TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 0b9d913ac6d10cd83b2d0b30f404d6194660b084 / . / tests / ssl-opt.sh
blob: f87a742720d41e3017de98212ea3ef3730a064a6 [file] [log] [blame]
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1#!/bin/sh
2
3# Test various options that are not covered by compat.sh
4#
5# Here the goal is not to cover every ciphersuite/version, but
6# rather specific options (max fragment length, truncated hmac, etc)
7# or procedures (session resumption from cache or ticket, renego, etc).
8#
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]9# Assumes a build with default options.
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]10
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]11set -u
12
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]13# default values, can be overriden by the environment
14: ${P_SRV:=../programs/ssl/ssl_server2}
15: ${P_CLI:=../programs/ssl/ssl_client2}
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]16: ${P_PXY:=../programs/test/udp_proxy}
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]17: ${OPENSSL_CMD:=openssl} # OPENSSL would conflict with the build system
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]18: ${GNUTLS_CLI:=gnutls-cli}
19: ${GNUTLS_SERV:=gnutls-serv}
Gilles Peskine39e29812017-05-16 17:53:03 +0200[diff] [blame]20: ${PERL:=perl}
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]21
Manuel Pégourié-Gonnardfa60f122014-09-26 16:07:29 +0200[diff] [blame]22O_SRV="$OPENSSL_CMD s_server -www -cert data_files/server5.crt -key data_files/server5.key"
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]23O_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_CMD s_client"
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]24G_SRV="$GNUTLS_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]25G_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_CLI --x509cafile data_files/test-ca_cat12.crt"
Gilles Peskine39e29812017-05-16 17:53:03 +0200[diff] [blame]26TCP_CLIENT="$PERL scripts/tcp_client.pl"
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]27
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]28TESTS=0
29FAILS=0
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]30SKIPS=0
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]31
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]32CONFIG_H='../include/mbedtls/config.h'
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]33
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]34MEMCHECK=0
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]35FILTER='.*'
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]36EXCLUDE='^$'
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]37
38print_usage() {
39 echo "Usage: $0 [options]"
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]40 printf " -h|--help\tPrint this help.\n"
41 printf " -m|--memcheck\tCheck memory leaks and errors.\n"
42 printf " -f|--filter\tOnly matching tests are executed (default: '$FILTER')\n"
43 printf " -e|--exclude\tMatching tests are excluded (default: '$EXCLUDE')\n"
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]44}
45
46get_options() {
47 while [ $# -gt 0 ]; do
48 case "$1" in
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]49 -f|--filter)
50 shift; FILTER=$1
51 ;;
52 -e|--exclude)
53 shift; EXCLUDE=$1
54 ;;
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]55 -m|--memcheck)
56 MEMCHECK=1
57 ;;
58 -h|--help)
59 print_usage
60 exit 0
61 ;;
62 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]63 echo "Unknown argument: '$1'"
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]64 print_usage
65 exit 1
66 ;;
67 esac
68 shift
69 done
70}
71
Manuel Pégourié-Gonnard988209f2015-03-24 10:43:55 +0100[diff] [blame]72# skip next test if the flag is not enabled in config.h
73requires_config_enabled() {
74 if grep "^#define $1" $CONFIG_H > /dev/null; then :; else
75 SKIP_NEXT="YES"
76 fi
77}
78
Manuel Pégourié-Gonnard55393662017-06-08 17:51:08 +0200[diff] [blame]79# skip next test if the flag is enabled in config.h
80requires_config_disabled() {
81 if grep "^#define $1" $CONFIG_H > /dev/null; then
82 SKIP_NEXT="YES"
83 fi
84}
85
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]86# skip next test if OpenSSL doesn't support FALLBACK_SCSV
87requires_openssl_with_fallback_scsv() {
88 if [ -z "${OPENSSL_HAS_FBSCSV:-}" ]; then
89 if $OPENSSL_CMD s_client -help 2>&1 | grep fallback_scsv >/dev/null
90 then
91 OPENSSL_HAS_FBSCSV="YES"
92 else
93 OPENSSL_HAS_FBSCSV="NO"
94 fi
95 fi
96 if [ "$OPENSSL_HAS_FBSCSV" = "NO" ]; then
97 SKIP_NEXT="YES"
98 fi
99}
100
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]101# skip next test if GnuTLS isn't available
102requires_gnutls() {
103 if [ -z "${GNUTLS_AVAILABLE:-}" ]; then
Manuel Pégourié-Gonnard03db6b02015-06-26 15:45:30 +0200[diff] [blame]104 if ( which "$GNUTLS_CLI" && which "$GNUTLS_SERV" ) >/dev/null 2>&1; then
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]105 GNUTLS_AVAILABLE="YES"
106 else
107 GNUTLS_AVAILABLE="NO"
108 fi
109 fi
110 if [ "$GNUTLS_AVAILABLE" = "NO" ]; then
111 SKIP_NEXT="YES"
112 fi
113}
114
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]115# skip next test if IPv6 isn't available on this host
116requires_ipv6() {
117 if [ -z "${HAS_IPV6:-}" ]; then
118 $P_SRV server_addr='::1' > $SRV_OUT 2>&1 &
119 SRV_PID=$!
120 sleep 1
121 kill $SRV_PID >/dev/null 2>&1
122 if grep "NET - Binding of the socket failed" $SRV_OUT >/dev/null; then
123 HAS_IPV6="NO"
124 else
125 HAS_IPV6="YES"
126 fi
127 rm -r $SRV_OUT
128 fi
129
130 if [ "$HAS_IPV6" = "NO" ]; then
131 SKIP_NEXT="YES"
132 fi
133}
134
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]135# skip the next test if valgrind is in use
136not_with_valgrind() {
137 if [ "$MEMCHECK" -gt 0 ]; then
138 SKIP_NEXT="YES"
139 fi
140}
141
Paul Bakker3b224ff2016-05-13 10:33:25 +0100[diff] [blame]142# skip the next test if valgrind is NOT in use
143only_with_valgrind() {
144 if [ "$MEMCHECK" -eq 0 ]; then
145 SKIP_NEXT="YES"
146 fi
147}
148
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]149# multiply the client timeout delay by the given factor for the next test
150needs_more_time() {
151 CLI_DELAY_FACTOR=$1
152}
153
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]154# print_name <name>
155print_name() {
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]156 printf "$1 "
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]157 LEN=$(( 72 - `echo "$1" | wc -c` ))
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]158 for i in `seq 1 $LEN`; do printf '.'; done
159 printf ' '
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]160
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]161 TESTS=$(( $TESTS + 1 ))
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]162}
163
164# fail <message>
165fail() {
166 echo "FAIL"
Manuel Pégourié-Gonnard3eec6042014-02-27 15:37:24 +0100[diff] [blame]167 echo " ! $1"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]168
Manuel Pégourié-Gonnardc2b00922014-08-31 16:46:04 +0200[diff] [blame]169 mv $SRV_OUT o-srv-${TESTS}.log
170 mv $CLI_OUT o-cli-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]171 if [ -n "$PXY_CMD" ]; then
172 mv $PXY_OUT o-pxy-${TESTS}.log
173 fi
174 echo " ! outputs saved to o-XXX-${TESTS}.log"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]175
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]176 if [ "X${USER:-}" = Xbuildbot -o "X${LOGNAME:-}" = Xbuildbot ]; then
177 echo " ! server output:"
178 cat o-srv-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]179 echo " ! ========================================================"
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]180 echo " ! client output:"
181 cat o-cli-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]182 if [ -n "$PXY_CMD" ]; then
183 echo " ! ========================================================"
184 echo " ! proxy output:"
185 cat o-pxy-${TESTS}.log
186 fi
187 echo ""
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]188 fi
189
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]190 FAILS=$(( $FAILS + 1 ))
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]191}
192
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]193# is_polar <cmd_line>
194is_polar() {
195 echo "$1" | grep 'ssl_server2\|ssl_client2' > /dev/null
196}
197
Manuel Pégourié-Gonnardfa60f122014-09-26 16:07:29 +0200[diff] [blame]198# openssl s_server doesn't have -www with DTLS
199check_osrv_dtls() {
200 if echo "$SRV_CMD" | grep 's_server.*-dtls' >/dev/null; then
201 NEEDS_INPUT=1
202 SRV_CMD="$( echo $SRV_CMD | sed s/-www// )"
203 else
204 NEEDS_INPUT=0
205 fi
206}
207
208# provide input to commands that need it
209provide_input() {
210 if [ $NEEDS_INPUT -eq 0 ]; then
211 return
212 fi
213
214 while true; do
215 echo "HTTP/1.0 200 OK"
216 sleep 1
217 done
218}
219
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]220# has_mem_err <log_file_name>
221has_mem_err() {
222 if ( grep -F 'All heap blocks were freed -- no leaks are possible' "$1" &&
223 grep -F 'ERROR SUMMARY: 0 errors from 0 contexts' "$1" ) > /dev/null
224 then
225 return 1 # false: does not have errors
226 else
227 return 0 # true: has errors
228 fi
229}
230
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]231# wait for server to start: two versions depending on lsof availability
232wait_server_start() {
Manuel Pégourié-Gonnard03db6b02015-06-26 15:45:30 +0200[diff] [blame]233 if which lsof >/dev/null 2>&1; then
Manuel Pégourié-Gonnard74681fa2015-08-04 20:34:39 +0200[diff] [blame]234 START_TIME=$( date +%s )
235 DONE=0
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]236
237 # make a tight loop, server usually takes less than 1 sec to start
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]238 if [ "$DTLS" -eq 1 ]; then
Manuel Pégourié-Gonnard74681fa2015-08-04 20:34:39 +0200[diff] [blame]239 while [ $DONE -eq 0 ]; do
240 if lsof -nbi UDP:"$SRV_PORT" 2>/dev/null | grep UDP >/dev/null
241 then
242 DONE=1
243 elif [ $(( $( date +%s ) - $START_TIME )) -gt $DOG_DELAY ]; then
244 echo "SERVERSTART TIMEOUT"
245 echo "SERVERSTART TIMEOUT" >> $SRV_OUT
246 DONE=1
247 fi
248 done
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]249 else
Manuel Pégourié-Gonnard74681fa2015-08-04 20:34:39 +0200[diff] [blame]250 while [ $DONE -eq 0 ]; do
251 if lsof -nbi TCP:"$SRV_PORT" 2>/dev/null | grep LISTEN >/dev/null
252 then
253 DONE=1
254 elif [ $(( $( date +%s ) - $START_TIME )) -gt $DOG_DELAY ]; then
255 echo "SERVERSTART TIMEOUT"
256 echo "SERVERSTART TIMEOUT" >> $SRV_OUT
257 DONE=1
258 fi
259 done
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]260 fi
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]261 else
262 sleep "$START_DELAY"
263 fi
264}
265
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]266# wait for client to terminate and set CLI_EXIT
267# must be called right after starting the client
268wait_client_done() {
269 CLI_PID=$!
270
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]271 CLI_DELAY=$(( $DOG_DELAY * $CLI_DELAY_FACTOR ))
272 CLI_DELAY_FACTOR=1
273
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]274 ( sleep $CLI_DELAY; echo "===CLIENT_TIMEOUT===" >> $CLI_OUT; kill $CLI_PID ) &
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]275 DOG_PID=$!
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]276
277 wait $CLI_PID
278 CLI_EXIT=$?
279
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]280 kill $DOG_PID >/dev/null 2>&1
281 wait $DOG_PID
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]282
283 echo "EXIT: $CLI_EXIT" >> $CLI_OUT
284}
285
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]286# check if the given command uses dtls and sets global variable DTLS
287detect_dtls() {
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]288 if echo "$1" | grep 'dtls=1\|-dtls1\|-u' >/dev/null; then
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]289 DTLS=1
290 else
291 DTLS=0
292 fi
293}
294
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]295# Usage: run_test name [-p proxy_cmd] srv_cmd cli_cmd cli_exit [option [...]]
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]296# Options: -s pattern pattern that must be present in server output
297# -c pattern pattern that must be present in client output
Janos Follath6d3e3382016-09-07 15:48:48 +0100[diff] [blame]298# -u pattern lines after pattern must be unique in client output
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]299# -S pattern pattern that must be absent in server output
300# -C pattern pattern that must be absent in client output
Janos Follath6d3e3382016-09-07 15:48:48 +0100[diff] [blame]301# -U pattern lines after pattern must be unique in server output
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]302run_test() {
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]303 NAME="$1"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]304 shift 1
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]305
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]306 if echo "$NAME" | grep "$FILTER" | grep -v "$EXCLUDE" >/dev/null; then :
307 else
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]308 SKIP_NEXT="NO"
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]309 return
310 fi
311
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]312 print_name "$NAME"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]313
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]314 # should we skip?
315 if [ "X$SKIP_NEXT" = "XYES" ]; then
316 SKIP_NEXT="NO"
317 echo "SKIP"
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]318 SKIPS=$(( $SKIPS + 1 ))
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]319 return
320 fi
321
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]322 # does this test use a proxy?
323 if [ "X$1" = "X-p" ]; then
324 PXY_CMD="$2"
325 shift 2
326 else
327 PXY_CMD=""
328 fi
329
330 # get commands and client output
331 SRV_CMD="$1"
332 CLI_CMD="$2"
333 CLI_EXPECT="$3"
334 shift 3
335
336 # fix client port
337 if [ -n "$PXY_CMD" ]; then
338 CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$PXY_PORT/g )
339 else
340 CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$SRV_PORT/g )
341 fi
342
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]343 # update DTLS variable
344 detect_dtls "$SRV_CMD"
345
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]346 # prepend valgrind to our commands if active
347 if [ "$MEMCHECK" -gt 0 ]; then
348 if is_polar "$SRV_CMD"; then
349 SRV_CMD="valgrind --leak-check=full $SRV_CMD"
350 fi
351 if is_polar "$CLI_CMD"; then
352 CLI_CMD="valgrind --leak-check=full $CLI_CMD"
353 fi
354 fi
355
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]356 TIMES_LEFT=2
357 while [ $TIMES_LEFT -gt 0 ]; do
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]358 TIMES_LEFT=$(( $TIMES_LEFT - 1 ))
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]359
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]360 # run the commands
361 if [ -n "$PXY_CMD" ]; then
362 echo "$PXY_CMD" > $PXY_OUT
363 $PXY_CMD >> $PXY_OUT 2>&1 &
364 PXY_PID=$!
365 # assume proxy starts faster than server
366 fi
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]367
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]368 check_osrv_dtls
369 echo "$SRV_CMD" > $SRV_OUT
370 provide_input | $SRV_CMD >> $SRV_OUT 2>&1 &
371 SRV_PID=$!
372 wait_server_start
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]373
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]374 echo "$CLI_CMD" > $CLI_OUT
375 eval "$CLI_CMD" >> $CLI_OUT 2>&1 &
376 wait_client_done
Manuel Pégourié-Gonnarde01af4c2014-03-25 14:16:44 +0100[diff] [blame]377
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]378 # terminate the server (and the proxy)
379 kill $SRV_PID
380 wait $SRV_PID
381 if [ -n "$PXY_CMD" ]; then
382 kill $PXY_PID >/dev/null 2>&1
383 wait $PXY_PID
384 fi
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]385
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]386 # retry only on timeouts
387 if grep '===CLIENT_TIMEOUT===' $CLI_OUT >/dev/null; then
388 printf "RETRY "
389 else
390 TIMES_LEFT=0
391 fi
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]392 done
393
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]394 # check if the client and server went at least to the handshake stage
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]395 # (useful to avoid tests with only negative assertions and non-zero
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]396 # expected client exit to incorrectly succeed in case of catastrophic
397 # failure)
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]398 if is_polar "$SRV_CMD"; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]399 if grep "Performing the SSL/TLS handshake" $SRV_OUT >/dev/null; then :;
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]400 else
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]401 fail "server or client failed to reach handshake stage"
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]402 return
403 fi
404 fi
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]405 if is_polar "$CLI_CMD"; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]406 if grep "Performing the SSL/TLS handshake" $CLI_OUT >/dev/null; then :;
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]407 else
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]408 fail "server or client failed to reach handshake stage"
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]409 return
410 fi
411 fi
412
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]413 # check server exit code
414 if [ $? != 0 ]; then
415 fail "server fail"
416 return
417 fi
418
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]419 # check client exit code
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]420 if [ \( "$CLI_EXPECT" = 0 -a "$CLI_EXIT" != 0 \) -o \
421 \( "$CLI_EXPECT" != 0 -a "$CLI_EXIT" = 0 \) ]
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]422 then
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]423 fail "bad client exit code (expected $CLI_EXPECT, got $CLI_EXIT)"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]424 return
425 fi
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]426
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]427 # check other assertions
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]428 # lines beginning with == are added by valgrind, ignore them
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]429 while [ $# -gt 0 ]
430 do
431 case $1 in
432 "-s")
Janos Follath6d3e3382016-09-07 15:48:48 +0100[diff] [blame]433 if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
434 fail "pattern '$2' MUST be present in the Server output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]435 return
436 fi
437 ;;
438
439 "-c")
Janos Follath6d3e3382016-09-07 15:48:48 +0100[diff] [blame]440 if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
441 fail "pattern '$2' MUST be present in the Client output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]442 return
443 fi
444 ;;
445
446 "-S")
Janos Follath6d3e3382016-09-07 15:48:48 +0100[diff] [blame]447 if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
448 fail "pattern '$2' MUST NOT be present in the Server output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]449 return
450 fi
451 ;;
452
453 "-C")
Janos Follath6d3e3382016-09-07 15:48:48 +0100[diff] [blame]454 if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
455 fail "pattern '$2' MUST NOT be present in the Client output"
456 return
457 fi
458 ;;
459
460 # The filtering in the following two options (-u and -U) do the following
461 # - ignore valgrind output
462 # - filter out everything but lines right after the pattern occurances
463 # - keep one of each non-unique line
464 # - count how many lines remain
465 # A line with '--' will remain in the result from previous outputs, so the number of lines in the result will be 1
466 # if there were no duplicates.
467 "-U")
468 if [ $(grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
469 fail "lines following pattern '$2' must be unique in Server output"
470 return
471 fi
472 ;;
473
474 "-u")
475 if [ $(grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
476 fail "lines following pattern '$2' must be unique in Client output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]477 return
478 fi
479 ;;
480
481 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]482 echo "Unknown test: $1" >&2
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]483 exit 1
484 esac
485 shift 2
486 done
487
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]488 # check valgrind's results
489 if [ "$MEMCHECK" -gt 0 ]; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]490 if is_polar "$SRV_CMD" && has_mem_err $SRV_OUT; then
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]491 fail "Server has memory errors"
492 return
493 fi
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]494 if is_polar "$CLI_CMD" && has_mem_err $CLI_OUT; then
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]495 fail "Client has memory errors"
496 return
497 fi
498 fi
499
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]500 # if we're here, everything is ok
501 echo "PASS"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]502 rm -f $SRV_OUT $CLI_OUT $PXY_OUT
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]503}
504
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]505cleanup() {
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]506 rm -f $CLI_OUT $SRV_OUT $PXY_OUT $SESSION
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]507 test -n "${SRV_PID:-}" && kill $SRV_PID >/dev/null 2>&1
508 test -n "${PXY_PID:-}" && kill $PXY_PID >/dev/null 2>&1
509 test -n "${CLI_PID:-}" && kill $CLI_PID >/dev/null 2>&1
510 test -n "${DOG_PID:-}" && kill $DOG_PID >/dev/null 2>&1
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]511 exit 1
512}
513
Manuel Pégourié-Gonnard9dea8bd2014-02-26 18:21:02 +0100[diff] [blame]514#
515# MAIN
516#
517
Manuel Pégourié-Gonnard19db8ea2015-03-10 13:41:04 +0000[diff] [blame]518if cd $( dirname $0 ); then :; else
519 echo "cd $( dirname $0 ) failed" >&2
520 exit 1
521fi
522
Manuel Pégourié-Gonnard913030c2014-03-28 10:12:38 +0100[diff] [blame]523get_options "$@"
524
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]525# sanity checks, avoid an avalanche of errors
526if [ ! -x "$P_SRV" ]; then
527 echo "Command '$P_SRV' is not an executable file"
528 exit 1
529fi
530if [ ! -x "$P_CLI" ]; then
531 echo "Command '$P_CLI' is not an executable file"
532 exit 1
533fi
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]534if [ ! -x "$P_PXY" ]; then
535 echo "Command '$P_PXY' is not an executable file"
536 exit 1
537fi
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]538if which $OPENSSL_CMD >/dev/null 2>&1; then :; else
539 echo "Command '$OPENSSL_CMD' not found"
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]540 exit 1
541fi
542
Manuel Pégourié-Gonnard32f8f4d2014-05-29 11:31:20 +0200[diff] [blame]543# used by watchdog
544MAIN_PID="$$"
545
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]546# be more patient with valgrind
547if [ "$MEMCHECK" -gt 0 ]; then
548 START_DELAY=3
549 DOG_DELAY=30
550else
551 START_DELAY=1
552 DOG_DELAY=10
553fi
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]554CLI_DELAY_FACTOR=1
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]555
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]556# Pick a "unique" server port in the range 10000-19999, and a proxy port
557PORT_BASE="0000$$"
Manuel Pégourié-Gonnard3a173f42015-01-22 13:30:33 +0000[diff] [blame]558PORT_BASE="$( printf $PORT_BASE | tail -c 4 )"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]559SRV_PORT="1$PORT_BASE"
560PXY_PORT="2$PORT_BASE"
561unset PORT_BASE
Manuel Pégourié-Gonnard8066b812014-05-28 22:59:30 +0200[diff] [blame]562
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]563# fix commands to use this port, force IPv4 while at it
Manuel Pégourié-Gonnard0af1ba32015-01-21 11:44:33 +0000[diff] [blame]564# +SRV_PORT will be replaced by either $SRV_PORT or $PXY_PORT later
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]565P_SRV="$P_SRV server_addr=127.0.0.1 server_port=$SRV_PORT"
566P_CLI="$P_CLI server_addr=127.0.0.1 server_port=+SRV_PORT"
567P_PXY="$P_PXY server_addr=127.0.0.1 server_port=$SRV_PORT listen_addr=127.0.0.1 listen_port=$PXY_PORT"
Manuel Pégourié-Gonnard61957672015-06-18 17:54:58 +0200[diff] [blame]568O_SRV="$O_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]569O_CLI="$O_CLI -connect localhost:+SRV_PORT"
570G_SRV="$G_SRV -p $SRV_PORT"
Manuel Pégourié-Gonnard0af1ba32015-01-21 11:44:33 +0000[diff] [blame]571G_CLI="$G_CLI -p +SRV_PORT localhost"
Manuel Pégourié-Gonnard8066b812014-05-28 22:59:30 +0200[diff] [blame]572
Gilles Peskine35db5ba2017-05-10 10:13:59 +0200[diff] [blame]573# Allow SHA-1, because many of our test certificates use it
574P_SRV="$P_SRV allow_sha1=1"
575P_CLI="$P_CLI allow_sha1=1"
576
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]577# Also pick a unique name for intermediate files
578SRV_OUT="srv_out.$$"
579CLI_OUT="cli_out.$$"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]580PXY_OUT="pxy_out.$$"
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]581SESSION="session.$$"
582
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]583SKIP_NEXT="NO"
584
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]585trap cleanup INT TERM HUP
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]586
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]587# Basic test
588
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]589# Checks that:
590# - things work with all ciphersuites active (used with config-full in all.sh)
591# - the expected (highest security) parameters are selected
592# ("signature_algorithm ext: 6" means SHA-512 (highest common hash))
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]593run_test "Default" \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]594 "$P_SRV debug_level=3" \
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]595 "$P_CLI" \
596 0 \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]597 -s "Protocol is TLSv1.2" \
598 -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
599 -s "client hello v3, signature_algorithm ext: 6" \
600 -s "ECDHE curve: secp521r1" \
601 -S "error" \
602 -C "error"
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]603
Manuel Pégourié-Gonnard3bb08012015-01-22 13:34:21 +0000[diff] [blame]604run_test "Default, DTLS" \
605 "$P_SRV dtls=1" \
606 "$P_CLI dtls=1" \
607 0 \
608 -s "Protocol is DTLSv1.2" \
609 -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"
610
Janos Follath6d3e3382016-09-07 15:48:48 +0100[diff] [blame]611# Test for uniqueness of IVs in AEAD ciphersuites
612run_test "Unique IV in GCM" \
613 "$P_SRV exchanges=20 debug_level=4" \
614 "$P_CLI exchanges=20 debug_level=4 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
615 0 \
616 -u "IV used" \
617 -U "IV used"
618
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]619# Tests for rc4 option
620
Simon Butcher6eb066e2016-05-19 22:12:18 +0100[diff] [blame]621requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]622run_test "RC4: server disabled, client enabled" \
623 "$P_SRV" \
624 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
625 1 \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]626 -s "SSL - The server has no ciphersuites in common"
627
Simon Butcher6eb066e2016-05-19 22:12:18 +0100[diff] [blame]628requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]629run_test "RC4: server half, client enabled" \
630 "$P_SRV arc4=1" \
631 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
632 1 \
633 -s "SSL - The server has no ciphersuites in common"
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]634
635run_test "RC4: server enabled, client disabled" \
636 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
637 "$P_CLI" \
638 1 \
639 -s "SSL - The server has no ciphersuites in common"
640
641run_test "RC4: both enabled" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]642 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]643 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
644 0 \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]645 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]646 -S "SSL - The server has no ciphersuites in common"
647
Gilles Peskineae765992017-05-09 15:59:24 +0200[diff] [blame]648# Tests for SHA-1 support
649
Manuel Pégourié-Gonnard55393662017-06-08 17:51:08 +0200[diff] [blame]650requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
Gilles Peskineae765992017-05-09 15:59:24 +0200[diff] [blame]651run_test "SHA-1 forbidden by default in server certificate" \
652 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
653 "$P_CLI debug_level=2 allow_sha1=0" \
654 1 \
655 -c "The certificate is signed with an unacceptable hash"
656
Manuel Pégourié-Gonnard55393662017-06-08 17:51:08 +0200[diff] [blame]657requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
658run_test "SHA-1 forbidden by default in server certificate" \
659 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
660 "$P_CLI debug_level=2 allow_sha1=0" \
661 0
662
Gilles Peskineae765992017-05-09 15:59:24 +0200[diff] [blame]663run_test "SHA-1 explicitly allowed in server certificate" \
664 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
665 "$P_CLI allow_sha1=1" \
666 0
667
668run_test "SHA-256 allowed by default in server certificate" \
669 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2-sha256.crt" \
670 "$P_CLI allow_sha1=0" \
671 0
672
Manuel Pégourié-Gonnard55393662017-06-08 17:51:08 +0200[diff] [blame]673requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
Gilles Peskineae765992017-05-09 15:59:24 +0200[diff] [blame]674run_test "SHA-1 forbidden by default in client certificate" \
675 "$P_SRV auth_mode=required allow_sha1=0" \
676 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
677 1 \
678 -s "The certificate is signed with an unacceptable hash"
679
Manuel Pégourié-Gonnard55393662017-06-08 17:51:08 +0200[diff] [blame]680requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
681run_test "SHA-1 forbidden by default in client certificate" \
682 "$P_SRV auth_mode=required allow_sha1=0" \
683 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
684 0
685
Gilles Peskineae765992017-05-09 15:59:24 +0200[diff] [blame]686run_test "SHA-1 explicitly allowed in client certificate" \
687 "$P_SRV auth_mode=required allow_sha1=1" \
688 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
689 0
690
691run_test "SHA-256 allowed by default in client certificate" \
692 "$P_SRV auth_mode=required allow_sha1=0" \
693 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha256.crt" \
694 0
695
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]696# Tests for Truncated HMAC extension
697
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]698run_test "Truncated HMAC: client default, server default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]699 "$P_SRV debug_level=4" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]700 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]701 0 \
Hanno Beckerce516ff2017-11-09 18:57:39 +0000[diff] [blame]702 -s "dumping 'expected mac' (20 bytes)" \
703 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]704
Hanno Beckera83fafa2017-11-10 08:42:54 +0000[diff] [blame]705requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]706run_test "Truncated HMAC: client disabled, server default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]707 "$P_SRV debug_level=4" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]708 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
709 trunc_hmac=0" \
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]710 0 \
Hanno Beckerce516ff2017-11-09 18:57:39 +0000[diff] [blame]711 -s "dumping 'expected mac' (20 bytes)" \
712 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]713
Hanno Beckera83fafa2017-11-10 08:42:54 +0000[diff] [blame]714requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]715run_test "Truncated HMAC: client enabled, server default" \
716 "$P_SRV debug_level=4" \
717 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
718 trunc_hmac=1" \
719 0 \
Hanno Beckerce516ff2017-11-09 18:57:39 +0000[diff] [blame]720 -s "dumping 'expected mac' (20 bytes)" \
721 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]722
Hanno Beckera83fafa2017-11-10 08:42:54 +0000[diff] [blame]723requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]724run_test "Truncated HMAC: client enabled, server disabled" \
725 "$P_SRV debug_level=4 trunc_hmac=0" \
726 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
727 trunc_hmac=1" \
728 0 \
Hanno Beckerce516ff2017-11-09 18:57:39 +0000[diff] [blame]729 -s "dumping 'expected mac' (20 bytes)" \
730 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]731
Hanno Beckera83fafa2017-11-10 08:42:54 +0000[diff] [blame]732requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]733run_test "Truncated HMAC: client enabled, server enabled" \
734 "$P_SRV debug_level=4 trunc_hmac=1" \
735 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
736 trunc_hmac=1" \
737 0 \
Hanno Beckerce516ff2017-11-09 18:57:39 +0000[diff] [blame]738 -S "dumping 'expected mac' (20 bytes)" \
739 -s "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]740
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]741# Tests for Encrypt-then-MAC extension
742
743run_test "Encrypt then MAC: default" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]744 "$P_SRV debug_level=3 \
745 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]746 "$P_CLI debug_level=3" \
747 0 \
748 -c "client hello, adding encrypt_then_mac extension" \
749 -s "found encrypt then mac extension" \
750 -s "server hello, adding encrypt then mac extension" \
751 -c "found encrypt_then_mac extension" \
752 -c "using encrypt then mac" \
753 -s "using encrypt then mac"
754
755run_test "Encrypt then MAC: client enabled, server disabled" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]756 "$P_SRV debug_level=3 etm=0 \
757 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]758 "$P_CLI debug_level=3 etm=1" \
759 0 \
760 -c "client hello, adding encrypt_then_mac extension" \
761 -s "found encrypt then mac extension" \
762 -S "server hello, adding encrypt then mac extension" \
763 -C "found encrypt_then_mac extension" \
764 -C "using encrypt then mac" \
765 -S "using encrypt then mac"
766
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]767run_test "Encrypt then MAC: client enabled, aead cipher" \
768 "$P_SRV debug_level=3 etm=1 \
769 force_ciphersuite=TLS-RSA-WITH-AES-128-GCM-SHA256" \
770 "$P_CLI debug_level=3 etm=1" \
771 0 \
772 -c "client hello, adding encrypt_then_mac extension" \
773 -s "found encrypt then mac extension" \
774 -S "server hello, adding encrypt then mac extension" \
775 -C "found encrypt_then_mac extension" \
776 -C "using encrypt then mac" \
777 -S "using encrypt then mac"
778
779run_test "Encrypt then MAC: client enabled, stream cipher" \
780 "$P_SRV debug_level=3 etm=1 \
781 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]782 "$P_CLI debug_level=3 etm=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]783 0 \
784 -c "client hello, adding encrypt_then_mac extension" \
785 -s "found encrypt then mac extension" \
786 -S "server hello, adding encrypt then mac extension" \
787 -C "found encrypt_then_mac extension" \
788 -C "using encrypt then mac" \
789 -S "using encrypt then mac"
790
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]791run_test "Encrypt then MAC: client disabled, server enabled" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]792 "$P_SRV debug_level=3 etm=1 \
793 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]794 "$P_CLI debug_level=3 etm=0" \
795 0 \
796 -C "client hello, adding encrypt_then_mac extension" \
797 -S "found encrypt then mac extension" \
798 -S "server hello, adding encrypt then mac extension" \
799 -C "found encrypt_then_mac extension" \
800 -C "using encrypt then mac" \
801 -S "using encrypt then mac"
802
Janos Follath542ee5d2016-03-07 15:57:05 +0000[diff] [blame]803requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]804run_test "Encrypt then MAC: client SSLv3, server enabled" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]805 "$P_SRV debug_level=3 min_version=ssl3 \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]806 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]807 "$P_CLI debug_level=3 force_version=ssl3" \
808 0 \
809 -C "client hello, adding encrypt_then_mac extension" \
810 -S "found encrypt then mac extension" \
811 -S "server hello, adding encrypt then mac extension" \
812 -C "found encrypt_then_mac extension" \
813 -C "using encrypt then mac" \
814 -S "using encrypt then mac"
815
Janos Follath542ee5d2016-03-07 15:57:05 +0000[diff] [blame]816requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]817run_test "Encrypt then MAC: client enabled, server SSLv3" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]818 "$P_SRV debug_level=3 force_version=ssl3 \
819 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]820 "$P_CLI debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]821 0 \
822 -c "client hello, adding encrypt_then_mac extension" \
Janos Follathb700c462016-05-06 13:48:23 +0100[diff] [blame]823 -S "found encrypt then mac extension" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]824 -S "server hello, adding encrypt then mac extension" \
825 -C "found encrypt_then_mac extension" \
826 -C "using encrypt then mac" \
827 -S "using encrypt then mac"
828
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]829# Tests for Extended Master Secret extension
830
831run_test "Extended Master Secret: default" \
832 "$P_SRV debug_level=3" \
833 "$P_CLI debug_level=3" \
834 0 \
835 -c "client hello, adding extended_master_secret extension" \
836 -s "found extended master secret extension" \
837 -s "server hello, adding extended master secret extension" \
838 -c "found extended_master_secret extension" \
839 -c "using extended master secret" \
840 -s "using extended master secret"
841
842run_test "Extended Master Secret: client enabled, server disabled" \
843 "$P_SRV debug_level=3 extended_ms=0" \
844 "$P_CLI debug_level=3 extended_ms=1" \
845 0 \
846 -c "client hello, adding extended_master_secret extension" \
847 -s "found extended master secret extension" \
848 -S "server hello, adding extended master secret extension" \
849 -C "found extended_master_secret extension" \
850 -C "using extended master secret" \
851 -S "using extended master secret"
852
853run_test "Extended Master Secret: client disabled, server enabled" \
854 "$P_SRV debug_level=3 extended_ms=1" \
855 "$P_CLI debug_level=3 extended_ms=0" \
856 0 \
857 -C "client hello, adding extended_master_secret extension" \
858 -S "found extended master secret extension" \
859 -S "server hello, adding extended master secret extension" \
860 -C "found extended_master_secret extension" \
861 -C "using extended master secret" \
862 -S "using extended master secret"
863
Janos Follath542ee5d2016-03-07 15:57:05 +0000[diff] [blame]864requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]865run_test "Extended Master Secret: client SSLv3, server enabled" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]866 "$P_SRV debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]867 "$P_CLI debug_level=3 force_version=ssl3" \
868 0 \
869 -C "client hello, adding extended_master_secret extension" \
870 -S "found extended master secret extension" \
871 -S "server hello, adding extended master secret extension" \
872 -C "found extended_master_secret extension" \
873 -C "using extended master secret" \
874 -S "using extended master secret"
875
Janos Follath542ee5d2016-03-07 15:57:05 +0000[diff] [blame]876requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]877run_test "Extended Master Secret: client enabled, server SSLv3" \
878 "$P_SRV debug_level=3 force_version=ssl3" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]879 "$P_CLI debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]880 0 \
881 -c "client hello, adding extended_master_secret extension" \
Janos Follathb700c462016-05-06 13:48:23 +0100[diff] [blame]882 -S "found extended master secret extension" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]883 -S "server hello, adding extended master secret extension" \
884 -C "found extended_master_secret extension" \
885 -C "using extended master secret" \
886 -S "using extended master secret"
887
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]888# Tests for FALLBACK_SCSV
889
890run_test "Fallback SCSV: default" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]891 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]892 "$P_CLI debug_level=3 force_version=tls1_1" \
893 0 \
894 -C "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]895 -S "received FALLBACK_SCSV" \
896 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]897 -C "is a fatal alert message (msg 86)"
898
899run_test "Fallback SCSV: explicitly disabled" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]900 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]901 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
902 0 \
903 -C "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]904 -S "received FALLBACK_SCSV" \
905 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]906 -C "is a fatal alert message (msg 86)"
907
908run_test "Fallback SCSV: enabled" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]909 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]910 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]911 1 \
912 -c "adding FALLBACK_SCSV" \
913 -s "received FALLBACK_SCSV" \
914 -s "inapropriate fallback" \
915 -c "is a fatal alert message (msg 86)"
916
917run_test "Fallback SCSV: enabled, max version" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]918 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]919 "$P_CLI debug_level=3 fallback=1" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]920 0 \
921 -c "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]922 -s "received FALLBACK_SCSV" \
923 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]924 -C "is a fatal alert message (msg 86)"
925
926requires_openssl_with_fallback_scsv
927run_test "Fallback SCSV: default, openssl server" \
928 "$O_SRV" \
929 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
930 0 \
931 -C "adding FALLBACK_SCSV" \
932 -C "is a fatal alert message (msg 86)"
933
934requires_openssl_with_fallback_scsv
935run_test "Fallback SCSV: enabled, openssl server" \
936 "$O_SRV" \
937 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
938 1 \
939 -c "adding FALLBACK_SCSV" \
940 -c "is a fatal alert message (msg 86)"
941
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]942requires_openssl_with_fallback_scsv
943run_test "Fallback SCSV: disabled, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]944 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]945 "$O_CLI -tls1_1" \
946 0 \
947 -S "received FALLBACK_SCSV" \
948 -S "inapropriate fallback"
949
950requires_openssl_with_fallback_scsv
951run_test "Fallback SCSV: enabled, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]952 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]953 "$O_CLI -tls1_1 -fallback_scsv" \
954 1 \
955 -s "received FALLBACK_SCSV" \
956 -s "inapropriate fallback"
957
958requires_openssl_with_fallback_scsv
959run_test "Fallback SCSV: enabled, max version, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]960 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]961 "$O_CLI -fallback_scsv" \
962 0 \
963 -s "received FALLBACK_SCSV" \
964 -S "inapropriate fallback"
965
Gilles Peskine39e29812017-05-16 17:53:03 +0200[diff] [blame]966## ClientHello generated with
967## "openssl s_client -CAfile tests/data_files/test-ca.crt -tls1_1 -connect localhost:4433 -cipher ..."
968## then manually twiddling the ciphersuite list.
969## The ClientHello content is spelled out below as a hex string as
970## "prefix ciphersuite1 ciphersuite2 ciphersuite3 ciphersuite4 suffix".
971## The expected response is an inappropriate_fallback alert.
972requires_openssl_with_fallback_scsv
973run_test "Fallback SCSV: beginning of list" \
974 "$P_SRV debug_level=2" \
975 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 5600 0031 0032 0033 0100000900230000000f000101' '15030200020256'" \
976 0 \
977 -s "received FALLBACK_SCSV" \
978 -s "inapropriate fallback"
979
980requires_openssl_with_fallback_scsv
981run_test "Fallback SCSV: end of list" \
982 "$P_SRV debug_level=2" \
983 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0031 0032 0033 5600 0100000900230000000f000101' '15030200020256'" \
984 0 \
985 -s "received FALLBACK_SCSV" \
986 -s "inapropriate fallback"
987
988## Here the expected response is a valid ServerHello prefix, up to the random.
989requires_openssl_with_fallback_scsv
990run_test "Fallback SCSV: not in list" \
991 "$P_SRV debug_level=2" \
992 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0056 0031 0032 0033 0100000900230000000f000101' '16030200300200002c0302'" \
993 0 \
994 -S "received FALLBACK_SCSV" \
995 -S "inapropriate fallback"
996
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]997# Tests for CBC 1/n-1 record splitting
998
999run_test "CBC Record splitting: TLS 1.2, no splitting" \
1000 "$P_SRV" \
1001 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1002 request_size=123 force_version=tls1_2" \
1003 0 \
1004 -s "Read from client: 123 bytes read" \
1005 -S "Read from client: 1 bytes read" \
1006 -S "122 bytes read"
1007
1008run_test "CBC Record splitting: TLS 1.1, no splitting" \
1009 "$P_SRV" \
1010 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1011 request_size=123 force_version=tls1_1" \
1012 0 \
1013 -s "Read from client: 123 bytes read" \
1014 -S "Read from client: 1 bytes read" \
1015 -S "122 bytes read"
1016
1017run_test "CBC Record splitting: TLS 1.0, splitting" \
1018 "$P_SRV" \
1019 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1020 request_size=123 force_version=tls1" \
1021 0 \
1022 -S "Read from client: 123 bytes read" \
1023 -s "Read from client: 1 bytes read" \
1024 -s "122 bytes read"
1025
Janos Follath542ee5d2016-03-07 15:57:05 +0000[diff] [blame]1026requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]1027run_test "CBC Record splitting: SSLv3, splitting" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]1028 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]1029 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1030 request_size=123 force_version=ssl3" \
1031 0 \
1032 -S "Read from client: 123 bytes read" \
1033 -s "Read from client: 1 bytes read" \
1034 -s "122 bytes read"
1035
1036run_test "CBC Record splitting: TLS 1.0 RC4, no splitting" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]1037 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]1038 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
1039 request_size=123 force_version=tls1" \
1040 0 \
1041 -s "Read from client: 123 bytes read" \
1042 -S "Read from client: 1 bytes read" \
1043 -S "122 bytes read"
1044
1045run_test "CBC Record splitting: TLS 1.0, splitting disabled" \
1046 "$P_SRV" \
1047 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1048 request_size=123 force_version=tls1 recsplit=0" \
1049 0 \
1050 -s "Read from client: 123 bytes read" \
1051 -S "Read from client: 1 bytes read" \
1052 -S "122 bytes read"
1053
Manuel Pégourié-Gonnarda852cf42015-01-13 20:56:15 +0100[diff] [blame]1054run_test "CBC Record splitting: TLS 1.0, splitting, nbio" \
1055 "$P_SRV nbio=2" \
1056 "$P_CLI nbio=2 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1057 request_size=123 force_version=tls1" \
1058 0 \
1059 -S "Read from client: 123 bytes read" \
1060 -s "Read from client: 1 bytes read" \
1061 -s "122 bytes read"
1062
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1063# Tests for Session Tickets
1064
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1065run_test "Session resume using tickets: basic" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1066 "$P_SRV debug_level=3 tickets=1" \
1067 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1068 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1069 -c "client hello, adding session ticket extension" \
1070 -s "found session ticket extension" \
1071 -s "server hello, adding session ticket extension" \
1072 -c "found session_ticket extension" \
1073 -c "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1074 -S "session successfully restored from cache" \
1075 -s "session successfully restored from ticket" \
1076 -s "a session has been resumed" \
1077 -c "a session has been resumed"
1078
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1079run_test "Session resume using tickets: cache disabled" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1080 "$P_SRV debug_level=3 tickets=1 cache_max=0" \
1081 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +0100[diff] [blame]1082 0 \
1083 -c "client hello, adding session ticket extension" \
1084 -s "found session ticket extension" \
1085 -s "server hello, adding session ticket extension" \
1086 -c "found session_ticket extension" \
1087 -c "parse new session ticket" \
1088 -S "session successfully restored from cache" \
1089 -s "session successfully restored from ticket" \
1090 -s "a session has been resumed" \
1091 -c "a session has been resumed"
1092
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1093run_test "Session resume using tickets: timeout" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1094 "$P_SRV debug_level=3 tickets=1 cache_max=0 ticket_timeout=1" \
1095 "$P_CLI debug_level=3 tickets=1 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +0100[diff] [blame]1096 0 \
1097 -c "client hello, adding session ticket extension" \
1098 -s "found session ticket extension" \
1099 -s "server hello, adding session ticket extension" \
1100 -c "found session_ticket extension" \
1101 -c "parse new session ticket" \
1102 -S "session successfully restored from cache" \
1103 -S "session successfully restored from ticket" \
1104 -S "a session has been resumed" \
1105 -C "a session has been resumed"
1106
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1107run_test "Session resume using tickets: openssl server" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1108 "$O_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1109 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]1110 0 \
1111 -c "client hello, adding session ticket extension" \
1112 -c "found session_ticket extension" \
1113 -c "parse new session ticket" \
1114 -c "a session has been resumed"
1115
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1116run_test "Session resume using tickets: openssl client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1117 "$P_SRV debug_level=3 tickets=1" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1118 "( $O_CLI -sess_out $SESSION; \
1119 $O_CLI -sess_in $SESSION; \
1120 rm -f $SESSION )" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]1121 0 \
1122 -s "found session ticket extension" \
1123 -s "server hello, adding session ticket extension" \
1124 -S "session successfully restored from cache" \
1125 -s "session successfully restored from ticket" \
1126 -s "a session has been resumed"
1127
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1128# Tests for Session Resume based on session-ID and cache
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1129
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1130run_test "Session resume using cache: tickets enabled on client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1131 "$P_SRV debug_level=3 tickets=0" \
1132 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1133 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1134 -c "client hello, adding session ticket extension" \
1135 -s "found session ticket extension" \
1136 -S "server hello, adding session ticket extension" \
1137 -C "found session_ticket extension" \
1138 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1139 -s "session successfully restored from cache" \
1140 -S "session successfully restored from ticket" \
1141 -s "a session has been resumed" \
1142 -c "a session has been resumed"
1143
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1144run_test "Session resume using cache: tickets enabled on server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1145 "$P_SRV debug_level=3 tickets=1" \
1146 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1147 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1148 -C "client hello, adding session ticket extension" \
1149 -S "found session ticket extension" \
1150 -S "server hello, adding session ticket extension" \
1151 -C "found session_ticket extension" \
1152 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1153 -s "session successfully restored from cache" \
1154 -S "session successfully restored from ticket" \
1155 -s "a session has been resumed" \
1156 -c "a session has been resumed"
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1157
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1158run_test "Session resume using cache: cache_max=0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1159 "$P_SRV debug_level=3 tickets=0 cache_max=0" \
1160 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]1161 0 \
1162 -S "session successfully restored from cache" \
1163 -S "session successfully restored from ticket" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1164 -S "a session has been resumed" \
1165 -C "a session has been resumed"
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]1166
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1167run_test "Session resume using cache: cache_max=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1168 "$P_SRV debug_level=3 tickets=0 cache_max=1" \
1169 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1170 0 \
1171 -s "session successfully restored from cache" \
1172 -S "session successfully restored from ticket" \
1173 -s "a session has been resumed" \
1174 -c "a session has been resumed"
1175
Manuel Pégourié-Gonnard6df31962015-05-04 10:55:47 +0200[diff] [blame]1176run_test "Session resume using cache: timeout > delay" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1177 "$P_SRV debug_level=3 tickets=0" \
1178 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=0" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1179 0 \
1180 -s "session successfully restored from cache" \
1181 -S "session successfully restored from ticket" \
1182 -s "a session has been resumed" \
1183 -c "a session has been resumed"
1184
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1185run_test "Session resume using cache: timeout < delay" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1186 "$P_SRV debug_level=3 tickets=0 cache_timeout=1" \
1187 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1188 0 \
1189 -S "session successfully restored from cache" \
1190 -S "session successfully restored from ticket" \
1191 -S "a session has been resumed" \
1192 -C "a session has been resumed"
1193
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1194run_test "Session resume using cache: no timeout" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1195 "$P_SRV debug_level=3 tickets=0 cache_timeout=0" \
1196 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]1197 0 \
1198 -s "session successfully restored from cache" \
1199 -S "session successfully restored from ticket" \
1200 -s "a session has been resumed" \
1201 -c "a session has been resumed"
1202
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1203run_test "Session resume using cache: openssl client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1204 "$P_SRV debug_level=3 tickets=0" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1205 "( $O_CLI -sess_out $SESSION; \
1206 $O_CLI -sess_in $SESSION; \
1207 rm -f $SESSION )" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]1208 0 \
1209 -s "found session ticket extension" \
1210 -S "server hello, adding session ticket extension" \
1211 -s "session successfully restored from cache" \
1212 -S "session successfully restored from ticket" \
1213 -s "a session has been resumed"
1214
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1215run_test "Session resume using cache: openssl server" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1216 "$O_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1217 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]1218 0 \
1219 -C "found session_ticket extension" \
1220 -C "parse new session ticket" \
1221 -c "a session has been resumed"
1222
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1223# Tests for Max Fragment Length extension
1224
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1225run_test "Max fragment length: not used, reference" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1226 "$P_SRV debug_level=3" \
1227 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1228 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1229 -c "Maximum fragment length is 16384" \
1230 -s "Maximum fragment length is 16384" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1231 -C "client hello, adding max_fragment_length extension" \
1232 -S "found max fragment length extension" \
1233 -S "server hello, max_fragment_length extension" \
1234 -C "found max_fragment_length extension"
1235
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1236run_test "Max fragment length: used by client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1237 "$P_SRV debug_level=3" \
1238 "$P_CLI debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1239 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1240 -c "Maximum fragment length is 4096" \
1241 -s "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1242 -c "client hello, adding max_fragment_length extension" \
1243 -s "found max fragment length extension" \
1244 -s "server hello, max_fragment_length extension" \
1245 -c "found max_fragment_length extension"
1246
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1247run_test "Max fragment length: used by server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1248 "$P_SRV debug_level=3 max_frag_len=4096" \
1249 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1250 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1251 -c "Maximum fragment length is 16384" \
1252 -s "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1253 -C "client hello, adding max_fragment_length extension" \
1254 -S "found max fragment length extension" \
1255 -S "server hello, max_fragment_length extension" \
1256 -C "found max_fragment_length extension"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1257
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1258requires_gnutls
1259run_test "Max fragment length: gnutls server" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]1260 "$G_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1261 "$P_CLI debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]1262 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1263 -c "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]1264 -c "client hello, adding max_fragment_length extension" \
1265 -c "found max_fragment_length extension"
1266
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1267run_test "Max fragment length: client, message just fits" \
1268 "$P_SRV debug_level=3" \
1269 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2048" \
1270 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1271 -c "Maximum fragment length is 2048" \
1272 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1273 -c "client hello, adding max_fragment_length extension" \
1274 -s "found max fragment length extension" \
1275 -s "server hello, max_fragment_length extension" \
1276 -c "found max_fragment_length extension" \
1277 -c "2048 bytes written in 1 fragments" \
1278 -s "2048 bytes read"
1279
1280run_test "Max fragment length: client, larger message" \
1281 "$P_SRV debug_level=3" \
1282 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2345" \
1283 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1284 -c "Maximum fragment length is 2048" \
1285 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1286 -c "client hello, adding max_fragment_length extension" \
1287 -s "found max fragment length extension" \
1288 -s "server hello, max_fragment_length extension" \
1289 -c "found max_fragment_length extension" \
1290 -c "2345 bytes written in 2 fragments" \
1291 -s "2048 bytes read" \
1292 -s "297 bytes read"
1293
Manuel Pégourié-Gonnard23eb74d2015-01-21 14:37:13 +0000[diff] [blame]1294run_test "Max fragment length: DTLS client, larger message" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1295 "$P_SRV debug_level=3 dtls=1" \
1296 "$P_CLI debug_level=3 dtls=1 max_frag_len=2048 request_size=2345" \
1297 1 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1298 -c "Maximum fragment length is 2048" \
1299 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1300 -c "client hello, adding max_fragment_length extension" \
1301 -s "found max fragment length extension" \
1302 -s "server hello, max_fragment_length extension" \
1303 -c "found max_fragment_length extension" \
1304 -c "fragment larger than.*maximum"
1305
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1306# Tests for renegotiation
1307
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1308run_test "Renegotiation: none, for reference" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1309 "$P_SRV debug_level=3 exchanges=2 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1310 "$P_CLI debug_level=3 exchanges=2" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1311 0 \
1312 -C "client hello, adding renegotiation extension" \
1313 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1314 -S "found renegotiation extension" \
1315 -s "server hello, secure renegotiation extension" \
1316 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1317 -C "=> renegotiate" \
1318 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1319 -S "write hello request"
1320
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1321run_test "Renegotiation: client-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1322 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1323 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1324 0 \
1325 -c "client hello, adding renegotiation extension" \
1326 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1327 -s "found renegotiation extension" \
1328 -s "server hello, secure renegotiation extension" \
1329 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1330 -c "=> renegotiate" \
1331 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1332 -S "write hello request"
1333
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1334run_test "Renegotiation: server-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1335 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1336 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1337 0 \
1338 -c "client hello, adding renegotiation extension" \
1339 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1340 -s "found renegotiation extension" \
1341 -s "server hello, secure renegotiation extension" \
1342 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1343 -c "=> renegotiate" \
1344 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1345 -s "write hello request"
1346
Janos Follath5f1dd802017-10-05 12:29:42 +0100[diff] [blame]1347# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that
1348# the server did not parse the Signature Algorithm extension. This test is valid only if an MD
1349# algorithm stronger than SHA-1 is enabled in config.h
1350run_test "Renegotiation: Signature Algorithms parsing, client-initiated" \
1351 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
1352 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
1353 0 \
1354 -c "client hello, adding renegotiation extension" \
1355 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1356 -s "found renegotiation extension" \
1357 -s "server hello, secure renegotiation extension" \
1358 -c "found renegotiation extension" \
1359 -c "=> renegotiate" \
1360 -s "=> renegotiate" \
1361 -S "write hello request" \
1362 -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?
1363
1364# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that
1365# the server did not parse the Signature Algorithm extension. This test is valid only if an MD
1366# algorithm stronger than SHA-1 is enabled in config.h
1367run_test "Renegotiation: Signature Algorithms parsing, server-initiated" \
1368 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
1369 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
1370 0 \
1371 -c "client hello, adding renegotiation extension" \
1372 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1373 -s "found renegotiation extension" \
1374 -s "server hello, secure renegotiation extension" \
1375 -c "found renegotiation extension" \
1376 -c "=> renegotiate" \
1377 -s "=> renegotiate" \
1378 -s "write hello request" \
1379 -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?
1380
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1381run_test "Renegotiation: double" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1382 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1383 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1384 0 \
1385 -c "client hello, adding renegotiation extension" \
1386 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1387 -s "found renegotiation extension" \
1388 -s "server hello, secure renegotiation extension" \
1389 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1390 -c "=> renegotiate" \
1391 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1392 -s "write hello request"
1393
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1394run_test "Renegotiation: client-initiated, server-rejected" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1395 "$P_SRV debug_level=3 exchanges=2 renegotiation=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1396 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1397 1 \
1398 -c "client hello, adding renegotiation extension" \
1399 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1400 -S "found renegotiation extension" \
1401 -s "server hello, secure renegotiation extension" \
1402 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1403 -c "=> renegotiate" \
1404 -S "=> renegotiate" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1405 -S "write hello request" \
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]1406 -c "SSL - Unexpected message at ServerHello in renegotiation" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1407 -c "failed"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1408
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1409run_test "Renegotiation: server-initiated, client-rejected, default" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1410 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1411 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1412 0 \
1413 -C "client hello, adding renegotiation extension" \
1414 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1415 -S "found renegotiation extension" \
1416 -s "server hello, secure renegotiation extension" \
1417 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1418 -C "=> renegotiate" \
1419 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1420 -s "write hello request" \
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +0200[diff] [blame]1421 -S "SSL - An unexpected message was received from our peer" \
1422 -S "failed"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]1423
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1424run_test "Renegotiation: server-initiated, client-rejected, not enforced" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1425 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1426 renego_delay=-1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1427 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1428 0 \
1429 -C "client hello, adding renegotiation extension" \
1430 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1431 -S "found renegotiation extension" \
1432 -s "server hello, secure renegotiation extension" \
1433 -c "found renegotiation extension" \
1434 -C "=> renegotiate" \
1435 -S "=> renegotiate" \
1436 -s "write hello request" \
1437 -S "SSL - An unexpected message was received from our peer" \
1438 -S "failed"
1439
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]1440# delay 2 for 1 alert record + 1 application data record
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1441run_test "Renegotiation: server-initiated, client-rejected, delay 2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1442 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1443 renego_delay=2 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1444 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1445 0 \
1446 -C "client hello, adding renegotiation extension" \
1447 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1448 -S "found renegotiation extension" \
1449 -s "server hello, secure renegotiation extension" \
1450 -c "found renegotiation extension" \
1451 -C "=> renegotiate" \
1452 -S "=> renegotiate" \
1453 -s "write hello request" \
1454 -S "SSL - An unexpected message was received from our peer" \
1455 -S "failed"
1456
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1457run_test "Renegotiation: server-initiated, client-rejected, delay 0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1458 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1459 renego_delay=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1460 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1461 0 \
1462 -C "client hello, adding renegotiation extension" \
1463 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1464 -S "found renegotiation extension" \
1465 -s "server hello, secure renegotiation extension" \
1466 -c "found renegotiation extension" \
1467 -C "=> renegotiate" \
1468 -S "=> renegotiate" \
1469 -s "write hello request" \
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]1470 -s "SSL - An unexpected message was received from our peer"
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1471
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1472run_test "Renegotiation: server-initiated, client-accepted, delay 0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1473 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1474 renego_delay=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1475 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1476 0 \
1477 -c "client hello, adding renegotiation extension" \
1478 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1479 -s "found renegotiation extension" \
1480 -s "server hello, secure renegotiation extension" \
1481 -c "found renegotiation extension" \
1482 -c "=> renegotiate" \
1483 -s "=> renegotiate" \
1484 -s "write hello request" \
1485 -S "SSL - An unexpected message was received from our peer" \
1486 -S "failed"
1487
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1488run_test "Renegotiation: periodic, just below period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1489 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1490 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
1491 0 \
1492 -C "client hello, adding renegotiation extension" \
1493 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1494 -S "found renegotiation extension" \
1495 -s "server hello, secure renegotiation extension" \
1496 -c "found renegotiation extension" \
1497 -S "record counter limit reached: renegotiate" \
1498 -C "=> renegotiate" \
1499 -S "=> renegotiate" \
1500 -S "write hello request" \
1501 -S "SSL - An unexpected message was received from our peer" \
1502 -S "failed"
1503
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]1504# one extra exchange to be able to complete renego
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1505run_test "Renegotiation: periodic, just above period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1506 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]1507 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1508 0 \
1509 -c "client hello, adding renegotiation extension" \
1510 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1511 -s "found renegotiation extension" \
1512 -s "server hello, secure renegotiation extension" \
1513 -c "found renegotiation extension" \
1514 -s "record counter limit reached: renegotiate" \
1515 -c "=> renegotiate" \
1516 -s "=> renegotiate" \
1517 -s "write hello request" \
1518 -S "SSL - An unexpected message was received from our peer" \
1519 -S "failed"
1520
1521run_test "Renegotiation: periodic, two times period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1522 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]1523 "$P_CLI debug_level=3 exchanges=7 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1524 0 \
1525 -c "client hello, adding renegotiation extension" \
1526 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1527 -s "found renegotiation extension" \
1528 -s "server hello, secure renegotiation extension" \
1529 -c "found renegotiation extension" \
1530 -s "record counter limit reached: renegotiate" \
1531 -c "=> renegotiate" \
1532 -s "=> renegotiate" \
1533 -s "write hello request" \
1534 -S "SSL - An unexpected message was received from our peer" \
1535 -S "failed"
1536
1537run_test "Renegotiation: periodic, above period, disabled" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1538 "$P_SRV debug_level=3 exchanges=9 renegotiation=0 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1539 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
1540 0 \
1541 -C "client hello, adding renegotiation extension" \
1542 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1543 -S "found renegotiation extension" \
1544 -s "server hello, secure renegotiation extension" \
1545 -c "found renegotiation extension" \
1546 -S "record counter limit reached: renegotiate" \
1547 -C "=> renegotiate" \
1548 -S "=> renegotiate" \
1549 -S "write hello request" \
1550 -S "SSL - An unexpected message was received from our peer" \
1551 -S "failed"
1552
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1553run_test "Renegotiation: nbio, client-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1554 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1555 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +0200[diff] [blame]1556 0 \
1557 -c "client hello, adding renegotiation extension" \
1558 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1559 -s "found renegotiation extension" \
1560 -s "server hello, secure renegotiation extension" \
1561 -c "found renegotiation extension" \
1562 -c "=> renegotiate" \
1563 -s "=> renegotiate" \
1564 -S "write hello request"
1565
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1566run_test "Renegotiation: nbio, server-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1567 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1568 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +0200[diff] [blame]1569 0 \
1570 -c "client hello, adding renegotiation extension" \
1571 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1572 -s "found renegotiation extension" \
1573 -s "server hello, secure renegotiation extension" \
1574 -c "found renegotiation extension" \
1575 -c "=> renegotiate" \
1576 -s "=> renegotiate" \
1577 -s "write hello request"
1578
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1579run_test "Renegotiation: openssl server, client-initiated" \
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]1580 "$O_SRV -www" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1581 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]1582 0 \
1583 -c "client hello, adding renegotiation extension" \
1584 -c "found renegotiation extension" \
1585 -c "=> renegotiate" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1586 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]1587 -C "error" \
1588 -c "HTTP/1.0 200 [Oo][Kk]"
1589
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1590requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1591run_test "Renegotiation: gnutls server strict, client-initiated" \
1592 "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1593 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]1594 0 \
1595 -c "client hello, adding renegotiation extension" \
1596 -c "found renegotiation extension" \
1597 -c "=> renegotiate" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1598 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]1599 -C "error" \
1600 -c "HTTP/1.0 200 [Oo][Kk]"
1601
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1602requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1603run_test "Renegotiation: gnutls server unsafe, client-initiated default" \
1604 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1605 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
1606 1 \
1607 -c "client hello, adding renegotiation extension" \
1608 -C "found renegotiation extension" \
1609 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1610 -c "mbedtls_ssl_handshake() returned" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1611 -c "error" \
1612 -C "HTTP/1.0 200 [Oo][Kk]"
1613
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1614requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1615run_test "Renegotiation: gnutls server unsafe, client-inititated no legacy" \
1616 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1617 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
1618 allow_legacy=0" \
1619 1 \
1620 -c "client hello, adding renegotiation extension" \
1621 -C "found renegotiation extension" \
1622 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1623 -c "mbedtls_ssl_handshake() returned" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1624 -c "error" \
1625 -C "HTTP/1.0 200 [Oo][Kk]"
1626
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1627requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1628run_test "Renegotiation: gnutls server unsafe, client-inititated legacy" \
1629 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1630 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
1631 allow_legacy=1" \
1632 0 \
1633 -c "client hello, adding renegotiation extension" \
1634 -C "found renegotiation extension" \
1635 -c "=> renegotiate" \
1636 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1637 -C "error" \
1638 -c "HTTP/1.0 200 [Oo][Kk]"
1639
Manuel Pégourié-Gonnard30d16eb2014-08-19 17:43:50 +0200[diff] [blame]1640run_test "Renegotiation: DTLS, client-initiated" \
1641 "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1" \
1642 "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
1643 0 \
1644 -c "client hello, adding renegotiation extension" \
1645 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1646 -s "found renegotiation extension" \
1647 -s "server hello, secure renegotiation extension" \
1648 -c "found renegotiation extension" \
1649 -c "=> renegotiate" \
1650 -s "=> renegotiate" \
1651 -S "write hello request"
1652
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]1653run_test "Renegotiation: DTLS, server-initiated" \
1654 "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnarddf9a0a82014-10-02 14:17:18 +0200[diff] [blame]1655 "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 \
1656 read_timeout=1000 max_resend=2" \
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]1657 0 \
1658 -c "client hello, adding renegotiation extension" \
1659 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1660 -s "found renegotiation extension" \
1661 -s "server hello, secure renegotiation extension" \
1662 -c "found renegotiation extension" \
1663 -c "=> renegotiate" \
1664 -s "=> renegotiate" \
1665 -s "write hello request"
1666
Andres AG9b1927b2017-01-19 16:30:57 +0000[diff] [blame]1667run_test "Renegotiation: DTLS, renego_period overflow" \
1668 "$P_SRV debug_level=3 dtls=1 exchanges=4 renegotiation=1 renego_period=18446462598732840962 auth_mode=optional" \
1669 "$P_CLI debug_level=3 dtls=1 exchanges=4 renegotiation=1" \
1670 0 \
1671 -c "client hello, adding renegotiation extension" \
1672 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1673 -s "found renegotiation extension" \
1674 -s "server hello, secure renegotiation extension" \
1675 -s "record counter limit reached: renegotiate" \
1676 -c "=> renegotiate" \
1677 -s "=> renegotiate" \
1678 -s "write hello request" \
1679
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]1680requires_gnutls
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +0200[diff] [blame]1681run_test "Renegotiation: DTLS, gnutls server, client-initiated" \
1682 "$G_SRV -u --mtu 4096" \
1683 "$P_CLI debug_level=3 dtls=1 exchanges=1 renegotiation=1 renegotiate=1" \
1684 0 \
1685 -c "client hello, adding renegotiation extension" \
1686 -c "found renegotiation extension" \
1687 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1688 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +0200[diff] [blame]1689 -C "error" \
1690 -s "Extra-header:"
1691
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1692# Test for the "secure renegotation" extension only (no actual renegotiation)
1693
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1694requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1695run_test "Renego ext: gnutls server strict, client default" \
1696 "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
1697 "$P_CLI debug_level=3" \
1698 0 \
1699 -c "found renegotiation extension" \
1700 -C "error" \
1701 -c "HTTP/1.0 200 [Oo][Kk]"
1702
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1703requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1704run_test "Renego ext: gnutls server unsafe, client default" \
1705 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1706 "$P_CLI debug_level=3" \
1707 0 \
1708 -C "found renegotiation extension" \
1709 -C "error" \
1710 -c "HTTP/1.0 200 [Oo][Kk]"
1711
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1712requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1713run_test "Renego ext: gnutls server unsafe, client break legacy" \
1714 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1715 "$P_CLI debug_level=3 allow_legacy=-1" \
1716 1 \
1717 -C "found renegotiation extension" \
1718 -c "error" \
1719 -C "HTTP/1.0 200 [Oo][Kk]"
1720
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1721requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1722run_test "Renego ext: gnutls client strict, server default" \
1723 "$P_SRV debug_level=3" \
1724 "$G_CLI --priority=NORMAL:%SAFE_RENEGOTIATION" \
1725 0 \
1726 -s "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
1727 -s "server hello, secure renegotiation extension"
1728
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1729requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1730run_test "Renego ext: gnutls client unsafe, server default" \
1731 "$P_SRV debug_level=3" \
1732 "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1733 0 \
1734 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
1735 -S "server hello, secure renegotiation extension"
1736
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1737requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1738run_test "Renego ext: gnutls client unsafe, server break legacy" \
1739 "$P_SRV debug_level=3 allow_legacy=-1" \
1740 "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1741 1 \
1742 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
1743 -S "server hello, secure renegotiation extension"
1744
Janos Follath365b2262016-02-17 10:11:21 +0000[diff] [blame]1745# Tests for silently dropping trailing extra bytes in .der certificates
1746
1747requires_gnutls
1748run_test "DER format: no trailing bytes" \
1749 "$P_SRV crt_file=data_files/server5-der0.crt \
1750 key_file=data_files/server5.key" \
1751 "$G_CLI " \
1752 0 \
1753 -c "Handshake was completed" \
1754
1755requires_gnutls
1756run_test "DER format: with a trailing zero byte" \
1757 "$P_SRV crt_file=data_files/server5-der1a.crt \
1758 key_file=data_files/server5.key" \
1759 "$G_CLI " \
1760 0 \
1761 -c "Handshake was completed" \
1762
1763requires_gnutls
1764run_test "DER format: with a trailing random byte" \
1765 "$P_SRV crt_file=data_files/server5-der1b.crt \
1766 key_file=data_files/server5.key" \
1767 "$G_CLI " \
1768 0 \
1769 -c "Handshake was completed" \
1770
1771requires_gnutls
1772run_test "DER format: with 2 trailing random bytes" \
1773 "$P_SRV crt_file=data_files/server5-der2.crt \
1774 key_file=data_files/server5.key" \
1775 "$G_CLI " \
1776 0 \
1777 -c "Handshake was completed" \
1778
1779requires_gnutls
1780run_test "DER format: with 4 trailing random bytes" \
1781 "$P_SRV crt_file=data_files/server5-der4.crt \
1782 key_file=data_files/server5.key" \
1783 "$G_CLI " \
1784 0 \
1785 -c "Handshake was completed" \
1786
1787requires_gnutls
1788run_test "DER format: with 8 trailing random bytes" \
1789 "$P_SRV crt_file=data_files/server5-der8.crt \
1790 key_file=data_files/server5.key" \
1791 "$G_CLI " \
1792 0 \
1793 -c "Handshake was completed" \
1794
1795requires_gnutls
1796run_test "DER format: with 9 trailing random bytes" \
1797 "$P_SRV crt_file=data_files/server5-der9.crt \
1798 key_file=data_files/server5.key" \
1799 "$G_CLI " \
1800 0 \
1801 -c "Handshake was completed" \
1802
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1803# Tests for auth_mode
1804
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1805run_test "Authentication: server badcert, client required" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1806 "$P_SRV crt_file=data_files/server5-badsign.crt \
1807 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1808 "$P_CLI debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1809 1 \
1810 -c "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]1811 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1812 -c "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1813 -c "X509 - Certificate verification failed"
1814
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1815run_test "Authentication: server badcert, client optional" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1816 "$P_SRV crt_file=data_files/server5-badsign.crt \
1817 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1818 "$P_CLI debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1819 0 \
1820 -c "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]1821 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1822 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1823 -C "X509 - Certificate verification failed"
1824
Hanno Becker61c0c702017-05-15 16:05:15 +0100[diff] [blame]1825run_test "Authentication: server goodcert, client optional, no trusted CA" \
1826 "$P_SRV" \
1827 "$P_CLI debug_level=3 auth_mode=optional ca_file=none ca_path=none" \
1828 0 \
1829 -c "x509_verify_cert() returned" \
1830 -c "! The certificate is not correctly signed by the trusted CA" \
1831 -c "! Certificate verification flags"\
1832 -C "! mbedtls_ssl_handshake returned" \
1833 -C "X509 - Certificate verification failed" \
1834 -C "SSL - No CA Chain is set, but required to operate"
1835
1836run_test "Authentication: server goodcert, client required, no trusted CA" \
1837 "$P_SRV" \
1838 "$P_CLI debug_level=3 auth_mode=required ca_file=none ca_path=none" \
1839 1 \
1840 -c "x509_verify_cert() returned" \
1841 -c "! The certificate is not correctly signed by the trusted CA" \
1842 -c "! Certificate verification flags"\
1843 -c "! mbedtls_ssl_handshake returned" \
1844 -c "SSL - No CA Chain is set, but required to operate"
1845
1846# The purpose of the next two tests is to test the client's behaviour when receiving a server
1847# certificate with an unsupported elliptic curve. This should usually not happen because
1848# the client informs the server about the supported curves - it does, though, in the
1849# corner case of a static ECDH suite, because the server doesn't check the curve on that
1850# occasion (to be fixed). If that bug's fixed, the test needs to be altered to use a
1851# different means to have the server ignoring the client's supported curve list.
1852
1853requires_config_enabled MBEDTLS_ECP_C
1854run_test "Authentication: server ECDH p256v1, client required, p256v1 unsupported" \
1855 "$P_SRV debug_level=1 key_file=data_files/server5.key \
1856 crt_file=data_files/server5.ku-ka.crt" \
1857 "$P_CLI debug_level=3 auth_mode=required curves=secp521r1" \
1858 1 \
1859 -c "bad certificate (EC key curve)"\
1860 -c "! Certificate verification flags"\
1861 -C "bad server certificate (ECDH curve)" # Expect failure at earlier verification stage
1862
1863requires_config_enabled MBEDTLS_ECP_C
1864run_test "Authentication: server ECDH p256v1, client optional, p256v1 unsupported" \
1865 "$P_SRV debug_level=1 key_file=data_files/server5.key \
1866 crt_file=data_files/server5.ku-ka.crt" \
1867 "$P_CLI debug_level=3 auth_mode=optional curves=secp521r1" \
1868 1 \
1869 -c "bad certificate (EC key curve)"\
1870 -c "! Certificate verification flags"\
1871 -c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check
1872
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1873run_test "Authentication: server badcert, client none" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]1874 "$P_SRV crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1875 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1876 "$P_CLI debug_level=1 auth_mode=none" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1877 0 \
1878 -C "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]1879 -C "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1880 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1881 -C "X509 - Certificate verification failed"
1882
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1883run_test "Authentication: client badcert, server required" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1884 "$P_SRV debug_level=3 auth_mode=required" \
1885 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1886 key_file=data_files/server5.key" \
1887 1 \
1888 -S "skip write certificate request" \
1889 -C "skip parse certificate request" \
1890 -c "got a certificate request" \
1891 -C "skip write certificate" \
1892 -C "skip write certificate verify" \
1893 -S "skip parse certificate verify" \
1894 -s "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]1895 -s "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1896 -s "! mbedtls_ssl_handshake returned" \
1897 -c "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1898 -s "X509 - Certificate verification failed"
1899
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1900run_test "Authentication: client badcert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1901 "$P_SRV debug_level=3 auth_mode=optional" \
1902 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1903 key_file=data_files/server5.key" \
1904 0 \
1905 -S "skip write certificate request" \
1906 -C "skip parse certificate request" \
1907 -c "got a certificate request" \
1908 -C "skip write certificate" \
1909 -C "skip write certificate verify" \
1910 -S "skip parse certificate verify" \
1911 -s "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]1912 -s "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1913 -S "! mbedtls_ssl_handshake returned" \
1914 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1915 -S "X509 - Certificate verification failed"
1916
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1917run_test "Authentication: client badcert, server none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1918 "$P_SRV debug_level=3 auth_mode=none" \
1919 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1920 key_file=data_files/server5.key" \
1921 0 \
1922 -s "skip write certificate request" \
1923 -C "skip parse certificate request" \
1924 -c "got no certificate request" \
1925 -c "skip write certificate" \
1926 -c "skip write certificate verify" \
1927 -s "skip parse certificate verify" \
1928 -S "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]1929 -S "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1930 -S "! mbedtls_ssl_handshake returned" \
1931 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1932 -S "X509 - Certificate verification failed"
1933
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1934run_test "Authentication: client no cert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1935 "$P_SRV debug_level=3 auth_mode=optional" \
1936 "$P_CLI debug_level=3 crt_file=none key_file=none" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]1937 0 \
1938 -S "skip write certificate request" \
1939 -C "skip parse certificate request" \
1940 -c "got a certificate request" \
1941 -C "skip write certificate$" \
1942 -C "got no certificate to send" \
1943 -S "SSLv3 client has no certificate" \
1944 -c "skip write certificate verify" \
1945 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]1946 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1947 -S "! mbedtls_ssl_handshake returned" \
1948 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]1949 -S "X509 - Certificate verification failed"
1950
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1951run_test "Authentication: openssl client no cert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1952 "$P_SRV debug_level=3 auth_mode=optional" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]1953 "$O_CLI" \
1954 0 \
1955 -S "skip write certificate request" \
1956 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]1957 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1958 -S "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]1959 -S "X509 - Certificate verification failed"
1960
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1961run_test "Authentication: client no cert, openssl server optional" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]1962 "$O_SRV -verify 10" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1963 "$P_CLI debug_level=3 crt_file=none key_file=none" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]1964 0 \
1965 -C "skip parse certificate request" \
1966 -c "got a certificate request" \
1967 -C "skip write certificate$" \
1968 -c "skip write certificate verify" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1969 -C "! mbedtls_ssl_handshake returned"
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]1970
Janos Follath542ee5d2016-03-07 15:57:05 +0000[diff] [blame]1971requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1972run_test "Authentication: client no cert, ssl3" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1973 "$P_SRV debug_level=3 auth_mode=optional force_version=ssl3" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]1974 "$P_CLI debug_level=3 crt_file=none key_file=none min_version=ssl3" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]1975 0 \
1976 -S "skip write certificate request" \
1977 -C "skip parse certificate request" \
1978 -c "got a certificate request" \
1979 -C "skip write certificate$" \
1980 -c "skip write certificate verify" \
1981 -c "got no certificate to send" \
1982 -s "SSLv3 client has no certificate" \
1983 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]1984 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1985 -S "! mbedtls_ssl_handshake returned" \
1986 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]1987 -S "X509 - Certificate verification failed"
1988
Manuel Pégourié-Gonnard591035d2017-06-26 10:45:33 +0200[diff] [blame]1989run_test "Authentication: server max_int chain, client default" \
1990 "$P_SRV crt_file=data_files/dir-maxpath/c09.pem \
1991 key_file=data_files/dir-maxpath/09.key" \
1992 "$P_CLI server_name=CA09 ca_file=data_files/dir-maxpath/00.crt" \
1993 0 \
1994 -C "X509 - A fatal error occured"
1995
1996run_test "Authentication: server max_int+1 chain, client default" \
1997 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
1998 key_file=data_files/dir-maxpath/10.key" \
1999 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt" \
2000 1 \
2001 -c "X509 - A fatal error occured"
2002
2003run_test "Authentication: server max_int+1 chain, client optional" \
2004 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
2005 key_file=data_files/dir-maxpath/10.key" \
2006 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
2007 auth_mode=optional" \
2008 1 \
2009 -c "X509 - A fatal error occured"
2010
2011run_test "Authentication: server max_int+1 chain, client none" \
2012 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
2013 key_file=data_files/dir-maxpath/10.key" \
2014 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
2015 auth_mode=none" \
2016 0 \
2017 -C "X509 - A fatal error occured"
2018
2019run_test "Authentication: client max_int+1 chain, server default" \
2020 "$P_SRV ca_file=data_files/dir-maxpath/00.crt" \
2021 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
2022 key_file=data_files/dir-maxpath/10.key" \
2023 0 \
2024 -S "X509 - A fatal error occured"
2025
2026run_test "Authentication: client max_int+1 chain, server optional" \
2027 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=optional" \
2028 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
2029 key_file=data_files/dir-maxpath/10.key" \
2030 1 \
2031 -s "X509 - A fatal error occured"
2032
2033run_test "Authentication: client max_int+1 chain, server required" \
2034 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
2035 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
2036 key_file=data_files/dir-maxpath/10.key" \
2037 1 \
2038 -s "X509 - A fatal error occured"
2039
2040run_test "Authentication: client max_int chain, server required" \
2041 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
2042 "$P_CLI crt_file=data_files/dir-maxpath/c09.pem \
2043 key_file=data_files/dir-maxpath/09.key" \
2044 0 \
2045 -S "X509 - A fatal error occured"
2046
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]2047# Tests for certificate selection based on SHA verson
2048
2049run_test "Certificate hash: client TLS 1.2 -> SHA-2" \
2050 "$P_SRV crt_file=data_files/server5.crt \
2051 key_file=data_files/server5.key \
2052 crt_file2=data_files/server5-sha1.crt \
2053 key_file2=data_files/server5.key" \
2054 "$P_CLI force_version=tls1_2" \
2055 0 \
2056 -c "signed using.*ECDSA with SHA256" \
2057 -C "signed using.*ECDSA with SHA1"
2058
2059run_test "Certificate hash: client TLS 1.1 -> SHA-1" \
2060 "$P_SRV crt_file=data_files/server5.crt \
2061 key_file=data_files/server5.key \
2062 crt_file2=data_files/server5-sha1.crt \
2063 key_file2=data_files/server5.key" \
2064 "$P_CLI force_version=tls1_1" \
2065 0 \
2066 -C "signed using.*ECDSA with SHA256" \
2067 -c "signed using.*ECDSA with SHA1"
2068
2069run_test "Certificate hash: client TLS 1.0 -> SHA-1" \
2070 "$P_SRV crt_file=data_files/server5.crt \
2071 key_file=data_files/server5.key \
2072 crt_file2=data_files/server5-sha1.crt \
2073 key_file2=data_files/server5.key" \
2074 "$P_CLI force_version=tls1" \
2075 0 \
2076 -C "signed using.*ECDSA with SHA256" \
2077 -c "signed using.*ECDSA with SHA1"
2078
2079run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 1)" \
2080 "$P_SRV crt_file=data_files/server5.crt \
2081 key_file=data_files/server5.key \
2082 crt_file2=data_files/server6.crt \
2083 key_file2=data_files/server6.key" \
2084 "$P_CLI force_version=tls1_1" \
2085 0 \
2086 -c "serial number.*09" \
2087 -c "signed using.*ECDSA with SHA256" \
2088 -C "signed using.*ECDSA with SHA1"
2089
2090run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 2)" \
2091 "$P_SRV crt_file=data_files/server6.crt \
2092 key_file=data_files/server6.key \
2093 crt_file2=data_files/server5.crt \
2094 key_file2=data_files/server5.key" \
2095 "$P_CLI force_version=tls1_1" \
2096 0 \
2097 -c "serial number.*0A" \
2098 -c "signed using.*ECDSA with SHA256" \
2099 -C "signed using.*ECDSA with SHA1"
2100
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2101# tests for SNI
2102
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2103run_test "SNI: no SNI callback" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2104 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2105 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2106 "$P_CLI server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2107 0 \
2108 -S "parse ServerName extension" \
2109 -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
2110 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2111
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2112run_test "SNI: matching cert 1" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2113 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2114 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]2115 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2116 "$P_CLI server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2117 0 \
2118 -s "parse ServerName extension" \
2119 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
2120 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2121
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2122run_test "SNI: matching cert 2" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2123 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2124 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]2125 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2126 "$P_CLI server_name=polarssl.example" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2127 0 \
2128 -s "parse ServerName extension" \
2129 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
2130 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2131
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2132run_test "SNI: no matching cert" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2133 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2134 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]2135 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2136 "$P_CLI server_name=nonesuch.example" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2137 1 \
2138 -s "parse ServerName extension" \
2139 -s "ssl_sni_wrapper() returned" \
2140 -s "mbedtls_ssl_handshake returned" \
2141 -c "mbedtls_ssl_handshake returned" \
2142 -c "SSL - A fatal alert message was received from our peer"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2143
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]2144run_test "SNI: client auth no override: optional" \
2145 "$P_SRV debug_level=3 auth_mode=optional \
2146 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2147 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
2148 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2149 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]2150 -S "skip write certificate request" \
2151 -C "skip parse certificate request" \
2152 -c "got a certificate request" \
2153 -C "skip write certificate" \
2154 -C "skip write certificate verify" \
2155 -S "skip parse certificate verify"
2156
2157run_test "SNI: client auth override: none -> optional" \
2158 "$P_SRV debug_level=3 auth_mode=none \
2159 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2160 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
2161 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2162 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]2163 -S "skip write certificate request" \
2164 -C "skip parse certificate request" \
2165 -c "got a certificate request" \
2166 -C "skip write certificate" \
2167 -C "skip write certificate verify" \
2168 -S "skip parse certificate verify"
2169
2170run_test "SNI: client auth override: optional -> none" \
2171 "$P_SRV debug_level=3 auth_mode=optional \
2172 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2173 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
2174 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2175 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]2176 -s "skip write certificate request" \
2177 -C "skip parse certificate request" \
2178 -c "got no certificate request" \
2179 -c "skip write certificate" \
2180 -c "skip write certificate verify" \
2181 -s "skip parse certificate verify"
2182
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2183run_test "SNI: CA no override" \
2184 "$P_SRV debug_level=3 auth_mode=optional \
2185 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2186 ca_file=data_files/test-ca.crt \
2187 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
2188 "$P_CLI debug_level=3 server_name=localhost \
2189 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2190 1 \
2191 -S "skip write certificate request" \
2192 -C "skip parse certificate request" \
2193 -c "got a certificate request" \
2194 -C "skip write certificate" \
2195 -C "skip write certificate verify" \
2196 -S "skip parse certificate verify" \
2197 -s "x509_verify_cert() returned" \
2198 -s "! The certificate is not correctly signed by the trusted CA" \
2199 -S "The certificate has been revoked (is on a CRL)"
2200
2201run_test "SNI: CA override" \
2202 "$P_SRV debug_level=3 auth_mode=optional \
2203 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2204 ca_file=data_files/test-ca.crt \
2205 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
2206 "$P_CLI debug_level=3 server_name=localhost \
2207 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2208 0 \
2209 -S "skip write certificate request" \
2210 -C "skip parse certificate request" \
2211 -c "got a certificate request" \
2212 -C "skip write certificate" \
2213 -C "skip write certificate verify" \
2214 -S "skip parse certificate verify" \
2215 -S "x509_verify_cert() returned" \
2216 -S "! The certificate is not correctly signed by the trusted CA" \
2217 -S "The certificate has been revoked (is on a CRL)"
2218
2219run_test "SNI: CA override with CRL" \
2220 "$P_SRV debug_level=3 auth_mode=optional \
2221 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2222 ca_file=data_files/test-ca.crt \
2223 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
2224 "$P_CLI debug_level=3 server_name=localhost \
2225 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2226 1 \
2227 -S "skip write certificate request" \
2228 -C "skip parse certificate request" \
2229 -c "got a certificate request" \
2230 -C "skip write certificate" \
2231 -C "skip write certificate verify" \
2232 -S "skip parse certificate verify" \
2233 -s "x509_verify_cert() returned" \
2234 -S "! The certificate is not correctly signed by the trusted CA" \
2235 -s "The certificate has been revoked (is on a CRL)"
2236
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2237# Tests for non-blocking I/O: exercise a variety of handshake flows
2238
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2239run_test "Non-blocking I/O: basic handshake" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2240 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
2241 "$P_CLI nbio=2 tickets=0" \
2242 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2243 -S "mbedtls_ssl_handshake returned" \
2244 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2245 -c "Read from server: .* bytes read"
2246
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2247run_test "Non-blocking I/O: client auth" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2248 "$P_SRV nbio=2 tickets=0 auth_mode=required" \
2249 "$P_CLI nbio=2 tickets=0" \
2250 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2251 -S "mbedtls_ssl_handshake returned" \
2252 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2253 -c "Read from server: .* bytes read"
2254
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2255run_test "Non-blocking I/O: ticket" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2256 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
2257 "$P_CLI nbio=2 tickets=1" \
2258 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2259 -S "mbedtls_ssl_handshake returned" \
2260 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2261 -c "Read from server: .* bytes read"
2262
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2263run_test "Non-blocking I/O: ticket + client auth" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2264 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
2265 "$P_CLI nbio=2 tickets=1" \
2266 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2267 -S "mbedtls_ssl_handshake returned" \
2268 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2269 -c "Read from server: .* bytes read"
2270
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2271run_test "Non-blocking I/O: ticket + client auth + resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2272 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
2273 "$P_CLI nbio=2 tickets=1 reconnect=1" \
2274 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2275 -S "mbedtls_ssl_handshake returned" \
2276 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2277 -c "Read from server: .* bytes read"
2278
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2279run_test "Non-blocking I/O: ticket + resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2280 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
2281 "$P_CLI nbio=2 tickets=1 reconnect=1" \
2282 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2283 -S "mbedtls_ssl_handshake returned" \
2284 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2285 -c "Read from server: .* bytes read"
2286
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2287run_test "Non-blocking I/O: session-id resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2288 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
2289 "$P_CLI nbio=2 tickets=0 reconnect=1" \
2290 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2291 -S "mbedtls_ssl_handshake returned" \
2292 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2293 -c "Read from server: .* bytes read"
2294
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2295# Tests for version negotiation
2296
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2297run_test "Version check: all -> 1.2" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2298 "$P_SRV" \
2299 "$P_CLI" \
2300 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2301 -S "mbedtls_ssl_handshake returned" \
2302 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2303 -s "Protocol is TLSv1.2" \
2304 -c "Protocol is TLSv1.2"
2305
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2306run_test "Version check: cli max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2307 "$P_SRV" \
2308 "$P_CLI max_version=tls1_1" \
2309 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2310 -S "mbedtls_ssl_handshake returned" \
2311 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2312 -s "Protocol is TLSv1.1" \
2313 -c "Protocol is TLSv1.1"
2314
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2315run_test "Version check: srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2316 "$P_SRV max_version=tls1_1" \
2317 "$P_CLI" \
2318 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2319 -S "mbedtls_ssl_handshake returned" \
2320 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2321 -s "Protocol is TLSv1.1" \
2322 -c "Protocol is TLSv1.1"
2323
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2324run_test "Version check: cli+srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2325 "$P_SRV max_version=tls1_1" \
2326 "$P_CLI max_version=tls1_1" \
2327 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2328 -S "mbedtls_ssl_handshake returned" \
2329 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2330 -s "Protocol is TLSv1.1" \
2331 -c "Protocol is TLSv1.1"
2332
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2333run_test "Version check: cli max 1.1, srv min 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2334 "$P_SRV min_version=tls1_1" \
2335 "$P_CLI max_version=tls1_1" \
2336 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2337 -S "mbedtls_ssl_handshake returned" \
2338 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2339 -s "Protocol is TLSv1.1" \
2340 -c "Protocol is TLSv1.1"
2341
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2342run_test "Version check: cli min 1.1, srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2343 "$P_SRV max_version=tls1_1" \
2344 "$P_CLI min_version=tls1_1" \
2345 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2346 -S "mbedtls_ssl_handshake returned" \
2347 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2348 -s "Protocol is TLSv1.1" \
2349 -c "Protocol is TLSv1.1"
2350
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2351run_test "Version check: cli min 1.2, srv max 1.1 -> fail" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2352 "$P_SRV max_version=tls1_1" \
2353 "$P_CLI min_version=tls1_2" \
2354 1 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2355 -s "mbedtls_ssl_handshake returned" \
2356 -c "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2357 -c "SSL - Handshake protocol not within min/max boundaries"
2358
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2359run_test "Version check: srv min 1.2, cli max 1.1 -> fail" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2360 "$P_SRV min_version=tls1_2" \
2361 "$P_CLI max_version=tls1_1" \
2362 1 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2363 -s "mbedtls_ssl_handshake returned" \
2364 -c "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2365 -s "SSL - Handshake protocol not within min/max boundaries"
2366
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2367# Tests for ALPN extension
2368
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2369run_test "ALPN: none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2370 "$P_SRV debug_level=3" \
2371 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2372 0 \
2373 -C "client hello, adding alpn extension" \
2374 -S "found alpn extension" \
2375 -C "got an alert message, type: \\[2:120]" \
2376 -S "server hello, adding alpn extension" \
2377 -C "found alpn extension " \
2378 -C "Application Layer Protocol is" \
2379 -S "Application Layer Protocol is"
2380
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2381run_test "ALPN: client only" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2382 "$P_SRV debug_level=3" \
2383 "$P_CLI debug_level=3 alpn=abc,1234" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2384 0 \
2385 -c "client hello, adding alpn extension" \
2386 -s "found alpn extension" \
2387 -C "got an alert message, type: \\[2:120]" \
2388 -S "server hello, adding alpn extension" \
2389 -C "found alpn extension " \
2390 -c "Application Layer Protocol is (none)" \
2391 -S "Application Layer Protocol is"
2392
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2393run_test "ALPN: server only" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2394 "$P_SRV debug_level=3 alpn=abc,1234" \
2395 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2396 0 \
2397 -C "client hello, adding alpn extension" \
2398 -S "found alpn extension" \
2399 -C "got an alert message, type: \\[2:120]" \
2400 -S "server hello, adding alpn extension" \
2401 -C "found alpn extension " \
2402 -C "Application Layer Protocol is" \
2403 -s "Application Layer Protocol is (none)"
2404
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2405run_test "ALPN: both, common cli1-srv1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2406 "$P_SRV debug_level=3 alpn=abc,1234" \
2407 "$P_CLI debug_level=3 alpn=abc,1234" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2408 0 \
2409 -c "client hello, adding alpn extension" \
2410 -s "found alpn extension" \
2411 -C "got an alert message, type: \\[2:120]" \
2412 -s "server hello, adding alpn extension" \
2413 -c "found alpn extension" \
2414 -c "Application Layer Protocol is abc" \
2415 -s "Application Layer Protocol is abc"
2416
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2417run_test "ALPN: both, common cli2-srv1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2418 "$P_SRV debug_level=3 alpn=abc,1234" \
2419 "$P_CLI debug_level=3 alpn=1234,abc" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2420 0 \
2421 -c "client hello, adding alpn extension" \
2422 -s "found alpn extension" \
2423 -C "got an alert message, type: \\[2:120]" \
2424 -s "server hello, adding alpn extension" \
2425 -c "found alpn extension" \
2426 -c "Application Layer Protocol is abc" \
2427 -s "Application Layer Protocol is abc"
2428
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2429run_test "ALPN: both, common cli1-srv2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2430 "$P_SRV debug_level=3 alpn=abc,1234" \
2431 "$P_CLI debug_level=3 alpn=1234,abcde" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2432 0 \
2433 -c "client hello, adding alpn extension" \
2434 -s "found alpn extension" \
2435 -C "got an alert message, type: \\[2:120]" \
2436 -s "server hello, adding alpn extension" \
2437 -c "found alpn extension" \
2438 -c "Application Layer Protocol is 1234" \
2439 -s "Application Layer Protocol is 1234"
2440
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2441run_test "ALPN: both, no common" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2442 "$P_SRV debug_level=3 alpn=abc,123" \
2443 "$P_CLI debug_level=3 alpn=1234,abcde" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2444 1 \
2445 -c "client hello, adding alpn extension" \
2446 -s "found alpn extension" \
2447 -c "got an alert message, type: \\[2:120]" \
2448 -S "server hello, adding alpn extension" \
2449 -C "found alpn extension" \
2450 -C "Application Layer Protocol is 1234" \
2451 -S "Application Layer Protocol is 1234"
2452
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]2453
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2454# Tests for keyUsage in leaf certificates, part 1:
2455# server-side certificate/suite selection
2456
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2457run_test "keyUsage srv: RSA, digitalSignature -> (EC)DHE-RSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2458 "$P_SRV key_file=data_files/server2.key \
2459 crt_file=data_files/server2.ku-ds.crt" \
2460 "$P_CLI" \
2461 0 \
Manuel Pégourié-Gonnard17cde5f2014-05-22 14:42:39 +0200[diff] [blame]2462 -c "Ciphersuite is TLS-[EC]*DHE-RSA-WITH-"
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2463
2464
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2465run_test "keyUsage srv: RSA, keyEncipherment -> RSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2466 "$P_SRV key_file=data_files/server2.key \
2467 crt_file=data_files/server2.ku-ke.crt" \
2468 "$P_CLI" \
2469 0 \
2470 -c "Ciphersuite is TLS-RSA-WITH-"
2471
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2472run_test "keyUsage srv: RSA, keyAgreement -> fail" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]2473 "$P_SRV key_file=data_files/server2.key \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2474 crt_file=data_files/server2.ku-ka.crt" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]2475 "$P_CLI" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2476 1 \
2477 -C "Ciphersuite is "
2478
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2479run_test "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2480 "$P_SRV key_file=data_files/server5.key \
2481 crt_file=data_files/server5.ku-ds.crt" \
2482 "$P_CLI" \
2483 0 \
2484 -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-"
2485
2486
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2487run_test "keyUsage srv: ECDSA, keyAgreement -> ECDH-" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2488 "$P_SRV key_file=data_files/server5.key \
2489 crt_file=data_files/server5.ku-ka.crt" \
2490 "$P_CLI" \
2491 0 \
2492 -c "Ciphersuite is TLS-ECDH-"
2493
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2494run_test "keyUsage srv: ECDSA, keyEncipherment -> fail" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]2495 "$P_SRV key_file=data_files/server5.key \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2496 crt_file=data_files/server5.ku-ke.crt" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]2497 "$P_CLI" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2498 1 \
2499 -C "Ciphersuite is "
2500
2501# Tests for keyUsage in leaf certificates, part 2:
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2502# client-side checking of server cert
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2503
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2504run_test "keyUsage cli: DigitalSignature+KeyEncipherment, RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2505 "$O_SRV -key data_files/server2.key \
2506 -cert data_files/server2.ku-ds_ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2507 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2508 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2509 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2510 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2511 -C "Processing of the Certificate handshake message failed" \
2512 -c "Ciphersuite is TLS-"
2513
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2514run_test "keyUsage cli: DigitalSignature+KeyEncipherment, DHE-RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2515 "$O_SRV -key data_files/server2.key \
2516 -cert data_files/server2.ku-ds_ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2517 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2518 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
2519 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2520 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2521 -C "Processing of the Certificate handshake message failed" \
2522 -c "Ciphersuite is TLS-"
2523
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2524run_test "keyUsage cli: KeyEncipherment, RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2525 "$O_SRV -key data_files/server2.key \
2526 -cert data_files/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2527 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2528 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2529 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2530 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2531 -C "Processing of the Certificate handshake message failed" \
2532 -c "Ciphersuite is TLS-"
2533
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2534run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2535 "$O_SRV -key data_files/server2.key \
2536 -cert data_files/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2537 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2538 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
2539 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2540 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2541 -c "Processing of the Certificate handshake message failed" \
2542 -C "Ciphersuite is TLS-"
2543
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]2544run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail, soft" \
2545 "$O_SRV -key data_files/server2.key \
2546 -cert data_files/server2.ku-ke.crt" \
2547 "$P_CLI debug_level=1 auth_mode=optional \
2548 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
2549 0 \
2550 -c "bad certificate (usage extensions)" \
2551 -C "Processing of the Certificate handshake message failed" \
2552 -c "Ciphersuite is TLS-" \
2553 -c "! Usage does not match the keyUsage extension"
2554
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2555run_test "keyUsage cli: DigitalSignature, DHE-RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2556 "$O_SRV -key data_files/server2.key \
2557 -cert data_files/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2558 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2559 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
2560 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2561 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2562 -C "Processing of the Certificate handshake message failed" \
2563 -c "Ciphersuite is TLS-"
2564
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2565run_test "keyUsage cli: DigitalSignature, RSA: fail" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2566 "$O_SRV -key data_files/server2.key \
2567 -cert data_files/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2568 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2569 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2570 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2571 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2572 -c "Processing of the Certificate handshake message failed" \
2573 -C "Ciphersuite is TLS-"
2574
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]2575run_test "keyUsage cli: DigitalSignature, RSA: fail, soft" \
2576 "$O_SRV -key data_files/server2.key \
2577 -cert data_files/server2.ku-ds.crt" \
2578 "$P_CLI debug_level=1 auth_mode=optional \
2579 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2580 0 \
2581 -c "bad certificate (usage extensions)" \
2582 -C "Processing of the Certificate handshake message failed" \
2583 -c "Ciphersuite is TLS-" \
2584 -c "! Usage does not match the keyUsage extension"
2585
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2586# Tests for keyUsage in leaf certificates, part 3:
2587# server-side checking of client cert
2588
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2589run_test "keyUsage cli-auth: RSA, DigitalSignature: OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2590 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2591 "$O_CLI -key data_files/server2.key \
2592 -cert data_files/server2.ku-ds.crt" \
2593 0 \
2594 -S "bad certificate (usage extensions)" \
2595 -S "Processing of the Certificate handshake message failed"
2596
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2597run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2598 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2599 "$O_CLI -key data_files/server2.key \
2600 -cert data_files/server2.ku-ke.crt" \
2601 0 \
2602 -s "bad certificate (usage extensions)" \
2603 -S "Processing of the Certificate handshake message failed"
2604
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2605run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (hard)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2606 "$P_SRV debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2607 "$O_CLI -key data_files/server2.key \
2608 -cert data_files/server2.ku-ke.crt" \
2609 1 \
2610 -s "bad certificate (usage extensions)" \
2611 -s "Processing of the Certificate handshake message failed"
2612
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2613run_test "keyUsage cli-auth: ECDSA, DigitalSignature: OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2614 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2615 "$O_CLI -key data_files/server5.key \
2616 -cert data_files/server5.ku-ds.crt" \
2617 0 \
2618 -S "bad certificate (usage extensions)" \
2619 -S "Processing of the Certificate handshake message failed"
2620
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2621run_test "keyUsage cli-auth: ECDSA, KeyAgreement: fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2622 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2623 "$O_CLI -key data_files/server5.key \
2624 -cert data_files/server5.ku-ka.crt" \
2625 0 \
2626 -s "bad certificate (usage extensions)" \
2627 -S "Processing of the Certificate handshake message failed"
2628
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2629# Tests for extendedKeyUsage, part 1: server-side certificate/suite selection
2630
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2631run_test "extKeyUsage srv: serverAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2632 "$P_SRV key_file=data_files/server5.key \
2633 crt_file=data_files/server5.eku-srv.crt" \
2634 "$P_CLI" \
2635 0
2636
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2637run_test "extKeyUsage srv: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2638 "$P_SRV key_file=data_files/server5.key \
2639 crt_file=data_files/server5.eku-srv.crt" \
2640 "$P_CLI" \
2641 0
2642
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2643run_test "extKeyUsage srv: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2644 "$P_SRV key_file=data_files/server5.key \
2645 crt_file=data_files/server5.eku-cs_any.crt" \
2646 "$P_CLI" \
2647 0
2648
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2649run_test "extKeyUsage srv: codeSign -> fail" \
Manuel Pégourié-Gonnard7eb58cb2015-07-07 11:54:14 +0200[diff] [blame]2650 "$P_SRV key_file=data_files/server5.key \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2651 crt_file=data_files/server5.eku-cli.crt" \
Manuel Pégourié-Gonnard7eb58cb2015-07-07 11:54:14 +0200[diff] [blame]2652 "$P_CLI" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2653 1
2654
2655# Tests for extendedKeyUsage, part 2: client-side checking of server cert
2656
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2657run_test "extKeyUsage cli: serverAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2658 "$O_SRV -key data_files/server5.key \
2659 -cert data_files/server5.eku-srv.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2660 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2661 0 \
2662 -C "bad certificate (usage extensions)" \
2663 -C "Processing of the Certificate handshake message failed" \
2664 -c "Ciphersuite is TLS-"
2665
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2666run_test "extKeyUsage cli: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2667 "$O_SRV -key data_files/server5.key \
2668 -cert data_files/server5.eku-srv_cli.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2669 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2670 0 \
2671 -C "bad certificate (usage extensions)" \
2672 -C "Processing of the Certificate handshake message failed" \
2673 -c "Ciphersuite is TLS-"
2674
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2675run_test "extKeyUsage cli: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2676 "$O_SRV -key data_files/server5.key \
2677 -cert data_files/server5.eku-cs_any.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2678 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2679 0 \
2680 -C "bad certificate (usage extensions)" \
2681 -C "Processing of the Certificate handshake message failed" \
2682 -c "Ciphersuite is TLS-"
2683
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2684run_test "extKeyUsage cli: codeSign -> fail" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2685 "$O_SRV -key data_files/server5.key \
2686 -cert data_files/server5.eku-cs.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2687 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2688 1 \
2689 -c "bad certificate (usage extensions)" \
2690 -c "Processing of the Certificate handshake message failed" \
2691 -C "Ciphersuite is TLS-"
2692
2693# Tests for extendedKeyUsage, part 3: server-side checking of client cert
2694
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2695run_test "extKeyUsage cli-auth: clientAuth -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2696 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2697 "$O_CLI -key data_files/server5.key \
2698 -cert data_files/server5.eku-cli.crt" \
2699 0 \
2700 -S "bad certificate (usage extensions)" \
2701 -S "Processing of the Certificate handshake message failed"
2702
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2703run_test "extKeyUsage cli-auth: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2704 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2705 "$O_CLI -key data_files/server5.key \
2706 -cert data_files/server5.eku-srv_cli.crt" \
2707 0 \
2708 -S "bad certificate (usage extensions)" \
2709 -S "Processing of the Certificate handshake message failed"
2710
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2711run_test "extKeyUsage cli-auth: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2712 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2713 "$O_CLI -key data_files/server5.key \
2714 -cert data_files/server5.eku-cs_any.crt" \
2715 0 \
2716 -S "bad certificate (usage extensions)" \
2717 -S "Processing of the Certificate handshake message failed"
2718
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2719run_test "extKeyUsage cli-auth: codeSign -> fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2720 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2721 "$O_CLI -key data_files/server5.key \
2722 -cert data_files/server5.eku-cs.crt" \
2723 0 \
2724 -s "bad certificate (usage extensions)" \
2725 -S "Processing of the Certificate handshake message failed"
2726
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2727run_test "extKeyUsage cli-auth: codeSign -> fail (hard)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2728 "$P_SRV debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2729 "$O_CLI -key data_files/server5.key \
2730 -cert data_files/server5.eku-cs.crt" \
2731 1 \
2732 -s "bad certificate (usage extensions)" \
2733 -s "Processing of the Certificate handshake message failed"
2734
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]2735# Tests for DHM parameters loading
2736
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2737run_test "DHM parameters: reference" \
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]2738 "$P_SRV" \
2739 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
2740 debug_level=3" \
2741 0 \
2742 -c "value of 'DHM: P ' (2048 bits)" \
2743 -c "value of 'DHM: G ' (2048 bits)"
2744
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2745run_test "DHM parameters: other parameters" \
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]2746 "$P_SRV dhm_file=data_files/dhparams.pem" \
2747 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
2748 debug_level=3" \
2749 0 \
2750 -c "value of 'DHM: P ' (1024 bits)" \
2751 -c "value of 'DHM: G ' (2 bits)"
2752
Manuel Pégourié-Gonnard7a010aa2015-06-12 11:19:10 +0200[diff] [blame]2753# Tests for DHM client-side size checking
2754
2755run_test "DHM size: server default, client default, OK" \
2756 "$P_SRV" \
2757 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
2758 debug_level=1" \
2759 0 \
2760 -C "DHM prime too short:"
2761
2762run_test "DHM size: server default, client 2048, OK" \
2763 "$P_SRV" \
2764 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
2765 debug_level=1 dhmlen=2048" \
2766 0 \
2767 -C "DHM prime too short:"
2768
2769run_test "DHM size: server 1024, client default, OK" \
2770 "$P_SRV dhm_file=data_files/dhparams.pem" \
2771 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
2772 debug_level=1" \
2773 0 \
2774 -C "DHM prime too short:"
2775
2776run_test "DHM size: server 1000, client default, rejected" \
2777 "$P_SRV dhm_file=data_files/dh.1000.pem" \
2778 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
2779 debug_level=1" \
2780 1 \
2781 -c "DHM prime too short:"
2782
2783run_test "DHM size: server default, client 2049, rejected" \
2784 "$P_SRV" \
2785 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
2786 debug_level=1 dhmlen=2049" \
2787 1 \
2788 -c "DHM prime too short:"
2789
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2790# Tests for PSK callback
2791
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2792run_test "PSK callback: psk, no callback" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2793 "$P_SRV psk=abc123 psk_identity=foo" \
2794 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2795 psk_identity=foo psk=abc123" \
2796 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]2797 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]2798 -S "SSL - Unknown identity received" \
2799 -S "SSL - Verification of the message MAC failed"
2800
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2801run_test "PSK callback: no psk, no callback" \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]2802 "$P_SRV" \
2803 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2804 psk_identity=foo psk=abc123" \
2805 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]2806 -s "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2807 -S "SSL - Unknown identity received" \
2808 -S "SSL - Verification of the message MAC failed"
2809
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2810run_test "PSK callback: callback overrides other settings" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2811 "$P_SRV psk=abc123 psk_identity=foo psk_list=abc,dead,def,beef" \
2812 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2813 psk_identity=foo psk=abc123" \
2814 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]2815 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2816 -s "SSL - Unknown identity received" \
2817 -S "SSL - Verification of the message MAC failed"
2818
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2819run_test "PSK callback: first id matches" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2820 "$P_SRV psk_list=abc,dead,def,beef" \
2821 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2822 psk_identity=abc psk=dead" \
2823 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]2824 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2825 -S "SSL - Unknown identity received" \
2826 -S "SSL - Verification of the message MAC failed"
2827
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2828run_test "PSK callback: second id matches" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2829 "$P_SRV psk_list=abc,dead,def,beef" \
2830 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2831 psk_identity=def psk=beef" \
2832 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]2833 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2834 -S "SSL - Unknown identity received" \
2835 -S "SSL - Verification of the message MAC failed"
2836
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2837run_test "PSK callback: no match" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2838 "$P_SRV psk_list=abc,dead,def,beef" \
2839 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2840 psk_identity=ghi psk=beef" \
2841 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]2842 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2843 -s "SSL - Unknown identity received" \
2844 -S "SSL - Verification of the message MAC failed"
2845
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2846run_test "PSK callback: wrong key" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2847 "$P_SRV psk_list=abc,dead,def,beef" \
2848 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2849 psk_identity=abc psk=beef" \
2850 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]2851 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2852 -S "SSL - Unknown identity received" \
2853 -s "SSL - Verification of the message MAC failed"
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]2854
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]2855# Tests for ciphersuites per version
2856
Janos Follath542ee5d2016-03-07 15:57:05 +0000[diff] [blame]2857requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2858run_test "Per-version suites: SSL3" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]2859 "$P_SRV min_version=ssl3 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]2860 "$P_CLI force_version=ssl3" \
2861 0 \
2862 -c "Ciphersuite is TLS-RSA-WITH-3DES-EDE-CBC-SHA"
2863
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2864run_test "Per-version suites: TLS 1.0" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]2865 "$P_SRV arc4=1 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]2866 "$P_CLI force_version=tls1 arc4=1" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]2867 0 \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]2868 -c "Ciphersuite is TLS-RSA-WITH-AES-256-CBC-SHA"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]2869
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2870run_test "Per-version suites: TLS 1.1" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]2871 "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]2872 "$P_CLI force_version=tls1_1" \
2873 0 \
2874 -c "Ciphersuite is TLS-RSA-WITH-AES-128-CBC-SHA"
2875
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2876run_test "Per-version suites: TLS 1.2" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]2877 "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]2878 "$P_CLI force_version=tls1_2" \
2879 0 \
2880 -c "Ciphersuite is TLS-RSA-WITH-AES-128-GCM-SHA256"
2881
Manuel Pégourié-Gonnard4cc8c632015-07-23 12:24:03 +0200[diff] [blame]2882# Test for ClientHello without extensions
2883
Manuel Pégourié-Gonnardd55bc202015-08-04 16:22:30 +0200[diff] [blame]2884requires_gnutls
Gilles Peskine7344e1b2017-05-12 13:16:40 +0200[diff] [blame]2885run_test "ClientHello without extensions, SHA-1 allowed" \
Manuel Pégourié-Gonnard4cc8c632015-07-23 12:24:03 +0200[diff] [blame]2886 "$P_SRV debug_level=3" \
2887 "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
2888 0 \
2889 -s "dumping 'client hello extensions' (0 bytes)"
2890
Gilles Peskine7344e1b2017-05-12 13:16:40 +0200[diff] [blame]2891requires_gnutls
2892run_test "ClientHello without extensions, SHA-1 forbidden in certificates on server" \
2893 "$P_SRV debug_level=3 key_file=data_files/server2.key crt_file=data_files/server2.crt allow_sha1=0" \
2894 "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
2895 0 \
2896 -s "dumping 'client hello extensions' (0 bytes)"
2897
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2898# Tests for mbedtls_ssl_get_bytes_avail()
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]2899
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2900run_test "mbedtls_ssl_get_bytes_avail: no extra data" \
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]2901 "$P_SRV" \
2902 "$P_CLI request_size=100" \
2903 0 \
2904 -s "Read from client: 100 bytes read$"
2905
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2906run_test "mbedtls_ssl_get_bytes_avail: extra data" \
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]2907 "$P_SRV" \
2908 "$P_CLI request_size=500" \
2909 0 \
2910 -s "Read from client: 500 bytes read (.*+.*)"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]2911
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]2912# Tests for small packets
2913
Janos Follath542ee5d2016-03-07 15:57:05 +0000[diff] [blame]2914requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]2915run_test "Small packet SSLv3 BlockCipher" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]2916 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]2917 "$P_CLI request_size=1 force_version=ssl3 \
2918 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
2919 0 \
2920 -s "Read from client: 1 bytes read"
2921
Janos Follath542ee5d2016-03-07 15:57:05 +0000[diff] [blame]2922requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]2923run_test "Small packet SSLv3 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]2924 "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]2925 "$P_CLI request_size=1 force_version=ssl3 \
2926 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
2927 0 \
2928 -s "Read from client: 1 bytes read"
2929
2930run_test "Small packet TLS 1.0 BlockCipher" \
2931 "$P_SRV" \
2932 "$P_CLI request_size=1 force_version=tls1 \
2933 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
2934 0 \
2935 -s "Read from client: 1 bytes read"
2936
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]2937run_test "Small packet TLS 1.0 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]2938 "$P_SRV" \
2939 "$P_CLI request_size=1 force_version=tls1 etm=0 \
2940 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
2941 0 \
2942 -s "Read from client: 1 bytes read"
2943
Hanno Beckera83fafa2017-11-10 08:42:54 +0000[diff] [blame]2944requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]2945run_test "Small packet TLS 1.0 BlockCipher, truncated MAC" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]2946 "$P_SRV" \
2947 "$P_CLI request_size=1 force_version=tls1 \
2948 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
2949 trunc_hmac=1" \
2950 0 \
2951 -s "Read from client: 1 bytes read"
2952
Hanno Beckera83fafa2017-11-10 08:42:54 +0000[diff] [blame]2953requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]2954run_test "Small packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
2955 "$P_SRV" \
2956 "$P_CLI request_size=1 force_version=tls1 \
2957 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
2958 trunc_hmac=1 \
2959 etm=0" \
2960 0 \
2961 -s "Read from client: 1 bytes read"
2962
2963run_test "Small packet TLS 1.0 StreamCipher" \
2964 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
2965 "$P_CLI request_size=1 force_version=tls1 \
2966 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
2967 0 \
2968 -s "Read from client: 1 bytes read"
2969
2970run_test "Small packet TLS 1.0 StreamCipher, without EtM" \
2971 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
2972 "$P_CLI request_size=1 force_version=tls1 \
2973 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
2974 etm=0" \
2975 0 \
2976 -s "Read from client: 1 bytes read"
2977
2978requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
2979run_test "Small packet TLS 1.0 StreamCipher, truncated MAC" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]2980 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]2981 "$P_CLI request_size=1 force_version=tls1 \
2982 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
2983 trunc_hmac=1" \
2984 0 \
2985 -s "Read from client: 1 bytes read"
2986
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]2987requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
2988run_test "Small packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
2989 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
2990 "$P_CLI request_size=1 force_version=tls1 \
2991 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
2992 trunc_hmac=1 \
2993 etm=0" \
2994 0 \
2995 -s "Read from client: 1 bytes read"
2996
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]2997run_test "Small packet TLS 1.1 BlockCipher" \
2998 "$P_SRV" \
2999 "$P_CLI request_size=1 force_version=tls1_1 \
3000 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3001 0 \
3002 -s "Read from client: 1 bytes read"
3003
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]3004run_test "Small packet TLS 1.1 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]3005 "$P_SRV" \
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]3006 "$P_CLI request_size=1 force_version=tls1_1 \
3007 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA
3008 etm=0" \
3009 0 \
3010 -s "Read from client: 1 bytes read"
3011
3012requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3013run_test "Small packet TLS 1.1 BlockCipher, truncated MAC" \
3014 "$P_SRV" \
3015 "$P_CLI request_size=1 force_version=tls1_1 \
3016 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3017 trunc_hmac=1" \
3018 0 \
3019 -s "Read from client: 1 bytes read"
3020
3021requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3022run_test "Small packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
3023 "$P_SRV" \
3024 "$P_CLI request_size=1 force_version=tls1_1 \
3025 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3026 trunc_hmac=1 \
3027 etm=0" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]3028 0 \
3029 -s "Read from client: 1 bytes read"
3030
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3031run_test "Small packet TLS 1.1 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3032 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3033 "$P_CLI request_size=1 force_version=tls1_1 \
3034 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3035 0 \
3036 -s "Read from client: 1 bytes read"
3037
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]3038run_test "Small packet TLS 1.1 StreamCipher, without EtM" \
3039 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3040 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]3041 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3042 etm=0" \
3043 0 \
3044 -s "Read from client: 1 bytes read"
3045
3046requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3047run_test "Small packet TLS 1.1 StreamCipher, truncated MAC" \
3048 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3049 "$P_CLI request_size=1 force_version=tls1_1 \
3050 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3051 trunc_hmac=1" \
3052 0 \
3053 -s "Read from client: 1 bytes read"
3054
Hanno Beckera83fafa2017-11-10 08:42:54 +0000[diff] [blame]3055requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]3056run_test "Small packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3057 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3058 "$P_CLI request_size=1 force_version=tls1_1 \
3059 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]3060 trunc_hmac=1 \
3061 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3062 0 \
3063 -s "Read from client: 1 bytes read"
3064
3065run_test "Small packet TLS 1.2 BlockCipher" \
3066 "$P_SRV" \
3067 "$P_CLI request_size=1 force_version=tls1_2 \
3068 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3069 0 \
3070 -s "Read from client: 1 bytes read"
3071
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]3072run_test "Small packet TLS 1.2 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]3073 "$P_SRV" \
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]3074 "$P_CLI request_size=1 force_version=tls1_2 \
3075 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3076 etm=0" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]3077 0 \
3078 -s "Read from client: 1 bytes read"
3079
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3080run_test "Small packet TLS 1.2 BlockCipher larger MAC" \
3081 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]3082 "$P_CLI request_size=1 force_version=tls1_2 \
3083 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3084 0 \
3085 -s "Read from client: 1 bytes read"
3086
Hanno Beckera83fafa2017-11-10 08:42:54 +0000[diff] [blame]3087requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]3088run_test "Small packet TLS 1.2 BlockCipher, truncated MAC" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3089 "$P_SRV" \
3090 "$P_CLI request_size=1 force_version=tls1_2 \
3091 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3092 trunc_hmac=1" \
3093 0 \
3094 -s "Read from client: 1 bytes read"
3095
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]3096requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3097run_test "Small packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
3098 "$P_SRV" \
3099 "$P_CLI request_size=1 force_version=tls1_2 \
3100 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3101 trunc_hmac=1 \
3102 etm=0" \
3103 0 \
3104 -s "Read from client: 1 bytes read"
3105
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3106run_test "Small packet TLS 1.2 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3107 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3108 "$P_CLI request_size=1 force_version=tls1_2 \
3109 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3110 0 \
3111 -s "Read from client: 1 bytes read"
3112
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]3113run_test "Small packet TLS 1.2 StreamCipher, without EtM" \
3114 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3115 "$P_CLI request_size=1 force_version=tls1_2 \
3116 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3117 etm=0" \
3118 0 \
3119 -s "Read from client: 1 bytes read"
3120
Hanno Beckera83fafa2017-11-10 08:42:54 +0000[diff] [blame]3121requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]3122run_test "Small packet TLS 1.2 StreamCipher, truncated MAC" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3123 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3124 "$P_CLI request_size=1 force_version=tls1_2 \
3125 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3126 trunc_hmac=1" \
3127 0 \
3128 -s "Read from client: 1 bytes read"
3129
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]3130requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3131run_test "Small packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
3132 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3133 "$P_CLI request_size=1 force_version=tls1_2 \
3134 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3135 trunc_hmac=1 \
3136 etm=0" \
3137 0 \
3138 -s "Read from client: 1 bytes read"
3139
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3140run_test "Small packet TLS 1.2 AEAD" \
3141 "$P_SRV" \
3142 "$P_CLI request_size=1 force_version=tls1_2 \
3143 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
3144 0 \
3145 -s "Read from client: 1 bytes read"
3146
3147run_test "Small packet TLS 1.2 AEAD shorter tag" \
3148 "$P_SRV" \
3149 "$P_CLI request_size=1 force_version=tls1_2 \
3150 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
3151 0 \
3152 -s "Read from client: 1 bytes read"
3153
Janos Follathb700c462016-05-06 13:48:23 +0100[diff] [blame]3154# A test for extensions in SSLv3
3155
3156requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
3157run_test "SSLv3 with extensions, server side" \
3158 "$P_SRV min_version=ssl3 debug_level=3" \
3159 "$P_CLI force_version=ssl3 tickets=1 max_frag_len=4096 alpn=abc,1234" \
3160 0 \
3161 -S "dumping 'client hello extensions'" \
3162 -S "server hello, total extension length:"
3163
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3164# Test for large packets
3165
Janos Follath542ee5d2016-03-07 15:57:05 +0000[diff] [blame]3166requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3167run_test "Large packet SSLv3 BlockCipher" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]3168 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]3169 "$P_CLI request_size=16384 force_version=ssl3 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3170 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3171 0 \
3172 -s "Read from client: 16384 bytes read"
3173
Janos Follath542ee5d2016-03-07 15:57:05 +0000[diff] [blame]3174requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3175run_test "Large packet SSLv3 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3176 "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3177 "$P_CLI request_size=16384 force_version=ssl3 \
3178 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3179 0 \
3180 -s "Read from client: 16384 bytes read"
3181
3182run_test "Large packet TLS 1.0 BlockCipher" \
3183 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]3184 "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3185 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3186 0 \
3187 -s "Read from client: 16384 bytes read"
3188
Hanno Becker0b9d9132017-11-10 09:16:28 +0000[diff] [blame^]3189run_test "Large packet TLS 1.0 BlockCipher, without EtM" \
3190 "$P_SRV" \
3191 "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \
3192 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3193 0 \
3194 -s "Read from client: 16384 bytes read"
3195
Hanno Beckera83fafa2017-11-10 08:42:54 +0000[diff] [blame]3196requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker0b9d9132017-11-10 09:16:28 +0000[diff] [blame^]3197run_test "Large packet TLS 1.0 BlockCipher, truncated MAC" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3198 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]3199 "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3200 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3201 trunc_hmac=1" \
3202 0 \
3203 -s "Read from client: 16384 bytes read"
3204
Hanno Beckera83fafa2017-11-10 08:42:54 +0000[diff] [blame]3205requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker0b9d9132017-11-10 09:16:28 +0000[diff] [blame^]3206run_test "Large packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
3207 "$P_SRV" \
3208 "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \
3209 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3210 trunc_hmac=1" \
3211 0 \
3212 -s "Read from client: 16384 bytes read"
3213
3214run_test "Large packet TLS 1.0 StreamCipher" \
3215 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3216 "$P_CLI request_size=16384 force_version=tls1 \
3217 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3218 0 \
3219 -s "Read from client: 16384 bytes read"
3220
3221run_test "Large packet TLS 1.0 StreamCipher, without EtM" \
3222 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3223 "$P_CLI request_size=16384 force_version=tls1 \
3224 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3225 etm=0" \
3226 0 \
3227 -s "Read from client: 16384 bytes read"
3228
3229requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3230run_test "Large packet TLS 1.0 StreamCipher, truncated MAC" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3231 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3232 "$P_CLI request_size=16384 force_version=tls1 \
3233 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3234 trunc_hmac=1" \
3235 0 \
3236 -s "Read from client: 16384 bytes read"
3237
Hanno Becker0b9d9132017-11-10 09:16:28 +0000[diff] [blame^]3238requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3239run_test "Large packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
3240 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3241 "$P_CLI request_size=16384 force_version=tls1 \
3242 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3243 trunc_hmac=1 etm=0" \
3244 0 \
3245 -s "Read from client: 16384 bytes read"
3246
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3247run_test "Large packet TLS 1.1 BlockCipher" \
3248 "$P_SRV" \
3249 "$P_CLI request_size=16384 force_version=tls1_1 \
3250 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3251 0 \
3252 -s "Read from client: 16384 bytes read"
3253
Hanno Becker0b9d9132017-11-10 09:16:28 +0000[diff] [blame^]3254run_test "Large packet TLS 1.1 BlockCipher, without EtM" \
3255 "$P_SRV" \
3256 "$P_CLI request_size=16384 force_version=tls1_1 etm=0 \
3257 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3258 0 \
3259 -s "Read from client: 16384 bytes read"
3260
Hanno Beckera83fafa2017-11-10 08:42:54 +0000[diff] [blame]3261requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker0b9d9132017-11-10 09:16:28 +0000[diff] [blame^]3262run_test "Large packet TLS 1.1 BlockCipher, truncated MAC" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3263 "$P_SRV" \
3264 "$P_CLI request_size=16384 force_version=tls1_1 \
3265 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3266 trunc_hmac=1" \
3267 0 \
3268 -s "Read from client: 16384 bytes read"
3269
Hanno Beckera83fafa2017-11-10 08:42:54 +0000[diff] [blame]3270requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker0b9d9132017-11-10 09:16:28 +0000[diff] [blame^]3271run_test "Large packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
3272 "$P_SRV" \
3273 "$P_CLI request_size=16384 force_version=tls1_1 \
3274 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3275 trunc_hmac=1 etm=0" \
3276 0 \
3277 -s "Read from client: 16384 bytes read"
3278
3279run_test "Large packet TLS 1.1 StreamCipher" \
3280 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3281 "$P_CLI request_size=16384 force_version=tls1_1 \
3282 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3283 0 \
3284 -s "Read from client: 16384 bytes read"
3285
3286run_test "Large packet TLS 1.1 StreamCipher, without EtM" \
3287 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3288 "$P_CLI request_size=16384 force_version=tls1_1 \
3289 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3290 etm=0" \
3291 0 \
3292 -s "Read from client: 16384 bytes read"
3293
3294requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3295run_test "Large packet TLS 1.1 StreamCipher, truncated MAC" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3296 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3297 "$P_CLI request_size=16384 force_version=tls1_1 \
3298 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3299 trunc_hmac=1" \
3300 0 \
3301 -s "Read from client: 16384 bytes read"
3302
Hanno Becker0b9d9132017-11-10 09:16:28 +0000[diff] [blame^]3303requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3304run_test "Large packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
3305 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3306 "$P_CLI request_size=16384 force_version=tls1_1 \
3307 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3308 trunc_hmac=1 etm=0" \
3309 0 \
3310 -s "Read from client: 16384 bytes read"
3311
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3312run_test "Large packet TLS 1.2 BlockCipher" \
3313 "$P_SRV" \
3314 "$P_CLI request_size=16384 force_version=tls1_2 \
3315 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3316 0 \
3317 -s "Read from client: 16384 bytes read"
3318
Hanno Becker0b9d9132017-11-10 09:16:28 +0000[diff] [blame^]3319run_test "Large packet TLS 1.2 BlockCipher, without EtM" \
3320 "$P_SRV" \
3321 "$P_CLI request_size=16384 force_version=tls1_2 etm=0 \
3322 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3323 0 \
3324 -s "Read from client: 16384 bytes read"
3325
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3326run_test "Large packet TLS 1.2 BlockCipher larger MAC" \
3327 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]3328 "$P_CLI request_size=16384 force_version=tls1_2 \
3329 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3330 0 \
3331 -s "Read from client: 16384 bytes read"
3332
Hanno Beckera83fafa2017-11-10 08:42:54 +0000[diff] [blame]3333requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker0b9d9132017-11-10 09:16:28 +0000[diff] [blame^]3334run_test "Large packet TLS 1.2 BlockCipher, truncated MAC" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3335 "$P_SRV" \
3336 "$P_CLI request_size=16384 force_version=tls1_2 \
3337 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3338 trunc_hmac=1" \
3339 0 \
3340 -s "Read from client: 16384 bytes read"
3341
Hanno Becker0b9d9132017-11-10 09:16:28 +0000[diff] [blame^]3342requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3343run_test "Large packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
3344 "$P_SRV" \
3345 "$P_CLI request_size=16384 force_version=tls1_2 \
3346 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3347 trunc_hmac=1 etm=0" \
3348 0 \
3349 -s "Read from client: 16384 bytes read"
3350
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3351run_test "Large packet TLS 1.2 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3352 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3353 "$P_CLI request_size=16384 force_version=tls1_2 \
3354 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3355 0 \
3356 -s "Read from client: 16384 bytes read"
3357
Hanno Becker0b9d9132017-11-10 09:16:28 +0000[diff] [blame^]3358run_test "Large packet TLS 1.2 StreamCipher, without EtM" \
3359 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3360 "$P_CLI request_size=16384 force_version=tls1_2 \
3361 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
3362 0 \
3363 -s "Read from client: 16384 bytes read"
3364
Hanno Beckera83fafa2017-11-10 08:42:54 +0000[diff] [blame]3365requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker0b9d9132017-11-10 09:16:28 +0000[diff] [blame^]3366run_test "Large packet TLS 1.2 StreamCipher, truncated MAC" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3367 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3368 "$P_CLI request_size=16384 force_version=tls1_2 \
3369 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3370 trunc_hmac=1" \
3371 0 \
3372 -s "Read from client: 16384 bytes read"
3373
Hanno Becker0b9d9132017-11-10 09:16:28 +0000[diff] [blame^]3374requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3375run_test "Large packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
3376 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3377 "$P_CLI request_size=16384 force_version=tls1_2 \
3378 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3379 trunc_hmac=1 etm=0" \
3380 0 \
3381 -s "Read from client: 16384 bytes read"
3382
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3383run_test "Large packet TLS 1.2 AEAD" \
3384 "$P_SRV" \
3385 "$P_CLI request_size=16384 force_version=tls1_2 \
3386 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
3387 0 \
3388 -s "Read from client: 16384 bytes read"
3389
3390run_test "Large packet TLS 1.2 AEAD shorter tag" \
3391 "$P_SRV" \
3392 "$P_CLI request_size=16384 force_version=tls1_2 \
3393 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
3394 0 \
3395 -s "Read from client: 16384 bytes read"
3396
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]3397# Tests for DTLS HelloVerifyRequest
3398
3399run_test "DTLS cookie: enabled" \
3400 "$P_SRV dtls=1 debug_level=2" \
3401 "$P_CLI dtls=1 debug_level=2" \
3402 0 \
3403 -s "cookie verification failed" \
3404 -s "cookie verification passed" \
3405 -S "cookie verification skipped" \
3406 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]3407 -s "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]3408 -S "SSL - The requested feature is not available"
3409
3410run_test "DTLS cookie: disabled" \
3411 "$P_SRV dtls=1 debug_level=2 cookies=0" \
3412 "$P_CLI dtls=1 debug_level=2" \
3413 0 \
3414 -S "cookie verification failed" \
3415 -S "cookie verification passed" \
3416 -s "cookie verification skipped" \
3417 -C "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]3418 -S "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]3419 -S "SSL - The requested feature is not available"
3420
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]3421run_test "DTLS cookie: default (failing)" \
3422 "$P_SRV dtls=1 debug_level=2 cookies=-1" \
3423 "$P_CLI dtls=1 debug_level=2 hs_timeout=100-400" \
3424 1 \
3425 -s "cookie verification failed" \
3426 -S "cookie verification passed" \
3427 -S "cookie verification skipped" \
3428 -C "received hello verify request" \
3429 -S "hello verification requested" \
3430 -s "SSL - The requested feature is not available"
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]3431
3432requires_ipv6
3433run_test "DTLS cookie: enabled, IPv6" \
3434 "$P_SRV dtls=1 debug_level=2 server_addr=::1" \
3435 "$P_CLI dtls=1 debug_level=2 server_addr=::1" \
3436 0 \
3437 -s "cookie verification failed" \
3438 -s "cookie verification passed" \
3439 -S "cookie verification skipped" \
3440 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]3441 -s "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]3442 -S "SSL - The requested feature is not available"
3443
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +0200[diff] [blame]3444run_test "DTLS cookie: enabled, nbio" \
3445 "$P_SRV dtls=1 nbio=2 debug_level=2" \
3446 "$P_CLI dtls=1 nbio=2 debug_level=2" \
3447 0 \
3448 -s "cookie verification failed" \
3449 -s "cookie verification passed" \
3450 -S "cookie verification skipped" \
3451 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]3452 -s "hello verification requested" \
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +0200[diff] [blame]3453 -S "SSL - The requested feature is not available"
3454
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3455# Tests for client reconnecting from the same port with DTLS
3456
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3457not_with_valgrind # spurious resend
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3458run_test "DTLS client reconnect from same port: reference" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3459 "$P_SRV dtls=1 exchanges=2 read_timeout=1000" \
3460 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3461 0 \
3462 -C "resend" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3463 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3464 -S "Client initiated reconnection from same port"
3465
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3466not_with_valgrind # spurious resend
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3467run_test "DTLS client reconnect from same port: reconnect" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3468 "$P_SRV dtls=1 exchanges=2 read_timeout=1000" \
3469 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3470 0 \
3471 -C "resend" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3472 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3473 -s "Client initiated reconnection from same port"
3474
Paul Bakker3b224ff2016-05-13 10:33:25 +0100[diff] [blame]3475not_with_valgrind # server/client too slow to respond in time (next test has higher timeouts)
3476run_test "DTLS client reconnect from same port: reconnect, nbio, no valgrind" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3477 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 nbio=2" \
3478 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3479 0 \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3480 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3481 -s "Client initiated reconnection from same port"
3482
Paul Bakker3b224ff2016-05-13 10:33:25 +0100[diff] [blame]3483only_with_valgrind # Only with valgrind, do previous test but with higher read_timeout and hs_timeout
3484run_test "DTLS client reconnect from same port: reconnect, nbio, valgrind" \
3485 "$P_SRV dtls=1 exchanges=2 read_timeout=2000 nbio=2 hs_timeout=1500-6000" \
3486 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=1500-3000 reconnect_hard=1" \
3487 0 \
3488 -S "The operation timed out" \
3489 -s "Client initiated reconnection from same port"
3490
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3491run_test "DTLS client reconnect from same port: no cookies" \
3492 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 cookies=0" \
Manuel Pégourié-Gonnard6ad23b92015-09-15 12:57:46 +0200[diff] [blame]3493 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-8000 reconnect_hard=1" \
3494 0 \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3495 -s "The operation timed out" \
3496 -S "Client initiated reconnection from same port"
3497
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]3498# Tests for various cases of client authentication with DTLS
3499# (focused on handshake flows and message parsing)
3500
3501run_test "DTLS client auth: required" \
3502 "$P_SRV dtls=1 auth_mode=required" \
3503 "$P_CLI dtls=1" \
3504 0 \
3505 -s "Verifying peer X.509 certificate... ok"
3506
3507run_test "DTLS client auth: optional, client has no cert" \
3508 "$P_SRV dtls=1 auth_mode=optional" \
3509 "$P_CLI dtls=1 crt_file=none key_file=none" \
3510 0 \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3511 -s "! Certificate was missing"
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]3512
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3513run_test "DTLS client auth: none, client has no cert" \
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]3514 "$P_SRV dtls=1 auth_mode=none" \
3515 "$P_CLI dtls=1 crt_file=none key_file=none debug_level=2" \
3516 0 \
3517 -c "skip write certificate$" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3518 -s "! Certificate verification was skipped"
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]3519
Manuel Pégourié-Gonnard0a885742015-08-04 12:08:35 +0200[diff] [blame]3520run_test "DTLS wrong PSK: badmac alert" \
3521 "$P_SRV dtls=1 psk=abc123 force_ciphersuite=TLS-PSK-WITH-AES-128-GCM-SHA256" \
3522 "$P_CLI dtls=1 psk=abc124" \
3523 1 \
3524 -s "SSL - Verification of the message MAC failed" \
3525 -c "SSL - A fatal alert message was received from our peer"
3526
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]3527# Tests for receiving fragmented handshake messages with DTLS
3528
3529requires_gnutls
3530run_test "DTLS reassembly: no fragmentation (gnutls server)" \
3531 "$G_SRV -u --mtu 2048 -a" \
3532 "$P_CLI dtls=1 debug_level=2" \
3533 0 \
3534 -C "found fragmented DTLS handshake message" \
3535 -C "error"
3536
3537requires_gnutls
3538run_test "DTLS reassembly: some fragmentation (gnutls server)" \
3539 "$G_SRV -u --mtu 512" \
3540 "$P_CLI dtls=1 debug_level=2" \
3541 0 \
3542 -c "found fragmented DTLS handshake message" \
3543 -C "error"
3544
3545requires_gnutls
3546run_test "DTLS reassembly: more fragmentation (gnutls server)" \
3547 "$G_SRV -u --mtu 128" \
3548 "$P_CLI dtls=1 debug_level=2" \
3549 0 \
3550 -c "found fragmented DTLS handshake message" \
3551 -C "error"
3552
3553requires_gnutls
3554run_test "DTLS reassembly: more fragmentation, nbio (gnutls server)" \
3555 "$G_SRV -u --mtu 128" \
3556 "$P_CLI dtls=1 nbio=2 debug_level=2" \
3557 0 \
3558 -c "found fragmented DTLS handshake message" \
3559 -C "error"
3560
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]3561requires_gnutls
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]3562run_test "DTLS reassembly: fragmentation, renego (gnutls server)" \
3563 "$G_SRV -u --mtu 256" \
3564 "$P_CLI debug_level=3 dtls=1 renegotiation=1 renegotiate=1" \
3565 0 \
3566 -c "found fragmented DTLS handshake message" \
3567 -c "client hello, adding renegotiation extension" \
3568 -c "found renegotiation extension" \
3569 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3570 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]3571 -C "error" \
3572 -s "Extra-header:"
3573
3574requires_gnutls
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]3575run_test "DTLS reassembly: fragmentation, nbio, renego (gnutls server)" \
3576 "$G_SRV -u --mtu 256" \
3577 "$P_CLI debug_level=3 nbio=2 dtls=1 renegotiation=1 renegotiate=1" \
3578 0 \
3579 -c "found fragmented DTLS handshake message" \
3580 -c "client hello, adding renegotiation extension" \
3581 -c "found renegotiation extension" \
3582 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3583 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]3584 -C "error" \
3585 -s "Extra-header:"
3586
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]3587run_test "DTLS reassembly: no fragmentation (openssl server)" \
3588 "$O_SRV -dtls1 -mtu 2048" \
3589 "$P_CLI dtls=1 debug_level=2" \
3590 0 \
3591 -C "found fragmented DTLS handshake message" \
3592 -C "error"
3593
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3594run_test "DTLS reassembly: some fragmentation (openssl server)" \
3595 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]3596 "$P_CLI dtls=1 debug_level=2" \
3597 0 \
3598 -c "found fragmented DTLS handshake message" \
3599 -C "error"
3600
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3601run_test "DTLS reassembly: more fragmentation (openssl server)" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]3602 "$O_SRV -dtls1 -mtu 256" \
3603 "$P_CLI dtls=1 debug_level=2" \
3604 0 \
3605 -c "found fragmented DTLS handshake message" \
3606 -C "error"
3607
3608run_test "DTLS reassembly: fragmentation, nbio (openssl server)" \
3609 "$O_SRV -dtls1 -mtu 256" \
3610 "$P_CLI dtls=1 nbio=2 debug_level=2" \
3611 0 \
3612 -c "found fragmented DTLS handshake message" \
3613 -C "error"
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]3614
Manuel Pégourié-Gonnard7a66cbc2014-09-26 16:31:46 +0200[diff] [blame]3615# Tests for specific things with "unreliable" UDP connection
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]3616
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3617not_with_valgrind # spurious resend due to timeout
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]3618run_test "DTLS proxy: reference" \
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]3619 -p "$P_PXY" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3620 "$P_SRV dtls=1 debug_level=2" \
3621 "$P_CLI dtls=1 debug_level=2" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]3622 0 \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]3623 -C "replayed record" \
3624 -S "replayed record" \
3625 -C "record from another epoch" \
3626 -S "record from another epoch" \
3627 -C "discarding invalid record" \
3628 -S "discarding invalid record" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3629 -S "resend" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]3630 -s "Extra-header:" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]3631 -c "HTTP/1.0 200 OK"
3632
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3633not_with_valgrind # spurious resend due to timeout
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +0200[diff] [blame]3634run_test "DTLS proxy: duplicate every packet" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]3635 -p "$P_PXY duplicate=1" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3636 "$P_SRV dtls=1 debug_level=2" \
3637 "$P_CLI dtls=1 debug_level=2" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]3638 0 \
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +0200[diff] [blame]3639 -c "replayed record" \
3640 -s "replayed record" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]3641 -c "discarding invalid record" \
3642 -s "discarding invalid record" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3643 -S "resend" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]3644 -s "Extra-header:" \
3645 -c "HTTP/1.0 200 OK"
3646
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +0200[diff] [blame]3647run_test "DTLS proxy: duplicate every packet, server anti-replay off" \
3648 -p "$P_PXY duplicate=1" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3649 "$P_SRV dtls=1 debug_level=2 anti_replay=0" \
3650 "$P_CLI dtls=1 debug_level=2" \
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +0200[diff] [blame]3651 0 \
3652 -c "replayed record" \
3653 -S "replayed record" \
3654 -c "discarding invalid record" \
3655 -s "discarding invalid record" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3656 -c "resend" \
3657 -s "resend" \
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +0200[diff] [blame]3658 -s "Extra-header:" \
3659 -c "HTTP/1.0 200 OK"
3660
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]3661run_test "DTLS proxy: inject invalid AD record, default badmac_limit" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]3662 -p "$P_PXY bad_ad=1" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]3663 "$P_SRV dtls=1 debug_level=1" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]3664 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3665 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]3666 -c "discarding invalid record (mac)" \
3667 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3668 -s "Extra-header:" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]3669 -c "HTTP/1.0 200 OK" \
3670 -S "too many records with bad MAC" \
3671 -S "Verification of the message MAC failed"
3672
3673run_test "DTLS proxy: inject invalid AD record, badmac_limit 1" \
3674 -p "$P_PXY bad_ad=1" \
3675 "$P_SRV dtls=1 debug_level=1 badmac_limit=1" \
3676 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
3677 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]3678 -C "discarding invalid record (mac)" \
3679 -S "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]3680 -S "Extra-header:" \
3681 -C "HTTP/1.0 200 OK" \
3682 -s "too many records with bad MAC" \
3683 -s "Verification of the message MAC failed"
3684
3685run_test "DTLS proxy: inject invalid AD record, badmac_limit 2" \
3686 -p "$P_PXY bad_ad=1" \
3687 "$P_SRV dtls=1 debug_level=1 badmac_limit=2" \
3688 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
3689 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]3690 -c "discarding invalid record (mac)" \
3691 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]3692 -s "Extra-header:" \
3693 -c "HTTP/1.0 200 OK" \
3694 -S "too many records with bad MAC" \
3695 -S "Verification of the message MAC failed"
3696
3697run_test "DTLS proxy: inject invalid AD record, badmac_limit 2, exchanges 2"\
3698 -p "$P_PXY bad_ad=1" \
3699 "$P_SRV dtls=1 debug_level=1 badmac_limit=2 exchanges=2" \
3700 "$P_CLI dtls=1 debug_level=1 read_timeout=100 exchanges=2" \
3701 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]3702 -c "discarding invalid record (mac)" \
3703 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]3704 -s "Extra-header:" \
3705 -c "HTTP/1.0 200 OK" \
3706 -s "too many records with bad MAC" \
3707 -s "Verification of the message MAC failed"
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3708
3709run_test "DTLS proxy: delay ChangeCipherSpec" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]3710 -p "$P_PXY delay_ccs=1" \
3711 "$P_SRV dtls=1 debug_level=1" \
3712 "$P_CLI dtls=1 debug_level=1" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3713 0 \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]3714 -c "record from another epoch" \
3715 -s "record from another epoch" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3716 -c "discarding invalid record" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]3717 -s "discarding invalid record" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3718 -s "Extra-header:" \
3719 -c "HTTP/1.0 200 OK"
3720
Manuel Pégourié-Gonnard7a66cbc2014-09-26 16:31:46 +0200[diff] [blame]3721# Tests for "randomly unreliable connection": try a variety of flows and peers
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3722
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3723needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3724run_test "DTLS proxy: 3d (drop, delay, duplicate), \"short\" PSK handshake" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3725 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3726 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
3727 psk=abc123" \
3728 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3729 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
3730 0 \
3731 -s "Extra-header:" \
3732 -c "HTTP/1.0 200 OK"
3733
3734needs_more_time 2
3735run_test "DTLS proxy: 3d, \"short\" RSA handshake" \
3736 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3737 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none" \
3738 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3739 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
3740 0 \
3741 -s "Extra-header:" \
3742 -c "HTTP/1.0 200 OK"
3743
3744needs_more_time 2
3745run_test "DTLS proxy: 3d, \"short\" (no ticket, no cli_auth) FS handshake" \
3746 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3747 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none" \
3748 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3749 0 \
3750 -s "Extra-header:" \
3751 -c "HTTP/1.0 200 OK"
3752
3753needs_more_time 2
3754run_test "DTLS proxy: 3d, FS, client auth" \
3755 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3756 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=required" \
3757 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3758 0 \
3759 -s "Extra-header:" \
3760 -c "HTTP/1.0 200 OK"
3761
3762needs_more_time 2
3763run_test "DTLS proxy: 3d, FS, ticket" \
3764 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3765 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=1 auth_mode=none" \
3766 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=1" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3767 0 \
3768 -s "Extra-header:" \
3769 -c "HTTP/1.0 200 OK"
3770
3771needs_more_time 2
3772run_test "DTLS proxy: 3d, max handshake (FS, ticket + client auth)" \
3773 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3774 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=1 auth_mode=required" \
3775 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=1" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3776 0 \
3777 -s "Extra-header:" \
3778 -c "HTTP/1.0 200 OK"
3779
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3780needs_more_time 2
3781run_test "DTLS proxy: 3d, max handshake, nbio" \
3782 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3783 "$P_SRV dtls=1 hs_timeout=250-10000 nbio=2 tickets=1 \
3784 auth_mode=required" \
3785 "$P_CLI dtls=1 hs_timeout=250-10000 nbio=2 tickets=1" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3786 0 \
3787 -s "Extra-header:" \
3788 -c "HTTP/1.0 200 OK"
3789
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +0200[diff] [blame]3790needs_more_time 4
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +0200[diff] [blame]3791run_test "DTLS proxy: 3d, min handshake, resumption" \
3792 -p "$P_PXY drop=5 delay=5 duplicate=5" \
3793 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
3794 psk=abc123 debug_level=3" \
3795 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
3796 debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
3797 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
3798 0 \
3799 -s "a session has been resumed" \
3800 -c "a session has been resumed" \
3801 -s "Extra-header:" \
3802 -c "HTTP/1.0 200 OK"
3803
3804needs_more_time 4
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +0200[diff] [blame]3805run_test "DTLS proxy: 3d, min handshake, resumption, nbio" \
3806 -p "$P_PXY drop=5 delay=5 duplicate=5" \
3807 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
3808 psk=abc123 debug_level=3 nbio=2" \
3809 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
3810 debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
3811 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 nbio=2" \
3812 0 \
3813 -s "a session has been resumed" \
3814 -c "a session has been resumed" \
3815 -s "Extra-header:" \
3816 -c "HTTP/1.0 200 OK"
3817
3818needs_more_time 4
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3819run_test "DTLS proxy: 3d, min handshake, client-initiated renego" \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +0200[diff] [blame]3820 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3821 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
3822 psk=abc123 renegotiation=1 debug_level=2" \
3823 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
3824 renegotiate=1 debug_level=2 \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +0200[diff] [blame]3825 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
3826 0 \
3827 -c "=> renegotiate" \
3828 -s "=> renegotiate" \
3829 -s "Extra-header:" \
3830 -c "HTTP/1.0 200 OK"
3831
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3832needs_more_time 4
3833run_test "DTLS proxy: 3d, min handshake, client-initiated renego, nbio" \
3834 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3835 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
3836 psk=abc123 renegotiation=1 debug_level=2" \
3837 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
3838 renegotiate=1 debug_level=2 \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3839 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
3840 0 \
3841 -c "=> renegotiate" \
3842 -s "=> renegotiate" \
3843 -s "Extra-header:" \
3844 -c "HTTP/1.0 200 OK"
3845
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]3846needs_more_time 4
3847run_test "DTLS proxy: 3d, min handshake, server-initiated renego" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]3848 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]3849 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]3850 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]3851 debug_level=2" \
3852 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]3853 renegotiation=1 exchanges=4 debug_level=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]3854 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
3855 0 \
3856 -c "=> renegotiate" \
3857 -s "=> renegotiate" \
3858 -s "Extra-header:" \
3859 -c "HTTP/1.0 200 OK"
3860
3861needs_more_time 4
3862run_test "DTLS proxy: 3d, min handshake, server-initiated renego, nbio" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]3863 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]3864 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]3865 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]3866 debug_level=2 nbio=2" \
3867 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]3868 renegotiation=1 exchanges=4 debug_level=2 nbio=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]3869 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
3870 0 \
3871 -c "=> renegotiate" \
3872 -s "=> renegotiate" \
3873 -s "Extra-header:" \
3874 -c "HTTP/1.0 200 OK"
3875
Manuel Pégourié-Gonnard127ab882014-10-09 17:59:32 +0200[diff] [blame]3876needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]3877not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]3878run_test "DTLS proxy: 3d, openssl server" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]3879 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
3880 "$O_SRV -dtls1 -mtu 2048" \
Manuel Pégourié-Gonnard8fe411e2015-03-09 16:09:53 +0000[diff] [blame]3881 "$P_CLI dtls=1 hs_timeout=250-60000 tickets=0" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]3882 0 \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]3883 -c "HTTP/1.0 200 OK"
3884
Manuel Pégourié-Gonnard22404862015-05-14 12:11:45 +0200[diff] [blame]3885needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]3886not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]3887run_test "DTLS proxy: 3d, openssl server, fragmentation" \
3888 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
3889 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnard8fe411e2015-03-09 16:09:53 +0000[diff] [blame]3890 "$P_CLI dtls=1 hs_timeout=250-60000 tickets=0" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]3891 0 \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]3892 -c "HTTP/1.0 200 OK"
3893
Manuel Pégourié-Gonnard22404862015-05-14 12:11:45 +0200[diff] [blame]3894needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]3895not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3896run_test "DTLS proxy: 3d, openssl server, fragmentation, nbio" \
3897 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
3898 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnard8fe411e2015-03-09 16:09:53 +0000[diff] [blame]3899 "$P_CLI dtls=1 hs_timeout=250-60000 nbio=2 tickets=0" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3900 0 \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3901 -c "HTTP/1.0 200 OK"
3902
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]3903requires_gnutls
Manuel Pégourié-Gonnard127ab882014-10-09 17:59:32 +0200[diff] [blame]3904needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]3905not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]3906run_test "DTLS proxy: 3d, gnutls server" \
3907 -p "$P_PXY drop=5 delay=5 duplicate=5" \
3908 "$G_SRV -u --mtu 2048 -a" \
Manuel Pégourié-Gonnardf1384472014-10-14 22:57:46 +0200[diff] [blame]3909 "$P_CLI dtls=1 hs_timeout=250-60000" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]3910 0 \
3911 -s "Extra-header:" \
3912 -c "Extra-header:"
3913
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]3914requires_gnutls
Manuel Pégourié-Gonnard22404862015-05-14 12:11:45 +0200[diff] [blame]3915needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]3916not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]3917run_test "DTLS proxy: 3d, gnutls server, fragmentation" \
3918 -p "$P_PXY drop=5 delay=5 duplicate=5" \
3919 "$G_SRV -u --mtu 512" \
Manuel Pégourié-Gonnardf1384472014-10-14 22:57:46 +0200[diff] [blame]3920 "$P_CLI dtls=1 hs_timeout=250-60000" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]3921 0 \
3922 -s "Extra-header:" \
3923 -c "Extra-header:"
3924
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]3925requires_gnutls
Manuel Pégourié-Gonnard22404862015-05-14 12:11:45 +0200[diff] [blame]3926needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]3927not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3928run_test "DTLS proxy: 3d, gnutls server, fragmentation, nbio" \
3929 -p "$P_PXY drop=5 delay=5 duplicate=5" \
3930 "$G_SRV -u --mtu 512" \
Manuel Pégourié-Gonnardf1384472014-10-14 22:57:46 +0200[diff] [blame]3931 "$P_CLI dtls=1 hs_timeout=250-60000 nbio=2" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3932 0 \
3933 -s "Extra-header:" \
3934 -c "Extra-header:"
3935
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3936# Final report
3937
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]3938echo "------------------------------------------------------------------------"
3939
3940if [ $FAILS = 0 ]; then
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]3941 printf "PASSED"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]3942else
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]3943 printf "FAILED"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]3944fi
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]3945PASSES=$(( $TESTS - $FAILS ))
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]3946echo " ($PASSES / $TESTS tests ($SKIPS skipped))"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]3947
3948exit $FAILS