TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-crypto / ce66d5e8e1471bb60d726e4def0520f46e9c0057 / . / tests / ssl-opt.sh
blob: 50fb0f94b9535d8623e15407e2e704f79672c5d3 [file] [log] [blame]
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1#!/bin/sh
2
Simon Butcher58eddef2016-05-19 23:43:11 +0100[diff] [blame]3# ssl-opt.sh
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]4#
Simon Butcher58eddef2016-05-19 23:43:11 +0100[diff] [blame]5# This file is part of mbed TLS (https://tls.mbed.org)
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]6#
Simon Butcher58eddef2016-05-19 23:43:11 +0100[diff] [blame]7# Copyright (c) 2016, ARM Limited, All Rights Reserved
8#
9# Purpose
10#
11# Executes tests to prove various TLS/SSL options and extensions.
12#
13# The goal is not to cover every ciphersuite/version, but instead to cover
14# specific options (max fragment length, truncated hmac, etc) or procedures
15# (session resumption from cache or ticket, renego, etc).
16#
17# The tests assume a build with default options, with exceptions expressed
18# with a dependency. The tests focus on functionality and do not consider
19# performance.
20#
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]21
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]22set -u
23
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]24# default values, can be overriden by the environment
25: ${P_SRV:=../programs/ssl/ssl_server2}
26: ${P_CLI:=../programs/ssl/ssl_client2}
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]27: ${P_PXY:=../programs/test/udp_proxy}
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]28: ${OPENSSL_CMD:=openssl} # OPENSSL would conflict with the build system
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]29: ${GNUTLS_CLI:=gnutls-cli}
30: ${GNUTLS_SERV:=gnutls-serv}
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]31: ${PERL:=perl}
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]32
Manuel Pégourié-Gonnardfa60f122014-09-26 16:07:29 +0200[diff] [blame]33O_SRV="$OPENSSL_CMD s_server -www -cert data_files/server5.crt -key data_files/server5.key"
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]34O_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_CMD s_client"
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]35G_SRV="$GNUTLS_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]36G_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_CLI --x509cafile data_files/test-ca_cat12.crt"
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]37TCP_CLIENT="$PERL scripts/tcp_client.pl"
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]38
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]39TESTS=0
40FAILS=0
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]41SKIPS=0
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]42
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]43CONFIG_H='../include/mbedtls/config.h'
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]44
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]45MEMCHECK=0
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]46FILTER='.*'
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]47EXCLUDE='^$'
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]48
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]49SHOW_TEST_NUMBER=0
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]50RUN_TEST_NUMBER=''
51
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]52PRESERVE_LOGS=0
53
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]54# Pick a "unique" server port in the range 10000-19999, and a proxy
55# port which is this plus 10000. Each port number may be independently
56# overridden by a command line option.
57SRV_PORT=$(($$ % 10000 + 10000))
58PXY_PORT=$((SRV_PORT + 10000))
59
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]60print_usage() {
61 echo "Usage: $0 [options]"
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]62 printf " -h|--help\tPrint this help.\n"
63 printf " -m|--memcheck\tCheck memory leaks and errors.\n"
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]64 printf " -f|--filter\tOnly matching tests are executed (BRE; default: '$FILTER')\n"
65 printf " -e|--exclude\tMatching tests are excluded (BRE; default: '$EXCLUDE')\n"
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]66 printf " -n|--number\tExecute only numbered test (comma-separated, e.g. '245,256')\n"
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]67 printf " -s|--show-numbers\tShow test numbers in front of test names\n"
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]68 printf " -p|--preserve-logs\tPreserve logs of successful tests as well\n"
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]69 printf " --port\tTCP/UDP port (default: randomish 1xxxx)\n"
70 printf " --proxy-port\tTCP/UDP proxy port (default: randomish 2xxxx)\n"
Andres AGf04f54d2016-10-10 15:46:20 +0100[diff] [blame]71 printf " --seed\tInteger seed value to use for this test run\n"
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]72}
73
74get_options() {
75 while [ $# -gt 0 ]; do
76 case "$1" in
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]77 -f|--filter)
78 shift; FILTER=$1
79 ;;
80 -e|--exclude)
81 shift; EXCLUDE=$1
82 ;;
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]83 -m|--memcheck)
84 MEMCHECK=1
85 ;;
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]86 -n|--number)
87 shift; RUN_TEST_NUMBER=$1
88 ;;
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]89 -s|--show-numbers)
90 SHOW_TEST_NUMBER=1
91 ;;
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]92 -p|--preserve-logs)
93 PRESERVE_LOGS=1
94 ;;
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]95 --port)
96 shift; SRV_PORT=$1
97 ;;
98 --proxy-port)
99 shift; PXY_PORT=$1
100 ;;
Andres AGf04f54d2016-10-10 15:46:20 +0100[diff] [blame]101 --seed)
102 shift; SEED="$1"
103 ;;
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]104 -h|--help)
105 print_usage
106 exit 0
107 ;;
108 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]109 echo "Unknown argument: '$1'"
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]110 print_usage
111 exit 1
112 ;;
113 esac
114 shift
115 done
116}
117
Manuel Pégourié-Gonnard988209f2015-03-24 10:43:55 +0100[diff] [blame]118# skip next test if the flag is not enabled in config.h
119requires_config_enabled() {
120 if grep "^#define $1" $CONFIG_H > /dev/null; then :; else
121 SKIP_NEXT="YES"
122 fi
123}
124
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]125# skip next test if the flag is enabled in config.h
126requires_config_disabled() {
127 if grep "^#define $1" $CONFIG_H > /dev/null; then
128 SKIP_NEXT="YES"
129 fi
130}
131
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]132# skip next test if OpenSSL doesn't support FALLBACK_SCSV
133requires_openssl_with_fallback_scsv() {
134 if [ -z "${OPENSSL_HAS_FBSCSV:-}" ]; then
135 if $OPENSSL_CMD s_client -help 2>&1 | grep fallback_scsv >/dev/null
136 then
137 OPENSSL_HAS_FBSCSV="YES"
138 else
139 OPENSSL_HAS_FBSCSV="NO"
140 fi
141 fi
142 if [ "$OPENSSL_HAS_FBSCSV" = "NO" ]; then
143 SKIP_NEXT="YES"
144 fi
145}
146
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]147# skip next test if GnuTLS isn't available
148requires_gnutls() {
149 if [ -z "${GNUTLS_AVAILABLE:-}" ]; then
Manuel Pégourié-Gonnard03db6b02015-06-26 15:45:30 +0200[diff] [blame]150 if ( which "$GNUTLS_CLI" && which "$GNUTLS_SERV" ) >/dev/null 2>&1; then
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]151 GNUTLS_AVAILABLE="YES"
152 else
153 GNUTLS_AVAILABLE="NO"
154 fi
155 fi
156 if [ "$GNUTLS_AVAILABLE" = "NO" ]; then
157 SKIP_NEXT="YES"
158 fi
159}
160
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]161# skip next test if IPv6 isn't available on this host
162requires_ipv6() {
163 if [ -z "${HAS_IPV6:-}" ]; then
164 $P_SRV server_addr='::1' > $SRV_OUT 2>&1 &
165 SRV_PID=$!
166 sleep 1
167 kill $SRV_PID >/dev/null 2>&1
168 if grep "NET - Binding of the socket failed" $SRV_OUT >/dev/null; then
169 HAS_IPV6="NO"
170 else
171 HAS_IPV6="YES"
172 fi
173 rm -r $SRV_OUT
174 fi
175
176 if [ "$HAS_IPV6" = "NO" ]; then
177 SKIP_NEXT="YES"
178 fi
179}
180
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]181# skip the next test if valgrind is in use
182not_with_valgrind() {
183 if [ "$MEMCHECK" -gt 0 ]; then
184 SKIP_NEXT="YES"
185 fi
186}
187
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]188# skip the next test if valgrind is NOT in use
189only_with_valgrind() {
190 if [ "$MEMCHECK" -eq 0 ]; then
191 SKIP_NEXT="YES"
192 fi
193}
194
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]195# multiply the client timeout delay by the given factor for the next test
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]196client_needs_more_time() {
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]197 CLI_DELAY_FACTOR=$1
198}
199
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]200# wait for the given seconds after the client finished in the next test
201server_needs_more_time() {
202 SRV_DELAY_SECONDS=$1
203}
204
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]205# print_name <name>
206print_name() {
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]207 TESTS=$(( $TESTS + 1 ))
208 LINE=""
209
210 if [ "$SHOW_TEST_NUMBER" -gt 0 ]; then
211 LINE="$TESTS "
212 fi
213
214 LINE="$LINE$1"
215 printf "$LINE "
216 LEN=$(( 72 - `echo "$LINE" | wc -c` ))
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]217 for i in `seq 1 $LEN`; do printf '.'; done
218 printf ' '
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]219
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]220}
221
222# fail <message>
223fail() {
224 echo "FAIL"
Manuel Pégourié-Gonnard3eec6042014-02-27 15:37:24 +0100[diff] [blame]225 echo " ! $1"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]226
Manuel Pégourié-Gonnardc2b00922014-08-31 16:46:04 +0200[diff] [blame]227 mv $SRV_OUT o-srv-${TESTS}.log
228 mv $CLI_OUT o-cli-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]229 if [ -n "$PXY_CMD" ]; then
230 mv $PXY_OUT o-pxy-${TESTS}.log
231 fi
232 echo " ! outputs saved to o-XXX-${TESTS}.log"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]233
Azim Khan19d13732018-03-29 11:04:20 +0100[diff] [blame]234 if [ "X${USER:-}" = Xbuildbot -o "X${LOGNAME:-}" = Xbuildbot -o "${LOG_FAILURE_ON_STDOUT:-0}" != 0 ]; then
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]235 echo " ! server output:"
236 cat o-srv-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]237 echo " ! ========================================================"
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]238 echo " ! client output:"
239 cat o-cli-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]240 if [ -n "$PXY_CMD" ]; then
241 echo " ! ========================================================"
242 echo " ! proxy output:"
243 cat o-pxy-${TESTS}.log
244 fi
245 echo ""
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]246 fi
247
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]248 FAILS=$(( $FAILS + 1 ))
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]249}
250
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]251# is_polar <cmd_line>
252is_polar() {
253 echo "$1" | grep 'ssl_server2\|ssl_client2' > /dev/null
254}
255
Manuel Pégourié-Gonnardfa60f122014-09-26 16:07:29 +0200[diff] [blame]256# openssl s_server doesn't have -www with DTLS
257check_osrv_dtls() {
258 if echo "$SRV_CMD" | grep 's_server.*-dtls' >/dev/null; then
259 NEEDS_INPUT=1
260 SRV_CMD="$( echo $SRV_CMD | sed s/-www// )"
261 else
262 NEEDS_INPUT=0
263 fi
264}
265
266# provide input to commands that need it
267provide_input() {
268 if [ $NEEDS_INPUT -eq 0 ]; then
269 return
270 fi
271
272 while true; do
273 echo "HTTP/1.0 200 OK"
274 sleep 1
275 done
276}
277
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]278# has_mem_err <log_file_name>
279has_mem_err() {
280 if ( grep -F 'All heap blocks were freed -- no leaks are possible' "$1" &&
281 grep -F 'ERROR SUMMARY: 0 errors from 0 contexts' "$1" ) > /dev/null
282 then
283 return 1 # false: does not have errors
284 else
285 return 0 # true: has errors
286 fi
287}
288
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]289# Wait for process $2 to be listening on port $1
290if type lsof >/dev/null 2>/dev/null; then
291 wait_server_start() {
292 START_TIME=$(date +%s)
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]293 if [ "$DTLS" -eq 1 ]; then
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]294 proto=UDP
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]295 else
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]296 proto=TCP
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]297 fi
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]298 # Make a tight loop, server normally takes less than 1s to start.
299 while ! lsof -a -n -b -i "$proto:$1" -p "$2" >/dev/null 2>/dev/null; do
300 if [ $(( $(date +%s) - $START_TIME )) -gt $DOG_DELAY ]; then
301 echo "SERVERSTART TIMEOUT"
302 echo "SERVERSTART TIMEOUT" >> $SRV_OUT
303 break
304 fi
305 # Linux and *BSD support decimal arguments to sleep. On other
306 # OSes this may be a tight loop.
307 sleep 0.1 2>/dev/null || true
308 done
309 }
310else
Gilles Peskine3c9e2b52018-01-08 12:38:15 +0100[diff] [blame]311 echo "Warning: lsof not available, wait_server_start = sleep $START_DELAY"
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]312 wait_server_start() {
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]313 sleep "$START_DELAY"
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]314 }
315fi
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]316
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]317# Given the client or server debug output, parse the unix timestamp that is
Andres Amaya Garcia3b1bdff2017-09-14 12:41:29 +0100[diff] [blame]318# included in the first 4 bytes of the random bytes and check that it's within
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]319# acceptable bounds
320check_server_hello_time() {
321 # Extract the time from the debug (lvl 3) output of the client
Andres Amaya Garcia67d8da52017-09-15 15:49:24 +0100[diff] [blame]322 SERVER_HELLO_TIME="$(sed -n 's/.*server hello, current time: //p' < "$1")"
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]323 # Get the Unix timestamp for now
324 CUR_TIME=$(date +'%s')
325 THRESHOLD_IN_SECS=300
326
327 # Check if the ServerHello time was printed
328 if [ -z "$SERVER_HELLO_TIME" ]; then
329 return 1
330 fi
331
332 # Check the time in ServerHello is within acceptable bounds
333 if [ $SERVER_HELLO_TIME -lt $(( $CUR_TIME - $THRESHOLD_IN_SECS )) ]; then
334 # The time in ServerHello is at least 5 minutes before now
335 return 1
336 elif [ $SERVER_HELLO_TIME -gt $(( $CUR_TIME + $THRESHOLD_IN_SECS )) ]; then
Andres Amaya Garcia3b1bdff2017-09-14 12:41:29 +0100[diff] [blame]337 # The time in ServerHello is at least 5 minutes later than now
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]338 return 1
339 else
340 return 0
341 fi
342}
343
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]344# wait for client to terminate and set CLI_EXIT
345# must be called right after starting the client
346wait_client_done() {
347 CLI_PID=$!
348
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]349 CLI_DELAY=$(( $DOG_DELAY * $CLI_DELAY_FACTOR ))
350 CLI_DELAY_FACTOR=1
351
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]352 ( sleep $CLI_DELAY; echo "===CLIENT_TIMEOUT===" >> $CLI_OUT; kill $CLI_PID ) &
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]353 DOG_PID=$!
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]354
355 wait $CLI_PID
356 CLI_EXIT=$?
357
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]358 kill $DOG_PID >/dev/null 2>&1
359 wait $DOG_PID
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]360
361 echo "EXIT: $CLI_EXIT" >> $CLI_OUT
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]362
363 sleep $SRV_DELAY_SECONDS
364 SRV_DELAY_SECONDS=0
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]365}
366
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]367# check if the given command uses dtls and sets global variable DTLS
368detect_dtls() {
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]369 if echo "$1" | grep 'dtls=1\|-dtls1\|-u' >/dev/null; then
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]370 DTLS=1
371 else
372 DTLS=0
373 fi
374}
375
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]376# Usage: run_test name [-p proxy_cmd] srv_cmd cli_cmd cli_exit [option [...]]
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]377# Options: -s pattern pattern that must be present in server output
378# -c pattern pattern that must be present in client output
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]379# -u pattern lines after pattern must be unique in client output
Andres Amaya Garcia93993de2017-09-06 15:38:07 +0100[diff] [blame]380# -f call shell function on client output
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]381# -S pattern pattern that must be absent in server output
382# -C pattern pattern that must be absent in client output
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]383# -U pattern lines after pattern must be unique in server output
Andres Amaya Garcia93993de2017-09-06 15:38:07 +0100[diff] [blame]384# -F call shell function on server output
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]385run_test() {
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]386 NAME="$1"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]387 shift 1
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]388
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]389 if echo "$NAME" | grep "$FILTER" | grep -v "$EXCLUDE" >/dev/null; then :
390 else
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]391 SKIP_NEXT="NO"
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]392 return
393 fi
394
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]395 print_name "$NAME"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]396
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]397 # Do we only run numbered tests?
398 if [ "X$RUN_TEST_NUMBER" = "X" ]; then :
399 elif echo ",$RUN_TEST_NUMBER," | grep ",$TESTS," >/dev/null; then :
400 else
401 SKIP_NEXT="YES"
402 fi
403
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]404 # should we skip?
405 if [ "X$SKIP_NEXT" = "XYES" ]; then
406 SKIP_NEXT="NO"
407 echo "SKIP"
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]408 SKIPS=$(( $SKIPS + 1 ))
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]409 return
410 fi
411
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]412 # does this test use a proxy?
413 if [ "X$1" = "X-p" ]; then
414 PXY_CMD="$2"
415 shift 2
416 else
417 PXY_CMD=""
418 fi
419
420 # get commands and client output
421 SRV_CMD="$1"
422 CLI_CMD="$2"
423 CLI_EXPECT="$3"
424 shift 3
425
426 # fix client port
427 if [ -n "$PXY_CMD" ]; then
428 CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$PXY_PORT/g )
429 else
430 CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$SRV_PORT/g )
431 fi
432
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]433 # update DTLS variable
434 detect_dtls "$SRV_CMD"
435
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]436 # prepend valgrind to our commands if active
437 if [ "$MEMCHECK" -gt 0 ]; then
438 if is_polar "$SRV_CMD"; then
439 SRV_CMD="valgrind --leak-check=full $SRV_CMD"
440 fi
441 if is_polar "$CLI_CMD"; then
442 CLI_CMD="valgrind --leak-check=full $CLI_CMD"
443 fi
444 fi
445
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]446 TIMES_LEFT=2
447 while [ $TIMES_LEFT -gt 0 ]; do
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]448 TIMES_LEFT=$(( $TIMES_LEFT - 1 ))
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]449
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]450 # run the commands
451 if [ -n "$PXY_CMD" ]; then
452 echo "$PXY_CMD" > $PXY_OUT
453 $PXY_CMD >> $PXY_OUT 2>&1 &
454 PXY_PID=$!
455 # assume proxy starts faster than server
456 fi
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]457
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]458 check_osrv_dtls
459 echo "$SRV_CMD" > $SRV_OUT
460 provide_input | $SRV_CMD >> $SRV_OUT 2>&1 &
461 SRV_PID=$!
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]462 wait_server_start "$SRV_PORT" "$SRV_PID"
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]463
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]464 echo "$CLI_CMD" > $CLI_OUT
465 eval "$CLI_CMD" >> $CLI_OUT 2>&1 &
466 wait_client_done
Manuel Pégourié-Gonnarde01af4c2014-03-25 14:16:44 +0100[diff] [blame]467
Hanno Beckercadb5bb2017-05-26 13:56:10 +0100[diff] [blame]468 sleep 0.05
469
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]470 # terminate the server (and the proxy)
471 kill $SRV_PID
472 wait $SRV_PID
Hanno Beckerd82d8462017-05-29 21:37:46 +0100[diff] [blame]473
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]474 if [ -n "$PXY_CMD" ]; then
475 kill $PXY_PID >/dev/null 2>&1
476 wait $PXY_PID
477 fi
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]478
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]479 # retry only on timeouts
480 if grep '===CLIENT_TIMEOUT===' $CLI_OUT >/dev/null; then
481 printf "RETRY "
482 else
483 TIMES_LEFT=0
484 fi
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]485 done
486
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]487 # check if the client and server went at least to the handshake stage
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]488 # (useful to avoid tests with only negative assertions and non-zero
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]489 # expected client exit to incorrectly succeed in case of catastrophic
490 # failure)
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]491 if is_polar "$SRV_CMD"; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]492 if grep "Performing the SSL/TLS handshake" $SRV_OUT >/dev/null; then :;
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]493 else
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]494 fail "server or client failed to reach handshake stage"
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]495 return
496 fi
497 fi
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]498 if is_polar "$CLI_CMD"; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]499 if grep "Performing the SSL/TLS handshake" $CLI_OUT >/dev/null; then :;
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]500 else
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]501 fail "server or client failed to reach handshake stage"
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]502 return
503 fi
504 fi
505
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]506 # check server exit code
507 if [ $? != 0 ]; then
508 fail "server fail"
509 return
510 fi
511
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]512 # check client exit code
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]513 if [ \( "$CLI_EXPECT" = 0 -a "$CLI_EXIT" != 0 \) -o \
514 \( "$CLI_EXPECT" != 0 -a "$CLI_EXIT" = 0 \) ]
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]515 then
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]516 fail "bad client exit code (expected $CLI_EXPECT, got $CLI_EXIT)"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]517 return
518 fi
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]519
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]520 # check other assertions
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]521 # lines beginning with == are added by valgrind, ignore them
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]522 # lines with 'Serious error when reading debug info', are valgrind issues as well
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]523 while [ $# -gt 0 ]
524 do
525 case $1 in
526 "-s")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]527 if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]528 fail "pattern '$2' MUST be present in the Server output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]529 return
530 fi
531 ;;
532
533 "-c")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]534 if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]535 fail "pattern '$2' MUST be present in the Client output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]536 return
537 fi
538 ;;
539
540 "-S")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]541 if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]542 fail "pattern '$2' MUST NOT be present in the Server output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]543 return
544 fi
545 ;;
546
547 "-C")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]548 if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]549 fail "pattern '$2' MUST NOT be present in the Client output"
550 return
551 fi
552 ;;
553
554 # The filtering in the following two options (-u and -U) do the following
555 # - ignore valgrind output
556 # - filter out everything but lines right after the pattern occurances
557 # - keep one of each non-unique line
558 # - count how many lines remain
559 # A line with '--' will remain in the result from previous outputs, so the number of lines in the result will be 1
560 # if there were no duplicates.
561 "-U")
562 if [ $(grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
563 fail "lines following pattern '$2' must be unique in Server output"
564 return
565 fi
566 ;;
567
568 "-u")
569 if [ $(grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
570 fail "lines following pattern '$2' must be unique in Client output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]571 return
572 fi
573 ;;
Andres Amaya Garcia93993de2017-09-06 15:38:07 +0100[diff] [blame]574 "-F")
575 if ! $2 "$SRV_OUT"; then
576 fail "function call to '$2' failed on Server output"
577 return
578 fi
579 ;;
580 "-f")
581 if ! $2 "$CLI_OUT"; then
582 fail "function call to '$2' failed on Client output"
583 return
584 fi
585 ;;
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]586
587 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]588 echo "Unknown test: $1" >&2
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]589 exit 1
590 esac
591 shift 2
592 done
593
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]594 # check valgrind's results
595 if [ "$MEMCHECK" -gt 0 ]; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]596 if is_polar "$SRV_CMD" && has_mem_err $SRV_OUT; then
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]597 fail "Server has memory errors"
598 return
599 fi
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]600 if is_polar "$CLI_CMD" && has_mem_err $CLI_OUT; then
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]601 fail "Client has memory errors"
602 return
603 fi
604 fi
605
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]606 # if we're here, everything is ok
607 echo "PASS"
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]608 if [ "$PRESERVE_LOGS" -gt 0 ]; then
609 mv $SRV_OUT o-srv-${TESTS}.log
610 mv $CLI_OUT o-cli-${TESTS}.log
611 fi
612
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]613 rm -f $SRV_OUT $CLI_OUT $PXY_OUT
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]614}
615
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]616cleanup() {
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]617 rm -f $CLI_OUT $SRV_OUT $PXY_OUT $SESSION
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]618 test -n "${SRV_PID:-}" && kill $SRV_PID >/dev/null 2>&1
619 test -n "${PXY_PID:-}" && kill $PXY_PID >/dev/null 2>&1
620 test -n "${CLI_PID:-}" && kill $CLI_PID >/dev/null 2>&1
621 test -n "${DOG_PID:-}" && kill $DOG_PID >/dev/null 2>&1
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]622 exit 1
623}
624
Manuel Pégourié-Gonnard9dea8bd2014-02-26 18:21:02 +0100[diff] [blame]625#
626# MAIN
627#
628
Manuel Pégourié-Gonnard19db8ea2015-03-10 13:41:04 +0000[diff] [blame]629if cd $( dirname $0 ); then :; else
630 echo "cd $( dirname $0 ) failed" >&2
631 exit 1
632fi
633
Manuel Pégourié-Gonnard913030c2014-03-28 10:12:38 +0100[diff] [blame]634get_options "$@"
635
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]636# sanity checks, avoid an avalanche of errors
Hanno Becker4ac73e72017-10-23 15:27:37 +0100[diff] [blame]637P_SRV_BIN="${P_SRV%%[ ]*}"
638P_CLI_BIN="${P_CLI%%[ ]*}"
639P_PXY_BIN="${P_PXY%%[ ]*}"
Hanno Becker17c04932017-10-10 14:44:53 +0100[diff] [blame]640if [ ! -x "$P_SRV_BIN" ]; then
641 echo "Command '$P_SRV_BIN' is not an executable file"
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]642 exit 1
643fi
Hanno Becker17c04932017-10-10 14:44:53 +0100[diff] [blame]644if [ ! -x "$P_CLI_BIN" ]; then
645 echo "Command '$P_CLI_BIN' is not an executable file"
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]646 exit 1
647fi
Hanno Becker17c04932017-10-10 14:44:53 +0100[diff] [blame]648if [ ! -x "$P_PXY_BIN" ]; then
649 echo "Command '$P_PXY_BIN' is not an executable file"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]650 exit 1
651fi
Simon Butcher3c0d7b82016-05-23 11:13:17 +0100[diff] [blame]652if [ "$MEMCHECK" -gt 0 ]; then
653 if which valgrind >/dev/null 2>&1; then :; else
654 echo "Memcheck not possible. Valgrind not found"
655 exit 1
656 fi
657fi
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]658if which $OPENSSL_CMD >/dev/null 2>&1; then :; else
659 echo "Command '$OPENSSL_CMD' not found"
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]660 exit 1
661fi
662
Manuel Pégourié-Gonnard32f8f4d2014-05-29 11:31:20 +0200[diff] [blame]663# used by watchdog
664MAIN_PID="$$"
665
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]666# We use somewhat arbitrary delays for tests:
667# - how long do we wait for the server to start (when lsof not available)?
668# - how long do we allow for the client to finish?
669# (not to check performance, just to avoid waiting indefinitely)
670# Things are slower with valgrind, so give extra time here.
671#
672# Note: without lsof, there is a trade-off between the running time of this
673# script and the risk of spurious errors because we didn't wait long enough.
674# The watchdog delay on the other hand doesn't affect normal running time of
675# the script, only the case where a client or server gets stuck.
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]676if [ "$MEMCHECK" -gt 0 ]; then
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]677 START_DELAY=6
678 DOG_DELAY=60
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]679else
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]680 START_DELAY=2
681 DOG_DELAY=20
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]682fi
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]683
684# some particular tests need more time:
685# - for the client, we multiply the usual watchdog limit by a factor
686# - for the server, we sleep for a number of seconds after the client exits
687# see client_need_more_time() and server_needs_more_time()
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]688CLI_DELAY_FACTOR=1
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]689SRV_DELAY_SECONDS=0
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]690
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]691# fix commands to use this port, force IPv4 while at it
Manuel Pégourié-Gonnard0af1ba32015-01-21 11:44:33 +0000[diff] [blame]692# +SRV_PORT will be replaced by either $SRV_PORT or $PXY_PORT later
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]693P_SRV="$P_SRV server_addr=127.0.0.1 server_port=$SRV_PORT"
694P_CLI="$P_CLI server_addr=127.0.0.1 server_port=+SRV_PORT"
Andres AGf04f54d2016-10-10 15:46:20 +0100[diff] [blame]695P_PXY="$P_PXY server_addr=127.0.0.1 server_port=$SRV_PORT listen_addr=127.0.0.1 listen_port=$PXY_PORT ${SEED:+"seed=$SEED"}"
Manuel Pégourié-Gonnard61957672015-06-18 17:54:58 +0200[diff] [blame]696O_SRV="$O_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]697O_CLI="$O_CLI -connect localhost:+SRV_PORT"
698G_SRV="$G_SRV -p $SRV_PORT"
Manuel Pégourié-Gonnard0af1ba32015-01-21 11:44:33 +0000[diff] [blame]699G_CLI="$G_CLI -p +SRV_PORT localhost"
Manuel Pégourié-Gonnard8066b812014-05-28 22:59:30 +0200[diff] [blame]700
Gilles Peskine62469d92017-05-10 10:13:59 +0200[diff] [blame]701# Allow SHA-1, because many of our test certificates use it
702P_SRV="$P_SRV allow_sha1=1"
703P_CLI="$P_CLI allow_sha1=1"
704
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]705# Also pick a unique name for intermediate files
706SRV_OUT="srv_out.$$"
707CLI_OUT="cli_out.$$"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]708PXY_OUT="pxy_out.$$"
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]709SESSION="session.$$"
710
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]711SKIP_NEXT="NO"
712
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]713trap cleanup INT TERM HUP
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]714
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]715# Basic test
716
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]717# Checks that:
718# - things work with all ciphersuites active (used with config-full in all.sh)
719# - the expected (highest security) parameters are selected
720# ("signature_algorithm ext: 6" means SHA-512 (highest common hash))
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]721run_test "Default" \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]722 "$P_SRV debug_level=3" \
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]723 "$P_CLI" \
724 0 \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]725 -s "Protocol is TLSv1.2" \
Manuel Pégourié-Gonnardce66d5e2018-06-14 11:11:15 +0200[diff] [blame^]726 -s "Ciphersuite is TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256" \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]727 -s "client hello v3, signature_algorithm ext: 6" \
728 -s "ECDHE curve: secp521r1" \
729 -S "error" \
730 -C "error"
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]731
Manuel Pégourié-Gonnard3bb08012015-01-22 13:34:21 +0000[diff] [blame]732run_test "Default, DTLS" \
733 "$P_SRV dtls=1" \
734 "$P_CLI dtls=1" \
735 0 \
736 -s "Protocol is DTLSv1.2" \
Manuel Pégourié-Gonnardce66d5e2018-06-14 11:11:15 +0200[diff] [blame^]737 -s "Ciphersuite is TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256"
Manuel Pégourié-Gonnard3bb08012015-01-22 13:34:21 +0000[diff] [blame]738
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]739# Test current time in ServerHello
740requires_config_enabled MBEDTLS_HAVE_TIME
Manuel Pégourié-Gonnardce66d5e2018-06-14 11:11:15 +0200[diff] [blame^]741run_test "ServerHello contains gmt_unix_time" \
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]742 "$P_SRV debug_level=3" \
743 "$P_CLI debug_level=3" \
744 0 \
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]745 -f "check_server_hello_time" \
746 -F "check_server_hello_time"
747
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]748# Test for uniqueness of IVs in AEAD ciphersuites
749run_test "Unique IV in GCM" \
750 "$P_SRV exchanges=20 debug_level=4" \
751 "$P_CLI exchanges=20 debug_level=4 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
752 0 \
753 -u "IV used" \
754 -U "IV used"
755
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]756# Tests for rc4 option
757
Simon Butchera410af52016-05-19 22:12:18 +0100[diff] [blame]758requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]759run_test "RC4: server disabled, client enabled" \
760 "$P_SRV" \
761 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
762 1 \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]763 -s "SSL - The server has no ciphersuites in common"
764
Simon Butchera410af52016-05-19 22:12:18 +0100[diff] [blame]765requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]766run_test "RC4: server half, client enabled" \
767 "$P_SRV arc4=1" \
768 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
769 1 \
770 -s "SSL - The server has no ciphersuites in common"
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]771
772run_test "RC4: server enabled, client disabled" \
773 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
774 "$P_CLI" \
775 1 \
776 -s "SSL - The server has no ciphersuites in common"
777
778run_test "RC4: both enabled" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]779 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]780 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
781 0 \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]782 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]783 -S "SSL - The server has no ciphersuites in common"
784
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]785# Tests for SHA-1 support
786
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]787requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]788run_test "SHA-1 forbidden by default in server certificate" \
789 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
790 "$P_CLI debug_level=2 allow_sha1=0" \
791 1 \
792 -c "The certificate is signed with an unacceptable hash"
793
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]794requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
795run_test "SHA-1 forbidden by default in server certificate" \
796 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
797 "$P_CLI debug_level=2 allow_sha1=0" \
798 0
799
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]800run_test "SHA-1 explicitly allowed in server certificate" \
801 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
802 "$P_CLI allow_sha1=1" \
803 0
804
805run_test "SHA-256 allowed by default in server certificate" \
806 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2-sha256.crt" \
807 "$P_CLI allow_sha1=0" \
808 0
809
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]810requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]811run_test "SHA-1 forbidden by default in client certificate" \
812 "$P_SRV auth_mode=required allow_sha1=0" \
813 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
814 1 \
815 -s "The certificate is signed with an unacceptable hash"
816
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]817requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
818run_test "SHA-1 forbidden by default in client certificate" \
819 "$P_SRV auth_mode=required allow_sha1=0" \
820 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
821 0
822
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]823run_test "SHA-1 explicitly allowed in client certificate" \
824 "$P_SRV auth_mode=required allow_sha1=1" \
825 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
826 0
827
828run_test "SHA-256 allowed by default in client certificate" \
829 "$P_SRV auth_mode=required allow_sha1=0" \
830 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha256.crt" \
831 0
832
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]833# Tests for Truncated HMAC extension
834
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]835run_test "Truncated HMAC: client default, server default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]836 "$P_SRV debug_level=4" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]837 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]838 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]839 -s "dumping 'expected mac' (20 bytes)" \
840 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]841
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]842requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]843run_test "Truncated HMAC: client disabled, server default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]844 "$P_SRV debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]845 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]846 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]847 -s "dumping 'expected mac' (20 bytes)" \
848 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]849
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]850requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]851run_test "Truncated HMAC: client enabled, server default" \
852 "$P_SRV debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]853 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]854 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]855 -s "dumping 'expected mac' (20 bytes)" \
856 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]857
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]858requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]859run_test "Truncated HMAC: client enabled, server disabled" \
860 "$P_SRV debug_level=4 trunc_hmac=0" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]861 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]862 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]863 -s "dumping 'expected mac' (20 bytes)" \
864 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]865
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]866requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker34d0c3f2017-11-17 15:46:24 +0000[diff] [blame]867run_test "Truncated HMAC: client disabled, server enabled" \
868 "$P_SRV debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]869 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Hanno Becker34d0c3f2017-11-17 15:46:24 +0000[diff] [blame]870 0 \
871 -s "dumping 'expected mac' (20 bytes)" \
872 -S "dumping 'expected mac' (10 bytes)"
873
874requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]875run_test "Truncated HMAC: client enabled, server enabled" \
876 "$P_SRV debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]877 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]878 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]879 -S "dumping 'expected mac' (20 bytes)" \
880 -s "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]881
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]882run_test "Truncated HMAC, DTLS: client default, server default" \
883 "$P_SRV dtls=1 debug_level=4" \
884 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
885 0 \
886 -s "dumping 'expected mac' (20 bytes)" \
887 -S "dumping 'expected mac' (10 bytes)"
888
889requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
890run_test "Truncated HMAC, DTLS: client disabled, server default" \
891 "$P_SRV dtls=1 debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]892 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]893 0 \
894 -s "dumping 'expected mac' (20 bytes)" \
895 -S "dumping 'expected mac' (10 bytes)"
896
897requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
898run_test "Truncated HMAC, DTLS: client enabled, server default" \
899 "$P_SRV dtls=1 debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]900 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]901 0 \
902 -s "dumping 'expected mac' (20 bytes)" \
903 -S "dumping 'expected mac' (10 bytes)"
904
905requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
906run_test "Truncated HMAC, DTLS: client enabled, server disabled" \
907 "$P_SRV dtls=1 debug_level=4 trunc_hmac=0" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]908 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]909 0 \
910 -s "dumping 'expected mac' (20 bytes)" \
911 -S "dumping 'expected mac' (10 bytes)"
912
913requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
914run_test "Truncated HMAC, DTLS: client disabled, server enabled" \
915 "$P_SRV dtls=1 debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]916 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]917 0 \
918 -s "dumping 'expected mac' (20 bytes)" \
919 -S "dumping 'expected mac' (10 bytes)"
920
921requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
922run_test "Truncated HMAC, DTLS: client enabled, server enabled" \
923 "$P_SRV dtls=1 debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]924 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]925 0 \
926 -S "dumping 'expected mac' (20 bytes)" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]927 -s "dumping 'expected mac' (10 bytes)"
928
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]929# Tests for Encrypt-then-MAC extension
930
931run_test "Encrypt then MAC: default" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]932 "$P_SRV debug_level=3 \
933 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]934 "$P_CLI debug_level=3" \
935 0 \
936 -c "client hello, adding encrypt_then_mac extension" \
937 -s "found encrypt then mac extension" \
938 -s "server hello, adding encrypt then mac extension" \
939 -c "found encrypt_then_mac extension" \
940 -c "using encrypt then mac" \
941 -s "using encrypt then mac"
942
943run_test "Encrypt then MAC: client enabled, server disabled" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]944 "$P_SRV debug_level=3 etm=0 \
945 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]946 "$P_CLI debug_level=3 etm=1" \
947 0 \
948 -c "client hello, adding encrypt_then_mac extension" \
949 -s "found encrypt then mac extension" \
950 -S "server hello, adding encrypt then mac extension" \
951 -C "found encrypt_then_mac extension" \
952 -C "using encrypt then mac" \
953 -S "using encrypt then mac"
954
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]955run_test "Encrypt then MAC: client enabled, aead cipher" \
956 "$P_SRV debug_level=3 etm=1 \
957 force_ciphersuite=TLS-RSA-WITH-AES-128-GCM-SHA256" \
958 "$P_CLI debug_level=3 etm=1" \
959 0 \
960 -c "client hello, adding encrypt_then_mac extension" \
961 -s "found encrypt then mac extension" \
962 -S "server hello, adding encrypt then mac extension" \
963 -C "found encrypt_then_mac extension" \
964 -C "using encrypt then mac" \
965 -S "using encrypt then mac"
966
967run_test "Encrypt then MAC: client enabled, stream cipher" \
968 "$P_SRV debug_level=3 etm=1 \
969 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]970 "$P_CLI debug_level=3 etm=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]971 0 \
972 -c "client hello, adding encrypt_then_mac extension" \
973 -s "found encrypt then mac extension" \
974 -S "server hello, adding encrypt then mac extension" \
975 -C "found encrypt_then_mac extension" \
976 -C "using encrypt then mac" \
977 -S "using encrypt then mac"
978
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]979run_test "Encrypt then MAC: client disabled, server enabled" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]980 "$P_SRV debug_level=3 etm=1 \
981 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]982 "$P_CLI debug_level=3 etm=0" \
983 0 \
984 -C "client hello, adding encrypt_then_mac extension" \
985 -S "found encrypt then mac extension" \
986 -S "server hello, adding encrypt then mac extension" \
987 -C "found encrypt_then_mac extension" \
988 -C "using encrypt then mac" \
989 -S "using encrypt then mac"
990
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]991requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]992run_test "Encrypt then MAC: client SSLv3, server enabled" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]993 "$P_SRV debug_level=3 min_version=ssl3 \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]994 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]995 "$P_CLI debug_level=3 force_version=ssl3" \
996 0 \
997 -C "client hello, adding encrypt_then_mac extension" \
998 -S "found encrypt then mac extension" \
999 -S "server hello, adding encrypt then mac extension" \
1000 -C "found encrypt_then_mac extension" \
1001 -C "using encrypt then mac" \
1002 -S "using encrypt then mac"
1003
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]1004requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1005run_test "Encrypt then MAC: client enabled, server SSLv3" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]1006 "$P_SRV debug_level=3 force_version=ssl3 \
1007 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]1008 "$P_CLI debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1009 0 \
1010 -c "client hello, adding encrypt_then_mac extension" \
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]1011 -S "found encrypt then mac extension" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1012 -S "server hello, adding encrypt then mac extension" \
1013 -C "found encrypt_then_mac extension" \
1014 -C "using encrypt then mac" \
1015 -S "using encrypt then mac"
1016
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1017# Tests for Extended Master Secret extension
1018
1019run_test "Extended Master Secret: default" \
1020 "$P_SRV debug_level=3" \
1021 "$P_CLI debug_level=3" \
1022 0 \
1023 -c "client hello, adding extended_master_secret extension" \
1024 -s "found extended master secret extension" \
1025 -s "server hello, adding extended master secret extension" \
1026 -c "found extended_master_secret extension" \
1027 -c "using extended master secret" \
1028 -s "using extended master secret"
1029
1030run_test "Extended Master Secret: client enabled, server disabled" \
1031 "$P_SRV debug_level=3 extended_ms=0" \
1032 "$P_CLI debug_level=3 extended_ms=1" \
1033 0 \
1034 -c "client hello, adding extended_master_secret extension" \
1035 -s "found extended master secret extension" \
1036 -S "server hello, adding extended master secret extension" \
1037 -C "found extended_master_secret extension" \
1038 -C "using extended master secret" \
1039 -S "using extended master secret"
1040
1041run_test "Extended Master Secret: client disabled, server enabled" \
1042 "$P_SRV debug_level=3 extended_ms=1" \
1043 "$P_CLI debug_level=3 extended_ms=0" \
1044 0 \
1045 -C "client hello, adding extended_master_secret extension" \
1046 -S "found extended master secret extension" \
1047 -S "server hello, adding extended master secret extension" \
1048 -C "found extended_master_secret extension" \
1049 -C "using extended master secret" \
1050 -S "using extended master secret"
1051
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]1052requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]1053run_test "Extended Master Secret: client SSLv3, server enabled" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]1054 "$P_SRV debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]1055 "$P_CLI debug_level=3 force_version=ssl3" \
1056 0 \
1057 -C "client hello, adding extended_master_secret extension" \
1058 -S "found extended master secret extension" \
1059 -S "server hello, adding extended master secret extension" \
1060 -C "found extended_master_secret extension" \
1061 -C "using extended master secret" \
1062 -S "using extended master secret"
1063
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]1064requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]1065run_test "Extended Master Secret: client enabled, server SSLv3" \
1066 "$P_SRV debug_level=3 force_version=ssl3" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]1067 "$P_CLI debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]1068 0 \
1069 -c "client hello, adding extended_master_secret extension" \
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]1070 -S "found extended master secret extension" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]1071 -S "server hello, adding extended master secret extension" \
1072 -C "found extended_master_secret extension" \
1073 -C "using extended master secret" \
1074 -S "using extended master secret"
1075
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1076# Tests for FALLBACK_SCSV
1077
1078run_test "Fallback SCSV: default" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1079 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1080 "$P_CLI debug_level=3 force_version=tls1_1" \
1081 0 \
1082 -C "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1083 -S "received FALLBACK_SCSV" \
1084 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1085 -C "is a fatal alert message (msg 86)"
1086
1087run_test "Fallback SCSV: explicitly disabled" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1088 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1089 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
1090 0 \
1091 -C "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1092 -S "received FALLBACK_SCSV" \
1093 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1094 -C "is a fatal alert message (msg 86)"
1095
1096run_test "Fallback SCSV: enabled" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1097 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1098 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1099 1 \
1100 -c "adding FALLBACK_SCSV" \
1101 -s "received FALLBACK_SCSV" \
1102 -s "inapropriate fallback" \
1103 -c "is a fatal alert message (msg 86)"
1104
1105run_test "Fallback SCSV: enabled, max version" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1106 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1107 "$P_CLI debug_level=3 fallback=1" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1108 0 \
1109 -c "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1110 -s "received FALLBACK_SCSV" \
1111 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1112 -C "is a fatal alert message (msg 86)"
1113
1114requires_openssl_with_fallback_scsv
1115run_test "Fallback SCSV: default, openssl server" \
1116 "$O_SRV" \
1117 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
1118 0 \
1119 -C "adding FALLBACK_SCSV" \
1120 -C "is a fatal alert message (msg 86)"
1121
1122requires_openssl_with_fallback_scsv
1123run_test "Fallback SCSV: enabled, openssl server" \
1124 "$O_SRV" \
1125 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
1126 1 \
1127 -c "adding FALLBACK_SCSV" \
1128 -c "is a fatal alert message (msg 86)"
1129
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1130requires_openssl_with_fallback_scsv
1131run_test "Fallback SCSV: disabled, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1132 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1133 "$O_CLI -tls1_1" \
1134 0 \
1135 -S "received FALLBACK_SCSV" \
1136 -S "inapropriate fallback"
1137
1138requires_openssl_with_fallback_scsv
1139run_test "Fallback SCSV: enabled, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1140 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1141 "$O_CLI -tls1_1 -fallback_scsv" \
1142 1 \
1143 -s "received FALLBACK_SCSV" \
1144 -s "inapropriate fallback"
1145
1146requires_openssl_with_fallback_scsv
1147run_test "Fallback SCSV: enabled, max version, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1148 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1149 "$O_CLI -fallback_scsv" \
1150 0 \
1151 -s "received FALLBACK_SCSV" \
1152 -S "inapropriate fallback"
1153
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]1154## ClientHello generated with
1155## "openssl s_client -CAfile tests/data_files/test-ca.crt -tls1_1 -connect localhost:4433 -cipher ..."
1156## then manually twiddling the ciphersuite list.
1157## The ClientHello content is spelled out below as a hex string as
1158## "prefix ciphersuite1 ciphersuite2 ciphersuite3 ciphersuite4 suffix".
1159## The expected response is an inappropriate_fallback alert.
1160requires_openssl_with_fallback_scsv
1161run_test "Fallback SCSV: beginning of list" \
1162 "$P_SRV debug_level=2" \
1163 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 5600 0031 0032 0033 0100000900230000000f000101' '15030200020256'" \
1164 0 \
1165 -s "received FALLBACK_SCSV" \
1166 -s "inapropriate fallback"
1167
1168requires_openssl_with_fallback_scsv
1169run_test "Fallback SCSV: end of list" \
1170 "$P_SRV debug_level=2" \
1171 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0031 0032 0033 5600 0100000900230000000f000101' '15030200020256'" \
1172 0 \
1173 -s "received FALLBACK_SCSV" \
1174 -s "inapropriate fallback"
1175
1176## Here the expected response is a valid ServerHello prefix, up to the random.
1177requires_openssl_with_fallback_scsv
1178run_test "Fallback SCSV: not in list" \
1179 "$P_SRV debug_level=2" \
1180 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0056 0031 0032 0033 0100000900230000000f000101' '16030200300200002c0302'" \
1181 0 \
1182 -S "received FALLBACK_SCSV" \
1183 -S "inapropriate fallback"
1184
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]1185# Tests for CBC 1/n-1 record splitting
1186
1187run_test "CBC Record splitting: TLS 1.2, no splitting" \
1188 "$P_SRV" \
1189 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1190 request_size=123 force_version=tls1_2" \
1191 0 \
1192 -s "Read from client: 123 bytes read" \
1193 -S "Read from client: 1 bytes read" \
1194 -S "122 bytes read"
1195
1196run_test "CBC Record splitting: TLS 1.1, no splitting" \
1197 "$P_SRV" \
1198 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1199 request_size=123 force_version=tls1_1" \
1200 0 \
1201 -s "Read from client: 123 bytes read" \
1202 -S "Read from client: 1 bytes read" \
1203 -S "122 bytes read"
1204
1205run_test "CBC Record splitting: TLS 1.0, splitting" \
1206 "$P_SRV" \
1207 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1208 request_size=123 force_version=tls1" \
1209 0 \
1210 -S "Read from client: 123 bytes read" \
1211 -s "Read from client: 1 bytes read" \
1212 -s "122 bytes read"
1213
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]1214requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]1215run_test "CBC Record splitting: SSLv3, splitting" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]1216 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]1217 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1218 request_size=123 force_version=ssl3" \
1219 0 \
1220 -S "Read from client: 123 bytes read" \
1221 -s "Read from client: 1 bytes read" \
1222 -s "122 bytes read"
1223
1224run_test "CBC Record splitting: TLS 1.0 RC4, no splitting" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]1225 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]1226 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
1227 request_size=123 force_version=tls1" \
1228 0 \
1229 -s "Read from client: 123 bytes read" \
1230 -S "Read from client: 1 bytes read" \
1231 -S "122 bytes read"
1232
1233run_test "CBC Record splitting: TLS 1.0, splitting disabled" \
1234 "$P_SRV" \
1235 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1236 request_size=123 force_version=tls1 recsplit=0" \
1237 0 \
1238 -s "Read from client: 123 bytes read" \
1239 -S "Read from client: 1 bytes read" \
1240 -S "122 bytes read"
1241
Manuel Pégourié-Gonnarda852cf42015-01-13 20:56:15 +0100[diff] [blame]1242run_test "CBC Record splitting: TLS 1.0, splitting, nbio" \
1243 "$P_SRV nbio=2" \
1244 "$P_CLI nbio=2 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1245 request_size=123 force_version=tls1" \
1246 0 \
1247 -S "Read from client: 123 bytes read" \
1248 -s "Read from client: 1 bytes read" \
1249 -s "122 bytes read"
1250
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1251# Tests for Session Tickets
1252
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1253run_test "Session resume using tickets: basic" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1254 "$P_SRV debug_level=3 tickets=1" \
1255 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1256 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1257 -c "client hello, adding session ticket extension" \
1258 -s "found session ticket extension" \
1259 -s "server hello, adding session ticket extension" \
1260 -c "found session_ticket extension" \
1261 -c "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1262 -S "session successfully restored from cache" \
1263 -s "session successfully restored from ticket" \
1264 -s "a session has been resumed" \
1265 -c "a session has been resumed"
1266
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1267run_test "Session resume using tickets: cache disabled" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1268 "$P_SRV debug_level=3 tickets=1 cache_max=0" \
1269 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +0100[diff] [blame]1270 0 \
1271 -c "client hello, adding session ticket extension" \
1272 -s "found session ticket extension" \
1273 -s "server hello, adding session ticket extension" \
1274 -c "found session_ticket extension" \
1275 -c "parse new session ticket" \
1276 -S "session successfully restored from cache" \
1277 -s "session successfully restored from ticket" \
1278 -s "a session has been resumed" \
1279 -c "a session has been resumed"
1280
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1281run_test "Session resume using tickets: timeout" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1282 "$P_SRV debug_level=3 tickets=1 cache_max=0 ticket_timeout=1" \
1283 "$P_CLI debug_level=3 tickets=1 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +0100[diff] [blame]1284 0 \
1285 -c "client hello, adding session ticket extension" \
1286 -s "found session ticket extension" \
1287 -s "server hello, adding session ticket extension" \
1288 -c "found session_ticket extension" \
1289 -c "parse new session ticket" \
1290 -S "session successfully restored from cache" \
1291 -S "session successfully restored from ticket" \
1292 -S "a session has been resumed" \
1293 -C "a session has been resumed"
1294
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1295run_test "Session resume using tickets: openssl server" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1296 "$O_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1297 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]1298 0 \
1299 -c "client hello, adding session ticket extension" \
1300 -c "found session_ticket extension" \
1301 -c "parse new session ticket" \
1302 -c "a session has been resumed"
1303
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1304run_test "Session resume using tickets: openssl client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1305 "$P_SRV debug_level=3 tickets=1" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1306 "( $O_CLI -sess_out $SESSION; \
1307 $O_CLI -sess_in $SESSION; \
1308 rm -f $SESSION )" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]1309 0 \
1310 -s "found session ticket extension" \
1311 -s "server hello, adding session ticket extension" \
1312 -S "session successfully restored from cache" \
1313 -s "session successfully restored from ticket" \
1314 -s "a session has been resumed"
1315
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1316# Tests for Session Resume based on session-ID and cache
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1317
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1318run_test "Session resume using cache: tickets enabled on client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1319 "$P_SRV debug_level=3 tickets=0" \
1320 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1321 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1322 -c "client hello, adding session ticket extension" \
1323 -s "found session ticket extension" \
1324 -S "server hello, adding session ticket extension" \
1325 -C "found session_ticket extension" \
1326 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1327 -s "session successfully restored from cache" \
1328 -S "session successfully restored from ticket" \
1329 -s "a session has been resumed" \
1330 -c "a session has been resumed"
1331
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1332run_test "Session resume using cache: tickets enabled on server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1333 "$P_SRV debug_level=3 tickets=1" \
1334 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1335 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1336 -C "client hello, adding session ticket extension" \
1337 -S "found session ticket extension" \
1338 -S "server hello, adding session ticket extension" \
1339 -C "found session_ticket extension" \
1340 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1341 -s "session successfully restored from cache" \
1342 -S "session successfully restored from ticket" \
1343 -s "a session has been resumed" \
1344 -c "a session has been resumed"
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1345
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1346run_test "Session resume using cache: cache_max=0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1347 "$P_SRV debug_level=3 tickets=0 cache_max=0" \
1348 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]1349 0 \
1350 -S "session successfully restored from cache" \
1351 -S "session successfully restored from ticket" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1352 -S "a session has been resumed" \
1353 -C "a session has been resumed"
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]1354
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1355run_test "Session resume using cache: cache_max=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1356 "$P_SRV debug_level=3 tickets=0 cache_max=1" \
1357 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1358 0 \
1359 -s "session successfully restored from cache" \
1360 -S "session successfully restored from ticket" \
1361 -s "a session has been resumed" \
1362 -c "a session has been resumed"
1363
Manuel Pégourié-Gonnard6df31962015-05-04 10:55:47 +0200[diff] [blame]1364run_test "Session resume using cache: timeout > delay" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1365 "$P_SRV debug_level=3 tickets=0" \
1366 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=0" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1367 0 \
1368 -s "session successfully restored from cache" \
1369 -S "session successfully restored from ticket" \
1370 -s "a session has been resumed" \
1371 -c "a session has been resumed"
1372
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1373run_test "Session resume using cache: timeout < delay" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1374 "$P_SRV debug_level=3 tickets=0 cache_timeout=1" \
1375 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1376 0 \
1377 -S "session successfully restored from cache" \
1378 -S "session successfully restored from ticket" \
1379 -S "a session has been resumed" \
1380 -C "a session has been resumed"
1381
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1382run_test "Session resume using cache: no timeout" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1383 "$P_SRV debug_level=3 tickets=0 cache_timeout=0" \
1384 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]1385 0 \
1386 -s "session successfully restored from cache" \
1387 -S "session successfully restored from ticket" \
1388 -s "a session has been resumed" \
1389 -c "a session has been resumed"
1390
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1391run_test "Session resume using cache: openssl client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1392 "$P_SRV debug_level=3 tickets=0" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1393 "( $O_CLI -sess_out $SESSION; \
1394 $O_CLI -sess_in $SESSION; \
1395 rm -f $SESSION )" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]1396 0 \
1397 -s "found session ticket extension" \
1398 -S "server hello, adding session ticket extension" \
1399 -s "session successfully restored from cache" \
1400 -S "session successfully restored from ticket" \
1401 -s "a session has been resumed"
1402
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1403run_test "Session resume using cache: openssl server" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1404 "$O_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1405 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]1406 0 \
1407 -C "found session_ticket extension" \
1408 -C "parse new session ticket" \
1409 -c "a session has been resumed"
1410
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1411# Tests for Max Fragment Length extension
1412
Hanno Becker6428f8d2017-09-22 16:58:50 +0100[diff] [blame]1413MAX_CONTENT_LEN_EXPECT='16384'
1414MAX_CONTENT_LEN_CONFIG=$( ../scripts/config.pl get MBEDTLS_SSL_MAX_CONTENT_LEN)
1415
1416if [ -n "$MAX_CONTENT_LEN_CONFIG" ] && [ "$MAX_CONTENT_LEN_CONFIG" -ne "$MAX_CONTENT_LEN_EXPECT" ]; then
1417 printf "The ${CONFIG_H} file contains a value for the configuration of\n"
1418 printf "MBEDTLS_SSL_MAX_CONTENT_LEN that is different from the script’s\n"
1419 printf "test value of ${MAX_CONTENT_LEN_EXPECT}. \n"
1420 printf "\n"
1421 printf "The tests assume this value and if it changes, the tests in this\n"
1422 printf "script should also be adjusted.\n"
1423 printf "\n"
1424
1425 exit 1
1426fi
1427
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]1428requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1429run_test "Max fragment length: enabled, default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1430 "$P_SRV debug_level=3" \
1431 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1432 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1433 -c "Maximum fragment length is 16384" \
1434 -s "Maximum fragment length is 16384" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1435 -C "client hello, adding max_fragment_length extension" \
1436 -S "found max fragment length extension" \
1437 -S "server hello, max_fragment_length extension" \
1438 -C "found max_fragment_length extension"
1439
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]1440requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1441run_test "Max fragment length: enabled, default, larger message" \
1442 "$P_SRV debug_level=3" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]1443 "$P_CLI debug_level=3 request_size=16385" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1444 0 \
1445 -c "Maximum fragment length is 16384" \
1446 -s "Maximum fragment length is 16384" \
1447 -C "client hello, adding max_fragment_length extension" \
1448 -S "found max fragment length extension" \
1449 -S "server hello, max_fragment_length extension" \
1450 -C "found max_fragment_length extension" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]1451 -c "16385 bytes written in 2 fragments" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1452 -s "16384 bytes read" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]1453 -s "1 bytes read"
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1454
1455requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
1456run_test "Max fragment length, DTLS: enabled, default, larger message" \
1457 "$P_SRV debug_level=3 dtls=1" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]1458 "$P_CLI debug_level=3 dtls=1 request_size=16385" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1459 1 \
1460 -c "Maximum fragment length is 16384" \
1461 -s "Maximum fragment length is 16384" \
1462 -C "client hello, adding max_fragment_length extension" \
1463 -S "found max fragment length extension" \
1464 -S "server hello, max_fragment_length extension" \
1465 -C "found max_fragment_length extension" \
1466 -c "fragment larger than.*maximum "
1467
1468requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
1469run_test "Max fragment length: disabled, larger message" \
1470 "$P_SRV debug_level=3" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]1471 "$P_CLI debug_level=3 request_size=16385" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1472 0 \
1473 -C "Maximum fragment length is 16384" \
1474 -S "Maximum fragment length is 16384" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]1475 -c "16385 bytes written in 2 fragments" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1476 -s "16384 bytes read" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]1477 -s "1 bytes read"
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1478
1479requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
1480run_test "Max fragment length DTLS: disabled, larger message" \
1481 "$P_SRV debug_level=3 dtls=1" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]1482 "$P_CLI debug_level=3 dtls=1 request_size=16385" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1483 1 \
1484 -C "Maximum fragment length is 16384" \
1485 -S "Maximum fragment length is 16384" \
1486 -c "fragment larger than.*maximum "
1487
1488requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1489run_test "Max fragment length: used by client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1490 "$P_SRV debug_level=3" \
1491 "$P_CLI debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1492 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1493 -c "Maximum fragment length is 4096" \
1494 -s "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1495 -c "client hello, adding max_fragment_length extension" \
1496 -s "found max fragment length extension" \
1497 -s "server hello, max_fragment_length extension" \
1498 -c "found max_fragment_length extension"
1499
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]1500requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1501run_test "Max fragment length: used by server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1502 "$P_SRV debug_level=3 max_frag_len=4096" \
1503 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1504 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1505 -c "Maximum fragment length is 16384" \
1506 -s "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1507 -C "client hello, adding max_fragment_length extension" \
1508 -S "found max fragment length extension" \
1509 -S "server hello, max_fragment_length extension" \
1510 -C "found max_fragment_length extension"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1511
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]1512requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1513requires_gnutls
1514run_test "Max fragment length: gnutls server" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]1515 "$G_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1516 "$P_CLI debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]1517 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1518 -c "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]1519 -c "client hello, adding max_fragment_length extension" \
1520 -c "found max_fragment_length extension"
1521
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]1522requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1523run_test "Max fragment length: client, message just fits" \
1524 "$P_SRV debug_level=3" \
1525 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2048" \
1526 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1527 -c "Maximum fragment length is 2048" \
1528 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1529 -c "client hello, adding max_fragment_length extension" \
1530 -s "found max fragment length extension" \
1531 -s "server hello, max_fragment_length extension" \
1532 -c "found max_fragment_length extension" \
1533 -c "2048 bytes written in 1 fragments" \
1534 -s "2048 bytes read"
1535
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]1536requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1537run_test "Max fragment length: client, larger message" \
1538 "$P_SRV debug_level=3" \
1539 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2345" \
1540 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1541 -c "Maximum fragment length is 2048" \
1542 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1543 -c "client hello, adding max_fragment_length extension" \
1544 -s "found max fragment length extension" \
1545 -s "server hello, max_fragment_length extension" \
1546 -c "found max_fragment_length extension" \
1547 -c "2345 bytes written in 2 fragments" \
1548 -s "2048 bytes read" \
1549 -s "297 bytes read"
1550
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]1551requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard23eb74d2015-01-21 14:37:13 +0000[diff] [blame]1552run_test "Max fragment length: DTLS client, larger message" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1553 "$P_SRV debug_level=3 dtls=1" \
1554 "$P_CLI debug_level=3 dtls=1 max_frag_len=2048 request_size=2345" \
1555 1 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1556 -c "Maximum fragment length is 2048" \
1557 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1558 -c "client hello, adding max_fragment_length extension" \
1559 -s "found max fragment length extension" \
1560 -s "server hello, max_fragment_length extension" \
1561 -c "found max_fragment_length extension" \
1562 -c "fragment larger than.*maximum"
1563
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1564# Tests for renegotiation
1565
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1566# Renegotiation SCSV always added, regardless of SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1567run_test "Renegotiation: none, for reference" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1568 "$P_SRV debug_level=3 exchanges=2 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1569 "$P_CLI debug_level=3 exchanges=2" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1570 0 \
1571 -C "client hello, adding renegotiation extension" \
1572 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1573 -S "found renegotiation extension" \
1574 -s "server hello, secure renegotiation extension" \
1575 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1576 -C "=> renegotiate" \
1577 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1578 -S "write hello request"
1579
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1580requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1581run_test "Renegotiation: client-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1582 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1583 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1584 0 \
1585 -c "client hello, adding renegotiation extension" \
1586 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1587 -s "found renegotiation extension" \
1588 -s "server hello, secure renegotiation extension" \
1589 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1590 -c "=> renegotiate" \
1591 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1592 -S "write hello request"
1593
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1594requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1595run_test "Renegotiation: server-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1596 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1597 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1598 0 \
1599 -c "client hello, adding renegotiation extension" \
1600 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1601 -s "found renegotiation extension" \
1602 -s "server hello, secure renegotiation extension" \
1603 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1604 -c "=> renegotiate" \
1605 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1606 -s "write hello request"
1607
Janos Follathb0f148c2017-10-05 12:29:42 +0100[diff] [blame]1608# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that
1609# the server did not parse the Signature Algorithm extension. This test is valid only if an MD
1610# algorithm stronger than SHA-1 is enabled in config.h
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1611requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Janos Follathb0f148c2017-10-05 12:29:42 +0100[diff] [blame]1612run_test "Renegotiation: Signature Algorithms parsing, client-initiated" \
1613 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
1614 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
1615 0 \
1616 -c "client hello, adding renegotiation extension" \
1617 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1618 -s "found renegotiation extension" \
1619 -s "server hello, secure renegotiation extension" \
1620 -c "found renegotiation extension" \
1621 -c "=> renegotiate" \
1622 -s "=> renegotiate" \
1623 -S "write hello request" \
1624 -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?
1625
1626# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that
1627# the server did not parse the Signature Algorithm extension. This test is valid only if an MD
1628# algorithm stronger than SHA-1 is enabled in config.h
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1629requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Janos Follathb0f148c2017-10-05 12:29:42 +0100[diff] [blame]1630run_test "Renegotiation: Signature Algorithms parsing, server-initiated" \
1631 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
1632 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
1633 0 \
1634 -c "client hello, adding renegotiation extension" \
1635 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1636 -s "found renegotiation extension" \
1637 -s "server hello, secure renegotiation extension" \
1638 -c "found renegotiation extension" \
1639 -c "=> renegotiate" \
1640 -s "=> renegotiate" \
1641 -s "write hello request" \
1642 -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?
1643
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1644requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1645run_test "Renegotiation: double" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1646 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1647 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1648 0 \
1649 -c "client hello, adding renegotiation extension" \
1650 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1651 -s "found renegotiation extension" \
1652 -s "server hello, secure renegotiation extension" \
1653 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1654 -c "=> renegotiate" \
1655 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1656 -s "write hello request"
1657
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1658requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1659run_test "Renegotiation: client-initiated, server-rejected" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1660 "$P_SRV debug_level=3 exchanges=2 renegotiation=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1661 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1662 1 \
1663 -c "client hello, adding renegotiation extension" \
1664 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1665 -S "found renegotiation extension" \
1666 -s "server hello, secure renegotiation extension" \
1667 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1668 -c "=> renegotiate" \
1669 -S "=> renegotiate" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1670 -S "write hello request" \
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]1671 -c "SSL - Unexpected message at ServerHello in renegotiation" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1672 -c "failed"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1673
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1674requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1675run_test "Renegotiation: server-initiated, client-rejected, default" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1676 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1677 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1678 0 \
1679 -C "client hello, adding renegotiation extension" \
1680 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1681 -S "found renegotiation extension" \
1682 -s "server hello, secure renegotiation extension" \
1683 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1684 -C "=> renegotiate" \
1685 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1686 -s "write hello request" \
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +0200[diff] [blame]1687 -S "SSL - An unexpected message was received from our peer" \
1688 -S "failed"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]1689
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1690requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1691run_test "Renegotiation: server-initiated, client-rejected, not enforced" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1692 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1693 renego_delay=-1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1694 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1695 0 \
1696 -C "client hello, adding renegotiation extension" \
1697 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1698 -S "found renegotiation extension" \
1699 -s "server hello, secure renegotiation extension" \
1700 -c "found renegotiation extension" \
1701 -C "=> renegotiate" \
1702 -S "=> renegotiate" \
1703 -s "write hello request" \
1704 -S "SSL - An unexpected message was received from our peer" \
1705 -S "failed"
1706
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]1707# delay 2 for 1 alert record + 1 application data record
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1708requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1709run_test "Renegotiation: server-initiated, client-rejected, delay 2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1710 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1711 renego_delay=2 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1712 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1713 0 \
1714 -C "client hello, adding renegotiation extension" \
1715 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1716 -S "found renegotiation extension" \
1717 -s "server hello, secure renegotiation extension" \
1718 -c "found renegotiation extension" \
1719 -C "=> renegotiate" \
1720 -S "=> renegotiate" \
1721 -s "write hello request" \
1722 -S "SSL - An unexpected message was received from our peer" \
1723 -S "failed"
1724
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1725requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1726run_test "Renegotiation: server-initiated, client-rejected, delay 0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1727 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1728 renego_delay=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1729 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1730 0 \
1731 -C "client hello, adding renegotiation extension" \
1732 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1733 -S "found renegotiation extension" \
1734 -s "server hello, secure renegotiation extension" \
1735 -c "found renegotiation extension" \
1736 -C "=> renegotiate" \
1737 -S "=> renegotiate" \
1738 -s "write hello request" \
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]1739 -s "SSL - An unexpected message was received from our peer"
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1740
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1741requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1742run_test "Renegotiation: server-initiated, client-accepted, delay 0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1743 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1744 renego_delay=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1745 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1746 0 \
1747 -c "client hello, adding renegotiation extension" \
1748 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1749 -s "found renegotiation extension" \
1750 -s "server hello, secure renegotiation extension" \
1751 -c "found renegotiation extension" \
1752 -c "=> renegotiate" \
1753 -s "=> renegotiate" \
1754 -s "write hello request" \
1755 -S "SSL - An unexpected message was received from our peer" \
1756 -S "failed"
1757
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1758requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1759run_test "Renegotiation: periodic, just below period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1760 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1761 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
1762 0 \
1763 -C "client hello, adding renegotiation extension" \
1764 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1765 -S "found renegotiation extension" \
1766 -s "server hello, secure renegotiation extension" \
1767 -c "found renegotiation extension" \
1768 -S "record counter limit reached: renegotiate" \
1769 -C "=> renegotiate" \
1770 -S "=> renegotiate" \
1771 -S "write hello request" \
1772 -S "SSL - An unexpected message was received from our peer" \
1773 -S "failed"
1774
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]1775# one extra exchange to be able to complete renego
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1776requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1777run_test "Renegotiation: periodic, just above period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1778 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]1779 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1780 0 \
1781 -c "client hello, adding renegotiation extension" \
1782 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1783 -s "found renegotiation extension" \
1784 -s "server hello, secure renegotiation extension" \
1785 -c "found renegotiation extension" \
1786 -s "record counter limit reached: renegotiate" \
1787 -c "=> renegotiate" \
1788 -s "=> renegotiate" \
1789 -s "write hello request" \
1790 -S "SSL - An unexpected message was received from our peer" \
1791 -S "failed"
1792
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1793requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1794run_test "Renegotiation: periodic, two times period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1795 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]1796 "$P_CLI debug_level=3 exchanges=7 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1797 0 \
1798 -c "client hello, adding renegotiation extension" \
1799 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1800 -s "found renegotiation extension" \
1801 -s "server hello, secure renegotiation extension" \
1802 -c "found renegotiation extension" \
1803 -s "record counter limit reached: renegotiate" \
1804 -c "=> renegotiate" \
1805 -s "=> renegotiate" \
1806 -s "write hello request" \
1807 -S "SSL - An unexpected message was received from our peer" \
1808 -S "failed"
1809
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1810requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1811run_test "Renegotiation: periodic, above period, disabled" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1812 "$P_SRV debug_level=3 exchanges=9 renegotiation=0 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1813 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
1814 0 \
1815 -C "client hello, adding renegotiation extension" \
1816 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1817 -S "found renegotiation extension" \
1818 -s "server hello, secure renegotiation extension" \
1819 -c "found renegotiation extension" \
1820 -S "record counter limit reached: renegotiate" \
1821 -C "=> renegotiate" \
1822 -S "=> renegotiate" \
1823 -S "write hello request" \
1824 -S "SSL - An unexpected message was received from our peer" \
1825 -S "failed"
1826
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1827requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1828run_test "Renegotiation: nbio, client-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1829 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1830 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +0200[diff] [blame]1831 0 \
1832 -c "client hello, adding renegotiation extension" \
1833 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1834 -s "found renegotiation extension" \
1835 -s "server hello, secure renegotiation extension" \
1836 -c "found renegotiation extension" \
1837 -c "=> renegotiate" \
1838 -s "=> renegotiate" \
1839 -S "write hello request"
1840
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1841requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1842run_test "Renegotiation: nbio, server-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1843 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1844 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +0200[diff] [blame]1845 0 \
1846 -c "client hello, adding renegotiation extension" \
1847 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1848 -s "found renegotiation extension" \
1849 -s "server hello, secure renegotiation extension" \
1850 -c "found renegotiation extension" \
1851 -c "=> renegotiate" \
1852 -s "=> renegotiate" \
1853 -s "write hello request"
1854
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1855requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1856run_test "Renegotiation: openssl server, client-initiated" \
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]1857 "$O_SRV -www" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1858 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]1859 0 \
1860 -c "client hello, adding renegotiation extension" \
1861 -c "found renegotiation extension" \
1862 -c "=> renegotiate" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1863 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]1864 -C "error" \
1865 -c "HTTP/1.0 200 [Oo][Kk]"
1866
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1867requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1868requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1869run_test "Renegotiation: gnutls server strict, client-initiated" \
1870 "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1871 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]1872 0 \
1873 -c "client hello, adding renegotiation extension" \
1874 -c "found renegotiation extension" \
1875 -c "=> renegotiate" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1876 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]1877 -C "error" \
1878 -c "HTTP/1.0 200 [Oo][Kk]"
1879
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1880requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1881requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1882run_test "Renegotiation: gnutls server unsafe, client-initiated default" \
1883 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1884 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
1885 1 \
1886 -c "client hello, adding renegotiation extension" \
1887 -C "found renegotiation extension" \
1888 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1889 -c "mbedtls_ssl_handshake() returned" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1890 -c "error" \
1891 -C "HTTP/1.0 200 [Oo][Kk]"
1892
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1893requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1894requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1895run_test "Renegotiation: gnutls server unsafe, client-inititated no legacy" \
1896 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1897 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
1898 allow_legacy=0" \
1899 1 \
1900 -c "client hello, adding renegotiation extension" \
1901 -C "found renegotiation extension" \
1902 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1903 -c "mbedtls_ssl_handshake() returned" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1904 -c "error" \
1905 -C "HTTP/1.0 200 [Oo][Kk]"
1906
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1907requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1908requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1909run_test "Renegotiation: gnutls server unsafe, client-inititated legacy" \
1910 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1911 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
1912 allow_legacy=1" \
1913 0 \
1914 -c "client hello, adding renegotiation extension" \
1915 -C "found renegotiation extension" \
1916 -c "=> renegotiate" \
1917 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1918 -C "error" \
1919 -c "HTTP/1.0 200 [Oo][Kk]"
1920
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1921requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard30d16eb2014-08-19 17:43:50 +0200[diff] [blame]1922run_test "Renegotiation: DTLS, client-initiated" \
1923 "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1" \
1924 "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
1925 0 \
1926 -c "client hello, adding renegotiation extension" \
1927 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1928 -s "found renegotiation extension" \
1929 -s "server hello, secure renegotiation extension" \
1930 -c "found renegotiation extension" \
1931 -c "=> renegotiate" \
1932 -s "=> renegotiate" \
1933 -S "write hello request"
1934
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1935requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]1936run_test "Renegotiation: DTLS, server-initiated" \
1937 "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnarddf9a0a82014-10-02 14:17:18 +0200[diff] [blame]1938 "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 \
1939 read_timeout=1000 max_resend=2" \
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]1940 0 \
1941 -c "client hello, adding renegotiation extension" \
1942 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1943 -s "found renegotiation extension" \
1944 -s "server hello, secure renegotiation extension" \
1945 -c "found renegotiation extension" \
1946 -c "=> renegotiate" \
1947 -s "=> renegotiate" \
1948 -s "write hello request"
1949
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1950requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Andres AG692ad842017-01-19 16:30:57 +0000[diff] [blame]1951run_test "Renegotiation: DTLS, renego_period overflow" \
1952 "$P_SRV debug_level=3 dtls=1 exchanges=4 renegotiation=1 renego_period=18446462598732840962 auth_mode=optional" \
1953 "$P_CLI debug_level=3 dtls=1 exchanges=4 renegotiation=1" \
1954 0 \
1955 -c "client hello, adding renegotiation extension" \
1956 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1957 -s "found renegotiation extension" \
1958 -s "server hello, secure renegotiation extension" \
1959 -s "record counter limit reached: renegotiate" \
1960 -c "=> renegotiate" \
1961 -s "=> renegotiate" \
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1962 -s "write hello request"
Andres AG692ad842017-01-19 16:30:57 +0000[diff] [blame]1963
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]1964requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1965requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +0200[diff] [blame]1966run_test "Renegotiation: DTLS, gnutls server, client-initiated" \
1967 "$G_SRV -u --mtu 4096" \
1968 "$P_CLI debug_level=3 dtls=1 exchanges=1 renegotiation=1 renegotiate=1" \
1969 0 \
1970 -c "client hello, adding renegotiation extension" \
1971 -c "found renegotiation extension" \
1972 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1973 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +0200[diff] [blame]1974 -C "error" \
1975 -s "Extra-header:"
1976
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1977# Test for the "secure renegotation" extension only (no actual renegotiation)
1978
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1979requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1980run_test "Renego ext: gnutls server strict, client default" \
1981 "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
1982 "$P_CLI debug_level=3" \
1983 0 \
1984 -c "found renegotiation extension" \
1985 -C "error" \
1986 -c "HTTP/1.0 200 [Oo][Kk]"
1987
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1988requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1989run_test "Renego ext: gnutls server unsafe, client default" \
1990 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1991 "$P_CLI debug_level=3" \
1992 0 \
1993 -C "found renegotiation extension" \
1994 -C "error" \
1995 -c "HTTP/1.0 200 [Oo][Kk]"
1996
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1997requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1998run_test "Renego ext: gnutls server unsafe, client break legacy" \
1999 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
2000 "$P_CLI debug_level=3 allow_legacy=-1" \
2001 1 \
2002 -C "found renegotiation extension" \
2003 -c "error" \
2004 -C "HTTP/1.0 200 [Oo][Kk]"
2005
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]2006requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2007run_test "Renego ext: gnutls client strict, server default" \
2008 "$P_SRV debug_level=3" \
2009 "$G_CLI --priority=NORMAL:%SAFE_RENEGOTIATION" \
2010 0 \
2011 -s "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
2012 -s "server hello, secure renegotiation extension"
2013
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]2014requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2015run_test "Renego ext: gnutls client unsafe, server default" \
2016 "$P_SRV debug_level=3" \
2017 "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
2018 0 \
2019 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
2020 -S "server hello, secure renegotiation extension"
2021
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]2022requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2023run_test "Renego ext: gnutls client unsafe, server break legacy" \
2024 "$P_SRV debug_level=3 allow_legacy=-1" \
2025 "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
2026 1 \
2027 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
2028 -S "server hello, secure renegotiation extension"
2029
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]2030# Tests for silently dropping trailing extra bytes in .der certificates
2031
2032requires_gnutls
2033run_test "DER format: no trailing bytes" \
2034 "$P_SRV crt_file=data_files/server5-der0.crt \
2035 key_file=data_files/server5.key" \
2036 "$G_CLI " \
2037 0 \
2038 -c "Handshake was completed" \
2039
2040requires_gnutls
2041run_test "DER format: with a trailing zero byte" \
2042 "$P_SRV crt_file=data_files/server5-der1a.crt \
2043 key_file=data_files/server5.key" \
2044 "$G_CLI " \
2045 0 \
2046 -c "Handshake was completed" \
2047
2048requires_gnutls
2049run_test "DER format: with a trailing random byte" \
2050 "$P_SRV crt_file=data_files/server5-der1b.crt \
2051 key_file=data_files/server5.key" \
2052 "$G_CLI " \
2053 0 \
2054 -c "Handshake was completed" \
2055
2056requires_gnutls
2057run_test "DER format: with 2 trailing random bytes" \
2058 "$P_SRV crt_file=data_files/server5-der2.crt \
2059 key_file=data_files/server5.key" \
2060 "$G_CLI " \
2061 0 \
2062 -c "Handshake was completed" \
2063
2064requires_gnutls
2065run_test "DER format: with 4 trailing random bytes" \
2066 "$P_SRV crt_file=data_files/server5-der4.crt \
2067 key_file=data_files/server5.key" \
2068 "$G_CLI " \
2069 0 \
2070 -c "Handshake was completed" \
2071
2072requires_gnutls
2073run_test "DER format: with 8 trailing random bytes" \
2074 "$P_SRV crt_file=data_files/server5-der8.crt \
2075 key_file=data_files/server5.key" \
2076 "$G_CLI " \
2077 0 \
2078 -c "Handshake was completed" \
2079
2080requires_gnutls
2081run_test "DER format: with 9 trailing random bytes" \
2082 "$P_SRV crt_file=data_files/server5-der9.crt \
2083 key_file=data_files/server5.key" \
2084 "$G_CLI " \
2085 0 \
2086 -c "Handshake was completed" \
2087
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2088# Tests for auth_mode
2089
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2090run_test "Authentication: server badcert, client required" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2091 "$P_SRV crt_file=data_files/server5-badsign.crt \
2092 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2093 "$P_CLI debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2094 1 \
2095 -c "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2096 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2097 -c "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2098 -c "X509 - Certificate verification failed"
2099
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2100run_test "Authentication: server badcert, client optional" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2101 "$P_SRV crt_file=data_files/server5-badsign.crt \
2102 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2103 "$P_CLI debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2104 0 \
2105 -c "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2106 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2107 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2108 -C "X509 - Certificate verification failed"
2109
Hanno Beckere6706e62017-05-15 16:05:15 +0100[diff] [blame]2110run_test "Authentication: server goodcert, client optional, no trusted CA" \
2111 "$P_SRV" \
2112 "$P_CLI debug_level=3 auth_mode=optional ca_file=none ca_path=none" \
2113 0 \
2114 -c "x509_verify_cert() returned" \
2115 -c "! The certificate is not correctly signed by the trusted CA" \
2116 -c "! Certificate verification flags"\
2117 -C "! mbedtls_ssl_handshake returned" \
2118 -C "X509 - Certificate verification failed" \
2119 -C "SSL - No CA Chain is set, but required to operate"
2120
2121run_test "Authentication: server goodcert, client required, no trusted CA" \
2122 "$P_SRV" \
2123 "$P_CLI debug_level=3 auth_mode=required ca_file=none ca_path=none" \
2124 1 \
2125 -c "x509_verify_cert() returned" \
2126 -c "! The certificate is not correctly signed by the trusted CA" \
2127 -c "! Certificate verification flags"\
2128 -c "! mbedtls_ssl_handshake returned" \
2129 -c "SSL - No CA Chain is set, but required to operate"
2130
2131# The purpose of the next two tests is to test the client's behaviour when receiving a server
2132# certificate with an unsupported elliptic curve. This should usually not happen because
2133# the client informs the server about the supported curves - it does, though, in the
2134# corner case of a static ECDH suite, because the server doesn't check the curve on that
2135# occasion (to be fixed). If that bug's fixed, the test needs to be altered to use a
2136# different means to have the server ignoring the client's supported curve list.
2137
2138requires_config_enabled MBEDTLS_ECP_C
2139run_test "Authentication: server ECDH p256v1, client required, p256v1 unsupported" \
2140 "$P_SRV debug_level=1 key_file=data_files/server5.key \
2141 crt_file=data_files/server5.ku-ka.crt" \
2142 "$P_CLI debug_level=3 auth_mode=required curves=secp521r1" \
2143 1 \
2144 -c "bad certificate (EC key curve)"\
2145 -c "! Certificate verification flags"\
2146 -C "bad server certificate (ECDH curve)" # Expect failure at earlier verification stage
2147
2148requires_config_enabled MBEDTLS_ECP_C
2149run_test "Authentication: server ECDH p256v1, client optional, p256v1 unsupported" \
2150 "$P_SRV debug_level=1 key_file=data_files/server5.key \
2151 crt_file=data_files/server5.ku-ka.crt" \
2152 "$P_CLI debug_level=3 auth_mode=optional curves=secp521r1" \
2153 1 \
2154 -c "bad certificate (EC key curve)"\
2155 -c "! Certificate verification flags"\
2156 -c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check
2157
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2158run_test "Authentication: server badcert, client none" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]2159 "$P_SRV crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2160 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2161 "$P_CLI debug_level=1 auth_mode=none" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2162 0 \
2163 -C "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2164 -C "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2165 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2166 -C "X509 - Certificate verification failed"
2167
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]2168run_test "Authentication: client SHA256, server required" \
2169 "$P_SRV auth_mode=required" \
2170 "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
2171 key_file=data_files/server6.key \
2172 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
2173 0 \
2174 -c "Supported Signature Algorithm found: 4," \
2175 -c "Supported Signature Algorithm found: 5,"
2176
2177run_test "Authentication: client SHA384, server required" \
2178 "$P_SRV auth_mode=required" \
2179 "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
2180 key_file=data_files/server6.key \
2181 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
2182 0 \
2183 -c "Supported Signature Algorithm found: 4," \
2184 -c "Supported Signature Algorithm found: 5,"
2185
Gilles Peskinefd8332e2017-05-03 16:25:07 +0200[diff] [blame]2186requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
2187run_test "Authentication: client has no cert, server required (SSLv3)" \
2188 "$P_SRV debug_level=3 min_version=ssl3 auth_mode=required" \
2189 "$P_CLI debug_level=3 force_version=ssl3 crt_file=none \
2190 key_file=data_files/server5.key" \
2191 1 \
2192 -S "skip write certificate request" \
2193 -C "skip parse certificate request" \
2194 -c "got a certificate request" \
2195 -c "got no certificate to send" \
2196 -S "x509_verify_cert() returned" \
2197 -s "client has no certificate" \
2198 -s "! mbedtls_ssl_handshake returned" \
2199 -c "! mbedtls_ssl_handshake returned" \
2200 -s "No client certification received from the client, but required by the authentication mode"
2201
2202run_test "Authentication: client has no cert, server required (TLS)" \
2203 "$P_SRV debug_level=3 auth_mode=required" \
2204 "$P_CLI debug_level=3 crt_file=none \
2205 key_file=data_files/server5.key" \
2206 1 \
2207 -S "skip write certificate request" \
2208 -C "skip parse certificate request" \
2209 -c "got a certificate request" \
2210 -c "= write certificate$" \
2211 -C "skip write certificate$" \
2212 -S "x509_verify_cert() returned" \
2213 -s "client has no certificate" \
2214 -s "! mbedtls_ssl_handshake returned" \
2215 -c "! mbedtls_ssl_handshake returned" \
2216 -s "No client certification received from the client, but required by the authentication mode"
2217
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2218run_test "Authentication: client badcert, server required" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2219 "$P_SRV debug_level=3 auth_mode=required" \
2220 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2221 key_file=data_files/server5.key" \
2222 1 \
2223 -S "skip write certificate request" \
2224 -C "skip parse certificate request" \
2225 -c "got a certificate request" \
2226 -C "skip write certificate" \
2227 -C "skip write certificate verify" \
2228 -S "skip parse certificate verify" \
2229 -s "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2230 -s "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2231 -s "! mbedtls_ssl_handshake returned" \
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2232 -s "send alert level=2 message=48" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2233 -c "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2234 -s "X509 - Certificate verification failed"
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2235# We don't check that the client receives the alert because it might
2236# detect that its write end of the connection is closed and abort
2237# before reading the alert message.
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2238
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]2239run_test "Authentication: client cert not trusted, server required" \
2240 "$P_SRV debug_level=3 auth_mode=required" \
2241 "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
2242 key_file=data_files/server5.key" \
2243 1 \
2244 -S "skip write certificate request" \
2245 -C "skip parse certificate request" \
2246 -c "got a certificate request" \
2247 -C "skip write certificate" \
2248 -C "skip write certificate verify" \
2249 -S "skip parse certificate verify" \
2250 -s "x509_verify_cert() returned" \
2251 -s "! The certificate is not correctly signed by the trusted CA" \
2252 -s "! mbedtls_ssl_handshake returned" \
2253 -c "! mbedtls_ssl_handshake returned" \
2254 -s "X509 - Certificate verification failed"
2255
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2256run_test "Authentication: client badcert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2257 "$P_SRV debug_level=3 auth_mode=optional" \
2258 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2259 key_file=data_files/server5.key" \
2260 0 \
2261 -S "skip write certificate request" \
2262 -C "skip parse certificate request" \
2263 -c "got a certificate request" \
2264 -C "skip write certificate" \
2265 -C "skip write certificate verify" \
2266 -S "skip parse certificate verify" \
2267 -s "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2268 -s "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2269 -S "! mbedtls_ssl_handshake returned" \
2270 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2271 -S "X509 - Certificate verification failed"
2272
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2273run_test "Authentication: client badcert, server none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2274 "$P_SRV debug_level=3 auth_mode=none" \
2275 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2276 key_file=data_files/server5.key" \
2277 0 \
2278 -s "skip write certificate request" \
2279 -C "skip parse certificate request" \
2280 -c "got no certificate request" \
2281 -c "skip write certificate" \
2282 -c "skip write certificate verify" \
2283 -s "skip parse certificate verify" \
2284 -S "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2285 -S "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2286 -S "! mbedtls_ssl_handshake returned" \
2287 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2288 -S "X509 - Certificate verification failed"
2289
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2290run_test "Authentication: client no cert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2291 "$P_SRV debug_level=3 auth_mode=optional" \
2292 "$P_CLI debug_level=3 crt_file=none key_file=none" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2293 0 \
2294 -S "skip write certificate request" \
2295 -C "skip parse certificate request" \
2296 -c "got a certificate request" \
2297 -C "skip write certificate$" \
2298 -C "got no certificate to send" \
2299 -S "SSLv3 client has no certificate" \
2300 -c "skip write certificate verify" \
2301 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2302 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2303 -S "! mbedtls_ssl_handshake returned" \
2304 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2305 -S "X509 - Certificate verification failed"
2306
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2307run_test "Authentication: openssl client no cert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2308 "$P_SRV debug_level=3 auth_mode=optional" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2309 "$O_CLI" \
2310 0 \
2311 -S "skip write certificate request" \
2312 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2313 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2314 -S "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2315 -S "X509 - Certificate verification failed"
2316
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2317run_test "Authentication: client no cert, openssl server optional" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2318 "$O_SRV -verify 10" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2319 "$P_CLI debug_level=3 crt_file=none key_file=none" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2320 0 \
2321 -C "skip parse certificate request" \
2322 -c "got a certificate request" \
2323 -C "skip write certificate$" \
2324 -c "skip write certificate verify" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2325 -C "! mbedtls_ssl_handshake returned"
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2326
Gilles Peskinefd8332e2017-05-03 16:25:07 +0200[diff] [blame]2327run_test "Authentication: client no cert, openssl server required" \
2328 "$O_SRV -Verify 10" \
2329 "$P_CLI debug_level=3 crt_file=none key_file=none" \
2330 1 \
2331 -C "skip parse certificate request" \
2332 -c "got a certificate request" \
2333 -C "skip write certificate$" \
2334 -c "skip write certificate verify" \
2335 -c "! mbedtls_ssl_handshake returned"
2336
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]2337requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2338run_test "Authentication: client no cert, ssl3" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2339 "$P_SRV debug_level=3 auth_mode=optional force_version=ssl3" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]2340 "$P_CLI debug_level=3 crt_file=none key_file=none min_version=ssl3" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2341 0 \
2342 -S "skip write certificate request" \
2343 -C "skip parse certificate request" \
2344 -c "got a certificate request" \
2345 -C "skip write certificate$" \
2346 -c "skip write certificate verify" \
2347 -c "got no certificate to send" \
2348 -s "SSLv3 client has no certificate" \
2349 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2350 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2351 -S "! mbedtls_ssl_handshake returned" \
2352 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2353 -S "X509 - Certificate verification failed"
2354
Manuel Pégourié-Gonnard9107b5f2017-07-06 12:16:25 +0200[diff] [blame]2355# The "max_int chain" tests assume that MAX_INTERMEDIATE_CA is set to its
2356# default value (8)
Hanno Beckera6bca9f2017-07-26 13:35:11 +0100[diff] [blame]2357
Simon Butcherbcfa6f42017-07-28 15:59:35 +0100[diff] [blame]2358MAX_IM_CA='8'
Simon Butcher06b78632017-07-28 01:00:17 +0100[diff] [blame]2359MAX_IM_CA_CONFIG=$( ../scripts/config.pl get MBEDTLS_X509_MAX_INTERMEDIATE_CA)
Hanno Beckera6bca9f2017-07-26 13:35:11 +0100[diff] [blame]2360
Simon Butcherbcfa6f42017-07-28 15:59:35 +0100[diff] [blame]2361if [ -n "$MAX_IM_CA_CONFIG" ] && [ "$MAX_IM_CA_CONFIG" -ne "$MAX_IM_CA" ]; then
Simon Butcher06b78632017-07-28 01:00:17 +0100[diff] [blame]2362 printf "The ${CONFIG_H} file contains a value for the configuration of\n"
Simon Butcherbcfa6f42017-07-28 15:59:35 +0100[diff] [blame]2363 printf "MBEDTLS_X509_MAX_INTERMEDIATE_CA that is different from the script’s\n"
Simon Butcher06b78632017-07-28 01:00:17 +0100[diff] [blame]2364 printf "test value of ${MAX_IM_CA}. \n"
2365 printf "\n"
Simon Butcherbcfa6f42017-07-28 15:59:35 +0100[diff] [blame]2366 printf "The tests assume this value and if it changes, the tests in this\n"
2367 printf "script should also be adjusted.\n"
Simon Butcher06b78632017-07-28 01:00:17 +0100[diff] [blame]2368 printf "\n"
Simon Butcher06b78632017-07-28 01:00:17 +0100[diff] [blame]2369
2370 exit 1
Hanno Beckera6bca9f2017-07-26 13:35:11 +0100[diff] [blame]2371fi
2372
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]2373run_test "Authentication: server max_int chain, client default" \
2374 "$P_SRV crt_file=data_files/dir-maxpath/c09.pem \
2375 key_file=data_files/dir-maxpath/09.key" \
2376 "$P_CLI server_name=CA09 ca_file=data_files/dir-maxpath/00.crt" \
2377 0 \
2378 -C "X509 - A fatal error occured"
2379
2380run_test "Authentication: server max_int+1 chain, client default" \
2381 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
2382 key_file=data_files/dir-maxpath/10.key" \
2383 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt" \
2384 1 \
2385 -c "X509 - A fatal error occured"
2386
2387run_test "Authentication: server max_int+1 chain, client optional" \
2388 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
2389 key_file=data_files/dir-maxpath/10.key" \
2390 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
2391 auth_mode=optional" \
2392 1 \
2393 -c "X509 - A fatal error occured"
2394
2395run_test "Authentication: server max_int+1 chain, client none" \
2396 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
2397 key_file=data_files/dir-maxpath/10.key" \
2398 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
2399 auth_mode=none" \
2400 0 \
2401 -C "X509 - A fatal error occured"
2402
2403run_test "Authentication: client max_int+1 chain, server default" \
2404 "$P_SRV ca_file=data_files/dir-maxpath/00.crt" \
2405 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
2406 key_file=data_files/dir-maxpath/10.key" \
2407 0 \
2408 -S "X509 - A fatal error occured"
2409
2410run_test "Authentication: client max_int+1 chain, server optional" \
2411 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=optional" \
2412 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
2413 key_file=data_files/dir-maxpath/10.key" \
2414 1 \
2415 -s "X509 - A fatal error occured"
2416
2417run_test "Authentication: client max_int+1 chain, server required" \
2418 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
2419 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
2420 key_file=data_files/dir-maxpath/10.key" \
2421 1 \
2422 -s "X509 - A fatal error occured"
2423
2424run_test "Authentication: client max_int chain, server required" \
2425 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
2426 "$P_CLI crt_file=data_files/dir-maxpath/c09.pem \
2427 key_file=data_files/dir-maxpath/09.key" \
2428 0 \
2429 -S "X509 - A fatal error occured"
2430
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]2431# Tests for CA list in CertificateRequest messages
2432
2433run_test "Authentication: send CA list in CertificateRequest (default)" \
2434 "$P_SRV debug_level=3 auth_mode=required" \
2435 "$P_CLI crt_file=data_files/server6.crt \
2436 key_file=data_files/server6.key" \
2437 0 \
2438 -s "requested DN"
2439
2440run_test "Authentication: do not send CA list in CertificateRequest" \
2441 "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \
2442 "$P_CLI crt_file=data_files/server6.crt \
2443 key_file=data_files/server6.key" \
2444 0 \
2445 -S "requested DN"
2446
2447run_test "Authentication: send CA list in CertificateRequest, client self signed" \
2448 "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \
2449 "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
2450 key_file=data_files/server5.key" \
2451 1 \
2452 -S "requested DN" \
2453 -s "x509_verify_cert() returned" \
2454 -s "! The certificate is not correctly signed by the trusted CA" \
2455 -s "! mbedtls_ssl_handshake returned" \
2456 -c "! mbedtls_ssl_handshake returned" \
2457 -s "X509 - Certificate verification failed"
2458
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]2459# Tests for certificate selection based on SHA verson
2460
2461run_test "Certificate hash: client TLS 1.2 -> SHA-2" \
2462 "$P_SRV crt_file=data_files/server5.crt \
2463 key_file=data_files/server5.key \
2464 crt_file2=data_files/server5-sha1.crt \
2465 key_file2=data_files/server5.key" \
2466 "$P_CLI force_version=tls1_2" \
2467 0 \
2468 -c "signed using.*ECDSA with SHA256" \
2469 -C "signed using.*ECDSA with SHA1"
2470
2471run_test "Certificate hash: client TLS 1.1 -> SHA-1" \
2472 "$P_SRV crt_file=data_files/server5.crt \
2473 key_file=data_files/server5.key \
2474 crt_file2=data_files/server5-sha1.crt \
2475 key_file2=data_files/server5.key" \
2476 "$P_CLI force_version=tls1_1" \
2477 0 \
2478 -C "signed using.*ECDSA with SHA256" \
2479 -c "signed using.*ECDSA with SHA1"
2480
2481run_test "Certificate hash: client TLS 1.0 -> SHA-1" \
2482 "$P_SRV crt_file=data_files/server5.crt \
2483 key_file=data_files/server5.key \
2484 crt_file2=data_files/server5-sha1.crt \
2485 key_file2=data_files/server5.key" \
2486 "$P_CLI force_version=tls1" \
2487 0 \
2488 -C "signed using.*ECDSA with SHA256" \
2489 -c "signed using.*ECDSA with SHA1"
2490
2491run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 1)" \
2492 "$P_SRV crt_file=data_files/server5.crt \
2493 key_file=data_files/server5.key \
2494 crt_file2=data_files/server6.crt \
2495 key_file2=data_files/server6.key" \
2496 "$P_CLI force_version=tls1_1" \
2497 0 \
2498 -c "serial number.*09" \
2499 -c "signed using.*ECDSA with SHA256" \
2500 -C "signed using.*ECDSA with SHA1"
2501
2502run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 2)" \
2503 "$P_SRV crt_file=data_files/server6.crt \
2504 key_file=data_files/server6.key \
2505 crt_file2=data_files/server5.crt \
2506 key_file2=data_files/server5.key" \
2507 "$P_CLI force_version=tls1_1" \
2508 0 \
2509 -c "serial number.*0A" \
2510 -c "signed using.*ECDSA with SHA256" \
2511 -C "signed using.*ECDSA with SHA1"
2512
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2513# tests for SNI
2514
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2515run_test "SNI: no SNI callback" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2516 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2517 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2518 "$P_CLI server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2519 0 \
2520 -S "parse ServerName extension" \
2521 -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
2522 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2523
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2524run_test "SNI: matching cert 1" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2525 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2526 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]2527 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2528 "$P_CLI server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2529 0 \
2530 -s "parse ServerName extension" \
2531 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
2532 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2533
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2534run_test "SNI: matching cert 2" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2535 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2536 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]2537 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2538 "$P_CLI server_name=polarssl.example" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2539 0 \
2540 -s "parse ServerName extension" \
2541 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
2542 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2543
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2544run_test "SNI: no matching cert" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2545 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2546 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]2547 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2548 "$P_CLI server_name=nonesuch.example" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2549 1 \
2550 -s "parse ServerName extension" \
2551 -s "ssl_sni_wrapper() returned" \
2552 -s "mbedtls_ssl_handshake returned" \
2553 -c "mbedtls_ssl_handshake returned" \
2554 -c "SSL - A fatal alert message was received from our peer"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2555
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]2556run_test "SNI: client auth no override: optional" \
2557 "$P_SRV debug_level=3 auth_mode=optional \
2558 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2559 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
2560 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2561 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]2562 -S "skip write certificate request" \
2563 -C "skip parse certificate request" \
2564 -c "got a certificate request" \
2565 -C "skip write certificate" \
2566 -C "skip write certificate verify" \
2567 -S "skip parse certificate verify"
2568
2569run_test "SNI: client auth override: none -> optional" \
2570 "$P_SRV debug_level=3 auth_mode=none \
2571 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2572 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
2573 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2574 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]2575 -S "skip write certificate request" \
2576 -C "skip parse certificate request" \
2577 -c "got a certificate request" \
2578 -C "skip write certificate" \
2579 -C "skip write certificate verify" \
2580 -S "skip parse certificate verify"
2581
2582run_test "SNI: client auth override: optional -> none" \
2583 "$P_SRV debug_level=3 auth_mode=optional \
2584 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2585 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
2586 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2587 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]2588 -s "skip write certificate request" \
2589 -C "skip parse certificate request" \
2590 -c "got no certificate request" \
2591 -c "skip write certificate" \
2592 -c "skip write certificate verify" \
2593 -s "skip parse certificate verify"
2594
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2595run_test "SNI: CA no override" \
2596 "$P_SRV debug_level=3 auth_mode=optional \
2597 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2598 ca_file=data_files/test-ca.crt \
2599 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
2600 "$P_CLI debug_level=3 server_name=localhost \
2601 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2602 1 \
2603 -S "skip write certificate request" \
2604 -C "skip parse certificate request" \
2605 -c "got a certificate request" \
2606 -C "skip write certificate" \
2607 -C "skip write certificate verify" \
2608 -S "skip parse certificate verify" \
2609 -s "x509_verify_cert() returned" \
2610 -s "! The certificate is not correctly signed by the trusted CA" \
2611 -S "The certificate has been revoked (is on a CRL)"
2612
2613run_test "SNI: CA override" \
2614 "$P_SRV debug_level=3 auth_mode=optional \
2615 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2616 ca_file=data_files/test-ca.crt \
2617 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
2618 "$P_CLI debug_level=3 server_name=localhost \
2619 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2620 0 \
2621 -S "skip write certificate request" \
2622 -C "skip parse certificate request" \
2623 -c "got a certificate request" \
2624 -C "skip write certificate" \
2625 -C "skip write certificate verify" \
2626 -S "skip parse certificate verify" \
2627 -S "x509_verify_cert() returned" \
2628 -S "! The certificate is not correctly signed by the trusted CA" \
2629 -S "The certificate has been revoked (is on a CRL)"
2630
2631run_test "SNI: CA override with CRL" \
2632 "$P_SRV debug_level=3 auth_mode=optional \
2633 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2634 ca_file=data_files/test-ca.crt \
2635 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
2636 "$P_CLI debug_level=3 server_name=localhost \
2637 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2638 1 \
2639 -S "skip write certificate request" \
2640 -C "skip parse certificate request" \
2641 -c "got a certificate request" \
2642 -C "skip write certificate" \
2643 -C "skip write certificate verify" \
2644 -S "skip parse certificate verify" \
2645 -s "x509_verify_cert() returned" \
2646 -S "! The certificate is not correctly signed by the trusted CA" \
2647 -s "The certificate has been revoked (is on a CRL)"
2648
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]2649# Tests for SNI and DTLS
2650
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]2651run_test "SNI: DTLS, no SNI callback" \
2652 "$P_SRV debug_level=3 dtls=1 \
2653 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
2654 "$P_CLI server_name=localhost dtls=1" \
2655 0 \
2656 -S "parse ServerName extension" \
2657 -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
2658 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
2659
Andres Amaya Garciaf77d3d32018-05-01 20:26:47 +0100[diff] [blame]2660run_test "SNI: DTLS, matching cert 1" \
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]2661 "$P_SRV debug_level=3 dtls=1 \
2662 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2663 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
2664 "$P_CLI server_name=localhost dtls=1" \
2665 0 \
2666 -s "parse ServerName extension" \
2667 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
2668 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
2669
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]2670run_test "SNI: DTLS, matching cert 2" \
2671 "$P_SRV debug_level=3 dtls=1 \
2672 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2673 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
2674 "$P_CLI server_name=polarssl.example dtls=1" \
2675 0 \
2676 -s "parse ServerName extension" \
2677 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
2678 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
2679
2680run_test "SNI: DTLS, no matching cert" \
2681 "$P_SRV debug_level=3 dtls=1 \
2682 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2683 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
2684 "$P_CLI server_name=nonesuch.example dtls=1" \
2685 1 \
2686 -s "parse ServerName extension" \
2687 -s "ssl_sni_wrapper() returned" \
2688 -s "mbedtls_ssl_handshake returned" \
2689 -c "mbedtls_ssl_handshake returned" \
2690 -c "SSL - A fatal alert message was received from our peer"
2691
2692run_test "SNI: DTLS, client auth no override: optional" \
2693 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
2694 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2695 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
2696 "$P_CLI debug_level=3 server_name=localhost dtls=1" \
2697 0 \
2698 -S "skip write certificate request" \
2699 -C "skip parse certificate request" \
2700 -c "got a certificate request" \
2701 -C "skip write certificate" \
2702 -C "skip write certificate verify" \
2703 -S "skip parse certificate verify"
2704
2705run_test "SNI: DTLS, client auth override: none -> optional" \
2706 "$P_SRV debug_level=3 auth_mode=none dtls=1 \
2707 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2708 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
2709 "$P_CLI debug_level=3 server_name=localhost dtls=1" \
2710 0 \
2711 -S "skip write certificate request" \
2712 -C "skip parse certificate request" \
2713 -c "got a certificate request" \
2714 -C "skip write certificate" \
2715 -C "skip write certificate verify" \
2716 -S "skip parse certificate verify"
2717
2718run_test "SNI: DTLS, client auth override: optional -> none" \
2719 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
2720 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2721 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
2722 "$P_CLI debug_level=3 server_name=localhost dtls=1" \
2723 0 \
2724 -s "skip write certificate request" \
2725 -C "skip parse certificate request" \
2726 -c "got no certificate request" \
2727 -c "skip write certificate" \
2728 -c "skip write certificate verify" \
2729 -s "skip parse certificate verify"
2730
2731run_test "SNI: DTLS, CA no override" \
2732 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
2733 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2734 ca_file=data_files/test-ca.crt \
2735 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
2736 "$P_CLI debug_level=3 server_name=localhost dtls=1 \
2737 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2738 1 \
2739 -S "skip write certificate request" \
2740 -C "skip parse certificate request" \
2741 -c "got a certificate request" \
2742 -C "skip write certificate" \
2743 -C "skip write certificate verify" \
2744 -S "skip parse certificate verify" \
2745 -s "x509_verify_cert() returned" \
2746 -s "! The certificate is not correctly signed by the trusted CA" \
2747 -S "The certificate has been revoked (is on a CRL)"
2748
Andres Amaya Garciaf77d3d32018-05-01 20:26:47 +0100[diff] [blame]2749run_test "SNI: DTLS, CA override" \
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]2750 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
2751 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2752 ca_file=data_files/test-ca.crt \
2753 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
2754 "$P_CLI debug_level=3 server_name=localhost dtls=1 \
2755 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2756 0 \
2757 -S "skip write certificate request" \
2758 -C "skip parse certificate request" \
2759 -c "got a certificate request" \
2760 -C "skip write certificate" \
2761 -C "skip write certificate verify" \
2762 -S "skip parse certificate verify" \
2763 -S "x509_verify_cert() returned" \
2764 -S "! The certificate is not correctly signed by the trusted CA" \
2765 -S "The certificate has been revoked (is on a CRL)"
2766
Andres Amaya Garciaf77d3d32018-05-01 20:26:47 +0100[diff] [blame]2767run_test "SNI: DTLS, CA override with CRL" \
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]2768 "$P_SRV debug_level=3 auth_mode=optional \
2769 crt_file=data_files/server5.crt key_file=data_files/server5.key dtls=1 \
2770 ca_file=data_files/test-ca.crt \
2771 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
2772 "$P_CLI debug_level=3 server_name=localhost dtls=1 \
2773 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2774 1 \
2775 -S "skip write certificate request" \
2776 -C "skip parse certificate request" \
2777 -c "got a certificate request" \
2778 -C "skip write certificate" \
2779 -C "skip write certificate verify" \
2780 -S "skip parse certificate verify" \
2781 -s "x509_verify_cert() returned" \
2782 -S "! The certificate is not correctly signed by the trusted CA" \
2783 -s "The certificate has been revoked (is on a CRL)"
2784
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2785# Tests for non-blocking I/O: exercise a variety of handshake flows
2786
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2787run_test "Non-blocking I/O: basic handshake" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2788 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
2789 "$P_CLI nbio=2 tickets=0" \
2790 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2791 -S "mbedtls_ssl_handshake returned" \
2792 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2793 -c "Read from server: .* bytes read"
2794
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2795run_test "Non-blocking I/O: client auth" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2796 "$P_SRV nbio=2 tickets=0 auth_mode=required" \
2797 "$P_CLI nbio=2 tickets=0" \
2798 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2799 -S "mbedtls_ssl_handshake returned" \
2800 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2801 -c "Read from server: .* bytes read"
2802
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2803run_test "Non-blocking I/O: ticket" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2804 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
2805 "$P_CLI nbio=2 tickets=1" \
2806 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2807 -S "mbedtls_ssl_handshake returned" \
2808 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2809 -c "Read from server: .* bytes read"
2810
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2811run_test "Non-blocking I/O: ticket + client auth" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2812 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
2813 "$P_CLI nbio=2 tickets=1" \
2814 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2815 -S "mbedtls_ssl_handshake returned" \
2816 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2817 -c "Read from server: .* bytes read"
2818
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2819run_test "Non-blocking I/O: ticket + client auth + resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2820 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
2821 "$P_CLI nbio=2 tickets=1 reconnect=1" \
2822 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2823 -S "mbedtls_ssl_handshake returned" \
2824 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2825 -c "Read from server: .* bytes read"
2826
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2827run_test "Non-blocking I/O: ticket + resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2828 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
2829 "$P_CLI nbio=2 tickets=1 reconnect=1" \
2830 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2831 -S "mbedtls_ssl_handshake returned" \
2832 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2833 -c "Read from server: .* bytes read"
2834
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2835run_test "Non-blocking I/O: session-id resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2836 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
2837 "$P_CLI nbio=2 tickets=0 reconnect=1" \
2838 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2839 -S "mbedtls_ssl_handshake returned" \
2840 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2841 -c "Read from server: .* bytes read"
2842
Hanno Becker00076712017-11-15 16:39:08 +0000[diff] [blame]2843# Tests for event-driven I/O: exercise a variety of handshake flows
2844
2845run_test "Event-driven I/O: basic handshake" \
2846 "$P_SRV event=1 tickets=0 auth_mode=none" \
2847 "$P_CLI event=1 tickets=0" \
2848 0 \
2849 -S "mbedtls_ssl_handshake returned" \
2850 -C "mbedtls_ssl_handshake returned" \
2851 -c "Read from server: .* bytes read"
2852
2853run_test "Event-driven I/O: client auth" \
2854 "$P_SRV event=1 tickets=0 auth_mode=required" \
2855 "$P_CLI event=1 tickets=0" \
2856 0 \
2857 -S "mbedtls_ssl_handshake returned" \
2858 -C "mbedtls_ssl_handshake returned" \
2859 -c "Read from server: .* bytes read"
2860
2861run_test "Event-driven I/O: ticket" \
2862 "$P_SRV event=1 tickets=1 auth_mode=none" \
2863 "$P_CLI event=1 tickets=1" \
2864 0 \
2865 -S "mbedtls_ssl_handshake returned" \
2866 -C "mbedtls_ssl_handshake returned" \
2867 -c "Read from server: .* bytes read"
2868
2869run_test "Event-driven I/O: ticket + client auth" \
2870 "$P_SRV event=1 tickets=1 auth_mode=required" \
2871 "$P_CLI event=1 tickets=1" \
2872 0 \
2873 -S "mbedtls_ssl_handshake returned" \
2874 -C "mbedtls_ssl_handshake returned" \
2875 -c "Read from server: .* bytes read"
2876
2877run_test "Event-driven I/O: ticket + client auth + resume" \
2878 "$P_SRV event=1 tickets=1 auth_mode=required" \
2879 "$P_CLI event=1 tickets=1 reconnect=1" \
2880 0 \
2881 -S "mbedtls_ssl_handshake returned" \
2882 -C "mbedtls_ssl_handshake returned" \
2883 -c "Read from server: .* bytes read"
2884
2885run_test "Event-driven I/O: ticket + resume" \
2886 "$P_SRV event=1 tickets=1 auth_mode=none" \
2887 "$P_CLI event=1 tickets=1 reconnect=1" \
2888 0 \
2889 -S "mbedtls_ssl_handshake returned" \
2890 -C "mbedtls_ssl_handshake returned" \
2891 -c "Read from server: .* bytes read"
2892
2893run_test "Event-driven I/O: session-id resume" \
2894 "$P_SRV event=1 tickets=0 auth_mode=none" \
2895 "$P_CLI event=1 tickets=0 reconnect=1" \
2896 0 \
2897 -S "mbedtls_ssl_handshake returned" \
2898 -C "mbedtls_ssl_handshake returned" \
2899 -c "Read from server: .* bytes read"
2900
Hanno Becker6a33f592018-03-13 11:38:46 +0000[diff] [blame]2901run_test "Event-driven I/O, DTLS: basic handshake" \
2902 "$P_SRV dtls=1 event=1 tickets=0 auth_mode=none" \
2903 "$P_CLI dtls=1 event=1 tickets=0" \
2904 0 \
2905 -c "Read from server: .* bytes read"
2906
2907run_test "Event-driven I/O, DTLS: client auth" \
2908 "$P_SRV dtls=1 event=1 tickets=0 auth_mode=required" \
2909 "$P_CLI dtls=1 event=1 tickets=0" \
2910 0 \
2911 -c "Read from server: .* bytes read"
2912
2913run_test "Event-driven I/O, DTLS: ticket" \
2914 "$P_SRV dtls=1 event=1 tickets=1 auth_mode=none" \
2915 "$P_CLI dtls=1 event=1 tickets=1" \
2916 0 \
2917 -c "Read from server: .* bytes read"
2918
2919run_test "Event-driven I/O, DTLS: ticket + client auth" \
2920 "$P_SRV dtls=1 event=1 tickets=1 auth_mode=required" \
2921 "$P_CLI dtls=1 event=1 tickets=1" \
2922 0 \
2923 -c "Read from server: .* bytes read"
2924
2925run_test "Event-driven I/O, DTLS: ticket + client auth + resume" \
2926 "$P_SRV dtls=1 event=1 tickets=1 auth_mode=required" \
2927 "$P_CLI dtls=1 event=1 tickets=1 reconnect=1" \
2928 0 \
2929 -c "Read from server: .* bytes read"
2930
2931run_test "Event-driven I/O, DTLS: ticket + resume" \
2932 "$P_SRV dtls=1 event=1 tickets=1 auth_mode=none" \
2933 "$P_CLI dtls=1 event=1 tickets=1 reconnect=1" \
2934 0 \
2935 -c "Read from server: .* bytes read"
2936
2937run_test "Event-driven I/O, DTLS: session-id resume" \
2938 "$P_SRV dtls=1 event=1 tickets=0 auth_mode=none" \
2939 "$P_CLI dtls=1 event=1 tickets=0 reconnect=1" \
2940 0 \
2941 -c "Read from server: .* bytes read"
Hanno Beckerbc6c1102018-03-13 11:39:40 +0000[diff] [blame]2942
2943# This test demonstrates the need for the mbedtls_ssl_check_pending function.
2944# During session resumption, the client will send its ApplicationData record
2945# within the same datagram as the Finished messages. In this situation, the
2946# server MUST NOT idle on the underlying transport after handshake completion,
2947# because the ApplicationData request has already been queued internally.
2948run_test "Event-driven I/O, DTLS: session-id resume, UDP packing" \
Hanno Becker8d832182018-03-15 10:14:19 +0000[diff] [blame]2949 -p "$P_PXY pack=50" \
Hanno Beckerbc6c1102018-03-13 11:39:40 +0000[diff] [blame]2950 "$P_SRV dtls=1 event=1 tickets=0 auth_mode=required" \
2951 "$P_CLI dtls=1 event=1 tickets=0 reconnect=1" \
2952 0 \
2953 -c "Read from server: .* bytes read"
2954
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2955# Tests for version negotiation
2956
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2957run_test "Version check: all -> 1.2" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2958 "$P_SRV" \
2959 "$P_CLI" \
2960 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2961 -S "mbedtls_ssl_handshake returned" \
2962 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2963 -s "Protocol is TLSv1.2" \
2964 -c "Protocol is TLSv1.2"
2965
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2966run_test "Version check: cli max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2967 "$P_SRV" \
2968 "$P_CLI max_version=tls1_1" \
2969 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2970 -S "mbedtls_ssl_handshake returned" \
2971 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2972 -s "Protocol is TLSv1.1" \
2973 -c "Protocol is TLSv1.1"
2974
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2975run_test "Version check: srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2976 "$P_SRV max_version=tls1_1" \
2977 "$P_CLI" \
2978 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2979 -S "mbedtls_ssl_handshake returned" \
2980 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2981 -s "Protocol is TLSv1.1" \
2982 -c "Protocol is TLSv1.1"
2983
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2984run_test "Version check: cli+srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2985 "$P_SRV max_version=tls1_1" \
2986 "$P_CLI max_version=tls1_1" \
2987 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2988 -S "mbedtls_ssl_handshake returned" \
2989 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2990 -s "Protocol is TLSv1.1" \
2991 -c "Protocol is TLSv1.1"
2992
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2993run_test "Version check: cli max 1.1, srv min 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2994 "$P_SRV min_version=tls1_1" \
2995 "$P_CLI max_version=tls1_1" \
2996 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2997 -S "mbedtls_ssl_handshake returned" \
2998 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2999 -s "Protocol is TLSv1.1" \
3000 -c "Protocol is TLSv1.1"
3001
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3002run_test "Version check: cli min 1.1, srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3003 "$P_SRV max_version=tls1_1" \
3004 "$P_CLI min_version=tls1_1" \
3005 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3006 -S "mbedtls_ssl_handshake returned" \
3007 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3008 -s "Protocol is TLSv1.1" \
3009 -c "Protocol is TLSv1.1"
3010
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3011run_test "Version check: cli min 1.2, srv max 1.1 -> fail" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3012 "$P_SRV max_version=tls1_1" \
3013 "$P_CLI min_version=tls1_2" \
3014 1 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3015 -s "mbedtls_ssl_handshake returned" \
3016 -c "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3017 -c "SSL - Handshake protocol not within min/max boundaries"
3018
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3019run_test "Version check: srv min 1.2, cli max 1.1 -> fail" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3020 "$P_SRV min_version=tls1_2" \
3021 "$P_CLI max_version=tls1_1" \
3022 1 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3023 -s "mbedtls_ssl_handshake returned" \
3024 -c "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3025 -s "SSL - Handshake protocol not within min/max boundaries"
3026
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]3027# Tests for ALPN extension
3028
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3029run_test "ALPN: none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3030 "$P_SRV debug_level=3" \
3031 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]3032 0 \
3033 -C "client hello, adding alpn extension" \
3034 -S "found alpn extension" \
3035 -C "got an alert message, type: \\[2:120]" \
3036 -S "server hello, adding alpn extension" \
3037 -C "found alpn extension " \
3038 -C "Application Layer Protocol is" \
3039 -S "Application Layer Protocol is"
3040
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3041run_test "ALPN: client only" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3042 "$P_SRV debug_level=3" \
3043 "$P_CLI debug_level=3 alpn=abc,1234" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]3044 0 \
3045 -c "client hello, adding alpn extension" \
3046 -s "found alpn extension" \
3047 -C "got an alert message, type: \\[2:120]" \
3048 -S "server hello, adding alpn extension" \
3049 -C "found alpn extension " \
3050 -c "Application Layer Protocol is (none)" \
3051 -S "Application Layer Protocol is"
3052
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3053run_test "ALPN: server only" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3054 "$P_SRV debug_level=3 alpn=abc,1234" \
3055 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]3056 0 \
3057 -C "client hello, adding alpn extension" \
3058 -S "found alpn extension" \
3059 -C "got an alert message, type: \\[2:120]" \
3060 -S "server hello, adding alpn extension" \
3061 -C "found alpn extension " \
3062 -C "Application Layer Protocol is" \
3063 -s "Application Layer Protocol is (none)"
3064
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3065run_test "ALPN: both, common cli1-srv1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3066 "$P_SRV debug_level=3 alpn=abc,1234" \
3067 "$P_CLI debug_level=3 alpn=abc,1234" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]3068 0 \
3069 -c "client hello, adding alpn extension" \
3070 -s "found alpn extension" \
3071 -C "got an alert message, type: \\[2:120]" \
3072 -s "server hello, adding alpn extension" \
3073 -c "found alpn extension" \
3074 -c "Application Layer Protocol is abc" \
3075 -s "Application Layer Protocol is abc"
3076
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3077run_test "ALPN: both, common cli2-srv1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3078 "$P_SRV debug_level=3 alpn=abc,1234" \
3079 "$P_CLI debug_level=3 alpn=1234,abc" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]3080 0 \
3081 -c "client hello, adding alpn extension" \
3082 -s "found alpn extension" \
3083 -C "got an alert message, type: \\[2:120]" \
3084 -s "server hello, adding alpn extension" \
3085 -c "found alpn extension" \
3086 -c "Application Layer Protocol is abc" \
3087 -s "Application Layer Protocol is abc"
3088
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3089run_test "ALPN: both, common cli1-srv2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3090 "$P_SRV debug_level=3 alpn=abc,1234" \
3091 "$P_CLI debug_level=3 alpn=1234,abcde" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]3092 0 \
3093 -c "client hello, adding alpn extension" \
3094 -s "found alpn extension" \
3095 -C "got an alert message, type: \\[2:120]" \
3096 -s "server hello, adding alpn extension" \
3097 -c "found alpn extension" \
3098 -c "Application Layer Protocol is 1234" \
3099 -s "Application Layer Protocol is 1234"
3100
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3101run_test "ALPN: both, no common" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3102 "$P_SRV debug_level=3 alpn=abc,123" \
3103 "$P_CLI debug_level=3 alpn=1234,abcde" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]3104 1 \
3105 -c "client hello, adding alpn extension" \
3106 -s "found alpn extension" \
3107 -c "got an alert message, type: \\[2:120]" \
3108 -S "server hello, adding alpn extension" \
3109 -C "found alpn extension" \
3110 -C "Application Layer Protocol is 1234" \
3111 -S "Application Layer Protocol is 1234"
3112
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]3113
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3114# Tests for keyUsage in leaf certificates, part 1:
3115# server-side certificate/suite selection
3116
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3117run_test "keyUsage srv: RSA, digitalSignature -> (EC)DHE-RSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3118 "$P_SRV key_file=data_files/server2.key \
3119 crt_file=data_files/server2.ku-ds.crt" \
3120 "$P_CLI" \
3121 0 \
Manuel Pégourié-Gonnard17cde5f2014-05-22 14:42:39 +0200[diff] [blame]3122 -c "Ciphersuite is TLS-[EC]*DHE-RSA-WITH-"
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3123
3124
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3125run_test "keyUsage srv: RSA, keyEncipherment -> RSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3126 "$P_SRV key_file=data_files/server2.key \
3127 crt_file=data_files/server2.ku-ke.crt" \
3128 "$P_CLI" \
3129 0 \
3130 -c "Ciphersuite is TLS-RSA-WITH-"
3131
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3132run_test "keyUsage srv: RSA, keyAgreement -> fail" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]3133 "$P_SRV key_file=data_files/server2.key \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3134 crt_file=data_files/server2.ku-ka.crt" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]3135 "$P_CLI" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3136 1 \
3137 -C "Ciphersuite is "
3138
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3139run_test "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3140 "$P_SRV key_file=data_files/server5.key \
3141 crt_file=data_files/server5.ku-ds.crt" \
3142 "$P_CLI" \
3143 0 \
3144 -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-"
3145
3146
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3147run_test "keyUsage srv: ECDSA, keyAgreement -> ECDH-" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3148 "$P_SRV key_file=data_files/server5.key \
3149 crt_file=data_files/server5.ku-ka.crt" \
3150 "$P_CLI" \
3151 0 \
3152 -c "Ciphersuite is TLS-ECDH-"
3153
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3154run_test "keyUsage srv: ECDSA, keyEncipherment -> fail" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]3155 "$P_SRV key_file=data_files/server5.key \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3156 crt_file=data_files/server5.ku-ke.crt" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]3157 "$P_CLI" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3158 1 \
3159 -C "Ciphersuite is "
3160
3161# Tests for keyUsage in leaf certificates, part 2:
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3162# client-side checking of server cert
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3163
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3164run_test "keyUsage cli: DigitalSignature+KeyEncipherment, RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3165 "$O_SRV -key data_files/server2.key \
3166 -cert data_files/server2.ku-ds_ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3167 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3168 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
3169 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3170 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3171 -C "Processing of the Certificate handshake message failed" \
3172 -c "Ciphersuite is TLS-"
3173
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3174run_test "keyUsage cli: DigitalSignature+KeyEncipherment, DHE-RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3175 "$O_SRV -key data_files/server2.key \
3176 -cert data_files/server2.ku-ds_ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3177 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3178 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
3179 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3180 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3181 -C "Processing of the Certificate handshake message failed" \
3182 -c "Ciphersuite is TLS-"
3183
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3184run_test "keyUsage cli: KeyEncipherment, RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3185 "$O_SRV -key data_files/server2.key \
3186 -cert data_files/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3187 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3188 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
3189 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3190 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3191 -C "Processing of the Certificate handshake message failed" \
3192 -c "Ciphersuite is TLS-"
3193
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3194run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3195 "$O_SRV -key data_files/server2.key \
3196 -cert data_files/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3197 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3198 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
3199 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3200 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3201 -c "Processing of the Certificate handshake message failed" \
3202 -C "Ciphersuite is TLS-"
3203
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]3204run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail, soft" \
3205 "$O_SRV -key data_files/server2.key \
3206 -cert data_files/server2.ku-ke.crt" \
3207 "$P_CLI debug_level=1 auth_mode=optional \
3208 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
3209 0 \
3210 -c "bad certificate (usage extensions)" \
3211 -C "Processing of the Certificate handshake message failed" \
3212 -c "Ciphersuite is TLS-" \
3213 -c "! Usage does not match the keyUsage extension"
3214
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3215run_test "keyUsage cli: DigitalSignature, DHE-RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3216 "$O_SRV -key data_files/server2.key \
3217 -cert data_files/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3218 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3219 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
3220 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3221 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3222 -C "Processing of the Certificate handshake message failed" \
3223 -c "Ciphersuite is TLS-"
3224
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3225run_test "keyUsage cli: DigitalSignature, RSA: fail" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3226 "$O_SRV -key data_files/server2.key \
3227 -cert data_files/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3228 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3229 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
3230 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3231 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3232 -c "Processing of the Certificate handshake message failed" \
3233 -C "Ciphersuite is TLS-"
3234
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]3235run_test "keyUsage cli: DigitalSignature, RSA: fail, soft" \
3236 "$O_SRV -key data_files/server2.key \
3237 -cert data_files/server2.ku-ds.crt" \
3238 "$P_CLI debug_level=1 auth_mode=optional \
3239 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
3240 0 \
3241 -c "bad certificate (usage extensions)" \
3242 -C "Processing of the Certificate handshake message failed" \
3243 -c "Ciphersuite is TLS-" \
3244 -c "! Usage does not match the keyUsage extension"
3245
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3246# Tests for keyUsage in leaf certificates, part 3:
3247# server-side checking of client cert
3248
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3249run_test "keyUsage cli-auth: RSA, DigitalSignature: OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3250 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3251 "$O_CLI -key data_files/server2.key \
3252 -cert data_files/server2.ku-ds.crt" \
3253 0 \
3254 -S "bad certificate (usage extensions)" \
3255 -S "Processing of the Certificate handshake message failed"
3256
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3257run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3258 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3259 "$O_CLI -key data_files/server2.key \
3260 -cert data_files/server2.ku-ke.crt" \
3261 0 \
3262 -s "bad certificate (usage extensions)" \
3263 -S "Processing of the Certificate handshake message failed"
3264
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3265run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (hard)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3266 "$P_SRV debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3267 "$O_CLI -key data_files/server2.key \
3268 -cert data_files/server2.ku-ke.crt" \
3269 1 \
3270 -s "bad certificate (usage extensions)" \
3271 -s "Processing of the Certificate handshake message failed"
3272
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3273run_test "keyUsage cli-auth: ECDSA, DigitalSignature: OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3274 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3275 "$O_CLI -key data_files/server5.key \
3276 -cert data_files/server5.ku-ds.crt" \
3277 0 \
3278 -S "bad certificate (usage extensions)" \
3279 -S "Processing of the Certificate handshake message failed"
3280
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3281run_test "keyUsage cli-auth: ECDSA, KeyAgreement: fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3282 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3283 "$O_CLI -key data_files/server5.key \
3284 -cert data_files/server5.ku-ka.crt" \
3285 0 \
3286 -s "bad certificate (usage extensions)" \
3287 -S "Processing of the Certificate handshake message failed"
3288
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3289# Tests for extendedKeyUsage, part 1: server-side certificate/suite selection
3290
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3291run_test "extKeyUsage srv: serverAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3292 "$P_SRV key_file=data_files/server5.key \
3293 crt_file=data_files/server5.eku-srv.crt" \
3294 "$P_CLI" \
3295 0
3296
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3297run_test "extKeyUsage srv: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3298 "$P_SRV key_file=data_files/server5.key \
3299 crt_file=data_files/server5.eku-srv.crt" \
3300 "$P_CLI" \
3301 0
3302
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3303run_test "extKeyUsage srv: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3304 "$P_SRV key_file=data_files/server5.key \
3305 crt_file=data_files/server5.eku-cs_any.crt" \
3306 "$P_CLI" \
3307 0
3308
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3309run_test "extKeyUsage srv: codeSign -> fail" \
Manuel Pégourié-Gonnard7eb58cb2015-07-07 11:54:14 +0200[diff] [blame]3310 "$P_SRV key_file=data_files/server5.key \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3311 crt_file=data_files/server5.eku-cli.crt" \
Manuel Pégourié-Gonnard7eb58cb2015-07-07 11:54:14 +0200[diff] [blame]3312 "$P_CLI" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3313 1
3314
3315# Tests for extendedKeyUsage, part 2: client-side checking of server cert
3316
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3317run_test "extKeyUsage cli: serverAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3318 "$O_SRV -key data_files/server5.key \
3319 -cert data_files/server5.eku-srv.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3320 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3321 0 \
3322 -C "bad certificate (usage extensions)" \
3323 -C "Processing of the Certificate handshake message failed" \
3324 -c "Ciphersuite is TLS-"
3325
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3326run_test "extKeyUsage cli: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3327 "$O_SRV -key data_files/server5.key \
3328 -cert data_files/server5.eku-srv_cli.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3329 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3330 0 \
3331 -C "bad certificate (usage extensions)" \
3332 -C "Processing of the Certificate handshake message failed" \
3333 -c "Ciphersuite is TLS-"
3334
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3335run_test "extKeyUsage cli: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3336 "$O_SRV -key data_files/server5.key \
3337 -cert data_files/server5.eku-cs_any.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3338 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3339 0 \
3340 -C "bad certificate (usage extensions)" \
3341 -C "Processing of the Certificate handshake message failed" \
3342 -c "Ciphersuite is TLS-"
3343
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3344run_test "extKeyUsage cli: codeSign -> fail" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3345 "$O_SRV -key data_files/server5.key \
3346 -cert data_files/server5.eku-cs.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3347 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3348 1 \
3349 -c "bad certificate (usage extensions)" \
3350 -c "Processing of the Certificate handshake message failed" \
3351 -C "Ciphersuite is TLS-"
3352
3353# Tests for extendedKeyUsage, part 3: server-side checking of client cert
3354
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3355run_test "extKeyUsage cli-auth: clientAuth -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3356 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3357 "$O_CLI -key data_files/server5.key \
3358 -cert data_files/server5.eku-cli.crt" \
3359 0 \
3360 -S "bad certificate (usage extensions)" \
3361 -S "Processing of the Certificate handshake message failed"
3362
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3363run_test "extKeyUsage cli-auth: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3364 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3365 "$O_CLI -key data_files/server5.key \
3366 -cert data_files/server5.eku-srv_cli.crt" \
3367 0 \
3368 -S "bad certificate (usage extensions)" \
3369 -S "Processing of the Certificate handshake message failed"
3370
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3371run_test "extKeyUsage cli-auth: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3372 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3373 "$O_CLI -key data_files/server5.key \
3374 -cert data_files/server5.eku-cs_any.crt" \
3375 0 \
3376 -S "bad certificate (usage extensions)" \
3377 -S "Processing of the Certificate handshake message failed"
3378
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3379run_test "extKeyUsage cli-auth: codeSign -> fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3380 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3381 "$O_CLI -key data_files/server5.key \
3382 -cert data_files/server5.eku-cs.crt" \
3383 0 \
3384 -s "bad certificate (usage extensions)" \
3385 -S "Processing of the Certificate handshake message failed"
3386
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3387run_test "extKeyUsage cli-auth: codeSign -> fail (hard)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3388 "$P_SRV debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3389 "$O_CLI -key data_files/server5.key \
3390 -cert data_files/server5.eku-cs.crt" \
3391 1 \
3392 -s "bad certificate (usage extensions)" \
3393 -s "Processing of the Certificate handshake message failed"
3394
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]3395# Tests for DHM parameters loading
3396
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3397run_test "DHM parameters: reference" \
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]3398 "$P_SRV" \
3399 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3400 debug_level=3" \
3401 0 \
3402 -c "value of 'DHM: P ' (2048 bits)" \
Hanno Becker13be9902017-09-27 17:17:30 +0100[diff] [blame]3403 -c "value of 'DHM: G ' (2 bits)"
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]3404
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3405run_test "DHM parameters: other parameters" \
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]3406 "$P_SRV dhm_file=data_files/dhparams.pem" \
3407 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3408 debug_level=3" \
3409 0 \
3410 -c "value of 'DHM: P ' (1024 bits)" \
3411 -c "value of 'DHM: G ' (2 bits)"
3412
Manuel Pégourié-Gonnard7a010aa2015-06-12 11:19:10 +0200[diff] [blame]3413# Tests for DHM client-side size checking
3414
3415run_test "DHM size: server default, client default, OK" \
3416 "$P_SRV" \
3417 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3418 debug_level=1" \
3419 0 \
3420 -C "DHM prime too short:"
3421
3422run_test "DHM size: server default, client 2048, OK" \
3423 "$P_SRV" \
3424 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3425 debug_level=1 dhmlen=2048" \
3426 0 \
3427 -C "DHM prime too short:"
3428
3429run_test "DHM size: server 1024, client default, OK" \
3430 "$P_SRV dhm_file=data_files/dhparams.pem" \
3431 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3432 debug_level=1" \
3433 0 \
3434 -C "DHM prime too short:"
3435
3436run_test "DHM size: server 1000, client default, rejected" \
3437 "$P_SRV dhm_file=data_files/dh.1000.pem" \
3438 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3439 debug_level=1" \
3440 1 \
3441 -c "DHM prime too short:"
3442
3443run_test "DHM size: server default, client 2049, rejected" \
3444 "$P_SRV" \
3445 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3446 debug_level=1 dhmlen=2049" \
3447 1 \
3448 -c "DHM prime too short:"
3449
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3450# Tests for PSK callback
3451
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3452run_test "PSK callback: psk, no callback" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3453 "$P_SRV psk=abc123 psk_identity=foo" \
3454 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3455 psk_identity=foo psk=abc123" \
3456 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3457 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]3458 -S "SSL - Unknown identity received" \
3459 -S "SSL - Verification of the message MAC failed"
3460
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3461run_test "PSK callback: no psk, no callback" \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]3462 "$P_SRV" \
3463 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3464 psk_identity=foo psk=abc123" \
3465 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3466 -s "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3467 -S "SSL - Unknown identity received" \
3468 -S "SSL - Verification of the message MAC failed"
3469
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3470run_test "PSK callback: callback overrides other settings" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3471 "$P_SRV psk=abc123 psk_identity=foo psk_list=abc,dead,def,beef" \
3472 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3473 psk_identity=foo psk=abc123" \
3474 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3475 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3476 -s "SSL - Unknown identity received" \
3477 -S "SSL - Verification of the message MAC failed"
3478
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3479run_test "PSK callback: first id matches" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3480 "$P_SRV psk_list=abc,dead,def,beef" \
3481 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3482 psk_identity=abc psk=dead" \
3483 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3484 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3485 -S "SSL - Unknown identity received" \
3486 -S "SSL - Verification of the message MAC failed"
3487
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3488run_test "PSK callback: second id matches" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3489 "$P_SRV psk_list=abc,dead,def,beef" \
3490 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3491 psk_identity=def psk=beef" \
3492 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3493 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3494 -S "SSL - Unknown identity received" \
3495 -S "SSL - Verification of the message MAC failed"
3496
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3497run_test "PSK callback: no match" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3498 "$P_SRV psk_list=abc,dead,def,beef" \
3499 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3500 psk_identity=ghi psk=beef" \
3501 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3502 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3503 -s "SSL - Unknown identity received" \
3504 -S "SSL - Verification of the message MAC failed"
3505
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3506run_test "PSK callback: wrong key" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3507 "$P_SRV psk_list=abc,dead,def,beef" \
3508 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3509 psk_identity=abc psk=beef" \
3510 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3511 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3512 -S "SSL - Unknown identity received" \
3513 -s "SSL - Verification of the message MAC failed"
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]3514
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3515# Tests for EC J-PAKE
3516
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3517requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3518run_test "ECJPAKE: client not configured" \
3519 "$P_SRV debug_level=3" \
3520 "$P_CLI debug_level=3" \
3521 0 \
3522 -C "add ciphersuite: c0ff" \
3523 -C "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3524 -S "found ecjpake kkpp extension" \
3525 -S "skip ecjpake kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3526 -S "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]3527 -S "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]3528 -C "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3529 -S "None of the common ciphersuites is usable"
3530
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3531requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3532run_test "ECJPAKE: server not configured" \
3533 "$P_SRV debug_level=3" \
3534 "$P_CLI debug_level=3 ecjpake_pw=bla \
3535 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3536 1 \
3537 -c "add ciphersuite: c0ff" \
3538 -c "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3539 -s "found ecjpake kkpp extension" \
3540 -s "skip ecjpake kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3541 -s "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]3542 -S "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]3543 -C "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3544 -s "None of the common ciphersuites is usable"
3545
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3546requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3547run_test "ECJPAKE: working, TLS" \
3548 "$P_SRV debug_level=3 ecjpake_pw=bla" \
3549 "$P_CLI debug_level=3 ecjpake_pw=bla \
3550 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3551 0 \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3552 -c "add ciphersuite: c0ff" \
3553 -c "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]3554 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3555 -s "found ecjpake kkpp extension" \
3556 -S "skip ecjpake kkpp extension" \
3557 -S "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]3558 -s "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]3559 -c "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3560 -S "None of the common ciphersuites is usable" \
3561 -S "SSL - Verification of the message MAC failed"
3562
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3563server_needs_more_time 1
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3564requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3565run_test "ECJPAKE: password mismatch, TLS" \
3566 "$P_SRV debug_level=3 ecjpake_pw=bla" \
3567 "$P_CLI debug_level=3 ecjpake_pw=bad \
3568 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3569 1 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]3570 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3571 -s "SSL - Verification of the message MAC failed"
3572
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3573requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3574run_test "ECJPAKE: working, DTLS" \
3575 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \
3576 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \
3577 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3578 0 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]3579 -c "re-using cached ecjpake parameters" \
3580 -S "SSL - Verification of the message MAC failed"
3581
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3582requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]3583run_test "ECJPAKE: working, DTLS, no cookie" \
3584 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla cookies=0" \
3585 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \
3586 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3587 0 \
3588 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3589 -S "SSL - Verification of the message MAC failed"
3590
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3591server_needs_more_time 1
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3592requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3593run_test "ECJPAKE: password mismatch, DTLS" \
3594 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \
3595 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bad \
3596 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3597 1 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]3598 -c "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3599 -s "SSL - Verification of the message MAC failed"
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3600
Manuel Pégourié-Gonnardca700b22015-10-20 14:47:00 +0200[diff] [blame]3601# for tests with configs/config-thread.h
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3602requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnardca700b22015-10-20 14:47:00 +0200[diff] [blame]3603run_test "ECJPAKE: working, DTLS, nolog" \
3604 "$P_SRV dtls=1 ecjpake_pw=bla" \
3605 "$P_CLI dtls=1 ecjpake_pw=bla \
3606 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3607 0
3608
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3609# Tests for ciphersuites per version
3610
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]3611requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3612run_test "Per-version suites: SSL3" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3613 "$P_SRV min_version=ssl3 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3614 "$P_CLI force_version=ssl3" \
3615 0 \
3616 -c "Ciphersuite is TLS-RSA-WITH-3DES-EDE-CBC-SHA"
3617
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3618run_test "Per-version suites: TLS 1.0" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3619 "$P_SRV arc4=1 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]3620 "$P_CLI force_version=tls1 arc4=1" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3621 0 \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3622 -c "Ciphersuite is TLS-RSA-WITH-AES-256-CBC-SHA"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3623
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3624run_test "Per-version suites: TLS 1.1" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3625 "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3626 "$P_CLI force_version=tls1_1" \
3627 0 \
3628 -c "Ciphersuite is TLS-RSA-WITH-AES-128-CBC-SHA"
3629
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3630run_test "Per-version suites: TLS 1.2" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3631 "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3632 "$P_CLI force_version=tls1_2" \
3633 0 \
3634 -c "Ciphersuite is TLS-RSA-WITH-AES-128-GCM-SHA256"
3635
Manuel Pégourié-Gonnard4cc8c632015-07-23 12:24:03 +0200[diff] [blame]3636# Test for ClientHello without extensions
3637
Manuel Pégourié-Gonnardd55bc202015-08-04 16:22:30 +0200[diff] [blame]3638requires_gnutls
Gilles Peskine5d2511c2017-05-12 13:16:40 +0200[diff] [blame]3639run_test "ClientHello without extensions, SHA-1 allowed" \
Manuel Pégourié-Gonnard4cc8c632015-07-23 12:24:03 +0200[diff] [blame]3640 "$P_SRV debug_level=3" \
3641 "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
3642 0 \
3643 -s "dumping 'client hello extensions' (0 bytes)"
3644
Gilles Peskine5d2511c2017-05-12 13:16:40 +0200[diff] [blame]3645requires_gnutls
3646run_test "ClientHello without extensions, SHA-1 forbidden in certificates on server" \
3647 "$P_SRV debug_level=3 key_file=data_files/server2.key crt_file=data_files/server2.crt allow_sha1=0" \
3648 "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
3649 0 \
3650 -s "dumping 'client hello extensions' (0 bytes)"
3651
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3652# Tests for mbedtls_ssl_get_bytes_avail()
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]3653
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3654run_test "mbedtls_ssl_get_bytes_avail: no extra data" \
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]3655 "$P_SRV" \
3656 "$P_CLI request_size=100" \
3657 0 \
3658 -s "Read from client: 100 bytes read$"
3659
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3660run_test "mbedtls_ssl_get_bytes_avail: extra data" \
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]3661 "$P_SRV" \
3662 "$P_CLI request_size=500" \
3663 0 \
3664 -s "Read from client: 500 bytes read (.*+.*)"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3665
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3666# Tests for small packets
3667
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]3668requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3669run_test "Small packet SSLv3 BlockCipher" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]3670 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3671 "$P_CLI request_size=1 force_version=ssl3 \
3672 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3673 0 \
3674 -s "Read from client: 1 bytes read"
3675
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]3676requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3677run_test "Small packet SSLv3 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3678 "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3679 "$P_CLI request_size=1 force_version=ssl3 \
3680 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3681 0 \
3682 -s "Read from client: 1 bytes read"
3683
3684run_test "Small packet TLS 1.0 BlockCipher" \
3685 "$P_SRV" \
3686 "$P_CLI request_size=1 force_version=tls1 \
3687 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3688 0 \
3689 -s "Read from client: 1 bytes read"
3690
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3691run_test "Small packet TLS 1.0 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]3692 "$P_SRV" \
3693 "$P_CLI request_size=1 force_version=tls1 etm=0 \
3694 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3695 0 \
3696 -s "Read from client: 1 bytes read"
3697
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]3698requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3699run_test "Small packet TLS 1.0 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3700 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3701 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3702 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3703 0 \
3704 -s "Read from client: 1 bytes read"
3705
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]3706requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3707run_test "Small packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3708 "$P_SRV trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3709 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3710 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3711 0 \
3712 -s "Read from client: 1 bytes read"
3713
3714run_test "Small packet TLS 1.0 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3715 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3716 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3717 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3718 0 \
3719 -s "Read from client: 1 bytes read"
3720
3721run_test "Small packet TLS 1.0 StreamCipher, without EtM" \
3722 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3723 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3724 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3725 0 \
3726 -s "Read from client: 1 bytes read"
3727
3728requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3729run_test "Small packet TLS 1.0 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3730 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3731 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3732 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3733 0 \
3734 -s "Read from client: 1 bytes read"
3735
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3736requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3737run_test "Small packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3738 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
3739 "$P_CLI request_size=1 force_version=tls1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3740 trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3741 0 \
3742 -s "Read from client: 1 bytes read"
3743
3744run_test "Small packet TLS 1.1 BlockCipher" \
3745 "$P_SRV" \
3746 "$P_CLI request_size=1 force_version=tls1_1 \
3747 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3748 0 \
3749 -s "Read from client: 1 bytes read"
3750
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3751run_test "Small packet TLS 1.1 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]3752 "$P_SRV" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3753 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3754 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3755 0 \
3756 -s "Read from client: 1 bytes read"
3757
3758requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3759run_test "Small packet TLS 1.1 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3760 "$P_SRV trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3761 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3762 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3763 0 \
3764 -s "Read from client: 1 bytes read"
3765
3766requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3767run_test "Small packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3768 "$P_SRV trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3769 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3770 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]3771 0 \
3772 -s "Read from client: 1 bytes read"
3773
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3774run_test "Small packet TLS 1.1 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3775 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3776 "$P_CLI request_size=1 force_version=tls1_1 \
3777 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3778 0 \
3779 -s "Read from client: 1 bytes read"
3780
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3781run_test "Small packet TLS 1.1 StreamCipher, without EtM" \
3782 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3783 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3784 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3785 0 \
3786 -s "Read from client: 1 bytes read"
3787
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3788requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3789run_test "Small packet TLS 1.1 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3790 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3791 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3792 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3793 0 \
3794 -s "Read from client: 1 bytes read"
3795
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]3796requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3797run_test "Small packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3798 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3799 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3800 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3801 0 \
3802 -s "Read from client: 1 bytes read"
3803
3804run_test "Small packet TLS 1.2 BlockCipher" \
3805 "$P_SRV" \
3806 "$P_CLI request_size=1 force_version=tls1_2 \
3807 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3808 0 \
3809 -s "Read from client: 1 bytes read"
3810
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3811run_test "Small packet TLS 1.2 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]3812 "$P_SRV" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3813 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3814 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]3815 0 \
3816 -s "Read from client: 1 bytes read"
3817
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3818run_test "Small packet TLS 1.2 BlockCipher larger MAC" \
3819 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]3820 "$P_CLI request_size=1 force_version=tls1_2 \
3821 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3822 0 \
3823 -s "Read from client: 1 bytes read"
3824
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]3825requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3826run_test "Small packet TLS 1.2 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3827 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3828 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3829 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3830 0 \
3831 -s "Read from client: 1 bytes read"
3832
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3833requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3834run_test "Small packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3835 "$P_SRV trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3836 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3837 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3838 0 \
3839 -s "Read from client: 1 bytes read"
3840
3841run_test "Small packet TLS 1.2 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3842 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3843 "$P_CLI request_size=1 force_version=tls1_2 \
3844 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3845 0 \
3846 -s "Read from client: 1 bytes read"
3847
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3848run_test "Small packet TLS 1.2 StreamCipher, without EtM" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3849 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3850 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3851 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3852 0 \
3853 -s "Read from client: 1 bytes read"
3854
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]3855requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3856run_test "Small packet TLS 1.2 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3857 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3858 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3859 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3860 0 \
3861 -s "Read from client: 1 bytes read"
3862
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3863requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3864run_test "Small packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3865 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3866 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3867 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3868 0 \
3869 -s "Read from client: 1 bytes read"
3870
3871run_test "Small packet TLS 1.2 AEAD" \
3872 "$P_SRV" \
3873 "$P_CLI request_size=1 force_version=tls1_2 \
3874 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
3875 0 \
3876 -s "Read from client: 1 bytes read"
3877
3878run_test "Small packet TLS 1.2 AEAD shorter tag" \
3879 "$P_SRV" \
3880 "$P_CLI request_size=1 force_version=tls1_2 \
3881 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
3882 0 \
3883 -s "Read from client: 1 bytes read"
3884
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]3885# Tests for small packets in DTLS
3886
3887requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
3888run_test "Small packet DTLS 1.0" \
3889 "$P_SRV dtls=1 force_version=dtls1" \
3890 "$P_CLI dtls=1 request_size=1 \
3891 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3892 0 \
3893 -s "Read from client: 1 bytes read"
3894
3895requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
3896run_test "Small packet DTLS 1.0, without EtM" \
3897 "$P_SRV dtls=1 force_version=dtls1 etm=0" \
3898 "$P_CLI dtls=1 request_size=1 \
3899 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3900 0 \
3901 -s "Read from client: 1 bytes read"
3902
3903requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
3904requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3905run_test "Small packet DTLS 1.0, truncated hmac" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3906 "$P_SRV dtls=1 force_version=dtls1 trunc_hmac=1" \
3907 "$P_CLI dtls=1 request_size=1 trunc_hmac=1 \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]3908 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3909 0 \
3910 -s "Read from client: 1 bytes read"
3911
3912requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
3913requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3914run_test "Small packet DTLS 1.0, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3915 "$P_SRV dtls=1 force_version=dtls1 trunc_hmac=1 etm=0" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]3916 "$P_CLI dtls=1 request_size=1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3917 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]3918 0 \
3919 -s "Read from client: 1 bytes read"
3920
3921requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
3922run_test "Small packet DTLS 1.2" \
3923 "$P_SRV dtls=1 force_version=dtls1_2" \
3924 "$P_CLI dtls=1 request_size=1 \
3925 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3926 0 \
3927 -s "Read from client: 1 bytes read"
3928
3929requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
3930run_test "Small packet DTLS 1.2, without EtM" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3931 "$P_SRV dtls=1 force_version=dtls1_2 etm=0" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]3932 "$P_CLI dtls=1 request_size=1 \
3933 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3934 0 \
3935 -s "Read from client: 1 bytes read"
3936
3937requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
3938requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3939run_test "Small packet DTLS 1.2, truncated hmac" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3940 "$P_SRV dtls=1 force_version=dtls1_2 trunc_hmac=1" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]3941 "$P_CLI dtls=1 request_size=1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3942 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]3943 0 \
3944 -s "Read from client: 1 bytes read"
3945
3946requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
3947requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3948run_test "Small packet DTLS 1.2, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3949 "$P_SRV dtls=1 force_version=dtls1_2 trunc_hmac=1 etm=0" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]3950 "$P_CLI dtls=1 request_size=1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3951 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]3952 0 \
3953 -s "Read from client: 1 bytes read"
3954
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]3955# A test for extensions in SSLv3
3956
3957requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
3958run_test "SSLv3 with extensions, server side" \
3959 "$P_SRV min_version=ssl3 debug_level=3" \
3960 "$P_CLI force_version=ssl3 tickets=1 max_frag_len=4096 alpn=abc,1234" \
3961 0 \
3962 -S "dumping 'client hello extensions'" \
3963 -S "server hello, total extension length:"
3964
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3965# Test for large packets
3966
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]3967requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3968run_test "Large packet SSLv3 BlockCipher" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]3969 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]3970 "$P_CLI request_size=16384 force_version=ssl3 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3971 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3972 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]3973 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3974 -s "Read from client: 16384 bytes read"
3975
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]3976requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3977run_test "Large packet SSLv3 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3978 "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3979 "$P_CLI request_size=16384 force_version=ssl3 \
3980 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3981 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]3982 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3983 -s "Read from client: 16384 bytes read"
3984
3985run_test "Large packet TLS 1.0 BlockCipher" \
3986 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]3987 "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3988 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3989 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]3990 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3991 -s "Read from client: 16384 bytes read"
3992
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]3993run_test "Large packet TLS 1.0 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3994 "$P_SRV" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]3995 "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \
3996 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3997 0 \
3998 -s "Read from client: 16384 bytes read"
3999
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]4000requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4001run_test "Large packet TLS 1.0 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4002 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]4003 "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4004 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4005 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]4006 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4007 -s "Read from client: 16384 bytes read"
4008
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]4009requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4010run_test "Large packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4011 "$P_SRV trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4012 "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4013 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4014 0 \
4015 -s "Read from client: 16384 bytes read"
4016
4017run_test "Large packet TLS 1.0 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]4018 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4019 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4020 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4021 0 \
4022 -s "Read from client: 16384 bytes read"
4023
4024run_test "Large packet TLS 1.0 StreamCipher, without EtM" \
4025 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4026 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4027 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4028 0 \
4029 -s "Read from client: 16384 bytes read"
4030
4031requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4032run_test "Large packet TLS 1.0 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4033 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4034 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4035 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4036 0 \
4037 -s "Read from client: 16384 bytes read"
4038
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4039requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4040run_test "Large packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4041 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4042 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4043 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4044 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]4045 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4046 -s "Read from client: 16384 bytes read"
4047
4048run_test "Large packet TLS 1.1 BlockCipher" \
4049 "$P_SRV" \
4050 "$P_CLI request_size=16384 force_version=tls1_1 \
4051 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4052 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]4053 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4054 -s "Read from client: 16384 bytes read"
4055
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4056run_test "Large packet TLS 1.1 BlockCipher, without EtM" \
4057 "$P_SRV" \
4058 "$P_CLI request_size=16384 force_version=tls1_1 etm=0 \
4059 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4060 0 \
4061 -s "Read from client: 16384 bytes read"
4062
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]4063requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4064run_test "Large packet TLS 1.1 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4065 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4066 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4067 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4068 0 \
4069 -s "Read from client: 16384 bytes read"
4070
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]4071requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4072run_test "Large packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4073 "$P_SRV trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4074 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4075 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4076 0 \
4077 -s "Read from client: 16384 bytes read"
4078
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4079run_test "Large packet TLS 1.1 StreamCipher" \
4080 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4081 "$P_CLI request_size=16384 force_version=tls1_1 \
4082 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4083 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]4084 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4085 -s "Read from client: 16384 bytes read"
4086
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4087run_test "Large packet TLS 1.1 StreamCipher, without EtM" \
4088 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4089 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4090 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4091 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]4092 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4093 -s "Read from client: 16384 bytes read"
4094
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4095requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4096run_test "Large packet TLS 1.1 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4097 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4098 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4099 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4100 0 \
4101 -s "Read from client: 16384 bytes read"
4102
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4103requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4104run_test "Large packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4105 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4106 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4107 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4108 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]4109 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4110 -s "Read from client: 16384 bytes read"
4111
4112run_test "Large packet TLS 1.2 BlockCipher" \
4113 "$P_SRV" \
4114 "$P_CLI request_size=16384 force_version=tls1_2 \
4115 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4116 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]4117 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4118 -s "Read from client: 16384 bytes read"
4119
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4120run_test "Large packet TLS 1.2 BlockCipher, without EtM" \
4121 "$P_SRV" \
4122 "$P_CLI request_size=16384 force_version=tls1_2 etm=0 \
4123 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4124 0 \
4125 -s "Read from client: 16384 bytes read"
4126
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4127run_test "Large packet TLS 1.2 BlockCipher larger MAC" \
4128 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]4129 "$P_CLI request_size=16384 force_version=tls1_2 \
4130 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4131 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]4132 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4133 -s "Read from client: 16384 bytes read"
4134
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]4135requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4136run_test "Large packet TLS 1.2 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4137 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4138 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4139 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4140 0 \
4141 -s "Read from client: 16384 bytes read"
4142
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4143requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4144run_test "Large packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4145 "$P_SRV trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4146 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4147 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4148 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]4149 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4150 -s "Read from client: 16384 bytes read"
4151
4152run_test "Large packet TLS 1.2 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]4153 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4154 "$P_CLI request_size=16384 force_version=tls1_2 \
4155 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4156 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]4157 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4158 -s "Read from client: 16384 bytes read"
4159
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4160run_test "Large packet TLS 1.2 StreamCipher, without EtM" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]4161 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4162 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4163 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
4164 0 \
4165 -s "Read from client: 16384 bytes read"
4166
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]4167requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4168run_test "Large packet TLS 1.2 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4169 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4170 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4171 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4172 0 \
4173 -s "Read from client: 16384 bytes read"
4174
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4175requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4176run_test "Large packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4177 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4178 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4179 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4180 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]4181 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4182 -s "Read from client: 16384 bytes read"
4183
4184run_test "Large packet TLS 1.2 AEAD" \
4185 "$P_SRV" \
4186 "$P_CLI request_size=16384 force_version=tls1_2 \
4187 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
4188 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]4189 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4190 -s "Read from client: 16384 bytes read"
4191
4192run_test "Large packet TLS 1.2 AEAD shorter tag" \
4193 "$P_SRV" \
4194 "$P_CLI request_size=16384 force_version=tls1_2 \
4195 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
4196 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]4197 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4198 -s "Read from client: 16384 bytes read"
4199
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]4200# Tests of asynchronous private key support in SSL
4201
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]4202requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4203run_test "SSL async private: sign, delay=0" \
4204 "$P_SRV \
4205 async_operations=s async_private_delay1=0 async_private_delay2=0" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]4206 "$P_CLI" \
4207 0 \
4208 -s "Async sign callback: using key slot " \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4209 -s "Async resume (slot [0-9]): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]4210
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]4211requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4212run_test "SSL async private: sign, delay=1" \
4213 "$P_SRV \
4214 async_operations=s async_private_delay1=1 async_private_delay2=1" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]4215 "$P_CLI" \
4216 0 \
4217 -s "Async sign callback: using key slot " \
4218 -s "Async resume (slot [0-9]): call 0 more times." \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4219 -s "Async resume (slot [0-9]): sign done, status=0"
4220
Gilles Peskine12d0cc12018-04-26 15:06:56 +0200[diff] [blame]4221requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
4222run_test "SSL async private: sign, delay=2" \
4223 "$P_SRV \
4224 async_operations=s async_private_delay1=2 async_private_delay2=2" \
4225 "$P_CLI" \
4226 0 \
4227 -s "Async sign callback: using key slot " \
4228 -U "Async sign callback: using key slot " \
4229 -s "Async resume (slot [0-9]): call 1 more times." \
4230 -s "Async resume (slot [0-9]): call 0 more times." \
4231 -s "Async resume (slot [0-9]): sign done, status=0"
4232
Gilles Peskined3268832018-04-26 06:23:59 +0200[diff] [blame]4233# Test that the async callback correctly signs the 36-byte hash of TLS 1.0/1.1
4234# with RSA PKCS#1v1.5 as used in TLS 1.0/1.1.
4235requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
4236requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
4237run_test "SSL async private: sign, RSA, TLS 1.1" \
4238 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt \
4239 async_operations=s async_private_delay1=0 async_private_delay2=0" \
4240 "$P_CLI force_version=tls1_1" \
4241 0 \
4242 -s "Async sign callback: using key slot " \
4243 -s "Async resume (slot [0-9]): sign done, status=0"
4244
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]4245requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine807d74a2018-04-30 10:30:49 +0200[diff] [blame]4246run_test "SSL async private: sign, SNI" \
4247 "$P_SRV debug_level=3 \
4248 async_operations=s async_private_delay1=0 async_private_delay2=0 \
4249 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4250 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
4251 "$P_CLI server_name=polarssl.example" \
4252 0 \
4253 -s "Async sign callback: using key slot " \
4254 -s "Async resume (slot [0-9]): sign done, status=0" \
4255 -s "parse ServerName extension" \
4256 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
4257 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
4258
4259requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4260run_test "SSL async private: decrypt, delay=0" \
4261 "$P_SRV \
4262 async_operations=d async_private_delay1=0 async_private_delay2=0" \
4263 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
4264 0 \
4265 -s "Async decrypt callback: using key slot " \
4266 -s "Async resume (slot [0-9]): decrypt done, status=0"
4267
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]4268requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4269run_test "SSL async private: decrypt, delay=1" \
4270 "$P_SRV \
4271 async_operations=d async_private_delay1=1 async_private_delay2=1" \
4272 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
4273 0 \
4274 -s "Async decrypt callback: using key slot " \
4275 -s "Async resume (slot [0-9]): call 0 more times." \
4276 -s "Async resume (slot [0-9]): decrypt done, status=0"
4277
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]4278requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4279run_test "SSL async private: decrypt RSA-PSK, delay=0" \
4280 "$P_SRV psk=abc123 \
4281 async_operations=d async_private_delay1=0 async_private_delay2=0" \
4282 "$P_CLI psk=abc123 \
4283 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256" \
4284 0 \
4285 -s "Async decrypt callback: using key slot " \
4286 -s "Async resume (slot [0-9]): decrypt done, status=0"
4287
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]4288requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4289run_test "SSL async private: decrypt RSA-PSK, delay=1" \
4290 "$P_SRV psk=abc123 \
4291 async_operations=d async_private_delay1=1 async_private_delay2=1" \
4292 "$P_CLI psk=abc123 \
4293 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256" \
4294 0 \
4295 -s "Async decrypt callback: using key slot " \
4296 -s "Async resume (slot [0-9]): call 0 more times." \
4297 -s "Async resume (slot [0-9]): decrypt done, status=0"
4298
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]4299requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4300run_test "SSL async private: sign callback not present" \
4301 "$P_SRV \
4302 async_operations=d async_private_delay1=1 async_private_delay2=1" \
4303 "$P_CLI; [ \$? -eq 1 ] &&
4304 $P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
4305 0 \
4306 -S "Async sign callback" \
4307 -s "! mbedtls_ssl_handshake returned" \
4308 -s "The own private key or pre-shared key is not set, but needed" \
4309 -s "Async resume (slot [0-9]): decrypt done, status=0" \
4310 -s "Successful connection"
4311
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]4312requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4313run_test "SSL async private: decrypt callback not present" \
4314 "$P_SRV debug_level=1 \
4315 async_operations=s async_private_delay1=1 async_private_delay2=1" \
4316 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA;
4317 [ \$? -eq 1 ] && $P_CLI" \
4318 0 \
4319 -S "Async decrypt callback" \
4320 -s "! mbedtls_ssl_handshake returned" \
4321 -s "got no RSA private key" \
4322 -s "Async resume (slot [0-9]): sign done, status=0" \
4323 -s "Successful connection"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]4324
4325# key1: ECDSA, key2: RSA; use key1 from slot 0
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]4326requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]4327run_test "SSL async private: slot 0 used with key1" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4328 "$P_SRV \
4329 async_operations=s async_private_delay1=1 \
4330 key_file=data_files/server5.key crt_file=data_files/server5.crt \
4331 key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]4332 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
4333 0 \
4334 -s "Async sign callback: using key slot 0," \
4335 -s "Async resume (slot 0): call 0 more times." \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4336 -s "Async resume (slot 0): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]4337
4338# key1: ECDSA, key2: RSA; use key2 from slot 0
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]4339requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]4340run_test "SSL async private: slot 0 used with key2" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4341 "$P_SRV \
4342 async_operations=s async_private_delay2=1 \
4343 key_file=data_files/server5.key crt_file=data_files/server5.crt \
4344 key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]4345 "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
4346 0 \
4347 -s "Async sign callback: using key slot 0," \
4348 -s "Async resume (slot 0): call 0 more times." \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4349 -s "Async resume (slot 0): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]4350
4351# key1: ECDSA, key2: RSA; use key2 from slot 1
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]4352requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinead28bf02018-04-26 00:19:16 +0200[diff] [blame]4353run_test "SSL async private: slot 1 used with key2" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4354 "$P_SRV \
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]4355 async_operations=s async_private_delay1=1 async_private_delay2=1 \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4356 key_file=data_files/server5.key crt_file=data_files/server5.crt \
4357 key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]4358 "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
4359 0 \
4360 -s "Async sign callback: using key slot 1," \
4361 -s "Async resume (slot 1): call 0 more times." \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4362 -s "Async resume (slot 1): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]4363
4364# key1: ECDSA, key2: RSA; use key2 directly
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]4365requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]4366run_test "SSL async private: fall back to transparent key" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4367 "$P_SRV \
4368 async_operations=s async_private_delay1=1 \
4369 key_file=data_files/server5.key crt_file=data_files/server5.crt \
4370 key_file2=data_files/server2.key crt_file2=data_files/server2.crt " \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]4371 "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
4372 0 \
4373 -s "Async sign callback: no key matches this certificate."
4374
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]4375requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]4376run_test "SSL async private: sign, error in start" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4377 "$P_SRV \
4378 async_operations=s async_private_delay1=1 async_private_delay2=1 \
4379 async_private_error=1" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]4380 "$P_CLI" \
4381 1 \
4382 -s "Async sign callback: injected error" \
4383 -S "Async resume" \
Gilles Peskine37289cd2018-04-27 11:50:14 +0200[diff] [blame]4384 -S "Async cancel" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]4385 -s "! mbedtls_ssl_handshake returned"
4386
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]4387requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]4388run_test "SSL async private: sign, cancel after start" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4389 "$P_SRV \
4390 async_operations=s async_private_delay1=1 async_private_delay2=1 \
4391 async_private_error=2" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]4392 "$P_CLI" \
4393 1 \
4394 -s "Async sign callback: using key slot " \
4395 -S "Async resume" \
4396 -s "Async cancel"
4397
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]4398requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]4399run_test "SSL async private: sign, error in resume" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4400 "$P_SRV \
4401 async_operations=s async_private_delay1=1 async_private_delay2=1 \
4402 async_private_error=3" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]4403 "$P_CLI" \
4404 1 \
4405 -s "Async sign callback: using key slot " \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4406 -s "Async resume callback: sign done but injected error" \
Gilles Peskine37289cd2018-04-27 11:50:14 +0200[diff] [blame]4407 -S "Async cancel" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]4408 -s "! mbedtls_ssl_handshake returned"
4409
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]4410requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]4411run_test "SSL async private: decrypt, error in start" \
4412 "$P_SRV \
4413 async_operations=d async_private_delay1=1 async_private_delay2=1 \
4414 async_private_error=1" \
4415 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
4416 1 \
4417 -s "Async decrypt callback: injected error" \
4418 -S "Async resume" \
4419 -S "Async cancel" \
4420 -s "! mbedtls_ssl_handshake returned"
4421
4422requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
4423run_test "SSL async private: decrypt, cancel after start" \
4424 "$P_SRV \
4425 async_operations=d async_private_delay1=1 async_private_delay2=1 \
4426 async_private_error=2" \
4427 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
4428 1 \
4429 -s "Async decrypt callback: using key slot " \
4430 -S "Async resume" \
4431 -s "Async cancel"
4432
4433requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
4434run_test "SSL async private: decrypt, error in resume" \
4435 "$P_SRV \
4436 async_operations=d async_private_delay1=1 async_private_delay2=1 \
4437 async_private_error=3" \
4438 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
4439 1 \
4440 -s "Async decrypt callback: using key slot " \
4441 -s "Async resume callback: decrypt done but injected error" \
4442 -S "Async cancel" \
4443 -s "! mbedtls_ssl_handshake returned"
4444
4445requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]4446run_test "SSL async private: cancel after start then operate correctly" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4447 "$P_SRV \
4448 async_operations=s async_private_delay1=1 async_private_delay2=1 \
4449 async_private_error=-2" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]4450 "$P_CLI; [ \$? -eq 1 ] && $P_CLI" \
4451 0 \
4452 -s "Async cancel" \
4453 -s "! mbedtls_ssl_handshake returned" \
4454 -s "Async resume" \
4455 -s "Successful connection"
4456
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]4457requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]4458run_test "SSL async private: error in resume then operate correctly" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4459 "$P_SRV \
4460 async_operations=s async_private_delay1=1 async_private_delay2=1 \
4461 async_private_error=-3" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]4462 "$P_CLI; [ \$? -eq 1 ] && $P_CLI" \
4463 0 \
4464 -s "! mbedtls_ssl_handshake returned" \
4465 -s "Async resume" \
4466 -s "Successful connection"
4467
4468# key1: ECDSA, key2: RSA; use key1 through async, then key2 directly
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]4469requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]4470run_test "SSL async private: cancel after start then fall back to transparent key" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4471 "$P_SRV \
4472 async_operations=s async_private_delay1=1 async_private_error=-2 \
4473 key_file=data_files/server5.key crt_file=data_files/server5.crt \
4474 key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]4475 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256;
4476 [ \$? -eq 1 ] &&
4477 $P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
4478 0 \
Gilles Peskinededa75a2018-04-30 10:02:45 +0200[diff] [blame]4479 -s "Async sign callback: using key slot 0" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]4480 -S "Async resume" \
4481 -s "Async cancel" \
4482 -s "! mbedtls_ssl_handshake returned" \
4483 -s "Async sign callback: no key matches this certificate." \
4484 -s "Successful connection"
4485
4486# key1: ECDSA, key2: RSA; use key1 through async, then key2 directly
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]4487requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]4488run_test "SSL async private: sign, error in resume then fall back to transparent key" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4489 "$P_SRV \
4490 async_operations=s async_private_delay1=1 async_private_error=-3 \
4491 key_file=data_files/server5.key crt_file=data_files/server5.crt \
4492 key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]4493 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256;
4494 [ \$? -eq 1 ] &&
4495 $P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
4496 0 \
4497 -s "Async resume" \
4498 -s "! mbedtls_ssl_handshake returned" \
4499 -s "Async sign callback: no key matches this certificate." \
4500 -s "Successful connection"
4501
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]4502requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]4503requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4504run_test "SSL async private: renegotiation: client-initiated; sign" \
4505 "$P_SRV \
4506 async_operations=s async_private_delay1=1 async_private_delay2=1 \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]4507 exchanges=2 renegotiation=1" \
4508 "$P_CLI exchanges=2 renegotiation=1 renegotiate=1" \
4509 0 \
4510 -s "Async sign callback: using key slot " \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4511 -s "Async resume (slot [0-9]): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]4512
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]4513requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]4514requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4515run_test "SSL async private: renegotiation: server-initiated; sign" \
4516 "$P_SRV \
4517 async_operations=s async_private_delay1=1 async_private_delay2=1 \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]4518 exchanges=2 renegotiation=1 renegotiate=1" \
4519 "$P_CLI exchanges=2 renegotiation=1" \
4520 0 \
4521 -s "Async sign callback: using key slot " \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4522 -s "Async resume (slot [0-9]): sign done, status=0"
4523
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]4524requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4525requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
4526run_test "SSL async private: renegotiation: client-initiated; decrypt" \
4527 "$P_SRV \
4528 async_operations=d async_private_delay1=1 async_private_delay2=1 \
4529 exchanges=2 renegotiation=1" \
4530 "$P_CLI exchanges=2 renegotiation=1 renegotiate=1 \
4531 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
4532 0 \
4533 -s "Async decrypt callback: using key slot " \
4534 -s "Async resume (slot [0-9]): decrypt done, status=0"
4535
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]4536requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4537requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
4538run_test "SSL async private: renegotiation: server-initiated; decrypt" \
4539 "$P_SRV \
4540 async_operations=d async_private_delay1=1 async_private_delay2=1 \
4541 exchanges=2 renegotiation=1 renegotiate=1" \
4542 "$P_CLI exchanges=2 renegotiation=1 \
4543 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
4544 0 \
4545 -s "Async decrypt callback: using key slot " \
4546 -s "Async resume (slot [0-9]): decrypt done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]4547
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4548# Tests for DTLS HelloVerifyRequest
4549
4550run_test "DTLS cookie: enabled" \
4551 "$P_SRV dtls=1 debug_level=2" \
4552 "$P_CLI dtls=1 debug_level=2" \
4553 0 \
4554 -s "cookie verification failed" \
4555 -s "cookie verification passed" \
4556 -S "cookie verification skipped" \
4557 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]4558 -s "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4559 -S "SSL - The requested feature is not available"
4560
4561run_test "DTLS cookie: disabled" \
4562 "$P_SRV dtls=1 debug_level=2 cookies=0" \
4563 "$P_CLI dtls=1 debug_level=2" \
4564 0 \
4565 -S "cookie verification failed" \
4566 -S "cookie verification passed" \
4567 -s "cookie verification skipped" \
4568 -C "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]4569 -S "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4570 -S "SSL - The requested feature is not available"
4571
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]4572run_test "DTLS cookie: default (failing)" \
4573 "$P_SRV dtls=1 debug_level=2 cookies=-1" \
4574 "$P_CLI dtls=1 debug_level=2 hs_timeout=100-400" \
4575 1 \
4576 -s "cookie verification failed" \
4577 -S "cookie verification passed" \
4578 -S "cookie verification skipped" \
4579 -C "received hello verify request" \
4580 -S "hello verification requested" \
4581 -s "SSL - The requested feature is not available"
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4582
4583requires_ipv6
4584run_test "DTLS cookie: enabled, IPv6" \
4585 "$P_SRV dtls=1 debug_level=2 server_addr=::1" \
4586 "$P_CLI dtls=1 debug_level=2 server_addr=::1" \
4587 0 \
4588 -s "cookie verification failed" \
4589 -s "cookie verification passed" \
4590 -S "cookie verification skipped" \
4591 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]4592 -s "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4593 -S "SSL - The requested feature is not available"
4594
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +0200[diff] [blame]4595run_test "DTLS cookie: enabled, nbio" \
4596 "$P_SRV dtls=1 nbio=2 debug_level=2" \
4597 "$P_CLI dtls=1 nbio=2 debug_level=2" \
4598 0 \
4599 -s "cookie verification failed" \
4600 -s "cookie verification passed" \
4601 -S "cookie verification skipped" \
4602 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]4603 -s "hello verification requested" \
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +0200[diff] [blame]4604 -S "SSL - The requested feature is not available"
4605
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]4606# Tests for client reconnecting from the same port with DTLS
4607
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]4608not_with_valgrind # spurious resend
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]4609run_test "DTLS client reconnect from same port: reference" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]4610 "$P_SRV dtls=1 exchanges=2 read_timeout=1000" \
4611 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]4612 0 \
4613 -C "resend" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]4614 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]4615 -S "Client initiated reconnection from same port"
4616
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]4617not_with_valgrind # spurious resend
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]4618run_test "DTLS client reconnect from same port: reconnect" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]4619 "$P_SRV dtls=1 exchanges=2 read_timeout=1000" \
4620 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]4621 0 \
4622 -C "resend" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]4623 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]4624 -s "Client initiated reconnection from same port"
4625
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]4626not_with_valgrind # server/client too slow to respond in time (next test has higher timeouts)
4627run_test "DTLS client reconnect from same port: reconnect, nbio, no valgrind" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]4628 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 nbio=2" \
4629 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]4630 0 \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]4631 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]4632 -s "Client initiated reconnection from same port"
4633
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]4634only_with_valgrind # Only with valgrind, do previous test but with higher read_timeout and hs_timeout
4635run_test "DTLS client reconnect from same port: reconnect, nbio, valgrind" \
4636 "$P_SRV dtls=1 exchanges=2 read_timeout=2000 nbio=2 hs_timeout=1500-6000" \
4637 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=1500-3000 reconnect_hard=1" \
4638 0 \
4639 -S "The operation timed out" \
4640 -s "Client initiated reconnection from same port"
4641
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]4642run_test "DTLS client reconnect from same port: no cookies" \
4643 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 cookies=0" \
Manuel Pégourié-Gonnard6ad23b92015-09-15 12:57:46 +0200[diff] [blame]4644 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-8000 reconnect_hard=1" \
4645 0 \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]4646 -s "The operation timed out" \
4647 -S "Client initiated reconnection from same port"
4648
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]4649# Tests for various cases of client authentication with DTLS
4650# (focused on handshake flows and message parsing)
4651
4652run_test "DTLS client auth: required" \
4653 "$P_SRV dtls=1 auth_mode=required" \
4654 "$P_CLI dtls=1" \
4655 0 \
4656 -s "Verifying peer X.509 certificate... ok"
4657
4658run_test "DTLS client auth: optional, client has no cert" \
4659 "$P_SRV dtls=1 auth_mode=optional" \
4660 "$P_CLI dtls=1 crt_file=none key_file=none" \
4661 0 \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]4662 -s "! Certificate was missing"
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]4663
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]4664run_test "DTLS client auth: none, client has no cert" \
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]4665 "$P_SRV dtls=1 auth_mode=none" \
4666 "$P_CLI dtls=1 crt_file=none key_file=none debug_level=2" \
4667 0 \
4668 -c "skip write certificate$" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]4669 -s "! Certificate verification was skipped"
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]4670
Manuel Pégourié-Gonnard0a885742015-08-04 12:08:35 +0200[diff] [blame]4671run_test "DTLS wrong PSK: badmac alert" \
4672 "$P_SRV dtls=1 psk=abc123 force_ciphersuite=TLS-PSK-WITH-AES-128-GCM-SHA256" \
4673 "$P_CLI dtls=1 psk=abc124" \
4674 1 \
4675 -s "SSL - Verification of the message MAC failed" \
4676 -c "SSL - A fatal alert message was received from our peer"
4677
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]4678# Tests for receiving fragmented handshake messages with DTLS
4679
4680requires_gnutls
4681run_test "DTLS reassembly: no fragmentation (gnutls server)" \
4682 "$G_SRV -u --mtu 2048 -a" \
4683 "$P_CLI dtls=1 debug_level=2" \
4684 0 \
4685 -C "found fragmented DTLS handshake message" \
4686 -C "error"
4687
4688requires_gnutls
4689run_test "DTLS reassembly: some fragmentation (gnutls server)" \
4690 "$G_SRV -u --mtu 512" \
4691 "$P_CLI dtls=1 debug_level=2" \
4692 0 \
4693 -c "found fragmented DTLS handshake message" \
4694 -C "error"
4695
4696requires_gnutls
4697run_test "DTLS reassembly: more fragmentation (gnutls server)" \
4698 "$G_SRV -u --mtu 128" \
4699 "$P_CLI dtls=1 debug_level=2" \
4700 0 \
4701 -c "found fragmented DTLS handshake message" \
4702 -C "error"
4703
4704requires_gnutls
4705run_test "DTLS reassembly: more fragmentation, nbio (gnutls server)" \
4706 "$G_SRV -u --mtu 128" \
4707 "$P_CLI dtls=1 nbio=2 debug_level=2" \
4708 0 \
4709 -c "found fragmented DTLS handshake message" \
4710 -C "error"
4711
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]4712requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]4713requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]4714run_test "DTLS reassembly: fragmentation, renego (gnutls server)" \
4715 "$G_SRV -u --mtu 256" \
4716 "$P_CLI debug_level=3 dtls=1 renegotiation=1 renegotiate=1" \
4717 0 \
4718 -c "found fragmented DTLS handshake message" \
4719 -c "client hello, adding renegotiation extension" \
4720 -c "found renegotiation extension" \
4721 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4722 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]4723 -C "error" \
4724 -s "Extra-header:"
4725
4726requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]4727requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]4728run_test "DTLS reassembly: fragmentation, nbio, renego (gnutls server)" \
4729 "$G_SRV -u --mtu 256" \
4730 "$P_CLI debug_level=3 nbio=2 dtls=1 renegotiation=1 renegotiate=1" \
4731 0 \
4732 -c "found fragmented DTLS handshake message" \
4733 -c "client hello, adding renegotiation extension" \
4734 -c "found renegotiation extension" \
4735 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4736 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]4737 -C "error" \
4738 -s "Extra-header:"
4739
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]4740run_test "DTLS reassembly: no fragmentation (openssl server)" \
4741 "$O_SRV -dtls1 -mtu 2048" \
4742 "$P_CLI dtls=1 debug_level=2" \
4743 0 \
4744 -C "found fragmented DTLS handshake message" \
4745 -C "error"
4746
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]4747run_test "DTLS reassembly: some fragmentation (openssl server)" \
4748 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]4749 "$P_CLI dtls=1 debug_level=2" \
4750 0 \
4751 -c "found fragmented DTLS handshake message" \
4752 -C "error"
4753
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]4754run_test "DTLS reassembly: more fragmentation (openssl server)" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]4755 "$O_SRV -dtls1 -mtu 256" \
4756 "$P_CLI dtls=1 debug_level=2" \
4757 0 \
4758 -c "found fragmented DTLS handshake message" \
4759 -C "error"
4760
4761run_test "DTLS reassembly: fragmentation, nbio (openssl server)" \
4762 "$O_SRV -dtls1 -mtu 256" \
4763 "$P_CLI dtls=1 nbio=2 debug_level=2" \
4764 0 \
4765 -c "found fragmented DTLS handshake message" \
4766 -C "error"
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]4767
Manuel Pégourié-Gonnard7a66cbc2014-09-26 16:31:46 +0200[diff] [blame]4768# Tests for specific things with "unreliable" UDP connection
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]4769
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]4770not_with_valgrind # spurious resend due to timeout
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]4771run_test "DTLS proxy: reference" \
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]4772 -p "$P_PXY" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]4773 "$P_SRV dtls=1 debug_level=2" \
4774 "$P_CLI dtls=1 debug_level=2" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]4775 0 \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]4776 -C "replayed record" \
4777 -S "replayed record" \
4778 -C "record from another epoch" \
4779 -S "record from another epoch" \
4780 -C "discarding invalid record" \
4781 -S "discarding invalid record" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]4782 -S "resend" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4783 -s "Extra-header:" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]4784 -c "HTTP/1.0 200 OK"
4785
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]4786not_with_valgrind # spurious resend due to timeout
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +0200[diff] [blame]4787run_test "DTLS proxy: duplicate every packet" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]4788 -p "$P_PXY duplicate=1" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]4789 "$P_SRV dtls=1 debug_level=2" \
4790 "$P_CLI dtls=1 debug_level=2" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]4791 0 \
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +0200[diff] [blame]4792 -c "replayed record" \
4793 -s "replayed record" \
Hanno Becker52c6dc62017-05-26 16:07:36 +0100[diff] [blame]4794 -c "record from another epoch" \
4795 -s "record from another epoch" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]4796 -S "resend" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4797 -s "Extra-header:" \
4798 -c "HTTP/1.0 200 OK"
4799
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +0200[diff] [blame]4800run_test "DTLS proxy: duplicate every packet, server anti-replay off" \
4801 -p "$P_PXY duplicate=1" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]4802 "$P_SRV dtls=1 debug_level=2 anti_replay=0" \
4803 "$P_CLI dtls=1 debug_level=2" \
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +0200[diff] [blame]4804 0 \
4805 -c "replayed record" \
4806 -S "replayed record" \
Hanno Becker52c6dc62017-05-26 16:07:36 +0100[diff] [blame]4807 -c "record from another epoch" \
4808 -s "record from another epoch" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]4809 -c "resend" \
4810 -s "resend" \
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +0200[diff] [blame]4811 -s "Extra-header:" \
4812 -c "HTTP/1.0 200 OK"
4813
Hanno Becker72a4f032017-11-15 16:39:20 +0000[diff] [blame]4814run_test "DTLS proxy: multiple records in same datagram" \
Hanno Becker8d832182018-03-15 10:14:19 +0000[diff] [blame]4815 -p "$P_PXY pack=50" \
Hanno Becker72a4f032017-11-15 16:39:20 +0000[diff] [blame]4816 "$P_SRV dtls=1 debug_level=2" \
4817 "$P_CLI dtls=1 debug_level=2" \
4818 0 \
4819 -c "next record in same datagram" \
4820 -s "next record in same datagram"
4821
4822run_test "DTLS proxy: multiple records in same datagram, duplicate every packet" \
Hanno Becker8d832182018-03-15 10:14:19 +0000[diff] [blame]4823 -p "$P_PXY pack=50 duplicate=1" \
Hanno Becker72a4f032017-11-15 16:39:20 +0000[diff] [blame]4824 "$P_SRV dtls=1 debug_level=2" \
4825 "$P_CLI dtls=1 debug_level=2" \
4826 0 \
4827 -c "next record in same datagram" \
4828 -s "next record in same datagram"
4829
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]4830run_test "DTLS proxy: inject invalid AD record, default badmac_limit" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4831 -p "$P_PXY bad_ad=1" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]4832 "$P_SRV dtls=1 debug_level=1" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]4833 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]4834 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]4835 -c "discarding invalid record (mac)" \
4836 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]4837 -s "Extra-header:" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]4838 -c "HTTP/1.0 200 OK" \
4839 -S "too many records with bad MAC" \
4840 -S "Verification of the message MAC failed"
4841
4842run_test "DTLS proxy: inject invalid AD record, badmac_limit 1" \
4843 -p "$P_PXY bad_ad=1" \
4844 "$P_SRV dtls=1 debug_level=1 badmac_limit=1" \
4845 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
4846 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]4847 -C "discarding invalid record (mac)" \
4848 -S "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]4849 -S "Extra-header:" \
4850 -C "HTTP/1.0 200 OK" \
4851 -s "too many records with bad MAC" \
4852 -s "Verification of the message MAC failed"
4853
4854run_test "DTLS proxy: inject invalid AD record, badmac_limit 2" \
4855 -p "$P_PXY bad_ad=1" \
4856 "$P_SRV dtls=1 debug_level=1 badmac_limit=2" \
4857 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
4858 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]4859 -c "discarding invalid record (mac)" \
4860 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]4861 -s "Extra-header:" \
4862 -c "HTTP/1.0 200 OK" \
4863 -S "too many records with bad MAC" \
4864 -S "Verification of the message MAC failed"
4865
4866run_test "DTLS proxy: inject invalid AD record, badmac_limit 2, exchanges 2"\
4867 -p "$P_PXY bad_ad=1" \
4868 "$P_SRV dtls=1 debug_level=1 badmac_limit=2 exchanges=2" \
4869 "$P_CLI dtls=1 debug_level=1 read_timeout=100 exchanges=2" \
4870 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]4871 -c "discarding invalid record (mac)" \
4872 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]4873 -s "Extra-header:" \
4874 -c "HTTP/1.0 200 OK" \
4875 -s "too many records with bad MAC" \
4876 -s "Verification of the message MAC failed"
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]4877
4878run_test "DTLS proxy: delay ChangeCipherSpec" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]4879 -p "$P_PXY delay_ccs=1" \
4880 "$P_SRV dtls=1 debug_level=1" \
4881 "$P_CLI dtls=1 debug_level=1" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]4882 0 \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]4883 -c "record from another epoch" \
4884 -s "record from another epoch" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]4885 -s "Extra-header:" \
4886 -c "HTTP/1.0 200 OK"
4887
Manuel Pégourié-Gonnard7a66cbc2014-09-26 16:31:46 +0200[diff] [blame]4888# Tests for "randomly unreliable connection": try a variety of flows and peers
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]4889
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4890client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]4891run_test "DTLS proxy: 3d (drop, delay, duplicate), \"short\" PSK handshake" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]4892 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]4893 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
4894 psk=abc123" \
4895 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]4896 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
4897 0 \
4898 -s "Extra-header:" \
4899 -c "HTTP/1.0 200 OK"
4900
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4901client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]4902run_test "DTLS proxy: 3d, \"short\" RSA handshake" \
4903 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]4904 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none" \
4905 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]4906 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
4907 0 \
4908 -s "Extra-header:" \
4909 -c "HTTP/1.0 200 OK"
4910
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4911client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]4912run_test "DTLS proxy: 3d, \"short\" (no ticket, no cli_auth) FS handshake" \
4913 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]4914 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none" \
4915 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]4916 0 \
4917 -s "Extra-header:" \
4918 -c "HTTP/1.0 200 OK"
4919
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4920client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]4921run_test "DTLS proxy: 3d, FS, client auth" \
4922 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]4923 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=required" \
4924 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]4925 0 \
4926 -s "Extra-header:" \
4927 -c "HTTP/1.0 200 OK"
4928
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4929client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]4930run_test "DTLS proxy: 3d, FS, ticket" \
4931 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]4932 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=1 auth_mode=none" \
4933 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=1" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]4934 0 \
4935 -s "Extra-header:" \
4936 -c "HTTP/1.0 200 OK"
4937
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4938client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]4939run_test "DTLS proxy: 3d, max handshake (FS, ticket + client auth)" \
4940 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]4941 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=1 auth_mode=required" \
4942 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=1" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]4943 0 \
4944 -s "Extra-header:" \
4945 -c "HTTP/1.0 200 OK"
4946
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4947client_needs_more_time 2
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]4948run_test "DTLS proxy: 3d, max handshake, nbio" \
4949 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]4950 "$P_SRV dtls=1 hs_timeout=250-10000 nbio=2 tickets=1 \
4951 auth_mode=required" \
4952 "$P_CLI dtls=1 hs_timeout=250-10000 nbio=2 tickets=1" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]4953 0 \
4954 -s "Extra-header:" \
4955 -c "HTTP/1.0 200 OK"
4956
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4957client_needs_more_time 4
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +0200[diff] [blame]4958run_test "DTLS proxy: 3d, min handshake, resumption" \
4959 -p "$P_PXY drop=5 delay=5 duplicate=5" \
4960 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
4961 psk=abc123 debug_level=3" \
4962 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
4963 debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
4964 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
4965 0 \
4966 -s "a session has been resumed" \
4967 -c "a session has been resumed" \
4968 -s "Extra-header:" \
4969 -c "HTTP/1.0 200 OK"
4970
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4971client_needs_more_time 4
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +0200[diff] [blame]4972run_test "DTLS proxy: 3d, min handshake, resumption, nbio" \
4973 -p "$P_PXY drop=5 delay=5 duplicate=5" \
4974 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
4975 psk=abc123 debug_level=3 nbio=2" \
4976 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
4977 debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
4978 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 nbio=2" \
4979 0 \
4980 -s "a session has been resumed" \
4981 -c "a session has been resumed" \
4982 -s "Extra-header:" \
4983 -c "HTTP/1.0 200 OK"
4984
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4985client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]4986requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]4987run_test "DTLS proxy: 3d, min handshake, client-initiated renego" \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +0200[diff] [blame]4988 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]4989 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
4990 psk=abc123 renegotiation=1 debug_level=2" \
4991 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
4992 renegotiate=1 debug_level=2 \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +0200[diff] [blame]4993 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
4994 0 \
4995 -c "=> renegotiate" \
4996 -s "=> renegotiate" \
4997 -s "Extra-header:" \
4998 -c "HTTP/1.0 200 OK"
4999
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5000client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]5001requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]5002run_test "DTLS proxy: 3d, min handshake, client-initiated renego, nbio" \
5003 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]5004 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
5005 psk=abc123 renegotiation=1 debug_level=2" \
5006 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
5007 renegotiate=1 debug_level=2 \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]5008 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
5009 0 \
5010 -c "=> renegotiate" \
5011 -s "=> renegotiate" \
5012 -s "Extra-header:" \
5013 -c "HTTP/1.0 200 OK"
5014
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5015client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]5016requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]5017run_test "DTLS proxy: 3d, min handshake, server-initiated renego" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]5018 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]5019 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]5020 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]5021 debug_level=2" \
5022 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]5023 renegotiation=1 exchanges=4 debug_level=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]5024 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
5025 0 \
5026 -c "=> renegotiate" \
5027 -s "=> renegotiate" \
5028 -s "Extra-header:" \
5029 -c "HTTP/1.0 200 OK"
5030
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5031client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]5032requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]5033run_test "DTLS proxy: 3d, min handshake, server-initiated renego, nbio" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]5034 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]5035 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]5036 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]5037 debug_level=2 nbio=2" \
5038 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]5039 renegotiation=1 exchanges=4 debug_level=2 nbio=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]5040 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
5041 0 \
5042 -c "=> renegotiate" \
5043 -s "=> renegotiate" \
5044 -s "Extra-header:" \
5045 -c "HTTP/1.0 200 OK"
5046
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5047client_needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]5048not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]5049run_test "DTLS proxy: 3d, openssl server" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]5050 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
5051 "$O_SRV -dtls1 -mtu 2048" \
Manuel Pégourié-Gonnard8fe411e2015-03-09 16:09:53 +0000[diff] [blame]5052 "$P_CLI dtls=1 hs_timeout=250-60000 tickets=0" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]5053 0 \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]5054 -c "HTTP/1.0 200 OK"
5055
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5056client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]5057not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]5058run_test "DTLS proxy: 3d, openssl server, fragmentation" \
5059 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
5060 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnard8fe411e2015-03-09 16:09:53 +0000[diff] [blame]5061 "$P_CLI dtls=1 hs_timeout=250-60000 tickets=0" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]5062 0 \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]5063 -c "HTTP/1.0 200 OK"
5064
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5065client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]5066not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]5067run_test "DTLS proxy: 3d, openssl server, fragmentation, nbio" \
5068 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
5069 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnard8fe411e2015-03-09 16:09:53 +0000[diff] [blame]5070 "$P_CLI dtls=1 hs_timeout=250-60000 nbio=2 tickets=0" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]5071 0 \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]5072 -c "HTTP/1.0 200 OK"
5073
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]5074requires_gnutls
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5075client_needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]5076not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]5077run_test "DTLS proxy: 3d, gnutls server" \
5078 -p "$P_PXY drop=5 delay=5 duplicate=5" \
5079 "$G_SRV -u --mtu 2048 -a" \
Manuel Pégourié-Gonnardf1384472014-10-14 22:57:46 +0200[diff] [blame]5080 "$P_CLI dtls=1 hs_timeout=250-60000" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]5081 0 \
5082 -s "Extra-header:" \
5083 -c "Extra-header:"
5084
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]5085requires_gnutls
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5086client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]5087not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]5088run_test "DTLS proxy: 3d, gnutls server, fragmentation" \
5089 -p "$P_PXY drop=5 delay=5 duplicate=5" \
5090 "$G_SRV -u --mtu 512" \
Manuel Pégourié-Gonnardf1384472014-10-14 22:57:46 +0200[diff] [blame]5091 "$P_CLI dtls=1 hs_timeout=250-60000" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]5092 0 \
5093 -s "Extra-header:" \
5094 -c "Extra-header:"
5095
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]5096requires_gnutls
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5097client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]5098not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]5099run_test "DTLS proxy: 3d, gnutls server, fragmentation, nbio" \
5100 -p "$P_PXY drop=5 delay=5 duplicate=5" \
5101 "$G_SRV -u --mtu 512" \
Manuel Pégourié-Gonnardf1384472014-10-14 22:57:46 +0200[diff] [blame]5102 "$P_CLI dtls=1 hs_timeout=250-60000 nbio=2" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]5103 0 \
5104 -s "Extra-header:" \
5105 -c "Extra-header:"
5106
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]5107# Final report
5108
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]5109echo "------------------------------------------------------------------------"
5110
5111if [ $FAILS = 0 ]; then
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]5112 printf "PASSED"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]5113else
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]5114 printf "FAILED"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]5115fi
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]5116PASSES=$(( $TESTS - $FAILS ))
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]5117echo " ($PASSES / $TESTS tests ($SKIPS skipped))"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]5118
5119exit $FAILS