TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 0d225daf7d19249e7aab0eada2baefa73c8e04f2 / . / tests / ssl-opt.sh
blob: d4e82aec94d7a3cd33eb546465fdabf4be7d03fa [file] [log] [blame]
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1#!/bin/sh
2
Simon Butcher58eddef2016-05-19 23:43:11 +0100[diff] [blame]3# ssl-opt.sh
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]4#
Simon Butcher58eddef2016-05-19 23:43:11 +0100[diff] [blame]5# This file is part of mbed TLS (https://tls.mbed.org)
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]6#
Simon Butcher58eddef2016-05-19 23:43:11 +0100[diff] [blame]7# Copyright (c) 2016, ARM Limited, All Rights Reserved
8#
9# Purpose
10#
11# Executes tests to prove various TLS/SSL options and extensions.
12#
13# The goal is not to cover every ciphersuite/version, but instead to cover
14# specific options (max fragment length, truncated hmac, etc) or procedures
15# (session resumption from cache or ticket, renego, etc).
16#
17# The tests assume a build with default options, with exceptions expressed
18# with a dependency. The tests focus on functionality and do not consider
19# performance.
20#
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]21
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]22set -u
23
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]24# default values, can be overriden by the environment
25: ${P_SRV:=../programs/ssl/ssl_server2}
26: ${P_CLI:=../programs/ssl/ssl_client2}
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]27: ${P_PXY:=../programs/test/udp_proxy}
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]28: ${OPENSSL_CMD:=openssl} # OPENSSL would conflict with the build system
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]29: ${GNUTLS_CLI:=gnutls-cli}
30: ${GNUTLS_SERV:=gnutls-serv}
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]31: ${PERL:=perl}
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]32
Manuel Pégourié-Gonnardfa60f122014-09-26 16:07:29 +0200[diff] [blame]33O_SRV="$OPENSSL_CMD s_server -www -cert data_files/server5.crt -key data_files/server5.key"
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]34O_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_CMD s_client"
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]35G_SRV="$GNUTLS_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]36G_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_CLI --x509cafile data_files/test-ca_cat12.crt"
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]37TCP_CLIENT="$PERL scripts/tcp_client.pl"
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]38
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]39TESTS=0
40FAILS=0
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]41SKIPS=0
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]42
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]43CONFIG_H='../include/mbedtls/config.h'
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]44
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]45MEMCHECK=0
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]46FILTER='.*'
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]47EXCLUDE='^$'
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]48
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]49SHOW_TEST_NUMBER=0
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]50RUN_TEST_NUMBER=''
51
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]52PRESERVE_LOGS=0
53
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]54# Pick a "unique" server port in the range 10000-19999, and a proxy
55# port which is this plus 10000. Each port number may be independently
56# overridden by a command line option.
57SRV_PORT=$(($$ % 10000 + 10000))
58PXY_PORT=$((SRV_PORT + 10000))
59
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]60print_usage() {
61 echo "Usage: $0 [options]"
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]62 printf " -h|--help\tPrint this help.\n"
63 printf " -m|--memcheck\tCheck memory leaks and errors.\n"
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]64 printf " -f|--filter\tOnly matching tests are executed (BRE; default: '$FILTER')\n"
65 printf " -e|--exclude\tMatching tests are excluded (BRE; default: '$EXCLUDE')\n"
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]66 printf " -n|--number\tExecute only numbered test (comma-separated, e.g. '245,256')\n"
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]67 printf " -s|--show-numbers\tShow test numbers in front of test names\n"
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]68 printf " -p|--preserve-logs\tPreserve logs of successful tests as well\n"
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]69 printf " --port\tTCP/UDP port (default: randomish 1xxxx)\n"
70 printf " --proxy-port\tTCP/UDP proxy port (default: randomish 2xxxx)\n"
Andres AGf04f54d2016-10-10 15:46:20 +0100[diff] [blame]71 printf " --seed\tInteger seed value to use for this test run\n"
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]72}
73
74get_options() {
75 while [ $# -gt 0 ]; do
76 case "$1" in
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]77 -f|--filter)
78 shift; FILTER=$1
79 ;;
80 -e|--exclude)
81 shift; EXCLUDE=$1
82 ;;
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]83 -m|--memcheck)
84 MEMCHECK=1
85 ;;
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]86 -n|--number)
87 shift; RUN_TEST_NUMBER=$1
88 ;;
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]89 -s|--show-numbers)
90 SHOW_TEST_NUMBER=1
91 ;;
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]92 -p|--preserve-logs)
93 PRESERVE_LOGS=1
94 ;;
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]95 --port)
96 shift; SRV_PORT=$1
97 ;;
98 --proxy-port)
99 shift; PXY_PORT=$1
100 ;;
Andres AGf04f54d2016-10-10 15:46:20 +0100[diff] [blame]101 --seed)
102 shift; SEED="$1"
103 ;;
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]104 -h|--help)
105 print_usage
106 exit 0
107 ;;
108 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]109 echo "Unknown argument: '$1'"
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]110 print_usage
111 exit 1
112 ;;
113 esac
114 shift
115 done
116}
117
Manuel Pégourié-Gonnard988209f2015-03-24 10:43:55 +0100[diff] [blame]118# skip next test if the flag is not enabled in config.h
119requires_config_enabled() {
120 if grep "^#define $1" $CONFIG_H > /dev/null; then :; else
121 SKIP_NEXT="YES"
122 fi
123}
124
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]125# skip next test if the flag is enabled in config.h
126requires_config_disabled() {
127 if grep "^#define $1" $CONFIG_H > /dev/null; then
128 SKIP_NEXT="YES"
129 fi
130}
131
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]132# skip next test if OpenSSL doesn't support FALLBACK_SCSV
133requires_openssl_with_fallback_scsv() {
134 if [ -z "${OPENSSL_HAS_FBSCSV:-}" ]; then
135 if $OPENSSL_CMD s_client -help 2>&1 | grep fallback_scsv >/dev/null
136 then
137 OPENSSL_HAS_FBSCSV="YES"
138 else
139 OPENSSL_HAS_FBSCSV="NO"
140 fi
141 fi
142 if [ "$OPENSSL_HAS_FBSCSV" = "NO" ]; then
143 SKIP_NEXT="YES"
144 fi
145}
146
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]147# skip next test if GnuTLS isn't available
148requires_gnutls() {
149 if [ -z "${GNUTLS_AVAILABLE:-}" ]; then
Manuel Pégourié-Gonnard03db6b02015-06-26 15:45:30 +0200[diff] [blame]150 if ( which "$GNUTLS_CLI" && which "$GNUTLS_SERV" ) >/dev/null 2>&1; then
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]151 GNUTLS_AVAILABLE="YES"
152 else
153 GNUTLS_AVAILABLE="NO"
154 fi
155 fi
156 if [ "$GNUTLS_AVAILABLE" = "NO" ]; then
157 SKIP_NEXT="YES"
158 fi
159}
160
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]161# skip next test if IPv6 isn't available on this host
162requires_ipv6() {
163 if [ -z "${HAS_IPV6:-}" ]; then
164 $P_SRV server_addr='::1' > $SRV_OUT 2>&1 &
165 SRV_PID=$!
166 sleep 1
167 kill $SRV_PID >/dev/null 2>&1
168 if grep "NET - Binding of the socket failed" $SRV_OUT >/dev/null; then
169 HAS_IPV6="NO"
170 else
171 HAS_IPV6="YES"
172 fi
173 rm -r $SRV_OUT
174 fi
175
176 if [ "$HAS_IPV6" = "NO" ]; then
177 SKIP_NEXT="YES"
178 fi
179}
180
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]181# skip the next test if valgrind is in use
182not_with_valgrind() {
183 if [ "$MEMCHECK" -gt 0 ]; then
184 SKIP_NEXT="YES"
185 fi
186}
187
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]188# skip the next test if valgrind is NOT in use
189only_with_valgrind() {
190 if [ "$MEMCHECK" -eq 0 ]; then
191 SKIP_NEXT="YES"
192 fi
193}
194
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]195# multiply the client timeout delay by the given factor for the next test
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]196client_needs_more_time() {
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]197 CLI_DELAY_FACTOR=$1
198}
199
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]200# wait for the given seconds after the client finished in the next test
201server_needs_more_time() {
202 SRV_DELAY_SECONDS=$1
203}
204
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]205# print_name <name>
206print_name() {
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]207 TESTS=$(( $TESTS + 1 ))
208 LINE=""
209
210 if [ "$SHOW_TEST_NUMBER" -gt 0 ]; then
211 LINE="$TESTS "
212 fi
213
214 LINE="$LINE$1"
215 printf "$LINE "
216 LEN=$(( 72 - `echo "$LINE" | wc -c` ))
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]217 for i in `seq 1 $LEN`; do printf '.'; done
218 printf ' '
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]219
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]220}
221
222# fail <message>
223fail() {
224 echo "FAIL"
Manuel Pégourié-Gonnard3eec6042014-02-27 15:37:24 +0100[diff] [blame]225 echo " ! $1"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]226
Manuel Pégourié-Gonnardc2b00922014-08-31 16:46:04 +0200[diff] [blame]227 mv $SRV_OUT o-srv-${TESTS}.log
228 mv $CLI_OUT o-cli-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]229 if [ -n "$PXY_CMD" ]; then
230 mv $PXY_OUT o-pxy-${TESTS}.log
231 fi
232 echo " ! outputs saved to o-XXX-${TESTS}.log"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]233
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]234 if [ "X${USER:-}" = Xbuildbot -o "X${LOGNAME:-}" = Xbuildbot ]; then
235 echo " ! server output:"
236 cat o-srv-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]237 echo " ! ========================================================"
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]238 echo " ! client output:"
239 cat o-cli-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]240 if [ -n "$PXY_CMD" ]; then
241 echo " ! ========================================================"
242 echo " ! proxy output:"
243 cat o-pxy-${TESTS}.log
244 fi
245 echo ""
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]246 fi
247
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]248 FAILS=$(( $FAILS + 1 ))
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]249}
250
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]251# is_polar <cmd_line>
252is_polar() {
253 echo "$1" | grep 'ssl_server2\|ssl_client2' > /dev/null
254}
255
Manuel Pégourié-Gonnardfa60f122014-09-26 16:07:29 +0200[diff] [blame]256# openssl s_server doesn't have -www with DTLS
257check_osrv_dtls() {
258 if echo "$SRV_CMD" | grep 's_server.*-dtls' >/dev/null; then
259 NEEDS_INPUT=1
260 SRV_CMD="$( echo $SRV_CMD | sed s/-www// )"
261 else
262 NEEDS_INPUT=0
263 fi
264}
265
266# provide input to commands that need it
267provide_input() {
268 if [ $NEEDS_INPUT -eq 0 ]; then
269 return
270 fi
271
272 while true; do
273 echo "HTTP/1.0 200 OK"
274 sleep 1
275 done
276}
277
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]278# has_mem_err <log_file_name>
279has_mem_err() {
280 if ( grep -F 'All heap blocks were freed -- no leaks are possible' "$1" &&
281 grep -F 'ERROR SUMMARY: 0 errors from 0 contexts' "$1" ) > /dev/null
282 then
283 return 1 # false: does not have errors
284 else
285 return 0 # true: has errors
286 fi
287}
288
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]289# Wait for process $2 to be listening on port $1
290if type lsof >/dev/null 2>/dev/null; then
291 wait_server_start() {
292 START_TIME=$(date +%s)
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]293 if [ "$DTLS" -eq 1 ]; then
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]294 proto=UDP
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]295 else
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]296 proto=TCP
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]297 fi
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]298 # Make a tight loop, server normally takes less than 1s to start.
299 while ! lsof -a -n -b -i "$proto:$1" -p "$2" >/dev/null 2>/dev/null; do
300 if [ $(( $(date +%s) - $START_TIME )) -gt $DOG_DELAY ]; then
301 echo "SERVERSTART TIMEOUT"
302 echo "SERVERSTART TIMEOUT" >> $SRV_OUT
303 break
304 fi
305 # Linux and *BSD support decimal arguments to sleep. On other
306 # OSes this may be a tight loop.
307 sleep 0.1 2>/dev/null || true
308 done
309 }
310else
311 wait_server_start() {
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]312 sleep "$START_DELAY"
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]313 }
314fi
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]315
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]316# Given the client or server debug output, parse the unix timestamp that is
Andres Amaya Garcia3b1bdff2017-09-14 12:41:29 +0100[diff] [blame]317# included in the first 4 bytes of the random bytes and check that it's within
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]318# acceptable bounds
319check_server_hello_time() {
320 # Extract the time from the debug (lvl 3) output of the client
Andres Amaya Garcia67d8da52017-09-15 15:49:24 +0100[diff] [blame]321 SERVER_HELLO_TIME="$(sed -n 's/.*server hello, current time: //p' < "$1")"
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]322 # Get the Unix timestamp for now
323 CUR_TIME=$(date +'%s')
324 THRESHOLD_IN_SECS=300
325
326 # Check if the ServerHello time was printed
327 if [ -z "$SERVER_HELLO_TIME" ]; then
328 return 1
329 fi
330
331 # Check the time in ServerHello is within acceptable bounds
332 if [ $SERVER_HELLO_TIME -lt $(( $CUR_TIME - $THRESHOLD_IN_SECS )) ]; then
333 # The time in ServerHello is at least 5 minutes before now
334 return 1
335 elif [ $SERVER_HELLO_TIME -gt $(( $CUR_TIME + $THRESHOLD_IN_SECS )) ]; then
Andres Amaya Garcia3b1bdff2017-09-14 12:41:29 +0100[diff] [blame]336 # The time in ServerHello is at least 5 minutes later than now
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]337 return 1
338 else
339 return 0
340 fi
341}
342
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]343# wait for client to terminate and set CLI_EXIT
344# must be called right after starting the client
345wait_client_done() {
346 CLI_PID=$!
347
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]348 CLI_DELAY=$(( $DOG_DELAY * $CLI_DELAY_FACTOR ))
349 CLI_DELAY_FACTOR=1
350
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]351 ( sleep $CLI_DELAY; echo "===CLIENT_TIMEOUT===" >> $CLI_OUT; kill $CLI_PID ) &
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]352 DOG_PID=$!
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]353
354 wait $CLI_PID
355 CLI_EXIT=$?
356
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]357 kill $DOG_PID >/dev/null 2>&1
358 wait $DOG_PID
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]359
360 echo "EXIT: $CLI_EXIT" >> $CLI_OUT
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]361
362 sleep $SRV_DELAY_SECONDS
363 SRV_DELAY_SECONDS=0
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]364}
365
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]366# check if the given command uses dtls and sets global variable DTLS
367detect_dtls() {
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]368 if echo "$1" | grep 'dtls=1\|-dtls1\|-u' >/dev/null; then
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]369 DTLS=1
370 else
371 DTLS=0
372 fi
373}
374
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]375# Usage: run_test name [-p proxy_cmd] srv_cmd cli_cmd cli_exit [option [...]]
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]376# Options: -s pattern pattern that must be present in server output
377# -c pattern pattern that must be present in client output
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]378# -u pattern lines after pattern must be unique in client output
Andres Amaya Garcia93993de2017-09-06 15:38:07 +0100[diff] [blame]379# -f call shell function on client output
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]380# -S pattern pattern that must be absent in server output
381# -C pattern pattern that must be absent in client output
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]382# -U pattern lines after pattern must be unique in server output
Andres Amaya Garcia93993de2017-09-06 15:38:07 +0100[diff] [blame]383# -F call shell function on server output
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]384run_test() {
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]385 NAME="$1"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]386 shift 1
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]387
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]388 if echo "$NAME" | grep "$FILTER" | grep -v "$EXCLUDE" >/dev/null; then :
389 else
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]390 SKIP_NEXT="NO"
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]391 return
392 fi
393
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]394 print_name "$NAME"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]395
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]396 # Do we only run numbered tests?
397 if [ "X$RUN_TEST_NUMBER" = "X" ]; then :
398 elif echo ",$RUN_TEST_NUMBER," | grep ",$TESTS," >/dev/null; then :
399 else
400 SKIP_NEXT="YES"
401 fi
402
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]403 # should we skip?
404 if [ "X$SKIP_NEXT" = "XYES" ]; then
405 SKIP_NEXT="NO"
406 echo "SKIP"
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]407 SKIPS=$(( $SKIPS + 1 ))
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]408 return
409 fi
410
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]411 # does this test use a proxy?
412 if [ "X$1" = "X-p" ]; then
413 PXY_CMD="$2"
414 shift 2
415 else
416 PXY_CMD=""
417 fi
418
419 # get commands and client output
420 SRV_CMD="$1"
421 CLI_CMD="$2"
422 CLI_EXPECT="$3"
423 shift 3
424
425 # fix client port
426 if [ -n "$PXY_CMD" ]; then
427 CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$PXY_PORT/g )
428 else
429 CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$SRV_PORT/g )
430 fi
431
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]432 # update DTLS variable
433 detect_dtls "$SRV_CMD"
434
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]435 # prepend valgrind to our commands if active
436 if [ "$MEMCHECK" -gt 0 ]; then
437 if is_polar "$SRV_CMD"; then
438 SRV_CMD="valgrind --leak-check=full $SRV_CMD"
439 fi
440 if is_polar "$CLI_CMD"; then
441 CLI_CMD="valgrind --leak-check=full $CLI_CMD"
442 fi
443 fi
444
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]445 TIMES_LEFT=2
446 while [ $TIMES_LEFT -gt 0 ]; do
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]447 TIMES_LEFT=$(( $TIMES_LEFT - 1 ))
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]448
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]449 # run the commands
450 if [ -n "$PXY_CMD" ]; then
451 echo "$PXY_CMD" > $PXY_OUT
452 $PXY_CMD >> $PXY_OUT 2>&1 &
453 PXY_PID=$!
454 # assume proxy starts faster than server
455 fi
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]456
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]457 check_osrv_dtls
458 echo "$SRV_CMD" > $SRV_OUT
459 provide_input | $SRV_CMD >> $SRV_OUT 2>&1 &
460 SRV_PID=$!
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]461 wait_server_start "$SRV_PORT" "$SRV_PID"
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]462
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]463 echo "$CLI_CMD" > $CLI_OUT
464 eval "$CLI_CMD" >> $CLI_OUT 2>&1 &
465 wait_client_done
Manuel Pégourié-Gonnarde01af4c2014-03-25 14:16:44 +0100[diff] [blame]466
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]467 # terminate the server (and the proxy)
468 kill $SRV_PID
469 wait $SRV_PID
470 if [ -n "$PXY_CMD" ]; then
471 kill $PXY_PID >/dev/null 2>&1
472 wait $PXY_PID
473 fi
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]474
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]475 # retry only on timeouts
476 if grep '===CLIENT_TIMEOUT===' $CLI_OUT >/dev/null; then
477 printf "RETRY "
478 else
479 TIMES_LEFT=0
480 fi
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]481 done
482
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]483 # check if the client and server went at least to the handshake stage
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]484 # (useful to avoid tests with only negative assertions and non-zero
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]485 # expected client exit to incorrectly succeed in case of catastrophic
486 # failure)
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]487 if is_polar "$SRV_CMD"; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]488 if grep "Performing the SSL/TLS handshake" $SRV_OUT >/dev/null; then :;
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]489 else
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]490 fail "server or client failed to reach handshake stage"
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]491 return
492 fi
493 fi
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]494 if is_polar "$CLI_CMD"; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]495 if grep "Performing the SSL/TLS handshake" $CLI_OUT >/dev/null; then :;
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]496 else
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]497 fail "server or client failed to reach handshake stage"
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]498 return
499 fi
500 fi
501
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]502 # check server exit code
503 if [ $? != 0 ]; then
504 fail "server fail"
505 return
506 fi
507
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]508 # check client exit code
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]509 if [ \( "$CLI_EXPECT" = 0 -a "$CLI_EXIT" != 0 \) -o \
510 \( "$CLI_EXPECT" != 0 -a "$CLI_EXIT" = 0 \) ]
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]511 then
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]512 fail "bad client exit code (expected $CLI_EXPECT, got $CLI_EXIT)"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]513 return
514 fi
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]515
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]516 # check other assertions
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]517 # lines beginning with == are added by valgrind, ignore them
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]518 # lines with 'Serious error when reading debug info', are valgrind issues as well
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]519 while [ $# -gt 0 ]
520 do
521 case $1 in
522 "-s")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]523 if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]524 fail "pattern '$2' MUST be present in the Server output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]525 return
526 fi
527 ;;
528
529 "-c")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]530 if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]531 fail "pattern '$2' MUST be present in the Client output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]532 return
533 fi
534 ;;
535
536 "-S")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]537 if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]538 fail "pattern '$2' MUST NOT be present in the Server output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]539 return
540 fi
541 ;;
542
543 "-C")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]544 if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]545 fail "pattern '$2' MUST NOT be present in the Client output"
546 return
547 fi
548 ;;
549
550 # The filtering in the following two options (-u and -U) do the following
551 # - ignore valgrind output
552 # - filter out everything but lines right after the pattern occurances
553 # - keep one of each non-unique line
554 # - count how many lines remain
555 # A line with '--' will remain in the result from previous outputs, so the number of lines in the result will be 1
556 # if there were no duplicates.
557 "-U")
558 if [ $(grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
559 fail "lines following pattern '$2' must be unique in Server output"
560 return
561 fi
562 ;;
563
564 "-u")
565 if [ $(grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
566 fail "lines following pattern '$2' must be unique in Client output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]567 return
568 fi
569 ;;
Andres Amaya Garcia93993de2017-09-06 15:38:07 +0100[diff] [blame]570 "-F")
571 if ! $2 "$SRV_OUT"; then
572 fail "function call to '$2' failed on Server output"
573 return
574 fi
575 ;;
576 "-f")
577 if ! $2 "$CLI_OUT"; then
578 fail "function call to '$2' failed on Client output"
579 return
580 fi
581 ;;
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]582
583 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]584 echo "Unknown test: $1" >&2
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]585 exit 1
586 esac
587 shift 2
588 done
589
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]590 # check valgrind's results
591 if [ "$MEMCHECK" -gt 0 ]; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]592 if is_polar "$SRV_CMD" && has_mem_err $SRV_OUT; then
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]593 fail "Server has memory errors"
594 return
595 fi
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]596 if is_polar "$CLI_CMD" && has_mem_err $CLI_OUT; then
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]597 fail "Client has memory errors"
598 return
599 fi
600 fi
601
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]602 # if we're here, everything is ok
603 echo "PASS"
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]604 if [ "$PRESERVE_LOGS" -gt 0 ]; then
605 mv $SRV_OUT o-srv-${TESTS}.log
606 mv $CLI_OUT o-cli-${TESTS}.log
607 fi
608
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]609 rm -f $SRV_OUT $CLI_OUT $PXY_OUT
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]610}
611
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]612cleanup() {
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]613 rm -f $CLI_OUT $SRV_OUT $PXY_OUT $SESSION
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]614 test -n "${SRV_PID:-}" && kill $SRV_PID >/dev/null 2>&1
615 test -n "${PXY_PID:-}" && kill $PXY_PID >/dev/null 2>&1
616 test -n "${CLI_PID:-}" && kill $CLI_PID >/dev/null 2>&1
617 test -n "${DOG_PID:-}" && kill $DOG_PID >/dev/null 2>&1
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]618 exit 1
619}
620
Manuel Pégourié-Gonnard9dea8bd2014-02-26 18:21:02 +0100[diff] [blame]621#
622# MAIN
623#
624
Manuel Pégourié-Gonnard19db8ea2015-03-10 13:41:04 +0000[diff] [blame]625if cd $( dirname $0 ); then :; else
626 echo "cd $( dirname $0 ) failed" >&2
627 exit 1
628fi
629
Manuel Pégourié-Gonnard913030c2014-03-28 10:12:38 +0100[diff] [blame]630get_options "$@"
631
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]632# sanity checks, avoid an avalanche of errors
633if [ ! -x "$P_SRV" ]; then
634 echo "Command '$P_SRV' is not an executable file"
635 exit 1
636fi
637if [ ! -x "$P_CLI" ]; then
638 echo "Command '$P_CLI' is not an executable file"
639 exit 1
640fi
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]641if [ ! -x "$P_PXY" ]; then
642 echo "Command '$P_PXY' is not an executable file"
643 exit 1
644fi
Simon Butcher3c0d7b82016-05-23 11:13:17 +0100[diff] [blame]645if [ "$MEMCHECK" -gt 0 ]; then
646 if which valgrind >/dev/null 2>&1; then :; else
647 echo "Memcheck not possible. Valgrind not found"
648 exit 1
649 fi
650fi
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]651if which $OPENSSL_CMD >/dev/null 2>&1; then :; else
652 echo "Command '$OPENSSL_CMD' not found"
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]653 exit 1
654fi
655
Manuel Pégourié-Gonnard32f8f4d2014-05-29 11:31:20 +0200[diff] [blame]656# used by watchdog
657MAIN_PID="$$"
658
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame^]659# We use somewhat arbitrary delays for tests:
660# - how long do we wait for the server to start (when lsof not available)?
661# - how long do we allow for the client to finish?
662# (not to check performance, just to avoid waiting indefinitely)
663# Things are slower with valgrind, so give extra time here.
664#
665# Note: without lsof, there is a trade-off between the running time of this
666# script and the risk of spurious errors because we didn't wait long enough.
667# The watchdog delay on the other hand doesn't affect normal running time of
668# the script, only the case where a client or server gets stuck.
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]669if [ "$MEMCHECK" -gt 0 ]; then
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame^]670 START_DELAY=6
671 DOG_DELAY=60
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]672else
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame^]673 START_DELAY=2
674 DOG_DELAY=20
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]675fi
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame^]676
677# some particular tests need more time:
678# - for the client, we multiply the usual watchdog limit by a factor
679# - for the server, we sleep for a number of seconds after the client exits
680# see client_need_more_time() and server_needs_more_time()
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]681CLI_DELAY_FACTOR=1
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]682SRV_DELAY_SECONDS=0
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]683
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]684# fix commands to use this port, force IPv4 while at it
Manuel Pégourié-Gonnard0af1ba32015-01-21 11:44:33 +0000[diff] [blame]685# +SRV_PORT will be replaced by either $SRV_PORT or $PXY_PORT later
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]686P_SRV="$P_SRV server_addr=127.0.0.1 server_port=$SRV_PORT"
687P_CLI="$P_CLI server_addr=127.0.0.1 server_port=+SRV_PORT"
Andres AGf04f54d2016-10-10 15:46:20 +0100[diff] [blame]688P_PXY="$P_PXY server_addr=127.0.0.1 server_port=$SRV_PORT listen_addr=127.0.0.1 listen_port=$PXY_PORT ${SEED:+"seed=$SEED"}"
Manuel Pégourié-Gonnard61957672015-06-18 17:54:58 +0200[diff] [blame]689O_SRV="$O_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]690O_CLI="$O_CLI -connect localhost:+SRV_PORT"
691G_SRV="$G_SRV -p $SRV_PORT"
Manuel Pégourié-Gonnard0af1ba32015-01-21 11:44:33 +0000[diff] [blame]692G_CLI="$G_CLI -p +SRV_PORT localhost"
Manuel Pégourié-Gonnard8066b812014-05-28 22:59:30 +0200[diff] [blame]693
Gilles Peskine62469d92017-05-10 10:13:59 +0200[diff] [blame]694# Allow SHA-1, because many of our test certificates use it
695P_SRV="$P_SRV allow_sha1=1"
696P_CLI="$P_CLI allow_sha1=1"
697
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]698# Also pick a unique name for intermediate files
699SRV_OUT="srv_out.$$"
700CLI_OUT="cli_out.$$"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]701PXY_OUT="pxy_out.$$"
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]702SESSION="session.$$"
703
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]704SKIP_NEXT="NO"
705
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]706trap cleanup INT TERM HUP
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]707
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]708# Basic test
709
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]710# Checks that:
711# - things work with all ciphersuites active (used with config-full in all.sh)
712# - the expected (highest security) parameters are selected
713# ("signature_algorithm ext: 6" means SHA-512 (highest common hash))
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]714run_test "Default" \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]715 "$P_SRV debug_level=3" \
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]716 "$P_CLI" \
717 0 \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]718 -s "Protocol is TLSv1.2" \
719 -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
720 -s "client hello v3, signature_algorithm ext: 6" \
721 -s "ECDHE curve: secp521r1" \
722 -S "error" \
723 -C "error"
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]724
Manuel Pégourié-Gonnard3bb08012015-01-22 13:34:21 +0000[diff] [blame]725run_test "Default, DTLS" \
726 "$P_SRV dtls=1" \
727 "$P_CLI dtls=1" \
728 0 \
729 -s "Protocol is DTLSv1.2" \
730 -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"
731
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]732# Test current time in ServerHello
733requires_config_enabled MBEDTLS_HAVE_TIME
734run_test "Default, ServerHello contains gmt_unix_time" \
735 "$P_SRV debug_level=3" \
736 "$P_CLI debug_level=3" \
737 0 \
738 -s "Protocol is TLSv1.2" \
739 -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
740 -s "client hello v3, signature_algorithm ext: 6" \
741 -s "ECDHE curve: secp521r1" \
742 -S "error" \
743 -C "error" \
744 -f "check_server_hello_time" \
745 -F "check_server_hello_time"
746
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]747# Test for uniqueness of IVs in AEAD ciphersuites
748run_test "Unique IV in GCM" \
749 "$P_SRV exchanges=20 debug_level=4" \
750 "$P_CLI exchanges=20 debug_level=4 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
751 0 \
752 -u "IV used" \
753 -U "IV used"
754
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]755# Tests for rc4 option
756
Simon Butchera410af52016-05-19 22:12:18 +0100[diff] [blame]757requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]758run_test "RC4: server disabled, client enabled" \
759 "$P_SRV" \
760 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
761 1 \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]762 -s "SSL - The server has no ciphersuites in common"
763
Simon Butchera410af52016-05-19 22:12:18 +0100[diff] [blame]764requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]765run_test "RC4: server half, client enabled" \
766 "$P_SRV arc4=1" \
767 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
768 1 \
769 -s "SSL - The server has no ciphersuites in common"
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]770
771run_test "RC4: server enabled, client disabled" \
772 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
773 "$P_CLI" \
774 1 \
775 -s "SSL - The server has no ciphersuites in common"
776
777run_test "RC4: both enabled" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]778 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]779 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
780 0 \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]781 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]782 -S "SSL - The server has no ciphersuites in common"
783
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]784# Tests for SHA-1 support
785
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]786requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]787run_test "SHA-1 forbidden by default in server certificate" \
788 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
789 "$P_CLI debug_level=2 allow_sha1=0" \
790 1 \
791 -c "The certificate is signed with an unacceptable hash"
792
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]793requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
794run_test "SHA-1 forbidden by default in server certificate" \
795 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
796 "$P_CLI debug_level=2 allow_sha1=0" \
797 0
798
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]799run_test "SHA-1 explicitly allowed in server certificate" \
800 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
801 "$P_CLI allow_sha1=1" \
802 0
803
804run_test "SHA-256 allowed by default in server certificate" \
805 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2-sha256.crt" \
806 "$P_CLI allow_sha1=0" \
807 0
808
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]809requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]810run_test "SHA-1 forbidden by default in client certificate" \
811 "$P_SRV auth_mode=required allow_sha1=0" \
812 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
813 1 \
814 -s "The certificate is signed with an unacceptable hash"
815
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]816requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
817run_test "SHA-1 forbidden by default in client certificate" \
818 "$P_SRV auth_mode=required allow_sha1=0" \
819 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
820 0
821
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]822run_test "SHA-1 explicitly allowed in client certificate" \
823 "$P_SRV auth_mode=required allow_sha1=1" \
824 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
825 0
826
827run_test "SHA-256 allowed by default in client certificate" \
828 "$P_SRV auth_mode=required allow_sha1=0" \
829 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha256.crt" \
830 0
831
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]832# Tests for Truncated HMAC extension
833
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]834run_test "Truncated HMAC: client default, server default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]835 "$P_SRV debug_level=4" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]836 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]837 0 \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]838 -s "dumping 'computed mac' (20 bytes)" \
839 -S "dumping 'computed mac' (10 bytes)"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]840
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]841run_test "Truncated HMAC: client disabled, server default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]842 "$P_SRV debug_level=4" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]843 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
844 trunc_hmac=0" \
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]845 0 \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]846 -s "dumping 'computed mac' (20 bytes)" \
847 -S "dumping 'computed mac' (10 bytes)"
848
849run_test "Truncated HMAC: client enabled, server default" \
850 "$P_SRV debug_level=4" \
851 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
852 trunc_hmac=1" \
853 0 \
Manuel Pégourié-Gonnard662c6e82015-05-06 17:39:23 +0100[diff] [blame]854 -s "dumping 'computed mac' (20 bytes)" \
855 -S "dumping 'computed mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]856
857run_test "Truncated HMAC: client enabled, server disabled" \
858 "$P_SRV debug_level=4 trunc_hmac=0" \
859 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
860 trunc_hmac=1" \
861 0 \
862 -s "dumping 'computed mac' (20 bytes)" \
863 -S "dumping 'computed mac' (10 bytes)"
864
865run_test "Truncated HMAC: client enabled, server enabled" \
866 "$P_SRV debug_level=4 trunc_hmac=1" \
867 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
868 trunc_hmac=1" \
869 0 \
870 -S "dumping 'computed mac' (20 bytes)" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]871 -s "dumping 'computed mac' (10 bytes)"
872
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]873# Tests for Encrypt-then-MAC extension
874
875run_test "Encrypt then MAC: default" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]876 "$P_SRV debug_level=3 \
877 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]878 "$P_CLI debug_level=3" \
879 0 \
880 -c "client hello, adding encrypt_then_mac extension" \
881 -s "found encrypt then mac extension" \
882 -s "server hello, adding encrypt then mac extension" \
883 -c "found encrypt_then_mac extension" \
884 -c "using encrypt then mac" \
885 -s "using encrypt then mac"
886
887run_test "Encrypt then MAC: client enabled, server disabled" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]888 "$P_SRV debug_level=3 etm=0 \
889 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]890 "$P_CLI debug_level=3 etm=1" \
891 0 \
892 -c "client hello, adding encrypt_then_mac extension" \
893 -s "found encrypt then mac extension" \
894 -S "server hello, adding encrypt then mac extension" \
895 -C "found encrypt_then_mac extension" \
896 -C "using encrypt then mac" \
897 -S "using encrypt then mac"
898
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]899run_test "Encrypt then MAC: client enabled, aead cipher" \
900 "$P_SRV debug_level=3 etm=1 \
901 force_ciphersuite=TLS-RSA-WITH-AES-128-GCM-SHA256" \
902 "$P_CLI debug_level=3 etm=1" \
903 0 \
904 -c "client hello, adding encrypt_then_mac extension" \
905 -s "found encrypt then mac extension" \
906 -S "server hello, adding encrypt then mac extension" \
907 -C "found encrypt_then_mac extension" \
908 -C "using encrypt then mac" \
909 -S "using encrypt then mac"
910
911run_test "Encrypt then MAC: client enabled, stream cipher" \
912 "$P_SRV debug_level=3 etm=1 \
913 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]914 "$P_CLI debug_level=3 etm=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]915 0 \
916 -c "client hello, adding encrypt_then_mac extension" \
917 -s "found encrypt then mac extension" \
918 -S "server hello, adding encrypt then mac extension" \
919 -C "found encrypt_then_mac extension" \
920 -C "using encrypt then mac" \
921 -S "using encrypt then mac"
922
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]923run_test "Encrypt then MAC: client disabled, server enabled" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]924 "$P_SRV debug_level=3 etm=1 \
925 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]926 "$P_CLI debug_level=3 etm=0" \
927 0 \
928 -C "client hello, adding encrypt_then_mac extension" \
929 -S "found encrypt then mac extension" \
930 -S "server hello, adding encrypt then mac extension" \
931 -C "found encrypt_then_mac extension" \
932 -C "using encrypt then mac" \
933 -S "using encrypt then mac"
934
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]935requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]936run_test "Encrypt then MAC: client SSLv3, server enabled" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]937 "$P_SRV debug_level=3 min_version=ssl3 \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]938 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]939 "$P_CLI debug_level=3 force_version=ssl3" \
940 0 \
941 -C "client hello, adding encrypt_then_mac extension" \
942 -S "found encrypt then mac extension" \
943 -S "server hello, adding encrypt then mac extension" \
944 -C "found encrypt_then_mac extension" \
945 -C "using encrypt then mac" \
946 -S "using encrypt then mac"
947
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]948requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]949run_test "Encrypt then MAC: client enabled, server SSLv3" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]950 "$P_SRV debug_level=3 force_version=ssl3 \
951 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]952 "$P_CLI debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]953 0 \
954 -c "client hello, adding encrypt_then_mac extension" \
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]955 -S "found encrypt then mac extension" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]956 -S "server hello, adding encrypt then mac extension" \
957 -C "found encrypt_then_mac extension" \
958 -C "using encrypt then mac" \
959 -S "using encrypt then mac"
960
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]961# Tests for Extended Master Secret extension
962
963run_test "Extended Master Secret: default" \
964 "$P_SRV debug_level=3" \
965 "$P_CLI debug_level=3" \
966 0 \
967 -c "client hello, adding extended_master_secret extension" \
968 -s "found extended master secret extension" \
969 -s "server hello, adding extended master secret extension" \
970 -c "found extended_master_secret extension" \
971 -c "using extended master secret" \
972 -s "using extended master secret"
973
974run_test "Extended Master Secret: client enabled, server disabled" \
975 "$P_SRV debug_level=3 extended_ms=0" \
976 "$P_CLI debug_level=3 extended_ms=1" \
977 0 \
978 -c "client hello, adding extended_master_secret extension" \
979 -s "found extended master secret extension" \
980 -S "server hello, adding extended master secret extension" \
981 -C "found extended_master_secret extension" \
982 -C "using extended master secret" \
983 -S "using extended master secret"
984
985run_test "Extended Master Secret: client disabled, server enabled" \
986 "$P_SRV debug_level=3 extended_ms=1" \
987 "$P_CLI debug_level=3 extended_ms=0" \
988 0 \
989 -C "client hello, adding extended_master_secret extension" \
990 -S "found extended master secret extension" \
991 -S "server hello, adding extended master secret extension" \
992 -C "found extended_master_secret extension" \
993 -C "using extended master secret" \
994 -S "using extended master secret"
995
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]996requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]997run_test "Extended Master Secret: client SSLv3, server enabled" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]998 "$P_SRV debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]999 "$P_CLI debug_level=3 force_version=ssl3" \
1000 0 \
1001 -C "client hello, adding extended_master_secret extension" \
1002 -S "found extended master secret extension" \
1003 -S "server hello, adding extended master secret extension" \
1004 -C "found extended_master_secret extension" \
1005 -C "using extended master secret" \
1006 -S "using extended master secret"
1007
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]1008requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]1009run_test "Extended Master Secret: client enabled, server SSLv3" \
1010 "$P_SRV debug_level=3 force_version=ssl3" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]1011 "$P_CLI debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]1012 0 \
1013 -c "client hello, adding extended_master_secret extension" \
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]1014 -S "found extended master secret extension" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]1015 -S "server hello, adding extended master secret extension" \
1016 -C "found extended_master_secret extension" \
1017 -C "using extended master secret" \
1018 -S "using extended master secret"
1019
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1020# Tests for FALLBACK_SCSV
1021
1022run_test "Fallback SCSV: default" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1023 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1024 "$P_CLI debug_level=3 force_version=tls1_1" \
1025 0 \
1026 -C "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1027 -S "received FALLBACK_SCSV" \
1028 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1029 -C "is a fatal alert message (msg 86)"
1030
1031run_test "Fallback SCSV: explicitly disabled" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1032 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1033 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
1034 0 \
1035 -C "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1036 -S "received FALLBACK_SCSV" \
1037 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1038 -C "is a fatal alert message (msg 86)"
1039
1040run_test "Fallback SCSV: enabled" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1041 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1042 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1043 1 \
1044 -c "adding FALLBACK_SCSV" \
1045 -s "received FALLBACK_SCSV" \
1046 -s "inapropriate fallback" \
1047 -c "is a fatal alert message (msg 86)"
1048
1049run_test "Fallback SCSV: enabled, max version" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1050 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1051 "$P_CLI debug_level=3 fallback=1" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1052 0 \
1053 -c "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1054 -s "received FALLBACK_SCSV" \
1055 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1056 -C "is a fatal alert message (msg 86)"
1057
1058requires_openssl_with_fallback_scsv
1059run_test "Fallback SCSV: default, openssl server" \
1060 "$O_SRV" \
1061 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
1062 0 \
1063 -C "adding FALLBACK_SCSV" \
1064 -C "is a fatal alert message (msg 86)"
1065
1066requires_openssl_with_fallback_scsv
1067run_test "Fallback SCSV: enabled, openssl server" \
1068 "$O_SRV" \
1069 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
1070 1 \
1071 -c "adding FALLBACK_SCSV" \
1072 -c "is a fatal alert message (msg 86)"
1073
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1074requires_openssl_with_fallback_scsv
1075run_test "Fallback SCSV: disabled, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1076 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1077 "$O_CLI -tls1_1" \
1078 0 \
1079 -S "received FALLBACK_SCSV" \
1080 -S "inapropriate fallback"
1081
1082requires_openssl_with_fallback_scsv
1083run_test "Fallback SCSV: enabled, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1084 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1085 "$O_CLI -tls1_1 -fallback_scsv" \
1086 1 \
1087 -s "received FALLBACK_SCSV" \
1088 -s "inapropriate fallback"
1089
1090requires_openssl_with_fallback_scsv
1091run_test "Fallback SCSV: enabled, max version, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1092 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1093 "$O_CLI -fallback_scsv" \
1094 0 \
1095 -s "received FALLBACK_SCSV" \
1096 -S "inapropriate fallback"
1097
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]1098## ClientHello generated with
1099## "openssl s_client -CAfile tests/data_files/test-ca.crt -tls1_1 -connect localhost:4433 -cipher ..."
1100## then manually twiddling the ciphersuite list.
1101## The ClientHello content is spelled out below as a hex string as
1102## "prefix ciphersuite1 ciphersuite2 ciphersuite3 ciphersuite4 suffix".
1103## The expected response is an inappropriate_fallback alert.
1104requires_openssl_with_fallback_scsv
1105run_test "Fallback SCSV: beginning of list" \
1106 "$P_SRV debug_level=2" \
1107 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 5600 0031 0032 0033 0100000900230000000f000101' '15030200020256'" \
1108 0 \
1109 -s "received FALLBACK_SCSV" \
1110 -s "inapropriate fallback"
1111
1112requires_openssl_with_fallback_scsv
1113run_test "Fallback SCSV: end of list" \
1114 "$P_SRV debug_level=2" \
1115 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0031 0032 0033 5600 0100000900230000000f000101' '15030200020256'" \
1116 0 \
1117 -s "received FALLBACK_SCSV" \
1118 -s "inapropriate fallback"
1119
1120## Here the expected response is a valid ServerHello prefix, up to the random.
1121requires_openssl_with_fallback_scsv
1122run_test "Fallback SCSV: not in list" \
1123 "$P_SRV debug_level=2" \
1124 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0056 0031 0032 0033 0100000900230000000f000101' '16030200300200002c0302'" \
1125 0 \
1126 -S "received FALLBACK_SCSV" \
1127 -S "inapropriate fallback"
1128
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]1129# Tests for CBC 1/n-1 record splitting
1130
1131run_test "CBC Record splitting: TLS 1.2, no splitting" \
1132 "$P_SRV" \
1133 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1134 request_size=123 force_version=tls1_2" \
1135 0 \
1136 -s "Read from client: 123 bytes read" \
1137 -S "Read from client: 1 bytes read" \
1138 -S "122 bytes read"
1139
1140run_test "CBC Record splitting: TLS 1.1, no splitting" \
1141 "$P_SRV" \
1142 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1143 request_size=123 force_version=tls1_1" \
1144 0 \
1145 -s "Read from client: 123 bytes read" \
1146 -S "Read from client: 1 bytes read" \
1147 -S "122 bytes read"
1148
1149run_test "CBC Record splitting: TLS 1.0, splitting" \
1150 "$P_SRV" \
1151 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1152 request_size=123 force_version=tls1" \
1153 0 \
1154 -S "Read from client: 123 bytes read" \
1155 -s "Read from client: 1 bytes read" \
1156 -s "122 bytes read"
1157
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]1158requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]1159run_test "CBC Record splitting: SSLv3, splitting" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]1160 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]1161 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1162 request_size=123 force_version=ssl3" \
1163 0 \
1164 -S "Read from client: 123 bytes read" \
1165 -s "Read from client: 1 bytes read" \
1166 -s "122 bytes read"
1167
1168run_test "CBC Record splitting: TLS 1.0 RC4, no splitting" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]1169 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]1170 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
1171 request_size=123 force_version=tls1" \
1172 0 \
1173 -s "Read from client: 123 bytes read" \
1174 -S "Read from client: 1 bytes read" \
1175 -S "122 bytes read"
1176
1177run_test "CBC Record splitting: TLS 1.0, splitting disabled" \
1178 "$P_SRV" \
1179 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1180 request_size=123 force_version=tls1 recsplit=0" \
1181 0 \
1182 -s "Read from client: 123 bytes read" \
1183 -S "Read from client: 1 bytes read" \
1184 -S "122 bytes read"
1185
Manuel Pégourié-Gonnarda852cf42015-01-13 20:56:15 +0100[diff] [blame]1186run_test "CBC Record splitting: TLS 1.0, splitting, nbio" \
1187 "$P_SRV nbio=2" \
1188 "$P_CLI nbio=2 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1189 request_size=123 force_version=tls1" \
1190 0 \
1191 -S "Read from client: 123 bytes read" \
1192 -s "Read from client: 1 bytes read" \
1193 -s "122 bytes read"
1194
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1195# Tests for Session Tickets
1196
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1197run_test "Session resume using tickets: basic" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1198 "$P_SRV debug_level=3 tickets=1" \
1199 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1200 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1201 -c "client hello, adding session ticket extension" \
1202 -s "found session ticket extension" \
1203 -s "server hello, adding session ticket extension" \
1204 -c "found session_ticket extension" \
1205 -c "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1206 -S "session successfully restored from cache" \
1207 -s "session successfully restored from ticket" \
1208 -s "a session has been resumed" \
1209 -c "a session has been resumed"
1210
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1211run_test "Session resume using tickets: cache disabled" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1212 "$P_SRV debug_level=3 tickets=1 cache_max=0" \
1213 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +0100[diff] [blame]1214 0 \
1215 -c "client hello, adding session ticket extension" \
1216 -s "found session ticket extension" \
1217 -s "server hello, adding session ticket extension" \
1218 -c "found session_ticket extension" \
1219 -c "parse new session ticket" \
1220 -S "session successfully restored from cache" \
1221 -s "session successfully restored from ticket" \
1222 -s "a session has been resumed" \
1223 -c "a session has been resumed"
1224
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1225run_test "Session resume using tickets: timeout" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1226 "$P_SRV debug_level=3 tickets=1 cache_max=0 ticket_timeout=1" \
1227 "$P_CLI debug_level=3 tickets=1 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +0100[diff] [blame]1228 0 \
1229 -c "client hello, adding session ticket extension" \
1230 -s "found session ticket extension" \
1231 -s "server hello, adding session ticket extension" \
1232 -c "found session_ticket extension" \
1233 -c "parse new session ticket" \
1234 -S "session successfully restored from cache" \
1235 -S "session successfully restored from ticket" \
1236 -S "a session has been resumed" \
1237 -C "a session has been resumed"
1238
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1239run_test "Session resume using tickets: openssl server" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1240 "$O_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1241 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]1242 0 \
1243 -c "client hello, adding session ticket extension" \
1244 -c "found session_ticket extension" \
1245 -c "parse new session ticket" \
1246 -c "a session has been resumed"
1247
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1248run_test "Session resume using tickets: openssl client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1249 "$P_SRV debug_level=3 tickets=1" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1250 "( $O_CLI -sess_out $SESSION; \
1251 $O_CLI -sess_in $SESSION; \
1252 rm -f $SESSION )" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]1253 0 \
1254 -s "found session ticket extension" \
1255 -s "server hello, adding session ticket extension" \
1256 -S "session successfully restored from cache" \
1257 -s "session successfully restored from ticket" \
1258 -s "a session has been resumed"
1259
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1260# Tests for Session Resume based on session-ID and cache
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1261
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1262run_test "Session resume using cache: tickets enabled on client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1263 "$P_SRV debug_level=3 tickets=0" \
1264 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1265 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1266 -c "client hello, adding session ticket extension" \
1267 -s "found session ticket extension" \
1268 -S "server hello, adding session ticket extension" \
1269 -C "found session_ticket extension" \
1270 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1271 -s "session successfully restored from cache" \
1272 -S "session successfully restored from ticket" \
1273 -s "a session has been resumed" \
1274 -c "a session has been resumed"
1275
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1276run_test "Session resume using cache: tickets enabled on server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1277 "$P_SRV debug_level=3 tickets=1" \
1278 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1279 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1280 -C "client hello, adding session ticket extension" \
1281 -S "found session ticket extension" \
1282 -S "server hello, adding session ticket extension" \
1283 -C "found session_ticket extension" \
1284 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1285 -s "session successfully restored from cache" \
1286 -S "session successfully restored from ticket" \
1287 -s "a session has been resumed" \
1288 -c "a session has been resumed"
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1289
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1290run_test "Session resume using cache: cache_max=0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1291 "$P_SRV debug_level=3 tickets=0 cache_max=0" \
1292 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]1293 0 \
1294 -S "session successfully restored from cache" \
1295 -S "session successfully restored from ticket" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1296 -S "a session has been resumed" \
1297 -C "a session has been resumed"
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]1298
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1299run_test "Session resume using cache: cache_max=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1300 "$P_SRV debug_level=3 tickets=0 cache_max=1" \
1301 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1302 0 \
1303 -s "session successfully restored from cache" \
1304 -S "session successfully restored from ticket" \
1305 -s "a session has been resumed" \
1306 -c "a session has been resumed"
1307
Manuel Pégourié-Gonnard6df31962015-05-04 10:55:47 +0200[diff] [blame]1308run_test "Session resume using cache: timeout > delay" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1309 "$P_SRV debug_level=3 tickets=0" \
1310 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=0" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1311 0 \
1312 -s "session successfully restored from cache" \
1313 -S "session successfully restored from ticket" \
1314 -s "a session has been resumed" \
1315 -c "a session has been resumed"
1316
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1317run_test "Session resume using cache: timeout < delay" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1318 "$P_SRV debug_level=3 tickets=0 cache_timeout=1" \
1319 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1320 0 \
1321 -S "session successfully restored from cache" \
1322 -S "session successfully restored from ticket" \
1323 -S "a session has been resumed" \
1324 -C "a session has been resumed"
1325
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1326run_test "Session resume using cache: no timeout" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1327 "$P_SRV debug_level=3 tickets=0 cache_timeout=0" \
1328 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]1329 0 \
1330 -s "session successfully restored from cache" \
1331 -S "session successfully restored from ticket" \
1332 -s "a session has been resumed" \
1333 -c "a session has been resumed"
1334
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1335run_test "Session resume using cache: openssl client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1336 "$P_SRV debug_level=3 tickets=0" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1337 "( $O_CLI -sess_out $SESSION; \
1338 $O_CLI -sess_in $SESSION; \
1339 rm -f $SESSION )" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]1340 0 \
1341 -s "found session ticket extension" \
1342 -S "server hello, adding session ticket extension" \
1343 -s "session successfully restored from cache" \
1344 -S "session successfully restored from ticket" \
1345 -s "a session has been resumed"
1346
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1347run_test "Session resume using cache: openssl server" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1348 "$O_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1349 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]1350 0 \
1351 -C "found session_ticket extension" \
1352 -C "parse new session ticket" \
1353 -c "a session has been resumed"
1354
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1355# Tests for Max Fragment Length extension
1356
Hanno Becker6428f8d2017-09-22 16:58:50 +0100[diff] [blame]1357MAX_CONTENT_LEN_EXPECT='16384'
1358MAX_CONTENT_LEN_CONFIG=$( ../scripts/config.pl get MBEDTLS_SSL_MAX_CONTENT_LEN)
1359
1360if [ -n "$MAX_CONTENT_LEN_CONFIG" ] && [ "$MAX_CONTENT_LEN_CONFIG" -ne "$MAX_CONTENT_LEN_EXPECT" ]; then
1361 printf "The ${CONFIG_H} file contains a value for the configuration of\n"
1362 printf "MBEDTLS_SSL_MAX_CONTENT_LEN that is different from the script’s\n"
1363 printf "test value of ${MAX_CONTENT_LEN_EXPECT}. \n"
1364 printf "\n"
1365 printf "The tests assume this value and if it changes, the tests in this\n"
1366 printf "script should also be adjusted.\n"
1367 printf "\n"
1368
1369 exit 1
1370fi
1371
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]1372requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1373run_test "Max fragment length: enabled, default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1374 "$P_SRV debug_level=3" \
1375 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1376 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1377 -c "Maximum fragment length is 16384" \
1378 -s "Maximum fragment length is 16384" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1379 -C "client hello, adding max_fragment_length extension" \
1380 -S "found max fragment length extension" \
1381 -S "server hello, max_fragment_length extension" \
1382 -C "found max_fragment_length extension"
1383
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]1384requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1385run_test "Max fragment length: enabled, default, larger message" \
1386 "$P_SRV debug_level=3" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]1387 "$P_CLI debug_level=3 request_size=16385" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1388 0 \
1389 -c "Maximum fragment length is 16384" \
1390 -s "Maximum fragment length is 16384" \
1391 -C "client hello, adding max_fragment_length extension" \
1392 -S "found max fragment length extension" \
1393 -S "server hello, max_fragment_length extension" \
1394 -C "found max_fragment_length extension" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]1395 -c "16385 bytes written in 2 fragments" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1396 -s "16384 bytes read" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]1397 -s "1 bytes read"
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1398
1399requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
1400run_test "Max fragment length, DTLS: enabled, default, larger message" \
1401 "$P_SRV debug_level=3 dtls=1" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]1402 "$P_CLI debug_level=3 dtls=1 request_size=16385" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1403 1 \
1404 -c "Maximum fragment length is 16384" \
1405 -s "Maximum fragment length is 16384" \
1406 -C "client hello, adding max_fragment_length extension" \
1407 -S "found max fragment length extension" \
1408 -S "server hello, max_fragment_length extension" \
1409 -C "found max_fragment_length extension" \
1410 -c "fragment larger than.*maximum "
1411
1412requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
1413run_test "Max fragment length: disabled, larger message" \
1414 "$P_SRV debug_level=3" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]1415 "$P_CLI debug_level=3 request_size=16385" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1416 0 \
1417 -C "Maximum fragment length is 16384" \
1418 -S "Maximum fragment length is 16384" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]1419 -c "16385 bytes written in 2 fragments" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1420 -s "16384 bytes read" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]1421 -s "1 bytes read"
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1422
1423requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
1424run_test "Max fragment length DTLS: disabled, larger message" \
1425 "$P_SRV debug_level=3 dtls=1" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]1426 "$P_CLI debug_level=3 dtls=1 request_size=16385" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1427 1 \
1428 -C "Maximum fragment length is 16384" \
1429 -S "Maximum fragment length is 16384" \
1430 -c "fragment larger than.*maximum "
1431
1432requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1433run_test "Max fragment length: used by client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1434 "$P_SRV debug_level=3" \
1435 "$P_CLI debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1436 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1437 -c "Maximum fragment length is 4096" \
1438 -s "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1439 -c "client hello, adding max_fragment_length extension" \
1440 -s "found max fragment length extension" \
1441 -s "server hello, max_fragment_length extension" \
1442 -c "found max_fragment_length extension"
1443
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]1444requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1445run_test "Max fragment length: used by server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1446 "$P_SRV debug_level=3 max_frag_len=4096" \
1447 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1448 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1449 -c "Maximum fragment length is 16384" \
1450 -s "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1451 -C "client hello, adding max_fragment_length extension" \
1452 -S "found max fragment length extension" \
1453 -S "server hello, max_fragment_length extension" \
1454 -C "found max_fragment_length extension"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1455
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]1456requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1457requires_gnutls
1458run_test "Max fragment length: gnutls server" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]1459 "$G_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1460 "$P_CLI debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]1461 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1462 -c "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]1463 -c "client hello, adding max_fragment_length extension" \
1464 -c "found max_fragment_length extension"
1465
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]1466requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1467run_test "Max fragment length: client, message just fits" \
1468 "$P_SRV debug_level=3" \
1469 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2048" \
1470 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1471 -c "Maximum fragment length is 2048" \
1472 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1473 -c "client hello, adding max_fragment_length extension" \
1474 -s "found max fragment length extension" \
1475 -s "server hello, max_fragment_length extension" \
1476 -c "found max_fragment_length extension" \
1477 -c "2048 bytes written in 1 fragments" \
1478 -s "2048 bytes read"
1479
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]1480requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1481run_test "Max fragment length: client, larger message" \
1482 "$P_SRV debug_level=3" \
1483 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2345" \
1484 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1485 -c "Maximum fragment length is 2048" \
1486 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1487 -c "client hello, adding max_fragment_length extension" \
1488 -s "found max fragment length extension" \
1489 -s "server hello, max_fragment_length extension" \
1490 -c "found max_fragment_length extension" \
1491 -c "2345 bytes written in 2 fragments" \
1492 -s "2048 bytes read" \
1493 -s "297 bytes read"
1494
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]1495requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard23eb74d2015-01-21 14:37:13 +0000[diff] [blame]1496run_test "Max fragment length: DTLS client, larger message" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1497 "$P_SRV debug_level=3 dtls=1" \
1498 "$P_CLI debug_level=3 dtls=1 max_frag_len=2048 request_size=2345" \
1499 1 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1500 -c "Maximum fragment length is 2048" \
1501 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1502 -c "client hello, adding max_fragment_length extension" \
1503 -s "found max fragment length extension" \
1504 -s "server hello, max_fragment_length extension" \
1505 -c "found max_fragment_length extension" \
1506 -c "fragment larger than.*maximum"
1507
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1508# Tests for renegotiation
1509
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1510# Renegotiation SCSV always added, regardless of SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1511run_test "Renegotiation: none, for reference" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1512 "$P_SRV debug_level=3 exchanges=2 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1513 "$P_CLI debug_level=3 exchanges=2" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1514 0 \
1515 -C "client hello, adding renegotiation extension" \
1516 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1517 -S "found renegotiation extension" \
1518 -s "server hello, secure renegotiation extension" \
1519 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1520 -C "=> renegotiate" \
1521 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1522 -S "write hello request"
1523
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1524requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1525run_test "Renegotiation: client-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1526 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1527 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1528 0 \
1529 -c "client hello, adding renegotiation extension" \
1530 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1531 -s "found renegotiation extension" \
1532 -s "server hello, secure renegotiation extension" \
1533 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1534 -c "=> renegotiate" \
1535 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1536 -S "write hello request"
1537
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1538requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1539run_test "Renegotiation: server-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1540 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1541 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1542 0 \
1543 -c "client hello, adding renegotiation extension" \
1544 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1545 -s "found renegotiation extension" \
1546 -s "server hello, secure renegotiation extension" \
1547 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1548 -c "=> renegotiate" \
1549 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1550 -s "write hello request"
1551
Janos Follathb0f148c2017-10-05 12:29:42 +0100[diff] [blame]1552# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that
1553# the server did not parse the Signature Algorithm extension. This test is valid only if an MD
1554# algorithm stronger than SHA-1 is enabled in config.h
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1555requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Janos Follathb0f148c2017-10-05 12:29:42 +0100[diff] [blame]1556run_test "Renegotiation: Signature Algorithms parsing, client-initiated" \
1557 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
1558 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
1559 0 \
1560 -c "client hello, adding renegotiation extension" \
1561 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1562 -s "found renegotiation extension" \
1563 -s "server hello, secure renegotiation extension" \
1564 -c "found renegotiation extension" \
1565 -c "=> renegotiate" \
1566 -s "=> renegotiate" \
1567 -S "write hello request" \
1568 -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?
1569
1570# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that
1571# the server did not parse the Signature Algorithm extension. This test is valid only if an MD
1572# algorithm stronger than SHA-1 is enabled in config.h
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1573requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Janos Follathb0f148c2017-10-05 12:29:42 +0100[diff] [blame]1574run_test "Renegotiation: Signature Algorithms parsing, server-initiated" \
1575 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
1576 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
1577 0 \
1578 -c "client hello, adding renegotiation extension" \
1579 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1580 -s "found renegotiation extension" \
1581 -s "server hello, secure renegotiation extension" \
1582 -c "found renegotiation extension" \
1583 -c "=> renegotiate" \
1584 -s "=> renegotiate" \
1585 -s "write hello request" \
1586 -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?
1587
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1588requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1589run_test "Renegotiation: double" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1590 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1591 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1592 0 \
1593 -c "client hello, adding renegotiation extension" \
1594 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1595 -s "found renegotiation extension" \
1596 -s "server hello, secure renegotiation extension" \
1597 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1598 -c "=> renegotiate" \
1599 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1600 -s "write hello request"
1601
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1602requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1603run_test "Renegotiation: client-initiated, server-rejected" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1604 "$P_SRV debug_level=3 exchanges=2 renegotiation=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1605 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1606 1 \
1607 -c "client hello, adding renegotiation extension" \
1608 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1609 -S "found renegotiation extension" \
1610 -s "server hello, secure renegotiation extension" \
1611 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1612 -c "=> renegotiate" \
1613 -S "=> renegotiate" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1614 -S "write hello request" \
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]1615 -c "SSL - Unexpected message at ServerHello in renegotiation" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1616 -c "failed"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1617
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1618requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1619run_test "Renegotiation: server-initiated, client-rejected, default" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1620 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1621 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1622 0 \
1623 -C "client hello, adding renegotiation extension" \
1624 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1625 -S "found renegotiation extension" \
1626 -s "server hello, secure renegotiation extension" \
1627 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1628 -C "=> renegotiate" \
1629 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1630 -s "write hello request" \
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +0200[diff] [blame]1631 -S "SSL - An unexpected message was received from our peer" \
1632 -S "failed"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]1633
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1634requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1635run_test "Renegotiation: server-initiated, client-rejected, not enforced" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1636 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1637 renego_delay=-1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1638 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1639 0 \
1640 -C "client hello, adding renegotiation extension" \
1641 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1642 -S "found renegotiation extension" \
1643 -s "server hello, secure renegotiation extension" \
1644 -c "found renegotiation extension" \
1645 -C "=> renegotiate" \
1646 -S "=> renegotiate" \
1647 -s "write hello request" \
1648 -S "SSL - An unexpected message was received from our peer" \
1649 -S "failed"
1650
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]1651# delay 2 for 1 alert record + 1 application data record
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1652requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1653run_test "Renegotiation: server-initiated, client-rejected, delay 2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1654 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1655 renego_delay=2 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1656 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1657 0 \
1658 -C "client hello, adding renegotiation extension" \
1659 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1660 -S "found renegotiation extension" \
1661 -s "server hello, secure renegotiation extension" \
1662 -c "found renegotiation extension" \
1663 -C "=> renegotiate" \
1664 -S "=> renegotiate" \
1665 -s "write hello request" \
1666 -S "SSL - An unexpected message was received from our peer" \
1667 -S "failed"
1668
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1669requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1670run_test "Renegotiation: server-initiated, client-rejected, delay 0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1671 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1672 renego_delay=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1673 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1674 0 \
1675 -C "client hello, adding renegotiation extension" \
1676 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1677 -S "found renegotiation extension" \
1678 -s "server hello, secure renegotiation extension" \
1679 -c "found renegotiation extension" \
1680 -C "=> renegotiate" \
1681 -S "=> renegotiate" \
1682 -s "write hello request" \
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]1683 -s "SSL - An unexpected message was received from our peer"
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1684
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1685requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1686run_test "Renegotiation: server-initiated, client-accepted, delay 0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1687 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1688 renego_delay=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1689 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1690 0 \
1691 -c "client hello, adding renegotiation extension" \
1692 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1693 -s "found renegotiation extension" \
1694 -s "server hello, secure renegotiation extension" \
1695 -c "found renegotiation extension" \
1696 -c "=> renegotiate" \
1697 -s "=> renegotiate" \
1698 -s "write hello request" \
1699 -S "SSL - An unexpected message was received from our peer" \
1700 -S "failed"
1701
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1702requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1703run_test "Renegotiation: periodic, just below period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1704 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1705 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
1706 0 \
1707 -C "client hello, adding renegotiation extension" \
1708 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1709 -S "found renegotiation extension" \
1710 -s "server hello, secure renegotiation extension" \
1711 -c "found renegotiation extension" \
1712 -S "record counter limit reached: renegotiate" \
1713 -C "=> renegotiate" \
1714 -S "=> renegotiate" \
1715 -S "write hello request" \
1716 -S "SSL - An unexpected message was received from our peer" \
1717 -S "failed"
1718
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]1719# one extra exchange to be able to complete renego
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1720requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1721run_test "Renegotiation: periodic, just above period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1722 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]1723 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1724 0 \
1725 -c "client hello, adding renegotiation extension" \
1726 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1727 -s "found renegotiation extension" \
1728 -s "server hello, secure renegotiation extension" \
1729 -c "found renegotiation extension" \
1730 -s "record counter limit reached: renegotiate" \
1731 -c "=> renegotiate" \
1732 -s "=> renegotiate" \
1733 -s "write hello request" \
1734 -S "SSL - An unexpected message was received from our peer" \
1735 -S "failed"
1736
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1737requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1738run_test "Renegotiation: periodic, two times period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1739 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]1740 "$P_CLI debug_level=3 exchanges=7 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1741 0 \
1742 -c "client hello, adding renegotiation extension" \
1743 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1744 -s "found renegotiation extension" \
1745 -s "server hello, secure renegotiation extension" \
1746 -c "found renegotiation extension" \
1747 -s "record counter limit reached: renegotiate" \
1748 -c "=> renegotiate" \
1749 -s "=> renegotiate" \
1750 -s "write hello request" \
1751 -S "SSL - An unexpected message was received from our peer" \
1752 -S "failed"
1753
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1754requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1755run_test "Renegotiation: periodic, above period, disabled" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1756 "$P_SRV debug_level=3 exchanges=9 renegotiation=0 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1757 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
1758 0 \
1759 -C "client hello, adding renegotiation extension" \
1760 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1761 -S "found renegotiation extension" \
1762 -s "server hello, secure renegotiation extension" \
1763 -c "found renegotiation extension" \
1764 -S "record counter limit reached: renegotiate" \
1765 -C "=> renegotiate" \
1766 -S "=> renegotiate" \
1767 -S "write hello request" \
1768 -S "SSL - An unexpected message was received from our peer" \
1769 -S "failed"
1770
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1771requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1772run_test "Renegotiation: nbio, client-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1773 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1774 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +0200[diff] [blame]1775 0 \
1776 -c "client hello, adding renegotiation extension" \
1777 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1778 -s "found renegotiation extension" \
1779 -s "server hello, secure renegotiation extension" \
1780 -c "found renegotiation extension" \
1781 -c "=> renegotiate" \
1782 -s "=> renegotiate" \
1783 -S "write hello request"
1784
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1785requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1786run_test "Renegotiation: nbio, server-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1787 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1788 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +0200[diff] [blame]1789 0 \
1790 -c "client hello, adding renegotiation extension" \
1791 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1792 -s "found renegotiation extension" \
1793 -s "server hello, secure renegotiation extension" \
1794 -c "found renegotiation extension" \
1795 -c "=> renegotiate" \
1796 -s "=> renegotiate" \
1797 -s "write hello request"
1798
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1799requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1800run_test "Renegotiation: openssl server, client-initiated" \
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]1801 "$O_SRV -www" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1802 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]1803 0 \
1804 -c "client hello, adding renegotiation extension" \
1805 -c "found renegotiation extension" \
1806 -c "=> renegotiate" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1807 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]1808 -C "error" \
1809 -c "HTTP/1.0 200 [Oo][Kk]"
1810
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1811requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1812requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1813run_test "Renegotiation: gnutls server strict, client-initiated" \
1814 "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1815 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]1816 0 \
1817 -c "client hello, adding renegotiation extension" \
1818 -c "found renegotiation extension" \
1819 -c "=> renegotiate" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1820 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]1821 -C "error" \
1822 -c "HTTP/1.0 200 [Oo][Kk]"
1823
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1824requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1825requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1826run_test "Renegotiation: gnutls server unsafe, client-initiated default" \
1827 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1828 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
1829 1 \
1830 -c "client hello, adding renegotiation extension" \
1831 -C "found renegotiation extension" \
1832 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1833 -c "mbedtls_ssl_handshake() returned" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1834 -c "error" \
1835 -C "HTTP/1.0 200 [Oo][Kk]"
1836
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1837requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1838requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1839run_test "Renegotiation: gnutls server unsafe, client-inititated no legacy" \
1840 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1841 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
1842 allow_legacy=0" \
1843 1 \
1844 -c "client hello, adding renegotiation extension" \
1845 -C "found renegotiation extension" \
1846 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1847 -c "mbedtls_ssl_handshake() returned" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1848 -c "error" \
1849 -C "HTTP/1.0 200 [Oo][Kk]"
1850
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1851requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1852requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1853run_test "Renegotiation: gnutls server unsafe, client-inititated legacy" \
1854 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1855 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
1856 allow_legacy=1" \
1857 0 \
1858 -c "client hello, adding renegotiation extension" \
1859 -C "found renegotiation extension" \
1860 -c "=> renegotiate" \
1861 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1862 -C "error" \
1863 -c "HTTP/1.0 200 [Oo][Kk]"
1864
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1865requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard30d16eb2014-08-19 17:43:50 +0200[diff] [blame]1866run_test "Renegotiation: DTLS, client-initiated" \
1867 "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1" \
1868 "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
1869 0 \
1870 -c "client hello, adding renegotiation extension" \
1871 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1872 -s "found renegotiation extension" \
1873 -s "server hello, secure renegotiation extension" \
1874 -c "found renegotiation extension" \
1875 -c "=> renegotiate" \
1876 -s "=> renegotiate" \
1877 -S "write hello request"
1878
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1879requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]1880run_test "Renegotiation: DTLS, server-initiated" \
1881 "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnarddf9a0a82014-10-02 14:17:18 +0200[diff] [blame]1882 "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 \
1883 read_timeout=1000 max_resend=2" \
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]1884 0 \
1885 -c "client hello, adding renegotiation extension" \
1886 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1887 -s "found renegotiation extension" \
1888 -s "server hello, secure renegotiation extension" \
1889 -c "found renegotiation extension" \
1890 -c "=> renegotiate" \
1891 -s "=> renegotiate" \
1892 -s "write hello request"
1893
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1894requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Andres AG692ad842017-01-19 16:30:57 +0000[diff] [blame]1895run_test "Renegotiation: DTLS, renego_period overflow" \
1896 "$P_SRV debug_level=3 dtls=1 exchanges=4 renegotiation=1 renego_period=18446462598732840962 auth_mode=optional" \
1897 "$P_CLI debug_level=3 dtls=1 exchanges=4 renegotiation=1" \
1898 0 \
1899 -c "client hello, adding renegotiation extension" \
1900 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1901 -s "found renegotiation extension" \
1902 -s "server hello, secure renegotiation extension" \
1903 -s "record counter limit reached: renegotiate" \
1904 -c "=> renegotiate" \
1905 -s "=> renegotiate" \
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1906 -s "write hello request"
Andres AG692ad842017-01-19 16:30:57 +0000[diff] [blame]1907
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]1908requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1909requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +0200[diff] [blame]1910run_test "Renegotiation: DTLS, gnutls server, client-initiated" \
1911 "$G_SRV -u --mtu 4096" \
1912 "$P_CLI debug_level=3 dtls=1 exchanges=1 renegotiation=1 renegotiate=1" \
1913 0 \
1914 -c "client hello, adding renegotiation extension" \
1915 -c "found renegotiation extension" \
1916 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1917 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +0200[diff] [blame]1918 -C "error" \
1919 -s "Extra-header:"
1920
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1921# Test for the "secure renegotation" extension only (no actual renegotiation)
1922
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1923requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1924run_test "Renego ext: gnutls server strict, client default" \
1925 "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
1926 "$P_CLI debug_level=3" \
1927 0 \
1928 -c "found renegotiation extension" \
1929 -C "error" \
1930 -c "HTTP/1.0 200 [Oo][Kk]"
1931
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1932requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1933run_test "Renego ext: gnutls server unsafe, client default" \
1934 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1935 "$P_CLI debug_level=3" \
1936 0 \
1937 -C "found renegotiation extension" \
1938 -C "error" \
1939 -c "HTTP/1.0 200 [Oo][Kk]"
1940
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1941requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1942run_test "Renego ext: gnutls server unsafe, client break legacy" \
1943 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1944 "$P_CLI debug_level=3 allow_legacy=-1" \
1945 1 \
1946 -C "found renegotiation extension" \
1947 -c "error" \
1948 -C "HTTP/1.0 200 [Oo][Kk]"
1949
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1950requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1951run_test "Renego ext: gnutls client strict, server default" \
1952 "$P_SRV debug_level=3" \
1953 "$G_CLI --priority=NORMAL:%SAFE_RENEGOTIATION" \
1954 0 \
1955 -s "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
1956 -s "server hello, secure renegotiation extension"
1957
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1958requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1959run_test "Renego ext: gnutls client unsafe, server default" \
1960 "$P_SRV debug_level=3" \
1961 "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1962 0 \
1963 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
1964 -S "server hello, secure renegotiation extension"
1965
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1966requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1967run_test "Renego ext: gnutls client unsafe, server break legacy" \
1968 "$P_SRV debug_level=3 allow_legacy=-1" \
1969 "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1970 1 \
1971 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
1972 -S "server hello, secure renegotiation extension"
1973
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]1974# Tests for silently dropping trailing extra bytes in .der certificates
1975
1976requires_gnutls
1977run_test "DER format: no trailing bytes" \
1978 "$P_SRV crt_file=data_files/server5-der0.crt \
1979 key_file=data_files/server5.key" \
1980 "$G_CLI " \
1981 0 \
1982 -c "Handshake was completed" \
1983
1984requires_gnutls
1985run_test "DER format: with a trailing zero byte" \
1986 "$P_SRV crt_file=data_files/server5-der1a.crt \
1987 key_file=data_files/server5.key" \
1988 "$G_CLI " \
1989 0 \
1990 -c "Handshake was completed" \
1991
1992requires_gnutls
1993run_test "DER format: with a trailing random byte" \
1994 "$P_SRV crt_file=data_files/server5-der1b.crt \
1995 key_file=data_files/server5.key" \
1996 "$G_CLI " \
1997 0 \
1998 -c "Handshake was completed" \
1999
2000requires_gnutls
2001run_test "DER format: with 2 trailing random bytes" \
2002 "$P_SRV crt_file=data_files/server5-der2.crt \
2003 key_file=data_files/server5.key" \
2004 "$G_CLI " \
2005 0 \
2006 -c "Handshake was completed" \
2007
2008requires_gnutls
2009run_test "DER format: with 4 trailing random bytes" \
2010 "$P_SRV crt_file=data_files/server5-der4.crt \
2011 key_file=data_files/server5.key" \
2012 "$G_CLI " \
2013 0 \
2014 -c "Handshake was completed" \
2015
2016requires_gnutls
2017run_test "DER format: with 8 trailing random bytes" \
2018 "$P_SRV crt_file=data_files/server5-der8.crt \
2019 key_file=data_files/server5.key" \
2020 "$G_CLI " \
2021 0 \
2022 -c "Handshake was completed" \
2023
2024requires_gnutls
2025run_test "DER format: with 9 trailing random bytes" \
2026 "$P_SRV crt_file=data_files/server5-der9.crt \
2027 key_file=data_files/server5.key" \
2028 "$G_CLI " \
2029 0 \
2030 -c "Handshake was completed" \
2031
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2032# Tests for auth_mode
2033
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2034run_test "Authentication: server badcert, client required" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2035 "$P_SRV crt_file=data_files/server5-badsign.crt \
2036 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2037 "$P_CLI debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2038 1 \
2039 -c "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2040 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2041 -c "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2042 -c "X509 - Certificate verification failed"
2043
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2044run_test "Authentication: server badcert, client optional" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2045 "$P_SRV crt_file=data_files/server5-badsign.crt \
2046 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2047 "$P_CLI debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2048 0 \
2049 -c "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2050 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2051 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2052 -C "X509 - Certificate verification failed"
2053
Hanno Beckere6706e62017-05-15 16:05:15 +0100[diff] [blame]2054run_test "Authentication: server goodcert, client optional, no trusted CA" \
2055 "$P_SRV" \
2056 "$P_CLI debug_level=3 auth_mode=optional ca_file=none ca_path=none" \
2057 0 \
2058 -c "x509_verify_cert() returned" \
2059 -c "! The certificate is not correctly signed by the trusted CA" \
2060 -c "! Certificate verification flags"\
2061 -C "! mbedtls_ssl_handshake returned" \
2062 -C "X509 - Certificate verification failed" \
2063 -C "SSL - No CA Chain is set, but required to operate"
2064
2065run_test "Authentication: server goodcert, client required, no trusted CA" \
2066 "$P_SRV" \
2067 "$P_CLI debug_level=3 auth_mode=required ca_file=none ca_path=none" \
2068 1 \
2069 -c "x509_verify_cert() returned" \
2070 -c "! The certificate is not correctly signed by the trusted CA" \
2071 -c "! Certificate verification flags"\
2072 -c "! mbedtls_ssl_handshake returned" \
2073 -c "SSL - No CA Chain is set, but required to operate"
2074
2075# The purpose of the next two tests is to test the client's behaviour when receiving a server
2076# certificate with an unsupported elliptic curve. This should usually not happen because
2077# the client informs the server about the supported curves - it does, though, in the
2078# corner case of a static ECDH suite, because the server doesn't check the curve on that
2079# occasion (to be fixed). If that bug's fixed, the test needs to be altered to use a
2080# different means to have the server ignoring the client's supported curve list.
2081
2082requires_config_enabled MBEDTLS_ECP_C
2083run_test "Authentication: server ECDH p256v1, client required, p256v1 unsupported" \
2084 "$P_SRV debug_level=1 key_file=data_files/server5.key \
2085 crt_file=data_files/server5.ku-ka.crt" \
2086 "$P_CLI debug_level=3 auth_mode=required curves=secp521r1" \
2087 1 \
2088 -c "bad certificate (EC key curve)"\
2089 -c "! Certificate verification flags"\
2090 -C "bad server certificate (ECDH curve)" # Expect failure at earlier verification stage
2091
2092requires_config_enabled MBEDTLS_ECP_C
2093run_test "Authentication: server ECDH p256v1, client optional, p256v1 unsupported" \
2094 "$P_SRV debug_level=1 key_file=data_files/server5.key \
2095 crt_file=data_files/server5.ku-ka.crt" \
2096 "$P_CLI debug_level=3 auth_mode=optional curves=secp521r1" \
2097 1 \
2098 -c "bad certificate (EC key curve)"\
2099 -c "! Certificate verification flags"\
2100 -c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check
2101
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2102run_test "Authentication: server badcert, client none" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]2103 "$P_SRV crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2104 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2105 "$P_CLI debug_level=1 auth_mode=none" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2106 0 \
2107 -C "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2108 -C "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2109 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2110 -C "X509 - Certificate verification failed"
2111
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]2112run_test "Authentication: client SHA256, server required" \
2113 "$P_SRV auth_mode=required" \
2114 "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
2115 key_file=data_files/server6.key \
2116 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
2117 0 \
2118 -c "Supported Signature Algorithm found: 4," \
2119 -c "Supported Signature Algorithm found: 5,"
2120
2121run_test "Authentication: client SHA384, server required" \
2122 "$P_SRV auth_mode=required" \
2123 "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
2124 key_file=data_files/server6.key \
2125 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
2126 0 \
2127 -c "Supported Signature Algorithm found: 4," \
2128 -c "Supported Signature Algorithm found: 5,"
2129
Gilles Peskinefd8332e2017-05-03 16:25:07 +0200[diff] [blame]2130requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
2131run_test "Authentication: client has no cert, server required (SSLv3)" \
2132 "$P_SRV debug_level=3 min_version=ssl3 auth_mode=required" \
2133 "$P_CLI debug_level=3 force_version=ssl3 crt_file=none \
2134 key_file=data_files/server5.key" \
2135 1 \
2136 -S "skip write certificate request" \
2137 -C "skip parse certificate request" \
2138 -c "got a certificate request" \
2139 -c "got no certificate to send" \
2140 -S "x509_verify_cert() returned" \
2141 -s "client has no certificate" \
2142 -s "! mbedtls_ssl_handshake returned" \
2143 -c "! mbedtls_ssl_handshake returned" \
2144 -s "No client certification received from the client, but required by the authentication mode"
2145
2146run_test "Authentication: client has no cert, server required (TLS)" \
2147 "$P_SRV debug_level=3 auth_mode=required" \
2148 "$P_CLI debug_level=3 crt_file=none \
2149 key_file=data_files/server5.key" \
2150 1 \
2151 -S "skip write certificate request" \
2152 -C "skip parse certificate request" \
2153 -c "got a certificate request" \
2154 -c "= write certificate$" \
2155 -C "skip write certificate$" \
2156 -S "x509_verify_cert() returned" \
2157 -s "client has no certificate" \
2158 -s "! mbedtls_ssl_handshake returned" \
2159 -c "! mbedtls_ssl_handshake returned" \
2160 -s "No client certification received from the client, but required by the authentication mode"
2161
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2162run_test "Authentication: client badcert, server required" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2163 "$P_SRV debug_level=3 auth_mode=required" \
2164 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2165 key_file=data_files/server5.key" \
2166 1 \
2167 -S "skip write certificate request" \
2168 -C "skip parse certificate request" \
2169 -c "got a certificate request" \
2170 -C "skip write certificate" \
2171 -C "skip write certificate verify" \
2172 -S "skip parse certificate verify" \
2173 -s "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2174 -s "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2175 -s "! mbedtls_ssl_handshake returned" \
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2176 -s "send alert level=2 message=48" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2177 -c "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2178 -s "X509 - Certificate verification failed"
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2179# We don't check that the client receives the alert because it might
2180# detect that its write end of the connection is closed and abort
2181# before reading the alert message.
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2182
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]2183run_test "Authentication: client cert not trusted, server required" \
2184 "$P_SRV debug_level=3 auth_mode=required" \
2185 "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
2186 key_file=data_files/server5.key" \
2187 1 \
2188 -S "skip write certificate request" \
2189 -C "skip parse certificate request" \
2190 -c "got a certificate request" \
2191 -C "skip write certificate" \
2192 -C "skip write certificate verify" \
2193 -S "skip parse certificate verify" \
2194 -s "x509_verify_cert() returned" \
2195 -s "! The certificate is not correctly signed by the trusted CA" \
2196 -s "! mbedtls_ssl_handshake returned" \
2197 -c "! mbedtls_ssl_handshake returned" \
2198 -s "X509 - Certificate verification failed"
2199
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2200run_test "Authentication: client badcert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2201 "$P_SRV debug_level=3 auth_mode=optional" \
2202 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2203 key_file=data_files/server5.key" \
2204 0 \
2205 -S "skip write certificate request" \
2206 -C "skip parse certificate request" \
2207 -c "got a certificate request" \
2208 -C "skip write certificate" \
2209 -C "skip write certificate verify" \
2210 -S "skip parse certificate verify" \
2211 -s "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2212 -s "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2213 -S "! mbedtls_ssl_handshake returned" \
2214 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2215 -S "X509 - Certificate verification failed"
2216
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2217run_test "Authentication: client badcert, server none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2218 "$P_SRV debug_level=3 auth_mode=none" \
2219 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2220 key_file=data_files/server5.key" \
2221 0 \
2222 -s "skip write certificate request" \
2223 -C "skip parse certificate request" \
2224 -c "got no certificate request" \
2225 -c "skip write certificate" \
2226 -c "skip write certificate verify" \
2227 -s "skip parse certificate verify" \
2228 -S "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2229 -S "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2230 -S "! mbedtls_ssl_handshake returned" \
2231 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2232 -S "X509 - Certificate verification failed"
2233
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2234run_test "Authentication: client no cert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2235 "$P_SRV debug_level=3 auth_mode=optional" \
2236 "$P_CLI debug_level=3 crt_file=none key_file=none" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2237 0 \
2238 -S "skip write certificate request" \
2239 -C "skip parse certificate request" \
2240 -c "got a certificate request" \
2241 -C "skip write certificate$" \
2242 -C "got no certificate to send" \
2243 -S "SSLv3 client has no certificate" \
2244 -c "skip write certificate verify" \
2245 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2246 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2247 -S "! mbedtls_ssl_handshake returned" \
2248 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2249 -S "X509 - Certificate verification failed"
2250
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2251run_test "Authentication: openssl client no cert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2252 "$P_SRV debug_level=3 auth_mode=optional" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2253 "$O_CLI" \
2254 0 \
2255 -S "skip write certificate request" \
2256 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2257 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2258 -S "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2259 -S "X509 - Certificate verification failed"
2260
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2261run_test "Authentication: client no cert, openssl server optional" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2262 "$O_SRV -verify 10" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2263 "$P_CLI debug_level=3 crt_file=none key_file=none" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2264 0 \
2265 -C "skip parse certificate request" \
2266 -c "got a certificate request" \
2267 -C "skip write certificate$" \
2268 -c "skip write certificate verify" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2269 -C "! mbedtls_ssl_handshake returned"
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2270
Gilles Peskinefd8332e2017-05-03 16:25:07 +0200[diff] [blame]2271run_test "Authentication: client no cert, openssl server required" \
2272 "$O_SRV -Verify 10" \
2273 "$P_CLI debug_level=3 crt_file=none key_file=none" \
2274 1 \
2275 -C "skip parse certificate request" \
2276 -c "got a certificate request" \
2277 -C "skip write certificate$" \
2278 -c "skip write certificate verify" \
2279 -c "! mbedtls_ssl_handshake returned"
2280
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]2281requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2282run_test "Authentication: client no cert, ssl3" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2283 "$P_SRV debug_level=3 auth_mode=optional force_version=ssl3" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]2284 "$P_CLI debug_level=3 crt_file=none key_file=none min_version=ssl3" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2285 0 \
2286 -S "skip write certificate request" \
2287 -C "skip parse certificate request" \
2288 -c "got a certificate request" \
2289 -C "skip write certificate$" \
2290 -c "skip write certificate verify" \
2291 -c "got no certificate to send" \
2292 -s "SSLv3 client has no certificate" \
2293 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2294 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2295 -S "! mbedtls_ssl_handshake returned" \
2296 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2297 -S "X509 - Certificate verification failed"
2298
Manuel Pégourié-Gonnard9107b5f2017-07-06 12:16:25 +0200[diff] [blame]2299# The "max_int chain" tests assume that MAX_INTERMEDIATE_CA is set to its
2300# default value (8)
Hanno Beckera6bca9f2017-07-26 13:35:11 +0100[diff] [blame]2301
Simon Butcherbcfa6f42017-07-28 15:59:35 +0100[diff] [blame]2302MAX_IM_CA='8'
Simon Butcher06b78632017-07-28 01:00:17 +0100[diff] [blame]2303MAX_IM_CA_CONFIG=$( ../scripts/config.pl get MBEDTLS_X509_MAX_INTERMEDIATE_CA)
Hanno Beckera6bca9f2017-07-26 13:35:11 +0100[diff] [blame]2304
Simon Butcherbcfa6f42017-07-28 15:59:35 +0100[diff] [blame]2305if [ -n "$MAX_IM_CA_CONFIG" ] && [ "$MAX_IM_CA_CONFIG" -ne "$MAX_IM_CA" ]; then
Simon Butcher06b78632017-07-28 01:00:17 +0100[diff] [blame]2306 printf "The ${CONFIG_H} file contains a value for the configuration of\n"
Simon Butcherbcfa6f42017-07-28 15:59:35 +0100[diff] [blame]2307 printf "MBEDTLS_X509_MAX_INTERMEDIATE_CA that is different from the script’s\n"
Simon Butcher06b78632017-07-28 01:00:17 +0100[diff] [blame]2308 printf "test value of ${MAX_IM_CA}. \n"
2309 printf "\n"
Simon Butcherbcfa6f42017-07-28 15:59:35 +0100[diff] [blame]2310 printf "The tests assume this value and if it changes, the tests in this\n"
2311 printf "script should also be adjusted.\n"
Simon Butcher06b78632017-07-28 01:00:17 +0100[diff] [blame]2312 printf "\n"
Simon Butcher06b78632017-07-28 01:00:17 +0100[diff] [blame]2313
2314 exit 1
Hanno Beckera6bca9f2017-07-26 13:35:11 +0100[diff] [blame]2315fi
2316
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]2317run_test "Authentication: server max_int chain, client default" \
2318 "$P_SRV crt_file=data_files/dir-maxpath/c09.pem \
2319 key_file=data_files/dir-maxpath/09.key" \
2320 "$P_CLI server_name=CA09 ca_file=data_files/dir-maxpath/00.crt" \
2321 0 \
2322 -C "X509 - A fatal error occured"
2323
2324run_test "Authentication: server max_int+1 chain, client default" \
2325 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
2326 key_file=data_files/dir-maxpath/10.key" \
2327 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt" \
2328 1 \
2329 -c "X509 - A fatal error occured"
2330
2331run_test "Authentication: server max_int+1 chain, client optional" \
2332 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
2333 key_file=data_files/dir-maxpath/10.key" \
2334 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
2335 auth_mode=optional" \
2336 1 \
2337 -c "X509 - A fatal error occured"
2338
2339run_test "Authentication: server max_int+1 chain, client none" \
2340 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
2341 key_file=data_files/dir-maxpath/10.key" \
2342 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
2343 auth_mode=none" \
2344 0 \
2345 -C "X509 - A fatal error occured"
2346
2347run_test "Authentication: client max_int+1 chain, server default" \
2348 "$P_SRV ca_file=data_files/dir-maxpath/00.crt" \
2349 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
2350 key_file=data_files/dir-maxpath/10.key" \
2351 0 \
2352 -S "X509 - A fatal error occured"
2353
2354run_test "Authentication: client max_int+1 chain, server optional" \
2355 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=optional" \
2356 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
2357 key_file=data_files/dir-maxpath/10.key" \
2358 1 \
2359 -s "X509 - A fatal error occured"
2360
2361run_test "Authentication: client max_int+1 chain, server required" \
2362 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
2363 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
2364 key_file=data_files/dir-maxpath/10.key" \
2365 1 \
2366 -s "X509 - A fatal error occured"
2367
2368run_test "Authentication: client max_int chain, server required" \
2369 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
2370 "$P_CLI crt_file=data_files/dir-maxpath/c09.pem \
2371 key_file=data_files/dir-maxpath/09.key" \
2372 0 \
2373 -S "X509 - A fatal error occured"
2374
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]2375# Tests for CA list in CertificateRequest messages
2376
2377run_test "Authentication: send CA list in CertificateRequest (default)" \
2378 "$P_SRV debug_level=3 auth_mode=required" \
2379 "$P_CLI crt_file=data_files/server6.crt \
2380 key_file=data_files/server6.key" \
2381 0 \
2382 -s "requested DN"
2383
2384run_test "Authentication: do not send CA list in CertificateRequest" \
2385 "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \
2386 "$P_CLI crt_file=data_files/server6.crt \
2387 key_file=data_files/server6.key" \
2388 0 \
2389 -S "requested DN"
2390
2391run_test "Authentication: send CA list in CertificateRequest, client self signed" \
2392 "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \
2393 "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
2394 key_file=data_files/server5.key" \
2395 1 \
2396 -S "requested DN" \
2397 -s "x509_verify_cert() returned" \
2398 -s "! The certificate is not correctly signed by the trusted CA" \
2399 -s "! mbedtls_ssl_handshake returned" \
2400 -c "! mbedtls_ssl_handshake returned" \
2401 -s "X509 - Certificate verification failed"
2402
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]2403# Tests for certificate selection based on SHA verson
2404
2405run_test "Certificate hash: client TLS 1.2 -> SHA-2" \
2406 "$P_SRV crt_file=data_files/server5.crt \
2407 key_file=data_files/server5.key \
2408 crt_file2=data_files/server5-sha1.crt \
2409 key_file2=data_files/server5.key" \
2410 "$P_CLI force_version=tls1_2" \
2411 0 \
2412 -c "signed using.*ECDSA with SHA256" \
2413 -C "signed using.*ECDSA with SHA1"
2414
2415run_test "Certificate hash: client TLS 1.1 -> SHA-1" \
2416 "$P_SRV crt_file=data_files/server5.crt \
2417 key_file=data_files/server5.key \
2418 crt_file2=data_files/server5-sha1.crt \
2419 key_file2=data_files/server5.key" \
2420 "$P_CLI force_version=tls1_1" \
2421 0 \
2422 -C "signed using.*ECDSA with SHA256" \
2423 -c "signed using.*ECDSA with SHA1"
2424
2425run_test "Certificate hash: client TLS 1.0 -> SHA-1" \
2426 "$P_SRV crt_file=data_files/server5.crt \
2427 key_file=data_files/server5.key \
2428 crt_file2=data_files/server5-sha1.crt \
2429 key_file2=data_files/server5.key" \
2430 "$P_CLI force_version=tls1" \
2431 0 \
2432 -C "signed using.*ECDSA with SHA256" \
2433 -c "signed using.*ECDSA with SHA1"
2434
2435run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 1)" \
2436 "$P_SRV crt_file=data_files/server5.crt \
2437 key_file=data_files/server5.key \
2438 crt_file2=data_files/server6.crt \
2439 key_file2=data_files/server6.key" \
2440 "$P_CLI force_version=tls1_1" \
2441 0 \
2442 -c "serial number.*09" \
2443 -c "signed using.*ECDSA with SHA256" \
2444 -C "signed using.*ECDSA with SHA1"
2445
2446run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 2)" \
2447 "$P_SRV crt_file=data_files/server6.crt \
2448 key_file=data_files/server6.key \
2449 crt_file2=data_files/server5.crt \
2450 key_file2=data_files/server5.key" \
2451 "$P_CLI force_version=tls1_1" \
2452 0 \
2453 -c "serial number.*0A" \
2454 -c "signed using.*ECDSA with SHA256" \
2455 -C "signed using.*ECDSA with SHA1"
2456
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2457# tests for SNI
2458
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2459run_test "SNI: no SNI callback" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2460 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2461 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2462 "$P_CLI server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2463 0 \
2464 -S "parse ServerName extension" \
2465 -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
2466 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2467
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2468run_test "SNI: matching cert 1" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2469 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2470 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]2471 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2472 "$P_CLI server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2473 0 \
2474 -s "parse ServerName extension" \
2475 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
2476 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2477
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2478run_test "SNI: matching cert 2" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2479 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2480 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]2481 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2482 "$P_CLI server_name=polarssl.example" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2483 0 \
2484 -s "parse ServerName extension" \
2485 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
2486 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2487
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2488run_test "SNI: no matching cert" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2489 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2490 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]2491 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2492 "$P_CLI server_name=nonesuch.example" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2493 1 \
2494 -s "parse ServerName extension" \
2495 -s "ssl_sni_wrapper() returned" \
2496 -s "mbedtls_ssl_handshake returned" \
2497 -c "mbedtls_ssl_handshake returned" \
2498 -c "SSL - A fatal alert message was received from our peer"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2499
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]2500run_test "SNI: client auth no override: optional" \
2501 "$P_SRV debug_level=3 auth_mode=optional \
2502 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2503 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
2504 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2505 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]2506 -S "skip write certificate request" \
2507 -C "skip parse certificate request" \
2508 -c "got a certificate request" \
2509 -C "skip write certificate" \
2510 -C "skip write certificate verify" \
2511 -S "skip parse certificate verify"
2512
2513run_test "SNI: client auth override: none -> optional" \
2514 "$P_SRV debug_level=3 auth_mode=none \
2515 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2516 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
2517 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2518 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]2519 -S "skip write certificate request" \
2520 -C "skip parse certificate request" \
2521 -c "got a certificate request" \
2522 -C "skip write certificate" \
2523 -C "skip write certificate verify" \
2524 -S "skip parse certificate verify"
2525
2526run_test "SNI: client auth override: optional -> none" \
2527 "$P_SRV debug_level=3 auth_mode=optional \
2528 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2529 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
2530 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2531 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]2532 -s "skip write certificate request" \
2533 -C "skip parse certificate request" \
2534 -c "got no certificate request" \
2535 -c "skip write certificate" \
2536 -c "skip write certificate verify" \
2537 -s "skip parse certificate verify"
2538
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2539run_test "SNI: CA no override" \
2540 "$P_SRV debug_level=3 auth_mode=optional \
2541 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2542 ca_file=data_files/test-ca.crt \
2543 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
2544 "$P_CLI debug_level=3 server_name=localhost \
2545 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2546 1 \
2547 -S "skip write certificate request" \
2548 -C "skip parse certificate request" \
2549 -c "got a certificate request" \
2550 -C "skip write certificate" \
2551 -C "skip write certificate verify" \
2552 -S "skip parse certificate verify" \
2553 -s "x509_verify_cert() returned" \
2554 -s "! The certificate is not correctly signed by the trusted CA" \
2555 -S "The certificate has been revoked (is on a CRL)"
2556
2557run_test "SNI: CA override" \
2558 "$P_SRV debug_level=3 auth_mode=optional \
2559 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2560 ca_file=data_files/test-ca.crt \
2561 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
2562 "$P_CLI debug_level=3 server_name=localhost \
2563 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2564 0 \
2565 -S "skip write certificate request" \
2566 -C "skip parse certificate request" \
2567 -c "got a certificate request" \
2568 -C "skip write certificate" \
2569 -C "skip write certificate verify" \
2570 -S "skip parse certificate verify" \
2571 -S "x509_verify_cert() returned" \
2572 -S "! The certificate is not correctly signed by the trusted CA" \
2573 -S "The certificate has been revoked (is on a CRL)"
2574
2575run_test "SNI: CA override with CRL" \
2576 "$P_SRV debug_level=3 auth_mode=optional \
2577 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2578 ca_file=data_files/test-ca.crt \
2579 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
2580 "$P_CLI debug_level=3 server_name=localhost \
2581 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2582 1 \
2583 -S "skip write certificate request" \
2584 -C "skip parse certificate request" \
2585 -c "got a certificate request" \
2586 -C "skip write certificate" \
2587 -C "skip write certificate verify" \
2588 -S "skip parse certificate verify" \
2589 -s "x509_verify_cert() returned" \
2590 -S "! The certificate is not correctly signed by the trusted CA" \
2591 -s "The certificate has been revoked (is on a CRL)"
2592
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2593# Tests for non-blocking I/O: exercise a variety of handshake flows
2594
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2595run_test "Non-blocking I/O: basic handshake" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2596 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
2597 "$P_CLI nbio=2 tickets=0" \
2598 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2599 -S "mbedtls_ssl_handshake returned" \
2600 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2601 -c "Read from server: .* bytes read"
2602
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2603run_test "Non-blocking I/O: client auth" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2604 "$P_SRV nbio=2 tickets=0 auth_mode=required" \
2605 "$P_CLI nbio=2 tickets=0" \
2606 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2607 -S "mbedtls_ssl_handshake returned" \
2608 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2609 -c "Read from server: .* bytes read"
2610
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2611run_test "Non-blocking I/O: ticket" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2612 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
2613 "$P_CLI nbio=2 tickets=1" \
2614 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2615 -S "mbedtls_ssl_handshake returned" \
2616 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2617 -c "Read from server: .* bytes read"
2618
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2619run_test "Non-blocking I/O: ticket + client auth" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2620 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
2621 "$P_CLI nbio=2 tickets=1" \
2622 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2623 -S "mbedtls_ssl_handshake returned" \
2624 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2625 -c "Read from server: .* bytes read"
2626
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2627run_test "Non-blocking I/O: ticket + client auth + resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2628 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
2629 "$P_CLI nbio=2 tickets=1 reconnect=1" \
2630 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2631 -S "mbedtls_ssl_handshake returned" \
2632 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2633 -c "Read from server: .* bytes read"
2634
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2635run_test "Non-blocking I/O: ticket + resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2636 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
2637 "$P_CLI nbio=2 tickets=1 reconnect=1" \
2638 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2639 -S "mbedtls_ssl_handshake returned" \
2640 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2641 -c "Read from server: .* bytes read"
2642
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2643run_test "Non-blocking I/O: session-id resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2644 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
2645 "$P_CLI nbio=2 tickets=0 reconnect=1" \
2646 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2647 -S "mbedtls_ssl_handshake returned" \
2648 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2649 -c "Read from server: .* bytes read"
2650
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2651# Tests for version negotiation
2652
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2653run_test "Version check: all -> 1.2" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2654 "$P_SRV" \
2655 "$P_CLI" \
2656 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2657 -S "mbedtls_ssl_handshake returned" \
2658 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2659 -s "Protocol is TLSv1.2" \
2660 -c "Protocol is TLSv1.2"
2661
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2662run_test "Version check: cli max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2663 "$P_SRV" \
2664 "$P_CLI max_version=tls1_1" \
2665 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2666 -S "mbedtls_ssl_handshake returned" \
2667 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2668 -s "Protocol is TLSv1.1" \
2669 -c "Protocol is TLSv1.1"
2670
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2671run_test "Version check: srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2672 "$P_SRV max_version=tls1_1" \
2673 "$P_CLI" \
2674 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2675 -S "mbedtls_ssl_handshake returned" \
2676 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2677 -s "Protocol is TLSv1.1" \
2678 -c "Protocol is TLSv1.1"
2679
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2680run_test "Version check: cli+srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2681 "$P_SRV max_version=tls1_1" \
2682 "$P_CLI max_version=tls1_1" \
2683 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2684 -S "mbedtls_ssl_handshake returned" \
2685 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2686 -s "Protocol is TLSv1.1" \
2687 -c "Protocol is TLSv1.1"
2688
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2689run_test "Version check: cli max 1.1, srv min 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2690 "$P_SRV min_version=tls1_1" \
2691 "$P_CLI max_version=tls1_1" \
2692 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2693 -S "mbedtls_ssl_handshake returned" \
2694 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2695 -s "Protocol is TLSv1.1" \
2696 -c "Protocol is TLSv1.1"
2697
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2698run_test "Version check: cli min 1.1, srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2699 "$P_SRV max_version=tls1_1" \
2700 "$P_CLI min_version=tls1_1" \
2701 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2702 -S "mbedtls_ssl_handshake returned" \
2703 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2704 -s "Protocol is TLSv1.1" \
2705 -c "Protocol is TLSv1.1"
2706
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2707run_test "Version check: cli min 1.2, srv max 1.1 -> fail" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2708 "$P_SRV max_version=tls1_1" \
2709 "$P_CLI min_version=tls1_2" \
2710 1 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2711 -s "mbedtls_ssl_handshake returned" \
2712 -c "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2713 -c "SSL - Handshake protocol not within min/max boundaries"
2714
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2715run_test "Version check: srv min 1.2, cli max 1.1 -> fail" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2716 "$P_SRV min_version=tls1_2" \
2717 "$P_CLI max_version=tls1_1" \
2718 1 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2719 -s "mbedtls_ssl_handshake returned" \
2720 -c "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2721 -s "SSL - Handshake protocol not within min/max boundaries"
2722
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2723# Tests for ALPN extension
2724
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2725run_test "ALPN: none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2726 "$P_SRV debug_level=3" \
2727 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2728 0 \
2729 -C "client hello, adding alpn extension" \
2730 -S "found alpn extension" \
2731 -C "got an alert message, type: \\[2:120]" \
2732 -S "server hello, adding alpn extension" \
2733 -C "found alpn extension " \
2734 -C "Application Layer Protocol is" \
2735 -S "Application Layer Protocol is"
2736
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2737run_test "ALPN: client only" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2738 "$P_SRV debug_level=3" \
2739 "$P_CLI debug_level=3 alpn=abc,1234" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2740 0 \
2741 -c "client hello, adding alpn extension" \
2742 -s "found alpn extension" \
2743 -C "got an alert message, type: \\[2:120]" \
2744 -S "server hello, adding alpn extension" \
2745 -C "found alpn extension " \
2746 -c "Application Layer Protocol is (none)" \
2747 -S "Application Layer Protocol is"
2748
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2749run_test "ALPN: server only" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2750 "$P_SRV debug_level=3 alpn=abc,1234" \
2751 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2752 0 \
2753 -C "client hello, adding alpn extension" \
2754 -S "found alpn extension" \
2755 -C "got an alert message, type: \\[2:120]" \
2756 -S "server hello, adding alpn extension" \
2757 -C "found alpn extension " \
2758 -C "Application Layer Protocol is" \
2759 -s "Application Layer Protocol is (none)"
2760
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2761run_test "ALPN: both, common cli1-srv1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2762 "$P_SRV debug_level=3 alpn=abc,1234" \
2763 "$P_CLI debug_level=3 alpn=abc,1234" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2764 0 \
2765 -c "client hello, adding alpn extension" \
2766 -s "found alpn extension" \
2767 -C "got an alert message, type: \\[2:120]" \
2768 -s "server hello, adding alpn extension" \
2769 -c "found alpn extension" \
2770 -c "Application Layer Protocol is abc" \
2771 -s "Application Layer Protocol is abc"
2772
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2773run_test "ALPN: both, common cli2-srv1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2774 "$P_SRV debug_level=3 alpn=abc,1234" \
2775 "$P_CLI debug_level=3 alpn=1234,abc" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2776 0 \
2777 -c "client hello, adding alpn extension" \
2778 -s "found alpn extension" \
2779 -C "got an alert message, type: \\[2:120]" \
2780 -s "server hello, adding alpn extension" \
2781 -c "found alpn extension" \
2782 -c "Application Layer Protocol is abc" \
2783 -s "Application Layer Protocol is abc"
2784
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2785run_test "ALPN: both, common cli1-srv2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2786 "$P_SRV debug_level=3 alpn=abc,1234" \
2787 "$P_CLI debug_level=3 alpn=1234,abcde" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2788 0 \
2789 -c "client hello, adding alpn extension" \
2790 -s "found alpn extension" \
2791 -C "got an alert message, type: \\[2:120]" \
2792 -s "server hello, adding alpn extension" \
2793 -c "found alpn extension" \
2794 -c "Application Layer Protocol is 1234" \
2795 -s "Application Layer Protocol is 1234"
2796
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2797run_test "ALPN: both, no common" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2798 "$P_SRV debug_level=3 alpn=abc,123" \
2799 "$P_CLI debug_level=3 alpn=1234,abcde" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2800 1 \
2801 -c "client hello, adding alpn extension" \
2802 -s "found alpn extension" \
2803 -c "got an alert message, type: \\[2:120]" \
2804 -S "server hello, adding alpn extension" \
2805 -C "found alpn extension" \
2806 -C "Application Layer Protocol is 1234" \
2807 -S "Application Layer Protocol is 1234"
2808
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]2809
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2810# Tests for keyUsage in leaf certificates, part 1:
2811# server-side certificate/suite selection
2812
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2813run_test "keyUsage srv: RSA, digitalSignature -> (EC)DHE-RSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2814 "$P_SRV key_file=data_files/server2.key \
2815 crt_file=data_files/server2.ku-ds.crt" \
2816 "$P_CLI" \
2817 0 \
Manuel Pégourié-Gonnard17cde5f2014-05-22 14:42:39 +0200[diff] [blame]2818 -c "Ciphersuite is TLS-[EC]*DHE-RSA-WITH-"
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2819
2820
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2821run_test "keyUsage srv: RSA, keyEncipherment -> RSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2822 "$P_SRV key_file=data_files/server2.key \
2823 crt_file=data_files/server2.ku-ke.crt" \
2824 "$P_CLI" \
2825 0 \
2826 -c "Ciphersuite is TLS-RSA-WITH-"
2827
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2828run_test "keyUsage srv: RSA, keyAgreement -> fail" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]2829 "$P_SRV key_file=data_files/server2.key \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2830 crt_file=data_files/server2.ku-ka.crt" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]2831 "$P_CLI" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2832 1 \
2833 -C "Ciphersuite is "
2834
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2835run_test "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2836 "$P_SRV key_file=data_files/server5.key \
2837 crt_file=data_files/server5.ku-ds.crt" \
2838 "$P_CLI" \
2839 0 \
2840 -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-"
2841
2842
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2843run_test "keyUsage srv: ECDSA, keyAgreement -> ECDH-" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2844 "$P_SRV key_file=data_files/server5.key \
2845 crt_file=data_files/server5.ku-ka.crt" \
2846 "$P_CLI" \
2847 0 \
2848 -c "Ciphersuite is TLS-ECDH-"
2849
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2850run_test "keyUsage srv: ECDSA, keyEncipherment -> fail" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]2851 "$P_SRV key_file=data_files/server5.key \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2852 crt_file=data_files/server5.ku-ke.crt" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]2853 "$P_CLI" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2854 1 \
2855 -C "Ciphersuite is "
2856
2857# Tests for keyUsage in leaf certificates, part 2:
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2858# client-side checking of server cert
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2859
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2860run_test "keyUsage cli: DigitalSignature+KeyEncipherment, RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2861 "$O_SRV -key data_files/server2.key \
2862 -cert data_files/server2.ku-ds_ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2863 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2864 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2865 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2866 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2867 -C "Processing of the Certificate handshake message failed" \
2868 -c "Ciphersuite is TLS-"
2869
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2870run_test "keyUsage cli: DigitalSignature+KeyEncipherment, DHE-RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2871 "$O_SRV -key data_files/server2.key \
2872 -cert data_files/server2.ku-ds_ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2873 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2874 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
2875 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2876 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2877 -C "Processing of the Certificate handshake message failed" \
2878 -c "Ciphersuite is TLS-"
2879
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2880run_test "keyUsage cli: KeyEncipherment, RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2881 "$O_SRV -key data_files/server2.key \
2882 -cert data_files/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2883 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2884 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2885 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2886 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2887 -C "Processing of the Certificate handshake message failed" \
2888 -c "Ciphersuite is TLS-"
2889
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2890run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2891 "$O_SRV -key data_files/server2.key \
2892 -cert data_files/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2893 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2894 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
2895 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2896 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2897 -c "Processing of the Certificate handshake message failed" \
2898 -C "Ciphersuite is TLS-"
2899
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]2900run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail, soft" \
2901 "$O_SRV -key data_files/server2.key \
2902 -cert data_files/server2.ku-ke.crt" \
2903 "$P_CLI debug_level=1 auth_mode=optional \
2904 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
2905 0 \
2906 -c "bad certificate (usage extensions)" \
2907 -C "Processing of the Certificate handshake message failed" \
2908 -c "Ciphersuite is TLS-" \
2909 -c "! Usage does not match the keyUsage extension"
2910
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2911run_test "keyUsage cli: DigitalSignature, DHE-RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2912 "$O_SRV -key data_files/server2.key \
2913 -cert data_files/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2914 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2915 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
2916 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2917 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2918 -C "Processing of the Certificate handshake message failed" \
2919 -c "Ciphersuite is TLS-"
2920
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2921run_test "keyUsage cli: DigitalSignature, RSA: fail" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2922 "$O_SRV -key data_files/server2.key \
2923 -cert data_files/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2924 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2925 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2926 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2927 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2928 -c "Processing of the Certificate handshake message failed" \
2929 -C "Ciphersuite is TLS-"
2930
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]2931run_test "keyUsage cli: DigitalSignature, RSA: fail, soft" \
2932 "$O_SRV -key data_files/server2.key \
2933 -cert data_files/server2.ku-ds.crt" \
2934 "$P_CLI debug_level=1 auth_mode=optional \
2935 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2936 0 \
2937 -c "bad certificate (usage extensions)" \
2938 -C "Processing of the Certificate handshake message failed" \
2939 -c "Ciphersuite is TLS-" \
2940 -c "! Usage does not match the keyUsage extension"
2941
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2942# Tests for keyUsage in leaf certificates, part 3:
2943# server-side checking of client cert
2944
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2945run_test "keyUsage cli-auth: RSA, DigitalSignature: OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2946 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2947 "$O_CLI -key data_files/server2.key \
2948 -cert data_files/server2.ku-ds.crt" \
2949 0 \
2950 -S "bad certificate (usage extensions)" \
2951 -S "Processing of the Certificate handshake message failed"
2952
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2953run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2954 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2955 "$O_CLI -key data_files/server2.key \
2956 -cert data_files/server2.ku-ke.crt" \
2957 0 \
2958 -s "bad certificate (usage extensions)" \
2959 -S "Processing of the Certificate handshake message failed"
2960
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2961run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (hard)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2962 "$P_SRV debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2963 "$O_CLI -key data_files/server2.key \
2964 -cert data_files/server2.ku-ke.crt" \
2965 1 \
2966 -s "bad certificate (usage extensions)" \
2967 -s "Processing of the Certificate handshake message failed"
2968
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2969run_test "keyUsage cli-auth: ECDSA, DigitalSignature: OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2970 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2971 "$O_CLI -key data_files/server5.key \
2972 -cert data_files/server5.ku-ds.crt" \
2973 0 \
2974 -S "bad certificate (usage extensions)" \
2975 -S "Processing of the Certificate handshake message failed"
2976
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2977run_test "keyUsage cli-auth: ECDSA, KeyAgreement: fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2978 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2979 "$O_CLI -key data_files/server5.key \
2980 -cert data_files/server5.ku-ka.crt" \
2981 0 \
2982 -s "bad certificate (usage extensions)" \
2983 -S "Processing of the Certificate handshake message failed"
2984
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2985# Tests for extendedKeyUsage, part 1: server-side certificate/suite selection
2986
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2987run_test "extKeyUsage srv: serverAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2988 "$P_SRV key_file=data_files/server5.key \
2989 crt_file=data_files/server5.eku-srv.crt" \
2990 "$P_CLI" \
2991 0
2992
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2993run_test "extKeyUsage srv: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2994 "$P_SRV key_file=data_files/server5.key \
2995 crt_file=data_files/server5.eku-srv.crt" \
2996 "$P_CLI" \
2997 0
2998
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2999run_test "extKeyUsage srv: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3000 "$P_SRV key_file=data_files/server5.key \
3001 crt_file=data_files/server5.eku-cs_any.crt" \
3002 "$P_CLI" \
3003 0
3004
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3005run_test "extKeyUsage srv: codeSign -> fail" \
Manuel Pégourié-Gonnard7eb58cb2015-07-07 11:54:14 +0200[diff] [blame]3006 "$P_SRV key_file=data_files/server5.key \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3007 crt_file=data_files/server5.eku-cli.crt" \
Manuel Pégourié-Gonnard7eb58cb2015-07-07 11:54:14 +0200[diff] [blame]3008 "$P_CLI" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3009 1
3010
3011# Tests for extendedKeyUsage, part 2: client-side checking of server cert
3012
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3013run_test "extKeyUsage cli: serverAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3014 "$O_SRV -key data_files/server5.key \
3015 -cert data_files/server5.eku-srv.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3016 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3017 0 \
3018 -C "bad certificate (usage extensions)" \
3019 -C "Processing of the Certificate handshake message failed" \
3020 -c "Ciphersuite is TLS-"
3021
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3022run_test "extKeyUsage cli: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3023 "$O_SRV -key data_files/server5.key \
3024 -cert data_files/server5.eku-srv_cli.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3025 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3026 0 \
3027 -C "bad certificate (usage extensions)" \
3028 -C "Processing of the Certificate handshake message failed" \
3029 -c "Ciphersuite is TLS-"
3030
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3031run_test "extKeyUsage cli: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3032 "$O_SRV -key data_files/server5.key \
3033 -cert data_files/server5.eku-cs_any.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3034 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3035 0 \
3036 -C "bad certificate (usage extensions)" \
3037 -C "Processing of the Certificate handshake message failed" \
3038 -c "Ciphersuite is TLS-"
3039
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3040run_test "extKeyUsage cli: codeSign -> fail" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3041 "$O_SRV -key data_files/server5.key \
3042 -cert data_files/server5.eku-cs.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3043 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3044 1 \
3045 -c "bad certificate (usage extensions)" \
3046 -c "Processing of the Certificate handshake message failed" \
3047 -C "Ciphersuite is TLS-"
3048
3049# Tests for extendedKeyUsage, part 3: server-side checking of client cert
3050
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3051run_test "extKeyUsage cli-auth: clientAuth -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3052 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3053 "$O_CLI -key data_files/server5.key \
3054 -cert data_files/server5.eku-cli.crt" \
3055 0 \
3056 -S "bad certificate (usage extensions)" \
3057 -S "Processing of the Certificate handshake message failed"
3058
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3059run_test "extKeyUsage cli-auth: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3060 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3061 "$O_CLI -key data_files/server5.key \
3062 -cert data_files/server5.eku-srv_cli.crt" \
3063 0 \
3064 -S "bad certificate (usage extensions)" \
3065 -S "Processing of the Certificate handshake message failed"
3066
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3067run_test "extKeyUsage cli-auth: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3068 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3069 "$O_CLI -key data_files/server5.key \
3070 -cert data_files/server5.eku-cs_any.crt" \
3071 0 \
3072 -S "bad certificate (usage extensions)" \
3073 -S "Processing of the Certificate handshake message failed"
3074
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3075run_test "extKeyUsage cli-auth: codeSign -> fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3076 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3077 "$O_CLI -key data_files/server5.key \
3078 -cert data_files/server5.eku-cs.crt" \
3079 0 \
3080 -s "bad certificate (usage extensions)" \
3081 -S "Processing of the Certificate handshake message failed"
3082
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3083run_test "extKeyUsage cli-auth: codeSign -> fail (hard)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3084 "$P_SRV debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3085 "$O_CLI -key data_files/server5.key \
3086 -cert data_files/server5.eku-cs.crt" \
3087 1 \
3088 -s "bad certificate (usage extensions)" \
3089 -s "Processing of the Certificate handshake message failed"
3090
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]3091# Tests for DHM parameters loading
3092
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3093run_test "DHM parameters: reference" \
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]3094 "$P_SRV" \
3095 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3096 debug_level=3" \
3097 0 \
3098 -c "value of 'DHM: P ' (2048 bits)" \
3099 -c "value of 'DHM: G ' (2048 bits)"
3100
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3101run_test "DHM parameters: other parameters" \
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]3102 "$P_SRV dhm_file=data_files/dhparams.pem" \
3103 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3104 debug_level=3" \
3105 0 \
3106 -c "value of 'DHM: P ' (1024 bits)" \
3107 -c "value of 'DHM: G ' (2 bits)"
3108
Manuel Pégourié-Gonnard7a010aa2015-06-12 11:19:10 +0200[diff] [blame]3109# Tests for DHM client-side size checking
3110
3111run_test "DHM size: server default, client default, OK" \
3112 "$P_SRV" \
3113 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3114 debug_level=1" \
3115 0 \
3116 -C "DHM prime too short:"
3117
3118run_test "DHM size: server default, client 2048, OK" \
3119 "$P_SRV" \
3120 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3121 debug_level=1 dhmlen=2048" \
3122 0 \
3123 -C "DHM prime too short:"
3124
3125run_test "DHM size: server 1024, client default, OK" \
3126 "$P_SRV dhm_file=data_files/dhparams.pem" \
3127 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3128 debug_level=1" \
3129 0 \
3130 -C "DHM prime too short:"
3131
3132run_test "DHM size: server 1000, client default, rejected" \
3133 "$P_SRV dhm_file=data_files/dh.1000.pem" \
3134 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3135 debug_level=1" \
3136 1 \
3137 -c "DHM prime too short:"
3138
3139run_test "DHM size: server default, client 2049, rejected" \
3140 "$P_SRV" \
3141 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3142 debug_level=1 dhmlen=2049" \
3143 1 \
3144 -c "DHM prime too short:"
3145
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3146# Tests for PSK callback
3147
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3148run_test "PSK callback: psk, no callback" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3149 "$P_SRV psk=abc123 psk_identity=foo" \
3150 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3151 psk_identity=foo psk=abc123" \
3152 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3153 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]3154 -S "SSL - Unknown identity received" \
3155 -S "SSL - Verification of the message MAC failed"
3156
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3157run_test "PSK callback: no psk, no callback" \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]3158 "$P_SRV" \
3159 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3160 psk_identity=foo psk=abc123" \
3161 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3162 -s "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3163 -S "SSL - Unknown identity received" \
3164 -S "SSL - Verification of the message MAC failed"
3165
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3166run_test "PSK callback: callback overrides other settings" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3167 "$P_SRV psk=abc123 psk_identity=foo psk_list=abc,dead,def,beef" \
3168 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3169 psk_identity=foo psk=abc123" \
3170 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3171 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3172 -s "SSL - Unknown identity received" \
3173 -S "SSL - Verification of the message MAC failed"
3174
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3175run_test "PSK callback: first id matches" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3176 "$P_SRV psk_list=abc,dead,def,beef" \
3177 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3178 psk_identity=abc psk=dead" \
3179 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3180 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3181 -S "SSL - Unknown identity received" \
3182 -S "SSL - Verification of the message MAC failed"
3183
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3184run_test "PSK callback: second id matches" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3185 "$P_SRV psk_list=abc,dead,def,beef" \
3186 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3187 psk_identity=def psk=beef" \
3188 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3189 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3190 -S "SSL - Unknown identity received" \
3191 -S "SSL - Verification of the message MAC failed"
3192
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3193run_test "PSK callback: no match" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3194 "$P_SRV psk_list=abc,dead,def,beef" \
3195 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3196 psk_identity=ghi psk=beef" \
3197 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3198 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3199 -s "SSL - Unknown identity received" \
3200 -S "SSL - Verification of the message MAC failed"
3201
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3202run_test "PSK callback: wrong key" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3203 "$P_SRV psk_list=abc,dead,def,beef" \
3204 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3205 psk_identity=abc psk=beef" \
3206 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3207 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3208 -S "SSL - Unknown identity received" \
3209 -s "SSL - Verification of the message MAC failed"
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]3210
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3211# Tests for EC J-PAKE
3212
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3213requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3214run_test "ECJPAKE: client not configured" \
3215 "$P_SRV debug_level=3" \
3216 "$P_CLI debug_level=3" \
3217 0 \
3218 -C "add ciphersuite: c0ff" \
3219 -C "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3220 -S "found ecjpake kkpp extension" \
3221 -S "skip ecjpake kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3222 -S "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]3223 -S "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]3224 -C "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3225 -S "None of the common ciphersuites is usable"
3226
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3227requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3228run_test "ECJPAKE: server not configured" \
3229 "$P_SRV debug_level=3" \
3230 "$P_CLI debug_level=3 ecjpake_pw=bla \
3231 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3232 1 \
3233 -c "add ciphersuite: c0ff" \
3234 -c "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3235 -s "found ecjpake kkpp extension" \
3236 -s "skip ecjpake kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3237 -s "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]3238 -S "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]3239 -C "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3240 -s "None of the common ciphersuites is usable"
3241
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3242requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3243run_test "ECJPAKE: working, TLS" \
3244 "$P_SRV debug_level=3 ecjpake_pw=bla" \
3245 "$P_CLI debug_level=3 ecjpake_pw=bla \
3246 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3247 0 \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3248 -c "add ciphersuite: c0ff" \
3249 -c "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]3250 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3251 -s "found ecjpake kkpp extension" \
3252 -S "skip ecjpake kkpp extension" \
3253 -S "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]3254 -s "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]3255 -c "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3256 -S "None of the common ciphersuites is usable" \
3257 -S "SSL - Verification of the message MAC failed"
3258
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3259server_needs_more_time 1
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3260requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3261run_test "ECJPAKE: password mismatch, TLS" \
3262 "$P_SRV debug_level=3 ecjpake_pw=bla" \
3263 "$P_CLI debug_level=3 ecjpake_pw=bad \
3264 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3265 1 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]3266 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3267 -s "SSL - Verification of the message MAC failed"
3268
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3269requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3270run_test "ECJPAKE: working, DTLS" \
3271 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \
3272 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \
3273 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3274 0 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]3275 -c "re-using cached ecjpake parameters" \
3276 -S "SSL - Verification of the message MAC failed"
3277
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3278requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]3279run_test "ECJPAKE: working, DTLS, no cookie" \
3280 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla cookies=0" \
3281 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \
3282 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3283 0 \
3284 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3285 -S "SSL - Verification of the message MAC failed"
3286
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3287server_needs_more_time 1
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3288requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3289run_test "ECJPAKE: password mismatch, DTLS" \
3290 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \
3291 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bad \
3292 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3293 1 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]3294 -c "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3295 -s "SSL - Verification of the message MAC failed"
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3296
Manuel Pégourié-Gonnardca700b22015-10-20 14:47:00 +0200[diff] [blame]3297# for tests with configs/config-thread.h
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3298requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnardca700b22015-10-20 14:47:00 +0200[diff] [blame]3299run_test "ECJPAKE: working, DTLS, nolog" \
3300 "$P_SRV dtls=1 ecjpake_pw=bla" \
3301 "$P_CLI dtls=1 ecjpake_pw=bla \
3302 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3303 0
3304
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3305# Tests for ciphersuites per version
3306
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]3307requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3308run_test "Per-version suites: SSL3" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3309 "$P_SRV min_version=ssl3 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3310 "$P_CLI force_version=ssl3" \
3311 0 \
3312 -c "Ciphersuite is TLS-RSA-WITH-3DES-EDE-CBC-SHA"
3313
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3314run_test "Per-version suites: TLS 1.0" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3315 "$P_SRV arc4=1 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]3316 "$P_CLI force_version=tls1 arc4=1" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3317 0 \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3318 -c "Ciphersuite is TLS-RSA-WITH-AES-256-CBC-SHA"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3319
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3320run_test "Per-version suites: TLS 1.1" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3321 "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3322 "$P_CLI force_version=tls1_1" \
3323 0 \
3324 -c "Ciphersuite is TLS-RSA-WITH-AES-128-CBC-SHA"
3325
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3326run_test "Per-version suites: TLS 1.2" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3327 "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3328 "$P_CLI force_version=tls1_2" \
3329 0 \
3330 -c "Ciphersuite is TLS-RSA-WITH-AES-128-GCM-SHA256"
3331
Manuel Pégourié-Gonnard4cc8c632015-07-23 12:24:03 +0200[diff] [blame]3332# Test for ClientHello without extensions
3333
Manuel Pégourié-Gonnardd55bc202015-08-04 16:22:30 +0200[diff] [blame]3334requires_gnutls
Gilles Peskine5d2511c2017-05-12 13:16:40 +0200[diff] [blame]3335run_test "ClientHello without extensions, SHA-1 allowed" \
Manuel Pégourié-Gonnard4cc8c632015-07-23 12:24:03 +0200[diff] [blame]3336 "$P_SRV debug_level=3" \
3337 "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
3338 0 \
3339 -s "dumping 'client hello extensions' (0 bytes)"
3340
Gilles Peskine5d2511c2017-05-12 13:16:40 +0200[diff] [blame]3341requires_gnutls
3342run_test "ClientHello without extensions, SHA-1 forbidden in certificates on server" \
3343 "$P_SRV debug_level=3 key_file=data_files/server2.key crt_file=data_files/server2.crt allow_sha1=0" \
3344 "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
3345 0 \
3346 -s "dumping 'client hello extensions' (0 bytes)"
3347
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3348# Tests for mbedtls_ssl_get_bytes_avail()
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]3349
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3350run_test "mbedtls_ssl_get_bytes_avail: no extra data" \
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]3351 "$P_SRV" \
3352 "$P_CLI request_size=100" \
3353 0 \
3354 -s "Read from client: 100 bytes read$"
3355
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3356run_test "mbedtls_ssl_get_bytes_avail: extra data" \
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]3357 "$P_SRV" \
3358 "$P_CLI request_size=500" \
3359 0 \
3360 -s "Read from client: 500 bytes read (.*+.*)"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3361
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3362# Tests for small packets
3363
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]3364requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3365run_test "Small packet SSLv3 BlockCipher" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]3366 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3367 "$P_CLI request_size=1 force_version=ssl3 \
3368 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3369 0 \
3370 -s "Read from client: 1 bytes read"
3371
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]3372requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3373run_test "Small packet SSLv3 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3374 "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3375 "$P_CLI request_size=1 force_version=ssl3 \
3376 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3377 0 \
3378 -s "Read from client: 1 bytes read"
3379
3380run_test "Small packet TLS 1.0 BlockCipher" \
3381 "$P_SRV" \
3382 "$P_CLI request_size=1 force_version=tls1 \
3383 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3384 0 \
3385 -s "Read from client: 1 bytes read"
3386
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]3387run_test "Small packet TLS 1.0 BlockCipher without EtM" \
3388 "$P_SRV" \
3389 "$P_CLI request_size=1 force_version=tls1 etm=0 \
3390 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3391 0 \
3392 -s "Read from client: 1 bytes read"
3393
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3394run_test "Small packet TLS 1.0 BlockCipher truncated MAC" \
3395 "$P_SRV" \
3396 "$P_CLI request_size=1 force_version=tls1 \
3397 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3398 trunc_hmac=1" \
3399 0 \
3400 -s "Read from client: 1 bytes read"
3401
3402run_test "Small packet TLS 1.0 StreamCipher truncated MAC" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3403 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3404 "$P_CLI request_size=1 force_version=tls1 \
3405 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3406 trunc_hmac=1" \
3407 0 \
3408 -s "Read from client: 1 bytes read"
3409
3410run_test "Small packet TLS 1.1 BlockCipher" \
3411 "$P_SRV" \
3412 "$P_CLI request_size=1 force_version=tls1_1 \
3413 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3414 0 \
3415 -s "Read from client: 1 bytes read"
3416
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]3417run_test "Small packet TLS 1.1 BlockCipher without EtM" \
3418 "$P_SRV" \
3419 "$P_CLI request_size=1 force_version=tls1_1 etm=0 \
3420 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3421 0 \
3422 -s "Read from client: 1 bytes read"
3423
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3424run_test "Small packet TLS 1.1 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3425 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3426 "$P_CLI request_size=1 force_version=tls1_1 \
3427 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3428 0 \
3429 -s "Read from client: 1 bytes read"
3430
3431run_test "Small packet TLS 1.1 BlockCipher truncated MAC" \
3432 "$P_SRV" \
3433 "$P_CLI request_size=1 force_version=tls1_1 \
3434 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3435 trunc_hmac=1" \
3436 0 \
3437 -s "Read from client: 1 bytes read"
3438
3439run_test "Small packet TLS 1.1 StreamCipher truncated MAC" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3440 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3441 "$P_CLI request_size=1 force_version=tls1_1 \
3442 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3443 trunc_hmac=1" \
3444 0 \
3445 -s "Read from client: 1 bytes read"
3446
3447run_test "Small packet TLS 1.2 BlockCipher" \
3448 "$P_SRV" \
3449 "$P_CLI request_size=1 force_version=tls1_2 \
3450 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3451 0 \
3452 -s "Read from client: 1 bytes read"
3453
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]3454run_test "Small packet TLS 1.2 BlockCipher without EtM" \
3455 "$P_SRV" \
3456 "$P_CLI request_size=1 force_version=tls1_2 etm=0 \
3457 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3458 0 \
3459 -s "Read from client: 1 bytes read"
3460
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3461run_test "Small packet TLS 1.2 BlockCipher larger MAC" \
3462 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]3463 "$P_CLI request_size=1 force_version=tls1_2 \
3464 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3465 0 \
3466 -s "Read from client: 1 bytes read"
3467
3468run_test "Small packet TLS 1.2 BlockCipher truncated MAC" \
3469 "$P_SRV" \
3470 "$P_CLI request_size=1 force_version=tls1_2 \
3471 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3472 trunc_hmac=1" \
3473 0 \
3474 -s "Read from client: 1 bytes read"
3475
3476run_test "Small packet TLS 1.2 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3477 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3478 "$P_CLI request_size=1 force_version=tls1_2 \
3479 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3480 0 \
3481 -s "Read from client: 1 bytes read"
3482
3483run_test "Small packet TLS 1.2 StreamCipher truncated MAC" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3484 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3485 "$P_CLI request_size=1 force_version=tls1_2 \
3486 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3487 trunc_hmac=1" \
3488 0 \
3489 -s "Read from client: 1 bytes read"
3490
3491run_test "Small packet TLS 1.2 AEAD" \
3492 "$P_SRV" \
3493 "$P_CLI request_size=1 force_version=tls1_2 \
3494 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
3495 0 \
3496 -s "Read from client: 1 bytes read"
3497
3498run_test "Small packet TLS 1.2 AEAD shorter tag" \
3499 "$P_SRV" \
3500 "$P_CLI request_size=1 force_version=tls1_2 \
3501 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
3502 0 \
3503 -s "Read from client: 1 bytes read"
3504
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]3505# A test for extensions in SSLv3
3506
3507requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
3508run_test "SSLv3 with extensions, server side" \
3509 "$P_SRV min_version=ssl3 debug_level=3" \
3510 "$P_CLI force_version=ssl3 tickets=1 max_frag_len=4096 alpn=abc,1234" \
3511 0 \
3512 -S "dumping 'client hello extensions'" \
3513 -S "server hello, total extension length:"
3514
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3515# Test for large packets
3516
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]3517requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3518run_test "Large packet SSLv3 BlockCipher" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]3519 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]3520 "$P_CLI request_size=16384 force_version=ssl3 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3521 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3522 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]3523 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3524 -s "Read from client: 16384 bytes read"
3525
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]3526requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3527run_test "Large packet SSLv3 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3528 "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3529 "$P_CLI request_size=16384 force_version=ssl3 \
3530 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3531 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]3532 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3533 -s "Read from client: 16384 bytes read"
3534
3535run_test "Large packet TLS 1.0 BlockCipher" \
3536 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]3537 "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3538 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3539 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]3540 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3541 -s "Read from client: 16384 bytes read"
3542
3543run_test "Large packet TLS 1.0 BlockCipher truncated MAC" \
3544 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]3545 "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3546 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3547 trunc_hmac=1" \
3548 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]3549 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3550 -s "Read from client: 16384 bytes read"
3551
3552run_test "Large packet TLS 1.0 StreamCipher truncated MAC" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3553 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3554 "$P_CLI request_size=16384 force_version=tls1 \
3555 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3556 trunc_hmac=1" \
3557 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]3558 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3559 -s "Read from client: 16384 bytes read"
3560
3561run_test "Large packet TLS 1.1 BlockCipher" \
3562 "$P_SRV" \
3563 "$P_CLI request_size=16384 force_version=tls1_1 \
3564 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3565 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]3566 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3567 -s "Read from client: 16384 bytes read"
3568
3569run_test "Large packet TLS 1.1 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3570 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3571 "$P_CLI request_size=16384 force_version=tls1_1 \
3572 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3573 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]3574 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3575 -s "Read from client: 16384 bytes read"
3576
3577run_test "Large packet TLS 1.1 BlockCipher truncated MAC" \
3578 "$P_SRV" \
3579 "$P_CLI request_size=16384 force_version=tls1_1 \
3580 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3581 trunc_hmac=1" \
3582 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]3583 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3584 -s "Read from client: 16384 bytes read"
3585
3586run_test "Large packet TLS 1.1 StreamCipher truncated MAC" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3587 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3588 "$P_CLI request_size=16384 force_version=tls1_1 \
3589 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3590 trunc_hmac=1" \
3591 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]3592 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3593 -s "Read from client: 16384 bytes read"
3594
3595run_test "Large packet TLS 1.2 BlockCipher" \
3596 "$P_SRV" \
3597 "$P_CLI request_size=16384 force_version=tls1_2 \
3598 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3599 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]3600 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3601 -s "Read from client: 16384 bytes read"
3602
3603run_test "Large packet TLS 1.2 BlockCipher larger MAC" \
3604 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]3605 "$P_CLI request_size=16384 force_version=tls1_2 \
3606 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3607 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]3608 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3609 -s "Read from client: 16384 bytes read"
3610
3611run_test "Large packet TLS 1.2 BlockCipher truncated MAC" \
3612 "$P_SRV" \
3613 "$P_CLI request_size=16384 force_version=tls1_2 \
3614 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3615 trunc_hmac=1" \
3616 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]3617 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3618 -s "Read from client: 16384 bytes read"
3619
3620run_test "Large packet TLS 1.2 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3621 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3622 "$P_CLI request_size=16384 force_version=tls1_2 \
3623 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3624 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]3625 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3626 -s "Read from client: 16384 bytes read"
3627
3628run_test "Large packet TLS 1.2 StreamCipher truncated MAC" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3629 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3630 "$P_CLI request_size=16384 force_version=tls1_2 \
3631 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3632 trunc_hmac=1" \
3633 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]3634 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3635 -s "Read from client: 16384 bytes read"
3636
3637run_test "Large packet TLS 1.2 AEAD" \
3638 "$P_SRV" \
3639 "$P_CLI request_size=16384 force_version=tls1_2 \
3640 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
3641 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]3642 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3643 -s "Read from client: 16384 bytes read"
3644
3645run_test "Large packet TLS 1.2 AEAD shorter tag" \
3646 "$P_SRV" \
3647 "$P_CLI request_size=16384 force_version=tls1_2 \
3648 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
3649 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]3650 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3651 -s "Read from client: 16384 bytes read"
3652
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]3653# Tests for DTLS HelloVerifyRequest
3654
3655run_test "DTLS cookie: enabled" \
3656 "$P_SRV dtls=1 debug_level=2" \
3657 "$P_CLI dtls=1 debug_level=2" \
3658 0 \
3659 -s "cookie verification failed" \
3660 -s "cookie verification passed" \
3661 -S "cookie verification skipped" \
3662 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]3663 -s "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]3664 -S "SSL - The requested feature is not available"
3665
3666run_test "DTLS cookie: disabled" \
3667 "$P_SRV dtls=1 debug_level=2 cookies=0" \
3668 "$P_CLI dtls=1 debug_level=2" \
3669 0 \
3670 -S "cookie verification failed" \
3671 -S "cookie verification passed" \
3672 -s "cookie verification skipped" \
3673 -C "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]3674 -S "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]3675 -S "SSL - The requested feature is not available"
3676
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]3677run_test "DTLS cookie: default (failing)" \
3678 "$P_SRV dtls=1 debug_level=2 cookies=-1" \
3679 "$P_CLI dtls=1 debug_level=2 hs_timeout=100-400" \
3680 1 \
3681 -s "cookie verification failed" \
3682 -S "cookie verification passed" \
3683 -S "cookie verification skipped" \
3684 -C "received hello verify request" \
3685 -S "hello verification requested" \
3686 -s "SSL - The requested feature is not available"
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]3687
3688requires_ipv6
3689run_test "DTLS cookie: enabled, IPv6" \
3690 "$P_SRV dtls=1 debug_level=2 server_addr=::1" \
3691 "$P_CLI dtls=1 debug_level=2 server_addr=::1" \
3692 0 \
3693 -s "cookie verification failed" \
3694 -s "cookie verification passed" \
3695 -S "cookie verification skipped" \
3696 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]3697 -s "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]3698 -S "SSL - The requested feature is not available"
3699
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +0200[diff] [blame]3700run_test "DTLS cookie: enabled, nbio" \
3701 "$P_SRV dtls=1 nbio=2 debug_level=2" \
3702 "$P_CLI dtls=1 nbio=2 debug_level=2" \
3703 0 \
3704 -s "cookie verification failed" \
3705 -s "cookie verification passed" \
3706 -S "cookie verification skipped" \
3707 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]3708 -s "hello verification requested" \
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +0200[diff] [blame]3709 -S "SSL - The requested feature is not available"
3710
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3711# Tests for client reconnecting from the same port with DTLS
3712
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3713not_with_valgrind # spurious resend
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3714run_test "DTLS client reconnect from same port: reference" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3715 "$P_SRV dtls=1 exchanges=2 read_timeout=1000" \
3716 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3717 0 \
3718 -C "resend" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3719 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3720 -S "Client initiated reconnection from same port"
3721
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3722not_with_valgrind # spurious resend
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3723run_test "DTLS client reconnect from same port: reconnect" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3724 "$P_SRV dtls=1 exchanges=2 read_timeout=1000" \
3725 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3726 0 \
3727 -C "resend" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3728 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3729 -s "Client initiated reconnection from same port"
3730
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]3731not_with_valgrind # server/client too slow to respond in time (next test has higher timeouts)
3732run_test "DTLS client reconnect from same port: reconnect, nbio, no valgrind" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3733 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 nbio=2" \
3734 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3735 0 \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3736 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3737 -s "Client initiated reconnection from same port"
3738
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]3739only_with_valgrind # Only with valgrind, do previous test but with higher read_timeout and hs_timeout
3740run_test "DTLS client reconnect from same port: reconnect, nbio, valgrind" \
3741 "$P_SRV dtls=1 exchanges=2 read_timeout=2000 nbio=2 hs_timeout=1500-6000" \
3742 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=1500-3000 reconnect_hard=1" \
3743 0 \
3744 -S "The operation timed out" \
3745 -s "Client initiated reconnection from same port"
3746
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3747run_test "DTLS client reconnect from same port: no cookies" \
3748 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 cookies=0" \
Manuel Pégourié-Gonnard6ad23b92015-09-15 12:57:46 +0200[diff] [blame]3749 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-8000 reconnect_hard=1" \
3750 0 \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3751 -s "The operation timed out" \
3752 -S "Client initiated reconnection from same port"
3753
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]3754# Tests for various cases of client authentication with DTLS
3755# (focused on handshake flows and message parsing)
3756
3757run_test "DTLS client auth: required" \
3758 "$P_SRV dtls=1 auth_mode=required" \
3759 "$P_CLI dtls=1" \
3760 0 \
3761 -s "Verifying peer X.509 certificate... ok"
3762
3763run_test "DTLS client auth: optional, client has no cert" \
3764 "$P_SRV dtls=1 auth_mode=optional" \
3765 "$P_CLI dtls=1 crt_file=none key_file=none" \
3766 0 \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3767 -s "! Certificate was missing"
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]3768
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3769run_test "DTLS client auth: none, client has no cert" \
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]3770 "$P_SRV dtls=1 auth_mode=none" \
3771 "$P_CLI dtls=1 crt_file=none key_file=none debug_level=2" \
3772 0 \
3773 -c "skip write certificate$" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3774 -s "! Certificate verification was skipped"
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]3775
Manuel Pégourié-Gonnard0a885742015-08-04 12:08:35 +0200[diff] [blame]3776run_test "DTLS wrong PSK: badmac alert" \
3777 "$P_SRV dtls=1 psk=abc123 force_ciphersuite=TLS-PSK-WITH-AES-128-GCM-SHA256" \
3778 "$P_CLI dtls=1 psk=abc124" \
3779 1 \
3780 -s "SSL - Verification of the message MAC failed" \
3781 -c "SSL - A fatal alert message was received from our peer"
3782
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]3783# Tests for receiving fragmented handshake messages with DTLS
3784
3785requires_gnutls
3786run_test "DTLS reassembly: no fragmentation (gnutls server)" \
3787 "$G_SRV -u --mtu 2048 -a" \
3788 "$P_CLI dtls=1 debug_level=2" \
3789 0 \
3790 -C "found fragmented DTLS handshake message" \
3791 -C "error"
3792
3793requires_gnutls
3794run_test "DTLS reassembly: some fragmentation (gnutls server)" \
3795 "$G_SRV -u --mtu 512" \
3796 "$P_CLI dtls=1 debug_level=2" \
3797 0 \
3798 -c "found fragmented DTLS handshake message" \
3799 -C "error"
3800
3801requires_gnutls
3802run_test "DTLS reassembly: more fragmentation (gnutls server)" \
3803 "$G_SRV -u --mtu 128" \
3804 "$P_CLI dtls=1 debug_level=2" \
3805 0 \
3806 -c "found fragmented DTLS handshake message" \
3807 -C "error"
3808
3809requires_gnutls
3810run_test "DTLS reassembly: more fragmentation, nbio (gnutls server)" \
3811 "$G_SRV -u --mtu 128" \
3812 "$P_CLI dtls=1 nbio=2 debug_level=2" \
3813 0 \
3814 -c "found fragmented DTLS handshake message" \
3815 -C "error"
3816
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]3817requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3818requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]3819run_test "DTLS reassembly: fragmentation, renego (gnutls server)" \
3820 "$G_SRV -u --mtu 256" \
3821 "$P_CLI debug_level=3 dtls=1 renegotiation=1 renegotiate=1" \
3822 0 \
3823 -c "found fragmented DTLS handshake message" \
3824 -c "client hello, adding renegotiation extension" \
3825 -c "found renegotiation extension" \
3826 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3827 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]3828 -C "error" \
3829 -s "Extra-header:"
3830
3831requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3832requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]3833run_test "DTLS reassembly: fragmentation, nbio, renego (gnutls server)" \
3834 "$G_SRV -u --mtu 256" \
3835 "$P_CLI debug_level=3 nbio=2 dtls=1 renegotiation=1 renegotiate=1" \
3836 0 \
3837 -c "found fragmented DTLS handshake message" \
3838 -c "client hello, adding renegotiation extension" \
3839 -c "found renegotiation extension" \
3840 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3841 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]3842 -C "error" \
3843 -s "Extra-header:"
3844
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]3845run_test "DTLS reassembly: no fragmentation (openssl server)" \
3846 "$O_SRV -dtls1 -mtu 2048" \
3847 "$P_CLI dtls=1 debug_level=2" \
3848 0 \
3849 -C "found fragmented DTLS handshake message" \
3850 -C "error"
3851
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3852run_test "DTLS reassembly: some fragmentation (openssl server)" \
3853 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]3854 "$P_CLI dtls=1 debug_level=2" \
3855 0 \
3856 -c "found fragmented DTLS handshake message" \
3857 -C "error"
3858
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3859run_test "DTLS reassembly: more fragmentation (openssl server)" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]3860 "$O_SRV -dtls1 -mtu 256" \
3861 "$P_CLI dtls=1 debug_level=2" \
3862 0 \
3863 -c "found fragmented DTLS handshake message" \
3864 -C "error"
3865
3866run_test "DTLS reassembly: fragmentation, nbio (openssl server)" \
3867 "$O_SRV -dtls1 -mtu 256" \
3868 "$P_CLI dtls=1 nbio=2 debug_level=2" \
3869 0 \
3870 -c "found fragmented DTLS handshake message" \
3871 -C "error"
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]3872
Manuel Pégourié-Gonnard7a66cbc2014-09-26 16:31:46 +0200[diff] [blame]3873# Tests for specific things with "unreliable" UDP connection
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]3874
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3875not_with_valgrind # spurious resend due to timeout
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]3876run_test "DTLS proxy: reference" \
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]3877 -p "$P_PXY" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3878 "$P_SRV dtls=1 debug_level=2" \
3879 "$P_CLI dtls=1 debug_level=2" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]3880 0 \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]3881 -C "replayed record" \
3882 -S "replayed record" \
3883 -C "record from another epoch" \
3884 -S "record from another epoch" \
3885 -C "discarding invalid record" \
3886 -S "discarding invalid record" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3887 -S "resend" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]3888 -s "Extra-header:" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]3889 -c "HTTP/1.0 200 OK"
3890
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3891not_with_valgrind # spurious resend due to timeout
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +0200[diff] [blame]3892run_test "DTLS proxy: duplicate every packet" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]3893 -p "$P_PXY duplicate=1" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3894 "$P_SRV dtls=1 debug_level=2" \
3895 "$P_CLI dtls=1 debug_level=2" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]3896 0 \
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +0200[diff] [blame]3897 -c "replayed record" \
3898 -s "replayed record" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]3899 -c "discarding invalid record" \
3900 -s "discarding invalid record" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3901 -S "resend" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]3902 -s "Extra-header:" \
3903 -c "HTTP/1.0 200 OK"
3904
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +0200[diff] [blame]3905run_test "DTLS proxy: duplicate every packet, server anti-replay off" \
3906 -p "$P_PXY duplicate=1" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3907 "$P_SRV dtls=1 debug_level=2 anti_replay=0" \
3908 "$P_CLI dtls=1 debug_level=2" \
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +0200[diff] [blame]3909 0 \
3910 -c "replayed record" \
3911 -S "replayed record" \
3912 -c "discarding invalid record" \
3913 -s "discarding invalid record" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3914 -c "resend" \
3915 -s "resend" \
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +0200[diff] [blame]3916 -s "Extra-header:" \
3917 -c "HTTP/1.0 200 OK"
3918
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]3919run_test "DTLS proxy: inject invalid AD record, default badmac_limit" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]3920 -p "$P_PXY bad_ad=1" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]3921 "$P_SRV dtls=1 debug_level=1" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]3922 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3923 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]3924 -c "discarding invalid record (mac)" \
3925 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3926 -s "Extra-header:" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]3927 -c "HTTP/1.0 200 OK" \
3928 -S "too many records with bad MAC" \
3929 -S "Verification of the message MAC failed"
3930
3931run_test "DTLS proxy: inject invalid AD record, badmac_limit 1" \
3932 -p "$P_PXY bad_ad=1" \
3933 "$P_SRV dtls=1 debug_level=1 badmac_limit=1" \
3934 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
3935 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]3936 -C "discarding invalid record (mac)" \
3937 -S "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]3938 -S "Extra-header:" \
3939 -C "HTTP/1.0 200 OK" \
3940 -s "too many records with bad MAC" \
3941 -s "Verification of the message MAC failed"
3942
3943run_test "DTLS proxy: inject invalid AD record, badmac_limit 2" \
3944 -p "$P_PXY bad_ad=1" \
3945 "$P_SRV dtls=1 debug_level=1 badmac_limit=2" \
3946 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
3947 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]3948 -c "discarding invalid record (mac)" \
3949 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]3950 -s "Extra-header:" \
3951 -c "HTTP/1.0 200 OK" \
3952 -S "too many records with bad MAC" \
3953 -S "Verification of the message MAC failed"
3954
3955run_test "DTLS proxy: inject invalid AD record, badmac_limit 2, exchanges 2"\
3956 -p "$P_PXY bad_ad=1" \
3957 "$P_SRV dtls=1 debug_level=1 badmac_limit=2 exchanges=2" \
3958 "$P_CLI dtls=1 debug_level=1 read_timeout=100 exchanges=2" \
3959 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]3960 -c "discarding invalid record (mac)" \
3961 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]3962 -s "Extra-header:" \
3963 -c "HTTP/1.0 200 OK" \
3964 -s "too many records with bad MAC" \
3965 -s "Verification of the message MAC failed"
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3966
3967run_test "DTLS proxy: delay ChangeCipherSpec" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]3968 -p "$P_PXY delay_ccs=1" \
3969 "$P_SRV dtls=1 debug_level=1" \
3970 "$P_CLI dtls=1 debug_level=1" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3971 0 \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]3972 -c "record from another epoch" \
3973 -s "record from another epoch" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3974 -c "discarding invalid record" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]3975 -s "discarding invalid record" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3976 -s "Extra-header:" \
3977 -c "HTTP/1.0 200 OK"
3978
Manuel Pégourié-Gonnard7a66cbc2014-09-26 16:31:46 +0200[diff] [blame]3979# Tests for "randomly unreliable connection": try a variety of flows and peers
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3980
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3981client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3982run_test "DTLS proxy: 3d (drop, delay, duplicate), \"short\" PSK handshake" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3983 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3984 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
3985 psk=abc123" \
3986 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3987 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
3988 0 \
3989 -s "Extra-header:" \
3990 -c "HTTP/1.0 200 OK"
3991
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3992client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3993run_test "DTLS proxy: 3d, \"short\" RSA handshake" \
3994 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3995 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none" \
3996 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3997 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
3998 0 \
3999 -s "Extra-header:" \
4000 -c "HTTP/1.0 200 OK"
4001
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4002client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]4003run_test "DTLS proxy: 3d, \"short\" (no ticket, no cli_auth) FS handshake" \
4004 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]4005 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none" \
4006 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]4007 0 \
4008 -s "Extra-header:" \
4009 -c "HTTP/1.0 200 OK"
4010
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4011client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]4012run_test "DTLS proxy: 3d, FS, client auth" \
4013 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]4014 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=required" \
4015 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]4016 0 \
4017 -s "Extra-header:" \
4018 -c "HTTP/1.0 200 OK"
4019
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4020client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]4021run_test "DTLS proxy: 3d, FS, ticket" \
4022 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]4023 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=1 auth_mode=none" \
4024 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=1" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]4025 0 \
4026 -s "Extra-header:" \
4027 -c "HTTP/1.0 200 OK"
4028
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4029client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]4030run_test "DTLS proxy: 3d, max handshake (FS, ticket + client auth)" \
4031 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]4032 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=1 auth_mode=required" \
4033 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=1" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]4034 0 \
4035 -s "Extra-header:" \
4036 -c "HTTP/1.0 200 OK"
4037
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4038client_needs_more_time 2
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]4039run_test "DTLS proxy: 3d, max handshake, nbio" \
4040 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]4041 "$P_SRV dtls=1 hs_timeout=250-10000 nbio=2 tickets=1 \
4042 auth_mode=required" \
4043 "$P_CLI dtls=1 hs_timeout=250-10000 nbio=2 tickets=1" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]4044 0 \
4045 -s "Extra-header:" \
4046 -c "HTTP/1.0 200 OK"
4047
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4048client_needs_more_time 4
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +0200[diff] [blame]4049run_test "DTLS proxy: 3d, min handshake, resumption" \
4050 -p "$P_PXY drop=5 delay=5 duplicate=5" \
4051 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
4052 psk=abc123 debug_level=3" \
4053 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
4054 debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
4055 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
4056 0 \
4057 -s "a session has been resumed" \
4058 -c "a session has been resumed" \
4059 -s "Extra-header:" \
4060 -c "HTTP/1.0 200 OK"
4061
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4062client_needs_more_time 4
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +0200[diff] [blame]4063run_test "DTLS proxy: 3d, min handshake, resumption, nbio" \
4064 -p "$P_PXY drop=5 delay=5 duplicate=5" \
4065 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
4066 psk=abc123 debug_level=3 nbio=2" \
4067 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
4068 debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
4069 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 nbio=2" \
4070 0 \
4071 -s "a session has been resumed" \
4072 -c "a session has been resumed" \
4073 -s "Extra-header:" \
4074 -c "HTTP/1.0 200 OK"
4075
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4076client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]4077requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]4078run_test "DTLS proxy: 3d, min handshake, client-initiated renego" \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +0200[diff] [blame]4079 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]4080 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
4081 psk=abc123 renegotiation=1 debug_level=2" \
4082 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
4083 renegotiate=1 debug_level=2 \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +0200[diff] [blame]4084 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
4085 0 \
4086 -c "=> renegotiate" \
4087 -s "=> renegotiate" \
4088 -s "Extra-header:" \
4089 -c "HTTP/1.0 200 OK"
4090
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4091client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]4092requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]4093run_test "DTLS proxy: 3d, min handshake, client-initiated renego, nbio" \
4094 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]4095 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
4096 psk=abc123 renegotiation=1 debug_level=2" \
4097 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
4098 renegotiate=1 debug_level=2 \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]4099 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
4100 0 \
4101 -c "=> renegotiate" \
4102 -s "=> renegotiate" \
4103 -s "Extra-header:" \
4104 -c "HTTP/1.0 200 OK"
4105
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4106client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]4107requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]4108run_test "DTLS proxy: 3d, min handshake, server-initiated renego" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]4109 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]4110 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]4111 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]4112 debug_level=2" \
4113 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]4114 renegotiation=1 exchanges=4 debug_level=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]4115 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
4116 0 \
4117 -c "=> renegotiate" \
4118 -s "=> renegotiate" \
4119 -s "Extra-header:" \
4120 -c "HTTP/1.0 200 OK"
4121
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4122client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]4123requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]4124run_test "DTLS proxy: 3d, min handshake, server-initiated renego, nbio" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]4125 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]4126 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]4127 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]4128 debug_level=2 nbio=2" \
4129 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]4130 renegotiation=1 exchanges=4 debug_level=2 nbio=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]4131 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
4132 0 \
4133 -c "=> renegotiate" \
4134 -s "=> renegotiate" \
4135 -s "Extra-header:" \
4136 -c "HTTP/1.0 200 OK"
4137
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4138client_needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]4139not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]4140run_test "DTLS proxy: 3d, openssl server" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]4141 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
4142 "$O_SRV -dtls1 -mtu 2048" \
Manuel Pégourié-Gonnard8fe411e2015-03-09 16:09:53 +0000[diff] [blame]4143 "$P_CLI dtls=1 hs_timeout=250-60000 tickets=0" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]4144 0 \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]4145 -c "HTTP/1.0 200 OK"
4146
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4147client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]4148not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]4149run_test "DTLS proxy: 3d, openssl server, fragmentation" \
4150 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
4151 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnard8fe411e2015-03-09 16:09:53 +0000[diff] [blame]4152 "$P_CLI dtls=1 hs_timeout=250-60000 tickets=0" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]4153 0 \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]4154 -c "HTTP/1.0 200 OK"
4155
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4156client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]4157not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]4158run_test "DTLS proxy: 3d, openssl server, fragmentation, nbio" \
4159 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
4160 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnard8fe411e2015-03-09 16:09:53 +0000[diff] [blame]4161 "$P_CLI dtls=1 hs_timeout=250-60000 nbio=2 tickets=0" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]4162 0 \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]4163 -c "HTTP/1.0 200 OK"
4164
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]4165requires_gnutls
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4166client_needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]4167not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]4168run_test "DTLS proxy: 3d, gnutls server" \
4169 -p "$P_PXY drop=5 delay=5 duplicate=5" \
4170 "$G_SRV -u --mtu 2048 -a" \
Manuel Pégourié-Gonnardf1384472014-10-14 22:57:46 +0200[diff] [blame]4171 "$P_CLI dtls=1 hs_timeout=250-60000" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]4172 0 \
4173 -s "Extra-header:" \
4174 -c "Extra-header:"
4175
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]4176requires_gnutls
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4177client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]4178not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]4179run_test "DTLS proxy: 3d, gnutls server, fragmentation" \
4180 -p "$P_PXY drop=5 delay=5 duplicate=5" \
4181 "$G_SRV -u --mtu 512" \
Manuel Pégourié-Gonnardf1384472014-10-14 22:57:46 +0200[diff] [blame]4182 "$P_CLI dtls=1 hs_timeout=250-60000" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]4183 0 \
4184 -s "Extra-header:" \
4185 -c "Extra-header:"
4186
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]4187requires_gnutls
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4188client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]4189not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]4190run_test "DTLS proxy: 3d, gnutls server, fragmentation, nbio" \
4191 -p "$P_PXY drop=5 delay=5 duplicate=5" \
4192 "$G_SRV -u --mtu 512" \
Manuel Pégourié-Gonnardf1384472014-10-14 22:57:46 +0200[diff] [blame]4193 "$P_CLI dtls=1 hs_timeout=250-60000 nbio=2" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]4194 0 \
4195 -s "Extra-header:" \
4196 -c "Extra-header:"
4197
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]4198# Final report
4199
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]4200echo "------------------------------------------------------------------------"
4201
4202if [ $FAILS = 0 ]; then
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]4203 printf "PASSED"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]4204else
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]4205 printf "FAILED"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]4206fi
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]4207PASSES=$(( $TESTS - $FAILS ))
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]4208echo " ($PASSES / $TESTS tests ($SKIPS skipped))"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]4209
4210exit $FAILS