TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 13db25fbe92e06b45368374e03cc26bfa82ec9fb / . / tests / ssl-opt.sh
blob: a39ca3ecd1eeebf288e39a344736f708a72f68f7 [file] [log] [blame]
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1#!/bin/sh
2
Simon Butcher58eddef2016-05-19 23:43:11 +0100[diff] [blame]3# ssl-opt.sh
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]4#
Simon Butcher58eddef2016-05-19 23:43:11 +0100[diff] [blame]5# This file is part of mbed TLS (https://tls.mbed.org)
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]6#
Simon Butcher58eddef2016-05-19 23:43:11 +0100[diff] [blame]7# Copyright (c) 2016, ARM Limited, All Rights Reserved
8#
9# Purpose
10#
11# Executes tests to prove various TLS/SSL options and extensions.
12#
13# The goal is not to cover every ciphersuite/version, but instead to cover
14# specific options (max fragment length, truncated hmac, etc) or procedures
15# (session resumption from cache or ticket, renego, etc).
16#
17# The tests assume a build with default options, with exceptions expressed
18# with a dependency. The tests focus on functionality and do not consider
19# performance.
20#
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]21
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]22set -u
23
Jaeden Ameroa258ccd2019-07-03 13:51:04 +0100[diff] [blame]24# Limit the size of each log to 10 GiB, in case of failures with this script
25# where it may output seemingly unlimited length error logs.
26ulimit -f 20971520
27
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]28if cd $( dirname $0 ); then :; else
29 echo "cd $( dirname $0 ) failed" >&2
30 exit 1
31fi
32
Antonin Décimod5f47592019-01-23 15:24:37 +0100[diff] [blame]33# default values, can be overridden by the environment
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]34: ${P_SRV:=../programs/ssl/ssl_server2}
35: ${P_CLI:=../programs/ssl/ssl_client2}
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]36: ${P_PXY:=../programs/test/udp_proxy}
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]37: ${OPENSSL_CMD:=openssl} # OPENSSL would conflict with the build system
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]38: ${GNUTLS_CLI:=gnutls-cli}
39: ${GNUTLS_SERV:=gnutls-serv}
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]40: ${PERL:=perl}
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]41
Manuel Pégourié-Gonnardfa60f122014-09-26 16:07:29 +0200[diff] [blame]42O_SRV="$OPENSSL_CMD s_server -www -cert data_files/server5.crt -key data_files/server5.key"
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]43O_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_CMD s_client"
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]44G_SRV="$GNUTLS_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]45G_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_CLI --x509cafile data_files/test-ca_cat12.crt"
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]46TCP_CLIENT="$PERL scripts/tcp_client.pl"
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]47
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]48# alternative versions of OpenSSL and GnuTLS (no default path)
49
50if [ -n "${OPENSSL_LEGACY:-}" ]; then
51 O_LEGACY_SRV="$OPENSSL_LEGACY s_server -www -cert data_files/server5.crt -key data_files/server5.key"
52 O_LEGACY_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_LEGACY s_client"
53else
54 O_LEGACY_SRV=false
55 O_LEGACY_CLI=false
56fi
57
Hanno Becker58e9dc32018-08-17 15:53:21 +0100[diff] [blame]58if [ -n "${GNUTLS_NEXT_SERV:-}" ]; then
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]59 G_NEXT_SRV="$GNUTLS_NEXT_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
60else
61 G_NEXT_SRV=false
62fi
63
Hanno Becker58e9dc32018-08-17 15:53:21 +0100[diff] [blame]64if [ -n "${GNUTLS_NEXT_CLI:-}" ]; then
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]65 G_NEXT_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_NEXT_CLI --x509cafile data_files/test-ca_cat12.crt"
66else
67 G_NEXT_CLI=false
68fi
69
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]70TESTS=0
71FAILS=0
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]72SKIPS=0
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]73
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]74MEMCHECK=0
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]75FILTER='.*'
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]76EXCLUDE='^$'
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]77
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]78SHOW_TEST_NUMBER=0
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]79RUN_TEST_NUMBER=''
80
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]81PRESERVE_LOGS=0
82
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]83# Pick a "unique" server port in the range 10000-19999, and a proxy
84# port which is this plus 10000. Each port number may be independently
85# overridden by a command line option.
86SRV_PORT=$(($$ % 10000 + 10000))
87PXY_PORT=$((SRV_PORT + 10000))
88
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]89print_usage() {
90 echo "Usage: $0 [options]"
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]91 printf " -h|--help\tPrint this help.\n"
92 printf " -m|--memcheck\tCheck memory leaks and errors.\n"
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]93 printf " -f|--filter\tOnly matching tests are executed (BRE; default: '$FILTER')\n"
94 printf " -e|--exclude\tMatching tests are excluded (BRE; default: '$EXCLUDE')\n"
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]95 printf " -n|--number\tExecute only numbered test (comma-separated, e.g. '245,256')\n"
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]96 printf " -s|--show-numbers\tShow test numbers in front of test names\n"
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]97 printf " -p|--preserve-logs\tPreserve logs of successful tests as well\n"
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]98 printf " --port\tTCP/UDP port (default: randomish 1xxxx)\n"
99 printf " --proxy-port\tTCP/UDP proxy port (default: randomish 2xxxx)\n"
Andres AGf04f54d2016-10-10 15:46:20 +0100[diff] [blame]100 printf " --seed\tInteger seed value to use for this test run\n"
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]101}
102
103get_options() {
104 while [ $# -gt 0 ]; do
105 case "$1" in
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]106 -f|--filter)
107 shift; FILTER=$1
108 ;;
109 -e|--exclude)
110 shift; EXCLUDE=$1
111 ;;
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]112 -m|--memcheck)
113 MEMCHECK=1
114 ;;
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]115 -n|--number)
116 shift; RUN_TEST_NUMBER=$1
117 ;;
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]118 -s|--show-numbers)
119 SHOW_TEST_NUMBER=1
120 ;;
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]121 -p|--preserve-logs)
122 PRESERVE_LOGS=1
123 ;;
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]124 --port)
125 shift; SRV_PORT=$1
126 ;;
127 --proxy-port)
128 shift; PXY_PORT=$1
129 ;;
Andres AGf04f54d2016-10-10 15:46:20 +0100[diff] [blame]130 --seed)
131 shift; SEED="$1"
132 ;;
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]133 -h|--help)
134 print_usage
135 exit 0
136 ;;
137 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]138 echo "Unknown argument: '$1'"
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]139 print_usage
140 exit 1
141 ;;
142 esac
143 shift
144 done
145}
146
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]147# Skip next test; use this macro to skip tests which are legitimate
148# in theory and expected to be re-introduced at some point, but
149# aren't expected to succeed at the moment due to problems outside
150# our control (such as bugs in other TLS implementations).
151skip_next_test() {
152 SKIP_NEXT="YES"
153}
154
Hanno Becker91900362019-07-03 13:22:59 +0100[diff] [blame]155requires_ciphersuite_enabled() {
156 if [ -z "$($P_CLI --help | grep "$1")" ]; then
157 SKIP_NEXT="YES"
158 fi
159}
160
Hanno Becker7c48dd12018-08-28 16:09:22 +0100[diff] [blame]161get_config_value_or_default() {
Andres Amaya Garcia06446782018-10-16 21:29:07 +0100[diff] [blame]162 # This function uses the query_config command line option to query the
163 # required Mbed TLS compile time configuration from the ssl_server2
164 # program. The command will always return a success value if the
165 # configuration is defined and the value will be printed to stdout.
166 #
167 # Note that if the configuration is not defined or is defined to nothing,
168 # the output of this function will be an empty string.
169 ${P_SRV} "query_config=${1}"
Hanno Becker7c48dd12018-08-28 16:09:22 +0100[diff] [blame]170}
171
Hanno Beckerab9a29b2019-09-24 16:14:39 +0100[diff] [blame]172# skip next test if the flag is enabled in config.h
173requires_config_disabled() {
174 if get_config_value_or_default $1; then
175 SKIP_NEXT="YES"
176 fi
177}
178
179requires_config_enabled() {
180 if ! get_config_value_or_default $1; then
181 SKIP_NEXT="YES"
182 fi
183}
184
Hanno Becker7c48dd12018-08-28 16:09:22 +0100[diff] [blame]185requires_config_value_at_least() {
Andres Amaya Garcia06446782018-10-16 21:29:07 +0100[diff] [blame]186 VAL="$( get_config_value_or_default "$1" )"
187 if [ -z "$VAL" ]; then
188 # Should never happen
189 echo "Mbed TLS configuration $1 is not defined"
190 exit 1
191 elif [ "$VAL" -lt "$2" ]; then
Hanno Becker5cd017f2018-08-24 14:40:12 +0100[diff] [blame]192 SKIP_NEXT="YES"
193 fi
194}
195
196requires_config_value_at_most() {
Hanno Becker7c48dd12018-08-28 16:09:22 +0100[diff] [blame]197 VAL=$( get_config_value_or_default "$1" )
Andres Amaya Garcia06446782018-10-16 21:29:07 +0100[diff] [blame]198 if [ -z "$VAL" ]; then
199 # Should never happen
200 echo "Mbed TLS configuration $1 is not defined"
201 exit 1
202 elif [ "$VAL" -gt "$2" ]; then
Hanno Becker5cd017f2018-08-24 14:40:12 +0100[diff] [blame]203 SKIP_NEXT="YES"
204 fi
205}
206
Arto Kinnunenc457ab12019-09-27 12:00:51 +0300[diff] [blame]207requires_config_value_exactly() {
208 VAL=$( get_config_value_or_default "$1" )
209 if [ -z "$VAL" ]; then
210 # Should never happen
211 echo "Mbed TLS configuration $1 is not defined"
212 exit 1
Arto Kinnunen13db25f2019-09-27 13:06:25 +0300[diff] [blame^]213 elif [ "$VAL" -ne "$2" ]; then
Arto Kinnunenc457ab12019-09-27 12:00:51 +0300[diff] [blame]214 SKIP_NEXT="YES"
215 fi
216}
217
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]218# skip next test if OpenSSL doesn't support FALLBACK_SCSV
219requires_openssl_with_fallback_scsv() {
220 if [ -z "${OPENSSL_HAS_FBSCSV:-}" ]; then
221 if $OPENSSL_CMD s_client -help 2>&1 | grep fallback_scsv >/dev/null
222 then
223 OPENSSL_HAS_FBSCSV="YES"
224 else
225 OPENSSL_HAS_FBSCSV="NO"
226 fi
227 fi
228 if [ "$OPENSSL_HAS_FBSCSV" = "NO" ]; then
229 SKIP_NEXT="YES"
230 fi
231}
232
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]233# skip next test if GnuTLS isn't available
234requires_gnutls() {
235 if [ -z "${GNUTLS_AVAILABLE:-}" ]; then
Manuel Pégourié-Gonnard03db6b02015-06-26 15:45:30 +0200[diff] [blame]236 if ( which "$GNUTLS_CLI" && which "$GNUTLS_SERV" ) >/dev/null 2>&1; then
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]237 GNUTLS_AVAILABLE="YES"
238 else
239 GNUTLS_AVAILABLE="NO"
240 fi
241 fi
242 if [ "$GNUTLS_AVAILABLE" = "NO" ]; then
243 SKIP_NEXT="YES"
244 fi
245}
246
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]247# skip next test if GnuTLS-next isn't available
248requires_gnutls_next() {
249 if [ -z "${GNUTLS_NEXT_AVAILABLE:-}" ]; then
250 if ( which "${GNUTLS_NEXT_CLI:-}" && which "${GNUTLS_NEXT_SERV:-}" ) >/dev/null 2>&1; then
251 GNUTLS_NEXT_AVAILABLE="YES"
252 else
253 GNUTLS_NEXT_AVAILABLE="NO"
254 fi
255 fi
256 if [ "$GNUTLS_NEXT_AVAILABLE" = "NO" ]; then
257 SKIP_NEXT="YES"
258 fi
259}
260
261# skip next test if OpenSSL-legacy isn't available
262requires_openssl_legacy() {
263 if [ -z "${OPENSSL_LEGACY_AVAILABLE:-}" ]; then
264 if which "${OPENSSL_LEGACY:-}" >/dev/null 2>&1; then
265 OPENSSL_LEGACY_AVAILABLE="YES"
266 else
267 OPENSSL_LEGACY_AVAILABLE="NO"
268 fi
269 fi
270 if [ "$OPENSSL_LEGACY_AVAILABLE" = "NO" ]; then
271 SKIP_NEXT="YES"
272 fi
273}
274
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]275# skip next test if IPv6 isn't available on this host
276requires_ipv6() {
277 if [ -z "${HAS_IPV6:-}" ]; then
278 $P_SRV server_addr='::1' > $SRV_OUT 2>&1 &
279 SRV_PID=$!
280 sleep 1
281 kill $SRV_PID >/dev/null 2>&1
282 if grep "NET - Binding of the socket failed" $SRV_OUT >/dev/null; then
283 HAS_IPV6="NO"
284 else
285 HAS_IPV6="YES"
286 fi
287 rm -r $SRV_OUT
288 fi
289
290 if [ "$HAS_IPV6" = "NO" ]; then
291 SKIP_NEXT="YES"
292 fi
293}
294
Andrzej Kurekb4593462018-10-11 08:43:30 -0400[diff] [blame]295# skip next test if it's i686 or uname is not available
296requires_not_i686() {
297 if [ -z "${IS_I686:-}" ]; then
298 IS_I686="YES"
299 if which "uname" >/dev/null 2>&1; then
300 if [ -z "$(uname -a | grep i686)" ]; then
301 IS_I686="NO"
302 fi
303 fi
304 fi
305 if [ "$IS_I686" = "YES" ]; then
306 SKIP_NEXT="YES"
307 fi
308}
309
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]310# Calculate the input & output maximum content lengths set in the config
Arto Kinnunen78213522019-09-26 11:06:39 +0300[diff] [blame]311MAX_CONTENT_LEN="$( get_config_value_or_default MBEDTLS_SSL_MAX_CONTENT_LEN )"
312if [ -z "$MAX_CONTENT_LEN" ]; then
313 MAX_CONTENT_LEN=16384
314fi
315
316MAX_IN_LEN="$( get_config_value_or_default MBEDTLS_SSL_IN_CONTENT_LEN )"
317if [ -z "$MAX_IN_LEN" ]; then
318 MAX_IN_LEN=$MAX_CONTENT_LEN
319fi
320
321MAX_OUT_LEN="$( get_config_value_or_default MBEDTLS_SSL_OUT_CONTENT_LEN )"
322if [ -z "$MAX_OUT_LEN" ]; then
323 MAX_OUT_LEN=$MAX_CONTENT_LEN
324fi
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]325
326if [ "$MAX_IN_LEN" -lt "$MAX_CONTENT_LEN" ]; then
327 MAX_CONTENT_LEN="$MAX_IN_LEN"
328fi
329if [ "$MAX_OUT_LEN" -lt "$MAX_CONTENT_LEN" ]; then
330 MAX_CONTENT_LEN="$MAX_OUT_LEN"
331fi
332
333# skip the next test if the SSL output buffer is less than 16KB
334requires_full_size_output_buffer() {
335 if [ "$MAX_OUT_LEN" -ne 16384 ]; then
336 SKIP_NEXT="YES"
337 fi
338}
339
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]340# skip the next test if valgrind is in use
341not_with_valgrind() {
342 if [ "$MEMCHECK" -gt 0 ]; then
343 SKIP_NEXT="YES"
344 fi
345}
346
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]347# skip the next test if valgrind is NOT in use
348only_with_valgrind() {
349 if [ "$MEMCHECK" -eq 0 ]; then
350 SKIP_NEXT="YES"
351 fi
352}
353
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]354# multiply the client timeout delay by the given factor for the next test
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]355client_needs_more_time() {
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]356 CLI_DELAY_FACTOR=$1
357}
358
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]359# wait for the given seconds after the client finished in the next test
360server_needs_more_time() {
361 SRV_DELAY_SECONDS=$1
362}
363
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]364# print_name <name>
365print_name() {
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]366 TESTS=$(( $TESTS + 1 ))
367 LINE=""
368
369 if [ "$SHOW_TEST_NUMBER" -gt 0 ]; then
370 LINE="$TESTS "
371 fi
372
373 LINE="$LINE$1"
374 printf "$LINE "
375 LEN=$(( 72 - `echo "$LINE" | wc -c` ))
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]376 for i in `seq 1 $LEN`; do printf '.'; done
377 printf ' '
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]378
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]379}
380
381# fail <message>
382fail() {
383 echo "FAIL"
Manuel Pégourié-Gonnard3eec6042014-02-27 15:37:24 +0100[diff] [blame]384 echo " ! $1"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]385
Manuel Pégourié-Gonnardc2b00922014-08-31 16:46:04 +0200[diff] [blame]386 mv $SRV_OUT o-srv-${TESTS}.log
387 mv $CLI_OUT o-cli-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]388 if [ -n "$PXY_CMD" ]; then
389 mv $PXY_OUT o-pxy-${TESTS}.log
390 fi
391 echo " ! outputs saved to o-XXX-${TESTS}.log"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]392
Azim Khan19d13732018-03-29 11:04:20 +0100[diff] [blame]393 if [ "X${USER:-}" = Xbuildbot -o "X${LOGNAME:-}" = Xbuildbot -o "${LOG_FAILURE_ON_STDOUT:-0}" != 0 ]; then
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]394 echo " ! server output:"
395 cat o-srv-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]396 echo " ! ========================================================"
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]397 echo " ! client output:"
398 cat o-cli-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]399 if [ -n "$PXY_CMD" ]; then
400 echo " ! ========================================================"
401 echo " ! proxy output:"
402 cat o-pxy-${TESTS}.log
403 fi
404 echo ""
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]405 fi
406
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]407 FAILS=$(( $FAILS + 1 ))
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]408}
409
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]410# is_polar <cmd_line>
411is_polar() {
412 echo "$1" | grep 'ssl_server2\|ssl_client2' > /dev/null
413}
414
Manuel Pégourié-Gonnardfa60f122014-09-26 16:07:29 +0200[diff] [blame]415# openssl s_server doesn't have -www with DTLS
416check_osrv_dtls() {
417 if echo "$SRV_CMD" | grep 's_server.*-dtls' >/dev/null; then
418 NEEDS_INPUT=1
419 SRV_CMD="$( echo $SRV_CMD | sed s/-www// )"
420 else
421 NEEDS_INPUT=0
422 fi
423}
424
425# provide input to commands that need it
426provide_input() {
427 if [ $NEEDS_INPUT -eq 0 ]; then
428 return
429 fi
430
431 while true; do
432 echo "HTTP/1.0 200 OK"
433 sleep 1
434 done
435}
436
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]437# has_mem_err <log_file_name>
438has_mem_err() {
439 if ( grep -F 'All heap blocks were freed -- no leaks are possible' "$1" &&
440 grep -F 'ERROR SUMMARY: 0 errors from 0 contexts' "$1" ) > /dev/null
441 then
442 return 1 # false: does not have errors
443 else
444 return 0 # true: has errors
445 fi
446}
447
Unknown43dc0d62019-09-02 10:42:57 -0400[diff] [blame]448# Wait for process $2 named $3 to be listening on port $1. Print error to $4.
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]449if type lsof >/dev/null 2>/dev/null; then
Unknown43dc0d62019-09-02 10:42:57 -0400[diff] [blame]450 wait_app_start() {
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]451 START_TIME=$(date +%s)
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]452 if [ "$DTLS" -eq 1 ]; then
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]453 proto=UDP
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]454 else
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]455 proto=TCP
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]456 fi
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]457 # Make a tight loop, server normally takes less than 1s to start.
458 while ! lsof -a -n -b -i "$proto:$1" -p "$2" >/dev/null 2>/dev/null; do
459 if [ $(( $(date +%s) - $START_TIME )) -gt $DOG_DELAY ]; then
Unknown43dc0d62019-09-02 10:42:57 -0400[diff] [blame]460 echo "$3 START TIMEOUT"
461 echo "$3 START TIMEOUT" >> $4
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]462 break
463 fi
464 # Linux and *BSD support decimal arguments to sleep. On other
465 # OSes this may be a tight loop.
466 sleep 0.1 2>/dev/null || true
467 done
468 }
469else
Unknown43dc0d62019-09-02 10:42:57 -0400[diff] [blame]470 echo "Warning: lsof not available, wait_app_start = sleep"
471 wait_app_start() {
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]472 sleep "$START_DELAY"
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]473 }
474fi
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]475
Unknown43dc0d62019-09-02 10:42:57 -0400[diff] [blame]476# Wait for server process $2 to be listening on port $1.
477wait_server_start() {
478 wait_app_start $1 $2 "SERVER" $SRV_OUT
479}
480
481# Wait for proxy process $2 to be listening on port $1.
482wait_proxy_start() {
483 wait_app_start $1 $2 "PROXY" $PXY_OUT
484}
485
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]486# Given the client or server debug output, parse the unix timestamp that is
Andres Amaya Garcia3b1bdff2017-09-14 12:41:29 +0100[diff] [blame]487# included in the first 4 bytes of the random bytes and check that it's within
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]488# acceptable bounds
489check_server_hello_time() {
490 # Extract the time from the debug (lvl 3) output of the client
Andres Amaya Garcia67d8da52017-09-15 15:49:24 +0100[diff] [blame]491 SERVER_HELLO_TIME="$(sed -n 's/.*server hello, current time: //p' < "$1")"
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]492 # Get the Unix timestamp for now
493 CUR_TIME=$(date +'%s')
494 THRESHOLD_IN_SECS=300
495
496 # Check if the ServerHello time was printed
497 if [ -z "$SERVER_HELLO_TIME" ]; then
498 return 1
499 fi
500
501 # Check the time in ServerHello is within acceptable bounds
502 if [ $SERVER_HELLO_TIME -lt $(( $CUR_TIME - $THRESHOLD_IN_SECS )) ]; then
503 # The time in ServerHello is at least 5 minutes before now
504 return 1
505 elif [ $SERVER_HELLO_TIME -gt $(( $CUR_TIME + $THRESHOLD_IN_SECS )) ]; then
Andres Amaya Garcia3b1bdff2017-09-14 12:41:29 +0100[diff] [blame]506 # The time in ServerHello is at least 5 minutes later than now
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]507 return 1
508 else
509 return 0
510 fi
511}
512
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]513# wait for client to terminate and set CLI_EXIT
514# must be called right after starting the client
515wait_client_done() {
516 CLI_PID=$!
517
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]518 CLI_DELAY=$(( $DOG_DELAY * $CLI_DELAY_FACTOR ))
519 CLI_DELAY_FACTOR=1
520
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]521 ( sleep $CLI_DELAY; echo "===CLIENT_TIMEOUT===" >> $CLI_OUT; kill $CLI_PID ) &
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]522 DOG_PID=$!
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]523
524 wait $CLI_PID
525 CLI_EXIT=$?
526
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]527 kill $DOG_PID >/dev/null 2>&1
528 wait $DOG_PID
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]529
530 echo "EXIT: $CLI_EXIT" >> $CLI_OUT
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]531
532 sleep $SRV_DELAY_SECONDS
533 SRV_DELAY_SECONDS=0
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]534}
535
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]536# check if the given command uses dtls and sets global variable DTLS
537detect_dtls() {
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]538 if echo "$1" | grep 'dtls=1\|-dtls1\|-u' >/dev/null; then
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]539 DTLS=1
540 else
541 DTLS=0
542 fi
543}
544
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]545# Strip off a particular parameter from the command line
546# and return its value.
547# Parameter 1: Command line parameter to strip off
548# ENV I/O: CMD command line to search and modify
549extract_cmdline_argument() {
550 __ARG=$(echo "$CMD" | sed -n "s/^.* $1=\([^ ]*\).*$/\1/p")
551 CMD=$(echo "$CMD" | sed "s/$1=\([^ ]*\)//")
552}
553
554# Check compatibility of the ssl_client2/ssl_server2 command-line
555# with a particular compile-time configurable option.
556# Parameter 1: Command-line argument (e.g. extended_ms)
557# Parameter 2: Corresponding compile-time configuration
558# (e.g. MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET)
559# ENV I/O: CMD command line to search and modify
560# SKIP_NEXT set to "YES" on a mismatch
561check_cmdline_param_compat() {
562 __VAL="$( get_config_value_or_default "$2" )"
563 if [ ! -z "$__VAL" ]; then
564 extract_cmdline_argument "$1"
565 if [ ! -z "$__ARG" ] && [ "$__ARG" != "$__VAL" ]; then
566 SKIP_NEXT="YES"
567 fi
568 fi
569}
570
Hanno Beckera43f85c2019-09-05 14:51:20 +0100[diff] [blame]571check_cmdline_check_tls_dtls() {
Hanno Becker73b72d12019-07-26 12:00:38 +0100[diff] [blame]572 detect_dtls "$CMD"
573 if [ "$DTLS" = "0" ]; then
574 requires_config_disabled MBEDTLS_SSL_PROTO_NO_TLS
Hanno Beckera43f85c2019-09-05 14:51:20 +0100[diff] [blame]575 elif [ "$DTLS" = "1" ]; then
576 requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
Hanno Becker73b72d12019-07-26 12:00:38 +0100[diff] [blame]577 fi
578}
579
Hanno Beckeracd4fc02019-06-12 16:40:50 +0100[diff] [blame]580check_cmdline_authmode_compat() {
581 __VAL="$( get_config_value_or_default "MBEDTLS_SSL_CONF_AUTHMODE" )"
582 if [ ! -z "$__VAL" ]; then
583 extract_cmdline_argument "auth_mode"
584 if [ "$__ARG" = "none" ] && [ "$__VAL" != "0" ]; then
585 SKIP_NEXT="YES";
586 elif [ "$__ARG" = "optional" ] && [ "$__VAL" != "1" ]; then
587 SKIP_NEXT="YES"
588 elif [ "$__ARG" = "required" ] && [ "$__VAL" != "2" ]; then
589 SKIP_NEXT="YES"
590 fi
591 fi
592}
593
Hanno Beckerb0b2b672019-06-12 16:58:10 +0100[diff] [blame]594check_cmdline_legacy_renego_compat() {
595 __VAL="$( get_config_value_or_default "MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION" )"
596 if [ ! -z "$__VAL" ]; then
597 extract_cmdline_argument "allow_legacy"
598 if [ "$__ARG" = "-1" ] && [ "$__VAL" != "2" ]; then
599 SKIP_NEXT="YES";
600 elif [ "$__ARG" = "0" ] && [ "$__VAL" != "0" ]; then
601 SKIP_NEXT="YES"
602 elif [ "$__ARG" = "1" ] && [ "$__VAL" != "1" ]; then
603 SKIP_NEXT="YES"
604 fi
605 fi
606}
607
Hanno Beckerd82a0302019-07-05 11:40:52 +0100[diff] [blame]608check_cmdline_min_minor_version_compat() {
609 __VAL="$( get_config_value_or_default "MBEDTLS_SSL_CONF_MIN_MINOR_VER" )"
610 if [ ! -z "$__VAL" ]; then
611 extract_cmdline_argument "min_version"
612 if [ "$__ARG" = "ssl3" ] && [ "$__VAL" != "0" ]; then
613 SKIP_NEXT="YES";
614 elif [ "$__ARG" = "tls1" ] && [ "$__VAL" != "1" ]; then
615 SKIP_NEXT="YES"
616 elif [ "$__ARG" = "tls1_1" ] && [ "$__VAL" != "2" ]; then
617 SKIP_NEXT="YES"
618 elif [ "$__ARG" = "tls1_2" ] && [ "$__VAL" != "3" ]; then
619 SKIP_NEXT="YES"
620 fi
621 fi
622}
623
624check_cmdline_max_minor_version_compat() {
625 __VAL="$( get_config_value_or_default "MBEDTLS_SSL_CONF_MAX_MINOR_VER" )"
626 if [ ! -z "$__VAL" ]; then
627 extract_cmdline_argument "max_version"
628 if [ "$__ARG" = "ssl3" ] && [ "$__VAL" != "0" ]; then
629 SKIP_NEXT="YES";
630 elif [ "$__ARG" = "tls1" ] && [ "$__VAL" != "1" ]; then
631 SKIP_NEXT="YES"
632 elif [ "$__ARG" = "tls1_1" ] && [ "$__VAL" != "2" ]; then
633 SKIP_NEXT="YES"
634 elif [ "$__ARG" = "tls1_2" ] && [ "$__VAL" != "3" ]; then
635 SKIP_NEXT="YES"
636 fi
637 fi
638}
639
640check_cmdline_force_version_compat() {
641 __VAL_MAX="$( get_config_value_or_default "MBEDTLS_SSL_CONF_MAX_MINOR_VER" )"
642 __VAL_MIN="$( get_config_value_or_default "MBEDTLS_SSL_CONF_MIN_MINOR_VER" )"
643 if [ ! -z "$__VAL_MIN" ]; then
644
645 # SSL cli/srv cmd line
646
647 extract_cmdline_argument "force_version"
648 if [ "$__ARG" = "ssl3" ] && \
649 ( [ "$__VAL_MIN" != "0" ] || [ "$__VAL_MAX" != "0" ] ); then
650 SKIP_NEXT="YES";
651 elif [ "$__ARG" = "tls1" ] && \
652 ( [ "$__VAL_MIN" != "1" ] || [ "$__VAL_MAX" != "1" ] ); then
653 SKIP_NEXT="YES"
654 elif ( [ "$__ARG" = "tls1_1" ] || [ "$__ARG" = "dtls1" ] ) && \
655 ( [ "$__VAL_MIN" != "2" ] || [ "$__VAL_MAX" != "2" ] ); then
656 SKIP_NEXT="YES"
657 elif ( [ "$__ARG" = "tls1_2" ] || [ "$__ARG" = "dtls1_2" ] ) && \
658 ( [ "$__VAL_MIN" != "3" ] || [ "$__VAL_MAX" != "3" ] ); then
659 echo "FORCE SKIP"
660 SKIP_NEXT="YES"
661 fi
662
663 # OpenSSL cmd line
664
665 if echo "$CMD" | grep -e "-tls1\($\|[^_]\)" > /dev/null; then
666 if [ "$__VAL_MIN" != "1" ] || [ "$__VAL_MAX" != "1" ]; then
667 SKIP_NEXT="YES"
668 fi
669 fi
670
671 if echo "$CMD" | grep -e "-\(dtls1\($\|[^_]\)\|tls1_1\)" > /dev/null; then
672 if [ "$__VAL_MIN" != "2" ] || [ "$__VAL_MAX" != "2" ]; then
673 SKIP_NEXT="YES"
674 fi
675 fi
676
677 if echo "$CMD" | grep -e "-\(dtls1_2\($\|[^_]\)\|tls1_2\)" > /dev/null; then
678 if [ "$__VAL_MIN" != "3" ] || [ "$__VAL_MAX" != "3" ]; then
679 SKIP_NEXT="YES"
680 fi
681 fi
682
683 fi
684}
685
Hanno Becker69c6cde2019-09-02 14:34:23 +0100[diff] [blame]686check_cmdline_crt_key_files_compat() {
687
688 # test-ca2.crt
689 if echo "$CMD" | grep -e "test-ca2" > /dev/null; then
690 requires_config_enabled MBEDTLS_ECP_DP_SECP384R1_ENABLED
691 fi
692
693 # Variants of server5.key and server5.crt
694 if echo "$CMD" | grep -e "server5" > /dev/null; then
695 requires_config_enabled MBEDTLS_ECP_DP_SECP384R1_ENABLED
696 fi
697
698 # Variants of server6.key and server6.crt
699 if echo "$CMD" | grep -e "server6" > /dev/null; then
700 requires_config_enabled MBEDTLS_ECP_DP_SECP384R1_ENABLED
701 fi
702
703}
704
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]705# Go through all options that can be hardcoded at compile-time and
706# detect whether the command line configures them in a conflicting
707# way. If so, skip the test. Otherwise, remove the corresponding
708# entry.
709# Parameter 1: Command line to inspect
710# Output: Modified command line
711# ENV I/O: SKIP_TEST set to 1 on mismatch.
712check_cmdline_compat() {
713 CMD="$1"
714
Hanno Becker69c6cde2019-09-02 14:34:23 +0100[diff] [blame]715 # Check that if we're specifying particular certificate and/or
716 # ECC key files, the corresponding curve is enabled.
717 check_cmdline_crt_key_files_compat
718
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]719 # ExtendedMasterSecret configuration
720 check_cmdline_param_compat "extended_ms" \
721 "MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET"
722 check_cmdline_param_compat "enforce_extended_master_secret" \
723 "MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET"
Hanno Becker7f376f42019-06-12 16:20:48 +0100[diff] [blame]724
725 # DTLS anti replay protection configuration
726 check_cmdline_param_compat "anti_replay" \
727 "MBEDTLS_SSL_CONF_ANTI_REPLAY"
728
Hanno Beckerde671542019-06-12 16:30:46 +0100[diff] [blame]729 # DTLS bad MAC limit
730 check_cmdline_param_compat "badmac_limit" \
731 "MBEDTLS_SSL_CONF_BADMAC_LIMIT"
Hanno Beckeracd4fc02019-06-12 16:40:50 +0100[diff] [blame]732
Hanno Beckera43f85c2019-09-05 14:51:20 +0100[diff] [blame]733 # Skip tests relying on TLS/DTLS in configs that disable it.
734 check_cmdline_check_tls_dtls
Hanno Becker73b72d12019-07-26 12:00:38 +0100[diff] [blame]735
Hanno Beckeracd4fc02019-06-12 16:40:50 +0100[diff] [blame]736 # Authentication mode
737 check_cmdline_authmode_compat
Hanno Beckerb0b2b672019-06-12 16:58:10 +0100[diff] [blame]738
739 # Legacy renegotiation
740 check_cmdline_legacy_renego_compat
Hanno Beckerd82a0302019-07-05 11:40:52 +0100[diff] [blame]741
742 # Version configuration
743 check_cmdline_min_minor_version_compat
744 check_cmdline_max_minor_version_compat
745 check_cmdline_force_version_compat
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]746}
747
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]748# Usage: run_test name [-p proxy_cmd] srv_cmd cli_cmd cli_exit [option [...]]
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]749# Options: -s pattern pattern that must be present in server output
750# -c pattern pattern that must be present in client output
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]751# -u pattern lines after pattern must be unique in client output
Andres Amaya Garcia93993de2017-09-06 15:38:07 +0100[diff] [blame]752# -f call shell function on client output
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]753# -S pattern pattern that must be absent in server output
754# -C pattern pattern that must be absent in client output
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]755# -U pattern lines after pattern must be unique in server output
Andres Amaya Garcia93993de2017-09-06 15:38:07 +0100[diff] [blame]756# -F call shell function on server output
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]757run_test() {
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]758 NAME="$1"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]759 shift 1
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]760
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]761 if echo "$NAME" | grep "$FILTER" | grep -v "$EXCLUDE" >/dev/null; then :
762 else
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]763 SKIP_NEXT="NO"
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]764 return
765 fi
766
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]767 print_name "$NAME"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]768
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]769 # Do we only run numbered tests?
770 if [ "X$RUN_TEST_NUMBER" = "X" ]; then :
771 elif echo ",$RUN_TEST_NUMBER," | grep ",$TESTS," >/dev/null; then :
772 else
773 SKIP_NEXT="YES"
774 fi
775
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]776 # does this test use a proxy?
777 if [ "X$1" = "X-p" ]; then
778 PXY_CMD="$2"
779 shift 2
780 else
781 PXY_CMD=""
782 fi
783
784 # get commands and client output
785 SRV_CMD="$1"
786 CLI_CMD="$2"
787 CLI_EXPECT="$3"
788 shift 3
789
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]790 check_cmdline_compat "$SRV_CMD"
791 SRV_CMD="$CMD"
792
793 check_cmdline_compat "$CLI_CMD"
794 CLI_CMD="$CMD"
795
Hanno Becker7a11e722019-05-10 14:38:42 +0100[diff] [blame]796 # Check if test uses files
797 TEST_USES_FILES=$(echo "$SRV_CMD $CLI_CMD" | grep "\.\(key\|crt\|pem\)" )
798 if [ ! -z "$TEST_USES_FILES" ]; then
799 requires_config_enabled MBEDTLS_FS_IO
800 fi
801
802 # should we skip?
803 if [ "X$SKIP_NEXT" = "XYES" ]; then
804 SKIP_NEXT="NO"
805 echo "SKIP"
806 SKIPS=$(( $SKIPS + 1 ))
807 return
808 fi
809
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]810 # fix client port
811 if [ -n "$PXY_CMD" ]; then
812 CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$PXY_PORT/g )
813 else
814 CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$SRV_PORT/g )
815 fi
816
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]817 # update DTLS variable
818 detect_dtls "$SRV_CMD"
819
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]820 # prepend valgrind to our commands if active
821 if [ "$MEMCHECK" -gt 0 ]; then
822 if is_polar "$SRV_CMD"; then
823 SRV_CMD="valgrind --leak-check=full $SRV_CMD"
824 fi
825 if is_polar "$CLI_CMD"; then
826 CLI_CMD="valgrind --leak-check=full $CLI_CMD"
827 fi
828 fi
829
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]830 TIMES_LEFT=2
831 while [ $TIMES_LEFT -gt 0 ]; do
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]832 TIMES_LEFT=$(( $TIMES_LEFT - 1 ))
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]833
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]834 # run the commands
835 if [ -n "$PXY_CMD" ]; then
836 echo "$PXY_CMD" > $PXY_OUT
837 $PXY_CMD >> $PXY_OUT 2>&1 &
838 PXY_PID=$!
Unknown43dc0d62019-09-02 10:42:57 -0400[diff] [blame]839 wait_proxy_start "$PXY_PORT" "$PXY_PID"
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]840 fi
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]841
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]842 check_osrv_dtls
843 echo "$SRV_CMD" > $SRV_OUT
844 provide_input | $SRV_CMD >> $SRV_OUT 2>&1 &
845 SRV_PID=$!
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]846 wait_server_start "$SRV_PORT" "$SRV_PID"
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]847
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]848 echo "$CLI_CMD" > $CLI_OUT
849 eval "$CLI_CMD" >> $CLI_OUT 2>&1 &
850 wait_client_done
Manuel Pégourié-Gonnarde01af4c2014-03-25 14:16:44 +0100[diff] [blame]851
Hanno Beckercadb5bb2017-05-26 13:56:10 +0100[diff] [blame]852 sleep 0.05
853
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]854 # terminate the server (and the proxy)
855 kill $SRV_PID
856 wait $SRV_PID
Hanno Beckerd82d8462017-05-29 21:37:46 +0100[diff] [blame]857
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]858 if [ -n "$PXY_CMD" ]; then
859 kill $PXY_PID >/dev/null 2>&1
860 wait $PXY_PID
861 fi
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]862
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]863 # retry only on timeouts
864 if grep '===CLIENT_TIMEOUT===' $CLI_OUT >/dev/null; then
865 printf "RETRY "
866 else
867 TIMES_LEFT=0
868 fi
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]869 done
870
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]871 # check if the client and server went at least to the handshake stage
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]872 # (useful to avoid tests with only negative assertions and non-zero
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]873 # expected client exit to incorrectly succeed in case of catastrophic
874 # failure)
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]875 if is_polar "$SRV_CMD"; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]876 if grep "Performing the SSL/TLS handshake" $SRV_OUT >/dev/null; then :;
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]877 else
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]878 fail "server or client failed to reach handshake stage"
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]879 return
880 fi
881 fi
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]882 if is_polar "$CLI_CMD"; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]883 if grep "Performing the SSL/TLS handshake" $CLI_OUT >/dev/null; then :;
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]884 else
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]885 fail "server or client failed to reach handshake stage"
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]886 return
887 fi
888 fi
889
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]890 # check server exit code
891 if [ $? != 0 ]; then
892 fail "server fail"
893 return
894 fi
895
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]896 # check client exit code
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]897 if [ \( "$CLI_EXPECT" = 0 -a "$CLI_EXIT" != 0 \) -o \
898 \( "$CLI_EXPECT" != 0 -a "$CLI_EXIT" = 0 \) ]
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]899 then
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]900 fail "bad client exit code (expected $CLI_EXPECT, got $CLI_EXIT)"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]901 return
902 fi
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]903
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]904 # check other assertions
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]905 # lines beginning with == are added by valgrind, ignore them
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]906 # lines with 'Serious error when reading debug info', are valgrind issues as well
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]907 while [ $# -gt 0 ]
908 do
909 case $1 in
910 "-s")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]911 if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]912 fail "pattern '$2' MUST be present in the Server output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]913 return
914 fi
915 ;;
916
917 "-c")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]918 if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]919 fail "pattern '$2' MUST be present in the Client output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]920 return
921 fi
922 ;;
923
924 "-S")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]925 if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]926 fail "pattern '$2' MUST NOT be present in the Server output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]927 return
928 fi
929 ;;
930
931 "-C")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]932 if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]933 fail "pattern '$2' MUST NOT be present in the Client output"
934 return
935 fi
936 ;;
937
938 # The filtering in the following two options (-u and -U) do the following
939 # - ignore valgrind output
Antonin Décimod5f47592019-01-23 15:24:37 +0100[diff] [blame]940 # - filter out everything but lines right after the pattern occurrences
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]941 # - keep one of each non-unique line
942 # - count how many lines remain
943 # A line with '--' will remain in the result from previous outputs, so the number of lines in the result will be 1
944 # if there were no duplicates.
945 "-U")
946 if [ $(grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
947 fail "lines following pattern '$2' must be unique in Server output"
948 return
949 fi
950 ;;
951
952 "-u")
953 if [ $(grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
954 fail "lines following pattern '$2' must be unique in Client output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]955 return
956 fi
957 ;;
Andres Amaya Garcia93993de2017-09-06 15:38:07 +0100[diff] [blame]958 "-F")
959 if ! $2 "$SRV_OUT"; then
960 fail "function call to '$2' failed on Server output"
961 return
962 fi
963 ;;
964 "-f")
965 if ! $2 "$CLI_OUT"; then
966 fail "function call to '$2' failed on Client output"
967 return
968 fi
969 ;;
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]970
971 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]972 echo "Unknown test: $1" >&2
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]973 exit 1
974 esac
975 shift 2
976 done
977
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]978 # check valgrind's results
979 if [ "$MEMCHECK" -gt 0 ]; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]980 if is_polar "$SRV_CMD" && has_mem_err $SRV_OUT; then
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]981 fail "Server has memory errors"
982 return
983 fi
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]984 if is_polar "$CLI_CMD" && has_mem_err $CLI_OUT; then
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]985 fail "Client has memory errors"
986 return
987 fi
988 fi
989
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]990 # if we're here, everything is ok
991 echo "PASS"
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]992 if [ "$PRESERVE_LOGS" -gt 0 ]; then
993 mv $SRV_OUT o-srv-${TESTS}.log
994 mv $CLI_OUT o-cli-${TESTS}.log
Hanno Becker7be2e5b2018-08-20 12:21:35 +0100[diff] [blame]995 if [ -n "$PXY_CMD" ]; then
996 mv $PXY_OUT o-pxy-${TESTS}.log
997 fi
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]998 fi
999
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]1000 rm -f $SRV_OUT $CLI_OUT $PXY_OUT
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1001}
1002
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]1003cleanup() {
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]1004 rm -f $CLI_OUT $SRV_OUT $PXY_OUT $SESSION
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]1005 test -n "${SRV_PID:-}" && kill $SRV_PID >/dev/null 2>&1
1006 test -n "${PXY_PID:-}" && kill $PXY_PID >/dev/null 2>&1
1007 test -n "${CLI_PID:-}" && kill $CLI_PID >/dev/null 2>&1
1008 test -n "${DOG_PID:-}" && kill $DOG_PID >/dev/null 2>&1
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]1009 exit 1
1010}
1011
Manuel Pégourié-Gonnard9dea8bd2014-02-26 18:21:02 +0100[diff] [blame]1012#
1013# MAIN
1014#
1015
Manuel Pégourié-Gonnard913030c2014-03-28 10:12:38 +0100[diff] [blame]1016get_options "$@"
1017
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1018# sanity checks, avoid an avalanche of errors
Hanno Becker4ac73e72017-10-23 15:27:37 +0100[diff] [blame]1019P_SRV_BIN="${P_SRV%%[ ]*}"
1020P_CLI_BIN="${P_CLI%%[ ]*}"
1021P_PXY_BIN="${P_PXY%%[ ]*}"
Hanno Becker17c04932017-10-10 14:44:53 +0100[diff] [blame]1022if [ ! -x "$P_SRV_BIN" ]; then
1023 echo "Command '$P_SRV_BIN' is not an executable file"
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1024 exit 1
1025fi
Hanno Becker17c04932017-10-10 14:44:53 +0100[diff] [blame]1026if [ ! -x "$P_CLI_BIN" ]; then
1027 echo "Command '$P_CLI_BIN' is not an executable file"
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1028 exit 1
1029fi
Hanno Becker17c04932017-10-10 14:44:53 +0100[diff] [blame]1030if [ ! -x "$P_PXY_BIN" ]; then
1031 echo "Command '$P_PXY_BIN' is not an executable file"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]1032 exit 1
1033fi
Simon Butcher3c0d7b82016-05-23 11:13:17 +0100[diff] [blame]1034if [ "$MEMCHECK" -gt 0 ]; then
1035 if which valgrind >/dev/null 2>&1; then :; else
1036 echo "Memcheck not possible. Valgrind not found"
1037 exit 1
1038 fi
1039fi
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]1040if which $OPENSSL_CMD >/dev/null 2>&1; then :; else
1041 echo "Command '$OPENSSL_CMD' not found"
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1042 exit 1
1043fi
1044
Manuel Pégourié-Gonnard32f8f4d2014-05-29 11:31:20 +0200[diff] [blame]1045# used by watchdog
1046MAIN_PID="$$"
1047
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]1048# We use somewhat arbitrary delays for tests:
1049# - how long do we wait for the server to start (when lsof not available)?
1050# - how long do we allow for the client to finish?
1051# (not to check performance, just to avoid waiting indefinitely)
1052# Things are slower with valgrind, so give extra time here.
1053#
1054# Note: without lsof, there is a trade-off between the running time of this
1055# script and the risk of spurious errors because we didn't wait long enough.
1056# The watchdog delay on the other hand doesn't affect normal running time of
1057# the script, only the case where a client or server gets stuck.
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]1058if [ "$MEMCHECK" -gt 0 ]; then
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]1059 START_DELAY=6
1060 DOG_DELAY=60
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]1061else
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]1062 START_DELAY=2
1063 DOG_DELAY=20
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]1064fi
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]1065
1066# some particular tests need more time:
1067# - for the client, we multiply the usual watchdog limit by a factor
1068# - for the server, we sleep for a number of seconds after the client exits
1069# see client_need_more_time() and server_needs_more_time()
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]1070CLI_DELAY_FACTOR=1
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]1071SRV_DELAY_SECONDS=0
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]1072
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]1073# fix commands to use this port, force IPv4 while at it
Manuel Pégourié-Gonnard0af1ba32015-01-21 11:44:33 +0000[diff] [blame]1074# +SRV_PORT will be replaced by either $SRV_PORT or $PXY_PORT later
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]1075P_SRV="$P_SRV server_addr=127.0.0.1 server_port=$SRV_PORT"
1076P_CLI="$P_CLI server_addr=127.0.0.1 server_port=+SRV_PORT"
Andres AGf04f54d2016-10-10 15:46:20 +0100[diff] [blame]1077P_PXY="$P_PXY server_addr=127.0.0.1 server_port=$SRV_PORT listen_addr=127.0.0.1 listen_port=$PXY_PORT ${SEED:+"seed=$SEED"}"
Manuel Pégourié-Gonnard61957672015-06-18 17:54:58 +0200[diff] [blame]1078O_SRV="$O_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]1079O_CLI="$O_CLI -connect localhost:+SRV_PORT"
1080G_SRV="$G_SRV -p $SRV_PORT"
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]1081G_CLI="$G_CLI -p +SRV_PORT"
Manuel Pégourié-Gonnard8066b812014-05-28 22:59:30 +0200[diff] [blame]1082
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]1083if [ -n "${OPENSSL_LEGACY:-}" ]; then
1084 O_LEGACY_SRV="$O_LEGACY_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem"
1085 O_LEGACY_CLI="$O_LEGACY_CLI -connect localhost:+SRV_PORT"
1086fi
1087
Hanno Becker58e9dc32018-08-17 15:53:21 +0100[diff] [blame]1088if [ -n "${GNUTLS_NEXT_SERV:-}" ]; then
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]1089 G_NEXT_SRV="$G_NEXT_SRV -p $SRV_PORT"
1090fi
1091
Hanno Becker58e9dc32018-08-17 15:53:21 +0100[diff] [blame]1092if [ -n "${GNUTLS_NEXT_CLI:-}" ]; then
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]1093 G_NEXT_CLI="$G_NEXT_CLI -p +SRV_PORT"
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]1094fi
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]1095
Gilles Peskine62469d92017-05-10 10:13:59 +0200[diff] [blame]1096# Allow SHA-1, because many of our test certificates use it
1097P_SRV="$P_SRV allow_sha1=1"
1098P_CLI="$P_CLI allow_sha1=1"
1099
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1100# Also pick a unique name for intermediate files
1101SRV_OUT="srv_out.$$"
1102CLI_OUT="cli_out.$$"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]1103PXY_OUT="pxy_out.$$"
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1104SESSION="session.$$"
1105
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]1106SKIP_NEXT="NO"
1107
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]1108trap cleanup INT TERM HUP
1109
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]1110# Basic test
1111
Hanno Becker91900362019-07-03 13:22:59 +0100[diff] [blame]1112run_test "Default" \
1113 "$P_SRV debug_level=3" \
1114 "$P_CLI" \
1115 0
1116
1117run_test "Default, DTLS" \
1118 "$P_SRV dtls=1" \
1119 "$P_CLI dtls=1" \
1120 0
1121
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]1122# Checks that:
1123# - things work with all ciphersuites active (used with config-full in all.sh)
1124# - the expected (highest security) parameters are selected
1125# ("signature_algorithm ext: 6" means SHA-512 (highest common hash))
Hanno Becker91900362019-07-03 13:22:59 +0100[diff] [blame]1126requires_ciphersuite_enabled "TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256"
1127requires_config_enabled MBEDTLS_SHA512_C
1128requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
1129requires_config_enabled MBEDTLS_ECP_DP_SECP521R1_ENABLED
1130run_test "Default, choose highest security suite and hash" \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]1131 "$P_SRV debug_level=3" \
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]1132 "$P_CLI" \
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]1133 0 \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]1134 -s "Protocol is TLSv1.2" \
Manuel Pégourié-Gonnardce66d5e2018-06-14 11:11:15 +0200[diff] [blame]1135 -s "Ciphersuite is TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256" \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]1136 -s "client hello v3, signature_algorithm ext: 6" \
1137 -s "ECDHE curve: secp521r1" \
1138 -S "error" \
1139 -C "error"
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]1140
Hanno Becker91900362019-07-03 13:22:59 +0100[diff] [blame]1141requires_ciphersuite_enabled "TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256"
1142requires_config_enabled MBEDTLS_SHA512_C
1143requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
1144requires_config_enabled MBEDTLS_ECP_DP_SECP521R1_ENABLED
1145run_test "Default, choose highest security suite and hash, DTLS" \
1146 "$P_SRV debug_level=3 dtls=1" \
Manuel Pégourié-Gonnard3bb08012015-01-22 13:34:21 +0000[diff] [blame]1147 "$P_CLI dtls=1" \
1148 0 \
1149 -s "Protocol is DTLSv1.2" \
Hanno Becker91900362019-07-03 13:22:59 +0100[diff] [blame]1150 -s "Ciphersuite is TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256" \
1151 -s "client hello v3, signature_algorithm ext: 6" \
1152 -s "ECDHE curve: secp521r1"
Manuel Pégourié-Gonnard3bb08012015-01-22 13:34:21 +0000[diff] [blame]1153
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]1154# Test current time in ServerHello
1155requires_config_enabled MBEDTLS_HAVE_TIME
Manuel Pégourié-Gonnardce66d5e2018-06-14 11:11:15 +0200[diff] [blame]1156run_test "ServerHello contains gmt_unix_time" \
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]1157 "$P_SRV debug_level=3" \
1158 "$P_CLI debug_level=3" \
1159 0 \
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]1160 -f "check_server_hello_time" \
1161 -F "check_server_hello_time"
1162
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]1163# Test for uniqueness of IVs in AEAD ciphersuites
1164run_test "Unique IV in GCM" \
1165 "$P_SRV exchanges=20 debug_level=4" \
1166 "$P_CLI exchanges=20 debug_level=4 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
1167 0 \
1168 -u "IV used" \
1169 -U "IV used"
1170
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]1171# Tests for rc4 option
1172
Simon Butchera410af52016-05-19 22:12:18 +0100[diff] [blame]1173requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]1174run_test "RC4: server disabled, client enabled" \
1175 "$P_SRV" \
1176 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
1177 1 \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]1178 -s "SSL - The server has no ciphersuites in common"
1179
Simon Butchera410af52016-05-19 22:12:18 +0100[diff] [blame]1180requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]1181run_test "RC4: server half, client enabled" \
1182 "$P_SRV arc4=1" \
1183 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
1184 1 \
1185 -s "SSL - The server has no ciphersuites in common"
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]1186
1187run_test "RC4: server enabled, client disabled" \
1188 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
1189 "$P_CLI" \
1190 1 \
1191 -s "SSL - The server has no ciphersuites in common"
1192
1193run_test "RC4: both enabled" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]1194 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]1195 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
1196 0 \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]1197 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]1198 -S "SSL - The server has no ciphersuites in common"
1199
Hanno Beckerd26bb202018-08-17 09:54:10 +0100[diff] [blame]1200# Test empty CA list in CertificateRequest in TLS 1.1 and earlier
1201
1202requires_gnutls
1203requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
1204run_test "CertificateRequest with empty CA list, TLS 1.1 (GnuTLS server)" \
1205 "$G_SRV"\
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]1206 "$P_CLI force_version=tls1_1 ca_file=data_files/test-ca2.crt" \
Hanno Beckerd26bb202018-08-17 09:54:10 +0100[diff] [blame]1207 0
1208
1209requires_gnutls
1210requires_config_enabled MBEDTLS_SSL_PROTO_TLS1
1211run_test "CertificateRequest with empty CA list, TLS 1.0 (GnuTLS server)" \
1212 "$G_SRV"\
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]1213 "$P_CLI force_version=tls1 ca_file=data_files/test-ca2.crt" \
Hanno Beckerd26bb202018-08-17 09:54:10 +0100[diff] [blame]1214 0
1215
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]1216# Tests for SHA-1 support
1217
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]1218requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]1219requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]1220requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]1221run_test "SHA-1 forbidden by default in server certificate" \
1222 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
1223 "$P_CLI debug_level=2 allow_sha1=0" \
1224 1 \
1225 -c "The certificate is signed with an unacceptable hash"
1226
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]1227requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
1228run_test "SHA-1 forbidden by default in server certificate" \
1229 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
1230 "$P_CLI debug_level=2 allow_sha1=0" \
1231 0
1232
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]1233run_test "SHA-1 explicitly allowed in server certificate" \
1234 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
1235 "$P_CLI allow_sha1=1" \
1236 0
1237
1238run_test "SHA-256 allowed by default in server certificate" \
1239 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2-sha256.crt" \
1240 "$P_CLI allow_sha1=0" \
1241 0
1242
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]1243requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]1244requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]1245requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]1246run_test "SHA-1 forbidden by default in client certificate" \
1247 "$P_SRV auth_mode=required allow_sha1=0" \
1248 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
1249 1 \
1250 -s "The certificate is signed with an unacceptable hash"
1251
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]1252requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
1253run_test "SHA-1 forbidden by default in client certificate" \
1254 "$P_SRV auth_mode=required allow_sha1=0" \
1255 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
1256 0
1257
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]1258run_test "SHA-1 explicitly allowed in client certificate" \
1259 "$P_SRV auth_mode=required allow_sha1=1" \
1260 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
1261 0
1262
1263run_test "SHA-256 allowed by default in client certificate" \
1264 "$P_SRV auth_mode=required allow_sha1=0" \
1265 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha256.crt" \
1266 0
1267
Hanno Becker7ae8a762018-08-14 15:43:35 +0100[diff] [blame]1268# Tests for datagram packing
1269run_test "DTLS: multiple records in same datagram, client and server" \
1270 "$P_SRV dtls=1 dgram_packing=1 debug_level=2" \
1271 "$P_CLI dtls=1 dgram_packing=1 debug_level=2" \
1272 0 \
1273 -c "next record in same datagram" \
1274 -s "next record in same datagram"
1275
1276run_test "DTLS: multiple records in same datagram, client only" \
1277 "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \
1278 "$P_CLI dtls=1 dgram_packing=1 debug_level=2" \
1279 0 \
1280 -s "next record in same datagram" \
1281 -C "next record in same datagram"
1282
1283run_test "DTLS: multiple records in same datagram, server only" \
1284 "$P_SRV dtls=1 dgram_packing=1 debug_level=2" \
1285 "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
1286 0 \
1287 -S "next record in same datagram" \
1288 -c "next record in same datagram"
1289
1290run_test "DTLS: multiple records in same datagram, neither client nor server" \
1291 "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \
1292 "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
1293 0 \
1294 -S "next record in same datagram" \
1295 -C "next record in same datagram"
1296
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1297# Tests for Truncated HMAC extension
1298
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1299run_test "Truncated HMAC: client default, server default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1300 "$P_SRV debug_level=4" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1301 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1302 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1303 -s "dumping 'expected mac' (20 bytes)" \
1304 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1305
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]1306requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1307run_test "Truncated HMAC: client disabled, server default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1308 "$P_SRV debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1309 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1310 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1311 -s "dumping 'expected mac' (20 bytes)" \
1312 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1313
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]1314requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1315run_test "Truncated HMAC: client enabled, server default" \
1316 "$P_SRV debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1317 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1318 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1319 -s "dumping 'expected mac' (20 bytes)" \
1320 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1321
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]1322requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1323run_test "Truncated HMAC: client enabled, server disabled" \
1324 "$P_SRV debug_level=4 trunc_hmac=0" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1325 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1326 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1327 -s "dumping 'expected mac' (20 bytes)" \
1328 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1329
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]1330requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker34d0c3f2017-11-17 15:46:24 +0000[diff] [blame]1331run_test "Truncated HMAC: client disabled, server enabled" \
1332 "$P_SRV debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1333 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Hanno Becker34d0c3f2017-11-17 15:46:24 +0000[diff] [blame]1334 0 \
1335 -s "dumping 'expected mac' (20 bytes)" \
1336 -S "dumping 'expected mac' (10 bytes)"
1337
1338requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1339run_test "Truncated HMAC: client enabled, server enabled" \
1340 "$P_SRV debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1341 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1342 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1343 -S "dumping 'expected mac' (20 bytes)" \
1344 -s "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1345
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]1346run_test "Truncated HMAC, DTLS: client default, server default" \
1347 "$P_SRV dtls=1 debug_level=4" \
1348 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
1349 0 \
1350 -s "dumping 'expected mac' (20 bytes)" \
1351 -S "dumping 'expected mac' (10 bytes)"
1352
1353requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
1354run_test "Truncated HMAC, DTLS: client disabled, server default" \
1355 "$P_SRV dtls=1 debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1356 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]1357 0 \
1358 -s "dumping 'expected mac' (20 bytes)" \
1359 -S "dumping 'expected mac' (10 bytes)"
1360
1361requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
1362run_test "Truncated HMAC, DTLS: client enabled, server default" \
1363 "$P_SRV dtls=1 debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1364 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]1365 0 \
1366 -s "dumping 'expected mac' (20 bytes)" \
1367 -S "dumping 'expected mac' (10 bytes)"
1368
1369requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
1370run_test "Truncated HMAC, DTLS: client enabled, server disabled" \
1371 "$P_SRV dtls=1 debug_level=4 trunc_hmac=0" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1372 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]1373 0 \
1374 -s "dumping 'expected mac' (20 bytes)" \
1375 -S "dumping 'expected mac' (10 bytes)"
1376
1377requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
1378run_test "Truncated HMAC, DTLS: client disabled, server enabled" \
1379 "$P_SRV dtls=1 debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1380 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]1381 0 \
1382 -s "dumping 'expected mac' (20 bytes)" \
1383 -S "dumping 'expected mac' (10 bytes)"
1384
1385requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
1386run_test "Truncated HMAC, DTLS: client enabled, server enabled" \
1387 "$P_SRV dtls=1 debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1388 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1389 0 \
1390 -S "dumping 'expected mac' (20 bytes)" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1391 -s "dumping 'expected mac' (10 bytes)"
1392
Jarno Lamsafa45e602019-06-04 11:33:23 +0300[diff] [blame]1393# Tests for Context serialization
1394
1395requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1396run_test "Context serialization, client serializes, CCM" \
Manuel Pégourié-Gonnard0d832712019-07-23 14:13:43 +0200[diff] [blame]1397 "$P_SRV dtls=1 serialize=0 exchanges=2" \
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1398 "$P_CLI dtls=1 serialize=1 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
Jarno Lamsafa45e602019-06-04 11:33:23 +0300[diff] [blame]1399 0 \
Jarno Lamsadcfc2a72019-06-04 15:18:19 +0300[diff] [blame]1400 -c "Deserializing connection..." \
Jarno Lamsafa45e602019-06-04 11:33:23 +0300[diff] [blame]1401 -S "Deserializing connection..."
1402
1403requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1404run_test "Context serialization, client serializes, ChaChaPoly" \
Manuel Pégourié-Gonnard0d832712019-07-23 14:13:43 +0200[diff] [blame]1405 "$P_SRV dtls=1 serialize=0 exchanges=2" \
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1406 "$P_CLI dtls=1 serialize=1 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
Jarno Lamsa8a91c062019-06-06 10:44:14 +0300[diff] [blame]1407 0 \
1408 -c "Deserializing connection..." \
1409 -S "Deserializing connection..."
1410
Jarno Lamsa8a91c062019-06-06 10:44:14 +0300[diff] [blame]1411requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1412run_test "Context serialization, client serializes, GCM" \
1413 "$P_SRV dtls=1 serialize=0 exchanges=2" \
1414 "$P_CLI dtls=1 serialize=1 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
Jarno Lamsafa45e602019-06-04 11:33:23 +0300[diff] [blame]1415 0 \
1416 -c "Deserializing connection..." \
1417 -S "Deserializing connection..."
Jarno Lamsacc281b82019-06-04 15:21:13 +0300[diff] [blame]1418
Jarno Lamsafa45e602019-06-04 11:33:23 +0300[diff] [blame]1419requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Beckere80c1b02019-08-30 11:18:59 +0100[diff] [blame]1420requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1421run_test "Context serialization, client serializes, with CID" \
1422 "$P_SRV dtls=1 serialize=0 exchanges=2 cid=1 cid_val=dead" \
1423 "$P_CLI dtls=1 serialize=1 exchanges=2 cid=1 cid_val=beef" \
1424 0 \
1425 -c "Deserializing connection..." \
1426 -S "Deserializing connection..."
1427
1428requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1429run_test "Context serialization, server serializes, CCM" \
Jarno Lamsafa45e602019-06-04 11:33:23 +0300[diff] [blame]1430 "$P_SRV dtls=1 serialize=1 exchanges=2" \
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1431 "$P_CLI dtls=1 serialize=0 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
Jarno Lamsa8a91c062019-06-06 10:44:14 +0300[diff] [blame]1432 0 \
1433 -C "Deserializing connection..." \
1434 -s "Deserializing connection..."
1435
Jarno Lamsa8a91c062019-06-06 10:44:14 +0300[diff] [blame]1436requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1437run_test "Context serialization, server serializes, ChaChaPoly" \
1438 "$P_SRV dtls=1 serialize=1 exchanges=2" \
1439 "$P_CLI dtls=1 serialize=0 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
1440 0 \
1441 -C "Deserializing connection..." \
1442 -s "Deserializing connection..."
1443
1444requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1445run_test "Context serialization, server serializes, GCM" \
1446 "$P_SRV dtls=1 serialize=1 exchanges=2" \
1447 "$P_CLI dtls=1 serialize=0 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
Jarno Lamsafa45e602019-06-04 11:33:23 +0300[diff] [blame]1448 0 \
1449 -C "Deserializing connection..." \
Jarno Lamsacc281b82019-06-04 15:21:13 +0300[diff] [blame]1450 -s "Deserializing connection..."
Jarno Lamsafa45e602019-06-04 11:33:23 +0300[diff] [blame]1451
1452requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Beckere80c1b02019-08-30 11:18:59 +0100[diff] [blame]1453requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1454run_test "Context serialization, server serializes, with CID" \
1455 "$P_SRV dtls=1 serialize=1 exchanges=2 cid=1 cid_val=dead" \
1456 "$P_CLI dtls=1 serialize=0 exchanges=2 cid=1 cid_val=beef" \
1457 0 \
1458 -C "Deserializing connection..." \
1459 -s "Deserializing connection..."
1460
1461requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1462run_test "Context serialization, both serialize, CCM" \
Jarno Lamsadcfc2a72019-06-04 15:18:19 +0300[diff] [blame]1463 "$P_SRV dtls=1 serialize=1 exchanges=2" \
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1464 "$P_CLI dtls=1 serialize=1 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
1465 0 \
1466 -c "Deserializing connection..." \
1467 -s "Deserializing connection..."
1468
1469requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1470run_test "Context serialization, both serialize, ChaChaPoly" \
1471 "$P_SRV dtls=1 serialize=1 exchanges=2" \
1472 "$P_CLI dtls=1 serialize=1 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
1473 0 \
1474 -c "Deserializing connection..." \
1475 -s "Deserializing connection..."
1476
1477requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1478run_test "Context serialization, both serialize, GCM" \
1479 "$P_SRV dtls=1 serialize=1 exchanges=2" \
1480 "$P_CLI dtls=1 serialize=1 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
Jarno Lamsafa45e602019-06-04 11:33:23 +0300[diff] [blame]1481 0 \
Jarno Lamsa8a91c062019-06-06 10:44:14 +0300[diff] [blame]1482 -c "Deserializing connection..." \
1483 -s "Deserializing connection..."
1484
1485requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Beckere80c1b02019-08-30 11:18:59 +0100[diff] [blame]1486requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1487run_test "Context serialization, both serialize, with CID" \
1488 "$P_SRV dtls=1 serialize=1 exchanges=2 cid=1 cid_val=dead" \
1489 "$P_CLI dtls=1 serialize=1 exchanges=2 cid=1 cid_val=beef" \
1490 0 \
1491 -c "Deserializing connection..." \
1492 -s "Deserializing connection..."
1493
1494requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1495run_test "Context serialization, re-init, client serializes, CCM" \
Jarno Lamsa8a91c062019-06-06 10:44:14 +0300[diff] [blame]1496 "$P_SRV dtls=1 serialize=0 exchanges=2" \
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1497 "$P_CLI dtls=1 serialize=2 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
1498 0 \
1499 -c "Deserializing connection..." \
1500 -S "Deserializing connection..."
1501
1502requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1503run_test "Context serialization, re-init, client serializes, ChaChaPoly" \
1504 "$P_SRV dtls=1 serialize=0 exchanges=2" \
1505 "$P_CLI dtls=1 serialize=2 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
1506 0 \
1507 -c "Deserializing connection..." \
1508 -S "Deserializing connection..."
1509
1510requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1511run_test "Context serialization, re-init, client serializes, GCM" \
1512 "$P_SRV dtls=1 serialize=0 exchanges=2" \
1513 "$P_CLI dtls=1 serialize=2 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
Jarno Lamsa8a91c062019-06-06 10:44:14 +0300[diff] [blame]1514 0 \
1515 -c "Deserializing connection..." \
1516 -S "Deserializing connection..."
1517
1518requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Beckere80c1b02019-08-30 11:18:59 +0100[diff] [blame]1519requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1520run_test "Context serialization, re-init, client serializes, with CID" \
1521 "$P_SRV dtls=1 serialize=0 exchanges=2 cid=1 cid_val=dead" \
1522 "$P_CLI dtls=1 serialize=2 exchanges=2 cid=1 cid_val=beef" \
1523 0 \
1524 -c "Deserializing connection..." \
1525 -S "Deserializing connection..."
1526
1527requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1528run_test "Context serialization, re-init, server serializes, CCM" \
Manuel Pégourié-Gonnard0d832712019-07-23 14:13:43 +0200[diff] [blame]1529 "$P_SRV dtls=1 serialize=2 exchanges=2" \
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1530 "$P_CLI dtls=1 serialize=0 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
1531 0 \
1532 -C "Deserializing connection..." \
1533 -s "Deserializing connection..."
1534
1535requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1536run_test "Context serialization, re-init, server serializes, ChaChaPoly" \
1537 "$P_SRV dtls=1 serialize=2 exchanges=2" \
1538 "$P_CLI dtls=1 serialize=0 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
1539 0 \
1540 -C "Deserializing connection..." \
1541 -s "Deserializing connection..."
1542
1543requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1544run_test "Context serialization, re-init, server serializes, GCM" \
1545 "$P_SRV dtls=1 serialize=2 exchanges=2" \
1546 "$P_CLI dtls=1 serialize=0 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
Jarno Lamsa8a91c062019-06-06 10:44:14 +0300[diff] [blame]1547 0 \
1548 -C "Deserializing connection..." \
1549 -s "Deserializing connection..."
1550
1551requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Beckere80c1b02019-08-30 11:18:59 +0100[diff] [blame]1552requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1553run_test "Context serialization, re-init, server serializes, with CID" \
1554 "$P_SRV dtls=1 serialize=2 exchanges=2 cid=1 cid_val=dead" \
1555 "$P_CLI dtls=1 serialize=0 exchanges=2 cid=1 cid_val=beef" \
1556 0 \
1557 -C "Deserializing connection..." \
1558 -s "Deserializing connection..."
1559
1560requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1561run_test "Context serialization, re-init, both serialize, CCM" \
Manuel Pégourié-Gonnard0d832712019-07-23 14:13:43 +0200[diff] [blame]1562 "$P_SRV dtls=1 serialize=2 exchanges=2" \
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1563 "$P_CLI dtls=1 serialize=2 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
1564 0 \
1565 -c "Deserializing connection..." \
1566 -s "Deserializing connection..."
1567
1568requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1569run_test "Context serialization, re-init, both serialize, ChaChaPoly" \
1570 "$P_SRV dtls=1 serialize=2 exchanges=2" \
1571 "$P_CLI dtls=1 serialize=2 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
1572 0 \
1573 -c "Deserializing connection..." \
1574 -s "Deserializing connection..."
1575
1576requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1577run_test "Context serialization, re-init, both serialize, GCM" \
1578 "$P_SRV dtls=1 serialize=2 exchanges=2" \
1579 "$P_CLI dtls=1 serialize=2 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
Jarno Lamsa8a91c062019-06-06 10:44:14 +0300[diff] [blame]1580 0 \
1581 -c "Deserializing connection..." \
1582 -s "Deserializing connection..."
1583
Hanno Beckere80c1b02019-08-30 11:18:59 +0100[diff] [blame]1584requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1585requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1586run_test "Context serialization, re-init, both serialize, with CID" \
1587 "$P_SRV dtls=1 serialize=2 exchanges=2 cid=1 cid_val=dead" \
1588 "$P_CLI dtls=1 serialize=2 exchanges=2 cid=1 cid_val=beef" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1589 0 \
1590 -c "Deserializing connection..." \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1591 -s "Deserializing connection..."
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1592
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1593# Tests for DTLS Connection ID extension
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1594
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1595# So far, the CID API isn't implemented, so we can't
1596# grep for output witnessing its use. This needs to be
Hanno Becker6a3ff282019-04-26 17:19:46 +0100[diff] [blame]1597# changed once the CID extension is implemented.
Hanno Beckerad8e2c92019-05-08 13:19:53 +0100[diff] [blame]1598
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1599requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1600run_test "Connection ID: Cli enabled, Srv disabled" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1601 "$P_SRV debug_level=3 dtls=1 cid=0" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1602 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
1603 0 \
1604 -s "Disable use of CID extension." \
1605 -s "found CID extension" \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1606 -s "Client sent CID extension, but CID disabled" \
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1607 -c "Enable use of CID extension." \
1608 -c "client hello, adding CID extension" \
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1609 -S "server hello, adding CID extension" \
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1610 -C "found CID extension" \
1611 -S "Copy CIDs into SSL transform" \
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1612 -C "Copy CIDs into SSL transform" \
1613 -c "Use of Connection ID was rejected by the server"
Hanno Beckerb7f9e9c2019-05-03 17:04:23 +0100[diff] [blame]1614
1615requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1616run_test "Connection ID: Cli disabled, Srv enabled" \
1617 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
1618 "$P_CLI debug_level=3 dtls=1 cid=0" \
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1619 0 \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1620 -c "Disable use of CID extension." \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1621 -C "client hello, adding CID extension" \
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]1622 -S "found CID extension" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1623 -s "Enable use of CID extension." \
1624 -S "server hello, adding CID extension" \
1625 -C "found CID extension" \
1626 -S "Copy CIDs into SSL transform" \
1627 -C "Copy CIDs into SSL transform" \
1628 -s "Use of Connection ID was not offered by client"
1629
1630requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1631run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID nonempty" \
1632 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead" \
1633 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef" \
1634 0 \
1635 -c "Enable use of CID extension." \
1636 -s "Enable use of CID extension." \
1637 -c "client hello, adding CID extension" \
1638 -s "found CID extension" \
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]1639 -s "Use of CID extension negotiated" \
1640 -s "server hello, adding CID extension" \
1641 -c "found CID extension" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1642 -c "Use of CID extension negotiated" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1643 -s "Copy CIDs into SSL transform" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1644 -c "Copy CIDs into SSL transform" \
1645 -c "Peer CID (length 2 Bytes): de ad" \
1646 -s "Peer CID (length 2 Bytes): be ef" \
1647 -s "Use of Connection ID has been negotiated" \
1648 -c "Use of Connection ID has been negotiated"
1649
1650requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1651run_test "Connection ID, 3D: Cli+Srv enabled, Cli+Srv CID nonempty" \
1652 -p "$P_PXY drop=5 delay=5 duplicate=5 bad_cid=1" \
1653 "$P_SRV debug_level=3 dtls=1 cid=1 dgram_packing=0 cid_val=dead" \
1654 "$P_CLI debug_level=3 dtls=1 cid=1 dgram_packing=0 cid_val=beef" \
1655 0 \
1656 -c "Enable use of CID extension." \
1657 -s "Enable use of CID extension." \
1658 -c "client hello, adding CID extension" \
1659 -s "found CID extension" \
1660 -s "Use of CID extension negotiated" \
1661 -s "server hello, adding CID extension" \
1662 -c "found CID extension" \
1663 -c "Use of CID extension negotiated" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1664 -s "Copy CIDs into SSL transform" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1665 -c "Copy CIDs into SSL transform" \
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]1666 -c "Peer CID (length 2 Bytes): de ad" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1667 -s "Peer CID (length 2 Bytes): be ef" \
1668 -s "Use of Connection ID has been negotiated" \
1669 -c "Use of Connection ID has been negotiated" \
1670 -c "ignoring unexpected CID" \
1671 -s "ignoring unexpected CID"
1672
1673requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1674run_test "Connection ID, MTU: Cli+Srv enabled, Cli+Srv CID nonempty" \
1675 -p "$P_PXY mtu=800" \
1676 "$P_SRV debug_level=3 mtu=800 dtls=1 cid=1 cid_val=dead" \
1677 "$P_CLI debug_level=3 mtu=800 dtls=1 cid=1 cid_val=beef" \
1678 0 \
1679 -c "Enable use of CID extension." \
1680 -s "Enable use of CID extension." \
1681 -c "client hello, adding CID extension" \
1682 -s "found CID extension" \
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]1683 -s "Use of CID extension negotiated" \
1684 -s "server hello, adding CID extension" \
1685 -c "found CID extension" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1686 -c "Use of CID extension negotiated" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1687 -s "Copy CIDs into SSL transform" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1688 -c "Copy CIDs into SSL transform" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1689 -c "Peer CID (length 2 Bytes): de ad" \
1690 -s "Peer CID (length 2 Bytes): be ef" \
1691 -s "Use of Connection ID has been negotiated" \
1692 -c "Use of Connection ID has been negotiated"
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1693
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1694requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1695run_test "Connection ID, 3D+MTU: Cli+Srv enabled, Cli+Srv CID nonempty" \
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1696 -p "$P_PXY mtu=800 drop=5 delay=5 duplicate=5 bad_cid=1" \
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1697 "$P_SRV debug_level=3 mtu=800 dtls=1 cid=1 cid_val=dead" \
1698 "$P_CLI debug_level=3 mtu=800 dtls=1 cid=1 cid_val=beef" \
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1699 0 \
1700 -c "Enable use of CID extension." \
Hanno Beckerb7f9e9c2019-05-03 17:04:23 +0100[diff] [blame]1701 -s "Enable use of CID extension." \
1702 -c "client hello, adding CID extension" \
1703 -s "found CID extension" \
1704 -s "Use of CID extension negotiated" \
1705 -s "server hello, adding CID extension" \
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1706 -c "found CID extension" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1707 -c "Use of CID extension negotiated" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1708 -s "Copy CIDs into SSL transform" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1709 -c "Copy CIDs into SSL transform" \
1710 -c "Peer CID (length 2 Bytes): de ad" \
1711 -s "Peer CID (length 2 Bytes): be ef" \
1712 -s "Use of Connection ID has been negotiated" \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1713 -c "Use of Connection ID has been negotiated" \
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1714 -c "ignoring unexpected CID" \
1715 -s "ignoring unexpected CID"
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1716
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1717requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1718run_test "Connection ID: Cli+Srv enabled, Cli CID empty" \
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1719 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
1720 "$P_CLI debug_level=3 dtls=1 cid=1" \
Hanno Beckerb7f9e9c2019-05-03 17:04:23 +0100[diff] [blame]1721 0 \
1722 -c "Enable use of CID extension." \
1723 -s "Enable use of CID extension." \
1724 -c "client hello, adding CID extension" \
1725 -s "found CID extension" \
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1726 -s "Use of CID extension negotiated" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1727 -s "server hello, adding CID extension" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1728 -c "found CID extension" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1729 -c "Use of CID extension negotiated" \
1730 -s "Copy CIDs into SSL transform" \
1731 -c "Copy CIDs into SSL transform" \
1732 -c "Peer CID (length 4 Bytes): de ad be ef" \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1733 -s "Peer CID (length 0 Bytes):" \
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1734 -s "Use of Connection ID has been negotiated" \
1735 -c "Use of Connection ID has been negotiated"
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1736
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1737requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1738run_test "Connection ID: Cli+Srv enabled, Srv CID empty" \
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1739 "$P_SRV debug_level=3 dtls=1 cid=1" \
1740 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
Hanno Becker6a3ff282019-04-26 17:19:46 +0100[diff] [blame]1741 0 \
1742 -c "Enable use of CID extension." \
1743 -s "Enable use of CID extension." \
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1744 -c "client hello, adding CID extension" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1745 -s "found CID extension" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1746 -s "Use of CID extension negotiated" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1747 -s "server hello, adding CID extension" \
1748 -c "found CID extension" \
1749 -c "Use of CID extension negotiated" \
1750 -s "Copy CIDs into SSL transform" \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1751 -c "Copy CIDs into SSL transform" \
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1752 -s "Peer CID (length 4 Bytes): de ad be ef" \
1753 -c "Peer CID (length 0 Bytes):" \
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1754 -s "Use of Connection ID has been negotiated" \
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1755 -c "Use of Connection ID has been negotiated"
1756
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1757requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1758run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID empty" \
Hanno Beckerb7f9e9c2019-05-03 17:04:23 +0100[diff] [blame]1759 "$P_SRV debug_level=3 dtls=1 cid=1" \
1760 "$P_CLI debug_level=3 dtls=1 cid=1" \
1761 0 \
1762 -c "Enable use of CID extension." \
1763 -s "Enable use of CID extension." \
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1764 -c "client hello, adding CID extension" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1765 -s "found CID extension" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1766 -s "Use of CID extension negotiated" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1767 -s "server hello, adding CID extension" \
1768 -c "found CID extension" \
1769 -c "Use of CID extension negotiated" \
1770 -s "Copy CIDs into SSL transform" \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1771 -c "Copy CIDs into SSL transform" \
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1772 -S "Use of Connection ID has been negotiated" \
1773 -C "Use of Connection ID has been negotiated"
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1774
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1775requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1776run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID nonempty, AES-128-CCM-8" \
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1777 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead" \
1778 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
Hanno Beckerb7f9e9c2019-05-03 17:04:23 +0100[diff] [blame]1779 0 \
1780 -c "Enable use of CID extension." \
1781 -s "Enable use of CID extension." \
1782 -c "client hello, adding CID extension" \
1783 -s "found CID extension" \
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1784 -s "Use of CID extension negotiated" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1785 -s "server hello, adding CID extension" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1786 -c "found CID extension" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1787 -c "Use of CID extension negotiated" \
1788 -s "Copy CIDs into SSL transform" \
1789 -c "Copy CIDs into SSL transform" \
1790 -c "Peer CID (length 2 Bytes): de ad" \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1791 -s "Peer CID (length 2 Bytes): be ef" \
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1792 -s "Use of Connection ID has been negotiated" \
1793 -c "Use of Connection ID has been negotiated"
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1794
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1795requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1796run_test "Connection ID: Cli+Srv enabled, Cli CID empty, AES-128-CCM-8" \
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1797 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
1798 "$P_CLI debug_level=3 dtls=1 cid=1 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
Hanno Beckerb7f9e9c2019-05-03 17:04:23 +0100[diff] [blame]1799 0 \
1800 -c "Enable use of CID extension." \
1801 -s "Enable use of CID extension." \
1802 -c "client hello, adding CID extension" \
1803 -s "found CID extension" \
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1804 -s "Use of CID extension negotiated" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1805 -s "server hello, adding CID extension" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1806 -c "found CID extension" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1807 -c "Use of CID extension negotiated" \
1808 -s "Copy CIDs into SSL transform" \
1809 -c "Copy CIDs into SSL transform" \
1810 -c "Peer CID (length 4 Bytes): de ad be ef" \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1811 -s "Peer CID (length 0 Bytes):" \
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1812 -s "Use of Connection ID has been negotiated" \
1813 -c "Use of Connection ID has been negotiated"
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1814
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1815requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1816run_test "Connection ID: Cli+Srv enabled, Srv CID empty, AES-128-CCM-8" \
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1817 "$P_SRV debug_level=3 dtls=1 cid=1" \
1818 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=deadbeef force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
Hanno Becker6a3ff282019-04-26 17:19:46 +0100[diff] [blame]1819 0 \
1820 -c "Enable use of CID extension." \
1821 -s "Enable use of CID extension." \
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1822 -c "client hello, adding CID extension" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1823 -s "found CID extension" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1824 -s "Use of CID extension negotiated" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1825 -s "server hello, adding CID extension" \
1826 -c "found CID extension" \
1827 -c "Use of CID extension negotiated" \
1828 -s "Copy CIDs into SSL transform" \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1829 -c "Copy CIDs into SSL transform" \
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1830 -s "Peer CID (length 4 Bytes): de ad be ef" \
1831 -c "Peer CID (length 0 Bytes):" \
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1832 -s "Use of Connection ID has been negotiated" \
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1833 -c "Use of Connection ID has been negotiated"
1834
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1835requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1836run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID empty, AES-128-CCM-8" \
Hanno Beckerb7f9e9c2019-05-03 17:04:23 +0100[diff] [blame]1837 "$P_SRV debug_level=3 dtls=1 cid=1" \
1838 "$P_CLI debug_level=3 dtls=1 cid=1 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
1839 0 \
1840 -c "Enable use of CID extension." \
1841 -s "Enable use of CID extension." \
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1842 -c "client hello, adding CID extension" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1843 -s "found CID extension" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1844 -s "Use of CID extension negotiated" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1845 -s "server hello, adding CID extension" \
1846 -c "found CID extension" \
1847 -c "Use of CID extension negotiated" \
1848 -s "Copy CIDs into SSL transform" \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1849 -c "Copy CIDs into SSL transform" \
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1850 -S "Use of Connection ID has been negotiated" \
1851 -C "Use of Connection ID has been negotiated"
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1852
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1853requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1854run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID nonempty, AES-128-CBC" \
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1855 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead" \
1856 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
Hanno Beckerb7f9e9c2019-05-03 17:04:23 +0100[diff] [blame]1857 0 \
1858 -c "Enable use of CID extension." \
1859 -s "Enable use of CID extension." \
1860 -c "client hello, adding CID extension" \
1861 -s "found CID extension" \
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1862 -s "Use of CID extension negotiated" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1863 -s "server hello, adding CID extension" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1864 -c "found CID extension" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1865 -c "Use of CID extension negotiated" \
1866 -s "Copy CIDs into SSL transform" \
1867 -c "Copy CIDs into SSL transform" \
1868 -c "Peer CID (length 2 Bytes): de ad" \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1869 -s "Peer CID (length 2 Bytes): be ef" \
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1870 -s "Use of Connection ID has been negotiated" \
1871 -c "Use of Connection ID has been negotiated"
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1872
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1873requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1874run_test "Connection ID: Cli+Srv enabled, Cli CID empty, AES-128-CBC" \
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1875 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
1876 "$P_CLI debug_level=3 dtls=1 cid=1 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
Hanno Beckerb7f9e9c2019-05-03 17:04:23 +0100[diff] [blame]1877 0 \
1878 -c "Enable use of CID extension." \
1879 -s "Enable use of CID extension." \
1880 -c "client hello, adding CID extension" \
1881 -s "found CID extension" \
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1882 -s "Use of CID extension negotiated" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1883 -s "server hello, adding CID extension" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1884 -c "found CID extension" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1885 -c "Use of CID extension negotiated" \
1886 -s "Copy CIDs into SSL transform" \
1887 -c "Copy CIDs into SSL transform" \
1888 -c "Peer CID (length 4 Bytes): de ad be ef" \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1889 -s "Peer CID (length 0 Bytes):" \
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1890 -s "Use of Connection ID has been negotiated" \
1891 -c "Use of Connection ID has been negotiated"
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1892
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1893requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1894run_test "Connection ID: Cli+Srv enabled, Srv CID empty, AES-128-CBC" \
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1895 "$P_SRV debug_level=3 dtls=1 cid=1" \
1896 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=deadbeef force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
Hanno Becker6a3ff282019-04-26 17:19:46 +0100[diff] [blame]1897 0 \
1898 -c "Enable use of CID extension." \
1899 -s "Enable use of CID extension." \
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1900 -c "client hello, adding CID extension" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1901 -s "found CID extension" \
Hanno Becker963cb352019-04-23 11:52:44 +0100[diff] [blame]1902 -s "Use of CID extension negotiated" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1903 -s "server hello, adding CID extension" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1904 -c "found CID extension" \
1905 -c "Use of CID extension negotiated" \
1906 -s "Copy CIDs into SSL transform" \
Hanno Becker96870292019-05-03 17:30:59 +0100[diff] [blame]1907 -c "Copy CIDs into SSL transform" \
1908 -s "Peer CID (length 4 Bytes): de ad be ef" \
1909 -c "Peer CID (length 0 Bytes):" \
1910 -s "Use of Connection ID has been negotiated" \
1911 -c "Use of Connection ID has been negotiated"
1912
1913requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1914run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID empty, AES-128-CBC" \
1915 "$P_SRV debug_level=3 dtls=1 cid=1" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1916 "$P_CLI debug_level=3 dtls=1 cid=1 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
Hanno Becker96870292019-05-03 17:30:59 +0100[diff] [blame]1917 0 \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1918 -c "Enable use of CID extension." \
Hanno Becker96870292019-05-03 17:30:59 +0100[diff] [blame]1919 -s "Enable use of CID extension." \
1920 -c "client hello, adding CID extension" \
1921 -s "found CID extension" \
1922 -s "Use of CID extension negotiated" \
1923 -s "server hello, adding CID extension" \
1924 -c "found CID extension" \
1925 -c "Use of CID extension negotiated" \
1926 -s "Copy CIDs into SSL transform" \
1927 -c "Copy CIDs into SSL transform" \
1928 -S "Use of Connection ID has been negotiated" \
1929 -C "Use of Connection ID has been negotiated"
1930
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1931requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker96870292019-05-03 17:30:59 +0100[diff] [blame]1932requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker84bbc512019-05-08 16:20:46 +0100[diff] [blame]1933run_test "Connection ID: Cli+Srv enabled, renegotiate without change of CID" \
1934 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead renegotiation=1" \
1935 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef renegotiation=1 renegotiate=1" \
1936 0 \
1937 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
1938 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
1939 -s "(initial handshake) Use of Connection ID has been negotiated" \
1940 -c "(initial handshake) Use of Connection ID has been negotiated" \
1941 -c "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
1942 -s "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
1943 -s "(after renegotiation) Use of Connection ID has been negotiated" \
1944 -c "(after renegotiation) Use of Connection ID has been negotiated"
1945
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1946requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker84bbc512019-05-08 16:20:46 +0100[diff] [blame]1947requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1948run_test "Connection ID: Cli+Srv enabled, renegotiate with different CID" \
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]1949 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead cid_val_renego=beef renegotiation=1" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1950 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef cid_val_renego=dead renegotiation=1 renegotiate=1" \
1951 0 \
1952 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
1953 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
1954 -s "(initial handshake) Use of Connection ID has been negotiated" \
1955 -c "(initial handshake) Use of Connection ID has been negotiated" \
1956 -c "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
1957 -s "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
1958 -s "(after renegotiation) Use of Connection ID has been negotiated" \
1959 -c "(after renegotiation) Use of Connection ID has been negotiated"
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]1960
1961requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1962requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1963run_test "Connection ID, no packing: Cli+Srv enabled, renegotiate with different CID" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1964 "$P_SRV debug_level=3 dtls=1 cid=1 dgram_packing=0 cid_val=dead cid_val_renego=beef renegotiation=1" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1965 "$P_CLI debug_level=3 dtls=1 cid=1 dgram_packing=0 cid_val=beef cid_val_renego=dead renegotiation=1 renegotiate=1" \
1966 0 \
Hanno Becker96870292019-05-03 17:30:59 +0100[diff] [blame]1967 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
1968 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
1969 -s "(initial handshake) Use of Connection ID has been negotiated" \
1970 -c "(initial handshake) Use of Connection ID has been negotiated" \
1971 -c "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
1972 -s "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
1973 -s "(after renegotiation) Use of Connection ID has been negotiated" \
1974 -c "(after renegotiation) Use of Connection ID has been negotiated"
1975
1976requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1977requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
1978run_test "Connection ID, 3D+MTU: Cli+Srv enabled, renegotiate with different CID" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1979 -p "$P_PXY mtu=800 drop=5 delay=5 duplicate=5 bad_cid=1" \
Hanno Becker96870292019-05-03 17:30:59 +0100[diff] [blame]1980 "$P_SRV debug_level=3 mtu=800 dtls=1 cid=1 cid_val=dead cid_val_renego=beef renegotiation=1" \
Hanno Becker84bbc512019-05-08 16:20:46 +0100[diff] [blame]1981 "$P_CLI debug_level=3 mtu=800 dtls=1 cid=1 cid_val=beef cid_val_renego=dead renegotiation=1 renegotiate=1" \
1982 0 \
1983 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
1984 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
1985 -s "(initial handshake) Use of Connection ID has been negotiated" \
1986 -c "(initial handshake) Use of Connection ID has been negotiated" \
1987 -c "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
1988 -s "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
1989 -s "(after renegotiation) Use of Connection ID has been negotiated" \
1990 -c "(after renegotiation) Use of Connection ID has been negotiated" \
1991 -c "ignoring unexpected CID" \
1992 -s "ignoring unexpected CID"
1993
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1994requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker84bbc512019-05-08 16:20:46 +0100[diff] [blame]1995requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1996run_test "Connection ID: Cli+Srv enabled, renegotiate without CID" \
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]1997 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead cid_renego=0 renegotiation=1" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1998 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef cid_renego=0 renegotiation=1 renegotiate=1" \
1999 0 \
2000 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2001 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
2002 -s "(initial handshake) Use of Connection ID has been negotiated" \
2003 -c "(initial handshake) Use of Connection ID has been negotiated" \
2004 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2005 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2006 -C "(after renegotiation) Use of Connection ID has been negotiated" \
2007 -S "(after renegotiation) Use of Connection ID has been negotiated"
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]2008
2009requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
2010requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2011run_test "Connection ID, no packing: Cli+Srv enabled, renegotiate without CID" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]2012 "$P_SRV debug_level=3 dtls=1 dgram_packing=0 cid=1 cid_val=dead cid_renego=0 renegotiation=1" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2013 "$P_CLI debug_level=3 dtls=1 dgram_packing=0 cid=1 cid_val=beef cid_renego=0 renegotiation=1 renegotiate=1" \
2014 0 \
Hanno Becker96870292019-05-03 17:30:59 +0100[diff] [blame]2015 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2016 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
2017 -s "(initial handshake) Use of Connection ID has been negotiated" \
2018 -c "(initial handshake) Use of Connection ID has been negotiated" \
2019 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2020 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2021 -C "(after renegotiation) Use of Connection ID has been negotiated" \
2022 -S "(after renegotiation) Use of Connection ID has been negotiated"
2023
2024requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]2025requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker96870292019-05-03 17:30:59 +0100[diff] [blame]2026run_test "Connection ID, 3D+MTU: Cli+Srv enabled, renegotiate without CID" \
Hanno Becker84bbc512019-05-08 16:20:46 +0100[diff] [blame]2027 -p "$P_PXY drop=5 delay=5 duplicate=5 bad_cid=1" \
2028 "$P_SRV debug_level=3 mtu=800 dtls=1 cid=1 cid_val=dead cid_renego=0 renegotiation=1" \
2029 "$P_CLI debug_level=3 mtu=800 dtls=1 cid=1 cid_val=beef cid_renego=0 renegotiation=1 renegotiate=1" \
2030 0 \
2031 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2032 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
2033 -s "(initial handshake) Use of Connection ID has been negotiated" \
2034 -c "(initial handshake) Use of Connection ID has been negotiated" \
2035 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2036 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2037 -C "(after renegotiation) Use of Connection ID has been negotiated" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]2038 -S "(after renegotiation) Use of Connection ID has been negotiated" \
Hanno Becker84bbc512019-05-08 16:20:46 +0100[diff] [blame]2039 -c "ignoring unexpected CID" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2040 -s "ignoring unexpected CID"
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]2041
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2042requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
2043requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
2044run_test "Connection ID: Cli+Srv enabled, CID on renegotiation" \
2045 "$P_SRV debug_level=3 dtls=1 cid=0 cid_renego=1 cid_val_renego=dead renegotiation=1" \
2046 "$P_CLI debug_level=3 dtls=1 cid=0 cid_renego=1 cid_val_renego=beef renegotiation=1 renegotiate=1" \
2047 0 \
2048 -S "(initial handshake) Use of Connection ID has been negotiated" \
2049 -C "(initial handshake) Use of Connection ID has been negotiated" \
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]2050 -c "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2051 -s "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2052 -c "(after renegotiation) Use of Connection ID has been negotiated" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2053 -s "(after renegotiation) Use of Connection ID has been negotiated"
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]2054
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2055requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
2056requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker96870292019-05-03 17:30:59 +0100[diff] [blame]2057run_test "Connection ID, no packing: Cli+Srv enabled, CID on renegotiation" \
2058 "$P_SRV debug_level=3 dtls=1 dgram_packing=0 cid=0 cid_renego=1 cid_val_renego=dead renegotiation=1" \
2059 "$P_CLI debug_level=3 dtls=1 dgram_packing=0 cid=0 cid_renego=1 cid_val_renego=beef renegotiation=1 renegotiate=1" \
2060 0 \
2061 -S "(initial handshake) Use of Connection ID has been negotiated" \
2062 -C "(initial handshake) Use of Connection ID has been negotiated" \
2063 -c "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2064 -s "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2065 -c "(after renegotiation) Use of Connection ID has been negotiated" \
2066 -s "(after renegotiation) Use of Connection ID has been negotiated"
2067
2068requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
2069requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]2070run_test "Connection ID, 3D+MTU: Cli+Srv enabled, CID on renegotiation" \
Hanno Becker96870292019-05-03 17:30:59 +0100[diff] [blame]2071 -p "$P_PXY mtu=800 drop=5 delay=5 duplicate=5 bad_cid=1" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2072 "$P_SRV debug_level=3 mtu=800 dtls=1 dgram_packing=1 cid=0 cid_renego=1 cid_val_renego=dead renegotiation=1" \
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]2073 "$P_CLI debug_level=3 mtu=800 dtls=1 dgram_packing=1 cid=0 cid_renego=1 cid_val_renego=beef renegotiation=1 renegotiate=1" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2074 0 \
2075 -S "(initial handshake) Use of Connection ID has been negotiated" \
2076 -C "(initial handshake) Use of Connection ID has been negotiated" \
2077 -c "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2078 -s "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2079 -c "(after renegotiation) Use of Connection ID has been negotiated" \
2080 -s "(after renegotiation) Use of Connection ID has been negotiated" \
2081 -c "ignoring unexpected CID" \
2082 -s "ignoring unexpected CID"
2083
2084requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]2085requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
2086run_test "Connection ID: Cli+Srv enabled, Cli disables on renegotiation" \
2087 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead renegotiation=1" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2088 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef cid_renego=0 renegotiation=1 renegotiate=1" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]2089 0 \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2090 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2091 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
2092 -s "(initial handshake) Use of Connection ID has been negotiated" \
2093 -c "(initial handshake) Use of Connection ID has been negotiated" \
2094 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2095 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2096 -C "(after renegotiation) Use of Connection ID has been negotiated" \
2097 -S "(after renegotiation) Use of Connection ID has been negotiated" \
2098 -s "(after renegotiation) Use of Connection ID was not offered by client"
2099
2100requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
2101requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
2102run_test "Connection ID, 3D: Cli+Srv enabled, Cli disables on renegotiation" \
2103 -p "$P_PXY drop=5 delay=5 duplicate=5 bad_cid=1" \
2104 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead renegotiation=1" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]2105 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef cid_renego=0 renegotiation=1 renegotiate=1" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2106 0 \
2107 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]2108 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
Hanno Becker96870292019-05-03 17:30:59 +0100[diff] [blame]2109 -s "(initial handshake) Use of Connection ID has been negotiated" \
2110 -c "(initial handshake) Use of Connection ID has been negotiated" \
2111 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2112 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2113 -C "(after renegotiation) Use of Connection ID has been negotiated" \
2114 -S "(after renegotiation) Use of Connection ID has been negotiated" \
2115 -s "(after renegotiation) Use of Connection ID was not offered by client" \
2116 -c "ignoring unexpected CID" \
2117 -s "ignoring unexpected CID"
2118
2119requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]2120requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
2121run_test "Connection ID: Cli+Srv enabled, Srv disables on renegotiation" \
2122 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead cid_renego=0 renegotiation=1" \
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]2123 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2124 0 \
2125 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2126 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]2127 -s "(initial handshake) Use of Connection ID has been negotiated" \
2128 -c "(initial handshake) Use of Connection ID has been negotiated" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2129 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2130 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2131 -C "(after renegotiation) Use of Connection ID has been negotiated" \
2132 -S "(after renegotiation) Use of Connection ID has been negotiated" \
2133 -c "(after renegotiation) Use of Connection ID was rejected by the server"
2134
2135requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
2136requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
2137run_test "Connection ID, 3D: Cli+Srv enabled, Srv disables on renegotiation" \
2138 -p "$P_PXY drop=5 delay=5 duplicate=5 bad_cid=1" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]2139 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead cid_renego=0 renegotiation=1" \
2140 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2141 0 \
2142 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2143 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
2144 -s "(initial handshake) Use of Connection ID has been negotiated" \
2145 -c "(initial handshake) Use of Connection ID has been negotiated" \
2146 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2147 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2148 -C "(after renegotiation) Use of Connection ID has been negotiated" \
2149 -S "(after renegotiation) Use of Connection ID has been negotiated" \
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]2150 -c "(after renegotiation) Use of Connection ID was rejected by the server" \
2151 -c "ignoring unexpected CID" \
2152 -s "ignoring unexpected CID"
2153
2154# Tests for Encrypt-then-MAC extension
2155
2156run_test "Encrypt then MAC: default" \
2157 "$P_SRV debug_level=3 \
2158 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2159 "$P_CLI debug_level=3" \
2160 0 \
2161 -c "client hello, adding encrypt_then_mac extension" \
2162 -s "found encrypt then mac extension" \
2163 -s "server hello, adding encrypt then mac extension" \
2164 -c "found encrypt_then_mac extension" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]2165 -c "using encrypt then mac" \
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]2166 -s "using encrypt then mac"
2167
2168run_test "Encrypt then MAC: client enabled, server disabled" \
2169 "$P_SRV debug_level=3 etm=0 \
2170 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2171 "$P_CLI debug_level=3 etm=1" \
2172 0 \
2173 -c "client hello, adding encrypt_then_mac extension" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2174 -s "found encrypt then mac extension" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]2175 -S "server hello, adding encrypt then mac extension" \
2176 -C "found encrypt_then_mac extension" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2177 -C "using encrypt then mac" \
2178 -S "using encrypt then mac"
2179
2180run_test "Encrypt then MAC: client enabled, aead cipher" \
2181 "$P_SRV debug_level=3 etm=1 \
2182 force_ciphersuite=TLS-RSA-WITH-AES-128-GCM-SHA256" \
2183 "$P_CLI debug_level=3 etm=1" \
2184 0 \
2185 -c "client hello, adding encrypt_then_mac extension" \
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]2186 -s "found encrypt then mac extension" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2187 -S "server hello, adding encrypt then mac extension" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]2188 -C "found encrypt_then_mac extension" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]2189 -C "using encrypt then mac" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2190 -S "using encrypt then mac"
2191
2192run_test "Encrypt then MAC: client enabled, stream cipher" \
2193 "$P_SRV debug_level=3 etm=1 \
2194 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
2195 "$P_CLI debug_level=3 etm=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
2196 0 \
2197 -c "client hello, adding encrypt_then_mac extension" \
2198 -s "found encrypt then mac extension" \
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]2199 -S "server hello, adding encrypt then mac extension" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2200 -C "found encrypt_then_mac extension" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]2201 -C "using encrypt then mac" \
2202 -S "using encrypt then mac"
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]2203
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2204run_test "Encrypt then MAC: client disabled, server enabled" \
2205 "$P_SRV debug_level=3 etm=1 \
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]2206 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2207 "$P_CLI debug_level=3 etm=0" \
2208 0 \
2209 -C "client hello, adding encrypt_then_mac extension" \
2210 -S "found encrypt then mac extension" \
2211 -S "server hello, adding encrypt then mac extension" \
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2212 -C "found encrypt_then_mac extension" \
2213 -C "using encrypt then mac" \
Jarno Lamsa31d940b2019-06-12 10:21:33 +0300[diff] [blame]2214 -S "using encrypt then mac"
2215
2216requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
2217run_test "Encrypt then MAC: client SSLv3, server enabled" \
2218 "$P_SRV debug_level=3 min_version=ssl3 \
2219 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2220 "$P_CLI debug_level=3 force_version=ssl3" \
2221 0 \
2222 -C "client hello, adding encrypt_then_mac extension" \
2223 -S "found encrypt then mac extension" \
2224 -S "server hello, adding encrypt then mac extension" \
2225 -C "found encrypt_then_mac extension" \
Jarno Lamsa41b35912019-06-10 15:51:11 +0300[diff] [blame]2226 -C "using encrypt then mac" \
2227 -S "using encrypt then mac"
2228
2229requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
2230run_test "Encrypt then MAC: client enabled, server SSLv3" \
2231 "$P_SRV debug_level=3 force_version=ssl3 \
2232 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2233 "$P_CLI debug_level=3 min_version=ssl3" \
2234 0 \
2235 -c "client hello, adding encrypt_then_mac extension" \
Jarno Lamsa20095af2019-06-11 17:16:58 +0300[diff] [blame]2236 -S "found encrypt then mac extension" \
2237 -S "server hello, adding encrypt then mac extension" \
2238 -C "found encrypt_then_mac extension" \
2239 -C "using encrypt then mac" \
2240 -S "using encrypt then mac"
2241
2242# Tests for Extended Master Secret extension
2243
2244run_test "Extended Master Secret: default (not enforcing)" \
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]2245 "$P_SRV debug_level=3 extended_ms=1 enforce_extended_master_secret=0 " \
2246 "$P_CLI debug_level=3 extended_ms=1 enforce_extended_master_secret=0" \
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]2247 0 \
2248 -c "client hello, adding extended_master_secret extension" \
2249 -s "found extended master secret extension" \
2250 -s "server hello, adding extended master secret extension" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]2251 -c "found extended_master_secret extension" \
2252 -c "session hash for extended master secret" \
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2253 -s "session hash for extended master secret"
2254
Jarno Lamsa41b35912019-06-10 15:51:11 +0300[diff] [blame]2255run_test "Extended Master Secret: both enabled, both enforcing" \
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]2256 "$P_SRV debug_level=3 extended_ms=1 enforce_extended_master_secret=1" \
2257 "$P_CLI debug_level=3 extended_ms=1 enforce_extended_master_secret=1" \
Jarno Lamsa41b35912019-06-10 15:51:11 +0300[diff] [blame]2258 0 \
2259 -c "client hello, adding extended_master_secret extension" \
2260 -s "found extended master secret extension" \
2261 -s "server hello, adding extended master secret extension" \
2262 -c "found extended_master_secret extension" \
2263 -c "session hash for extended master secret" \
2264 -s "session hash for extended master secret"
2265
Jarno Lamsa20095af2019-06-11 17:16:58 +0300[diff] [blame]2266run_test "Extended Master Secret: both enabled, client enforcing" \
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]2267 "$P_SRV debug_level=3 extended_ms=1 enforce_extended_master_secret=0" \
2268 "$P_CLI debug_level=3 extended_ms=1 enforce_extended_master_secret=1" \
Jarno Lamsa20095af2019-06-11 17:16:58 +0300[diff] [blame]2269 0 \
2270 -c "client hello, adding extended_master_secret extension" \
2271 -s "found extended master secret extension" \
2272 -s "server hello, adding extended master secret extension" \
2273 -c "found extended_master_secret extension" \
2274 -c "session hash for extended master secret" \
2275 -s "session hash for extended master secret"
2276
2277run_test "Extended Master Secret: both enabled, server enforcing" \
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]2278 "$P_SRV debug_level=3 extended_ms=1 enforce_extended_master_secret=1" \
2279 "$P_CLI debug_level=3 extended_ms=1 enforce_extended_master_secret=0" \
Jarno Lamsa20095af2019-06-11 17:16:58 +0300[diff] [blame]2280 0 \
2281 -c "client hello, adding extended_master_secret extension" \
2282 -s "found extended master secret extension" \
2283 -s "server hello, adding extended master secret extension" \
2284 -c "found extended_master_secret extension" \
2285 -c "session hash for extended master secret" \
2286 -s "session hash for extended master secret"
2287
2288run_test "Extended Master Secret: client enabled, server disabled, client enforcing" \
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]2289 "$P_SRV debug_level=3 extended_ms=0 enforce_extended_master_secret=0" \
Jarno Lamsa41b35912019-06-10 15:51:11 +0300[diff] [blame]2290 "$P_CLI debug_level=3 extended_ms=1 enforce_extended_master_secret=1" \
2291 1 \
2292 -c "client hello, adding extended_master_secret extension" \
2293 -s "found extended master secret extension" \
2294 -S "server hello, adding extended master secret extension" \
2295 -C "found extended_master_secret extension" \
2296 -c "Peer not offering extended master secret, while it is enforced"
2297
Jarno Lamsa20095af2019-06-11 17:16:58 +0300[diff] [blame]2298run_test "Extended Master Secret enforced: client disabled, server enabled, server enforcing" \
Jarno Lamsa41b35912019-06-10 15:51:11 +0300[diff] [blame]2299 "$P_SRV debug_level=3 extended_ms=1 enforce_extended_master_secret=1" \
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]2300 "$P_CLI debug_level=3 extended_ms=0 enforce_extended_master_secret=0" \
Jarno Lamsa41b35912019-06-10 15:51:11 +0300[diff] [blame]2301 1 \
2302 -C "client hello, adding extended_master_secret extension" \
2303 -S "found extended master secret extension" \
2304 -S "server hello, adding extended master secret extension" \
2305 -C "found extended_master_secret extension" \
2306 -s "Peer not offering extended master secret, while it is enforced"
2307
Jarno Lamsa20095af2019-06-11 17:16:58 +0300[diff] [blame]2308run_test "Extended Master Secret: client enabled, server disabled, not enforcing" \
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]2309 "$P_SRV debug_level=3 extended_ms=0 enforce_extended_master_secret=0" \
2310 "$P_CLI debug_level=3 extended_ms=1 enforce_extended_master_secret=0" \
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2311 0 \
2312 -c "client hello, adding extended_master_secret extension" \
2313 -s "found extended master secret extension" \
2314 -S "server hello, adding extended master secret extension" \
2315 -C "found extended_master_secret extension" \
Manuel Pégourié-Gonnard9c5bcc92019-05-20 12:09:50 +0200[diff] [blame]2316 -C "session hash for extended master secret" \
2317 -S "session hash for extended master secret"
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2318
Jarno Lamsa20095af2019-06-11 17:16:58 +0300[diff] [blame]2319run_test "Extended Master Secret: client disabled, server enabled, not enforcing" \
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]2320 "$P_SRV debug_level=3 extended_ms=1 enforce_extended_master_secret=0" \
2321 "$P_CLI debug_level=3 extended_ms=0 enforce_extended_master_secret=0" \
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2322 0 \
2323 -C "client hello, adding extended_master_secret extension" \
2324 -S "found extended master secret extension" \
2325 -S "server hello, adding extended master secret extension" \
2326 -C "found extended_master_secret extension" \
Manuel Pégourié-Gonnard9c5bcc92019-05-20 12:09:50 +0200[diff] [blame]2327 -C "session hash for extended master secret" \
2328 -S "session hash for extended master secret"
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2329
Jarno Lamsa20095af2019-06-11 17:16:58 +0300[diff] [blame]2330run_test "Extended Master Secret: client disabled, server disabled" \
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]2331 "$P_SRV debug_level=3 extended_ms=0 enforce_extended_master_secret=0" \
2332 "$P_CLI debug_level=3 extended_ms=0 enforce_extended_master_secret=0" \
Jarno Lamsa20095af2019-06-11 17:16:58 +0300[diff] [blame]2333 0 \
2334 -C "client hello, adding extended_master_secret extension" \
2335 -S "found extended master secret extension" \
2336 -S "server hello, adding extended master secret extension" \
2337 -C "found extended_master_secret extension" \
2338 -C "session hash for extended master secret" \
2339 -S "session hash for extended master secret"
2340
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]2341requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]2342run_test "Extended Master Secret: client SSLv3, server enabled" \
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]2343 "$P_SRV debug_level=3 min_version=ssl3 extended_ms=1 enforce_extended_master_secret=0" \
2344 "$P_CLI debug_level=3 force_version=ssl3 extended_ms=1 enforce_extended_master_secret=0" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]2345 0 \
2346 -C "client hello, adding extended_master_secret extension" \
2347 -S "found extended master secret extension" \
2348 -S "server hello, adding extended master secret extension" \
2349 -C "found extended_master_secret extension" \
Manuel Pégourié-Gonnard9c5bcc92019-05-20 12:09:50 +0200[diff] [blame]2350 -C "session hash for extended master secret" \
2351 -S "session hash for extended master secret"
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]2352
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]2353requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]2354run_test "Extended Master Secret: client enabled, server SSLv3" \
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]2355 "$P_SRV debug_level=3 force_version=ssl3 extended_ms=1 enforce_extended_master_secret=0" \
2356 "$P_CLI debug_level=3 min_version=ssl3 extended_ms=1 enforce_extended_master_secret=0" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]2357 0 \
2358 -c "client hello, adding extended_master_secret extension" \
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]2359 -S "found extended master secret extension" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]2360 -S "server hello, adding extended master secret extension" \
2361 -C "found extended_master_secret extension" \
Manuel Pégourié-Gonnard9c5bcc92019-05-20 12:09:50 +0200[diff] [blame]2362 -C "session hash for extended master secret" \
2363 -S "session hash for extended master secret"
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]2364
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2365# Tests for FALLBACK_SCSV
2366
2367run_test "Fallback SCSV: default" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]2368 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2369 "$P_CLI debug_level=3 force_version=tls1_1" \
2370 0 \
2371 -C "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2372 -S "received FALLBACK_SCSV" \
2373 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2374 -C "is a fatal alert message (msg 86)"
2375
2376run_test "Fallback SCSV: explicitly disabled" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]2377 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2378 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
2379 0 \
2380 -C "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2381 -S "received FALLBACK_SCSV" \
2382 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2383 -C "is a fatal alert message (msg 86)"
2384
2385run_test "Fallback SCSV: enabled" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]2386 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2387 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2388 1 \
2389 -c "adding FALLBACK_SCSV" \
2390 -s "received FALLBACK_SCSV" \
2391 -s "inapropriate fallback" \
2392 -c "is a fatal alert message (msg 86)"
2393
2394run_test "Fallback SCSV: enabled, max version" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]2395 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2396 "$P_CLI debug_level=3 fallback=1" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2397 0 \
2398 -c "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2399 -s "received FALLBACK_SCSV" \
2400 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2401 -C "is a fatal alert message (msg 86)"
2402
2403requires_openssl_with_fallback_scsv
2404run_test "Fallback SCSV: default, openssl server" \
2405 "$O_SRV" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]2406 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2407 0 \
2408 -C "adding FALLBACK_SCSV" \
2409 -C "is a fatal alert message (msg 86)"
2410
2411requires_openssl_with_fallback_scsv
2412run_test "Fallback SCSV: enabled, openssl server" \
2413 "$O_SRV" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]2414 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2415 1 \
2416 -c "adding FALLBACK_SCSV" \
2417 -c "is a fatal alert message (msg 86)"
2418
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2419requires_openssl_with_fallback_scsv
2420run_test "Fallback SCSV: disabled, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]2421 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2422 "$O_CLI -tls1_1" \
2423 0 \
2424 -S "received FALLBACK_SCSV" \
2425 -S "inapropriate fallback"
2426
2427requires_openssl_with_fallback_scsv
2428run_test "Fallback SCSV: enabled, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]2429 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2430 "$O_CLI -tls1_1 -fallback_scsv" \
2431 1 \
2432 -s "received FALLBACK_SCSV" \
2433 -s "inapropriate fallback"
2434
2435requires_openssl_with_fallback_scsv
2436run_test "Fallback SCSV: enabled, max version, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]2437 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2438 "$O_CLI -fallback_scsv" \
2439 0 \
2440 -s "received FALLBACK_SCSV" \
2441 -S "inapropriate fallback"
2442
Andres Amaya Garcia4c761fa2018-07-10 20:08:04 +0100[diff] [blame]2443# Test sending and receiving empty application data records
2444
2445run_test "Encrypt then MAC: empty application data record" \
2446 "$P_SRV auth_mode=none debug_level=4 etm=1" \
2447 "$P_CLI auth_mode=none etm=1 request_size=0 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA" \
2448 0 \
2449 -S "0000: 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f" \
2450 -s "dumping 'input payload after decrypt' (0 bytes)" \
2451 -c "0 bytes written in 1 fragments"
2452
2453run_test "Default, no Encrypt then MAC: empty application data record" \
2454 "$P_SRV auth_mode=none debug_level=4 etm=0" \
2455 "$P_CLI auth_mode=none etm=0 request_size=0" \
2456 0 \
2457 -s "dumping 'input payload after decrypt' (0 bytes)" \
2458 -c "0 bytes written in 1 fragments"
2459
2460run_test "Encrypt then MAC, DTLS: empty application data record" \
2461 "$P_SRV auth_mode=none debug_level=4 etm=1 dtls=1" \
2462 "$P_CLI auth_mode=none etm=1 request_size=0 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA dtls=1" \
2463 0 \
2464 -S "0000: 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f" \
2465 -s "dumping 'input payload after decrypt' (0 bytes)" \
2466 -c "0 bytes written in 1 fragments"
2467
2468run_test "Default, no Encrypt then MAC, DTLS: empty application data record" \
2469 "$P_SRV auth_mode=none debug_level=4 etm=0 dtls=1" \
2470 "$P_CLI auth_mode=none etm=0 request_size=0 dtls=1" \
2471 0 \
2472 -s "dumping 'input payload after decrypt' (0 bytes)" \
2473 -c "0 bytes written in 1 fragments"
2474
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]2475## ClientHello generated with
2476## "openssl s_client -CAfile tests/data_files/test-ca.crt -tls1_1 -connect localhost:4433 -cipher ..."
2477## then manually twiddling the ciphersuite list.
2478## The ClientHello content is spelled out below as a hex string as
2479## "prefix ciphersuite1 ciphersuite2 ciphersuite3 ciphersuite4 suffix".
2480## The expected response is an inappropriate_fallback alert.
2481requires_openssl_with_fallback_scsv
2482run_test "Fallback SCSV: beginning of list" \
2483 "$P_SRV debug_level=2" \
2484 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 5600 0031 0032 0033 0100000900230000000f000101' '15030200020256'" \
2485 0 \
2486 -s "received FALLBACK_SCSV" \
2487 -s "inapropriate fallback"
2488
2489requires_openssl_with_fallback_scsv
2490run_test "Fallback SCSV: end of list" \
2491 "$P_SRV debug_level=2" \
2492 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0031 0032 0033 5600 0100000900230000000f000101' '15030200020256'" \
2493 0 \
2494 -s "received FALLBACK_SCSV" \
2495 -s "inapropriate fallback"
2496
2497## Here the expected response is a valid ServerHello prefix, up to the random.
Manuel Pégourié-Gonnardf1c6ad42019-07-01 10:13:04 +0200[diff] [blame]2498## Due to the way the clienthello was generated, this currently needs the
2499## server to have support for session tickets.
2500requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]2501requires_openssl_with_fallback_scsv
2502run_test "Fallback SCSV: not in list" \
2503 "$P_SRV debug_level=2" \
2504 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0056 0031 0032 0033 0100000900230000000f000101' '16030200300200002c0302'" \
2505 0 \
2506 -S "received FALLBACK_SCSV" \
2507 -S "inapropriate fallback"
2508
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]2509# Tests for CBC 1/n-1 record splitting
2510
2511run_test "CBC Record splitting: TLS 1.2, no splitting" \
2512 "$P_SRV" \
2513 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
2514 request_size=123 force_version=tls1_2" \
2515 0 \
2516 -s "Read from client: 123 bytes read" \
2517 -S "Read from client: 1 bytes read" \
2518 -S "122 bytes read"
2519
2520run_test "CBC Record splitting: TLS 1.1, no splitting" \
2521 "$P_SRV" \
2522 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
2523 request_size=123 force_version=tls1_1" \
2524 0 \
2525 -s "Read from client: 123 bytes read" \
2526 -S "Read from client: 1 bytes read" \
2527 -S "122 bytes read"
2528
2529run_test "CBC Record splitting: TLS 1.0, splitting" \
2530 "$P_SRV" \
2531 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
2532 request_size=123 force_version=tls1" \
2533 0 \
2534 -S "Read from client: 123 bytes read" \
2535 -s "Read from client: 1 bytes read" \
2536 -s "122 bytes read"
2537
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]2538requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]2539run_test "CBC Record splitting: SSLv3, splitting" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]2540 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]2541 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
2542 request_size=123 force_version=ssl3" \
2543 0 \
2544 -S "Read from client: 123 bytes read" \
2545 -s "Read from client: 1 bytes read" \
2546 -s "122 bytes read"
2547
2548run_test "CBC Record splitting: TLS 1.0 RC4, no splitting" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]2549 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]2550 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
2551 request_size=123 force_version=tls1" \
2552 0 \
2553 -s "Read from client: 123 bytes read" \
2554 -S "Read from client: 1 bytes read" \
2555 -S "122 bytes read"
2556
2557run_test "CBC Record splitting: TLS 1.0, splitting disabled" \
2558 "$P_SRV" \
2559 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
2560 request_size=123 force_version=tls1 recsplit=0" \
2561 0 \
2562 -s "Read from client: 123 bytes read" \
2563 -S "Read from client: 1 bytes read" \
2564 -S "122 bytes read"
2565
Manuel Pégourié-Gonnarda852cf42015-01-13 20:56:15 +0100[diff] [blame]2566run_test "CBC Record splitting: TLS 1.0, splitting, nbio" \
2567 "$P_SRV nbio=2" \
2568 "$P_CLI nbio=2 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
2569 request_size=123 force_version=tls1" \
2570 0 \
2571 -S "Read from client: 123 bytes read" \
2572 -s "Read from client: 1 bytes read" \
2573 -s "122 bytes read"
2574
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]2575# Tests for Session Tickets
2576
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2577requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2578requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2579run_test "Session resume using tickets: basic" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2580 "$P_SRV debug_level=3 tickets=1" \
2581 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]2582 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]2583 -c "client hello, adding session ticket extension" \
2584 -s "found session ticket extension" \
2585 -s "server hello, adding session ticket extension" \
2586 -c "found session_ticket extension" \
2587 -c "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]2588 -S "session successfully restored from cache" \
2589 -s "session successfully restored from ticket" \
2590 -s "a session has been resumed" \
2591 -c "a session has been resumed"
2592
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2593requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2594requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2595run_test "Session resume using tickets: cache disabled" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2596 "$P_SRV debug_level=3 tickets=1 cache_max=0" \
2597 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +0100[diff] [blame]2598 0 \
2599 -c "client hello, adding session ticket extension" \
2600 -s "found session ticket extension" \
2601 -s "server hello, adding session ticket extension" \
2602 -c "found session_ticket extension" \
2603 -c "parse new session ticket" \
2604 -S "session successfully restored from cache" \
2605 -s "session successfully restored from ticket" \
2606 -s "a session has been resumed" \
2607 -c "a session has been resumed"
2608
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2609requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2610requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2611run_test "Session resume using tickets: timeout" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2612 "$P_SRV debug_level=3 tickets=1 cache_max=0 ticket_timeout=1" \
2613 "$P_CLI debug_level=3 tickets=1 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +0100[diff] [blame]2614 0 \
2615 -c "client hello, adding session ticket extension" \
2616 -s "found session ticket extension" \
2617 -s "server hello, adding session ticket extension" \
2618 -c "found session_ticket extension" \
2619 -c "parse new session ticket" \
2620 -S "session successfully restored from cache" \
2621 -S "session successfully restored from ticket" \
2622 -S "a session has been resumed" \
2623 -C "a session has been resumed"
2624
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2625requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2626requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Manuel Pégourié-Gonnard57a348b2019-05-20 12:46:26 +0200[diff] [blame]2627run_test "Session resume using tickets: session copy" \
2628 "$P_SRV debug_level=3 tickets=1 cache_max=0" \
2629 "$P_CLI debug_level=3 tickets=1 reconnect=1 reco_mode=0" \
2630 0 \
2631 -c "client hello, adding session ticket extension" \
2632 -s "found session ticket extension" \
2633 -s "server hello, adding session ticket extension" \
2634 -c "found session_ticket extension" \
2635 -c "parse new session ticket" \
2636 -S "session successfully restored from cache" \
2637 -s "session successfully restored from ticket" \
2638 -s "a session has been resumed" \
2639 -c "a session has been resumed"
2640
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2641requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2642requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2643run_test "Session resume using tickets: openssl server" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]2644 "$O_SRV" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]2645 "$P_CLI debug_level=3 tickets=1 reconnect=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]2646 0 \
2647 -c "client hello, adding session ticket extension" \
2648 -c "found session_ticket extension" \
2649 -c "parse new session ticket" \
2650 -c "a session has been resumed"
2651
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2652requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2653requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2654run_test "Session resume using tickets: openssl client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2655 "$P_SRV debug_level=3 tickets=1" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]2656 "( $O_CLI -sess_out $SESSION; \
2657 $O_CLI -sess_in $SESSION; \
2658 rm -f $SESSION )" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]2659 0 \
2660 -s "found session ticket extension" \
2661 -s "server hello, adding session ticket extension" \
2662 -S "session successfully restored from cache" \
2663 -s "session successfully restored from ticket" \
2664 -s "a session has been resumed"
2665
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2666# Tests for Session Tickets with DTLS
2667
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2668requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2669requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2670run_test "Session resume using tickets, DTLS: basic" \
2671 "$P_SRV debug_level=3 dtls=1 tickets=1" \
2672 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1" \
2673 0 \
2674 -c "client hello, adding session ticket extension" \
2675 -s "found session ticket extension" \
2676 -s "server hello, adding session ticket extension" \
2677 -c "found session_ticket extension" \
2678 -c "parse new session ticket" \
2679 -S "session successfully restored from cache" \
2680 -s "session successfully restored from ticket" \
2681 -s "a session has been resumed" \
2682 -c "a session has been resumed"
2683
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2684requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2685requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2686run_test "Session resume using tickets, DTLS: cache disabled" \
2687 "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0" \
2688 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1" \
2689 0 \
2690 -c "client hello, adding session ticket extension" \
2691 -s "found session ticket extension" \
2692 -s "server hello, adding session ticket extension" \
2693 -c "found session_ticket extension" \
2694 -c "parse new session ticket" \
2695 -S "session successfully restored from cache" \
2696 -s "session successfully restored from ticket" \
2697 -s "a session has been resumed" \
2698 -c "a session has been resumed"
2699
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2700requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2701requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2702run_test "Session resume using tickets, DTLS: timeout" \
2703 "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0 ticket_timeout=1" \
2704 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 reco_delay=2" \
2705 0 \
2706 -c "client hello, adding session ticket extension" \
2707 -s "found session ticket extension" \
2708 -s "server hello, adding session ticket extension" \
2709 -c "found session_ticket extension" \
2710 -c "parse new session ticket" \
2711 -S "session successfully restored from cache" \
2712 -S "session successfully restored from ticket" \
2713 -S "a session has been resumed" \
2714 -C "a session has been resumed"
2715
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2716requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2717requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Manuel Pégourié-Gonnard57a348b2019-05-20 12:46:26 +0200[diff] [blame]2718run_test "Session resume using tickets, DTLS: session copy" \
2719 "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0" \
2720 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 reco_mode=0" \
2721 0 \
2722 -c "client hello, adding session ticket extension" \
2723 -s "found session ticket extension" \
2724 -s "server hello, adding session ticket extension" \
2725 -c "found session_ticket extension" \
2726 -c "parse new session ticket" \
2727 -S "session successfully restored from cache" \
2728 -s "session successfully restored from ticket" \
2729 -s "a session has been resumed" \
2730 -c "a session has been resumed"
2731
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2732requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2733requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2734run_test "Session resume using tickets, DTLS: openssl server" \
2735 "$O_SRV -dtls1" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]2736 "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1 ca_file=data_files/test-ca2.crt" \
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2737 0 \
2738 -c "client hello, adding session ticket extension" \
2739 -c "found session_ticket extension" \
2740 -c "parse new session ticket" \
2741 -c "a session has been resumed"
2742
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2743requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2744requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2745run_test "Session resume using tickets, DTLS: openssl client" \
2746 "$P_SRV dtls=1 debug_level=3 tickets=1" \
2747 "( $O_CLI -dtls1 -sess_out $SESSION; \
2748 $O_CLI -dtls1 -sess_in $SESSION; \
2749 rm -f $SESSION )" \
2750 0 \
2751 -s "found session ticket extension" \
2752 -s "server hello, adding session ticket extension" \
2753 -S "session successfully restored from cache" \
2754 -s "session successfully restored from ticket" \
2755 -s "a session has been resumed"
2756
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]2757# Tests for Session Resume based on session-ID and cache
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]2758
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2759requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2760requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2761requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2762run_test "Session resume using cache: tickets enabled on client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2763 "$P_SRV debug_level=3 tickets=0" \
2764 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]2765 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]2766 -c "client hello, adding session ticket extension" \
2767 -s "found session ticket extension" \
2768 -S "server hello, adding session ticket extension" \
2769 -C "found session_ticket extension" \
2770 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]2771 -s "session successfully restored from cache" \
2772 -S "session successfully restored from ticket" \
2773 -s "a session has been resumed" \
2774 -c "a session has been resumed"
2775
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2776requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2777requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2778requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2779run_test "Session resume using cache: tickets enabled on server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2780 "$P_SRV debug_level=3 tickets=1" \
2781 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]2782 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]2783 -C "client hello, adding session ticket extension" \
2784 -S "found session ticket extension" \
2785 -S "server hello, adding session ticket extension" \
2786 -C "found session_ticket extension" \
2787 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]2788 -s "session successfully restored from cache" \
2789 -S "session successfully restored from ticket" \
2790 -s "a session has been resumed" \
2791 -c "a session has been resumed"
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]2792
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2793requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2794requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2795run_test "Session resume using cache: cache_max=0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2796 "$P_SRV debug_level=3 tickets=0 cache_max=0" \
2797 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]2798 0 \
2799 -S "session successfully restored from cache" \
2800 -S "session successfully restored from ticket" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]2801 -S "a session has been resumed" \
2802 -C "a session has been resumed"
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]2803
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2804requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2805requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2806run_test "Session resume using cache: cache_max=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2807 "$P_SRV debug_level=3 tickets=0 cache_max=1" \
2808 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]2809 0 \
2810 -s "session successfully restored from cache" \
2811 -S "session successfully restored from ticket" \
2812 -s "a session has been resumed" \
2813 -c "a session has been resumed"
2814
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2815requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2816requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard6df31962015-05-04 10:55:47 +0200[diff] [blame]2817run_test "Session resume using cache: timeout > delay" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2818 "$P_SRV debug_level=3 tickets=0" \
2819 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=0" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]2820 0 \
2821 -s "session successfully restored from cache" \
2822 -S "session successfully restored from ticket" \
2823 -s "a session has been resumed" \
2824 -c "a session has been resumed"
2825
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2826requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2827requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2828run_test "Session resume using cache: timeout < delay" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2829 "$P_SRV debug_level=3 tickets=0 cache_timeout=1" \
2830 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]2831 0 \
2832 -S "session successfully restored from cache" \
2833 -S "session successfully restored from ticket" \
2834 -S "a session has been resumed" \
2835 -C "a session has been resumed"
2836
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2837requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2838requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2839run_test "Session resume using cache: no timeout" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2840 "$P_SRV debug_level=3 tickets=0 cache_timeout=0" \
2841 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]2842 0 \
2843 -s "session successfully restored from cache" \
2844 -S "session successfully restored from ticket" \
2845 -s "a session has been resumed" \
2846 -c "a session has been resumed"
2847
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2848requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2849requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard57a348b2019-05-20 12:46:26 +0200[diff] [blame]2850run_test "Session resume using cache: session copy" \
2851 "$P_SRV debug_level=3 tickets=0" \
2852 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_mode=0" \
2853 0 \
2854 -s "session successfully restored from cache" \
2855 -S "session successfully restored from ticket" \
2856 -s "a session has been resumed" \
2857 -c "a session has been resumed"
2858
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2859requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2860requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2861run_test "Session resume using cache: openssl client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2862 "$P_SRV debug_level=3 tickets=0" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]2863 "( $O_CLI -sess_out $SESSION; \
2864 $O_CLI -sess_in $SESSION; \
2865 rm -f $SESSION )" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]2866 0 \
2867 -s "found session ticket extension" \
2868 -S "server hello, adding session ticket extension" \
2869 -s "session successfully restored from cache" \
2870 -S "session successfully restored from ticket" \
2871 -s "a session has been resumed"
2872
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2873requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2874requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2875run_test "Session resume using cache: openssl server" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]2876 "$O_SRV" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]2877 "$P_CLI debug_level=3 tickets=0 reconnect=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]2878 0 \
2879 -C "found session_ticket extension" \
2880 -C "parse new session ticket" \
2881 -c "a session has been resumed"
2882
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2883# Tests for Session Resume based on session-ID and cache, DTLS
2884
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2885requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2886requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2887requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2888run_test "Session resume using cache, DTLS: tickets enabled on client" \
2889 "$P_SRV dtls=1 debug_level=3 tickets=0" \
2890 "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1" \
2891 0 \
2892 -c "client hello, adding session ticket extension" \
2893 -s "found session ticket extension" \
2894 -S "server hello, adding session ticket extension" \
2895 -C "found session_ticket extension" \
2896 -C "parse new session ticket" \
2897 -s "session successfully restored from cache" \
2898 -S "session successfully restored from ticket" \
2899 -s "a session has been resumed" \
2900 -c "a session has been resumed"
2901
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2902requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2903requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2904requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2905run_test "Session resume using cache, DTLS: tickets enabled on server" \
2906 "$P_SRV dtls=1 debug_level=3 tickets=1" \
2907 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \
2908 0 \
2909 -C "client hello, adding session ticket extension" \
2910 -S "found session ticket extension" \
2911 -S "server hello, adding session ticket extension" \
2912 -C "found session_ticket extension" \
2913 -C "parse new session ticket" \
2914 -s "session successfully restored from cache" \
2915 -S "session successfully restored from ticket" \
2916 -s "a session has been resumed" \
2917 -c "a session has been resumed"
2918
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2919requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2920requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2921run_test "Session resume using cache, DTLS: cache_max=0" \
2922 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_max=0" \
2923 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \
2924 0 \
2925 -S "session successfully restored from cache" \
2926 -S "session successfully restored from ticket" \
2927 -S "a session has been resumed" \
2928 -C "a session has been resumed"
2929
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2930requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2931requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2932run_test "Session resume using cache, DTLS: cache_max=1" \
2933 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_max=1" \
2934 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \
2935 0 \
2936 -s "session successfully restored from cache" \
2937 -S "session successfully restored from ticket" \
2938 -s "a session has been resumed" \
2939 -c "a session has been resumed"
2940
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2941requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2942requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2943run_test "Session resume using cache, DTLS: timeout > delay" \
2944 "$P_SRV dtls=1 debug_level=3 tickets=0" \
2945 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 reco_delay=0" \
2946 0 \
2947 -s "session successfully restored from cache" \
2948 -S "session successfully restored from ticket" \
2949 -s "a session has been resumed" \
2950 -c "a session has been resumed"
2951
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2952requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2953requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2954run_test "Session resume using cache, DTLS: timeout < delay" \
2955 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_timeout=1" \
2956 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
2957 0 \
2958 -S "session successfully restored from cache" \
2959 -S "session successfully restored from ticket" \
2960 -S "a session has been resumed" \
2961 -C "a session has been resumed"
2962
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2963requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2964requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2965run_test "Session resume using cache, DTLS: no timeout" \
2966 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_timeout=0" \
2967 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
2968 0 \
2969 -s "session successfully restored from cache" \
2970 -S "session successfully restored from ticket" \
2971 -s "a session has been resumed" \
2972 -c "a session has been resumed"
2973
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2974requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2975requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard57a348b2019-05-20 12:46:26 +0200[diff] [blame]2976run_test "Session resume using cache, DTLS: session copy" \
2977 "$P_SRV dtls=1 debug_level=3 tickets=0" \
2978 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 reco_mode=0" \
2979 0 \
2980 -s "session successfully restored from cache" \
2981 -S "session successfully restored from ticket" \
2982 -s "a session has been resumed" \
2983 -c "a session has been resumed"
2984
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2985requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2986requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2987run_test "Session resume using cache, DTLS: openssl client" \
2988 "$P_SRV dtls=1 debug_level=3 tickets=0" \
2989 "( $O_CLI -dtls1 -sess_out $SESSION; \
2990 $O_CLI -dtls1 -sess_in $SESSION; \
2991 rm -f $SESSION )" \
2992 0 \
2993 -s "found session ticket extension" \
2994 -S "server hello, adding session ticket extension" \
2995 -s "session successfully restored from cache" \
2996 -S "session successfully restored from ticket" \
2997 -s "a session has been resumed"
2998
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2999requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
3000requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]3001run_test "Session resume using cache, DTLS: openssl server" \
3002 "$O_SRV -dtls1" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3003 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 ca_file=data_files/test-ca2.crt" \
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]3004 0 \
3005 -C "found session_ticket extension" \
3006 -C "parse new session ticket" \
3007 -c "a session has been resumed"
3008
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3009# Tests for Max Fragment Length extension
3010
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3011if [ $MAX_CONTENT_LEN -ne 16384 ]; then
3012 printf "Using non-default maximum content length $MAX_CONTENT_LEN\n"
3013fi
3014
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]3015requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3016run_test "Max fragment length: enabled, default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3017 "$P_SRV debug_level=3" \
3018 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]3019 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3020 -c "Maximum fragment length is $MAX_CONTENT_LEN" \
3021 -s "Maximum fragment length is $MAX_CONTENT_LEN" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]3022 -C "client hello, adding max_fragment_length extension" \
3023 -S "found max fragment length extension" \
3024 -S "server hello, max_fragment_length extension" \
3025 -C "found max_fragment_length extension"
3026
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]3027requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3028run_test "Max fragment length: enabled, default, larger message" \
3029 "$P_SRV debug_level=3" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3030 "$P_CLI debug_level=3 request_size=$(( $MAX_CONTENT_LEN + 1))" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3031 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3032 -c "Maximum fragment length is $MAX_CONTENT_LEN" \
3033 -s "Maximum fragment length is $MAX_CONTENT_LEN" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3034 -C "client hello, adding max_fragment_length extension" \
3035 -S "found max fragment length extension" \
3036 -S "server hello, max_fragment_length extension" \
3037 -C "found max_fragment_length extension" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3038 -c "$(( $MAX_CONTENT_LEN + 1)) bytes written in 2 fragments" \
3039 -s "$MAX_CONTENT_LEN bytes read" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]3040 -s "1 bytes read"
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3041
3042requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Arto Kinnunen3f1190d2019-09-26 17:18:57 +0300[diff] [blame]3043requires_config_value_at_least "MBEDTLS_SSL_MAX_CONTENT_LEN" 4096
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3044run_test "Max fragment length, DTLS: enabled, default, larger message" \
3045 "$P_SRV debug_level=3 dtls=1" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3046 "$P_CLI debug_level=3 dtls=1 request_size=$(( $MAX_CONTENT_LEN + 1))" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3047 1 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3048 -c "Maximum fragment length is $MAX_CONTENT_LEN" \
3049 -s "Maximum fragment length is $MAX_CONTENT_LEN" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3050 -C "client hello, adding max_fragment_length extension" \
3051 -S "found max fragment length extension" \
3052 -S "server hello, max_fragment_length extension" \
3053 -C "found max_fragment_length extension" \
3054 -c "fragment larger than.*maximum "
3055
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3056# Run some tests with MBEDTLS_SSL_MAX_FRAGMENT_LENGTH disabled
3057# (session fragment length will be 16384 regardless of mbedtls
3058# content length configuration.)
3059
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3060requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Arto Kinnunena1e98062019-09-26 19:35:16 +0300[diff] [blame]3061requires_config_value_at_least "MBEDTLS_SSL_MAX_CONTENT_LEN" 16384
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3062run_test "Max fragment length: disabled, larger message" \
3063 "$P_SRV debug_level=3" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3064 "$P_CLI debug_level=3 request_size=$(( $MAX_CONTENT_LEN + 1))" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3065 0 \
3066 -C "Maximum fragment length is 16384" \
3067 -S "Maximum fragment length is 16384" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3068 -c "$(( $MAX_CONTENT_LEN + 1)) bytes written in 2 fragments" \
3069 -s "$MAX_CONTENT_LEN bytes read" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]3070 -s "1 bytes read"
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3071
3072requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Arto Kinnunena1e98062019-09-26 19:35:16 +0300[diff] [blame]3073requires_config_value_at_least "MBEDTLS_SSL_MAX_CONTENT_LEN" 16384
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3074run_test "Max fragment length DTLS: disabled, larger message" \
3075 "$P_SRV debug_level=3 dtls=1" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3076 "$P_CLI debug_level=3 dtls=1 request_size=$(( $MAX_CONTENT_LEN + 1))" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3077 1 \
3078 -C "Maximum fragment length is 16384" \
3079 -S "Maximum fragment length is 16384" \
3080 -c "fragment larger than.*maximum "
3081
3082requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Arto Kinnunen3f1190d2019-09-26 17:18:57 +0300[diff] [blame]3083requires_config_value_at_least "MBEDTLS_SSL_MAX_CONTENT_LEN" 4096
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3084run_test "Max fragment length: used by client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3085 "$P_SRV debug_level=3" \
3086 "$P_CLI debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]3087 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]3088 -c "Maximum fragment length is 4096" \
3089 -s "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]3090 -c "client hello, adding max_fragment_length extension" \
3091 -s "found max fragment length extension" \
3092 -s "server hello, max_fragment_length extension" \
3093 -c "found max_fragment_length extension"
3094
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]3095requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Arto Kinnunen3f1190d2019-09-26 17:18:57 +0300[diff] [blame]3096requires_config_value_at_least "MBEDTLS_SSL_MAX_CONTENT_LEN" 4096
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3097run_test "Max fragment length: used by server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3098 "$P_SRV debug_level=3 max_frag_len=4096" \
3099 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]3100 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3101 -c "Maximum fragment length is $MAX_CONTENT_LEN" \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]3102 -s "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]3103 -C "client hello, adding max_fragment_length extension" \
3104 -S "found max fragment length extension" \
3105 -S "server hello, max_fragment_length extension" \
3106 -C "found max_fragment_length extension"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3107
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]3108requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Arto Kinnunen3f1190d2019-09-26 17:18:57 +0300[diff] [blame]3109requires_config_value_at_least "MBEDTLS_SSL_MAX_CONTENT_LEN" 4096
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3110requires_gnutls
3111run_test "Max fragment length: gnutls server" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]3112 "$G_SRV" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3113 "$P_CLI debug_level=3 max_frag_len=4096 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]3114 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]3115 -c "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]3116 -c "client hello, adding max_fragment_length extension" \
3117 -c "found max_fragment_length extension"
3118
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]3119requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Arto Kinnunena1e98062019-09-26 19:35:16 +0300[diff] [blame]3120requires_config_value_at_least "MBEDTLS_SSL_MAX_CONTENT_LEN" 2048
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]3121run_test "Max fragment length: client, message just fits" \
3122 "$P_SRV debug_level=3" \
3123 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2048" \
3124 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]3125 -c "Maximum fragment length is 2048" \
3126 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]3127 -c "client hello, adding max_fragment_length extension" \
3128 -s "found max fragment length extension" \
3129 -s "server hello, max_fragment_length extension" \
3130 -c "found max_fragment_length extension" \
3131 -c "2048 bytes written in 1 fragments" \
3132 -s "2048 bytes read"
3133
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]3134requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Arto Kinnunena1e98062019-09-26 19:35:16 +0300[diff] [blame]3135requires_config_value_at_least "MBEDTLS_SSL_MAX_CONTENT_LEN" 2048
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]3136run_test "Max fragment length: client, larger message" \
3137 "$P_SRV debug_level=3" \
3138 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2345" \
3139 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]3140 -c "Maximum fragment length is 2048" \
3141 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]3142 -c "client hello, adding max_fragment_length extension" \
3143 -s "found max fragment length extension" \
3144 -s "server hello, max_fragment_length extension" \
3145 -c "found max_fragment_length extension" \
3146 -c "2345 bytes written in 2 fragments" \
3147 -s "2048 bytes read" \
3148 -s "297 bytes read"
3149
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]3150requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Arto Kinnunena1e98062019-09-26 19:35:16 +0300[diff] [blame]3151requires_config_value_at_least "MBEDTLS_SSL_MAX_CONTENT_LEN" 2048
Manuel Pégourié-Gonnard23eb74d2015-01-21 14:37:13 +0000[diff] [blame]3152run_test "Max fragment length: DTLS client, larger message" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]3153 "$P_SRV debug_level=3 dtls=1" \
3154 "$P_CLI debug_level=3 dtls=1 max_frag_len=2048 request_size=2345" \
3155 1 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]3156 -c "Maximum fragment length is 2048" \
3157 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]3158 -c "client hello, adding max_fragment_length extension" \
3159 -s "found max fragment length extension" \
3160 -s "server hello, max_fragment_length extension" \
3161 -c "found max_fragment_length extension" \
3162 -c "fragment larger than.*maximum"
3163
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3164# Tests for renegotiation
3165
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3166# Renegotiation SCSV always added, regardless of SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3167run_test "Renegotiation: none, for reference" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3168 "$P_SRV debug_level=3 exchanges=2 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3169 "$P_CLI debug_level=3 exchanges=2" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3170 0 \
3171 -C "client hello, adding renegotiation extension" \
3172 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3173 -S "found renegotiation extension" \
3174 -s "server hello, secure renegotiation extension" \
3175 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]3176 -C "=> renegotiate" \
3177 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3178 -S "write hello request"
3179
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3180requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3181run_test "Renegotiation: client-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3182 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3183 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3184 0 \
3185 -c "client hello, adding renegotiation extension" \
3186 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3187 -s "found renegotiation extension" \
3188 -s "server hello, secure renegotiation extension" \
3189 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]3190 -c "=> renegotiate" \
3191 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3192 -S "write hello request"
3193
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3194requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3195run_test "Renegotiation: server-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3196 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3197 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3198 0 \
3199 -c "client hello, adding renegotiation extension" \
3200 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3201 -s "found renegotiation extension" \
3202 -s "server hello, secure renegotiation extension" \
3203 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]3204 -c "=> renegotiate" \
3205 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3206 -s "write hello request"
3207
Janos Follathb0f148c2017-10-05 12:29:42 +0100[diff] [blame]3208# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that
3209# the server did not parse the Signature Algorithm extension. This test is valid only if an MD
3210# algorithm stronger than SHA-1 is enabled in config.h
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3211requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Janos Follathb0f148c2017-10-05 12:29:42 +0100[diff] [blame]3212run_test "Renegotiation: Signature Algorithms parsing, client-initiated" \
3213 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
3214 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
3215 0 \
3216 -c "client hello, adding renegotiation extension" \
3217 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3218 -s "found renegotiation extension" \
3219 -s "server hello, secure renegotiation extension" \
3220 -c "found renegotiation extension" \
3221 -c "=> renegotiate" \
3222 -s "=> renegotiate" \
3223 -S "write hello request" \
3224 -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?
3225
3226# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that
3227# the server did not parse the Signature Algorithm extension. This test is valid only if an MD
3228# algorithm stronger than SHA-1 is enabled in config.h
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3229requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Janos Follathb0f148c2017-10-05 12:29:42 +0100[diff] [blame]3230run_test "Renegotiation: Signature Algorithms parsing, server-initiated" \
3231 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
3232 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
3233 0 \
3234 -c "client hello, adding renegotiation extension" \
3235 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3236 -s "found renegotiation extension" \
3237 -s "server hello, secure renegotiation extension" \
3238 -c "found renegotiation extension" \
3239 -c "=> renegotiate" \
3240 -s "=> renegotiate" \
3241 -s "write hello request" \
3242 -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?
3243
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3244requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3245run_test "Renegotiation: double" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3246 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3247 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3248 0 \
3249 -c "client hello, adding renegotiation extension" \
3250 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3251 -s "found renegotiation extension" \
3252 -s "server hello, secure renegotiation extension" \
3253 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]3254 -c "=> renegotiate" \
3255 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3256 -s "write hello request"
3257
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3258requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3259run_test "Renegotiation: client-initiated, server-rejected" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3260 "$P_SRV debug_level=3 exchanges=2 renegotiation=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3261 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3262 1 \
3263 -c "client hello, adding renegotiation extension" \
3264 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3265 -S "found renegotiation extension" \
3266 -s "server hello, secure renegotiation extension" \
3267 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]3268 -c "=> renegotiate" \
3269 -S "=> renegotiate" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]3270 -S "write hello request" \
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]3271 -c "SSL - Unexpected message at ServerHello in renegotiation" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]3272 -c "failed"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3273
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3274requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3275run_test "Renegotiation: server-initiated, client-rejected, default" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3276 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3277 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3278 0 \
3279 -C "client hello, adding renegotiation extension" \
3280 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3281 -S "found renegotiation extension" \
3282 -s "server hello, secure renegotiation extension" \
3283 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]3284 -C "=> renegotiate" \
3285 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3286 -s "write hello request" \
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +0200[diff] [blame]3287 -S "SSL - An unexpected message was received from our peer" \
3288 -S "failed"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]3289
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3290requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3291run_test "Renegotiation: server-initiated, client-rejected, not enforced" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3292 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3293 renego_delay=-1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3294 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]3295 0 \
3296 -C "client hello, adding renegotiation extension" \
3297 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3298 -S "found renegotiation extension" \
3299 -s "server hello, secure renegotiation extension" \
3300 -c "found renegotiation extension" \
3301 -C "=> renegotiate" \
3302 -S "=> renegotiate" \
3303 -s "write hello request" \
3304 -S "SSL - An unexpected message was received from our peer" \
3305 -S "failed"
3306
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]3307# delay 2 for 1 alert record + 1 application data record
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3308requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3309run_test "Renegotiation: server-initiated, client-rejected, delay 2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3310 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3311 renego_delay=2 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3312 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]3313 0 \
3314 -C "client hello, adding renegotiation extension" \
3315 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3316 -S "found renegotiation extension" \
3317 -s "server hello, secure renegotiation extension" \
3318 -c "found renegotiation extension" \
3319 -C "=> renegotiate" \
3320 -S "=> renegotiate" \
3321 -s "write hello request" \
3322 -S "SSL - An unexpected message was received from our peer" \
3323 -S "failed"
3324
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3325requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3326run_test "Renegotiation: server-initiated, client-rejected, delay 0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3327 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3328 renego_delay=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3329 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]3330 0 \
3331 -C "client hello, adding renegotiation extension" \
3332 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3333 -S "found renegotiation extension" \
3334 -s "server hello, secure renegotiation extension" \
3335 -c "found renegotiation extension" \
3336 -C "=> renegotiate" \
3337 -S "=> renegotiate" \
3338 -s "write hello request" \
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]3339 -s "SSL - An unexpected message was received from our peer"
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]3340
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3341requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3342run_test "Renegotiation: server-initiated, client-accepted, delay 0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3343 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3344 renego_delay=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3345 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]3346 0 \
3347 -c "client hello, adding renegotiation extension" \
3348 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3349 -s "found renegotiation extension" \
3350 -s "server hello, secure renegotiation extension" \
3351 -c "found renegotiation extension" \
3352 -c "=> renegotiate" \
3353 -s "=> renegotiate" \
3354 -s "write hello request" \
3355 -S "SSL - An unexpected message was received from our peer" \
3356 -S "failed"
3357
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3358requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]3359run_test "Renegotiation: periodic, just below period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3360 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]3361 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
3362 0 \
3363 -C "client hello, adding renegotiation extension" \
3364 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3365 -S "found renegotiation extension" \
3366 -s "server hello, secure renegotiation extension" \
3367 -c "found renegotiation extension" \
3368 -S "record counter limit reached: renegotiate" \
3369 -C "=> renegotiate" \
3370 -S "=> renegotiate" \
3371 -S "write hello request" \
3372 -S "SSL - An unexpected message was received from our peer" \
3373 -S "failed"
3374
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]3375# one extra exchange to be able to complete renego
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3376requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]3377run_test "Renegotiation: periodic, just above period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3378 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]3379 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]3380 0 \
3381 -c "client hello, adding renegotiation extension" \
3382 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3383 -s "found renegotiation extension" \
3384 -s "server hello, secure renegotiation extension" \
3385 -c "found renegotiation extension" \
3386 -s "record counter limit reached: renegotiate" \
3387 -c "=> renegotiate" \
3388 -s "=> renegotiate" \
3389 -s "write hello request" \
3390 -S "SSL - An unexpected message was received from our peer" \
3391 -S "failed"
3392
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3393requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]3394run_test "Renegotiation: periodic, two times period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3395 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]3396 "$P_CLI debug_level=3 exchanges=7 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]3397 0 \
3398 -c "client hello, adding renegotiation extension" \
3399 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3400 -s "found renegotiation extension" \
3401 -s "server hello, secure renegotiation extension" \
3402 -c "found renegotiation extension" \
3403 -s "record counter limit reached: renegotiate" \
3404 -c "=> renegotiate" \
3405 -s "=> renegotiate" \
3406 -s "write hello request" \
3407 -S "SSL - An unexpected message was received from our peer" \
3408 -S "failed"
3409
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3410requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]3411run_test "Renegotiation: periodic, above period, disabled" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3412 "$P_SRV debug_level=3 exchanges=9 renegotiation=0 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]3413 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
3414 0 \
3415 -C "client hello, adding renegotiation extension" \
3416 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3417 -S "found renegotiation extension" \
3418 -s "server hello, secure renegotiation extension" \
3419 -c "found renegotiation extension" \
3420 -S "record counter limit reached: renegotiate" \
3421 -C "=> renegotiate" \
3422 -S "=> renegotiate" \
3423 -S "write hello request" \
3424 -S "SSL - An unexpected message was received from our peer" \
3425 -S "failed"
3426
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3427requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3428run_test "Renegotiation: nbio, client-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3429 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3430 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +0200[diff] [blame]3431 0 \
3432 -c "client hello, adding renegotiation extension" \
3433 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3434 -s "found renegotiation extension" \
3435 -s "server hello, secure renegotiation extension" \
3436 -c "found renegotiation extension" \
3437 -c "=> renegotiate" \
3438 -s "=> renegotiate" \
3439 -S "write hello request"
3440
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3441requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3442run_test "Renegotiation: nbio, server-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3443 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3444 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +0200[diff] [blame]3445 0 \
3446 -c "client hello, adding renegotiation extension" \
3447 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3448 -s "found renegotiation extension" \
3449 -s "server hello, secure renegotiation extension" \
3450 -c "found renegotiation extension" \
3451 -c "=> renegotiate" \
3452 -s "=> renegotiate" \
3453 -s "write hello request"
3454
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3455requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3456run_test "Renegotiation: openssl server, client-initiated" \
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]3457 "$O_SRV -www" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3458 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]3459 0 \
3460 -c "client hello, adding renegotiation extension" \
3461 -c "found renegotiation extension" \
3462 -c "=> renegotiate" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3463 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]3464 -C "error" \
3465 -c "HTTP/1.0 200 [Oo][Kk]"
3466
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3467requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3468requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3469run_test "Renegotiation: gnutls server strict, client-initiated" \
3470 "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3471 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]3472 0 \
3473 -c "client hello, adding renegotiation extension" \
3474 -c "found renegotiation extension" \
3475 -c "=> renegotiate" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3476 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]3477 -C "error" \
3478 -c "HTTP/1.0 200 [Oo][Kk]"
3479
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3480requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3481requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3482run_test "Renegotiation: gnutls server unsafe, client-initiated default" \
3483 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3484 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3485 1 \
3486 -c "client hello, adding renegotiation extension" \
3487 -C "found renegotiation extension" \
3488 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3489 -c "mbedtls_ssl_handshake() returned" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3490 -c "error" \
3491 -C "HTTP/1.0 200 [Oo][Kk]"
3492
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3493requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3494requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3495run_test "Renegotiation: gnutls server unsafe, client-inititated no legacy" \
3496 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3497 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3498 allow_legacy=0" \
3499 1 \
3500 -c "client hello, adding renegotiation extension" \
3501 -C "found renegotiation extension" \
3502 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3503 -c "mbedtls_ssl_handshake() returned" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3504 -c "error" \
3505 -C "HTTP/1.0 200 [Oo][Kk]"
3506
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3507requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3508requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3509run_test "Renegotiation: gnutls server unsafe, client-inititated legacy" \
3510 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3511 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3512 allow_legacy=1" \
3513 0 \
3514 -c "client hello, adding renegotiation extension" \
3515 -C "found renegotiation extension" \
3516 -c "=> renegotiate" \
3517 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3518 -C "error" \
3519 -c "HTTP/1.0 200 [Oo][Kk]"
3520
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3521requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard30d16eb2014-08-19 17:43:50 +0200[diff] [blame]3522run_test "Renegotiation: DTLS, client-initiated" \
3523 "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1" \
3524 "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
3525 0 \
3526 -c "client hello, adding renegotiation extension" \
3527 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3528 -s "found renegotiation extension" \
3529 -s "server hello, secure renegotiation extension" \
3530 -c "found renegotiation extension" \
3531 -c "=> renegotiate" \
3532 -s "=> renegotiate" \
3533 -S "write hello request"
3534
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3535requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]3536run_test "Renegotiation: DTLS, server-initiated" \
3537 "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnarddf9a0a82014-10-02 14:17:18 +0200[diff] [blame]3538 "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 \
3539 read_timeout=1000 max_resend=2" \
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]3540 0 \
3541 -c "client hello, adding renegotiation extension" \
3542 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3543 -s "found renegotiation extension" \
3544 -s "server hello, secure renegotiation extension" \
3545 -c "found renegotiation extension" \
3546 -c "=> renegotiate" \
3547 -s "=> renegotiate" \
3548 -s "write hello request"
3549
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3550requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Andres AG692ad842017-01-19 16:30:57 +0000[diff] [blame]3551run_test "Renegotiation: DTLS, renego_period overflow" \
3552 "$P_SRV debug_level=3 dtls=1 exchanges=4 renegotiation=1 renego_period=18446462598732840962 auth_mode=optional" \
3553 "$P_CLI debug_level=3 dtls=1 exchanges=4 renegotiation=1" \
3554 0 \
3555 -c "client hello, adding renegotiation extension" \
3556 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3557 -s "found renegotiation extension" \
3558 -s "server hello, secure renegotiation extension" \
3559 -s "record counter limit reached: renegotiate" \
3560 -c "=> renegotiate" \
3561 -s "=> renegotiate" \
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3562 -s "write hello request"
Andres AG692ad842017-01-19 16:30:57 +0000[diff] [blame]3563
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]3564requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3565requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +0200[diff] [blame]3566run_test "Renegotiation: DTLS, gnutls server, client-initiated" \
3567 "$G_SRV -u --mtu 4096" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3568 "$P_CLI debug_level=3 dtls=1 exchanges=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +0200[diff] [blame]3569 0 \
3570 -c "client hello, adding renegotiation extension" \
3571 -c "found renegotiation extension" \
3572 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3573 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +0200[diff] [blame]3574 -C "error" \
3575 -s "Extra-header:"
3576
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3577# Test for the "secure renegotation" extension only (no actual renegotiation)
3578
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3579requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3580run_test "Renego ext: gnutls server strict, client default" \
3581 "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3582 "$P_CLI debug_level=3 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3583 0 \
3584 -c "found renegotiation extension" \
3585 -C "error" \
3586 -c "HTTP/1.0 200 [Oo][Kk]"
3587
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3588requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3589run_test "Renego ext: gnutls server unsafe, client default" \
3590 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3591 "$P_CLI debug_level=3 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3592 0 \
3593 -C "found renegotiation extension" \
3594 -C "error" \
3595 -c "HTTP/1.0 200 [Oo][Kk]"
3596
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3597requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3598run_test "Renego ext: gnutls server unsafe, client break legacy" \
3599 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
3600 "$P_CLI debug_level=3 allow_legacy=-1" \
3601 1 \
3602 -C "found renegotiation extension" \
3603 -c "error" \
3604 -C "HTTP/1.0 200 [Oo][Kk]"
3605
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3606requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3607run_test "Renego ext: gnutls client strict, server default" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3608 "$P_SRV debug_level=3 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]3609 "$G_CLI --priority=NORMAL:%SAFE_RENEGOTIATION localhost" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3610 0 \
3611 -s "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
3612 -s "server hello, secure renegotiation extension"
3613
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3614requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3615run_test "Renego ext: gnutls client unsafe, server default" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3616 "$P_SRV debug_level=3 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]3617 "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION localhost" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3618 0 \
3619 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
3620 -S "server hello, secure renegotiation extension"
3621
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3622requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3623run_test "Renego ext: gnutls client unsafe, server break legacy" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3624 "$P_SRV debug_level=3 allow_legacy=-1 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]3625 "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION localhost" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3626 1 \
3627 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
3628 -S "server hello, secure renegotiation extension"
3629
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]3630# Tests for silently dropping trailing extra bytes in .der certificates
3631
3632requires_gnutls
3633run_test "DER format: no trailing bytes" \
3634 "$P_SRV crt_file=data_files/server5-der0.crt \
3635 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]3636 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]3637 0 \
3638 -c "Handshake was completed" \
3639
3640requires_gnutls
3641run_test "DER format: with a trailing zero byte" \
3642 "$P_SRV crt_file=data_files/server5-der1a.crt \
3643 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]3644 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]3645 0 \
3646 -c "Handshake was completed" \
3647
3648requires_gnutls
3649run_test "DER format: with a trailing random byte" \
3650 "$P_SRV crt_file=data_files/server5-der1b.crt \
3651 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]3652 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]3653 0 \
3654 -c "Handshake was completed" \
3655
3656requires_gnutls
3657run_test "DER format: with 2 trailing random bytes" \
3658 "$P_SRV crt_file=data_files/server5-der2.crt \
3659 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]3660 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]3661 0 \
3662 -c "Handshake was completed" \
3663
3664requires_gnutls
3665run_test "DER format: with 4 trailing random bytes" \
3666 "$P_SRV crt_file=data_files/server5-der4.crt \
3667 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]3668 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]3669 0 \
3670 -c "Handshake was completed" \
3671
3672requires_gnutls
3673run_test "DER format: with 8 trailing random bytes" \
3674 "$P_SRV crt_file=data_files/server5-der8.crt \
3675 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]3676 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]3677 0 \
3678 -c "Handshake was completed" \
3679
3680requires_gnutls
3681run_test "DER format: with 9 trailing random bytes" \
3682 "$P_SRV crt_file=data_files/server5-der9.crt \
3683 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]3684 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]3685 0 \
3686 -c "Handshake was completed" \
3687
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3688# Tests for auth_mode
3689
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]3690requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]3691requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3692run_test "Authentication: server badcert, client required" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3693 "$P_SRV crt_file=data_files/server5-badsign.crt \
3694 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3695 "$P_CLI debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3696 1 \
3697 -c "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3698 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3699 -c "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3700 -c "X509 - Certificate verification failed"
3701
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]3702requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]3703requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3704run_test "Authentication: server badcert, client optional" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3705 "$P_SRV crt_file=data_files/server5-badsign.crt \
3706 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3707 "$P_CLI debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3708 0 \
3709 -c "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3710 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3711 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3712 -C "X509 - Certificate verification failed"
3713
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]3714requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]3715requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Hanno Beckere6706e62017-05-15 16:05:15 +0100[diff] [blame]3716run_test "Authentication: server goodcert, client optional, no trusted CA" \
3717 "$P_SRV" \
3718 "$P_CLI debug_level=3 auth_mode=optional ca_file=none ca_path=none" \
3719 0 \
3720 -c "x509_verify_cert() returned" \
3721 -c "! The certificate is not correctly signed by the trusted CA" \
3722 -c "! Certificate verification flags"\
3723 -C "! mbedtls_ssl_handshake returned" \
3724 -C "X509 - Certificate verification failed" \
3725 -C "SSL - No CA Chain is set, but required to operate"
3726
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]3727requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]3728requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Hanno Beckere6706e62017-05-15 16:05:15 +0100[diff] [blame]3729run_test "Authentication: server goodcert, client required, no trusted CA" \
3730 "$P_SRV" \
3731 "$P_CLI debug_level=3 auth_mode=required ca_file=none ca_path=none" \
3732 1 \
3733 -c "x509_verify_cert() returned" \
3734 -c "! The certificate is not correctly signed by the trusted CA" \
3735 -c "! Certificate verification flags"\
3736 -c "! mbedtls_ssl_handshake returned" \
3737 -c "SSL - No CA Chain is set, but required to operate"
3738
3739# The purpose of the next two tests is to test the client's behaviour when receiving a server
3740# certificate with an unsupported elliptic curve. This should usually not happen because
3741# the client informs the server about the supported curves - it does, though, in the
3742# corner case of a static ECDH suite, because the server doesn't check the curve on that
3743# occasion (to be fixed). If that bug's fixed, the test needs to be altered to use a
3744# different means to have the server ignoring the client's supported curve list.
3745
3746requires_config_enabled MBEDTLS_ECP_C
3747run_test "Authentication: server ECDH p256v1, client required, p256v1 unsupported" \
3748 "$P_SRV debug_level=1 key_file=data_files/server5.key \
3749 crt_file=data_files/server5.ku-ka.crt" \
3750 "$P_CLI debug_level=3 auth_mode=required curves=secp521r1" \
3751 1 \
3752 -c "bad certificate (EC key curve)"\
3753 -c "! Certificate verification flags"\
3754 -C "bad server certificate (ECDH curve)" # Expect failure at earlier verification stage
3755
3756requires_config_enabled MBEDTLS_ECP_C
3757run_test "Authentication: server ECDH p256v1, client optional, p256v1 unsupported" \
3758 "$P_SRV debug_level=1 key_file=data_files/server5.key \
3759 crt_file=data_files/server5.ku-ka.crt" \
3760 "$P_CLI debug_level=3 auth_mode=optional curves=secp521r1" \
3761 1 \
3762 -c "bad certificate (EC key curve)"\
3763 -c "! Certificate verification flags"\
3764 -c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check
3765
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3766run_test "Authentication: server badcert, client none" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]3767 "$P_SRV crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3768 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3769 "$P_CLI debug_level=1 auth_mode=none" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3770 0 \
3771 -C "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3772 -C "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3773 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3774 -C "X509 - Certificate verification failed"
3775
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3776run_test "Authentication: client SHA256, server required" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3777 "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt" \
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3778 "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
3779 key_file=data_files/server6.key \
3780 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
3781 0 \
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3782 -c "Supported Signature Algorithm found: 5,"
3783
3784run_test "Authentication: client SHA384, server required" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3785 "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt" \
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3786 "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
3787 key_file=data_files/server6.key \
3788 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
3789 0 \
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3790 -c "Supported Signature Algorithm found: 5,"
3791
Gilles Peskinefd8332e2017-05-03 16:25:07 +0200[diff] [blame]3792requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
3793run_test "Authentication: client has no cert, server required (SSLv3)" \
3794 "$P_SRV debug_level=3 min_version=ssl3 auth_mode=required" \
3795 "$P_CLI debug_level=3 force_version=ssl3 crt_file=none \
3796 key_file=data_files/server5.key" \
3797 1 \
3798 -S "skip write certificate request" \
3799 -C "skip parse certificate request" \
3800 -c "got a certificate request" \
3801 -c "got no certificate to send" \
3802 -S "x509_verify_cert() returned" \
3803 -s "client has no certificate" \
3804 -s "! mbedtls_ssl_handshake returned" \
3805 -c "! mbedtls_ssl_handshake returned" \
3806 -s "No client certification received from the client, but required by the authentication mode"
3807
3808run_test "Authentication: client has no cert, server required (TLS)" \
3809 "$P_SRV debug_level=3 auth_mode=required" \
3810 "$P_CLI debug_level=3 crt_file=none \
3811 key_file=data_files/server5.key" \
3812 1 \
3813 -S "skip write certificate request" \
3814 -C "skip parse certificate request" \
3815 -c "got a certificate request" \
3816 -c "= write certificate$" \
3817 -C "skip write certificate$" \
3818 -S "x509_verify_cert() returned" \
3819 -s "client has no certificate" \
3820 -s "! mbedtls_ssl_handshake returned" \
3821 -c "! mbedtls_ssl_handshake returned" \
3822 -s "No client certification received from the client, but required by the authentication mode"
3823
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]3824requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]3825requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3826run_test "Authentication: client badcert, server required" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3827 "$P_SRV debug_level=3 auth_mode=required" \
3828 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3829 key_file=data_files/server5.key" \
3830 1 \
3831 -S "skip write certificate request" \
3832 -C "skip parse certificate request" \
3833 -c "got a certificate request" \
3834 -C "skip write certificate" \
3835 -C "skip write certificate verify" \
3836 -S "skip parse certificate verify" \
3837 -s "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]3838 -s "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3839 -s "! mbedtls_ssl_handshake returned" \
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]3840 -s "send alert level=2 message=48" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3841 -c "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3842 -s "X509 - Certificate verification failed"
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]3843# We don't check that the client receives the alert because it might
3844# detect that its write end of the connection is closed and abort
3845# before reading the alert message.
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3846
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]3847requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]3848requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]3849run_test "Authentication: client cert not trusted, server required" \
3850 "$P_SRV debug_level=3 auth_mode=required" \
3851 "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
3852 key_file=data_files/server5.key" \
3853 1 \
3854 -S "skip write certificate request" \
3855 -C "skip parse certificate request" \
3856 -c "got a certificate request" \
3857 -C "skip write certificate" \
3858 -C "skip write certificate verify" \
3859 -S "skip parse certificate verify" \
3860 -s "x509_verify_cert() returned" \
3861 -s "! The certificate is not correctly signed by the trusted CA" \
3862 -s "! mbedtls_ssl_handshake returned" \
3863 -c "! mbedtls_ssl_handshake returned" \
3864 -s "X509 - Certificate verification failed"
3865
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]3866requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]3867requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3868run_test "Authentication: client badcert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3869 "$P_SRV debug_level=3 auth_mode=optional" \
3870 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3871 key_file=data_files/server5.key" \
3872 0 \
3873 -S "skip write certificate request" \
3874 -C "skip parse certificate request" \
3875 -c "got a certificate request" \
3876 -C "skip write certificate" \
3877 -C "skip write certificate verify" \
3878 -S "skip parse certificate verify" \
3879 -s "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3880 -s "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3881 -S "! mbedtls_ssl_handshake returned" \
3882 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3883 -S "X509 - Certificate verification failed"
3884
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3885run_test "Authentication: client badcert, server none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3886 "$P_SRV debug_level=3 auth_mode=none" \
3887 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3888 key_file=data_files/server5.key" \
3889 0 \
3890 -s "skip write certificate request" \
3891 -C "skip parse certificate request" \
3892 -c "got no certificate request" \
3893 -c "skip write certificate" \
3894 -c "skip write certificate verify" \
3895 -s "skip parse certificate verify" \
3896 -S "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3897 -S "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3898 -S "! mbedtls_ssl_handshake returned" \
3899 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3900 -S "X509 - Certificate verification failed"
3901
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]3902requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]3903requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3904run_test "Authentication: client no cert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3905 "$P_SRV debug_level=3 auth_mode=optional" \
3906 "$P_CLI debug_level=3 crt_file=none key_file=none" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]3907 0 \
3908 -S "skip write certificate request" \
3909 -C "skip parse certificate request" \
3910 -c "got a certificate request" \
3911 -C "skip write certificate$" \
3912 -C "got no certificate to send" \
3913 -S "SSLv3 client has no certificate" \
3914 -c "skip write certificate verify" \
3915 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3916 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3917 -S "! mbedtls_ssl_handshake returned" \
3918 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]3919 -S "X509 - Certificate verification failed"
3920
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]3921requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]3922requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3923run_test "Authentication: openssl client no cert, server optional" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3924 "$P_SRV debug_level=3 auth_mode=optional ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]3925 "$O_CLI" \
3926 0 \
3927 -S "skip write certificate request" \
3928 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3929 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3930 -S "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]3931 -S "X509 - Certificate verification failed"
3932
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3933run_test "Authentication: client no cert, openssl server optional" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]3934 "$O_SRV -verify 10" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3935 "$P_CLI debug_level=3 crt_file=none key_file=none ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]3936 0 \
3937 -C "skip parse certificate request" \
3938 -c "got a certificate request" \
3939 -C "skip write certificate$" \
3940 -c "skip write certificate verify" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3941 -C "! mbedtls_ssl_handshake returned"
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]3942
Gilles Peskinefd8332e2017-05-03 16:25:07 +0200[diff] [blame]3943run_test "Authentication: client no cert, openssl server required" \
3944 "$O_SRV -Verify 10" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3945 "$P_CLI debug_level=3 crt_file=none key_file=none ca_file=data_files/test-ca2.crt" \
Gilles Peskinefd8332e2017-05-03 16:25:07 +0200[diff] [blame]3946 1 \
3947 -C "skip parse certificate request" \
3948 -c "got a certificate request" \
3949 -C "skip write certificate$" \
3950 -c "skip write certificate verify" \
3951 -c "! mbedtls_ssl_handshake returned"
3952
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]3953requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Hanno Beckerb2c63832019-06-17 08:35:16 +0100[diff] [blame]3954requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]3955requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3956run_test "Authentication: client no cert, ssl3" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3957 "$P_SRV debug_level=3 auth_mode=optional force_version=ssl3" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]3958 "$P_CLI debug_level=3 crt_file=none key_file=none min_version=ssl3" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]3959 0 \
3960 -S "skip write certificate request" \
3961 -C "skip parse certificate request" \
3962 -c "got a certificate request" \
3963 -C "skip write certificate$" \
3964 -c "skip write certificate verify" \
3965 -c "got no certificate to send" \
3966 -s "SSLv3 client has no certificate" \
3967 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3968 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3969 -S "! mbedtls_ssl_handshake returned" \
3970 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]3971 -S "X509 - Certificate verification failed"
3972
Manuel Pégourié-Gonnard9107b5f2017-07-06 12:16:25 +0200[diff] [blame]3973# The "max_int chain" tests assume that MAX_INTERMEDIATE_CA is set to its
3974# default value (8)
Hanno Beckera6bca9f2017-07-26 13:35:11 +0100[diff] [blame]3975
Simon Butcherbcfa6f42017-07-28 15:59:35 +0100[diff] [blame]3976MAX_IM_CA='8'
Arto Kinnunen78213522019-09-26 11:06:39 +0300[diff] [blame]3977MAX_IM_CA_CONFIG="$( get_config_value_or_default MBEDTLS_X509_MAX_INTERMEDIATE_CA )"
Hanno Beckera6bca9f2017-07-26 13:35:11 +0100[diff] [blame]3978
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3979requires_full_size_output_buffer
Arto Kinnunenc457ab12019-09-27 12:00:51 +0300[diff] [blame]3980requires_config_value_exactly "MBEDTLS_X509_MAX_INTERMEDIATE_CA" 8
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]3981run_test "Authentication: server max_int chain, client default" \
3982 "$P_SRV crt_file=data_files/dir-maxpath/c09.pem \
3983 key_file=data_files/dir-maxpath/09.key" \
3984 "$P_CLI server_name=CA09 ca_file=data_files/dir-maxpath/00.crt" \
3985 0 \
Antonin Décimod5f47592019-01-23 15:24:37 +0100[diff] [blame]3986 -C "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]3987
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3988requires_full_size_output_buffer
Arto Kinnunena1e98062019-09-26 19:35:16 +0300[diff] [blame]3989requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" 8
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]3990run_test "Authentication: server max_int+1 chain, client default" \
3991 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
3992 key_file=data_files/dir-maxpath/10.key" \
3993 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt" \
3994 1 \
Antonin Décimod5f47592019-01-23 15:24:37 +0100[diff] [blame]3995 -c "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]3996
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3997requires_full_size_output_buffer
Arto Kinnunena1e98062019-09-26 19:35:16 +0300[diff] [blame]3998requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" 8
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]3999run_test "Authentication: server max_int+1 chain, client optional" \
4000 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
4001 key_file=data_files/dir-maxpath/10.key" \
4002 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
4003 auth_mode=optional" \
4004 1 \
Antonin Décimod5f47592019-01-23 15:24:37 +0100[diff] [blame]4005 -c "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4006
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4007requires_full_size_output_buffer
Arto Kinnunena1e98062019-09-26 19:35:16 +0300[diff] [blame]4008requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" 8
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4009run_test "Authentication: server max_int+1 chain, client none" \
4010 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
4011 key_file=data_files/dir-maxpath/10.key" \
4012 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
4013 auth_mode=none" \
4014 0 \
Antonin Décimod5f47592019-01-23 15:24:37 +0100[diff] [blame]4015 -C "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4016
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4017requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4018run_test "Authentication: client max_int+1 chain, server default" \
4019 "$P_SRV ca_file=data_files/dir-maxpath/00.crt" \
4020 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
4021 key_file=data_files/dir-maxpath/10.key" \
4022 0 \
Antonin Décimod5f47592019-01-23 15:24:37 +0100[diff] [blame]4023 -S "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4024
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4025requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4026run_test "Authentication: client max_int+1 chain, server optional" \
4027 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=optional" \
4028 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
4029 key_file=data_files/dir-maxpath/10.key" \
4030 1 \
Antonin Décimod5f47592019-01-23 15:24:37 +0100[diff] [blame]4031 -s "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4032
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4033requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4034run_test "Authentication: client max_int+1 chain, server required" \
4035 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
4036 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
4037 key_file=data_files/dir-maxpath/10.key" \
4038 1 \
Antonin Décimod5f47592019-01-23 15:24:37 +0100[diff] [blame]4039 -s "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4040
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4041requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4042run_test "Authentication: client max_int chain, server required" \
4043 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
4044 "$P_CLI crt_file=data_files/dir-maxpath/c09.pem \
4045 key_file=data_files/dir-maxpath/09.key" \
4046 0 \
Antonin Décimod5f47592019-01-23 15:24:37 +0100[diff] [blame]4047 -S "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4048
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]4049# Tests for CA list in CertificateRequest messages
4050
4051run_test "Authentication: send CA list in CertificateRequest (default)" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4052 "$P_SRV debug_level=3 auth_mode=required ca_file=data_files/test-ca2.crt" \
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]4053 "$P_CLI crt_file=data_files/server6.crt \
4054 key_file=data_files/server6.key" \
4055 0 \
4056 -s "requested DN"
4057
4058run_test "Authentication: do not send CA list in CertificateRequest" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4059 "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0 ca_file=data_files/test-ca2.crt" \
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]4060 "$P_CLI crt_file=data_files/server6.crt \
4061 key_file=data_files/server6.key" \
4062 0 \
4063 -S "requested DN"
4064
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4065requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4066requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]4067run_test "Authentication: send CA list in CertificateRequest, client self signed" \
4068 "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \
4069 "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
4070 key_file=data_files/server5.key" \
4071 1 \
4072 -S "requested DN" \
4073 -s "x509_verify_cert() returned" \
4074 -s "! The certificate is not correctly signed by the trusted CA" \
4075 -s "! mbedtls_ssl_handshake returned" \
4076 -c "! mbedtls_ssl_handshake returned" \
4077 -s "X509 - Certificate verification failed"
4078
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4079# Tests for certificate selection based on SHA verson
4080
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4081requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4082requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4083run_test "Certificate hash: client TLS 1.2 -> SHA-2" \
4084 "$P_SRV crt_file=data_files/server5.crt \
4085 key_file=data_files/server5.key \
4086 crt_file2=data_files/server5-sha1.crt \
4087 key_file2=data_files/server5.key" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4088 "$P_CLI force_version=tls1_2 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4089 0 \
4090 -c "signed using.*ECDSA with SHA256" \
4091 -C "signed using.*ECDSA with SHA1"
4092
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4093requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4094requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4095run_test "Certificate hash: client TLS 1.1 -> SHA-1" \
4096 "$P_SRV crt_file=data_files/server5.crt \
4097 key_file=data_files/server5.key \
4098 crt_file2=data_files/server5-sha1.crt \
4099 key_file2=data_files/server5.key" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4100 "$P_CLI force_version=tls1_1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4101 0 \
4102 -C "signed using.*ECDSA with SHA256" \
4103 -c "signed using.*ECDSA with SHA1"
4104
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4105requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4106requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4107run_test "Certificate hash: client TLS 1.0 -> SHA-1" \
4108 "$P_SRV crt_file=data_files/server5.crt \
4109 key_file=data_files/server5.key \
4110 crt_file2=data_files/server5-sha1.crt \
4111 key_file2=data_files/server5.key" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4112 "$P_CLI force_version=tls1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4113 0 \
4114 -C "signed using.*ECDSA with SHA256" \
4115 -c "signed using.*ECDSA with SHA1"
4116
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4117requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4118requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4119run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 1)" \
4120 "$P_SRV crt_file=data_files/server5.crt \
4121 key_file=data_files/server5.key \
4122 crt_file2=data_files/server6.crt \
4123 key_file2=data_files/server6.key" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4124 "$P_CLI force_version=tls1_1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4125 0 \
4126 -c "serial number.*09" \
4127 -c "signed using.*ECDSA with SHA256" \
4128 -C "signed using.*ECDSA with SHA1"
4129
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4130requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4131requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4132run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 2)" \
4133 "$P_SRV crt_file=data_files/server6.crt \
4134 key_file=data_files/server6.key \
4135 crt_file2=data_files/server5.crt \
4136 key_file2=data_files/server5.key" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4137 "$P_CLI force_version=tls1_1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4138 0 \
4139 -c "serial number.*0A" \
4140 -c "signed using.*ECDSA with SHA256" \
4141 -C "signed using.*ECDSA with SHA1"
4142
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4143# tests for SNI
4144
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4145requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4146requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4147run_test "SNI: no SNI callback" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4148 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4149 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4150 "$P_CLI server_name=localhost ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4151 0 \
4152 -S "parse ServerName extension" \
4153 -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
4154 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4155
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4156requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4157requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4158requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4159run_test "SNI: matching cert 1" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4160 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4161 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]4162 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4163 "$P_CLI server_name=localhost ca_file=data_files/test-ca.crt" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4164 0 \
4165 -s "parse ServerName extension" \
4166 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
4167 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4168
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4169requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4170requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4171requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4172run_test "SNI: matching cert 2" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4173 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4174 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]4175 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4176 "$P_CLI server_name=polarssl.example" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4177 0 \
4178 -s "parse ServerName extension" \
4179 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
4180 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4181
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4182requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4183run_test "SNI: no matching cert" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4184 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4185 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]4186 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4187 "$P_CLI server_name=nonesuch.example" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4188 1 \
4189 -s "parse ServerName extension" \
4190 -s "ssl_sni_wrapper() returned" \
4191 -s "mbedtls_ssl_handshake returned" \
4192 -c "mbedtls_ssl_handshake returned" \
4193 -c "SSL - A fatal alert message was received from our peer"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4194
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]4195run_test "SNI: client auth no override: optional" \
4196 "$P_SRV debug_level=3 auth_mode=optional \
4197 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4198 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
4199 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4200 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]4201 -S "skip write certificate request" \
4202 -C "skip parse certificate request" \
4203 -c "got a certificate request" \
4204 -C "skip write certificate" \
4205 -C "skip write certificate verify" \
4206 -S "skip parse certificate verify"
4207
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4208requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]4209run_test "SNI: client auth override: none -> optional" \
4210 "$P_SRV debug_level=3 auth_mode=none \
4211 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4212 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
4213 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4214 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]4215 -S "skip write certificate request" \
4216 -C "skip parse certificate request" \
4217 -c "got a certificate request" \
4218 -C "skip write certificate" \
4219 -C "skip write certificate verify" \
4220 -S "skip parse certificate verify"
4221
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4222requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]4223run_test "SNI: client auth override: optional -> none" \
4224 "$P_SRV debug_level=3 auth_mode=optional \
4225 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4226 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
4227 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4228 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]4229 -s "skip write certificate request" \
4230 -C "skip parse certificate request" \
4231 -c "got no certificate request" \
4232 -c "skip write certificate" \
4233 -c "skip write certificate verify" \
4234 -s "skip parse certificate verify"
4235
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4236requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4237requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4238requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4239run_test "SNI: CA no override" \
4240 "$P_SRV debug_level=3 auth_mode=optional \
4241 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4242 ca_file=data_files/test-ca.crt \
4243 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
4244 "$P_CLI debug_level=3 server_name=localhost \
4245 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
4246 1 \
4247 -S "skip write certificate request" \
4248 -C "skip parse certificate request" \
4249 -c "got a certificate request" \
4250 -C "skip write certificate" \
4251 -C "skip write certificate verify" \
4252 -S "skip parse certificate verify" \
4253 -s "x509_verify_cert() returned" \
4254 -s "! The certificate is not correctly signed by the trusted CA" \
4255 -S "The certificate has been revoked (is on a CRL)"
4256
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4257requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4258requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4259requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4260run_test "SNI: CA override" \
4261 "$P_SRV debug_level=3 auth_mode=optional \
4262 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4263 ca_file=data_files/test-ca.crt \
4264 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
4265 "$P_CLI debug_level=3 server_name=localhost \
4266 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
4267 0 \
4268 -S "skip write certificate request" \
4269 -C "skip parse certificate request" \
4270 -c "got a certificate request" \
4271 -C "skip write certificate" \
4272 -C "skip write certificate verify" \
4273 -S "skip parse certificate verify" \
4274 -S "x509_verify_cert() returned" \
4275 -S "! The certificate is not correctly signed by the trusted CA" \
4276 -S "The certificate has been revoked (is on a CRL)"
4277
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4278requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4279requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4280requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4281run_test "SNI: CA override with CRL" \
4282 "$P_SRV debug_level=3 auth_mode=optional \
4283 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4284 ca_file=data_files/test-ca.crt \
4285 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
4286 "$P_CLI debug_level=3 server_name=localhost \
4287 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
4288 1 \
4289 -S "skip write certificate request" \
4290 -C "skip parse certificate request" \
4291 -c "got a certificate request" \
4292 -C "skip write certificate" \
4293 -C "skip write certificate verify" \
4294 -S "skip parse certificate verify" \
4295 -s "x509_verify_cert() returned" \
4296 -S "! The certificate is not correctly signed by the trusted CA" \
4297 -s "The certificate has been revoked (is on a CRL)"
4298
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]4299# Tests for SNI and DTLS
4300
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4301requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4302requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]4303run_test "SNI: DTLS, no SNI callback" \
4304 "$P_SRV debug_level=3 dtls=1 \
4305 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4306 "$P_CLI server_name=localhost dtls=1 ca_file=data_files/test-ca2.crt" \
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]4307 0 \
4308 -S "parse ServerName extension" \
4309 -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
4310 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
4311
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4312requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4313requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4314requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Andres Amaya Garciaf77d3d32018-05-01 20:26:47 +0100[diff] [blame]4315run_test "SNI: DTLS, matching cert 1" \
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]4316 "$P_SRV debug_level=3 dtls=1 \
4317 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4318 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4319 "$P_CLI server_name=localhost dtls=1 ca_file=data_files/test-ca.crt" \
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]4320 0 \
4321 -s "parse ServerName extension" \
4322 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
4323 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
4324
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4325requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4326requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4327requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]4328run_test "SNI: DTLS, matching cert 2" \
4329 "$P_SRV debug_level=3 dtls=1 \
4330 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4331 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4332 "$P_CLI server_name=polarssl.example dtls=1 ca_file=data_files/test-ca.crt" \
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]4333 0 \
4334 -s "parse ServerName extension" \
4335 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
4336 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
4337
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4338requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]4339run_test "SNI: DTLS, no matching cert" \
4340 "$P_SRV debug_level=3 dtls=1 \
4341 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4342 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
4343 "$P_CLI server_name=nonesuch.example dtls=1" \
4344 1 \
4345 -s "parse ServerName extension" \
4346 -s "ssl_sni_wrapper() returned" \
4347 -s "mbedtls_ssl_handshake returned" \
4348 -c "mbedtls_ssl_handshake returned" \
4349 -c "SSL - A fatal alert message was received from our peer"
4350
4351run_test "SNI: DTLS, client auth no override: optional" \
4352 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
4353 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4354 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
4355 "$P_CLI debug_level=3 server_name=localhost dtls=1" \
4356 0 \
4357 -S "skip write certificate request" \
4358 -C "skip parse certificate request" \
4359 -c "got a certificate request" \
4360 -C "skip write certificate" \
4361 -C "skip write certificate verify" \
4362 -S "skip parse certificate verify"
4363
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4364requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]4365run_test "SNI: DTLS, client auth override: none -> optional" \
4366 "$P_SRV debug_level=3 auth_mode=none dtls=1 \
4367 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4368 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
4369 "$P_CLI debug_level=3 server_name=localhost dtls=1" \
4370 0 \
4371 -S "skip write certificate request" \
4372 -C "skip parse certificate request" \
4373 -c "got a certificate request" \
4374 -C "skip write certificate" \
4375 -C "skip write certificate verify" \
4376 -S "skip parse certificate verify"
4377
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4378requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]4379run_test "SNI: DTLS, client auth override: optional -> none" \
4380 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
4381 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4382 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
4383 "$P_CLI debug_level=3 server_name=localhost dtls=1" \
4384 0 \
4385 -s "skip write certificate request" \
4386 -C "skip parse certificate request" \
4387 -c "got no certificate request" \
4388 -c "skip write certificate" \
4389 -c "skip write certificate verify" \
4390 -s "skip parse certificate verify"
4391
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4392requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4393requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4394requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]4395run_test "SNI: DTLS, CA no override" \
4396 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
4397 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4398 ca_file=data_files/test-ca.crt \
4399 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
4400 "$P_CLI debug_level=3 server_name=localhost dtls=1 \
4401 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
4402 1 \
4403 -S "skip write certificate request" \
4404 -C "skip parse certificate request" \
4405 -c "got a certificate request" \
4406 -C "skip write certificate" \
4407 -C "skip write certificate verify" \
4408 -S "skip parse certificate verify" \
4409 -s "x509_verify_cert() returned" \
4410 -s "! The certificate is not correctly signed by the trusted CA" \
4411 -S "The certificate has been revoked (is on a CRL)"
4412
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4413requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Andres Amaya Garciaf77d3d32018-05-01 20:26:47 +0100[diff] [blame]4414run_test "SNI: DTLS, CA override" \
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]4415 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
4416 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4417 ca_file=data_files/test-ca.crt \
4418 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
4419 "$P_CLI debug_level=3 server_name=localhost dtls=1 \
4420 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
4421 0 \
4422 -S "skip write certificate request" \
4423 -C "skip parse certificate request" \
4424 -c "got a certificate request" \
4425 -C "skip write certificate" \
4426 -C "skip write certificate verify" \
4427 -S "skip parse certificate verify" \
4428 -S "x509_verify_cert() returned" \
4429 -S "! The certificate is not correctly signed by the trusted CA" \
4430 -S "The certificate has been revoked (is on a CRL)"
4431
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4432requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4433requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4434requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Andres Amaya Garciaf77d3d32018-05-01 20:26:47 +0100[diff] [blame]4435run_test "SNI: DTLS, CA override with CRL" \
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]4436 "$P_SRV debug_level=3 auth_mode=optional \
4437 crt_file=data_files/server5.crt key_file=data_files/server5.key dtls=1 \
4438 ca_file=data_files/test-ca.crt \
4439 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
4440 "$P_CLI debug_level=3 server_name=localhost dtls=1 \
4441 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
4442 1 \
4443 -S "skip write certificate request" \
4444 -C "skip parse certificate request" \
4445 -c "got a certificate request" \
4446 -C "skip write certificate" \
4447 -C "skip write certificate verify" \
4448 -S "skip parse certificate verify" \
4449 -s "x509_verify_cert() returned" \
4450 -S "! The certificate is not correctly signed by the trusted CA" \
4451 -s "The certificate has been revoked (is on a CRL)"
4452
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4453# Tests for non-blocking I/O: exercise a variety of handshake flows
4454
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4455run_test "Non-blocking I/O: basic handshake" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4456 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
4457 "$P_CLI nbio=2 tickets=0" \
4458 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4459 -S "mbedtls_ssl_handshake returned" \
4460 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4461 -c "Read from server: .* bytes read"
4462
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4463run_test "Non-blocking I/O: client auth" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4464 "$P_SRV nbio=2 tickets=0 auth_mode=required" \
4465 "$P_CLI nbio=2 tickets=0" \
4466 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4467 -S "mbedtls_ssl_handshake returned" \
4468 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4469 -c "Read from server: .* bytes read"
4470
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4471run_test "Non-blocking I/O: ticket" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4472 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
4473 "$P_CLI nbio=2 tickets=1" \
4474 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4475 -S "mbedtls_ssl_handshake returned" \
4476 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4477 -c "Read from server: .* bytes read"
4478
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4479run_test "Non-blocking I/O: ticket + client auth" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4480 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
4481 "$P_CLI nbio=2 tickets=1" \
4482 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4483 -S "mbedtls_ssl_handshake returned" \
4484 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4485 -c "Read from server: .* bytes read"
4486
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4487run_test "Non-blocking I/O: ticket + client auth + resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4488 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
4489 "$P_CLI nbio=2 tickets=1 reconnect=1" \
4490 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4491 -S "mbedtls_ssl_handshake returned" \
4492 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4493 -c "Read from server: .* bytes read"
4494
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4495run_test "Non-blocking I/O: ticket + resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4496 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
4497 "$P_CLI nbio=2 tickets=1 reconnect=1" \
4498 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4499 -S "mbedtls_ssl_handshake returned" \
4500 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4501 -c "Read from server: .* bytes read"
4502
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4503run_test "Non-blocking I/O: session-id resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4504 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
4505 "$P_CLI nbio=2 tickets=0 reconnect=1" \
4506 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4507 -S "mbedtls_ssl_handshake returned" \
4508 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4509 -c "Read from server: .* bytes read"
4510
Hanno Becker00076712017-11-15 16:39:08 +0000[diff] [blame]4511# Tests for event-driven I/O: exercise a variety of handshake flows
4512
4513run_test "Event-driven I/O: basic handshake" \
4514 "$P_SRV event=1 tickets=0 auth_mode=none" \
4515 "$P_CLI event=1 tickets=0" \
4516 0 \
4517 -S "mbedtls_ssl_handshake returned" \
4518 -C "mbedtls_ssl_handshake returned" \
4519 -c "Read from server: .* bytes read"
4520
4521run_test "Event-driven I/O: client auth" \
4522 "$P_SRV event=1 tickets=0 auth_mode=required" \
4523 "$P_CLI event=1 tickets=0" \
4524 0 \
4525 -S "mbedtls_ssl_handshake returned" \
4526 -C "mbedtls_ssl_handshake returned" \
4527 -c "Read from server: .* bytes read"
4528
4529run_test "Event-driven I/O: ticket" \
4530 "$P_SRV event=1 tickets=1 auth_mode=none" \
4531 "$P_CLI event=1 tickets=1" \
4532 0 \
4533 -S "mbedtls_ssl_handshake returned" \
4534 -C "mbedtls_ssl_handshake returned" \
4535 -c "Read from server: .* bytes read"
4536
4537run_test "Event-driven I/O: ticket + client auth" \
4538 "$P_SRV event=1 tickets=1 auth_mode=required" \
4539 "$P_CLI event=1 tickets=1" \
4540 0 \
4541 -S "mbedtls_ssl_handshake returned" \
4542 -C "mbedtls_ssl_handshake returned" \
4543 -c "Read from server: .* bytes read"
4544
4545run_test "Event-driven I/O: ticket + client auth + resume" \
4546 "$P_SRV event=1 tickets=1 auth_mode=required" \
4547 "$P_CLI event=1 tickets=1 reconnect=1" \
4548 0 \
4549 -S "mbedtls_ssl_handshake returned" \
4550 -C "mbedtls_ssl_handshake returned" \
4551 -c "Read from server: .* bytes read"
4552
4553run_test "Event-driven I/O: ticket + resume" \
4554 "$P_SRV event=1 tickets=1 auth_mode=none" \
4555 "$P_CLI event=1 tickets=1 reconnect=1" \
4556 0 \
4557 -S "mbedtls_ssl_handshake returned" \
4558 -C "mbedtls_ssl_handshake returned" \
4559 -c "Read from server: .* bytes read"
4560
4561run_test "Event-driven I/O: session-id resume" \
4562 "$P_SRV event=1 tickets=0 auth_mode=none" \
4563 "$P_CLI event=1 tickets=0 reconnect=1" \
4564 0 \
4565 -S "mbedtls_ssl_handshake returned" \
4566 -C "mbedtls_ssl_handshake returned" \
4567 -c "Read from server: .* bytes read"
4568
Hanno Becker6a33f592018-03-13 11:38:46 +0000[diff] [blame]4569run_test "Event-driven I/O, DTLS: basic handshake" \
4570 "$P_SRV dtls=1 event=1 tickets=0 auth_mode=none" \
4571 "$P_CLI dtls=1 event=1 tickets=0" \
4572 0 \
4573 -c "Read from server: .* bytes read"
4574
4575run_test "Event-driven I/O, DTLS: client auth" \
4576 "$P_SRV dtls=1 event=1 tickets=0 auth_mode=required" \
4577 "$P_CLI dtls=1 event=1 tickets=0" \
4578 0 \
4579 -c "Read from server: .* bytes read"
4580
4581run_test "Event-driven I/O, DTLS: ticket" \
4582 "$P_SRV dtls=1 event=1 tickets=1 auth_mode=none" \
4583 "$P_CLI dtls=1 event=1 tickets=1" \
4584 0 \
4585 -c "Read from server: .* bytes read"
4586
4587run_test "Event-driven I/O, DTLS: ticket + client auth" \
4588 "$P_SRV dtls=1 event=1 tickets=1 auth_mode=required" \
4589 "$P_CLI dtls=1 event=1 tickets=1" \
4590 0 \
4591 -c "Read from server: .* bytes read"
4592
4593run_test "Event-driven I/O, DTLS: ticket + client auth + resume" \
4594 "$P_SRV dtls=1 event=1 tickets=1 auth_mode=required" \
4595 "$P_CLI dtls=1 event=1 tickets=1 reconnect=1" \
4596 0 \
4597 -c "Read from server: .* bytes read"
4598
4599run_test "Event-driven I/O, DTLS: ticket + resume" \
4600 "$P_SRV dtls=1 event=1 tickets=1 auth_mode=none" \
4601 "$P_CLI dtls=1 event=1 tickets=1 reconnect=1" \
4602 0 \
4603 -c "Read from server: .* bytes read"
4604
4605run_test "Event-driven I/O, DTLS: session-id resume" \
4606 "$P_SRV dtls=1 event=1 tickets=0 auth_mode=none" \
4607 "$P_CLI dtls=1 event=1 tickets=0 reconnect=1" \
4608 0 \
4609 -c "Read from server: .* bytes read"
Hanno Beckerbc6c1102018-03-13 11:39:40 +0000[diff] [blame]4610
4611# This test demonstrates the need for the mbedtls_ssl_check_pending function.
4612# During session resumption, the client will send its ApplicationData record
4613# within the same datagram as the Finished messages. In this situation, the
4614# server MUST NOT idle on the underlying transport after handshake completion,
4615# because the ApplicationData request has already been queued internally.
4616run_test "Event-driven I/O, DTLS: session-id resume, UDP packing" \
Hanno Becker8d832182018-03-15 10:14:19 +0000[diff] [blame]4617 -p "$P_PXY pack=50" \
Hanno Beckerbc6c1102018-03-13 11:39:40 +0000[diff] [blame]4618 "$P_SRV dtls=1 event=1 tickets=0 auth_mode=required" \
4619 "$P_CLI dtls=1 event=1 tickets=0 reconnect=1" \
4620 0 \
4621 -c "Read from server: .* bytes read"
4622
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]4623# Tests for version negotiation
4624
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4625run_test "Version check: all -> 1.2" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4626 "$P_SRV" \
4627 "$P_CLI" \
4628 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4629 -S "mbedtls_ssl_handshake returned" \
4630 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4631 -s "Protocol is TLSv1.2" \
4632 -c "Protocol is TLSv1.2"
4633
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4634run_test "Version check: cli max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4635 "$P_SRV" \
4636 "$P_CLI max_version=tls1_1" \
4637 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4638 -S "mbedtls_ssl_handshake returned" \
4639 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4640 -s "Protocol is TLSv1.1" \
4641 -c "Protocol is TLSv1.1"
4642
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4643run_test "Version check: srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4644 "$P_SRV max_version=tls1_1" \
4645 "$P_CLI" \
4646 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4647 -S "mbedtls_ssl_handshake returned" \
4648 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4649 -s "Protocol is TLSv1.1" \
4650 -c "Protocol is TLSv1.1"
4651
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4652run_test "Version check: cli+srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4653 "$P_SRV max_version=tls1_1" \
4654 "$P_CLI max_version=tls1_1" \
4655 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4656 -S "mbedtls_ssl_handshake returned" \
4657 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4658 -s "Protocol is TLSv1.1" \
4659 -c "Protocol is TLSv1.1"
4660
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4661run_test "Version check: cli max 1.1, srv min 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4662 "$P_SRV min_version=tls1_1" \
4663 "$P_CLI max_version=tls1_1" \
4664 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4665 -S "mbedtls_ssl_handshake returned" \
4666 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4667 -s "Protocol is TLSv1.1" \
4668 -c "Protocol is TLSv1.1"
4669
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4670run_test "Version check: cli min 1.1, srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4671 "$P_SRV max_version=tls1_1" \
4672 "$P_CLI min_version=tls1_1" \
4673 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4674 -S "mbedtls_ssl_handshake returned" \
4675 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4676 -s "Protocol is TLSv1.1" \
4677 -c "Protocol is TLSv1.1"
4678
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4679run_test "Version check: cli min 1.2, srv max 1.1 -> fail" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4680 "$P_SRV max_version=tls1_1" \
4681 "$P_CLI min_version=tls1_2" \
4682 1 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4683 -s "mbedtls_ssl_handshake returned" \
4684 -c "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4685 -c "SSL - Handshake protocol not within min/max boundaries"
4686
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4687run_test "Version check: srv min 1.2, cli max 1.1 -> fail" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4688 "$P_SRV min_version=tls1_2" \
4689 "$P_CLI max_version=tls1_1" \
4690 1 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4691 -s "mbedtls_ssl_handshake returned" \
4692 -c "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4693 -s "SSL - Handshake protocol not within min/max boundaries"
4694
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]4695# Tests for ALPN extension
4696
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4697run_test "ALPN: none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4698 "$P_SRV debug_level=3" \
4699 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]4700 0 \
4701 -C "client hello, adding alpn extension" \
4702 -S "found alpn extension" \
4703 -C "got an alert message, type: \\[2:120]" \
4704 -S "server hello, adding alpn extension" \
4705 -C "found alpn extension " \
4706 -C "Application Layer Protocol is" \
4707 -S "Application Layer Protocol is"
4708
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4709run_test "ALPN: client only" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4710 "$P_SRV debug_level=3" \
4711 "$P_CLI debug_level=3 alpn=abc,1234" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]4712 0 \
4713 -c "client hello, adding alpn extension" \
4714 -s "found alpn extension" \
4715 -C "got an alert message, type: \\[2:120]" \
4716 -S "server hello, adding alpn extension" \
4717 -C "found alpn extension " \
4718 -c "Application Layer Protocol is (none)" \
4719 -S "Application Layer Protocol is"
4720
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4721run_test "ALPN: server only" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4722 "$P_SRV debug_level=3 alpn=abc,1234" \
4723 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]4724 0 \
4725 -C "client hello, adding alpn extension" \
4726 -S "found alpn extension" \
4727 -C "got an alert message, type: \\[2:120]" \
4728 -S "server hello, adding alpn extension" \
4729 -C "found alpn extension " \
4730 -C "Application Layer Protocol is" \
4731 -s "Application Layer Protocol is (none)"
4732
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4733run_test "ALPN: both, common cli1-srv1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4734 "$P_SRV debug_level=3 alpn=abc,1234" \
4735 "$P_CLI debug_level=3 alpn=abc,1234" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]4736 0 \
4737 -c "client hello, adding alpn extension" \
4738 -s "found alpn extension" \
4739 -C "got an alert message, type: \\[2:120]" \
4740 -s "server hello, adding alpn extension" \
4741 -c "found alpn extension" \
4742 -c "Application Layer Protocol is abc" \
4743 -s "Application Layer Protocol is abc"
4744
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4745run_test "ALPN: both, common cli2-srv1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4746 "$P_SRV debug_level=3 alpn=abc,1234" \
4747 "$P_CLI debug_level=3 alpn=1234,abc" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]4748 0 \
4749 -c "client hello, adding alpn extension" \
4750 -s "found alpn extension" \
4751 -C "got an alert message, type: \\[2:120]" \
4752 -s "server hello, adding alpn extension" \
4753 -c "found alpn extension" \
4754 -c "Application Layer Protocol is abc" \
4755 -s "Application Layer Protocol is abc"
4756
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4757run_test "ALPN: both, common cli1-srv2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4758 "$P_SRV debug_level=3 alpn=abc,1234" \
4759 "$P_CLI debug_level=3 alpn=1234,abcde" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]4760 0 \
4761 -c "client hello, adding alpn extension" \
4762 -s "found alpn extension" \
4763 -C "got an alert message, type: \\[2:120]" \
4764 -s "server hello, adding alpn extension" \
4765 -c "found alpn extension" \
4766 -c "Application Layer Protocol is 1234" \
4767 -s "Application Layer Protocol is 1234"
4768
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4769run_test "ALPN: both, no common" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4770 "$P_SRV debug_level=3 alpn=abc,123" \
4771 "$P_CLI debug_level=3 alpn=1234,abcde" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]4772 1 \
4773 -c "client hello, adding alpn extension" \
4774 -s "found alpn extension" \
4775 -c "got an alert message, type: \\[2:120]" \
4776 -S "server hello, adding alpn extension" \
4777 -C "found alpn extension" \
4778 -C "Application Layer Protocol is 1234" \
4779 -S "Application Layer Protocol is 1234"
4780
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]4781
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4782# Tests for keyUsage in leaf certificates, part 1:
4783# server-side certificate/suite selection
4784
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4785run_test "keyUsage srv: RSA, digitalSignature -> (EC)DHE-RSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4786 "$P_SRV key_file=data_files/server2.key \
4787 crt_file=data_files/server2.ku-ds.crt" \
4788 "$P_CLI" \
4789 0 \
Manuel Pégourié-Gonnard17cde5f2014-05-22 14:42:39 +0200[diff] [blame]4790 -c "Ciphersuite is TLS-[EC]*DHE-RSA-WITH-"
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4791
4792
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4793run_test "keyUsage srv: RSA, keyEncipherment -> RSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4794 "$P_SRV key_file=data_files/server2.key \
4795 crt_file=data_files/server2.ku-ke.crt" \
4796 "$P_CLI" \
4797 0 \
4798 -c "Ciphersuite is TLS-RSA-WITH-"
4799
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4800run_test "keyUsage srv: RSA, keyAgreement -> fail" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]4801 "$P_SRV key_file=data_files/server2.key \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4802 crt_file=data_files/server2.ku-ka.crt" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]4803 "$P_CLI" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4804 1 \
4805 -C "Ciphersuite is "
4806
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4807run_test "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4808 "$P_SRV key_file=data_files/server5.key \
4809 crt_file=data_files/server5.ku-ds.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4810 "$P_CLI ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4811 0 \
4812 -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-"
4813
4814
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4815run_test "keyUsage srv: ECDSA, keyAgreement -> ECDH-" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4816 "$P_SRV key_file=data_files/server5.key \
4817 crt_file=data_files/server5.ku-ka.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4818 "$P_CLI ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4819 0 \
4820 -c "Ciphersuite is TLS-ECDH-"
4821
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4822run_test "keyUsage srv: ECDSA, keyEncipherment -> fail" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]4823 "$P_SRV key_file=data_files/server5.key \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4824 crt_file=data_files/server5.ku-ke.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4825 "$P_CLI ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4826 1 \
4827 -C "Ciphersuite is "
4828
4829# Tests for keyUsage in leaf certificates, part 2:
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4830# client-side checking of server cert
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4831
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4832run_test "keyUsage cli: DigitalSignature+KeyEncipherment, RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4833 "$O_SRV -key data_files/server2.key \
4834 -cert data_files/server2.ku-ds_ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4835 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4836 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
4837 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4838 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4839 -C "Processing of the Certificate handshake message failed" \
4840 -c "Ciphersuite is TLS-"
4841
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4842run_test "keyUsage cli: DigitalSignature+KeyEncipherment, DHE-RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4843 "$O_SRV -key data_files/server2.key \
4844 -cert data_files/server2.ku-ds_ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4845 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4846 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
4847 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4848 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4849 -C "Processing of the Certificate handshake message failed" \
4850 -c "Ciphersuite is TLS-"
4851
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4852run_test "keyUsage cli: KeyEncipherment, RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4853 "$O_SRV -key data_files/server2.key \
4854 -cert data_files/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4855 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4856 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
4857 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4858 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4859 -C "Processing of the Certificate handshake message failed" \
4860 -c "Ciphersuite is TLS-"
4861
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4862run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4863 "$O_SRV -key data_files/server2.key \
4864 -cert data_files/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4865 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4866 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
4867 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4868 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4869 -c "Processing of the Certificate handshake message failed" \
4870 -C "Ciphersuite is TLS-"
4871
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4872requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4873requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]4874run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail, soft" \
4875 "$O_SRV -key data_files/server2.key \
4876 -cert data_files/server2.ku-ke.crt" \
4877 "$P_CLI debug_level=1 auth_mode=optional \
4878 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
4879 0 \
4880 -c "bad certificate (usage extensions)" \
4881 -C "Processing of the Certificate handshake message failed" \
4882 -c "Ciphersuite is TLS-" \
4883 -c "! Usage does not match the keyUsage extension"
4884
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4885run_test "keyUsage cli: DigitalSignature, DHE-RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4886 "$O_SRV -key data_files/server2.key \
4887 -cert data_files/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4888 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4889 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
4890 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4891 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4892 -C "Processing of the Certificate handshake message failed" \
4893 -c "Ciphersuite is TLS-"
4894
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4895run_test "keyUsage cli: DigitalSignature, RSA: fail" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4896 "$O_SRV -key data_files/server2.key \
4897 -cert data_files/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4898 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4899 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
4900 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4901 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4902 -c "Processing of the Certificate handshake message failed" \
4903 -C "Ciphersuite is TLS-"
4904
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4905requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4906requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]4907run_test "keyUsage cli: DigitalSignature, RSA: fail, soft" \
4908 "$O_SRV -key data_files/server2.key \
4909 -cert data_files/server2.ku-ds.crt" \
4910 "$P_CLI debug_level=1 auth_mode=optional \
4911 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
4912 0 \
4913 -c "bad certificate (usage extensions)" \
4914 -C "Processing of the Certificate handshake message failed" \
4915 -c "Ciphersuite is TLS-" \
4916 -c "! Usage does not match the keyUsage extension"
4917
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4918# Tests for keyUsage in leaf certificates, part 3:
4919# server-side checking of client cert
4920
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4921run_test "keyUsage cli-auth: RSA, DigitalSignature: OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4922 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4923 "$O_CLI -key data_files/server2.key \
4924 -cert data_files/server2.ku-ds.crt" \
4925 0 \
4926 -S "bad certificate (usage extensions)" \
4927 -S "Processing of the Certificate handshake message failed"
4928
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4929run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4930 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4931 "$O_CLI -key data_files/server2.key \
4932 -cert data_files/server2.ku-ke.crt" \
4933 0 \
4934 -s "bad certificate (usage extensions)" \
4935 -S "Processing of the Certificate handshake message failed"
4936
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4937run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (hard)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4938 "$P_SRV debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4939 "$O_CLI -key data_files/server2.key \
4940 -cert data_files/server2.ku-ke.crt" \
4941 1 \
4942 -s "bad certificate (usage extensions)" \
4943 -s "Processing of the Certificate handshake message failed"
4944
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4945run_test "keyUsage cli-auth: ECDSA, DigitalSignature: OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4946 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4947 "$O_CLI -key data_files/server5.key \
4948 -cert data_files/server5.ku-ds.crt" \
4949 0 \
4950 -S "bad certificate (usage extensions)" \
4951 -S "Processing of the Certificate handshake message failed"
4952
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4953run_test "keyUsage cli-auth: ECDSA, KeyAgreement: fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4954 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4955 "$O_CLI -key data_files/server5.key \
4956 -cert data_files/server5.ku-ka.crt" \
4957 0 \
4958 -s "bad certificate (usage extensions)" \
4959 -S "Processing of the Certificate handshake message failed"
4960
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4961# Tests for extendedKeyUsage, part 1: server-side certificate/suite selection
4962
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4963run_test "extKeyUsage srv: serverAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4964 "$P_SRV key_file=data_files/server5.key \
4965 crt_file=data_files/server5.eku-srv.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4966 "$P_CLI ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4967 0
4968
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4969run_test "extKeyUsage srv: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4970 "$P_SRV key_file=data_files/server5.key \
4971 crt_file=data_files/server5.eku-srv.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4972 "$P_CLI ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4973 0
4974
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4975run_test "extKeyUsage srv: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4976 "$P_SRV key_file=data_files/server5.key \
4977 crt_file=data_files/server5.eku-cs_any.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4978 "$P_CLI ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4979 0
4980
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4981run_test "extKeyUsage srv: codeSign -> fail" \
Manuel Pégourié-Gonnard7eb58cb2015-07-07 11:54:14 +0200[diff] [blame]4982 "$P_SRV key_file=data_files/server5.key \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4983 crt_file=data_files/server5.eku-cli.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4984 "$P_CLI ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4985 1
4986
4987# Tests for extendedKeyUsage, part 2: client-side checking of server cert
4988
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4989run_test "extKeyUsage cli: serverAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4990 "$O_SRV -key data_files/server5.key \
4991 -cert data_files/server5.eku-srv.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4992 "$P_CLI debug_level=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4993 0 \
4994 -C "bad certificate (usage extensions)" \
4995 -C "Processing of the Certificate handshake message failed" \
4996 -c "Ciphersuite is TLS-"
4997
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4998run_test "extKeyUsage cli: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4999 "$O_SRV -key data_files/server5.key \
5000 -cert data_files/server5.eku-srv_cli.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]5001 "$P_CLI debug_level=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5002 0 \
5003 -C "bad certificate (usage extensions)" \
5004 -C "Processing of the Certificate handshake message failed" \
5005 -c "Ciphersuite is TLS-"
5006
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5007run_test "extKeyUsage cli: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5008 "$O_SRV -key data_files/server5.key \
5009 -cert data_files/server5.eku-cs_any.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]5010 "$P_CLI debug_level=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5011 0 \
5012 -C "bad certificate (usage extensions)" \
5013 -C "Processing of the Certificate handshake message failed" \
5014 -c "Ciphersuite is TLS-"
5015
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5016run_test "extKeyUsage cli: codeSign -> fail" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5017 "$O_SRV -key data_files/server5.key \
5018 -cert data_files/server5.eku-cs.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]5019 "$P_CLI debug_level=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5020 1 \
5021 -c "bad certificate (usage extensions)" \
5022 -c "Processing of the Certificate handshake message failed" \
5023 -C "Ciphersuite is TLS-"
5024
5025# Tests for extendedKeyUsage, part 3: server-side checking of client cert
5026
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5027run_test "extKeyUsage cli-auth: clientAuth -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5028 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5029 "$O_CLI -key data_files/server5.key \
5030 -cert data_files/server5.eku-cli.crt" \
5031 0 \
5032 -S "bad certificate (usage extensions)" \
5033 -S "Processing of the Certificate handshake message failed"
5034
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5035run_test "extKeyUsage cli-auth: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5036 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5037 "$O_CLI -key data_files/server5.key \
5038 -cert data_files/server5.eku-srv_cli.crt" \
5039 0 \
5040 -S "bad certificate (usage extensions)" \
5041 -S "Processing of the Certificate handshake message failed"
5042
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5043run_test "extKeyUsage cli-auth: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5044 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5045 "$O_CLI -key data_files/server5.key \
5046 -cert data_files/server5.eku-cs_any.crt" \
5047 0 \
5048 -S "bad certificate (usage extensions)" \
5049 -S "Processing of the Certificate handshake message failed"
5050
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5051run_test "extKeyUsage cli-auth: codeSign -> fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5052 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5053 "$O_CLI -key data_files/server5.key \
5054 -cert data_files/server5.eku-cs.crt" \
5055 0 \
5056 -s "bad certificate (usage extensions)" \
5057 -S "Processing of the Certificate handshake message failed"
5058
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5059run_test "extKeyUsage cli-auth: codeSign -> fail (hard)" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]5060 "$P_SRV debug_level=1 auth_mode=required ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5061 "$O_CLI -key data_files/server5.key \
5062 -cert data_files/server5.eku-cs.crt" \
5063 1 \
5064 -s "bad certificate (usage extensions)" \
5065 -s "Processing of the Certificate handshake message failed"
5066
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]5067# Tests for DHM parameters loading
5068
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5069run_test "DHM parameters: reference" \
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]5070 "$P_SRV" \
5071 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5072 debug_level=3" \
5073 0 \
5074 -c "value of 'DHM: P ' (2048 bits)" \
Hanno Becker13be9902017-09-27 17:17:30 +0100[diff] [blame]5075 -c "value of 'DHM: G ' (2 bits)"
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]5076
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5077run_test "DHM parameters: other parameters" \
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]5078 "$P_SRV dhm_file=data_files/dhparams.pem" \
5079 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5080 debug_level=3" \
5081 0 \
5082 -c "value of 'DHM: P ' (1024 bits)" \
5083 -c "value of 'DHM: G ' (2 bits)"
5084
Manuel Pégourié-Gonnard7a010aa2015-06-12 11:19:10 +0200[diff] [blame]5085# Tests for DHM client-side size checking
5086
5087run_test "DHM size: server default, client default, OK" \
5088 "$P_SRV" \
5089 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5090 debug_level=1" \
5091 0 \
5092 -C "DHM prime too short:"
5093
5094run_test "DHM size: server default, client 2048, OK" \
5095 "$P_SRV" \
5096 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5097 debug_level=1 dhmlen=2048" \
5098 0 \
5099 -C "DHM prime too short:"
5100
5101run_test "DHM size: server 1024, client default, OK" \
5102 "$P_SRV dhm_file=data_files/dhparams.pem" \
5103 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5104 debug_level=1" \
5105 0 \
5106 -C "DHM prime too short:"
5107
5108run_test "DHM size: server 1000, client default, rejected" \
5109 "$P_SRV dhm_file=data_files/dh.1000.pem" \
5110 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5111 debug_level=1" \
5112 1 \
5113 -c "DHM prime too short:"
5114
5115run_test "DHM size: server default, client 2049, rejected" \
5116 "$P_SRV" \
5117 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5118 debug_level=1 dhmlen=2049" \
5119 1 \
5120 -c "DHM prime too short:"
5121
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5122# Tests for PSK callback
5123
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5124run_test "PSK callback: psk, no callback" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5125 "$P_SRV psk=abc123 psk_identity=foo" \
5126 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5127 psk_identity=foo psk=abc123" \
5128 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]5129 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]5130 -S "SSL - Unknown identity received" \
5131 -S "SSL - Verification of the message MAC failed"
5132
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5133run_test "PSK callback: no psk, no callback" \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]5134 "$P_SRV" \
5135 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5136 psk_identity=foo psk=abc123" \
5137 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]5138 -s "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5139 -S "SSL - Unknown identity received" \
5140 -S "SSL - Verification of the message MAC failed"
5141
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5142run_test "PSK callback: callback overrides other settings" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5143 "$P_SRV psk=abc123 psk_identity=foo psk_list=abc,dead,def,beef" \
5144 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5145 psk_identity=foo psk=abc123" \
5146 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]5147 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5148 -s "SSL - Unknown identity received" \
5149 -S "SSL - Verification of the message MAC failed"
5150
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5151run_test "PSK callback: first id matches" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5152 "$P_SRV psk_list=abc,dead,def,beef" \
5153 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5154 psk_identity=abc psk=dead" \
5155 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]5156 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5157 -S "SSL - Unknown identity received" \
5158 -S "SSL - Verification of the message MAC failed"
5159
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5160run_test "PSK callback: second id matches" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5161 "$P_SRV psk_list=abc,dead,def,beef" \
5162 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5163 psk_identity=def psk=beef" \
5164 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]5165 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5166 -S "SSL - Unknown identity received" \
5167 -S "SSL - Verification of the message MAC failed"
5168
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5169run_test "PSK callback: no match" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5170 "$P_SRV psk_list=abc,dead,def,beef" \
5171 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5172 psk_identity=ghi psk=beef" \
5173 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]5174 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5175 -s "SSL - Unknown identity received" \
5176 -S "SSL - Verification of the message MAC failed"
5177
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5178run_test "PSK callback: wrong key" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5179 "$P_SRV psk_list=abc,dead,def,beef" \
5180 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5181 psk_identity=abc psk=beef" \
5182 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]5183 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5184 -S "SSL - Unknown identity received" \
5185 -s "SSL - Verification of the message MAC failed"
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]5186
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]5187# Tests for EC J-PAKE
5188
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]5189requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]5190run_test "ECJPAKE: client not configured" \
5191 "$P_SRV debug_level=3" \
5192 "$P_CLI debug_level=3" \
5193 0 \
5194 -C "add ciphersuite: c0ff" \
5195 -C "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]5196 -S "found ecjpake kkpp extension" \
5197 -S "skip ecjpake kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]5198 -S "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]5199 -S "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]5200 -C "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]5201 -S "None of the common ciphersuites is usable"
5202
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]5203requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]5204run_test "ECJPAKE: server not configured" \
5205 "$P_SRV debug_level=3" \
5206 "$P_CLI debug_level=3 ecjpake_pw=bla \
5207 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
5208 1 \
5209 -c "add ciphersuite: c0ff" \
5210 -c "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]5211 -s "found ecjpake kkpp extension" \
5212 -s "skip ecjpake kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]5213 -s "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]5214 -S "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]5215 -C "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]5216 -s "None of the common ciphersuites is usable"
5217
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]5218requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]5219run_test "ECJPAKE: working, TLS" \
5220 "$P_SRV debug_level=3 ecjpake_pw=bla" \
5221 "$P_CLI debug_level=3 ecjpake_pw=bla \
5222 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]5223 0 \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]5224 -c "add ciphersuite: c0ff" \
5225 -c "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]5226 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]5227 -s "found ecjpake kkpp extension" \
5228 -S "skip ecjpake kkpp extension" \
5229 -S "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]5230 -s "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]5231 -c "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]5232 -S "None of the common ciphersuites is usable" \
5233 -S "SSL - Verification of the message MAC failed"
5234
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5235server_needs_more_time 1
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]5236requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]5237run_test "ECJPAKE: password mismatch, TLS" \
5238 "$P_SRV debug_level=3 ecjpake_pw=bla" \
5239 "$P_CLI debug_level=3 ecjpake_pw=bad \
5240 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
5241 1 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]5242 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]5243 -s "SSL - Verification of the message MAC failed"
5244
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]5245requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]5246run_test "ECJPAKE: working, DTLS" \
5247 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \
5248 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \
5249 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
5250 0 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]5251 -c "re-using cached ecjpake parameters" \
5252 -S "SSL - Verification of the message MAC failed"
5253
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]5254requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]5255run_test "ECJPAKE: working, DTLS, no cookie" \
5256 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla cookies=0" \
5257 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \
5258 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
5259 0 \
5260 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]5261 -S "SSL - Verification of the message MAC failed"
5262
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5263server_needs_more_time 1
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]5264requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]5265run_test "ECJPAKE: password mismatch, DTLS" \
5266 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \
5267 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bad \
5268 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
5269 1 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]5270 -c "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]5271 -s "SSL - Verification of the message MAC failed"
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]5272
Manuel Pégourié-Gonnardca700b22015-10-20 14:47:00 +0200[diff] [blame]5273# for tests with configs/config-thread.h
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]5274requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnardca700b22015-10-20 14:47:00 +0200[diff] [blame]5275run_test "ECJPAKE: working, DTLS, nolog" \
5276 "$P_SRV dtls=1 ecjpake_pw=bla" \
5277 "$P_CLI dtls=1 ecjpake_pw=bla \
5278 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
5279 0
5280
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]5281# Tests for ciphersuites per version
5282
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]5283requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardf1e62e82019-03-01 10:14:58 +0100[diff] [blame]5284requires_config_enabled MBEDTLS_CAMELLIA_C
5285requires_config_enabled MBEDTLS_AES_C
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5286run_test "Per-version suites: SSL3" \
Manuel Pégourié-Gonnardf1e62e82019-03-01 10:14:58 +0100[diff] [blame]5287 "$P_SRV min_version=ssl3 version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]5288 "$P_CLI force_version=ssl3" \
5289 0 \
Manuel Pégourié-Gonnardf1e62e82019-03-01 10:14:58 +0100[diff] [blame]5290 -c "Ciphersuite is TLS-RSA-WITH-CAMELLIA-128-CBC-SHA"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]5291
Manuel Pégourié-Gonnardf1e62e82019-03-01 10:14:58 +0100[diff] [blame]5292requires_config_enabled MBEDTLS_SSL_PROTO_TLS1
5293requires_config_enabled MBEDTLS_CAMELLIA_C
5294requires_config_enabled MBEDTLS_AES_C
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5295run_test "Per-version suites: TLS 1.0" \
Manuel Pégourié-Gonnardf1e62e82019-03-01 10:14:58 +0100[diff] [blame]5296 "$P_SRV version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]5297 "$P_CLI force_version=tls1 arc4=1" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]5298 0 \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]5299 -c "Ciphersuite is TLS-RSA-WITH-AES-256-CBC-SHA"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]5300
Manuel Pégourié-Gonnardf1e62e82019-03-01 10:14:58 +0100[diff] [blame]5301requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
5302requires_config_enabled MBEDTLS_CAMELLIA_C
5303requires_config_enabled MBEDTLS_AES_C
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5304run_test "Per-version suites: TLS 1.1" \
Manuel Pégourié-Gonnardf1e62e82019-03-01 10:14:58 +0100[diff] [blame]5305 "$P_SRV version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]5306 "$P_CLI force_version=tls1_1" \
5307 0 \
5308 -c "Ciphersuite is TLS-RSA-WITH-AES-128-CBC-SHA"
5309
Manuel Pégourié-Gonnardf1e62e82019-03-01 10:14:58 +0100[diff] [blame]5310requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
5311requires_config_enabled MBEDTLS_CAMELLIA_C
5312requires_config_enabled MBEDTLS_AES_C
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5313run_test "Per-version suites: TLS 1.2" \
Manuel Pégourié-Gonnardf1e62e82019-03-01 10:14:58 +0100[diff] [blame]5314 "$P_SRV version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]5315 "$P_CLI force_version=tls1_2" \
5316 0 \
5317 -c "Ciphersuite is TLS-RSA-WITH-AES-128-GCM-SHA256"
5318
Manuel Pégourié-Gonnard4cc8c632015-07-23 12:24:03 +0200[diff] [blame]5319# Test for ClientHello without extensions
5320
Manuel Pégourié-Gonnardd55bc202015-08-04 16:22:30 +0200[diff] [blame]5321requires_gnutls
Gilles Peskine5d2511c2017-05-12 13:16:40 +0200[diff] [blame]5322run_test "ClientHello without extensions, SHA-1 allowed" \
Ron Eldorb76e7652019-01-16 23:14:41 +0200[diff] [blame]5323 "$P_SRV debug_level=3 key_file=data_files/server2.key crt_file=data_files/server2.crt" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]5324 "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION localhost" \
Manuel Pégourié-Gonnard4cc8c632015-07-23 12:24:03 +0200[diff] [blame]5325 0 \
5326 -s "dumping 'client hello extensions' (0 bytes)"
5327
Gilles Peskine5d2511c2017-05-12 13:16:40 +0200[diff] [blame]5328requires_gnutls
5329run_test "ClientHello without extensions, SHA-1 forbidden in certificates on server" \
5330 "$P_SRV debug_level=3 key_file=data_files/server2.key crt_file=data_files/server2.crt allow_sha1=0" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]5331 "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION localhost" \
Gilles Peskine5d2511c2017-05-12 13:16:40 +0200[diff] [blame]5332 0 \
5333 -s "dumping 'client hello extensions' (0 bytes)"
5334
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5335# Tests for mbedtls_ssl_get_bytes_avail()
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]5336
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5337run_test "mbedtls_ssl_get_bytes_avail: no extra data" \
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]5338 "$P_SRV" \
5339 "$P_CLI request_size=100" \
5340 0 \
5341 -s "Read from client: 100 bytes read$"
5342
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5343run_test "mbedtls_ssl_get_bytes_avail: extra data" \
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]5344 "$P_SRV" \
5345 "$P_CLI request_size=500" \
5346 0 \
5347 -s "Read from client: 500 bytes read (.*+.*)"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]5348
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5349# Tests for small client packets
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5350
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]5351requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5352run_test "Small client packet SSLv3 BlockCipher" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]5353 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5354 "$P_CLI request_size=1 force_version=ssl3 \
5355 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5356 0 \
5357 -s "Read from client: 1 bytes read"
5358
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]5359requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5360run_test "Small client packet SSLv3 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]5361 "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5362 "$P_CLI request_size=1 force_version=ssl3 \
5363 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5364 0 \
5365 -s "Read from client: 1 bytes read"
5366
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5367run_test "Small client packet TLS 1.0 BlockCipher" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5368 "$P_SRV" \
5369 "$P_CLI request_size=1 force_version=tls1 \
5370 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5371 0 \
5372 -s "Read from client: 1 bytes read"
5373
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5374run_test "Small client packet TLS 1.0 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]5375 "$P_SRV" \
5376 "$P_CLI request_size=1 force_version=tls1 etm=0 \
5377 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5378 0 \
5379 -s "Read from client: 1 bytes read"
5380
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]5381requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5382run_test "Small client packet TLS 1.0 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5383 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5384 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5385 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5386 0 \
5387 -s "Read from client: 1 bytes read"
5388
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]5389requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5390run_test "Small client packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5391 "$P_SRV trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5392 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5393 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5394 0 \
5395 -s "Read from client: 1 bytes read"
5396
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5397run_test "Small client packet TLS 1.0 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]5398 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5399 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5400 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5401 0 \
5402 -s "Read from client: 1 bytes read"
5403
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5404run_test "Small client packet TLS 1.0 StreamCipher, without EtM" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5405 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5406 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5407 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5408 0 \
5409 -s "Read from client: 1 bytes read"
5410
5411requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5412run_test "Small client packet TLS 1.0 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5413 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5414 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5415 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5416 0 \
5417 -s "Read from client: 1 bytes read"
5418
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5419requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5420run_test "Small client packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5421 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
5422 "$P_CLI request_size=1 force_version=tls1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
5423 trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5424 0 \
5425 -s "Read from client: 1 bytes read"
5426
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5427run_test "Small client packet TLS 1.1 BlockCipher" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5428 "$P_SRV" \
5429 "$P_CLI request_size=1 force_version=tls1_1 \
5430 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5431 0 \
5432 -s "Read from client: 1 bytes read"
5433
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5434run_test "Small client packet TLS 1.1 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]5435 "$P_SRV" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5436 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5437 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5438 0 \
5439 -s "Read from client: 1 bytes read"
5440
5441requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5442run_test "Small client packet TLS 1.1 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5443 "$P_SRV trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5444 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5445 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5446 0 \
5447 -s "Read from client: 1 bytes read"
5448
5449requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5450run_test "Small client packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5451 "$P_SRV trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5452 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5453 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]5454 0 \
5455 -s "Read from client: 1 bytes read"
5456
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5457run_test "Small client packet TLS 1.1 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]5458 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5459 "$P_CLI request_size=1 force_version=tls1_1 \
5460 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5461 0 \
5462 -s "Read from client: 1 bytes read"
5463
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5464run_test "Small client packet TLS 1.1 StreamCipher, without EtM" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5465 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5466 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5467 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5468 0 \
5469 -s "Read from client: 1 bytes read"
5470
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5471requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5472run_test "Small client packet TLS 1.1 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5473 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5474 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5475 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5476 0 \
5477 -s "Read from client: 1 bytes read"
5478
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]5479requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5480run_test "Small client packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5481 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5482 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5483 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5484 0 \
5485 -s "Read from client: 1 bytes read"
5486
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5487run_test "Small client packet TLS 1.2 BlockCipher" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5488 "$P_SRV" \
5489 "$P_CLI request_size=1 force_version=tls1_2 \
5490 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5491 0 \
5492 -s "Read from client: 1 bytes read"
5493
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5494run_test "Small client packet TLS 1.2 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]5495 "$P_SRV" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5496 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5497 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]5498 0 \
5499 -s "Read from client: 1 bytes read"
5500
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5501run_test "Small client packet TLS 1.2 BlockCipher larger MAC" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5502 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]5503 "$P_CLI request_size=1 force_version=tls1_2 \
5504 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5505 0 \
5506 -s "Read from client: 1 bytes read"
5507
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]5508requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5509run_test "Small client packet TLS 1.2 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5510 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5511 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5512 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5513 0 \
5514 -s "Read from client: 1 bytes read"
5515
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5516requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5517run_test "Small client packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5518 "$P_SRV trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5519 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5520 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5521 0 \
5522 -s "Read from client: 1 bytes read"
5523
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5524run_test "Small client packet TLS 1.2 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]5525 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5526 "$P_CLI request_size=1 force_version=tls1_2 \
5527 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5528 0 \
5529 -s "Read from client: 1 bytes read"
5530
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5531run_test "Small client packet TLS 1.2 StreamCipher, without EtM" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]5532 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5533 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5534 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5535 0 \
5536 -s "Read from client: 1 bytes read"
5537
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]5538requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5539run_test "Small client packet TLS 1.2 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5540 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5541 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5542 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5543 0 \
5544 -s "Read from client: 1 bytes read"
5545
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5546requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5547run_test "Small client packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5548 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5549 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5550 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5551 0 \
5552 -s "Read from client: 1 bytes read"
5553
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5554run_test "Small client packet TLS 1.2 AEAD" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5555 "$P_SRV" \
5556 "$P_CLI request_size=1 force_version=tls1_2 \
5557 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
5558 0 \
5559 -s "Read from client: 1 bytes read"
5560
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5561run_test "Small client packet TLS 1.2 AEAD shorter tag" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5562 "$P_SRV" \
5563 "$P_CLI request_size=1 force_version=tls1_2 \
5564 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
5565 0 \
5566 -s "Read from client: 1 bytes read"
5567
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5568# Tests for small client packets in DTLS
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5569
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5570run_test "Small client packet DTLS 1.0" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5571 "$P_SRV dtls=1 force_version=dtls1" \
5572 "$P_CLI dtls=1 request_size=1 \
5573 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5574 0 \
5575 -s "Read from client: 1 bytes read"
5576
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5577run_test "Small client packet DTLS 1.0, without EtM" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5578 "$P_SRV dtls=1 force_version=dtls1 etm=0" \
5579 "$P_CLI dtls=1 request_size=1 \
5580 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5581 0 \
5582 -s "Read from client: 1 bytes read"
5583
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5584requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5585run_test "Small client packet DTLS 1.0, truncated hmac" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5586 "$P_SRV dtls=1 force_version=dtls1 trunc_hmac=1" \
5587 "$P_CLI dtls=1 request_size=1 trunc_hmac=1 \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5588 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5589 0 \
5590 -s "Read from client: 1 bytes read"
5591
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5592requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5593run_test "Small client packet DTLS 1.0, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5594 "$P_SRV dtls=1 force_version=dtls1 trunc_hmac=1 etm=0" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5595 "$P_CLI dtls=1 request_size=1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5596 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5597 0 \
5598 -s "Read from client: 1 bytes read"
5599
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5600run_test "Small client packet DTLS 1.2" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5601 "$P_SRV dtls=1 force_version=dtls1_2" \
5602 "$P_CLI dtls=1 request_size=1 \
5603 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5604 0 \
5605 -s "Read from client: 1 bytes read"
5606
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5607run_test "Small client packet DTLS 1.2, without EtM" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5608 "$P_SRV dtls=1 force_version=dtls1_2 etm=0" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5609 "$P_CLI dtls=1 request_size=1 \
5610 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5611 0 \
5612 -s "Read from client: 1 bytes read"
5613
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5614requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5615run_test "Small client packet DTLS 1.2, truncated hmac" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5616 "$P_SRV dtls=1 force_version=dtls1_2 trunc_hmac=1" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5617 "$P_CLI dtls=1 request_size=1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5618 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5619 0 \
5620 -s "Read from client: 1 bytes read"
5621
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5622requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5623run_test "Small client packet DTLS 1.2, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5624 "$P_SRV dtls=1 force_version=dtls1_2 trunc_hmac=1 etm=0" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5625 "$P_CLI dtls=1 request_size=1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5626 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5627 0 \
5628 -s "Read from client: 1 bytes read"
5629
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5630# Tests for small server packets
5631
5632requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
5633run_test "Small server packet SSLv3 BlockCipher" \
5634 "$P_SRV response_size=1 min_version=ssl3" \
5635 "$P_CLI force_version=ssl3 \
5636 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5637 0 \
5638 -c "Read from server: 1 bytes read"
5639
5640requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
5641run_test "Small server packet SSLv3 StreamCipher" \
5642 "$P_SRV response_size=1 min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5643 "$P_CLI force_version=ssl3 \
5644 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5645 0 \
5646 -c "Read from server: 1 bytes read"
5647
5648run_test "Small server packet TLS 1.0 BlockCipher" \
5649 "$P_SRV response_size=1" \
5650 "$P_CLI force_version=tls1 \
5651 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5652 0 \
5653 -c "Read from server: 1 bytes read"
5654
5655run_test "Small server packet TLS 1.0 BlockCipher, without EtM" \
5656 "$P_SRV response_size=1" \
5657 "$P_CLI force_version=tls1 etm=0 \
5658 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5659 0 \
5660 -c "Read from server: 1 bytes read"
5661
5662requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5663run_test "Small server packet TLS 1.0 BlockCipher, truncated MAC" \
5664 "$P_SRV response_size=1 trunc_hmac=1" \
5665 "$P_CLI force_version=tls1 \
5666 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
5667 0 \
5668 -c "Read from server: 1 bytes read"
5669
5670requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5671run_test "Small server packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
5672 "$P_SRV response_size=1 trunc_hmac=1" \
5673 "$P_CLI force_version=tls1 \
5674 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
5675 0 \
5676 -c "Read from server: 1 bytes read"
5677
5678run_test "Small server packet TLS 1.0 StreamCipher" \
5679 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5680 "$P_CLI force_version=tls1 \
5681 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5682 0 \
5683 -c "Read from server: 1 bytes read"
5684
5685run_test "Small server packet TLS 1.0 StreamCipher, without EtM" \
5686 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5687 "$P_CLI force_version=tls1 \
5688 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
5689 0 \
5690 -c "Read from server: 1 bytes read"
5691
5692requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5693run_test "Small server packet TLS 1.0 StreamCipher, truncated MAC" \
5694 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
5695 "$P_CLI force_version=tls1 \
5696 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
5697 0 \
5698 -c "Read from server: 1 bytes read"
5699
5700requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5701run_test "Small server packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
5702 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
5703 "$P_CLI force_version=tls1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
5704 trunc_hmac=1 etm=0" \
5705 0 \
5706 -c "Read from server: 1 bytes read"
5707
5708run_test "Small server packet TLS 1.1 BlockCipher" \
5709 "$P_SRV response_size=1" \
5710 "$P_CLI force_version=tls1_1 \
5711 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5712 0 \
5713 -c "Read from server: 1 bytes read"
5714
5715run_test "Small server packet TLS 1.1 BlockCipher, without EtM" \
5716 "$P_SRV response_size=1" \
5717 "$P_CLI force_version=tls1_1 \
5718 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
5719 0 \
5720 -c "Read from server: 1 bytes read"
5721
5722requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5723run_test "Small server packet TLS 1.1 BlockCipher, truncated MAC" \
5724 "$P_SRV response_size=1 trunc_hmac=1" \
5725 "$P_CLI force_version=tls1_1 \
5726 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
5727 0 \
5728 -c "Read from server: 1 bytes read"
5729
5730requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5731run_test "Small server packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
5732 "$P_SRV response_size=1 trunc_hmac=1" \
5733 "$P_CLI force_version=tls1_1 \
5734 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
5735 0 \
5736 -c "Read from server: 1 bytes read"
5737
5738run_test "Small server packet TLS 1.1 StreamCipher" \
5739 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5740 "$P_CLI force_version=tls1_1 \
5741 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5742 0 \
5743 -c "Read from server: 1 bytes read"
5744
5745run_test "Small server packet TLS 1.1 StreamCipher, without EtM" \
5746 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5747 "$P_CLI force_version=tls1_1 \
5748 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
5749 0 \
5750 -c "Read from server: 1 bytes read"
5751
5752requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5753run_test "Small server packet TLS 1.1 StreamCipher, truncated MAC" \
5754 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
5755 "$P_CLI force_version=tls1_1 \
5756 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
5757 0 \
5758 -c "Read from server: 1 bytes read"
5759
5760requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5761run_test "Small server packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
5762 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
5763 "$P_CLI force_version=tls1_1 \
5764 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
5765 0 \
5766 -c "Read from server: 1 bytes read"
5767
5768run_test "Small server packet TLS 1.2 BlockCipher" \
5769 "$P_SRV response_size=1" \
5770 "$P_CLI force_version=tls1_2 \
5771 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5772 0 \
5773 -c "Read from server: 1 bytes read"
5774
5775run_test "Small server packet TLS 1.2 BlockCipher, without EtM" \
5776 "$P_SRV response_size=1" \
5777 "$P_CLI force_version=tls1_2 \
5778 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
5779 0 \
5780 -c "Read from server: 1 bytes read"
5781
5782run_test "Small server packet TLS 1.2 BlockCipher larger MAC" \
5783 "$P_SRV response_size=1" \
5784 "$P_CLI force_version=tls1_2 \
5785 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
5786 0 \
5787 -c "Read from server: 1 bytes read"
5788
5789requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5790run_test "Small server packet TLS 1.2 BlockCipher, truncated MAC" \
5791 "$P_SRV response_size=1 trunc_hmac=1" \
5792 "$P_CLI force_version=tls1_2 \
5793 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
5794 0 \
5795 -c "Read from server: 1 bytes read"
5796
5797requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5798run_test "Small server packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
5799 "$P_SRV response_size=1 trunc_hmac=1" \
5800 "$P_CLI force_version=tls1_2 \
5801 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
5802 0 \
5803 -c "Read from server: 1 bytes read"
5804
5805run_test "Small server packet TLS 1.2 StreamCipher" \
5806 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5807 "$P_CLI force_version=tls1_2 \
5808 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5809 0 \
5810 -c "Read from server: 1 bytes read"
5811
5812run_test "Small server packet TLS 1.2 StreamCipher, without EtM" \
5813 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5814 "$P_CLI force_version=tls1_2 \
5815 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
5816 0 \
5817 -c "Read from server: 1 bytes read"
5818
5819requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5820run_test "Small server packet TLS 1.2 StreamCipher, truncated MAC" \
5821 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
5822 "$P_CLI force_version=tls1_2 \
5823 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
5824 0 \
5825 -c "Read from server: 1 bytes read"
5826
5827requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5828run_test "Small server packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
5829 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
5830 "$P_CLI force_version=tls1_2 \
5831 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
5832 0 \
5833 -c "Read from server: 1 bytes read"
5834
5835run_test "Small server packet TLS 1.2 AEAD" \
5836 "$P_SRV response_size=1" \
5837 "$P_CLI force_version=tls1_2 \
5838 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
5839 0 \
5840 -c "Read from server: 1 bytes read"
5841
5842run_test "Small server packet TLS 1.2 AEAD shorter tag" \
5843 "$P_SRV response_size=1" \
5844 "$P_CLI force_version=tls1_2 \
5845 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
5846 0 \
5847 -c "Read from server: 1 bytes read"
5848
5849# Tests for small server packets in DTLS
5850
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5851run_test "Small server packet DTLS 1.0" \
5852 "$P_SRV dtls=1 response_size=1 force_version=dtls1" \
5853 "$P_CLI dtls=1 \
5854 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5855 0 \
5856 -c "Read from server: 1 bytes read"
5857
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5858run_test "Small server packet DTLS 1.0, without EtM" \
5859 "$P_SRV dtls=1 response_size=1 force_version=dtls1 etm=0" \
5860 "$P_CLI dtls=1 \
5861 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5862 0 \
5863 -c "Read from server: 1 bytes read"
5864
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5865requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5866run_test "Small server packet DTLS 1.0, truncated hmac" \
5867 "$P_SRV dtls=1 response_size=1 force_version=dtls1 trunc_hmac=1" \
5868 "$P_CLI dtls=1 trunc_hmac=1 \
5869 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5870 0 \
5871 -c "Read from server: 1 bytes read"
5872
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5873requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5874run_test "Small server packet DTLS 1.0, without EtM, truncated MAC" \
5875 "$P_SRV dtls=1 response_size=1 force_version=dtls1 trunc_hmac=1 etm=0" \
5876 "$P_CLI dtls=1 \
5877 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
5878 0 \
5879 -c "Read from server: 1 bytes read"
5880
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5881run_test "Small server packet DTLS 1.2" \
5882 "$P_SRV dtls=1 response_size=1 force_version=dtls1_2" \
5883 "$P_CLI dtls=1 \
5884 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5885 0 \
5886 -c "Read from server: 1 bytes read"
5887
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5888run_test "Small server packet DTLS 1.2, without EtM" \
5889 "$P_SRV dtls=1 response_size=1 force_version=dtls1_2 etm=0" \
5890 "$P_CLI dtls=1 \
5891 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5892 0 \
5893 -c "Read from server: 1 bytes read"
5894
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5895requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5896run_test "Small server packet DTLS 1.2, truncated hmac" \
5897 "$P_SRV dtls=1 response_size=1 force_version=dtls1_2 trunc_hmac=1" \
5898 "$P_CLI dtls=1 \
5899 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
5900 0 \
5901 -c "Read from server: 1 bytes read"
5902
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5903requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5904run_test "Small server packet DTLS 1.2, without EtM, truncated MAC" \
5905 "$P_SRV dtls=1 response_size=1 force_version=dtls1_2 trunc_hmac=1 etm=0" \
5906 "$P_CLI dtls=1 \
5907 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
5908 0 \
5909 -c "Read from server: 1 bytes read"
5910
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]5911# A test for extensions in SSLv3
5912
5913requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
5914run_test "SSLv3 with extensions, server side" \
5915 "$P_SRV min_version=ssl3 debug_level=3" \
5916 "$P_CLI force_version=ssl3 tickets=1 max_frag_len=4096 alpn=abc,1234" \
5917 0 \
5918 -S "dumping 'client hello extensions'" \
5919 -S "server hello, total extension length:"
5920
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5921# Test for large client packets
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5922
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5923# How many fragments do we expect to write $1 bytes?
5924fragments_for_write() {
5925 echo "$(( ( $1 + $MAX_OUT_LEN - 1 ) / $MAX_OUT_LEN ))"
5926}
5927
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]5928requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5929run_test "Large client packet SSLv3 BlockCipher" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]5930 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]5931 "$P_CLI request_size=16384 force_version=ssl3 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5932 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5933 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5934 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
5935 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5936
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]5937requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5938run_test "Large client packet SSLv3 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]5939 "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5940 "$P_CLI request_size=16384 force_version=ssl3 \
5941 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5942 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5943 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
5944 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5945
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5946run_test "Large client packet TLS 1.0 BlockCipher" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5947 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]5948 "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5949 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5950 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5951 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
5952 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5953
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5954run_test "Large client packet TLS 1.0 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5955 "$P_SRV" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5956 "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \
5957 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5958 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5959 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5960
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]5961requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5962run_test "Large client packet TLS 1.0 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5963 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]5964 "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5965 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5966 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5967 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
5968 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5969
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]5970requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5971run_test "Large client packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5972 "$P_SRV trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5973 "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5974 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5975 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5976 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5977
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5978run_test "Large client packet TLS 1.0 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]5979 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5980 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5981 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5982 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5983 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5984
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5985run_test "Large client packet TLS 1.0 StreamCipher, without EtM" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5986 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5987 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5988 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5989 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5990 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5991
5992requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5993run_test "Large client packet TLS 1.0 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5994 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5995 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5996 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5997 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5998 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5999
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6000requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6001run_test "Large client packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6002 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6003 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6004 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6005 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6006 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6007 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6008
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6009run_test "Large client packet TLS 1.1 BlockCipher" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6010 "$P_SRV" \
6011 "$P_CLI request_size=16384 force_version=tls1_1 \
6012 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6013 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6014 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6015 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6016
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6017run_test "Large client packet TLS 1.1 BlockCipher, without EtM" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6018 "$P_SRV" \
6019 "$P_CLI request_size=16384 force_version=tls1_1 etm=0 \
6020 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6021 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6022 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6023
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]6024requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6025run_test "Large client packet TLS 1.1 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6026 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6027 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6028 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6029 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6030 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6031
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]6032requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6033run_test "Large client packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6034 "$P_SRV trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6035 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6036 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6037 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6038 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6039
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6040run_test "Large client packet TLS 1.1 StreamCipher" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6041 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6042 "$P_CLI request_size=16384 force_version=tls1_1 \
6043 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6044 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6045 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6046 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6047
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6048run_test "Large client packet TLS 1.1 StreamCipher, without EtM" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6049 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6050 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6051 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6052 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6053 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6054 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6055
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6056requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6057run_test "Large client packet TLS 1.1 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6058 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6059 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6060 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6061 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6062 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6063
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6064requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6065run_test "Large client packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6066 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6067 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6068 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6069 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6070 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6071 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6072
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6073run_test "Large client packet TLS 1.2 BlockCipher" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6074 "$P_SRV" \
6075 "$P_CLI request_size=16384 force_version=tls1_2 \
6076 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6077 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6078 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6079 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6080
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6081run_test "Large client packet TLS 1.2 BlockCipher, without EtM" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6082 "$P_SRV" \
6083 "$P_CLI request_size=16384 force_version=tls1_2 etm=0 \
6084 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6085 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6086 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6087
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6088run_test "Large client packet TLS 1.2 BlockCipher larger MAC" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6089 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]6090 "$P_CLI request_size=16384 force_version=tls1_2 \
6091 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6092 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6093 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6094 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6095
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]6096requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6097run_test "Large client packet TLS 1.2 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6098 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6099 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6100 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6101 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6102 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6103
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6104requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6105run_test "Large client packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6106 "$P_SRV trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6107 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6108 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6109 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6110 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6111 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6112
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6113run_test "Large client packet TLS 1.2 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]6114 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6115 "$P_CLI request_size=16384 force_version=tls1_2 \
6116 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6117 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6118 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6119 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6120
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6121run_test "Large client packet TLS 1.2 StreamCipher, without EtM" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]6122 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6123 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6124 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
6125 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6126 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6127
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]6128requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6129run_test "Large client packet TLS 1.2 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6130 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6131 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6132 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6133 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6134 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6135
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6136requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6137run_test "Large client packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6138 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6139 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6140 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6141 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6142 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6143 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6144
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6145run_test "Large client packet TLS 1.2 AEAD" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6146 "$P_SRV" \
6147 "$P_CLI request_size=16384 force_version=tls1_2 \
6148 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
6149 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6150 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6151 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6152
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6153run_test "Large client packet TLS 1.2 AEAD shorter tag" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6154 "$P_SRV" \
6155 "$P_CLI request_size=16384 force_version=tls1_2 \
6156 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
6157 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6158 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6159 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6160
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6161# Test for large server packets
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6162requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
6163run_test "Large server packet SSLv3 StreamCipher" \
6164 "$P_SRV response_size=16384 min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6165 "$P_CLI force_version=ssl3 \
6166 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6167 0 \
6168 -c "Read from server: 16384 bytes read"
6169
Andrzej Kurek6a4f2242018-08-27 08:00:13 -0400[diff] [blame]6170# Checking next 4 tests logs for 1n-1 split against BEAST too
6171requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
6172run_test "Large server packet SSLv3 BlockCipher" \
6173 "$P_SRV response_size=16384 min_version=ssl3" \
6174 "$P_CLI force_version=ssl3 recsplit=0 \
6175 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6176 0 \
6177 -c "Read from server: 1 bytes read"\
6178 -c "16383 bytes read"\
6179 -C "Read from server: 16384 bytes read"
6180
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6181run_test "Large server packet TLS 1.0 BlockCipher" \
6182 "$P_SRV response_size=16384" \
6183 "$P_CLI force_version=tls1 recsplit=0 \
6184 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6185 0 \
6186 -c "Read from server: 1 bytes read"\
6187 -c "16383 bytes read"\
6188 -C "Read from server: 16384 bytes read"
6189
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6190run_test "Large server packet TLS 1.0 BlockCipher, without EtM" \
6191 "$P_SRV response_size=16384" \
6192 "$P_CLI force_version=tls1 etm=0 recsplit=0 \
6193 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6194 0 \
6195 -c "Read from server: 1 bytes read"\
6196 -c "16383 bytes read"\
6197 -C "Read from server: 16384 bytes read"
6198
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6199requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6200run_test "Large server packet TLS 1.0 BlockCipher truncated MAC" \
6201 "$P_SRV response_size=16384" \
6202 "$P_CLI force_version=tls1 recsplit=0 \
6203 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
6204 trunc_hmac=1" \
6205 0 \
6206 -c "Read from server: 1 bytes read"\
6207 -c "16383 bytes read"\
6208 -C "Read from server: 16384 bytes read"
6209
6210requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6211run_test "Large server packet TLS 1.0 StreamCipher truncated MAC" \
6212 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6213 "$P_CLI force_version=tls1 \
6214 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
6215 trunc_hmac=1" \
6216 0 \
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6217 -s "16384 bytes written in 1 fragments" \
6218 -c "Read from server: 16384 bytes read"
6219
6220run_test "Large server packet TLS 1.0 StreamCipher" \
6221 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6222 "$P_CLI force_version=tls1 \
6223 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6224 0 \
6225 -s "16384 bytes written in 1 fragments" \
6226 -c "Read from server: 16384 bytes read"
6227
6228run_test "Large server packet TLS 1.0 StreamCipher, without EtM" \
6229 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6230 "$P_CLI force_version=tls1 \
6231 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
6232 0 \
6233 -s "16384 bytes written in 1 fragments" \
6234 -c "Read from server: 16384 bytes read"
6235
6236requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6237run_test "Large server packet TLS 1.0 StreamCipher, truncated MAC" \
6238 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6239 "$P_CLI force_version=tls1 \
6240 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6241 0 \
6242 -s "16384 bytes written in 1 fragments" \
6243 -c "Read from server: 16384 bytes read"
6244
6245requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6246run_test "Large server packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
6247 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6248 "$P_CLI force_version=tls1 \
6249 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
6250 0 \
6251 -s "16384 bytes written in 1 fragments" \
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6252 -c "Read from server: 16384 bytes read"
6253
6254run_test "Large server packet TLS 1.1 BlockCipher" \
6255 "$P_SRV response_size=16384" \
6256 "$P_CLI force_version=tls1_1 \
6257 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6258 0 \
6259 -c "Read from server: 16384 bytes read"
6260
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6261run_test "Large server packet TLS 1.1 BlockCipher, without EtM" \
6262 "$P_SRV response_size=16384" \
6263 "$P_CLI force_version=tls1_1 etm=0 \
6264 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6265 0 \
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6266 -s "16384 bytes written in 1 fragments" \
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6267 -c "Read from server: 16384 bytes read"
6268
6269requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6270run_test "Large server packet TLS 1.1 BlockCipher truncated MAC" \
6271 "$P_SRV response_size=16384" \
6272 "$P_CLI force_version=tls1_1 \
6273 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
6274 trunc_hmac=1" \
6275 0 \
6276 -c "Read from server: 16384 bytes read"
6277
6278requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6279run_test "Large server packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
6280 "$P_SRV response_size=16384 trunc_hmac=1" \
6281 "$P_CLI force_version=tls1_1 \
6282 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
6283 0 \
6284 -s "16384 bytes written in 1 fragments" \
6285 -c "Read from server: 16384 bytes read"
6286
6287run_test "Large server packet TLS 1.1 StreamCipher" \
6288 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6289 "$P_CLI force_version=tls1_1 \
6290 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6291 0 \
6292 -c "Read from server: 16384 bytes read"
6293
6294run_test "Large server packet TLS 1.1 StreamCipher, without EtM" \
6295 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6296 "$P_CLI force_version=tls1_1 \
6297 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
6298 0 \
6299 -s "16384 bytes written in 1 fragments" \
6300 -c "Read from server: 16384 bytes read"
6301
6302requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6303run_test "Large server packet TLS 1.1 StreamCipher truncated MAC" \
6304 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6305 "$P_CLI force_version=tls1_1 \
6306 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
6307 trunc_hmac=1" \
6308 0 \
6309 -c "Read from server: 16384 bytes read"
6310
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6311run_test "Large server packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
6312 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6313 "$P_CLI force_version=tls1_1 \
6314 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
6315 0 \
6316 -s "16384 bytes written in 1 fragments" \
6317 -c "Read from server: 16384 bytes read"
6318
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6319run_test "Large server packet TLS 1.2 BlockCipher" \
6320 "$P_SRV response_size=16384" \
6321 "$P_CLI force_version=tls1_2 \
6322 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6323 0 \
6324 -c "Read from server: 16384 bytes read"
6325
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6326run_test "Large server packet TLS 1.2 BlockCipher, without EtM" \
6327 "$P_SRV response_size=16384" \
6328 "$P_CLI force_version=tls1_2 etm=0 \
6329 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6330 0 \
6331 -s "16384 bytes written in 1 fragments" \
6332 -c "Read from server: 16384 bytes read"
6333
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6334run_test "Large server packet TLS 1.2 BlockCipher larger MAC" \
6335 "$P_SRV response_size=16384" \
6336 "$P_CLI force_version=tls1_2 \
6337 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
6338 0 \
6339 -c "Read from server: 16384 bytes read"
6340
6341requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6342run_test "Large server packet TLS 1.2 BlockCipher truncated MAC" \
6343 "$P_SRV response_size=16384" \
6344 "$P_CLI force_version=tls1_2 \
6345 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
6346 trunc_hmac=1" \
6347 0 \
6348 -c "Read from server: 16384 bytes read"
6349
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6350run_test "Large server packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
6351 "$P_SRV response_size=16384 trunc_hmac=1" \
6352 "$P_CLI force_version=tls1_2 \
6353 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
6354 0 \
6355 -s "16384 bytes written in 1 fragments" \
6356 -c "Read from server: 16384 bytes read"
6357
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6358run_test "Large server packet TLS 1.2 StreamCipher" \
6359 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6360 "$P_CLI force_version=tls1_2 \
6361 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6362 0 \
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6363 -s "16384 bytes written in 1 fragments" \
6364 -c "Read from server: 16384 bytes read"
6365
6366run_test "Large server packet TLS 1.2 StreamCipher, without EtM" \
6367 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6368 "$P_CLI force_version=tls1_2 \
6369 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
6370 0 \
6371 -s "16384 bytes written in 1 fragments" \
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6372 -c "Read from server: 16384 bytes read"
6373
6374requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6375run_test "Large server packet TLS 1.2 StreamCipher truncated MAC" \
6376 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6377 "$P_CLI force_version=tls1_2 \
6378 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
6379 trunc_hmac=1" \
6380 0 \
6381 -c "Read from server: 16384 bytes read"
6382
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6383requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6384run_test "Large server packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
6385 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6386 "$P_CLI force_version=tls1_2 \
6387 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
6388 0 \
6389 -s "16384 bytes written in 1 fragments" \
6390 -c "Read from server: 16384 bytes read"
6391
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6392run_test "Large server packet TLS 1.2 AEAD" \
6393 "$P_SRV response_size=16384" \
6394 "$P_CLI force_version=tls1_2 \
6395 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
6396 0 \
6397 -c "Read from server: 16384 bytes read"
6398
6399run_test "Large server packet TLS 1.2 AEAD shorter tag" \
6400 "$P_SRV response_size=16384" \
6401 "$P_CLI force_version=tls1_2 \
6402 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
6403 0 \
6404 -c "Read from server: 16384 bytes read"
6405
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6406# Tests for restartable ECC
6407
6408requires_config_enabled MBEDTLS_ECP_RESTARTABLE
6409run_test "EC restart: TLS, default" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]6410 "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6411 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]6412 key_file=data_files/server5.key crt_file=data_files/server5.crt \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6413 debug_level=1" \
6414 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6415 -C "x509_verify_cert.*4b00" \
6416 -C "mbedtls_pk_verify.*4b00" \
6417 -C "mbedtls_ecdh_make_public.*4b00" \
6418 -C "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6419
6420requires_config_enabled MBEDTLS_ECP_RESTARTABLE
6421run_test "EC restart: TLS, max_ops=0" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]6422 "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6423 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]6424 key_file=data_files/server5.key crt_file=data_files/server5.crt \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6425 debug_level=1 ec_max_ops=0" \
6426 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6427 -C "x509_verify_cert.*4b00" \
6428 -C "mbedtls_pk_verify.*4b00" \
6429 -C "mbedtls_ecdh_make_public.*4b00" \
6430 -C "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6431
6432requires_config_enabled MBEDTLS_ECP_RESTARTABLE
6433run_test "EC restart: TLS, max_ops=65535" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]6434 "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6435 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]6436 key_file=data_files/server5.key crt_file=data_files/server5.crt \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6437 debug_level=1 ec_max_ops=65535" \
6438 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6439 -C "x509_verify_cert.*4b00" \
6440 -C "mbedtls_pk_verify.*4b00" \
6441 -C "mbedtls_ecdh_make_public.*4b00" \
6442 -C "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6443
6444requires_config_enabled MBEDTLS_ECP_RESTARTABLE
6445run_test "EC restart: TLS, max_ops=1000" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]6446 "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6447 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]6448 key_file=data_files/server5.key crt_file=data_files/server5.crt \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6449 debug_level=1 ec_max_ops=1000" \
6450 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6451 -c "x509_verify_cert.*4b00" \
6452 -c "mbedtls_pk_verify.*4b00" \
6453 -c "mbedtls_ecdh_make_public.*4b00" \
6454 -c "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6455
6456requires_config_enabled MBEDTLS_ECP_RESTARTABLE
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]6457requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6458run_test "EC restart: TLS, max_ops=1000, badsign" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]6459 "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6460 crt_file=data_files/server5-badsign.crt \
6461 key_file=data_files/server5.key" \
6462 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Hanno Becker03d77462019-08-27 16:24:56 +0100[diff] [blame]6463 key_file=data_files/server5.key crt_file=data_files/server5.crt ca_file=data_files/test-ca2.crt \
6464 debug_level=1 ec_max_ops=1000 auth_mode=optional" \
6465 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6466 -c "x509_verify_cert.*4b00" \
Hanno Becker03d77462019-08-27 16:24:56 +0100[diff] [blame]6467 -c "mbedtls_pk_verify.*4b00" \
6468 -c "mbedtls_ecdh_make_public.*4b00" \
6469 -c "mbedtls_pk_sign.*4b00" \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6470 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6471
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]6472requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6473requires_config_enabled MBEDTLS_ECP_RESTARTABLE
6474run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]6475 "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6476 crt_file=data_files/server5-badsign.crt \
6477 key_file=data_files/server5.key" \
6478 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
6479 key_file=data_files/server5.key crt_file=data_files/server5.crt \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]6480 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6481 debug_level=1 ec_max_ops=1000 auth_mode=optional" \
6482 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6483 -c "x509_verify_cert.*4b00" \
6484 -c "mbedtls_pk_verify.*4b00" \
6485 -c "mbedtls_ecdh_make_public.*4b00" \
6486 -c "mbedtls_pk_sign.*4b00" \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6487 -c "! The certificate is not correctly signed by the trusted CA" \
6488 -C "! mbedtls_ssl_handshake returned" \
6489 -C "X509 - Certificate verification failed"
6490
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]6491requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]6492requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6493requires_config_enabled MBEDTLS_ECP_RESTARTABLE
6494run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]6495 "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6496 crt_file=data_files/server5-badsign.crt \
6497 key_file=data_files/server5.key" \
6498 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]6499 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6500 key_file=data_files/server5.key crt_file=data_files/server5.crt \
6501 debug_level=1 ec_max_ops=1000 auth_mode=none" \
6502 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6503 -C "x509_verify_cert.*4b00" \
6504 -c "mbedtls_pk_verify.*4b00" \
6505 -c "mbedtls_ecdh_make_public.*4b00" \
6506 -c "mbedtls_pk_sign.*4b00" \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6507 -C "! The certificate is not correctly signed by the trusted CA" \
6508 -C "! mbedtls_ssl_handshake returned" \
6509 -C "X509 - Certificate verification failed"
6510
6511requires_config_enabled MBEDTLS_ECP_RESTARTABLE
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6512run_test "EC restart: DTLS, max_ops=1000" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]6513 "$P_SRV auth_mode=required dtls=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6514 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]6515 key_file=data_files/server5.key crt_file=data_files/server5.crt \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6516 dtls=1 debug_level=1 ec_max_ops=1000" \
6517 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6518 -c "x509_verify_cert.*4b00" \
6519 -c "mbedtls_pk_verify.*4b00" \
6520 -c "mbedtls_ecdh_make_public.*4b00" \
6521 -c "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6522
Manuel Pégourié-Gonnard32033da2017-05-18 12:49:27 +0200[diff] [blame]6523requires_config_enabled MBEDTLS_ECP_RESTARTABLE
6524run_test "EC restart: TLS, max_ops=1000 no client auth" \
6525 "$P_SRV" \
6526 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
6527 debug_level=1 ec_max_ops=1000" \
6528 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6529 -c "x509_verify_cert.*4b00" \
6530 -c "mbedtls_pk_verify.*4b00" \
6531 -c "mbedtls_ecdh_make_public.*4b00" \
6532 -C "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard32033da2017-05-18 12:49:27 +0200[diff] [blame]6533
6534requires_config_enabled MBEDTLS_ECP_RESTARTABLE
6535run_test "EC restart: TLS, max_ops=1000, ECDHE-PSK" \
6536 "$P_SRV psk=abc123" \
6537 "$P_CLI force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256 \
6538 psk=abc123 debug_level=1 ec_max_ops=1000" \
6539 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6540 -C "x509_verify_cert.*4b00" \
6541 -C "mbedtls_pk_verify.*4b00" \
6542 -C "mbedtls_ecdh_make_public.*4b00" \
6543 -C "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard32033da2017-05-18 12:49:27 +0200[diff] [blame]6544
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6545# Tests of asynchronous private key support in SSL
6546
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6547requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6548run_test "SSL async private: sign, delay=0" \
6549 "$P_SRV \
6550 async_operations=s async_private_delay1=0 async_private_delay2=0" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6551 "$P_CLI" \
6552 0 \
6553 -s "Async sign callback: using key slot " \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6554 -s "Async resume (slot [0-9]): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6555
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6556requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6557run_test "SSL async private: sign, delay=1" \
6558 "$P_SRV \
6559 async_operations=s async_private_delay1=1 async_private_delay2=1" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6560 "$P_CLI" \
6561 0 \
6562 -s "Async sign callback: using key slot " \
6563 -s "Async resume (slot [0-9]): call 0 more times." \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6564 -s "Async resume (slot [0-9]): sign done, status=0"
6565
Gilles Peskine12d0cc12018-04-26 15:06:56 +0200[diff] [blame]6566requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
6567run_test "SSL async private: sign, delay=2" \
6568 "$P_SRV \
6569 async_operations=s async_private_delay1=2 async_private_delay2=2" \
6570 "$P_CLI" \
6571 0 \
6572 -s "Async sign callback: using key slot " \
6573 -U "Async sign callback: using key slot " \
6574 -s "Async resume (slot [0-9]): call 1 more times." \
6575 -s "Async resume (slot [0-9]): call 0 more times." \
6576 -s "Async resume (slot [0-9]): sign done, status=0"
6577
Gilles Peskined3268832018-04-26 06:23:59 +0200[diff] [blame]6578# Test that the async callback correctly signs the 36-byte hash of TLS 1.0/1.1
6579# with RSA PKCS#1v1.5 as used in TLS 1.0/1.1.
6580requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
6581requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
6582run_test "SSL async private: sign, RSA, TLS 1.1" \
6583 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt \
6584 async_operations=s async_private_delay1=0 async_private_delay2=0" \
6585 "$P_CLI force_version=tls1_1" \
6586 0 \
6587 -s "Async sign callback: using key slot " \
6588 -s "Async resume (slot [0-9]): sign done, status=0"
6589
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6590requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Hanno Beckerb2c63832019-06-17 08:35:16 +0100[diff] [blame]6591requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]6592requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]6593requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Gilles Peskine807d74a2018-04-30 10:30:49 +0200[diff] [blame]6594run_test "SSL async private: sign, SNI" \
6595 "$P_SRV debug_level=3 \
6596 async_operations=s async_private_delay1=0 async_private_delay2=0 \
6597 crt_file=data_files/server5.crt key_file=data_files/server5.key \
6598 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
6599 "$P_CLI server_name=polarssl.example" \
6600 0 \
6601 -s "Async sign callback: using key slot " \
6602 -s "Async resume (slot [0-9]): sign done, status=0" \
6603 -s "parse ServerName extension" \
6604 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
6605 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
6606
6607requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6608run_test "SSL async private: decrypt, delay=0" \
6609 "$P_SRV \
6610 async_operations=d async_private_delay1=0 async_private_delay2=0" \
6611 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
6612 0 \
6613 -s "Async decrypt callback: using key slot " \
6614 -s "Async resume (slot [0-9]): decrypt done, status=0"
6615
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6616requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6617run_test "SSL async private: decrypt, delay=1" \
6618 "$P_SRV \
6619 async_operations=d async_private_delay1=1 async_private_delay2=1" \
6620 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
6621 0 \
6622 -s "Async decrypt callback: using key slot " \
6623 -s "Async resume (slot [0-9]): call 0 more times." \
6624 -s "Async resume (slot [0-9]): decrypt done, status=0"
6625
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6626requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6627run_test "SSL async private: decrypt RSA-PSK, delay=0" \
6628 "$P_SRV psk=abc123 \
6629 async_operations=d async_private_delay1=0 async_private_delay2=0" \
6630 "$P_CLI psk=abc123 \
6631 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256" \
6632 0 \
6633 -s "Async decrypt callback: using key slot " \
6634 -s "Async resume (slot [0-9]): decrypt done, status=0"
6635
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6636requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6637run_test "SSL async private: decrypt RSA-PSK, delay=1" \
6638 "$P_SRV psk=abc123 \
6639 async_operations=d async_private_delay1=1 async_private_delay2=1" \
6640 "$P_CLI psk=abc123 \
6641 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256" \
6642 0 \
6643 -s "Async decrypt callback: using key slot " \
6644 -s "Async resume (slot [0-9]): call 0 more times." \
6645 -s "Async resume (slot [0-9]): decrypt done, status=0"
6646
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6647requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6648run_test "SSL async private: sign callback not present" \
6649 "$P_SRV \
6650 async_operations=d async_private_delay1=1 async_private_delay2=1" \
6651 "$P_CLI; [ \$? -eq 1 ] &&
6652 $P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
6653 0 \
6654 -S "Async sign callback" \
6655 -s "! mbedtls_ssl_handshake returned" \
6656 -s "The own private key or pre-shared key is not set, but needed" \
6657 -s "Async resume (slot [0-9]): decrypt done, status=0" \
6658 -s "Successful connection"
6659
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6660requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6661run_test "SSL async private: decrypt callback not present" \
6662 "$P_SRV debug_level=1 \
6663 async_operations=s async_private_delay1=1 async_private_delay2=1" \
6664 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA;
6665 [ \$? -eq 1 ] && $P_CLI" \
6666 0 \
6667 -S "Async decrypt callback" \
6668 -s "! mbedtls_ssl_handshake returned" \
6669 -s "got no RSA private key" \
6670 -s "Async resume (slot [0-9]): sign done, status=0" \
6671 -s "Successful connection"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6672
6673# key1: ECDSA, key2: RSA; use key1 from slot 0
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6674requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6675run_test "SSL async private: slot 0 used with key1" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6676 "$P_SRV \
6677 async_operations=s async_private_delay1=1 \
6678 key_file=data_files/server5.key crt_file=data_files/server5.crt \
6679 key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]6680 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 ca_file=data_files/test-ca2.crt" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6681 0 \
6682 -s "Async sign callback: using key slot 0," \
6683 -s "Async resume (slot 0): call 0 more times." \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6684 -s "Async resume (slot 0): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6685
6686# key1: ECDSA, key2: RSA; use key2 from slot 0
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6687requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6688run_test "SSL async private: slot 0 used with key2" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6689 "$P_SRV \
6690 async_operations=s async_private_delay2=1 \
6691 key_file=data_files/server5.key crt_file=data_files/server5.crt \
6692 key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6693 "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
6694 0 \
6695 -s "Async sign callback: using key slot 0," \
6696 -s "Async resume (slot 0): call 0 more times." \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6697 -s "Async resume (slot 0): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6698
6699# key1: ECDSA, key2: RSA; use key2 from slot 1
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6700requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinead28bf02018-04-26 00:19:16 +0200[diff] [blame]6701run_test "SSL async private: slot 1 used with key2" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6702 "$P_SRV \
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]6703 async_operations=s async_private_delay1=1 async_private_delay2=1 \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6704 key_file=data_files/server5.key crt_file=data_files/server5.crt \
6705 key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6706 "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
6707 0 \
6708 -s "Async sign callback: using key slot 1," \
6709 -s "Async resume (slot 1): call 0 more times." \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6710 -s "Async resume (slot 1): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6711
6712# key1: ECDSA, key2: RSA; use key2 directly
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6713requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6714run_test "SSL async private: fall back to transparent key" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6715 "$P_SRV \
6716 async_operations=s async_private_delay1=1 \
6717 key_file=data_files/server5.key crt_file=data_files/server5.crt \
6718 key_file2=data_files/server2.key crt_file2=data_files/server2.crt " \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6719 "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
6720 0 \
6721 -s "Async sign callback: no key matches this certificate."
6722
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6723requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]6724run_test "SSL async private: sign, error in start" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6725 "$P_SRV \
6726 async_operations=s async_private_delay1=1 async_private_delay2=1 \
6727 async_private_error=1" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6728 "$P_CLI" \
6729 1 \
6730 -s "Async sign callback: injected error" \
6731 -S "Async resume" \
Gilles Peskine37289cd2018-04-27 11:50:14 +0200[diff] [blame]6732 -S "Async cancel" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6733 -s "! mbedtls_ssl_handshake returned"
6734
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6735requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]6736run_test "SSL async private: sign, cancel after start" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6737 "$P_SRV \
6738 async_operations=s async_private_delay1=1 async_private_delay2=1 \
6739 async_private_error=2" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6740 "$P_CLI" \
6741 1 \
6742 -s "Async sign callback: using key slot " \
6743 -S "Async resume" \
6744 -s "Async cancel"
6745
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6746requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]6747run_test "SSL async private: sign, error in resume" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6748 "$P_SRV \
6749 async_operations=s async_private_delay1=1 async_private_delay2=1 \
6750 async_private_error=3" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6751 "$P_CLI" \
6752 1 \
6753 -s "Async sign callback: using key slot " \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6754 -s "Async resume callback: sign done but injected error" \
Gilles Peskine37289cd2018-04-27 11:50:14 +0200[diff] [blame]6755 -S "Async cancel" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6756 -s "! mbedtls_ssl_handshake returned"
6757
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6758requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]6759run_test "SSL async private: decrypt, error in start" \
6760 "$P_SRV \
6761 async_operations=d async_private_delay1=1 async_private_delay2=1 \
6762 async_private_error=1" \
6763 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
6764 1 \
6765 -s "Async decrypt callback: injected error" \
6766 -S "Async resume" \
6767 -S "Async cancel" \
6768 -s "! mbedtls_ssl_handshake returned"
6769
6770requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
6771run_test "SSL async private: decrypt, cancel after start" \
6772 "$P_SRV \
6773 async_operations=d async_private_delay1=1 async_private_delay2=1 \
6774 async_private_error=2" \
6775 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
6776 1 \
6777 -s "Async decrypt callback: using key slot " \
6778 -S "Async resume" \
6779 -s "Async cancel"
6780
6781requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
6782run_test "SSL async private: decrypt, error in resume" \
6783 "$P_SRV \
6784 async_operations=d async_private_delay1=1 async_private_delay2=1 \
6785 async_private_error=3" \
6786 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
6787 1 \
6788 -s "Async decrypt callback: using key slot " \
6789 -s "Async resume callback: decrypt done but injected error" \
6790 -S "Async cancel" \
6791 -s "! mbedtls_ssl_handshake returned"
6792
6793requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]6794run_test "SSL async private: cancel after start then operate correctly" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6795 "$P_SRV \
6796 async_operations=s async_private_delay1=1 async_private_delay2=1 \
6797 async_private_error=-2" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]6798 "$P_CLI; [ \$? -eq 1 ] && $P_CLI" \
6799 0 \
6800 -s "Async cancel" \
6801 -s "! mbedtls_ssl_handshake returned" \
6802 -s "Async resume" \
6803 -s "Successful connection"
6804
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6805requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]6806run_test "SSL async private: error in resume then operate correctly" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6807 "$P_SRV \
6808 async_operations=s async_private_delay1=1 async_private_delay2=1 \
6809 async_private_error=-3" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]6810 "$P_CLI; [ \$? -eq 1 ] && $P_CLI" \
6811 0 \
6812 -s "! mbedtls_ssl_handshake returned" \
6813 -s "Async resume" \
6814 -s "Successful connection"
6815
6816# key1: ECDSA, key2: RSA; use key1 through async, then key2 directly
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6817requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]6818run_test "SSL async private: cancel after start then fall back to transparent key" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6819 "$P_SRV \
6820 async_operations=s async_private_delay1=1 async_private_error=-2 \
6821 key_file=data_files/server5.key crt_file=data_files/server5.crt \
6822 key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]6823 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256;
6824 [ \$? -eq 1 ] &&
6825 $P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
6826 0 \
Gilles Peskinededa75a2018-04-30 10:02:45 +0200[diff] [blame]6827 -s "Async sign callback: using key slot 0" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]6828 -S "Async resume" \
6829 -s "Async cancel" \
6830 -s "! mbedtls_ssl_handshake returned" \
6831 -s "Async sign callback: no key matches this certificate." \
6832 -s "Successful connection"
6833
6834# key1: ECDSA, key2: RSA; use key1 through async, then key2 directly
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6835requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]6836run_test "SSL async private: sign, error in resume then fall back to transparent key" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6837 "$P_SRV \
6838 async_operations=s async_private_delay1=1 async_private_error=-3 \
6839 key_file=data_files/server5.key crt_file=data_files/server5.crt \
6840 key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]6841 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256;
6842 [ \$? -eq 1 ] &&
6843 $P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
6844 0 \
6845 -s "Async resume" \
6846 -s "! mbedtls_ssl_handshake returned" \
6847 -s "Async sign callback: no key matches this certificate." \
6848 -s "Successful connection"
6849
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6850requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6851requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6852run_test "SSL async private: renegotiation: client-initiated; sign" \
6853 "$P_SRV \
6854 async_operations=s async_private_delay1=1 async_private_delay2=1 \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6855 exchanges=2 renegotiation=1" \
6856 "$P_CLI exchanges=2 renegotiation=1 renegotiate=1" \
6857 0 \
6858 -s "Async sign callback: using key slot " \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6859 -s "Async resume (slot [0-9]): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6860
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6861requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6862requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6863run_test "SSL async private: renegotiation: server-initiated; sign" \
6864 "$P_SRV \
6865 async_operations=s async_private_delay1=1 async_private_delay2=1 \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6866 exchanges=2 renegotiation=1 renegotiate=1" \
6867 "$P_CLI exchanges=2 renegotiation=1" \
6868 0 \
6869 -s "Async sign callback: using key slot " \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6870 -s "Async resume (slot [0-9]): sign done, status=0"
6871
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6872requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6873requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
6874run_test "SSL async private: renegotiation: client-initiated; decrypt" \
6875 "$P_SRV \
6876 async_operations=d async_private_delay1=1 async_private_delay2=1 \
6877 exchanges=2 renegotiation=1" \
6878 "$P_CLI exchanges=2 renegotiation=1 renegotiate=1 \
6879 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
6880 0 \
6881 -s "Async decrypt callback: using key slot " \
6882 -s "Async resume (slot [0-9]): decrypt done, status=0"
6883
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6884requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6885requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
6886run_test "SSL async private: renegotiation: server-initiated; decrypt" \
6887 "$P_SRV \
6888 async_operations=d async_private_delay1=1 async_private_delay2=1 \
6889 exchanges=2 renegotiation=1 renegotiate=1" \
6890 "$P_CLI exchanges=2 renegotiation=1 \
6891 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
6892 0 \
6893 -s "Async decrypt callback: using key slot " \
6894 -s "Async resume (slot [0-9]): decrypt done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6895
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]6896# Tests for ECC extensions (rfc 4492)
6897
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]6898requires_config_enabled MBEDTLS_AES_C
6899requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
6900requires_config_enabled MBEDTLS_SHA256_C
6901requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]6902run_test "Force a non ECC ciphersuite in the client side" \
6903 "$P_SRV debug_level=3" \
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]6904 "$P_CLI debug_level=3 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA256" \
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]6905 0 \
6906 -C "client hello, adding supported_elliptic_curves extension" \
6907 -C "client hello, adding supported_point_formats extension" \
6908 -S "found supported elliptic curves extension" \
6909 -S "found supported point formats extension"
6910
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]6911requires_config_enabled MBEDTLS_AES_C
6912requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
6913requires_config_enabled MBEDTLS_SHA256_C
6914requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]6915run_test "Force a non ECC ciphersuite in the server side" \
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]6916 "$P_SRV debug_level=3 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA256" \
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]6917 "$P_CLI debug_level=3" \
6918 0 \
6919 -C "found supported_point_formats extension" \
6920 -S "server hello, supported_point_formats extension"
6921
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]6922requires_config_enabled MBEDTLS_AES_C
6923requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
6924requires_config_enabled MBEDTLS_SHA256_C
6925requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]6926run_test "Force an ECC ciphersuite in the client side" \
6927 "$P_SRV debug_level=3" \
6928 "$P_CLI debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
6929 0 \
6930 -c "client hello, adding supported_elliptic_curves extension" \
6931 -c "client hello, adding supported_point_formats extension" \
6932 -s "found supported elliptic curves extension" \
6933 -s "found supported point formats extension"
6934
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]6935requires_config_enabled MBEDTLS_AES_C
6936requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
6937requires_config_enabled MBEDTLS_SHA256_C
6938requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]6939run_test "Force an ECC ciphersuite in the server side" \
6940 "$P_SRV debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
6941 "$P_CLI debug_level=3" \
6942 0 \
6943 -c "found supported_point_formats extension" \
6944 -s "server hello, supported_point_formats extension"
6945
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]6946# Tests for DTLS HelloVerifyRequest
6947
6948run_test "DTLS cookie: enabled" \
6949 "$P_SRV dtls=1 debug_level=2" \
6950 "$P_CLI dtls=1 debug_level=2" \
6951 0 \
6952 -s "cookie verification failed" \
6953 -s "cookie verification passed" \
6954 -S "cookie verification skipped" \
6955 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]6956 -s "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]6957 -S "SSL - The requested feature is not available"
6958
6959run_test "DTLS cookie: disabled" \
6960 "$P_SRV dtls=1 debug_level=2 cookies=0" \
6961 "$P_CLI dtls=1 debug_level=2" \
6962 0 \
6963 -S "cookie verification failed" \
6964 -S "cookie verification passed" \
6965 -s "cookie verification skipped" \
6966 -C "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]6967 -S "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]6968 -S "SSL - The requested feature is not available"
6969
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]6970run_test "DTLS cookie: default (failing)" \
6971 "$P_SRV dtls=1 debug_level=2 cookies=-1" \
6972 "$P_CLI dtls=1 debug_level=2 hs_timeout=100-400" \
6973 1 \
6974 -s "cookie verification failed" \
6975 -S "cookie verification passed" \
6976 -S "cookie verification skipped" \
6977 -C "received hello verify request" \
6978 -S "hello verification requested" \
6979 -s "SSL - The requested feature is not available"
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]6980
6981requires_ipv6
6982run_test "DTLS cookie: enabled, IPv6" \
6983 "$P_SRV dtls=1 debug_level=2 server_addr=::1" \
6984 "$P_CLI dtls=1 debug_level=2 server_addr=::1" \
6985 0 \
6986 -s "cookie verification failed" \
6987 -s "cookie verification passed" \
6988 -S "cookie verification skipped" \
6989 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]6990 -s "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]6991 -S "SSL - The requested feature is not available"
6992
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +0200[diff] [blame]6993run_test "DTLS cookie: enabled, nbio" \
6994 "$P_SRV dtls=1 nbio=2 debug_level=2" \
6995 "$P_CLI dtls=1 nbio=2 debug_level=2" \
6996 0 \
6997 -s "cookie verification failed" \
6998 -s "cookie verification passed" \
6999 -S "cookie verification skipped" \
7000 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]7001 -s "hello verification requested" \
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +0200[diff] [blame]7002 -S "SSL - The requested feature is not available"
7003
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]7004# Tests for client reconnecting from the same port with DTLS
7005
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]7006not_with_valgrind # spurious resend
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]7007run_test "DTLS client reconnect from same port: reference" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]7008 "$P_SRV dtls=1 exchanges=2 read_timeout=1000" \
7009 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]7010 0 \
7011 -C "resend" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]7012 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]7013 -S "Client initiated reconnection from same port"
7014
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]7015not_with_valgrind # spurious resend
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]7016run_test "DTLS client reconnect from same port: reconnect" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]7017 "$P_SRV dtls=1 exchanges=2 read_timeout=1000" \
7018 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]7019 0 \
7020 -C "resend" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]7021 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]7022 -s "Client initiated reconnection from same port"
7023
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]7024not_with_valgrind # server/client too slow to respond in time (next test has higher timeouts)
7025run_test "DTLS client reconnect from same port: reconnect, nbio, no valgrind" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]7026 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 nbio=2" \
7027 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]7028 0 \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]7029 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]7030 -s "Client initiated reconnection from same port"
7031
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]7032only_with_valgrind # Only with valgrind, do previous test but with higher read_timeout and hs_timeout
7033run_test "DTLS client reconnect from same port: reconnect, nbio, valgrind" \
7034 "$P_SRV dtls=1 exchanges=2 read_timeout=2000 nbio=2 hs_timeout=1500-6000" \
7035 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=1500-3000 reconnect_hard=1" \
7036 0 \
7037 -S "The operation timed out" \
7038 -s "Client initiated reconnection from same port"
7039
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]7040run_test "DTLS client reconnect from same port: no cookies" \
7041 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 cookies=0" \
Manuel Pégourié-Gonnard6ad23b92015-09-15 12:57:46 +0200[diff] [blame]7042 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-8000 reconnect_hard=1" \
7043 0 \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]7044 -s "The operation timed out" \
7045 -S "Client initiated reconnection from same port"
7046
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]7047# Tests for various cases of client authentication with DTLS
7048# (focused on handshake flows and message parsing)
7049
7050run_test "DTLS client auth: required" \
7051 "$P_SRV dtls=1 auth_mode=required" \
7052 "$P_CLI dtls=1" \
7053 0 \
7054 -s "Verifying peer X.509 certificate... ok"
7055
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]7056requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]7057requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]7058run_test "DTLS client auth: optional, client has no cert" \
7059 "$P_SRV dtls=1 auth_mode=optional" \
7060 "$P_CLI dtls=1 crt_file=none key_file=none" \
7061 0 \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]7062 -s "! Certificate was missing"
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]7063
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]7064requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]7065requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]7066run_test "DTLS client auth: none, client has no cert" \
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]7067 "$P_SRV dtls=1 auth_mode=none" \
7068 "$P_CLI dtls=1 crt_file=none key_file=none debug_level=2" \
7069 0 \
7070 -c "skip write certificate$" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]7071 -s "! Certificate verification was skipped"
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]7072
Manuel Pégourié-Gonnard0a885742015-08-04 12:08:35 +0200[diff] [blame]7073run_test "DTLS wrong PSK: badmac alert" \
7074 "$P_SRV dtls=1 psk=abc123 force_ciphersuite=TLS-PSK-WITH-AES-128-GCM-SHA256" \
7075 "$P_CLI dtls=1 psk=abc124" \
7076 1 \
7077 -s "SSL - Verification of the message MAC failed" \
7078 -c "SSL - A fatal alert message was received from our peer"
7079
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]7080# Tests for receiving fragmented handshake messages with DTLS
7081
7082requires_gnutls
7083run_test "DTLS reassembly: no fragmentation (gnutls server)" \
7084 "$G_SRV -u --mtu 2048 -a" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7085 "$P_CLI dtls=1 debug_level=2 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]7086 0 \
7087 -C "found fragmented DTLS handshake message" \
7088 -C "error"
7089
7090requires_gnutls
7091run_test "DTLS reassembly: some fragmentation (gnutls server)" \
7092 "$G_SRV -u --mtu 512" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7093 "$P_CLI dtls=1 debug_level=2 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]7094 0 \
7095 -c "found fragmented DTLS handshake message" \
7096 -C "error"
7097
7098requires_gnutls
7099run_test "DTLS reassembly: more fragmentation (gnutls server)" \
7100 "$G_SRV -u --mtu 128" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7101 "$P_CLI dtls=1 debug_level=2 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]7102 0 \
7103 -c "found fragmented DTLS handshake message" \
7104 -C "error"
7105
7106requires_gnutls
7107run_test "DTLS reassembly: more fragmentation, nbio (gnutls server)" \
7108 "$G_SRV -u --mtu 128" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7109 "$P_CLI dtls=1 nbio=2 debug_level=2 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]7110 0 \
7111 -c "found fragmented DTLS handshake message" \
7112 -C "error"
7113
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]7114requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]7115requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]7116run_test "DTLS reassembly: fragmentation, renego (gnutls server)" \
7117 "$G_SRV -u --mtu 256" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7118 "$P_CLI debug_level=3 dtls=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]7119 0 \
7120 -c "found fragmented DTLS handshake message" \
7121 -c "client hello, adding renegotiation extension" \
7122 -c "found renegotiation extension" \
7123 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7124 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]7125 -C "error" \
7126 -s "Extra-header:"
7127
7128requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]7129requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]7130run_test "DTLS reassembly: fragmentation, nbio, renego (gnutls server)" \
7131 "$G_SRV -u --mtu 256" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7132 "$P_CLI debug_level=3 nbio=2 dtls=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]7133 0 \
7134 -c "found fragmented DTLS handshake message" \
7135 -c "client hello, adding renegotiation extension" \
7136 -c "found renegotiation extension" \
7137 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7138 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]7139 -C "error" \
7140 -s "Extra-header:"
7141
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]7142run_test "DTLS reassembly: no fragmentation (openssl server)" \
7143 "$O_SRV -dtls1 -mtu 2048" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7144 "$P_CLI dtls=1 debug_level=2 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]7145 0 \
7146 -C "found fragmented DTLS handshake message" \
7147 -C "error"
7148
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]7149run_test "DTLS reassembly: some fragmentation (openssl server)" \
7150 "$O_SRV -dtls1 -mtu 768" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7151 "$P_CLI dtls=1 debug_level=2 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]7152 0 \
7153 -c "found fragmented DTLS handshake message" \
7154 -C "error"
7155
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]7156run_test "DTLS reassembly: more fragmentation (openssl server)" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]7157 "$O_SRV -dtls1 -mtu 256" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7158 "$P_CLI dtls=1 debug_level=2 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]7159 0 \
7160 -c "found fragmented DTLS handshake message" \
7161 -C "error"
7162
7163run_test "DTLS reassembly: fragmentation, nbio (openssl server)" \
7164 "$O_SRV -dtls1 -mtu 256" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7165 "$P_CLI dtls=1 nbio=2 debug_level=2 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]7166 0 \
7167 -c "found fragmented DTLS handshake message" \
7168 -C "error"
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]7169
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7170# Tests for sending fragmented handshake messages with DTLS
7171#
7172# Use client auth when we need the client to send large messages,
7173# and use large cert chains on both sides too (the long chains we have all use
7174# both RSA and ECDSA, but ideally we should have long chains with either).
7175# Sizes reached (UDP payload):
7176# - 2037B for server certificate
7177# - 1542B for client certificate
7178# - 1013B for newsessionticket
7179# - all others below 512B
7180# All those tests assume MAX_CONTENT_LEN is at least 2048
7181
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7182requires_config_enabled MBEDTLS_RSA_C
7183requires_config_enabled MBEDTLS_ECDSA_C
7184requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
7185run_test "DTLS fragmenting: none (for reference)" \
7186 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7187 crt_file=data_files/server7_int-ca.crt \
7188 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7189 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7190 hs_timeout=2500-60000 \
Hanno Becker12405e72018-08-13 16:45:46 +0100[diff] [blame]7191 max_frag_len=4096" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7192 "$P_CLI dtls=1 debug_level=2 \
7193 crt_file=data_files/server8_int-ca2.crt \
7194 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7195 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7196 hs_timeout=2500-60000 \
Hanno Becker12405e72018-08-13 16:45:46 +0100[diff] [blame]7197 max_frag_len=4096" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7198 0 \
7199 -S "found fragmented DTLS handshake message" \
7200 -C "found fragmented DTLS handshake message" \
7201 -C "error"
7202
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7203requires_config_enabled MBEDTLS_RSA_C
7204requires_config_enabled MBEDTLS_ECDSA_C
7205requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7206run_test "DTLS fragmenting: server only (max_frag_len)" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7207 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7208 crt_file=data_files/server7_int-ca.crt \
7209 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7210 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7211 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7212 max_frag_len=1024" \
7213 "$P_CLI dtls=1 debug_level=2 \
7214 crt_file=data_files/server8_int-ca2.crt \
7215 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7216 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7217 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7218 max_frag_len=2048" \
7219 0 \
7220 -S "found fragmented DTLS handshake message" \
7221 -c "found fragmented DTLS handshake message" \
7222 -C "error"
7223
Hanno Becker69ca0ad2018-08-24 12:11:35 +0100[diff] [blame]7224# With the MFL extension, the server has no way of forcing
7225# the client to not exceed a certain MTU; hence, the following
7226# test can't be replicated with an MTU proxy such as the one
7227# `client-initiated, server only (max_frag_len)` below.
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7228requires_config_enabled MBEDTLS_RSA_C
7229requires_config_enabled MBEDTLS_ECDSA_C
7230requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7231run_test "DTLS fragmenting: server only (more) (max_frag_len)" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7232 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7233 crt_file=data_files/server7_int-ca.crt \
7234 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7235 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7236 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7237 max_frag_len=512" \
7238 "$P_CLI dtls=1 debug_level=2 \
7239 crt_file=data_files/server8_int-ca2.crt \
7240 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7241 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7242 hs_timeout=2500-60000 \
Hanno Becker69ca0ad2018-08-24 12:11:35 +0100[diff] [blame]7243 max_frag_len=4096" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7244 0 \
7245 -S "found fragmented DTLS handshake message" \
7246 -c "found fragmented DTLS handshake message" \
7247 -C "error"
7248
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7249requires_config_enabled MBEDTLS_RSA_C
7250requires_config_enabled MBEDTLS_ECDSA_C
7251requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7252run_test "DTLS fragmenting: client-initiated, server only (max_frag_len)" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7253 "$P_SRV dtls=1 debug_level=2 auth_mode=none \
7254 crt_file=data_files/server7_int-ca.crt \
7255 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7256 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7257 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7258 max_frag_len=2048" \
7259 "$P_CLI dtls=1 debug_level=2 \
7260 crt_file=data_files/server8_int-ca2.crt \
7261 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7262 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7263 hs_timeout=2500-60000 \
7264 max_frag_len=1024" \
7265 0 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7266 -S "found fragmented DTLS handshake message" \
7267 -c "found fragmented DTLS handshake message" \
7268 -C "error"
7269
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7270# While not required by the standard defining the MFL extension
7271# (according to which it only applies to records, not to datagrams),
7272# Mbed TLS will never send datagrams larger than MFL + { Max record expansion },
7273# as otherwise there wouldn't be any means to communicate MTU restrictions
7274# to the peer.
7275# The next test checks that no datagrams significantly larger than the
7276# negotiated MFL are sent.
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7277requires_config_enabled MBEDTLS_RSA_C
7278requires_config_enabled MBEDTLS_ECDSA_C
7279requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
7280run_test "DTLS fragmenting: client-initiated, server only (max_frag_len), proxy MTU" \
Andrzej Kurek0fc9cf42018-10-09 03:09:41 -0400[diff] [blame]7281 -p "$P_PXY mtu=1110" \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7282 "$P_SRV dtls=1 debug_level=2 auth_mode=none \
7283 crt_file=data_files/server7_int-ca.crt \
7284 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7285 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7286 hs_timeout=2500-60000 \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7287 max_frag_len=2048" \
7288 "$P_CLI dtls=1 debug_level=2 \
7289 crt_file=data_files/server8_int-ca2.crt \
7290 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7291 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7292 hs_timeout=2500-60000 \
7293 max_frag_len=1024" \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7294 0 \
7295 -S "found fragmented DTLS handshake message" \
7296 -c "found fragmented DTLS handshake message" \
7297 -C "error"
7298
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7299requires_config_enabled MBEDTLS_RSA_C
7300requires_config_enabled MBEDTLS_ECDSA_C
7301requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7302run_test "DTLS fragmenting: client-initiated, both (max_frag_len)" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7303 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7304 crt_file=data_files/server7_int-ca.crt \
7305 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7306 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7307 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7308 max_frag_len=2048" \
7309 "$P_CLI dtls=1 debug_level=2 \
7310 crt_file=data_files/server8_int-ca2.crt \
7311 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7312 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7313 hs_timeout=2500-60000 \
7314 max_frag_len=1024" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7315 0 \
7316 -s "found fragmented DTLS handshake message" \
7317 -c "found fragmented DTLS handshake message" \
7318 -C "error"
7319
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7320# While not required by the standard defining the MFL extension
7321# (according to which it only applies to records, not to datagrams),
7322# Mbed TLS will never send datagrams larger than MFL + { Max record expansion },
7323# as otherwise there wouldn't be any means to communicate MTU restrictions
7324# to the peer.
7325# The next test checks that no datagrams significantly larger than the
7326# negotiated MFL are sent.
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7327requires_config_enabled MBEDTLS_RSA_C
7328requires_config_enabled MBEDTLS_ECDSA_C
7329requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
7330run_test "DTLS fragmenting: client-initiated, both (max_frag_len), proxy MTU" \
Andrzej Kurek0fc9cf42018-10-09 03:09:41 -0400[diff] [blame]7331 -p "$P_PXY mtu=1110" \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7332 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7333 crt_file=data_files/server7_int-ca.crt \
7334 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7335 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7336 hs_timeout=2500-60000 \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7337 max_frag_len=2048" \
7338 "$P_CLI dtls=1 debug_level=2 \
7339 crt_file=data_files/server8_int-ca2.crt \
7340 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7341 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7342 hs_timeout=2500-60000 \
7343 max_frag_len=1024" \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7344 0 \
7345 -s "found fragmented DTLS handshake message" \
7346 -c "found fragmented DTLS handshake message" \
7347 -C "error"
7348
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7349requires_config_enabled MBEDTLS_RSA_C
7350requires_config_enabled MBEDTLS_ECDSA_C
7351run_test "DTLS fragmenting: none (for reference) (MTU)" \
7352 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7353 crt_file=data_files/server7_int-ca.crt \
7354 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7355 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7356 hs_timeout=2500-60000 \
Hanno Becker12405e72018-08-13 16:45:46 +0100[diff] [blame]7357 mtu=4096" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7358 "$P_CLI dtls=1 debug_level=2 \
7359 crt_file=data_files/server8_int-ca2.crt \
7360 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7361 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7362 hs_timeout=2500-60000 \
Hanno Becker12405e72018-08-13 16:45:46 +0100[diff] [blame]7363 mtu=4096" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7364 0 \
7365 -S "found fragmented DTLS handshake message" \
7366 -C "found fragmented DTLS handshake message" \
7367 -C "error"
7368
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7369requires_config_enabled MBEDTLS_RSA_C
7370requires_config_enabled MBEDTLS_ECDSA_C
7371run_test "DTLS fragmenting: client (MTU)" \
7372 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7373 crt_file=data_files/server7_int-ca.crt \
7374 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7375 ca_file=data_files/test-ca.crt \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]7376 hs_timeout=3500-60000 \
Hanno Becker12405e72018-08-13 16:45:46 +0100[diff] [blame]7377 mtu=4096" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7378 "$P_CLI dtls=1 debug_level=2 \
7379 crt_file=data_files/server8_int-ca2.crt \
7380 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7381 ca_file=data_files/test-ca2.crt \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]7382 hs_timeout=3500-60000 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7383 mtu=1024" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7384 0 \
7385 -s "found fragmented DTLS handshake message" \
7386 -C "found fragmented DTLS handshake message" \
7387 -C "error"
7388
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7389requires_config_enabled MBEDTLS_RSA_C
7390requires_config_enabled MBEDTLS_ECDSA_C
7391run_test "DTLS fragmenting: server (MTU)" \
7392 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7393 crt_file=data_files/server7_int-ca.crt \
7394 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7395 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7396 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7397 mtu=512" \
7398 "$P_CLI dtls=1 debug_level=2 \
7399 crt_file=data_files/server8_int-ca2.crt \
7400 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7401 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7402 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7403 mtu=2048" \
7404 0 \
7405 -S "found fragmented DTLS handshake message" \
7406 -c "found fragmented DTLS handshake message" \
7407 -C "error"
7408
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7409requires_config_enabled MBEDTLS_RSA_C
7410requires_config_enabled MBEDTLS_ECDSA_C
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7411run_test "DTLS fragmenting: both (MTU=1024)" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7412 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7413 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7414 crt_file=data_files/server7_int-ca.crt \
7415 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7416 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7417 hs_timeout=2500-60000 \
Andrzej Kurek95805282018-10-11 08:55:37 -0400[diff] [blame]7418 mtu=1024" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7419 "$P_CLI dtls=1 debug_level=2 \
7420 crt_file=data_files/server8_int-ca2.crt \
7421 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7422 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7423 hs_timeout=2500-60000 \
7424 mtu=1024" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7425 0 \
7426 -s "found fragmented DTLS handshake message" \
7427 -c "found fragmented DTLS handshake message" \
7428 -C "error"
7429
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]7430# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7431requires_config_enabled MBEDTLS_RSA_C
7432requires_config_enabled MBEDTLS_ECDSA_C
7433requires_config_enabled MBEDTLS_SHA256_C
7434requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7435requires_config_enabled MBEDTLS_AES_C
7436requires_config_enabled MBEDTLS_GCM_C
7437run_test "DTLS fragmenting: both (MTU=512)" \
Hanno Becker8d832182018-03-15 10:14:19 +0000[diff] [blame]7438 -p "$P_PXY mtu=512" \
Hanno Becker72a4f032017-11-15 16:39:20 +0000[diff] [blame]7439 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7440 crt_file=data_files/server7_int-ca.crt \
7441 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7442 ca_file=data_files/test-ca.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7443 hs_timeout=2500-60000 \
Hanno Becker72a4f032017-11-15 16:39:20 +0000[diff] [blame]7444 mtu=512" \
7445 "$P_CLI dtls=1 debug_level=2 \
7446 crt_file=data_files/server8_int-ca2.crt \
7447 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7448 ca_file=data_files/test-ca2.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7449 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
7450 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]7451 mtu=512" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]7452 0 \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]7453 -s "found fragmented DTLS handshake message" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]7454 -c "found fragmented DTLS handshake message" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]7455 -C "error"
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]7456
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7457# Test for automatic MTU reduction on repeated resend.
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]7458# Forcing ciphersuite for this test to fit the MTU of 508 with full config.
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7459# The ratio of max/min timeout should ideally equal 4 to accept two
7460# retransmissions, but in some cases (like both the server and client using
7461# fragmentation and auto-reduction) an extra retransmission might occur,
7462# hence the ratio of 8.
Hanno Becker37029eb2018-08-29 17:01:40 +0100[diff] [blame]7463not_with_valgrind
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]7464requires_config_enabled MBEDTLS_RSA_C
7465requires_config_enabled MBEDTLS_ECDSA_C
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7466requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7467requires_config_enabled MBEDTLS_AES_C
7468requires_config_enabled MBEDTLS_GCM_C
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]7469run_test "DTLS fragmenting: proxy MTU: auto-reduction" \
7470 -p "$P_PXY mtu=508" \
7471 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7472 crt_file=data_files/server7_int-ca.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7473 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7474 ca_file=data_files/test-ca.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7475 hs_timeout=400-3200" \
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]7476 "$P_CLI dtls=1 debug_level=2 \
7477 crt_file=data_files/server8_int-ca2.crt \
7478 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7479 ca_file=data_files/test-ca2.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7480 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
7481 hs_timeout=400-3200" \
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]7482 0 \
7483 -s "found fragmented DTLS handshake message" \
7484 -c "found fragmented DTLS handshake message" \
7485 -C "error"
7486
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]7487# Forcing ciphersuite for this test to fit the MTU of 508 with full config.
Hanno Becker108992e2018-08-29 17:04:18 +0100[diff] [blame]7488only_with_valgrind
Hanno Becker108992e2018-08-29 17:04:18 +0100[diff] [blame]7489requires_config_enabled MBEDTLS_RSA_C
7490requires_config_enabled MBEDTLS_ECDSA_C
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7491requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7492requires_config_enabled MBEDTLS_AES_C
7493requires_config_enabled MBEDTLS_GCM_C
Hanno Becker108992e2018-08-29 17:04:18 +0100[diff] [blame]7494run_test "DTLS fragmenting: proxy MTU: auto-reduction" \
7495 -p "$P_PXY mtu=508" \
7496 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7497 crt_file=data_files/server7_int-ca.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7498 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7499 ca_file=data_files/test-ca.crt \
Hanno Becker108992e2018-08-29 17:04:18 +0100[diff] [blame]7500 hs_timeout=250-10000" \
7501 "$P_CLI dtls=1 debug_level=2 \
7502 crt_file=data_files/server8_int-ca2.crt \
7503 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7504 ca_file=data_files/test-ca2.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7505 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Hanno Becker108992e2018-08-29 17:04:18 +0100[diff] [blame]7506 hs_timeout=250-10000" \
7507 0 \
7508 -s "found fragmented DTLS handshake message" \
7509 -c "found fragmented DTLS handshake message" \
7510 -C "error"
7511
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7512# the proxy shouldn't drop or mess up anything, so we shouldn't need to resend
Manuel Pégourié-Gonnard3d183ce2018-08-22 09:56:22 +0200[diff] [blame]7513# OTOH the client might resend if the server is to slow to reset after sending
7514# a HelloVerifyRequest, so only check for no retransmission server-side
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7515not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7516requires_config_enabled MBEDTLS_RSA_C
7517requires_config_enabled MBEDTLS_ECDSA_C
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7518run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=1024)" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7519 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7520 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7521 crt_file=data_files/server7_int-ca.crt \
7522 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7523 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7524 hs_timeout=10000-60000 \
7525 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7526 "$P_CLI dtls=1 debug_level=2 \
7527 crt_file=data_files/server8_int-ca2.crt \
7528 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7529 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7530 hs_timeout=10000-60000 \
7531 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7532 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7533 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7534 -s "found fragmented DTLS handshake message" \
7535 -c "found fragmented DTLS handshake message" \
7536 -C "error"
7537
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]7538# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7539# the proxy shouldn't drop or mess up anything, so we shouldn't need to resend
7540# OTOH the client might resend if the server is to slow to reset after sending
7541# a HelloVerifyRequest, so only check for no retransmission server-side
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7542not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]7543requires_config_enabled MBEDTLS_RSA_C
7544requires_config_enabled MBEDTLS_ECDSA_C
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7545requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7546requires_config_enabled MBEDTLS_AES_C
7547requires_config_enabled MBEDTLS_GCM_C
7548run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=512)" \
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]7549 -p "$P_PXY mtu=512" \
7550 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7551 crt_file=data_files/server7_int-ca.crt \
7552 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7553 ca_file=data_files/test-ca.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7554 hs_timeout=10000-60000 \
7555 mtu=512" \
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]7556 "$P_CLI dtls=1 debug_level=2 \
7557 crt_file=data_files/server8_int-ca2.crt \
7558 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7559 ca_file=data_files/test-ca2.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7560 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
7561 hs_timeout=10000-60000 \
7562 mtu=512" \
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]7563 0 \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7564 -S "autoreduction" \
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]7565 -s "found fragmented DTLS handshake message" \
7566 -c "found fragmented DTLS handshake message" \
7567 -C "error"
7568
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7569not_with_valgrind # spurious autoreduction due to timeout
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7570requires_config_enabled MBEDTLS_RSA_C
7571requires_config_enabled MBEDTLS_ECDSA_C
7572run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=1024)" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7573 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7574 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7575 crt_file=data_files/server7_int-ca.crt \
7576 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7577 ca_file=data_files/test-ca.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7578 hs_timeout=10000-60000 \
7579 mtu=1024 nbio=2" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7580 "$P_CLI dtls=1 debug_level=2 \
7581 crt_file=data_files/server8_int-ca2.crt \
7582 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7583 ca_file=data_files/test-ca2.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7584 hs_timeout=10000-60000 \
7585 mtu=1024 nbio=2" \
7586 0 \
7587 -S "autoreduction" \
7588 -s "found fragmented DTLS handshake message" \
7589 -c "found fragmented DTLS handshake message" \
7590 -C "error"
7591
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]7592# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7593not_with_valgrind # spurious autoreduction due to timeout
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7594requires_config_enabled MBEDTLS_RSA_C
7595requires_config_enabled MBEDTLS_ECDSA_C
7596requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7597requires_config_enabled MBEDTLS_AES_C
7598requires_config_enabled MBEDTLS_GCM_C
7599run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=512)" \
7600 -p "$P_PXY mtu=512" \
7601 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7602 crt_file=data_files/server7_int-ca.crt \
7603 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7604 ca_file=data_files/test-ca.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7605 hs_timeout=10000-60000 \
7606 mtu=512 nbio=2" \
7607 "$P_CLI dtls=1 debug_level=2 \
7608 crt_file=data_files/server8_int-ca2.crt \
7609 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7610 ca_file=data_files/test-ca2.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7611 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
7612 hs_timeout=10000-60000 \
7613 mtu=512 nbio=2" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7614 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7615 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7616 -s "found fragmented DTLS handshake message" \
7617 -c "found fragmented DTLS handshake message" \
7618 -C "error"
7619
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]7620# Forcing ciphersuite for this test to fit the MTU of 1450 with full config.
Hanno Beckerb841b4f2018-08-28 10:25:51 +0100[diff] [blame]7621# This ensures things still work after session_reset().
7622# It also exercises the "resumed handshake" flow.
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]7623# Since we don't support reading fragmented ClientHello yet,
7624# up the MTU to 1450 (larger than ClientHello with session ticket,
7625# but still smaller than client's Certificate to ensure fragmentation).
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7626# An autoreduction on the client-side might happen if the server is
7627# slow to reset, therefore omitting '-C "autoreduction"' below.
Manuel Pégourié-Gonnard2f2d9022018-08-21 12:17:54 +0200[diff] [blame]7628# reco_delay avoids races where the client reconnects before the server has
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7629# resumed listening, which would result in a spurious autoreduction.
7630not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]7631requires_config_enabled MBEDTLS_RSA_C
7632requires_config_enabled MBEDTLS_ECDSA_C
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7633requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7634requires_config_enabled MBEDTLS_AES_C
7635requires_config_enabled MBEDTLS_GCM_C
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]7636run_test "DTLS fragmenting: proxy MTU, resumed handshake" \
7637 -p "$P_PXY mtu=1450" \
7638 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7639 crt_file=data_files/server7_int-ca.crt \
7640 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7641 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7642 hs_timeout=10000-60000 \
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]7643 mtu=1450" \
7644 "$P_CLI dtls=1 debug_level=2 \
7645 crt_file=data_files/server8_int-ca2.crt \
7646 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7647 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7648 hs_timeout=10000-60000 \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7649 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard2f2d9022018-08-21 12:17:54 +0200[diff] [blame]7650 mtu=1450 reconnect=1 reco_delay=1" \
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]7651 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7652 -S "autoreduction" \
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]7653 -s "found fragmented DTLS handshake message" \
7654 -c "found fragmented DTLS handshake message" \
7655 -C "error"
7656
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7657# An autoreduction on the client-side might happen if the server is
7658# slow to reset, therefore omitting '-C "autoreduction"' below.
7659not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7660requires_config_enabled MBEDTLS_RSA_C
7661requires_config_enabled MBEDTLS_ECDSA_C
7662requires_config_enabled MBEDTLS_SHA256_C
7663requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7664requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
7665requires_config_enabled MBEDTLS_CHACHAPOLY_C
7666run_test "DTLS fragmenting: proxy MTU, ChachaPoly renego" \
7667 -p "$P_PXY mtu=512" \
7668 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7669 crt_file=data_files/server7_int-ca.crt \
7670 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7671 ca_file=data_files/test-ca.crt \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7672 exchanges=2 renegotiation=1 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7673 hs_timeout=10000-60000 \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7674 mtu=512" \
7675 "$P_CLI dtls=1 debug_level=2 \
7676 crt_file=data_files/server8_int-ca2.crt \
7677 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7678 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7679 exchanges=2 renegotiation=1 renegotiate=1 \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7680 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7681 hs_timeout=10000-60000 \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7682 mtu=512" \
7683 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7684 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7685 -s "found fragmented DTLS handshake message" \
7686 -c "found fragmented DTLS handshake message" \
7687 -C "error"
7688
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7689# An autoreduction on the client-side might happen if the server is
7690# slow to reset, therefore omitting '-C "autoreduction"' below.
7691not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7692requires_config_enabled MBEDTLS_RSA_C
7693requires_config_enabled MBEDTLS_ECDSA_C
7694requires_config_enabled MBEDTLS_SHA256_C
7695requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7696requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
7697requires_config_enabled MBEDTLS_AES_C
7698requires_config_enabled MBEDTLS_GCM_C
7699run_test "DTLS fragmenting: proxy MTU, AES-GCM renego" \
7700 -p "$P_PXY mtu=512" \
7701 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7702 crt_file=data_files/server7_int-ca.crt \
7703 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7704 ca_file=data_files/test-ca.crt \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7705 exchanges=2 renegotiation=1 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7706 hs_timeout=10000-60000 \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7707 mtu=512" \
7708 "$P_CLI dtls=1 debug_level=2 \
7709 crt_file=data_files/server8_int-ca2.crt \
7710 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7711 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7712 exchanges=2 renegotiation=1 renegotiate=1 \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7713 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7714 hs_timeout=10000-60000 \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7715 mtu=512" \
7716 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7717 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7718 -s "found fragmented DTLS handshake message" \
7719 -c "found fragmented DTLS handshake message" \
7720 -C "error"
7721
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7722# An autoreduction on the client-side might happen if the server is
7723# slow to reset, therefore omitting '-C "autoreduction"' below.
7724not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7725requires_config_enabled MBEDTLS_RSA_C
7726requires_config_enabled MBEDTLS_ECDSA_C
7727requires_config_enabled MBEDTLS_SHA256_C
7728requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7729requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
7730requires_config_enabled MBEDTLS_AES_C
7731requires_config_enabled MBEDTLS_CCM_C
7732run_test "DTLS fragmenting: proxy MTU, AES-CCM renego" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7733 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7734 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7735 crt_file=data_files/server7_int-ca.crt \
7736 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7737 ca_file=data_files/test-ca.crt \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7738 exchanges=2 renegotiation=1 \
7739 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7740 hs_timeout=10000-60000 \
7741 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7742 "$P_CLI dtls=1 debug_level=2 \
7743 crt_file=data_files/server8_int-ca2.crt \
7744 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7745 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7746 exchanges=2 renegotiation=1 renegotiate=1 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7747 hs_timeout=10000-60000 \
7748 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7749 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7750 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7751 -s "found fragmented DTLS handshake message" \
7752 -c "found fragmented DTLS handshake message" \
7753 -C "error"
7754
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7755# An autoreduction on the client-side might happen if the server is
7756# slow to reset, therefore omitting '-C "autoreduction"' below.
7757not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7758requires_config_enabled MBEDTLS_RSA_C
7759requires_config_enabled MBEDTLS_ECDSA_C
7760requires_config_enabled MBEDTLS_SHA256_C
7761requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7762requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
7763requires_config_enabled MBEDTLS_AES_C
7764requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
7765requires_config_enabled MBEDTLS_SSL_ENCRYPT_THEN_MAC
7766run_test "DTLS fragmenting: proxy MTU, AES-CBC EtM renego" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7767 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7768 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7769 crt_file=data_files/server7_int-ca.crt \
7770 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7771 ca_file=data_files/test-ca.crt \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7772 exchanges=2 renegotiation=1 \
7773 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7774 hs_timeout=10000-60000 \
7775 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7776 "$P_CLI dtls=1 debug_level=2 \
7777 crt_file=data_files/server8_int-ca2.crt \
7778 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7779 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7780 exchanges=2 renegotiation=1 renegotiate=1 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7781 hs_timeout=10000-60000 \
7782 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7783 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7784 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7785 -s "found fragmented DTLS handshake message" \
7786 -c "found fragmented DTLS handshake message" \
7787 -C "error"
7788
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7789# An autoreduction on the client-side might happen if the server is
7790# slow to reset, therefore omitting '-C "autoreduction"' below.
7791not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7792requires_config_enabled MBEDTLS_RSA_C
7793requires_config_enabled MBEDTLS_ECDSA_C
7794requires_config_enabled MBEDTLS_SHA256_C
7795requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7796requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
7797requires_config_enabled MBEDTLS_AES_C
7798requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
7799run_test "DTLS fragmenting: proxy MTU, AES-CBC non-EtM renego" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7800 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7801 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7802 crt_file=data_files/server7_int-ca.crt \
7803 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7804 ca_file=data_files/test-ca.crt \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7805 exchanges=2 renegotiation=1 \
7806 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 etm=0 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7807 hs_timeout=10000-60000 \
7808 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7809 "$P_CLI dtls=1 debug_level=2 \
7810 crt_file=data_files/server8_int-ca2.crt \
7811 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7812 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7813 exchanges=2 renegotiation=1 renegotiate=1 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7814 hs_timeout=10000-60000 \
7815 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7816 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7817 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7818 -s "found fragmented DTLS handshake message" \
7819 -c "found fragmented DTLS handshake message" \
7820 -C "error"
7821
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]7822# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
Manuel Pégourié-Gonnard2d56f0d2018-08-16 11:09:03 +0200[diff] [blame]7823requires_config_enabled MBEDTLS_RSA_C
7824requires_config_enabled MBEDTLS_ECDSA_C
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7825requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7826requires_config_enabled MBEDTLS_AES_C
7827requires_config_enabled MBEDTLS_GCM_C
Manuel Pégourié-Gonnard2d56f0d2018-08-16 11:09:03 +0200[diff] [blame]7828client_needs_more_time 2
7829run_test "DTLS fragmenting: proxy MTU + 3d" \
7830 -p "$P_PXY mtu=512 drop=8 delay=8 duplicate=8" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]7831 "$P_SRV dgram_packing=0 dtls=1 debug_level=2 auth_mode=required \
Manuel Pégourié-Gonnard2d56f0d2018-08-16 11:09:03 +0200[diff] [blame]7832 crt_file=data_files/server7_int-ca.crt \
7833 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7834 ca_file=data_files/test-ca.crt \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]7835 hs_timeout=250-10000 mtu=512" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]7836 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard2d56f0d2018-08-16 11:09:03 +0200[diff] [blame]7837 crt_file=data_files/server8_int-ca2.crt \
7838 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7839 ca_file=data_files/test-ca2.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7840 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]7841 hs_timeout=250-10000 mtu=512" \
Manuel Pégourié-Gonnard2d56f0d2018-08-16 11:09:03 +0200[diff] [blame]7842 0 \
7843 -s "found fragmented DTLS handshake message" \
7844 -c "found fragmented DTLS handshake message" \
7845 -C "error"
7846
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]7847# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]7848requires_config_enabled MBEDTLS_RSA_C
7849requires_config_enabled MBEDTLS_ECDSA_C
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7850requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7851requires_config_enabled MBEDTLS_AES_C
7852requires_config_enabled MBEDTLS_GCM_C
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]7853client_needs_more_time 2
7854run_test "DTLS fragmenting: proxy MTU + 3d, nbio" \
7855 -p "$P_PXY mtu=512 drop=8 delay=8 duplicate=8" \
7856 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7857 crt_file=data_files/server7_int-ca.crt \
7858 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7859 ca_file=data_files/test-ca.crt \
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]7860 hs_timeout=250-10000 mtu=512 nbio=2" \
7861 "$P_CLI dtls=1 debug_level=2 \
7862 crt_file=data_files/server8_int-ca2.crt \
7863 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7864 ca_file=data_files/test-ca2.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7865 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]7866 hs_timeout=250-10000 mtu=512 nbio=2" \
7867 0 \
7868 -s "found fragmented DTLS handshake message" \
7869 -c "found fragmented DTLS handshake message" \
7870 -C "error"
7871
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]7872# interop tests for DTLS fragmentating with reliable connection
7873#
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7874# here and below we just want to test that the we fragment in a way that
7875# pleases other implementations, so we don't need the peer to fragment
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7876requires_config_enabled MBEDTLS_RSA_C
7877requires_config_enabled MBEDTLS_ECDSA_C
7878requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard61512982018-08-21 09:40:07 +0200[diff] [blame]7879requires_gnutls
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7880run_test "DTLS fragmenting: gnutls server, DTLS 1.2" \
7881 "$G_SRV -u" \
7882 "$P_CLI dtls=1 debug_level=2 \
7883 crt_file=data_files/server8_int-ca2.crt \
7884 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7885 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7886 mtu=512 force_version=dtls1_2" \
7887 0 \
7888 -c "fragmenting handshake message" \
7889 -C "error"
7890
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7891requires_config_enabled MBEDTLS_RSA_C
7892requires_config_enabled MBEDTLS_ECDSA_C
7893requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
Manuel Pégourié-Gonnard61512982018-08-21 09:40:07 +0200[diff] [blame]7894requires_gnutls
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7895run_test "DTLS fragmenting: gnutls server, DTLS 1.0" \
7896 "$G_SRV -u" \
7897 "$P_CLI dtls=1 debug_level=2 \
7898 crt_file=data_files/server8_int-ca2.crt \
7899 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7900 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]7901 mtu=512 force_version=dtls1" \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7902 0 \
7903 -c "fragmenting handshake message" \
7904 -C "error"
7905
Hanno Beckerb9a00862018-08-28 10:20:22 +0100[diff] [blame]7906# We use --insecure for the GnuTLS client because it expects
7907# the hostname / IP it connects to to be the name used in the
7908# certificate obtained from the server. Here, however, it
7909# connects to 127.0.0.1 while our test certificates use 'localhost'
7910# as the server name in the certificate. This will make the
7911# certifiate validation fail, but passing --insecure makes
7912# GnuTLS continue the connection nonetheless.
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7913requires_config_enabled MBEDTLS_RSA_C
7914requires_config_enabled MBEDTLS_ECDSA_C
7915requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard61512982018-08-21 09:40:07 +0200[diff] [blame]7916requires_gnutls
Andrzej Kurekb4593462018-10-11 08:43:30 -0400[diff] [blame]7917requires_not_i686
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7918run_test "DTLS fragmenting: gnutls client, DTLS 1.2" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]7919 "$P_SRV dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7920 crt_file=data_files/server7_int-ca.crt \
7921 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7922 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7923 mtu=512 force_version=dtls1_2" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]7924 "$G_CLI -u --insecure 127.0.0.1" \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7925 0 \
7926 -s "fragmenting handshake message"
7927
Hanno Beckerb9a00862018-08-28 10:20:22 +0100[diff] [blame]7928# See previous test for the reason to use --insecure
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7929requires_config_enabled MBEDTLS_RSA_C
7930requires_config_enabled MBEDTLS_ECDSA_C
7931requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
Manuel Pégourié-Gonnard61512982018-08-21 09:40:07 +0200[diff] [blame]7932requires_gnutls
Andrzej Kurekb4593462018-10-11 08:43:30 -0400[diff] [blame]7933requires_not_i686
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7934run_test "DTLS fragmenting: gnutls client, DTLS 1.0" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]7935 "$P_SRV dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7936 crt_file=data_files/server7_int-ca.crt \
7937 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7938 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7939 mtu=512 force_version=dtls1" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]7940 "$G_CLI -u --insecure 127.0.0.1" \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7941 0 \
7942 -s "fragmenting handshake message"
7943
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7944requires_config_enabled MBEDTLS_RSA_C
7945requires_config_enabled MBEDTLS_ECDSA_C
7946requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
7947run_test "DTLS fragmenting: openssl server, DTLS 1.2" \
7948 "$O_SRV -dtls1_2 -verify 10" \
7949 "$P_CLI dtls=1 debug_level=2 \
7950 crt_file=data_files/server8_int-ca2.crt \
7951 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7952 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7953 mtu=512 force_version=dtls1_2" \
7954 0 \
7955 -c "fragmenting handshake message" \
7956 -C "error"
7957
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7958requires_config_enabled MBEDTLS_RSA_C
7959requires_config_enabled MBEDTLS_ECDSA_C
7960requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
7961run_test "DTLS fragmenting: openssl server, DTLS 1.0" \
7962 "$O_SRV -dtls1 -verify 10" \
7963 "$P_CLI dtls=1 debug_level=2 \
7964 crt_file=data_files/server8_int-ca2.crt \
7965 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7966 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7967 mtu=512 force_version=dtls1" \
7968 0 \
7969 -c "fragmenting handshake message" \
7970 -C "error"
7971
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7972requires_config_enabled MBEDTLS_RSA_C
7973requires_config_enabled MBEDTLS_ECDSA_C
7974requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
7975run_test "DTLS fragmenting: openssl client, DTLS 1.2" \
7976 "$P_SRV dtls=1 debug_level=2 \
7977 crt_file=data_files/server7_int-ca.crt \
7978 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7979 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7980 mtu=512 force_version=dtls1_2" \
7981 "$O_CLI -dtls1_2" \
7982 0 \
7983 -s "fragmenting handshake message"
7984
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7985requires_config_enabled MBEDTLS_RSA_C
7986requires_config_enabled MBEDTLS_ECDSA_C
7987requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
7988run_test "DTLS fragmenting: openssl client, DTLS 1.0" \
7989 "$P_SRV dtls=1 debug_level=2 \
7990 crt_file=data_files/server7_int-ca.crt \
7991 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7992 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7993 mtu=512 force_version=dtls1" \
7994 "$O_CLI -dtls1" \
7995 0 \
7996 -s "fragmenting handshake message"
7997
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]7998# interop tests for DTLS fragmentating with unreliable connection
7999#
8000# again we just want to test that the we fragment in a way that
8001# pleases other implementations, so we don't need the peer to fragment
8002requires_gnutls_next
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8003requires_config_enabled MBEDTLS_RSA_C
8004requires_config_enabled MBEDTLS_ECDSA_C
8005requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]8006client_needs_more_time 4
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8007run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.2" \
8008 -p "$P_PXY drop=8 delay=8 duplicate=8" \
8009 "$G_NEXT_SRV -u" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8010 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8011 crt_file=data_files/server8_int-ca2.crt \
8012 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8013 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]8014 hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8015 0 \
8016 -c "fragmenting handshake message" \
8017 -C "error"
8018
8019requires_gnutls_next
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8020requires_config_enabled MBEDTLS_RSA_C
8021requires_config_enabled MBEDTLS_ECDSA_C
8022requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]8023client_needs_more_time 4
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8024run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.0" \
8025 -p "$P_PXY drop=8 delay=8 duplicate=8" \
8026 "$G_NEXT_SRV -u" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8027 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8028 crt_file=data_files/server8_int-ca2.crt \
8029 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8030 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]8031 hs_timeout=250-60000 mtu=512 force_version=dtls1" \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8032 0 \
8033 -c "fragmenting handshake message" \
8034 -C "error"
8035
k-stachowiakabb843e2019-02-18 16:14:03 +0100[diff] [blame]8036requires_gnutls_next
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8037requires_config_enabled MBEDTLS_RSA_C
8038requires_config_enabled MBEDTLS_ECDSA_C
8039requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
8040client_needs_more_time 4
8041run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.2" \
8042 -p "$P_PXY drop=8 delay=8 duplicate=8" \
8043 "$P_SRV dtls=1 debug_level=2 \
8044 crt_file=data_files/server7_int-ca.crt \
8045 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8046 ca_file=data_files/test-ca2.crt \
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8047 hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \
k-stachowiakabb843e2019-02-18 16:14:03 +0100[diff] [blame]8048 "$G_NEXT_CLI -u --insecure 127.0.0.1" \
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8049 0 \
8050 -s "fragmenting handshake message"
8051
k-stachowiakabb843e2019-02-18 16:14:03 +0100[diff] [blame]8052requires_gnutls_next
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8053requires_config_enabled MBEDTLS_RSA_C
8054requires_config_enabled MBEDTLS_ECDSA_C
8055requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
8056client_needs_more_time 4
8057run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.0" \
8058 -p "$P_PXY drop=8 delay=8 duplicate=8" \
8059 "$P_SRV dtls=1 debug_level=2 \
8060 crt_file=data_files/server7_int-ca.crt \
8061 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8062 ca_file=data_files/test-ca2.crt \
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8063 hs_timeout=250-60000 mtu=512 force_version=dtls1" \
k-stachowiakabb843e2019-02-18 16:14:03 +0100[diff] [blame]8064 "$G_NEXT_CLI -u --insecure 127.0.0.1" \
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8065 0 \
8066 -s "fragmenting handshake message"
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8067
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8068## Interop test with OpenSSL might trigger a bug in recent versions (including
8069## all versions installed on the CI machines), reported here:
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8070## Bug report: https://github.com/openssl/openssl/issues/6902
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8071## They should be re-enabled once a fixed version of OpenSSL is available
8072## (this should happen in some 1.1.1_ release according to the ticket).
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8073skip_next_test
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8074requires_config_enabled MBEDTLS_RSA_C
8075requires_config_enabled MBEDTLS_ECDSA_C
8076requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
8077client_needs_more_time 4
8078run_test "DTLS fragmenting: 3d, openssl server, DTLS 1.2" \
8079 -p "$P_PXY drop=8 delay=8 duplicate=8" \
8080 "$O_SRV -dtls1_2 -verify 10" \
8081 "$P_CLI dtls=1 debug_level=2 \
8082 crt_file=data_files/server8_int-ca2.crt \
8083 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8084 ca_file=data_files/test-ca2.crt \
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8085 hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \
8086 0 \
8087 -c "fragmenting handshake message" \
8088 -C "error"
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8089
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8090skip_next_test
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8091requires_config_enabled MBEDTLS_RSA_C
8092requires_config_enabled MBEDTLS_ECDSA_C
8093requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]8094client_needs_more_time 4
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8095run_test "DTLS fragmenting: 3d, openssl server, DTLS 1.0" \
8096 -p "$P_PXY drop=8 delay=8 duplicate=8" \
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8097 "$O_SRV -dtls1 -verify 10" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8098 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8099 crt_file=data_files/server8_int-ca2.crt \
8100 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8101 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]8102 hs_timeout=250-60000 mtu=512 force_version=dtls1" \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8103 0 \
8104 -c "fragmenting handshake message" \
8105 -C "error"
8106
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8107skip_next_test
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8108requires_config_enabled MBEDTLS_RSA_C
8109requires_config_enabled MBEDTLS_ECDSA_C
8110requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
8111client_needs_more_time 4
8112run_test "DTLS fragmenting: 3d, openssl client, DTLS 1.2" \
8113 -p "$P_PXY drop=8 delay=8 duplicate=8" \
8114 "$P_SRV dtls=1 debug_level=2 \
8115 crt_file=data_files/server7_int-ca.crt \
8116 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8117 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8118 hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \
8119 "$O_CLI -dtls1_2" \
8120 0 \
8121 -s "fragmenting handshake message"
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8122
8123# -nbio is added to prevent s_client from blocking in case of duplicated
8124# messages at the end of the handshake
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8125skip_next_test
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8126requires_config_enabled MBEDTLS_RSA_C
8127requires_config_enabled MBEDTLS_ECDSA_C
8128requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]8129client_needs_more_time 4
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8130run_test "DTLS fragmenting: 3d, openssl client, DTLS 1.0" \
8131 -p "$P_PXY drop=8 delay=8 duplicate=8" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8132 "$P_SRV dgram_packing=0 dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8133 crt_file=data_files/server7_int-ca.crt \
8134 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8135 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]8136 hs_timeout=250-60000 mtu=512 force_version=dtls1" \
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8137 "$O_CLI -nbio -dtls1" \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8138 0 \
8139 -s "fragmenting handshake message"
8140
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]8141# Tests for specific things with "unreliable" UDP connection
8142
8143not_with_valgrind # spurious resend due to timeout
8144run_test "DTLS proxy: reference" \
8145 -p "$P_PXY" \
8146 "$P_SRV dtls=1 debug_level=2" \
8147 "$P_CLI dtls=1 debug_level=2" \
8148 0 \
8149 -C "replayed record" \
8150 -S "replayed record" \
Hanno Beckere03eb7b2019-07-19 15:43:09 +0100[diff] [blame]8151 -C "Buffer record from epoch" \
8152 -S "Buffer record from epoch" \
8153 -C "ssl_buffer_message" \
8154 -S "ssl_buffer_message" \
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]8155 -C "discarding invalid record" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]8156 -S "discarding invalid record" \
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]8157 -S "resend" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]8158 -s "Extra-header:" \
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]8159 -c "HTTP/1.0 200 OK"
8160
8161not_with_valgrind # spurious resend due to timeout
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]8162run_test "DTLS proxy: duplicate every packet" \
8163 -p "$P_PXY duplicate=1" \
Hanno Becker7f376f42019-06-12 16:20:48 +0100[diff] [blame]8164 "$P_SRV dtls=1 dgram_packing=0 debug_level=2 anti_replay=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8165 "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]8166 0 \
8167 -c "replayed record" \
8168 -s "replayed record" \
8169 -c "record from another epoch" \
8170 -s "record from another epoch" \
8171 -S "resend" \
8172 -s "Extra-header:" \
8173 -c "HTTP/1.0 200 OK"
8174
8175run_test "DTLS proxy: duplicate every packet, server anti-replay off" \
8176 -p "$P_PXY duplicate=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8177 "$P_SRV dtls=1 dgram_packing=0 debug_level=2 anti_replay=0" \
8178 "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]8179 0 \
8180 -c "replayed record" \
8181 -S "replayed record" \
8182 -c "record from another epoch" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8183 -s "record from another epoch" \
8184 -c "resend" \
8185 -s "resend" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]8186 -s "Extra-header:" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8187 -c "HTTP/1.0 200 OK"
8188
8189run_test "DTLS proxy: multiple records in same datagram" \
8190 -p "$P_PXY pack=50" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8191 "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \
8192 "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]8193 0 \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8194 -c "next record in same datagram" \
8195 -s "next record in same datagram"
8196
8197run_test "DTLS proxy: multiple records in same datagram, duplicate every packet" \
8198 -p "$P_PXY pack=50 duplicate=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8199 "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \
8200 "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]8201 0 \
8202 -c "next record in same datagram" \
8203 -s "next record in same datagram"
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8204
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]8205run_test "DTLS proxy: inject invalid AD record, default badmac_limit" \
8206 -p "$P_PXY bad_ad=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8207 "$P_SRV dtls=1 dgram_packing=0 debug_level=1" \
8208 "$P_CLI dtls=1 dgram_packing=0 debug_level=1 read_timeout=100" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]8209 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]8210 -c "discarding invalid record (mac)" \
8211 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8212 -s "Extra-header:" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]8213 -c "HTTP/1.0 200 OK" \
8214 -S "too many records with bad MAC" \
8215 -S "Verification of the message MAC failed"
8216
8217run_test "DTLS proxy: inject invalid AD record, badmac_limit 1" \
8218 -p "$P_PXY bad_ad=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8219 "$P_SRV dtls=1 dgram_packing=0 debug_level=1 badmac_limit=1" \
8220 "$P_CLI dtls=1 dgram_packing=0 debug_level=1 read_timeout=100" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]8221 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]8222 -C "discarding invalid record (mac)" \
8223 -S "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]8224 -S "Extra-header:" \
8225 -C "HTTP/1.0 200 OK" \
8226 -s "too many records with bad MAC" \
8227 -s "Verification of the message MAC failed"
8228
8229run_test "DTLS proxy: inject invalid AD record, badmac_limit 2" \
8230 -p "$P_PXY bad_ad=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8231 "$P_SRV dtls=1 dgram_packing=0 debug_level=1 badmac_limit=2" \
8232 "$P_CLI dtls=1 dgram_packing=0 debug_level=1 read_timeout=100" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]8233 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]8234 -c "discarding invalid record (mac)" \
8235 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]8236 -s "Extra-header:" \
8237 -c "HTTP/1.0 200 OK" \
8238 -S "too many records with bad MAC" \
8239 -S "Verification of the message MAC failed"
8240
8241run_test "DTLS proxy: inject invalid AD record, badmac_limit 2, exchanges 2"\
8242 -p "$P_PXY bad_ad=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8243 "$P_SRV dtls=1 dgram_packing=0 debug_level=1 badmac_limit=2 exchanges=2" \
8244 "$P_CLI dtls=1 dgram_packing=0 debug_level=1 read_timeout=100 exchanges=2" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]8245 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]8246 -c "discarding invalid record (mac)" \
8247 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]8248 -s "Extra-header:" \
8249 -c "HTTP/1.0 200 OK" \
8250 -s "too many records with bad MAC" \
8251 -s "Verification of the message MAC failed"
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8252
8253run_test "DTLS proxy: delay ChangeCipherSpec" \
8254 -p "$P_PXY delay_ccs=1" \
Hanno Beckerc4305232018-08-14 13:41:21 +0100[diff] [blame]8255 "$P_SRV dtls=1 debug_level=1 dgram_packing=0" \
8256 "$P_CLI dtls=1 debug_level=1 dgram_packing=0" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8257 0 \
8258 -c "record from another epoch" \
8259 -s "record from another epoch" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8260 -s "Extra-header:" \
8261 -c "HTTP/1.0 200 OK"
8262
Hanno Beckeraa5d0c42018-08-16 13:15:19 +0100[diff] [blame]8263# Tests for reordering support with DTLS
8264
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8265run_test "DTLS reordering: Buffer out-of-order handshake message on client" \
8266 -p "$P_PXY delay_srv=ServerHello" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8267 "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
8268 hs_timeout=2500-60000" \
8269 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
8270 hs_timeout=2500-60000" \
Hanno Beckere3842212018-08-16 15:28:59 +0100[diff] [blame]8271 0 \
8272 -c "Buffering HS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8273 -c "Next handshake message has been buffered - load"\
8274 -S "Buffering HS message" \
8275 -S "Next handshake message has been buffered - load"\
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8276 -C "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8277 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8278 -S "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8279 -S "Remember CCS message"
Hanno Beckere3842212018-08-16 15:28:59 +0100[diff] [blame]8280
Hanno Beckerdc1e9502018-08-28 16:02:33 +0100[diff] [blame]8281run_test "DTLS reordering: Buffer out-of-order handshake message fragment on client" \
8282 -p "$P_PXY delay_srv=ServerHello" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8283 "$P_SRV mtu=512 dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
8284 hs_timeout=2500-60000" \
8285 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
8286 hs_timeout=2500-60000" \
Hanno Beckerdc1e9502018-08-28 16:02:33 +0100[diff] [blame]8287 0 \
8288 -c "Buffering HS message" \
8289 -c "found fragmented DTLS handshake message"\
8290 -c "Next handshake message 1 not or only partially bufffered" \
8291 -c "Next handshake message has been buffered - load"\
8292 -S "Buffering HS message" \
8293 -S "Next handshake message has been buffered - load"\
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8294 -C "Injecting buffered CCS message" \
Hanno Beckerdc1e9502018-08-28 16:02:33 +0100[diff] [blame]8295 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8296 -S "Injecting buffered CCS message" \
Hanno Beckeraa5d0c42018-08-16 13:15:19 +0100[diff] [blame]8297 -S "Remember CCS message"
8298
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]8299# The client buffers the ServerKeyExchange before receiving the fragmented
8300# Certificate message; at the time of writing, together these are aroudn 1200b
8301# in size, so that the bound below ensures that the certificate can be reassembled
8302# while keeping the ServerKeyExchange.
8303requires_config_value_at_least "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 1300
8304run_test "DTLS reordering: Buffer out-of-order hs msg before reassembling next" \
Hanno Beckere3567052018-08-21 16:50:43 +0100[diff] [blame]8305 -p "$P_PXY delay_srv=Certificate delay_srv=Certificate" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8306 "$P_SRV mtu=512 dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
8307 hs_timeout=2500-60000" \
8308 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
8309 hs_timeout=2500-60000" \
Hanno Beckere3567052018-08-21 16:50:43 +0100[diff] [blame]8310 0 \
8311 -c "Buffering HS message" \
8312 -c "Next handshake message has been buffered - load"\
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]8313 -C "attempt to make space by freeing buffered messages" \
8314 -S "Buffering HS message" \
8315 -S "Next handshake message has been buffered - load"\
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8316 -C "Injecting buffered CCS message" \
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]8317 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8318 -S "Injecting buffered CCS message" \
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]8319 -S "Remember CCS message"
8320
8321# The size constraints ensure that the delayed certificate message can't
8322# be reassembled while keeping the ServerKeyExchange message, but it can
8323# when dropping it first.
8324requires_config_value_at_least "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 900
8325requires_config_value_at_most "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 1299
8326run_test "DTLS reordering: Buffer out-of-order hs msg before reassembling next, free buffered msg" \
8327 -p "$P_PXY delay_srv=Certificate delay_srv=Certificate" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8328 "$P_SRV mtu=512 dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
8329 hs_timeout=2500-60000" \
8330 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
8331 hs_timeout=2500-60000" \
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]8332 0 \
8333 -c "Buffering HS message" \
8334 -c "attempt to make space by freeing buffered future messages" \
8335 -c "Enough space available after freeing buffered HS messages" \
Hanno Beckere3567052018-08-21 16:50:43 +0100[diff] [blame]8336 -S "Buffering HS message" \
8337 -S "Next handshake message has been buffered - load"\
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8338 -C "Injecting buffered CCS message" \
Hanno Beckere3567052018-08-21 16:50:43 +0100[diff] [blame]8339 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8340 -S "Injecting buffered CCS message" \
Hanno Beckere3567052018-08-21 16:50:43 +0100[diff] [blame]8341 -S "Remember CCS message"
8342
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8343run_test "DTLS reordering: Buffer out-of-order handshake message on server" \
8344 -p "$P_PXY delay_cli=Certificate" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8345 "$P_SRV dgram_packing=0 auth_mode=required cookies=0 dtls=1 debug_level=2 \
8346 hs_timeout=2500-60000" \
8347 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
8348 hs_timeout=2500-60000" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8349 0 \
8350 -C "Buffering HS message" \
8351 -C "Next handshake message has been buffered - load"\
8352 -s "Buffering HS message" \
8353 -s "Next handshake message has been buffered - load" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8354 -C "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8355 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8356 -S "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8357 -S "Remember CCS message"
8358
Manuel Pégourié-Gonnardf1c6ad42019-07-01 10:13:04 +0200[diff] [blame]8359# This needs session tickets; otherwise CCS is the first message in its flight
8360requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8361run_test "DTLS reordering: Buffer out-of-order CCS message on client"\
8362 -p "$P_PXY delay_srv=NewSessionTicket" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8363 "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
8364 hs_timeout=2500-60000" \
8365 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
8366 hs_timeout=2500-60000" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8367 0 \
8368 -C "Buffering HS message" \
8369 -C "Next handshake message has been buffered - load"\
8370 -S "Buffering HS message" \
8371 -S "Next handshake message has been buffered - load" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8372 -c "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8373 -c "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8374 -S "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8375 -S "Remember CCS message"
8376
8377run_test "DTLS reordering: Buffer out-of-order CCS message on server"\
8378 -p "$P_PXY delay_cli=ClientKeyExchange" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8379 "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
8380 hs_timeout=2500-60000" \
8381 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
8382 hs_timeout=2500-60000" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8383 0 \
8384 -C "Buffering HS message" \
8385 -C "Next handshake message has been buffered - load"\
8386 -S "Buffering HS message" \
8387 -S "Next handshake message has been buffered - load" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8388 -C "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8389 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8390 -s "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8391 -s "Remember CCS message"
8392
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]8393run_test "DTLS reordering: Buffer encrypted Finished message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8394 -p "$P_PXY delay_ccs=1" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8395 "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
8396 hs_timeout=2500-60000" \
8397 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
8398 hs_timeout=2500-60000" \
Hanno Beckerb34149c2018-08-16 15:29:06 +0100[diff] [blame]8399 0 \
8400 -s "Buffer record from epoch 1" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8401 -s "Found buffered record from current epoch - load" \
8402 -c "Buffer record from epoch 1" \
8403 -c "Found buffered record from current epoch - load"
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8404
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]8405# In this test, both the fragmented NewSessionTicket and the ChangeCipherSpec
8406# from the server are delayed, so that the encrypted Finished message
8407# is received and buffered. When the fragmented NewSessionTicket comes
8408# in afterwards, the encrypted Finished message must be freed in order
8409# to make space for the NewSessionTicket to be reassembled.
8410# This works only in very particular circumstances:
8411# - MBEDTLS_SSL_DTLS_MAX_BUFFERING must be large enough to allow buffering
8412# of the NewSessionTicket, but small enough to also allow buffering of
8413# the encrypted Finished message.
8414# - The MTU setting on the server must be so small that the NewSessionTicket
8415# needs to be fragmented.
8416# - All messages sent by the server must be small enough to be either sent
8417# without fragmentation or be reassembled within the bounds of
8418# MBEDTLS_SSL_DTLS_MAX_BUFFERING. Achieve this by testing with a PSK-based
8419# handshake, omitting CRTs.
Manuel Pégourié-Gonnardf8c355a2019-05-28 10:21:30 +0200[diff] [blame]8420requires_config_value_at_least "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 190
8421requires_config_value_at_most "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 230
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]8422run_test "DTLS reordering: Buffer encrypted Finished message, drop for fragmented NewSessionTicket" \
8423 -p "$P_PXY delay_srv=NewSessionTicket delay_srv=NewSessionTicket delay_ccs=1" \
Manuel Pégourié-Gonnardf8c355a2019-05-28 10:21:30 +0200[diff] [blame]8424 "$P_SRV mtu=140 response_size=90 dgram_packing=0 psk=abc123 psk_identity=foo cookies=0 dtls=1 debug_level=2" \
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]8425 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 psk=abc123 psk_identity=foo" \
8426 0 \
8427 -s "Buffer record from epoch 1" \
8428 -s "Found buffered record from current epoch - load" \
8429 -c "Buffer record from epoch 1" \
8430 -C "Found buffered record from current epoch - load" \
8431 -c "Enough space available after freeing future epoch record"
8432
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]8433# Tests for "randomly unreliable connection": try a variety of flows and peers
8434
8435client_needs_more_time 2
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8436run_test "DTLS proxy: 3d (drop, delay, duplicate), \"short\" PSK handshake" \
8437 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8438 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8439 psk=abc123" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8440 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8441 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
8442 0 \
8443 -s "Extra-header:" \
8444 -c "HTTP/1.0 200 OK"
8445
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8446client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8447run_test "DTLS proxy: 3d, \"short\" RSA handshake" \
8448 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8449 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none" \
8450 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8451 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
8452 0 \
8453 -s "Extra-header:" \
8454 -c "HTTP/1.0 200 OK"
8455
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8456client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8457run_test "DTLS proxy: 3d, \"short\" (no ticket, no cli_auth) FS handshake" \
8458 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8459 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none" \
8460 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8461 0 \
8462 -s "Extra-header:" \
8463 -c "HTTP/1.0 200 OK"
8464
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8465client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8466run_test "DTLS proxy: 3d, FS, client auth" \
8467 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8468 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=required" \
8469 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8470 0 \
8471 -s "Extra-header:" \
8472 -c "HTTP/1.0 200 OK"
8473
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8474client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8475run_test "DTLS proxy: 3d, FS, ticket" \
8476 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8477 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1 auth_mode=none" \
8478 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8479 0 \
8480 -s "Extra-header:" \
8481 -c "HTTP/1.0 200 OK"
8482
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8483client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8484run_test "DTLS proxy: 3d, max handshake (FS, ticket + client auth)" \
8485 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8486 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1 auth_mode=required" \
8487 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8488 0 \
8489 -s "Extra-header:" \
8490 -c "HTTP/1.0 200 OK"
8491
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8492client_needs_more_time 2
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]8493run_test "DTLS proxy: 3d, max handshake, nbio" \
8494 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8495 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 nbio=2 tickets=1 \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]8496 auth_mode=required" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8497 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 nbio=2 tickets=1" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]8498 0 \
8499 -s "Extra-header:" \
8500 -c "HTTP/1.0 200 OK"
8501
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8502client_needs_more_time 4
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]8503requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]8504requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]8505requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +0200[diff] [blame]8506run_test "DTLS proxy: 3d, min handshake, resumption" \
8507 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8508 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +0200[diff] [blame]8509 psk=abc123 debug_level=3" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8510 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +0200[diff] [blame]8511 debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
8512 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
8513 0 \
8514 -s "a session has been resumed" \
8515 -c "a session has been resumed" \
8516 -s "Extra-header:" \
8517 -c "HTTP/1.0 200 OK"
8518
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8519client_needs_more_time 4
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]8520requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]8521requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]8522requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +0200[diff] [blame]8523run_test "DTLS proxy: 3d, min handshake, resumption, nbio" \
8524 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8525 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +0200[diff] [blame]8526 psk=abc123 debug_level=3 nbio=2" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8527 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +0200[diff] [blame]8528 debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
8529 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 nbio=2" \
8530 0 \
8531 -s "a session has been resumed" \
8532 -c "a session has been resumed" \
8533 -s "Extra-header:" \
8534 -c "HTTP/1.0 200 OK"
8535
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8536client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]8537requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]8538run_test "DTLS proxy: 3d, min handshake, client-initiated renego" \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +0200[diff] [blame]8539 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8540 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]8541 psk=abc123 renegotiation=1 debug_level=2" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8542 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]8543 renegotiate=1 debug_level=2 \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +0200[diff] [blame]8544 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
8545 0 \
8546 -c "=> renegotiate" \
8547 -s "=> renegotiate" \
8548 -s "Extra-header:" \
8549 -c "HTTP/1.0 200 OK"
8550
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8551client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]8552requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]8553run_test "DTLS proxy: 3d, min handshake, client-initiated renego, nbio" \
8554 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8555 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]8556 psk=abc123 renegotiation=1 debug_level=2" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8557 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]8558 renegotiate=1 debug_level=2 \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]8559 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
8560 0 \
8561 -c "=> renegotiate" \
8562 -s "=> renegotiate" \
8563 -s "Extra-header:" \
8564 -c "HTTP/1.0 200 OK"
8565
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8566client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]8567requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]8568run_test "DTLS proxy: 3d, min handshake, server-initiated renego" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]8569 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8570 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]8571 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]8572 debug_level=2" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8573 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]8574 renegotiation=1 exchanges=4 debug_level=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]8575 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
8576 0 \
8577 -c "=> renegotiate" \
8578 -s "=> renegotiate" \
8579 -s "Extra-header:" \
8580 -c "HTTP/1.0 200 OK"
8581
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8582client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]8583requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]8584run_test "DTLS proxy: 3d, min handshake, server-initiated renego, nbio" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]8585 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8586 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]8587 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]8588 debug_level=2 nbio=2" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8589 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]8590 renegotiation=1 exchanges=4 debug_level=2 nbio=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]8591 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
8592 0 \
8593 -c "=> renegotiate" \
8594 -s "=> renegotiate" \
8595 -s "Extra-header:" \
8596 -c "HTTP/1.0 200 OK"
8597
Manuel Pégourié-Gonnard82986c12018-09-03 10:50:21 +0200[diff] [blame]8598## Interop tests with OpenSSL might trigger a bug in recent versions (including
8599## all versions installed on the CI machines), reported here:
8600## Bug report: https://github.com/openssl/openssl/issues/6902
8601## They should be re-enabled once a fixed version of OpenSSL is available
8602## (this should happen in some 1.1.1_ release according to the ticket).
8603skip_next_test
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8604client_needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]8605not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]8606run_test "DTLS proxy: 3d, openssl server" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]8607 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
8608 "$O_SRV -dtls1 -mtu 2048" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8609 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 tickets=0" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]8610 0 \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]8611 -c "HTTP/1.0 200 OK"
8612
Manuel Pégourié-Gonnard82986c12018-09-03 10:50:21 +0200[diff] [blame]8613skip_next_test # see above
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8614client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]8615not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]8616run_test "DTLS proxy: 3d, openssl server, fragmentation" \
8617 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
8618 "$O_SRV -dtls1 -mtu 768" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8619 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 tickets=0" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]8620 0 \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]8621 -c "HTTP/1.0 200 OK"
8622
Manuel Pégourié-Gonnard82986c12018-09-03 10:50:21 +0200[diff] [blame]8623skip_next_test # see above
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8624client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]8625not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]8626run_test "DTLS proxy: 3d, openssl server, fragmentation, nbio" \
8627 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
8628 "$O_SRV -dtls1 -mtu 768" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8629 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 nbio=2 tickets=0" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]8630 0 \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]8631 -c "HTTP/1.0 200 OK"
8632
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]8633requires_gnutls
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8634client_needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]8635not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]8636run_test "DTLS proxy: 3d, gnutls server" \
8637 -p "$P_PXY drop=5 delay=5 duplicate=5" \
8638 "$G_SRV -u --mtu 2048 -a" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8639 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]8640 0 \
8641 -s "Extra-header:" \
8642 -c "Extra-header:"
8643
k-stachowiakabb843e2019-02-18 16:14:03 +0100[diff] [blame]8644requires_gnutls_next
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8645client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]8646not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]8647run_test "DTLS proxy: 3d, gnutls server, fragmentation" \
8648 -p "$P_PXY drop=5 delay=5 duplicate=5" \
k-stachowiakabb843e2019-02-18 16:14:03 +0100[diff] [blame]8649 "$G_NEXT_SRV -u --mtu 512" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8650 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]8651 0 \
8652 -s "Extra-header:" \
8653 -c "Extra-header:"
8654
k-stachowiakabb843e2019-02-18 16:14:03 +0100[diff] [blame]8655requires_gnutls_next
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8656client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]8657not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]8658run_test "DTLS proxy: 3d, gnutls server, fragmentation, nbio" \
8659 -p "$P_PXY drop=5 delay=5 duplicate=5" \
k-stachowiakabb843e2019-02-18 16:14:03 +0100[diff] [blame]8660 "$G_NEXT_SRV -u --mtu 512" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8661 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 nbio=2 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]8662 0 \
8663 -s "Extra-header:" \
8664 -c "Extra-header:"
8665
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]8666# Final report
8667
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]8668echo "------------------------------------------------------------------------"
8669
8670if [ $FAILS = 0 ]; then
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]8671 printf "PASSED"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]8672else
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]8673 printf "FAILED"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]8674fi
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]8675PASSES=$(( $TESTS - $FAILS ))
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]8676echo " ($PASSES / $TESTS tests ($SKIPS skipped))"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]8677
8678exit $FAILS