mbedtls/tests/compat.sh

#!/bin/sh

# compat.sh
#
# Copyright The Mbed TLS Contributors
# SPDX-License-Identifier: Apache-2.0
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Purpose
#
# Test interoperbility with OpenSSL, GnuTLS as well as itself.
#
# Check each common ciphersuite, with each version, both ways (client/server),
# with and without client authentication.

set -u

# Limit the size of each log to 10 GiB, in case of failures with this script
# where it may output seemingly unlimited length error logs.
ulimit -f 20971520

# initialise counters
TESTS=0
FAILED=0
SKIPPED=0
SRVMEM=0

# default commands, can be overridden by the environment
: ${M_SRV:=../programs/ssl/ssl_server2}
: ${M_CLI:=../programs/ssl/ssl_client2}
: ${OPENSSL:=openssl}
: ${GNUTLS_CLI:=gnutls-cli}
: ${GNUTLS_SERV:=gnutls-serv}

# The OPENSSL variable used to be OPENSSL_CMD for historical reasons.
# To help the migration, error out if the old variable is set,
# but only if it has a different value than the new one.
if [ "${OPENSSL_CMD+set}" = set ]; then
    # the variable is set, we can now check its value
    if [ "$OPENSSL_CMD" != "$OPENSSL" ]; then
        echo "Please use OPENSSL instead of OPENSSL_CMD." >&2
        exit 125
    fi
fi

# do we have a recent enough GnuTLS?
if ( which $GNUTLS_CLI && which $GNUTLS_SERV ) >/dev/null 2>&1; then
    G_VER="$( $GNUTLS_CLI --version | head -n1 )"
    if echo "$G_VER" | grep '@VERSION@' > /dev/null; then # git version
        PEER_GNUTLS=" GnuTLS"
    else
        eval $( echo $G_VER | sed 's/.* \([0-9]*\)\.\([0-9]\)*\.\([0-9]*\)$/MAJOR="\1" MINOR="\2" PATCH="\3"/' )
        if [ $MAJOR -lt 3 -o \
            \( $MAJOR -eq 3 -a $MINOR -lt 2 \) -o \
            \( $MAJOR -eq 3 -a $MINOR -eq 2 -a $PATCH -lt 15 \) ]
        then
            PEER_GNUTLS=""
        else
            PEER_GNUTLS=" GnuTLS"
            if [ $MINOR -lt 4 ]; then
                GNUTLS_MINOR_LT_FOUR='x'
            fi
        fi
    fi
else
    PEER_GNUTLS=""
fi

# default values for options
# /!\ keep this synchronised with:
# - basic-build-test.sh
# - all.sh (multiple components)
MODES="tls12 dtls12"
VERIFIES="NO YES"
TYPES="ECDSA RSA PSK"
FILTER=""
# By default, exclude:
# - NULL: excluded from our default config + requires OpenSSL legacy
# - ARIA: requires OpenSSL >= 1.1.1
# - ChachaPoly: requires OpenSSL >= 1.1.0
EXCLUDE='NULL\|ARIA\|CHACHA20_POLY1305'
VERBOSE=""
MEMCHECK=0
PEERS="OpenSSL$PEER_GNUTLS mbedTLS"

# hidden option: skip DTLS with OpenSSL
# (travis CI has a version that doesn't work for us)
: ${OSSL_NO_DTLS:=0}

print_usage() {
    echo "Usage: $0"
    printf "  -h|--help\tPrint this help.\n"
    printf "  -f|--filter\tOnly matching ciphersuites are tested (Default: '%s')\n" "$FILTER"
    printf "  -e|--exclude\tMatching ciphersuites are excluded (Default: '%s')\n" "$EXCLUDE"
    printf "  -m|--modes\tWhich modes to perform (Default: '%s')\n" "$MODES"
    printf "  -t|--types\tWhich key exchange type to perform (Default: '%s')\n" "$TYPES"
    printf "  -V|--verify\tWhich verification modes to perform (Default: '%s')\n" "$VERIFIES"
    printf "  -p|--peers\tWhich peers to use (Default: '%s')\n" "$PEERS"
    printf "            \tAlso available: GnuTLS (needs v3.2.15 or higher)\n"
    printf "  -M|--memcheck\tCheck memory leaks and errors.\n"
    printf "  -v|--verbose\tSet verbose output.\n"
}

get_options() {
    while [ $# -gt 0 ]; do
        case "$1" in
            -f|--filter)
                shift; FILTER=$1
                ;;
            -e|--exclude)
                shift; EXCLUDE=$1
                ;;
            -m|--modes)
                shift; MODES=$1
                ;;
            -t|--types)
                shift; TYPES=$1
                ;;
            -V|--verify)
                shift; VERIFIES=$1
                ;;
            -p|--peers)
                shift; PEERS=$1
                ;;
            -v|--verbose)
                VERBOSE=1
                ;;
            -M|--memcheck)
                MEMCHECK=1
                ;;
            -h|--help)
                print_usage
                exit 0
                ;;
            *)
                echo "Unknown argument: '$1'"
                print_usage
                exit 1
                ;;
        esac
        shift
    done

    # sanitize some options (modes checked later)
    VERIFIES="$( echo $VERIFIES | tr [a-z] [A-Z] )"
    TYPES="$( echo $TYPES | tr [a-z] [A-Z] )"
}

log() {
  if [ "X" != "X$VERBOSE" ]; then
    echo ""
    echo "$@"
  fi
}

# is_dtls <mode>
is_dtls()
{
    test "$1" = "dtls12"
}

# minor_ver <mode>
minor_ver()
{
    case "$1" in
        tls12|dtls12)
            echo 3
            ;;
        *)
            echo "error: invalid mode: $MODE" >&2
            # exiting is no good here, typically called in a subshell
            echo -1
    esac
}

filter()
{
  LIST="$1"
  NEW_LIST=""

  EXCLMODE="$EXCLUDE"

  for i in $LIST;
  do
    NEW_LIST="$NEW_LIST $( echo "$i" | grep "$FILTER" | grep -v "$EXCLMODE" )"
  done

  # normalize whitespace
  echo "$NEW_LIST" | sed -e 's/[[:space:]][[:space:]]*/ /g' -e 's/^ //' -e 's/ $//'
}

filter_ciphersuites()
{
    if [ "X" != "X$FILTER" -o "X" != "X$EXCLUDE" ];
    then
        # Ciphersuite for mbed TLS
        M_CIPHERS=$( filter "$M_CIPHERS" )

        # Ciphersuite for OpenSSL
        O_CIPHERS=$( filter "$O_CIPHERS" )

        # Ciphersuite for GnuTLS
        G_CIPHERS=$( filter "$G_CIPHERS" )
    fi

    # For GnuTLS client -> mbed TLS server,
    # we need to force IPv4 by connecting to 127.0.0.1 but then auth fails
    if is_dtls "$MODE" && [ "X$VERIFY" = "XYES" ]; then
        G_CIPHERS=""
    fi
}

reset_ciphersuites()
{
    M_CIPHERS=""
    O_CIPHERS=""
    G_CIPHERS=""
}

# translate_ciphers {g|m|o} {STANDARD_CIPHER_SUITE_NAME...}
# Set $ciphers to the cipher suite name translations for the specified
# program (gnutls, mbedtls or openssl). $ciphers is a space-separated
# list of entries of the form "STANDARD_NAME=PROGRAM_NAME".
translate_ciphers()
{
    ciphers=$(scripts/translate_ciphers.py "$@")
    if [ $? -ne 0 ]; then
        echo "translate_ciphers.py failed with exit code $1" >&2
        echo "$2" >&2
        exit 1
    fi
}

# Ciphersuites that can be used with all peers.
# Since we currently have three possible peers, each ciphersuite should appear
# three times: in each peer's list (with the name that this peer uses).
add_common_ciphersuites()
{
    CIPHERS=""
    case $TYPE in

        "ECDSA")
            CIPHERS="$CIPHERS                           \
                TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA    \
                TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 \
                TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 \
                TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA    \
                TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 \
                TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 \
                TLS_ECDHE_ECDSA_WITH_NULL_SHA           \
                "
            ;;

        "RSA")
            CIPHERS="$CIPHERS                           \
                TLS_DHE_RSA_WITH_AES_128_CBC_SHA        \
                TLS_DHE_RSA_WITH_AES_128_CBC_SHA256     \
                TLS_DHE_RSA_WITH_AES_128_GCM_SHA256     \
                TLS_DHE_RSA_WITH_AES_256_CBC_SHA        \
                TLS_DHE_RSA_WITH_AES_256_CBC_SHA256     \
                TLS_DHE_RSA_WITH_AES_256_GCM_SHA384     \
                TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA   \
                TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA   \
                TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      \
                TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256   \
                TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   \
                TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA      \
                TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   \
                TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   \
                TLS_ECDHE_RSA_WITH_NULL_SHA             \
                TLS_RSA_WITH_AES_128_CBC_SHA            \
                TLS_RSA_WITH_AES_128_CBC_SHA256         \
                TLS_RSA_WITH_AES_128_GCM_SHA256         \
                TLS_RSA_WITH_AES_256_CBC_SHA            \
                TLS_RSA_WITH_AES_256_CBC_SHA256         \
                TLS_RSA_WITH_AES_256_GCM_SHA384         \
                TLS_RSA_WITH_CAMELLIA_128_CBC_SHA       \
                TLS_RSA_WITH_CAMELLIA_256_CBC_SHA       \
                TLS_RSA_WITH_NULL_MD5                   \
                TLS_RSA_WITH_NULL_SHA                   \
                TLS_RSA_WITH_NULL_SHA256                \
                "
            ;;

        "PSK")
            CIPHERS="$CIPHERS                           \
                TLS_PSK_WITH_AES_128_CBC_SHA            \
                TLS_PSK_WITH_AES_256_CBC_SHA            \
                "
            ;;
    esac

    O_CIPHERS="$O_CIPHERS $CIPHERS"
    G_CIPHERS="$G_CIPHERS $CIPHERS"
    M_CIPHERS="$M_CIPHERS $CIPHERS"
}

# Ciphersuites usable only with Mbed TLS and OpenSSL
# A list of ciphersuites in the standard naming convention is appended
# to the list of Mbed TLS ciphersuites $M_CIPHERS and
# to the list of OpenSSL ciphersuites $O_CIPHERS respectively.
# Based on client's naming convention, all ciphersuite names will be
# translated into another naming format before sent to the client.
#
# NOTE: for some reason RSA-PSK doesn't work with OpenSSL,
# so RSA-PSK ciphersuites need to go in other sections, see
# https://github.com/Mbed-TLS/mbedtls/issues/1419
#
# ChachaPoly suites are here rather than in "common", as they were added in
# GnuTLS in 3.5.0 and the CI only has 3.4.x so far.
add_openssl_ciphersuites()
{
    CIPHERS=""
    case $TYPE in

        "ECDSA")
            CIPHERS="$CIPHERS                                   \
                TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA             \
                TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256          \
                TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256          \
                TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA             \
                TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384          \
                TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384          \
                TLS_ECDH_ECDSA_WITH_NULL_SHA                    \
                TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256        \
                TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384        \
                TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256   \
                "
            ;;

        "RSA")
            CIPHERS="$CIPHERS                                   \
                TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256            \
                TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384            \
                TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256       \
                TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256          \
                TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384          \
                TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256     \
                TLS_RSA_WITH_ARIA_128_GCM_SHA256                \
                TLS_RSA_WITH_ARIA_256_GCM_SHA384                \
                "
            ;;

        "PSK")
            CIPHERS="$CIPHERS                                   \
                TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256            \
                TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384            \
                TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256       \
                TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256     \
                TLS_PSK_WITH_ARIA_128_GCM_SHA256                \
                TLS_PSK_WITH_ARIA_256_GCM_SHA384                \
                TLS_PSK_WITH_CHACHA20_POLY1305_SHA256           \
                "
            ;;
    esac

    O_CIPHERS="$O_CIPHERS $CIPHERS"
    M_CIPHERS="$M_CIPHERS $CIPHERS"
}

# Ciphersuites usable only with Mbed TLS and GnuTLS
# A list of ciphersuites in the standard naming convention is appended
# to the list of Mbed TLS ciphersuites $M_CIPHERS and
# to the list of GnuTLS ciphersuites $G_CIPHERS respectively.
# Based on client's naming convention, all ciphersuite names will be
# translated into another naming format before sent to the client.
add_gnutls_ciphersuites()
{
    CIPHERS=""
    case $TYPE in

        "ECDSA")
            CIPHERS="$CIPHERS                                       \
                TLS_ECDHE_ECDSA_WITH_AES_128_CCM                    \
                TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8                  \
                TLS_ECDHE_ECDSA_WITH_AES_256_CCM                    \
                TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8                  \
                TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256        \
                TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256        \
                TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384        \
                TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384        \
                "
            ;;

        "RSA")
            CIPHERS="$CIPHERS                               \
                TLS_DHE_RSA_WITH_AES_128_CCM                \
                TLS_DHE_RSA_WITH_AES_128_CCM_8              \
                TLS_DHE_RSA_WITH_AES_256_CCM                \
                TLS_DHE_RSA_WITH_AES_256_CCM_8              \
                TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256    \
                TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256    \
                TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256    \
                TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384    \
                TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256  \
                TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256  \
                TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384  \
                TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384  \
                TLS_RSA_WITH_AES_128_CCM                    \
                TLS_RSA_WITH_AES_128_CCM_8                  \
                TLS_RSA_WITH_AES_256_CCM                    \
                TLS_RSA_WITH_AES_256_CCM_8                  \
                TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256        \
                TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256        \
                TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256        \
                TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384        \
                "
            ;;

        "PSK")
            CIPHERS="$CIPHERS                               \
                TLS_DHE_PSK_WITH_AES_128_CBC_SHA            \
                TLS_DHE_PSK_WITH_AES_128_CBC_SHA256         \
                TLS_DHE_PSK_WITH_AES_128_CCM                \
                TLS_DHE_PSK_WITH_AES_128_CCM_8              \
                TLS_DHE_PSK_WITH_AES_128_GCM_SHA256         \
                TLS_DHE_PSK_WITH_AES_256_CBC_SHA            \
                TLS_DHE_PSK_WITH_AES_256_CBC_SHA384         \
                TLS_DHE_PSK_WITH_AES_256_CCM                \
                TLS_DHE_PSK_WITH_AES_256_CCM_8              \
                TLS_DHE_PSK_WITH_AES_256_GCM_SHA384         \
                TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256    \
                TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256    \
                TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384    \
                TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384    \
                TLS_DHE_PSK_WITH_NULL_SHA256                \
                TLS_DHE_PSK_WITH_NULL_SHA384                \
                TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA          \
                TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256       \
                TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA          \
                TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384       \
                TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256  \
                TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384  \
                TLS_ECDHE_PSK_WITH_NULL_SHA256              \
                TLS_ECDHE_PSK_WITH_NULL_SHA384              \
                TLS_PSK_WITH_AES_128_CBC_SHA256             \
                TLS_PSK_WITH_AES_128_CCM                    \
                TLS_PSK_WITH_AES_128_CCM_8                  \
                TLS_PSK_WITH_AES_128_GCM_SHA256             \
                TLS_PSK_WITH_AES_256_CBC_SHA384             \
                TLS_PSK_WITH_AES_256_CCM                    \
                TLS_PSK_WITH_AES_256_CCM_8                  \
                TLS_PSK_WITH_AES_256_GCM_SHA384             \
                TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256        \
                TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256        \
                TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384        \
                TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384        \
                TLS_PSK_WITH_NULL_SHA256                    \
                TLS_PSK_WITH_NULL_SHA384                    \
                TLS_RSA_PSK_WITH_AES_128_CBC_SHA            \
                TLS_RSA_PSK_WITH_AES_128_CBC_SHA256         \
                TLS_RSA_PSK_WITH_AES_128_GCM_SHA256         \
                TLS_RSA_PSK_WITH_AES_256_CBC_SHA            \
                TLS_RSA_PSK_WITH_AES_256_CBC_SHA384         \
                TLS_RSA_PSK_WITH_AES_256_GCM_SHA384         \
                TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256    \
                TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256    \
                TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384    \
                TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384    \
                TLS_RSA_PSK_WITH_NULL_SHA256                \
                TLS_RSA_PSK_WITH_NULL_SHA384                \
                "
            ;;
    esac

    G_CIPHERS="$G_CIPHERS $CIPHERS"
    M_CIPHERS="$M_CIPHERS $CIPHERS"
}

# Ciphersuites usable only with Mbed TLS (not currently supported by another
# peer usable in this script). This provides only very rudimentaty testing, as
# this is not interop testing, but it's better than nothing.
add_mbedtls_ciphersuites()
{
    case $TYPE in

        "ECDSA")
            M_CIPHERS="$M_CIPHERS                               \
                TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256         \
                TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256         \
                TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384         \
                TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384         \
                TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256     \
                TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256     \
                TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384     \
                TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384     \
                TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256        \
                TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384        \
                "
            ;;

        "RSA")
            M_CIPHERS="$M_CIPHERS                               \
                TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256            \
                TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384            \
                TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256          \
                TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384          \
                TLS_RSA_WITH_ARIA_128_CBC_SHA256                \
                TLS_RSA_WITH_ARIA_256_CBC_SHA384                \
                "
            ;;

        "PSK")
            # *PSK_NULL_SHA suites supported by GnuTLS 3.3.5 but not 3.2.15
            M_CIPHERS="$M_CIPHERS                               \
                TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256            \
                TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384            \
                TLS_DHE_PSK_WITH_NULL_SHA                       \
                TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256          \
                TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384          \
                TLS_ECDHE_PSK_WITH_NULL_SHA                     \
                TLS_PSK_WITH_ARIA_128_CBC_SHA256                \
                TLS_PSK_WITH_ARIA_256_CBC_SHA384                \
                TLS_PSK_WITH_NULL_SHA                           \
                TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256            \
                TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256            \
                TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384            \
                TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384            \
                TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256       \
                TLS_RSA_PSK_WITH_NULL_SHA                       \
                "
            ;;
    esac
}

# o_check_ciphersuite STANDARD_CIPHER_SUITE
o_check_ciphersuite()
{
    if [ "${O_SUPPORT_ECDH}" = "NO" ]; then
        case "$1" in
            *ECDH_*) SKIP_NEXT="YES"
        esac
    fi
}

setup_arguments()
{
    O_MODE=""
    G_MODE=""
    case "$MODE" in
        "tls12")
            O_MODE="tls1_2"
            G_PRIO_MODE="+VERS-TLS1.2"
            ;;
        "dtls12")
            O_MODE="dtls1_2"
            G_PRIO_MODE="+VERS-DTLS1.2"
            G_MODE="-u"
            ;;
        *)
            echo "error: invalid mode: $MODE" >&2
            exit 1;
    esac

    # GnuTLS < 3.4 will choke if we try to allow CCM-8
    if [ -z "${GNUTLS_MINOR_LT_FOUR-}" ]; then
        G_PRIO_CCM="+AES-256-CCM-8:+AES-128-CCM-8:"
    else
        G_PRIO_CCM=""
    fi

    M_SERVER_ARGS="server_port=$PORT server_addr=0.0.0.0 force_version=$MODE"
    O_SERVER_ARGS="-accept $PORT -cipher NULL,ALL -$O_MODE"
    G_SERVER_ARGS="-p $PORT --http $G_MODE"
    G_SERVER_PRIO="NORMAL:${G_PRIO_CCM}+NULL:+MD5:+PSK:+DHE-PSK:+ECDHE-PSK:+SHA256:+SHA384:+RSA-PSK:-VERS-TLS-ALL:$G_PRIO_MODE"

    # The default prime for `openssl s_server` depends on the version:
    # * OpenSSL <= 1.0.2a: 512-bit
    # * OpenSSL 1.0.2b to 1.1.1b: 1024-bit
    # * OpenSSL >= 1.1.1c: 2048-bit
    # Mbed TLS wants >=1024, so force that for older versions. Don't force
    # it for newer versions, which reject a 1024-bit prime. Indifferently
    # force it or not for intermediate versions.
    case $($OPENSSL version) in
        "OpenSSL 1.0"*)
            O_SERVER_ARGS="$O_SERVER_ARGS -dhparam data_files/dhparams.pem"
            ;;
    esac

    # with OpenSSL 1.0.1h, -www, -WWW and -HTTP break DTLS handshakes
    if is_dtls "$MODE"; then
        O_SERVER_ARGS="$O_SERVER_ARGS"
    else
        O_SERVER_ARGS="$O_SERVER_ARGS -www"
    fi

    M_CLIENT_ARGS="server_port=$PORT server_addr=127.0.0.1 force_version=$MODE"
    O_CLIENT_ARGS="-connect localhost:$PORT -$O_MODE"
    G_CLIENT_ARGS="-p $PORT --debug 3 $G_MODE"

    # Newer versions of OpenSSL have a syntax to enable all "ciphers", even
    # low-security ones. This covers not just cipher suites but also protocol
    # versions. It is necessary, for example, to use (D)TLS 1.0/1.1 on
    # OpenSSL 1.1.1f from Ubuntu 20.04. The syntax was only introduced in
    # OpenSSL 1.1.0 (21e0c1d23afff48601eb93135defddae51f7e2e3) and I can't find
    # a way to discover it from -help, so check the openssl version.
    case $($OPENSSL version) in
        "OpenSSL 0"*|"OpenSSL 1.0"*) :;;
        *)
            O_CLIENT_ARGS="$O_CLIENT_ARGS -cipher ALL@SECLEVEL=0"
            O_SERVER_ARGS="$O_SERVER_ARGS -cipher ALL@SECLEVEL=0"
            ;;
    esac

    case $($OPENSSL ciphers ALL) in
        *ECDH-ECDSA*|*ECDH-RSA*) O_SUPPORT_ECDH="YES";;
        *) O_SUPPORT_ECDH="NO";;
    esac

    if [ "X$VERIFY" = "XYES" ];
    then
        M_SERVER_ARGS="$M_SERVER_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required"
        O_SERVER_ARGS="$O_SERVER_ARGS -CAfile data_files/test-ca_cat12.crt -Verify 10"
        G_SERVER_ARGS="$G_SERVER_ARGS --x509cafile data_files/test-ca_cat12.crt --require-client-cert"

        M_CLIENT_ARGS="$M_CLIENT_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required"
        O_CLIENT_ARGS="$O_CLIENT_ARGS -CAfile data_files/test-ca_cat12.crt -verify 10"
        G_CLIENT_ARGS="$G_CLIENT_ARGS --x509cafile data_files/test-ca_cat12.crt"
    else
        # don't request a client cert at all
        M_SERVER_ARGS="$M_SERVER_ARGS ca_file=none auth_mode=none"
        G_SERVER_ARGS="$G_SERVER_ARGS --disable-client-cert"

        M_CLIENT_ARGS="$M_CLIENT_ARGS ca_file=none auth_mode=none"
        O_CLIENT_ARGS="$O_CLIENT_ARGS"
        G_CLIENT_ARGS="$G_CLIENT_ARGS --insecure"
    fi

    case $TYPE in
        "ECDSA")
            M_SERVER_ARGS="$M_SERVER_ARGS crt_file=data_files/server5.crt key_file=data_files/server5.key"
            O_SERVER_ARGS="$O_SERVER_ARGS -cert data_files/server5.crt -key data_files/server5.key"
            G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"

            if [ "X$VERIFY" = "XYES" ]; then
                M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=data_files/server6.crt key_file=data_files/server6.key"
                O_CLIENT_ARGS="$O_CLIENT_ARGS -cert data_files/server6.crt -key data_files/server6.key"
                G_CLIENT_ARGS="$G_CLIENT_ARGS --x509certfile data_files/server6.crt --x509keyfile data_files/server6.key"
            else
                M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=none key_file=none"
            fi
            ;;

        "RSA")
            M_SERVER_ARGS="$M_SERVER_ARGS crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key"
            O_SERVER_ARGS="$O_SERVER_ARGS -cert data_files/server2-sha256.crt -key data_files/server2.key"
            G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key"

            if [ "X$VERIFY" = "XYES" ]; then
                M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=data_files/cert_sha256.crt key_file=data_files/server1.key"
                O_CLIENT_ARGS="$O_CLIENT_ARGS -cert data_files/cert_sha256.crt -key data_files/server1.key"
                G_CLIENT_ARGS="$G_CLIENT_ARGS --x509certfile data_files/cert_sha256.crt --x509keyfile data_files/server1.key"
            else
                M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=none key_file=none"
            fi
            ;;

        "PSK")
            # give RSA-PSK-capable server a RSA cert
            # (should be a separate type, but harder to close with openssl)
            M_SERVER_ARGS="$M_SERVER_ARGS psk=6162636465666768696a6b6c6d6e6f70 ca_file=none crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key"
            O_SERVER_ARGS="$O_SERVER_ARGS -psk 6162636465666768696a6b6c6d6e6f70 -nocert"
            G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --pskpasswd data_files/passwd.psk"

            M_CLIENT_ARGS="$M_CLIENT_ARGS psk=6162636465666768696a6b6c6d6e6f70 crt_file=none key_file=none"
            O_CLIENT_ARGS="$O_CLIENT_ARGS -psk 6162636465666768696a6b6c6d6e6f70"
            G_CLIENT_ARGS="$G_CLIENT_ARGS --pskusername Client_identity --pskkey=6162636465666768696a6b6c6d6e6f70"
            ;;
    esac
}

# is_mbedtls <cmd_line>
is_mbedtls() {
    case $1 in
        *ssl_client2*) true;;
        *ssl_server2*) true;;
        *) false;;
    esac
}

# has_mem_err <log_file_name>
has_mem_err() {
    if ( grep -F 'All heap blocks were freed -- no leaks are possible' "$1" &&
         grep -F 'ERROR SUMMARY: 0 errors from 0 contexts' "$1" ) > /dev/null
    then
        return 1 # false: does not have errors
    else
        return 0 # true: has errors
    fi
}

# Wait for process $2 to be listening on port $1
if type lsof >/dev/null 2>/dev/null; then
    wait_server_start() {
        START_TIME=$(date +%s)
        if is_dtls "$MODE"; then
            proto=UDP
        else
            proto=TCP
        fi
        while ! lsof -a -n -b -i "$proto:$1" -p "$2" >/dev/null 2>/dev/null; do
              if [ $(( $(date +%s) - $START_TIME )) -gt $DOG_DELAY ]; then
                  echo "SERVERSTART TIMEOUT"
                  echo "SERVERSTART TIMEOUT" >> $SRV_OUT
                  break
              fi
              # Linux and *BSD support decimal arguments to sleep. On other
              # OSes this may be a tight loop.
              sleep 0.1 2>/dev/null || true
        done
    }
else
    echo "Warning: lsof not available, wait_server_start = sleep"
    wait_server_start() {
        sleep 2
    }
fi


# start_server <name>
# also saves name and command
start_server() {
    case $1 in
        [Oo]pen*)
            SERVER_CMD="$OPENSSL s_server $O_SERVER_ARGS"
            ;;
        [Gg]nu*)
            SERVER_CMD="$GNUTLS_SERV $G_SERVER_ARGS --priority $G_SERVER_PRIO"
            ;;
        mbed*)
            SERVER_CMD="$M_SRV $M_SERVER_ARGS"
            if [ "$MEMCHECK" -gt 0 ]; then
                SERVER_CMD="valgrind --leak-check=full $SERVER_CMD"
            fi
            ;;
        *)
            echo "error: invalid server name: $1" >&2
            exit 1
            ;;
    esac
    SERVER_NAME=$1

    log "$SERVER_CMD"
    echo "$SERVER_CMD" > $SRV_OUT
    # for servers without -www or equivalent
    while :; do echo bla; sleep 1; done | $SERVER_CMD >> $SRV_OUT 2>&1 &
    SRV_PID=$!

    wait_server_start "$PORT" "$SRV_PID"
}

# terminate the running server
stop_server() {
    # For Ubuntu 22.04, `Terminated` message is outputed by wait command.
    # To remove it from stdout, redirect stdout/stderr to SRV_OUT
    kill $SRV_PID >/dev/null 2>&1
    wait $SRV_PID >> $SRV_OUT 2>&1

    if [ "$MEMCHECK" -gt 0 ]; then
        if is_mbedtls "$SERVER_CMD" && has_mem_err $SRV_OUT; then
            echo "  ! Server had memory errors"
            SRVMEM=$(( $SRVMEM + 1 ))
            return
        fi
    fi

    rm -f $SRV_OUT
}

# kill the running server (used when killed by signal)
cleanup() {
    rm -f $SRV_OUT $CLI_OUT
    kill $SRV_PID >/dev/null 2>&1
    kill $WATCHDOG_PID >/dev/null 2>&1
    exit 1
}

# wait for client to terminate and set EXIT
# must be called right after starting the client
wait_client_done() {
    CLI_PID=$!

    ( sleep "$DOG_DELAY"; echo "TIMEOUT" >> $CLI_OUT; kill $CLI_PID ) &
    WATCHDOG_PID=$!

    # For Ubuntu 22.04, `Terminated` message is outputed by wait command.
    # To remove it from stdout, redirect stdout/stderr to CLI_OUT
    wait $CLI_PID >> $CLI_OUT 2>&1
    EXIT=$?

    kill $WATCHDOG_PID >/dev/null 2>&1
    wait $WATCHDOG_PID >> $CLI_OUT 2>&1

    echo "EXIT: $EXIT" >> $CLI_OUT
}

# run_client PROGRAM_NAME STANDARD_CIPHER_SUITE PROGRAM_CIPHER_SUITE
run_client() {
    # announce what we're going to do
    TESTS=$(( $TESTS + 1 ))
    TITLE="${1%"${1#?}"}->${SERVER_NAME%"${SERVER_NAME#?}"}"
    TITLE="$TITLE $MODE,$VERIF $2"
    DOTS72="........................................................................"
    printf "%s %.*s " "$TITLE" "$((71 - ${#TITLE}))" "$DOTS72"

    # should we skip?
    if [ "X$SKIP_NEXT" = "XYES" ]; then
        SKIP_NEXT="NO"
        echo "SKIP"
        SKIPPED=$(( $SKIPPED + 1 ))
        return
    fi

    # run the command and interpret result
    case $1 in
        [Oo]pen*)
            CLIENT_CMD="$OPENSSL s_client $O_CLIENT_ARGS -cipher $3"
            log "$CLIENT_CMD"
            echo "$CLIENT_CMD" > $CLI_OUT
            printf 'GET HTTP/1.0\r\n\r\n' | $CLIENT_CMD >> $CLI_OUT 2>&1 &
            wait_client_done

            if [ $EXIT -eq 0 ]; then
                RESULT=0
            else
                # If it is NULL cipher ...
                if grep 'Cipher is (NONE)' $CLI_OUT >/dev/null; then
                    RESULT=1
                else
                    RESULT=2
                fi
            fi
            ;;

        [Gg]nu*)
            # need to force IPv4 with UDP, but keep localhost for auth
            if is_dtls "$MODE"; then
                G_HOST="127.0.0.1"
            else
                G_HOST="localhost"
            fi
            CLIENT_CMD="$GNUTLS_CLI $G_CLIENT_ARGS --priority $G_PRIO_MODE:$3 $G_HOST"
            log "$CLIENT_CMD"
            echo "$CLIENT_CMD" > $CLI_OUT
            printf 'GET HTTP/1.0\r\n\r\n' | $CLIENT_CMD >> $CLI_OUT 2>&1 &
            wait_client_done

            if [ $EXIT -eq 0 ]; then
                RESULT=0
            else
                RESULT=2
                # interpret early failure, with a handshake_failure alert
                # before the server hello, as "no ciphersuite in common"
                if grep -F 'Received alert [40]: Handshake failed' $CLI_OUT; then
                    if grep -i 'SERVER HELLO .* was received' $CLI_OUT; then :
                    else
                        RESULT=1
                    fi
                fi >/dev/null
            fi
            ;;

        mbed*)
            CLIENT_CMD="$M_CLI $M_CLIENT_ARGS force_ciphersuite=$3"
            if [ "$MEMCHECK" -gt 0 ]; then
                CLIENT_CMD="valgrind --leak-check=full $CLIENT_CMD"
            fi
            log "$CLIENT_CMD"
            echo "$CLIENT_CMD" > $CLI_OUT
            $CLIENT_CMD >> $CLI_OUT 2>&1 &
            wait_client_done

            case $EXIT in
                # Success
                "0")    RESULT=0    ;;

                # Ciphersuite not supported
                "2")    RESULT=1    ;;

                # Error
                *)      RESULT=2    ;;
            esac

            if [ "$MEMCHECK" -gt 0 ]; then
                if is_mbedtls "$CLIENT_CMD" && has_mem_err $CLI_OUT; then
                    RESULT=2
                fi
            fi

            ;;

        *)
            echo "error: invalid client name: $1" >&2
            exit 1
            ;;
    esac

    echo "EXIT: $EXIT" >> $CLI_OUT

    # report and count result
    case $RESULT in
        "0")
            echo PASS
            ;;
        "1")
            echo SKIP
            SKIPPED=$(( $SKIPPED + 1 ))
            ;;
        "2")
            echo FAIL
            cp $SRV_OUT c-srv-${TESTS}.log
            cp $CLI_OUT c-cli-${TESTS}.log
            echo "  ! outputs saved to c-srv-${TESTS}.log, c-cli-${TESTS}.log"

            if [ "${LOG_FAILURE_ON_STDOUT:-0}" != 0 ]; then
                echo "  ! server output:"
                cat c-srv-${TESTS}.log
                echo "  ! ==================================================="
                echo "  ! client output:"
                cat c-cli-${TESTS}.log
            fi

            FAILED=$(( $FAILED + 1 ))
            ;;
    esac

    rm -f $CLI_OUT
}

#
# MAIN
#

if cd $( dirname $0 ); then :; else
    echo "cd $( dirname $0 ) failed" >&2
    exit 1
fi

get_options "$@"

# sanity checks, avoid an avalanche of errors
if [ ! -x "$M_SRV" ]; then
    echo "Command '$M_SRV' is not an executable file" >&2
    exit 1
fi
if [ ! -x "$M_CLI" ]; then
    echo "Command '$M_CLI' is not an executable file" >&2
    exit 1
fi

if echo "$PEERS" | grep -i openssl > /dev/null; then
    if which "$OPENSSL" >/dev/null 2>&1; then :; else
        echo "Command '$OPENSSL' not found" >&2
        exit 1
    fi
fi

if echo "$PEERS" | grep -i gnutls > /dev/null; then
    for CMD in "$GNUTLS_CLI" "$GNUTLS_SERV"; do
        if which "$CMD" >/dev/null 2>&1; then :; else
            echo "Command '$CMD' not found" >&2
            exit 1
        fi
    done
fi

for PEER in $PEERS; do
    case "$PEER" in
        mbed*|[Oo]pen*|[Gg]nu*)
            ;;
        *)
            echo "Unknown peers: $PEER" >&2
            exit 1
    esac
done

# Pick a "unique" port in the range 10000-19999.
PORT="0000$$"
PORT="1$(echo $PORT | tail -c 5)"

# Also pick a unique name for intermediate files
SRV_OUT="srv_out.$$"
CLI_OUT="cli_out.$$"

# client timeout delay: be more patient with valgrind
if [ "$MEMCHECK" -gt 0 ]; then
    DOG_DELAY=30
else
    DOG_DELAY=10
fi

SKIP_NEXT="NO"

trap cleanup INT TERM HUP

for MODE in $MODES; do
    for TYPE in $TYPES; do

        # PSK cipher suites do not allow client certificate verification.
        # This means PSK test cases with VERIFY=YES should be replaced by
        # VERIFY=NO or be ignored. SUB_VERIFIES variable is used to constrain
        # verification option for PSK test cases.
        SUB_VERIFIES=$VERIFIES
        if [ "$TYPE" = "PSK" ]; then
            SUB_VERIFIES="NO"
        fi

        for VERIFY in $SUB_VERIFIES; do
            VERIF=$(echo $VERIFY | tr '[:upper:]' '[:lower:]')
            for PEER in $PEERS; do

            setup_arguments

            case "$PEER" in

                [Oo]pen*)

                    if test "$OSSL_NO_DTLS" -gt 0 && is_dtls "$MODE"; then
                        continue;
                    fi

                    # OpenSSL <1.0.2 doesn't support DTLS 1.2. Check if OpenSSL
                    # supports $O_MODE from the s_server help. (The s_client
                    # help isn't accurate as of 1.0.2g: it supports DTLS 1.2
                    # but doesn't list it. But the s_server help seems to be
                    # accurate.)
                    if ! $OPENSSL s_server -help 2>&1 | grep -q "^ *-$O_MODE "; then
                        continue;
                    fi

                    reset_ciphersuites
                    add_common_ciphersuites
                    add_openssl_ciphersuites
                    filter_ciphersuites

                    if [ "X" != "X$M_CIPHERS" ]; then
                        start_server "OpenSSL"
                        translate_ciphers m $M_CIPHERS
                        for i in $ciphers; do
                            o_check_ciphersuite "${i%%=*}"
                            run_client mbedTLS ${i%%=*} ${i#*=}
                        done
                        stop_server
                    fi

                    if [ "X" != "X$O_CIPHERS" ]; then
                        start_server "mbedTLS"
                        translate_ciphers o $O_CIPHERS
                        for i in $ciphers; do
                            o_check_ciphersuite "${i%%=*}"
                            run_client OpenSSL ${i%%=*} ${i#*=}
                        done
                        stop_server
                    fi

                    ;;

                [Gg]nu*)

                    reset_ciphersuites
                    add_common_ciphersuites
                    add_gnutls_ciphersuites
                    filter_ciphersuites

                    if [ "X" != "X$M_CIPHERS" ]; then
                        start_server "GnuTLS"
                        translate_ciphers m $M_CIPHERS
                        for i in $ciphers; do
                            run_client mbedTLS ${i%%=*} ${i#*=}
                        done
                        stop_server
                    fi

                    if [ "X" != "X$G_CIPHERS" ]; then
                        start_server "mbedTLS"
                        translate_ciphers g $G_CIPHERS
                        for i in $ciphers; do
                            run_client GnuTLS ${i%%=*} ${i#*=}
                        done
                        stop_server
                    fi

                    ;;

                mbed*)

                    reset_ciphersuites
                    add_common_ciphersuites
                    add_openssl_ciphersuites
                    add_gnutls_ciphersuites
                    add_mbedtls_ciphersuites
                    filter_ciphersuites

                    if [ "X" != "X$M_CIPHERS" ]; then
                        start_server "mbedTLS"
                        translate_ciphers m $M_CIPHERS
                        for i in $ciphers; do
                            run_client mbedTLS ${i%%=*} ${i#*=}
                        done
                        stop_server
                    fi

                    ;;

                *)
                    echo "Unknown peer: $PEER" >&2
                    exit 1
                    ;;

                esac

            done
        done
    done
done

echo "------------------------------------------------------------------------"

if [ $FAILED -ne 0 -o $SRVMEM -ne 0 ]; then
    printf "FAILED"
else
    printf "PASSED"
fi

if [ "$MEMCHECK" -gt 0 ]; then
    MEMREPORT=", $SRVMEM server memory errors"
else
    MEMREPORT=""
fi

PASSED=$(( $TESTS - $FAILED ))
echo " ($PASSED / $TESTS tests ($SKIPPED skipped$MEMREPORT))"

FAILED=$(( $FAILED + $SRVMEM ))
if [ $FAILED -gt 255 ]; then
    # Clamp at 255 as caller gets exit code & 0xFF
    # (so 256 would be 0, or success, etc)
    FAILED=255
fi
exit $FAILED