compat.sh: add ARIA interop tests with OpenSSL
Disabled by default, needs OpenSSL >= 1.1.1 - tested locally with 1.1.1-pre1 Local version of OpenSSL was compiled with: ./config --prefix=$HOME/usr/openssl-1.1.1-pre1 -Wl,--enable-new-dtags,-rpath,'$(LIBRPATH)' make make install With OpenSSL 1.1.1-pre1, two ciphersuites were incorrectly skipped, but this has since been fixed in OpenSSL master, see: https://github.com/openssl/openssl/issues/5406
This commit is contained in:
parent
a0e47088d8
commit
7299dfd86b
1 changed files with 53 additions and 11 deletions
|
@ -53,7 +53,12 @@ MODES="tls1 tls1_1 tls1_2 dtls1 dtls1_2"
|
|||
VERIFIES="NO YES"
|
||||
TYPES="ECDSA RSA PSK"
|
||||
FILTER=""
|
||||
EXCLUDE='NULL\|DES-CBC-\|RC4\|ARCFOUR' # avoid plain DES but keep 3DES-EDE-CBC (mbedTLS), DES-CBC3 (OpenSSL)
|
||||
# exclude:
|
||||
# - NULL: excluded from our default config
|
||||
# - RC4, single-DES: requires legacy OpenSSL/GnuTLS versions
|
||||
# avoid plain DES but keep 3DES-EDE-CBC (mbedTLS), DES-CBC3 (OpenSSL)
|
||||
# - ARIA: requires OpenSSL >= 1.1.1
|
||||
EXCLUDE='NULL\|DES-CBC-\|RC4\|ARCFOUR\|ARIA'
|
||||
VERBOSE=""
|
||||
MEMCHECK=0
|
||||
PEERS="OpenSSL$PEER_GNUTLS mbedTLS"
|
||||
|
@ -226,6 +231,9 @@ reset_ciphersuites()
|
|||
G_CIPHERS=""
|
||||
}
|
||||
|
||||
# Ciphersuites that can be used with all peers.
|
||||
# Since we currently have three possible peers, each ciphersuite should appear
|
||||
# three times: in each peer's list (with the name that this peer uses).
|
||||
add_common_ciphersuites()
|
||||
{
|
||||
case $TYPE in
|
||||
|
@ -422,6 +430,12 @@ add_common_ciphersuites()
|
|||
esac
|
||||
}
|
||||
|
||||
# Ciphersuites usable only with Mbed TLS and OpenSSL
|
||||
# Each ciphersuite should appear two times, once with its OpenSSL name, once
|
||||
# with its Mbed TLS name.
|
||||
#
|
||||
# NOTE: for some reason RSA-PSK doesn't work with OpenSSL,
|
||||
# so RSA-PSK ciphersuites need to go in other sections.
|
||||
add_openssl_ciphersuites()
|
||||
{
|
||||
case $TYPE in
|
||||
|
@ -451,12 +465,16 @@ add_openssl_ciphersuites()
|
|||
TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384 \
|
||||
TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256 \
|
||||
TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384 \
|
||||
TLS-ECDHE-ECDSA-WITH-ARIA-256-GCM-SHA384 \
|
||||
TLS-ECDHE-ECDSA-WITH-ARIA-128-GCM-SHA256 \
|
||||
"
|
||||
O_CIPHERS="$O_CIPHERS \
|
||||
ECDH-ECDSA-AES128-SHA256 \
|
||||
ECDH-ECDSA-AES256-SHA384 \
|
||||
ECDH-ECDSA-AES128-GCM-SHA256 \
|
||||
ECDH-ECDSA-AES256-GCM-SHA384 \
|
||||
ECDHE-ECDSA-ARIA256-GCM-SHA384 \
|
||||
ECDHE-ECDSA-ARIA128-GCM-SHA256 \
|
||||
"
|
||||
fi
|
||||
;;
|
||||
|
@ -470,13 +488,42 @@ add_openssl_ciphersuites()
|
|||
DES-CBC-SHA \
|
||||
EDH-RSA-DES-CBC-SHA \
|
||||
"
|
||||
if [ `minor_ver "$MODE"` -ge 3 ]
|
||||
then
|
||||
M_CIPHERS="$M_CIPHERS \
|
||||
TLS-ECDHE-RSA-WITH-ARIA-256-GCM-SHA384 \
|
||||
TLS-DHE-RSA-WITH-ARIA-256-GCM-SHA384 \
|
||||
TLS-ECDHE-RSA-WITH-ARIA-128-GCM-SHA256 \
|
||||
TLS-DHE-RSA-WITH-ARIA-128-GCM-SHA256 \
|
||||
"
|
||||
O_CIPHERS="$O_CIPHERS \
|
||||
ECDHE-ARIA256-GCM-SHA384 \
|
||||
DHE-RSA-ARIA256-GCM-SHA384 \
|
||||
ECDHE-ARIA128-GCM-SHA256 \
|
||||
DHE-RSA-ARIA128-GCM-SHA256 \
|
||||
"
|
||||
fi
|
||||
;;
|
||||
|
||||
"PSK")
|
||||
if [ `minor_ver "$MODE"` -ge 3 ]
|
||||
then
|
||||
M_CIPHERS="$M_CIPHERS \
|
||||
TLS-PSK-WITH-ARIA-256-GCM-SHA384 \
|
||||
TLS-PSK-WITH-ARIA-128-GCM-SHA256 \
|
||||
"
|
||||
O_CIPHERS="$O_CIPHERS \
|
||||
PSK-ARIA256-GCM-SHA384 \
|
||||
PSK-ARIA128-GCM-SHA256 \
|
||||
"
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
# Ciphersuites usable only with Mbed TLS and GnuTLS
|
||||
# Each ciphersuite should appear two times, once with its GnuTLS name, once
|
||||
# with its Mbed TLS name.
|
||||
add_gnutls_ciphersuites()
|
||||
{
|
||||
case $TYPE in
|
||||
|
@ -661,6 +708,9 @@ add_gnutls_ciphersuites()
|
|||
esac
|
||||
}
|
||||
|
||||
# Ciphersuites usable only with Mbed TLS (not currently supported by another
|
||||
# peer usable in this script). This provide only very rudimentaty testing, as
|
||||
# this is not interop testing, but it's better than nothing.
|
||||
add_mbedtls_ciphersuites()
|
||||
{
|
||||
case $TYPE in
|
||||
|
@ -682,9 +732,7 @@ add_mbedtls_ciphersuites()
|
|||
TLS-ECDHE-ECDSA-WITH-AES-256-CCM \
|
||||
TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8 \
|
||||
TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8 \
|
||||
TLS-ECDHE-ECDSA-WITH-ARIA-256-GCM-SHA384 \
|
||||
TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384 \
|
||||
TLS-ECDHE-ECDSA-WITH-ARIA-128-GCM-SHA256 \
|
||||
TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256 \
|
||||
"
|
||||
fi
|
||||
|
@ -702,12 +750,8 @@ add_mbedtls_ciphersuites()
|
|||
TLS-RSA-WITH-AES-256-CCM-8 \
|
||||
TLS-DHE-RSA-WITH-AES-128-CCM-8 \
|
||||
TLS-DHE-RSA-WITH-AES-256-CCM-8 \
|
||||
TLS-ECDHE-RSA-WITH-ARIA-256-GCM-SHA384 \
|
||||
TLS-DHE-RSA-WITH-ARIA-256-GCM-SHA384 \
|
||||
TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384 \
|
||||
TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384 \
|
||||
TLS-ECDHE-RSA-WITH-ARIA-128-GCM-SHA256 \
|
||||
TLS-DHE-RSA-WITH-ARIA-128-GCM-SHA256 \
|
||||
TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256 \
|
||||
TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256 \
|
||||
"
|
||||
|
@ -738,14 +782,12 @@ add_mbedtls_ciphersuites()
|
|||
TLS-PSK-WITH-AES-256-CCM-8 \
|
||||
TLS-DHE-PSK-WITH-AES-128-CCM-8 \
|
||||
TLS-DHE-PSK-WITH-AES-256-CCM-8 \
|
||||
TLS-RSA-PSK-WITH-ARIA-256-GCM-SHA384 \
|
||||
TLS-RSA-PSK-WITH-ARIA-256-CBC-SHA384 \
|
||||
TLS-RSA-PSK-WITH-ARIA-128-GCM-SHA256 \
|
||||
TLS-RSA-PSK-WITH-ARIA-128-CBC-SHA256 \
|
||||
TLS-PSK-WITH-ARIA-256-GCM-SHA384 \
|
||||
TLS-PSK-WITH-ARIA-256-CBC-SHA384 \
|
||||
TLS-PSK-WITH-ARIA-128-GCM-SHA256 \
|
||||
TLS-PSK-WITH-ARIA-128-CBC-SHA256 \
|
||||
TLS-RSA-PSK-WITH-ARIA-256-GCM-SHA384 \
|
||||
TLS-RSA-PSK-WITH-ARIA-128-GCM-SHA256 \
|
||||
"
|
||||
fi
|
||||
;;
|
||||
|
|
Loading…
Reference in a new issue