Commit e0802ca5 authored by Nikos Mavrogiannopoulos's avatar Nikos Mavrogiannopoulos Committed by Nikos Mavrogiannopoulos

testcompat-tls13-openssl: fix openssl interactions

 * Do not require certificate validation on tests where no certificate is sent
 * Rekey test performs data transfer after re-key

This introduces a dependency on the expect package for testing, and
updates openssl to address an issue in post-handshake auth interop
testing.

Resolves #488

Signed-off-by: Nikos Mavrogiannopoulos's avatarNikos Mavrogiannopoulos <nmav@redhat.com>
parent f5863ab3
......@@ -72,7 +72,7 @@ Nettle, P11-kit and Autogen, which you will need to build from sources.
Dependencies that are used during make check or make dist are listed below.
Moreover, for basic interoperability testing you may want to install openssl
and polarssl.
and mbedtls.
* [Valgrind](http://valgrind.org/) (optional)
* [Libasan](https://gcc.gnu.org//) (optional)
......@@ -84,13 +84,13 @@ and polarssl.
Debian/Ubuntu:
```
apt-get install -y valgrind libasan1 libubsan0 nodejs softhsm2 datefudge lcov libssl-dev libcmocka-dev
apt-get install -y valgrind libasan1 libubsan0 nodejs softhsm2 datefudge lcov libssl-dev libcmocka-dev expect
apt-get install -y dieharder libpolarssl-runtime openssl abi-compliance-checker socat net-tools ppp lockfile-progs
```
Fedora/RHEL:
```
yum install -y valgrind libasan libasan-static libubsan nodejs softhsm datefudge lcov openssl-devel
yum install -y valgrind libasan libasan-static libubsan nodejs softhsm datefudge lcov openssl-devel expect
yum install -y dieharder mbedtls-utils openssl abi-compliance-checker libcmocka-devel socat lockfile-progs
```
......
Subproject commit 25642ad29e6a2c15c10ceb5e4f029638f73a879e
Subproject commit 09fb65d5e413b7b87bf26f01ec441b44a03d4ee2
......@@ -87,7 +87,7 @@ run_client_suite() {
eval "${GETPORT}"
launch_bare_server $$ s_server -ciphersuites ${OCIPHERSUITES} -groups 'X25519:P-256:X448:P-521:P-384' -quiet -www -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -Verify 1 -CAfile "${CA_CERT}"
launch_bare_server $$ s_server -ciphersuites ${OCIPHERSUITES} -groups 'X25519:P-256:X448:P-521:P-384' -quiet -www -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -CAfile "${CA_CERT}"
PID=$!
wait_server ${PID}
......@@ -104,8 +104,8 @@ run_client_suite() {
fail ${PID} "Failed"
done
echo_cmd "${PREFIX}Checking TLS 1.3 with rekey..."
${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --insecure --inline-commands <<<$(echo "^rekey^") >>${OUTPUT} || \
echo_cmd "${PREFIX}Checking TLS 1.3 with double rekey..."
${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --insecure --inline-commands <<<$(echo -e "^rekey^\n^rekey1^\nGET / HTTP/1.0\r\n\r\n") >>${OUTPUT} || \
fail ${PID} "Failed"
# Try hello retry request
......@@ -214,8 +214,7 @@ run_client_suite() {
wait_server ${PID}
# ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:+GROUP-ALL${ADD}" --x509cafile "${CA_CERT}" --inline-commands | tee "${testdir}/client.out" >> ${OUTPUT}
{ echo a; sleep 1; echo '^resume^'; } | \
${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:+GROUP-ALL${ADD}" --insecure --inline-commands | tee "${testdir}/client.out" >> ${OUTPUT}
${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:+GROUP-ALL${ADD}" --insecure --inline-commands <<< $(echo -e "^resume^\nGET / HTTP/1.0\r\n\r\n")| tee "${testdir}/client.out" >> ${OUTPUT}
grep '^\*\*\* This is a resumed session' "${testdir}/client.out" || \
fail ${PID} "Failed"
......@@ -275,7 +274,6 @@ run_server_suite() {
done
echo_cmd "${PREFIX}Checking TLS 1.3 with HRR..."
eval "${GETPORT}"
launch_server $$ --echo --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-SECP384R1${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
PID=$!
......@@ -285,8 +283,25 @@ run_server_suite() {
fail ${PID} "Failed"
echo_cmd "${PREFIX}Checking TLS 1.3 with rekey..."
${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -CAfile "${CA_CERT}" <<<$(echo "***REKEY***") 2>&1 | grep "\:error\:" && \
expect - >/dev/null <<_EOF_
set timeout 10
set os_error_flag 1
spawn ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -CAfile "${CA_CERT}"
expect "SSL-Session" {send "K\n"} timeout {exit 1}
expect "KEYUPDATE" {send "HELLO\n"} timeout {exit 1}
expect "HELLO" {close} timeout {exit 1}
lassign [wait] pid spawnid os_error_flag value
if {\$os_error_flag == 0} {
exit $value
} else {
exit 1
}
_EOF_
if test $? != 0;then
fail ${PID} "Failed"
fi
kill ${PID}
wait
......@@ -320,12 +335,39 @@ run_server_suite() {
echo_cmd "${PREFIX}Checking TLS 1.3 with post handshake auth..."
eval "${GETPORT}"
launch_server $$ --echo --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
launch_server $$ --echo --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" #>>${OUTPUT} 2>&1
PID=$!
wait_server ${PID}
${OPENSSL_CLI} s_client -force_pha -host localhost -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" <<<$(echo "***REAUTH***") 2>&1 | grep "\:error\:" && \
expect - >/dev/null <<_EOF_
set timeout 10
set os_error_flag 1
spawn ${OPENSSL_CLI} s_client -force_pha -host localhost -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}"
expect "SSL-Session" {send "**REAUTH**\n"} timeout {exit 1}
expect {
timeout {exit 1}
"error*" {exit 1}
"Successfully executed command" {send "**REAUTH**\n"}
}
expect {
timeout {exit 1}
"error*" {exit 1}
"Successfully executed command" {send "HELLO\n"}
}
expect "HELLO" {close} timeout {exit 1}
lassign [wait] pid spawnid os_error_flag value
if {\$os_error_flag == 0} {
exit $value
} else {
exit 1
}
_EOF_
if test $? != 0;then
fail ${PID} "Failed"
fi
kill ${PID}
wait
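Review bot: In the expect here-document of the rekey test, the line `exit $value` inside the `if {\$os_error_flag == 0}` branch is expanded by the shell before expect ever runs, because the `_EOF_` delimiter is unquoted and only `os_error_flag` was escaped; unless a shell variable named `value` happens to be set, expect receives a bare `exit`, which returns 0, so the spawned s_client's exit status never reaches the `if test $? != 0` check. The post-handshake-auth here-document later in this section has the same unescaped line; both should read `exit \$value`. A further, hedged point: `spawn` runs s_client on a pty, so the text written by `send "HELLO\n"` is likely echoed back into expect's buffer before the server's reply, which would let `expect "HELLO" {close}` succeed on the local echo rather than on data echoed by gnutls-serv; waiting for output that only the peer can produce would make that final check meaningful. In the post-handshake-auth hunk the `launch_server` line ending in `#>>${OUTPUT} 2>&1` looks like debugging left in — if that is the new side of the change, the server's output now goes to the test's own stdout/stderr instead of the log, and the redirection should be restored as `>>${OUTPUT} 2>&1`. The enclosing `run_server_suite` begins before and continues after these hunks.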
......