mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-12-23 18:15:35 +00:00
Force IPv4 for gnutls-cli DTLS tests
Depending on the settings of the local machine, gnutls-cli will either try IPv4 or IPv6 when trying to connect to localhost. With TLS, whatever it tries first, it will notice if any failure happens and try the other protocol if necessary. With DTLS it can't do that. Unfortunately for now there isn't really any good way to specify an address and hostname independently, though that might come soon: https://gitlab.com/gnutls/gnutls/issues/344 A work around is to specify an address directly and then use --insecure to ignore certificate hostname mismatch; that is OK for tests that are completely unrelated to certificate verification (such as the recent fragmenting tests) but unacceptable for others. For that reason, don't specify a default hostname for gnutls-cli, but instead let each test choose between `--insecure 127.0.0.1` and `localhost` (or `--insecure '::1'` if desired). Alternatives include: - having test certificates with 127.0.0.1 as the hostname, but having an IP as the CN is unusual, and we would need to change our test certs; - have our server open two sockets under the hood and listen on both IPv4 and IPv6 (that's what gnutls-serv does, and IMO it's a good thing) but that obviously requires development and testing (esp. for windows compatibility) - wait for a newer version of GnuTLS to be released, install it on the CI and developer machines, and use that in all tests - quite satisfying but can't be done now (and puts stronger requirements on test environment).
This commit is contained in:
parent
68ae351dbe
commit
34aa187df6
|
@ -765,7 +765,7 @@ P_PXY="$P_PXY server_addr=127.0.0.1 server_port=$SRV_PORT listen_addr=127.0.0.1
|
||||||
O_SRV="$O_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem"
|
O_SRV="$O_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem"
|
||||||
O_CLI="$O_CLI -connect localhost:+SRV_PORT"
|
O_CLI="$O_CLI -connect localhost:+SRV_PORT"
|
||||||
G_SRV="$G_SRV -p $SRV_PORT"
|
G_SRV="$G_SRV -p $SRV_PORT"
|
||||||
G_CLI="$G_CLI -p +SRV_PORT localhost"
|
G_CLI="$G_CLI -p +SRV_PORT"
|
||||||
|
|
||||||
if [ -n "${OPENSSL_LEGACY:-}" ]; then
|
if [ -n "${OPENSSL_LEGACY:-}" ]; then
|
||||||
O_LEGACY_SRV="$O_LEGACY_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem"
|
O_LEGACY_SRV="$O_LEGACY_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem"
|
||||||
|
@ -777,7 +777,7 @@ if [ -n "${GNUTLS_NEXT_SERV:-}" ]; then
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -n "${GNUTLS_NEXT_CLI:-}" ]; then
|
if [ -n "${GNUTLS_NEXT_CLI:-}" ]; then
|
||||||
G_NEXT_CLI="$G_NEXT_CLI -p +SRV_PORT localhost"
|
G_NEXT_CLI="$G_NEXT_CLI -p +SRV_PORT"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Allow SHA-1, because many of our test certificates use it
|
# Allow SHA-1, because many of our test certificates use it
|
||||||
|
@ -2118,7 +2118,7 @@ run_test "Renego ext: gnutls server unsafe, client break legacy" \
|
||||||
requires_gnutls
|
requires_gnutls
|
||||||
run_test "Renego ext: gnutls client strict, server default" \
|
run_test "Renego ext: gnutls client strict, server default" \
|
||||||
"$P_SRV debug_level=3" \
|
"$P_SRV debug_level=3" \
|
||||||
"$G_CLI --priority=NORMAL:%SAFE_RENEGOTIATION" \
|
"$G_CLI --priority=NORMAL:%SAFE_RENEGOTIATION localhost" \
|
||||||
0 \
|
0 \
|
||||||
-s "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
|
-s "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
|
||||||
-s "server hello, secure renegotiation extension"
|
-s "server hello, secure renegotiation extension"
|
||||||
|
@ -2126,7 +2126,7 @@ run_test "Renego ext: gnutls client strict, server default" \
|
||||||
requires_gnutls
|
requires_gnutls
|
||||||
run_test "Renego ext: gnutls client unsafe, server default" \
|
run_test "Renego ext: gnutls client unsafe, server default" \
|
||||||
"$P_SRV debug_level=3" \
|
"$P_SRV debug_level=3" \
|
||||||
"$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
|
"$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION localhost" \
|
||||||
0 \
|
0 \
|
||||||
-S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
|
-S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
|
||||||
-S "server hello, secure renegotiation extension"
|
-S "server hello, secure renegotiation extension"
|
||||||
|
@ -2134,7 +2134,7 @@ run_test "Renego ext: gnutls client unsafe, server default" \
|
||||||
requires_gnutls
|
requires_gnutls
|
||||||
run_test "Renego ext: gnutls client unsafe, server break legacy" \
|
run_test "Renego ext: gnutls client unsafe, server break legacy" \
|
||||||
"$P_SRV debug_level=3 allow_legacy=-1" \
|
"$P_SRV debug_level=3 allow_legacy=-1" \
|
||||||
"$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
|
"$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION localhost" \
|
||||||
1 \
|
1 \
|
||||||
-S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
|
-S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
|
||||||
-S "server hello, secure renegotiation extension"
|
-S "server hello, secure renegotiation extension"
|
||||||
|
@ -2145,7 +2145,7 @@ requires_gnutls
|
||||||
run_test "DER format: no trailing bytes" \
|
run_test "DER format: no trailing bytes" \
|
||||||
"$P_SRV crt_file=data_files/server5-der0.crt \
|
"$P_SRV crt_file=data_files/server5-der0.crt \
|
||||||
key_file=data_files/server5.key" \
|
key_file=data_files/server5.key" \
|
||||||
"$G_CLI " \
|
"$G_CLI localhost" \
|
||||||
0 \
|
0 \
|
||||||
-c "Handshake was completed" \
|
-c "Handshake was completed" \
|
||||||
|
|
||||||
|
@ -2153,7 +2153,7 @@ requires_gnutls
|
||||||
run_test "DER format: with a trailing zero byte" \
|
run_test "DER format: with a trailing zero byte" \
|
||||||
"$P_SRV crt_file=data_files/server5-der1a.crt \
|
"$P_SRV crt_file=data_files/server5-der1a.crt \
|
||||||
key_file=data_files/server5.key" \
|
key_file=data_files/server5.key" \
|
||||||
"$G_CLI " \
|
"$G_CLI localhost" \
|
||||||
0 \
|
0 \
|
||||||
-c "Handshake was completed" \
|
-c "Handshake was completed" \
|
||||||
|
|
||||||
|
@ -2161,7 +2161,7 @@ requires_gnutls
|
||||||
run_test "DER format: with a trailing random byte" \
|
run_test "DER format: with a trailing random byte" \
|
||||||
"$P_SRV crt_file=data_files/server5-der1b.crt \
|
"$P_SRV crt_file=data_files/server5-der1b.crt \
|
||||||
key_file=data_files/server5.key" \
|
key_file=data_files/server5.key" \
|
||||||
"$G_CLI " \
|
"$G_CLI localhost" \
|
||||||
0 \
|
0 \
|
||||||
-c "Handshake was completed" \
|
-c "Handshake was completed" \
|
||||||
|
|
||||||
|
@ -2169,7 +2169,7 @@ requires_gnutls
|
||||||
run_test "DER format: with 2 trailing random bytes" \
|
run_test "DER format: with 2 trailing random bytes" \
|
||||||
"$P_SRV crt_file=data_files/server5-der2.crt \
|
"$P_SRV crt_file=data_files/server5-der2.crt \
|
||||||
key_file=data_files/server5.key" \
|
key_file=data_files/server5.key" \
|
||||||
"$G_CLI " \
|
"$G_CLI localhost" \
|
||||||
0 \
|
0 \
|
||||||
-c "Handshake was completed" \
|
-c "Handshake was completed" \
|
||||||
|
|
||||||
|
@ -2177,7 +2177,7 @@ requires_gnutls
|
||||||
run_test "DER format: with 4 trailing random bytes" \
|
run_test "DER format: with 4 trailing random bytes" \
|
||||||
"$P_SRV crt_file=data_files/server5-der4.crt \
|
"$P_SRV crt_file=data_files/server5-der4.crt \
|
||||||
key_file=data_files/server5.key" \
|
key_file=data_files/server5.key" \
|
||||||
"$G_CLI " \
|
"$G_CLI localhost" \
|
||||||
0 \
|
0 \
|
||||||
-c "Handshake was completed" \
|
-c "Handshake was completed" \
|
||||||
|
|
||||||
|
@ -2185,7 +2185,7 @@ requires_gnutls
|
||||||
run_test "DER format: with 8 trailing random bytes" \
|
run_test "DER format: with 8 trailing random bytes" \
|
||||||
"$P_SRV crt_file=data_files/server5-der8.crt \
|
"$P_SRV crt_file=data_files/server5-der8.crt \
|
||||||
key_file=data_files/server5.key" \
|
key_file=data_files/server5.key" \
|
||||||
"$G_CLI " \
|
"$G_CLI localhost" \
|
||||||
0 \
|
0 \
|
||||||
-c "Handshake was completed" \
|
-c "Handshake was completed" \
|
||||||
|
|
||||||
|
@ -2193,7 +2193,7 @@ requires_gnutls
|
||||||
run_test "DER format: with 9 trailing random bytes" \
|
run_test "DER format: with 9 trailing random bytes" \
|
||||||
"$P_SRV crt_file=data_files/server5-der9.crt \
|
"$P_SRV crt_file=data_files/server5-der9.crt \
|
||||||
key_file=data_files/server5.key" \
|
key_file=data_files/server5.key" \
|
||||||
"$G_CLI " \
|
"$G_CLI localhost" \
|
||||||
0 \
|
0 \
|
||||||
-c "Handshake was completed" \
|
-c "Handshake was completed" \
|
||||||
|
|
||||||
|
@ -3758,14 +3758,14 @@ run_test "Per-version suites: TLS 1.2" \
|
||||||
requires_gnutls
|
requires_gnutls
|
||||||
run_test "ClientHello without extensions, SHA-1 allowed" \
|
run_test "ClientHello without extensions, SHA-1 allowed" \
|
||||||
"$P_SRV debug_level=3" \
|
"$P_SRV debug_level=3" \
|
||||||
"$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
|
"$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION localhost" \
|
||||||
0 \
|
0 \
|
||||||
-s "dumping 'client hello extensions' (0 bytes)"
|
-s "dumping 'client hello extensions' (0 bytes)"
|
||||||
|
|
||||||
requires_gnutls
|
requires_gnutls
|
||||||
run_test "ClientHello without extensions, SHA-1 forbidden in certificates on server" \
|
run_test "ClientHello without extensions, SHA-1 forbidden in certificates on server" \
|
||||||
"$P_SRV debug_level=3 key_file=data_files/server2.key crt_file=data_files/server2.crt allow_sha1=0" \
|
"$P_SRV debug_level=3 key_file=data_files/server2.key crt_file=data_files/server2.crt allow_sha1=0" \
|
||||||
"$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
|
"$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION localhost" \
|
||||||
0 \
|
0 \
|
||||||
-s "dumping 'client hello extensions' (0 bytes)"
|
-s "dumping 'client hello extensions' (0 bytes)"
|
||||||
|
|
||||||
|
@ -5394,35 +5394,31 @@ run_test "DTLS fragmenting: gnutls server, DTLS 1.0" \
|
||||||
-c "fragmenting handshake message" \
|
-c "fragmenting handshake message" \
|
||||||
-C "error"
|
-C "error"
|
||||||
|
|
||||||
# gnutls-cli always tries IPv6 first, and doesn't fall back to IPv4 with DTLS
|
|
||||||
requires_ipv6
|
|
||||||
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
|
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
|
||||||
requires_config_enabled MBEDTLS_RSA_C
|
requires_config_enabled MBEDTLS_RSA_C
|
||||||
requires_config_enabled MBEDTLS_ECDSA_C
|
requires_config_enabled MBEDTLS_ECDSA_C
|
||||||
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
|
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
|
||||||
requires_gnutls
|
requires_gnutls
|
||||||
run_test "DTLS fragmenting: gnutls client, DTLS 1.2" \
|
run_test "DTLS fragmenting: gnutls client, DTLS 1.2" \
|
||||||
"$P_SRV dtls=1 debug_level=2 server_addr=::1 \
|
"$P_SRV dtls=1 debug_level=2 \
|
||||||
crt_file=data_files/server7_int-ca.crt \
|
crt_file=data_files/server7_int-ca.crt \
|
||||||
key_file=data_files/server7.key \
|
key_file=data_files/server7.key \
|
||||||
mtu=512 force_version=dtls1_2" \
|
mtu=512 force_version=dtls1_2" \
|
||||||
"$G_CLI -u" \
|
"$G_CLI -u --insecure 127.0.0.1" \
|
||||||
0 \
|
0 \
|
||||||
-s "fragmenting handshake message"
|
-s "fragmenting handshake message"
|
||||||
|
|
||||||
# gnutls-cli always tries IPv6 first, and doesn't fall back to IPv4 with DTLS
|
|
||||||
requires_ipv6
|
|
||||||
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
|
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
|
||||||
requires_config_enabled MBEDTLS_RSA_C
|
requires_config_enabled MBEDTLS_RSA_C
|
||||||
requires_config_enabled MBEDTLS_ECDSA_C
|
requires_config_enabled MBEDTLS_ECDSA_C
|
||||||
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
|
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
|
||||||
requires_gnutls
|
requires_gnutls
|
||||||
run_test "DTLS fragmenting: gnutls client, DTLS 1.0" \
|
run_test "DTLS fragmenting: gnutls client, DTLS 1.0" \
|
||||||
"$P_SRV dtls=1 debug_level=2 server_addr=::1 \
|
"$P_SRV dtls=1 debug_level=2 \
|
||||||
crt_file=data_files/server7_int-ca.crt \
|
crt_file=data_files/server7_int-ca.crt \
|
||||||
key_file=data_files/server7.key \
|
key_file=data_files/server7.key \
|
||||||
mtu=512 force_version=dtls1" \
|
mtu=512 force_version=dtls1" \
|
||||||
"$G_CLI -u" \
|
"$G_CLI -u --insecure 127.0.0.1" \
|
||||||
0 \
|
0 \
|
||||||
-s "fragmenting handshake message"
|
-s "fragmenting handshake message"
|
||||||
|
|
||||||
|
@ -5524,8 +5520,6 @@ run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.0" \
|
||||||
## We can re-enable them when a fixed version fo GnuTLS is available
|
## We can re-enable them when a fixed version fo GnuTLS is available
|
||||||
## and installed in our CI system.
|
## and installed in our CI system.
|
||||||
##
|
##
|
||||||
## # gnutls-cli always tries IPv6 first, and doesn't fall back to IPv4 with DTLS
|
|
||||||
## requires_ipv6
|
|
||||||
## requires_gnutls
|
## requires_gnutls
|
||||||
## requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
|
## requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
|
||||||
## requires_config_enabled MBEDTLS_RSA_C
|
## requires_config_enabled MBEDTLS_RSA_C
|
||||||
|
@ -5534,16 +5528,14 @@ run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.0" \
|
||||||
## client_needs_more_time 4
|
## client_needs_more_time 4
|
||||||
## run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.2" \
|
## run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.2" \
|
||||||
## -p "$P_PXY drop=8 delay=8 duplicate=8" \
|
## -p "$P_PXY drop=8 delay=8 duplicate=8" \
|
||||||
## "$P_SRV dtls=1 debug_level=2 server_addr=::1 \
|
## "$P_SRV dtls=1 debug_level=2 \
|
||||||
## crt_file=data_files/server7_int-ca.crt \
|
## crt_file=data_files/server7_int-ca.crt \
|
||||||
## key_file=data_files/server7.key \
|
## key_file=data_files/server7.key \
|
||||||
## hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \
|
## hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \
|
||||||
## "$G_CLI -u" \
|
## "$G_CLI -u --insecure 127.0.0.1" \
|
||||||
## 0 \
|
## 0 \
|
||||||
## -s "fragmenting handshake message"
|
## -s "fragmenting handshake message"
|
||||||
##
|
##
|
||||||
## # gnutls-cli always tries IPv6 first, and doesn't fall back to IPv4 with DTLS
|
|
||||||
## requires_ipv6
|
|
||||||
## requires_gnutls
|
## requires_gnutls
|
||||||
## requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
|
## requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
|
||||||
## requires_config_enabled MBEDTLS_RSA_C
|
## requires_config_enabled MBEDTLS_RSA_C
|
||||||
|
@ -5552,11 +5544,11 @@ run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.0" \
|
||||||
## client_needs_more_time 4
|
## client_needs_more_time 4
|
||||||
## run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.0" \
|
## run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.0" \
|
||||||
## -p "$P_PXY drop=8 delay=8 duplicate=8" \
|
## -p "$P_PXY drop=8 delay=8 duplicate=8" \
|
||||||
## "$P_SRV dtls=1 debug_level=2 server_addr=::1 \
|
## "$P_SRV dtls=1 debug_level=2 \
|
||||||
## crt_file=data_files/server7_int-ca.crt \
|
## crt_file=data_files/server7_int-ca.crt \
|
||||||
## key_file=data_files/server7.key \
|
## key_file=data_files/server7.key \
|
||||||
## hs_timeout=250-60000 mtu=512 force_version=dtls1" \
|
## hs_timeout=250-60000 mtu=512 force_version=dtls1" \
|
||||||
## "$G_CLI -u" \
|
## "$G_CLI -u --insecure 127.0.0.1" \
|
||||||
## 0 \
|
## 0 \
|
||||||
## -s "fragmenting handshake message"
|
## -s "fragmenting handshake message"
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue