srcdir/ca-weird-keyid.pem \ +eval "${CERTTOOL}" ${PARAMS} --load-ca-certificate "${srcdir}/ca-weird-keyid.pem" \ --outfile user-weird-keyid.pem 2> /dev/null -if $CERTTOOL -i < user-weird-keyid.pem \ +if "${CERTTOOL}" -i < user-weird-keyid.pem \ | grep '7a2c7a6097460603cbfb28e8e219df18deeb4e0d' > /dev/null; then : else 
diff --git a/tests/key-tests/pkcs8 b/tests/key-tests/pkcs8 index 746bd98..8ea8dc9 100755 --- a/tests/key-tests/pkcs8 +++ b/tests/key-tests/pkcs8 
@@ -18,118 +18,118 @@ # along with GnuTLS; if not, write to the Free Software Foundation, # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -srcdir=${srcdir:-.} -CERTTOOL=${CERTTOOL:-../../src/certtool$EXEEXT} -GREP=${GREP:-grep} +srcdir="${srcdir:-.}" +CERTTOOL="${CERTTOOL:-../../src/certtool$EXEEXT}" +GREP="${GREP:-grep}" # check keys with password -$CERTTOOL --to-p8 --load-privkey $srcdir/key-ca.pem --password "1234" \ +"${CERTTOOL}" --to-p8 --load-privkey "${srcdir}/key-ca.pem" --password "1234" \ --outfile tmp-key-ca.p8 2>/dev/null -$GREP "BEGIN ENCRYPTED PRIVATE KEY" tmp-key-ca.p8 >/dev/null 2>&1 +${GREP} "BEGIN ENCRYPTED PRIVATE KEY" tmp-key-ca.p8 >/dev/null 2>&1 rc=$? # We're done. -if test "$rc" != "0"; then +if test "${rc}" != "0"; then echo "Error in converting key to PKCS #8 with password" - exit $rc + exit ${rc} fi -$CERTTOOL -k --pkcs8 --infile $srcdir/key-ca.pem --password "1234" >/dev/null 2>&1 +"${CERTTOOL}" -k --pkcs8 --infile "${srcdir}/key-ca.pem" --password "1234" >/dev/null 2>&1 rc=$? # We're done. -if test "$rc" != "0"; then +if test "${rc}" != "0"; then echo "Error in reading PKCS #8 key with password" - exit $rc + exit ${rc} fi -$CERTTOOL -k --pkcs8 --infile $srcdir/key-ca-1234.p8 --password "1234" >/dev/null 2>&1 +"${CERTTOOL}" -k --pkcs8 --infile "${srcdir}/key-ca-1234.p8" --password "1234" >/dev/null 2>&1 rc=$? # We're done. -if test "$rc" != "0"; then +if test "${rc}" != "0"; then echo "Error in reading saved PKCS #8 key with password" - exit $rc + exit ${rc} fi #keys encrypted with empty password -$CERTTOOL --to-p8 --load-privkey $srcdir/key-ca.pem --password "" \ +"${CERTTOOL}" --to-p8 --load-privkey "${srcdir}/key-ca.pem" --password "" \ --outfile tmp-key-ca.p8 2>/dev/null -$GREP "BEGIN PRIVATE KEY" tmp-key-ca.p8 >/dev/null 2>&1 +${GREP} "BEGIN PRIVATE KEY" tmp-key-ca.p8 >/dev/null 2>&1 rc=$? # We're done. 
-if test "$rc" != "0"; then +if test "${rc}" != "0"; then echo "Error in converting key to PKCS #8 with empty password" - exit $rc + exit ${rc} fi -$CERTTOOL -k --pkcs8 --infile $srcdir/key-ca.pem --password "" >/dev/null 2>&1 +"${CERTTOOL}" -k --pkcs8 --infile "${srcdir}/key-ca.pem" --password "" >/dev/null 2>&1 rc=$? # We're done. -if test "$rc" != "0"; then +if test "${rc}" != "0"; then echo "Error in reading PKCS #8 key with empty password" - exit $rc + exit ${rc} fi -$CERTTOOL -k --pkcs8 --infile $srcdir/key-ca-empty.p8 --password "" >/dev/null 2>&1 +"${CERTTOOL}" -k --pkcs8 --infile "${srcdir}/key-ca-empty.p8" --password "" >/dev/null 2>&1 rc=$? # We're done. -if test "$rc" != "0"; then +if test "${rc}" != "0"; then echo "Error in reading saved PKCS #8 key with empty password" - exit $rc + exit ${rc} fi #keys encrypted with null password -$CERTTOOL --to-p8 --load-privkey $srcdir/key-ca.pem --null-password \ +"${CERTTOOL}" --to-p8 --load-privkey "${srcdir}/key-ca.pem" --null-password \ --outfile tmp-key-ca.p8 2>/dev/null -$GREP "BEGIN ENCRYPTED PRIVATE KEY" tmp-key-ca.p8 >/dev/null 2>&1 +${GREP} "BEGIN ENCRYPTED PRIVATE KEY" tmp-key-ca.p8 >/dev/null 2>&1 rc=$? # We're done. -if test "$rc" != "0"; then +if test "${rc}" != "0"; then echo "Error in converting key to PKCS #8 with null password" - exit $rc + exit ${rc} fi -$CERTTOOL -k --pkcs8 --infile $srcdir/key-ca.pem --null-password >/dev/null 2>&1 +"${CERTTOOL}" -k --pkcs8 --infile "${srcdir}/key-ca.pem" --null-password >/dev/null 2>&1 rc=$? # We're done. -if test "$rc" != "0"; then +if test "${rc}" != "0"; then echo "Error in reading PKCS #8 key with null password" - exit $rc + exit ${rc} fi -$CERTTOOL -k --pkcs8 --infile $srcdir/key-ca-null.p8 --null-password >/dev/null 2>&1 +"${CERTTOOL}" -k --pkcs8 --infile "${srcdir}/key-ca-null.p8" --null-password >/dev/null 2>&1 rc=$? # We're done. 
-if test "$rc" != "0"; then +if test "${rc}" != "0"; then echo "Error in reading saved PKCS #8 key with null password" - exit $rc + exit ${rc} fi # Tests for PKCS #8 ECC keys -$CERTTOOL -k --infile $srcdir/key-ecc.pem >/dev/null 2>&1 +"${CERTTOOL}" -k --infile "${srcdir}/key-ecc.pem" >/dev/null 2>&1 rc=$? # We're done. -if test "$rc" != "0"; then +if test "${rc}" != "0"; then echo "Error in reading saved ECC key" - exit $rc + exit ${rc} fi -$CERTTOOL -k --pkcs8 --infile $srcdir/key-ecc.p8 >/dev/null 2>&1 +"${CERTTOOL}" -k --pkcs8 --infile "${srcdir}/key-ecc.p8" >/dev/null 2>&1 rc=$? # We're done. -if test "$rc" != "0"; then +if test "${rc}" != "0"; then echo "Error in reading saved PKCS #8 ECC key" - exit $rc + exit ${rc} fi -$CERTTOOL -k --pkcs8 --infile $srcdir/openssl-key-ecc.p8 >/dev/null 2>&1 +"${CERTTOOL}" -k --pkcs8 --infile "${srcdir}/openssl-key-ecc.p8" >/dev/null 2>&1 rc=$? # We're done. -if test "$rc" != "0"; then +if test "${rc}" != "0"; then echo "Error in reading saved openssl PKCS #8 ECC key" - exit $rc + exit ${rc} fi rm -f tmp-key-ca.p8 -- 2.3.6 From saurav.babu at samsung.com Thu Jun 18 09:20:32 2015 From: saurav.babu at samsung.com (Saurav Babu) Date: Thu, 18 Jun 2015 12:50:32 +0530 Subject: [gnutls-devel] [PATCH] gnutls-cli: Fixed Possible Memory Leak Message-ID: <1434612032-3964-1-git-send-email-saurav.babu@samsung.com> This patch fixes possible memory leak in psk_callback() function, rawkey is allocated memory by gnutls_malloc() and is not freed when gnutls_hex_decode() returns with error Signed-off-by: Saurav Babu --- src/cli.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/cli.c b/src/cli.c index d0e75a2..58c2d1d 100644 --- a/src/cli.c +++ b/src/cli.c 
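Review bot: in the tests/key-tests/key-id hunk, `eval "${CERTTOOL}" ${PARAMS} --load-ca-certificate "${srcdir}/ca-weird-keyid.pem" \` introduces eval so that the single quotes embedded in `PARAMS="--generate-certificate --load-privkey '${srcdir}/key-user.pem' ..."` take effect, but eval re-parses every already-expanded word, so a `${srcdir}` or `${CERTTOOL}` containing `$`, a backquote or a quote is interpreted a second time; that is the class of problem the quoting cleanup is meant to remove. Build the argument list with positional parameters instead (`set -- --generate-certificate --load-privkey "${srcdir}/key-user.pem" --load-ca-privkey "${srcdir}/key-ca.pem" --template tmpl` and then `"${CERTTOOL}" "$@" --load-ca-certificate ...`) and drop eval.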
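Review bot: style: in the pkcs8 hunk `${GREP} "BEGIN ENCRYPTED PRIVATE KEY" tmp-key-ca.p8` leaves GREP unquoted while `"${CERTTOOL}"` is quoted; if GREP is meant to carry options (several words) that is fine but should be stated in a comment, otherwise quote it like the rest.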
@@ -1714,6 +1714,7 @@ psk_callback(gnutls_session_t session, char **username, if (ret < 0) { fprintf(stderr, "Error deriving password: %s\n", gnutls_strerror(ret)); + gnutls_free(rawkey); gnutls_free(*username); return ret; } -- 1.9.1 From saurav.babu at samsung.com Thu Jun 18 09:23:51 2015 From: saurav.babu at samsung.com (Saurav Babu) Date: Thu, 18 Jun 2015 12:53:51 +0530 Subject: [gnutls-devel] [PATCH] gnutls-cli: Fixed Possible Memory Leak Message-ID: <1434612231-4014-1-git-send-email-saurav.babu@samsung.com> This patch fixes possible memory leak in psk_callback() function, rawkey is allocated memory by gnutls_malloc() and is not freed when gnutls_hex_decode() returns with error Signed-off-by: Saurav Babu --- src/cli.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/cli.c b/src/cli.c index d0e75a2..58c2d1d 100644 --- a/src/cli.c +++ b/src/cli.c @@ -1714,6 +1714,7 @@ psk_callback(gnutls_session_t session, char **username, if (ret < 0) { fprintf(stderr, "Error deriving password: %s\n", gnutls_strerror(ret)); + gnutls_free(rawkey); gnutls_free(*username); return ret; } -- 1.9.1 From nmav at gnutls.org Thu Jun 18 10:57:12 2015 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Thu, 18 Jun 2015 10:57:12 +0200 Subject: [gnutls-devel] [PATCH 3/4] tests: nist-pkits: cleanup shell/perl usage In-Reply-To: <1434609715-3018-3-git-send-email-alon.barlev@gmail.com> References: <1434609715-3018-1-git-send-email-alon.barlev@gmail.com> <1434609715-3018-3-git-send-email-alon.barlev@gmail.com> Message-ID: Thanks. I've applied all except for this one. In that case "#!/usr/bin/perl" part is not needed. It is handled by the eval part which will detect perl even if in a different path. regards, Nikos On Thu, Jun 18, 2015 at 8:41 AM, Alon Bar-Lev wrote: > Add quotes for most usages of variables. > > Added ${} for variables. > > Consistent indent. > > Add perl shebang. 
> > Signed-off-by: Alon Bar-Lev > --- > tests/nist-pkits/build-chain | 28 +++++++++++++++------------- > tests/nist-pkits/gnutls_test_entry | 30 +++++++++++++++--------------- > tests/nist-pkits/pkits | 11 +++++------ > tests/nist-pkits/pkits_crl | 23 ++++++++++++----------- > tests/nist-pkits/pkits_crt | 23 ++++++++++++----------- > tests/nist-pkits/pkits_pkcs12 | 23 ++++++++++++----------- > tests/nist-pkits/pkits_smime | 33 +++++++++++++++++---------------- > tests/nist-pkits/pkits_test | 8 +++++--- > 8 files changed, 93 insertions(+), 86 deletions(-) > > diff --git a/tests/nist-pkits/build-chain b/tests/nist-pkits/build-chain > index e625a8c..ebe48db 100755 > --- a/tests/nist-pkits/build-chain > +++ b/tests/nist-pkits/build-chain > @@ -1,3 +1,5 @@ > +#!/usr/bin/perl > + > eval '(exit $?0)' && eval 'exec perl -wST "$0" ${1+"$@"}' > & eval 'exec perl -wST "$0" $argv:q' > if 0; 
> @@ -10,30 +12,30 @@ my $aki; > my $info; > my $list; > > -if (! -f "$certdir/certinfo.txt") { > - system("for i in $certdir/*.crt; do echo -n \$i:; certtool --inder -i < \$i|grep 'Subject Key Id' -A 1|tail -1; done > $certdir/certinfo.txt"); > +if (! -f "${certdir}/certinfo.txt") { > + system("for i in '${certdir}'/*.crt; do echo -n \$i:; certtool --inder -i < \$i|grep 'Subject Key Id' -A 1|tail -1; done > '${certdir}/certinfo.txt'"); > } > > do { > - print "Parsing $certdir/$certfile...\n"; > + print "Parsing ${certdir}/${certfile}...\n"; > > - $info = `certtool --inder -i < $certdir/$certfile`; > + $info = `certtool --inder -i < '${certdir}/${certfile}'`; > > - print "$info"; > + print "${info}"; > > - if ($info =~ m,Authority Key Identifier.*:\n[\t]*([a-z0-9]+),m) { > - $aki = $1; > + if (${info} =~ m,Authority Key Identifier.*:\n[\t ]*([a-z0-9]+),m) { > + $aki = $1; > } else { > - die "Could not find AKI"; > + die "Could not find AKI"; > } > > - print "Finding AKI $aki...\n"; > + print "Finding AKI ${aki}...\n"; > > - $list = `cat $certdir/certinfo.txt | grep $aki`; > + $list = `cat '${certdir}/certinfo.txt' | grep '${aki}'`; > if ($list =~m,.*/(.*):.*,) { > - $list = $1; > + $list = $1; > } else { > - die "Could not find issuer"; > + die "Could not find issuer"; > } > - $certfile = $list; > + $certfile = ${list}; > } while (1); > diff --git a/tests/nist-pkits/gnutls_test_entry b/tests/nist-pkits/gnutls_test_entry > index f94cf4b..87c435e 100755 > --- a/tests/nist-pkits/gnutls_test_entry > +++ b/tests/nist-pkits/gnutls_test_entry 
> @@ -1,28 +1,28 @@ > #!/bin/sh > > -TITLE=$1 > -EECERT=$2 > -RESULT=$3 > +TITLE="$1" > +EECERT="$2" > +RESULT="$3" > > -./build-chain certs $EECERT > chain.pem > +./build-chain certs "${EECERT}" > chain.pem > certtool -e < chain.pem > output.txt > > rm -f chain.pem > > if grep 'Verification output:' output.txt > /dev/null; then > - if grep 'Verification output' output.txt | grep -v 'Verification output: Verified.' > /dev/null; then > - if test "$RESULT" = "0"; then > - echo "Unexpected reject" > - else > - echo "Reject" > - fi > + if grep 'Verification output' output.txt | grep -v 'Verification output: Verified.' > /dev/null; then > + if test "${RESULT}" = "0"; then > + echo "Unexpected reject" > else > - if test "$RESULT" = "1"; then > - echo "Unexpected success" > - else > - echo "Success" > - fi > + echo "Reject" > fi > + else > + if test "${RESULT}" = "1"; then > + echo "Unexpected success" > + else > + echo "Success" > + fi > + fi > fi > > rm -f output.txt > diff --git a/tests/nist-pkits/pkits b/tests/nist-pkits/pkits > index 83f4d29..ac72212 100755 > --- a/tests/nist-pkits/pkits > +++ b/tests/nist-pkits/pkits > @@ -20,19 +20,18 @@ > > set -e > > -srcdir=${srcdir:-.} > -CERTTOOL=${CERTTOOL:-../../src/certtool} > +srcdir="${srcdir:-.}" > > echo "Running PKITS CRT..." > -$srcdir/pkits_crt > +"${srcdir}/pkits_crt" > > echo "Running PKITS CRL..." > -$srcdir/pkits_crl > +"${srcdir}/pkits_crl" > > echo "Running PKITS PKCS#12..." > -$srcdir/pkits_pkcs12 > +"${srcdir}/pkits_pkcs12" > > echo "Running PKITS S/MIME..." > -$srcdir/pkits_smime > +"${srcdir}/pkits_smime" > > echo "Done" > diff --git a/tests/nist-pkits/pkits_crl b/tests/nist-pkits/pkits_crl > index 9bf00e6..1473587 100755 > --- a/tests/nist-pkits/pkits_crl > +++ b/tests/nist-pkits/pkits_crl 
> @@ -18,20 +18,21 @@ > # along with this program; if not, write to the Free Software > # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA > > -CERTTOOL=${CERTTOOL:-../../src/certtool} > +srcdir="${srcdir:-.}" > +CERTTOOL="${CERTTOOL:-../../src/certtool}" > > -test -d crls || unzip PKITS_data.zip > +test -d crls || unzip "${srcdir}/PKITS_data.zip" > > ret=0 > -for crl in crls/*; do > - $CERTTOOL --crl-info --inder --infile $crl > out 2>&1 > - rc=$? > - if test $rc != 0; then > - echo "CRL FATAL $crl" > - ret=1 > - fi > +for crl in "${srcdir}/crls"/*; do > + "${CERTTOOL}" --crl-info --inder --infile "${crl}" > out 2>&1 > + rc=$? > + if test ${rc} != 0; then > + echo "CRL FATAL ${crl}" > + ret=1 > + fi > done > rm -f out > > -echo "Done (exit code $ret)" > -exit $ret > +echo "Done (exit code ${ret})" > +exit ${ret} > diff --git a/tests/nist-pkits/pkits_crt b/tests/nist-pkits/pkits_crt > index 0fa37d4..5e22ca2 100755 > --- a/tests/nist-pkits/pkits_crt > +++ b/tests/nist-pkits/pkits_crt > @@ -18,20 +18,21 @@ > # along with this program; if not, write to the Free Software > # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA > > -CERTTOOL=${CERTTOOL:-../../src/certtool} > +srcdir="${srcdir:-.}" > +CERTTOOL="${CERTTOOL:-../../src/certtool}" > > -test -d certs || unzip PKITS_data.zip > +test -d certs || unzip "${srcdir}/PKITS_data.zip" > > ret=0 > -for crt in certs/*; do > - $CERTTOOL --certificate-info --inder --infile $crt > out 2>&1 > - rc=$? > - if test $rc != 0; then > - echo "Certificate FATAL $crt" > - ret=1 > - fi > +for crt in "${srcdir}/certs"/*; do > + "${CERTTOOL}" --certificate-info --inder --infile "${crt}" > out 2>&1 > + rc=$? > + if test ${rc} != 0; then > + echo "Certificate FATAL ${crt}" > + ret=1 > + fi > done > rm -f out > > -echo "Done (exit code $ret)" > -exit $ret > +echo "Done (exit code ${ret})" > +exit ${ret} 
> diff --git a/tests/nist-pkits/pkits_pkcs12 b/tests/nist-pkits/pkits_pkcs12 > index bdaaa5b..24ba7e6 100755 > --- a/tests/nist-pkits/pkits_pkcs12 > +++ b/tests/nist-pkits/pkits_pkcs12 > @@ -18,20 +18,21 @@ > # along with this program; if not, write to the Free Software > # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA > > -CERTTOOL=${CERTTOOL:-../../src/certtool} > +srcdir="${srcdir:-.}" > +CERTTOOL="${CERTTOOL:-../../src/certtool}" > > -test -d pkcs12 || unzip PKITS_data.zip > +test -d pkcs12 || unzip "${srcdir}/PKITS_data.zip" > > ret=0 > -for p12 in pkcs12/*; do > - $CERTTOOL --p12-info --inder --password password --infile $p12 > out 2>&1 > - rc=$? > - if test $rc != 0; then > - echo "PKCS12 FATAL $p12" > - ret=1 > - fi > +for p12 in "${srcdir}/pkcs12"/*; do > + "${CERTTOOL}" --p12-info --inder --password password --infile "${p12}" > out 2>&1 > + rc=$? > + if test ${rc} != 0; then > + echo "PKCS12 FATAL $p12" > + ret=1 > + fi > done > rm -f out > > -echo "Done (exit code $ret)" > -exit $ret > +echo "Done (exit code ${ret})" > +exit ${ret} > diff --git a/tests/nist-pkits/pkits_smime b/tests/nist-pkits/pkits_smime > index cfd9843..a9b15aa 100755 > --- a/tests/nist-pkits/pkits_smime > +++ b/tests/nist-pkits/pkits_smime 
> @@ -18,26 +18,27 @@ > # along with this program; if not, write to the Free Software > # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA > > +srcdir="${srcdir:-.}" > CERTTOOL=${CERTTOOL:-../../src/certtool} > > -test -d smime || unzip PKITS_data.zip > +test -d smime || unzip "${srcdir}/PKITS_data.zip" > > ret=0 > -for msg in smime/*; do > - $CERTTOOL --smime-to-p7 --infile $msg > out 2>&1 > - rc=$? > - if test $rc != 0; then > - echo "S/MIME FATAL $msg" > - ret=1 > - fi > - $CERTTOOL --p7-info --infile out > out2 2>&1 > - rc=$? > - if test $rc != 0; then > - echo "PKCS#7 FATAL $msg" > - ret=1 > - fi > +for msg in "${srcdir}/smime"/*; do > + "${CERTTOOL}" --smime-to-p7 --infile "${msg}" > out 2>&1 > + rc=$? > + if test ${rc} != 0; then > + echo "S/MIME FATAL $msg" > + ret=1 > + fi > + "${CERTTOOL}" --p7-info --infile out > out2 2>&1 > + rc=$? > + if test ${rc} != 0; then > + echo "PKCS#7 FATAL $msg" > + ret=1 > + fi > done > rm -f out out2 > > -echo "Done (exit code $ret)" > -exit $ret > +echo "Done (exit code ${ret})" > +exit ${ret} > diff --git a/tests/nist-pkits/pkits_test b/tests/nist-pkits/pkits_test > index 6daaa34..55653a3 100755 > --- a/tests/nist-pkits/pkits_test > +++ b/tests/nist-pkits/pkits_test > @@ -2,11 +2,13 @@ > > set -e > > -test -d certs || unzip PKITS_data.zip > +srcdir="${srcdir:-.}" > + > +test -d certs || unzip "${srcdir}/PKITS_data.zip" > > if ! test -d pkits_test_list_generator; then > - tar xfz pkits_test_list_generator.tgz > - patch -p 0 < pkits_test_list_generator.patch > + tar xfz "${srcdir}/pkits_test_list_generator.tgz" > + patch -p 0 < pkits_test_list_generator.patch > fi > > make -C pkits_test_list_generator/src > -- > 2.3.6 > > > _______________________________________________ > Gnutls-devel mailing list > Gnutls-devel at lists.gnutls.org > http://lists.gnupg.org/mailman/listinfo/gnutls-devel From alon.barlev at gmail.com Thu Jun 18 11:05:10 2015 
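Review bot: in pkits_crl, pkits_crt, pkits_pkcs12 and pkits_smime the guard `test -d crls || unzip "${srcdir}/PKITS_data.zip"` (and its certs/pkcs12/smime counterparts) still tests and unpacks in the current directory, while the loop it protects now iterates `"${srcdir}/crls"/*`; in an out-of-tree run (`srcdir` not `.`) the archive lands in the build directory and, if `${srcdir}/crls` does not exist, the glob stays unexpanded and certtool is invoked on the literal pattern, which the loop then reports as FATAL. Make the two agree: either keep the loops on `crls/*` etc. relative to the build directory, or unpack with `unzip -d "${srcdir}"` and test `"${srcdir}/crls"`.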
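Review bot: a few expansions escaped the quoting this series is about: `echo "PKCS12 FATAL $p12"` in pkits_pkcs12, `echo "S/MIME FATAL $msg"` and `echo "PKCS#7 FATAL $msg"` in pkits_smime, and the unchanged `CERTTOOL=${CERTTOOL:-../../src/certtool}` line in pkits_smime is now the only unquoted default assignment among the five scripts. Harmless, but worth making consistent in the same change.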
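Review bot: in the pkits_test hunk the tar line gained the `${srcdir}` prefix but the next line, `patch -p 0 < pkits_test_list_generator.patch`, still reads the patch from the current directory, so an out-of-tree run extracts the tarball and then fails on the redirect. Use `"${srcdir}/pkits_test_list_generator.patch"` there as well.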
From: alon.barlev at gmail.com (Alon Bar-Lev)
Date: Thu, 18 Jun 2015 12:05:10 +0300
Subject: [gnutls-devel] [PATCH 3/4] tests: nist-pkits: cleanup shell/perl usage
In-Reply-To:
References: <1434609715-3018-1-git-send-email-alon.barlev@gmail.com> <1434609715-3018-3-git-send-email-alon.barlev@gmail.com>
Message-ID:

On 18 June 2015 at 11:57, Nikos Mavrogiannopoulos wrote:
>
> Thanks. I've applied all except for this one. In that case
> "#!/usr/bin/perl" part is not needed. It is handled by the eval part
> which will detect perl even if in a different path.
>

This is ugly! :)
consider #!/usr/bin/env perl ?
or better, I can add autoconf detection for perl.

or convert this script to shell? it is not using much of perl
anyway... just executing shell over and over.

From nmav at gnutls.org Thu Jun 18 13:25:42 2015
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Thu, 18 Jun 2015 13:25:42 +0200
Subject: [gnutls-devel] [PATCH 3/4] tests: nist-pkits: cleanup shell/perl usage
In-Reply-To:
References: <1434609715-3018-1-git-send-email-alon.barlev@gmail.com> <1434609715-3018-3-git-send-email-alon.barlev@gmail.com>
Message-ID:

On Thu, Jun 18, 2015 at 11:05 AM, Alon Bar-Lev wrote:
> On 18 June 2015 at 11:57, Nikos Mavrogiannopoulos wrote:
>> Thanks. I've applied all except for this one. In that case
>> "#!/usr/bin/perl" part is not needed. It is handled by the eval part
>> which will detect perl even if in a different path.
> This is ugly! :)
> consider #!/usr/bin/env perl ?
> or better, I can add autoconf detection for perl.

Very ugly. I don't even remember why it was added. The problem it
solved was supposedly to detect perl in all systems, by avoiding hard-coded
paths, but I'm not sure whether that was a real problem. If you have a
better solution I'm certainly interested.

> or convert this script to shell? it is not using much of perl
> anyway... just executing shell over and over.

There are many other scripts in perl, so it wouldn't make much sense.

regards,
Nikos

From nmav at gnutls.org Thu Jun 18 13:27:37 2015
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Thu, 18 Jun 2015 13:27:37 +0200
Subject: [gnutls-devel] [PATCH] gnutls-cli: Fixed Possible Memory Leak
In-Reply-To: <1434612231-4014-1-git-send-email-saurav.babu@samsung.com>
References: <1434612231-4014-1-git-send-email-saurav.babu@samsung.com>
Message-ID:

On Thu, Jun 18, 2015 at 9:23 AM, Saurav Babu wrote:
> This patch fixes a possible memory leak in the psk_callback() function: rawkey
> is allocated by gnutls_malloc() and is not freed when
> gnutls_hex_decode() returns with an error

Applied, thank you!

From alon.barlev at gmail.com Fri Jun 19 06:02:55 2015
From: alon.barlev at gmail.com (Alon Bar-Lev)
Date: Fri, 19 Jun 2015 07:02:55 +0300
Subject: [gnutls-devel] [PATCH 3/4] tests: nist-pkits: cleanup shell/perl usage
In-Reply-To:
References: <1434609715-3018-1-git-send-email-alon.barlev@gmail.com> <1434609715-3018-3-git-send-email-alon.barlev@gmail.com>
Message-ID:

On 18 June 2015 at 14:25, Nikos Mavrogiannopoulos wrote:
>
> On Thu, Jun 18, 2015 at 11:05 AM, Alon Bar-Lev wrote:
> > On 18 June 2015 at 11:57, Nikos Mavrogiannopoulos wrote:
> >> Thanks. I've applied all except for this one. In that case
> >> "#!/usr/bin/perl" part is not needed. It is handled by the eval part
> >> which will detect perl even if in a different path.
> > This is ugly! :)
> > consider #!/usr/bin/env perl ?
> > or better, I can add autoconf detection for perl.
>
> Very ugly. I don't even remember why it was added. The problem it
> solved was supposedly to detect perl in all systems, by avoiding hard
> coded paths, but I'm not sure whether that was a real problem. If you
> have a better solution I'm certainly interested.

At least add #!/bin/sh in this case for now?

>
> > or convert this script to shell? it is not using much of perl
> > anyway... just executing shell over and over.
>
> There are many other scripts in perl, so it wouldn't make much sense.
>
> regards,
> Nikos

From alon.barlev at gmail.com Fri Jun 19 23:26:45 2015
From: alon.barlev at gmail.com (Alon Bar-Lev)
Date: Sat, 20 Jun 2015 00:26:45 +0300
Subject: [gnutls-devel] [PATCH 3/4] tests: nist-pkits: cleanup shell/perl usage
In-Reply-To:
References: <1434609715-3018-1-git-send-email-alon.barlev@gmail.com> <1434609715-3018-3-git-send-email-alon.barlev@gmail.com>
Message-ID:

On 19 June 2015 at 07:02, Alon Bar-Lev wrote:
>
> On 18 June 2015 at 14:25, Nikos Mavrogiannopoulos wrote:
> >
> > On Thu, Jun 18, 2015 at 11:05 AM, Alon Bar-Lev wrote:
> > > On 18 June 2015 at 11:57, Nikos Mavrogiannopoulos wrote:
> > >> Thanks. I've applied all except for this one. In that case
> > >> "#!/usr/bin/perl" part is not needed. It is handled by the eval part
> > >> which will detect perl even if in a different path.
> > > This is ugly! :)
> > > consider #!/usr/bin/env perl ?
> > > or better, I can add autoconf detection for perl.
> >
> > Very ugly. I don't even remember why it was added. The problem it
> > solved was supposedly to detect perl in all systems, by avoiding hard
> > coded paths, but I'm not sure whether that was a real problem. If you
> > have a better solution I'm certainly interested.
>
> At least add #!/bin/sh in this case for now?

it is confusing... you use multiple methods to locate perl.
Examples:
cfg.mk: perl $< elf >> $@
devel/perlasm/cpuid-x86.pl:#!/usr/bin/env perl
tests/suite/asn1random.pl:#!/usr/bin/perl -w
tests/suite/x509random.pl:#!/usr/bin/perl -w
tests/nist-pkits/build-chain:eval '(exit $?0)' && eval 'exec perl -wST "$0" ${1+"$@"}' & eval 'exec perl -wST "$0" $argv:q'
Maybe reduce that to one?
The #!/usr/bin/env perl is the closest to what you want to achieve and, as it is already there, it can serve all cases.

>
> >
> > > or convert this script to shell? it is not using much of perl
> > > anyway... just executing shell over and over.
> >
> > There are many other scripts in perl, so it wouldn't make much sense.
> >
> > regards,
> > Nikos

From nmav at gnutls.org Sat Jun 20 10:40:30 2015
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sat, 20 Jun 2015 10:40:30 +0200
Subject: [gnutls-devel] [PATCH 3/4] tests: nist-pkits: cleanup shell/perl usage
In-Reply-To:
References: <1434609715-3018-1-git-send-email-alon.barlev@gmail.com> <1434609715-3018-3-git-send-email-alon.barlev@gmail.com>
Message-ID: <1434789630.27798.5.camel@gnutls.org>

On Sat, 2015-06-20 at 00:26 +0300, Alon Bar-Lev wrote:
> it is confusing... you use multiple methods to locate perl.
> Examples:
> cfg.mk: perl $< elf >> $@
> devel/perlasm/cpuid-x86.pl:#!/usr/bin/env perl
> tests/suite/asn1random.pl:#!/usr/bin/perl -w
> tests/suite/x509random.pl:#!/usr/bin/perl -w
> tests/nist-pkits/build-chain:eval '(exit $?0)' && eval 'exec perl -wST
> "$0" ${1+"$@"}' & eval 'exec perl -wST "$0" $argv:q'
> Maybe reduce that to one?

Indeed. Done.

From alon.barlev at gmail.com Sat Jun 20 20:08:12 2015
From: alon.barlev at gmail.com (Alon Bar-Lev)
Date: Sat, 20 Jun 2015 21:08:12 +0300
Subject: [gnutls-devel] tests/cert-tests/template-test is timezone sensitive
In-Reply-To:
References:
Message-ID:

On 17 June 2015 at 18:58, Alon Bar-Lev wrote:
>
> On 17 June 2015 at 18:19, Nikos Mavrogiannopoulos wrote:
> > On Wed, Jun 17, 2015 at 1:11 PM, Alon Bar-Lev wrote:
> >> Sorry, was cut in the middle.
> >> See:
> >> $ TZ=GMT+2 datefudge "2015-01-01" date -u
> >> Thu Jan 1 02:00:00 UTC 2015
> >> $ TZ=GMT+0 datefudge "2015-01-01" date -u
> >> Thu Jan 1 00:00:00 UTC 2015
> >> Probably an issue of datefudge using localtime... The test should
> >> enforce a specific TZ, currently it is UTC-2.
> >> However, even if done so, the certificates are generated with a
> >> different signature.
> >
> > Which test fails?
>
> tests/cert-tests/template-test

This applies to any datefudge test:
tests/cert-tests/template-test
tests/pkcs1-padding/pkcs1-pad
tests/suite/testcompat-openssl
tests/suite/testcompat-polarssl

All required TZ=GMT-2 to use sane timestamps.

From alon.barlev at gmail.com Sun Jun 21 02:00:02 2015
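A concrete way to see the timezone dependency reported in this thread, as an added example that is not part of the thread or of the GnuTLS tree: tests/pkcs1-padding/pkcs1-pad skips itself with `exit 77` unless `datefudge "2006-09-23" date -u +%s` yields the constant 1158962400, and that constant is local midnight on 2006-09-23 only in a UTC+2 zone (POSIX `TZ=GMT-2`). The functions below reproduce that with GNU `date -d` alone (no datefudge needed); the helper names and the TZ-pinned `probe_ok` variant are my own.

```sh
#!/bin/sh
# Added example (not GnuTLS code): why a datefudge probe that compares against
# a hardcoded epoch is timezone sensitive, and how a pinned probe avoids that.
# Requires GNU date for -d; the probe command is passed as arguments so that
# plain `date` stands in for the real test's `datefudge ... date -u +%s`.

# Epoch seconds of local midnight on DATE (YYYY-MM-DD) in POSIX zone TZSPEC.
local_midnight_epoch() {
    TZ="$2" date -d "$1 00:00:00" +%s
}

# The constant that tests/pkcs1-padding/pkcs1-pad compares its probe against.
PKCS1_PAD_EXPECTED=1158962400

# True when the constant equals local midnight 2006-09-23 in zone $1, i.e.
# when the script's check would pass for a developer running in that zone.
constant_matches_tz() {
    [ "$(local_midnight_epoch 2006-09-23 "$1")" = "$PKCS1_PAD_EXPECTED" ]
}

# The original style of probe: run the command and compare with the baked-in
# constant. The result depends on the caller's TZ.
naive_probe_ok() {
    observed=$("$@")
    [ "$observed" = "$PKCS1_PAD_EXPECTED" ]
}

# Pinned probe: run the command under an explicit TZ (UTC0) and compare with a
# value derived the same way, so the outcome is the same in every zone.
probe_ok() {
    expected=$(local_midnight_epoch 2006-09-23 UTC0)
    observed=$(TZ=UTC0; export TZ; "$@")
    [ "$observed" = "$expected" ]
}

# When run directly: report which of a few zones makes the constant "right".
for zone in UTC0 GMT-2 GMT+2; do
    if constant_matches_tz "$zone"; then
        echo "1158962400 is local midnight 2006-09-23 only with TZ=$zone"
    fi
done
```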
From: alon.barlev at gmail.com (Alon Bar-Lev)
Date: Sun, 21 Jun 2015 03:00:02 +0300
Subject: [gnutls-devel] [PATCH 1/4] tests: misc: cleanup shell usage
Message-ID: <1434844805-12931-1-git-send-email-alon.barlev@gmail.com>

Add quotes for most usages of variables.
Added ${} for variables.
Cleanup indentation to be consistent with other tests.

Signed-off-by: Alon Bar-Lev
---
 tests/pkcs1-padding/pkcs1-pad | 50 +++++++--------
 tests/pkcs12-decode/pkcs12 | 102 +++++++++++++++---------
 tests/pkcs8-decode/pkcs8 | 70 ++++++++++----------
 tests/rfc2253-escape-test | 15 ++---
 tests/rsa-md5-collision/rsa-md5-collision | 26 ++++----
 tests/sha2/sha2 | 70 ++++++++++----------
 tests/sha2/sha2-dsa | 52 +++++++--------
 tests/slow/override-ciphers | 34 +++++-----
 tests/slow/test-ciphers | 36 +++++------
 tests/userid/userid | 14 ++--
 10 files changed, 232 insertions(+), 237 deletions(-)

diff --git a/tests/pkcs1-padding/pkcs1-pad b/tests/pkcs1-padding/pkcs1-pad
index 3101c7e..65b31fd 100755
--- a/tests/pkcs1-padding/pkcs1-pad
+++ b/tests/pkcs1-padding/pkcs1-pad
@@ -23,33 +23,33 @@ set -e -srcdir=${srcdir:-.} -CERTTOOL=${CERTTOOL:-../../src/certtool$EXEEXT} +srcdir="${srcdir:-.}" +CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" # Check for datefudge TSTAMP=`datefudge "2006-09-23" date -u +%s || true` -if test "$TSTAMP" != "1158962400"; then - echo "You need datefudge to run this test" - exit 77 +if test "${TSTAMP}" != "1158962400"; then + echo "You need datefudge to run this test" + exit 77 fi # Test 1, PKCS#1 pad digestAlgorithm.parameters EXPECT1=2002 -datefudge "2006-09-23" $CERTTOOL --verify-chain --infile $srcdir/pkcs1-pad-ok.pem | tee out1 >/dev/null 2>&1 -datefudge "2006-09-23" $CERTTOOL --verify-chain --infile $srcdir/pkcs1-pad-broken.pem | tee out2 >/dev/null 2>&1 +datefudge "2006-09-23" "${CERTTOOL}" --verify-chain --infile "${srcdir}/pkcs1-pad-ok.pem" | tee out1 >/dev/null 2>&1 +datefudge "2006-09-23" "${CERTTOOL}" --verify-chain --infile "${srcdir}/pkcs1-pad-broken.pem" | tee out2 >/dev/null 2>&1 out1oks=`grep 'Verified.' out1 | wc -l | tr -d " "` out2oks=`grep 'Verified.' out2 | wc -l | tr -d " "` out1fails=`grep 'Not verified.' out1 | wc -l | tr -d " "` out2fails=`grep 'Not verified.' out2 | wc -l | tr -d " "` -if test "$out1oks$out2oks$out1fails$out2fails" != "$EXPECT1"; then - echo out1 oks $out1oks fails $out1fails out2 oks $out2oks fails $out2fails - echo expected $EXPECT1 - echo "PKCS1-PAD1 FAIL" - exit 1 +if test "${out1oks}${out2oks}${out1fails}${out2fails}" != "${EXPECT1}"; then + echo "out1 oks ${out1oks} fails ${out1fails} out2 oks ${out2oks} fails ${out2fails}" + echo "expected ${EXPECT1}" + echo "PKCS1-PAD1 FAIL" + exit 1 fi rm -f out1 out2 
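Review bot: the datefudge probe at the top of this hunk compares `datefudge "2006-09-23" date -u +%s` with the constant 1158962400, which is 2006-09-22 22:00 UTC, i.e. midnight on 2006-09-23 only in a UTC+2 zone (POSIX `TZ=GMT-2`); in any other zone the probe yields a different number and the script takes the `exit 77` path as if datefudge were missing, which is the timezone sensitivity reported elsewhere in this thread for this very test. Since these lines are being rewritten anyway, pin the zone before the probe and the `datefudge` calls below it (`TZ=UTC0; export TZ`) and adjust the constant to match.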
@@ -60,19 +60,19 @@ echo "PKCS1-PAD1 OK" EXPECT2=2002 -datefudge "2006-09-23" $CERTTOOL --verify-chain --infile $srcdir/pkcs1-pad-ok2.pem | tee out1 >/dev/null 2>&1 -datefudge "2006-09-23" $CERTTOOL --verify-chain --infile $srcdir/pkcs1-pad-broken2.pem | tee out2 >/dev/null 2>&1 +datefudge "2006-09-23" "${CERTTOOL}" --verify-chain --infile "${srcdir}/pkcs1-pad-ok2.pem" | tee out1 >/dev/null 2>&1 +datefudge "2006-09-23" "${CERTTOOL}" --verify-chain --infile "${srcdir}/pkcs1-pad-broken2.pem" | tee out2 >/dev/null 2>&1 out1oks=`grep 'Verified.' out1 | wc -l | tr -d " "` out2oks=`grep 'Verified.' out2 | wc -l | tr -d " "` out1fails=`grep 'Not verified.' out1 | wc -l | tr -d " "` out2fails=`grep 'Not verified.' out2 | wc -l | tr -d " "` -if test "$out1oks$out2oks$out1fails$out2fails" != "$EXPECT2"; then - echo out1 oks $out1oks fails $out1fails out2 oks $out2oks fails $out2fails - echo expected $EXPECT2 - echo "PKCS1-PAD2 FAIL" - exit 1 +if test "${out1oks}${out2oks}${out1fails}${out2fails}" != "${EXPECT2}"; then + echo "out1 oks ${out1oks} fails ${out1fails} out2 oks ${out2oks} fails ${out2fails}" + echo "expected ${EXPECT2}" + echo "PKCS1-PAD2 FAIL" + exit 1 fi rm -f out1 out2 @@ -85,16 +85,16 @@ echo "PKCS1-PAD2 OK" EXPECT3=02 -datefudge "2006-09-23" $CERTTOOL --verify-chain --infile $srcdir/pkcs1-pad-broken3.pem | tee out1 >/dev/null 2>&1 +datefudge "2006-09-23" "${CERTTOOL}" --verify-chain --infile "${srcdir}/pkcs1-pad-broken3.pem" | tee out1 >/dev/null 2>&1 out1oks=`grep 'Verified.' out1 | wc -l | tr -d " "` out1fails=`grep 'Not verified.' out1 | wc -l | tr -d " "` -if test "$out1oks$out1fails" != "$EXPECT3"; then - echo out1 oks $out1oks fails $out1fails - echo expected $EXPECT3 - echo "PKCS1-PAD3 FAIL" - exit 1 +if test "${out1oks}${out1fails}" != "${EXPECT3}"; then + echo "out1 oks ${out1oks} fails ${out1fails}" + echo "expected ${EXPECT3}" + echo "PKCS1-PAD3 FAIL" + exit 1 fi rm -f out1 
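Review bot: in both hunks the `"${CERTTOOL}" --verify-chain ... | tee out1 >/dev/null 2>&1` pipelines report tee's exit status, so the script's `set -e` never sees a certtool failure and the outcome rests on the `grep ... | wc -l` counts alone. If that is deliberate (the `pkcs1-pad-broken*.pem` inputs are expected to make verification fail), a short comment on the first such line would stop the next cleanup from "fixing" it into a plain `> out1 2>&1` redirect.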
diff --git a/tests/pkcs12-decode/pkcs12 b/tests/pkcs12-decode/pkcs12 index 0aa7746..0408ad1 100755 --- a/tests/pkcs12-decode/pkcs12 +++ b/tests/pkcs12-decode/pkcs12 @@ -21,10 +21,10 @@ # along with GnuTLS; if not, write to the Free Software Foundation, # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -srcdir=${srcdir:-.} -top_builddir=${top_builddir:-../..} -CERTTOOL=${CERTTOOL:-${top_builddir}/src/certtool$EXEEXT} -DIFF=${DIFF:-diff} +srcdir="${srcdir:-.}" +top_builddir="${top_builddir:-../..}" +CERTTOOL="${CERTTOOL:-${top_builddir}/src/certtool${EXEEXT}}" +DIFF="${DIFF:-diff}" DEBUG="" if test "x$1" != "x";then 
@@ -33,88 +33,88 @@ fi ret=0 for p12 in 'client.p12 foobar' noclient.p12 unclient.p12 pkcs12_2certs.p12; do - set -- $p12 - file=$1 - passwd=$2 - if test "x$DEBUG" != "x";then - $CERTTOOL -d 99 --p12-info --inder --password "$passwd" \ - --infile $srcdir/$file - else - $CERTTOOL --p12-info --inder --password "$passwd" \ - --infile $srcdir/$file >/dev/null 2>&1 - fi - rc=$? - if test $rc != 0; then - echo "NEON PKCS12 FATAL $p12" - ret=1 - fi + set -- ${p12} + file="$1" + passwd="$2" + if test "x$DEBUG" != "x";then + "${CERTTOOL}" -d 99 --p12-info --inder --password "${passwd}" \ + --infile "${srcdir}/${file}" + else + "${CERTTOOL}" --p12-info --inder --password "${passwd}" \ + --infile "${srcdir}/${file}" >/dev/null 2>&1 + fi + rc=$? + if test ${rc} != 0; then + echo "NEON PKCS12 FATAL ${p12}" + ret=1 + fi done file=test-null.p12 -$CERTTOOL --p12-info --inder --null-password --infile $srcdir/$file >/dev/null 2>&1 +"${CERTTOOL}" --p12-info --inder --null-password --infile "${srcdir}/${file}" >/dev/null 2>&1 rc=$? -if test $rc != 0; then - echo "PKCS12 FATAL $file" - ret=1 +if test ${rc} != 0; then + echo "PKCS12 FATAL ${file}" + ret=1 fi file=sha256.p12 -$CERTTOOL --p12-info --inder --password 1234 --infile $srcdir/$file >/dev/null 2>&1 +"${CERTTOOL}" --p12-info --inder --password 1234 --infile "${srcdir}/${file}" >/dev/null 2>&1 rc=$? -if test $rc != 0; then - echo "PKCS12 FATAL $file" - ret=1 +if test ${rc} != 0; then + echo "PKCS12 FATAL ${file}" + ret=1 fi # test whether we can encode a certificate and a key -$CERTTOOL --to-p12 --password 1234 --p12-name "my-key" --load-certificate $srcdir/../certs/cert-ecc256.pem --load-privkey $srcdir/../certs/ecc256.pem --outder --outfile out.p12 >/dev/null 2>&1 +"${CERTTOOL}" --to-p12 --password 1234 --p12-name "my-key" --load-certificate "${srcdir}/../certs/cert-ecc256.pem" --load-privkey "${srcdir}/../certs/ecc256.pem" --outder --outfile out.p12 >/dev/null 2>&1 rc=$? 
-if test $rc != 0; then - echo "PKCS12 FATAL encoding" - ret=1 +if test ${rc} != 0; then + echo "PKCS12 FATAL encoding" + ret=1 fi -$CERTTOOL --p12-info --inder --password 1234 --infile out.p12 >out.pem 2>/dev/null +"${CERTTOOL}" --p12-info --inder --password 1234 --infile out.p12 >out.pem 2>/dev/null rc=$? -if test $rc != 0; then - echo "PKCS12 FATAL decrypting/decoding" - ret=1 +if test ${rc} != 0; then + echo "PKCS12 FATAL decrypting/decoding" + ret=1 fi grep "BEGIN ENCRYPTED PRIVATE KEY" out.pem >/dev/null 2>&1 rc=$? -if test "$rc" != "0"; then - exit $rc +if test "${rc}" != "0"; then + exit ${rc} fi grep "BEGIN CERTIFICATE" out.pem >/dev/null 2>&1 rc=$? -if test "$rc" != "0"; then - exit $rc +if test "${rc}" != "0"; then + exit ${rc} fi # test whether we can encode a certificate, a key and a CA -$CERTTOOL --to-p12 --password 123456 --p12-name "my-key" --load-certificate $srcdir/../certs/cert-ecc256.pem --load-privkey $srcdir/../certs/ecc256.pem --load-ca-certificate $srcdir/../certs/ca-cert-ecc.pem --outder --outfile out.p12 >/dev/null 2>&1 +"${CERTTOOL}" --to-p12 --password 123456 --p12-name "my-key" --load-certificate "${srcdir}/../certs/cert-ecc256.pem" --load-privkey "${srcdir}/../certs/ecc256.pem" --load-ca-certificate "${srcdir}/../certs/ca-cert-ecc.pem" --outder --outfile out.p12 >/dev/null 2>&1 rc=$? -if test $rc != 0; then - echo "PKCS12 FATAL encoding 2" - exit 1 +if test ${rc} != 0; then + echo "PKCS12 FATAL encoding 2" + exit 1 fi -$CERTTOOL --p12-info --inder --password 123456 --infile out.p12 >out.pem 2>/dev/null +"${CERTTOOL}" --p12-info --inder --password 123456 --infile out.p12 >out.pem 2>/dev/null rc=$? -if test $rc != 0; then - echo "PKCS12 FATAL decrypting/decoding 2" - exit 1 +if test ${rc} != 0; then + echo "PKCS12 FATAL decrypting/decoding 2" + exit 1 fi grep "BEGIN ENCRYPTED PRIVATE KEY" out.pem >/dev/null 2>&1 rc=$? 
-if test "$rc" != "0"; then - exit $rc +if test "${rc}" != "0"; then + exit ${rc} fi count=`grep -c "BEGIN CERTIFICATE" out.pem` @@ -126,5 +126,5 @@ fi rm -f out.pem out.p12 -#echo "NEON PKCS12 DONE (rc $ret)" -exit $ret +#echo "NEON PKCS12 DONE (rc ${ret})" +exit ${ret} diff --git a/tests/pkcs8-decode/pkcs8 b/tests/pkcs8-decode/pkcs8 index 041a59b..756d0ac 100755 --- a/tests/pkcs8-decode/pkcs8 +++ b/tests/pkcs8-decode/pkcs8 
@@ -20,52 +20,52 @@ # along with GnuTLS; if not, write to the Free Software Foundation, # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -srcdir=${srcdir:-.} -CERTTOOL=${CERTTOOL:-../../src/certtool$EXEEXT} -DIFF=${DIFF:-diff} +srcdir="${srcdir:-.}" +CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" +DIFF="${DIFF:-diff}" if ! test -z "${VALGRIND}";then -VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" fi ret=0 for p8 in 'encpkcs8.pem foobar' unencpkcs8.pem 'enc2pkcs8.pem baz'; do - set -- $p8 - file=$1 - passwd=$2 - $VALGRIND $CERTTOOL --key-info --pkcs8 --password "$passwd" \ - --infile $srcdir/$file | tee out >/dev/null - rc=$? - if test $rc != 0; then - cat out - echo "PKCS8 FATAL $p8" - ret=1 - else - echo "PKCS8 OK $p8" - fi + set -- ${p8} + file="$1" + passwd="$2" + ${VALGRIND} "${CERTTOOL}" --key-info --pkcs8 --password "${passwd}" \ + --infile "${srcdir}/${file}" | tee out >/dev/null + rc=$? + if test ${rc} != 0; then + cat out + echo "PKCS8 FATAL ${p8}" + ret=1 + else + echo "PKCS8 OK ${p8}" + fi done rm -f out for p8 in openssl-aes128.p8 openssl-aes256.p8 openssl-3des.p8; do - set -- $p8 - file=$1 - passwd=$2 - $VALGRIND $CERTTOOL --p8-info --password "1234" \ - --infile $srcdir/$file | tee out >/dev/null - rc=$? - if test $rc != 0; then - cat out - echo "PKCS8 FATAL $p8" - ret=1 - fi + set -- ${p8} + file="$1" + passwd="$2" + ${VALGRIND} "${CERTTOOL}" --p8-info --password "1234" \ + --infile "${srcdir}/${file}" | tee out >/dev/null + rc=$? + if test ${rc} != 0; then + cat out + echo "PKCS8 FATAL ${p8}" + ret=1 + fi - $DIFF $srcdir/$p8.txt out - rc=$? - if test $rc != 0; then - cat out - echo "PKCS8 FATAL TXT $p8" - ret=1 - fi + ${DIFF} "${srcdir}/${p8}.txt" out + rc=$? + if test ${rc} != 0; then + cat out + echo "PKCS8 FATAL TXT ${p8}" + ret=1 + fi done rm -f out diff --git a/tests/rfc2253-escape-test b/tests/rfc2253-escape-test index 8f620dc..7506139 100755 
--- a/tests/rfc2253-escape-test +++ b/tests/rfc2253-escape-test @@ -22,15 +22,14 @@ set -e -srcdir=${srcdir:-.} -CERTTOOL=${CERTTOOL:-../src/certtool$EXEEXT} +CERTTOOL="${CERTTOOL:-../src/certtool${EXEEXT}}" if ! test -z "${VALGRIND}";then -VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=1" + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=1" fi if cat< /dev/null + | ${VALGRIND} "${CERTTOOL}" --certificate-info \ + | grep 'Issuer: O=RFC 2253 escape test,OU=Plus \\+ Comma \\,' > /dev/null -----BEGIN CERTIFICATE----- MIICETCCAXygAwIBAgIESnlIMTALBgkqhkiG9w0BAQUwODEdMBsGA1UEChMUUkZD IDIyNTMgZXNjYXBlIHRlc3QxFzAVBgNVBAsTDlBsdXMgKyBDb21tYSAsMB4XDTA5 @@ -47,10 +46,10 @@ iptEYYo= -----END CERTIFICATE----- EOF then - : + : else - echo "RFC 2253 escaping not working?" - exit 1 + echo "RFC 2253 escaping not working?" + exit 1 fi exit 0 diff --git a/tests/rsa-md5-collision/rsa-md5-collision b/tests/rsa-md5-collision/rsa-md5-collision index 7f3361d..888bbed 100755 --- a/tests/rsa-md5-collision/rsa-md5-collision +++ b/tests/rsa-md5-collision/rsa-md5-collision 
@@ -22,26 +22,26 @@ set -e -srcdir=${srcdir:-.} -CERTTOOL=${CERTTOOL:-../../src/certtool$EXEEXT} +srcdir="${srcdir:-.}" +CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" -$CERTTOOL --inder --certificate-info \ - --infile $srcdir/MD5CollisionCA.cer > ca.pem -$CERTTOOL --inder --certificate-info \ - --infile $srcdir/TargetCollidingCertificate1.cer > client1.pem -$CERTTOOL --inder --certificate-info \ - --infile $srcdir/TargetCollidingCertificate2.cer > client2.pem +"${CERTTOOL}" --inder --certificate-info \ + --infile "${srcdir}/MD5CollisionCA.cer" > ca.pem +"${CERTTOOL}" --inder --certificate-info \ + --infile "${srcdir}/TargetCollidingCertificate1.cer" > client1.pem +"${CERTTOOL}" --inder --certificate-info \ + --infile "${srcdir}/TargetCollidingCertificate2.cer" > client2.pem cat client1.pem ca.pem > chain1.pem cat client2.pem ca.pem > chain2.pem -$CERTTOOL --verify-chain < chain1.pem | \ - grep 'Not verified.' | grep 'insecure algorithm' >/dev/null -$CERTTOOL --verify-chain < chain2.pem | \ - grep 'Not verified.' | grep 'insecure algorithm' >/dev/null +"${CERTTOOL}" --verify-chain < chain1.pem | \ + grep 'Not verified.' | grep 'insecure algorithm' >/dev/null +"${CERTTOOL}" --verify-chain < chain2.pem | \ + grep 'Not verified.' | grep 'insecure algorithm' >/dev/null rm -f ca.pem client1.pem client2.pem \ - chain1.pem chain2.pem \ + chain1.pem chain2.pem \ # We're done. exit 0 diff --git a/tests/sha2/sha2 b/tests/sha2/sha2 index c8e3b71..02b1778 100755 --- a/tests/sha2/sha2 +++ b/tests/sha2/sha2 
@@ -22,71 +22,71 @@ #set -e -srcdir=${srcdir:-.} -CERTTOOL=${CERTTOOL:-../../src/certtool$EXEEXT} +srcdir="${srcdir:-.}" +CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" echo ca > template-sha2 echo cn = "SHA 512 CA" >> template-sha2 -$CERTTOOL -d 2 --generate-self-signed --template template-sha2 \ - --load-privkey $srcdir/key-ca.pem \ - --outfile new-ca.pem \ - --hash sha512 >out 2>&1 +"${CERTTOOL}" -d 2 --generate-self-signed --template template-sha2 \ + --load-privkey "${srcdir}/key-ca.pem" \ + --outfile new-ca.pem \ + --hash sha512 >out 2>&1 if [ $? != 0 ];then - cat out - exit 1 + cat out + exit 1 fi echo ca > template-sha2 echo cn = "SHA 384 sub-CA" >> template-sha2 -$CERTTOOL -d 2 --generate-certificate --template template-sha2 \ - --load-ca-privkey $srcdir/key-ca.pem \ - --load-ca-certificate new-ca.pem \ - --load-privkey $srcdir/key-subca.pem \ - --outfile new-subca.pem \ - --hash sha384 >out 2>&1 +"${CERTTOOL}" -d 2 --generate-certificate --template template-sha2 \ + --load-ca-privkey "${srcdir}/key-ca.pem" \ + --load-ca-certificate new-ca.pem \ + --load-privkey "${srcdir}/key-subca.pem" \ + --outfile new-subca.pem \ + --hash sha384 >out 2>&1 if [ $? != 0 ];then - cat out - exit 1 + cat out + exit 1 fi echo ca > template-sha2 echo cn = "SHA 256 sub-sub-CA" >> template-sha2 -$CERTTOOL -d 2 --generate-certificate --template template-sha2 \ - --load-ca-privkey $srcdir/key-subca.pem \ - --load-ca-certificate new-subca.pem \ - --load-privkey $srcdir/key-subsubca.pem \ - --outfile new-subsubca.pem \ - --hash sha256 >out 2>&1 +"${CERTTOOL}" -d 2 --generate-certificate --template template-sha2 \ + --load-ca-privkey "${srcdir}/key-subca.pem" \ + --load-ca-certificate new-subca.pem \ + --load-privkey "${srcdir}/key-subsubca.pem" \ + --outfile new-subsubca.pem \ + --hash sha256 >out 2>&1 if [ $? 
!= 0 ];then - cat out - exit 1 + cat out + exit 1 fi echo cn = "End-user" > template-sha2 -$CERTTOOL -d 2 --generate-certificate --template template-sha2 \ - --load-ca-privkey $srcdir/key-subsubca.pem \ - --load-ca-certificate new-subsubca.pem \ - --load-privkey $srcdir/key-user.pem \ - --outfile new-user.pem >out 2>&1 +"${CERTTOOL}" -d 2 --generate-certificate --template template-sha2 \ + --load-ca-privkey "${srcdir}/key-subsubca.pem" \ + --load-ca-certificate new-subsubca.pem \ + --load-privkey "${srcdir}/key-user.pem" \ + --outfile new-user.pem >out 2>&1 if [ $? != 0 ];then - cat out - exit 1 + cat out + exit 1 fi -num=`cat new-user.pem new-subsubca.pem new-subca.pem new-ca.pem | $CERTTOOL --verify-chain | tee verify-sha2 | grep -c Verified` +num=`cat new-user.pem new-subsubca.pem new-subca.pem new-ca.pem | "${CERTTOOL}" --verify-chain | tee verify-sha2 | grep -c Verified` #cat verify -if test "$num" != "4"; then - echo Verification failure - exit 1 +if test "${num}" != "4"; then + echo Verification failure + exit 1 fi rm -f verify-sha2 new-user.pem new-subsubca.pem new-subca.pem new-ca.pem template-sha2 out diff --git a/tests/sha2/sha2-dsa b/tests/sha2/sha2-dsa index 68b8432..623c621 100755 --- a/tests/sha2/sha2-dsa +++ b/tests/sha2/sha2-dsa 
@@ -22,56 +22,56 @@ #set -e -srcdir=${srcdir:-.} -CERTTOOL=${CERTTOOL:-../../src/certtool$EXEEXT} +srcdir="${srcdir:-.}" +CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" echo ca > template-dsa echo cn = "SHA 256 CA" >> template-dsa -$CERTTOOL -d 2 --generate-self-signed --template template-dsa \ - --load-privkey $srcdir/key-ca-dsa.pem \ - --outfile new-ca-dsa.pem \ - --hash sha256 >out-dsa 2>&1 +"${CERTTOOL}" -d 2 --generate-self-signed --template template-dsa \ + --load-privkey "${srcdir}/key-ca-dsa.pem" \ + --outfile new-ca-dsa.pem \ + --hash sha256 >out-dsa 2>&1 if [ $? != 0 ];then - cat out-dsa - exit 1 + cat out-dsa + exit 1 fi echo ca > template-dsa echo cn = "SHA 224 Mid CA" >> template-dsa -$CERTTOOL -d 2 --generate-certificate --template template-dsa \ - --load-ca-privkey $srcdir/key-ca-dsa.pem \ - --load-ca-certificate new-ca-dsa.pem \ - --load-privkey $srcdir/key-subca-dsa.pem \ - --outfile new-subca-dsa.pem \ - --hash sha224 >out-dsa 2>&1 +"${CERTTOOL}" -d 2 --generate-certificate --template template-dsa \ + --load-ca-privkey "${srcdir}/key-ca-dsa.pem" \ + --load-ca-certificate new-ca-dsa.pem \ + --load-privkey "${srcdir}/key-subca-dsa.pem" \ + --outfile new-subca-dsa.pem \ + --hash sha224 >out-dsa 2>&1 if [ $? != 0 ];then - cat out-dsa - exit 1 + cat out-dsa + exit 1 fi echo cn = "End-user" > template-dsa -$CERTTOOL -d 2 --generate-certificate --template template-dsa \ - --load-ca-privkey $srcdir/key-subca-dsa.pem \ - --load-ca-certificate new-subca-dsa.pem \ - --load-privkey $srcdir/key-dsa.pem \ - --outfile new-user-dsa.pem >out-dsa 2>&1 +"${CERTTOOL}" -d 2 --generate-certificate --template template-dsa \ + --load-ca-privkey "${srcdir}/key-subca-dsa.pem" \ + --load-ca-certificate new-subca-dsa.pem \ + --load-privkey "${srcdir}/key-dsa.pem" \ + --outfile new-user-dsa.pem >out-dsa 2>&1 if [ $? 
!= 0 ];then - cat out-dsa - exit 1 + cat out-dsa + exit 1 fi cat new-user-dsa.pem new-subca-dsa.pem new-ca-dsa.pem > out-dsa -$CERTTOOL --verify-chain verify-dsa +"${CERTTOOL}" --verify-chain verify-dsa if [ $? != 0 ];then - cat verify-dsa - exit 1 + cat verify-dsa + exit 1 fi rm -f verify-dsa new-user-dsa.pem new-ca-dsa.pem new-subca-dsa.pem template-dsa out-dsa diff --git a/tests/slow/override-ciphers b/tests/slow/override-ciphers index 45cc862..aa1e7ad 100755 --- a/tests/slow/override-ciphers +++ b/tests/slow/override-ciphers @@ -20,41 +20,39 @@ # along with GnuTLS; if not, write to the Free Software Foundation, # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -srcdir="${srcdir:-.}" -CLI="${CLI:-../../src/gnutls-cli$EXEEXT}" unset RETCODE if ! test -z "${VALGRIND}";then -VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" fi -GNUTLS_NO_EXPLICIT_INIT=1 $VALGRIND ./cipher-override +GNUTLS_NO_EXPLICIT_INIT=1 ${VALGRIND} ./cipher-override if test $? != 0;then - echo "overriden cipher tests failed" - exit 1 + echo "overriden cipher tests failed" + exit 1 fi -$VALGRIND ./cipher-override +${VALGRIND} ./cipher-override if test $? != 0;then - echo "overriden cipher tests 2 failed" - exit 1 + echo "overriden cipher tests 2 failed" + exit 1 fi -$VALGRIND ./cipher-override2 +${VALGRIND} ./cipher-override2 if test $? != 0;then - echo "overriden cipher tests 3 failed" - exit 1 + echo "overriden cipher tests 3 failed" + exit 1 fi -GNUTLS_NO_EXPLICIT_INIT=1 $VALGRIND ./mac-override +GNUTLS_NO_EXPLICIT_INIT=1 ${VALGRIND} ./mac-override if test $? != 0;then - echo "overriden mac tests failed" - exit 1 + echo "overriden mac tests failed" + exit 1 fi -$VALGRIND ./mac-override +${VALGRIND} ./mac-override if test $? != 0;then - echo "overriden mac tests 2 failed" - exit 1 + echo "overriden mac tests 2 failed" + exit 1 fi exit 0 
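Review bot: the five `echo "overriden ... failed"` messages in the tests/slow/override-ciphers hunk are being rewritten for indentation anyway; correct the spelling to "overridden" in the same change.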
diff --git a/tests/slow/test-ciphers b/tests/slow/test-ciphers index 7d66d54..0b66bb1 100755 --- a/tests/slow/test-ciphers +++ b/tests/slow/test-ciphers @@ -20,59 +20,57 @@ # along with GnuTLS; if not, write to the Free Software Foundation, # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -srcdir="${srcdir:-.}" -CLI="${CLI:-../../src/gnutls-cli$EXEEXT}" unset RETCODE if ! test -z "${VALGRIND}";then -VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" fi ./cipher-test if test $? != 0;then - echo "default cipher tests failed" - exit 1 + echo "default cipher tests failed" + exit 1 fi GNUTLS_CPUID_OVERRIDE=0x1 ./cipher-test if test $? != 0;then - echo "included cipher tests failed" - exit 1 + echo "included cipher tests failed" + exit 1 fi GNUTLS_CPUID_OVERRIDE=0x2 ./cipher-test if test $? != 0;then - echo "AESNI cipher tests failed" - exit 1 + echo "AESNI cipher tests failed" + exit 1 fi GNUTLS_CPUID_OVERRIDE=0x4 ./cipher-test if test $? != 0;then - echo "SSSE3 cipher tests failed" - exit 1 + echo "SSSE3 cipher tests failed" + exit 1 fi GNUTLS_CPUID_OVERRIDE=0x8 ./cipher-test if test $? != 0;then - echo "PCLMUL cipher tests failed" - exit 1 + echo "PCLMUL cipher tests failed" + exit 1 fi GNUTLS_CPUID_OVERRIDE=0x100000 ./cipher-test if test $? != 0;then - echo "padlock cipher tests failed" - exit 1 + echo "padlock cipher tests failed" + exit 1 fi GNUTLS_CPUID_OVERRIDE=0x200000 ./cipher-test if test $? != 0;then - echo "padlock PHE cipher tests failed" - exit 1 + echo "padlock PHE cipher tests failed" + exit 1 fi GNUTLS_CPUID_OVERRIDE=0x400000 ./cipher-test if test $? != 0;then - echo "padlock PHE SHA512 cipher tests failed" - exit 1 + echo "padlock PHE SHA512 cipher tests failed" + exit 1 fi exit 0 diff --git a/tests/userid/userid b/tests/userid/userid index 5374227..fbf97e7 100755 --- a/tests/userid/userid +++ b/tests/userid/userid 
@@ -20,15 +20,15 @@ # along with GnuTLS; if not, write to the Free Software Foundation, # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -srcdir=${srcdir:-.} -CERTTOOL=${CERTTOOL:-../../src/certtool$EXEEXT} +srcdir="${srcdir:-.}" +CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" -$CERTTOOL --certificate-info --infile $srcdir/userid.pem >out 2>&1 +$CERTTOOL --certificate-info --infile "${srcdir}/userid.pem" >out 2>&1 RET=$? -if [ $RET != 0 ];then - echo "Error in userid:" - cat out - exit 1 +if [ ${RET} != 0 ];then + echo "Error in userid:" + cat out + exit 1 fi rm -f out -- 2.3.6 From alon.barlev at gmail.com Sun Jun 21 02:00:04 2015 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Sun, 21 Jun 2015 03:00:04 +0300 Subject: [gnutls-devel] [PATCH 3/4] tests: misc: shell cleanup In-Reply-To: <1434844805-12931-1-git-send-email-alon.barlev@gmail.com> References: <1434844805-12931-1-git-send-email-alon.barlev@gmail.com> Message-ID: <1434844805-12931-3-git-send-email-alon.barlev@gmail.com> leftovers minor sync. Signed-off-by: Alon Bar-Lev --- tests/cert-tests/aki | 6 +- tests/cert-tests/certtool | 38 +++++------ tests/cert-tests/crq | 4 +- tests/cert-tests/dane | 2 +- tests/cert-tests/email | 4 +- tests/cert-tests/invalid-sig | 4 +- tests/cert-tests/pathlen | 8 +-- tests/cert-tests/pem-decoding | 4 +- tests/cert-tests/pkcs7 | 4 +- tests/cert-tests/template-test | 134 +++++++++++++++++++-------------------- tests/ecdsa/ecdsa | 22 +++---- tests/key-tests/key-id | 8 +-- tests/key-tests/pkcs8 | 2 +- tests/openpgp-certs/testselfsigs | 2 +- 14 files changed, 120 insertions(+), 122 deletions(-) diff --git a/tests/cert-tests/aki b/tests/cert-tests/aki index e1f2b0f..5f130cc 100755 --- a/tests/cert-tests/aki +++ b/tests/cert-tests/aki 
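Review bot: the echo messages in the override-ciphers hunk still read "overriden cipher tests failed" / "overriden mac tests failed" (and the "overriden mac tests 2 failed" variant); since every one of these lines is being rewritten for indentation anyway, fix the spelling to "overridden" in the same change. Dropping the `srcdir` and `CLI` assignments at the top of the file is fine, as nothing in the visible remainder of the script references either variable.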
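Review bot: in the userid hunk, `+$CERTTOOL --certificate-info --infile "${srcdir}/userid.pem" >out 2>&1` leaves the tool path unquoted and unbraced even though the same hunk rewrites that line and the assignment above it to `CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}"`; write it as `"${CERTTOOL}" --certificate-info ...` like the other tests in this series, so a CERTTOOL override containing spaces still works.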
@@ -23,14 +23,14 @@ set -e srcdir="${srcdir:-.}" -CERTTOOL="${CERTTOOL:-../../src/certtool$EXEEXT}" +CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" DIFF="${DIFF:-diff}" if ! test -z "${VALGRIND}";then -VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" fi ${VALGRIND} "${CERTTOOL}" --certificate-info --infile "${srcdir}/aki-cert.pem" \ - |grep -v "Algorithm Security Level" > tmp-aki.pem + |grep -v "Algorithm Security Level" > tmp-aki.pem rc=$? if test "${rc}" != "0"; then diff --git a/tests/cert-tests/certtool b/tests/cert-tests/certtool index 25a7e90..ce02ec8 100755 --- a/tests/cert-tests/certtool +++ b/tests/cert-tests/certtool @@ -21,10 +21,10 @@ #set -e srcdir="${srcdir:-.}" -CERTTOOL="${CERTTOOL:-../../src/certtool$EXEEXT}" +CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" DIFF="${DIFF:-diff}" if ! test -z "${VALGRIND}";then -VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" fi #check whether "funny" spaces can be interpreted 
@@ -32,32 +32,32 @@ id=`${VALGRIND} "${CERTTOOL}" --key-id --infile "${srcdir}/funny-spacing.pem" -- rc=$? if test "${id}" != "1e09d707d4e3651b84dcb6c68a828d2affef7ec3";then - echo "Key-ID1 doesn't match the expected: ${id}" - exit 1 + echo "Key-ID1 doesn't match the expected: ${id}" + exit 1 fi -id=`$VALGRIND "${CERTTOOL}" --key-id --infile "${srcdir}/funny-spacing.pem"` +id=`${VALGRIND} "${CERTTOOL}" --key-id --infile "${srcdir}/funny-spacing.pem"` rc=$? if test "${id}" != "1e09d707d4e3651b84dcb6c68a828d2affef7ec3";then - echo "Default key-ID1 doesn't match the expected; did the defaults change? ID: ${id}" - exit 1 + echo "Default key-ID1 doesn't match the expected; did the defaults change? ID: ${id}" + exit 1 fi id=`"${CERTTOOL}" --pubkey-info <"${srcdir}/funny-spacing.pem"|"${CERTTOOL}" --key-id --hash sha1` rc=$? if test "${id}" != "1e09d707d4e3651b84dcb6c68a828d2affef7ec3";then - echo "Key-ID2 doesn't match the expected: ${id}" - exit 1 + echo "Key-ID2 doesn't match the expected: ${id}" + exit 1 fi id=`"${CERTTOOL}" --pubkey-info <"${srcdir}/funny-spacing.pem"|"${CERTTOOL}" --key-id --hash sha256` rc=$? if test "${id}" != "118e72e3655150c895ecbd19b3634179fb4a87c7a25abefcb11f5d66661d5a4d";then - echo "Key-ID3 doesn't match the expected: ${id}" - exit 1 + echo "Key-ID3 doesn't match the expected: ${id}" + exit 1 fi #fingerprint @@ -65,16 +65,16 @@ id=`${VALGRIND} "${CERTTOOL}" --fingerprint --infile "${srcdir}/funny-spacing.pe rc=$? if test "${id}" != "8f735c5ddefd723f59b6a3bb2ac0522470c0182f";then - echo "Fingerprint doesn't match the expected: 3" - exit 1 + echo "Fingerprint doesn't match the expected: 3" + exit 1 fi id=`${VALGRIND} "${CERTTOOL}" --fingerprint --hash sha256 --infile "${srcdir}/funny-spacing.pem"` rc=$? if test "${id}" != "fc5b45b20c489393a457f177572920ac40bacba9d25cea51200822271eaf7d1f";then - echo "Fingerprint doesn't match the expected: 4" - exit 1 + echo "Fingerprint doesn't match the expected: 4" + exit 1 fi export TZ="UTC" 
@@ -83,8 +83,8 @@ export TZ="UTC" TSTAMP=`datefudge "2006-09-23" date -u +%s || true` if test "$TSTAMP" != "1158969600"; then echo $TSTAMP - echo "You need datefudge to run this test" - exit 77 + echo "You need datefudge to run this test" + exit 77 fi cat "${srcdir}/../certs/cert-ecc256.pem" "${srcdir}/../certs/ca-cert-ecc.pem"|datefudge "2012-11-22" \ @@ -92,8 +92,8 @@ ${VALGRIND} "${CERTTOOL}" --verify-chain rc=$? if test "${rc}" != "0";then - echo "There was an issue verifying the chain" - exit 1 + echo "There was an issue verifying the chain" + exit 1 fi diff --git a/tests/cert-tests/crq b/tests/cert-tests/crq index 4d87c45..cc2bbfe 100755 --- a/tests/cert-tests/crq +++ b/tests/cert-tests/crq @@ -23,10 +23,10 @@ #set -e srcdir="${srcdir:-.}" -CERTTOOL="${CERTTOOL:-../../src/certtool$EXEEXT}" +CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" DIFF="${DIFF:-diff}" if ! test -z "${VALGRIND}";then -VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=15" + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=15" fi OUTFILE=out.tmp diff --git a/tests/cert-tests/dane b/tests/cert-tests/dane index 55688eb..e019ef7 100755 --- a/tests/cert-tests/dane +++ b/tests/cert-tests/dane @@ -23,7 +23,7 @@ set -e srcdir="${srcdir:-.}" -DANETOOL="${DANETOOL:-../../src/danetool$EXEEXT}" +DANETOOL="${DANETOOL:-../../src/danetool${EXEEXT}}" DIFF="${DIFF:-diff}" test -e "${DANETOOL}" || exit 77 diff --git a/tests/cert-tests/email b/tests/cert-tests/email index 3b093a4..e12ee6b 100755 --- a/tests/cert-tests/email +++ b/tests/cert-tests/email 
@@ -21,10 +21,10 @@ # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. srcdir="${srcdir:-.}" -CERTTOOL="${CERTTOOL:-../../src/certtool$EXEEXT}" +CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" DIFF=$"{DIFF:-diff}" if ! test -z "${VALGRIND}";then -VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" fi ${VALGRIND} "${CERTTOOL}" -e --infile "${srcdir}/email-certs/chain.exclude.test.example.com" --verify-email test at example.com diff --git a/tests/cert-tests/invalid-sig b/tests/cert-tests/invalid-sig index 3f8553a..72d72ec 100755 --- a/tests/cert-tests/invalid-sig +++ b/tests/cert-tests/invalid-sig @@ -23,10 +23,10 @@ #set -e srcdir="${srcdir:-.}" -CERTTOOL="${CERTTOOL:-../../src/certtool$EXEEXT}" +CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" DIFF="${DIFF:-diff}" if ! test -z "${VALGRIND}";then -VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" fi #check whether a different PKCS #1 signature than the advertized in certificate is tolerated diff --git a/tests/cert-tests/pathlen b/tests/cert-tests/pathlen index 18084f5..710282d 100755 --- a/tests/cert-tests/pathlen +++ b/tests/cert-tests/pathlen @@ -23,14 +23,14 @@ set -e srcdir="${srcdir:-.}" -CERTTOOL="${CERTTOOL:-../../src/certtool$EXEEXT}" +CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" DIFF="${DIFF:-diff}" if ! test -z "${VALGRIND}";then -VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" fi ${VALGRIND} "${CERTTOOL}" --certificate-info --infile "${srcdir}/ca-no-pathlen.pem" \ - |grep -v "Algorithm Security Level" > new-ca-no-pathlen.pem + |grep -v "Algorithm Security Level" > new-ca-no-pathlen.pem rc=$? if test "${rc}" != "0"; then 
@@ -39,7 +39,7 @@ if test "${rc}" != "0"; then fi ${VALGRIND} "${CERTTOOL}" --certificate-info --infile "${srcdir}/no-ca-or-pathlen.pem" \ - |grep -v "Algorithm Security Level" > new-no-ca-or-pathlen.pem + |grep -v "Algorithm Security Level" > new-no-ca-or-pathlen.pem rc=$? if test "${rc}" != "0"; then diff --git a/tests/cert-tests/pem-decoding b/tests/cert-tests/pem-decoding index 6330373..8913acb 100755 --- a/tests/cert-tests/pem-decoding +++ b/tests/cert-tests/pem-decoding @@ -23,10 +23,10 @@ #set -e srcdir="${srcdir:-.}" -CERTTOOL="${CERTTOOL:-../../src/certtool$EXEEXT}" +CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" DIFF="${DIFF:-diff}" if ! test -z "${VALGRIND}";then -VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" fi #check whether "funny" spaces can be interpreted diff --git a/tests/cert-tests/pkcs7 b/tests/cert-tests/pkcs7 index f2a6ff0..c3938cb 100755 --- a/tests/cert-tests/pkcs7 +++ b/tests/cert-tests/pkcs7 @@ -21,10 +21,10 @@ #set -e srcdir="${srcdir:-.}" -CERTTOOL="${CERTTOOL:-../../src/certtool$EXEEXT}" +CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" DIFF="${DIFF:-diff}" if ! test -z "${VALGRIND}";then -VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=15" + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=15" fi OUTFILE=out-pkcs7.tmp OUTFILE2=out2-pkcs7.tmp diff --git a/tests/cert-tests/template-test b/tests/cert-tests/template-test index f1bc802..c92440e 100755 --- a/tests/cert-tests/template-test +++ b/tests/cert-tests/template-test @@ -21,7 +21,7 @@ #set -e srcdir="${srcdir:-.}" -CERTTOOL="${CERTTOOL:-../../src/certtool$EXEEXT}" +CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" DIFF="${DIFF:-diff}" export TZ="UTC" 
@@ -29,9 +29,9 @@ export TZ="UTC" # Check for datefudge TSTAMP=`datefudge "2006-09-23" date -u +%s || true` if test "$TSTAMP" != "1158969600"; then -echo $TSTAMP - echo "You need datefudge to run this test" - exit 77 + echo $TSTAMP + echo "You need datefudge to run this test" + exit 77 fi # Note that in rare cases this test may fail because the @@ -43,16 +43,16 @@ counter=1 while [ "${rc}" != "0" -a $counter -le 3 ] do -datefudge "2007-04-22" \ + datefudge "2007-04-22" \ "${CERTTOOL}" --generate-self-signed \ --load-privkey "${srcdir}/template-test.key" \ --template "${srcdir}/template-test.tmpl" \ --outfile tmp-tt.pem 2>/dev/null -${DIFF} "${srcdir}/template-test.pem" tmp-tt.pem >/dev/null 2>&1 -rc=$? -test ${rc} != 0 && sleep 3 -counter=`expr $counter + 1` + ${DIFF} "${srcdir}/template-test.pem" tmp-tt.pem >/dev/null 2>&1 + rc=$? + test ${rc} != 0 && sleep 3 + counter=`expr $counter + 1` done # We're done. @@ -68,16 +68,16 @@ counter=1 while [ "${rc}" != "0" -a $counter -le 3 ] do -datefudge "2007-04-22" \ + datefudge "2007-04-22" \ "${CERTTOOL}" --generate-self-signed \ --load-privkey "${srcdir}/template-test.key" \ --template "${srcdir}/template-utf8.tmpl" \ --outfile tmp-tt.pem 2>/dev/null -${DIFF} "${srcdir}/template-utf8.pem" tmp-tt.pem >/dev/null 2>&1 -rc=$? -test ${rc} != 0 && sleep 3 -counter=`expr $counter + 1` + ${DIFF} "${srcdir}/template-utf8.pem" tmp-tt.pem >/dev/null 2>&1 + rc=$? + test ${rc} != 0 && sleep 3 + counter=`expr $counter + 1` done # We're done. 
@@ -93,16 +93,16 @@ counter=1 while [ "${rc}" != "0" -a $counter -le 3 ] do -datefudge "2007-04-22" \ + datefudge "2007-04-22" \ "${CERTTOOL}" --generate-self-signed \ --load-privkey "${srcdir}/template-test.key" \ --template "${srcdir}/template-dn.tmpl" \ --outfile tmp-tt.pem 2>/dev/null -${DIFF} "${srcdir}/template-dn.pem" tmp-tt.pem >/dev/null 2>&1 -rc=$? -test ${rc} != 0 && sleep 3 -counter=`expr $counter + 1` + ${DIFF} "${srcdir}/template-dn.pem" tmp-tt.pem >/dev/null 2>&1 + rc=$? + test ${rc} != 0 && sleep 3 + counter=`expr $counter + 1` done # We're done. @@ -114,10 +114,10 @@ fi rm -f tmp-tt.pem datefudge "2007-04-22" \ - "${CERTTOOL}" --generate-self-signed \ - --load-privkey "${srcdir}/template-test.key" \ - --template "${srcdir}/template-dn-err.tmpl" \ - --outfile tmp-tt.pem 2>/dev/null + "${CERTTOOL}" --generate-self-signed \ + --load-privkey "${srcdir}/template-test.key" \ + --template "${srcdir}/template-dn-err.tmpl" \ + --outfile tmp-tt.pem 2>/dev/null rc=$? if test "${rc}" = "0"; then @@ -132,16 +132,16 @@ counter=1 while [ "${rc}" != "0" -a $counter -le 3 ] do -datefudge "2007-04-22" \ + datefudge "2007-04-22" \ "${CERTTOOL}" --generate-self-signed \ --load-privkey "${srcdir}/template-test.key" \ --template "${srcdir}/template-overflow.tmpl" \ --outfile tmp-tt.pem 2>/dev/null -${DIFF} "${srcdir}/template-overflow.pem" tmp-tt.pem >/dev/null 2>&1 -rc=$? -test ${rc} != 0 && sleep 3 -counter=`expr $counter + 1` + ${DIFF} "${srcdir}/template-overflow.pem" tmp-tt.pem >/dev/null 2>&1 + rc=$? + test ${rc} != 0 && sleep 3 + counter=`expr $counter + 1` done # We're done. 
@@ -160,16 +160,16 @@ counter=1 while [ "${rc}" != "0" -a $counter -le 3 ] do -datefudge "2007-04-22" \ + datefudge "2007-04-22" \ "${CERTTOOL}" --generate-self-signed \ --load-privkey "${srcdir}/template-test.key" \ --template "${srcdir}/template-overflow2.tmpl" \ --outfile tmp-tt.pem 2>/dev/null -${DIFF} "${srcdir}/template-overflow2.pem" tmp-tt.pem >/dev/null 2>&1 -rc=$? -test ${rc} != 0 && sleep 3 -counter=`expr $counter + 1` + ${DIFF} "${srcdir}/template-overflow2.pem" tmp-tt.pem >/dev/null 2>&1 + rc=$? + test ${rc} != 0 && sleep 3 + counter=`expr $counter + 1` done # We're done. @@ -186,16 +186,16 @@ counter=1 while [ "${rc}" != "0" -a $counter -le 3 ] do -datefudge "2007-04-22" \ + datefudge "2007-04-22" \ "${CERTTOOL}" --generate-self-signed \ --load-privkey "${srcdir}/template-test.key" \ --template "${srcdir}/template-date.tmpl" \ --outfile tmp-tt.pem 2>/dev/null -${DIFF} "${srcdir}/template-date.pem" tmp-tt.pem >/dev/null 2>&1 -rc=$? -test ${rc} != 0 && sleep 3 -counter=`expr $counter + 1` + ${DIFF} "${srcdir}/template-date.pem" tmp-tt.pem >/dev/null 2>&1 + rc=$? + test ${rc} != 0 && sleep 3 + counter=`expr $counter + 1` done # We're done. @@ -213,16 +213,16 @@ counter=1 while [ "${rc}" != "0" -a $counter -le 3 ] do -datefudge "2007-04-22" \ + datefudge "2007-04-22" \ "${CERTTOOL}" --generate-self-signed \ --load-privkey "${srcdir}/template-test.key" \ --template "${srcdir}/template-nc.tmpl" \ --outfile tmp-tt.pem 2>/dev/null -${DIFF} "${srcdir}/template-nc.pem" tmp-tt.pem >/dev/null 2>&1 -rc=$? -test ${rc} != 0 && sleep 3 -counter=`expr $counter + 1` + ${DIFF} "${srcdir}/template-nc.pem" tmp-tt.pem >/dev/null 2>&1 + rc=$? + test ${rc} != 0 && sleep 3 + counter=`expr $counter + 1` done # We're done. 
@@ -235,33 +235,31 @@ rm -f tmp-tt.pem # Test the GeneralizedTime support if test "$(getconf LONG_BIT)" = "64";then -# we should test that on systems which have 64-bit time_t. -rc=1 -counter=1 - -while [ "${rc}" != "0" -a $counter -le 3 ] -do -datefudge "2051-04-22" \ - "${CERTTOOL}" --generate-self-signed \ - --load-privkey "${srcdir}/template-test.key" \ - --template "${srcdir}/template-generalized.tmpl" \ - --outfile tmp-tt.pem 2>/dev/null - -${DIFF} "${srcdir}/template-generalized.pem" tmp-tt.pem >/dev/null 2>&1 -rc=$? -test ${rc} != 0 && sleep 3 -counter=`expr $counter + 1` -done - -# We're done. -if test "${rc}" != "0"; then - echo "Test 8 (generalizedTime) failed" - exit ${rc} -fi - + # we should test that on systems which have 64-bit time_t. + rc=1 + counter=1 + + while [ "${rc}" != "0" -a $counter -le 3 ] + do + datefudge "2051-04-22" \ + "${CERTTOOL}" --generate-self-signed \ + --load-privkey "${srcdir}/template-test.key" \ + --template "${srcdir}/template-generalized.tmpl" \ + --outfile tmp-tt.pem 2>/dev/null + + ${DIFF} "${srcdir}/template-generalized.pem" tmp-tt.pem >/dev/null 2>&1 + rc=$? + test ${rc} != 0 && sleep 3 + counter=`expr $counter + 1` + done + + # We're done. + if test "${rc}" != "0"; then + echo "Test 8 (generalizedTime) failed" + exit ${rc} + fi fi rm -f tmp-tt.pem - exit 0 diff --git a/tests/ecdsa/ecdsa b/tests/ecdsa/ecdsa index 90eead0..507f622 100755 --- a/tests/ecdsa/ecdsa +++ b/tests/ecdsa/ecdsa @@ -23,7 +23,7 @@ #set -e srcdir="${srcdir:-.}" -CERTTOOL="${CERTTOOL:-../../src/certtool$EXEEXT}" +CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" echo ca > template echo cn = "ECDSA SHA 256 CA" >> template @@ -36,8 +36,8 @@ echo cn = "ECDSA SHA 256 CA" >> template --hash sha256 >out 2>&1 if [ $? != 0 ];then - cat out - exit 1 + cat out + exit 1 fi echo ca > template 
@@ -52,8 +52,8 @@ echo cn = "ECDSA SHA 224 Mid CA" >> template --hash sha224 >out 2>&1 if [ $? != 0 ];then - cat out - exit 1 + cat out + exit 1 fi echo cn = "End-user" > template @@ -67,16 +67,16 @@ echo cn = "End-user" > template --outfile new-user.pem >out 2>&1 if [ $? != 0 ];then - cat out - exit 1 + cat out + exit 1 fi cat new-user.pem new-subca-ecdsa.pem new-ca-ecdsa.pem > out "${CERTTOOL}" --verify-chain verify if [ $? != 0 ];then - cat verify - exit 1 + cat verify + exit 1 fi rm -f verify new-user.pem new-ca-ecdsa.pem new-subca-ecdsa.pem template out @@ -84,8 +84,8 @@ rm -f key-subca-ecdsa.pem key-ca-ecdsa.pem key-ecdsa.pem "${CERTTOOL}" -k < "${srcdir}/bad-key.pem" | grep "validation failed" >/dev/null 2>&1 if [ $? != 0 ];then - echo "certtool didn't detect a bad ECDSA key." - exit 1 + echo "certtool didn't detect a bad ECDSA key." + exit 1 fi exit 0 diff --git a/tests/key-tests/key-id b/tests/key-tests/key-id index 7e09617..c671319 100755 --- a/tests/key-tests/key-id +++ b/tests/key-tests/key-id @@ -23,7 +23,7 @@ set -e srcdir="${srcdir:-.}" -CERTTOOL="${CERTTOOL:-../../src/certtool$EXEEXT}" +CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" PARAMS="--generate-certificate --load-privkey '${srcdir}/key-user.pem' --load-ca-privkey '${srcdir}/key-ca.pem' --template tmpl" @@ -40,10 +40,10 @@ eval "${CERTTOOL}" ${PARAMS} --load-ca-certificate "${srcdir}/ca-weird-keyid.pem if "${CERTTOOL}" -i < user-weird-keyid.pem \ | grep '7a2c7a6097460603cbfb28e8e219df18deeb4e0d' > /dev/null; then - : +: else - echo "Could not find CA SKI in user certificate." - exit 1; + echo "Could not find CA SKI in user certificate." + exit 1; fi rm -f tmpl user-gnutls-keyid.pem user-no-keyid.pem user-weird-keyid.pem diff --git a/tests/key-tests/pkcs8 b/tests/key-tests/pkcs8 index 8ea8dc9..3173bfa 100755 --- a/tests/key-tests/pkcs8 +++ b/tests/key-tests/pkcs8 
@@ -19,7 +19,7 @@ # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. srcdir="${srcdir:-.}" -CERTTOOL="${CERTTOOL:-../../src/certtool$EXEEXT}" +CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" GREP="${GREP:-grep}" # check keys with password diff --git a/tests/openpgp-certs/testselfsigs b/tests/openpgp-certs/testselfsigs index c997f9a..2910b29 100755 --- a/tests/openpgp-certs/testselfsigs +++ b/tests/openpgp-certs/testselfsigs @@ -23,7 +23,7 @@ set -e srcdir="${srcdir:-.}" -CERTTOOL="${CERTTOOL:-../../src/certtool$EXEEXT}" +CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" unset RETCODE || true -- 2.3.6 From alon.barlev at gmail.com Sun Jun 21 02:00:05 2015 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Sun, 21 Jun 2015 03:00:05 +0300 Subject: [gnutls-devel] [PATCH 4/4] tests: enforce UTC timezone in datefudge tests In-Reply-To: <1434844805-12931-1-git-send-email-alon.barlev@gmail.com> References: <1434844805-12931-1-git-send-email-alon.barlev@gmail.com> Message-ID: <1434844805-12931-4-git-send-email-alon.barlev@gmail.com> Signed-off-by: Alon Bar-Lev --- tests/pkcs1-padding/pkcs1-pad | 4 +++- tests/suite/testcompat-openssl | 2 ++ tests/suite/testcompat-polarssl | 2 ++ 3 files changed, 7 insertions(+), 1 deletion(-) diff --git a/tests/pkcs1-padding/pkcs1-pad b/tests/pkcs1-padding/pkcs1-pad index 65b31fd..8d0861a 100755 --- a/tests/pkcs1-padding/pkcs1-pad +++ b/tests/pkcs1-padding/pkcs1-pad @@ -26,9 +26,11 @@ set -e srcdir="${srcdir:-.}" CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" +export TZ="UTC" + # Check for datefudge TSTAMP=`datefudge "2006-09-23" date -u +%s || true` -if test "${TSTAMP}" != "1158962400"; then +if test "${TSTAMP}" != "1158969600"; then echo "You need datefudge to run this test" exit 77 fi diff --git a/tests/suite/testcompat-openssl b/tests/suite/testcompat-openssl index f82f00e..42b695d 100755 --- a/tests/suite/testcompat-openssl +++ b/tests/suite/testcompat-openssl 
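Review bot: the context line `DIFF=$"{DIFF:-diff}"` in the email hunk has the `$` outside the braces, so the parameter expansion never happens (bash reads `$"..."` as a locale-translated string and a strict POSIX shell keeps the `$` literally); since the hunk already rewrites the neighbouring CERTTOOL and VALGRIND lines, change it to `DIFF="${DIFF:-diff}"` as in aki, crq and the other cert-tests.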
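Review bot: in the first template-test hunk `-echo $TSTAMP` becomes `+ echo $TSTAMP` with the variable still unbraced and unquoted, next to an unchanged `if test "$TSTAMP" != "1158969600"`; if the line is being touched, make it `echo "${TSTAMP}"` so it follows the `${rc}` / `${counter}` style the rest of the patch adopts. The certtool hunk carries the same `echo $TSTAMP` as a context line and could get the same treatment.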
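Review bot: the key-id hunk de-indents the no-op `:` of the `then` branch to column 0 (`- :` becomes `+:`) while the `else` branch below it gains indentation (`+ echo "Could not find CA SKI in user certificate."` / `+ exit 1;`); keep `:` indented one level inside the `if` like the other branch, and drop the stray trailing semicolon on `exit 1;` while that line is being rewritten.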
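Review bot: the change of the expected timestamp from 1158962400 to 1158969600 in the pkcs1-pad hunk is correct once `export TZ="UTC"` is added (1158969600 is 2006-09-23 00:00:00 UTC; the old constant is two hours earlier, i.e. local midnight in a UTC+2 zone, so the test only ever passed in that timezone), but the commit message says nothing about it; add a sentence explaining why the constant changes. Consider also calling `datefudge "2006-09-23 00:00 UTC"` as the testcompat-openssl and testcompat-polarssl hunks already do, which makes the check independent of TZ even if the export is later lost.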
@@ -44,6 +44,8 @@ else export FIPS=0 fi +export TZ="UTC" + # Check for datefudge TSTAMP=`datefudge "2006-09-23 00:00 UTC" date -u +%s 2>/dev/null` if test "${TSTAMP}" != "1158969600"; then diff --git a/tests/suite/testcompat-polarssl b/tests/suite/testcompat-polarssl index fcaf99b..41dd59f 100755 --- a/tests/suite/testcompat-polarssl +++ b/tests/suite/testcompat-polarssl @@ -32,6 +32,8 @@ srcdir="${srcdir:-.}" +export TZ="UTC" + # Check for datefudge TSTAMP=`datefudge "2006-09-23 00:00 UTC" date -u +%s 2>/dev/null` if test "${TSTAMP}" != "1158969600"; then -- 2.3.6 From alon.barlev at gmail.com Sun Jun 21 02:00:03 2015 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Sun, 21 Jun 2015 03:00:03 +0300 Subject: [gnutls-devel] [PATCH 2/4] tests: suite: cleanup shell usage In-Reply-To: <1434844805-12931-1-git-send-email-alon.barlev@gmail.com> References: <1434844805-12931-1-git-send-email-alon.barlev@gmail.com> Message-ID: <1434844805-12931-2-git-send-email-alon.barlev@gmail.com> Add quotes for most usages of variables. Added ${} for variables. Cleanup indentation to be consistent with other tests. Fix separate builddir issues. Signed-off-by: Alon Bar-Lev --- configure.ac | 2 +- tests/suite/certs/create-chain.sh | 145 +++-- tests/suite/chain | 68 +-- tests/suite/crl-test | 20 +- tests/suite/eagain | 10 +- tests/suite/invalid-cert | 13 +- tests/suite/testcompat-common | 45 +- tests/suite/testcompat-main-openssl | 992 +++++++++++++++++------------------ tests/suite/testcompat-main-polarssl | 526 +++++++++---------- tests/suite/testcompat-openssl | 18 +- tests/suite/testcompat-polarssl | 6 +- tests/suite/testdane | 62 +-- tests/suite/testpkcs11 | 702 ++++++++++++------------- tests/suite/testpkcs11.pkcs15 | 41 +- tests/suite/testpkcs11.sc-hsm | 49 +- tests/suite/testpkcs11.softhsm | 85 ++- tests/suite/testrandom | 58 +- tests/suite/testrng | 128 ++--- tests/suite/testsrn | 78 +-- 19 files changed, 1517 insertions(+), 1531 deletions(-) 
diff --git a/configure.ac b/configure.ac index 0cbba41..3701889 100644 --- a/configure.ac +++ b/configure.ac @@ -89,7 +89,7 @@ if test "$use_cxx" != "no"; then AC_LANG_POP(C++) fi AM_CONDITIONAL(ENABLE_CXX, test "$use_cxx" != "no") -AM_CONDITIONAL(WANT_TEST_SUITE, [test -f tests/suite/mini-eagain2.c]) +AM_CONDITIONAL(WANT_TEST_SUITE, [test -f "${srcdir}/tests/suite/mini-eagain2.c"]) dnl Detect windows build use_accel=yes diff --git a/tests/suite/certs/create-chain.sh b/tests/suite/certs/create-chain.sh index 11add61..53f6087 100755 --- a/tests/suite/certs/create-chain.sh +++ b/tests/suite/certs/create-chain.sh 
@@ -1,93 +1,92 @@ #!/bin/sh -srcdir=${srcdir:-.} -CERTTOOL=${CERTTOOL:-../../../src/certtool$EXEEXT} +CERTTOOL="${CERTTOOL:-../../../src/certtool${EXEEXT}}" OUTPUT=out TEMPLATE=tmpl -NUM=$1 +NUM="$1" -if test "$NUM" = "";then - echo "usage: $0 number" - exit 1 +if test "${NUM}" = "";then + echo "usage: $0 number" + exit 1 fi -LAST=`expr $NUM - 1` +LAST=`expr ${NUM} - 1` -rm -rf $OUTPUT -mkdir -p $OUTPUT +rm -rf "${OUTPUT}" +mkdir -p "${OUTPUT}" counter=0 -while test $counter -lt $NUM; do - if test $counter = $LAST;then - name="server-$counter" - else - name="CA-$counter" - fi - serial=$counter +while test ${counter} -lt ${NUM}; do + if test ${counter} = ${LAST};then + name="server-${counter}" + else + name="CA-${counter}" + fi + serial="${counter}" - - $CERTTOOL --generate-privkey >$OUTPUT/$name.key 2>/dev/null - if test $counter = 0;then - # ROOT CA - echo "cn = $name" >$TEMPLATE - echo "serial = $serial" >>$TEMPLATE - echo "ca" >>$TEMPLATE - echo "expiration_days = -1" >>$TEMPLATE - echo "cert_signing_key" >>$TEMPLATE - echo "ocsp_signing_key" >>$TEMPLATE - echo "crl_signing_key" >>$TEMPLATE - $CERTTOOL --generate-self-signed --load-privkey $OUTPUT/$name.key --outfile \ - $OUTPUT/$name.crt --template $TEMPLATE 2>/dev/null + + "${CERTTOOL}" --generate-privkey >"${OUTPUT}/${name}.key" 2>/dev/null + if test ${counter} = 0;then + # ROOT CA + echo "cn = ${name}" >"${TEMPLATE}" + echo "serial = ${serial}" >>"${TEMPLATE}" + echo "ca" >>"${TEMPLATE}" + echo "expiration_days = -1" >>"${TEMPLATE}" + echo "cert_signing_key" >>"${TEMPLATE}" + echo "ocsp_signing_key" >>"${TEMPLATE}" + echo "crl_signing_key" >>"${TEMPLATE}" + "${CERTTOOL}" --generate-self-signed --load-privkey "${OUTPUT}/${name}.key" --outfile \ + "${OUTPUT}/${name}.crt" --template "${TEMPLATE}" 2>/dev/null - echo "serial = $serial" >$TEMPLATE - echo "expiration_days = -1" >>$TEMPLATE - $CERTTOOL --generate-crl --load-ca-privkey $OUTPUT/$name.key --load-ca-certificate $OUTPUT/$name.crt --outfile \ - 
$OUTPUT/$name.crl --template $TEMPLATE 2>/dev/null - else - if test $counter = $LAST;then - # END certificate - echo "cn = $name" >$TEMPLATE - echo "dns_name = localhost" >>$TEMPLATE - echo "expiration_days = -1" >>$TEMPLATE - echo "signing_key" >>$TEMPLATE - echo "encryption_key" >>$TEMPLATE - echo "ocsp_signing_key" >>$TEMPLATE - $CERTTOOL --generate-certificate --load-privkey $OUTPUT/$name.key \ - --load-ca-certificate $OUTPUT/$prev_name.crt \ - --load-ca-privkey $OUTPUT/$prev_name.key \ - --outfile $OUTPUT/$name.crt --template $TEMPLATE 2>/dev/null - else - # intermediate CA - echo "cn = $name" >$TEMPLATE - echo "serial = $serial" >>$TEMPLATE - echo "ca" >>$TEMPLATE - echo "expiration_days = -1" >>$TEMPLATE - echo "ocsp_signing_key" >>$TEMPLATE - echo "cert_signing_key" >>$TEMPLATE - echo "signing_key" >>$TEMPLATE - $CERTTOOL --generate-certificate --load-privkey $OUTPUT/$name.key \ - --load-ca-certificate $OUTPUT/$prev_name.crt \ - --load-ca-privkey $OUTPUT/$prev_name.key \ - --outfile $OUTPUT/$name.crt --template $TEMPLATE 2>/dev/null - fi - fi + echo "serial = ${serial}" >"${TEMPLATE}" + echo "expiration_days = -1" >>"${TEMPLATE}" + "${CERTTOOL}" --generate-crl --load-ca-privkey "${OUTPUT}/${name}.key" --load-ca-certificate "${OUTPUT}/${name}.crt" --outfile \ + "${OUTPUT}/${name}.crl" --template "${TEMPLATE}" 2>/dev/null + else + if test ${counter} = ${LAST};then + # END certificate + echo "cn = ${name}" >"${TEMPLATE}" + echo "dns_name = localhost" >>"${TEMPLATE}" + echo "expiration_days = -1" >>"${TEMPLATE}" + echo "signing_key" >>"${TEMPLATE}" + echo "encryption_key" >>"${TEMPLATE}" + echo "ocsp_signing_key" >>"${TEMPLATE}" + "${CERTTOOL}" --generate-certificate --load-privkey "${OUTPUT}/${name}.key" \ + --load-ca-certificate "${OUTPUT}/${prev_name}.crt" \ + --load-ca-privkey "${OUTPUT}/${prev_name}.key" \ + --outfile "${OUTPUT}/${name}.crt" --template "${TEMPLATE}" 2>/dev/null + else + # intermediate CA + echo "cn = ${name}" >"${TEMPLATE}" + echo "serial 
= ${serial}" >>"${TEMPLATE}" + echo "ca" >>"${TEMPLATE}" + echo "expiration_days = -1" >>"${TEMPLATE}" + echo "ocsp_signing_key" >>"${TEMPLATE}" + echo "cert_signing_key" >>"${TEMPLATE}" + echo "signing_key" >>"${TEMPLATE}" + "${CERTTOOL}" --generate-certificate --load-privkey "${OUTPUT}/${name}.key" \ + --load-ca-certificate "${OUTPUT}/${prev_name}.crt" \ + --load-ca-privkey "${OUTPUT}/${prev_name}.key" \ + --outfile "${OUTPUT}/${name}.crt" --template "${TEMPLATE}" 2>/dev/null + fi + fi - counter=`expr $counter + 1` - prev_name=$name + counter=`expr ${counter} + 1` + prev_name=${name} done -counter=`expr $NUM - 1` -while test $counter -ge 0; do - if test $counter = $LAST;then - name="server-$counter" - else - name="CA-$counter" - fi +counter=`expr ${NUM} - 1` +while test ${counter} -ge 0; do + if test ${counter} = ${LAST};then + name="server-${counter}" + else + name="CA-${counter}" + fi - cat $OUTPUT/$name.crt >> $OUTPUT/chain - - counter=`expr $counter - 1` + cat "${OUTPUT}/${name}.crt" >> "${OUTPUT}/chain" + + counter=`expr ${counter} - 1` done diff --git a/tests/suite/chain b/tests/suite/chain index f1967c9..4f00320 100755 --- a/tests/suite/chain +++ b/tests/suite/chain @@ -20,7 +20,7 @@ # along with GnuTLS; if not, write to the Free Software Foundation, # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -CERTTOOL=../../../src/certtool +CERTTOOL="../../../src/certtool" SUCCESS=" 1 4 7 12 15 16 17 18 24 26 27 30 33 56 57 62 63 " FAILURE=" 2 3 5 6 8 9 10 11 13 14 19 20 21 22 23 25 28 29 31 32 54 55 58 59 60 61 " 
@@ -33,41 +33,41 @@ mkdir -p chains RET=0 i=1 -while test -d X509tests/test$i; do - find X509tests/test$i -name *.crl -print0 |sort -r -z|xargs -n1 --null $CERTTOOL --crl-info --inder --infile > chains/chain$i.pem 2>/dev/null - find X509tests/test$i -name E*.crt -print0 |sort -r -z|xargs -n1 --null $CERTTOOL --certificate-info --inder --infile >> chains/chain$i.pem 2>/dev/null - if test "$i" -gt 1; then - find X509tests/test$i -name I*.crt -print0 |sort -r -z|xargs -n1 --null $CERTTOOL --certificate-info --inder --infile >> chains/chain$i.pem 2>/dev/null - fi - find X509tests/test$i -name T*.crt -print0 |sort -r -z|xargs -n1 --null $CERTTOOL --certificate-info --inder --infile >> chains/chain$i.pem 2>/dev/null - $CERTTOOL -e --infile chains/chain$i.pem > out 2>&1 - rc=$? - if test $rc != 0 && test $rc != 1; then - echo "Chain $i FATAL failure." - RET=1 +while test -d X509tests/test${i}; do + find X509tests/test${i} -name *.crl -print0 |sort -r -z|xargs -n1 --null "${CERTTOOL}" --crl-info --inder --infile > chains/chain${i}.pem 2>/dev/null + find X509tests/test${i} -name E*.crt -print0 |sort -r -z|xargs -n1 --null "${CERTTOOL}" --certificate-info --inder --infile >> chains/chain${i}.pem 2>/dev/null + if test "${i}" -gt 1; then + find X509tests/test${i} -name I*.crt -print0 |sort -r -z|xargs -n1 --null "${CERTTOOL}" --certificate-info --inder --infile >> chains/chain${i}.pem 2>/dev/null + fi + find X509tests/test${i} -name T*.crt -print0 |sort -r -z|xargs -n1 --null "${CERTTOOL}" --certificate-info --inder --infile >> chains/chain${i}.pem 2>/dev/null + "${CERTTOOL}" -e --infile chains/chain${i}.pem > out 2>&1 + rc=$? + if test $rc != 0 && test $rc != 1; then + echo "Chain ${i} FATAL failure." + RET=1 + else + if echo "$KNOWN_BUGS" | grep " ${i} " > /dev/null 2>&1; then + echo "Chain ${i} verification was skipped due to known bug." 
+ elif echo "$SUCCESS" | grep " ${i} " > /dev/null 2>&1; then + if grep 'Chain verification output:' out | grep -v 'Chain verification output: Verified\.' > /dev/null 2>&1; then + echo "Chain ${i} verification failure UNEXPECTED." + RET=1 + else + echo "Chain ${i} verification success as expected." + fi + elif echo "$FAILURE" | grep " ${i} " >/dev/null 2>&1; then + if grep 'Chain verification output:' out | grep -v 'Chain verification output: Verified\.' > /dev/null 2>&1; then + echo "Chain ${i} verification failure as expected." + else + echo "Chain ${i} verification success UNEXPECTED. " + RET=1 + fi else - if echo "$KNOWN_BUGS" | grep " $i " > /dev/null 2>&1; then - echo "Chain $i verification was skipped due to known bug." - elif echo "$SUCCESS" | grep " $i " > /dev/null 2>&1; then - if grep 'Chain verification output:' out | grep -v 'Chain verification output: Verified\.' > /dev/null 2>&1; then - echo "Chain $i verification failure UNEXPECTED." - RET=1 - else - echo "Chain $i verification success as expected." - fi - elif echo "$FAILURE" | grep " $i " >/dev/null 2>&1; then - if grep 'Chain verification output:' out | grep -v 'Chain verification output: Verified\.' > /dev/null 2>&1; then - echo "Chain $i verification failure as expected." - else - echo "Chain $i verification success UNEXPECTED. " - RET=1 - fi - else - echo "Chain $i unclassified." - fi + echo "Chain ${i} unclassified." fi - i=`expr $i + 1` + fi + i=`expr ${i} + 1` done rm -f out -exit $RET +exit ${RET} diff --git a/tests/suite/crl-test b/tests/suite/crl-test index de51bde..228f74e 100755 --- a/tests/suite/crl-test +++ b/tests/suite/crl-test 
@@ -20,29 +20,29 @@ # along with GnuTLS; if not, write to the Free Software Foundation, # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -srcdir=${srcdir:-.} -DIFF=${DIFF:-diff} -CERTTOOL=${CERTTOOL:-../../src/certtool$EXEEXT} +srcdir="${srcdir:-.}" +DIFF="${DIFF:-diff}" +CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" if ! test -z "${VALGRIND}";then -VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" fi rm -f tmp-long.pem -$VALGRIND $CERTTOOL --crl-info --inder --infile $srcdir/crl/long.crl --outfile tmp-long.pem +${VALGRIND} "${CERTTOOL}" --crl-info --inder --infile "${srcdir}/crl/long.crl" --outfile tmp-long.pem rc=$? # We're done. -if test "$rc" != "0"; then +if test "${rc}" != "0"; then echo "CRL decoding failed 1!" - exit $rc + exit ${rc} fi -$DIFF $srcdir/crl/long.pem tmp-long.pem || $DIFF --strip-trailing-cr $srcdir/crl/long.pem tmp-long.pem +${DIFF} "${srcdir}/crl/long.pem tmp-long.pem" || ${DIFF} --strip-trailing-cr "${srcdir}/crl/long.pem" tmp-long.pem rc=$? -if test "$rc" != "0"; then +if test "${rc}" != "0"; then echo "CRL decoding failed 2!" - exit $rc + exit ${rc} fi rm -f tmp-long.pem diff --git a/tests/suite/eagain b/tests/suite/eagain index ba95b95..d05bab9 100755 --- a/tests/suite/eagain +++ b/tests/suite/eagain @@ -21,23 +21,23 @@ # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. srcdir="${srcdir:-.}" -SERV="${SERV:-../../src/gnutls-serv$EXEEXT} -q" +SERV="${SERV:-../../src/gnutls-serv${EXEEXT}} -q" PORT="${PORT:-5445}" -$SERV -p $PORT --echo --priority "NORMAL:+ANON-DH" --dhparams $srcdir/params.dh >/dev/null 2>&1 & +$SERV -p "${PORT}" --echo --priority "NORMAL:+ANON-DH" --dhparams "${srcdir}/params.dh" >/dev/null 2>&1 & pid=$! sleep 2 ./eagain-cli if [ $? != 0 ];then - exit 1 + exit 1 fi if [ "$pid" != "" ];then -kill $pid -wait + kill $pid + wait fi exit 0 
diff --git a/tests/suite/invalid-cert b/tests/suite/invalid-cert index ec8e265..a9e1f5e 100755 --- a/tests/suite/invalid-cert +++ b/tests/suite/invalid-cert @@ -20,19 +20,18 @@ # along with GnuTLS; if not, write to the Free Software Foundation, # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -srcdir=${srcdir:-.} -CERTTOOL=${CERTTOOL:-../../src/certtool$EXEEXT} +srcdir="${srcdir:-.}" +CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" if ! test -z "${VALGRIND}";then -VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" fi -$VALGRIND $CERTTOOL --certificate-info --inder --infile $srcdir/invalid-cert.der 2>/dev/null - +${VALGRIND} "${CERTTOOL}" --certificate-info --inder --infile "${srcdir}/invalid-cert.der" 2>/dev/null rc=$? # We're done. -if test "$rc" != "1"; then - exit $rc +if test "${rc}" != "1"; then + exit ${rc} fi exit 0 diff --git a/tests/suite/testcompat-common b/tests/suite/testcompat-common index 2eda62b..b4181e7 100644 --- a/tests/suite/testcompat-common +++ b/tests/suite/testcompat-common @@ -1,5 +1,3 @@ -#!/bin/sh - # Copyright (C) 2014 Red Hat, Inc. # All rights reserved. # 
@@ -29,33 +27,32 @@ # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY # WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -DSA_CERT=$srcdir/../dsa/cert.dsa.1024.pem -DSA_KEY=$srcdir/../dsa/dsa.1024.pem - -RSA_CERT=$srcdir/../certs/cert-rsa-2432.pem -RSA_KEY=$srcdir/../certs/rsa-2432.pem +DSA_CERT="${srcdir}/../dsa/cert.dsa.1024.pem" +DSA_KEY="${srcdir}/../dsa/dsa.1024.pem" -CA_CERT=$srcdir/../../doc/credentials/x509/ca.pem -CLI_CERT=$srcdir/../../doc/credentials/x509/clicert.pem -CLI_KEY=$srcdir/../../doc/credentials/x509/clikey.pem +RSA_CERT="${srcdir}/../certs/cert-rsa-2432.pem" +RSA_KEY="${srcdir}/../certs/rsa-2432.pem" -CA_ECC_CERT=$srcdir/../certs/ca-cert-ecc.pem -ECC224_CERT=$srcdir/../certs/cert-ecc.pem -ECC224_KEY=$srcdir/../certs/ecc.pem +CA_CERT="${srcdir}/../../doc/credentials/x509/ca.pem" +CLI_CERT="${srcdir}/../../doc/credentials/x509/clicert.pem" +CLI_KEY="${srcdir}/../../doc/credentials/x509/clikey.pem" -ECC256_CERT=$srcdir/../certs/cert-ecc256.pem -ECC256_KEY=$srcdir/../certs/ecc256.pem +CA_ECC_CERT="${srcdir}/../certs/ca-cert-ecc.pem" +ECC224_CERT="${srcdir}/../certs/cert-ecc.pem" +ECC224_KEY="${srcdir}/../certs/ecc.pem" -ECC521_CERT=$srcdir/../certs/cert-ecc521.pem -ECC521_KEY=$srcdir/../certs/ecc521.pem +ECC256_CERT="${srcdir}/../certs/cert-ecc256.pem" +ECC256_KEY="${srcdir}/../certs/ecc256.pem" -ECC384_CERT=$srcdir/../certs/cert-ecc384.pem -ECC384_KEY=$srcdir/../certs/ecc384.pem +ECC521_CERT="${srcdir}/../certs/cert-ecc521.pem" +ECC521_KEY="${srcdir}/../certs/ecc521.pem" -SERV_CERT=$srcdir/../../doc/credentials/x509/cert-rsa.pem -SERV_KEY=$srcdir/../../doc/credentials/x509/key-rsa.pem -SERV_DSA_CERT=$srcdir/../../doc/credentials/x509/cert-dsa.pem -SERV_DSA_KEY=$srcdir/../../doc/credentials/x509/key-dsa.pem +ECC384_CERT="${srcdir}/../certs/cert-ecc384.pem" +ECC384_KEY="${srcdir}/../certs/ecc384.pem" -SERV_PSK=$srcdir/../../doc/credentials/psk-passwd.txt 
+SERV_CERT="${srcdir}/../../doc/credentials/x509/cert-rsa.pem" +SERV_KEY="${srcdir}/../../doc/credentials/x509/key-rsa.pem" +SERV_DSA_CERT="${srcdir}/../../doc/credentials/x509/cert-dsa.pem" +SERV_DSA_KEY="${srcdir}/../../doc/credentials/x509/key-dsa.pem" +SERV_PSK="${srcdir}/../../doc/credentials/psk-passwd.txt" diff --git a/tests/suite/testcompat-main-openssl b/tests/suite/testcompat-main-openssl index 977706b..bac6026 100755 --- a/tests/suite/testcompat-main-openssl +++ b/tests/suite/testcompat-main-openssl @@ -31,39 +31,39 @@ # WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. srcdir="${srcdir:-.}" -CLI="${CLI:-../../src/gnutls-cli$EXEEXT}" +CLI="${CLI:-../../src/gnutls-cli${EXEEXT}}" unset RETCODE if ! test -z "${VALGRIND}";then -VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" fi if test "${WINDIR}" != "";then exit 77 fi -. $srcdir/../scripts/common.sh +. "${srcdir}/../scripts/common.sh" -PORT="${PORT:-$RPORT}" +PORT="${PORT:-${RPORT}}" SERV=openssl OPENSSL_CLI="openssl" if test -f /etc/debian_version;then - DEBIAN=1 + DEBIAN=1 fi -echo "Compatibility checks using "`$SERV version` -$SERV version|grep -e 1\.0 >/dev/null 2>&1 +echo "Compatibility checks using "`${SERV} version` +${SERV} version|grep -e 1\.0 >/dev/null 2>&1 SV=$? -if test $SV != 0;then +if test ${SV} != 0;then echo "OpenSSL 1.0.0 is required for ECDH and DTLS tests" exit 77 fi -$SERV version|grep -e 1\.0\.1 >/dev/null 2>&1 +${SERV} version|grep -e 1\.0\.1 >/dev/null 2>&1 SV2=$? -. ./testcompat-common +. "${srcdir}/testcompat-common" echo "#################################################" echo "# Client mode tests (gnutls cli-openssl server) #" 
@@ -71,288 +71,281 @@ echo "#################################################" for ADD in "" ":%COMPAT" ":%NO_ETM" #":%NO_TICKETS" ":%DISABLE_SAFE_RENEGOTIATION" do + if ! test -z "${ADD}";then + echo "" + echo "** Modifier: ${ADD}" + fi + + if test "${DEBIAN}" != 1;then + + # It seems debian disabled SSL 3.0 completely on openssl + + launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -ssl3 -dhparam "${srcdir}/params.dh" -key "${RSA_KEY}" -cert "${RSA_CERT}" -dkey "${DSA_KEY}" -dcert "${DSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" & + PID=$! + wait_server ${PID} + + # Test SSL 3.0 with RSA ciphersuite + echo "Checking SSL 3.0 with RSA..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ + fail ${PID} "Failed" + + # Test SSL 3.0 with DHE-RSA ciphersuite + echo "Checking SSL 3.0 with DHE-RSA..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+DHE-RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ + fail ${PID} "Failed" + + # Test SSL 3.0 with DHE-DSS ciphersuite + echo "Checking SSL 3.0 with DHE-DSS..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ + fail ${PID} "Failed" + + kill ${PID} + wait + + launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -ssl3 -dhparam "${srcdir}/params.dh" -key "${RSA_KEY}" -cert "${RSA_CERT}" -cipher RC4-MD5 & + PID=$! + wait_server ${PID} + + echo "Checking SSL 3.0 with RSA-RC4-MD5..." 
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+ARCFOUR-128:+MD5:+SIGN-ALL:+COMP-NULL:+VERS-SSL3.0:+RSA${ADD}" --insecure /dev/null || \ + fail ${PID} "Failed" + + kill ${PID} + wait + fi + + if test "${FIPS}" != 1;then + #-cipher RSA-NULL + launch_bare_server $$ s_server -cipher NULL-SHA -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 -dhparam "${srcdir}/params.dh" -key "${RSA_KEY}" -cert "${RSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" & + PID=$! + wait_server ${PID} + + # Test TLS 1.0 with RSA-NULL ciphersuite + echo "Checking TLS 1.0 with RSA-NULL..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+NULL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ + fail ${PID} "Failed" + + kill ${PID} + wait + fi + + #-cipher RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA + launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 -dhparam "${srcdir}/params.dh" -key "${RSA_KEY}" -cert "${RSA_CERT}" -dkey "${DSA_KEY}" -dcert "${DSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" & + PID=$! + wait_server ${PID} + + # Test TLS 1.0 with RSA ciphersuite + echo "Checking TLS 1.0 with RSA and 3DES-CBC..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+3DES-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ + fail ${PID} "Failed" + + echo "Checking TLS 1.0 with RSA and AES-128-CBC..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-128-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ + fail ${PID} "Failed" + + echo "Checking TLS 1.0 with RSA and AES-256-CBC..." 
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-256-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ + fail ${PID} "Failed" + + echo "Checking TLS 1.0 with RSA and CAMELLIA-128-CBC..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CAMELLIA-128-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ + fail ${PID} "Failed" + + echo "Checking TLS 1.0 with RSA and CAMELLIA-256-CBC..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CAMELLIA-256-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ + fail ${PID} "Failed" + + # Test TLS 1.0 with DHE-RSA ciphersuite + echo "Checking TLS 1.0 with DHE-RSA..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ + fail ${PID} "Failed" + + # Test TLS 1.0 with DHE-RSA ciphersuite + echo "Checking TLS 1.0 with ECDHE-RSA..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-RSA:+CURVE-ALL${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ + fail ${PID} "Failed" + + # Test TLS 1.0 with DHE-DSS ciphersuite + echo "Checking TLS 1.0 with DHE-DSS..." 
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ + fail ${PID} "Failed" + + kill ${PID} + wait + + if test "${FIPS}" != 1;then + + #-cipher ECDHE-ECDSA-AES128-SHA + launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 -key "${ECC224_KEY}" -cert "${ECC224_CERT}" -Verify 1 -named_curve secp224r1 -CAfile "${CA_ECC_CERT}" & + PID=$! + wait_server ${PID} + + # Test TLS 1.0 with ECDHE-ECDSA ciphersuite + echo "Checking TLS 1.0 with ECDHE-ECDSA (SECP224R1)..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --insecure --x509certfile "${ECC224_CERT}" --x509keyfile "${ECC224_KEY}" /dev/null || \ + fail ${PID} "Failed" + + kill ${PID} + wait + fi + + #-cipher ECDHE-ECDSA-AES128-SHA + launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 -key "${ECC384_KEY}" -cert "${ECC384_CERT}" -Verify 1 -named_curve secp384r1 -CAfile "${CA_ECC_CERT}" & + PID=$! + wait_server ${PID} + + # Test TLS 1.0 with ECDHE-ECDSA ciphersuite + echo "Checking TLS 1.0 with ECDHE-ECDSA (SECP384R1)..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --insecure --x509certfile "${ECC384_CERT}" --x509keyfile "${ECC384_KEY}" /dev/null || \ + fail ${PID} "Failed" + + kill ${PID} + wait + + if test "${FIPS}" != 1;then + #-cipher ECDHE-ECDSA-AES128-SHA + launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 -key "${ECC521_KEY}" -cert "${ECC521_CERT}" -Verify 1 -named_curve secp521r1 -CAfile "${CA_ECC_CERT}" & + PID=$! 
+ wait_server ${PID} + + # Test TLS 1.0 with ECDHE-ECDSA ciphersuite + echo "Checking TLS 1.0 with ECDHE-ECDSA (SECP521R1)..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --insecure --x509certfile "${ECC521_CERT}" --x509keyfile "${ECC521_KEY}" /dev/null || \ + fail ${PID} "Failed" + + kill ${PID} + wait + fi + + #-cipher PSK + launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -tls1 -keyform pem -certform pem -dhparam "${srcdir}/params.dh" -key "${RSA_KEY}" -cert "${RSA_CERT}" -cipher PSK -psk 9e32cf7786321a828ef7668f09fb35db & + PID=$! + wait_server ${PID} + + echo "Checking TLS 1.0 with PSK..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+PSK${ADD}" --pskusername Client_identity --pskkey 9e32cf7786321a828ef7668f09fb35db --insecure /dev/null || \ + fail ${PID} "Failed" + + kill ${PID} + wait + + if test ${SV2} = 0;then + # Tests requiring openssl 1.0.1 - TLS 1.2 + #-cipher RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA + launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 -dhparam "${srcdir}/params.dh" -key "${RSA_KEY}" -cert "${RSA_CERT}" -dkey "${DSA_KEY}" -dcert "${DSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" & + PID=$! + wait_server ${PID} + + echo "Checking TLS 1.2 with RSA and AES-128-GCM..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-128-GCM:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ + fail ${PID} "Failed" + + echo "Checking TLS 1.2 with RSA and AES-256-GCM..." 
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-256-GCM:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ + fail ${PID} "Failed" + + echo "Checking TLS 1.2 with DHE-RSA..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ + fail ${PID} "Failed" + + echo "Checking TLS 1.2 with ECDHE-RSA..." + "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-RSA:+CURVE-ALL${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ + fail ${PID} "Failed" + + echo "Checking TLS 1.2 with DHE-DSS..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ + fail ${PID} "Failed" + + kill ${PID} + wait + + if test "${FIPS}" != 1;then + #-cipher ECDHE-ECDSA-AES128-SHA + launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 -key "${ECC224_KEY}" -cert "${ECC224_CERT}" -Verify 1 -named_curve secp224r1 -CAfile "${CA_ECC_CERT}" & + PID=$! + wait_server ${PID} + + echo "Checking TLS 1.2 with ECDHE-ECDSA... 
(SECP224R1)" + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --insecure --x509certfile "${ECC224_CERT}" --x509keyfile "${ECC224_KEY}" /dev/null || \ + fail ${PID} "Failed" + + kill ${PID} + wait + fi + + #-cipher ECDHE-ECDSA-AES128-SHA + launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 -key "${ECC384_KEY}" -cert "${ECC384_CERT}" -Verify 1 -named_curve secp384r1 -CAfile "${CA_ECC_CERT}" & + PID=$! + wait_server ${PID} + + echo "Checking TLS 1.2 with ECDHE-ECDSA... (SECP384R1)" + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --insecure --x509certfile "${ECC384_CERT}" --x509keyfile "${ECC384_KEY}" /dev/null || \ + fail ${PID} "Failed" + + kill ${PID} + wait + + if test "${FIPS}" != 1;then + #-cipher ECDHE-ECDSA-AES128-SHA + launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 -key "${ECC521_KEY}" -cert "${ECC521_CERT}" -Verify 1 -named_curve secp521r1 -CAfile "${CA_ECC_CERT}" & + PID=$! + wait_server ${PID} + + echo "Checking TLS 1.2 with ECDHE-ECDSA... (SECP521R1)" + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --insecure --x509certfile "${ECC521_CERT}" --x509keyfile "${ECC521_KEY}" /dev/null || \ + fail ${PID} "Failed" + + kill ${PID} + wait + fi #FIPS + fi #SV2 + + #-cipher PSK + launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -tls1_2 -keyform pem -certform pem -dhparam "${srcdir}/params.dh" -key "${RSA_KEY}" -cert "${RSA_CERT}" -cipher PSK -psk 9e32cf7786321a828ef7668f09fb35db & + PID=$! + wait_server ${PID} + + echo "Checking TLS 1.2 with PSK..." 
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+PSK:+CURVE-ALL${ADD}" --insecure --pskusername Client_identity --pskkey 9e32cf7786321a828ef7668f09fb35db /dev/null || \ + fail ${PID} "Failed" + + kill ${PID} + wait + + launch_bare_server $$ s_server -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout -dhparam "${srcdir}/params.dh" -key "${RSA_KEY}" -cert "${RSA_CERT}" -dkey "${DSA_KEY}" -dcert "${DSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" & PID=$! + wait_server ${PID} + + # Test DTLS 1.0 with RSA ciphersuite + echo "Checking DTLS 1.0 with RSA..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+RSA${ADD}" --udp --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ + fail ${PID} "Failed" + + kill ${PID} + wait + + launch_bare_server $$ s_server -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout -dhparam "${srcdir}/params.dh" -key "${RSA_KEY}" -cert "${RSA_CERT}" -dkey "${DSA_KEY}" -dcert "${DSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" & + PID=$! + wait_server ${PID} + + # Test DTLS 1.0 with DHE-RSA ciphersuite + echo "Checking DTLS 1.0 with DHE-RSA..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+DHE-RSA${ADD}" --udp --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ + fail ${PID} "Failed" + + kill ${PID} + wait + + launch_bare_server $$ s_server -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout -dhparam "${srcdir}/params.dh" -key "${RSA_KEY}" -cert "${RSA_CERT}" -dkey "${DSA_KEY}" -dcert "${DSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" & + PID=$! + wait_server ${PID} + + # Test DTLS 1.0 with DHE-DSS ciphersuite + echo "Checking DTLS 1.0 with DHE-DSS..." 
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --udp --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ + fail ${PID} "Failed" -if ! test -z "$ADD";then -echo "" -echo "** Modifier: $ADD" -fi - -if test "$DEBIAN" != 1;then - -# It seems debian disabled SSL 3.0 completely on openssl - -launch_bare_server $$ s_server -quiet -www -accept $PORT -keyform pem -certform pem -ssl3 -dhparam params.dh -key $RSA_KEY -cert $RSA_CERT -dkey $DSA_KEY -dcert $DSA_CERT -Verify 1 -CAfile $CA_CERT & -PID=$! -wait_server $PID - -# Test SSL 3.0 with RSA ciphersuite -echo "Checking SSL 3.0 with RSA..." -$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+RSA$ADD" --insecure --x509certfile $CLI_CERT --x509keyfile $CLI_KEY /dev/null || \ - fail $PID "Failed" - -# Test SSL 3.0 with DHE-RSA ciphersuite -echo "Checking SSL 3.0 with DHE-RSA..." -$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+DHE-RSA$ADD" --insecure --x509certfile $CLI_CERT --x509keyfile $CLI_KEY /dev/null || \ - fail $PID "Failed" - -# Test SSL 3.0 with DHE-DSS ciphersuite -echo "Checking SSL 3.0 with DHE-DSS..." -$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256$ADD" --insecure --x509certfile $CLI_CERT --x509keyfile $CLI_KEY /dev/null || \ - fail $PID "Failed" - -kill $PID -wait - -launch_bare_server $$ s_server -quiet -www -accept $PORT -keyform pem -certform pem -ssl3 -dhparam params.dh -key $RSA_KEY -cert $RSA_CERT -cipher RC4-MD5 & -PID=$! -wait_server $PID - -echo "Checking SSL 3.0 with RSA-RC4-MD5..." 
-$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+ARCFOUR-128:+MD5:+SIGN-ALL:+COMP-NULL:+VERS-SSL3.0:+RSA$ADD" --insecure /dev/null || \ - fail $PID "Failed" - -kill $PID -wait - -fi - -if test "$FIPS" != 1;then -#-cipher RSA-NULL -launch_bare_server $$ s_server -cipher NULL-SHA -quiet -www -accept $PORT -keyform pem -certform pem -tls1 -dhparam params.dh -key $RSA_KEY -cert $RSA_CERT -Verify 1 -CAfile $CA_CERT & -PID=$! -wait_server $PID - -# Test TLS 1.0 with RSA-NULL ciphersuite -echo "Checking TLS 1.0 with RSA-NULL..." -$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+NULL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA$ADD" --insecure --x509certfile $CLI_CERT --x509keyfile $CLI_KEY /dev/null || \ - fail $PID "Failed" - -kill $PID -wait -fi - -#-cipher RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA -launch_bare_server $$ s_server -quiet -www -accept $PORT -keyform pem -certform pem -tls1 -dhparam params.dh -key $RSA_KEY -cert $RSA_CERT -dkey $DSA_KEY -dcert $DSA_CERT -Verify 1 -CAfile $CA_CERT & -PID=$! -wait_server $PID - -# Test TLS 1.0 with RSA ciphersuite -echo "Checking TLS 1.0 with RSA and 3DES-CBC..." -$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+3DES-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA$ADD" --insecure --x509certfile $CLI_CERT --x509keyfile $CLI_KEY /dev/null || \ - fail $PID "Failed" - -echo "Checking TLS 1.0 with RSA and AES-128-CBC..." -$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+AES-128-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA$ADD" --insecure --x509certfile $CLI_CERT --x509keyfile $CLI_KEY /dev/null || \ - fail $PID "Failed" - -echo "Checking TLS 1.0 with RSA and AES-256-CBC..." 
-$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+AES-256-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA$ADD" --insecure --x509certfile $CLI_CERT --x509keyfile $CLI_KEY /dev/null || \ - fail $PID "Failed" - -echo "Checking TLS 1.0 with RSA and CAMELLIA-128-CBC..." -$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CAMELLIA-128-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA$ADD" --insecure --x509certfile $CLI_CERT --x509keyfile $CLI_KEY /dev/null || \ - fail $PID "Failed" - -echo "Checking TLS 1.0 with RSA and CAMELLIA-256-CBC..." -$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CAMELLIA-256-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA$ADD" --insecure --x509certfile $CLI_CERT --x509keyfile $CLI_KEY /dev/null || \ - fail $PID "Failed" - -# Test TLS 1.0 with DHE-RSA ciphersuite -echo "Checking TLS 1.0 with DHE-RSA..." -$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-RSA$ADD" --insecure --x509certfile $CLI_CERT --x509keyfile $CLI_KEY /dev/null || \ - fail $PID "Failed" - -# Test TLS 1.0 with DHE-RSA ciphersuite -echo "Checking TLS 1.0 with ECDHE-RSA..." -$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-RSA:+CURVE-ALL$ADD" --insecure --x509certfile $CLI_CERT --x509keyfile $CLI_KEY /dev/null || \ - fail $PID "Failed" - -# Test TLS 1.0 with DHE-DSS ciphersuite -echo "Checking TLS 1.0 with DHE-DSS..." 
-$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256$ADD" --insecure --x509certfile $CLI_CERT --x509keyfile $CLI_KEY /dev/null || \ - fail $PID "Failed" - -kill $PID -wait - -if test "$FIPS" != 1;then - -#-cipher ECDHE-ECDSA-AES128-SHA -launch_bare_server $$ s_server -quiet -www -accept $PORT -keyform pem -certform pem -tls1 -key $ECC224_KEY -cert $ECC224_CERT -Verify 1 -named_curve secp224r1 -CAfile $CA_ECC_CERT & -PID=$! -wait_server $PID - -# Test TLS 1.0 with ECDHE-ECDSA ciphersuite -echo "Checking TLS 1.0 with ECDHE-ECDSA (SECP224R1)..." -$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL$ADD" --insecure --x509certfile $ECC224_CERT --x509keyfile $ECC224_KEY /dev/null || \ - fail $PID "Failed" - -kill $PID -wait - -fi - -#-cipher ECDHE-ECDSA-AES128-SHA -launch_bare_server $$ s_server -quiet -www -accept $PORT -keyform pem -certform pem -tls1 -key $ECC384_KEY -cert $ECC384_CERT -Verify 1 -named_curve secp384r1 -CAfile $CA_ECC_CERT & -PID=$! -wait_server $PID - -# Test TLS 1.0 with ECDHE-ECDSA ciphersuite -echo "Checking TLS 1.0 with ECDHE-ECDSA (SECP384R1)..." -$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL$ADD" --insecure --x509certfile $ECC384_CERT --x509keyfile $ECC384_KEY /dev/null || \ - fail $PID "Failed" - -kill $PID -wait - -if test "$FIPS" != 1;then -#-cipher ECDHE-ECDSA-AES128-SHA -launch_bare_server $$ s_server -quiet -www -accept $PORT -keyform pem -certform pem -tls1 -key $ECC521_KEY -cert $ECC521_CERT -Verify 1 -named_curve secp521r1 -CAfile $CA_ECC_CERT & -PID=$! -wait_server $PID - -# Test TLS 1.0 with ECDHE-ECDSA ciphersuite -echo "Checking TLS 1.0 with ECDHE-ECDSA (SECP521R1)..." 
-$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL$ADD" --insecure --x509certfile $ECC521_CERT --x509keyfile $ECC521_KEY /dev/null || \ - fail $PID "Failed" - -kill $PID -wait - -fi - -#-cipher PSK -launch_bare_server $$ s_server -quiet -www -accept $PORT -tls1 -keyform pem -certform pem -dhparam params.dh -key $RSA_KEY -cert $RSA_CERT -cipher PSK -psk 9e32cf7786321a828ef7668f09fb35db & -PID=$! -wait_server $PID - -echo "Checking TLS 1.0 with PSK..." -$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+PSK$ADD" --pskusername Client_identity --pskkey 9e32cf7786321a828ef7668f09fb35db --insecure /dev/null || \ - fail $PID "Failed" - -kill $PID -wait - -if test $SV2 = 0;then -# Tests requiring openssl 1.0.1 - TLS 1.2 -#-cipher RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA -launch_bare_server $$ s_server -quiet -www -accept $PORT -keyform pem -certform pem -tls1_2 -dhparam params.dh -key $RSA_KEY -cert $RSA_CERT -dkey $DSA_KEY -dcert $DSA_CERT -Verify 1 -CAfile $CA_CERT & -PID=$! -wait_server $PID - -echo "Checking TLS 1.2 with RSA and AES-128-GCM..." -$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+AES-128-GCM:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+RSA$ADD" --insecure --x509certfile $CLI_CERT --x509keyfile $CLI_KEY /dev/null || \ - fail $PID "Failed" - -echo "Checking TLS 1.2 with RSA and AES-256-GCM..." -$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+AES-256-GCM:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+RSA$ADD" --insecure --x509certfile $CLI_CERT --x509keyfile $CLI_KEY /dev/null || \ - fail $PID "Failed" - -echo "Checking TLS 1.2 with DHE-RSA..." 
-$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA$ADD" --insecure --x509certfile $CLI_CERT --x509keyfile $CLI_KEY /dev/null || \ - fail $PID "Failed" - -echo "Checking TLS 1.2 with ECDHE-RSA..." -$CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-RSA:+CURVE-ALL$ADD" --insecure --x509certfile $CLI_CERT --x509keyfile $CLI_KEY /dev/null || \ - fail $PID "Failed" - -echo "Checking TLS 1.2 with DHE-DSS..." -$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256$ADD" --insecure --x509certfile $CLI_CERT --x509keyfile $CLI_KEY /dev/null || \ - fail $PID "Failed" - -kill $PID -wait - -if test "$FIPS" != 1;then -#-cipher ECDHE-ECDSA-AES128-SHA -launch_bare_server $$ s_server -quiet -www -accept $PORT -keyform pem -certform pem -tls1_2 -key $ECC224_KEY -cert $ECC224_CERT -Verify 1 -named_curve secp224r1 -CAfile $CA_ECC_CERT & -PID=$! -wait_server $PID - -echo "Checking TLS 1.2 with ECDHE-ECDSA... (SECP224R1)" -$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL$ADD" --insecure --x509certfile $ECC224_CERT --x509keyfile $ECC224_KEY /dev/null || \ - fail $PID "Failed" - -kill $PID -wait -fi - -#-cipher ECDHE-ECDSA-AES128-SHA -launch_bare_server $$ s_server -quiet -www -accept $PORT -keyform pem -certform pem -tls1_2 -key $ECC384_KEY -cert $ECC384_CERT -Verify 1 -named_curve secp384r1 -CAfile $CA_ECC_CERT & -PID=$! -wait_server $PID - -echo "Checking TLS 1.2 with ECDHE-ECDSA... 
(SECP384R1)" -$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL$ADD" --insecure --x509certfile $ECC384_CERT --x509keyfile $ECC384_KEY /dev/null || \ - fail $PID "Failed" - -kill $PID -wait - -if test "$FIPS" != 1;then -#-cipher ECDHE-ECDSA-AES128-SHA -launch_bare_server $$ s_server -quiet -www -accept $PORT -keyform pem -certform pem -tls1_2 -key $ECC521_KEY -cert $ECC521_CERT -Verify 1 -named_curve secp521r1 -CAfile $CA_ECC_CERT & -PID=$! -wait_server $PID - -echo "Checking TLS 1.2 with ECDHE-ECDSA... (SECP521R1)" -$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL$ADD" --insecure --x509certfile $ECC521_CERT --x509keyfile $ECC521_KEY /dev/null || \ - fail $PID "Failed" - -kill $PID -wait -fi #FIPS - -fi #SV2 - -#-cipher PSK -launch_bare_server $$ s_server -quiet -www -accept $PORT -tls1_2 -keyform pem -certform pem -dhparam params.dh -key $RSA_KEY -cert $RSA_CERT -cipher PSK -psk 9e32cf7786321a828ef7668f09fb35db & -PID=$! -wait_server $PID - -echo "Checking TLS 1.2 with PSK..." -$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+PSK:+CURVE-ALL$ADD" --insecure --pskusername Client_identity --pskkey 9e32cf7786321a828ef7668f09fb35db /dev/null || \ - fail $PID "Failed" - -kill $PID -wait - -launch_bare_server $$ s_server -quiet -accept $PORT -keyform pem -certform pem -dtls1 -timeout -dhparam params.dh -key $RSA_KEY -cert $RSA_CERT -dkey $DSA_KEY -dcert $DSA_CERT -Verify 1 -CAfile $CA_CERT & -PID=$! -wait_server $PID - -# Test DTLS 1.0 with RSA ciphersuite -echo "Checking DTLS 1.0 with RSA..." 
-$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+RSA$ADD" --udp --insecure --x509certfile $CLI_CERT --x509keyfile $CLI_KEY /dev/null || \ - fail $PID "Failed" - -kill $PID -wait - -launch_bare_server $$ s_server -quiet -accept $PORT -keyform pem -certform pem -dtls1 -timeout -dhparam params.dh -key $RSA_KEY -cert $RSA_CERT -dkey $DSA_KEY -dcert $DSA_CERT -Verify 1 -CAfile $CA_CERT & -PID=$! -wait_server $PID - -# Test DTLS 1.0 with DHE-RSA ciphersuite -echo "Checking DTLS 1.0 with DHE-RSA..." -$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+DHE-RSA$ADD" --udp --insecure --x509certfile $CLI_CERT --x509keyfile $CLI_KEY /dev/null || \ - fail $PID "Failed" - -kill $PID -wait - -launch_bare_server $$ s_server -quiet -accept $PORT -keyform pem -certform pem -dtls1 -timeout -dhparam params.dh -key $RSA_KEY -cert $RSA_CERT -dkey $DSA_KEY -dcert $DSA_CERT -Verify 1 -CAfile $CA_CERT & -PID=$! -wait_server $PID - -# Test DTLS 1.0 with DHE-DSS ciphersuite -echo "Checking DTLS 1.0 with DHE-DSS..." -$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256$ADD" --udp --insecure --x509certfile $CLI_CERT --x509keyfile $CLI_KEY /dev/null || \ - fail $PID "Failed" - -kill $PID -wait - + kill ${PID} + wait done echo "Client mode tests were successfully completed" 
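Review bot: the removed TLS 1.2 ECDHE-RSA client check (`-$CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:...:+VERS-TLS1.2:+ECDHE-RSA:+CURVE-ALL$ADD" ...`) is the only client invocation in this hunk that lacks the `$VALGRIND` prefix every neighbouring check carries; the re-indented replacement lines are outside this hunk, so please confirm the new version runs it as `${VALGRIND} ${CLI} ...` rather than carrying the omission over. Also, the three DTLS 1.0 checks (RSA, DHE-RSA, DHE-DSS) each launch an identical `s_server ... -dtls1 -timeout ...` and kill it again; one server instance could serve all three, which would shorten a loop that already runs once per `ADD` modifier.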
@@ -360,303 +353,300 @@ echo "" echo "###############################################" echo "# Server mode tests (gnutls server-openssl cli#" echo "###############################################" -SERV="../../src/gnutls-serv$EXEEXT -q" +SERV="../../src/gnutls-serv${EXEEXT} -q" # Note that openssl s_client does not return error code on failure for ADD in "" ":%COMPAT" ":%NO_ETM" ":%NO_TICKETS" ":%DISABLE_SAFE_RENEGOTIATION" do + if ! test -z "${ADD}";then + echo "" + echo "** Modifier: ${ADD}" + fi -if ! test -z "$ADD";then -echo "" -echo "** Modifier: $ADD" -fi - -if test "$DEBIAN" != 1;then + if test "${DEBIAN}" != 1;then -echo "Check SSL 3.0 with RSA ciphersuite" -launch_server $$ --priority "NONE:+MD5:+ARCFOUR-128:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+RSA$ADD" --x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT --dhparams params.dh & PID=$! -wait_server $PID + echo "Check SSL 3.0 with RSA ciphersuite" + launch_server $$ --priority "NONE:+MD5:+ARCFOUR-128:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${srcdir}/params.dh" & PID=$! 
+ wait_server ${PID} -$OPENSSL_CLI s_client -host localhost -port $PORT -ssl3 -cert $CLI_CERT -key $CLI_KEY -CAfile $CA_CERT &1 | grep "\:error\:" && \ - fail $PID "Failed" + ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -ssl3 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ + fail ${PID} "Failed" -echo "Check SSL 3.0 with RSA-RC4-MD5 ciphersuite" -$OPENSSL_CLI s_client -host localhost -port $PORT -ssl3 -cert $CLI_CERT -key $CLI_KEY -CAfile $CA_CERT -cipher RC4-MD5 &1 | grep "\:error\:" && \ - fail $PID "Failed" + echo "Check SSL 3.0 with RSA-RC4-MD5 ciphersuite" + ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -ssl3 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" -cipher RC4-MD5 &1 | grep "\:error\:" && \ + fail ${PID} "Failed" -kill $PID -wait + kill ${PID} + wait -echo "Check SSL 3.0 with DHE-RSA ciphersuite" -launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+DHE-RSA$ADD" --x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT --dhparams params.dh & PID=$! -wait_server $PID + echo "Check SSL 3.0 with DHE-RSA ciphersuite" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${srcdir}/params.dh" & PID=$! 
+ wait_server ${PID} -$OPENSSL_CLI s_client -host localhost -port $PORT -ssl3 -cert $CLI_CERT -key $CLI_KEY -CAfile $CA_CERT &1 | grep "\:error\:" && \ - fail $PID "Failed" + ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -ssl3 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ + fail ${PID} "Failed" -kill $PID -wait + kill ${PID} + wait -echo "Check SSL 3.0 with DHE-DSS ciphersuite" -launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256$ADD" --x509certfile $SERV_DSA_CERT --x509keyfile $SERV_DSA_KEY --dhparams params.dh & PID=$! -wait_server $PID + echo "Check SSL 3.0 with DHE-DSS ciphersuite" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --x509certfile "${SERV_DSA_CERT}" --x509keyfile "${SERV_DSA_KEY}" --dhparams "${srcdir}/params.dh" & PID=$! + wait_server ${PID} -$OPENSSL_CLI s_client -host localhost -port $PORT -ssl3 -cert $CLI_CERT -key $CLI_KEY -CAfile $CA_CERT &1 | grep "\:error\:" && \ - fail $PID "Failed" + ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -ssl3 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ + fail ${PID} "Failed" -kill $PID -wait + kill ${PID} + wait + fi -fi + #TLS 1.0 -#TLS 1.0 + # This test was disabled because it doesn't work as expected with openssl 1.0.0d + #echo "Check TLS 1.0 with RSA ciphersuite (SSLv2 hello)" + #launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${srcdir}/params.dh" & PID=$! 
+ #wait_server ${PID} + # + #${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ + # fail ${PID} "Failed" + # + #kill ${PID} + #wait -# This test was disabled because it doesn't work as expected with openssl 1.0.0d -#echo "Check TLS 1.0 with RSA ciphersuite (SSLv2 hello)" -#launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA" --x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT --dhparams params.dh & PID=$! -#wait_server $PID -# -#$OPENSSL_CLI s_client -host localhost -port $PORT -cert $CLI_CERT -key $CLI_KEY -CAfile $CA_CERT &1 | grep "\:error\:" && \ -# fail $PID "Failed" -# -#kill $PID -#wait + if test "${FIPS}" != 1;then + echo "Check TLS 1.0 with RSA-NULL ciphersuite" + launch_server $$ --priority "NONE:+NULL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${srcdir}/params.dh" & PID=$! + wait_server ${PID} -if test "$FIPS" != 1;then -echo "Check TLS 1.0 with RSA-NULL ciphersuite" -launch_server $$ --priority "NONE:+NULL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA:+DHE-RSA$ADD" --x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT --dhparams params.dh & PID=$! 
-wait_server $PID + ${OPENSSL_CLI} s_client -cipher NULL-SHA -host localhost -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ + fail ${PID} "Failed" -$OPENSSL_CLI s_client -cipher NULL-SHA -host localhost -tls1 -port $PORT -cert $CLI_CERT -key $CLI_KEY -CAfile $CA_CERT &1 | grep "\:error\:" && \ - fail $PID "Failed" + kill ${PID} + wait + fi -kill $PID -wait -fi + echo "Check TLS 1.0 with DHE-RSA ciphersuite" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${srcdir}/params.dh" & PID=$! + wait_server ${PID} -echo "Check TLS 1.0 with DHE-RSA ciphersuite" -launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-RSA$ADD" --x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT --dhparams params.dh & PID=$! -wait_server $PID + ${OPENSSL_CLI} s_client -host localhost -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ + fail ${PID} "Failed" -$OPENSSL_CLI s_client -host localhost -tls1 -port $PORT -cert $CLI_CERT -key $CLI_KEY -CAfile $CA_CERT &1 | grep "\:error\:" && \ - fail $PID "Failed" + kill ${PID} + wait -kill $PID -wait + echo "Check TLS 1.0 with DHE-DSS ciphersuite" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --x509certfile "${SERV_DSA_CERT}" --x509keyfile "${SERV_DSA_KEY}" --dhparams "${srcdir}/params.dh" & PID=$! + wait_server ${PID} -echo "Check TLS 1.0 with DHE-DSS ciphersuite" -launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256$ADD" --x509certfile $SERV_DSA_CERT --x509keyfile $SERV_DSA_KEY --dhparams params.dh & PID=$! 
-wait_server $PID + ${OPENSSL_CLI} s_client -host localhost -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ + fail ${PID} "Failed" -$OPENSSL_CLI s_client -host localhost -tls1 -port $PORT -cert $CLI_CERT -key $CLI_KEY -CAfile $CA_CERT &1 | grep "\:error\:" && \ - fail $PID "Failed" + kill ${PID} + wait -kill $PID -wait + echo "Check TLS 1.0 with ECDHE-RSA ciphersuite" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-RSA:+CURVE-ALL${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" & PID=$! + wait_server ${PID} -echo "Check TLS 1.0 with ECDHE-RSA ciphersuite" -launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-RSA:+CURVE-ALL$ADD" --x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT & PID=$! -wait_server $PID + #-cipher ECDHE-RSA-AES128-SHA + ${OPENSSL_CLI} s_client -host localhost -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ + fail ${PID} "Failed" -#-cipher ECDHE-RSA-AES128-SHA -$OPENSSL_CLI s_client -host localhost -tls1 -port $PORT -cert $CLI_CERT -key $CLI_KEY -CAfile $CA_CERT &1 | grep "\:error\:" && \ - fail $PID "Failed" + kill ${PID} + wait -kill $PID -wait + if test "${FIPS}" != 1;then + echo "Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP224R1)" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC224_CERT}" --x509keyfile "${ECC224_KEY}" --x509cafile "${CA_ECC_CERT}" & PID=$! + wait_server ${PID} -if test "$FIPS" != 1;then -echo "Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP224R1)" -launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL$ADD" --x509certfile $ECC224_CERT --x509keyfile $ECC224_KEY --x509cafile $CA_ECC_CERT & PID=$! 
-wait_server $PID + #-cipher ECDHE-ECDSA-AES128-SHA + ${OPENSSL_CLI} s_client -host localhost -tls1 -port "${PORT}" -cert "${ECC224_CERT}" -key "${ECC224_KEY}" -CAfile "${CA_ECC_CERT}" &1 | grep "\:error\:" && \ + fail ${PID} "Failed" -#-cipher ECDHE-ECDSA-AES128-SHA -$OPENSSL_CLI s_client -host localhost -tls1 -port $PORT -cert $ECC224_CERT -key $ECC224_KEY -CAfile $CA_ECC_CERT &1 | grep "\:error\:" && \ - fail $PID "Failed" + kill ${PID} + wait + fi -kill $PID -wait -fi + echo "Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP256R1)" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC256_CERT}" --x509keyfile "${ECC256_KEY}" --x509cafile "${CA_ECC_CERT}" & PID=$! + wait_server ${PID} -echo "Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP256R1)" -launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL$ADD" --x509certfile $ECC256_CERT --x509keyfile $ECC256_KEY --x509cafile $CA_ECC_CERT & PID=$! -wait_server $PID + #-cipher ECDHE-ECDSA-AES128-SHA + ${OPENSSL_CLI} s_client -host localhost -tls1 -port "${PORT}" -cert "${ECC256_CERT}" -key "${ECC256_KEY}" -CAfile "${CA_ECC_CERT}" &1 | grep "\:error\:" && \ + fail ${PID} "Failed" -#-cipher ECDHE-ECDSA-AES128-SHA -$OPENSSL_CLI s_client -host localhost -tls1 -port $PORT -cert $ECC256_CERT -key $ECC256_KEY -CAfile $CA_ECC_CERT &1 | grep "\:error\:" && \ - fail $PID "Failed" + kill ${PID} + wait -kill $PID -wait + echo "Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP384R1)" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC384_CERT}" --x509keyfile "${ECC384_KEY}" --x509cafile "${CA_ECC_CERT}" & PID=$! 
+ wait_server ${PID} -echo "Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP384R1)" -launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL$ADD" --x509certfile $ECC384_CERT --x509keyfile $ECC384_KEY --x509cafile $CA_ECC_CERT & PID=$! -wait_server $PID + #-cipher ECDHE-ECDSA-AES128-SHA + ${OPENSSL_CLI} s_client -host localhost -tls1 -port "${PORT}" -cert "${ECC384_CERT}" -key "${ECC384_KEY}" -CAfile "${CA_ECC_CERT}" &1 | grep "\:error\:" && \ + fail ${PID} "Failed" -#-cipher ECDHE-ECDSA-AES128-SHA -$OPENSSL_CLI s_client -host localhost -tls1 -port $PORT -cert $ECC384_CERT -key $ECC384_KEY -CAfile $CA_ECC_CERT &1 | grep "\:error\:" && \ - fail $PID "Failed" + kill ${PID} + wait -kill $PID -wait + if test "${FIPS}" != 1;then + echo "Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP521R1)" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC521_CERT}" --x509keyfile "${ECC521_KEY}" --x509cafile "${CA_ECC_CERT}" & PID=$! + wait_server ${PID} -if test "$FIPS" != 1;then -echo "Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP521R1)" -launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL$ADD" --x509certfile $ECC521_CERT --x509keyfile $ECC521_KEY --x509cafile $CA_ECC_CERT & PID=$! 
-wait_server $PID + #-cipher ECDHE-ECDSA-AES128-SHA + ${OPENSSL_CLI} s_client -host localhost -tls1 -port "${PORT}" -cert "${ECC521_CERT}" -key "${ECC521_KEY}" -CAfile "${CA_ECC_CERT}" &1 | grep "\:error\:" && \ + fail ${PID} "Failed" -#-cipher ECDHE-ECDSA-AES128-SHA -$OPENSSL_CLI s_client -host localhost -tls1 -port $PORT -cert $ECC521_CERT -key $ECC521_KEY -CAfile $CA_ECC_CERT &1 | grep "\:error\:" && \ - fail $PID "Failed" + kill ${PID} + wait + fi -kill $PID -wait -fi - -echo "Check TLS 1.0 with PSK ciphersuite" -launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+PSK:+CURVE-ALL$ADD" --pskpasswd $SERV_PSK --x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT & PID=$! -wait_server $PID + echo "Check TLS 1.0 with PSK ciphersuite" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" & PID=$! + wait_server ${PID} -#-cipher PSK-AES128-SHA -$OPENSSL_CLI s_client -host localhost -psk_identity Client_identity -psk 9e32cf7786321a828ef7668f09fb35db -tls1 -port $PORT crt_file=$CLI_CERT -key $CLI_KEY -CAfile $CA_CERT &1 | grep ":error:" && \ - fail $PID "Failed" + #-cipher PSK-AES128-SHA + ${OPENSSL_CLI} s_client -host localhost -psk_identity Client_identity -psk 9e32cf7786321a828ef7668f09fb35db -tls1 -port "${PORT}" crt_file="${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep ":error:" && \ + fail ${PID} "Failed" -kill $PID -wait + kill ${PID} + wait -if test $SV2 = 0;then + if test ${SV2} = 0;then -echo "Check TLS 1.2 with DHE-RSA ciphersuite" -launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA$ADD" --x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT --dhparams params.dh & PID=$! 
-wait_server $PID + echo "Check TLS 1.2 with DHE-RSA ciphersuite" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${srcdir}/params.dh" & PID=$! + wait_server ${PID} -$OPENSSL_CLI s_client -host localhost -tls1_2 -port $PORT -cert $CLI_CERT -key $CLI_KEY -CAfile $CA_CERT &1 | grep "\:error\:" && \ - fail $PID "Failed" + ${OPENSSL_CLI} s_client -host localhost -tls1_2 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ + fail ${PID} "Failed" -kill $PID -wait + kill ${PID} + wait -echo "Check TLS 1.2 with DHE-DSS ciphersuite" -launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256$ADD" --x509certfile $SERV_DSA_CERT --x509keyfile $SERV_DSA_KEY --dhparams params.dh & PID=$! -wait_server $PID + echo "Check TLS 1.2 with DHE-DSS ciphersuite" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --x509certfile "${SERV_DSA_CERT}" --x509keyfile "${SERV_DSA_KEY}" --dhparams "${srcdir}/params.dh" & PID=$! + wait_server ${PID} -$OPENSSL_CLI s_client -host localhost -tls1_2 -port $PORT -cert $CLI_CERT -key $CLI_KEY -CAfile $CA_CERT &1 | grep "\:error\:" && \ - fail $PID "Failed" + ${OPENSSL_CLI} s_client -host localhost -tls1_2 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ + fail ${PID} "Failed" -kill $PID -wait + kill ${PID} + wait -echo "Check TLS 1.2 with ECDHE-RSA ciphersuite" -launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-RSA:+CURVE-ALL$ADD" --x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT & PID=$! 
-wait_server $PID + echo "Check TLS 1.2 with ECDHE-RSA ciphersuite" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-RSA:+CURVE-ALL${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" & PID=$! + wait_server ${PID} -#-cipher ECDHE-RSA-AES128-SHA -$OPENSSL_CLI s_client -host localhost -tls1_2 -port $PORT -cert $CLI_CERT -key $CLI_KEY -CAfile $CA_CERT &1 | grep "\:error\:" && \ - fail $PID "Failed" + #-cipher ECDHE-RSA-AES128-SHA + ${OPENSSL_CLI} s_client -host localhost -tls1_2 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ + fail ${PID} "Failed" -kill $PID -wait + kill ${PID} + wait -if test "$FIPS" != 1;then -echo "Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP224R1)" -launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL$ADD" --x509certfile $ECC224_CERT --x509keyfile $ECC224_KEY --x509cafile $CA_ECC_CERT & PID=$! -wait_server $PID + if test "${FIPS}" != 1;then + echo "Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP224R1)" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC224_CERT}" --x509keyfile "${ECC224_KEY}" --x509cafile "${CA_ECC_CERT}" & PID=$! 
+ wait_server ${PID} -#-cipher ECDHE-ECDSA-AES128-SHA -$OPENSSL_CLI s_client -host localhost -tls1_2 -port $PORT -cert $ECC224_CERT -key $ECC224_KEY -CAfile $CA_ECC_CERT &1 | grep "\:error\:" && \ - fail $PID "Failed" + #-cipher ECDHE-ECDSA-AES128-SHA + ${OPENSSL_CLI} s_client -host localhost -tls1_2 -port "${PORT}" -cert "${ECC224_CERT}" -key "${ECC224_KEY}" -CAfile "${CA_ECC_CERT}" &1 | grep "\:error\:" && \ + fail ${PID} "Failed" -kill $PID -wait -fi + kill ${PID} + wait + fi -echo "Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP256R1)" -launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL$ADD" --x509certfile $ECC256_CERT --x509keyfile $ECC256_KEY --x509cafile $CA_ECC_CERT & PID=$! -wait_server $PID + echo "Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP256R1)" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC256_CERT}" --x509keyfile "${ECC256_KEY}" --x509cafile "${CA_ECC_CERT}" & PID=$! + wait_server ${PID} -#-cipher ECDHE-ECDSA-AES128-SHA -$OPENSSL_CLI s_client -host localhost -tls1_2 -port $PORT -cert $ECC256_CERT -key $ECC256_KEY -CAfile $CA_ECC_CERT &1 | grep "\:error\:" && \ - fail $PID "Failed" + #-cipher ECDHE-ECDSA-AES128-SHA + ${OPENSSL_CLI} s_client -host localhost -tls1_2 -port "${PORT}" -cert "${ECC256_CERT}" -key "${ECC256_KEY}" -CAfile "${CA_ECC_CERT}" &1 | grep "\:error\:" && \ + fail ${PID} "Failed" -kill $PID -wait + kill ${PID} + wait -echo "Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP384R1)" -launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL$ADD" --x509certfile $ECC384_CERT --x509keyfile $ECC384_KEY --x509cafile $CA_ECC_CERT & PID=$! 
-wait_server $PID + echo "Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP384R1)" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC384_CERT}" --x509keyfile "${ECC384_KEY}" --x509cafile "${CA_ECC_CERT}" & PID=$! + wait_server ${PID} -#-cipher ECDHE-ECDSA-AES128-SHA -$OPENSSL_CLI s_client -host localhost -tls1_2 -port $PORT -cert $ECC384_CERT -key $ECC384_KEY -CAfile $CA_ECC_CERT &1 | grep "\:error\:" && \ - fail $PID "Failed" + #-cipher ECDHE-ECDSA-AES128-SHA + ${OPENSSL_CLI} s_client -host localhost -tls1_2 -port "${PORT}" -cert "${ECC384_CERT}" -key "${ECC384_KEY}" -CAfile "${CA_ECC_CERT}" &1 | grep "\:error\:" && \ + fail ${PID} "Failed" -kill $PID -wait + kill ${PID} + wait -if test "$FIPS" != 1;then -echo "Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP521R1)" -launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL$ADD" --x509certfile $ECC521_CERT --x509keyfile $ECC521_KEY --x509cafile $CA_ECC_CERT & PID=$! -wait_server $PID + if test "${FIPS}" != 1;then + echo "Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP521R1)" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC521_CERT}" --x509keyfile "${ECC521_KEY}" --x509cafile "${CA_ECC_CERT}" & PID=$! 
+ wait_server ${PID} -#-cipher ECDHE-ECDSA-AES128-SHA -$OPENSSL_CLI s_client -host localhost -tls1_2 -port $PORT -cert $ECC521_CERT -key $ECC521_KEY -CAfile $CA_ECC_CERT &1 | grep "\:error\:" && \ - fail $PID "Failed" - -kill $PID -wait -fi + #-cipher ECDHE-ECDSA-AES128-SHA + ${OPENSSL_CLI} s_client -host localhost -tls1_2 -port "${PORT}" -cert "${ECC521_CERT}" -key "${ECC521_KEY}" -CAfile "${CA_ECC_CERT}" &1 | grep "\:error\:" && \ + fail ${PID} "Failed" -echo "Check TLS 1.2 with PSK ciphersuite" -launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+PSK:+CURVE-ALL$ADD" --pskpasswd $SERV_PSK --x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT & PID=$! -wait_server $PID + kill ${PID} + wait + fi -#-cipher PSK-AES128-SHA -$OPENSSL_CLI s_client -host localhost -psk_identity Client_identity -psk 9e32cf7786321a828ef7668f09fb35db -tls1_2 -port $PORT crt_file=$CLI_CERT -key $CLI_KEY -CAfile $CA_CERT &1 | grep ":error:" && \ - fail $PID "Failed" + echo "Check TLS 1.2 with PSK ciphersuite" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" & PID=$! + wait_server ${PID} -kill $PID -wait + #-cipher PSK-AES128-SHA + ${OPENSSL_CLI} s_client -host localhost -psk_identity Client_identity -psk 9e32cf7786321a828ef7668f09fb35db -tls1_2 -port "${PORT}" crt_file="${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep ":error:" && \ + fail ${PID} "Failed" -fi #SV2 + kill ${PID} + wait -# DTLS -echo "Check DTLS 1.0 with RSA ciphersuite" -launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+RSA$ADD" --udp --x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT --dhparams params.dh & PID=$! 
-wait_server $PID + fi #SV2 + # DTLS + echo "Check DTLS 1.0 with RSA ciphersuite" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+RSA${ADD}" --udp --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${srcdir}/params.dh" & PID=$! + wait_server ${PID} -$OPENSSL_CLI s_client -host localhost -port $PORT -dtls1 -cert $CLI_CERT -key $CLI_KEY -CAfile $CA_CERT &1 | grep "\:error\:" && \ - fail $PID "Failed" -kill $PID -wait + ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ + fail ${PID} "Failed" + kill ${PID} + wait -echo "Check DTLS 1.0 with DHE-RSA ciphersuite" -launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+DHE-RSA$ADD" --udp --x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT --dhparams params.dh & PID=$! -wait_server $PID + echo "Check DTLS 1.0 with DHE-RSA ciphersuite" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+DHE-RSA${ADD}" --udp --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${srcdir}/params.dh" & PID=$! + wait_server ${PID} -$OPENSSL_CLI s_client -host localhost -port $PORT -dtls1 -cert $CLI_CERT -key $CLI_KEY -CAfile $CA_CERT &1 | grep "\:error\:" && \ - fail $PID "Failed" -kill $PID -wait + ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ + fail ${PID} "Failed" + kill ${PID} + wait -echo "Check DTLS 1.0 with DHE-DSS ciphersuite" -launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256$ADD" --udp --x509certfile $SERV_DSA_CERT --x509keyfile $SERV_DSA_KEY --dhparams params.dh & PID=$! 
-wait_server $PID + echo "Check DTLS 1.0 with DHE-DSS ciphersuite" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --udp --x509certfile "${SERV_DSA_CERT}" --x509keyfile "${SERV_DSA_KEY}" --dhparams "${srcdir}/params.dh" & PID=$! + wait_server ${PID} -$OPENSSL_CLI s_client -host localhost -port $PORT -dtls1 -cert $CLI_CERT -key $CLI_KEY -CAfile $CA_CERT &1 | grep "\:error\:" && \ - fail $PID "Failed" -kill $PID -wait + ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ + fail ${PID} "Failed" + kill ${PID} + wait done exit 0 diff --git a/tests/suite/testcompat-main-polarssl b/tests/suite/testcompat-main-polarssl index a6df66c..74261b0 100755 --- a/tests/suite/testcompat-main-polarssl +++ b/tests/suite/testcompat-main-polarssl @@ -11,9 +11,9 @@ # Redistribution and use in source and binary forms, with or without modification, # are permitted provided that the following conditions are met: # -# 1. Redistributions of source code must retain the above copyright notice, this +# 1. Redistributions of source code must retain the above copyright notice, this # list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright notice, +# 2. Redistributions in binary form must reproduce the above copyright notice, # this list of conditions and the following disclaimer in the documentation and/or # other materials provided with the distribution. # 3. Neither the name of the copyright holder nor the names of its contributors may 
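Review bot: in the server-mode hunk of testcompat-main-openssl, the two PSK checks pass `crt_file="${CLI_CERT}"` to `${OPENSSL_CLI} s_client` (`... -tls1 -port "${PORT}" crt_file="${CLI_CERT}" -key "${CLI_KEY}" ...` and the same line with `-tls1_2`), while every other s_client invocation in the hunk uses `-cert "${CLI_CERT}"`. `crt_file=` is the PolarSSL client's argument syntax, and because the pass/fail decision here is only `grep ":error:" && fail`, an argument that s_client rejects without printing `:error:` would let the check pass with no handshake at all. Since these lines are being rewritten for quoting anyway, change them to `-cert "${CLI_CERT}"`. More generally, given the header comment that s_client does not return an error code on failure, each check would be more robust if it also grepped for a positive indication of a completed handshake instead of only the absence of `:error:`.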
@@ -23,7 +23,7 @@ # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY # EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES # OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT -# SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, +# SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED # TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 
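Review bot: the two hunks in the license header of testcompat-main-polarssl (`@@ -11,9 +11,9 @@` and `@@ -23,7 +23,7 @@`) change only trailing whitespace on comment lines; mixing whitespace cleanup into a patch whose purpose is quoting and indentation makes the functional changes harder to review. Suggest dropping these hunks or moving them to a separate whitespace-only commit.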
@@ -31,386 +31,386 @@ # WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. srcdir="${srcdir:-.}" -CLI="${CLI:-../../src/gnutls-cli$EXEEXT}" +CLI="${CLI:-../../src/gnutls-cli${EXEEXT}}" LOGFILE=polarssl.log unset RETCODE if ! test -z "${VALGRIND}";then -VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" fi if test "${WINDIR}" != "";then exit 77 -fi - -. $srcdir/../scripts/common.sh - -PORT="${PORT:-$RPORT}" -if test -x /usr/bin/mbedtls_ssl_client2;then -POLARSSL_CLI="/usr/bin/mbedtls_ssl_client2" -else -POLARSSL_CLI="/usr/libexec/mbedtls/ssl_client2" fi -TXT=`$CLI --priority NORMAL --list|grep SECP224` -if test -z $TEXT;then - ALL_CURVES=0 +. "${srcdir}/../scripts/common.sh" + +PORT="${PORT:-${RPORT}}" +TXT=`"${CLI}" --priority NORMAL --list|grep SECP224` +if test -z "${TXT}";then + ALL_CURVES=0 else - ALL_CURVES=1 + ALL_CURVES=1 fi echo "Compatibility checks using polarssl" -if ! test -x $POLARSSL_CLI;then +for POLARSSL_CLI in \ + /usr/bin/polarssl_ssl_client2 \ + /usr/bin/mbedtls_ssl_client2 \ + /usr/libexec/mbedtls/ssl_client2 \ + ""; do + test -x "${POLARSSL_CLI}" && break +done + +if test -z "${POLARSSL_CLI}";then echo "PolarSSL is required for this test to run" exit 77 fi -$POLARSSL_CLI >/dev/null 2>&1 +"${POLARSSL_CLI}" >/dev/null 2>&1 if test $? = 0;then echo "PolarSSL 1.3.x is required for the tests to run" exit 77 fi -. ./testcompat-common +. "${srcdir}/testcompat-common" echo "" echo "##################################################" echo "# Server mode tests (gnutls server-polarssl cli) #" echo "##################################################" -SERV="../../src/gnutls-serv$EXEEXT -q" +SERV="../../src/gnutls-serv${EXEEXT} -q" -rm -f $LOGFILE +rm -f "${LOGFILE}" for ADD in "" ":%COMPAT" ":%NO_ETM" #":%NO_TICKETS" ":%DISABLE_SAFE_RENEGOTIATION" do + if ! test -z "${ADD}";then + echo "" + echo "** Modifier: ${ADD}" + fi -if ! 
test -z "$ADD";then -echo "" -echo "** Modifier: $ADD" -fi - -# SSL 3.0 is disabled in debian's polarssl -if test 0 = 1;then -echo "Check SSL 3.0 with RSA ciphersuite" -launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+RSA$ADD" --x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT --dhparams params.dh & PID=$! -wait_server $PID - -$POLARSSL_CLI server_port=$PORT server_name=localhost max_version=ssl3 crt_file=$CLI_CERT key_file=$CLI_KEY ca_file=$CA_CERT >$LOGFILE 2>&1 || \ - fail $PID "Failed" + # SSL 3.0 is disabled in debian's polarssl + if test 0 = 1;then + echo "Check SSL 3.0 with RSA ciphersuite" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${srcdir}/params.dh" & PID=$! + wait_server ${PID} -kill $PID -wait + "${POLARSSL_CLI}" server_port="${PORT}" server_name=localhost max_version=ssl3 crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ + fail ${PID} "Failed" -echo "Check SSL 3.0 with DHE-RSA ciphersuite" -launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+DHE-RSA$ADD" --x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT --dhparams params.dh & PID=$! -wait_server $PID + kill ${PID} + wait -$POLARSSL_CLI server_name=localhost server_port=$PORT max_version=ssl3 crt_file=$CLI_CERT key_file=$CLI_KEY ca_file=$CA_CERT >$LOGFILE 2>&1 || \ - fail $PID "Failed" + echo "Check SSL 3.0 with DHE-RSA ciphersuite" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${srcdir}/params.dh" & PID=$! 
+ wait_server ${PID} -kill $PID -wait + "${POLARSSL_CLI}" server_name=localhost server_port="${PORT}" max_version=ssl3 crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ + fail ${PID} "Failed" -# No DSS for polarssl -#echo "Check SSL 3.0 with DHE-DSS ciphersuite" -#launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+DHE-DSS" --x509certfile $SERV_DSA_CERT --x509keyfile $SERV_DSA_KEY --dhparams params.dh & PID=$! -#wait_server $PID + kill ${PID} + wait -#$POLARSSL_CLI server_name=localhost server_port=$PORT max_version=ssl3 crt_file=$CLI_CERT key_file=$CLI_KEY ca_file=$CA_CERT >$LOGFILE 2>&1 || \ -# fail $PID "Failed" -# -#kill $PID -#wait -fi + # No DSS for polarssl + #echo "Check SSL 3.0 with DHE-DSS ciphersuite" + #launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+DHE-DSS" --x509certfile "${SERV_DSA_CERT}" --x509keyfile "${SERV_DSA_KEY}" --dhparams "${srcdir}/params.dh" & PID=$! + #wait_server ${PID} -#TLS 1.0 + #"${POLARSSL_CLI}" server_name=localhost server_port="${PORT}" max_version=ssl3 crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ + # fail ${PID} "Failed" + # + #kill ${PID} + #wait + fi -echo "Check TLS 1.0 with DHE-RSA ciphersuite" -launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-RSA$ADD" --x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT --dhparams params.dh & PID=$! 
-wait_server $PID + #TLS 1.0 -$POLARSSL_CLI server_name=localhost min_version=tls1 max_version=tls1 server_port=$PORT crt_file=$CLI_CERT key_file=$CLI_KEY ca_file=$CA_CERT >$LOGFILE 2>&1 || \ - fail $PID "Failed" + echo "Check TLS 1.0 with DHE-RSA ciphersuite" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${srcdir}/params.dh" & PID=$! + wait_server ${PID} -kill $PID -wait + "${POLARSSL_CLI}" server_name=localhost min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ + fail ${PID} "Failed" -#echo "Check TLS 1.0 with DHE-DSS ciphersuite" -#launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-DSS$ADD" --x509certfile $SERV_DSA_CERT --x509keyfile $SERV_DSA_KEY --dhparams params.dh & PID=$! -#wait_server $PID + kill ${PID} + wait -#$POLARSSL_CLI server_name=localhost min_version=tls1 max_version=tls1 server_port=$PORT crt_file=$CLI_CERT key_file=$CLI_KEY ca_file=$CA_CERT >$LOGFILE 2>&1 || \ -# fail $PID "Failed" + #echo "Check TLS 1.0 with DHE-DSS ciphersuite" + #launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-DSS${ADD}" --x509certfile "${SERV_DSA_CERT}" --x509keyfile "${SERV_DSA_KEY}" --dhparams "${srcdir}/params.dh" & PID=$! + #wait_server ${PID} -#kill $PID -#wait + #"${POLARSSL_CLI}" server_name=localhost min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ + # fail ${PID} "Failed" -echo "Check TLS 1.0 with ECDHE-RSA ciphersuite" -launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-RSA:+CURVE-ALL$ADD" --x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT & PID=$! 
-wait_server $PID + #kill ${PID} + #wait -#-cipher ECDHE-RSA-AES128-SHA -$POLARSSL_CLI server_name=localhost min_version=tls1 max_version=tls1 server_port=$PORT crt_file=$CLI_CERT key_file=$CLI_KEY ca_file=$CA_CERT >$LOGFILE 2>&1 || \ - fail $PID "Failed" + echo "Check TLS 1.0 with ECDHE-RSA ciphersuite" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-RSA:+CURVE-ALL${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" & PID=$! + wait_server ${PID} -kill $PID -wait + #-cipher ECDHE-RSA-AES128-SHA + "${POLARSSL_CLI}" server_name=localhost min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ + fail ${PID} "Failed" -echo "Check TLS 1.0 with PSK ciphersuite" -launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+PSK:+CURVE-ALL$ADD" --pskpasswd $SERV_PSK --x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT & PID=$! -wait_server $PID + kill ${PID} + wait -#-cipher PSK-AES128-SHA -$POLARSSL_CLI server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1 max_version=tls1 server_port=$PORT crt_file=$CLI_CERT key_file=$CLI_KEY ca_file=$CA_CERT >$LOGFILE 2>&1 || \ - fail $PID "Failed" + echo "Check TLS 1.0 with PSK ciphersuite" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" & PID=$! 
+ wait_server ${PID} -kill $PID -wait + #-cipher PSK-AES128-SHA + "${POLARSSL_CLI}" server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ + fail ${PID} "Failed" -echo "Check TLS 1.0 with DHE-PSK ciphersuite" -launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-PSK:+CURVE-ALL$ADD" --pskpasswd $SERV_PSK --x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT & PID=$! -wait_server $PID + kill ${PID} + wait -#-cipher PSK-AES128-SHA -$POLARSSL_CLI server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1 max_version=tls1 server_port=$PORT crt_file=$CLI_CERT key_file=$CLI_KEY ca_file=$CA_CERT >$LOGFILE 2>&1 || \ - fail $PID "Failed" + echo "Check TLS 1.0 with DHE-PSK ciphersuite" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" & PID=$! + wait_server ${PID} -kill $PID -wait + #-cipher PSK-AES128-SHA + "${POLARSSL_CLI}" server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ + fail ${PID} "Failed" -echo "Check TLS 1.0 with ECDHE-PSK ciphersuite" -launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-PSK:+CURVE-ALL$ADD" --pskpasswd $SERV_PSK --x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT & PID=$! 
-wait_server $PID + kill ${PID} + wait -#-cipher PSK-AES128-SHA -$POLARSSL_CLI server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1 max_version=tls1 server_port=$PORT crt_file=$CLI_CERT key_file=$CLI_KEY ca_file=$CA_CERT >$LOGFILE 2>&1 || \ - fail $PID "Failed" + echo "Check TLS 1.0 with ECDHE-PSK ciphersuite" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" & PID=$! + wait_server ${PID} -kill $PID -wait + #-cipher PSK-AES128-SHA + "${POLARSSL_CLI}" server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ + fail ${PID} "Failed" -echo "Check TLS 1.0 with RSA-PSK ciphersuite" -launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA-PSK:+CURVE-ALL$ADD" --pskpasswd $SERV_PSK --x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT & PID=$! -wait_server $PID + kill ${PID} + wait -#-cipher RSA-PSK-AES128-SHA -$POLARSSL_CLI server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1 max_version=tls1 server_port=$PORT crt_file=$CLI_CERT key_file=$CLI_KEY ca_file=$CA_CERT >$LOGFILE 2>&1 || \ - fail $PID "Failed" + echo "Check TLS 1.0 with RSA-PSK ciphersuite" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA-PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" & PID=$! 
+ wait_server ${PID} -kill $PID -wait + #-cipher RSA-PSK-AES128-SHA + "${POLARSSL_CLI}" server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ + fail ${PID} "Failed" -if test $ALL_CURVES = 1;then - echo "Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP224R1)" - launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL$ADD" --x509certfile $ECC224_CERT --x509keyfile $ECC224_KEY --x509cafile $CA_ECC_CERT & PID=$! - wait_server $PID + kill ${PID} + wait - #-cipher ECDHE-ECDSA-AES128-SHA - $POLARSSL_CLI server_name=localhost min_version=tls1 max_version=tls1 server_port=$PORT crt_file=$ECC224_CERT key_file=$ECC224_KEY ca_file=$CA_ECC_CERT >$LOGFILE 2>&1 || \ - fail $PID "Failed" + if test ${ALL_CURVES} = 1;then + echo "Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP224R1)" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC224_CERT}" --x509keyfile "${ECC224_KEY}" --x509cafile "${CA_ECC_CERT}" & PID=$! + wait_server ${PID} - kill $PID - wait -fi + #-cipher ECDHE-ECDSA-AES128-SHA + "${POLARSSL_CLI}" server_name=localhost min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${ECC224_CERT}" key_file="${ECC224_KEY}" ca_file="${CA_ECC_CERT}" >"${LOGFILE}" 2>&1 || \ + fail ${PID} "Failed" -echo "Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP256R1)" -launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL$ADD" --x509certfile $ECC256_CERT --x509keyfile $ECC256_KEY --x509cafile $CA_ECC_CERT & PID=$! 
-wait_server $PID + kill ${PID} + wait + fi -#-cipher ECDHE-ECDSA-AES128-SHA -$POLARSSL_CLI server_name=localhost min_version=tls1 max_version=tls1 server_port=$PORT crt_file=$ECC256_CERT key_file=$ECC256_KEY ca_file=$CA_ECC_CERT >$LOGFILE 2>&1 || \ - fail $PID "Failed" + echo "Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP256R1)" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC256_CERT}" --x509keyfile "${ECC256_KEY}" --x509cafile "${CA_ECC_CERT}" & PID=$! + wait_server ${PID} -kill $PID -wait + #-cipher ECDHE-ECDSA-AES128-SHA + "${POLARSSL_CLI}" server_name=localhost min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${ECC256_CERT}" key_file="${ECC256_KEY}" ca_file="${CA_ECC_CERT}" >"${LOGFILE}" 2>&1 || \ + fail ${PID} "Failed" -echo "Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP384R1)" -launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL$ADD" --x509certfile $ECC384_CERT --x509keyfile $ECC384_KEY --x509cafile $CA_ECC_CERT & PID=$! -wait_server $PID + kill ${PID} + wait -#-cipher ECDHE-ECDSA-AES128-SHA -$POLARSSL_CLI server_name=localhost min_version=tls1 max_version=tls1 server_port=$PORT crt_file=$ECC384_CERT key_file=$ECC384_KEY ca_file=$CA_ECC_CERT >$LOGFILE 2>&1 || \ - fail $PID "Failed" + echo "Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP384R1)" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC384_CERT}" --x509keyfile "${ECC384_KEY}" --x509cafile "${CA_ECC_CERT}" & PID=$! 
+ wait_server ${PID} -kill $PID -wait + #-cipher ECDHE-ECDSA-AES128-SHA + "${POLARSSL_CLI}" server_name=localhost min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${ECC384_CERT}" key_file="${ECC384_KEY}" ca_file="${CA_ECC_CERT}" >"${LOGFILE}" 2>&1 || \ + fail ${PID} "Failed" -echo "Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP521R1)" -launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL$ADD" --x509certfile $ECC521_CERT --x509keyfile $ECC521_KEY --x509cafile $CA_ECC_CERT & PID=$! -wait_server $PID + kill ${PID} + wait -#-cipher ECDHE-ECDSA-AES128-SHA -$POLARSSL_CLI server_name=localhost min_version=tls1 max_version=tls1 server_port=$PORT crt_file=$ECC521_CERT key_file=$ECC521_KEY ca_file=$CA_ECC_CERT >$LOGFILE 2>&1 || \ - fail $PID "Failed" + echo "Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP521R1)" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC521_CERT}" --x509keyfile "${ECC521_KEY}" --x509cafile "${CA_ECC_CERT}" & PID=$! + wait_server ${PID} -kill $PID -wait + #-cipher ECDHE-ECDSA-AES128-SHA + "${POLARSSL_CLI}" server_name=localhost min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${ECC521_CERT}" key_file="${ECC521_KEY}" ca_file="${CA_ECC_CERT}" >"${LOGFILE}" 2>&1 || \ + fail ${PID} "Failed" -echo "Check TLS 1.2 with DHE-RSA ciphersuite" -launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA$ADD" --x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT --dhparams params.dh & PID=$! 
-wait_server $PID + kill ${PID} + wait -$POLARSSL_CLI server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port=$PORT crt_file=$CLI_CERT key_file=$CLI_KEY ca_file=$CA_CERT >$LOGFILE 2>&1 || \ - fail $PID "Failed" + echo "Check TLS 1.2 with DHE-RSA ciphersuite" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${srcdir}/params.dh" & PID=$! + wait_server ${PID} -kill $PID -wait + "${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ + fail ${PID} "Failed" -echo "Check TLS 1.2 with CAMELLIA-128-GCM-DHE-RSA ciphersuite" -launch_server $$ --priority "NONE:-CIPHER-ALL:+CAMELLIA-128-GCM:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA$ADD" --x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT --dhparams params.dh & PID=$! -wait_server $PID + kill ${PID} + wait -$POLARSSL_CLI server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port=$PORT crt_file=$CLI_CERT key_file=$CLI_KEY ca_file=$CA_CERT >$LOGFILE 2>&1 || \ - fail $PID "Failed" + echo "Check TLS 1.2 with CAMELLIA-128-GCM-DHE-RSA ciphersuite" + launch_server $$ --priority "NONE:-CIPHER-ALL:+CAMELLIA-128-GCM:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${srcdir}/params.dh" & PID=$! 
+ wait_server ${PID} -kill $PID -wait + "${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ + fail ${PID} "Failed" -echo "Check TLS 1.2 with CAMELLIA-256-GCM-DHE-RSA ciphersuite" -launch_server $$ --priority "NONE:-CIPHER-ALL:+CAMELLIA-256-GCM:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA$ADD" --x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT --dhparams params.dh & PID=$! -wait_server $PID + kill ${PID} + wait -$POLARSSL_CLI server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port=$PORT crt_file=$CLI_CERT key_file=$CLI_KEY ca_file=$CA_CERT >$LOGFILE 2>&1 || \ - fail $PID "Failed" + echo "Check TLS 1.2 with CAMELLIA-256-GCM-DHE-RSA ciphersuite" + launch_server $$ --priority "NONE:-CIPHER-ALL:+CAMELLIA-256-GCM:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${srcdir}/params.dh" & PID=$! + wait_server ${PID} -kill $PID -wait + "${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ + fail ${PID} "Failed" -echo "Check TLS 1.2 with AES-128-CCM-DHE-RSA ciphersuite" -launch_server $$ --priority "NONE:-CIPHER-ALL:+AES-128-CCM:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA$ADD" --x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT --dhparams params.dh & PID=$! 
-wait_server $PID + kill ${PID} + wait -$POLARSSL_CLI server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port=$PORT crt_file=$CLI_CERT key_file=$CLI_KEY ca_file=$CA_CERT >$LOGFILE 2>&1 || \ - fail $PID "Failed" + echo "Check TLS 1.2 with AES-128-CCM-DHE-RSA ciphersuite" + launch_server $$ --priority "NONE:-CIPHER-ALL:+AES-128-CCM:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${srcdir}/params.dh" & PID=$! + wait_server ${PID} -kill $PID -wait + "${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ + fail ${PID} "Failed" -echo "Check TLS 1.2 with AES-128-CCM-8-DHE-RSA ciphersuite" -launch_server $$ --priority "NONE:-CIPHER-ALL:+AES-128-CCM-8:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA$ADD" --x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT --dhparams params.dh & PID=$! -wait_server $PID + kill ${PID} + wait -$POLARSSL_CLI server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port=$PORT crt_file=$CLI_CERT key_file=$CLI_KEY ca_file=$CA_CERT >$LOGFILE 2>&1 || \ - fail $PID "Failed" + echo "Check TLS 1.2 with AES-128-CCM-8-DHE-RSA ciphersuite" + launch_server $$ --priority "NONE:-CIPHER-ALL:+AES-128-CCM-8:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${srcdir}/params.dh" & PID=$! 
+ wait_server ${PID} -kill $PID -wait + "${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ + fail ${PID} "Failed" -#echo "Check TLS 1.2 with DHE-DSS ciphersuite" -#launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-DSS$ADD" --x509certfile $SERV_DSA_CERT --x509keyfile $SERV_DSA_KEY --dhparams params.dh & PID=$! -#wait_server $PID -# -#$POLARSSL_CLI server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port=$PORT crt_file=$CLI_CERT key_file=$CLI_KEY ca_file=$CA_CERT >$LOGFILE 2>&1 || \ -# fail $PID "Failed" -# -#kill $PID -#wait + kill ${PID} + wait -echo "Check TLS 1.2 with ECDHE-RSA ciphersuite" -launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-RSA:+CURVE-ALL$ADD" --x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT & PID=$! -wait_server $PID + #echo "Check TLS 1.2 with DHE-DSS ciphersuite" + #launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-DSS${ADD}" --x509certfile "${SERV_DSA_CERT}" --x509keyfile "${SERV_DSA_KEY}" --dhparams "${srcdir}/params.dh" & PID=$! 
+ #wait_server ${PID} + # + #"${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ + # fail ${PID} "Failed" + # + #kill ${PID} + #wait -#-cipher ECDHE-RSA-AES128-SHA -$POLARSSL_CLI server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port=$PORT crt_file=$CLI_CERT key_file=$CLI_KEY ca_file=$CA_CERT >$LOGFILE 2>&1 || \ - fail $PID "Failed" + echo "Check TLS 1.2 with ECDHE-RSA ciphersuite" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-RSA:+CURVE-ALL${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" & PID=$! + wait_server ${PID} -kill $PID -wait + #-cipher ECDHE-RSA-AES128-SHA + "${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ + fail ${PID} "Failed" -if test $ALL_CURVES = 1;then - echo "Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP224R1)" - launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL$ADD" --x509certfile $ECC224_CERT --x509keyfile $ECC224_KEY --x509cafile $CA_ECC_CERT & PID=$! - wait_server $PID + kill ${PID} + wait - #-cipher ECDHE-ECDSA-AES128-SHA - $POLARSSL_CLI server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port=$PORT crt_file=$ECC224_CERT key_file=$ECC224_KEY ca_file=$CA_ECC_CERT >$LOGFILE 2>&1 || \ - fail $PID "Failed" + if test ${ALL_CURVES} = 1;then + echo "Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP224R1)" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC224_CERT}" --x509keyfile "${ECC224_KEY}" --x509cafile "${CA_ECC_CERT}" & PID=$! 
+ wait_server ${PID} - kill $PID - wait -fi + #-cipher ECDHE-ECDSA-AES128-SHA + "${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${ECC224_CERT}" key_file="${ECC224_KEY}" ca_file="${CA_ECC_CERT}" >"${LOGFILE}" 2>&1 || \ + fail ${PID} "Failed" -echo "Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP256R1)" -launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL$ADD" --x509certfile $ECC256_CERT --x509keyfile $ECC256_KEY --x509cafile $CA_ECC_CERT & PID=$! -wait_server $PID + kill ${PID} + wait + fi -#-cipher ECDHE-ECDSA-AES128-SHA -$POLARSSL_CLI server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port=$PORT crt_file=$ECC256_CERT key_file=$ECC256_KEY ca_file=$CA_ECC_CERT >$LOGFILE 2>&1 || \ - fail $PID "Failed" + echo "Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP256R1)" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC256_CERT}" --x509keyfile "${ECC256_KEY}" --x509cafile "${CA_ECC_CERT}" & PID=$! + wait_server ${PID} -kill $PID -wait + #-cipher ECDHE-ECDSA-AES128-SHA + "${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${ECC256_CERT}" key_file="${ECC256_KEY}" ca_file="${CA_ECC_CERT}" >"${LOGFILE}" 2>&1 || \ + fail ${PID} "Failed" -echo "Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP384R1)" -launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL$ADD" --x509certfile $ECC384_CERT --x509keyfile $ECC384_KEY --x509cafile $CA_ECC_CERT & PID=$! 
-wait_server $PID + kill ${PID} + wait -#-cipher ECDHE-ECDSA-AES128-SHA -$POLARSSL_CLI server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port=$PORT crt_file=$ECC384_CERT key_file=$ECC384_KEY ca_file=$CA_ECC_CERT >$LOGFILE 2>&1 || \ - fail $PID "Failed" + echo "Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP384R1)" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC384_CERT}" --x509keyfile "${ECC384_KEY}" --x509cafile "${CA_ECC_CERT}" & PID=$! + wait_server ${PID} -kill $PID -wait + #-cipher ECDHE-ECDSA-AES128-SHA + "${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${ECC384_CERT}" key_file="${ECC384_KEY}" ca_file="${CA_ECC_CERT}" >"${LOGFILE}" 2>&1 || \ + fail ${PID} "Failed" -echo "Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP521R1)" -launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL$ADD" --x509certfile $ECC521_CERT --x509keyfile $ECC521_KEY --x509cafile $CA_ECC_CERT & PID=$! -wait_server $PID + kill ${PID} + wait -#-cipher ECDHE-ECDSA-AES128-SHA -$POLARSSL_CLI server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port=$PORT crt_file=$ECC521_CERT key_file=$ECC521_KEY ca_file=$CA_ECC_CERT >$LOGFILE 2>&1 || \ - fail $PID "Failed" + echo "Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP521R1)" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC521_CERT}" --x509keyfile "${ECC521_KEY}" --x509cafile "${CA_ECC_CERT}" & PID=$! 
+ wait_server ${PID} -kill $PID -wait + #-cipher ECDHE-ECDSA-AES128-SHA + "${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${ECC521_CERT}" key_file="${ECC521_KEY}" ca_file="${CA_ECC_CERT}" >"${LOGFILE}" 2>&1 || \ + fail ${PID} "Failed" -echo "Check TLS 1.2 with PSK ciphersuite" -launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+PSK:+CURVE-ALL$ADD" --pskpasswd $SERV_PSK --x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT & PID=$! -wait_server $PID + kill ${PID} + wait -#-cipher PSK-AES128-SHA -$POLARSSL_CLI server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1_2 max_version=tls1_2 server_port=$PORT crt_file=$CLI_CERT key_file=$CLI_KEY ca_file=$CA_CERT >$LOGFILE 2>&1 || \ - fail $PID "Failed" + echo "Check TLS 1.2 with PSK ciphersuite" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" & PID=$! + wait_server ${PID} -kill $PID -wait + #-cipher PSK-AES128-SHA + "${POLARSSL_CLI}" server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ + fail ${PID} "Failed" -echo "Check TLS 1.2 with DHE-PSK ciphersuite" -launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-PSK:+CURVE-ALL$ADD" --pskpasswd $SERV_PSK --x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT & PID=$! 
-wait_server $PID + kill ${PID} + wait -#-cipher PSK-AES128-SHA -$POLARSSL_CLI server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1_2 max_version=tls1_2 server_port=$PORT crt_file=$CLI_CERT key_file=$CLI_KEY ca_file=$CA_CERT >$LOGFILE 2>&1 || \ - fail $PID "Failed" + echo "Check TLS 1.2 with DHE-PSK ciphersuite" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" & PID=$! + wait_server ${PID} -kill $PID -wait + #-cipher PSK-AES128-SHA + "${POLARSSL_CLI}" server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ + fail ${PID} "Failed" -echo "Check TLS 1.2 with ECDHE-PSK ciphersuite" -launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-PSK:+CURVE-ALL$ADD" --pskpasswd $SERV_PSK --x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT & PID=$! -wait_server $PID + kill ${PID} + wait -#-cipher PSK-AES128-SHA -$POLARSSL_CLI server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1_2 max_version=tls1_2 server_port=$PORT crt_file=$CLI_CERT key_file=$CLI_KEY ca_file=$CA_CERT >$LOGFILE 2>&1 || \ - fail $PID "Failed" + echo "Check TLS 1.2 with ECDHE-PSK ciphersuite" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" & PID=$! 
+ wait_server ${PID} -kill $PID -wait + #-cipher PSK-AES128-SHA + "${POLARSSL_CLI}" server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ + fail ${PID} "Failed" -echo "Check TLS 1.2 with RSA-PSK ciphersuite" -launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+RSA-PSK:+CURVE-ALL$ADD" --pskpasswd $SERV_PSK --x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT & PID=$! -wait_server $PID + kill ${PID} + wait -#-cipher RSA-PSK-AES128-SHA -$POLARSSL_CLI server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1_2 max_version=tls1_2 server_port=$PORT crt_file=$CLI_CERT key_file=$CLI_KEY ca_file=$CA_CERT >$LOGFILE 2>&1 || \ - fail $PID "Failed" + echo "Check TLS 1.2 with RSA-PSK ciphersuite" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+RSA-PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" & PID=$! + wait_server ${PID} -kill $PID -wait + #-cipher RSA-PSK-AES128-SHA + "${POLARSSL_CLI}" server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ + fail ${PID} "Failed" + kill ${PID} + wait done -rm -f $LOGFILE +rm -f "${LOGFILE}" exit 0 diff --git a/tests/suite/testcompat-openssl b/tests/suite/testcompat-openssl index f99c812..f82f00e 100755 --- a/tests/suite/testcompat-openssl +++ b/tests/suite/testcompat-openssl 
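Review bot: the `if test -z $TEXT` to `if test -z "${TXT}"` change near the top of this hunk is a functional fix hiding inside a quoting and indentation cleanup. `TEXT` was never assigned (the variable set on the line above is `TXT`), so `test -z` ran with an empty argument and was always true, ALL_CURVES was always 0, and the two SECP224R1 ECDHE-ECDSA checks guarded by `if test ${ALL_CURVES} = 1;then` were silently skipped. After this patch they run whenever `gnutls-cli --priority NORMAL --list` reports SECP224, so expect previously dormant test cases to start executing; that deserves a sentence in the commit message or its own commit. Two smaller points in the same hunk: `--dhparams params.dh` becoming `--dhparams "${srcdir}/params.dh"` is likewise a VPATH behaviour change, consistent with sourcing `"${srcdir}/testcompat-common"` instead of `./testcompat-common` (LOGFILE still lands in the current directory, which is fine for an output file); and the SSL 3.0 block under `if test 0 = 1;then` is dead code that has only been re-indented, so if the file is being reflowed anyway it would be simpler to drop it along with the commented-out DHE-DSS blocks, which carry no information beyond "No DSS for polarssl".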
@@ -30,23 +30,25 @@ # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY # WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +srcdir="${srcdir:-.}" + if ! test -x /usr/bin/openssl;then - echo "You need openssl to run this test" - exit 77 + echo "You need openssl to run this test" + exit 77 fi /usr/bin/openssl version|grep fips >/dev/null 2>&1 if test $? = 0;then - export FIPS=1 + export FIPS=1 else - export FIPS=0 + export FIPS=0 fi # Check for datefudge TSTAMP=`datefudge "2006-09-23 00:00 UTC" date -u +%s 2>/dev/null` -if test "$TSTAMP" != "1158969600"; then - echo "You need datefudge to run this test" - exit 77 +if test "${TSTAMP}" != "1158969600"; then + echo "You need datefudge to run this test" + exit 77 fi -datefudge "2012-09-2" ./testcompat-main-openssl +datefudge "2012-09-2" "${srcdir}/testcompat-main-openssl" diff --git a/tests/suite/testcompat-polarssl b/tests/suite/testcompat-polarssl index 3e78deb..fcaf99b 100755 --- a/tests/suite/testcompat-polarssl +++ b/tests/suite/testcompat-polarssl @@ -30,9 +30,11 @@ # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY # WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +srcdir="${srcdir:-.}" + # Check for datefudge TSTAMP=`datefudge "2006-09-23 00:00 UTC" date -u +%s 2>/dev/null` -if test "$TSTAMP" != "1158969600"; then +if test "${TSTAMP}" != "1158969600"; then echo "You need datefudge to run this test" exit 77 fi @@ -43,4 +45,4 @@ if test $? = 0;then exit 77 fi -datefudge "2012-09-2" ./testcompat-main-polarssl +datefudge "2012-09-2" "${srcdir}/testcompat-main-polarssl" diff --git a/tests/suite/testdane b/tests/suite/testdane index 714a582..2ec50dc 100755 --- a/tests/suite/testdane +++ b/tests/suite/testdane 
@@ -19,64 +19,64 @@ # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. srcdir="${srcdir:-.}" -DANETOOL="${DANETOOL:-../../src/danetool$EXEEXT}" +DANETOOL="${DANETOOL:-../../src/danetool${EXEEXT}}" unset RETCODE # Unfortunately it is extremely fragile and fails 99% of the # time. if test "${WINDIR}" != "";then exit 77 -fi +fi -. $srcdir/../scripts/common.sh +. "${srcdir}/../scripts/common.sh" # Fine hosts echo "" echo "*** Testing good HTTPS hosts ***" -# www.vulcano.cl dane.nox.su +# www.vulcano.cl dane.nox.su HOSTS="good.dane.verisignlabs.com www.freebsd.org www.kumari.net torproject.org fedoraproject.org" -HOSTS="$HOSTS nohats.ca" -for i in $HOSTS;do -echo -n "$i: " +HOSTS="${HOSTS} nohats.ca" +for host in ${HOSTS};do + echo -n "${host}: " -$DANETOOL --check $i >/dev/null 2>&1 -if [ $? != 0 ];then - echo "Error checking $i" - exit 1 -fi -echo "ok" + "${DANETOOL}" --check "${host}" >/dev/null 2>&1 + if [ $? != 0 ];then + echo "Error checking ${host}" + exit 1 + fi + echo "ok" done echo "" echo "*** Testing good SMTP hosts ***" #HOSTS="dougbarton.us nlnetlabs.nl" HOSTS="nlnetlabs.nl" -for i in $HOSTS;do -echo -n "$i: " +for host in ${HOSTS};do + echo -n "${host}: " -$DANETOOL --check $i --port 25 >/dev/null 2>&1 -if [ $? != 0 ];then - echo "Error checking $i" - exit 1 -fi -echo "ok" + "${DANETOOL}" --check "${host}" --port 25 >/dev/null 2>&1 + if [ $? != 0 ];then + echo "Error checking ${host}" + exit 1 + fi + echo "ok" done echo "" echo "*** Testing bad HTTPS hosts ***" # Not ok -# used to work: dane-broken.rd.nic.fr +# used to work: dane-broken.rd.nic.fr HOSTS="bad-hash.dane.verisignlabs.com bad-params.dane.verisignlabs.com" -HOSTS="$HOSTS bad-sig.dane.verisignlabs.com" -for i in $HOSTS;do -echo -n "$i: " -$DANETOOL --check $i >/dev/null 2>&1 -if [ $? 
= 0 ];then - echo "Checking $i should have failed" - exit 1 -fi -echo "ok" +HOSTS="${HOSTS} bad-sig.dane.verisignlabs.com" +for host in ${HOSTS};do + echo -n "${host}: " + "${DANETOOL}" --check "${host}" >/dev/null 2>&1 + if [ $? = 0 ];then + echo "Checking ${host} should have failed" + exit 1 + fi + echo "ok" done diff --git a/tests/suite/testpkcs11 b/tests/suite/testpkcs11 index 2a4b88f..b301cc3 100755 --- a/tests/suite/testpkcs11 +++ b/tests/suite/testpkcs11 
@@ -19,57 +19,57 @@ # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. srcdir="${srcdir:-.}" -P11TOOL="${P11TOOL:-../../src/p11tool$EXEEXT}" -CERTTOOL="${CERTTOOL:-../../src/certtool$EXEEXT}" +P11TOOL="${P11TOOL:-../../src/p11tool${EXEEXT}}" +CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" DIFF="${DIFF:-diff -b -B}" -SERV="${SERV:-../../src/gnutls-serv$EXEEXT} -q" -CLI="${CLI:-../../src/gnutls-cli$EXEEXT}" +SERV="${SERV:-../../src/gnutls-serv${EXEEXT}} -q" +CLI="${CLI:-../../src/gnutls-cli${EXEEXT}}" RETCODE=0 if ! test -z "${VALGRIND}";then -VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --leak-check=no" + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --leak-check=no" fi -TMPFILE=$srcdir/testpkcs11.debug +TMPFILE="testpkcs11.debug" CERTTOOL_PARAM="--stdout-info" if test "${WINDIR}" != "";then exit 77 fi -P11TOOL="$VALGRIND $P11TOOL --batch" +P11TOOL="${VALGRIND} ${P11TOOL} --batch" -. $srcdir/../scripts/common.sh +. ${srcdir}/../scripts/common.sh -PORT="${PORT:-$RPORT}" +PORT="${PORT:-${RPORT}}" -rm -f $TMPFILE +rm -f "${TMPFILE}" exit_error () { - echo "Check $TMPFILE for additional debugging information" - echo "" - echo "" - tail $TMPFILE - exit 1 + echo "Check ${TMPFILE} for additional debugging information" + echo "" + echo "" + tail "${TMPFILE}" + exit 1 } # $1: token # $2: PIN # $3: filename -# $srcdir/pkcs11-certs/client.key +# ${srcdir}/pkcs11-certs/client.key write_privkey () { - export GNUTLS_PIN=$2 - - filename=$3 - token=$1 - echo -n "* Writing a client private key... " - $P11TOOL $ADDITIONAL_PARAM --login --write --label gnutls-client2 --load-privkey "$filename" "$token" >>$TMPFILE 2>&1 - if test $? = 0;then - echo ok - else - echo failed - exit_error - fi + export GNUTLS_PIN="$2" + filename="$3" + token="$1" + + echo -n "* Writing a client private key... " + ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label gnutls-client2 --load-privkey "$(unknown)" "${token}" >>"${TMPFILE}" 2>&1 + if test $? 
= 0;then + echo ok + else + echo failed + exit_error + fi } @@ -77,18 +77,18 @@ write_privkey () { # $2: PIN # $3: filename write_serv_privkey () { - export GNUTLS_PIN=$2 - - filename=$3 - token=$1 - echo -n "* Writing the server private key... " - $P11TOOL $ADDITIONAL_PARAM --login --write --label serv-key --load-privkey "$filename" "$token" >>$TMPFILE 2>&1 - if test $? = 0;then - echo ok - else - echo failed - exit_error - fi + export GNUTLS_PIN="$2" + filename="$3" + token="$1" + + echo -n "* Writing the server private key... " + ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label serv-key --load-privkey "$(unknown)" "${token}" >>"${TMPFILE}" 2>&1 + if test $? = 0;then + echo ok + else + echo failed + exit_error + fi } @@ -96,18 +96,18 @@ write_serv_privkey () { # $2: PIN # $3: filename write_serv_cert () { - export GNUTLS_PIN=$2 - - filename=$3 - token=$1 - echo -n "* Writing the server certificate... " - $P11TOOL $ADDITIONAL_PARAM --login --write --no-mark-private --label serv-cert --load-certificate "$filename" "$token" >>$TMPFILE 2>&1 - if test $? = 0;then - echo ok - else - echo failed - exit_error - fi + export GNUTLS_PIN="$2" + filename="$3" + token="$1" + + echo -n "* Writing the server certificate... " + ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --no-mark-private --label serv-cert --load-certificate "$(unknown)" "${token}" >>"${TMPFILE}" 2>&1 + if test $? = 0;then + echo ok + else + echo failed + exit_error + fi } 
@@ -115,282 +115,282 @@ write_serv_cert () { # $2: PIN # $3: bits generate_rsa_privkey () { - export GNUTLS_PIN=$2 - token=$1 - bits=$3 - - echo -n "* Generating RSA private key ($bits)... " - $P11TOOL $ADDITIONAL_PARAM --login --id 000102030405 --label gnutls-client --generate-rsa --bits $bits "$token" --outfile tmp-client.pub >>$TMPFILE 2>&1 - if test $? = 0;then - echo ok - else - echo failed - exit 1 - fi + export GNUTLS_PIN="$2" + token="$1" + bits="$3" + + echo -n "* Generating RSA private key ("${bits}")... " + ${P11TOOL} ${ADDITIONAL_PARAM} --login --id 000102030405 --label gnutls-client --generate-rsa --bits "${bits}" "${token}" --outfile tmp-client.pub >>"${TMPFILE}" 2>&1 + if test $? = 0;then + echo ok + else + echo failed + exit 1 + fi } # $1: token # $2: PIN # $3: bits generate_temp_rsa_privkey () { - export GNUTLS_PIN=$2 - token=$1 - bits=$3 - - echo -n "* Generating RSA private key ($bits)... " - $P11TOOL $ADDITIONAL_PARAM --login --label temp-rsa-$bits --generate-rsa --bits $bits "$token" --outfile tmp-client.pub >>$TMPFILE 2>&1 - if test $? = 0;then - RETCODE=0 - echo ok - else - echo failed - RETCODE=1 - fi - -# if test $RETCODE = 0;then -# echo -n "* Testing private key flags... " -# $P11TOOL $ADDITIONAL_PARAM --login --list-keys "$token;object=gnutls-client2;object-type=private" >tmp-client-2.pub 2>>$TMPFILE -# if test $? != 0;then -# echo failed -# exit_error -# fi + export GNUTLS_PIN="$2" + token="$1" + bits="$3" + + echo -n "* Generating RSA private key ("${bits}")... " + ${P11TOOL} ${ADDITIONAL_PARAM} --login --label temp-rsa-"${bits}" --generate-rsa --bits "${bits}" "${token}" --outfile tmp-client.pub >>"${TMPFILE}" 2>&1 + if test $? = 0;then + RETCODE=0 + echo ok + else + echo failed + RETCODE=1 + fi + +# if test ${RETCODE} = 0;then +# echo -n "* Testing private key flags... " +# ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-keys "${token};object=gnutls-client2;object-type=private" >tmp-client-2.pub 2>>"${TMPFILE}" +# if test $? 
!= 0;then +# echo failed +# exit_error +# fi # -# grep CKA_WRAP tmp-client-2.pub >>$TMPFILE 2>&1 -# if test $? != 0;then -# echo "failed (no CKA_WRAP)" -# exit_error -# else -# echo ok -# fi -# fi +# grep CKA_WRAP tmp-client-2.pub >>"${TMPFILE}" 2>&1 +# if test $? != 0;then +# echo "failed (no CKA_WRAP)" +# exit_error +# else +# echo ok +# fi +# fi } # $1: token # $2: PIN delete_temp_privkey () { - export GNUTLS_PIN=$2 - token=$1 - type=$3 + export GNUTLS_PIN="$2" + token="$1" + type="$3" - test "$RETCODE" = "0" || return + test "${RETCODE}" = "0" || return - echo -n "* Deleting private key... " - $P11TOOL $ADDITIONAL_PARAM --login --delete "$token;object=temp-$type;object-type=private" >>$TMPFILE 2>&1 + echo -n "* Deleting private key... " + ${P11TOOL} ${ADDITIONAL_PARAM} --login --delete "${token};object=temp-${type};object-type=private" >>"${TMPFILE}" 2>&1 - if test $? != 0;then - echo failed - RETCODE=1 - return - fi + if test $? != 0;then + echo failed + RETCODE=1 + return + fi - RETCODE=0 - echo ok + RETCODE=0 + echo ok } # $1: token # $2: PIN # $3: bits export_pubkey_of_privkey () { - export GNUTLS_PIN=$2 - token=$1 - bits=$3 - - echo -n "* Exporting public key of generated private key... " - $P11TOOL $ADDITIONAL_PARAM --login --export-pubkey "$token;object=gnutls-client;object-type=private" --outfile tmp-client-2.pub >>$TMPFILE 2>&1 - if test $? != 0;then - echo failed - exit 1 - fi - - $DIFF tmp-client.pub tmp-client-2.pub - if test $? != 0;then - echo keys differ - exit 1 - fi - - echo ok + export GNUTLS_PIN="$2" + token="$1" + bits="$3" + + echo -n "* Exporting public key of generated private key... " + ${P11TOOL} ${ADDITIONAL_PARAM} --login --export-pubkey "${token};object=gnutls-client;object-type=private" --outfile tmp-client-2.pub >>"${TMPFILE}" 2>&1 + if test $? != 0;then + echo failed + exit 1 + fi + + ${DIFF} tmp-client.pub tmp-client-2.pub + if test $? 
!= 0;then + echo keys differ + exit 1 + fi + + echo ok } # $1: token # $2: PIN change_id_of_privkey () { - export GNUTLS_PIN=$2 - token=$1 - - echo -n "* Change the CKA_ID of generated private key... " - $P11TOOL $ADDITIONAL_PARAM --login --set-id "01a1b103" "$token;object=gnutls-client;id=%00%01%02%03%04%05;object-type=private" >>$TMPFILE 2>&1 - if test $? != 0;then - echo failed - exit_error - fi - - $P11TOOL $ADDITIONAL_PARAM --login --list-privkeys "$token;object=gnutls-client;object-type=private;id=%01%a1%b1%03" 2>&1 | grep 'ID: 01:a1:b1:03' >>$TMPFILE 2>&1 - if test $? != 0;then - echo "ID didn't change" - exit_error - fi - - echo ok + export GNUTLS_PIN="$2" + token="$1" + + echo -n "* Change the CKA_ID of generated private key... " + ${P11TOOL} ${ADDITIONAL_PARAM} --login --set-id "01a1b103" "${token};object=gnutls-client;id=%00%01%02%03%04%05;object-type=private" >>"${TMPFILE}" 2>&1 + if test $? != 0;then + echo failed + exit_error + fi + + ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-privkeys "${token};object=gnutls-client;object-type=private;id=%01%a1%b1%03" 2>&1 | grep 'ID: 01:a1:b1:03' >>"${TMPFILE}" 2>&1 + if test $? != 0;then + echo "ID didn't change" + exit_error + fi + + echo ok } # $1: token # $2: PIN change_label_of_privkey () { - export GNUTLS_PIN=$2 - token=$1 - - echo -n "* Change the CKA_LABEL of generated private key... " - $P11TOOL $ADDITIONAL_PARAM --login --set-label "new-label" "$token;object=gnutls-client;object-type=private" >>$TMPFILE 2>&1 - if test $? != 0;then - echo failed - exit_error - fi - - $P11TOOL $ADDITIONAL_PARAM --login --list-privkeys "$token;object=new-label;object-type=private" 2>&1 |grep 'Label: new-label' >>$TMPFILE 2>&1 - if test $? != 0;then - echo "label didn't change" - exit_error - fi - - $P11TOOL $ADDITIONAL_PARAM --login --set-label "gnutls-client" "$token;object=new-label;object-type=private" >>$TMPFILE 2>&1 - if test $? 
!= 0;then - echo failed - exit_error - fi - - echo ok + export GNUTLS_PIN="$2" + token="$1" + + echo -n "* Change the CKA_LABEL of generated private key... " + ${P11TOOL} ${ADDITIONAL_PARAM} --login --set-label "new-label" "${token};object=gnutls-client;object-type=private" >>"${TMPFILE}" 2>&1 + if test $? != 0;then + echo failed + exit_error + fi + + ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-privkeys "${token};object=new-label;object-type=private" 2>&1 |grep 'Label: new-label' >>"${TMPFILE}" 2>&1 + if test $? != 0;then + echo "label didn't change" + exit_error + fi + + ${P11TOOL} ${ADDITIONAL_PARAM} --login --set-label "gnutls-client" "${token};object=new-label;object-type=private" >>"${TMPFILE}" 2>&1 + if test $? != 0;then + echo failed + exit_error + fi + + echo ok } # $1: token # $2: PIN # $3: bits generate_temp_ecc_privkey () { - export GNUTLS_PIN=$2 - token=$1 - bits=$3 - - echo -n "* Generating ECC private key ($bits)... " - $P11TOOL $ADDITIONAL_PARAM --login --label temp-ecc-$bits --generate-ecc --bits $bits "$token" --outfile tmp-client.pub >>$TMPFILE 2>&1 - if test $? = 0;then - RETCODE=0 - echo ok - else - echo failed - RETCODE=1 - fi + export GNUTLS_PIN="$2" + token="$1" + bits="$3" + + echo -n "* Generating ECC private key (${bits})... " + ${P11TOOL} ${ADDITIONAL_PARAM} --login --label "temp-ecc-${bits}" --generate-ecc --bits "${bits}" "${token}" --outfile tmp-client.pub >>"${TMPFILE}" 2>&1 + if test $? = 0;then + RETCODE=0 + echo ok + else + echo failed + RETCODE=1 + fi } # $1: token # $2: PIN -# $3: cakey: $srcdir/pkcs11-certs/ca.key -# $4: cacert: $srcdir/pkcs11-certs/ca.crt +# $3: cakey: ${srcdir}/pkcs11-certs/ca.key +# $4: cacert: ${srcdir}/pkcs11-certs/ca.crt # # Tests writing a certificate which corresponds to the given key, # as well as the CA certificate, and tries to export them. write_certificate_test () { - export GNUTLS_PIN=$2 - token=$1 - cakey=$3 - cacert=$4 - pubkey=$5 - - echo -n "* Generating client certificate... 
" - $CERTTOOL $CERTTOOL_PARAM $ADDITIONAL_PARAM --generate-certificate --load-ca-privkey "$cakey" --load-ca-certificate "$cacert" \ - --template $srcdir/pkcs11-certs/client-tmpl --load-privkey "$token;object=gnutls-client;object-type=private" \ - --load-pubkey "$pubkey" --outfile tmp-client.crt >>$TMPFILE 2>&1 - - if test $? = 0;then - echo ok - else - echo failed - exit_error - fi - - echo -n "* Writing client certificate... " - $P11TOOL $ADDITIONAL_PARAM --login --write --id "01a1b103" --label gnutls-client --load-certificate tmp-client.crt "$token" >>$TMPFILE 2>&1 - if test $? = 0;then - echo ok - else - echo failed - exit_error - fi - - echo -n "* Checking whether ID was correctly set... " - $P11TOOL $ADDITIONAL_PARAM --login --list-certs "$token;object=gnutls-client;object-type=private;id=%01%a1%b1%03" 2>&1 | grep 'ID: 01:a1:b1:03' >>$TMPFILE 2>&1 - if test $? != 0;then - echo "ID was not set on copy" - exit_error - fi - echo ok - - echo -n "* Writing certificate of client's CA... " - $P11TOOL $ADDITIONAL_PARAM --login --mark-trusted --mark-ca --write --label gnutls-ca --load-certificate "$cacert" "$token" >>$TMPFILE 2>&1 - ret=$? - if test $ret != 0;then - $P11TOOL $ADDITIONAL_PARAM --so-login --mark-ca --write --mark-trusted --label gnutls-ca --load-certificate "$cacert" "$token" >>$TMPFILE 2>&1 - ret=$? - fi - - if test $ret = 0;then - echo ok - else - echo failed - exit_error - fi - - echo -n "* Testing certificate flags... " - $P11TOOL $ADDITIONAL_PARAM --login --list-all-certs "$token;object=gnutls-ca;object-type=cert" |grep Flags|head -n 1 >tmp-client-2.pub 2>>$TMPFILE - if test $? != 0;then - echo failed - exit_error - fi - - grep CKA_TRUSTED tmp-client-2.pub >>$TMPFILE 2>&1 - if test $? != 0;then - echo "failed (no CKA_TRUSTED)" - #exit_error - fi - - grep "CKA_CERTIFICATE_CATEGORY=CA" tmp-client-2.pub >>$TMPFILE 2>&1 - if test $? 
!= 0;then - echo "failed (no CKA_CERTIFICATE_CATEGORY=CA)" - #exit_error - fi - - echo ok - - - echo -n "* Trying to obtain back the cert... " - $P11TOOL $ADDITIONAL_PARAM --export "$token;object=gnutls-ca;object-type=cert" --outfile crt1.tmp >>$TMPFILE 2>&1 - $DIFF crt1.tmp $srcdir/pkcs11-certs/ca.crt - if test $? != 0;then - echo "failed. Exported certificate differs (crt1.tmp)!" - exit_error - fi - rm -f crt1.tmp - if test $? = 0;then - echo ok - else - echo failed - exit_error - fi - - echo -n "* Trying to obtain the full chain... " - $P11TOOL $ADDITIONAL_PARAM --login --export-chain "$token;object=gnutls-client;object-type=cert"|$CERTTOOL $CERTTOOL_PARAM -i --outfile crt1.tmp >>$TMPFILE 2>&1 - - cat tmp-client.crt $srcdir/pkcs11-certs/ca.crt|$CERTTOOL $CERTTOOL_PARAM -i >crt2.tmp - $DIFF crt1.tmp crt2.tmp - if test $? != 0;then - echo "failed. Exported certificate chain differs!" - exit_error - fi - rm -f crt1.tmp crt2.tmp - if test $? = 0;then - echo ok - else - echo failed - exit_error - fi + export GNUTLS_PIN="$2" + token="$1" + cakey="$3" + cacert="$4" + pubkey="$5" + + echo -n "* Generating client certificate... " + "${CERTTOOL}" ${CERTTOOL_PARAM} ${ADDITIONAL_PARAM} --generate-certificate --load-ca-privkey "${cakey}" --load-ca-certificate "${cacert}" \ + --template ${srcdir}/pkcs11-certs/client-tmpl --load-privkey "${token};object=gnutls-client;object-type=private" \ + --load-pubkey "$pubkey" --outfile tmp-client.crt >>"${TMPFILE}" 2>&1 + + if test $? = 0;then + echo ok + else + echo failed + exit_error + fi + + echo -n "* Writing client certificate... " + ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --id "01a1b103" --label gnutls-client --load-certificate tmp-client.crt "${token}" >>"${TMPFILE}" 2>&1 + if test $? = 0;then + echo ok + else + echo failed + exit_error + fi + + echo -n "* Checking whether ID was correctly set... 
" + ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-certs "${token};object=gnutls-client;object-type=private;id=%01%a1%b1%03" 2>&1 | grep 'ID: 01:a1:b1:03' >>"${TMPFILE}" 2>&1 + if test $? != 0;then + echo "ID was not set on copy" + exit_error + fi + echo ok + + echo -n "* Writing certificate of client's CA... " + ${P11TOOL} ${ADDITIONAL_PARAM} --login --mark-trusted --mark-ca --write --label gnutls-ca --load-certificate "${cacert}" "${token}" >>"${TMPFILE}" 2>&1 + ret=$? + if test ${ret} != 0;then + ${P11TOOL} ${ADDITIONAL_PARAM} --so-login --mark-ca --write --mark-trusted --label gnutls-ca --load-certificate "${cacert}" "${token}" >>"${TMPFILE}" 2>&1 + ret=$? + fi + + if test ${ret} = 0;then + echo ok + else + echo failed + exit_error + fi + + echo -n "* Testing certificate flags... " + ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-all-certs "${token};object=gnutls-ca;object-type=cert" |grep Flags|head -n 1 >tmp-client-2.pub 2>>"${TMPFILE}" + if test $? != 0;then + echo failed + exit_error + fi + + grep CKA_TRUSTED tmp-client-2.pub >>"${TMPFILE}" 2>&1 + if test $? != 0;then + echo "failed (no CKA_TRUSTED)" + #exit_error + fi + + grep "CKA_CERTIFICATE_CATEGORY=CA" tmp-client-2.pub >>"${TMPFILE}" 2>&1 + if test $? != 0;then + echo "failed (no CKA_CERTIFICATE_CATEGORY=CA)" + #exit_error + fi + + echo ok + + + echo -n "* Trying to obtain back the cert... " + ${P11TOOL} ${ADDITIONAL_PARAM} --export "${token};object=gnutls-ca;object-type=cert" --outfile crt1.tmp >>"${TMPFILE}" 2>&1 + ${DIFF} crt1.tmp "${srcdir}/pkcs11-certs/ca.crt" + if test $? != 0;then + echo "failed. Exported certificate differs (crt1.tmp)!" + exit_error + fi + rm -f crt1.tmp + if test $? = 0;then + echo ok + else + echo failed + exit_error + fi + + echo -n "* Trying to obtain the full chain... 
" + ${P11TOOL} ${ADDITIONAL_PARAM} --login --export-chain "${token};object=gnutls-client;object-type=cert"|"${CERTTOOL}" ${CERTTOOL_PARAM} -i --outfile crt1.tmp >>"${TMPFILE}" 2>&1 + + cat tmp-client.crt ${srcdir}/pkcs11-certs/ca.crt|"${CERTTOOL}" ${CERTTOOL_PARAM} -i >crt2.tmp + ${DIFF} crt1.tmp crt2.tmp + if test $? != 0;then + echo "failed. Exported certificate chain differs!" + exit_error + fi + rm -f crt1.tmp crt2.tmp + if test $? = 0;then + echo ok + else + echo failed + exit_error + fi } 
@@ -402,39 +402,39 @@ write_certificate_test () { # # Tests using a certificate and key pair using gnutls-serv and gnutls-cli. use_certificate_test () { - export GNUTLS_PIN=$2 - token=$1 - certfile=$3 - keyfile=$4 - cafile=$5 - txt=$6 - - echo -n "* Using PKCS #11 with gnutls-cli ($txt)... " - # start server - launch_pkcs11_server $$ "$ADDITIONAL_PARAM" --echo --priority NORMAL --x509certfile="$certfile" \ - --x509keyfile="$keyfile" --x509cafile="$cafile" \ - --require-client-cert >>$TMPFILE 2>&1 & - - PID=$! - wait_server $PID - - # connect to server using SC - $VALGRIND $CLI $ADDITIONAL_PARAM -p $PORT localhost --priority NORMAL --x509cafile="$cafile" >$TMPFILE 2>&1 && \ - fail $PID "Connection should have failed!" - - $VALGRIND $CLI $ADDITIONAL_PARAM -p $PORT localhost --priority NORMAL --x509certfile="$certfile" \ - --x509keyfile="$keyfile" --x509cafile="$cafile" >$TMPFILE 2>&1 || \ - fail $PID "Connection (with files) should have succeeded!" - - $VALGRIND $CLI $ADDITIONAL_PARAM -p $PORT localhost --priority NORMAL --x509certfile="$token;object=gnutls-client;object-type=cert" \ - --x509keyfile="$token;object=gnutls-client;object-type=private" \ - --x509cafile="$cafile" >$TMPFILE 2>&1 || \ - fail $PID "Connection (with SC) should have succeeded!" - - kill $PID - wait - - echo ok + export GNUTLS_PIN="$2" + token="$1" + certfile="$3" + keyfile="$4" + cafile="$5" + txt="$6" + + echo -n "* Using PKCS #11 with gnutls-cli (${txt})... " + # start server + launch_pkcs11_server $$ "${ADDITIONAL_PARAM}" --echo --priority NORMAL --x509certfile="${certfile}" \ + --x509keyfile="$keyfile" --x509cafile="${cafile}" \ + --require-client-cert >>"${TMPFILE}" 2>&1 & + + PID=$! + wait_server ${PID} + + # connect to server using SC + ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509cafile="${cafile}" >"${TMPFILE}" 2>&1 && \ + fail ${PID} "Connection should have failed!" 
+ + ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${certfile}" \ + --x509keyfile="$keyfile" --x509cafile="${cafile}" >"${TMPFILE}" 2>&1 || \ + fail ${PID} "Connection (with files) should have succeeded!" + + ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${token};object=gnutls-client;object-type=cert" \ + --x509keyfile="${token};object=gnutls-client;object-type=private" \ + --x509cafile="${cafile}" >"${TMPFILE}" 2>&1 || \ + fail ${PID} "Connection (with SC) should have succeeded!" + + kill ${PID} + wait + + echo ok } 
@@ -443,65 +443,65 @@ echo "Testing PKCS11 support" # erase SC -type=$1 +type="$1" -if test -z "$type";then - echo "usage: $0: [pkcs15|softhsm|sc-hsm]" - if test -x "/usr/bin/softhsm" || test -x "/usr/bin/softhsm2-util";then - echo "assuming 'softhsm'" - echo "" - type=softhsm - else - exit 1 - fi +if test -z "${type}";then + echo "usage: $0: [pkcs15|softhsm|sc-hsm]" + if test -x "/usr/bin/softhsm" || test -x "/usr/bin/softhsm2-util";then + echo "assuming 'softhsm'" + echo "" + type=softhsm + else + exit 1 + fi fi -. $srcdir/testpkcs11.$type +. "${srcdir}/testpkcs11.${type}" export GNUTLS_PIN=12345678 export GNUTLS_SO_PIN=00000000 -init_card $GNUTLS_PIN $GNUTLS_SO_PIN +init_card "${GNUTLS_PIN}" "${GNUTLS_SO_PIN}" # find token name -TOKEN=`$P11TOOL $ADDITIONAL_PARAM --list-tokens pkcs11:token=Nikos|grep URL|grep token=GnuTLS-Test|sed 's/\s*URL\: //g'` +TOKEN=`${P11TOOL} ${ADDITIONAL_PARAM} --list-tokens pkcs11:token=Nikos|grep URL|grep token=GnuTLS-Test|sed 's/\s*URL\: //g'` -echo "* Token: $TOKEN" -if test x"$TOKEN" = x;then - echo "Could not find generated token" - exit_error +echo "* Token: ${TOKEN}" +if test "x${TOKEN}" = x;then + echo "Could not find generated token" + exit_error fi #write a given privkey -write_privkey $TOKEN $GNUTLS_PIN "$srcdir/pkcs11-certs/client.key" +write_privkey "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/pkcs11-certs/client.key" -generate_temp_ecc_privkey $TOKEN $GNUTLS_PIN 256 -delete_temp_privkey $TOKEN $GNUTLS_PIN ecc-256 +generate_temp_ecc_privkey "${TOKEN}" "${GNUTLS_PIN}" 256 +delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" ecc-256 -generate_temp_ecc_privkey $TOKEN $GNUTLS_PIN 384 -delete_temp_privkey $TOKEN $GNUTLS_PIN ecc-384 +generate_temp_ecc_privkey "${TOKEN}" "${GNUTLS_PIN}" 384 +delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" ecc-384 -generate_temp_rsa_privkey $TOKEN $GNUTLS_PIN 2048 -delete_temp_privkey $TOKEN $GNUTLS_PIN rsa-2048 +generate_temp_rsa_privkey "${TOKEN}" "${GNUTLS_PIN}" 2048 +delete_temp_privkey "${TOKEN}" 
"${GNUTLS_PIN}" rsa-2048 -generate_rsa_privkey $TOKEN $GNUTLS_PIN 1024 -change_id_of_privkey $TOKEN $GNUTLS_PIN -export_pubkey_of_privkey $TOKEN $GNUTLS_PIN -change_label_of_privkey $TOKEN $GNUTLS_PIN +generate_rsa_privkey "${TOKEN}" "${GNUTLS_PIN}" 1024 +change_id_of_privkey "${TOKEN}" "${GNUTLS_PIN}" +export_pubkey_of_privkey "${TOKEN}" "${GNUTLS_PIN}" +change_label_of_privkey "${TOKEN}" "${GNUTLS_PIN}" -write_certificate_test $TOKEN $GNUTLS_PIN "$srcdir/pkcs11-certs/ca.key" "$srcdir/pkcs11-certs/ca.crt" tmp-client.pub +write_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/pkcs11-certs/ca.key" "${srcdir}/pkcs11-certs/ca.crt" tmp-client.pub -write_serv_privkey $TOKEN $GNUTLS_PIN "$srcdir/pkcs11-certs/server.key" -write_serv_cert $TOKEN $GNUTLS_PIN "$srcdir/pkcs11-certs/server.crt" +write_serv_privkey "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/pkcs11-certs/server.key" +write_serv_cert "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/pkcs11-certs/server.crt" -use_certificate_test $TOKEN $GNUTLS_PIN "$TOKEN;object=serv-cert;object-type=cert" "$TOKEN;object=serv-key;object-type=private" "$srcdir/pkcs11-certs/ca.crt" "full URLs" +use_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${TOKEN};object=serv-cert;object-type=cert" "${TOKEN};object=serv-key;object-type=private" "${srcdir}/pkcs11-certs/ca.crt" "full URLs" -use_certificate_test $TOKEN $GNUTLS_PIN "$TOKEN;object=serv-cert" "$TOKEN;object=serv-key" "$srcdir/pkcs11-certs/ca.crt" "abbrv URLs" +use_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${TOKEN};object=serv-cert" "${TOKEN};object=serv-key" "${srcdir}/pkcs11-certs/ca.crt" "abbrv URLs" -if test $RETCODE = 0;then - echo "* All smart cards tests succeeded" +if test ${RETCODE} = 0;then + echo "* All smart cards tests succeeded" fi -rm -f tmp-client.crt tmp-client.pub tmp-client-2.pub $TMPFILE +rm -f tmp-client.crt tmp-client.pub tmp-client-2.pub "${TMPFILE}" exit 0 diff --git a/tests/suite/testpkcs11.pkcs15 b/tests/suite/testpkcs11.pkcs15 index d72163b..59c535e 100644 
--- a/tests/suite/testpkcs11.pkcs15 +++ b/tests/suite/testpkcs11.pkcs15 @@ -20,27 +20,26 @@ init_card () { - PIN=$1 - PUK=$2 + PIN="$1" + PUK="$2" - echo -n "* Erasing smart card... " - pkcs15-init -E >$TMPFILE 2>&1 - if test $? = 0;then - echo ok - else - echo failed - cat $TMPFILE - exit_error - fi + echo -n "* Erasing smart card... " + pkcs15-init -E >"${TMPFILE}" 2>&1 + if test $? = 0;then + echo ok + else + echo failed + cat "${TMPFILE}" + exit_error + fi - echo -n "* Initializing smart card... " - pkcs15-init --create-pkcs15 --profile pkcs15+onepin --use-default-transport-key --so-pin $PIN --pin $PIN --puk $PUK --label "GnuTLS-Test" >$TMPFILE 2>&1 - if test $? = 0;then - echo ok - else - echo failed - cat $TMPFILE - exit_error - fi + echo -n "* Initializing smart card... " + pkcs15-init --create-pkcs15 --profile pkcs15+onepin --use-default-transport-key --so-pin "${PIN}" --pin "${PIN}" --puk "${PUK}" --label "GnuTLS-Test" >"${TMPFILE}" 2>&1 + if test $? = 0;then + echo ok + else + echo failed + cat "${TMPFILE}" + exit_error + fi } - diff --git a/tests/suite/testpkcs11.sc-hsm b/tests/suite/testpkcs11.sc-hsm index 03b86a4..26ce485 100644 --- a/tests/suite/testpkcs11.sc-hsm +++ b/tests/suite/testpkcs11.sc-hsm 
@@ -20,32 +20,31 @@ init_card () { - PIN=$1 - PUK=3537363231383830 - export GNUTLS_SO_PIN=$PUK + PIN="$1" + PUK=3537363231383830 + export GNUTLS_SO_PIN="${PUK}" - echo -n "* Erasing smart card... " - sc-hsm-tool --initialize --so-pin $PUK --pin $PIN --label=GnuTLS-Test >>$TMPFILE 2>&1 - if test $? = 0;then - echo ok - else - echo failed - exit_error - fi + echo -n "* Erasing smart card... " + sc-hsm-tool --initialize --so-pin "${PUK}" --pin "${PIN}" --label=GnuTLS-Test >>"${TMPFILE}" 2>&1 + if test $? = 0;then + echo ok + else + echo failed + exit_error + fi - echo -n "* Initializing smart card... " - TOKEN=`$P11TOOL $ADDITIONAL_PARAM --list-tokens pkcs11:token=Nikos|grep URL|grep token=GnuTLS-Test|sed 's/\s*URL\: //g'` - if test -z "$TOKEN";then - echo "Could not find initialized card" - exit_error - fi + echo -n "* Initializing smart card... " + TOKEN=`${P11TOOL} ${ADDITIONAL_PARAM} --list-tokens pkcs11:token=Nikos|grep URL|grep token=GnuTLS-Test|sed 's/\s*URL\: //g'` + if test -z "${TOKEN}";then + echo "Could not find initialized card" + exit_error + fi - $P11TOOL $ADDITIONAL_PARAM --initialize "$TOKEN" --set-so-pin $PUK --set-pin $PIN --label "GnuTLS-Test" >>$TMPFILE 2>&1 - if test $? = 0;then - echo ok - else - echo failed - exit_error - fi + ${P11TOOL} ${ADDITIONAL_PARAM} --initialize "${TOKEN}" --set-so-pin "${PUK}" --set-pin "${PIN}" --label "GnuTLS-Test" >>"${TMPFILE}" 2>&1 + if test $? = 0;then + echo ok + else + echo failed + exit_error + fi } - diff --git a/tests/suite/testpkcs11.softhsm b/tests/suite/testpkcs11.softhsm index c58dde1..b444e62 100755 --- a/tests/suite/testpkcs11.softhsm +++ b/tests/suite/testpkcs11.softhsm 
@@ -19,57 +19,56 @@ # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. if test -f /usr/lib64/pkcs11/libsofthsm2.so;then - ADDITIONAL_PARAM="--provider /usr/lib64/pkcs11/libsofthsm2.so" + ADDITIONAL_PARAM="--provider /usr/lib64/pkcs11/libsofthsm2.so" else - if test -f /usr/lib/softhsm/libsofthsm.so;then - ADDITIONAL_PARAM="--provider /usr/lib/softhsm/libsofthsm.so" - else - ADDITIONAL_PARAM="--provider /usr/lib64/softhsm/libsofthsm.so" - fi + if test -f /usr/lib/softhsm/libsofthsm.so;then + ADDITIONAL_PARAM="--provider /usr/lib/softhsm/libsofthsm.so" + else + ADDITIONAL_PARAM="--provider /usr/lib64/softhsm/libsofthsm.so" + fi fi init_card () { - PIN=$1 - PUK=$2 + PIN="$1" + PUK="$2" - if test -x "/usr/bin/softhsm2-util";then - export SOFTHSM2_CONF="softhsm-testpkcs11.config" - SOFTHSM_TOOL="/usr/bin/softhsm2-util" - $SOFTHSM_TOOL --version|grep "2.0.0b1" >/dev/null 2>&1 - if test $? = 0;then - echo "softhsm2-util 2.0.0b1 is broken" - exit 77 - fi - fi + if test -x "/usr/bin/softhsm2-util";then + export SOFTHSM2_CONF="softhsm-testpkcs11.config" + SOFTHSM_TOOL="/usr/bin/softhsm2-util" + ${SOFTHSM_TOOL} --version|grep "2.0.0b1" >/dev/null 2>&1 + if test $? 
= 0;then + echo "softhsm2-util 2.0.0b1 is broken" + exit 77 + fi + fi - if test -x "/usr/bin/softhsm";then - export SOFTHSM_CONF="softhsm-testpkcs11.config" - SOFTHSM_TOOL="/usr/bin/softhsm" - fi + if test -x "/usr/bin/softhsm";then + export SOFTHSM_CONF="softhsm-testpkcs11.config" + SOFTHSM_TOOL="/usr/bin/softhsm" + fi - if test -z "$SOFTHSM_TOOL";then - echo "Could not find softhsm(2) tool" - exit 77 - fi + if test -z "${SOFTHSM_TOOL}";then + echo "Could not find softhsm(2) tool" + exit 77 + fi - if test -z "$SOFTHSM_CONF";then - rm -rf ./softhsm-testpkcs11.db - mkdir -p ./softhsm-testpkcs11.db - echo "objectstore.backend = file" > $SOFTHSM2_CONF - echo "directories.tokendir = ./softhsm-testpkcs11.db" >> $SOFTHSM2_CONF - else - rm -rf ./softhsm-testpkcs11.db - echo "0:./softhsm-testpkcs11.db" > $SOFTHSM_CONF - fi + if test -z "${SOFTHSM_CONF}";then + rm -rf ./softhsm-testpkcs11.db + mkdir -p ./softhsm-testpkcs11.db + echo "objectstore.backend = file" > "${SOFTHSM2_CONF}" + echo "directories.tokendir = ./softhsm-testpkcs11.db" >> "${SOFTHSM2_CONF}" + else + rm -rf ./softhsm-testpkcs11.db + echo "0:./softhsm-testpkcs11.db" > "${SOFTHSM_CONF}" + fi - echo -n "* Initializing smart card... " - $SOFTHSM_TOOL --init-token --slot 0 --label "GnuTLS-Test" --so-pin $PUK --pin $PIN >/dev/null #2>&1 - if test $? = 0;then - echo ok - else - echo failed - exit_error - fi + echo -n "* Initializing smart card... " + ${SOFTHSM_TOOL} --init-token --slot 0 --label "GnuTLS-Test" --so-pin "${PUK}" --pin "${PIN}" >/dev/null #2>&1 + if test $? = 0;then + echo ok + else + echo failed + exit_error + fi } - diff --git a/tests/suite/testrandom b/tests/suite/testrandom index e682375..894b2e9d 100755 --- a/tests/suite/testrandom +++ b/tests/suite/testrandom 
@@ -20,10 +20,10 @@ # along with GnuTLS; if not, write to the Free Software Foundation, # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -srcdir=${srcdir:-.} -CERTTOOL=${CERTTOOL:-../../src/certtool$EXEEXT} +srcdir="${srcdir:-.}" +CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" if ! test -z "${VALGRIND}";then -VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" fi counter=0 
@@ -32,58 +32,58 @@ file=test.out counter=0 echo "Testing verification with randomly generated certificates..." -while [ $counter -lt 400 ] +while [ ${counter} -lt 400 ] do - $srcdir/x509random.pl > $srcdir/$file - $VALGRIND $CERTTOOL -i --inder --infile $srcdir/$file --outfile $srcdir/$file.pem >/dev/null 2>&1 + "${srcdir}/x509random.pl" > "${file}" + ${VALGRIND} "${CERTTOOL}" -i --inder --infile "${file}" --outfile "${file}.pem" >/dev/null 2>&1 if test $? != 0;then - continue + continue fi - cat $srcdir/$file.pem $srcdir/../certs/ca-cert-ecc.pem > $srcdir/$file-chain.pem + cat "${file}.pem" "${srcdir}/../certs/ca-cert-ecc.pem" > "${file}-chain.pem" - $VALGRIND $CERTTOOL -e --infile $srcdir/$file-chain.pem >/dev/null 2>&1 + ${VALGRIND} "${CERTTOOL}" -e --infile "${file}-chain.pem" >/dev/null 2>&1 ret=$? - if [ $ret != 1 ];then - echo "Succeeded verification with $file-chain.pem!" - exit 1 + if [ ${ret} != 1 ];then + echo "Succeeded verification with ${file}-chain.pem!" + exit 1 fi - rm -f $srcdir/$file.pem $srcdir/$file-chain.pem + rm -f "${file}.pem" "${file}-chain.pem" - counter=`expr $counter + 1` + counter=`expr ${counter} + 1` done echo "Testing with randomly generated certificates..." -while [ $counter -lt 200 ] +while [ ${counter} -lt 200 ] do - $srcdir/x509random.pl > $srcdir/$file - $VALGRIND $CERTTOOL -i --inder --infile $srcdir/$file >/dev/null + "${srcdir}/x509random.pl" > "${file}" + ${VALGRIND} "${CERTTOOL}" -i --inder --infile "${file}" >/dev/null ret=$? - if [ $ret != 0 -a $ret != 1 ];then - echo "Unknown exit code with $file" - exit 1 + if [ ${ret} != 0 -a ${ret} != 1 ];then + echo "Unknown exit code with ${file}" + exit 1 fi - counter=`expr $counter + 1` + counter=`expr ${counter} + 1` done counter=0 echo "Testing with random ASN.1 data..." 
-while [ $counter -lt 200 ] +while [ ${counter} -lt 200 ] do - $srcdir/asn1random.pl > $srcdir/$file - $VALGRIND $CERTTOOL -i --inder --infile $srcdir/$file >/dev/null 2>/dev/null + "${srcdir}/asn1random.pl" > "${file}" + ${VALGRIND} "${CERTTOOL}" -i --inder --infile "${file}" >/dev/null 2>/dev/null ret=$? - if [ $ret != 0 -a $ret != 1 ];then - echo "Unknown exit code with $file" - exit 1 + if [ ${ret} != 0 -a ${ret} != 1 ];then + echo "Unknown exit code with ${file}" + exit 1 fi - counter=`expr $counter + 1` + counter=`expr ${counter} + 1` done -rm -f $srcdir/$file +rm -f "${file}" exit 0 diff --git a/tests/suite/testrng b/tests/suite/testrng index c780cf4..16fb4d5 100755 --- a/tests/suite/testrng +++ b/tests/suite/testrng @@ -29,7 +29,7 @@ VERSION=`dieharder -l|grep version|cut -d ' ' -f 6` if test "$1" = "full";then OPTIONS="-a" else - if test "$VERSION" = "2.28.1";then + if test "${VERSION}" = "2.28.1";then OPTIONS="-d 5" OPTIONS2="-d 10" else 
@@ -42,122 +42,122 @@ OUTFILE=rng.log RNGFILE=rng.out RNGFILE2=rng2.out -rm -f $OUTFILE -rm -f $RNGFILE -rm -f $RNGFILE2 +rm -f "${OUTFILE}" +rm -f "${RNGFILE}" +rm -f "${RNGFILE2}" -. $srcdir/../scripts/common.sh +. "${srcdir}/../scripts/common.sh" RINPUTNO=`dieharder -g -1|grep file_input_raw|cut -d '|' -f 2|cut -d ' ' -f 1` -if test -z "$RINPUTNO";then - echo "Cannot determine dieharder option for raw file input, assuming 201" - RINPUTNO=201 +if test -z "${RINPUTNO}";then + echo "Cannot determine dieharder option for raw file input, assuming 201" + RINPUTNO=201 fi echo "" echo "Testing nonce PRNG" -./rng nonce 64 $RNGFILE -./rng nonce 64 $RNGFILE2 -cmp $RNGFILE $RNGFILE2 >/dev/null 2>&1 +./rng nonce 64 "${RNGFILE}" +./rng nonce 64 "${RNGFILE2}" +cmp "${RNGFILE}" "${RNGFILE2}" >/dev/null 2>&1 ret=$? -if test $ret = 0;then - echo "numbers are repeated in nonce!" - exit 1 +if test ${ret} = 0;then + echo "numbers are repeated in nonce!" + exit 1 fi -./rng nonce 100000000 $RNGFILE +./rng nonce 100000000 "${RNGFILE}" -dieharder -f $RNGFILE -g $RINPUTNO $OPTIONS >$OUTFILE 2>&1 -if ! test -z "$OPTIONS2";then - dieharder -f $RNGFILE -g $RINPUTNO $OPTIONS2 >>$OUTFILE 2>&1 +dieharder -f "${RNGFILE}" -g ${RINPUTNO} ${OPTIONS} >"${OUTFILE}" 2>&1 +if ! test -z "${OPTIONS2}";then + dieharder -f "${RNGFILE}" -g ${RINPUTNO} ${OPTIONS2} >>"${OUTFILE}" 2>&1 fi -grep FAILED $OUTFILE >/dev/null 2>&1 +grep FAILED "${OUTFILE}" >/dev/null 2>&1 ret=$? -if test "$ret" = "0";then - echo "test failed for nonce" - exit 1 +if test "${ret}" = "0";then + echo "test failed for nonce" + exit 1 fi -grep PASSED $OUTFILE >/dev/null 2>&1 +grep PASSED "${OUTFILE}" >/dev/null 2>&1 ret=$? -if test "$ret" != "0";then - echo "could not run dieharder test?" - exit 1 +if test "${ret}" != "0";then + echo "could not run dieharder test?" 
+ exit 1 fi -cat $OUTFILE -rm -f $OUTFILE +cat "${OUTFILE}" +rm -f "${OUTFILE}" echo "" echo "Testing key PRNG" -./rng key 64 $RNGFILE -./rng key 64 $RNGFILE2 -cmp $RNGFILE $RNGFILE2 >/dev/null 2>&1 +./rng key 64 "${RNGFILE}" +./rng key 64 "${RNGFILE2}" +cmp "${RNGFILE}" "${RNGFILE2}" >/dev/null 2>&1 ret=$? -if test $ret = 0;then - echo "numbers are repeated in nonce!" - exit 1 +if test ${ret} = 0;then + echo "numbers are repeated in nonce!" + exit 1 fi -./rng key 100000000 $RNGFILE +./rng key 100000000 "${RNGFILE}" -dieharder -f $RNGFILE -g $RINPUTNO $OPTIONS >$OUTFILE 2>&1 -if ! test -z "$OPTIONS2";then - dieharder -f $RNGFILE -g $RINPUTNO $OPTIONS2 >>$OUTFILE 2>&1 +dieharder -f "${RNGFILE}" -g ${RINPUTNO} ${OPTIONS} >"${OUTFILE}" 2>&1 +if ! test -z "${OPTIONS2}";then + dieharder -f "${RNGFILE}" -g ${RINPUTNO} ${OPTIONS2} >>"${OUTFILE}" 2>&1 fi -grep FAILED $OUTFILE >/dev/null 2>&1 +grep FAILED "${OUTFILE}" >/dev/null 2>&1 ret=$? -if test "$ret" = "0";then - echo "test failed for key" - exit 1 +if test "${ret}" = "0";then + echo "test failed for key" + exit 1 fi -grep PASSED $OUTFILE >/dev/null 2>&1 +grep PASSED "${OUTFILE}" >/dev/null 2>&1 ret=$? -if test "$ret" != "0";then - echo "could not run dieharder test?" - exit 1 +if test "${ret}" != "0";then + echo "could not run dieharder test?" + exit 1 fi -cat $OUTFILE -rm -f $OUTFILE +cat "${OUTFILE}" +rm -f "${OUTFILE}" echo "" echo "Testing /dev/zero PRNG" -dd if=/dev/zero of=$RNGFILE bs=4 count=10000000 >/dev/null 2>&1 +dd if=/dev/zero of="${RNGFILE}" bs=4 count=10000000 >/dev/null 2>&1 -dieharder -f $RNGFILE -g $RINPUTNO $OPTIONS >$OUTFILE 2>&1 -if ! test -z "$OPTIONS2";then - dieharder -f $RNGFILE -g $RINPUTNO $OPTIONS2 >>$OUTFILE 2>&1 +dieharder -f "${RNGFILE}" -g ${RINPUTNO} ${OPTIONS} >"${OUTFILE}" 2>&1 +if ! test -z "${OPTIONS2}";then + dieharder -f "${RNGFILE}" -g ${RINPUTNO} ${OPTIONS2} >>"${OUTFILE}" 2>&1 fi -grep PASSED $OUTFILE >/dev/null 2>&1 +grep PASSED "${OUTFILE}" >/dev/null 2>&1 ret=$? 
-if test "$ret" = "0";then - echo "test succeeded for /dev/zero!!!" - exit 1 +if test "${ret}" = "0";then + echo "test succeeded for /dev/zero!!!" + exit 1 fi -grep FAILED $OUTFILE >/dev/null 2>&1 +grep FAILED "${OUTFILE}" >/dev/null 2>&1 ret=$? -if test "$ret" != "0";then - echo "could not run dieharder test?" - exit 1 +if test "${ret}" != "0";then + echo "could not run dieharder test?" + exit 1 fi -cat $OUTFILE -rm -f $OUTFILE -rm -f $RNGFILE -rm -f $RNGFILE2 +cat "${OUTFILE}" +rm -f "${OUTFILE}" +rm -f "${RNGFILE}" +rm -f "${RNGFILE2}" exit 0 diff --git a/tests/suite/testsrn b/tests/suite/testsrn index 826bb4a..783ed9d 100755 --- a/tests/suite/testsrn +++ b/tests/suite/testsrn 
@@ -21,79 +21,79 @@ # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. srcdir="${srcdir:-.}" -SERV="${SERV:-../../src/gnutls-serv$EXEEXT} -q" -CLI="${CLI:-../../src/gnutls-cli$EXEEXT}" +SERV="${SERV:-../../src/gnutls-serv${EXEEXT}} -q" +CLI="${CLI:-../../src/gnutls-cli${EXEEXT}}" unset RETCODE if test "${WINDIR}" != "";then exit 77 fi -. $srcdir/../scripts/common.sh +. "${srcdir}/../scripts/common.sh" -PORT="${PORT:-$RPORT}" +PORT="${PORT:-${RPORT}}" echo "Checking Safe renegotiation" -launch_server $$ --echo --priority NORMAL:+ANON-DH:%PARTIAL_RENEGOTIATION --dhparams $srcdir/params.dh >/dev/null 2>&1 & +launch_server $$ --echo --priority NORMAL:+ANON-DH:%PARTIAL_RENEGOTIATION --dhparams "${srcdir}/params.dh" >/dev/null 2>&1 & PID=$! -wait_server $PID +wait_server ${PID} -$CLI -p $PORT 127.0.0.1 --rehandshake --priority NONE:+AES-128-CBC:+MD5:+SHA1:+VERS-TLS1.0:+ANON-DH:+COMP-NULL:%SAFE_RENEGOTIATION /dev/null 2>&1 || \ - fail $PID "0. Renegotiation should have succeeded!" +"${CLI}" -p "${PORT}" 127.0.0.1 --rehandshake --priority NONE:+AES-128-CBC:+MD5:+SHA1:+VERS-TLS1.0:+ANON-DH:+COMP-NULL:%SAFE_RENEGOTIATION /dev/null 2>&1 || \ + fail ${PID} "0. Renegotiation should have succeeded!" -$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%SAFE_RENEGOTIATION /dev/null 2>&1 || \ - fail $PID "1. Safe rehandshake should have succeeded!" +"${CLI}" -p "${PORT}" 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%SAFE_RENEGOTIATION /dev/null 2>&1 || \ + fail ${PID} "1. Safe rehandshake should have succeeded!" -$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%UNSAFE_RENEGOTIATION /dev/null 2>&1 || \ - fail $PID "2. Unsafe rehandshake should have succeeded!" +"${CLI}" -p "${PORT}" 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%UNSAFE_RENEGOTIATION /dev/null 2>&1 || \ + fail ${PID} "2. Unsafe rehandshake should have succeeded!" 
-$CLI -p $PORT 127.0.0.1 --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION /dev/null 2>&1 || \ - fail $PID "3. Unsafe negotiation should have succeeded!" +"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION /dev/null 2>&1 || \ + fail ${PID} "3. Unsafe negotiation should have succeeded!" -$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION /dev/null 2>&1 && \ - fail $PID "4. Unsafe renegotiation should have failed!" +"${CLI}" -p "${PORT}" 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION /dev/null 2>&1 && \ + fail ${PID} "4. Unsafe renegotiation should have failed!" -kill $PID +kill ${PID} wait -launch_server $$ --echo --priority NORMAL:+ANON-DH:%SAFE_RENEGOTIATION --dhparams $srcdir/params.dh >/dev/null 2>&1 & +launch_server $$ --echo --priority NORMAL:+ANON-DH:%SAFE_RENEGOTIATION --dhparams "${srcdir}/params.dh" >/dev/null 2>&1 & PID=$! -wait_server $PID +wait_server ${PID} -$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%SAFE_RENEGOTIATION /dev/null 2>&1 || \ - fail $PID "5. Safe rehandshake should have succeeded!" +"${CLI}" -p "${PORT}" 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%SAFE_RENEGOTIATION /dev/null 2>&1 || \ + fail ${PID} "5. Safe rehandshake should have succeeded!" -$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%UNSAFE_RENEGOTIATION /dev/null 2>&1 || \ - fail $PID "6. Unsafe rehandshake should have succeeded!" +"${CLI}" -p "${PORT}" 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%UNSAFE_RENEGOTIATION /dev/null 2>&1 || \ + fail ${PID} "6. Unsafe rehandshake should have succeeded!" -$CLI -p $PORT 127.0.0.1 --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION /dev/null 2>&1 && \ - fail $PID "7. Unsafe negotiation should have failed!" +"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION /dev/null 2>&1 && \ + fail ${PID} "7. Unsafe negotiation should have failed!" 
-$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION /dev/null 2>&1 && \ - fail $PID "8. Unsafe renegotiation should have failed!" +"${CLI}" -p "${PORT}" 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION /dev/null 2>&1 && \ + fail ${PID} "8. Unsafe renegotiation should have failed!" -kill $PID +kill ${PID} wait -launch_server $$ --echo --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION --dhparams $srcdir/params.dh >/dev/null 2>&1 & +launch_server $$ --echo --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION --dhparams "${srcdir}/params.dh" >/dev/null 2>&1 & PID=$! -wait_server $PID +wait_server ${PID} -$CLI -p $PORT 127.0.0.1 --priority NORMAL:+ANON-DH:%SAFE_RENEGOTIATION /dev/null 2>&1 && \ - fail $PID "9. Initial connection should have failed!" +"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:+ANON-DH:%SAFE_RENEGOTIATION /dev/null 2>&1 && \ + fail ${PID} "9. Initial connection should have failed!" -$CLI -p $PORT 127.0.0.1 --priority NORMAL:+ANON-DH:%UNSAFE_RENEGOTIATION /dev/null 2>&1 || \ - fail $PID "10. Unsafe connection should have succeeded!" +"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:+ANON-DH:%UNSAFE_RENEGOTIATION /dev/null 2>&1 || \ + fail ${PID} "10. Unsafe connection should have succeeded!" -$CLI -p $PORT 127.0.0.1 --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION /dev/null 2>&1 || \ - fail $PID "11. Unsafe negotiation should have succeeded!" +"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION /dev/null 2>&1 || \ + fail ${PID} "11. Unsafe negotiation should have succeeded!" -$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION /dev/null 2>&1 || \ - fail $PID "12. Unsafe renegotiation should have succeeded!" +"${CLI}" -p "${PORT}" 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION /dev/null 2>&1 || \ + fail ${PID} "12. Unsafe renegotiation should have succeeded!" 
-kill $PID +kill ${PID} wait exit 0 -- 2.3.6 From nmav at gnutls.org Sun Jun 21 10:59:15 2015 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Sun, 21 Jun 2015 10:59:15 +0200 Subject: [gnutls-devel] [PATCH 4/4] tests: enforce UTC timezone in datefudge tests In-Reply-To: <1434844805-12931-4-git-send-email-alon.barlev@gmail.com> References: <1434844805-12931-1-git-send-email-alon.barlev@gmail.com> <1434844805-12931-4-git-send-email-alon.barlev@gmail.com> Message-ID: <1434877155.31541.0.camel@gnutls.org> On Sun, 2015-06-21 at 03:00 +0300, Alon Bar-Lev wrote: > Signed-off-by: Alon Bar-Lev > --- > tests/pkcs1-padding/pkcs1-pad | 4 +++- > tests/suite/testcompat-openssl | 2 ++ > tests/suite/testcompat-polarssl | 2 ++ > 3 files changed, 7 insertions(+), 1 deletion(-) Applied the whole patch set. Thanks. From alon.barlev at gmail.com Sun Jun 21 19:43:34 2015 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Sun, 21 Jun 2015 20:43:34 +0300 Subject: [gnutls-devel] [PATCH 1/2] tests: suite: ciphersuite: fixups Message-ID: <1434908615-31312-1-git-send-email-alon.barlev@gmail.com> fix separate builddir issue, without modifying locations, quite ugly. re-indent using tab. fix shebang. Signed-off-by: Alon Bar-Lev --- tests/suite/ciphersuite/scan-gnutls.sh | 36 ++++----- tests/suite/ciphersuite/test-ciphers.js | 106 ++++++++++++++------------- tests/suite/ciphersuite/test-ciphersuites.sh | 24 +++--- 3 files changed, 89 insertions(+), 77 deletions(-) diff --git a/tests/suite/ciphersuite/scan-gnutls.sh b/tests/suite/ciphersuite/scan-gnutls.sh index 95cd9bd..2a2379e 100755 --- a/tests/suite/ciphersuite/scan-gnutls.sh +++ b/tests/suite/ciphersuite/scan-gnutls.sh 
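Review bot: in the testpkcs11.sc-hsm and testpkcs11.softhsm hunks, `${ADDITIONAL_PARAM}` is deliberately left unquoted because it expands to two words (`--provider /usr/lib/softhsm/libsofthsm.so`), unlike every other expansion this patch converts to `"${VAR}"`; a comment at its definition, or splitting it into a `PROVIDER` path passed as `--provider "${PROVIDER}"`, would make that intent explicit and stop the next quoting sweep from breaking it.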
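Review bot: in the testrandom hunk, `counter` is never reset between the first loop (`-lt 400`) and the second (`while [ ${counter} -lt 200 ]`), so the "Testing with randomly generated certificates..." loop never executes; add `counter=0` before it, as is already done before the ASN.1 loop. Separately, changing `> $srcdir/$file` to `> "${file}"` (and the matching `cat`/`rm -f` lines) moves the scratch files from `${srcdir}` to the current directory; that is the right thing for a read-only srcdir, but it is a behaviour change and deserves a sentence in the commit message.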
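Review bot: in the testrng hunk, the "Testing key PRNG" block still reports `numbers are repeated in nonce!` when the two key outputs compare equal; since that echo line is being rewritten for quoting anyway, make it say `key`. `${OPTIONS}` and `${OPTIONS2}` are correctly left unquoted on the dieharder lines (they may expand to `-d 5`), but a comment saying so would keep them from being "fixed" later.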
@@ -1,23 +1,25 @@ -#/bin/sh +#!/bin/sh # ./scan-gnutls.sh > gnutls-ciphers.js echo 'var gnutls_ciphersuites = {' -cd ../../../lib/algorithms/ && gcc -E ciphersuites.c -I.. -I../../ -DHAVE_CONFIG_H -DHAVE_LIBNETTLE -I../../gl -I../includes -DENABLE_DHE -DENABLE_ECDHE -DENABLE_PSK -DENABLE_ANON -DENABLE_SRP \ - | awk '/^static const gnutls_cipher_suite_entry_st cs_algorithms/, /;/ { print; }' \ - | grep '{' | head -n-1 | tail -n+2 \ - | sed -r -e 's#\{ *0x(..), *0x(..) *\}#0x\1\2#;s# *\{ *"#"#;s#\}##;s#, +# #g' \ - -e 's#GNUTLS_VERSION_UNKNOWN#unknown#' \ - -e 's#GNUTLS_DTLS_VERSION_MIN#GNUTLS_DTLS1_0#;s#GNUTLS_TLS1 #GNUTLS_TLS1_0 #' \ - -e 's#TLS([0-9])_([0-9])#TLS\1.\2#g;s#GNUTLS_SSL3#SSL3.0#;s#_#-#g;s#GNUTLS-(CIPHER|KX|MAC)-##g;s#GNUTLS-##g' \ - | gawk --non-decimal-data '{ if ($5 == "AEAD") { mac = $8; } else { mac = $5; }; sub("UMAC-", "UMAC", mac); sub("DIG-", "", mac); if (mac == "SHA1") { mac = "SHA"; } \ - cipher = $3; sub("ARCFOUR", "RC4", cipher); sub("3DES-CBC", "3DES-EDE-CBC", cipher); \ - kx = $4; if (sub("ANON-", "", kx)) { kx = kx "-anon"; }; sub("SRP", "SRP-SHA", kx); \ - if ($5 != "AEAD" || cipher ~ /GCM/) { name = "TLS_" kx "_WITH_" cipher "_" mac; } else { name = "TLS_" kx "_WITH_" cipher }; \ - gsub("-", "_", name); printf ("%d# \"%s\": { id: %s, name: \"%s\", gnutlsname: %s, cipher: \"%s\", kx: \"%s\", mac: \"%s\", min_version: \"%s\", min_dtls_version: \"%s\", prf: \"%s\" },\n", $2, name, $2, name, $1, $3, $4, $5, $6, $7, $8) }' \ - | sort -n \ - | cut -d'#' -f2- \ - | column -t \ - | sed -e 's#: #: #g;s#, #, #g;s#{ #{ #g;s#^# #' +srcdir="${srcdir:-..}" +top_builddir="${top_builddir:-../../..}" +gcc -E "${srcdir}/../../lib/algorithms/ciphersuites.c" -I"${top_builddir}" -I"${srcdir}/../../lib" -DHAVE_CONFIG_H -DHAVE_LIBNETTLE -I"${srcdir}/../../gl" -I"${srcdir}/../includes" -DENABLE_DHE -DENABLE_ECDHE -DENABLE_PSK -DENABLE_ANON -DENABLE_SRP \ + | awk '/^static const gnutls_cipher_suite_entry_st cs_algorithms/, /;/ { print; }' \ + | grep '{' | 
head -n-1 | tail -n+2 \ + | sed -r -e 's#\{ *0x(..), *0x(..) *\}#0x\1\2#;s# *\{ *"#"#;s#\}##;s#, +# #g' \ + -e 's#GNUTLS_VERSION_UNKNOWN#unknown#' \ + -e 's#GNUTLS_DTLS_VERSION_MIN#GNUTLS_DTLS1_0#;s#GNUTLS_TLS1 #GNUTLS_TLS1_0 #' \ + -e 's#TLS([0-9])_([0-9])#TLS\1.\2#g;s#GNUTLS_SSL3#SSL3.0#;s#_#-#g;s#GNUTLS-(CIPHER|KX|MAC)-##g;s#GNUTLS-##g' \ + | gawk --non-decimal-data '{ if ($5 == "AEAD") { mac = $8; } else { mac = $5; }; sub("UMAC-", "UMAC", mac); sub("DIG-", "", mac); if (mac == "SHA1") { mac = "SHA"; } \ + cipher = $3; sub("ARCFOUR", "RC4", cipher); sub("3DES-CBC", "3DES-EDE-CBC", cipher); \ + kx = $4; if (sub("ANON-", "", kx)) { kx = kx "-anon"; }; sub("SRP", "SRP-SHA", kx); \ + if ($5 != "AEAD" || cipher ~ /GCM/) { name = "TLS_" kx "_WITH_" cipher "_" mac; } else { name = "TLS_" kx "_WITH_" cipher }; \ + gsub("-", "_", name); printf ("%d# \"%s\": { id: %s, name: \"%s\", gnutlsname: %s, cipher: \"%s\", kx: \"%s\", mac: \"%s\", min_version: \"%s\", min_dtls_version: \"%s\", prf: \"%s\" },\n", $2, name, $2, name, $1, $3, $4, $5, $6, $7, $8) }' \ + | sort -n \ + | cut -d'#' -f2- \ + | column -t \ + | sed -e 's#: #: #g;s#, #, #g;s#{ #{ #g;s#^# #' echo '};' diff --git a/tests/suite/ciphersuite/test-ciphers.js b/tests/suite/ciphersuite/test-ciphers.js index 2336cb4..1985045 100644 --- a/tests/suite/ciphersuite/test-ciphers.js +++ b/tests/suite/ciphersuite/test-ciphers.js @@ -4,12 +4,20 @@ var fs = require('fs'); var vm = require('vm'); function include(path) { - var code = fs.readFileSync(path, 'utf-8'); - vm.runInThisContext(code, path); + var code = fs.readFileSync(path, 'utf-8'); + vm.runInThisContext(code, path); } -include('./gnutls-ciphers.js'); -include('./registry-ciphers.js'); +srcdir=process.env["srcdir"]; +if (srcdir == undefined) { + srcdir = "."; +} +builddir=process.env['builddir'] +if (builddir == undefined) { + builddir = "."; +} +include(builddir + "/gnutls-ciphers.js"); +include(srcdir + "/registry-ciphers.js"); (function() { 
@@ -17,51 +25,51 @@ include('./registry-ciphers.js'); // console.log("Test: ", require('util').inspect(priority_config(priority(s)), false, 10)); // console.log("Test: ", require('util').inspect(priority_ciphersuites(priority(s)), false, 10)); - // check whether gnutls ciphersuite names match the kx/cipher/mac/prf combination - for (var i in gnutls_ciphersuites) { - if (!gnutls_ciphersuites.hasOwnProperty(i)) continue; - var cs = gnutls_ciphersuites[i]; - var mac = cs.mac; - if (mac == "AEAD") mac = cs.prf.replace("DIG-", ""); - mac = mac.replace("UMAC-", "UMAC"); - var cipher = cs.cipher.replace("3DES-CBC", "3DES-EDE-CBC"); - var kx = cs.kx.replace("ANON-DH", "DH-ANON").replace("ANON-ECDH", "ECDH-ANON").replace("SRP", "SRP-SHA"); + // check whether gnutls ciphersuite names match the kx/cipher/mac/prf combination + for (var i in gnutls_ciphersuites) { + if (!gnutls_ciphersuites.hasOwnProperty(i)) continue; + var cs = gnutls_ciphersuites[i]; + var mac = cs.mac; + if (mac == "AEAD") mac = cs.prf.replace("DIG-", ""); + mac = mac.replace("UMAC-", "UMAC"); + var cipher = cs.cipher.replace("3DES-CBC", "3DES-EDE-CBC"); + var kx = cs.kx.replace("ANON-DH", "DH-ANON").replace("ANON-ECDH", "ECDH-ANON").replace("SRP", "SRP-SHA"); + + if (cs.mac == "AEAD") { + if (kx + "-" + cipher != cs.gnutlsname && kx + "-" + cipher + "-SHA256" != cs.gnutlsname && kx + "-" + cipher + "-SHA384" != cs.gnutlsname) { + console.log("Broken AEAD ciphersuite: ", kx + "-" + cipher, " ", cs.gnutlsname); + process.exit(1); + } + } else { + if (kx + "-" + cipher + "-" + mac != cs.gnutlsname) { + console.log("Broken ciphersuite name: ", kx + "-" + cipher + "-" + mac, " ", cs.gnutlsname); + process.exit(1); + } + } + if (cs.name !== i) { + console.log("Name doesn't match index:", cs.name, i); + process.exit(1); + } + if (!registry_ciphersuites[cs.id]) { + if (cipher.match(/SALSA20/)) { + var warned_salsa20; + if (!warned_salsa20) { + /* warn only once */ + console.log("Unofficial SALSA20 ciphers"); + 
warned_salsa20 = 1; + } + } else { + console.log("Unofficial cipher:", cs.name, cs.id); + } + } else if (registry_ciphersuites[cs.id] !== cs.name) { + if (cs.name !== "TLS_DHE_PSK_WITH_AES_128_CCM_8" && + cs.name !== "TLS_DHE_PSK_WITH_AES_256_CCM_8") { + console.log("Name doesn't match official name for id:", cs.name, registry_ciphersuites[cs.id], cs.id); + process.exit(1); + } + } + } - if (cs.mac == "AEAD") { - if (kx + "-" + cipher != cs.gnutlsname && kx + "-" + cipher + "-SHA256" != cs.gnutlsname && kx + "-" + cipher + "-SHA384" != cs.gnutlsname) { - console.log("Broken AEAD ciphersuite: ", kx + "-" + cipher, " ", cs.gnutlsname); - process.exit(1); - } - } else { - if (kx + "-" + cipher + "-" + mac != cs.gnutlsname) { - console.log("Broken ciphersuite name: ", kx + "-" + cipher + "-" + mac, " ", cs.gnutlsname); - process.exit(1); - } - } - if (cs.name !== i) { - console.log("Name doesn't match index:", cs.name, i); - process.exit(1); - } - if (!registry_ciphersuites[cs.id]) { - if (cipher.match(/SALSA20/)) { - var warned_salsa20; - if (!warned_salsa20) { - /* warn only once */ - console.log("Unofficial SALSA20 ciphers"); - warned_salsa20 = 1; - } - } else { - console.log("Unofficial cipher:", cs.name, cs.id); - } - } else if (registry_ciphersuites[cs.id] !== cs.name) { - if (cs.name !== "TLS_DHE_PSK_WITH_AES_128_CCM_8" && - cs.name !== "TLS_DHE_PSK_WITH_AES_256_CCM_8") { - console.log("Name doesn't match official name for id:", cs.name, registry_ciphersuites[cs.id], cs.id); - process.exit(1); - } - } - } - - process.exit(0); + process.exit(0); })(); diff --git a/tests/suite/ciphersuite/test-ciphersuites.sh b/tests/suite/ciphersuite/test-ciphersuites.sh index 028a92f..88306dd 100755 --- a/tests/suite/ciphersuite/test-ciphersuites.sh +++ b/tests/suite/ciphersuite/test-ciphersuites.sh 
@@ -1,22 +1,24 @@ -#! /bin/sh +#!/bin/sh + +srcdir="${srcdir:-..}" +top_builddir="${top_builddir:-../../..}" nodejs --help >/dev/null 2>&1 -if test $? = 0;then -NODEJS=nodejs +if test $? = 0; then + NODEJS=nodejs else - node --help >/dev/null 2>&1 - if test $? = 0;then - NODEJS=node - fi + node --help >/dev/null 2>&1 + if test $? = 0; then + NODEJS=node + fi fi -if test "z$NODEJS" = "z";then +if test -z "${NODEJS}"; then echo "You need nodejs to run this test" exit 77 fi set -e -cd ciphersuite && ( \ -./scan-gnutls.sh > gnutls-ciphers.js && \ -$NODEJS test-ciphers.js ) +"${srcdir}/ciphersuite/scan-gnutls.sh" > "${top_builddir}/tests/suite/ciphersuite/gnutls-ciphers.js" +srcdir="${srcdir}/ciphersuite" builddir="${top_builddir}/tests/suite/ciphersuite" ${NODEJS} "${srcdir}/ciphersuite/test-ciphers.js" -- 2.3.6 From alon.barlev at gmail.com Sun Jun 21 19:43:35 2015 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Sun, 21 Jun 2015 20:43:35 +0300 Subject: [gnutls-devel] [PATCH 2/2] tests: tab indent + minor style changes In-Reply-To: <1434908615-31312-1-git-send-email-alon.barlev@gmail.com> References: <1434908615-31312-1-git-send-email-alon.barlev@gmail.com> Message-ID: <1434908615-31312-2-git-send-email-alon.barlev@gmail.com> 
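Review bot: in the scan-gnutls.sh hunk, `-I"${srcdir}/../includes"` does not correspond to the flag it replaces: the old `-I../includes` was evaluated after `cd ../../../lib/algorithms/`, so it pointed at `lib/includes`, whereas `${srcdir}/../includes` with `srcdir` at `tests/suite` resolves to `tests/includes`. The equivalent is `-I"${srcdir}/../../lib/includes"`, and for a separate build directory the generated headers under `${top_builddir}/lib/includes` probably need to be on the path as well.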
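Review bot: in the first test-ciphers.js hunk, `srcdir=process.env["srcdir"];` and `builddir=process.env['builddir']` create implicit globals (no `var`), the second line is missing its semicolon, and the two lines use different quote styles; `var srcdir = process.env['srcdir'] || '.';` and `var builddir = process.env['builddir'] || '.';` declare them, pick one style and replace the two `== undefined` checks.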
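Review bot: in the second test-ciphers.js hunk the loop body is re-indented wholesale, so the diff reads as a delete-and-add; it is worth confirming with `git diff -w` that nothing but whitespace changed (it appears so). While touching it, `var warned_salsa20;` inside the loop only works as a once-only flag because `var` is hoisted and the re-declaration does not reset the value; declaring it above the `for` makes the "warn only once" comment true on its face.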
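Review bot: in the test-ciphersuites.sh hunk, the last line depends on a subtle point of POSIX command expansion: the command word `"${srcdir}/ciphersuite/test-ciphers.js"` is expanded with the outer `srcdir` (tests/suite) before the prefix assignment `srcdir="${srcdir}/ciphersuite"` is applied to the child's environment, which is what makes both paths come out right. A comment, or writing it as `env srcdir=... builddir=... ${NODEJS} ...`, would make that readable. Also, redirecting into `"${top_builddir}/tests/suite/ciphersuite/gnutls-ciphers.js"` assumes that directory already exists in a fresh separate build tree; a `mkdir -p` beforehand is cheap insurance if nothing else creates it.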
Signed-off-by: Alon Bar-Lev --- tests/cert-tests/aki | 12 +- tests/cert-tests/certtool | 50 +- tests/cert-tests/crq | 12 +- tests/cert-tests/dane | 2 +- tests/cert-tests/email | 36 +- tests/cert-tests/invalid-sig | 16 +- tests/cert-tests/pathlen | 18 +- tests/cert-tests/pem-decoding | 32 +- tests/cert-tests/pkcs7 | 80 +-- tests/cert-tests/template-test | 254 ++++--- tests/dsa/testdsa | 48 +- tests/dtls/dtls | 4 +- tests/dtls/dtls-nb | 4 +- tests/ecdsa/ecdsa | 64 +- tests/key-tests/key-id | 8 +- tests/key-tests/pkcs8 | 54 +- tests/nist-pkits/gnutls_test_entry | 26 +- tests/nist-pkits/pkits_crl | 12 +- tests/nist-pkits/pkits_crt | 12 +- tests/nist-pkits/pkits_pkcs12 | 12 +- tests/nist-pkits/pkits_smime | 24 +- tests/nist-pkits/pkits_test | 4 +- tests/openpgp-certs/testcerts | 25 +- tests/openpgp-certs/testselfsigs | 20 +- tests/pkcs1-padding/pkcs1-pad | 28 +- tests/pkcs12-decode/pkcs12 | 68 +- tests/pkcs8-decode/pkcs8 | 66 +- tests/rfc2253-escape-test | 14 +- tests/rsa-md5-collision/rsa-md5-collision | 12 +- tests/sha2/sha2 | 76 +-- tests/sha2/sha2-dsa | 58 +- tests/slow/override-ciphers | 34 +- tests/slow/test-ciphers | 52 +- tests/suite/certs/create-chain.sh | 128 ++-- tests/suite/chain | 66 +- tests/suite/crl-test | 12 +- tests/suite/eagain | 12 +- tests/suite/invalid-cert | 6 +- tests/suite/testcompat-main-openssl | 1027 +++++++++++++++-------------- tests/suite/testcompat-main-polarssl | 662 ++++++++++--------- tests/suite/testcompat-openssl | 16 +- tests/suite/testcompat-polarssl | 10 +- tests/suite/testdane | 52 +- tests/suite/testpkcs11 | 616 ++++++++--------- tests/suite/testpkcs11.pkcs15 | 40 +- tests/suite/testpkcs11.sc-hsm | 48 +- tests/suite/testpkcs11.softhsm | 86 +-- tests/suite/testrandom | 83 ++- tests/suite/testrng | 88 +-- tests/suite/testsrn | 30 +- tests/userid/userid | 10 +- 51 files changed, 2137 insertions(+), 2092 deletions(-) diff --git a/tests/cert-tests/aki b/tests/cert-tests/aki index 5f130cc..6d71a28 100755 --- a/tests/cert-tests/aki 
+++ b/tests/cert-tests/aki @@ -25,17 +25,17 @@ set -e srcdir="${srcdir:-.}" CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" DIFF="${DIFF:-diff}" -if ! test -z "${VALGRIND}";then - VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" +if ! test -z "${VALGRIND}"; then + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" fi ${VALGRIND} "${CERTTOOL}" --certificate-info --infile "${srcdir}/aki-cert.pem" \ - |grep -v "Algorithm Security Level" > tmp-aki.pem + |grep -v "Algorithm Security Level" > tmp-aki.pem rc=$? if test "${rc}" != "0"; then - echo "info failed" - exit ${rc} + echo "info failed" + exit ${rc} fi @@ -44,7 +44,7 @@ rc=$? # We're done. if test "${rc}" != "0"; then - exit ${rc} + exit ${rc} fi rm -f tmp-aki.pem diff --git a/tests/cert-tests/certtool b/tests/cert-tests/certtool index ce02ec8..4df4a5d 100755 --- a/tests/cert-tests/certtool +++ b/tests/cert-tests/certtool 
@@ -23,58 +23,58 @@ srcdir="${srcdir:-.}" CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" DIFF="${DIFF:-diff}" -if ! test -z "${VALGRIND}";then - VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" +if ! test -z "${VALGRIND}"; then + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" fi #check whether "funny" spaces can be interpreted id=`${VALGRIND} "${CERTTOOL}" --key-id --infile "${srcdir}/funny-spacing.pem" --hash sha1` rc=$? -if test "${id}" != "1e09d707d4e3651b84dcb6c68a828d2affef7ec3";then - echo "Key-ID1 doesn't match the expected: ${id}" - exit 1 +if test "${id}" != "1e09d707d4e3651b84dcb6c68a828d2affef7ec3"; then + echo "Key-ID1 doesn't match the expected: ${id}" + exit 1 fi id=`${VALGRIND} "${CERTTOOL}" --key-id --infile "${srcdir}/funny-spacing.pem"` rc=$? -if test "${id}" != "1e09d707d4e3651b84dcb6c68a828d2affef7ec3";then - echo "Default key-ID1 doesn't match the expected; did the defaults change? ID: ${id}" - exit 1 +if test "${id}" != "1e09d707d4e3651b84dcb6c68a828d2affef7ec3"; then + echo "Default key-ID1 doesn't match the expected; did the defaults change? ID: ${id}" + exit 1 fi id=`"${CERTTOOL}" --pubkey-info <"${srcdir}/funny-spacing.pem"|"${CERTTOOL}" --key-id --hash sha1` rc=$? -if test "${id}" != "1e09d707d4e3651b84dcb6c68a828d2affef7ec3";then - echo "Key-ID2 doesn't match the expected: ${id}" - exit 1 +if test "${id}" != "1e09d707d4e3651b84dcb6c68a828d2affef7ec3"; then + echo "Key-ID2 doesn't match the expected: ${id}" + exit 1 fi id=`"${CERTTOOL}" --pubkey-info <"${srcdir}/funny-spacing.pem"|"${CERTTOOL}" --key-id --hash sha256` rc=$? 
-if test "${id}" != "118e72e3655150c895ecbd19b3634179fb4a87c7a25abefcb11f5d66661d5a4d";then - echo "Key-ID3 doesn't match the expected: ${id}" - exit 1 +if test "${id}" != "118e72e3655150c895ecbd19b3634179fb4a87c7a25abefcb11f5d66661d5a4d"; then + echo "Key-ID3 doesn't match the expected: ${id}" + exit 1 fi #fingerprint id=`${VALGRIND} "${CERTTOOL}" --fingerprint --infile "${srcdir}/funny-spacing.pem"` rc=$? -if test "${id}" != "8f735c5ddefd723f59b6a3bb2ac0522470c0182f";then - echo "Fingerprint doesn't match the expected: 3" - exit 1 +if test "${id}" != "8f735c5ddefd723f59b6a3bb2ac0522470c0182f"; then + echo "Fingerprint doesn't match the expected: 3" + exit 1 fi id=`${VALGRIND} "${CERTTOOL}" --fingerprint --hash sha256 --infile "${srcdir}/funny-spacing.pem"` rc=$? -if test "${id}" != "fc5b45b20c489393a457f177572920ac40bacba9d25cea51200822271eaf7d1f";then - echo "Fingerprint doesn't match the expected: 4" - exit 1 +if test "${id}" != "fc5b45b20c489393a457f177572920ac40bacba9d25cea51200822271eaf7d1f"; then + echo "Fingerprint doesn't match the expected: 4" + exit 1 fi export TZ="UTC" @@ -83,17 +83,17 @@ export TZ="UTC" TSTAMP=`datefudge "2006-09-23" date -u +%s || true` if test "$TSTAMP" != "1158969600"; then echo $TSTAMP - echo "You need datefudge to run this test" - exit 77 + echo "You need datefudge to run this test" + exit 77 fi cat "${srcdir}/../certs/cert-ecc256.pem" "${srcdir}/../certs/ca-cert-ecc.pem"|datefudge "2012-11-22" \ ${VALGRIND} "${CERTTOOL}" --verify-chain rc=$? -if test "${rc}" != "0";then - echo "There was an issue verifying the chain" - exit 1 +if test "${rc}" != "0"; then + echo "There was an issue verifying the chain" + exit 1 fi diff --git a/tests/cert-tests/crq b/tests/cert-tests/crq index cc2bbfe..50b78c8 100755 --- a/tests/cert-tests/crq +++ b/tests/cert-tests/crq 
@@ -25,8 +25,8 @@ srcdir="${srcdir:-.}" CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" DIFF="${DIFF:-diff}" -if ! test -z "${VALGRIND}";then - VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=15" +if ! test -z "${VALGRIND}"; then + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=15" fi OUTFILE=out.tmp @@ -35,14 +35,14 @@ rc=$? # We're done. if test "${rc}" != "0"; then - echo "Invalid crq decoding failed" - exit ${rc} + echo "Invalid crq decoding failed" + exit ${rc} fi grep "error: get_key_id" "${OUTFILE}" >/dev/null 2>&1 if test "$?" != "0"; then - echo "crq decoding didn't fail as expected" - exit 1 + echo "crq decoding didn't fail as expected" + exit 1 fi rm -f "${OUTFILE}" diff --git a/tests/cert-tests/dane b/tests/cert-tests/dane index e019ef7..f2aa341 100755 --- a/tests/cert-tests/dane +++ b/tests/cert-tests/dane @@ -37,7 +37,7 @@ rm -f tmp-dane.rr # We're done. if test "${rc}" != "0"; then - exit ${rc} + exit ${rc} fi exit 0 diff --git a/tests/cert-tests/email b/tests/cert-tests/email index e12ee6b..8efe18e 100755 --- a/tests/cert-tests/email +++ b/tests/cert-tests/email 
@@ -23,72 +23,72 @@ srcdir="${srcdir:-.}" CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" DIFF=$"{DIFF:-diff}" -if ! test -z "${VALGRIND}";then - VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" +if ! test -z "${VALGRIND}"; then + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" fi ${VALGRIND} "${CERTTOOL}" -e --infile "${srcdir}/email-certs/chain.exclude.test.example.com" --verify-email test at example.com rc=$? if test "${rc}" != "1"; then - echo "email test 1 failed" - exit 1 + echo "email test 1 failed" + exit 1 fi ${VALGRIND} "${CERTTOOL}" -e --infile "${srcdir}/email-certs/chain.exclude.test.example.com" --verify-email invalid at example.com rc=$? if test "${rc}" != "1"; then - echo "email test 2 failed" - exit 1 + echo "email test 2 failed" + exit 1 fi ${VALGRIND} "${CERTTOOL}" -e --infile "${srcdir}/email-certs/chain.test.example.com" --verify-email test at example.com rc=$? if test "${rc}" != "0"; then - echo "email test 3 failed" - exit 1 + echo "email test 3 failed" + exit 1 fi ${VALGRIND} "${CERTTOOL}" -e --infile "${srcdir}/email-certs/chain.test.example.com" --verify-email invalid at example.com rc=$? if test "${rc}" != "1"; then - echo "email test 4 failed" - exit 1 + echo "email test 4 failed" + exit 1 fi ${VALGRIND} "${CERTTOOL}" -e --infile "${srcdir}/email-certs/chain.invalid.example.com" --verify-email invalid at example.com rc=$? if test "${rc}" != "1"; then - echo "email test 5 failed" - exit 1 + echo "email test 5 failed" + exit 1 fi ${VALGRIND} "${CERTTOOL}" -e --infile "${srcdir}/email-certs/chain.invalid.example.com" --verify-email test at cola.com rc=$? if test "${rc}" != "1"; then - echo "email test 6 failed" - exit 1 + echo "email test 6 failed" + exit 1 fi ${VALGRIND} "${CERTTOOL}" -e --infile "${srcdir}/email-certs/chain.test.example.com-2" --verify-email test at example.com rc=$? 
if test "${rc}" != "0"; then - echo "email test 7 failed" - exit 1 + echo "email test 7 failed" + exit 1 fi ${VALGRIND} "${CERTTOOL}" -e --infile "${srcdir}/email-certs/chain.test.example.com-2" --verify-email invalid at example.com rc=$? if test "${rc}" != "1"; then - echo "email test 8 failed" - exit 1 + echo "email test 8 failed" + exit 1 fi diff --git a/tests/cert-tests/invalid-sig b/tests/cert-tests/invalid-sig index 72d72ec..dacdc61 100755 --- a/tests/cert-tests/invalid-sig +++ b/tests/cert-tests/invalid-sig @@ -25,8 +25,8 @@ srcdir="${srcdir:-.}" CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" DIFF="${DIFF:-diff}" -if ! test -z "${VALGRIND}";then - VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" +if ! test -z "${VALGRIND}"; then + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" fi #check whether a different PKCS #1 signature than the advertized in certificate is tolerated @@ -35,8 +35,8 @@ rc=$? # We're done. if test "${rc}" = "0"; then - echo "Verification of invalid signature (1) failed" - exit ${rc} + echo "Verification of invalid signature (1) failed" + exit ${rc} fi #check whether a different tbsCertificate than the outer signature algorithm is tolerated @@ -45,8 +45,8 @@ rc=$? # We're done. if test "${rc}" = "0"; then - echo "Verification of invalid signature (2) failed" - exit ${rc} + echo "Verification of invalid signature (2) failed" + exit ${rc} fi #check whether a different tbsCertificate than the outer signature algorithm is tolerated @@ -55,8 +55,8 @@ rc=$? # We're done. if test "${rc}" = "0"; then - echo "Verification of invalid signature (3) failed" - exit ${rc} + echo "Verification of invalid signature (3) failed" + exit ${rc} fi exit 0 diff --git a/tests/cert-tests/pathlen b/tests/cert-tests/pathlen index 710282d..d940fe8 100755 --- a/tests/cert-tests/pathlen +++ b/tests/cert-tests/pathlen 
@@ -25,26 +25,26 @@ set -e srcdir="${srcdir:-.}" CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" DIFF="${DIFF:-diff}" -if ! test -z "${VALGRIND}";then - VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" +if ! test -z "${VALGRIND}"; then + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" fi ${VALGRIND} "${CERTTOOL}" --certificate-info --infile "${srcdir}/ca-no-pathlen.pem" \ - |grep -v "Algorithm Security Level" > new-ca-no-pathlen.pem + |grep -v "Algorithm Security Level" > new-ca-no-pathlen.pem rc=$? if test "${rc}" != "0"; then - echo "info 1 failed" - exit ${rc} + echo "info 1 failed" + exit ${rc} fi ${VALGRIND} "${CERTTOOL}" --certificate-info --infile "${srcdir}/no-ca-or-pathlen.pem" \ - |grep -v "Algorithm Security Level" > new-no-ca-or-pathlen.pem + |grep -v "Algorithm Security Level" > new-no-ca-or-pathlen.pem rc=$? if test "${rc}" != "0"; then - echo "info 2 failed" - exit ${rc} + echo "info 2 failed" + exit ${rc} fi ${DIFF} "${srcdir}/ca-no-pathlen.pem" new-ca-no-pathlen.pem @@ -55,7 +55,7 @@ rc2=$? # We're done. if test "${rc1}" != "0"; then - exit ${rc1} + exit ${rc1} fi rm -f new-ca-no-pathlen.pem new-no-ca-or-pathlen.pem diff --git a/tests/cert-tests/pem-decoding b/tests/cert-tests/pem-decoding index 8913acb..a5f612c 100755 --- a/tests/cert-tests/pem-decoding +++ b/tests/cert-tests/pem-decoding @@ -25,8 +25,8 @@ srcdir="${srcdir:-.}" CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" DIFF="${DIFF:-diff}" -if ! test -z "${VALGRIND}";then - VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" +if ! test -z "${VALGRIND}"; then + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" fi #check whether "funny" spaces can be interpreted @@ -35,8 +35,8 @@ rc=$? # We're done. if test "${rc}" != "0"; then - echo "Funny-spacing cert decoding failed 1" - exit ${rc} + echo "Funny-spacing cert decoding failed 1" + exit ${rc} fi #check whether a BMPString attribute can be properly decoded 
@@ -44,8 +44,8 @@ ${VALGRIND} "${CERTTOOL}" --certificate-info --infile "${srcdir}/bmpstring.pem" rc=$? if test "${rc}" != "0"; then - echo "BMPString cert decoding failed 1" - exit ${rc} + echo "BMPString cert decoding failed 1" + exit ${rc} fi #Note that --strip-trailing-cr is used for the test @@ -54,8 +54,8 @@ ${DIFF} "${srcdir}/bmpstring.pem" tmp-pem.pem || ${DIFF} --strip-trailing-cr "${ rc=$? if test "${rc}" != "0"; then - echo "BMPString cert decoding failed 2" - exit ${rc} + echo "BMPString cert decoding failed 2" + exit ${rc} fi #check whether complex-cert is decoded as expected @@ -63,8 +63,8 @@ ${VALGRIND} "${CERTTOOL}" --certificate-info --infile "${srcdir}/complex-cert.pe rc=$? if test "${rc}" != "0"; then - echo "Complex cert decoding failed 1" - exit ${rc} + echo "Complex cert decoding failed 1" + exit ${rc} fi cat "${srcdir}/complex-cert.pem" |grep -v "Not After:" >tmp1 @@ -73,8 +73,8 @@ ${DIFF} tmp1 tmp2 || ${DIFF} --strip-trailing-cr tmp1 tmp2 rc=$? if test "${rc}" != "0"; then - echo "Complex cert decoding failed 2" - exit ${rc} + echo "Complex cert decoding failed 2" + exit ${rc} fi #check whether the cert with many othernames is decoded as expected @@ -82,8 +82,8 @@ ${VALGRIND} "${CERTTOOL}" --certificate-info --infile "${srcdir}/xmpp-othername. rc=$? if test "${rc}" != "0"; then - echo "XMPP cert decoding failed 1" - exit ${rc} + echo "XMPP cert decoding failed 1" + exit ${rc} fi cat "${srcdir}/xmpp-othername.pem" |grep -v "Not After:" >tmp1 @@ -92,8 +92,8 @@ ${DIFF} tmp1 tmp2 || ${DIFF} --strip-trailing-cr tmp1 tmp2 rc=$? if test "${rc}" != "0"; then - echo "XMPP cert decoding failed 2" - exit ${rc} + echo "XMPP cert decoding failed 2" + exit ${rc} fi rm -f tmp-pem.pem tmp1 tmp2 diff --git a/tests/cert-tests/pkcs7 b/tests/cert-tests/pkcs7 index c3938cb..d4b754b 100755 --- a/tests/cert-tests/pkcs7 +++ b/tests/cert-tests/pkcs7 
@@ -23,54 +23,54 @@ srcdir="${srcdir:-.}" CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" DIFF="${DIFF:-diff}" -if ! test -z "${VALGRIND}";then - VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=15" +if ! test -z "${VALGRIND}"; then + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=15" fi OUTFILE=out-pkcs7.tmp OUTFILE2=out2-pkcs7.tmp -for FILE in single-ca.p7b full.p7b;do +for FILE in single-ca.p7b full.p7b; do ${VALGRIND} "${CERTTOOL}" --inder --p7-info --infile "${srcdir}/${FILE}"|grep -v "Signing time" >"${OUTFILE}" rc=$? # We're done. if test "${rc}" != "0"; then - echo "${FILE}: PKCS7 decoding failed" - exit ${rc} + echo "${FILE}: PKCS7 decoding failed" + exit ${rc} fi ${DIFF} "${OUTFILE}" "${srcdir}/${FILE}.out" >/dev/null if test "$?" != "0"; then - echo "${FILE}: PKCS7 decoding didn't produce the correct file" - exit 1 + echo "${FILE}: PKCS7 decoding didn't produce the correct file" + exit 1 fi done # check signatures -for FILE in full.p7b;do +for FILE in full.p7b; do ${VALGRIND} "${CERTTOOL}" --inder --p7-verify --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" --infile "${srcdir}/${FILE}" >"${OUTFILE}" rc=$? if test "${rc}" != "0"; then - echo "${FILE}: PKCS7 verification failed" - exit ${rc} + echo "${FILE}: PKCS7 verification failed" + exit ${rc} fi ${VALGRIND} "${CERTTOOL}" --verify-purpose=1.3.6.1.5.5.7.3.1 --inder --p7-verify --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" --infile "${srcdir}/${FILE}" >"${OUTFILE}" rc=$? if test "${rc}" != "0"; then - echo "${FILE}: PKCS7 verification failed with key purpose" - exit ${rc} + echo "${FILE}: PKCS7 verification failed with key purpose" + exit ${rc} fi ${VALGRIND} "${CERTTOOL}" --verify-purpose=1.3.6.1.5.5.7.3.3 --inder --p7-verify --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" --infile "${srcdir}/${FILE}" >"${OUTFILE}" rc=$? 
if test "${rc}" = "0"; then - echo "${FILE}: PKCS7 verification succeeded with wrong key purpose" - exit 2 + echo "${FILE}: PKCS7 verification succeeded with wrong key purpose" + exit 2 fi done @@ -82,16 +82,16 @@ ${VALGRIND} "${CERTTOOL}" --inder --p7-verify --load-ca-certificate "${srcdir}/. rc=$? if test "${rc}" = "0"; then - echo "${FILE}: PKCS7 verification succeeded without providing detached data" - exit 2 + echo "${FILE}: PKCS7 verification succeeded without providing detached data" + exit 2 fi ${VALGRIND} "${CERTTOOL}" --inder --p7-verify --load-data "${srcdir}/pkcs7-detached.txt" --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" --infile "${srcdir}/${FILE}" rc=$? if test "${rc}" != "0"; then - echo "${FILE}: PKCS7 verification failed" - exit ${rc} + echo "${FILE}: PKCS7 verification failed" + exit ${rc} fi # Test cert combination @@ -102,14 +102,14 @@ ${VALGRIND} "${CERTTOOL}" --p7-generate --load-certificate "${OUTFILE2}" >"${OUT rc=$? if test "${rc}" != "0"; then - echo "${FILE}: PKCS7 struct generation failed" - exit ${rc} + echo "${FILE}: PKCS7 struct generation failed" + exit ${rc} fi ${DIFF} "${OUTFILE}" "${srcdir}/p7-combined.out" >/dev/null if test "$?" != "0"; then - echo "${FILE}: PKCS7 generation didn't produce the correct file" - exit 1 + echo "${FILE}: PKCS7 generation didn't produce the correct file" + exit 1 fi # Test signing @@ -118,8 +118,8 @@ ${VALGRIND} "${CERTTOOL}" --p7-sign --load-privkey "${srcdir}/../../doc/credent rc=$? if test "${rc}" != "0"; then - echo "${FILE}: PKCS7 struct signing failed" - exit ${rc} + echo "${FILE}: PKCS7 struct signing failed" + exit ${rc} fi FILE="signing-verify" @@ -127,8 +127,8 @@ ${VALGRIND} "${CERTTOOL}" --p7-verify --load-certificate "${srcdir}/../../doc/cr rc=$? if test "${rc}" != "0"; then - echo "${FILE}: PKCS7 struct signing failed verification" - exit ${rc} + echo "${FILE}: PKCS7 struct signing failed verification" + exit ${rc} fi 
@@ -137,8 +137,8 @@ ${VALGRIND} "${CERTTOOL}" --p7-detached-sign --load-privkey "${srcdir}/../../do rc=$? if test "${rc}" != "0"; then - echo "${FILE}: PKCS7 struct signing-detached failed" - exit ${rc} + echo "${FILE}: PKCS7 struct signing-detached failed" + exit ${rc} fi FILE="signing-detached-verify" @@ -146,8 +146,8 @@ ${VALGRIND} "${CERTTOOL}" --p7-verify --load-certificate "${srcdir}/../../doc/cr rc=$? if test "${rc}" != "0"; then - echo "${FILE}: PKCS7 struct signing-detached failed verification" - exit ${rc} + echo "${FILE}: PKCS7 struct signing-detached failed verification" + exit ${rc} fi # Test signing with broken algorithms @@ -156,8 +156,8 @@ ${VALGRIND} "${CERTTOOL}" --hash md5 --p7-sign --load-privkey "${srcdir}/../../ rc=$? if test "${rc}" != "0"; then - echo "${FILE}: PKCS7 struct signing-broken failed" - exit ${rc} + echo "${FILE}: PKCS7 struct signing-broken failed" + exit ${rc} fi FILE="signing-verify-broken" @@ -165,8 +165,8 @@ ${VALGRIND} "${CERTTOOL}" --p7-verify --load-certificate "${srcdir}/../../doc/cr rc=$? if test "${rc}" = "0"; then - echo "${FILE}: PKCS7 struct verification succeeded with broken algo" - exit 1 + echo "${FILE}: PKCS7 struct verification succeeded with broken algo" + exit 1 fi FILE="signing-time" @@ -174,14 +174,14 @@ ${VALGRIND} "${CERTTOOL}" --p7-detached-sign --p7-time --load-privkey "${srcdir rc=$? if test "${rc}" != "0"; then - echo "${FILE}: PKCS7 struct signing with time failed" - exit ${rc} + echo "${FILE}: PKCS7 struct signing with time failed" + exit ${rc} fi ${VALGRIND} "${CERTTOOL}" --p7-info <"${OUTFILE}"|grep "Signing time:" "${OUTFILE}" >/dev/null 2>&1 if test "${rc}" != "0"; then - echo "${FILE}: PKCS7 struct signing with time failed. No time was found." - exit ${rc} + echo "${FILE}: PKCS7 struct signing with time failed. No time was found." + exit ${rc} fi FILE="signing-time-verify" 
@@ -189,8 +189,8 @@ ${VALGRIND} "${CERTTOOL}" --p7-verify --load-certificate "${srcdir}/../../doc/cr rc=$? if test "${rc}" != "0"; then - echo "${FILE}: PKCS7 struct signing with time failed verification" - exit ${rc} + echo "${FILE}: PKCS7 struct signing with time failed verification" + exit ${rc} fi rm -f "${OUTFILE}" diff --git a/tests/cert-tests/template-test b/tests/cert-tests/template-test index c92440e..3903492 100755 --- a/tests/cert-tests/template-test +++ b/tests/cert-tests/template-test @@ -29,9 +29,9 @@ export TZ="UTC" # Check for datefudge TSTAMP=`datefudge "2006-09-23" date -u +%s || true` if test "$TSTAMP" != "1158969600"; then - echo $TSTAMP - echo "You need datefudge to run this test" - exit 77 + echo $TSTAMP + echo "You need datefudge to run this test" + exit 77 fi # Note that in rare cases this test may fail because the @@ -41,24 +41,23 @@ fi rc=1 counter=1 -while [ "${rc}" != "0" -a $counter -le 3 ] -do - datefudge "2007-04-22" \ - "${CERTTOOL}" --generate-self-signed \ - --load-privkey "${srcdir}/template-test.key" \ - --template "${srcdir}/template-test.tmpl" \ - --outfile tmp-tt.pem 2>/dev/null - - ${DIFF} "${srcdir}/template-test.pem" tmp-tt.pem >/dev/null 2>&1 - rc=$? - test ${rc} != 0 && sleep 3 - counter=`expr $counter + 1` +while [ "${rc}" != "0" -a $counter -le 3 ]; do + datefudge "2007-04-22" \ + "${CERTTOOL}" --generate-self-signed \ + --load-privkey "${srcdir}/template-test.key" \ + --template "${srcdir}/template-test.tmpl" \ + --outfile tmp-tt.pem 2>/dev/null + + ${DIFF} "${srcdir}/template-test.pem" tmp-tt.pem >/dev/null 2>&1 + rc=$? + test ${rc} != 0 && sleep 3 + counter=`expr $counter + 1` done # We're done. if test "${rc}" != "0"; then - echo "Test 1 failed" - exit ${rc} + echo "Test 1 failed" + exit ${rc} fi rm -f tmp-tt.pem 
@@ -66,24 +65,23 @@ rm -f tmp-tt.pem rc=1 counter=1 -while [ "${rc}" != "0" -a $counter -le 3 ] -do - datefudge "2007-04-22" \ - "${CERTTOOL}" --generate-self-signed \ - --load-privkey "${srcdir}/template-test.key" \ - --template "${srcdir}/template-utf8.tmpl" \ - --outfile tmp-tt.pem 2>/dev/null - - ${DIFF} "${srcdir}/template-utf8.pem" tmp-tt.pem >/dev/null 2>&1 - rc=$? - test ${rc} != 0 && sleep 3 - counter=`expr $counter + 1` +while [ "${rc}" != "0" -a $counter -le 3 ]; do + datefudge "2007-04-22" \ + "${CERTTOOL}" --generate-self-signed \ + --load-privkey "${srcdir}/template-test.key" \ + --template "${srcdir}/template-utf8.tmpl" \ + --outfile tmp-tt.pem 2>/dev/null + + ${DIFF} "${srcdir}/template-utf8.pem" tmp-tt.pem >/dev/null 2>&1 + rc=$? + test ${rc} != 0 && sleep 3 + counter=`expr $counter + 1` done # We're done. if test "${rc}" != "0"; then - echo "Test 2 (UTF8) failed" - exit ${rc} + echo "Test 2 (UTF8) failed" + exit ${rc} fi rm -f tmp-tt.pem 
@@ -91,38 +89,37 @@ rm -f tmp-tt.pem rc=1 counter=1 -while [ "${rc}" != "0" -a $counter -le 3 ] -do - datefudge "2007-04-22" \ - "${CERTTOOL}" --generate-self-signed \ - --load-privkey "${srcdir}/template-test.key" \ - --template "${srcdir}/template-dn.tmpl" \ - --outfile tmp-tt.pem 2>/dev/null - - ${DIFF} "${srcdir}/template-dn.pem" tmp-tt.pem >/dev/null 2>&1 - rc=$? - test ${rc} != 0 && sleep 3 - counter=`expr $counter + 1` +while [ "${rc}" != "0" -a $counter -le 3 ]; do + datefudge "2007-04-22" \ + "${CERTTOOL}" --generate-self-signed \ + --load-privkey "${srcdir}/template-test.key" \ + --template "${srcdir}/template-dn.tmpl" \ + --outfile tmp-tt.pem 2>/dev/null + + ${DIFF} "${srcdir}/template-dn.pem" tmp-tt.pem >/dev/null 2>&1 + rc=$? + test ${rc} != 0 && sleep 3 + counter=`expr $counter + 1` done # We're done. if test "${rc}" != "0"; then - echo "Test 3 (DN) failed" - exit ${rc} + echo "Test 3 (DN) failed" + exit ${rc} fi rm -f tmp-tt.pem datefudge "2007-04-22" \ - "${CERTTOOL}" --generate-self-signed \ - --load-privkey "${srcdir}/template-test.key" \ - --template "${srcdir}/template-dn-err.tmpl" \ - --outfile tmp-tt.pem 2>/dev/null + "${CERTTOOL}" --generate-self-signed \ + --load-privkey "${srcdir}/template-test.key" \ + --template "${srcdir}/template-dn-err.tmpl" \ + --outfile tmp-tt.pem 2>/dev/null rc=$? if test "${rc}" = "0"; then - echo "Test 3 (DN-err) failed" - exit ${rc} + echo "Test 3 (DN-err) failed" + exit ${rc} fi rm -f tmp-tt.pem 
@@ -130,24 +127,23 @@ rm -f tmp-tt.pem rc=1 counter=1 -while [ "${rc}" != "0" -a $counter -le 3 ] -do - datefudge "2007-04-22" \ - "${CERTTOOL}" --generate-self-signed \ - --load-privkey "${srcdir}/template-test.key" \ - --template "${srcdir}/template-overflow.tmpl" \ - --outfile tmp-tt.pem 2>/dev/null - - ${DIFF} "${srcdir}/template-overflow.pem" tmp-tt.pem >/dev/null 2>&1 - rc=$? - test ${rc} != 0 && sleep 3 - counter=`expr $counter + 1` +while [ "${rc}" != "0" -a $counter -le 3 ]; do + datefudge "2007-04-22" \ + "${CERTTOOL}" --generate-self-signed \ + --load-privkey "${srcdir}/template-test.key" \ + --template "${srcdir}/template-overflow.tmpl" \ + --outfile tmp-tt.pem 2>/dev/null + + ${DIFF} "${srcdir}/template-overflow.pem" tmp-tt.pem >/dev/null 2>&1 + rc=$? + test ${rc} != 0 && sleep 3 + counter=`expr $counter + 1` done # We're done. if test "${rc}" != "0"; then - echo "Test 4 (overflow1) failed" - exit ${rc} + echo "Test 4 (overflow1) failed" + exit ${rc} fi rm -f tmp-tt.pem 
@@ -158,24 +154,23 @@ if echo __SIZEOF_POINTER__ | cpp -E - - | grep '^8$' >/dev/null; then rc=1 counter=1 -while [ "${rc}" != "0" -a $counter -le 3 ] -do - datefudge "2007-04-22" \ - "${CERTTOOL}" --generate-self-signed \ - --load-privkey "${srcdir}/template-test.key" \ - --template "${srcdir}/template-overflow2.tmpl" \ - --outfile tmp-tt.pem 2>/dev/null - - ${DIFF} "${srcdir}/template-overflow2.pem" tmp-tt.pem >/dev/null 2>&1 - rc=$? - test ${rc} != 0 && sleep 3 - counter=`expr $counter + 1` +while [ "${rc}" != "0" -a $counter -le 3 ]; do + datefudge "2007-04-22" \ + "${CERTTOOL}" --generate-self-signed \ + --load-privkey "${srcdir}/template-test.key" \ + --template "${srcdir}/template-overflow2.tmpl" \ + --outfile tmp-tt.pem 2>/dev/null + + ${DIFF} "${srcdir}/template-overflow2.pem" tmp-tt.pem >/dev/null 2>&1 + rc=$? + test ${rc} != 0 && sleep 3 + counter=`expr $counter + 1` done # We're done. if test "${rc}" != "0"; then - echo "Test 5 (overflow2) failed" - exit ${rc} + echo "Test 5 (overflow2) failed" + exit ${rc} fi rm -f tmp-tt.pem 
@@ -184,24 +179,23 @@ fi rc=1 counter=1 -while [ "${rc}" != "0" -a $counter -le 3 ] -do - datefudge "2007-04-22" \ - "${CERTTOOL}" --generate-self-signed \ - --load-privkey "${srcdir}/template-test.key" \ - --template "${srcdir}/template-date.tmpl" \ - --outfile tmp-tt.pem 2>/dev/null - - ${DIFF} "${srcdir}/template-date.pem" tmp-tt.pem >/dev/null 2>&1 - rc=$? - test ${rc} != 0 && sleep 3 - counter=`expr $counter + 1` +while [ "${rc}" != "0" -a $counter -le 3 ]; do + datefudge "2007-04-22" \ + "${CERTTOOL}" --generate-self-signed \ + --load-privkey "${srcdir}/template-test.key" \ + --template "${srcdir}/template-date.tmpl" \ + --outfile tmp-tt.pem 2>/dev/null + + ${DIFF} "${srcdir}/template-date.pem" tmp-tt.pem >/dev/null 2>&1 + rc=$? + test ${rc} != 0 && sleep 3 + counter=`expr $counter + 1` done # We're done. if test "${rc}" != "0"; then - echo "Test 6 (explicit dates) failed" - exit ${rc} + echo "Test 6 (explicit dates) failed" + exit ${rc} fi rm -f tmp-tt.pem 
@@ -211,53 +205,51 @@ rm -f tmp-tt.pem rc=1 counter=1 -while [ "${rc}" != "0" -a $counter -le 3 ] -do - datefudge "2007-04-22" \ - "${CERTTOOL}" --generate-self-signed \ - --load-privkey "${srcdir}/template-test.key" \ - --template "${srcdir}/template-nc.tmpl" \ - --outfile tmp-tt.pem 2>/dev/null - - ${DIFF} "${srcdir}/template-nc.pem" tmp-tt.pem >/dev/null 2>&1 - rc=$? - test ${rc} != 0 && sleep 3 - counter=`expr $counter + 1` +while [ "${rc}" != "0" -a $counter -le 3 ]; do + datefudge "2007-04-22" \ + "${CERTTOOL}" --generate-self-signed \ + --load-privkey "${srcdir}/template-test.key" \ + --template "${srcdir}/template-nc.tmpl" \ + --outfile tmp-tt.pem 2>/dev/null + + ${DIFF} "${srcdir}/template-nc.pem" tmp-tt.pem >/dev/null 2>&1 + rc=$? + test ${rc} != 0 && sleep 3 + counter=`expr $counter + 1` done # We're done. if test "${rc}" != "0"; then - echo "Test 7 (name constraints) failed" - exit ${rc} + echo "Test 7 (name constraints) failed" + exit ${rc} fi rm -f tmp-tt.pem # Test the GeneralizedTime support -if test "$(getconf LONG_BIT)" = "64";then - # we should test that on systems which have 64-bit time_t. - rc=1 - counter=1 - - while [ "${rc}" != "0" -a $counter -le 3 ] - do - datefudge "2051-04-22" \ - "${CERTTOOL}" --generate-self-signed \ - --load-privkey "${srcdir}/template-test.key" \ - --template "${srcdir}/template-generalized.tmpl" \ - --outfile tmp-tt.pem 2>/dev/null - - ${DIFF} "${srcdir}/template-generalized.pem" tmp-tt.pem >/dev/null 2>&1 - rc=$? - test ${rc} != 0 && sleep 3 - counter=`expr $counter + 1` - done - - # We're done. - if test "${rc}" != "0"; then - echo "Test 8 (generalizedTime) failed" - exit ${rc} - fi +if test "$(getconf LONG_BIT)" = "64"; then + # we should test that on systems which have 64-bit time_t. 
+ rc=1 + counter=1 + + while [ "${rc}" != "0" -a $counter -le 3 ]; do + datefudge "2051-04-22" \ + "${CERTTOOL}" --generate-self-signed \ + --load-privkey "${srcdir}/template-test.key" \ + --template "${srcdir}/template-generalized.tmpl" \ + --outfile tmp-tt.pem 2>/dev/null + + ${DIFF} "${srcdir}/template-generalized.pem" tmp-tt.pem >/dev/null 2>&1 + rc=$? + test ${rc} != 0 && sleep 3 + counter=`expr $counter + 1` + done + + # We're done. + if test "${rc}" != "0"; then + echo "Test 8 (generalizedTime) failed" + exit ${rc} + fi fi rm -f tmp-tt.pem diff --git a/tests/dsa/testdsa b/tests/dsa/testdsa index 0334e63..456182f 100755 --- a/tests/dsa/testdsa +++ b/tests/dsa/testdsa @@ -26,8 +26,8 @@ CLI="${CLI:-../../src/gnutls-cli}" DEBUG="" unset RETCODE -if test "${WINDIR}" != "";then - exit 77 +if test "${WINDIR}" != ""; then + exit 77 fi . "${srcdir}/../scripts/common.sh" 
@@ -40,30 +40,31 @@ echo "Checking various DSA key sizes (port ${PORT})" echo "Checking DSA-1024 with TLS 1.0" -launch_server $$ --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1" --x509certfile "${srcdir}/cert.dsa.1024.pem" --x509keyfile "${srcdir}/dsa.1024.pem" >/dev/null 2>&1 & PID=$! +launch_server $$ --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1" --x509certfile "${srcdir}/cert.dsa.1024.pem" --x509keyfile "${srcdir}/dsa.1024.pem" >/dev/null 2>&1 & +PID=$! wait_server "${PID}" PRIO="--priority NORMAL:+DHE-DSS:+SIGN-DSA-SHA512:+SIGN-DSA-SHA384:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1" "${CLI}" ${DEBUG} ${PRIO} -p "${PORT}" 127.0.0.1 --insecure /dev/null || \ - fail "${PID}" "Failed connection to a server with DSA 1024 key and TLS 1.0!" + fail "${PID}" "Failed connection to a server with DSA 1024 key and TLS 1.0!" echo "Checking server DSA-1024 with client DSA-1024 and TLS 1.0" #try with client key of 1024 bits (should succeed) "${CLI}" ${DEBUG} ${PRIO} -p "${PORT}" 127.0.0.1 --insecure --x509certfile "${srcdir}/cert.dsa.1024.pem" --x509keyfile "${srcdir}/dsa.1024.pem" /dev/null || \ - fail "${PID}" "Failed connection to a server with DSA 1024 key and TLS 1.0!" + fail "${PID}" "Failed connection to a server with DSA 1024 key and TLS 1.0!" echo "Checking server DSA-1024 with client DSA-2048 and TLS 1.0" #try with client key of 2048 bits (should fail) "${CLI}" ${DEBUG} ${PRIO} -p "${PORT}" 127.0.0.1 --insecure --x509certfile "${srcdir}/cert.dsa.2048.pem" --x509keyfile "${srcdir}/dsa.2048.pem" /dev/null 2>&1 && \ - fail "${PID}" "Succeeded connection to a server with a client DSA 2048 key and TLS 1.0!" + fail "${PID}" "Succeeded connection to a server with a client DSA 2048 key and TLS 1.0!" 
echo "Checking server DSA-1024 with client DSA-3072 and TLS 1.0" #try with client key of 3072 bits (should fail) "${CLI}" ${DEBUG} ${PRIO} -p "${PORT}" 127.0.0.1 --insecure --x509certfile "${srcdir}/cert.dsa.3072.pem" --x509keyfile "${srcdir}/dsa.3072.pem" /dev/null 2>&1 && \ - fail "${PID}" "Succeeded connection to a server with a client DSA 3072 key and TLS 1.0!" + fail "${PID}" "Succeeded connection to a server with a client DSA 3072 key and TLS 1.0!" kill "${PID}" wait 
@@ -72,30 +73,30 @@ wait echo "Checking DSA-1024 with TLS 1.2" -launch_server $$ --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1" --x509certfile "${srcdir}/cert.dsa.1024.pem" --x509keyfile "${srcdir}/dsa.1024.pem" >/dev/null 2>&1 & PID=$! +launch_server $$ --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1" --x509certfile "${srcdir}/cert.dsa.1024.pem" --x509keyfile "${srcdir}/dsa.1024.pem" >/dev/null 2>&1 & +PID=$! wait_server "${PID}" "${CLI}" ${DEBUG} ${PRIO} -p "${PORT}" 127.0.0.1 --insecure /dev/null || \ - fail "${PID}" "Failed connection to a server with DSA 1024 key and TLS 1.2!" + fail "${PID}" "Failed connection to a server with DSA 1024 key and TLS 1.2!" echo "Checking server DSA-1024 with client DSA-1024 and TLS 1.2" #try with client key of 1024 bits (should succeed) "${CLI}" ${DEBUG} ${PRIO} -p "${PORT}" 127.0.0.1 --insecure --x509certfile "${srcdir}/cert.dsa.1024.pem" --x509keyfile "${srcdir}/dsa.1024.pem" /dev/null || \ - fail "${PID}" "Failed connection to a server with DSA 1024 key and TLS 1.2!" + fail "${PID}" "Failed connection to a server with DSA 1024 key and TLS 1.2!" echo "Checking server DSA-1024 with client DSA-2048 and TLS 1.2" #try with client key of 2048 bits (should succeed) "${CLI}" ${DEBUG} ${PRIO} -p "${PORT}" 127.0.0.1 --insecure --x509certfile "${srcdir}/cert.dsa.2048.pem" --x509keyfile "${srcdir}/dsa.2048.pem" /dev/null || \ - fail "${PID}" "Failed connection to a server with a client DSA 2048 key and TLS 1.2!" + fail "${PID}" "Failed connection to a server with a client DSA 2048 key and TLS 1.2!" echo "Checking server DSA-1024 with client DSA-3072 and TLS 1.2" #try with client key of 3072 bits (should succeed) "${CLI}" ${DEBUG} ${PRIO} -p "${PORT}" 127.0.0.1 --insecure --x509certfile "${srcdir}/cert.dsa.3072.pem" --x509keyfile "${srcdir}/dsa.3072.pem" /dev/null || \ - fail "${PID}" "Failed connection to a server with a client DSA 3072 key and TLS 1.2!" 
- + fail "${PID}" "Failed connection to a server with a client DSA 3072 key and TLS 1.2!" kill "${PID}" wait @@ -104,11 +105,12 @@ wait #echo "Checking DSA-2048 with TLS 1.0" -#launch_server $$ --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0" --x509certfile "${srcdir}/cert.dsa.2048.pem" --x509keyfile "${srcdir}/dsa.2048.pem" >/dev/null 2>&1 & PID=$! +#launch_server $$ --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0" --x509certfile "${srcdir}/cert.dsa.2048.pem" --x509keyfile "${srcdir}/dsa.2048.pem" >/dev/null 2>&1 & +#PID=$! #wait_server "${PID}" #"${CLI}" ${DEBUG} ${PRIO} -p "${PORT}" 127.0.0.1 --insecure /dev/null 2>&1 && \ -# fail "${PID}" "Succeeded connection to a server with DSA 2048 key and TLS 1.0. Should have failed!" +# fail "${PID}" "Succeeded connection to a server with DSA 2048 key and TLS 1.0. Should have failed!" #kill "${PID}" #wait @@ -117,11 +119,12 @@ wait echo "Checking DSA-2048 with TLS 1.2" -launch_server $$ --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1" --x509certfile "${srcdir}/cert.dsa.2048.pem" --x509keyfile "${srcdir}/dsa.2048.pem" >/dev/null 2>&1 & PID=$! +launch_server $$ --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1" --x509certfile "${srcdir}/cert.dsa.2048.pem" --x509keyfile "${srcdir}/dsa.2048.pem" >/dev/null 2>&1 & +PID=$! wait_server "${PID}" "${CLI}" ${DEBUG} ${PRIO} -p "${PORT}" 127.0.0.1 --insecure /dev/null || \ - fail "${PID}" "Failed connection to a server with DSA 2048 key and TLS 1.2!" + fail "${PID}" "Failed connection to a server with DSA 2048 key and TLS 1.2!" kill "${PID}" wait 
@@ -130,11 +133,12 @@ wait #echo "Checking DSA-3072 with TLS 1.0" -#launch_server $$ --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0" --x509certfile "${srcdir}/cert.dsa.3072.pem" --x509keyfile "${srcdir}/dsa.3072.pem" >/dev/null 2>&1 & PID=$! +#launch_server $$ --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0" --x509certfile "${srcdir}/cert.dsa.3072.pem" --x509keyfile "${srcdir}/dsa.3072.pem" >/dev/null 2>&1 & +#PID=$! #wait_server "${PID}" # #"${CLI}" ${DEBUG} ${PRIO} -p "${PORT}" 127.0.0.1 --insecure /dev/null 2>&1 && \ -# fail "${PID}" "Succeeded connection to a server with DSA 3072 key and TLS 1.0. Should have failed!" +# fail "${PID}" "Succeeded connection to a server with DSA 3072 key and TLS 1.0. Should have failed!" # #kill "${PID}" #wait @@ -143,14 +147,14 @@ wait echo "Checking DSA-3072 with TLS 1.2" -launch_server $$ --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1" --x509certfile "${srcdir}/cert.dsa.3072.pem" --x509keyfile "${srcdir}/dsa.3072.pem" >/dev/null 2>&1 & PID=$! +launch_server $$ --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1" --x509certfile "${srcdir}/cert.dsa.3072.pem" --x509keyfile "${srcdir}/dsa.3072.pem" >/dev/null 2>&1 & +PID=$! wait_server "${PID}" "${CLI}" ${DEBUG} ${PRIO} -p "${PORT}" 127.0.0.1 --insecure /dev/null || \ - fail "${PID}" "Failed connection to a server with DSA 3072 key and TLS 1.2!" + fail "${PID}" "Failed connection to a server with DSA 3072 key and TLS 1.2!" kill "${PID}" wait exit 0 - diff --git a/tests/dtls/dtls b/tests/dtls/dtls index 1a80573..ea1f3be 100755 --- a/tests/dtls/dtls +++ b/tests/dtls/dtls @@ -22,8 +22,8 @@ set -e -if test "${WINDIR}" != "";then - exit 77 +if test "${WINDIR}" != ""; then + exit 77 fi ./dtls-stress -full -shello 01234 -sfinished 01 -cfinished 01234 CCertificate CKeyExchange CCertificateVerify CChangeCipherSpec CFinished -d 6 diff --git a/tests/dtls/dtls-nb b/tests/dtls/dtls-nb index 7ba2f33..87c2d0d 100755 
--- a/tests/dtls/dtls-nb +++ b/tests/dtls/dtls-nb @@ -22,8 +22,8 @@ set -e -if test "${WINDIR}" != "";then - exit 77 +if test "${WINDIR}" != ""; then + exit 77 fi ./dtls-stress -nb -shello 021 -sfinished 01 -cfinished 012 SKeyExchange CKeyExchange CFinished diff --git a/tests/ecdsa/ecdsa b/tests/ecdsa/ecdsa index 507f622..e5b48b9 100755 --- a/tests/ecdsa/ecdsa +++ b/tests/ecdsa/ecdsa 
@@ -26,66 +26,66 @@ srcdir="${srcdir:-.}" CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" echo ca > template -echo cn = "ECDSA SHA 256 CA" >> template +echo "cn = ECDSA SHA 256 CA" >> template "${CERTTOOL}" --generate-privkey --ecc > key-ca-ecdsa.pem 2>/dev/null "${CERTTOOL}" -d 2 --generate-self-signed --template template \ - --load-privkey key-ca-ecdsa.pem \ - --outfile new-ca-ecdsa.pem \ - --hash sha256 >out 2>&1 + --load-privkey key-ca-ecdsa.pem \ + --outfile new-ca-ecdsa.pem \ + --hash sha256 >out 2>&1 -if [ $? != 0 ];then - cat out - exit 1 +if [ $? != 0 ]; then + cat out + exit 1 fi echo ca > template "${CERTTOOL}" --generate-privkey --ecc > key-subca-ecdsa.pem 2>/dev/null -echo cn = "ECDSA SHA 224 Mid CA" >> template +echo "cn = ECDSA SHA 224 Mid CA" >> template "${CERTTOOL}" -d 2 --generate-certificate --template template \ - --load-ca-privkey key-ca-ecdsa.pem \ - --load-ca-certificate new-ca-ecdsa.pem \ - --load-privkey key-subca-ecdsa.pem \ - --outfile new-subca-ecdsa.pem \ - --hash sha224 >out 2>&1 - -if [ $? != 0 ];then - cat out - exit 1 + --load-ca-privkey key-ca-ecdsa.pem \ + --load-ca-certificate new-ca-ecdsa.pem \ + --load-privkey key-subca-ecdsa.pem \ + --outfile new-subca-ecdsa.pem \ + --hash sha224 >out 2>&1 + +if [ $? != 0 ]; then + cat out + exit 1 fi -echo cn = "End-user" > template +echo "cn = End-user" > template "${CERTTOOL}" --generate-privkey --ecc > key-ecdsa.pem 2>/dev/null "${CERTTOOL}" -d 2 --generate-certificate --template template \ - --load-ca-privkey key-subca-ecdsa.pem \ - --load-ca-certificate new-subca-ecdsa.pem \ - --load-privkey key-ecdsa.pem \ - --outfile new-user.pem >out 2>&1 - -if [ $? != 0 ];then - cat out - exit 1 + --load-ca-privkey key-subca-ecdsa.pem \ + --load-ca-certificate new-subca-ecdsa.pem \ + --load-privkey key-ecdsa.pem \ + --outfile new-user.pem >out 2>&1 + +if [ $? 
!= 0 ]; then + cat out + exit 1 fi cat new-user.pem new-subca-ecdsa.pem new-ca-ecdsa.pem > out "${CERTTOOL}" --verify-chain verify -if [ $? != 0 ];then - cat verify - exit 1 +if [ $? != 0 ]; then + cat verify + exit 1 fi rm -f verify new-user.pem new-ca-ecdsa.pem new-subca-ecdsa.pem template out rm -f key-subca-ecdsa.pem key-ca-ecdsa.pem key-ecdsa.pem "${CERTTOOL}" -k < "${srcdir}/bad-key.pem" | grep "validation failed" >/dev/null 2>&1 -if [ $? != 0 ];then - echo "certtool didn't detect a bad ECDSA key." - exit 1 +if [ $? != 0 ]; then + echo "certtool didn't detect a bad ECDSA key." + exit 1 fi exit 0 diff --git a/tests/key-tests/key-id b/tests/key-tests/key-id index c671319..2ef0f3e 100755 --- a/tests/key-tests/key-id +++ b/tests/key-tests/key-id @@ -36,14 +36,14 @@ echo "serial = 0" > tmpl # --outfile user-no-keyid.pem 2> /dev/null eval "${CERTTOOL}" ${PARAMS} --load-ca-certificate "${srcdir}/ca-weird-keyid.pem" \ - --outfile user-weird-keyid.pem 2> /dev/null + --outfile user-weird-keyid.pem 2> /dev/null if "${CERTTOOL}" -i < user-weird-keyid.pem \ - | grep '7a2c7a6097460603cbfb28e8e219df18deeb4e0d' > /dev/null; then + | grep '7a2c7a6097460603cbfb28e8e219df18deeb4e0d' > /dev/null; then : else - echo "Could not find CA SKI in user certificate." - exit 1; + echo "Could not find CA SKI in user certificate." + exit 1; fi rm -f tmpl user-gnutls-keyid.pem user-no-keyid.pem user-weird-keyid.pem diff --git a/tests/key-tests/pkcs8 b/tests/key-tests/pkcs8 index 3173bfa..d166469 100755 --- a/tests/key-tests/pkcs8 +++ b/tests/key-tests/pkcs8 
@@ -24,86 +24,86 @@ GREP="${GREP:-grep}" # check keys with password "${CERTTOOL}" --to-p8 --load-privkey "${srcdir}/key-ca.pem" --password "1234" \ - --outfile tmp-key-ca.p8 2>/dev/null + --outfile tmp-key-ca.p8 2>/dev/null ${GREP} "BEGIN ENCRYPTED PRIVATE KEY" tmp-key-ca.p8 >/dev/null 2>&1 rc=$? # We're done. if test "${rc}" != "0"; then - echo "Error in converting key to PKCS #8 with password" - exit ${rc} + echo "Error in converting key to PKCS #8 with password" + exit ${rc} fi "${CERTTOOL}" -k --pkcs8 --infile "${srcdir}/key-ca.pem" --password "1234" >/dev/null 2>&1 rc=$? # We're done. if test "${rc}" != "0"; then - echo "Error in reading PKCS #8 key with password" - exit ${rc} + echo "Error in reading PKCS #8 key with password" + exit ${rc} fi "${CERTTOOL}" -k --pkcs8 --infile "${srcdir}/key-ca-1234.p8" --password "1234" >/dev/null 2>&1 rc=$? # We're done. if test "${rc}" != "0"; then - echo "Error in reading saved PKCS #8 key with password" - exit ${rc} + echo "Error in reading saved PKCS #8 key with password" + exit ${rc} fi #keys encrypted with empty password "${CERTTOOL}" --to-p8 --load-privkey "${srcdir}/key-ca.pem" --password "" \ - --outfile tmp-key-ca.p8 2>/dev/null + --outfile tmp-key-ca.p8 2>/dev/null ${GREP} "BEGIN PRIVATE KEY" tmp-key-ca.p8 >/dev/null 2>&1 rc=$? # We're done. if test "${rc}" != "0"; then - echo "Error in converting key to PKCS #8 with empty password" - exit ${rc} + echo "Error in converting key to PKCS #8 with empty password" + exit ${rc} fi "${CERTTOOL}" -k --pkcs8 --infile "${srcdir}/key-ca.pem" --password "" >/dev/null 2>&1 rc=$? # We're done. if test "${rc}" != "0"; then - echo "Error in reading PKCS #8 key with empty password" - exit ${rc} + echo "Error in reading PKCS #8 key with empty password" + exit ${rc} fi "${CERTTOOL}" -k --pkcs8 --infile "${srcdir}/key-ca-empty.p8" --password "" >/dev/null 2>&1 rc=$? # We're done. 
if test "${rc}" != "0"; then - echo "Error in reading saved PKCS #8 key with empty password" - exit ${rc} + echo "Error in reading saved PKCS #8 key with empty password" + exit ${rc} fi #keys encrypted with null password "${CERTTOOL}" --to-p8 --load-privkey "${srcdir}/key-ca.pem" --null-password \ - --outfile tmp-key-ca.p8 2>/dev/null + --outfile tmp-key-ca.p8 2>/dev/null ${GREP} "BEGIN ENCRYPTED PRIVATE KEY" tmp-key-ca.p8 >/dev/null 2>&1 rc=$? # We're done. if test "${rc}" != "0"; then - echo "Error in converting key to PKCS #8 with null password" - exit ${rc} + echo "Error in converting key to PKCS #8 with null password" + exit ${rc} fi "${CERTTOOL}" -k --pkcs8 --infile "${srcdir}/key-ca.pem" --null-password >/dev/null 2>&1 rc=$? # We're done. if test "${rc}" != "0"; then - echo "Error in reading PKCS #8 key with null password" - exit ${rc} + echo "Error in reading PKCS #8 key with null password" + exit ${rc} fi "${CERTTOOL}" -k --pkcs8 --infile "${srcdir}/key-ca-null.p8" --null-password >/dev/null 2>&1 rc=$? # We're done. if test "${rc}" != "0"; then - echo "Error in reading saved PKCS #8 key with null password" - exit ${rc} + echo "Error in reading saved PKCS #8 key with null password" + exit ${rc} fi # Tests for PKCS #8 ECC keys @@ -112,24 +112,24 @@ fi rc=$? # We're done. if test "${rc}" != "0"; then - echo "Error in reading saved ECC key" - exit ${rc} + echo "Error in reading saved ECC key" + exit ${rc} fi "${CERTTOOL}" -k --pkcs8 --infile "${srcdir}/key-ecc.p8" >/dev/null 2>&1 rc=$? # We're done. if test "${rc}" != "0"; then - echo "Error in reading saved PKCS #8 ECC key" - exit ${rc} + echo "Error in reading saved PKCS #8 ECC key" + exit ${rc} fi "${CERTTOOL}" -k --pkcs8 --infile "${srcdir}/openssl-key-ecc.p8" >/dev/null 2>&1 rc=$? # We're done. if test "${rc}" != "0"; then - echo "Error in reading saved openssl PKCS #8 ECC key" - exit ${rc} + echo "Error in reading saved openssl PKCS #8 ECC key" + exit ${rc} fi rm -f tmp-key-ca.p8 
diff --git a/tests/nist-pkits/gnutls_test_entry b/tests/nist-pkits/gnutls_test_entry index 87c435e..a35d026 100755 --- a/tests/nist-pkits/gnutls_test_entry +++ b/tests/nist-pkits/gnutls_test_entry @@ -10,19 +10,19 @@ certtool -e < chain.pem > output.txt rm -f chain.pem if grep 'Verification output:' output.txt > /dev/null; then - if grep 'Verification output' output.txt | grep -v 'Verification output: Verified.' > /dev/null; then - if test "${RESULT}" = "0"; then - echo "Unexpected reject" - else - echo "Reject" - fi - else - if test "${RESULT}" = "1"; then - echo "Unexpected success" - else - echo "Success" - fi - fi + if grep 'Verification output' output.txt | grep -v 'Verification output: Verified.' > /dev/null; then + if test "${RESULT}" = "0"; then + echo "Unexpected reject" + else + echo "Reject" + fi + else + if test "${RESULT}" = "1"; then + echo "Unexpected success" + else + echo "Success" + fi + fi fi rm -f output.txt diff --git a/tests/nist-pkits/pkits_crl b/tests/nist-pkits/pkits_crl index 1473587..6c3e92d 100755 --- a/tests/nist-pkits/pkits_crl +++ b/tests/nist-pkits/pkits_crl @@ -25,12 +25,12 @@ test -d crls || unzip "${srcdir}/PKITS_data.zip" ret=0 for crl in "${srcdir}/crls"/*; do - "${CERTTOOL}" --crl-info --inder --infile "${crl}" > out 2>&1 - rc=$? - if test ${rc} != 0; then - echo "CRL FATAL ${crl}" - ret=1 - fi + "${CERTTOOL}" --crl-info --inder --infile "${crl}" > out 2>&1 + rc=$? + if test ${rc} != 0; then + echo "CRL FATAL ${crl}" + ret=1 + fi done rm -f out diff --git a/tests/nist-pkits/pkits_crt b/tests/nist-pkits/pkits_crt index 5e22ca2..92b69bd 100755 --- a/tests/nist-pkits/pkits_crt +++ b/tests/nist-pkits/pkits_crt 
@@ -25,12 +25,12 @@ test -d certs || unzip "${srcdir}/PKITS_data.zip" ret=0 for crt in "${srcdir}/certs"/*; do - "${CERTTOOL}" --certificate-info --inder --infile "${crt}" > out 2>&1 - rc=$? - if test ${rc} != 0; then - echo "Certificate FATAL ${crt}" - ret=1 - fi + "${CERTTOOL}" --certificate-info --inder --infile "${crt}" > out 2>&1 + rc=$? + if test ${rc} != 0; then + echo "Certificate FATAL ${crt}" + ret=1 + fi done rm -f out diff --git a/tests/nist-pkits/pkits_pkcs12 b/tests/nist-pkits/pkits_pkcs12 index 24ba7e6..0b34cb9 100755 --- a/tests/nist-pkits/pkits_pkcs12 +++ b/tests/nist-pkits/pkits_pkcs12 @@ -25,12 +25,12 @@ test -d pkcs12 || unzip "${srcdir}/PKITS_data.zip" ret=0 for p12 in "${srcdir}/pkcs12"/*; do - "${CERTTOOL}" --p12-info --inder --password password --infile "${p12}" > out 2>&1 - rc=$? - if test ${rc} != 0; then - echo "PKCS12 FATAL $p12" - ret=1 - fi + "${CERTTOOL}" --p12-info --inder --password password --infile "${p12}" > out 2>&1 + rc=$? + if test ${rc} != 0; then + echo "PKCS12 FATAL $p12" + ret=1 + fi done rm -f out diff --git a/tests/nist-pkits/pkits_smime b/tests/nist-pkits/pkits_smime index a9b15aa..62da9c9 100755 --- a/tests/nist-pkits/pkits_smime +++ b/tests/nist-pkits/pkits_smime @@ -25,18 +25,18 @@ test -d smime || unzip "${srcdir}/PKITS_data.zip" ret=0 for msg in "${srcdir}/smime"/*; do - "${CERTTOOL}" --smime-to-p7 --infile "${msg}" > out 2>&1 - rc=$? - if test ${rc} != 0; then - echo "S/MIME FATAL $msg" - ret=1 - fi - "${CERTTOOL}" --p7-info --infile out > out2 2>&1 - rc=$? - if test ${rc} != 0; then - echo "PKCS#7 FATAL $msg" - ret=1 - fi + "${CERTTOOL}" --smime-to-p7 --infile "${msg}" > out 2>&1 + rc=$? + if test ${rc} != 0; then + echo "S/MIME FATAL $msg" + ret=1 + fi + "${CERTTOOL}" --p7-info --infile out > out2 2>&1 + rc=$? + if test ${rc} != 0; then + echo "PKCS#7 FATAL $msg" + ret=1 + fi done rm -f out out2 diff --git a/tests/nist-pkits/pkits_test b/tests/nist-pkits/pkits_test index 55653a3..49feecb 100755 
--- a/tests/nist-pkits/pkits_test +++ b/tests/nist-pkits/pkits_test @@ -7,8 +7,8 @@ srcdir="${srcdir:-.}" test -d certs || unzip "${srcdir}/PKITS_data.zip" if ! test -d pkits_test_list_generator; then - tar xfz "${srcdir}/pkits_test_list_generator.tgz" - patch -p 0 < pkits_test_list_generator.patch + tar xfz "${srcdir}/pkits_test_list_generator.tgz" + patch -p 0 < pkits_test_list_generator.patch fi make -C pkits_test_list_generator/src diff --git a/tests/openpgp-certs/testcerts b/tests/openpgp-certs/testcerts index c8d25d1..9ac5f53 100755 --- a/tests/openpgp-certs/testcerts +++ b/tests/openpgp-certs/testcerts @@ -25,8 +25,8 @@ SERV="${SERV:-../../src/gnutls-serv} -q" CLI="${CLI:-../../src/gnutls-cli}" DEBUG="" -if test "${WINDIR}" != "";then - exit 77 +if test "${WINDIR}" != ""; then + exit 77 fi . "${srcdir}/../scripts/common.sh" @@ -35,7 +35,8 @@ PORT="${PORT:-$RPORT}" echo "Checking OpenPGP certificate verification" -launch_server $$ --priority NORMAL:+CTYPE-OPENPGP --pgpcertfile "${srcdir}/srv-public-127.0.0.1-signed.gpg" --pgpkeyfile "${srcdir}/srv-secret.gpg" >/dev/null 2>&1 & PID=$! +launch_server $$ --priority NORMAL:+CTYPE-OPENPGP --pgpcertfile "${srcdir}/srv-public-127.0.0.1-signed.gpg" --pgpkeyfile "${srcdir}/srv-secret.gpg" >/dev/null 2>&1 & +PID=$! wait_server ${PID} # give the server a chance to initialize 
@@ -47,22 +48,23 @@ wait_server ${PID} # fail "Connection to verified IP address should have succeeded! (error code $?)" $? "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.2 --priority NORMAL:+CTYPE-OPENPGP --pgpkeyring "${srcdir}/ca-public.gpg" /dev/null 2>&1 && \ - fail ${PID} "Connection to unrecognized IP address should have failed!" + fail ${PID} "Connection to unrecognized IP address should have failed!" "${CLI}" ${DEBUG} -p "${PORT}" localhost --priority NORMAL:+CTYPE-OPENPGP --pgpkeyring "${srcdir}/ca-public.gpg" /dev/null 2>&1 && \ - fail ${PID} "Connection to unverified (but present) 'localhost' should have failed!" + fail ${PID} "Connection to unverified (but present) 'localhost' should have failed!" kill ${PID} wait -launch_server $$ --priority NORMAL:+CTYPE-OPENPGP --pgpcertfile "${srcdir}/srv-public-localhost-signed.gpg" --pgpkeyfile "${srcdir}/srv-secret.gpg" >/dev/null 2>&1 & PID=$! +launch_server $$ --priority NORMAL:+CTYPE-OPENPGP --pgpcertfile "${srcdir}/srv-public-localhost-signed.gpg" --pgpkeyfile "${srcdir}/srv-secret.gpg" >/dev/null 2>&1 & +PID=$! wait_server ${PID} echo | "${CLI}" ${DEBUG} --priority NORMAL:+CTYPE-OPENPGP -p "${PORT}" 127.0.0.1 --pgpkeyring "${srcdir}/ca-public.gpg" /dev/null 2>&1 && \ - fail ${PID} "Connection to unverified IP address should have failed! (error code $?)" $? + fail ${PID} "Connection to unverified IP address should have failed! (error code $?)" $? "${CLI}" ${DEBUG} --priority NORMAL:+CTYPE-OPENPGP -p "${PORT}" 127.0.0.2 --pgpkeyring "${srcdir}/ca-public.gpg" /dev/null 2>&1 && \ - fail ${PID} "Connection to unrecognized IP address should have failed!" + fail ${PID} "Connection to unrecognized IP address should have failed!" #see reason above #"${CLI}" -p "${PORT}" localhost --pgpkeyring ca-public.gpg /dev/null || \ 
@@ -71,15 +73,16 @@ echo | "${CLI}" ${DEBUG} --priority NORMAL:+CTYPE-OPENPGP -p "${PORT}" 127.0.0.1 kill ${PID} wait -launch_server $$ --priority NORMAL:+CTYPE-OPENPGP --pgpcertfile "${srcdir}/srv-public-all-signed.gpg" --pgpkeyfile "${srcdir}/srv-secret.gpg" >/dev/null 2>&1 & PID=$! +launch_server $$ --priority NORMAL:+CTYPE-OPENPGP --pgpcertfile "${srcdir}/srv-public-all-signed.gpg" --pgpkeyfile "${srcdir}/srv-secret.gpg" >/dev/null 2>&1 & +PID=$! wait_server ${PID} # give the server a chance to initialize echo | "${CLI}" ${DEBUG} --priority NORMAL:+CTYPE-OPENPGP -p "${PORT}" 127.0.0.1 --pgpkeyring "${srcdir}/ca-public.gpg" /dev/null || \ - fail ${PID} "Connection to signed PGP certificate should have succeeded! (error code $?)" $? + fail ${PID} "Connection to signed PGP certificate should have succeeded! (error code $?)" $? "${CLI}" ${DEBUG} --priority NORMAL:+CTYPE-OPENPGP -p "${PORT}" 127.0.0.2 --pgpkeyring "${srcdir}/ca-public.gpg" /dev/null 2>&1 && \ - fail ${PID} "Connection to unrecognized IP address should have failed!" + fail ${PID} "Connection to unrecognized IP address should have failed!" kill ${PID} wait diff --git a/tests/openpgp-certs/testselfsigs b/tests/openpgp-certs/testselfsigs index 2910b29..2100c11 100755 --- a/tests/openpgp-certs/testselfsigs +++ b/tests/openpgp-certs/testselfsigs 
@@ -28,26 +28,26 @@ CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" unset RETCODE || true fail() { - echo "Failure: $1" >&2 - RETCODE=${RETCODE:-${2:-1}} + echo "Failure: $1" >&2 + RETCODE=${RETCODE:-${2:-1}} } echo "Checking OpenPGP certificate self verification" ("${CERTTOOL}" --inraw --pgp-certificate-info --infile "${srcdir}/selfsigs/alice.pub" \ - | grep "^Self Signature verification: ok" > /dev/null) || \ - fail "Self sig Verification should have succeeded!" + | grep "^Self Signature verification: ok" > /dev/null) || \ + fail "Self sig Verification should have succeeded!" ("${CERTTOOL}" --inraw --pgp-certificate-info --infile "${srcdir}/selfsigs/alice-mallory-badsig18.pub" \ - | grep "^Self Signature verification: failed" > /dev/null) || \ - fail "Self sig Verification should have failed!" + | grep "^Self Signature verification: failed" > /dev/null) || \ + fail "Self sig Verification should have failed!" ("${CERTTOOL}" --inraw --pgp-certificate-info --infile "${srcdir}/selfsigs/alice-mallory-irrelevantsig.pub" \ - | grep "^Self Signature verification: failed" >/dev/null) || \ - fail "Self sig Verification should have failed!" + | grep "^Self Signature verification: failed" >/dev/null) || \ + fail "Self sig Verification should have failed!" ("${CERTTOOL}" --inraw --pgp-certificate-info --infile "${srcdir}/selfsigs/alice-mallory-nosig18.pub" \ - | grep "^Self Signature verification: failed" >/dev/null) || \ - fail "Self sig Verification should have failed!" + | grep "^Self Signature verification: failed" >/dev/null) || \ + fail "Self sig Verification should have failed!" exit ${RETCODE:-0} diff --git a/tests/pkcs1-padding/pkcs1-pad b/tests/pkcs1-padding/pkcs1-pad index 8d0861a..8b71126 100755 --- a/tests/pkcs1-padding/pkcs1-pad +++ b/tests/pkcs1-padding/pkcs1-pad 
@@ -31,8 +31,8 @@ export TZ="UTC" # Check for datefudge TSTAMP=`datefudge "2006-09-23" date -u +%s || true` if test "${TSTAMP}" != "1158969600"; then - echo "You need datefudge to run this test" - exit 77 + echo "You need datefudge to run this test" + exit 77 fi # Test 1, PKCS#1 pad digestAlgorithm.parameters @@ -48,10 +48,10 @@ out1fails=`grep 'Not verified.' out1 | wc -l | tr -d " "` out2fails=`grep 'Not verified.' out2 | wc -l | tr -d " "` if test "${out1oks}${out2oks}${out1fails}${out2fails}" != "${EXPECT1}"; then - echo "out1 oks ${out1oks} fails ${out1fails} out2 oks ${out2oks} fails ${out2fails}" - echo "expected ${EXPECT1}" - echo "PKCS1-PAD1 FAIL" - exit 1 + echo "out1 oks ${out1oks} fails ${out1fails} out2 oks ${out2oks} fails ${out2fails}" + echo "expected ${EXPECT1}" + echo "PKCS1-PAD1 FAIL" + exit 1 fi rm -f out1 out2 @@ -71,10 +71,10 @@ out1fails=`grep 'Not verified.' out1 | wc -l | tr -d " "` out2fails=`grep 'Not verified.' out2 | wc -l | tr -d " "` if test "${out1oks}${out2oks}${out1fails}${out2fails}" != "${EXPECT2}"; then - echo "out1 oks ${out1oks} fails ${out1fails} out2 oks ${out2oks} fails ${out2fails}" - echo "expected ${EXPECT2}" - echo "PKCS1-PAD2 FAIL" - exit 1 + echo "out1 oks ${out1oks} fails ${out1fails} out2 oks ${out2oks} fails ${out2fails}" + echo "expected ${EXPECT2}" + echo "PKCS1-PAD2 FAIL" + exit 1 fi rm -f out1 out2 @@ -93,10 +93,10 @@ out1oks=`grep 'Verified.' out1 | wc -l | tr -d " "` out1fails=`grep 'Not verified.' out1 | wc -l | tr -d " "` if test "${out1oks}${out1fails}" != "${EXPECT3}"; then - echo "out1 oks ${out1oks} fails ${out1fails}" - echo "expected ${EXPECT3}" - echo "PKCS1-PAD3 FAIL" - exit 1 + echo "out1 oks ${out1oks} fails ${out1fails}" + echo "expected ${EXPECT3}" + echo "PKCS1-PAD3 FAIL" + exit 1 fi rm -f out1 diff --git a/tests/pkcs12-decode/pkcs12 b/tests/pkcs12-decode/pkcs12 index 0408ad1..64a3607 100755 --- a/tests/pkcs12-decode/pkcs12 +++ b/tests/pkcs12-decode/pkcs12 
@@ -27,101 +27,101 @@ CERTTOOL="${CERTTOOL:-${top_builddir}/src/certtool${EXEEXT}}" DIFF="${DIFF:-diff}" DEBUG="" -if test "x$1" != "x";then - DEBUG="1" +if test "x$1" != "x"; then + DEBUG="1" fi ret=0 for p12 in 'client.p12 foobar' noclient.p12 unclient.p12 pkcs12_2certs.p12; do - set -- ${p12} - file="$1" - passwd="$2" - if test "x$DEBUG" != "x";then - "${CERTTOOL}" -d 99 --p12-info --inder --password "${passwd}" \ - --infile "${srcdir}/${file}" - else - "${CERTTOOL}" --p12-info --inder --password "${passwd}" \ - --infile "${srcdir}/${file}" >/dev/null 2>&1 - fi - rc=$? - if test ${rc} != 0; then - echo "NEON PKCS12 FATAL ${p12}" - ret=1 - fi + set -- ${p12} + file="$1" + passwd="$2" + if test "x$DEBUG" != "x"; then + "${CERTTOOL}" -d 99 --p12-info --inder --password "${passwd}" \ + --infile "${srcdir}/${file}" + else + "${CERTTOOL}" --p12-info --inder --password "${passwd}" \ + --infile "${srcdir}/${file}" >/dev/null 2>&1 + fi + rc=$? + if test ${rc} != 0; then + echo "NEON PKCS12 FATAL ${p12}" + ret=1 + fi done file=test-null.p12 "${CERTTOOL}" --p12-info --inder --null-password --infile "${srcdir}/${file}" >/dev/null 2>&1 rc=$? if test ${rc} != 0; then - echo "PKCS12 FATAL ${file}" - ret=1 + echo "PKCS12 FATAL ${file}" + ret=1 fi file=sha256.p12 "${CERTTOOL}" --p12-info --inder --password 1234 --infile "${srcdir}/${file}" >/dev/null 2>&1 rc=$? if test ${rc} != 0; then - echo "PKCS12 FATAL ${file}" - ret=1 + echo "PKCS12 FATAL ${file}" + ret=1 fi # test whether we can encode a certificate and a key "${CERTTOOL}" --to-p12 --password 1234 --p12-name "my-key" --load-certificate "${srcdir}/../certs/cert-ecc256.pem" --load-privkey "${srcdir}/../certs/ecc256.pem" --outder --outfile out.p12 >/dev/null 2>&1 rc=$? if test ${rc} != 0; then - echo "PKCS12 FATAL encoding" - ret=1 + echo "PKCS12 FATAL encoding" + ret=1 fi "${CERTTOOL}" --p12-info --inder --password 1234 --infile out.p12 >out.pem 2>/dev/null rc=$? 
if test ${rc} != 0; then - echo "PKCS12 FATAL decrypting/decoding" - ret=1 + echo "PKCS12 FATAL decrypting/decoding" + ret=1 fi grep "BEGIN ENCRYPTED PRIVATE KEY" out.pem >/dev/null 2>&1 rc=$? if test "${rc}" != "0"; then - exit ${rc} + exit ${rc} fi grep "BEGIN CERTIFICATE" out.pem >/dev/null 2>&1 rc=$? if test "${rc}" != "0"; then - exit ${rc} + exit ${rc} fi # test whether we can encode a certificate, a key and a CA "${CERTTOOL}" --to-p12 --password 123456 --p12-name "my-key" --load-certificate "${srcdir}/../certs/cert-ecc256.pem" --load-privkey "${srcdir}/../certs/ecc256.pem" --load-ca-certificate "${srcdir}/../certs/ca-cert-ecc.pem" --outder --outfile out.p12 >/dev/null 2>&1 rc=$? if test ${rc} != 0; then - echo "PKCS12 FATAL encoding 2" - exit 1 + echo "PKCS12 FATAL encoding 2" + exit 1 fi "${CERTTOOL}" --p12-info --inder --password 123456 --infile out.p12 >out.pem 2>/dev/null rc=$? if test ${rc} != 0; then - echo "PKCS12 FATAL decrypting/decoding 2" - exit 1 + echo "PKCS12 FATAL decrypting/decoding 2" + exit 1 fi grep "BEGIN ENCRYPTED PRIVATE KEY" out.pem >/dev/null 2>&1 rc=$? if test "${rc}" != "0"; then - exit ${rc} + exit ${rc} fi count=`grep -c "BEGIN CERTIFICATE" out.pem` if test "$count" != "2"; then - echo "Only one certificate was included" - exit 1 + echo "Only one certificate was included" + exit 1 fi rm -f out.pem out.p12 diff --git a/tests/pkcs8-decode/pkcs8 b/tests/pkcs8-decode/pkcs8 index 756d0ac..a305014 100755 --- a/tests/pkcs8-decode/pkcs8 +++ b/tests/pkcs8-decode/pkcs8 
@@ -24,48 +24,48 @@ srcdir="${srcdir:-.}" CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" DIFF="${DIFF:-diff}" -if ! test -z "${VALGRIND}";then - VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" +if ! test -z "${VALGRIND}"; then + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" fi ret=0 for p8 in 'encpkcs8.pem foobar' unencpkcs8.pem 'enc2pkcs8.pem baz'; do - set -- ${p8} - file="$1" - passwd="$2" - ${VALGRIND} "${CERTTOOL}" --key-info --pkcs8 --password "${passwd}" \ - --infile "${srcdir}/${file}" | tee out >/dev/null - rc=$? - if test ${rc} != 0; then - cat out - echo "PKCS8 FATAL ${p8}" - ret=1 - else - echo "PKCS8 OK ${p8}" - fi + set -- ${p8} + file="$1" + passwd="$2" + ${VALGRIND} "${CERTTOOL}" --key-info --pkcs8 --password "${passwd}" \ + --infile "${srcdir}/${file}" | tee out >/dev/null + rc=$? + if test ${rc} != 0; then + cat out + echo "PKCS8 FATAL ${p8}" + ret=1 + else + echo "PKCS8 OK ${p8}" + fi done rm -f out for p8 in openssl-aes128.p8 openssl-aes256.p8 openssl-3des.p8; do - set -- ${p8} - file="$1" - passwd="$2" - ${VALGRIND} "${CERTTOOL}" --p8-info --password "1234" \ - --infile "${srcdir}/${file}" | tee out >/dev/null - rc=$? - if test ${rc} != 0; then - cat out - echo "PKCS8 FATAL ${p8}" - ret=1 - fi + set -- ${p8} + file="$1" + passwd="$2" + ${VALGRIND} "${CERTTOOL}" --p8-info --password "1234" \ + --infile "${srcdir}/${file}" | tee out >/dev/null + rc=$? + if test ${rc} != 0; then + cat out + echo "PKCS8 FATAL ${p8}" + ret=1 + fi - ${DIFF} "${srcdir}/${p8}.txt" out - rc=$? - if test ${rc} != 0; then - cat out - echo "PKCS8 FATAL TXT ${p8}" - ret=1 - fi + ${DIFF} "${srcdir}/${p8}.txt" out + rc=$? + if test ${rc} != 0; then + cat out + echo "PKCS8 FATAL TXT ${p8}" + ret=1 + fi done rm -f out diff --git a/tests/rfc2253-escape-test b/tests/rfc2253-escape-test index 7506139..2ce8c3c 100755 --- a/tests/rfc2253-escape-test +++ b/tests/rfc2253-escape-test 
@@ -23,13 +23,13 @@ set -e CERTTOOL="${CERTTOOL:-../src/certtool${EXEEXT}}" -if ! test -z "${VALGRIND}";then - VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=1" +if ! test -z "${VALGRIND}"; then + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=1" fi if cat< /dev/null + | ${VALGRIND} "${CERTTOOL}" --certificate-info \ + | grep 'Issuer: O=RFC 2253 escape test,OU=Plus \\+ Comma \\,' > /dev/null -----BEGIN CERTIFICATE----- MIICETCCAXygAwIBAgIESnlIMTALBgkqhkiG9w0BAQUwODEdMBsGA1UEChMUUkZD IDIyNTMgZXNjYXBlIHRlc3QxFzAVBgNVBAsTDlBsdXMgKyBDb21tYSAsMB4XDTA5 @@ -46,10 +46,10 @@ iptEYYo= -----END CERTIFICATE----- EOF then - : + : else - echo "RFC 2253 escaping not working?" - exit 1 + echo "RFC 2253 escaping not working?" + exit 1 fi exit 0 diff --git a/tests/rsa-md5-collision/rsa-md5-collision b/tests/rsa-md5-collision/rsa-md5-collision index 888bbed..d6c1d2d 100755 --- a/tests/rsa-md5-collision/rsa-md5-collision +++ b/tests/rsa-md5-collision/rsa-md5-collision 
@@ -26,22 +26,22 @@ srcdir="${srcdir:-.}" CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" "${CERTTOOL}" --inder --certificate-info \ - --infile "${srcdir}/MD5CollisionCA.cer" > ca.pem + --infile "${srcdir}/MD5CollisionCA.cer" > ca.pem "${CERTTOOL}" --inder --certificate-info \ - --infile "${srcdir}/TargetCollidingCertificate1.cer" > client1.pem + --infile "${srcdir}/TargetCollidingCertificate1.cer" > client1.pem "${CERTTOOL}" --inder --certificate-info \ - --infile "${srcdir}/TargetCollidingCertificate2.cer" > client2.pem + --infile "${srcdir}/TargetCollidingCertificate2.cer" > client2.pem cat client1.pem ca.pem > chain1.pem cat client2.pem ca.pem > chain2.pem "${CERTTOOL}" --verify-chain < chain1.pem | \ - grep 'Not verified.' | grep 'insecure algorithm' >/dev/null + grep 'Not verified.' | grep 'insecure algorithm' >/dev/null "${CERTTOOL}" --verify-chain < chain2.pem | \ - grep 'Not verified.' | grep 'insecure algorithm' >/dev/null + grep 'Not verified.' | grep 'insecure algorithm' >/dev/null rm -f ca.pem client1.pem client2.pem \ - chain1.pem chain2.pem \ + chain1.pem chain2.pem # We're done. exit 0 diff --git a/tests/sha2/sha2 b/tests/sha2/sha2 index 02b1778..8b77ea4 100755 --- a/tests/sha2/sha2 +++ b/tests/sha2/sha2 
@@ -26,67 +26,67 @@ srcdir="${srcdir:-.}" CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" echo ca > template-sha2 -echo cn = "SHA 512 CA" >> template-sha2 +echo "cn = SHA 512 CA" >> template-sha2 "${CERTTOOL}" -d 2 --generate-self-signed --template template-sha2 \ - --load-privkey "${srcdir}/key-ca.pem" \ - --outfile new-ca.pem \ - --hash sha512 >out 2>&1 + --load-privkey "${srcdir}/key-ca.pem" \ + --outfile new-ca.pem \ + --hash sha512 >out 2>&1 -if [ $? != 0 ];then - cat out - exit 1 +if [ $? != 0 ]; then + cat out + exit 1 fi echo ca > template-sha2 -echo cn = "SHA 384 sub-CA" >> template-sha2 +echo "cn = SHA 384 sub-CA" >> template-sha2 "${CERTTOOL}" -d 2 --generate-certificate --template template-sha2 \ - --load-ca-privkey "${srcdir}/key-ca.pem" \ - --load-ca-certificate new-ca.pem \ - --load-privkey "${srcdir}/key-subca.pem" \ - --outfile new-subca.pem \ - --hash sha384 >out 2>&1 - -if [ $? != 0 ];then - cat out - exit 1 + --load-ca-privkey "${srcdir}/key-ca.pem" \ + --load-ca-certificate new-ca.pem \ + --load-privkey "${srcdir}/key-subca.pem" \ + --outfile new-subca.pem \ + --hash sha384 >out 2>&1 + +if [ $? != 0 ]; then + cat out + exit 1 fi echo ca > template-sha2 -echo cn = "SHA 256 sub-sub-CA" >> template-sha2 +echo "cn = SHA 256 sub-sub-CA" >> template-sha2 "${CERTTOOL}" -d 2 --generate-certificate --template template-sha2 \ - --load-ca-privkey "${srcdir}/key-subca.pem" \ - --load-ca-certificate new-subca.pem \ - --load-privkey "${srcdir}/key-subsubca.pem" \ - --outfile new-subsubca.pem \ - --hash sha256 >out 2>&1 - -if [ $? != 0 ];then - cat out - exit 1 + --load-ca-privkey "${srcdir}/key-subca.pem" \ + --load-ca-certificate new-subca.pem \ + --load-privkey "${srcdir}/key-subsubca.pem" \ + --outfile new-subsubca.pem \ + --hash sha256 >out 2>&1 + +if [ $? 
!= 0 ]; then + cat out + exit 1 fi -echo cn = "End-user" > template-sha2 +echo "cn = End-user" > template-sha2 "${CERTTOOL}" -d 2 --generate-certificate --template template-sha2 \ - --load-ca-privkey "${srcdir}/key-subsubca.pem" \ - --load-ca-certificate new-subsubca.pem \ - --load-privkey "${srcdir}/key-user.pem" \ - --outfile new-user.pem >out 2>&1 - -if [ $? != 0 ];then - cat out - exit 1 + --load-ca-privkey "${srcdir}/key-subsubca.pem" \ + --load-ca-certificate new-subsubca.pem \ + --load-privkey "${srcdir}/key-user.pem" \ + --outfile new-user.pem >out 2>&1 + +if [ $? != 0 ]; then + cat out + exit 1 fi num=`cat new-user.pem new-subsubca.pem new-subca.pem new-ca.pem | "${CERTTOOL}" --verify-chain | tee verify-sha2 | grep -c Verified` #cat verify if test "${num}" != "4"; then - echo Verification failure - exit 1 + echo Verification failure + exit 1 fi rm -f verify-sha2 new-user.pem new-subsubca.pem new-subca.pem new-ca.pem template-sha2 out diff --git a/tests/sha2/sha2-dsa b/tests/sha2/sha2-dsa index 623c621..b2b673f 100755 --- a/tests/sha2/sha2-dsa +++ b/tests/sha2/sha2-dsa 
@@ -26,52 +26,52 @@ srcdir="${srcdir:-.}" CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" echo ca > template-dsa -echo cn = "SHA 256 CA" >> template-dsa +echo "cn = SHA 256 CA" >> template-dsa "${CERTTOOL}" -d 2 --generate-self-signed --template template-dsa \ - --load-privkey "${srcdir}/key-ca-dsa.pem" \ - --outfile new-ca-dsa.pem \ - --hash sha256 >out-dsa 2>&1 + --load-privkey "${srcdir}/key-ca-dsa.pem" \ + --outfile new-ca-dsa.pem \ + --hash sha256 >out-dsa 2>&1 -if [ $? != 0 ];then - cat out-dsa - exit 1 +if [ $? != 0 ]; then + cat out-dsa + exit 1 fi echo ca > template-dsa -echo cn = "SHA 224 Mid CA" >> template-dsa +echo "cn = SHA 224 Mid CA" >> template-dsa "${CERTTOOL}" -d 2 --generate-certificate --template template-dsa \ - --load-ca-privkey "${srcdir}/key-ca-dsa.pem" \ - --load-ca-certificate new-ca-dsa.pem \ - --load-privkey "${srcdir}/key-subca-dsa.pem" \ - --outfile new-subca-dsa.pem \ - --hash sha224 >out-dsa 2>&1 - -if [ $? != 0 ];then - cat out-dsa - exit 1 + --load-ca-privkey "${srcdir}/key-ca-dsa.pem" \ + --load-ca-certificate new-ca-dsa.pem \ + --load-privkey "${srcdir}/key-subca-dsa.pem" \ + --outfile new-subca-dsa.pem \ + --hash sha224 >out-dsa 2>&1 + +if [ $? != 0 ]; then + cat out-dsa + exit 1 fi -echo cn = "End-user" > template-dsa +echo "cn = End-user" > template-dsa "${CERTTOOL}" -d 2 --generate-certificate --template template-dsa \ - --load-ca-privkey "${srcdir}/key-subca-dsa.pem" \ - --load-ca-certificate new-subca-dsa.pem \ - --load-privkey "${srcdir}/key-dsa.pem" \ - --outfile new-user-dsa.pem >out-dsa 2>&1 - -if [ $? != 0 ];then - cat out-dsa - exit 1 + --load-ca-privkey "${srcdir}/key-subca-dsa.pem" \ + --load-ca-certificate new-subca-dsa.pem \ + --load-privkey "${srcdir}/key-dsa.pem" \ + --outfile new-user-dsa.pem >out-dsa 2>&1 + +if [ $? != 0 ]; then + cat out-dsa + exit 1 fi cat new-user-dsa.pem new-subca-dsa.pem new-ca-dsa.pem > out-dsa "${CERTTOOL}" --verify-chain verify-dsa -if [ $? 
!= 0 ];then - cat verify-dsa - exit 1 +if [ $? != 0 ]; then + cat verify-dsa + exit 1 fi rm -f verify-dsa new-user-dsa.pem new-ca-dsa.pem new-subca-dsa.pem template-dsa out-dsa diff --git a/tests/slow/override-ciphers b/tests/slow/override-ciphers index aa1e7ad..83a282a 100755 --- a/tests/slow/override-ciphers +++ b/tests/slow/override-ciphers @@ -21,38 +21,38 @@ # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. unset RETCODE -if ! test -z "${VALGRIND}";then - VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" +if ! test -z "${VALGRIND}"; then + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" fi GNUTLS_NO_EXPLICIT_INIT=1 ${VALGRIND} ./cipher-override -if test $? != 0;then - echo "overriden cipher tests failed" - exit 1 +if test $? != 0; then + echo "overriden cipher tests failed" + exit 1 fi ${VALGRIND} ./cipher-override -if test $? != 0;then - echo "overriden cipher tests 2 failed" - exit 1 +if test $? != 0; then + echo "overriden cipher tests 2 failed" + exit 1 fi ${VALGRIND} ./cipher-override2 -if test $? != 0;then - echo "overriden cipher tests 3 failed" - exit 1 +if test $? != 0; then + echo "overriden cipher tests 3 failed" + exit 1 fi GNUTLS_NO_EXPLICIT_INIT=1 ${VALGRIND} ./mac-override -if test $? != 0;then - echo "overriden mac tests failed" - exit 1 +if test $? != 0; then + echo "overriden mac tests failed" + exit 1 fi ${VALGRIND} ./mac-override -if test $? != 0;then - echo "overriden mac tests 2 failed" - exit 1 +if test $? != 0; then + echo "overriden mac tests 2 failed" + exit 1 fi exit 0 diff --git a/tests/slow/test-ciphers b/tests/slow/test-ciphers index 0b66bb1..fc21a8b 100755 --- a/tests/slow/test-ciphers +++ b/tests/slow/test-ciphers 
@@ -21,56 +21,56 @@ # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. unset RETCODE -if ! test -z "${VALGRIND}";then - VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" +if ! test -z "${VALGRIND}"; then + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" fi ./cipher-test -if test $? != 0;then - echo "default cipher tests failed" - exit 1 +if test $? != 0; then + echo "default cipher tests failed" + exit 1 fi GNUTLS_CPUID_OVERRIDE=0x1 ./cipher-test -if test $? != 0;then - echo "included cipher tests failed" - exit 1 +if test $? != 0; then + echo "included cipher tests failed" + exit 1 fi GNUTLS_CPUID_OVERRIDE=0x2 ./cipher-test -if test $? != 0;then - echo "AESNI cipher tests failed" - exit 1 +if test $? != 0; then + echo "AESNI cipher tests failed" + exit 1 fi GNUTLS_CPUID_OVERRIDE=0x4 ./cipher-test -if test $? != 0;then - echo "SSSE3 cipher tests failed" - exit 1 +if test $? != 0; then + echo "SSSE3 cipher tests failed" + exit 1 fi GNUTLS_CPUID_OVERRIDE=0x8 ./cipher-test -if test $? != 0;then - echo "PCLMUL cipher tests failed" - exit 1 +if test $? != 0; then + echo "PCLMUL cipher tests failed" + exit 1 fi GNUTLS_CPUID_OVERRIDE=0x100000 ./cipher-test -if test $? != 0;then - echo "padlock cipher tests failed" - exit 1 +if test $? != 0; then + echo "padlock cipher tests failed" + exit 1 fi GNUTLS_CPUID_OVERRIDE=0x200000 ./cipher-test -if test $? != 0;then - echo "padlock PHE cipher tests failed" - exit 1 +if test $? != 0; then + echo "padlock PHE cipher tests failed" + exit 1 fi GNUTLS_CPUID_OVERRIDE=0x400000 ./cipher-test -if test $? != 0;then - echo "padlock PHE SHA512 cipher tests failed" - exit 1 +if test $? != 0; then + echo "padlock PHE SHA512 cipher tests failed" + exit 1 fi exit 0 diff --git a/tests/suite/certs/create-chain.sh b/tests/suite/certs/create-chain.sh index 53f6087..9ae68a1 100755 --- a/tests/suite/certs/create-chain.sh +++ b/tests/suite/certs/create-chain.sh 
@@ -6,9 +6,9 @@ TEMPLATE=tmpl NUM="$1" -if test "${NUM}" = "";then - echo "usage: $0 number" - exit 1 +if test "${NUM}" = ""; then + echo "usage: $0 number" + exit 1 fi LAST=`expr ${NUM} - 1` 
@@ -18,75 +18,73 @@ mkdir -p "${OUTPUT}" counter=0 while test ${counter} -lt ${NUM}; do - if test ${counter} = ${LAST};then - name="server-${counter}" - else - name="CA-${counter}" - fi - serial="${counter}" + if test ${counter} = ${LAST}; then + name="server-${counter}" + else + name="CA-${counter}" + fi + serial="${counter}" - - "${CERTTOOL}" --generate-privkey >"${OUTPUT}/${name}.key" 2>/dev/null - if test ${counter} = 0;then - # ROOT CA - echo "cn = ${name}" >"${TEMPLATE}" - echo "serial = ${serial}" >>"${TEMPLATE}" - echo "ca" >>"${TEMPLATE}" - echo "expiration_days = -1" >>"${TEMPLATE}" - echo "cert_signing_key" >>"${TEMPLATE}" - echo "ocsp_signing_key" >>"${TEMPLATE}" - echo "crl_signing_key" >>"${TEMPLATE}" - "${CERTTOOL}" --generate-self-signed --load-privkey "${OUTPUT}/${name}.key" --outfile \ - "${OUTPUT}/${name}.crt" --template "${TEMPLATE}" 2>/dev/null + "${CERTTOOL}" --generate-privkey >"${OUTPUT}/${name}.key" 2>/dev/null + if test ${counter} = 0; then + # ROOT CA + echo "cn = ${name}" >"${TEMPLATE}" + echo "serial = ${serial}" >>"${TEMPLATE}" + echo "ca" >>"${TEMPLATE}" + echo "expiration_days = -1" >>"${TEMPLATE}" + echo "cert_signing_key" >>"${TEMPLATE}" + echo "ocsp_signing_key" >>"${TEMPLATE}" + echo "crl_signing_key" >>"${TEMPLATE}" + "${CERTTOOL}" --generate-self-signed --load-privkey "${OUTPUT}/${name}.key" --outfile \ + "${OUTPUT}/${name}.crt" --template "${TEMPLATE}" 2>/dev/null - echo "serial = ${serial}" >"${TEMPLATE}" - echo "expiration_days = -1" >>"${TEMPLATE}" - "${CERTTOOL}" --generate-crl --load-ca-privkey "${OUTPUT}/${name}.key" --load-ca-certificate "${OUTPUT}/${name}.crt" --outfile \ - "${OUTPUT}/${name}.crl" --template "${TEMPLATE}" 2>/dev/null - else - if test ${counter} = ${LAST};then - # END certificate - echo "cn = ${name}" >"${TEMPLATE}" - echo "dns_name = localhost" >>"${TEMPLATE}" - echo "expiration_days = -1" >>"${TEMPLATE}" - echo "signing_key" >>"${TEMPLATE}" - echo "encryption_key" >>"${TEMPLATE}" - echo 
"ocsp_signing_key" >>"${TEMPLATE}" - "${CERTTOOL}" --generate-certificate --load-privkey "${OUTPUT}/${name}.key" \ - --load-ca-certificate "${OUTPUT}/${prev_name}.crt" \ - --load-ca-privkey "${OUTPUT}/${prev_name}.key" \ - --outfile "${OUTPUT}/${name}.crt" --template "${TEMPLATE}" 2>/dev/null - else - # intermediate CA - echo "cn = ${name}" >"${TEMPLATE}" - echo "serial = ${serial}" >>"${TEMPLATE}" - echo "ca" >>"${TEMPLATE}" - echo "expiration_days = -1" >>"${TEMPLATE}" - echo "ocsp_signing_key" >>"${TEMPLATE}" - echo "cert_signing_key" >>"${TEMPLATE}" - echo "signing_key" >>"${TEMPLATE}" - "${CERTTOOL}" --generate-certificate --load-privkey "${OUTPUT}/${name}.key" \ - --load-ca-certificate "${OUTPUT}/${prev_name}.crt" \ - --load-ca-privkey "${OUTPUT}/${prev_name}.key" \ - --outfile "${OUTPUT}/${name}.crt" --template "${TEMPLATE}" 2>/dev/null - fi - fi + echo "serial = ${serial}" >"${TEMPLATE}" + echo "expiration_days = -1" >>"${TEMPLATE}" + "${CERTTOOL}" --generate-crl --load-ca-privkey "${OUTPUT}/${name}.key" --load-ca-certificate "${OUTPUT}/${name}.crt" --outfile \ + "${OUTPUT}/${name}.crl" --template "${TEMPLATE}" 2>/dev/null + else + if test ${counter} = ${LAST}; then + # END certificate + echo "cn = ${name}" >"${TEMPLATE}" + echo "dns_name = localhost" >>"${TEMPLATE}" + echo "expiration_days = -1" >>"${TEMPLATE}" + echo "signing_key" >>"${TEMPLATE}" + echo "encryption_key" >>"${TEMPLATE}" + echo "ocsp_signing_key" >>"${TEMPLATE}" + "${CERTTOOL}" --generate-certificate --load-privkey "${OUTPUT}/${name}.key" \ + --load-ca-certificate "${OUTPUT}/${prev_name}.crt" \ + --load-ca-privkey "${OUTPUT}/${prev_name}.key" \ + --outfile "${OUTPUT}/${name}.crt" --template "${TEMPLATE}" 2>/dev/null + else + # intermediate CA + echo "cn = ${name}" >"${TEMPLATE}" + echo "serial = ${serial}" >>"${TEMPLATE}" + echo "ca" >>"${TEMPLATE}" + echo "expiration_days = -1" >>"${TEMPLATE}" + echo "ocsp_signing_key" >>"${TEMPLATE}" + echo "cert_signing_key" >>"${TEMPLATE}" + echo 
"signing_key" >>"${TEMPLATE}" + "${CERTTOOL}" --generate-certificate --load-privkey "${OUTPUT}/${name}.key" \ + --load-ca-certificate "${OUTPUT}/${prev_name}.crt" \ + --load-ca-privkey "${OUTPUT}/${prev_name}.key" \ + --outfile "${OUTPUT}/${name}.crt" --template "${TEMPLATE}" 2>/dev/null + fi + fi - counter=`expr ${counter} + 1` - prev_name=${name} + counter=`expr ${counter} + 1` + prev_name=${name} done counter=`expr ${NUM} - 1` while test ${counter} -ge 0; do - if test ${counter} = ${LAST};then - name="server-${counter}" - else - name="CA-${counter}" - fi + if test ${counter} = ${LAST}; then + name="server-${counter}" + else + name="CA-${counter}" + fi - cat "${OUTPUT}/${name}.crt" >> "${OUTPUT}/chain" - - counter=`expr ${counter} - 1` -done + cat "${OUTPUT}/${name}.crt" >> "${OUTPUT}/chain" + counter=`expr ${counter} - 1` +done diff --git a/tests/suite/chain b/tests/suite/chain index 4f00320..f67ad16 100755 --- a/tests/suite/chain +++ b/tests/suite/chain 
@@ -34,39 +34,39 @@ RET=0 i=1 while test -d X509tests/test${i}; do - find X509tests/test${i} -name *.crl -print0 |sort -r -z|xargs -n1 --null "${CERTTOOL}" --crl-info --inder --infile > chains/chain${i}.pem 2>/dev/null - find X509tests/test${i} -name E*.crt -print0 |sort -r -z|xargs -n1 --null "${CERTTOOL}" --certificate-info --inder --infile >> chains/chain${i}.pem 2>/dev/null - if test "${i}" -gt 1; then - find X509tests/test${i} -name I*.crt -print0 |sort -r -z|xargs -n1 --null "${CERTTOOL}" --certificate-info --inder --infile >> chains/chain${i}.pem 2>/dev/null - fi - find X509tests/test${i} -name T*.crt -print0 |sort -r -z|xargs -n1 --null "${CERTTOOL}" --certificate-info --inder --infile >> chains/chain${i}.pem 2>/dev/null - "${CERTTOOL}" -e --infile chains/chain${i}.pem > out 2>&1 - rc=$? - if test $rc != 0 && test $rc != 1; then - echo "Chain ${i} FATAL failure." - RET=1 - else - if echo "$KNOWN_BUGS" | grep " ${i} " > /dev/null 2>&1; then - echo "Chain ${i} verification was skipped due to known bug." - elif echo "$SUCCESS" | grep " ${i} " > /dev/null 2>&1; then - if grep 'Chain verification output:' out | grep -v 'Chain verification output: Verified\.' > /dev/null 2>&1; then - echo "Chain ${i} verification failure UNEXPECTED." - RET=1 - else - echo "Chain ${i} verification success as expected." - fi - elif echo "$FAILURE" | grep " ${i} " >/dev/null 2>&1; then - if grep 'Chain verification output:' out | grep -v 'Chain verification output: Verified\.' > /dev/null 2>&1; then - echo "Chain ${i} verification failure as expected." - else - echo "Chain ${i} verification success UNEXPECTED. " - RET=1 - fi - else - echo "Chain ${i} unclassified." 
- fi - fi - i=`expr ${i} + 1` + find X509tests/test${i} -name *.crl -print0 |sort -r -z|xargs -n1 --null "${CERTTOOL}" --crl-info --inder --infile > chains/chain${i}.pem 2>/dev/null + find X509tests/test${i} -name E*.crt -print0 |sort -r -z|xargs -n1 --null "${CERTTOOL}" --certificate-info --inder --infile >> chains/chain${i}.pem 2>/dev/null + if test "${i}" -gt 1; then + find X509tests/test${i} -name I*.crt -print0 |sort -r -z|xargs -n1 --null "${CERTTOOL}" --certificate-info --inder --infile >> chains/chain${i}.pem 2>/dev/null + fi + find X509tests/test${i} -name T*.crt -print0 |sort -r -z|xargs -n1 --null "${CERTTOOL}" --certificate-info --inder --infile >> chains/chain${i}.pem 2>/dev/null + "${CERTTOOL}" -e --infile chains/chain${i}.pem > out 2>&1 + rc=$? + if test $rc != 0 && test $rc != 1; then + echo "Chain ${i} FATAL failure." + RET=1 + else + if echo "$KNOWN_BUGS" | grep " ${i} " > /dev/null 2>&1; then + echo "Chain ${i} verification was skipped due to known bug." + elif echo "$SUCCESS" | grep " ${i} " > /dev/null 2>&1; then + if grep 'Chain verification output:' out | grep -v 'Chain verification output: Verified\.' > /dev/null 2>&1; then + echo "Chain ${i} verification failure UNEXPECTED." + RET=1 + else + echo "Chain ${i} verification success as expected." + fi + elif echo "$FAILURE" | grep " ${i} " >/dev/null 2>&1; then + if grep 'Chain verification output:' out | grep -v 'Chain verification output: Verified\.' > /dev/null 2>&1; then + echo "Chain ${i} verification failure as expected." + else + echo "Chain ${i} verification success UNEXPECTED. " + RET=1 + fi + else + echo "Chain ${i} unclassified." + fi + fi + i=`expr ${i} + 1` done rm -f out diff --git a/tests/suite/crl-test b/tests/suite/crl-test index 228f74e..3a03c81 100755 --- a/tests/suite/crl-test +++ b/tests/suite/crl-test 
@@ -23,8 +23,8 @@ srcdir="${srcdir:-.}" DIFF="${DIFF:-diff}" CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" -if ! test -z "${VALGRIND}";then - VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" +if ! test -z "${VALGRIND}"; then + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" fi rm -f tmp-long.pem @@ -33,16 +33,16 @@ rc=$? # We're done. if test "${rc}" != "0"; then - echo "CRL decoding failed 1!" - exit ${rc} + echo "CRL decoding failed 1!" + exit ${rc} fi ${DIFF} "${srcdir}/crl/long.pem tmp-long.pem" || ${DIFF} --strip-trailing-cr "${srcdir}/crl/long.pem" tmp-long.pem rc=$? if test "${rc}" != "0"; then - echo "CRL decoding failed 2!" - exit ${rc} + echo "CRL decoding failed 2!" + exit ${rc} fi rm -f tmp-long.pem diff --git a/tests/suite/eagain b/tests/suite/eagain index d05bab9..42bb991 100755 --- a/tests/suite/eagain +++ b/tests/suite/eagain @@ -26,18 +26,18 @@ PORT="${PORT:-5445}" $SERV -p "${PORT}" --echo --priority "NORMAL:+ANON-DH" --dhparams "${srcdir}/params.dh" >/dev/null 2>&1 & -pid=$! +PID=$! sleep 2 ./eagain-cli -if [ $? != 0 ];then - exit 1 +if [ $? != 0 ]; then + exit 1 fi -if [ "$pid" != "" ];then - kill $pid - wait +if [ "${PID}" != "" ]; then + kill ${PID} + wait fi exit 0 diff --git a/tests/suite/invalid-cert b/tests/suite/invalid-cert index a9e1f5e..00bf1e4 100755 --- a/tests/suite/invalid-cert +++ b/tests/suite/invalid-cert @@ -22,8 +22,8 @@ srcdir="${srcdir:-.}" CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" -if ! test -z "${VALGRIND}";then - VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" +if ! test -z "${VALGRIND}"; then + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" fi ${VALGRIND} "${CERTTOOL}" --certificate-info --inder --infile "${srcdir}/invalid-cert.der" 2>/dev/null @@ -31,7 +31,7 @@ rc=$? # We're done. if test "${rc}" != "1"; then - exit ${rc} + exit ${rc} fi exit 0 diff --git a/tests/suite/testcompat-main-openssl b/tests/suite/testcompat-main-openssl index bac6026..c463895 100755 
--- a/tests/suite/testcompat-main-openssl +++ b/tests/suite/testcompat-main-openssl @@ -11,9 +11,9 @@ # Redistribution and use in source and binary forms, with or without modification, # are permitted provided that the following conditions are met: # -# 1. Redistributions of source code must retain the above copyright notice, this +# 1. Redistributions of source code must retain the above copyright notice, this # list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright notice, +# 2. Redistributions in binary form must reproduce the above copyright notice, # this list of conditions and the following disclaimer in the documentation and/or # other materials provided with the distribution. # 3. Neither the name of the copyright holder nor the names of its contributors may @@ -23,7 +23,7 @@ # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY # EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES # OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT -# SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, +# SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED # TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN @@ -33,13 +33,13 @@ srcdir="${srcdir:-.}" CLI="${CLI:-../../src/gnutls-cli${EXEEXT}}" unset RETCODE -if ! test -z "${VALGRIND}";then - VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" +if ! test -z "${VALGRIND}"; then + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" fi -if test "${WINDIR}" != "";then - exit 77 -fi +if test "${WINDIR}" != ""; then + exit 77 +fi . "${srcdir}/../scripts/common.sh" 
@@ -48,16 +48,16 @@ PORT="${PORT:-${RPORT}}" SERV=openssl OPENSSL_CLI="openssl" -if test -f /etc/debian_version;then - DEBIAN=1 +if test -f /etc/debian_version; then + DEBIAN=1 fi echo "Compatibility checks using "`${SERV} version` ${SERV} version|grep -e 1\.0 >/dev/null 2>&1 SV=$? -if test ${SV} != 0;then - echo "OpenSSL 1.0.0 is required for ECDH and DTLS tests" - exit 77 +if test ${SV} != 0; then + echo "OpenSSL 1.0.0 is required for ECDH and DTLS tests" + exit 77 fi ${SERV} version|grep -e 1\.0\.1 >/dev/null 2>&1 
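Review bot: the OpenSSL version gate in this hunk quotes nothing, so `${SERV} version|grep -e 1\.0` hands grep the pattern `1.0` (the shell consumes the unquoted backslash) and the dot matches any character; the same applies to `grep -e 1\.0\.1` on the last context line. Since the surrounding lines are being rewritten anyway, quote both patterns: `grep -e '1\.0'` and `grep -e '1\.0\.1'`. The gate is also a substring match on the 1.0 string, so any later major release would hit `echo "OpenSSL 1.0.0 is required for ECDH and DTLS tests"` and skip with 77; comparing the version numerically would be more robust than matching the text.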
@@ -69,283 +69,283 @@ echo "#################################################" echo "# Client mode tests (gnutls cli-openssl server) #" echo "#################################################" -for ADD in "" ":%COMPAT" ":%NO_ETM" #":%NO_TICKETS" ":%DISABLE_SAFE_RENEGOTIATION" -do - if ! test -z "${ADD}";then - echo "" - echo "** Modifier: ${ADD}" - fi - - if test "${DEBIAN}" != 1;then - - # It seems debian disabled SSL 3.0 completely on openssl - - launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -ssl3 -dhparam "${srcdir}/params.dh" -key "${RSA_KEY}" -cert "${RSA_CERT}" -dkey "${DSA_KEY}" -dcert "${DSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" & - PID=$! - wait_server ${PID} - - # Test SSL 3.0 with RSA ciphersuite - echo "Checking SSL 3.0 with RSA..." - ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ - fail ${PID} "Failed" - - # Test SSL 3.0 with DHE-RSA ciphersuite - echo "Checking SSL 3.0 with DHE-RSA..." - ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+DHE-RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ - fail ${PID} "Failed" - - # Test SSL 3.0 with DHE-DSS ciphersuite - echo "Checking SSL 3.0 with DHE-DSS..." - ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ - fail ${PID} "Failed" - - kill ${PID} - wait - - launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -ssl3 -dhparam "${srcdir}/params.dh" -key "${RSA_KEY}" -cert "${RSA_CERT}" -cipher RC4-MD5 & - PID=$! 
- wait_server ${PID} - - echo "Checking SSL 3.0 with RSA-RC4-MD5..." - ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+ARCFOUR-128:+MD5:+SIGN-ALL:+COMP-NULL:+VERS-SSL3.0:+RSA${ADD}" --insecure /dev/null || \ - fail ${PID} "Failed" - - kill ${PID} - wait - fi - - if test "${FIPS}" != 1;then - #-cipher RSA-NULL - launch_bare_server $$ s_server -cipher NULL-SHA -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 -dhparam "${srcdir}/params.dh" -key "${RSA_KEY}" -cert "${RSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" & - PID=$! - wait_server ${PID} - - # Test TLS 1.0 with RSA-NULL ciphersuite - echo "Checking TLS 1.0 with RSA-NULL..." - ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+NULL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ - fail ${PID} "Failed" - - kill ${PID} - wait - fi - - #-cipher RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA - launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 -dhparam "${srcdir}/params.dh" -key "${RSA_KEY}" -cert "${RSA_CERT}" -dkey "${DSA_KEY}" -dcert "${DSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" & - PID=$! - wait_server ${PID} - - # Test TLS 1.0 with RSA ciphersuite - echo "Checking TLS 1.0 with RSA and 3DES-CBC..." - ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+3DES-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ - fail ${PID} "Failed" - - echo "Checking TLS 1.0 with RSA and AES-128-CBC..." - ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-128-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ - fail ${PID} "Failed" - - echo "Checking TLS 1.0 with RSA and AES-256-CBC..." 
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-256-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ - fail ${PID} "Failed" - - echo "Checking TLS 1.0 with RSA and CAMELLIA-128-CBC..." - ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CAMELLIA-128-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ - fail ${PID} "Failed" - - echo "Checking TLS 1.0 with RSA and CAMELLIA-256-CBC..." - ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CAMELLIA-256-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ - fail ${PID} "Failed" - - # Test TLS 1.0 with DHE-RSA ciphersuite - echo "Checking TLS 1.0 with DHE-RSA..." - ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ - fail ${PID} "Failed" - - # Test TLS 1.0 with DHE-RSA ciphersuite - echo "Checking TLS 1.0 with ECDHE-RSA..." - ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-RSA:+CURVE-ALL${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ - fail ${PID} "Failed" - - # Test TLS 1.0 with DHE-DSS ciphersuite - echo "Checking TLS 1.0 with DHE-DSS..." 
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ - fail ${PID} "Failed" - - kill ${PID} - wait - - if test "${FIPS}" != 1;then - - #-cipher ECDHE-ECDSA-AES128-SHA - launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 -key "${ECC224_KEY}" -cert "${ECC224_CERT}" -Verify 1 -named_curve secp224r1 -CAfile "${CA_ECC_CERT}" & - PID=$! - wait_server ${PID} - - # Test TLS 1.0 with ECDHE-ECDSA ciphersuite - echo "Checking TLS 1.0 with ECDHE-ECDSA (SECP224R1)..." - ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --insecure --x509certfile "${ECC224_CERT}" --x509keyfile "${ECC224_KEY}" /dev/null || \ - fail ${PID} "Failed" - - kill ${PID} - wait - fi - - #-cipher ECDHE-ECDSA-AES128-SHA - launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 -key "${ECC384_KEY}" -cert "${ECC384_CERT}" -Verify 1 -named_curve secp384r1 -CAfile "${CA_ECC_CERT}" & - PID=$! - wait_server ${PID} - - # Test TLS 1.0 with ECDHE-ECDSA ciphersuite - echo "Checking TLS 1.0 with ECDHE-ECDSA (SECP384R1)..." - ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --insecure --x509certfile "${ECC384_CERT}" --x509keyfile "${ECC384_KEY}" /dev/null || \ - fail ${PID} "Failed" - - kill ${PID} - wait - - if test "${FIPS}" != 1;then - #-cipher ECDHE-ECDSA-AES128-SHA - launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 -key "${ECC521_KEY}" -cert "${ECC521_CERT}" -Verify 1 -named_curve secp521r1 -CAfile "${CA_ECC_CERT}" & - PID=$! 
- wait_server ${PID} - - # Test TLS 1.0 with ECDHE-ECDSA ciphersuite - echo "Checking TLS 1.0 with ECDHE-ECDSA (SECP521R1)..." - ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --insecure --x509certfile "${ECC521_CERT}" --x509keyfile "${ECC521_KEY}" /dev/null || \ - fail ${PID} "Failed" - - kill ${PID} - wait - fi - - #-cipher PSK - launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -tls1 -keyform pem -certform pem -dhparam "${srcdir}/params.dh" -key "${RSA_KEY}" -cert "${RSA_CERT}" -cipher PSK -psk 9e32cf7786321a828ef7668f09fb35db & - PID=$! - wait_server ${PID} - - echo "Checking TLS 1.0 with PSK..." - ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+PSK${ADD}" --pskusername Client_identity --pskkey 9e32cf7786321a828ef7668f09fb35db --insecure /dev/null || \ - fail ${PID} "Failed" - - kill ${PID} - wait - - if test ${SV2} = 0;then - # Tests requiring openssl 1.0.1 - TLS 1.2 - #-cipher RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA - launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 -dhparam "${srcdir}/params.dh" -key "${RSA_KEY}" -cert "${RSA_CERT}" -dkey "${DSA_KEY}" -dcert "${DSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" & - PID=$! - wait_server ${PID} - - echo "Checking TLS 1.2 with RSA and AES-128-GCM..." - ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-128-GCM:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ - fail ${PID} "Failed" - - echo "Checking TLS 1.2 with RSA and AES-256-GCM..." 
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-256-GCM:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ - fail ${PID} "Failed" - - echo "Checking TLS 1.2 with DHE-RSA..." - ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ - fail ${PID} "Failed" - - echo "Checking TLS 1.2 with ECDHE-RSA..." - "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-RSA:+CURVE-ALL${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ - fail ${PID} "Failed" - - echo "Checking TLS 1.2 with DHE-DSS..." - ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ - fail ${PID} "Failed" - - kill ${PID} - wait - - if test "${FIPS}" != 1;then - #-cipher ECDHE-ECDSA-AES128-SHA - launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 -key "${ECC224_KEY}" -cert "${ECC224_CERT}" -Verify 1 -named_curve secp224r1 -CAfile "${CA_ECC_CERT}" & - PID=$! - wait_server ${PID} - - echo "Checking TLS 1.2 with ECDHE-ECDSA... 
(SECP224R1)" - ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --insecure --x509certfile "${ECC224_CERT}" --x509keyfile "${ECC224_KEY}" /dev/null || \ - fail ${PID} "Failed" - - kill ${PID} - wait - fi - - #-cipher ECDHE-ECDSA-AES128-SHA - launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 -key "${ECC384_KEY}" -cert "${ECC384_CERT}" -Verify 1 -named_curve secp384r1 -CAfile "${CA_ECC_CERT}" & - PID=$! - wait_server ${PID} - - echo "Checking TLS 1.2 with ECDHE-ECDSA... (SECP384R1)" - ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --insecure --x509certfile "${ECC384_CERT}" --x509keyfile "${ECC384_KEY}" /dev/null || \ - fail ${PID} "Failed" - - kill ${PID} - wait - - if test "${FIPS}" != 1;then - #-cipher ECDHE-ECDSA-AES128-SHA - launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 -key "${ECC521_KEY}" -cert "${ECC521_CERT}" -Verify 1 -named_curve secp521r1 -CAfile "${CA_ECC_CERT}" & - PID=$! - wait_server ${PID} - - echo "Checking TLS 1.2 with ECDHE-ECDSA... (SECP521R1)" - ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --insecure --x509certfile "${ECC521_CERT}" --x509keyfile "${ECC521_KEY}" /dev/null || \ - fail ${PID} "Failed" - - kill ${PID} - wait - fi #FIPS - fi #SV2 - - #-cipher PSK - launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -tls1_2 -keyform pem -certform pem -dhparam "${srcdir}/params.dh" -key "${RSA_KEY}" -cert "${RSA_CERT}" -cipher PSK -psk 9e32cf7786321a828ef7668f09fb35db & - PID=$! - wait_server ${PID} - - echo "Checking TLS 1.2 with PSK..." 
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+PSK:+CURVE-ALL${ADD}" --insecure --pskusername Client_identity --pskkey 9e32cf7786321a828ef7668f09fb35db /dev/null || \ - fail ${PID} "Failed" - - kill ${PID} - wait - - launch_bare_server $$ s_server -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout -dhparam "${srcdir}/params.dh" -key "${RSA_KEY}" -cert "${RSA_CERT}" -dkey "${DSA_KEY}" -dcert "${DSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" & PID=$! - wait_server ${PID} - - # Test DTLS 1.0 with RSA ciphersuite - echo "Checking DTLS 1.0 with RSA..." - ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+RSA${ADD}" --udp --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ - fail ${PID} "Failed" - - kill ${PID} - wait - - launch_bare_server $$ s_server -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout -dhparam "${srcdir}/params.dh" -key "${RSA_KEY}" -cert "${RSA_CERT}" -dkey "${DSA_KEY}" -dcert "${DSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" & - PID=$! - wait_server ${PID} - - # Test DTLS 1.0 with DHE-RSA ciphersuite - echo "Checking DTLS 1.0 with DHE-RSA..." - ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+DHE-RSA${ADD}" --udp --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ - fail ${PID} "Failed" - - kill ${PID} - wait - - launch_bare_server $$ s_server -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout -dhparam "${srcdir}/params.dh" -key "${RSA_KEY}" -cert "${RSA_CERT}" -dkey "${DSA_KEY}" -dcert "${DSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" & - PID=$! - wait_server ${PID} - - # Test DTLS 1.0 with DHE-DSS ciphersuite - echo "Checking DTLS 1.0 with DHE-DSS..." 
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --udp --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ - fail ${PID} "Failed" +for ADD in "" ":%COMPAT" ":%NO_ETM"; do #":%NO_TICKETS" ":%DISABLE_SAFE_RENEGOTIATION" + if ! test -z "${ADD}"; then + echo "" + echo "** Modifier: ${ADD}" + fi + + if test "${DEBIAN}" != 1; then + + # It seems debian disabled SSL 3.0 completely on openssl - kill ${PID} - wait + launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -ssl3 -dhparam "${srcdir}/params.dh" -key "${RSA_KEY}" -cert "${RSA_CERT}" -dkey "${DSA_KEY}" -dcert "${DSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" & + PID=$! + wait_server ${PID} + + # Test SSL 3.0 with RSA ciphersuite + echo "Checking SSL 3.0 with RSA..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ + fail ${PID} "Failed" + + # Test SSL 3.0 with DHE-RSA ciphersuite + echo "Checking SSL 3.0 with DHE-RSA..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+DHE-RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ + fail ${PID} "Failed" + + # Test SSL 3.0 with DHE-DSS ciphersuite + echo "Checking SSL 3.0 with DHE-DSS..." 
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ + fail ${PID} "Failed" + + kill ${PID} + wait + + launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -ssl3 -dhparam "${srcdir}/params.dh" -key "${RSA_KEY}" -cert "${RSA_CERT}" -cipher RC4-MD5 & + PID=$! + wait_server ${PID} + + echo "Checking SSL 3.0 with RSA-RC4-MD5..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+ARCFOUR-128:+MD5:+SIGN-ALL:+COMP-NULL:+VERS-SSL3.0:+RSA${ADD}" --insecure /dev/null || \ + fail ${PID} "Failed" + + kill ${PID} + wait + fi + + if test "${FIPS}" != 1; then + #-cipher RSA-NULL + launch_bare_server $$ s_server -cipher NULL-SHA -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 -dhparam "${srcdir}/params.dh" -key "${RSA_KEY}" -cert "${RSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" & + PID=$! + wait_server ${PID} + + # Test TLS 1.0 with RSA-NULL ciphersuite + echo "Checking TLS 1.0 with RSA-NULL..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+NULL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ + fail ${PID} "Failed" + + kill ${PID} + wait + fi + + #-cipher RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA + launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 -dhparam "${srcdir}/params.dh" -key "${RSA_KEY}" -cert "${RSA_CERT}" -dkey "${DSA_KEY}" -dcert "${DSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" & + PID=$! + wait_server ${PID} + + # Test TLS 1.0 with RSA ciphersuite + echo "Checking TLS 1.0 with RSA and 3DES-CBC..." 
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+3DES-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ + fail ${PID} "Failed" + + echo "Checking TLS 1.0 with RSA and AES-128-CBC..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-128-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ + fail ${PID} "Failed" + + echo "Checking TLS 1.0 with RSA and AES-256-CBC..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-256-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ + fail ${PID} "Failed" + + echo "Checking TLS 1.0 with RSA and CAMELLIA-128-CBC..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CAMELLIA-128-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ + fail ${PID} "Failed" + + echo "Checking TLS 1.0 with RSA and CAMELLIA-256-CBC..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CAMELLIA-256-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ + fail ${PID} "Failed" + + # Test TLS 1.0 with DHE-RSA ciphersuite + echo "Checking TLS 1.0 with DHE-RSA..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ + fail ${PID} "Failed" + + # Test TLS 1.0 with DHE-RSA ciphersuite + echo "Checking TLS 1.0 with ECDHE-RSA..." 
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-RSA:+CURVE-ALL${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ + fail ${PID} "Failed" + + # Test TLS 1.0 with DHE-DSS ciphersuite + echo "Checking TLS 1.0 with DHE-DSS..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ + fail ${PID} "Failed" + + kill ${PID} + wait + + if test "${FIPS}" != 1; then + + #-cipher ECDHE-ECDSA-AES128-SHA + launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 -key "${ECC224_KEY}" -cert "${ECC224_CERT}" -Verify 1 -named_curve secp224r1 -CAfile "${CA_ECC_CERT}" & + PID=$! + wait_server ${PID} + + # Test TLS 1.0 with ECDHE-ECDSA ciphersuite + echo "Checking TLS 1.0 with ECDHE-ECDSA (SECP224R1)..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --insecure --x509certfile "${ECC224_CERT}" --x509keyfile "${ECC224_KEY}" /dev/null || \ + fail ${PID} "Failed" + + kill ${PID} + wait + fi + + #-cipher ECDHE-ECDSA-AES128-SHA + launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 -key "${ECC384_KEY}" -cert "${ECC384_CERT}" -Verify 1 -named_curve secp384r1 -CAfile "${CA_ECC_CERT}" & + PID=$! + wait_server ${PID} + + # Test TLS 1.0 with ECDHE-ECDSA ciphersuite + echo "Checking TLS 1.0 with ECDHE-ECDSA (SECP384R1)..." 
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --insecure --x509certfile "${ECC384_CERT}" --x509keyfile "${ECC384_KEY}" /dev/null || \ + fail ${PID} "Failed" + + kill ${PID} + wait + + if test "${FIPS}" != 1; then + #-cipher ECDHE-ECDSA-AES128-SHA + launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 -key "${ECC521_KEY}" -cert "${ECC521_CERT}" -Verify 1 -named_curve secp521r1 -CAfile "${CA_ECC_CERT}" & + PID=$! + wait_server ${PID} + + # Test TLS 1.0 with ECDHE-ECDSA ciphersuite + echo "Checking TLS 1.0 with ECDHE-ECDSA (SECP521R1)..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --insecure --x509certfile "${ECC521_CERT}" --x509keyfile "${ECC521_KEY}" /dev/null || \ + fail ${PID} "Failed" + + kill ${PID} + wait + fi + + #-cipher PSK + launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -tls1 -keyform pem -certform pem -dhparam "${srcdir}/params.dh" -key "${RSA_KEY}" -cert "${RSA_CERT}" -cipher PSK -psk 9e32cf7786321a828ef7668f09fb35db & + PID=$! + wait_server ${PID} + + echo "Checking TLS 1.0 with PSK..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+PSK${ADD}" --pskusername Client_identity --pskkey 9e32cf7786321a828ef7668f09fb35db --insecure /dev/null || \ + fail ${PID} "Failed" + + kill ${PID} + wait + + if test ${SV2} = 0; then + # Tests requiring openssl 1.0.1 - TLS 1.2 + #-cipher RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA + launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 -dhparam "${srcdir}/params.dh" -key "${RSA_KEY}" -cert "${RSA_CERT}" -dkey "${DSA_KEY}" -dcert "${DSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" & + PID=$! 
+ wait_server ${PID} + + echo "Checking TLS 1.2 with RSA and AES-128-GCM..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-128-GCM:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ + fail ${PID} "Failed" + + echo "Checking TLS 1.2 with RSA and AES-256-GCM..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-256-GCM:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ + fail ${PID} "Failed" + + echo "Checking TLS 1.2 with DHE-RSA..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ + fail ${PID} "Failed" + + echo "Checking TLS 1.2 with ECDHE-RSA..." + "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-RSA:+CURVE-ALL${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ + fail ${PID} "Failed" + + echo "Checking TLS 1.2 with DHE-DSS..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ + fail ${PID} "Failed" + + kill ${PID} + wait + + if test "${FIPS}" != 1; then + #-cipher ECDHE-ECDSA-AES128-SHA + launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 -key "${ECC224_KEY}" -cert "${ECC224_CERT}" -Verify 1 -named_curve secp224r1 -CAfile "${CA_ECC_CERT}" & + PID=$! + wait_server ${PID} + + echo "Checking TLS 1.2 with ECDHE-ECDSA... 
(SECP224R1)" + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --insecure --x509certfile "${ECC224_CERT}" --x509keyfile "${ECC224_KEY}" /dev/null || \ + fail ${PID} "Failed" + + kill ${PID} + wait + fi + + #-cipher ECDHE-ECDSA-AES128-SHA + launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 -key "${ECC384_KEY}" -cert "${ECC384_CERT}" -Verify 1 -named_curve secp384r1 -CAfile "${CA_ECC_CERT}" & + PID=$! + wait_server ${PID} + + echo "Checking TLS 1.2 with ECDHE-ECDSA... (SECP384R1)" + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --insecure --x509certfile "${ECC384_CERT}" --x509keyfile "${ECC384_KEY}" /dev/null || \ + fail ${PID} "Failed" + + kill ${PID} + wait + + if test "${FIPS}" != 1; then + #-cipher ECDHE-ECDSA-AES128-SHA + launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 -key "${ECC521_KEY}" -cert "${ECC521_CERT}" -Verify 1 -named_curve secp521r1 -CAfile "${CA_ECC_CERT}" & + PID=$! + wait_server ${PID} + + echo "Checking TLS 1.2 with ECDHE-ECDSA... (SECP521R1)" + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --insecure --x509certfile "${ECC521_CERT}" --x509keyfile "${ECC521_KEY}" /dev/null || \ + fail ${PID} "Failed" + + kill ${PID} + wait + fi #FIPS + fi #SV2 + + #-cipher PSK + launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -tls1_2 -keyform pem -certform pem -dhparam "${srcdir}/params.dh" -key "${RSA_KEY}" -cert "${RSA_CERT}" -cipher PSK -psk 9e32cf7786321a828ef7668f09fb35db & + PID=$! + wait_server ${PID} + + echo "Checking TLS 1.2 with PSK..." 
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+PSK:+CURVE-ALL${ADD}" --insecure --pskusername Client_identity --pskkey 9e32cf7786321a828ef7668f09fb35db /dev/null || \ + fail ${PID} "Failed" + + kill ${PID} + wait + + launch_bare_server $$ s_server -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout -dhparam "${srcdir}/params.dh" -key "${RSA_KEY}" -cert "${RSA_CERT}" -dkey "${DSA_KEY}" -dcert "${DSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" & + PID=$! + wait_server ${PID} + + # Test DTLS 1.0 with RSA ciphersuite + echo "Checking DTLS 1.0 with RSA..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+RSA${ADD}" --udp --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ + fail ${PID} "Failed" + + kill ${PID} + wait + + launch_bare_server $$ s_server -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout -dhparam "${srcdir}/params.dh" -key "${RSA_KEY}" -cert "${RSA_CERT}" -dkey "${DSA_KEY}" -dcert "${DSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" & + PID=$! + wait_server ${PID} + + # Test DTLS 1.0 with DHE-RSA ciphersuite + echo "Checking DTLS 1.0 with DHE-RSA..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+DHE-RSA${ADD}" --udp --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ + fail ${PID} "Failed" + + kill ${PID} + wait + + launch_bare_server $$ s_server -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout -dhparam "${srcdir}/params.dh" -key "${RSA_KEY}" -cert "${RSA_CERT}" -dkey "${DSA_KEY}" -dcert "${DSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" & + PID=$! + wait_server ${PID} + + # Test DTLS 1.0 with DHE-DSS ciphersuite + echo "Checking DTLS 1.0 with DHE-DSS..." 
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --udp --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ + fail ${PID} "Failed" + + kill ${PID} + wait done echo "Client mode tests were successfully completed" 
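Review bot: the "Checking TLS 1.2 with ECDHE-RSA..." check in this hunk runs `"${CLI}" ${DEBUG} -p "${PORT}" ...` without the `${VALGRIND}` prefix that every other client invocation in the loop carries, so that one handshake is silently excluded from the valgrind run; prefix it like the surrounding checks. Two smaller points in the same hunk: the new loop header `for ADD in "" ":%COMPAT" ":%NO_ETM"; do #":%NO_TICKETS" ":%DISABLE_SAFE_RENEGOTIATION"` leaves two modifiers commented out with no explanation of why they are skipped against openssl s_server (the server-mode loop still iterates over all five), and the comment `# Test TLS 1.0 with DHE-RSA ciphersuite` sits above the `echo "Checking TLS 1.0 with ECDHE-RSA..."` check, a copy-paste leftover that should say ECDHE-RSA.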
@@ -357,296 +357,319 @@ SERV="../../src/gnutls-serv${EXEEXT} -q" # Note that openssl s_client does not return error code on failure -for ADD in "" ":%COMPAT" ":%NO_ETM" ":%NO_TICKETS" ":%DISABLE_SAFE_RENEGOTIATION" -do - if ! test -z "${ADD}";then - echo "" - echo "** Modifier: ${ADD}" - fi - - if test "${DEBIAN}" != 1;then - - echo "Check SSL 3.0 with RSA ciphersuite" - launch_server $$ --priority "NONE:+MD5:+ARCFOUR-128:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${srcdir}/params.dh" & PID=$! - wait_server ${PID} - - ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -ssl3 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ - fail ${PID} "Failed" - - echo "Check SSL 3.0 with RSA-RC4-MD5 ciphersuite" - ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -ssl3 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" -cipher RC4-MD5 &1 | grep "\:error\:" && \ - fail ${PID} "Failed" - - kill ${PID} - wait +for ADD in "" ":%COMPAT" ":%NO_ETM" ":%NO_TICKETS" ":%DISABLE_SAFE_RENEGOTIATION"; do + if ! test -z "${ADD}"; then + echo "" + echo "** Modifier: ${ADD}" + fi - echo "Check SSL 3.0 with DHE-RSA ciphersuite" - launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${srcdir}/params.dh" & PID=$! 
- wait_server ${PID} + if test "${DEBIAN}" != 1; then - ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -ssl3 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ - fail ${PID} "Failed" + echo "Check SSL 3.0 with RSA ciphersuite" + launch_server $$ --priority "NONE:+MD5:+ARCFOUR-128:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${srcdir}/params.dh" & + PID=$! + wait_server ${PID} - kill ${PID} - wait + ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -ssl3 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ + fail ${PID} "Failed" - echo "Check SSL 3.0 with DHE-DSS ciphersuite" - launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --x509certfile "${SERV_DSA_CERT}" --x509keyfile "${SERV_DSA_KEY}" --dhparams "${srcdir}/params.dh" & PID=$! - wait_server ${PID} + echo "Check SSL 3.0 with RSA-RC4-MD5 ciphersuite" + ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -ssl3 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" -cipher RC4-MD5 &1 | grep "\:error\:" && \ + fail ${PID} "Failed" - ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -ssl3 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ - fail ${PID} "Failed" + kill ${PID} + wait + echo "Check SSL 3.0 with DHE-RSA ciphersuite" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${srcdir}/params.dh" & + PID=$! 
+ wait_server ${PID} - kill ${PID} - wait - fi + ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -ssl3 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ + fail ${PID} "Failed" - #TLS 1.0 + kill ${PID} + wait - # This test was disabled because it doesn't work as expected with openssl 1.0.0d - #echo "Check TLS 1.0 with RSA ciphersuite (SSLv2 hello)" - #launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${srcdir}/params.dh" & PID=$! - #wait_server ${PID} - # - #${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ - # fail ${PID} "Failed" - # - #kill ${PID} - #wait + echo "Check SSL 3.0 with DHE-DSS ciphersuite" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --x509certfile "${SERV_DSA_CERT}" --x509keyfile "${SERV_DSA_KEY}" --dhparams "${srcdir}/params.dh" & + PID=$! + wait_server ${PID} - if test "${FIPS}" != 1;then - echo "Check TLS 1.0 with RSA-NULL ciphersuite" - launch_server $$ --priority "NONE:+NULL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${srcdir}/params.dh" & PID=$! 
- wait_server ${PID} + ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -ssl3 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ + fail ${PID} "Failed" - ${OPENSSL_CLI} s_client -cipher NULL-SHA -host localhost -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ - fail ${PID} "Failed" - kill ${PID} - wait - fi + kill ${PID} + wait + fi - echo "Check TLS 1.0 with DHE-RSA ciphersuite" - launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${srcdir}/params.dh" & PID=$! - wait_server ${PID} + #TLS 1.0 - ${OPENSSL_CLI} s_client -host localhost -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ - fail ${PID} "Failed" + # This test was disabled because it doesn't work as expected with openssl 1.0.0d + #echo "Check TLS 1.0 with RSA ciphersuite (SSLv2 hello)" + #launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${srcdir}/params.dh" & + #PID=$! + #wait_server ${PID} + # + #${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ + # fail ${PID} "Failed" + # + #kill ${PID} + #wait - kill ${PID} - wait + if test "${FIPS}" != 1; then + echo "Check TLS 1.0 with RSA-NULL ciphersuite" + launch_server $$ --priority "NONE:+NULL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${srcdir}/params.dh" & + PID=$! 
+ wait_server ${PID} + + ${OPENSSL_CLI} s_client -cipher NULL-SHA -host localhost -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ + fail ${PID} "Failed" - echo "Check TLS 1.0 with DHE-DSS ciphersuite" - launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --x509certfile "${SERV_DSA_CERT}" --x509keyfile "${SERV_DSA_KEY}" --dhparams "${srcdir}/params.dh" & PID=$! - wait_server ${PID} + kill ${PID} + wait + fi - ${OPENSSL_CLI} s_client -host localhost -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ - fail ${PID} "Failed" + echo "Check TLS 1.0 with DHE-RSA ciphersuite" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${srcdir}/params.dh" & + PID=$! + wait_server ${PID} - kill ${PID} - wait + ${OPENSSL_CLI} s_client -host localhost -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ + fail ${PID} "Failed" - echo "Check TLS 1.0 with ECDHE-RSA ciphersuite" - launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-RSA:+CURVE-ALL${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" & PID=$! 
- wait_server ${PID} + kill ${PID} + wait - #-cipher ECDHE-RSA-AES128-SHA - ${OPENSSL_CLI} s_client -host localhost -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ - fail ${PID} "Failed" + echo "Check TLS 1.0 with DHE-DSS ciphersuite" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --x509certfile "${SERV_DSA_CERT}" --x509keyfile "${SERV_DSA_KEY}" --dhparams "${srcdir}/params.dh" & + PID=$! + wait_server ${PID} - kill ${PID} - wait + ${OPENSSL_CLI} s_client -host localhost -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ + fail ${PID} "Failed" - if test "${FIPS}" != 1;then - echo "Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP224R1)" - launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC224_CERT}" --x509keyfile "${ECC224_KEY}" --x509cafile "${CA_ECC_CERT}" & PID=$! - wait_server ${PID} + kill ${PID} + wait - #-cipher ECDHE-ECDSA-AES128-SHA - ${OPENSSL_CLI} s_client -host localhost -tls1 -port "${PORT}" -cert "${ECC224_CERT}" -key "${ECC224_KEY}" -CAfile "${CA_ECC_CERT}" &1 | grep "\:error\:" && \ - fail ${PID} "Failed" + echo "Check TLS 1.0 with ECDHE-RSA ciphersuite" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-RSA:+CURVE-ALL${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" & + PID=$! 
+ wait_server ${PID} - kill ${PID} - wait - fi + #-cipher ECDHE-RSA-AES128-SHA + ${OPENSSL_CLI} s_client -host localhost -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ + fail ${PID} "Failed" - echo "Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP256R1)" - launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC256_CERT}" --x509keyfile "${ECC256_KEY}" --x509cafile "${CA_ECC_CERT}" & PID=$! - wait_server ${PID} + kill ${PID} + wait - #-cipher ECDHE-ECDSA-AES128-SHA - ${OPENSSL_CLI} s_client -host localhost -tls1 -port "${PORT}" -cert "${ECC256_CERT}" -key "${ECC256_KEY}" -CAfile "${CA_ECC_CERT}" &1 | grep "\:error\:" && \ - fail ${PID} "Failed" + if test "${FIPS}" != 1; then + echo "Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP224R1)" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC224_CERT}" --x509keyfile "${ECC224_KEY}" --x509cafile "${CA_ECC_CERT}" & + PID=$! + wait_server ${PID} - kill ${PID} - wait + #-cipher ECDHE-ECDSA-AES128-SHA + ${OPENSSL_CLI} s_client -host localhost -tls1 -port "${PORT}" -cert "${ECC224_CERT}" -key "${ECC224_KEY}" -CAfile "${CA_ECC_CERT}" &1 | grep "\:error\:" && \ + fail ${PID} "Failed" - echo "Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP384R1)" - launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC384_CERT}" --x509keyfile "${ECC384_KEY}" --x509cafile "${CA_ECC_CERT}" & PID=$! 
- wait_server ${PID} + kill ${PID} + wait + fi - #-cipher ECDHE-ECDSA-AES128-SHA - ${OPENSSL_CLI} s_client -host localhost -tls1 -port "${PORT}" -cert "${ECC384_CERT}" -key "${ECC384_KEY}" -CAfile "${CA_ECC_CERT}" &1 | grep "\:error\:" && \ - fail ${PID} "Failed" + echo "Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP256R1)" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC256_CERT}" --x509keyfile "${ECC256_KEY}" --x509cafile "${CA_ECC_CERT}" & + PID=$! + wait_server ${PID} - kill ${PID} - wait + #-cipher ECDHE-ECDSA-AES128-SHA + ${OPENSSL_CLI} s_client -host localhost -tls1 -port "${PORT}" -cert "${ECC256_CERT}" -key "${ECC256_KEY}" -CAfile "${CA_ECC_CERT}" &1 | grep "\:error\:" && \ + fail ${PID} "Failed" - if test "${FIPS}" != 1;then - echo "Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP521R1)" - launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC521_CERT}" --x509keyfile "${ECC521_KEY}" --x509cafile "${CA_ECC_CERT}" & PID=$! - wait_server ${PID} + kill ${PID} + wait - #-cipher ECDHE-ECDSA-AES128-SHA - ${OPENSSL_CLI} s_client -host localhost -tls1 -port "${PORT}" -cert "${ECC521_CERT}" -key "${ECC521_KEY}" -CAfile "${CA_ECC_CERT}" &1 | grep "\:error\:" && \ - fail ${PID} "Failed" + echo "Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP384R1)" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC384_CERT}" --x509keyfile "${ECC384_KEY}" --x509cafile "${CA_ECC_CERT}" & + PID=$! 
+ wait_server ${PID} - kill ${PID} - wait - fi + #-cipher ECDHE-ECDSA-AES128-SHA + ${OPENSSL_CLI} s_client -host localhost -tls1 -port "${PORT}" -cert "${ECC384_CERT}" -key "${ECC384_KEY}" -CAfile "${CA_ECC_CERT}" &1 | grep "\:error\:" && \ + fail ${PID} "Failed" + + kill ${PID} + wait + + if test "${FIPS}" != 1; then + echo "Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP521R1)" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC521_CERT}" --x509keyfile "${ECC521_KEY}" --x509cafile "${CA_ECC_CERT}" & + PID=$! + wait_server ${PID} + + #-cipher ECDHE-ECDSA-AES128-SHA + ${OPENSSL_CLI} s_client -host localhost -tls1 -port "${PORT}" -cert "${ECC521_CERT}" -key "${ECC521_KEY}" -CAfile "${CA_ECC_CERT}" &1 | grep "\:error\:" && \ + fail ${PID} "Failed" + + kill ${PID} + wait + fi - echo "Check TLS 1.0 with PSK ciphersuite" - launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" & PID=$! - wait_server ${PID} + echo "Check TLS 1.0 with PSK ciphersuite" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" & + PID=$! 
+ wait_server ${PID} - #-cipher PSK-AES128-SHA - ${OPENSSL_CLI} s_client -host localhost -psk_identity Client_identity -psk 9e32cf7786321a828ef7668f09fb35db -tls1 -port "${PORT}" crt_file="${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep ":error:" && \ - fail ${PID} "Failed" + #-cipher PSK-AES128-SHA + ${OPENSSL_CLI} s_client -host localhost -psk_identity Client_identity -psk 9e32cf7786321a828ef7668f09fb35db -tls1 -port "${PORT}" crt_file="${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep ":error:" && \ + fail ${PID} "Failed" - kill ${PID} - wait + kill ${PID} + wait - if test ${SV2} = 0;then + if test ${SV2} = 0; then - echo "Check TLS 1.2 with DHE-RSA ciphersuite" - launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${srcdir}/params.dh" & PID=$! - wait_server ${PID} + echo "Check TLS 1.2 with DHE-RSA ciphersuite" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${srcdir}/params.dh" & + PID=$! + wait_server ${PID} - ${OPENSSL_CLI} s_client -host localhost -tls1_2 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ - fail ${PID} "Failed" + ${OPENSSL_CLI} s_client -host localhost -tls1_2 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ + fail ${PID} "Failed" - kill ${PID} - wait + kill ${PID} + wait - echo "Check TLS 1.2 with DHE-DSS ciphersuite" - launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --x509certfile "${SERV_DSA_CERT}" --x509keyfile "${SERV_DSA_KEY}" --dhparams "${srcdir}/params.dh" & PID=$! 
- wait_server ${PID} + echo "Check TLS 1.2 with DHE-DSS ciphersuite" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --x509certfile "${SERV_DSA_CERT}" --x509keyfile "${SERV_DSA_KEY}" --dhparams "${srcdir}/params.dh" & + PID=$! + wait_server ${PID} - ${OPENSSL_CLI} s_client -host localhost -tls1_2 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ - fail ${PID} "Failed" + ${OPENSSL_CLI} s_client -host localhost -tls1_2 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ + fail ${PID} "Failed" - kill ${PID} - wait + kill ${PID} + wait - echo "Check TLS 1.2 with ECDHE-RSA ciphersuite" - launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-RSA:+CURVE-ALL${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" & PID=$! - wait_server ${PID} + echo "Check TLS 1.2 with ECDHE-RSA ciphersuite" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-RSA:+CURVE-ALL${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" & + PID=$! 
+ wait_server ${PID} - #-cipher ECDHE-RSA-AES128-SHA - ${OPENSSL_CLI} s_client -host localhost -tls1_2 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ - fail ${PID} "Failed" + #-cipher ECDHE-RSA-AES128-SHA + ${OPENSSL_CLI} s_client -host localhost -tls1_2 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ + fail ${PID} "Failed" - kill ${PID} - wait + kill ${PID} + wait - if test "${FIPS}" != 1;then - echo "Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP224R1)" - launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC224_CERT}" --x509keyfile "${ECC224_KEY}" --x509cafile "${CA_ECC_CERT}" & PID=$! - wait_server ${PID} + if test "${FIPS}" != 1; then + echo "Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP224R1)" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC224_CERT}" --x509keyfile "${ECC224_KEY}" --x509cafile "${CA_ECC_CERT}" & + PID=$! + wait_server ${PID} - #-cipher ECDHE-ECDSA-AES128-SHA - ${OPENSSL_CLI} s_client -host localhost -tls1_2 -port "${PORT}" -cert "${ECC224_CERT}" -key "${ECC224_KEY}" -CAfile "${CA_ECC_CERT}" &1 | grep "\:error\:" && \ - fail ${PID} "Failed" + #-cipher ECDHE-ECDSA-AES128-SHA + ${OPENSSL_CLI} s_client -host localhost -tls1_2 -port "${PORT}" -cert "${ECC224_CERT}" -key "${ECC224_KEY}" -CAfile "${CA_ECC_CERT}" &1 | grep "\:error\:" && \ + fail ${PID} "Failed" - kill ${PID} - wait - fi + kill ${PID} + wait + fi - echo "Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP256R1)" - launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC256_CERT}" --x509keyfile "${ECC256_KEY}" --x509cafile "${CA_ECC_CERT}" & PID=$! 
- wait_server ${PID} + echo "Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP256R1)" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC256_CERT}" --x509keyfile "${ECC256_KEY}" --x509cafile "${CA_ECC_CERT}" & + PID=$! + wait_server ${PID} - #-cipher ECDHE-ECDSA-AES128-SHA - ${OPENSSL_CLI} s_client -host localhost -tls1_2 -port "${PORT}" -cert "${ECC256_CERT}" -key "${ECC256_KEY}" -CAfile "${CA_ECC_CERT}" &1 | grep "\:error\:" && \ - fail ${PID} "Failed" + #-cipher ECDHE-ECDSA-AES128-SHA + ${OPENSSL_CLI} s_client -host localhost -tls1_2 -port "${PORT}" -cert "${ECC256_CERT}" -key "${ECC256_KEY}" -CAfile "${CA_ECC_CERT}" &1 | grep "\:error\:" && \ + fail ${PID} "Failed" - kill ${PID} - wait + kill ${PID} + wait - echo "Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP384R1)" - launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC384_CERT}" --x509keyfile "${ECC384_KEY}" --x509cafile "${CA_ECC_CERT}" & PID=$! - wait_server ${PID} + echo "Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP384R1)" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC384_CERT}" --x509keyfile "${ECC384_KEY}" --x509cafile "${CA_ECC_CERT}" & + PID=$! 
+ wait_server ${PID} - #-cipher ECDHE-ECDSA-AES128-SHA - ${OPENSSL_CLI} s_client -host localhost -tls1_2 -port "${PORT}" -cert "${ECC384_CERT}" -key "${ECC384_KEY}" -CAfile "${CA_ECC_CERT}" &1 | grep "\:error\:" && \ - fail ${PID} "Failed" + #-cipher ECDHE-ECDSA-AES128-SHA + ${OPENSSL_CLI} s_client -host localhost -tls1_2 -port "${PORT}" -cert "${ECC384_CERT}" -key "${ECC384_KEY}" -CAfile "${CA_ECC_CERT}" &1 | grep "\:error\:" && \ + fail ${PID} "Failed" - kill ${PID} - wait + kill ${PID} + wait - if test "${FIPS}" != 1;then - echo "Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP521R1)" - launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC521_CERT}" --x509keyfile "${ECC521_KEY}" --x509cafile "${CA_ECC_CERT}" & PID=$! - wait_server ${PID} + if test "${FIPS}" != 1; then + echo "Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP521R1)" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC521_CERT}" --x509keyfile "${ECC521_KEY}" --x509cafile "${CA_ECC_CERT}" & + PID=$! + wait_server ${PID} - #-cipher ECDHE-ECDSA-AES128-SHA - ${OPENSSL_CLI} s_client -host localhost -tls1_2 -port "${PORT}" -cert "${ECC521_CERT}" -key "${ECC521_KEY}" -CAfile "${CA_ECC_CERT}" &1 | grep "\:error\:" && \ - fail ${PID} "Failed" + #-cipher ECDHE-ECDSA-AES128-SHA + ${OPENSSL_CLI} s_client -host localhost -tls1_2 -port "${PORT}" -cert "${ECC521_CERT}" -key "${ECC521_KEY}" -CAfile "${CA_ECC_CERT}" &1 | grep "\:error\:" && \ + fail ${PID} "Failed" - kill ${PID} - wait - fi + kill ${PID} + wait + fi - echo "Check TLS 1.2 with PSK ciphersuite" - launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" & PID=$! 
- wait_server ${PID} + echo "Check TLS 1.2 with PSK ciphersuite" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" & + PID=$! + wait_server ${PID} - #-cipher PSK-AES128-SHA - ${OPENSSL_CLI} s_client -host localhost -psk_identity Client_identity -psk 9e32cf7786321a828ef7668f09fb35db -tls1_2 -port "${PORT}" crt_file="${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep ":error:" && \ - fail ${PID} "Failed" + #-cipher PSK-AES128-SHA + ${OPENSSL_CLI} s_client -host localhost -psk_identity Client_identity -psk 9e32cf7786321a828ef7668f09fb35db -tls1_2 -port "${PORT}" crt_file="${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep ":error:" && \ + fail ${PID} "Failed" - kill ${PID} - wait + kill ${PID} + wait - fi #SV2 + fi #SV2 - # DTLS - echo "Check DTLS 1.0 with RSA ciphersuite" - launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+RSA${ADD}" --udp --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${srcdir}/params.dh" & PID=$! - wait_server ${PID} + # DTLS + echo "Check DTLS 1.0 with RSA ciphersuite" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+RSA${ADD}" --udp --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${srcdir}/params.dh" & + PID=$! 
+ wait_server ${PID} - ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ - fail ${PID} "Failed" + ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ + fail ${PID} "Failed" - kill ${PID} - wait + kill ${PID} + wait - echo "Check DTLS 1.0 with DHE-RSA ciphersuite" - launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+DHE-RSA${ADD}" --udp --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${srcdir}/params.dh" & PID=$! - wait_server ${PID} + echo "Check DTLS 1.0 with DHE-RSA ciphersuite" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+DHE-RSA${ADD}" --udp --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${srcdir}/params.dh" & + PID=$! + wait_server ${PID} - ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ - fail ${PID} "Failed" + ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ + fail ${PID} "Failed" - kill ${PID} - wait + kill ${PID} + wait - echo "Check DTLS 1.0 with DHE-DSS ciphersuite" - launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --udp --x509certfile "${SERV_DSA_CERT}" --x509keyfile "${SERV_DSA_KEY}" --dhparams "${srcdir}/params.dh" & PID=$! 
- wait_server ${PID} + echo "Check DTLS 1.0 with DHE-DSS ciphersuite" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --udp --x509certfile "${SERV_DSA_CERT}" --x509keyfile "${SERV_DSA_KEY}" --dhparams "${srcdir}/params.dh" & + PID=$! + wait_server ${PID} - ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ - fail ${PID} "Failed" + ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ + fail ${PID} "Failed" - kill ${PID} - wait + kill ${PID} + wait done exit 0 diff --git a/tests/suite/testcompat-main-polarssl b/tests/suite/testcompat-main-polarssl index 74261b0..bf49918 100755 --- a/tests/suite/testcompat-main-polarssl +++ b/tests/suite/testcompat-main-polarssl 
@@ -34,44 +34,44 @@ srcdir="${srcdir:-.}" CLI="${CLI:-../../src/gnutls-cli${EXEEXT}}" LOGFILE=polarssl.log unset RETCODE -if ! test -z "${VALGRIND}";then - VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" +if ! test -z "${VALGRIND}"; then + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" fi -if test "${WINDIR}" != "";then - exit 77 +if test "${WINDIR}" != ""; then + exit 77 fi . "${srcdir}/../scripts/common.sh" PORT="${PORT:-${RPORT}}" TXT=`"${CLI}" --priority NORMAL --list|grep SECP224` -if test -z "${TXT}";then - ALL_CURVES=0 +if test -z "${TXT}"; then + ALL_CURVES=0 else - ALL_CURVES=1 + ALL_CURVES=1 fi echo "Compatibility checks using polarssl" for POLARSSL_CLI in \ - /usr/bin/polarssl_ssl_client2 \ - /usr/bin/mbedtls_ssl_client2 \ - /usr/libexec/mbedtls/ssl_client2 \ - ""; do - test -x "${POLARSSL_CLI}" && break + /usr/bin/polarssl_ssl_client2 \ + /usr/bin/mbedtls_ssl_client2 \ + /usr/libexec/mbedtls/ssl_client2 \ + ""; do + test -x "${POLARSSL_CLI}" && break done -if test -z "${POLARSSL_CLI}";then - echo "PolarSSL is required for this test to run" - exit 77 +if test -z "${POLARSSL_CLI}"; then + echo "PolarSSL is required for this test to run" + exit 77 fi "${POLARSSL_CLI}" >/dev/null 2>&1 -if test $? = 0;then - echo "PolarSSL 1.3.x is required for the tests to run" - exit 77 +if test $? = 0; then + echo "PolarSSL 1.3.x is required for the tests to run" + exit 77 fi 
@@ -85,330 +85,358 @@ SERV="../../src/gnutls-serv${EXEEXT} -q" rm -f "${LOGFILE}" -for ADD in "" ":%COMPAT" ":%NO_ETM" #":%NO_TICKETS" ":%DISABLE_SAFE_RENEGOTIATION" -do - if ! test -z "${ADD}";then - echo "" - echo "** Modifier: ${ADD}" - fi +for ADD in "" ":%COMPAT" ":%NO_ETM"; do #":%NO_TICKETS" ":%DISABLE_SAFE_RENEGOTIATION" + if ! test -z "${ADD}"; then + echo "" + echo "** Modifier: ${ADD}" + fi - # SSL 3.0 is disabled in debian's polarssl - if test 0 = 1;then - echo "Check SSL 3.0 with RSA ciphersuite" - launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${srcdir}/params.dh" & PID=$! - wait_server ${PID} + # SSL 3.0 is disabled in debian's polarssl + if test 0 = 1; then + echo "Check SSL 3.0 with RSA ciphersuite" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${srcdir}/params.dh" & + PID=$! + wait_server ${PID} - "${POLARSSL_CLI}" server_port="${PORT}" server_name=localhost max_version=ssl3 crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ - fail ${PID} "Failed" + "${POLARSSL_CLI}" server_port="${PORT}" server_name=localhost max_version=ssl3 crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ + fail ${PID} "Failed" - kill ${PID} - wait + kill ${PID} + wait + + echo "Check SSL 3.0 with DHE-RSA ciphersuite" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${srcdir}/params.dh" & + PID=$! 
+ wait_server ${PID} - echo "Check SSL 3.0 with DHE-RSA ciphersuite" - launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${srcdir}/params.dh" & PID=$! - wait_server ${PID} + "${POLARSSL_CLI}" server_name=localhost server_port="${PORT}" max_version=ssl3 crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ + fail ${PID} "Failed" - "${POLARSSL_CLI}" server_name=localhost server_port="${PORT}" max_version=ssl3 crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ - fail ${PID} "Failed" + kill ${PID} + wait - kill ${PID} - wait + # No DSS for polarssl + #echo "Check SSL 3.0 with DHE-DSS ciphersuite" + #launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+DHE-DSS" --x509certfile "${SERV_DSA_CERT}" --x509keyfile "${SERV_DSA_KEY}" --dhparams "${srcdir}/params.dh" & + #PID=$! + #wait_server ${PID} + + #"${POLARSSL_CLI}" server_name=localhost server_port="${PORT}" max_version=ssl3 crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ + # fail ${PID} "Failed" + # + #kill ${PID} + #wait + fi + + #TLS 1.0 + + echo "Check TLS 1.0 with DHE-RSA ciphersuite" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${srcdir}/params.dh" & + PID=$! + wait_server ${PID} - # No DSS for polarssl - #echo "Check SSL 3.0 with DHE-DSS ciphersuite" - #launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+DHE-DSS" --x509certfile "${SERV_DSA_CERT}" --x509keyfile "${SERV_DSA_KEY}" --dhparams "${srcdir}/params.dh" & PID=$! 
- #wait_server ${PID} + "${POLARSSL_CLI}" server_name=localhost min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ + fail ${PID} "Failed" - #"${POLARSSL_CLI}" server_name=localhost server_port="${PORT}" max_version=ssl3 crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ - # fail ${PID} "Failed" - # - #kill ${PID} - #wait - fi + kill ${PID} + wait + + #echo "Check TLS 1.0 with DHE-DSS ciphersuite" + #launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-DSS${ADD}" --x509certfile "${SERV_DSA_CERT}" --x509keyfile "${SERV_DSA_KEY}" --dhparams "${srcdir}/params.dh" & + #PID=$! + #wait_server ${PID} + + #"${POLARSSL_CLI}" server_name=localhost min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ + # fail ${PID} "Failed" + + #kill ${PID} + #wait + + echo "Check TLS 1.0 with ECDHE-RSA ciphersuite" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-RSA:+CURVE-ALL${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" & + PID=$! + wait_server ${PID} + + #-cipher ECDHE-RSA-AES128-SHA + "${POLARSSL_CLI}" server_name=localhost min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ + fail ${PID} "Failed" + + kill ${PID} + wait + + echo "Check TLS 1.0 with PSK ciphersuite" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" & + PID=$! 
+ wait_server ${PID} + + #-cipher PSK-AES128-SHA + "${POLARSSL_CLI}" server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ + fail ${PID} "Failed" - #TLS 1.0 + kill ${PID} + wait + + echo "Check TLS 1.0 with DHE-PSK ciphersuite" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" & + PID=$! + wait_server ${PID} - echo "Check TLS 1.0 with DHE-RSA ciphersuite" - launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${srcdir}/params.dh" & PID=$! - wait_server ${PID} + #-cipher PSK-AES128-SHA + "${POLARSSL_CLI}" server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ + fail ${PID} "Failed" - "${POLARSSL_CLI}" server_name=localhost min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ - fail ${PID} "Failed" + kill ${PID} + wait + + echo "Check TLS 1.0 with ECDHE-PSK ciphersuite" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" & + PID=$! 
+ wait_server ${PID} - kill ${PID} - wait + #-cipher PSK-AES128-SHA + "${POLARSSL_CLI}" server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ + fail ${PID} "Failed" - #echo "Check TLS 1.0 with DHE-DSS ciphersuite" - #launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-DSS${ADD}" --x509certfile "${SERV_DSA_CERT}" --x509keyfile "${SERV_DSA_KEY}" --dhparams "${srcdir}/params.dh" & PID=$! - #wait_server ${PID} + kill ${PID} + wait - #"${POLARSSL_CLI}" server_name=localhost min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ - # fail ${PID} "Failed" + echo "Check TLS 1.0 with RSA-PSK ciphersuite" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA-PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" & + PID=$! + wait_server ${PID} - #kill ${PID} - #wait + #-cipher RSA-PSK-AES128-SHA + "${POLARSSL_CLI}" server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ + fail ${PID} "Failed" - echo "Check TLS 1.0 with ECDHE-RSA ciphersuite" - launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-RSA:+CURVE-ALL${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" & PID=$! 
- wait_server ${PID} + kill ${PID} + wait - #-cipher ECDHE-RSA-AES128-SHA - "${POLARSSL_CLI}" server_name=localhost min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ - fail ${PID} "Failed" + if test ${ALL_CURVES} = 1; then + echo "Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP224R1)" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC224_CERT}" --x509keyfile "${ECC224_KEY}" --x509cafile "${CA_ECC_CERT}" & + PID=$! + wait_server ${PID} - kill ${PID} - wait + #-cipher ECDHE-ECDSA-AES128-SHA + "${POLARSSL_CLI}" server_name=localhost min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${ECC224_CERT}" key_file="${ECC224_KEY}" ca_file="${CA_ECC_CERT}" >"${LOGFILE}" 2>&1 || \ + fail ${PID} "Failed" - echo "Check TLS 1.0 with PSK ciphersuite" - launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" & PID=$! - wait_server ${PID} + kill ${PID} + wait + fi - #-cipher PSK-AES128-SHA - "${POLARSSL_CLI}" server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ - fail ${PID} "Failed" + echo "Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP256R1)" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC256_CERT}" --x509keyfile "${ECC256_KEY}" --x509cafile "${CA_ECC_CERT}" & + PID=$! 
+ wait_server ${PID} + + #-cipher ECDHE-ECDSA-AES128-SHA + "${POLARSSL_CLI}" server_name=localhost min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${ECC256_CERT}" key_file="${ECC256_KEY}" ca_file="${CA_ECC_CERT}" >"${LOGFILE}" 2>&1 || \ + fail ${PID} "Failed" - kill ${PID} - wait + kill ${PID} + wait - echo "Check TLS 1.0 with DHE-PSK ciphersuite" - launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" & PID=$! - wait_server ${PID} + echo "Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP384R1)" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC384_CERT}" --x509keyfile "${ECC384_KEY}" --x509cafile "${CA_ECC_CERT}" & + PID=$! + wait_server ${PID} + + #-cipher ECDHE-ECDSA-AES128-SHA + "${POLARSSL_CLI}" server_name=localhost min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${ECC384_CERT}" key_file="${ECC384_KEY}" ca_file="${CA_ECC_CERT}" >"${LOGFILE}" 2>&1 || \ + fail ${PID} "Failed" + + kill ${PID} + wait + + echo "Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP521R1)" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC521_CERT}" --x509keyfile "${ECC521_KEY}" --x509cafile "${CA_ECC_CERT}" & + PID=$! 
+ wait_server ${PID} + + #-cipher ECDHE-ECDSA-AES128-SHA + "${POLARSSL_CLI}" server_name=localhost min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${ECC521_CERT}" key_file="${ECC521_KEY}" ca_file="${CA_ECC_CERT}" >"${LOGFILE}" 2>&1 || \ + fail ${PID} "Failed" + + kill ${PID} + wait + + echo "Check TLS 1.2 with DHE-RSA ciphersuite" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${srcdir}/params.dh" & + PID=$! + wait_server ${PID} + + "${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ + fail ${PID} "Failed" + + kill ${PID} + wait + + echo "Check TLS 1.2 with CAMELLIA-128-GCM-DHE-RSA ciphersuite" + launch_server $$ --priority "NONE:-CIPHER-ALL:+CAMELLIA-128-GCM:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${srcdir}/params.dh" & + PID=$! + wait_server ${PID} + + "${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ + fail ${PID} "Failed" + + kill ${PID} + wait + + echo "Check TLS 1.2 with CAMELLIA-256-GCM-DHE-RSA ciphersuite" + launch_server $$ --priority "NONE:-CIPHER-ALL:+CAMELLIA-256-GCM:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${srcdir}/params.dh" & + PID=$! 
+ wait_server ${PID} + + "${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ + fail ${PID} "Failed" + + kill ${PID} + wait + + echo "Check TLS 1.2 with AES-128-CCM-DHE-RSA ciphersuite" + launch_server $$ --priority "NONE:-CIPHER-ALL:+AES-128-CCM:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${srcdir}/params.dh" & + PID=$! + wait_server ${PID} + + "${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ + fail ${PID} "Failed" + + kill ${PID} + wait + + echo "Check TLS 1.2 with AES-128-CCM-8-DHE-RSA ciphersuite" + launch_server $$ --priority "NONE:-CIPHER-ALL:+AES-128-CCM-8:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${srcdir}/params.dh" & + PID=$! + wait_server ${PID} + + "${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ + fail ${PID} "Failed" + + kill ${PID} + wait + + #echo "Check TLS 1.2 with DHE-DSS ciphersuite" + #launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-DSS${ADD}" --x509certfile "${SERV_DSA_CERT}" --x509keyfile "${SERV_DSA_KEY}" --dhparams "${srcdir}/params.dh" & + #PID=$! 
+ #wait_server ${PID} + # + #"${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ + # fail ${PID} "Failed" + # + #kill ${PID} + #wait + + echo "Check TLS 1.2 with ECDHE-RSA ciphersuite" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-RSA:+CURVE-ALL${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" & + PID=$! + wait_server ${PID} + + #-cipher ECDHE-RSA-AES128-SHA + "${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ + fail ${PID} "Failed" + + kill ${PID} + wait + + if test ${ALL_CURVES} = 1; then + echo "Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP224R1)" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC224_CERT}" --x509keyfile "${ECC224_KEY}" --x509cafile "${CA_ECC_CERT}" & + PID=$! + wait_server ${PID} + + #-cipher ECDHE-ECDSA-AES128-SHA + "${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${ECC224_CERT}" key_file="${ECC224_KEY}" ca_file="${CA_ECC_CERT}" >"${LOGFILE}" 2>&1 || \ + fail ${PID} "Failed" + + kill ${PID} + wait + fi + + echo "Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP256R1)" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC256_CERT}" --x509keyfile "${ECC256_KEY}" --x509cafile "${CA_ECC_CERT}" & + PID=$! 
+ wait_server ${PID} - #-cipher PSK-AES128-SHA - "${POLARSSL_CLI}" server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ - fail ${PID} "Failed" + #-cipher ECDHE-ECDSA-AES128-SHA + "${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${ECC256_CERT}" key_file="${ECC256_KEY}" ca_file="${CA_ECC_CERT}" >"${LOGFILE}" 2>&1 || \ + fail ${PID} "Failed" + + kill ${PID} + wait + + echo "Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP384R1)" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC384_CERT}" --x509keyfile "${ECC384_KEY}" --x509cafile "${CA_ECC_CERT}" & + PID=$! + wait_server ${PID} + + #-cipher ECDHE-ECDSA-AES128-SHA + "${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${ECC384_CERT}" key_file="${ECC384_KEY}" ca_file="${CA_ECC_CERT}" >"${LOGFILE}" 2>&1 || \ + fail ${PID} "Failed" + + kill ${PID} + wait + + echo "Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP521R1)" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC521_CERT}" --x509keyfile "${ECC521_KEY}" --x509cafile "${CA_ECC_CERT}" & + PID=$! 
+ wait_server ${PID} + + #-cipher ECDHE-ECDSA-AES128-SHA + "${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${ECC521_CERT}" key_file="${ECC521_KEY}" ca_file="${CA_ECC_CERT}" >"${LOGFILE}" 2>&1 || \ + fail ${PID} "Failed" + + kill ${PID} + wait + + echo "Check TLS 1.2 with PSK ciphersuite" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" & + PID=$! + wait_server ${PID} + + #-cipher PSK-AES128-SHA + "${POLARSSL_CLI}" server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ + fail ${PID} "Failed" + + kill ${PID} + wait + + echo "Check TLS 1.2 with DHE-PSK ciphersuite" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" & + PID=$! + wait_server ${PID} + + #-cipher PSK-AES128-SHA + "${POLARSSL_CLI}" server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ + fail ${PID} "Failed" + + kill ${PID} + wait + + echo "Check TLS 1.2 with ECDHE-PSK ciphersuite" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" & + PID=$! 
+ wait_server ${PID} + + #-cipher PSK-AES128-SHA + "${POLARSSL_CLI}" server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ + fail ${PID} "Failed" + + kill ${PID} + wait + + echo "Check TLS 1.2 with RSA-PSK ciphersuite" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+RSA-PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" & + PID=$! + wait_server ${PID} - kill ${PID} - wait + #-cipher RSA-PSK-AES128-SHA + "${POLARSSL_CLI}" server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ + fail ${PID} "Failed" - echo "Check TLS 1.0 with ECDHE-PSK ciphersuite" - launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" & PID=$! - wait_server ${PID} - - #-cipher PSK-AES128-SHA - "${POLARSSL_CLI}" server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ - fail ${PID} "Failed" - - kill ${PID} - wait - - echo "Check TLS 1.0 with RSA-PSK ciphersuite" - launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA-PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" & PID=$! 
- wait_server ${PID} - - #-cipher RSA-PSK-AES128-SHA - "${POLARSSL_CLI}" server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ - fail ${PID} "Failed" - - kill ${PID} - wait - - if test ${ALL_CURVES} = 1;then - echo "Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP224R1)" - launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC224_CERT}" --x509keyfile "${ECC224_KEY}" --x509cafile "${CA_ECC_CERT}" & PID=$! - wait_server ${PID} - - #-cipher ECDHE-ECDSA-AES128-SHA - "${POLARSSL_CLI}" server_name=localhost min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${ECC224_CERT}" key_file="${ECC224_KEY}" ca_file="${CA_ECC_CERT}" >"${LOGFILE}" 2>&1 || \ - fail ${PID} "Failed" - - kill ${PID} - wait - fi - - echo "Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP256R1)" - launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC256_CERT}" --x509keyfile "${ECC256_KEY}" --x509cafile "${CA_ECC_CERT}" & PID=$! - wait_server ${PID} - - #-cipher ECDHE-ECDSA-AES128-SHA - "${POLARSSL_CLI}" server_name=localhost min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${ECC256_CERT}" key_file="${ECC256_KEY}" ca_file="${CA_ECC_CERT}" >"${LOGFILE}" 2>&1 || \ - fail ${PID} "Failed" - - kill ${PID} - wait - - echo "Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP384R1)" - launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC384_CERT}" --x509keyfile "${ECC384_KEY}" --x509cafile "${CA_ECC_CERT}" & PID=$! 
- wait_server ${PID} - - #-cipher ECDHE-ECDSA-AES128-SHA - "${POLARSSL_CLI}" server_name=localhost min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${ECC384_CERT}" key_file="${ECC384_KEY}" ca_file="${CA_ECC_CERT}" >"${LOGFILE}" 2>&1 || \ - fail ${PID} "Failed" - - kill ${PID} - wait - - echo "Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP521R1)" - launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC521_CERT}" --x509keyfile "${ECC521_KEY}" --x509cafile "${CA_ECC_CERT}" & PID=$! - wait_server ${PID} - - #-cipher ECDHE-ECDSA-AES128-SHA - "${POLARSSL_CLI}" server_name=localhost min_version=tls1 max_version=tls1 server_port="${PORT}" crt_file="${ECC521_CERT}" key_file="${ECC521_KEY}" ca_file="${CA_ECC_CERT}" >"${LOGFILE}" 2>&1 || \ - fail ${PID} "Failed" - - kill ${PID} - wait - - echo "Check TLS 1.2 with DHE-RSA ciphersuite" - launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${srcdir}/params.dh" & PID=$! - wait_server ${PID} - - "${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ - fail ${PID} "Failed" - - kill ${PID} - wait - - echo "Check TLS 1.2 with CAMELLIA-128-GCM-DHE-RSA ciphersuite" - launch_server $$ --priority "NONE:-CIPHER-ALL:+CAMELLIA-128-GCM:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${srcdir}/params.dh" & PID=$! 
- wait_server ${PID} - - "${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ - fail ${PID} "Failed" - - kill ${PID} - wait - - echo "Check TLS 1.2 with CAMELLIA-256-GCM-DHE-RSA ciphersuite" - launch_server $$ --priority "NONE:-CIPHER-ALL:+CAMELLIA-256-GCM:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${srcdir}/params.dh" & PID=$! - wait_server ${PID} - - "${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ - fail ${PID} "Failed" - - kill ${PID} - wait - - echo "Check TLS 1.2 with AES-128-CCM-DHE-RSA ciphersuite" - launch_server $$ --priority "NONE:-CIPHER-ALL:+AES-128-CCM:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${srcdir}/params.dh" & PID=$! - wait_server ${PID} - - "${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ - fail ${PID} "Failed" - - kill ${PID} - wait - - echo "Check TLS 1.2 with AES-128-CCM-8-DHE-RSA ciphersuite" - launch_server $$ --priority "NONE:-CIPHER-ALL:+AES-128-CCM-8:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${srcdir}/params.dh" & PID=$! 
- wait_server ${PID} - - "${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ - fail ${PID} "Failed" - - kill ${PID} - wait - - #echo "Check TLS 1.2 with DHE-DSS ciphersuite" - #launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-DSS${ADD}" --x509certfile "${SERV_DSA_CERT}" --x509keyfile "${SERV_DSA_KEY}" --dhparams "${srcdir}/params.dh" & PID=$! - #wait_server ${PID} - # - #"${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ - # fail ${PID} "Failed" - # - #kill ${PID} - #wait - - echo "Check TLS 1.2 with ECDHE-RSA ciphersuite" - launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-RSA:+CURVE-ALL${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" & PID=$! - wait_server ${PID} - - #-cipher ECDHE-RSA-AES128-SHA - "${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ - fail ${PID} "Failed" - - kill ${PID} - wait - - if test ${ALL_CURVES} = 1;then - echo "Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP224R1)" - launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC224_CERT}" --x509keyfile "${ECC224_KEY}" --x509cafile "${CA_ECC_CERT}" & PID=$! 
- wait_server ${PID} - - #-cipher ECDHE-ECDSA-AES128-SHA - "${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${ECC224_CERT}" key_file="${ECC224_KEY}" ca_file="${CA_ECC_CERT}" >"${LOGFILE}" 2>&1 || \ - fail ${PID} "Failed" - - kill ${PID} - wait - fi - - echo "Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP256R1)" - launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC256_CERT}" --x509keyfile "${ECC256_KEY}" --x509cafile "${CA_ECC_CERT}" & PID=$! - wait_server ${PID} - - #-cipher ECDHE-ECDSA-AES128-SHA - "${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${ECC256_CERT}" key_file="${ECC256_KEY}" ca_file="${CA_ECC_CERT}" >"${LOGFILE}" 2>&1 || \ - fail ${PID} "Failed" - - kill ${PID} - wait - - echo "Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP384R1)" - launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC384_CERT}" --x509keyfile "${ECC384_KEY}" --x509cafile "${CA_ECC_CERT}" & PID=$! - wait_server ${PID} - - #-cipher ECDHE-ECDSA-AES128-SHA - "${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${ECC384_CERT}" key_file="${ECC384_KEY}" ca_file="${CA_ECC_CERT}" >"${LOGFILE}" 2>&1 || \ - fail ${PID} "Failed" - - kill ${PID} - wait - - echo "Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP521R1)" - launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL${ADD}" --x509certfile "${ECC521_CERT}" --x509keyfile "${ECC521_KEY}" --x509cafile "${CA_ECC_CERT}" & PID=$! 
- wait_server ${PID} - - #-cipher ECDHE-ECDSA-AES128-SHA - "${POLARSSL_CLI}" server_name=localhost min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${ECC521_CERT}" key_file="${ECC521_KEY}" ca_file="${CA_ECC_CERT}" >"${LOGFILE}" 2>&1 || \ - fail ${PID} "Failed" - - kill ${PID} - wait - - echo "Check TLS 1.2 with PSK ciphersuite" - launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" & PID=$! - wait_server ${PID} - - #-cipher PSK-AES128-SHA - "${POLARSSL_CLI}" server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ - fail ${PID} "Failed" - - kill ${PID} - wait - - echo "Check TLS 1.2 with DHE-PSK ciphersuite" - launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" & PID=$! - wait_server ${PID} - - #-cipher PSK-AES128-SHA - "${POLARSSL_CLI}" server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ - fail ${PID} "Failed" - - kill ${PID} - wait - - echo "Check TLS 1.2 with ECDHE-PSK ciphersuite" - launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" & PID=$! 
- wait_server ${PID} - - #-cipher PSK-AES128-SHA - "${POLARSSL_CLI}" server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ - fail ${PID} "Failed" - - kill ${PID} - wait - - echo "Check TLS 1.2 with RSA-PSK ciphersuite" - launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+RSA-PSK:+CURVE-ALL${ADD}" --pskpasswd "${SERV_PSK}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" & PID=$! - wait_server ${PID} - - #-cipher RSA-PSK-AES128-SHA - "${POLARSSL_CLI}" server_name=localhost psk_identity=jas psk=9e32cf7786321a828ef7668f09fb35db min_version=tls1_2 max_version=tls1_2 server_port="${PORT}" crt_file="${CLI_CERT}" key_file="${CLI_KEY}" ca_file="${CA_CERT}" >"${LOGFILE}" 2>&1 || \ - fail ${PID} "Failed" - - kill ${PID} - wait + kill ${PID} + wait done rm -f "${LOGFILE}" diff --git a/tests/suite/testcompat-openssl b/tests/suite/testcompat-openssl index 42b695d..d7f9cc0 100755 --- a/tests/suite/testcompat-openssl +++ b/tests/suite/testcompat-openssl @@ -32,16 +32,16 @@ srcdir="${srcdir:-.}" -if ! test -x /usr/bin/openssl;then - echo "You need openssl to run this test" - exit 77 +if ! test -x /usr/bin/openssl; then + echo "You need openssl to run this test" + exit 77 fi /usr/bin/openssl version|grep fips >/dev/null 2>&1 -if test $? = 0;then - export FIPS=1 +if test $? = 0; then + export FIPS=1 else - export FIPS=0 + export FIPS=0 fi export TZ="UTC" @@ -49,8 +49,8 @@ export TZ="UTC" # Check for datefudge TSTAMP=`datefudge "2006-09-23 00:00 UTC" date -u +%s 2>/dev/null` if test "${TSTAMP}" != "1158969600"; then - echo "You need datefudge to run this test" - exit 77 + echo "You need datefudge to run this test" + exit 77 fi datefudge "2012-09-2" "${srcdir}/testcompat-main-openssl" 
diff --git a/tests/suite/testcompat-polarssl b/tests/suite/testcompat-polarssl index 41dd59f..c4dfb36 100755 --- a/tests/suite/testcompat-polarssl +++ b/tests/suite/testcompat-polarssl @@ -37,14 +37,14 @@ export TZ="UTC" # Check for datefudge TSTAMP=`datefudge "2006-09-23 00:00 UTC" date -u +%s 2>/dev/null` if test "${TSTAMP}" != "1158969600"; then - echo "You need datefudge to run this test" - exit 77 + echo "You need datefudge to run this test" + exit 77 fi cat /proc/cpuinfo|grep "model name"|grep "VIA Esther" >/dev/null 2>&1 -if test $? = 0;then - echo "PolarSSL is broken on VIA processors" - exit 77 +if test $? = 0; then + echo "PolarSSL is broken on VIA processors" + exit 77 fi datefudge "2012-09-2" "${srcdir}/testcompat-main-polarssl" diff --git a/tests/suite/testdane b/tests/suite/testdane index 2ec50dc..12d3ce1 100755 --- a/tests/suite/testdane +++ b/tests/suite/testdane @@ -24,8 +24,8 @@ unset RETCODE # Unfortunately it is extremely fragile and fails 99% of the # time. -if test "${WINDIR}" != "";then - exit 77 +if test "${WINDIR}" != ""; then + exit 77 fi . "${srcdir}/../scripts/common.sh" 
@@ -37,30 +37,30 @@ echo "*** Testing good HTTPS hosts ***" # www.vulcano.cl dane.nox.su HOSTS="good.dane.verisignlabs.com www.freebsd.org www.kumari.net torproject.org fedoraproject.org" HOSTS="${HOSTS} nohats.ca" -for host in ${HOSTS};do - echo -n "${host}: " +for host in ${HOSTS}; do + echo -n "${host}: " - "${DANETOOL}" --check "${host}" >/dev/null 2>&1 - if [ $? != 0 ];then - echo "Error checking ${host}" - exit 1 - fi - echo "ok" + "${DANETOOL}" --check "${host}" >/dev/null 2>&1 + if [ $? != 0 ]; then + echo "Error checking ${host}" + exit 1 + fi + echo "ok" done echo "" echo "*** Testing good SMTP hosts ***" #HOSTS="dougbarton.us nlnetlabs.nl" HOSTS="nlnetlabs.nl" -for host in ${HOSTS};do - echo -n "${host}: " +for host in ${HOSTS}; do + echo -n "${host}: " - "${DANETOOL}" --check "${host}" --port 25 >/dev/null 2>&1 - if [ $? != 0 ];then - echo "Error checking ${host}" - exit 1 - fi - echo "ok" + "${DANETOOL}" --check "${host}" --port 25 >/dev/null 2>&1 + if [ $? != 0 ]; then + echo "Error checking ${host}" + exit 1 + fi + echo "ok" done echo "" @@ -69,14 +69,14 @@ echo "*** Testing bad HTTPS hosts ***" # used to work: dane-broken.rd.nic.fr HOSTS="bad-hash.dane.verisignlabs.com bad-params.dane.verisignlabs.com" HOSTS="${HOSTS} bad-sig.dane.verisignlabs.com" -for host in ${HOSTS};do - echo -n "${host}: " - "${DANETOOL}" --check "${host}" >/dev/null 2>&1 - if [ $? = 0 ];then - echo "Checking ${host} should have failed" - exit 1 - fi - echo "ok" +for host in ${HOSTS}; do + echo -n "${host}: " + "${DANETOOL}" --check "${host}" >/dev/null 2>&1 + if [ $? = 0 ]; then + echo "Checking ${host} should have failed" + exit 1 + fi + echo "ok" done diff --git a/tests/suite/testpkcs11 b/tests/suite/testpkcs11 index b301cc3..53ae752 100755 --- a/tests/suite/testpkcs11 +++ b/tests/suite/testpkcs11 
@@ -26,15 +26,15 @@ SERV="${SERV:-../../src/gnutls-serv${EXEEXT}} -q" CLI="${CLI:-../../src/gnutls-cli${EXEEXT}}" RETCODE=0 -if ! test -z "${VALGRIND}";then - VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --leak-check=no" +if ! test -z "${VALGRIND}"; then + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --leak-check=no" fi TMPFILE="testpkcs11.debug" CERTTOOL_PARAM="--stdout-info" -if test "${WINDIR}" != "";then - exit 77 +if test "${WINDIR}" != ""; then + exit 77 fi P11TOOL="${VALGRIND} ${P11TOOL} --batch" @@ -46,11 +46,11 @@ PORT="${PORT:-${RPORT}}" rm -f "${TMPFILE}" exit_error () { - echo "Check ${TMPFILE} for additional debugging information" - echo "" - echo "" - tail "${TMPFILE}" - exit 1 + echo "Check ${TMPFILE} for additional debugging information" + echo "" + echo "" + tail "${TMPFILE}" + exit 1 } # $1: token @@ -58,18 +58,18 @@ exit_error () { # $3: filename # ${srcdir}/pkcs11-certs/client.key write_privkey () { - export GNUTLS_PIN="$2" - filename="$3" - token="$1" - - echo -n "* Writing a client private key... " - ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label gnutls-client2 --load-privkey "$(unknown)" "${token}" >>"${TMPFILE}" 2>&1 - if test $? = 0;then - echo ok - else - echo failed - exit_error - fi + export GNUTLS_PIN="$2" + filename="$3" + token="$1" + + echo -n "* Writing a client private key... " + ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label gnutls-client2 --load-privkey "$(unknown)" "${token}" >>"${TMPFILE}" 2>&1 + if test $? = 0; then + echo ok + else + echo failed + exit_error + fi } 
@@ -77,18 +77,18 @@ write_privkey () { # $2: PIN # $3: filename write_serv_privkey () { - export GNUTLS_PIN="$2" - filename="$3" - token="$1" - - echo -n "* Writing the server private key... " - ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label serv-key --load-privkey "$(unknown)" "${token}" >>"${TMPFILE}" 2>&1 - if test $? = 0;then - echo ok - else - echo failed - exit_error - fi + export GNUTLS_PIN="$2" + filename="$3" + token="$1" + + echo -n "* Writing the server private key... " + ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label serv-key --load-privkey "$(unknown)" "${token}" >>"${TMPFILE}" 2>&1 + if test $? = 0; then + echo ok + else + echo failed + exit_error + fi } @@ -96,18 +96,18 @@ write_serv_privkey () { # $2: PIN # $3: filename write_serv_cert () { - export GNUTLS_PIN="$2" - filename="$3" - token="$1" - - echo -n "* Writing the server certificate... " - ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --no-mark-private --label serv-cert --load-certificate "$(unknown)" "${token}" >>"${TMPFILE}" 2>&1 - if test $? = 0;then - echo ok - else - echo failed - exit_error - fi + export GNUTLS_PIN="$2" + filename="$3" + token="$1" + + echo -n "* Writing the server certificate... " + ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --no-mark-private --label serv-cert --load-certificate "$(unknown)" "${token}" >>"${TMPFILE}" 2>&1 + if test $? = 0; then + echo ok + else + echo failed + exit_error + fi } 
@@ -115,48 +115,48 @@ write_serv_cert () { # $2: PIN # $3: bits generate_rsa_privkey () { - export GNUTLS_PIN="$2" - token="$1" - bits="$3" - - echo -n "* Generating RSA private key ("${bits}")... " - ${P11TOOL} ${ADDITIONAL_PARAM} --login --id 000102030405 --label gnutls-client --generate-rsa --bits "${bits}" "${token}" --outfile tmp-client.pub >>"${TMPFILE}" 2>&1 - if test $? = 0;then - echo ok - else - echo failed - exit 1 - fi + export GNUTLS_PIN="$2" + token="$1" + bits="$3" + + echo -n "* Generating RSA private key ("${bits}")... " + ${P11TOOL} ${ADDITIONAL_PARAM} --login --id 000102030405 --label gnutls-client --generate-rsa --bits "${bits}" "${token}" --outfile tmp-client.pub >>"${TMPFILE}" 2>&1 + if test $? = 0; then + echo ok + else + echo failed + exit 1 + fi } # $1: token # $2: PIN # $3: bits generate_temp_rsa_privkey () { - export GNUTLS_PIN="$2" - token="$1" - bits="$3" - - echo -n "* Generating RSA private key ("${bits}")... " - ${P11TOOL} ${ADDITIONAL_PARAM} --login --label temp-rsa-"${bits}" --generate-rsa --bits "${bits}" "${token}" --outfile tmp-client.pub >>"${TMPFILE}" 2>&1 - if test $? = 0;then - RETCODE=0 - echo ok - else - echo failed - RETCODE=1 - fi - -# if test ${RETCODE} = 0;then + export GNUTLS_PIN="$2" + token="$1" + bits="$3" + + echo -n "* Generating RSA private key ("${bits}")... " + ${P11TOOL} ${ADDITIONAL_PARAM} --login --label temp-rsa-"${bits}" --generate-rsa --bits "${bits}" "${token}" --outfile tmp-client.pub >>"${TMPFILE}" 2>&1 + if test $? = 0; then + RETCODE=0 + echo ok + else + echo failed + RETCODE=1 + fi + +# if test ${RETCODE} = 0; then # echo -n "* Testing private key flags... " # ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-keys "${token};object=gnutls-client2;object-type=private" >tmp-client-2.pub 2>>"${TMPFILE}" -# if test $? != 0;then +# if test $? != 0; then # echo failed # exit_error # fi # # grep CKA_WRAP tmp-client-2.pub >>"${TMPFILE}" 2>&1 -# if test $? != 0;then +# if test $? 
!= 0; then # echo "failed (no CKA_WRAP)" # exit_error # else 
@@ -168,116 +168,116 @@ generate_temp_rsa_privkey () { # $1: token # $2: PIN delete_temp_privkey () { - export GNUTLS_PIN="$2" - token="$1" - type="$3" + export GNUTLS_PIN="$2" + token="$1" + type="$3" - test "${RETCODE}" = "0" || return + test "${RETCODE}" = "0" || return - echo -n "* Deleting private key... " - ${P11TOOL} ${ADDITIONAL_PARAM} --login --delete "${token};object=temp-${type};object-type=private" >>"${TMPFILE}" 2>&1 + echo -n "* Deleting private key... " + ${P11TOOL} ${ADDITIONAL_PARAM} --login --delete "${token};object=temp-${type};object-type=private" >>"${TMPFILE}" 2>&1 - if test $? != 0;then - echo failed - RETCODE=1 - return - fi + if test $? != 0; then + echo failed + RETCODE=1 + return + fi - RETCODE=0 - echo ok + RETCODE=0 + echo ok } # $1: token # $2: PIN # $3: bits export_pubkey_of_privkey () { - export GNUTLS_PIN="$2" - token="$1" - bits="$3" - - echo -n "* Exporting public key of generated private key... " - ${P11TOOL} ${ADDITIONAL_PARAM} --login --export-pubkey "${token};object=gnutls-client;object-type=private" --outfile tmp-client-2.pub >>"${TMPFILE}" 2>&1 - if test $? != 0;then - echo failed - exit 1 - fi - - ${DIFF} tmp-client.pub tmp-client-2.pub - if test $? != 0;then - echo keys differ - exit 1 - fi - - echo ok + export GNUTLS_PIN="$2" + token="$1" + bits="$3" + + echo -n "* Exporting public key of generated private key... " + ${P11TOOL} ${ADDITIONAL_PARAM} --login --export-pubkey "${token};object=gnutls-client;object-type=private" --outfile tmp-client-2.pub >>"${TMPFILE}" 2>&1 + if test $? != 0; then + echo failed + exit 1 + fi + + ${DIFF} tmp-client.pub tmp-client-2.pub + if test $? != 0; then + echo keys differ + exit 1 + fi + + echo ok } # $1: token # $2: PIN change_id_of_privkey () { - export GNUTLS_PIN="$2" - token="$1" - - echo -n "* Change the CKA_ID of generated private key... 
" - ${P11TOOL} ${ADDITIONAL_PARAM} --login --set-id "01a1b103" "${token};object=gnutls-client;id=%00%01%02%03%04%05;object-type=private" >>"${TMPFILE}" 2>&1 - if test $? != 0;then - echo failed - exit_error - fi - - ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-privkeys "${token};object=gnutls-client;object-type=private;id=%01%a1%b1%03" 2>&1 | grep 'ID: 01:a1:b1:03' >>"${TMPFILE}" 2>&1 - if test $? != 0;then - echo "ID didn't change" - exit_error - fi - - echo ok + export GNUTLS_PIN="$2" + token="$1" + + echo -n "* Change the CKA_ID of generated private key... " + ${P11TOOL} ${ADDITIONAL_PARAM} --login --set-id "01a1b103" "${token};object=gnutls-client;id=%00%01%02%03%04%05;object-type=private" >>"${TMPFILE}" 2>&1 + if test $? != 0; then + echo failed + exit_error + fi + + ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-privkeys "${token};object=gnutls-client;object-type=private;id=%01%a1%b1%03" 2>&1 | grep 'ID: 01:a1:b1:03' >>"${TMPFILE}" 2>&1 + if test $? != 0; then + echo "ID didn't change" + exit_error + fi + + echo ok } # $1: token # $2: PIN change_label_of_privkey () { - export GNUTLS_PIN="$2" - token="$1" - - echo -n "* Change the CKA_LABEL of generated private key... " - ${P11TOOL} ${ADDITIONAL_PARAM} --login --set-label "new-label" "${token};object=gnutls-client;object-type=private" >>"${TMPFILE}" 2>&1 - if test $? != 0;then - echo failed - exit_error - fi - - ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-privkeys "${token};object=new-label;object-type=private" 2>&1 |grep 'Label: new-label' >>"${TMPFILE}" 2>&1 - if test $? != 0;then - echo "label didn't change" - exit_error - fi - - ${P11TOOL} ${ADDITIONAL_PARAM} --login --set-label "gnutls-client" "${token};object=new-label;object-type=private" >>"${TMPFILE}" 2>&1 - if test $? != 0;then - echo failed - exit_error - fi - - echo ok + export GNUTLS_PIN="$2" + token="$1" + + echo -n "* Change the CKA_LABEL of generated private key... 
" + ${P11TOOL} ${ADDITIONAL_PARAM} --login --set-label "new-label" "${token};object=gnutls-client;object-type=private" >>"${TMPFILE}" 2>&1 + if test $? != 0; then + echo failed + exit_error + fi + + ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-privkeys "${token};object=new-label;object-type=private" 2>&1 |grep 'Label: new-label' >>"${TMPFILE}" 2>&1 + if test $? != 0; then + echo "label didn't change" + exit_error + fi + + ${P11TOOL} ${ADDITIONAL_PARAM} --login --set-label "gnutls-client" "${token};object=new-label;object-type=private" >>"${TMPFILE}" 2>&1 + if test $? != 0; then + echo failed + exit_error + fi + + echo ok } # $1: token # $2: PIN # $3: bits generate_temp_ecc_privkey () { - export GNUTLS_PIN="$2" - token="$1" - bits="$3" - - echo -n "* Generating ECC private key (${bits})... " - ${P11TOOL} ${ADDITIONAL_PARAM} --login --label "temp-ecc-${bits}" --generate-ecc --bits "${bits}" "${token}" --outfile tmp-client.pub >>"${TMPFILE}" 2>&1 - if test $? = 0;then - RETCODE=0 - echo ok - else - echo failed - RETCODE=1 - fi + export GNUTLS_PIN="$2" + token="$1" + bits="$3" + + echo -n "* Generating ECC private key (${bits})... " + ${P11TOOL} ${ADDITIONAL_PARAM} --login --label "temp-ecc-${bits}" --generate-ecc --bits "${bits}" "${token}" --outfile tmp-client.pub >>"${TMPFILE}" 2>&1 + if test $? = 0; then + RETCODE=0 + echo ok + else + echo failed + RETCODE=1 + fi } # $1: token 
@@ -288,109 +288,109 @@ generate_temp_ecc_privkey () { # Tests writing a certificate which corresponds to the given key, # as well as the CA certificate, and tries to export them. write_certificate_test () { - export GNUTLS_PIN="$2" - token="$1" - cakey="$3" - cacert="$4" - pubkey="$5" - - echo -n "* Generating client certificate... " - "${CERTTOOL}" ${CERTTOOL_PARAM} ${ADDITIONAL_PARAM} --generate-certificate --load-ca-privkey "${cakey}" --load-ca-certificate "${cacert}" \ - --template ${srcdir}/pkcs11-certs/client-tmpl --load-privkey "${token};object=gnutls-client;object-type=private" \ - --load-pubkey "$pubkey" --outfile tmp-client.crt >>"${TMPFILE}" 2>&1 - - if test $? = 0;then - echo ok - else - echo failed - exit_error - fi - - echo -n "* Writing client certificate... " - ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --id "01a1b103" --label gnutls-client --load-certificate tmp-client.crt "${token}" >>"${TMPFILE}" 2>&1 - if test $? = 0;then - echo ok - else - echo failed - exit_error - fi - - echo -n "* Checking whether ID was correctly set... " - ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-certs "${token};object=gnutls-client;object-type=private;id=%01%a1%b1%03" 2>&1 | grep 'ID: 01:a1:b1:03' >>"${TMPFILE}" 2>&1 - if test $? != 0;then - echo "ID was not set on copy" - exit_error - fi - echo ok - - echo -n "* Writing certificate of client's CA... " - ${P11TOOL} ${ADDITIONAL_PARAM} --login --mark-trusted --mark-ca --write --label gnutls-ca --load-certificate "${cacert}" "${token}" >>"${TMPFILE}" 2>&1 - ret=$? - if test ${ret} != 0;then - ${P11TOOL} ${ADDITIONAL_PARAM} --so-login --mark-ca --write --mark-trusted --label gnutls-ca --load-certificate "${cacert}" "${token}" >>"${TMPFILE}" 2>&1 - ret=$? - fi - - if test ${ret} = 0;then - echo ok - else - echo failed - exit_error - fi - - echo -n "* Testing certificate flags... 
" - ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-all-certs "${token};object=gnutls-ca;object-type=cert" |grep Flags|head -n 1 >tmp-client-2.pub 2>>"${TMPFILE}" - if test $? != 0;then - echo failed - exit_error - fi - - grep CKA_TRUSTED tmp-client-2.pub >>"${TMPFILE}" 2>&1 - if test $? != 0;then - echo "failed (no CKA_TRUSTED)" - #exit_error - fi - - grep "CKA_CERTIFICATE_CATEGORY=CA" tmp-client-2.pub >>"${TMPFILE}" 2>&1 - if test $? != 0;then - echo "failed (no CKA_CERTIFICATE_CATEGORY=CA)" - #exit_error - fi - - echo ok - - - echo -n "* Trying to obtain back the cert... " - ${P11TOOL} ${ADDITIONAL_PARAM} --export "${token};object=gnutls-ca;object-type=cert" --outfile crt1.tmp >>"${TMPFILE}" 2>&1 - ${DIFF} crt1.tmp "${srcdir}/pkcs11-certs/ca.crt" - if test $? != 0;then - echo "failed. Exported certificate differs (crt1.tmp)!" - exit_error - fi - rm -f crt1.tmp - if test $? = 0;then - echo ok - else - echo failed - exit_error - fi - - echo -n "* Trying to obtain the full chain... " - ${P11TOOL} ${ADDITIONAL_PARAM} --login --export-chain "${token};object=gnutls-client;object-type=cert"|"${CERTTOOL}" ${CERTTOOL_PARAM} -i --outfile crt1.tmp >>"${TMPFILE}" 2>&1 - - cat tmp-client.crt ${srcdir}/pkcs11-certs/ca.crt|"${CERTTOOL}" ${CERTTOOL_PARAM} -i >crt2.tmp - ${DIFF} crt1.tmp crt2.tmp - if test $? != 0;then - echo "failed. Exported certificate chain differs!" - exit_error - fi - rm -f crt1.tmp crt2.tmp - if test $? = 0;then - echo ok - else - echo failed - exit_error - fi + export GNUTLS_PIN="$2" + token="$1" + cakey="$3" + cacert="$4" + pubkey="$5" + + echo -n "* Generating client certificate... " + "${CERTTOOL}" ${CERTTOOL_PARAM} ${ADDITIONAL_PARAM} --generate-certificate --load-ca-privkey "${cakey}" --load-ca-certificate "${cacert}" \ + --template ${srcdir}/pkcs11-certs/client-tmpl --load-privkey "${token};object=gnutls-client;object-type=private" \ + --load-pubkey "$pubkey" --outfile tmp-client.crt >>"${TMPFILE}" 2>&1 + + if test $? 
= 0; then + echo ok + else + echo failed + exit_error + fi + + echo -n "* Writing client certificate... " + ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --id "01a1b103" --label gnutls-client --load-certificate tmp-client.crt "${token}" >>"${TMPFILE}" 2>&1 + if test $? = 0; then + echo ok + else + echo failed + exit_error + fi + + echo -n "* Checking whether ID was correctly set... " + ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-certs "${token};object=gnutls-client;object-type=private;id=%01%a1%b1%03" 2>&1 | grep 'ID: 01:a1:b1:03' >>"${TMPFILE}" 2>&1 + if test $? != 0; then + echo "ID was not set on copy" + exit_error + fi + echo ok + + echo -n "* Writing certificate of client's CA... " + ${P11TOOL} ${ADDITIONAL_PARAM} --login --mark-trusted --mark-ca --write --label gnutls-ca --load-certificate "${cacert}" "${token}" >>"${TMPFILE}" 2>&1 + ret=$? + if test ${ret} != 0; then + ${P11TOOL} ${ADDITIONAL_PARAM} --so-login --mark-ca --write --mark-trusted --label gnutls-ca --load-certificate "${cacert}" "${token}" >>"${TMPFILE}" 2>&1 + ret=$? + fi + + if test ${ret} = 0; then + echo ok + else + echo failed + exit_error + fi + + echo -n "* Testing certificate flags... " + ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-all-certs "${token};object=gnutls-ca;object-type=cert" |grep Flags|head -n 1 >tmp-client-2.pub 2>>"${TMPFILE}" + if test $? != 0; then + echo failed + exit_error + fi + + grep CKA_TRUSTED tmp-client-2.pub >>"${TMPFILE}" 2>&1 + if test $? != 0; then + echo "failed (no CKA_TRUSTED)" + #exit_error + fi + + grep "CKA_CERTIFICATE_CATEGORY=CA" tmp-client-2.pub >>"${TMPFILE}" 2>&1 + if test $? != 0; then + echo "failed (no CKA_CERTIFICATE_CATEGORY=CA)" + #exit_error + fi + + echo ok + + + echo -n "* Trying to obtain back the cert... " + ${P11TOOL} ${ADDITIONAL_PARAM} --export "${token};object=gnutls-ca;object-type=cert" --outfile crt1.tmp >>"${TMPFILE}" 2>&1 + ${DIFF} crt1.tmp "${srcdir}/pkcs11-certs/ca.crt" + if test $? != 0; then + echo "failed. 
Exported certificate differs (crt1.tmp)!" + exit_error + fi + rm -f crt1.tmp + if test $? = 0; then + echo ok + else + echo failed + exit_error + fi + + echo -n "* Trying to obtain the full chain... " + ${P11TOOL} ${ADDITIONAL_PARAM} --login --export-chain "${token};object=gnutls-client;object-type=cert"|"${CERTTOOL}" ${CERTTOOL_PARAM} -i --outfile crt1.tmp >>"${TMPFILE}" 2>&1 + + cat tmp-client.crt ${srcdir}/pkcs11-certs/ca.crt|"${CERTTOOL}" ${CERTTOOL_PARAM} -i >crt2.tmp + ${DIFF} crt1.tmp crt2.tmp + if test $? != 0; then + echo "failed. Exported certificate chain differs!" + exit_error + fi + rm -f crt1.tmp crt2.tmp + if test $? = 0; then + echo ok + else + echo failed + exit_error + fi } 
@@ -402,39 +402,39 @@ write_certificate_test () { # # Tests using a certificate and key pair using gnutls-serv and gnutls-cli. use_certificate_test () { - export GNUTLS_PIN="$2" - token="$1" - certfile="$3" - keyfile="$4" - cafile="$5" - txt="$6" - - echo -n "* Using PKCS #11 with gnutls-cli (${txt})... " - # start server - launch_pkcs11_server $$ "${ADDITIONAL_PARAM}" --echo --priority NORMAL --x509certfile="${certfile}" \ - --x509keyfile="$keyfile" --x509cafile="${cafile}" \ - --require-client-cert >>"${TMPFILE}" 2>&1 & - - PID=$! - wait_server ${PID} - - # connect to server using SC - ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509cafile="${cafile}" >"${TMPFILE}" 2>&1 && \ - fail ${PID} "Connection should have failed!" - - ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${certfile}" \ - --x509keyfile="$keyfile" --x509cafile="${cafile}" >"${TMPFILE}" 2>&1 || \ - fail ${PID} "Connection (with files) should have succeeded!" - - ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${token};object=gnutls-client;object-type=cert" \ - --x509keyfile="${token};object=gnutls-client;object-type=private" \ - --x509cafile="${cafile}" >"${TMPFILE}" 2>&1 || \ - fail ${PID} "Connection (with SC) should have succeeded!" - - kill ${PID} - wait - - echo ok + export GNUTLS_PIN="$2" + token="$1" + certfile="$3" + keyfile="$4" + cafile="$5" + txt="$6" + + echo -n "* Using PKCS #11 with gnutls-cli (${txt})... " + # start server + launch_pkcs11_server $$ "${ADDITIONAL_PARAM}" --echo --priority NORMAL --x509certfile="${certfile}" \ + --x509keyfile="$keyfile" --x509cafile="${cafile}" \ + --require-client-cert >>"${TMPFILE}" 2>&1 & + + PID=$! 
+ wait_server ${PID} + + # connect to server using SC + ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509cafile="${cafile}" >"${TMPFILE}" 2>&1 && \ + fail ${PID} "Connection should have failed!" + + ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${certfile}" \ + --x509keyfile="$keyfile" --x509cafile="${cafile}" >"${TMPFILE}" 2>&1 || \ + fail ${PID} "Connection (with files) should have succeeded!" + + ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${token};object=gnutls-client;object-type=cert" \ + --x509keyfile="${token};object=gnutls-client;object-type=private" \ + --x509cafile="${cafile}" >"${TMPFILE}" 2>&1 || \ + fail ${PID} "Connection (with SC) should have succeeded!" + + kill ${PID} + wait + + echo ok } @@ -445,15 +445,15 @@ echo "Testing PKCS11 support" type="$1" -if test -z "${type}";then - echo "usage: $0: [pkcs15|softhsm|sc-hsm]" - if test -x "/usr/bin/softhsm" || test -x "/usr/bin/softhsm2-util";then - echo "assuming 'softhsm'" - echo "" - type=softhsm - else - exit 1 - fi +if test -z "${type}"; then + echo "usage: $0: [pkcs15|softhsm|sc-hsm]" + if test -x "/usr/bin/softhsm" || test -x "/usr/bin/softhsm2-util"; then + echo "assuming 'softhsm'" + echo "" + type=softhsm + else + exit 1 + fi fi @@ -468,9 +468,9 @@ init_card "${GNUTLS_PIN}" "${GNUTLS_SO_PIN}" TOKEN=`${P11TOOL} ${ADDITIONAL_PARAM} --list-tokens pkcs11:token=Nikos|grep URL|grep token=GnuTLS-Test|sed 's/\s*URL\: //g'` echo "* Token: ${TOKEN}" -if test "x${TOKEN}" = x;then - echo "Could not find generated token" - exit_error +if test "x${TOKEN}" = x; then + echo "Could not find generated token" + exit_error fi #write a given privkey 
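Review bot: in use_certificate_test every `${CLI}` invocation redirects with `>"${TMPFILE}"`, which truncates the file the server was started with `>>"${TMPFILE}"`; when `fail ${PID}` fires on the second or third connection attempt, the server's earlier output and the first client's output are already gone, which makes the "Connection (with SC) should have succeeded!" case hard to diagnose. Using `>>"${TMPFILE}"` for the client runs, as the `--export-chain` step in write_certificate_test already does, keeps the whole transcript available.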
@@ -499,8 +499,8 @@ use_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${TOKEN};object=serv-cert;objec use_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${TOKEN};object=serv-cert" "${TOKEN};object=serv-key" "${srcdir}/pkcs11-certs/ca.crt" "abbrv URLs" -if test ${RETCODE} = 0;then - echo "* All smart cards tests succeeded" +if test ${RETCODE} = 0; then + echo "* All smart cards tests succeeded" fi rm -f tmp-client.crt tmp-client.pub tmp-client-2.pub "${TMPFILE}" diff --git a/tests/suite/testpkcs11.pkcs15 b/tests/suite/testpkcs11.pkcs15 index 59c535e..565282a 100644 --- a/tests/suite/testpkcs11.pkcs15 +++ b/tests/suite/testpkcs11.pkcs15 @@ -20,26 +20,26 @@ init_card () { - PIN="$1" - PUK="$2" + PIN="$1" + PUK="$2" - echo -n "* Erasing smart card... " - pkcs15-init -E >"${TMPFILE}" 2>&1 - if test $? = 0;then - echo ok - else - echo failed - cat "${TMPFILE}" - exit_error - fi + echo -n "* Erasing smart card... " + pkcs15-init -E >"${TMPFILE}" 2>&1 + if test $? = 0; then + echo ok + else + echo failed + cat "${TMPFILE}" + exit_error + fi - echo -n "* Initializing smart card... " - pkcs15-init --create-pkcs15 --profile pkcs15+onepin --use-default-transport-key --so-pin "${PIN}" --pin "${PIN}" --puk "${PUK}" --label "GnuTLS-Test" >"${TMPFILE}" 2>&1 - if test $? = 0;then - echo ok - else - echo failed - cat "${TMPFILE}" - exit_error - fi + echo -n "* Initializing smart card... " + pkcs15-init --create-pkcs15 --profile pkcs15+onepin --use-default-transport-key --so-pin "${PIN}" --pin "${PIN}" --puk "${PUK}" --label "GnuTLS-Test" >"${TMPFILE}" 2>&1 + if test $? = 0; then + echo ok + else + echo failed + cat "${TMPFILE}" + exit_error + fi } diff --git a/tests/suite/testpkcs11.sc-hsm b/tests/suite/testpkcs11.sc-hsm index 26ce485..f3eab68 100644 --- a/tests/suite/testpkcs11.sc-hsm +++ b/tests/suite/testpkcs11.sc-hsm 
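Review bot: in the pkcs15 init_card the second argument, which the caller passes as the SO PIN (see the `init_card "${GNUTLS_PIN}" "${GNUTLS_SO_PIN}"` context line in the testpkcs11 hunk), is stored as PUK and handed to `--puk`, while `--so-pin` receives the user PIN (`--so-pin "${PIN}" --pin "${PIN}" --puk "${PUK}"`). The softhsm and sc-hsm variants pass the second value as `--so-pin`. If the pkcs15 profile really needs the SO PIN to equal the user PIN a comment would help; otherwise `--so-pin "$2"` keeps the card's SO PIN consistent with the GNUTLS_SO_PIN the rest of the suite uses.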
@@ -20,31 +20,31 @@ init_card () { - PIN="$1" - PUK=3537363231383830 - export GNUTLS_SO_PIN="${PUK}" + PIN="$1" + PUK=3537363231383830 + export GNUTLS_SO_PIN="${PUK}" - echo -n "* Erasing smart card... " - sc-hsm-tool --initialize --so-pin "${PUK}" --pin "${PIN}" --label=GnuTLS-Test >>"${TMPFILE}" 2>&1 - if test $? = 0;then - echo ok - else - echo failed - exit_error - fi + echo -n "* Erasing smart card... " + sc-hsm-tool --initialize --so-pin "${PUK}" --pin "${PIN}" --label=GnuTLS-Test >>"${TMPFILE}" 2>&1 + if test $? = 0; then + echo ok + else + echo failed + exit_error + fi - echo -n "* Initializing smart card... " - TOKEN=`${P11TOOL} ${ADDITIONAL_PARAM} --list-tokens pkcs11:token=Nikos|grep URL|grep token=GnuTLS-Test|sed 's/\s*URL\: //g'` - if test -z "${TOKEN}";then - echo "Could not find initialized card" - exit_error - fi + echo -n "* Initializing smart card... " + TOKEN=`${P11TOOL} ${ADDITIONAL_PARAM} --list-tokens pkcs11:token=Nikos|grep URL|grep token=GnuTLS-Test|sed 's/\s*URL\: //g'` + if test -z "${TOKEN}"; then + echo "Could not find initialized card" + exit_error + fi - ${P11TOOL} ${ADDITIONAL_PARAM} --initialize "${TOKEN}" --set-so-pin "${PUK}" --set-pin "${PIN}" --label "GnuTLS-Test" >>"${TMPFILE}" 2>&1 - if test $? = 0;then - echo ok - else - echo failed - exit_error - fi + ${P11TOOL} ${ADDITIONAL_PARAM} --initialize "${TOKEN}" --set-so-pin "${PUK}" --set-pin "${PIN}" --label "GnuTLS-Test" >>"${TMPFILE}" 2>&1 + if test $? = 0; then + echo ok + else + echo failed + exit_error + fi } diff --git a/tests/suite/testpkcs11.softhsm b/tests/suite/testpkcs11.softhsm index b444e62..70badf1 100755 --- a/tests/suite/testpkcs11.softhsm +++ b/tests/suite/testpkcs11.softhsm 
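Review bot: the token lookup `sed 's/\s*URL\: //g'` (here and in the same line of the testpkcs11 hunk) relies on `\s`, a GNU sed extension, and on `\:`, whose meaning in a POSIX basic regular expression is undefined; on a non-GNU sed the substitution silently leaves the `URL: ` prefix in place and `TOKEN` then fails the `test -z` check with "Could not find initialized card". `sed 's/^[[:space:]]*URL: //'` expresses the same thing portably.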
@@ -18,57 +18,57 @@ # along with GnuTLS; if not, write to the Free Software Foundation, # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -if test -f /usr/lib64/pkcs11/libsofthsm2.so;then - ADDITIONAL_PARAM="--provider /usr/lib64/pkcs11/libsofthsm2.so" +if test -f /usr/lib64/pkcs11/libsofthsm2.so; then + ADDITIONAL_PARAM="--provider /usr/lib64/pkcs11/libsofthsm2.so" else - if test -f /usr/lib/softhsm/libsofthsm.so;then - ADDITIONAL_PARAM="--provider /usr/lib/softhsm/libsofthsm.so" - else - ADDITIONAL_PARAM="--provider /usr/lib64/softhsm/libsofthsm.so" - fi + if test -f /usr/lib/softhsm/libsofthsm.so; then + ADDITIONAL_PARAM="--provider /usr/lib/softhsm/libsofthsm.so" + else + ADDITIONAL_PARAM="--provider /usr/lib64/softhsm/libsofthsm.so" + fi fi init_card () { - PIN="$1" - PUK="$2" + PIN="$1" + PUK="$2" - if test -x "/usr/bin/softhsm2-util";then - export SOFTHSM2_CONF="softhsm-testpkcs11.config" - SOFTHSM_TOOL="/usr/bin/softhsm2-util" - ${SOFTHSM_TOOL} --version|grep "2.0.0b1" >/dev/null 2>&1 - if test $? = 0;then - echo "softhsm2-util 2.0.0b1 is broken" - exit 77 - fi - fi + if test -x "/usr/bin/softhsm2-util"; then + export SOFTHSM2_CONF="softhsm-testpkcs11.config" + SOFTHSM_TOOL="/usr/bin/softhsm2-util" + ${SOFTHSM_TOOL} --version|grep "2.0.0b1" >/dev/null 2>&1 + if test $? 
= 0; then + echo "softhsm2-util 2.0.0b1 is broken" + exit 77 + fi + fi - if test -x "/usr/bin/softhsm";then - export SOFTHSM_CONF="softhsm-testpkcs11.config" - SOFTHSM_TOOL="/usr/bin/softhsm" - fi + if test -x "/usr/bin/softhsm"; then + export SOFTHSM_CONF="softhsm-testpkcs11.config" + SOFTHSM_TOOL="/usr/bin/softhsm" + fi - if test -z "${SOFTHSM_TOOL}";then - echo "Could not find softhsm(2) tool" - exit 77 - fi + if test -z "${SOFTHSM_TOOL}"; then + echo "Could not find softhsm(2) tool" + exit 77 + fi - if test -z "${SOFTHSM_CONF}";then - rm -rf ./softhsm-testpkcs11.db - mkdir -p ./softhsm-testpkcs11.db - echo "objectstore.backend = file" > "${SOFTHSM2_CONF}" - echo "directories.tokendir = ./softhsm-testpkcs11.db" >> "${SOFTHSM2_CONF}" - else - rm -rf ./softhsm-testpkcs11.db - echo "0:./softhsm-testpkcs11.db" > "${SOFTHSM_CONF}" - fi + if test -z "${SOFTHSM_CONF}"; then + rm -rf ./softhsm-testpkcs11.db + mkdir -p ./softhsm-testpkcs11.db + echo "objectstore.backend = file" > "${SOFTHSM2_CONF}" + echo "directories.tokendir = ./softhsm-testpkcs11.db" >> "${SOFTHSM2_CONF}" + else + rm -rf ./softhsm-testpkcs11.db + echo "0:./softhsm-testpkcs11.db" > "${SOFTHSM_CONF}" + fi - echo -n "* Initializing smart card... " - ${SOFTHSM_TOOL} --init-token --slot 0 --label "GnuTLS-Test" --so-pin "${PUK}" --pin "${PIN}" >/dev/null #2>&1 - if test $? = 0;then - echo ok - else - echo failed - exit_error - fi + echo -n "* Initializing smart card... " + ${SOFTHSM_TOOL} --init-token --slot 0 --label "GnuTLS-Test" --so-pin "${PUK}" --pin "${PIN}" >/dev/null #2>&1 + if test $? = 0; then + echo ok + else + echo failed + exit_error + fi } diff --git a/tests/suite/testrandom b/tests/suite/testrandom index 894b2e9d..79b90d3 100755 --- a/tests/suite/testrandom +++ b/tests/suite/testrandom 
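Review bot: in the softhsm hunk the provider and the tool are chosen independently: ADDITIONAL_PARAM picks libsofthsm2.so when /usr/lib64/pkcs11/libsofthsm2.so exists, but in init_card the later `if test -x "/usr/bin/softhsm"` block overrides SOFTHSM_TOOL with the v1 tool and sets SOFTHSM_CONF whenever both tools are installed, so the token gets written to the v1 `0:./softhsm-testpkcs11.db` store while the tests load the v2 module (and SOFTHSM2_CONF stays exported pointing at a file that is never written). Deciding both from a single check, or making the v1 branch an `elif`, removes that mismatch. Separately, the `>/dev/null #2>&1` on the `--init-token` line looks like a leftover from debugging; either restore the redirection or delete the comment.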
@@ -22,8 +22,8 @@ srcdir="${srcdir:-.}" CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" -if ! test -z "${VALGRIND}";then - VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" +if ! test -z "${VALGRIND}"; then + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" fi counter=0 
@@ -32,56 +32,53 @@ file=test.out counter=0 echo "Testing verification with randomly generated certificates..." -while [ ${counter} -lt 400 ] -do - "${srcdir}/x509random.pl" > "${file}" - ${VALGRIND} "${CERTTOOL}" -i --inder --infile "${file}" --outfile "${file}.pem" >/dev/null 2>&1 - if test $? != 0;then - continue - fi - - cat "${file}.pem" "${srcdir}/../certs/ca-cert-ecc.pem" > "${file}-chain.pem" - - ${VALGRIND} "${CERTTOOL}" -e --infile "${file}-chain.pem" >/dev/null 2>&1 - ret=$? - if [ ${ret} != 1 ];then - echo "Succeeded verification with ${file}-chain.pem!" - exit 1 - fi - rm -f "${file}.pem" "${file}-chain.pem" - - counter=`expr ${counter} + 1` +while [ ${counter} -lt 400 ]; do + "${srcdir}/x509random.pl" > "${file}" + ${VALGRIND} "${CERTTOOL}" -i --inder --infile "${file}" --outfile "${file}.pem" >/dev/null 2>&1 + if test $? != 0; then + continue + fi + + cat "${file}.pem" "${srcdir}/../certs/ca-cert-ecc.pem" > "${file}-chain.pem" + + ${VALGRIND} "${CERTTOOL}" -e --infile "${file}-chain.pem" >/dev/null 2>&1 + ret=$? + if [ ${ret} != 1 ]; then + echo "Succeeded verification with ${file}-chain.pem!" + exit 1 + fi + rm -f "${file}.pem" "${file}-chain.pem" + + counter=`expr ${counter} + 1` done echo "Testing with randomly generated certificates..." -while [ ${counter} -lt 200 ] -do - "${srcdir}/x509random.pl" > "${file}" - ${VALGRIND} "${CERTTOOL}" -i --inder --infile "${file}" >/dev/null - ret=$? - if [ ${ret} != 0 -a ${ret} != 1 ];then - echo "Unknown exit code with ${file}" - exit 1 - fi - - counter=`expr ${counter} + 1` +while [ ${counter} -lt 200 ]; do + "${srcdir}/x509random.pl" > "${file}" + ${VALGRIND} "${CERTTOOL}" -i --inder --infile "${file}" >/dev/null + ret=$? + if [ ${ret} != 0 -a ${ret} != 1 ]; then + echo "Unknown exit code with ${file}" + exit 1 + fi + + counter=`expr ${counter} + 1` done counter=0 echo "Testing with random ASN.1 data..." 
-while [ ${counter} -lt 200 ] -do - "${srcdir}/asn1random.pl" > "${file}" - ${VALGRIND} "${CERTTOOL}" -i --inder --infile "${file}" >/dev/null 2>/dev/null - ret=$? - if [ ${ret} != 0 -a ${ret} != 1 ];then - echo "Unknown exit code with ${file}" - exit 1 - fi - - counter=`expr ${counter} + 1` +while [ ${counter} -lt 200 ]; do + "${srcdir}/asn1random.pl" > "${file}" + ${VALGRIND} "${CERTTOOL}" -i --inder --infile "${file}" >/dev/null 2>/dev/null + ret=$? + if [ ${ret} != 0 -a ${ret} != 1 ]; then + echo "Unknown exit code with ${file}" + exit 1 + fi + + counter=`expr ${counter} + 1` done rm -f "${file}" diff --git a/tests/suite/testrng b/tests/suite/testrng index 16fb4d5..c45c930 100755 --- a/tests/suite/testrng +++ b/tests/suite/testrng @@ -20,22 +20,22 @@ srcdir="${srcdir:-.}" -if ! test -x "/usr/bin/dieharder";then - exit 77 +if ! test -x "/usr/bin/dieharder"; then + exit 77 fi VERSION=`dieharder -l|grep version|cut -d ' ' -f 6` -if test "$1" = "full";then - OPTIONS="-a" +if test "$1" = "full"; then + OPTIONS="-a" else - if test "${VERSION}" = "2.28.1";then - OPTIONS="-d 5" - OPTIONS2="-d 10" - else - OPTIONS="-d 202" - OPTIONS2="-d 10" - fi + if test "${VERSION}" = "2.28.1"; then + OPTIONS="-d 5" + OPTIONS2="-d 10" + else + OPTIONS="-d 202" + OPTIONS2="-d 10" + fi fi OUTFILE=rng.log @@ -51,9 +51,9 @@ rm -f "${RNGFILE2}" RINPUTNO=`dieharder -g -1|grep file_input_raw|cut -d '|' -f 2|cut -d ' ' -f 1` -if test -z "${RINPUTNO}";then - echo "Cannot determine dieharder option for raw file input, assuming 201" - RINPUTNO=201 +if test -z "${RINPUTNO}"; then + echo "Cannot determine dieharder option for raw file input, assuming 201" + RINPUTNO=201 fi echo "" 
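Review bot: in the testrandom hunk `counter` is not reset between the first loop, which leaves it at 400, and the second `while [ ${counter} -lt 200 ]; do` loop under "Testing with randomly generated certificates...", so that loop never runs; a `counter=0` before it, as is already done before the ASN.1 loop, fixes that. While touching these lines, `[ ${ret} != 0 -a ${ret} != 1 ]` uses the `-a` form that POSIX marks obsolescent; `[ ${ret} != 0 ] && [ ${ret} != 1 ]` is the portable spelling.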
@@ -64,31 +64,31 @@ echo "Testing nonce PRNG" cmp "${RNGFILE}" "${RNGFILE2}" >/dev/null 2>&1 ret=$? -if test ${ret} = 0;then - echo "numbers are repeated in nonce!" - exit 1 +if test ${ret} = 0; then + echo "numbers are repeated in nonce!" + exit 1 fi ./rng nonce 100000000 "${RNGFILE}" dieharder -f "${RNGFILE}" -g ${RINPUTNO} ${OPTIONS} >"${OUTFILE}" 2>&1 -if ! test -z "${OPTIONS2}";then - dieharder -f "${RNGFILE}" -g ${RINPUTNO} ${OPTIONS2} >>"${OUTFILE}" 2>&1 +if ! test -z "${OPTIONS2}"; then + dieharder -f "${RNGFILE}" -g ${RINPUTNO} ${OPTIONS2} >>"${OUTFILE}" 2>&1 fi grep FAILED "${OUTFILE}" >/dev/null 2>&1 ret=$? -if test "${ret}" = "0";then - echo "test failed for nonce" - exit 1 +if test "${ret}" = "0"; then + echo "test failed for nonce" + exit 1 fi grep PASSED "${OUTFILE}" >/dev/null 2>&1 ret=$? -if test "${ret}" != "0";then - echo "could not run dieharder test?" - exit 1 +if test "${ret}" != "0"; then + echo "could not run dieharder test?" + exit 1 fi cat "${OUTFILE}" @@ -101,32 +101,32 @@ echo "Testing key PRNG" cmp "${RNGFILE}" "${RNGFILE2}" >/dev/null 2>&1 ret=$? -if test ${ret} = 0;then - echo "numbers are repeated in nonce!" - exit 1 +if test ${ret} = 0; then + echo "numbers are repeated in nonce!" + exit 1 fi ./rng key 100000000 "${RNGFILE}" dieharder -f "${RNGFILE}" -g ${RINPUTNO} ${OPTIONS} >"${OUTFILE}" 2>&1 -if ! test -z "${OPTIONS2}";then - dieharder -f "${RNGFILE}" -g ${RINPUTNO} ${OPTIONS2} >>"${OUTFILE}" 2>&1 +if ! test -z "${OPTIONS2}"; then + dieharder -f "${RNGFILE}" -g ${RINPUTNO} ${OPTIONS2} >>"${OUTFILE}" 2>&1 fi grep FAILED "${OUTFILE}" >/dev/null 2>&1 ret=$? -if test "${ret}" = "0";then - echo "test failed for key" - exit 1 +if test "${ret}" = "0"; then + echo "test failed for key" + exit 1 fi grep PASSED "${OUTFILE}" >/dev/null 2>&1 ret=$? -if test "${ret}" != "0";then - echo "could not run dieharder test?" - exit 1 +if test "${ret}" != "0"; then + echo "could not run dieharder test?" + exit 1 fi cat "${OUTFILE}" 
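Review bot: in the "Testing key PRNG" hunk (`@@ -101,32 +101,32 @@`) the failure message after `cmp "${RNGFILE}" "${RNGFILE2}"` still reads "numbers are repeated in nonce!", copied from the nonce section; it should say "key" so a failing run points at the right generator. The later "test failed for key" message in the same block already has the correct wording.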
@@ -136,23 +136,23 @@ echo "Testing /dev/zero PRNG" dd if=/dev/zero of="${RNGFILE}" bs=4 count=10000000 >/dev/null 2>&1 dieharder -f "${RNGFILE}" -g ${RINPUTNO} ${OPTIONS} >"${OUTFILE}" 2>&1 -if ! test -z "${OPTIONS2}";then - dieharder -f "${RNGFILE}" -g ${RINPUTNO} ${OPTIONS2} >>"${OUTFILE}" 2>&1 +if ! test -z "${OPTIONS2}"; then + dieharder -f "${RNGFILE}" -g ${RINPUTNO} ${OPTIONS2} >>"${OUTFILE}" 2>&1 fi grep PASSED "${OUTFILE}" >/dev/null 2>&1 ret=$? -if test "${ret}" = "0";then - echo "test succeeded for /dev/zero!!!" - exit 1 +if test "${ret}" = "0"; then + echo "test succeeded for /dev/zero!!!" + exit 1 fi grep FAILED "${OUTFILE}" >/dev/null 2>&1 ret=$? -if test "${ret}" != "0";then - echo "could not run dieharder test?" - exit 1 +if test "${ret}" != "0"; then + echo "could not run dieharder test?" + exit 1 fi cat "${OUTFILE}" diff --git a/tests/suite/testsrn b/tests/suite/testsrn index 783ed9d..3ea2c15 100755 --- a/tests/suite/testsrn +++ b/tests/suite/testsrn @@ -25,8 +25,8 @@ SERV="${SERV:-../../src/gnutls-serv${EXEEXT}} -q" CLI="${CLI:-../../src/gnutls-cli${EXEEXT}}" unset RETCODE -if test "${WINDIR}" != "";then - exit 77 +if test "${WINDIR}" != ""; then + exit 77 fi . "${srcdir}/../scripts/common.sh" 
@@ -40,19 +40,19 @@ PID=$! wait_server ${PID} "${CLI}" -p "${PORT}" 127.0.0.1 --rehandshake --priority NONE:+AES-128-CBC:+MD5:+SHA1:+VERS-TLS1.0:+ANON-DH:+COMP-NULL:%SAFE_RENEGOTIATION /dev/null 2>&1 || \ - fail ${PID} "0. Renegotiation should have succeeded!" + fail ${PID} "0. Renegotiation should have succeeded!" "${CLI}" -p "${PORT}" 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%SAFE_RENEGOTIATION /dev/null 2>&1 || \ - fail ${PID} "1. Safe rehandshake should have succeeded!" + fail ${PID} "1. Safe rehandshake should have succeeded!" "${CLI}" -p "${PORT}" 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%UNSAFE_RENEGOTIATION /dev/null 2>&1 || \ - fail ${PID} "2. Unsafe rehandshake should have succeeded!" + fail ${PID} "2. Unsafe rehandshake should have succeeded!" "${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION /dev/null 2>&1 || \ - fail ${PID} "3. Unsafe negotiation should have succeeded!" + fail ${PID} "3. Unsafe negotiation should have succeeded!" "${CLI}" -p "${PORT}" 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION /dev/null 2>&1 && \ - fail ${PID} "4. Unsafe renegotiation should have failed!" + fail ${PID} "4. Unsafe renegotiation should have failed!" kill ${PID} 
@@ -63,16 +63,16 @@ PID=$! wait_server ${PID} "${CLI}" -p "${PORT}" 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%SAFE_RENEGOTIATION /dev/null 2>&1 || \ - fail ${PID} "5. Safe rehandshake should have succeeded!" + fail ${PID} "5. Safe rehandshake should have succeeded!" "${CLI}" -p "${PORT}" 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%UNSAFE_RENEGOTIATION /dev/null 2>&1 || \ - fail ${PID} "6. Unsafe rehandshake should have succeeded!" + fail ${PID} "6. Unsafe rehandshake should have succeeded!" "${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION /dev/null 2>&1 && \ - fail ${PID} "7. Unsafe negotiation should have failed!" + fail ${PID} "7. Unsafe negotiation should have failed!" "${CLI}" -p "${PORT}" 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION /dev/null 2>&1 && \ - fail ${PID} "8. Unsafe renegotiation should have failed!" + fail ${PID} "8. Unsafe renegotiation should have failed!" kill ${PID} wait @@ -82,16 +82,16 @@ PID=$! wait_server ${PID} "${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:+ANON-DH:%SAFE_RENEGOTIATION /dev/null 2>&1 && \ - fail ${PID} "9. Initial connection should have failed!" + fail ${PID} "9. Initial connection should have failed!" "${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:+ANON-DH:%UNSAFE_RENEGOTIATION /dev/null 2>&1 || \ - fail ${PID} "10. Unsafe connection should have succeeded!" + fail ${PID} "10. Unsafe connection should have succeeded!" "${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION /dev/null 2>&1 || \ - fail ${PID} "11. Unsafe negotiation should have succeeded!" + fail ${PID} "11. Unsafe negotiation should have succeeded!" "${CLI}" -p "${PORT}" 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION /dev/null 2>&1 || \ - fail ${PID} "12. Unsafe renegotiation should have succeeded!" + fail ${PID} "12. Unsafe renegotiation should have succeeded!" kill ${PID} wait 
diff --git a/tests/userid/userid b/tests/userid/userid index fbf97e7..b1c93fc 100755 --- a/tests/userid/userid +++ b/tests/userid/userid @@ -23,12 +23,12 @@ srcdir="${srcdir:-.}" CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" -$CERTTOOL --certificate-info --infile "${srcdir}/userid.pem" >out 2>&1 +"${CERTTOOL}" --certificate-info --infile "${srcdir}/userid.pem" >out 2>&1 RET=$? -if [ ${RET} != 0 ];then - echo "Error in userid:" - cat out - exit 1 +if [ ${RET} != 0 ]; then + echo "Error in userid:" + cat out + exit 1 fi rm -f out -- 2.3.6 From nmav at gnutls.org Mon Jun 22 21:14:05 2015 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Mon, 22 Jun 2015 21:14:05 +0200 Subject: [gnutls-devel] [PATCH 1/2] tests: suite: ciphersuite: fixups In-Reply-To: <1434908615-31312-1-git-send-email-alon.barlev@gmail.com> References: <1434908615-31312-1-git-send-email-alon.barlev@gmail.com> Message-ID: <1435000445.1783.0.camel@gnutls.org> On Sun, 2015-06-21 at 20:43 +0300, Alon Bar-Lev wrote: > fix separate builddir issue, without modifying locations, quite ugly. Thank you. Applied. From nmav at gnutls.org Wed Jun 24 21:54:41 2015 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Wed, 24 Jun 2015 21:54:41 +0200 Subject: [gnutls-devel] [PATCH 1/2] tests: suite: ciphersuite: fixups In-Reply-To: References: <1434908615-31312-1-git-send-email-alon.barlev@gmail.com> <1435000445.1783.0.camel@gnutls.org> <1435174737.2803.0.camel@gnutls.org> Message-ID: <1435175681.3393.0.camel@gnutls.org> On Wed, 2015-06-24 at 22:42 +0300, Alon Bar-Lev wrote: > On 24 June 2015 at 22:38, Nikos Mavrogiannopoulos wrote: > > > > On Wed, 2015-06-24 at 21:18 +0300, Alon Bar-Lev wrote: > > > Hi, > > > > > > Any problem with the last patch? the tab indent? it was too large so > > > probably somewhere in queue. > > > > Did I miss some patch? I believe I've applied all you've sent. Now received and applied. Thank you.